-rw-r--r--.github/pull_request_template.md10
-rw-r--r--.gitignore10
-rw-r--r--.gitmodules3
-rw-r--r--.readthedocs.yaml5
-rw-r--r--.uncrustify.cfg14
-rw-r--r--3rdparty/CMakeLists.txt2
-rw-r--r--3rdparty/Makefile.inc3
-rw-r--r--3rdparty/everest/CMakeLists.txt42
-rw-r--r--3rdparty/everest/Makefile.inc6
-rw-r--r--3rdparty/p256-m/CMakeLists.txt40
-rw-r--r--3rdparty/p256-m/Makefile.inc5
-rw-r--r--3rdparty/p256-m/README.md4
-rw-r--r--3rdparty/p256-m/p256-m/LICENSE202
-rw-r--r--3rdparty/p256-m/p256-m/p256-m.c1514
-rw-r--r--3rdparty/p256-m/p256-m/p256-m.h135
-rw-r--r--3rdparty/p256-m/p256-m_driver_entrypoints.c324
-rw-r--r--3rdparty/p256-m/p256-m_driver_entrypoints.h231
-rw-r--r--BRANCHES.md30
-rw-r--r--BUGS.md2
-rw-r--r--CMakeLists.txt77
-rw-r--r--CONTRIBUTING.md6
-rw-r--r--ChangeLog290
-rw-r--r--ChangeLog.d/9126.txt5
-rw-r--r--ChangeLog.d/add-psa-example-program-hash.txt2
-rw-r--r--ChangeLog.d/asn1-missing-guard-in-rsa.txt3
-rw-r--r--ChangeLog.d/check-config.txt9
-rw-r--r--ChangeLog.d/fix-3rdparty-target-prefix.txt3
-rw-r--r--ChangeLog.d/fix-cmake-3rdparty-custom-config.txt3
-rw-r--r--ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt2
-rw-r--r--ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt4
-rw-r--r--ChangeLog.d/fix-cpp-compilation-error.txt3
-rw-r--r--ChangeLog.d/fix-issue-x509-cert_req.txt3
-rw-r--r--ChangeLog.d/fix-issue-x509-cert_write.txt3
-rw-r--r--ChangeLog.d/fix-psa-cmac.txt4
-rw-r--r--ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt5
-rw-r--r--ChangeLog.d/fix-secure-element-key-creation.txt5
-rw-r--r--ChangeLog.d/fix-test-suite-pk-warnings.txt3
-rw-r--r--ChangeLog.d/fix_ubsan_mp_aead_gcm.txt3
-rw-r--r--ChangeLog.d/pk-norsa-warning.txt2
-rw-r--r--ChangeLog.d/pkwrite-pem-use-heap.txt4
-rw-r--r--ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt3
-rw-r--r--ChangeLog.d/remove-via-padlock-support.txt3
-rw-r--r--ChangeLog.d/tls13-without-tickets.txt3
-rw-r--r--LICENSE351
-rw-r--r--Makefile58
-rw-r--r--README.md20
-rw-r--r--SECURITY.md2
-rw-r--r--configs/config-ccm-psk-dtls1_2.h30
-rw-r--r--configs/config-ccm-psk-tls1_2.h30
-rw-r--r--configs/config-no-entropy.h85
-rw-r--r--configs/config-suite-b.h38
-rw-r--r--configs/config-symmetric-only.h55
-rw-r--r--configs/config-tfm.h68
-rw-r--r--configs/config-thread.h35
-rw-r--r--configs/crypto-config-ccm-aes-sha256.h18
-rw-r--r--configs/crypto-config-ccm-psk-tls1_2.h25
-rw-r--r--configs/crypto-config-suite-b.h41
-rw-r--r--configs/crypto-config-symmetric-only.h58
-rw-r--r--configs/crypto-config-thread.h47
-rw-r--r--configs/crypto_config_profile_medium.h138
-rw-r--r--configs/ext/README.md25
-rw-r--r--configs/ext/config_tfm.h13
-rw-r--r--configs/ext/crypto_config_profile_medium.h132
-rw-r--r--configs/ext/mbedtls_entropy_nv_seed_config.h13
-rw-r--r--configs/ext/tfm_mbedcrypto_config_profile_medium.h572
-rw-r--r--configs/tfm_mbedcrypto_config_profile_medium.h623
-rw-r--r--docs/architecture/Makefile15
-rw-r--r--docs/architecture/alternative-implementations.md2
-rw-r--r--docs/architecture/psa-crypto-implementation-structure.md8
-rw-r--r--docs/architecture/psa-migration/md-cipher-dispatch.md233
-rwxr-xr-xdocs/architecture/psa-migration/outcome-analysis.sh2
-rw-r--r--docs/architecture/psa-migration/psa-legacy-bridges.md344
-rwxr-xr-xdocs/architecture/psa-migration/syms.sh14
-rw-r--r--docs/architecture/psa-shared-memory.md685
-rw-r--r--docs/architecture/psa-thread-safety.md300
-rw-r--r--docs/architecture/psa-thread-safety/key-slot-state-transitions.pngbin0 -> 50367 bytes
-rw-r--r--docs/architecture/psa-thread-safety/psa-thread-safety.md367
-rw-r--r--docs/architecture/testing/driver-interface-test-strategy.md470
-rw-r--r--docs/architecture/tls13-support.md229
-rw-r--r--docs/driver-only-builds.md249
-rw-r--r--docs/proposed/psa-driver-wrappers-codegen-migration-guide.md2
-rw-r--r--docs/psa-driver-example-and-guide.md8
-rw-r--r--docs/psa-transition.md1322
-rw-r--r--docs/redirects.yaml4
-rw-r--r--docs/tls13-early-data.md192
-rw-r--r--docs/use-psa-crypto.md9
-rw-r--r--doxygen/input/doc_encdec.h14
-rw-r--r--doxygen/input/doc_hashing.h14
-rw-r--r--doxygen/input/doc_mainpage.h16
-rw-r--r--doxygen/input/doc_rng.h14
-rw-r--r--doxygen/input/doc_ssltls.h14
-rw-r--r--doxygen/input/doc_tcpip.h14
-rw-r--r--doxygen/input/doc_x509.h14
-rw-r--r--doxygen/mbedtls.doxyfile6
m---------framework0
-rw-r--r--include/CMakeLists.txt7
-rw-r--r--include/mbedtls/aes.h639
-rw-r--r--include/mbedtls/aria.h353
-rw-r--r--include/mbedtls/asn1.h653
-rw-r--r--include/mbedtls/asn1write.h401
-rw-r--r--include/mbedtls/base64.h94
-rw-r--r--include/mbedtls/bignum.h1096
-rw-r--r--include/mbedtls/build_info.h76
-rw-r--r--include/mbedtls/camellia.h315
-rw-r--r--include/mbedtls/ccm.h530
-rw-r--r--include/mbedtls/chacha20.h214
-rw-r--r--include/mbedtls/chachapoly.h354
-rw-r--r--include/mbedtls/check_config.h386
-rw-r--r--include/mbedtls/cipher.h1195
-rw-r--r--include/mbedtls/cmac.h258
-rw-r--r--include/mbedtls/compat-2.x.h14
-rw-r--r--include/mbedtls/config_adjust_legacy_crypto.h305
-rw-r--r--include/mbedtls/config_adjust_legacy_from_psa.h889
-rw-r--r--include/mbedtls/config_adjust_psa_from_legacy.h49
-rw-r--r--include/mbedtls/config_adjust_psa_superset_legacy.h154
-rw-r--r--include/mbedtls/config_adjust_ssl.h29
-rw-r--r--include/mbedtls/config_adjust_x509.h24
-rw-r--r--include/mbedtls/config_psa.h67
-rw-r--r--include/mbedtls/constant_time.h48
-rw-r--r--include/mbedtls/ctr_drbg.h576
-rw-r--r--include/mbedtls/debug.h178
-rw-r--r--include/mbedtls/des.h397
-rw-r--r--include/mbedtls/dhm.h984
-rw-r--r--include/mbedtls/ecdh.h453
-rw-r--r--include/mbedtls/ecdsa.h683
-rw-r--r--include/mbedtls/ecjpake.h310
-rw-r--r--include/mbedtls/ecp.h1374
-rw-r--r--include/mbedtls/entropy.h285
-rw-r--r--include/mbedtls/error.h213
-rw-r--r--include/mbedtls/gcm.h382
-rw-r--r--include/mbedtls/hkdf.h14
-rw-r--r--include/mbedtls/hmac_drbg.h446
-rw-r--r--include/mbedtls/lms.h452
-rw-r--r--include/mbedtls/mbedtls_config.h311
-rw-r--r--include/mbedtls/md.h652
-rw-r--r--include/mbedtls/md5.h202
-rw-r--r--include/mbedtls/memory_buffer_alloc.h154
-rw-r--r--include/mbedtls/net_sockets.h18
-rw-r--r--include/mbedtls/nist_kw.h178
-rw-r--r--include/mbedtls/oid.h734
-rw-r--r--include/mbedtls/pem.h172
-rw-r--r--include/mbedtls/pk.h1103
-rw-r--r--include/mbedtls/pkcs12.h198
-rw-r--r--include/mbedtls/pkcs5.h209
-rw-r--r--include/mbedtls/pkcs7.h15
-rw-r--r--include/mbedtls/platform.h497
-rw-r--r--include/mbedtls/platform_time.h91
-rw-r--r--include/mbedtls/platform_util.h213
-rw-r--r--include/mbedtls/poly1305.h180
-rw-r--r--include/mbedtls/private_access.h32
-rw-r--r--include/mbedtls/psa_util.h116
-rw-r--r--include/mbedtls/ripemd160.h148
-rw-r--r--include/mbedtls/rsa.h1155
-rw-r--r--include/mbedtls/sha1.h231
-rw-r--r--include/mbedtls/sha256.h212
-rw-r--r--include/mbedtls/sha3.h184
-rw-r--r--include/mbedtls/sha512.h220
-rw-r--r--include/mbedtls/ssl.h513
-rw-r--r--include/mbedtls/ssl_cache.h14
-rw-r--r--include/mbedtls/ssl_ciphersuites.h154
-rw-r--r--include/mbedtls/ssl_cookie.h14
-rw-r--r--include/mbedtls/ssl_ticket.h38
-rw-r--r--include/mbedtls/threading.h117
-rw-r--r--include/mbedtls/timing.h106
-rw-r--r--include/mbedtls/version.h90
-rw-r--r--include/mbedtls/x509.h103
-rw-r--r--include/mbedtls/x509_crl.h14
-rw-r--r--include/mbedtls/x509_crt.h26
-rw-r--r--include/mbedtls/x509_csr.h79
-rw-r--r--include/psa/build_info.h32
-rw-r--r--include/psa/crypto.h4697
-rw-r--r--include/psa/crypto_adjust_auto_enabled.h33
-rw-r--r--include/psa/crypto_adjust_config_key_pair_types.h103
-rw-r--r--include/psa/crypto_adjust_config_synonyms.h57
-rw-r--r--include/psa/crypto_builtin_composites.h222
-rw-r--r--include/psa/crypto_builtin_key_derivation.h130
-rw-r--r--include/psa/crypto_builtin_primitives.h126
-rw-r--r--include/psa/crypto_compat.h165
-rw-r--r--include/psa/crypto_config.h165
-rw-r--r--include/psa/crypto_driver_common.h56
-rw-r--r--include/psa/crypto_driver_contexts_composites.h163
-rw-r--r--include/psa/crypto_driver_contexts_key_derivation.h64
-rw-r--r--include/psa/crypto_driver_contexts_primitives.h117
-rw-r--r--include/psa/crypto_extra.h2076
-rw-r--r--include/psa/crypto_legacy.h100
-rw-r--r--include/psa/crypto_platform.h104
-rw-r--r--include/psa/crypto_se_driver.h1395
-rw-r--r--include/psa/crypto_sizes.h1294
-rw-r--r--include/psa/crypto_struct.h477
-rw-r--r--include/psa/crypto_types.h472
-rw-r--r--include/psa/crypto_values.h2768
-rw-r--r--library/.gitignore2
-rw-r--r--library/CMakeLists.txt228
-rw-r--r--library/Makefile237
-rw-r--r--library/aes.c2276
-rw-r--r--library/aesce.c515
-rw-r--r--library/aesce.h133
-rw-r--r--library/aesni.c814
-rw-r--r--library/aesni.h170
-rw-r--r--library/alignment.h521
-rw-r--r--library/aria.c1003
-rw-r--r--library/asn1parse.c479
-rw-r--r--library/asn1write.c448
-rw-r--r--library/base64.c311
-rw-r--r--library/base64_internal.h57
-rw-r--r--library/bignum.c2818
-rw-r--r--library/bignum_core.c906
-rw-r--r--library/bignum_core.h775
-rw-r--r--library/bignum_mod.c406
-rw-r--r--library/bignum_mod.h464
-rw-r--r--library/bignum_mod_raw.c288
-rw-r--r--library/bignum_mod_raw.h428
-rw-r--r--library/bignum_mod_raw_invasive.h46
-rw-r--r--library/bn_mul.h1106
-rw-r--r--library/camellia.c1056
-rw-r--r--library/ccm.c724
-rw-r--r--library/chacha20.c509
-rw-r--r--library/chachapoly.c490
-rw-r--r--library/check_crypto_config.h153
-rw-r--r--library/cipher.c1676
-rw-r--r--library/cipher_wrap.c2460
-rw-r--r--library/cipher_wrap.h182
-rw-r--r--library/cmac.c1079
-rw-r--r--library/common.h137
-rw-r--r--library/constant_time.c273
-rw-r--r--library/constant_time_impl.h566
-rw-r--r--library/constant_time_internal.h591
-rw-r--r--library/ctr_drbg.c893
-rw-r--r--library/debug.c18
-rw-r--r--library/debug_internal.h172
-rw-r--r--library/des.c1054
-rw-r--r--library/dhm.c724
-rw-r--r--library/ecdh.c697
-rw-r--r--library/ecdsa.c879
-rw-r--r--library/ecjpake.c1228
-rw-r--r--library/ecp.c3646
-rw-r--r--library/ecp_curves.c5479
-rw-r--r--library/ecp_curves_new.c6055
-rw-r--r--library/ecp_internal_alt.h299
-rw-r--r--library/ecp_invasive.h337
-rw-r--r--library/entropy.c688
-rw-r--r--library/entropy_poll.c241
-rw-r--r--library/entropy_poll.h76
-rw-r--r--library/gcm.c1180
-rw-r--r--library/hkdf.c173
-rw-r--r--library/hmac_drbg.c645
-rw-r--r--library/lmots.c833
-rw-r--r--library/lmots.h323
-rw-r--r--library/lms.c791
-rw-r--r--library/md.c1120
-rw-r--r--library/md5.c438
-rw-r--r--library/md_psa.h75
-rw-r--r--library/md_wrap.h58
-rw-r--r--library/memory_buffer_alloc.c757
-rw-r--r--library/mps_common.h16
-rw-r--r--library/mps_error.h16
-rw-r--r--library/mps_reader.c16
-rw-r--r--library/mps_reader.h16
-rw-r--r--library/mps_trace.c16
-rw-r--r--library/mps_trace.h16
-rw-r--r--library/net_sockets.c30
-rw-r--r--library/nist_kw.c737
-rw-r--r--library/oid.c1166
-rw-r--r--library/padlock.c167
-rw-r--r--library/padlock.h123
-rw-r--r--library/pem.c532
-rw-r--r--library/pk.c982
-rw-r--r--library/pk_internal.h132
-rw-r--r--library/pk_wrap.c1848
-rw-r--r--library/pk_wrap.h168
-rw-r--r--library/pkcs12.c446
-rw-r--r--library/pkcs5.c508
-rw-r--r--library/pkcs7.c18
-rw-r--r--library/pkparse.c1857
-rw-r--r--library/pkwrite.c865
-rw-r--r--library/pkwrite.h124
-rw-r--r--library/platform.c414
-rw-r--r--library/platform_util.c297
-rw-r--r--library/poly1305.c504
-rw-r--r--library/psa_crypto.c8444
-rw-r--r--library/psa_crypto_aead.c665
-rw-r--r--library/psa_crypto_aead.h511
-rw-r--r--library/psa_crypto_cipher.c602
-rw-r--r--library/psa_crypto_cipher.h305
-rw-r--r--library/psa_crypto_client.c79
-rw-r--r--library/psa_crypto_core.h857
-rw-r--r--library/psa_crypto_core_common.h64
-rw-r--r--library/psa_crypto_driver_wrappers_no_static.h43
-rw-r--r--library/psa_crypto_ecp.c573
-rw-r--r--library/psa_crypto_ecp.h279
-rw-r--r--library/psa_crypto_ffdh.c307
-rw-r--r--library/psa_crypto_ffdh.h144
-rw-r--r--library/psa_crypto_hash.c482
-rw-r--r--library/psa_crypto_hash.h223
-rw-r--r--library/psa_crypto_invasive.h89
-rw-r--r--library/psa_crypto_its.h143
-rw-r--r--library/psa_crypto_mac.c508
-rw-r--r--library/psa_crypto_mac.h276
-rw-r--r--library/psa_crypto_pake.c583
-rw-r--r--library/psa_crypto_pake.h171
-rw-r--r--library/psa_crypto_random_impl.h204
-rw-r--r--library/psa_crypto_rsa.c739
-rw-r--r--library/psa_crypto_rsa.h329
-rw-r--r--library/psa_crypto_se.c385
-rw-r--r--library/psa_crypto_se.h204
-rw-r--r--library/psa_crypto_slot_management.c571
-rw-r--r--library/psa_crypto_slot_management.h225
-rw-r--r--library/psa_crypto_storage.c493
-rw-r--r--library/psa_crypto_storage.h396
-rw-r--r--library/psa_its_file.c271
-rw-r--r--library/psa_util.c172
-rw-r--r--library/psa_util_internal.h108
-rw-r--r--library/ripemd160.c502
-rw-r--r--library/rsa.c2652
-rw-r--r--library/rsa_alt_helpers.c459
-rw-r--r--library/rsa_alt_helpers.h220
-rw-r--r--library/sha1.c492
-rw-r--r--library/sha256.c958
-rw-r--r--library/sha3.c638
-rw-r--r--library/sha512.c1123
-rw-r--r--library/ssl_cache.c14
-rw-r--r--library/ssl_ciphersuites.c468
-rw-r--r--library/ssl_ciphersuites_internal.h154
-rw-r--r--library/ssl_client.c74
-rw-r--r--library/ssl_client.h14
-rw-r--r--library/ssl_cookie.c22
-rw-r--r--library/ssl_debug_helpers.h19
-rw-r--r--library/ssl_misc.h300
-rw-r--r--library/ssl_msg.c372
-rw-r--r--library/ssl_ticket.c60
-rw-r--r--library/ssl_tls.c1860
-rw-r--r--library/ssl_tls12_client.c66
-rw-r--r--library/ssl_tls12_server.c156
-rw-r--r--library/ssl_tls13_client.c425
-rw-r--r--library/ssl_tls13_generic.c163
-rw-r--r--library/ssl_tls13_invasive.h14
-rw-r--r--library/ssl_tls13_keys.c28
-rw-r--r--library/ssl_tls13_keys.h14
-rw-r--r--library/ssl_tls13_server.c1163
-rw-r--r--library/threading.c193
-rw-r--r--library/timing.c166
-rw-r--r--library/version.c44
-rw-r--r--library/x509.c22
-rw-r--r--library/x509_create.c70
-rw-r--r--library/x509_crl.c19
-rw-r--r--library/x509_crt.c37
-rw-r--r--library/x509_csr.c169
-rw-r--r--library/x509_internal.h86
-rw-r--r--library/x509write.c16
-rw-r--r--library/x509write_crt.c23
-rw-r--r--library/x509write_csr.c26
-rw-r--r--pkgconfig/.gitignore2
-rw-r--r--pkgconfig/CMakeLists.txt25
-rw-r--r--pkgconfig/JoinPaths.cmake27
-rw-r--r--pkgconfig/mbedcrypto.pc.in10
-rw-r--r--pkgconfig/mbedtls.pc.in11
-rw-r--r--pkgconfig/mbedx509.pc.in11
-rw-r--r--programs/.gitignore2
-rw-r--r--programs/Makefile88
-rw-r--r--programs/aes/CMakeLists.txt2
-rw-r--r--programs/aes/crypt_and_hash.c20
-rw-r--r--programs/cipher/CMakeLists.txt2
-rw-r--r--programs/cipher/cipher_aead_demo.c14
-rw-r--r--programs/fuzz/CMakeLists.txt1
-rw-r--r--programs/fuzz/Makefile33
-rw-r--r--programs/fuzz/fuzz_client.c2
-rw-r--r--programs/fuzz/fuzz_dtlsclient.c2
-rw-r--r--programs/fuzz/fuzz_dtlsserver.c8
-rw-r--r--programs/fuzz/fuzz_privkey.c4
-rw-r--r--programs/fuzz/fuzz_pubkey.c12
-rw-r--r--programs/fuzz/fuzz_server.c2
-rw-r--r--programs/fuzz/fuzz_x509crl.c2
-rw-r--r--programs/fuzz/fuzz_x509crt.c2
-rw-r--r--programs/fuzz/fuzz_x509csr.c2
-rw-r--r--programs/hash/CMakeLists.txt2
-rw-r--r--programs/hash/generic_sum.c14
-rw-r--r--programs/hash/hello.c14
-rw-r--r--programs/hash/md_hmac_demo.c14
-rw-r--r--programs/pkey/CMakeLists.txt4
-rw-r--r--programs/pkey/dh_client.c64
-rw-r--r--programs/pkey/dh_genprime.c14
-rw-r--r--programs/pkey/dh_server.c68
-rw-r--r--programs/pkey/ecdh_curve25519.c14
-rw-r--r--programs/pkey/ecdsa.c37
-rw-r--r--programs/pkey/gen_key.c123
-rw-r--r--programs/pkey/key_app.c108
-rw-r--r--programs/pkey/key_app_writer.c132
-rw-r--r--programs/pkey/mpi_demo.c14
-rw-r--r--programs/pkey/pk_decrypt.c14
-rw-r--r--programs/pkey/pk_encrypt.c14
-rw-r--r--programs/pkey/pk_sign.c14
-rw-r--r--programs/pkey/pk_verify.c14
-rw-r--r--programs/pkey/rsa_decrypt.c16
-rw-r--r--programs/pkey/rsa_encrypt.c16
-rw-r--r--programs/pkey/rsa_genkey.c14
-rw-r--r--programs/pkey/rsa_sign.c16
-rw-r--r--programs/pkey/rsa_sign_pss.c14
-rw-r--r--programs/pkey/rsa_verify.c29
-rw-r--r--programs/pkey/rsa_verify_pss.c14
-rw-r--r--programs/psa/CMakeLists.txt6
-rw-r--r--programs/psa/aead_demo.c14
-rw-r--r--programs/psa/crypto_examples.c14
-rw-r--r--programs/psa/hmac_demo.c14
-rw-r--r--programs/psa/key_ladder_demo.c14
-rwxr-xr-xprograms/psa/key_ladder_demo.sh14
-rw-r--r--programs/psa/psa_constant_names.c14
-rw-r--r--programs/psa/psa_hash.c14
-rwxr-xr-xprograms/psa/psa_hash_demo.sh20
-rw-r--r--programs/random/CMakeLists.txt2
-rw-r--r--programs/random/gen_entropy.c14
-rw-r--r--programs/random/gen_random_ctr_drbg.c14
-rw-r--r--programs/ssl/CMakeLists.txt3
-rw-r--r--programs/ssl/dtls_client.c14
-rw-r--r--programs/ssl/dtls_server.c14
-rw-r--r--programs/ssl/mini_client.c16
-rw-r--r--programs/ssl/ssl_client1.c14
-rw-r--r--programs/ssl/ssl_client2.c262
-rw-r--r--programs/ssl/ssl_context_info.c33
-rw-r--r--programs/ssl/ssl_fork_server.c14
-rw-r--r--programs/ssl/ssl_mail_client.c41
-rw-r--r--programs/ssl/ssl_pthread_server.c14
-rw-r--r--programs/ssl/ssl_server.c14
-rw-r--r--programs/ssl/ssl_server2.c235
-rw-r--r--programs/ssl/ssl_test_common_source.c18
-rw-r--r--programs/ssl/ssl_test_lib.c77
-rw-r--r--programs/ssl/ssl_test_lib.h39
-rw-r--r--programs/test/CMakeLists.txt30
-rw-r--r--programs/test/benchmark.c245
-rw-r--r--programs/test/cmake_package/.gitignore1
-rw-r--r--programs/test/cmake_package/cmake_package.c14
-rw-r--r--programs/test/cmake_package_install/.gitignore1
-rw-r--r--programs/test/cmake_package_install/cmake_package_install.c14
-rw-r--r--programs/test/cmake_subproject/CMakeLists.txt2
-rw-r--r--programs/test/cmake_subproject/cmake_subproject.c14
-rw-r--r--programs/test/dlopen.c14
-rwxr-xr-xprograms/test/dlopen_demo.sh14
-rwxr-xr-xprograms/test/generate_cpp_dummy_build.sh44
-rw-r--r--programs/test/metatest.c484
-rw-r--r--programs/test/query_compile_time_config.c14
-rw-r--r--programs/test/query_config.h14
-rw-r--r--programs/test/query_included_headers.c14
-rw-r--r--programs/test/selftest.c19
-rw-r--r--programs/test/udp_proxy.c15
-rwxr-xr-xprograms/test/udp_proxy_wrapper.sh14
-rw-r--r--programs/test/zeroize.c14
-rw-r--r--programs/util/CMakeLists.txt2
-rw-r--r--programs/util/pem2der.c14
-rw-r--r--programs/util/strerror.c14
-rw-r--r--programs/wince_main.c14
-rw-r--r--programs/x509/CMakeLists.txt2
-rw-r--r--programs/x509/cert_app.c14
-rw-r--r--programs/x509/cert_req.c23
-rw-r--r--programs/x509/cert_write.c22
-rw-r--r--programs/x509/crl_app.c14
-rw-r--r--programs/x509/load_roots.c39
-rw-r--r--programs/x509/req_app.c14
-rwxr-xr-xscripts/abi_check.py33
-rwxr-xr-xscripts/apidoc_full.sh14
-rwxr-xr-xscripts/assemble_changelog.py21
-rwxr-xr-xscripts/bump_version.sh14
-rw-r--r--scripts/ci.requirements.txt4
-rwxr-xr-xscripts/code_size_compare.py27
-rwxr-xr-xscripts/code_style.py76
-rw-r--r--scripts/common.make168
-rwxr-xr-xscripts/config.pl13
-rwxr-xr-xscripts/config.py51
-rw-r--r--scripts/data_files/driver_jsons/p256_transparent_driver.json2
-rw-r--r--scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja123
-rw-r--r--scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja28
-rw-r--r--scripts/data_files/error.fmt14
-rw-r--r--scripts/data_files/query_config.fmt14
-rw-r--r--scripts/data_files/version_features.fmt14
-rw-r--r--scripts/data_files/vs2013-app-template.vcxproj171
-rw-r--r--scripts/data_files/vs2013-main-template.vcxproj159
-rw-r--r--scripts/data_files/vs2013-sln-template.sln30
-rw-r--r--scripts/data_files/vs2017-app-template.vcxproj175
-rw-r--r--scripts/data_files/vs2017-main-template.vcxproj163
-rw-r--r--scripts/data_files/vs2017-sln-template.sln30
-rwxr-xr-xscripts/ecc-heap.sh14
-rwxr-xr-xscripts/ecp_comb_table.py14
-rw-r--r--scripts/find-mem-leak.cocci20
-rwxr-xr-xscripts/footprint.sh14
-rw-r--r--scripts/framework_scripts_path.py17
-rwxr-xr-xscripts/generate_driver_wrappers.py51
-rwxr-xr-xscripts/generate_errors.pl39
-rwxr-xr-xscripts/generate_features.pl16
-rwxr-xr-xscripts/generate_psa_constants.py24
-rwxr-xr-xscripts/generate_query_config.pl16
-rwxr-xr-xscripts/generate_ssl_debug_helpers.py33
-rwxr-xr-xscripts/generate_visualc_files.pl74
-rwxr-xr-xscripts/lcov.sh51
-rw-r--r--scripts/make_generated_files.bat9
-rwxr-xr-xscripts/massif_max.pl14
-rw-r--r--scripts/mbedtls_dev/__init__.py3
-rw-r--r--scripts/mbedtls_dev/asymmetric_key_data.py166
-rw-r--r--scripts/mbedtls_dev/bignum_common.py417
-rw-r--r--scripts/mbedtls_dev/bignum_core.py907
-rw-r--r--scripts/mbedtls_dev/bignum_data.py170
-rw-r--r--scripts/mbedtls_dev/bignum_mod.py113
-rw-r--r--scripts/mbedtls_dev/bignum_mod_raw.py253
-rw-r--r--scripts/mbedtls_dev/build_tree.py74
-rw-r--r--scripts/mbedtls_dev/c_build_helper.py173
-rw-r--r--scripts/mbedtls_dev/crypto_data_tests.py123
-rw-r--r--scripts/mbedtls_dev/crypto_knowledge.py579
-rw-r--r--scripts/mbedtls_dev/ecp.py886
-rw-r--r--scripts/mbedtls_dev/logging_util.py57
-rw-r--r--scripts/mbedtls_dev/macro_collector.py550
-rw-r--r--scripts/mbedtls_dev/psa_information.py162
-rw-r--r--scripts/mbedtls_dev/psa_storage.py217
-rw-r--r--scripts/mbedtls_dev/test_case.py102
-rw-r--r--scripts/mbedtls_dev/test_data_generation.py235
-rw-r--r--scripts/mbedtls_dev/typing_util.py39
-rwxr-xr-xscripts/memory.sh14
-rwxr-xr-xscripts/min_requirements.py18
-rwxr-xr-xscripts/output_env.sh14
-rwxr-xr-xscripts/prepare_release.sh18
-rw-r--r--scripts/rm-calloc-cast.cocci7
-rwxr-xr-xscripts/tmp_ignore_makefiles.sh14
-rw-r--r--scripts/windows_msbuild.bat2
-rw-r--r--tests/.gitignore22
-rw-r--r--tests/CMakeLists.txt113
-rw-r--r--tests/Makefile244
-rwxr-xr-xtests/compat-in-docker.sh14
-rwxr-xr-xtests/compat.sh174
-rw-r--r--tests/configs/tls13-only.h14
-rw-r--r--tests/configs/user-config-for-test.h70
-rw-r--r--tests/configs/user-config-malloc-0-null.h14
-rw-r--r--tests/configs/user-config-zeroize-memset.h14
-rwxr-xr-xtests/context-info.sh18
-rw-r--r--tests/data_files/.gitignore3
-rw-r--r--tests/data_files/Makefile2159
-rw-r--r--tests/data_files/Readme-x509.txt135
-rw-r--r--tests/data_files/authorityKeyId_no_authorityKeyId.crt.derbin809 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_no_issuer.crt.derbin842 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_no_keyid.crt.derbin909 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId.conf19
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.derbin931 -> 0 bytes
-rw-r--r--tests/data_files/base64/cli_cid.txt2
-rw-r--r--tests/data_files/base64/cli_ciphersuite.txt2
-rw-r--r--tests/data_files/base64/cli_def.txt2
-rw-r--r--tests/data_files/base64/cli_min_cfg.txt2
-rw-r--r--tests/data_files/base64/cli_no_alpn.txt3
-rw-r--r--tests/data_files/base64/cli_no_keep_cert.txt2
-rw-r--r--tests/data_files/base64/cli_no_mfl.txt2
-rw-r--r--tests/data_files/base64/cli_no_packing.txt2
-rw-r--r--tests/data_files/base64/def_b64_ff.bin5
-rw-r--r--tests/data_files/base64/def_b64_too_big_1.txt2
-rw-r--r--tests/data_files/base64/def_b64_too_big_2.txt2
-rw-r--r--tests/data_files/base64/def_b64_too_big_3.txt2
-rw-r--r--tests/data_files/base64/def_bad_b64.txt2
-rw-r--r--tests/data_files/base64/mfl_1024.txt2
-rw-r--r--tests/data_files/base64/mtu_10000.txt2
-rw-r--r--tests/data_files/base64/srv_cid.txt2
-rw-r--r--tests/data_files/base64/srv_ciphersuite.txt2
-rw-r--r--tests/data_files/base64/srv_def.txt2
-rw-r--r--tests/data_files/base64/srv_min_cfg.txt2
-rw-r--r--tests/data_files/base64/srv_no_alpn.txt2
-rw-r--r--tests/data_files/base64/srv_no_keep_cert.txt2
-rw-r--r--tests/data_files/base64/srv_no_mfl.txt2
-rw-r--r--tests/data_files/base64/srv_no_packing.txt2
-rw-r--r--tests/data_files/base64/v2.19.1.txt2
-rw-r--r--tests/data_files/cert_example_multi.crt17
-rw-r--r--tests/data_files/cert_example_multi_nocn.crt16
-rw-r--r--tests/data_files/cert_example_wildcard.crt20
-rw-r--r--tests/data_files/cert_md5.crt20
-rw-r--r--tests/data_files/cert_md5.csr16
-rw-r--r--tests/data_files/cert_sha1.crt20
-rw-r--r--tests/data_files/cert_sha224.crt20
-rw-r--r--tests/data_files/cert_sha256.crt20
-rw-r--r--tests/data_files/cert_sha384.crt20
-rw-r--r--tests/data_files/cert_sha512.crt20
-rw-r--r--tests/data_files/cert_v1_with_ext.crt23
-rw-r--r--tests/data_files/cli-rsa-sha1.crt20
-rw-r--r--tests/data_files/cli-rsa-sha256.crt20
-rw-r--r--tests/data_files/cli-rsa-sha256.crt.derbin835 -> 0 bytes
-rw-r--r--tests/data_files/cli-rsa-sha256.key.derbin1192 -> 0 bytes
-rw-r--r--tests/data_files/cli-rsa.key27
-rw-r--r--tests/data_files/cli-rsa.key.derbin1192 -> 0 bytes
-rw-r--r--tests/data_files/cli.opensslconf4
-rw-r--r--tests/data_files/cli2.crt13
-rw-r--r--tests/data_files/cli2.crt.derbin483 -> 0 bytes
-rw-r--r--tests/data_files/cli2.key5
-rw-r--r--tests/data_files/cli2.key.derbin121 -> 0 bytes
-rw-r--r--tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.derbin396 -> 0 bytes
-rw-r--r--tests/data_files/crl-ec-sha1.pem10
-rw-r--r--tests/data_files/crl-ec-sha256.pem10
-rw-r--r--tests/data_files/crl-future.pem11
-rw-r--r--tests/data_files/crl-futureRevocationDate.pem11
-rw-r--r--tests/data_files/crl-rsa-pss-sha1-badsign.pem14
-rw-r--r--tests/data_files/crl-rsa-pss-sha1.pem14
-rw-r--r--tests/data_files/crl-rsa-pss-sha224.pem16
-rw-r--r--tests/data_files/crl-rsa-pss-sha256.pem16
-rw-r--r--tests/data_files/crl-rsa-pss-sha384.pem16
-rw-r--r--tests/data_files/crl-rsa-pss-sha512.pem16
-rw-r--r--tests/data_files/crl.pem11
-rw-r--r--tests/data_files/crl_cat_ec-rsa.pem21
-rw-r--r--tests/data_files/crl_cat_ecfut-rsa.pem22
-rw-r--r--tests/data_files/crl_cat_rsa-ec.pem21
-rw-r--r--tests/data_files/crl_cat_rsabadpem-ec.pem21
-rw-r--r--tests/data_files/crl_expired.pem11
-rw-r--r--tests/data_files/crl_sha256.pem11
-rw-r--r--tests/data_files/crt_cat_rsaexp-ec.pem21
-rw-r--r--tests/data_files/dh.1000.pem34
-rw-r--r--tests/data_files/dh.998.pem17
-rw-r--r--tests/data_files/dh.999.pem17
-rw-r--r--tests/data_files/dh.optlen.derbin530 -> 0 bytes
-rw-r--r--tests/data_files/dh.optlen.pem58
-rw-r--r--tests/data_files/dhparams.pem5
-rw-r--r--tests/data_files/dir-maxpath/00.crt11
-rw-r--r--tests/data_files/dir-maxpath/00.key8
-rw-r--r--tests/data_files/dir-maxpath/01.crt13
-rw-r--r--tests/data_files/dir-maxpath/01.key8
-rw-r--r--tests/data_files/dir-maxpath/02.crt12
-rw-r--r--tests/data_files/dir-maxpath/02.key8
-rw-r--r--tests/data_files/dir-maxpath/03.crt12
-rw-r--r--tests/data_files/dir-maxpath/03.key8
-rw-r--r--tests/data_files/dir-maxpath/04.crt12
-rw-r--r--tests/data_files/dir-maxpath/04.key8
-rw-r--r--tests/data_files/dir-maxpath/05.crt12
-rw-r--r--tests/data_files/dir-maxpath/05.key8
-rw-r--r--tests/data_files/dir-maxpath/06.crt12
-rw-r--r--tests/data_files/dir-maxpath/06.key8
-rw-r--r--tests/data_files/dir-maxpath/07.crt12
-rw-r--r--tests/data_files/dir-maxpath/07.key8
-rw-r--r--tests/data_files/dir-maxpath/08.crt12
-rw-r--r--tests/data_files/dir-maxpath/08.key8
-rw-r--r--tests/data_files/dir-maxpath/09.crt12
-rw-r--r--tests/data_files/dir-maxpath/09.key8
-rw-r--r--tests/data_files/dir-maxpath/10.crt12
-rw-r--r--tests/data_files/dir-maxpath/10.key8
-rw-r--r--tests/data_files/dir-maxpath/11.crt12
-rw-r--r--tests/data_files/dir-maxpath/11.key8
-rw-r--r--tests/data_files/dir-maxpath/12.crt12
-rw-r--r--tests/data_files/dir-maxpath/12.key8
-rw-r--r--tests/data_files/dir-maxpath/13.crt12
-rw-r--r--tests/data_files/dir-maxpath/13.key8
-rw-r--r--tests/data_files/dir-maxpath/14.crt12
-rw-r--r--tests/data_files/dir-maxpath/14.key8
-rw-r--r--tests/data_files/dir-maxpath/15.crt12
-rw-r--r--tests/data_files/dir-maxpath/15.key8
-rw-r--r--tests/data_files/dir-maxpath/16.crt12
-rw-r--r--tests/data_files/dir-maxpath/16.key8
-rw-r--r--tests/data_files/dir-maxpath/17.crt12
-rw-r--r--tests/data_files/dir-maxpath/17.key8
-rw-r--r--tests/data_files/dir-maxpath/18.crt12
-rw-r--r--tests/data_files/dir-maxpath/18.key8
-rw-r--r--tests/data_files/dir-maxpath/19.crt12
-rw-r--r--tests/data_files/dir-maxpath/19.key8
-rw-r--r--tests/data_files/dir-maxpath/20.crt12
-rw-r--r--tests/data_files/dir-maxpath/20.key8
-rw-r--r--tests/data_files/dir-maxpath/Readme.txt10
-rw-r--r--tests/data_files/dir-maxpath/c00.pem11
-rw-r--r--tests/data_files/dir-maxpath/c01.pem24
-rw-r--r--tests/data_files/dir-maxpath/c02.pem36
-rw-r--r--tests/data_files/dir-maxpath/c03.pem48
-rw-r--r--tests/data_files/dir-maxpath/c04.pem60
-rw-r--r--tests/data_files/dir-maxpath/c05.pem72
-rw-r--r--tests/data_files/dir-maxpath/c06.pem84
-rw-r--r--tests/data_files/dir-maxpath/c07.pem96
-rw-r--r--tests/data_files/dir-maxpath/c08.pem108
-rw-r--r--tests/data_files/dir-maxpath/c09.pem120
-rw-r--r--tests/data_files/dir-maxpath/c10.pem132
-rw-r--r--tests/data_files/dir-maxpath/c11.pem144
-rw-r--r--tests/data_files/dir-maxpath/c12.pem156
-rw-r--r--tests/data_files/dir-maxpath/c13.pem168
-rw-r--r--tests/data_files/dir-maxpath/c14.pem180
-rw-r--r--tests/data_files/dir-maxpath/c15.pem192
-rw-r--r--tests/data_files/dir-maxpath/c16.pem204
-rw-r--r--tests/data_files/dir-maxpath/c17.pem216
-rw-r--r--tests/data_files/dir-maxpath/c18.pem228
-rw-r--r--tests/data_files/dir-maxpath/c19.pem240
-rw-r--r--tests/data_files/dir-maxpath/c20.pem252
-rw-r--r--tests/data_files/dir-maxpath/int.opensslconf4
-rwxr-xr-xtests/data_files/dir-maxpath/long.sh50
-rw-r--r--tests/data_files/dir1/test-ca.crt80
-rw-r--r--tests/data_files/dir2/test-ca.crt80
-rw-r--r--tests/data_files/dir2/test-ca2.crt15
-rw-r--r--tests/data_files/dir3/Readme1
-rw-r--r--tests/data_files/dir3/test-ca.crt80
-rw-r--r--tests/data_files/dir3/test-ca2.crt15
-rw-r--r--tests/data_files/dir4/Readme47
-rw-r--r--tests/data_files/dir4/cert11.crt18
-rw-r--r--tests/data_files/dir4/cert12.crt19
-rw-r--r--tests/data_files/dir4/cert13.crt19
-rw-r--r--tests/data_files/dir4/cert14.crt19
-rw-r--r--tests/data_files/dir4/cert21.crt18
-rw-r--r--tests/data_files/dir4/cert22.crt19
-rw-r--r--tests/data_files/dir4/cert23.crt19
-rw-r--r--tests/data_files/dir4/cert31.crt18
-rw-r--r--tests/data_files/dir4/cert32.crt19
-rw-r--r--tests/data_files/dir4/cert33.crt19
-rw-r--r--tests/data_files/dir4/cert34.crt19
-rw-r--r--tests/data_files/dir4/cert41.crt18
-rw-r--r--tests/data_files/dir4/cert42.crt19
-rw-r--r--tests/data_files/dir4/cert43.crt19
-rw-r--r--tests/data_files/dir4/cert44.crt19
-rw-r--r--tests/data_files/dir4/cert45.crt19
-rw-r--r--tests/data_files/dir4/cert51.crt18
-rw-r--r--tests/data_files/dir4/cert52.crt19
-rw-r--r--tests/data_files/dir4/cert53.crt19
-rw-r--r--tests/data_files/dir4/cert54.crt19
-rw-r--r--tests/data_files/dir4/cert61.crt18
-rw-r--r--tests/data_files/dir4/cert62.crt19
-rw-r--r--tests/data_files/dir4/cert63.crt19
-rw-r--r--tests/data_files/dir4/cert71.crt18
-rw-r--r--tests/data_files/dir4/cert72.crt19
-rw-r--r--tests/data_files/dir4/cert73.crt19
-rw-r--r--tests/data_files/dir4/cert74.crt19
-rw-r--r--tests/data_files/dir4/cert81.crt11
-rw-r--r--tests/data_files/dir4/cert82.crt11
-rw-r--r--tests/data_files/dir4/cert83.crt11
-rw-r--r--tests/data_files/dir4/cert91.crt11
-rw-r--r--tests/data_files/dir4/cert92.crt11
-rw-r--r--tests/data_files/ec_224_prv.comp.pem4
-rw-r--r--tests/data_files/ec_224_prv.pem5
-rw-r--r--tests/data_files/ec_224_pub.comp.pem4
-rw-r--r--tests/data_files/ec_224_pub.pem4
-rw-r--r--tests/data_files/ec_256_long_prv.derbin121 -> 0 bytes
-rw-r--r--tests/data_files/ec_256_long_prv.pem5
-rw-r--r--tests/data_files/ec_256_prv.comp.pem4
-rw-r--r--tests/data_files/ec_256_prv.pem5
-rw-r--r--tests/data_files/ec_256_pub.comp.pem4
-rw-r--r--tests/data_files/ec_256_pub.pem4
-rw-r--r--tests/data_files/ec_384_prv.comp.pem5
-rw-r--r--tests/data_files/ec_384_prv.pem6
-rw-r--r--tests/data_files/ec_384_pub.comp.pem4
-rw-r--r--tests/data_files/ec_384_pub.pem5
-rw-r--r--tests/data_files/ec_521_prv.comp.pem6
-rw-r--r--tests/data_files/ec_521_prv.derbin223 -> 0 bytes
-rw-r--r--tests/data_files/ec_521_prv.pem7
-rw-r--r--tests/data_files/ec_521_pub.comp.pem4
-rw-r--r--tests/data_files/ec_521_pub.derbin158 -> 0 bytes
-rw-r--r--tests/data_files/ec_521_pub.pem6
-rw-r--r--tests/data_files/ec_521_short_prv.derbin223 -> 0 bytes
-rw-r--r--tests/data_files/ec_521_short_prv.pem7
-rw-r--r--tests/data_files/ec_bp256_prv.comp.pem4
-rw-r--r--tests/data_files/ec_bp256_prv.pem5
-rw-r--r--tests/data_files/ec_bp256_pub.comp.pem4
-rw-r--r--tests/data_files/ec_bp256_pub.pem4
-rw-r--r--tests/data_files/ec_bp384_prv.comp.pem5
-rw-r--r--tests/data_files/ec_bp384_prv.pem6
-rw-r--r--tests/data_files/ec_bp384_pub.comp.pem4
-rw-r--r--tests/data_files/ec_bp384_pub.pem5
-rw-r--r--tests/data_files/ec_bp512_prv.comp.pem6
-rw-r--r--tests/data_files/ec_bp512_prv.derbin221 -> 0 bytes
-rw-r--r--tests/data_files/ec_bp512_prv.pem7
-rw-r--r--tests/data_files/ec_bp512_pub.comp.pem4
-rw-r--r--tests/data_files/ec_bp512_pub.derbin158 -> 0 bytes
-rw-r--r--tests/data_files/ec_bp512_pub.pem6
-rw-r--r--tests/data_files/ec_prv.pk8.derbin113 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.pk8.pem5
-rw-r--r--tests/data_files/ec_prv.pk8.pw.derbin148 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.pk8.pw.pem6
-rw-r--r--tests/data_files/ec_prv.pk8nopub.derbin67 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.pk8nopub.pem4
-rw-r--r--tests/data_files/ec_prv.pk8nopubparam.derbin79 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.pk8nopubparam.pem4
-rw-r--r--tests/data_files/ec_prv.pk8param.derbin150 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.pk8param.pem5
-rw-r--r--tests/data_files/ec_prv.sec1.comp.pem4
-rw-r--r--tests/data_files/ec_prv.sec1.derbin97 -> 0 bytes
-rw-r--r--tests/data_files/ec_prv.sec1.pem5
-rw-r--r--tests/data_files/ec_prv.sec1.pw.pem8
-rw-r--r--tests/data_files/ec_prv.specdom.derbin214 -> 0 bytes
-rw-r--r--tests/data_files/ec_pub.comp.pem4
-rw-r--r--tests/data_files/ec_pub.derbin75 -> 0 bytes
-rw-r--r--tests/data_files/ec_pub.pem4
-rw-r--r--tests/data_files/ec_x25519_prv.derbin48 -> 0 bytes
-rw-r--r--tests/data_files/ec_x25519_prv.pem3
-rw-r--r--tests/data_files/ec_x25519_pub.derbin44 -> 0 bytes
-rw-r--r--tests/data_files/ec_x25519_pub.pem3
-rw-r--r--tests/data_files/ec_x448_prv.derbin72 -> 0 bytes
-rw-r--r--tests/data_files/ec_x448_prv.pem4
-rw-r--r--tests/data_files/ec_x448_pub.derbin68 -> 0 bytes
-rw-r--r--tests/data_files/ec_x448_pub.pem4
-rw-r--r--tests/data_files/ecdsa_secp256r1.crt10
-rw-r--r--tests/data_files/ecdsa_secp256r1.key5
-rw-r--r--tests/data_files/ecdsa_secp384r1.crt11
-rw-r--r--tests/data_files/ecdsa_secp384r1.key6
-rw-r--r--tests/data_files/ecdsa_secp521r1.crt12
-rw-r--r--tests/data_files/ecdsa_secp521r1.key7
-rw-r--r--tests/data_files/enco-ca-prstr.pem15
-rw-r--r--tests/data_files/enco-cert-utf8str.pem14
-rw-r--r--tests/data_files/format_gen.key16
-rw-r--r--tests/data_files/format_gen.pub6
-rw-r--r--tests/data_files/format_pkcs12.fmtbin3381 -> 0 bytes
-rw-r--r--tests/data_files/format_rsa.key15
-rw-r--r--tests/data_files/hash_file_1bin5120 -> 0 bytes
-rw-r--r--tests/data_files/hash_file_22
-rw-r--r--tests/data_files/hash_file_3bin13 -> 0 bytes
-rw-r--r--tests/data_files/hash_file_51
-rw-r--r--tests/data_files/keyUsage.decipherOnly.crt14
-rw-r--r--tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_auxbin10916 -> 0 bytes
-rw-r--r--tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prvbin64 -> 0 bytes
-rw-r--r--tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pubbin60 -> 0 bytes
-rw-r--r--tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prvbin71932 -> 0 bytes
-rw-r--r--tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prvbin68 -> 0 bytes
-rw-r--r--tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pubbin60 -> 0 bytes
-rw-r--r--tests/data_files/mpi_161
-rw-r--r--tests/data_files/mpi_too_big1
-rw-r--r--tests/data_files/parse_input/bitstring-in-dn.pem51
-rw-r--r--tests/data_files/parse_input/cert_example_multi.crt17
-rw-r--r--tests/data_files/parse_input/cert_example_multi_nocn.crt13
-rw-r--r--tests/data_files/parse_input/cert_md5.crt20
-rw-r--r--tests/data_files/parse_input/cert_sha1.crt20
-rw-r--r--tests/data_files/parse_input/cert_sha224.crt20
-rw-r--r--tests/data_files/parse_input/cert_sha256.crt20
-rw-r--r--tests/data_files/parse_input/cert_sha384.crt20
-rw-r--r--tests/data_files/parse_input/cert_sha512.crt20
-rw-r--r--tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.derbin835 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/crl-ec-sha1.pem10
-rw-r--r--tests/data_files/parse_input/crl-ec-sha224.pem10
-rw-r--r--tests/data_files/parse_input/crl-ec-sha256.pem10
-rw-r--r--tests/data_files/parse_input/crl-ec-sha384.pem10
-rw-r--r--tests/data_files/parse_input/crl-ec-sha512.pem10
-rw-r--r--tests/data_files/parse_input/crl-idp.pem12
-rw-r--r--tests/data_files/parse_input/crl-idpnc.pem12
-rw-r--r--tests/data_files/parse_input/crl-malformed-trailing-spaces.pem20
-rw-r--r--tests/data_files/parse_input/crl-rsa-pss-sha1.pem14
-rw-r--r--tests/data_files/parse_input/crl-rsa-pss-sha224.pem16
-rw-r--r--tests/data_files/parse_input/crl-rsa-pss-sha256.pem16
-rw-r--r--tests/data_files/parse_input/crl-rsa-pss-sha384.pem16
-rw-r--r--tests/data_files/parse_input/crl-rsa-pss-sha512.pem16
-rw-r--r--tests/data_files/parse_input/crl_expired.pem11
-rw-r--r--tests/data_files/parse_input/crl_md5.pem11
-rw-r--r--tests/data_files/parse_input/crl_sha1.pem11
-rw-r--r--tests/data_files/parse_input/crl_sha224.pem11
-rw-r--r--tests/data_files/parse_input/crl_sha256.pem11
-rw-r--r--tests/data_files/parse_input/crl_sha384.pem11
-rw-r--r--tests/data_files/parse_input/crl_sha512.pem11
-rw-r--r--tests/data_files/parse_input/keyUsage.decipherOnly.crt14
-rw-r--r--tests/data_files/parse_input/multiple_san.crt12
-rw-r--r--tests/data_files/parse_input/non-ascii-string-in-issuer.crt22
-rw-r--r--tests/data_files/parse_input/rsa_multiple_san_uri.crt.derbin954 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/rsa_single_san_uri.crt.derbin898 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server1-ms.req.sha25616
-rw-r--r--tests/data_files/parse_input/server1.cert_type.crt20
-rw-r--r--tests/data_files/parse_input/server1.crt20
-rw-r--r--tests/data_files/parse_input/server1.crt.derbin835 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server1.ext_ku.crt22
-rw-r--r--tests/data_files/parse_input/server1.key_usage.crt20
-rw-r--r--tests/data_files/parse_input/server1.req.commas.sha25616
-rw-r--r--tests/data_files/parse_input/server1.req.md516
-rw-r--r--tests/data_files/parse_input/server1.req.sha116
-rw-r--r--tests/data_files/parse_input/server1.req.sha22416
-rw-r--r--tests/data_files/parse_input/server1.req.sha25616
-rw-r--r--tests/data_files/parse_input/server1.req.sha38416
-rw-r--r--tests/data_files/parse_input/server1.req.sha51216
-rw-r--r--tests/data_files/parse_input/server1_pathlen_int_max-1.crt20
-rw-r--r--tests/data_files/parse_input/server1_pathlen_int_max.crt20
-rw-r--r--tests/data_files/parse_input/server2.crt20
-rw-r--r--tests/data_files/parse_input/server2.crt.derbin827 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server3.crt17
-rw-r--r--tests/data_files/parse_input/server4.crt18
-rw-r--r--tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.derbin525 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-directoryname.crt.derbin498 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-fan.crt.derbin408 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-non-compliant.crt12
-rw-r--r--tests/data_files/parse_input/server5-nonprintable_othername.crt.derbin483 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-othername.crt.derbin449 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.derbin525 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-sha1.crt14
-rw-r--r--tests/data_files/parse_input/server5-sha224.crt14
-rw-r--r--tests/data_files/parse_input/server5-sha384.crt14
-rw-r--r--tests/data_files/parse_input/server5-sha512.crt14
-rw-r--r--tests/data_files/parse_input/server5-two-directorynames.crt.derbin525 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5-unsupported_othername.crt.derbin472 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/server5.crt14
-rw-r--r--tests/data_files/parse_input/server5.req.sha18
-rw-r--r--tests/data_files/parse_input/server5.req.sha2248
-rw-r--r--tests/data_files/parse_input/server5.req.sha2568
-rw-r--r--tests/data_files/parse_input/server5.req.sha3848
-rw-r--r--tests/data_files/parse_input/server5.req.sha5128
-rw-r--r--tests/data_files/parse_input/server7_all_space.crt47
-rw-r--r--tests/data_files/parse_input/server7_int-ca.crt47
-rw-r--r--tests/data_files/parse_input/server7_pem_space.crt47
-rw-r--r--tests/data_files/parse_input/server7_trailing_space.crt47
-rw-r--r--tests/data_files/parse_input/server9-sha224.crt20
-rw-r--r--tests/data_files/parse_input/server9-sha256.crt20
-rw-r--r--tests/data_files/parse_input/server9-sha384.crt20
-rw-r--r--tests/data_files/parse_input/server9-sha512.crt20
-rw-r--r--tests/data_files/parse_input/server9.crt19
-rw-r--r--tests/data_files/parse_input/server9.req.sha111
-rw-r--r--tests/data_files/parse_input/server9.req.sha22412
-rw-r--r--tests/data_files/parse_input/server9.req.sha25612
-rw-r--r--tests/data_files/parse_input/server9.req.sha38412
-rw-r--r--tests/data_files/parse_input/server9.req.sha51212
-rw-r--r--tests/data_files/parse_input/test-ca-any_policy.crt19
-rw-r--r--tests/data_files/parse_input/test-ca-any_policy_ec.crt12
-rw-r--r--tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt20
-rw-r--r--tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt13
-rw-r--r--tests/data_files/parse_input/test-ca-multi_policy.crt19
-rw-r--r--tests/data_files/parse_input/test-ca-multi_policy_ec.crt12
-rw-r--r--tests/data_files/parse_input/test-ca-unsupported_policy.crt19
-rw-r--r--tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt12
-rw-r--r--tests/data_files/parse_input/test-ca.crt20
-rw-r--r--tests/data_files/parse_input/test-ca.crt.derbin837 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_cert_rfc822name.crt.derbin677 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.derbin437 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_keyUsage.csr.derbin368 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_nsCertType.csr.derbin374 -> 0 bytes
-rw-r--r--tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.derbin407 -> 0 bytes
-rw-r--r--tests/data_files/passwd.psk1
-rw-r--r--tests/data_files/pkcs7-rsa-expired.crt20
-rw-r--r--tests/data_files/pkcs7-rsa-expired.derbin857 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7-rsa-expired.key28
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-1.crt20
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-1.derbin845 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-1.key28
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-1.pem48
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-2.crt20
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-2.derbin845 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-2.key28
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-2.pem48
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-3.crt20
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-3.key28
-rw-r--r--tests/data_files/pkcs7-rsa-sha256-3.pem48
-rw-r--r--tests/data_files/pkcs7_data.bin1
-rw-r--r--tests/data_files/pkcs7_data_1.bin1
-rw-r--r--tests/data_files/pkcs7_data_3_signed.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_encrypted.derbin452 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_signed_sha1.derbin1276 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_signed_sha256.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_signed_sha512.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_signed_v2.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_cert_signeddata_sha256.derbin1265 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_multiple_certs_signed.derbin2504 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_multiple_signed.derbin810 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_no_signers.derbin52 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_rsa_expired.derbin1302 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badcert.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner1_badsize.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner1_badtag.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner2_badsize.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner2_badtag.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_with_signature.derbin446 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_data_without_cert_signed.derbin435 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.derbin810 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_signerInfo_2_invalid_tag.derbin1185 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_signerInfo_issuer_invalid_size.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_signerInfo_serial_invalid_size.derbin1284 -> 0 bytes
-rw-r--r--tests/data_files/pkcs7_zerolendata.bin0
-rw-r--r--tests/data_files/pkcs7_zerolendata_detached.derbin435 -> 0 bytes
-rwxr-xr-xtests/data_files/print_c.pl50
-rw-r--r--tests/data_files/rsa4096_prv.derbin2349 -> 0 bytes
-rw-r--r--tests/data_files/rsa4096_prv.pem51
-rw-r--r--tests/data_files/rsa4096_pub.derbin550 -> 0 bytes
-rw-r--r--tests/data_files/rsa4096_pub.pem14
-rw-r--r--tests/data_files/rsa512.key9
-rw-r--r--tests/data_files/rsa521.key9
-rw-r--r--tests/data_files/rsa522.key9
-rw-r--r--tests/data_files/rsa528.key9
-rw-r--r--tests/data_files/rsa_multiple_san_uri.key28
-rw-r--r--tests/data_files/rsa_pkcs1_1024_3des.pem18
-rw-r--r--tests/data_files/rsa_pkcs1_1024_aes128.pem18
-rw-r--r--tests/data_files/rsa_pkcs1_1024_aes192.pem18
-rw-r--r--tests/data_files/rsa_pkcs1_1024_aes256.pem18
-rw-r--r--tests/data_files/rsa_pkcs1_1024_clear.pem15
-rw-r--r--tests/data_files/rsa_pkcs1_1024_des.pem18
-rw-r--r--tests/data_files/rsa_pkcs1_2048_3des.pem30
-rw-r--r--tests/data_files/rsa_pkcs1_2048_aes128.pem30
-rw-r--r--tests/data_files/rsa_pkcs1_2048_aes192.pem30
-rw-r--r--tests/data_files/rsa_pkcs1_2048_aes256.pem30
-rw-r--r--tests/data_files/rsa_pkcs1_2048_clear.pem27
-rw-r--r--tests/data_files/rsa_pkcs1_2048_des.pem30
-rw-r--r--tests/data_files/rsa_pkcs1_2048_public.derbin270 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs1_2048_public.pem8
-rw-r--r--tests/data_files/rsa_pkcs1_4096_3des.pem54
-rw-r--r--tests/data_files/rsa_pkcs1_4096_aes128.pem54
-rw-r--r--tests/data_files/rsa_pkcs1_4096_aes192.pem54
-rw-r--r--tests/data_files/rsa_pkcs1_4096_aes256.pem54
-rw-r--r--tests/data_files/rsa_pkcs1_4096_clear.pem51
-rw-r--r--tests/data_files/rsa_pkcs1_4096_des.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_1024_public.derbin162 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_2048_public.derbin294 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_2048_public.pem9
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.derbin678 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem17
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.derbin678 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem17
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.derbin1262 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem29
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.derbin1262 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem29
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.derbin2414 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem53
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.derbin2414 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem53
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.derbin714 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem17
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.derbin728 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.derbin728 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.derbin728 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.derbin728 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.derbin711 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem17
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.derbin725 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.derbin725 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.derbin725 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.derbin725 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem18
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.derbin1298 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.derbin1312 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.derbin1312 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.derbin1312 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.derbin1312 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.derbin1295 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem29
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.derbin1309 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.derbin1309 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.derbin1309 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.derbin1309 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem30
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.derbin2450 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.derbin2464 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.derbin2464 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.derbin2464 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.derbin2464 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.derbin2447 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem53
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.derbin2461 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.derbin2461 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.derbin2461 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem54
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.derbin2461 -> 0 bytes
-rw-r--r--tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem54
-rw-r--r--tests/data_files/rsa_single_san_uri.crt.derbin898 -> 0 bytes
-rw-r--r--tests/data_files/rsa_single_san_uri.key28
-rw-r--r--tests/data_files/server1-nospace.crt20
-rw-r--r--tests/data_files/server1-v1.crt19
-rw-r--r--tests/data_files/server1.80serial.crt20
-rw-r--r--tests/data_files/server1.allSubjectAltNames.crt23
-rw-r--r--tests/data_files/server1.asciichars.crt20
-rw-r--r--tests/data_files/server1.ca.crt20
-rw-r--r--tests/data_files/server1.ca.derbin841 -> 0 bytes
-rw-r--r--tests/data_files/server1.ca_noauthid.crt19
-rw-r--r--tests/data_files/server1.cert_type.crt20
-rw-r--r--tests/data_files/server1.cert_type.crt.openssl.v3_ext5
-rw-r--r--tests/data_files/server1.cert_type_noauthid.crt20
-rw-r--r--tests/data_files/server1.commas.crt20
-rw-r--r--tests/data_files/server1.crt20
-rw-r--r--tests/data_files/server1.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/server1.csr16
-rw-r--r--tests/data_files/server1.derbin835 -> 0 bytes
-rw-r--r--tests/data_files/server1.hashsymbol.crt20
-rw-r--r--tests/data_files/server1.key27
-rw-r--r--tests/data_files/server1.key.derbin1190 -> 0 bytes
-rw-r--r--tests/data_files/server1.key_ext_usage.crt20
-rw-r--r--tests/data_files/server1.key_ext_usages.crt21
-rw-r--r--tests/data_files/server1.key_usage.crt20
-rw-r--r--tests/data_files/server1.key_usage.crt.openssl.v3_ext5
-rw-r--r--tests/data_files/server1.key_usage_noauthid.crt20
-rw-r--r--tests/data_files/server1.long_serial.crt20
-rw-r--r--tests/data_files/server1.long_serial_FF.crt20
-rw-r--r--tests/data_files/server1.noauthid.crt19
-rw-r--r--tests/data_files/server1.pubkey9
-rw-r--r--tests/data_files/server1.pubkey.derbin294 -> 0 bytes
-rw-r--r--tests/data_files/server1.req.cert_type17
-rw-r--r--tests/data_files/server1.req.cert_type_empty17
-rw-r--r--tests/data_files/server1.req.key_usage17
-rw-r--r--tests/data_files/server1.req.key_usage_empty17
-rw-r--r--tests/data_files/server1.req.ku-ct17
-rw-r--r--tests/data_files/server1.req.md516
-rw-r--r--tests/data_files/server1.req.sha116
-rw-r--r--tests/data_files/server1.req.sha22416
-rw-r--r--tests/data_files/server1.req.sha25616
-rw-r--r--tests/data_files/server1.req.sha256.conf17
-rw-r--r--tests/data_files/server1.req.sha256.ext20
-rw-r--r--tests/data_files/server1.req.sha38416
-rw-r--r--tests/data_files/server1.req.sha51216
-rw-r--r--tests/data_files/server1.spaces.crt20
-rw-r--r--tests/data_files/server1.v1.crt18
-rw-r--r--tests/data_files/server10-badsign.crt10
-rw-r--r--tests/data_files/server10-bs_int3.pem22
-rw-r--r--tests/data_files/server10.crt10
-rw-r--r--tests/data_files/server10.key5
-rw-r--r--tests/data_files/server10_int3-bs.pem22
-rw-r--r--tests/data_files/server10_int3_int-ca2.crt40
-rw-r--r--tests/data_files/server10_int3_int-ca2_ca.crt60
-rw-r--r--tests/data_files/server10_int3_spurious_int-ca2.crt64
-rw-r--r--tests/data_files/server1_ca.crt40
-rw-r--r--tests/data_files/server1_csr.opensslconf10
-rw-r--r--tests/data_files/server2-badsign.crt20
-rw-r--r--tests/data_files/server2-sha256.crt20
-rw-r--r--tests/data_files/server2-sha256.crt.derbin827 -> 0 bytes
-rw-r--r--tests/data_files/server2-v1-chain.crt38
-rw-r--r--tests/data_files/server2-v1.crt19
-rw-r--r--tests/data_files/server2.crt20
-rw-r--r--tests/data_files/server2.crt.derbin827 -> 0 bytes
-rw-r--r--tests/data_files/server2.derbin827 -> 0 bytes
-rw-r--r--tests/data_files/server2.key27
-rw-r--r--tests/data_files/server2.key.derbin1192 -> 0 bytes
-rw-r--r--tests/data_files/server2.key.enc30
-rw-r--r--tests/data_files/server2.ku-ds.crt20
-rw-r--r--tests/data_files/server2.ku-ds_ke.crt20
-rw-r--r--tests/data_files/server2.ku-ka.crt20
-rw-r--r--tests/data_files/server2.ku-ke.crt20
-rw-r--r--tests/data_files/server3.crt15
-rw-r--r--tests/data_files/server3.key5
-rw-r--r--tests/data_files/server4.crt17
-rw-r--r--tests/data_files/server4.key27
-rw-r--r--tests/data_files/server5-badsign.crt14
-rw-r--r--tests/data_files/server5-der0.crtbin548 -> 0 bytes
-rw-r--r--tests/data_files/server5-der1a.crtbin549 -> 0 bytes
-rw-r--r--tests/data_files/server5-der1b.crtbin549 -> 0 bytes
-rw-r--r--tests/data_files/server5-der2.crtbin550 -> 0 bytes
-rw-r--r--tests/data_files/server5-der4.crtbin552 -> 0 bytes
-rw-r--r--tests/data_files/server5-der8.crtbin556 -> 0 bytes
-rw-r--r--tests/data_files/server5-der9.crtbin557 -> 0 bytes
-rw-r--r--tests/data_files/server5-expired.crt14
-rw-r--r--tests/data_files/server5-future.crt14
-rw-r--r--tests/data_files/server5-selfsigned.crt12
-rw-r--r--tests/data_files/server5-sha1.crt14
-rw-r--r--tests/data_files/server5-sha224.crt14
-rw-r--r--tests/data_files/server5-sha384.crt14
-rw-r--r--tests/data_files/server5-sha512.crt14
-rw-r--r--tests/data_files/server5-ss-expired.crt12
-rw-r--r--tests/data_files/server5-ss-forgeca.crt11
-rw-r--r--tests/data_files/server5-tricky-ip-san-malformed-len.crt.derbin409 -> 0 bytes
-rw-r--r--tests/data_files/server5-tricky-ip-san.crt.derbin409 -> 0 bytes
-rw-r--r--tests/data_files/server5.crt14
-rw-r--r--tests/data_files/server5.crt.derbin548 -> 0 bytes
-rw-r--r--tests/data_files/server5.crt.openssl.v3_ext3
-rw-r--r--tests/data_files/server5.eku-cli.crt13
-rw-r--r--tests/data_files/server5.eku-cs.crt13
-rw-r--r--tests/data_files/server5.eku-cs_any.crt13
-rw-r--r--tests/data_files/server5.eku-srv.crt13
-rw-r--r--tests/data_files/server5.eku-srv_cli.crt13
-rw-r--r--tests/data_files/server5.key5
-rw-r--r--tests/data_files/server5.key.derbin121 -> 0 bytes
-rw-r--r--tests/data_files/server5.key.enc8
-rw-r--r--tests/data_files/server5.ku-ds.crt13
-rw-r--r--tests/data_files/server5.ku-ka.crt13
-rw-r--r--tests/data_files/server5.ku-ke.crt13
-rw-r--r--tests/data_files/server5.req.ku.sha18
-rw-r--r--tests/data_files/server6-ss-child.crt13
-rw-r--r--tests/data_files/server6-ss-child.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/server6.crt14
-rw-r--r--tests/data_files/server6.key5
-rw-r--r--tests/data_files/server7-badsign.crt47
-rw-r--r--tests/data_files/server7-expired.crt47
-rw-r--r--tests/data_files/server7-future.crt47
-rw-r--r--tests/data_files/server7.crt23
-rw-r--r--tests/data_files/server7.key5
-rw-r--r--tests/data_files/server7_int-ca-exp.crt47
-rw-r--r--tests/data_files/server7_int-ca.crt47
-rw-r--r--tests/data_files/server7_int-ca_ca2.crt60
-rw-r--r--tests/data_files/server7_spurious_int-ca.crt65
-rw-r--r--tests/data_files/server8.crt17
-rw-r--r--tests/data_files/server8.key27
-rw-r--r--tests/data_files/server8_int-ca2.crt35
-rw-r--r--tests/data_files/server9-bad-mgfhash.crt21
-rw-r--r--tests/data_files/server9-bad-saltlen.crt21
-rw-r--r--tests/data_files/server9-badsign.crt19
-rw-r--r--tests/data_files/server9-defaults.crt18
-rw-r--r--tests/data_files/server9-sha224.crt21
-rw-r--r--tests/data_files/server9-sha256.crt21
-rw-r--r--tests/data_files/server9-sha384.crt21
-rw-r--r--tests/data_files/server9-sha512.crt21
-rw-r--r--tests/data_files/server9-with-ca.crt39
-rw-r--r--tests/data_files/server9.crt19
-rw-r--r--tests/data_files/server9.key15
-rw-r--r--tests/data_files/simplepass.psk1
-rw-r--r--tests/data_files/test-ca-alt-good.crt41
-rw-r--r--tests/data_files/test-ca-alt.crt21
-rw-r--r--tests/data_files/test-ca-alt.csr16
-rw-r--r--tests/data_files/test-ca-alt.key27
-rw-r--r--tests/data_files/test-ca-good-alt.crt41
-rw-r--r--tests/data_files/test-ca-sha1.crt20
-rw-r--r--tests/data_files/test-ca-sha1.crt.derbin837 -> 0 bytes
-rw-r--r--tests/data_files/test-ca-sha256.crt20
-rw-r--r--tests/data_files/test-ca-sha256.crt.derbin837 -> 0 bytes
-rw-r--r--tests/data_files/test-ca-v1.crt19
-rw-r--r--tests/data_files/test-ca.crt20
-rw-r--r--tests/data_files/test-ca.derbin837 -> 0 bytes
-rw-r--r--tests/data_files/test-ca.key30
-rw-r--r--tests/data_files/test-ca.key.derbin1192 -> 0 bytes
-rw-r--r--tests/data_files/test-ca.opensslconf125
-rw-r--r--tests/data_files/test-ca.req.sha25616
-rw-r--r--tests/data_files/test-ca.req_ec.sha2569
-rw-r--r--tests/data_files/test-ca.server1.db2
-rw-r--r--tests/data_files/test-ca.server1.future-crl.db2
-rw-r--r--tests/data_files/test-ca.server1.future-crl.opensslconf18
-rw-r--r--tests/data_files/test-ca.server1.opensslconf18
-rw-r--r--tests/data_files/test-ca.server1.test_serial.opensslconf25
-rw-r--r--tests/data_files/test-ca2-expired.crt13
-rw-r--r--tests/data_files/test-ca2.crt13
-rw-r--r--tests/data_files/test-ca2.crt.derbin523 -> 0 bytes
-rw-r--r--tests/data_files/test-ca2.key6
-rw-r--r--tests/data_files/test-ca2.key.derbin167 -> 0 bytes
-rw-r--r--tests/data_files/test-ca2.key.enc9
-rw-r--r--tests/data_files/test-ca2.ku-crl.crt12
-rw-r--r--tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/test-ca2.ku-crt.crt12
-rw-r--r--tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/test-ca2.ku-crt_crl.crt12
-rw-r--r--tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/test-ca2.ku-ds.crt12
-rw-r--r--tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext4
-rw-r--r--tests/data_files/test-ca2.req.sha2569
-rw-r--r--tests/data_files/test-ca2_cat-future-invalid.crt27
-rw-r--r--tests/data_files/test-ca2_cat-future-present.crt26
-rw-r--r--tests/data_files/test-ca2_cat-past-invalid.crt27
-rw-r--r--tests/data_files/test-ca2_cat-past-present.crt26
-rw-r--r--tests/data_files/test-ca2_cat-present-future.crt26
-rw-r--r--tests/data_files/test-ca2_cat-present-past.crt26
-rw-r--r--tests/data_files/test-ca_cat12.crt33
-rw-r--r--tests/data_files/test-ca_cat21.crt33
-rw-r--r--tests/data_files/test-ca_printable.crt21
-rw-r--r--tests/data_files/test-ca_uppercase.crt21
-rw-r--r--tests/data_files/test-ca_utf8.crt21
-rw-r--r--tests/data_files/test-int-ca-exp.crt24
-rw-r--r--tests/data_files/test-int-ca.crt24
-rw-r--r--tests/data_files/test-int-ca.key51
-rw-r--r--tests/data_files/test-int-ca2.crt18
-rw-r--r--tests/data_files/test-int-ca2.key6
-rw-r--r--tests/data_files/test-int-ca3-badsign.crt12
-rw-r--r--tests/data_files/test-int-ca3.crt12
-rw-r--r--tests/data_files/test-int-ca3.key8
-rw-r--r--tests/data_files/test_certs.h.jinja254
-rw-r--r--tests/docker/bionic/Dockerfile14
-rwxr-xr-xtests/git-scripts/pre-push.sh14
-rw-r--r--tests/include/alt-dummy/aes_alt.h14
-rw-r--r--tests/include/alt-dummy/aria_alt.h14
-rw-r--r--tests/include/alt-dummy/camellia_alt.h14
-rw-r--r--tests/include/alt-dummy/ccm_alt.h14
-rw-r--r--tests/include/alt-dummy/chacha20_alt.h14
-rw-r--r--tests/include/alt-dummy/chachapoly_alt.h14
-rw-r--r--tests/include/alt-dummy/cmac_alt.h14
-rw-r--r--tests/include/alt-dummy/des_alt.h14
-rw-r--r--tests/include/alt-dummy/dhm_alt.h28
-rw-r--r--tests/include/alt-dummy/ecjpake_alt.h27
-rw-r--r--tests/include/alt-dummy/ecp_alt.h34
-rw-r--r--tests/include/alt-dummy/gcm_alt.h14
-rw-r--r--tests/include/alt-dummy/md5_alt.h14
-rw-r--r--tests/include/alt-dummy/nist_kw_alt.h14
-rw-r--r--tests/include/alt-dummy/platform_alt.h14
-rw-r--r--tests/include/alt-dummy/poly1305_alt.h14
-rw-r--r--tests/include/alt-dummy/ripemd160_alt.h14
-rw-r--r--tests/include/alt-dummy/rsa_alt.h28
-rw-r--r--tests/include/alt-dummy/sha1_alt.h14
-rw-r--r--tests/include/alt-dummy/sha256_alt.h14
-rw-r--r--tests/include/alt-dummy/sha512_alt.h14
-rw-r--r--tests/include/alt-dummy/threading_alt.h14
-rw-r--r--tests/include/alt-dummy/timing_alt.h14
-rw-r--r--tests/include/baremetal-override/time.h14
-rw-r--r--tests/include/spe/crypto_spe.h14
-rw-r--r--tests/include/test/arguments.h14
-rw-r--r--tests/include/test/asn1_helpers.h14
-rw-r--r--tests/include/test/bignum_helpers.h38
-rw-r--r--tests/include/test/certs.h14
-rw-r--r--tests/include/test/constant_flow.h14
-rw-r--r--tests/include/test/drivers/aead.h14
-rw-r--r--tests/include/test/drivers/asymmetric_encryption.h14
-rw-r--r--tests/include/test/drivers/cipher.h22
-rw-r--r--tests/include/test/drivers/config_test_driver.h16
-rw-r--r--tests/include/test/drivers/crypto_config_test_driver_extension.h315
-rw-r--r--tests/include/test/drivers/hash.h14
-rw-r--r--tests/include/test/drivers/key_agreement.h14
-rw-r--r--tests/include/test/drivers/key_management.h24
-rw-r--r--tests/include/test/drivers/mac.h14
-rw-r--r--tests/include/test/drivers/pake.h14
-rw-r--r--tests/include/test/drivers/signature.h14
-rw-r--r--tests/include/test/drivers/test_driver.h14
-rw-r--r--tests/include/test/fake_external_rng_for_test.h14
-rw-r--r--tests/include/test/helpers.h196
-rw-r--r--tests/include/test/macros.h26
-rw-r--r--tests/include/test/memory.h108
-rw-r--r--tests/include/test/psa_crypto_helpers.h76
-rw-r--r--tests/include/test/psa_exercise_key.h127
-rw-r--r--tests/include/test/psa_helpers.h14
-rw-r--r--tests/include/test/psa_memory_poisoning_wrappers.h40
-rw-r--r--tests/include/test/psa_test_wrappers.h771
-rw-r--r--tests/include/test/random.h14
-rw-r--r--tests/include/test/ssl_helpers.h74
-rw-r--r--tests/include/test/threading_helpers.h112
-rwxr-xr-xtests/make-in-docker.sh14
-rwxr-xr-xtests/opt-testcases/tls13-compat.sh3181
-rwxr-xr-xtests/opt-testcases/tls13-kex-modes.sh224
-rwxr-xr-xtests/opt-testcases/tls13-misc.sh1270
-rw-r--r--tests/psa-client-server/README.md6
-rw-r--r--tests/psa-client-server/psasim/.gitignore12
-rw-r--r--tests/psa-client-server/psasim/Makefile81
-rw-r--r--tests/psa-client-server/psasim/README.md61
-rw-r--r--tests/psa-client-server/psasim/include/client.h75
-rw-r--r--tests/psa-client-server/psasim/include/common.h52
-rw-r--r--tests/psa-client-server/psasim/include/error_ext.h19
-rw-r--r--tests/psa-client-server/psasim/include/init.h15
-rw-r--r--tests/psa-client-server/psasim/include/lifecycle.h17
-rw-r--r--tests/psa-client-server/psasim/include/service.h253
-rw-r--r--tests/psa-client-server/psasim/include/util.h31
-rw-r--r--tests/psa-client-server/psasim/src/aut_main.c71
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_aead_encrypt.c227
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c109
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_asymmetric_encrypt_decrypt.c81
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c81
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_hash.c167
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_hash_compute.c81
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_hkdf.c121
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_key_agreement.c146
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_mac.c162
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_random.c47
-rw-r--r--tests/psa-client-server/psasim/src/aut_psa_sign_verify.c93
-rw-r--r--tests/psa-client-server/psasim/src/client.c23
-rw-r--r--tests/psa-client-server/psasim/src/manifest.json29
-rw-r--r--tests/psa-client-server/psasim/src/psa_ff_client.c385
-rw-r--r--tests/psa-client-server/psasim/src/psa_ff_server.c655
-rw-r--r--tests/psa-client-server/psasim/src/psa_functions_codes.h93
-rw-r--r--tests/psa-client-server/psasim/src/psa_sim_crypto_client.c6778
-rw-r--r--tests/psa-client-server/psasim/src/psa_sim_crypto_server.c7933
-rwxr-xr-xtests/psa-client-server/psasim/src/psa_sim_generate.pl5569
-rw-r--r--tests/psa-client-server/psasim/src/psa_sim_serialise.c1715
-rw-r--r--tests/psa-client-server/psasim/src/psa_sim_serialise.h1310
-rwxr-xr-xtests/psa-client-server/psasim/src/psa_sim_serialise.pl1204
-rw-r--r--tests/psa-client-server/psasim/src/server.c116
-rwxr-xr-xtests/psa-client-server/psasim/test/kill_server.sh16
-rwxr-xr-xtests/psa-client-server/psasim/test/run_test.sh25
-rwxr-xr-xtests/psa-client-server/psasim/test/start_server.sh19
-rwxr-xr-xtests/psa-client-server/psasim/tools/psa_autogen.py174
-rwxr-xr-xtests/scripts/all-in-docker.sh14
-rwxr-xr-xtests/scripts/all.sh2477
-rwxr-xr-xtests/scripts/analyze_outcomes.py943
-rwxr-xr-xtests/scripts/audit-validity-dates.py28
-rwxr-xr-xtests/scripts/basic-build-test.sh20
-rwxr-xr-xtests/scripts/basic-in-docker.sh14
-rwxr-xr-xtests/scripts/check-doxy-blocks.pl14
-rwxr-xr-xtests/scripts/check-generated-files.sh75
-rwxr-xr-xtests/scripts/check-python-files.sh22
-rwxr-xr-xtests/scripts/check_files.py160
-rwxr-xr-xtests/scripts/check_names.py62
-rwxr-xr-xtests/scripts/check_test_cases.py98
-rwxr-xr-xtests/scripts/depends.py39
-rwxr-xr-xtests/scripts/docker_env.sh14
-rwxr-xr-xtests/scripts/doxygen.sh14
-rwxr-xr-xtests/scripts/gen_ctr_drbg.pl14
-rwxr-xr-xtests/scripts/gen_gcm_decrypt.pl14
-rwxr-xr-xtests/scripts/gen_gcm_encrypt.pl14
-rwxr-xr-xtests/scripts/gen_pkcs1_v21_sign_verify.pl14
-rwxr-xr-xtests/scripts/generate-afl-tests.sh14
-rwxr-xr-xtests/scripts/generate_bignum_tests.py199
-rwxr-xr-xtests/scripts/generate_ecp_tests.py34
-rwxr-xr-xtests/scripts/generate_pkcs7_tests.py195
-rwxr-xr-xtests/scripts/generate_psa_tests.py862
-rwxr-xr-xtests/scripts/generate_server9_bad_saltlen.py87
-rwxr-xr-xtests/scripts/generate_test_cert_macros.py107
-rwxr-xr-xtests/scripts/generate_test_code.py1289
-rwxr-xr-xtests/scripts/generate_tls13_compat_tests.py72
-rwxr-xr-xtests/scripts/list-identifiers.sh14
-rwxr-xr-xtests/scripts/list_internal_identifiers.py18
-rwxr-xr-xtests/scripts/psa_collect_statuses.py14
-rwxr-xr-xtests/scripts/quiet/cmake19
-rwxr-xr-xtests/scripts/quiet/make19
-rw-r--r--tests/scripts/quiet/quiet.sh79
-rwxr-xr-xtests/scripts/recursion.pl14
-rwxr-xr-xtests/scripts/run-metatests.sh89
-rwxr-xr-xtests/scripts/run-test-suites.pl14
-rw-r--r--tests/scripts/scripts_path.py16
-rwxr-xr-xtests/scripts/set_psa_test_dependencies.py14
-rwxr-xr-xtests/scripts/tcp_client.pl14
-rwxr-xr-xtests/scripts/test-ref-configs.pl34
-rwxr-xr-xtests/scripts/test_config_script.py13
-rwxr-xr-xtests/scripts/test_generate_test_code.py1927
-rwxr-xr-xtests/scripts/test_psa_compliance.py55
-rwxr-xr-xtests/scripts/test_psa_constant_names.py24
-rw-r--r--tests/scripts/test_zeroize.gdb14
-rwxr-xr-xtests/scripts/translate_ciphers.py14
-rwxr-xr-xtests/scripts/travis-log-failure.sh14
-rw-r--r--tests/src/asn1_helpers.c14
-rw-r--r--tests/src/bignum_helpers.c16
-rw-r--r--tests/src/certs.c14
-rw-r--r--tests/src/drivers/hash.c16
-rw-r--r--tests/src/drivers/platform_builtin_keys.c14
-rw-r--r--tests/src/drivers/test_driver_aead.c16
-rw-r--r--tests/src/drivers/test_driver_asymmetric_encryption.c100
-rw-r--r--tests/src/drivers/test_driver_cipher.c24
-rw-r--r--tests/src/drivers/test_driver_key_agreement.c20
-rw-r--r--tests/src/drivers/test_driver_key_management.c29
-rw-r--r--tests/src/drivers/test_driver_mac.c16
-rw-r--r--tests/src/drivers/test_driver_pake.c18
-rw-r--r--tests/src/drivers/test_driver_signature.c29
-rw-r--r--tests/src/fake_external_rng_for_test.c14
-rw-r--r--tests/src/helpers.c497
-rw-r--r--tests/src/psa_crypto_helpers.c25
-rw-r--r--tests/src/psa_crypto_stubs.c75
-rw-r--r--tests/src/psa_exercise_key.c660
-rw-r--r--tests/src/psa_memory_poisoning_wrappers.c31
-rw-r--r--tests/src/psa_test_wrappers.c1353
-rw-r--r--tests/src/random.c14
-rw-r--r--tests/src/test_certs.h1238
-rw-r--r--tests/src/test_helpers/ssl_helpers.c447
-rw-r--r--tests/src/test_memory.c60
-rw-r--r--tests/src/threading_helpers.c310
-rwxr-xr-xtests/ssl-opt-in-docker.sh14
-rwxr-xr-xtests/ssl-opt.sh3464
-rw-r--r--tests/suites/helpers.function1
-rw-r--r--tests/suites/host_test.function92
-rw-r--r--tests/suites/main_test.function15
-rw-r--r--tests/suites/test_suite_aes.ctr.data137
-rw-r--r--tests/suites/test_suite_aes.function124
-rw-r--r--tests/suites/test_suite_aria.function6
-rw-r--r--tests/suites/test_suite_bignum.function61
-rw-r--r--tests/suites/test_suite_bignum.misc.data24
-rw-r--r--tests/suites/test_suite_block_cipher.data255
-rw-r--r--tests/suites/test_suite_block_cipher.function129
-rw-r--r--tests/suites/test_suite_block_cipher.psa.data35
-rw-r--r--tests/suites/test_suite_camellia.function2
-rw-r--r--tests/suites/test_suite_ccm.data860
-rw-r--r--tests/suites/test_suite_ccm.function50
-rw-r--r--tests/suites/test_suite_cipher.aes.data116
-rw-r--r--tests/suites/test_suite_cipher.function20
-rw-r--r--tests/suites/test_suite_cmac.data20
-rw-r--r--tests/suites/test_suite_config.crypto_combinations.data9
-rw-r--r--tests/suites/test_suite_config.function14
-rw-r--r--tests/suites/test_suite_config.psa_combinations.data9
-rw-r--r--tests/suites/test_suite_config.tls_combinations.data9
-rw-r--r--tests/suites/test_suite_constant_time.function4
-rw-r--r--tests/suites/test_suite_constant_time_hmac.data2
-rw-r--r--tests/suites/test_suite_constant_time_hmac.function3
-rw-r--r--tests/suites/test_suite_ctr_drbg.data54
-rw-r--r--tests/suites/test_suite_ctr_drbg.function192
-rw-r--r--tests/suites/test_suite_debug.data4
-rw-r--r--tests/suites/test_suite_debug.function78
-rw-r--r--tests/suites/test_suite_dhm.data6
-rw-r--r--tests/suites/test_suite_dhm.function2
-rw-r--r--tests/suites/test_suite_ecdh.data16
-rw-r--r--tests/suites/test_suite_ecdh.function17
-rw-r--r--tests/suites/test_suite_ecdsa.data40
-rw-r--r--tests/suites/test_suite_ecp.data315
-rw-r--r--tests/suites/test_suite_ecp.function328
-rw-r--r--tests/suites/test_suite_entropy.data4
-rw-r--r--tests/suites/test_suite_entropy.function4
-rw-r--r--tests/suites/test_suite_gcm.aes128_de.data368
-rw-r--r--tests/suites/test_suite_gcm.aes128_en.data368
-rw-r--r--tests/suites/test_suite_gcm.aes192_de.data340
-rw-r--r--tests/suites/test_suite_gcm.aes192_en.data340
-rw-r--r--tests/suites/test_suite_gcm.aes256_de.data340
-rw-r--r--tests/suites/test_suite_gcm.aes256_en.data340
-rw-r--r--tests/suites/test_suite_gcm.camellia.data108
-rw-r--r--tests/suites/test_suite_gcm.function151
-rw-r--r--tests/suites/test_suite_gcm.misc.data12
-rw-r--r--tests/suites/test_suite_hmac_drbg.misc.data50
-rw-r--r--tests/suites/test_suite_hmac_drbg.no_reseed.data240
-rw-r--r--tests/suites/test_suite_hmac_drbg.nopr.data240
-rw-r--r--tests/suites/test_suite_hmac_drbg.pr.data240
-rw-r--r--tests/suites/test_suite_lmots.data12
-rw-r--r--tests/suites/test_suite_lmots.function13
-rw-r--r--tests/suites/test_suite_lms.data40
-rw-r--r--tests/suites/test_suite_lms.function8
-rw-r--r--tests/suites/test_suite_md.data354
-rw-r--r--tests/suites/test_suite_md.function2
-rw-r--r--tests/suites/test_suite_mps.function23
-rw-r--r--tests/suites/test_suite_oid.data20
-rw-r--r--tests/suites/test_suite_pem.data35
-rw-r--r--tests/suites/test_suite_pk.data1240
-rw-r--r--tests/suites/test_suite_pk.function1831
-rw-r--r--tests/suites/test_suite_pkcs12.function4
-rw-r--r--tests/suites/test_suite_pkcs1_v15.function3
-rw-r--r--tests/suites/test_suite_pkcs1_v21.data30
-rw-r--r--tests/suites/test_suite_pkcs5.data44
-rw-r--r--tests/suites/test_suite_pkcs5.function4
-rw-r--r--tests/suites/test_suite_pkcs7.data78
-rw-r--r--tests/suites/test_suite_pkcs7.function1
-rw-r--r--tests/suites/test_suite_pkparse.data1124
-rw-r--r--tests/suites/test_suite_pkparse.function171
-rw-r--r--tests/suites/test_suite_pkwrite.data78
-rw-r--r--tests/suites/test_suite_pkwrite.function28
-rw-r--r--tests/suites/test_suite_platform.data6
-rw-r--r--tests/suites/test_suite_psa_crypto.data781
-rw-r--r--tests/suites/test_suite_psa_crypto.function731
-rw-r--r--tests/suites/test_suite_psa_crypto_attributes.function4
-rw-r--r--tests/suites/test_suite_psa_crypto_driver_wrappers.data101
-rw-r--r--tests/suites/test_suite_psa_crypto_driver_wrappers.function94
-rw-r--r--tests/suites/test_suite_psa_crypto_hash.function4
-rw-r--r--tests/suites/test_suite_psa_crypto_init.data3
-rw-r--r--tests/suites/test_suite_psa_crypto_init.function115
-rw-r--r--tests/suites/test_suite_psa_crypto_memory.data62
-rw-r--r--tests/suites/test_suite_psa_crypto_memory.function258
-rw-r--r--tests/suites/test_suite_psa_crypto_metadata.data22
-rw-r--r--tests/suites/test_suite_psa_crypto_op_fail.function4
-rw-r--r--tests/suites/test_suite_psa_crypto_pake.data12
-rw-r--r--tests/suites/test_suite_psa_crypto_pake.function44
-rw-r--r--tests/suites/test_suite_psa_crypto_persistent_key.data36
-rw-r--r--tests/suites/test_suite_psa_crypto_persistent_key.function6
-rw-r--r--tests/suites/test_suite_psa_crypto_se_driver_hal.function23
-rw-r--r--tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function24
-rw-r--r--tests/suites/test_suite_psa_crypto_slot_management.function45
-rw-r--r--tests/suites/test_suite_psa_crypto_storage_format.function88
-rw-r--r--tests/suites/test_suite_psa_crypto_util.data167
-rw-r--r--tests/suites/test_suite_psa_crypto_util.function91
-rw-r--r--tests/suites/test_suite_random.function9
-rw-r--r--tests/suites/test_suite_rsa.data293
-rw-r--r--tests/suites/test_suite_rsa.function142
-rw-r--r--tests/suites/test_suite_ssl.data1165
-rw-r--r--tests/suites/test_suite_ssl.function1781
-rw-r--r--tests/suites/test_suite_ssl_decrypt.function2
-rw-r--r--tests/suites/test_suite_ssl_decrypt.misc.data194
-rw-r--r--tests/suites/test_suite_test_helpers.data23
-rw-r--r--tests/suites/test_suite_test_helpers.function40
-rw-r--r--tests/suites/test_suite_version.data4
-rw-r--r--tests/suites/test_suite_x509parse.data944
-rw-r--r--tests/suites/test_suite_x509parse.function94
-rw-r--r--tests/suites/test_suite_x509write.data141
-rw-r--r--tests/suites/test_suite_x509write.function93
-rw-r--r--tf-psa-crypto/.gitignore (renamed from 3rdparty/everest/.gitignore)0
-rw-r--r--tf-psa-crypto/CMakeLists.txt40
-rw-r--r--tf-psa-crypto/core/.gitignore4
-rw-r--r--tf-psa-crypto/core/CMakeLists.txt (renamed from tests/data_files/base64/empty.txt)0
-rw-r--r--tf-psa-crypto/core/alignment.h684
-rw-r--r--tf-psa-crypto/core/common.h435
-rw-r--r--tf-psa-crypto/core/psa_crypto.c9171
-rw-r--r--tf-psa-crypto/core/psa_crypto_aead.c649
-rw-r--r--tf-psa-crypto/core/psa_crypto_aead.h499
-rw-r--r--tf-psa-crypto/core/psa_crypto_cipher.c724
-rw-r--r--tf-psa-crypto/core/psa_crypto_cipher.h316
-rw-r--r--tf-psa-crypto/core/psa_crypto_client.c22
-rw-r--r--tf-psa-crypto/core/psa_crypto_core.h957
-rw-r--r--tf-psa-crypto/core/psa_crypto_core_common.h52
-rw-r--r--tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h31
-rw-r--r--tf-psa-crypto/core/psa_crypto_ecp.c596
-rw-r--r--tf-psa-crypto/core/psa_crypto_ecp.h267
-rw-r--r--tf-psa-crypto/core/psa_crypto_ffdh.c321
-rw-r--r--tf-psa-crypto/core/psa_crypto_ffdh.h131
-rw-r--r--tf-psa-crypto/core/psa_crypto_hash.c470
-rw-r--r--tf-psa-crypto/core/psa_crypto_hash.h211
-rw-r--r--tf-psa-crypto/core/psa_crypto_invasive.h92
-rw-r--r--tf-psa-crypto/core/psa_crypto_its.h131
-rw-r--r--tf-psa-crypto/core/psa_crypto_mac.c496
-rw-r--r--tf-psa-crypto/core/psa_crypto_mac.h264
-rw-r--r--tf-psa-crypto/core/psa_crypto_pake.c571
-rw-r--r--tf-psa-crypto/core/psa_crypto_pake.h159
-rw-r--r--tf-psa-crypto/core/psa_crypto_random_impl.h135
-rw-r--r--tf-psa-crypto/core/psa_crypto_rsa.c706
-rw-r--r--tf-psa-crypto/core/psa_crypto_rsa.h327
-rw-r--r--tf-psa-crypto/core/psa_crypto_se.c373
-rw-r--r--tf-psa-crypto/core/psa_crypto_se.h192
-rw-r--r--tf-psa-crypto/core/psa_crypto_slot_management.c690
-rw-r--r--tf-psa-crypto/core/psa_crypto_slot_management.h288
-rw-r--r--tf-psa-crypto/core/psa_crypto_storage.c481
-rw-r--r--tf-psa-crypto/core/psa_crypto_storage.h385
-rw-r--r--tf-psa-crypto/core/psa_its_file.c254
-rw-r--r--tf-psa-crypto/core/psa_util.c602
-rw-r--r--tf-psa-crypto/core/psa_util_internal.h100
-rw-r--r--tf-psa-crypto/drivers/CMakeLists.txt3
-rw-r--r--tf-psa-crypto/drivers/builtin/CMakeLists.txt1
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/aes.h627
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/aria.h343
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/asn1.h642
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/asn1write.h390
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/base64.h82
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h1084
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/block_cipher.h76
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/camellia.h305
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ccm.h526
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/chacha20.h202
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/chachapoly.h342
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h1173
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/cmac.h246
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h892
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_psa_superset_legacy.h152
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h61
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/constant_time.h36
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ctr_drbg.h582
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/des.h385
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h966
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ecdh.h454
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ecdsa.h671
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h293
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h1515
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/entropy.h273
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/error.h200
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/gcm.h384
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/hmac_drbg.h434
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/lms.h440
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/md.h526
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/md5.h190
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/memory_buffer_alloc.h142
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/nist_kw.h166
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/oid.h727
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/pem.h160
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h1296
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs12.h186
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs5.h198
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/platform.h485
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/platform_time.h79
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/platform_util.h197
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/poly1305.h168
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/private_access.h20
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h188
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/ripemd160.h136
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h1156
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/sha1.h219
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/sha256.h200
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/sha3.h172
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/sha512.h208
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/threading.h137
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h94
-rw-r--r--tf-psa-crypto/drivers/builtin/include/mbedtls/version.h78
-rw-r--r--tf-psa-crypto/drivers/builtin/src/.gitignore4
-rw-r--r--tf-psa-crypto/drivers/builtin/src/CMakeLists.txt (renamed from tests/data_files/hash_file_4)0
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aes.c2244
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aesce.c618
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aesce.h136
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aesni.c835
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aesni.h162
-rw-r--r--tf-psa-crypto/drivers/builtin/src/aria.c969
-rw-r--r--tf-psa-crypto/drivers/builtin/src/asn1parse.c468
-rw-r--r--tf-psa-crypto/drivers/builtin/src/asn1write.c437
-rw-r--r--tf-psa-crypto/drivers/builtin/src/base64.c299
-rw-r--r--tf-psa-crypto/drivers/builtin/src/base64_internal.h45
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum.c2464
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_core.c895
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_core.h763
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_mod.c394
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_mod.h452
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c276
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h416
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h34
-rw-r--r--tf-psa-crypto/drivers/builtin/src/block_cipher.c207
-rw-r--r--tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h99
-rw-r--r--tf-psa-crypto/drivers/builtin/src/bn_mul.h1094
-rw-r--r--tf-psa-crypto/drivers/builtin/src/camellia.c1058
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ccm.c763
-rw-r--r--tf-psa-crypto/drivers/builtin/src/chacha20.c497
-rw-r--r--tf-psa-crypto/drivers/builtin/src/chachapoly.c478
-rw-r--r--tf-psa-crypto/drivers/builtin/src/check_crypto_config.h141
-rw-r--r--tf-psa-crypto/drivers/builtin/src/cipher.c1683
-rw-r--r--tf-psa-crypto/drivers/builtin/src/cipher_wrap.c2482
-rw-r--r--tf-psa-crypto/drivers/builtin/src/cipher_wrap.h178
-rw-r--r--tf-psa-crypto/drivers/builtin/src/cmac.c1067
-rw-r--r--tf-psa-crypto/drivers/builtin/src/constant_time.c248
-rw-r--r--tf-psa-crypto/drivers/builtin/src/constant_time_impl.h556
-rw-r--r--tf-psa-crypto/drivers/builtin/src/constant_time_internal.h579
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ctr.h35
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ctr_drbg.c1016
-rw-r--r--tf-psa-crypto/drivers/builtin/src/des.c1042
-rw-r--r--tf-psa-crypto/drivers/builtin/src/dhm.c709
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecdh.c694
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecdsa.c867
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecjpake.c1206
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecp.c3558
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecp_curves.c5456
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c6033
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ecp_invasive.h325
-rw-r--r--tf-psa-crypto/drivers/builtin/src/entropy.c680
-rw-r--r--tf-psa-crypto/drivers/builtin/src/entropy_poll.c231
-rw-r--r--tf-psa-crypto/drivers/builtin/src/entropy_poll.h64
-rw-r--r--tf-psa-crypto/drivers/builtin/src/gcm.c1330
-rw-r--r--tf-psa-crypto/drivers/builtin/src/hkdf.c161
-rw-r--r--tf-psa-crypto/drivers/builtin/src/hmac_drbg.c633
-rw-r--r--tf-psa-crypto/drivers/builtin/src/lmots.c786
-rw-r--r--tf-psa-crypto/drivers/builtin/src/lmots.h288
-rw-r--r--tf-psa-crypto/drivers/builtin/src/lms.c769
-rw-r--r--tf-psa-crypto/drivers/builtin/src/md.c1108
-rw-r--r--tf-psa-crypto/drivers/builtin/src/md5.c426
-rw-r--r--tf-psa-crypto/drivers/builtin/src/md_psa.h26
-rw-r--r--tf-psa-crypto/drivers/builtin/src/md_wrap.h46
-rw-r--r--tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c745
-rw-r--r--tf-psa-crypto/drivers/builtin/src/nist_kw.c729
-rw-r--r--tf-psa-crypto/drivers/builtin/src/oid.c1166
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pem.c551
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pk.c1507
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pk_ecc.c255
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pk_internal.h207
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pk_wrap.c1578
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pk_wrap.h138
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pkcs12.c437
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pkcs5.c500
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pkparse.c1392
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pkwrite.c621
-rw-r--r--tf-psa-crypto/drivers/builtin/src/pkwrite.h121
-rw-r--r--tf-psa-crypto/drivers/builtin/src/platform.c402
-rw-r--r--tf-psa-crypto/drivers/builtin/src/platform_util.c263
-rw-r--r--tf-psa-crypto/drivers/builtin/src/poly1305.c492
-rw-r--r--tf-psa-crypto/drivers/builtin/src/ripemd160.c490
-rw-r--r--tf-psa-crypto/drivers/builtin/src/rsa.c3061
-rw-r--r--tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c447
-rw-r--r--tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.h212
-rw-r--r--tf-psa-crypto/drivers/builtin/src/rsa_internal.h121
-rw-r--r--tf-psa-crypto/drivers/builtin/src/sha1.c480
-rw-r--r--tf-psa-crypto/drivers/builtin/src/sha256.c978
-rw-r--r--tf-psa-crypto/drivers/builtin/src/sha3.c721
-rw-r--r--tf-psa-crypto/drivers/builtin/src/sha512.c1112
-rw-r--r--tf-psa-crypto/drivers/builtin/src/threading.c195
-rw-r--r--tf-psa-crypto/drivers/builtin/src/timing.c154
-rw-r--r--tf-psa-crypto/drivers/builtin/src/version.c32
-rw-r--r--tf-psa-crypto/drivers/everest/.gitignore1
-rw-r--r--tf-psa-crypto/drivers/everest/CMakeLists.txt45
-rw-r--r--tf-psa-crypto/drivers/everest/Makefile.inc6
-rw-r--r--tf-psa-crypto/drivers/everest/README.md (renamed from 3rdparty/everest/README.md)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/Hacl_Curve25519.h (renamed from 3rdparty/everest/include/everest/Hacl_Curve25519.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/everest.h (renamed from 3rdparty/everest/include/everest/everest.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlib.h (renamed from 3rdparty/everest/include/everest/kremlib.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt128.h (renamed from 3rdparty/everest/include/everest/kremlib/FStar_UInt128.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h (renamed from 3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/c_endianness.h (renamed from 3rdparty/everest/include/everest/kremlin/c_endianness.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/builtin.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/builtin.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/callconv.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/callconv.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/compat.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/compat.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/debug.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/debug.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/target.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/target.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/types.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/types.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/wasmsupport.h (renamed from 3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/vs2013/Hacl_Curve25519.h (renamed from 3rdparty/everest/include/everest/vs2013/Hacl_Curve25519.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/vs2013/inttypes.h (renamed from 3rdparty/everest/include/everest/vs2013/inttypes.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/vs2013/stdbool.h (renamed from 3rdparty/everest/include/everest/vs2013/stdbool.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/include/everest/x25519.h (renamed from 3rdparty/everest/include/everest/x25519.h)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c (renamed from 3rdparty/everest/library/Hacl_Curve25519.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/Hacl_Curve25519_joined.c (renamed from 3rdparty/everest/library/Hacl_Curve25519_joined.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/everest.c (renamed from 3rdparty/everest/library/everest.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt128_extracted.c (renamed from 3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c (renamed from 3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/legacy/Hacl_Curve25519.c (renamed from 3rdparty/everest/library/legacy/Hacl_Curve25519.c)0
-rw-r--r--tf-psa-crypto/drivers/everest/library/x25519.c (renamed from 3rdparty/everest/library/x25519.c)0
-rw-r--r--tf-psa-crypto/drivers/p256-m/.gitignore1
-rw-r--r--tf-psa-crypto/drivers/p256-m/CMakeLists.txt43
-rw-r--r--tf-psa-crypto/drivers/p256-m/Makefile.inc5
-rw-r--r--tf-psa-crypto/drivers/p256-m/README.md4
-rw-r--r--tf-psa-crypto/drivers/p256-m/p256-m/README.md (renamed from 3rdparty/p256-m/p256-m/README.md)0
-rw-r--r--tf-psa-crypto/drivers/p256-m/p256-m/p256-m.c1514
-rw-r--r--tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h135
-rw-r--r--tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.c312
-rw-r--r--tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h219
-rw-r--r--tf-psa-crypto/include/.gitignore1
-rw-r--r--tf-psa-crypto/include/CMakeLists.txt19
-rw-r--r--tf-psa-crypto/include/psa/build_info.h20
-rw-r--r--tf-psa-crypto/include/psa/crypto.h4835
-rw-r--r--tf-psa-crypto/include/psa/crypto_adjust_auto_enabled.h31
-rw-r--r--tf-psa-crypto/include/psa/crypto_adjust_config_dependencies.h51
-rw-r--r--tf-psa-crypto/include/psa/crypto_adjust_config_key_pair_types.h101
-rw-r--r--tf-psa-crypto/include/psa/crypto_adjust_config_synonyms.h49
-rw-r--r--tf-psa-crypto/include/psa/crypto_builtin_composites.h214
-rw-r--r--tf-psa-crypto/include/psa/crypto_builtin_key_derivation.h118
-rw-r--r--tf-psa-crypto/include/psa/crypto_builtin_primitives.h114
-rw-r--r--tf-psa-crypto/include/psa/crypto_compat.h230
-rw-r--r--tf-psa-crypto/include/psa/crypto_config.h159
-rw-r--r--tf-psa-crypto/include/psa/crypto_driver_common.h44
-rw-r--r--tf-psa-crypto/include/psa/crypto_driver_contexts_composites.h151
-rw-r--r--tf-psa-crypto/include/psa/crypto_driver_contexts_key_derivation.h52
-rw-r--r--tf-psa-crypto/include/psa/crypto_driver_contexts_primitives.h105
-rw-r--r--tf-psa-crypto/include/psa/crypto_extra.h1883
-rw-r--r--tf-psa-crypto/include/psa/crypto_legacy.h88
-rw-r--r--tf-psa-crypto/include/psa/crypto_platform.h102
-rw-r--r--tf-psa-crypto/include/psa/crypto_se_driver.h1383
-rw-r--r--tf-psa-crypto/include/psa/crypto_sizes.h1292
-rw-r--r--tf-psa-crypto/include/psa/crypto_struct.h501
-rw-r--r--tf-psa-crypto/include/psa/crypto_types.h484
-rw-r--r--tf-psa-crypto/include/psa/crypto_values.h2783
-rw-r--r--visualc/VS2017/.gitignore (renamed from visualc/VS2013/.gitignore)0
1802 files changed, 197637 insertions, 174950 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a07e8ab..892ed28 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -9,7 +9,8 @@ Please write a few sentences describing the overall goals of the pull request's
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")
- [ ] **changelog** provided, or not required
-- [ ] **backport** done, or not required
+- [ ] **3.6 backport** done, or not required
+- [ ] **2.28 backport** done, or not required
- [ ] **tests** provided, or not required
@@ -18,3 +19,10 @@ Please tick as appropriate and edit the reasons (e.g.: "backport: not needed bec
Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the
checklist for PR contributors.
+
+Help make review efficient:
+* Multiple simple commits
+ - please structure your PR into a series of small commits, each of which does one thing
+* Avoid force-push
+ - please do not force-push to update your PR - just add new commit(s)
+* See our [Guidelines for Contributors](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/) for more details about the review process.
diff --git a/.gitignore b/.gitignore
index 185bd7a..6068cbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@
seedfile
# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
00000000ffffff52.psa_its
+# Log files created by all.sh to reduce the logs in case a component runs
+# successfully
+quiet-make.*
# CMake build artifacts:
CMakeCache.txt
@@ -63,5 +66,10 @@ massif-*
/cscope*.out
/tags
-# Clangd compilation database
+# clangd compilation database
compile_commands.json
+# clangd index files
+/.cache/clangd/index/
+
+# VScode folder to store local debug files and configurations
+.vscode
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..4fb26b5
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "framework"]
+ path = framework
+ url = https://github.com/Mbed-TLS/mbedtls-framework
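Review bot: The new `framework` section in `.gitmodules` has no comment saying how the submodule is fetched, so a plain `git clone` or a source archive would presumably leave `framework/` empty and fail later in a less obvious place. I would add a line above the section such as `# Fetch with: git submodule update --init`, and have the build entry points check for the directory if they do not already (they are not visible in this part of the diff). The revision actually built is pinned by the gitlink entry in the tree rather than by this file, so bumps of that pointer deserve the same review as a vendored-code update. The `.readthedocs.yaml` hunk that follows has to opt in to the submodule explicitly, which suggests other CI and packaging configurations need the same check.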
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
index 72f126f..2b10f86 100644
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -5,6 +5,11 @@
# Required
version: 2
+# Include the framework submodule in the build
+submodules:
+ include:
+ - framework
+
# Set the version of Python and other tools you might need
build:
os: ubuntu-20.04
diff --git a/.uncrustify.cfg b/.uncrustify.cfg
index 92b8ce9..8dc9db0 100644
--- a/.uncrustify.cfg
+++ b/.uncrustify.cfg
@@ -4,19 +4,7 @@
# to Mbed TLS.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
# Wrap lines at 100 characters
diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
deleted file mode 100644
index fa149bd..0000000
--- a/3rdparty/CMakeLists.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-add_subdirectory(everest)
-add_subdirectory(p256-m)
diff --git a/3rdparty/Makefile.inc b/3rdparty/Makefile.inc
deleted file mode 100644
index 70f316b..0000000
--- a/3rdparty/Makefile.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-THIRDPARTY_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
-include $(THIRDPARTY_DIR)/everest/Makefile.inc
-include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
diff --git a/3rdparty/everest/CMakeLists.txt b/3rdparty/everest/CMakeLists.txt
deleted file mode 100644
index e0e5ade..0000000
--- a/3rdparty/everest/CMakeLists.txt
+++ /dev/null
@@ -1,42 +0,0 @@
-set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
-
-add_library(${everest_target}
- library/everest.c
- library/x25519.c
- library/Hacl_Curve25519_joined.c)
-
-target_include_directories(${everest_target}
- PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
- $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
- $<INSTALL_INTERFACE:include>
- PRIVATE include/everest
- include/everest/kremlib
- ${MBEDTLS_DIR}/library/)
-
-# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-# This must be duplicated from library/CMakeLists.txt because
-# everest is not directly linked against any mbedtls targets
-# so does not inherit the compile definitions.
-if(MBEDTLS_CONFIG_FILE)
- target_compile_definitions(${everest_target}
- PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-endif()
-if(MBEDTLS_USER_CONFIG_FILE)
- target_compile_definitions(${everest_target}
- PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-endif()
-
-if(INSTALL_MBEDTLS_HEADERS)
-
- install(DIRECTORY include/everest
- DESTINATION include
- FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
- DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
- FILES_MATCHING PATTERN "*.h")
-
-endif(INSTALL_MBEDTLS_HEADERS)
-
-install(TARGETS ${everest_target}
- EXPORT MbedTLSTargets
- DESTINATION ${CMAKE_INSTALL_LIBDIR}
- PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/3rdparty/everest/Makefile.inc b/3rdparty/everest/Makefile.inc
deleted file mode 100644
index 77a6b49..0000000
--- a/3rdparty/everest/Makefile.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-THIRDPARTY_INCLUDES+=-I../3rdparty/everest/include -I../3rdparty/everest/include/everest -I../3rdparty/everest/include/everest/kremlib
-
-THIRDPARTY_CRYPTO_OBJECTS+= \
- ../3rdparty/everest/library/everest.o \
- ../3rdparty/everest/library/x25519.o \
- ../3rdparty/everest/library/Hacl_Curve25519_joined.o
diff --git a/3rdparty/p256-m/CMakeLists.txt b/3rdparty/p256-m/CMakeLists.txt
deleted file mode 100644
index 2ef0d48..0000000
--- a/3rdparty/p256-m/CMakeLists.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
-
-add_library(${p256m_target}
- p256-m_driver_entrypoints.c
- p256-m/p256-m.c)
-
-target_include_directories(${p256m_target}
- PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
- $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
- $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
- $<INSTALL_INTERFACE:include>
- PRIVATE ${MBEDTLS_DIR}/library/)
-
-# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-# This must be duplicated from library/CMakeLists.txt because
-# p256m is not directly linked against any mbedtls targets
-# so does not inherit the compile definitions.
-if(MBEDTLS_CONFIG_FILE)
- target_compile_definitions(${p256m_target}
- PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-endif()
-if(MBEDTLS_USER_CONFIG_FILE)
- target_compile_definitions(${p256m_target}
- PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-endif()
-
-if(INSTALL_MBEDTLS_HEADERS)
-
- install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
- DESTINATION include
- FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
- DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
- FILES_MATCHING PATTERN "*.h")
-
-endif(INSTALL_MBEDTLS_HEADERS)
-
-install(TARGETS ${p256m_target}
-EXPORT MbedTLSTargets
-DESTINATION ${CMAKE_INSTALL_LIBDIR}
-PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/3rdparty/p256-m/Makefile.inc b/3rdparty/p256-m/Makefile.inc
deleted file mode 100644
index fc8f73b..0000000
--- a/3rdparty/p256-m/Makefile.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-THIRDPARTY_INCLUDES+=-I../3rdparty/p256-m/p256-m/include -I../3rdparty/p256-m/p256-m/include/p256-m -I../3rdparty/p256-m/p256-m_driver_interface
-
-THIRDPARTY_CRYPTO_OBJECTS+= \
- ../3rdparty/p256-m//p256-m_driver_entrypoints.o \
- ../3rdparty/p256-m//p256-m/p256-m.o
diff --git a/3rdparty/p256-m/README.md b/3rdparty/p256-m/README.md
deleted file mode 100644
index 89648d4..0000000
--- a/3rdparty/p256-m/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m), which is distributed under the Apache 2.0 license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
-
-The files `p256-m.c` and `.h`, along with the license, have been taken from the `p256-m` repository.
-It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
diff --git a/3rdparty/p256-m/p256-m/LICENSE b/3rdparty/p256-m/p256-m/LICENSE
deleted file mode 100644
index d645695..0000000
--- a/3rdparty/p256-m/p256-m/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c
deleted file mode 100644
index 3f878f7..0000000
--- a/3rdparty/p256-m/p256-m/p256-m.c
+++ /dev/null
@@ -1,1514 +0,0 @@
-/*
- * Implementation of curve P-256 (ECDH and ECDSA)
- *
- * Copyright The Mbed TLS Contributors
- * Author: Manuel Pégourié-Gonnard.
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#include "p256-m.h"
-#include "mbedtls/platform_util.h"
-#include "psa/crypto.h"
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
-
-/*
- * Zeroize memory - this should not be optimized away
- */
-#define zeroize mbedtls_platform_zeroize
-
-/*
- * Helpers to test constant-time behaviour with valgrind or MemSan.
- *
- * CT_POISON() is used for secret data. It marks the memory area as
- * uninitialised, so that any branch or pointer dereference that depends on it
- * (even indirectly) triggers a warning.
- * CT_UNPOISON() is used for public data; it marks the area as initialised.
- *
- * These are macros in order to avoid interfering with origin tracking.
- */
-#if defined(CT_MEMSAN)
-
-#include <sanitizer/msan_interface.h>
-#define CT_POISON __msan_allocated_memory
-// void __msan_allocated_memory(const volatile void* data, size_t size);
-#define CT_UNPOISON __msan_unpoison
-// void __msan_unpoison(const volatile void *a, size_t size);
-
-#elif defined(CT_VALGRIND)
-
-#include <valgrind/memcheck.h>
-#define CT_POISON VALGRIND_MAKE_MEM_UNDEFINED
-// VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len)
-#define CT_UNPOISON VALGRIND_MAKE_MEM_DEFINED
-// VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len)
-
-#else
-#define CT_POISON(p, sz)
-#define CT_UNPOISON(p, sz)
-#endif
-
-/**********************************************************************
- *
- * Operations on fixed-width unsigned integers
- *
- * Represented using 32-bit limbs, least significant limb first.
- * That is: x = x[0] + 2^32 x[1] + ... + 2^224 x[7] for 256-bit.
- *
- **********************************************************************/
-
-/*
- * 256-bit set to 32-bit value
- *
- * in: x in [0, 2^32)
- * out: z = x
- */
-static void u256_set32(uint32_t z[8], uint32_t x)
-{
- z[0] = x;
- for (unsigned i = 1; i < 8; i++) {
- z[i] = 0;
- }
-}
-
-/*
- * 256-bit addition
- *
- * in: x, y in [0, 2^256)
- * out: z = (x + y) mod 2^256
- * c = (x + y) div 2^256
- * That is, z + c * 2^256 = x + y
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static uint32_t u256_add(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8])
-{
- uint32_t carry = 0;
-
- for (unsigned i = 0; i < 8; i++) {
- uint64_t sum = (uint64_t) carry + x[i] + y[i];
- z[i] = (uint32_t) sum;
- carry = (uint32_t) (sum >> 32);
- }
-
- return carry;
-}
-
-/*
- * 256-bit subtraction
- *
- * in: x, y in [0, 2^256)
- * out: z = (x - y) mod 2^256
- * c = 0 if x >=y, 1 otherwise
- * That is, z = c * 2^256 + x - y
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static uint32_t u256_sub(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8])
-{
- uint32_t carry = 0;
-
- for (unsigned i = 0; i < 8; i++) {
- uint64_t diff = (uint64_t) x[i] - y[i] - carry;
- z[i] = (uint32_t) diff;
- carry = -(uint32_t) (diff >> 32);
- }
-
- return carry;
-}
-
-/*
- * 256-bit conditional assignment
- *
- * in: x in [0, 2^256)
- * c in [0, 1]
- * out: z = x if c == 1, z unchanged otherwise
- *
- * Note: as a memory area, z must be either equal to x, or not overlap.
- */
-static void u256_cmov(uint32_t z[8], const uint32_t x[8], uint32_t c)
-{
- const uint32_t x_mask = -c;
- for (unsigned i = 0; i < 8; i++) {
- z[i] = (z[i] & ~x_mask) | (x[i] & x_mask);
- }
-}
-
-/*
- * 256-bit compare for equality
- *
- * in: x in [0, 2^256)
- * y in [0, 2^256)
- * out: 0 if x == y, unspecified non-zero otherwise
- */
-static uint32_t u256_diff(const uint32_t x[8], const uint32_t y[8])
-{
- uint32_t diff = 0;
- for (unsigned i = 0; i < 8; i++) {
- diff |= x[i] ^ y[i];
- }
- return diff;
-}
-
-/*
- * 256-bit compare to zero
- *
- * in: x in [0, 2^256)
- * out: 0 if x == 0, unspecified non-zero otherwise
- */
-static uint32_t u256_diff0(const uint32_t x[8])
-{
- uint32_t diff = 0;
- for (unsigned i = 0; i < 8; i++) {
- diff |= x[i];
- }
- return diff;
-}
-
-/*
- * 32 x 32 -> 64-bit multiply-and-accumulate
- *
- * in: x, y, z, t in [0, 2^32)
- * out: x * y + z + t in [0, 2^64)
- *
- * Note: this computation cannot overflow.
- *
- * Note: this function has two pure-C implementations (depending on whether
- * MUL64_IS_CONSTANT_TIME), and possibly optimised asm implementations.
- * Start with the potential asm definitions, and use the C definition only if
- * we no have no asm for the current toolchain & CPU.
- */
-static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t);
-
-/* This macro is used to mark whether an asm implentation is found */
-#undef MULADD64_ASM
-/* This macro is used to mark whether the implementation has a small
- * code size (ie, it can be inlined even in an unrolled loop) */
-#undef MULADD64_SMALL
-
-/*
- * Currently assembly optimisations are only supported with GCC/Clang for
- * Arm's Cortex-A and Cortex-M lines of CPUs, which start with the v6-M and
- * v7-M architectures. __ARM_ARCH_PROFILE is not defined for v6 and earlier.
- * Thumb and 32-bit assembly is supported; aarch64 is not supported.
- */
-#if defined(__GNUC__) &&\
- defined(__ARM_ARCH) && __ARM_ARCH >= 6 && defined(__ARM_ARCH_PROFILE) && \
- ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */ && \
- !defined(__aarch64__)
-
-/*
- * This set of CPUs is conveniently partitioned as follows:
- *
- * 1. Cores that have the DSP extension, which includes a 1-cycle UMAAL
- * instruction: M4, M7, M33, all A-class cores.
- * 2. Cores that don't have the DSP extension, and also lack a constant-time
- * 64-bit multiplication instruction:
- * - M0, M0+, M23: 32-bit multiplication only;
- * - M3: 64-bit multiplication is not constant-time.
- */
-#if defined(__ARM_FEATURE_DSP)
-
-static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
-{
- __asm__(
- /* UMAAL <RdLo>, <RdHi>, <Rn>, <Rm> */
- "umaal %[z], %[t], %[x], %[y]"
- : [z] "+l" (z), [t] "+l" (t)
- : [x] "l" (x), [y] "l" (y)
- );
- return ((uint64_t) t << 32) | z;
-}
-#define MULADD64_ASM
-#define MULADD64_SMALL
-
-#else /* __ARM_FEATURE_DSP */
-
-/*
- * This implementation only uses 16x16->32 bit multiplication.
- *
- * It decomposes the multiplicands as:
- * x = xh:xl = 2^16 * xh + xl
- * y = yh:yl = 2^16 * yh + yl
- * and computes their product as:
- * x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
- * then adds z and t to the result.
- */
-static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
-{
- /* First compute x*y, using 3 temporary registers */
- uint32_t tmp1, tmp2, tmp3;
- __asm__(
- ".syntax unified\n\t"
- /* start by splitting the inputs into halves */
- "lsrs %[u], %[x], #16\n\t"
- "lsrs %[v], %[y], #16\n\t"
- "uxth %[x], %[x]\n\t"
- "uxth %[y], %[y]\n\t"
- /* now we have %[x], %[y], %[u], %[v] = xl, yl, xh, yh */
- /* let's compute the 4 products we can form with those */
- "movs %[w], %[v]\n\t"
- "muls %[w], %[u]\n\t"
- "muls %[v], %[x]\n\t"
- "muls %[x], %[y]\n\t"
- "muls %[y], %[u]\n\t"
- /* now we have %[x], %[y], %[v], %[w] = xl*yl, xh*yl, xl*yh, xh*yh */
- /* let's split and add the first middle product */
- "lsls %[u], %[y], #16\n\t"
- "lsrs %[y], %[y], #16\n\t"
- "adds %[x], %[u]\n\t"
- "adcs %[y], %[w]\n\t"
- /* let's finish with the second middle product */
- "lsls %[u], %[v], #16\n\t"
- "lsrs %[v], %[v], #16\n\t"
- "adds %[x], %[u]\n\t"
- "adcs %[y], %[v]\n\t"
- : [x] "+l" (x), [y] "+l" (y),
- [u] "=&l" (tmp1), [v] "=&l" (tmp2), [w] "=&l" (tmp3)
- : /* no read-only inputs */
- : "cc"
- );
- (void) tmp1;
- (void) tmp2;
- (void) tmp3;
-
- /* Add z and t, using one temporary register */
- __asm__(
- ".syntax unified\n\t"
- "movs %[u], #0\n\t"
- "adds %[x], %[z]\n\t"
- "adcs %[y], %[u]\n\t"
- "adds %[x], %[t]\n\t"
- "adcs %[y], %[u]\n\t"
- : [x] "+l" (x), [y] "+l" (y), [u] "=&l" (tmp1)
- : [z] "l" (z), [t] "l" (t)
- : "cc"
- );
- (void) tmp1;
-
- return ((uint64_t) y << 32) | x;
-}
-#define MULADD64_ASM
-
-#endif /* __ARM_FEATURE_DSP */
-
-#endif /* GCC/Clang with Cortex-M/A CPU */
-
-#if !defined(MULADD64_ASM)
-#if defined(MUL64_IS_CONSTANT_TIME)
-static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
-{
- return (uint64_t) x * y + z + t;
-}
-#define MULADD64_SMALL
-#else
-static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
-{
- /* x = xl + 2**16 xh, y = yl + 2**16 yh */
- const uint16_t xl = (uint16_t) x;
- const uint16_t yl = (uint16_t) y;
- const uint16_t xh = x >> 16;
- const uint16_t yh = y >> 16;
-
- /* x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
- * = lo + 2**16 (m1 + m2 ) + 2**32 hi */
- const uint32_t lo = (uint32_t) xl * yl;
- const uint32_t m1 = (uint32_t) xh * yl;
- const uint32_t m2 = (uint32_t) xl * yh;
- const uint32_t hi = (uint32_t) xh * yh;
-
- uint64_t acc = lo + ((uint64_t) (hi + (m1 >> 16) + (m2 >> 16)) << 32);
- acc += m1 << 16;
- acc += m2 << 16;
- acc += z;
- acc += t;
-
- return acc;
-}
-#endif /* MUL64_IS_CONSTANT_TIME */
-#endif /* MULADD64_ASM */
-
-/*
- * 288 + 32 x 256 -> 288-bit multiply and add
- *
- * in: x in [0, 2^32)
- * y in [0, 2^256)
- * z in [0, 2^288)
- * out: z_out = z_in + x * y mod 2^288
- * c = z_in + x * y div 2^288
- * That is, z_out + c * 2^288 = z_in + x * y
- *
- * Note: as a memory area, z must be either equal to y, or not overlap.
- *
- * This is a helper for Montgomery multiplication.
- */
-static uint32_t u288_muladd(uint32_t z[9], uint32_t x, const uint32_t y[8])
-{
- uint32_t carry = 0;
-
-#define U288_MULADD_STEP(i) \
- do { \
- uint64_t prod = u32_muladd64(x, y[i], z[i], carry); \
- z[i] = (uint32_t) prod; \
- carry = (uint32_t) (prod >> 32); \
- } while( 0 )
-
-#if defined(MULADD64_SMALL)
- U288_MULADD_STEP(0);
- U288_MULADD_STEP(1);
- U288_MULADD_STEP(2);
- U288_MULADD_STEP(3);
- U288_MULADD_STEP(4);
- U288_MULADD_STEP(5);
- U288_MULADD_STEP(6);
- U288_MULADD_STEP(7);
-#else
- for (unsigned i = 0; i < 8; i++) {
- U288_MULADD_STEP(i);
- }
-#endif
-
- uint64_t sum = (uint64_t) z[8] + carry;
- z[8] = (uint32_t) sum;
- carry = (uint32_t) (sum >> 32);
-
- return carry;
-}
-
-/*
- * 288-bit in-place right shift by 32 bits
- *
- * in: z in [0, 2^288)
- * c in [0, 2^32)
- * out: z_out = z_in div 2^32 + c * 2^256
- * = (z_in + c * 2^288) div 2^32
- *
- * This is a helper for Montgomery multiplication.
- */
-static void u288_rshift32(uint32_t z[9], uint32_t c)
-{
- for (unsigned i = 0; i < 8; i++) {
- z[i] = z[i + 1];
- }
- z[8] = c;
-}
-
-/*
- * 256-bit import from big-endian bytes
- *
- * in: p = p0, ..., p31
- * out: z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
- */
-static void u256_from_bytes(uint32_t z[8], const uint8_t p[32])
-{
- for (unsigned i = 0; i < 8; i++) {
- unsigned j = 4 * (7 - i);
- z[i] = ((uint32_t) p[j + 0] << 24) |
- ((uint32_t) p[j + 1] << 16) |
- ((uint32_t) p[j + 2] << 8) |
- ((uint32_t) p[j + 3] << 0);
- }
-}
-
-/*
- * 256-bit export to big-endian bytes
- *
- * in: z in [0, 2^256)
- * out: p = p0, ..., p31 such that
- * z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
- */
-static void u256_to_bytes(uint8_t p[32], const uint32_t z[8])
-{
- for (unsigned i = 0; i < 8; i++) {
- unsigned j = 4 * (7 - i);
- p[j + 0] = (uint8_t) (z[i] >> 24);
- p[j + 1] = (uint8_t) (z[i] >> 16);
- p[j + 2] = (uint8_t) (z[i] >> 8);
- p[j + 3] = (uint8_t) (z[i] >> 0);
- }
-}
-
-/**********************************************************************
- *
- * Operations modulo a 256-bit prime m
- *
- * These are done in the Montgomery domain, that is x is represented by
- * x * 2^256 mod m
- * Numbers need to be converted to that domain before computations,
- * and back from it afterwards.
- *
- * Inversion is computed using Fermat's little theorem.
- *
- * Assumptions on m:
- * - Montgomery operations require that m is odd.
- * - Fermat's little theorem require it to be a prime.
- * - m256_inv() further requires that m % 2^32 >= 2.
- * - m256_inv() also assumes that the value of m is not a secret.
- *
- * In practice operations are done modulo the curve's p and n,
- * both of which satisfy those assumptions.
- *
- **********************************************************************/
-
-/*
- * Data associated to a modulus for Montgomery operations.
- *
- * m in [0, 2^256) - the modulus itself, must be odd
- * R2 = 2^512 mod m
- * ni = -m^-1 mod 2^32
- */
-typedef struct {
- uint32_t m[8];
- uint32_t R2[8];
- uint32_t ni;
-}
-m256_mod;
-
-/*
- * Data for Montgomery operations modulo the curve's p
- */
-static const m256_mod p256_p = {
- { /* the curve's p */
- 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000,
- 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF,
- },
- { /* 2^512 mod p */
- 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb,
- 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004,
- },
- 0x00000001, /* -p^-1 mod 2^32 */
-};
-
-/*
- * Data for Montgomery operations modulo the curve's n
- */
-static const m256_mod p256_n = {
- { /* the curve's n */
- 0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD,
- 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
- },
- { /* 2^512 mod n */
- 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c,
- 0x2b6bec59, 0x2845b239, 0xf3d95620, 0x66e12d94,
- },
- 0xee00bc4f, /* -n^-1 mod 2^32 */
-};
-
-/*
- * Modular addition
- *
- * in: x, y in [0, m)
- * mod must point to a valid m256_mod structure
- * out: z = (x + y) mod m, in [0, m)
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static void m256_add(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8],
- const m256_mod *mod)
-{
- uint32_t r[8];
- uint32_t carry_add = u256_add(z, x, y);
- uint32_t carry_sub = u256_sub(r, z, mod->m);
- /* Need to subract m if:
- * x+y >= 2^256 > m (that is, carry_add == 1)
- * OR z >= m (that is, carry_sub == 0) */
- uint32_t use_sub = carry_add | (1 - carry_sub);
- u256_cmov(z, r, use_sub);
-}
-
-/*
- * Modular addition mod p
- *
- * in: x, y in [0, p)
- * out: z = (x + y) mod p, in [0, p)
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static void m256_add_p(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8])
-{
- m256_add(z, x, y, &p256_p);
-}
-
-/*
- * Modular subtraction
- *
- * in: x, y in [0, m)
- * mod must point to a valid m256_mod structure
- * out: z = (x - y) mod m, in [0, m)
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static void m256_sub(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8],
- const m256_mod *mod)
-{
- uint32_t r[8];
- uint32_t carry = u256_sub(z, x, y);
- (void) u256_add(r, z, mod->m);
- /* Need to add m if and only if x < y, that is carry == 1.
- * In that case z is in [2^256 - m + 1, 2^256 - 1], so the
- * addition will have a carry as well, which cancels out. */
- u256_cmov(z, r, carry);
-}
-
-/*
- * Modular subtraction mod p
- *
- * in: x, y in [0, p)
- * out: z = (x + y) mod p, in [0, p)
- *
- * Note: as a memory area, z must be either equal to x or y, or not overlap.
- */
-static void m256_sub_p(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8])
-{
- m256_sub(z, x, y, &p256_p);
-}
-
-/*
- * Montgomery modular multiplication
- *
- * in: x, y in [0, m)
- * mod must point to a valid m256_mod structure
- * out: z = (x * y) / 2^256 mod m, in [0, m)
- *
- * Note: as a memory area, z may overlap with x or y.
- */
-static void m256_mul(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8],
- const m256_mod *mod)
-{
- /*
- * Algorithm 14.36 in Handbook of Applied Cryptography with:
- * b = 2^32, n = 8, R = 2^256
- */
- uint32_t m_prime = mod->ni;
- uint32_t a[9];
-
- for (unsigned i = 0; i < 9; i++) {
- a[i] = 0;
- }
-
- for (unsigned i = 0; i < 8; i++) {
- /* the "mod 2^32" is implicit from the type */
- uint32_t u = (a[0] + x[i] * y[0]) * m_prime;
-
- /* a = (a + x[i] * y + u * m) div b */
- uint32_t c = u288_muladd(a, x[i], y);
- c += u288_muladd(a, u, mod->m);
- u288_rshift32(a, c);
- }
-
- /* a = a > m ? a - m : a */
- uint32_t carry_add = a[8]; // 0 or 1 since a < 2m, see HAC Note 14.37
- uint32_t carry_sub = u256_sub(z, a, mod->m);
- uint32_t use_sub = carry_add | (1 - carry_sub); // see m256_add()
- u256_cmov(z, a, 1 - use_sub);
-}
-
-/*
- * Montgomery modular multiplication modulo p.
- *
- * in: x, y in [0, p)
- * out: z = (x * y) / 2^256 mod p, in [0, p)
- *
- * Note: as a memory area, z may overlap with x or y.
- */
-static void m256_mul_p(uint32_t z[8],
- const uint32_t x[8], const uint32_t y[8])
-{
- m256_mul(z, x, y, &p256_p);
-}
-
-/*
- * In-place conversion to Montgomery form
- *
- * in: z in [0, m)
- * mod must point to a valid m256_mod structure
- * out: z_out = z_in * 2^256 mod m, in [0, m)
- */
-static void m256_prep(uint32_t z[8], const m256_mod *mod)
-{
- m256_mul(z, z, mod->R2, mod);
-}
-
-/*
- * In-place conversion from Montgomery form
- *
- * in: z in [0, m)
- * mod must point to a valid m256_mod structure
- * out: z_out = z_in / 2^256 mod m, in [0, m)
- * That is, z_in was z_actual * 2^256 mod m, and z_out is z_actual
- */
-static void m256_done(uint32_t z[8], const m256_mod *mod)
-{
- uint32_t one[8];
- u256_set32(one, 1);
- m256_mul(z, z, one, mod);
-}
-
-/*
- * Set to 32-bit value
- *
- * in: x in [0, 2^32)
- * mod must point to a valid m256_mod structure
- * out: z = x * 2^256 mod m, in [0, m)
- * That is, z is set to the image of x in the Montgomery domain.
- */
-static void m256_set32(uint32_t z[8], uint32_t x, const m256_mod *mod)
-{
- u256_set32(z, x);
- m256_prep(z, mod);
-}
-
-/*
- * Modular inversion in Montgomery form
- *
- * in: x in [0, m)
- * mod must point to a valid m256_mod structure
- * such that mod->m % 2^32 >= 2, assumed to be public.
- * out: z = x^-1 * 2^512 mod m if x != 0,
- * z = 0 if x == 0
- * That is, if x = x_actual * 2^256 mod m, then
- * z = x_actual^-1 * 2^256 mod m
- *
- * Note: as a memory area, z may overlap with x.
- */
-static void m256_inv(uint32_t z[8], const uint32_t x[8],
- const m256_mod *mod)
-{
- /*
- * Use Fermat's little theorem to compute x^-1 as x^(m-2).
- *
- * Take advantage of the fact that both p's and n's least significant limb
- * is at least 2 to perform the subtraction on the flight (no carry).
- *
- * Use plain right-to-left binary exponentiation;
- * branches are OK as the exponent is not a secret.
- */
- uint32_t bitval[8];
- u256_cmov(bitval, x, 1); /* copy x before writing to z */
-
- m256_set32(z, 1, mod);
-
- unsigned i = 0;
- uint32_t limb = mod->m[i] - 2;
- while (1) {
- for (unsigned j = 0; j < 32; j++) {
- if ((limb & 1) != 0) {
- m256_mul(z, z, bitval, mod);
- }
- m256_mul(bitval, bitval, bitval, mod);
- limb >>= 1;
- }
-
- if (i == 7)
- break;
-
- i++;
- limb = mod->m[i];
- }
-}
-
-/*
- * Import modular integer from bytes to Montgomery domain
- *
- * in: p = p0, ..., p32
- * mod must point to a valid m256_mod structure
- * out: z = (p0 * 2^248 + ... + p31) * 2^256 mod m, in [0, m)
- * return 0 if the number was already in [0, m), or -1.
- * z may be incorrect and must be discared when -1 is returned.
- */
-static int m256_from_bytes(uint32_t z[8],
- const uint8_t p[32], const m256_mod *mod)
-{
- u256_from_bytes(z, p);
-
- uint32_t t[8];
- uint32_t lt_m = u256_sub(t, z, mod->m);
- if (lt_m != 1)
- return -1;
-
- m256_prep(z, mod);
- return 0;
-}
-
-/*
- * Export modular integer from Montgomery domain to bytes
- *
- * in: z in [0, 2^256)
- * mod must point to a valid m256_mod structure
- * out: p = p0, ..., p31 such that
- * z = (p0 * 2^248 + ... + p31) * 2^256 mod m
- */
-static void m256_to_bytes(uint8_t p[32],
- const uint32_t z[8], const m256_mod *mod)
-{
- uint32_t zi[8];
- u256_cmov(zi, z, 1);
- m256_done(zi, mod);
-
- u256_to_bytes(p, zi);
-}
-
-/**********************************************************************
- *
- * Operations on curve points
- *
- * Points are represented in two coordinates system:
- * - affine (x, y) - extended to represent 0 (see below)
- * - jacobian (x:y:z)
- * In either case, coordinates are integers modulo p256_p and
- * are always represented in the Montgomery domain.
- *
- * For background on jacobian coordinates, see for example [GECC] 3.2.2:
- * - conversions go (x, y) -> (x:y:1) and (x:y:z) -> (x/z^2, y/z^3)
- * - the curve equation becomes y^2 = x^3 - 3 x z^4 + b z^6
- * - 0 (aka the origin aka point at infinity) is (x:y:0) with y^2 = x^3.
- * - point negation goes -(x:y:z) = (x:-y:z)
- *
- * Normally 0 (the point at infinity) can't be represented in affine
- * coordinates. However we extend affine coordinates with the convention that
- * (0, 0) (which is normally not a point on the curve) is interpreted as 0.
- *
- * References:
- * - [GECC]: Guide to Elliptic Curve Cryptography; Hankerson, Menezes,
- * Vanstone; Springer, 2004.
- * - [CMO98]: Efficient Elliptic Curve Exponentiation Using Mixed Coordinates;
- * Cohen, Miyaji, Ono; Springer, ASIACRYPT 1998.
- * https://link.springer.com/content/pdf/10.1007/3-540-49649-1_6.pdf
- * - [RCB15]: Complete addition formulas for prime order elliptic curves;
- * Renes, Costello, Batina; IACR e-print 2015-1060.
- * https://eprint.iacr.org/2015/1060.pdf
- *
- **********************************************************************/
-
-/*
- * The curve's b parameter in the Short Weierstrass equation
- * y^2 = x^3 - 3*x + b
- * Compared to the standard, this is converted to the Montgomery domain.
- */
-static const uint32_t p256_b[8] = { /* b * 2^256 mod p */
- 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd,
- 0xf7212ed6, 0xe5a220ab, 0x04874834, 0xdc30061d,
-};
-
-/*
- * The curve's conventional base point G.
- * Compared to the standard, coordinates converted to the Montgomery domain.
- */
-static const uint32_t p256_gx[8] = { /* G_x * 2^256 mod p */
- 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc,
- 0x77622510, 0x79fb732b, 0xa53755c6, 0x18905f76,
-};
-static const uint32_t p256_gy[8] = { /* G_y * 2^256 mod p */
- 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4,
- 0xdd21f325, 0xd2e88688, 0x25885d85, 0x8571ff18,
-};
-
-/*
- * Point-on-curve check - do the coordinates satisfy the curve's equation?
- *
- * in: x, y in [0, p) (Montgomery domain)
- * out: 0 if the point lies on the curve and is not 0,
- * unspecified non-zero otherwise
- */
-static uint32_t point_check(const uint32_t x[8], const uint32_t y[8])
-{
- uint32_t lhs[8], rhs[8];
-
- /* lhs = y^2 */
- m256_mul_p(lhs, y, y);
-
- /* rhs = x^3 - 3x + b */
- m256_mul_p(rhs, x, x); /* x^2 */
- m256_mul_p(rhs, rhs, x); /* x^3 */
- for (unsigned i = 0; i < 3; i++)
- m256_sub_p(rhs, rhs, x); /* x^3 - 3x */
- m256_add_p(rhs, rhs, p256_b); /* x^3 - 3x + b */
-
- return u256_diff(lhs, rhs);
-}
-
-/*
- * In-place jacobian to affine coordinate conversion
- *
- * in: (x:y:z) must be on the curve (coordinates in Montegomery domain)
- * out: x_out = x_in / z_in^2 (Montgomery domain)
- * y_out = y_in / z_in^3 (Montgomery domain)
- * z_out unspecified, must be disregarded
- *
- * Note: if z is 0 (that is, the input point is 0), x_out = y_out = 0.
- */
-static void point_to_affine(uint32_t x[8], uint32_t y[8], uint32_t z[8])
-{
- uint32_t t[8];
-
- m256_inv(z, z, &p256_p); /* z = z^-1 */
-
- m256_mul_p(t, z, z); /* t = z^-2 */
- m256_mul_p(x, x, t); /* x = x * z^-2 */
-
- m256_mul_p(t, t, z); /* t = z^-3 */
- m256_mul_p(y, y, t); /* y = y * z^-3 */
-}
-
-/*
- * In-place point doubling in jacobian coordinates (Montgomery domain)
- *
- * in: P_in = (x:y:z), must be on the curve
- * out: (x:y:z) = P_out = 2 * P_in
- */
-static void point_double(uint32_t x[8], uint32_t y[8], uint32_t z[8])
-{
- /*
- * This is formula 6 from [CMO98], cited as complete in [RCB15] (table 1).
- * Notations as in the paper, except u added and t ommited (it's x3).
- */
- uint32_t m[8], s[8], u[8];
-
- /* m = 3 * x^2 + a * z^4 = 3 * (x + z^2) * (x - z^2) */
- m256_mul_p(s, z, z);
- m256_add_p(m, x, s);
- m256_sub_p(u, x, s);
- m256_mul_p(s, m, u);
- m256_add_p(m, s, s);
- m256_add_p(m, m, s);
-
- /* s = 4 * x * y^2 */
- m256_mul_p(u, y, y);
- m256_add_p(u, u, u); /* u = 2 * y^2 (used below) */
- m256_mul_p(s, x, u);
- m256_add_p(s, s, s);
-
- /* u = 8 * y^4 (not named in the paper, first term of y3) */
- m256_mul_p(u, u, u);
- m256_add_p(u, u, u);
-
- /* x3 = t = m^2 - 2 * s */
- m256_mul_p(x, m, m);
- m256_sub_p(x, x, s);
- m256_sub_p(x, x, s);
-
- /* z3 = 2 * y * z */
- m256_mul_p(z, y, z);
- m256_add_p(z, z, z);
-
- /* y3 = -u + m * (s - t) */
- m256_sub_p(y, s, x);
- m256_mul_p(y, y, m);
- m256_sub_p(y, y, u);
-}
-
-/*
- * In-place point addition in jacobian-affine coordinates (Montgomery domain)
- *
- * in: P_in = (x1:y1:z1), must be on the curve and not 0
- * Q = (x2, y2), must be on the curve and not P_in or -P_in or 0
- * out: P_out = (x1:y1:z1) = P_in + Q
- */
-static void point_add(uint32_t x1[8], uint32_t y1[8], uint32_t z1[8],
- const uint32_t x2[8], const uint32_t y2[8])
-{
- /*
- * This is formula 5 from [CMO98], with z2 == 1 substituted. We use
- * intermediates with neutral names, and names from the paper in comments.
- */
- uint32_t t1[8], t2[8], t3[8];
-
- /* u1 = x1 and s1 = y1 (no computations) */
-
- /* t1 = u2 = x2 z1^2 */
- m256_mul_p(t1, z1, z1);
- m256_mul_p(t2, t1, z1);
- m256_mul_p(t1, t1, x2);
-
- /* t2 = s2 = y2 z1^3 */
- m256_mul_p(t2, t2, y2);
-
- /* t1 = h = u2 - u1 */
- m256_sub_p(t1, t1, x1); /* t1 = x2 * z1^2 - x1 */
-
- /* t2 = r = s2 - s1 */
- m256_sub_p(t2, t2, y1);
-
- /* z3 = z1 * h */
- m256_mul_p(z1, z1, t1);
-
- /* t1 = h^3 */
- m256_mul_p(t3, t1, t1);
- m256_mul_p(t1, t3, t1);
-
- /* t3 = x1 * h^2 */
- m256_mul_p(t3, t3, x1);
-
- /* x3 = r^2 - 2 * x1 * h^2 - h^3 */
- m256_mul_p(x1, t2, t2);
- m256_sub_p(x1, x1, t3);
- m256_sub_p(x1, x1, t3);
- m256_sub_p(x1, x1, t1);
-
- /* y3 = r * (x1 * h^2 - x3) - y1 h^3 */
- m256_sub_p(t3, t3, x1);
- m256_mul_p(t3, t3, t2);
- m256_mul_p(t1, t1, y1);
- m256_sub_p(y1, t3, t1);
-}
-
-/*
- * Point addition or doubling (affine to jacobian, Montgomery domain)
- *
- * in: P = (x1, y1) - must be on the curve and not 0
- * Q = (x2, y2) - must be on the curve and not 0
- * out: (x3, y3) = R = P + Q
- *
- * Note: unlike point_add(), this function works if P = +- Q;
- * however it leaks information on its input through timing,
- * branches taken and memory access patterns (if observable).
- */
-static void point_add_or_double_leaky(
- uint32_t x3[8], uint32_t y3[8],
- const uint32_t x1[8], const uint32_t y1[8],
- const uint32_t x2[8], const uint32_t y2[8])
-{
-
- uint32_t z3[8];
- u256_cmov(x3, x1, 1);
- u256_cmov(y3, y1, 1);
- m256_set32(z3, 1, &p256_p);
-
- if (u256_diff(x1, x2) != 0) {
- // P != +- Q -> generic addition
- point_add(x3, y3, z3, x2, y2);
- point_to_affine(x3, y3, z3);
- }
- else if (u256_diff(y1, y2) == 0) {
- // P == Q -> double
- point_double(x3, y3, z3);
- point_to_affine(x3, y3, z3);
- } else {
- // P == -Q -> zero
- m256_set32(x3, 0, &p256_p);
- m256_set32(y3, 0, &p256_p);
- }
-}
-
-/*
- * Import curve point from bytes
- *
- * in: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
- * out: x, y in Mongomery domain
- * return 0 if x and y are both in [0, p)
- * and (x, y) is on the curve and not 0
- * unspecified non-zero otherwise.
- * x and y are unspecified and must be discarded if returning non-zero.
- */
-static int point_from_bytes(uint32_t x[8], uint32_t y[8], const uint8_t p[64])
-{
- int ret;
-
- ret = m256_from_bytes(x, p, &p256_p);
- if (ret != 0)
- return ret;
-
- ret = m256_from_bytes(y, p + 32, &p256_p);
- if (ret != 0)
- return ret;
-
- return (int) point_check(x, y);
-}
-
-/*
- * Export curve point to bytes
- *
- * in: x, y affine coordinates of a point (Montgomery domain)
- * must be on the curve and not 0
- * out: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
- */
-static void point_to_bytes(uint8_t p[64],
- const uint32_t x[8], const uint32_t y[8])
-{
- m256_to_bytes(p, x, &p256_p);
- m256_to_bytes(p + 32, y, &p256_p);
-}
-
-/**********************************************************************
- *
- * Scalar multiplication and other scalar-related operations
- *
- **********************************************************************/
-
-/*
- * Scalar multiplication
- *
- * in: P = (px, py), affine (Montgomery), must be on the curve and not 0
- * s in [1, n-1]
- * out: R = s * P = (rx, ry), affine coordinates (Montgomery).
- *
- * Note: as memory areas, none of the parameters may overlap.
- */
-static void scalar_mult(uint32_t rx[8], uint32_t ry[8],
- const uint32_t px[8], const uint32_t py[8],
- const uint32_t s[8])
-{
- /*
- * We use a signed binary ladder, see for example slides 10-14 of
- * http://ecc2015.math.u-bordeaux1.fr/documents/hamburg.pdf but with
- * implicit recoding, and a different loop initialisation to avoid feeding
- * 0 to our addition formulas, as they don't support it.
- */
- uint32_t s_odd[8], py_neg[8], py_use[8], rz[8];
-
- /*
- * Make s odd by replacing it with n - s if necessary.
- *
- * If s was odd, we'll have s_odd = s, and define P' = P.
- * Otherwise, we'll have s_odd = n - s and define P' = -P.
- *
- * Either way, we can compute s * P as s_odd * P'.
- */
- u256_sub(s_odd, p256_n.m, s); /* no carry, result still in [1, n-1] */
- uint32_t negate = ~s[0] & 1;
- u256_cmov(s_odd, s, 1 - negate);
-
- /* Compute py_neg = - py mod p (that's the y coordinate of -P) */
- u256_set32(py_use, 0);
- m256_sub_p(py_neg, py_use, py);
-
- /* Initialize R = P' = (x:(-1)^negate * y:1) */
- u256_cmov(rx, px, 1);
- u256_cmov(ry, py, 1);
- m256_set32(rz, 1, &p256_p);
- u256_cmov(ry, py_neg, negate);
-
- /*
- * For any odd number s_odd = b255 ... b1 1, we have
- * s_odd = 2^255 + 2^254 sbit(b255) + ... + 2 sbit(b2) + sbit(b1)
- * writing
- * sbit(b) = 2 * b - 1 = b ? 1 : -1
- *
- * Use that to compute s_odd * P' by repeating R = 2 * R +- P':
- * s_odd * P' = 2 * ( ... (2 * P' + sbit(b255) P') ... ) + sbit(b1) P'
- *
- * The loop invariant is that when beginning an iteration we have
- * R = s_i P'
- * with
- * s_i = 2^(255-i) + 2^(254-i) sbit(b_255) + ...
- * where the sum has 256 - i terms.
- *
- * When updating R we need to make sure the input to point_add() is
- * neither 0 not +-P'. Since that input is 2 s_i P', it is sufficient to
- * see that 1 < 2 s_i < n-1. The lower bound is obvious since s_i is a
- * positive integer, and for the upper bound we distinguish three cases.
- *
- * If i > 1, then s_i < 2^254, so 2 s_i < 2^255 < n-1.
- * Otherwise, i == 1 and we have 2 s_i = s_odd - sbit(b1).
- * If s_odd <= n-4, then 2 s_1 <= n-3.
- * Otherwise, s_odd = n-2, and for this curve's value of n,
- * we have b1 == 1, so sbit(b1) = 1 and 2 s_1 <= n-3.
- */
- for (unsigned i = 255; i > 0; i--) {
- uint32_t bit = (s_odd[i / 32] >> i % 32) & 1;
-
- /* set (px, py_use) = sbit(bit) P' = sbit(bit) * (-1)^negate P */
- u256_cmov(py_use, py, bit ^ negate);
- u256_cmov(py_use, py_neg, (1 - bit) ^ negate);
-
- /* Update R = 2 * R +- P' */
- point_double(rx, ry, rz);
- point_add(rx, ry, rz, px, py_use);
- }
-
- point_to_affine(rx, ry, rz);
-}
-
-/*
- * Scalar import from big-endian bytes
- *
- * in: p = p0, ..., p31
- * out: s = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
- * return 0 if s in [1, n-1],
- * -1 otherwise.
- */
-static int scalar_from_bytes(uint32_t s[8], const uint8_t p[32])
-{
- u256_from_bytes(s, p);
-
- uint32_t r[8];
- uint32_t lt_n = u256_sub(r, s, p256_n.m);
-
- u256_set32(r, 1);
- uint32_t lt_1 = u256_sub(r, s, r);
-
- if (lt_n && !lt_1)
- return 0;
-
- return -1;
-}
-
-/* Using RNG functions from Mbed TLS as p256-m does not come with a
- * cryptographically secure RNG function.
- */
-int p256_generate_random(uint8_t *output, unsigned output_size)
-{
- int ret;
- ret = psa_generate_random(output, output_size);
-
- if (ret != 0){
- return P256_RANDOM_FAILED;
- }
- return P256_SUCCESS;
-}
-
-/*
- * Scalar generation, with public key
- *
- * out: sbytes the big-endian bytes representation of the scalar
- * s its u256 representation
- * x, y the affine coordinates of s * G (Montgomery domain)
- * return 0 if OK, -1 on failure
- * sbytes, s, x, y must be discarded when returning non-zero.
- */
-static int scalar_gen_with_pub(uint8_t sbytes[32], uint32_t s[8],
- uint32_t x[8], uint32_t y[8])
-{
- /* generate a random valid scalar */
- int ret;
- unsigned nb_tried = 0;
- do {
- if (nb_tried++ >= 4)
- return -1;
-
- ret = p256_generate_random(sbytes, 32);
- CT_POISON(sbytes, 32);
- if (ret != 0)
- return -1;
-
- ret = scalar_from_bytes(s, sbytes);
- CT_UNPOISON(&ret, sizeof ret);
- }
- while (ret != 0);
-
- /* compute and ouput the associated public key */
- scalar_mult(x, y, p256_gx, p256_gy, s);
-
- /* the associated public key is not a secret */
- CT_UNPOISON(x, 32);
- CT_UNPOISON(y, 32);
-
- return 0;
-}
-
-/*
- * ECDH/ECDSA generate pair
- */
-int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64])
-{
- uint32_t s[8], x[8], y[8];
- int ret = scalar_gen_with_pub(priv, s, x, y);
- zeroize(s, sizeof s);
- if (ret != 0)
- return P256_RANDOM_FAILED;
-
- point_to_bytes(pub, x, y);
- return 0;
-}
-
-/**********************************************************************
- *
- * ECDH
- *
- **********************************************************************/
-
-/*
- * ECDH compute shared secret
- */
-int p256_ecdh_shared_secret(uint8_t secret[32],
- const uint8_t priv[32], const uint8_t peer[64])
-{
- CT_POISON(priv, 32);
-
- uint32_t s[8], px[8], py[8], x[8], y[8];
- int ret;
-
- ret = scalar_from_bytes(s, priv);
- CT_UNPOISON(&ret, sizeof ret);
- if (ret != 0) {
- ret = P256_INVALID_PRIVKEY;
- goto cleanup;
- }
-
- ret = point_from_bytes(px, py, peer);
- if (ret != 0) {
- ret = P256_INVALID_PUBKEY;
- goto cleanup;
- }
-
- scalar_mult(x, y, px, py, s);
-
- m256_to_bytes(secret, x, &p256_p);
- CT_UNPOISON(secret, 32);
-
-cleanup:
- zeroize(s, sizeof s);
- return ret;
-}
-
-/**********************************************************************
- *
- * ECDSA
- *
- * Reference:
- * [SEC1] SEC 1: Elliptic Curve Cryptography, Certicom research, 2009.
- * http://www.secg.org/sec1-v2.pdf
- **********************************************************************/
-
-/*
- * Reduction mod n of a small number
- *
- * in: x in [0, 2^256)
- * out: x_out = x_in mod n in [0, n)
- */
-static void ecdsa_m256_mod_n(uint32_t x[8])
-{
- uint32_t t[8];
- uint32_t c = u256_sub(t, x, p256_n.m);
- u256_cmov(x, t, 1 - c);
-}
-
-/*
- * Import integer mod n (Montgomery domain) from hash
- *
- * in: h = h0, ..., h_hlen
- * hlen the length of h in bytes
- * out: z = (h0 * 2^l-8 + ... + h_l) * 2^256 mod n
- * with l = min(32, hlen)
- *
- * Note: in [SEC1] this is step 5 of 4.1.3 (sign) or step 3 or 4.1.4 (verify),
- * with obvious simplications since n's bit-length is a multiple of 8.
- */
-static void ecdsa_m256_from_hash(uint32_t z[8],
- const uint8_t *h, size_t hlen)
-{
- /* convert from h (big-endian) */
- /* hlen is public data so it's OK to branch on it */
- if (hlen < 32) {
- uint8_t p[32];
- for (unsigned i = 0; i < 32; i++)
- p[i] = 0;
- for (unsigned i = 0; i < hlen; i++)
- p[32 - hlen + i] = h[i];
- u256_from_bytes(z, p);
- } else {
- u256_from_bytes(z, h);
- }
-
- /* ensure the result is in [0, n) */
- ecdsa_m256_mod_n(z);
-
- /* map to Montgomery domain */
- m256_prep(z, &p256_n);
-}
-
-/*
- * ECDSA sign
- */
-int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
- const uint8_t *hash, size_t hlen)
-{
- CT_POISON(priv, 32);
-
- /*
- * Steps and notations from [SEC1] 4.1.3
- *
- * Instead of retrying on r == 0 or s == 0, just abort,
- * as those events have negligible probability.
- */
- int ret;
-
- /* Temporary buffers - the first two are mostly stable, so have names */
- uint32_t xr[8], k[8], t3[8], t4[8];
-
- /* 1. Set ephemeral keypair */
- uint8_t *kb = (uint8_t *) t4;
- /* kb will be erased by re-using t4 for dU - if we exit before that, we
- * haven't read the private key yet so we kb isn't sensitive yet */
- ret = scalar_gen_with_pub(kb, k, xr, t3); /* xr = x_coord(k * G) */
- if (ret != 0)
- return P256_RANDOM_FAILED;
- m256_prep(k, &p256_n);
-
- /* 2. Convert xr to an integer */
- m256_done(xr, &p256_p);
-
- /* 3. Reduce xr mod n (extra: output it while at it) */
- ecdsa_m256_mod_n(xr); /* xr = int(xr) mod n */
-
- /* xr is public data so it's OK to use a branch */
- if (u256_diff0(xr) == 0)
- return P256_RANDOM_FAILED;
-
- u256_to_bytes(sig, xr);
-
- m256_prep(xr, &p256_n);
-
- /* 4. Skipped - we take the hash as an input, not the message */
-
- /* 5. Derive an integer from the hash */
- ecdsa_m256_from_hash(t3, hash, hlen); /* t3 = e */
-
- /* 6. Compute s = k^-1 * (e + r * dU) */
-
- /* Note: dU will be erased by re-using t4 for the value of s (public) */
- ret = scalar_from_bytes(t4, priv); /* t4 = dU (integer domain) */
- CT_UNPOISON(&ret, sizeof ret); /* Result of input validation */
- if (ret != 0)
- return P256_INVALID_PRIVKEY;
- m256_prep(t4, &p256_n); /* t4 = dU (Montgomery domain) */
-
- m256_inv(k, k, &p256_n); /* k^-1 */
- m256_mul(t4, xr, t4, &p256_n); /* t4 = r * dU */
- m256_add(t4, t3, t4, &p256_n); /* t4 = e + r * dU */
- m256_mul(t4, k, t4, &p256_n); /* t4 = s = k^-1 * (e + r * dU) */
- zeroize(k, sizeof k);
-
- /* 7. Output s (r already outputed at step 3) */
- CT_UNPOISON(t4, 32);
- if (u256_diff0(t4) == 0) {
- /* undo early output of r */
- u256_to_bytes(sig, t4);
- return P256_RANDOM_FAILED;
- }
- m256_to_bytes(sig + 32, t4, &p256_n);
-
- return P256_SUCCESS;
-}
-
-/*
- * ECDSA verify
- */
-int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
- const uint8_t *hash, size_t hlen)
-{
- /*
- * Steps and notations from [SEC1] 4.1.3
- *
- * Note: we're using public data only, so branches are OK
- */
- int ret;
-
- /* 1. Validate range of r and s : [1, n-1] */
- uint32_t r[8], s[8];
- ret = scalar_from_bytes(r, sig);
- if (ret != 0)
- return P256_INVALID_SIGNATURE;
- ret = scalar_from_bytes(s, sig + 32);
- if (ret != 0)
- return P256_INVALID_SIGNATURE;
-
- /* 2. Skipped - we take the hash as an input, not the message */
-
- /* 3. Derive an integer from the hash */
- uint32_t e[8];
- ecdsa_m256_from_hash(e, hash, hlen);
-
- /* 4. Compute u1 = e * s^-1 and u2 = r * s^-1 */
- uint32_t u1[8], u2[8];
- m256_prep(s, &p256_n); /* s in Montgomery domain */
- m256_inv(s, s, &p256_n); /* s = s^-1 mod n */
- m256_mul(u1, e, s, &p256_n); /* u1 = e * s^-1 mod n */
- m256_done(u1, &p256_n); /* u1 out of Montgomery domain */
-
- u256_cmov(u2, r, 1);
- m256_prep(u2, &p256_n); /* r in Montgomery domain */
- m256_mul(u2, u2, s, &p256_n); /* u2 = r * s^-1 mod n */
- m256_done(u2, &p256_n); /* u2 out of Montgomery domain */
-
- /* 5. Compute R (and re-use (u1, u2) to store its coordinates */
- uint32_t px[8], py[8];
- ret = point_from_bytes(px, py, pub);
- if (ret != 0)
- return P256_INVALID_PUBKEY;
-
- scalar_mult(e, s, px, py, u2); /* (e, s) = R2 = u2 * Qu */
-
- if (u256_diff0(u1) == 0) {
- /* u1 out of range for scalar_mult() - just skip it */
- u256_cmov(u1, e, 1);
- /* we don't care about the y coordinate */
- } else {
- scalar_mult(px, py, p256_gx, p256_gy, u1); /* (px, py) = R1 = u1 * G */
-
- /* (u1, u2) = R = R1 + R2 */
- point_add_or_double_leaky(u1, u2, px, py, e, s);
- /* No need to check if R == 0 here: if that's the case, it will be
- * caught when comparating rx (which will be 0) to r (which isn't). */
- }
-
- /* 6. Convert xR to an integer */
- m256_done(u1, &p256_p);
-
- /* 7. Reduce xR mod n */
- ecdsa_m256_mod_n(u1);
-
- /* 8. Compare xR mod n to r */
- uint32_t diff = u256_diff(u1, r);
- if (diff == 0)
- return P256_SUCCESS;
-
- return P256_INVALID_SIGNATURE;
-}
-
-/**********************************************************************
- *
- * Key management utilities
- *
- **********************************************************************/
-
-int p256_validate_pubkey(const uint8_t pub[64])
-{
- uint32_t x[8], y[8];
- int ret = point_from_bytes(x, y, pub);
-
- return ret == 0 ? P256_SUCCESS : P256_INVALID_PUBKEY;
-}
-
-int p256_validate_privkey(const uint8_t priv[32])
-{
- uint32_t s[8];
- int ret = scalar_from_bytes(s, priv);
- zeroize(s, sizeof(s));
-
- return ret == 0 ? P256_SUCCESS : P256_INVALID_PRIVKEY;
-}
-
-int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32])
-{
- int ret;
- uint32_t s[8];
-
- ret = scalar_from_bytes(s, priv);
- if (ret != 0)
- return P256_INVALID_PRIVKEY;
-
- /* compute and ouput the associated public key */
- uint32_t x[8], y[8];
- scalar_mult(x, y, p256_gx, p256_gy, s);
-
- /* the associated public key is not a secret, the scalar was */
- CT_UNPOISON(x, 32);
- CT_UNPOISON(y, 32);
- zeroize(s, sizeof(s));
-
- point_to_bytes(pub, x, y);
- return P256_SUCCESS;
-}
-
-#endif
diff --git a/3rdparty/p256-m/p256-m/p256-m.h b/3rdparty/p256-m/p256-m/p256-m.h
deleted file mode 100644
index 28d319f..0000000
--- a/3rdparty/p256-m/p256-m/p256-m.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Interface of curve P-256 (ECDH and ECDSA)
- *
- * Copyright The Mbed TLS Contributors
- * Author: Manuel Pégourié-Gonnard.
- * SPDX-License-Identifier: Apache-2.0
- */
-#ifndef P256_M_H
-#define P256_M_H
-
-#include <stdint.h>
-#include <stddef.h>
-
-/* Status codes */
-#define P256_SUCCESS 0
-#define P256_RANDOM_FAILED -1
-#define P256_INVALID_PUBKEY -2
-#define P256_INVALID_PRIVKEY -3
-#define P256_INVALID_SIGNATURE -4
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * RNG function - must be provided externally and be cryptographically secure.
- *
- * in: output - must point to a writable buffer of at least output_size bytes.
- * output_size - the number of random bytes to write to output.
- * out: output is filled with output_size random bytes.
- * return 0 on success, non-zero on errors.
- */
-extern int p256_generate_random(uint8_t * output, unsigned output_size);
-
-/*
- * ECDH/ECDSA generate key pair
- *
- * [in] draws from p256_generate_random()
- * [out] priv: on success, holds the private key, as a big-endian integer
- * [out] pub: on success, holds the public key, as two big-endian integers
- *
- * return: P256_SUCCESS on success
- * P256_RANDOM_FAILED on failure
- */
-int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64]);
-
-/*
- * ECDH compute shared secret
- *
- * [out] secret: on success, holds the shared secret, as a big-endian integer
- * [in] priv: our private key as a big-endian integer
- * [in] pub: the peer's public key, as two big-endian integers
- *
- * return: P256_SUCCESS on success
- * P256_INVALID_PRIVKEY if priv is invalid
- * P256_INVALID_PUBKEY if pub is invalid
- */
-int p256_ecdh_shared_secret(uint8_t secret[32],
- const uint8_t priv[32], const uint8_t pub[64]);
-
-/*
- * ECDSA sign
- *
- * [in] draws from p256_generate_random()
- * [out] sig: on success, holds the signature, as two big-endian integers
- * [in] priv: our private key as a big-endian integer
- * [in] hash: the hash of the message to be signed
- * [in] hlen: the size of hash in bytes
- *
- * return: P256_SUCCESS on success
- * P256_RANDOM_FAILED on failure
- * P256_INVALID_PRIVKEY if priv is invalid
- */
-int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
- const uint8_t *hash, size_t hlen);
-
-/*
- * ECDSA verify
- *
- * [in] sig: the signature to be verified, as two big-endian integers
- * [in] pub: the associated public key, as two big-endian integers
- * [in] hash: the hash of the message that was signed
- * [in] hlen: the size of hash in bytes
- *
- * return: P256_SUCCESS on success - the signature was verified as valid
- * P256_INVALID_PUBKEY if pub is invalid
- * P256_INVALID_SIGNATURE if the signature was found to be invalid
- */
-int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
- const uint8_t *hash, size_t hlen);
-
-/*
- * Public key validation
- *
- * Note: you never need to call this function, as all other functions always
- * validate their input; however it's availabe if you want to validate the key
- * without performing an operation.
- *
- * [in] pub: the public key, as two big-endian integers
- *
- * return: P256_SUCCESS if the key is valid
- * P256_INVALID_PUBKEY if pub is invalid
- */
-int p256_validate_pubkey(const uint8_t pub[64]);
-
-/*
- * Private key validation
- *
- * Note: you never need to call this function, as all other functions always
- * validate their input; however it's availabe if you want to validate the key
- * without performing an operation.
- *
- * [in] priv: the private key, as a big-endian integer
- *
- * return: P256_SUCCESS if the key is valid
- * P256_INVALID_PRIVKEY if priv is invalid
- */
-int p256_validate_privkey(const uint8_t priv[32]);
-
-/*
- * Compute public key from private key
- *
- * [out] pub: the associated public key, as two big-endian integers
- * [in] priv: the private key, as a big-endian integer
- *
- * return: P256_SUCCESS on success
- * P256_INVALID_PRIVKEY if priv is invalid
- */
-int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* P256_M_H */
diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.c b/3rdparty/p256-m/p256-m_driver_entrypoints.c
deleted file mode 100644
index 61310a8..0000000
--- a/3rdparty/p256-m/p256-m_driver_entrypoints.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Driver entry points for p256-m
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "mbedtls/platform.h"
-#include "p256-m_driver_entrypoints.h"
-#include "p256-m/p256-m.h"
-#include "psa/crypto.h"
-#include <stddef.h>
-#include <string.h>
-#include "psa_crypto_driver_wrappers_no_static.h"
-
-#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
-
-/* INFORMATION ON PSA KEY EXPORT FORMATS:
- *
- * PSA exports SECP256R1 keys in two formats:
- * 1. Keypair format: 32 byte string which is just the private key (public key
- * can be calculated from the private key)
- * 2. Public Key format: A leading byte 0x04 (indicating uncompressed format),
- * followed by the 64 byte public key. This results in a
- * total of 65 bytes.
- *
- * p256-m's internal format for private keys matches PSA. Its format for public
- * keys is only 64 bytes: the same as PSA but without the leading byte (0x04).
- * Hence, when passing public keys from PSA to p256-m, the leading byte is
- * removed.
- *
- * Shared secret and signature have the same format between PSA and p256-m.
- */
-#define PSA_PUBKEY_SIZE 65
-#define PSA_PUBKEY_HEADER_BYTE 0x04
-#define P256_PUBKEY_SIZE 64
-#define PRIVKEY_SIZE 32
-#define SHARED_SECRET_SIZE 32
-#define SIGNATURE_SIZE 64
-
-#define CURVE_BITS 256
-
-/* Convert between p256-m and PSA error codes */
-static psa_status_t p256_to_psa_error(int ret)
-{
- switch (ret) {
- case P256_SUCCESS:
- return PSA_SUCCESS;
- case P256_INVALID_PUBKEY:
- case P256_INVALID_PRIVKEY:
- return PSA_ERROR_INVALID_ARGUMENT;
- case P256_INVALID_SIGNATURE:
- return PSA_ERROR_INVALID_SIGNATURE;
- case P256_RANDOM_FAILED:
- default:
- return PSA_ERROR_GENERIC_ERROR;
- }
-}
-
-psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
- const uint8_t *data,
- size_t data_length,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length,
- size_t *bits)
-{
- /* Check the key size */
- if (*bits != 0 && *bits != CURVE_BITS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Validate the key (and its type and size) */
- psa_key_type_t type = psa_get_key_type(attributes);
- if (type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
- if (data_length != PSA_PUBKEY_SIZE) {
- return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
- }
- /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
- if (p256_validate_pubkey(data + 1) != P256_SUCCESS) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else if (type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
- if (data_length != PRIVKEY_SIZE) {
- return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
- }
- if (p256_validate_privkey(data) != P256_SUCCESS) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- *bits = CURVE_BITS;
-
- /* We only support the export format for input, so just copy. */
- if (key_buffer_size < data_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- memcpy(key_buffer, data, data_length);
- *key_buffer_length = data_length;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- /* Is this the right curve? */
- size_t bits = psa_get_key_bits(attributes);
- psa_key_type_t type = psa_get_key_type(attributes);
- if (bits != CURVE_BITS || type != PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Validate sizes, as p256-m expects fixed-size buffers */
- if (key_buffer_size != PRIVKEY_SIZE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (data_size < PSA_PUBKEY_SIZE) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
- data[0] = PSA_PUBKEY_HEADER_BYTE;
- int ret = p256_public_from_private(data + 1, key_buffer);
- if (ret == P256_SUCCESS) {
- *data_length = PSA_PUBKEY_SIZE;
- }
-
- return p256_to_psa_error(ret);
-}
-
-psa_status_t p256_transparent_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length)
-{
- /* We don't use this argument, but the specification mandates the signature
- * of driver entry-points. (void) used to avoid compiler warning. */
- (void) attributes;
-
- /* Validate sizes, as p256-m expects fixed-size buffers */
- if (key_buffer_size != PRIVKEY_SIZE) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /*
- * p256-m's keypair generation function outputs both public and private
- * keys. Allocate a buffer to which the public key will be written. The
- * private key will be written to key_buffer, which is passed to this
- * function as an argument. */
- uint8_t public_key_buffer[P256_PUBKEY_SIZE];
-
- int ret = p256_gen_keypair(key_buffer, public_key_buffer);
- if (ret == P256_SUCCESS) {
- *key_buffer_length = PRIVKEY_SIZE;
- }
-
- return p256_to_psa_error(ret);
-}
-
-psa_status_t p256_transparent_key_agreement(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length)
-{
- /* We don't use these arguments, but the specification mandates the
- * sginature of driver entry-points. (void) used to avoid compiler
- * warning. */
- (void) attributes;
- (void) alg;
-
- /* Validate sizes, as p256-m expects fixed-size buffers */
- if (key_buffer_size != PRIVKEY_SIZE || peer_key_length != PSA_PUBKEY_SIZE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (shared_secret_size < SHARED_SECRET_SIZE) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
- const uint8_t *peer_key_p256m = peer_key + 1;
- int ret = p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key_p256m);
- if (ret == P256_SUCCESS) {
- *shared_secret_length = SHARED_SECRET_SIZE;
- }
-
- return p256_to_psa_error(ret);
-}
-
-psa_status_t p256_transparent_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- /* We don't use these arguments, but the specification mandates the
- * sginature of driver entry-points. (void) used to avoid compiler
- * warning. */
- (void) attributes;
- (void) alg;
-
- /* Validate sizes, as p256-m expects fixed-size buffers */
- if (key_buffer_size != PRIVKEY_SIZE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (signature_size < SIGNATURE_SIZE) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- int ret = p256_ecdsa_sign(signature, key_buffer, hash, hash_length);
- if (ret == P256_SUCCESS) {
- *signature_length = SIGNATURE_SIZE;
- }
-
- return p256_to_psa_error(ret);
-}
-
-/* This function expects the key buffer to contain a PSA public key,
- * as exported by psa_export_public_key() */
-static psa_status_t p256_verify_hash_with_public_key(
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- /* Validate sizes, as p256-m expects fixed-size buffers */
- if (key_buffer_size != PSA_PUBKEY_SIZE || *key_buffer != PSA_PUBKEY_HEADER_BYTE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (signature_length != SIGNATURE_SIZE) {
- return PSA_ERROR_INVALID_SIGNATURE;
- }
-
- /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
- const uint8_t *public_key_p256m = key_buffer + 1;
- int ret = p256_ecdsa_verify(signature, public_key_p256m, hash, hash_length);
-
- return p256_to_psa_error(ret);
-}
-
-psa_status_t p256_transparent_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- /* We don't use this argument, but the specification mandates the signature
- * of driver entry-points. (void) used to avoid compiler warning. */
- (void) alg;
-
- psa_status_t status;
- uint8_t public_key_buffer[PSA_PUBKEY_SIZE];
- size_t public_key_buffer_size = PSA_PUBKEY_SIZE;
-
- size_t public_key_length = PSA_PUBKEY_SIZE;
- /* As p256-m doesn't require dynamic allocation, we want to avoid it in
- * the entrypoint functions as well. psa_driver_wrapper_export_public_key()
- * requires size_t*, so we use a pointer to a stack variable. */
- size_t *public_key_length_ptr = &public_key_length;
-
- /* The contents of key_buffer may either be the 32 byte private key
- * (keypair format), or 0x04 followed by the 64 byte public key (public
- * key format). To ensure the key is in the latter format, the public key
- * is exported. */
- status = psa_driver_wrapper_export_public_key(
- attributes,
- key_buffer,
- key_buffer_size,
- public_key_buffer,
- public_key_buffer_size,
- public_key_length_ptr);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = p256_verify_hash_with_public_key(
- public_key_buffer,
- public_key_buffer_size,
- hash,
- hash_length,
- signature,
- signature_length);
-
-exit:
- return status;
-}
-
-#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.h b/3rdparty/p256-m/p256-m_driver_entrypoints.h
deleted file mode 100644
index d92a8f0..0000000
--- a/3rdparty/p256-m/p256-m_driver_entrypoints.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Driver entry points for p256-m
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef P256M_DRIVER_ENTRYPOINTS_H
-#define P256M_DRIVER_ENTRYPOINTS_H
-
-#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
-#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
-#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
-#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
-#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
-
-#include "psa/crypto_types.h"
-
-/** Import SECP256R1 key.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] data The raw key material. For private keys
- * this must be a big-endian integer of 32
- * bytes; for public key this must be an
- * uncompressed ECPoint (65 bytes).
- * \param[in] data_length The size of the raw key material.
- * \param[out] key_buffer The buffer to contain the key data in
- * output format upon successful return.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- * \param[out] bits The bitsize of the key.
- *
- * \retval #PSA_SUCCESS
- * Success. Keypair generated and stored in buffer.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The input is not supported by this driver (not SECP256R1).
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The input is invalid.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p key_buffer_size is too small.
- */
-psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
- const uint8_t *data,
- size_t data_length,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length,
- size_t *bits);
-
-/** Export SECP256R1 public key, from the private key.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The private key in the export format.
- * \param[in] key_buffer_size The size of the private key in bytes.
- * \param[out] data The buffer to contain the public key in
- * the export format upon successful return.
- * \param[in] data_size The size of the \p data buffer in bytes.
- * \param[out] data_length The length written to \p data in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success. Keypair generated and stored in buffer.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The input is not supported by this driver (not SECP256R1).
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The input is invalid.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p key_buffer_size is too small.
- */
-psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/** Generate SECP256R1 ECC Key Pair.
- * Interface function which calls the p256-m key generation function and
- * places it in the key buffer provided by the caller (Mbed TLS) in the
- * correct format. For a SECP256R1 curve this is the 32 bit private key.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[out] key_buffer The buffer to contain the key data in
- * output format upon successful return.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success. Keypair generated and stored in buffer.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p key_buffer_size is too small.
- * \retval #PSA_ERROR_GENERIC_ERROR
- * The internal RNG failed.
- */
-psa_status_t p256_transparent_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length);
-
-/** Perform raw key agreement using p256-m's ECDH implementation
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the private key
- * in the format specified by PSA.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A key agreement algorithm that is
- * compatible with the type of the key.
- * \param[in] peer_key The buffer containing the peer's public
- * key in format specified by PSA.
- * \param[in] peer_key_length Size of the \p peer_key buffer in
- * bytes.
- * \param[out] shared_secret The buffer to which the shared secret
- * is to be written.
- * \param[in] shared_secret_size Size of the \p shared_secret buffer in
- * bytes.
- * \param[out] shared_secret_length On success, the number of bytes that
- * make up the returned shared secret.
- * \retval #PSA_SUCCESS
- * Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The input is invalid.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p shared_secret_size is too small.
- */
-psa_status_t p256_transparent_key_agreement(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length);
-
-/** Sign an already-calculated hash with a private key using p256-m's ECDSA
- * implementation
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the private key
- * in the format specified by PSA.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible
- * with the type of the key.
- * \param[in] hash The hash to sign.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS
- * Success. Hash was signed successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The input is invalid.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p signature_size is too small.
- * \retval #PSA_ERROR_GENERIC_ERROR
- * The internal RNG failed.
- */
-psa_status_t p256_transparent_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length);
-
-/** Verify the signature of a hash using a SECP256R1 public key using p256-m's
- * ECDSA implementation.
- *
- * \note p256-m expects a 64 byte public key, but the contents of the key
- buffer may be the 32 byte keypair representation or the 65 byte
- public key representation. As a result, this function calls
- psa_driver_wrapper_export_public_key() to ensure the public key
- can be passed to p256-m.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- *
- * \param[in] key_buffer The buffer containing the key
- * in the format specified by PSA.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] hash The hash whose signature is to be
- * verified.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The input is invalid.
- */
-psa_status_t p256_transparent_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length);
-
-#endif /* P256M_DRIVER_ENTRYPOINTS_H */
diff --git a/BRANCHES.md b/BRANCHES.md
index d3bd75e..bcceda8 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -2,31 +2,32 @@
At any point in time, we have a number of maintained branches, currently consisting of:
-- The [`master`](https://github.com/Mbed-TLS/mbedtls/tree/master) branch:
+- The [`main`](https://github.com/Mbed-TLS/mbedtls/tree/main) branch:
this always contains the latest release, including all publicly available
security fixes.
- The [`development`](https://github.com/Mbed-TLS/mbedtls/tree/development) branch:
- this is where the current major version of Mbed TLS (version 3.x) is being
- prepared. It has API changes that make it incompatible with Mbed TLS 2.x,
+ this is where the next major version of Mbed TLS (version 4.0) is being
+ prepared. It has API changes that make it incompatible with Mbed TLS 3.x,
as well as all the new features and bug fixes and security fixes.
- One or more long-time support (LTS) branches: these only get bug fixes and
- security fixes. Currently, the only supported LTS branch is:
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28).
+ security fixes. Currently, the supported LTS branches are:
+- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28).
+- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6).
We retain a number of historical branches, whose names are prefixed by `archive/`,
such as [`archive/mbedtls-2.7`](https://github.com/Mbed-TLS/mbedtls/tree/archive/mbedtls-2.7).
These branches will not receive any changes or updates.
We use [Semantic Versioning](https://semver.org/). In particular, we maintain
-API compatibility in the `master` branch across minor version changes (e.g.
+API compatibility in the `main` branch across minor version changes (e.g.
the API of 3.(x+1) is backward compatible with 3.x). We only break API
compatibility on major version changes (e.g. from 3.x to 4.0). We also maintain
ABI compatibility within LTS branches; see the next section for details.
-Every major version will become an LTS branch when the next major version is
-released. We may occasionally create LTS branches from other releases at our
-discretion.
-When a new LTS branch is created, it usually remains supported for three years.
+We will make regular LTS releases on an 18-month cycle, each of which will have
+a 3 year support lifetime. On this basis, 3.6 LTS (released March 2024) will be
+supported until March 2027. The next LTS release will be a 4.x release, which is
+planned for September 2025.
## Backwards Compatibility for application code
@@ -102,10 +103,13 @@ CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility).
The following branches are currently maintained:
-- [master](https://github.com/Mbed-TLS/mbedtls/tree/master)
+- [main](https://github.com/Mbed-TLS/mbedtls/tree/main)
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
+- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
+ maintained until March 2027, see
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0>.
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
- maintained until at least the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
+ maintained until the end of 2024, see
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8>.
Users are urged to always use the latest version of a maintained branch.
diff --git a/BUGS.md b/BUGS.md
index 47bde07..a65c606 100644
--- a/BUGS.md
+++ b/BUGS.md
@@ -7,7 +7,7 @@ Known issues in Mbed TLS are [tracked on GitHub](https://github.com/Mbed-TLS/mbe
If you think you've found a bug in Mbed TLS, please follow these steps:
1. Make sure you're using the latest version of a
- [maintained branch](BRANCHES.md): `master`, `development`,
+ [maintained branch](BRANCHES.md): `main`, `development`,
or a long-time support branch.
2. Check [GitHub](https://github.com/Mbed-TLS/mbedtls/issues) to see if
your issue has already been reported. If not, …
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7bc0cbb..e1bfbb5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,9 +34,15 @@ cmake_policy(SET CMP0011 NEW)
cmake_policy(SET CMP0012 NEW)
if(TEST_CPP)
- project("Mbed TLS" LANGUAGES C CXX)
+ project("Mbed TLS"
+ LANGUAGES C CXX
+ VERSION 3.6.0
+ )
else()
- project("Mbed TLS" LANGUAGES C)
+ project("Mbed TLS"
+ LANGUAGES C
+ VERSION 3.6.0
+ )
endif()
include(GNUInstallDirs)
@@ -120,10 +126,15 @@ if(MBEDTLS_PYTHON_EXECUTABLE)
endif()
+# We now potentially need to link all executables against PThreads, if available
+set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
+set(THREADS_PREFER_PTHREAD_FLAG TRUE)
+find_package(Threads)
+
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
- CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
+ CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
FORCE)
endif()
@@ -216,6 +227,8 @@ if(CMAKE_COMPILER_IS_GNU)
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
+ set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
+ set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_CHECK "-Os")
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
endif(CMAKE_COMPILER_IS_GNU)
@@ -229,6 +242,8 @@ if(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
+ set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
+ set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_CHECK "-Os")
endif(CMAKE_COMPILER_IS_CLANG)
@@ -272,12 +287,19 @@ if(LIB_INSTALL_DIR)
set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
endif()
+if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/framework/CMakeLists.txt")
+ message(FATAL_ERROR "${CMAKE_CURRENT_SOURCE_DIR}/framework/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
+endif()
+add_subdirectory(framework)
+
add_subdirectory(include)
-add_subdirectory(3rdparty)
+add_subdirectory(tf-psa-crypto)
add_subdirectory(library)
+add_subdirectory(pkgconfig)
+
#
# The C files in tests/src directory contain test code shared among test suites
# and programs. This shared test code is compiled and linked to test suites and
@@ -297,10 +319,47 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
+ if(GEN_FILES)
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/tests
+ COMMAND
+ "${MBEDTLS_PYTHON_EXECUTABLE}"
+ "${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py"
+ "--output"
+ "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h"
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py
+ )
+ add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h)
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/tests
+ COMMAND
+ "${MBEDTLS_PYTHON_EXECUTABLE}"
+ "${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_cert_macros.py"
+ "--output"
+ "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h"
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_cert_macros.py
+ )
+ add_custom_target(test_certs_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h)
+ add_dependencies(mbedtls_test test_keys_header test_certs_header)
+ endif()
target_include_directories(mbedtls_test
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
- PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src)
+ # Request C11, needed for memory poisoning tests
+ set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)
file(GLOB MBEDTLS_TEST_HELPER_FILES
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c)
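Review bot: `set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)` only requests C11; without `C_STANDARD_REQUIRED ON`, CMake may fall back to an older standard with no diagnostic when the compiler lacks C11 support. The comment says the memory poisoning tests need C11, so a silent fallback would presumably either fail later in the build or drop that coverage unnoticed; `set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11 C_STANDARD_REQUIRED ON)` makes the requirement explicit, or the comment should state that decay is intended. Separately, both `add_custom_command` blocks list only the generator script under `DEPENDS`, so if the scripts read key or certificate data from the `tests` working directory (not visible here), edits to that data will not regenerate `test_keys.h` or `test_certs.h`. The enclosing `if(ENABLE_TESTING OR ENABLE_PROGRAMS)` block starts and ends outside this hunk.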
@@ -308,8 +367,12 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
target_include_directories(mbedtls_test_helpers
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
- PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/everest/include)
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include)
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
if(MBEDTLS_CONFIG_FILE)
@@ -381,7 +444,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.5.0)
+ VERSION 3.6.0)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 8454fb8..d793434 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -84,11 +84,11 @@ Mbed TLS is well documented, but if you think documentation is needed, speak out
License and Copyright
---------------------
-Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license.
+Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses. This means that users may choose which of these licenses they take the code under.
-Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 or GPL-2.0-or-later licenses.
+Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses.
-All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible.
+All new files should include the standard SPDX license identifier where possible, i.e. "SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later".
The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors".
diff --git a/ChangeLog b/ChangeLog
index 85f3665..b691a0f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12 +1,298 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 3.6.0 branch released 2024-03-28
+
+API changes
+ * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
+ mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
+ feature may not be TLS 1.3 specific in the future. Fixes #6909.
+
+Default behavior changes
+ * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+ The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+ PEM) accepted by the pkparse module has been removed. Applications that
+ need these formats can call mbedtls_pk_parse_{public,}key() followed by
+ mbedtls_pk_import_into_psa().
+
+Requirement changes
+ * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
+
+New deprecations
+ * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
+ MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
+ be used, but are deprecated.
+ * In the PSA API, domain parameters are no longer used for anything.
+ They are deprecated and will be removed in a future version of the
+ library.
+ * mbedtls_ecp_write_key() is deprecated in favor of
+ mbedtls_ecp_write_key_ext().
+
+Removals
+ * In the PSA API, the experimental way to encode the public exponent of
+ an RSA key as a domain parameter is no longer supported. Use
+ psa_generate_key_ext() instead.
+ * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
+ same behavior mbedtls_pk_get_psa_attributes() and
+ mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
+ while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
+ PK context.
+
+Features
+ * Added an example program showing how to hash with the PSA API.
+ * Support Armv8-A Crypto Extension acceleration for SHA-256
+ when compiling for Thumb (T32) or 32-bit Arm (A32).
+ * AES-NI is now supported in Windows builds with clang and clang-cl.
+ Resolves #8372.
+ * Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
+ parsing unsupported certificate extensions via user provided callback.
+ * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
+ the decryption direction of block ciphers (AES, ARIA, Camellia).
+ This affects both the low-level modules and the high-level APIs
+ (the cipher and PSA interfaces). This option is incompatible with modes
+ that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
+ * Support use of Armv8-A Cryptographic Extensions for hardware acclerated
+ AES when compiling for Thumb (T32) or 32-bit Arm (A32).
+ * If a cipher or AEAD mechanism has a PSA driver, you can now build the
+ library without the corresponding built-in implementation. Generally
+ speaking that requires both the key type and algorithm to be accelerated
+ or they'll both be built in. However, for CCM and GCM the built-in
+ implementation is able to take advantage of a driver that only
+ accelerates the key type (that is, the block cipher primitive). See
+ docs/driver-only-builds.md for full details and current limitations.
+ * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
+ disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
+ MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
+ * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
+ size by disabling it in more circumstances. In particular, the CCM and
+ GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
+ MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
+ unauthenticated (non-AEAD) ciphers are disabled, or if they're all
+ fully provided by drivers. See docs/driver-only-builds.md for full
+ details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
+ decryption still unconditionally depend on MBEDTLS_CIPHER_C.
+ * Add support for record size limit extension as defined by RFC 8449
+ and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
+ Application data sent and received will be fragmented according to
+ Record size limits negotiated during handshake.
+ * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
+ hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
+ * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
+ to convert between Mbed TLS and PSA curve identifiers.
+ * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
+ gaps made by making its fields private: mbedtls_ecp_set_public_key(),
+ mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
+ mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
+ * Add functions mbedtls_md_psa_alg_from_type() and
+ mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
+ psa_algorithm_t.
+ * Add partial platform support for z/OS.
+ * Improve performance for gcc (versions older than 9.3.0) and IAR.
+ * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
+ convert ECDSA signatures between raw and DER (ASN.1) formats.
+ * Add support for using AES-CBC 128, 192, and 256 bit schemes
+ with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
+ * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus
+ in bits, i.e. the key size for an RSA key.
+ * Add pc files for pkg-config, e.g.:
+ pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
+ * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
+ `mbedtls_ssl_session.ticket_creation_time`.
+ * The new functions mbedtls_pk_get_psa_attributes() and
+ mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
+ key from a PK key.
+ * The benchmark program now reports times for both ephemeral and static
+ ECDH in all ECDH configurations.
+ * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
+ operations when hardware accelerated AES is not present. Improves
+ performance by around 30% on 64-bit Intel; 125% on Armv7-M.
+ * The new function psa_generate_key_ext() allows generating an RSA
+ key pair with a custom public exponent.
+ * The new function mbedtls_ecp_write_key_ext() is similar to
+ mbedtls_ecp_write_key(), but can be used without separately calculating
+ the output length.
+ * Add new accessor to expose the private group id member of
+ `mbedtls_ecdh_context` structure.
+ * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
+ `mbedtls_x509_crt` structure. This requires setting
+ the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
+ ext_types field.
+ * mbedtls_psa_get_random() is always available as soon as
+ MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
+ called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
+ used as random number generator function (f_rng) and context (p_rng) in
+ legacy functions.
+ * The new functions mbedtls_pk_copy_from_psa() and
+ mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
+ with the same content as a PSA key.
+ * Add new accessors to expose the private session-id,
+ session-id length, and ciphersuite-id members of
+ `mbedtls_ssl_session` structure.
+ Add new accessor to expose the ciphersuite-id of
+ `mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529
+ * Mbed TLS now supports the writing and reading of TLS 1.3 early data (see
+ docs/tls13-early-data.md). The support enablement is controlled at build
+ time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by
+ the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
+ * Add protection for multithreaded access to the PSA keystore and protection
+ for multithreaded access to the the PSA global state, including
+ concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and
+ MBEDTLS_THREADING_PTHREAD are defined. See
+ docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
+ Resolves issues #3263 and #7945.
+
+Security
+ * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
+ ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
+ malicious client could cause information disclosure or a denial of service.
+ Fixes CVE-2024-30166.
+ * Passing buffers that are stored in untrusted memory as arguments
+ to PSA functions is now secure by default.
+ The PSA core now protects against modification of inputs or exposure
+ of intermediate outputs during operations. This is currently implemented
+ by copying buffers.
+ This feature increases code size and memory usage. If buffers passed to
+ PSA functions are owned exclusively by the PSA core for the duration of
+ the function call (i.e. no buffer parameters are in shared memory),
+ copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
+ Note that setting this option will cause input-output buffer overlap to
+ be only partially supported (#3266).
+ Fixes CVE-2024-28960.
+ * Restore the maximum TLS version to be negotiated to the configured one
+ when an SSL context is reset with the mbedtls_ssl_session_reset() API.
+ An attacker was able to prevent an Mbed TLS server from establishing any
+ TLS 1.3 connection potentially resulting in a Denial of Service or forced
+ version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
+ Fixes CVE-2024-28755.
+ * When negotiating TLS version on server side, do not fall back to the
+ TLS 1.2 implementation of the protocol if it is disabled.
+ - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
+ client could put the TLS 1.3-only server in an infinite loop processing
+ a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
+ Matthias Mucha and Thomas Blattmann, SICK AG.
+ - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
+ was able to successfully establish a TLS 1.2 connection with the server.
+ Reported by alluettiv on GitHub.
+ Fixes CVE-2024-28836.
+
+Bugfix
+ * Fix the build with CMake when Everest or P256-m is enabled through
+ a user configuration file or the compiler command line. Fixes #8165.
+ * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
+ disabled.
+ * Fix possible NULL dereference issue in X509 cert_req program if an entry
+ in the san parameter is not separated by a colon.
+ * Fix possible NULL dereference issue in X509 cert_write program if an entry
+ in the san parameter is not separated by a colon.
+ * Fix an inconsistency between implementations and usages of `__cpuid`,
+ which mainly causes failures when building Windows target using
+ mingw or clang. Fixes #8334 & #8332.
+ * Fix build failure in conda-forge. Fixes #8422.
+ * Fix parsing of CSRs with critical extensions.
+ * Switch to milliseconds as the unit for ticket creation and reception time
+ instead of seconds. That avoids rounding errors when computing the age of
+ tickets compared to peer using a millisecond clock (observed with GnuTLS).
+ Fixes #6623.
+ * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
+ is disabled at runtime. Fixes #8593.
+ * Remove accidental introduction of RSA signature algorithms
+ in TLS Suite B Profile. Fixes #8221.
+ * Fix unsupported PSA asymmetric encryption and decryption
+ (psa_asymmetric_[en|de]crypt) with opaque keys.
+ Resolves #8461.
+ * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
+ acceleration detection when the libc headers do not define the
+ corresponding constant. Reported by valord577.
+ * Correct initial capacities for key derivation algorithms:TLS12_PRF,
+ TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
+ * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
+ multiple of 8. Fixes #868.
+ * Avoid segmentation fault caused by releasing not initialized
+ entropy resource in gen_key example. Fixes #8809.
+ * mbedtls_pem_read_buffer() now performs a check on the padding data of
+ decrypted keys and it rejects invalid ones.
+ * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and
+ mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
+ the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the
+ RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
+ functions performed a PKCS#1 v1.5 signature instead and the
+ encrypt/decrypt functions returned an error. Fixes #8824.
+ * Fix missing bitflags in SSL session serialization headers. Their absence
+ allowed SSL sessions saved in one configuration to be loaded in a
+ different, incompatible configuration.
+ * In TLS 1.3 clients, fix an interoperability problem due to the client
+ generating a new random after a HelloRetryRequest. Fixes #8669.
+ * Fix the restoration of the ALPN when loading serialized connection with
+ the mbedtls_ssl_context_load() API.
+ * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
+ an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type.
+ * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the
+ primary algorithm of the wrapped PSA key.
+ * Fully support arbitrary overlap between inputs and outputs of PSA
+ functions. Note that overlap is still only partially supported when
+ MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
+
+Changes
+ * Use heap memory to allocate DER encoded public/private key.
+ This reduces stack usage significantly for writing a public/private
+ key to a PEM string.
+ * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
+ they are now treated separately. This means that they should be
+ individually enabled in order to enable respective support; also the
+ corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
+ acceleration is required.
+ * Moved declaration of functions mbedtls_ecc_group_to_psa and
+ mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
+ * mbedtls_pk_sign_ext() is now always available, not just when
+ PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
+ * Extended PSA Crypto configurations options for FFDH by making it possible
+ to select only some of the parameters / groups, with the macros
+ PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
+ for each size you want to support. Also, if you have an FFDH accelerator,
+ you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
+ support for these domain parameters.
+ * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
+ saving code size when those are not otherwise enabled.
+ * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations,
+ have changed their speed/memory compromise as part of a proactive security
+ improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly
+ preserves the current speed, at the expense of increasing memory
+ consumption.
+ * Rename directory containing Visual Studio files from visualc/VS2013 to
+ visualc/VS2017.
+ * The TLS 1.3 protocol is now enabled in the default configuration.
+
+= Mbed TLS 3.5.2 branch released 2024-01-26
+
+Security
+ * Fix a timing side channel in private key RSA operations. This side channel
+ could be sufficient for an attacker to recover the plaintext. A local
+ attacker or a remote attacker who is close to the victim on the network
+ might have precise enough timing measurements to exploit this. It requires
+ the attacker to send a large number of messages for decryption. For
+ details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
+ by Hubert Kario, Red Hat.
+ * Fix a failure to validate input when writing x509 extensions lengths which
+ could result in an integer overflow, causing a zero-length buffer to be
+ allocated to hold the extension. The extension would then be copied into
+ the buffer, causing a heap buffer overflow.
+
+= Mbed TLS 3.5.1 branch released 2023-11-06
+
+Changes
+ * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
+ license. Users may choose which license they take the code under.
+
+Bugfix
+ * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
+ in CMake.
+
= Mbed TLS 3.5.0 branch released 2023-10-05
API changes
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
- their was a flaw in the logic checking if the built-in implementation, in
- that if failed to check if all the relevant curves were supported by the
+ there was a flaw in the logic checking if the built-in implementation, in
+ that it failed to check if all the relevant curves were supported by the
accelerator. As a result, it was possible to declare no curves as
accelerated and still have the built-in implementation compiled out.
Starting with this release, it is necessary to declare which curves are
diff --git a/ChangeLog.d/9126.txt b/ChangeLog.d/9126.txt
new file mode 100644
index 0000000..22939df
--- /dev/null
+++ b/ChangeLog.d/9126.txt
@@ -0,0 +1,5 @@
+Default behavior changes
+ * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
+ !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
+ corresponding PSA mechanism is enabled, since the server provides the
+ crypto. Fixes #9126.
diff --git a/ChangeLog.d/add-psa-example-program-hash.txt b/ChangeLog.d/add-psa-example-program-hash.txt
deleted file mode 100644
index ba4da20..0000000
--- a/ChangeLog.d/add-psa-example-program-hash.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Added an example program showing how to hash with the PSA API.
diff --git a/ChangeLog.d/asn1-missing-guard-in-rsa.txt b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
new file mode 100644
index 0000000..bb5b470
--- /dev/null
+++ b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
+ as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
diff --git a/ChangeLog.d/check-config.txt b/ChangeLog.d/check-config.txt
new file mode 100644
index 0000000..8570a11
--- /dev/null
+++ b/ChangeLog.d/check-config.txt
@@ -0,0 +1,9 @@
+Changes
+ * Warn if mbedtls/check_config.h is included manually, as this can
+ lead to spurious errors. Error if a *adjust*.h header is included
+ manually, as this can lead to silently inconsistent configurations,
+ potentially resulting in buffer overflows.
+ When migrating from Mbed TLS 2.x, if you had a custom config.h that
+ included check_config.h, remove this inclusion from the Mbed TLS 3.x
+ configuration file (renamed to mbedtls_config.h). This change was made
+ in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
diff --git a/ChangeLog.d/fix-3rdparty-target-prefix.txt b/ChangeLog.d/fix-3rdparty-target-prefix.txt
deleted file mode 100644
index db8ed07..0000000
--- a/ChangeLog.d/fix-3rdparty-target-prefix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
- in CMake.
diff --git a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt b/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
deleted file mode 100644
index ec543aa..0000000
--- a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build with CMake when Everest or P256-m is enabled through
- a user configuration file or the compiler command line. Fixes #8165.
diff --git a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
new file mode 100644
index 0000000..11e7d25
--- /dev/null
+++ b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
diff --git a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
new file mode 100644
index 0000000..8a406a1
--- /dev/null
+++ b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix rare concurrent access bug where attempting to operate on a
+ non-existent key while concurrently creating a new key could potentially
+ corrupt the key store.
diff --git a/ChangeLog.d/fix-cpp-compilation-error.txt b/ChangeLog.d/fix-cpp-compilation-error.txt
deleted file mode 100644
index 32d86dc..0000000
--- a/ChangeLog.d/fix-cpp-compilation-error.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
- disabled.
diff --git a/ChangeLog.d/fix-issue-x509-cert_req.txt b/ChangeLog.d/fix-issue-x509-cert_req.txt
deleted file mode 100644
index 3a5171b..0000000
--- a/ChangeLog.d/fix-issue-x509-cert_req.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix possible NULL dereference issue in X509 cert_req program if an entry
- in the san parameter is not separated by a colon.
diff --git a/ChangeLog.d/fix-issue-x509-cert_write.txt b/ChangeLog.d/fix-issue-x509-cert_write.txt
deleted file mode 100644
index 43d67c2..0000000
--- a/ChangeLog.d/fix-issue-x509-cert_write.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix possible NULL dereference issue in X509 cert_write program if an entry
- in the san parameter is not separated by a colon.
diff --git a/ChangeLog.d/fix-psa-cmac.txt b/ChangeLog.d/fix-psa-cmac.txt
new file mode 100644
index 0000000..e3c8aec
--- /dev/null
+++ b/ChangeLog.d/fix-psa-cmac.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
+ CMAC is enabled, but no built-in unauthenticated cipher is enabled.
+ Fixes #9209.
diff --git a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
new file mode 100644
index 0000000..b5c2650
--- /dev/null
+++ b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix issue of redefinition warning messages for _GNU_SOURCE in
+ entropy_poll.c and sha_256.c. There was a build warning during
+ building for linux platform.
+ Resolves #9026
diff --git a/ChangeLog.d/fix-secure-element-key-creation.txt b/ChangeLog.d/fix-secure-element-key-creation.txt
new file mode 100644
index 0000000..23a46c0
--- /dev/null
+++ b/ChangeLog.d/fix-secure-element-key-creation.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix error handling when creating a key in a dynamic secure element
+ (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
+ the creation could return PSA_SUCCESS but using or destroying the key
+ would not work. Fixes #8537.
diff --git a/ChangeLog.d/fix-test-suite-pk-warnings.txt b/ChangeLog.d/fix-test-suite-pk-warnings.txt
new file mode 100644
index 0000000..2604219
--- /dev/null
+++ b/ChangeLog.d/fix-test-suite-pk-warnings.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled.
+ Fixes #9029.
diff --git a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
new file mode 100644
index 0000000..e4726a4
--- /dev/null
+++ b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behaviour (incrementing a NULL pointer by zero length) when
+ passing in zero length additional data to multipart AEAD.
diff --git a/ChangeLog.d/pk-norsa-warning.txt b/ChangeLog.d/pk-norsa-warning.txt
new file mode 100644
index 0000000..d00aa8a
--- /dev/null
+++ b/ChangeLog.d/pk-norsa-warning.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
diff --git a/ChangeLog.d/pkwrite-pem-use-heap.txt b/ChangeLog.d/pkwrite-pem-use-heap.txt
deleted file mode 100644
index 11db7b6..0000000
--- a/ChangeLog.d/pkwrite-pem-use-heap.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Use heap memory to allocate DER encoded public/private key.
- This reduces stack usage significantly for writing a public/private
- key to a PEM string.
diff --git a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
new file mode 100644
index 0000000..39e03b9
--- /dev/null
+++ b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes
+ long. Credit to Cryptofuzz. Fixes #9314.
diff --git a/ChangeLog.d/remove-via-padlock-support.txt b/ChangeLog.d/remove-via-padlock-support.txt
new file mode 100644
index 0000000..a3f4b96
--- /dev/null
+++ b/ChangeLog.d/remove-via-padlock-support.txt
@@ -0,0 +1,3 @@
+Removals
+ * Drop support for VIA Padlock. Removes MBEDTLS_PADLOCK_C.
+ Fixes #5903.
diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt
new file mode 100644
index 0000000..8ceef21
--- /dev/null
+++ b/ChangeLog.d/tls13-without-tickets.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix TLS 1.3 client build and runtime when support for session tickets is
+ disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
diff --git a/LICENSE b/LICENSE
index d645695..776ac77 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,3 +1,10 @@
+Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html)
+OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license.
+This means that users may choose which of these licenses they take the code
+under.
+
+The full text of each of these licenses is given below.
+
Apache License
Version 2.0, January 2004
@@ -200,3 +207,347 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
+
+
+===============================================================================
+
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/Makefile b/Makefile
index 885948c..b638804 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,20 @@ DESTDIR=/usr/local
PREFIX=mbedtls_
PERL ?= perl
+ifneq (,$(filter-out lib library/%,$(or $(MAKECMDGOALS),all)))
+ ifeq (,$(wildcard framework/exported.make))
+ # Use the define keyword to get a multi-line message.
+ # GNU make appends ". Stop.", so tweak the ending of our message accordingly.
+ define error_message
+$(MBEDTLS_PATH)/framework/exported.make not found.
+Run `git submodule update --init` to fetch the submodule contents.
+This is a fatal error
+ endef
+ $(error $(error_message))
+ endif
+ include framework/exported.make
+endif
+
.SILENT:
.PHONY: all no_test programs lib tests install uninstall clean test check lcov apidoc apidoc_clean
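Review bot: The error text in the added `define error_message` block expands `$(MBEDTLS_PATH)`, but nothing in this hunk sets that variable before the check, while the `wildcard` test and the `include` both use the bare relative path `framework/exported.make`. If `MBEDTLS_PATH` is unset at this point (the rest of the Makefile is outside the hunk), the message would read `/framework/exported.make not found.` and point the user at the filesystem root. Printing the path that is actually tested, `framework/exported.make not found.`, keeps the diagnostic accurate. Since `include` evaluates whatever the submodule checkout contains, a comment noting that the pinned submodule commit is part of the build's trusted input would also help reviewers of later submodule bumps.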
@@ -17,7 +31,10 @@ programs: lib mbedtls_test
lib:
$(MAKE) -C library
-tests: lib mbedtls_test
+ifndef PSASIM
+tests: lib
+endif
+tests: mbedtls_test
$(MAKE) -C tests
mbedtls_test:
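Review bot: The `ifndef PSASIM` guard around `tests: lib` has no comment, so the Makefile does not say why the library prerequisite is dropped when `PSASIM` is defined; the same uncommented pattern is used for `check: lib` in the later hunk. A one-line comment above each guard, along the lines of `# PSASIM builds do not use the in-tree library target here: <reason>`, would record the intent; the reason itself is not visible in this diff and needs the author's wording. Note that `ifndef` treats an empty value as undefined, so `make PSASIM= tests` still pulls in `lib`.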
@@ -60,7 +77,7 @@ gen_file_dep = |
endif
.PHONY: visualc_files
-VISUALC_FILES = visualc/VS2013/mbedTLS.sln visualc/VS2013/mbedTLS.vcxproj
+VISUALC_FILES = visualc/VS2017/mbedTLS.sln visualc/VS2017/mbedTLS.vcxproj
# TODO: $(app).vcxproj for each $(app) in programs/
visualc_files: $(VISUALC_FILES)
@@ -69,9 +86,9 @@ visualc_files: $(VISUALC_FILES)
# they just need to be present.
$(VISUALC_FILES): | library/generated_files
$(VISUALC_FILES): $(gen_file_dep) scripts/generate_visualc_files.pl
-$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2013-app-template.vcxproj
-$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2013-main-template.vcxproj
-$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2013-sln-template.sln
+$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-app-template.vcxproj
+$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-main-template.vcxproj
+$(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-sln-template.sln
# TODO: also the list of .c and .h source files, but not their content
$(VISUALC_FILES):
echo " Gen $@ ..."
@@ -81,8 +98,9 @@ ifndef WINDOWS
install: no_test
mkdir -p $(DESTDIR)/include/mbedtls
cp -rp include/mbedtls $(DESTDIR)/include
+ cp -rp tf-psa-crypto/drivers/builtin/include/mbedtls $(DESTDIR)/include
mkdir -p $(DESTDIR)/include/psa
- cp -rp include/psa $(DESTDIR)/include
+ cp -rp tf-psa-crypto/include/psa $(DESTDIR)/include
mkdir -p $(DESTDIR)/lib
cp -RP library/libmbedtls.* $(DESTDIR)/lib
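Review bot: The added `cp -rp tf-psa-crypto/drivers/builtin/include/mbedtls $(DESTDIR)/include` merges a second header tree into the `$(DESTDIR)/include/mbedtls` directory that the previous line just populated, so a header with the same name in both source trees would be overwritten silently, with the later copy winning. Nothing in the hunk guards against that. A comment stating the assumption, for example `# include/mbedtls and drivers/builtin/include/mbedtls must not share file names`, would make it explicit for whoever next moves a header between the two trees. The `install` recipe continues past the end of this hunk.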
@@ -147,13 +165,16 @@ neat: clean_more_on_top
$(MAKE) -C programs neat
$(MAKE) -C tests neat
ifndef WINDOWS
- rm -f visualc/VS2013/*.vcxproj visualc/VS2013/mbedTLS.sln
+ rm -f visualc/VS2017/*.vcxproj visualc/VS2017/mbedTLS.sln
else
- if exist visualc\VS2013\*.vcxproj del /Q /F visualc\VS2013\*.vcxproj
- if exist visualc\VS2013\mbedTLS.sln del /Q /F visualc\VS2013\mbedTLS.sln
+ if exist visualc\VS2017\*.vcxproj del /Q /F visualc\VS2017\*.vcxproj
+ if exist visualc\VS2017\mbedTLS.sln del /Q /F visualc\VS2017\mbedTLS.sln
endif
-check: lib tests
+ifndef PSASIM
+check: lib
+endif
+check: tests
$(MAKE) -C tests check
test: check
@@ -179,10 +200,18 @@ endif
## Editor navigation files
C_SOURCE_FILES = $(wildcard \
- 3rdparty/*/include/*/*.h 3rdparty/*/include/*/*/*.h 3rdparty/*/include/*/*/*/*.h \
- 3rdparty/*/*.c 3rdparty/*/*/*.c 3rdparty/*/*/*/*.c 3rdparty/*/*/*/*/*.c \
include/*/*.h \
library/*.[hc] \
+ tf-psa-crypto/core/*.[hc] \
+ tf-psa-crypto/include/*/*.h \
+ tf-psa-crypto/drivers/*/include/*/*.h \
+ tf-psa-crypto/drivers/*/include/*/*/*.h \
+ tf-psa-crypto/drivers/*/include/*/*/*/*.h \
+ tf-psa-crypto/drivers/builtin/src/*.[hc] \
+ tf-psa-crypto/drivers/*/*.c \
+ tf-psa-crypto/drivers/*/*/*.c \
+ tf-psa-crypto/drivers/*/*/*/*.c \
+ tf-psa-crypto/drivers/*/*/*/*/*.c \
programs/*/*.[hc] \
tests/include/*/*.h tests/include/*/*/*.h \
tests/src/*.c tests/src/*/*.c \
@@ -199,5 +228,8 @@ GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc
cscope: cscope.in.out cscope.po.out cscope.out
cscope.in.out cscope.po.out cscope.out: $(C_SOURCE_FILES)
- cscope -bq -u -Iinclude -Ilibrary $(patsubst %,-I%,$(wildcard 3rdparty/*/include)) -Itests/include $(C_SOURCE_FILES)
+ cscope -bq -u -Iinclude -Ilibrary -Itf-psa-crypto/core \
+ -Itf-psa-crypto/include \
+ -Itf-psa-crypto/drivers/builtin/src \
+ $(patsubst %,-I%,$(wildcard tf-psa-crypto/drivers/*/include)) -Itests/include $(C_SOURCE_FILES)
.PHONY: cscope global
diff --git a/README.md b/README.md
index a3fcd2e..966b276 100644
--- a/README.md
+++ b/README.md
@@ -47,13 +47,17 @@ The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx
You need the following tools to build the library with the provided makefiles:
* GNU Make 3.82 or a build tool that CMake supports.
-* A C99 toolchain (compiler, linker, archiver). We actively test with GCC 5.4, Clang 3.8, IAR 8 and Visual Studio 2013. More recent versions should work. Slightly older versions may work.
+* A C99 toolchain (compiler, linker, archiver). We actively test with GCC 5.4, Clang 3.8, Arm Compiler 6, IAR 8 and Visual Studio 2017. More recent versions should work. Slightly older versions may work.
* Python 3.8 to generate the test code. Python is also needed to integrate PSA drivers and to build the development branch (see next section).
* Perl to run the tests, and to generate some source files in the development branch.
* CMake 3.10.2 or later (if using CMake).
-* Microsoft Visual Studio 2013 or later (if using Visual Studio).
+* Microsoft Visual Studio 2017 or later (if using Visual Studio).
* Doxygen 1.8.11 or later (if building the documentation; slightly older versions should work).
+### Git usage
+
+The `development` branch and the `mbedtls-3.6` long-term support branch of Mbed TLS use a [Git submodule](https://git-scm.com/book/en/v2/Git-Tools-Submodules#_cloning_submodules) ([framework](https://github.com/Mbed-TLS/mbedtls-framework)). This is not needed to merely compile the library at a release tag. This is not needed to consume a release archive (zip or tar).
+
### Generated source files in the development branch
The source code of Mbed TLS includes some files that are automatically generated by scripts and whose content depends only on the Mbed TLS source, not on the platform or on the library configuration. These files are not included in the development branch of Mbed TLS, but the generated files are included in official releases. This section explains how to generate the missing files in the development branch.
@@ -221,7 +225,7 @@ subproject.
### Microsoft Visual Studio
-The build files for Microsoft Visual Studio are generated for Visual Studio 2013.
+The build files for Microsoft Visual Studio are generated for Visual Studio 2017.
The solution file `mbedTLS.sln` contains all the basic projects needed to build the library and all the programs. The files in tests are not generated and compiled, as these need Python and perl environments as well. However, the selftest program in `programs/test/` is still available.
@@ -246,7 +250,7 @@ For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, ad
- `tests/scripts/depends.py` test builds in configurations with a single curve, key exchange, hash, cipher, or pkalg on.
- `tests/scripts/all.sh` runs a combination of the above tests, plus some more, with various build options (such as ASan, full `mbedtls_config.h`, etc).
-Instead of manually installing the required versions of all tools required for testing, it is possible to use the Docker images from our CI systems, as explained in [our testing infrastructure repository](https://github.com/Mbed-TLS/mbedtls-test/blob/master/README.md#quick-start).
+Instead of manually installing the required versions of all tools required for testing, it is possible to use the Docker images from our CI systems, as explained in [our testing infrastructure repository](https://github.com/Mbed-TLS/mbedtls-test/blob/main/README.md#quick-start).
Porting Mbed TLS
----------------
@@ -307,14 +311,14 @@ When using drivers, you will generally want to enable two compilation options (s
License
-------
-Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information.
+Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information.
### Third-party code included in Mbed TLS
-This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, and in source files. The projects are listed below:
+This project contains code from other projects. This code is located within the `tf-psa-crypto/drivers/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
-* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
-* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is also used by Mbed TLS under the Apache 2.0 license. We do not plan to regularly update these files, so they may not contain fixes and improvements present in the upstream project.
+* `drivers/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
+* `drivers/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
Contributing
------------
diff --git a/SECURITY.md b/SECURITY.md
index 7ed72de..9506eb9 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -128,7 +128,7 @@ even a remote. The attacks can result in key recovery.
- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
- `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
+ `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h
index af2415f..be785b7 100644
--- a/configs/config-ccm-psk-dtls1_2.h
+++ b/configs/config-ccm-psk-dtls1_2.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites
@@ -35,19 +23,20 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_SRV_C
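Review bot: The added `MBEDTLS_PSA_CRYPTO_CONFIG_FILE` in this DTLS configuration names `../configs/crypto-config-ccm-psk-tls1_2.h`, the same file used by the TLS variant (the matching hunk in configs/config-ccm-psk-tls1_2.h), and nothing says whether the sharing is deliberate. Because the hunk also removes `MBEDTLS_AES_C`, `MBEDTLS_CCM_C`, `MBEDTLS_CIPHER_C`, `MBEDTLS_MD_C` and `MBEDTLS_SHA256_C`, the algorithm set of this minimal profile is now decided entirely by that file, which is not part of the visible diff and should be checked to enable only what the PSK/AES-CCM suites need. The `../configs/` prefix presumably resolves against the including header or an include directory rather than this file's own location, so it may stop working when the config is copied out of the tree. A comment above the define such as `/* Crypto settings are shared with config-ccm-psk-tls1_2.h; the path is resolved by the include search, not relative to this file */` would cover both points, with the wording to be confirmed by the author.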
@@ -93,11 +82,6 @@
*/
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 62c1d80..d8f4f9c 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
@@ -34,19 +22,20 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
@@ -84,11 +73,6 @@
*/
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h
deleted file mode 100644
index 1964e8e..0000000
--- a/configs/config-no-entropy.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * \file config-no-entropy.h
- *
- * \brief Minimal configuration of features that do not require an entropy source
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * Minimal configuration of features that do not require an entropy source
- * Distinguishing features:
- * - no entropy module
- * - no TLS protocol implementation available due to absence of an entropy
- * source
- *
- * See README.txt for usage instructions.
- */
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-
-/* Mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define MBEDTLS_ECP_NIST_OPTIM
-#define MBEDTLS_ECDSA_DETERMINISTIC
-#define MBEDTLS_PK_RSA_ALT_SUPPORT
-#define MBEDTLS_PKCS1_V15
-#define MBEDTLS_PKCS1_V21
-#define MBEDTLS_SELF_TEST
-#define MBEDTLS_VERSION_FEATURES
-
-/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_RSA_C
-/* The library does not currently support enabling SHA-224 without SHA-256.
- * A future version of the library will have this option disabled
- * by default. */
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
-#define MBEDTLS_VERSION_C
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-//#define MBEDTLS_CMAC_C
-
-/* Miscellaneous options */
-#define MBEDTLS_AES_ROM_TABLES
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 56a700f..cdea16e 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
@@ -33,36 +21,29 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME
/* Mbed TLS feature support */
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ECDH_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
@@ -107,11 +88,6 @@
#define MBEDTLS_SSL_IN_CONTENT_LEN 1024
#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index a014b52..13e4d26 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -5,85 +5,46 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
/* Mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_MODE_CFB
-#define MBEDTLS_CIPHER_MODE_CTR
-#define MBEDTLS_CIPHER_MODE_OFB
-#define MBEDTLS_CIPHER_MODE_XTS
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_FS_IO
#define MBEDTLS_ENTROPY_NV_SEED
#define MBEDTLS_SELF_TEST
-#define MBEDTLS_USE_PSA_CRYPTO
#define MBEDTLS_VERSION_FEATURES
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
-#define MBEDTLS_CAMELLIA_C
-#define MBEDTLS_ARIA_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CHACHA20_C
-#define MBEDTLS_CHACHAPOLY_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_CMAC_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_DES_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_ERROR_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_HKDF_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_NIST_KW_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_MD5_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C
#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_POLY1305_C
-#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#define MBEDTLS_PSA_ITS_FILE_C
-#define MBEDTLS_RIPEMD160_C
-#define MBEDTLS_SHA1_C
-/* The library does not currently support enabling SHA-224 without SHA-256.
- * A future version of the library will have this option disabled
- * by default. */
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
+
//#define MBEDTLS_THREADING_C
#define MBEDTLS_TIMING_C
#define MBEDTLS_VERSION_C
diff --git a/configs/config-tfm.h b/configs/config-tfm.h
new file mode 100644
index 0000000..14896d4
--- /dev/null
+++ b/configs/config-tfm.h
@@ -0,0 +1,68 @@
+/**
+ * \file config-tfm.h
+ *
+ * \brief TF-M medium profile, adapted to work on other platforms.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/* TF-M medium profile: mbedtls legacy configuration */
+#include "../configs/ext/tfm_mbedcrypto_config_profile_medium.h"
+
+/* TF-M medium profile: PSA crypto configuration */
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/ext/crypto_config_profile_medium.h"
+
+/***********************************************************/
+/* Tweak the configuration to remove dependencies on TF-M. */
+/***********************************************************/
+
+/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */
+#undef MBEDTLS_PSA_CRYPTO_SPM
+
+/* Disable buffer-based memory allocator. This isn't strictly required,
+ * but using the native allocator is faster and works better with
+ * memory management analysis frameworks such as ASan. */
+#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+#undef MBEDTLS_ENTROPY_NV_SEED
+
+// These platform-related TF-M settings are not useful here.
+#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#undef MBEDTLS_PLATFORM_STD_MEM_HDR
+#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#undef MBEDTLS_PLATFORM_PRINTF_ALT
+#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+
+/*
+ * In order to get an example config that works cleanly out-of-the-box
+ * for both baremetal and non-baremetal builds, we detect baremetal builds
+ * (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some
+ * variables accordingly.
+ */
+#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__)
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#else
+/* Use built-in platform entropy functions (TF-M provides its own). */
+#undef MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+
+/***********************************************************************
+ * Local changes to crypto config below this delimiter
+ **********************************************************************/
+
+// We expect TF-M to pick this up soon
+#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
+/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it
+ * does not need CIPHER_C to be enabled, so we can disable it in order
+ * to reduce code size further. */
+#undef MBEDTLS_CIPHER_C
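Review bot: In the baremetal branch of the `#if defined(__IAR_SYSTEMS_ICC__) || ...` block, `MBEDTLS_NO_PLATFORM_ENTROPY` is defined after `MBEDTLS_ENTROPY_NV_SEED` has already been undefined a few lines above, so this file configures neither of those entropy sources for IAR, Arm compiler or `__ARM_EABI__` builds. Whether the included `tfm_mbedcrypto_config_profile_medium.h` enables a hardware source is not visible here, so the header should state where the random generator gets its seed in that case. I would add a comment such as `/* Baremetal: no platform entropy and no NV seed; a hardware entropy source must be provided by the TF-M profile or the integrator. */` above the `#define`. The comments on the `MBEDTLS_PSA_CRYPTO_STORAGE_C` and `MBEDTLS_ENTROPY_NV_SEED` `#undef`s are also word-for-word identical and could each name the actual dependency that is missing on baremetal.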
diff --git a/configs/config-thread.h b/configs/config-thread.h
index e05b557..160aded 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
@@ -29,15 +17,21 @@
* - no X.509
* - support for experimental EC J-PAKE key exchange
*
+ * To be used in conjunction with configs/crypto-config-thread.h.
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
#define MBEDTLS_HAVE_ASM
/* Mbed TLS feature support */
#define MBEDTLS_AES_ROM_TABLES
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
@@ -47,23 +41,15 @@
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_CMAC_C
-#define MBEDTLS_ECJPAKE_C
-#define MBEDTLS_ECP_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
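Review bot: `#define MBEDTLS_MD_C` is left in the module list here, while the matching hunks of the PSK configs, config-suite-b.h and config-symmetric-only.h remove it along with the other legacy crypto modules. config-symmetric-only.h keeps `MBEDTLS_HMAC_DRBG_C` and still drops `MBEDTLS_MD_C`, so the difference does not look like it follows from HMAC_DRBG alone. If the define is still needed in this config, a short comment such as `/* still required by <module> */` next to it would explain the exception; otherwise it should go for consistency with the sibling configs.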
@@ -81,8 +67,3 @@
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
-
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h
index 6c12bd7..68a9c0a 100644
--- a/configs/crypto-config-ccm-aes-sha256.h
+++ b/configs/crypto-config-ccm-aes-sha256.h
@@ -2,35 +2,21 @@
* \file configs/crypto-config-ccm-aes-sha256.h
*
* \brief PSA crypto configuration with only symmetric cryptography: CCM-AES,
- * SHA-256, HMAC and key derivation
+ * SHA-256 and key derivation (uses HMAC).
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H
#define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_SHA_256 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h
new file mode 100644
index 0000000..f4928e2
--- /dev/null
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@@ -0,0 +1,25 @@
+/**
+ * \file crypto-config-ccm-psk-tls1_2.h
+ *
+ * \brief Minimal crypto configuration for TLS 1.2 with
+ * PSK and AES-CCM ciphersuites
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * To be used in conjunction with configs/config-ccm-psk-tls1_2.h
+ * or configs/config-ccm-psk-dtls1_2.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h
new file mode 100644
index 0000000..ec20919
--- /dev/null
+++ b/configs/crypto-config-suite-b.h
@@ -0,0 +1,41 @@
+/**
+ * \file crypto-config-symmetric-only.h
+ *
+ * \brief \brief Minimal crypto configuration for
+ * TLS NSA Suite B Profile (RFC 6460).
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * Minimal crypto configuration for TLS NSA Suite B Profile (RFC 6460)
+ *
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - optimized for low RAM usage
+ *
+ * Possible improvements:
+ * - if 128-bit security is enough, disable secp384r1 and SHA-512
+ *
+ * To be used in conjunction with configs/config-suite-b.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDSA 1
+#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_512 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+#define PSA_WANT_ECC_SECP_R1_384 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#endif /* PSA_CRYPTO_CONFIG_H */
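Review bot: The Doxygen header of this new file names the wrong file and repeats a tag: it says `\file crypto-config-symmetric-only.h` and `\brief \brief Minimal crypto configuration for`, which looks like a copy-paste leftover. The two lines should read ` * \file crypto-config-suite-b.h` and ` * \brief Minimal crypto configuration for`. Generated documentation would otherwise attribute this Suite B algorithm list to the symmetric-only configuration, which is misleading when someone audits which algorithms a profile enables.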
diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h
new file mode 100644
index 0000000..5d6bf85
--- /dev/null
+++ b/configs/crypto-config-symmetric-only.h
@@ -0,0 +1,58 @@
+/**
+ * \file crypto-config-symmetric-only.h
+ *
+ * \brief Crypto configuration without any asymmetric cryptography.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * To be used in conjunction with configs/config-symmetric-only.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
+#define PSA_WANT_ALG_CFB 1
+#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+#define PSA_WANT_ALG_CMAC 1
+#define PSA_WANT_ALG_CTR 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_ALG_MD5 1
+#define PSA_WANT_ALG_OFB 1
+#define PSA_WANT_ALG_RIPEMD160 1
+#define PSA_WANT_ALG_SHA_1 1
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_512 1
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+
+/* XTS is not yet supported via the PSA API in Mbed TLS. */
+//#define PSA_WANT_ALG_XTS 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_ARIA 1
+#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+#define PSA_WANT_KEY_TYPE_CHACHA20 1
+#define PSA_WANT_KEY_TYPE_DES 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+
+#endif /* PSA_CRYPTO_CONFIG_H */
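Review bot: The list enables `PSA_WANT_KEY_TYPE_DES`, `PSA_WANT_ALG_MD5`, `PSA_WANT_ALG_SHA_1` and `PSA_WANT_ALG_RIPEMD160` with no comment, so anyone taking this file as a starting point gets legacy algorithms switched on without being told why. The module list removed from config-symmetric-only.h in this commit had the matching legacy modules, so this looks like deliberate parity rather than a recommendation. A comment above the defines would make that explicit, for example `/* Mirrors the previous symmetric-only module list, including legacy algorithms (DES, MD5, SHA-1, RIPEMD-160); trim before using as a product configuration. */`. As a smaller point, `PSA_WANT_ALG_STREAM_CIPHER` sits between the SHA-1 and SHA-224 lines and would read better next to the other cipher entries.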
diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h
new file mode 100644
index 0000000..3c5fe24
--- /dev/null
+++ b/configs/crypto-config-thread.h
@@ -0,0 +1,47 @@
+/**
+ * \file crypto-config-thread.h
+ *
+ * \brief Minimal crypto configuration for using TLS as part of Thread
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * Minimal crypto configuration for using TLS as part of Thread
+ * http://threadgroup.org/
+ *
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - no X.509
+ * - support for experimental EC J-PAKE key exchange
+ * - support for PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching
+ * algorithm.
+ *
+ * To be used in conjunction with configs/config-thread.h.
+ * See README.txt for usage instructions.
+ */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_ALG_JPAKE 1
+#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto_config_profile_medium.h b/configs/crypto_config_profile_medium.h
deleted file mode 100644
index 3fa8552..0000000
--- a/configs/crypto_config_profile_medium.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-/**
- * \file psa/crypto_config.h
- * \brief PSA crypto configuration options (set of defines)
- *
- */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-/**
- * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
- * this file determines which cryptographic mechanisms are enabled
- * through the PSA Cryptography API (\c psa_xxx() functions).
- *
- * To enable a cryptographic mechanism, uncomment the definition of
- * the corresponding \c PSA_WANT_xxx preprocessor symbol.
- * To disable a cryptographic mechanism, comment out the definition of
- * the corresponding \c PSA_WANT_xxx preprocessor symbol.
- * The names of cryptographic mechanisms correspond to values
- * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
- * of \c PSA_.
- *
- * Note that many cryptographic mechanisms involve two symbols: one for
- * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
- * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
- * additional symbols.
- */
-#else
-/**
- * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
- * this file is not used, and cryptographic mechanisms are supported
- * through the PSA API if and only if they are supported through the
- * mbedtls_xxx API.
- */
-#endif
-
-#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H
-#define PROFILE_M_PSA_CRYPTO_CONFIG_H
-
-/*
- * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
- */
-//#define PSA_WANT_ALG_CBC_MAC 1
-//#define PSA_WANT_ALG_CBC_NO_PADDING 1
-//#define PSA_WANT_ALG_CBC_PKCS7 1
-#define PSA_WANT_ALG_CCM 1
-//#define PSA_WANT_ALG_CMAC 1
-//#define PSA_WANT_ALG_CFB 1
-//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
-//#define PSA_WANT_ALG_CTR 1
-#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
-//#define PSA_WANT_ALG_ECB_NO_PADDING 1
-#define PSA_WANT_ALG_ECDH 1
-#define PSA_WANT_ALG_ECDSA 1
-//#define PSA_WANT_ALG_GCM 1
-#define PSA_WANT_ALG_HKDF 1
-#define PSA_WANT_ALG_HMAC 1
-//#define PSA_WANT_ALG_MD5 1
-//#define PSA_WANT_ALG_OFB 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_PBKDF2_HMAC 1
-//#define PSA_WANT_ALG_RIPEMD160 1
-//#define PSA_WANT_ALG_RSA_OAEP 1
-//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
-//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
-//#define PSA_WANT_ALG_RSA_PSS 1
-//#define PSA_WANT_ALG_SHA_1 1
-#define PSA_WANT_ALG_SHA_224 1
-#define PSA_WANT_ALG_SHA_256 1
-//#define PSA_WANT_ALG_SHA_384 1
-//#define PSA_WANT_ALG_SHA_512 1
-//#define PSA_WANT_ALG_STREAM_CIPHER 1
-#define PSA_WANT_ALG_TLS12_PRF 1
-#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_XTS 1
-
-//#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
-//#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
-//#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
-//#define PSA_WANT_ECC_MONTGOMERY_255 1
-//#define PSA_WANT_ECC_MONTGOMERY_448 1
-//#define PSA_WANT_ECC_SECP_K1_192 1
-/*
- * SECP224K1 is buggy via the PSA API in Mbed TLS
- * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
- * default.
- */
-//#define PSA_WANT_ECC_SECP_K1_224 1
-//#define PSA_WANT_ECC_SECP_K1_256 1
-//#define PSA_WANT_ECC_SECP_R1_192 1
-//#define PSA_WANT_ECC_SECP_R1_224 1
-#define PSA_WANT_ECC_SECP_R1_256 1
-//#define PSA_WANT_ECC_SECP_R1_384 1
-//#define PSA_WANT_ECC_SECP_R1_521 1
-
-#define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
-#define PSA_WANT_KEY_TYPE_AES 1
-//#define PSA_WANT_KEY_TYPE_ARIA 1
-//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
-//#define PSA_WANT_KEY_TYPE_CHACHA20 1
-//#define PSA_WANT_KEY_TYPE_DES 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
-#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
-#define PSA_WANT_KEY_TYPE_RAW_DATA 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
-//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
-
-/***********************************************************************
- * Local edits below this delimiter
- **********************************************************************/
-
-/* Between Mbed TLS 3.4 and 3.5, the PSA_WANT_KEY_TYPE_RSA_KEY_PAIR macro
- * (commented-out above) has been replaced with the following new macros: */
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */
-
-/* Between Mbed TLS 3.4 and 3.5, the following macros have been added: */
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 // Not supported
-
-#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */
diff --git a/configs/ext/README.md b/configs/ext/README.md
new file mode 100644
index 0000000..1358bd4
--- /dev/null
+++ b/configs/ext/README.md
@@ -0,0 +1,25 @@
+Summary
+-------
+
+The two files:
+
+* crypto_config_profile_medium.h
+* tfm_mbedcrypto_config_profile_medium.h
+
+are copyright The Mbed TLS Contributors, and are distributed under the license normally
+used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license.
+
+Background
+----------
+
+The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h
+are taken verbatim from the TF-M source code here:
+
+https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcrypto/mbedcrypto_config
+
+In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top of the files.
+
+In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors.
+
+We only retain the note at the top of the files because we are taking the files verbatim, for ease of
+maintenance.
diff --git a/configs/ext/config_tfm.h b/configs/ext/config_tfm.h
new file mode 100644
index 0000000..60d855e
--- /dev/null
+++ b/configs/ext/config_tfm.h
@@ -0,0 +1,13 @@
+/*
+ * Empty placeholder
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * This file is intentionally empty.
+ *
+ * Having an empty file here allows us to build the TF-M config, which references this file,
+ * without making any changes to the TF-M config.
+ */
diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h
new file mode 100644
index 0000000..af8869f
--- /dev/null
+++ b/configs/ext/crypto_config_profile_medium.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2018-2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+/**
+ * \file psa/crypto_config.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+/**
+ * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
+ * this file determines which cryptographic mechanisms are enabled
+ * through the PSA Cryptography API (\c psa_xxx() functions).
+ *
+ * To enable a cryptographic mechanism, uncomment the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * To disable a cryptographic mechanism, comment out the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * The names of cryptographic mechanisms correspond to values
+ * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
+ * of \c PSA_.
+ *
+ * Note that many cryptographic mechanisms involve two symbols: one for
+ * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
+ * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
+ * additional symbols.
+ */
+#else
+/**
+ * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
+ * this file is not used, and cryptographic mechanisms are supported
+ * through the PSA API if and only if they are supported through the
+ * mbedtls_xxx API.
+ */
+#endif
+
+#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H
+#define PROFILE_M_PSA_CRYPTO_CONFIG_H
+
+/*
+ * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
+ */
+//#define PSA_WANT_ALG_CBC_MAC 1
+//#define PSA_WANT_ALG_CBC_NO_PADDING 1
+//#define PSA_WANT_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CCM 1
+//#define PSA_WANT_ALG_CMAC 1
+//#define PSA_WANT_ALG_CFB 1
+//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+//#define PSA_WANT_ALG_CTR 1
+//#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+//#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDSA 1
+//#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HMAC 1
+//#define PSA_WANT_ALG_MD5 1
+//#define PSA_WANT_ALG_OFB 1
+/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_PBKDF2_HMAC 1
+//#define PSA_WANT_ALG_RIPEMD160 1
+//#define PSA_WANT_ALG_RSA_OAEP 1
+//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
+//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
+//#define PSA_WANT_ALG_RSA_PSS 1
+//#define PSA_WANT_ALG_SHA_1 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+//#define PSA_WANT_ALG_SHA_384 1
+//#define PSA_WANT_ALG_SHA_512 1
+//#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_XTS 1
+
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+//#define PSA_WANT_ECC_MONTGOMERY_255 1
+//#define PSA_WANT_ECC_MONTGOMERY_448 1
+//#define PSA_WANT_ECC_SECP_K1_192 1
+/*
+ * SECP224K1 is buggy via the PSA API in Mbed TLS
+ * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
+ * default.
+ */
+//#define PSA_WANT_ECC_SECP_K1_224 1
+//#define PSA_WANT_ECC_SECP_K1_256 1
+//#define PSA_WANT_ECC_SECP_R1_192 1
+//#define PSA_WANT_ECC_SECP_R1_224 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+//#define PSA_WANT_ECC_SECP_R1_384 1
+//#define PSA_WANT_ECC_SECP_R1_521 1
+
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#define PSA_WANT_KEY_TYPE_AES 1
+//#define PSA_WANT_KEY_TYPE_ARIA 1
+//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+//#define PSA_WANT_KEY_TYPE_CHACHA20 1
+//#define PSA_WANT_KEY_TYPE_DES 1
+//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */
+//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+
+/*
+ * The following symbols extend and deprecate the legacy
+ * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in
+ * the name's suffix. "_USE" is the most generic and it can be used to describe
+ * a generic suport, whereas other ones add more features on top of that and
+ * they are more specific.
+ */
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+
+#ifdef CRYPTO_HW_ACCELERATOR
+#include "crypto_accelerator_config.h"
+#endif
+
+#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */
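Review bot: The comment directly above `//#define PSA_WANT_ALG_XTS 1` repeats the PBKDF2-HMAC text from the earlier `PSA_WANT_ALG_PBKDF2_HMAC` entry, so it gives the wrong reason for XTS being disabled; it should read `/* XTS is not yet supported via the PSA API in Mbed TLS. */`. Further down, the key-pair comment says `"_USE" is the most generic` although the symbols defined below it start at `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC`, and `suport` is misspelled. Since configs/ext/README.md states that this file is copied verbatim from TF-M, these corrections presumably belong upstream rather than in this copy.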
diff --git a/configs/ext/mbedtls_entropy_nv_seed_config.h b/configs/ext/mbedtls_entropy_nv_seed_config.h
new file mode 100644
index 0000000..60d855e
--- /dev/null
+++ b/configs/ext/mbedtls_entropy_nv_seed_config.h
@@ -0,0 +1,13 @@
+/*
+ * Empty placeholder
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * This file is intentionally empty.
+ *
+ * Having an empty file here allows us to build the TF-M config, which references this file,
+ * without making any changes to the TF-M config.
+ */
diff --git a/configs/ext/tfm_mbedcrypto_config_profile_medium.h b/configs/ext/tfm_mbedcrypto_config_profile_medium.h
new file mode 100644
index 0000000..0e7bc68
--- /dev/null
+++ b/configs/ext/tfm_mbedcrypto_config_profile_medium.h
@@ -0,0 +1,572 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2023, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PROFILE_M_MBEDTLS_CONFIG_H
+#define PROFILE_M_MBEDTLS_CONFIG_H
+
+#include "config_tfm.h"
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+ *
+ * Use only 128-bit keys in AES operations to save ROM.
+ *
+ * Uncomment this macro to remove support for AES operations that use 192-
+ * or 256-bit keys.
+ *
+ * Uncommenting this macro reduces the size of AES code by ~300 bytes
+ * on v8-M/Thumb2.
+ *
+ * Module: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ */
+#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
+
+#include <stdio.h>
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* ECP options */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
+
+/**
+ * Uncomment to enable p256-m. This is an alternative implementation of
+ * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
+ * Compared to the default implementation:
+ *
+ * - p256-m has a much smaller code size and RAM footprint.
+ * - p256-m is only available via the PSA API. This includes the pk module
+ * when #MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
+ * over the core arithmetic, or deterministic derivation of keys.
+ *
+ * We recommend enabling this option if your application uses the PSA API
+ * and the only elliptic curve support it needs is ECDH and ECDSA over
+ * SECP256R1.
+ *
+ * If you enable this option, you do not need to enable any ECC-related
+ * MBEDTLS_xxx option. You do need to separately request support for the
+ * cryptographic mechanisms through the PSA API:
+ * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
+ * configuration;
+ * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
+ * - #PSA_WANT_ECC_SECP_R1_256;
+ * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
+ * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
+ *
+ * \note To benefit from the smaller code size of p256-m, make sure that you
+ * do not enable any ECC-related option not supported by p256-m: this
+ * would cause the built-in ECC implementation to be built as well, in
+ * order to provide the required option.
+ * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
+ * SECP256R1 are disabled as they are not supported by this driver.
+ * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
+ * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
+ * the built-in ECC implementation, see docs/driver-only-builds.md.
+ */
+#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
+
+/* \} name SECTION: Customisation configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#ifdef CRYPTO_HW_ACCELERATOR
+#include "mbedtls_accelerator_config.h"
+#endif
+
+#endif /* PROFILE_M_MBEDTLS_CONFIG_H */
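Review bot: With `MBEDTLS_NO_PLATFORM_ENTROPY` and `MBEDTLS_ENTROPY_NV_SEED` both defined and no other entropy option visible in this header, the RNG appears to depend on the NV seed alone unless the integrator registers a hardware source, and nothing in the file states that requirement. It matters here because the p256-m driver enabled at the end of the file does not support deterministic ECDSA, so signature safety rests on RNG quality. The `mbedtls_entropy_nv_seed_config.h` included near the end is an empty placeholder in this commit, and the copy of this header that the commit deletes had `MBEDTLS_ENTROPY_NV_SEED` commented out as incompatible with baremetal builds. I would document the requirement, in configs/ext/README.md if this header has to stay verbatim: `The NV seed must be provisioned per device from a real entropy source; a fixed or shared seed makes DRBG output, and therefore ECDSA nonces, predictable.`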
diff --git a/configs/tfm_mbedcrypto_config_profile_medium.h b/configs/tfm_mbedcrypto_config_profile_medium.h
deleted file mode 100644
index 88736b5..0000000
--- a/configs/tfm_mbedcrypto_config_profile_medium.h
+++ /dev/null
@@ -1,623 +0,0 @@
-/**
- * \file config.h
- *
- * \brief Configuration options (set of defines)
- *
- * This set of compile-time options may be used to enable
- * or disable features selectively, and reduce the global
- * memory footprint.
- */
-/*
- * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef PROFILE_M_MBEDTLS_CONFIG_H
-#define PROFILE_M_MBEDTLS_CONFIG_H
-
-#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
-#define _CRT_SECURE_NO_DEPRECATE 1
-#endif
-
-/**
- * \name SECTION: System support
- *
- * This section sets system specific settings.
- * \{
- */
-
-/**
- * \def MBEDTLS_HAVE_ASM
- *
- * The compiler has support for asm().
- *
- * Requires support for asm() in compiler.
- *
- * Used in:
- * library/aria.c
- * library/timing.c
- * include/mbedtls/bn_mul.h
- *
- * Required by:
- * MBEDTLS_AESNI_C
- * MBEDTLS_PADLOCK_C
- *
- * Comment to disable the use of assembly code.
- */
-#define MBEDTLS_HAVE_ASM
-
-/**
- * \def MBEDTLS_PLATFORM_MEMORY
- *
- * Enable the memory allocation layer.
- *
- * By default mbed TLS uses the system-provided calloc() and free().
- * This allows different allocators (self-implemented or provided) to be
- * provided to the platform abstraction layer.
- *
- * Enabling MBEDTLS_PLATFORM_MEMORY without the
- * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
- * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
- * free() function pointer at runtime.
- *
- * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
- * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
- * alternate function at compile time.
- *
- * Requires: MBEDTLS_PLATFORM_C
- *
- * Enable this layer to allow use of alternative memory allocators.
- */
-#define MBEDTLS_PLATFORM_MEMORY
-
-/* \} name SECTION: System support */
-
-/**
- * \name SECTION: mbed TLS feature support
- *
- * This section sets support for features that are or are not needed
- * within the modules that are enabled.
- * \{
- */
-
-/**
- * \def MBEDTLS_MD2_PROCESS_ALT
- *
- * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
- * alternate core implementation of symmetric crypto or hash function. Keep in
- * mind that function prototypes should remain the same.
- *
- * This replaces only one function. The header file from mbed TLS is still
- * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
- *
- * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
- * no longer provide the mbedtls_sha1_process() function, but it will still provide
- * the other function (using your mbedtls_sha1_process() function) and the definition
- * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
- * with this definition.
- *
- * \note Because of a signature change, the core AES encryption and decryption routines are
- * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
- * respectively. When setting up alternative implementations, these functions should
- * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
- * must stay untouched.
- *
- * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
- * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
- * tables.
- *
- * Uncomment a macro to enable alternate implementation of the corresponding
- * function.
- *
- * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
- * constitutes a security risk. If possible, we recommend avoiding
- * dependencies on them, and considering stronger message digests
- * and ciphers instead.
- *
- */
-#define MBEDTLS_AES_SETKEY_DEC_ALT
-#define MBEDTLS_AES_DECRYPT_ALT
-
-/**
- * \def MBEDTLS_AES_ROM_TABLES
- *
- * Use precomputed AES tables stored in ROM.
- *
- * Uncomment this macro to use precomputed AES tables stored in ROM.
- * Comment this macro to generate AES tables in RAM at runtime.
- *
- * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
- * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
- * initialization time before the first AES operation can be performed.
- * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
- * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
- * performance if ROM access is slower than RAM access.
- *
- * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
- *
- */
-#define MBEDTLS_AES_ROM_TABLES
-
-/**
- * \def MBEDTLS_AES_FEWER_TABLES
- *
- * Use less ROM/RAM for AES tables.
- *
- * Uncommenting this macro omits 75% of the AES tables from
- * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
- * by computing their values on the fly during operations
- * (the tables are entry-wise rotations of one another).
- *
- * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
- * by ~6kb but at the cost of more arithmetic operations during
- * runtime. Specifically, one has to compare 4 accesses within
- * different tables to 4 accesses with additional arithmetic
- * operations within the same table. The performance gain/loss
- * depends on the system and memory details.
- *
- * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
- *
- */
-#define MBEDTLS_AES_FEWER_TABLES
-
-/**
- * \def MBEDTLS_ECP_NIST_OPTIM
- *
- * Enable specific 'modulo p' routines for each NIST prime.
- * Depending on the prime and architecture, makes operations 4 to 8 times
- * faster on the corresponding curve.
- *
- * Comment this macro to disable NIST curves optimisation.
- */
-#define MBEDTLS_ECP_NIST_OPTIM
-
-/**
- * \def MBEDTLS_ERROR_STRERROR_DUMMY
- *
- * Enable a dummy error function to make use of mbedtls_strerror() in
- * third party libraries easier when MBEDTLS_ERROR_C is disabled
- * (no effect when MBEDTLS_ERROR_C is enabled).
- *
- * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
- * not using mbedtls_strerror() or error_strerror() in your application.
- *
- * Disable if you run into name conflicts and want to really remove the
- * mbedtls_strerror()
- */
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-
-/**
- * \def MBEDTLS_NO_PLATFORM_ENTROPY
- *
- * Do not use built-in platform entropy functions.
- * This is useful if your platform does not support
- * standards like the /dev/urandom or Windows CryptoAPI.
- *
- * Uncomment this macro to disable the built-in platform entropy functions.
- */
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-
-/**
- * \def MBEDTLS_ENTROPY_NV_SEED
- *
- * Enable the non-volatile (NV) seed file-based entropy source.
- * (Also enables the NV seed read/write functions in the platform layer)
- *
- * This is crucial (if not required) on systems that do not have a
- * cryptographic entropy source (in hardware or kernel) available.
- *
- * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
- *
- * \note The read/write functions that are used by the entropy source are
- * determined in the platform layer, and can be modified at runtime and/or
- * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
- *
- * \note If you use the default implementation functions that read a seedfile
- * with regular fopen(), please make sure you make a seedfile with the
- * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
- * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
- * and written to or you will get an entropy source error! The default
- * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
- * bytes from the file.
- *
- * \note The entropy collector will write to the seed file before entropy is
- * given to an external source, to update it.
- */
-// This macro is enabled in TFM Medium but is disabled here because it is
-// incompatible with baremetal builds in Mbed TLS.
-//#define MBEDTLS_ENTROPY_NV_SEED
-
-/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
- *
- * Enable key identifiers that encode a key owner identifier.
- *
- * This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide an
- * implementation of the type mbedtls_key_owner_id_t and a translation from
- * mbedtls_svc_key_id_t to file name in all the storage backends that you
- * you wish to support.
- *
- * Note that while this define has been removed from TF-M's copy of this config
- * file, TF-M still passes this option to Mbed TLS during the build via CMake.
- * Therefore we keep it in our copy. See discussion on PR #7426 for more info.
- *
- */
-#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
- * \def MBEDTLS_SHA256_SMALLER
- *
- * Enable an implementation of SHA-256 that has lower ROM footprint but also
- * lower performance.
- *
- * The default implementation is meant to be a reasonnable compromise between
- * performance and size. This version optimizes more aggressively for size at
- * the expense of performance. Eg on Cortex-M4 it reduces the size of
- * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
- * 30%.
- *
- * Uncomment to enable the smaller implementation of SHA256.
- */
-#define MBEDTLS_SHA256_SMALLER
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_CONFIG
- *
- * This setting allows support for cryptographic mechanisms through the PSA
- * API to be configured separately from support through the mbedtls API.
- *
- * When this option is disabled, the PSA API exposes the cryptographic
- * mechanisms that can be implemented on top of the `mbedtls_xxx` API
- * configured with `MBEDTLS_XXX` symbols.
- *
- * When this option is enabled, the PSA API exposes the cryptographic
- * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
- * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
- * automatically enabled if required (i.e. if no PSA driver provides the
- * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
- * in mbedtls_config.h.
- *
- * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
- * an alternative header to include instead of include/psa/crypto_config.h.
- *
- * This feature is still experimental and is not ready for production since
- * it is not completed.
- */
-#define MBEDTLS_PSA_CRYPTO_CONFIG
-
-/* \} name SECTION: mbed TLS feature support */
-
-/**
- * \name SECTION: mbed TLS modules
- *
- * This section enables or disables entire modules in mbed TLS
- * \{
- */
-
-/**
- * \def MBEDTLS_AES_C
- *
- * Enable the AES block cipher.
- *
- * Module: library/aes.c
- * Caller: library/cipher.c
- * library/pem.c
- * library/ctr_drbg.c
- *
- * This module is required to support the TLS ciphersuites that use the AES
- * cipher.
- *
- * PEM_PARSE uses AES for decrypting encrypted keys.
- */
-#define MBEDTLS_AES_C
-
-/**
- * \def MBEDTLS_CIPHER_C
- *
- * Enable the generic cipher layer.
- *
- * Module: library/cipher.c
- *
- * Uncomment to enable generic cipher wrappers.
- */
-#define MBEDTLS_CIPHER_C
-
-/**
- * \def MBEDTLS_CTR_DRBG_C
- *
- * Enable the CTR_DRBG AES-based random generator.
- * The CTR_DRBG generator uses AES-256 by default.
- * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
- *
- * Module: library/ctr_drbg.c
- * Caller:
- *
- * Requires: MBEDTLS_AES_C
- *
- * This module provides the CTR_DRBG AES random number generator.
- */
-#define MBEDTLS_CTR_DRBG_C
-
-/**
- * \def MBEDTLS_ENTROPY_C
- *
- * Enable the platform-specific entropy code.
- *
- * Module: library/entropy.c
- * Caller:
- *
- * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
- *
- * This module provides a generic entropy pool
- */
-#define MBEDTLS_ENTROPY_C
-
-/**
- * \def MBEDTLS_ERROR_C
- *
- * Enable error code to error string conversion.
- *
- * Module: library/error.c
- * Caller:
- *
- * This module enables mbedtls_strerror().
- */
-#define MBEDTLS_ERROR_C
-
-/**
- * \def MBEDTLS_HKDF_C
- *
- * Enable the HKDF algorithm (RFC 5869).
- *
- * Module: library/hkdf.c
- * Caller:
- *
- * Requires: MBEDTLS_MD_C
- *
- * This module adds support for the Hashed Message Authentication Code
- * (HMAC)-based key derivation function (HKDF).
- */
-#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
-
-/**
- * \def MBEDTLS_MD_C
- *
- * Enable the generic layer for message digest (hashing) and HMAC.
- *
- * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
- * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
- * MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least
- * one hash.
- * Module: library/md.c
- * Caller: library/constant_time.c
- * library/ecdsa.c
- * library/ecjpake.c
- * library/hkdf.c
- * library/hmac_drbg.c
- * library/pk.c
- * library/pkcs5.c
- * library/pkcs12.c
- * library/psa_crypto_ecp.c
- * library/psa_crypto_rsa.c
- * library/rsa.c
- * library/ssl_cookie.c
- * library/ssl_msg.c
- * library/ssl_tls.c
- * library/x509.c
- * library/x509_crt.c
- * library/x509write_crt.c
- * library/x509write_csr.c
- *
- * Uncomment to enable generic message digest wrappers.
- */
-#define MBEDTLS_MD_C
-
-/**
- * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
- *
- * Enable the buffer allocator implementation that makes use of a (stack)
- * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
- * calls)
- *
- * Module: library/memory_buffer_alloc.c
- *
- * Requires: MBEDTLS_PLATFORM_C
- * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
- *
- * Enable this module to enable the buffer memory allocator.
- */
-#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
-
-/**
- * \def MBEDTLS_PLATFORM_C
- *
- * Enable the platform abstraction layer that allows you to re-assign
- * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
- *
- * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
- * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
- * above to be specified at runtime or compile time respectively.
- *
- * \note This abstraction layer must be enabled on Windows (including MSYS2)
- * as other module rely on it for a fixed snprintf implementation.
- *
- * Module: library/platform.c
- * Caller: Most other .c files
- *
- * This module enables abstraction of common (libc) functions.
- */
-#define MBEDTLS_PLATFORM_C
-
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_C
- *
- * Enable the Platform Security Architecture cryptography API.
- *
- * Module: library/psa_crypto.c
- *
- * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_C
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
- *
- * Enable the Platform Security Architecture persistent key storage.
- *
- * Module: library/psa_crypto_storage.c
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C,
- * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
- * the PSA ITS interface
- */
-// This macro is enabled in TFM Medium but is disabled here because it is
-// incompatible with baremetal builds in Mbed TLS.
-//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-
-/* \} name SECTION: mbed TLS modules */
-
-/**
- * \name SECTION: General configuration options
- *
- * This section contains Mbed TLS build settings that are not associated
- * with a particular module.
- *
- * \{
- */
-
-/**
- * \def MBEDTLS_CONFIG_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"mbedtls/mbedtls_config.h"`.
- * This header file specifies the compile-time configuration of Mbed TLS.
- * Unlike other configuration options, this one must be defined on the
- * compiler command line: a definition in `mbedtls_config.h` would have
- * no effect.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
-
-/**
- * \def MBEDTLS_USER_CONFIG_FILE
- *
- * If defined, this is a header which will be included after
- * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
- * This allows you to modify the default configuration, including the ability
- * to undefine options that are enabled by default.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"psa/crypto_config.h"`.
- * This header file specifies which cryptographic mechanisms are available
- * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
- * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
- *
- * If defined, this is a header which will be included after
- * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
- * This allows you to modify the default configuration, including the ability
- * to undefine options that are enabled by default.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
-
-/** \} name SECTION: General configuration options */
-
-/**
- * \name SECTION: Module configuration options
- *
- * This section allows for the setting of module specific sizes and
- * configuration options. The default values are already present in the
- * relevant header files and should suffice for the regular use cases.
- *
- * Our advice is to enable options and change their values here
- * only if you have a good reason and know the consequences.
- *
- * Please check the respective header file for documentation on these
- * parameters (to prevent duplicate documentation).
- * \{
- */
-
-/* ECP options */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
-
-/* \} name SECTION: Customisation configuration options */
-
-#if CRYPTO_NV_SEED
-#include "tfm_mbedcrypto_config_extra_nv_seed.h"
-#endif /* CRYPTO_NV_SEED */
-
-#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
-#include "mbedtls_entropy_nv_seed_config.h"
-#endif
-
-#ifdef CRYPTO_HW_ACCELERATOR
-#include "mbedtls_accelerator_config.h"
-#endif
-
-#endif /* PROFILE_M_MBEDTLS_CONFIG_H */
diff --git a/docs/architecture/Makefile b/docs/architecture/Makefile
index 6252ab0..5bee504 100644
--- a/docs/architecture/Makefile
+++ b/docs/architecture/Makefile
@@ -2,20 +2,7 @@ PANDOC = pandoc
default: all
-all_markdown = \
- alternative-implementations.md \
- mbed-crypto-storage-specification.md \
- psa-crypto-implementation-structure.md \
- psa-migration/psa-limitations.md \
- psa-migration/strategy.md \
- psa-migration/tasks-g2.md \
- psa-migration/testing.md \
- testing/driver-interface-test-strategy.md \
- testing/invasive-testing.md \
- testing/psa-storage-format-testing.md \
- testing/test-framework.md \
- tls13-support.md \
- # This line is intentionally left blank
+all_markdown = $(wildcard *.md */*.md)
html: $(all_markdown:.md=.html)
pdf: $(all_markdown:.md=.pdf)
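Review bot: The new `all_markdown = $(wildcard *.md */*.md)` only matches files in this directory and one level below, so a document added in a deeper subdirectory would be left out of the `html` and `pdf` targets without any error. The pattern is also expanded relative to the directory make runs in, and it picks up any `.md` file that happens to be present there, which the removed explicit list did not. I would document that above the assignment, e.g. `# Top-level and one-level-deep documents only; extend the pattern if deeper directories are added.`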
diff --git a/docs/architecture/alternative-implementations.md b/docs/architecture/alternative-implementations.md
index eacdea7..549d47c 100644
--- a/docs/architecture/alternative-implementations.md
+++ b/docs/architecture/alternative-implementations.md
@@ -46,7 +46,7 @@ Generally, alternative implementations can define their context types to any C t
Where a context type needs to have a certain field, the field must have the same type and semantics as in the built-in implementation, but does not need to be at the same position in the structure. Furthermore, unless otherwise indicated, only read access is necessary: the field can be `const`, and modifications to it do not need to be supported. For example, if an alternative implementation of asymmetric cryptography uses a different representation of large integers, it is sufficient to provide a read-only copy of the fields listed here of type `mbedtls_mpi`.
-* AES: if `MBEDTLS_AESNI_C` or `MBEDTLS_PADLOCK_C` is enabled, `mbedtls_aes_context` must have the fields `nr` and `rk`.
+* AES: if `MBEDTLS_AESNI_C` is enabled, `mbedtls_aes_context` must have the fields `nr` and `rk`.
* DHM: if `MBEDTLS_DEBUG_C` is enabled, `mbedtls_dhm_context` must have the fields `P`, `Q`, `G`, `GX`, `GY` and `K`.
* ECP: `mbedtls_ecp_group` must have the fields `id`, `P`, `A`, `B`, `G`, `N`, `pbits` and `nbits`.
* If `MBEDTLS_PK_PARSE_EC_EXTENDED` is enabled, those fields must be writable, and `mbedtls_ecp_point_read_binary()` must support a group structure where only `P`, `pbits`, `A` and `B` are set.
diff --git a/docs/architecture/psa-crypto-implementation-structure.md b/docs/architecture/psa-crypto-implementation-structure.md
index d7e4f9c..0954602 100644
--- a/docs/architecture/psa-crypto-implementation-structure.md
+++ b/docs/architecture/psa-crypto-implementation-structure.md
@@ -86,7 +86,7 @@ Summary of files to modify when adding a new algorithm or key type:
* [ ] `tests/suites/test_suite_psa_crypto_metadata.data` — [New functions and macros](#new-functions-and-macros)
* (If adding `PSA_IS_xxx`) `tests/suites/test_suite_psa_crypto_metadata.function` — [New functions and macros](#new-functions-and-macros)
* [ ] `tests/suites/test_suite_psa_crypto*.data`, `tests/suites/test_suite_psa_crypto*.function` — [Unit tests](#unit-tests)
-* [ ] `scripts/mbedtls_dev/crypto_knowledge.py`, `scripts/mbedtls_dev/asymmetric_key_data.py` — [Unit tests](#unit-tests)
+* [ ] `framework/scripts/mbedtls_framework/crypto_knowledge.py`, `framework/scripts/mbedtls_framework/asymmetric_key_data.py` — [Unit tests](#unit-tests)
* [ ] `ChangeLog.d/*.txt` — changelog entry
Summary of files to modify when adding new API functions:
@@ -153,7 +153,7 @@ The size of operation structures needs to be known at compile time, since caller
### Unit tests
-A number of unit tests are automatically generated by `tests/scripts/generate_psa_tests.py` based on the algorithms and key types declared in `include/psa/crypto_values.h` and `include/psa/crypto_extra.h`:
+A number of unit tests are automatically generated by `framework/scripts/generate_psa_tests.py` based on the algorithms and key types declared in `include/psa/crypto_values.h` and `include/psa/crypto_extra.h`:
* Attempt to create a key with a key type that is not supported.
* Attempt to perform an operation with a combination of key type and algorithm that is not valid or not supported.
@@ -161,8 +161,8 @@ A number of unit tests are automatically generated by `tests/scripts/generate_ps
When adding a new key type or algorithm:
-* `scripts/mbedtls_dev/crypto_knowledge.py` contains knowledge about the compatibility of key types, key sizes and algorithms.
-* `scripts/mbedtls_dev/asymmetric_key_data.py` contains valid key data for asymmetric key types.
+* `framework/scripts/mbedtls_framework/crypto_knowledge.py` contains knowledge about the compatibility of key types, key sizes and algorithms.
+* `framework/scripts/mbedtls_framework/asymmetric_key_data.py` contains valid key data for asymmetric key types.
Other things need to be tested manually, either in `tests/suites/test_sutie_psa_crypto.data` or in another file. For example (this is not an exhaustive list):
diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 355f561..eda65a3 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -99,8 +99,8 @@ We can classify code that implements or uses cryptographic mechanisms into sever
* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
-* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding TLS 1.3).
-* Code that always uses PSA for crypto: TLS 1.3, LMS.
+* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding parts specific TLS 1.3).
+* Code that always uses PSA for crypto: TLS 1.3 (except things common with 1.2), LMS.
For the purposes of this work, three domains emerge:
@@ -110,23 +110,79 @@ For the purposes of this work, three domains emerge:
#### Non-use-PSA modules
-The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption:
+The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption.
-* CCM (block cipher in ECB mode; interdependent with cipher)
-* cipher (cipher and AEAD algorithms)
-* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
-* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
-* entropy (hashes via low-level)
+Hashes and HMAC (after the work on driver-only hashes):
+
+* entropy (hashes via MD-light)
* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
-* ECJPAKE (hashes via md; `md.h` exposed through API)
-* GCM (block cipher in ECB mode; interdependent with cipher)
-* md (hashes and HMAC)
-* NIST\_KW (AES-ECB; interdependent with cipher)
+* ECJPAKE (hashes via MD-light; `md.h` exposed through API)
+* MD (hashes and HMAC)
+* HKDF (HMAC via `md.h`; `md.h` exposed through API)
* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
-* PEM (AES and DES in CBC mode without padding; MD5 hash via low-level)
-* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; hashes via md; `cipher.h` exposed through API)
-* PKCS5 (cipher, generically, selected from ASN.1; HMAC via `md.h`; `md.h` exposed through API)
-* RSA (hash via md for PSS and OAEP; `md.h` exposed through API)
+* PKCS12 (hashes via MD-light)
+* PKCS5 (HMAC via `md.h`; `md.h` exposed through API)
+* PKCS7 (hashes via MD)
+* RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
+* PEM (MD5 hash via MD-light)
+
+Symmetric ciphers and AEADs (before work on driver-only cipher):
+
+* PEM:
+ * AES, DES or 3DES in CBC mode without padding, decrypt only (!).
+ * Currently using low-level non-generic APIs.
+ * No hard dependency, features guarded by `AES_C` resp. `DES_C`.
+ * Functions called: `setkey_dec()` + `crypt_cbc()`.
+* PKCS12:
+ * In practice: 2DES or 3DES in CBC mode with PKCS7 padding, decrypt only
+ (when called from pkparse).
+ * In principle: any cipher-mode (default padding), passed an
+ `mbedtls_cipher_type_t` as an argument, no documented restriction.
+ * Cipher, generically, selected from ASN.1 or function parameters;
+ no documented restriction but in practice TODO (inc. padding and
+ en/decrypt, look at standards and tests)
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Note: `cipher.h` exposed through API.
+ * Functions called: `setup`, `setkey`, `set_iv`, `reset`, `update`, `finish` (in sequence, once).
+* PKCS5 (PBES2, `mbedtls_pkcs5_pbes2()`):
+ * 3DES or DES in CBC mode with PKCS7 padding, both encrypt and decrypt.
+ * Note: could also be AES in the future, see #7038.
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Functions called: `setup`, `setkey`, `crypt`.
+* CTR\_DRBG:
+ * AES in ECB mode, encrypt only.
+ * Currently using low-level non-generic API (`aes.h`).
+ * Unconditional dependency on `AES_C` in `check_config.h`.
+ * Functions called: `setkey_enc`, `crypt_ecb`.
+* CCM:
+ * AES, Camellia or Aria in ECB mode, encrypt only.
+ * Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Note: also called by `cipher.c` if enabled.
+ * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* CMAC:
+ * AES or DES in ECB mode, encrypt only.
+ * Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Note: also called by `cipher.c` if enabled.
+ * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* GCM:
+ * AES, Camellia or Aria in ECB mode, encrypt only.
+ * Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Note: also called by `cipher.c` if enabled.
+ * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* NIST\_KW:
+ * AES in ECB mode, both encryt and decrypt.
+ * Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
+ * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+ * Note: also called by `cipher.c` if enabled.
+ * Note: `cipher.h` exposed through API.
+ * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* Cipher:
+ * potentially any cipher/AEAD in any mode and any direction
+
+Note: PSA cipher is built on Cipher, but PSA AEAD directly calls the underlying AEAD modules (GCM, CCM, ChachaPoly).
### Difficulties
@@ -263,12 +319,72 @@ These problems are easily solvable.
* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
* We can optimize `md.c` without making API changes to `md.h`.
+### Scope reductions and priorities for 3.x
+
+This section documents things that we chose to temporarily exclude from the scope in the 3.x branch (which will eventually be in scope again after 4.0) as well as things we chose to prioritize if we don't have time to support everything.
+
+#### Don't support PK, X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`
+
+We do not need to support driver-only hashes and ciphers in PK. X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`. Users who want to take full advantage of drivers will need to enabled this macro.
+
+Note that this applies to TLS 1.3 as well, as some uses of hashes and all uses of ciphers there are common with TLS 1.2, hence governed by `MBEDTLS_USE_PSA_CRYPTO`, see [this macro's extended documentation](../../docs/use-psa-crypto.html).
+
+This will go away naturally in 4.0 when this macros is not longer an option (because it's always on).
+
+#### Don't support for `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`
+
+We generally don't really support builds with `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`. For example, both `MBEDTLS_USE_PSA_CRYPTO` and `MBEDTLS_SSL_PROTO_TLS1_3` require `MBEDTLS_PSA_CRYPTO_C`, while in principle they should only require `MBEDTLS_PSA_CRYPTO_CLIENT`.
+
+Considering this existing restriction which we do not plan to lift before 4.0, it is acceptable driver-only hashes and cipher support to have the same restriction in 3.x.
+
+It is however desirable for the design to keep support for `MBEDTLS_PSA_CRYPTO_CLIENT` in mind, in order to avoid making it more difficult to add in the future.
+
+#### For cipher: prioritize constrained devices and modern TLS
+
+The primary target is a configuration like TF-M's medium profile, plus TLS with only AEAD ciphersuites.
+
+This excludes things like:
+- Support for encrypted PEM, PKCS5 and PKCS12 encryption, and PKCS8 encrypted keys in PK parse. (Not widely used on highly constrained devices.)
+- Support for NIST-KW. (Same justification.)
+- Support for CMAC. (Same justification, plus can be directly accelerated.)
+- Support for CBC ciphersuites in TLS. (They've been recommended against for a while now.)
+
+### Dual-dispatch for block cipher primitives
+
+Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All three of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
+
+The two AEAD modes, GCM and CCM, have very similar needs and positions in the stack, strongly suggesting using the same design for both. On the other hand, there are a number of differences between CTR-DRBG and them.
+- CTR-DRBG only uses AES (and there is no plan to extend it to other block ciphers at the moment), while GCM and CCM need to work with 3 block ciphers already.
+- CTR-DRBG holds a special position in the stack: most users don't care about it per se, they only care about getting random numbers - in fact PSA users don't even need to know what DRBG is used. In particular, no part of the stack is asking questions like "is CTR-DRBG-AES available?" - an RNG needs to be available and that's it - contrary to similar questions about AES-GCM etc. which are asked for example by TLS.
+
+So, it makes sense to use different designs for CTR-DRBG on one hand, and GCM/CCM on the other hand:
+- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA if not.
+- GCM and CCM need an common abstraction layer that allows:
+ - Using AES, Aria or Camellia in a uniform way.
+ - Dispatching to built-in or driver.
+
+The abstraction layer used by GCM and CCM may either be a new internal module, or a subset of the existing Cipher API, extended with the ability to dispatch to a PSA driver.
+
+Reasons for making this layer's API a subset of the existing Cipher API:
+- No need to design, implement and test a new module. (Will need to test the new subset though, as well as the extended behaviour.)
+- No code change in GCM and CCM - only need to update dependencies.
+- No risk for code duplication between a potential new module and Cipher: source-level, and in in particular in builds that still have `CIPHER_C` enabled. (Compiled-code duplication could be avoided by excluding the new module in such builds, though.)
+- If want to support other users of Cipher later (such as NIST-KW, CMAC, PKCS5 and PKCS12), we can just extend dual-dispatch support to other modes/operations in Cipher and keep those extra modules unchanged as well.
+
+Possible costs of re-using (a subset of) the existing Cipher API instead of defining a new one:
+- We carry over costs associated with `cipher_info_t` structures. (Currently the info structure is used for 3 things: (1) to check if the cipher is supported, (2) to check its block size, (3) because `setup()` requires it).
+- We carry over questionable implementation decisions, like dynamic allocation of context.
+
+Those costs could be avoided by refactoring (parts of) Cipher, but that would probably mean either:
+- significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
+- or more work to apply the simplifications to all of Cipher.
+
+Prototyping both approaches showed better code size savings and cleaner code with a new internal module (see section "Internal "block cipher" abstraction (Cipher light)" below).
+
## Specification
### MD light
-https://github.com/Mbed-TLS/mbedtls/pull/6474 implements part of this specification, but it's based on Mbed TLS 3.2, so it needs to be rewritten for 3.3.
-
#### Definition of MD light
MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
@@ -378,7 +494,7 @@ int psa_can_do_hash(psa_algorithm_t hash_alg);
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
-As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
+As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
@@ -398,31 +514,7 @@ Note that this assumes that an operation that has been started via PSA can be co
#### Error code conversion
-After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code. This function is currently defined in `hash_info.c`.
-
-### Migration to MD light
-
-#### Migration of modules that used to call MD and now do the legacy-or-PSA dance
-
-Get rid of the case where `MBEDTLS_MD_C` is undefined. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of modules that used to call a low-level hash module and now do the legacy-or-PSA dance
-
-Switch to calling MD (light) unconditionally. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of modules that call a low-level hash module
-
-Switch to calling MD (light). Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of use-PSA mixed code
-
-Instead of calling `hash_info.h` functions to obtain metadata, get it from `md.h`.
-
-Optionally, code that currently tests on `MBEDTLS_USE_PSA_CRYPTO` just to determine whether to call MD or PSA to calculate hashes can switch to just having the MD variant.
-
-#### Remove `legacy_or_psa.h`
-
-It's no longer used.
+After calling a PSA function, MD light calls `mbedtls_md_error_from_psa` to convert its status code.
### Support all legacy algorithms in PSA
@@ -461,10 +553,6 @@ static inline psa_algorithm_t psa_alg_of_md_info(
Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
-#### Get rid of the hash_info module
-
-The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used.
-
#### Unify HMAC with PSA
PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
@@ -477,3 +565,52 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
+
+### Internal "block cipher" abstraction (previously known as "Cipher light")
+
+#### Definition
+
+The new module is automatically enabled in `config_adjust_legacy_crypto.h` by modules that need
+it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
+is needed for PSA dispatch (see next section). Note: CCM and GCM currently
+depend on the full `CIPHER_C` (enforced by `check_config.h`); this hard
+dependency would be replaced by the above auto-enablement.
+
+The following API functions are offered:
+```
+void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx);
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+ mbedtls_cipher_id_t cipher_id);
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char *key,
+ unsigned key_bitlen);
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char input[16],
+ unsigned char output[16]);
+```
+
+The only supported ciphers are AES, ARIA and Camellia. They are identified by
+an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
+identifed by callers (GCM/CCM).
+
+#### Block cipher dual dispatch
+
+Support for dual dispatch in the new internal module `block_cipher` is extremely similar to that in MD light.
+
+A block cipher context contains either a legacy module's context (AES, ARIA, Camellia) or a PSA key identifier; it has a field indicating which one is in use. All fields are private.
+
+The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
+
+Support is determined at runtime using the new internal function
+```
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
+```
+
+The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA. As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
+
+Each function in the module needs to know whether to dispatch via PSA or legacy. All functions consult the context's `engine` field, except `setup()` which will set it according to the key type and the return value of `psa_can_do_cipher()` as discussed above.
+
+Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress.
+
+After calling a PSA function, `block_cipher` functions call `mbedtls_cipher_error_from_psa` to convert its status code.
diff --git a/docs/architecture/psa-migration/outcome-analysis.sh b/docs/architecture/psa-migration/outcome-analysis.sh
index 1805a3c..bbcdffd 100755
--- a/docs/architecture/psa-migration/outcome-analysis.sh
+++ b/docs/architecture/psa-migration/outcome-analysis.sh
@@ -27,7 +27,7 @@ set -eu
cleanup() {
make clean
- git checkout -- include/mbedtls/mbedtls_config.h include/psa/crypto_config.h
+ git checkout -- include/mbedtls/mbedtls_config.h tf-psa-crypto/include/psa/crypto_config.h
}
record() {
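Review bot: In `cleanup()`, `make clean` still runs before the `git checkout --` that restores the two config headers, and the hunk header shows the script running under `set -eu`. Unless `cleanup` is called from a context where `-e` is suppressed (the call sites are outside this hunk), a failing `make clean` would presumably end the script with the modified `include/mbedtls/mbedtls_config.h` and `tf-psa-crypto/include/psa/crypto_config.h` left in the working tree. Restoring the headers first, or using `make clean || true`, would keep a later build from silently using the analysis configuration instead of the committed one. A comment above the checkout such as `# Discards any uncommitted edits to these two config headers` would also help, since `git checkout --` overwrites local changes without warning. `record()` only begins on the last line of the hunk; its body is outside it.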
diff --git a/docs/architecture/psa-migration/psa-legacy-bridges.md b/docs/architecture/psa-migration/psa-legacy-bridges.md
new file mode 100644
index 0000000..912344e
--- /dev/null
+++ b/docs/architecture/psa-migration/psa-legacy-bridges.md
@@ -0,0 +1,344 @@
+Bridges between legacy and PSA crypto APIs
+==========================================
+
+## Introduction
+
+### Goal of this document
+
+This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design).
+
+This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic.
+
+### Keywords
+
+* [TODO] A part of the analysis that isn't finished.
+* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions.
+* [ACTION] A finalized part of the design that will need to be carried out.
+
+### Context
+
+Mbed TLS 3.x supports two cryptographic APIs:
+
+* The legacy API `mbedtls_xxx` is inherited from PolarSSL.
+* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17.
+
+Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed.
+
+In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”.
+
+### Document history
+
+This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0.
+
+## Requirements
+
+### Why mix APIs?
+
+There is functionality that is tied to one API and is not directly available in the other API:
+
+* Only PSA fully supports PSA accelerators and secure element integration.
+* Only PSA supports isolating cryptographic material in a secure service.
+* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys.
+
+The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope.
+
+In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace.
+
+### Where mixing happens
+
+Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs.
+
+Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs:
+
+* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc.
+* Key management: parsing, generating, deriving and formatting cryptographic keys.
+* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures.
+* Cryptographic operations: hash, sign, encrypt, etc.
+
+From this, we deduce the following requirements:
+
+* Convert between PSA and legacy metadata.
+* Creating a key with the legacy API and consuming it in the PSA API.
+* Creating a key with the PSA API and consuming it in the legacy API.
+* Manipulating data formats, other than keys, where the PSA API is lacking.
+
+### Scope limitations
+
+The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study.
+
+With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs.
+
+## Gap analysis
+
+The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases:
+
+* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys.
+* To convert between data representations used by legacy APIs and data representations used by PSA APIs.
+
+Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms.
+
+### Generic metadata gaps
+
+#### Need for error code conversion
+
+Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use.
+
+Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case.
+
+Conclusion: no need for public error code conversion functions.
+
+### Hash gap analysis
+
+Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm.
+
+Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations.
+
+Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers.
+
+### MAC gap analysis
+
+[TODO]
+
+### Cipher and AEAD gap analysis
+
+[TODO]
+
+### Key derivation gap analysis
+
+[TODO]
+
+### Random generation gap analysis
+
+[TODO]
+
+### Asymmetric cryptography gap analysis
+
+#### Asymmetric cryptography metadata
+
+The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module.
+
+An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
+
+* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption.
+* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
+
+ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve.
+
+Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are:
+
+* Selecting an **elliptic curve**.
+
+ This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`.
+
+ This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)).
+
+* Selecting A **DHM group**.
+
+ PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA.
+
+* Simultaneously supporting **a key type and an algorithm**.
+
+ On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function.
+
+ On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions.
+
+#### Using a legacy key pair or public key with PSA
+
+There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`).
+
+Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key:
+
+* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions.
+* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent.
+* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet.
+
+Reasons for needing a PSA key object:
+
+* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.)
+* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.)
+
+Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below.
+
+#### Using a PSA key as a PK context
+
+There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents.
+
+There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations:
+
+* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded.
+* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object.
+* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API.
+
+It therefore appears that we need two ways to “convert” a PSA key to PK:
+
+* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality.
+* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object.
+
+Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable.
+
+After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better.
+
+#### Signature formats
+
+The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format.
+
+* For RSA, the formats are the same.
+* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s).
+
+Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly.
+
+There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain.
+
+Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage.
+
+For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature.
+
+#### Asymmetric cryptography TODO
+
+[TODO] Other gaps?
+
+## New APIs
+
+This section presents new APIs to implement based on the [gap analysis](#gap-analysis).
+
+### General notes
+
+Each action to implement a function entails:
+
+* Implement the library function.
+* Document it precisely, including error conditions.
+* Unit-test it.
+* Mention it where relevant in the PSA transition guide.
+
+### Hash APIs
+
+Based on the [gap analysis](#hash-gap-analysis):
+
+[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`.
+
+### MAC APIs
+
+[TODO]
+
+### Cipher and AEAD APIs
+
+[TODO]
+
+### Key derivation APIs
+
+[TODO]
+
+### Random generation APIs
+
+[TODO]
+
+### Asymmetric cryptography APIs
+
+#### Asymmetric cryptography metadata APIs
+
+Based on the [gap analysis](#asymmetric-cryptography-metadata):
+
+* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis).
+* No further work is needed about ECC specifically. We have just added adequate functions.
+* No further work is needed about DHM specifically. There is no good way to translate the relevant information.
+* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm.
+ Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job.
+
+#### API to create a PSA key from a PK context
+
+Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
+
+Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy.
+
+When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories:
+
+* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input.
+* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage.
+* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location.
+
+To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy.
+
+This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases.
+
+[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`.
+
+```
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_flags_t usage,
+ psa_key_attributes_t *attributes);
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id);
+```
+
+* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
+ * [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes.
+* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context.
+ * The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error.
+* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible:
+ * `EXPORT` and `COPY` are always set.
+ * If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`.
+ * If `DECRYPT` is set then so is `ENCRYPT`.
+ * It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
+* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage.
+ * For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.)
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`.
+ * For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`.
+ * For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed.
+ * Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key.
+* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
+ * The key type can be a public key even if the private key is available.
+* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks.
+* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user.
+
+#### API to copy a PSA key to a PK context
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below.
+
+```
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk);
+```
+
+* `pk` must be initialized, but not set up.
+* It is an error if the key is neither a key pair nor a public key.
+* It is an error if the key is not exportable.
+* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse).
+* Once this function returns, the pk object is completely independent of the PSA key.
+* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`).
+ * For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today.
+ * For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode.
+ * The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation.
+
+#### API to create a PK object that wraps a PSA key
+
+Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
+
+[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`.
+
+[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly.
+
+[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`?
+
+#### API to convert between signature formats
+
+Based on the [gap analysis](#signature-formats):
+
+[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below.
+
+```
+int mbedtls_ecdsa_raw_to_der(size_t bits,
+ const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len);
+int mbedtls_ecdsa_der_to_raw(size_t bits,
+ const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len);
+```
+
+* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`.
+* The input and output buffers can overlap.
+* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is redundant in the raw-to-DER direction, but we have it anyway because [it helps catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971), and it isn't a burden on the caller because the information is readily available in practice.
+* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015).
diff --git a/docs/architecture/psa-migration/syms.sh b/docs/architecture/psa-migration/syms.sh
index 1e1ec8c..6c9686e 100755
--- a/docs/architecture/psa-migration/syms.sh
+++ b/docs/architecture/psa-migration/syms.sh
@@ -1,19 +1,7 @@
#!/bin/sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/docs/architecture/psa-shared-memory.md b/docs/architecture/psa-shared-memory.md
new file mode 100644
index 0000000..283ffc6
--- /dev/null
+++ b/docs/architecture/psa-shared-memory.md
@@ -0,0 +1,685 @@
+PSA API functions and shared memory
+===================================
+
+## Introduction
+
+This document discusses the security architecture of systems where PSA API functions might receive arguments that are in memory that is shared with an untrusted process. On such systems, the untrusted process might access a shared memory buffer while the cryptography library is using it, and thus cause unexpected behavior in the cryptography code.
+
+### Core assumptions
+
+We assume the following scope limitations:
+
+* Only PSA Crypto API functions are in scope (including Mbed TLS extensions to the official API specification). Legacy crypto, X.509, TLS, or any other function which is not called `psa_xxx` is out of scope.
+* We only consider [input buffers](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#input-buffer-sizes) and [output buffers](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#output-buffer-sizes). Any other data is assumed to be in non-shared memory.
+
+## System architecture discussion
+
+### Architecture overview
+
+We consider a system that has memory separation between partitions: a partition can't access another partition's memory directly. Partitions are meant to be isolated from each other: a partition may only affect the integrity of another partition via well-defined system interfaces. For example, this can be a Unix/POSIX-like system that isolates processes, or isolation between the secure world and the non-secure world relying on a mechanism such as TrustZone, or isolation between secure-world applications on such a system.
+
+More precisely, we consider such a system where our PSA Crypto implementation is running inside one partition, called the **crypto service**. The crypto service receives remote procedure calls (RPC) from other partitions, validates their arguments (e.g. validation of key identifier ownership), and calls a PSA Crypto API function. This document is concerned with environments where the arguments passed to a PSA Crypto API function may be in shared memory (as opposed to environments where the inputs are always copied into memory that is solely accessible by the crypto service before calling the API function, and likewise with output buffers after the function returns).
+
+When the data is accessible to another partition, there is a risk that this other partition will access it while the crypto implementation is working. Although this could be prevented by suspending the whole system while crypto is working, such a limitation is rarely desirable and most systems don't offer a way to do it. (Even systems that have absolute thread priorities, and where crypto has a higher priority than any untrusted partition, may be vulnerable due to having multiple cores or asynchronous data transfers with peripherals.)
+
+The crypto service must guarantee that it behaves as if the rest of the world was suspended while it is executed. A behavior that is only possible if an untrusted entity accesses a buffer while the crypto service is processing the data is a security violation.
+
+### Risks and vulnerabilities
+
+We consider a security architecture with two or three entities:
+
+* a crypto service, which offers PSA crypto API calls over RPC (remote procedure call) using shared memory for some input or output arguments;
+* a client of the crypto service, which makes a RPC to the crypto service;
+* in some scenarios, a client of the client, which makes a RPC to the crypto client which re-shares the memory with the crypto service.
+
+The behavior of RPC is defined for in terms of values of inputs and outputs. This models an ideal world where the content of input and output buffers is not accessible outside the crypto service while it is processing an RPC. It is a security violation if the crypto service behaves in a way that cannot be achieved by setting the inputs before the RPC call, and reading the outputs after the RPC call is finished.
+
+#### Read-read inconsistency
+
+If an input argument is in shared memory, there is a risk of a **read-read inconsistency**:
+
+1. The crypto code reads part of the input and validates it, or injects it into a calculation.
+2. The client (or client's client) modifies the input.
+3. The crypto code reads the same part again, and performs an action which would be impossible if the input had had the same value all along.
+
+Vulnerability example (parsing): suppose the input contains data with a type-length-value or length-value encoding (for example, importing an RSA key). The crypto code reads the length field and checks that it fits within the buffer. (This could be the length of the overall data, or the length of an embedded field) Later, the crypto code reads the length again and uses it without validation. A malicious client can modify the length field in the shared memory between the two reads and thus cause a buffer overread on the second read.
+
+Vulnerability example (dual processing): consider an RPC to perform authenticated encryption, using a mechanism with an encrypt-and-MAC structure. The authenticated encryption implementation separately calculates the ciphertext and the MAC from the plaintext. A client sets the plaintext input to `"PPPP"`, then starts the RPC call, then changes the input buffer to `"QQQQ"` while the crypto service is working.
+
+* Any of `enc("PPPP")+mac("PPPP")`, `enc("PPQQ")+mac("PPQQ")` or `enc("QQQQ")+mac("QQQQ")` are valid outputs: they are outputs that can be produced by this authenticated encryption RPC.
+* If the authenticated encryption calculates the ciphertext before the client changes the output buffer and calculates the MAC after that change, reading the input buffer again each time, the output will be `enc("PPPP")+mac("QQQQ")`. There is no input that can lead to this output, hence this behavior violates the security guarantees of the crypto service.
+
+#### Write-read inconsistency
+
+If an output argument is in shared memory, there is a risk of a **write-read inconsistency**:
+
+1. The crypto code writes some intermediate data into the output buffer.
+2. The client (or client's client) modifies the intermediate data.
+3. The crypto code reads the intermediate data back and continues the calculation, leading to an outcome that would not be possible if the intermediate data had not been modified.
+
+Vulnerability example: suppose that an RSA signature function works by formatting the data in place in the output buffer, then applying the RSA private-key operation in place. (This is how `mbedtls_rsa_pkcs1_sign` works.) A malicious client may write badly formatted data into the buffer, so that the private-key operation is not a valid signature (e.g. it could be a decryption), violating the RSA key's usage policy.
+
+Vulnerability example with chained calls: we consider the same RSA signature operation as before. In this example, we additionally assume that the data to sign comes from an attestation application which signs some data on behalf of a final client: the key and the data to sign are under the attestation application's control, and the final client must not be able to obtain arbitrary signatures. The final client shares an output buffer for the signature with the attestation application, and the attestation application re-shares this buffer with the crypto service. A malicious final client can modify the intermediate data and thus sign arbitrary data.
+
+#### Write-write disclosure
+
+If an output argument is in shared memory, there is a risk of a **write-write disclosure**:
+
+1. The crypto code writes some intermediate data into the output buffer. This intermediate data must remain confidential.
+2. The client (or client's client) reads the intermediate data.
+3. The crypto code overwrites the intermediate data.
+
+Vulnerability example with chained calls (temporary exposure): an application encrypts some data, and lets its clients store the ciphertext. Clients may not have access to the plaintext. To save memory, when it calls the crypto service, it passes an output buffer that is in the final client's memory. Suppose the encryption mechanism works by copying its input to the output buffer then encrypting in place (for example, to simplify considerations related to overlap, or because the implementation relies on a low-level API that works in place). In this scenario, the plaintext is exposed to the final client while the encryption in progress, which violates the confidentiality of the plaintext.
+
+Vulnerability example with chained calls (backtrack): we consider a provisioning application that provides a data encryption service on behalf of multiple clients, using a single shared key. Clients are not allowed to access each other's data. The provisioning application isolates clients by including the client identity in the associated data. Suppose that an AEAD decryption function processes the ciphertext incrementally by simultaneously writing the plaintext to the output buffer and calculating the tag. (This is how AEAD decryption usually works.) At the end, if the tag is wrong, the decryption function wipes the output buffer. Assume that the output buffer for the plaintext is shared from the client to the provisioning application, which re-shares it with the crypto service. A malicious client can read another client (the victim)'s encrypted data by passing the ciphertext to the provisioning application, which will attempt to decrypt it with associated data identifying the requesting client. Although the operation will fail beacuse the tag is wrong, the malicious client still reads the victim plaintext.
+
+#### Write-read feedback
+
+If a function both has an input argument and an output argument in shared memory, and processes its input incrementally to emit output incrementally, the following sequence of events is possible:
+
+1. The crypto code processes part of the input and writes the corresponding part of the output.
+2. The client reads the early output and uses that to calculate the next part of the input.
+3. The crypto code processes the rest of the input.
+
+There are cryptographic mechanisms for which this breaks security properties. An example is [CBC encryption](https://link.springer.com/content/pdf/10.1007/3-540-45708-9_2.pdf): if the client can choose the content of a plaintext block after seeing the immediately preceding ciphertext block, this gives the client a decryption oracle. This is a security violation if the key policy only allowed the client to encrypt, not to decrypt.
+
+TODO: is this a risk we want to take into account? Although this extends the possible behaviors of the one-shot interface, the client can do the same thing legitimately with the multipart interface.
+
+### Possible countermeasures
+
+In this section, we briefly discuss generic countermeasures.
+
+#### Copying
+
+Copying is a valid countermeasure. It is conceptually simple. However, it is often unattractive because it requires additional memory and time.
+
+Note that although copying is very easy to write into a program, there is a risk that a compiler (especially with whole-program optimization) may optimize the copy away, if it does not understand that copies between shared memory and non-shared memory are semantically meaningful.
+
+Example: the PSA Firmware Framework 1.0 forbids shared memory between partitions. This restriction is lifted in version 1.1 due to concerns over RAM usage.
+
+#### Careful accesses
+
+The following rules guarantee that shared memory cannot result in a security violation other than [write-read feedback](#write-read-feedback):
+
+* Never read the same input twice at the same index.
+* Never read back from an output.
+* Never write to the output twice at the same index.
+ * This rule can usefully be relaxed in many circumstances. It is ok to write data that is independent of the inputs (and not otherwise confidential), then overwrite it. For example, it is ok to zero the output buffer before starting to process the input.
+
+These rules are very difficult to enforce.
+
+Example: these are the rules that a GlobalPlatform TEE Trusted Application (application running on the secure side of TrustZone on Cortex-A) must follow.
+
+## Protection requirements
+
+### Responsibility for protection
+
+A call to a crypto service to perform a crypto operation involves the following components:
+
+1. The remote procedure call framework provided by the operating system.
+2. The code of the crypto service.
+3. The code of the PSA Crypto dispatch layer (also known as the core), which is provided by Mbed TLS.
+4. The driver implementing the cryptographic mechanism, which may be provided by Mbed TLS (built-in driver) or by a third-party driver.
+
+The [PSA Crypto API specification](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#stability-of-parameters) puts the responsibility for protection on the implementation of the PSA Crypto API, i.e. (3) or (4).
+
+> In an environment with multiple threads or with shared memory, the implementation carefully accesses non-overlapping buffer parameters in order to prevent any security risk resulting from the content of the buffer being modified or observed during the execution of the function. (...)
+
+In Mbed TLS 2.x and 3.x up to and including 3.5.0, there is no defense against buffers in shared memory. The responsibility shifts to (1) or (2), but this is not documented.
+
+In the remainder of this chapter, we will discuss how to implement this high-level requirement where it belongs: inside the implementation of the PSA Crypto API. Note that this allows two possible levels: in the dispatch layer (independently of the implementation of each mechanism) or in the driver (specific to each implementation).
+
+#### Protection in the dispatch layer
+
+The dispatch layer has no control over how the driver layer will access buffers. Therefore the only possible protection at this layer method is to ensure that drivers have no access to shared memory. This means that any buffer located in shared memory must be copied into or out of a buffer in memory owned by the crypto service (heap or stack). This adds inefficiency, mostly in terms of RAM usage.
+
+For buffers with a small static size limit, this is something we often do for convenience, especially with output buffers. However, as of Mbed TLS 3.5.0, it is not done systematically.
+
+It is ok to skip the copy if it is known for sure that a buffer is not in shared memory. However, the location of the buffer is not under the control of Mbed TLS. This means skipping the copy would have to be a compile-time or run-time option which has to be set by the application using Mbed TLS. This is both an additional maintenance cost (more code to analyze, more testing burden), and a residual security risk in case the party who is responsible for setting this option does not set it correctly. As a consequence, Mbed TLS will not offer this configurability unless there is a compelling argument.
+
+#### Protection in the driver layer
+
+Putting the responsibility for protection in the driver layer increases the overall amount of work since there are more driver implementations than dispatch implementations. (This is true even inside Mbed TLS: almost all API functions have multiple underlying implementations, one for each algorithm.) It also increases the risk to the ecosystem since some drivers might not protect correctly. Therefore having drivers be responsible for protection is only a good choice if there is a definite benefit to it, compared to allocating an internal buffer and copying. An expected benefit in some cases is that there are practical protection methods other than copying.
+
+Some cryptographic mechanisms are naturally implemented by processing the input in a single pass, with a low risk of ever reading the same byte twice, and by writing the final output directly into the output buffer. For such mechanism, it is sensible to mandate that drivers respect these rules.
+
+In the next section, we will analyze how susceptible various cryptographic mechanisms are to shared memory vulnerabilities.
+
+### Susceptibility of different mechanisms
+
+#### Operations involving small buffers
+
+For operations involving **small buffers**, the cost of copying is low. For many of those, the risk of not copying is high:
+
+* Any parsing of formatted data has a high risk of [read-read inconsistency](#read-read-inconsistency).
+* An internal review shows that for RSA operations, it is natural for an implementation to have a [write-read inconsistency](#write-read-inconsistency) or a [write-write disclosure](#write-write-disclosure).
+
+Note that in this context, a “small buffer” is one with a size limit that is known at compile time, and small enough that copying the data is not prohibitive. For example, an RSA key fits in a small buffer. A hash input is not a small buffer, even if it happens to be only a few bytes long in one particular call.
+
+The following buffers are considered small buffers:
+
+* Any input or output directly related to asymmetric cryptography (signature, encryption/decryption, key exchange, PAKE), including key import and export.
+ * Note that this does not include inputs or outputs that are not processed by an asymmetric primitives, for example the message input to `psa_sign_message` or `psa_verify_message`.
+* Cooked key derivation output.
+* The output of a hash or MAC operation.
+
+**Design decision: the dispatch layer shall copy all small buffers**.
+
+#### Symmetric cryptography inputs with small output
+
+Message inputs to hash, MAC and key derivation operations are at a low risk of [read-read inconsistency](#read-read-inconsistency) because they are unformatted data, and for all specified algorithms, it is natural to process the input one byte at a time.
+
+**Design decision: require symmetric cryptography drivers to read their input without a risk of read-read inconsistency**.
+
+TODO: what about IV/nonce inputs? They are typically small, but don't necessarily have a static size limit (e.g. GCM recommends a 12-byte nonce, but also allows large nonces).
+
+#### Key derivation outputs
+
+Key derivation typically emits its output as a stream, with no error condition detected after setup other than operational failures (e.g. communication failure with an accelerator) or running out of data to emit (which can easily be checked before emitting any data, since the data size is known in advance).
+
+(Note that this is about raw byte output, not about cooked key derivation, i.e. deriving a structured key, which is considered a [small buffer](#operations-involving-small-buffers).)
+
+**Design decision: require key derivation drivers to emit their output without reading back from the output buffer**.
+
+#### Cipher and AEAD
+
+AEAD decryption is at risk of [write-write disclosure](#write-write-disclosure) when the tag does not match.
+
+AEAD encryption and decryption are at risk of [read-read inconsistency](#read-read-inconsistency) if they process the input multiple times, which is natural in a number of cases:
+
+* when encrypting with an encrypt-and-authenticate or authenticate-then-encrypt structure (one read to calculate the authentication tag and another read to encrypt);
+* when decrypting with an encrypt-then-authenticate structure (one read to decrypt and one read to calculate the authentication tag);
+* with SIV modes (not yet present in the PSA API, but likely to come one day) (one full pass to calculate the IV, then another full pass for the core authenticated encryption);
+
+Cipher and AEAD outputs are at risk of [write-read inconsistency](#write-read-inconsistency) and [write-write disclosure](#write-write-disclosure) if they are implemented by copying the input into the output buffer with `memmove`, then processing the data in place. In particular, this approach makes it easy to fully support overlapping, since `memmove` will take care of overlapping cases correctly, which is otherwise hard to do portably (C99 does not offer an efficient, portable way to check whether two buffers overlap).
+
+**Design decision: the dispatch layer shall allocate an intermediate buffer for cipher and AEAD plaintext/ciphertext inputs and outputs**.
+
+Note that this can be a single buffer for the input and the output if the driver supports in-place operation (which it is supposed to, since it is supposed to support arbitrary overlap, although this is not always the case in Mbed TLS, a [known issue](https://github.com/Mbed-TLS/mbedtls/issues/3266)). A side benefit of doing this intermediate copy is that overlap will be supported.
+
+For all currently implemented AEAD modes, the associated data is only processed once to calculate an intermediate value of the authentication tag.
+
+**Design decision: for now, require AEAD drivers to read the additional data without a risk of read-read inconsistency**. Make a note to revisit this when we start supporting an SIV mode, at which point the dispatch layer shall copy the input for modes that are not known to be low-risk.
+
+#### Message signature
+
+For signature algorithms with a hash-and-sign framework, the input to sign/verify-message is passed to a hash, and thus can follow the same rules as [symmetric cryptography inputs with small output](#symmetric-cryptography-inputs-with-small-output). This is also true for `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`, which is the only non-hash-and-sign signature mechanism implemented in Mbed TLS 3.5. This is not true for PureEdDSA (`#PSA_ALG_PURE_EDDSA`), which is not yet implemented: [PureEdDSA signature](https://www.rfc-editor.org/rfc/rfc8032#section-5.1.6) processes the message twice. (However, PureEdDSA verification only processes the message once.)
+
+**Design decision: for now, require sign/verify-message drivers to read their input without a risk of read-read inconsistency**. Make a note to revisit this when we start supporting PureEdDSA, at which point the dispatch layer shall copy the input for algorithms such as PureEdDSA that are not known to be low-risk.
+
+## Design of shared memory protection
+
+This section explains how Mbed TLS implements the shared memory protection strategy summarized below.
+
+### Shared memory protection strategy
+
+* The core (dispatch layer) shall make a copy of the following buffers, so that drivers do not receive arguments that are in shared memory:
+ * Any input or output from asymmetric cryptography (signature, encryption/decryption, key exchange, PAKE), including key import and export.
+ * Plaintext/ciphertext inputs and outputs for cipher and AEAD.
+ * The output of a hash or MAC operation.
+ * Cooked key derivation output.
+
+* A document shall explain the requirements on drivers for arguments whose access needs to be protected:
+ * Hash and MAC input.
+ * Cipher/AEAD IV/nonce (to be confirmed).
+ * AEAD associated data (to be confirmed).
+ * Key derivation input (excluding key agreement).
+ * Raw key derivation output (excluding cooked key derivation output).
+
+* The built-in implementations of cryptographic mechanisms with arguments whose access needs to be protected shall protect those arguments.
+
+Justification: see “[Susceptibility of different mechanisms](#susceptibility-of-different-mechanisms)”.
+
+### Implementation of copying
+
+Copy what needs copying. This is broadly straightforward, however there are a few things to consider.
+
+#### Compiler optimization of copies
+
+It is unclear whether the compiler will attempt to optimize away copying operations.
+
+Once the copying code is implemented, it should be evaluated to see whether compiler optimization is a problem. Specifically, for the major compilers supported by Mbed TLS:
+* Write a small program that uses a PSA function which copies inputs or outputs.
+* Build the program with link-time optimization / full-program optimization enabled (e.g. `-flto` with `gcc`). Try also enabling the most extreme optimization options such as `-Ofast` (`gcc`) and `-Oz` (`clang`).
+* Inspect the generated code with `objdump` or a similar tool to see if copying operations are preserved.
+
+If copying behaviour is preserved by all major compilers then assume that compiler optimization is not a problem.
+
+If copying behaviour is optimized away by the compiler, further investigation is needed. Experiment with using the `volatile` keyword to force the compiler not to optimize accesses to the copied buffers. If the `volatile` keyword is not sufficient, we may be able to use compiler or target-specific techniques to prevent optimization, for example memory barriers or empty `asm` blocks. These may be implemented and verified for important platforms while retaining a C implementation that is likely to be correct on most platforms as a fallback - the same approach taken by the constant-time module.
+
+**Open questions: Will the compiler optimize away copies? If so, can it be prevented from doing so in a portable way?**
+
+#### Copying code
+
+We may either copy buffers on an ad-hoc basis using `memcpy()` in each PSA function, or use a unified set of functions for copying input and output data. The advantages of the latter are obvious:
+
+* Any test hooks need only be added in one place.
+* Copying code must only be reviewed for correctness in one place, rather than in all functions where it occurs.
+* Copy bypass is simpler as we can just replace these functions with no-ops in a single place.
+* Any complexity needed to prevent the compiler optimizing copies away does not have to be duplicated.
+
+On the other hand, the only advantage of ad-hoc copying is slightly greater flexibility.
+
+**Design decision: Create a unified set of functions for copying input and output data.**
+
+#### Copying in multipart APIs
+
+Multipart APIs may follow one of 2 possible approaches for copying of input:
+
+##### 1. Allocate a buffer and copy input on each call to `update()`
+
+This is simple and mirrors the approach for one-shot APIs nicely. However, allocating memory in the middle of a multi-part operation is likely to be bad for performance. Multipart APIs are designed in part for systems that do not have time to perform an operation at once, so introducing poor performance may be a problem here.
+
+**Open question: Does memory allocation in `update()` cause a performance problem? If so, to what extent?**
+
+##### 2. Allocate a buffer at the start of the operation and subdivide calls to `update()`
+
+In this approach, input and output buffers are allocated at the start of the operation that are large enough to hold the expected average call to `update()`. When `update()` is called with larger buffers than these, the PSA API layer makes multiple calls to the driver, chopping the input into chunks of the temporary buffer size and filling the output from the results until the operation is finished.
+
+This would be more complicated than approach (1) and introduces some extra issues. For example, if one of the intermediate calls to the driver's `update()` returns an error, it is not possible for the driver's state to be rolled back to before the first call to `update()`. It is unclear how this could be solved.
+
+However, this approach would reduce memory usage in some cases and prevent memory allocation during an operation. Additionally, since the input and output buffers would be fixed-size it would be possible to allocate them statically, avoiding the need for any dynamic memory allocation at all.
+
+**Design decision: Initially use approach (1) and treat approach (2) as an optimization to be done if necessary.**
+
+### Validation of copying
+
+#### Validation of copying by review
+
+This is fairly self-explanatory. Review all functions that use shared memory and ensure that they each copy memory. This is the simplest strategy to implement but is less reliable than automated validation.
+
+#### Validation of copying with memory pools
+
+Proposed general idea: have tests where the test code calling API functions allocates memory in a certain pool, and code in the library allocates memory in a different pool. Test drivers check that needs-copying arguments are within the library pool, not within the test pool.
+
+#### Validation of copying by memory poisoning
+
+Proposed general idea: in test code, “poison” the memory area used by input and output parameters that must be copied. Poisoning means something that prevents accessing memory while it is poisoned. This could be via memory protection (allocate with `mmap` then disable access with `mprotect`), or some kind of poisoning for an analyzer such as MSan or Valgrind.
+
+In the library, the code that does the copying temporarily unpoisons the memory by calling a test hook.
+
+```c
+static void copy_to_user(void *copy_buffer, void *const input_buffer, size_t length) {
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (memory_poison_hook != NULL) {
+ memory_poison_hook(copy_buffer, length);
+ }
+#endif
+ memcpy(copy_buffer, input_buffer, length);
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (memory_unpoison_hook != NULL) {
+ memory_unpoison_hook(copy_buffer, length);
+ }
+#endif
+}
+```
+The reason to poison the memory before calling the library, rather than after the copy-in (and symmetrically for output buffers) is so that the test will fail if we forget to copy, or we copy the wrong thing. This would not be the case if we relied on the library's copy function to do the poisoning: that would only validate that the driver code does not access the memory on the condition that the copy is done as expected.
+
+##### Options for implementing poisoning
+
+There are several different ways that poisoning could be implemented:
+
+1. Using Valgrind's memcheck tool. Valgrind provides a macro `VALGRIND_MAKE_MEM_NO_ACCESS` that allows manual memory poisoning. Valgrind memory poisoning is already used for constant-flow testing in Mbed TLS.
+2. Using Memory Sanitizer (MSan), which allows us to mark memory as uninitialized. This is also used for constant-flow testing. It is suitable for input buffers only, since it allows us to detect when a poisoned buffer is read but not when it is written.
+3. Using Address Sanitizer (ASan). This provides `ASAN_POISON_MEMORY_REGION` which marks memory as inaccessible.
+4. Allocating buffers separate pages and calling `mprotect()` to set pages as inaccessible. This has the disadvantage that we will have to manually ensure that buffers sit in their own pages, which likely means making a copy.
+5. Filling buffers with random data, keeping a copy of the original. For input buffers, keep a copy of the original and copy it back once the PSA function returns. For output buffers, fill them with random data and keep a separate copy of it. In the memory poisoning hooks, compare the copy of random data with the original to ensure that the output buffer has not been written directly.
+
+Approach (2) is insufficient for the full testing we require as we need to be able to check both input and output buffers.
+
+Approach (5) is simple and requires no extra tooling. It is likely to have good performance as it does not use any sanitizers. However, it requires the memory poisoning test hooks to maintain extra copies of the buffers, which seems difficult to implement in practice. Additionally, it does not precisely test the property we want to validate, so we are relying on the tests to fail if given random data as input. It is possible (if unlikely) that the PSA function will access the poisoned buffer without causing the test to fail. This becomes more likely when we consider test cases that call PSA functions on incorrect inputs to check that the correct error is returned. For these reasons, this memory poisoning approach seems unsuitable.
+
+All three remaining approaches are suitable for our purposes. However, approach (4) is more complex than the other two. To implement it, we would need to allocate poisoned buffers in separate memory pages. They would require special handling and test code would likely have to be designed around this special handling.
+
+Meanwhile, approaches (1) and (3) are much more convenient. We are simply required to call a special macro on some buffer that was allocated by us and the sanitizer takes care of everything else. Of these two, ASan appears to have a limitation related to buffer alignment. From code comments quoted in [the documentation](https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning):
+
+> This function is not guaranteed to poison the whole region - it may poison only subregion of [addr, addr+size) due to ASan alignment restrictions.
+
+Specifically, ASan will round the buffer size down to 8 bytes before poisoning due to details of its implementation. For more information on this, see [Microsoft documentation of this feature](https://learn.microsoft.com/en-us/cpp/sanitizers/asan-runtime?view=msvc-170#alignment-requirements-for-addresssanitizer-poisoning).
+
+It should be possible to work around this by manually rounding buffer lengths up to the nearest multiple of 8 in the poisoning function, although it's remotely possible that this will cause other problems. Valgrind does not appear to have this limitation (unless Valgrind is simply more poorly documented). However, running tests under Valgrind causes a much greater slowdown compared with ASan. As a result, it would be beneficial to implement support for both Valgrind and ASan, to give the extra flexibility to choose either performance or accuracy as required. This should be simple as both have very similar memory poisoning interfaces.
+
+**Design decision: Implement memory poisoning tests with both Valgrind's memcheck and ASan manual poisoning.**
+
+##### Validation with new tests
+
+Validation with newly created tests would be simpler to implement than using existing tests, since the tests can be written to take into account memory poisoning. It is also possible to build such a testsuite using existing tests as a starting point - `mbedtls_test_psa_exercise_key` is a test helper that already exercises many PSA operations on a key. This would need to be extended to cover operations without keys (e.g. hashes) and multipart operations, but it provides a good base from which to build all of the required testing.
+
+Additionally, we can ensure that all functions are exercised by automatically generating test data files.
+
+##### Validation with existing tests
+
+An alternative approach would be to integrate memory poisoning validation with existing tests. This has two main advantages:
+
+* All of the tests are written already, potentially saving development time.
+* The code coverage of these tests is greater than would be achievable writing new tests from scratch. In practice this advantage is small as buffer copying will take place in the dispatch layer. The tests are therefore independent of the values of parameters passed to the driver, so extra coverage in these parameters does not gain anything.
+
+It may be possible to transparently implement memory poisoning so that existing tests can work without modification. This would be achieved by replacing the implementation of `malloc()` with one that allocates poisoned buffers. However, there are some difficulties with this:
+
+* Not all buffers allocated by tests are used as inputs and outputs to PSA functions being tested.
+* Those buffers that are inputs to a PSA function need to be unpoisoned right up until the function is called, so that they can be filled with input data.
+* Those buffers that are outputs from a PSA function need to be unpoisoned straight after the function returns, so that they can be read to check the output is correct.
+
+These issues may be solved by creating some kind of test wrapper around every PSA function call that poisons the memory. However, it is unclear how straightforward this will be in practice. If this is simple to achieve, the extra coverage and time saved on new tests will be a benefit. If not, writing new tests is the best strategy.
+
+**Design decision: Add memory poisoning transparently to existing tests.**
+
+#### Discussion of copying validation
+
+Of all discussed approaches, validation by memory poisoning appears as the best. This is because it:
+
+* Does not require complex linking against different versions of `malloc()` (as is the case with the memory pool approach).
+* Allows automated testing (unlike the review approach).
+
+**Design decision: Use a memory poisoning approach to validate copying.**
+
+### Shared memory protection requirements
+
+TODO: write document and reference it here.
+
+### Validation of careful access for built-in drivers
+
+For PSA functions whose inputs and outputs are not copied, it is important that we validate that the builtin drivers are correctly accessing their inputs and outputs so as not to cause a security issue. Specifically, we must check that each memory location in a shared buffer is not accessed more than once by a driver function. In this section we examine various possible methods for performing this validation.
+
+Note: We are focusing on read-read inconsistencies for now, as most of the cases where we aren't copying are inputs.
+
+#### Review
+
+As with validation of copying, the simplest method of validation we can implement is careful code review. This is the least desirable method of validation for several reasons:
+
+1. It is tedious for the reviewers.
+2. Reviewers are prone to make mistakes (especially when performing tedious tasks).
+3. It requires engineering time linear in the number of PSA functions to be tested.
+4. It cannot assure the quality of third-party drivers, whereas automated tests can be ported to any driver implementation in principle.
+
+If all other approaches turn out to be prohibitively difficult, code review exists as a fallback option. However, it should be understood that this is far from ideal.
+
+#### Tests using `mprotect()`
+
+Checking that a memory location is not accessed more than once may be achieved by using `mprotect()` on a Linux system to cause a segmentation fault whenever a memory access happens. Tests based on this approach are sketched below.
+
+##### Linux mprotect+ptrace
+
+Idea: call `mmap` to allocate memory for arguments and `mprotect` to deny or reenable access. Use `ptrace` from a parent process to react to SIGSEGV from a denied access. On SIGSEGV happening in the faulting region:
+
+1. Use `ptrace` to execute a `mprotect` system call in the child to enable access. TODO: How? `ptrace` can modify registers and memory in the child, which includes changing parameters of a syscall that's about to be executed, but not directly cause the child process to execute a syscall that it wasn't about to execute.
+2. Use `ptrace` with `PTRACE_SINGLESTEP` to re-execute the failed load/store instrution.
+3. Use `ptrace` to execute a `mprotect` system call in the child to disable access.
+4. Use `PTRACE_CONT` to resume the child execution.
+
+Record the addresses that are accessed. Mark the test as failed if the same address is read twice.
+
+##### Debugger + mprotect
+
+Idea: call `mmap` to allocate memory for arguments and `mprotect` to deny or reenable access. Use a debugger to handle SIGSEGV (Gdb: set signal catchpoint). If the segfault was due to accessing the protected region:
+
+1. Execute `mprotect` to allow access.
+2. Single-step the load/store instruction.
+3. Execute `mprotect` to disable access.
+4. Continue execution.
+
+Record the addresses that are accessed. Mark the test as failed if the same address is read twice. This part might be hard to do in the gdb language, so we may want to just log the addresses and then use a separate program to analyze the logs, or do the gdb tasks from Python.
+
+#### Instrumentation (Valgrind)
+
+An alternative approach is to use a dynamic instrumentation tool (the most obvious being Valgrind) to trace memory accesses and check that each of the important memory addresses is accessed no more than once.
+
+Valgrind has no tool specifically that checks the property that we are looking for. However, it is possible to generate a memory trace with Valgrind using the following:
+
+```
+valgrind --tool=lackey --trace-mem=yes --log-file=logfile ./myprogram
+```
+This will execute `myprogram` and dump a record of every memory access to `logfile`, with its address and data width. If `myprogram` is a test that does the following:
+
+1. Set up input and output buffers for a PSA function call.
+2. Leak the start and end address of each buffer via `print()`.
+3. Write data into the input buffer exactly once.
+4. Call the PSA function.
+5. Read data from the output buffer exactly once.
+
+Then it should be possible to parse the output from the program and from Valgrind and check that each location was accessed exactly twice: once by the program's setup and once by the PSA function.
+
+#### Fixed Virtual Platform testing
+
+It may be possible to measure double accesses by running tests on a Fixed Virtual Platform such as Corstone 310 ecosystem FVP, available [here](https://developer.arm.com/downloads/-/arm-ecosystem-fvps). There exists a pre-packaged example program for the Corstone 310 FVP available as part of the Open IoT SDK [here](https://git.gitlab.arm.com/iot/open-iot-sdk/examples/sdk-examples/-/tree/main/examples/mbedtls/cmsis-rtx/corstone-310) that could provide a starting point for a set of tests.
+
+Running on an FVP allows two approaches to careful-access testing:
+
+* Convenient scripted use of a debugger with [Iris](https://developer.arm.com/documentation/101196/latest/). This allows memory watchpoints to be set, perhaps more flexibly than with GDB.
+* Tracing of all memory accesses with [Tarmac Trace](https://developer.arm.com/documentation/100964/1123/Plug-ins-for-Fast-Models/TarmacTrace). To validate the single-access properties, the [processor memory access trace source](https://developer.arm.com/documentation/100964/1123/Plug-ins-for-Fast-Models/TarmacTrace/Processor-memory-access-trace) can be used to output all memory accesses happening on the FVP. This output can then be easily parsed and processed to ensure that the input and output buffers are accessed only once. The addresses of buffers can either be leaked by the program through printing to the serial port or set to fixed values in the FVP's linker script.
+
+#### Discussion of careful-access validation
+
+The best approach for validating the correctness of memory accesses is an open question that requires further investigation. To answer this question, each of the test strategies discussed above must be prototyped as follows:
+
+1. Take 1-2 days to create a basic prototype of a test that uses the approach.
+2. Document the prototype - write a short guide that can be followed to arrive at the same prototype.
+3. Evaluate the prototype according to its usefulness. The criteria of evaluation should include:
+ * Ease of implementation - Was the prototype simple to implement? Having implemented it, is it simple to extend it to do all of the required testing?
+ * Flexibility - Could the prototype be extended to cover other careful-access testing that may be needed in future?
+ * Performance - Does the test method perform well? Will it cause significant slowdown to CI jobs?
+ * Ease of reproduction - Does the prototype require a particular platform or tool to be set up? How easy would it be for an external user to run the prototype?
+ * Comprehensibility - Accounting for the lower code quality of a prototype, would developers unfamiliar with the tests based on the prototype be able to understand them easily?
+ * Portability - How well can this approach be ported to multiple platforms? This would allow us to ensure that there are no double-accesses due to a bug that only affects a specific target.
+
+Once each prototype is complete, choose the best approach to implement the careful-access testing. Implement tests using this approach for each of the PSA interfaces that require careful-access testing:
+
+* Hash
+* MAC
+* AEAD (additional data only)
+* Key derivation
+* Asymmetric signature (input only)
+
+##### New vs existing tests
+
+Most of the test methods discussed above need extra setup. Some require leaking of buffer bounds, predictable memory access patterns or allocation of special buffers. FVP testing even requires the tests to be run on a non-host target.
+
+With this complexity in mind it does not seem feasible to run careful-access tests using existing testsuites. Instead, new tests should be written that exercise the drivers in the required way. Fortunately, the only interfaces that need testing are hash, MAC, AEAD (testing over AD only), Key derivation and Asymmetric signature, which limits the number of new tests that must be written.
+
+#### Validation of validation for careful-access
+
+In order to ensure that the careful-access validation works, it is necessary to write tests to check that we can correctly detect careful-access violations when they occur. To do this, write a test function that:
+
+* Reads its input multiple times at the same location.
+* Writes to its output multiple times at the same location.
+
+Then, write a careful-access test for this function and ensure that it fails.
+
+## Analysis of argument protection in built-in drivers
+
+TODO: analyze the built-in implementations of mechanisms for which there is a requirement on drivers. By code inspection, how satisfied are we that they meet the requirement?
+
+## Copy bypass
+
+For efficiency, we are likely to want mechanisms to bypass the copy and process buffers directly in builds that are not affected by shared memory considerations.
+
+Expand this section to document any mechanisms that bypass the copy.
+
+Make sure that such mechanisms preserve the guarantees when buffers overlap.
+
+## Detailed design
+
+### Implementation by module
+
+Module | Input protection strategy | Output protection strategy | Notes
+---|---|---|---
+Hash and MAC | Careful access | Careful access | Low risk of multiple-access as the input and output are raw unformatted data.
+Cipher | Copying | Copying |
+AEAD | Copying (careful access for additional data) | Copying |
+Key derivation | Careful access | Careful access |
+Asymmetric signature | Careful access | Copying | Inputs to signatures are passed to a hash. This will no longer hold once PureEdDSA support is implemented.
+Asymmetric encryption | Copying | Copying |
+Key agreement | Copying | Copying |
+PAKE | Copying | Copying |
+Key import / export | Copying | Copying | Keys may be imported and exported in DER format, which is a structured format and therefore susceptible to read-read inconsistencies and potentially write-read inconsistencies.
+
+### Copying functions
+
+As discussed in [Copying code](#copying-code), it is simpler to use a single unified API for copying. Therefore, we create the following functions:
+
+* `psa_crypto_copy_input(const uint8_t *input, size_t input_length, uint8_t *input_copy, size_t input_copy_length)`
+* `psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_length, uint8_t *output, size_t output_length)`
+
+These seem to be a repeat of the same function, however it is useful to retain two separate functions for input and output parameters so that we can use different test hooks in each when using memory poisoning for tests.
+
+Given that the majority of functions will be allocating memory on the heap to copy, it is helpful to build convenience functions that allocate the memory as well.
+
+In order to keep track of allocated copies on the heap, we can create new structs:
+
+```c
+typedef struct psa_crypto_local_input_s {
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_input_t;
+
+typedef struct psa_crypto_local_output_s {
+ uint8_t *original;
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_output_t;
+```
+
+These may be used to keep track of input and output copies' state, and ensure that their length is always stored with them. In the case of output copies, we keep a pointer to the original buffer so that it is easy to perform a writeback to the original once we have finished outputting.
+
+With these structs we may create 2 pairs of functions, one pair for input copies:
+
+```c
+psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
+ psa_crypto_local_input_t *local_input);
+
+void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input);
+```
+
+* `psa_crypto_local_input_alloc()` calls `calloc()` to allocate a new buffer of length `input_len`, copies the contents across from `input`. It then stores `input_len` and the pointer to the copy in the struct `local_input`.
+* `psa_crypto_local_input_free()` calls `free()` on the local input that is referred to by `local_input` and sets the pointer in the struct to `NULL`.
+
+We also create a pair of functions for output copies:
+
+```c
+psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
+ psa_crypto_local_output_t *local_output);
+
+psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output);
+```
+
+* `psa_crypto_local_output_alloc()` calls `calloc()` to allocate a new buffer of length `output_len` and stores `output_len` and the pointer to the buffer in the struct `local_output`. It also stores a pointer to `output` in `local_output->original`.
+* `psa_crypto_local_output_free()` copies the contents of the output buffer `local_output->buffer` into the buffer `local_output->original`, calls `free()` on `local_output->buffer` and sets it to `NULL`.
+
+Some PSA functions may not use these convenience functions as they may have local optimizations that reduce memory usage. For example, ciphers may be able to use a single intermediate buffer for both input and output.
+
+In order to abstract the management of the copy state further, to make it simpler to add, we create the following 6 convenience macros:
+
+For inputs:
+
+* `LOCAL_INPUT_DECLARE(input, input_copy_name)`, which declares and initializes a `psa_crypto_local_input_t` and a pointer with the name `input_copy_name` in the current scope.
+* `LOCAL_INPUT_ALLOC(input, input_size, input_copy)`, which tries to allocate an input using `psa_crypto_local_input_alloc()`. On failure, it sets an error code and jumps to an exit label. On success, it sets `input_copy` to point to the copy of the buffer.
+* `LOCAL_INPUT_FREE(input, input_copy)`, which frees the input copy using `psa_crypto_local_input_free()` and sets `input_copy` to `NULL`.
+
+For outputs:
+
+* `LOCAL_OUTPUT_DECLARE(output, output_copy_name)`, analogous to `LOCAL_INPUT_DECLARE()` for `psa_crypto_local_output_t`.
+* `LOCAL_OUTPUT_ALLOC(output, output_size, output_copy)`, analogous to `LOCAL_INPUT_ALLOC()` for outputs, calling `psa_crypto_local_output_alloc()`.
+* `LOCAL_OUTPUT_FREE(output, output_copy)`, analogous to `LOCAL_INPUT_FREE()` for outputs. If the `psa_crypto_local_output_t` is in an invalid state (the copy pointer is valid, but the original pointer is `NULL`) this macro sets an error status.
+
+These macros allow PSA functions to have copying added while keeping the code mostly unmodified. Consider a hypothetical PSA function:
+
+```c
+psa_status_t psa_foo(const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ /* Do some operation on input and output */
+}
+```
+
+By changing the name of the input and output parameters, we can retain the original variable name as the name of the local copy while using a new name (e.g. with the suffix `_external`) for the original buffer. This allows copying to be added near-seamlessly as follows:
+
+```c
+psa_status_t psa_foo(const uint8_t *input_external, size_t input_length,
+ uint8_t *output_external, size_t output_size, size_t *output_length)
+{
+ psa_status_t status;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ LOCAL_INPUT_ALLOC(input_external, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output);
+
+ /* Do some operation on input and output */
+
+exit:
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+}
+```
+
+A second advantage of using macros for the copying (other than simple convenience) is that it allows copying to be easily disabled by defining alternate macros that function as no-ops. Since buffer copying is specific to systems where shared memory is passed to PSA functions, it is useful to be able to disable it where it is not needed, to save code size.
+
+To this end, the macros above are defined conditionally on a new config option, `MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS`, which may be set whenever PSA functions are assumed to have exclusive access to their input and output buffers. When `MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS` is set, the macros do not perform copying.
+
+### Implementation of copying validation
+
+As discussed in the [design exploration of copying validation](#validation-of-copying), the best strategy for validation of copies appears to be validation by memory poisoning, implemented using Valgrind and ASan.
+
+To perform memory poisoning, we must implement the functions alluded to in [Validation of copying by memory poisoning](#validation-of-copying-by-memory-poisoning):
+```c
+void mbedtls_test_memory_poison(const unsigned char *ptr, size_t size);
+void mbedtls_test_memory_unpoison(const unsigned char *ptr, size_t size);
+```
+This should poison or unpoison the given buffer, respectively.
+
+* `mbedtls_test_memory_poison()` is equivalent to calling `VALGRIND_MAKE_MEM_NOACCESS(ptr, size)` or `ASAN_POISON_MEMORY_REGION(ptr, size)`.
+* `mbedtls_test_memory_unpoison()` is equivalent to calling `VALGRIND_MAKE_MEM_DEFINED(ptr, size)` or `ASAN_UNPOISON_MEMORY_REGION(ptr, size)`.
+
+The PSA copying function must then have test hooks implemented as outlined in [Validation of copying by memory poisoning](#validation-of-copying-by-memory-poisoning).
+
+As discussed in [the design exploration](#validation-with-existing-tests), the preferred approach for implementing copy-testing is to implement it transparently using existing tests. This is specified in more detail below.
+
+#### Transparent allocation-based memory poisoning
+
+In order to implement transparent memory poisoning we require a wrapper around all PSA function calls that poisons any input and output buffers.
+
+The easiest way to do this is to create wrapper functions that poison the memory and then `#define` PSA function names to be wrapped versions of themselves. For example, to replace `psa_aead_update()`:
+```c
+psa_status_t mem_poison_psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ mbedtls_test_memory_poison(input, input_length);
+ mbedtls_test_memory_poison(output, output_size);
+ psa_status_t status = psa_aead_update(operation, input, input_length,
+ output, output_size, output_length);
+ mbedtls_test_memory_unpoison(input, input_length);
+ mbedtls_test_memory_unpoison(output, output_size);
+
+ return status;
+}
+
+#define psa_aead_update(...) mem_poison_psa_aead_update(__VA_ARGS__)
+```
+
+There now exists a more generic mechanism for making exactly this kind of transformation - the PSA test wrappers, which exist in the files `tests/include/test/psa_test_wrappers.h` and `tests/src/psa_test_wrappers.c`. These are wrappers around all PSA functions that allow testing code to be inserted at the start and end of a PSA function call.
+
+The test wrappers are generated by a script, although they are not automatically generated as part of the build process. Instead, they are checked into source control and must be manually updated when functions change by running `framework/scripts/generate_psa_wrappers.py`.
+
+Poisoning code is added to these test wrappers where relevant in order to pre-poison and post-unpoison the parameters to the functions.
+
+#### Configuration of poisoning tests
+
+Since the memory poisoning tests will require the use of interfaces specific to the sanitizers used to poison memory, they must only be enabled when we are building with ASan or Valgrind. For now, we can auto-detect ASan at compile-time and set an option: `MBEDTLS_TEST_MEMORY_CAN_POISON`. When this option is enabled, we build with memory-poisoning support. This enables transparent testing with ASan without needing any extra configuration options.
+
+Auto-detection and memory-poisoning with Valgrind is left for future work.
+
+#### Validation of validation for copying
+
+To make sure that we can correctly detect functions that access their input/output buffers rather than the copies, it would be best to write a test function that misbehaves and test it with memory poisoning. Specifically, the function should:
+
+* Read its input buffer and after calling the input-buffer-copying function to create a local copy of its input.
+* Write to its output buffer before and after calling the output-buffer-copying function to copy-back its output.
+
+Then, we could write a test that uses this function with memory poisoning and ensure that it fails. Since we are expecting a failure due to memory-poisoning, we would run this test separately from the rest of the memory-poisoning testing.
+
+This testing is implemented in `programs/test/metatest.c`, which is a program designed to check that test failures happen correctly. It may be run via the script `tests/scripts/run-metatests.sh`.
diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md
deleted file mode 100644
index 06bdcc0..0000000
--- a/docs/architecture/psa-thread-safety.md
+++ /dev/null
@@ -1,300 +0,0 @@
-Thread safety of the PSA subsystem
-==================================
-
-## Requirements
-
-### Backward compatibility requirement
-
-Code that is currently working must keep working. There can be an exception for code that uses features that are advertised as experimental; for example, it would be annoying but ok to add extra requirements for drivers.
-
-(In this section, “currently” means Mbed TLS releases without proper concurrency management: 3.0.0, 3.1.0, and any other subsequent 3.x version.)
-
-In particular, if you either protect all PSA calls with a mutex, or only ever call PSA functions from a single thread, your application currently works and must keep working. If your application currently builds and works with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C` enabled, it must keep building and working.
-
-As a consequence, we must not add a new platform requirement beyond mutexes for the base case. It would be ok to add new platform requirements if they're only needed for PSA drivers, or if they're only performance improvements.
-
-Tempting platform requirements that we cannot add to the default `MBEDTLS_THREADING_C` include:
-
-* Releasing a mutex from a different thread than the one that acquired it. This isn't even guaranteed to work with pthreads.
-* New primitives such as semaphores or condition variables.
-
-### Correctness out of the box
-
-If you build with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C`, the code must be functionally correct: no race conditions, deadlocks or livelocks.
-
-The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/overview/conventions.html#concurrent-calls) defines minimum expectations for concurrent calls. They must work as if they had been executed one at a time, except that the following cases have undefined behavior:
-
-* Destroying a key while it's in use.
-* Concurrent calls using the same operation object. (An operation object may not be used by more than one thread at a time. But it can move from one thread to another between calls.)
-* Overlap of an output buffer with an input or output of a concurrent call.
-* Modification of an input buffer during a call.
-
-Note that while the specification does not define the behavior in such cases, Mbed TLS can be used as a crypto service. It's acceptable if an application can mess itself up, but it is not acceptable if an application can mess up the crypto service. As a consequence, destroying a key while it's in use may violate the security property that all key material is erased as soon as `psa_destroy_key` returns, but it may not cause data corruption or read-after-free inside the key store.
-
-### No spinning
-
-The code must not spin on a potentially non-blocking task. For example, this is proscribed:
-```
-lock(m);
-while (!its_my_turn) {
- unlock(m);
- lock(m);
-}
-```
-
-Rationale: this can cause battery drain, and can even be a livelock (spinning forever), e.g. if the thread that might unblock this one has a lower priority.
-
-### Driver requirements
-
-At the time of writing, the driver interface specification does not consider multithreaded environments.
-
-We need to define clear policies so that driver implementers know what to expect. Here are two possible policies at two ends of the spectrum; what is desirable is probably somewhere in between.
-
-* Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it.
-* At most one driver entry point is active at any given time.
-
-A more reasonable policy could be:
-
-* By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock.
-* Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver.
-* Even with a thread-safe driver, the core never starts the destruction of a key while there are operations in progress on it, and never performs concurrent calls on the same multipart operation.
-
-### Long-term performance requirements
-
-In the short term, correctness is the important thing. We can start with a global lock.
-
-In the medium to long term, performing a slow or blocking operation (for example, a driver call, or an RSA decryption) should not block other threads, even if they're calling the same driver or using the same key object.
-
-We may want to go directly to a more sophisticated approach because when a system works with a global lock, it's typically hard to get rid of it to get more fine-grained concurrency.
-
-### Key destruction short-term requirements
-
-#### Summary of guarantees in the short term
-
-When `psa_destroy_key` returns:
-
-1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
-2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
-3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
-
-When `psa_destroy_key` is called on a key that is in use, guarantee 2. might be violated. (This is consistent with the requirement [“Correctness out of the box”](#correctness-out-of-the-box), as destroying a key while it's in use is undefined behavior.)
-
-### Key destruction long-term requirements
-
-The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
-
-#### Summary of guarantees in the long term
-
-When `psa_destroy_key` returns:
-
-1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
-2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
-3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
-4. No copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to satisfy this security requirement in the future.
-
-As opposed to the short term requirements, all the above guarantees hold even if `psa_destroy_key` is called on a key that is in use.
-
-## Resources to protect
-
-Analysis of the behavior of the PSA key store as of Mbed TLS 9202ba37b19d3ea25c8451fd8597fce69eaa6867.
-
-### Global variables
-
-* `psa_crypto_slot_management::global_data.key_slots[i]`: see [“Key slots”](#key-slots).
-
-* `psa_crypto_slot_management::global_data.key_slots_initialized`:
- * `psa_initialize_key_slots`: modification.
- * `psa_wipe_all_key_slots`: modification.
- * `psa_get_empty_key_slot`: read.
- * `psa_get_and_lock_key_slot`: read.
-
-* `psa_crypto::global_data.rng`: depends on the RNG implementation. See [“Random generator”](#random-generator).
- * `psa_generate_random`: query.
- * `mbedtls_psa_crypto_configure_entropy_sources` (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): setup. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
- * `mbedtls_psa_crypto_free`: deinit.
- * `psa_crypto_init`: seed (via `mbedtls_psa_random_seed`); setup via `mbedtls_psa_crypto_configure_entropy_sources.
-
-* `psa_crypto::global_data.{initialized,rng_state}`: these are bit-fields and cannot be modified independently so they must be protected by the same mutex. The following functions access these fields:
- * `mbedtls_psa_crypto_configure_entropy_sources` [`rng_state`] (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): read. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
- * `mbedtls_psa_crypto_free`: modification.
- * `psa_crypto_init`: modification.
- * Many functions via `GUARD_MODULE_INITIALIZED`: read.
-
-### Key slots
-
-#### Key slot array traversal
-
-“Occupied key slot” is determined by `psa_is_key_slot_occupied` based on `slot->attr.type`.
-
-The following functions traverse the key slot array:
-
-* `psa_get_and_lock_key_slot_in_memory`: reads `slot->attr.id`.
-* `psa_get_and_lock_key_slot_in_memory`: calls `psa_lock_key_slot` on one occupied slot.
-* `psa_get_empty_key_slot`: calls `psa_is_key_slot_occupied`.
-* `psa_get_empty_key_slot`: calls `psa_wipe_key_slot` and more modifications on one occupied slot with no active user.
-* `psa_get_empty_key_slot`: calls `psa_lock_key_slot` and more modification on one unoccupied slot.
-* `psa_wipe_all_key_slots`: writes to all slots.
-* `mbedtls_psa_get_stats`: reads from all slots.
-
-#### Key slot state
-
-The following functions modify a slot's usage state:
-
-* `psa_lock_key_slot`: writes to `slot->lock_count`.
-* `psa_unlock_key_slot`: writes to `slot->lock_count`.
-* `psa_wipe_key_slot`: writes to `slot->lock_count`.
-* `psa_destroy_key`: reads `slot->lock_count`, calls `psa_lock_key_slot`.
-* `psa_wipe_all_key_slots`: writes to all slots.
-* `psa_get_empty_key_slot`: writes to `slot->lock_count` and calls `psa_wipe_key_slot` and `psa_lock_key_slot` on one occupied slot with no active user; calls `psa_lock_key_slot` on one unoccupied slot.
-* `psa_close_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
-* `psa_purge_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
-
-**slot->attr access:**
-`psa_crypto_core.h`:
-* `psa_key_slot_set_flags` - writes to attr.flags
-* `psa_key_slot_set_bits_in_flags` - writes to attr.flags
-* `psa_key_slot_clear_bits` - writes to attr.flags
-* `psa_is_key_slot_occupied` - reads attr.type (but see “[Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)”)
-* `psa_key_slot_get_flags` - reads attr.flags
-
-`psa_crypto_slot_management.c`:
-* `psa_get_and_lock_key_slot_in_memory` - reads attr.id
-* `psa_get_empty_key_slot` - reads attr.lifetime
-* `psa_load_persistent_key_into_slot` - passes attr pointer to psa_load_persistent_key
-* `psa_load_persistent_key` - reads attr.id and passes pointer to psa_parse_key_data_from_storage
-* `psa_parse_key_data_from_storage` - writes to many attributes
-* `psa_get_and_lock_key_slot` - writes to attr.id, attr.lifetime, and attr.policy.usage
-* `psa_purge_key` - reads attr.lifetime, calls psa_wipe_key_slot
-* `mbedtls_psa_get_stats` - reads attr.lifetime, attr.id
-
-`psa_crypto.c`:
-* `psa_get_and_lock_key_slot_with_policy` - reads attr.type, attr.policy.
-* `psa_get_and_lock_transparent_key_slot_with_policy` - reads attr.lifetime
-* `psa_destroy_key` - reads attr.lifetime, attr.id
-* `psa_get_key_attributes` - copies all publicly available attributes of a key
-* `psa_export_key` - copies attributes
-* `psa_export_public_key` - reads attr.type, copies attributes
-* `psa_start_key_creation` - writes to the whole attr structure
-* `psa_validate_optional_attributes` - reads attr.type, attr.bits
-* `psa_import_key` - reads attr.bits
-* `psa_copy_key` - reads attr.bits, attr.type, attr.lifetime, attr.policy
-* `psa_mac_setup` - copies whole attr structure
-* `psa_mac_compute_internal` - copies whole attr structure
-* `psa_verify_internal` - copies whole attr structure
-* `psa_sign_internal` - copies whole attr structure, reads attr.type
-* `psa_assymmetric_encrypt` - reads attr.type
-* `psa_assymetric_decrypt` - reads attr.type
-* `psa_cipher_setup` - copies whole attr structure, reads attr.type
-* `psa_cipher_encrypt` - copies whole attr structure, reads attr.type
-* `psa_cipher_decrypt` - copies whole attr structure, reads attr.type
-* `psa_aead_encrypt` - copies whole attr structure
-* `psa_aead_decrypt` - copies whole attr structure
-* `psa_aead_setup` - copies whole attr structure
-* `psa_generate_derived_key_internal` - reads attr.type, writes to and reads from attr.bits, copies whole attr structure
-* `psa_key_derivation_input_key` - reads attr.type
-* `psa_key_agreement_raw_internal` - reads attr.type and attr.bits
-
-#### Determining whether a key slot is occupied
-
-`psa_is_key_slot_occupied` currently uses the `attr.type` field to determine whether a key slot is occupied. This works because we maintain the invariant that an occupied slot contains key material. With concurrency, it is desirable to allow a key slot to be reserved, but not yet contain key material or even metadata. When creating a key, determining the key type can be costly, for example when loading a persistent key from storage or (not yet implemented) when importing or unwrapping a key using an interface that determines the key type from the data that it parses. So we should not need to hold the global key store lock while the key type is undetermined.
-
-Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot.
-
-#### Key slot content
-
-Other than what is used to determine the [“key slot state”](#key-slot-state), the contents of a key slot are only accessed as follows:
-
-* Modification during key creation (between `psa_start_key_creation` and `psa_finish_key_creation` or `psa_fail_key_creation`).
-* Destruction in `psa_wipe_key_slot`.
-* Read in many functions, between calls to `psa_lock_key_slot` and `psa_unlock_key_slot`.
-
-**slot->key access:**
-* `psa_allocate_buffer_to_slot` - allocates key.data, sets key.bytes;
-* `psa_copy_key_material_into_slot` - writes to key.data
-* `psa_remove_key_data_from_memory` - writes and reads to/from key data
-* `psa_get_key_attributes` - reads from key data
-* `psa_export_key` - passes key data to psa_driver_wrapper_export_key
-* `psa_export_public_key` - passes key data to psa_driver_wrapper_export_public_key
-* `psa_finish_key_creation` - passes key data to psa_save_persistent_key
-* `psa_validate_optional_attributes` - passes key data and bytes to mbedtls_psa_rsa_load_representation
-* `psa_import_key` - passes key data to psa_driver_wrapper_import_key
-* `psa_copy_key` - passes key data to psa_driver_wrapper_copy_key, psa_copy_key_material_into_slot
-* `psa_mac_setup` - passes key data to psa_driver_wrapper_mac_sign_setup, psa_driver_wrapper_mac_verify_setup
-* `psa_mac_compute_internal` - passes key data to psa_driver_wrapper_mac_compute
-* `psa_sign_internal` - passes key data to psa_driver_wrapper_sign_message, psa_driver_wrapper_sign_hash
-* `psa_verify_internal` - passes key data to psa_driver_wrapper_verify_message, psa_driver_wrapper_verify_hash
-* `psa_asymmetric_encrypt` - passes key data to mbedtls_psa_rsa_load_representation
-* `psa_asymmetric_decrypt` - passes key data to mbedtls_psa_rsa_load_representation
-* `psa_cipher_setup ` - passes key data to psa_driver_wrapper_cipher_encrypt_setup and psa_driver_wrapper_cipher_decrypt_setup
-* `psa_cipher_encrypt` - passes key data to psa_driver_wrapper_cipher_encrypt
-* `psa_cipher_decrypt` - passes key data to psa_driver_wrapper_cipher_decrypt
-* `psa_aead_encrypt` - passes key data to psa_driver_wrapper_aead_encrypt
-* `psa_aead_decrypt` - passes key data to psa_driver_wrapper_aead_decrypt
-* `psa_aead_setup` - passes key data to psa_driver_wrapper_aead_encrypt_setup and psa_driver_wrapper_aead_decrypt_setup
-* `psa_generate_derived_key_internal` - passes key data to psa_driver_wrapper_import_key
-* `psa_key_derivation_input_key` - passes key data to psa_key_derivation_input_internal
-* `psa_key_agreement_raw_internal` - passes key data to mbedtls_psa_ecp_load_representation
-* `psa_generate_key` - passes key data to psa_driver_wrapper_generate_key
-
-### Random generator
-
-The PSA RNG can be accessed both from various PSA functions, and from application code via `mbedtls_psa_get_random`.
-
-With the built-in RNG implementations using `mbedtls_ctr_drbg_context` or `mbedtls_hmac_drbg_context`, querying the RNG with `mbedtls_xxx_drbg_random()` is thread-safe (protected by a mutex inside the RNG implementation), but other operations (init, free, seed) are not.
-
-When `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled, thread safety depends on the implementation.
-
-### Driver resources
-
-Depends on the driver. The PSA driver interface specification does not discuss whether drivers must support concurrent calls.
-
-## Simple global lock strategy
-
-Have a single mutex protecting all accesses to the key store and other global variables. In practice, this means every PSA API function needs to take the lock on entry and release on exit, except for:
-
-* Hash function.
-* Accessors for key attributes and other local structures.
-
-Note that operation functions do need to take the lock, since they need to prevent the destruction of the key.
-
-Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, which is guaranteed to be thread-safe when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled.
-
-This approach is conceptually simple, but requires extra instrumentation to every function and has bad performance in a multithreaded environment since a slow operation in one thread blocks unrelated operations on other threads.
-
-## Global lock excluding slot content
-
-Have a single mutex protecting all accesses to the key store and other global variables, except that it's ok to access the content of a key slot without taking the lock if one of the following conditions holds:
-
-* The key slot is in a state that guarantees that the thread has exclusive access.
-* The key slot is in a state that guarantees that no other thread can modify the slot content, and the accessing thread is only reading the slot.
-
-Note that a thread must hold the global mutex when it reads or changes a slot's state.
-
-### Slot states
-
-For concurrency purposes, a slot can be in one of three states:
-
-* UNUSED: no thread is currently accessing the slot. It may be occupied by a volatile key or a cached key.
-* WRITING: a thread has exclusive access to the slot. This can only happen in specific circumstances as detailed below.
-* READING: any thread may read from the slot.
-
-A high-level view of state transitions:
-
-* `psa_get_empty_key_slot`: UNUSED → WRITING.
-* `psa_get_and_lock_key_slot_in_memory`: UNUSED or READING → READING. This function only accepts slots in the UNUSED or READING state. A slot with the correct id but in the WRITING state is considered free.
-* `psa_unlock_key_slot`: READING → UNUSED or READING.
-* `psa_finish_key_creation`: WRITING → READING.
-* `psa_fail_key_creation`: WRITING → UNUSED.
-* `psa_wipe_key_slot`: any → UNUSED. If the slot is READING or WRITING on entry, this function must wait until the writer or all readers have finished. (By the way, the WRITING state is possible if `mbedtls_psa_crypto_free` is called while a key creation is in progress.) See [“Destruction of a key in use”](#destruction of a key in use).
-
-The current `state->lock_count` corresponds to the difference between UNUSED and READING: a slot is in use iff its lock count is nonzero, so `lock_count == 0` corresponds to UNUSED and `lock_count != 0` corresponds to READING.
-
-There is currently no indication of when a slot is in the WRITING state. This only happens between a call to `psa_start_key_creation` and a call to one of `psa_finish_key_creation` or `psa_fail_key_creation`. This new state can be conveyed by a new boolean flag, or by setting `lock_count` to `~0`.
-
-### Destruction of a key in use
-
-Problem: a key slot is destroyed (by `psa_wipe_key_slot`) while it's in use (READING or WRITING).
-
-TODO: how do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock).
-
-Solution: after some team discussion, we've decided to rely on a new threading abstraction which mimics C11 (i.e. `mbedtls_fff` where `fff` is the C11 function name, having the same parameters and return type, with default implementations for C11, pthreads and Windows). We'll likely use condition variables in addition to mutexes.
diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.png b/docs/architecture/psa-thread-safety/key-slot-state-transitions.png
new file mode 100644
index 0000000..08e4cc0
--- /dev/null
+++ b/docs/architecture/psa-thread-safety/key-slot-state-transitions.png
Binary files differ
diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
new file mode 100644
index 0000000..edb94c5
--- /dev/null
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -0,0 +1,367 @@
+# Thread-safety of the PSA subsystem
+
+Currently, PSA Crypto API calls in Mbed TLS releases are not thread-safe.
+
+As of Mbed TLS 3.6, an MVP for making the [PSA Crypto key management API](https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html) and [`psa_crypto_init`](https://arm-software.github.io/psa-api/crypto/1.1/api/library/library.html#c.psa_crypto_init) thread-safe has been implemented. Implementations which only ever call PSA functions from a single thread are not affected by this new feature.
+
+Summary of recent work:
+
+- Key Store:
+ - Slot states are described in the [Key slot states](#key-slot-states) section. They guarantee safe concurrent access to slot contents.
+ - Key slots are protected by a global mutex, as described in [Key store consistency and abstraction function](#key-store-consistency-and-abstraction-function).
+ - Key destruction strategy abiding by [Key destruction guarantees](#key-destruction-guarantees), with an implementation discussed in [Key destruction implementation](#key-destruction-implementation).
+- `global_data` variables in `psa_crypto.c` and `psa_crypto_slot_management.c` are now protected by mutexes, as described in the [Global data](#global-data) section.
+- The testing system has now been made thread-safe. Tests can now spin up multiple threads, see [Thread-safe testing](#thread-safe-testing) for details.
+- Some multithreaded testing of the key management API has been added, this is outlined in [Testing-and-analysis](#testing-and-analysis).
+- The solution uses the pre-existing `MBEDTLS_THREADING_C` threading abstraction.
+- The core makes no additional guarantees for drivers. See [Driver policy](#driver-policy) for details.
+
+The other functions in the PSA Crypto API are planned to be made thread-safe in future, but currently we are not testing this.
+
+## Overview of the document
+
+* The [Guarantees](#guarantees) section describes the properties that are followed when PSA functions are invoked by multiple threads.
+* The [Usage guide](#usage-guide) section gives guidance on initializing, using and freeing PSA when using multiple threads.
+* The [Current strategy](#current-strategy) section describes how thread-safety of key management and `global_data` is achieved.
+* The [Testing and analysis](#testing-and-analysis) section discusses the state of our testing, as well as how this testing will be extended in future.
+* The [Future work](#future-work) section outlines our long-term goals for thread-safety; it also analyses how we might go about achieving these goals.
+
+## Definitions
+
+*Concurrent calls*
+
+The PSA specification defines concurrent calls as: "In some environments, an application can make calls to the Crypto API in separate threads. In such an environment, concurrent calls are two or more calls to the API whose execution can overlap in time." (See PSA documentation [here](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#concurrent-calls).)
+
+*Thread-safety*
+
+In general, a system is thread-safe if any valid set of concurrent calls is handled as if the effect and return code of every call is equivalent to some sequential ordering. We implement a weaker notion of thread-safety, we only guarantee thread-safety in the circumstances described in the [PSA Concurrent calling conventions](#psa-concurrent-calling-conventions) section.
+
+## Guarantees
+
+### Correctness out of the box
+
+Building with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C` gives code which is correct; there are no race-conditions, deadlocks or livelocks when concurrently calling any set of PSA key management functions once `psa_crypto_init` has been called (see the [Initialization](#initialization) section for details on how to correctly initialize the PSA subsystem when using multiple threads).
+
+We do not test or support calling other PSA API functions concurrently.
+
+There is no busy-waiting in our implementation, every API call completes in a finite number of steps regardless of the locking policy of the underlying mutexes.
+
+When only considering key management functions: Mbed TLS 3.6 abides by the minimum expectation for concurrent calls set by the PSA specification (see [PSA Concurrent calling conventions](#psa-concurrent-calling-conventions)).
+
+#### PSA Concurrent calling conventions
+
+These are the conventions which are planned to be added to the PSA 1.2 specification, Mbed TLS 3.6 abides by these when only considering [key management functions](https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html):
+
+> The result of two or more concurrent calls must be consistent with the same set of calls being executed sequentially in some order, provided that the calls obey the following constraints:
+>
+> * There is no overlap between an output parameter of one call and an input or output parameter of another call. Overlap between input parameters is permitted.
+>
+> * A call to `psa_destroy_key()` must not overlap with a concurrent call to any of the following functions:
+> - Any call where the same key identifier is a parameter to the call.
+> - Any call in a multi-part operation, where the same key identifier was used as a parameter to a previous step in the multi-part operation.
+>
+> * Concurrent calls must not use the same operation object.
+>
+> If any of these constraints are violated, the behaviour is undefined.
+>
+> The consistency requirement does not apply to errors that arise from resource failures or limitations. For example, errors resulting from resource exhaustion can arise in concurrent execution that do not arise in sequential execution.
+>
+> As an example of this rule: suppose two calls are executed concurrently which both attempt to create a new key with the same key identifier that is not already in the key store. Then:
+> * If one call returns `PSA_ERROR_ALREADY_EXISTS`, then the other call must succeed.
+> * If one of the calls succeeds, then the other must fail: either with `PSA_ERROR_ALREADY_EXISTS` or some other error status.
+> * Both calls can fail with error codes that are not `PSA_ERROR_ALREADY_EXISTS`.
+>
+> If the application concurrently modifies an input parameter while a function call is in progress, the behaviour is undefined.
+
+### Backwards compatibility
+
+Code which was working prior to Mbed TLS 3.6 will still work. Implementations which only ever call PSA functions from a single thread, or which protect all PSA calls using a mutex, are not affected by this new feature. If an application previously worked with a 3.X version, it will still work on version 3.6.
+
+### Supported threading implementations
+
+Currently, the only threading library with support shipped in the code base is pthread (enabled by `MBEDTLS_THREADING_PTHREAD`). The only concurrency primitives we use are mutexes, see [Condition variables](#condition-variables) for discussion about implementing new primitives in future major releases.
+
+Users can add support to any platform which has mutexes using the Mbed TLS platform abstraction layer (see `include/mbedtls/threading.h` for details).
+
+We intend to ship support for other platforms including Windows in future releases.
+
+### Key destruction guarantees
+
+Much like all other API calls, `psa_destroy_key` does not block indefinitely, and when `psa_destroy_key` returns:
+
+1. The key identifier does not exist. This is a functional requirement for persistent keys: any thread can immediately create a new key with the same identifier.
+2. The resources from the key have been freed. This allows threads to create similar keys immediately after destruction, regardless of resources.
+
+When `psa_destroy_key` is called on a key that is in use, guarantee 2 may be violated. This is consistent with the PSA specification requirements, as destruction of a key in use is undefined.
+
+In future versions we aim to enforce stronger requirements for key destruction, see [Long term key destruction requirements](#long-term-key-destruction-requirements) for details.
+
+### Driver policy
+
+The core makes no additional guarantees for drivers. Driver entry points may be called concurrently from multiple threads. Threads can concurrently call entry points using the same key, there is also no protection from destroying a key which is in use.
+
+### Random number generators
+
+The PSA RNG can be accessed both from various PSA functions, and from application code via `mbedtls_psa_get_random`.
+
+When using the built-in RNG implementations, i.e. when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled, querying the RNG is thread-safe (`mbedtls_psa_random_init` and `mbedtls_psa_random_seed` are only thread-safe when called while holding `mbedtls_threading_psa_rngdata_mutex`. `mbedtls_psa_random_free` is not thread-safe).
+
+When `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled, it is down to the external implementation to ensure thread-safety, should threading be enabled.
+
+## Usage guide
+
+### Initialization
+
+The PSA subsystem is initialized via a call to [`psa_crypto_init`](https://arm-software.github.io/psa-api/crypto/1.1/api/library/library.html#c.psa_crypto_init). This is a thread-safe function, and multiple calls to `psa_crypto_init` are explicitly allowed. It is valid to have multiple threads each calling `psa_crypto_init` followed by a call to any PSA key management function (if the init succeeds).
+
+### General usage
+
+Once initialized, threads can use any PSA function if there is no overlap between their calls. All threads share the same set of keys, as soon as one thread returns from creating/loading a key via a key management API call the key can be used by any thread. If multiple threads attempt to load the same persistent key, with the same key identifier, only one thread can succeed - the others will return `PSA_ERROR_ALREADY_EXISTS`.
+
+Applications may need careful handling of resource management errors. As explained in ([PSA Concurrent calling conventions](#psa-concurrent-calling-conventions)), operations in progress can have memory related side effects. It is possible for a lack of resources to cause errors which do not arise in sequential execution. For example, multiple threads attempting to load the same persistent key can lead to some threads returning `PSA_ERROR_INSUFFICIENT_MEMORY` if the key is not currently in the key store - while trying to load a persistent key into the key store a thread temporarily reserves a free key slot.
+
+If a mutex operation fails, which only happens if the mutex implementation fails, the error code `PSA_ERROR_SERVICE_FAILURE` will be returned. If this code is returned, execution of the PSA subsystem must be stopped. All functions which have internal mutex locks and unlocks (except for when the lock/unlock occurs in a function that has no return value) will return with this error code in this situation.
+
+### Freeing
+
+There is no thread-safe way to free all PSA resources. This is because any such operation would need to wait for all other threads to complete their tasks before wiping resources.
+
+`mbedtls_psa_crypto_free` must only be called by a single thread once all threads have completed their operations.
+
+## Current strategy
+
+This section describes how we have implemented thread-safety. There is discussion of: techniques, internal properties for enforcing thread-safe access, how the system stays consistent and our abstraction model.
+
+### Protected resources
+
+#### Global data
+
+We have added a mutex `mbedtls_threading_psa_globaldata_mutex` defined in `include/mbedtls/threading.h`, which is used to make `psa_crypto_init` thread-safe.
+
+There are two `psa_global_data_t` structs, each with a single instance `global_data`:
+
+* The struct in `library/psa_crypto.c` is protected by `mbedtls_threading_psa_globaldata_mutex`. The RNG fields within this struct are not protected by this mutex, and are not always thread-safe (see [Random number generators](#random-number-generators)).
+* The struct in `library/psa_crypto_slot_management.c` has two fields: `key_slots` is protected as described in [Key slots](#key-slots), `key_slots_initialized` is protected by the global data mutex.
+
+#### Mutex usage
+
+A deadlock would occur if a thread attempts to lock a mutex while already holding it. Functions which need to be called while holding the global mutex have documentation to say this.
+
+To avoid performance degradation, functions must hold mutexes for as short a time as possible. In particular, they must not start expensive operations (eg. doing cryptography) while holding the mutex.
+
+#### Key slots
+
+
+Keys are stored internally in a global array of key slots known as the "key store", defined in `library/psa_slot_management.c`.
+
+##### Key slot states
+
+Each key slot has a state variable and a `registered_readers` counter. These two variables dictate whether an operation can access a slot, and in what way the slot can be used.
+
+There are four possible states for a key slot:
+
+* `PSA_SLOT_EMPTY`: no thread is currently accessing the slot, and no information is stored in the slot. Any thread is able to change the slot's state to `PSA_SLOT_FILLING` and begin to load data into the slot.
+* `PSA_SLOT_FILLING`: one thread is currently loading or creating material to fill the slot, this thread is responsible for the next state transition. Other threads cannot read the contents of a slot which is in this state.
+* `PSA_SLOT_FULL`: the slot contains a key, and any thread is able to use the key after registering as a reader, increasing `registered_readers` by 1.
+* `PSA_SLOT_PENDING_DELETION`: the key within the slot has been destroyed or marked for destruction, but at least one thread is still registered as a reader (`registered_readers > 0`). No thread can register to read this slot. The slot must not be wiped until the last reader unregisters. It is during the last unregister that the contents of the slot are wiped, and the slot's state is set to `PSA_SLOT_EMPTY`.
+
+###### Key slot state transition diagram
+![](key-slot-state-transitions.png)
+
+In the state transition diagram above, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. Internal functions have italicized labels. The `PSA_SLOT_PENDING_DELETION -> PSA_SLOT_EMPTY` transition can be done by any function which calls `psa_unregister_read`.
+
+The state transition diagram can be generated in https://app.diagrams.net/ via this [url](https://viewer.diagrams.net/?tags=%7B%7D&highlight=0000ff&edit=_blank&layers=1&nav=1#R3Vxbd5s4EP4t%2B%2BDH5CBxf6zrJJvW7aYn7W7dFx9qZFstBg7gW379CnMxkoUtY%2BGQ%2BiVISCPQjD59mhnSU98vNg%2BRE84%2FBS7yelBxNz110IMQAEsnf9KabVZjmHnFLMJu3mhf8YxfUF6p5LVL7KKYapgEgZfgkK6cBL6PJglV50RRsKabTQOPHjV0Zuig4nnieIe1%2F2E3mWe1FjT39X8jPJsXIwPDzu4snKJx%2Fibx3HGDdaVKveup76MgSLKrxeY98tLJK%2BYl63dfc7d8sAj5iUiHH%2BBlOP338cP6i%2B37%2Ff7oV%2Fjr442aSVk53jJ%2F4R40PCKv7%2BIVuZyll%2FffhsOimsiv3OE0njvxOEKOi6K4uPszYtuzUnbzk2yLSScPTvRLCv31HCfoOXQm6Z01MbF0hGThkRIgl04cZkqf4g1yS1HVScnnaYWiBG0qVfkkPaBggZJoS5rkdzUrV1hhsUpeXlf0n1fNK6ov6pzc4mal5L1SyEWulzN0BABHSeyM%2Be671NpJaeI5cYwn9ERFwdJ30xkaKKREJifafs9v7QqjamGwqbYbbIvSBidlJ3I9qtTvu6SFoketNuJgGU3QabtMnGiGkiPttKwdcqlVfKjbiu50ju6Kugh5ToJX9NrnKTQf4SnA5M1qTUc3GJvI3jvvVV2rrCDTvrUrP4sSq6mM2GyaDsTurK2chAsMENaiBC7WcBg746UfoRmOExTtEKCy2HH9UieaGzo%2Fya5BL2wPz%2FzUmInloIhUpOsXE1h%2Bl99YYNdNZfQjFOMX5%2BdOXmpzYToLu3nR%2Bz19wLXC48uMRYpyc8lHofCbhyDKLVRMm1LZDbzMwAoxgOkSTKcxakfpIjvD3aenr6O3CfOdQ3lbOsrneK1U8BocxetyXygLo2qhZl9ojvJQEOVBt1CetpwDNBYG%2BRObRcuoXvDSU6g%2BdbA3%2Fo224wkB9QQH%2FlvD9WJhdRHXc8mQEsr2bw%2FkDzf2%2B8fh8PHzQ6exWjVeGas1kb3xrFPTX3%2FcsenVlaSLKOnp7vNgZ%2B6CehrcDe%2B%2BPv7z%2BW3qqHOkx2yL84ifUZudhZtznsKJdYrzwE5xHqiQzc%2FSoAnI2VTTDXoX1DXj1gS6CS1TJwWVES9KiIDBMCvtuozIEkEMLkciZAVFKzSeRgjtuFLsBQmfJwkCDXeYmExAwuViXBw6OWpnOVuBC12kbKUY7VosDfD4hnyYvNWbHA6zXq96POyWEzCFSkUpoNIgqEaDGkhdewVWqpZiNgNLTWHAkti6yphk237B5oA5xT6O5wLHyjcGXOVSvRi5bogVabZJQ5cqx0ItrtQrABmPkzO6nCzJRuqWFOx6YQ1xN1lzRBMNa6idQjStiNmWMdyGHi%2FdYASxB4sawCI24GwrzfLlWf%2FANo2NpqIcfy7ItAcn2mvWMfnkInvipotn0NcmAD9MQu8FLR%2Fxs%2F7uaSN2nq1hpyejMpew0pqwTzNKKjYkMZKx47tjL5j8Lvn2%2BPtFA6VyJ14Q7wj8Wb3CJbHaaq%2BDwf8wel7iuIxdDqgWvZou5Oe5ZJr0Q%2F1ae5zKS6mQQtarG5SgT6PCztuN5GiCG1u3IjnQhJSV6HrDjQ3UOdauxMRV3gmRi1UuipMo2F6OcXLwtLMQVy5jCS4IzTLoM2CxDC403xuaTdktQByXicj32nKJ%2Bym0Oh8X28e3bnltVYbX6k1D1arJOBsEibssi6t3NDR1w3YBeI4uLinUymYc9ZJwBxRujjY
9CNzZuUqSjLAnlIarFj2hon4DvdPwY4Cm8MOkyhjtJUByra547orZHXCpzgKKtPSXFFCKrpKJDO3mbCP9ha%2FXK2VWn4aGJjDUHE50QTjp2Gmtxkt3NpxAhs0Y7WXe8c0O1tKZhr42eZ61NQ4PqdPbdV8dX%2FYywsvlF05yIRGorwSJPKrNaFJ6iKaxX6oryMTEGxoHSFTNvIWWpWtQszUbqpbKyqVCy1AIts6NnpC3qY4CbPohTEW9NaFS%2FtTjbwTso8IAOEeY3vzJ2gnKcLP23%2FKnMcdBQQJgKrpFc0hJFLKNbJwnvNwMp3BsWbMvqx%2F3Hye%2BH3I%2FjJHDGanEmkZf47XGGEWzFruViqMyOTI667YSxmX9hCNNHmPk2pwQYUxxBi%2FCIEsRPMtPP0M%2BipykgYM%2FCM%2BPJaT00kURXu3yfsbBMgmX1DOfn1X9GlB5FB0kIKWuAe65%2BGLvHSX0almMsLMJDCeyCeScfv6wT%2FdEAyKimUz7YFkRebtSbpNNu7IPcs6F8zEZQaIh4L0gqUvww0j7vh7F%2FW9ujL7iR%2FfmYWy1QF0KOy2JxzmWSicnvP4nF93KumPJi9n4UMmQFxOKWea550bW3W9qcrPiuCZdz4yaJ4x1gVwcXb8SyAWwDTlsQmUijIxPogmYkeL%2B3%2BJkzff%2FXEi9%2Bx8%3D).
+##### Key slot access primitives
+
+The state of a key slot is updated via the internal function `psa_key_slot_state_transition`. To change the state of `slot` from `expected_state` to `new_state`, when `new_state` is not `PSA_SLOT_EMPTY`, one must call `psa_key_slot_state_transition(slot, expected_state, new_state)`; if the state was not `expected_state` then `PSA_ERROR_CORRUPTION_DETECTED` is returned. The sole reason for having an expected state parameter here is to help guarantee that our functions work as expected, this error code cannot occur without an internal coding error.
+
+Changing a slot's state to `PSA_SLOT_EMPTY` is done via `psa_wipe_key_slot`, this function wipes the entirety of the key slot.
+
+The reader count of a slot is incremented via `psa_register_read`, and decremented via `psa_unregister_read`. Library functions register to read a slot via the `psa_get_and_lock_key_slot_X` functions, read from the slot, then call `psa_unregister_read` to make known that they have finished reading the slot's contents.
+
+##### Key store consistency and abstraction function
+
+The key store is protected by a single global mutex `mbedtls_threading_key_slot_mutex`.
+
+We maintain the consistency of the key store by ensuring that all reads and writes to `slot->state` and `slot->registered_readers` are performed under `mbedtls_threading_key_slot_mutex`. All the access primitives described above must be called while the mutex is held; there is a convenience function `psa_unregister_read_under_mutex` which wraps a call to `psa_unregister_read` in a mutex lock/unlock pair.
+
+A thread can only traverse the key store while holding `mbedtls_threading_key_slot_mutex`, the set of keys within the key store which the thread holding the mutex can access is equivalent to the set:
+
+ {mbedtls_svc_key_id_t k : (\exists slot := &global_data.key_slots[i]) [
+ (slot->state == PSA_SLOT_FULL) &&
+ (slot->attr.id == k)]}
+
+The union of this set and the set of persistent keys not currently loaded into slots is our abstraction function for the key store, any key not in this union does not currently exist as far as the code is concerned (even if the key is in a slot which has a `PSA_SLOT_FILLING` or `PSA_SLOT_PENDING_DELETION` state). Attempting to start using any key which is not a member of the union will result in a `PSA_ERROR_INVALID_HANDLE` error code.
+
+##### Locking and unlocking the mutex
+
+If a lock or unlock operation fails and this is the first failure within a function, the function will return `PSA_ERROR_SERVICE_FAILURE`. If a lock or unlock operation fails after a different failure has been identified, the status code is not overwritten.
+
+We have defined a set of macros in `library/psa_crypto_core.h` to capture the common pattern of (un)locking the mutex and returning or jumping to an exit label upon failure.
+
+##### Key creation and loading
+
+To load a new key into a slot, the following internal utility functions are used:
+
+* `psa_reserve_free_key_slot` - This function, which must be called under `mbedtls_threading_key_slot_mutex`, iterates through the key store to find a slot whose state is `PSA_SLOT_EMPTY`. If found, it reserves the slot by setting its state to `PSA_SLOT_FILLING`. If not found, it will see if there are any persistent keys loaded which do not have any readers, if there are it will kick one such key out of the key store.
+* `psa_start_key_creation` - This function wraps around `psa_reserve_free_key_slot`, if a slot has been found then the slot id is set. This second step is not done under the mutex, at this point the calling thread has exclusive access to the slot.
+* `psa_finish_key_creation` - After the contents of the key have been loaded (again this loading is not done under the mutex), the thread calls `psa_finish_key_creation`. This function takes the mutex, checks that the key does not exist in the key store (this check cannot be done before this stage), sets the slot's state to `PSA_SLOT_FULL` and releases the mutex. Upon success, any thread is immediately able to use the new key.
+* `psa_fail_key_creation` - If there is a failure at any point in the key creation stage, this clean-up function takes the mutex, wipes the slot, and releases the mutex. Immediately after this unlock, any thread can start to use the slot for another key load.
+
+##### Re-loading persistent keys
+
+As described above, persistent keys can be kicked out of the key slot array provided they are not currently being used (`registered_readers == 0`). When attempting to use a persistent key that has been kicked out of a slot, the call to `psa_get_and_lock_key_slot` will see that the key is not in a slot, call `psa_reserve_free_key_slot` and load the key back into the reserved slot. This entire sequence is done during a single mutex lock, which is necessary for thread-safety (see documentation of `psa_get_and_lock_key_slot`).
+
+If `psa_reserve_free_key_slot` cannot find a suitable slot, the key cannot be loaded back in. This will lead to a `PSA_ERROR_INSUFFICIENT_MEMORY` error.
+
+##### Using existing keys
+
+One-shot operations follow a standard pattern when using an existing key:
+
+* They call one of the `psa_get_and_lock_key_slot_X` functions, which then finds the key and registers the thread as a reader.
+* They operate on the key slot, usually copying the key into a separate buffer to be used by the operation. This step is not performed under the key slot mutex.
+* Once finished, they call `psa_unregister_read_under_mutex`.
+
+Multi-part and restartable operations each have a "setup" function where the key is passed in, these functions follow the above pattern. The key is copied into the `operation` object, and the thread unregisters from reading the key (the operations do not access the key slots again). The copy of the key will not be destroyed during a call to `psa_destroy_key`, the thread running the operation is responsible for deleting its copy in the clean-up. This may need to change to enforce the long term key requirements ([Long term key destruction requirements](#long-term-key-destruction-requirements)).
+
+##### Key destruction implementation
+
+The locking strategy here is explained in `library/psa_crypto.c`. The destroying thread (the thread calling `psa_destroy_key`) does not always wipe the key slot. The destroying thread registers to read the key, sets the slot's state to `PSA_SLOT_PENDING_DELETION`, wipes the slot from memory if the key is persistent, and then unregisters from reading the slot.
+
+`psa_unregister_read` internally calls `psa_wipe_key_slot` if and only if the slot's state is `PSA_SLOT_PENDING_DELETION` and the slot's registered reader counter is equal to 1. This implements a "last one out closes the door" approach. The final thread to unregister from reading a destroyed key will automatically wipe the contents of the slot; no readers remain to reference the slot post deletion, so there cannot be corruption.
+
+### linearizability of the system
+
+To satisfy the requirements in [Correctness out of the box](#correctness-out-of-the-box), we require our functions to be "linearizable" (under certain constraints). This means that any (constraint satisfying) set of concurrent calls are performed as if they were executed in some sequential order.
+
+The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occurred.
+
+We only require linearizability to hold in the case where a resource-management error is not returned. In a set of concurrent calls, it is permitted for a call c to fail with a `PSA_ERROR_INSUFFICIENT_MEMORY` return code even if there does not exist a sequential ordering of the calls in which c returns this error. Even if such an error occurs, all calls are still required to be functionally correct.
+
+To help justify that our system is linearizable, here are the linearization points/planned linearization points of each PSA call :
+
+* Key creation functions (including `psa_copy_key`) - The linearization point for a successful call is the mutex unlock within `psa_finish_key_creation`; it is at this point that the key becomes visible to other threads. The linearization point for a failed call is the closest mutex unlock after the failure is first identified.
+* `psa_destroy_key` - The linearization point for a successful destruction is the mutex unlock, the slot is now in the state `PSA_SLOT_PENDING_DELETION` meaning that the key has been destroyed. For failures, the linearization point is the same.
+* `psa_purge_key`, `psa_close_key` - The linearization point is the mutex unlock after wiping the slot for a success, or unregistering for a failure.
+* One shot operations - The linearization point is the final unlock of the mutex within `psa_get_and_lock_key_slot`, as that is the point in which it is decided whether or not the key exists.
+* Multi-part operations - The linearization point of the key input function is the final unlock of the mutex within `psa_get_and_lock_key_slot`. All other steps have no non resource-related side effects (except for key derivation, covered in the key creation functions).
+
+Please note that one shot operations and multi-part operations are not yet considered thread-safe, as we have not yet tested whether they rely on unprotected global resources. The key slot access in these operations is thread-safe.
+
+## Testing and analysis
+
+### Thread-safe testing
+
+It is now possible for individual tests to spin up multiple threads. This work has made the global variables used in tests thread-safe. If multiple threads fail a test assert, the first failure will be reported with correct line numbers.
+
+Although the `step` feature used in some tests is thread-safe, it may produce unexpected results for multi-threaded tests. `mbedtls_test_set_step` or `mbedtls_test_increment_step` calls within threads can happen in any order, thus may not produce the desired result when precise ordering is required.
+
+### Current state of testing
+
+Our testing is a work in progress. It is not feasible to run our traditional, single-threaded, tests in such a way that tests concurrency. We need to write new test suites for concurrency testing.
+
+Our tests currently only run on pthread, we hope to expand this in the future (our API already allows this).
+
+We run tests using [ThreadSanitizer](https://clang.llvm.org/docs/ThreadSanitizer.html) to detect data races. We test the key store, and test that our key slot state system is enforced. We also test the thread-safety of `psa_crypto_init`.
+
+Currently, not every API call is tested, we also cannot feasibly test every combination of concurrent API calls. API calls can in general be split into a few categories, each category calling the same internal key management functions in the same order - it is the internal functions that are in charge of locking mutexes and interacting with the key store; we test the thread-safety of these functions.
+
+Since we do not run every cryptographic operation concurrently, we do not test that operations are free of unexpected global variables.
+
+### Expanding testing
+
+Through future work on testing, it would be good to:
+
+* For every API call, have a test which runs multiple copies of the call simultaneously.
+* After implementing other threading platforms, expand the tests to these platforms.
+* Have increased testing for kicking persistent keys out of slots.
+* Explicitly test that all global variables are protected, for this we would need to cover every operation in a concurrent scenario while running ThreadSanitizer.
+* Run tests on more threading implementations, once these implementations are supported.
+
+### Performance
+
+Key loading does somewhat run in parallel, deriving the key and copying it key into the slot is not done under any mutex.
+
+Key destruction is entirely sequential, this is required for persistent keys to stop issues with re-loading keys which cannot otherwise be avoided without changing our approach to thread-safety.
+
+
+## Future work
+
+### Long term requirements
+
+As explained previously, we eventually aim to make the entirety of the PSA API thread-safe. This will build on the work that we have already completed. This requires a full suite of testing, see [Expanding testing](#expanding-testing) for details.
+
+### Long term performance requirements
+
+Our plan for cryptographic operations is that they are not performed under any global mutex. One-shot operations and multi-part operations will each only hold the global mutex for finding the relevant key in the key slot, and unregistering as a reader after the operation, using their own operation-specific mutexes to guard any shared data that they use.
+
+We aim to eventually replace some/all of the mutexes with RWLocks, if possible.
+
+### Long term key destruction requirements
+
+The [PSA Crypto Key destruction specification](https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
+
+Here are our long term key destruction goals:
+
+`psa_destroy_key` does not block indefinitely, and when `psa_destroy_key` returns:
+
+1. The key identifier does not exist. This is a functional requirement for persistent keys: any thread can immediately create a new key with the same identifier.
+2. The resources from the key have been freed. This allows threads to create similar keys immediately after destruction, regardless of resources.
+4. No copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to satisfy this security requirement in the future.
+
+#### Condition variables
+
+It would be ideal to add these to a future major version; we cannot add these as requirements to the default `MBEDTLS_THREADING_C` for backwards compatibility reasons.
+
+Condition variables would enable us to fulfil the final requirement in [Long term key destruction requirements](#long-term-key-destruction-requirements). Destruction would then work as follows:
+
+ * When a thread calls `psa_destroy_key`, they continue as normal until the `psa_unregister_read` call.
+ * Instead of calling `psa_unregister_read`, the thread waits until the condition `slot->registered_readers == 1` is true (the destroying thread is the final reader).
+ * At this point, the destroying thread directly calls `psa_wipe_key_slot`.
+
+A few changes are needed for this to follow our destruction requirements:
+
+ * Multi-part operations will need to remain registered as readers of their key slot until their copy of the key is destroyed, i.e. at the end of the finish/abort call.
+ * The functionality where `psa_unregister_read` can wipe the key slot will need to be removed, slot wiping is now only done by the destroying/wiping thread.
+
+### Protecting operation contexts
+
+Currently, we rely on the crypto service to ensure that the same operation is not invoked concurrently. This abides by the PSA Crypto API Specification ([PSA Concurrent calling conventions](#psa-concurrent-calling-conventions)).
+
+Concurrent access to the same operation object can compromise the crypto service. For example, if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement of the crypto service.
+
+If, in future, we want to protect against this within the library then operations will require a status field protected by a global mutex. On entry, API calls would check the state and return an error if the state is ACTIVE. If the state is INACTIVE, then the call will set the state to ACTIVE, do the operation section and then restore the state to INACTIVE before returning.
+
+### Future driver work
+
+A future policy we may wish to enforce for drivers is:
+
+* By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock.
+* Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver.
+* Even with a thread-safe driver, the core never starts the destruction of a key while there are operations in progress on it, and never performs concurrent calls on the same multipart operation.
+
+In the non-thread-safe case we have these natural assumptions/requirements:
+
+1. Drivers don't call the core for any operation for which they provide an entry point.
+2. The core doesn't hold the driver mutex between calls to entry points.
+
+With these, the only way of a deadlock is when there are several drivers with circular dependencies. That is, Driver A makes a call that is dispatched to Driver B; upon executing this call Driver B makes a call that is dispatched to Driver A. For example Driver A does CCM, which calls driver B to do CBC-MAC, which in turn calls Driver A to perform AES.
+
+Potential ways for resolving this:
+
+1. Non-thread-safe drivers must not call the core.
+2. Provide a new public API that drivers can safely call.
+3. Make the dispatch layer public for drivers to call.
+4. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.)
+
+The first is too restrictive, the second and the third would require making it a stable API, and would likely increase the code size for a relatively rare feature. We are choosing the fourth as that is the most viable option.
+
+**Thread-safe drivers:**
+
+A driver would be non-thread-safe if the `thread-safe` property is set to true.
+
+To make re-entrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver core API whitelist.
+
+Thread-safe drivers have fewer guarantees from the core and need to implement more complex logic. We can reasonably expect them to be more flexible in terms of re-entrancy as well. At this point it is hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now.
+
+Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed here.
diff --git a/docs/architecture/testing/driver-interface-test-strategy.md b/docs/architecture/testing/driver-interface-test-strategy.md
index 380fd39..5fc5e18 100644
--- a/docs/architecture/testing/driver-interface-test-strategy.md
+++ b/docs/architecture/testing/driver-interface-test-strategy.md
@@ -114,7 +114,7 @@ We should have at least one driver that covers the whole interface:
A PKCS#11 driver would be a good candidate. It would be useful as part of our product offering.
-## Transparent driver interface testing
+## Unified driver interface testing
The [unified driver interface](../../proposed/psa-driver-interface.md) defines interfaces for accelerators.
@@ -128,6 +128,470 @@ Every cryptographic mechanism for which a transparent driver interface exists (k
The driver interface includes a fallback mechanism so that a driver can reject a request at runtime and let another driver handle the request. For each entry point, there must be at least three test runs with two or more drivers available with driver A configured to fall back to driver B, with one run where A returns `PSA_SUCCESS`, one where A returns `PSA_ERROR_NOT_SUPPORTED` and B is invoked, and one where A returns a different error and B is not invoked.
-## Entropy and randomness interface testing
+### Test drivers
+
+We have test drivers that are enabled by `PSA_CRYPTO_DRIVER_TEST` (not present
+in the usual config files, must be defined on the command line or in a custom
+config file). Those test drivers are implemented in `tests/src/drivers/*.c`
+and their API is declared in `tests/include/test/drivers/*.h`.
+
+We have two test driver registered: `mbedtls_test_opaque_driver` and
+`mbedtls_test_transparent_driver`. These are described in
+`scripts/data_files/driver_jsons/mbedtls_test_xxx_driver.json` (as much as our
+JSON support currently allows). Each of the drivers can potentially implement
+support for several mechanism; conversely, each of the file mentioned in the
+previous paragraph can potentially contribute to both the opaque and the
+transparent test driver.
+
+Each entry point is instrumented to record the number of hits for each part of
+the driver (same division as the files) and the status of the last call. It is
+also possible to force the next call to return a specified status, and
+sometimes more things can be forced: see the various
+`mbedtls_test_driver_XXX_hooks_t` structures declared by each driver (and
+subsections below).
+
+The drivers can use one of two back-ends:
+- internal: this requires the built-in implementation to be present.
+- libtestdriver1: this allows the built-in implementation to be omitted from
+ the build.
+
+Historical note: internal was initially the only back-end; then support for
+libtestdriver1 was added gradually. Support for libtestdriver1 is now complete
+(see following sub-sections), so we could remove internal now. Note it's
+useful to have builds with both a driver and the built-in, in order to test
+fallback to built-in, which is currently done only with internal, but this can
+be achieved with libtestdriver1 just as well.
+
+Note on instrumentation: originally, when only the internal backend was
+available, hits were how we knew that the driver was called, as opposed to
+directly calling the built-in code. With libtestdriver1, we can check that by
+ensuring that the built-in code is not present, so if the operation gives the
+correct result, only a driver call can have calculated that result. So,
+nowadays there is low value in checking the hit count. There is still some
+value for hit counts, e.g. checking that we don't call a multipart entry point
+when we intended to call the one-shot entry point, but it's limited.
+
+Note: our test drivers tend to provide all possible entry points (with a few
+exceptions that may not be intentional, see the next sections). However, in
+some cases, when an entry point is not available, the core is supposed to
+implement it using other entry points, for example:
+- `mac_verify` may use `mac_compute` if the driver does no provide verify;
+- for things that have both one-shot and multi-part API, the driver can
+ provide only the multi-part entry points, and the core is supposed to
+implement one-shot on top of it (but still call the one-shot entry points when
+they're available);
+- `sign/verify_message` can be implemented on top of `sign/verify_hash` for
+ some algorithms;
+- (not sure if the list is exhaustive).
+
+Ideally, we'd want build options for the test drivers so that we can test with
+different combinations of entry points present, and make sure the core behaves
+appropriately when some entry points are absent but other entry points allow
+implementing the operation. This will remain hard to test until we have proper
+support for JSON-defined drivers with auto-generation of dispatch code.
+(The `MBEDTLS_PSA_ACCEL_xxx` macros we currently use are not expressive enough
+to specify which entry points are supported for a given mechanism.)
+
+Our implementation of PSA Crypto is structured in a way that the built-in
+implementation of each operation follows the driver API, see
+[`../architecture/psa-crypto-implementation-structure.md`](../architecture/psa-crypto-implementation-structure.html).
+This makes implementing the test drivers very easy: each entry point has a
+corresponding `mbedtls_psa_xxx()` function that it can call as its
+implementation - with the `libtestdriver1` back-end the function is called
+`libtestdriver1_mbedtls_psa_xxx()` instead.
+
+A nice consequence of that strategy is that when an entry point has
+test-driver support, most of the time, it automatically works for all
+algorithms and key types supported by the library. (The exception being when
+the driver needs to call a different function for different key types, as is
+the case with some asymmetric key management operations.) (Note: it's still
+useful to test drivers in configurations with partial algorithm support, and
+that can still be done by configuring libtestdriver1 and the main library as
+desired.)
+
+The renaming process for `libtestdriver1` is implemented as a few Perl regexes
+applied to a copy of the library code, see the `libtestdriver1.a` target in
+`tests/Makefile`. Another modification that's done to this copy is appending
+`tests/include/test/drivers/crypto_config_test_driver_extension.h` to
+`psa/crypto_config.h`. This file reverses the `ACCEL`/`BUILTIN` macros so that
+`libtestdriver1` includes as built-in what the main `libmbedcrypto.a` will
+have accelerated; see that file's initial comment for details. See also
+`helper_libtestdriver1_` functions and the preceding comment in `all.sh` for
+how libtestdriver is used in practice.
+
+This general framework needs specific code for each family of operations. At a
+given point in time, not all operations have the same level of support. The
+following sub-sections describe the status of the test driver support, mostly
+following the structure and order of sections 9.6 and 10.2 to 10.10 of the
+[PSA Crypto standard](https://arm-software.github.io/psa-api/crypto/1.1/) as
+that is also a natural division for implementing test drivers (that's how the
+code is divided into files).
+
+#### Key management
+
+The following entry points are declared in `test/drivers/key_management.h`:
+
+- `"init"` (transparent and opaque)
+- `"generate_key"` (transparent and opaque)
+- `"export_public_key"` (transparent and opaque)
+- `"import_key"` (transparent and opaque)
+- `"export_key"` (opaque only)
+- `"get_builtin_key"` (opaque only)
+- `"copy_key"` (opaque only)
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque's driver implementation status is as follows:
+- `"generate_key"`: not implemented, always returns `NOT_SUPPORTED`.
+- `"export_public_key"`: implemented only for ECC and RSA keys, both backends.
+- `"import_key"`: implemented except for DH keys, both backends.
+- `"export_key"`: implemented for built-in keys (ECC and AES), and for
+ non-builtin keys except DH keys. (Backend not relevant.)
+- `"get_builtin_key"`: implemented - provisioned keys: AES-128 and ECC
+ secp2456r1. (Backend not relevant.)
+- `"copy_key"`: implemented - emulates a SE without storage. (Backend not
+ relevant.)
+
+Note: the `"init"` entry point is not part of the "key management" family, but
+listed here as it's declared and implemented in the same file. With the
+transparent driver and the libtestdriver1 backend, it calls
+`libtestdriver1_psa_crypto_init()`, which partially but not fully ensures
+that this entry point is called before other entry points in the test drivers.
+With the opaque driver, this entry point just does nothing an returns success.
+
+The following entry points are defined by the driver interface but missing
+from our test drivers:
+- `"allocate_key"`, `"destroy_key"`: this is for opaque drivers that store the
+ key material internally.
+
+Note: the instrumentation also allows forcing the output and its length.
+
+#### Message digests (Hashes)
+
+The following entry points are declared (transparent only):
+- `"hash_compute"`
+- `"hash_setup"`
+- `"hash_clone"`
+- `"hash_update"`
+- `"hash_finish"`
+- `"hash_abort"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+This familly is not part of the opaque driver as it doesn't use keys.
+
+#### Message authentication codes (MAC)
+
+The following entry points are declared (transparent and opaque):
+- `"mac_compute"`
+- `"mac_sign_setup"`
+- `"mac_verify_setup"`
+- `"mac_update"`
+- `"mac_sign_finish"`
+- `"mac_verify_finish"`
+- `"mac_abort"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver only implements the instrumentation but not the actual
+operations: entry points will always return `NOT_SUPPORTED`, unless another
+status is forced.
+
+The following entry points are not implemented:
+- `mac_verify`: this mostly makes sense for opaque drivers; the core will fall
+ back to using `"mac_compute"` if this is not implemented. So, perhaps
+ideally we should test both with `"mac_verify"` implemented and with it not
+implemented? Anyway, we have a test gap here.
+
+#### Unauthenticated ciphers
+
+The following entry points are declared (transparent and opaque):
+- `"cipher_encrypt"`
+- `"cipher_decrypt"`
+- `"cipher_encrypt_setup"`
+- `"cipher_decrypt_setup"`
+- `"cipher_set_iv"`
+- `"cipher_update"`
+- `"cipher_finish"`
+- `"cipher_abort"`
-TODO
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver is not implemented at all, neither instumentation nor the
+operation: entry points always return `NOT_SUPPORTED`.
+
+Note: the instrumentation also allows forcing a specific output and output
+length.
+
+#### Authenticated encryption with associated data (AEAD)
+
+The following entry points are declared (transparent only):
+- `"aead_encrypt"`
+- `"aead_decrypt"`
+- `"aead_encrypt_setup"`
+- `"aead_decrypt_setup"`
+- `"aead_set_nonce"`
+- `"aead_set_lengths"`
+- `"aead_update_ad"`
+- `"aead_update"`
+- `"aead_finish"`
+- `"aead_verify"`
+- `"aead_abort"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver does not implement or even declare entry points for this
+family.
+
+Note: the instrumentation records the number of hits per entry point, not just
+the total number of hits for this family.
+
+#### Key derivation
+
+Not covered at all by the test drivers.
+
+That's a test gap which reflects a feature gap: the driver interface does
+define a key derivation family of entry points, but we don't currently
+implement that part of the driver interface, see #5488 and related issues.
+
+#### Asymmetric signature
+
+The following entry points are declared (transparent and opaque):
+
+- `"sign_message"`
+- `"verify_message"`
+- `"sign_hash"`
+- `"verify_hash"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver is not implemented at all, neither instumentation nor the
+operation: entry points always return `NOT_SUPPORTED`.
+
+Note: the instrumentation also allows forcing a specific output and output
+length, and has two instance of the hooks structure: one for sign, the other
+for verify.
+
+Note: when a driver implements only the `"xxx_hash"` entry points, the core is
+supposed to implement the `psa_xxx_message()` functions by computing the hash
+itself before calling the `"xxx_hash"` entry point. Since the test driver does
+implement the `"xxx_message"` entry point, it's not exercising that part of
+the core's expected behaviour.
+
+#### Asymmetric encryption
+
+The following entry points are declared (transparent and opaque):
+
+- `"asymmetric_encrypt"`
+- `"asymmetric_decrypt"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver implements the declared entry points, and can use any
+backend: internal or libtestdriver1. However it does not implement the
+instrumentation (hits, forced output/status), as this [was not an immediate
+priority](https://github.com/Mbed-TLS/mbedtls/pull/8700#issuecomment-1892466159).
+
+Note: the instrumentation also allows forcing a specific output and output
+length.
+
+#### Key agreement
+
+The following entry points are declared (transparent and opaque):
+
+- `"key_agreement"`
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver is not implemented at all, neither instumentation nor the
+operation: entry points always return `NOT_SUPPORTED`.
+
+Note: the instrumentation also allows forcing a specific output and output
+length.
+
+#### Other cryptographic services (Random number generation)
+
+Not covered at all by the test drivers.
+
+The driver interface defines a `"get_entropy"` entry point, as well as a
+"Random generation" family of entry points. None of those are currently
+implemented in the library. Part of it will be planned for 4.0, see #8150.
+
+#### PAKE extension
+
+The following entry points are declared (transparent only):
+- `"pake_setup"`
+- `"pake_output"`
+- `"pake_input"`
+- `"pake_get_implicit_key"`
+- `"pake_abort"`
+
+Note: the instrumentation records hits per entry point and allows forcing the
+output and its length, as well as forcing the status of setup independently
+from the others.
+
+The transparent driver fully implements the declared entry points, and can use
+any backend: internal or libtestdriver1.
+
+The opaque driver does not implement or even declare entry points for this
+family.
+
+### Driver wrapper test suite
+
+We have a test suite dedicated to driver dispatch, which takes advantage of the
+instrumentation in the test drivers described in the previous section, in
+order to check that drivers are called when they're supposed to, and that the
+core behaves as expected when they return errors (in particular, that we fall
+back to the built-in implementation when the driver returns `NOT_SUPPORTED`).
+
+This is `test_suite_psa_crypto_driver_wrappers`, which is maintained manually
+(that is, the test cases in the `.data` files are not auto-generated). The
+entire test suite depends on the test drivers being enabled
+(`PSA_CRYPTO_DRIVER_TEST`), which is not the case in the default or full
+config.
+
+The test suite is focused on driver usage (mostly by checking the expected
+number of hits) but also does some validation of the results: for
+deterministic algorithms, known-answers tests are used, and for the rest, some
+consistency checks are done (more or less detailled depending on the algorithm
+and build configuration).
+
+#### Configurations coverage
+
+The driver wrappers test suite has cases that expect both the driver and the
+built-in to be present, and also cases that expect the driver to be present
+but not the built-in. As such, it's impossible for a single configuration to
+run all test cases, and we need at least two: driver+built-in, and
+driver-only.
+
+- The driver+built-in case is covered by `test_psa_crypto_drivers` in `all.sh`.
+This covers all areas (key types and algs) at once.
+- The driver-only case is split into multiple `all.sh` components whose names
+ start with `test_psa_crypto_config_accel`; we have one or more component per
+area, see below.
+
+Here's a summary of driver-only coverage, grouped by families of key types.
+
+Hash (key types: none)
+- `test_psa_crypto_config_accel_hash`: all algs, default config, no parity
+ testing.
+- `test_psa_crypto_config_accel_hash_use_psa`: all algs, full config, with
+ parity testing.
+
+HMAC (key type: HMAC)
+- `test_psa_crypto_config_accel_hmac`: all algs, full config except a few
+ exclusions (PKCS5, PKCS7, HMAC-DRBG, legacy HKDF, deterministic ECDSA), with
+parity testing.
+
+Cipher, AEAD and CMAC (key types: DES, AES, ARIA, CHACHA20, CAMELLIA):
+- `test_psa_crypto_config_accel_cipher_aead_cmac`: all key types and algs, full
+ config with a few exclusions (NIST-KW), with parity testing.
+- `test_psa_crypto_config_accel_des`: only DES (with all algs), full
+ config, no parity testing.
+- `test_psa_crypto_config_accel_aead`: only AEAD algs (with all relevant key
+ types), full config, no parity testing.
+
+Key derivation (key types: `DERIVE`, `RAW_DATA`, `PASSWORD`, `PEPPER`,
+`PASSWORD_HASH`):
+- No testing as we don't have driver support yet (see previous section).
+
+RSA (key types: `RSA_KEY_PAIR_xxx`, `RSA_PUBLIC_KEY`):
+- `test_psa_crypto_config_accel_rsa_crypto`: all 4 algs (encryption &
+ signature, v1.5 & v2.1), config `crypto_full`, with parity testing excluding
+PK.
+
+DH (key types: `DH_KEY_PAIR_xxx`, `DH_PUBLIC_KEY`):
+- `test_psa_crypto_config_accel_ffdh`: all key types and algs, full config,
+ with parity testing.
+- `test_psa_crypto_config_accel_ecc_ffdh_no_bignum`: with also bignum removed.
+
+ECC (key types: `ECC_KEY_PAIR_xxx`, `ECC_PUBLIC_KEY`):
+- Single algorithm accelerated (both key types, all curves):
+ - `test_psa_crypto_config_accel_ecdh`: default config, no parity testing.
+ - `test_psa_crypto_config_accel_ecdsa`: default config, no parity testing.
+ - `test_psa_crypto_config_accel_pake`: full config, no parity testing.
+- All key types, algs and curves accelerated (full config with exceptions,
+ with parity testing):
+ - `test_psa_crypto_config_accel_ecc_ecp_light_only`: `ECP_C` mostly disabled
+ - `test_psa_crypto_config_accel_ecc_no_ecp_at_all`: `ECP_C` fully disabled
+ - `test_psa_crypto_config_accel_ecc_no_bignum`: `BIGNUM_C` disabled (DH disabled)
+ - `test_psa_crypto_config_accel_ecc_ffdh_no_bignum`: `BIGNUM_C` disabled (DH accelerated)
+- Other - all algs accelerated but only some algs/curves (full config with
+ exceptions, no parity testing):
+ - `test_psa_crypto_config_accel_ecc_some_key_types`
+ - `test_psa_crypto_config_accel_ecc_non_weierstrass_curves`
+ - `test_psa_crypto_config_accel_ecc_weierstrass_curves`
+
+Note: `analyze_outcomes.py` provides a list of test cases that are not
+executed in any configuration tested on the CI. We're missing driver-only HMAC
+testing, but no test is flagged as never executed there; this reveals we don't
+have "fallback not available" cases for MAC, see #8565.
+
+#### Test case coverage
+
+Since `test_suite_psa_crypto_driver_wrappers.data` is maintained manually,
+we need to make sure it exercises all the cases that need to be tested. In the
+future, this file should be generated in order to ensure exhaustiveness.
+
+In the meantime, one way to observe (lack of) completeness is to look at line
+coverage in test driver implementaitons - this doesn't reveal all gaps, but it
+does reveal cases where we thought about something when writing the test
+driver, but not when writing test functions/data.
+
+Key management:
+- `mbedtls_test_transparent_generate_key()` is not tested with RSA keys.
+- `mbedtls_test_transparent_import_key()` is not tested with DH keys.
+- `mbedtls_test_opaque_import_key()` is not tested with unstructured keys nor
+ with RSA keys (nor DH keys since that's not implemented).
+- `mbedtls_test_opaque_export_key()` is not tested with non-built-in keys.
+- `mbedtls_test_transparent_export_public_key()` is not tested with RSA or DH keys.
+- `mbedtls_test_opaque_export_public_key()` is not tested with non-built-in keys.
+- `mbedtls_test_opaque_copy_key()` is not tested at all.
+
+Hash:
+- `mbedtls_test_transparent_hash_finish()` is not tested with a forced status.
+
+MAC:
+- The following are not tested with a forced status:
+ - `mbedtls_test_transparent_mac_sign_setup()`
+ - `mbedtls_test_transparent_mac_verify_setup()`
+ - `mbedtls_test_transparent_mac_update()`
+ - `mbedtls_test_transparent_mac_verify_finish()`
+ - `mbedtls_test_transparent_mac_abort()`
+- No opaque entry point is tested (they're not implemented either).
+
+Cipher:
+- The following are not tested with a forced status nor with a forced output:
+ - `mbedtls_test_transparent_cipher_encrypt()`
+ - `mbedtls_test_transparent_cipher_finish()`
+- No opaque entry point is tested (they're not implemented either).
+
+AEAD:
+- The following are not tested with a forced status:
+ - `mbedtls_test_transparent_aead_set_nonce()`
+ - `mbedtls_test_transparent_aead_set_lengths()`
+ - `mbedtls_test_transparent_aead_update_ad()`
+ - `mbedtls_test_transparent_aead_update()`
+ - `mbedtls_test_transparent_aead_finish()`
+ - `mbedtls_test_transparent_aead_verify()`
+- `mbedtls_test_transparent_aead_verify()` is not tested with an invalid tag
+ (though it might be in another test suite).
+
+Signature:
+- `sign_hash()` is not tested with RSA-PSS
+- No opaque entry point is tested (they're not implemented either).
+
+Key agreement:
+- `mbedtls_test_transparent_key_agreement()` is not tested with FFDH.
+- No opaque entry point is tested (they're not implemented either).
+
+PAKE:
+- All lines are covered.
diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
index 6db0e54..d6fc19e 100644
--- a/docs/architecture/tls13-support.md
+++ b/docs/architecture/tls13-support.md
@@ -4,17 +4,8 @@ TLS 1.3 support
Overview
--------
-Mbed TLS provides a partial implementation of the TLS 1.3 protocol defined in
-the "Support description" section below. The TLS 1.3 support enablement
-is controlled by the MBEDTLS_SSL_PROTO_TLS1_3 configuration option.
-
-The development of the TLS 1.3 protocol is based on the TLS 1.3 prototype
-located at https://github.com/hannestschofenig/mbedtls. The prototype is
-itself based on a version of the development branch that we aim to keep as
-recent as possible (ideally the head) by merging regularly commits of the
-development branch into the prototype. The section "Prototype upstreaming
-status" below describes what remains to be upstreamed.
-
+Mbed TLS provides an implementation of the TLS 1.3 protocol. The TLS 1.3 support
+may be enabled using the MBEDTLS_SSL_PROTO_TLS1_3 configuration option.
Support description
-------------------
@@ -26,14 +17,14 @@ Support description
- Mbed TLS supports ECDHE key establishment.
- - Mbed TLS does not support DHE key establishment.
+ - Mbed TLS supports DHE key establishment.
- Mbed TLS supports pre-shared keys for key establishment, pre-shared keys
provisioned externally as well as provisioned via the ticket mechanism.
- Mbed TLS supports session resumption via the ticket mechanism.
- - Mbed TLS does not support sending or receiving early data (0-RTT data).
+ - Mbed TLS supports sending and receiving early data (0-RTT data).
- Supported cipher suites: depends on the library configuration. Potentially
all of them:
@@ -51,7 +42,7 @@ Support description
| signature_algorithms | YES |
| use_srtp | no |
| heartbeat | no |
- | apln | YES |
+ | alpn | YES |
| signed_certificate_timestamp | no |
| client_certificate_type | no |
| server_certificate_type | no |
@@ -59,7 +50,7 @@ Support description
| key_share | YES |
| pre_shared_key | YES |
| psk_key_exchange_modes | YES |
- | early_data | no |
+ | early_data | YES |
| cookie | no |
| supported_versions | YES |
| certificate_authorities | no |
@@ -71,7 +62,8 @@ Support description
Potentially all ECDHE groups:
secp256r1, x25519, secp384r1, x448 and secp521r1.
- Finite field groups (DHE) are not supported.
+ Potentially all DHE groups:
+ ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 and ffdhe8192.
- Supported signature algorithms (both for certificates and CertificateVerify):
depends on the library configuration.
@@ -105,7 +97,7 @@ Support description
| Mbed TLS configuration option | Support |
| ---------------------------------------- | ------- |
- | MBEDTLS_SSL_ALL_ALERT_MESSAGES | no |
+ | MBEDTLS_SSL_ALL_ALERT_MESSAGES | yes |
| MBEDTLS_SSL_ASYNC_PRIVATE | no |
| MBEDTLS_SSL_CONTEXT_SERIALIZATION | no |
| MBEDTLS_SSL_DEBUG_ALL | no |
@@ -167,33 +159,6 @@ Support description
TLS 1.3 specification.
-Prototype upstreaming status
-----------------------------
-
-The following parts of the TLS 1.3 prototype remain to be upstreamed:
-
-- Sending (client) and receiving (server) early data (0-RTT data).
-
-- New TLS Message Processing Stack (MPS)
-
- The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer,
- encompassing low-level details such as record parsing, handshake reassembly, and
- DTLS retransmission state machine.
-
- MPS has the following components:
- - Layer 1 (Datagram handling)
- - Layer 2 (Record handling)
- - Layer 3 (Message handling)
- - Layer 4 (Retransmission State Machine)
- - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data)
- - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data)
-
- Of those components, the following have been upstreamed
- as part of `MBEDTLS_SSL_PROTO_TLS1_3`:
-
- - Reader ([`library/mps_reader.h`](../../library/mps_reader.h))
-
-
Coding rules checklist for TLS 1.3
----------------------------------
@@ -266,10 +231,6 @@ TLS 1.3 specific coding rules:
- the macro to check for data when reading from an input buffer
`MBEDTLS_SSL_CHK_BUF_READ_PTR`.
- These macros were introduced after the prototype was written thus are
- likely not to be used in prototype where we now would use them in
- development.
-
The three first types, MBEDTLS_BYTE_{0-8}, MBEDTLS_PUT_UINT{8|16|32|64}_BE
and MBEDTLS_GET_UINT{8|16|32|64}_BE improve the readability of the code and
reduce the risk of writing or reading bytes in the wrong order.
@@ -472,175 +433,3 @@ outbound message on server side as well.
* state change: the state change is done in the main state handler to ease
the navigation of the state machine transitions.
-
-
-Writing and reading early or 0-RTT data
----------------------------------------
-
-An application function to write and send a buffer of data to a server through
-TLS may plausibly look like:
-
-```
-int write_data( mbedtls_ssl_context *ssl,
- const unsigned char *data_to_write,
- size_t data_to_write_len,
- size_t *data_written )
-{
- *data_written = 0;
-
- while( *data_written < data_to_write_len )
- {
- ret = mbedtls_ssl_write( ssl, data_to_write + *data_written,
- data_to_write_len - *data_written );
-
- if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- {
- return( ret );
- }
-
- *data_written += ret;
- }
-
- return( 0 );
-}
-```
-where ssl is the SSL context to use, data_to_write the address of the data
-buffer and data_to_write_len the number of data bytes. The handshake may
-not be completed, not even started for the SSL context ssl when the function is
-called and in that case the mbedtls_ssl_write() API takes care transparently of
-completing the handshake before to write and send data to the server. The
-mbedtls_ssl_write() may not been able to write and send all data in one go thus
-the need for a loop calling it as long as there are still data to write and
-send.
-
-An application function to write and send early data and only early data,
-data sent during the first flight of client messages while the handshake is in
-its initial phase, would look completely similar but the call to
-mbedtls_ssl_write_early_data() instead of mbedtls_ssl_write().
-```
-int write_early_data( mbedtls_ssl_context *ssl,
- const unsigned char *data_to_write,
- size_t data_to_write_len,
- size_t *data_written )
-{
- *data_written = 0;
-
- while( *data_written < data_to_write_len )
- {
- ret = mbedtls_ssl_write_early_data( ssl, data_to_write + *data_written,
- data_to_write_len - *data_written );
-
- if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- {
- return( ret );
- }
-
- *data_written += ret;
- }
-
- return( 0 );
-}
-```
-Note that compared to write_data(), write_early_data() can also return
-MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA and that should be handled
-specifically by the user of write_early_data(). A fresh SSL context (typically
-just after a call to mbedtls_ssl_setup() or mbedtls_ssl_session_reset()) would
-be expected when calling `write_early_data`.
-
-All together, code to write and send a buffer of data as long as possible as
-early data and then as standard post-handshake application data could
-plausibly look like:
-
-```
-ret = write_early_data( ssl, data_to_write, data_to_write_len,
- &early_data_written );
-if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA )
-{
- goto error;
-}
-
-ret = write_data( ssl, data_to_write + early_data_written,
- data_to_write_len - early_data_written, &data_written );
-if( ret < 0 )
- goto error;
-
-data_written += early_data_written;
-```
-
-Finally, taking into account that the server may reject early data, application
-code to write and send a buffer of data could plausibly look like:
-```
-ret = write_early_data( ssl, data_to_write, data_to_write_len,
- &early_data_written );
-if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA )
-{
- goto error;
-}
-
-/*
- * Make sure the handshake is completed as it is a requisite to
- * mbedtls_ssl_get_early_data_status().
- */
-while( !mbedtls_ssl_is_handshake_over( ssl ) )
-{
- ret = mbedtls_ssl_handshake( ssl );
- if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- {
- goto error;
- }
-}
-
-ret = mbedtls_ssl_get_early_data_status( ssl );
-if( ret < 0 )
- goto error;
-
-if( ret == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED )
- early_data_written = 0;
-
-ret = write_data( ssl, data_to_write + early_data_written,
- data_to_write_len - early_data_written, &data_written );
-if( ret < 0 )
- goto error;
-
-data_written += early_data_written;
-```
-
-Basically, the same holds for reading early data on the server side without the
-complication of possible rejection. An application function to read early data
-into a given buffer could plausibly look like:
-```
-int read_early_data( mbedtls_ssl_context *ssl,
- unsigned char *buffer,
- size_t buffer_size,
- size_t *data_len )
-{
- *data_len = 0;
-
- while( *data_len < buffer_size )
- {
- ret = mbedtls_ssl_read_early_data( ssl, buffer + *data_len,
- buffer_size - *data_len );
-
- if( ret < 0 &&
- ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- {
- return( ret );
- }
-
- *data_len += ret;
- }
-
- return( 0 );
-}
-```
-with again calls to read_early_data() expected to be done with a fresh SSL
-context.
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index 4bad2e8..5d950b0 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -16,6 +16,7 @@ driver.
In order to have some mechanism provided only by a driver, you'll want
the following compile-time configuration options enabled:
+
- `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto.
- `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
@@ -28,6 +29,7 @@ mechanism through the PSA API in Mbed
TLS](proposed/psa-conditional-inclusion-c.md) for details.
In addition, for each mechanism you want provided only by your driver:
+
- Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this
means the algorithm will be available in the PSA Crypto API.
- Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be
@@ -52,9 +54,21 @@ Mechanisms covered
------------------
For now, only the following (families of) mechanisms are supported:
+
- hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
- elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
- finite-field Diffie-Hellman: FFDH algorithm, DH key types.
+- RSA: PKCS#1 v1.5 and v2.1 signature and encryption algorithms, RSA key types
+ (for now, only crypto, no X.509 or TLS support).
+- AEADs:
+ - GCM and CCM with AES, ARIA and Camellia key types
+ - ChachaPoly with ChaCha20 Key type
+- Unauthenticated ciphers:
+ - key types: AES, ARIA, Camellia, DES
+ - modes: ECB, CBC, CTR, CFB, OFB, XTS
+
+For each family listed above, all the mentioned alorithms/key types are also
+all the mechanisms that exist in PSA API.
Supported means that when those are provided only by drivers, everything
(including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should
@@ -62,18 +76,13 @@ work in the same way as if the mechanisms where built-in, except as documented
in the "Limitations" sub-sections of the sections dedicated to each family
below.
-In the near future (end of 2023), we are planning to also add support for
-ciphers (AES) and AEADs (GCM, CCM, ChachaPoly).
-
-Currently (mid-2023) we don't have plans to extend this to RSA. If
-you're interested in driver-only support for RSA, please let us know.
-
Hashes
------
It is possible to have all hash operations provided only by a driver.
More precisely:
+
- you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided
you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled;
- and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`,
@@ -92,19 +101,43 @@ considerations](#general-considerations) above.
If you want to check at compile-time whether a certain hash algorithm is
available in the present build of Mbed TLS, regardless of whether it's
provided by a driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from
`psa/crypto.h`;
- for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from
- `mbedtls/md.h`.
+ `mbedtls/config_adjust_legacy_crypto.h`.
+
+### HMAC
+
+In addition to accelerated hash operations, it is also possible to accelerate
+HMAC by enabling and accelerating:
+- HMAC algorithm and key type, i.e. `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_HMAC` and
+ `[PSA_WANT|MBEDTLS_PSA_ACCEL]KEY_TYPE_HMAC`.
+- Required hash algorithm(s) as explained in [Hashes](#hashes) section.
+
+In such a build it is possible to disable legacy HMAC support by disabling
+`MBEDTLS_MD_C` and still getting crypto operations, X.509 and TLS to work as
+usual. Exceptions are:
+- As mentioned in [Hashes](#hashes) direct calls to legacy lo-level hash APIs
+ (`mbedtls_sha256()` etc.) will not be possible for the legacy modules that
+ are disabled.
+- Legacy HMAC support (`mbedtls_md_hmac_xxx()`) won't be possible.
+- `MBEDTLS_PKCS[5|7]_C`, `MBEDTLS_HMAC_DRBG_C` and `MBEDTLS_HKDF_C` since they
+ depend on the legacy implementation of HMAC.
+ - disabling HMAC_DRBG_C cause deterministic ECDSA (i.e.
+ `MBEDTLS_DETERMINISTIC_ECDSA` on the legacy side and
+ `PSA_WANT_ALG_DETERMINISTIC_ECDSA` on the PSA one) to be not available.
Elliptic-curve cryptography (ECC)
---------------------------------
It is possible to have most ECC operations provided only by a driver:
+
- the ECDH, ECDSA and EC J-PAKE algorithms;
- key import, export, and random generation.
More precisely, if:
+
- you have driver support for ECC public and using private keys (that is,
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and
@@ -113,6 +146,7 @@ More precisely, if:
`MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well);
then you can:
+
- enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided
`MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled
- enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided
@@ -121,6 +155,7 @@ then you can:
`MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled.
In addition, if:
+
- none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled
(see conditions above), and
- you have driver support for all enabled ECC key pair operations - that is,
@@ -132,9 +167,11 @@ then you can also disable `MBEDTLS_ECP_C`. However, a small subset of it might
still be included in the build, see limitations sub-section below.
In addition, if:
-- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below), and
-- support for RSA key types and algorithms is fully disabled, and
-- support for DH key types and the FFDH algorithm is either disabled, or
+
+- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below),
+- and support for RSA key types and algorithms is either fully disabled or
+ fully provided by a driver,
+- and support for DH key types and the FFDH algorithm is either disabled or
fully provided by a driver,
then you can also disable `MBEDTLS_BIGNUM_C`.
@@ -142,6 +179,7 @@ then you can also disable `MBEDTLS_BIGNUM_C`.
In such builds, all crypto operations via the PSA Crypto API will work as
usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is
enabled, with the following exceptions:
+
- direct calls to APIs from the disabled modules are not possible;
- PK, X.509 and TLS will not support restartable ECC operations (see
limitation sub-section below).
@@ -149,6 +187,7 @@ enabled, with the following exceptions:
If you want to check at compile-time whether a certain curve is available in
the present build of Mbed TLS, regardless of whether ECC is provided by a
driver or built-in, you should use the following macros:
+
- for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from
`psa/crypto.h`;
- for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from
@@ -164,6 +203,7 @@ automatically defined when enabling `MBEDTLS_PSA_P256M_DRIVER_ENABLED`.
A limited subset of `ecp.c` will still be automatically re-enabled if any of
the following is enabled:
+
- `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the
public part is in compressed format;
- `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the
@@ -237,6 +277,189 @@ The same holds for the associated algorithm:
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
removing builtin support (i.e. `MBEDTLS_DHM_C`).
-### Limitations
-Support for deterministic derivation of a DH keypair
-(i.e. `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE`) is not supported.
+Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the
+Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer
+of Mbed TLS only supports DHE cipher suites if built-in FFDH
+(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+
+RSA
+---
+
+It is possible for all RSA operations to be provided only by a driver.
+
+More precisely, if:
+
+- all the RSA algorithms that are enabled (`PSA_WANT_ALG_RSA_*`) are also
+ accelerated (`MBEDTLS_PSA_ACCEL_ALG_RSA_*`),
+- and all the RSA key types that are enabled (`PSA_WANT_KEY_TYPE_RSA_*`) are
+ also accelerated (`MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_*`),
+
+then you can disable `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15` and
+`MBEDTLS_PKCS1_V21`, and RSA will still work in PSA Crypto.
+
+### Limitations on RSA acceleration
+
+Unlike other mechanisms, for now in configurations with driver-only RSA, only
+PSA Crypto works. In particular, PK, X.509 and TLS will _not_ work with
+driver-only RSA even if `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+
+Currently (early 2024) we don't have plans to extend this support. If you're
+interested in wider driver-only support for RSA, please let us know.
+
+Ciphers (unauthenticated and AEAD)
+----------------------------------
+
+It is possible to have all ciphers and AEAD operations provided only by a
+driver. More precisely, for each desired combination of key type and
+algorithm/mode you can:
+
+- Enable desired PSA key type(s):
+ - `PSA_WANT_KEY_TYPE_AES`,
+ - `PSA_WANT_KEY_TYPE_ARIA`,
+ - `PSA_WANT_KEY_TYPE_CAMELLIA`,
+ - `PSA_WANT_KEY_TYPE_CHACHA20`,
+ - `PSA_WANT_KEY_TYPE_DES`.
+- Enable desired PSA algorithm(s):
+ - Unauthenticated ciphers modes:
+ - `PSA_WANT_ALG_CBC_NO_PADDING`,
+ - `PSA_WANT_ALG_CBC_PKCS7`,
+ - `PSA_WANT_ALG_CCM_STAR_NO_TAG`,
+ - `PSA_WANT_ALG_CFB`,
+ - `PSA_WANT_ALG_CTR`,
+ - `PSA_WANT_ALG_ECB_NO_PADDING`,
+ - `PSA_WANT_ALG_OFB`,
+ - `PSA_WANT_ALG_STREAM_CIPHER`.
+ - AEADs:
+ - `PSA_WANT_ALG_CCM`,
+ - `PSA_WANT_ALG_GCM`,
+ - `PSA_WANT_ALG_CHACHA20_POLY1305`.
+- Enable `MBEDTLS_PSA_ACCEL_[KEY_TYPE_xxx|ALG_yyy]` symbol(s) which correspond
+ to the `PSA_WANT_KEY_TYPE_xxx` and `PSA_WANT_ALG_yyy` of the previous steps.
+- Disable builtin support of key types:
+ - `MBEDTLS_AES_C`,
+ - `MBEDTLS_ARIA_C`,
+ - `MBEDTLS_CAMELLIA_C`,
+ - `MBEDTLS_DES_C`,
+ - `MBEDTLS_CHACHA20_C`.
+ and algorithms/modes:
+ - `MBEDTLS_CBC_C`,
+ - `MBEDTLS_CFB_C`,
+ - `MBEDTLS_CTR_C`,
+ - `MBEDTLS_OFB_C`,
+ - `MBEDTLS_XTS_C`,
+ - `MBEDTLS_CCM_C`,
+ - `MBEDTLS_GCM_C`,
+ - `MBEDTLS_CHACHAPOLY_C`,
+ - `MBEDTLS_NULL_CIPHER`.
+
+Once a key type and related algorithm are accelerated, all the PSA Crypto APIs
+will work, as well as X.509 and TLS (with `MBEDTLS_USE_PSA_CRYPTO` enabled) but
+some non-PSA APIs will be absent or have reduced functionality, see
+[Restrictions](#restrictions) for details.
+
+### Restrictions
+
+- If an algorithm other than CCM and GCM (see
+ ["Partial acceleration for CCM/GCM"](#partial-acceleration-for-ccmgcm) below)
+ is enabled but not accelerated, then all key types that can be used with it
+ will need to be built-in.
+- If a key type is enabled but not accelerated, then all algorithms that can be
+ used with it will need to be built-in.
+
+Some legacy modules can't take advantage of PSA drivers yet, and will either
+need to be disabled, or have reduced features when the built-in implementations
+of some ciphers are removed:
+
+- `MBEDTLS_NIST_KW_C` needs built-in AES: it must be disabled when
+ `MBEDTLS_AES_C` is disabled.
+- `MBEDTLS_CMAC_C` needs built-in AES/DES: it must be disabled when
+ `MBEDTLS_AES_C` and `MBEDTLS_DES_C` are both disabled. When only one of them
+ is enabled, then only the corresponding cipher will be available at runtime
+ for use with `mbedtls_cipher_cmac_xxx`. (Note: if there is driver support for
+ CMAC and all compatible key types, then `PSA_WANT_ALG_CMAC` can be enabled
+ without `MBEDTLS_CMAC_C` and CMAC will be usable with `psa_max_xxx` APIs.)
+- `MBEDTLS_CIPHER_C`: the `mbedtls_cipher_xxx()` APIs will only work with
+ ciphers that are built-in - that is, both the underlying cipher
+ (eg `MBEDTLS_AES_C`) and the mode (eg `MBEDTLS_CIPHER_MODE_CBC` or
+ `MBEDTLS_GCM_C`).
+- `MBEDTLS_PKCS5_C`: encryption/decryption (PBES2, PBE) will only work with
+ ciphers that are built-in.
+- PEM decryption will only work with ciphers that are built-in.
+- PK parse will only be able to parse encrypted keys using built-in ciphers.
+
+Note that if you also disable `MBEDTLS_CIPHER_C`, there will be additional
+restrictions, see [Disabling `MBEDTLS_CIPHER_C`](#disabling-mbedtls_cipher_c).
+
+### Legacy <-> PSA matching
+
+Note that the relationship between legacy (i.e. `MBEDTLS_xxx_C`) and PSA
+(i.e. `PSA_WANT_xxx`) symbols is not always 1:1. For example:
+
+- ECB mode is always enabled in the legacy configuration for each key type that
+ allows it (AES, ARIA, Camellia, DES), whereas it must be explicitly enabled
+ in PSA with `PSA_WANT_ALG_ECB_NO_PADDING`.
+- In the legacy API, `MBEDTLS_CHACHA20_C` enables the ChaCha20 stream cipher, and
+ enabling `MBEDTLS_CHACHAPOLY_C` also enables the ChaCha20-Poly1305 AEAD. In the
+ PSA API, you need to enable `PSA_KEY_TYPE_CHACHA20` for both, plus
+ `PSA_ALG_STREAM_CIPHER` or `PSA_ALG_CHACHA20_POLY1305` as desired.
+- The legacy symbol `MBEDTLS_CCM_C` adds support for both cipher and AEAD,
+ whereas in PSA there are 2 different symbols: `PSA_WANT_ALG_CCM_STAR_NO_TAG`
+ and `PSA_WANT_ALG_CCM`, respectively.
+
+### Partial acceleration for CCM/GCM
+
+[This section depends on #8598 so it might be updated while that PR progresses.]
+
+In case legacy CCM/GCM algorithms are enabled, it is still possible to benefit
+from PSA acceleration of the underlying block cipher by enabling support for
+ECB mode (`PSA_WANT_ALG_ECB_NO_PADDING` + `MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING`)
+together with desired key type(s) (`PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` +
+`MBEDTLS_PSA_ACCEL_KEY_TYPE_[AES|ARIA|CAMELLIA]`).
+
+In such configurations it is possible to:
+
+- Use CCM and GCM via the PSA Crypto APIs.
+- Use CCM and GCM via legacy functions `mbedtls_[ccm|gcm]_xxx()` (but not the
+ legacy functions `mbedtls_cipher_xxx()`).
+- Disable legacy key types (`MBEDTLS_[AES|ARIA|CAMELLIA]_C`) if there is no
+ other dependency requiring them.
+
+ChaChaPoly has no such feature, so it requires full acceleration (key type +
+algorithm) in order to work with a driver.
+
+### CTR-DRBG
+
+The legacy CTR-DRBG module (enabled by `MBEDTLS_CTR_DRBG_C`) can also benefit
+from PSA acceleration if both of the following conditions are met:
+
+- The legacy AES module (`MBEDTLS_AES_C`) is not enabled and
+- AES is supported on the PSA side together with ECB mode, i.e.
+ `PSA_WANT_KEY_TYPE_AES` + `PSA_WANT_ALG_ECB_NO_PADDING`.
+
+### Disabling `MBEDTLS_CIPHER_C`
+
+It is possible to save code size by disabling MBEDTLS_CIPHER_C when all of the
+following conditions are met:
+
+- The application is not using the `mbedtls_cipher_` API.
+- In PSA, all unauthenticated (that is, non-AEAD) ciphers are either disabled or
+ fully accelerated (that is, all compatible key types are accelerated too).
+- Either TLS is disabled, or `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+- `MBEDTLS_NIST_KW` is disabled.
+- `MBEDTLS_CMAC_C` is disabled. (Note: support for CMAC in PSA can be provided by
+ a driver.)
+
+In such a build, everything will work as usual except for the following:
+
+- Encryption/decryption functions from the PKCS5 and PKCS12 module will not be
+ available (only key derivation functions).
+- Parsing of PKCS5- or PKCS12-encrypted keys in PK parse will fail.
+
+Note: AEAD ciphers (CCM, GCM, ChachaPoly) do not have a dependency on
+MBEDTLS_CIPHER_C even when using the built-in implementations.
+
+If you also have some ciphers fully accelerated and the built-ins removed, see
+[Restrictions](#restrictions) for restrictions related to removing the built-ins.
+
+
+
diff --git a/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md b/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
index 8875921..f9b108d 100644
--- a/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
+++ b/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
@@ -4,7 +4,7 @@ Migrating to an auto generated psa_crypto_driver_wrappers.h file
This document describes how to migrate to the auto generated psa_crypto_driver_wrappers.h file.
It is meant to give the library user migration guidelines while the Mbed TLS project tides over multiple minor revs of version 1.0, after which this will be merged into psa-driver-interface.md.
-For a practical guide with a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.html).
+For a practical guide with a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.md).
## Introduction
diff --git a/docs/psa-driver-example-and-guide.md b/docs/psa-driver-example-and-guide.md
index d041723..a5e9b16 100644
--- a/docs/psa-driver-example-and-guide.md
+++ b/docs/psa-driver-example-and-guide.md
@@ -138,7 +138,7 @@ This guide assumes you are building Mbed TLS from source alongside your project.
### Example: Manually integrating a software accelerator alongside Mbed TLS
-[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `3rdparty/p256-m`. In this section, we will look at how this integration was done.
+[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `drivers/p256-m`. In this section, we will look at how this integration was done.
The Mbed TLS build system includes the instructions needed to build p256-m. To build with and use p256-m, set the macro `MBEDTLS_PSA_P256M_DRIVER_ENABLED` using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run:
@@ -157,11 +157,11 @@ The driver wrapper functions in `psa_crypto_driver_wrappers.h.jinja` for all fou
```
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
!PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
- PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
- attributes->core.bits == 256 )
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
{
status = p256_transparent_sign_hash( attributes,
key_buffer,
diff --git a/docs/psa-transition.md b/docs/psa-transition.md
new file mode 100644
index 0000000..bbb7da2
--- /dev/null
+++ b/docs/psa-transition.md
@@ -0,0 +1,1322 @@
+# Transitioning to the PSA API
+
+> I have code written for `mbedtls_` cryptography APIs. How do I migrate to `psa_` APIs?
+
+## Introduction
+
+Mbed TLS is gradually moving from legacy `mbedtls_xxx` APIs to newer `psa_xxx` APIs for cryptography. Note that this only concerns cryptography APIs, not X.509 or SSL/TLS APIs.
+
+This guide is intended to help migrate existing applications that use Mbed TLS for cryptography. It aims to cover common use cases, but cannot cover all possible scenarios.
+
+### Suggested reading
+
+This document is long, but you probably don't need to read all of it. You should start with the following sections:
+
+1. [Where can I find documentation?](#where-can-i-find-documentation)
+2. [General considerations](#general-considerations)
+
+Then use the [summary of API modules](#summary-of-api-modules), the table of contents or a text search to locate the sections that interest you, based on what legacy interfaces your code is currently using.
+
+### Where can I find documentation?
+
+**Tutorial**: See the [getting started guide](https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/).
+
+**Reference**: The [PSA Crypto API specification](https://arm-software.github.io/psa-api/crypto/) is available online. Mbed TLS implements a large subset of the specification which is documented in the [`psa/crypto*.h` headers](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto_8h/).
+
+### Additional resources
+
+* [Mbed TLS open issues](https://github.com/Mbed-TLS/mbedtls/issues)
+* [PSA API open issues](https://github.com/ARM-software/psa-api/issues) (not just cryptography APIs)
+* [Mbed TLS mailing list](https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org/)
+
+### Why change the API?
+
+* Mbed TLS APIs are traditionally very transparent: the caller can access internal fields of operations. This is less true in the 3.x major version than before, but still the case to some extent. This offers applications some flexibility, but it removes flexibility from the implementation. For example, it is hard to support hardware acceleration, because the API constrains how the data must be represented. PSA APIs were designed to be more opaque, giving more freedom to the implementation.
+* Mbed TLS legacy APIs require key material to be present in the application memory. The PSA Crypto API natively supports operations on keys stored in an external [location](https://arm-software.github.io/psa-api/crypto/1.1/api/keys/lifetimes.html#c.psa_key_location_t) (secure enclave, secure element, HSM, etc.).
+* PSA APIs have [consistent conventions](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#parameter-conventions) which many legacy APIs in Mbed TLS do not follow. For example, many legacy cryptography functions require the caller to know how large an output buffer needs to be based on the selected algorithm, whereas in the PSA API, all buffer arguments have a well-defined size and those sizes are checked.
+* Mbed TLS legacy APIs require passing around a random generator argument where needed. This has historically been problematic with functions that were created without an RNG argument but later needed one as part of a security countermeasure. The PSA crypto subsystem maintains a global random generator, resolving this problem.
+
+### Migration timeline
+
+* Mbed TLS 2.15.0 (Nov 2018): first release with a draft implementation of the PSA API.
+* Mbed TLS 2.18.0 (Jun 2019): The PSA API is available in the default build.
+* Mbed TLS 3.1.0 (Dec 2021): TLS 1.3 support is the first major feature that requires the PSA API.
+* Mbed TLS 4.0.0 (2024?): X.509 and TLS require the PSA API. Removal of some legacy crypto APIs.
+* Mbed TLS 5.0.0 (??): Removal of the remaining non-PSA crypto APIs.
+
+## General considerations
+
+### Configuration of the PSA subsystem
+
+To make the PSA API available, make sure that the configuration option [`MBEDTLS_PSA_CRYPTO_C`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#c.MBEDTLS_PSA_CRYPTO_C) is enabled. (It is enabled in the default configuration.)
+
+You should probably enable [`MBEDTLS_USE_PSA_CRYPTO`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a70fd7b97d5f11170546583f2095942a6) as well (it is disabled by default). This option causes the PK, X.509 and TLS modules to use PSA crypto under the hood.
+
+By default, the PSA crypto API offers a similar set of cryptographic mechanisms as those offered by the legacy API (configured by `MBEDTLS_XXX` macros). The PSA crypto API also has its own configuration mechanism; see “[Cryptographic mechanism availability](#cryptographic-mechanism-availability)”.
+
+### Header files
+
+Applications only need to include a single header file:
+```
+#include <psa/crypto.h>
+```
+
+### General application layout
+
+Before any cryptographic operation, call [`psa_crypto_init`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__initialization/#group__initialization_1ga2de150803fc2f7dc6101d5af7e921dd9) and check that it succeeds. (A failure indicates an abnormal system state from which most applications cannot recover.)
+
+If you wish to free all resources associated with PSA cryptography, call [`mbedtls_psa_crypto_free`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__extra_8h/#_CPPv423mbedtls_psa_crypto_freev).
+
+The PSA subsystem has an internal random generator. As a consequence, you do not need to instantiate one manually (no need to create an `mbedtls_entropy_context` and an `mbedtls_xxx_drbg_context`).
+
+### Error codes
+
+Mbed TLS functions return a status of type `int`: 0 for success (or occasionally a positive value which is the output length), or a negative value `MBEDTLS_ERR_xxx` indicating an error.
+
+PSA functions return a status of type [`psa_status_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__error/#group__error_1ga05676e70ba5c6a7565aff3c36677c1f9): `PSA_SUCCESS == 0` for success, or a negative value [`PSA_ERROR_xxx`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__error/) indicating an error.
+
+### Memory management
+
+Apart from keys, as described in “[Key management](#key-management)” below, APIs that need to preserve state between function calls store this state in a structure allocated by the calling code. For example, multipart operations store state in a multipart operation object.
+
+All PSA operation objects must be zero-initialized (or equivalently, initialized with the provided `PSA_XXX_INIT` macro or `psa_xxx_init()` function) before calling any API function.
+
+Functions that output data require an output buffer of sufficient size. For all PSA crypto API functions that have an output buffer, there is a corresponding macro, generally called `PSA_XXX_OUTPUT_SIZE`, that calculates a sufficient size for the output buffer, given the relevant parameters. In some cases, there may be macros with less precision which can be resolved at compile time. For example, for the size of a buffer containing a hash, you can use `PSA_HASH_LENGTH(hash_alg)` where `hash_alg` is a specific hash algorithm, or `PSA_HASH_MAX_SIZE` for a buffer that is long enough for any supported hash. See the relevant sections of this document and of the reference documentation for more details.
+
+#### Key management
+
+One of the major differences between the legacy API and the PSA API is that in the PSA API, access to keys is indirect. Operations that require a key take a parameter of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t), which is an identifier for the key. This allows the API to be used with keys that are not directly accessible to the application, for example because they are stored in a secure environment that does not allow the key material to be exported.
+
+To use a key:
+
+1. First create a key object with a key creation function. The two most common ones are [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b) if you have the key material available and [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5) to create a random key. The key creation function has the key identifier as an output parameter.
+2. Use the key as desired, passing the key identifier obtained during the key creation.
+3. Finally destroy the key object with [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2).
+
+See “[Cipher key management](#cipher-key-management)”, “[MAC key management](#mac-key-management)”, “[Key lifecycle for asymmetric cryptography](#key-lifecycle-for-asymmetric-cryptography)”, “[Creating keys for asymmetric cryptography](#creating-keys-for-asymmetric-cryptography)” and “[Diffie-Hellman key pair management](#diffie-hellman-key-pair-management)” for more details about key management in specific workflows, including information about choosing the key's attributes.
+
+If you need access to the key material, call [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf). If you need the public key corresponding to a key pair object, call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062).
+
+Note that a key consumes a key store entry, which is distinct from heap memory, until it is destroyed or the application exits. (This is not true for persistent keys, which instead consume disk space. Since persistent keys have no analog in the legacy API, we will not discuss them further in this document.)
+
+## Summary of API modules
+
+| Header | Function prefix | PSA equivalent |
+| ------ | --------------- | -------------- |
+| `aes.h` | `mbedtls_aes_` | [Symmetric encryption](#symmetric-encryption) |
+| `aria.h` | `mbedtls_aria_` | [Symmetric encryption](#symmetric-encryption) |
+| `asn1.h` | `mbedtls_asn1_` | No change ([PK support interface](#pk-format-support-interfaces)) |
+| `asn1write.h` | `mbedtls_asn1_write_` | No change ([PK support interface](#pk-format-support-interfaces)) |
+| `base64.h` | `mbedtls_base64_` | No change ([PK support interface](#pk-format-support-interfaces)) |
+| `bignum.h` | `mbedtls_mpi_` | None (no low-level arithmetic) |
+| `build_info.h` | `MBEDTLS_` | No change (not a crypto API) |
+| `camellia.h` | `mbedtls_camellia_` | [Symmetric encryption](#symmetric-encryption) |
+| `ccm.h` | `mbedtls_ccm_` | [Symmetric encryption](#symmetric-encryption), [Authenticated cipher operations](#authenticated-cipher-operations) |
+| `chacha20.h` | `mbedtls_chacha20_` | [Symmetric encryption](#symmetric-encryption) |
+| `chachapoly.h` | `mbedtls_chachapoly_` | [Symmetric encryption](#symmetric-encryption), [Authenticated cipher operations](#authenticated-cipher-operations) |
+| `check_config.h` | N/A | No public APIs (internal support header) |
+| `cipher.h` | `mbedtls_cipher_` | [Symmetric encryption](#symmetric-encryption) |
+| `cmac.h` | `mbedtls_cipher_cmac_` | [Hashes and MAC](#hashes-and-mac), [MAC calculation](#mac-calculation) |
+| `compat-2.x.h` | various | None (transitional APIs) |
+| `config_psa.h` | N/A | No public APIs (internal support header) |
+| `constant_time.h` | `mbedtls_ct_` | [Constant-time functions](#constant-time-functions) |
+| `ctr_drbg.h` | `mbedtls_ctr_drbg_` | [Random generation interface](#random-generation-interface), [Deterministic pseudorandom generation](#deterministic-pseudorandom-generation) |
+| `debug.h` | `mbedtls_debug_` | No change (not a crypto API) |
+| `des.h` | `mbedtls_des_` | [Symmetric encryption](#symmetric-encryption) |
+| `dhm.h` | `mbedtls_dhm_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `ecdh.h` | `mbedtls_ecdh_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `ecdsa.h` | `mbedtls_ecdsa_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `ecjpake.h` | `mbedtls_ecjpake_` | [EC-JPAKE](#ec-jpake) |
+| `ecp.h` | `mbedtls_ecp_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `entropy.h` | `mbedtls_entropy_` | [Random generation interface](#random-generation-interface), [Entropy sources](#entropy-sources) |
+| `error.h` | `mbedtls_*err*` | [Error messages](#error-messages) |
+| `gcm.h` | `mbedtls_gcm_` | [Symmetric encryption](#symmetric-encryption), [Authenticated cipher operations](#authenticated-cipher-operations) |
+| `hkdf.h` | `mbedtls_hkdf_` | [HKDF](#hkdf) |
+| `hmac_drbg.h` | `mbedtls_hmac_drbg_` | [Random generation interface](#random-generation-interface), [Deterministic pseudorandom generation](#deterministic-pseudorandom-generation) |
+| `lms.h` | `mbedtls_lms_` | No change ([LMS signatures](#lms-signatures)) |
+| `mbedtls_config.h` | `MBEDTLS_` | [Compile-time configuration](#compile-time-configuration) |
+| `md.h` | `mbedtls_md_` | [Hashes and MAC](#hashes-and-mac) |
+| `md5.h` | `mbedtls_md5_` | [Hashes and MAC](#hashes-and-mac) |
+| `memory_buffer_alloc.h` | `mbedtls_memory_buffer_alloc_` | No change (not a crypto API) |
+| `net_sockets.h` | `mbedtls_net_` | No change (not a crypto API) |
+| `nist_kw.h` | `mbedtls_nist_kw_` | Migration path not yet defined |
+| `oid.h` | `mbedtls_oid_` | No change ([PK support interface](#pk-format-support-interfaces)) |
+| `pem.h` | `mbedtls_pem_` | No change ([PK support interface](#pk-format-support-interfaces)) |
+| `pk.h` | `mbedtls_pk_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `pkcs5.h` | `mbedtls_pkcs5_` | [PKCS#5 module](#pkcs5-module) |
+| `pkcs7.h` | `mbedtls_pkcs7_` | No change (not a crypto API) |
+| `pkcs12.h` | `mbedtls_pkcs12_` | [PKCS#12 module](#pkcs12-module) |
+| `platform.h` | `mbedtls_platform_` | No change (not a crypto API) |
+| `platform_time.h` | `mbedtls_*time*` | No change (not a crypto API) |
+| `platform_util.h` | `mbedtls_platform_` | No change (not a crypto API) |
+| `poly1305.h` | `mbedtls_poly1305_` | None (but there is Chacha20-Poly1305 [AEAD](#symmetric-encryption)) |
+| `private_access.h` | N/A | No public APIs (internal support header) |
+| `psa_util.h` | N/A | No public APIs (internal support header) |
+| `ripemd160.h` | `mbedtls_ripemd160_` | [Hashes and MAC](#hashes-and-mac) |
+| `rsa.h` | `mbedtls_rsa_` | [Asymmetric cryptography](#asymmetric-cryptography) |
+| `sha1.h` | `mbedtls_sha1_` | [Hashes and MAC](#hashes-and-mac) |
+| `sha3.h` | `mbedtls_sha3_` | [Hashes and MAC](#hashes-and-mac) |
+| `sha256.h` | `mbedtls_sha256_` | [Hashes and MAC](#hashes-and-mac) |
+| `sha512.h` | `mbedtls_sha512_` | [Hashes and MAC](#hashes-and-mac) |
+| `ssl.h` | `mbedtls_ssl_` | No change (not a crypto API) |
+| `ssl_cache.h` | `mbedtls_ssl_cache_` | No change (not a crypto API) |
+| `ssl_ciphersuites.h` | `mbedtls_ssl_ciphersuite_` | No change (not a crypto API) |
+| `ssl_cookie.h` | `mbedtls_ssl_cookie_` | No change (not a crypto API) |
+| `ssl_ticket.h` | `mbedtls_ssl_ticket_` | No change (not a crypto API) |
+| `threading.h` | `mbedtls_threading_` | No change (not a crypto API) |
+| `timing.h` | `mbedtls_timing_` | No change (not a crypto API) |
+| `version.h` | `mbedtls_version_` | No change (not a crypto API) |
+| `x509.h` | `mbedtls_x509` | No change (not a crypto API) |
+| `x509_crl.h` | `mbedtls_x509` | No change (not a crypto API) |
+| `x509_crt.h` | `mbedtls_x509` | No change (not a crypto API) |
+| `x509_csr.h` | `mbedtls_x509` | No change (not a crypto API) |
+
+## Compile-time configuration
+
+### Cryptographic mechanism availability
+
+**This section only applies if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled.** This option is disabled in the default configuration.
+
+When the configuration option [`MBEDTLS_PSA_CRYPTO_CONFIG`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a5aca5ddcffb586acad82f9aef26db056) is enabled, the cryptographic mechanisms available through the PSA API are determined by the contents of the header file `"psa/crypto_config.h"`. You can override the file location with the macro [`MBEDTLS_PSA_CRYPTO_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a25f7e358caa101570cb9519705c2b873), and you can set [`MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1abd1870cc0d2681183a3018a7247cb137) to the path of an additional file (similar to `MBEDTLS_CONFIG_FILE` and `MBEDTLS_USER_CONFIG_FILE` for legacy configuration symbols).
+
+The availability of cryptographic mechanisms in the PSA API is based on a systematic pattern:
+
+* To make `PSA_ALG_aaa` available, enable `PSA_WANT_ALG_aaa`.
+ For parametrized algorithms, there is a `PSA_WANT_` symbol both for the main macro and for each argument. For example, to make `PSA_ALG_HMAC(PSA_ALG_SHA_256)` available, enable both `PSA_WANT_ALG_HMAC` and `PSA_WANT_ALG_SHA_256`.
+
+* To make `PSA_KEY_TYPE_ttt` available, enable `PSA_WANT_KEY_TYPE_ttt`.
+
+ As an exception, starting in Mbed TLS 3.5.0, for key pair types, the feature selection is more fine-grained, with an additional suffix:
+ * `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC` enables basic support for the key type, and in particular support for operations with a key of that type for enabled algorithms. This is automatically enabled if any of the other `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy` options are enabled.
+ * `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_IMPORT` enables support for `psa_import_key` to import a key of that type.
+ * `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_GENERATE` enables support for `psa_generate_key` to randomly generate a key of that type.
+ * `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_DERIVE` enables support for `psa_key_derivation_output_key` to deterministically derive a key of that type.
+ * `PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_EXPORT` enables support for `psa_export_key` to export a key of that type.
+
+ Enabling any support for a key pair type automatically enables support for the corresponding public key type, as well as support for `psa_export_public_key` on the private key.
+
+* To make `PSA_ECC_FAMILY_fff` available for size sss, enable `PSA_WANT_ECC_fff_sss`.
+
+Note that all `PSA_WANT_xxx` symbols must be set to a non-zero value. In particular, setting `PSA_WANT_xxx` to an empty value may not be handled consistently.
+
+For example, the following configuration enables hashing with SHA-256, AEAD with AES-GCM, signature with deterministic ECDSA using SHA-256 on the curve secp256r1 using a randomly generated key as well as the corresponding verification, and ECDH key exchange on secp256r1 and Curve25519.
+
+```
+#define PSA_WANT_ALG_SHA_256 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_ALG_GCM 1
+
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+// ^^ In Mbed TLS <= 3.4, enable PSA_WANT_KEY_TYPE_ECC_KEY_PAIR instead
+// ^^ implicitly enables PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+#define PSA_WANT_ECC_SECP_R1_256 1 // secp256r1 (suitable for ECDSA and ECDH)
+#define PSA_WANT_ECC_MONTGOMERY_255 1 // Curve25519 (suitable for ECDH)
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+#define PSA_WANT_ALG_ECDH
+```
+
+If a mechanism is not enabled by `PSA_WANT_xxx`, Mbed TLS will normally not include it. This allows builds that use few features to have a small code size. However, this is not guaranteed: a mechanism that is not explicitly requested can be enabled because it is a dependency of another configuration option, because it is used internally, or because the granularity is not fine enough to distinguish between it and another mechanism that is requested.
+
+Under the hood, `PSA_WANT_xxx` enables the necessary legacy modules. Note that if a mechanism has a PSA accelerator driver, the corresponding legacy module is typically not needed. Thus applications that use a cryptographic mechanism both through the legacy API and through the PSA API need to explicitly enable both the `PSA_WANT_xxx` symbols and the `MBEDTLS_xxx` symbols.
+
+### Optimization options
+
+When PSA Crypto mechanisms are implemented by the built-in code from Mbed TLS, the legacy optimization options (e.g. `MBEDTLS_SHA256_SMALLER`, `MBEDTLS_ECP_WINDOW_SIZE`, etc.) apply to the PSA implementation as well (they invoke the same code under the hood).
+
+The PSA Crypto API may use accelerator drivers. In this case any options controlling the driver behavior are driver-specific.
+
+### Alternative implementations (`MBEDTLS_xxx_ALT` options)
+
+In the Mbed TLS legacy interface, you can replace some cryptographic primitives and modes by an alternative implementation, by enabling configuration options of the form `MBEDTLS_xxx_ALT` and linking with your own implementation of the affected function or module. Alternative implementations remain supported in Mbed TLS 3.x even if the application code uses the PSA API. However, they will be removed from the next version of the library.
+
+The corresponding PSA feature is accelerator drivers. To implement an accelerator driver, see the [PSA cryptoprocessor driver example and guide](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-driver-example-and-guide.md). In an application that uses both the legacy interface and the PSA interface for the same mechanism, only some algorithms support calling a PSA driver from the legacy interface. See the [Guide to driver-only builds](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/driver-only-builds.md) for more information.
+
+### Self-tests
+
+There is currently [no PSA equivalent to the self-tests](https://github.com/Mbed-TLS/mbedtls/issues/7781) enabled by `MBEDTLS_SELF_TEST`.
+
+## Miscellaneous support modules
+
+### Error messages
+
+At the time of writing, there is no equivalent to the error messages provided by `mbedtls_strerror`. However, you can use the companion program `programs/psa/psa_constant_names` to convert various numbers (`psa_status_t`, `psa_algorithm_t`, `psa_key_type_t`, `psa_ecc_family_t`, `psa_dh_family_t`, `psa_key_usage_t`) to a programmer-friendly representation. The conversion doesn't depend on the library configuration or the target platform, so you can use a native build of this program even if you cross-compile your application.
+
+```
+$ programs/psa/psa_constant_names error -138
+PSA_ERROR_BUFFER_TOO_SMALL
+$ programs/psa/psa_constant_names type 0x7112
+PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)
+$ programs/psa/psa_constant_names alg 0x06000609
+PSA_ALG_ECDSA(PSA_ALG_SHA_256)
+```
+
+The other functions in `error.h` are specific to the construction of Mbed TLS error code and are not relevant to the PSA API. PSA error codes are never the combination of multiple codes.
+
+### Constant-time functions
+
+The PSA API does not have an equivalent to the timing-side-channel-resistance utility functions in `constant_time.h`. Continue using `constant_time.h` as needed.
+
+Note that the PSA API does include features that reduce the need for `mbedtls_ct_memcmp`:
+
+* To compare a MAC with a reference value, use `psa_mac_verify` rather than `psa_mac_compute` followed by `mbedtls_ct_memcmp`, or use `psa_mac_verify_setup` and `psa_mac_verify_finish` in the multi-part case. See “[MAC calculation](#mac-calculation)”.
+* The AEAD decryption functions take care of verifying the tag. See “[Authenticated cipher operations](#authenticated-cipher-operations)”.
+
+## Symmetric encryption
+
+All PSA APIs have algorithm agility, where the functions depend only on the nature of the operation and the choice of a specific algorithm comes from an argument. There is no special API for a particular block cipher (`aes.h`, `aria.h`, `camellia.h`, `des.h`), a particular block cipher mode (`ccm.h`, `gcm.h`) or a particular stream cipher (`chacha20.h`, `chachapoly.h`). To migrate code using those low-level modules, please follow the recommendations in the following sections, using the same principles as the corresponding `cipher.h` API.
+
+### Cipher mechanism selection
+
+Instead of `mbedtls_cipher_id_t` (`MBEDTLS_CIPHER_ID_xxx` constants), `mbedtls_cipher_type_t` (`MBEDTLS_CIPHER_base_size_mode` constants), `mbedtls_cipher_mode_t` (`MBEDTLS_CIPHER_MODE_xxx` constants) and `mbedtls_cipher_padding_t` (`MBEDTLS_CIPHER_PADDING_xxx` constants), use the [`PSA_KEY_TYPE_xxx` and `PSA_ALG_xxx` constants](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/).
+
+For modes that are based on a block cipher, the key type encodes the choice of block cipher:
+[`PSA_KEY_TYPE_AES`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga6ee54579dcf278c677eda4bb1a29575e),
+[`PSA_KEY_TYPE_ARIA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#c.PSA_KEY_TYPE_ARIA),
+[`PSA_KEY_TYPE_CAMELLIA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gad8e5da742343fd5519f9d8a630c2ed81),
+[`PSA_KEY_TYPE_DES`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga577562bfbbc691c820d55ec308333138).
+The algorithm encodes the mode and if relevant the padding type:
+
+* Unauthenticated cipher modes:
+ [`PSA_ALG_CTR`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gad318309706a769cffdc64e4c7e06b2e9),
+ [`PSA_ALG_CFB`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0088c933e01d671f263a9a1f177cb5bc),
+ [`PSA_ALG_OFB`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gae96bb421fa634c6fa8f571f0112f1ddb),
+ [`PSA_ALG_XTS`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gaa722c0e426a797fd6d99623f59748125),
+ [`PSA_ALG_ECB_NO_PADDING`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gab8f0609cd0f12cccc9c950fd5a81a0e3),
+ [`PSA_ALG_CBC_NO_PADDING`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gacb332d72716958880ee7f97d8365ae66),
+ [`PSA_ALG_CBC_PKCS7`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gaef50d2e9716eb6d476046608e4e0c78c),
+ [`PSA_ALG_CCM_STAR_NO_TAG`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga89627bb27ec3ce642853ab8554a88572).
+* Other padding modes, which are obsolete, are not available in the PSA API. If you need them, handle the padding in your application code and use the `NO_PADDING` algorithm.
+* AEAD modes:
+ [`PSA_ALG_CCM`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac2c0e7d21f1b2df5e76bcb4a8f84273c),
+ [`PSA_ALG_GCM`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0d7d02b15aaae490d38277d99f1c637c).
+* KW/KWP modes are not available in the PSA API at the time of writing.
+
+For the ChaCha20 unauthenticated cipher, use [`PSA_KEY_TYPE_CHACHA20`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga901548883b3bce56cc21c3a22cf8d93c) with [`PSA_ALG_STREAM_CIPHER`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gad98c105198f7428f7d1dffcb2cd398cd).
+For the Chacha20+Poly1305 AEAD, use [`PSA_KEY_TYPE_CHACHA20`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga901548883b3bce56cc21c3a22cf8d93c) with [`PSA_ALG_CHACHA20_POLY1305`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga1fec55093541640a71bdd022d4adfb9c)
+
+### Cipher mechanism availability
+
+For each key type value `PSA_KEY_TYPE_xxx`, the symbol `PSA_WANT_KEY_TYPE_xxx` is defined with a non-zero value if the library is built with support for that key type. For each algorithm value `PSA_ALG_yyy`, the symbol `PSA_WANT_ALG_yyy` is defined with a non-zero value if the library is built with support for that algorithm. Note that for a mechanism to be supported, both the key type and the algorithm must be supported.
+
+For example, to test if AES-CBC-PKCS7 is supported, in the legacy API, you could write:
+```
+#if defined(MBEDTLS_AES_C) && \
+ defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+```
+The equivalent in the PSA API is
+```
+#if PSA_WANT_KEY_TYPE_AES && PSA_WANT_ALG_CBC_PKCS7
+```
+
+### Cipher metadata
+
+Both APIs express key sizes in bits. Note however that in the PSA API, the size of a _buffer_ is always expressed in bytes, even if that buffer contains a key.
+
+The following table lists corresponding PSA macros for maximum-size macros that take all supported algorithms into account.
+
+| Legacy macro | PSA macro |
+| ------------ | --------- |
+| `MBEDTLS_MAX_IV_LENGTH` | [`PSA_CIPHER_IV_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_IV_MAX_SIZE), [`PSA_AEAD_NONCE_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#crypto__sizes_8h_1ac2a332765ba4ccfc24935d6f7f48fcc7) |
+| `MBEDTLS_MAX_BLOCK_LENGTH` | [`PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE) |
+| `MBEDTLS_MAX_KEY_LENGTH` | no equivalent|
+
+There is no equivalent to the type `mbedtls_cipher_info_t` and the functions `mbedtls_cipher_info_from_type` and `mbedtls_cipher_info_from_values` in the PSA API because it is unnecessary. All macros and functions operate directly on key type values (`psa_key_type_t`, `PSA_KEY_TYPE_xxx` constants) and algorithm values (`psa_algorithm_t`, `PSA_ALG_xxx` constants).
+
+| Legacy function | PSA macro |
+| --------------- | --------- |
+| `mbedtls_cipher_info_get_iv_size` | [`PSA_CIPHER_IV_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_IV_LENGTH), [`PSA_AEAD_NONCE_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_NONCE_LENGTH) |
+| `mbedtls_cipher_info_get_block_size` | not available (use specific macros for the IV, nonce or tag length) |
+
+The following features have no PSA equivalent:
+
+* `mbedtls_cipher_list`: the PSA API does not currently have a discovery mechanism for cryptographic mechanisms, but one may be added in the future.
+* `mbedtls_cipher_info_has_variable_key_bitlen`, `mbedtls_cipher_info_has_variable_iv_size`: the PSA API does not currently have such mechanism for high-level metadata information.
+* `mbedtls_cipher_info_from_string`: there is no equivalent of Mbed TLS's lookup based on a (nonstandard) name.
+
+### Cipher key management
+
+The legacy API and the PSA API have a different organization of operations in several respects:
+
+* In the legacy API, each operation object contains the necessary key material. In the PSA API, an operation object contains a reference to a key object. To perform a cryptographic operation, you must create a key object first. However, for a one-shot operation, you do not need an operation object, just a single function call.
+* The legacy API uses the same interface for authenticated and non-authenticated ciphers, while the PSA API has separate functions.
+* The legacy API uses the same functions for encryption and decryption, while the PSA API has separate functions where applicable.
+
+Here is an overview of the lifecycle of a key object.
+
+1. First define the attributes of the key by filling a [`psa_key_attributes_t` structure](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga0ec645e1fdafe59d591104451ebf5680). You need to set the following parameters:
+ * Call [`psa_set_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga6857ef0ecb3fa844d4536939d9c64025) to set the key type to the desired `PSA_KEY_TYPE_xxx` value (see “[Cipher mechanism selection](#cipher-mechanism-selection)”).
+ * Call [`psa_set_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaf61683ac87f87687a40262b5afbfa018) to set the key's size in bits. This is optional with `psa_import_key`, which determines the key size from the length of the key material.
+ * Call [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98) to set the algorithm to the desired `PSA_ALG_xxx` value (see “[Cipher mechanism selection](#cipher-mechanism-selection)”). By design, the same key cannot be used with multiple algorithms.
+ * Call [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de) to enable at least [`PSA_KEY_USAGE_ENCRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#c.PSA_KEY_USAGE_ENCRYPT) or [`PSA_KEY_USAGE_DECRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#c.PSA_KEY_USAGE_DECRYPT), depending on which direction you want to use the key in. To allow both directions, use the flag mask `PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT`. The same policy flags cover authenticated and non-authenticated encryption/decryption.
+2. Call one of the key creation functions, passing the attributes defined in the previous step, to get an identifier of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t) to the key object.
+ * Use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b) to directly import key material.
+ * If the key is randomly generated, use [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5).
+ * If the key is derived from other material (for example from a key exchange), use the [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/) and create the key with [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1).
+3. Call the functions in the following sections to perform operations on the key. The same key object can be used in multiple operations.
+4. To free the resources used by the key object, call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) after all operations with that key are finished.
+
+### Unauthenticated cipher operations
+
+Recall the workflow of an unauthenticated cipher operation in the legacy Mbed TLS cipher API:
+
+1. Create a cipher context of type `mbedtls_cipher_context_t` and initialize it with `mbedtls_cipher_init`.
+2. Establish the operation parameters (algorithm, key, mode) with `mbedtls_cipher_setup`, `mbedtls_cipher_setkey` (or `mbedtls_cipher_setup_psa`), `mbedtls_cipher_set_padding_mode` if applicable.
+3. Set the IV with `mbedtls_cipher_set_iv` (except for ECB which does not use an IV).
+4. For a one-shot operation, call `mbedtls_cipher_crypt`. To pass the input in multiple parts, call `mbedtls_cipher_update` as many times as necessary followed by `mbedtls_cipher_finish`.
+5. Finally free the resources associated with the operation object by calling `mbedtls_cipher_free`.
+
+For a one-shot operation (where the whole plaintext or ciphertext is passed as a single input), the equivalent workflow with the PSA API is to call a single function:
+
+* [`psa_cipher_encrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga61f02fbfa681c2659546eca52277dbf1) to perform encryption with a random IV of the default size (indicated by [`PSA_CIPHER_IV_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_IV_LENGTH)). (To encrypt with a specified IV, use the multi-part API described below.) You can use the macro [`PSA_CIPHER_ENCRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_ENCRYPT_OUTPUT_SIZE) or [`PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+* [`psa_cipher_decrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1gab3593f5f14d8c0431dd306d80929215e) to perform decryption with a specified IV. You can use the macro [`PSA_CIPHER_DECRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_DECRYPT_OUTPUT_SIZE) or [`PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+For a multi-part operation, the equivalent workflow with the PSA API is as follows:
+
+1. Create an operation object of type [`psa_cipher_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga1399de29db657e3737bb09927aae51fa) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Select the key and algorithm with [`psa_cipher_encrypt_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga587374c0eb8137a572f8e2fc409bb2b4) or [`psa_cipher_decrypt_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1gaa4ba3a167066eaef2ea49abc5dcd1d4b) depending on the desired direction.
+3. When encrypting with a random IV, use [`psa_cipher_generate_iv`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga29fd7d32a5729226a2f73e7b6487bd8a). When encrypting with a chosen IV, or when decrypting, set the IV with [`psa_cipher_set_iv`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga9caddac1a429a5032d6d4a907fb70ba1). Skip this step with ECB since it does not use an IV.
+4. Call [`psa_cipher_update`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1gac3ca27ac6682917c48247d01fd96cd0f) as many times as needed. You can use [`PSA_CIPHER_UPDATE_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_UPDATE_OUTPUT_SIZE) or [`PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#crypto__sizes_8h_1ab1f6598efd6a7dc56e7ad7e34719eb32) to determine a sufficient size for the output buffer.
+5. Call [`psa_cipher_finish`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1ga1dcb58b8befe23f8a4d7a1d49c99249b) to obtain the last part of the output. You can use [`PSA_CIPHER_FINISH_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_FINISH_OUTPUT_SIZE) or [`PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+If you need to interrupt the operation after calling the setup function without calling the finish function, call [`psa_cipher_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1gaad482cdca2098bca0620596aaa02eaa4).
+
+### Authenticated cipher operations
+
+Recall the workflow of an authenticated cipher operation in the legacy Mbed TLS cipher API (or similar workflows in the `chachapoly`, `ccm` and `gcm` modules):
+
+1. Create a cipher context of type `mbedtls_cipher_context_t` and initialize it with `mbedtls_cipher_init`.
+2. Establish the operation parameters (algorithm, key, mode) with `mbedtls_cipher_setup`, `mbedtls_cipher_setkey` (or `mbedtls_cipher_setup_psa`), `mbedtls_cipher_set_padding_mode` if applicable.
+3. Set the nonce with `mbedtls_cipher_set_iv` (or the `starts` function for low-level modules). For CCM, which requires direct use of the `ccm` module, also call `mbedtls_ccm_set_lengths` to set the length of the additional data and of the plaintext.
+4. Call `mbedtls_cipher_update_ad` to pass the unencrypted additional data.
+5. Call `mbedtls_cipher_update` as many times as necessary to pass the input plaintext or ciphertext.
+6. Call `mbedtls_cipher_finish` to obtain the last part of the output. Then call `mbedtls_cipher_write_tag` (when encrypting) or `mbedtls_cipher_check_tag` (when decrypting) to process the authentication tag.
+7. Finally free the resources associated with the operation object by calling `mbedtls_cipher_free`.
+
+Steps 3–6 can be replaced by a single call to `mbedtls_cipher_auth_encrypt_ext` or `mbedtls_cipher_auth_decrypt_ext` for a one-shot operation (where the whole plaintext or ciphertext is passed as a single input).
+
+For a one-shot operation, the PSA API allows you to call a single function:
+
+* [`psa_aead_encrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gae72e1eb3c2da3ebd843bb9c8db8df509) to perform authenticated encryption with a random nonce of the default size (indicated by [`PSA_AEAD_NONCE_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_NONCE_LENGTH)), with the authentication tag written at the end of the output. (To encrypt with a specified nonce, or to separate the tag from the rest of the ciphertext, use the multi-part API described below.) You can use the macro [`PSA_AEAD_ENCRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_ENCRYPT_OUTPUT_SIZE) or [`PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+* [`psa_aead_decrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gae799f6196a22d50c216c947e0320d3ba) to perform authenticated decryption of a ciphertext with the authentication tag at the end. (If the tag is separate, use the multi-part API described below.) You can use the macro [`PSA_AEAD_DECRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_DECRYPT_OUTPUT_SIZE) or [`PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+For a multi-part operation, the equivalent workflow with the PSA API is as follows:
+
+1. Create an operation object of type [`psa_aead_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga14f6a01afbaa8c5b3d8c5d345cbaa3ed) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Select the key and algorithm with [`psa_aead_encrypt_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga2732c40ce8f3619d41359a329e9b46c4) or [`psa_aead_decrypt_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gaaa5c5018e67a7a6514b7e76b9a14de26) depending on the desired direction.
+3. When encrypting with a random nonce, use [`psa_aead_generate_nonce`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga5799df1c555efd35970b65be51cb07d1). When encrypting with a chosen nonce, or when decrypting, set the nonce with [`psa_aead_set_nonce`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga59132751a6f843d038924cb217b5e13b). If the algorithm is CCM, you must also call [`psa_aead_set_lengths`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gad3431e28d05002c2a7b0760610176050) before or after setting the nonce (for other algorithms, this is permitted but not needed).
+4. Call [`psa_aead_update_ad`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga6d0eed03f832e5c9c91cb8adf2882569) as many times as needed.
+5. Call [`psa_aead_update`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gaf6d49864951ca42136b4a9b71ea26e5c) as many times as needed. You can use [`PSA_AEAD_UPDATE_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_UPDATE_OUTPUT_SIZE) or [`PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+6. Finally:
+ * When encrypting, call [`psa_aead_finish`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1ga759791bbe1763b377c3b5447641f1fc8) to obtain the last part of the ciphertext and the authentication tag. You can use [`PSA_AEAD_FINISH_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_FINISH_OUTPUT_SIZE) or [`PSA_AEAD_FINISH_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_FINISH_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+ * When decrypting, call [`psa_aead_verify`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gae0280e2e61a185b893c36d858453f0d0) to obtain the last part of the plaintext and check the authentication tag. You can use [`PSA_AEAD_VERIFY_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_VERIFY_OUTPUT_SIZE) or [`PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+If you need to interrupt the operation after calling the setup function without calling the finish or verify function, call [`psa_aead_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gae8a5f93d92318c8f592ee9fbb9d36ba0).
+
+### Miscellaneous cipher operation management
+
+The equivalent of `mbedtls_cipher_reset` is to call [`psa_cipher_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__cipher/#group__cipher_1gaad482cdca2098bca0620596aaa02eaa4) or [`psa_aead_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__aead/#group__aead_1gae8a5f93d92318c8f592ee9fbb9d36ba0). Note that you must set the key again with a setup function: the PSA API does not have a special way to reuse an operation object with the same key.
+
+There is no equivalent for the `mbedtls_cipher_get_xxx` functions to extract information from an ongoing PSA cipher or AEAD operation. Applications that need this information will need to save it from the key and operation parameters.
+
+## Hashes and MAC
+
+The PSA API groups functions by purpose rather than by underlying primitive: there is a MAC API (equivalent to `md.h` for HMAC, and `cmac.h` for CMAC) and a hash API (equivalent to `md.h` for hashing). There is no special API for a particular hash algorithm (`md5.h`, `sha1.h`, `sha256.h`, `sha512.h`, `sha3.h`). To migrate code using those low-level modules, please follow the recommendations in the following section, using the same principles as the corresponding `md.h` API.
+
+The PSA API does not have a direct interface for the AES-CMAC-PRF-128 algorithm from RFC 4615 calculated by `mbedtls_aes_cmac_prf_128` at the time of writing. You can implement it using the MAC interface with an AES key and the CMAC algorithm.
+
+### Hash mechanism selection
+
+The equivalent to `mbedtls_md_type_t` and `MBEDTLS_MD_XXX` constants is the type `psa_algorithm_t` and `PSA_ALG_xxx` constants (the type encompasses all categories of cryptographic algorithms, not just hashes). PSA offers a similar selection of algorithms, but note that SHA-1 and SHA-2 are spelled slightly differently.
+
+| Mbed TLS constant | PSA constant |
+| ---------------------- | ------------------- |
+| `MBEDTLS_MD_MD5` | `PSA_ALG_MD5` |
+| `MBEDTLS_MD_SHA1` | `PSA_ALG_SHA_1` |
+| `MBEDTLS_MD_SHA224` | `PSA_ALG_SHA_224` |
+| `MBEDTLS_MD_SHA256` | `PSA_ALG_SHA_256` |
+| `MBEDTLS_MD_SHA384` | `PSA_ALG_SHA_384` |
+| `MBEDTLS_MD_SHA512` | `PSA_ALG_SHA_512` |
+| `MBEDTLS_MD_RIPEMD160` | `PSA_ALG_RIPEMD160` |
+| `MBEDTLS_MD_SHA3_224` | `PSA_ALG_SHA3_224` |
+| `MBEDTLS_MD_SHA3_256` | `PSA_ALG_SHA3_256` |
+| `MBEDTLS_MD_SHA3_384` | `PSA_ALG_SHA3_384` |
+| `MBEDTLS_MD_SHA3_512` | `PSA_ALG_SHA3_512` |
+
+The following helper functions can be used to convert between the 2 types:
+- `mbedtls_md_psa_alg_from_type()` converts from legacy `mbedtls_md_type_t` to PSA's `psa_algorithm_t`.
+- `mbedtls_md_type_from_psa_alg()` converts from PSA's `psa_algorithm_t` to legacy `mbedtls_md_type_t`.
+
+### MAC mechanism selection
+
+PSA Crypto has a generic API with the same functions for all MAC mechanisms. The mechanism is determined by a combination of an algorithm value of type [`psa_algorithm_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac2e4d47f1300d73c2f829a6d99252d69) and a key type value of type [`psa_key_type_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga63fce6880ca5933b5d6baa257febf1f6).
+
+* For HMAC, the algorithm is [`PSA_ALG_HMAC`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga70f397425684b3efcde1e0e34c28261f)`(hash)` where `hash` is the underlying hash algorithm (see “[Hash mechanism selection](#hash-mechanism-selection)”),
+ for example `PSA_ALG_HMAC(PSA_ALG_SHA_256)` for HMAC-SHA-256.
+ The key type is [`PSA_KEY_TYPE_HMAC`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_KEY_TYPE_HMAC) regardless of the hash algorithm.
+* For CMAC, the algorithm is [`PSA_ALG_CMAC`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_ALG_CMAC) regardless of the underlying block cipher. The key type determines the block cipher:
+ [`PSA_KEY_TYPE_AES`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga6ee54579dcf278c677eda4bb1a29575e),
+ [`PSA_KEY_TYPE_ARIA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#c.PSA_KEY_TYPE_ARIA),
+ [`PSA_KEY_TYPE_CAMELLIA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gad8e5da742343fd5519f9d8a630c2ed81) or
+ [`PSA_KEY_TYPE_DES`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga577562bfbbc691c820d55ec308333138).
+
+### Hash and MAC mechanism availability
+
+For each key type value `PSA_KEY_TYPE_xxx`, the symbol `PSA_WANT_KEY_TYPE_xxx` is defined with a non-zero value if the library is built with support for that key type. For each algorithm value `PSA_ALG_yyy`, the symbol `PSA_WANT_ALG_yyy` is defined with a non-zero value if the library is built with support for that algorithm. For a compound mechanism, all parts must be supported. In particular, for HMAC, all three of `PSA_WANT_KEY_TYPE_HMAC`, `PSA_WANT_ALG_HMAC` and the underlying hash must be enabled. (A configuration with only one of `PSA_WANT_KEY_TYPE_HMAC` and `PSA_WANT_ALG_HMAC` is technically possible but not useful.)
+
+For example, to test if HMAC-SHA-256 is supported, in the legacy API, you could write:
+```
+#if defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C)
+```
+The equivalent in the PSA API is
+```
+#if PSA_WANT_KEY_TYPE_HMAC && PSA_WANT_ALG_HMAC && PSA_WANT_ALG_SHA_256
+```
+
+To test if AES-CMAC is supported, in the legacy API, you could write:
+```
+if defined(MBEDTLS_AES_C) && defined(MBEDTLS_CMAC_C)
+```
+The equivalent in the PSA API is
+```
+#if PSA_WANT_KEY_TYPE_AES && PSA_WANT_ALG_CMAC
+```
+
+### Hash algorithm metadata
+
+There is no equivalent to the type `mbedtls_md_info_t` and the functions `mbedtls_md_info_from_type` and `mbedtls_md_get_type` in the PSA API because it is unnecessary. All macros and functions operate directly on algorithm (`psa_algorithm_t`, `PSA_ALG_xxx` constants).
+
+| Legacy macro | PSA macro |
+| ------------ | --------- |
+| `MBEDTLS_MD_MAX_SIZE` | [`PSA_HASH_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_HASH_MAX_SIZE) |
+| `MBEDTLS_MD_MAX_BLOCK_SIZE` | [`PSA_HMAC_MAX_HASH_BLOCK_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_HMAC_MAX_HASH_BLOCK_SIZE) |
+| `mbedtls_md_get_size` | [`PSA_HASH_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_HASH_LENGTH) |
+| `mbedtls_md_get_size_from_type` | [`PSA_HASH_LENGTH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_HASH_LENGTH) |
+
+The following features have no PSA equivalent:
+
+* `mbedtls_md_list`: the PSA API does not currently have a discovery mechanism for cryptographic mechanisms, but one may be added in the future.
+* `mbedtls_md_info_from_ctx`
+* `mbedtls_cipher_info_from_string`, `mbedtls_md_get_name`: there is no equivalent of Mbed TLS's lookup based on a (nonstandard) name.
+
+### Hash calculation
+
+The equivalent of `mbedtls_md` for a one-shot hash calculation is [`psa_hash_compute`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1gac69f7f19d96a56c28cf3799d11b12156). In addition, to compare the hash of a message with an expected value, you can call [`psa_hash_compare`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga0c08f4797bec96b886c8c8d7acc2a553) instead of `mbedtls_md` followed by `memcmp` or a constant-time equivalent.
+
+For a multi-part hash calculation, the legacy process is as follows:
+
+1. Create a digest context of type `mbedtls_md_context_t` and initialize it with `mbedtls_md_init`.
+2. Call `mbedtls_md_setup` to select the hash algorithm, with `hmac=0`. Then call `mbedtls_md_starts` to start the hash operation.
+3. Call `mbedtls_md_update` as many times as necessary.
+4. Call `mbedtls_md_finish`. If verifying the hash against an expected value, compare the result with the expected value.
+5. Finally free the resources associated with the operation object by calling `mbedtls_md_free`.
+
+The equivalent process in the PSA API is as follows:
+
+1. Create an operation object of type [`psa_hash_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga3c4205d2ce66c4095fc5c78c25273fab) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_hash_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga8d72896cf70fc4d514c5c6b978912515) to specify the algorithm.
+3. Call [`psa_hash_update`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga65b16ef97d7f650899b7db4b7d1112ff) as many times as necessary.
+4. To obtain the hash, call [`psa_hash_finish`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga4795fd06a0067b0adcd92e9627b8c97e). Alternatively, to verify the hash against an expected value, call [`psa_hash_verify`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga7be923c5700c9c70ef77ee9b76d1a5c0).
+
+If you need to interrupt the operation after calling the setup function without calling the finish or verify function, call [`psa_hash_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1gab0b4d5f9912a615559497a467b532928).
+
+There is no equivalent to `mbedtls_md_file` in the PSA API. Load the file data and calculate its hash.
+
+### MAC key management
+
+The legacy API and the PSA API have a different organization of operations in several respects:
+
+* In the legacy API, each operation object contains the necessary key material. In the PSA API, an operation object contains a reference to a key object. To perform a cryptographic operation, you must create a key object first. However, for a one-shot operation, you do not need an operation object, just a single function call.
+* The legacy API uses the same interface for authenticated and non-authenticated ciphers, while the PSA API has separate functions.
+* The legacy API uses the same functions for encryption and decryption, while the PSA API has separate functions where applicable.
+
+Here is an overview of the lifecycle of a key object.
+
+1. First define the attributes of the key by filling a [`psa_key_attributes_t` structure](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga0ec645e1fdafe59d591104451ebf5680). You need to set the following parameters:
+ * Call [`psa_set_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga6857ef0ecb3fa844d4536939d9c64025) to set the key type to the desired `PSA_KEY_TYPE_xxx` value (see “[Cipher mechanism selection](#cipher-mechanism-selection)”).
+ * Call [`psa_set_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaf61683ac87f87687a40262b5afbfa018) to set the key's size in bits. This is optional with `psa_import_key`, which determines the key size from the length of the key material.
+ * Call [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98) to set the algorithm to the desired `PSA_ALG_xxx` value (see “[Cipher mechanism selection](#cipher-mechanism-selection)”). By design, the same key cannot be used with multiple algorithms.
+ * Call [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de) to enable at least [`PSA_KEY_USAGE_SIGN_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#c.PSA_KEY_USAGE_SIGN_MESSAGE) to calculate a MAC or [`PSA_KEY_USAGE_VERIFY_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#c.PSA_KEY_USAGE_VERIFY_MESSAGE) to verify the MAC of a message. To allow both directions, use the flag mask `PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE`.
+2. Call one of the key creation functions, passing the attributes defined in the previous step, to get an identifier of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t) to the key object.
+ * Use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b) to directly import key material.
+ * If the key is randomly generated, use [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5).
+ * If the key is derived from other material (for example from a key exchange), use the [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/) and create the key with [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1).
+3. Call the functions in the following sections to perform operations on the key. The same key object can be used in multiple operations.
+4. To free the resources used by the key object, call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) after all operations with that key are finished.
+
+### MAC calculation
+
+The process for a HMAC operation in the legacy API is as follows:
+
+1. Create a digest context of type `mbedtls_md_context_t` and initialize it with `mbedtls_md_init`.
+2. Call `mbedtls_md_setup` to select the hash algorithm, with `hmac=1`. Then call `mbedtls_md_hmac_starts` to set the key.
+3. Call `mbedtls_md_hmac_update` as many times as necessary.
+4. Call `mbedtls_md_hmac_finish`. If verifying the MAC against an expected value, compare the result with the expected value. Note that this comparison should be in constant time to avoid a side channel vulnerability, for example using `mbedtls_ct_memcmp`.
+5. Finally free the resources associated with the operation object by calling `mbedtls_md_free`.
+
+The process for a CMAC operation in the legacy API is as follows:
+
+1. Create a cipher context of type `mbedtls_cipher_context_t` and initialize it with `mbedtls_cipher_init`.
+2. Call `mbedtls_cipher_setup` to select the block cipher. Then call `mbedtls_md_cmac_starts` to set the key.
+3. Call `mbedtls_cipher_cmac_update` as many times as necessary.
+4. Call `mbedtls_cipher_cmac_finish`. If verifying the MAC against an expected value, compare the result with the expected value. Note that this comparison should be in constant time to avoid a side channel vulnerability, for example using `mbedtls_ct_memcmp`.
+5. Finally free the resources associated with the operation object by calling `mbedtls_cipher_free`.
+
+The process in the PSA API to calculate a MAC is as follows:
+
+1. Create an operation object of type [`psa_mac_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga78f0838b0c4e3db28b26355624d4bd37) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_mac_sign_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga03bc3e3c0b7e55b20d2a238e418d46cd) to specify the algorithm and the key. See “[MAC key management](#mac-key-management)” for how to obtain a key identifier.
+3. Call [`psa_mac_update`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga5560af371497babefe03c9da4e8a1c05) as many times as necessary.
+4. To obtain the MAC, call [`psa_mac_sign_finish`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gac22bc0125580c96724a09226cfbc97f2).
+
+To verify a MAC against an expected value, use the following process instead:
+
+1. Create an operation object of type [`psa_mac_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga78f0838b0c4e3db28b26355624d4bd37) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_mac_verify_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga08ae327fcbc5f8e201172fe11e536984) to specify the algorithm and the key. See “[MAC key management](#mac-key-management)” for how to obtain a key identifier.
+3. Call [`psa_mac_update`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1ga5560af371497babefe03c9da4e8a1c05) as many times as necessary.
+4. To verify the MAC against an expected value, call [`psa_mac_verify_finish`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gac92b2930d6728e1be4d011c05d485822).
+
+If you need to interrupt the operation after calling the setup function without calling the finish function, call [`psa_mac_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gacd8dd54855ba1bc0a03f104f252884fd).
+
+The PSA API also offers functions for a one-shot MAC calculation, similar to `mbedtls_cipher_cmac` and `mbedtls_md_hmac`:
+
+* [`psa_mac_compute`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gabf02ebd3595ea15436967092b5d52878) to calculate the MAC of a buffer in memory.
+* [`psa_mac_verify`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gaf6988545df5d5e2466c34d753443b15a) to verify the MAC of a buffer in memory against an expected value.
+
+In both cases, see “[MAC key management](#mac-key-management)” for how to obtain a key identifier.
+
+### Miscellaneous hash or MAC operation management
+
+The equivalent of `mbedtls_md_reset`, `mbedtls_md_hmac_reset` or `mbedtls_cmac_reset` is to call [`psa_hash_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1gab0b4d5f9912a615559497a467b532928) or [`psa_mac_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group___m_a_c/#group___m_a_c_1gacd8dd54855ba1bc0a03f104f252884fd). Note that you must call a setup function to specify the algorithm and the key (for MAC) again, and they can be different ones.
+
+The equivalent of `mbedtls_md_clone` to clone a hash operation is [`psa_hash_clone`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__hash/#group__hash_1ga39673348f3302b4646bd780034a5aeda). A PSA MAC operation cannot be cloned.
+
+## Key derivation
+
+### HKDF
+
+PSA Crypto provides access to HKDF, HKDF-Extract and HKDF-Expand via its [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/). This is a generic interface using an operation object with one function call for each input and one function call for each output.
+
+1. Create an operation object of type [`psa_key_derivation_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga5f099b63799a0959c3d46718c86c2609) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_key_derivation_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gac0b6a76e45cceb1862752bf041701859) to select the algorithm, which is a value of type [`psa_algorithm_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac2e4d47f1300d73c2f829a6d99252d69). For HKDF and variants, use one of the macros [`PSA_ALG_HKDF`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_ALG_HKDF), [`PSA_ALG_HKDF_EXTRACT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_ALG_HKDF_EXTRACT) or [`PSA_ALG_HKDF_EXPAND`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_ALG_HKDF_EXPAND) with the [hash algorithm](#hash-mechanism-selection) passed as an argument. For example `PSA_ALG_HKDF(PSA_ALG_SHA_256)` selects HKDF-SHA-256.
+3. Call [`psa_key_derivation_input_bytes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga8fd934dfb0ca45cbf89542ef2a5494c2) on each of the inputs in the order listed below. (Use [`psa_key_derivation_input_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gab2d7ce8705dd8e4a093f4b8a21a0c15a) instead for an input that is a PSA key object.) The input step value for each step is as follows:
+ 1. [`PSA_KEY_DERIVATION_INPUT_SALT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__derivation/#group__derivation_1gab62757fb125243562c3947a752470d4a) for the salt used during the extraction step. Omit this step for HKDF-Expand. For HKDF, you may omit this step if the salt is empty.
+ 2. [`PSA_KEY_DERIVATION_INPUT_SECRET`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__derivation/#group__derivation_1ga0ddfbe764baba995c402b1b0ef59392e) for the secret input.
+ 3. [`PSA_KEY_DERIVATION_INPUT_INFO`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__derivation/#group__derivation_1gacef8df989e09c769233f4b779acb5b7d) for the info string used during the expansion step. Omit this step for HKDF-Extract.
+4. Call [`psa_key_derivation_output_bytes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga06b7eb34a2fa88965f68e3d023fa12b9) to obtain the output of the derivation. You may call this function more than once to retrieve the output in successive chunks. Use [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1) instead if you want to use a chunk as a PSA key.
+5. Call [`psa_key_derivation_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) to free the resources associated with the key derivation object.
+
+### PKCS#5 module
+
+Applications currently using `mbedtls_pkcs5_pbkdf2_hmac` or `mbedtls_pkcs5_pbkdf2_hmac_ext` can switch to the PSA key derivation API for PBKDF2. This is a generic interface using an operation object with one function call for each input and one function call for each output.
+
+1. Create an operation object of type [`psa_key_derivation_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga5f099b63799a0959c3d46718c86c2609) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_key_derivation_setup`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gac0b6a76e45cceb1862752bf041701859) to select the algorithm, which is a value of type [`psa_algorithm_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac2e4d47f1300d73c2f829a6d99252d69). For PBKDF2-HMAC, select `PSA_ALG_PBKDF2_HMAC(hash)` where `hash` is the underlying hash algorithm (see “[Hash mechanism selection](#hash-mechanism-selection)”).
+3. Call `psa_key_derivation_input_cost` with the step `PSA_KEY_DERIVATION_INPUT_COST` to select the iteration count.
+4. Call [`psa_key_derivation_input_bytes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga8fd934dfb0ca45cbf89542ef2a5494c2) on each of the inputs in the order listed below. (Use [`psa_key_derivation_input_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gab2d7ce8705dd8e4a093f4b8a21a0c15a) instead for an input that is a PSA key object.) The input step value for each step is as follows:
+ 1. [`PSA_KEY_DERIVATION_INPUT_SALT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__derivation/#group__derivation_1gab62757fb125243562c3947a752470d4a) for the salt used during the extraction step. You may repeat this step to pass the salt in pieces (for example a salt and a pepper).
+ 2. [`PSA_KEY_DERIVATION_INPUT_SECRET`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__derivation/#group__derivation_1ga0ddfbe764baba995c402b1b0ef59392e) for the password.
+5. Call [`psa_key_derivation_output_bytes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga06b7eb34a2fa88965f68e3d023fa12b9) to obtain the output of the derivation. You may call this function more than once to retrieve the output in successive chunks.
+ Use [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1) instead if you want to use a chunk as a PSA key.
+ If you want to verify the output against an expected value (for authentication, rather than to derive key material), call [`psa_key_derivation_verify_bytes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gaf01520beb7ba932143ffe733b0795b08) or [`psa_key_derivation_verify_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gac041714e34a94742e8ee006ac7dfea5a) instead of `psa_key_derivation_output_bytes`. (Note that the `verify` functions are not yet present in the 3.5 release of Mbed TLS. They are expected to be released in version 3.6.0.)
+6. Call [`psa_key_derivation_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) to free the resources associated with the key derivation object.
+
+The function `mbedtls_pkcs5_pbes2` is only intended as a support function to parse encrypted private keys in the PK module. It has no PSA equivalent.
+
+### PKCS#12 module
+
+The functions `mbedtls_pkcs12_derivation` and `mbedtls_pkcs12_pbe` are only intended as support functions to parse encrypted private keys in the PK module. They have no PSA equivalent.
+
+## Random generation
+
+### Random generation interface
+
+The PSA subsystem has an internal random generator. As a consequence, you do not need to instantiate one manually, so most applications using PSA crypto do not need the interfaces from `entropy.h`, `ctr_drbg.h` and `hmac_drbg.h`. See the next sections for remaining use cases for [entropy](#entropy-sources) and [DRBG](#deterministic-pseudorandom-generation).
+
+The PSA API uses its internal random generator to generate keys (`psa_generate_key`), nonces for encryption (`psa_cipher_generate_iv`, `psa_cipher_encrypt`, `psa_aead_generate_nonce`, `psa_aead_encrypt`, `psa_asymmetric_encrypt`), and other random material as needed. If you need random data for some other purposes, call [`psa_generate_random`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5).
+
+If your application mixes uses of the PSA crypto API and the mbedtls API and you need to pass an RNG argument to a legacy or X.509/TLS function, include the header file `<mbedtls/psa_util.h>` and use:
+
+* [`mbedtls_psa_get_random`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/psa__util_8h/#_CPPv422mbedtls_psa_get_randomPvPh6size_t) as the `f_rng` argument;
+* [`MBEDTLS_PSA_RANDOM_STATE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/psa__util_8h/#c.MBEDTLS_PSA_RANDOM_STATE) as the `p_rng` argument.
+
+You can remove the Mbed TLS RNG boilerplate (`mbedtls_entropy_init`, `mbedtls_ctr_drbg_init`, `mbedtls_ctr_drbg_seed`, `mbedtls_ctr_drbg_random`, `mbedtls_ctr_drbg_free`, `mbedtls_entropy_free` — or `hmac_drbg` equivalents of the `ctr_drbg` functions) once you have finished replacing the references to `mbedtls_ctr_drbg_random` (or `mbedtls_hmac_drbg_random`) by `mbedtls_psa_get_random`.
+
+### Entropy sources
+
+Unless explicitly configured otherwise, the PSA random generator uses the default entropy sources configured through the legacy interface (`MBEDTLS_ENTROPY_xxx` symbols). Its set of sources is equivalent to an entropy object configured with `mbedtls_entropy_init`.
+
+A future version of Mbed TLS will include a PSA interface for configuring entropy sources. This is likely to replace the legacy interface in Mbed TLS 4.0.
+
+### Deterministic pseudorandom generation
+
+The PSA API does not have a dedicated interface for pseudorandom generation. The [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/) can serve a similar purpose in some applications, but it does not offer CTR\_DRBG or HMAC\_DRBG. If you need these algorithms, keep using `ctr_drbg.h` and `hmac_drbg.h`, but note that they may be removed from the public API in Mbed TLS 4.0.
+
+## Asymmetric cryptography
+
+The PSA API supports RSA (see “[RSA mechanism selection](#rsa-mechanism-selection)”), elliptic curve cryptography (see “[ECC mechanism selection](#elliptic-curve-mechanism-selection)” and “[EC-JPAKE](#ec-jpake)”) and finite-field Diffie-Hellman (see “[Diffie-Hellman mechanism selection](#diffie-hellman-mechanism-selection)”).
+
+### Key lifecycle for asymmetric cryptography
+
+In the PSA API, keys are referenced by an identifier of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t).
+(Some documentation references [`mbedtls_svc_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv420mbedtls_svc_key_id_t); the two types are identical except when the library is configured for use in a multi-client cryptography service.)
+The PSA key identifier tends to play the same role as an `mbedtls_pk_context`, `mbedtls_rsa_context` or `mbedtls_ecp_keypair` structure in the legacy API. However, there are major differences in the way the two APIs can be used to create keys or to obtain information about a key.
+
+Here is an overview of the lifecycle of a PSA key object.
+
+1. First define the attributes of the key by filling a [`psa_key_attributes_t` structure](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga0ec645e1fdafe59d591104451ebf5680). You need to set the following parameters:
+ * Call [`psa_set_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga6857ef0ecb3fa844d4536939d9c64025) to set the key type to the desired `PSA_KEY_TYPE_xxx` value (see “[RSA mechanism selection](#rsa-mechanism-selection)”, “[Elliptic curve mechanism selection](#elliptic-curve-mechanism-selection)” and “[Diffie-Hellman mechanism selection](#diffie-hellman-mechanism-selection)”).
+ * Call [`psa_set_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaf61683ac87f87687a40262b5afbfa018) to set the key's conceptual size in bits. This is optional with `psa_import_key`, which determines the key size from the length of the key material.
+ * Call [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98) to set the permitted algorithm to the desired `PSA_ALG_xxx` value (see “[RSA mechanism selection](#rsa-mechanism-selection)”, “[Elliptic curve mechanism selection](#elliptic-curve-mechanism-selection)” and “[Diffie-Hellman mechanism selection](#diffie-hellman-mechanism-selection)” as well as “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+ * Call [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de) to enable the desired usage types (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+2. Call one of the key creation functions, passing the attributes defined in the previous step, to get an identifier of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t) to the key object.
+ * Use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b) to directly import key material.
+ * If the key is randomly generated, use [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5).
+ * If the key is derived from other material (for example from a key exchange), use the [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/) and create the key with [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1).
+3. Call the functions in the following sections to perform operations on the key. The same key object can be used in multiple operations.
+4. To free the resources used by the key object, call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) after all operations with that key are finished.
+
+### Public-key cryptography policies
+
+A key's policy indicates what algorithm(s) it can be used with (usage algorithm policy) and what operations are permitted (usage flags).
+
+The following table lists the relevant usage flags for asymmetric cryptography. You can pass those flags (combined with bitwise-or) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de).
+
+| Usage | Flag |
+| ----- | ---- |
+| export public key | 0 (always permitted) |
+| export private key | [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) |
+| Sign a message directly | [`PSA_KEY_USAGE_SIGN_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga552117ac92b79500cae87d4e65a85c54) |
+| Sign an already-calculated hash | at least one of [`PSA_KEY_USAGE_SIGN_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga552117ac92b79500cae87d4e65a85c54) or [`PSA_KEY_USAGE_SIGN_HASH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga552117ac92b79500cae87d4e65a85c54) |
+| Verify a message directly | [`PSA_KEY_USAGE_VERIFY_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1gabea7ec4173f4f943110329ac2953b2b1) |
+| Verify an already-calculated hash | at least one of [`PSA_KEY_USAGE_VERIFY_MESSAGE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1gabea7ec4173f4f943110329ac2953b2b1) or [`PSA_KEY_USAGE_VERIFY_HASH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1gafadf131ef2182045e3483d03aadaa1bd) |
+| Encryption | [`PSA_KEY_USAGE_ENCRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga75153b296d045d529d97203a6a995dad) |
+| Decryption | [`PSA_KEY_USAGE_DECRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1gac3f2d2e5983db1edde9f142ca9bf8e6a) |
+| Key agreement | [`PSA_KEY_USAGE_DERIVE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1gaf19022acc5ef23cf12477f632b48a0b2) |
+
+The sections “[RSA mechanism selection](#rsa-mechanism-selection)”, “[Elliptic curve mechanism selection](#elliptic-curve-mechanism-selection)” and “[Diffie-Hellman mechanism selection](#diffie-hellman-mechanism-selection)” cover the available algorithm values for each key type. Normally, a key can only be used with a single algorithm, following standard good practice. However, there are two ways to relax this requirement.
+
+* Many signature algorithms encode a hash algorithm. Sometimes the same key may need to be used to sign messages with multiple different hashes. In an algorithm policy, you can use [`PSA_ALG_ANY_HASH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__values_8h/#c.PSA_ALG_ANY_HASH) instead of a hash algorithm value to allow the key to be used with any hash. For example, `psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH))` allows the key to be used with RSASSA-PSS, with different hash algorithms in each operation.
+* In addition to the algorithm (or wildcard) selected with [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98), you can use [`psa_set_key_enrollment_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaffa134b74aa52aa3ed9397fcab4005aa) to permit a second algorithm (or wildcard). This is intended for scenarios where a key is normally used with a single algorithm, but needs to be used with a different algorithm for enrollment (such as an ECDH key for which an ECDSA proof-of-possession is also required).
+
+### Asymmetric cryptographic mechanisms
+
+#### RSA mechanism selection
+
+The PK types `MBEDTLS_PK_RSA`, `MBEDTLS_PK_RSASSA_PSS` and `MBEDTLS_PK_RSA_ALT` correspond to RSA key types in the PSA API. In the PSA API, key pairs and public keys are separate object types.
+See “[RSA-ALT interface](#rsa-alt-interface)” for more information about `MBEDTLS_PK_RSA_ALT`.
+
+The PSA API uses policies and algorithm parameters rather than key types to distinguish between RSA-based mechanisms. The PSA algorithm selection corresponds to the `mbedtls_pk_type_t` value passed to `mbedtls_pk_{sign,verify}_ext`. It also replaces the use of `mbedtls_rsa_set_padding` on an `mbedtls_rsa_context` object. See the list of algorithms below and the signature and encryption sections for more information.
+
+An RSA public key has the type [`PSA_KEY_TYPE_RSA_PUBLIC_KEY`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga9ba0878f56c8bcd1995ac017a74f513b).
+
+An RSA key pair has the type [`PSA_KEY_TYPE_RSA_KEY_PAIR`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga11745b110166e927e2abeabc7d532051). A key with this type can be used both for private-key and public-key operations (there is no separate key type for a private key without the corresponding public key).
+You can always use a private key for operations on the corresponding public key (as long as the policy permits it).
+
+The following cryptographic algorithms work with RSA keys:
+
+* PKCS#1v1.5 RSA signature: [`PSA_ALG_RSA_PKCS1V15_SIGN`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga702ff75385a6ae7d4247033f479439af), [`PSA_ALG_RSA_PKCS1V15_SIGN_RAW`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga4215e2a78dcf834e9a625927faa2a817).
+* PKCS#1v1.5 RSA encryption: [`PSA_ALG_RSA_PKCS1V15_CRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga4c540d3abe43fb9abcb94f2bc51acef9).
+* PKCS#1 RSASSA-PSS signature: [`PSA_ALG_RSA_PSS`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga62152bf4cb4bf6aace5e1be8f143564d), [`PSA_ALG_RSA_PSS_ANY_SALT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga9b7355a2cd6bde88177634d539127f2b).
+* PKCS#1 RSAES-OAEP encryption: [`PSA_ALG_RSA_OAEP`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gaa1235dc3fdd9839c6c1b1a9857344c76).
+
+#### Elliptic curve mechanism selection
+
+The PK types `MBEDTLS_PK_ECKEY`, `MBEDTLS_PK_ECKEY_DH` and `MBEDTLS_PK_ECDSA` correspond to elliptic-curve key types in the PSA API. In the PSA API, key pairs and public keys are separate object types. The PSA API uses policies and algorithm parameters rather than key types to distinguish between the PK EC types.
+
+An ECC public key has the type [`PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gad54c03d3b47020e571a72cd01d978cf2) where `curve` is a curve family identifier.
+
+An ECC key pair has the type [`PSA_KEY_TYPE_ECC_KEY_PAIR(curve)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0b6f5d4d5037c54ffa850d8059c32df0) where `curve` is a curve family identifier. A key with this type can be used both for private-key and public-key operations (there is no separate key type for a private key without the corresponding public key).
+You can always use a private key for operations on the corresponding public key (as long as the policy permits it).
+
+A curve is fully determined by a curve family identifier and the private key size in bits. You can use the following functions to convert between the PSA and legacy elliptic curve designations:
+- [`mbedtls_ecc_group_to_psa()`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__psa__tls__helpers/#group__psa__tls__helpers_1ga9c83c095adfec7da99401cf81e164f99) converts from the legacy curve type identifier to PSA curve family and bit-size.
+- [`mbedtls_ecc_group_from_psa()`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__psa__tls__helpers/#group__psa__tls__helpers_1ga6243eb619d5b2f5fe4667811adeb8a12) converts from PSA curve family and bit-size to the legacy identifier.
+
+The following table gives the correspondence between legacy and PSA elliptic curve designations.
+
+| Mbed TLS legacy curve identifier | PSA curve family | Curve bit-size |
+| -------------------------------- | ---------------- | -------------- |
+| `MBEDTLS_ECP_DP_SECP192R1` | [`PSA_ECC_FAMILY_SECP_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 192 |
+| `MBEDTLS_ECP_DP_SECP224R1` | [`PSA_ECC_FAMILY_SECP_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 224 |
+| `MBEDTLS_ECP_DP_SECP256R1` | [`PSA_ECC_FAMILY_SECP_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 256 |
+| `MBEDTLS_ECP_DP_SECP384R1` | [`PSA_ECC_FAMILY_SECP_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 384 |
+| `MBEDTLS_ECP_DP_SECP521R1` | [`PSA_ECC_FAMILY_SECP_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 521 |
+| `MBEDTLS_ECP_DP_BP256R1` | [`PSA_ECC_FAMILY_BRAINPOOL_P_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac1643f1baf38b30d07c20a6eac697f15) | 256 |
+| `MBEDTLS_ECP_DP_BP384R1` | [`PSA_ECC_FAMILY_BRAINPOOL_P_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac1643f1baf38b30d07c20a6eac697f15) | 384 |
+| `MBEDTLS_ECP_DP_BP512R1` | [`PSA_ECC_FAMILY_BRAINPOOL_P_R1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gac1643f1baf38b30d07c20a6eac697f15) | 512 |
+| `MBEDTLS_ECP_DP_CURVE25519` | [`PSA_ECC_FAMILY_MONTGOMERY`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga1f624c5cdaf25b21287af33024e1aff8) | 255 |
+| `MBEDTLS_ECP_DP_SECP192K1` | [`PSA_ECC_FAMILY_SECP_K1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 192 |
+| `MBEDTLS_ECP_DP_SECP224K1` | not supported | N/A |
+| `MBEDTLS_ECP_DP_SECP256K1` | [`PSA_ECC_FAMILY_SECP_K1`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga48bb340b5544ba617b0f5b89542665a7) | 256 |
+| `MBEDTLS_ECP_DP_CURVE448` | [`PSA_ECC_FAMILY_MONTGOMERY`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga1f624c5cdaf25b21287af33024e1aff8) | 448 |
+
+The following cryptographic algorithms work with ECC keys:
+
+* ECDH key agreement (including X25519 and X448): [`PSA_ALG_ECDH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gab2dbcf71b63785e7dd7b54a100edee43).
+* ECDSA: [`PSA_ALG_ECDSA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7e3ce9f514a227d5ba5d8318870452e3), [`PSA_ALG_ECDSA_ANY`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga51d6b6044a62e33cae0cf64bfc3b22a4), [`PSA_ALG_DETERMINISTIC_ECDSA`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga11da566bcd341661c8de921e2ca5ed03).
+* EC-JPAKE (see “[EC-JPAKE](#ec-jpake)”.
+
+#### Diffie-Hellman mechanism selection
+
+A finite-field Diffie-Hellman key pair has the type [`PSA_KEY_TYPE_DH_KEY_PAIR(group)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gab4f857c4cd56f5fe65ded421e61bcc8c) where `group` is a group family as explained below.
+
+A finite-field Diffie-Hellman public key has the type [`PSA_KEY_TYPE_DH_PUBLIC_KEY(group)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gaa22f0f2ea89b929f2fadc19890cc5d5c) where `group` is a group family as explained below. Due to the design of the API, there is rarely a need to use Diffie-Hellman public key objects.
+
+The PSA API only supports Diffie-Hellman with predefined groups. A group is fully determined by a group family identifier and the public key size in bits.
+
+| Mbed TLS DH group P value | PSA DH group family | Bit-size |
+| ------------------------- | ------------------- | -------- |
+| `MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN` | [`PSA_DH_FAMILY_RFC7919`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7be917e67fe4a567fb36864035822ff7) | 2048 |
+| `MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN` | [`PSA_DH_FAMILY_RFC7919`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7be917e67fe4a567fb36864035822ff7) | 3072 |
+| `MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN` | [`PSA_DH_FAMILY_RFC7919`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7be917e67fe4a567fb36864035822ff7) | 4096 |
+| `MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN` | [`PSA_DH_FAMILY_RFC7919`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7be917e67fe4a567fb36864035822ff7) | 6144 |
+| `MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN` | [`PSA_DH_FAMILY_RFC7919`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7be917e67fe4a567fb36864035822ff7) | 8192 |
+
+A finite-field Diffie-Hellman key can be used for key agreement with the algorithm [`PSA_ALG_FFDH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0ebbb6f93a05b6511e6f108ffd2d1eb4).
+
+### Creating keys for asymmetric cryptography
+
+The easiest way to create a key pair object is by randomly generating it with [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5). Compared with the low-level functions from the legacy API (`mbedtls_rsa_gen_key`, `mbedtls_ecp_gen_privkey`, `mbedtls_ecp_gen_keypair`, `mbedtls_ecp_gen_keypair_base`, `mbedtls_ecdsa_genkey`), this directly creates an object that can be used with high-level APIs, but removes some of the flexibility. Note that if you want to export the generated private key, you must pass the flag [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de); exporting the public key with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) is always permitted.
+
+For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga6776360ae8046a4456a5f990f997da58) to select a different public exponent. As of Mbed TLS 3.6.0, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers.
+
+To create a key object from existing material, use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b). This function has the same basic goal as the PK parse functions (`mbedtls_pk_parse_key`, `mbedtls_pk_parse_public_key`, `mbedtls_pk_parse_subpubkey`), but only supports a single format that just contains the number(s) that make up the key, with very little metadata. The table below summarizes the PSA import/export format for key pairs and public keys; see the documentation of [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) for more details.
+
+| Key type | PSA import/export format |
+| -------- | ------------------------ |
+| RSA key pair | PKCS#1 RSAPrivateKey DER encoding (including both private exponent and CRT parameters) |
+| RSA public key | PKCS#1 RSAPublicKey DER encoding |
+| ECC key pair | Fixed-length private value (not containing the public key) |
+| ECC public key (Weierstrass curve) | Fixed-length uncompressed point |
+| ECC public key (Montgomery curve) | Fixed-length public value |
+| FFDH key pair | Fixed-length private value (not containing the public key) |
+| FFDH public key | Fixed-length public value |
+
+There is no equivalent of `mbedtls_pk_parse_keyfile` and `mbedtls_pk_parse_public_keyfile`. Either call the legacy function or load the file data manually.
+
+A future extension of the PSA API will support other import formats. Until those are implemented, see the following subsection for how to use the PK module for key parsing and construct a PSA key object from the PK object.
+
+### Creating a PSA key via PK
+
+You can use the PK module as an intermediate step to create an RSA or ECC key for use with PSA. This is useful for use cases that the PSA API does not currently cover, such as:
+
+* Parsing a key in a format with metadata without knowing its type ahead of time.
+* Parsing a key in a format that the PK module supports, but `psa_import_key` doesn't.
+* Importing a key which you have in the form of a list of numbers, rather than the binary encoding required by `psa_import_key`.
+* Importing a key with less information than what the PSA API needs, for example an ECC public key in a compressed format, an RSA private key without the private exponent, or an RSA private key without the CRT parameters.
+
+For such use cases:
+
+1. First create a PK object with the desired key material.
+2. Call [`mbedtls_pk_get_psa_attributes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a7aa7b33cffb6981d95d1632631de9244) to fill PSA attributes corresponding to the PK key. Pass one of the following values as the `usage` parameter:
+ * `PSA_KEY_USAGE_SIGN_HASH` or `PSA_KEY_USAGE_SIGN_MESSAGE` for a key pair used for signing.
+ * `PSA_KEY_USAGE_DECRYPT` for a key pair used for decryption.
+ * `PSA_KEY_USAGE_DERIVE` for a key pair used for key agreement.
+ * `PSA_KEY_USAGE_VERIFY_HASH` or `PSA_KEY_USAGE_VERIFY_MESSAGE` for a public key pair used for signature verification.
+ * `PSA_KEY_USAGE_ENCRYPT` for a key pair used for encryption.
+3. Optionally, tweak the attributes (this is rarely necessary). For example:
+ * Call [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de), [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98) and/or [`psa_set_key_enrollment_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__extra_8h/#group__attributes_1gaffa134b74aa52aa3ed9397fcab4005aa) to change the key's policy (by default, it allows what can be done through the PK module).
+ · Call [`psa_set_key_id`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gae48fcfdc72a23e7499957d7f54ff5a64) and perhaps [`psa_set_key_lifetime`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gac03ccf09ca6d36cc3d5b43f8303db6f7) to create a PSA persistent key.
+4. Call [`mbedtls_pk_import_into_psa`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1ad59835d14832daf0f4b4bd0a4555abb9) to import the key into the PSA key store.
+5. You can now free the PK object with `mbedtls_pk_free`.
+
+Here is some sample code illustrating the above process, with error checking omitted.
+
+```
+mbedtls_pk_context pk;
+mbedtls_pk_init(&pk);
+mbedtls_pk_parse_key(&pk, key_buffer, key_buffer_length, NULL, 0,
+ mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
+psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes);
+psa_key_id_t key_id;
+mbedtls_pk_import_into_psa(&pk, &attributes, &key_id);
+mbedtls_pk_free(&pk);
+psa_sign_hash(key_id, ...);
+```
+
+#### Importing an elliptic curve key from ECP
+
+This section explains how to use the `ecp.h` API to create an elliptic curve key in a format suitable for `psa_import_key`.
+
+You can use this, for example, to import an ECC key in the form of a compressed point by calling `mbedtls_ecp_point_read_binary` then following the process below.
+
+The following code snippet illustrates how to import a private key which is initially in an `mbedtls_ecp_keypair` object. (This includes `mbedtls_ecdsa_keypair` objects since that is just a type alias.) Error checks are omitted for simplicity. A future version of Mbed TLS [will provide a function to calculate the curve family](https://github.com/Mbed-TLS/mbedtls/issues/7764).
+
+```
+mbedtls_ecp_keypair ec;
+mbedtls_ecp_keypair_init(&ec);
+// Omitted: fill ec with key material
+// (the public key will not be used and does not need to be set)
+unsigned char buf[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+size_t length;
+mbedtls_ecp_write_key_ext(&ec, &length, buf, sizeof(buf));
+psa_ecc_curve_t curve = ...; // need to determine the curve family manually
+psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+psa_set_key_attributes(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_... | ...);
+psa_set_key_algorithm(&attributes, PSA_ALGORITHM_...);
+psa_key_id_t key_id = 0;
+psa_import_key(&attributes, buf, length, &key_id);
+mbedtls_ecp_keypair_free(&ec);
+```
+The following code snippet illustrates how to import a private key which is initially in an `mbedtls_ecp_keypair` object. Error checks are omitted for simplicity.
+
+```
+mbedtls_ecp_group grp;
+mbedtls_ecp_group_init(&grp);
+mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_...);
+mbedtls_ecp_point pt;
+mbedtls_ecp_point_init(&pt);
+// Omitted: fill pt with key material
+unsigned char buf[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_PUBLIC_KEY_MAX_SIZE)];
+size_t length;
+mbedtls_ecp_point_write_binary(&grp, &pt, &length, buf, sizeof(buf));
+psa_ecc_curve_t curve = ...; // need to determine the curve family manually
+psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+psa_set_key_attributes(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
+psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_... | ...);
+psa_set_key_algorithm(&attributes, PSA_ALGORITHM_...);
+psa_key_id_t key_id = 0;
+psa_import_key(&attributes, buf, length, &key_id);
+mbedtls_ecp_point_free(&pt);
+mbedtls_ecp_group_free(&grp);
+```
+
+### Key pair and public key metadata
+
+There is no equivalent to the type `mbedtls_pk_info_t` and the functions `mbedtls_pk_info_from_type` in the PSA API because it is unnecessary. All macros and functions operate directly on key type values (`psa_key_type_t`, `PSA_KEY_TYPE_xxx` constants) and algorithm values (`psa_algorithm_t`, `PSA_ALG_xxx` constants).
+
+You can call [`psa_get_key_attributes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gacbbf5c11eac6cd70c87ffb936e1b9be2) to populate a structure with the attributes of a key, then functions such as [`psa_get_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gae4fb812af4f57aa1ad85e335a865b918) and [`psa_get_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga5bee85c2164ad3d4c0d42501241eeb06) to obtain a key's type (`PSA_KEY_TYPE_xxx` value) and size (nominal size in bits).
+
+The bit-size from `psa_get_key_bits` is the same as the one from `mbedtls_pk_get_bitlen`. To convert to bytes as `mbedtls_pk_get_len` or `mbedtls_rsa_get_len` do, you can use the macro `PSA_BITS_TO_BYTES`. However, note that the PSA API has generic macros for each related buffer size (export, signature size, etc.), so you should generally use those instead. The present document lists those macros where it explains the usage of the corresponding function.
+
+Most code that calls `mbedtls_pk_get_type` or `mbedtls_pk_can_do` only requires the key's type as reported by [`psa_get_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gae4fb812af4f57aa1ad85e335a865b918). For code that uses both `mbedtls_pk_context` objects and PSA metadata encoding, [`mbedtls_pk_can_do_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a256d3e8d4323a45aafa7d2b6c59a36f6) checks the compatibility between a key object and a mechanism. If needed, you can also access a key's policy from its attributes with [`psa_get_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaa1af20f142ca722222c6d98678a0c448), [`psa_get_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gac255da850a00bbed925390044f016b34) and [`psa_get_key_enrollment_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga39803b62a97198cf630854db9b53c588). The algorithm policy also conveys the padding and hash information provided by `mbedtls_rsa_get_padding_mode` and `mbedtls_rsa_get_md_alg`.
+
+### Exporting a public key or a key pair
+
+To export a PSA key pair or public key, call [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf). If the key is a key pair, its policy must allow `PSA_KEY_USAGE_EXPORT` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+
+To export a PSA public key or to export the public key of a PSA key pair object, call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062). This is always permitted regardless of the key's policy.
+
+The export format is the same format used for `psa_import_key`, described in “[Creating keys for asymmetric cryptography](#creating-keys-for-asymmetric-cryptography)” above.
+
+A future extension of the PSA API will support other export formats. Until those are implemented, see “[Exposing a PSA key via PK](#exposing-a-psa-key-via-pk)” for ways to use the PK module to format a PSA key.
+
+#### Exposing a PSA key via PK
+
+This section discusses how to use a PSA key in a context that requires a PK object, such as PK formatting functions (`mbedtls_pk_write_key_der`, `mbedtls_pk_write_pubkey_der`, `mbedtls_pk_write_pubkey_pem`, `mbedtls_pk_write_key_pem` or `mbedtls_pk_write_pubkey`), Mbed TLS X.509 functions, Mbed TLS SSL functions, or another API that involves `mbedtls_pk_context` objects. The PSA key must be an RSA or ECC key since the PK module does not support DH keys. Three functions from `pk.h` help with that:
+
+* [`mbedtls_pk_copy_from_psa`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1ab8e88836fd9ee344ffe630c40447bd08) copies a PSA key into a PK object. The PSA key must be exportable. The PK object remains valid even if the PSA key is destroyed.
+* [`mbedtls_pk_copy_public_from_psa`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a2a50247a528889c12ea0ddddb8b15a4e) copies the public part of a PSA key into a PK object. The PK object remains valid even if the PSA key is destroyed.
+* [`mbedtls_pk_setup_opaque`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a4c04ac22ab9c1ae09cc29438c308bf05) sets up a PK object that wraps the PSA key. This functionality is only available when `MBEDTLS_USE_PSA_CRYPTO` is enabled. The PK object has the type `MBEDTLS_PK_OPAQUE` regardless of whether the key is an RSA or ECC key. The PK object can only be used as permitted by the PSA key's policy. The PK object contains a reference to the PSA key identifier, therefore PSA key must not be destroyed as long as the PK object remains alive.
+
+Here is some sample code illustrating how to use the PK module to format a PSA public key or the public key of a PSA key pair.
+```
+int write_psa_pubkey(psa_key_id_t key_id,
+ unsigned char *buf, size_t size, size_t *len) {
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ int ret = mbedtls_pk_copy_public_from_psa(key_id, &pk);
+ if (ret != 0) goto exit;
+ ret = mbedtls_pk_write_pubkey_der(&pk, buf, size);
+ if (ret < 0) goto exit;
+ *len = ret;
+ memmove(buf, buf + size - ret, ret);
+ ret = 0;
+exit:
+ mbedtls_pk_free(&pk);
+}
+```
+
+### Signature operations
+
+The equivalent of `mbedtls_pk_sign` or `mbedtls_pk_sign_ext` to sign an already calculated hash is [`psa_sign_hash`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1ga785e746a31a7b2a35ae5175c5ace3c5c).
+The key must be a key pair allowing the usage `PSA_KEY_USAGE_SIGN_HASH` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+Use [`PSA_SIGN_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_SIGN_OUTPUT_SIZE) or [`PSA_SIGNATURE_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_SIGNATURE_MAX_SIZE) (similar to `MBEDTLS_PK_SIGNATURE_MAX_SIZE`) to determine a sufficient size for the output buffer.
+This is also the equivalent of the type-specific functions `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_ecdsa_sign`, `mbedtls_ecdsa_sign_det_ext` and `mbedtls_ecdsa_write_signature`. Note that the PSA API uses the raw format for ECDSA signatures, not the ASN.1 format; see “[ECDSA signature](#ecdsa-signature)” for more details.
+
+The equivalent of `mbedtls_pk_verify` or `mbedtls_pk_verify_ext` to verify an already calculated hash is [`psa_verify_hash`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1gae2ffbf01e5266391aff22b101a49f5f5).
+The key must be a public key (or a key pair) allowing the usage `PSA_KEY_USAGE_VERIFY_HASH` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+This is also the equivalent of the type-specific functions `mbedtls_rsa_pkcs1_verify`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`, `mbedtls_rsa_rsassa_pss_verify`, `mbedtls_rsa_rsassa_pss_verify_ext`, `mbedtls_ecdsa_verify` amd `mbedtls_ecdsa_read_signature`. Note that the PSA API uses the raw format for ECDSA signatures, not the ASN.1 format; see “[ECDSA signature](#ecdsa-signature)” for more details.
+
+Generally, `psa_sign_hash` and `psa_verify_hash` require the input to have the correct length for the hash (this has historically not always been enforced in the corresponding legacy APIs).
+
+See also “[Restartable ECDSA signature](#restartable-ecdsa-signature)” for a restartable variant of this API.
+
+The PSA API also has functions [`psa_sign_message`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1ga963ecadae9c38c85826f9a13cf1529b9) and [`psa_verify_message`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1ga01c11f480b185a4268bebd013df7c14c). These functions combine the hash calculation with the signature calculation or verification.
+For `psa_sign_message`, either the usage flag `PSA_KEY_USAGE_SIGN_MESSAGE` or `PSA_KEY_USAGE_SIGN_HASH` is sufficient.
+For `psa_verify_message`, either the usage flag `PSA_KEY_USAGE_VERIFY_MESSAGE` or `PSA_KEY_USAGE_VERIFY_HASH` is sufficient.
+
+Most signature algorithms involve a hash algorithm. See “[Hash mechanism selection](#hash-mechanism-selection)”.
+
+The following subsections describe the PSA signature mechanisms that correspond to legacy Mbed TLS mechanisms.
+
+#### ECDSA signature
+
+**Note: in the PSA API, the format of an ECDSA signature is the raw fixed-size format. This is different from the legacy API** which uses the ASN.1 DER format for ECDSA signatures. To convert between the two formats, use [`mbedtls_ecdsa_raw_to_der`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/psa__util_8h/#group__psa__tls__helpers_1ga9295799b5437bdff8ce8abd524c5ef2e) or [`mbedtls_ecdsa_der_to_raw`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/psa__util_8h/#group__psa__tls__helpers_1ga33b3cf65d5992ccc724b7ee00186ae61).
+
+<!-- The following are specific to the DER format and therefore have no PSA equivalent: MBEDTLS_ECDSA_MAX_SIG_LEN, MBEDTLS_ECDSA_MAX_LEN -->
+
+ECDSA is the mechanism provided by `mbedtls_pk_sign` and `mbedtls_pk_verify` for ECDSA keys, as well as by `mbedtls_ecdsa_sign`, `mbedtls_ecdsa_sign_det_ext`, `mbedtls_ecdsa_write_signature`, `mbedtls_ecdsa_verify` and `mbedtls_ecdsa_read_signature`.
+
+The PSA API offers three algorithm constructors for ECDSA. They differ only for signature, and have exactly the same behavior for verification.
+
+* [`PSA_ALG_ECDSA(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga7e3ce9f514a227d5ba5d8318870452e3) is a randomized ECDSA signature of a hash calculated with the algorithm `hash`.
+* [`PSA_ALG_ECDSA_ANY`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga51d6b6044a62e33cae0cf64bfc3b22a4) is equivalent to `PSA_ALG_ECDSA`, but does not require specifying a hash as part of the algorithm. It can only be used with `psa_sign_hash` and `psa_verify_hash`, with no constraint on the length of the hash.
+* [`PSA_ALG_DETERMINISTIC_ECDSA(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga11da566bcd341661c8de921e2ca5ed03) is a deterministic ECDSA signature of a hash calculated with the algorithm `hash`. This is the same as the functionality offered by `MBEDTLS_ECDSA_DETERMINISTIC` in the legacy API.
+ * For `psa_sign_message` with `PSA_ALG_DETERMINISTIC_ECDSA`, the same hash algorithm is used to hash the message and to parametrize the deterministic signature generation.
+
+Unlike the legacy API, where `mbedtls_pk_sign` and `mbedtls_ecdsa_write_signature` automatically select deterministic ECDSA if both are available, the PSA API requires the application to select the preferred variant. ECDSA verification cannot distinguish between randomized and deterministic ECDSA (except in so far as if the same message is signed twice and the signatures are different, then at least one of the signatures is not the determinstic variant), so in most cases switching between the two is a compatible change.
+
+#### Restartable ECDSA signature
+
+The legacy API includes an API for “restartable” ECC operations: the operation returns after doing partial computation, and can be resumed. This is intended for highly constrained devices where long cryptographic calculations need to be broken up to poll some inputs, where interrupt-based scheduling is not desired. The legacy API consists of the functions `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable`, `mbedtls_ecdsa_sign_restartable`, `mbedtls_ecdsa_verify_restartable`, `mbedtls_ecdsa_write_signature_restartable`, `mbedtls_ecdsa_read_signature_restartable`, as well as several configuration and data manipulation functions.
+
+The PSA API offers similar functionality via “interruptible” public-key operations. As of Mbed TLS 3.5, it is only implemented for ECDSA, for the same curves as the legacy API. This will likely be extended to ECDH in the short term. At the time of writing, no extension is planned to other curves or other algorithms.
+
+The flow of operations for an interruptible signature operation is as follows:
+
+1. Create an operation object of type [`psa_sign_hash_interruptible_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga6948d4653175b1b530a265540066a7e7) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_sign_hash_start`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga441988da830205182b3e791352537fac) with the private key object and the hash to verify.
+3. Call [`psa_sign_hash_complete`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga79849aaa7004a85d2ffbc4b658a333dd) repeatedly until it returns a status other than `PSA_OPERATION_INCOMPLETE`.
+
+The flow of operations for an interruptible signature verification operation is as follows:
+
+1. Create an operation object of type [`psa_verify_hash_interruptible_operation_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga537054cf4909ad1426331ae4ce7148bb) and zero-initialize it (or use the corresponding `INIT` macro).
+2. Call [`psa_verify_hash_start`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga912eb51fb94056858f451f276ee289cb) with the private key object and the hash and signature to verify.
+3. Call [`psa_verify_hash_complete`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga67fe82352bc2f8c0343e231a70a5bc7d) repeatedly until it returns a status other than `PSA_OPERATION_INCOMPLETE`.
+
+If you need to cancel the operation after calling the start function without waiting for the loop calling the complete function to finish, call [`psa_sign_hash_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1gae893a4813aa8e03bd201fe4f1bbbb403) or [`psa_verify_hash_abort`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga18dc9c0cc27d590c5e3b186094d90f88).
+
+Call [`psa_interruptible_set_max_ops`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga6d86790b31657c13705214f373af869e) to set the number of basic operations per call. This is the same unit as `mbedtls_ecp_set_max_ops`. You can retrieve the current value with [`psa_interruptible_get_max_ops`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible__hash/#group__interruptible__hash_1ga73e66a6d93f2690b626fcea20ada62b2). The value is [`PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__interruptible/#group__interruptible_1gad19c1da7f6b7d59d5873d5b68eb943d4) if operations are not restartable, which corresponds to `mbedtls_ecp_restart_is_enabled()` being false.
+
+#### PKCS#1 v1.5 RSA signature
+
+This mechanism corresponds to `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_rsa_pkcs1_sign` and `mbedtls_rsa_pkcs1_verify` for an RSA key, unless PSS has been selected with `mbedtls_rsa_set_padding` on the underlying RSA key context. This mechanism also corresponds to `mbedtls_rsa_rsassa_pkcs1_v15_sign` and `mbedtls_rsa_rsassa_pkcs1_v15_verify`.
+
+The PSA API has two algorithm constructors:
+
+* [`PSA_ALG_RSA_PKCS1V15_SIGN(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga702ff75385a6ae7d4247033f479439af) formats the hash as specified in PKCS#1. The hash algorithm corresponds to the `md_alg` parameter of the legacy functions.
+* [`PSA_ALG_RSA_PKCS1V15_SIGN_RAW`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga4215e2a78dcf834e9a625927faa2a817) uses the “hash” input in lieu of a DigestInfo structure. This is the same as calling the legacy functions with `md_alg=MBEDTLS_MD_NONE`.
+
+#### PKCS#1 RSASSA-PSS signature
+
+This mechanism corresponds to `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext` for an RSA key, as well as `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_rsa_pkcs1_sign` and `mbedtls_rsa_pkcs1_verify` if PSS has been selected on the underlying RSA context with `mbedlts_rsa_set_padding`.
+It also corresponds to `mbedtls_rsa_rsassa_pss_sign` and `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify` and `mbedtls_rsa_rsassa_pss_verify_ext`.
+
+The PSA API has two algorithm constructors: [`PSA_ALG_RSA_PSS(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga62152bf4cb4bf6aace5e1be8f143564d) and [`PSA_ALG_RSA_PSS_ANY_SALT(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga9b7355a2cd6bde88177634d539127f2b). They differ only for verification, and have exactly the same behavior for signature. The hash algorithm `hash` corresponds to the `md_alg` parameter passed to the legacy API. It is used to hash the message, to create the salted hash, and for the mask generation with MGF1. The PSA API does not support using different hash algorithms for these different purposes.
+
+With respect to the salt length:
+
+* When signing, the salt is random, and the salt length is the largest possible salt length up to the hash length. This is the same as passing `MBEDTLS_RSA_SALT_LEN_ANY` as the salt length to `xxx_ext` legacy functions or using a legacy function that does not have a `saltlen` argument.
+* When verifying, `PSA_ALG_RSA_PSS` requires the the salt length to the largest possible salt length up to the hash length (i.e. the same that would be used for signing).
+* When verifying, `PSA_ALG_RSA_PSS_ANY_SALT` accepts any salt length. This is the same as passing `MBEDTLS_RSA_SALT_LEN_ANY` as the salt length to `xxx_ext` legacy functions or using a legacy function that does not have a `saltlen` argument.
+
+### Asymmetric encryption and decryption
+
+The equivalent of `mbedtls_pk_encrypt`, `mbedtls_rsa_pkcs1_encrypt`, `mbedtls_rsa_rsaes_pkcs1_v15_encrypt` or `mbedtls_rsa_rsaes_oaep_encrypt` to encrypt a short message (typically a symmetric key) is [`psa_asymmetric_encrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1gaa17f61e4ddafd1823d2c834b3706c290).
+The key must be a public key (or a key pair) allowing the usage `PSA_KEY_USAGE_ENCRYPT` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+Use the macro [`PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#crypto__sizes_8h_1a66ba3bd93e5ec52870ccc3848778bad8) or [`PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE) to determine the output buffer size.
+
+The equivalent of `mbedtls_pk_decrypt`, `mbedtls_rsa_pkcs1_decrypt`, `mbedtls_rsa_rsaes_pkcs1_v15_decrypt` or `mbedtls_rsa_rsaes_oaep_decrypt` to decrypt a short message (typically a symmetric key) is [`psa_asymmetric_decrypt`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1ga4f968756f6b22aab362b598b202d83d7).
+The key must be a key pair allowing the usage `PSA_KEY_USAGE_DECRYPT` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+Use the macro [`PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#crypto__sizes_8h_1a61a246f3eac41989821d982e56fea6c1) or [`PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE) to determine the output buffer size.
+
+The following subsections describe the PSA asymmetric encryption mechanisms that correspond to legacy Mbed TLS mechanisms.
+
+#### RSA PKCS#1v1.5 encryption
+
+This is the mechanism used by the PK functions and by `mbedtls_rsa_pkcs1_{encrypt,decrypt}` unless `mbedtls_rsa_set_padding` has been called on the underlying RSA key context.
+This is also the mechanism used by `mbedtls_rsa_rsaes_pkcs1_v15_{encrypt,decrypt}`.
+
+The PSA algorithm is [`PSA_ALG_RSA_PKCS1V15_CRYPT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga4c540d3abe43fb9abcb94f2bc51acef9).
+
+Beware that PKCS#1v1.5 decryption is subject to padding oracle attacks. Revealing when `psa_asymmetric_decrypt` returns `PSA_ERROR_INVALID_PADDING` may allow an adversary to decrypt arbitrary ciphertexts.
+
+#### RSA RSAES-OAEP
+
+This is the mechanism used by `mbedtls_rsa_rsaes_oaep_{encrypt,decrypt}`.
+
+The PSA algorithm is [`PSA_ALG_RSA_OAEP(hash)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gaa1235dc3fdd9839c6c1b1a9857344c76) where `hash` is a hash algorithm value (`PSA_ALG_xxx`, see “[Hash mechanism selection](#hash-mechanism-selection)”).
+
+As with the PK API, the mask generation is MGF1, the label is empty, and the same hash algorithm is used for MGF1 and to hash the label. The PSA API does not offer a way to choose a different label or a different hash algorithm for the label.
+
+### Private-public key consistency
+
+There is no direct equivalent of the functions `mbedtls_rsa_check_privkey`, `mbedtls_rsa_check_pubkey`,`mbedtls_ecp_check_privkey`, `mbedtls_ecp_check_pubkey`. The PSA API performs some basic checks when it imports a key, and may perform additional checks before performing an operation if needed, so it will never perform an operation on a key that does not satisfy these checks, but the details of when the check is performed may change between versions of the library.
+
+The legacy API provides functions `mbedtls_pk_check_pair`, `mbedtls_rsa_check_pub_priv` and `mbedtls_ecp_check_pub_priv`, which can be used to check the consistency between a private key and a public key. To perform such a check with the PSA API, you can export the public keys; this works because the PSA representation of public keys is canonical.
+
+* Prepare a key object containing the private key, for example with [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b).
+* Prepare a key object containing the public key, for example with [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b).
+* Export both public keys with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) (this is possible regardless of the usage policies on the keys) and compare the output.
+ ```
+ // Error checking omitted
+ unsigned char pub1[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ unsigned char pub2[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ size_t length1, length2;
+ psa_export_public_key(key1, pub1, sizeof(pub1), &length1);
+ psa_export_public_key(key2, pub2, sizeof(pub2), &length2);
+ if (length1 == length2 && !memcmp(pub1, pub2, length1))
+ puts("The keys match");
+ else
+ puts("The keys do not match");
+ ```
+
+### PK functionality with no PSA equivalent
+
+There is no PSA equivalent of the debug functionality provided by `mbedtls_pk_debug`. Use `psa_export_key` to export the key if desired.
+
+There is no PSA equivalent to Mbed TLS's custom key type names exposed by `mbedtls_pk_get_name`.
+
+### Key agreement
+
+The PSA API has a generic interface for key agreement, covering the main use of both `ecdh.h` and `dhm.h`.
+
+<!-- TODO: static FFDH/ECDH (including `mbedtls_ecdh_get_params`)
+ https://github.com/Mbed-TLS/mbedtls/pull/7766#discussion_r1410568541
+ -->
+
+#### Diffie-Hellman key pair management
+
+The PSA API manipulates keys as such, rather than via an operation context. Thus, to use Diffie-Hellman, you need to create a key object, then perform the key exchange, then destroy the key. There is no equivalent to the types `mbedtls_ecdh_context` and `mbedtls_dhm_context`.
+
+Here is an overview of the lifecycle of a key object.
+
+1. First define the attributes of the key by filling a [`psa_key_attributes_t` structure](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga0ec645e1fdafe59d591104451ebf5680). You need to set the following parameters:
+ * Call [`psa_set_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga6857ef0ecb3fa844d4536939d9c64025) to set the key type to the desired `PSA_KEY_TYPE_xxx` value:
+ * [`PSA_KEY_TYPE_DH_KEY_PAIR(group)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gab4f857c4cd56f5fe65ded421e61bcc8c) for finite-field Diffie-Hellman (see “[Diffie-Hellman mechanism selection](#diffie-hellman-mechanism-selection)”).
+ * [`PSA_KEY_TYPE_ECC_KEY_PAIR(curve)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0b6f5d4d5037c54ffa850d8059c32df0) for elliptic-curve Diffie-Hellman (see “[Elliptic curve mechanism selection](#elliptic-curve-mechanism-selection)”).
+ * Call [`psa_set_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaf61683ac87f87687a40262b5afbfa018) to set the private key size in bits. This is optional with `psa_import_key`, which determines the key size from the length of the key material.
+ * Call [`psa_set_key_algorithm`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gaeb8341ca52baa0279475ea3fd3bcdc98) to select the appropriate algorithm:
+ * [`PSA_ALG_ECDH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1gab2dbcf71b63785e7dd7b54a100edee43) or [`PSA_ALG_FFDH`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga0ebbb6f93a05b6511e6f108ffd2d1eb4) for a raw key agreement.
+ * [`PSA_ALG_KEY_AGREEMENT(ka, kdf)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__crypto__types/#group__crypto__types_1ga78bb81cffb87a635c247725eeb2a2682) if the key will be used as part of a key derivation, where:
+ * `ka` is either `PSA_ALG_ECDH` or `PSA_ALG_FFDH`.
+ * `kdf` is a key derivation algorithm.
+ * Call [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de) to enable at least [`PSA_KEY_USAGE_DERIVE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#c.PSA_KEY_USAGE_DERIVE). See “[Public-key cryptography policies](#public-key-cryptography-policies)” for more information.
+2. Call one of the key creation functions, passing the attributes defined in the previous step, to get an identifier of type [`psa_key_id_t`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__types_8h/#_CPPv412psa_key_id_t) to the key object.
+ * Use [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5) to generate a random key. This is normally the case for a Diffie-Hellman key.
+ * Use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b) to directly import key material.
+ * If the key is derived deterministically from other material, use the [key derivation interface](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/) and create the key with [`psa_key_derivation_output_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1gada7a6e17222ea9e7a6be6864a00316e1).
+3. Call the functions in the following sections to perform operations on the key. The same key object can be used in multiple operations.
+4. To free the resources used by the key object, call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) after all operations with that key are finished.
+
+#### Performing a key agreement
+
+Call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) to obtain the public key that needs to be sent to the other party.
+Use the macros [`PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE) or [`PSA_EXPORT_PUBLIC_KEY_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+Call [`psa_raw_key_agreement`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) to calculate the shared secret from your private key and the other party's public key.
+Use the macros [`PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE) or [`PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE) to determine a sufficient size for the output buffer.
+
+Call [`psa_key_derivation_key_agreement`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga2cd5a8ac906747d3204ec442db78745f) instead of `psa_raw_key_agreement` to use the resulting shared secret as the secret input to a key derivation. See “[HKDF](#hkdf)” for an example of the key derivation interface.
+
+#### Translating a legacy key agreement contextless workflow
+
+A typical workflow for ECDH using the legacy API without a context object is:
+
+1. Initialize objects:
+ * `mbedtls_ecp_group grp` for the curve;
+ * `mbedtls_mpi our_priv` for our private key;
+ * `mbedtls_ecp_point our_pub` for our public key;
+ * `mbedtls_ecp_point their_pub` for their public key (this may be the same variable as `our_pub` if the application does not need to hold both at the same time);
+ * `mbedtls_mpi z` for the shared secret (this may be the same variable as `our_priv` when doing ephemeral ECDH).
+2. Call `mbedtls_ecp_group_load` on `grp` to select the curve.
+3. Call `mbedtls_ecdh_gen_public` on `grp`, `our_priv` (output) and `our_pub` (output) to generate a key pair and retrieve the corresponding public key.
+4. Send `our_pub` to the peer. Retrieve the peer's public key and import it into `their_pub`. These two actions may be performed in either order.
+5. Call `mbedtls_ecdh_compute_shared` on `grp`, `z` (output), `their_pub` and `our_priv`. Use the raw shared secret `z`, typically, to construct a shared key.
+6. Free `grp`, `our_priv`, `our_pub`, `their_pub` and `z`.
+
+The corresponding workflow with the PSA API is as follows:
+
+1. Initialize objects:
+ * `psa_key_id_t our_key`: a handle to our key pair;
+ * `psa_key_attributes_t attributes`: key attributes used in steps 2–3;;
+ * `our_pub`: a buffer of size [`PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, bits)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE) (where `key_type` is the value passed to `psa_set_key_size` in step 2) or [`PSA_EXPORT_PUBLIC_KEY_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) to hold our key.
+ * `their_pub`: a buffer of the same size, to hold the peer's key. This can be the same as `our_pub` if the application does not need to hold both at the same time;
+ * `shared_secret`: a buffer of size [`PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, bits)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE) or [`PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE) (if not using a key derivation operation).
+2. Prepare an attribute structure as described in “[Diffie-Hellman key pair management](#diffie-hellman-key-pair-management)”, in particular selecting the curve with `psa_set_key_type`.
+3. Call [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5) on `attributes` and `our_key` (output) to generate a key pair, then [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) on `our_key` and `our_pub` (output) to obtain our public key.
+4. Send `our_pub` to the peer. Retrieve the peer's public key and import it into `their_pub`. These two actions may be performed in either order.
+5. Call [`psa_raw_key_agreement`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) on `our_key`, `their_pub` and `shared_secret` (output).
+ Alternatively, call `psa_key_derivation_key_agreement` to use the shared secret directly in a key derivation operation (see “[Performing a key agreement](#performing-a-key-agreement)”).
+6. Call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) on `key_id`, and free the memory buffers.
+
+Steps 4–6 are only performed once for a "true" ephemeral Diffie-Hellman. They may be repeated multiple times for a "fake ephemeral" Diffie-Hellman where the same private key is used for multiple key exchanges, but it not saved.
+
+#### Translating a legacy ephemeral key agreement TLS server workflow
+
+The legacy API offers the following workflow for an ephemeral Diffie-Hellman key agreement in a TLS 1.2 server. The PSA version of this workflow can also be used with other protocols, on the side of the party that selects the curve or group and sends its public key first.
+
+1. Setup phase:
+ 1. Initialize a context of type `mbedtls_ecdh_context` or `mbedtls_dhm_context` with `mbedtls_ecdh_init` or `mbedtls_dhm_init`.
+ 2. Call `mbedtls_ecdh_setup` or `mbedtls_dhm_set_group` to select the curve or group.
+ 3. Call `mbedtls_ecdh_make_params` or `mbedtls_dhm_make_params` to generate our key pair and obtain a TLS ServerKeyExchange message encoding the selected curve/group and our public key.
+2. Send the ServerKeyExchange message to the peer.
+3. Retrieve the peer's public key.
+4. Call `mbedtls_ecdh_read_public` or `mbedtls_dhm_read_public` on the peer's public key, then call `mbedtls_ecdh_calc_secret` or `mbedtls_dhm_calc_secret` to calculate the shared secret.
+5. Free the context with `mbedtls_ecdh_free` or `mbedtls_dhm_free`.
+
+The corresponding workflow with the PSA API is as follows:
+
+1. Setup phase:
+ 1. Generate an ECDH or DHM key pair with `psa_generate_key` as described in “[Diffie-Hellman key pair management](#diffie-hellman-key-pair-management)”.
+ 2. Call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) to obtain our public key.
+ 3. Format a ServerKeyExchange message containing the curve/group selection and our public key.
+2. Send the ServerKeyExchange message to the peer.
+3. Retrieve the peer's public key.
+4. Call [`psa_raw_key_agreement`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) on `our_key`, `their_pub` and `shared_secret` (output).
+ Alternatively, call `psa_key_derivation_key_agreement` to use the shared secret directly in a key derivation operation (see “[Performing a key agreement](#performing-a-key-agreement)”).
+5. Call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) to free the resources associated with our key pair.
+
+#### Translating a legacy ephemeral key agreement TLS client workflow
+
+The legacy API offers the following workflow for an ephemeral Diffie-Hellman key agreement in a TLS 1.2 client. The PSA version of this workflow can also be used with other protocols, on the side of the party that receives a message indicating both the choice of curve or group, and the peer's public key.
+
+1. Upon reception of a TLS ServerKeyExchange message received from the peer, which encodes the selected curve/group and the peer's public key:
+ 1. Initialize a context of type `mbedtls_ecdh_context` or `mbedtls_dhm_context` with `mbedtls_ecdh_init` or `mbedtls_dhm_init`.
+ 2. Call `mbedtls_ecdh_read_params` or `mbedtls_dhm_read_params` to input the data from the ServerKeyExchange message.
+2. Call `mbedtls_ecdh_make_public` or `mbedtls_dh_make_public` to generate our private key and export our public key.
+3. Send our public key to the peer.
+4. Call `mbedtls_ecdh_calc_secret` or `mbedtls_dhm_calc_secret` to calculate the shared secret.
+5. Free the context with `mbedtls_ecdh_free` or `mbedtls_dhm_free`.
+
+The corresponding workflow with the PSA API is as follows:
+
+1. Upon reception of a TLS ServerKeyExchange message received from the peer, which encodes the selected curve/group and the peer's public key:
+ 1. Decode the selected curve/group and use this to determine a PSA key type (`PSA_KEY_TYPE_ECC_KEY_PAIR(curve)` or `PSA_KEY_TYPE_DH_KEY_PAIR(group)`), a key size and an algorithm.
+2. Generate an ECDH or DHM key pair with `psa_generate_key` as described in “[Diffie-Hellman key pair management](#diffie-hellman-key-pair-management)”.
+ Call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) to obtain our public key.
+3. Send our public key to the peer.
+4. Call [`psa_raw_key_agreement`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__derivation/#group__key__derivation_1ga90fdd2716124d0bd258826184824675f) on `our_key`, `their_pub` and `shared_secret` (output).
+ Alternatively, call `psa_key_derivation_key_agreement` to use the shared secret directly in a key derivation operation (see “[Performing a key agreement](#performing-a-key-agreement)”).
+5. Call [`psa_destroy_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__key__management/#group__key__management_1ga5f52644312291335682fbc0292c43cd2) to free the resources associated with our key pair.
+
+#### ECDH and DHM metadata functions
+
+You can obtain data and metadata from an ECDH key agreement through the PSA API as follows:
+
+* With either side, accessing the group: call [`psa_get_key_attributes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gacbbf5c11eac6cd70c87ffb936e1b9be2) on the key identifier, then [`psa_get_key_type`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gae4fb812af4f57aa1ad85e335a865b918) and [`psa_get_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga5bee85c2164ad3d4c0d42501241eeb06) to obtain metadata about the key.
+* Accessing our public key: call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) on the PSA key identifier.
+* Accessing our private key: call [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) on the key identifier. Note that the key policy must allow `PSA_KEY_USAGE_EXPORT` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+* Accessing the peer's public key: there is no PSA equivalent since the PSA API only uses the peer's public key to immediately calculate the shared secret. If your application needs the peer's public key for some other purpose, store it separately.
+
+The functions `mbedtls_dhm_get_bitlen`, `mbedtls_dhm_get_len` and `mbedtls_dhm_get_value` allow the caller to obtain metadata about the keys used for the key exchange. The PSA equivalents access the key identifier:
+
+* `mbedtls_dhm_get_bitlen`, `mbedtls_dhm_get_len`: call [`psa_get_key_attributes`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gacbbf5c11eac6cd70c87ffb936e1b9be2) on the PSA key identifier, then [`psa_get_key_bits`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga5bee85c2164ad3d4c0d42501241eeb06).
+* `mbedtls_dhm_get_value` for `MBEDTLS_DHM_PARAM_X` (our private key): call [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) on the key identifier. Note that the key policy must allow `PSA_KEY_USAGE_EXPORT` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
+* `mbedtls_dhm_get_value` for `MBEDTLS_DHM_PARAM_GX` (our public key): call [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) on the PSA key identifier.
+* `mbedtls_dhm_get_value` for `MBEDTLS_DHM_PARAM_GY` (peer's public key): the there is no PSA equivalent since the PSA API only uses the peer's public key to immediately calculate the shared secret. If your application needs the peer's public key for some other purpose, store it separately.
+* `mbedtls_dhm_get_value` for `MBEDTLS_DHM_PARAM_K` (shared secret): this is the value calculated by `psa_raw_key_agreement` or `psa_key_derivation_key_agreement`. If you need to use it multiple times (for example to derive multiple values independently), call `psa_raw_key_agreement` and make a copy.
+* `mbedtls_dhm_get_value` for `MBEDTLS_DHM_PARAM_P` or `MBEDTLS_DHM_PARAM_G` (group parameters): [there is no PSA API to retrieve these values](https://github.com/Mbed-TLS/mbedtls/issues/7780).
+
+The PSA API for finite-field Diffie-Hellman only supports predefined groups. Therefore there is no equivalent to `mbedtls_dhm_parse_dhm`, `mbedtls_dhm_parse_dhmfile`, and the `MBEDTLS_DHM_xxx_BIN` macros.
+
+#### Restartable key agreement
+
+Restartable key agreement (enabled by `mbedtls_ecdh_enable_restart`) is not yet available through the PSA API. It will be added under the name “interruptible key agreement” in a future version of the library, with an interface that's similar to the interruptible signature interface described in “[Restartable ECDSA signature](#restartable-ecdsa-signature)”.
+
+### Additional information about Elliptic-curve cryptography
+
+#### Information about a curve
+
+The legacy API identifies a curve by an `MBEDTLS_ECP_DP_xxx` value of type `mbedtls_ecp_group_id`. The PSA API identifies a curve by a `PSA_ECC_FAMILY_xxx` value and the private value's bit-size. See “[Elliptic curve mechanism selection](#elliptic-curve-mechanism-selection)” for the correspondence between the two sets of values.
+
+There is no PSA equivalent of the `mbedtls_ecp_group` data structure (and so no equivalent to `mbedtls_ecp_group_init`, `mbedtls_ecp_group_load`, `mbedtls_ecp_group_copy` and `mbedtls_ecp_group_free`) or of the `mbedtls_ecp_curve_info` data structure (and so no equivalent to `mbedtls_ecp_curve_info_from_grp_id`) because they are not needed. All API elements identify the curve directly by its family and size.
+
+The bit-size used by the PSA API is the size of the private key. For most curves, the PSA bit-size, the `bit_size` field in `mbedtls_ecp_curve_info`, the `nbits` field in `mbedtls_ecp_group` and the `pbits` field in `mbedtls_ecp_group` are the same. The following table lists curves for which they are different.
+
+| Curve | `grp->nbits` | `grp->pbits` | `curve_info->bit_size` | PSA bit-size |
+| ----- | ------------ | ------------ | ---------------------- | ------------ |
+| secp224k1 | 225 | 224 | 224 | not supported |
+| Curve25519 | 253 | 255 | 256 | 255 |
+| Curve448 | 446 | 448 | 448 | 448 |
+
+There is no exact PSA equivalent of the type `mbedtls_ecp_curve_type` and the function `mbedtls_ecp_get_type`, but the curve family encodes the same information. `PSA_ECC_FAMILY_MONTGOMERY` is the only Montgomery family. All other families supported in Mbed TLS 3.4.0 are short Weierstrass families.
+
+There is no PSA equivalent for the following functionality:
+
+* The `name` field of `mbedtls_ecp_curve_info`, and the function `mbedtls_ecp_curve_info_from_name`. There is no equivalent of Mbed TLS's lookup based on the name used for the curve in TLS specifications.
+* The `tls_id` field of `mbedtls_ecp_curve_info`, the constant `MBEDTLS_ECP_TLS_NAMED_CURVE`, and the functions `mbedtls_ecp_curve_info_from_tls_id`, `mbedtls_ecp_tls_read_group`, `mbedtls_ecp_tls_read_group_id` and `mbedtls_ecp_tls_write_group`. The PSA crypto API does not have this dedicated support for the TLS protocol.
+* Retrieving the parameters of a curve from the fields of an `mbedtls_ecp_group` structure.
+
+#### Information about supported curves
+
+The PSA API does not currently have a discovery mechanism for cryptographic mechanisms (although one may be added in the future). Thus there is no equivalent for `MBEDTLS_ECP_DP_MAX` and the functions `mbedtls_ecp_curve_list` and `mbedtls_ecp_grp_id_list`.
+
+The API provides macros that give the maximum supported sizes for various kinds of objects. The following table lists equivalents for `MBEDTLS_ECP_MAX_xxx` macros.
+
+| Legacy macro | PSA equivalent |
+| ------------ | -------------- |
+| `MBEDTLS_ECP_MAX_BITS` | [`PSA_VENDOR_ECC_MAX_CURVE_BITS`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_VENDOR_ECC_MAX_CURVE_BITS) |
+| `MBEDTLS_ECP_MAX_BYTES` | `PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)` |
+| `MBEDTLS_ECP_MAX_PT_LEN` | [`PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__sizes_8h/#c.PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE) |
+
+#### Restartable ECC
+
+The PSA API supports the equivalent of restartable operations, but only for signatures at the time of writing. See “[Restartable ECDSA signature](#restartable-ecdsa-signature)”.
+
+There is no PSA API for elliptic curve arithmetic as such, and therefore no equivalent of `mbedtls_ecp_restart_ctx` and functions that operate on it.
+
+There is PSA no equivalent of the `MBEDTLS_ECP_OPS_xxx` constants.
+
+#### ECC functionality with no PSA equivalent
+
+There is no PSA equivalent of `mbedtls_ecdsa_can_do` and `mbedtls_ecdh_can_do` to query the capabilities of a curve at runtime. Check the documentation of each curve family to see what algorithms it supports.
+
+There is no PSA equivalent to the types `mbedtls_ecdsa_context` and `mbedtls_ecdsa_restart_ctx`, and to basic ECDSA context manipulation functions including `mbedtls_ecdsa_from_keypair`, because they are not needed: the PSA API does not have ECDSA-specific context types.
+
+#### No curve arithmetic
+
+The PSA API is a cryptography API, not an arithmetic API. As a consequence, there is no PSA equivalent for the ECC arithmetic functionality exposed by `ecp.h`:
+
+* Manipulation of point objects and input-output: the type `mbedtls_ecp_point` and functions operating on it (`mbedtls_ecp_point_xxx`, `mbedtls_ecp_copy`, `mbedtls_ecp_{set,is}_zero`, `mbedtls_ecp_tls_{read,write}_point`). Note that the PSA export format for public keys corresponds to the uncompressed point format (`MBEDTLS_ECP_PF_UNCOMPRESSED`), so [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b), [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) are equivalent to `mbedtls_ecp_point_read_binary` and `mbedtls_ecp_point_write_binary` for uncompressed points. The PSA API does not currently support compressed points, but it is likely that such support will be added in the future.
+* Manipulation of key pairs as such, with a bridge to bignum arithmetic (`mbedtls_ecp_keypair` type, `mbedtls_ecp_export`). However, the PSA export format for ECC private keys used by [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b), [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) is the same as the format used by `mbedtls_ecp_read_key` and `mbedtls_ecp_write_key_ext`.
+* Elliptic curve arithmetic (`mbedtls_ecp_mul`, `mbedtls_ecp_muladd` and their restartable variants).
+
+### Additional information about RSA
+
+#### RSA-ALT interface
+
+Implementers of the RSA-ALT interface (`MBEDTLS_PK_RSA_ALT` pk type, `mbedtls_pk_setup_rsa_alt` setup function) should migrate to the [PSA cryptoprocessor driver interface](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-driver-example-and-guide.md).
+
+* If the purpose of the ALT interface is acceleration only: use the accelerator driver interface. This is fully transparent to application code.
+* If the purpose of the ALT interface is to isolate the private key in a high-security environment: use the opaque driver interface. This is mostly transparent to user code. Code that uses a key via its key identifier does not need to know whether the key is transparent (equivalent of `MBEDTLS_PK_RSA`) or opaque (equivalent of `MBEDTLS_PK_RSA_ALT`). When creating a key, it will be transparent by default; to create an opaque key, call [`psa_set_key_lifetime`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gac03ccf09ca6d36cc3d5b43f8303db6f7) to set the key's location to the chosen location value for the driver, e.g.
+ ```
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+ PSA_KEY_PERSISTENCE_VOLATILE, MY_RSA_DRIVER_LOCATION));
+ ```
+
+The PSA subsystem uses its internal random generator both for randomized algorithms and to generate blinding values. As a consequence, none of the API functions take an RNG parameter.
+
+#### RSA functionality with no PSA equivalent
+
+The PSA API does not provide direct access to the exponentiation primitive as with `mbedtls_rsa_public` and `mbedtls_rsa_private`. If you need an RSA-based mechanism that is not supported by the PSA API, please [submit an issue on GitHub](https://github.com/ARM-software/psa-api/issues) so that we can extend the API to support it.
+
+The PSA API does not support constructing RSA keys progressively from numbers with `mbedtls_rsa_import` or `mbedtls_rsa_import_raw` followed by `mbedtls_rsa_complete`. See “[Importing a PK key by wrapping](#importing-a-pk-key-by-wrapping)”.
+
+There is no direct equivalent of `mbedtls_rsa_export`, `mbedtls_rsa_export_raw` and `mbedtls_rsa_export_crt` to export some of the numbers in a key. You can export the whole key with `psa_export_key`, or with `psa_export_public_key` to export the public key from a key pair object. See also “[Exporting a public key or a key pair](#exporting-a-public-key-or-a-key-pair)”.
+
+A PSA key object is immutable, so there is no need for an equivalent of `mbedtls_rsa_copy`. (There is a function `psa_copy_key`, but it is only useful to make a copy of a key with a different policy of ownership; both concepts are out of scope of this document since they have no equivalent in the legacy API.)
+
+### LMS signatures
+
+A future version of Mbed TLS will support LMS keys and signatures through the PSA API (`psa_generate_key`, `psa_export_public_key`, `psa_import_key`, `psa_sign_hash`, `psa_verify_hash`, etc.). However, this is likely to happen after Mbed TLS 4.0, therefore the next major version of Mbed TLS will likely keep the existing `lms.h` interface.
+
+### PK format support interfaces
+
+The interfaces in `base64.h`, `asn1.h`, `asn1write.h`, `oid.h` and `pem.h` are intended to support X.509 and key file formats. They have no PSA equivalent since they are not directly about cryptography.
+
+In Mbed TLS 4.0, we are planning to keep the ASN.1 interfaces mostly unchanged. The evolution of Base64, OID and PEM as separate interfaces is still undecided at the time of writing.
+
+## EC-JPAKE
+
+The PSA API exposes EC-JPAKE via the algorithm [`PSA_ALG_JPAKE`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/crypto__extra_8h/#c.PSA_ALG_JPAKE) and the PAKE API functions. At the time of writing, the PAKE API is still experimental, but it should offer the same functionality as the legacy `ecjpake.h`. Please consult the documentation of your version of Mbed TLS for more information.
+
+Please note a few differences between the two APIs: the legacy API is geared towards the use of EC-JPAKE in TLS 1.2, whereas the PSA API is protocol-agnostic.
+
+* The PSA API is finer-grained and offers more flexibility in message ordering. Where the legacy API makes a single function call, the PSA API may require multiple calls.
+* The legacy API uses the TLS 1.2 wire format in the input or output format of several functions. In particular, one of the messages embeds the curve identifier in the TLS protocol. The PSA API uses protocol-agnostic formats.
+* The legacy API always applies the key derivation specified by TLS 1.2 to the shared secret. With the PSA API, use a key derivation with `PSA_ALG_TLS12_ECJPAKE_TO_PMS` for the same calculation.
diff --git a/docs/redirects.yaml b/docs/redirects.yaml
index 7ea1d95..969ffe4 100644
--- a/docs/redirects.yaml
+++ b/docs/redirects.yaml
@@ -7,5 +7,5 @@
# expose it.
- type: exact
- from_url: /projects/api/en/latest/$rest
- to_url: /projects/api/en/development/
+ from_url: /projects/api/en/latest/*
+ to_url: /projects/api/en/development/:splat
diff --git a/docs/tls13-early-data.md b/docs/tls13-early-data.md
new file mode 100644
index 0000000..4b6f5d3
--- /dev/null
+++ b/docs/tls13-early-data.md
@@ -0,0 +1,192 @@
+
+Writing early data
+------------------
+
+An application function to write and send a buffer of data to a server through
+TLS may plausibly look like:
+
+```
+int write_data(mbedtls_ssl_context *ssl,
+ const unsigned char *data_to_write,
+ size_t data_to_write_len,
+ size_t *data_written)
+{
+ int ret;
+ *data_written = 0;
+
+ while (*data_written < data_to_write_len) {
+ ret = mbedtls_ssl_write(ssl, data_to_write + *data_written,
+ data_to_write_len - *data_written);
+
+ if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ return ret;
+ }
+
+ *data_written += ret;
+ }
+
+ return 0;
+}
+```
+where ssl is the SSL context to use, data_to_write the address of the data
+buffer and data_to_write_len the number of data bytes. The handshake may
+not be completed, not even started for the SSL context ssl when the function is
+called and in that case the mbedtls_ssl_write() API takes care transparently of
+completing the handshake before to write and send data to the server. The
+mbedtls_ssl_write() may not be able to write and send all data in one go thus
+the need for a loop calling it as long as there are still data to write and
+send.
+
+An application function to write and send early data and only early data,
+data sent during the first flight of client messages while the handshake is in
+its initial phase, would look completely similar but the call to
+mbedtls_ssl_write_early_data() instead of mbedtls_ssl_write().
+```
+int write_early_data(mbedtls_ssl_context *ssl,
+ const unsigned char *data_to_write,
+ size_t data_to_write_len,
+ size_t *data_written)
+{
+ int ret;
+ *data_written = 0;
+
+ while (*data_written < data_to_write_len) {
+ ret = mbedtls_ssl_write_early_data(ssl, data_to_write + *data_written,
+ data_to_write_len - *data_written);
+
+ if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ return ret;
+ }
+
+ *data_written += ret;
+ }
+
+ return 0;
+}
+```
+Note that compared to write_data(), write_early_data() can also return
+MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA and that should be handled
+specifically by the user of write_early_data(). A fresh SSL context (typically
+just after a call to mbedtls_ssl_setup() or mbedtls_ssl_session_reset()) would
+be expected when calling `write_early_data`.
+
+All together, code to write and send a buffer of data as long as possible as
+early data and then as standard post-handshake application data could
+plausibly look like:
+
+```
+ret = write_early_data(ssl,
+ data_to_write,
+ data_to_write_len,
+ &early_data_written);
+if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) {
+ goto error;
+}
+
+ret = write_data(ssl,
+ data_to_write + early_data_written,
+ data_to_write_len - early_data_written,
+ &data_written);
+if (ret < 0) {
+ goto error;
+}
+
+data_written += early_data_written;
+```
+
+Finally, taking into account that the server may reject early data, application
+code to write and send a buffer of data could plausibly look like:
+```
+ret = write_early_data(ssl,
+ data_to_write,
+ data_to_write_len,
+ &early_data_written);
+if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) {
+ goto error;
+}
+
+/*
+ * Make sure the handshake is completed as it is a requisite of
+ * mbedtls_ssl_get_early_data_status().
+ */
+while (!mbedtls_ssl_is_handshake_over(ssl)) {
+ ret = mbedtls_ssl_handshake(ssl);
+ if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ goto error;
+ }
+}
+
+ret = mbedtls_ssl_get_early_data_status(ssl);
+if (ret < 0) {
+ goto error;
+}
+
+if (ret == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
+ early_data_written = 0;
+}
+
+ret = write_data(ssl,
+ data_to_write + early_data_written,
+ data_to_write_len - early_data_written,
+ &data_written);
+if (ret < 0) {
+ goto error;
+}
+
+data_written += early_data_written;
+```
+
+Reading early data
+------------------
+Mbed TLS provides the mbedtls_ssl_read_early_data() API to read the early data
+that a TLS 1.3 server might receive during the TLS 1.3 handshake.
+
+While establishing a TLS 1.3 connection with a client using a combination
+of the mbedtls_ssl_handshake(), mbedtls_ssl_read() and mbedtls_ssl_write() APIs,
+the reception of early data is signaled by an API returning the
+MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA error code. Early data can then be read
+with the mbedtls_ssl_read_early_data() API.
+
+For example, a typical code to establish a TLS connection, where ssl is the SSL
+context to use:
+```
+while ((int ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+
+ if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ break;
+ }
+}
+```
+could be adapted to handle early data in the following way:
+```
+size_t data_read_len = 0;
+while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+
+ if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
+ ret = mbedtls_ssl_read_early_data(&ssl,
+ buffer + data_read_len,
+ sizeof(buffer) - data_read_len);
+ if (ret < 0) {
+ break;
+ }
+ data_read_len += ret;
+ continue;
+ }
+
+ if (ret < 0 &&
+ ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ break;
+ }
+}
+```
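Review bot: In `write_data()` and `write_early_data()`, a return of `MBEDTLS_ERR_SSL_WANT_READ` or `MBEDTLS_ERR_SSL_WANT_WRITE` passes the error check and then reaches `*data_written += ret;`, so a negative error code is added to a `size_t` counter. Depending on how much was already written, the counter either wraps or steps backwards, so the loop can exit reporting success with a bogus count or send bytes a second time. The later snippets then compute `data_to_write + early_data_written` and `data_to_write_len - early_data_written` from that value. Guard the accumulation in both functions with `if (ret > 0) { *data_written += ret; }` so a retry leaves the counter untouched. The page would also benefit from one sentence stating that TLS 1.3 early data is not protected against replay (RFC 8446), so it should carry only requests that are safe to process more than once.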
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 92d0985..f2983bd 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -75,13 +75,8 @@ operations and its public part can be exported.
**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
-**Limitations:** can only wrap a key pair, can only use it for private key
-operations. (That is, signature generation, and for RSA decryption too.)
-Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses
-deterministic ECDSA by default. The following operations are not supported
-with a context set this way, while they would be available with a normal
-context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key
-operations.
+**Limitations:** please refer to the documentation of `mbedtls_pk_setup_opaque()`
+for a full list of supported operations and limitations.
**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
using the new API in order to get the benefits; it can then pass the
diff --git a/doxygen/input/doc_encdec.h b/doxygen/input/doc_encdec.h
index ec149ae..cf77690 100644
--- a/doxygen/input/doc_encdec.h
+++ b/doxygen/input/doc_encdec.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/input/doc_hashing.h b/doxygen/input/doc_hashing.h
index 931e6e9..83613bf 100644
--- a/doxygen/input/doc_hashing.h
+++ b/doxygen/input/doc_hashing.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index b67237f..3eb5f75 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -6,23 +6,11 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
- * @mainpage Mbed TLS v3.5.0 API Documentation
+ * @mainpage Mbed TLS v3.6.0 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/input/doc_rng.h b/doxygen/input/doc_rng.h
index 7da13cd..22608a8 100644
--- a/doxygen/input/doc_rng.h
+++ b/doxygen/input/doc_rng.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/input/doc_ssltls.h b/doxygen/input/doc_ssltls.h
index 6961124..5757574 100644
--- a/doxygen/input/doc_ssltls.h
+++ b/doxygen/input/doc_ssltls.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/input/doc_tcpip.h b/doxygen/input/doc_tcpip.h
index a705de1..f8d8c69 100644
--- a/doxygen/input/doc_tcpip.h
+++ b/doxygen/input/doc_tcpip.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/input/doc_x509.h b/doxygen/input/doc_x509.h
index 9049675..945830f 100644
--- a/doxygen/input/doc_x509.h
+++ b/doxygen/input/doc_x509.h
@@ -6,19 +6,7 @@
/*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 98b2d79..1e494a0 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v3.5.0"
+PROJECT_NAME = "Mbed TLS v3.6.0"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
@@ -6,7 +6,7 @@ EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CASE_SENSE_NAMES = NO
-INPUT = ../include input
+INPUT = ../include ../tf-psa-crypto/include input ../tf-psa-crypto/drivers/builtin/include ../tests/include/alt-dummy
FILE_PATTERNS = *.h
RECURSIVE = YES
EXCLUDE_SYMLINKS = YES
@@ -21,7 +21,7 @@ GENERATE_LATEX = NO
GENERATE_XML = YES
MACRO_EXPANSION = YES
EXPAND_ONLY_PREDEF = YES
-INCLUDE_PATH = ../include
+INCLUDE_PATH = ../include ../tf-psa-crypto/include ../tf-psa-crypto/drivers/builtin/include
EXPAND_AS_DEFINED = MBEDTLS_PRIVATE
CLASS_DIAGRAMS = NO
HAVE_DOT = YES
diff --git a/framework b/framework
new file mode 160000
+Subproject 9eeacb7125d6630a11e29d8a7aab5873b3638b6
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index e11e271..755efed 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -3,20 +3,13 @@ option(INSTALL_MBEDTLS_HEADERS "Install Mbed TLS headers." ON)
if(INSTALL_MBEDTLS_HEADERS)
file(GLOB headers "mbedtls/*.h")
- file(GLOB psa_headers "psa/*.h")
install(FILES ${headers}
DESTINATION include/mbedtls
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
-
- install(FILES ${psa_headers}
- DESTINATION include/psa
- PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
-
endif(INSTALL_MBEDTLS_HEADERS)
# Make mbedtls_config.h available in an out-of-source build. ssl-opt.sh requires it.
if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
link_to_source(mbedtls)
- link_to_source(psa)
endif()
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
deleted file mode 100644
index 7c92162..0000000
--- a/include/mbedtls/aes.h
+++ /dev/null
@@ -1,639 +0,0 @@
-/**
- * \file aes.h
- *
- * \brief This file contains AES definitions and functions.
- *
- * The Advanced Encryption Standard (AES) specifies a FIPS-approved
- * cryptographic algorithm that can be used to protect electronic
- * data.
- *
- * The AES algorithm is a symmetric block cipher that can
- * encrypt and decrypt information. For more information, see
- * <em>FIPS Publication 197: Advanced Encryption Standard</em> and
- * <em>ISO/IEC 18033-2:2006: Information technology -- Security
- * techniques -- Encryption algorithms -- Part 2: Asymmetric
- * ciphers</em>.
- *
- * The AES-XTS block mode is standardized by NIST SP 800-38E
- * <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
- * and described in detail by IEEE P1619
- * <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_AES_H
-#define MBEDTLS_AES_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/platform_util.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-/* padlock.c and aesni.c rely on these values! */
-#define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. */
-#define MBEDTLS_AES_DECRYPT 0 /**< AES decryption. */
-
-/* Error codes in range 0x0020-0x0022 */
-/** Invalid key length. */
-#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020
-/** Invalid data input length. */
-#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022
-
-/* Error codes in range 0x0021-0x0025 */
-/** Invalid input data. */
-#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_AES_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The AES context-type definition.
- */
-typedef struct mbedtls_aes_context {
- int MBEDTLS_PRIVATE(nr); /*!< The number of rounds. */
- size_t MBEDTLS_PRIVATE(rk_offset); /*!< The offset in array elements to AES
- round keys in the buffer. */
-#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) && !defined(MBEDTLS_PADLOCK_C)
- uint32_t MBEDTLS_PRIVATE(buf)[44]; /*!< Aligned data buffer to hold
- 10 round keys for 128-bit case. */
-#else
- uint32_t MBEDTLS_PRIVATE(buf)[68]; /*!< Unaligned data buffer. This buffer can
- hold 32 extra Bytes, which can be used for
- one of the following purposes:
- <ul><li>Alignment if VIA padlock is
- used.</li>
- <li>Simplifying key expansion in the 256-bit
- case by generating an extra round key.
- </li></ul> */
-#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH && !MBEDTLS_PADLOCK_C */
-}
-mbedtls_aes_context;
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-/**
- * \brief The AES XTS context-type definition.
- */
-typedef struct mbedtls_aes_xts_context {
- mbedtls_aes_context MBEDTLS_PRIVATE(crypt); /*!< The AES context to use for AES block
- encryption or decryption. */
- mbedtls_aes_context MBEDTLS_PRIVATE(tweak); /*!< The AES context used for tweak
- computation. */
-} mbedtls_aes_xts_context;
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#else /* MBEDTLS_AES_ALT */
-#include "aes_alt.h"
-#endif /* MBEDTLS_AES_ALT */
-
-/**
- * \brief This function initializes the specified AES context.
- *
- * It must be the first API called before using
- * the context.
- *
- * \param ctx The AES context to initialize. This must not be \c NULL.
- */
-void mbedtls_aes_init(mbedtls_aes_context *ctx);
-
-/**
- * \brief This function releases and clears the specified AES context.
- *
- * \param ctx The AES context to clear.
- * If this is \c NULL, this function does nothing.
- * Otherwise, the context must have been at least initialized.
- */
-void mbedtls_aes_free(mbedtls_aes_context *ctx);
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-/**
- * \brief This function initializes the specified AES XTS context.
- *
- * It must be the first API called before using
- * the context.
- *
- * \param ctx The AES XTS context to initialize. This must not be \c NULL.
- */
-void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx);
-
-/**
- * \brief This function releases and clears the specified AES XTS context.
- *
- * \param ctx The AES XTS context to clear.
- * If this is \c NULL, this function does nothing.
- * Otherwise, the context must have been at least initialized.
- */
-void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx);
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-/**
- * \brief This function sets the encryption key.
- *
- * \param ctx The AES context to which the key should be bound.
- * It must be initialized.
- * \param key The encryption key.
- * This must be a readable buffer of size \p keybits bits.
- * \param keybits The size of data passed in bits. Valid options are:
- * <ul><li>128 bits</li>
- * <li>192 bits</li>
- * <li>256 bits</li></ul>
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function sets the decryption key.
- *
- * \param ctx The AES context to which the key should be bound.
- * It must be initialized.
- * \param key The decryption key.
- * This must be a readable buffer of size \p keybits bits.
- * \param keybits The size of data passed. Valid options are:
- * <ul><li>128 bits</li>
- * <li>192 bits</li>
- * <li>256 bits</li></ul>
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
- unsigned int keybits);
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-/**
- * \brief This function prepares an XTS context for encryption and
- * sets the encryption key.
- *
- * \param ctx The AES XTS context to which the key should be bound.
- * It must be initialized.
- * \param key The encryption key. This is comprised of the XTS key1
- * concatenated with the XTS key2.
- * This must be a readable buffer of size \p keybits bits.
- * \param keybits The size of \p key passed in bits. Valid options are:
- * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
- * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function prepares an XTS context for decryption and
- * sets the decryption key.
- *
- * \param ctx The AES XTS context to which the key should be bound.
- * It must be initialized.
- * \param key The decryption key. This is comprised of the XTS key1
- * concatenated with the XTS key2.
- * This must be a readable buffer of size \p keybits bits.
- * \param keybits The size of \p key passed in bits. Valid options are:
- * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
- * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-/**
- * \brief This function performs an AES single-block encryption or
- * decryption operation.
- *
- * It performs the operation defined in the \p mode parameter
- * (encrypt or decrypt), on the input data buffer defined in
- * the \p input parameter.
- *
- * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
- * mbedtls_aes_setkey_dec() must be called before the first
- * call to this API with the same context.
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
- * #MBEDTLS_AES_DECRYPT.
- * \param input The buffer holding the input data.
- * It must be readable and at least \c 16 Bytes long.
- * \param output The buffer where the output data will be written.
- * It must be writeable and at least \c 16 Bytes long.
-
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief This function performs an AES-CBC encryption or decryption operation
- * on full blocks.
- *
- * It performs the operation defined in the \p mode
- * parameter (encrypt/decrypt), on the input data buffer defined in
- * the \p input parameter.
- *
- * It can be called as many times as needed, until all the input
- * data is processed. mbedtls_aes_init(), and either
- * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
- * before the first call to this API with the same context.
- *
- * \note This function operates on full blocks, that is, the input size
- * must be a multiple of the AES block size of \c 16 Bytes.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the same function again on the next
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If you need to retain the contents of the IV, you should
- * either save it manually or use the cipher module instead.
- *
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
- * #MBEDTLS_AES_DECRYPT.
- * \param length The length of the input data in Bytes. This must be a
- * multiple of the block size (\c 16 Bytes).
- * \param iv Initialization vector (updated after use).
- * It must be a readable and writeable buffer of \c 16 Bytes.
- * \param input The buffer holding the input data.
- * It must be readable and of size \p length Bytes.
- * \param output The buffer holding the output data.
- * It must be writeable and of size \p length Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
- * on failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-/**
- * \brief This function performs an AES-XTS encryption or decryption
- * operation for an entire XTS data unit.
- *
- * AES-XTS encrypts or decrypts blocks based on their location as
- * defined by a data unit number. The data unit number must be
- * provided by \p data_unit.
- *
- * NIST SP 800-38E limits the maximum size of a data unit to 2^20
- * AES blocks. If the data unit is larger than this, this function
- * returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
- *
- * \param ctx The AES XTS context to use for AES XTS operations.
- * It must be initialized and bound to a key.
- * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
- * #MBEDTLS_AES_DECRYPT.
- * \param length The length of a data unit in Bytes. This can be any
- * length between 16 bytes and 2^24 bytes inclusive
- * (between 1 and 2^20 block cipher blocks).
- * \param data_unit The address of the data unit encoded as an array of 16
- * bytes in little-endian format. For disk encryption, this
- * is typically the index of the block device sector that
- * contains the data.
- * \param input The buffer holding the input data (which is an entire
- * data unit). This function reads \p length Bytes from \p
- * input.
- * \param output The buffer holding the output data (which is an entire
- * data unit). This function writes \p length Bytes to \p
- * output.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
- * smaller than an AES block in size (16 Bytes) or if \p
- * length is larger than 2^20 blocks (16 MiB).
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
- int mode,
- size_t length,
- const unsigned char data_unit[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/**
- * \brief This function performs an AES-CFB128 encryption or decryption
- * operation.
- *
- * It performs the operation defined in the \p mode
- * parameter (encrypt or decrypt), on the input data buffer
- * defined in the \p input parameter.
- *
- * For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
- * regardless of whether you are performing an encryption or decryption
- * operation, that is, regardless of the \p mode parameter. This is
- * because CFB mode uses the same key schedule for encryption and
- * decryption.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the same function again on the next
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If you need to retain the contents of the
- * IV, you must either save it manually or use the cipher
- * module instead.
- *
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
- * #MBEDTLS_AES_DECRYPT.
- * \param length The length of the input data in Bytes.
- * \param iv_off The offset in IV (updated after use).
- * It must point to a valid \c size_t.
- * \param iv The initialization vector (updated after use).
- * It must be a readable and writeable buffer of \c 16 Bytes.
- * \param input The buffer holding the input data.
- * It must be readable and of size \p length Bytes.
- * \param output The buffer holding the output data.
- * It must be writeable and of size \p length Bytes.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function performs an AES-CFB8 encryption or decryption
- * operation.
- *
- * It performs the operation defined in the \p mode
- * parameter (encrypt/decrypt), on the input data buffer defined
- * in the \p input parameter.
- *
- * Due to the nature of CFB, you must use the same key schedule for
- * both encryption and decryption operations. Therefore, you must
- * use the context initialized with mbedtls_aes_setkey_enc() for
- * both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the same function again on the next
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If you need to retain the contents of the
- * IV, you should either save it manually or use the cipher
- * module instead.
- *
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
- * #MBEDTLS_AES_DECRYPT
- * \param length The length of the input data.
- * \param iv The initialization vector (updated after use).
- * It must be a readable and writeable buffer of \c 16 Bytes.
- * \param input The buffer holding the input data.
- * It must be readable and of size \p length Bytes.
- * \param output The buffer holding the output data.
- * It must be writeable and of size \p length Bytes.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /*MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
-/**
- * \brief This function performs an AES-OFB (Output Feedback Mode)
- * encryption or decryption operation.
- *
- * For OFB, you must set up the context with
- * mbedtls_aes_setkey_enc(), regardless of whether you are
- * performing an encryption or decryption operation. This is
- * because OFB mode uses the same key schedule for encryption and
- * decryption.
- *
- * The OFB operation is identical for encryption or decryption,
- * therefore no operation mode needs to be specified.
- *
- * \note Upon exit, the content of iv, the Initialisation Vector, is
- * updated so that you can call the same function again on the next
- * block(s) of data and get the same result as if it was encrypted
- * in one call. This allows a "streaming" usage, by initialising
- * iv_off to 0 before the first call, and preserving its value
- * between calls.
- *
- * For non-streaming use, the iv should be initialised on each call
- * to a unique value, and iv_off set to 0 on each call.
- *
- * If you need to retain the contents of the initialisation vector,
- * you must either save it manually or use the cipher module
- * instead.
- *
- * \warning For the OFB mode, the initialisation vector must be unique
- * every encryption operation. Reuse of an initialisation vector
- * will compromise security.
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param length The length of the input data.
- * \param iv_off The offset in IV (updated after use).
- * It must point to a valid \c size_t.
- * \param iv The initialization vector (updated after use).
- * It must be a readable and writeable buffer of \c 16 Bytes.
- * \param input The buffer holding the input data.
- * It must be readable and of size \p length Bytes.
- * \param output The buffer holding the output data.
- * It must be writeable and of size \p length Bytes.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/**
- * \brief This function performs an AES-CTR encryption or decryption
- * operation.
- *
- * Due to the nature of CTR, you must use the same key schedule
- * for both encryption and decryption operations. Therefore, you
- * must use the context initialized with mbedtls_aes_setkey_enc()
- * for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
- *
- * \warning You must never reuse a nonce value with the same key. Doing so
- * would void the encryption for the two messages encrypted with
- * the same nonce and key.
- *
- * There are two common strategies for managing nonces with CTR:
- *
- * 1. You can handle everything as a single message processed over
- * successive calls to this function. In that case, you want to
- * set \p nonce_counter and \p nc_off to 0 for the first call, and
- * then preserve the values of \p nonce_counter, \p nc_off and \p
- * stream_block across calls to this function as they will be
- * updated by this function.
- *
- * With this strategy, you must not encrypt more than 2**128
- * blocks of data with the same key.
- *
- * 2. You can encrypt separate messages by dividing the \p
- * nonce_counter buffer in two areas: the first one used for a
- * per-message nonce, handled by yourself, and the second one
- * updated by this function internally.
- *
- * For example, you might reserve the first 12 bytes for the
- * per-message nonce, and the last 4 bytes for internal use. In that
- * case, before calling this function on a new message you need to
- * set the first 12 bytes of \p nonce_counter to your chosen nonce
- * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
- * stream_block to be ignored). That way, you can encrypt at most
- * 2**96 messages of up to 2**32 blocks each with the same key.
- *
- * The per-message nonce (or information sufficient to reconstruct
- * it) needs to be communicated with the ciphertext and must be unique.
- * The recommended way to ensure uniqueness is to use a message
- * counter. An alternative is to generate random nonces, but this
- * limits the number of messages that can be securely encrypted:
- * for example, with 96-bit random nonces, you should not encrypt
- * more than 2**32 messages with the same key.
- *
- * Note that for both strategies, sizes are measured in blocks and
- * that an AES block is 16 bytes.
- *
- * \warning Upon return, \p stream_block contains sensitive data. Its
- * content must not be written to insecure storage and should be
- * securely discarded as soon as it's no longer needed.
- *
- * \param ctx The AES context to use for encryption or decryption.
- * It must be initialized and bound to a key.
- * \param length The length of the input data.
- * \param nc_off The offset in the current \p stream_block, for
- * resuming within the current cipher stream. The
- * offset pointer should be 0 at the start of a stream.
- * It must point to a valid \c size_t.
- * \param nonce_counter The 128-bit nonce and counter.
- * It must be a readable-writeable buffer of \c 16 Bytes.
- * \param stream_block The saved stream block for resuming. This is
- * overwritten by the function.
- * It must be a readable-writeable buffer of \c 16 Bytes.
- * \param input The buffer holding the input data.
- * It must be readable and of size \p length Bytes.
- * \param output The buffer holding the output data.
- * It must be writeable and of size \p length Bytes.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[16],
- unsigned char stream_block[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-/**
- * \brief Internal AES block encryption function. This is only
- * exposed to allow overriding it using
- * \c MBEDTLS_AES_ENCRYPT_ALT.
- *
- * \param ctx The AES context to use for encryption.
- * \param input The plaintext block.
- * \param output The output (ciphertext) block.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
- const unsigned char input[16],
- unsigned char output[16]);
-
-/**
- * \brief Internal AES block decryption function. This is only
- * exposed to allow overriding it using see
- * \c MBEDTLS_AES_DECRYPT_ALT.
- *
- * \param ctx The AES context to use for decryption.
- * \param input The ciphertext block.
- * \param output The output (plaintext) block.
- *
- * \return \c 0 on success.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
- const unsigned char input[16],
- unsigned char output[16]);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_aes_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* aes.h */
diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h
deleted file mode 100644
index 7e55df7..0000000
--- a/include/mbedtls/aria.h
+++ /dev/null
@@ -1,353 +0,0 @@
-/**
- * \file aria.h
- *
- * \brief ARIA block cipher
- *
- * The ARIA algorithm is a symmetric block cipher that can encrypt and
- * decrypt information. It is defined by the Korean Agency for
- * Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
- * Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
- * and also described by the IETF in <em>RFC 5794</em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_ARIA_H
-#define MBEDTLS_ARIA_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "mbedtls/platform_util.h"
-
-#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
-#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
-
-#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */
-#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maximum number of rounds in ARIA. */
-#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
-
-/** Bad input data. */
-#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C
-
-/** Invalid data input length. */
-#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_ARIA_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The ARIA context-type definition.
- */
-typedef struct mbedtls_aria_context {
- unsigned char MBEDTLS_PRIVATE(nr); /*!< The number of rounds (12, 14 or 16) */
- /*! The ARIA round keys. */
- uint32_t MBEDTLS_PRIVATE(rk)[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
-}
-mbedtls_aria_context;
-
-#else /* MBEDTLS_ARIA_ALT */
-#include "aria_alt.h"
-#endif /* MBEDTLS_ARIA_ALT */
-
-/**
- * \brief This function initializes the specified ARIA context.
- *
- * It must be the first API called before using
- * the context.
- *
- * \param ctx The ARIA context to initialize. This must not be \c NULL.
- */
-void mbedtls_aria_init(mbedtls_aria_context *ctx);
-
-/**
- * \brief This function releases and clears the specified ARIA context.
- *
- * \param ctx The ARIA context to clear. This may be \c NULL, in which
- * case this function returns immediately. If it is not \c NULL,
- * it must point to an initialized ARIA context.
- */
-void mbedtls_aria_free(mbedtls_aria_context *ctx);
-
-/**
- * \brief This function sets the encryption key.
- *
- * \param ctx The ARIA context to which the key should be bound.
- * This must be initialized.
- * \param key The encryption key. This must be a readable buffer
- * of size \p keybits Bits.
- * \param keybits The size of \p key in Bits. Valid options are:
- * <ul><li>128 bits</li>
- * <li>192 bits</li>
- * <li>256 bits</li></ul>
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function sets the decryption key.
- *
- * \param ctx The ARIA context to which the key should be bound.
- * This must be initialized.
- * \param key The decryption key. This must be a readable buffer
- * of size \p keybits Bits.
- * \param keybits The size of data passed. Valid options are:
- * <ul><li>128 bits</li>
- * <li>192 bits</li>
- * <li>256 bits</li></ul>
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function performs an ARIA single-block encryption or
- * decryption operation.
- *
- * It performs encryption or decryption (depending on whether
- * the key was set for encryption on decryption) on the input
- * data buffer defined in the \p input parameter.
- *
- * mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
- * mbedtls_aria_setkey_dec() must be called before the first
- * call to this API with the same context.
- *
- * \param ctx The ARIA context to use for encryption or decryption.
- * This must be initialized and bound to a key.
- * \param input The 16-Byte buffer holding the input data.
- * \param output The 16-Byte buffer holding the output data.
-
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
- const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
- unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief This function performs an ARIA-CBC encryption or decryption operation
- * on full blocks.
- *
- * It performs the operation defined in the \p mode
- * parameter (encrypt/decrypt), on the input data buffer defined in
- * the \p input parameter.
- *
- * It can be called as many times as needed, until all the input
- * data is processed. mbedtls_aria_init(), and either
- * mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
- * before the first call to this API with the same context.
- *
- * \note This function operates on aligned blocks, that is, the input size
- * must be a multiple of the ARIA block size of 16 Bytes.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the same function again on the next
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If you need to retain the contents of the IV, you should
- * either save it manually or use the cipher module instead.
- *
- *
- * \param ctx The ARIA context to use for encryption or decryption.
- * This must be initialized and bound to a key.
- * \param mode The mode of operation. This must be either
- * #MBEDTLS_ARIA_ENCRYPT for encryption, or
- * #MBEDTLS_ARIA_DECRYPT for decryption.
- * \param length The length of the input data in Bytes. This must be a
- * multiple of the block size (16 Bytes).
- * \param iv Initialization vector (updated after use).
- * This must be a readable buffer of size 16 Bytes.
- * \param input The buffer holding the input data. This must
- * be a readable buffer of length \p length Bytes.
- * \param output The buffer holding the output data. This must
- * be a writable buffer of length \p length Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/**
- * \brief This function performs an ARIA-CFB128 encryption or decryption
- * operation.
- *
- * It performs the operation defined in the \p mode
- * parameter (encrypt or decrypt), on the input data buffer
- * defined in the \p input parameter.
- *
- * For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
- * regardless of whether you are performing an encryption or decryption
- * operation, that is, regardless of the \p mode parameter. This is
- * because CFB mode uses the same key schedule for encryption and
- * decryption.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the same function again on the next
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If you need to retain the contents of the
- * IV, you must either save it manually or use the cipher
- * module instead.
- *
- *
- * \param ctx The ARIA context to use for encryption or decryption.
- * This must be initialized and bound to a key.
- * \param mode The mode of operation. This must be either
- * #MBEDTLS_ARIA_ENCRYPT for encryption, or
- * #MBEDTLS_ARIA_DECRYPT for decryption.
- * \param length The length of the input data \p input in Bytes.
- * \param iv_off The offset in IV (updated after use).
- * This must not be larger than 15.
- * \param iv The initialization vector (updated after use).
- * This must be a readable buffer of size 16 Bytes.
- * \param input The buffer holding the input data. This must
- * be a readable buffer of length \p length Bytes.
- * \param output The buffer holding the output data. This must
- * be a writable buffer of length \p length Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/**
- * \brief This function performs an ARIA-CTR encryption or decryption
- * operation.
- *
- * Due to the nature of CTR, you must use the same key schedule
- * for both encryption and decryption operations. Therefore, you
- * must use the context initialized with mbedtls_aria_setkey_enc()
- * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
- *
- * \warning You must never reuse a nonce value with the same key. Doing so
- * would void the encryption for the two messages encrypted with
- * the same nonce and key.
- *
- * There are two common strategies for managing nonces with CTR:
- *
- * 1. You can handle everything as a single message processed over
- * successive calls to this function. In that case, you want to
- * set \p nonce_counter and \p nc_off to 0 for the first call, and
- * then preserve the values of \p nonce_counter, \p nc_off and \p
- * stream_block across calls to this function as they will be
- * updated by this function.
- *
- * With this strategy, you must not encrypt more than 2**128
- * blocks of data with the same key.
- *
- * 2. You can encrypt separate messages by dividing the \p
- * nonce_counter buffer in two areas: the first one used for a
- * per-message nonce, handled by yourself, and the second one
- * updated by this function internally.
- *
- * For example, you might reserve the first 12 bytes for the
- * per-message nonce, and the last 4 bytes for internal use. In that
- * case, before calling this function on a new message you need to
- * set the first 12 bytes of \p nonce_counter to your chosen nonce
- * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
- * stream_block to be ignored). That way, you can encrypt at most
- * 2**96 messages of up to 2**32 blocks each with the same key.
- *
- * The per-message nonce (or information sufficient to reconstruct
- * it) needs to be communicated with the ciphertext and must be unique.
- * The recommended way to ensure uniqueness is to use a message
- * counter. An alternative is to generate random nonces, but this
- * limits the number of messages that can be securely encrypted:
- * for example, with 96-bit random nonces, you should not encrypt
- * more than 2**32 messages with the same key.
- *
- * Note that for both strategies, sizes are measured in blocks and
- * that an ARIA block is 16 bytes.
- *
- * \warning Upon return, \p stream_block contains sensitive data. Its
- * content must not be written to insecure storage and should be
- * securely discarded as soon as it's no longer needed.
- *
- * \param ctx The ARIA context to use for encryption or decryption.
- * This must be initialized and bound to a key.
- * \param length The length of the input data \p input in Bytes.
- * \param nc_off The offset in Bytes in the current \p stream_block,
- * for resuming within the current cipher stream. The
- * offset pointer should be \c 0 at the start of a
- * stream. This must not be larger than \c 15 Bytes.
- * \param nonce_counter The 128-bit nonce and counter. This must point to
- * a read/write buffer of length \c 16 bytes.
- * \param stream_block The saved stream block for resuming. This must
- * point to a read/write buffer of length \c 16 bytes.
- * This is overwritten by the function.
- * \param input The buffer holding the input data. This must
- * be a readable buffer of length \p length Bytes.
- * \param output The buffer holding the output data. This must
- * be a writable buffer of length \p length Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
- unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine.
- *
- * \return \c 0 on success, or \c 1 on failure.
- */
-int mbedtls_aria_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* aria.h */
diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h
deleted file mode 100644
index a044543..0000000
--- a/include/mbedtls/asn1.h
+++ /dev/null
@@ -1,653 +0,0 @@
-/**
- * \file asn1.h
- *
- * \brief Generic ASN.1 parsing
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ASN1_H
-#define MBEDTLS_ASN1_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/platform_util.h"
-
-#include <stddef.h>
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-/**
- * \addtogroup asn1_module
- * \{
- */
-
-/**
- * \name ASN1 Error codes
- * These error codes are combined with other error codes for
- * higher error granularity.
- * e.g. X.509 and PKCS #7 error codes
- * ASN1 is a standard to specify data structures.
- * \{
- */
-/** Out of data when parsing an ASN1 data structure. */
-#define MBEDTLS_ERR_ASN1_OUT_OF_DATA -0x0060
-/** ASN1 tag was of an unexpected value. */
-#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -0x0062
-/** Error when trying to determine the length or invalid length. */
-#define MBEDTLS_ERR_ASN1_INVALID_LENGTH -0x0064
-/** Actual length differs from expected length. */
-#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -0x0066
-/** Data is invalid. */
-#define MBEDTLS_ERR_ASN1_INVALID_DATA -0x0068
-/** Memory allocation failed */
-#define MBEDTLS_ERR_ASN1_ALLOC_FAILED -0x006A
-/** Buffer too small when writing ASN.1 data structure. */
-#define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL -0x006C
-
-/** \} name ASN1 Error codes */
-
-/**
- * \name DER constants
- * These constants comply with the DER encoded ASN.1 type tags.
- * DER encoding uses hexadecimal representation.
- * An example DER sequence is:\n
- * - 0x02 -- tag indicating INTEGER
- * - 0x01 -- length in octets
- * - 0x05 -- value
- * Such sequences are typically read into \c ::mbedtls_x509_buf.
- * \{
- */
-#define MBEDTLS_ASN1_BOOLEAN 0x01
-#define MBEDTLS_ASN1_INTEGER 0x02
-#define MBEDTLS_ASN1_BIT_STRING 0x03
-#define MBEDTLS_ASN1_OCTET_STRING 0x04
-#define MBEDTLS_ASN1_NULL 0x05
-#define MBEDTLS_ASN1_OID 0x06
-#define MBEDTLS_ASN1_ENUMERATED 0x0A
-#define MBEDTLS_ASN1_UTF8_STRING 0x0C
-#define MBEDTLS_ASN1_SEQUENCE 0x10
-#define MBEDTLS_ASN1_SET 0x11
-#define MBEDTLS_ASN1_PRINTABLE_STRING 0x13
-#define MBEDTLS_ASN1_T61_STRING 0x14
-#define MBEDTLS_ASN1_IA5_STRING 0x16
-#define MBEDTLS_ASN1_UTC_TIME 0x17
-#define MBEDTLS_ASN1_GENERALIZED_TIME 0x18
-#define MBEDTLS_ASN1_UNIVERSAL_STRING 0x1C
-#define MBEDTLS_ASN1_BMP_STRING 0x1E
-#define MBEDTLS_ASN1_PRIMITIVE 0x00
-#define MBEDTLS_ASN1_CONSTRUCTED 0x20
-#define MBEDTLS_ASN1_CONTEXT_SPECIFIC 0x80
-
-/* Slightly smaller way to check if tag is a string tag
- * compared to canonical implementation. */
-#define MBEDTLS_ASN1_IS_STRING_TAG(tag) \
- ((unsigned int) (tag) < 32u && ( \
- ((1u << (tag)) & ((1u << MBEDTLS_ASN1_BMP_STRING) | \
- (1u << MBEDTLS_ASN1_UTF8_STRING) | \
- (1u << MBEDTLS_ASN1_T61_STRING) | \
- (1u << MBEDTLS_ASN1_IA5_STRING) | \
- (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) | \
- (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0))
-
-/*
- * Bit masks for each of the components of an ASN.1 tag as specified in
- * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
- * paragraph 8.1.2.2:
- *
- * Bit 8 7 6 5 1
- * +-------+-----+------------+
- * | Class | P/C | Tag number |
- * +-------+-----+------------+
- */
-#define MBEDTLS_ASN1_TAG_CLASS_MASK 0xC0
-#define MBEDTLS_ASN1_TAG_PC_MASK 0x20
-#define MBEDTLS_ASN1_TAG_VALUE_MASK 0x1F
-
-/** \} name DER constants */
-
-/** Returns the size of the binary string, without the trailing \\0 */
-#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
-
-/**
- * Compares an mbedtls_asn1_buf structure to a reference OID.
- *
- * Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a
- * 'unsigned char *oid' here!
- */
-#define MBEDTLS_OID_CMP(oid_str, oid_buf) \
- ((MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len) || \
- memcmp((oid_str), (oid_buf)->p, (oid_buf)->len) != 0)
-
-#define MBEDTLS_OID_CMP_RAW(oid_str, oid_buf, oid_buf_len) \
- ((MBEDTLS_OID_SIZE(oid_str) != (oid_buf_len)) || \
- memcmp((oid_str), (oid_buf), (oid_buf_len)) != 0)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \name Functions to parse ASN.1 data structures
- * \{
- */
-
-/**
- * Type-length-value structure that allows for ASN1 using DER.
- */
-typedef struct mbedtls_asn1_buf {
- int tag; /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
- size_t len; /**< ASN1 length, in octets. */
- unsigned char *p; /**< ASN1 data, e.g. in ASCII. */
-}
-mbedtls_asn1_buf;
-
-/**
- * Container for ASN1 bit strings.
- */
-typedef struct mbedtls_asn1_bitstring {
- size_t len; /**< ASN1 length, in octets. */
- unsigned char unused_bits; /**< Number of unused bits at the end of the string */
- unsigned char *p; /**< Raw ASN1 data for the bit string */
-}
-mbedtls_asn1_bitstring;
-
-/**
- * Container for a sequence of ASN.1 items
- */
-typedef struct mbedtls_asn1_sequence {
- mbedtls_asn1_buf buf; /**< Buffer containing the given ASN.1 item. */
-
- /** The next entry in the sequence.
- *
- * The details of memory management for sequences are not documented and
- * may change in future versions. Set this field to \p NULL when
- * initializing a structure, and do not modify it except via Mbed TLS
- * library functions.
- */
- struct mbedtls_asn1_sequence *next;
-}
-mbedtls_asn1_sequence;
-
-/**
- * Container for a sequence or list of 'named' ASN.1 data items
- */
-typedef struct mbedtls_asn1_named_data {
- mbedtls_asn1_buf oid; /**< The object identifier. */
- mbedtls_asn1_buf val; /**< The named value. */
-
- /** The next entry in the sequence.
- *
- * The details of memory management for named data sequences are not
- * documented and may change in future versions. Set this field to \p NULL
- * when initializing a structure, and do not modify it except via Mbed TLS
- * library functions.
- */
- struct mbedtls_asn1_named_data *next;
-
- /** Merge next item into the current one?
- *
- * This field exists for the sake of Mbed TLS's X.509 certificate parsing
- * code and may change in future versions of the library.
- */
- unsigned char MBEDTLS_PRIVATE(next_merged);
-}
-mbedtls_asn1_named_data;
-
-#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C)
-/**
- * \brief Get the length of an ASN.1 element.
- * Updates the pointer to immediately behind the length.
- *
- * \param p On entry, \c *p points to the first byte of the length,
- * i.e. immediately after the tag.
- * On successful completion, \c *p points to the first byte
- * after the length, i.e. the first byte of the content.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param len On successful completion, \c *len contains the length
- * read from the ASN.1 input.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
- * would end beyond \p end.
- * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparsable.
- */
-int mbedtls_asn1_get_len(unsigned char **p,
- const unsigned char *end,
- size_t *len);
-
-/**
- * \brief Get the tag and length of the element.
- * Check for the requested tag.
- * Updates the pointer to immediately behind the tag and length.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * after the length, i.e. the first byte of the content.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param len On successful completion, \c *len contains the length
- * read from the ASN.1 input.
- * \param tag The expected tag.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the data does not start
- * with the requested tag.
- * \return #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
- * would end beyond \p end.
- * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparsable.
- */
-int mbedtls_asn1_get_tag(unsigned char **p,
- const unsigned char *end,
- size_t *len, int tag);
-#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-/**
- * \brief Retrieve a boolean ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the ASN.1 element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param val On success, the parsed value (\c 0 or \c 1).
- *
- * \return 0 if successful.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 BOOLEAN.
- */
-int mbedtls_asn1_get_bool(unsigned char **p,
- const unsigned char *end,
- int *val);
-
-/**
- * \brief Retrieve an integer ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the ASN.1 element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param val On success, the parsed value.
- *
- * \return 0 if successful.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 INTEGER.
- * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- * not fit in an \c int.
- */
-int mbedtls_asn1_get_int(unsigned char **p,
- const unsigned char *end,
- int *val);
-
-/**
- * \brief Retrieve an enumerated ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the ASN.1 element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param val On success, the parsed value.
- *
- * \return 0 if successful.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 ENUMERATED.
- * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- * not fit in an \c int.
- */
-int mbedtls_asn1_get_enum(unsigned char **p,
- const unsigned char *end,
- int *val);
-
-/**
- * \brief Retrieve a bitstring ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p is equal to \p end.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param bs On success, ::mbedtls_asn1_bitstring information about
- * the parsed value.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
- * extra data after a valid BIT STRING.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 BIT STRING.
- */
-int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
- mbedtls_asn1_bitstring *bs);
-
-/**
- * \brief Retrieve a bitstring ASN.1 tag without unused bits and its
- * value.
- * Updates the pointer to the beginning of the bit/octet string.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * of the content of the BIT STRING.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param len On success, \c *len is the length of the content in bytes.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if the input starts with
- * a valid BIT STRING with a nonzero number of unused bits.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 BIT STRING.
- */
-int mbedtls_asn1_get_bitstring_null(unsigned char **p,
- const unsigned char *end,
- size_t *len);
-
-/**
- * \brief Parses and splits an ASN.1 "SEQUENCE OF <tag>".
- * Updates the pointer to immediately behind the full sequence tag.
- *
- * This function allocates memory for the sequence elements. You can free
- * the allocated memory with mbedtls_asn1_sequence_free().
- *
- * \note On error, this function may return a partial list in \p cur.
- * You must set `cur->next = NULL` before calling this function!
- * Otherwise it is impossible to distinguish a previously non-null
- * pointer from a pointer to an object allocated by this function.
- *
- * \note If the sequence is empty, this function does not modify
- * \c *cur. If the sequence is valid and non-empty, this
- * function sets `cur->buf.tag` to \p tag. This allows
- * callers to distinguish between an empty sequence and
- * a one-element sequence.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p is equal to \p end.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param cur A ::mbedtls_asn1_sequence which this function fills.
- * When this function returns, \c *cur is the head of a linked
- * list. Each node in this list is allocated with
- * mbedtls_calloc() apart from \p cur itself, and should
- * therefore be freed with mbedtls_free().
- * The list describes the content of the sequence.
- * The head of the list (i.e. \c *cur itself) describes the
- * first element, `*cur->next` describes the second element, etc.
- * For each element, `buf.tag == tag`, `buf.len` is the length
- * of the content of the content of the element, and `buf.p`
- * points to the first byte of the content (i.e. immediately
- * past the length of the element).
- * Note that list elements may be allocated even on error.
- * \param tag Each element of the sequence must have this tag.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
- * extra data after a valid SEQUENCE OF \p tag.
- * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts with
- * an ASN.1 SEQUENCE in which an element has a tag that
- * is different from \p tag.
- * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if a memory allocation failed.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 SEQUENCE.
- */
-int mbedtls_asn1_get_sequence_of(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_sequence *cur,
- int tag);
-/**
- * \brief Free a heap-allocated linked list presentation of
- * an ASN.1 sequence, including the first element.
- *
- * There are two common ways to manage the memory used for the representation
- * of a parsed ASN.1 sequence:
- * - Allocate a head node `mbedtls_asn1_sequence *head` with mbedtls_calloc().
- * Pass this node as the `cur` argument to mbedtls_asn1_get_sequence_of().
- * When you have finished processing the sequence,
- * call mbedtls_asn1_sequence_free() on `head`.
- * - Allocate a head node `mbedtls_asn1_sequence *head` in any manner,
- * for example on the stack. Make sure that `head->next == NULL`.
- * Pass `head` as the `cur` argument to mbedtls_asn1_get_sequence_of().
- * When you have finished processing the sequence,
- * call mbedtls_asn1_sequence_free() on `head->cur`,
- * then free `head` itself in the appropriate manner.
- *
- * \param seq The address of the first sequence component. This may
- * be \c NULL, in which case this functions returns
- * immediately.
- */
-void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq);
-
-/**
- * \brief Traverse an ASN.1 SEQUENCE container and
- * call a callback for each entry.
- *
- * This function checks that the input is a SEQUENCE of elements that
- * each have a "must" tag, and calls a callback function on the elements
- * that have a "may" tag.
- *
- * For example, to validate that the input is a SEQUENCE of `tag1` and call
- * `cb` on each element, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0xff, tag1, 0, 0, cb, ctx);
- * ```
- *
- * To validate that the input is a SEQUENCE of ANY and call `cb` on
- * each element, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0, 0, 0, 0, cb, ctx);
- * ```
- *
- * To validate that the input is a SEQUENCE of CHOICE {NULL, OCTET STRING}
- * and call `cb` on each element that is an OCTET STRING, use
- * ```
- * mbedtls_asn1_traverse_sequence_of(&p, end, 0xfe, 0x04, 0xff, 0x04, cb, ctx);
- * ```
- *
- * The callback is called on the elements with a "may" tag from left to
- * right. If the input is not a valid SEQUENCE of elements with a "must" tag,
- * the callback is called on the elements up to the leftmost point where
- * the input is invalid.
- *
- * \warning This function is still experimental and may change
- * at any time.
- *
- * \param p The address of the pointer to the beginning of
- * the ASN.1 SEQUENCE header. This is updated to
- * point to the end of the ASN.1 SEQUENCE container
- * on a successful invocation.
- * \param end The end of the ASN.1 SEQUENCE container.
- * \param tag_must_mask A mask to be applied to the ASN.1 tags found within
- * the SEQUENCE before comparing to \p tag_must_val.
- * \param tag_must_val The required value of each ASN.1 tag found in the
- * SEQUENCE, after masking with \p tag_must_mask.
- * Mismatching tags lead to an error.
- * For example, a value of \c 0 for both \p tag_must_mask
- * and \p tag_must_val means that every tag is allowed,
- * while a value of \c 0xFF for \p tag_must_mask means
- * that \p tag_must_val is the only allowed tag.
- * \param tag_may_mask A mask to be applied to the ASN.1 tags found within
- * the SEQUENCE before comparing to \p tag_may_val.
- * \param tag_may_val The desired value of each ASN.1 tag found in the
- * SEQUENCE, after masking with \p tag_may_mask.
- * Mismatching tags will be silently ignored.
- * For example, a value of \c 0 for \p tag_may_mask and
- * \p tag_may_val means that any tag will be considered,
- * while a value of \c 0xFF for \p tag_may_mask means
- * that all tags with value different from \p tag_may_val
- * will be ignored.
- * \param cb The callback to trigger for each component
- * in the ASN.1 SEQUENCE that matches \p tag_may_val.
- * The callback function is called with the following
- * parameters:
- * - \p ctx.
- * - The tag of the current element.
- * - A pointer to the start of the current element's
- * content inside the input.
- * - The length of the content of the current element.
- * If the callback returns a non-zero value,
- * the function stops immediately,
- * forwarding the callback's return value.
- * \param ctx The context to be passed to the callback \p cb.
- *
- * \return \c 0 if successful the entire ASN.1 SEQUENCE
- * was traversed without parsing or callback errors.
- * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input
- * contains extra data after a valid SEQUENCE
- * of elements with an accepted tag.
- * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts
- * with an ASN.1 SEQUENCE in which an element has a tag
- * that is not accepted.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 SEQUENCE.
- * \return A non-zero error code forwarded from the callback
- * \p cb in case the latter returns a non-zero value.
- */
-int mbedtls_asn1_traverse_sequence_of(
- unsigned char **p,
- const unsigned char *end,
- unsigned char tag_must_mask, unsigned char tag_must_val,
- unsigned char tag_may_mask, unsigned char tag_may_val,
- int (*cb)(void *ctx, int tag,
- unsigned char *start, size_t len),
- void *ctx);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief Retrieve an integer ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the ASN.1 element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param X On success, the parsed value.
- *
- * \return 0 if successful.
- * \return An ASN.1 error code if the input does not start with
- * a valid ASN.1 INTEGER.
- * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
- * not fit in an \c int.
- * \return An MPI error code if the parsed value is too large.
- */
-int mbedtls_asn1_get_mpi(unsigned char **p,
- const unsigned char *end,
- mbedtls_mpi *X);
-#endif /* MBEDTLS_BIGNUM_C */
-
-/**
- * \brief Retrieve an AlgorithmIdentifier ASN.1 sequence.
- * Updates the pointer to immediately behind the full
- * AlgorithmIdentifier.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the AlgorithmIdentifier element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param alg The buffer to receive the OID.
- * \param params The buffer to receive the parameters.
- * This is zeroized if there are no parameters.
- *
- * \return 0 if successful or a specific ASN.1 or MPI error code.
- */
-int mbedtls_asn1_get_alg(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params);
-
-/**
- * \brief Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no
- * params.
- * Updates the pointer to immediately behind the full
- * AlgorithmIdentifier.
- *
- * \param p On entry, \c *p points to the start of the ASN.1 element.
- * On successful completion, \c *p points to the first byte
- * beyond the AlgorithmIdentifier element.
- * On error, the value of \c *p is undefined.
- * \param end End of data.
- * \param alg The buffer to receive the OID.
- *
- * \return 0 if successful or a specific ASN.1 or MPI error code.
- */
-int mbedtls_asn1_get_alg_null(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_buf *alg);
-
-/**
- * \brief Find a specific named_data entry in a sequence or list based on
- * the OID.
- *
- * \param list The list to seek through
- * \param oid The OID to look for
- * \param len Size of the OID
- *
- * \return NULL if not found, or a pointer to the existing entry.
- */
-const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
- const char *oid, size_t len);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief Free a mbedtls_asn1_named_data entry
- *
- * \deprecated This function is deprecated and will be removed in a
- * future version of the library.
- * Please use mbedtls_asn1_free_named_data_list()
- * or mbedtls_asn1_free_named_data_list_shallow().
- *
- * \param entry The named data entry to free.
- * This function calls mbedtls_free() on
- * `entry->oid.p` and `entry->val.p`.
- */
-void MBEDTLS_DEPRECATED mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *entry);
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-/**
- * \brief Free all entries in a mbedtls_asn1_named_data list.
- *
- * \param head Pointer to the head of the list of named data entries to free.
- * This function calls mbedtls_free() on
- * `entry->oid.p` and `entry->val.p` and then on `entry`
- * for each list entry, and sets \c *head to \c NULL.
- */
-void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head);
-
-/**
- * \brief Free all shallow entries in a mbedtls_asn1_named_data list,
- * but do not free internal pointer targets.
- *
- * \param name Head of the list of named data entries to free.
- * This function calls mbedtls_free() on each list element.
- */
-void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name);
-
-/** \} name Functions to parse ASN.1 data structures */
-/** \} addtogroup asn1_module */
-
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* asn1.h */
diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h
deleted file mode 100644
index 6fe57c8..0000000
--- a/include/mbedtls/asn1write.h
+++ /dev/null
@@ -1,401 +0,0 @@
-/**
- * \file asn1write.h
- *
- * \brief ASN.1 buffer writing functionality
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ASN1_WRITE_H
-#define MBEDTLS_ASN1_WRITE_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/asn1.h"
-
-#define MBEDTLS_ASN1_CHK_ADD(g, f) \
- do \
- { \
- if ((ret = (f)) < 0) \
- return ret; \
- else \
- (g) += ret; \
- } while (0)
-
-#define MBEDTLS_ASN1_CHK_CLEANUP_ADD(g, f) \
- do \
- { \
- if ((ret = (f)) < 0) \
- goto cleanup; \
- else \
- (g) += ret; \
- } while (0)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C)
-/**
- * \brief Write a length field in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param len The length value to write.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start,
- size_t len);
-/**
- * \brief Write an ASN.1 tag in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param tag The tag to write.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
- unsigned char tag);
-#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */
-
-#if defined(MBEDTLS_ASN1_WRITE_C)
-/**
- * \brief Write raw buffer data.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param buf The data buffer to write.
- * \param size The length of the data buffer.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t size);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief Write an arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param X The MPI to write.
- * It must be non-negative.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start,
- const mbedtls_mpi *X);
-#endif /* MBEDTLS_BIGNUM_C */
-
-/**
- * \brief Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start);
-
-/**
- * \brief Write an OID tag (#MBEDTLS_ASN1_OID) and data
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param oid The OID to write.
- * \param oid_len The length of the OID.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
- const char *oid, size_t oid_len);
-
-/**
- * \brief Write an AlgorithmIdentifier sequence in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param oid The OID of the algorithm to write.
- * \param oid_len The length of the algorithm's OID.
- * \param par_len The length of the parameters, which must be already written.
- * If 0, NULL parameters are added
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
- const unsigned char *start,
- const char *oid, size_t oid_len,
- size_t par_len);
-
-/**
- * \brief Write an AlgorithmIdentifier sequence in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param oid The OID of the algorithm to write.
- * \param oid_len The length of the algorithm's OID.
- * \param par_len The length of the parameters, which must be already written.
- * \param has_par If there are any parameters. If 0, par_len must be 0. If 1
- * and \p par_len is 0, NULL parameters are added.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p,
- const unsigned char *start,
- const char *oid, size_t oid_len,
- size_t par_len, int has_par);
-
-/**
- * \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param boolean The boolean value to write, either \c 0 or \c 1.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start,
- int boolean);
-
-/**
- * \brief Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param val The integer value to write.
- * It must be non-negative.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val);
-
-/**
- * \brief Write an enum tag (#MBEDTLS_ASN1_ENUMERATED) and value
- * in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param val The integer value to write.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val);
-
-/**
- * \brief Write a string in ASN.1 format using a specific
- * string encoding tag.
-
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param tag The string encoding tag to write, e.g.
- * #MBEDTLS_ASN1_UTF8_STRING.
- * \param text The string to write.
- * \param text_len The length of \p text in bytes (which might
- * be strictly larger than the number of characters).
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start,
- int tag, const char *text,
- size_t text_len);
-
-/**
- * \brief Write a string in ASN.1 format using the PrintableString
- * string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param text The string to write.
- * \param text_len The length of \p text in bytes (which might
- * be strictly larger than the number of characters).
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_printable_string(unsigned char **p,
- const unsigned char *start,
- const char *text, size_t text_len);
-
-/**
- * \brief Write a UTF8 string in ASN.1 format using the UTF8String
- * string encoding tag (#MBEDTLS_ASN1_UTF8_STRING).
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param text The string to write.
- * \param text_len The length of \p text in bytes (which might
- * be strictly larger than the number of characters).
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
- const char *text, size_t text_len);
-
-/**
- * \brief Write a string in ASN.1 format using the IA5String
- * string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param text The string to write.
- * \param text_len The length of \p text in bytes (which might
- * be strictly larger than the number of characters).
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
- const char *text, size_t text_len);
-
-/**
- * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
- * value in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param buf The bitstring to write.
- * \param bits The total number of bits in the bitstring.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t bits);
-
-/**
- * \brief This function writes a named bitstring tag
- * (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format.
- *
- * As stated in RFC 5280 Appendix B, trailing zeroes are
- * omitted when encoding named bitstrings in DER.
- *
- * \note This function works backwards within the data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer which is used for bounds-checking.
- * \param buf The bitstring to write.
- * \param bits The total number of bits in the bitstring.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_named_bitstring(unsigned char **p,
- const unsigned char *start,
- const unsigned char *buf,
- size_t bits);
-
-/**
- * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
- * and value in ASN.1 format.
- *
- * \note This function works backwards in data buffer.
- *
- * \param p The reference to the current position pointer.
- * \param start The start of the buffer, for bounds-checking.
- * \param buf The buffer holding the data to write.
- * \param size The length of the data buffer \p buf.
- *
- * \return The number of bytes written to \p p on success.
- * \return A negative error code on failure.
- */
-int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t size);
-
-/**
- * \brief Create or find a specific named_data entry for writing in a
- * sequence or list based on the OID. If not already in there,
- * a new entry is added to the head of the list.
- * Warning: Destructive behaviour for the val data!
- *
- * \param list The pointer to the location of the head of the list to seek
- * through (will be updated in case of a new entry).
- * \param oid The OID to look for.
- * \param oid_len The size of the OID.
- * \param val The associated data to store. If this is \c NULL,
- * no data is copied to the new or existing buffer.
- * \param val_len The minimum length of the data buffer needed.
- * If this is 0, do not allocate a buffer for the associated
- * data.
- * If the OID was already present, enlarge, shrink or free
- * the existing buffer to fit \p val_len.
- *
- * \return A pointer to the new / existing entry on success.
- * \return \c NULL if there was a memory allocation error.
- */
-mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data **list,
- const char *oid, size_t oid_len,
- const unsigned char *val,
- size_t val_len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_ASN1_WRITE_C */
-
-#endif /* MBEDTLS_ASN1_WRITE_H */
diff --git a/include/mbedtls/base64.h b/include/mbedtls/base64.h
deleted file mode 100644
index 635be71..0000000
--- a/include/mbedtls/base64.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * \file base64.h
- *
- * \brief RFC 1521 base64 encoding/decoding
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_BASE64_H
-#define MBEDTLS_BASE64_H
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-/** Output buffer too small. */
-#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A
-/** Invalid character in input. */
-#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER -0x002C
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encode a buffer into base64 format
- *
- * \param dst destination buffer
- * \param dlen size of the destination buffer
- * \param olen number of bytes written
- * \param src source buffer
- * \param slen amount of data to be encoded
- *
- * \return 0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
- * *olen is always updated to reflect the amount
- * of data that has (or would have) been written.
- * If that length cannot be represented, then no data is
- * written to the buffer and *olen is set to the maximum
- * length representable as a size_t.
- *
- * \note Call this function with dlen = 0 to obtain the
- * required buffer size in *olen
- */
-int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
- const unsigned char *src, size_t slen);
-
-/**
- * \brief Decode a base64-formatted buffer
- *
- * \param dst destination buffer (can be NULL for checking size)
- * \param dlen size of the destination buffer
- * \param olen number of bytes written
- * \param src source buffer
- * \param slen amount of data to be decoded
- *
- * \return 0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
- * MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
- * not correct. *olen is always updated to reflect the amount
- * of data that has (or would have) been written.
- *
- * \note Call this function with *dst = NULL or dlen = 0 to obtain
- * the required buffer size in *olen
- */
-int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
- const unsigned char *src, size_t slen);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-int mbedtls_base64_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* base64.h */
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
deleted file mode 100644
index eb8446e..0000000
--- a/include/mbedtls/bignum.h
+++ /dev/null
@@ -1,1096 +0,0 @@
-/**
- * \file bignum.h
- *
- * \brief Multi-precision integer library
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_BIGNUM_H
-#define MBEDTLS_BIGNUM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
-
-/** An error occurred while reading from or writing to a file. */
-#define MBEDTLS_ERR_MPI_FILE_IO_ERROR -0x0002
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA -0x0004
-/** There is an invalid character in the digit string. */
-#define MBEDTLS_ERR_MPI_INVALID_CHARACTER -0x0006
-/** The buffer is too small to write to. */
-#define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL -0x0008
-/** The input arguments are negative or result in illegal output. */
-#define MBEDTLS_ERR_MPI_NEGATIVE_VALUE -0x000A
-/** The input argument for division is zero, which is not allowed. */
-#define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO -0x000C
-/** The input arguments are not acceptable. */
-#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE -0x000E
-/** Memory allocation failed. */
-#define MBEDTLS_ERR_MPI_ALLOC_FAILED -0x0010
-
-#define MBEDTLS_MPI_CHK(f) \
- do \
- { \
- if ((ret = (f)) != 0) \
- goto cleanup; \
- } while (0)
-
-/*
- * Maximum size MPIs are allowed to grow to in number of limbs.
- */
-#define MBEDTLS_MPI_MAX_LIMBS 10000
-
-#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
-/*
- * Maximum window size used for modular exponentiation. Default: 2
- * Minimum value: 1. Maximum value: 6.
- *
- * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
- * for the sliding window calculation. (So 64 by default)
- *
- * Reduction in size, reduces speed.
- */
-#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */
-#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
-
-#if !defined(MBEDTLS_MPI_MAX_SIZE)
-/*
- * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
- * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
- *
- * Note: Calculations can temporarily result in larger MPIs. So the number
- * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher.
- */
-#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
-#endif /* !MBEDTLS_MPI_MAX_SIZE */
-
-#define MBEDTLS_MPI_MAX_BITS (8 * MBEDTLS_MPI_MAX_SIZE) /**< Maximum number of bits for usable MPIs. */
-
-/*
- * When reading from files with mbedtls_mpi_read_file() and writing to files with
- * mbedtls_mpi_write_file() the buffer should have space
- * for a (short) label, the MPI (in the provided radix), the newline
- * characters and the '\0'.
- *
- * By default we assume at least a 10 char label, a minimum radix of 10
- * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
- * Autosized at compile time for at least a 10 char label, a minimum radix
- * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size.
- *
- * This used to be statically sized to 1250 for a maximum of 4096 bit
- * numbers (1234 decimal chars).
- *
- * Calculate using the formula:
- * MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) +
- * LabelSize + 6
- */
-#define MBEDTLS_MPI_MAX_BITS_SCALE100 (100 * MBEDTLS_MPI_MAX_BITS)
-#define MBEDTLS_LN_2_DIV_LN_10_SCALE100 332
-#define MBEDTLS_MPI_RW_BUFFER_SIZE (((MBEDTLS_MPI_MAX_BITS_SCALE100 + \
- MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / \
- MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6)
-
-/*
- * Define the base integer type, architecture-wise.
- *
- * 32 or 64-bit integer types can be forced regardless of the underlying
- * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64
- * respectively and undefining MBEDTLS_HAVE_ASM.
- *
- * Double-width integers (e.g. 128-bit in 64-bit architectures) can be
- * disabled by defining MBEDTLS_NO_UDBL_DIVISION.
- */
-#if !defined(MBEDTLS_HAVE_INT32)
- #if defined(_MSC_VER) && defined(_M_AMD64)
-/* Always choose 64-bit when using MSC */
- #if !defined(MBEDTLS_HAVE_INT64)
- #define MBEDTLS_HAVE_INT64
- #endif /* !MBEDTLS_HAVE_INT64 */
-typedef int64_t mbedtls_mpi_sint;
-typedef uint64_t mbedtls_mpi_uint;
-#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
- #elif defined(__GNUC__) && ( \
- defined(__amd64__) || defined(__x86_64__) || \
- defined(__ppc64__) || defined(__powerpc64__) || \
- defined(__ia64__) || defined(__alpha__) || \
- (defined(__sparc__) && defined(__arch64__)) || \
- defined(__s390x__) || defined(__mips64) || \
- defined(__aarch64__))
- #if !defined(MBEDTLS_HAVE_INT64)
- #define MBEDTLS_HAVE_INT64
- #endif /* MBEDTLS_HAVE_INT64 */
-typedef int64_t mbedtls_mpi_sint;
-typedef uint64_t mbedtls_mpi_uint;
-#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
- #if !defined(MBEDTLS_NO_UDBL_DIVISION)
-/* mbedtls_t_udbl defined as 128-bit unsigned int */
-typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
- #define MBEDTLS_HAVE_UDBL
- #endif /* !MBEDTLS_NO_UDBL_DIVISION */
- #elif defined(__ARMCC_VERSION) && defined(__aarch64__)
-/*
- * __ARMCC_VERSION is defined for both armcc and armclang and
- * __aarch64__ is only defined by armclang when compiling 64-bit code
- */
- #if !defined(MBEDTLS_HAVE_INT64)
- #define MBEDTLS_HAVE_INT64
- #endif /* !MBEDTLS_HAVE_INT64 */
-typedef int64_t mbedtls_mpi_sint;
-typedef uint64_t mbedtls_mpi_uint;
-#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
- #if !defined(MBEDTLS_NO_UDBL_DIVISION)
-/* mbedtls_t_udbl defined as 128-bit unsigned int */
-typedef __uint128_t mbedtls_t_udbl;
- #define MBEDTLS_HAVE_UDBL
- #endif /* !MBEDTLS_NO_UDBL_DIVISION */
- #elif defined(MBEDTLS_HAVE_INT64)
-/* Force 64-bit integers with unknown compiler */
-typedef int64_t mbedtls_mpi_sint;
-typedef uint64_t mbedtls_mpi_uint;
-#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
- #endif
-#endif /* !MBEDTLS_HAVE_INT32 */
-
-#if !defined(MBEDTLS_HAVE_INT64)
-/* Default to 32-bit compilation */
- #if !defined(MBEDTLS_HAVE_INT32)
- #define MBEDTLS_HAVE_INT32
- #endif /* !MBEDTLS_HAVE_INT32 */
-typedef int32_t mbedtls_mpi_sint;
-typedef uint32_t mbedtls_mpi_uint;
-#define MBEDTLS_MPI_UINT_MAX UINT32_MAX
- #if !defined(MBEDTLS_NO_UDBL_DIVISION)
-typedef uint64_t mbedtls_t_udbl;
- #define MBEDTLS_HAVE_UDBL
- #endif /* !MBEDTLS_NO_UDBL_DIVISION */
-#endif /* !MBEDTLS_HAVE_INT64 */
-
-/*
- * Sanity check that exactly one of MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64 is defined,
- * so that code elsewhere doesn't have to check.
- */
-#if (!(defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64))) || \
- (defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64))
-#error "Only 32-bit or 64-bit limbs are supported in bignum"
-#endif
-
-/** \typedef mbedtls_mpi_uint
- * \brief The type of machine digits in a bignum, called _limbs_.
- *
- * This is always an unsigned integer type with no padding bits. The size
- * is platform-dependent.
- */
-
-/** \typedef mbedtls_mpi_sint
- * \brief The signed type corresponding to #mbedtls_mpi_uint.
- *
- * This is always an signed integer type with no padding bits. The size
- * is platform-dependent.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief MPI structure
- */
-typedef struct mbedtls_mpi {
- /** Pointer to limbs.
- *
- * This may be \c NULL if \c n is 0.
- */
- mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);
-
- /** Sign: -1 if the mpi is negative, 1 otherwise.
- *
- * The number 0 must be represented with `s = +1`. Although many library
- * functions treat all-limbs-zero as equivalent to a valid representation
- * of 0 regardless of the sign bit, there are exceptions, so bignum
- * functions and external callers must always set \c s to +1 for the
- * number zero.
- *
- * Note that this implies that calloc() or `... = {0}` does not create
- * a valid MPI representation. You must call mbedtls_mpi_init().
- */
- signed short MBEDTLS_PRIVATE(s);
-
- /** Total number of limbs in \c p. */
- unsigned short MBEDTLS_PRIVATE(n);
- /* Make sure that MBEDTLS_MPI_MAX_LIMBS fits in n.
- * Use the same limit value on all platforms so that we don't have to
- * think about different behavior on the rare platforms where
- * unsigned short can store values larger than the minimum required by
- * the C language, which is 65535.
- */
-#if MBEDTLS_MPI_MAX_LIMBS > 65535
-#error "MBEDTLS_MPI_MAX_LIMBS > 65535 is not supported"
-#endif
-}
-mbedtls_mpi;
-
-/**
- * \brief Initialize an MPI context.
- *
- * This makes the MPI ready to be set or freed,
- * but does not define a value for the MPI.
- *
- * \param X The MPI context to initialize. This must not be \c NULL.
- */
-void mbedtls_mpi_init(mbedtls_mpi *X);
-
-/**
- * \brief This function frees the components of an MPI context.
- *
- * \param X The MPI context to be cleared. This may be \c NULL,
- * in which case this function is a no-op. If it is
- * not \c NULL, it must point to an initialized MPI.
- */
-void mbedtls_mpi_free(mbedtls_mpi *X);
-
-/**
- * \brief Enlarge an MPI to the specified number of limbs.
- *
- * \note This function does nothing if the MPI is
- * already large enough.
- *
- * \param X The MPI to grow. It must be initialized.
- * \param nblimbs The target number of limbs.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs);
-
-/**
- * \brief This function resizes an MPI downwards, keeping at least the
- * specified number of limbs.
- *
- * If \c X is smaller than \c nblimbs, it is resized up
- * instead.
- *
- * \param X The MPI to shrink. This must point to an initialized MPI.
- * \param nblimbs The minimum number of limbs to keep.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
- * (this can only happen when resizing up).
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs);
-
-/**
- * \brief Make a copy of an MPI.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param Y The source MPI. This must point to an initialized MPI.
- *
- * \note The limb-buffer in the destination MPI is enlarged
- * if necessary to hold the value in the source MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y);
-
-/**
- * \brief Swap the contents of two MPIs.
- *
- * \param X The first MPI. It must be initialized.
- * \param Y The second MPI. It must be initialized.
- */
-void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y);
-
-/**
- * \brief Perform a safe conditional copy of MPI which doesn't
- * reveal whether the condition was true or not.
- *
- * \param X The MPI to conditionally assign to. This must point
- * to an initialized MPI.
- * \param Y The MPI to be assigned from. This must point to an
- * initialized MPI.
- * \param assign The condition deciding whether to perform the
- * assignment or not. Must be either 0 or 1:
- * * \c 1: Perform the assignment `X = Y`.
- * * \c 0: Keep the original value of \p X.
- *
- * \note This function is equivalent to
- * `if( assign ) mbedtls_mpi_copy( X, Y );`
- * except that it avoids leaking any information about whether
- * the assignment was done or not (the above code may leak
- * information through branch prediction and/or memory access
- * patterns analysis).
- *
- * \warning If \p assign is neither 0 nor 1, the result of this function
- * is indeterminate, and the resulting value in \p X might be
- * neither its original value nor the value in \p Y.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign);
-
-/**
- * \brief Perform a safe conditional swap which doesn't
- * reveal whether the condition was true or not.
- *
- * \param X The first MPI. This must be initialized.
- * \param Y The second MPI. This must be initialized.
- * \param swap The condition deciding whether to perform
- * the swap or not. Must be either 0 or 1:
- * * \c 1: Swap the values of \p X and \p Y.
- * * \c 0: Keep the original values of \p X and \p Y.
- *
- * \note This function is equivalent to
- * if( swap ) mbedtls_mpi_swap( X, Y );
- * except that it avoids leaking any information about whether
- * the swap was done or not (the above code may leak
- * information through branch prediction and/or memory access
- * patterns analysis).
- *
- * \warning If \p swap is neither 0 nor 1, the result of this function
- * is indeterminate, and both \p X and \p Y might end up with
- * values different to either of the original ones.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- *
- */
-int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap);
-
-/**
- * \brief Store integer value in MPI.
- *
- * \param X The MPI to set. This must be initialized.
- * \param z The value to use.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z);
-
-/**
- * \brief Get a specific bit from an MPI.
- *
- * \param X The MPI to query. This must be initialized.
- * \param pos Zero-based index of the bit to query.
- *
- * \return \c 0 or \c 1 on success, depending on whether bit \c pos
- * of \c X is unset or set.
- * \return A negative error code on failure.
- */
-int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos);
-
-/**
- * \brief Modify a specific bit in an MPI.
- *
- * \note This function will grow the target MPI if necessary to set a
- * bit to \c 1 in a not yet existing limb. It will not grow if
- * the bit should be set to \c 0.
- *
- * \param X The MPI to modify. This must be initialized.
- * \param pos Zero-based index of the bit to modify.
- * \param val The desired value of bit \c pos: \c 0 or \c 1.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val);
-
-/**
- * \brief Return the number of bits of value \c 0 before the
- * least significant bit of value \c 1.
- *
- * \note This is the same as the zero-based index of
- * the least significant bit of value \c 1.
- *
- * \param X The MPI to query.
- *
- * \return The number of bits of value \c 0 before the least significant
- * bit of value \c 1 in \p X.
- */
-size_t mbedtls_mpi_lsb(const mbedtls_mpi *X);
-
-/**
- * \brief Return the number of bits up to and including the most
- * significant bit of value \c 1.
- *
- * * \note This is same as the one-based index of the most
- * significant bit of value \c 1.
- *
- * \param X The MPI to query. This must point to an initialized MPI.
- *
- * \return The number of bits up to and including the most
- * significant bit of value \c 1.
- */
-size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X);
-
-/**
- * \brief Return the total size of an MPI value in bytes.
- *
- * \param X The MPI to use. This must point to an initialized MPI.
- *
- * \note The value returned by this function may be less than
- * the number of bytes used to store \p X internally.
- * This happens if and only if there are trailing bytes
- * of value zero.
- *
- * \return The least number of bytes capable of storing
- * the absolute value of \p X.
- */
-size_t mbedtls_mpi_size(const mbedtls_mpi *X);
-
-/**
- * \brief Import an MPI from an ASCII string.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param radix The numeric base of the input string.
- * \param s Null-terminated string buffer.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s);
-
-/**
- * \brief Export an MPI to an ASCII string.
- *
- * \param X The source MPI. This must point to an initialized MPI.
- * \param radix The numeric base of the output string.
- * \param buf The buffer to write the string to. This must be writable
- * buffer of length \p buflen Bytes.
- * \param buflen The available size in Bytes of \p buf.
- * \param olen The address at which to store the length of the string
- * written, including the final \c NULL byte. This must
- * not be \c NULL.
- *
- * \note You can call this function with `buflen == 0` to obtain the
- * minimum required buffer size in `*olen`.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
- * is too small to hold the value of \p X in the desired base.
- * In this case, `*olen` is nonetheless updated to contain the
- * size of \p buf required for a successful call.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
- char *buf, size_t buflen, size_t *olen);
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief Read an MPI from a line in an opened file.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param radix The numeric base of the string representation used
- * in the source line.
- * \param fin The input file handle to use. This must not be \c NULL.
- *
- * \note On success, this function advances the file stream
- * to the end of the current line or to EOF.
- *
- * The function returns \c 0 on an empty line.
- *
- * Leading whitespaces are ignored, as is a
- * '0x' prefix for radix \c 16.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
- * is too small.
- * \return Another negative error code on failure.
- */
-int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin);
-
-/**
- * \brief Export an MPI into an opened file.
- *
- * \param p A string prefix to emit prior to the MPI data.
- * For example, this might be a label, or "0x" when
- * printing in base \c 16. This may be \c NULL if no prefix
- * is needed.
- * \param X The source MPI. This must point to an initialized MPI.
- * \param radix The numeric base to be used in the emitted string.
- * \param fout The output file handle. This may be \c NULL, in which case
- * the output is written to \c stdout.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X,
- int radix, FILE *fout);
-#endif /* MBEDTLS_FS_IO */
-
-/**
- * \brief Import an MPI from unsigned big endian binary data.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param buf The input buffer. This must be a readable buffer of length
- * \p buflen Bytes.
- * \param buflen The length of the input buffer \p buf in Bytes.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf,
- size_t buflen);
-
-/**
- * \brief Import X from unsigned binary data, little endian
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param buf The input buffer. This must be a readable buffer of length
- * \p buflen Bytes.
- * \param buflen The length of the input buffer \p buf in Bytes.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
- const unsigned char *buf, size_t buflen);
-
-/**
- * \brief Export X into unsigned binary data, big endian.
- * Always fills the whole buffer, which will start with zeros
- * if the number is smaller.
- *
- * \param X The source MPI. This must point to an initialized MPI.
- * \param buf The output buffer. This must be a writable buffer of length
- * \p buflen Bytes.
- * \param buflen The size of the output buffer \p buf in Bytes.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
- * large enough to hold the value of \p X.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf,
- size_t buflen);
-
-/**
- * \brief Export X into unsigned binary data, little endian.
- * Always fills the whole buffer, which will end with zeros
- * if the number is smaller.
- *
- * \param X The source MPI. This must point to an initialized MPI.
- * \param buf The output buffer. This must be a writable buffer of length
- * \p buflen Bytes.
- * \param buflen The size of the output buffer \p buf in Bytes.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
- * large enough to hold the value of \p X.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
- unsigned char *buf, size_t buflen);
-
-/**
- * \brief Perform a left-shift on an MPI: X <<= count
- *
- * \param X The MPI to shift. This must point to an initialized MPI.
- * The MPI pointed by \p X may be resized to fit
- * the resulting number.
- * \param count The number of bits to shift by.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count);
-
-/**
- * \brief Perform a right-shift on an MPI: X >>= count
- *
- * \param X The MPI to shift. This must point to an initialized MPI.
- * \param count The number of bits to shift by.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count);
-
-/**
- * \brief Compare the absolute values of two MPIs.
- *
- * \param X The left-hand MPI. This must point to an initialized MPI.
- * \param Y The right-hand MPI. This must point to an initialized MPI.
- *
- * \return \c 1 if `|X|` is greater than `|Y|`.
- * \return \c -1 if `|X|` is lesser than `|Y|`.
- * \return \c 0 if `|X|` is equal to `|Y|`.
- */
-int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y);
-
-/**
- * \brief Compare two MPIs.
- *
- * \param X The left-hand MPI. This must point to an initialized MPI.
- * \param Y The right-hand MPI. This must point to an initialized MPI.
- *
- * \return \c 1 if \p X is greater than \p Y.
- * \return \c -1 if \p X is lesser than \p Y.
- * \return \c 0 if \p X is equal to \p Y.
- */
-int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y);
-
-/**
- * \brief Check if an MPI is less than the other in constant time.
- *
- * \param X The left-hand MPI. This must point to an initialized MPI
- * with the same allocated length as Y.
- * \param Y The right-hand MPI. This must point to an initialized MPI
- * with the same allocated length as X.
- * \param ret The result of the comparison:
- * \c 1 if \p X is less than \p Y.
- * \c 0 if \p X is greater than or equal to \p Y.
- *
- * \return 0 on success.
- * \return MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
- * the two input MPIs is not the same.
- */
-int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, const mbedtls_mpi *Y,
- unsigned *ret);
-
-/**
- * \brief Compare an MPI with an integer.
- *
- * \param X The left-hand MPI. This must point to an initialized MPI.
- * \param z The integer value to compare \p X to.
- *
- * \return \c 1 if \p X is greater than \p z.
- * \return \c -1 if \p X is lesser than \p z.
- * \return \c 0 if \p X is equal to \p z.
- */
-int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z);
-
-/**
- * \brief Perform an unsigned addition of MPIs: X = |A| + |B|
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The first summand. This must point to an initialized MPI.
- * \param B The second summand. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform an unsigned subtraction of MPIs: X = |A| - |B|
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The minuend. This must point to an initialized MPI.
- * \param B The subtrahend. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
- * \return Another negative error code on different kinds of failure.
- *
- */
-int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a signed addition of MPIs: X = A + B
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The first summand. This must point to an initialized MPI.
- * \param B The second summand. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a signed subtraction of MPIs: X = A - B
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The minuend. This must point to an initialized MPI.
- * \param B The subtrahend. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a signed addition of an MPI and an integer: X = A + b
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The first summand. This must point to an initialized MPI.
- * \param b The second summand.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A,
- mbedtls_mpi_sint b);
-
-/**
- * \brief Perform a signed subtraction of an MPI and an integer:
- * X = A - b
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The minuend. This must point to an initialized MPI.
- * \param b The subtrahend.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A,
- mbedtls_mpi_sint b);
-
-/**
- * \brief Perform a multiplication of two MPIs: X = A * B
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The first factor. This must point to an initialized MPI.
- * \param B The second factor. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- *
- */
-int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a multiplication of an MPI with an unsigned integer:
- * X = A * b
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The first factor. This must point to an initialized MPI.
- * \param b The second factor.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- *
- */
-int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A,
- mbedtls_mpi_uint b);
-
-/**
- * \brief Perform a division with remainder of two MPIs:
- * A = Q * B + R
- *
- * \param Q The destination MPI for the quotient.
- * This may be \c NULL if the value of the
- * quotient is not needed. This must not alias A or B.
- * \param R The destination MPI for the remainder value.
- * This may be \c NULL if the value of the
- * remainder is not needed. This must not alias A or B.
- * \param A The dividend. This must point to an initialized MPI.
- * \param B The divisor. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a division with remainder of an MPI by an integer:
- * A = Q * b + R
- *
- * \param Q The destination MPI for the quotient.
- * This may be \c NULL if the value of the
- * quotient is not needed. This must not alias A.
- * \param R The destination MPI for the remainder value.
- * This may be \c NULL if the value of the
- * remainder is not needed. This must not alias A.
- * \param A The dividend. This must point to an initialized MPi.
- * \param b The divisor.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
- mbedtls_mpi_sint b);
-
-/**
- * \brief Perform a modular reduction. R = A mod B
- *
- * \param R The destination MPI for the residue value.
- * This must point to an initialized MPI.
- * \param A The MPI to compute the residue of.
- * This must point to an initialized MPI.
- * \param B The base of the modular reduction.
- * This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
- * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
- * \return Another negative error code on different kinds of failure.
- *
- */
-int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Perform a modular reduction with respect to an integer.
- * r = A mod b
- *
- * \param r The address at which to store the residue.
- * This must not be \c NULL.
- * \param A The MPI to compute the residue of.
- * This must point to an initialized MPi.
- * \param b The integer base of the modular reduction.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
- * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
- mbedtls_mpi_sint b);
-
-/**
- * \brief Perform a sliding-window exponentiation: X = A^E mod N
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * This must not alias E or N.
- * \param A The base of the exponentiation.
- * This must point to an initialized MPI.
- * \param E The exponent MPI. This must point to an initialized MPI.
- * \param N The base for the modular reduction. This must point to an
- * initialized MPI.
- * \param prec_RR A helper MPI depending solely on \p N which can be used to
- * speed-up multiple modular exponentiations for the same value
- * of \p N. This may be \c NULL. If it is not \c NULL, it must
- * point to an initialized MPI. If it hasn't been used after
- * the call to mbedtls_mpi_init(), this function will compute
- * the helper value and store it in \p prec_RR for reuse on
- * subsequent calls to this function. Otherwise, the function
- * will assume that \p prec_RR holds the helper value set by a
- * previous call to mbedtls_mpi_exp_mod(), and reuse it.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
- * even, or if \c E is negative.
- * \return Another negative error code on different kinds of failures.
- *
- */
-int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *E, const mbedtls_mpi *N,
- mbedtls_mpi *prec_RR);
-
-/**
- * \brief Fill an MPI with a number of random bytes.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param size The number of random bytes to generate.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on failure.
- *
- * \note The bytes obtained from the RNG are interpreted
- * as a big-endian representation of an MPI; this can
- * be relevant in applications like deterministic ECDSA.
- */
-int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/** Generate a random number uniformly in a range.
- *
- * This function generates a random number between \p min inclusive and
- * \p N exclusive.
- *
- * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
- * when the RNG is a suitably parametrized instance of HMAC_DRBG
- * and \p min is \c 1.
- *
- * \note There are `N - min` possible outputs. The lower bound
- * \p min can be reached, but the upper bound \p N cannot.
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param min The minimum value to return.
- * It must be nonnegative.
- * \param N The upper bound of the range, exclusive.
- * In other words, this is one plus the maximum value to return.
- * \p N must be strictly larger than \p min.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p min or \p N is invalid
- * or if they are incompatible.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
- * unable to find a suitable value within a limited number
- * of attempts. This has a negligible probability if \p N
- * is significantly larger than \p min, which is the case
- * for all usual cryptographic applications.
- * \return Another negative error code on failure.
- */
-int mbedtls_mpi_random(mbedtls_mpi *X,
- mbedtls_mpi_sint min,
- const mbedtls_mpi *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Compute the greatest common divisor: G = gcd(A, B)
- *
- * \param G The destination MPI. This must point to an initialized MPI.
- * \param A The first operand. This must point to an initialized MPI.
- * \param B The second operand. This must point to an initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
- const mbedtls_mpi *B);
-
-/**
- * \brief Compute the modular inverse: X = A^-1 mod N
- *
- * \param X The destination MPI. This must point to an initialized MPI.
- * \param A The MPI to calculate the modular inverse of. This must point
- * to an initialized MPI.
- * \param N The base of the modular inversion. This must point to an
- * initialized MPI.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
- * or equal to one.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular
- * inverse with respect to \p N.
- */
-int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *N);
-
-/**
- * \brief Miller-Rabin primality test.
- *
- * \warning If \p X is potentially generated by an adversary, for example
- * when validating cryptographic parameters that you didn't
- * generate yourself and that are supposed to be prime, then
- * \p rounds should be at least the half of the security
- * strength of the cryptographic algorithm. On the other hand,
- * if \p X is chosen uniformly or non-adversarially (as is the
- * case when mbedtls_mpi_gen_prime calls this function), then
- * \p rounds can be much lower.
- *
- * \param X The MPI to check for primality.
- * This must point to an initialized MPI.
- * \param rounds The number of bases to perform the Miller-Rabin primality
- * test for. The probability of returning 0 on a composite is
- * at most 2<sup>-2*\p rounds </sup>.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- * This may be \c NULL if \p f_rng doesn't use
- * a context parameter.
- *
- * \return \c 0 if successful, i.e. \p X is probably prime.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-/**
- * \brief Flags for mbedtls_mpi_gen_prime()
- *
- * Each of these flags is a constraint on the result X returned by
- * mbedtls_mpi_gen_prime().
- */
-typedef enum {
- MBEDTLS_MPI_GEN_PRIME_FLAG_DH = 0x0001, /**< (X-1)/2 is prime too */
- MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
-} mbedtls_mpi_gen_prime_flag_t;
-
-/**
- * \brief Generate a prime number.
- *
- * \param X The destination MPI to store the generated prime in.
- * This must point to an initialized MPi.
- * \param nbits The required size of the destination MPI in bits.
- * This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
- * \param flags A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- * This may be \c NULL if \p f_rng doesn't use
- * a context parameter.
- *
- * \return \c 0 if successful, in which case \p X holds a
- * probably prime number.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
- * \c 3 and #MBEDTLS_MPI_MAX_BITS.
- */
-int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-int mbedtls_mpi_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* bignum.h */
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 842f15c..cf38f90 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -8,19 +8,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_BUILD_INFO_H
@@ -37,7 +25,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 3
-#define MBEDTLS_VERSION_MINOR 5
+#define MBEDTLS_VERSION_MINOR 6
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -45,9 +33,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03050000
-#define MBEDTLS_VERSION_STRING "3.5.0"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.0"
+#define MBEDTLS_VERSION_NUMBER 0x03060000
+#define MBEDTLS_VERSION_STRING "3.6.0"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.0"
/* Macros for build-time platform detection */
@@ -74,6 +62,35 @@
#define MBEDTLS_ARCH_IS_X86
#endif
+#if !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
+ (defined(_M_ARM64) || defined(_M_ARM64EC))
+#define MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64
+#endif
+
+/* This is defined if the architecture is Armv8-A, or higher */
+#if !defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#if defined(__ARM_ARCH) && defined(__ARM_ARCH_PROFILE)
+#if (__ARM_ARCH >= 8) && (__ARM_ARCH_PROFILE == 'A')
+/* GCC, clang, armclang and IAR */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#endif
+#elif defined(__ARM_ARCH_8A)
+/* Alternative defined by clang */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#elif defined(_M_ARM64) || defined(_M_ARM64EC)
+/* MSVC ARM64 is at least Armv8.0-A */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
+ && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+/* Defined if the compiler really is gcc and not clang, etc */
+#define MBEDTLS_COMPILER_IS_GCC
+#define MBEDTLS_GCC_VERSION \
+ (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+#endif
+
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
#endif
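Review bot: `MBEDTLS_ARCH_IS_ARMV8_A` as added here records only the architecture level, and its comment should say that it does not imply the optional Armv8-A Cryptographic Extension. If code elsewhere gates AES/SHA/PMULL instruction use on this macro alone (not visible in this hunk), it would hit undefined instructions on cores that lack them. I would extend the comment to `/* Armv8-A or higher. Says nothing about optional crypto instructions: check the compiler feature macros or detect at runtime. */`. The `MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64` block at the top of the hunk is the only one of the three additions without a comment; a one-liner such as `/* MSVC targeting ARM64 or ARM64EC */` would match its neighbours.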
@@ -84,6 +101,13 @@
#define inline __inline
#endif
+#if defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Something went wrong: MBEDTLS_CONFIG_FILES_READ defined before reading the config files!"
+#endif
+#if defined(MBEDTLS_CONFIG_IS_FINALIZED)
+#error "Something went wrong: MBEDTLS_CONFIG_IS_FINALIZED defined before reading the config files!"
+#endif
+
/* X.509, TLS and non-PSA crypto configuration */
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/mbedtls_config.h"
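Review bot: The two `#error` guards only catch a definition that exists before the config files are included, such as one from the compiler command line or an earlier header. A config file that itself defines `MBEDTLS_CONFIG_FILES_READ` or `MBEDTLS_CONFIG_IS_FINALIZED` as an empty macro passes unnoticed, because the `#define` of the same name in the later hunks is then a legal identical redefinition. If these markers are meant to be trusted by code that checks the configuration or sizes buffers from it, repeating the `#if defined(...)` / `#error` / `#endif` check immediately before each of the two `#define`s would close that gap. The messages would also be more actionable if they named the cause, e.g. `#error "MBEDTLS_CONFIG_FILES_READ is internal and must not be defined by the build or a config file"`.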
@@ -118,6 +142,12 @@
#endif
#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
+/* Indicate that all configuration files have been read.
+ * It is now time to adjust the configuration (follow through on dependencies,
+ * make PSA and legacy crypto consistent, etc.).
+ */
+#define MBEDTLS_CONFIG_FILES_READ
+
/* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if
* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined
* to ensure a 128-bit key size in CTR_DRBG.
@@ -141,7 +171,8 @@
* (e.g. MBEDTLS_MD_LIGHT)
*/
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
- defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
+ defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ || \
+ defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* The same as the previous, but with separation only */
#include "mbedtls/config_psa.h"
#endif
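Review bot: The comment on the new `MBEDTLS_PSA_CRYPTO_CLIENT` line, "The same as the previous, but with separation only", does not say what is separated or from what. Presumably it refers to builds where the PSA crypto implementation lives outside this library and only the client side is compiled here. If so, `/* client-only build (crypto service is separate): MBEDTLS_xxx still influences PSA_WANT_xxx */` states that directly, so a reader does not have to guess why `config_psa.h` is included without `MBEDTLS_PSA_CRYPTO_C`.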
@@ -151,8 +182,13 @@
#include "mbedtls/config_adjust_ssl.h"
-/* Make sure all configuration symbols are set before including check_config.h,
- * even the ones that are calculated programmatically. */
+/* Indicate that all configuration symbols are set,
+ * even the ones that are calculated programmatically.
+ * It is now safe to query the configuration (to check it, to size buffers,
+ * etc.).
+ */
+#define MBEDTLS_CONFIG_IS_FINALIZED
+
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_BUILD_INFO_H */
diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h
deleted file mode 100644
index 8033c13..0000000
--- a/include/mbedtls/camellia.h
+++ /dev/null
@@ -1,315 +0,0 @@
-/**
- * \file camellia.h
- *
- * \brief Camellia block cipher
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_CAMELLIA_H
-#define MBEDTLS_CAMELLIA_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "mbedtls/platform_util.h"
-
-#define MBEDTLS_CAMELLIA_ENCRYPT 1
-#define MBEDTLS_CAMELLIA_DECRYPT 0
-
-/** Bad input data. */
-#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024
-
-/** Invalid data input length. */
-#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_CAMELLIA_ALT)
-// Regular implementation
-//
-
-/**
- * \brief CAMELLIA context structure
- */
-typedef struct mbedtls_camellia_context {
- int MBEDTLS_PRIVATE(nr); /*!< number of rounds */
- uint32_t MBEDTLS_PRIVATE(rk)[68]; /*!< CAMELLIA round keys */
-}
-mbedtls_camellia_context;
-
-#else /* MBEDTLS_CAMELLIA_ALT */
-#include "camellia_alt.h"
-#endif /* MBEDTLS_CAMELLIA_ALT */
-
-/**
- * \brief Initialize a CAMELLIA context.
- *
- * \param ctx The CAMELLIA context to be initialized.
- * This must not be \c NULL.
- */
-void mbedtls_camellia_init(mbedtls_camellia_context *ctx);
-
-/**
- * \brief Clear a CAMELLIA context.
- *
- * \param ctx The CAMELLIA context to be cleared. This may be \c NULL,
- * in which case this function returns immediately. If it is not
- * \c NULL, it must be initialized.
- */
-void mbedtls_camellia_free(mbedtls_camellia_context *ctx);
-
-/**
- * \brief Perform a CAMELLIA key schedule operation for encryption.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized.
- * \param key The encryption key to use. This must be a readable buffer
- * of size \p keybits Bits.
- * \param keybits The length of \p key in Bits. This must be either \c 128,
- * \c 192 or \c 256.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief Perform a CAMELLIA key schedule operation for decryption.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized.
- * \param key The decryption key. This must be a readable buffer
- * of size \p keybits Bits.
- * \param keybits The length of \p key in Bits. This must be either \c 128,
- * \c 192 or \c 256.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief Perform a CAMELLIA-ECB block encryption/decryption operation.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized
- * and bound to a key.
- * \param mode The mode of operation. This must be either
- * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
- * \param input The input block. This must be a readable buffer
- * of size \c 16 Bytes.
- * \param output The output block. This must be a writable buffer
- * of size \c 16 Bytes.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief Perform a CAMELLIA-CBC buffer encryption/decryption operation.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the function same function again on the following
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If on the other hand you need to retain the contents of the
- * IV, you should either save it manually or use the cipher
- * module instead.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized
- * and bound to a key.
- * \param mode The mode of operation. This must be either
- * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
- * \param length The length in Bytes of the input data \p input.
- * This must be a multiple of \c 16 Bytes.
- * \param iv The initialization vector. This must be a read/write buffer
- * of length \c 16 Bytes. It is updated to allow streaming
- * use as explained above.
- * \param input The buffer holding the input data. This must point to a
- * readable buffer of length \p length Bytes.
- * \param output The buffer holding the output data. This must point to a
- * writable buffer of length \p length Bytes.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/**
- * \brief Perform a CAMELLIA-CFB128 buffer encryption/decryption
- * operation.
- *
- * \note Due to the nature of CFB mode, you should use the same
- * key for both encryption and decryption. In particular, calls
- * to this function should be preceded by a key-schedule via
- * mbedtls_camellia_setkey_enc() regardless of whether \p mode
- * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the function same function again on the following
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If on the other hand you need to retain the contents of the
- * IV, you should either save it manually or use the cipher
- * module instead.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized
- * and bound to a key.
- * \param mode The mode of operation. This must be either
- * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
- * \param length The length of the input data \p input. Any value is allowed.
- * \param iv_off The current offset in the IV. This must be smaller
- * than \c 16 Bytes. It is updated after this call to allow
- * the aforementioned streaming usage.
- * \param iv The initialization vector. This must be a read/write buffer
- * of length \c 16 Bytes. It is updated after this call to
- * allow the aforementioned streaming usage.
- * \param input The buffer holding the input data. This must be a readable
- * buffer of size \p length Bytes.
- * \param output The buffer to hold the output data. This must be a writable
- * buffer of length \p length Bytes.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/**
- * \brief Perform a CAMELLIA-CTR buffer encryption/decryption operation.
- *
- * *note Due to the nature of CTR mode, you should use the same
- * key for both encryption and decryption. In particular, calls
- * to this function should be preceded by a key-schedule via
- * mbedtls_camellia_setkey_enc() regardless of whether the mode
- * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
- *
- * \warning You must never reuse a nonce value with the same key. Doing so
- * would void the encryption for the two messages encrypted with
- * the same nonce and key.
- *
- * There are two common strategies for managing nonces with CTR:
- *
- * 1. You can handle everything as a single message processed over
- * successive calls to this function. In that case, you want to
- * set \p nonce_counter and \p nc_off to 0 for the first call, and
- * then preserve the values of \p nonce_counter, \p nc_off and \p
- * stream_block across calls to this function as they will be
- * updated by this function.
- *
- * With this strategy, you must not encrypt more than 2**128
- * blocks of data with the same key.
- *
- * 2. You can encrypt separate messages by dividing the \p
- * nonce_counter buffer in two areas: the first one used for a
- * per-message nonce, handled by yourself, and the second one
- * updated by this function internally.
- *
- * For example, you might reserve the first \c 12 Bytes for the
- * per-message nonce, and the last \c 4 Bytes for internal use.
- * In that case, before calling this function on a new message you
- * need to set the first \c 12 Bytes of \p nonce_counter to your
- * chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
- * (which will cause \p stream_block to be ignored). That way, you
- * can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
- * each with the same key.
- *
- * The per-message nonce (or information sufficient to reconstruct
- * it) needs to be communicated with the ciphertext and must be
- * unique. The recommended way to ensure uniqueness is to use a
- * message counter. An alternative is to generate random nonces,
- * but this limits the number of messages that can be securely
- * encrypted: for example, with 96-bit random nonces, you should
- * not encrypt more than 2**32 messages with the same key.
- *
- * Note that for both strategies, sizes are measured in blocks and
- * that a CAMELLIA block is \c 16 Bytes.
- *
- * \warning Upon return, \p stream_block contains sensitive data. Its
- * content must not be written to insecure storage and should be
- * securely discarded as soon as it's no longer needed.
- *
- * \param ctx The CAMELLIA context to use. This must be initialized
- * and bound to a key.
- * \param length The length of the input data \p input in Bytes.
- * Any value is allowed.
- * \param nc_off The offset in the current \p stream_block (for resuming
- * within current cipher stream). The offset pointer to
- * should be \c 0 at the start of a stream. It is updated
- * at the end of this call.
- * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
- * buffer of length \c 16 Bytes.
- * \param stream_block The saved stream-block for resuming. This must be a
- * read/write buffer of length \c 16 Bytes.
- * \param input The input data stream. This must be a readable buffer of
- * size \p length Bytes.
- * \param output The output data stream. This must be a writable buffer
- * of size \p length Bytes.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[16],
- unsigned char stream_block[16],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-int mbedtls_camellia_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* camellia.h */
diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h
deleted file mode 100644
index e00e747..0000000
--- a/include/mbedtls/ccm.h
+++ /dev/null
@@ -1,530 +0,0 @@
-/**
- * \file ccm.h
- *
- * \brief This file provides an API for the CCM authenticated encryption
- * mode for block ciphers.
- *
- * CCM combines Counter mode encryption with CBC-MAC authentication
- * for 128-bit block ciphers.
- *
- * Input to CCM includes the following elements:
- * <ul><li>Payload - data that is both authenticated and encrypted.</li>
- * <li>Associated data (Adata) - data that is authenticated but not
- * encrypted, For example, a header.</li>
- * <li>Nonce - A unique value that is assigned to the payload and the
- * associated data.</li></ul>
- *
- * Definition of CCM:
- * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
- * RFC 3610 "Counter with CBC-MAC (CCM)"
- *
- * Related:
- * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
- *
- * Definition of CCM*:
- * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
- * Integer representation is fixed most-significant-octet-first order and
- * the representation of octets is most-significant-bit-first order. This is
- * consistent with RFC 3610.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CCM_H
-#define MBEDTLS_CCM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/cipher.h"
-
-#define MBEDTLS_CCM_DECRYPT 0
-#define MBEDTLS_CCM_ENCRYPT 1
-#define MBEDTLS_CCM_STAR_DECRYPT 2
-#define MBEDTLS_CCM_STAR_ENCRYPT 3
-
-/** Bad input parameters to the function. */
-#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D
-/** Authenticated decryption failed. */
-#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_CCM_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The CCM context-type definition. The CCM context is passed
- * to the APIs called.
- */
-typedef struct mbedtls_ccm_context {
- unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */
- unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */
- size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */
- size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */
- size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */
- size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data
- were processed (chunked input).
- Used independently for both auth data
- and plaintext/ciphertext.
- This variable is set to zero after
- auth data input is finished. */
- unsigned int MBEDTLS_PRIVATE(q); /*!< The Q working value */
- unsigned int MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
- #MBEDTLS_CCM_ENCRYPT or
- #MBEDTLS_CCM_DECRYPT or
- #MBEDTLS_CCM_STAR_ENCRYPT or
- #MBEDTLS_CCM_STAR_DECRYPT. */
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
- int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
- state. Used for chunked data input */
-}
-mbedtls_ccm_context;
-
-#else /* MBEDTLS_CCM_ALT */
-#include "ccm_alt.h"
-#endif /* MBEDTLS_CCM_ALT */
-
-/**
- * \brief This function initializes the specified CCM context,
- * to make references valid, and prepare the context
- * for mbedtls_ccm_setkey() or mbedtls_ccm_free().
- *
- * \param ctx The CCM context to initialize. This must not be \c NULL.
- */
-void mbedtls_ccm_init(mbedtls_ccm_context *ctx);
-
-/**
- * \brief This function initializes the CCM context set in the
- * \p ctx parameter and sets the encryption key.
- *
- * \param ctx The CCM context to initialize. This must be an initialized
- * context.
- * \param cipher The 128-bit block cipher to use.
- * \param key The encryption key. This must not be \c NULL.
- * \param keybits The key size in bits. This must be acceptable by the cipher.
- *
- * \return \c 0 on success.
- * \return A CCM or cipher-specific error code on failure.
- */
-int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function releases and clears the specified CCM context
- * and underlying cipher sub-context.
- *
- * \param ctx The CCM context to clear. If this is \c NULL, the function
- * has no effect. Otherwise, this must be initialized.
- */
-void mbedtls_ccm_free(mbedtls_ccm_context *ctx);
-
-/**
- * \brief This function encrypts a buffer using CCM.
- *
- * \note The tag is written to a separate buffer. To concatenate
- * the \p tag with the \p output, as done in <em>RFC-3610:
- * Counter with CBC-MAC (CCM)</em>, use
- * \p tag = \p output + \p length, and make sure that the
- * output buffer is at least \p length + \p tag_len wide.
- *
- * \param ctx The CCM context to use for encryption. This must be
- * initialized and bound to a key.
- * \param length The length of the input data in Bytes.
- * \param iv The initialization vector (nonce). This must be a readable
- * buffer of at least \p iv_len Bytes.
- * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
- * or 13. The length L of the message length field is
- * 15 - \p iv_len.
- * \param ad The additional data field. If \p ad_len is greater than
- * zero, \p ad must be a readable buffer of at least that
- * length.
- * \param ad_len The length of additional data in Bytes.
- * This must be less than `2^16 - 2^8`.
- * \param input The buffer holding the input data. If \p length is greater
- * than zero, \p input must be a readable buffer of at least
- * that length.
- * \param output The buffer holding the output data. If \p length is greater
- * than zero, \p output must be a writable buffer of at least
- * that length.
- * \param tag The buffer holding the authentication field. This must be a
- * writable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the authentication field to generate in Bytes:
- * 4, 6, 8, 10, 12, 14 or 16.
- *
- * \return \c 0 on success.
- * \return A CCM or cipher-specific error code on failure.
- */
-int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, unsigned char *output,
- unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function encrypts a buffer using CCM*.
- *
- * \note The tag is written to a separate buffer. To concatenate
- * the \p tag with the \p output, as done in <em>RFC-3610:
- * Counter with CBC-MAC (CCM)</em>, use
- * \p tag = \p output + \p length, and make sure that the
- * output buffer is at least \p length + \p tag_len wide.
- *
- * \note When using this function in a variable tag length context,
- * the tag length has to be encoded into the \p iv passed to
- * this function.
- *
- * \param ctx The CCM context to use for encryption. This must be
- * initialized and bound to a key.
- * \param length The length of the input data in Bytes.
- * For tag length = 0, input length is ignored.
- * \param iv The initialization vector (nonce). This must be a readable
- * buffer of at least \p iv_len Bytes.
- * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
- * or 13. The length L of the message length field is
- * 15 - \p iv_len.
- * \param ad The additional data field. This must be a readable buffer of
- * at least \p ad_len Bytes.
- * \param ad_len The length of additional data in Bytes.
- * This must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data. If \p length is greater
- * than zero, \p input must be a readable buffer of at least
- * that length.
- * \param output The buffer holding the output data. If \p length is greater
- * than zero, \p output must be a writable buffer of at least
- * that length.
- * \param tag The buffer holding the authentication field. This must be a
- * writable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the authentication field to generate in Bytes:
- * 0, 4, 6, 8, 10, 12, 14 or 16.
- *
- * \warning Passing \c 0 as \p tag_len means that the message is no
- * longer authenticated.
- *
- * \return \c 0 on success.
- * \return A CCM or cipher-specific error code on failure.
- */
-int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, unsigned char *output,
- unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function performs a CCM authenticated decryption of a
- * buffer.
- *
- * \param ctx The CCM context to use for decryption. This must be
- * initialized and bound to a key.
- * \param length The length of the input data in Bytes.
- * \param iv The initialization vector (nonce). This must be a readable
- * buffer of at least \p iv_len Bytes.
- * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
- * or 13. The length L of the message length field is
- * 15 - \p iv_len.
- * \param ad The additional data field. This must be a readable buffer
- * of at least that \p ad_len Bytes..
- * \param ad_len The length of additional data in Bytes.
- * This must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data. If \p length is greater
- * than zero, \p input must be a readable buffer of at least
- * that length.
- * \param output The buffer holding the output data. If \p length is greater
- * than zero, \p output must be a writable buffer of at least
- * that length.
- * \param tag The buffer holding the authentication field. This must be a
- * readable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the authentication field to generate in Bytes:
- * 4, 6, 8, 10, 12, 14 or 16.
- *
- * \return \c 0 on success. This indicates that the message is authentic.
- * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
- * \return A cipher-specific error code on calculation failure.
- */
-int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, unsigned char *output,
- const unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function performs a CCM* authenticated decryption of a
- * buffer.
- *
- * \note When using this function in a variable tag length context,
- * the tag length has to be decoded from \p iv and passed to
- * this function as \p tag_len. (\p tag needs to be adjusted
- * accordingly.)
- *
- * \param ctx The CCM context to use for decryption. This must be
- * initialized and bound to a key.
- * \param length The length of the input data in Bytes.
- * For tag length = 0, input length is ignored.
- * \param iv The initialization vector (nonce). This must be a readable
- * buffer of at least \p iv_len Bytes.
- * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
- * or 13. The length L of the message length field is
- * 15 - \p iv_len.
- * \param ad The additional data field. This must be a readable buffer of
- * at least that \p ad_len Bytes.
- * \param ad_len The length of additional data in Bytes.
- * This must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data. If \p length is greater
- * than zero, \p input must be a readable buffer of at least
- * that length.
- * \param output The buffer holding the output data. If \p length is greater
- * than zero, \p output must be a writable buffer of at least
- * that length.
- * \param tag The buffer holding the authentication field. This must be a
- * readable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the authentication field in Bytes.
- * 0, 4, 6, 8, 10, 12, 14 or 16.
- *
- * \warning Passing \c 0 as \p tag_len means that the message is nos
- * longer authenticated.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
- * \return A cipher-specific error code on calculation failure.
- */
-int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, unsigned char *output,
- const unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function starts a CCM encryption or decryption
- * operation.
- *
- * This function and mbedtls_ccm_set_lengths() must be called
- * before calling mbedtls_ccm_update_ad() or
- * mbedtls_ccm_update(). This function can be called before
- * or after mbedtls_ccm_set_lengths().
- *
- * \note This function is not implemented in Mbed TLS yet.
- *
- * \param ctx The CCM context. This must be initialized.
- * \param mode The operation to perform: #MBEDTLS_CCM_ENCRYPT or
- * #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or
- * #MBEDTLS_CCM_STAR_DECRYPT.
- * \param iv The initialization vector. This must be a readable buffer
- * of at least \p iv_len Bytes.
- * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
- * or 13. The length L of the message length field is
- * 15 - \p iv_len.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
- * \p ctx is in an invalid state,
- * \p mode is invalid,
- * \p iv_len is invalid (lower than \c 7 or greater than
- * \c 13).
- */
-int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
- int mode,
- const unsigned char *iv,
- size_t iv_len);
-
-/**
- * \brief This function declares the lengths of the message
- * and additional data for a CCM encryption or decryption
- * operation.
- *
- * This function and mbedtls_ccm_starts() must be called
- * before calling mbedtls_ccm_update_ad() or
- * mbedtls_ccm_update(). This function can be called before
- * or after mbedtls_ccm_starts().
- *
- * \note This function is not implemented in Mbed TLS yet.
- *
- * \param ctx The CCM context. This must be initialized.
- * \param total_ad_len The total length of additional data in bytes.
- * This must be less than `2^16 - 2^8`.
- * \param plaintext_len The length in bytes of the plaintext to encrypt or
- * result of the decryption (thus not encompassing the
- * additional data that are not encrypted).
- * \param tag_len The length of the tag to generate in Bytes:
- * 4, 6, 8, 10, 12, 14 or 16.
- * For CCM*, zero is also valid.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
- * \p ctx is in an invalid state,
- * \p total_ad_len is greater than \c 0xFF00.
- */
-int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
- size_t total_ad_len,
- size_t plaintext_len,
- size_t tag_len);
-
-/**
- * \brief This function feeds an input buffer as associated data
- * (authenticated but not encrypted data) in a CCM
- * encryption or decryption operation.
- *
- * You may call this function zero, one or more times
- * to pass successive parts of the additional data. The
- * lengths \p ad_len of the data parts should eventually add
- * up exactly to the total length of additional data
- * \c total_ad_len passed to mbedtls_ccm_set_lengths(). You
- * may not call this function after calling
- * mbedtls_ccm_update().
- *
- * \note This function is not implemented in Mbed TLS yet.
- *
- * \param ctx The CCM context. This must have been started with
- * mbedtls_ccm_starts(), the lengths of the message and
- * additional data must have been declared with
- * mbedtls_ccm_set_lengths() and this must not have yet
- * received any input with mbedtls_ccm_update().
- * \param ad The buffer holding the additional data, or \c NULL
- * if \p ad_len is \c 0.
- * \param ad_len The length of the additional data. If \c 0,
- * \p ad may be \c NULL.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
- * \p ctx is in an invalid state,
- * total input length too long.
- */
-int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
- const unsigned char *ad,
- size_t ad_len);
-
-/**
- * \brief This function feeds an input buffer into an ongoing CCM
- * encryption or decryption operation.
- *
- * You may call this function zero, one or more times
- * to pass successive parts of the input: the plaintext to
- * encrypt, or the ciphertext (not including the tag) to
- * decrypt. After the last part of the input, call
- * mbedtls_ccm_finish(). The lengths \p input_len of the
- * data parts should eventually add up exactly to the
- * plaintext length \c plaintext_len passed to
- * mbedtls_ccm_set_lengths().
- *
- * This function may produce output in one of the following
- * ways:
- * - Immediate output: the output length is always equal
- * to the input length.
- * - Buffered output: except for the last part of input data,
- * the output consists of a whole number of 16-byte blocks.
- * If the total input length so far (not including
- * associated data) is 16 \* *B* + *A* with *A* < 16 then
- * the total output length is 16 \* *B*.
- * For the last part of input data, the output length is
- * equal to the input length plus the number of bytes (*A*)
- * buffered in the previous call to the function (if any).
- * The function uses the plaintext length
- * \c plaintext_len passed to mbedtls_ccm_set_lengths()
- * to detect the last part of input data.
- *
- * In particular:
- * - It is always correct to call this function with
- * \p output_size >= \p input_len + 15.
- * - If \p input_len is a multiple of 16 for all the calls
- * to this function during an operation (not necessary for
- * the last one) then it is correct to use \p output_size
- * =\p input_len.
- *
- * \note This function is not implemented in Mbed TLS yet.
- *
- * \param ctx The CCM context. This must have been started with
- * mbedtls_ccm_starts() and the lengths of the message and
- * additional data must have been declared with
- * mbedtls_ccm_set_lengths().
- * \param input The buffer holding the input data. If \p input_len
- * is greater than zero, this must be a readable buffer
- * of at least \p input_len bytes.
- * \param input_len The length of the input data in bytes.
- * \param output The buffer for the output data. If \p output_size
- * is greater than zero, this must be a writable buffer of
- * at least \p output_size bytes.
- * \param output_size The size of the output buffer in bytes.
- * See the function description regarding the output size.
- * \param output_len On success, \p *output_len contains the actual
- * length of the output written in \p output.
- * On failure, the content of \p *output_len is
- * unspecified.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
- * \p ctx is in an invalid state,
- * total input length too long,
- * or \p output_size too small.
- */
-int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
- const unsigned char *input, size_t input_len,
- unsigned char *output, size_t output_size,
- size_t *output_len);
-
-/**
- * \brief This function finishes the CCM operation and generates
- * the authentication tag.
- *
- * It wraps up the CCM stream, and generates the
- * tag. The tag can have a maximum length of 16 Bytes.
- *
- * \note This function is not implemented in Mbed TLS yet.
- *
- * \param ctx The CCM context. This must have been started with
- * mbedtls_ccm_starts() and the lengths of the message and
- * additional data must have been declared with
- * mbedtls_ccm_set_lengths().
- * \param tag The buffer for holding the tag. If \p tag_len is greater
- * than zero, this must be a writable buffer of at least \p
- * tag_len Bytes.
- * \param tag_len The length of the tag. Must match the tag length passed to
- * mbedtls_ccm_set_lengths() function.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
- * \p ctx is in an invalid state,
- * invalid value of \p tag_len,
- * the total amount of additional data passed to
- * mbedtls_ccm_update_ad() was lower than the total length of
- * additional data \c total_ad_len passed to
- * mbedtls_ccm_set_lengths(),
- * the total amount of input data passed to
- * mbedtls_ccm_update() was lower than the plaintext length
- * \c plaintext_len passed to mbedtls_ccm_set_lengths().
- */
-int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
- unsigned char *tag, size_t tag_len);
-
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-/**
- * \brief The CCM checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_ccm_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CCM_H */
diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h
deleted file mode 100644
index e24e56b..0000000
--- a/include/mbedtls/chacha20.h
+++ /dev/null
@@ -1,214 +0,0 @@
-/**
- * \file chacha20.h
- *
- * \brief This file contains ChaCha20 definitions and functions.
- *
- * ChaCha20 is a stream cipher that can encrypt and decrypt
- * information. ChaCha was created by Daniel Bernstein as a variant of
- * its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
- * ChaCha20 is the variant with 20 rounds, that was also standardized
- * in RFC 7539.
- *
- * \author Daniel King <damaki.gh@gmail.com>
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CHACHA20_H
-#define MBEDTLS_CHACHA20_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stdint.h>
-#include <stddef.h>
-
-/** Invalid input parameter(s). */
-#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x0051
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_CHACHA20_ALT)
-
-typedef struct mbedtls_chacha20_context {
- uint32_t MBEDTLS_PRIVATE(state)[16]; /*! The state (before round operations). */
- uint8_t MBEDTLS_PRIVATE(keystream8)[64]; /*! Leftover keystream bytes. */
- size_t MBEDTLS_PRIVATE(keystream_bytes_used); /*! Number of keystream bytes already used. */
-}
-mbedtls_chacha20_context;
-
-#else /* MBEDTLS_CHACHA20_ALT */
-#include "chacha20_alt.h"
-#endif /* MBEDTLS_CHACHA20_ALT */
-
-/**
- * \brief This function initializes the specified ChaCha20 context.
- *
- * It must be the first API called before using
- * the context.
- *
- * It is usually followed by calls to
- * \c mbedtls_chacha20_setkey() and
- * \c mbedtls_chacha20_starts(), then one or more calls to
- * to \c mbedtls_chacha20_update(), and finally to
- * \c mbedtls_chacha20_free().
- *
- * \param ctx The ChaCha20 context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx);
-
-/**
- * \brief This function releases and clears the specified
- * ChaCha20 context.
- *
- * \param ctx The ChaCha20 context to clear. This may be \c NULL,
- * in which case this function is a no-op. If it is not
- * \c NULL, it must point to an initialized context.
- *
- */
-void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx);
-
-/**
- * \brief This function sets the encryption/decryption key.
- *
- * \note After using this function, you must also call
- * \c mbedtls_chacha20_starts() to set a nonce before you
- * start encrypting/decrypting data with
- * \c mbedtls_chacha_update().
- *
- * \param ctx The ChaCha20 context to which the key should be bound.
- * It must be initialized.
- * \param key The encryption/decryption key. This must be \c 32 Bytes
- * in length.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
- */
-int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
- const unsigned char key[32]);
-
-/**
- * \brief This function sets the nonce and initial counter value.
- *
- * \note A ChaCha20 context can be re-used with the same key by
- * calling this function to change the nonce.
- *
- * \warning You must never use the same nonce twice with the same key.
- * This would void any confidentiality guarantees for the
- * messages encrypted with the same nonce and key.
- *
- * \param ctx The ChaCha20 context to which the nonce should be bound.
- * It must be initialized and bound to a key.
- * \param nonce The nonce. This must be \c 12 Bytes in size.
- * \param counter The initial counter value. This is usually \c 0.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
- * NULL.
- */
-int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
- const unsigned char nonce[12],
- uint32_t counter);
-
-/**
- * \brief This function encrypts or decrypts data.
- *
- * Since ChaCha20 is a stream cipher, the same operation is
- * used for encrypting and decrypting data.
- *
- * \note The \p input and \p output pointers must either be equal or
- * point to non-overlapping buffers.
- *
- * \note \c mbedtls_chacha20_setkey() and
- * \c mbedtls_chacha20_starts() must be called at least once
- * to setup the context before this function can be called.
- *
- * \note This function can be called multiple times in a row in
- * order to encrypt of decrypt data piecewise with the same
- * key and nonce.
- *
- * \param ctx The ChaCha20 context to use for encryption or decryption.
- * It must be initialized and bound to a key and nonce.
- * \param size The length of the input data in Bytes.
- * \param input The buffer holding the input data.
- * This pointer can be \c NULL if `size == 0`.
- * \param output The buffer holding the output data.
- * This must be able to hold \p size Bytes.
- * This pointer can be \c NULL if `size == 0`.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
- size_t size,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function encrypts or decrypts data with ChaCha20 and
- * the given key and nonce.
- *
- * Since ChaCha20 is a stream cipher, the same operation is
- * used for encrypting and decrypting data.
- *
- * \warning You must never use the same (key, nonce) pair more than
- * once. This would void any confidentiality guarantees for
- * the messages encrypted with the same nonce and key.
- *
- * \note The \p input and \p output pointers must either be equal or
- * point to non-overlapping buffers.
- *
- * \param key The encryption/decryption key.
- * This must be \c 32 Bytes in length.
- * \param nonce The nonce. This must be \c 12 Bytes in size.
- * \param counter The initial counter value. This is usually \c 0.
- * \param size The length of the input data in Bytes.
- * \param input The buffer holding the input data.
- * This pointer can be \c NULL if `size == 0`.
- * \param output The buffer holding the output data.
- * This must be able to hold \p size Bytes.
- * This pointer can be \c NULL if `size == 0`.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_chacha20_crypt(const unsigned char key[32],
- const unsigned char nonce[12],
- uint32_t counter,
- size_t size,
- const unsigned char *input,
- unsigned char *output);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief The ChaCha20 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_chacha20_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CHACHA20_H */
diff --git a/include/mbedtls/chachapoly.h b/include/mbedtls/chachapoly.h
deleted file mode 100644
index 19baade..0000000
--- a/include/mbedtls/chachapoly.h
+++ /dev/null
@@ -1,354 +0,0 @@
-/**
- * \file chachapoly.h
- *
- * \brief This file contains the AEAD-ChaCha20-Poly1305 definitions and
- * functions.
- *
- * ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
- * with Associated Data (AEAD) that can be used to encrypt and
- * authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
- * Bernstein and was standardized in RFC 7539.
- *
- * \author Daniel King <damaki.gh@gmail.com>
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CHACHAPOLY_H
-#define MBEDTLS_CHACHAPOLY_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-/* for shared error codes */
-#include "mbedtls/poly1305.h"
-
-/** The requested operation is not permitted in the current state. */
-#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE -0x0054
-/** Authenticated decryption failed: data was not authentic. */
-#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED -0x0056
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef enum {
- MBEDTLS_CHACHAPOLY_ENCRYPT, /**< The mode value for performing encryption. */
- MBEDTLS_CHACHAPOLY_DECRYPT /**< The mode value for performing decryption. */
-}
-mbedtls_chachapoly_mode_t;
-
-#if !defined(MBEDTLS_CHACHAPOLY_ALT)
-
-#include "mbedtls/chacha20.h"
-
-typedef struct mbedtls_chachapoly_context {
- mbedtls_chacha20_context MBEDTLS_PRIVATE(chacha20_ctx); /**< The ChaCha20 context. */
- mbedtls_poly1305_context MBEDTLS_PRIVATE(poly1305_ctx); /**< The Poly1305 context. */
- uint64_t MBEDTLS_PRIVATE(aad_len); /**< The length (bytes) of the Additional Authenticated Data. */
- uint64_t MBEDTLS_PRIVATE(ciphertext_len); /**< The length (bytes) of the ciphertext. */
- int MBEDTLS_PRIVATE(state); /**< The current state of the context. */
- mbedtls_chachapoly_mode_t MBEDTLS_PRIVATE(mode); /**< Cipher mode (encrypt or decrypt). */
-}
-mbedtls_chachapoly_context;
-
-#else /* !MBEDTLS_CHACHAPOLY_ALT */
-#include "chachapoly_alt.h"
-#endif /* !MBEDTLS_CHACHAPOLY_ALT */
-
-/**
- * \brief This function initializes the specified ChaCha20-Poly1305 context.
- *
- * It must be the first API called before using
- * the context. It must be followed by a call to
- * \c mbedtls_chachapoly_setkey() before any operation can be
- * done, and to \c mbedtls_chachapoly_free() once all
- * operations with that context have been finished.
- *
- * In order to encrypt or decrypt full messages at once, for
- * each message you should make a single call to
- * \c mbedtls_chachapoly_crypt_and_tag() or
- * \c mbedtls_chachapoly_auth_decrypt().
- *
- * In order to encrypt messages piecewise, for each
- * message you should make a call to
- * \c mbedtls_chachapoly_starts(), then 0 or more calls to
- * \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
- * \c mbedtls_chachapoly_update(), then one call to
- * \c mbedtls_chachapoly_finish().
- *
- * \warning Decryption with the piecewise API is discouraged! Always
- * use \c mbedtls_chachapoly_auth_decrypt() when possible!
- *
- * If however this is not possible because the data is too
- * large to fit in memory, you need to:
- *
- * - call \c mbedtls_chachapoly_starts() and (if needed)
- * \c mbedtls_chachapoly_update_aad() as above,
- * - call \c mbedtls_chachapoly_update() multiple times and
- * ensure its output (the plaintext) is NOT used in any other
- * way than placing it in temporary storage at this point,
- * - call \c mbedtls_chachapoly_finish() to compute the
- * authentication tag and compared it in constant time to the
- * tag received with the ciphertext.
- *
- * If the tags are not equal, you must immediately discard
- * all previous outputs of \c mbedtls_chachapoly_update(),
- * otherwise you can now safely use the plaintext.
- *
- * \param ctx The ChachaPoly context to initialize. Must not be \c NULL.
- */
-void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx);
-
-/**
- * \brief This function releases and clears the specified
- * ChaCha20-Poly1305 context.
- *
- * \param ctx The ChachaPoly context to clear. This may be \c NULL, in which
- * case this function is a no-op.
- */
-void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx);
-
-/**
- * \brief This function sets the ChaCha20-Poly1305
- * symmetric encryption key.
- *
- * \param ctx The ChaCha20-Poly1305 context to which the key should be
- * bound. This must be initialized.
- * \param key The \c 256 Bit (\c 32 Bytes) key.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
- const unsigned char key[32]);
-
-/**
- * \brief This function starts a ChaCha20-Poly1305 encryption or
- * decryption operation.
- *
- * \warning You must never use the same nonce twice with the same key.
- * This would void any confidentiality and authenticity
- * guarantees for the messages encrypted with the same nonce
- * and key.
- *
- * \note If the context is being used for AAD only (no data to
- * encrypt or decrypt) then \p mode can be set to any value.
- *
- * \warning Decryption with the piecewise API is discouraged, see the
- * warning on \c mbedtls_chachapoly_init().
- *
- * \param ctx The ChaCha20-Poly1305 context. This must be initialized
- * and bound to a key.
- * \param nonce The nonce/IV to use for the message.
- * This must be a readable buffer of length \c 12 Bytes.
- * \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
- * #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
- const unsigned char nonce[12],
- mbedtls_chachapoly_mode_t mode);
-
-/**
- * \brief This function feeds additional data to be authenticated
- * into an ongoing ChaCha20-Poly1305 operation.
- *
- * The Additional Authenticated Data (AAD), also called
- * Associated Data (AD) is only authenticated but not
- * encrypted nor included in the encrypted output. It is
- * usually transmitted separately from the ciphertext or
- * computed locally by each party.
- *
- * \note This function is called before data is encrypted/decrypted.
- * I.e. call this function to process the AAD before calling
- * \c mbedtls_chachapoly_update().
- *
- * You may call this function multiple times to process
- * an arbitrary amount of AAD. It is permitted to call
- * this function 0 times, if no AAD is used.
- *
- * This function cannot be called any more if data has
- * been processed by \c mbedtls_chachapoly_update(),
- * or if the context has been finished.
- *
- * \warning Decryption with the piecewise API is discouraged, see the
- * warning on \c mbedtls_chachapoly_init().
- *
- * \param ctx The ChaCha20-Poly1305 context. This must be initialized
- * and bound to a key.
- * \param aad_len The length in Bytes of the AAD. The length has no
- * restrictions.
- * \param aad Buffer containing the AAD.
- * This pointer can be \c NULL if `aad_len == 0`.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if \p ctx or \p aad are NULL.
- * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
- * if the operations has not been started or has been
- * finished, or if the AAD has been finished.
- */
-int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
- const unsigned char *aad,
- size_t aad_len);
-
-/**
- * \brief Thus function feeds data to be encrypted or decrypted
- * into an on-going ChaCha20-Poly1305
- * operation.
- *
- * The direction (encryption or decryption) depends on the
- * mode that was given when calling
- * \c mbedtls_chachapoly_starts().
- *
- * You may call this function multiple times to process
- * an arbitrary amount of data. It is permitted to call
- * this function 0 times, if no data is to be encrypted
- * or decrypted.
- *
- * \warning Decryption with the piecewise API is discouraged, see the
- * warning on \c mbedtls_chachapoly_init().
- *
- * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
- * \param len The length (in bytes) of the data to encrypt or decrypt.
- * \param input The buffer containing the data to encrypt or decrypt.
- * This pointer can be \c NULL if `len == 0`.
- * \param output The buffer to where the encrypted or decrypted data is
- * written. This must be able to hold \p len bytes.
- * This pointer can be \c NULL if `len == 0`.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
- * if the operation has not been started or has been
- * finished.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
- size_t len,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function finished the ChaCha20-Poly1305 operation and
- * generates the MAC (authentication tag).
- *
- * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
- * \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
- *
- * \warning Decryption with the piecewise API is discouraged, see the
- * warning on \c mbedtls_chachapoly_init().
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
- * if the operation has not been started or has been
- * finished.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
- unsigned char mac[16]);
-
-/**
- * \brief This function performs a complete ChaCha20-Poly1305
- * authenticated encryption with the previously-set key.
- *
- * \note Before using this function, you must set the key with
- * \c mbedtls_chachapoly_setkey().
- *
- * \warning You must never use the same nonce twice with the same key.
- * This would void any confidentiality and authenticity
- * guarantees for the messages encrypted with the same nonce
- * and key.
- *
- * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
- * This must be initialized.
- * \param length The length (in bytes) of the data to encrypt or decrypt.
- * \param nonce The 96-bit (12 bytes) nonce/IV to use.
- * \param aad The buffer containing the additional authenticated
- * data (AAD). This pointer can be \c NULL if `aad_len == 0`.
- * \param aad_len The length (in bytes) of the AAD data to process.
- * \param input The buffer containing the data to encrypt or decrypt.
- * This pointer can be \c NULL if `ilen == 0`.
- * \param output The buffer to where the encrypted or decrypted data
- * is written. This pointer can be \c NULL if `ilen == 0`.
- * \param tag The buffer to where the computed 128-bit (16 bytes) MAC
- * is written. This must not be \c NULL.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
- size_t length,
- const unsigned char nonce[12],
- const unsigned char *aad,
- size_t aad_len,
- const unsigned char *input,
- unsigned char *output,
- unsigned char tag[16]);
-
-/**
- * \brief This function performs a complete ChaCha20-Poly1305
- * authenticated decryption with the previously-set key.
- *
- * \note Before using this function, you must set the key with
- * \c mbedtls_chachapoly_setkey().
- *
- * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
- * \param length The length (in Bytes) of the data to decrypt.
- * \param nonce The \c 96 Bit (\c 12 bytes) nonce/IV to use.
- * \param aad The buffer containing the additional authenticated data (AAD).
- * This pointer can be \c NULL if `aad_len == 0`.
- * \param aad_len The length (in bytes) of the AAD data to process.
- * \param tag The buffer holding the authentication tag.
- * This must be a readable buffer of length \c 16 Bytes.
- * \param input The buffer containing the data to decrypt.
- * This pointer can be \c NULL if `ilen == 0`.
- * \param output The buffer to where the decrypted data is written.
- * This pointer can be \c NULL if `ilen == 0`.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
- * if the data was not authentic.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
- size_t length,
- const unsigned char nonce[12],
- const unsigned char *aad,
- size_t aad_len,
- const unsigned char tag[16],
- const unsigned char *input,
- unsigned char *output);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief The ChaCha20-Poly1305 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_chachapoly_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 2e3ffc2..178bd39 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -2,28 +2,30 @@
* \file check_config.h
*
* \brief Consistency checks for configuration options
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * This header is included automatically by all public Mbed TLS headers
+ * (via mbedtls/build_info.h). Do not include it directly in a configuration
+ * file such as mbedtls/mbedtls_config.h or #MBEDTLS_USER_CONFIG_FILE!
+ * It would run at the wrong time due to missing derived symbols.
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CHECK_CONFIG_H
#define MBEDTLS_CHECK_CONFIG_H
/* *INDENT-OFF* */
+
+#if !defined(MBEDTLS_CONFIG_IS_FINALIZED)
+#warning "Do not include mbedtls/check_config.h manually! " \
+ "This may cause spurious errors. " \
+ "It is included automatically at the right point since Mbed TLS 3.0."
+#endif /* !MBEDTLS_CONFIG_IS_FINALIZED */
+
/*
* We assume CHAR_BIT is 8 in many places. In practice, this is true on our
* target platforms, so not an issue, but let's just be extra sure.
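Review bot: The new `MBEDTLS_CONFIG_IS_FINALIZED` guard only emits `#warning`, so a build without warnings-as-errors still evaluates every check below before the derived symbols exist. The header comment added in this same hunk says that is the wrong time to run them. If a hard stop is acceptable, `#error "Do not include mbedtls/check_config.h manually!"` would make the misuse impossible to overlook. If the warning is deliberate, presumably to keep existing configurations building, a short comment above the `#if` saying so would stop a later reader from tightening it by accident.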
@@ -39,18 +41,8 @@
#if !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_C is required on Windows"
#endif
-
-/* Fix the config here. Not convenient to put an #ifdef _WIN32 in mbedtls_config.h as
- * it would confuse config.py. */
-#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
- !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
-#define MBEDTLS_PLATFORM_SNPRINTF_ALT
-#endif
-
-#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
- !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
-#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
-#endif
+/* See auto-enabling SNPRINTF_ALT and VSNPRINTF_ALT
+ * in * config_adjust_legacy_crypto.h */
#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
#if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C)
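Review bot: The replacement comment has a stray `*` in the middle of its second line (`in * config_adjust_legacy_crypto.h`), which looks like a leftover from re-wrapping. It is also the only remaining pointer to where `MBEDTLS_PLATFORM_SNPRINTF_ALT` and `MBEDTLS_PLATFORM_VSNPRINTF_ALT` are now forced on for these toolchains, so it should read cleanly, for example `/* SNPRINTF_ALT and VSNPRINTF_ALT are auto-enabled for these toolchains` followed by ` * in config_adjust_legacy_crypto.h. */`. The enclosing `#if` starts outside this hunk.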
@@ -66,65 +58,6 @@
#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
#endif
-/* Check that each MBEDTLS_ECP_DP_xxx symbol has its PSA_WANT_ECC_xxx counterpart
- * when PSA crypto is enabled. */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) || defined(MBEDTLS_PSA_CRYPTO_C)
-
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-#error "MBEDTLS_ECP_DP_BP256R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-#error "MBEDTLS_ECP_DP_BP384R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-#error "MBEDTLS_ECP_DP_BP512R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_255)
-#error "MBEDTLS_ECP_DP_CURVE25519_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) && !defined(PSA_WANT_ECC_MONTGOMERY_448)
-#error "MBEDTLS_ECP_DP_CURVE448_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_192)
-#error "MBEDTLS_ECP_DP_SECP192R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_224)
-#error "MBEDTLS_ECP_DP_SECP224R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_256)
-#error "MBEDTLS_ECP_DP_SECP256R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_384)
-#error "MBEDTLS_ECP_DP_SECP384R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && !defined(PSA_WANT_ECC_SECP_R1_521)
-#error "MBEDTLS_ECP_DP_SECP521R1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_192)
-#error "MBEDTLS_ECP_DP_SECP192K1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-/* SECP224K1 is buggy in PSA API so we skip this check */
-#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_224)
-#error "MBEDTLS_ECP_DP_SECP224K1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && !defined(PSA_WANT_ECC_SECP_K1_256)
-#error "MBEDTLS_ECP_DP_SECP256K1_ENABLED defined, but not its PSA counterpart"
-#endif
-
-#endif /* MBEDTLS_PSA_CRYPTO_CONFIG || MBEDTLS_PSA_CRYPTO_C */
-
/* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`,
* `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have
* all 4 of them.
@@ -165,7 +98,9 @@
#endif /* not all curves accelerated */
#endif /* some curve accelerated */
-#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_C) && !(defined(MBEDTLS_AES_C) || \
+ (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_KEY_TYPE_AES) && \
+ defined(PSA_WANT_ALG_ECB_NO_PADDING)))
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
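Review bot: The `MBEDTLS_CTR_DRBG_C` check now accepts two different providers, but the message is still the generic "not all prerequisites". Since this guards the DRBG, a user who trips it should be told what satisfies it. For example: `#error "MBEDTLS_CTR_DRBG_C requires MBEDTLS_AES_C, or MBEDTLS_PSA_CRYPTO_CLIENT with PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING"`.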
@@ -183,6 +118,36 @@
#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) && defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_NO_PADDING cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_ALG_CBC_PKCS7)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_PKCS7 cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_ECB_NO_PADDING cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_KEY_TYPE_DES cannot be defined simultaneously"
+#endif
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_CBC cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_XTS cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_DES_C)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_DES_C cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_NIST_KW_C cannot be defined simultaneously"
+#endif
+#endif
+
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
#endif
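Review bot: The two new `MBEDTLS_BLOCK_CIPHER_NO_DECRYPT` blocks each close with a bare `#endif`, whereas the other multi-line groups in this file label theirs. I would write `#endif /* MBEDTLS_BLOCK_CIPHER_NO_DECRYPT && MBEDTLS_PSA_CRYPTO_CONFIG */` and `#endif /* MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */`. The first block also checks the `PSA_WANT_*` conflicts only when `MBEDTLS_PSA_CRYPTO_CONFIG` is defined, and the reason is not stated. A one-line comment above it explaining why the PSA symbols are not checked otherwise would make it clear the gap is intentional.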
@@ -205,9 +170,17 @@
#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_ECJPAKE_C) && \
- ( !defined(MBEDTLS_ECP_C) || \
- !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) )
+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_ASN1_WRITE_C)
+#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_WRITE_C for ECDSA signature"
+#endif
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_PARSE_C for ECDSA verification"
+#endif
+#endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_ECJPAKE_C) && \
+ !defined(MBEDTLS_ECP_C)
#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
#endif
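Review bot: The rewritten `MBEDTLS_ECJPAKE_C` check keeps only the `MBEDTLS_ECP_C` requirement and drops the old `MBEDTLS_MD_C`-or-`MBEDTLS_PSA_CRYPTO_C` alternative. Nothing in this hunk shows where a hash provider for EC J-PAKE is now guaranteed. If it is enforced or auto-enabled in another header, a short comment above this `#if` naming that place would document the dependency. Otherwise a configuration with no hash provider would presumably fail later with a less helpful compile or link error. With a single remaining term, the condition also fits on one line: `#if defined(MBEDTLS_ECJPAKE_C) && !defined(MBEDTLS_ECP_C)`.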
@@ -216,9 +189,7 @@
defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT) || \
defined(MBEDTLS_ECDSA_SIGN_ALT) || \
defined(MBEDTLS_ECDSA_VERIFY_ALT) || \
- defined(MBEDTLS_ECDSA_GENKEY_ALT) || \
- defined(MBEDTLS_ECP_INTERNAL_ALT) || \
- defined(MBEDTLS_ECP_ALT) )
+ defined(MBEDTLS_ECDSA_GENKEY_ALT) )
#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
#endif
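Review bot: After this change the `MBEDTLS_ECP_RESTARTABLE` conflict list contains only ECDH and ECDSA alternatives, but the message still says "cannot coexist with an alternative ECP implementation". It could read `#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECDH or ECDSA implementation"`. If `MBEDTLS_ECP_ALT` or `MBEDTLS_ECP_INTERNAL_ALT` can still be set in a configuration, that combination is no longer rejected here. That cannot be confirmed from this hunk, because the `#if` opens outside it.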
@@ -248,36 +219,8 @@
#error "MBEDTLS_ECP_C defined (or a subset enabled), but not all prerequisites"
#endif
-#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
-#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_CIPHER_C)
-#error "MBEDTLS_PKCS12_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PKCS5_C) && \
- !defined(MBEDTLS_CIPHER_C)
-#error "MBEDTLS_PKCS5_C defined, but not all prerequisites"
-#endif
-
-/* Helpers for hash dependencies, will be undefined at the end of the file */
-/* Do SHA-256, 384, 512 to cover Entropy and TLS. */
-#if defined(MBEDTLS_SHA256_C) || \
- (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256))
-#define MBEDTLS_MD_HAVE_SHA256
-#endif
-#if defined(MBEDTLS_SHA384_C) || \
- (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384))
-#define MBEDTLS_MD_HAVE_SHA384
-#endif
-#if defined(MBEDTLS_SHA512_C) || \
- (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512))
-#define MBEDTLS_MD_HAVE_SHA512
-#endif
-
#if defined(MBEDTLS_ENTROPY_C) && \
- !(defined(MBEDTLS_MD_HAVE_SHA512) || defined(MBEDTLS_MD_HAVE_SHA256))
+ !(defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA256))
#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ENTROPY_C) && \
@@ -285,40 +228,34 @@
#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
#endif
#if defined(MBEDTLS_ENTROPY_C) && \
- (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_HAVE_SHA512)) \
+ (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_CAN_SHA512)) \
&& defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
#endif
#if defined(MBEDTLS_ENTROPY_C) && \
- defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_HAVE_SHA256)
+ defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_CAN_SHA256)
#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
-#define MBEDTLS_HAS_MEMSAN
+#define MBEDTLS_HAS_MEMSAN // #undef at the end of this paragraph
#endif
#endif
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN)
#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
#endif
-#undef MBEDTLS_HAS_MEMSAN
+#undef MBEDTLS_HAS_MEMSAN // temporary macro defined above
-#if defined(MBEDTLS_CCM_C) && ( \
- !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_CCM_C) && \
+ !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
+ defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
#error "MBEDTLS_CCM_C defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_CCM_C) && !defined(MBEDTLS_CIPHER_C)
-#error "MBEDTLS_CCM_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_GCM_C) && ( \
- !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
-#error "MBEDTLS_GCM_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CIPHER_C)
+#if defined(MBEDTLS_GCM_C) && \
+ !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
+ defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
#error "MBEDTLS_GCM_C defined, but not all prerequisites"
#endif
@@ -330,42 +267,6 @@
#error "MBEDTLS_CHACHAPOLY_C defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
-#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
-#endif
-
#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
#endif
@@ -374,28 +275,6 @@
#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
#endif
-/* Helper for JPAKE dependencies, will be undefined at the end of the file */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(PSA_WANT_ALG_JPAKE) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define MBEDTLS_PK_HAVE_JPAKE
-#endif
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_ECJPAKE_C)
-#define MBEDTLS_PK_HAVE_JPAKE
-#endif
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/* Helper for curve SECP256R1 */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(PSA_WANT_ECC_SECP_R1_256)
-#define MBEDTLS_PK_HAVE_CURVE_SECP256R1
-#endif
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-#define MBEDTLS_PK_HAVE_CURVE_SECP256R1
-#endif
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \
( !defined(MBEDTLS_CAN_ECDH) || \
!defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || \
@@ -449,47 +328,52 @@
#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
- ( !defined(MBEDTLS_PK_HAVE_JPAKE) || \
- !defined(MBEDTLS_PK_HAVE_CURVE_SECP256R1) )
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ ( !defined(PSA_WANT_ALG_JPAKE) || \
+ !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ !defined(PSA_WANT_ECC_SECP_R1_256) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ ( !defined(MBEDTLS_ECJPAKE_C) || \
+ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Use of EC J-PAKE in TLS requires SHA-256. */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
- !defined(MBEDTLS_MD_HAVE_SHA256)
+ !defined(MBEDTLS_MD_CAN_SHA256)
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
- !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
- ( !defined(MBEDTLS_SHA256_C) && \
- !defined(MBEDTLS_SHA512_C) && \
- !defined(MBEDTLS_SHA1_C) )
-#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C"
-#endif
-
-#if defined(MBEDTLS_MD_C) && !( \
- defined(MBEDTLS_MD5_C) || \
- defined(MBEDTLS_RIPEMD160_C) || \
- defined(MBEDTLS_SHA1_C) || \
- defined(MBEDTLS_SHA224_C) || \
- defined(MBEDTLS_SHA256_C) || \
- defined(MBEDTLS_SHA384_C) || \
- defined(MBEDTLS_SHA512_C) || \
- (defined(MBEDTLS_PSA_CRYPTO_C) && \
- (defined(PSA_WANT_ALG_MD5) || \
- defined(PSA_WANT_ALG_RIPEMD160) || \
- defined(PSA_WANT_ALG_SHA_1) || \
- defined(PSA_WANT_ALG_SHA_224) || \
- defined(PSA_WANT_ALG_SHA_256) || \
- defined(PSA_WANT_ALG_SHA_384) || \
- defined(PSA_WANT_ALG_SHA_512))))
-#error "MBEDTLS_MD_C defined, but not all prerequisites"
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
+ !defined(MBEDTLS_MD_CAN_SHA256) && \
+ !defined(MBEDTLS_MD_CAN_SHA512) && \
+ !defined(MBEDTLS_MD_CAN_SHA1)
+#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires SHA-512, SHA-256 or SHA-1".
+#endif
+
+#if defined(MBEDTLS_MD_C) && \
+ !defined(MBEDTLS_MD_CAN_MD5) && \
+ !defined(MBEDTLS_MD_CAN_RIPEMD160) && \
+ !defined(MBEDTLS_MD_CAN_SHA1) && \
+ !defined(MBEDTLS_MD_CAN_SHA224) && \
+ !defined(MBEDTLS_MD_CAN_SHA256) && \
+ !defined(MBEDTLS_MD_CAN_SHA384) && \
+ !defined(MBEDTLS_MD_CAN_SHA512) && \
+ !defined(MBEDTLS_MD_CAN_SHA3_224) && \
+ !defined(MBEDTLS_MD_CAN_SHA3_256) && \
+ !defined(MBEDTLS_MD_CAN_SHA3_384) && \
+ !defined(MBEDTLS_MD_CAN_SHA3_512)
+#error "MBEDTLS_MD_C defined, but no hash algorithm"
#endif
#if defined(MBEDTLS_LMS_C) && \
- ! ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) )
+ ! ( defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256) )
#error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
#endif
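Review bot: The `MBEDTLS_LMS_C` condition now tests `MBEDTLS_PSA_CRYPTO_CLIENT`, but its message still names `MBEDTLS_PSA_CRYPTO_C`, so a user who hits it is pointed at a different option from the one being checked. `#error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_CLIENT and PSA_WANT_ALG_SHA_256"` would match the test. In the same hunk, the new `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` message ends with a `.` outside the closing quote (`...SHA-256 or SHA-1".`). That leaves a stray token on the directive line and should be dropped or moved inside the string.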
@@ -524,11 +408,17 @@
#error "MBEDTLS_PK_C defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
+#if defined(MBEDTLS_PK_PARSE_C) && \
+ (!defined(MBEDTLS_ASN1_PARSE_C) || \
+ !defined(MBEDTLS_OID_C) || \
+ !defined(MBEDTLS_PK_C))
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
+#if defined(MBEDTLS_PK_WRITE_C) && \
+ (!defined(MBEDTLS_ASN1_WRITE_C) || \
+ !defined(MBEDTLS_OID_C) || \
+ !defined(MBEDTLS_PK_C))
#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
#endif
@@ -766,7 +656,8 @@
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
#endif
-#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C )
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_HAVE_SOFT_BLOCK_MODE) && \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER) && !defined(MBEDTLS_CIPHER_C)
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
#endif
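Review bot: The new condition only fires when `PSA_HAVE_SOFT_BLOCK_MODE` and `PSA_HAVE_SOFT_BLOCK_CIPHER` are both already defined, so if those helper macros are computed after this header is processed, the check passes without testing anything. Where they are set is not visible in this hunk. A comment above the guard would record the ordering requirement, e.g. `/* PSA_HAVE_SOFT_BLOCK_* are derived config macros; they must be defined before this file is included. */`. Requiring both macros means a build with only one of them set skips the MBEDTLS_CIPHER_C requirement, which looks intended but is worth stating in the same comment.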
@@ -849,25 +740,24 @@
#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
#endif
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
- defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-#error "Must only define one of MBEDTLS_SHA256_USE_A64_CRYPTO_*"
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
#endif
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
#if !defined(MBEDTLS_SHA256_C)
-#error "MBEDTLS_SHA256_USE_A64_CRYPTO_* defined without MBEDTLS_SHA256_C"
+#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C"
#endif
#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT)
-#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*"
+#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
#endif
#endif
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && \
- !defined(__aarch64__) && !defined(_M_ARM64)
-#error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY defined on non-Armv8-A system"
#endif
/* TLS 1.3 requires separate HKDF parts from PSA,
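Review bot: After the rename, nothing in this hunk tests the old `MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT` / `MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY` names. A configuration that still sets them gets none of these consistency checks unless the old names are translated to the new ones before this header is included, which is not visible here. If such a translation exists, a one-line comment pointing to it would help, e.g. `/* Legacy MBEDTLS_SHA256_USE_A64_CRYPTO_* names are mapped to the ARMV8_A names in <header>. */`. The `_ONLY` guard also now depends on `MBEDTLS_ARCH_IS_ARMV8_A` being defined earlier, though a missing definition there fails the build rather than passing silently.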
@@ -877,7 +767,7 @@
* Note: for dependencies common with TLS 1.2 (running handshake hash),
* see MBEDTLS_SSL_TLS_C. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- !(defined(MBEDTLS_PSA_CRYPTO_C) && \
+ !(defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
defined(PSA_WANT_ALG_HKDF_EXPAND) && \
(defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384)))
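Review bot: The guard now accepts `MBEDTLS_PSA_CRYPTO_CLIENT` in place of `MBEDTLS_PSA_CRYPTO_C`, but its `#error` text lies outside this hunk and may still name the old option. The same substitution in the MBEDTLS_LMS_C check earlier in this file left the message as `"MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"`, which no longer matches the condition and should read `MBEDTLS_PSA_CRYPTO_CLIENT`. The MBEDTLS_USE_PSA_CRYPTO check (`@@ -1059,22 +950,20 @@`) is relaxed the same way. In a client-only build these checks presumably confirm only that HKDF and SHA-2 are requested through `PSA_WANT_*`, not that the crypto provider implements them, so a short comment saying that an absent algorithm surfaces at run time would help integrators.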
@@ -948,7 +838,8 @@
#error "MBEDTLS_SSL_ASYNC_PRIVATE defined, but not all prerequisites"
#endif
-#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_CIPHER_C)
+#if defined(MBEDTLS_SSL_TLS_C) && !(defined(MBEDTLS_CIPHER_C) || \
+ defined(MBEDTLS_USE_PSA_CRYPTO))
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
#endif
@@ -960,7 +851,7 @@
#endif
#else /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_MD_C) || \
- !(defined(MBEDTLS_MD_HAVE_SHA256) || defined(MBEDTLS_MD_HAVE_SHA384))
+ !(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA384))
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -1059,22 +950,20 @@
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
#endif
-#define MBEDTLS_THREADING_IMPL
+#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph
#endif
-
#if defined(MBEDTLS_THREADING_ALT)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
#endif
-#define MBEDTLS_THREADING_IMPL
+#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph
#endif
-
#if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_C defined, single threading implementation required"
#endif
-#undef MBEDTLS_THREADING_IMPL
+#undef MBEDTLS_THREADING_IMPL // temporary macro defined above
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites"
#endif
@@ -1203,13 +1092,6 @@
#error "MBEDTLS_PKCS7_C is defined, but not all prerequisites"
#endif
-/* Undefine helper symbols */
-#undef MBEDTLS_PK_HAVE_JPAKE
-#undef MBEDTLS_MD_HAVE_SHA256
-#undef MBEDTLS_MD_HAVE_SHA384
-#undef MBEDTLS_MD_HAVE_SHA512
-#undef MBEDTLS_PK_HAVE_CURVE_SECP256R1
-
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
deleted file mode 100644
index 9c8701d..0000000
--- a/include/mbedtls/cipher.h
+++ /dev/null
@@ -1,1195 +0,0 @@
-/**
- * \file cipher.h
- *
- * \brief This file contains an abstraction interface for use with the cipher
- * primitives provided by the library. It provides a common interface to all of
- * the available cipher operations.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CIPHER_H
-#define MBEDTLS_CIPHER_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include "mbedtls/platform_util.h"
-
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
-#define MBEDTLS_CIPHER_MODE_AEAD
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-#define MBEDTLS_CIPHER_MODE_WITH_PADDING
-#endif
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
- defined(MBEDTLS_CHACHA20_C)
-#define MBEDTLS_CIPHER_MODE_STREAM
-#endif
-
-/** The selected feature is not available. */
-#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080
-/** Bad input parameters. */
-#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100
-/** Failed to allocate memory. */
-#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180
-/** Input data contains invalid padding and is rejected. */
-#define MBEDTLS_ERR_CIPHER_INVALID_PADDING -0x6200
-/** Decryption of block requires a full block. */
-#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280
-/** Authentication failed (for AEAD modes). */
-#define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300
-/** The context is invalid. For example, because it was freed. */
-#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380
-
-#define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length. */
-#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length. */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Supported cipher types.
- *
- * \warning DES/3DES are considered weak ciphers and their use
- * constitutes a security risk. We recommend considering stronger
- * ciphers instead.
- */
-typedef enum {
- MBEDTLS_CIPHER_ID_NONE = 0, /**< Placeholder to mark the end of cipher ID lists. */
- MBEDTLS_CIPHER_ID_NULL, /**< The identity cipher, treated as a stream cipher. */
- MBEDTLS_CIPHER_ID_AES, /**< The AES cipher. */
- MBEDTLS_CIPHER_ID_DES, /**< The DES cipher. \warning DES is considered weak. */
- MBEDTLS_CIPHER_ID_3DES, /**< The Triple DES cipher. \warning 3DES is considered weak. */
- MBEDTLS_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
- MBEDTLS_CIPHER_ID_ARIA, /**< The Aria cipher. */
- MBEDTLS_CIPHER_ID_CHACHA20, /**< The ChaCha20 cipher. */
-} mbedtls_cipher_id_t;
-
-/**
- * \brief Supported {cipher type, cipher mode} pairs.
- *
- * \warning DES/3DES are considered weak ciphers and their use
- * constitutes a security risk. We recommend considering stronger
- * ciphers instead.
- */
-typedef enum {
- MBEDTLS_CIPHER_NONE = 0, /**< Placeholder to mark the end of cipher-pair lists. */
- MBEDTLS_CIPHER_NULL, /**< The identity stream cipher. */
- MBEDTLS_CIPHER_AES_128_ECB, /**< AES cipher with 128-bit ECB mode. */
- MBEDTLS_CIPHER_AES_192_ECB, /**< AES cipher with 192-bit ECB mode. */
- MBEDTLS_CIPHER_AES_256_ECB, /**< AES cipher with 256-bit ECB mode. */
- MBEDTLS_CIPHER_AES_128_CBC, /**< AES cipher with 128-bit CBC mode. */
- MBEDTLS_CIPHER_AES_192_CBC, /**< AES cipher with 192-bit CBC mode. */
- MBEDTLS_CIPHER_AES_256_CBC, /**< AES cipher with 256-bit CBC mode. */
- MBEDTLS_CIPHER_AES_128_CFB128, /**< AES cipher with 128-bit CFB128 mode. */
- MBEDTLS_CIPHER_AES_192_CFB128, /**< AES cipher with 192-bit CFB128 mode. */
- MBEDTLS_CIPHER_AES_256_CFB128, /**< AES cipher with 256-bit CFB128 mode. */
- MBEDTLS_CIPHER_AES_128_CTR, /**< AES cipher with 128-bit CTR mode. */
- MBEDTLS_CIPHER_AES_192_CTR, /**< AES cipher with 192-bit CTR mode. */
- MBEDTLS_CIPHER_AES_256_CTR, /**< AES cipher with 256-bit CTR mode. */
- MBEDTLS_CIPHER_AES_128_GCM, /**< AES cipher with 128-bit GCM mode. */
- MBEDTLS_CIPHER_AES_192_GCM, /**< AES cipher with 192-bit GCM mode. */
- MBEDTLS_CIPHER_AES_256_GCM, /**< AES cipher with 256-bit GCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_ECB, /**< Camellia cipher with 128-bit ECB mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_ECB, /**< Camellia cipher with 192-bit ECB mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_ECB, /**< Camellia cipher with 256-bit ECB mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, /**< Camellia cipher with 128-bit CBC mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_CBC, /**< Camellia cipher with 192-bit CBC mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, /**< Camellia cipher with 256-bit CBC mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_CFB128, /**< Camellia cipher with 128-bit CFB128 mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_CFB128, /**< Camellia cipher with 192-bit CFB128 mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_CFB128, /**< Camellia cipher with 256-bit CFB128 mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_CTR, /**< Camellia cipher with 128-bit CTR mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_CTR, /**< Camellia cipher with 192-bit CTR mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_CTR, /**< Camellia cipher with 256-bit CTR mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, /**< Camellia cipher with 128-bit GCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_GCM, /**< Camellia cipher with 192-bit GCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, /**< Camellia cipher with 256-bit GCM mode. */
- MBEDTLS_CIPHER_DES_ECB, /**< DES cipher with ECB mode. \warning DES is considered weak. */
- MBEDTLS_CIPHER_DES_CBC, /**< DES cipher with CBC mode. \warning DES is considered weak. */
- MBEDTLS_CIPHER_DES_EDE_ECB, /**< DES cipher with EDE ECB mode. \warning 3DES is considered weak. */
- MBEDTLS_CIPHER_DES_EDE_CBC, /**< DES cipher with EDE CBC mode. \warning 3DES is considered weak. */
- MBEDTLS_CIPHER_DES_EDE3_ECB, /**< DES cipher with EDE3 ECB mode. \warning 3DES is considered weak. */
- MBEDTLS_CIPHER_DES_EDE3_CBC, /**< DES cipher with EDE3 CBC mode. \warning 3DES is considered weak. */
- MBEDTLS_CIPHER_AES_128_CCM, /**< AES cipher with 128-bit CCM mode. */
- MBEDTLS_CIPHER_AES_192_CCM, /**< AES cipher with 192-bit CCM mode. */
- MBEDTLS_CIPHER_AES_256_CCM, /**< AES cipher with 256-bit CCM mode. */
- MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */
- MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_ARIA_128_ECB, /**< Aria cipher with 128-bit key and ECB mode. */
- MBEDTLS_CIPHER_ARIA_192_ECB, /**< Aria cipher with 192-bit key and ECB mode. */
- MBEDTLS_CIPHER_ARIA_256_ECB, /**< Aria cipher with 256-bit key and ECB mode. */
- MBEDTLS_CIPHER_ARIA_128_CBC, /**< Aria cipher with 128-bit key and CBC mode. */
- MBEDTLS_CIPHER_ARIA_192_CBC, /**< Aria cipher with 192-bit key and CBC mode. */
- MBEDTLS_CIPHER_ARIA_256_CBC, /**< Aria cipher with 256-bit key and CBC mode. */
- MBEDTLS_CIPHER_ARIA_128_CFB128, /**< Aria cipher with 128-bit key and CFB-128 mode. */
- MBEDTLS_CIPHER_ARIA_192_CFB128, /**< Aria cipher with 192-bit key and CFB-128 mode. */
- MBEDTLS_CIPHER_ARIA_256_CFB128, /**< Aria cipher with 256-bit key and CFB-128 mode. */
- MBEDTLS_CIPHER_ARIA_128_CTR, /**< Aria cipher with 128-bit key and CTR mode. */
- MBEDTLS_CIPHER_ARIA_192_CTR, /**< Aria cipher with 192-bit key and CTR mode. */
- MBEDTLS_CIPHER_ARIA_256_CTR, /**< Aria cipher with 256-bit key and CTR mode. */
- MBEDTLS_CIPHER_ARIA_128_GCM, /**< Aria cipher with 128-bit key and GCM mode. */
- MBEDTLS_CIPHER_ARIA_192_GCM, /**< Aria cipher with 192-bit key and GCM mode. */
- MBEDTLS_CIPHER_ARIA_256_GCM, /**< Aria cipher with 256-bit key and GCM mode. */
- MBEDTLS_CIPHER_ARIA_128_CCM, /**< Aria cipher with 128-bit key and CCM mode. */
- MBEDTLS_CIPHER_ARIA_192_CCM, /**< Aria cipher with 192-bit key and CCM mode. */
- MBEDTLS_CIPHER_ARIA_256_CCM, /**< Aria cipher with 256-bit key and CCM mode. */
- MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
- MBEDTLS_CIPHER_AES_128_OFB, /**< AES 128-bit cipher in OFB mode. */
- MBEDTLS_CIPHER_AES_192_OFB, /**< AES 192-bit cipher in OFB mode. */
- MBEDTLS_CIPHER_AES_256_OFB, /**< AES 256-bit cipher in OFB mode. */
- MBEDTLS_CIPHER_AES_128_XTS, /**< AES 128-bit cipher in XTS block mode. */
- MBEDTLS_CIPHER_AES_256_XTS, /**< AES 256-bit cipher in XTS block mode. */
- MBEDTLS_CIPHER_CHACHA20, /**< ChaCha20 stream cipher. */
- MBEDTLS_CIPHER_CHACHA20_POLY1305, /**< ChaCha20-Poly1305 AEAD cipher. */
- MBEDTLS_CIPHER_AES_128_KW, /**< AES cipher with 128-bit NIST KW mode. */
- MBEDTLS_CIPHER_AES_192_KW, /**< AES cipher with 192-bit NIST KW mode. */
- MBEDTLS_CIPHER_AES_256_KW, /**< AES cipher with 256-bit NIST KW mode. */
- MBEDTLS_CIPHER_AES_128_KWP, /**< AES cipher with 128-bit NIST KWP mode. */
- MBEDTLS_CIPHER_AES_192_KWP, /**< AES cipher with 192-bit NIST KWP mode. */
- MBEDTLS_CIPHER_AES_256_KWP, /**< AES cipher with 256-bit NIST KWP mode. */
-} mbedtls_cipher_type_t;
-
-/** Supported cipher modes. */
-typedef enum {
- MBEDTLS_MODE_NONE = 0, /**< None. */
- MBEDTLS_MODE_ECB, /**< The ECB cipher mode. */
- MBEDTLS_MODE_CBC, /**< The CBC cipher mode. */
- MBEDTLS_MODE_CFB, /**< The CFB cipher mode. */
- MBEDTLS_MODE_OFB, /**< The OFB cipher mode. */
- MBEDTLS_MODE_CTR, /**< The CTR cipher mode. */
- MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */
- MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */
- MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
- MBEDTLS_MODE_CCM_STAR_NO_TAG, /**< The CCM*-no-tag cipher mode. */
- MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */
- MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */
- MBEDTLS_MODE_KW, /**< The SP800-38F KW mode */
- MBEDTLS_MODE_KWP, /**< The SP800-38F KWP mode */
-} mbedtls_cipher_mode_t;
-
-/** Supported cipher padding types. */
-typedef enum {
- MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default). */
- MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding. */
- MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding. */
- MBEDTLS_PADDING_ZEROS, /**< Zero padding (not reversible). */
- MBEDTLS_PADDING_NONE, /**< Never pad (full blocks only). */
-} mbedtls_cipher_padding_t;
-
-/** Type of operation. */
-typedef enum {
- MBEDTLS_OPERATION_NONE = -1,
- MBEDTLS_DECRYPT = 0,
- MBEDTLS_ENCRYPT,
-} mbedtls_operation_t;
-
-enum {
- /** Undefined key length. */
- MBEDTLS_KEY_LENGTH_NONE = 0,
- /** Key length, in bits (including parity), for DES keys. \warning DES is considered weak. */
- MBEDTLS_KEY_LENGTH_DES = 64,
- /** Key length in bits, including parity, for DES in two-key EDE. \warning 3DES is considered weak. */
- MBEDTLS_KEY_LENGTH_DES_EDE = 128,
- /** Key length in bits, including parity, for DES in three-key EDE. \warning 3DES is considered weak. */
- MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
-};
-
-/** Maximum length of any IV, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
- * in library/ssl_misc.h. */
-#define MBEDTLS_MAX_IV_LENGTH 16
-
-/** Maximum block size of any cipher, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in library/ssl_misc.h. */
-#define MBEDTLS_MAX_BLOCK_LENGTH 16
-
-/** Maximum key length, in Bytes. */
-/* This should ideally be derived automatically from list of ciphers.
- * For now, only check whether XTS is enabled which uses 64 Byte keys,
- * and use 32 Bytes as an upper bound for the maximum key length otherwise.
- * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in library/ssl_misc.h, which however deliberately ignores the case of XTS
- * since the latter isn't used in SSL/TLS. */
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-#define MBEDTLS_MAX_KEY_LENGTH 64
-#else
-#define MBEDTLS_MAX_KEY_LENGTH 32
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-/**
- * Base cipher information (opaque struct).
- */
-typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
-
-/**
- * CMAC context (opaque struct).
- */
-typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
-
-/**
- * Cipher information. Allows calling cipher functions
- * in a generic way.
- *
- * \note The library does not support custom cipher info structures,
- * only built-in structures returned by the functions
- * mbedtls_cipher_info_from_string(),
- * mbedtls_cipher_info_from_type(),
- * mbedtls_cipher_info_from_values(),
- * mbedtls_cipher_info_from_psa().
- *
- * \note Some fields store a value that has been right-shifted to save
- * code-size, so should not be used directly. The accessor
- * functions adjust for this and return the "natural" value.
- */
-typedef struct mbedtls_cipher_info_t {
- /** Name of the cipher. */
- const char *MBEDTLS_PRIVATE(name);
-
- /** The block size, in bytes. */
- unsigned int MBEDTLS_PRIVATE(block_size) : 5;
-
- /** IV or nonce size, in bytes (right shifted by #MBEDTLS_IV_SIZE_SHIFT).
- * For ciphers that accept variable IV sizes,
- * this is the recommended size.
- */
- unsigned int MBEDTLS_PRIVATE(iv_size) : 3;
-
- /** The cipher key length, in bits (right shifted by #MBEDTLS_KEY_BITLEN_SHIFT).
- * This is the default length for variable sized ciphers.
- * Includes parity bits for ciphers like DES.
- */
- unsigned int MBEDTLS_PRIVATE(key_bitlen) : 4;
-
- /** The cipher mode (as per mbedtls_cipher_mode_t).
- * For example, MBEDTLS_MODE_CBC.
- */
- unsigned int MBEDTLS_PRIVATE(mode) : 4;
-
- /** Full cipher identifier (as per mbedtls_cipher_type_t).
- * For example, MBEDTLS_CIPHER_AES_256_CBC.
- *
- * This could be 7 bits, but 8 bits retains byte alignment for the
- * next field, which reduces code size to access that field.
- */
- unsigned int MBEDTLS_PRIVATE(type) : 8;
-
- /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
- * MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
- * cipher supports variable IV or variable key sizes, respectively.
- */
- unsigned int MBEDTLS_PRIVATE(flags) : 2;
-
- /** Index to LUT for base cipher information and functions. */
- unsigned int MBEDTLS_PRIVATE(base_idx) : 5;
-
-} mbedtls_cipher_info_t;
-
-/* For internal use only.
- * These are used to more compactly represent the fields above. */
-#define MBEDTLS_KEY_BITLEN_SHIFT 6
-#define MBEDTLS_IV_SIZE_SHIFT 2
-/**
- * Generic cipher context.
- */
-typedef struct mbedtls_cipher_context_t {
- /** Information about the associated cipher. */
- const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info);
-
- /** Key length to use. */
- int MBEDTLS_PRIVATE(key_bitlen);
-
- /** Operation that the key of the context has been
- * initialized for.
- */
- mbedtls_operation_t MBEDTLS_PRIVATE(operation);
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
- /** Padding functions to use, if relevant for
- * the specific cipher mode.
- */
- void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
- int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
-#endif
-
- /** Buffer for input that has not been processed yet. */
- unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH];
-
- /** Number of Bytes that have not been processed yet. */
- size_t MBEDTLS_PRIVATE(unprocessed_len);
-
- /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
- * for XTS-mode. */
- unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH];
-
- /** IV size in Bytes, for ciphers with variable-length IVs. */
- size_t MBEDTLS_PRIVATE(iv_size);
-
- /** The cipher-specific context. */
- void *MBEDTLS_PRIVATE(cipher_ctx);
-
-#if defined(MBEDTLS_CMAC_C)
- /** CMAC-specific context. */
- mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx);
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- /** Indicates whether the cipher operations should be performed
- * by Mbed TLS' own crypto library or an external implementation
- * of the PSA Crypto API.
- * This is unset if the cipher context was established through
- * mbedtls_cipher_setup(), and set if it was established through
- * mbedtls_cipher_setup_psa().
- */
- unsigned char MBEDTLS_PRIVATE(psa_enabled);
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-} mbedtls_cipher_context_t;
-
-/**
- * \brief This function retrieves the list of ciphers supported
- * by the generic cipher module.
- *
- * For any cipher identifier in the returned list, you can
- * obtain the corresponding generic cipher information structure
- * via mbedtls_cipher_info_from_type(), which can then be used
- * to prepare a cipher context via mbedtls_cipher_setup().
- *
- *
- * \return A statically-allocated array of cipher identifiers
- * of type cipher_type_t. The last entry is zero.
- */
-const int *mbedtls_cipher_list(void);
-
-/**
- * \brief This function retrieves the cipher-information
- * structure associated with the given cipher name.
- *
- * \param cipher_name Name of the cipher to search for. This must not be
- * \c NULL.
- *
- * \return The cipher information structure associated with the
- * given \p cipher_name.
- * \return \c NULL if the associated cipher information is not found.
- */
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name);
-
-/**
- * \brief This function retrieves the cipher-information
- * structure associated with the given cipher type.
- *
- * \param cipher_type Type of the cipher to search for.
- *
- * \return The cipher information structure associated with the
- * given \p cipher_type.
- * \return \c NULL if the associated cipher information is not found.
- */
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type);
-
-/**
- * \brief This function retrieves the cipher-information
- * structure associated with the given cipher ID,
- * key size and mode.
- *
- * \param cipher_id The ID of the cipher to search for. For example,
- * #MBEDTLS_CIPHER_ID_AES.
- * \param key_bitlen The length of the key in bits.
- * \param mode The cipher mode. For example, #MBEDTLS_MODE_CBC.
- *
- * \return The cipher information structure associated with the
- * given \p cipher_id.
- * \return \c NULL if the associated cipher information is not found.
- */
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,
- int key_bitlen,
- const mbedtls_cipher_mode_t mode);
-
-/**
- * \brief Retrieve the identifier for a cipher info structure.
- *
- * \param[in] info The cipher info structure to query.
- * This may be \c NULL.
- *
- * \return The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
- * \return #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
- */
-static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return MBEDTLS_CIPHER_NONE;
- } else {
- return (mbedtls_cipher_type_t) info->MBEDTLS_PRIVATE(type);
- }
-}
-
-/**
- * \brief Retrieve the operation mode for a cipher info structure.
- *
- * \param[in] info The cipher info structure to query.
- * This may be \c NULL.
- *
- * \return The cipher mode (\c MBEDTLS_MODE_xxx).
- * \return #MBEDTLS_MODE_NONE if \p info is \c NULL.
- */
-static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return MBEDTLS_MODE_NONE;
- } else {
- return (mbedtls_cipher_mode_t) info->MBEDTLS_PRIVATE(mode);
- }
-}
-
-/**
- * \brief Retrieve the key size for a cipher info structure.
- *
- * \param[in] info The cipher info structure to query.
- * This may be \c NULL.
- *
- * \return The key length in bits.
- * For variable-sized ciphers, this is the default length.
- * For DES, this includes the parity bits.
- * \return \c 0 if \p info is \c NULL.
- */
-static inline size_t mbedtls_cipher_info_get_key_bitlen(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return 0;
- } else {
- return info->MBEDTLS_PRIVATE(key_bitlen) << MBEDTLS_KEY_BITLEN_SHIFT;
- }
-}
-
-/**
- * \brief Retrieve the human-readable name for a
- * cipher info structure.
- *
- * \param[in] info The cipher info structure to query.
- * This may be \c NULL.
- *
- * \return The cipher name, which is a human readable string,
- * with static storage duration.
- * \return \c NULL if \p info is \c NULL.
- */
-static inline const char *mbedtls_cipher_info_get_name(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return NULL;
- } else {
- return info->MBEDTLS_PRIVATE(name);
- }
-}
-
-/**
- * \brief This function returns the size of the IV or nonce
- * for the cipher info structure, in bytes.
- *
- * \param info The cipher info structure. This may be \c NULL.
- *
- * \return The recommended IV size.
- * \return \c 0 for ciphers not using an IV or a nonce.
- * \return \c 0 if \p info is \c NULL.
- */
-static inline size_t mbedtls_cipher_info_get_iv_size(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return 0;
- }
-
- return ((size_t) info->MBEDTLS_PRIVATE(iv_size)) << MBEDTLS_IV_SIZE_SHIFT;
-}
-
-/**
- * \brief This function returns the block size of the given
- * cipher info structure in bytes.
- *
- * \param info The cipher info structure. This may be \c NULL.
- *
- * \return The block size of the cipher.
- * \return \c 1 if the cipher is a stream cipher.
- * \return \c 0 if \p info is \c NULL.
- */
-static inline size_t mbedtls_cipher_info_get_block_size(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return 0;
- }
-
- return (size_t) (info->MBEDTLS_PRIVATE(block_size));
-}
-
-/**
- * \brief This function returns a non-zero value if the key length for
- * the given cipher is variable.
- *
- * \param info The cipher info structure. This may be \c NULL.
- *
- * \return Non-zero if the key length is variable, \c 0 otherwise.
- * \return \c 0 if the given pointer is \c NULL.
- */
-static inline int mbedtls_cipher_info_has_variable_key_bitlen(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return 0;
- }
-
- return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
-}
-
-/**
- * \brief This function returns a non-zero value if the IV size for
- * the given cipher is variable.
- *
- * \param info The cipher info structure. This may be \c NULL.
- *
- * \return Non-zero if the IV size is variable, \c 0 otherwise.
- * \return \c 0 if the given pointer is \c NULL.
- */
-static inline int mbedtls_cipher_info_has_variable_iv_size(
- const mbedtls_cipher_info_t *info)
-{
- if (info == NULL) {
- return 0;
- }
-
- return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_IV_LEN;
-}
-
-/**
- * \brief This function initializes a \p ctx as NONE.
- *
- * \param ctx The context to be initialized. This must not be \c NULL.
- */
-void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx);
-
-/**
- * \brief This function frees and clears the cipher-specific
- * context of \p ctx. Freeing \p ctx itself remains the
- * responsibility of the caller.
- *
- * \param ctx The context to be freed. If this is \c NULL, the
- * function has no effect, otherwise this must point to an
- * initialized context.
- */
-void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
-
-
-/**
- * \brief This function prepares a cipher context for
- * use with the given cipher primitive.
- *
- * \note After calling this function, you should call
- * mbedtls_cipher_setkey() and, if the mode uses padding,
- * mbedtls_cipher_set_padding_mode(), then for each
- * message to encrypt or decrypt with this key, either:
- * - mbedtls_cipher_crypt() for one-shot processing with
- * non-AEAD modes;
- * - mbedtls_cipher_auth_encrypt_ext() or
- * mbedtls_cipher_auth_decrypt_ext() for one-shot
- * processing with AEAD modes or NIST_KW;
- * - for multi-part processing, see the documentation of
- * mbedtls_cipher_reset().
- *
- * \param ctx The context to prepare. This must be initialized by
- * a call to mbedtls_cipher_init() first.
- * \param cipher_info The cipher to use.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
- * cipher-specific context fails.
- */
-int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
- const mbedtls_cipher_info_t *cipher_info);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief This function initializes a cipher context for
- * PSA-based use with the given cipher primitive.
- *
- * \deprecated This function is deprecated and will be removed in a
- * future version of the library.
- * Please use psa_aead_xxx() / psa_cipher_xxx() directly
- * instead.
- *
- * \note See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
- *
- * \param ctx The context to initialize. May not be \c NULL.
- * \param cipher_info The cipher to use.
- * \param taglen For AEAD ciphers, the length in bytes of the
- * authentication tag to use. Subsequent uses of
- * mbedtls_cipher_auth_encrypt_ext() or
- * mbedtls_cipher_auth_decrypt_ext() must provide
- * the same tag length.
- * For non-AEAD ciphers, the value must be \c 0.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
- * cipher-specific context fails.
- */
-int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
- const mbedtls_cipher_info_t *cipher_info,
- size_t taglen);
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/**
- * \brief This function returns the block size of the given cipher
- * in bytes.
- *
- * \param ctx The context of the cipher.
- *
- * \return The block size of the underlying cipher.
- * \return \c 1 if the cipher is a stream cipher.
- * \return \c 0 if \p ctx has not been initialized.
- */
-static inline unsigned int mbedtls_cipher_get_block_size(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return 0;
- }
-
- return (unsigned int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size);
-}
-
-/**
- * \brief This function returns the mode of operation for
- * the cipher. For example, MBEDTLS_MODE_CBC.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The mode of operation.
- * \return #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
- */
-static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return MBEDTLS_MODE_NONE;
- }
-
- return (mbedtls_cipher_mode_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode);
-}
-
-/**
- * \brief This function returns the size of the IV or nonce
- * of the cipher, in Bytes.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The recommended IV size if no IV has been set.
- * \return \c 0 for ciphers not using an IV or a nonce.
- * \return The actual size if an IV has been set.
- */
-static inline int mbedtls_cipher_get_iv_size(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return 0;
- }
-
- if (ctx->MBEDTLS_PRIVATE(iv_size) != 0) {
- return (int) ctx->MBEDTLS_PRIVATE(iv_size);
- }
-
- return (int) (((int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size)) <<
- MBEDTLS_IV_SIZE_SHIFT);
-}
-
-/**
- * \brief This function returns the type of the given cipher.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The type of the cipher.
- * \return #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
- */
-static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_CIPHER_NONE);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return MBEDTLS_CIPHER_NONE;
- }
-
- return (mbedtls_cipher_type_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type);
-}
-
-/**
- * \brief This function returns the name of the given cipher
- * as a string.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The name of the cipher.
- * \return NULL if \p ctx has not been not initialized.
- */
-static inline const char *mbedtls_cipher_get_name(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return 0;
- }
-
- return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name);
-}
-
-/**
- * \brief This function returns the key length of the cipher.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The key length of the cipher in bits.
- * \return #MBEDTLS_KEY_LENGTH_NONE if \p ctx has not been
- * initialized.
- */
-static inline int mbedtls_cipher_get_key_bitlen(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return MBEDTLS_KEY_LENGTH_NONE;
- }
-
- return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen) <<
- MBEDTLS_KEY_BITLEN_SHIFT;
-}
-
-/**
- * \brief This function returns the operation of the given cipher.
- *
- * \param ctx The context of the cipher. This must be initialized.
- *
- * \return The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
- * \return #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
- */
-static inline mbedtls_operation_t mbedtls_cipher_get_operation(
- const mbedtls_cipher_context_t *ctx)
-{
- MBEDTLS_INTERNAL_VALIDATE_RET(
- ctx != NULL, MBEDTLS_OPERATION_NONE);
- if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
- return MBEDTLS_OPERATION_NONE;
- }
-
- return ctx->MBEDTLS_PRIVATE(operation);
-}
-
-/**
- * \brief This function sets the key to use with the given context.
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a cipher information structure.
- * \param key The key to use. This must be a readable buffer of at
- * least \p key_bitlen Bits.
- * \param key_bitlen The key length to use, in Bits.
- * \param operation The operation that the key will be used for:
- * #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
- const unsigned char *key,
- int key_bitlen,
- const mbedtls_operation_t operation);
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-/**
- * \brief This function sets the padding mode, for cipher modes
- * that use padding.
- *
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a cipher information structure.
- * \param mode The padding mode.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
- * if the selected padding mode is not supported.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
- * does not support padding.
- */
-int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
- mbedtls_cipher_padding_t mode);
-#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-
-/**
- * \brief This function sets the initialization vector (IV)
- * or nonce.
- *
- * \note Some ciphers do not use IVs nor nonce. For these
- * ciphers, this function has no effect.
- *
- * \note For #MBEDTLS_CIPHER_CHACHA20, the nonce length must
- * be 12, and the initial counter value is 0.
- *
- * \note For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length
- * must be 12.
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a cipher information structure.
- * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
- * must be a readable buffer of at least \p iv_len Bytes.
- * \param iv_len The IV length for ciphers with variable-size IV.
- * This parameter is discarded by ciphers with fixed-size IV.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- */
-int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv,
- size_t iv_len);
-
-/**
- * \brief This function resets the cipher state.
- *
- * \note With non-AEAD ciphers, the order of calls for each message
- * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update() one or more times
- * 4. mbedtls_cipher_finish()
- * .
- * This sequence can be repeated to encrypt or decrypt multiple
- * messages with the same key.
- *
- * \note With AEAD ciphers, the order of calls for each message
- * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update_ad()
- * 4. mbedtls_cipher_update() one or more times
- * 5. mbedtls_cipher_finish()
- * 6. mbedtls_cipher_check_tag() (for decryption) or
- * mbedtls_cipher_write_tag() (for encryption).
- * .
- * This sequence can be repeated to encrypt or decrypt multiple
- * messages with the same key.
- *
- * \param ctx The generic cipher context. This must be bound to a key.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- */
-int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx);
-
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
-/**
- * \brief This function adds additional data for AEAD ciphers.
- * Currently supported with GCM and ChaCha20+Poly1305.
- *
- * \param ctx The generic cipher context. This must be initialized.
- * \param ad The additional data to use. This must be a readable
- * buffer of at least \p ad_len Bytes.
- * \param ad_len The length of \p ad in Bytes.
- *
- * \return \c 0 on success.
- * \return A specific error code on failure.
- */
-int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
- const unsigned char *ad, size_t ad_len);
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
-
-/**
- * \brief The generic cipher update function. It encrypts or
- * decrypts using the given cipher context. Writes as
- * many block-sized blocks of data as possible to output.
- * Any data that cannot be written immediately is either
- * added to the next block, or flushed when
- * mbedtls_cipher_finish() is called.
- * Exception: For MBEDTLS_MODE_ECB, expects a single block
- * in size. For example, 16 Bytes for AES.
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a key.
- * \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes.
- * \param ilen The length of the input data.
- * \param output The buffer for the output data. This must be able to
- * hold at least `ilen + block_size`. This must not be the
- * same buffer as \p input.
- * \param olen The length of the output data, to be updated with the
- * actual number of Bytes written. This must not be
- * \c NULL.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
- * unsupported mode for a cipher.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
- const unsigned char *input,
- size_t ilen, unsigned char *output,
- size_t *olen);
-
-/**
- * \brief The generic cipher finalization function. If data still
- * needs to be flushed from an incomplete block, the data
- * contained in it is padded to the size of
- * the last block, and written to the \p output buffer.
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a key.
- * \param output The buffer to write data to. This needs to be a writable
- * buffer of at least block_size Bytes.
- * \param olen The length of the data written to the \p output buffer.
- * This may not be \c NULL.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
- * expecting a full block but not receiving one.
- * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- * while decrypting.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
- unsigned char *output, size_t *olen);
-
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
-/**
- * \brief This function writes a tag for AEAD ciphers.
- * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
- *
- * \param ctx The generic cipher context. This must be initialized,
- * bound to a key, and have just completed a cipher
- * operation through mbedtls_cipher_finish() the tag for
- * which should be written.
- * \param tag The buffer to write the tag to. This must be a writable
- * buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the tag to write.
- *
- * \return \c 0 on success.
- * \return A specific error code on failure.
- */
-int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
- unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function checks the tag for AEAD ciphers.
- * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
- *
- * \param ctx The generic cipher context. This must be initialized.
- * \param tag The buffer holding the tag. This must be a readable
- * buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the tag to check.
- *
- * \return \c 0 on success.
- * \return A specific error code on failure.
- */
-int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
- const unsigned char *tag, size_t tag_len);
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
-
-/**
- * \brief The generic all-in-one encryption/decryption function,
- * for all ciphers except AEAD constructs.
- *
- * \param ctx The generic cipher context. This must be initialized.
- * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
- * This must be a readable buffer of at least \p iv_len
- * Bytes.
- * \param iv_len The IV length for ciphers with variable-size IV.
- * This parameter is discarded by ciphers with fixed-size
- * IV.
- * \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- * \param output The buffer for the output data. This must be able to
- * hold at least `ilen + block_size`. This must not be the
- * same buffer as \p input.
- * \param olen The length of the output data, to be updated with the
- * actual number of Bytes written. This must not be
- * \c NULL.
- *
- * \note Some ciphers do not use IVs nor nonce. For these
- * ciphers, use \p iv = NULL and \p iv_len = 0.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
- * expecting a full block but not receiving one.
- * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- * while decrypting.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen);
-
-#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
-/**
- * \brief The authenticated encryption (AEAD/NIST_KW) function.
- *
- * \note For AEAD modes, the tag will be appended to the
- * ciphertext, as recommended by RFC 5116.
- * (NIST_KW doesn't have a separate tag.)
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a key, with an AEAD algorithm or NIST_KW.
- * \param iv The nonce to use. This must be a readable buffer of
- * at least \p iv_len Bytes and may be \c NULL if \p
- * iv_len is \c 0.
- * \param iv_len The length of the nonce. For AEAD ciphers, this must
- * satisfy the constraints imposed by the cipher used.
- * For NIST_KW, this must be \c 0.
- * \param ad The additional data to authenticate. This must be a
- * readable buffer of at least \p ad_len Bytes, and may
- * be \c NULL is \p ad_len is \c 0.
- * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
- * \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes, and may be
- * \c NULL if \p ilen is \c 0.
- * \param ilen The length of the input data.
- * \param output The buffer for the output data. This must be a
- * writable buffer of at least \p output_len Bytes, and
- * must not be \c NULL.
- * \param output_len The length of the \p output buffer in Bytes. For AEAD
- * ciphers, this must be at least \p ilen + \p tag_len.
- * For NIST_KW, this must be at least \p ilen + 8
- * (rounded up to a multiple of 8 if KWP is used);
- * \p ilen + 15 is always a safe value.
- * \param olen This will be filled with the actual number of Bytes
- * written to the \p output buffer. This must point to a
- * writable object of type \c size_t.
- * \param tag_len The desired length of the authentication tag. For AEAD
- * ciphers, this must match the constraints imposed by
- * the cipher used, and in particular must not be \c 0.
- * For NIST_KW, this must be \c 0.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t output_len,
- size_t *olen, size_t tag_len);
-
-/**
- * \brief The authenticated encryption (AEAD/NIST_KW) function.
- *
- * \note If the data is not authentic, then the output buffer
- * is zeroed out to prevent the unauthentic plaintext being
- * used, making this interface safer.
- *
- * \note For AEAD modes, the tag must be appended to the
- * ciphertext, as recommended by RFC 5116.
- * (NIST_KW doesn't have a separate tag.)
- *
- * \param ctx The generic cipher context. This must be initialized and
- * bound to a key, with an AEAD algorithm or NIST_KW.
- * \param iv The nonce to use. This must be a readable buffer of
- * at least \p iv_len Bytes and may be \c NULL if \p
- * iv_len is \c 0.
- * \param iv_len The length of the nonce. For AEAD ciphers, this must
- * satisfy the constraints imposed by the cipher used.
- * For NIST_KW, this must be \c 0.
- * \param ad The additional data to authenticate. This must be a
- * readable buffer of at least \p ad_len Bytes, and may
- * be \c NULL is \p ad_len is \c 0.
- * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
- * \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes, and may be
- * \c NULL if \p ilen is \c 0.
- * \param ilen The length of the input data. For AEAD ciphers this
- * must be at least \p tag_len. For NIST_KW this must be
- * at least \c 8.
- * \param output The buffer for the output data. This must be a
- * writable buffer of at least \p output_len Bytes, and
- * may be \c NULL if \p output_len is \c 0.
- * \param output_len The length of the \p output buffer in Bytes. For AEAD
- * ciphers, this must be at least \p ilen - \p tag_len.
- * For NIST_KW, this must be at least \p ilen - 8.
- * \param olen This will be filled with the actual number of Bytes
- * written to the \p output buffer. This must point to a
- * writable object of type \c size_t.
- * \param tag_len The actual length of the authentication tag. For AEAD
- * ciphers, this must match the constraints imposed by
- * the cipher used, and in particular must not be \c 0.
- * For NIST_KW, this must be \c 0.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- * parameter-verification failure.
- * \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t output_len,
- size_t *olen, size_t tag_len);
-#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CIPHER_H */
diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h
deleted file mode 100644
index b2aca5d..0000000
--- a/include/mbedtls/cmac.h
+++ /dev/null
@@ -1,258 +0,0 @@
-/**
- * \file cmac.h
- *
- * \brief This file contains CMAC definitions and functions.
- *
- * The Cipher-based Message Authentication Code (CMAC) Mode for
- * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
- * It is supported with AES and DES.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CMAC_H
-#define MBEDTLS_CMAC_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/cipher.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define MBEDTLS_AES_BLOCK_SIZE 16
-#define MBEDTLS_DES3_BLOCK_SIZE 8
-
-/* We don't support Camellia or ARIA in this module */
-#if defined(MBEDTLS_AES_C)
-#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 16 /**< The longest block used by CMAC is that of AES. */
-#else
-#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 8 /**< The longest block used by CMAC is that of 3DES. */
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/** The longest block supported by the cipher module.
- *
- * \deprecated
- * For the maximum block size of a cipher supported by the CMAC module,
- * use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
- * For the maximum block size of a cipher supported by the cipher module,
- * use #MBEDTLS_MAX_BLOCK_LENGTH.
- */
-/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
- * module, so it didn't take Camellia or ARIA into account. Since the name
- * of the macro doesn't even convey "CMAC", this was misleading. Now the size
- * is sufficient for any cipher, but the name is defined in cmac.h for
- * backward compatibility. */
-#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-#if !defined(MBEDTLS_CMAC_ALT)
-
-/**
- * The CMAC context structure.
- */
-struct mbedtls_cmac_context_t {
- /** The internal state of the CMAC algorithm. */
- unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
-
- /** Unprocessed data - either data that was not block aligned and is still
- * pending processing, or the final block. */
- unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
-
- /** The length of data pending processing. */
- size_t MBEDTLS_PRIVATE(unprocessed_len);
-};
-
-#else /* !MBEDTLS_CMAC_ALT */
-#include "cmac_alt.h"
-#endif /* !MBEDTLS_CMAC_ALT */
-
-/**
- * \brief This function starts a new CMAC computation
- * by setting the CMAC key, and preparing to authenticate
- * the input data.
- * It must be called with an initialized cipher context.
- *
- * Once this function has completed, data can be supplied
- * to the CMAC computation by calling
- * mbedtls_cipher_cmac_update().
- *
- * To start a CMAC computation using the same key as a previous
- * CMAC computation, use mbedtls_cipher_cmac_finish().
- *
- * \note When the CMAC implementation is supplied by an alternate
- * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
- * may not be supported by that implementation, and thus
- * return an error. Alternate implementations must support
- * AES-128 and AES-256, and may support AES-192 and 3DES.
- *
- * \param ctx The cipher context used for the CMAC operation, initialized
- * as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
- * MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
- * or MBEDTLS_CIPHER_DES_EDE3_ECB.
- * \param key The CMAC key.
- * \param keybits The length of the CMAC key in bits.
- * Must be supported by the cipher.
- *
- * \return \c 0 on success.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
- const unsigned char *key, size_t keybits);
-
-/**
- * \brief This function feeds an input buffer into an ongoing CMAC
- * computation.
- *
- * The CMAC computation must have previously been started
- * by calling mbedtls_cipher_cmac_starts() or
- * mbedtls_cipher_cmac_reset().
- *
- * Call this function as many times as needed to input the
- * data to be authenticated.
- * Once all of the required data has been input,
- * call mbedtls_cipher_cmac_finish() to obtain the result
- * of the CMAC operation.
- *
- * \param ctx The cipher context used for the CMAC operation.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
- * if parameter verification fails.
- */
-int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
- const unsigned char *input, size_t ilen);
-
-/**
- * \brief This function finishes an ongoing CMAC operation, and
- * writes the result to the output buffer.
- *
- * It should be followed either by
- * mbedtls_cipher_cmac_reset(), which starts another CMAC
- * operation with the same key, or mbedtls_cipher_free(),
- * which clears the cipher context.
- *
- * \param ctx The cipher context used for the CMAC operation.
- * \param output The output buffer for the CMAC checksum result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
- * if parameter verification fails.
- */
-int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
- unsigned char *output);
-
-/**
- * \brief This function starts a new CMAC operation with the same
- * key as the previous one.
- *
- * It should be called after finishing the previous CMAC
- * operation with mbedtls_cipher_cmac_finish().
- * After calling this function,
- * call mbedtls_cipher_cmac_update() to supply the new
- * CMAC operation with data.
- *
- * \param ctx The cipher context used for the CMAC operation.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
- * if parameter verification fails.
- */
-int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx);
-
-/**
- * \brief This function calculates the full generic CMAC
- * on the input buffer with the provided key.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The CMAC result is calculated as
- * output = generic CMAC(cmac key, input buffer).
- *
- * \note When the CMAC implementation is supplied by an alternate
- * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
- * may not be supported by that implementation, and thus
- * return an error. Alternate implementations must support
- * AES-128 and AES-256, and may support AES-192 and 3DES.
- *
- * \param cipher_info The cipher information.
- * \param key The CMAC key.
- * \param keylen The length of the CMAC key in bits.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- * \param output The buffer for the generic CMAC result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
- * if parameter verification fails.
- */
-int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
- const unsigned char *key, size_t keylen,
- const unsigned char *input, size_t ilen,
- unsigned char *output);
-
-#if defined(MBEDTLS_AES_C)
-/**
- * \brief This function implements the AES-CMAC-PRF-128 pseudorandom
- * function, as defined in
- * <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
- * Message Authentication Code-Pseudo-Random Function-128
- * (AES-CMAC-PRF-128) Algorithm for the Internet Key
- * Exchange Protocol (IKE).</em>
- *
- * \param key The key to use.
- * \param key_len The key length in Bytes.
- * \param input The buffer holding the input data.
- * \param in_len The length of the input data in Bytes.
- * \param output The buffer holding the generated 16 Bytes of
- * pseudorandom output.
- *
- * \return \c 0 on success.
- */
-int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_len,
- const unsigned char *input, size_t in_len,
- unsigned char output[16]);
-#endif /* MBEDTLS_AES_C */
-
-#if defined(MBEDTLS_SELF_TEST) && (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C))
-/**
- * \brief The CMAC checkup routine.
- *
- * \note In case the CMAC routines are provided by an alternative
- * implementation (i.e. #MBEDTLS_CMAC_ALT is defined), the
- * checkup routine will succeed even if the implementation does
- * not support the less widely used AES-192 or 3DES primitives.
- * The self-test requires at least AES-128 and AES-256 to be
- * supported by the underlying implementation.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_cmac_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CMAC_H */
diff --git a/include/mbedtls/compat-2.x.h b/include/mbedtls/compat-2.x.h
index cdf81dc..096341b 100644
--- a/include/mbedtls/compat-2.x.h
+++ b/include/mbedtls/compat-2.x.h
@@ -7,19 +7,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#if defined(MBEDTLS_DEPRECATED_WARNING)
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 53c03b5..7dafbae 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -2,6 +2,8 @@
* \file mbedtls/config_adjust_legacy_crypto.h
* \brief Adjust legacy configuration configuration
*
+ * This is an internal header. Do not include it directly.
+ *
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
@@ -16,24 +18,51 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+/* Ideally, we'd set those as defaults in mbedtls_config.h, but
+ * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py.
+ *
+ * So, adjust it here.
+ * Not related to crypto, but this is the bottom of the stack. */
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
+#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
+ !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
+ !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
+#endif
+#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
+
+/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
+ * in PSA. */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && \
+ (defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC))
+#define MBEDTLS_CIPHER_C
+#endif
+
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
*/
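Review bot: The closing comments on the two new preprocessor blocks in this hunk do not match their conditions: the `#endif /* */` that ends the `MBEDTLS_CONFIG_FILES_READ` guard is empty, and the one ending the MinGW/MSVC block reads `_MINGW32__` with a single leading underscore. I would write `#endif /* !MBEDTLS_CONFIG_FILES_READ */` and `#endif /* __MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */`. The comment above the `MBEDTLS_PLATFORM_SNPRINTF_ALT` / `MBEDTLS_PLATFORM_VSNPRINTF_ALT` defines says where the adjustment lives but not why it is needed. Presumably the C runtime's snprintf on these toolchains does not guarantee NUL termination on truncation, so once that is confirmed against the platform layer, a line such as `/* snprintf/vsnprintf on these toolchains may not NUL-terminate on truncation; force the library's replacement. */` would record it. The `#error` guard itself relies on `MBEDTLS_CONFIG_FILES_READ` being defined by the including header, which is outside this hunk.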
@@ -56,6 +85,202 @@
#define MBEDTLS_MD_LIGHT
#endif
+#if defined(MBEDTLS_MD_LIGHT)
+/*
+ * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
+ * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
+ * (see below).
+ * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
+ * via PSA (see below).
+ * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
+ * via a direct legacy call (see below).
+ *
+ * The md module performs an algorithm via PSA if there is a PSA hash
+ * accelerator and the PSA driver subsytem is initialized at the time the
+ * operation is started, and makes a direct legacy call otherwise.
+ */
+
+/* PSA accelerated implementations */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
+#define MBEDTLS_MD_CAN_MD5
+#define MBEDTLS_MD_MD5_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
+#define MBEDTLS_MD_CAN_SHA1
+#define MBEDTLS_MD_SHA1_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
+#define MBEDTLS_MD_CAN_SHA224
+#define MBEDTLS_MD_SHA224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
+#define MBEDTLS_MD_CAN_SHA256
+#define MBEDTLS_MD_SHA256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
+#define MBEDTLS_MD_CAN_SHA384
+#define MBEDTLS_MD_SHA384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
+#define MBEDTLS_MD_CAN_SHA512
+#define MBEDTLS_MD_SHA512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
+#define MBEDTLS_MD_CAN_RIPEMD160
+#define MBEDTLS_MD_RIPEMD160_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
+#define MBEDTLS_MD_CAN_SHA3_224
+#define MBEDTLS_MD_SHA3_224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
+#define MBEDTLS_MD_CAN_SHA3_256
+#define MBEDTLS_MD_SHA3_256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
+#define MBEDTLS_MD_CAN_SHA3_384
+#define MBEDTLS_MD_SHA3_384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
+#define MBEDTLS_MD_CAN_SHA3_512
+#define MBEDTLS_MD_SHA3_512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+/* Built-in implementations */
+#if defined(MBEDTLS_MD5_C)
+#define MBEDTLS_MD_CAN_MD5
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_MD_CAN_SHA1
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA224_C)
+#define MBEDTLS_MD_CAN_SHA224
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_MD_CAN_SHA256
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA384_C)
+#define MBEDTLS_MD_CAN_SHA384
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_CAN_SHA512
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA3_C)
+#define MBEDTLS_MD_CAN_SHA3_224
+#define MBEDTLS_MD_CAN_SHA3_256
+#define MBEDTLS_MD_CAN_SHA3_384
+#define MBEDTLS_MD_CAN_SHA3_512
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+#define MBEDTLS_MD_CAN_RIPEMD160
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+
+#endif /* MBEDTLS_MD_LIGHT */
+
+/* BLOCK_CIPHER module can dispatch to PSA when:
+ * - PSA is enabled and drivers have been initialized
+ * - desired key type is supported on the PSA side
+ * If the above conditions are not met, but the legacy support is enabled, then
+ * BLOCK_CIPHER will dynamically fallback to it.
+ *
+ * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers
+ * can be used to define its capabilities:
+ * - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES,
+ * ARIA and Camellia which is supported through a driver;
+ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_PSA: xxx key type is supported through a
+ * driver;
+ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through
+ * a legacy module (i.e. MBEDTLS_xxx_C)
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
+#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY
+#endif
+#if defined(MBEDTLS_ARIA_C)
+#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY
+#endif
+
+/* Helpers to state that BLOCK_CIPHER module supports AES, ARIA and/or Camellia
+ * block ciphers via either PSA or legacy. */
+#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA) || \
+ defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_AES
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA) || \
+ defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_ARIA
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA) || \
+ defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA
+#endif
+
+/* GCM_C and CCM_C can either depend on (in order of preference) BLOCK_CIPHER_C
+ * or CIPHER_C. The former is auto-enabled when:
+ * - CIPHER_C is not defined, which is also the legacy solution;
+ * - BLOCK_CIPHER_SOME_PSA because in this case BLOCK_CIPHER can take advantage
+ * of the driver's acceleration.
+ */
+#if (defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)) && \
+ (!defined(MBEDTLS_CIPHER_C) || defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA))
+#define MBEDTLS_BLOCK_CIPHER_C
+#endif
+
+/* Helpers for GCM/CCM capabilities */
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_AES))
+#define MBEDTLS_CCM_GCM_CAN_AES
+#endif
+
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_ARIA_C)) || \
+ (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_ARIA))
+#define MBEDTLS_CCM_GCM_CAN_ARIA
+#endif
+
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_CAMELLIA_C)) || \
+ (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA))
+#define MBEDTLS_CCM_GCM_CAN_CAMELLIA
+#endif
+
/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
* - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
* for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
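Review bot: The comment that opens the `MBEDTLS_MD_LIGHT` section says the md module "makes a direct legacy call otherwise", but the PSA block below defines `MBEDTLS_MD_CAN_xxx` from `MBEDTLS_PSA_ACCEL_ALG_xxx` alone. A build with an accelerator and no matching `MBEDTLS_xxx_C` therefore advertises the capability at compile time while having no legacy path to fall back on. What md does at run time in that case is not visible in this hunk, so the comment should state it, for example `* If xxx is only available via PSA, MBEDTLS_MD_CAN_xxx is still defined, but the operation requires the PSA driver subsystem to be initialized first.` Callers that test `MBEDTLS_MD_CAN_xxx` to decide whether a hash is usable need that caveat. The same comment also misspells "subsystem" as `subsytem`.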
@@ -79,6 +304,14 @@
#define MBEDTLS_ECP_LIGHT
#endif
+/* Backward compatibility: after #8740 the RSA module offers functions to parse
+ * and write RSA private/public keys without relying on the PK one. Of course
+ * this needs ASN1 support to do so, so we enable it here. */
+#if defined(MBEDTLS_RSA_C)
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif
+
/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
* in previous version compressed points were automatically supported as long
* as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
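Review bot: The comment above `#if defined(MBEDTLS_RSA_C)` calls this backward compatibility, but the two defines are unconditional, so every build with RSA gets both the ASN.1 parser and the ASN.1 writer even if the configuration left them out deliberately. The comment should say so, for example `/* rsa.c now parses and writes RSA keys itself (#8740) and needs ASN.1: force both modules on so configs with RSA_C but without ASN1_*_C keep building. */`. If builds that only ever parse keys are meant to stay small, it is also worth noting whether `MBEDTLS_ASN1_WRITE_C` is really required there; the hunk does not show this.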
@@ -126,15 +359,6 @@
#define MBEDTLS_PSA_CRYPTO_CLIENT
#endif /* MBEDTLS_PSA_CRYPTO_C */
-/* The PK wrappers need pk_write functions to format RSA key objects
- * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
- * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
-#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_PK_PARSE_C
-#endif
-
/* Helpers to state that each key is supported either on the builtin or PSA side. */
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
#define MBEDTLS_ECP_HAVE_SECP521R1
@@ -192,6 +416,43 @@
#define MBEDTLS_CIPHER_PADDING_PKCS7
#endif
+/* Backwards compatibility for some macros which were renamed to reflect that
+ * they are related to Armv8, not aarch64. */
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
+ !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+#endif
+
+/* psa_util file features some ECDSA conversion functions, to convert between
+ * legacy's ASN.1 DER format and PSA's raw one. */
+#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \
+ (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
+#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
+#endif
+
+/* Some internal helpers to determine which keys are availble. */
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_SSL_HAVE_AES
+#endif
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
+#define MBEDTLS_SSL_HAVE_ARIA
+#endif
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#define MBEDTLS_SSL_HAVE_CAMELLIA
+#endif
+
+/* Some internal helpers to determine which operation modes are availble. */
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
+#define MBEDTLS_SSL_HAVE_CBC
+#endif
+
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
#define MBEDTLS_SSL_HAVE_GCM
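Review bot: The two added comments "Some internal helpers to determine which keys are availble" and "... which operation modes are availble" misspell "available", and neither explains how the `MBEDTLS_SSL_HAVE_xxx` helpers are chosen. Each helper follows the legacy symbol when `MBEDTLS_USE_PSA_CRYPTO` is off and the `PSA_WANT_xxx` symbol when it is on, which could be said once, for example `/* Internal helpers: key types available to TLS (legacy symbol without USE_PSA_CRYPTO, PSA_WANT_xxx with it). */`. For `MBEDTLS_SSL_HAVE_CBC` the PSA side tests only `PSA_WANT_ALG_CBC_NO_PADDING`; a short note on why the unpadded mode is the right key for TLS would spare readers from guessing.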
diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
deleted file mode 100644
index e3c2ed1..0000000
--- a/include/mbedtls/config_adjust_legacy_from_psa.h
+++ /dev/null
@@ -1,889 +0,0 @@
-/**
- * \file mbedtls/config_adjust_legacy_from_psa.h
- * \brief Adjust PSA configuration: activate legacy implementations
- *
- * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations
- * of cryptographic mechanisms as needed to fulfill the needs of the PSA
- * configuration. Generally speaking, we activate a legacy mechanism if
- * it's needed for a requested PSA mechanism and there is no PSA driver
- * for it.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
-#define MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
-
-/* Define appropriate ACCEL macros for the p256-m driver.
- * In the future, those should be generated from the drivers JSON description.
- */
-#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256
-#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
-#define MBEDTLS_PSA_ACCEL_ALG_ECDH
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
-#endif
-
-/*
- * ECC: support for a feature is controlled by a triplet or a pair:
- * (curve, key_type public/basic, alg) or (curve, key_type_<action>).
- *
- * A triplet/pair is accelerated if all of is components are accelerated;
- * otherwise each component needs to be built in.
- *
- * We proceed in two passes:
- * 1. Check if acceleration is complete for curves, key types, algs.
- * 2. Then enable built-ins for each thing that's either not accelerated of
- * doesn't have complete acceleration of the other triplet/pair components.
- *
- * Note: this needs psa/crypto_adjust_keypair_types.h to have been included
- * already, so that we know the full set of key types that are requested.
- */
-
-/* ECC: curves: is acceleration complete? */
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_MONTGOMERY_255) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_MONTGOMERY_448) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_R1_192) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_R1_224) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_R1_256) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_R1_384) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_R1_521) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_K1_192) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_K1_224) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-#if defined(PSA_WANT_ECC_SECP_K1_256) && \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
-#endif
-
-/* ECC: algs: is acceleration complete? */
-#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
-#endif
-
-#if defined(PSA_WANT_ALG_ECDH) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
-#endif
-
-#if defined(PSA_WANT_ALG_ECDSA) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
-#endif
-
-#if defined(PSA_WANT_ALG_JPAKE) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
-#endif
-
-/* ECC: key types: is acceleration complete? */
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#endif
-
-/* Special case: we don't support cooked key derivation in drivers yet */
-#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
-#endif
-
-/* Note: the condition is always true as DERIVE can't be accelerated yet */
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
- !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
-#endif
-
-/* ECC: curves: enable built-ins as needed.
- *
- * We need the curve built-in:
- * - if it's not accelerated, or
- * - if there's a key type with missing acceleration, or
- * - if there's a alg with missing acceleration.
- */
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
-#define MBEDTLS_ECP_DP_BP256R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
-
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
-#define MBEDTLS_ECP_DP_BP384R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
-
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
-#define MBEDTLS_ECP_DP_BP512R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
-
-#if defined(PSA_WANT_ECC_MONTGOMERY_255)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
-
-#if defined(PSA_WANT_ECC_MONTGOMERY_448)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
-#define MBEDTLS_ECP_DP_CURVE448_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
-
-#if defined(PSA_WANT_ECC_SECP_R1_192)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_R1_192 */
-
-#if defined(PSA_WANT_ECC_SECP_R1_224)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_R1_224 */
-
-#if defined(PSA_WANT_ECC_SECP_R1_256)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_R1_256 */
-
-#if defined(PSA_WANT_ECC_SECP_R1_384)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_R1_384 */
-
-#if defined(PSA_WANT_ECC_SECP_R1_521)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_R1_521 */
-
-#if defined(PSA_WANT_ECC_SECP_K1_192)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_K1_192 */
-
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
-/* https://github.com/Mbed-TLS/mbedtls/issues/3541 */
-#error "SECP224K1 is buggy via the PSA API in Mbed TLS."
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_K1_224 */
-
-#if defined(PSA_WANT_ECC_SECP_K1_256)
-#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#endif /* missing accel */
-#endif /* PSA_WANT_ECC_SECP_K1_256 */
-
-/* ECC: algs: enable built-ins as needed.
- *
- * We need the alg built-in:
- * - if it's not accelerated, or
- * - if there's a relevant curve (see below) with missing acceleration, or
- * - if there's a key type among (public, basic) with missing acceleration.
- *
- * Relevant curves are:
- * - all curves for ECDH
- * - Weierstrass curves for (deterministic) ECDSA
- * - secp256r1 for EC J-PAKE
- */
-#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
-#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
-#define MBEDTLS_ECDSA_DETERMINISTIC
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#endif /* missing accel */
-#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
-
-#if defined(PSA_WANT_ALG_ECDH)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
-#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
-#define MBEDTLS_ECDH_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_ALG_ECDH */
-
-#if defined(PSA_WANT_ALG_ECDSA)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
-#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#endif /* missing accel */
-#endif /* PSA_WANT_ALG_ECDSA */
-
-#if defined(PSA_WANT_ALG_JPAKE)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) || \
- !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
-#define MBEDTLS_PSA_BUILTIN_PAKE 1
-#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECJPAKE_C
-#endif /* missing accel */
-#endif /* PSA_WANT_ALG_JPAKE */
-
-/* ECC: key types: enable built-ins as needed.
- *
- * We need the key type built-in:
- * - if it's not accelerated, or
- * - if there's a curve with missing acceleration, or
- * - only for public/basic: if there's an alg with missing acceleration.
- */
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
-#define MBEDTLS_ECP_LIGHT
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
-#define MBEDTLS_ECP_LIGHT
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
-#define MBEDTLS_ECP_LIGHT
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
-#define MBEDTLS_ECP_C
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#define MBEDTLS_ECP_C
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
-
-/* Note: the condition is always true as DERIVE can't be accelerated yet */
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
- defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
-#define MBEDTLS_ECP_LIGHT
-#define MBEDTLS_BIGNUM_C
-#endif /* missing accel */
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
-
-/* End of ECC section */
-
-#if defined(PSA_WANT_ALG_FFDH)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
-#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
-#define MBEDTLS_BIGNUM_C
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
-#endif /* PSA_WANT_ALG_FFDH */
-
-#if defined(PSA_WANT_ALG_HKDF)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
-/*
- * The PSA implementation has its own implementation of HKDF, separate from
- * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
- */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
-#endif /* PSA_WANT_ALG_HKDF */
-
-#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)
-/*
- * The PSA implementation has its own implementation of HKDF, separate from
- * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
- */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
-#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
-
-#if defined(PSA_WANT_ALG_HKDF_EXPAND)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)
-/*
- * The PSA implementation has its own implementation of HKDF, separate from
- * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
- */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
-#endif /* PSA_WANT_ALG_HKDF_EXPAND */
-
-#if defined(PSA_WANT_ALG_HMAC)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
-#endif /* PSA_WANT_ALG_HMAC */
-
-#if defined(PSA_WANT_ALG_MD5) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
-#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
-#define MBEDTLS_MD5_C
-#endif
-
-#if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
-#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
-#define MBEDTLS_RIPEMD160_C
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_OAEP)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
-#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
-#define MBEDTLS_RSA_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PKCS1_V21
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */
-#endif /* PSA_WANT_ALG_RSA_OAEP */
-
-#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT)
-#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
-#define MBEDTLS_RSA_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PKCS1_V15
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */
-#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT */
-
-#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN)
-#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
-#define MBEDTLS_RSA_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PKCS1_V15
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */
-#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
-
-#if defined(PSA_WANT_ALG_RSA_PSS)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
-#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
-#define MBEDTLS_RSA_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PKCS1_V21
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */
-#endif /* PSA_WANT_ALG_RSA_PSS */
-
-#if defined(PSA_WANT_ALG_SHA_1) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
-#define MBEDTLS_SHA1_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
-#define MBEDTLS_SHA224_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
-#define MBEDTLS_SHA256_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
-#define MBEDTLS_SHA384_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
-#define MBEDTLS_SHA512_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1
-#define MBEDTLS_SHA3_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1
-#define MBEDTLS_SHA3_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1
-#define MBEDTLS_SHA3_C
-#endif
-
-#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
-#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1
-#define MBEDTLS_SHA3_C
-#endif
-
-#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
-#define PSA_HAVE_SOFT_PBKDF2_HMAC 1
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
-#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
-#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
-
-#if defined(PSA_WANT_ALG_TLS12_PRF)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
-#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF */
-#endif /* PSA_WANT_ALG_TLS12_PRF */
-
-#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)
-#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
-#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
-
-#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS)
-#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */
-#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
-#define MBEDTLS_GENPRIME
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */
-#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */
-#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */
-#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */
-#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
-#define MBEDTLS_BIGNUM_C
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
-#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
-#define MBEDTLS_RSA_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
-#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
-
-/* If any of the block modes are requested that don't have an
- * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking
- * in the block cipher key types. */
-#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
- (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
- (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
- defined(PSA_WANT_ALG_ECB_NO_PADDING) || \
- (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
- (defined(PSA_WANT_ALG_CBC_PKCS7) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \
- (defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC))
-#define PSA_HAVE_SOFT_BLOCK_MODE 1
-#endif
-
-#if (defined(PSA_WANT_ALG_GCM) && !defined(MBEDTLS_PSA_ACCEL_ALG_GCM)) || \
- (defined(PSA_WANT_ALG_CCM) && !defined(MBEDTLS_PSA_ACCEL_ALG_CCM))
-#define PSA_HAVE_SOFT_BLOCK_AEAD 1
-#endif
-
-#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)
-#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 1
-#define PSA_HAVE_SOFT_PBKDF2_CMAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128 */
-#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
-
-#if defined(PSA_WANT_KEY_TYPE_AES)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
-#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
-#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
- defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
- defined(PSA_HAVE_SOFT_BLOCK_AEAD) || \
- defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
-#define MBEDTLS_AES_C
-#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
-#endif /* PSA_WANT_KEY_TYPE_AES */
-
-#if defined(PSA_WANT_KEY_TYPE_ARIA)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
-#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
-#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
- defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
- defined(PSA_HAVE_SOFT_BLOCK_AEAD)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
-#define MBEDTLS_ARIA_C
-#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
-#endif /* PSA_WANT_KEY_TYPE_ARIA */
-
-#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
-#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
-#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
- defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
- defined(PSA_HAVE_SOFT_BLOCK_AEAD)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
-#define MBEDTLS_CAMELLIA_C
-#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
-#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
-
-#if defined(PSA_WANT_KEY_TYPE_DES)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES)
-#define PSA_HAVE_SOFT_KEY_TYPE_DES 1
-#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */
-#if defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
- defined(PSA_HAVE_SOFT_BLOCK_MODE)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
-#define MBEDTLS_DES_C
-#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
-#endif /* PSA_WANT_KEY_TYPE_DES */
-
-#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20)
-#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
-#define MBEDTLS_CHACHA20_C
-#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
-#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
-
-/* If any of the software block ciphers are selected, define
- * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these
- * situations. */
-#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
-#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
-#endif
-
-#if defined(PSA_WANT_ALG_STREAM_CIPHER)
-#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
-#endif /* PSA_WANT_ALG_STREAM_CIPHER */
-
-#if defined(PSA_WANT_ALG_CBC_MAC)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
-#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
-#define MBEDTLS_PSA_BUILTIN_ALG_CBC_MAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_CBC_MAC */
-#endif /* PSA_WANT_ALG_CBC_MAC */
-
-#if defined(PSA_WANT_ALG_CMAC)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER) || \
- defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
-#define MBEDTLS_CMAC_C
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */
-#endif /* PSA_WANT_ALG_CMAC */
-
-#if defined(PSA_HAVE_SOFT_PBKDF2_HMAC) || \
- defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
-#define PSA_HAVE_SOFT_PBKDF2 1
-#endif /* PSA_HAVE_SOFT_PBKDF2_HMAC || PSA_HAVE_SOFT_PBKDF2_CMAC */
-
-#if defined(PSA_WANT_ALG_CTR)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
-#define MBEDTLS_CIPHER_MODE_CTR
-#endif
-#endif /* PSA_WANT_ALG_CTR */
-
-#if defined(PSA_WANT_ALG_CFB)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
-#define MBEDTLS_CIPHER_MODE_CFB
-#endif
-#endif /* PSA_WANT_ALG_CFB */
-
-#if defined(PSA_WANT_ALG_OFB)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
-#define MBEDTLS_CIPHER_MODE_OFB
-#endif
-#endif /* PSA_WANT_ALG_OFB */
-
-#if defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
- !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)
-#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
-#endif
-
-#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
-#endif
-#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
-
-#if defined(PSA_WANT_ALG_CBC_PKCS7)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \
- defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#endif
-#endif /* PSA_WANT_ALG_CBC_PKCS7 */
-
-#if defined(PSA_WANT_ALG_CCM)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
-#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
-#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
-#define MBEDTLS_CCM_C
-#endif
-#endif /* PSA_WANT_ALG_CCM */
-
-#if defined(PSA_WANT_ALG_GCM)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
- defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
-#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
-#define MBEDTLS_GCM_C
-#endif
-#endif /* PSA_WANT_ALG_GCM */
-
-#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305)
-#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
-#define MBEDTLS_CHACHAPOLY_C
-#define MBEDTLS_CHACHA20_C
-#define MBEDTLS_POLY1305_C
-#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
-#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 */
-#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
-
-#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H */
diff --git a/include/mbedtls/config_adjust_psa_from_legacy.h b/include/mbedtls/config_adjust_psa_from_legacy.h
index 088711d..14ca146 100644
--- a/include/mbedtls/config_adjust_psa_from_legacy.h
+++ b/include/mbedtls/config_adjust_psa_from_legacy.h
@@ -2,6 +2,8 @@
* \file mbedtls/config_adjust_psa_from_legacy.h
* \brief Adjust PSA configuration: construct PSA configuration from legacy
*
+ * This is an internal header. Do not include it directly.
+ *
* When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable
* cryptographic mechanisms through the PSA interface when the corresponding
* legacy mechanism is enabled. In many cases, this just enables the PSA
@@ -12,24 +14,20 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
#define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
/*
* Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
* is not defined
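Review bot: The new guard closes with `#endif /* */`, an empty comment where the rest of the file labels its `#endif`s; it should read `#endif /* !MBEDTLS_CONFIG_FILES_READ */`. The `#error` text also says "just remove it from your configuration file" without naming what "it" is, so the diagnostic would be clearer as "remove the #include of this header from your configuration file". The guard is only as strong as the rule that `MBEDTLS_CONFIG_FILES_READ` is defined in one place after the user configuration has been read. That definition is not visible in this hunk, so a short comment such as `/* MBEDTLS_CONFIG_FILES_READ is set by build_info.h only */` would help if that is indeed where it is set. The same block is added to config_adjust_ssl.h and config_adjust_x509.h later in this diff, and the points apply there too.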
@@ -37,9 +35,11 @@
#if defined(MBEDTLS_CCM_C)
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
-#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
#define PSA_WANT_ALG_CCM 1
+#if defined(MBEDTLS_CIPHER_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
+#endif /* MBEDTLS_CIPHER_C */
#endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CMAC_C)
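Review bot: The new `#if defined(MBEDTLS_CIPHER_C)` around `MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG` and `PSA_WANT_ALG_CCM_STAR_NO_TAG` has no comment explaining why CCM stays enabled without CIPHER_C while CCM*-no-tag does not. The ChaCha20 hunk further down documents the same kind of dependency, so I would add `/* ALG_CCM_STAR_NO_TAG requires CIPHER_C in order to be supported in PSA */` above the `#if` (presumably the same reason; please confirm). A build with `MBEDTLS_CCM_C` but without `MBEDTLS_CIPHER_C` now silently loses an algorithm it previously advertised, which is worth a ChangeLog line if that is not already covered. The ECB condition in the last hunk of this file gets the same guard with no comment either, and the ChaCha20 hunk closes with a bare `#endif` where this one uses `#endif /* MBEDTLS_CIPHER_C */`.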
@@ -91,13 +91,22 @@
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
#define PSA_WANT_ALG_FFDH 1
-#define PSA_WANT_DH_FAMILY_RFC7919 1
+#define PSA_WANT_DH_RFC7919_2048 1
+#define PSA_WANT_DH_RFC7919_3072 1
+#define PSA_WANT_DH_RFC7919_4096 1
+#define PSA_WANT_DH_RFC7919_6144 1
+#define PSA_WANT_DH_RFC7919_8192 1
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
#endif /* MBEDTLS_DHM_C */
#if defined(MBEDTLS_GCM_C)
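Review bot: Removing `PSA_WANT_DH_FAMILY_RFC7919` means any remaining `#if defined(PSA_WANT_DH_FAMILY_RFC7919)` in library, test or application code now evaluates false without a diagnostic, so FFDH paths could be compiled out silently. Nothing in this hunk shows a compatibility definition, so either confirm that every user of the old symbol was converted to the per-size `PSA_WANT_DH_RFC7919_xxxx` macros or keep a deprecated alias for one release. A comment above the five new `PSA_WANT_DH_RFC7919_*` lines would also help, e.g. `/* Legacy DHM is not size-selective: enable every RFC 7919 group */`, if that is the intent. The enclosing `#if defined(MBEDTLS_DHM_C)` starts outside this hunk.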
@@ -238,9 +247,12 @@
#if defined(MBEDTLS_CHACHA20_C)
#define PSA_WANT_KEY_TYPE_CHACHA20 1
-#define PSA_WANT_ALG_STREAM_CIPHER 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */
+#if defined(MBEDTLS_CIPHER_C)
+#define PSA_WANT_ALG_STREAM_CIPHER 1
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif
#if defined(MBEDTLS_CHACHAPOLY_C)
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
@@ -256,8 +268,9 @@
#endif
#endif
-#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
- defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)
+#if (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
+ defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)) && \
+ defined(MBEDTLS_CIPHER_C)
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#endif
diff --git a/include/mbedtls/config_adjust_psa_superset_legacy.h b/include/mbedtls/config_adjust_psa_superset_legacy.h
deleted file mode 100644
index 3d9029b..0000000
--- a/include/mbedtls/config_adjust_psa_superset_legacy.h
+++ /dev/null
@@ -1,154 +0,0 @@
-/**
- * \file mbedtls/config_adjust_psa_superset_legacy.h
- * \brief Adjust PSA configuration: automatic enablement from legacy
- *
- * To simplify some edge cases, we automatically enable certain cryptographic
- * mechanisms in the PSA API if they are enabled in the legacy API. The general
- * idea is that if legacy module M uses mechanism A internally, and A has
- * both a legacy and a PSA implementation, we enable A through PSA whenever
- * it's enabled through legacy. This facilitates the transition to PSA
- * implementations of A for users of M.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
-#define MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
-
-/****************************************************************/
-/* Hashes that are built in are also enabled in PSA.
- * This simplifies dependency declarations especially
- * for modules that obey MBEDTLS_USE_PSA_CRYPTO. */
-/****************************************************************/
-
-#if defined(MBEDTLS_MD5_C)
-#define PSA_WANT_ALG_MD5 1
-#endif
-
-#if defined(MBEDTLS_RIPEMD160_C)
-#define PSA_WANT_ALG_RIPEMD160 1
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-#define PSA_WANT_ALG_SHA_1 1
-#endif
-
-#if defined(MBEDTLS_SHA224_C)
-#define PSA_WANT_ALG_SHA_224 1
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-#define PSA_WANT_ALG_SHA_256 1
-#endif
-
-#if defined(MBEDTLS_SHA384_C)
-#define PSA_WANT_ALG_SHA_384 1
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-#define PSA_WANT_ALG_SHA_512 1
-#endif
-
-#if defined(MBEDTLS_SHA3_C)
-#define PSA_WANT_ALG_SHA3_224 1
-#define PSA_WANT_ALG_SHA3_256 1
-#define PSA_WANT_ALG_SHA3_384 1
-#define PSA_WANT_ALG_SHA3_512 1
-#endif
-
-/* Ensure that the PSA's supported curves (PSA_WANT_ECC_xxx) are always a
- * superset of the builtin ones (MBEDTLS_ECP_DP_xxx). */
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
-#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
-#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
-#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
-#endif /*MBEDTLS_ECP_DP_BP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
-#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
-#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
-#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-#if !defined(PSA_WANT_ECC_MONTGOMERY_255)
-#define PSA_WANT_ECC_MONTGOMERY_255 1
-#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#if !defined(PSA_WANT_ECC_MONTGOMERY_448)
-#define PSA_WANT_ECC_MONTGOMERY_448 1
-#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_R1_192)
-#define PSA_WANT_ECC_SECP_R1_192 1
-#endif /* PSA_WANT_ECC_SECP_R1_192 */
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_R1_224)
-#define PSA_WANT_ECC_SECP_R1_224 1
-#endif /* PSA_WANT_ECC_SECP_R1_224 */
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_R1_256)
-#define PSA_WANT_ECC_SECP_R1_256 1
-#endif /* PSA_WANT_ECC_SECP_R1_256 */
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_R1_384)
-#define PSA_WANT_ECC_SECP_R1_384 1
-#endif /* PSA_WANT_ECC_SECP_R1_384 */
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_R1_521)
-#define PSA_WANT_ECC_SECP_R1_521 1
-#endif /* PSA_WANT_ECC_SECP_R1_521 */
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_K1_192)
-#define PSA_WANT_ECC_SECP_K1_192 1
-#endif /* PSA_WANT_ECC_SECP_K1_192 */
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
-#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_K1_224)
-#define PSA_WANT_ECC_SECP_K1_224 1
-#endif /* PSA_WANT_ECC_SECP_K1_224 */
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-#if !defined(PSA_WANT_ECC_SECP_K1_256)
-#define PSA_WANT_ECC_SECP_K1_256 1
-#endif /* PSA_WANT_ECC_SECP_K1_256 */
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#endif /* MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H */
diff --git a/include/mbedtls/config_adjust_ssl.h b/include/mbedtls/config_adjust_ssl.h
index 2275f3a..309524a 100644
--- a/include/mbedtls/config_adjust_ssl.h
+++ b/include/mbedtls/config_adjust_ssl.h
@@ -2,6 +2,8 @@
* \file mbedtls/config_adjust_ssl.h
* \brief Adjust TLS configuration
*
+ * This is an internal header. Do not include it directly.
+ *
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
@@ -16,24 +18,20 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CONFIG_ADJUST_SSL_H
#define MBEDTLS_CONFIG_ADJUST_SSL_H
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
/* The following blocks make it easier to disable all of TLS,
* or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
* key exchanges, options and extensions related to them. */
@@ -46,6 +44,10 @@
#undef MBEDTLS_SSL_PROTO_DTLS
#endif
+#if !(defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS))
+#undef MBEDTLS_SSL_TICKET_C
+#endif
+
#if !defined(MBEDTLS_SSL_PROTO_DTLS)
#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
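Review bot: The added block silently `#undef`s `MBEDTLS_SSL_TICKET_C` when `MBEDTLS_SSL_SRV_C` or `MBEDTLS_SSL_SESSION_TICKETS` is off, and it carries no comment; the comment above this section only covers disabling all of TLS, TLS 1.2/1.3 or DTLS. An integrator who enabled the ticket module explicitly gets no indication that it was dropped, so I would add `/* The ticket module is only used by a server with session tickets enabled */` above the `#if` (please confirm that is the rationale). The next hunk adds `#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT` inside a condition that starts outside that hunk, with the same silent effect. A configuration that relies on the record size limit to bound its buffers would be better served by a diagnostic in check_config.h than by a quiet removal.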
@@ -77,6 +79,7 @@
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_EARLY_DATA
+#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
diff --git a/include/mbedtls/config_adjust_x509.h b/include/mbedtls/config_adjust_x509.h
index 99a0ace..c063251 100644
--- a/include/mbedtls/config_adjust_x509.h
+++ b/include/mbedtls/config_adjust_x509.h
@@ -2,6 +2,8 @@
* \file mbedtls/config_adjust_x509.h
* \brief Adjust X.509 configuration
*
+ * This is an internal header. Do not include it directly.
+ *
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
@@ -16,22 +18,18 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CONFIG_ADJUST_X509_H
#define MBEDTLS_CONFIG_ADJUST_X509_H
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
#endif /* MBEDTLS_CONFIG_ADJUST_X509_H */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
deleted file mode 100644
index 2d23971..0000000
--- a/include/mbedtls/config_psa.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/**
- * \file mbedtls/config_psa.h
- * \brief PSA crypto configuration options (set of defines)
- *
- * This set of compile-time options takes settings defined in
- * include/mbedtls/mbedtls_config.h and include/psa/crypto_config.h and uses
- * those definitions to define symbols used in the library code.
- *
- * Users and integrators should not edit this file, please edit
- * include/mbedtls/mbedtls_config.h for MBEDTLS_XXX settings or
- * include/psa/crypto_config.h for PSA_WANT_XXX settings.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONFIG_PSA_H
-#define MBEDTLS_CONFIG_PSA_H
-
-#include "psa/crypto_legacy.h"
-
-#include "psa/crypto_adjust_config_synonyms.h"
-
-#include "mbedtls/config_adjust_psa_superset_legacy.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-
-/* Require built-in implementations based on PSA requirements */
-
-/* We need this to have a complete list of requirements
- * before we deduce what built-ins are required. */
-#include "psa/crypto_adjust_config_key_pair_types.h"
-
-#include "mbedtls/config_adjust_legacy_from_psa.h"
-
-#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
-
-/* Infer PSA requirements from Mbed TLS capabilities */
-
-#include "mbedtls/config_adjust_psa_from_legacy.h"
-
-/* Hopefully the file above will have enabled keypair symbols in a consistent
- * way, but including this here fixes them if that wasn't the case. */
-#include "psa/crypto_adjust_config_key_pair_types.h"
-
-#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
-
-#if defined(PSA_WANT_ALG_JPAKE)
-#define PSA_WANT_ALG_SOME_PAKE 1
-#endif
-
-#include "psa/crypto_adjust_auto_enabled.h"
-
-#endif /* MBEDTLS_CONFIG_PSA_H */
diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h
deleted file mode 100644
index ebecf35..0000000
--- a/include/mbedtls/constant_time.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Constant-time functions
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONSTANT_TIME_H
-#define MBEDTLS_CONSTANT_TIME_H
-
-#include <stddef.h>
-
-/** Constant-time buffer comparison without branches.
- *
- * This is equivalent to the standard memcmp function, but is likely to be
- * compiled to code using bitwise operations rather than a branch, such that
- * the time taken is constant w.r.t. the data pointed to by \p a and \p b,
- * and w.r.t. whether \p a and \p b are equal or not. It is not constant-time
- * w.r.t. \p n .
- *
- * This function can be used to write constant-time code by replacing branches
- * with bit operations using masks.
- *
- * \param a Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
- * \param b Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
- * \param n The number of bytes to compare.
- *
- * \return Zero if the contents of the two buffers are the same,
- * otherwise non-zero.
- */
-int mbedtls_ct_memcmp(const void *a,
- const void *b,
- size_t n);
-
-#endif /* MBEDTLS_CONSTANT_TIME_H */
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
deleted file mode 100644
index 0348281..0000000
--- a/include/mbedtls/ctr_drbg.h
+++ /dev/null
@@ -1,576 +0,0 @@
-/**
- * \file ctr_drbg.h
- *
- * \brief This file contains definitions and functions for the
- * CTR_DRBG pseudorandom generator.
- *
- * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
- * in counter mode operation, as defined in <em>NIST SP 800-90A:
- * Recommendation for Random Number Generation Using Deterministic Random
- * Bit Generators</em>.
- *
- * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
- * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
- * as the underlying block cipher, with a derivation function.
- *
- * The security strength as defined in NIST SP 800-90A is
- * 128 bits when AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
- * and 256 bits otherwise, provided that #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
- * kept at its default value (and not overridden in mbedtls_config.h) and that the
- * DRBG instance is set up with default parameters.
- * See the documentation of mbedtls_ctr_drbg_seed() for more
- * information.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CTR_DRBG_H
-#define MBEDTLS_CTR_DRBG_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/aes.h"
-#include "entropy.h"
-
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-
-/** The entropy source failed. */
-#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034
-/** The requested random buffer length is too big. */
-#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036
-/** The input (entropy + additional data) is too large. */
-#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038
-/** Read or write error in file. */
-#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A
-
-#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< The block size used by the cipher. */
-
-#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
-#define MBEDTLS_CTR_DRBG_KEYSIZE 16
-/**< The key size in bytes used by the cipher.
- *
- * Compile-time choice: 16 bytes (128 bits)
- * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
- */
-#else
-#define MBEDTLS_CTR_DRBG_KEYSIZE 32
-/**< The key size in bytes used by the cipher.
- *
- * Compile-time choice: 32 bytes (256 bits)
- * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
- */
-#endif
-
-#define MBEDTLS_CTR_DRBG_KEYBITS (MBEDTLS_CTR_DRBG_KEYSIZE * 8) /**< The key size for the DRBG operation, in bits. */
-#define MBEDTLS_CTR_DRBG_SEEDLEN (MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE) /**< The seed length, calculated as (counter + AES key). */
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h or define them using the compiler command
- * line.
- * \{
- */
-
-/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
- *
- * \brief The amount of entropy used per seed by default, in bytes.
- */
-#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
-#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
-/** This is 48 bytes because the entropy module uses SHA-512.
- */
-#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
-
-#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
-
-/** This is 32 bytes because the entropy module uses SHA-256.
- */
-#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
-/** \warning To achieve a 256-bit security strength, you must pass a nonce
- * to mbedtls_ctr_drbg_seed().
- */
-#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
-#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32
-#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
-#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
-
-#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
-#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
-/**< The interval before reseed is performed by default. */
-#endif
-
-#if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
-#define MBEDTLS_CTR_DRBG_MAX_INPUT 256
-/**< The maximum number of additional input Bytes. */
-#endif
-
-#if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
-#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024
-/**< The maximum number of requested Bytes per call. */
-#endif
-
-#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
-#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
-/**< The maximum size of seed or reseed buffer in bytes. */
-#endif
-
-/** \} name SECTION: Module settings */
-
-#define MBEDTLS_CTR_DRBG_PR_OFF 0
-/**< Prediction resistance is disabled. */
-#define MBEDTLS_CTR_DRBG_PR_ON 1
-/**< Prediction resistance is enabled. */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
-/** The default length of the nonce read from the entropy source.
- *
- * This is \c 0 because a single read from the entropy source is sufficient
- * to include a nonce.
- * See the documentation of mbedtls_ctr_drbg_seed() for more information.
- */
-#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN 0
-#else
-/** The default length of the nonce read from the entropy source.
- *
- * This is half of the default entropy length because a single read from
- * the entropy source does not provide enough material to form a nonce.
- * See the documentation of mbedtls_ctr_drbg_seed() for more information.
- */
-#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2
-#endif
-
-/**
- * \brief The CTR_DRBG context structure.
- */
-typedef struct mbedtls_ctr_drbg_context {
- unsigned char MBEDTLS_PRIVATE(counter)[16]; /*!< The counter (V). */
- int MBEDTLS_PRIVATE(reseed_counter); /*!< The reseed counter.
- * This is the number of requests that have
- * been made since the last (re)seeding,
- * minus one.
- * Before the initial seeding, this field
- * contains the amount of entropy in bytes
- * to use as a nonce for the initial seeding,
- * or -1 if no nonce length has been explicitly
- * set (see mbedtls_ctr_drbg_set_nonce_len()).
- */
- int MBEDTLS_PRIVATE(prediction_resistance); /*!< This determines whether prediction
- resistance is enabled, that is
- whether to systematically reseed before
- each random generation. */
- size_t MBEDTLS_PRIVATE(entropy_len); /*!< The amount of entropy grabbed on each
- seed or reseed operation, in bytes. */
- int MBEDTLS_PRIVATE(reseed_interval); /*!< The reseed interval.
- * This is the maximum number of requests
- * that can be made between reseedings. */
-
- mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
-
- /*
- * Callbacks (Entropy)
- */
- int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t);
- /*!< The entropy callback function. */
-
- void *MBEDTLS_PRIVATE(p_entropy); /*!< The context for the entropy function. */
-
-#if defined(MBEDTLS_THREADING_C)
- /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
- * This means that the mutex is initialized during the initial seeding
- * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
- *
- * Note that this invariant may change without notice. Do not rely on it
- * and do not access the mutex directly in application code.
- */
- mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
-#endif
-}
-mbedtls_ctr_drbg_context;
-
-/**
- * \brief This function initializes the CTR_DRBG context,
- * and prepares it for mbedtls_ctr_drbg_seed()
- * or mbedtls_ctr_drbg_free().
- *
- * \note The reseed interval is
- * #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
- * You can override it by calling
- * mbedtls_ctr_drbg_set_reseed_interval().
- *
- * \param ctx The CTR_DRBG context to initialize.
- */
-void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx);
-
-/**
- * \brief This function seeds and sets up the CTR_DRBG
- * entropy source for future reseeds.
- *
- * A typical choice for the \p f_entropy and \p p_entropy parameters is
- * to use the entropy module:
- * - \p f_entropy is mbedtls_entropy_func();
- * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
- * with mbedtls_entropy_init() (which registers the platform's default
- * entropy sources).
- *
- * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
- * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
- *
- * The entropy nonce length is:
- * - \c 0 if the entropy length is at least 3/2 times the entropy length,
- * which guarantees that the security strength is the maximum permitted
- * by the key size and entropy length according to NIST SP 800-90A §10.2.1;
- * - Half the entropy length otherwise.
- * You can override it by calling mbedtls_ctr_drbg_set_nonce_len().
- * With the default entropy length, the entropy nonce length is
- * #MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.
- *
- * You can provide a nonce and personalization string in addition to the
- * entropy source, to make this instantiation as unique as possible.
- * See SP 800-90A §8.6.7 for more details about nonces.
- *
- * The _seed_material_ value passed to the derivation function in
- * the CTR_DRBG Instantiate Process described in NIST SP 800-90A §10.2.1.3.2
- * is the concatenation of the following strings:
- * - A string obtained by calling \p f_entropy function for the entropy
- * length.
- */
-#if MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN == 0
-/**
- * - If mbedtls_ctr_drbg_set_nonce_len() has been called, a string
- * obtained by calling \p f_entropy function for the specified length.
- */
-#else
-/**
- * - A string obtained by calling \p f_entropy function for the entropy nonce
- * length. If the entropy nonce length is \c 0, this function does not
- * make a second call to \p f_entropy.
- */
-#endif
-#if defined(MBEDTLS_THREADING_C)
-/**
- * \note When Mbed TLS is built with threading support,
- * after this function returns successfully,
- * it is safe to call mbedtls_ctr_drbg_random()
- * from multiple threads. Other operations, including
- * reseeding, are not thread-safe.
- */
-#endif /* MBEDTLS_THREADING_C */
-/**
- * - The \p custom string.
- *
- * \note To achieve the nominal security strength permitted
- * by CTR_DRBG, the entropy length must be:
- * - at least 16 bytes for a 128-bit strength
- * (maximum achievable strength when using AES-128);
- * - at least 32 bytes for a 256-bit strength
- * (maximum achievable strength when using AES-256).
- *
- * In addition, if you do not pass a nonce in \p custom,
- * the sum of the entropy length
- * and the entropy nonce length must be:
- * - at least 24 bytes for a 128-bit strength
- * (maximum achievable strength when using AES-128);
- * - at least 48 bytes for a 256-bit strength
- * (maximum achievable strength when using AES-256).
- *
- * \param ctx The CTR_DRBG context to seed.
- * It must have been initialized with
- * mbedtls_ctr_drbg_init().
- * After a successful call to mbedtls_ctr_drbg_seed(),
- * you may not call mbedtls_ctr_drbg_seed() again on
- * the same context unless you call
- * mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
- * again first.
- * After a failed call to mbedtls_ctr_drbg_seed(),
- * you must call mbedtls_ctr_drbg_free().
- * \param f_entropy The entropy callback, taking as arguments the
- * \p p_entropy context, the buffer to fill, and the
- * length of the buffer.
- * \p f_entropy is always called with a buffer size
- * less than or equal to the entropy length.
- * \param p_entropy The entropy context to pass to \p f_entropy.
- * \param custom The personalization string.
- * This can be \c NULL, in which case the personalization
- * string is empty regardless of the value of \p len.
- * \param len The length of the personalization string.
- * This must be at most
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
- * - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
- */
-int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
- int (*f_entropy)(void *, unsigned char *, size_t),
- void *p_entropy,
- const unsigned char *custom,
- size_t len);
-
-/**
- * \brief This function resets CTR_DRBG context to the state immediately
- * after initial call of mbedtls_ctr_drbg_init().
- *
- * \param ctx The CTR_DRBG context to clear.
- */
-void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx);
-
-/**
- * \brief This function turns prediction resistance on or off.
- * The default value is off.
- *
- * \note If enabled, entropy is gathered at the beginning of
- * every call to mbedtls_ctr_drbg_random_with_add()
- * or mbedtls_ctr_drbg_random().
- * Only use this if your entropy source has sufficient
- * throughput.
- *
- * \param ctx The CTR_DRBG context.
- * \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
- */
-void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
- int resistance);
-
-/**
- * \brief This function sets the amount of entropy grabbed on each
- * seed or reseed.
- *
- * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
- *
- * \note The security strength of CTR_DRBG is bounded by the
- * entropy length. Thus:
- * - When using AES-256
- * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
- * which is the default),
- * \p len must be at least 32 (in bytes)
- * to achieve a 256-bit strength.
- * - When using AES-128
- * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
- * \p len must be at least 16 (in bytes)
- * to achieve a 128-bit strength.
- *
- * \param ctx The CTR_DRBG context.
- * \param len The amount of entropy to grab, in bytes.
- * This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
- * and at most the maximum length accepted by the
- * entropy function that is set in the context.
- */
-void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
- size_t len);
-
-/**
- * \brief This function sets the amount of entropy grabbed
- * as a nonce for the initial seeding.
- *
- * Call this function before calling mbedtls_ctr_drbg_seed() to read
- * a nonce from the entropy source during the initial seeding.
- *
- * \param ctx The CTR_DRBG context.
- * \param len The amount of entropy to grab for the nonce, in bytes.
- * This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
- * and at most the maximum length accepted by the
- * entropy function that is set in the context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is
- * more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
- * if the initial seeding has already taken place.
- */
-int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
- size_t len);
-
-/**
- * \brief This function sets the reseed interval.
- *
- * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
- * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
- * is called again.
- *
- * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
- *
- * \param ctx The CTR_DRBG context.
- * \param interval The reseed interval.
- */
-void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
- int interval);
-
-/**
- * \brief This function reseeds the CTR_DRBG context, that is
- * extracts data from the entropy source.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param ctx The CTR_DRBG context.
- * \param additional Additional data to add to the state. Can be \c NULL.
- * \param len The length of the additional data.
- * This must be less than
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
- * where \c entropy_len is the entropy length
- * configured for the context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
- */
-int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional, size_t len);
-
-/**
- * \brief This function updates the state of the CTR_DRBG context.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param ctx The CTR_DRBG context.
- * \param additional The data to update the state with. This must not be
- * \c NULL unless \p add_len is \c 0.
- * \param add_len Length of \p additional in bytes. This must be at
- * most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
- * \p add_len is more than
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
- * \return An error from the underlying AES cipher on failure.
- */
-int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
- size_t add_len);
-
-/**
- * \brief This function updates a CTR_DRBG instance with additional
- * data and uses it to generate random data.
- *
- * This function automatically reseeds if the reseed counter is exceeded
- * or prediction resistance is enabled.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param p_rng The CTR_DRBG context. This must be a pointer to a
- * #mbedtls_ctr_drbg_context structure.
- * \param output The buffer to fill.
- * \param output_len The length of the buffer in bytes.
- * \param additional Additional data to update. Can be \c NULL, in which
- * case the additional data is empty regardless of
- * the value of \p add_len.
- * \param add_len The length of the additional data
- * if \p additional is not \c NULL.
- * This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
- * and less than
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
- * where \c entropy_len is the entropy length
- * configured for the context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
- * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
- */
-int mbedtls_ctr_drbg_random_with_add(void *p_rng,
- unsigned char *output, size_t output_len,
- const unsigned char *additional, size_t add_len);
-
-/**
- * \brief This function uses CTR_DRBG to generate random data.
- *
- * This function automatically reseeds if the reseed counter is exceeded
- * or prediction resistance is enabled.
- */
-#if defined(MBEDTLS_THREADING_C)
-/**
- * \note When Mbed TLS is built with threading support,
- * it is safe to call mbedtls_ctr_drbg_random()
- * from multiple threads. Other operations, including
- * reseeding, are not thread-safe.
- */
-#endif /* MBEDTLS_THREADING_C */
-/**
- * \param p_rng The CTR_DRBG context. This must be a pointer to a
- * #mbedtls_ctr_drbg_context structure.
- * \param output The buffer to fill.
- * \param output_len The length of the buffer in bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
- * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
- */
-int mbedtls_ctr_drbg_random(void *p_rng,
- unsigned char *output, size_t output_len);
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief This function writes a seed file.
- *
- * \param ctx The CTR_DRBG context.
- * \param path The name of the file.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
- * failure.
- */
-int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
-
-/**
- * \brief This function reads and updates a seed file. The seed
- * is added to this instance.
- *
- * \param ctx The CTR_DRBG context.
- * \param path The name of the file.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
- * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
- * reseed failure.
- * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
- * seed file is too large.
- */
-int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
-#endif /* MBEDTLS_FS_IO */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The CTR_DRBG checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_ctr_drbg_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ctr_drbg.h */
diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h
index d6dd152..424ed4b 100644
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_DEBUG_H
#define MBEDTLS_DEBUG_H
@@ -132,7 +120,12 @@
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
#if !defined(MBEDTLS_PRINTF_MS_TIME)
+#include <inttypes.h>
+#if !defined(PRId64)
+#define MBEDTLS_PRINTF_MS_TIME MBEDTLS_PRINTF_LONGLONG
+#else
#define MBEDTLS_PRINTF_MS_TIME PRId64
+#endif
#endif /* MBEDTLS_PRINTF_MS_TIME */
#ifdef __cplusplus
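Review bot: The new fallback `#define MBEDTLS_PRINTF_MS_TIME MBEDTLS_PRINTF_LONGLONG` carries no comment on when `PRId64` can be missing or what argument type it assumes. A conversion specifier that does not match its argument is undefined behaviour in every printf-style call built with this macro. I would add a comment above `#if !defined(PRId64)`, for example `/* <inttypes.h> may not define PRId64 (presumably older C libraries, or C++ builds without __STDC_FORMAT_MACROS); the fallback assumes the millisecond time value is passed as a long long. */`. Callers on that path should then cast the value to `long long`, or the assumption should be pinned with a compile-time size check. The conditional chain that defines `MBEDTLS_PRINTF_LONGLONG` starts outside this hunk, so confirm there that it is always defined before this point.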
@@ -156,165 +149,8 @@ extern "C" {
*/
void mbedtls_debug_set_threshold(int threshold);
-/**
- * \brief Print a message to the debug output. This function is always used
- * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
- * context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the message has occurred in
- * \param line line number the message has occurred at
- * \param format format specifier, in printf format
- * \param ... variables used by the format specifier
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
-
-/**
- * \brief Print the return value of a function to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text the name of the function that returned the error
- * \param ret the return code value
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, int ret);
-
-/**
- * \brief Output a buffer of size len bytes to the debug output. This function
- * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the buffer being dumped. Normally the
- * variable or buffer name
- * \param buf the buffer to be outputted
- * \param len length of the buffer
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line, const char *text,
- const unsigned char *buf, size_t len);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief Print a MPI variable to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the MPI being output. Normally the
- * variable name
- * \param X the MPI variable
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_mpi *X);
-#endif
-
-#if defined(MBEDTLS_ECP_C)
-/**
- * \brief Print an ECP point to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the ECP point being output. Normally the
- * variable name
- * \param X the ECP point
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_ecp_point *X);
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
-/**
- * \brief Print a X.509 certificate structure to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the certificate being output
- * \param crt X.509 certificate structure
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_x509_crt *crt);
-#endif
-
-/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
- only works for the built-in implementation. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
- defined(MBEDTLS_ECDH_C)
-typedef enum {
- MBEDTLS_DEBUG_ECDH_Q,
- MBEDTLS_DEBUG_ECDH_QP,
- MBEDTLS_DEBUG_ECDH_Z,
-} mbedtls_debug_ecdh_attr;
-
-/**
- * \brief Print a field of the ECDH structure in the SSL context to the debug
- * output. This function is always used through the
- * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
- * and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param ecdh the ECDH context
- * \param attr the identifier of the attribute being output
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const mbedtls_ecdh_context *ecdh,
- mbedtls_debug_ecdh_attr attr);
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
- MBEDTLS_ECDH_C */
-
#ifdef __cplusplus
}
#endif
-#endif /* debug.h */
+#endif /* MBEDTLS_DEBUG_H */
diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h
deleted file mode 100644
index f445102..0000000
--- a/include/mbedtls/des.h
+++ /dev/null
@@ -1,397 +0,0 @@
-/**
- * \file des.h
- *
- * \brief DES block cipher
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-#ifndef MBEDTLS_DES_H
-#define MBEDTLS_DES_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/platform_util.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define MBEDTLS_DES_ENCRYPT 1
-#define MBEDTLS_DES_DECRYPT 0
-
-/** The data input has an invalid length. */
-#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH -0x0032
-
-#define MBEDTLS_DES_KEY_SIZE 8
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_DES_ALT)
-// Regular implementation
-//
-
-/**
- * \brief DES context structure
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-typedef struct mbedtls_des_context {
- uint32_t MBEDTLS_PRIVATE(sk)[32]; /*!< DES subkeys */
-}
-mbedtls_des_context;
-
-/**
- * \brief Triple-DES context structure
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-typedef struct mbedtls_des3_context {
- uint32_t MBEDTLS_PRIVATE(sk)[96]; /*!< 3DES subkeys */
-}
-mbedtls_des3_context;
-
-#else /* MBEDTLS_DES_ALT */
-#include "des_alt.h"
-#endif /* MBEDTLS_DES_ALT */
-
-/**
- * \brief Initialize DES context
- *
- * \param ctx DES context to be initialized
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des_init(mbedtls_des_context *ctx);
-
-/**
- * \brief Clear DES context
- *
- * \param ctx DES context to be cleared
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des_free(mbedtls_des_context *ctx);
-
-/**
- * \brief Initialize Triple-DES context
- *
- * \param ctx DES3 context to be initialized
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des3_init(mbedtls_des3_context *ctx);
-
-/**
- * \brief Clear Triple-DES context
- *
- * \param ctx DES3 context to be cleared
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des3_free(mbedtls_des3_context *ctx);
-
-/**
- * \brief Set key parity on the given key to odd.
- *
- * DES keys are 56 bits long, but each byte is padded with
- * a parity bit to allow verification.
- *
- * \param key 8-byte secret key
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-/**
- * \brief Check that key parity on the given key is odd.
- *
- * DES keys are 56 bits long, but each byte is padded with
- * a parity bit to allow verification.
- *
- * \param key 8-byte secret key
- *
- * \return 0 is parity was ok, 1 if parity was not correct.
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-/**
- * \brief Check that key is not a weak or semi-weak DES key
- *
- * \param key 8-byte secret key
- *
- * \return 0 if no weak key was found, 1 if a weak key was identified.
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-/**
- * \brief DES key schedule (56-bit, encryption)
- *
- * \param ctx DES context to be initialized
- * \param key 8-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-/**
- * \brief DES key schedule (56-bit, decryption)
- *
- * \param ctx DES context to be initialized
- * \param key 8-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-/**
- * \brief Triple-DES key schedule (112-bit, encryption)
- *
- * \param ctx 3DES context to be initialized
- * \param key 16-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]);
-
-/**
- * \brief Triple-DES key schedule (112-bit, decryption)
- *
- * \param ctx 3DES context to be initialized
- * \param key 16-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]);
-
-/**
- * \brief Triple-DES key schedule (168-bit, encryption)
- *
- * \param ctx 3DES context to be initialized
- * \param key 24-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]);
-
-/**
- * \brief Triple-DES key schedule (168-bit, decryption)
- *
- * \param ctx 3DES context to be initialized
- * \param key 24-byte secret key
- *
- * \return 0
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]);
-
-/**
- * \brief DES-ECB block encryption/decryption
- *
- * \param ctx DES context
- * \param input 64-bit input block
- * \param output 64-bit output block
- *
- * \return 0 if successful
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
- const unsigned char input[8],
- unsigned char output[8]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief DES-CBC buffer encryption/decryption
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the function same function again on the following
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If on the other hand you need to retain the contents of the
- * IV, you should either save it manually or use the cipher
- * module instead.
- *
- * \param ctx DES context
- * \param mode MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
- * \param length length of the input data
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[8],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-/**
- * \brief 3DES-ECB block encryption/decryption
- *
- * \param ctx 3DES context
- * \param input 64-bit input block
- * \param output 64-bit output block
- *
- * \return 0 if successful
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
- const unsigned char input[8],
- unsigned char output[8]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief 3DES-CBC buffer encryption/decryption
- *
- * \note Upon exit, the content of the IV is updated so that you can
- * call the function same function again on the following
- * block(s) of data and get the same result as if it was
- * encrypted in one call. This allows a "streaming" usage.
- * If on the other hand you need to retain the contents of the
- * IV, you should either save it manually or use the cipher
- * module instead.
- *
- * \param ctx 3DES context
- * \param mode MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
- * \param length length of the input data
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
- *
- * \return 0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[8],
- const unsigned char *input,
- unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-/**
- * \brief Internal function for key expansion.
- * (Only exposed to allow overriding it,
- * see MBEDTLS_DES_SETKEY_ALT)
- *
- * \param SK Round keys
- * \param key Base key
- *
- * \warning DES/3DES are considered weak ciphers and their use constitutes a
- * security risk. We recommend considering stronger ciphers
- * instead.
- */
-void mbedtls_des_setkey(uint32_t SK[32],
- const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_des_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* des.h */
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
deleted file mode 100644
index 0232a71..0000000
--- a/include/mbedtls/dhm.h
+++ /dev/null
@@ -1,984 +0,0 @@
-/**
- * \file dhm.h
- *
- * \brief This file contains Diffie-Hellman-Merkle (DHM) key exchange
- * definitions and functions.
- *
- * Diffie-Hellman-Merkle (DHM) key exchange is defined in
- * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
- * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
- * Hellman Key Agreement Standard</em>.
- *
- * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
- * Internet Key Exchange (IKE)</em> defines a number of standardized
- * Diffie-Hellman groups for IKE.
- *
- * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
- * Standards</em> defines a number of standardized Diffie-Hellman
- * groups that can be used.
- *
- * \warning The security of the DHM key exchange relies on the proper choice
- * of prime modulus - optimally, it should be a safe prime. The usage
- * of non-safe primes both decreases the difficulty of the underlying
- * discrete logarithm problem and can lead to small subgroup attacks
- * leaking private exponent bits when invalid public keys are used
- * and not detected. This is especially relevant if the same DHM
- * parameters are reused for multiple key exchanges as in static DHM,
- * while the criticality of small-subgroup attacks is lower for
- * ephemeral DHM.
- *
- * \warning For performance reasons, the code does neither perform primality
- * nor safe primality tests, nor the expensive checks for invalid
- * subgroups. Moreover, even if these were performed, non-standardized
- * primes cannot be trusted because of the possibility of backdoors
- * that can't be effectively checked for.
- *
- * \warning Diffie-Hellman-Merkle is therefore a security risk when not using
- * standardized primes generated using a trustworthy ("nothing up
- * my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
- * protocol, DH parameters need to be negotiated, so using the default
- * primes systematically is not always an option. If possible, use
- * Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
- * and for which the TLS protocol mandates the use of standard
- * parameters.
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_DHM_H
-#define MBEDTLS_DHM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/bignum.h"
-
-/*
- * DHM Error codes
- */
-/** Bad input parameters. */
-#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080
-/** Reading of the DHM parameters failed. */
-#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED -0x3100
-/** Making of the DHM parameters failed. */
-#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED -0x3180
-/** Reading of the public values failed. */
-#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED -0x3200
-/** Making of the public value failed. */
-#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED -0x3280
-/** Calculation of the DHM secret failed. */
-#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED -0x3300
-/** The ASN.1 data is not formatted correctly. */
-#define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380
-/** Allocation of memory failed. */
-#define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400
-/** Read or write of file failed. */
-#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480
-/** Setting the modulus and generator failed. */
-#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3580
-
-/** Which parameter to access in mbedtls_dhm_get_value(). */
-typedef enum {
- MBEDTLS_DHM_PARAM_P, /*!< The prime modulus. */
- MBEDTLS_DHM_PARAM_G, /*!< The generator. */
- MBEDTLS_DHM_PARAM_X, /*!< Our secret value. */
- MBEDTLS_DHM_PARAM_GX, /*!< Our public key = \c G^X mod \c P. */
- MBEDTLS_DHM_PARAM_GY, /*!< The public key of the peer = \c G^Y mod \c P. */
- MBEDTLS_DHM_PARAM_K, /*!< The shared secret = \c G^(XY) mod \c P. */
-} mbedtls_dhm_parameter;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_DHM_ALT)
-
-/**
- * \brief The DHM context structure.
- */
-typedef struct mbedtls_dhm_context {
- mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The prime modulus. */
- mbedtls_mpi MBEDTLS_PRIVATE(G); /*!< The generator. */
- mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< Our secret value. */
- mbedtls_mpi MBEDTLS_PRIVATE(GX); /*!< Our public key = \c G^X mod \c P. */
- mbedtls_mpi MBEDTLS_PRIVATE(GY); /*!< The public key of the peer = \c G^Y mod \c P. */
- mbedtls_mpi MBEDTLS_PRIVATE(K); /*!< The shared secret = \c G^(XY) mod \c P. */
- mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< The cached value = \c R^2 mod \c P. */
- mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */
- mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */
- mbedtls_mpi MBEDTLS_PRIVATE(pX); /*!< The previous \c X. */
-}
-mbedtls_dhm_context;
-
-#else /* MBEDTLS_DHM_ALT */
-#include "dhm_alt.h"
-#endif /* MBEDTLS_DHM_ALT */
-
-/**
- * \brief This function initializes the DHM context.
- *
- * \param ctx The DHM context to initialize.
- */
-void mbedtls_dhm_init(mbedtls_dhm_context *ctx);
-
-/**
- * \brief This function parses the DHM parameters in a
- * TLS ServerKeyExchange handshake message
- * (DHM modulus, generator, and public key).
- *
- * \note In a TLS handshake, this is the how the client
- * sets up its DHM context from the server's public
- * DHM key material.
- *
- * \param ctx The DHM context to use. This must be initialized.
- * \param p On input, *p must be the start of the input buffer.
- * On output, *p is updated to point to the end of the data
- * that has been read. On success, this is the first byte
- * past the end of the ServerKeyExchange parameters.
- * On error, this is the point at which an error has been
- * detected, which is usually not useful except to debug
- * failures.
- * \param end The end of the input buffer.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
- unsigned char **p,
- const unsigned char *end);
-
-/**
- * \brief This function generates a DHM key pair and exports its
- * public part together with the DHM parameters in the format
- * used in a TLS ServerKeyExchange handshake message.
- *
- * \note This function assumes that the DHM parameters \c ctx->P
- * and \c ctx->G have already been properly set. For that, use
- * mbedtls_dhm_set_group() below in conjunction with
- * mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
- *
- * \note In a TLS handshake, this is the how the server generates
- * and exports its DHM key material.
- *
- * \param ctx The DHM context to use. This must be initialized
- * and have the DHM parameters set. It may or may not
- * already have imported the peer's public key.
- * \param x_size The private key size in Bytes.
- * \param olen The address at which to store the number of Bytes
- * written on success. This must not be \c NULL.
- * \param output The destination buffer. This must be a writable buffer of
- * sufficient size to hold the reduced binary presentation of
- * the modulus, the generator and the public key, each wrapped
- * with a 2-byte length field. It is the responsibility of the
- * caller to ensure that enough space is available. Refer to
- * mbedtls_mpi_size() to computing the byte-size of an MPI.
- * \param f_rng The RNG function. Must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context parameter.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
- unsigned char *output, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function sets the prime modulus and generator.
- *
- * \note This function can be used to set \c ctx->P, \c ctx->G
- * in preparation for mbedtls_dhm_make_params().
- *
- * \param ctx The DHM context to configure. This must be initialized.
- * \param P The MPI holding the DHM prime modulus. This must be
- * an initialized MPI.
- * \param G The MPI holding the DHM generator. This must be an
- * initialized MPI.
- *
- * \return \c 0 if successful.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
- const mbedtls_mpi *P,
- const mbedtls_mpi *G);
-
-/**
- * \brief This function imports the raw public value of the peer.
- *
- * \note In a TLS handshake, this is the how the server imports
- * the Client's public DHM key.
- *
- * \param ctx The DHM context to use. This must be initialized and have
- * its DHM parameters set, e.g. via mbedtls_dhm_set_group().
- * It may or may not already have generated its own private key.
- * \param input The input buffer containing the \c G^Y value of the peer.
- * This must be a readable buffer of size \p ilen Bytes.
- * \param ilen The size of the input buffer \p input in Bytes.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
- const unsigned char *input, size_t ilen);
-
-/**
- * \brief This function creates a DHM key pair and exports
- * the raw public key in big-endian format.
- *
- * \note The destination buffer is always fully written
- * so as to contain a big-endian representation of G^X mod P.
- * If it is larger than \c ctx->len, it is padded accordingly
- * with zero-bytes at the beginning.
- *
- * \param ctx The DHM context to use. This must be initialized and
- * have the DHM parameters set. It may or may not already
- * have imported the peer's public key.
- * \param x_size The private key size in Bytes.
- * \param output The destination buffer. This must be a writable buffer of
- * size \p olen Bytes.
- * \param olen The length of the destination buffer. This must be at least
- * equal to `ctx->len` (the size of \c P).
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
- unsigned char *output, size_t olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function derives and exports the shared secret
- * \c (G^Y)^X mod \c P.
- *
- * \note If \p f_rng is not \c NULL, it is used to blind the input as
- * a countermeasure against timing attacks. Blinding is used
- * only if our private key \c X is re-used, and not used
- * otherwise. We recommend always passing a non-NULL
- * \p f_rng argument.
- *
- * \param ctx The DHM context to use. This must be initialized
- * and have its own private key generated and the peer's
- * public key imported.
- * \param output The buffer to write the generated shared key to. This
- * must be a writable buffer of size \p output_size Bytes.
- * \param output_size The size of the destination buffer. This must be at
- * least the size of \c ctx->len (the size of \c P).
- * \param olen On exit, holds the actual number of Bytes written.
- * \param f_rng The RNG function. Must not be \c NULL. Used for
- * blinding.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context parameter.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
- */
-int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
- unsigned char *output, size_t output_size, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function returns the size of the prime modulus in bits.
- *
- * \param ctx The DHM context to query.
- *
- * \return The size of the prime modulus in bits,
- * i.e. the number n such that 2^(n-1) <= P < 2^n.
- */
-size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx);
-
-/**
- * \brief This function returns the size of the prime modulus in bytes.
- *
- * \param ctx The DHM context to query.
- *
- * \return The size of the prime modulus in bytes,
- * i.e. the number n such that 2^(8*(n-1)) <= P < 2^(8*n).
- */
-size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx);
-
-/**
- * \brief This function copies a parameter of a DHM key.
- *
- * \param ctx The DHM context to query.
- * \param param The parameter to copy.
- * \param dest The MPI object to copy the value into. It must be
- * initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid.
- * \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails.
- */
-int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
- mbedtls_dhm_parameter param,
- mbedtls_mpi *dest);
-
-/**
- * \brief This function frees and clears the components
- * of a DHM context.
- *
- * \param ctx The DHM context to free and clear. This may be \c NULL,
- * in which case this function is a no-op. If it is not \c NULL,
- * it must point to an initialized DHM context.
- */
-void mbedtls_dhm_free(mbedtls_dhm_context *ctx);
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-/**
- * \brief This function parses DHM parameters in PEM or DER format.
- *
- * \param dhm The DHM context to import the DHM parameters into.
- * This must be initialized.
- * \param dhmin The input buffer. This must be a readable buffer of
- * length \p dhminlen Bytes.
- * \param dhminlen The size of the input buffer \p dhmin, including the
- * terminating \c NULL Byte for PEM data.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
- * code on failure.
- */
-int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
- size_t dhminlen);
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief This function loads and parses DHM parameters from a file.
- *
- * \param dhm The DHM context to load the parameters to.
- * This must be initialized.
- * \param path The filename to read the DHM parameters from.
- * This must not be \c NULL.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
- * error code on failure.
- */
-int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path);
-#endif /* MBEDTLS_FS_IO */
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The DMH checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_dhm_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-#ifdef __cplusplus
-}
-#endif
-
-/**
- * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
- * Diffie-Hellman groups, some of which are included here
- * for use within the SSL/TLS module and the user's convenience
- * when configuring the Diffie-Hellman parameters by hand
- * through \c mbedtls_ssl_conf_dh_param.
- *
- * The following lists the source of the above groups in the standards:
- * - RFC 5114 section 2.2: 2048-bit MODP Group with 224-bit Prime Order Subgroup
- * - RFC 3526 section 3: 2048-bit MODP Group
- * - RFC 3526 section 4: 3072-bit MODP Group
- * - RFC 3526 section 5: 4096-bit MODP Group
- * - RFC 7919 section A.1: ffdhe2048
- * - RFC 7919 section A.2: ffdhe3072
- * - RFC 7919 section A.3: ffdhe4096
- * - RFC 7919 section A.4: ffdhe6144
- * - RFC 7919 section A.5: ffdhe8192
- *
- * The constants with suffix "_p" denote the chosen prime moduli, while
- * the constants with suffix "_g" denote the chosen generator
- * of the associated prime field.
- *
- * The constants further suffixed with "_bin" are provided in binary format,
- * while all other constants represent null-terminated strings holding the
- * hexadecimal presentation of the respective numbers.
- *
- * The primes from RFC 3526 and RFC 7919 have been generating by the following
- * trust-worthy procedure:
- * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
- * the first and last 64 bits are all 1, and the remaining N - 128 bits of
- * which are 0x7ff...ff.
- * - Add the smallest multiple of the first N - 129 bits of the binary expansion
- * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
- * such that the resulting integer is a safe-prime.
- * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
- * generator is always chosen to be 2 (which is a square for these prime,
- * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
- * bit in the private exponent).
- *
- */
-
-/*
- * Trustworthy DHM parameters in binary form
- */
-
-#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, \
- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, \
- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, \
- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, \
- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, \
- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, \
- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, \
- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, \
- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, \
- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, \
- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, \
- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, \
- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, \
- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, \
- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, \
- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, \
- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
- 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
- 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
- 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
- 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
- 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
- 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
- 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
- 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
- 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
- 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
- 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
- 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
- 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
- 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
- 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
- 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
- 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
- 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
- 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
- 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
- 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
- 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
- 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
- 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
- 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
- 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
- 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
- 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
- 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
- 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
- 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
- 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
- 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
- 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
- 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
- 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
- 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
- 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
- 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
- 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
- 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
- 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
- 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
- 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
- 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
- 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
- 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
- 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
- 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
- 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
- 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
- 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
- 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
- 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
- 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
- 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
- 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
- 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
- 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
- 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
- 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
- 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
- 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
- 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
- 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
- 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
- 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
- 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
- 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
- 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
- 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
- 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
- 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
- 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
- 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
- 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
- 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
- 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
- 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
- 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
- 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
- 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
- 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
- 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
- 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
- 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
- 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
- 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
- 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
- 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
- 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
- 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
- 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
- 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
- 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
- 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
- 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
- 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
- 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
- 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
- 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
- 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
- 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
- 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
- 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
- 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
- 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
- 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
- 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
- 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
- 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
- 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
- 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
- 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
- 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
- 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
- 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
- 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
- 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
- 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
- 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
- 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
- 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
- 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
- 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
- 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
- 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
- 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
- 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
- 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
- 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
- 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
- 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
- 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
- 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
- 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
- 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
- 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
- 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
- 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
- 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
- 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
- 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
- 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
- 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
- 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
- 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
- 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
- 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
- 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
- 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
- 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
- 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
- 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
- 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
- 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
- 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
- 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
- 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
- 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
- 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
- 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
- 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
- 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
- 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
- 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
- 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
- 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
- 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
- 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
- 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
- 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
- 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
- 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
- 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
- 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
- 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
- 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
- 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
- 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
- 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
- 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
- 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
- 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
- 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
- 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
- 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
- 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
- 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
- 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
- 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
- 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
- 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
- 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
- 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
- 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
- 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
- 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
- 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
- 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
- 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
- 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
- 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
- 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
- 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
- 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
- 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
- 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
- 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
- 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
- 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
- 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
- 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
- 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
- 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
- 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
- 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
- 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
- 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
- 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
- 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
- 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
- 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
- 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
- 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
- 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
- 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
- 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN { \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
- 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
- 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
- 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
- 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
- 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
- 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
- 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
- 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
- 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
- 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
- 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
- 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
- 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
- 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
- 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
- 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
- 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
- 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
- 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
- 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
- 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
- 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
- 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
- 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
- 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
- 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
- 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
- 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
- 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
- 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
- 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
- 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
- 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
- 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
- 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
- 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
- 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
- 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
- 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
- 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
- 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
- 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
- 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
- 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
- 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
- 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
- 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
- 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
- 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
- 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
- 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
- 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
- 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
- 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
- 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
- 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
- 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
- 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
- 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
- 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
- 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
- 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
- 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
- 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
- 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
- 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
- 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
- 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
- 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
- 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
- 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
- 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
- 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
- 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
- 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
- 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
- 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
- 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
- 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
- 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
- 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
- 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
- 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
- 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
- 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
- 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
- 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
- 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
- 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
- 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
- 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
- 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
- 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
- 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
- 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
- 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
- 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
- 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
- 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
- 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
- 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
- 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
- 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
- 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
- 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
- 0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
- 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
- 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
- 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
- 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
- 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
- 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
- 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
- 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
- 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
- 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
- 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
- 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
- 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
- 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
- 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
- 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
- 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
- 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
- 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
- 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
-
-#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
-
-#endif /* dhm.h */
diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h
deleted file mode 100644
index 67c94f0..0000000
--- a/include/mbedtls/ecdh.h
+++ /dev/null
@@ -1,453 +0,0 @@
-/**
- * \file ecdh.h
- *
- * \brief This file contains ECDH definitions and functions.
- *
- * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
- * key agreement protocol allowing two parties to establish a shared
- * secret over an insecure channel. Each party must have an
- * elliptic-curve public–private key pair.
- *
- * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
- * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
- * Cryptography</em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_ECDH_H
-#define MBEDTLS_ECDH_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/ecp.h"
-
-/*
- * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
- * defined in `ecdh.h`). For most applications, the choice of format makes
- * no difference, since all library functions can work with either format,
- * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
-
- * The new format used when this option is disabled is smaller
- * (56 bytes on a 32-bit platform). In future versions of the library, it
- * will support alternative implementations of ECDH operations.
- * The new format is incompatible with applications that access
- * context fields directly and with restartable ECP operations.
- */
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_ECDH_LEGACY_CONTEXT
-#else
-#undef MBEDTLS_ECDH_LEGACY_CONTEXT
-#endif
-
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
-#undef MBEDTLS_ECDH_LEGACY_CONTEXT
-#include "everest/everest.h"
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Defines the source of the imported EC key.
- */
-typedef enum {
- MBEDTLS_ECDH_OURS, /**< Our key. */
- MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
-} mbedtls_ecdh_side;
-
-#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-/**
- * Defines the ECDH implementation used.
- *
- * Later versions of the library may add new variants, therefore users should
- * not make any assumptions about them.
- */
-typedef enum {
- MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */
- MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- MBEDTLS_ECDH_VARIANT_EVEREST /*!< Everest implementation */
-#endif
-} mbedtls_ecdh_variant;
-
-/**
- * The context used by the default ECDH implementation.
- *
- * Later versions might change the structure of this context, therefore users
- * should not make any assumptions about the structure of
- * mbedtls_ecdh_context_mbed.
- */
-typedef struct mbedtls_ecdh_context_mbed {
- mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */
- mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */
- mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
-#endif
-} mbedtls_ecdh_context_mbed;
-#endif
-
-/**
- *
- * \warning Performing multiple operations concurrently on the same
- * ECDSA context is not supported; objects of this type
- * should not be shared between multiple threads.
- * \brief The ECDH context structure.
- */
-typedef struct mbedtls_ecdh_context {
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */
- mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */
- mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */
- int MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */
- mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- int MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. */
- mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-#else
- uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages
- as defined in RFC 4492. */
- mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id);/*!< The elliptic curve used. */
- mbedtls_ecdh_variant MBEDTLS_PRIVATE(var); /*!< The ECDH implementation/structure used. */
- union {
- mbedtls_ecdh_context_mbed MBEDTLS_PRIVATE(mbed_ecdh);
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- mbedtls_ecdh_context_everest MBEDTLS_PRIVATE(everest_ecdh);
-#endif
- } MBEDTLS_PRIVATE(ctx); /*!< Implementation-specific context. The
- context in use is specified by the \c var
- field. */
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- uint8_t MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. Functions of
- an alternative implementation not supporting
- restartable mode must return
- MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
- if this flag is set. */
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
-}
-mbedtls_ecdh_context;
-
-/**
- * \brief Check whether a given group can be used for ECDH.
- *
- * \param gid The ECP group ID to check.
- *
- * \return \c 1 if the group can be used, \c 0 otherwise
- */
-int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
-
-/**
- * \brief This function generates an ECDH keypair on an elliptic
- * curve.
- *
- * This function performs the first of two core computations
- * implemented during the ECDH key exchange. The second core
- * computation is performed by mbedtls_ecdh_compute_shared().
- *
- * \see ecp.h
- *
- * \param grp The ECP group to use. This must be initialized and have
- * domain parameters loaded, for example through
- * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
- * \param d The destination MPI (private key).
- * This must be initialized.
- * \param Q The destination point (public key).
- * This must be initialized.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL in case \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return Another \c MBEDTLS_ERR_ECP_XXX or
- * \c MBEDTLS_MPI_XXX error code on failure.
- */
-int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function computes the shared secret.
- *
- * This function performs the second of two core computations
- * implemented during the ECDH key exchange. The first core
- * computation is performed by mbedtls_ecdh_gen_public().
- *
- * \see ecp.h
- *
- * \note If \p f_rng is not NULL, it is used to implement
- * countermeasures against side-channel attacks.
- * For more information, see mbedtls_ecp_mul().
- *
- * \param grp The ECP group to use. This must be initialized and have
- * domain parameters loaded, for example through
- * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
- * \param z The destination MPI (shared secret).
- * This must be initialized.
- * \param Q The public key from another party.
- * This must be initialized.
- * \param d Our secret exponent (private key).
- * This must be initialized.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng is \c NULL or doesn't need a
- * context argument.
- *
- * \return \c 0 on success.
- * \return Another \c MBEDTLS_ERR_ECP_XXX or
- * \c MBEDTLS_MPI_XXX error code on failure.
- */
-int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
- const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function initializes an ECDH context.
- *
- * \param ctx The ECDH context to initialize. This must not be \c NULL.
- */
-void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx);
-
-/**
- * \brief This function sets up the ECDH context with the information
- * given.
- *
- * This function should be called after mbedtls_ecdh_init() but
- * before mbedtls_ecdh_make_params(). There is no need to call
- * this function before mbedtls_ecdh_read_params().
- *
- * This is the first function used by a TLS server for ECDHE
- * ciphersuites.
- *
- * \param ctx The ECDH context to set up. This must be initialized.
- * \param grp_id The group id of the group to set up the context for.
- *
- * \return \c 0 on success.
- */
-int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx,
- mbedtls_ecp_group_id grp_id);
-
-/**
- * \brief This function frees a context.
- *
- * \param ctx The context to free. This may be \c NULL, in which
- * case this function does nothing. If it is not \c NULL,
- * it must point to an initialized ECDH context.
- */
-void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
-
-/**
- * \brief This function generates an EC key pair and exports its
- * in the format used in a TLS ServerKeyExchange handshake
- * message.
- *
- * This is the second function used by a TLS server for ECDHE
- * ciphersuites. (It is called after mbedtls_ecdh_setup().)
- *
- * \see ecp.h
- *
- * \param ctx The ECDH context to use. This must be initialized
- * and bound to a group, for example via mbedtls_ecdh_setup().
- * \param olen The address at which to store the number of Bytes written.
- * \param buf The destination buffer. This must be a writable buffer of
- * length \p blen Bytes.
- * \param blen The length of the destination buffer \p buf in Bytes.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL in case \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function parses the ECDHE parameters in a
- * TLS ServerKeyExchange handshake message.
- *
- * \note In a TLS handshake, this is the how the client
- * sets up its ECDHE context from the server's public
- * ECDHE key material.
- *
- * \see ecp.h
- *
- * \param ctx The ECDHE context to use. This must be initialized.
- * \param buf On input, \c *buf must be the start of the input buffer.
- * On output, \c *buf is updated to point to the end of the
- * data that has been read. On success, this is the first byte
- * past the end of the ServerKeyExchange parameters.
- * On error, this is the point at which an error has been
- * detected, which is usually not useful except to debug
- * failures.
- * \param end The end of the input buffer.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
- const unsigned char **buf,
- const unsigned char *end);
-
-/**
- * \brief This function sets up an ECDH context from an EC key.
- *
- * It is used by clients and servers in place of the
- * ServerKeyEchange for static ECDH, and imports ECDH
- * parameters from the EC key information of a certificate.
- *
- * \see ecp.h
- *
- * \param ctx The ECDH context to set up. This must be initialized.
- * \param key The EC key to use. This must be initialized.
- * \param side Defines the source of the key. Possible values are:
- * - #MBEDTLS_ECDH_OURS: The key is ours.
- * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
- *
- * \return \c 0 on success.
- * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
- *
- */
-int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
- const mbedtls_ecp_keypair *key,
- mbedtls_ecdh_side side);
-
-/**
- * \brief This function generates a public key and exports it
- * as a TLS ClientKeyExchange payload.
- *
- * This is the second function used by a TLS client for ECDH(E)
- * ciphersuites.
- *
- * \see ecp.h
- *
- * \param ctx The ECDH context to use. This must be initialized
- * and bound to a group, the latter usually by
- * mbedtls_ecdh_read_params().
- * \param olen The address at which to store the number of Bytes written.
- * This must not be \c NULL.
- * \param buf The destination buffer. This must be a writable buffer
- * of length \p blen Bytes.
- * \param blen The size of the destination buffer \p buf in Bytes.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL in case \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function parses and processes the ECDHE payload of a
- * TLS ClientKeyExchange message.
- *
- * This is the third function used by a TLS server for ECDH(E)
- * ciphersuites. (It is called after mbedtls_ecdh_setup() and
- * mbedtls_ecdh_make_params().)
- *
- * \see ecp.h
- *
- * \param ctx The ECDH context to use. This must be initialized
- * and bound to a group, for example via mbedtls_ecdh_setup().
- * \param buf The pointer to the ClientKeyExchange payload. This must
- * be a readable buffer of length \p blen Bytes.
- * \param blen The length of the input buffer \p buf in Bytes.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
- const unsigned char *buf, size_t blen);
-
-/**
- * \brief This function derives and exports the shared secret.
- *
- * This is the last function used by both TLS client
- * and servers.
- *
- * \note If \p f_rng is not NULL, it is used to implement
- * countermeasures against side-channel attacks.
- * For more information, see mbedtls_ecp_mul().
- *
- * \see ecp.h
-
- * \param ctx The ECDH context to use. This must be initialized
- * and have its own private key generated and the peer's
- * public key imported.
- * \param olen The address at which to store the total number of
- * Bytes written on success. This must not be \c NULL.
- * \param buf The buffer to write the generated shared key to. This
- * must be a writable buffer of size \p blen Bytes.
- * \param blen The length of the destination buffer \p buf in Bytes.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context. This may be \c NULL if \p f_rng
- * doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
- */
-int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief This function enables restartable EC computations for this
- * context. (Default: disabled.)
- *
- * \see \c mbedtls_ecp_set_max_ops()
- *
- * \note It is not possible to safely disable restartable
- * computations once enabled, except by free-ing the context,
- * which cancels possible in-progress operations.
- *
- * \param ctx The ECDH context to use. This must be initialized.
- */
-void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ecdh.h */
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
deleted file mode 100644
index 3b2b418..0000000
--- a/include/mbedtls/ecdsa.h
+++ /dev/null
@@ -1,683 +0,0 @@
-/**
- * \file ecdsa.h
- *
- * \brief This file contains ECDSA definitions and functions.
- *
- * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
- * <em>Standards for Efficient Cryptography Group (SECG):
- * SEC1 Elliptic Curve Cryptography</em>.
- * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
- * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_ECDSA_H
-#define MBEDTLS_ECDSA_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/ecp.h"
-#include "mbedtls/md.h"
-
-/**
- * \brief Maximum ECDSA signature size for a given curve bit size
- *
- * \param bits Curve size in bits
- * \return Maximum signature size in bytes
- *
- * \note This macro returns a compile-time constant if its argument
- * is one. It may evaluate its argument multiple times.
- */
-/*
- * Ecdsa-Sig-Value ::= SEQUENCE {
- * r INTEGER,
- * s INTEGER
- * }
- *
- * For each of r and s, the value (V) may include an extra initial "0" bit.
- */
-#define MBEDTLS_ECDSA_MAX_SIG_LEN(bits) \
- (/*T,L of SEQUENCE*/ ((bits) >= 61 * 8 ? 3 : 2) + \
- /*T,L of r,s*/ 2 * (((bits) >= 127 * 8 ? 3 : 2) + \
- /*V of r,s*/ ((bits) + 8) / 8))
-
-/** The maximal size of an ECDSA signature in Bytes. */
-#define MBEDTLS_ECDSA_MAX_LEN MBEDTLS_ECDSA_MAX_SIG_LEN(MBEDTLS_ECP_MAX_BITS)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief The ECDSA context structure.
- *
- * \warning Performing multiple operations concurrently on the same
- * ECDSA context is not supported; objects of this type
- * should not be shared between multiple threads.
- *
- * \note pk_wrap module assumes that "ecdsa_context" is identical
- * to "ecp_keypair" (see for example structure
- * "mbedtls_eckey_info" where ECDSA sign/verify functions
- * are used also for EC key)
- */
-typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-
-/**
- * \brief Internal restart context for ecdsa_verify()
- *
- * \note Opaque struct, defined in ecdsa.c
- */
-typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
-
-/**
- * \brief Internal restart context for ecdsa_sign()
- *
- * \note Opaque struct, defined in ecdsa.c
- */
-typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-/**
- * \brief Internal restart context for ecdsa_sign_det()
- *
- * \note Opaque struct, defined in ecdsa.c
- */
-typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
-#endif
-
-/**
- * \brief General context for resuming ECDSA operations
- */
-typedef struct {
- mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(ecp); /*!< base context for ECP restart and
- shared administrative info */
- mbedtls_ecdsa_restart_ver_ctx *MBEDTLS_PRIVATE(ver); /*!< ecdsa_verify() sub-context */
- mbedtls_ecdsa_restart_sig_ctx *MBEDTLS_PRIVATE(sig); /*!< ecdsa_sign() sub-context */
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- mbedtls_ecdsa_restart_det_ctx *MBEDTLS_PRIVATE(det); /*!< ecdsa_sign_det() sub-context */
-#endif
-} mbedtls_ecdsa_restart_ctx;
-
-#else /* MBEDTLS_ECP_RESTARTABLE */
-
-/* Now we can declare functions that take a pointer to that */
-typedef void mbedtls_ecdsa_restart_ctx;
-
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-/**
- * \brief This function checks whether a given group can be used
- * for ECDSA.
- *
- * \param gid The ECP group ID to check.
- *
- * \return \c 1 if the group can be used, \c 0 otherwise
- */
-int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
-
-/**
- * \brief This function computes the ECDSA signature of a
- * previously-hashed message.
- *
- * \note The deterministic version implemented in
- * mbedtls_ecdsa_sign_det_ext() is usually preferred.
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated
- * as defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.3, step 5.
- *
- * \see ecp.h
- *
- * \param grp The context for the elliptic curve to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param r The MPI context in which to store the first part
- * the signature. This must be initialized.
- * \param s The MPI context in which to store the second part
- * the signature. This must be initialized.
- * \param d The private signing key. This must be initialized.
- * \param buf The content to be signed. This is usually the hash of
- * the original data to be signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context parameter.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX
- * or \c MBEDTLS_MPI_XXX error code on failure.
- */
-int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-/**
- * \brief This function computes the ECDSA signature of a
- * previously-hashed message, deterministic version.
- *
- * For more information, see <em>RFC-6979: Deterministic
- * Usage of the Digital Signature Algorithm (DSA) and Elliptic
- * Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated as
- * defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.3, step 5.
- *
- * \see ecp.h
- *
- * \param grp The context for the elliptic curve to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param r The MPI context in which to store the first part
- * the signature. This must be initialized.
- * \param s The MPI context in which to store the second part
- * the signature. This must be initialized.
- * \param d The private signing key. This must be initialized
- * and setup, for example through mbedtls_ecp_gen_privkey().
- * \param buf The hashed content to be signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param md_alg The hash algorithm used to hash the original data.
- * \param f_rng_blind The RNG function used for blinding. This must not be
- * \c NULL.
- * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This
- * may be \c NULL if \p f_rng_blind doesn't need a context
- * parameter.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- * error code on failure.
- */
-int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
- mbedtls_mpi *s, const mbedtls_mpi *d,
- const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind);
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
-#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
-/**
- * \brief This function computes the ECDSA signature of a
- * previously-hashed message, in a restartable way.
- *
- * \note The deterministic version implemented in
- * mbedtls_ecdsa_sign_det_restartable() is usually
- * preferred.
- *
- * \note This function is like \c mbedtls_ecdsa_sign() but
- * it can return early and restart according to the
- * limit set with \c mbedtls_ecp_set_max_ops() to
- * reduce blocking.
- *
- * \note If the bitlength of the message hash is larger
- * than the bitlength of the group order, then the
- * hash is truncated as defined in <em>Standards for
- * Efficient Cryptography Group (SECG): SEC1 Elliptic
- * Curve Cryptography</em>, section 4.1.3, step 5.
- *
- * \see ecp.h
- *
- * \param grp The context for the elliptic curve to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param r The MPI context in which to store the first part
- * the signature. This must be initialized.
- * \param s The MPI context in which to store the second part
- * the signature. This must be initialized.
- * \param d The private signing key. This must be initialized
- * and setup, for example through
- * mbedtls_ecp_gen_privkey().
- * \param buf The hashed content to be signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context parameter.
- * \param f_rng_blind The RNG function used for blinding. This must not be
- * \c NULL.
- * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context parameter.
- * \param rs_ctx The restart context to use. This may be \c NULL
- * to disable restarting. If it is not \c NULL, it
- * must point to an initialized restart context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c
- * mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
- * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
- * error code on failure.
- */
-int mbedtls_ecdsa_sign_restartable(
- mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d,
- const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx);
-
-#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-
-/**
- * \brief This function computes the ECDSA signature of a
- * previously-hashed message, in a restartable way.
- *
- * \note This function is like \c
- * mbedtls_ecdsa_sign_det_ext() but it can return
- * early and restart according to the limit set with
- * \c mbedtls_ecp_set_max_ops() to reduce blocking.
- *
- * \note If the bitlength of the message hash is larger
- * than the bitlength of the group order, then the
- * hash is truncated as defined in <em>Standards for
- * Efficient Cryptography Group (SECG): SEC1 Elliptic
- * Curve Cryptography</em>, section 4.1.3, step 5.
- *
- * \see ecp.h
- *
- * \param grp The context for the elliptic curve to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param r The MPI context in which to store the first part
- * the signature. This must be initialized.
- * \param s The MPI context in which to store the second part
- * the signature. This must be initialized.
- * \param d The private signing key. This must be initialized
- * and setup, for example through
- * mbedtls_ecp_gen_privkey().
- * \param buf The hashed content to be signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param md_alg The hash algorithm used to hash the original data.
- * \param f_rng_blind The RNG function used for blinding. This must not be
- * \c NULL.
- * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be
- * \c NULL if \p f_rng_blind doesn't need a context parameter.
- * \param rs_ctx The restart context to use. This may be \c NULL
- * to disable restarting. If it is not \c NULL, it
- * must point to an initialized restart context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c
- * mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
- * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
- * error code on failure.
- */
-int mbedtls_ecdsa_sign_det_restartable(
- mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx);
-
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
-/**
- * \brief This function verifies the ECDSA signature of a
- * previously-hashed message.
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated as
- * defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.4, step 3.
- *
- * \see ecp.h
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param buf The hashed content that was signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param Q The public key to use for verification. This must be
- * initialized and setup.
- * \param r The first integer of the signature.
- * This must be initialized.
- * \param s The second integer of the signature.
- * This must be initialized.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- * error code on failure.
- */
-int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
- const mbedtls_mpi *s);
-
-#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
-/**
- * \brief This function verifies the ECDSA signature of a
- * previously-hashed message, in a restartable manner
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated as
- * defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.4, step 3.
- *
- * \see ecp.h
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param buf The hashed content that was signed. This must be a readable
- * buffer of length \p blen Bytes. It may be \c NULL if
- * \p blen is zero.
- * \param blen The length of \p buf in Bytes.
- * \param Q The public key to use for verification. This must be
- * initialized and setup.
- * \param r The first integer of the signature.
- * This must be initialized.
- * \param s The second integer of the signature.
- * This must be initialized.
- * \param rs_ctx The restart context to use. This may be \c NULL to disable
- * restarting. If it is not \c NULL, it must point to an
- * initialized restart context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- * error code on failure.
- */
-int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *r,
- const mbedtls_mpi *s,
- mbedtls_ecdsa_restart_ctx *rs_ctx);
-
-#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
-
-/**
- * \brief This function computes the ECDSA signature and writes it
- * to a buffer, serialized as defined in <em>RFC-4492:
- * Elliptic Curve Cryptography (ECC) Cipher Suites for
- * Transport Layer Security (TLS)</em>.
- *
- * \warning It is not thread-safe to use the same context in
- * multiple threads.
- *
- * \note The deterministic version is used if
- * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
- * information, see <em>RFC-6979: Deterministic Usage
- * of the Digital Signature Algorithm (DSA) and Elliptic
- * Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated as
- * defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.3, step 5.
- *
- * \see ecp.h
- *
- * \param ctx The ECDSA context to use. This must be initialized
- * and have a group and private key bound to it, for example
- * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
- * \param md_alg The message digest that was used to hash the message.
- * \param hash The message hash to be signed. This must be a readable
- * buffer of length \p hlen Bytes.
- * \param hlen The length of the hash \p hash in Bytes.
- * \param sig The buffer to which to write the signature. This must be a
- * writable buffer of length at least twice as large as the
- * size of the curve used, plus 9. For example, 73 Bytes if
- * a 256-bit curve is used. A buffer length of
- * #MBEDTLS_ECDSA_MAX_LEN is always safe.
- * \param sig_size The size of the \p sig buffer in bytes.
- * \param slen The address at which to store the actual length of
- * the signature written. Must not be \c NULL.
- * \param f_rng The RNG function. This must not be \c NULL if
- * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
- * it is used only for blinding and may be set to \c NULL, but
- * doing so is DEPRECATED.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng is \c NULL or doesn't use a context.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hlen,
- unsigned char *sig, size_t sig_size, size_t *slen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function computes the ECDSA signature and writes it
- * to a buffer, in a restartable way.
- *
- * \see \c mbedtls_ecdsa_write_signature()
- *
- * \note This function is like \c mbedtls_ecdsa_write_signature()
- * but it can return early and restart according to the limit
- * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
- *
- * \param ctx The ECDSA context to use. This must be initialized
- * and have a group and private key bound to it, for example
- * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
- * \param md_alg The message digest that was used to hash the message.
- * \param hash The message hash to be signed. This must be a readable
- * buffer of length \p hlen Bytes.
- * \param hlen The length of the hash \p hash in Bytes.
- * \param sig The buffer to which to write the signature. This must be a
- * writable buffer of length at least twice as large as the
- * size of the curve used, plus 9. For example, 73 Bytes if
- * a 256-bit curve is used. A buffer length of
- * #MBEDTLS_ECDSA_MAX_LEN is always safe.
- * \param sig_size The size of the \p sig buffer in bytes.
- * \param slen The address at which to store the actual length of
- * the signature written. Must not be \c NULL.
- * \param f_rng The RNG function. This must not be \c NULL if
- * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
- * it is unused and may be set to \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng is \c NULL or doesn't use a context.
- * \param rs_ctx The restart context to use. This may be \c NULL to disable
- * restarting. If it is not \c NULL, it must point to an
- * initialized restart context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hlen,
- unsigned char *sig, size_t sig_size, size_t *slen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecdsa_restart_ctx *rs_ctx);
-
-/**
- * \brief This function reads and verifies an ECDSA signature.
- *
- * \note If the bitlength of the message hash is larger than the
- * bitlength of the group order, then the hash is truncated as
- * defined in <em>Standards for Efficient Cryptography Group
- * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- * 4.1.4, step 3.
- *
- * \see ecp.h
- *
- * \param ctx The ECDSA context to use. This must be initialized
- * and have a group and public key bound to it.
- * \param hash The message hash that was signed. This must be a readable
- * buffer of length \p hlen Bytes.
- * \param hlen The size of the hash \p hash.
- * \param sig The signature to read and verify. This must be a readable
- * buffer of length \p slen Bytes.
- * \param slen The size of \p sig in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
- * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
- * signature in \p sig, but its length is less than \p siglen.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
- * error code on failure for any other reason.
- */
-int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
- const unsigned char *hash, size_t hlen,
- const unsigned char *sig, size_t slen);
-
-/**
- * \brief This function reads and verifies an ECDSA signature,
- * in a restartable way.
- *
- * \see \c mbedtls_ecdsa_read_signature()
- *
- * \note This function is like \c mbedtls_ecdsa_read_signature()
- * but it can return early and restart according to the limit
- * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
- *
- * \param ctx The ECDSA context to use. This must be initialized
- * and have a group and public key bound to it.
- * \param hash The message hash that was signed. This must be a readable
- * buffer of length \p hlen Bytes.
- * \param hlen The size of the hash \p hash.
- * \param sig The signature to read and verify. This must be a readable
- * buffer of length \p slen Bytes.
- * \param slen The size of \p sig in Bytes.
- * \param rs_ctx The restart context to use. This may be \c NULL to disable
- * restarting. If it is not \c NULL, it must point to an
- * initialized restart context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
- * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
- * signature in \p sig, but its length is less than \p siglen.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
- * error code on failure for any other reason.
- */
-int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
- const unsigned char *hash, size_t hlen,
- const unsigned char *sig, size_t slen,
- mbedtls_ecdsa_restart_ctx *rs_ctx);
-
-/**
- * \brief This function generates an ECDSA keypair on the given curve.
- *
- * \see ecp.h
- *
- * \param ctx The ECDSA context to store the keypair in.
- * This must be initialized.
- * \param gid The elliptic curve to use. One of the various
- * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
- */
-int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/**
- * \brief This function sets up an ECDSA context from an EC key pair.
- *
- * \see ecp.h
- *
- * \param ctx The ECDSA context to setup. This must be initialized.
- * \param key The EC key to use. This must be initialized and hold
- * a private-public key pair or a public key. In the former
- * case, the ECDSA context may be used for signature creation
- * and verification after this call. In the latter case, it
- * may be used for signature verification.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
- */
-int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx,
- const mbedtls_ecp_keypair *key);
-
-/**
- * \brief This function initializes an ECDSA context.
- *
- * \param ctx The ECDSA context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx);
-
-/**
- * \brief This function frees an ECDSA context.
- *
- * \param ctx The ECDSA context to free. This may be \c NULL,
- * in which case this function does nothing. If it
- * is not \c NULL, it must be initialized.
- */
-void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief Initialize a restart context.
- *
- * \param ctx The restart context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx);
-
-/**
- * \brief Free the components of a restart context.
- *
- * \param ctx The restart context to free. This may be \c NULL,
- * in which case this function does nothing. If it
- * is not \c NULL, it must be initialized.
- */
-void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ecdsa.h */
diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
deleted file mode 100644
index 0008d73..0000000
--- a/include/mbedtls/ecjpake.h
+++ /dev/null
@@ -1,310 +0,0 @@
-/**
- * \file ecjpake.h
- *
- * \brief Elliptic curve J-PAKE
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ECJPAKE_H
-#define MBEDTLS_ECJPAKE_H
-#include "mbedtls/private_access.h"
-
-/*
- * J-PAKE is a password-authenticated key exchange that allows deriving a
- * strong shared secret from a (potentially low entropy) pre-shared
- * passphrase, with forward secrecy and mutual authentication.
- * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
- *
- * This file implements the Elliptic Curve variant of J-PAKE,
- * as defined in Chapter 7.4 of the Thread v1.0 Specification,
- * available to members of the Thread Group http://threadgroup.org/
- *
- * As the J-PAKE algorithm is inherently symmetric, so is our API.
- * Each party needs to send its first round message, in any order, to the
- * other party, then each sends its second round message, in any order.
- * The payloads are serialized in a way suitable for use in TLS, but could
- * also be use outside TLS.
- */
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/ecp.h"
-#include "mbedtls/md.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Roles in the EC J-PAKE exchange
- */
-typedef enum {
- MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */
- MBEDTLS_ECJPAKE_SERVER, /**< Server */
- MBEDTLS_ECJPAKE_NONE, /**< Undefined */
-} mbedtls_ecjpake_role;
-
-#if !defined(MBEDTLS_ECJPAKE_ALT)
-/**
- * EC J-PAKE context structure.
- *
- * J-PAKE is a symmetric protocol, except for the identifiers used in
- * Zero-Knowledge Proofs, and the serialization of the second message
- * (KeyExchange) as defined by the Thread spec.
- *
- * In order to benefit from this symmetry, we choose a different naming
- * convention from the Thread v1.0 spec. Correspondence is indicated in the
- * description as a pair C: client name, S: server name
- */
-typedef struct mbedtls_ecjpake_context {
- mbedtls_md_type_t MBEDTLS_PRIVATE(md_type); /**< Hash to use */
- mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /**< Elliptic curve */
- mbedtls_ecjpake_role MBEDTLS_PRIVATE(role); /**< Are we client or server? */
- int MBEDTLS_PRIVATE(point_format); /**< Format for point export */
-
- mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1); /**< My public key 1 C: X1, S: X3 */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2); /**< My public key 2 C: X2, S: X4 */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1); /**< Peer public key 1 C: X3, S: X1 */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2); /**< Peer public key 2 C: X4, S: X2 */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Xp); /**< Peer public key C: Xs, S: Xc */
-
- mbedtls_mpi MBEDTLS_PRIVATE(xm1); /**< My private key 1 C: x1, S: x3 */
- mbedtls_mpi MBEDTLS_PRIVATE(xm2); /**< My private key 2 C: x2, S: x4 */
-
- mbedtls_mpi MBEDTLS_PRIVATE(s); /**< Pre-shared secret (passphrase) */
-} mbedtls_ecjpake_context;
-
-#else /* MBEDTLS_ECJPAKE_ALT */
-#include "ecjpake_alt.h"
-#endif /* MBEDTLS_ECJPAKE_ALT */
-
-/**
- * \brief Initialize an ECJPAKE context.
- *
- * \param ctx The ECJPAKE context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx);
-
-/**
- * \brief Set up an ECJPAKE context for use.
- *
- * \note Currently the only values for hash/curve allowed by the
- * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
- *
- * \param ctx The ECJPAKE context to set up. This must be initialized.
- * \param role The role of the caller. This must be either
- * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
- * \param hash The identifier of the hash function to use,
- * for example #MBEDTLS_MD_SHA256.
- * \param curve The identifier of the elliptic curve to use,
- * for example #MBEDTLS_ECP_DP_SECP256R1.
- * \param secret The pre-shared secret (passphrase). This must be
- * a readable not empty buffer of length \p len Bytes. It need
- * only be valid for the duration of this call.
- * \param len The length of the pre-shared secret \p secret.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
- mbedtls_ecjpake_role role,
- mbedtls_md_type_t hash,
- mbedtls_ecp_group_id curve,
- const unsigned char *secret,
- size_t len);
-
-/**
- * \brief Set the point format for future reads and writes.
- *
- * \param ctx The ECJPAKE context to configure.
- * \param point_format The point format to use:
- * #MBEDTLS_ECP_PF_UNCOMPRESSED (default)
- * or #MBEDTLS_ECP_PF_COMPRESSED.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format
- * is invalid.
- */
-int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
- int point_format);
-
-/**
- * \brief Check if an ECJPAKE context is ready for use.
- *
- * \param ctx The ECJPAKE context to check. This must be
- * initialized.
- *
- * \return \c 0 if the context is ready for use.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
- */
-int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx);
-
-/**
- * \brief Generate and write the first round message
- * (TLS: contents of the Client/ServerHello extension,
- * excluding extension type and length bytes).
- *
- * \param ctx The ECJPAKE context to use. This must be
- * initialized and set up.
- * \param buf The buffer to write the contents to. This must be a
- * writable buffer of length \p len Bytes.
- * \param len The length of \p buf in Bytes.
- * \param olen The address at which to store the total number
- * of Bytes written to \p buf. This must not be \c NULL.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This
- * may be \c NULL if \p f_rng doesn't use a context.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Read and process the first round message
- * (TLS: contents of the Client/ServerHello extension,
- * excluding extension type and length bytes).
- *
- * \param ctx The ECJPAKE context to use. This must be initialized
- * and set up.
- * \param buf The buffer holding the first round message. This must
- * be a readable buffer of length \p len Bytes.
- * \param len The length in Bytes of \p buf.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
- const unsigned char *buf,
- size_t len);
-
-/**
- * \brief Generate and write the second round message
- * (TLS: contents of the Client/ServerKeyExchange).
- *
- * \param ctx The ECJPAKE context to use. This must be initialized,
- * set up, and already have performed round one.
- * \param buf The buffer to write the round two contents to.
- * This must be a writable buffer of length \p len Bytes.
- * \param len The size of \p buf in Bytes.
- * \param olen The address at which to store the total number of Bytes
- * written to \p buf. This must not be \c NULL.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This
- * may be \c NULL if \p f_rng doesn't use a context.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Read and process the second round message
- * (TLS: contents of the Client/ServerKeyExchange).
- *
- * \param ctx The ECJPAKE context to use. This must be initialized
- * and set up and already have performed round one.
- * \param buf The buffer holding the second round message. This must
- * be a readable buffer of length \p len Bytes.
- * \param len The length in Bytes of \p buf.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
- const unsigned char *buf,
- size_t len);
-
-/**
- * \brief Derive the shared secret
- * (TLS: Pre-Master Secret).
- *
- * \param ctx The ECJPAKE context to use. This must be initialized,
- * set up and have performed both round one and two.
- * \param buf The buffer to write the derived secret to. This must
- * be a writable buffer of length \p len Bytes.
- * \param len The length of \p buf in Bytes.
- * \param olen The address at which to store the total number of Bytes
- * written to \p buf. This must not be \c NULL.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This
- * may be \c NULL if \p f_rng doesn't use a context.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Write the shared key material to be passed to a Key
- * Derivation Function as described in RFC8236.
- *
- * \param ctx The ECJPAKE context to use. This must be initialized,
- * set up and have performed both round one and two.
- * \param buf The buffer to write the derived secret to. This must
- * be a writable buffer of length \p len Bytes.
- * \param len The length of \p buf in Bytes.
- * \param olen The address at which to store the total number of bytes
- * written to \p buf. This must not be \c NULL.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This
- * may be \c NULL if \p f_rng doesn't use a context.
- *
- * \return \c 0 if successful.
- * \return A negative error code on failure.
- */
-int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This clears an ECJPAKE context and frees any
- * embedded data structure.
- *
- * \param ctx The ECJPAKE context to free. This may be \c NULL,
- * in which case this function does nothing. If it is not
- * \c NULL, it must point to an initialized ECJPAKE context.
- */
-void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if a test failed
- */
-int mbedtls_ecjpake_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-
-#endif /* ecjpake.h */
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
deleted file mode 100644
index bf95b90..0000000
--- a/include/mbedtls/ecp.h
+++ /dev/null
@@ -1,1374 +0,0 @@
-/**
- * \file ecp.h
- *
- * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
- *
- * The use of ECP in cryptography and TLS is defined in
- * <em>Standards for Efficient Cryptography Group (SECG): SEC1
- * Elliptic Curve Cryptography</em> and
- * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
- * for Transport Layer Security (TLS)</em>.
- *
- * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
- * group types.
- *
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_ECP_H
-#define MBEDTLS_ECP_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/bignum.h"
-
-/*
- * ECP error codes
- */
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80
-/** The buffer is too small to write to. */
-#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00
-/** The requested feature is not available, for example, the requested curve is not supported. */
-#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80
-/** The signature is not valid. */
-#define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00
-/** Memory allocation failed. */
-#define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80
-/** Generation of random value, such as ephemeral key, failed. */
-#define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00
-/** Invalid private or public key. */
-#define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80
-/** The buffer contains a valid signature followed by more data. */
-#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00
-/** Operation in progress, call again with the same parameters to continue. */
-#define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00
-
-/* Flags indicating whether to include code that is specific to certain
- * types of curves. These flags are for internal library use only. */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-#define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
- defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define MBEDTLS_ECP_MONTGOMERY_ENABLED
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Domain-parameter identifiers: curve, subgroup, and generator.
- *
- * \note Only curves over prime fields are supported.
- *
- * \warning This library does not support validation of arbitrary domain
- * parameters. Therefore, only standardized domain parameters from trusted
- * sources should be used. See mbedtls_ecp_group_load().
- */
-/* Note: when adding a new curve:
- * - Add it at the end of this enum, otherwise you'll break the ABI by
- * changing the numerical value for existing curves.
- * - Increment MBEDTLS_ECP_DP_MAX below if needed.
- * - Update the calculation of MBEDTLS_ECP_MAX_BITS below.
- * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
- * mbedtls_config.h.
- * - List the curve as a dependency of MBEDTLS_ECP_C and
- * MBEDTLS_ECDSA_C if supported in check_config.h.
- * - Add the curve to the appropriate curve type macro
- * MBEDTLS_ECP_yyy_ENABLED above.
- * - Add the necessary definitions to ecp_curves.c.
- * - Add the curve to the ecp_supported_curves array in ecp.c.
- * - Add the curve to applicable profiles in x509_crt.c.
- * - Add the curve to applicable presets in ssl_tls.c.
- */
-typedef enum {
- MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
- MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
- MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
- MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
- MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
- MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
- MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */
- MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */
- MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */
- MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */
- MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */
- MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
- MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
- MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
-} mbedtls_ecp_group_id;
-
-/**
- * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
- */
-#define MBEDTLS_ECP_DP_MAX 14
-
-/*
- * Curve types
- */
-typedef enum {
- MBEDTLS_ECP_TYPE_NONE = 0,
- MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */
- MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */
-} mbedtls_ecp_curve_type;
-
-/**
- * Curve information, for use by other modules.
- *
- * The fields of this structure are part of the public API and can be
- * accessed directly by applications. Future versions of the library may
- * add extra fields or reorder existing fields.
- */
-typedef struct mbedtls_ecp_curve_info {
- mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
- uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
- uint16_t bit_size; /*!< The curve size in bits. */
- const char *name; /*!< A human-friendly name. */
-} mbedtls_ecp_curve_info;
-
-/**
- * \brief The ECP point structure, in Jacobian coordinates.
- *
- * \note All functions expect and return points satisfying
- * the following condition: <code>Z == 0</code> or
- * <code>Z == 1</code>. Other values of \p Z are
- * used only by internal functions.
- * The point is zero, or "at infinity", if <code>Z == 0</code>.
- * Otherwise, \p X and \p Y are its standard (affine)
- * coordinates.
- */
-typedef struct mbedtls_ecp_point {
- mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< The X coordinate of the ECP point. */
- mbedtls_mpi MBEDTLS_PRIVATE(Y); /*!< The Y coordinate of the ECP point. */
- mbedtls_mpi MBEDTLS_PRIVATE(Z); /*!< The Z coordinate of the ECP point. */
-}
-mbedtls_ecp_point;
-
-#if !defined(MBEDTLS_ECP_ALT)
-/*
- * default Mbed TLS elliptic curve arithmetic implementation
- *
- * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
- * alternative implementation for the whole module and it will replace this
- * one.)
- */
-
-/**
- * \brief The ECP group structure.
- *
- * We consider two types of curve equations:
- * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
- * (SEC1 + RFC-4492)</li>
- * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
- * Curve448)</li></ul>
- * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
- *
- * For Short Weierstrass, this subgroup is the whole curve, and its
- * cardinality is denoted by \p N. Our code requires that \p N is an
- * odd prime as mbedtls_ecp_mul() requires an odd number, and
- * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
- *
- * The default implementation only initializes \p A without setting it to the
- * authentic value for curves with <code>A = -3</code>(SECP256R1, etc), in which
- * case you need to load \p A by yourself when using domain parameters directly,
- * for example:
- * \code
- * mbedtls_mpi_init(&A);
- * mbedtls_ecp_group_init(&grp);
- * CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id));
- * if (mbedtls_ecp_group_a_is_minus_3(&grp)) {
- * CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3));
- * } else {
- * CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A));
- * }
- *
- * do_something_with_a(&A);
- *
- * cleanup:
- * mbedtls_mpi_free(&A);
- * mbedtls_ecp_group_free(&grp);
- * \endcode
- *
- * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
- * which is the quantity used in the formulas. Additionally, \p nbits is
- * not the size of \p N but the required size for private keys.
- *
- * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
- * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
- * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
- * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
- * in size, so that it may be efficiently brought in the 0..P-1 range by a few
- * additions or subtractions. Therefore, it is only an approximative modular
- * reduction. It must return 0 on success and non-zero on failure.
- *
- * \note Alternative implementations of the ECP module must obey the
- * following constraints.
- * * Group IDs must be distinct: if two group structures have
- * the same ID, then they must be identical.
- * * The fields \c id, \c P, \c A, \c B, \c G, \c N,
- * \c pbits and \c nbits must have the same type and semantics
- * as in the built-in implementation.
- * They must be available for reading, but direct modification
- * of these fields does not need to be supported.
- * They do not need to be at the same offset in the structure.
- */
-typedef struct mbedtls_ecp_group {
- mbedtls_ecp_group_id id; /*!< An internal group identifier. */
- mbedtls_mpi P; /*!< The prime modulus of the base field. */
- mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. Note that
- \p A is not set to the authentic value in some cases.
- Refer to detailed description of ::mbedtls_ecp_group if
- using domain parameters in the structure.
- For Montgomery curves: <code>(A + 2) / 4</code>. */
- mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
- For Montgomery curves: unused. */
- mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
- mbedtls_mpi N; /*!< The order of \p G. */
- size_t pbits; /*!< The number of bits in \p P.*/
- size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P.
- For Montgomery curves: the number of bits in the
- private keys. */
- /* End of public fields */
-
- unsigned int MBEDTLS_PRIVATE(h); /*!< \internal 1 if the constants are static. */
- int(*MBEDTLS_PRIVATE(modp))(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
- mod \p P (see above).*/
- int(*MBEDTLS_PRIVATE(t_pre))(mbedtls_ecp_point *, void *); /*!< Unused. */
- int(*MBEDTLS_PRIVATE(t_post))(mbedtls_ecp_point *, void *); /*!< Unused. */
- void *MBEDTLS_PRIVATE(t_data); /*!< Unused. */
- mbedtls_ecp_point *MBEDTLS_PRIVATE(T); /*!< Pre-computed points for ecp_mul_comb(). */
- size_t MBEDTLS_PRIVATE(T_size); /*!< The number of dynamic allocated pre-computed points. */
-}
-mbedtls_ecp_group;
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h, or define them using the compiler command line.
- * \{
- */
-
-#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
-/*
- * Maximum "window" size used for point multiplication.
- * Default: a point where higher memory usage yields diminishing performance
- * returns.
- * Minimum value: 2. Maximum value: 7.
- *
- * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
- * points used for point multiplication. This value is directly tied to EC
- * peak memory usage, so decreasing it by one should roughly cut memory usage
- * by two (if large curves are in use).
- *
- * Reduction in size may reduce speed, but larger curves are impacted first.
- * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
- * w-size: 6 5 4 3 2
- * 521 145 141 135 120 97
- * 384 214 209 198 177 146
- * 256 320 320 303 262 226
- * 224 475 475 453 398 342
- * 192 640 640 633 587 476
- */
-#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */
-#endif /* MBEDTLS_ECP_WINDOW_SIZE */
-
-#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
-/*
- * Trade code size for speed on fixed-point multiplication.
- *
- * This speeds up repeated multiplication of the generator (that is, the
- * multiplication in ECDSA signatures, and half of the multiplications in
- * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
- *
- * For each n-bit Short Weierstrass curve that is enabled, this adds 4n bytes
- * of code size if n < 384 and 8n otherwise.
- *
- * Change this value to 0 to reduce code size.
- */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */
-#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
-
-/** \} name SECTION: Module settings */
-
-#else /* MBEDTLS_ECP_ALT */
-#include "ecp_alt.h"
-#endif /* MBEDTLS_ECP_ALT */
-
-/**
- * The maximum size of the groups, that is, of \c N and \c P.
- */
-#if !defined(MBEDTLS_ECP_LIGHT)
-/* Dummy definition to help code that has optional ECP support and
- * defines an MBEDTLS_ECP_MAX_BYTES-sized array unconditionally. */
-#define MBEDTLS_ECP_MAX_BITS 1
-/* Note: the curves must be listed in DECREASING size! */
-#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 521
-#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 512
-#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 448
-#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 384
-#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 384
-#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 256
-#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 256
-#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 256
-#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 255
-#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 225 // n is slightly above 2^224
-#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 224
-#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 192
-#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS 192
-#else /* !MBEDTLS_ECP_LIGHT */
-#error "Missing definition of MBEDTLS_ECP_MAX_BITS"
-#endif /* !MBEDTLS_ECP_LIGHT */
-
-#define MBEDTLS_ECP_MAX_BYTES ((MBEDTLS_ECP_MAX_BITS + 7) / 8)
-#define MBEDTLS_ECP_MAX_PT_LEN (2 * MBEDTLS_ECP_MAX_BYTES + 1)
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-
-/**
- * \brief Internal restart context for multiplication
- *
- * \note Opaque struct
- */
-typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
-
-/**
- * \brief Internal restart context for ecp_muladd()
- *
- * \note Opaque struct
- */
-typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
-
-/**
- * \brief General context for resuming ECC operations
- */
-typedef struct {
- unsigned MBEDTLS_PRIVATE(ops_done); /*!< current ops count */
- unsigned MBEDTLS_PRIVATE(depth); /*!< call depth (0 = top-level) */
- mbedtls_ecp_restart_mul_ctx *MBEDTLS_PRIVATE(rsm); /*!< ecp_mul_comb() sub-context */
- mbedtls_ecp_restart_muladd_ctx *MBEDTLS_PRIVATE(ma); /*!< ecp_muladd() sub-context */
-} mbedtls_ecp_restart_ctx;
-
-/*
- * Operation counts for restartable functions
- */
-#define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */
-#define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */
-#define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */
-#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */
-
-/**
- * \brief Internal; for restartable functions in other modules.
- * Check and update basic ops budget.
- *
- * \param grp Group structure
- * \param rs_ctx Restart context
- * \param ops Number of basic ops to do
- *
- * \return \c 0 if doing \p ops basic ops is still allowed,
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
- */
-int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
- mbedtls_ecp_restart_ctx *rs_ctx,
- unsigned ops);
-
-/* Utility macro for checking and updating ops budget */
-#define MBEDTLS_ECP_BUDGET(ops) \
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, rs_ctx, \
- (unsigned) (ops)));
-
-#else /* MBEDTLS_ECP_RESTARTABLE */
-
-#define MBEDTLS_ECP_BUDGET(ops) /* no-op; for compatibility */
-
-/* We want to declare restartable versions of existing functions anyway */
-typedef void mbedtls_ecp_restart_ctx;
-
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-/**
- * \brief The ECP key-pair structure.
- *
- * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
- *
- * \note Members are deliberately in the same order as in the
- * ::mbedtls_ecdsa_context structure.
- */
-typedef struct mbedtls_ecp_keypair {
- mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< Elliptic curve and base point */
- mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< our secret value */
- mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< our public value */
-}
-mbedtls_ecp_keypair;
-
-/**
- * The uncompressed point format for Short Weierstrass curves
- * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
- */
-#define MBEDTLS_ECP_PF_UNCOMPRESSED 0
-/**
- * The compressed point format for Short Weierstrass curves
- * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
- *
- * \warning While this format is supported for all concerned curves for
- * writing, when it comes to parsing, it is not supported for all
- * curves. Specifically, parsing compressed points on
- * MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
- * supported.
- */
-#define MBEDTLS_ECP_PF_COMPRESSED 1
-
-/*
- * Some other constants from RFC 4492
- */
-#define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief Set the maximum number of basic operations done in a row.
- *
- * If more operations are needed to complete a computation,
- * #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
- * function performing the computation. It is then the
- * caller's responsibility to either call again with the same
- * parameters until it returns 0 or an error code; or to free
- * the restart context if the operation is to be aborted.
- *
- * It is strictly required that all input parameters and the
- * restart context be the same on successive calls for the
- * same operation, but output parameters need not be the
- * same; they must not be used until the function finally
- * returns 0.
- *
- * This only applies to functions whose documentation
- * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
- * SSL module). For functions that accept a "restart context"
- * argument, passing NULL disables restart and makes the
- * function equivalent to the function with the same name
- * with \c _restartable removed. For functions in the ECDH
- * module, restart is disabled unless the function accepts
- * an "ECDH context" argument and
- * mbedtls_ecdh_enable_restart() was previously called on
- * that context. For function in the SSL module, restart is
- * only enabled for specific sides and key exchanges
- * (currently only for clients and ECDHE-ECDSA).
- *
- * \warning Using the PSA interruptible interfaces with keys in local
- * storage and no accelerator driver will also call this
- * function to set the values specified via those interfaces,
- * overwriting values previously set. Care should be taken if
- * mixing these two interfaces.
- *
- * \param max_ops Maximum number of basic operations done in a row.
- * Default: 0 (unlimited).
- * Lower (non-zero) values mean ECC functions will block for
- * a lesser maximum amount of time.
- *
- * \note A "basic operation" is defined as a rough equivalent of a
- * multiplication in GF(p) for the NIST P-256 curve.
- * As an indication, with default settings, a scalar
- * multiplication (full run of \c mbedtls_ecp_mul()) is:
- * - about 3300 basic operations for P-256
- * - about 9400 basic operations for P-384
- *
- * \note Very low values are not always respected: sometimes
- * functions need to block for a minimum number of
- * operations, and will do so even if max_ops is set to a
- * lower value. That minimum depends on the curve size, and
- * can be made lower by decreasing the value of
- * \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the
- * lowest effective value for various curves and values of
- * that parameter (w for short):
- * w=6 w=5 w=4 w=3 w=2
- * P-256 208 208 160 136 124
- * P-384 682 416 320 272 248
- * P-521 1364 832 640 544 496
- *
- * \note This setting is currently ignored by Curve25519.
- */
-void mbedtls_ecp_set_max_ops(unsigned max_ops);
-
-/**
- * \brief Check if restart is enabled (max_ops != 0)
- *
- * \return \c 0 if \c max_ops == 0 (restart disabled)
- * \return \c 1 otherwise (restart enabled)
- */
-int mbedtls_ecp_restart_is_enabled(void);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-/*
- * Get the type of a curve
- */
-mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp);
-
-/**
- * \brief This function retrieves the information defined in
- * mbedtls_ecp_curve_info() for all supported curves.
- *
- * \note This function returns information about all curves
- * supported by the library. Some curves may not be
- * supported for all algorithms. Call mbedtls_ecdh_can_do()
- * or mbedtls_ecdsa_can_do() to check if a curve is
- * supported for ECDH or ECDSA.
- *
- * \return A statically allocated array. The last entry is 0.
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void);
-
-/**
- * \brief This function retrieves the list of internal group
- * identifiers of all supported curves in the order of
- * preference.
- *
- * \note This function returns information about all curves
- * supported by the library. Some curves may not be
- * supported for all algorithms. Call mbedtls_ecdh_can_do()
- * or mbedtls_ecdsa_can_do() to check if a curve is
- * supported for ECDH or ECDSA.
- *
- * \return A statically allocated array,
- * terminated with MBEDTLS_ECP_DP_NONE.
- */
-const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void);
-
-/**
- * \brief This function retrieves curve information from an internal
- * group identifier.
- *
- * \param grp_id An \c MBEDTLS_ECP_DP_XXX value.
- *
- * \return The associated curve information on success.
- * \return NULL on failure.
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id);
-
-/**
- * \brief This function retrieves curve information from a TLS
- * NamedCurve value.
- *
- * \param tls_id An \c MBEDTLS_ECP_DP_XXX value.
- *
- * \return The associated curve information on success.
- * \return NULL on failure.
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id);
-
-/**
- * \brief This function retrieves curve information from a
- * human-readable name.
- *
- * \param name The human-readable name.
- *
- * \return The associated curve information on success.
- * \return NULL on failure.
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name);
-
-/**
- * \brief This function initializes a point as zero.
- *
- * \param pt The point to initialize.
- */
-void mbedtls_ecp_point_init(mbedtls_ecp_point *pt);
-
-/**
- * \brief This function initializes an ECP group context
- * without loading any domain parameters.
- *
- * \note After this function is called, domain parameters
- * for various ECP groups can be loaded through the
- * mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
- * functions.
- */
-void mbedtls_ecp_group_init(mbedtls_ecp_group *grp);
-
-/**
- * \brief This function initializes a key pair as an invalid one.
- *
- * \param key The key pair to initialize.
- */
-void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key);
-
-/**
- * \brief This function frees the components of a point.
- *
- * \param pt The point to free.
- */
-void mbedtls_ecp_point_free(mbedtls_ecp_point *pt);
-
-/**
- * \brief This function frees the components of an ECP group.
- *
- * \param grp The group to free. This may be \c NULL, in which
- * case this function returns immediately. If it is not
- * \c NULL, it must point to an initialized ECP group.
- */
-void mbedtls_ecp_group_free(mbedtls_ecp_group *grp);
-
-/**
- * \brief This function frees the components of a key pair.
- *
- * \param key The key pair to free. This may be \c NULL, in which
- * case this function returns immediately. If it is not
- * \c NULL, it must point to an initialized ECP key pair.
- */
-void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief Initialize a restart context.
- *
- * \param ctx The restart context to initialize. This must
- * not be \c NULL.
- */
-void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx);
-
-/**
- * \brief Free the components of a restart context.
- *
- * \param ctx The restart context to free. This may be \c NULL, in which
- * case this function returns immediately. If it is not
- * \c NULL, it must point to an initialized restart context.
- */
-void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx);
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-/**
- * \brief This function copies the contents of point \p Q into
- * point \p P.
- *
- * \param P The destination point. This must be initialized.
- * \param Q The source point. This must be initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return Another negative error code for other kinds of failure.
- */
-int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q);
-
-/**
- * \brief This function copies the contents of group \p src into
- * group \p dst.
- *
- * \param dst The destination group. This must be initialized.
- * \param src The source group. This must be initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst,
- const mbedtls_ecp_group *src);
-
-/**
- * \brief This function sets a point to the point at infinity.
- *
- * \param pt The point to set. This must be initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt);
-
-/**
- * \brief This function checks if a point is the point at infinity.
- *
- * \param pt The point to test. This must be initialized.
- *
- * \return \c 1 if the point is zero.
- * \return \c 0 if the point is non-zero.
- * \return A negative error code on failure.
- */
-int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt);
-
-/**
- * \brief This function compares two points.
- *
- * \note This assumes that the points are normalized. Otherwise,
- * they may compare as "not equal" even if they are.
- *
- * \param P The first point to compare. This must be initialized.
- * \param Q The second point to compare. This must be initialized.
- *
- * \return \c 0 if the points are equal.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
- */
-int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
- const mbedtls_ecp_point *Q);
-
-/**
- * \brief This function imports a non-zero point from two ASCII
- * strings.
- *
- * \param P The destination point. This must be initialized.
- * \param radix The numeric base of the input.
- * \param x The first affine coordinate, as a null-terminated string.
- * \param y The second affine coordinate, as a null-terminated string.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_MPI_XXX error code on failure.
- */
-int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
- const char *x, const char *y);
-
-/**
- * \brief This function exports a point into unsigned binary data.
- *
- * \param grp The group to which the point should belong.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param P The point to export. This must be initialized.
- * \param format The point format. This must be either
- * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
- * (For groups without these formats, this parameter is
- * ignored. But it still has to be either of the above
- * values.)
- * \param olen The address at which to store the length of
- * the output in Bytes. This must not be \c NULL.
- * \param buf The output buffer. This must be a writable buffer
- * of length \p buflen Bytes.
- * \param buflen The length of the output buffer \p buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
- * is too small to hold the point.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
- * or the export for the given group is not implemented.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *P,
- int format, size_t *olen,
- unsigned char *buf, size_t buflen);
-
-/**
- * \brief This function imports a point from unsigned binary data.
- *
- * \note This function does not check that the point actually
- * belongs to the given group, see mbedtls_ecp_check_pubkey()
- * for that.
- *
- * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
- * limitations.
- *
- * \param grp The group to which the point should belong.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param P The destination context to import the point to.
- * This must be initialized.
- * \param buf The input buffer. This must be a readable buffer
- * of length \p ilen Bytes.
- * \param ilen The length of the input buffer \p buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the
- * given group is not implemented.
- */
-int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *P,
- const unsigned char *buf, size_t ilen);
-
-/**
- * \brief This function imports a point from a TLS ECPoint record.
- *
- * \note On function return, \p *buf is updated to point immediately
- * after the ECPoint record.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param pt The destination point.
- * \param buf The address of the pointer to the start of the input buffer.
- * \param len The length of the buffer.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization
- * failure.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
- */
-int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *pt,
- const unsigned char **buf, size_t len);
-
-/**
- * \brief This function exports a point as a TLS ECPoint record
- * defined in RFC 4492, Section 5.4.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param pt The point to be exported. This must be initialized.
- * \param format The point format to use. This must be either
- * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
- * \param olen The address at which to store the length in Bytes
- * of the data written.
- * \param buf The target buffer. This must be a writable buffer of
- * length \p blen Bytes.
- * \param blen The length of the target buffer \p buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
- * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
- * is too small to hold the exported point.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *pt,
- int format, size_t *olen,
- unsigned char *buf, size_t blen);
-
-/**
- * \brief This function sets up an ECP group context
- * from a standardized set of domain parameters.
- *
- * \note The index should be a value of the NamedCurve enum,
- * as defined in <em>RFC-4492: Elliptic Curve Cryptography
- * (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
- * usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
- *
- * \param grp The group context to setup. This must be initialized.
- * \param id The identifier of the domain parameter set to load.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
- * correspond to a known group.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id);
-
-/**
- * \brief This function sets up an ECP group context from a TLS
- * ECParameters record as defined in RFC 4492, Section 5.4.
- *
- * \note The read pointer \p buf is updated to point right after
- * the ECParameters record on exit.
- *
- * \param grp The group context to setup. This must be initialized.
- * \param buf The address of the pointer to the start of the input buffer.
- * \param len The length of the input buffer \c *buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
- * recognized.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
- const unsigned char **buf, size_t len);
-
-/**
- * \brief This function extracts an elliptic curve group ID from a
- * TLS ECParameters record as defined in RFC 4492, Section 5.4.
- *
- * \note The read pointer \p buf is updated to point right after
- * the ECParameters record on exit.
- *
- * \param grp The address at which to store the group id.
- * This must not be \c NULL.
- * \param buf The address of the pointer to the start of the input buffer.
- * \param len The length of the input buffer \c *buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
- * recognized.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
- const unsigned char **buf,
- size_t len);
-/**
- * \brief This function exports an elliptic curve as a TLS
- * ECParameters record as defined in RFC 4492, Section 5.4.
- *
- * \param grp The ECP group to be exported.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param olen The address at which to store the number of Bytes written.
- * This must not be \c NULL.
- * \param buf The buffer to write to. This must be a writable buffer
- * of length \p blen Bytes.
- * \param blen The length of the output buffer \p buf in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
- * buffer is too small to hold the exported group.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
- size_t *olen,
- unsigned char *buf, size_t blen);
-
-/**
- * \brief This function performs a scalar multiplication of a point
- * by an integer: \p R = \p m * \p P.
- *
- * It is not thread-safe to use same group in multiple threads.
- *
- * \note To prevent timing attacks, this function
- * executes the exact same sequence of base-field
- * operations for any valid \p m. It avoids any if-branch or
- * array index depending on the value of \p m. It also uses
- * \p f_rng to randomize some intermediate results.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param R The point in which to store the result of the calculation.
- * This must be initialized.
- * \param m The integer by which to multiply. This must be initialized.
- * \param P The point to multiply. This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
- * NULL if \p f_rng doesn't need a context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
- * key, or \p P is not a valid public key.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/**
- * \brief This function performs multiplication of a point by
- * an integer: \p R = \p m * \p P in a restartable way.
- *
- * \see mbedtls_ecp_mul()
- *
- * \note This function does the same as \c mbedtls_ecp_mul(), but
- * it can return early and restart according to the limit set
- * with \c mbedtls_ecp_set_max_ops() to reduce blocking.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param R The point in which to store the result of the calculation.
- * This must be initialized.
- * \param m The integer by which to multiply. This must be initialized.
- * \param P The point to multiply. This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
- * NULL if \p f_rng doesn't need a context.
- * \param rs_ctx The restart context (NULL disables restart).
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
- * key, or \p P is not a valid public key.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx);
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-/**
- * \brief This function checks if domain parameter A of the curve is
- * \c -3.
- *
- * \note This function is only defined for short Weierstrass curves.
- * It may not be included in builds without any short
- * Weierstrass curve.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- *
- * \return \c 1 if <code>A = -3</code>.
- * \return \c 0 Otherwise.
- */
-static inline int mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group *grp)
-{
- return grp->A.MBEDTLS_PRIVATE(p) == NULL;
-}
-
-/**
- * \brief This function performs multiplication and addition of two
- * points by integers: \p R = \p m * \p P + \p n * \p Q
- *
- * It is not thread-safe to use same group in multiple threads.
- *
- * \note In contrast to mbedtls_ecp_mul(), this function does not
- * guarantee a constant execution flow and timing.
- *
- * \note This function is only defined for short Weierstrass curves.
- * It may not be included in builds without any short
- * Weierstrass curve.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param R The point in which to store the result of the calculation.
- * This must be initialized.
- * \param m The integer by which to multiply \p P.
- * This must be initialized.
- * \param P The point to multiply by \p m. This must be initialized.
- * \param n The integer by which to multiply \p Q.
- * This must be initialized.
- * \param Q The point to be multiplied by \p n.
- * This must be initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
- * valid private keys, or \p P or \p Q are not valid public
- * keys.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
- * designate a short Weierstrass curve.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- const mbedtls_mpi *n, const mbedtls_ecp_point *Q);
-
-/**
- * \brief This function performs multiplication and addition of two
- * points by integers: \p R = \p m * \p P + \p n * \p Q in a
- * restartable way.
- *
- * \see \c mbedtls_ecp_muladd()
- *
- * \note This function works the same as \c mbedtls_ecp_muladd(),
- * but it can return early and restart according to the limit
- * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
- *
- * \note This function is only defined for short Weierstrass curves.
- * It may not be included in builds without any short
- * Weierstrass curve.
- *
- * \param grp The ECP group to use.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param R The point in which to store the result of the calculation.
- * This must be initialized.
- * \param m The integer by which to multiply \p P.
- * This must be initialized.
- * \param P The point to multiply by \p m. This must be initialized.
- * \param n The integer by which to multiply \p Q.
- * This must be initialized.
- * \param Q The point to be multiplied by \p n.
- * This must be initialized.
- * \param rs_ctx The restart context (NULL disables restart).
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
- * valid private keys, or \p P or \p Q are not valid public
- * keys.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
- * designate a short Weierstrass curve.
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_muladd_restartable(
- mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
- mbedtls_ecp_restart_ctx *rs_ctx);
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-/**
- * \brief This function checks that a point is a valid public key
- * on this curve.
- *
- * It only checks that the point is non-zero, has
- * valid coordinates and lies on the curve. It does not verify
- * that it is indeed a multiple of \c G. This additional
- * check is computationally more expensive, is not required
- * by standards, and should not be necessary if the group
- * used has a small cofactor. In particular, it is useless for
- * the NIST groups which all have a cofactor of 1.
- *
- * \note This function uses bare components rather than an
- * ::mbedtls_ecp_keypair structure, to ease use with other
- * structures, such as ::mbedtls_ecdh_context or
- * ::mbedtls_ecdsa_context.
- *
- * \param grp The ECP group the point should belong to.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param pt The point to check. This must be initialized.
- *
- * \return \c 0 if the point is a valid public key.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
- * a valid public key for the given curve.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *pt);
-
-/**
- * \brief This function checks that an \c mbedtls_mpi is a
- * valid private key for this curve.
- *
- * \note This function uses bare components rather than an
- * ::mbedtls_ecp_keypair structure to ease use with other
- * structures, such as ::mbedtls_ecdh_context or
- * ::mbedtls_ecdsa_context.
- *
- * \param grp The ECP group the private key should belong to.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param d The integer to check. This must be initialized.
- *
- * \return \c 0 if the point is a valid private key.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
- * private key for the given curve.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
- const mbedtls_mpi *d);
-
-/**
- * \brief This function generates a private key.
- *
- * \param grp The ECP group to generate a private key for.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param d The destination MPI (secret part). This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
- * on failure.
- */
-int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
- mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function generates a keypair with a configurable base
- * point.
- *
- * \note This function uses bare components rather than an
- * ::mbedtls_ecp_keypair structure to ease use with other
- * structures, such as ::mbedtls_ecdh_context or
- * ::mbedtls_ecdsa_context.
- *
- * \param grp The ECP group to generate a key pair for.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param G The base point to use. This must be initialized
- * and belong to \p grp. It replaces the default base
- * point \c grp->G used by mbedtls_ecp_gen_keypair().
- * \param d The destination MPI (secret part).
- * This must be initialized.
- * \param Q The destination point (public part).
- * This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may
- * be \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
- * on failure.
- */
-int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *G,
- mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function generates an ECP keypair.
- *
- * \note This function uses bare components rather than an
- * ::mbedtls_ecp_keypair structure to ease use with other
- * structures, such as ::mbedtls_ecdh_context or
- * ::mbedtls_ecdsa_context.
- *
- * \param grp The ECP group to generate a key pair for.
- * This must be initialized and have group parameters
- * set, for example through mbedtls_ecp_group_load().
- * \param d The destination MPI (secret part).
- * This must be initialized.
- * \param Q The destination point (public part).
- * This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may
- * be \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
- * on failure.
- */
-int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
- mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function generates an ECP key.
- *
- * \param grp_id The ECP group identifier.
- * \param key The destination key. This must be initialized.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may
- * be \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
- * on failure.
- */
-int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief This function reads an elliptic curve private key.
- *
- * \param grp_id The ECP group identifier.
- * \param key The destination key.
- * \param buf The buffer containing the binary representation of the
- * key. (Big endian integer for Weierstrass curves, byte
- * string for Montgomery curves.)
- * \param buflen The length of the buffer in bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is
- * invalid.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
- * the group is not implemented.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
- const unsigned char *buf, size_t buflen);
-
-/**
- * \brief This function exports an elliptic curve private key.
- *
- * \param key The private key.
- * \param buf The output buffer for containing the binary representation
- * of the key. (Big endian integer for Weierstrass curves, byte
- * string for Montgomery curves.)
- * \param buflen The total length of the buffer in bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
- representation is larger than the available space in \p buf.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
- * the group is not implemented.
- * \return Another negative error code on different kinds of failure.
- */
-int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
- unsigned char *buf, size_t buflen);
-
-/**
- * \brief This function checks that the keypair objects
- * \p pub and \p prv have the same group and the
- * same public point, and that the private key in
- * \p prv is consistent with the public key.
- *
- * \param pub The keypair structure holding the public key. This
- * must be initialized. If it contains a private key, that
- * part is ignored.
- * \param prv The keypair structure holding the full keypair.
- * This must be initialized.
- * \param f_rng The RNG function. This must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
- * NULL if \p f_rng doesn't need a context.
- *
- * \return \c 0 on success, meaning that the keys are valid and match.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
- * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
- * error code on calculation failure.
- */
-int mbedtls_ecp_check_pub_priv(
- const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/**
- * \brief This function exports generic key-pair parameters.
- *
- * \param key The key pair to export from.
- * \param grp Slot for exported ECP group.
- * It must point to an initialized ECP group.
- * \param d Slot for the exported secret value.
- * It must point to an initialized mpi.
- * \param Q Slot for the exported public value.
- * It must point to an initialized ECP point.
- *
- * \return \c 0 on success,
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't
- * correspond to a known group.
- * \return Another negative error code on other kinds of failure.
- */
-int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
- mbedtls_mpi *d, mbedtls_ecp_point *Q);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The ECP checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_ecp_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ecp.h */
diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h
deleted file mode 100644
index c2bba41..0000000
--- a/include/mbedtls/entropy.h
+++ /dev/null
@@ -1,285 +0,0 @@
-/**
- * \file entropy.h
- *
- * \brief Entropy accumulator implementation
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ENTROPY_H
-#define MBEDTLS_ENTROPY_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-#include "md.h"
-
-#if defined(MBEDTLS_MD_CAN_SHA512) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
-#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA512
-#define MBEDTLS_ENTROPY_BLOCK_SIZE 64 /**< Block size of entropy accumulator (SHA-512) */
-#else
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
-#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA256
-#define MBEDTLS_ENTROPY_BLOCK_SIZE 32 /**< Block size of entropy accumulator (SHA-256) */
-#endif
-#endif
-
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-
-
-/** Critical entropy source failure. */
-#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED -0x003C
-/** No more sources can be added. */
-#define MBEDTLS_ERR_ENTROPY_MAX_SOURCES -0x003E
-/** No sources have been added to poll. */
-#define MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED -0x0040
-/** No strong sources have been added to poll. */
-#define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE -0x003D
-/** Read/write error in file. */
-#define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR -0x003F
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h or define them on the compiler command line.
- * \{
- */
-
-#if !defined(MBEDTLS_ENTROPY_MAX_SOURCES)
-#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
-#endif
-
-#if !defined(MBEDTLS_ENTROPY_MAX_GATHER)
-#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
-#endif
-
-/** \} name SECTION: Module settings */
-
-#define MBEDTLS_ENTROPY_MAX_SEED_SIZE 1024 /**< Maximum size of seed we read from seed file */
-#define MBEDTLS_ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_MAX_SOURCES
-
-#define MBEDTLS_ENTROPY_SOURCE_STRONG 1 /**< Entropy source is strong */
-#define MBEDTLS_ENTROPY_SOURCE_WEAK 0 /**< Entropy source is weak */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Entropy poll callback pointer
- *
- * \param data Callback-specific data pointer
- * \param output Data to fill
- * \param len Maximum size to provide
- * \param olen The actual amount of bytes put into the buffer (Can be 0)
- *
- * \return 0 if no critical failures occurred,
- * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise
- */
-typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, size_t len,
- size_t *olen);
-
-/**
- * \brief Entropy source state
- */
-typedef struct mbedtls_entropy_source_state {
- mbedtls_entropy_f_source_ptr MBEDTLS_PRIVATE(f_source); /**< The entropy source callback */
- void *MBEDTLS_PRIVATE(p_source); /**< The callback data pointer */
- size_t MBEDTLS_PRIVATE(size); /**< Amount received in bytes */
- size_t MBEDTLS_PRIVATE(threshold); /**< Minimum bytes required before release */
- int MBEDTLS_PRIVATE(strong); /**< Is the source strong? */
-}
-mbedtls_entropy_source_state;
-
-/**
- * \brief Entropy context structure
- */
-typedef struct mbedtls_entropy_context {
- mbedtls_md_context_t MBEDTLS_PRIVATE(accumulator);
- int MBEDTLS_PRIVATE(accumulator_started); /* 0 after init.
- * 1 after the first update.
- * -1 after free. */
- int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */
- mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES];
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< mutex */
-#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
- int MBEDTLS_PRIVATE(initial_entropy_run);
-#endif
-}
-mbedtls_entropy_context;
-
-#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
-/**
- * \brief Platform-specific entropy poll callback
- */
-int mbedtls_platform_entropy_poll(void *data,
- unsigned char *output, size_t len, size_t *olen);
-#endif
-
-/**
- * \brief Initialize the context
- *
- * \param ctx Entropy context to initialize
- */
-void mbedtls_entropy_init(mbedtls_entropy_context *ctx);
-
-/**
- * \brief Free the data in the context
- *
- * \param ctx Entropy context to free
- */
-void mbedtls_entropy_free(mbedtls_entropy_context *ctx);
-
-/**
- * \brief Adds an entropy source to poll
- * (Thread-safe if MBEDTLS_THREADING_C is enabled)
- *
- * \param ctx Entropy context
- * \param f_source Entropy function
- * \param p_source Function data
- * \param threshold Minimum required from source before entropy is released
- * ( with mbedtls_entropy_func() ) (in bytes)
- * \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or
- * MBEDTLS_ENTROPY_SOURCE_WEAK.
- * At least one strong source needs to be added.
- * Weaker sources (such as the cycle counter) can be used as
- * a complement.
- *
- * \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES
- */
-int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
- mbedtls_entropy_f_source_ptr f_source, void *p_source,
- size_t threshold, int strong);
-
-/**
- * \brief Trigger an extra gather poll for the accumulator
- * (Thread-safe if MBEDTLS_THREADING_C is enabled)
- *
- * \param ctx Entropy context
- *
- * \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
- */
-int mbedtls_entropy_gather(mbedtls_entropy_context *ctx);
-
-/**
- * \brief Retrieve entropy from the accumulator
- * (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE)
- * (Thread-safe if MBEDTLS_THREADING_C is enabled)
- *
- * \param data Entropy context
- * \param output Buffer to fill
- * \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE
- *
- * \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
- */
-int mbedtls_entropy_func(void *data, unsigned char *output, size_t len);
-
-/**
- * \brief Add data to the accumulator manually
- * (Thread-safe if MBEDTLS_THREADING_C is enabled)
- *
- * \param ctx Entropy context
- * \param data Data to add
- * \param len Length of data
- *
- * \return 0 if successful
- */
-int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
- const unsigned char *data, size_t len);
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-/**
- * \brief Trigger an update of the seed file in NV by using the
- * current entropy pool.
- *
- * \param ctx Entropy context
- *
- * \return 0 if successful
- */
-int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx);
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief Write a seed file
- *
- * \param ctx Entropy context
- * \param path Name of the file
- *
- * \return 0 if successful,
- * MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error, or
- * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
- */
-int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path);
-
-/**
- * \brief Read and update a seed file. Seed is added to this
- * instance. No more than MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes are
- * read from the seed file. The rest is ignored.
- *
- * \param ctx Entropy context
- * \param path Name of the file
- *
- * \return 0 if successful,
- * MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error,
- * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
- */
-int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path);
-#endif /* MBEDTLS_FS_IO */
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine
- *
- * This module self-test also calls the entropy self-test,
- * mbedtls_entropy_source_self_test();
- *
- * \return 0 if successful, or 1 if a test failed
- */
-int mbedtls_entropy_self_test(int verbose);
-
-#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
-/**
- * \brief Checkup routine
- *
- * Verifies the integrity of the hardware entropy source
- * provided by the function 'mbedtls_hardware_poll()'.
- *
- * Note this is the only hardware entropy source that is known
- * at link time, and other entropy sources configured
- * dynamically at runtime by the function
- * mbedtls_entropy_add_source() will not be tested.
- *
- * \return 0 if successful, or 1 if a test failed
- */
-int mbedtls_entropy_source_self_test(int verbose);
-#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* entropy.h */
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
deleted file mode 100644
index a7454f2..0000000
--- a/include/mbedtls/error.h
+++ /dev/null
@@ -1,213 +0,0 @@
-/**
- * \file error.h
- *
- * \brief Error to string translation
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ERROR_H
-#define MBEDTLS_ERROR_H
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-/**
- * Error code layout.
- *
- * Currently we try to keep all error codes within the negative space of 16
- * bits signed integers to support all platforms (-0x0001 - -0x7FFF). In
- * addition we'd like to give two layers of information on the error if
- * possible.
- *
- * For that purpose the error codes are segmented in the following manner:
- *
- * 16 bit error code bit-segmentation
- *
- * 1 bit - Unused (sign bit)
- * 3 bits - High level module ID
- * 5 bits - Module-dependent error code
- * 7 bits - Low level module errors
- *
- * For historical reasons, low-level error codes are divided in even and odd,
- * even codes were assigned first, and -1 is reserved for other errors.
- *
- * Low-level module errors (0x0002-0x007E, 0x0001-0x007F)
- *
- * Module Nr Codes assigned
- * ERROR 2 0x006E 0x0001
- * MPI 7 0x0002-0x0010
- * GCM 3 0x0012-0x0016 0x0013-0x0013
- * THREADING 3 0x001A-0x001E
- * AES 5 0x0020-0x0022 0x0021-0x0025
- * CAMELLIA 3 0x0024-0x0026 0x0027-0x0027
- * BASE64 2 0x002A-0x002C
- * OID 1 0x002E-0x002E 0x000B-0x000B
- * PADLOCK 1 0x0030-0x0030
- * DES 2 0x0032-0x0032 0x0033-0x0033
- * CTR_DBRG 4 0x0034-0x003A
- * ENTROPY 3 0x003C-0x0040 0x003D-0x003F
- * NET 13 0x0042-0x0052 0x0043-0x0049
- * ARIA 4 0x0058-0x005E
- * ASN1 7 0x0060-0x006C
- * CMAC 1 0x007A-0x007A
- * PBKDF2 1 0x007C-0x007C
- * HMAC_DRBG 4 0x0003-0x0009
- * CCM 3 0x000D-0x0011
- * MD5 1 0x002F-0x002F
- * RIPEMD160 1 0x0031-0x0031
- * SHA1 1 0x0035-0x0035 0x0073-0x0073
- * SHA256 1 0x0037-0x0037 0x0074-0x0074
- * SHA512 1 0x0039-0x0039 0x0075-0x0075
- * SHA-3 1 0x0076-0x0076
- * CHACHA20 3 0x0051-0x0055
- * POLY1305 3 0x0057-0x005B
- * CHACHAPOLY 2 0x0054-0x0056
- * PLATFORM 2 0x0070-0x0072
- * LMS 5 0x0011-0x0019
- *
- * High-level module nr (3 bits - 0x0...-0x7...)
- * Name ID Nr of Errors
- * PEM 1 9
- * PKCS#12 1 4 (Started from top)
- * X509 2 20
- * PKCS5 2 4 (Started from top)
- * DHM 3 11
- * PK 3 15 (Started from top)
- * RSA 4 11
- * ECP 4 10 (Started from top)
- * MD 5 5
- * HKDF 5 1 (Started from top)
- * PKCS7 5 12 (Started from 0x5300)
- * SSL 5 2 (Started from 0x5F00)
- * CIPHER 6 8 (Started from 0x6080)
- * SSL 6 22 (Started from top, plus 0x6000)
- * SSL 7 20 (Started from 0x7000, gaps at
- * 0x7380, 0x7900-0x7980, 0x7A80-0x7E80)
- *
- * Module dependent error code (5 bits 0x.00.-0x.F8.)
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** Generic error */
-#define MBEDTLS_ERR_ERROR_GENERIC_ERROR -0x0001
-/** This is a bug in the library */
-#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
-
-/** Hardware accelerator failed */
-#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED -0x0070
-/** The requested feature is not supported by the platform */
-#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072
-
-/**
- * \brief Combines a high-level and low-level error code together.
- *
- * Wrapper macro for mbedtls_error_add(). See that function for
- * more details.
- */
-#define MBEDTLS_ERROR_ADD(high, low) \
- mbedtls_error_add(high, low, __FILE__, __LINE__)
-
-#if defined(MBEDTLS_TEST_HOOKS)
-/**
- * \brief Testing hook called before adding/combining two error codes together.
- * Only used when invasive testing is enabled via MBEDTLS_TEST_HOOKS.
- */
-extern void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
-#endif
-
-/**
- * \brief Combines a high-level and low-level error code together.
- *
- * This function can be called directly however it is usually
- * called via the #MBEDTLS_ERROR_ADD macro.
- *
- * While a value of zero is not a negative error code, it is still an
- * error code (that denotes success) and can be combined with both a
- * negative error code or another value of zero.
- *
- * \note When invasive testing is enabled via #MBEDTLS_TEST_HOOKS, also try to
- * call \link mbedtls_test_hook_error_add \endlink.
- *
- * \param high high-level error code. See error.h for more details.
- * \param low low-level error code. See error.h for more details.
- * \param file file where this error code addition occurred.
- * \param line line where this error code addition occurred.
- */
-static inline int mbedtls_error_add(int high, int low,
- const char *file, int line)
-{
-#if defined(MBEDTLS_TEST_HOOKS)
- if (*mbedtls_test_hook_error_add != NULL) {
- (*mbedtls_test_hook_error_add)(high, low, file, line);
- }
-#endif
- (void) file;
- (void) line;
-
- return high + low;
-}
-
-/**
- * \brief Translate an Mbed TLS error code into a string representation.
- * The result is truncated if necessary and always includes a
- * terminating null byte.
- *
- * \param errnum error code
- * \param buffer buffer to place representation in
- * \param buflen length of the buffer
- */
-void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
-
-/**
- * \brief Translate the high-level part of an Mbed TLS error code into a string
- * representation.
- *
- * This function returns a const pointer to an un-modifiable string. The caller
- * must not try to modify the string. It is intended to be used mostly for
- * logging purposes.
- *
- * \param error_code error code
- *
- * \return The string representation of the error code, or \c NULL if the error
- * code is unknown.
- */
-const char *mbedtls_high_level_strerr(int error_code);
-
-/**
- * \brief Translate the low-level part of an Mbed TLS error code into a string
- * representation.
- *
- * This function returns a const pointer to an un-modifiable string. The caller
- * must not try to modify the string. It is intended to be used mostly for
- * logging purposes.
- *
- * \param error_code error code
- *
- * \return The string representation of the error code, or \c NULL if the error
- * code is unknown.
- */
-const char *mbedtls_low_level_strerr(int error_code);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* error.h */
diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h
deleted file mode 100644
index c3343e6..0000000
--- a/include/mbedtls/gcm.h
+++ /dev/null
@@ -1,382 +0,0 @@
-/**
- * \file gcm.h
- *
- * \brief This file contains GCM definitions and functions.
- *
- * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
- * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
- * (GCM), Natl. Inst. Stand. Technol.</em>
- *
- * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
- * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_GCM_H
-#define MBEDTLS_GCM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/cipher.h"
-
-#include <stdint.h>
-
-#define MBEDTLS_GCM_ENCRYPT 1
-#define MBEDTLS_GCM_DECRYPT 0
-
-/** Authenticated decryption failed. */
-#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014
-/** An output buffer is too small. */
-#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_GCM_ALT)
-
-/**
- * \brief The GCM context structure.
- */
-typedef struct mbedtls_gcm_context {
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
- uint64_t MBEDTLS_PRIVATE(HL)[16]; /*!< Precalculated HTable low. */
- uint64_t MBEDTLS_PRIVATE(HH)[16]; /*!< Precalculated HTable high. */
- uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */
- uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */
- unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */
- unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */
- unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */
- int MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
- #MBEDTLS_GCM_ENCRYPT or
- #MBEDTLS_GCM_DECRYPT. */
-}
-mbedtls_gcm_context;
-
-#else /* !MBEDTLS_GCM_ALT */
-#include "gcm_alt.h"
-#endif /* !MBEDTLS_GCM_ALT */
-
-/**
- * \brief This function initializes the specified GCM context,
- * to make references valid, and prepares the context
- * for mbedtls_gcm_setkey() or mbedtls_gcm_free().
- *
- * The function does not bind the GCM context to a particular
- * cipher, nor set the key. For this purpose, use
- * mbedtls_gcm_setkey().
- *
- * \param ctx The GCM context to initialize. This must not be \c NULL.
- */
-void mbedtls_gcm_init(mbedtls_gcm_context *ctx);
-
-/**
- * \brief This function associates a GCM context with a
- * cipher algorithm and a key.
- *
- * \param ctx The GCM context. This must be initialized.
- * \param cipher The 128-bit block cipher to use.
- * \param key The encryption key. This must be a readable buffer of at
- * least \p keybits bits.
- * \param keybits The key size in bits. Valid options are:
- * <ul><li>128 bits</li>
- * <li>192 bits</li>
- * <li>256 bits</li></ul>
- *
- * \return \c 0 on success.
- * \return A cipher-specific error code on failure.
- */
-int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits);
-
-/**
- * \brief This function performs GCM encryption or decryption of a buffer.
- *
- * \note For encryption, the output buffer can be the same as the
- * input buffer. For decryption, the output buffer cannot be
- * the same as input buffer. If the buffers overlap, the output
- * buffer must trail at least 8 Bytes behind the input buffer.
- *
- * \warning When this function performs a decryption, it outputs the
- * authentication tag and does not verify that the data is
- * authentic. You should use this function to perform encryption
- * only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
- *
- * \param ctx The GCM context to use for encryption or decryption. This
- * must be initialized.
- * \param mode The operation to perform:
- * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
- * The ciphertext is written to \p output and the
- * authentication tag is written to \p tag.
- * - #MBEDTLS_GCM_DECRYPT to perform decryption.
- * The plaintext is written to \p output and the
- * authentication tag is written to \p tag.
- * Note that this mode is not recommended, because it does
- * not verify the authenticity of the data. For this reason,
- * you should use mbedtls_gcm_auth_decrypt() instead of
- * calling this function in decryption mode.
- * \param length The length of the input data, which is equal to the length
- * of the output data.
- * \param iv The initialization vector. This must be a readable buffer of
- * at least \p iv_len Bytes.
- * \param iv_len The length of the IV.
- * \param add The buffer holding the additional data. This must be of at
- * least that size in Bytes.
- * \param add_len The length of the additional data.
- * \param input The buffer holding the input data. If \p length is greater
- * than zero, this must be a readable buffer of at least that
- * size in Bytes.
- * \param output The buffer for holding the output data. If \p length is greater
- * than zero, this must be a writable buffer of at least that
- * size in Bytes.
- * \param tag_len The length of the tag to generate.
- * \param tag The buffer for holding the tag. This must be a writable
- * buffer of at least \p tag_len Bytes.
- *
- * \return \c 0 if the encryption or decryption was performed
- * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
- * this does not indicate that the data is authentic.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
- * not valid or a cipher-specific error code if the encryption
- * or decryption failed.
- */
-int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
- int mode,
- size_t length,
- const unsigned char *iv,
- size_t iv_len,
- const unsigned char *add,
- size_t add_len,
- const unsigned char *input,
- unsigned char *output,
- size_t tag_len,
- unsigned char *tag);
-
-/**
- * \brief This function performs a GCM authenticated decryption of a
- * buffer.
- *
- * \note For decryption, the output buffer cannot be the same as
- * input buffer. If the buffers overlap, the output buffer
- * must trail at least 8 Bytes behind the input buffer.
- *
- * \param ctx The GCM context. This must be initialized.
- * \param length The length of the ciphertext to decrypt, which is also
- * the length of the decrypted plaintext.
- * \param iv The initialization vector. This must be a readable buffer
- * of at least \p iv_len Bytes.
- * \param iv_len The length of the IV.
- * \param add The buffer holding the additional data. This must be of at
- * least that size in Bytes.
- * \param add_len The length of the additional data.
- * \param tag The buffer holding the tag to verify. This must be a
- * readable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the tag to verify.
- * \param input The buffer holding the ciphertext. If \p length is greater
- * than zero, this must be a readable buffer of at least that
- * size.
- * \param output The buffer for holding the decrypted plaintext. If \p length
- * is greater than zero, this must be a writable buffer of at
- * least that size.
- *
- * \return \c 0 if successful and authenticated.
- * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
- * not valid or a cipher-specific error code if the decryption
- * failed.
- */
-int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
- size_t length,
- const unsigned char *iv,
- size_t iv_len,
- const unsigned char *add,
- size_t add_len,
- const unsigned char *tag,
- size_t tag_len,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function starts a GCM encryption or decryption
- * operation.
- *
- * \param ctx The GCM context. This must be initialized.
- * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
- * #MBEDTLS_GCM_DECRYPT.
- * \param iv The initialization vector. This must be a readable buffer of
- * at least \p iv_len Bytes.
- * \param iv_len The length of the IV.
- *
- * \return \c 0 on success.
- */
-int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
- int mode,
- const unsigned char *iv,
- size_t iv_len);
-
-/**
- * \brief This function feeds an input buffer as associated data
- * (authenticated but not encrypted data) in a GCM
- * encryption or decryption operation.
- *
- * Call this function after mbedtls_gcm_starts() to pass
- * the associated data. If the associated data is empty,
- * you do not need to call this function. You may not
- * call this function after calling mbedtls_cipher_update().
- *
- * \param ctx The GCM context. This must have been started with
- * mbedtls_gcm_starts() and must not have yet received
- * any input with mbedtls_gcm_update().
- * \param add The buffer holding the additional data, or \c NULL
- * if \p add_len is \c 0.
- * \param add_len The length of the additional data. If \c 0,
- * \p add may be \c NULL.
- *
- * \return \c 0 on success.
- */
-int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
- const unsigned char *add,
- size_t add_len);
-
-/**
- * \brief This function feeds an input buffer into an ongoing GCM
- * encryption or decryption operation.
- *
- * You may call this function zero, one or more times
- * to pass successive parts of the input: the plaintext to
- * encrypt, or the ciphertext (not including the tag) to
- * decrypt. After the last part of the input, call
- * mbedtls_gcm_finish().
- *
- * This function may produce output in one of the following
- * ways:
- * - Immediate output: the output length is always equal
- * to the input length.
- * - Buffered output: the output consists of a whole number
- * of 16-byte blocks. If the total input length so far
- * (not including associated data) is 16 \* *B* + *A*
- * with *A* < 16 then the total output length is 16 \* *B*.
- *
- * In particular:
- * - It is always correct to call this function with
- * \p output_size >= \p input_length + 15.
- * - If \p input_length is a multiple of 16 for all the calls
- * to this function during an operation, then it is
- * correct to use \p output_size = \p input_length.
- *
- * \note For decryption, the output buffer cannot be the same as
- * input buffer. If the buffers overlap, the output buffer
- * must trail at least 8 Bytes behind the input buffer.
- *
- * \param ctx The GCM context. This must be initialized.
- * \param input The buffer holding the input data. If \p input_length
- * is greater than zero, this must be a readable buffer
- * of at least \p input_length bytes.
- * \param input_length The length of the input data in bytes.
- * \param output The buffer for the output data. If \p output_size
- * is greater than zero, this must be a writable buffer of
- * of at least \p output_size bytes.
- * \param output_size The size of the output buffer in bytes.
- * See the function description regarding the output size.
- * \param output_length On success, \p *output_length contains the actual
- * length of the output written in \p output.
- * On failure, the content of \p *output_length is
- * unspecified.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
- * total input length too long,
- * unsupported input/output buffer overlap detected,
- * or \p output_size too small.
- */
-int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
- const unsigned char *input, size_t input_length,
- unsigned char *output, size_t output_size,
- size_t *output_length);
-
-/**
- * \brief This function finishes the GCM operation and generates
- * the authentication tag.
- *
- * It wraps up the GCM stream, and generates the
- * tag. The tag can have a maximum length of 16 Bytes.
- *
- * \param ctx The GCM context. This must be initialized.
- * \param tag The buffer for holding the tag. This must be a writable
- * buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the tag to generate. This must be at least
- * four.
- * \param output The buffer for the final output.
- * If \p output_size is nonzero, this must be a writable
- * buffer of at least \p output_size bytes.
- * \param output_size The size of the \p output buffer in bytes.
- * This must be large enough for the output that
- * mbedtls_gcm_update() has not produced. In particular:
- * - If mbedtls_gcm_update() produces immediate output,
- * or if the total input size is a multiple of \c 16,
- * then mbedtls_gcm_finish() never produces any output,
- * so \p output_size can be \c 0.
- * - \p output_size never needs to be more than \c 15.
- * \param output_length On success, \p *output_length contains the actual
- * length of the output written in \p output.
- * On failure, the content of \p *output_length is
- * unspecified.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
- * invalid value of \p tag_len,
- * or \p output_size too small.
- */
-int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
- unsigned char *output, size_t output_size,
- size_t *output_length,
- unsigned char *tag, size_t tag_len);
-
-/**
- * \brief This function clears a GCM context and the underlying
- * cipher sub-context.
- *
- * \param ctx The GCM context to clear. If this is \c NULL, the call has
- * no effect. Otherwise, this must be initialized.
- */
-void mbedtls_gcm_free(mbedtls_gcm_context *ctx);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The GCM checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_gcm_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-
-#endif /* gcm.h */
diff --git a/include/mbedtls/hkdf.h b/include/mbedtls/hkdf.h
index 699c6d9..930e93f 100644
--- a/include/mbedtls/hkdf.h
+++ b/include/mbedtls/hkdf.h
@@ -8,19 +8,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_HKDF_H
#define MBEDTLS_HKDF_H
diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h
deleted file mode 100644
index 2e5aa6d..0000000
--- a/include/mbedtls/hmac_drbg.h
+++ /dev/null
@@ -1,446 +0,0 @@
-/**
- * \file hmac_drbg.h
- *
- * \brief The HMAC_DRBG pseudorandom generator.
- *
- * This module implements the HMAC_DRBG pseudorandom generator described
- * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
- * Deterministic Random Bit Generators</em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_HMAC_DRBG_H
-#define MBEDTLS_HMAC_DRBG_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/md.h"
-
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-
-/*
- * Error codes
- */
-/** Too many random requested in single call. */
-#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003
-/** Input too large (Entropy + additional). */
-#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005
-/** Read/write error in file. */
-#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007
-/** The entropy source failed. */
-#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h or define them on the compiler command line.
- * \{
- */
-
-#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
-#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
-#endif
-
-#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
-#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
-#endif
-
-#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
-#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
-#endif
-
-#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
-#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
-#endif
-
-/** \} name SECTION: Module settings */
-
-#define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */
-#define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * HMAC_DRBG context.
- */
-typedef struct mbedtls_hmac_drbg_context {
- /* Working state: the key K is not stored explicitly,
- * but is implied by the HMAC context */
- mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx); /*!< HMAC context (inc. K) */
- unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */
- int MBEDTLS_PRIVATE(reseed_counter); /*!< reseed counter */
-
- /* Administrative state */
- size_t MBEDTLS_PRIVATE(entropy_len); /*!< entropy bytes grabbed on each (re)seed */
- int MBEDTLS_PRIVATE(prediction_resistance); /*!< enable prediction resistance (Automatic
- reseed before every random generation) */
- int MBEDTLS_PRIVATE(reseed_interval); /*!< reseed interval */
-
- /* Callbacks */
- int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */
- void *MBEDTLS_PRIVATE(p_entropy); /*!< context for the entropy function */
-
-#if defined(MBEDTLS_THREADING_C)
- /* Invariant: the mutex is initialized if and only if
- * md_ctx->md_info != NULL. This means that the mutex is initialized
- * during the initial seeding in mbedtls_hmac_drbg_seed() or
- * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
- *
- * Note that this invariant may change without notice. Do not rely on it
- * and do not access the mutex directly in application code.
- */
- mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
-#endif
-} mbedtls_hmac_drbg_context;
-
-/**
- * \brief HMAC_DRBG context initialization.
- *
- * This function makes the context ready for mbedtls_hmac_drbg_seed(),
- * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
- *
- * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
- * by default. Override this value by calling
- * mbedtls_hmac_drbg_set_reseed_interval().
- *
- * \param ctx HMAC_DRBG context to be initialized.
- */
-void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx);
-
-/**
- * \brief HMAC_DRBG initial seeding.
- *
- * Set the initial seed and set up the entropy source for future reseeds.
- *
- * A typical choice for the \p f_entropy and \p p_entropy parameters is
- * to use the entropy module:
- * - \p f_entropy is mbedtls_entropy_func();
- * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
- * with mbedtls_entropy_init() (which registers the platform's default
- * entropy sources).
- *
- * You can provide a personalization string in addition to the
- * entropy source, to make this instantiation as unique as possible.
- *
- * \note By default, the security strength as defined by NIST is:
- * - 128 bits if \p md_info is SHA-1;
- * - 192 bits if \p md_info is SHA-224;
- * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
- * Note that SHA-256 is just as efficient as SHA-224.
- * The security strength can be reduced if a smaller
- * entropy length is set with
- * mbedtls_hmac_drbg_set_entropy_len().
- *
- * \note The default entropy length is the security strength
- * (converted from bits to bytes). You can override
- * it by calling mbedtls_hmac_drbg_set_entropy_len().
- *
- * \note During the initial seeding, this function calls
- * the entropy source to obtain a nonce
- * whose length is half the entropy length.
- */
-#if defined(MBEDTLS_THREADING_C)
-/**
- * \note When Mbed TLS is built with threading support,
- * after this function returns successfully,
- * it is safe to call mbedtls_hmac_drbg_random()
- * from multiple threads. Other operations, including
- * reseeding, are not thread-safe.
- */
-#endif /* MBEDTLS_THREADING_C */
-/**
- * \param ctx HMAC_DRBG context to be seeded.
- * \param md_info MD algorithm to use for HMAC_DRBG.
- * \param f_entropy The entropy callback, taking as arguments the
- * \p p_entropy context, the buffer to fill, and the
- * length of the buffer.
- * \p f_entropy is always called with a length that is
- * less than or equal to the entropy length.
- * \param p_entropy The entropy context to pass to \p f_entropy.
- * \param custom The personalization string.
- * This can be \c NULL, in which case the personalization
- * string is empty regardless of the value of \p len.
- * \param len The length of the personalization string.
- * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
- * and also at most
- * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2
- * where \c entropy_len is the entropy length
- * described above.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
- * invalid.
- * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
- * memory to allocate context data.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
- * if the call to \p f_entropy failed.
- */
-int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
- const mbedtls_md_info_t *md_info,
- int (*f_entropy)(void *, unsigned char *, size_t),
- void *p_entropy,
- const unsigned char *custom,
- size_t len);
-
-/**
- * \brief Initialisation of simplified HMAC_DRBG (never reseeds).
- *
- * This function is meant for use in algorithms that need a pseudorandom
- * input such as deterministic ECDSA.
- */
-#if defined(MBEDTLS_THREADING_C)
-/**
- * \note When Mbed TLS is built with threading support,
- * after this function returns successfully,
- * it is safe to call mbedtls_hmac_drbg_random()
- * from multiple threads. Other operations, including
- * reseeding, are not thread-safe.
- */
-#endif /* MBEDTLS_THREADING_C */
-/**
- * \param ctx HMAC_DRBG context to be initialised.
- * \param md_info MD algorithm to use for HMAC_DRBG.
- * \param data Concatenation of the initial entropy string and
- * the additional data.
- * \param data_len Length of \p data in bytes.
- *
- * \return \c 0 if successful. or
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
- * invalid.
- * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
- * memory to allocate context data.
- */
-int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
- const mbedtls_md_info_t *md_info,
- const unsigned char *data, size_t data_len);
-
-/**
- * \brief This function turns prediction resistance on or off.
- * The default value is off.
- *
- * \note If enabled, entropy is gathered at the beginning of
- * every call to mbedtls_hmac_drbg_random_with_add()
- * or mbedtls_hmac_drbg_random().
- * Only use this if your entropy source has sufficient
- * throughput.
- *
- * \param ctx The HMAC_DRBG context.
- * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
- */
-void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
- int resistance);
-
-/**
- * \brief This function sets the amount of entropy grabbed on each
- * seed or reseed.
- *
- * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
- *
- * \param ctx The HMAC_DRBG context.
- * \param len The amount of entropy to grab, in bytes.
- */
-void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx,
- size_t len);
-
-/**
- * \brief Set the reseed interval.
- *
- * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
- * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
- * is called again.
- *
- * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
- *
- * \param ctx The HMAC_DRBG context.
- * \param interval The reseed interval.
- */
-void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx,
- int interval);
-
-/**
- * \brief This function updates the state of the HMAC_DRBG context.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param ctx The HMAC_DRBG context.
- * \param additional The data to update the state with.
- * If this is \c NULL, there is no additional data.
- * \param add_len Length of \p additional in bytes.
- * Unused if \p additional is \c NULL.
- *
- * \return \c 0 on success, or an error from the underlying
- * hash calculation.
- */
-int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional, size_t add_len);
-
-/**
- * \brief This function reseeds the HMAC_DRBG context, that is
- * extracts data from the entropy source.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param ctx The HMAC_DRBG context.
- * \param additional Additional data to add to the state.
- * If this is \c NULL, there is no additional data
- * and \p len should be \c 0.
- * \param len The length of the additional data.
- * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
- * and also at most
- * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len
- * where \c entropy_len is the entropy length
- * (see mbedtls_hmac_drbg_set_entropy_len()).
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
- * if a call to the entropy function failed.
- */
-int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional, size_t len);
-
-/**
- * \brief This function updates an HMAC_DRBG instance with additional
- * data and uses it to generate random data.
- *
- * This function automatically reseeds if the reseed counter is exceeded
- * or prediction resistance is enabled.
- *
- * \note This function is not thread-safe. It is not safe
- * to call this function if another thread might be
- * concurrently obtaining random numbers from the same
- * context or updating or reseeding the same context.
- *
- * \param p_rng The HMAC_DRBG context. This must be a pointer to a
- * #mbedtls_hmac_drbg_context structure.
- * \param output The buffer to fill.
- * \param output_len The length of the buffer in bytes.
- * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
- * \param additional Additional data to update with.
- * If this is \c NULL, there is no additional data
- * and \p add_len should be \c 0.
- * \param add_len The length of the additional data.
- * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
- * if a call to the entropy source failed.
- * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
- * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
- * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
- * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
- */
-int mbedtls_hmac_drbg_random_with_add(void *p_rng,
- unsigned char *output, size_t output_len,
- const unsigned char *additional,
- size_t add_len);
-
-/**
- * \brief This function uses HMAC_DRBG to generate random data.
- *
- * This function automatically reseeds if the reseed counter is exceeded
- * or prediction resistance is enabled.
- */
-#if defined(MBEDTLS_THREADING_C)
-/**
- * \note When Mbed TLS is built with threading support,
- * it is safe to call mbedtls_ctr_drbg_random()
- * from multiple threads. Other operations, including
- * reseeding, are not thread-safe.
- */
-#endif /* MBEDTLS_THREADING_C */
-/**
- * \param p_rng The HMAC_DRBG context. This must be a pointer to a
- * #mbedtls_hmac_drbg_context structure.
- * \param output The buffer to fill.
- * \param out_len The length of the buffer in bytes.
- * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
- * if a call to the entropy source failed.
- * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
- * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
- */
-int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len);
-
-/**
- * \brief This function resets HMAC_DRBG context to the state immediately
- * after initial call of mbedtls_hmac_drbg_init().
- *
- * \param ctx The HMAC_DRBG context to free.
- */
-void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx);
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief This function writes a seed file.
- *
- * \param ctx The HMAC_DRBG context.
- * \param path The name of the file.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
- * failure.
- */
-int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
-
-/**
- * \brief This function reads and updates a seed file. The seed
- * is added to this instance.
- *
- * \param ctx The HMAC_DRBG context.
- * \param path The name of the file.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
- * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
- * reseed failure.
- * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
- * seed file is too large.
- */
-int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
-#endif /* MBEDTLS_FS_IO */
-
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief The HMAC_DRBG Checkup routine.
- *
- * \return \c 0 if successful.
- * \return \c 1 if the test failed.
- */
-int mbedtls_hmac_drbg_self_test(int verbose);
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* hmac_drbg.h */
diff --git a/include/mbedtls/lms.h b/include/mbedtls/lms.h
deleted file mode 100644
index 5c8df42..0000000
--- a/include/mbedtls/lms.h
+++ /dev/null
@@ -1,452 +0,0 @@
-/**
- * \file lms.h
- *
- * \brief This file provides an API for the LMS post-quantum-safe stateful-hash
- public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
- * This implementation currently only supports a single parameter set
- * MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one
- * of the signature schemes recommended by the IETF draft SUIT standard
- * for IOT firmware upgrades (RFC9019).
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_LMS_H
-#define MBEDTLS_LMS_H
-
-#include <stdint.h>
-#include <stddef.h>
-
-#include "mbedtls/private_access.h"
-#include "mbedtls/build_info.h"
-
-#define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */
-#define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */
-#define MBEDTLS_ERR_LMS_VERIFY_FAILED -0x0015 /**< LMS signature verification failed */
-#define MBEDTLS_ERR_LMS_ALLOC_FAILED -0x0017 /**< LMS failed to allocate space for a private key */
-#define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */
-
-/* Currently only defined for SHA256, 32 is the max hash output size */
-#define MBEDTLS_LMOTS_N_HASH_LEN_MAX (32u)
-#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX (34u)
-#define MBEDTLS_LMOTS_N_HASH_LEN(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0)
-#define MBEDTLS_LMOTS_I_KEY_ID_LEN (16u)
-#define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4u)
-#define MBEDTLS_LMOTS_TYPE_LEN (4u)
-#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0)
-#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type))
-
-#define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
- MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \
- (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \
- MBEDTLS_LMOTS_N_HASH_LEN(type)))
-
-
-#define MBEDTLS_LMS_TYPE_LEN (4)
-#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0)
-
-/* The length of a hash output, Currently only implemented for SHA256.
- * Max is 32 bytes.
- */
-#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0)
-#define MBEDTLS_LMS_M_NODE_BYTES_MAX 32
-
-#define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
- MBEDTLS_LMOTS_SIG_LEN(otstype) + \
- MBEDTLS_LMS_TYPE_LEN + \
- (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \
- MBEDTLS_LMS_M_NODE_BYTES(type)))
-
-#define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \
- MBEDTLS_LMOTS_TYPE_LEN + \
- MBEDTLS_LMOTS_I_KEY_ID_LEN + \
- MBEDTLS_LMS_M_NODE_BYTES(type))
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** The Identifier of the LMS parameter set, as per
- * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
- * We are only implementing a subset of the types, particularly H10, for the sake of simplicity.
- */
-typedef enum {
- MBEDTLS_LMS_SHA256_M32_H10 = 0x6,
-} mbedtls_lms_algorithm_type_t;
-
-/** The Identifier of the LMOTS parameter set, as per
- * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml.
- * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity.
- */
-typedef enum {
- MBEDTLS_LMOTS_SHA256_N32_W8 = 4
-} mbedtls_lmots_algorithm_type_t;
-
-/** LMOTS parameters structure.
- *
- * This contains the metadata associated with an LMOTS key, detailing the
- * algorithm type, the key ID, and the leaf identifier should be key be part of
- * a LMS key.
- */
-typedef struct {
- unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
- identifier. */
- unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which
- leaf of the LMS key this is.
- 0 if the key is not part of an LMS key. */
- mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as
- per IANA. Only SHA256_N32_W8 is
- currently supported. */
-} mbedtls_lmots_parameters_t;
-
-/** LMOTS public context structure.
- *
- * A LMOTS public key is a hash output, and the applicable parameter set.
- *
- * The context must be initialized before it is used. A public key must either
- * be imported or generated from a private context.
- *
- * \dot
- * digraph lmots_public_t {
- * UNINITIALIZED -> INIT [label="init"];
- * HAVE_PUBLIC_KEY -> INIT [label="free"];
- * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
- * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
- * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
- * }
- * \enddot
- */
-typedef struct {
- mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
- unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
- Boolean values only. */
-} mbedtls_lmots_public_t;
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-/** LMOTS private context structure.
- *
- * A LMOTS private key is one hash output for each of digit of the digest +
- * checksum, and the applicable parameter set.
- *
- * The context must be initialized before it is used. A public key must either
- * be imported or generated from a private context.
- *
- * \dot
- * digraph lmots_public_t {
- * UNINITIALIZED -> INIT [label="init"];
- * HAVE_PRIVATE_KEY -> INIT [label="free"];
- * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
- * HAVE_PRIVATE_KEY -> INIT [label="sign"];
- * }
- * \enddot
- */
-typedef struct {
- mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
- unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][
- MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
- Boolean values only. */
-} mbedtls_lmots_private_t;
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-
-
-/** LMS parameters structure.
- *
- * This contains the metadata associated with an LMS key, detailing the
- * algorithm type, the type of the underlying OTS algorithm, and the key ID.
- */
-typedef struct {
- unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
- identifier. */
- mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as
- per IANA. Only SHA256_N32_W8 is
- currently supported. */
- mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per
- IANA. Only SHA256_M32_H10 is currently
- supported. */
-} mbedtls_lms_parameters_t;
-
-/** LMS public context structure.
- *
- * A LMS public key is the hash output that is the root of the Merkle tree, and
- * the applicable parameter set
- *
- * The context must be initialized before it is used. A public key must either
- * be imported or generated from a private context.
- *
- * \dot
- * digraph lms_public_t {
- * UNINITIALIZED -> INIT [label="init"];
- * HAVE_PUBLIC_KEY -> INIT [label="free"];
- * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
- * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
- * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
- * }
- * \enddot
- */
-typedef struct {
- mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
- unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in
- the form of the Merkle tree root node. */
- unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
- Boolean values only. */
-} mbedtls_lms_public_t;
-
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-/** LMS private context structure.
- *
- * A LMS private key is a set of LMOTS private keys, an index to the next usable
- * key, and the applicable parameter set.
- *
- * The context must be initialized before it is used. A public key must either
- * be imported or generated from a private context.
- *
- * \dot
- * digraph lms_public_t {
- * UNINITIALIZED -> INIT [label="init"];
- * HAVE_PRIVATE_KEY -> INIT [label="free"];
- * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
- * }
- * \enddot
- */
-typedef struct {
- mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
- uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not
- been used. */
- mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key
- for each leaf node in the Merkle tree. NULL
- when have_private_key is 0 and non-NULL otherwise.
- is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */
- mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to
- build the Merkle tree. NULL
- when have_private_key is 0 and
- non-NULL otherwise.
- Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type)
- in length. */
- unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
- Boolean values only. */
-} mbedtls_lms_private_t;
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-
-/**
- * \brief This function initializes an LMS public context
- *
- * \param ctx The uninitialized LMS context that will then be
- * initialized.
- */
-void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx);
-
-/**
- * \brief This function uninitializes an LMS public context
- *
- * \param ctx The initialized LMS context that will then be
- * uninitialized.
- */
-void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx);
-
-/**
- * \brief This function imports an LMS public key into a
- * public LMS context.
- *
- * \note Before this function is called, the context must
- * have been initialized.
- *
- * \note See IETF RFC8554 for details of the encoding of
- * this public key.
- *
- * \param ctx The initialized LMS context store the key in.
- * \param key The buffer from which the key will be read.
- * #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from
- * this.
- * \param key_size The size of the key being imported.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
- const unsigned char *key, size_t key_size);
-
-/**
- * \brief This function exports an LMS public key from a
- * LMS public context that already contains a public
- * key.
- *
- * \note Before this function is called, the context must
- * have been initialized and the context must contain
- * a public key.
- *
- * \note See IETF RFC8554 for details of the encoding of
- * this public key.
- *
- * \param ctx The initialized LMS public context that contains
- * the public key.
- * \param key The buffer into which the key will be output. Must
- * be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size.
- * \param key_size The size of the key buffer.
- * \param key_len If not NULL, will be written with the size of the
- * key.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
- unsigned char *key, size_t key_size,
- size_t *key_len);
-
-/**
- * \brief This function verifies a LMS signature, using a
- * LMS context that contains a public key.
- *
- * \note Before this function is called, the context must
- * have been initialized and must contain a public key
- * (either by import or generation).
- *
- * \param ctx The initialized LMS public context from which the
- * public key will be read.
- * \param msg The buffer from which the message will be read.
- * \param msg_size The size of the message that will be read.
- * \param sig The buf from which the signature will be read.
- * #MBEDTLS_LMS_SIG_LEN bytes will be read from
- * this.
- * \param sig_size The size of the signature to be verified.
- *
- * \return \c 0 on successful verification.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
- const unsigned char *msg, size_t msg_size,
- const unsigned char *sig, size_t sig_size);
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-/**
- * \brief This function initializes an LMS private context
- *
- * \param ctx The uninitialized LMS private context that will
- * then be initialized. */
-void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx);
-
-/**
- * \brief This function uninitializes an LMS private context
- *
- * \param ctx The initialized LMS private context that will then
- * be uninitialized.
- */
-void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx);
-
-/**
- * \brief This function generates an LMS private key, and
- * stores in into an LMS private context.
- *
- * \warning This function is **not intended for use in
- * production**, due to as-yet unsolved problems with
- * handling stateful keys. The API for this function
- * may change considerably in future versions.
- *
- * \note The seed must have at least 256 bits of entropy.
- *
- * \param ctx The initialized LMOTS context to generate the key
- * into.
- * \param type The LMS parameter set identifier.
- * \param otstype The LMOTS parameter set identifier.
- * \param f_rng The RNG function to be used to generate the key ID.
- * \param p_rng The RNG context to be passed to f_rng
- * \param seed The seed used to deterministically generate the
- * key.
- * \param seed_size The length of the seed.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
- mbedtls_lms_algorithm_type_t type,
- mbedtls_lmots_algorithm_type_t otstype,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *seed,
- size_t seed_size);
-
-/**
- * \brief This function calculates an LMS public key from a
- * LMS context that already contains a private key.
- *
- * \note Before this function is called, the context must
- * have been initialized and the context must contain
- * a private key.
- *
- * \param ctx The initialized LMS public context to calculate the key
- * from and store it into.
- *
- * \param priv_ctx The LMS private context to read the private key
- * from. This must have been initialized and contain a
- * private key.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
- const mbedtls_lms_private_t *priv_ctx);
-
-/**
- * \brief This function creates a LMS signature, using a
- * LMS context that contains unused private keys.
- *
- * \warning This function is **not intended for use in
- * production**, due to as-yet unsolved problems with
- * handling stateful keys. The API for this function
- * may change considerably in future versions.
- *
- * \note Before this function is called, the context must
- * have been initialized and must contain a private
- * key.
- *
- * \note Each of the LMOTS private keys inside a LMS private
- * key can only be used once. If they are reused, then
- * attackers may be able to forge signatures with that
- * key. This is all handled transparently, but it is
- * important to not perform copy operations on LMS
- * contexts that contain private key material.
- *
- * \param ctx The initialized LMS private context from which the
- * private key will be read.
- * \param f_rng The RNG function to be used for signature
- * generation.
- * \param p_rng The RNG context to be passed to f_rng
- * \param msg The buffer from which the message will be read.
- * \param msg_size The size of the message that will be read.
- * \param sig The buf into which the signature will be stored.
- * Must be at least #MBEDTLS_LMS_SIG_LEN in size.
- * \param sig_size The size of the buffer the signature will be
- * written into.
- * \param sig_len If not NULL, will be written with the size of the
- * signature.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *msg,
- unsigned int msg_size, unsigned char *sig, size_t sig_size,
- size_t *sig_len);
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_LMS_H */
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index af07613..618d10e 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -9,19 +9,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
@@ -52,12 +40,10 @@
* library/aria.c
* library/bn_mul.h
* library/constant_time.c
- * library/padlock.h
*
* Required by:
* MBEDTLS_AESCE_C
* MBEDTLS_AESNI_C (on some platforms)
- * MBEDTLS_PADLOCK_C
*
* Comment to disable the use of assembly code.
*/
@@ -397,29 +383,15 @@
//#define MBEDTLS_CHACHAPOLY_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
-//#define MBEDTLS_DHM_ALT
-//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD5_ALT
//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
-//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
-/*
- * When replacing the elliptic curve module, please consider, that it is
- * implemented with two .c files:
- * - ecp.c
- * - ecp_curves.c
- * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
- * macros as described above. The only difference is that you have to make sure
- * that you provide functionality for both .c files.
- */
-//#define MBEDTLS_ECP_ALT
-
/**
* \def MBEDTLS_SHA256_PROCESS_ALT
*
@@ -476,71 +448,6 @@
//#define MBEDTLS_ECDSA_GENKEY_ALT
/**
- * \def MBEDTLS_ECP_INTERNAL_ALT
- *
- * Expose a part of the internal interface of the Elliptic Curve Point module.
- *
- * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your
- * alternative core implementation of elliptic curve arithmetic. Keep in mind
- * that function prototypes should remain the same.
- *
- * This partially replaces one function. The header file from Mbed TLS is still
- * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
- * is still present and it is used for group structures not supported by the
- * alternative.
- *
- * The original implementation can in addition be removed by setting the
- * MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the
- * corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be
- * able to fallback to curves not supported by the alternative implementation.
- *
- * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
- * and implementing the following functions:
- * unsigned char mbedtls_internal_ecp_grp_capable(
- * const mbedtls_ecp_group *grp )
- * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
- * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
- * The mbedtls_internal_ecp_grp_capable function should return 1 if the
- * replacement functions implement arithmetic for the given group and 0
- * otherwise.
- * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
- * called before and after each point operation and provide an opportunity to
- * implement optimized set up and tear down instructions.
- *
- * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and
- * MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac()
- * function, but will use your mbedtls_internal_ecp_double_jac() if the group
- * for the operation is supported by your implementation (i.e. your
- * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the
- * group is not supported by your implementation, then the original Mbed TLS
- * implementation of ecp_double_jac() is used instead, unless this fallback
- * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case
- * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE).
- *
- * The function prototypes and the definition of mbedtls_ecp_group and
- * mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your
- * implementation of mbedtls_internal_ecp__function_name__ must be compatible
- * with their definitions.
- *
- * Uncomment a macro to enable alternate implementation of the corresponding
- * function.
- */
-/* Required for all the functions in this section */
-//#define MBEDTLS_ECP_INTERNAL_ALT
-/* Turn off software fallback for curves not supported in hardware */
-//#define MBEDTLS_ECP_NO_FALLBACK
-/* Support for Weierstrass curves with Jacobi representation */
-//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
-//#define MBEDTLS_ECP_ADD_MIXED_ALT
-//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
-//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
-//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
-/* Support for curves with Montgomery arithmetic */
-//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
-//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
-//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
-
-/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
* Uncomment this macro to let Mbed TLS use your own implementation of a
@@ -754,6 +661,9 @@
* contexts and therefore is a compatibility break for applications that access
* fields of a mbedtls_ecdh_context structure directly. See also
* MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
+ *
+ * The Everest code is provided under the Apache 2.0 license only; therefore enabling this
+ * option is not compatible with taking the library under the GPL v2.0-or-later license.
*/
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
@@ -839,7 +749,7 @@
*
* \note This option only works with the default software implementation of
* elliptic curve functionality. It is incompatible with
- * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.
+ * MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.
*
* Requires: MBEDTLS_ECP_C
*
@@ -1478,6 +1388,26 @@
//#define MBEDTLS_PSA_INJECT_ENTROPY
/**
+ * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+ *
+ * Assume all buffers passed to PSA functions are owned exclusively by the
+ * PSA function and are not stored in shared memory.
+ *
+ * This option may be enabled if all buffers passed to any PSA function reside
+ * in memory that is accessible only to the PSA function during its execution.
+ *
+ * This option MUST be disabled whenever buffer arguments are in memory shared
+ * with an untrusted party, for example where arguments to PSA calls are passed
+ * across a trust boundary.
+ *
+ * \note Enabling this option reduces memory usage and code size.
+ *
+ * \note Enabling this option causes overlap of input and output buffers
+ * not to be supported by PSA functions.
+ */
+//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+
+/**
* \def MBEDTLS_RSA_NO_CRT
*
* Do not use the Chinese Remainder Theorem
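Review bot: The new `MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS` text says when the option must stay disabled but never states what the library does differently, so a reader cannot judge the risk of enabling it. The memory and code-size note suggests that the default build works on private copies of caller buffers and that this option removes them (inferred, not shown in this hunk); if that is right, say so, e.g. ` * When this option is disabled (the default), PSA functions copy buffer arguments so that concurrent modification by the caller cannot affect them.` The last note is also hard to parse; `\note When this option is enabled, PSA functions do not support overlapping input and output buffers.` reads more directly. It should also say whether overlap is rejected with an error or is simply unsupported.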
@@ -1733,9 +1663,6 @@
*
* Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
*
- * \warning This extension is currently in development and must NOT be used except
- * for testing purposes.
- *
* Requires: MBEDTLS_SSL_PROTO_TLS1_3
*
* Uncomment this macro to enable support for the record_size_limit extension
@@ -1783,7 +1710,7 @@
*
* Uncomment this macro to enable the support for TLS 1.3.
*/
-//#define MBEDTLS_SSL_PROTO_TLS1_3
+#define MBEDTLS_SSL_PROTO_TLS1_3
/**
* \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
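Review bot: The context line ` * Uncomment this macro to enable the support for TLS 1.3.` is stale now that `MBEDTLS_SSL_PROTO_TLS1_3` is defined by default; it should read ` * Comment this macro to disable the support for TLS 1.3.` Because this changes the protocol set of every default build, the comment is also the place to list anything an application must now do before a handshake. The CTR_DRBG section of this same file mentions a `psa_crypto_init()` precondition; whether one applies here is not visible in this hunk. The next hunk flips `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` the same way, and its description, which begins outside that hunk, deserves the same check.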
@@ -1805,7 +1732,7 @@
* effect on the build.
*
*/
-//#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
/**
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
@@ -1863,9 +1790,6 @@
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
* is not enabled, this option does not have any effect on the build.
*
- * This feature is experimental, not completed and thus not ready for
- * production.
- *
* \note The maximum amount of early data can be set with
* MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.
*
@@ -2200,6 +2124,8 @@
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
+ * Requires: MBEDTLS_PKCS1_V21
+ *
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
@@ -2218,7 +2144,7 @@
* Enable AES-NI support on x86-64 or x86-32.
*
* \note AESNI is only supported with certain compilers and target options:
- * - Visual Studio 2013: supported.
+ * - Visual Studio: supported
* - GCC, x86-64, target not explicitly supporting AESNI:
* requires MBEDTLS_HAVE_ASM.
* - GCC, x86-32, target not explicitly supporting AESNI:
@@ -2247,7 +2173,7 @@
/**
* \def MBEDTLS_AESCE_C
*
- * Enable AES cryptographic extension support on 64-bit Arm.
+ * Enable AES cryptographic extension support on Armv8.
*
* Module: library/aesce.c
* Caller: library/aes.c
@@ -2258,13 +2184,15 @@
* system, Armv8-A Cryptographic Extensions must be supported by
* the CPU when this option is enabled.
*
- * \note Minimum compiler versions for this feature are Clang 4.0,
- * armclang 6.6, GCC 6.0 or MSVC 2019 version 16.11.2.
+ * \note Minimum compiler versions for this feature when targeting aarch64
+ * are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2.
+ * Minimum compiler versions for this feature when targeting 32-bit
+ * Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
*
* \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
* armclang <= 6.9
*
- * This module adds support for the AES Armv8-A Cryptographic Extensions on Aarch64 systems.
+ * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
*/
#define MBEDTLS_AESCE_C
@@ -2384,6 +2312,28 @@
#define MBEDTLS_BASE64_C
/**
+ * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ *
+ * Remove decryption operation for AES, ARIA and Camellia block cipher.
+ *
+ * \note This feature is incompatible with insecure block cipher,
+ * MBEDTLS_DES_C, and cipher modes which always require decryption
+ * operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
+ * MBEDTLS_NIST_KW_C. When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled,
+ * this feature is incompatible with following supported PSA equivalence,
+ * PSA_WANT_ALG_ECB_NO_PADDING, PSA_WANT_ALG_CBC_NO_PADDING,
+ * PSA_WANT_ALG_CBC_PKCS7 and PSA_WANT_KEY_TYPE_DES.
+ *
+ * Module: library/aes.c
+ * library/aesce.c
+ * library/aesni.c
+ * library/aria.c
+ * library/camellia.c
+ * library/cipher.c
+ */
+//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
+/**
* \def MBEDTLS_BIGNUM_C
*
* Enable the multi-precision integer library.
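Review bot: The `\note` on `MBEDTLS_BLOCK_CIPHER_NO_DECRYPT` is hard to follow and does not say how an incompatible configuration is caught. Phrases such as `incompatible with insecure block cipher, MBEDTLS_DES_C` and `following supported PSA equivalence` could become `incompatible with the insecure block cipher MBEDTLS_DES_C and with cipher modes that always require decryption` and `incompatible with the following PSA equivalents`. It would also help to state whether enabling one of the listed options together with this one is a build-time error, so that nobody assumes decryption silently becomes unavailable at run time.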
@@ -2562,6 +2512,8 @@
* library/ssl_ciphersuites.c
* library/ssl_msg.c
* library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
+ * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
+ * (see the documentation of that option for details).
*
* Uncomment to enable generic cipher wrappers.
*/
@@ -2592,6 +2544,13 @@
* The CTR_DRBG generator uses AES-256 by default.
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
*
+ * AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA.
+ * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
+ * is used.
+ *
+ * \warning When using PSA, the user should call `psa_crypto_init()` before
+ * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
+ *
* \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
*
* \note To achieve a 256-bit security strength with CTR_DRBG,
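Review bot: `achived` in the added paragraph should be `achieved`, and the new `\warning` does not say what happens when `psa_crypto_init()` has not been called. For a random generator that matters: the reader needs to know that seeding fails with an error rather than proceeding, assuming that is the behaviour (not visible here). Suggested wording for the first sentence: ` * AES support can be provided either by the built-in implementation (MBEDTLS_AES_C) or by PSA; the built-in one is used whenever MBEDTLS_AES_C is defined.` The `Requires:` list rewritten in the next hunk (-2601) should stay consistent with that sentence.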
@@ -2601,7 +2560,9 @@
* Module: library/ctr_drbg.c
* Caller:
*
- * Requires: MBEDTLS_AES_C
+ * Requires: MBEDTLS_AES_C or
+ * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and
+ * MBEDTLS_PSA_CRYPTO_C)
*
* This module provides the CTR_DRBG AES random number generator.
*/
@@ -2773,6 +2734,22 @@
#define MBEDTLS_GCM_C
/**
+ * \def MBEDTLS_GCM_LARGE_TABLE
+ *
+ * Enable large pre-computed tables for Galois/Counter Mode (GCM).
+ * Can significantly increase throughput on systems without GCM hardware
+ * acceleration (e.g., AESNI, AESCE).
+ *
+ * The mbedtls_gcm_context size will increase by 3840 bytes.
+ * The code size will increase by roughly 344 bytes.
+ *
+ * Module: library/gcm.c
+ *
+ * Requires: MBEDTLS_GCM_C
+ */
+//#define MBEDTLS_GCM_LARGE_TABLE
+
+/**
* \def MBEDTLS_HKDF_C
*
* Enable the HKDF algorithm (RFC 5869).
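Review bot: The `MBEDTLS_GCM_LARGE_TABLE` description quantifies memory and code size but is silent on timing behaviour. Table-driven GHASH multiplication generally looks up entries at indices derived from secret data, so a larger table can change the cache footprint visible to an observer on shared hardware; whether that applies to library/gcm.c is not visible in this hunk. A short `\note` would let integrators decide: it should state either that the large-table path has the same side-channel characteristics as the default software path, or that it should be avoided where cache-timing observation is a concern.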
@@ -2953,20 +2930,6 @@
#define MBEDTLS_OID_C
/**
- * \def MBEDTLS_PADLOCK_C
- *
- * Enable VIA Padlock support on x86.
- *
- * Module: library/padlock.c
- * Caller: library/aes.c
- *
- * Requires: MBEDTLS_HAVE_ASM
- *
- * This modules adds support for the VIA PadLock on x86.
- */
-#define MBEDTLS_PADLOCK_C
-
-/**
* \def MBEDTLS_PEM_PARSE_C
*
* Enable PEM decoding / parsing.
@@ -3031,7 +2994,7 @@
* Caller: library/x509_crt.c
* library/x509_csr.c
*
- * Requires: MBEDTLS_PK_C
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
*
* Uncomment to enable generic public key parse functions.
*/
@@ -3045,7 +3008,7 @@
* Module: library/pkwrite.c
* Caller: library/x509write.c
*
- * Requires: MBEDTLS_PK_C
+ * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
*
* Uncomment to enable generic public key write functions.
*/
@@ -3058,7 +3021,6 @@
*
* Module: library/pkcs5.c
*
- * Requires: MBEDTLS_CIPHER_C
* Auto-enables: MBEDTLS_MD_C
*
* \warning If using a hash that is only provided by PSA drivers, you must
@@ -3093,8 +3055,8 @@
* Module: library/pkcs12.c
* Caller: library/pkparse.c
*
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C and either
- * MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
+ * Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or
+ * MBEDTLS_PSA_CRYPTO_C.
*
* \warning If using a hash that is only provided by PSA drivers, you must
* call psa_crypto_init() before doing any PKCS12 operations.
@@ -3140,11 +3102,12 @@
*
* Module: library/psa_crypto.c
*
- * Requires: MBEDTLS_CIPHER_C,
- * either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
+ * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
- *
+ * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
+ * is enabled in PSA (unless it's fully accelerated, see
+ * docs/driver-only-builds.md about that).
*/
#define MBEDTLS_PSA_CRYPTO_C
@@ -3157,6 +3120,9 @@
* \deprecated This feature is deprecated. Please switch to the PSA driver
* interface.
*
+ * \warning This feature is not thread-safe, and should not be used in a
+ * multi-threaded environment.
+ *
* Module: library/psa_crypto_se.c
*
* Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C
@@ -3270,14 +3236,14 @@
#define MBEDTLS_SHA256_C
/**
- * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
*
* Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
* with the ARMv8 cryptographic extensions if they are available at runtime.
* If not, the library will fall back to the C implementation.
*
- * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building
- * for a non-Aarch64 build it will be silently ignored.
+ * \note If MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building
+ * for a non-Armv8-A build it will be silently ignored.
*
* \note Minimum compiler versions for this feature are Clang 4.0,
* armclang 6.6 or GCC 6.0.
@@ -3285,27 +3251,40 @@
* \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
* armclang <= 6.9
*
- * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the
- * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY.
+ * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT.
+ * That name is deprecated, but may still be used as an alternative form for this
+ * option.
+ *
+ * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the
+ * same time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
*
* Requires: MBEDTLS_SHA256_C.
*
* Module: library/sha256.c
*
- * Uncomment to have the library check for the A64 SHA-256 crypto extensions
+ * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions
* and use them if available.
*/
+//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+
+/**
+ * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ *
+ * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
+ * This name is now deprecated, but may still be used as an alternative form for
+ * this option.
+ */
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
/**
- * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+ * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
*
* Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms
* with the ARMv8 cryptographic extensions, which must be available at runtime
* or else an illegal instruction fault will occur.
*
* \note This allows builds with a smaller code size than with
- * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
*
* \note Minimum compiler versions for this feature are Clang 4.0,
* armclang 6.6 or GCC 6.0.
@@ -3313,16 +3292,29 @@
* \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
* armclang <= 6.9
*
- * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the same
- * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT.
+ * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY.
+ * That name is deprecated, but may still be used as an alternative form for this
+ * option.
+ *
+ * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same
+ * time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT.
*
* Requires: MBEDTLS_SHA256_C.
*
* Module: library/sha256.c
*
- * Uncomment to have the library use the A64 SHA-256 crypto extensions
+ * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions
* unconditionally.
*/
+//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+
+/**
+ * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+ *
+ * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY.
+ * This name is now deprecated, but may still be used as an alternative form for
+ * this option.
+ */
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
/**
@@ -4066,36 +4058,35 @@
* \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
*
* The default maximum amount of 0-RTT data. See the documentation of
- * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
+ * \c mbedtls_ssl_conf_max_early_data_size() for more information.
*
* It must be positive and smaller than UINT32_MAX.
*
* If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
* have any impact on the build.
- *
- * This feature is experimental, not completed and thus not ready for
- * production.
- *
*/
//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
/**
* \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
*
- * Maximum time difference in milliseconds tolerated between the age of a
- * ticket from the server and client point of view.
- * From the client point of view, the age of a ticket is the time difference
- * between the time when the client proposes to the server to use the ticket
- * (time of writing of the Pre-Shared Key Extension including the ticket) and
- * the time the client received the ticket from the server.
- * From the server point of view, the age of a ticket is the time difference
- * between the time when the server receives a proposition from the client
- * to use the ticket and the time when the ticket was created by the server.
- * The server age is expected to be always greater than the client one and
- * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the
- * maximum difference tolerated for the server to accept the ticket.
- * This is not used in TLS 1.2.
+ * Maximum allowed ticket age difference in milliseconds tolerated between
+ * server and client. Default value is 6000. This is not used in TLS 1.2.
+ *
+ * - The client ticket age is the time difference between the time when the
+ * client proposes to the server to use the ticket and the time the client
+ * received the ticket from the server.
+ * - The server ticket age is the time difference between the time when the
+ * server receives a proposition from the client to use the ticket and the
+ * time when the ticket was created by the server.
+ *
+ * The ages might be different due to the client and server clocks not running
+ * at the same pace. The typical accuracy of an RTC crystal is ±100 to ±20 parts
+ * per million (360 to 72 milliseconds per hour). Default tolerance window is
+ * 6s, thus in the worst case clients and servers must sync up their system time
+ * every 6000/360/2~=8 hours.
*
+ * See section 8.3 of the TLS 1.3 specification(RFC 8446) for more information.
*/
//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
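Review bot: The rewritten `MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE` text explains clock drift but not the cost of raising the value. The ticket age comparison is a freshness check (the section 8.3 the comment cites), so a larger tolerance also lengthens the period in which a captured ClientHello using the ticket is still accepted; a line such as ` * Increasing this value widens the window in which a replayed ticket is accepted.` would make that trade-off explicit. Minor: `specification(RFC 8446)` needs a space before the parenthesis, and `6000/360/2~=8` is easier to read as `6000 / (2 * 360) ~= 8`.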
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
deleted file mode 100644
index c9a7858..0000000
--- a/include/mbedtls/md.h
+++ /dev/null
@@ -1,652 +0,0 @@
-/**
- * \file md.h
- *
- * \brief This file contains the generic functions for message-digest
- * (hashing) and HMAC.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_MD_H
-#define MBEDTLS_MD_H
-#include "mbedtls/private_access.h"
-
-#include <stddef.h>
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/platform_util.h"
-
-#if defined(MBEDTLS_MD_LIGHT)
-
-/*
- * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
- * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
- * (see below).
- * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
- * via PSA (see below).
- * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
- * via a direct legacy call (see below).
- *
- * The md module performs an algorithm via PSA if there is a PSA hash
- * accelerator and the PSA driver subsytem is initialized at the time the
- * operation is started, and makes a direct legacy call otherwise.
- */
-
-/* PSA accelerated implementations */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
-#define MBEDTLS_MD_CAN_MD5
-#define MBEDTLS_MD_MD5_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
-#define MBEDTLS_MD_CAN_SHA1
-#define MBEDTLS_MD_SHA1_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
-#define MBEDTLS_MD_CAN_SHA224
-#define MBEDTLS_MD_SHA224_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
-#define MBEDTLS_MD_CAN_SHA256
-#define MBEDTLS_MD_SHA256_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
-#define MBEDTLS_MD_CAN_SHA384
-#define MBEDTLS_MD_SHA384_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
-#define MBEDTLS_MD_CAN_SHA512
-#define MBEDTLS_MD_SHA512_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
-#define MBEDTLS_MD_CAN_RIPEMD160
-#define MBEDTLS_MD_RIPEMD160_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
-#define MBEDTLS_MD_CAN_SHA3_224
-#define MBEDTLS_MD_SHA3_224_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
-#define MBEDTLS_MD_CAN_SHA3_256
-#define MBEDTLS_MD_SHA3_256_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
-#define MBEDTLS_MD_CAN_SHA3_384
-#define MBEDTLS_MD_SHA3_384_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
-#define MBEDTLS_MD_CAN_SHA3_512
-#define MBEDTLS_MD_SHA3_512_VIA_PSA
-#define MBEDTLS_MD_SOME_PSA
-#endif
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-/* Built-in implementations */
-#if defined(MBEDTLS_MD5_C)
-#define MBEDTLS_MD_CAN_MD5
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA1_C)
-#define MBEDTLS_MD_CAN_SHA1
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA224_C)
-#define MBEDTLS_MD_CAN_SHA224
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA256_C)
-#define MBEDTLS_MD_CAN_SHA256
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA384_C)
-#define MBEDTLS_MD_CAN_SHA384
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA512_C)
-#define MBEDTLS_MD_CAN_SHA512
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_SHA3_C)
-#define MBEDTLS_MD_CAN_SHA3_224
-#define MBEDTLS_MD_CAN_SHA3_256
-#define MBEDTLS_MD_CAN_SHA3_384
-#define MBEDTLS_MD_CAN_SHA3_512
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
-#define MBEDTLS_MD_CAN_RIPEMD160
-#define MBEDTLS_MD_SOME_LEGACY
-#endif
-
-#endif /* MBEDTLS_MD_LIGHT */
-
-/** The selected feature is not available. */
-#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100
-/** Failed to allocate memory. */
-#define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180
-/** Opening or reading of file failed. */
-#define MBEDTLS_ERR_MD_FILE_IO_ERROR -0x5200
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Supported message digests.
- *
- * \warning MD5 and SHA-1 are considered weak message digests and
- * their use constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-/* Note: these are aligned with the definitions of PSA_ALG_ macros for hashes,
- * in order to enable an efficient implementation of conversion functions.
- * This is tested by md_to_from_psa() in test_suite_md. */
-typedef enum {
- MBEDTLS_MD_NONE=0, /**< None. */
- MBEDTLS_MD_MD5=0x03, /**< The MD5 message digest. */
- MBEDTLS_MD_RIPEMD160=0x04, /**< The RIPEMD-160 message digest. */
- MBEDTLS_MD_SHA1=0x05, /**< The SHA-1 message digest. */
- MBEDTLS_MD_SHA224=0x08, /**< The SHA-224 message digest. */
- MBEDTLS_MD_SHA256=0x09, /**< The SHA-256 message digest. */
- MBEDTLS_MD_SHA384=0x0a, /**< The SHA-384 message digest. */
- MBEDTLS_MD_SHA512=0x0b, /**< The SHA-512 message digest. */
- MBEDTLS_MD_SHA3_224=0x10, /**< The SHA3-224 message digest. */
- MBEDTLS_MD_SHA3_256=0x11, /**< The SHA3-256 message digest. */
- MBEDTLS_MD_SHA3_384=0x12, /**< The SHA3-384 message digest. */
- MBEDTLS_MD_SHA3_512=0x13, /**< The SHA3-512 message digest. */
-} mbedtls_md_type_t;
-
-/* Note: this should always be >= PSA_HASH_MAX_SIZE
- * in all builds with both CRYPTO_C and MD_LIGHT.
- *
- * This is to make things easier for modules such as TLS that may define a
- * buffer size using MD_MAX_SIZE in a part of the code that's common to PSA
- * and legacy, then assume the buffer's size is PSA_HASH_MAX_SIZE in another
- * part of the code based on PSA.
- */
-#if defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA3_512)
-#define MBEDTLS_MD_MAX_SIZE 64 /* longest known is SHA512 */
-#elif defined(MBEDTLS_MD_CAN_SHA384) || defined(MBEDTLS_MD_CAN_SHA3_384)
-#define MBEDTLS_MD_MAX_SIZE 48 /* longest known is SHA384 */
-#elif defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA3_256)
-#define MBEDTLS_MD_MAX_SIZE 32 /* longest known is SHA256 */
-#elif defined(MBEDTLS_MD_CAN_SHA224) || defined(MBEDTLS_MD_CAN_SHA3_224)
-#define MBEDTLS_MD_MAX_SIZE 28 /* longest known is SHA224 */
-#else
-#define MBEDTLS_MD_MAX_SIZE 20 /* longest known is SHA1 or RIPE MD-160
- or smaller (MD5 and earlier) */
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 144 /* the longest known is SHA3-224 */
-#elif defined(MBEDTLS_MD_CAN_SHA3_256)
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 136
-#elif defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA384)
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 128
-#elif defined(MBEDTLS_MD_CAN_SHA3_384)
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 104
-#elif defined(MBEDTLS_MD_CAN_SHA3_512)
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 72
-#else
-#define MBEDTLS_MD_MAX_BLOCK_SIZE 64
-#endif
-
-/**
- * Opaque struct.
- *
- * Constructed using either #mbedtls_md_info_from_string or
- * #mbedtls_md_info_from_type.
- *
- * Fields can be accessed with #mbedtls_md_get_size,
- * #mbedtls_md_get_type and #mbedtls_md_get_name.
- */
-/* Defined internally in library/md_wrap.h. */
-typedef struct mbedtls_md_info_t mbedtls_md_info_t;
-
-/**
- * Used internally to indicate whether a context uses legacy or PSA.
- *
- * Internal use only.
- */
-typedef enum {
- MBEDTLS_MD_ENGINE_LEGACY = 0,
- MBEDTLS_MD_ENGINE_PSA,
-} mbedtls_md_engine_t;
-
-/**
- * The generic message-digest context.
- */
-typedef struct mbedtls_md_context_t {
- /** Information about the associated message digest. */
- const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info);
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- /** Are hash operations dispatched to PSA or legacy? */
- mbedtls_md_engine_t MBEDTLS_PRIVATE(engine);
-#endif
-
- /** The digest-specific context (legacy) or the PSA operation. */
- void *MBEDTLS_PRIVATE(md_ctx);
-
-#if defined(MBEDTLS_MD_C)
- /** The HMAC part of the context. */
- void *MBEDTLS_PRIVATE(hmac_ctx);
-#endif
-} mbedtls_md_context_t;
-
-/**
- * \brief This function returns the message-digest information
- * associated with the given digest type.
- *
- * \param md_type The type of digest to search for.
- *
- * \return The message-digest information associated with \p md_type.
- * \return NULL if the associated message-digest information is not found.
- */
-const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type);
-
-/**
- * \brief This function initializes a message-digest context without
- * binding it to a particular message-digest algorithm.
- *
- * This function should always be called first. It prepares the
- * context for mbedtls_md_setup() for binding it to a
- * message-digest algorithm.
- */
-void mbedtls_md_init(mbedtls_md_context_t *ctx);
-
-/**
- * \brief This function clears the internal structure of \p ctx and
- * frees any embedded internal structure, but does not free
- * \p ctx itself.
- *
- * If you have called mbedtls_md_setup() on \p ctx, you must
- * call mbedtls_md_free() when you are no longer using the
- * context.
- * Calling this function if you have previously
- * called mbedtls_md_init() and nothing else is optional.
- * You must not call this function if you have not called
- * mbedtls_md_init().
- */
-void mbedtls_md_free(mbedtls_md_context_t *ctx);
-
-
-/**
- * \brief This function selects the message digest algorithm to use,
- * and allocates internal structures.
- *
- * It should be called after mbedtls_md_init() or
- * mbedtls_md_free(). Makes it necessary to call
- * mbedtls_md_free() later.
- *
- * \param ctx The context to set up.
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- * \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory),
- * or non-zero: HMAC is used with this context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- * \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac);
-
-/**
- * \brief This function clones the state of a message-digest
- * context.
- *
- * \note You must call mbedtls_md_setup() on \c dst before calling
- * this function.
- *
- * \note The two contexts must have the same type,
- * for example, both are SHA-256.
- *
- * \warning This function clones the message-digest state, not the
- * HMAC state.
- *
- * \param dst The destination context.
- * \param src The context to be cloned.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
- * \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are
- * not using the same engine. This can be avoided by moving
- * the call to psa_crypto_init() before the first call to
- * mbedtls_md_setup().
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_clone(mbedtls_md_context_t *dst,
- const mbedtls_md_context_t *src);
-
-/**
- * \brief This function extracts the message-digest size from the
- * message-digest information structure.
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- *
- * \return The size of the message-digest output in Bytes.
- */
-unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info);
-
-/**
- * \brief This function gives the message-digest size associated to
- * message-digest type.
- *
- * \param md_type The message-digest type.
- *
- * \return The size of the message-digest output in Bytes,
- * or 0 if the message-digest type is not known.
- */
-static inline unsigned char mbedtls_md_get_size_from_type(mbedtls_md_type_t md_type)
-{
- return mbedtls_md_get_size(mbedtls_md_info_from_type(md_type));
-}
-
-/**
- * \brief This function extracts the message-digest type from the
- * message-digest information structure.
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- *
- * \return The type of the message digest.
- */
-mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info);
-
-/**
- * \brief This function starts a message-digest computation.
- *
- * You must call this function after setting up the context
- * with mbedtls_md_setup(), and before passing data with
- * mbedtls_md_update().
- *
- * \param ctx The generic message-digest context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_starts(mbedtls_md_context_t *ctx);
-
-/**
- * \brief This function feeds an input buffer into an ongoing
- * message-digest computation.
- *
- * You must call mbedtls_md_starts() before calling this
- * function. You may call this function multiple times.
- * Afterwards, call mbedtls_md_finish().
- *
- * \param ctx The generic message-digest context.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen);
-
-/**
- * \brief This function finishes the digest operation,
- * and writes the result to the output buffer.
- *
- * Call this function after a call to mbedtls_md_starts(),
- * followed by any number of calls to mbedtls_md_update().
- * Afterwards, you may either clear the context with
- * mbedtls_md_free(), or call mbedtls_md_starts() to reuse
- * the context for another digest operation with the same
- * algorithm.
- *
- * \param ctx The generic message-digest context.
- * \param output The buffer for the generic message-digest checksum result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output);
-
-/**
- * \brief This function calculates the message-digest of a buffer,
- * with respect to a configurable message-digest algorithm
- * in a single call.
- *
- * The result is calculated as
- * Output = message_digest(input buffer).
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
- * \param output The generic message-digest checksum result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
- unsigned char *output);
-
-/**
- * \brief This function returns the list of digests supported by the
- * generic digest module.
- *
- * \note The list starts with the strongest available hashes.
- *
- * \return A statically allocated array of digests. Each element
- * in the returned list is an integer belonging to the
- * message-digest enumeration #mbedtls_md_type_t.
- * The last entry is 0.
- */
-const int *mbedtls_md_list(void);
-
-/**
- * \brief This function returns the message-digest information
- * associated with the given digest name.
- *
- * \param md_name The name of the digest to search for.
- *
- * \return The message-digest information associated with \p md_name.
- * \return NULL if the associated message-digest information is not found.
- */
-const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name);
-
-/**
- * \brief This function returns the name of the message digest for
- * the message-digest information structure given.
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- *
- * \return The name of the message digest.
- */
-const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info);
-
-/**
- * \brief This function returns the message-digest information
- * from the given context.
- *
- * \param ctx The context from which to extract the information.
- * This must be initialized (or \c NULL).
- *
- * \return The message-digest information associated with \p ctx.
- * \return \c NULL if \p ctx is \c NULL.
- */
-const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
- const mbedtls_md_context_t *ctx);
-
-#if defined(MBEDTLS_FS_IO)
-/**
- * \brief This function calculates the message-digest checksum
- * result of the contents of the provided file.
- *
- * The result is calculated as
- * Output = message_digest(file contents).
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- * \param path The input file name.
- * \param output The generic message-digest checksum result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
- * the file pointed by \p path.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path,
- unsigned char *output);
-#endif /* MBEDTLS_FS_IO */
-
-/**
- * \brief This function sets the HMAC key and prepares to
- * authenticate a new message.
- *
- * Call this function after mbedtls_md_setup(), to use
- * the MD context for an HMAC calculation, then call
- * mbedtls_md_hmac_update() to provide the input data, and
- * mbedtls_md_hmac_finish() to get the HMAC value.
- *
- * \param ctx The message digest context containing an embedded HMAC
- * context.
- * \param key The HMAC secret key.
- * \param keylen The length of the HMAC key in Bytes.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key,
- size_t keylen);
-
-/**
- * \brief This function feeds an input buffer into an ongoing HMAC
- * computation.
- *
- * Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
- * before calling this function.
- * You may call this function multiple times to pass the
- * input piecewise.
- * Afterwards, call mbedtls_md_hmac_finish().
- *
- * \param ctx The message digest context containing an embedded HMAC
- * context.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief This function finishes the HMAC operation, and writes
- * the result to the output buffer.
- *
- * Call this function after mbedtls_md_hmac_starts() and
- * mbedtls_md_hmac_update() to get the HMAC value. Afterwards
- * you may either call mbedtls_md_free() to clear the context,
- * or call mbedtls_md_hmac_reset() to reuse the context with
- * the same HMAC key.
- *
- * \param ctx The message digest context containing an embedded HMAC
- * context.
- * \param output The generic HMAC checksum result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output);
-
-/**
- * \brief This function prepares to authenticate a new message with
- * the same key as the previous HMAC operation.
- *
- * You may call this function after mbedtls_md_hmac_finish().
- * Afterwards call mbedtls_md_hmac_update() to pass the new
- * input.
- *
- * \param ctx The message digest context containing an embedded HMAC
- * context.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx);
-
-/**
- * \brief This function calculates the full generic HMAC
- * on the input buffer with the provided key.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The HMAC result is calculated as
- * output = generic HMAC(hmac key, input buffer).
- *
- * \param md_info The information structure of the message-digest algorithm
- * to use.
- * \param key The HMAC secret key.
- * \param keylen The length of the HMAC secret key in Bytes.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- * \param output The generic HMAC result.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- * failure.
- */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
- const unsigned char *input, size_t ilen,
- unsigned char *output);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_MD_H */
diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h
deleted file mode 100644
index 8081886..0000000
--- a/include/mbedtls/md5.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/**
- * \file md5.h
- *
- * \brief MD5 message digest algorithm (hash function)
- *
- * \warning MD5 is considered a weak message digest and its use constitutes a
- * security risk. We recommend considering stronger message
- * digests instead.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_MD5_H
-#define MBEDTLS_MD5_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_MD5_ALT)
-// Regular implementation
-//
-
-/**
- * \brief MD5 context structure
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-typedef struct mbedtls_md5_context {
- uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */
- uint32_t MBEDTLS_PRIVATE(state)[4]; /*!< intermediate digest state */
- unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */
-}
-mbedtls_md5_context;
-
-#else /* MBEDTLS_MD5_ALT */
-#include "md5_alt.h"
-#endif /* MBEDTLS_MD5_ALT */
-
-/**
- * \brief Initialize MD5 context
- *
- * \param ctx MD5 context to be initialized
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-void mbedtls_md5_init(mbedtls_md5_context *ctx);
-
-/**
- * \brief Clear MD5 context
- *
- * \param ctx MD5 context to be cleared
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-void mbedtls_md5_free(mbedtls_md5_context *ctx);
-
-/**
- * \brief Clone (the state of) an MD5 context
- *
- * \param dst The destination context
- * \param src The context to be cloned
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-void mbedtls_md5_clone(mbedtls_md5_context *dst,
- const mbedtls_md5_context *src);
-
-/**
- * \brief MD5 context setup
- *
- * \param ctx context to be initialized
- *
- * \return 0 if successful
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_md5_starts(mbedtls_md5_context *ctx);
-
-/**
- * \brief MD5 process buffer
- *
- * \param ctx MD5 context
- * \param input buffer holding the data
- * \param ilen length of the input data
- *
- * \return 0 if successful
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_md5_update(mbedtls_md5_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief MD5 final digest
- *
- * \param ctx MD5 context
- * \param output MD5 checksum result
- *
- * \return 0 if successful
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_md5_finish(mbedtls_md5_context *ctx,
- unsigned char output[16]);
-
-/**
- * \brief MD5 process data block (internal use only)
- *
- * \param ctx MD5 context
- * \param data buffer holding one block of data
- *
- * \return 0 if successful
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
- const unsigned char data[64]);
-
-/**
- * \brief Output = MD5( input buffer )
- *
- * \param input buffer holding the data
- * \param ilen length of the input data
- * \param output MD5 checksum result
- *
- * \return 0 if successful
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_md5(const unsigned char *input,
- size_t ilen,
- unsigned char output[16]);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- *
- * \warning MD5 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-int mbedtls_md5_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_md5.h */
diff --git a/include/mbedtls/memory_buffer_alloc.h b/include/mbedtls/memory_buffer_alloc.h
deleted file mode 100644
index 9694d24..0000000
--- a/include/mbedtls/memory_buffer_alloc.h
+++ /dev/null
@@ -1,154 +0,0 @@
-/**
- * \file memory_buffer_alloc.h
- *
- * \brief Buffer-based memory allocator
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
-#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h or define them on the compiler command line.
- * \{
- */
-
-#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
-#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
-#endif
-
-/** \} name SECTION: Module settings */
-
-#define MBEDTLS_MEMORY_VERIFY_NONE 0
-#define MBEDTLS_MEMORY_VERIFY_ALLOC (1 << 0)
-#define MBEDTLS_MEMORY_VERIFY_FREE (1 << 1)
-#define MBEDTLS_MEMORY_VERIFY_ALWAYS (MBEDTLS_MEMORY_VERIFY_ALLOC | \
- MBEDTLS_MEMORY_VERIFY_FREE)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Initialize use of stack-based memory allocator.
- * The stack-based allocator does memory management inside the
- * presented buffer and does not call calloc() and free().
- * It sets the global mbedtls_calloc() and mbedtls_free() pointers
- * to its own functions.
- * (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
- * MBEDTLS_THREADING_C is defined)
- *
- * \note This code is not optimized and provides a straight-forward
- * implementation of a stack-based memory allocator.
- *
- * \param buf buffer to use as heap
- * \param len size of the buffer
- */
-void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len);
-
-/**
- * \brief Free the mutex for thread-safety and clear remaining memory
- */
-void mbedtls_memory_buffer_alloc_free(void);
-
-/**
- * \brief Determine when the allocator should automatically verify the state
- * of the entire chain of headers / meta-data.
- * (Default: MBEDTLS_MEMORY_VERIFY_NONE)
- *
- * \param verify One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
- * MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
- */
-void mbedtls_memory_buffer_set_verify(int verify);
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
-/**
- * \brief Print out the status of the allocated memory (primarily for use
- * after a program should have de-allocated all memory)
- * Prints out a list of 'still allocated' blocks and their stack
- * trace if MBEDTLS_MEMORY_BACKTRACE is defined.
- */
-void mbedtls_memory_buffer_alloc_status(void);
-
-/**
- * \brief Get the number of alloc/free so far.
- *
- * \param alloc_count Number of allocations.
- * \param free_count Number of frees.
- */
-void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count);
-
-/**
- * \brief Get the peak heap usage so far
- *
- * \param max_used Peak number of bytes in use or committed. This
- * includes bytes in allocated blocks too small to split
- * into smaller blocks but larger than the requested size.
- * \param max_blocks Peak number of blocks in use, including free and used
- */
-void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks);
-
-/**
- * \brief Reset peak statistics
- */
-void mbedtls_memory_buffer_alloc_max_reset(void);
-
-/**
- * \brief Get the current heap usage
- *
- * \param cur_used Current number of bytes in use or committed. This
- * includes bytes in allocated blocks too small to split
- * into smaller blocks but larger than the requested size.
- * \param cur_blocks Current number of blocks in use, including free and used
- */
-void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks);
-#endif /* MBEDTLS_MEMORY_DEBUG */
-
-/**
- * \brief Verifies that all headers in the memory buffer are correct
- * and contain sane values. Helps debug buffer-overflow errors.
- *
- * Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
- * Prints out full header information if MBEDTLS_MEMORY_DEBUG
- * is defined. (Includes stack trace information for each block if
- * MBEDTLS_MEMORY_BACKTRACE is defined as well).
- *
- * \return 0 if verified, 1 otherwise
- */
-int mbedtls_memory_buffer_alloc_verify(void);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if a test failed
- */
-int mbedtls_memory_buffer_alloc_self_test(int verbose);
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* memory_buffer_alloc.h */
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index 1096d66..85c1197 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -21,19 +21,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_NET_SOCKETS_H
#define MBEDTLS_NET_SOCKETS_H
@@ -155,7 +143,7 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
* \param client_ctx Will contain the connected client socket
* \param client_ip Will contain the client IP address, can be NULL
* \param buf_size Size of the client_ip buffer
- * \param ip_len Will receive the size of the client IP written,
+ * \param cip_len Will receive the size of the client IP written,
* can be NULL if client_ip is null
*
* \return 0 if successful, or
@@ -168,7 +156,7 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
*/
int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
mbedtls_net_context *client_ctx,
- void *client_ip, size_t buf_size, size_t *ip_len);
+ void *client_ip, size_t buf_size, size_t *cip_len);
/**
* \brief Check and wait for the context to be ready for read/write
diff --git a/include/mbedtls/nist_kw.h b/include/mbedtls/nist_kw.h
deleted file mode 100644
index 0c95c90..0000000
--- a/include/mbedtls/nist_kw.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/**
- * \file nist_kw.h
- *
- * \brief This file provides an API for key wrapping (KW) and key wrapping with
- * padding (KWP) as defined in NIST SP 800-38F.
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
- *
- * Key wrapping specifies a deterministic authenticated-encryption mode
- * of operation, according to <em>NIST SP 800-38F: Recommendation for
- * Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
- * purpose is to protect cryptographic keys.
- *
- * Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
- * https://tools.ietf.org/html/rfc3394
- * https://tools.ietf.org/html/rfc5649
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_NIST_KW_H
-#define MBEDTLS_NIST_KW_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/cipher.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef enum {
- MBEDTLS_KW_MODE_KW = 0,
- MBEDTLS_KW_MODE_KWP = 1
-} mbedtls_nist_kw_mode_t;
-
-#if !defined(MBEDTLS_NIST_KW_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The key wrapping context-type definition. The key wrapping context is passed
- * to the APIs called.
- *
- * \note The definition of this type may change in future library versions.
- * Don't make any assumptions on this context!
- */
-typedef struct {
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
-} mbedtls_nist_kw_context;
-
-#else /* MBEDTLS_NIST_key wrapping_ALT */
-#include "nist_kw_alt.h"
-#endif /* MBEDTLS_NIST_KW_ALT */
-
-/**
- * \brief This function initializes the specified key wrapping context
- * to make references valid and prepare the context
- * for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
- *
- * \param ctx The key wrapping context to initialize.
- *
- */
-void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx);
-
-/**
- * \brief This function initializes the key wrapping context set in the
- * \p ctx parameter and sets the encryption key.
- *
- * \param ctx The key wrapping context.
- * \param cipher The 128-bit block cipher to use. Only AES is supported.
- * \param key The Key Encryption Key (KEK).
- * \param keybits The KEK size in bits. This must be acceptable by the cipher.
- * \param is_wrap Specify whether the operation within the context is wrapping or unwrapping
- *
- * \return \c 0 on success.
- * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
- * \return \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
- * which are not supported.
- * \return cipher-specific error code on failure of the underlying cipher.
- */
-int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits,
- const int is_wrap);
-
-/**
- * \brief This function releases and clears the specified key wrapping context
- * and underlying cipher sub-context.
- *
- * \param ctx The key wrapping context to clear.
- */
-void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx);
-
-/**
- * \brief This function encrypts a buffer using key wrapping.
- *
- * \param ctx The key wrapping context to use for encryption.
- * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
- * \param input The buffer holding the input data.
- * \param in_len The length of the input data in Bytes.
- * The input uses units of 8 Bytes called semiblocks.
- * <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
- * <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
- * \param[out] output The buffer holding the output data.
- * <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
- * <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
- * 8 bytes for KWP (15 bytes at most).</li></ul>
- * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
- * \param[in] out_size The capacity of the output buffer.
- *
- * \return \c 0 on success.
- * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
- * \return cipher-specific error code on failure of the underlying cipher.
- */
-int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
- const unsigned char *input, size_t in_len,
- unsigned char *output, size_t *out_len, size_t out_size);
-
-/**
- * \brief This function decrypts a buffer using key wrapping.
- *
- * \param ctx The key wrapping context to use for decryption.
- * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
- * \param input The buffer holding the input data.
- * \param in_len The length of the input data in Bytes.
- * The input uses units of 8 Bytes called semiblocks.
- * The input must be a multiple of semiblocks.
- * <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
- * <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
- * \param[out] output The buffer holding the output data.
- * The output buffer's minimal length is 8 bytes shorter than \p in_len.
- * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
- * For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
- * depending on how much padding was added to the data.
- * \param[in] out_size The capacity of the output buffer.
- *
- * \return \c 0 on success.
- * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
- * \return \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
- * \return cipher-specific error code on failure of the underlying cipher.
- */
-int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
- const unsigned char *input, size_t in_len,
- unsigned char *output, size_t *out_len, size_t out_size);
-
-
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-/**
- * \brief The key wrapping checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_nist_kw_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_NIST_KW_H */
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
deleted file mode 100644
index 9545072..0000000
--- a/include/mbedtls/oid.h
+++ /dev/null
@@ -1,734 +0,0 @@
-/**
- * \file oid.h
- *
- * \brief Object Identifier (OID) database
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_OID_H
-#define MBEDTLS_OID_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/asn1.h"
-#include "mbedtls/pk.h"
-
-#include <stddef.h>
-
-#if defined(MBEDTLS_CIPHER_C)
-#include "mbedtls/cipher.h"
-#endif
-
-#include "mbedtls/md.h"
-
-/** OID is not found. */
-#define MBEDTLS_ERR_OID_NOT_FOUND -0x002E
-/** output buffer is too small */
-#define MBEDTLS_ERR_OID_BUF_TOO_SMALL -0x000B
-
-/* This is for the benefit of X.509, but defined here in order to avoid
- * having a "backwards" include of x.509.h here */
-/*
- * X.509 extension types (internal, arbitrary values for bitsets)
- */
-#define MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
-#define MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
-#define MBEDTLS_OID_X509_EXT_KEY_USAGE (1 << 2)
-#define MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES (1 << 3)
-#define MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS (1 << 4)
-#define MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME (1 << 5)
-#define MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME (1 << 6)
-#define MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
-#define MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS (1 << 8)
-#define MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS (1 << 9)
-#define MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS (1 << 10)
-#define MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE (1 << 11)
-#define MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
-#define MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13)
-#define MBEDTLS_OID_X509_EXT_FRESHEST_CRL (1 << 14)
-#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16)
-
-/*
- * Maximum number of OID components allowed
- */
-#define MBEDTLS_OID_MAX_COMPONENTS 128
-
-/*
- * Top level OID tuples
- */
-#define MBEDTLS_OID_ISO_MEMBER_BODIES "\x2a" /* {iso(1) member-body(2)} */
-#define MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x2b" /* {iso(1) identified-organization(3)} */
-#define MBEDTLS_OID_ISO_CCITT_DS "\x55" /* {joint-iso-ccitt(2) ds(5)} */
-#define MBEDTLS_OID_ISO_ITU_COUNTRY "\x60" /* {joint-iso-itu-t(2) country(16)} */
-
-/*
- * ISO Member bodies OID parts
- */
-#define MBEDTLS_OID_COUNTRY_US "\x86\x48" /* {us(840)} */
-#define MBEDTLS_OID_ORG_RSA_DATA_SECURITY "\x86\xf7\x0d" /* {rsadsi(113549)} */
-#define MBEDTLS_OID_RSA_COMPANY MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
- MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
-#define MBEDTLS_OID_ORG_ANSI_X9_62 "\xce\x3d" /* ansi-X9-62(10045) */
-#define MBEDTLS_OID_ANSI_X9_62 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
- MBEDTLS_OID_ORG_ANSI_X9_62
-
-/*
- * ISO Identified organization OID parts
- */
-#define MBEDTLS_OID_ORG_DOD "\x06" /* {dod(6)} */
-#define MBEDTLS_OID_ORG_OIW "\x0e"
-#define MBEDTLS_OID_OIW_SECSIG MBEDTLS_OID_ORG_OIW "\x03"
-#define MBEDTLS_OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG "\x02"
-#define MBEDTLS_OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
-#define MBEDTLS_OID_ORG_THAWTE "\x65" /* thawte(101) */
-#define MBEDTLS_OID_THAWTE MBEDTLS_OID_ISO_IDENTIFIED_ORG \
- MBEDTLS_OID_ORG_THAWTE
-#define MBEDTLS_OID_ORG_CERTICOM "\x81\x04" /* certicom(132) */
-#define MBEDTLS_OID_CERTICOM MBEDTLS_OID_ISO_IDENTIFIED_ORG \
- MBEDTLS_OID_ORG_CERTICOM
-#define MBEDTLS_OID_ORG_TELETRUST "\x24" /* teletrust(36) */
-#define MBEDTLS_OID_TELETRUST MBEDTLS_OID_ISO_IDENTIFIED_ORG \
- MBEDTLS_OID_ORG_TELETRUST
-
-/*
- * ISO ITU OID parts
- */
-#define MBEDTLS_OID_ORGANIZATION "\x01" /* {organization(1)} */
-#define MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_COUNTRY MBEDTLS_OID_COUNTRY_US \
- MBEDTLS_OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
-
-#define MBEDTLS_OID_ORG_GOV "\x65" /* {gov(101)} */
-#define MBEDTLS_OID_GOV MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
-
-#define MBEDTLS_OID_ORG_NETSCAPE "\x86\xF8\x42" /* {netscape(113730)} */
-#define MBEDTLS_OID_NETSCAPE MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
-
-/* ISO arc for standard certificate and CRL extensions */
-#define MBEDTLS_OID_ID_CE MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
-
-#define MBEDTLS_OID_NIST_ALG MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
-
-/**
- * Private Internet Extensions
- * { iso(1) identified-organization(3) dod(6) internet(1)
- * security(5) mechanisms(5) pkix(7) }
- */
-#define MBEDTLS_OID_INTERNET MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD \
- "\x01"
-#define MBEDTLS_OID_PKIX MBEDTLS_OID_INTERNET "\x05\x05\x07"
-
-/*
- * Arc for standard naming attributes
- */
-#define MBEDTLS_OID_AT MBEDTLS_OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
-#define MBEDTLS_OID_AT_CN MBEDTLS_OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
-#define MBEDTLS_OID_AT_SUR_NAME MBEDTLS_OID_AT "\x04" /**< id-at-surName AttributeType:= {id-at 4} */
-#define MBEDTLS_OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT "\x05" /**< id-at-serialNumber AttributeType:= {id-at 5} */
-#define MBEDTLS_OID_AT_COUNTRY MBEDTLS_OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
-#define MBEDTLS_OID_AT_LOCALITY MBEDTLS_OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
-#define MBEDTLS_OID_AT_STATE MBEDTLS_OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
-#define MBEDTLS_OID_AT_ORGANIZATION MBEDTLS_OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
-#define MBEDTLS_OID_AT_ORG_UNIT MBEDTLS_OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
-#define MBEDTLS_OID_AT_TITLE MBEDTLS_OID_AT "\x0C" /**< id-at-title AttributeType:= {id-at 12} */
-#define MBEDTLS_OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT "\x10" /**< id-at-postalAddress AttributeType:= {id-at 16} */
-#define MBEDTLS_OID_AT_POSTAL_CODE MBEDTLS_OID_AT "\x11" /**< id-at-postalCode AttributeType:= {id-at 17} */
-#define MBEDTLS_OID_AT_GIVEN_NAME MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
-#define MBEDTLS_OID_AT_INITIALS MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
-#define MBEDTLS_OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
-#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributeType:= {id-at 45} */
-#define MBEDTLS_OID_AT_DN_QUALIFIER MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
-#define MBEDTLS_OID_AT_PSEUDONYM MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
-
-#define MBEDTLS_OID_UID "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x01" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) uid(1)} */
-#define MBEDTLS_OID_DOMAIN_COMPONENT "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
-
-/*
- * OIDs for standard certificate extensions
- */
-#define MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
-#define MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
-#define MBEDTLS_OID_KEY_USAGE MBEDTLS_OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
-#define MBEDTLS_OID_CERTIFICATE_POLICIES MBEDTLS_OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
-#define MBEDTLS_OID_POLICY_MAPPINGS MBEDTLS_OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
-#define MBEDTLS_OID_SUBJECT_ALT_NAME MBEDTLS_OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
-#define MBEDTLS_OID_ISSUER_ALT_NAME MBEDTLS_OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
-#define MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
-#define MBEDTLS_OID_BASIC_CONSTRAINTS MBEDTLS_OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
-#define MBEDTLS_OID_NAME_CONSTRAINTS MBEDTLS_OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
-#define MBEDTLS_OID_POLICY_CONSTRAINTS MBEDTLS_OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
-#define MBEDTLS_OID_EXTENDED_KEY_USAGE MBEDTLS_OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
-#define MBEDTLS_OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
-#define MBEDTLS_OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
-#define MBEDTLS_OID_FRESHEST_CRL MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
-
-/*
- * Certificate policies
- */
-#define MBEDTLS_OID_ANY_POLICY MBEDTLS_OID_CERTIFICATE_POLICIES "\x00" /**< anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } */
-
-/*
- * Netscape certificate extensions
- */
-#define MBEDTLS_OID_NS_CERT MBEDTLS_OID_NETSCAPE "\x01"
-#define MBEDTLS_OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT "\x01"
-#define MBEDTLS_OID_NS_BASE_URL MBEDTLS_OID_NS_CERT "\x02"
-#define MBEDTLS_OID_NS_REVOCATION_URL MBEDTLS_OID_NS_CERT "\x03"
-#define MBEDTLS_OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CERT "\x04"
-#define MBEDTLS_OID_NS_RENEWAL_URL MBEDTLS_OID_NS_CERT "\x07"
-#define MBEDTLS_OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CERT "\x08"
-#define MBEDTLS_OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_CERT "\x0C"
-#define MBEDTLS_OID_NS_COMMENT MBEDTLS_OID_NS_CERT "\x0D"
-#define MBEDTLS_OID_NS_DATA_TYPE MBEDTLS_OID_NETSCAPE "\x02"
-#define MBEDTLS_OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_DATA_TYPE "\x05"
-
-/*
- * OIDs for CRL extensions
- */
-#define MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_ID_CE "\x10"
-#define MBEDTLS_OID_CRL_NUMBER MBEDTLS_OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
-
-/*
- * X.509 v3 Extended key usage OIDs
- */
-#define MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
-
-#define MBEDTLS_OID_KP MBEDTLS_OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
-#define MBEDTLS_OID_SERVER_AUTH MBEDTLS_OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
-#define MBEDTLS_OID_CLIENT_AUTH MBEDTLS_OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
-#define MBEDTLS_OID_CODE_SIGNING MBEDTLS_OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
-#define MBEDTLS_OID_EMAIL_PROTECTION MBEDTLS_OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
-#define MBEDTLS_OID_TIME_STAMPING MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
-#define MBEDTLS_OID_OCSP_SIGNING MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
-
-/**
- * Wi-SUN Alliance Field Area Network
- * { iso(1) identified-organization(3) dod(6) internet(1)
- * private(4) enterprise(1) WiSUN(45605) FieldAreaNetwork(1) }
- */
-#define MBEDTLS_OID_WISUN_FAN MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01"
-
-#define MBEDTLS_OID_ON MBEDTLS_OID_PKIX "\x08" /**< id-on OBJECT IDENTIFIER ::= { id-pkix 8 } */
-#define MBEDTLS_OID_ON_HW_MODULE_NAME MBEDTLS_OID_ON "\x04" /**< id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on 4 } */
-
-/*
- * PKCS definition OIDs
- */
-
-#define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
-#define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
-#define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
-#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */
-#define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
-#define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
-
-/*
- * PKCS#1 OIDs
- */
-#define MBEDTLS_OID_PKCS1_RSA MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
-#define MBEDTLS_OID_PKCS1_MD5 MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
-#define MBEDTLS_OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
-#define MBEDTLS_OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
-#define MBEDTLS_OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
-#define MBEDTLS_OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
-#define MBEDTLS_OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
-
-#define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
-
-#define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
-
-/* RFC 4055 */
-#define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
-#define MBEDTLS_OID_MGF1 MBEDTLS_OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */
-
-/*
- * Digest algorithms
- */
-#define MBEDTLS_OID_DIGEST_ALG_MD5 MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA1 MBEDTLS_OID_ISO_IDENTIFIED_ORG \
- MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA224 MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA256 MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA384 MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA512 MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
-
-#define MBEDTLS_OID_DIGEST_ALG_RIPEMD160 MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */
-
-#define MBEDTLS_OID_DIGEST_ALG_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */
-
-
-#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
-
-#define MBEDTLS_OID_HMAC_SHA224 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
-
-#define MBEDTLS_OID_HMAC_SHA256 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
-
-#define MBEDTLS_OID_HMAC_SHA384 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
-
-#define MBEDTLS_OID_HMAC_SHA512 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
-
-#define MBEDTLS_OID_HMAC_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x0d" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-224(13) } */
-
-#define MBEDTLS_OID_HMAC_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x0e" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-256(14) } */
-
-#define MBEDTLS_OID_HMAC_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x0f" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-384(15) } */
-
-#define MBEDTLS_OID_HMAC_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x10" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-512(16) } */
-
-#define MBEDTLS_OID_HMAC_RIPEMD160 MBEDTLS_OID_INTERNET "\x05\x05\x08\x01\x04" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) iso-identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) ipsec(8) isakmpOakley(1) hmacRIPEMD160(4)} */
-
-/*
- * Encryption algorithms
- */
-#define MBEDTLS_OID_DES_CBC MBEDTLS_OID_ISO_IDENTIFIED_ORG \
- MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
-#define MBEDTLS_OID_DES_EDE3_CBC MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
-#define MBEDTLS_OID_AES MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
-
-/*
- * Key Wrapping algorithms
- */
-/*
- * RFC 5649
- */
-#define MBEDTLS_OID_AES128_KW MBEDTLS_OID_AES "\x05" /** id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } */
-#define MBEDTLS_OID_AES128_KWP MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
-#define MBEDTLS_OID_AES192_KW MBEDTLS_OID_AES "\x19" /** id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } */
-#define MBEDTLS_OID_AES192_KWP MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
-#define MBEDTLS_OID_AES256_KW MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } */
-#define MBEDTLS_OID_AES256_KWP MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
-/*
- * PKCS#5 OIDs
- */
-#define MBEDTLS_OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
-#define MBEDTLS_OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
-#define MBEDTLS_OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
-
-/*
- * PKCS#5 PBES1 algorithms
- */
-#define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
-#define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
-#define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
-#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
-
-/*
- * PKCS#7 OIDs
- */
-#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */
-#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */
-#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */
-#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */
-#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */
-#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */
-
-/*
- * PKCS#8 OIDs
- */
-#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
-
-/*
- * PKCS#12 PBE OIDs
- */
-#define MBEDTLS_OID_PKCS12_PBE MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
-
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
-
-/*
- * EC key algorithms from RFC 5480
- */
-
-/* id-ecPublicKey OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } */
-#define MBEDTLS_OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_ANSI_X9_62 "\x02\01"
-
-/* id-ecDH OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132)
- * schemes(1) ecdh(12) } */
-#define MBEDTLS_OID_EC_ALG_ECDH MBEDTLS_OID_CERTICOM "\x01\x0c"
-
-/*
- * ECParameters namedCurve identifiers, from RFC 5480, RFC 5639, and SEC2
- */
-
-/* secp192r1 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } */
-#define MBEDTLS_OID_EC_GRP_SECP192R1 MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x01"
-
-/* secp224r1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 33 } */
-#define MBEDTLS_OID_EC_GRP_SECP224R1 MBEDTLS_OID_CERTICOM "\x00\x21"
-
-/* secp256r1 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } */
-#define MBEDTLS_OID_EC_GRP_SECP256R1 MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x07"
-
-/* secp384r1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 34 } */
-#define MBEDTLS_OID_EC_GRP_SECP384R1 MBEDTLS_OID_CERTICOM "\x00\x22"
-
-/* secp521r1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 35 } */
-#define MBEDTLS_OID_EC_GRP_SECP521R1 MBEDTLS_OID_CERTICOM "\x00\x23"
-
-/* secp192k1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 31 } */
-#define MBEDTLS_OID_EC_GRP_SECP192K1 MBEDTLS_OID_CERTICOM "\x00\x1f"
-
-/* secp224k1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 32 } */
-#define MBEDTLS_OID_EC_GRP_SECP224K1 MBEDTLS_OID_CERTICOM "\x00\x20"
-
-/* secp256k1 OBJECT IDENTIFIER ::= {
- * iso(1) identified-organization(3) certicom(132) curve(0) 10 } */
-#define MBEDTLS_OID_EC_GRP_SECP256K1 MBEDTLS_OID_CERTICOM "\x00\x0a"
-
-/* RFC 5639 4.1
- * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
- * identified-organization(3) teletrust(36) algorithm(3) signature-
- * algorithm(3) ecSign(2) 8}
- * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
- * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */
-#define MBEDTLS_OID_EC_BRAINPOOL_V1 MBEDTLS_OID_TELETRUST "\x03\x03\x02\x08\x01\x01"
-
-/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */
-#define MBEDTLS_OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x07"
-
-/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */
-#define MBEDTLS_OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0B"
-
-/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */
-#define MBEDTLS_OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0D"
-
-/*
- * SEC1 C.1
- *
- * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
- * id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
- */
-#define MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62 "\x01"
-#define MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE "\x01"
-
-/*
- * ECDSA signature identifiers, from RFC 5480
- */
-#define MBEDTLS_OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62 "\x04" /* signatures(4) */
-#define MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG "\x03" /* ecdsa-with-SHA2(3) */
-
-/* ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 } */
-#define MBEDTLS_OID_ECDSA_SHA1 MBEDTLS_OID_ANSI_X9_62_SIG "\x01"
-
-/* ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
- * ecdsa-with-SHA2(3) 1 } */
-#define MBEDTLS_OID_ECDSA_SHA224 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x01"
-
-/* ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
- * ecdsa-with-SHA2(3) 2 } */
-#define MBEDTLS_OID_ECDSA_SHA256 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x02"
-
-/* ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
- * ecdsa-with-SHA2(3) 3 } */
-#define MBEDTLS_OID_ECDSA_SHA384 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x03"
-
-/* ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
- * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
- * ecdsa-with-SHA2(3) 4 } */
-#define MBEDTLS_OID_ECDSA_SHA512 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
-
-/*
- * EC key algorithms from RFC 8410
- */
-
-#define MBEDTLS_OID_X25519 MBEDTLS_OID_THAWTE "\x6e" /**< id-X25519 OBJECT IDENTIFIER ::= { 1 3 101 110 } */
-#define MBEDTLS_OID_X448 MBEDTLS_OID_THAWTE "\x6f" /**< id-X448 OBJECT IDENTIFIER ::= { 1 3 101 111 } */
-#define MBEDTLS_OID_ED25519 MBEDTLS_OID_THAWTE "\x70" /**< id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } */
-#define MBEDTLS_OID_ED448 MBEDTLS_OID_THAWTE "\x71" /**< id-Ed448 OBJECT IDENTIFIER ::= { 1 3 101 113 } */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Base OID descriptor structure
- */
-typedef struct mbedtls_oid_descriptor_t {
- const char *MBEDTLS_PRIVATE(asn1); /*!< OID ASN.1 representation */
- size_t MBEDTLS_PRIVATE(asn1_len); /*!< length of asn1 */
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
- const char *MBEDTLS_PRIVATE(name); /*!< official name (e.g. from RFC) */
- const char *MBEDTLS_PRIVATE(description); /*!< human friendly description */
-#endif
-} mbedtls_oid_descriptor_t;
-
-/**
- * \brief Translate an ASN.1 OID into its numeric representation
- * (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
- *
- * \param buf buffer to put representation in
- * \param size size of the buffer
- * \param oid OID to translate
- *
- * \return Length of the string written (excluding final NULL) or
- * MBEDTLS_ERR_OID_BUF_TOO_SMALL in case of error
- */
-int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
-
-/**
- * \brief Translate a string containing a dotted-decimal
- * representation of an ASN.1 OID into its encoded form
- * (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D").
- * On success, this function allocates oid->buf from the
- * heap. It must be freed by the caller using mbedtls_free().
- *
- * \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID
- * \param oid_str string representation of the OID to parse
- * \param size length of the OID string, not including any null terminator
- *
- * \return 0 if successful
- * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not
- * represent a valid OID
- * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to
- * allocate oid->buf
- */
-int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid, const char *oid_str, size_t size);
-
-/**
- * \brief Translate an X.509 extension OID into local values
- *
- * \param oid OID to use
- * \param ext_type place to store the extension type
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_type);
-
-/**
- * \brief Translate an X.509 attribute type OID into the short name
- * (e.g. the OID for an X520 Common Name into "CN")
- *
- * \param oid OID to use
- * \param short_name place to store the string pointer
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char **short_name);
-
-/**
- * \brief Translate PublicKeyAlgorithm OID into pk_type
- *
- * \param oid OID to use
- * \param pk_alg place to store public key algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_pk_alg(const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_alg);
-
-/**
- * \brief Translate pk_type into PublicKeyAlgorithm OID
- *
- * \param pk_alg Public key type to look for
- * \param oid place to store ASN.1 OID string pointer
- * \param olen length of the OID
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_type_t pk_alg,
- const char **oid, size_t *olen);
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/**
- * \brief Translate NamedCurve OID into an EC group identifier
- *
- * \param oid OID to use
- * \param grp_id place to store group id
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_ec_grp(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id);
-
-/**
- * \brief Translate EC group identifier into NamedCurve OID
- *
- * \param grp_id EC group identifier
- * \param oid place to store ASN.1 OID string pointer
- * \param olen length of the OID
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_oid_by_ec_grp(mbedtls_ecp_group_id grp_id,
- const char **oid, size_t *olen);
-
-/**
- * \brief Translate AlgorithmIdentifier OID into an EC group identifier,
- * for curves that are directly encoded at this level
- *
- * \param oid OID to use
- * \param grp_id place to store group id
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_ec_grp_algid(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id);
-
-/**
- * \brief Translate EC group identifier into AlgorithmIdentifier OID,
- * for curves that are directly encoded at this level
- *
- * \param grp_id EC group identifier
- * \param oid place to store ASN.1 OID string pointer
- * \param olen length of the OID
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_oid_by_ec_grp_algid(mbedtls_ecp_group_id grp_id,
- const char **oid, size_t *olen);
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-/**
- * \brief Translate SignatureAlgorithm OID into md_type and pk_type
- *
- * \param oid OID to use
- * \param md_alg place to store message digest algorithm
- * \param pk_alg place to store public key algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_sig_alg(const mbedtls_asn1_buf *oid,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
-
-/**
- * \brief Translate SignatureAlgorithm OID into description
- *
- * \param oid OID to use
- * \param desc place to store string pointer
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **desc);
-
-/**
- * \brief Translate md_type and pk_type into SignatureAlgorithm OID
- *
- * \param md_alg message digest algorithm
- * \param pk_alg public key algorithm
- * \param oid place to store ASN.1 OID string pointer
- * \param olen length of the OID
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
- const char **oid, size_t *olen);
-
-/**
- * \brief Translate hmac algorithm OID into md_type
- *
- * \param oid OID to use
- * \param md_hmac place to store message hmac algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac);
-
-/**
- * \brief Translate hash algorithm OID into md_type
- *
- * \param oid OID to use
- * \param md_alg place to store message digest algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
-
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-/**
- * \brief Translate Extended Key Usage OID into description
- *
- * \param oid OID to use
- * \param desc place to store string pointer
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
-#endif
-
-/**
- * \brief Translate certificate policies OID into description
- *
- * \param oid OID to use
- * \param desc place to store string pointer
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_certificate_policies(const mbedtls_asn1_buf *oid, const char **desc);
-
-/**
- * \brief Translate md_type into hash algorithm OID
- *
- * \param md_alg message digest algorithm
- * \param oid place to store ASN.1 OID string pointer
- * \param olen length of the OID
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_oid_by_md(mbedtls_md_type_t md_alg, const char **oid, size_t *olen);
-
-#if defined(MBEDTLS_CIPHER_C)
-/**
- * \brief Translate encryption algorithm OID into cipher_type
- *
- * \param oid OID to use
- * \param cipher_alg place to store cipher algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_cipher_alg(const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg);
-#endif /* MBEDTLS_CIPHER_C */
-
-#if defined(MBEDTLS_PKCS12_C)
-/**
- * \brief Translate PKCS#12 PBE algorithm OID into md_type and
- * cipher_type
- *
- * \param oid OID to use
- * \param md_alg place to store message digest algorithm
- * \param cipher_alg place to store cipher algorithm
- *
- * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
- */
-int mbedtls_oid_get_pkcs12_pbe_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
- mbedtls_cipher_type_t *cipher_alg);
-#endif /* MBEDTLS_PKCS12_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* oid.h */
diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h
deleted file mode 100644
index a33fc65..0000000
--- a/include/mbedtls/pem.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/**
- * \file pem.h
- *
- * \brief Privacy Enhanced Mail (PEM) decoding
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PEM_H
-#define MBEDTLS_PEM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-/**
- * \name PEM Error codes
- * These error codes are returned in case of errors reading the
- * PEM data.
- * \{
- */
-/** No PEM header or footer found. */
-#define MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT -0x1080
-/** PEM string is not as expected. */
-#define MBEDTLS_ERR_PEM_INVALID_DATA -0x1100
-/** Failed to allocate memory. */
-#define MBEDTLS_ERR_PEM_ALLOC_FAILED -0x1180
-/** RSA IV is not in hex-format. */
-#define MBEDTLS_ERR_PEM_INVALID_ENC_IV -0x1200
-/** Unsupported key encryption algorithm. */
-#define MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG -0x1280
-/** Private key password can't be empty. */
-#define MBEDTLS_ERR_PEM_PASSWORD_REQUIRED -0x1300
-/** Given private key password does not allow for correct decryption. */
-#define MBEDTLS_ERR_PEM_PASSWORD_MISMATCH -0x1380
-/** Unavailable feature, e.g. hashing/encryption combination. */
-#define MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE -0x1400
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_PEM_BAD_INPUT_DATA -0x1480
-/** \} name PEM Error codes */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-/**
- * \brief PEM context structure
- */
-typedef struct mbedtls_pem_context {
- unsigned char *MBEDTLS_PRIVATE(buf); /*!< buffer for decoded data */
- size_t MBEDTLS_PRIVATE(buflen); /*!< length of the buffer */
- unsigned char *MBEDTLS_PRIVATE(info); /*!< buffer for extra header information */
-}
-mbedtls_pem_context;
-
-/**
- * \brief PEM context setup
- *
- * \param ctx context to be initialized
- */
-void mbedtls_pem_init(mbedtls_pem_context *ctx);
-
-/**
- * \brief Read a buffer for PEM information and store the resulting
- * data into the specified context buffers.
- *
- * \param ctx context to use
- * \param header header string to seek and expect
- * \param footer footer string to seek and expect
- * \param data source data to look in (must be nul-terminated)
- * \param pwd password for decryption (can be NULL)
- * \param pwdlen length of password
- * \param use_len destination for total length used (set after header is
- * correctly read, so unless you get
- * MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
- * MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
- * the length to skip)
- *
- * \note Attempts to check password correctness by verifying if
- * the decrypted text starts with an ASN.1 sequence of
- * appropriate length
- *
- * \note \c mbedtls_pem_free must be called on PEM context before
- * the PEM context can be reused in another call to
- * \c mbedtls_pem_read_buffer
- *
- * \return 0 on success, or a specific PEM error code
- */
-int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
- const unsigned char *data,
- const unsigned char *pwd,
- size_t pwdlen, size_t *use_len);
-
-/**
- * \brief Get the pointer to the decoded binary data in a PEM context.
- *
- * \param ctx PEM context to access.
- * \param buflen On success, this will contain the length of the binary data.
- * This must be a valid (non-null) pointer.
- *
- * \return A pointer to the decoded binary data.
- *
- * \note The returned pointer remains valid only until \p ctx is
- modified or freed.
- */
-static inline const unsigned char *mbedtls_pem_get_buffer(mbedtls_pem_context *ctx, size_t *buflen)
-{
- *buflen = ctx->MBEDTLS_PRIVATE(buflen);
- return ctx->MBEDTLS_PRIVATE(buf);
-}
-
-
-/**
- * \brief PEM context memory freeing
- *
- * \param ctx context to be freed
- */
-void mbedtls_pem_free(mbedtls_pem_context *ctx);
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-#if defined(MBEDTLS_PEM_WRITE_C)
-/**
- * \brief Write a buffer of PEM information from a DER encoded
- * buffer.
- *
- * \param header The header string to write.
- * \param footer The footer string to write.
- * \param der_data The DER data to encode.
- * \param der_len The length of the DER data \p der_data in Bytes.
- * \param buf The buffer to write to.
- * \param buf_len The length of the output buffer \p buf in Bytes.
- * \param olen The address at which to store the total length written
- * or required (if \p buf_len is not enough).
- *
- * \note You may pass \c NULL for \p buf and \c 0 for \p buf_len
- * to request the length of the resulting PEM buffer in
- * `*olen`.
- *
- * \note This function may be called with overlapping \p der_data
- * and \p buf buffers.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large
- * enough to hold the PEM buffer. In this case, `*olen` holds
- * the required minimum size of \p buf.
- * \return Another PEM or BASE64 error code on other kinds of failure.
- */
-int mbedtls_pem_write_buffer(const char *header, const char *footer,
- const unsigned char *der_data, size_t der_len,
- unsigned char *buf, size_t buf_len, size_t *olen);
-#endif /* MBEDTLS_PEM_WRITE_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pem.h */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
deleted file mode 100644
index aea602b..0000000
--- a/include/mbedtls/pk.h
+++ /dev/null
@@ -1,1103 +0,0 @@
-/**
- * \file pk.h
- *
- * \brief Public Key abstraction layer
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PK_H
-#define MBEDTLS_PK_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/md.h"
-
-#if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
-#endif
-
-#if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
-#endif
-
-#if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa/crypto.h"
-#endif
-
-/** Memory allocation failed. */
-#define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80
-/** Type mismatch, eg attempt to encrypt with an ECDSA key */
-#define MBEDTLS_ERR_PK_TYPE_MISMATCH -0x3F00
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_PK_BAD_INPUT_DATA -0x3E80
-/** Read/write of file failed. */
-#define MBEDTLS_ERR_PK_FILE_IO_ERROR -0x3E00
-/** Unsupported key version */
-#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80
-/** Invalid key tag or value. */
-#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -0x3D00
-/** Key algorithm is unsupported (only RSA and EC are supported). */
-#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG -0x3C80
-/** Private key password can't be empty. */
-#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED -0x3C00
-/** Given private key password does not allow for correct decryption. */
-#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH -0x3B80
-/** The pubkey tag or value is invalid (only RSA and EC are supported). */
-#define MBEDTLS_ERR_PK_INVALID_PUBKEY -0x3B00
-/** The algorithm tag or value is invalid. */
-#define MBEDTLS_ERR_PK_INVALID_ALG -0x3A80
-/** Elliptic curve is unsupported (only NIST curves are supported). */
-#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00
-/** Unavailable feature, e.g. RSA disabled for RSA key. */
-#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980
-/** The buffer contains a valid signature followed by more data. */
-#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900
-/** The output buffer is too small. */
-#define MBEDTLS_ERR_PK_BUFFER_TOO_SMALL -0x3880
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Public key types
- */
-typedef enum {
- MBEDTLS_PK_NONE=0,
- MBEDTLS_PK_RSA,
- MBEDTLS_PK_ECKEY,
- MBEDTLS_PK_ECKEY_DH,
- MBEDTLS_PK_ECDSA,
- MBEDTLS_PK_RSA_ALT,
- MBEDTLS_PK_RSASSA_PSS,
- MBEDTLS_PK_OPAQUE,
-} mbedtls_pk_type_t;
-
-/**
- * \brief Options for RSASSA-PSS signature verification.
- * See \c mbedtls_rsa_rsassa_pss_verify_ext()
- */
-typedef struct mbedtls_pk_rsassa_pss_options {
- /** The digest to use for MGF1 in PSS.
- *
- * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
- * disabled, this must be equal to the \c md_alg argument passed
- * to mbedtls_pk_verify_ext(). In a future version of the library,
- * this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
- * enabled regardless of the status of #MBEDTLS_RSA_C.
- */
- mbedtls_md_type_t mgf1_hash_id;
-
- /** The expected length of the salt, in bytes. This may be
- * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
- *
- * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
- * #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
- * ignored (allowing any salt length).
- */
- int expected_salt_len;
-
-} mbedtls_pk_rsassa_pss_options;
-
-/**
- * \brief Maximum size of a signature made by mbedtls_pk_sign().
- */
-/* We need to set MBEDTLS_PK_SIGNATURE_MAX_SIZE to the maximum signature
- * size among the supported signature types. Do it by starting at 0,
- * then incrementally increasing to be large enough for each supported
- * signature mechanism.
- *
- * The resulting value can be 0, for example if MBEDTLS_ECDH_C is enabled
- * (which allows the pk module to be included) but neither MBEDTLS_ECDSA_C
- * nor MBEDTLS_RSA_C nor any opaque signature mechanism (PSA or RSA_ALT).
- */
-#define MBEDTLS_PK_SIGNATURE_MAX_SIZE 0
-
-#if (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_RSA_ALT_SUPPORT)) && \
- MBEDTLS_MPI_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
-/* For RSA, the signature can be as large as the bignum module allows.
- * For RSA_ALT, the signature size is not necessarily tied to what the
- * bignum module can do, but in the absence of any specific setting,
- * we use that (rsa_alt_sign_wrap in library/pk_wrap.h will check). */
-#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
-#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-
-#if defined(MBEDTLS_ECDSA_C) && \
- MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE
-/* For ECDSA, the ecdsa module exports a constant for the maximum
- * signature size. */
-#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
-#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if PSA_SIGNATURE_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
-/* PSA_SIGNATURE_MAX_SIZE is the maximum size of a signature made
- * through the PSA API in the PSA representation. */
-#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
-#define MBEDTLS_PK_SIGNATURE_MAX_SIZE PSA_SIGNATURE_MAX_SIZE
-#endif
-
-#if PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE
-/* The Mbed TLS representation is different for ECDSA signatures:
- * PSA uses the raw concatenation of r and s,
- * whereas Mbed TLS uses the ASN.1 representation (SEQUENCE of two INTEGERs).
- * Add the overhead of ASN.1: up to (1+2) + 2 * (1+2+1) for the
- * types, lengths (represented by up to 2 bytes), and potential leading
- * zeros of the INTEGERs and the SEQUENCE. */
-#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
-#define MBEDTLS_PK_SIGNATURE_MAX_SIZE (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11)
-#endif
-#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
-
-/* Internal helper to define which fields in the pk_context structure below
- * should be used for EC keys: legacy ecp_keypair or the raw (PSA friendly)
- * format. It should be noted that this only affects how data is stored, not
- * which functions are used for various operations. The overall picture looks
- * like this:
- * - if USE_PSA is not defined and ECP_C is defined then use ecp_keypair data
- * structure and legacy functions
- * - if USE_PSA is defined and
- * - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
- * format and use PSA functions
- * - if !ECP_C then use new raw data and PSA functions directly.
- *
- * The main reason for the "intermediate" (USE_PSA + ECP_C) above is that as long
- * as ECP_C is defined mbedtls_pk_ec() gives the user a read/write access to the
- * ecp_keypair structure inside the pk_context so they can modify it using
- * ECP functions which are not under PK module's control.
- */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
- !defined(MBEDTLS_ECP_C)
-#define MBEDTLS_PK_USE_PSA_EC_DATA
-#endif
-
-/* Helper symbol to state that the PK module has support for EC keys. This
- * can either be provided through the legacy ECP solution or through the
- * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA. */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) || defined(MBEDTLS_ECP_C)
-#define MBEDTLS_PK_HAVE_ECC_KEYS
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
-
-/**
- * \brief Types for interfacing with the debug module
- */
-typedef enum {
- MBEDTLS_PK_DEBUG_NONE = 0,
- MBEDTLS_PK_DEBUG_MPI,
- MBEDTLS_PK_DEBUG_ECP,
- MBEDTLS_PK_DEBUG_PSA_EC,
-} mbedtls_pk_debug_type;
-
-/**
- * \brief Item to send to the debug module
- */
-typedef struct mbedtls_pk_debug_item {
- mbedtls_pk_debug_type MBEDTLS_PRIVATE(type);
- const char *MBEDTLS_PRIVATE(name);
- void *MBEDTLS_PRIVATE(value);
-} mbedtls_pk_debug_item;
-
-/** Maximum number of item send for debugging, plus 1 */
-#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
-
-/**
- * \brief Public key information and operations
- *
- * \note The library does not support custom pk info structures,
- * only built-in structures returned by
- * mbedtls_cipher_info_from_type().
- */
-typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
-
-#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-/**
- * \brief Public key container
- */
-typedef struct mbedtls_pk_context {
- const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
- void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
- /* The following field is used to store the ID of a private key in the
- * following cases:
- * - opaque key when MBEDTLS_PSA_CRYPTO_C is defined
- * - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
- * - the pk_ctx above is not not used to store the private key anymore.
- * Actually that field not populated at all in this case because also
- * the public key will be stored in raw format as explained below
- * - this ID is used for all private key operations (ex: sign, check
- * key pair, key write, etc) using PSA functions
- *
- * Note: this private key storing solution only affects EC keys, not the
- * other ones. The latters still use the pk_ctx to store their own
- * context.
- *
- * Note: this priv_id is guarded by MBEDTLS_PSA_CRYPTO_C and not by
- * MBEDTLS_PK_USE_PSA_EC_DATA (as the public counterpart below) because,
- * when working with opaque keys, it can be used also in
- * mbedtls_pk_sign_ext for RSA keys. */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
- mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
-#endif /* MBEDTLS_PSA_CRYPTO_C */
- /* The following fields are meant for storing the public key in raw format
- * which is handy for:
- * - easily importing it into the PSA context
- * - reducing the ECP module dependencies in the PK one.
- *
- * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled:
- * - the pk_ctx above is not used anymore for storing the public key
- * inside the ecp_keypair structure
- * - the following fields are used for all public key operations: signature
- * verify, key pair check and key write.
- * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
- * ecp_keypair structure is used for storing the public key and performing
- * all the operations.
- *
- * Note: This new public key storing solution only works for EC keys, not
- * other ones. The latters still use pk_ctx to store their own
- * context.
- */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- uint8_t MBEDTLS_PRIVATE(pub_raw)[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN]; /**< Raw public key */
- size_t MBEDTLS_PRIVATE(pub_raw_len); /**< Valid bytes in "pub_raw" */
- psa_ecc_family_t MBEDTLS_PRIVATE(ec_family); /**< EC family of pk */
- size_t MBEDTLS_PRIVATE(ec_bits); /**< Curve's bits of pk */
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-} mbedtls_pk_context;
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief Context for resuming operations
- */
-typedef struct {
- const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
- void *MBEDTLS_PRIVATE(rs_ctx); /**< Underlying restart context */
-} mbedtls_pk_restart_ctx;
-#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-/* Now we can declare functions that take a pointer to that */
-typedef void mbedtls_pk_restart_ctx;
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/**
- * \brief Types for RSA-alt abstraction
- */
-typedef int (*mbedtls_pk_rsa_alt_decrypt_func)(void *ctx, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len);
-typedef int (*mbedtls_pk_rsa_alt_sign_func)(void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig);
-typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)(void *ctx);
-#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
-
-/**
- * \brief Return information associated with the given PK type
- *
- * \param pk_type PK type to search for.
- *
- * \return The PK info associated with the type or NULL if not found.
- */
-const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type);
-
-/**
- * \brief Initialize a #mbedtls_pk_context (as NONE).
- *
- * \param ctx The context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_pk_init(mbedtls_pk_context *ctx);
-
-/**
- * \brief Free the components of a #mbedtls_pk_context.
- *
- * \param ctx The context to clear. It must have been initialized.
- * If this is \c NULL, this function does nothing.
- *
- * \note For contexts that have been set up with
- * mbedtls_pk_setup_opaque(), this does not free the underlying
- * PSA key and you still need to call psa_destroy_key()
- * independently if you want to destroy that key.
- */
-void mbedtls_pk_free(mbedtls_pk_context *ctx);
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-/**
- * \brief Initialize a restart context
- *
- * \param ctx The context to initialize.
- * This must not be \c NULL.
- */
-void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx);
-
-/**
- * \brief Free the components of a restart context
- *
- * \param ctx The context to clear. It must have been initialized.
- * If this is \c NULL, this function does nothing.
- */
-void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx);
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-/**
- * \brief Initialize a PK context with the information given
- * and allocates the type-specific PK subcontext.
- *
- * \param ctx Context to initialize. It must not have been set
- * up yet (type #MBEDTLS_PK_NONE).
- * \param info Information to use
- *
- * \return 0 on success,
- * MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
- * MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
- *
- * \note For contexts holding an RSA-alt key, use
- * \c mbedtls_pk_setup_rsa_alt() instead.
- */
-int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * \brief Initialize a PK context to wrap a PSA key.
- *
- * \note This function replaces mbedtls_pk_setup() for contexts
- * that wrap a (possibly opaque) PSA key instead of
- * storing and manipulating the key material directly.
- *
- * \param ctx The context to initialize. It must be empty (type NONE).
- * \param key The PSA key to wrap, which must hold an ECC or RSA key
- * pair (see notes below).
- *
- * \note The wrapped key must remain valid as long as the
- * wrapping PK context is in use, that is at least between
- * the point this function is called and the point
- * mbedtls_pk_free() is called on this context. The wrapped
- * key might then be independently used or destroyed.
- *
- * \note This function is currently only available for ECC or RSA
- * key pairs (that is, keys containing private key material).
- * Support for other key types may be added later.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
- * (context already used, invalid key identifier).
- * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
- * ECC key pair.
- * \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
- */
-int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
- const mbedtls_svc_key_id_t key);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/**
- * \brief Initialize an RSA-alt context
- *
- * \param ctx Context to initialize. It must not have been set
- * up yet (type #MBEDTLS_PK_NONE).
- * \param key RSA key pointer
- * \param decrypt_func Decryption function
- * \param sign_func Signing function
- * \param key_len_func Function returning key length in bytes
- *
- * \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
- * context wasn't already initialized as RSA_ALT.
- *
- * \note This function replaces \c mbedtls_pk_setup() for RSA-alt.
- */
-int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
- mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
- mbedtls_pk_rsa_alt_sign_func sign_func,
- mbedtls_pk_rsa_alt_key_len_func key_len_func);
-#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
-
-/**
- * \brief Get the size in bits of the underlying key
- *
- * \param ctx The context to query. It must have been initialized.
- *
- * \return Key size in bits, or 0 on error
- */
-size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx);
-
-/**
- * \brief Get the length in bytes of the underlying key
- *
- * \param ctx The context to query. It must have been initialized.
- *
- * \return Key length in bytes, or 0 on error
- */
-static inline size_t mbedtls_pk_get_len(const mbedtls_pk_context *ctx)
-{
- return (mbedtls_pk_get_bitlen(ctx) + 7) / 8;
-}
-
-/**
- * \brief Tell if a context can do the operation given by type
- *
- * \param ctx The context to query. It must have been initialized.
- * \param type The desired type.
- *
- * \return 1 if the context can do operations on the given type.
- * \return 0 if the context cannot do the operations on the given
- * type. This is always the case for a context that has
- * been initialized but not set up, or that has been
- * cleared with mbedtls_pk_free().
- */
-int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * \brief Tell if context can do the operation given by PSA algorithm
- *
- * \param ctx The context to query. It must have been initialized.
- * \param alg PSA algorithm to check against, the following are allowed:
- * PSA_ALG_RSA_PKCS1V15_SIGN(hash),
- * PSA_ALG_RSA_PSS(hash),
- * PSA_ALG_RSA_PKCS1V15_CRYPT,
- * PSA_ALG_ECDSA(hash),
- * PSA_ALG_ECDH, where hash is a specific hash.
- * \param usage PSA usage flag to check against, must be composed of:
- * PSA_KEY_USAGE_SIGN_HASH
- * PSA_KEY_USAGE_DECRYPT
- * PSA_KEY_USAGE_DERIVE.
- * Context key must match all passed usage flags.
- *
- * \warning Since the set of allowed algorithms and usage flags may be
- * expanded in the future, the return value \c 0 should not
- * be taken in account for non-allowed algorithms and usage
- * flags.
- *
- * \return 1 if the context can do operations on the given type.
- * \return 0 if the context cannot do the operations on the given
- * type, for non-allowed algorithms and usage flags, or
- * for a context that has been initialized but not set up
- * or that has been cleared with mbedtls_pk_free().
- */
-int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
- psa_key_usage_t usage);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/**
- * \brief Verify signature (including padding if relevant).
- *
- * \param ctx The PK context to use. It must have been set up.
- * \param md_alg Hash algorithm used.
- * This can be #MBEDTLS_MD_NONE if the signature algorithm
- * does not rely on a hash algorithm (non-deterministic
- * ECDSA, RSA PKCS#1 v1.5).
- * For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
- * \p hash is the DigestInfo structure used by RFC 8017
- * &sect;9.2 steps 3&ndash;6. If \p md_alg is a valid hash
- * algorithm then \p hash is the digest itself, and this
- * function calculates the DigestInfo encoding internally.
- * \param hash Hash of the message to sign
- * \param hash_len Hash length
- * \param sig Signature to verify
- * \param sig_len Signature length
- *
- * \return 0 on success (signature is valid),
- * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
- * signature in \p sig but its length is less than \p sig_len,
- * or a specific error code.
- *
- * \note For RSA keys, the default padding type is PKCS#1 v1.5.
- * Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
- * to verify RSASSA_PSS signatures.
- */
-int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len);
-
-/**
- * \brief Restartable version of \c mbedtls_pk_verify()
- *
- * \note Performs the same job as \c mbedtls_pk_verify(), but can
- * return early and restart according to the limit set with
- * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
- * operations. For RSA, same as \c mbedtls_pk_verify().
- *
- * \param ctx The PK context to use. It must have been set up.
- * \param md_alg Hash algorithm used (see notes)
- * \param hash Hash of the message to sign
- * \param hash_len Hash length or 0 (see notes)
- * \param sig Signature to verify
- * \param sig_len Signature length
- * \param rs_ctx Restart context (NULL to disable restart)
- *
- * \return See \c mbedtls_pk_verify(), or
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- */
-int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- mbedtls_pk_restart_ctx *rs_ctx);
-
-/**
- * \brief Verify signature, with options.
- * (Includes verification of the padding depending on type.)
- *
- * \param type Signature type (inc. possible padding type) to verify
- * \param options Pointer to type-specific options, or NULL
- * \param ctx The PK context to use. It must have been set up.
- * \param md_alg Hash algorithm used (see notes)
- * \param hash Hash of the message to sign
- * \param hash_len Hash length or 0 (see notes)
- * \param sig Signature to verify
- * \param sig_len Signature length
- *
- * \return 0 on success (signature is valid),
- * #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
- * used for this type of signatures,
- * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
- * signature in \p sig but its length is less than \p sig_len,
- * or a specific error code.
- *
- * \note If hash_len is 0, then the length associated with md_alg
- * is used instead, or an error returned if it is invalid.
- *
- * \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
- *
- * \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point
- * to a mbedtls_pk_rsassa_pss_options structure,
- * otherwise it must be NULL. Note that if
- * #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
- * verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
- */
-int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
- mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len);
-
-/**
- * \brief Make signature, including padding if relevant.
- *
- * \param ctx The PK context to use. It must have been set up
- * with a private key.
- * \param md_alg Hash algorithm used (see notes)
- * \param hash Hash of the message to sign
- * \param hash_len Hash length
- * \param sig Place to write the signature.
- * It must have enough room for the signature.
- * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
- * You may use a smaller buffer if it is large enough
- * given the key type.
- * \param sig_size The size of the \p sig buffer in bytes.
- * \param sig_len On successful return,
- * the number of bytes written to \p sig.
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- *
- * \return 0 on success, or a specific error code.
- *
- * \note For RSA keys, the default padding type is PKCS#1 v1.5.
- * There is no interface in the PK module to make RSASSA-PSS
- * signatures yet.
- *
- * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
- * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
- */
-int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-/**
- * \brief Make signature given a signature type.
- *
- * \param pk_type Signature type.
- * \param ctx The PK context to use. It must have been set up
- * with a private key.
- * \param md_alg Hash algorithm used (see notes)
- * \param hash Hash of the message to sign
- * \param hash_len Hash length
- * \param sig Place to write the signature.
- * It must have enough room for the signature.
- * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
- * You may use a smaller buffer if it is large enough
- * given the key type.
- * \param sig_size The size of the \p sig buffer in bytes.
- * \param sig_len On successful return,
- * the number of bytes written to \p sig.
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- *
- * \return 0 on success, or a specific error code.
- *
- * \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS,
- * see #PSA_ALG_RSA_PSS for a description of PSS options used.
- *
- * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
- * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
- *
- */
-int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
- mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-/**
- * \brief Restartable version of \c mbedtls_pk_sign()
- *
- * \note Performs the same job as \c mbedtls_pk_sign(), but can
- * return early and restart according to the limit set with
- * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
- * operations. For RSA, same as \c mbedtls_pk_sign().
- *
- * \param ctx The PK context to use. It must have been set up
- * with a private key.
- * \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign())
- * \param hash Hash of the message to sign
- * \param hash_len Hash length
- * \param sig Place to write the signature.
- * It must have enough room for the signature.
- * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
- * You may use a smaller buffer if it is large enough
- * given the key type.
- * \param sig_size The size of the \p sig buffer in bytes.
- * \param sig_len On successful return,
- * the number of bytes written to \p sig.
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- * \param rs_ctx Restart context (NULL to disable restart)
- *
- * \return See \c mbedtls_pk_sign().
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
- * operations was reached: see \c mbedtls_ecp_set_max_ops().
- */
-int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_pk_restart_ctx *rs_ctx);
-
-/**
- * \brief Decrypt message (including padding if relevant).
- *
- * \param ctx The PK context to use. It must have been set up
- * with a private key.
- * \param input Input to decrypt
- * \param ilen Input size
- * \param output Decrypted output
- * \param olen Decrypted message length
- * \param osize Size of the output buffer
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- *
- * \note For RSA keys, the default padding type is PKCS#1 v1.5.
- *
- * \return 0 on success, or a specific error code.
- */
-int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/**
- * \brief Encrypt message (including padding if relevant).
- *
- * \param ctx The PK context to use. It must have been set up.
- * \param input Message to encrypt
- * \param ilen Message size
- * \param output Encrypted output
- * \param olen Encrypted output length
- * \param osize Size of the output buffer
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- *
- * \note \p f_rng is used for padding generation.
- *
- * \note For RSA keys, the default padding type is PKCS#1 v1.5.
- *
- * \return 0 on success, or a specific error code.
- */
-int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/**
- * \brief Check if a public-private pair of keys matches.
- *
- * \param pub Context holding a public key.
- * \param prv Context holding a private (and public) key.
- * \param f_rng RNG function, must not be \c NULL.
- * \param p_rng RNG parameter
- *
- * \return \c 0 on success (keys were checked and match each other).
- * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
- * be checked - in that case they may or may not match.
- * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
- * \return Another non-zero value if the keys do not match.
- */
-int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
- const mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Export debug information
- *
- * \param ctx The PK context to use. It must have been initialized.
- * \param items Place to write debug items
- *
- * \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
- */
-int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items);
-
-/**
- * \brief Access the type name
- *
- * \param ctx The PK context to use. It must have been initialized.
- *
- * \return Type name on success, or "invalid PK"
- */
-const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx);
-
-/**
- * \brief Get the key type
- *
- * \param ctx The PK context to use. It must have been initialized.
- *
- * \return Type on success.
- * \return #MBEDTLS_PK_NONE for a context that has not been set up.
- */
-mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx);
-
-#if defined(MBEDTLS_RSA_C)
-/**
- * Quick access to an RSA context inside a PK context.
- *
- * \warning This function can only be used when the type of the context, as
- * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA.
- * Ensuring that is the caller's responsibility.
- * Alternatively, you can check whether this function returns NULL.
- *
- * \return The internal RSA context held by the PK context, or NULL.
- */
-static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk)
-{
- switch (mbedtls_pk_get_type(&pk)) {
- case MBEDTLS_PK_RSA:
- return (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx);
- default:
- return NULL;
- }
-}
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_ECP_C)
-/**
- * Quick access to an EC context inside a PK context.
- *
- * \warning This function can only be used when the type of the context, as
- * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY,
- * #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA.
- * Ensuring that is the caller's responsibility.
- * Alternatively, you can check whether this function returns NULL.
- *
- * \return The internal EC context held by the PK context, or NULL.
- */
-static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
-{
- switch (mbedtls_pk_get_type(&pk)) {
- case MBEDTLS_PK_ECKEY:
- case MBEDTLS_PK_ECKEY_DH:
- case MBEDTLS_PK_ECDSA:
- return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
- default:
- return NULL;
- }
-}
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_PK_PARSE_C)
-/** \ingroup pk_module */
-/**
- * \brief Parse a private key in PEM or DER format
- *
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
- *
- * \param ctx The PK context to fill. It must have been initialized
- * but not set up.
- * \param key Input buffer to parse.
- * The buffer must contain the input exactly, with no
- * extra trailing material. For PEM, the buffer must
- * contain a null-terminated string.
- * \param keylen Size of \b key in bytes.
- * For PEM data, this includes the terminating null byte,
- * so \p keylen must be equal to `strlen(key) + 1`.
- * \param pwd Optional password for decryption.
- * Pass \c NULL if expecting a non-encrypted key.
- * Pass a string of \p pwdlen bytes if expecting an encrypted
- * key; a non-encrypted key will also be accepted.
- * The empty password is not supported.
- * \param pwdlen Size of the password in bytes.
- * Ignored if \p pwd is \c NULL.
- * \param f_rng RNG function, must not be \c NULL. Used for blinding.
- * \param p_rng RNG parameter
- *
- * \note On entry, ctx must be empty, either freshly initialised
- * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
- * specific key type, check the result with mbedtls_pk_can_do().
- *
- * \note The key is also checked for correctness.
- *
- * \return 0 if successful, or a specific PK or PEM error code
- */
-int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/** \ingroup pk_module */
-/**
- * \brief Parse a public key in PEM or DER format
- *
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
- *
- * \param ctx The PK context to fill. It must have been initialized
- * but not set up.
- * \param key Input buffer to parse.
- * The buffer must contain the input exactly, with no
- * extra trailing material. For PEM, the buffer must
- * contain a null-terminated string.
- * \param keylen Size of \b key in bytes.
- * For PEM data, this includes the terminating null byte,
- * so \p keylen must be equal to `strlen(key) + 1`.
- *
- * \note On entry, ctx must be empty, either freshly initialised
- * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
- * specific key type, check the result with mbedtls_pk_can_do().
- *
- * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
- * limitations.
- *
- * \note The key is also checked for correctness.
- *
- * \return 0 if successful, or a specific PK or PEM error code
- */
-int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen);
-
-#if defined(MBEDTLS_FS_IO)
-/** \ingroup pk_module */
-/**
- * \brief Load and parse a private key
- *
- * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- * subsystem must have been initialized by calling
- * psa_crypto_init() before calling this function.
- *
- * \param ctx The PK context to fill. It must have been initialized
- * but not set up.
- * \param path filename to read the private key from
- * \param password Optional password to decrypt the file.
- * Pass \c NULL if expecting a non-encrypted key.
- * Pass a null-terminated string if expecting an encrypted
- * key; a non-encrypted key will also be accepted.
- * The empty password is not supported.
- * \param f_rng RNG function, must not be \c NULL. Used for blinding.
- * \param p_rng RNG parameter
- *
- * \note On entry, ctx must be empty, either freshly initialised
- * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
- * specific key type, check the result with mbedtls_pk_can_do().
- *
- * \note The key is also checked for correctness.
- *
- * \return 0 if successful, or a specific PK or PEM error code
- */
-int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
- const char *path, const char *password,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-/** \ingroup pk_module */
-/**
- * \brief Load and parse a public key
- *
- * \param ctx The PK context to fill. It must have been initialized
- * but not set up.
- * \param path filename to read the public key from
- *
- * \note On entry, ctx must be empty, either freshly initialised
- * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
- * you need a specific key type, check the result with
- * mbedtls_pk_can_do().
- *
- * \note The key is also checked for correctness.
- *
- * \return 0 if successful, or a specific PK or PEM error code
- */
-int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path);
-#endif /* MBEDTLS_FS_IO */
-#endif /* MBEDTLS_PK_PARSE_C */
-
-#if defined(MBEDTLS_PK_WRITE_C)
-/**
- * \brief Write a private key to a PKCS#1 or SEC1 DER structure
- * Note: data is written at the end of the buffer! Use the
- * return value to determine where you should start
- * using the buffer
- *
- * \param ctx PK context which must contain a valid private key.
- * \param buf buffer to write to
- * \param size size of the buffer
- *
- * \return length of data written if successful, or a specific
- * error code
- */
-int mbedtls_pk_write_key_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
-
-/**
- * \brief Write a public key to a SubjectPublicKeyInfo DER structure
- * Note: data is written at the end of the buffer! Use the
- * return value to determine where you should start
- * using the buffer
- *
- * \param ctx PK context which must contain a valid public or private key.
- * \param buf buffer to write to
- * \param size size of the buffer
- *
- * \return length of data written if successful, or a specific
- * error code
- */
-int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
-
-#if defined(MBEDTLS_PEM_WRITE_C)
-/**
- * \brief Write a public key to a PEM string
- *
- * \param ctx PK context which must contain a valid public or private key.
- * \param buf Buffer to write to. The output includes a
- * terminating null byte.
- * \param size Size of the buffer in bytes.
- *
- * \return 0 if successful, or a specific error code
- */
-int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
-
-/**
- * \brief Write a private key to a PKCS#1 or SEC1 PEM string
- *
- * \param ctx PK context which must contain a valid private key.
- * \param buf Buffer to write to. The output includes a
- * terminating null byte.
- * \param size Size of the buffer in bytes.
- *
- * \return 0 if successful, or a specific error code
- */
-int mbedtls_pk_write_key_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
-#endif /* MBEDTLS_PEM_WRITE_C */
-#endif /* MBEDTLS_PK_WRITE_C */
-
-/*
- * WARNING: Low-level functions. You probably do not want to use these unless
- * you are certain you do ;)
- */
-
-#if defined(MBEDTLS_PK_PARSE_C)
-/**
- * \brief Parse a SubjectPublicKeyInfo DER structure
- *
- * \param p the position in the ASN.1 data
- * \param end end of the buffer
- * \param pk The PK context to fill. It must have been initialized
- * but not set up.
- *
- * \return 0 if successful, or a specific PK error code
- */
-int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
- mbedtls_pk_context *pk);
-#endif /* MBEDTLS_PK_PARSE_C */
-
-#if defined(MBEDTLS_PK_WRITE_C)
-/**
- * \brief Write a subjectPublicKey to ASN.1 data
- * Note: function works backwards in data buffer
- *
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param key PK context which must contain a valid public or private key.
- *
- * \return the length written or a negative error code
- */
-int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *key);
-#endif /* MBEDTLS_PK_WRITE_C */
-
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
- */
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * \brief Turn an EC or RSA key into an opaque one.
- *
- * \warning This is a temporary utility function for tests. It might
- * change or be removed at any time without notice.
- *
- * \param pk Input: the EC or RSA key to import to a PSA key.
- * Output: a PK context wrapping that PSA key.
- * \param key Output: a PSA key identifier.
- * It's the caller's responsibility to call
- * psa_destroy_key() on that key identifier after calling
- * mbedtls_pk_free() on the PK context.
- * \param alg The algorithm to allow for use with that key.
- * \param usage The usage to allow for use with that key.
- * \param alg2 The secondary algorithm to allow for use with that key.
- *
- * \return \c 0 if successful.
- * \return An Mbed TLS error code otherwise.
- */
-int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
- mbedtls_svc_key_id_t *key,
- psa_algorithm_t alg,
- psa_key_usage_t usage,
- psa_algorithm_t alg2);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_PK_H */
diff --git a/include/mbedtls/pkcs12.h b/include/mbedtls/pkcs12.h
deleted file mode 100644
index ba1a2ed..0000000
--- a/include/mbedtls/pkcs12.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/**
- * \file pkcs12.h
- *
- * \brief PKCS#12 Personal Information Exchange Syntax
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PKCS12_H
-#define MBEDTLS_PKCS12_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/md.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/asn1.h"
-
-#include <stddef.h>
-
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA -0x1F80
-/** Feature not available, e.g. unsupported encryption scheme. */
-#define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE -0x1F00
-/** PBE ASN.1 data not as expected. */
-#define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT -0x1E80
-/** Given private key password does not allow for correct decryption. */
-#define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH -0x1E00
-
-#define MBEDTLS_PKCS12_DERIVE_KEY 1 /**< encryption/decryption key */
-#define MBEDTLS_PKCS12_DERIVE_IV 2 /**< initialization vector */
-#define MBEDTLS_PKCS12_DERIVE_MAC_KEY 3 /**< integrity / MAC key */
-
-#define MBEDTLS_PKCS12_PBE_DECRYPT 0
-#define MBEDTLS_PKCS12_PBE_ENCRYPT 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief PKCS12 Password Based function (encryption / decryption)
- * for cipher-based and mbedtls_md-based PBE's
- *
- * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
- * be enabled at compile time.
- *
- * \deprecated This function is deprecated and will be removed in a
- * future version of the library.
- * Please use mbedtls_pkcs12_pbe_ext() instead.
- *
- * \warning When decrypting:
- * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
- * time, this function validates the CBC padding and returns
- * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
- * invalid. Note that this can help active adversaries
- * attempting to brute-forcing the password. Note also that
- * there is no guarantee that an invalid password will be
- * detected (the chances of a valid padding with a random
- * password are about 1/255).
- * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
- * time, this function does not validate the CBC padding.
- *
- * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
- * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
- * #MBEDTLS_PKCS12_PBE_DECRYPT
- * \param cipher_type the cipher used
- * \param md_type the mbedtls_md used
- * \param pwd Latin1-encoded password used. This may only be \c NULL when
- * \p pwdlen is 0. No null terminator should be used.
- * \param pwdlen length of the password (may be 0)
- * \param data the input data
- * \param len data length
- * \param output Output buffer.
- * On success, it contains the encrypted or decrypted data,
- * possibly followed by the CBC padding.
- * On failure, the content is indeterminate.
- * For decryption, there must be enough room for \p len
- * bytes.
- * For encryption, there must be enough room for
- * \p len + 1 bytes, rounded up to the block size of
- * the block cipher identified by \p pbe_params.
- *
- * \return 0 if successful, or a MBEDTLS_ERR_XXX code
- */
-int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
- mbedtls_cipher_type_t cipher_type,
- mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t len,
- unsigned char *output);
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
-
-/**
- * \brief PKCS12 Password Based function (encryption / decryption)
- * for cipher-based and mbedtls_md-based PBE's
- *
- *
- * \warning When decrypting:
- * - This function validates the CBC padding and returns
- * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
- * invalid. Note that this can help active adversaries
- * attempting to brute-forcing the password. Note also that
- * there is no guarantee that an invalid password will be
- * detected (the chances of a valid padding with a random
- * password are about 1/255).
- *
- * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
- * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
- * #MBEDTLS_PKCS12_PBE_DECRYPT
- * \param cipher_type the cipher used
- * \param md_type the mbedtls_md used
- * \param pwd Latin1-encoded password used. This may only be \c NULL when
- * \p pwdlen is 0. No null terminator should be used.
- * \param pwdlen length of the password (may be 0)
- * \param data the input data
- * \param len data length
- * \param output Output buffer.
- * On success, it contains the encrypted or decrypted data,
- * possibly followed by the CBC padding.
- * On failure, the content is indeterminate.
- * For decryption, there must be enough room for \p len
- * bytes.
- * For encryption, there must be enough room for
- * \p len + 1 bytes, rounded up to the block size of
- * the block cipher identified by \p pbe_params.
- * \param output_size size of output buffer.
- * This must be big enough to accommodate for output plus
- * padding data.
- * \param output_len On success, length of actual data written to the output buffer.
- *
- * \return 0 if successful, or a MBEDTLS_ERR_XXX code
- */
-int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
- mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t len,
- unsigned char *output, size_t output_size,
- size_t *output_len);
-
-#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
-
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-/**
- * \brief The PKCS#12 derivation function uses a password and a salt
- * to produce pseudo-random bits for a particular "purpose".
- *
- * Depending on the given id, this function can produce an
- * encryption/decryption key, an initialization vector or an
- * integrity key.
- *
- * \param data buffer to store the derived data in
- * \param datalen length of buffer to fill
- * \param pwd The password to use. For compliance with PKCS#12 §B.1, this
- * should be a BMPString, i.e. a Unicode string where each
- * character is encoded as 2 bytes in big-endian order, with
- * no byte order mark and with a null terminator (i.e. the
- * last two bytes should be 0x00 0x00).
- * \param pwdlen length of the password (may be 0).
- * \param salt Salt buffer to use. This may only be \c NULL when
- * \p saltlen is 0.
- * \param saltlen length of the salt (may be zero)
- * \param mbedtls_md mbedtls_md type to use during the derivation
- * \param id id that describes the purpose (can be
- * #MBEDTLS_PKCS12_DERIVE_KEY, #MBEDTLS_PKCS12_DERIVE_IV or
- * #MBEDTLS_PKCS12_DERIVE_MAC_KEY)
- * \param iterations number of iterations
- *
- * \return 0 if successful, or a MD, BIGNUM type error.
- */
-int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *salt, size_t saltlen,
- mbedtls_md_type_t mbedtls_md, int id, int iterations);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pkcs12.h */
diff --git a/include/mbedtls/pkcs5.h b/include/mbedtls/pkcs5.h
deleted file mode 100644
index 8b086aa..0000000
--- a/include/mbedtls/pkcs5.h
+++ /dev/null
@@ -1,209 +0,0 @@
-/**
- * \file pkcs5.h
- *
- * \brief PKCS#5 functions
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PKCS5_H
-#define MBEDTLS_PKCS5_H
-
-#include "mbedtls/build_info.h"
-#include "mbedtls/platform_util.h"
-
-#include "mbedtls/asn1.h"
-#include "mbedtls/md.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA -0x2f80
-/** Unexpected ASN.1 data. */
-#define MBEDTLS_ERR_PKCS5_INVALID_FORMAT -0x2f00
-/** Requested encryption or digest alg not available. */
-#define MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE -0x2e80
-/** Given private key password does not allow for correct decryption. */
-#define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH -0x2e00
-
-#define MBEDTLS_PKCS5_DECRYPT 0
-#define MBEDTLS_PKCS5_ENCRYPT 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief PKCS#5 PBES2 function
- *
- * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
- * be enabled at compile time.
- *
- * \deprecated This function is deprecated and will be removed in a
- * future version of the library.
- * Please use mbedtls_pkcs5_pbes2_ext() instead.
- *
- * \warning When decrypting:
- * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
- * time, this function validates the CBC padding and returns
- * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
- * invalid. Note that this can help active adversaries
- * attempting to brute-forcing the password. Note also that
- * there is no guarantee that an invalid password will be
- * detected (the chances of a valid padding with a random
- * password are about 1/255).
- * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
- * time, this function does not validate the CBC padding.
- *
- * \param pbe_params the ASN.1 algorithm parameters
- * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
- * \param pwd password to use when generating key
- * \param pwdlen length of password
- * \param data data to process
- * \param datalen length of data
- * \param output Output buffer.
- * On success, it contains the encrypted or decrypted data,
- * possibly followed by the CBC padding.
- * On failure, the content is indeterminate.
- * For decryption, there must be enough room for \p datalen
- * bytes.
- * For encryption, there must be enough room for
- * \p datalen + 1 bytes, rounded up to the block size of
- * the block cipher identified by \p pbe_params.
- *
- * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
- */
-int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t datalen,
- unsigned char *output);
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
-
-/**
- * \brief PKCS#5 PBES2 function
- *
- * \warning When decrypting:
- * - This function validates the CBC padding and returns
- * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
- * invalid. Note that this can help active adversaries
- * attempting to brute-forcing the password. Note also that
- * there is no guarantee that an invalid password will be
- * detected (the chances of a valid padding with a random
- * password are about 1/255).
- *
- * \param pbe_params the ASN.1 algorithm parameters
- * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
- * \param pwd password to use when generating key
- * \param pwdlen length of password
- * \param data data to process
- * \param datalen length of data
- * \param output Output buffer.
- * On success, it contains the decrypted data.
- * On failure, the content is indetermidate.
- * For decryption, there must be enough room for \p datalen
- * bytes.
- * For encryption, there must be enough room for
- * \p datalen + 1 bytes, rounded up to the block size of
- * the block cipher identified by \p pbe_params.
- * \param output_size size of output buffer.
- * This must be big enough to accommodate for output plus
- * padding data.
- * \param output_len On success, length of actual data written to the output buffer.
- *
- * \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
- */
-int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t datalen,
- unsigned char *output, size_t output_size,
- size_t *output_len);
-
-#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
-
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-/**
- * \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context
- *
- * \param md_type Hash algorithm used
- * \param password Password to use when generating key
- * \param plen Length of password
- * \param salt Salt to use when generating key
- * \param slen Length of salt
- * \param iteration_count Iteration count
- * \param key_length Length of generated key in bytes
- * \param output Generated key. Must be at least as big as key_length
- *
- * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
- */
-int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_type,
- const unsigned char *password,
- size_t plen, const unsigned char *salt, size_t slen,
- unsigned int iteration_count,
- uint32_t key_length, unsigned char *output);
-
-#if defined(MBEDTLS_MD_C)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief PKCS#5 PBKDF2 using HMAC
- *
- * \deprecated Superseded by mbedtls_pkcs5_pbkdf2_hmac_ext().
- *
- * \param ctx Generic HMAC context
- * \param password Password to use when generating key
- * \param plen Length of password
- * \param salt Salt to use when generating key
- * \param slen Length of salt
- * \param iteration_count Iteration count
- * \param key_length Length of generated key in bytes
- * \param output Generated key. Must be at least as big as key_length
- *
- * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
- */
-int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
- const unsigned char *password,
- size_t plen,
- const unsigned char *salt,
- size_t slen,
- unsigned int iteration_count,
- uint32_t key_length,
- unsigned char *output);
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_MD_C */
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-int mbedtls_pkcs5_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pkcs5.h */
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 1231e34..e9b4822 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -6,19 +6,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
@@ -53,7 +41,6 @@
#include "mbedtls/build_info.h"
#include "mbedtls/asn1.h"
-#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
/**
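Review bot: With `#include "mbedtls/x509.h"` dropped, this header gets any x509.h declarations it still uses only through `mbedtls/x509_crt.h`, and nothing in the hunk records that dependency. The rest of pkcs7.h is outside the hunk, so whether it names x509.h types directly cannot be confirmed here. If it does, a later cleanup of the includes in x509_crt.h would break this header without touching it. A one-line comment above the remaining include would make the reliance explicit, for example `/* x509_crt.h is relied on to pull in x509.h as well */`.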
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
deleted file mode 100644
index 3fc1fd0..0000000
--- a/include/mbedtls/platform.h
+++ /dev/null
@@ -1,497 +0,0 @@
-/**
- * \file platform.h
- *
- * \brief This file contains the definitions and functions of the
- * Mbed TLS platform abstraction layer.
- *
- * The platform abstraction layer removes the need for the library
- * to directly link to standard C library functions or operating
- * system services, making the library easier to port and embed.
- * Application developers and users of the library can provide their own
- * implementations of these functions, or implementations specific to
- * their platform, which can be statically linked to the library or
- * dynamically configured at runtime.
- *
- * When all compilation options related to platform abstraction are
- * disabled, this header just defines `mbedtls_xxx` function names
- * as aliases to the standard `xxx` function.
- *
- * Most modules in the library and example programs are expected to
- * include this header.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PLATFORM_H
-#define MBEDTLS_PLATFORM_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in mbedtls_config.h or define them on the compiler command line.
- * \{
- */
-
-/* The older Microsoft Windows common runtime provides non-conforming
- * implementations of some standard library functions, including snprintf
- * and vsnprintf. This affects MSVC and MinGW builds.
- */
-#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
-#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF
-#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF
-#endif
-
-#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
-#include <stdio.h>
-#include <stdlib.h>
-#if defined(MBEDTLS_HAVE_TIME)
-#include <time.h>
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
-#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use. */
-#else
-#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< The default \c snprintf function to use. */
-#endif
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
-#define MBEDTLS_PLATFORM_STD_VSNPRINTF mbedtls_platform_win32_vsnprintf /**< The default \c vsnprintf function to use. */
-#else
-#define MBEDTLS_PLATFORM_STD_VSNPRINTF vsnprintf /**< The default \c vsnprintf function to use. */
-#endif
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
-#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< The default \c printf function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
-#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
-#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< The default \c calloc function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_FREE)
-#define MBEDTLS_PLATFORM_STD_FREE free /**< The default \c free function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
-#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< The default \c setbuf function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
-#define MBEDTLS_PLATFORM_STD_EXIT exit /**< The default \c exit function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_TIME)
-#define MBEDTLS_PLATFORM_STD_TIME time /**< The default \c time function to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
-#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS /**< The default exit value to use. */
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
-#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /**< The default exit value to use. */
-#endif
-#if defined(MBEDTLS_FS_IO)
-#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
-#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
-#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write
-#endif
-#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
-#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile"
-#endif
-#endif /* MBEDTLS_FS_IO */
-#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
-#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
-#include MBEDTLS_PLATFORM_STD_MEM_HDR
-#endif
-#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
-
-/* Enable certain documented defines only when generating doxygen to avoid
- * an "unrecognized define" error. */
-#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_CALLOC)
-#define MBEDTLS_PLATFORM_STD_CALLOC
-#endif
-
-#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_FREE)
-#define MBEDTLS_PLATFORM_STD_FREE
-#endif
-
-/** \} name SECTION: Module settings */
-
-/*
- * The function pointers for calloc and free.
- * Please see MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE
- * in mbedtls_config.h for more information about behaviour and requirements.
- */
-#if defined(MBEDTLS_PLATFORM_MEMORY)
-#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
- defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
-#undef mbedtls_free
-#undef mbedtls_calloc
-#define mbedtls_free MBEDTLS_PLATFORM_FREE_MACRO
-#define mbedtls_calloc MBEDTLS_PLATFORM_CALLOC_MACRO
-#else
-/* For size_t */
-#include <stddef.h>
-extern void *mbedtls_calloc(size_t n, size_t size);
-extern void mbedtls_free(void *ptr);
-
-/**
- * \brief This function dynamically sets the memory-management
- * functions used by the library, during runtime.
- *
- * \param calloc_func The \c calloc function implementation.
- * \param free_func The \c free function implementation.
- *
- * \return \c 0.
- */
-int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
- void (*free_func)(void *));
-#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
-#else /* !MBEDTLS_PLATFORM_MEMORY */
-#undef mbedtls_free
-#undef mbedtls_calloc
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
-
-/*
- * The function pointers for fprintf
- */
-#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
-/* We need FILE * */
-#include <stdio.h>
-extern int (*mbedtls_fprintf)(FILE *stream, const char *format, ...);
-
-/**
- * \brief This function dynamically configures the fprintf
- * function that is called when the
- * mbedtls_fprintf() function is invoked by the library.
- *
- * \param fprintf_func The \c fprintf function implementation.
- *
- * \return \c 0.
- */
-int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *stream, const char *,
- ...));
-#else
-#undef mbedtls_fprintf
-#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
-#define mbedtls_fprintf MBEDTLS_PLATFORM_FPRINTF_MACRO
-#else
-#define mbedtls_fprintf fprintf
-#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
-#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
-
-/*
- * The function pointers for printf
- */
-#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
-extern int (*mbedtls_printf)(const char *format, ...);
-
-/**
- * \brief This function dynamically configures the snprintf
- * function that is called when the mbedtls_snprintf()
- * function is invoked by the library.
- *
- * \param printf_func The \c printf function implementation.
- *
- * \return \c 0 on success.
- */
-int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...));
-#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
-#undef mbedtls_printf
-#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
-#define mbedtls_printf MBEDTLS_PLATFORM_PRINTF_MACRO
-#else
-#define mbedtls_printf printf
-#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
-#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
-
-/*
- * The function pointers for snprintf
- *
- * The snprintf implementation should conform to C99:
- * - it *must* always correctly zero-terminate the buffer
- * (except when n == 0, then it must leave the buffer untouched)
- * - however it is acceptable to return -1 instead of the required length when
- * the destination buffer is too short.
- */
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
-/* For Windows (inc. MSYS2), we provide our own fixed implementation */
-int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...);
-#endif
-
-#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
-extern int (*mbedtls_snprintf)(char *s, size_t n, const char *format, ...);
-
-/**
- * \brief This function allows configuring a custom
- * \c snprintf function pointer.
- *
- * \param snprintf_func The \c snprintf function implementation.
- *
- * \return \c 0 on success.
- */
-int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
- const char *format, ...));
-#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
-#undef mbedtls_snprintf
-#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
-#define mbedtls_snprintf MBEDTLS_PLATFORM_SNPRINTF_MACRO
-#else
-#define mbedtls_snprintf MBEDTLS_PLATFORM_STD_SNPRINTF
-#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
-#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
-
-/*
- * The function pointers for vsnprintf
- *
- * The vsnprintf implementation should conform to C99:
- * - it *must* always correctly zero-terminate the buffer
- * (except when n == 0, then it must leave the buffer untouched)
- * - however it is acceptable to return -1 instead of the required length when
- * the destination buffer is too short.
- */
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
-#include <stdarg.h>
-/* For Older Windows (inc. MSYS2), we provide our own fixed implementation */
-int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg);
-#endif
-
-#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
-#include <stdarg.h>
-extern int (*mbedtls_vsnprintf)(char *s, size_t n, const char *format, va_list arg);
-
-/**
- * \brief Set your own snprintf function pointer
- *
- * \param vsnprintf_func The \c vsnprintf function implementation
- *
- * \return \c 0
- */
-int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
- const char *format, va_list arg));
-#else /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
-#undef mbedtls_vsnprintf
-#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
-#define mbedtls_vsnprintf MBEDTLS_PLATFORM_VSNPRINTF_MACRO
-#else
-#define mbedtls_vsnprintf vsnprintf
-#endif /* MBEDTLS_PLATFORM_VSNPRINTF_MACRO */
-#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
-
-/*
- * The function pointers for setbuf
- */
-#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
-#include <stdio.h>
-/**
- * \brief Function pointer to call for `setbuf()` functionality
- * (changing the internal buffering on stdio calls).
- *
- * \note The library calls this function to disable
- * buffering when reading or writing sensitive data,
- * to avoid having extra copies of sensitive data
- * remaining in stdio buffers after the file is
- * closed. If this is not a concern, for example if
- * your platform's stdio doesn't have any buffering,
- * you can set mbedtls_setbuf to a function that
- * does nothing.
- *
- * The library always calls this function with
- * `buf` equal to `NULL`.
- */
-extern void (*mbedtls_setbuf)(FILE *stream, char *buf);
-
-/**
- * \brief Dynamically configure the function that is called
- * when the mbedtls_setbuf() function is called by the
- * library.
- *
- * \param setbuf_func The \c setbuf function implementation
- *
- * \return \c 0
- */
-int mbedtls_platform_set_setbuf(void (*setbuf_func)(
- FILE *stream, char *buf));
-#else
-#undef mbedtls_setbuf
-#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
-/**
- * \brief Macro defining the function for the library to
- * call for `setbuf` functionality (changing the
- * internal buffering on stdio calls).
- *
- * \note See extra comments on the mbedtls_setbuf() function
- * pointer above.
- *
- * \return \c 0 on success, negative on error.
- */
-#define mbedtls_setbuf MBEDTLS_PLATFORM_SETBUF_MACRO
-#else
-#define mbedtls_setbuf setbuf
-#endif /* MBEDTLS_PLATFORM_SETBUF_MACRO */
-#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
-
-/*
- * The function pointers for exit
- */
-#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
-extern void (*mbedtls_exit)(int status);
-
-/**
- * \brief This function dynamically configures the exit
- * function that is called when the mbedtls_exit()
- * function is invoked by the library.
- *
- * \param exit_func The \c exit function implementation.
- *
- * \return \c 0 on success.
- */
-int mbedtls_platform_set_exit(void (*exit_func)(int status));
-#else
-#undef mbedtls_exit
-#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
-#define mbedtls_exit MBEDTLS_PLATFORM_EXIT_MACRO
-#else
-#define mbedtls_exit exit
-#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
-#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
-
-/*
- * The default exit values
- */
-#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
-#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
-#else
-#define MBEDTLS_EXIT_SUCCESS 0
-#endif
-#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
-#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
-#else
-#define MBEDTLS_EXIT_FAILURE 1
-#endif
-
-/*
- * The function pointers for reading from and writing a seed file to
- * Non-Volatile storage (NV) in a platform-independent way
- *
- * Only enabled when the NV seed entropy source is enabled
- */
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
-/* Internal standard platform definitions */
-int mbedtls_platform_std_nv_seed_read(unsigned char *buf, size_t buf_len);
-int mbedtls_platform_std_nv_seed_write(unsigned char *buf, size_t buf_len);
-#endif
-
-#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
-extern int (*mbedtls_nv_seed_read)(unsigned char *buf, size_t buf_len);
-extern int (*mbedtls_nv_seed_write)(unsigned char *buf, size_t buf_len);
-
-/**
- * \brief This function allows configuring custom seed file writing and
- * reading functions.
- *
- * \param nv_seed_read_func The seed reading function implementation.
- * \param nv_seed_write_func The seed writing function implementation.
- *
- * \return \c 0 on success.
- */
-int mbedtls_platform_set_nv_seed(
- int (*nv_seed_read_func)(unsigned char *buf, size_t buf_len),
- int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len)
- );
-#else
-#undef mbedtls_nv_seed_read
-#undef mbedtls_nv_seed_write
-#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
- defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
-#define mbedtls_nv_seed_read MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
-#define mbedtls_nv_seed_write MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
-#else
-#define mbedtls_nv_seed_read mbedtls_platform_std_nv_seed_read
-#define mbedtls_nv_seed_write mbedtls_platform_std_nv_seed_write
-#endif
-#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-
-#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
-
-/**
- * \brief The platform context structure.
- *
- * \note This structure may be used to assist platform-specific
- * setup or teardown operations.
- */
-typedef struct mbedtls_platform_context {
- char MBEDTLS_PRIVATE(dummy); /**< A placeholder member, as empty structs are not portable. */
-}
-mbedtls_platform_context;
-
-#else
-#include "platform_alt.h"
-#endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
-
-/**
- * \brief This function performs any platform-specific initialization
- * operations.
- *
- * \note This function should be called before any other library functions.
- *
- * Its implementation is platform-specific, and unless
- * platform-specific code is provided, it does nothing.
- *
- * \note The usage and necessity of this function is dependent on the platform.
- *
- * \param ctx The platform context.
- *
- * \return \c 0 on success.
- */
-int mbedtls_platform_setup(mbedtls_platform_context *ctx);
-/**
- * \brief This function performs any platform teardown operations.
- *
- * \note This function should be called after every other Mbed TLS module
- * has been correctly freed using the appropriate free function.
- *
- * Its implementation is platform-specific, and unless
- * platform-specific code is provided, it does nothing.
- *
- * \note The usage and necessity of this function is dependent on the platform.
- *
- * \param ctx The platform context.
- *
- */
-void mbedtls_platform_teardown(mbedtls_platform_context *ctx);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* platform.h */
diff --git a/include/mbedtls/platform_time.h b/include/mbedtls/platform_time.h
deleted file mode 100644
index 21b3697..0000000
--- a/include/mbedtls/platform_time.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * \file platform_time.h
- *
- * \brief Mbed TLS Platform time abstraction
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PLATFORM_TIME_H
-#define MBEDTLS_PLATFORM_TIME_H
-
-#include "mbedtls/build_info.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * The time_t datatype
- */
-#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
-typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
-#else
-/* For time_t */
-#include <time.h>
-typedef time_t mbedtls_time_t;
-#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
-
-#if defined(MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO)
-typedef MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO mbedtls_ms_time_t;
-#else
-#include <stdint.h>
-#include <inttypes.h>
-typedef int64_t mbedtls_ms_time_t;
-#endif /* MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO */
-
-/**
- * \brief Get time in milliseconds.
- *
- * \return Monotonically-increasing current time in milliseconds.
- *
- * \note Define MBEDTLS_PLATFORM_MS_TIME_ALT to be able to provide an
- * alternative implementation
- *
- * \warning This function returns a monotonically-increasing time value from a
- * start time that will differ from platform to platform, and possibly
- * from run to run of the process.
- *
- */
-mbedtls_ms_time_t mbedtls_ms_time(void);
-
-/*
- * The function pointers for time
- */
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
-extern mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *time);
-
-/**
- * \brief Set your own time function pointer
- *
- * \param time_func the time function implementation
- *
- * \return 0
- */
-int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *time));
-#else
-#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
-#define mbedtls_time MBEDTLS_PLATFORM_TIME_MACRO
-#else
-#define mbedtls_time time
-#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
-#endif /* MBEDTLS_PLATFORM_TIME_ALT */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* platform_time.h */
diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h
deleted file mode 100644
index 3f23fef..0000000
--- a/include/mbedtls/platform_util.h
+++ /dev/null
@@ -1,213 +0,0 @@
-/**
- * \file platform_util.h
- *
- * \brief Common and shared functions used by multiple modules in the Mbed TLS
- * library.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PLATFORM_UTIL_H
-#define MBEDTLS_PLATFORM_UTIL_H
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#if defined(MBEDTLS_HAVE_TIME_DATE)
-#include "mbedtls/platform_time.h"
-#include <time.h>
-#endif /* MBEDTLS_HAVE_TIME_DATE */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Internal macros meant to be called only from within the library. */
-#define MBEDTLS_INTERNAL_VALIDATE_RET(cond, ret) do { } while (0)
-#define MBEDTLS_INTERNAL_VALIDATE(cond) do { } while (0)
-
-/* Internal helper macros for deprecating API constants. */
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED __attribute__((deprecated))
-MBEDTLS_DEPRECATED typedef char const *mbedtls_deprecated_string_constant_t;
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL) \
- ((mbedtls_deprecated_string_constant_t) (VAL))
-MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
-#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL) \
- ((mbedtls_deprecated_numeric_constant_t) (VAL))
-#else /* MBEDTLS_DEPRECATED_WARNING */
-#define MBEDTLS_DEPRECATED
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL) VAL
-#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL) VAL
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-/* Implementation of the check-return facility.
- * See the user documentation in mbedtls_config.h.
- *
- * Do not use this macro directly to annotate function: instead,
- * use one of MBEDTLS_CHECK_RETURN_CRITICAL or MBEDTLS_CHECK_RETURN_TYPICAL
- * depending on how important it is to check the return value.
- */
-#if !defined(MBEDTLS_CHECK_RETURN)
-#if defined(__GNUC__)
-#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
-#elif defined(_MSC_VER) && _MSC_VER >= 1700
-#include <sal.h>
-#define MBEDTLS_CHECK_RETURN _Check_return_
-#else
-#define MBEDTLS_CHECK_RETURN
-#endif
-#endif
-
-/** Critical-failure function
- *
- * This macro appearing at the beginning of the declaration of a function
- * indicates that its return value should be checked in all applications.
- * Omitting the check is very likely to indicate a bug in the application
- * and will result in a compile-time warning if #MBEDTLS_CHECK_RETURN
- * is implemented for the compiler in use.
- *
- * \note The use of this macro is a work in progress.
- * This macro may be added to more functions in the future.
- * Such an extension is not considered an API break, provided that
- * there are near-unavoidable circumstances under which the function
- * can fail. For example, signature/MAC/AEAD verification functions,
- * and functions that require a random generator, are considered
- * return-check-critical.
- */
-#define MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN
-
-/** Ordinary-failure function
- *
- * This macro appearing at the beginning of the declaration of a function
- * indicates that its return value should be generally be checked in portable
- * applications. Omitting the check will result in a compile-time warning if
- * #MBEDTLS_CHECK_RETURN is implemented for the compiler in use and
- * #MBEDTLS_CHECK_RETURN_WARNING is enabled in the compile-time configuration.
- *
- * You can use #MBEDTLS_IGNORE_RETURN to explicitly ignore the return value
- * of a function that is annotated with #MBEDTLS_CHECK_RETURN.
- *
- * \note The use of this macro is a work in progress.
- * This macro will be added to more functions in the future.
- * Eventually this should appear before most functions returning
- * an error code (as \c int in the \c mbedtls_xxx API or
- * as ::psa_status_t in the \c psa_xxx API).
- */
-#if defined(MBEDTLS_CHECK_RETURN_WARNING)
-#define MBEDTLS_CHECK_RETURN_TYPICAL MBEDTLS_CHECK_RETURN
-#else
-#define MBEDTLS_CHECK_RETURN_TYPICAL
-#endif
-
-/** Benign-failure function
- *
- * This macro appearing at the beginning of the declaration of a function
- * indicates that it is rarely useful to check its return value.
- *
- * This macro has an empty expansion. It exists for documentation purposes:
- * a #MBEDTLS_CHECK_RETURN_OPTIONAL annotation indicates that the function
- * has been analyzed for return-check usefulness, whereas the lack of
- * an annotation indicates that the function has not been analyzed and its
- * return-check usefulness is unknown.
- */
-#define MBEDTLS_CHECK_RETURN_OPTIONAL
-
-/** \def MBEDTLS_IGNORE_RETURN
- *
- * Call this macro with one argument, a function call, to suppress a warning
- * from #MBEDTLS_CHECK_RETURN due to that function call.
- */
-#if !defined(MBEDTLS_IGNORE_RETURN)
-/* GCC doesn't silence the warning with just (void)(result).
- * (void)!(result) is known to work up at least up to GCC 10, as well
- * as with Clang and MSVC.
- *
- * https://gcc.gnu.org/onlinedocs/gcc-3.4.6/gcc/Non_002dbugs.html
- * https://stackoverflow.com/questions/40576003/ignoring-warning-wunused-result
- * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425#c34
- */
-#define MBEDTLS_IGNORE_RETURN(result) ((void) !(result))
-#endif
-
-/* If the following macro is defined, the library is being built by the test
- * framework, and the framework is going to provide a replacement
- * mbedtls_platform_zeroize() using a preprocessor macro, so the function
- * declaration should be omitted. */
-#if !defined(MBEDTLS_TEST_DEFINES_ZEROIZE) //no-check-names
-/**
- * \brief Securely zeroize a buffer
- *
- * The function is meant to wipe the data contained in a buffer so
- * that it can no longer be recovered even if the program memory
- * is later compromised. Call this function on sensitive data
- * stored on the stack before returning from a function, and on
- * sensitive data stored on the heap before freeing the heap
- * object.
- *
- * It is extremely difficult to guarantee that calls to
- * mbedtls_platform_zeroize() are not removed by aggressive
- * compiler optimizations in a portable way. For this reason, Mbed
- * TLS provides the configuration option
- * MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
- * mbedtls_platform_zeroize() to use a suitable implementation for
- * their platform and needs
- *
- * \param buf Buffer to be zeroized
- * \param len Length of the buffer in bytes
- *
- */
-void mbedtls_platform_zeroize(void *buf, size_t len);
-#endif
-
-#if defined(MBEDTLS_HAVE_TIME_DATE)
-/**
- * \brief Platform-specific implementation of gmtime_r()
- *
- * The function is a thread-safe abstraction that behaves
- * similarly to the gmtime_r() function from Unix/POSIX.
- *
- * Mbed TLS will try to identify the underlying platform and
- * make use of an appropriate underlying implementation (e.g.
- * gmtime_r() for POSIX and gmtime_s() for Windows). If this is
- * not possible, then gmtime() will be used. In this case, calls
- * from the library to gmtime() will be guarded by the mutex
- * mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
- * enabled. It is recommended that calls from outside the library
- * are also guarded by this mutex.
- *
- * If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
- * unconditionally use the alternative implementation for
- * mbedtls_platform_gmtime_r() supplied by the user at compile time.
- *
- * \param tt Pointer to an object containing time (in seconds) since the
- * epoch to be converted
- * \param tm_buf Pointer to an object where the results will be stored
- *
- * \return Pointer to an object of type struct tm on success, otherwise
- * NULL
- */
-struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
- struct tm *tm_buf);
-#endif /* MBEDTLS_HAVE_TIME_DATE */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_PLATFORM_UTIL_H */
diff --git a/include/mbedtls/poly1305.h b/include/mbedtls/poly1305.h
deleted file mode 100644
index 3025ef1..0000000
--- a/include/mbedtls/poly1305.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/**
- * \file poly1305.h
- *
- * \brief This file contains Poly1305 definitions and functions.
- *
- * Poly1305 is a one-time message authenticator that can be used to
- * authenticate messages. Poly1305-AES was created by Daniel
- * Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
- * Poly1305 algorithm (not tied to AES) was also standardized in RFC
- * 7539.
- *
- * \author Daniel King <damaki.gh@gmail.com>
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_POLY1305_H
-#define MBEDTLS_POLY1305_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stdint.h>
-#include <stddef.h>
-
-/** Invalid input parameter(s). */
-#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA -0x0057
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_POLY1305_ALT)
-
-typedef struct mbedtls_poly1305_context {
- uint32_t MBEDTLS_PRIVATE(r)[4]; /** The value for 'r' (low 128 bits of the key). */
- uint32_t MBEDTLS_PRIVATE(s)[4]; /** The value for 's' (high 128 bits of the key). */
- uint32_t MBEDTLS_PRIVATE(acc)[5]; /** The accumulator number. */
- uint8_t MBEDTLS_PRIVATE(queue)[16]; /** The current partial block of data. */
- size_t MBEDTLS_PRIVATE(queue_len); /** The number of bytes stored in 'queue'. */
-}
-mbedtls_poly1305_context;
-
-#else /* MBEDTLS_POLY1305_ALT */
-#include "poly1305_alt.h"
-#endif /* MBEDTLS_POLY1305_ALT */
-
-/**
- * \brief This function initializes the specified Poly1305 context.
- *
- * It must be the first API called before using
- * the context.
- *
- * It is usually followed by a call to
- * \c mbedtls_poly1305_starts(), then one or more calls to
- * \c mbedtls_poly1305_update(), then one call to
- * \c mbedtls_poly1305_finish(), then finally
- * \c mbedtls_poly1305_free().
- *
- * \param ctx The Poly1305 context to initialize. This must
- * not be \c NULL.
- */
-void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx);
-
-/**
- * \brief This function releases and clears the specified
- * Poly1305 context.
- *
- * \param ctx The Poly1305 context to clear. This may be \c NULL, in which
- * case this function is a no-op. If it is not \c NULL, it must
- * point to an initialized Poly1305 context.
- */
-void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx);
-
-/**
- * \brief This function sets the one-time authentication key.
- *
- * \warning The key must be unique and unpredictable for each
- * invocation of Poly1305.
- *
- * \param ctx The Poly1305 context to which the key should be bound.
- * This must be initialized.
- * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
- const unsigned char key[32]);
-
-/**
- * \brief This functions feeds an input buffer into an ongoing
- * Poly1305 computation.
- *
- * It is called between \c mbedtls_cipher_poly1305_starts() and
- * \c mbedtls_cipher_poly1305_finish().
- * It can be called repeatedly to process a stream of data.
- *
- * \param ctx The Poly1305 context to use for the Poly1305 operation.
- * This must be initialized and bound to a key.
- * \param ilen The length of the input data in Bytes.
- * Any value is accepted.
- * \param input The buffer holding the input data.
- * This pointer can be \c NULL if `ilen == 0`.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief This function generates the Poly1305 Message
- * Authentication Code (MAC).
- *
- * \param ctx The Poly1305 context to use for the Poly1305 operation.
- * This must be initialized and bound to a key.
- * \param mac The buffer to where the MAC is written. This must
- * be a writable buffer of length \c 16 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
- unsigned char mac[16]);
-
-/**
- * \brief This function calculates the Poly1305 MAC of the input
- * buffer with the provided key.
- *
- * \warning The key must be unique and unpredictable for each
- * invocation of Poly1305.
- *
- * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
- * \param ilen The length of the input data in Bytes.
- * Any value is accepted.
- * \param input The buffer holding the input data.
- * This pointer can be \c NULL if `ilen == 0`.
- * \param mac The buffer to where the MAC is written. This must be
- * a writable buffer of length \c 16 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_poly1305_mac(const unsigned char key[32],
- const unsigned char *input,
- size_t ilen,
- unsigned char mac[16]);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief The Poly1305 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_poly1305_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_POLY1305_H */
diff --git a/include/mbedtls/private_access.h b/include/mbedtls/private_access.h
deleted file mode 100644
index 61fa877..0000000
--- a/include/mbedtls/private_access.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * \file private_access.h
- *
- * \brief Macro wrapper for struct's members.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PRIVATE_ACCESS_H
-#define MBEDTLS_PRIVATE_ACCESS_H
-
-#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
-#define MBEDTLS_PRIVATE(member) private_##member
-#else
-#define MBEDTLS_PRIVATE(member) member
-#endif
-
-#endif /* MBEDTLS_PRIVATE_ACCESS_H */
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
deleted file mode 100644
index 8ce1592..0000000
--- a/include/mbedtls/psa_util.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/**
- * \file psa_util.h
- *
- * \brief Utility functions for the use of the PSA Crypto library.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PSA_UTIL_H
-#define MBEDTLS_PSA_UTIL_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-/* Expose whatever RNG the PSA subsystem uses to applications using the
- * mbedtls_xxx API. The declarations and definitions here need to be
- * consistent with the implementation in library/psa_crypto_random_impl.h.
- * See that file for implementation documentation. */
-
-
-/* The type of a `f_rng` random generator function that many library functions
- * take.
- *
- * This type name is not part of the Mbed TLS stable API. It may be renamed
- * or moved without warning.
- */
-typedef int mbedtls_f_rng_t(void *p_rng, unsigned char *output, size_t output_size);
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-
-/** The random generator function for the PSA subsystem.
- *
- * This function is suitable as the `f_rng` random generator function
- * parameter of many `mbedtls_xxx` functions. Use #MBEDTLS_PSA_RANDOM_STATE
- * to obtain the \p p_rng parameter.
- *
- * The implementation of this function depends on the configuration of the
- * library.
- *
- * \note Depending on the configuration, this may be a function or
- * a pointer to a function.
- *
- * \note This function may only be used if the PSA crypto subsystem is active.
- * This means that you must call psa_crypto_init() before any call to
- * this function, and you must not call this function after calling
- * mbedtls_psa_crypto_free().
- *
- * \param p_rng The random generator context. This must be
- * #MBEDTLS_PSA_RANDOM_STATE. No other state is
- * supported.
- * \param output The buffer to fill. It must have room for
- * \c output_size bytes.
- * \param output_size The number of bytes to write to \p output.
- * This function may fail if \p output_size is too
- * large. It is guaranteed to accept any output size
- * requested by Mbed TLS library functions. The
- * maximum request size depends on the library
- * configuration.
- *
- * \return \c 0 on success.
- * \return An `MBEDTLS_ERR_ENTROPY_xxx`,
- * `MBEDTLS_ERR_PLATFORM_xxx,
- * `MBEDTLS_ERR_CTR_DRBG_xxx` or
- * `MBEDTLS_ERR_HMAC_DRBG_xxx` on error.
- */
-int mbedtls_psa_get_random(void *p_rng,
- unsigned char *output,
- size_t output_size);
-
-/** The random generator state for the PSA subsystem.
- *
- * This macro expands to an expression which is suitable as the `p_rng`
- * random generator state parameter of many `mbedtls_xxx` functions.
- * It must be used in combination with the random generator function
- * mbedtls_psa_get_random().
- *
- * The implementation of this macro depends on the configuration of the
- * library. Do not make any assumption on its nature.
- */
-#define MBEDTLS_PSA_RANDOM_STATE NULL
-
-#else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
-typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
-static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random;
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
-typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
-static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random;
-#endif
-extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
-
-#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
-
-#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-#endif /* MBEDTLS_PSA_UTIL_H */
diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h
deleted file mode 100644
index acec3c5..0000000
--- a/include/mbedtls/ripemd160.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/**
- * \file ripemd160.h
- *
- * \brief RIPE MD-160 message digest
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_RIPEMD160_H
-#define MBEDTLS_RIPEMD160_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_RIPEMD160_ALT)
-// Regular implementation
-//
-
-/**
- * \brief RIPEMD-160 context structure
- */
-typedef struct mbedtls_ripemd160_context {
- uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */
- uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< intermediate digest state */
- unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */
-}
-mbedtls_ripemd160_context;
-
-#else /* MBEDTLS_RIPEMD160_ALT */
-#include "ripemd160_alt.h"
-#endif /* MBEDTLS_RIPEMD160_ALT */
-
-/**
- * \brief Initialize RIPEMD-160 context
- *
- * \param ctx RIPEMD-160 context to be initialized
- */
-void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx);
-
-/**
- * \brief Clear RIPEMD-160 context
- *
- * \param ctx RIPEMD-160 context to be cleared
- */
-void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx);
-
-/**
- * \brief Clone (the state of) a RIPEMD-160 context
- *
- * \param dst The destination context
- * \param src The context to be cloned
- */
-void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
- const mbedtls_ripemd160_context *src);
-
-/**
- * \brief RIPEMD-160 context setup
- *
- * \param ctx context to be initialized
- *
- * \return 0 if successful
- */
-int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx);
-
-/**
- * \brief RIPEMD-160 process buffer
- *
- * \param ctx RIPEMD-160 context
- * \param input buffer holding the data
- * \param ilen length of the input data
- *
- * \return 0 if successful
- */
-int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief RIPEMD-160 final digest
- *
- * \param ctx RIPEMD-160 context
- * \param output RIPEMD-160 checksum result
- *
- * \return 0 if successful
- */
-int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
- unsigned char output[20]);
-
-/**
- * \brief RIPEMD-160 process data block (internal use only)
- *
- * \param ctx RIPEMD-160 context
- * \param data buffer holding one block of data
- *
- * \return 0 if successful
- */
-int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
- const unsigned char data[64]);
-
-/**
- * \brief Output = RIPEMD-160( input buffer )
- *
- * \param input buffer holding the data
- * \param ilen length of the input data
- * \param output RIPEMD-160 checksum result
- *
- * \return 0 if successful
- */
-int mbedtls_ripemd160(const unsigned char *input,
- size_t ilen,
- unsigned char output[20]);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief Checkup routine
- *
- * \return 0 if successful, or 1 if the test failed
- */
-int mbedtls_ripemd160_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_ripemd160.h */
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
deleted file mode 100644
index 69f3981..0000000
--- a/include/mbedtls/rsa.h
+++ /dev/null
@@ -1,1155 +0,0 @@
-/**
- * \file rsa.h
- *
- * \brief This file provides an API for the RSA public-key cryptosystem.
- *
- * The RSA public-key cryptosystem is defined in <em>Public-Key
- * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
- * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
- * RSA Cryptography Specifications</em>.
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_RSA_H
-#define MBEDTLS_RSA_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/bignum.h"
-#include "mbedtls/md.h"
-
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-
-/*
- * RSA Error codes
- */
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080
-/** Input data contains invalid padding and is rejected. */
-#define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100
-/** Something failed during generation of a key. */
-#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180
-/** Key failed to pass the validity check of the library. */
-#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200
-/** The public key operation failed. */
-#define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280
-/** The private key operation failed. */
-#define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300
-/** The PKCS#1 verification failed. */
-#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380
-/** The output buffer for decryption is not large enough. */
-#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400
-/** The random generator failed to generate non-zeros. */
-#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480
-
-/*
- * RSA constants
- */
-
-#define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */
-#define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */
-
-#define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
-#define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
-
-#define MBEDTLS_RSA_SALT_LEN_ANY -1
-
-/*
- * The above constants may be used even if the RSA module is compile out,
- * eg for alternative (PKCS#11) RSA implementations in the PK layers.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_RSA_ALT)
-// Regular implementation
-//
-
-#if !defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)
-#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024
-#elif MBEDTLS_RSA_GEN_KEY_MIN_BITS < 128
-#error "MBEDTLS_RSA_GEN_KEY_MIN_BITS must be at least 128 bits"
-#endif
-
-/**
- * \brief The RSA context structure.
- */
-typedef struct mbedtls_rsa_context {
- int MBEDTLS_PRIVATE(ver); /*!< Reserved for internal purposes.
- * Do not set this field in application
- * code. Its meaning might change without
- * notice. */
- size_t MBEDTLS_PRIVATE(len); /*!< The size of \p N in Bytes. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(N); /*!< The public modulus. */
- mbedtls_mpi MBEDTLS_PRIVATE(E); /*!< The public exponent. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(D); /*!< The private exponent. */
- mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The first prime factor. */
- mbedtls_mpi MBEDTLS_PRIVATE(Q); /*!< The second prime factor. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(DP); /*!< <code>D % (P - 1)</code>. */
- mbedtls_mpi MBEDTLS_PRIVATE(DQ); /*!< <code>D % (Q - 1)</code>. */
- mbedtls_mpi MBEDTLS_PRIVATE(QP); /*!< <code>1 / (Q % P)</code>. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(RN); /*!< cached <code>R^2 mod N</code>. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< cached <code>R^2 mod P</code>. */
- mbedtls_mpi MBEDTLS_PRIVATE(RQ); /*!< cached <code>R^2 mod Q</code>. */
-
- mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The cached blinding value. */
- mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The cached un-blinding value. */
-
- int MBEDTLS_PRIVATE(padding); /*!< Selects padding mode:
- #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
- #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
- int MBEDTLS_PRIVATE(hash_id); /*!< Hash identifier of mbedtls_md_type_t type,
- as specified in md.h for use in the MGF
- mask generating function used in the
- EME-OAEP and EMSA-PSS encodings. */
-#if defined(MBEDTLS_THREADING_C)
- /* Invariant: the mutex is initialized iff ver != 0. */
- mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< Thread-safety mutex. */
-#endif
-}
-mbedtls_rsa_context;
-
-#else /* MBEDTLS_RSA_ALT */
-#include "rsa_alt.h"
-#endif /* MBEDTLS_RSA_ALT */
-
-/**
- * \brief This function initializes an RSA context.
- *
- * \note This function initializes the padding and the hash
- * identifier to respectively #MBEDTLS_RSA_PKCS_V15 and
- * #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more
- * information about those parameters.
- *
- * \param ctx The RSA context to initialize. This must not be \c NULL.
- */
-void mbedtls_rsa_init(mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function sets padding for an already initialized RSA
- * context.
- *
- * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
- * encryption scheme and the RSASSA-PSS signature scheme.
- *
- * \note The \p hash_id parameter is ignored when using
- * #MBEDTLS_RSA_PKCS_V15 padding.
- *
- * \note The choice of padding mode is strictly enforced for private
- * key operations, since there might be security concerns in
- * mixing padding modes. For public key operations it is
- * a default value, which can be overridden by calling specific
- * \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx
- * functions.
- *
- * \note The hash selected in \p hash_id is always used for OEAP
- * encryption. For PSS signatures, it is always used for
- * making signatures, but can be overridden for verifying them.
- * If set to #MBEDTLS_MD_NONE, it is always overridden.
- *
- * \param ctx The initialized RSA context to be configured.
- * \param padding The padding mode to use. This must be either
- * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id The hash identifier for PSS or OAEP, if \p padding is
- * #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this
- * function but may be not suitable for some operations.
- * Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure:
- * \p padding or \p hash_id is invalid.
- */
-int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
- mbedtls_md_type_t hash_id);
-
-/**
- * \brief This function retrieves padding mode of initialized
- * RSA context.
- *
- * \param ctx The initialized RSA context.
- *
- * \return RSA padding mode.
- *
- */
-int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function retrieves hash identifier of mbedtls_md_type_t
- * type.
- *
- * \param ctx The initialized RSA context.
- *
- * \return Hash identifier of mbedtls_md_type_t type.
- *
- */
-int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function imports a set of core parameters into an
- * RSA context.
- *
- * \note This function can be called multiple times for successive
- * imports, if the parameters are not simultaneously present.
- *
- * Any sequence of calls to this function should be followed
- * by a call to mbedtls_rsa_complete(), which checks and
- * completes the provided information to a ready-for-use
- * public or private RSA key.
- *
- * \note See mbedtls_rsa_complete() for more information on which
- * parameters are necessary to set up a private or public
- * RSA key.
- *
- * \note The imported parameters are copied and need not be preserved
- * for the lifetime of the RSA context being set up.
- *
- * \param ctx The initialized RSA context to store the parameters in.
- * \param N The RSA modulus. This may be \c NULL.
- * \param P The first prime factor of \p N. This may be \c NULL.
- * \param Q The second prime factor of \p N. This may be \c NULL.
- * \param D The private exponent. This may be \c NULL.
- * \param E The public exponent. This may be \c NULL.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
- const mbedtls_mpi *N,
- const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, const mbedtls_mpi *E);
-
-/**
- * \brief This function imports core RSA parameters, in raw big-endian
- * binary format, into an RSA context.
- *
- * \note This function can be called multiple times for successive
- * imports, if the parameters are not simultaneously present.
- *
- * Any sequence of calls to this function should be followed
- * by a call to mbedtls_rsa_complete(), which checks and
- * completes the provided information to a ready-for-use
- * public or private RSA key.
- *
- * \note See mbedtls_rsa_complete() for more information on which
- * parameters are necessary to set up a private or public
- * RSA key.
- *
- * \note The imported parameters are copied and need not be preserved
- * for the lifetime of the RSA context being set up.
- *
- * \param ctx The initialized RSA context to store the parameters in.
- * \param N The RSA modulus. This may be \c NULL.
- * \param N_len The Byte length of \p N; it is ignored if \p N == NULL.
- * \param P The first prime factor of \p N. This may be \c NULL.
- * \param P_len The Byte length of \p P; it is ignored if \p P == NULL.
- * \param Q The second prime factor of \p N. This may be \c NULL.
- * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL.
- * \param D The private exponent. This may be \c NULL.
- * \param D_len The Byte length of \p D; it is ignored if \p D == NULL.
- * \param E The public exponent. This may be \c NULL.
- * \param E_len The Byte length of \p E; it is ignored if \p E == NULL.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
- unsigned char const *N, size_t N_len,
- unsigned char const *P, size_t P_len,
- unsigned char const *Q, size_t Q_len,
- unsigned char const *D, size_t D_len,
- unsigned char const *E, size_t E_len);
-
-/**
- * \brief This function completes an RSA context from
- * a set of imported core parameters.
- *
- * To setup an RSA public key, precisely \c N and \c E
- * must have been imported.
- *
- * To setup an RSA private key, sufficient information must
- * be present for the other parameters to be derivable.
- *
- * The default implementation supports the following:
- * <ul><li>Derive \c P, \c Q from \c N, \c D, \c E.</li>
- * <li>Derive \c N, \c D from \c P, \c Q, \c E.</li></ul>
- * Alternative implementations need not support these.
- *
- * If this function runs successfully, it guarantees that
- * the RSA context can be used for RSA operations without
- * the risk of failure or crash.
- *
- * \warning This function need not perform consistency checks
- * for the imported parameters. In particular, parameters that
- * are not needed by the implementation might be silently
- * discarded and left unchecked. To check the consistency
- * of the key material, see mbedtls_rsa_check_privkey().
- *
- * \param ctx The initialized RSA context holding imported parameters.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
- * failed.
- *
- */
-int mbedtls_rsa_complete(mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function exports the core parameters of an RSA key.
- *
- * If this function runs successfully, the non-NULL buffers
- * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
- * written, with additional unused space filled leading by
- * zero Bytes.
- *
- * Possible reasons for returning
- * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
- * <li>An alternative RSA implementation is in use, which
- * stores the key externally, and either cannot or should
- * not export it into RAM.</li>
- * <li>A SW or HW implementation might not support a certain
- * deduction. For example, \p P, \p Q from \p N, \p D,
- * and \p E if the former are not part of the
- * implementation.</li></ul>
- *
- * If the function fails due to an unsupported operation,
- * the RSA context stays intact and remains usable.
- *
- * \param ctx The initialized RSA context.
- * \param N The MPI to hold the RSA modulus.
- * This may be \c NULL if this field need not be exported.
- * \param P The MPI to hold the first prime factor of \p N.
- * This may be \c NULL if this field need not be exported.
- * \param Q The MPI to hold the second prime factor of \p N.
- * This may be \c NULL if this field need not be exported.
- * \param D The MPI to hold the private exponent.
- * This may be \c NULL if this field need not be exported.
- * \param E The MPI to hold the public exponent.
- * This may be \c NULL if this field need not be exported.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
- * requested parameters cannot be done due to missing
- * functionality or because of security policies.
- * \return A non-zero return code on any other failure.
- *
- */
-int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
- mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
- mbedtls_mpi *D, mbedtls_mpi *E);
-
-/**
- * \brief This function exports core parameters of an RSA key
- * in raw big-endian binary format.
- *
- * If this function runs successfully, the non-NULL buffers
- * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
- * written, with additional unused space filled leading by
- * zero Bytes.
- *
- * Possible reasons for returning
- * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
- * <li>An alternative RSA implementation is in use, which
- * stores the key externally, and either cannot or should
- * not export it into RAM.</li>
- * <li>A SW or HW implementation might not support a certain
- * deduction. For example, \p P, \p Q from \p N, \p D,
- * and \p E if the former are not part of the
- * implementation.</li></ul>
- * If the function fails due to an unsupported operation,
- * the RSA context stays intact and remains usable.
- *
- * \note The length parameters are ignored if the corresponding
- * buffer pointers are NULL.
- *
- * \param ctx The initialized RSA context.
- * \param N The Byte array to store the RSA modulus,
- * or \c NULL if this field need not be exported.
- * \param N_len The size of the buffer for the modulus.
- * \param P The Byte array to hold the first prime factor of \p N,
- * or \c NULL if this field need not be exported.
- * \param P_len The size of the buffer for the first prime factor.
- * \param Q The Byte array to hold the second prime factor of \p N,
- * or \c NULL if this field need not be exported.
- * \param Q_len The size of the buffer for the second prime factor.
- * \param D The Byte array to hold the private exponent,
- * or \c NULL if this field need not be exported.
- * \param D_len The size of the buffer for the private exponent.
- * \param E The Byte array to hold the public exponent,
- * or \c NULL if this field need not be exported.
- * \param E_len The size of the buffer for the public exponent.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
- * requested parameters cannot be done due to missing
- * functionality or because of security policies.
- * \return A non-zero return code on any other failure.
- */
-int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
- unsigned char *N, size_t N_len,
- unsigned char *P, size_t P_len,
- unsigned char *Q, size_t Q_len,
- unsigned char *D, size_t D_len,
- unsigned char *E, size_t E_len);
-
-/**
- * \brief This function exports CRT parameters of a private RSA key.
- *
- * \note Alternative RSA implementations not using CRT-parameters
- * internally can implement this function based on
- * mbedtls_rsa_deduce_opt().
- *
- * \param ctx The initialized RSA context.
- * \param DP The MPI to hold \c D modulo `P-1`,
- * or \c NULL if it need not be exported.
- * \param DQ The MPI to hold \c D modulo `Q-1`,
- * or \c NULL if it need not be exported.
- * \param QP The MPI to hold modular inverse of \c Q modulo \c P,
- * or \c NULL if it need not be exported.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- *
- */
-int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
- mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP);
-
-/**
- * \brief This function retrieves the length of RSA modulus in Bytes.
- *
- * \param ctx The initialized RSA context.
- *
- * \return The length of the RSA modulus in Bytes.
- *
- */
-size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function generates an RSA keypair.
- *
- * \note mbedtls_rsa_init() must be called before this function,
- * to set up the RSA context.
- *
- * \param ctx The initialized RSA context used to hold the key.
- * \param f_rng The RNG function to be used for key generation.
- * This is mandatory and must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng.
- * This may be \c NULL if \p f_rng doesn't need a context.
- * \param nbits The size of the public key in bits.
- * \param exponent The public exponent to use. For example, \c 65537.
- * This must be odd and greater than \c 1.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- unsigned int nbits, int exponent);
-
-/**
- * \brief This function checks if a context contains at least an RSA
- * public key.
- *
- * If the function runs successfully, it is guaranteed that
- * enough information is present to perform an RSA public key
- * operation using mbedtls_rsa_public().
- *
- * \param ctx The initialized RSA context to check.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- *
- */
-int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function checks if a context contains an RSA private key
- * and perform basic consistency checks.
- *
- * \note The consistency checks performed by this function not only
- * ensure that mbedtls_rsa_private() can be called successfully
- * on the given context, but that the various parameters are
- * mutually consistent with high probability, in the sense that
- * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
- *
- * \warning This function should catch accidental misconfigurations
- * like swapping of parameters, but it cannot establish full
- * trust in neither the quality nor the consistency of the key
- * material that was used to setup the given RSA context:
- * <ul><li>Consistency: Imported parameters that are irrelevant
- * for the implementation might be silently dropped. If dropped,
- * the current function does not have access to them,
- * and therefore cannot check them. See mbedtls_rsa_complete().
- * If you want to check the consistency of the entire
- * content of a PKCS1-encoded RSA private key, for example, you
- * should use mbedtls_rsa_validate_params() before setting
- * up the RSA context.
- * Additionally, if the implementation performs empirical checks,
- * these checks substantiate but do not guarantee consistency.</li>
- * <li>Quality: This function is not expected to perform
- * extended quality assessments like checking that the prime
- * factors are safe. Additionally, it is the responsibility of the
- * user to ensure the trustworthiness of the source of his RSA
- * parameters, which goes beyond what is effectively checkable
- * by the library.</li></ul>
- *
- * \param ctx The initialized RSA context to check.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx);
-
-/**
- * \brief This function checks a public-private RSA key pair.
- *
- * It checks each of the contexts, and makes sure they match.
- *
- * \param pub The initialized RSA context holding the public key.
- * \param prv The initialized RSA context holding the private key.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
- const mbedtls_rsa_context *prv);
-
-/**
- * \brief This function performs an RSA public key operation.
- *
- * \param ctx The initialized RSA context to use.
- * \param input The input buffer. This must be a readable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- * \param output The output buffer. This must be a writable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \note This function does not handle message padding.
- *
- * \note Make sure to set \p input[0] = 0 or ensure that
- * input is smaller than \c N.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function performs an RSA private key operation.
- *
- * \note Blinding is used if and only if a PRNG is provided.
- *
- * \note If blinding is used, both the base of exponentiation
- * and the exponent are blinded, providing protection
- * against some side-channel attacks.
- *
- * \warning It is deprecated and a security risk to not provide
- * a PRNG here and thereby prevent the use of blinding.
- * Future versions of the library may enforce the presence
- * of a PRNG.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function, used for blinding. It is mandatory.
- * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context.
- * \param input The input buffer. This must be a readable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- * \param output The output buffer. This must be a writable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- *
- */
-int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function adds the message padding, then performs an RSA
- * operation.
- *
- * It is the generic wrapper for performing a PKCS#1 encryption
- * operation.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG to use. It is used for padding generation
- * and it is mandatory.
- * \param p_rng The RNG context to be passed to \p f_rng. May be
- * \c NULL if \p f_rng doesn't need a context argument.
- * \param ilen The length of the plaintext in Bytes.
- * \param input The input data to encrypt. This must be a readable
- * buffer of size \p ilen Bytes. It may be \c NULL if
- * `ilen == 0`.
- * \param output The output buffer. This must be a writable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t ilen,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function performs a PKCS#1 v1.5 encryption operation
- * (RSAES-PKCS1-v1_5-ENCRYPT).
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function to use. It is mandatory and used for
- * padding generation.
- * \param p_rng The RNG context to be passed to \p f_rng. This may
- * be \c NULL if \p f_rng doesn't need a context argument.
- * \param ilen The length of the plaintext in Bytes.
- * \param input The input data to encrypt. This must be a readable
- * buffer of size \p ilen Bytes. It may be \c NULL if
- * `ilen == 0`.
- * \param output The output buffer. This must be a writable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t ilen,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 OAEP encryption
- * operation (RSAES-OAEP-ENCRYPT).
- *
- * \note The output buffer must be as large as the size
- * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function to use. This is needed for padding
- * generation and is mandatory.
- * \param p_rng The RNG context to be passed to \p f_rng. This may
- * be \c NULL if \p f_rng doesn't need a context argument.
- * \param label The buffer holding the custom label to use.
- * This must be a readable buffer of length \p label_len
- * Bytes. It may be \c NULL if \p label_len is \c 0.
- * \param label_len The length of the label in Bytes.
- * \param ilen The length of the plaintext buffer \p input in Bytes.
- * \param input The input data to encrypt. This must be a readable
- * buffer of size \p ilen Bytes. It may be \c NULL if
- * `ilen == 0`.
- * \param output The output buffer. This must be a writable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *label, size_t label_len,
- size_t ilen,
- const unsigned char *input,
- unsigned char *output);
-
-/**
- * \brief This function performs an RSA operation, then removes the
- * message padding.
- *
- * It is the generic wrapper for performing a PKCS#1 decryption
- * operation.
- *
- * \note The output buffer length \c output_max_len should be
- * as large as the size \p ctx->len of \p ctx->N (for example,
- * 128 Bytes if RSA-1024 is used) to be able to hold an
- * arbitrary decrypted message. If it is not large enough to
- * hold the decryption of the particular ciphertext provided,
- * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. This is used for blinding and is
- * mandatory; see mbedtls_rsa_private() for more.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context.
- * \param olen The address at which to store the length of
- * the plaintext. This must not be \c NULL.
- * \param input The ciphertext buffer. This must be a readable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- * \param output The buffer used to hold the plaintext. This must
- * be a writable buffer of length \p output_max_len Bytes.
- * \param output_max_len The length in Bytes of the output buffer \p output.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len);
-
-/**
- * \brief This function performs a PKCS#1 v1.5 decryption
- * operation (RSAES-PKCS1-v1_5-DECRYPT).
- *
- * \note The output buffer length \c output_max_len should be
- * as large as the size \p ctx->len of \p ctx->N, for example,
- * 128 Bytes if RSA-1024 is used, to be able to hold an
- * arbitrary decrypted message. If it is not large enough to
- * hold the decryption of the particular ciphertext provided,
- * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. This is used for blinding and is
- * mandatory; see mbedtls_rsa_private() for more.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context.
- * \param olen The address at which to store the length of
- * the plaintext. This must not be \c NULL.
- * \param input The ciphertext buffer. This must be a readable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- * \param output The buffer used to hold the plaintext. This must
- * be a writable buffer of length \p output_max_len Bytes.
- * \param output_max_len The length in Bytes of the output buffer \p output.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- *
- */
-int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 OAEP decryption
- * operation (RSAES-OAEP-DECRYPT).
- *
- * \note The output buffer length \c output_max_len should be
- * as large as the size \p ctx->len of \p ctx->N, for
- * example, 128 Bytes if RSA-1024 is used, to be able to
- * hold an arbitrary decrypted message. If it is not
- * large enough to hold the decryption of the particular
- * ciphertext provided, the function returns
- * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. This is used for blinding and is
- * mandatory.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context.
- * \param label The buffer holding the custom label to use.
- * This must be a readable buffer of length \p label_len
- * Bytes. It may be \c NULL if \p label_len is \c 0.
- * \param label_len The length of the label in Bytes.
- * \param olen The address at which to store the length of
- * the plaintext. This must not be \c NULL.
- * \param input The ciphertext buffer. This must be a readable buffer
- * of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- * \param output The buffer used to hold the plaintext. This must
- * be a writable buffer of length \p output_max_len Bytes.
- * \param output_max_len The length in Bytes of the output buffer \p output.
- *
- * \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *label, size_t label_len,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len);
-
-/**
- * \brief This function performs a private RSA operation to sign
- * a message digest using PKCS#1.
- *
- * It is the generic wrapper for performing a PKCS#1
- * signature.
- *
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note For PKCS#1 v2.1 encoding, see comments on
- * mbedtls_rsa_rsassa_pss_sign() for details on
- * \p md_alg and \p hash_id.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function to use. This is mandatory and
- * must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context argument.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer to hold the signature. This must be a writable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus. A buffer length of
- * #MBEDTLS_MPI_MAX_SIZE is always safe.
- *
- * \return \c 0 if the signing operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v1.5 signature
- * operation (RSASSA-PKCS1-v1_5-SIGN).
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. This is used for blinding and is
- * mandatory; see mbedtls_rsa_private() for more.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context argument.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer to hold the signature. This must be a writable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus. A buffer length of
- * #MBEDTLS_MPI_MAX_SIZE is always safe.
- *
- * \return \c 0 if the signing operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 PSS signature
- * operation (RSASSA-PSS-SIGN).
- *
- * \note The \c hash_id set in \p ctx by calling
- * mbedtls_rsa_set_padding() selects the hash used for the
- * encoding operation and for the mask generation function
- * (MGF1). For more details on the encoding operation and the
- * mask generation function, consult <em>RFC-3447: Public-Key
- * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em>.
- *
- * \note This function enforces that the provided salt length complies
- * with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1
- * step 3. The constraint is that the hash length plus the salt
- * length plus 2 bytes must be at most the key length. If this
- * constraint is not met, this function returns
- * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. It is mandatory and must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context argument.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param saltlen The length of the salt that should be used.
- * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
- * the largest possible salt length up to the hash length,
- * which is the largest permitted by some standards including
- * FIPS 186-4 §5.5.
- * \param sig The buffer to hold the signature. This must be a writable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus. A buffer length of
- * #MBEDTLS_MPI_MAX_SIZE is always safe.
- *
- * \return \c 0 if the signing operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- int saltlen,
- unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 PSS signature
- * operation (RSASSA-PSS-SIGN).
- *
- * \note The \c hash_id set in \p ctx by calling
- * mbedtls_rsa_set_padding() selects the hash used for the
- * encoding operation and for the mask generation function
- * (MGF1). For more details on the encoding operation and the
- * mask generation function, consult <em>RFC-3447: Public-Key
- * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em>.
- *
- * \note This function always uses the maximum possible salt size,
- * up to the length of the payload hash. This choice of salt
- * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
- * v2.2) §9.1.1 step 3. Furthermore this function enforces a
- * minimum salt size which is the hash size minus 2 bytes. If
- * this minimum size is too large given the key size (the salt
- * size, plus the hash size, plus 2 bytes must be no more than
- * the key size in bytes), this function returns
- * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
- *
- * \param ctx The initialized RSA context to use.
- * \param f_rng The RNG function. It is mandatory and must not be \c NULL.
- * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
- * if \p f_rng doesn't need a context argument.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer to hold the signature. This must be a writable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus. A buffer length of
- * #MBEDTLS_MPI_MAX_SIZE is always safe.
- *
- * \return \c 0 if the signing operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig);
-
-/**
- * \brief This function performs a public RSA operation and checks
- * the message digest.
- *
- * This is the generic wrapper for performing a PKCS#1
- * verification.
- *
- * \note For PKCS#1 v2.1 encoding, see comments on
- * mbedtls_rsa_rsassa_pss_verify() about \c md_alg and
- * \c hash_id.
- *
- * \param ctx The initialized RSA public key context to use.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer holding the signature. This must be a readable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 if the verify operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v1.5 verification
- * operation (RSASSA-PKCS1-v1_5-VERIFY).
- *
- * \param ctx The initialized RSA public key context to use.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer holding the signature. This must be a readable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 if the verify operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 PSS verification
- * operation (RSASSA-PSS-VERIFY).
- *
- * \note The \c hash_id set in \p ctx by calling
- * mbedtls_rsa_set_padding() selects the hash used for the
- * encoding operation and for the mask generation function
- * (MGF1). For more details on the encoding operation and the
- * mask generation function, consult <em>RFC-3447: Public-Key
- * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em>. If the \c hash_id set in \p ctx by
- * mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg
- * parameter is used.
- *
- * \param ctx The initialized RSA public key context to use.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param sig The buffer holding the signature. This must be a readable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 if the verify operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig);
-
-/**
- * \brief This function performs a PKCS#1 v2.1 PSS verification
- * operation (RSASSA-PSS-VERIFY).
- *
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is
- * ignored.
- *
- * \param ctx The initialized RSA public key context to use.
- * \param md_alg The message-digest algorithm used to hash the original data.
- * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest or raw data in Bytes.
- * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
- * output length of the corresponding hash algorithm.
- * \param hash The buffer holding the message digest or raw data.
- * This must be a readable buffer of at least \p hashlen Bytes.
- * \param mgf1_hash_id The message digest algorithm used for the
- * verification operation and the mask generation
- * function (MGF1). For more details on the encoding
- * operation and the mask generation function, consult
- * <em>RFC-3447: Public-Key Cryptography Standards
- * (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em>.
- * \param expected_salt_len The length of the salt used in padding. Use
- * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
- * \param sig The buffer holding the signature. This must be a readable
- * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
- * for an 2048-bit RSA modulus.
- *
- * \return \c 0 if the verify operation was successful.
- * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
- */
-int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- mbedtls_md_type_t mgf1_hash_id,
- int expected_salt_len,
- const unsigned char *sig);
-
-/**
- * \brief This function copies the components of an RSA context.
- *
- * \param dst The destination context. This must be initialized.
- * \param src The source context. This must be initialized.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
- */
-int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src);
-
-/**
- * \brief This function frees the components of an RSA key.
- *
- * \param ctx The RSA context to free. May be \c NULL, in which case
- * this function is a no-op. If it is not \c NULL, it must
- * point to an initialized RSA context.
- */
-void mbedtls_rsa_free(mbedtls_rsa_context *ctx);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The RSA checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_rsa_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* rsa.h */
diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h
deleted file mode 100644
index 18bde93..0000000
--- a/include/mbedtls/sha1.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * \file sha1.h
- *
- * \brief This file contains SHA-1 definitions and functions.
- *
- * The Secure Hash Algorithm 1 (SHA-1) cryptographic hash function is defined in
- * <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
- *
- * \warning SHA-1 is considered a weak message digest and its use constitutes
- * a security risk. We recommend considering stronger message
- * digests instead.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_SHA1_H
-#define MBEDTLS_SHA1_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-/** SHA-1 input data was malformed. */
-#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA -0x0073
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_SHA1_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The SHA-1 context structure.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- */
-typedef struct mbedtls_sha1_context {
- uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
- uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< The intermediate digest state. */
- unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
-}
-mbedtls_sha1_context;
-
-#else /* MBEDTLS_SHA1_ALT */
-#include "sha1_alt.h"
-#endif /* MBEDTLS_SHA1_ALT */
-
-/**
- * \brief This function initializes a SHA-1 context.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context to initialize.
- * This must not be \c NULL.
- *
- */
-void mbedtls_sha1_init(mbedtls_sha1_context *ctx);
-
-/**
- * \brief This function clears a SHA-1 context.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context to clear. This may be \c NULL,
- * in which case this function does nothing. If it is
- * not \c NULL, it must point to an initialized
- * SHA-1 context.
- *
- */
-void mbedtls_sha1_free(mbedtls_sha1_context *ctx);
-
-/**
- * \brief This function clones the state of a SHA-1 context.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param dst The SHA-1 context to clone to. This must be initialized.
- * \param src The SHA-1 context to clone from. This must be initialized.
- *
- */
-void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
- const mbedtls_sha1_context *src);
-
-/**
- * \brief This function starts a SHA-1 checksum calculation.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context to initialize. This must be initialized.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- *
- */
-int mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
-
-/**
- * \brief This function feeds an input buffer into an ongoing SHA-1
- * checksum calculation.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context. This must be initialized
- * and have a hash operation started.
- * \param input The buffer holding the input data.
- * This must be a readable buffer of length \p ilen Bytes.
- * \param ilen The length of the input data \p input in Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief This function finishes the SHA-1 operation, and writes
- * the result to the output buffer.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context to use. This must be initialized and
- * have a hash operation started.
- * \param output The SHA-1 checksum result. This must be a writable
- * buffer of length \c 20 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
- unsigned char output[20]);
-
-/**
- * \brief SHA-1 process data block (internal use only).
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param ctx The SHA-1 context to use. This must be initialized.
- * \param data The data block being processed. This must be a
- * readable buffer of length \c 64 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- *
- */
-int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
- const unsigned char data[64]);
-
-/**
- * \brief This function calculates the SHA-1 checksum of a buffer.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The SHA-1 result is calculated as
- * output = SHA-1(input buffer).
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \param input The buffer holding the input data.
- * This must be a readable buffer of length \p ilen Bytes.
- * \param ilen The length of the input data \p input in Bytes.
- * \param output The SHA-1 checksum result.
- * This must be a writable buffer of length \c 20 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- *
- */
-int mbedtls_sha1(const unsigned char *input,
- size_t ilen,
- unsigned char output[20]);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief The SHA-1 checkup routine.
- *
- * \warning SHA-1 is considered a weak message digest and its use
- * constitutes a security risk. We recommend considering
- * stronger message digests instead.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- *
- */
-int mbedtls_sha1_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_sha1.h */
diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h
deleted file mode 100644
index 45a5f90..0000000
--- a/include/mbedtls/sha256.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/**
- * \file sha256.h
- *
- * \brief This file contains SHA-224 and SHA-256 definitions and functions.
- *
- * The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic
- * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_SHA256_H
-#define MBEDTLS_SHA256_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-/** SHA-256 input data was malformed. */
-#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA -0x0074
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_SHA256_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The SHA-256 context structure.
- *
- * The structure is used both for SHA-256 and for SHA-224
- * checksum calculations. The choice between these two is
- * made in the call to mbedtls_sha256_starts().
- */
-typedef struct mbedtls_sha256_context {
- unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
- uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
- uint32_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
-#if defined(MBEDTLS_SHA224_C)
- int MBEDTLS_PRIVATE(is224); /*!< Determines which function to use:
- 0: Use SHA-256, or 1: Use SHA-224. */
-#endif
-}
-mbedtls_sha256_context;
-
-#else /* MBEDTLS_SHA256_ALT */
-#include "sha256_alt.h"
-#endif /* MBEDTLS_SHA256_ALT */
-
-/**
- * \brief This function initializes a SHA-256 context.
- *
- * \param ctx The SHA-256 context to initialize. This must not be \c NULL.
- */
-void mbedtls_sha256_init(mbedtls_sha256_context *ctx);
-
-/**
- * \brief This function clears a SHA-256 context.
- *
- * \param ctx The SHA-256 context to clear. This may be \c NULL, in which
- * case this function returns immediately. If it is not \c NULL,
- * it must point to an initialized SHA-256 context.
- */
-void mbedtls_sha256_free(mbedtls_sha256_context *ctx);
-
-/**
- * \brief This function clones the state of a SHA-256 context.
- *
- * \param dst The destination context. This must be initialized.
- * \param src The context to clone. This must be initialized.
- */
-void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
- const mbedtls_sha256_context *src);
-
-/**
- * \brief This function starts a SHA-224 or SHA-256 checksum
- * calculation.
- *
- * \param ctx The context to use. This must be initialized.
- * \param is224 This determines which function to use. This must be
- * either \c 0 for SHA-256, or \c 1 for SHA-224.
- *
- * \note is224 must be defined accordingly to the enabled
- * MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the
- * function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224);
-
-/**
- * \brief This function feeds an input buffer into an ongoing
- * SHA-256 checksum calculation.
- *
- * \param ctx The SHA-256 context. This must be initialized
- * and have a hash operation started.
- * \param input The buffer holding the data. This must be a readable
- * buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief This function finishes the SHA-256 operation, and writes
- * the result to the output buffer.
- *
- * \param ctx The SHA-256 context. This must be initialized
- * and have a hash operation started.
- * \param output The SHA-224 or SHA-256 checksum result.
- * This must be a writable buffer of length \c 32 bytes
- * for SHA-256, \c 28 bytes for SHA-224.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
- unsigned char *output);
-
-/**
- * \brief This function processes a single data block within
- * the ongoing SHA-256 computation. This function is for
- * internal use only.
- *
- * \param ctx The SHA-256 context. This must be initialized.
- * \param data The buffer holding one block of data. This must
- * be a readable buffer of length \c 64 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
- const unsigned char data[64]);
-
-/**
- * \brief This function calculates the SHA-224 or SHA-256
- * checksum of a buffer.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The SHA-256 result is calculated as
- * output = SHA-256(input buffer).
- *
- * \param input The buffer holding the data. This must be a readable
- * buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- * \param output The SHA-224 or SHA-256 checksum result.
- * This must be a writable buffer of length \c 32 bytes
- * for SHA-256, \c 28 bytes for SHA-224.
- * \param is224 Determines which function to use. This must be
- * either \c 0 for SHA-256, or \c 1 for SHA-224.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha256(const unsigned char *input,
- size_t ilen,
- unsigned char *output,
- int is224);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if defined(MBEDTLS_SHA224_C)
-/**
- * \brief The SHA-224 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_sha224_self_test(int verbose);
-#endif /* MBEDTLS_SHA224_C */
-
-#if defined(MBEDTLS_SHA256_C)
-/**
- * \brief The SHA-256 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_sha256_self_test(int verbose);
-#endif /* MBEDTLS_SHA256_C */
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_sha256.h */
diff --git a/include/mbedtls/sha3.h b/include/mbedtls/sha3.h
deleted file mode 100644
index 77748be..0000000
--- a/include/mbedtls/sha3.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/**
- * \file sha3.h
- *
- * \brief This file contains SHA-3 definitions and functions.
- *
- * The Secure Hash Algorithms cryptographic
- * hash functions are defined in <em>FIPS 202: SHA-3 Standard:
- * Permutation-Based Hash and Extendable-Output Functions </em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_SHA3_H
-#define MBEDTLS_SHA3_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** SHA-3 input data was malformed. */
-#define MBEDTLS_ERR_SHA3_BAD_INPUT_DATA -0x0076
-
-/**
- * SHA-3 family id.
- *
- * It identifies the family (SHA3-256, SHA3-512, etc.)
- */
-
-typedef enum {
- MBEDTLS_SHA3_NONE = 0, /*!< Operation not defined. */
- MBEDTLS_SHA3_224, /*!< SHA3-224 */
- MBEDTLS_SHA3_256, /*!< SHA3-256 */
- MBEDTLS_SHA3_384, /*!< SHA3-384 */
- MBEDTLS_SHA3_512, /*!< SHA3-512 */
-} mbedtls_sha3_id;
-
-/**
- * \brief The SHA-3 context structure.
- *
- * The structure is used SHA-3 checksum calculations.
- */
-typedef struct {
- uint64_t MBEDTLS_PRIVATE(state[25]);
- uint32_t MBEDTLS_PRIVATE(index);
- uint16_t MBEDTLS_PRIVATE(olen);
- uint16_t MBEDTLS_PRIVATE(max_block_size);
-}
-mbedtls_sha3_context;
-
-/**
- * \brief This function initializes a SHA-3 context.
- *
- * \param ctx The SHA-3 context to initialize. This must not be \c NULL.
- */
-void mbedtls_sha3_init(mbedtls_sha3_context *ctx);
-
-/**
- * \brief This function clears a SHA-3 context.
- *
- * \param ctx The SHA-3 context to clear. This may be \c NULL, in which
- * case this function returns immediately. If it is not \c NULL,
- * it must point to an initialized SHA-3 context.
- */
-void mbedtls_sha3_free(mbedtls_sha3_context *ctx);
-
-/**
- * \brief This function clones the state of a SHA-3 context.
- *
- * \param dst The destination context. This must be initialized.
- * \param src The context to clone. This must be initialized.
- */
-void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
- const mbedtls_sha3_context *src);
-
-/**
- * \brief This function starts a SHA-3 checksum
- * calculation.
- *
- * \param ctx The context to use. This must be initialized.
- * \param id The id of the SHA-3 family.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id);
-
-/**
- * \brief This function feeds an input buffer into an ongoing
- * SHA-3 checksum calculation.
- *
- * \param ctx The SHA-3 context. This must be initialized
- * and have a hash operation started.
- * \param input The buffer holding the data. This must be a readable
- * buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
- const uint8_t *input,
- size_t ilen);
-
-/**
- * \brief This function finishes the SHA-3 operation, and writes
- * the result to the output buffer.
- *
- * \param ctx The SHA-3 context. This must be initialized
- * and have a hash operation started.
- * \param output The SHA-3 checksum result.
- * This must be a writable buffer of length \c olen bytes.
- * \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
- * SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
- * respectively.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
- uint8_t *output, size_t olen);
-
-/**
- * \brief This function calculates the SHA-3
- * checksum of a buffer.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The SHA-3 result is calculated as
- * output = SHA-3(id, input buffer, d).
- *
- * \param id The id of the SHA-3 family.
- * \param input The buffer holding the data. This must be a readable
- * buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- * \param output The SHA-3 checksum result.
- * This must be a writable buffer of length \c olen bytes.
- * \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
- * SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
- * respectively.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
- size_t ilen,
- uint8_t *output,
- size_t olen);
-
-#if defined(MBEDTLS_SELF_TEST)
-/**
- * \brief Checkup routine for the algorithms implemented
- * by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512.
- *
- * \return 0 if successful, or 1 if the test failed.
- */
-int mbedtls_sha3_self_test(int verbose);
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_sha3.h */
diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h
deleted file mode 100644
index ea54678..0000000
--- a/include/mbedtls/sha512.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/**
- * \file sha512.h
- * \brief This file contains SHA-384 and SHA-512 definitions and functions.
- *
- * The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic
- * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_SHA512_H
-#define MBEDTLS_SHA512_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-/** SHA-512 input data was malformed. */
-#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA -0x0075
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_SHA512_ALT)
-// Regular implementation
-//
-
-/**
- * \brief The SHA-512 context structure.
- *
- * The structure is used both for SHA-384 and for SHA-512
- * checksum calculations. The choice between these two is
- * made in the call to mbedtls_sha512_starts().
- */
-typedef struct mbedtls_sha512_context {
- uint64_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
- uint64_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
- unsigned char MBEDTLS_PRIVATE(buffer)[128]; /*!< The data block being processed. */
-#if defined(MBEDTLS_SHA384_C)
- int MBEDTLS_PRIVATE(is384); /*!< Determines which function to use:
- 0: Use SHA-512, or 1: Use SHA-384. */
-#endif
-}
-mbedtls_sha512_context;
-
-#else /* MBEDTLS_SHA512_ALT */
-#include "sha512_alt.h"
-#endif /* MBEDTLS_SHA512_ALT */
-
-/**
- * \brief This function initializes a SHA-512 context.
- *
- * \param ctx The SHA-512 context to initialize. This must
- * not be \c NULL.
- */
-void mbedtls_sha512_init(mbedtls_sha512_context *ctx);
-
-/**
- * \brief This function clears a SHA-512 context.
- *
- * \param ctx The SHA-512 context to clear. This may be \c NULL,
- * in which case this function does nothing. If it
- * is not \c NULL, it must point to an initialized
- * SHA-512 context.
- */
-void mbedtls_sha512_free(mbedtls_sha512_context *ctx);
-
-/**
- * \brief This function clones the state of a SHA-512 context.
- *
- * \param dst The destination context. This must be initialized.
- * \param src The context to clone. This must be initialized.
- */
-void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
- const mbedtls_sha512_context *src);
-
-/**
- * \brief This function starts a SHA-384 or SHA-512 checksum
- * calculation.
- *
- * \param ctx The SHA-512 context to use. This must be initialized.
- * \param is384 Determines which function to use. This must be
- * either \c 0 for SHA-512, or \c 1 for SHA-384.
- *
- * \note is384 must be defined accordingly to the enabled
- * MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the
- * function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384);
-
-/**
- * \brief This function feeds an input buffer into an ongoing
- * SHA-512 checksum calculation.
- *
- * \param ctx The SHA-512 context. This must be initialized
- * and have a hash operation started.
- * \param input The buffer holding the input data. This must
- * be a readable buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
- const unsigned char *input,
- size_t ilen);
-
-/**
- * \brief This function finishes the SHA-512 operation, and writes
- * the result to the output buffer.
- *
- * \param ctx The SHA-512 context. This must be initialized
- * and have a hash operation started.
- * \param output The SHA-384 or SHA-512 checksum result.
- * This must be a writable buffer of length \c 64 bytes
- * for SHA-512, \c 48 bytes for SHA-384.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
- unsigned char *output);
-
-/**
- * \brief This function processes a single data block within
- * the ongoing SHA-512 computation.
- * This function is for internal use only.
- *
- * \param ctx The SHA-512 context. This must be initialized.
- * \param data The buffer holding one block of data. This
- * must be a readable buffer of length \c 128 Bytes.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
- const unsigned char data[128]);
-
-/**
- * \brief This function calculates the SHA-512 or SHA-384
- * checksum of a buffer.
- *
- * The function allocates the context, performs the
- * calculation, and frees the context.
- *
- * The SHA-512 result is calculated as
- * output = SHA-512(input buffer).
- *
- * \param input The buffer holding the input data. This must be
- * a readable buffer of length \p ilen Bytes.
- * \param ilen The length of the input data in Bytes.
- * \param output The SHA-384 or SHA-512 checksum result.
- * This must be a writable buffer of length \c 64 bytes
- * for SHA-512, \c 48 bytes for SHA-384.
- * \param is384 Determines which function to use. This must be either
- * \c 0 for SHA-512, or \c 1 for SHA-384.
- *
- * \note is384 must be defined accordingly with the supported
- * symbols in the config file. If:
- * - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or
- * - is384 is 1, but \c MBEDTLS_SHA512_C is not defined
- * then the function will return
- * #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
- *
- * \return \c 0 on success.
- * \return A negative error code on failure.
- */
-int mbedtls_sha512(const unsigned char *input,
- size_t ilen,
- unsigned char *output,
- int is384);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if defined(MBEDTLS_SHA384_C)
-/**
- * \brief The SHA-384 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_sha384_self_test(int verbose);
-#endif /* MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_SHA512_C)
-/**
- * \brief The SHA-512 checkup routine.
- *
- * \return \c 0 on success.
- * \return \c 1 on failure.
- */
-int mbedtls_sha512_self_test(int verbose);
-#endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_sha512.h */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index debb1cc..3781b51 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_H
#define MBEDTLS_SSL_H
@@ -102,8 +90,18 @@
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
/** Not possible to read early data */
#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
+/**
+ * Early data has been received as part of an on-going handshake.
+ * This error code can be returned only on server side if and only if early
+ * data has been enabled by means of the mbedtls_ssl_conf_early_data() API.
+ * This error code can then be returned by mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if
+ * early data has been received as part of the handshake sequence they
+ * triggered. To read the early data, call mbedtls_ssl_read_early_data().
+ */
+#define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00
/** Not possible to write early data */
-#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00
+#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C80
/* Error space gap */
/* Error space gap */
/* Error space gap */
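Review bot: The value `-0x7C00` is taken away from `MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA` and given to the new `MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA`, so a caller that logged, stored or compared the number, or was built against the previous header, now reads a write-side failure as "early data received". Unless something outside this hunk requires the ordering, I would leave the existing code where it was and give the new one the slot that appears unused before this change: `#define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C80`. The new comment should also say that data obtained through mbedtls_ssl_read_early_data() is 0-RTT data with no replay protection from the protocol (RFC 8446, Section 8), so the application should only act on it when the request is idempotent.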
@@ -355,6 +353,26 @@
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000
+/*
+ * Whether early data record should be discarded or not and how.
+ *
+ * The client has indicated early data and the server has rejected them.
+ * The server has then to skip past early data by either:
+ * - attempting to deprotect received records using the handshake traffic
+ * key, discarding records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake.
+ * - skipping all records with an external content type of
+ * "application_data" (indicating that they are encrypted), up to the
+ * configured max_early_data_size. This is the expected behavior if the
+ * server has sent an HelloRetryRequest message. The server ignores
+ * application data message before 2nd ClientHello.
+ */
+#define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0
+#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1
+#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2
+
/**
* \name SECTION: Module settings
*
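Review bot: The three `MBEDTLS_SSL_EARLY_DATA_*DISCARD` values have no comment of their own, and the block comment above them lists two behaviours without saying which macro selects which or what `MBEDTLS_SSL_EARLY_DATA_NO_DISCARD` means. I would add trailing comments, for example `#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1 /* early data rejected: drop records that fail deprotection */` and `#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2 /* HelloRetryRequest sent: skip application_data records */`. The comment should also state what the server does once max_early_data_size is exceeded while discarding. That bound is what limits how much undecryptable data a peer can make the server consume, and its enforcement is not visible in this hunk.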
@@ -459,7 +477,7 @@
/*
* TLS 1.3 signature algorithms
- * RFC 8446, Section 4.2.2
+ * RFC 8446, Section 4.2.3
*/
/* RSASSA-PKCS1-v1_5 algorithms */
@@ -625,8 +643,8 @@
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_AES_C) && defined(MBEDTLS_GCM_C) && \
- defined(MBEDTLS_MD_CAN_SHA384)
+ defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) && \
+ defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_PSK_MAX_LEN 48 /* 384 bits */
#else
#define MBEDTLS_PSK_MAX_LEN 32 /* 256 bits */
@@ -699,7 +717,6 @@ typedef enum {
MBEDTLS_SSL_SERVER_FINISHED,
MBEDTLS_SSL_FLUSH_BUFFERS,
MBEDTLS_SSL_HANDSHAKE_WRAPUP,
-
MBEDTLS_SSL_NEW_SESSION_TICKET,
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
MBEDTLS_SSL_HELLO_RETRY_REQUEST,
@@ -717,6 +734,21 @@ typedef enum {
}
mbedtls_ssl_states;
+/*
+ * Early data status, client side only.
+ */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+typedef enum {
+/*
+ * See documentation of mbedtls_ssl_get_early_data_status().
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED,
+ MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED,
+} mbedtls_ssl_early_data_status;
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
/**
* \brief Callback type: send data on the network.
*
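Review bot: The enumerators of `mbedtls_ssl_early_data_status` are undocumented, and the only comment, placed inside the enum body at column 0, defers to mbedtls_ssl_get_early_data_status(), which is not in this hunk. A short Doxygen comment per value would let a reader of the header see the contract, for example `MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, /*!< the server did not accept the early data */`. The `REJECTED` comment is also the natural place to say whether the application has to resend that data after the handshake, which I cannot confirm from the visible lines. The introductory `/* Early data status, client side only. */` would read better directly above the `typedef`, inside the `#if`.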
@@ -1124,7 +1156,7 @@ typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_MD_CAN_SHA256)
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 32
-#elif defined(MBEDTLS_MD_CAN_SHA384)
+#elif defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 48
#elif defined(MBEDTLS_MD_CAN_SHA1)
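Review bot: This `#if`/`#elif` chain now tests `MBEDTLS_MD_CAN_SHA256`, `PSA_WANT_ALG_SHA_384` and `MBEDTLS_MD_CAN_SHA1`, mixing two configuration namespaces in one selection. If any build has SHA-384 available without `PSA_WANT_ALG_SHA_384` defined (I cannot tell from this hunk), the peer-certificate digest default silently falls through to the SHA-1 branch. Either convert the whole chain in one step or keep it on the `MBEDTLS_MD_CAN_*` macros until all three can move. The `MBEDTLS_PSK_MAX_LEN` guard earlier in this file was switched as a unit, which is the pattern to follow. The chain continues past the end of the hunk.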
@@ -1201,7 +1233,13 @@ struct mbedtls_ssl_session {
unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+/*!< RecordSizeLimit received from the peer */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ uint16_t MBEDTLS_PRIVATE(record_size_limit);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
unsigned char MBEDTLS_PRIVATE(exported);
+ uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */
/** TLS version negotiated in the session. Used if and when renegotiating
* or resuming a session instead of the configured minor TLS version.
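Review bot: The comment `/*!< RecordSizeLimit received from the peer */` sits on its own line before the `#if`, but `/*!<` is Doxygen's trailing form and documents the preceding member, so it will not attach to `record_size_limit`. Move it onto the field: `uint16_t MBEDTLS_PRIVATE(record_size_limit); /*!< RecordSizeLimit received from the peer */`. Because the value is peer-supplied, the comment could also say whether it is stored only after being checked against the bounds in RFC 8449; the parsing code is outside this hunk. The struct body starts and ends outside the hunk.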
@@ -1209,7 +1247,7 @@ struct mbedtls_ssl_session {
mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);
#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */
+ mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< start time of current session */
#endif
int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */
size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */
@@ -1235,23 +1273,52 @@ struct mbedtls_ssl_session {
uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_HAVE_TIME)
+ /*! When a ticket is created by a TLS server as part of an established TLS
+ * session, the ticket creation time may need to be saved for the ticket
+ * module to be able to check the ticket age when the ticket is used.
+ * That's the purpose of this field.
+ * Before creating a new ticket, an Mbed TLS server set this field with
+ * its current time in milliseconds. This time may then be saved in the
+ * session ticket data by the session ticket writing function and
+ * recovered by the ticket parsing function later when the ticket is used.
+ * The ticket module may then use this time to compute the ticket age and
+ * determine if it has expired or not.
+ * The Mbed TLS implementations of the session ticket writing and parsing
+ * functions save and retrieve the ticket creation time as part of the
+ * session ticket data. The session ticket parsing function relies on
+ * the mbedtls_ssl_session_get_ticket_creation_time() API to get the
+ * ticket creation time from the session ticket data.
+ */
+ mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_creation_time);
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
- uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */
- uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */
- uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */
- uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */
+ uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */
+ uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */
+ uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */
unsigned char MBEDTLS_PRIVATE(resumption_key)[MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN];
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C)
- mbedtls_time_t MBEDTLS_PRIVATE(ticket_received); /*!< time ticket was received */
-#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
+ char *ticket_alpn; /*!< ALPN negotiated in the session
+ during which the ticket was generated. */
+#endif
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C)
+ /*! Time in milliseconds when the last ticket was received. */
+ mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_reception_time);
+#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ uint32_t MBEDTLS_PRIVATE(max_early_data_size); /*!< maximum amount of early data in tickets */
+#endif
+
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */
#endif
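Review bot: `char *ticket_alpn;` is the only member added here that is not wrapped in `MBEDTLS_PRIVATE()`, so it becomes reachable by its plain name while the sibling fields (`hostname`, `ticket_reception_time`, `max_early_data_size`) stay private. Unless that is intended, declare it as `char *MBEDTLS_PRIVATE(ticket_alpn);`. Its comment should also say who owns the string and when it is freed, since the visible lines do not show that and the struct can be copied and serialized. The struct continues outside the hunk.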
@@ -1626,23 +1693,31 @@ struct mbedtls_ssl_context {
#endif /* MBEDTLS_SSL_RENEGOTIATION */
/**
- * Maximum TLS version to be negotiated, then negotiated TLS version.
+ * Maximum TLS version to be negotiated, then negotiated TLS version.
*
- * It is initialized as the configured maximum TLS version to be
- * negotiated by mbedtls_ssl_setup().
+ * It is initialized as the configured maximum TLS version to be
+ * negotiated by mbedtls_ssl_setup().
*
- * When renegotiating or resuming a session, it is overwritten in the
- * ClientHello writing preparation stage with the previously negotiated
- * TLS version.
+ * When renegotiating or resuming a session, it is overwritten in the
+ * ClientHello writing preparation stage with the previously negotiated
+ * TLS version.
*
- * On client side, it is updated to the TLS version selected by the server
- * for the handshake when the ServerHello is received.
+ * On client side, it is updated to the TLS version selected by the server
+ * for the handshake when the ServerHello is received.
*
- * On server side, it is updated to the TLS version the server selects for
- * the handshake when the ClientHello is received.
+ * On server side, it is updated to the TLS version the server selects for
+ * the handshake when the ClientHello is received.
*/
mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+ /**
+ * State of the negotiation and transfer of early data. Reset to
+ * MBEDTLS_SSL_EARLY_DATA_STATE_IDLE when the context is reset.
+ */
+ int MBEDTLS_PRIVATE(early_data_state);
+#endif
+
unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1759,6 +1834,19 @@ struct mbedtls_ssl_context {
* within a single datagram. */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * One of:
+ * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD
+ * MBEDTLS_SSL_EARLY_DATA_DISCARD
+ */
+ uint8_t MBEDTLS_PRIVATE(discard_early_data_record);
+#endif
+ uint32_t MBEDTLS_PRIVATE(total_early_data_size); /*!< Number of received/written early data bytes */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/*
* Record layer (outgoing data)
*/
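Review bot: `total_early_data_size` is documented only as a byte count, with nothing here tying it to the limit it presumably exists to enforce. Because it is a `uint32_t` that grows with peer-controlled input on the server, the comment should state the intended invariant, for example `/*!< Early data bytes received/written so far; kept at or below the max_early_data_size in effect */` if that is the design. The code that increments it is not in this hunk; it should compare the incoming length against the remaining budget before adding, so the counter cannot wrap. The `discard_early_data_record` comment is a plain `/* */` block, so it will not appear in generated documentation like the `/*!<` comments around it.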
@@ -1840,10 +1928,6 @@ struct mbedtls_ssl_context {
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
- int MBEDTLS_PRIVATE(early_data_status);
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
@@ -1992,7 +2076,7 @@ void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport);
*/
void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
/**
* \brief Set the early data mode
* Default: disabled on server and client
@@ -2000,20 +2084,27 @@ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
* \param conf The SSL configuration to use.
* \param early_data_enabled can be:
*
- * MBEDTLS_SSL_EARLY_DATA_DISABLED: early data functionality is disabled
- * This is the default on client and server.
- *
- * MBEDTLS_SSL_EARLY_DATA_ENABLED: early data functionality is enabled and
- * may be negotiated in the handshake. Application using
- * early data functionality needs to be aware of the
- * lack of replay protection of the early data application
- * payloads.
- *
- * \warning This interface is experimental and may change without notice.
- *
- */
-void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf,
- int early_data_enabled);
+ * MBEDTLS_SSL_EARLY_DATA_DISABLED:
+ * Early data functionality is disabled. This is the default on client and
+ * server.
+ *
+ * MBEDTLS_SSL_EARLY_DATA_ENABLED:
+ * Early data functionality is enabled and may be negotiated in the handshake.
+ * Application using early data functionality needs to be aware that the
+ * security properties for early data (also refered to as 0-RTT data) are
+ * weaker than those for other kinds of TLS data. See the documentation of
+ * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more
+ * information.
+ * When early data functionality is enabled on server and only in that case,
+ * the call to one of the APIs that trigger or resume an handshake sequence,
+ * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code
+ * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have
+ * been received. To read the early data, call mbedtls_ssl_read_early_data()
+ * before calling the original function again.
+ */
+void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
+ int early_data_enabled);
#if defined(MBEDTLS_SSL_SRV_C)
/**
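Review bot: The rewritten text for MBEDTLS_SSL_EARLY_DATA_ENABLED no longer mentions replay: the removed wording named "the lack of replay protection" at the point where the feature is switched on, and the new wording only says the properties are "weaker" and points to other functions. Keeping one explicit clause, e.g. `* weaker than those for other kinds of TLS data: early data is not forward secret and may be replayed.`, preserves the warning where it is most likely to be read. Two typos in the added lines: `refered` should be `referred`, and `an handshake` should be `a handshake`.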
@@ -2036,14 +2127,15 @@ void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf,
* \param[in] conf The SSL configuration to use.
* \param[in] max_early_data_size The maximum amount of 0-RTT data.
*
- * \warning This interface is experimental and may change without notice.
- *
+ * \warning This interface DOES NOT influence/limit the amount of early data
+ * that can be received through previously created and issued tickets,
+ * which clients may have stored.
*/
-void mbedtls_ssl_tls13_conf_max_early_data_size(
+void mbedtls_ssl_conf_max_early_data_size(
mbedtls_ssl_config *conf, uint32_t max_early_data_size);
#endif /* MBEDTLS_SSL_SRV_C */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
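Review bot: The new warning says the setting does not bound early data arriving through tickets issued earlier, but it does not say what does bound it. The `max_early_data_size` member added to `mbedtls_ssl_session` in this commit suggests the limit is recorded per ticket; if so, say it here, e.g. `* Each ticket keeps the limit that was configured when it was issued.`, so an operator lowering the value knows old tickets keep the old limit for as long as they remain valid. The doc block of this declaration starts outside the hunk.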
@@ -2272,7 +2364,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
*/
int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
int *enabled,
- unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
+ unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
size_t *own_cid_len);
/**
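Review bot: The array bound in the `own_cid` parameter changes from `MBEDTLS_SSL_CID_OUT_LEN_MAX` to `MBEDTLS_SSL_CID_IN_LEN_MAX`, but in a C prototype that bound is documentation only, so nothing flags callers whose buffer was sized from the old prototype. If a configuration sets the IN maximum larger than the OUT maximum, such a buffer is too small for what the function may write. The parameter description (outside this hunk) should state the required size explicitly, e.g. `\p own_cid must be a writable buffer of at least MBEDTLS_SSL_CID_IN_LEN_MAX bytes`, and the change merits a ChangeLog note.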
@@ -2567,9 +2659,74 @@ void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
mbedtls_ssl_ticket_write_t *f_ticket_write,
mbedtls_ssl_ticket_parse_t *f_ticket_parse,
void *p_ticket);
+
+#if defined(MBEDTLS_HAVE_TIME)
+/**
+ * \brief Get the creation time of a session ticket.
+ *
+ * \note See the documentation of \c ticket_creation_time for information about
+ * the intended usage of this function.
+ *
+ * \param session SSL session
+ * \param ticket_creation_time On exit, holds the ticket creation time in
+ * milliseconds.
+ *
+ * \return 0 on success,
+ * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid.
+ */
+static inline int mbedtls_ssl_session_get_ticket_creation_time(
+ mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time)
+{
+ if (session == NULL || ticket_creation_time == NULL ||
+ session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time);
+
+ return 0;
+}
+#endif /* MBEDTLS_HAVE_TIME */
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
/**
+ * \brief Get the session-id buffer.
+ *
+ * \param session SSL session.
+ *
+ * \return The address of the session-id buffer.
+ */
+static inline unsigned const char (*mbedtls_ssl_session_get_id(const mbedtls_ssl_session *
+ session))[32]
+{
+ return &session->MBEDTLS_PRIVATE(id);
+}
+
+/**
+ * \brief Get the size of the session-id.
+ *
+ * \param session SSL session.
+ *
+ * \return size_t size of session-id buffer.
+ */
+static inline size_t mbedtls_ssl_session_get_id_len(const mbedtls_ssl_session *session)
+{
+ return session->MBEDTLS_PRIVATE(id_len);
+}
+
+/**
+ * \brief Get the ciphersuite-id.
+ *
+ * \param session SSL session.
+ *
+ * \return int represetation for ciphersuite.
+ */
+static inline int mbedtls_ssl_session_get_ciphersuite_id(const mbedtls_ssl_session *session)
+{
+ return session->MBEDTLS_PRIVATE(ciphersuite);
+}
+
+/**
* \brief Configure a key export callback.
* (Default: none.)
*
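Review bot: The three new session getters dereference `session` without a NULL check, while mbedtls_ssl_session_get_ticket_creation_time() just above rejects NULL with MBEDTLS_ERR_SSL_BAD_INPUT_DATA; their `\param` lines should at least read `session SSL session, must not be NULL`. mbedtls_ssl_session_get_id() also hard-codes `[32]` in its return type, which has to match the size of the `id` member declared outside this hunk, and its documentation should say that only the first mbedtls_ssl_session_get_id_len() bytes are meaningful so callers do not compare or log the whole buffer. `unsigned const char` is more conventionally written `const unsigned char`, and `represetation` is a typo for `representation`.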
@@ -3059,16 +3216,16 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
* a full handshake.
*
* \note This function can handle a variety of mechanisms for session
- * resumption: For TLS 1.2, both session ID-based resumption and
- * ticket-based resumption will be considered. For TLS 1.3,
- * once implemented, sessions equate to tickets, and loading
- * one or more sessions via this call will lead to their
- * corresponding tickets being advertised as resumption PSKs
- * by the client.
- *
- * \note Calling this function multiple times will only be useful
- * once TLS 1.3 is supported. For TLS 1.2 connections, this
- * function should be called at most once.
+ * resumption: For TLS 1.2, both session ID-based resumption
+ * and ticket-based resumption will be considered. For TLS 1.3,
+ * sessions equate to tickets, and loading one session by
+ * calling this function will lead to its corresponding ticket
+ * being advertised as resumption PSK by the client. This
+ * depends on session tickets being enabled (see
+ * #MBEDTLS_SSL_SESSION_TICKETS configuration option) though.
+ * If session tickets are disabled, a call to this function
+ * with a TLS 1.3 session, will not have any effect on the next
+ * handshake for the SSL context \p ssl.
*
* \param ssl The SSL context representing the connection which should
* be attempted to be setup using session resumption. This
@@ -3083,9 +3240,10 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
*
* \return \c 0 if successful.
* \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session
- * could not be loaded because of an implementation limitation.
- * This error is non-fatal, and has no observable effect on
- * the SSL context or the session that was attempted to be loaded.
+ * could not be loaded because one session has already been
+ * loaded. This error is non-fatal, and has no observable
+ * effect on the SSL context or the session that was attempted
+ * to be loaded.
* \return Another negative error code on other kinds of failure.
*
* \sa mbedtls_ssl_get_session()
@@ -3152,8 +3310,16 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
* to determine the necessary size by calling this function
* with \p buf set to \c NULL and \p buf_len to \c 0.
*
+ * \note For TLS 1.3 sessions, this feature is supported only if the
+ * MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled,
+ * as in TLS 1.3 session resumption is possible only with
+ * tickets.
+ *
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
+ * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the
+ * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled
+ * and the session is a TLS 1.3 session.
*/
int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
unsigned char *buf,
@@ -3751,6 +3917,8 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
* used for certificate signature are controlled by the
* verification profile, see \c mbedtls_ssl_conf_cert_profile().
*
+ * \deprecated Superseded by mbedtls_ssl_conf_sig_algs().
+ *
* \note This list should be ordered by decreasing preference
* (preferred hash first).
*
@@ -3775,13 +3943,16 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
/**
- * \brief Configure allowed signature algorithms for use in TLS 1.3
+ * \brief Configure allowed signature algorithms for use in TLS
*
* \param conf The SSL configuration to use.
* \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
- * terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain
- * available throughout the lifetime of the conf object. Supported
- * values are available as \c MBEDTLS_TLS1_3_SIG_XXXX
+ * terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain
+ * available throughout the lifetime of the conf object.
+ * - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be
+ * used.
+ * - For TLS 1.2, values should be given as
+ * "(HashAlgorithm << 8) | SignatureAlgorithm".
*/
void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
const uint16_t *sig_algs);
@@ -4669,29 +4840,22 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl
* \param ssl The SSL context representing the connection for which to
* to export a session structure for later resumption.
* \param session The target structure in which to store the exported session.
- * This must have been initialized with mbedtls_ssl_init_session()
+ * This must have been initialized with mbedtls_ssl_session_init()
* but otherwise be unused.
*
* \note This function can handle a variety of mechanisms for session
* resumption: For TLS 1.2, both session ID-based resumption and
* ticket-based resumption will be considered. For TLS 1.3,
- * once implemented, sessions equate to tickets, and calling
- * this function multiple times will export the available
- * tickets one a time until no further tickets are available,
- * in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will
- * be returned.
- *
- * \note Calling this function multiple times will only be useful
- * once TLS 1.3 is supported. For TLS 1.2 connections, this
- * function should be called at most once.
+ * sessions equate to tickets, and if session tickets are
+ * enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration
+ * option), this function exports the last received ticket and
+ * the exported session may be used to resume the TLS 1.3
+ * session. If session tickets are disabled, exported sessions
+ * cannot be used to resume a TLS 1.3 session.
*
* \return \c 0 if successful. In this case, \p session can be used for
* session resumption by passing it to mbedtls_ssl_set_session(),
* and serialized for storage via mbedtls_ssl_session_save().
- * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session
- * is available for export.
- * This error is a non-fatal, and has no observable effect on
- * the SSL context or the destination session.
* \return Another negative error code on other kinds of failure.
*
* \sa mbedtls_ssl_set_session()
@@ -4723,6 +4887,13 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
* \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
* and the client did not demonstrate reachability yet - in
* this case you must stop using the context (see below).
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4731,7 +4902,8 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
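Review bot: The updated list now reads `#MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA`, with two `or`s, because the unchanged line before the edited one still ends in `or`. The other warning lists changed in this commit use commas with a single final `or`; the same form here would be `#MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,` followed by `#MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or`. The doc block continues outside the hunk.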
@@ -4800,8 +4972,9 @@ static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl)
*
* \warning If this function returns something other than \c 0,
* #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using
* the SSL context for reading or writing, and either free it
* or call \c mbedtls_ssl_session_reset() on it before
* re-using it for a new connection; the current connection
@@ -4869,6 +5042,13 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl);
* \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
* side of a DTLS connection and the client is initiating a
* new connection using the same source port. See below.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4877,8 +5057,9 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl);
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -4943,6 +5124,13 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
* operation is in progress (see mbedtls_ecp_set_max_ops()) -
* in this case you must call this function again to complete
* the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
+ * defined in RFC 8446 (TLS 1.3 specification), has been
+ * received as part of the handshake. This is server specific
+ * and may occur only if the early data feature has been
+ * enabled on server (see mbedtls_ssl_conf_early_data()
+ * documentation). You must call mbedtls_ssl_read_early_data()
+ * to read the early data before resuming the handshake.
* \return Another SSL error code - in this case you must stop using
* the context (see below).
*
@@ -4950,8 +5138,9 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
* a non-negative value,
* #MBEDTLS_ERR_SSL_WANT_READ,
* #MBEDTLS_ERR_SSL_WANT_WRITE,
- * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
* on it before re-using it for a new connection; the current
@@ -5015,48 +5204,51 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_SSL_SRV_C)
/**
- * \brief Read at most 'len' application data bytes while performing
- * the handshake (early data).
- *
- * \note This function behaves mainly as mbedtls_ssl_read(). The
- * specification of mbedtls_ssl_read() relevant to TLS 1.3
- * (thus not the parts specific to (D)TLS 1.2) applies to this
- * function and the present documentation is restricted to the
- * differences with mbedtls_ssl_read().
- *
- * \param ssl SSL context
+ * \brief Read at most 'len' bytes of early data
+ *
+ * \note This API is server specific.
+ *
+ * \warning Early data is defined in the TLS 1.3 specification, RFC 8446.
+ * IMPORTANT NOTE from section 2.3 of the specification:
+ *
+ * The security properties for 0-RTT data are weaker than
+ * those for other kinds of TLS data. Specifically:
+ * - This data is not forward secret, as it is encrypted
+ * solely under keys derived using the offered PSK.
+ * - There are no guarantees of non-replay between connections.
+ * Protection against replay for ordinary TLS 1.3 1-RTT data
+ * is provided via the server's Random value, but 0-RTT data
+ * does not depend on the ServerHello and therefore has
+ * weaker guarantees. This is especially relevant if the
+ * data is authenticated either with TLS client
+ * authentication or inside the application protocol. The
+ * same warnings apply to any use of the
+ * early_exporter_master_secret.
+ *
+ * \warning Mbed TLS does not implement any of the anti-replay defenses
+ * defined in section 8 of the TLS 1.3 specification:
+ * single-use of tickets or ClientHello recording within a
+ * given time window.
+ *
+ * \note This function is used in conjunction with
+ * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
+ * mbedtls_ssl_read() and mbedtls_ssl_write() to read early
+ * data when these functions return
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
+ *
+ * \param ssl SSL context, it must have been initialized and set up.
* \param buf buffer that will hold the data
* \param len maximum number of bytes to read
*
- * \return One additional specific return value:
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA.
- *
- * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it
- * is not possible to read early data for the SSL context
- * \p ssl.
- *
- * It may have been possible and it is not possible
- * anymore because the server received the End of Early Data
- * message or the maximum number of allowed early data for the
- * PSK in use has been reached.
- *
- * It may never have been possible and will never be possible
- * for the SSL context \p ssl because the use of early data
- * is disabled for that context or more generally the context
- * is not suitably configured to enable early data or the
- * client does not use early data or the first call to the
- * function was done while the handshake was already too
- * advanced to gather and accept early data.
- *
- * It is not possible to read early data for the SSL context
- * \p ssl but this does not preclude for using it with
- * mbedtls_ssl_write(), mbedtls_ssl_read() or
- * mbedtls_ssl_handshake().
- *
- * \note When a server wants to retrieve early data, it is expected
- * that this function starts the handshake for the SSL context
- * \p ssl. But this is not mandatory.
- *
+ * \return The (positive) number of bytes read if successful.
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not
+ * possible to read early data for the SSL context \p ssl. Note
+ * that this function is intended to be called for an SSL
+ * context \p ssl only after a call to mbedtls_ssl_handshake(),
+ * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or
+ * mbedtls_ssl_write() for \p ssl that has returned
+ * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA.
*/
int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
unsigned char *buf, size_t len);
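Review bot: The new warnings state that the library implements none of the anti-replay defenses, but stop short of telling the caller what follows from that. Add a sentence to the second `\warning`, e.g. `The application must therefore only act on early data whose processing is safe to repeat.`, so the consequence is spelled out at the API that hands the data over. The `\return` line says "The (positive) number of bytes read", which leaves a zero-length result undocumented; say whether 0 can be returned and what it means.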
@@ -5067,17 +5259,43 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
* \brief Try to write exactly 'len' application data bytes while
* performing the handshake (early data).
*
+ * \warning Early data is defined in the TLS 1.3 specification, RFC 8446.
+ * IMPORTANT NOTE from section 2.3 of the specification:
+ *
+ * The security properties for 0-RTT data are weaker than
+ * those for other kinds of TLS data. Specifically:
+ * - This data is not forward secret, as it is encrypted
+ * solely under keys derived using the offered PSK.
+ * - There are no guarantees of non-replay between connections.
+ * Protection against replay for ordinary TLS 1.3 1-RTT data
+ * is provided via the server's Random value, but 0-RTT data
+ * does not depend on the ServerHello and therefore has
+ * weaker guarantees. This is especially relevant if the
+ * data is authenticated either with TLS client
+ * authentication or inside the application protocol. The
+ * same warnings apply to any use of the
+ * early_exporter_master_secret.
+ *
* \note This function behaves mainly as mbedtls_ssl_write(). The
* specification of mbedtls_ssl_write() relevant to TLS 1.3
* (thus not the parts specific to (D)TLS1.2) applies to this
- * function and the present documentation is restricted to the
- * differences with mbedtls_ssl_write().
+ * function and the present documentation is mainly restricted
+ * to the differences with mbedtls_ssl_write(). One noticeable
+ * difference though is that mbedtls_ssl_write() aims to
+ * complete the handshake before to write application data
+ * while mbedtls_ssl_write_early() aims to drive the handshake
+ * just past the point where it is not possible to send early
+ * data anymore.
*
* \param ssl SSL context
* \param buf buffer holding the data
* \param len how many bytes must be written
*
- * \return One additional specific return value:
+ * \return The (non-negative) number of bytes actually written if
+ * successful (may be less than \p len).
+ *
+ * \return One additional specific error code compared to
+ * mbedtls_ssl_write():
* #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA.
*
* #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it
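Review bot: The added note refers to `mbedtls_ssl_write_early()`, but the function documented here is mbedtls_ssl_write_early_data(), so the name will not resolve as a cross-reference. The same sentence has `before to write application data`, which should read `before writing application data`. The `\brief` still promises to write "exactly" `len` bytes while the new `\return` says the count "may be less than \p len"; one of the two should be reworded so callers know to loop on a short write. The doc block continues outside the hunk.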
@@ -5098,9 +5316,11 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
* already completed.
*
* It is not possible to write early data for the SSL context
- * \p ssl but this does not preclude for using it with
+ * \p ssl and any subsequent call to this API will return this
+ * error code. But this does not preclude for using it with
* mbedtls_ssl_write(), mbedtls_ssl_read() or
- * mbedtls_ssl_handshake().
+ * mbedtls_ssl_handshake() and the handshake can be
+ * completed by calling one of these APIs.
*
* \note This function may write early data only if the SSL context
* has been configured for the handshake with a PSK for which
@@ -5122,9 +5342,6 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len);
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2
/**
* \brief Get the status of the negotiation of the use of early data.
*
@@ -5136,8 +5353,8 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
* prior to completion of the handshake.
*
- * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT if the client has
- * not indicated the use of early data to the server.
+ * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client
+ * has not indicated the use of early data to the server.
*
* \return #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED if the client has
* indicated the use of early data and the server has accepted
diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h
index 7a90191..a1307b4 100644
--- a/include/mbedtls/ssl_cache.h
+++ b/include/mbedtls/ssl_cache.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_CACHE_H
#define MBEDTLS_SSL_CACHE_H
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 07f2fac..12d4462 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_CIPHERSUITES_H
#define MBEDTLS_SSL_CIPHERSUITES_H
@@ -475,151 +463,17 @@ const int *mbedtls_ssl_list_ciphersuites(void);
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(const char *ciphersuite_name);
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite_id);
-#if defined(MBEDTLS_PK_C)
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
-psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
-#endif
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
-#endif
-
-int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
-int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
-
static inline const char *mbedtls_ssl_ciphersuite_get_name(const mbedtls_ssl_ciphersuite_t *info)
{
return info->MBEDTLS_PRIVATE(name);
}
-size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info);
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_PSK:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
+static inline int mbedtls_ssl_ciphersuite_get_id(const mbedtls_ssl_ciphersuite_t *info)
{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- return 1;
-
- default:
- return 0;
- }
+ return info->MBEDTLS_PRIVATE(id);
}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
-static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-
-static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
- const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->MBEDTLS_PRIVATE(key_exchange)) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info);
#ifdef __cplusplus
}
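Review bot: The new inline accessor `mbedtls_ssl_ciphersuite_get_id()` dereferences `info` unconditionally and carries no documentation, like `mbedtls_ssl_ciphersuite_get_name()` just above it. The lookup functions declared at the top of the hunk hand out the pointers these accessors consume, and if they return NULL for an unknown id or name (their bodies are not in this hunk), a caller chaining the two calls dereferences NULL. I would add a short Doxygen block to both accessors, e.g. `\param info  Ciphersuite description, must not be \c NULL (check the result of mbedtls_ssl_ciphersuite_from_id() first).` The enclosing `extern "C"` block starts outside the hunk.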
diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h
index 5cd1847..71c258e 100644
--- a/include/mbedtls/ssl_cookie.h
+++ b/include/mbedtls/ssl_cookie.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_COOKIE_H
#define MBEDTLS_SSL_COOKIE_H
diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h
index 0cefe43..2ee1400 100644
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_TICKET_H
#define MBEDTLS_SSL_TICKET_H
@@ -62,6 +50,10 @@ typedef struct mbedtls_ssl_ticket_key {
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */
#endif
+ /*! Lifetime of the key in seconds. This is also the lifetime of the
+ * tickets created under that key.
+ */
+ uint32_t MBEDTLS_PRIVATE(lifetime);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */
#else
@@ -116,10 +108,16 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
* least as strong as the strongest ciphersuite
* supported. Usually that means a 256-bit key.
*
- * \note The lifetime of the keys is twice the lifetime of tickets.
- * It is recommended to pick a reasonable lifetime so as not
+ * \note It is recommended to pick a reasonable lifetime so as not
* to negate the benefits of forward secrecy.
*
+ * \note The TLS 1.3 specification states that ticket lifetime must
+ * be smaller than seven days. If ticket lifetime has been
+ * set to a value greater than seven days in this module then
+ * if the TLS 1.3 is configured to send tickets after the
+ * handshake it will fail the connection when trying to send
+ * the first ticket.
+ *
* \return 0 if successful,
* or a specific MBEDTLS_ERR_XXX error code
*/
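Review bot: The added TLS 1.3 note says the ticket lifetime "must be smaller than seven days", but RFC 8446 section 4.6.1 only forbids values greater than 604800 seconds, so exactly seven days is allowed, and the second sentence of the same note already says "greater than seven days". I would reword the first sentence to `The TLS 1.3 specification states that ticket lifetime must not exceed seven days (604800 seconds).` and fix "if the TLS 1.3 is configured" to "if TLS 1.3 is configured". Because the note describes a failure that only appears when the first ticket is sent, it would also help to name the limit on the `lifetime` parameter itself, so that a misconfiguration is caught when reading the API rather than at connection time. The same text is added in the next hunk of this file and needs the same change; the function comment starts outside this hunk.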
@@ -153,10 +151,16 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
* \note \c klength must be sufficient for use by cipher specified
* to \c mbedtls_ssl_ticket_setup
*
- * \note The lifetime of the keys is twice the lifetime of tickets.
- * It is recommended to pick a reasonable lifetime so as not
+ * \note It is recommended to pick a reasonable lifetime so as not
* to negate the benefits of forward secrecy.
*
+ * \note The TLS 1.3 specification states that ticket lifetime must
+ * be smaller than seven days. If ticket lifetime has been
+ * set to a value greater than seven days in this module then
+ * if the TLS 1.3 is configured to send tickets after the
+ * handshake it will fail the connection when trying to send
+ * the first ticket.
+ *
* \return 0 if successful,
* or a specific MBEDTLS_ERR_XXX error code
*/
diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h
deleted file mode 100644
index 6a336c3..0000000
--- a/include/mbedtls/threading.h
+++ /dev/null
@@ -1,117 +0,0 @@
-/**
- * \file threading.h
- *
- * \brief Threading abstraction layer
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_THREADING_H
-#define MBEDTLS_THREADING_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stdlib.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** Bad input parameters to function. */
-#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA -0x001C
-/** Locking / unlocking / free failed with error code. */
-#define MBEDTLS_ERR_THREADING_MUTEX_ERROR -0x001E
-
-#if defined(MBEDTLS_THREADING_PTHREAD)
-#include <pthread.h>
-typedef struct mbedtls_threading_mutex_t {
- pthread_mutex_t MBEDTLS_PRIVATE(mutex);
- /* is_valid is 0 after a failed init or a free, and nonzero after a
- * successful init. This field is not considered part of the public
- * API of Mbed TLS and may change without notice. */
- char MBEDTLS_PRIVATE(is_valid);
-} mbedtls_threading_mutex_t;
-#endif
-
-#if defined(MBEDTLS_THREADING_ALT)
-/* You should define the mbedtls_threading_mutex_t type in your header */
-#include "threading_alt.h"
-
-/**
- * \brief Set your alternate threading implementation function
- * pointers and initialize global mutexes. If used, this
- * function must be called once in the main thread before any
- * other Mbed TLS function is called, and
- * mbedtls_threading_free_alt() must be called once in the main
- * thread after all other Mbed TLS functions.
- *
- * \note mutex_init() and mutex_free() don't return a status code.
- * If mutex_init() fails, it should leave its argument (the
- * mutex) in a state such that mutex_lock() will fail when
- * called with this argument.
- *
- * \param mutex_init the init function implementation
- * \param mutex_free the free function implementation
- * \param mutex_lock the lock function implementation
- * \param mutex_unlock the unlock function implementation
- */
-void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
- void (*mutex_free)(mbedtls_threading_mutex_t *),
- int (*mutex_lock)(mbedtls_threading_mutex_t *),
- int (*mutex_unlock)(mbedtls_threading_mutex_t *));
-
-/**
- * \brief Free global mutexes.
- */
-void mbedtls_threading_free_alt(void);
-#endif /* MBEDTLS_THREADING_ALT */
-
-#if defined(MBEDTLS_THREADING_C)
-/*
- * The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
- *
- * All these functions are expected to work or the result will be undefined.
- */
-extern void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *mutex);
-extern void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *mutex);
-extern int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *mutex);
-extern int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *mutex);
-
-/*
- * Global mutexes
- */
-#if defined(MBEDTLS_FS_IO)
-extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
-#endif
-
-#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
-/* This mutex may or may not be used in the default definition of
- * mbedtls_platform_gmtime_r(), but in order to determine that,
- * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
- * With the current approach, this declaration is orphaned, lacking
- * an accompanying definition, in case mbedtls_platform_gmtime_r()
- * doesn't need it, but that's not a problem. */
-extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
-#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
-
-#endif /* MBEDTLS_THREADING_C */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* threading.h */
diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h
deleted file mode 100644
index 830dcee..0000000
--- a/include/mbedtls/timing.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * \file timing.h
- *
- * \brief Portable interface to timeouts and to the CPU cycle counter
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_TIMING_H
-#define MBEDTLS_TIMING_H
-#include "mbedtls/private_access.h"
-
-#include "mbedtls/build_info.h"
-
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_TIMING_ALT)
-// Regular implementation
-//
-
-/**
- * \brief timer structure
- */
-struct mbedtls_timing_hr_time {
- uint64_t MBEDTLS_PRIVATE(opaque)[4];
-};
-
-/**
- * \brief Context for mbedtls_timing_set/get_delay()
- */
-typedef struct mbedtls_timing_delay_context {
- struct mbedtls_timing_hr_time MBEDTLS_PRIVATE(timer);
- uint32_t MBEDTLS_PRIVATE(int_ms);
- uint32_t MBEDTLS_PRIVATE(fin_ms);
-} mbedtls_timing_delay_context;
-
-#else /* MBEDTLS_TIMING_ALT */
-#include "timing_alt.h"
-#endif /* MBEDTLS_TIMING_ALT */
-
-/* Internal use */
-unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset);
-
-/**
- * \brief Set a pair of delays to watch
- * (See \c mbedtls_timing_get_delay().)
- *
- * \param data Pointer to timing data.
- * Must point to a valid \c mbedtls_timing_delay_context struct.
- * \param int_ms First (intermediate) delay in milliseconds.
- * The effect if int_ms > fin_ms is unspecified.
- * \param fin_ms Second (final) delay in milliseconds.
- * Pass 0 to cancel the current delay.
- *
- * \note To set a single delay, either use \c mbedtls_timing_set_timer
- * directly or use this function with int_ms == fin_ms.
- */
-void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms);
-
-/**
- * \brief Get the status of delays
- * (Memory helper: number of delays passed.)
- *
- * \param data Pointer to timing data
- * Must point to a valid \c mbedtls_timing_delay_context struct.
- *
- * \return -1 if cancelled (fin_ms = 0),
- * 0 if none of the delays are passed,
- * 1 if only the intermediate delay is passed,
- * 2 if the final delay is passed.
- */
-int mbedtls_timing_get_delay(void *data);
-
-/**
- * \brief Get the final timing delay
- *
- * \param data Pointer to timing data
- * Must point to a valid \c mbedtls_timing_delay_context struct.
- *
- * \return Final timing delay in milliseconds.
- */
-uint32_t mbedtls_timing_get_final_delay(
- const mbedtls_timing_delay_context *data);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* timing.h */
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
deleted file mode 100644
index 073211a..0000000
--- a/include/mbedtls/version.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/**
- * \file version.h
- *
- * \brief Run-time version information
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * This set of run-time variables can be used to determine the version number of
- * the Mbed TLS library used. Compile-time version defines for the same can be
- * found in build_info.h
- */
-#ifndef MBEDTLS_VERSION_H
-#define MBEDTLS_VERSION_H
-
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_VERSION_C)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Get the version number.
- *
- * \return The constructed version number in the format
- * MMNNPP00 (Major, Minor, Patch).
- */
-unsigned int mbedtls_version_get_number(void);
-
-/**
- * Get the version string ("x.y.z").
- *
- * \param string The string that will receive the value.
- * (Should be at least 9 bytes in size)
- */
-void mbedtls_version_get_string(char *string);
-
-/**
- * Get the full version string ("Mbed TLS x.y.z").
- *
- * \param string The string that will receive the value. The Mbed TLS version
- * string will use 18 bytes AT MOST including a terminating
- * null byte.
- * (So the buffer should be at least 18 bytes to receive this
- * version string).
- */
-void mbedtls_version_get_string_full(char *string);
-
-/**
- * \brief Check if support for a feature was compiled into this
- * Mbed TLS binary. This allows you to see at runtime if the
- * library was for instance compiled with or without
- * Multi-threading support.
- *
- * \note only checks against defines in the sections "System
- * support", "Mbed TLS modules" and "Mbed TLS feature
- * support" in mbedtls_config.h
- *
- * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
- *
- * \return 0 if the feature is present,
- * -1 if the feature is not present and
- * -2 if support for feature checking as a whole was not
- * compiled in.
- */
-int mbedtls_version_check_feature(const char *feature);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_VERSION_C */
-
-#endif /* version.h */
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index a9267c7..453f598 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_X509_H
#define MBEDTLS_X509_H
@@ -319,6 +307,7 @@ typedef struct mbedtls_x509_san_list {
mbedtls_x509_san_list;
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
/**
* \brief Store the certificate DN in printable form into buf;
@@ -334,6 +323,23 @@ mbedtls_x509_san_list;
int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
/**
+ * \brief Convert the certificate DN string \p name into
+ * a linked list of mbedtls_x509_name (equivalent to
+ * mbedtls_asn1_named_data).
+ *
+ * \note This function allocates a linked list, and places the head
+ * pointer in \p head. This list must later be freed by a
+ * call to mbedtls_asn1_free_named_data_list().
+ *
+ * \param[out] head Address in which to store the pointer to the head of the
+ * allocated list of mbedtls_x509_name
+ * \param[in] name The string representation of a DN to convert
+ *
+ * \return 0 on success, or a negative error code.
+ */
+int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
+
+/**
* \brief Return the next relative DN in an X509 name.
*
* \note Intended use is to compare function result to dn->next
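Review bot: The new documentation for `mbedtls_x509_string_to_names()` marks `head` as `\param[out]` and does not say what happens to whatever `*head` holds on entry, or what `*head` contains after an error return. If the implementation frees an existing list at `*head` before building the new one (the body is not in this hunk, so this needs checking against the .c file), then a caller who passes an uninitialised pointer, or a list it still references elsewhere, ends up with an invalid free or a dangling pointer while following the documented contract. I would make the precondition explicit, e.g. `\param[in,out] head  Must be \c NULL or the head of a list owned by the caller; any existing list is freed.`, and add one sentence on whether the list must still be freed after a failure.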
@@ -460,75 +466,6 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
*/
void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);
-/** \} addtogroup x509_module */
-
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
- */
-int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
- mbedtls_x509_name *cur);
-int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *alg);
-int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
- mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
- int *salt_len);
-#endif
-int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
-int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts);
-int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
- mbedtls_x509_time *t);
-int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *serial);
-int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
- mbedtls_x509_buf *ext, int tag);
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
- mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
- const void *sig_opts);
-#endif
-int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
-int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
-int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
- int critical, const unsigned char *val,
- size_t val_len);
-int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
- mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
- mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
- const char *oid, size_t oid_len,
- unsigned char *sig, size_t size,
- mbedtls_pk_type_t pk_alg);
-int mbedtls_x509_get_ns_cert_type(unsigned char **p,
- const unsigned char *end,
- unsigned char *ns_cert_type);
-int mbedtls_x509_get_key_usage(unsigned char **p,
- const unsigned char *end,
- unsigned int *key_usage);
-int mbedtls_x509_get_subject_alt_name(unsigned char **p,
- const unsigned char *end,
- mbedtls_x509_sequence *subject_alt_name);
-int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
- const unsigned char *end,
- mbedtls_x509_sequence *subject_alt_name);
-int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
- const mbedtls_x509_sequence
- *subject_alt_name,
- const char *prefix);
-int mbedtls_x509_info_cert_type(char **buf, size_t *size,
- unsigned char ns_cert_type);
-int mbedtls_x509_info_key_usage(char **buf, size_t *size,
- unsigned int key_usage);
-
-int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
- const mbedtls_x509_san_list *san_list);
-
/**
* \brief This function parses a CN string as an IP address.
*
@@ -559,4 +496,4 @@ size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
}
#endif
-#endif /* x509.h */
+#endif /* MBEDTLS_X509_H */
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index 62694ae..6625a44 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_X509_CRL_H
#define MBEDTLS_X509_CRL_H
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 3f9b250..1ce0d23 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_X509_CRT_H
#define MBEDTLS_X509_CRT_H
@@ -928,6 +916,18 @@ static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx,
return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
}
+/**
+ * \brief Access the ca_istrue field
+ *
+ * \param[in] crt Certificate to be queried, must not be \c NULL
+ *
+ * \return \c 1 if this a CA certificate \c 0 otherwise.
+ * \return MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain
+ * the Optional Basic Constraint extension.
+ *
+ */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt);
+
/** \} name Structures and functions for parsing and writing X.509 certificates */
#if defined(MBEDTLS_X509_CRT_WRITE_C)
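Review bot: `mbedtls_x509_crt_get_ca_istrue()` is documented to return 1, 0 or `MBEDTLS_ERR_X509_INVALID_EXTENSIONS`, so a caller that writes `if (mbedtls_x509_crt_get_ca_istrue(crt))` treats the error return as "this is a CA certificate". Since the answer feeds trust decisions, the comment should spell this out, e.g. `\note Compare the result with \c 1; a negative return value is an error and does not mean the certificate is a CA.` The first `\return` line also needs a small fix: "if this a CA certificate \c 0 otherwise" should read "if this is a CA certificate, \c 0 otherwise".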
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 513a83e..8c31c09 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_X509_CSR_H
#define MBEDTLS_X509_CSR_H
@@ -87,7 +75,9 @@ mbedtls_x509write_csr;
/**
* \brief Load a Certificate Signing Request (CSR) in DER format
*
- * \note CSR attributes (if any) are currently silently ignored.
+ * \note Any unsupported requested extensions are silently
+ * ignored, unless the critical flag is set, in which case
+ * the CSR is rejected.
*
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
* subsystem must have been initialized by calling
@@ -103,6 +93,67 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
const unsigned char *buf, size_t buflen);
/**
+ * \brief The type of certificate extension callbacks.
+ *
+ * Callbacks of this type are passed to and used by the
+ * mbedtls_x509_csr_parse_der_with_ext_cb() routine when
+ * it encounters either an unsupported extension.
+ * Future versions of the library may invoke the callback
+ * in other cases, if and when the need arises.
+ *
+ * \param p_ctx An opaque context passed to the callback.
+ * \param csr The CSR being parsed.
+ * \param oid The OID of the extension.
+ * \param critical Whether the extension is critical.
+ * \param p Pointer to the start of the extension value
+ * (the content of the OCTET STRING).
+ * \param end End of extension value.
+ *
+ * \note The callback must fail and return a negative error code
+ * if it can not parse or does not support the extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_csr_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_csr_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+typedef int (*mbedtls_x509_csr_ext_cb_t)(void *p_ctx,
+ mbedtls_x509_csr const *csr,
+ mbedtls_x509_buf const *oid,
+ int critical,
+ const unsigned char *p,
+ const unsigned char *end);
+
+/**
+ * \brief Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note Any unsupported requested extensions are silently
+ * ignored, unless the critical flag is set, in which case
+ * the result of the callback function decides whether
+ * CSR is rejected.
+ *
+ * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ * subsystem must have been initialized by calling
+ * psa_crypto_init() before calling this function.
+ *
+ * \param csr CSR context to fill
+ * \param buf buffer holding the CRL data
+ * \param buflen size of the buffer
+ * \param cb A callback invoked for every unsupported certificate
+ * extension.
+ * \param p_ctx An opaque context passed to the callback.
+ *
+ * \return 0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx);
+
+/**
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
*
* \note See notes for \c mbedtls_x509_csr_parse_der()
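Review bot: The documentation added for `mbedtls_x509_csr_parse_der_with_ext_cb()` leaves the accept/reject contract unclear in a way that matters for CSR validation. The function note says unsupported extensions are "silently ignored, unless the critical flag is set", while the `cb` parameter says the callback is invoked for every unsupported extension, and nothing states whether `cb` may be `NULL`. Because a callback returning 0 for a critical extension makes the parser accept the CSR, I would add to the callback type `\note Return \c 0 for a critical extension only after it has been fully validated.` and state on `cb` whether `NULL` is allowed and what it means. Two wording slips in the same block: "when it encounters either an unsupported extension" has a dangling "either", and `buf` is described as "buffer holding the CRL data" where it should say CSR.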
diff --git a/include/psa/build_info.h b/include/psa/build_info.h
deleted file mode 100644
index 34a138d..0000000
--- a/include/psa/build_info.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * \file psa/build_info.h
- *
- * \brief Build-time PSA configuration info
- *
- * Include this file if you need to depend on the
- * configuration options defined in mbedtls_config.h or MBEDTLS_CONFIG_FILE
- * in PSA cryptography core specific files.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_BUILD_INFO_H
-#define PSA_CRYPTO_BUILD_INFO_H
-
-#include "mbedtls/build_info.h"
-
-#endif /* PSA_CRYPTO_BUILD_INFO_H */
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
deleted file mode 100644
index 6b06187..0000000
--- a/include/psa/crypto.h
+++ /dev/null
@@ -1,4697 +0,0 @@
-/**
- * \file psa/crypto.h
- * \brief Platform Security Architecture cryptography module
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_H
-#define PSA_CRYPTO_H
-
-#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
-#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
-#else
-#include "crypto_platform.h"
-#endif
-
-#include <stddef.h>
-
-#ifdef __DOXYGEN_ONLY__
-/* This __DOXYGEN_ONLY__ block contains mock definitions for things that
- * must be defined in the crypto_platform.h header. These mock definitions
- * are present in this file as a convenience to generate pretty-printed
- * documentation that includes those definitions. */
-
-/** \defgroup platform Implementation-specific definitions
- * @{
- */
-
-/**@}*/
-#endif /* __DOXYGEN_ONLY__ */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* The file "crypto_types.h" declares types that encode errors,
- * algorithms, key types, policies, etc. */
-#include "crypto_types.h"
-
-/** \defgroup version API version
- * @{
- */
-
-/**
- * The major version of this implementation of the PSA Crypto API
- */
-#define PSA_CRYPTO_API_VERSION_MAJOR 1
-
-/**
- * The minor version of this implementation of the PSA Crypto API
- */
-#define PSA_CRYPTO_API_VERSION_MINOR 0
-
-/**@}*/
-
-/* The file "crypto_values.h" declares macros to build and analyze values
- * of integral types defined in "crypto_types.h". */
-#include "crypto_values.h"
-
-/** \defgroup initialization Library initialization
- * @{
- */
-
-/**
- * \brief Library initialization.
- *
- * Applications must call this function before calling any other
- * function in this module.
- *
- * Applications may call this function more than once. Once a call
- * succeeds, subsequent calls are guaranteed to succeed.
- *
- * If the application calls other functions before calling psa_crypto_init(),
- * the behavior is undefined. Implementations are encouraged to either perform
- * the operation as if the library had been initialized or to return
- * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
- * implementations should not return a success status if the lack of
- * initialization may have security implications, for example due to improper
- * seeding of the random number generator.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- */
-psa_status_t psa_crypto_init(void);
-
-/**@}*/
-
-/** \addtogroup attributes
- * @{
- */
-
-/** \def PSA_KEY_ATTRIBUTES_INIT
- *
- * This macro returns a suitable initializer for a key attribute structure
- * of type #psa_key_attributes_t.
- */
-
-/** Return an initial value for a key attributes structure.
- */
-static psa_key_attributes_t psa_key_attributes_init(void);
-
-/** Declare a key as persistent and set its key identifier.
- *
- * If the attribute structure currently declares the key as volatile (which
- * is the default content of an attribute structure), this function sets
- * the lifetime attribute to #PSA_KEY_LIFETIME_PERSISTENT.
- *
- * This function does not access storage, it merely stores the given
- * value in the structure.
- * The persistent key will be written to storage when the attribute
- * structure is passed to a key creation function such as
- * psa_import_key(), psa_generate_key(),
- * psa_key_derivation_output_key() or psa_copy_key().
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param key The persistent identifier for the key.
- */
-static void psa_set_key_id(psa_key_attributes_t *attributes,
- mbedtls_svc_key_id_t key);
-
-#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-/** Set the owner identifier of a key.
- *
- * When key identifiers encode key owner identifiers, psa_set_key_id() does
- * not allow to define in key attributes the owner of volatile keys as
- * psa_set_key_id() enforces the key to be persistent.
- *
- * This function allows to set in key attributes the owner identifier of a
- * key. It is intended to be used for volatile keys. For persistent keys,
- * it is recommended to use the PSA Cryptography API psa_set_key_id() to define
- * the owner of a key.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param owner The key owner identifier.
- */
-static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
- mbedtls_key_owner_id_t owner);
-#endif
-
-/** Set the location of a persistent key.
- *
- * To make a key persistent, you must give it a persistent key identifier
- * with psa_set_key_id(). By default, a key that has a persistent identifier
- * is stored in the default storage area identifier by
- * #PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage
- * area, or to explicitly declare the key as volatile.
- *
- * This function does not access storage, it merely stores the given
- * value in the structure.
- * The persistent key will be written to storage when the attribute
- * structure is passed to a key creation function such as
- * psa_import_key(), psa_generate_key(),
- * psa_key_derivation_output_key() or psa_copy_key().
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param lifetime The lifetime for the key.
- * If this is #PSA_KEY_LIFETIME_VOLATILE, the
- * key will be volatile, and the key identifier
- * attribute is reset to 0.
- */
-static void psa_set_key_lifetime(psa_key_attributes_t *attributes,
- psa_key_lifetime_t lifetime);
-
-/** Retrieve the key identifier from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The persistent identifier stored in the attribute structure.
- * This value is unspecified if the attribute structure declares
- * the key as volatile.
- */
-static mbedtls_svc_key_id_t psa_get_key_id(
- const psa_key_attributes_t *attributes);
-
-/** Retrieve the lifetime from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The lifetime value stored in the attribute structure.
- */
-static psa_key_lifetime_t psa_get_key_lifetime(
- const psa_key_attributes_t *attributes);
-
-/** Declare usage flags for a key.
- *
- * Usage flags are part of a key's usage policy. They encode what
- * kind of operations are permitted on the key. For more details,
- * refer to the documentation of the type #psa_key_usage_t.
- *
- * This function overwrites any usage flags
- * previously set in \p attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param usage_flags The usage flags to write.
- */
-static void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
- psa_key_usage_t usage_flags);
-
-/** Retrieve the usage flags from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The usage flags stored in the attribute structure.
- */
-static psa_key_usage_t psa_get_key_usage_flags(
- const psa_key_attributes_t *attributes);
-
-/** Declare the permitted algorithm policy for a key.
- *
- * The permitted algorithm policy of a key encodes which algorithm or
- * algorithms are permitted to be used with this key. The following
- * algorithm policies are supported:
- * - 0 does not allow any cryptographic operation with the key. The key
- * may be used for non-cryptographic actions such as exporting (if
- * permitted by the usage flags).
- * - An algorithm value permits this particular algorithm.
- * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified
- * signature scheme with any hash algorithm.
- * - An algorithm built from #PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows
- * any MAC algorithm from the same base class (e.g. CMAC) which
- * generates/verifies a MAC length greater than or equal to the length
- * encoded in the wildcard algorithm.
- * - An algorithm built from #PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG
- * allows any AEAD algorithm from the same base class (e.g. CCM) which
- * generates/verifies a tag length greater than or equal to the length
- * encoded in the wildcard algorithm.
- *
- * This function overwrites any algorithm policy
- * previously set in \p attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param alg The permitted algorithm policy to write.
- */
-static void psa_set_key_algorithm(psa_key_attributes_t *attributes,
- psa_algorithm_t alg);
-
-
-/** Retrieve the algorithm policy from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The algorithm stored in the attribute structure.
- */
-static psa_algorithm_t psa_get_key_algorithm(
- const psa_key_attributes_t *attributes);
-
-/** Declare the type of a key.
- *
- * This function overwrites any key type
- * previously set in \p attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param type The key type to write.
- * If this is 0, the key type in \p attributes
- * becomes unspecified.
- */
-static void psa_set_key_type(psa_key_attributes_t *attributes,
- psa_key_type_t type);
-
-
-/** Declare the size of a key.
- *
- * This function overwrites any key size previously set in \p attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate each of its arguments exactly once.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param bits The key size in bits.
- * If this is 0, the key size in \p attributes
- * becomes unspecified. Keys of size 0 are
- * not supported.
- */
-static void psa_set_key_bits(psa_key_attributes_t *attributes,
- size_t bits);
-
-/** Retrieve the key type from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The key type stored in the attribute structure.
- */
-static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes);
-
-/** Retrieve the key size from key attributes.
- *
- * This function may be declared as `static` (i.e. without external
- * linkage). This function may be provided as a function-like macro,
- * but in this case it must evaluate its argument exactly once.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The key size stored in the attribute structure, in bits.
- */
-static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
-
-/** Retrieve the attributes of a key.
- *
- * This function first resets the attribute structure as with
- * psa_reset_key_attributes(). It then copies the attributes of
- * the given key into the given attribute structure.
- *
- * \note This function may allocate memory or other resources.
- * Once you have called this function on an attribute structure,
- * you must call psa_reset_key_attributes() to free these resources.
- *
- * \param[in] key Identifier of the key to query.
- * \param[in,out] attributes On success, the attributes of the key.
- * On failure, equivalent to a
- * freshly-initialized structure.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
- psa_key_attributes_t *attributes);
-
-/** Reset a key attribute structure to a freshly initialized state.
- *
- * You must initialize the attribute structure as described in the
- * documentation of the type #psa_key_attributes_t before calling this
- * function. Once the structure has been initialized, you may call this
- * function at any time.
- *
- * This function frees any auxiliary resources that the structure
- * may contain.
- *
- * \param[in,out] attributes The attribute structure to reset.
- */
-void psa_reset_key_attributes(psa_key_attributes_t *attributes);
-
-/**@}*/
-
-/** \defgroup key_management Key management
- * @{
- */
-
-/** Remove non-essential copies of key material from memory.
- *
- * If the key identifier designates a volatile key, this functions does not do
- * anything and returns successfully.
- *
- * If the key identifier designates a persistent key, then this function will
- * free all resources associated with the key in volatile memory. The key
- * data in persistent storage is not affected and the key can still be used.
- *
- * \param key Identifier of the key to purge.
- *
- * \retval #PSA_SUCCESS
- * The key material will have been removed from memory if it is not
- * currently required.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not a valid key identifier.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_purge_key(mbedtls_svc_key_id_t key);
-
-/** Make a copy of a key.
- *
- * Copy key material from one location to another.
- *
- * This function is primarily useful to copy a key from one location
- * to another, since it populates a key using the material from
- * another key which may have a different lifetime.
- *
- * This function may be used to share a key with a different party,
- * subject to implementation-defined restrictions on key sharing.
- *
- * The policy on the source key must have the usage flag
- * #PSA_KEY_USAGE_COPY set.
- * This flag is sufficient to permit the copy if the key has the lifetime
- * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
- * Some secure elements do not provide a way to copy a key without
- * making it extractable from the secure element. If a key is located
- * in such a secure element, then the key must have both usage flags
- * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
- * a copy of the key outside the secure element.
- *
- * The resulting key may only be used in a way that conforms to
- * both the policy of the original key and the policy specified in
- * the \p attributes parameter:
- * - The usage flags on the resulting key are the bitwise-and of the
- * usage flags on the source policy and the usage flags in \p attributes.
- * - If both allow the same algorithm or wildcard-based
- * algorithm policy, the resulting key has the same algorithm policy.
- * - If either of the policies allows an algorithm and the other policy
- * allows a wildcard-based algorithm policy that includes this algorithm,
- * the resulting key allows the same algorithm.
- * - If the policies do not allow any algorithm in common, this function
- * fails with the status #PSA_ERROR_INVALID_ARGUMENT.
- *
- * The effect of this function on implementation-defined attributes is
- * implementation-defined.
- *
- * \param source_key The key to copy. It must allow the usage
- * #PSA_KEY_USAGE_COPY. If a private or secret key is
- * being copied outside of a secure element it must
- * also allow #PSA_KEY_USAGE_EXPORT.
- * \param[in] attributes The attributes for the new key.
- * They are used as follows:
- * - The key type and size may be 0. If either is
- * nonzero, it must match the corresponding
- * attribute of the source key.
- * - The key location (the lifetime and, for
- * persistent keys, the key identifier) is
- * used directly.
- * - The policy constraints (usage flags and
- * algorithm policy) are combined from
- * the source key and \p attributes so that
- * both sets of restrictions apply, as
- * described in the documentation of this function.
- * \param[out] target_key On success, an identifier for the newly created
- * key. For persistent keys, this is the key
- * identifier defined in \p attributes.
- * \c 0 on failure.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p source_key is invalid.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * This is an attempt to create a persistent key, and there is
- * already a persistent key with the given identifier.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The lifetime or identifier in \p attributes are invalid, or
- * the policy constraints on the source and specified in
- * \p attributes are incompatible, or
- * \p attributes specifies a key type or key size
- * which does not match the attributes of the source key.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
- * the source key is not exportable and its lifetime does not
- * allow copying it to the target's lifetime.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
- const psa_key_attributes_t *attributes,
- mbedtls_svc_key_id_t *target_key);
-
-
-/**
- * \brief Destroy a key.
- *
- * This function destroys a key from both volatile
- * memory and, if applicable, non-volatile storage. Implementations shall
- * make a best effort to ensure that the key material cannot be recovered.
- *
- * This function also erases any metadata such as policies and frees
- * resources associated with the key.
- *
- * If a key is currently in use in a multipart operation, then destroying the
- * key will cause the multipart operation to fail.
- *
- * \param key Identifier of the key to erase. If this is \c 0, do nothing and
- * return #PSA_SUCCESS.
- *
- * \retval #PSA_SUCCESS
- * \p key was a valid identifier and the key material that it
- * referred to has been erased. Alternatively, \p key is \c 0.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key cannot be erased because it is
- * read-only, either due to a policy or due to physical restrictions.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p key is not a valid identifier nor \c 0.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * There was a failure in communication with the cryptoprocessor.
- * The key material may still be present in the cryptoprocessor.
- * \retval #PSA_ERROR_DATA_INVALID
- * This error is typically a result of either storage corruption on a
- * cleartext storage backend, or an attempt to read data that was
- * written by an incompatible version of the library.
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The storage is corrupted. Implementations shall make a best effort
- * to erase key material even in this stage, however applications
- * should be aware that it may be impossible to guarantee that the
- * key material is not recoverable in such cases.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * An unexpected condition which is not a storage corruption or
- * a communication failure occurred. The cryptoprocessor may have
- * been compromised.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key);
-
-/**@}*/
-
-/** \defgroup import_export Key import and export
- * @{
- */
-
-/**
- * \brief Import a key in binary format.
- *
- * This function supports any output from psa_export_key(). Refer to the
- * documentation of psa_export_public_key() for the format of public keys
- * and to the documentation of psa_export_key() for the format for
- * other key types.
- *
- * The key data determines the key size. The attributes may optionally
- * specify a key size; in this case it must match the size determined
- * from the key data. A key size of 0 in \p attributes indicates that
- * the key size is solely determined by the key data.
- *
- * Implementations must reject an attempt to import a key of size 0.
- *
- * This specification supports a single format for each key type.
- * Implementations may support other formats as long as the standard
- * format is supported. Implementations that support other formats
- * should ensure that the formats are clearly unambiguous so as to
- * minimize the risk that an invalid input is accidentally interpreted
- * according to a different format.
- *
- * \param[in] attributes The attributes for the new key.
- * The key size is always determined from the
- * \p data buffer.
- * If the key size in \p attributes is nonzero,
- * it must be equal to the size from \p data.
- * \param[out] key On success, an identifier to the newly created key.
- * For persistent keys, this is the key identifier
- * defined in \p attributes.
- * \c 0 on failure.
- * \param[in] data Buffer containing the key data. The content of this
- * buffer is interpreted according to the type declared
- * in \p attributes.
- * All implementations must support at least the format
- * described in the documentation
- * of psa_export_key() or psa_export_public_key() for
- * the chosen type. Implementations may allow other
- * formats, but should be conservative: implementations
- * should err on the side of rejecting content if it
- * may be erroneous (e.g. wrong type or truncated data).
- * \param data_length Size of the \p data buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * If the key is persistent, the key material and the key's metadata
- * have been saved to persistent storage.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * This is an attempt to create a persistent key, and there is
- * already a persistent key with the given identifier.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The key type or key size is not supported, either by the
- * implementation in general or in this particular persistent location.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key attributes, as a whole, are invalid, or
- * the key data is not correctly formatted, or
- * the size in \p attributes is nonzero and does not match the size
- * of the key data.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
- const uint8_t *data,
- size_t data_length,
- mbedtls_svc_key_id_t *key);
-
-
-
-/**
- * \brief Export a key in binary format.
- *
- * The output of this function can be passed to psa_import_key() to
- * create an equivalent object.
- *
- * If the implementation of psa_import_key() supports other formats
- * beyond the format specified here, the output from psa_export_key()
- * must use the representation specified here, not the original
- * representation.
- *
- * For standard key types, the output format is as follows:
- *
- * - For symmetric keys (including MAC keys), the format is the
- * raw bytes of the key.
- * - For DES, the key data consists of 8 bytes. The parity bits must be
- * correct.
- * - For Triple-DES, the format is the concatenation of the
- * two or three DES keys.
- * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
- * is the non-encrypted DER encoding of the representation defined by
- * PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
- * ```
- * RSAPrivateKey ::= SEQUENCE {
- * version INTEGER, -- must be 0
- * modulus INTEGER, -- n
- * publicExponent INTEGER, -- e
- * privateExponent INTEGER, -- d
- * prime1 INTEGER, -- p
- * prime2 INTEGER, -- q
- * exponent1 INTEGER, -- d mod (p-1)
- * exponent2 INTEGER, -- d mod (q-1)
- * coefficient INTEGER, -- (inverse of q) mod p
- * }
- * ```
- * - For elliptic curve key pairs (key types for which
- * #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
- * a representation of the private value as a `ceiling(m/8)`-byte string
- * where `m` is the bit size associated with the curve, i.e. the bit size
- * of the order of the curve's coordinate field. This byte string is
- * in little-endian order for Montgomery curves (curve types
- * `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
- * curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
- * and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
- * For Weierstrass curves, this is the content of the `privateKey` field of
- * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
- * the format is defined by RFC 7748, and output is masked according to §5.
- * For twisted Edwards curves, the private key is as defined by RFC 8032
- * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
- * - For Diffie-Hellman key exchange key pairs (key types for which
- * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
- * format is the representation of the private key `x` as a big-endian byte
- * string. The length of the byte string is the private key size in bytes
- * (leading zeroes are not stripped).
- * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
- * true), the format is the same as for psa_export_public_key().
- *
- * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
- *
- * \param key Identifier of the key to export. It must allow the
- * usage #PSA_KEY_USAGE_EXPORT, unless it is a public
- * key.
- * \param[out] data Buffer where the key data is to be written.
- * \param data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes
- * that make up the key data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_EXPORT flag.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p data buffer is too small. You can determine a
- * sufficient buffer size by calling
- * #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
- * where \c type is the key type
- * and \c bits is the key size in bits.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/**
- * \brief Export a public key or the public part of a key pair in binary format.
- *
- * The output of this function can be passed to psa_import_key() to
- * create an object that is equivalent to the public key.
- *
- * This specification supports a single format for each key type.
- * Implementations may support other formats as long as the standard
- * format is supported. Implementations that support other formats
- * should ensure that the formats are clearly unambiguous so as to
- * minimize the risk that an invalid input is accidentally interpreted
- * according to a different format.
- *
- * For standard key types, the output format is as follows:
- * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
- * the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
- * ```
- * RSAPublicKey ::= SEQUENCE {
- * modulus INTEGER, -- n
- * publicExponent INTEGER } -- e
- * ```
- * - For elliptic curve keys on a twisted Edwards curve (key types for which
- * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY
- * returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined
- * by RFC 8032
- * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
- * - For other elliptic curve public keys (key types for which
- * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
- * representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
- * Let `m` be the bit size associated with the curve, i.e. the bit size of
- * `q` for a curve over `F_q`. The representation consists of:
- * - The byte 0x04;
- * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
- * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
- * - For Diffie-Hellman key exchange public keys (key types for which
- * #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
- * the format is the representation of the public key `y = g^x mod p` as a
- * big-endian byte string. The length of the byte string is the length of the
- * base prime `p` in bytes.
- *
- * Exporting a public key object or the public part of a key pair is
- * always permitted, regardless of the key's usage flags.
- *
- * \param key Identifier of the key to export.
- * \param[out] data Buffer where the key data is to be written.
- * \param data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes
- * that make up the key data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key is neither a public key nor a key pair.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p data buffer is too small. You can determine a
- * sufficient buffer size by calling
- * #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
- * where \c type is the key type
- * and \c bits is the key size in bits.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-
-
-/**@}*/
-
-/** \defgroup hash Message digests
- * @{
- */
-
-/** Calculate the hash (digest) of a message.
- *
- * \note To verify the hash of a message against an
- * expected value, use psa_hash_compare() instead.
- *
- * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_HASH(\p alg) is true).
- * \param[in] input Buffer containing the message to hash.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] hash Buffer where the hash is to be written.
- * \param hash_size Size of the \p hash buffer in bytes.
- * \param[out] hash_length On success, the number of bytes
- * that make up the hash value. This is always
- * #PSA_HASH_LENGTH(\p alg).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a hash algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p hash_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_compute(psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-
-/** Calculate the hash (digest) of a message and compare it with a
- * reference value.
- *
- * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_HASH(\p alg) is true).
- * \param[in] input Buffer containing the message to hash.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] hash Buffer containing the expected hash value.
- * \param hash_length Size of the \p hash buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The expected hash is identical to the actual hash of the input.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The hash of the message was calculated successfully, but it
- * differs from the expected hash.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a hash algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p input_length or \p hash_length do not match the hash size for \p alg
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_compare(psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *hash,
- size_t hash_length);
-
-/** The type of the state data structure for multipart hash operations.
- *
- * Before calling any function on a hash operation object, the application must
- * initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_hash_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_hash_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT,
- * for example:
- * \code
- * psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_hash_operation_init()
- * to the structure, for example:
- * \code
- * psa_hash_operation_t operation;
- * operation = psa_hash_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_hash_operation_s psa_hash_operation_t;
-
-/** \def PSA_HASH_OPERATION_INIT
- *
- * This macro returns a suitable initializer for a hash operation object
- * of type #psa_hash_operation_t.
- */
-
-/** Return an initial value for a hash operation object.
- */
-static psa_hash_operation_t psa_hash_operation_init(void);
-
-/** Set up a multipart hash operation.
- *
- * The sequence of operations to calculate a hash (message digest)
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
- * -# Call psa_hash_setup() to specify the algorithm.
- * -# Call psa_hash_update() zero, one or more times, passing a fragment
- * of the message each time. The hash that is calculated is the hash
- * of the concatenation of these messages in order.
- * -# To calculate the hash, call psa_hash_finish().
- * To compare the hash with an expected value, call psa_hash_verify().
- *
- * If an error occurs at any step after a call to psa_hash_setup(), the
- * operation will need to be reset by a call to psa_hash_abort(). The
- * application may call psa_hash_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_hash_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to psa_hash_finish() or psa_hash_verify().
- * - A call to psa_hash_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_hash_operation_t and not yet in use.
- * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_HASH(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not a supported hash algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p alg is not a hash algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
- psa_algorithm_t alg);
-
-/** Add a message fragment to a multipart hash operation.
- *
- * The application must call psa_hash_setup() before calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_hash_abort().
- *
- * \param[in,out] operation Active hash operation.
- * \param[in] input Buffer containing the message fragment to hash.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_update(psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Finish the calculation of the hash of a message.
- *
- * The application must call psa_hash_setup() before calling this function.
- * This function calculates the hash of the message formed by concatenating
- * the inputs passed to preceding calls to psa_hash_update().
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_hash_abort().
- *
- * \warning Applications should not call this function if they expect
- * a specific value for the hash. Call psa_hash_verify() instead.
- * Beware that comparing integrity or authenticity data such as
- * hash values with a function such as \c memcmp is risky
- * because the time taken by the comparison may leak information
- * about the hashed data which could allow an attacker to guess
- * a valid hash and thereby bypass security controls.
- *
- * \param[in,out] operation Active hash operation.
- * \param[out] hash Buffer where the hash is to be written.
- * \param hash_size Size of the \p hash buffer in bytes.
- * \param[out] hash_length On success, the number of bytes
- * that make up the hash value. This is always
- * #PSA_HASH_LENGTH(\c alg) where \c alg is the
- * hash algorithm that is calculated.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p hash buffer is too small. You can determine a
- * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
- * where \c alg is the hash algorithm that is calculated.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-
-/** Finish the calculation of the hash of a message and compare it with
- * an expected value.
- *
- * The application must call psa_hash_setup() before calling this function.
- * This function calculates the hash of the message formed by concatenating
- * the inputs passed to preceding calls to psa_hash_update(). It then
- * compares the calculated hash with the expected hash passed as a
- * parameter to this function.
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_hash_abort().
- *
- * \note Implementations shall make the best effort to ensure that the
- * comparison between the actual hash and the expected hash is performed
- * in constant time.
- *
- * \param[in,out] operation Active hash operation.
- * \param[in] hash Buffer containing the expected hash value.
- * \param hash_length Size of the \p hash buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The expected hash is identical to the actual hash of the message.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The hash of the message was calculated successfully, but it
- * differs from the expected hash.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length);
-
-/** Abort a hash operation.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * psa_hash_setup() again.
- *
- * You may call this function any time after the operation object has
- * been initialized by one of the methods described in #psa_hash_operation_t.
- *
- * In particular, calling psa_hash_abort() after the operation has been
- * terminated by a call to psa_hash_abort(), psa_hash_finish() or
- * psa_hash_verify() is safe and has no effect.
- *
- * \param[in,out] operation Initialized hash operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
-
-/** Clone a hash operation.
- *
- * This function copies the state of an ongoing hash operation to
- * a new operation object. In other words, this function is equivalent
- * to calling psa_hash_setup() on \p target_operation with the same
- * algorithm that \p source_operation was set up for, then
- * psa_hash_update() on \p target_operation with the same input that
- * that was passed to \p source_operation. After this function returns, the
- * two objects are independent, i.e. subsequent calls involving one of
- * the objects do not affect the other object.
- *
- * \param[in] source_operation The active hash operation to clone.
- * \param[in,out] target_operation The operation object to set up.
- * It must be initialized but not active.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The \p source_operation state is not valid (it must be active), or
- * the \p target_operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
- psa_hash_operation_t *target_operation);
-
-/**@}*/
-
-/** \defgroup MAC Message authentication codes
- * @{
- */
-
-/** Calculate the MAC (message authentication code) of a message.
- *
- * \note To verify the MAC of a message against an
- * expected value, use psa_mac_verify() instead.
- * Beware that comparing integrity or authenticity data such as
- * MAC values with a function such as \c memcmp is risky
- * because the time taken by the comparison may leak information
- * about the MAC value which could allow an attacker to guess
- * a valid MAC and thereby bypass security controls.
- *
- * \param key Identifier of the key to use for the operation. It
- * must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
- * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- * \param[in] input Buffer containing the input message.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] mac Buffer where the MAC value is to be written.
- * \param mac_size Size of the \p mac buffer in bytes.
- * \param[out] mac_length On success, the number of bytes
- * that make up the MAC value.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p mac_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The key could not be retrieved from storage.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-
-/** Calculate the MAC of a message and compare it with a reference value.
- *
- * \param key Identifier of the key to use for the operation. It
- * must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
- * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- * \param[in] input Buffer containing the input message.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] mac Buffer containing the expected MAC value.
- * \param mac_length Size of the \p mac buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The expected MAC is identical to the actual MAC of the input.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The MAC of the message was calculated successfully, but it
- * differs from the expected value.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The key could not be retrieved from storage.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *mac,
- size_t mac_length);
-
-/** The type of the state data structure for multipart MAC operations.
- *
- * Before calling any function on a MAC operation object, the application must
- * initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_mac_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_mac_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
- * for example:
- * \code
- * psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_mac_operation_init()
- * to the structure, for example:
- * \code
- * psa_mac_operation_t operation;
- * operation = psa_mac_operation_init();
- * \endcode
- *
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_mac_operation_s psa_mac_operation_t;
-
-/** \def PSA_MAC_OPERATION_INIT
- *
- * This macro returns a suitable initializer for a MAC operation object of type
- * #psa_mac_operation_t.
- */
-
-/** Return an initial value for a MAC operation object.
- */
-static psa_mac_operation_t psa_mac_operation_init(void);
-
-/** Set up a multipart MAC calculation operation.
- *
- * This function sets up the calculation of the MAC
- * (message authentication code) of a byte string.
- * To verify the MAC of a message against an
- * expected value, use psa_mac_verify_setup() instead.
- *
- * The sequence of operations to calculate a MAC is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
- * -# Call psa_mac_sign_setup() to specify the algorithm and key.
- * -# Call psa_mac_update() zero, one or more times, passing a fragment
- * of the message each time. The MAC that is calculated is the MAC
- * of the concatenation of these messages in order.
- * -# At the end of the message, call psa_mac_sign_finish() to finish
- * calculating the MAC value and retrieve it.
- *
- * If an error occurs at any step after a call to psa_mac_sign_setup(), the
- * operation will need to be reset by a call to psa_mac_abort(). The
- * application may call psa_mac_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_mac_sign_setup(), the application must
- * eventually terminate the operation through one of the following methods:
- * - A successful call to psa_mac_sign_finish().
- * - A call to psa_mac_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_mac_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation. It
- * must remain valid until the operation terminates.
- * It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
- * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The key could not be retrieved from storage.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Set up a multipart MAC verification operation.
- *
- * This function sets up the verification of the MAC
- * (message authentication code) of a byte string against an expected value.
- *
- * The sequence of operations to verify a MAC is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
- * -# Call psa_mac_verify_setup() to specify the algorithm and key.
- * -# Call psa_mac_update() zero, one or more times, passing a fragment
- * of the message each time. The MAC that is calculated is the MAC
- * of the concatenation of these messages in order.
- * -# At the end of the message, call psa_mac_verify_finish() to finish
- * calculating the actual MAC of the message and verify it against
- * the expected value.
- *
- * If an error occurs at any step after a call to psa_mac_verify_setup(), the
- * operation will need to be reset by a call to psa_mac_abort(). The
- * application may call psa_mac_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_mac_verify_setup(), the application must
- * eventually terminate the operation through one of the following methods:
- * - A successful call to psa_mac_verify_finish().
- * - A call to psa_mac_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_mac_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation. It
- * must remain valid until the operation terminates.
- * It must allow the usage
- * PSA_KEY_USAGE_VERIFY_MESSAGE.
- * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c key is not compatible with \c alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \c alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The key could not be retrieved from storage.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Add a message fragment to a multipart MAC operation.
- *
- * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
- * before calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_mac_abort().
- *
- * \param[in,out] operation Active MAC operation.
- * \param[in] input Buffer containing the message fragment to add to
- * the MAC calculation.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_update(psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Finish the calculation of the MAC of a message.
- *
- * The application must call psa_mac_sign_setup() before calling this function.
- * This function calculates the MAC of the message formed by concatenating
- * the inputs passed to preceding calls to psa_mac_update().
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_mac_abort().
- *
- * \warning Applications should not call this function if they expect
- * a specific value for the MAC. Call psa_mac_verify_finish() instead.
- * Beware that comparing integrity or authenticity data such as
- * MAC values with a function such as \c memcmp is risky
- * because the time taken by the comparison may leak information
- * about the MAC value which could allow an attacker to guess
- * a valid MAC and thereby bypass security controls.
- *
- * \param[in,out] operation Active MAC operation.
- * \param[out] mac Buffer where the MAC value is to be written.
- * \param mac_size Size of the \p mac buffer in bytes.
- * \param[out] mac_length On success, the number of bytes
- * that make up the MAC value. This is always
- * #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg)
- * where \c key_type and \c key_bits are the type and
- * bit-size respectively of the key and \c alg is the
- * MAC algorithm that is calculated.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p mac buffer is too small. You can determine a
- * sufficient buffer size by calling PSA_MAC_LENGTH().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active mac sign
- * operation), or the library has not been previously initialized
- * by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-
-/** Finish the calculation of the MAC of a message and compare it with
- * an expected value.
- *
- * The application must call psa_mac_verify_setup() before calling this function.
- * This function calculates the MAC of the message formed by concatenating
- * the inputs passed to preceding calls to psa_mac_update(). It then
- * compares the calculated MAC with the expected MAC passed as a
- * parameter to this function.
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_mac_abort().
- *
- * \note Implementations shall make the best effort to ensure that the
- * comparison between the actual MAC and the expected MAC is performed
- * in constant time.
- *
- * \param[in,out] operation Active MAC operation.
- * \param[in] mac Buffer containing the expected MAC value.
- * \param mac_length Size of the \p mac buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The expected MAC is identical to the actual MAC of the message.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The MAC of the message was calculated successfully, but it
- * differs from the expected MAC.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active mac verify
- * operation), or the library has not been previously initialized
- * by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length);
-
-/** Abort a MAC operation.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * psa_mac_sign_setup() or psa_mac_verify_setup() again.
- *
- * You may call this function any time after the operation object has
- * been initialized by one of the methods described in #psa_mac_operation_t.
- *
- * In particular, calling psa_mac_abort() after the operation has been
- * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
- * psa_mac_verify_finish() is safe and has no effect.
- *
- * \param[in,out] operation Initialized MAC operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
-
-/**@}*/
-
-/** \defgroup cipher Symmetric ciphers
- * @{
- */
-
-/** Encrypt a message using a symmetric cipher.
- *
- * This function encrypts a message with a random IV (initialization
- * vector). Use the multipart operation interface with a
- * #psa_cipher_operation_t object to provide other forms of IV.
- *
- * \param key Identifier of the key to use for the operation.
- * It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
- * \param alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param[in] input Buffer containing the message to encrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * The output contains the IV followed by
- * the ciphertext proper.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Decrypt a message using a symmetric cipher.
- *
- * This function decrypts a message encrypted with a symmetric cipher.
- *
- * \param key Identifier of the key to use for the operation.
- * It must remain valid until the operation
- * terminates. It must allow the usage
- * #PSA_KEY_USAGE_DECRYPT.
- * \param alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param[in] input Buffer containing the message to decrypt.
- * This consists of the IV followed by the
- * ciphertext proper.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the plaintext is to be written.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** The type of the state data structure for multipart cipher operations.
- *
- * Before calling any function on a cipher operation object, the application
- * must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_cipher_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_cipher_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
- * for example:
- * \code
- * psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_cipher_operation_init()
- * to the structure, for example:
- * \code
- * psa_cipher_operation_t operation;
- * operation = psa_cipher_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_cipher_operation_s psa_cipher_operation_t;
-
-/** \def PSA_CIPHER_OPERATION_INIT
- *
- * This macro returns a suitable initializer for a cipher operation object of
- * type #psa_cipher_operation_t.
- */
-
-/** Return an initial value for a cipher operation object.
- */
-static psa_cipher_operation_t psa_cipher_operation_init(void);
-
-/** Set the key for a multipart symmetric encryption operation.
- *
- * The sequence of operations to encrypt a message with a symmetric cipher
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_cipher_operation_t, e.g.
- * #PSA_CIPHER_OPERATION_INIT.
- * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
- * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
- * generate or set the IV (initialization vector). You should use
- * psa_cipher_generate_iv() unless the protocol you are implementing
- * requires a specific IV value.
- * -# Call psa_cipher_update() zero, one or more times, passing a fragment
- * of the message each time.
- * -# Call psa_cipher_finish().
- *
- * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
- * the operation will need to be reset by a call to psa_cipher_abort(). The
- * application may call psa_cipher_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_cipher_encrypt_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to psa_cipher_finish().
- * - A call to psa_cipher_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_cipher_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation.
- * It must remain valid until the operation
- * terminates. It must allow the usage
- * #PSA_KEY_USAGE_ENCRYPT.
- * \param alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Set the key for a multipart symmetric decryption operation.
- *
- * The sequence of operations to decrypt a message with a symmetric cipher
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_cipher_operation_t, e.g.
- * #PSA_CIPHER_OPERATION_INIT.
- * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
- * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
- * decryption. If the IV is prepended to the ciphertext, you can call
- * psa_cipher_update() on a buffer containing the IV followed by the
- * beginning of the message.
- * -# Call psa_cipher_update() zero, one or more times, passing a fragment
- * of the message each time.
- * -# Call psa_cipher_finish().
- *
- * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
- * the operation will need to be reset by a call to psa_cipher_abort(). The
- * application may call psa_cipher_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_cipher_decrypt_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to psa_cipher_finish().
- * - A call to psa_cipher_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_cipher_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation.
- * It must remain valid until the operation
- * terminates. It must allow the usage
- * #PSA_KEY_USAGE_DECRYPT.
- * \param alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Generate an IV for a symmetric encryption operation.
- *
- * This function generates a random IV (initialization vector), nonce
- * or initial counter value for the encryption operation as appropriate
- * for the chosen algorithm, key type and key size.
- *
- * The application must call psa_cipher_encrypt_setup() before
- * calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_cipher_abort().
- *
- * \param[in,out] operation Active cipher operation.
- * \param[out] iv Buffer where the generated IV is to be written.
- * \param iv_size Size of the \p iv buffer in bytes.
- * \param[out] iv_length On success, the number of bytes of the
- * generated IV.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p iv buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, with no IV set),
- * or the library has not been previously initialized
- * by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
- uint8_t *iv,
- size_t iv_size,
- size_t *iv_length);
-
-/** Set the IV for a symmetric encryption or decryption operation.
- *
- * This function sets the IV (initialization vector), nonce
- * or initial counter value for the encryption or decryption operation.
- *
- * The application must call psa_cipher_encrypt_setup() before
- * calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_cipher_abort().
- *
- * \note When encrypting, applications should use psa_cipher_generate_iv()
- * instead of this function, unless implementing a protocol that requires
- * a non-random IV.
- *
- * \param[in,out] operation Active cipher operation.
- * \param[in] iv Buffer containing the IV to use.
- * \param iv_length Size of the IV in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p iv is not acceptable for the chosen algorithm,
- * or the chosen algorithm does not use an IV.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active cipher
- * encrypt operation, with no IV set), or the library has not been
- * previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
- const uint8_t *iv,
- size_t iv_length);
-
-/** Encrypt or decrypt a message fragment in an active cipher operation.
- *
- * Before calling this function, you must:
- * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
- * The choice of setup function determines whether this function
- * encrypts or decrypts its input.
- * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
- * (recommended when encrypting) or psa_cipher_set_iv().
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_cipher_abort().
- *
- * \param[in,out] operation Active cipher operation.
- * \param[in] input Buffer containing the message fragment to
- * encrypt or decrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, with an IV set
- * if required for the algorithm), or the library has not been
- * previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Finish encrypting or decrypting a message in a cipher operation.
- *
- * The application must call psa_cipher_encrypt_setup() or
- * psa_cipher_decrypt_setup() before calling this function. The choice
- * of setup function determines whether this function encrypts or
- * decrypts its input.
- *
- * This function finishes the encryption or decryption of the message
- * formed by concatenating the inputs passed to preceding calls to
- * psa_cipher_update().
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_cipher_abort().
- *
- * \param[in,out] operation Active cipher operation.
- * \param[out] output Buffer where the output is to be written.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total input size passed to this operation is not valid for
- * this particular algorithm. For example, the algorithm is a based
- * on block cipher and requires a whole number of blocks, but the
- * total input size is not a multiple of the block size.
- * \retval #PSA_ERROR_INVALID_PADDING
- * This is a decryption operation for an algorithm that includes
- * padding, and the ciphertext does not contain valid padding.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, with an IV set
- * if required for the algorithm), or the library has not been
- * previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Abort a cipher operation.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
- *
- * You may call this function any time after the operation object has
- * been initialized as described in #psa_cipher_operation_t.
- *
- * In particular, calling psa_cipher_abort() after the operation has been
- * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
- * is safe and has no effect.
- *
- * \param[in,out] operation Initialized cipher operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
-
-/**@}*/
-
-/** \defgroup aead Authenticated encryption with associated data (AEAD)
- * @{
- */
-
-/** Process an authenticated encryption operation.
- *
- * \param key Identifier of the key to use for the
- * operation. It must allow the usage
- * #PSA_KEY_USAGE_ENCRYPT.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- * \param[in] nonce Nonce or IV to use.
- * \param nonce_length Size of the \p nonce buffer in bytes.
- * \param[in] additional_data Additional data that will be authenticated
- * but not encrypted.
- * \param additional_data_length Size of \p additional_data in bytes.
- * \param[in] plaintext Data that will be authenticated and
- * encrypted.
- * \param plaintext_length Size of \p plaintext in bytes.
- * \param[out] ciphertext Output buffer for the authenticated and
- * encrypted data. The additional data is not
- * part of this output. For algorithms where the
- * encrypted data and the authentication tag
- * are defined as separate outputs, the
- * authentication tag is appended to the
- * encrypted data.
- * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
- * \p alg, \p plaintext_length) where
- * \c key_type is the type of \p key.
- * - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
- * plaintext_length) evaluates to the maximum
- * ciphertext size of any supported AEAD
- * encryption.
- * \param[out] ciphertext_length On success, the size of the output
- * in the \p ciphertext buffer.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p ciphertext_size is too small.
- * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
- * \p plaintext_length) or
- * #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
- * determine the required buffer size.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *plaintext,
- size_t plaintext_length,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length);
-
-/** Process an authenticated decryption operation.
- *
- * \param key Identifier of the key to use for the
- * operation. It must allow the usage
- * #PSA_KEY_USAGE_DECRYPT.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- * \param[in] nonce Nonce or IV to use.
- * \param nonce_length Size of the \p nonce buffer in bytes.
- * \param[in] additional_data Additional data that has been authenticated
- * but not encrypted.
- * \param additional_data_length Size of \p additional_data in bytes.
- * \param[in] ciphertext Data that has been authenticated and
- * encrypted. For algorithms where the
- * encrypted data and the authentication tag
- * are defined as separate inputs, the buffer
- * must contain the encrypted data followed
- * by the authentication tag.
- * \param ciphertext_length Size of \p ciphertext in bytes.
- * \param[out] plaintext Output buffer for the decrypted data.
- * \param plaintext_size Size of the \p plaintext buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
- * \p alg, \p ciphertext_length) where
- * \c key_type is the type of \p key.
- * - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
- * ciphertext_length) evaluates to the maximum
- * plaintext size of any supported AEAD
- * decryption.
- * \param[out] plaintext_length On success, the size of the output
- * in the \p plaintext buffer.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The ciphertext is not authentic.
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p plaintext_size is too small.
- * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
- * \p ciphertext_length) or
- * #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
- * to determine the required buffer size.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *ciphertext,
- size_t ciphertext_length,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length);
-
-/** The type of the state data structure for multipart AEAD operations.
- *
- * Before calling any function on an AEAD operation object, the application
- * must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_aead_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_aead_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
- * for example:
- * \code
- * psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_aead_operation_init()
- * to the structure, for example:
- * \code
- * psa_aead_operation_t operation;
- * operation = psa_aead_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_aead_operation_s psa_aead_operation_t;
-
-/** \def PSA_AEAD_OPERATION_INIT
- *
- * This macro returns a suitable initializer for an AEAD operation object of
- * type #psa_aead_operation_t.
- */
-
-/** Return an initial value for an AEAD operation object.
- */
-static psa_aead_operation_t psa_aead_operation_init(void);
-
-/** Set the key for a multipart authenticated encryption operation.
- *
- * The sequence of operations to encrypt a message with authentication
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_aead_operation_t, e.g.
- * #PSA_AEAD_OPERATION_INIT.
- * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
- * -# If needed, call psa_aead_set_lengths() to specify the length of the
- * inputs to the subsequent calls to psa_aead_update_ad() and
- * psa_aead_update(). See the documentation of psa_aead_set_lengths()
- * for details.
- * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
- * generate or set the nonce. You should use
- * psa_aead_generate_nonce() unless the protocol you are implementing
- * requires a specific nonce value.
- * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
- * of the non-encrypted additional authenticated data each time.
- * -# Call psa_aead_update() zero, one or more times, passing a fragment
- * of the message to encrypt each time.
- * -# Call psa_aead_finish().
- *
- * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
- * the operation will need to be reset by a call to psa_aead_abort(). The
- * application may call psa_aead_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_aead_encrypt_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to psa_aead_finish().
- * - A call to psa_aead_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_aead_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation.
- * It must remain valid until the operation
- * terminates. It must allow the usage
- * #PSA_KEY_USAGE_ENCRYPT.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Set the key for a multipart authenticated decryption operation.
- *
- * The sequence of operations to decrypt a message with authentication
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_aead_operation_t, e.g.
- * #PSA_AEAD_OPERATION_INIT.
- * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
- * -# If needed, call psa_aead_set_lengths() to specify the length of the
- * inputs to the subsequent calls to psa_aead_update_ad() and
- * psa_aead_update(). See the documentation of psa_aead_set_lengths()
- * for details.
- * -# Call psa_aead_set_nonce() with the nonce for the decryption.
- * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
- * of the non-encrypted additional authenticated data each time.
- * -# Call psa_aead_update() zero, one or more times, passing a fragment
- * of the ciphertext to decrypt each time.
- * -# Call psa_aead_verify().
- *
- * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
- * the operation will need to be reset by a call to psa_aead_abort(). The
- * application may call psa_aead_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_aead_decrypt_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to psa_aead_verify().
- * - A call to psa_aead_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_aead_operation_t and not yet in use.
- * \param key Identifier of the key to use for the operation.
- * It must remain valid until the operation
- * terminates. It must allow the usage
- * #PSA_KEY_USAGE_DECRYPT.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not compatible with \p alg.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or the
- * library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg);
-
-/** Generate a random nonce for an authenticated encryption operation.
- *
- * This function generates a random nonce for the authenticated encryption
- * operation with an appropriate size for the chosen algorithm, key type
- * and key size.
- *
- * The application must call psa_aead_encrypt_setup() before
- * calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[out] nonce Buffer where the generated nonce is to be
- * written.
- * \param nonce_size Size of the \p nonce buffer in bytes.
- * \param[out] nonce_length On success, the number of bytes of the
- * generated nonce.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p nonce buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active aead encrypt
- * operation, with no nonce set), or the library has not been
- * previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
- uint8_t *nonce,
- size_t nonce_size,
- size_t *nonce_length);
-
-/** Set the nonce for an authenticated encryption or decryption operation.
- *
- * This function sets the nonce for the authenticated
- * encryption or decryption operation.
- *
- * The application must call psa_aead_encrypt_setup() or
- * psa_aead_decrypt_setup() before calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \note When encrypting, applications should use psa_aead_generate_nonce()
- * instead of this function, unless implementing a protocol that requires
- * a non-random IV.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] nonce Buffer containing the nonce to use.
- * \param nonce_length Size of the nonce in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p nonce is not acceptable for the chosen algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, with no nonce
- * set), or the library has not been previously initialized
- * by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
- const uint8_t *nonce,
- size_t nonce_length);
-
-/** Declare the lengths of the message and additional data for AEAD.
- *
- * The application must call this function before calling
- * psa_aead_update_ad() or psa_aead_update() if the algorithm for
- * the operation requires it. If the algorithm does not require it,
- * calling this function is optional, but if this function is called
- * then the implementation must enforce the lengths.
- *
- * You may call this function before or after setting the nonce with
- * psa_aead_set_nonce() or psa_aead_generate_nonce().
- *
- * - For #PSA_ALG_CCM, calling this function is required.
- * - For the other AEAD algorithms defined in this specification, calling
- * this function is not required.
- * - For vendor-defined algorithm, refer to the vendor documentation.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param ad_length Size of the non-encrypted additional
- * authenticated data in bytes.
- * \param plaintext_length Size of the plaintext to encrypt in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * At least one of the lengths is not acceptable for the chosen
- * algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, and
- * psa_aead_update_ad() and psa_aead_update() must not have been
- * called yet), or the library has not been previously initialized
- * by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
- size_t ad_length,
- size_t plaintext_length);
-
-/** Pass additional data to an active AEAD operation.
- *
- * Additional data is authenticated, but not encrypted.
- *
- * You may call this function multiple times to pass successive fragments
- * of the additional data. You may not call this function after passing
- * data to encrypt or decrypt with psa_aead_update().
- *
- * Before calling this function, you must:
- * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
- * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
- * there is no guarantee that the input is valid. Therefore, until
- * you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
- * treat the input as untrusted and prepare to undo any action that
- * depends on the input if psa_aead_verify() returns an error status.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] input Buffer containing the fragment of
- * additional data.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total input length overflows the additional data length that
- * was previously specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, have a nonce
- * set, have lengths set if required by the algorithm, and
- * psa_aead_update() must not have been called yet), or the library
- * has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Encrypt or decrypt a message fragment in an active AEAD operation.
- *
- * Before calling this function, you must:
- * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
- * The choice of setup function determines whether this function
- * encrypts or decrypts its input.
- * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
- * 3. Call psa_aead_update_ad() to pass all the additional data.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
- * there is no guarantee that the input is valid. Therefore, until
- * you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
- * - Do not use the output in any way other than storing it in a
- * confidential location. If you take any action that depends
- * on the tentative decrypted data, this action will need to be
- * undone if the input turns out not to be valid. Furthermore,
- * if an adversary can observe that this action took place
- * (for example through timing), they may be able to use this
- * fact as an oracle to decrypt any message encrypted with the
- * same key.
- * - In particular, do not copy the output anywhere but to a
- * memory or storage space that you have exclusive access to.
- *
- * This function does not require the input to be aligned to any
- * particular block boundary. If the implementation can only process
- * a whole block at a time, it must consume all the input provided, but
- * it may delay the end of the corresponding output until a subsequent
- * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
- * provides sufficient input. The amount of data that can be delayed
- * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] input Buffer containing the message fragment to
- * encrypt or decrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * \param output_size Size of the \p output buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
- * \c alg, \p input_length) where
- * \c key_type is the type of key and \c alg is
- * the algorithm that were used to set up the
- * operation.
- * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
- * input_length) evaluates to the maximum
- * output size of any supported AEAD
- * algorithm.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
- * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
- * determine the required buffer size.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total length of input to psa_aead_update_ad() so far is
- * less than the additional data length that was previously
- * specified with psa_aead_set_lengths(), or
- * the total input length overflows the plaintext length that
- * was previously specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, have a nonce
- * set, and have lengths set if required by the algorithm), or the
- * library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_update(psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Finish encrypting a message in an AEAD operation.
- *
- * The operation must have been set up with psa_aead_encrypt_setup().
- *
- * This function finishes the authentication of the additional data
- * formed by concatenating the inputs passed to preceding calls to
- * psa_aead_update_ad() with the plaintext formed by concatenating the
- * inputs passed to preceding calls to psa_aead_update().
- *
- * This function has two output buffers:
- * - \p ciphertext contains trailing ciphertext that was buffered from
- * preceding calls to psa_aead_update().
- * - \p tag contains the authentication tag.
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[out] ciphertext Buffer where the last part of the ciphertext
- * is to be written.
- * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
- * \c alg) where \c key_type is the type of key
- * and \c alg is the algorithm that were used to
- * set up the operation.
- * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
- * the maximum output size of any supported AEAD
- * algorithm.
- * \param[out] ciphertext_length On success, the number of bytes of
- * returned ciphertext.
- * \param[out] tag Buffer where the authentication tag is
- * to be written.
- * \param tag_size Size of the \p tag buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
- * key_type, \c key_bits, \c alg) where
- * \c key_type and \c key_bits are the type and
- * bit-size of the key, and \c alg is the
- * algorithm that were used in the call to
- * psa_aead_encrypt_setup().
- * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
- * maximum tag size of any supported AEAD
- * algorithm.
- * \param[out] tag_length On success, the number of bytes
- * that make up the returned tag.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p ciphertext or \p tag buffer is too small.
- * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
- * #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
- * required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
- * \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
- * determine the required \p tag buffer size.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total length of input to psa_aead_update_ad() so far is
- * less than the additional data length that was previously
- * specified with psa_aead_set_lengths(), or
- * the total length of input to psa_aead_update() so far is
- * less than the plaintext length that was previously
- * specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active encryption
- * operation with a nonce set), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length,
- uint8_t *tag,
- size_t tag_size,
- size_t *tag_length);
-
-/** Finish authenticating and decrypting a message in an AEAD operation.
- *
- * The operation must have been set up with psa_aead_decrypt_setup().
- *
- * This function finishes the authenticated decryption of the message
- * components:
- *
- * - The additional data consisting of the concatenation of the inputs
- * passed to preceding calls to psa_aead_update_ad().
- * - The ciphertext consisting of the concatenation of the inputs passed to
- * preceding calls to psa_aead_update().
- * - The tag passed to this function call.
- *
- * If the authentication tag is correct, this function outputs any remaining
- * plaintext and reports success. If the authentication tag is not correct,
- * this function returns #PSA_ERROR_INVALID_SIGNATURE.
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_aead_abort().
- *
- * \note Implementations shall make the best effort to ensure that the
- * comparison between the actual tag and the expected tag is performed
- * in constant time.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[out] plaintext Buffer where the last part of the plaintext
- * is to be written. This is the remaining data
- * from previous calls to psa_aead_update()
- * that could not be processed until the end
- * of the input.
- * \param plaintext_size Size of the \p plaintext buffer in bytes.
- * This must be appropriate for the selected algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
- * \c alg) where \c key_type is the type of key
- * and \c alg is the algorithm that were used to
- * set up the operation.
- * - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
- * the maximum output size of any supported AEAD
- * algorithm.
- * \param[out] plaintext_length On success, the number of bytes of
- * returned plaintext.
- * \param[in] tag Buffer containing the authentication tag.
- * \param tag_length Size of the \p tag buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculations were successful, but the authentication tag is
- * not correct.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p plaintext buffer is too small.
- * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
- * #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
- * required buffer size.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total length of input to psa_aead_update_ad() so far is
- * less than the additional data length that was previously
- * specified with psa_aead_set_lengths(), or
- * the total length of input to psa_aead_update() so far is
- * less than the plaintext length that was previously
- * specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active decryption
- * operation with a nonce set), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length,
- const uint8_t *tag,
- size_t tag_length);
-
-/** Abort an AEAD operation.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
- *
- * You may call this function any time after the operation object has
- * been initialized as described in #psa_aead_operation_t.
- *
- * In particular, calling psa_aead_abort() after the operation has been
- * terminated by a call to psa_aead_abort(), psa_aead_finish() or
- * psa_aead_verify() is safe and has no effect.
- *
- * \param[in,out] operation Initialized AEAD operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
-
-/**@}*/
-
-/** \defgroup asymmetric Asymmetric cryptography
- * @{
- */
-
-/**
- * \brief Sign a message with a private key. For hash-and-sign algorithms,
- * this includes the hashing step.
- *
- * \note To perform a multi-part hash-and-sign signature algorithm, first use
- * a multi-part hash operation and then pass the resulting hash to
- * psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
- * hash algorithm to use.
- *
- * \param[in] key Identifier of the key to use for the operation.
- * It must be an asymmetric key pair. The key must
- * allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
- * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
- * is true), that is compatible with the type of
- * \p key.
- * \param[in] input The input message to sign.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes. This
- * must be appropriate for the selected
- * algorithm and key:
- * - The required signature size is
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and
- * bit-size respectively of key.
- * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
- * maximum signature size of any supported
- * signature algorithm.
- * \param[out] signature_length On success, the number of bytes that make up
- * the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
- * or it does not permit the requested algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length);
-
-/** \brief Verify the signature of a message with a public key, using
- * a hash-and-sign verification algorithm.
- *
- * \note To perform a multi-part hash-and-sign signature verification
- * algorithm, first use a multi-part hash operation to hash the message
- * and then pass the resulting hash to psa_verify_hash().
- * PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
- * to use.
- *
- * \param[in] key Identifier of the key to use for the operation.
- * It must be a public key or an asymmetric key
- * pair. The key must allow the usage
- * #PSA_KEY_USAGE_VERIFY_MESSAGE.
- * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
- * is true), that is compatible with the type of
- * \p key.
- * \param[in] input The message whose signature is to be verified.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[out] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
- * or it does not permit the requested algorithm.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed signature
- * is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *signature,
- size_t signature_length);
-
-/**
- * \brief Sign a hash or short message with a private key.
- *
- * Note that to perform a hash-and-sign signature algorithm, you must
- * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
- * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
- * Then pass the resulting hash as the \p hash
- * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
- * to determine the hash algorithm to use.
- *
- * \param key Identifier of the key to use for the operation.
- * It must be an asymmetric key pair. The key must
- * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
- * \param alg A signature algorithm (PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
- * is true), that is compatible with
- * the type of \p key.
- * \param[in] hash The hash or message to sign.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length);
-
-/**
- * \brief Verify the signature of a hash or short message using a public key.
- *
- * Note that to perform a hash-and-sign signature algorithm, you must
- * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
- * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
- * Then pass the resulting hash as the \p hash
- * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
- * to determine the hash algorithm to use.
- *
- * \param key Identifier of the key to use for the operation. It
- * must be a public key or an asymmetric key pair. The
- * key must allow the usage
- * #PSA_KEY_USAGE_VERIFY_HASH.
- * \param alg A signature algorithm (PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
- * is true), that is compatible with
- * the type of \p key.
- * \param[in] hash The hash or message whose signature is to be
- * verified.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length);
-
-/**
- * \brief Encrypt a short message with a public key.
- *
- * \param key Identifier of the key to use for the operation.
- * It must be a public key or an asymmetric key
- * pair. It must allow the usage
- * #PSA_KEY_USAGE_ENCRYPT.
- * \param alg An asymmetric encryption algorithm that is
- * compatible with the type of \p key.
- * \param[in] input The message to encrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[in] salt A salt or label, if supported by the
- * encryption algorithm.
- * If the algorithm does not support a
- * salt, pass \c NULL.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass \c NULL.
- *
- * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param salt_length Size of the \p salt buffer in bytes.
- * If \p salt is \c NULL, pass 0.
- * \param[out] output Buffer where the encrypted message is to
- * be written.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/**
- * \brief Decrypt a short message with a private key.
- *
- * \param key Identifier of the key to use for the operation.
- * It must be an asymmetric key pair. It must
- * allow the usage #PSA_KEY_USAGE_DECRYPT.
- * \param alg An asymmetric encryption algorithm that is
- * compatible with the type of \p key.
- * \param[in] input The message to decrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[in] salt A salt or label, if supported by the
- * encryption algorithm.
- * If the algorithm does not support a
- * salt, pass \c NULL.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass \c NULL.
- *
- * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param salt_length Size of the \p salt buffer in bytes.
- * If \p salt is \c NULL, pass 0.
- * \param[out] output Buffer where the decrypted message is to
- * be written.
- * \param output_size Size of the \c output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/**@}*/
-
-/** \defgroup key_derivation Key derivation and pseudorandom generation
- * @{
- */
-
-/** The type of the state data structure for key derivation operations.
- *
- * Before calling any function on a key derivation operation object, the
- * application must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_key_derivation_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_key_derivation_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
- * for example:
- * \code
- * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_key_derivation_operation_init()
- * to the structure, for example:
- * \code
- * psa_key_derivation_operation_t operation;
- * operation = psa_key_derivation_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice.
- */
-typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
-
-/** \def PSA_KEY_DERIVATION_OPERATION_INIT
- *
- * This macro returns a suitable initializer for a key derivation operation
- * object of type #psa_key_derivation_operation_t.
- */
-
-/** Return an initial value for a key derivation operation object.
- */
-static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
-
-/** Set up a key derivation operation.
- *
- * A key derivation algorithm takes some inputs and uses them to generate
- * a byte stream in a deterministic way.
- * This byte stream can be used to produce keys and other
- * cryptographic material.
- *
- * To derive a key:
- * -# Start with an initialized object of type #psa_key_derivation_operation_t.
- * -# Call psa_key_derivation_setup() to select the algorithm.
- * -# Provide the inputs for the key derivation by calling
- * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
- * as appropriate. Which inputs are needed, in what order, and whether
- * they may be keys and if so of what type depends on the algorithm.
- * -# Optionally set the operation's maximum capacity with
- * psa_key_derivation_set_capacity(). You may do this before, in the middle
- * of or after providing inputs. For some algorithms, this step is mandatory
- * because the output depends on the maximum capacity.
- * -# To derive a key, call psa_key_derivation_output_key().
- * To derive a byte string for a different purpose, call
- * psa_key_derivation_output_bytes().
- * Successive calls to these functions use successive output bytes
- * calculated by the key derivation algorithm.
- * -# Clean up the key derivation operation object with
- * psa_key_derivation_abort().
- *
- * If this function returns an error, the key derivation operation object is
- * not changed.
- *
- * If an error occurs at any step after a call to psa_key_derivation_setup(),
- * the operation will need to be reset by a call to psa_key_derivation_abort().
- *
- * Implementations must reject an attempt to derive a key of size 0.
- *
- * \param[in,out] operation The key derivation operation object
- * to set up. It must
- * have been initialized but not set up yet.
- * \param alg The key derivation algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c alg is not a key derivation algorithm.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \c alg is not supported or is not a key derivation algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_setup(
- psa_key_derivation_operation_t *operation,
- psa_algorithm_t alg);
-
-/** Retrieve the current capacity of a key derivation operation.
- *
- * The capacity of a key derivation is the maximum number of bytes that it can
- * return. When you get *N* bytes of output from a key derivation operation,
- * this reduces its capacity by *N*.
- *
- * \param[in] operation The operation to query.
- * \param[out] capacity On success, the capacity of the operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_get_capacity(
- const psa_key_derivation_operation_t *operation,
- size_t *capacity);
-
-/** Set the maximum capacity of a key derivation operation.
- *
- * The capacity of a key derivation operation is the maximum number of bytes
- * that the key derivation operation can return from this point onwards.
- *
- * \param[in,out] operation The key derivation operation object to modify.
- * \param capacity The new capacity of the operation.
- * It must be less or equal to the operation's
- * current capacity.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p capacity is larger than the operation's current capacity.
- * In this case, the operation object remains valid and its capacity
- * remains unchanged.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active), or the
- * library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_set_capacity(
- psa_key_derivation_operation_t *operation,
- size_t capacity);
-
-/** Use the maximum possible capacity for a key derivation operation.
- *
- * Use this value as the capacity argument when setting up a key derivation
- * to indicate that the operation should have the maximum possible capacity.
- * The value of the maximum possible capacity depends on the key derivation
- * algorithm.
- */
-#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t) (-1))
-
-/** Provide an input for key derivation or key agreement.
- *
- * Which inputs are required and in what order depends on the algorithm.
- * Refer to the documentation of each key derivation or key agreement
- * algorithm for information.
- *
- * This function passes direct inputs, which is usually correct for
- * non-secret inputs. To pass a secret input, which should be in a key
- * object, call psa_key_derivation_input_key() instead of this function.
- * Refer to the documentation of individual step types
- * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
- * for more information.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to use.
- * It must have been set up with
- * psa_key_derivation_setup() and must not
- * have produced any output yet.
- * \param step Which step the input data is for.
- * \param[in] data Input data to use.
- * \param data_length Size of the \p data buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c step is not compatible with the operation's algorithm, or
- * \c step does not allow direct inputs.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid for this input \p step, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_input_bytes(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length);
-
-/** Provide a numeric input for key derivation or key agreement.
- *
- * Which inputs are required and in what order depends on the algorithm.
- * However, when an algorithm requires a particular order, numeric inputs
- * usually come first as they tend to be configuration parameters.
- * Refer to the documentation of each key derivation or key agreement
- * algorithm for information.
- *
- * This function is used for inputs which are fixed-size non-negative
- * integers.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to use.
- * It must have been set up with
- * psa_key_derivation_setup() and must not
- * have produced any output yet.
- * \param step Which step the input data is for.
- * \param[in] value The value of the numeric input.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c step is not compatible with the operation's algorithm, or
- * \c step does not allow numeric inputs.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid for this input \p step, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_input_integer(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- uint64_t value);
-
-/** Provide an input for key derivation in the form of a key.
- *
- * Which inputs are required and in what order depends on the algorithm.
- * Refer to the documentation of each key derivation or key agreement
- * algorithm for information.
- *
- * This function obtains input from a key object, which is usually correct for
- * secret inputs or for non-secret personalization strings kept in the key
- * store. To pass a non-secret parameter which is not in the key store,
- * call psa_key_derivation_input_bytes() instead of this function.
- * Refer to the documentation of individual step types
- * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
- * for more information.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to use.
- * It must have been set up with
- * psa_key_derivation_setup() and must not
- * have produced any output yet.
- * \param step Which step the input data is for.
- * \param key Identifier of the key. It must have an
- * appropriate type for step and must allow the
- * usage #PSA_KEY_USAGE_DERIVE or
- * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
- * and the algorithm used by the operation.
- *
- * \note Once all inputs steps are completed, the operations will allow:
- * - psa_key_derivation_output_bytes() if each input was either a direct input
- * or a key with #PSA_KEY_USAGE_DERIVE set;
- * - psa_key_derivation_output_key() if the input for step
- * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
- * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
- * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set;
- * - psa_key_derivation_verify_bytes() if each input was either a direct input
- * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
- * - psa_key_derivation_verify_key() under the same conditions as
- * psa_key_derivation_verify_bytes().
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key allows neither #PSA_KEY_USAGE_DERIVE nor
- * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
- * algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c step is not compatible with the operation's algorithm, or
- * \c step does not allow key inputs of the given type
- * or does not allow key inputs at all.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid for this input \p step, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_input_key(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- mbedtls_svc_key_id_t key);
-
-/** Perform a key agreement and use the shared secret as input to a key
- * derivation.
- *
- * A key agreement algorithm takes two inputs: a private key \p private_key
- * a public key \p peer_key.
- * The result of this function is passed as input to a key derivation.
- * The output of this key derivation can be extracted by reading from the
- * resulting operation to produce keys and other cryptographic material.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to use.
- * It must have been set up with
- * psa_key_derivation_setup() with a
- * key agreement and derivation algorithm
- * \c alg (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
- * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
- * is false).
- * The operation must be ready for an
- * input of the type given by \p step.
- * \param step Which step the input data is for.
- * \param private_key Identifier of the private key to use. It must
- * allow the usage #PSA_KEY_USAGE_DERIVE.
- * \param[in] peer_key Public key of the peer. The peer key must be in the
- * same format that psa_import_key() accepts for the
- * public key type corresponding to the type of
- * private_key. That is, this function performs the
- * equivalent of
- * #psa_import_key(...,
- * `peer_key`, `peer_key_length`) where
- * with key attributes indicating the public key
- * type corresponding to the type of `private_key`.
- * For example, for EC keys, this means that peer_key
- * is interpreted as a point on the curve that the
- * private key is on. The standard formats for public
- * keys are documented in the documentation of
- * psa_export_public_key().
- * \param peer_key_length Size of \p peer_key in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c private_key is not compatible with \c alg,
- * or \p peer_key is not valid for \c alg or not compatible with
- * \c private_key, or \c step does not allow an input resulting
- * from a key agreement.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \c alg is not supported or is not a key derivation algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid for this key agreement \p step,
- * or the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_key_agreement(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- mbedtls_svc_key_id_t private_key,
- const uint8_t *peer_key,
- size_t peer_key_length);
-
-/** Read some data from a key derivation operation.
- *
- * This function calculates output bytes from a key derivation algorithm and
- * return those bytes.
- * If you view the key derivation's output as a stream of bytes, this
- * function destructively reads the requested number of bytes from the
- * stream.
- * The operation's capacity decreases by the number of bytes read.
- *
- * If this function returns an error status other than
- * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to read from.
- * \param[out] output Buffer where the output will be written.
- * \param output_length Number of bytes to output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * One of the inputs was a key whose policy didn't allow
- * #PSA_KEY_USAGE_DERIVE.
- * \retval #PSA_ERROR_INSUFFICIENT_DATA
- * The operation's capacity was less than
- * \p output_length bytes. Note that in this case,
- * no output is written to the output buffer.
- * The operation's capacity is set to 0, thus
- * subsequent calls to this function will not
- * succeed, even with a smaller output buffer.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active and completed
- * all required input steps), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_output_bytes(
- psa_key_derivation_operation_t *operation,
- uint8_t *output,
- size_t output_length);
-
-/** Derive a key from an ongoing key derivation operation.
- *
- * This function calculates output bytes from a key derivation algorithm
- * and uses those bytes to generate a key deterministically.
- * The key's location, usage policy, type and size are taken from
- * \p attributes.
- *
- * If you view the key derivation's output as a stream of bytes, this
- * function destructively reads as many bytes as required from the
- * stream.
- * The operation's capacity decreases by the number of bytes read.
- *
- * If this function returns an error status other than
- * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
- * state and must be aborted by calling psa_key_derivation_abort().
- *
- * How much output is produced and consumed from the operation, and how
- * the key is derived, depends on the key type and on the key size
- * (denoted \c bits below):
- *
- * - For key types for which the key is an arbitrary sequence of bytes
- * of a given size, this function is functionally equivalent to
- * calling #psa_key_derivation_output_bytes
- * and passing the resulting output to #psa_import_key.
- * However, this function has a security benefit:
- * if the implementation provides an isolation boundary then
- * the key material is not exposed outside the isolation boundary.
- * As a consequence, for these key types, this function always consumes
- * exactly (\c bits / 8) bytes from the operation.
- * The following key types defined in this specification follow this scheme:
- *
- * - #PSA_KEY_TYPE_AES;
- * - #PSA_KEY_TYPE_ARIA;
- * - #PSA_KEY_TYPE_CAMELLIA;
- * - #PSA_KEY_TYPE_DERIVE;
- * - #PSA_KEY_TYPE_HMAC;
- * - #PSA_KEY_TYPE_PASSWORD_HASH.
- *
- * - For ECC keys on a Montgomery elliptic curve
- * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
- * Montgomery curve), this function always draws a byte string whose
- * length is determined by the curve, and sets the mandatory bits
- * accordingly. That is:
- *
- * - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
- * string and process it as specified in RFC 7748 &sect;5.
- * - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
- * string and process it as specified in RFC 7748 &sect;5.
- *
- * - For key types for which the key is represented by a single sequence of
- * \c bits bits with constraints as to which bit sequences are acceptable,
- * this function draws a byte string of length (\c bits / 8) bytes rounded
- * up to the nearest whole number of bytes. If the resulting byte string
- * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
- * This process is repeated until an acceptable byte string is drawn.
- * The byte string drawn from the operation is interpreted as specified
- * for the output produced by psa_export_key().
- * The following key types defined in this specification follow this scheme:
- *
- * - #PSA_KEY_TYPE_DES.
- * Force-set the parity bits, but discard forbidden weak keys.
- * For 2-key and 3-key triple-DES, the three keys are generated
- * successively (for example, for 3-key triple-DES,
- * if the first 8 bytes specify a weak key and the next 8 bytes do not,
- * discard the first 8 bytes, use the next 8 bytes as the first key,
- * and continue reading output from the operation to derive the other
- * two keys).
- * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
- * where \c group designates any Diffie-Hellman group) and
- * ECC keys on a Weierstrass elliptic curve
- * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
- * Weierstrass curve).
- * For these key types, interpret the byte string as integer
- * in big-endian order. Discard it if it is not in the range
- * [0, *N* - 2] where *N* is the boundary of the private key domain
- * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
- * or the order of the curve's base point for ECC).
- * Add 1 to the resulting integer and use this as the private key *x*.
- * This method allows compliance to NIST standards, specifically
- * the methods titled "key-pair generation by testing candidates"
- * in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
- * in FIPS 186-4 &sect;B.1.2 for DSA, and
- * in NIST SP 800-56A &sect;5.6.1.2.2 or
- * FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
- *
- * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
- * the way in which the operation output is consumed is
- * implementation-defined.
- *
- * In all cases, the data that is read is discarded from the operation.
- * The operation's capacity is decreased by the number of bytes read.
- *
- * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
- * the input to that step must be provided with psa_key_derivation_input_key().
- * Future versions of this specification may include additional restrictions
- * on the derived key based on the attributes and strength of the secret key.
- *
- * \param[in] attributes The attributes for the new key.
- * If the key type to be created is
- * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
- * the policy must be the same as in the current
- * operation.
- * \param[in,out] operation The key derivation operation object to read from.
- * \param[out] key On success, an identifier for the newly created
- * key. For persistent keys, this is the key
- * identifier defined in \p attributes.
- * \c 0 on failure.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * If the key is persistent, the key material and the key's metadata
- * have been saved to persistent storage.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * This is an attempt to create a persistent key, and there is
- * already a persistent key with the given identifier.
- * \retval #PSA_ERROR_INSUFFICIENT_DATA
- * There was not enough data to create the desired key.
- * Note that in this case, no output is written to the output buffer.
- * The operation's capacity is set to 0, thus subsequent calls to
- * this function will not succeed, even with a smaller output buffer.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The key type or key size is not supported, either by the
- * implementation in general or in this particular location.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The provided key attributes are not valid for the operation.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The #PSA_KEY_DERIVATION_INPUT_SECRET or
- * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
- * key; or one of the inputs was a key whose policy didn't allow
- * #PSA_KEY_USAGE_DERIVE.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active and completed
- * all required input steps), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_output_key(
- const psa_key_attributes_t *attributes,
- psa_key_derivation_operation_t *operation,
- mbedtls_svc_key_id_t *key);
-
-/** Compare output data from a key derivation operation to an expected value.
- *
- * This function calculates output bytes from a key derivation algorithm and
- * compares those bytes to an expected value in constant time.
- * If you view the key derivation's output as a stream of bytes, this
- * function destructively reads the expected number of bytes from the
- * stream before comparing them.
- * The operation's capacity decreases by the number of bytes read.
- *
- * This is functionally equivalent to the following code:
- * \code
- * psa_key_derivation_output_bytes(operation, tmp, output_length);
- * if (memcmp(output, tmp, output_length) != 0)
- * return PSA_ERROR_INVALID_SIGNATURE;
- * \endcode
- * except (1) it works even if the key's policy does not allow outputting the
- * bytes, and (2) the comparison will be done in constant time.
- *
- * If this function returns an error status other than
- * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
- * the operation enters an error state and must be aborted by calling
- * psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to read from.
- * \param[in] expected_output Buffer containing the expected derivation output.
- * \param output_length Length of the expected output; this is also the
- * number of bytes that will be read.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The output was read successfully, but it differs from the expected
- * output.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * One of the inputs was a key whose policy didn't allow
- * #PSA_KEY_USAGE_VERIFY_DERIVATION.
- * \retval #PSA_ERROR_INSUFFICIENT_DATA
- * The operation's capacity was less than
- * \p output_length bytes. Note that in this case,
- * the operation's capacity is set to 0, thus
- * subsequent calls to this function will not
- * succeed, even with a smaller expected output.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active and completed
- * all required input steps), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_verify_bytes(
- psa_key_derivation_operation_t *operation,
- const uint8_t *expected_output,
- size_t output_length);
-
-/** Compare output data from a key derivation operation to an expected value
- * stored in a key object.
- *
- * This function calculates output bytes from a key derivation algorithm and
- * compares those bytes to an expected value, provided as key of type
- * #PSA_KEY_TYPE_PASSWORD_HASH.
- * If you view the key derivation's output as a stream of bytes, this
- * function destructively reads the number of bytes corresponding to the
- * length of the expected value from the stream before comparing them.
- * The operation's capacity decreases by the number of bytes read.
- *
- * This is functionally equivalent to exporting the key and calling
- * psa_key_derivation_verify_bytes() on the result, except that it
- * works even if the key cannot be exported.
- *
- * If this function returns an error status other than
- * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
- * the operation enters an error state and must be aborted by calling
- * psa_key_derivation_abort().
- *
- * \param[in,out] operation The key derivation operation object to read from.
- * \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH
- * containing the expected output. Its policy must
- * include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
- * and the permitted algorithm must match the
- * operation. The value of this key was likely
- * computed by a previous call to
- * psa_key_derivation_output_key().
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The output was read successfully, but if differs from the expected
- * output.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * The key passed as the expected value does not exist.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key passed as the expected value has an invalid type.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key passed as the expected value does not allow this usage or
- * this algorithm; or one of the inputs was a key whose policy didn't
- * allow #PSA_KEY_USAGE_VERIFY_DERIVATION.
- * \retval #PSA_ERROR_INSUFFICIENT_DATA
- * The operation's capacity was less than
- * the length of the expected value. In this case,
- * the operation's capacity is set to 0, thus
- * subsequent calls to this function will not
- * succeed, even with a smaller expected output.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active and completed
- * all required input steps), or the library has not been previously
- * initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_verify_key(
- psa_key_derivation_operation_t *operation,
- psa_key_id_t expected);
-
-/** Abort a key derivation operation.
- *
- * Aborting an operation frees all associated resources except for the \c
- * operation structure itself. Once aborted, the operation object can be reused
- * for another operation by calling psa_key_derivation_setup() again.
- *
- * This function may be called at any time after the operation
- * object has been initialized as described in #psa_key_derivation_operation_t.
- *
- * In particular, it is valid to call psa_key_derivation_abort() twice, or to
- * call psa_key_derivation_abort() on an operation that has not been set up.
- *
- * \param[in,out] operation The operation to abort.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_key_derivation_abort(
- psa_key_derivation_operation_t *operation);
-
-/** Perform a key agreement and return the raw shared secret.
- *
- * \warning The raw result of a key agreement algorithm such as finite-field
- * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
- * not be used directly as key material. It should instead be passed as
- * input to a key derivation algorithm. To chain a key agreement with
- * a key derivation, use psa_key_derivation_key_agreement() and other
- * functions from the key derivation interface.
- *
- * \param alg The key agreement algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
- * is true).
- * \param private_key Identifier of the private key to use. It must
- * allow the usage #PSA_KEY_USAGE_DERIVE.
- * \param[in] peer_key Public key of the peer. It must be
- * in the same format that psa_import_key()
- * accepts. The standard formats for public
- * keys are documented in the documentation
- * of psa_export_public_key().
- * \param peer_key_length Size of \p peer_key in bytes.
- * \param[out] output Buffer where the decrypted message is to
- * be written.
- * \param output_size Size of the \c output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p alg is not a key agreement algorithm, or
- * \p private_key is not compatible with \p alg,
- * or \p peer_key is not valid for \p alg or not compatible with
- * \p private_key.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p output_size is too small
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- mbedtls_svc_key_id_t private_key,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/**@}*/
-
-/** \defgroup random Random generation
- * @{
- */
-
-/**
- * \brief Generate random bytes.
- *
- * \warning This function **can** fail! Callers MUST check the return status
- * and MUST NOT use the content of the output buffer if the return
- * status is not #PSA_SUCCESS.
- *
- * \note To generate a key, use psa_generate_key() instead.
- *
- * \param[out] output Output buffer for the generated data.
- * \param output_size Number of bytes to generate and output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_generate_random(uint8_t *output,
- size_t output_size);
-
-/**
- * \brief Generate a key or key pair.
- *
- * The key is generated randomly.
- * Its location, usage policy, type and size are taken from \p attributes.
- *
- * Implementations must reject an attempt to generate a key of size 0.
- *
- * The following type-specific considerations apply:
- * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
- * the public exponent is 65537.
- * The modulus is a product of two probabilistic primes
- * between 2^{n-1} and 2^n where n is the bit size specified in the
- * attributes.
- *
- * \param[in] attributes The attributes for the new key.
- * \param[out] key On success, an identifier for the newly created
- * key. For persistent keys, this is the key
- * identifier defined in \p attributes.
- * \c 0 on failure.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * If the key is persistent, the key material and the key's metadata
- * have been saved to persistent storage.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * This is an attempt to create a persistent key, and there is
- * already a persistent key with the given identifier.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- mbedtls_svc_key_id_t *key);
-
-/**@}*/
-
-/** \defgroup interruptible_hash Interruptible sign/verify hash
- * @{
- */
-
-/** The type of the state data structure for interruptible hash
- * signing operations.
- *
- * Before calling any function on a sign hash operation object, the
- * application must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_sign_hash_interruptible_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_sign_hash_interruptible_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer
- * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
- * \code
- * psa_sign_hash_interruptible_operation_t operation =
- * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function
- * psa_sign_hash_interruptible_operation_init() to the structure, for
- * example:
- * \code
- * psa_sign_hash_interruptible_operation_t operation;
- * operation = psa_sign_hash_interruptible_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
-
-/** The type of the state data structure for interruptible hash
- * verification operations.
- *
- * Before calling any function on a sign hash operation object, the
- * application must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_verify_hash_interruptible_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_verify_hash_interruptible_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer
- * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
- * \code
- * psa_verify_hash_interruptible_operation_t operation =
- * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function
- * psa_verify_hash_interruptible_operation_init() to the structure, for
- * example:
- * \code
- * psa_verify_hash_interruptible_operation_t operation;
- * operation = psa_verify_hash_interruptible_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
-
-/**
- * \brief Set the maximum number of ops allowed to be
- * executed by an interruptible function in a
- * single call.
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note The time taken to execute a single op is
- * implementation specific and depends on
- * software, hardware, the algorithm, key type and
- * curve chosen. Even within a single operation,
- * successive ops can take differing amounts of
- * time. The only guarantee is that lower values
- * for \p max_ops means functions will block for a
- * lesser maximum amount of time. The functions
- * \c psa_sign_interruptible_get_num_ops() and
- * \c psa_verify_interruptible_get_num_ops() are
- * provided to help with tuning this value.
- *
- * \note This value defaults to
- * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
- * means the whole operation will be done in one
- * go, regardless of the number of ops required.
- *
- * \note If more ops are needed to complete a
- * computation, #PSA_OPERATION_INCOMPLETE will be
- * returned by the function performing the
- * computation. It is then the caller's
- * responsibility to either call again with the
- * same operation context until it returns 0 or an
- * error code; or to call the relevant abort
- * function if the answer is no longer required.
- *
- * \note The interpretation of \p max_ops is also
- * implementation defined. On a hard real time
- * system, this can indicate a hard deadline, as a
- * real-time system needs a guarantee of not
- * spending more than X time, however care must be
- * taken in such an implementation to avoid the
- * situation whereby calls just return, not being
- * able to do any actual work within the allotted
- * time. On a non-real-time system, the
- * implementation can be more relaxed, but again
- * whether this number should be interpreted as as
- * hard or soft limit or even whether a less than
- * or equals as regards to ops executed in a
- * single call is implementation defined.
- *
- * \note For keys in local storage when no accelerator
- * driver applies, please see also the
- * documentation for \c mbedtls_ecp_set_max_ops(),
- * which is the internal implementation in these
- * cases.
- *
- * \warning With implementations that interpret this number
- * as a hard limit, setting this number too small
- * may result in an infinite loop, whereby each
- * call results in immediate return with no ops
- * done (as there is not enough time to execute
- * any), and thus no result will ever be achieved.
- *
- * \note This only applies to functions whose
- * documentation mentions they may return
- * #PSA_OPERATION_INCOMPLETE.
- *
- * \param max_ops The maximum number of ops to be executed in a
- * single call. This can be a number from 0 to
- * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
- * is the least amount of work done per call.
- */
-void psa_interruptible_set_max_ops(uint32_t max_ops);
-
-/**
- * \brief Get the maximum number of ops allowed to be
- * executed by an interruptible function in a
- * single call. This will return the last
- * value set by
- * \c psa_interruptible_set_max_ops() or
- * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
- * that function has never been called.
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \return Maximum number of ops allowed to be
- * executed by an interruptible function in a
- * single call.
- */
-uint32_t psa_interruptible_get_max_ops(void);
-
-/**
- * \brief Get the number of ops that a hash signing
- * operation has taken so far. If the operation
- * has completed, then this will represent the
- * number of ops required for the entire
- * operation. After initialization or calling
- * \c psa_sign_hash_interruptible_abort() on
- * the operation, a value of 0 will be returned.
- *
- * \note This interface is guaranteed re-entrant and
- * thus may be called from driver code.
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * This is a helper provided to help you tune the
- * value passed to \c
- * psa_interruptible_set_max_ops().
- *
- * \param operation The \c psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \return Number of ops that the operation has taken so
- * far.
- */
-uint32_t psa_sign_hash_get_num_ops(
- const psa_sign_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Get the number of ops that a hash verification
- * operation has taken so far. If the operation
- * has completed, then this will represent the
- * number of ops required for the entire
- * operation. After initialization or calling \c
- * psa_verify_hash_interruptible_abort() on the
- * operation, a value of 0 will be returned.
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * This is a helper provided to help you tune the
- * value passed to \c
- * psa_interruptible_set_max_ops().
- *
- * \param operation The \c
- * psa_verify_hash_interruptible_operation_t to
- * use. This must be initialized first.
- *
- * \return Number of ops that the operation has taken so
- * far.
- */
-uint32_t psa_verify_hash_get_num_ops(
- const psa_verify_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Start signing a hash or short message with a
- * private key, in an interruptible manner.
- *
- * \see \c psa_sign_hash_complete()
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note This function combined with \c
- * psa_sign_hash_complete() is equivalent to
- * \c psa_sign_hash() but
- * \c psa_sign_hash_complete() can return early and
- * resume according to the limit set with \c
- * psa_interruptible_set_max_ops() to reduce the
- * maximum time spent in a function call.
- *
- * \note Users should call \c psa_sign_hash_complete()
- * repeatedly on the same context after a
- * successful call to this function until \c
- * psa_sign_hash_complete() either returns 0 or an
- * error. \c psa_sign_hash_complete() will return
- * #PSA_OPERATION_INCOMPLETE if there is more work
- * to do. Alternatively users can call
- * \c psa_sign_hash_abort() at any point if they no
- * longer want the result.
- *
- * \note If this function returns an error status, the
- * operation enters an error state and must be
- * aborted by calling \c psa_sign_hash_abort().
- *
- * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \param key Identifier of the key to use for the operation.
- * It must be an asymmetric key pair. The key must
- * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
- * \param alg A signature algorithm (\c PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
- * is true), that is compatible with
- * the type of \p key.
- * \param[in] hash The hash or message to sign.
- * \param hash_length Size of the \p hash buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The operation started successfully - call \c psa_sign_hash_complete()
- * with the same context to complete the operation
- *
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
- * not permit the requested algorithm.
- * \retval #PSA_ERROR_BAD_STATE
- * An operation has previously been started on this context, and is
- * still in progress.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_sign_hash_start(
- psa_sign_hash_interruptible_operation_t *operation,
- mbedtls_svc_key_id_t key, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length);
-
-/**
- * \brief Continue and eventually complete the action of
- * signing a hash or short message with a private
- * key, in an interruptible manner.
- *
- * \see \c psa_sign_hash_start()
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note This function combined with \c
- * psa_sign_hash_start() is equivalent to
- * \c psa_sign_hash() but this function can return
- * early and resume according to the limit set with
- * \c psa_interruptible_set_max_ops() to reduce the
- * maximum time spent in a function call.
- *
- * \note Users should call this function on the same
- * operation object repeatedly until it either
- * returns 0 or an error. This function will return
- * #PSA_OPERATION_INCOMPLETE if there is more work
- * to do. Alternatively users can call
- * \c psa_sign_hash_abort() at any point if they no
- * longer want the result.
- *
- * \note When this function returns successfully, the
- * operation becomes inactive. If this function
- * returns an error status, the operation enters an
- * error state and must be aborted by calling
- * \c psa_sign_hash_abort().
- *
- * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first, and have
- * had \c psa_sign_hash_start() called with it
- * first.
- *
- * \param[out] signature Buffer where the signature is to be written.
- * \param signature_size Size of the \p signature buffer in bytes. This
- * must be appropriate for the selected
- * algorithm and key:
- * - The required signature size is
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
- * key_bits, \c alg) where \c key_type and \c
- * key_bits are the type and bit-size
- * respectively of key.
- * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
- * maximum signature size of any supported
- * signature algorithm.
- * \param[out] signature_length On success, the number of bytes that make up
- * the returned signature value.
- *
- * \retval #PSA_SUCCESS
- * Operation completed successfully
- *
- * \retval #PSA_OPERATION_INCOMPLETE
- * Operation was interrupted due to the setting of \c
- * psa_interruptible_set_max_ops(). There is still work to be done.
- * Call this function again with the same operation object.
- *
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \c key.
- *
- * \retval #PSA_ERROR_BAD_STATE
- * An operation was not previously started on this context via
- * \c psa_sign_hash_start().
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has either not been previously initialized by
- * psa_crypto_init() or you did not previously call
- * psa_sign_hash_start() with this operation object. It is
- * implementation-dependent whether a failure to initialize results in
- * this error code.
- */
-psa_status_t psa_sign_hash_complete(
- psa_sign_hash_interruptible_operation_t *operation,
- uint8_t *signature, size_t signature_size,
- size_t *signature_length);
-
-/**
- * \brief Abort a sign hash operation.
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note This function is the only function that clears
- * the number of ops completed as part of the
- * operation. Please ensure you copy this value via
- * \c psa_sign_hash_get_num_ops() if required
- * before calling.
- *
- * \note Aborting an operation frees all associated
- * resources except for the \p operation structure
- * itself. Once aborted, the operation object can
- * be reused for another operation by calling \c
- * psa_sign_hash_start() again.
- *
- * \note You may call this function any time after the
- * operation object has been initialized. In
- * particular, calling \c psa_sign_hash_abort()
- * after the operation has already been terminated
- * by a call to \c psa_sign_hash_abort() or
- * psa_sign_hash_complete() is safe.
- *
- * \param[in,out] operation Initialized sign hash operation.
- *
- * \retval #PSA_SUCCESS
- * The operation was aborted successfully.
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_sign_hash_abort(
- psa_sign_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Start reading and verifying a hash or short
- * message, in an interruptible manner.
- *
- * \see \c psa_verify_hash_complete()
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note This function combined with \c
- * psa_verify_hash_complete() is equivalent to
- * \c psa_verify_hash() but \c
- * psa_verify_hash_complete() can return early and
- * resume according to the limit set with \c
- * psa_interruptible_set_max_ops() to reduce the
- * maximum time spent in a function.
- *
- * \note Users should call \c psa_verify_hash_complete()
- * repeatedly on the same operation object after a
- * successful call to this function until \c
- * psa_verify_hash_complete() either returns 0 or
- * an error. \c psa_verify_hash_complete() will
- * return #PSA_OPERATION_INCOMPLETE if there is
- * more work to do. Alternatively users can call
- * \c psa_verify_hash_abort() at any point if they
- * no longer want the result.
- *
- * \note If this function returns an error status, the
- * operation enters an error state and must be
- * aborted by calling \c psa_verify_hash_abort().
- *
- * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \param key Identifier of the key to use for the operation.
- * The key must allow the usage
- * #PSA_KEY_USAGE_VERIFY_HASH.
- * \param alg A signature algorithm (\c PSA_ALG_XXX
- * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
- * is true), that is compatible with
- * the type of \p key.
- * \param[in] hash The hash whose signature is to be verified.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The operation started successfully - please call \c
- * psa_verify_hash_complete() with the same context to complete the
- * operation.
- *
- * \retval #PSA_ERROR_BAD_STATE
- * Another operation has already been started on this context, and is
- * still in progress.
- *
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
- * not permit the requested algorithm.
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_verify_hash_start(
- psa_verify_hash_interruptible_operation_t *operation,
- mbedtls_svc_key_id_t key, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length);
-
-/**
- * \brief Continue and eventually complete the action of
- * reading and verifying a hash or short message
- * signed with a private key, in an interruptible
- * manner.
- *
- * \see \c psa_verify_hash_start()
- *
- * \warning This is a beta API, and thus subject to change
- * at any point. It is not bound by the usual
- * interface stability promises.
- *
- * \note This function combined with \c
- * psa_verify_hash_start() is equivalent to
- * \c psa_verify_hash() but this function can
- * return early and resume according to the limit
- * set with \c psa_interruptible_set_max_ops() to
- * reduce the maximum time spent in a function
- * call.
- *
- * \note Users should call this function on the same
- * operation object repeatedly until it either
- * returns 0 or an error. This function will return
- * #PSA_OPERATION_INCOMPLETE if there is more work
- * to do. Alternatively users can call
- * \c psa_verify_hash_abort() at any point if they
- * no longer want the result.
- *
- * \note When this function returns successfully, the
- * operation becomes inactive. If this function
- * returns an error status, the operation enters an
- * error state and must be aborted by calling
- * \c psa_verify_hash_abort().
- *
- * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
- * to use. This must be initialized first, and have
- * had \c psa_verify_hash_start() called with it
- * first.
- *
- * \retval #PSA_SUCCESS
- * Operation completed successfully, and the passed signature is valid.
- *
- * \retval #PSA_OPERATION_INCOMPLETE
- * Operation was interrupted due to the setting of \c
- * psa_interruptible_set_max_ops(). There is still work to be done.
- * Call this function again with the same operation object.
- *
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_BAD_STATE
- * An operation was not previously started on this context via
- * \c psa_verify_hash_start().
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has either not been previously initialized by
- * psa_crypto_init() or you did not previously call
- * psa_verify_hash_start() on this object. It is
- * implementation-dependent whether a failure to initialize results in
- * this error code.
- */
-psa_status_t psa_verify_hash_complete(
- psa_verify_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Abort a verify hash operation.
- *
- * \warning This is a beta API, and thus subject to change at
- * any point. It is not bound by the usual interface
- * stability promises.
- *
- * \note This function is the only function that clears the
- * number of ops completed as part of the operation.
- * Please ensure you copy this value via
- * \c psa_verify_hash_get_num_ops() if required
- * before calling.
- *
- * \note Aborting an operation frees all associated
- * resources except for the operation structure
- * itself. Once aborted, the operation object can be
- * reused for another operation by calling \c
- * psa_verify_hash_start() again.
- *
- * \note You may call this function any time after the
- * operation object has been initialized.
- * In particular, calling \c psa_verify_hash_abort()
- * after the operation has already been terminated by
- * a call to \c psa_verify_hash_abort() or
- * psa_verify_hash_complete() is safe.
- *
- * \param[in,out] operation Initialized verify hash operation.
- *
- * \retval #PSA_SUCCESS
- * The operation was aborted successfully.
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_verify_hash_abort(
- psa_verify_hash_interruptible_operation_t *operation);
-
-
-/**@}*/
-
-#ifdef __cplusplus
-}
-#endif
-
-/* The file "crypto_sizes.h" contains definitions for size calculation
- * macros whose definitions are implementation-specific. */
-#include "crypto_sizes.h"
-
-/* The file "crypto_struct.h" contains definitions for
- * implementation-specific structs that are declared above. */
-#if defined(MBEDTLS_PSA_CRYPTO_STRUCT_FILE)
-#include MBEDTLS_PSA_CRYPTO_STRUCT_FILE
-#else
-#include "crypto_struct.h"
-#endif
-
-/* The file "crypto_extra.h" contains vendor-specific definitions. This
- * can include vendor-defined algorithms, extra functions, etc. */
-#include "crypto_extra.h"
-
-#endif /* PSA_CRYPTO_H */
diff --git a/include/psa/crypto_adjust_auto_enabled.h b/include/psa/crypto_adjust_auto_enabled.h
deleted file mode 100644
index 5e18298..0000000
--- a/include/psa/crypto_adjust_auto_enabled.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * \file psa/crypto_adjust_auto_enabled.h
- * \brief Adjust PSA configuration: enable always-on features
- *
- * Always enable certain features which require a negligible amount of code
- * to implement, to avoid some edge cases in the configuration combinatorics.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
-#define PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
-
-#define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_PASSWORD 1
-#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
-#define PSA_WANT_KEY_TYPE_RAW_DATA 1
-
-#endif /* PSA_CRYPTO_ADJUST_AUTO_ENABLED_H */
diff --git a/include/psa/crypto_adjust_config_key_pair_types.h b/include/psa/crypto_adjust_config_key_pair_types.h
deleted file mode 100644
index 7736e75..0000000
--- a/include/psa/crypto_adjust_config_key_pair_types.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/**
- * \file psa/crypto_adjust_config_key_pair_types.h
- * \brief Adjust PSA configuration for key pair types.
- *
- * See docs/proposed/psa-conditional-inclusion-c.md.
- * - Support non-basic operations in a keypair type implicitly enables basic
- * support for that keypair type.
- * - Support for a keypair type implicitly enables the corresponding public
- * key type.
- * - Basic support for a keypair type implicilty enables import/export support
- * for that keypair type. Warning: this is implementation-specific (mainly
- * for the benefit of testing) and may change in the future!
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
-#define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
-
-/*****************************************************************
- * ANYTHING -> BASIC
- ****************************************************************/
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
-#endif
-
-/*****************************************************************
- * BASIC -> corresponding PUBLIC
- ****************************************************************/
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
-#endif
-
-/*****************************************************************
- * BASIC -> IMPORT+EXPORT
- *
- * (Implementation-specific, may change in the future.)
- ****************************************************************/
-
-/* Even though KEY_PAIR symbols' feature several level of support (BASIC, IMPORT,
- * EXPORT, GENERATE, DERIVE) we're not planning to have support only for BASIC
- * without IMPORT/EXPORT since these last 2 features are strongly used in tests.
- * In general it is allowed to include more feature than what is strictly
- * requested.
- * As a consequence IMPORT and EXPORT features will be automatically enabled
- * as soon as the BASIC one is. */
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
-#endif
-
-#endif /* PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H */
diff --git a/include/psa/crypto_adjust_config_synonyms.h b/include/psa/crypto_adjust_config_synonyms.h
deleted file mode 100644
index 5142ef0..0000000
--- a/include/psa/crypto_adjust_config_synonyms.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * \file psa/crypto_adjust_config_synonyms.h
- * \brief Adjust PSA configuration: enable quasi-synonyms
- *
- * When two features require almost the same code, we automatically enable
- * both when either one is requested, to reduce the combinatorics of
- * possible configurations.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
-#define PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
-
-/****************************************************************/
-/* De facto synonyms */
-/****************************************************************/
-
-#if defined(PSA_WANT_ALG_ECDSA_ANY) && !defined(PSA_WANT_ALG_ECDSA)
-#define PSA_WANT_ALG_ECDSA PSA_WANT_ALG_ECDSA_ANY
-#elif !defined(PSA_WANT_ALG_ECDSA_ANY) && defined(PSA_WANT_ALG_ECDSA)
-#define PSA_WANT_ALG_ECDSA_ANY PSA_WANT_ALG_ECDSA
-#endif
-
-#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && !defined(PSA_WANT_ALG_CCM)
-#define PSA_WANT_ALG_CCM PSA_WANT_ALG_CCM_STAR_NO_TAG
-#elif !defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && defined(PSA_WANT_ALG_CCM)
-#define PSA_WANT_ALG_CCM_STAR_NO_TAG PSA_WANT_ALG_CCM
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
-#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW
-#elif !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
-#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW PSA_WANT_ALG_RSA_PKCS1V15_SIGN
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && !defined(PSA_WANT_ALG_RSA_PSS)
-#define PSA_WANT_ALG_RSA_PSS PSA_WANT_ALG_RSA_PSS_ANY_SALT
-#elif !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && defined(PSA_WANT_ALG_RSA_PSS)
-#define PSA_WANT_ALG_RSA_PSS_ANY_SALT PSA_WANT_ALG_RSA_PSS
-#endif
-
-#endif /* PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H */
diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
deleted file mode 100644
index d9473ac..0000000
--- a/include/psa/crypto_builtin_composites.h
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
- * Context structure declaration of the Mbed TLS software-based PSA drivers
- * called through the PSA Crypto driver dispatch layer.
- * This file contains the context structures of those algorithms which need to
- * rely on other algorithms, i.e. are 'composite' algorithms.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the Mbed TLS software-based PSA drivers. The
- * definitions of these objects are then used by crypto_struct.h to define the
- * implementation-defined types of PSA multi-part state objects.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_BUILTIN_COMPOSITES_H
-#define PSA_CRYPTO_BUILTIN_COMPOSITES_H
-#include "mbedtls/private_access.h"
-
-#include <psa/crypto_driver_common.h>
-
-#include "mbedtls/cmac.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/chachapoly.h"
-
-/*
- * MAC multi-part operation definitions.
- */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
-#define MBEDTLS_PSA_BUILTIN_MAC
-#endif
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
-typedef struct {
- /** The HMAC algorithm in use */
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- /** The hash context. */
- struct psa_hash_operation_s hash_ctx;
- /** The HMAC part of the context. */
- uint8_t MBEDTLS_PRIVATE(opad)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
-} mbedtls_psa_hmac_operation_t;
-
-#define MBEDTLS_PSA_HMAC_OPERATION_INIT { 0, PSA_HASH_OPERATION_INIT, { 0 } }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
-
-typedef struct {
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- union {
- unsigned MBEDTLS_PRIVATE(dummy); /* Make the union non-empty even with no supported algorithms. */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_psa_hmac_operation_t MBEDTLS_PRIVATE(hmac);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cmac);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- } MBEDTLS_PRIVATE(ctx);
-} mbedtls_psa_mac_operation_t;
-
-#define MBEDTLS_PSA_MAC_OPERATION_INIT { 0, { 0 } }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
-#define MBEDTLS_PSA_BUILTIN_AEAD 1
-#endif
-
-/* Context structure for the Mbed TLS AEAD implementation. */
-typedef struct {
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- psa_key_type_t MBEDTLS_PRIVATE(key_type);
-
- unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
-
- uint8_t MBEDTLS_PRIVATE(tag_length);
-
- union {
- unsigned dummy; /* Enable easier initializing of the union. */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- mbedtls_ccm_context MBEDTLS_PRIVATE(ccm);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- mbedtls_gcm_context MBEDTLS_PRIVATE(gcm);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- mbedtls_chachapoly_context MBEDTLS_PRIVATE(chachapoly);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
-
- } ctx;
-
-} mbedtls_psa_aead_operation_t;
-
-#define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
-
-#include "mbedtls/ecdsa.h"
-
-/* Context structure for the Mbed TLS interruptible sign hash implementation. */
-typedef struct {
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
- mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
-
- uint32_t MBEDTLS_PRIVATE(num_ops);
-
- size_t MBEDTLS_PRIVATE(coordinate_bytes);
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
- uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
- size_t MBEDTLS_PRIVATE(hash_length);
-
-#else
- /* Make the struct non-empty if algs not supported. */
- unsigned MBEDTLS_PRIVATE(dummy);
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-} mbedtls_psa_sign_hash_interruptible_operation_t;
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 }
-#else
-#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
-#endif
-
-/* Context structure for the Mbed TLS interruptible verify hash
- * implementation.*/
-typedef struct {
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
- mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
-
- uint32_t MBEDTLS_PRIVATE(num_ops);
-
- uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
- size_t MBEDTLS_PRIVATE(hash_length);
-
- mbedtls_mpi MBEDTLS_PRIVATE(r);
- mbedtls_mpi MBEDTLS_PRIVATE(s);
-
-#else
- /* Make the struct non-empty if algs not supported. */
- unsigned MBEDTLS_PRIVATE(dummy);
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-
-} mbedtls_psa_verify_hash_interruptible_operation_t;
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \
- { 0 } }
-#else
-#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
-#endif
-
-
-/* EC-JPAKE operation definitions */
-
-#include "mbedtls/ecjpake.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
-#define MBEDTLS_PSA_BUILTIN_PAKE 1
-#endif
-
-/* Note: the format for mbedtls_ecjpake_read/write function has an extra
- * length byte for each step, plus an extra 3 bytes for ECParameters in the
- * server's 2nd round. */
-#define MBEDTLS_PSA_JPAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2)
-
-typedef struct {
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
-
- uint8_t *MBEDTLS_PRIVATE(password);
- size_t MBEDTLS_PRIVATE(password_len);
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);
- uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]);
- size_t MBEDTLS_PRIVATE(buffer_length);
- size_t MBEDTLS_PRIVATE(buffer_offset);
-#endif
- /* Context structure for the Mbed TLS EC-JPAKE implementation. */
- union {
- unsigned int MBEDTLS_PRIVATE(dummy);
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- mbedtls_ecjpake_context MBEDTLS_PRIVATE(jpake);
-#endif
- } MBEDTLS_PRIVATE(ctx);
-
-} mbedtls_psa_pake_operation_t;
-
-#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } }
-
-#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h
deleted file mode 100644
index 8a2143a..0000000
--- a/include/psa/crypto_builtin_key_derivation.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Context structure declaration of the Mbed TLS software-based PSA drivers
- * called through the PSA Crypto driver dispatch layer.
- * This file contains the context structures of key derivation algorithms
- * which need to rely on other algorithms.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the Mbed TLS software-based PSA drivers. The
- * definitions of these objects are then used by crypto_struct.h to define the
- * implementation-defined types of PSA multi-part state objects.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H
-#define PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H
-#include "mbedtls/private_access.h"
-
-#include <psa/crypto_driver_common.h>
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
-typedef struct {
- uint8_t *MBEDTLS_PRIVATE(info);
- size_t MBEDTLS_PRIVATE(info_length);
-#if PSA_HASH_MAX_SIZE > 0xff
-#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
-#endif
- uint8_t MBEDTLS_PRIVATE(offset_in_block);
- uint8_t MBEDTLS_PRIVATE(block_number);
- unsigned int MBEDTLS_PRIVATE(state) : 2;
- unsigned int MBEDTLS_PRIVATE(info_set) : 1;
- uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
- uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE];
- struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac);
-} psa_hkdf_key_derivation_t;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF ||
- MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
- MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
-typedef struct {
- uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE];
-} psa_tls12_ecjpake_to_pms_t;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
-typedef enum {
- PSA_TLS12_PRF_STATE_INIT, /* no input provided */
- PSA_TLS12_PRF_STATE_SEED_SET, /* seed has been set */
- PSA_TLS12_PRF_STATE_OTHER_KEY_SET, /* other key has been set - optional */
- PSA_TLS12_PRF_STATE_KEY_SET, /* key has been set */
- PSA_TLS12_PRF_STATE_LABEL_SET, /* label has been set */
- PSA_TLS12_PRF_STATE_OUTPUT /* output has been started */
-} psa_tls12_prf_key_derivation_state_t;
-
-typedef struct psa_tls12_prf_key_derivation_s {
-#if PSA_HASH_MAX_SIZE > 0xff
-#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
-#endif
-
- /* Indicates how many bytes in the current HMAC block have
- * not yet been read by the user. */
- uint8_t MBEDTLS_PRIVATE(left_in_block);
-
- /* The 1-based number of the block. */
- uint8_t MBEDTLS_PRIVATE(block_number);
-
- psa_tls12_prf_key_derivation_state_t MBEDTLS_PRIVATE(state);
-
- uint8_t *MBEDTLS_PRIVATE(secret);
- size_t MBEDTLS_PRIVATE(secret_length);
- uint8_t *MBEDTLS_PRIVATE(seed);
- size_t MBEDTLS_PRIVATE(seed_length);
- uint8_t *MBEDTLS_PRIVATE(label);
- size_t MBEDTLS_PRIVATE(label_length);
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- uint8_t *MBEDTLS_PRIVATE(other_secret);
- size_t MBEDTLS_PRIVATE(other_secret_length);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-
- uint8_t MBEDTLS_PRIVATE(Ai)[PSA_HASH_MAX_SIZE];
-
- /* `HMAC_hash( prk, A( i ) + seed )` in the notation of RFC 5246, Sect. 5. */
- uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
-} psa_tls12_prf_key_derivation_t;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
- * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-#if defined(PSA_HAVE_SOFT_PBKDF2)
-typedef enum {
- PSA_PBKDF2_STATE_INIT, /* no input provided */
- PSA_PBKDF2_STATE_INPUT_COST_SET, /* input cost has been set */
- PSA_PBKDF2_STATE_SALT_SET, /* salt has been set */
- PSA_PBKDF2_STATE_PASSWORD_SET, /* password has been set */
- PSA_PBKDF2_STATE_OUTPUT /* output has been started */
-} psa_pbkdf2_key_derivation_state_t;
-
-typedef struct {
- psa_pbkdf2_key_derivation_state_t MBEDTLS_PRIVATE(state);
- uint64_t MBEDTLS_PRIVATE(input_cost);
- uint8_t *MBEDTLS_PRIVATE(salt);
- size_t MBEDTLS_PRIVATE(salt_length);
- uint8_t MBEDTLS_PRIVATE(password)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- size_t MBEDTLS_PRIVATE(password_length);
- uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
- uint8_t MBEDTLS_PRIVATE(bytes_used);
- uint32_t MBEDTLS_PRIVATE(block_number);
-} psa_pbkdf2_key_derivation_t;
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
-
-#endif /* PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H */
diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h
deleted file mode 100644
index d3e0692..0000000
--- a/include/psa/crypto_builtin_primitives.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Context structure declaration of the Mbed TLS software-based PSA drivers
- * called through the PSA Crypto driver dispatch layer.
- * This file contains the context structures of those algorithms which do not
- * rely on other algorithms, i.e. are 'primitive' algorithms.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the Mbed TLS software-based PSA drivers. The
- * definitions of these objects are then used by crypto_struct.h to define the
- * implementation-defined types of PSA multi-part state objects.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_BUILTIN_PRIMITIVES_H
-#define PSA_CRYPTO_BUILTIN_PRIMITIVES_H
-#include "mbedtls/private_access.h"
-
-#include <psa/crypto_driver_common.h>
-
-/*
- * Hash multi-part operation definitions.
- */
-
-#include "mbedtls/md5.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/sha3.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
-#define MBEDTLS_PSA_BUILTIN_HASH
-#endif
-
-typedef struct {
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- union {
- unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- mbedtls_md5_context md5;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- mbedtls_ripemd160_context ripemd160;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- mbedtls_sha1_context sha1;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- mbedtls_sha256_context sha256;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- mbedtls_sha512_context sha512;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- mbedtls_sha3_context sha3;
-#endif
- } MBEDTLS_PRIVATE(ctx);
-} mbedtls_psa_hash_operation_t;
-
-#define MBEDTLS_PSA_HASH_OPERATION_INIT { 0, { 0 } }
-
-/*
- * Cipher multi-part operation definitions.
- */
-
-#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
-#define MBEDTLS_PSA_BUILTIN_CIPHER 1
-#endif
-
-typedef struct {
- /* Context structure for the Mbed TLS cipher implementation. */
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- uint8_t MBEDTLS_PRIVATE(iv_length);
- uint8_t MBEDTLS_PRIVATE(block_length);
- union {
- unsigned int MBEDTLS_PRIVATE(dummy);
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher);
- } MBEDTLS_PRIVATE(ctx);
-} mbedtls_psa_cipher_operation_t;
-
-#define MBEDTLS_PSA_CIPHER_OPERATION_INIT { 0, 0, 0, { 0 } }
-
-#endif /* PSA_CRYPTO_BUILTIN_PRIMITIVES_H */
diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h
deleted file mode 100644
index 70fa14e..0000000
--- a/include/psa/crypto_compat.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * \file psa/crypto_compat.h
- *
- * \brief PSA cryptography module: Backward compatibility aliases
- *
- * This header declares alternative names for macro and functions.
- * New application code should not use these names.
- * These names may be removed in a future version of Mbed TLS.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_COMPAT_H
-#define PSA_CRYPTO_COMPAT_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * To support both openless APIs and psa_open_key() temporarily, define
- * psa_key_handle_t to be equal to mbedtls_svc_key_id_t. Do not mark the
- * type and its utility macros and functions deprecated yet. This will be done
- * in a subsequent phase.
- */
-typedef mbedtls_svc_key_id_t psa_key_handle_t;
-
-#define PSA_KEY_HANDLE_INIT MBEDTLS_SVC_KEY_ID_INIT
-
-/** Check whether a handle is null.
- *
- * \param handle Handle
- *
- * \return Non-zero if the handle is null, zero otherwise.
- */
-static inline int psa_key_handle_is_null(psa_key_handle_t handle)
-{
- return mbedtls_svc_key_id_is_null(handle);
-}
-
-/** Open a handle to an existing persistent key.
- *
- * Open a handle to a persistent key. A key is persistent if it was created
- * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
- * always has a nonzero key identifier, set with psa_set_key_id() when
- * creating the key. Implementations may provide additional pre-provisioned
- * keys that can be opened with psa_open_key(). Such keys have an application
- * key identifier in the vendor range, as documented in the description of
- * #psa_key_id_t.
- *
- * The application must eventually close the handle with psa_close_key() or
- * psa_destroy_key() to release associated resources. If the application dies
- * without calling one of these functions, the implementation should perform
- * the equivalent of a call to psa_close_key().
- *
- * Some implementations permit an application to open the same key multiple
- * times. If this is successful, each call to psa_open_key() will return a
- * different key handle.
- *
- * \note This API is not part of the PSA Cryptography API Release 1.0.0
- * specification. It was defined in the 1.0 Beta 3 version of the
- * specification but was removed in the 1.0.0 released version. This API is
- * kept for the time being to not break applications relying on it. It is not
- * deprecated yet but will be in the near future.
- *
- * \note Applications that rely on opening a key multiple times will not be
- * portable to implementations that only permit a single key handle to be
- * opened. See also :ref:\`key-handles\`.
- *
- *
- * \param key The persistent identifier of the key.
- * \param[out] handle On success, a handle to the key.
- *
- * \retval #PSA_SUCCESS
- * Success. The application can now use the value of `*handle`
- * to access the key.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * The implementation does not have sufficient resources to open the
- * key. This can be due to reaching an implementation limit on the
- * number of open keys, the number of open key handles, or available
- * memory.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There is no persistent key with key identifier \p key.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key is not a valid persistent key identifier.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The specified key exists, but the application does not have the
- * permission to access it. Note that this specification does not
- * define any way to create such a key, but it may be possible
- * through implementation-specific means.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_open_key(mbedtls_svc_key_id_t key,
- psa_key_handle_t *handle);
-
-/** Close a key handle.
- *
- * If the handle designates a volatile key, this will destroy the key material
- * and free all associated resources, just like psa_destroy_key().
- *
- * If this is the last open handle to a persistent key, then closing the handle
- * will free all resources associated with the key in volatile memory. The key
- * data in persistent storage is not affected and can be opened again later
- * with a call to psa_open_key().
- *
- * Closing the key handle makes the handle invalid, and the key handle
- * must not be used again by the application.
- *
- * \note This API is not part of the PSA Cryptography API Release 1.0.0
- * specification. It was defined in the 1.0 Beta 3 version of the
- * specification but was removed in the 1.0.0 released version. This API is
- * kept for the time being to not break applications relying on it. It is not
- * deprecated yet but will be in the near future.
- *
- * \note If the key handle was used to set up an active
- * :ref:\`multipart operation <multipart-operations>\`, then closing the
- * key handle can cause the multipart operation to fail. Applications should
- * maintain the key handle until after the multipart operation has finished.
- *
- * \param handle The key handle to close.
- * If this is \c 0, do nothing and return \c PSA_SUCCESS.
- *
- * \retval #PSA_SUCCESS
- * \p handle was a valid handle or \c 0. It is now closed.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p handle is not a valid handle nor \c 0.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_close_key(psa_key_handle_t handle);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_COMPAT_H */
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
deleted file mode 100644
index d34cbf3..0000000
--- a/include/psa/crypto_config.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * \file psa/crypto_config.h
- * \brief PSA crypto configuration options (set of defines)
- *
- */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-/**
- * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
- * this file determines which cryptographic mechanisms are enabled
- * through the PSA Cryptography API (\c psa_xxx() functions).
- *
- * To enable a cryptographic mechanism, uncomment the definition of
- * the corresponding \c PSA_WANT_xxx preprocessor symbol.
- * To disable a cryptographic mechanism, comment out the definition of
- * the corresponding \c PSA_WANT_xxx preprocessor symbol.
- * The names of cryptographic mechanisms correspond to values
- * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
- * of \c PSA_.
- *
- * Note that many cryptographic mechanisms involve two symbols: one for
- * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
- * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
- * additional symbols.
- */
-#else
-/**
- * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
- * this file is not used, and cryptographic mechanisms are supported
- * through the PSA API if and only if they are supported through the
- * mbedtls_xxx API.
- */
-#endif
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_CONFIG_H
-#define PSA_CRYPTO_CONFIG_H
-
-/*
- * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
- */
-//#define PSA_WANT_ALG_CBC_MAC 1
-#define PSA_WANT_ALG_CBC_NO_PADDING 1
-#define PSA_WANT_ALG_CBC_PKCS7 1
-#define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
-#define PSA_WANT_ALG_CMAC 1
-#define PSA_WANT_ALG_CFB 1
-#define PSA_WANT_ALG_CHACHA20_POLY1305 1
-#define PSA_WANT_ALG_CTR 1
-#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
-#define PSA_WANT_ALG_ECB_NO_PADDING 1
-#define PSA_WANT_ALG_ECDH 1
-#define PSA_WANT_ALG_FFDH 1
-#define PSA_WANT_ALG_ECDSA 1
-#define PSA_WANT_ALG_JPAKE 1
-#define PSA_WANT_ALG_GCM 1
-#define PSA_WANT_ALG_HKDF 1
-#define PSA_WANT_ALG_HKDF_EXTRACT 1
-#define PSA_WANT_ALG_HKDF_EXPAND 1
-#define PSA_WANT_ALG_HMAC 1
-#define PSA_WANT_ALG_MD5 1
-#define PSA_WANT_ALG_OFB 1
-#define PSA_WANT_ALG_PBKDF2_HMAC 1
-#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1
-#define PSA_WANT_ALG_RIPEMD160 1
-#define PSA_WANT_ALG_RSA_OAEP 1
-#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
-#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
-#define PSA_WANT_ALG_RSA_PSS 1
-#define PSA_WANT_ALG_SHA_1 1
-#define PSA_WANT_ALG_SHA_224 1
-#define PSA_WANT_ALG_SHA_256 1
-#define PSA_WANT_ALG_SHA_384 1
-#define PSA_WANT_ALG_SHA_512 1
-#define PSA_WANT_ALG_SHA3_224 1
-#define PSA_WANT_ALG_SHA3_256 1
-#define PSA_WANT_ALG_SHA3_384 1
-#define PSA_WANT_ALG_SHA3_512 1
-#define PSA_WANT_ALG_STREAM_CIPHER 1
-#define PSA_WANT_ALG_TLS12_PRF 1
-#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
-#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
-
-/* XTS is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_XTS 1
-
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
-#define PSA_WANT_ECC_MONTGOMERY_255 1
-#define PSA_WANT_ECC_MONTGOMERY_448 1
-#define PSA_WANT_ECC_SECP_K1_192 1
-/*
- * SECP224K1 is buggy via the PSA API in Mbed TLS
- * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
- * default.
- */
-//#define PSA_WANT_ECC_SECP_K1_224 1
-#define PSA_WANT_ECC_SECP_K1_256 1
-#define PSA_WANT_ECC_SECP_R1_192 1
-#define PSA_WANT_ECC_SECP_R1_224 1
-/* For secp256r1, consider enabling #MBEDTLS_PSA_P256M_DRIVER_ENABLED
- * (see the description in mbedtls/mbedtls_config.h for details). */
-#define PSA_WANT_ECC_SECP_R1_256 1
-#define PSA_WANT_ECC_SECP_R1_384 1
-#define PSA_WANT_ECC_SECP_R1_521 1
-
-#define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_PASSWORD 1
-#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
-#define PSA_WANT_KEY_TYPE_AES 1
-#define PSA_WANT_KEY_TYPE_ARIA 1
-#define PSA_WANT_KEY_TYPE_CAMELLIA 1
-#define PSA_WANT_KEY_TYPE_CHACHA20 1
-#define PSA_WANT_KEY_TYPE_DES 1
-//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */
-#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
-#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
-#define PSA_WANT_KEY_TYPE_RAW_DATA 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */
-#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
-
-/*
- * The following symbols extend and deprecate the legacy
- * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in
- * the name's suffix. "_USE" is the most generic and it can be used to describe
- * a generic suport, whereas other ones add more features on top of that and
- * they are more specific.
- */
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
-
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
-//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */
-
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
-//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 /* Not supported */
-
-#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/include/psa/crypto_driver_common.h b/include/psa/crypto_driver_common.h
deleted file mode 100644
index 26363c6..0000000
--- a/include/psa/crypto_driver_common.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * \file psa/crypto_driver_common.h
- * \brief Definitions for all PSA crypto drivers
- *
- * This file contains common definitions shared by all PSA crypto drivers.
- * Do not include it directly: instead, include the header file(s) for
- * the type(s) of driver that you are implementing. For example, if
- * you are writing a dynamically registered driver for a secure element,
- * include `psa/crypto_se_driver.h`.
- *
- * This file is part of the PSA Crypto Driver Model, containing functions for
- * driver developers to implement to enable hardware to be called in a
- * standardized way by a PSA Cryptographic API implementation. The functions
- * comprising the driver model, which driver authors implement, are not
- * intended to be called by application developers.
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef PSA_CRYPTO_DRIVER_COMMON_H
-#define PSA_CRYPTO_DRIVER_COMMON_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-/* Include type definitions (psa_status_t, psa_algorithm_t,
- * psa_key_type_t, etc.) and macros to build and analyze values
- * of these types. */
-#include "crypto_types.h"
-#include "crypto_values.h"
-/* Include size definitions which are used to size some arrays in operation
- * structures. */
-#include <psa/crypto_sizes.h>
-
-/** For encrypt-decrypt functions, whether the operation is an encryption
- * or a decryption. */
-typedef enum {
- PSA_CRYPTO_DRIVER_DECRYPT,
- PSA_CRYPTO_DRIVER_ENCRYPT
-} psa_encrypt_or_decrypt_t;
-
-#endif /* PSA_CRYPTO_DRIVER_COMMON_H */
diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h
deleted file mode 100644
index d018864..0000000
--- a/include/psa/crypto_driver_contexts_composites.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Declaration of context structures for use with the PSA driver wrapper
- * interface. This file contains the context structures for 'composite'
- * operations, i.e. those operations which need to make use of other operations
- * from the primitives (crypto_driver_contexts_primitives.h)
- *
- * Warning: This file will be auto-generated in the future.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the PSA drivers included in the cryptographic
- * library. The definitions of these objects are then used by crypto_struct.h
- * to define the implementation-defined types of PSA multi-part state objects.
- */
-/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H
-#define PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H
-
-#include "psa/crypto_driver_common.h"
-
-/* Include the context structure definitions for the Mbed TLS software drivers */
-#include "psa/crypto_builtin_composites.h"
-
-/* Include the context structure definitions for those drivers that were
- * declared during the autogeneration process. */
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include <libtestdriver1/include/psa/crypto.h>
-#endif
-
-#if defined(PSA_CRYPTO_DRIVER_TEST)
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC)
-typedef libtestdriver1_mbedtls_psa_mac_operation_t
- mbedtls_transparent_test_driver_mac_operation_t;
-typedef libtestdriver1_mbedtls_psa_mac_operation_t
- mbedtls_opaque_test_driver_mac_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT
-#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT
-
-#else
-typedef mbedtls_psa_mac_operation_t
- mbedtls_transparent_test_driver_mac_operation_t;
-typedef mbedtls_psa_mac_operation_t
- mbedtls_opaque_test_driver_mac_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \
- MBEDTLS_PSA_MAC_OPERATION_INIT
-#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \
- MBEDTLS_PSA_MAC_OPERATION_INIT
-
-#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC */
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
-typedef libtestdriver1_mbedtls_psa_aead_operation_t
- mbedtls_transparent_test_driver_aead_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_AEAD_OPERATION_INIT
-#else
-typedef mbedtls_psa_aead_operation_t
- mbedtls_transparent_test_driver_aead_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \
- MBEDTLS_PSA_AEAD_OPERATION_INIT
-
-#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD */
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
-
-typedef libtestdriver1_mbedtls_psa_pake_operation_t
- mbedtls_transparent_test_driver_pake_operation_t;
-typedef libtestdriver1_mbedtls_psa_pake_operation_t
- mbedtls_opaque_test_driver_pake_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT
-#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT
-
-#else
-typedef mbedtls_psa_pake_operation_t
- mbedtls_transparent_test_driver_pake_operation_t;
-typedef mbedtls_psa_pake_operation_t
- mbedtls_opaque_test_driver_pake_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \
- MBEDTLS_PSA_PAKE_OPERATION_INIT
-#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \
- MBEDTLS_PSA_PAKE_OPERATION_INIT
-
-#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE */
-
-#endif /* PSA_CRYPTO_DRIVER_TEST */
-
-/* Define the context to be used for an operation that is executed through the
- * PSA Driver wrapper layer as the union of all possible driver's contexts.
- *
- * The union members are the driver's context structures, and the member names
- * are formatted as `'drivername'_ctx`. This allows for procedural generation
- * of both this file and the content of psa_crypto_driver_wrappers.h */
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_mac_operation_t mbedtls_ctx;
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_transparent_test_driver_mac_operation_t transparent_test_driver_ctx;
- mbedtls_opaque_test_driver_mac_operation_t opaque_test_driver_ctx;
-#endif
-} psa_driver_mac_context_t;
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_aead_operation_t mbedtls_ctx;
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_transparent_test_driver_aead_operation_t transparent_test_driver_ctx;
-#endif
-} psa_driver_aead_context_t;
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx;
-} psa_driver_sign_hash_interruptible_context_t;
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx;
-} psa_driver_verify_hash_interruptible_context_t;
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_pake_operation_t mbedtls_ctx;
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_transparent_test_driver_pake_operation_t transparent_test_driver_ctx;
- mbedtls_opaque_test_driver_pake_operation_t opaque_test_driver_ctx;
-#endif
-} psa_driver_pake_context_t;
-
-#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
-/* End of automatically generated file. */
diff --git a/include/psa/crypto_driver_contexts_key_derivation.h b/include/psa/crypto_driver_contexts_key_derivation.h
deleted file mode 100644
index 3fb29ff..0000000
--- a/include/psa/crypto_driver_contexts_key_derivation.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Declaration of context structures for use with the PSA driver wrapper
- * interface. This file contains the context structures for key derivation
- * operations.
- *
- * Warning: This file will be auto-generated in the future.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the PSA drivers included in the cryptographic
- * library. The definitions of these objects are then used by crypto_struct.h
- * to define the implementation-defined types of PSA multi-part state objects.
- */
-/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H
-#define PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H
-
-#include "psa/crypto_driver_common.h"
-
-/* Include the context structure definitions for the Mbed TLS software drivers */
-#include "psa/crypto_builtin_key_derivation.h"
-
-/* Include the context structure definitions for those drivers that were
- * declared during the autogeneration process. */
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
- psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf);
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf);
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
-#endif
-#if defined(PSA_HAVE_SOFT_PBKDF2)
- psa_pbkdf2_key_derivation_t MBEDTLS_PRIVATE(pbkdf2);
-#endif
-} psa_driver_key_derivation_context_t;
-
-#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H */
-/* End of automatically generated file. */
diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h
deleted file mode 100644
index b27a768..0000000
--- a/include/psa/crypto_driver_contexts_primitives.h
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Declaration of context structures for use with the PSA driver wrapper
- * interface. This file contains the context structures for 'primitive'
- * operations, i.e. those operations which do not rely on other contexts.
- *
- * Warning: This file will be auto-generated in the future.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * \note This header and its content are not part of the Mbed TLS API and
- * applications must not depend on it. Its main purpose is to define the
- * multi-part state objects of the PSA drivers included in the cryptographic
- * library. The definitions of these objects are then used by crypto_struct.h
- * to define the implementation-defined types of PSA multi-part state objects.
- */
-/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H
-#define PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H
-
-#include "psa/crypto_driver_common.h"
-
-/* Include the context structure definitions for the Mbed TLS software drivers */
-#include "psa/crypto_builtin_primitives.h"
-
-/* Include the context structure definitions for those drivers that were
- * declared during the autogeneration process. */
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include <libtestdriver1/include/psa/crypto.h>
-#endif
-
-#if defined(PSA_CRYPTO_DRIVER_TEST)
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
-typedef libtestdriver1_mbedtls_psa_cipher_operation_t
- mbedtls_transparent_test_driver_cipher_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_CIPHER_OPERATION_INIT
-#else
-typedef mbedtls_psa_cipher_operation_t
- mbedtls_transparent_test_driver_cipher_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \
- MBEDTLS_PSA_CIPHER_OPERATION_INIT
-#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 &&
- LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER */
-
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH)
-typedef libtestdriver1_mbedtls_psa_hash_operation_t
- mbedtls_transparent_test_driver_hash_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \
- LIBTESTDRIVER1_MBEDTLS_PSA_HASH_OPERATION_INIT
-#else
-typedef mbedtls_psa_hash_operation_t
- mbedtls_transparent_test_driver_hash_operation_t;
-
-#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \
- MBEDTLS_PSA_HASH_OPERATION_INIT
-#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 &&
- LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH */
-
-typedef struct {
- unsigned int initialised : 1;
- mbedtls_transparent_test_driver_cipher_operation_t ctx;
-} mbedtls_opaque_test_driver_cipher_operation_t;
-
-#define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \
- { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT }
-
-#endif /* PSA_CRYPTO_DRIVER_TEST */
-
-/* Define the context to be used for an operation that is executed through the
- * PSA Driver wrapper layer as the union of all possible driver's contexts.
- *
- * The union members are the driver's context structures, and the member names
- * are formatted as `'drivername'_ctx`. This allows for procedural generation
- * of both this file and the content of psa_crypto_driver_wrappers.h */
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_hash_operation_t mbedtls_ctx;
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_transparent_test_driver_hash_operation_t test_driver_ctx;
-#endif
-} psa_driver_hash_context_t;
-
-typedef union {
- unsigned dummy; /* Make sure this union is always non-empty */
- mbedtls_psa_cipher_operation_t mbedtls_ctx;
-#if defined(PSA_CRYPTO_DRIVER_TEST)
- mbedtls_transparent_test_driver_cipher_operation_t transparent_test_driver_ctx;
- mbedtls_opaque_test_driver_cipher_operation_t opaque_test_driver_ctx;
-#endif
-} psa_driver_cipher_context_t;
-
-#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H */
-/* End of automatically generated file. */
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
deleted file mode 100644
index 4b0cc70..0000000
--- a/include/psa/crypto_extra.h
+++ /dev/null
@@ -1,2076 +0,0 @@
-/**
- * \file psa/crypto_extra.h
- *
- * \brief PSA cryptography module: Mbed TLS vendor extensions
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * This file is reserved for vendor-specific definitions.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_EXTRA_H
-#define PSA_CRYPTO_EXTRA_H
-#include "mbedtls/private_access.h"
-
-#include "crypto_types.h"
-#include "crypto_compat.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* UID for secure storage seed */
-#define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
-
-/* See mbedtls_config.h for definition */
-#if !defined(MBEDTLS_PSA_KEY_SLOT_COUNT)
-#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
-#endif
-
-/** \addtogroup attributes
- * @{
- */
-
-/** \brief Declare the enrollment algorithm for a key.
- *
- * An operation on a key may indifferently use the algorithm set with
- * psa_set_key_algorithm() or with this function.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param alg2 A second algorithm that the key may be used
- * for, in addition to the algorithm set with
- * psa_set_key_algorithm().
- *
- * \warning Setting an enrollment algorithm is not recommended, because
- * using the same key with different algorithms can allow some
- * attacks based on arithmetic relations between different
- * computations made with the same key, or can escalate harmless
- * side channels into exploitable ones. Use this function only
- * if it is necessary to support a protocol for which it has been
- * verified that the usage of the key with multiple algorithms
- * is safe.
- */
-static inline void psa_set_key_enrollment_algorithm(
- psa_key_attributes_t *attributes,
- psa_algorithm_t alg2)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2;
-}
-
-/** Retrieve the enrollment algorithm policy from key attributes.
- *
- * \param[in] attributes The key attribute structure to query.
- *
- * \return The enrollment algorithm stored in the attribute structure.
- */
-static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2);
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-
-/** Retrieve the slot number where a key is stored.
- *
- * A slot number is only defined for keys that are stored in a secure
- * element.
- *
- * This information is only useful if the secure element is not entirely
- * managed through the PSA Cryptography API. It is up to the secure
- * element driver to decide how PSA slot numbers map to any other interface
- * that the secure element may have.
- *
- * \param[in] attributes The key attribute structure to query.
- * \param[out] slot_number On success, the slot number containing the key.
- *
- * \retval #PSA_SUCCESS
- * The key is located in a secure element, and \p *slot_number
- * indicates the slot number that contains it.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The caller is not permitted to query the slot number.
- * Mbed TLS currently does not return this error.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key is not located in a secure element.
- */
-psa_status_t psa_get_key_slot_number(
- const psa_key_attributes_t *attributes,
- psa_key_slot_number_t *slot_number);
-
-/** Choose the slot number where a key is stored.
- *
- * This function declares a slot number in the specified attribute
- * structure.
- *
- * A slot number is only meaningful for keys that are stored in a secure
- * element. It is up to the secure element driver to decide how PSA slot
- * numbers map to any other interface that the secure element may have.
- *
- * \note Setting a slot number in key attributes for a key creation can
- * cause the following errors when creating the key:
- * - #PSA_ERROR_NOT_SUPPORTED if the selected secure element does
- * not support choosing a specific slot number.
- * - #PSA_ERROR_NOT_PERMITTED if the caller is not permitted to
- * choose slot numbers in general or to choose this specific slot.
- * - #PSA_ERROR_INVALID_ARGUMENT if the chosen slot number is not
- * valid in general or not valid for this specific key.
- * - #PSA_ERROR_ALREADY_EXISTS if there is already a key in the
- * selected slot.
- *
- * \param[out] attributes The attribute structure to write to.
- * \param slot_number The slot number to set.
- */
-static inline void psa_set_key_slot_number(
- psa_key_attributes_t *attributes,
- psa_key_slot_number_t slot_number)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
- attributes->MBEDTLS_PRIVATE(slot_number) = slot_number;
-}
-
-/** Remove the slot number attribute from a key attribute structure.
- *
- * This function undoes the action of psa_set_key_slot_number().
- *
- * \param[out] attributes The attribute structure to write to.
- */
-static inline void psa_clear_key_slot_number(
- psa_key_attributes_t *attributes)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) &=
- ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
-}
-
-/** Register a key that is already present in a secure element.
- *
- * The key must be located in a secure element designated by the
- * lifetime field in \p attributes, in the slot set with
- * psa_set_key_slot_number() in the attribute structure.
- * This function makes the key available through the key identifier
- * specified in \p attributes.
- *
- * \param[in] attributes The attributes of the existing key.
- *
- * \retval #PSA_SUCCESS
- * The key was successfully registered.
- * Note that depending on the design of the driver, this may or may
- * not guarantee that a key actually exists in the designated slot
- * and is compatible with the specified attributes.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * There is already a key with the identifier specified in
- * \p attributes.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The secure element driver for the specified lifetime does not
- * support registering a key.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The identifier in \p attributes is invalid, namely the identifier is
- * not in the user range, or
- * \p attributes specifies a lifetime which is not located
- * in a secure element, or no slot number is specified in \p attributes,
- * or the specified slot number is not valid.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The caller is not authorized to register the specified key slot.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t mbedtls_psa_register_se_key(
- const psa_key_attributes_t *attributes);
-
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
-/**@}*/
-
-/**
- * \brief Library deinitialization.
- *
- * This function clears all data associated with the PSA layer,
- * including the whole key store.
- *
- * This is an Mbed TLS extension.
- */
-void mbedtls_psa_crypto_free(void);
-
-/** \brief Statistics about
- * resource consumption related to the PSA keystore.
- *
- * \note The content of this structure is not part of the stable API and ABI
- * of Mbed TLS and may change arbitrarily from version to version.
- */
-typedef struct mbedtls_psa_stats_s {
- /** Number of slots containing key material for a volatile key. */
- size_t MBEDTLS_PRIVATE(volatile_slots);
- /** Number of slots containing key material for a key which is in
- * internal persistent storage. */
- size_t MBEDTLS_PRIVATE(persistent_slots);
- /** Number of slots containing a reference to a key in a
- * secure element. */
- size_t MBEDTLS_PRIVATE(external_slots);
- /** Number of slots which are occupied, but do not contain
- * key material yet. */
- size_t MBEDTLS_PRIVATE(half_filled_slots);
- /** Number of slots that contain cache data. */
- size_t MBEDTLS_PRIVATE(cache_slots);
- /** Number of slots that are not used for anything. */
- size_t MBEDTLS_PRIVATE(empty_slots);
- /** Number of slots that are locked. */
- size_t MBEDTLS_PRIVATE(locked_slots);
- /** Largest key id value among open keys in internal persistent storage. */
- psa_key_id_t MBEDTLS_PRIVATE(max_open_internal_key_id);
- /** Largest key id value among open keys in secure elements. */
- psa_key_id_t MBEDTLS_PRIVATE(max_open_external_key_id);
-} mbedtls_psa_stats_t;
-
-/** \brief Get statistics about
- * resource consumption related to the PSA keystore.
- *
- * \note When Mbed TLS is built as part of a service, with isolation
- * between the application and the keystore, the service may or
- * may not expose this function.
- */
-void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats);
-
-/**
- * \brief Inject an initial entropy seed for the random generator into
- * secure storage.
- *
- * This function injects data to be used as a seed for the random generator
- * used by the PSA Crypto implementation. On devices that lack a trusted
- * entropy source (preferably a hardware random number generator),
- * the Mbed PSA Crypto implementation uses this value to seed its
- * random generator.
- *
- * On devices without a trusted entropy source, this function must be
- * called exactly once in the lifetime of the device. On devices with
- * a trusted entropy source, calling this function is optional.
- * In all cases, this function may only be called before calling any
- * other function in the PSA Crypto API, including psa_crypto_init().
- *
- * When this function returns successfully, it populates a file in
- * persistent storage. Once the file has been created, this function
- * can no longer succeed.
- *
- * If any error occurs, this function does not change the system state.
- * You can call this function again after correcting the reason for the
- * error if possible.
- *
- * \warning This function **can** fail! Callers MUST check the return status.
- *
- * \warning If you use this function, you should use it as part of a
- * factory provisioning process. The value of the injected seed
- * is critical to the security of the device. It must be
- * *secret*, *unpredictable* and (statistically) *unique per device*.
- * You should be generate it randomly using a cryptographically
- * secure random generator seeded from trusted entropy sources.
- * You should transmit it securely to the device and ensure
- * that its value is not leaked or stored anywhere beyond the
- * needs of transmitting it from the point of generation to
- * the call of this function, and erase all copies of the value
- * once this function returns.
- *
- * This is an Mbed TLS extension.
- *
- * \note This function is only available on the following platforms:
- * * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled.
- * Note that you must provide compatible implementations of
- * mbedtls_nv_seed_read and mbedtls_nv_seed_write.
- * * In a client-server integration of PSA Cryptography, on the client side,
- * if the server supports this feature.
- * \param[in] seed Buffer containing the seed value to inject.
- * \param[in] seed_size Size of the \p seed buffer.
- * The size of the seed in bytes must be greater
- * or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE
- * and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM
- * in `library/entropy_poll.h` in the Mbed TLS source
- * code.
- * It must be less or equal to
- * #MBEDTLS_ENTROPY_MAX_SEED_SIZE.
- *
- * \retval #PSA_SUCCESS
- * The seed value was injected successfully. The random generator
- * of the PSA Crypto implementation is now ready for use.
- * You may now call psa_crypto_init() and use the PSA Crypto
- * implementation.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p seed_size is out of range.
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * There was a failure reading or writing from storage.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The library has already been initialized. It is no longer
- * possible to call this function.
- */
-psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
- size_t seed_size);
-
-/** \addtogroup crypto_types
- * @{
- */
-
-/** DSA public key.
- *
- * The import and export format is the
- * representation of the public key `y = g^x mod p` as a big-endian byte
- * string. The length of the byte string is the length of the base prime `p`
- * in bytes.
- */
-#define PSA_KEY_TYPE_DSA_PUBLIC_KEY ((psa_key_type_t) 0x4002)
-
-/** DSA key pair (private and public key).
- *
- * The import and export format is the
- * representation of the private key `x` as a big-endian byte string. The
- * length of the byte string is the private key size in bytes (leading zeroes
- * are not stripped).
- *
- * Deterministic DSA key derivation with psa_generate_derived_key follows
- * FIPS 186-4 &sect;B.1.2: interpret the byte string as integer
- * in big-endian order. Discard it if it is not in the range
- * [0, *N* - 2] where *N* is the boundary of the private key domain
- * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
- * or the order of the curve's base point for ECC).
- * Add 1 to the resulting integer and use this as the private key *x*.
- *
- */
-#define PSA_KEY_TYPE_DSA_KEY_PAIR ((psa_key_type_t) 0x7002)
-
-/** Whether a key type is a DSA key (pair or public-only). */
-#define PSA_KEY_TYPE_IS_DSA(type) \
- (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY)
-
-#define PSA_ALG_DSA_BASE ((psa_algorithm_t) 0x06000400)
-/** DSA signature with hashing.
- *
- * This is the signature scheme defined by FIPS 186-4,
- * with a random per-message secret number (*k*).
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding DSA signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_DSA(hash_alg) \
- (PSA_ALG_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_DETERMINISTIC_DSA_BASE ((psa_algorithm_t) 0x06000500)
-#define PSA_ALG_DSA_DETERMINISTIC_FLAG PSA_ALG_ECDSA_DETERMINISTIC_FLAG
-/** Deterministic DSA signature with hashing.
- *
- * This is the deterministic variant defined by RFC 6979 of
- * the signature scheme defined by FIPS 186-4.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding DSA signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_DETERMINISTIC_DSA(hash_alg) \
- (PSA_ALG_DETERMINISTIC_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_IS_DSA(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) == \
- PSA_ALG_DSA_BASE)
-#define PSA_ALG_DSA_IS_DETERMINISTIC(alg) \
- (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0)
-#define PSA_ALG_IS_DETERMINISTIC_DSA(alg) \
- (PSA_ALG_IS_DSA(alg) && PSA_ALG_DSA_IS_DETERMINISTIC(alg))
-#define PSA_ALG_IS_RANDOMIZED_DSA(alg) \
- (PSA_ALG_IS_DSA(alg) && !PSA_ALG_DSA_IS_DETERMINISTIC(alg))
-
-
-/* We need to expand the sample definition of this macro from
- * the API definition. */
-#undef PSA_ALG_IS_VENDOR_HASH_AND_SIGN
-#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) \
- PSA_ALG_IS_DSA(alg)
-
-/**@}*/
-
-/** \addtogroup attributes
- * @{
- */
-
-/** Custom Diffie-Hellman group.
- *
- * For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
- * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes
- * from domain parameters set by psa_set_key_domain_parameters().
- */
-#define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e)
-
-/** PAKE operation stages. */
-#define PSA_PAKE_OPERATION_STAGE_SETUP 0
-#define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1
-#define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2
-
-/**
- * \brief Set domain parameters for a key.
- *
- * Some key types require additional domain parameters in addition to
- * the key type identifier and the key size. Use this function instead
- * of psa_set_key_type() when you need to specify domain parameters.
- *
- * The format for the required domain parameters varies based on the key type.
- *
- * - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR),
- * the domain parameter data consists of the public exponent,
- * represented as a big-endian integer with no leading zeros.
- * This information is used when generating an RSA key pair.
- * When importing a key, the public exponent is read from the imported
- * key data and the exponent recorded in the attribute structure is ignored.
- * As an exception, the public exponent 65537 is represented by an empty
- * byte string.
- * - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR),
- * the `Dss-Params` format as defined by RFC 3279 &sect;2.3.2.
- * ```
- * Dss-Params ::= SEQUENCE {
- * p INTEGER,
- * q INTEGER,
- * g INTEGER
- * }
- * ```
- * - For Diffie-Hellman key exchange keys
- * (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
- * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
- * `DomainParameters` format as defined by RFC 3279 &sect;2.3.3.
- * ```
- * DomainParameters ::= SEQUENCE {
- * p INTEGER, -- odd prime, p=jq +1
- * g INTEGER, -- generator, g
- * q INTEGER, -- factor of p-1
- * j INTEGER OPTIONAL, -- subgroup factor
- * validationParams ValidationParams OPTIONAL
- * }
- * ValidationParams ::= SEQUENCE {
- * seed BIT STRING,
- * pgenCounter INTEGER
- * }
- * ```
- *
- * \note This function may allocate memory or other resources.
- * Once you have called this function on an attribute structure,
- * you must call psa_reset_key_attributes() to free these resources.
- *
- * \note This is an experimental extension to the interface. It may change
- * in future versions of the library.
- *
- * \param[in,out] attributes Attribute structure where the specified domain
- * parameters will be stored.
- * If this function fails, the content of
- * \p attributes is not modified.
- * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
- * \param[in] data Buffer containing the key domain parameters.
- * The content of this buffer is interpreted
- * according to \p type as described above.
- * \param data_length Size of the \p data buffer in bytes.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length);
-
-/**
- * \brief Get domain parameters for a key.
- *
- * Get the domain parameters for a key with this function, if any. The format
- * of the domain parameters written to \p data is specified in the
- * documentation for psa_set_key_domain_parameters().
- *
- * \note This is an experimental extension to the interface. It may change
- * in future versions of the library.
- *
- * \param[in] attributes The key attribute structure to query.
- * \param[out] data On success, the key domain parameters.
- * \param data_size Size of the \p data buffer in bytes.
- * The buffer is guaranteed to be large
- * enough if its size in bytes is at least
- * the value given by
- * PSA_KEY_DOMAIN_PARAMETERS_SIZE().
- * \param[out] data_length On success, the number of bytes
- * that make up the key domain parameters data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
- */
-psa_status_t psa_get_key_domain_parameters(
- const psa_key_attributes_t *attributes,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/** Safe output buffer size for psa_get_key_domain_parameters().
- *
- * This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * \warning This function may call its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \note This is an experimental extension to the interface. It may change
- * in future versions of the library.
- *
- * \param key_type A supported key type.
- * \param key_bits The size of the key in bits.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_get_key_domain_parameters() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not supported
- * by the implementation, this macro shall return either a
- * sensible size or 0.
- * If the parameters are not valid, the
- * return value is unspecified.
- */
-#define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits) \
- (PSA_KEY_TYPE_IS_RSA(key_type) ? sizeof(int) : \
- PSA_KEY_TYPE_IS_DH(key_type) ? PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
- PSA_KEY_TYPE_IS_DSA(key_type) ? PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) : \
- 0)
-#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \
- (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/)
-#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits) \
- (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/)
-
-/**@}*/
-
-/** \defgroup psa_tls_helpers TLS helper functions
- * @{
- */
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-#include <mbedtls/ecp.h>
-
-/** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
- *
- * \note This function is provided solely for the convenience of
- * Mbed TLS and may be removed at any time without notice.
- *
- * \param grpid An Mbed TLS elliptic curve identifier
- * (`MBEDTLS_ECP_DP_xxx`).
- * \param[out] bits On success, the bit size of the curve.
- *
- * \return The corresponding PSA elliptic curve identifier
- * (`PSA_ECC_FAMILY_xxx`).
- * \return \c 0 on failure (\p grpid is not recognized).
- */
-psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
- size_t *bits);
-
-/** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
- *
- * \note This function is provided solely for the convenience of
- * Mbed TLS and may be removed at any time without notice.
- *
- * \param curve A PSA elliptic curve identifier
- * (`PSA_ECC_FAMILY_xxx`).
- * \param bits The bit-length of a private key on \p curve.
- * \param bits_is_sloppy If true, \p bits may be the bit-length rounded up
- * to the nearest multiple of 8. This allows the caller
- * to infer the exact curve from the length of a key
- * which is supplied as a byte string.
- *
- * \return The corresponding Mbed TLS elliptic curve identifier
- * (`MBEDTLS_ECP_DP_xxx`).
- * \return #MBEDTLS_ECP_DP_NONE if \c curve is not recognized.
- * \return #MBEDTLS_ECP_DP_NONE if \p bits is not
- * correct for \p curve.
- */
-mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
- size_t bits,
- int bits_is_sloppy);
-#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
-
-/**@}*/
-
-/** \defgroup psa_external_rng External random generator
- * @{
- */
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-/** External random generator function, implemented by the platform.
- *
- * When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled,
- * this function replaces Mbed TLS's entropy and DRBG modules for all
- * random generation triggered via PSA crypto interfaces.
- *
- * \note This random generator must deliver random numbers with cryptographic
- * quality and high performance. It must supply unpredictable numbers
- * with a uniform distribution. The implementation of this function
- * is responsible for ensuring that the random generator is seeded
- * with sufficient entropy. If you have a hardware TRNG which is slow
- * or delivers non-uniform output, declare it as an entropy source
- * with mbedtls_entropy_add_source() instead of enabling this option.
- *
- * \param[in,out] context Pointer to the random generator context.
- * This is all-bits-zero on the first call
- * and preserved between successive calls.
- * \param[out] output Output buffer. On success, this buffer
- * contains random data with a uniform
- * distribution.
- * \param output_size The size of the \p output buffer in bytes.
- * \param[out] output_length On success, set this value to \p output_size.
- *
- * \retval #PSA_SUCCESS
- * Success. The output buffer contains \p output_size bytes of
- * cryptographic-quality random data, and \c *output_length is
- * set to \p output_size.
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * The random generator requires extra entropy and there is no
- * way to obtain entropy under current environment conditions.
- * This error should not happen under normal circumstances since
- * this function is responsible for obtaining as much entropy as
- * it needs. However implementations of this function may return
- * #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain
- * entropy without blocking indefinitely.
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * A failure of the random generator hardware that isn't covered
- * by #PSA_ERROR_INSUFFICIENT_ENTROPY.
- */
-psa_status_t mbedtls_psa_external_get_random(
- mbedtls_psa_external_random_context_t *context,
- uint8_t *output, size_t output_size, size_t *output_length);
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
-/**@}*/
-
-/** \defgroup psa_builtin_keys Built-in keys
- * @{
- */
-
-/** The minimum value for a key identifier that is built into the
- * implementation.
- *
- * The range of key identifiers from #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN
- * to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX within the range from
- * #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
- * with any other set of implementation-chosen key identifiers.
- *
- * This value is part of the library's ABI since changing it would invalidate
- * the values of built-in key identifiers in applications.
- */
-#define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)
-
-/** The maximum value for a key identifier that is built into the
- * implementation.
- *
- * See #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN for more information.
- */
-#define MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t) 0x7fffefff)
-
-/** A slot number identifying a key in a driver.
- *
- * Values of this type are used to identify built-in keys.
- */
-typedef uint64_t psa_drv_slot_number_t;
-
-#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
-/** Test whether a key identifier belongs to the builtin key range.
- *
- * \param key_id Key identifier to test.
- *
- * \retval 1
- * The key identifier is a builtin key identifier.
- * \retval 0
- * The key identifier is not a builtin key identifier.
- */
-static inline int psa_key_id_is_builtin(psa_key_id_t key_id)
-{
- return (key_id >= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN) &&
- (key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX);
-}
-
-/** Platform function to obtain the location and slot number of a built-in key.
- *
- * An application-specific implementation of this function must be provided if
- * #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided
- * as part of a platform's system image.
- *
- * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from
- * #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.
- *
- * In a multi-application configuration
- * (\c MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined),
- * this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id)
- * is allowed to use the given key.
- *
- * \param key_id The key ID for which to retrieve the
- * location and slot attributes.
- * \param[out] lifetime On success, the lifetime associated with the key
- * corresponding to \p key_id. Lifetime is a
- * combination of which driver contains the key,
- * and with what persistence level the key is
- * intended to be used. If the platform
- * implementation does not contain specific
- * information about the intended key persistence
- * level, the persistence level may be reported as
- * #PSA_KEY_PERSISTENCE_DEFAULT.
- * \param[out] slot_number On success, the slot number known to the driver
- * registered at the lifetime location reported
- * through \p lifetime which corresponds to the
- * requested built-in key.
- *
- * \retval #PSA_SUCCESS
- * The requested key identifier designates a built-in key.
- * In a multi-application configuration, the requested owner
- * is allowed to access it.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * The requested key identifier is not a built-in key which is known
- * to this function. If a key exists in the key storage with this
- * identifier, the data from the storage will be used.
- * \return (any other error)
- * Any other error is propagated to the function that requested the key.
- * Common errors include:
- * - #PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner
- * is not allowed to access it.
- */
-psa_status_t mbedtls_psa_platform_get_builtin_key(
- mbedtls_svc_key_id_t key_id,
- psa_key_lifetime_t *lifetime,
- psa_drv_slot_number_t *slot_number);
-#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
-
-/** @} */
-
-/** \addtogroup crypto_types
- * @{
- */
-
-#define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t) 0x0a000000)
-
-/** Whether the specified algorithm is a password-authenticated key exchange.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a password-authenticated key exchange (PAKE)
- * algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_PAKE(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE)
-
-/** The Password-authenticated key exchange by juggling (J-PAKE) algorithm.
- *
- * This is J-PAKE as defined by RFC 8236, instantiated with the following
- * parameters:
- *
- * - The group can be either an elliptic curve or defined over a finite field.
- * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the
- * J-PAKE algorithm.
- * - A cryptographic hash function.
- *
- * To select these parameters and set up the cipher suite, call these functions
- * in any order:
- *
- * \code
- * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE);
- * psa_pake_cs_set_primitive(cipher_suite,
- * PSA_PAKE_PRIMITIVE(type, family, bits));
- * psa_pake_cs_set_hash(cipher_suite, hash);
- * \endcode
- *
- * For more information on how to set a specific curve or field, refer to the
- * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
- *
- * After initializing a J-PAKE operation, call
- *
- * \code
- * psa_pake_setup(operation, cipher_suite);
- * psa_pake_set_user(operation, ...);
- * psa_pake_set_peer(operation, ...);
- * psa_pake_set_password_key(operation, ...);
- * \endcode
- *
- * The password is provided as a key. This can be the password text itself,
- * in an agreed character encoding, or some value derived from the password
- * as required by a higher level protocol.
- *
- * (The implementation converts the key material to a number as described in
- * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_
- * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here
- * \c q is order of the group defined by the primitive set in the cipher suite.
- * The \c psa_pake_set_password_key() function returns an error if the result
- * of the reduction is 0.)
- *
- * The key exchange flow for J-PAKE is as follows:
- * -# To get the first round data that needs to be sent to the peer, call
- * \code
- * // Get g1
- * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Get the ZKP public key for x1
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Get the ZKP proof for x1
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * // Get g2
- * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Get the ZKP public key for x2
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Get the ZKP proof for x2
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * \endcode
- * -# To provide the first round data received from the peer to the operation,
- * call
- * \code
- * // Set g3
- * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Set the ZKP public key for x3
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Set the ZKP proof for x3
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * // Set g4
- * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Set the ZKP public key for x4
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Set the ZKP proof for x4
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * \endcode
- * -# To get the second round data that needs to be sent to the peer, call
- * \code
- * // Get A
- * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Get ZKP public key for x2*s
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Get ZKP proof for x2*s
- * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * \endcode
- * -# To provide the second round data received from the peer to the operation,
- * call
- * \code
- * // Set B
- * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
- * // Set ZKP public key for x4*s
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
- * // Set ZKP proof for x4*s
- * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
- * \endcode
- * -# To access the shared secret call
- * \code
- * // Get Ka=Kb=K
- * psa_pake_get_implicit_key()
- * \endcode
- *
- * For more information consult the documentation of the individual
- * \c PSA_PAKE_STEP_XXX constants.
- *
- * At this point there is a cryptographic guarantee that only the authenticated
- * party who used the same password is able to compute the key. But there is no
- * guarantee that the peer is the party it claims to be and was able to do so.
- *
- * That is, the authentication is only implicit (the peer is not authenticated
- * at this point, and no action should be taken that assume that they are - like
- * for example accessing restricted files).
- *
- * To make the authentication explicit there are various methods, see Section 5
- * of RFC 8236 for two examples.
- *
- */
-#define PSA_ALG_JPAKE ((psa_algorithm_t) 0x0a000100)
-
-/** @} */
-
-/** \defgroup pake Password-authenticated key exchange (PAKE)
- *
- * This is a proposed PAKE interface for the PSA Crypto API. It is not part of
- * the official PSA Crypto API yet.
- *
- * \note The content of this section is not part of the stable API and ABI
- * of Mbed TLS and may change arbitrarily from version to version.
- * Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
- * #PSA_ALG_JPAKE.
- * @{
- */
-
-/** \brief Encoding of the application role of PAKE
- *
- * Encodes the application's role in the algorithm is being executed. For more
- * information see the documentation of individual \c PSA_PAKE_ROLE_XXX
- * constants.
- */
-typedef uint8_t psa_pake_role_t;
-
-/** Encoding of input and output indicators for PAKE.
- *
- * Some PAKE algorithms need to exchange more data than just a single key share.
- * This type is for encoding additional input and output data for such
- * algorithms.
- */
-typedef uint8_t psa_pake_step_t;
-
-/** Encoding of the type of the PAKE's primitive.
- *
- * Values defined by this standard will never be in the range 0x80-0xff.
- * Vendors who define additional types must use an encoding in this range.
- *
- * For more information see the documentation of individual
- * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
- */
-typedef uint8_t psa_pake_primitive_type_t;
-
-/** \brief Encoding of the family of the primitive associated with the PAKE.
- *
- * For more information see the documentation of individual
- * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
- */
-typedef uint8_t psa_pake_family_t;
-
-/** \brief Encoding of the primitive associated with the PAKE.
- *
- * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro.
- */
-typedef uint32_t psa_pake_primitive_t;
-
-/** A value to indicate no role in a PAKE algorithm.
- * This value can be used in a call to psa_pake_set_role() for symmetric PAKE
- * algorithms which do not assign roles.
- */
-#define PSA_PAKE_ROLE_NONE ((psa_pake_role_t) 0x00)
-
-/** The first peer in a balanced PAKE.
- *
- * Although balanced PAKE algorithms are symmetric, some of them needs an
- * ordering of peers for the transcript calculations. If the algorithm does not
- * need this, both #PSA_PAKE_ROLE_FIRST and #PSA_PAKE_ROLE_SECOND are
- * accepted.
- */
-#define PSA_PAKE_ROLE_FIRST ((psa_pake_role_t) 0x01)
-
-/** The second peer in a balanced PAKE.
- *
- * Although balanced PAKE algorithms are symmetric, some of them needs an
- * ordering of peers for the transcript calculations. If the algorithm does not
- * need this, either #PSA_PAKE_ROLE_FIRST or #PSA_PAKE_ROLE_SECOND are
- * accepted.
- */
-#define PSA_PAKE_ROLE_SECOND ((psa_pake_role_t) 0x02)
-
-/** The client in an augmented PAKE.
- *
- * Augmented PAKE algorithms need to differentiate between client and server.
- */
-#define PSA_PAKE_ROLE_CLIENT ((psa_pake_role_t) 0x11)
-
-/** The server in an augmented PAKE.
- *
- * Augmented PAKE algorithms need to differentiate between client and server.
- */
-#define PSA_PAKE_ROLE_SERVER ((psa_pake_role_t) 0x12)
-
-/** The PAKE primitive type indicating the use of elliptic curves.
- *
- * The values of the \c family and \c bits fields of the cipher suite identify a
- * specific elliptic curve, using the same mapping that is used for ECC
- * (::psa_ecc_family_t) keys.
- *
- * (Here \c family means the value returned by psa_pake_cs_get_family() and
- * \c bits means the value returned by psa_pake_cs_get_bits().)
- *
- * Input and output during the operation can involve group elements and scalar
- * values:
- * -# The format for group elements is the same as for public keys on the
- * specific curve would be. For more information, consult the documentation of
- * psa_export_public_key().
- * -# The format for scalars is the same as for private keys on the specific
- * curve would be. For more information, consult the documentation of
- * psa_export_key().
- */
-#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t) 0x01)
-
-/** The PAKE primitive type indicating the use of Diffie-Hellman groups.
- *
- * The values of the \c family and \c bits fields of the cipher suite identify
- * a specific Diffie-Hellman group, using the same mapping that is used for
- * Diffie-Hellman (::psa_dh_family_t) keys.
- *
- * (Here \c family means the value returned by psa_pake_cs_get_family() and
- * \c bits means the value returned by psa_pake_cs_get_bits().)
- *
- * Input and output during the operation can involve group elements and scalar
- * values:
- * -# The format for group elements is the same as for public keys on the
- * specific group would be. For more information, consult the documentation of
- * psa_export_public_key().
- * -# The format for scalars is the same as for private keys on the specific
- * group would be. For more information, consult the documentation of
- * psa_export_key().
- */
-#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t) 0x02)
-
-/** Construct a PAKE primitive from type, family and bit-size.
- *
- * \param pake_type The type of the primitive
- * (value of type ::psa_pake_primitive_type_t).
- * \param pake_family The family of the primitive
- * (the type and interpretation of this parameter depends
- * on \p pake_type, for more information consult the
- * documentation of individual ::psa_pake_primitive_type_t
- * constants).
- * \param pake_bits The bit-size of the primitive
- * (Value of type \c size_t. The interpretation
- * of this parameter depends on \p pake_family, for more
- * information consult the documentation of individual
- * ::psa_pake_primitive_type_t constants).
- *
- * \return The constructed primitive value of type ::psa_pake_primitive_t.
- * Return 0 if the requested primitive can't be encoded as
- * ::psa_pake_primitive_t.
- */
-#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \
- ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \
- ((psa_pake_primitive_t) (((pake_type) << 24 | \
- (pake_family) << 16) | (pake_bits)))
-
-/** The key share being sent to or received from the peer.
- *
- * The format for both input and output at this step is the same as for public
- * keys on the group determined by the primitive (::psa_pake_primitive_t) would
- * be.
- *
- * For more information on the format, consult the documentation of
- * psa_export_public_key().
- *
- * For information regarding how the group is determined, consult the
- * documentation #PSA_PAKE_PRIMITIVE.
- */
-#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t) 0x01)
-
-/** A Schnorr NIZKP public key.
- *
- * This is the ephemeral public key in the Schnorr Non-Interactive
- * Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
- *
- * The format for both input and output at this step is the same as for public
- * keys on the group determined by the primitive (::psa_pake_primitive_t) would
- * be.
- *
- * For more information on the format, consult the documentation of
- * psa_export_public_key().
- *
- * For information regarding how the group is determined, consult the
- * documentation #PSA_PAKE_PRIMITIVE.
- */
-#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t) 0x02)
-
-/** A Schnorr NIZKP proof.
- *
- * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
- * value denoted by the letter 'r' in RFC 8235).
- *
- * Both for input and output, the value at this step is an integer less than
- * the order of the group selected in the cipher suite. The format depends on
- * the group as well:
- *
- * - For Montgomery curves, the encoding is little endian.
- * - For everything else the encoding is big endian (see Section 2.3.8 of
- * _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
- *
- * In both cases leading zeroes are allowed as long as the length in bytes does
- * not exceed the byte length of the group order.
- *
- * For information regarding how the group is determined, consult the
- * documentation #PSA_PAKE_PRIMITIVE.
- */
-#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t) 0x03)
-
-/** The type of the data structure for PAKE cipher suites.
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice.
- */
-typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
-
-/** Return an initial value for a PAKE cipher suite object.
- */
-static psa_pake_cipher_suite_t psa_pake_cipher_suite_init(void);
-
-/** Retrieve the PAKE algorithm from a PAKE cipher suite.
- *
- * \param[in] cipher_suite The cipher suite structure to query.
- *
- * \return The PAKE algorithm stored in the cipher suite structure.
- */
-static psa_algorithm_t psa_pake_cs_get_algorithm(
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Declare the PAKE algorithm for the cipher suite.
- *
- * This function overwrites any PAKE algorithm
- * previously set in \p cipher_suite.
- *
- * \param[out] cipher_suite The cipher suite structure to write to.
- * \param algorithm The PAKE algorithm to write.
- * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
- * such that #PSA_ALG_IS_PAKE(\c alg) is true.)
- * If this is 0, the PAKE algorithm in
- * \p cipher_suite becomes unspecified.
- */
-static void psa_pake_cs_set_algorithm(psa_pake_cipher_suite_t *cipher_suite,
- psa_algorithm_t algorithm);
-
-/** Retrieve the primitive from a PAKE cipher suite.
- *
- * \param[in] cipher_suite The cipher suite structure to query.
- *
- * \return The primitive stored in the cipher suite structure.
- */
-static psa_pake_primitive_t psa_pake_cs_get_primitive(
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Declare the primitive for a PAKE cipher suite.
- *
- * This function overwrites any primitive previously set in \p cipher_suite.
- *
- * \param[out] cipher_suite The cipher suite structure to write to.
- * \param primitive The primitive to write. If this is 0, the
- * primitive type in \p cipher_suite becomes
- * unspecified.
- */
-static void psa_pake_cs_set_primitive(psa_pake_cipher_suite_t *cipher_suite,
- psa_pake_primitive_t primitive);
-
-/** Retrieve the PAKE family from a PAKE cipher suite.
- *
- * \param[in] cipher_suite The cipher suite structure to query.
- *
- * \return The PAKE family stored in the cipher suite structure.
- */
-static psa_pake_family_t psa_pake_cs_get_family(
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Retrieve the PAKE primitive bit-size from a PAKE cipher suite.
- *
- * \param[in] cipher_suite The cipher suite structure to query.
- *
- * \return The PAKE primitive bit-size stored in the cipher suite structure.
- */
-static uint16_t psa_pake_cs_get_bits(
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Retrieve the hash algorithm from a PAKE cipher suite.
- *
- * \param[in] cipher_suite The cipher suite structure to query.
- *
- * \return The hash algorithm stored in the cipher suite structure. The return
- * value is 0 if the PAKE is not parametrised by a hash algorithm or if
- * the hash algorithm is not set.
- */
-static psa_algorithm_t psa_pake_cs_get_hash(
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Declare the hash algorithm for a PAKE cipher suite.
- *
- * This function overwrites any hash algorithm
- * previously set in \p cipher_suite.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * \param[out] cipher_suite The cipher suite structure to write to.
- * \param hash The hash involved in the cipher suite.
- * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
- * such that #PSA_ALG_IS_HASH(\c alg) is true.)
- * If this is 0, the hash algorithm in
- * \p cipher_suite becomes unspecified.
- */
-static void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
- psa_algorithm_t hash);
-
-/** The type of the state data structure for PAKE operations.
- *
- * Before calling any function on a PAKE operation object, the application
- * must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_pake_operation_t operation;
- * memset(&operation, 0, sizeof(operation));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_pake_operation_t operation = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT,
- * for example:
- * \code
- * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT;
- * \endcode
- * - Assign the result of the function psa_pake_operation_init()
- * to the structure, for example:
- * \code
- * psa_pake_operation_t operation;
- * operation = psa_pake_operation_init();
- * \endcode
- *
- * This is an implementation-defined \c struct. Applications should not
- * make any assumptions about the content of this structure.
- * Implementation details can change in future versions without notice. */
-typedef struct psa_pake_operation_s psa_pake_operation_t;
-
-/** The type of input values for PAKE operations. */
-typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t;
-
-/** The type of computation stage for J-PAKE operations. */
-typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
-
-/** Return an initial value for a PAKE operation object.
- */
-static psa_pake_operation_t psa_pake_operation_init(void);
-
-/** Get the length of the password in bytes from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] password_len Password length.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Password hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_password_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *password_len);
-
-/** Get the password from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] buffer Return buffer for password.
- * \param buffer_size Size of the return buffer in bytes.
- * \param[out] buffer_length Actual size of the password in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Password hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_password(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *buffer, size_t buffer_size, size_t *buffer_length);
-
-/** Get the length of the user id in bytes from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] user_len User id length.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * User id hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_user_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *user_len);
-
-/** Get the length of the peer id in bytes from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] peer_len Peer id length.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Peer id hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_peer_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *peer_len);
-
-/** Get the user id from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] user_id User id.
- * \param user_id_size Size of \p user_id in bytes.
- * \param[out] user_id_len Size of the user id in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * User id hasn't been set yet.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p user_id is too small.
- */
-psa_status_t psa_crypto_driver_pake_get_user(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *user_id, size_t user_id_size, size_t *user_id_len);
-
-/** Get the peer id from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] peer_id Peer id.
- * \param peer_id_size Size of \p peer_id in bytes.
- * \param[out] peer_id_length Size of the peer id in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Peer id hasn't been set yet.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p peer_id is too small.
- */
-psa_status_t psa_crypto_driver_pake_get_peer(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length);
-
-/** Get the cipher suite from given inputs.
- *
- * \param[in] inputs Operation inputs.
- * \param[out] cipher_suite Return buffer for role.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * Cipher_suite hasn't been set yet.
- */
-psa_status_t psa_crypto_driver_pake_get_cipher_suite(
- const psa_crypto_driver_pake_inputs_t *inputs,
- psa_pake_cipher_suite_t *cipher_suite);
-
-/** Set the session information for a password-authenticated key exchange.
- *
- * The sequence of operations to set up a password-authenticated key exchange
- * is as follows:
- * -# Allocate an operation object which will be passed to all the functions
- * listed here.
- * -# Initialize the operation object with one of the methods described in the
- * documentation for #psa_pake_operation_t, e.g.
- * #PSA_PAKE_OPERATION_INIT.
- * -# Call psa_pake_setup() to specify the cipher suite.
- * -# Call \c psa_pake_set_xxx() functions on the operation to complete the
- * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs
- * to be called depends on the algorithm in use.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * A typical sequence of calls to perform a password-authenticated key
- * exchange:
- * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the
- * key share that needs to be sent to the peer.
- * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide
- * the key share that was received from the peer.
- * -# Depending on the algorithm additional calls to psa_pake_output() and
- * psa_pake_input() might be necessary.
- * -# Call psa_pake_get_implicit_key() for accessing the shared secret.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * If an error occurs at any step after a call to psa_pake_setup(),
- * the operation will need to be reset by a call to psa_pake_abort(). The
- * application may call psa_pake_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to psa_pake_setup(), the application must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A call to psa_pake_abort().
- * - A successful call to psa_pake_get_implicit_key().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized but not set up yet.
- * \param[in] cipher_suite The cipher suite to use. (A cipher suite fully
- * characterizes a PAKE algorithm and determines
- * the algorithm as well.)
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The algorithm in \p cipher_suite is not a PAKE algorithm, or the
- * PAKE primitive in \p cipher_suite is not compatible with the
- * PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid
- * or not compatible with the PAKE algorithm and primitive.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
- * or the PAKE primitive in \p cipher_suite is not supported or not
- * compatible with the PAKE algorithm, or the hash algorithm in
- * \p cipher_suite is not supported or not compatible with the PAKE
- * algorithm and primitive.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_setup(psa_pake_operation_t *operation,
- const psa_pake_cipher_suite_t *cipher_suite);
-
-/** Set the password for a password-authenticated key exchange from key ID.
- *
- * Call this function when the password, or a value derived from the password,
- * is already present in the key store.
- *
- * \param[in,out] operation The operation object to set the password for. It
- * must have been set up by psa_pake_setup() and
- * not yet in use (neither psa_pake_output() nor
- * psa_pake_input() has been called yet). It must
- * be on operation for which the password hasn't
- * been set yet (psa_pake_set_password_key()
- * hasn't been called yet).
- * \param password Identifier of the key holding the password or a
- * value derived from the password (eg. by a
- * memory-hard function). It must remain valid
- * until the operation terminates. It must be of
- * type #PSA_KEY_TYPE_PASSWORD or
- * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow
- * the usage #PSA_KEY_USAGE_DERIVE.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p password is not a valid key identifier.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not
- * permit the \p operation's algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or
- * #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with
- * the \p operation's cipher suite.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The key type or key size of \p password is not supported with the
- * \p operation's cipher suite.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must have been set up.), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation,
- mbedtls_svc_key_id_t password);
-
-/** Set the user ID for a password-authenticated key exchange.
- *
- * Call this function to set the user ID. For PAKE algorithms that associate a
- * user identifier with each side of the session you need to call
- * psa_pake_set_peer() as well. For PAKE algorithms that associate a single
- * user identifier with the session, call psa_pake_set_user() only.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * \param[in,out] operation The operation object to set the user ID for. It
- * must have been set up by psa_pake_setup() and
- * not yet in use (neither psa_pake_output() nor
- * psa_pake_input() has been called yet). It must
- * be on operation for which the user ID hasn't
- * been set (psa_pake_set_user() hasn't been
- * called yet).
- * \param[in] user_id The user ID to authenticate with.
- * \param user_id_len Size of the \p user_id buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p user_id is not valid for the \p operation's algorithm and cipher
- * suite.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The value of \p user_id is not supported by the implementation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_set_user(psa_pake_operation_t *operation,
- const uint8_t *user_id,
- size_t user_id_len);
-
-/** Set the peer ID for a password-authenticated key exchange.
- *
- * Call this function in addition to psa_pake_set_user() for PAKE algorithms
- * that associate a user identifier with each side of the session. For PAKE
- * algorithms that associate a single user identifier with the session, call
- * psa_pake_set_user() only.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * \param[in,out] operation The operation object to set the peer ID for. It
- * must have been set up by psa_pake_setup() and
- * not yet in use (neither psa_pake_output() nor
- * psa_pake_input() has been called yet). It must
- * be on operation for which the peer ID hasn't
- * been set (psa_pake_set_peer() hasn't been
- * called yet).
- * \param[in] peer_id The peer's ID to authenticate.
- * \param peer_id_len Size of the \p peer_id buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p peer_id is not valid for the \p operation's algorithm and cipher
- * suite.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The algorithm doesn't associate a second identity with the session.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * Calling psa_pake_set_peer() is invalid with the \p operation's
- * algorithm, the operation state is not valid, or the library has not
- * been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation,
- const uint8_t *peer_id,
- size_t peer_id_len);
-
-/** Set the application role for a password-authenticated key exchange.
- *
- * Not all PAKE algorithms need to differentiate the communicating entities.
- * It is optional to call this function for PAKEs that don't require a role
- * to be specified. For such PAKEs the application role parameter is ignored,
- * or #PSA_PAKE_ROLE_NONE can be passed as \c role.
- *
- * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
- * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
- * for more information.
- *
- * \param[in,out] operation The operation object to specify the
- * application's role for. It must have been set up
- * by psa_pake_setup() and not yet in use (neither
- * psa_pake_output() nor psa_pake_input() has been
- * called yet). It must be on operation for which
- * the application's role hasn't been specified
- * (psa_pake_set_role() hasn't been called yet).
- * \param role A value of type ::psa_pake_role_t indicating the
- * application's role in the PAKE the algorithm
- * that is being set up. For more information see
- * the documentation of \c PSA_PAKE_ROLE_XXX
- * constants.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The \p role is not a valid PAKE role in the \p operation’s algorithm.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The \p role for this algorithm is not supported or is not valid.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid, or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_set_role(psa_pake_operation_t *operation,
- psa_pake_role_t role);
-
-/** Get output for a step of a password-authenticated key exchange.
- *
- * Depending on the algorithm being executed, you might need to call this
- * function several times or you might not need to call this at all.
- *
- * The exact sequence of calls to perform a password-authenticated key
- * exchange depends on the algorithm in use. Refer to the documentation of
- * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
- * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
- * information.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_pake_abort().
- *
- * \param[in,out] operation Active PAKE operation.
- * \param step The step of the algorithm for which the output is
- * requested.
- * \param[out] output Buffer where the output is to be written in the
- * format appropriate for this \p step. Refer to
- * the documentation of the individual
- * \c PSA_PAKE_STEP_XXX constants for more
- * information.
- * \param output_size Size of the \p output buffer in bytes. This must
- * be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c
- * primitive, \p output_step) where \c alg and
- * \p primitive are the PAKE algorithm and primitive
- * in the operation's cipher suite, and \p step is
- * the output step.
- *
- * \param[out] output_length On success, the number of bytes of the returned
- * output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p step is not compatible with the operation's algorithm.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p step is not supported with the operation's algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, and fully set
- * up, and this call must conform to the algorithm's requirements
- * for ordering of input and output steps), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_output(psa_pake_operation_t *operation,
- psa_pake_step_t step,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Provide input for a step of a password-authenticated key exchange.
- *
- * Depending on the algorithm being executed, you might need to call this
- * function several times or you might not need to call this at all.
- *
- * The exact sequence of calls to perform a password-authenticated key
- * exchange depends on the algorithm in use. Refer to the documentation of
- * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
- * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
- * information.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling psa_pake_abort().
- *
- * \param[in,out] operation Active PAKE operation.
- * \param step The step for which the input is provided.
- * \param[in] input Buffer containing the input in the format
- * appropriate for this \p step. Refer to the
- * documentation of the individual
- * \c PSA_PAKE_STEP_XXX constants for more
- * information.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p input_length is not compatible with the \p operation’s algorithm,
- * or the \p input is not valid for the \p operation's algorithm,
- * cipher suite or \p step.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p step p is not supported with the \p operation's algorithm, or the
- * \p input is not supported for the \p operation's algorithm, cipher
- * suite or \p step.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active, and fully set
- * up, and this call must conform to the algorithm's requirements
- * for ordering of input and output steps), or
- * the library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_input(psa_pake_operation_t *operation,
- psa_pake_step_t step,
- const uint8_t *input,
- size_t input_length);
-
-/** Get implicitly confirmed shared secret from a PAKE.
- *
- * At this point there is a cryptographic guarantee that only the authenticated
- * party who used the same password is able to compute the key. But there is no
- * guarantee that the peer is the party it claims to be and was able to do so.
- *
- * That is, the authentication is only implicit. Since the peer is not
- * authenticated yet, no action should be taken yet that assumes that the peer
- * is who it claims to be. For example, do not access restricted files on the
- * peer's behalf until an explicit authentication has succeeded.
- *
- * This function can be called after the key exchange phase of the operation
- * has completed. It imports the shared secret output of the PAKE into the
- * provided derivation operation. The input step
- * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key
- * material in the key derivation operation.
- *
- * The exact sequence of calls to perform a password-authenticated key
- * exchange depends on the algorithm in use. Refer to the documentation of
- * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
- * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
- * information.
- *
- * When this function returns successfully, \p operation becomes inactive.
- * If this function returns an error status, both \p operation
- * and \c key_derivation operations enter an error state and must be aborted by
- * calling psa_pake_abort() and psa_key_derivation_abort() respectively.
- *
- * \param[in,out] operation Active PAKE operation.
- * \param[out] output A key derivation operation that is ready
- * for an input step of type
- * #PSA_KEY_DERIVATION_INPUT_SECRET.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the
- * algorithm in the \p output key derivation operation.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Input from a PAKE is not supported by the algorithm in the \p output
- * key derivation operation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The PAKE operation state is not valid (it must be active, but beyond
- * that validity is specific to the algorithm), or
- * the library has not been previously initialized by psa_crypto_init(),
- * or the state of \p output is not valid for
- * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the
- * step is out of order or the application has done this step already
- * and it may not be repeated.
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
- psa_key_derivation_operation_t *output);
-
-/** Abort a PAKE operation.
- *
- * Aborting an operation frees all associated resources except for the \c
- * operation structure itself. Once aborted, the operation object can be reused
- * for another operation by calling psa_pake_setup() again.
- *
- * This function may be called at any time after the operation
- * object has been initialized as described in #psa_pake_operation_t.
- *
- * In particular, calling psa_pake_abort() after the operation has been
- * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key()
- * is safe and has no effect.
- *
- * \param[in,out] operation The operation to abort.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_pake_abort(psa_pake_operation_t *operation);
-
-/**@}*/
-
-/** A sufficient output buffer size for psa_pake_output().
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_pake_output() will not fail due to an insufficient output buffer
- * size. The actual size of the output might be smaller in any given call.
- *
- * See also #PSA_PAKE_OUTPUT_MAX_SIZE
- *
- * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_PAKE(\p alg) is true).
- * \param primitive A primitive of type ::psa_pake_primitive_t that is
- * compatible with algorithm \p alg.
- * \param output_step A value of type ::psa_pake_step_t that is valid for the
- * algorithm \p alg.
- * \return A sufficient output buffer size for the specified
- * PAKE algorithm, primitive, and output step. If the
- * PAKE algorithm, primitive, or output step is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) \
- (alg == PSA_ALG_JPAKE && \
- primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
- PSA_ECC_FAMILY_SECP_R1, 256) ? \
- ( \
- output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
- output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
- 32 \
- ) : \
- 0)
-
-/** A sufficient input buffer size for psa_pake_input().
- *
- * The value returned by this macro is guaranteed to be large enough for any
- * valid input to psa_pake_input() in an operation with the specified
- * parameters.
- *
- * See also #PSA_PAKE_INPUT_MAX_SIZE
- *
- * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_PAKE(\p alg) is true).
- * \param primitive A primitive of type ::psa_pake_primitive_t that is
- * compatible with algorithm \p alg.
- * \param input_step A value of type ::psa_pake_step_t that is valid for the
- * algorithm \p alg.
- * \return A sufficient input buffer size for the specified
- * input, cipher suite and algorithm. If the cipher suite,
- * the input type or PAKE algorithm is not recognized, or
- * the parameters are incompatible, return 0.
- */
-#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) \
- (alg == PSA_ALG_JPAKE && \
- primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
- PSA_ECC_FAMILY_SECP_R1, 256) ? \
- ( \
- input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
- input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
- 32 \
- ) : \
- 0)
-
-/** Output buffer size for psa_pake_output() for any of the supported PAKE
- * algorithm and primitive suites and output step.
- *
- * This macro must expand to a compile-time constant integer.
- *
- * The value of this macro must be at least as large as the largest value
- * returned by PSA_PAKE_OUTPUT_SIZE()
- *
- * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p output_step).
- */
-#define PSA_PAKE_OUTPUT_MAX_SIZE 65
-
-/** Input buffer size for psa_pake_input() for any of the supported PAKE
- * algorithm and primitive suites and input step.
- *
- * This macro must expand to a compile-time constant integer.
- *
- * The value of this macro must be at least as large as the largest value
- * returned by PSA_PAKE_INPUT_SIZE()
- *
- * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p output_step).
- */
-#define PSA_PAKE_INPUT_MAX_SIZE 65
-
-/** Returns a suitable initializer for a PAKE cipher suite object of type
- * psa_pake_cipher_suite_t.
- */
-#define PSA_PAKE_CIPHER_SUITE_INIT { PSA_ALG_NONE, 0, 0, 0, PSA_ALG_NONE }
-
-/** Returns a suitable initializer for a PAKE operation object of type
- * psa_pake_operation_t.
- */
-#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, 0, PSA_PAKE_OPERATION_STAGE_SETUP, \
- { 0 }, { { 0 } } }
-
-struct psa_pake_cipher_suite_s {
- psa_algorithm_t algorithm;
- psa_pake_primitive_type_t type;
- psa_pake_family_t family;
- uint16_t bits;
- psa_algorithm_t hash;
-};
-
-static inline psa_algorithm_t psa_pake_cs_get_algorithm(
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- return cipher_suite->algorithm;
-}
-
-static inline void psa_pake_cs_set_algorithm(
- psa_pake_cipher_suite_t *cipher_suite,
- psa_algorithm_t algorithm)
-{
- if (!PSA_ALG_IS_PAKE(algorithm)) {
- cipher_suite->algorithm = 0;
- } else {
- cipher_suite->algorithm = algorithm;
- }
-}
-
-static inline psa_pake_primitive_t psa_pake_cs_get_primitive(
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- return PSA_PAKE_PRIMITIVE(cipher_suite->type, cipher_suite->family,
- cipher_suite->bits);
-}
-
-static inline void psa_pake_cs_set_primitive(
- psa_pake_cipher_suite_t *cipher_suite,
- psa_pake_primitive_t primitive)
-{
- cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24);
- cipher_suite->family = (psa_pake_family_t) (0xFF & (primitive >> 16));
- cipher_suite->bits = (uint16_t) (0xFFFF & primitive);
-}
-
-static inline psa_pake_family_t psa_pake_cs_get_family(
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- return cipher_suite->family;
-}
-
-static inline uint16_t psa_pake_cs_get_bits(
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- return cipher_suite->bits;
-}
-
-static inline psa_algorithm_t psa_pake_cs_get_hash(
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- return cipher_suite->hash;
-}
-
-static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
- psa_algorithm_t hash)
-{
- if (!PSA_ALG_IS_HASH(hash)) {
- cipher_suite->hash = 0;
- } else {
- cipher_suite->hash = hash;
- }
-}
-
-struct psa_crypto_driver_pake_inputs_s {
- uint8_t *MBEDTLS_PRIVATE(password);
- size_t MBEDTLS_PRIVATE(password_len);
- uint8_t *MBEDTLS_PRIVATE(user);
- size_t MBEDTLS_PRIVATE(user_len);
- uint8_t *MBEDTLS_PRIVATE(peer);
- size_t MBEDTLS_PRIVATE(peer_len);
- psa_key_attributes_t MBEDTLS_PRIVATE(attributes);
- psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite);
-};
-
-typedef enum psa_crypto_driver_pake_step {
- PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */
- PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/
- PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */
- PSA_JPAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */
- PSA_JPAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/
- PSA_JPAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */
- PSA_JPAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */
- PSA_JPAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */
- PSA_JPAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */
- PSA_JPAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */
- PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */
- PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */
- PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */
-} psa_crypto_driver_pake_step_t;
-
-typedef enum psa_jpake_round {
- PSA_JPAKE_FIRST = 0,
- PSA_JPAKE_SECOND = 1,
- PSA_JPAKE_FINISHED = 2
-} psa_jpake_round_t;
-
-typedef enum psa_jpake_io_mode {
- PSA_JPAKE_INPUT = 0,
- PSA_JPAKE_OUTPUT = 1
-} psa_jpake_io_mode_t;
-
-struct psa_jpake_computation_stage_s {
- /* The J-PAKE round we are currently on */
- psa_jpake_round_t MBEDTLS_PRIVATE(round);
- /* The 'mode' we are currently in (inputting or outputting) */
- psa_jpake_io_mode_t MBEDTLS_PRIVATE(io_mode);
- /* The number of completed inputs so far this round */
- uint8_t MBEDTLS_PRIVATE(inputs);
- /* The number of completed outputs so far this round */
- uint8_t MBEDTLS_PRIVATE(outputs);
- /* The next expected step (KEY_SHARE, ZK_PUBLIC or ZK_PROOF) */
- psa_pake_step_t MBEDTLS_PRIVATE(step);
-};
-
-#define PSA_JPAKE_EXPECTED_INPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
- ((round) == PSA_JPAKE_FIRST ? 2 : 1))
-#define PSA_JPAKE_EXPECTED_OUTPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
- ((round) == PSA_JPAKE_FIRST ? 2 : 1))
-
-struct psa_pake_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_crypto_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
- /* Algorithm of the PAKE operation */
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- /* A primitive of type compatible with algorithm */
- psa_pake_primitive_t MBEDTLS_PRIVATE(primitive);
- /* Stage of the PAKE operation: waiting for the setup, collecting inputs
- * or computing. */
- uint8_t MBEDTLS_PRIVATE(stage);
- /* Holds computation stage of the PAKE algorithms. */
- union {
- uint8_t MBEDTLS_PRIVATE(dummy);
-#if defined(PSA_WANT_ALG_JPAKE)
- psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake);
-#endif
- } MBEDTLS_PRIVATE(computation_stage);
- union {
- psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx);
- psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs);
- } MBEDTLS_PRIVATE(data);
-};
-
-static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void)
-{
- const struct psa_pake_cipher_suite_s v = PSA_PAKE_CIPHER_SUITE_INIT;
- return v;
-}
-
-static inline struct psa_pake_operation_s psa_pake_operation_init(void)
-{
- const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT;
- return v;
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_EXTRA_H */
diff --git a/include/psa/crypto_legacy.h b/include/psa/crypto_legacy.h
deleted file mode 100644
index 7a038d9..0000000
--- a/include/psa/crypto_legacy.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * \file psa/crypto_legacy.h
- *
- * \brief Add temporary suppport for deprecated symbols before they are
- * removed from the library.
- *
- * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR
- * symbols are deprecated.
- * New symols add a suffix to that base name in order to clearly state what is
- * the expected use for the key (use, import, export, generate, derive).
- * Here we define some backward compatibility support for uses stil using
- * the legacy symbols.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PSA_CRYPTO_LEGACY_H
-#define MBEDTLS_PSA_CRYPTO_LEGACY_H
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) //no-check-names
-#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
-#endif
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) //no-check-names
-#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
-#endif
-#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
-#endif
-#endif
-
-#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) //no-check-names
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
-#endif
-#endif
-
-#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) //no-check-names
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT
-#endif
-#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-#endif
-#endif
-
-#endif /* MBEDTLS_PSA_CRYPTO_LEGACY_H */
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
deleted file mode 100644
index 8c81ded..0000000
--- a/include/psa/crypto_platform.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- * \file psa/crypto_platform.h
- *
- * \brief PSA cryptography module: Mbed TLS platform definitions
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * This file contains platform-dependent type definitions.
- *
- * In implementations with isolation between the application and the
- * cryptography module, implementers should take care to ensure that
- * the definitions that are exposed to applications match what the
- * module implements.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_PLATFORM_H
-#define PSA_CRYPTO_PLATFORM_H
-#include "mbedtls/private_access.h"
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-/* PSA requires several types which C99 provides in stdint.h. */
-#include <stdint.h>
-
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
-
-/* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA
- * partition identifier.
- *
- * The function psa_its_identifier_of_slot() in psa_crypto_storage.c that
- * translates a key identifier to a key storage file name assumes that
- * mbedtls_key_owner_id_t is a 32-bit integer. This function thus needs
- * reworking if mbedtls_key_owner_id_t is not defined as a 32-bit integer
- * here anymore.
- */
-typedef int32_t mbedtls_key_owner_id_t;
-
-/** Compare two key owner identifiers.
- *
- * \param id1 First key owner identifier.
- * \param id2 Second key owner identifier.
- *
- * \return Non-zero if the two key owner identifiers are equal, zero otherwise.
- */
-static inline int mbedtls_key_owner_id_equal(mbedtls_key_owner_id_t id1,
- mbedtls_key_owner_id_t id2)
-{
- return id1 == id2;
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-
-/*
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM
- * (Secure Partition Manager) integration which separates the code into two
- * parts: NSPE (Non-Secure Processing Environment) and SPE (Secure Processing
- * Environment). When building for the SPE, an additional header file should be
- * included.
- */
-#if defined(MBEDTLS_PSA_CRYPTO_SPM)
-#define PSA_CRYPTO_SECURE 1
-#include "crypto_spe.h"
-#endif // MBEDTLS_PSA_CRYPTO_SPM
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-/** The type of the context passed to mbedtls_psa_external_get_random().
- *
- * Mbed TLS initializes the context to all-bits-zero before calling
- * mbedtls_psa_external_get_random() for the first time.
- *
- * The definition of this type in the Mbed TLS source code is for
- * demonstration purposes. Implementers of mbedtls_psa_external_get_random()
- * are expected to replace it with a custom definition.
- */
-typedef struct {
- uintptr_t MBEDTLS_PRIVATE(opaque)[2];
-} mbedtls_psa_external_random_context_t;
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
-#endif /* PSA_CRYPTO_PLATFORM_H */
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
deleted file mode 100644
index f39e229..0000000
--- a/include/psa/crypto_se_driver.h
+++ /dev/null
@@ -1,1395 +0,0 @@
-/**
- * \file psa/crypto_se_driver.h
- * \brief PSA external cryptoprocessor driver module
- *
- * This header declares types and function signatures for cryptography
- * drivers that access key material via opaque references.
- * This is meant for cryptoprocessors that have a separate key storage from the
- * space in which the PSA Crypto implementation runs, typically secure
- * elements (SEs).
- *
- * This file is part of the PSA Crypto Driver HAL (hardware abstraction layer),
- * containing functions for driver developers to implement to enable hardware
- * to be called in a standardized way by a PSA Cryptography API
- * implementation. The functions comprising the driver HAL, which driver
- * authors implement, are not intended to be called by application developers.
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef PSA_CRYPTO_SE_DRIVER_H
-#define PSA_CRYPTO_SE_DRIVER_H
-#include "mbedtls/private_access.h"
-
-#include "crypto_driver_common.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** \defgroup se_init Secure element driver initialization
- */
-/**@{*/
-
-/** \brief Driver context structure
- *
- * Driver functions receive a pointer to this structure.
- * Each registered driver has one instance of this structure.
- *
- * Implementations must include the fields specified here and
- * may include other fields.
- */
-typedef struct {
- /** A read-only pointer to the driver's persistent data.
- *
- * Drivers typically use this persistent data to keep track of
- * which slot numbers are available. This is only a guideline:
- * drivers may use the persistent data for any purpose, keeping
- * in mind the restrictions on when the persistent data is saved
- * to storage: the persistent data is only saved after calling
- * certain functions that receive a writable pointer to the
- * persistent data.
- *
- * The core allocates a memory buffer for the persistent data.
- * The pointer is guaranteed to be suitably aligned for any data type,
- * like a pointer returned by `malloc` (but the core can use any
- * method to allocate the buffer, not necessarily `malloc`).
- *
- * The size of this buffer is in the \c persistent_data_size field of
- * this structure.
- *
- * Before the driver is initialized for the first time, the content of
- * the persistent data is all-bits-zero. After a driver upgrade, if the
- * size of the persistent data has increased, the original data is padded
- * on the right with zeros; if the size has decreased, the original data
- * is truncated to the new size.
- *
- * This pointer is to read-only data. Only a few driver functions are
- * allowed to modify the persistent data. These functions receive a
- * writable pointer. These functions are:
- * - psa_drv_se_t::p_init
- * - psa_drv_se_key_management_t::p_allocate
- * - psa_drv_se_key_management_t::p_destroy
- *
- * The PSA Cryptography core saves the persistent data from one
- * session to the next. It does this before returning from API functions
- * that call a driver method that is allowed to modify the persistent
- * data, specifically:
- * - psa_crypto_init() causes a call to psa_drv_se_t::p_init, and may call
- * psa_drv_se_key_management_t::p_destroy to complete an action
- * that was interrupted by a power failure.
- * - Key creation functions cause a call to
- * psa_drv_se_key_management_t::p_allocate, and may cause a call to
- * psa_drv_se_key_management_t::p_destroy in case an error occurs.
- * - psa_destroy_key() causes a call to
- * psa_drv_se_key_management_t::p_destroy.
- */
- const void *const MBEDTLS_PRIVATE(persistent_data);
-
- /** The size of \c persistent_data in bytes.
- *
- * This is always equal to the value of the `persistent_data_size` field
- * of the ::psa_drv_se_t structure when the driver is registered.
- */
- const size_t MBEDTLS_PRIVATE(persistent_data_size);
-
- /** Driver transient data.
- *
- * The core initializes this value to 0 and does not read or modify it
- * afterwards. The driver may store whatever it wants in this field.
- */
- uintptr_t MBEDTLS_PRIVATE(transient_data);
-} psa_drv_se_context_t;
-
-/** \brief A driver initialization function.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] persistent_data A pointer to the persistent data
- * that allows writing.
- * \param location The location value for which this driver
- * is registered. The driver will be invoked
- * for all keys whose lifetime is in this
- * location.
- *
- * \retval #PSA_SUCCESS
- * The driver is operational.
- * The core will update the persistent data in storage.
- * \return
- * Any other return value prevents the driver from being used in
- * this session.
- * The core will NOT update the persistent data in storage.
- */
-typedef psa_status_t (*psa_drv_se_init_t)(psa_drv_se_context_t *drv_context,
- void *persistent_data,
- psa_key_location_t location);
-
-#if defined(__DOXYGEN_ONLY__) || !defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed TLS with secure element support enabled defines this type in
- * crypto_types.h because it is also visible to applications through an
- * implementation-specific extension.
- * For the PSA Cryptography specification, this type is only visible
- * via crypto_se_driver.h. */
-/** An internal designation of a key slot between the core part of the
- * PSA Crypto implementation and the driver. The meaning of this value
- * is driver-dependent. */
-typedef uint64_t psa_key_slot_number_t;
-#endif /* __DOXYGEN_ONLY__ || !MBEDTLS_PSA_CRYPTO_SE_C */
-
-/**@}*/
-
-/** \defgroup se_mac Secure Element Message Authentication Codes
- * Generation and authentication of Message Authentication Codes (MACs) using
- * a secure element can be done either as a single function call (via the
- * `psa_drv_se_mac_generate_t` or `psa_drv_se_mac_verify_t` functions), or in
- * parts using the following sequence:
- * - `psa_drv_se_mac_setup_t`
- * - `psa_drv_se_mac_update_t`
- * - `psa_drv_se_mac_update_t`
- * - ...
- * - `psa_drv_se_mac_finish_t` or `psa_drv_se_mac_finish_verify_t`
- *
- * If a previously started secure element MAC operation needs to be terminated,
- * it should be done so by the `psa_drv_se_mac_abort_t`. Failure to do so may
- * result in allocated resources not being freed or in other undefined
- * behavior.
- */
-/**@{*/
-/** \brief A function that starts a secure element MAC operation for a PSA
- * Crypto Driver implementation
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] op_context A structure that will contain the
- * hardware-specific MAC context
- * \param[in] key_slot The slot of the key to be used for the
- * operation
- * \param[in] algorithm The algorithm to be used to underly the MAC
- * operation
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_mac_setup_t)(psa_drv_se_context_t *drv_context,
- void *op_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t algorithm);
-
-/** \brief A function that continues a previously started secure element MAC
- * operation
- *
- * \param[in,out] op_context A hardware-specific structure for the
- * previously-established MAC operation to be
- * updated
- * \param[in] p_input A buffer containing the message to be appended
- * to the MAC operation
- * \param[in] input_length The size in bytes of the input message buffer
- */
-typedef psa_status_t (*psa_drv_se_mac_update_t)(void *op_context,
- const uint8_t *p_input,
- size_t input_length);
-
-/** \brief a function that completes a previously started secure element MAC
- * operation by returning the resulting MAC.
- *
- * \param[in,out] op_context A hardware-specific structure for the
- * previously started MAC operation to be
- * finished
- * \param[out] p_mac A buffer where the generated MAC will be
- * placed
- * \param[in] mac_size The size in bytes of the buffer that has been
- * allocated for the `output` buffer
- * \param[out] p_mac_length After completion, will contain the number of
- * bytes placed in the `p_mac` buffer
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_mac_finish_t)(void *op_context,
- uint8_t *p_mac,
- size_t mac_size,
- size_t *p_mac_length);
-
-/** \brief A function that completes a previously started secure element MAC
- * operation by comparing the resulting MAC against a provided value
- *
- * \param[in,out] op_context A hardware-specific structure for the previously
- * started MAC operation to be finished
- * \param[in] p_mac The MAC value against which the resulting MAC
- * will be compared against
- * \param[in] mac_length The size in bytes of the value stored in `p_mac`
- *
- * \retval #PSA_SUCCESS
- * The operation completed successfully and the MACs matched each
- * other
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The operation completed successfully, but the calculated MAC did
- * not match the provided MAC
- */
-typedef psa_status_t (*psa_drv_se_mac_finish_verify_t)(void *op_context,
- const uint8_t *p_mac,
- size_t mac_length);
-
-/** \brief A function that aborts a previous started secure element MAC
- * operation
- *
- * \param[in,out] op_context A hardware-specific structure for the previously
- * started MAC operation to be aborted
- */
-typedef psa_status_t (*psa_drv_se_mac_abort_t)(void *op_context);
-
-/** \brief A function that performs a secure element MAC operation in one
- * command and returns the calculated MAC
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] p_input A buffer containing the message to be MACed
- * \param[in] input_length The size in bytes of `p_input`
- * \param[in] key_slot The slot of the key to be used
- * \param[in] alg The algorithm to be used to underlie the MAC
- * operation
- * \param[out] p_mac A buffer where the generated MAC will be
- * placed
- * \param[in] mac_size The size in bytes of the `p_mac` buffer
- * \param[out] p_mac_length After completion, will contain the number of
- * bytes placed in the `output` buffer
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_mac_generate_t)(psa_drv_se_context_t *drv_context,
- const uint8_t *p_input,
- size_t input_length,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- uint8_t *p_mac,
- size_t mac_size,
- size_t *p_mac_length);
-
-/** \brief A function that performs a secure element MAC operation in one
- * command and compares the resulting MAC against a provided value
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] p_input A buffer containing the message to be MACed
- * \param[in] input_length The size in bytes of `input`
- * \param[in] key_slot The slot of the key to be used
- * \param[in] alg The algorithm to be used to underlie the MAC
- * operation
- * \param[in] p_mac The MAC value against which the resulting MAC will
- * be compared against
- * \param[in] mac_length The size in bytes of `mac`
- *
- * \retval #PSA_SUCCESS
- * The operation completed successfully and the MACs matched each
- * other
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The operation completed successfully, but the calculated MAC did
- * not match the provided MAC
- */
-typedef psa_status_t (*psa_drv_se_mac_verify_t)(psa_drv_se_context_t *drv_context,
- const uint8_t *p_input,
- size_t input_length,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_mac,
- size_t mac_length);
-
-/** \brief A struct containing all of the function pointers needed to
- * perform secure element MAC operations
- *
- * PSA Crypto API implementations should populate the table as appropriate
- * upon startup.
- *
- * If one of the functions is not implemented (such as
- * `psa_drv_se_mac_generate_t`), it should be set to NULL.
- *
- * Driver implementers should ensure that they implement all of the functions
- * that make sense for their hardware, and that they provide a full solution
- * (for example, if they support `p_setup`, they should also support
- * `p_update` and at least one of `p_finish` or `p_finish_verify`).
- *
- */
-typedef struct {
- /**The size in bytes of the hardware-specific secure element MAC context
- * structure
- */
- size_t MBEDTLS_PRIVATE(context_size);
- /** Function that performs a MAC setup operation
- */
- psa_drv_se_mac_setup_t MBEDTLS_PRIVATE(p_setup);
- /** Function that performs a MAC update operation
- */
- psa_drv_se_mac_update_t MBEDTLS_PRIVATE(p_update);
- /** Function that completes a MAC operation
- */
- psa_drv_se_mac_finish_t MBEDTLS_PRIVATE(p_finish);
- /** Function that completes a MAC operation with a verify check
- */
- psa_drv_se_mac_finish_verify_t MBEDTLS_PRIVATE(p_finish_verify);
- /** Function that aborts a previously started MAC operation
- */
- psa_drv_se_mac_abort_t MBEDTLS_PRIVATE(p_abort);
- /** Function that performs a MAC operation in one call
- */
- psa_drv_se_mac_generate_t MBEDTLS_PRIVATE(p_mac);
- /** Function that performs a MAC and verify operation in one call
- */
- psa_drv_se_mac_verify_t MBEDTLS_PRIVATE(p_mac_verify);
-} psa_drv_se_mac_t;
-/**@}*/
-
-/** \defgroup se_cipher Secure Element Symmetric Ciphers
- *
- * Encryption and Decryption using secure element keys in block modes other
- * than ECB must be done in multiple parts, using the following flow:
- * - `psa_drv_se_cipher_setup_t`
- * - `psa_drv_se_cipher_set_iv_t` (optional depending upon block mode)
- * - `psa_drv_se_cipher_update_t`
- * - `psa_drv_se_cipher_update_t`
- * - ...
- * - `psa_drv_se_cipher_finish_t`
- *
- * If a previously started secure element Cipher operation needs to be
- * terminated, it should be done so by the `psa_drv_se_cipher_abort_t`. Failure
- * to do so may result in allocated resources not being freed or in other
- * undefined behavior.
- *
- * In situations where a PSA Cryptographic API implementation is using a block
- * mode not-supported by the underlying hardware or driver, it can construct
- * the block mode itself, while calling the `psa_drv_se_cipher_ecb_t` function
- * for the cipher operations.
- */
-/**@{*/
-
-/** \brief A function that provides the cipher setup function for a
- * secure element driver
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] op_context A structure that will contain the
- * hardware-specific cipher context.
- * \param[in] key_slot The slot of the key to be used for the
- * operation
- * \param[in] algorithm The algorithm to be used in the cipher
- * operation
- * \param[in] direction Indicates whether the operation is an encrypt
- * or decrypt
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context,
- void *op_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t algorithm,
- psa_encrypt_or_decrypt_t direction);
-
-/** \brief A function that sets the initialization vector (if
- * necessary) for a secure element cipher operation
- *
- * Rationale: The `psa_se_cipher_*` operation in the PSA Cryptographic API has
- * two IV functions: one to set the IV, and one to generate it internally. The
- * generate function is not necessary for the drivers to implement as the PSA
- * Crypto implementation can do the generation using its RNG features.
- *
- * \param[in,out] op_context A structure that contains the previously set up
- * hardware-specific cipher context
- * \param[in] p_iv A buffer containing the initialization vector
- * \param[in] iv_length The size (in bytes) of the `p_iv` buffer
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context,
- const uint8_t *p_iv,
- size_t iv_length);
-
-/** \brief A function that continues a previously started secure element cipher
- * operation
- *
- * \param[in,out] op_context A hardware-specific structure for the
- * previously started cipher operation
- * \param[in] p_input A buffer containing the data to be
- * encrypted/decrypted
- * \param[in] input_size The size in bytes of the buffer pointed to
- * by `p_input`
- * \param[out] p_output The caller-allocated buffer where the
- * output will be placed
- * \param[in] output_size The allocated size in bytes of the
- * `p_output` buffer
- * \param[out] p_output_length After completion, will contain the number
- * of bytes placed in the `p_output` buffer
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context,
- const uint8_t *p_input,
- size_t input_size,
- uint8_t *p_output,
- size_t output_size,
- size_t *p_output_length);
-
-/** \brief A function that completes a previously started secure element cipher
- * operation
- *
- * \param[in,out] op_context A hardware-specific structure for the
- * previously started cipher operation
- * \param[out] p_output The caller-allocated buffer where the output
- * will be placed
- * \param[in] output_size The allocated size in bytes of the `p_output`
- * buffer
- * \param[out] p_output_length After completion, will contain the number of
- * bytes placed in the `p_output` buffer
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context,
- uint8_t *p_output,
- size_t output_size,
- size_t *p_output_length);
-
-/** \brief A function that aborts a previously started secure element cipher
- * operation
- *
- * \param[in,out] op_context A hardware-specific structure for the
- * previously started cipher operation
- */
-typedef psa_status_t (*psa_drv_se_cipher_abort_t)(void *op_context);
-
-/** \brief A function that performs the ECB block mode for secure element
- * cipher operations
- *
- * Note: this function should only be used with implementations that do not
- * provide a needed higher-level operation.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot The slot of the key to be used for the operation
- * \param[in] algorithm The algorithm to be used in the cipher operation
- * \param[in] direction Indicates whether the operation is an encrypt or
- * decrypt
- * \param[in] p_input A buffer containing the data to be
- * encrypted/decrypted
- * \param[in] input_size The size in bytes of the buffer pointed to by
- * `p_input`
- * \param[out] p_output The caller-allocated buffer where the output
- * will be placed
- * \param[in] output_size The allocated size in bytes of the `p_output`
- * buffer
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t algorithm,
- psa_encrypt_or_decrypt_t direction,
- const uint8_t *p_input,
- size_t input_size,
- uint8_t *p_output,
- size_t output_size);
-
-/**
- * \brief A struct containing all of the function pointers needed to implement
- * cipher operations using secure elements.
- *
- * PSA Crypto API implementations should populate instances of the table as
- * appropriate upon startup or at build time.
- *
- * If one of the functions is not implemented (such as
- * `psa_drv_se_cipher_ecb_t`), it should be set to NULL.
- */
-typedef struct {
- /** The size in bytes of the hardware-specific secure element cipher
- * context structure
- */
- size_t MBEDTLS_PRIVATE(context_size);
- /** Function that performs a cipher setup operation */
- psa_drv_se_cipher_setup_t MBEDTLS_PRIVATE(p_setup);
- /** Function that sets a cipher IV (if necessary) */
- psa_drv_se_cipher_set_iv_t MBEDTLS_PRIVATE(p_set_iv);
- /** Function that performs a cipher update operation */
- psa_drv_se_cipher_update_t MBEDTLS_PRIVATE(p_update);
- /** Function that completes a cipher operation */
- psa_drv_se_cipher_finish_t MBEDTLS_PRIVATE(p_finish);
- /** Function that aborts a cipher operation */
- psa_drv_se_cipher_abort_t MBEDTLS_PRIVATE(p_abort);
- /** Function that performs ECB mode for a cipher operation
- * (Danger: ECB mode should not be used directly by clients of the PSA
- * Crypto Client API)
- */
- psa_drv_se_cipher_ecb_t MBEDTLS_PRIVATE(p_ecb);
-} psa_drv_se_cipher_t;
-
-/**@}*/
-
-/** \defgroup se_asymmetric Secure Element Asymmetric Cryptography
- *
- * Since the amount of data that can (or should) be encrypted or signed using
- * asymmetric keys is limited by the key size, asymmetric key operations using
- * keys in a secure element must be done in single function calls.
- */
-/**@{*/
-
-/**
- * \brief A function that signs a hash or short message with a private key in
- * a secure element
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Key slot of an asymmetric key pair
- * \param[in] alg A signature algorithm that is compatible
- * with the type of `key`
- * \param[in] p_hash The hash to sign
- * \param[in] hash_length Size of the `p_hash` buffer in bytes
- * \param[out] p_signature Buffer where the signature is to be written
- * \param[in] signature_size Size of the `p_signature` buffer in bytes
- * \param[out] p_signature_length On success, the number of bytes
- * that make up the returned signature value
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_asymmetric_sign_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_hash,
- size_t hash_length,
- uint8_t *p_signature,
- size_t signature_size,
- size_t *p_signature_length);
-
-/**
- * \brief A function that verifies the signature a hash or short message using
- * an asymmetric public key in a secure element
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Key slot of a public key or an asymmetric key
- * pair
- * \param[in] alg A signature algorithm that is compatible with
- * the type of `key`
- * \param[in] p_hash The hash whose signature is to be verified
- * \param[in] hash_length Size of the `p_hash` buffer in bytes
- * \param[in] p_signature Buffer containing the signature to verify
- * \param[in] signature_length Size of the `p_signature` buffer in bytes
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- */
-typedef psa_status_t (*psa_drv_se_asymmetric_verify_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_hash,
- size_t hash_length,
- const uint8_t *p_signature,
- size_t signature_length);
-
-/**
- * \brief A function that encrypts a short message with an asymmetric public
- * key in a secure element
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Key slot of a public key or an asymmetric key
- * pair
- * \param[in] alg An asymmetric encryption algorithm that is
- * compatible with the type of `key`
- * \param[in] p_input The message to encrypt
- * \param[in] input_length Size of the `p_input` buffer in bytes
- * \param[in] p_salt A salt or label, if supported by the
- * encryption algorithm
- * If the algorithm does not support a
- * salt, pass `NULL`.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass `NULL`.
- * For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param[in] salt_length Size of the `p_salt` buffer in bytes
- * If `p_salt` is `NULL`, pass 0.
- * \param[out] p_output Buffer where the encrypted message is to
- * be written
- * \param[in] output_size Size of the `p_output` buffer in bytes
- * \param[out] p_output_length On success, the number of bytes that make up
- * the returned output
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_asymmetric_encrypt_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_input,
- size_t input_length,
- const uint8_t *p_salt,
- size_t salt_length,
- uint8_t *p_output,
- size_t output_size,
- size_t *p_output_length);
-
-/**
- * \brief A function that decrypts a short message with an asymmetric private
- * key in a secure element.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Key slot of an asymmetric key pair
- * \param[in] alg An asymmetric encryption algorithm that is
- * compatible with the type of `key`
- * \param[in] p_input The message to decrypt
- * \param[in] input_length Size of the `p_input` buffer in bytes
- * \param[in] p_salt A salt or label, if supported by the
- * encryption algorithm
- * If the algorithm does not support a
- * salt, pass `NULL`.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass `NULL`.
- * For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param[in] salt_length Size of the `p_salt` buffer in bytes
- * If `p_salt` is `NULL`, pass 0.
- * \param[out] p_output Buffer where the decrypted message is to
- * be written
- * \param[in] output_size Size of the `p_output` buffer in bytes
- * \param[out] p_output_length On success, the number of bytes
- * that make up the returned output
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_asymmetric_decrypt_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_input,
- size_t input_length,
- const uint8_t *p_salt,
- size_t salt_length,
- uint8_t *p_output,
- size_t output_size,
- size_t *p_output_length);
-
-/**
- * \brief A struct containing all of the function pointers needed to implement
- * asymmetric cryptographic operations using secure elements.
- *
- * PSA Crypto API implementations should populate instances of the table as
- * appropriate upon startup or at build time.
- *
- * If one of the functions is not implemented, it should be set to NULL.
- */
-typedef struct {
- /** Function that performs an asymmetric sign operation */
- psa_drv_se_asymmetric_sign_t MBEDTLS_PRIVATE(p_sign);
- /** Function that performs an asymmetric verify operation */
- psa_drv_se_asymmetric_verify_t MBEDTLS_PRIVATE(p_verify);
- /** Function that performs an asymmetric encrypt operation */
- psa_drv_se_asymmetric_encrypt_t MBEDTLS_PRIVATE(p_encrypt);
- /** Function that performs an asymmetric decrypt operation */
- psa_drv_se_asymmetric_decrypt_t MBEDTLS_PRIVATE(p_decrypt);
-} psa_drv_se_asymmetric_t;
-
-/**@}*/
-
-/** \defgroup se_aead Secure Element Authenticated Encryption with Additional Data
- * Authenticated Encryption with Additional Data (AEAD) operations with secure
- * elements must be done in one function call. While this creates a burden for
- * implementers as there must be sufficient space in memory for the entire
- * message, it prevents decrypted data from being made available before the
- * authentication operation is complete and the data is known to be authentic.
- */
-/**@{*/
-
-/** \brief A function that performs a secure element authenticated encryption
- * operation
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Slot containing the key to use.
- * \param[in] algorithm The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(`alg`) is true)
- * \param[in] p_nonce Nonce or IV to use
- * \param[in] nonce_length Size of the `p_nonce` buffer in bytes
- * \param[in] p_additional_data Additional data that will be
- * authenticated but not encrypted
- * \param[in] additional_data_length Size of `p_additional_data` in bytes
- * \param[in] p_plaintext Data that will be authenticated and
- * encrypted
- * \param[in] plaintext_length Size of `p_plaintext` in bytes
- * \param[out] p_ciphertext Output buffer for the authenticated and
- * encrypted data. The additional data is
- * not part of this output. For algorithms
- * where the encrypted data and the
- * authentication tag are defined as
- * separate outputs, the authentication
- * tag is appended to the encrypted data.
- * \param[in] ciphertext_size Size of the `p_ciphertext` buffer in
- * bytes
- * \param[out] p_ciphertext_length On success, the size of the output in
- * the `p_ciphertext` buffer
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_aead_encrypt_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t algorithm,
- const uint8_t *p_nonce,
- size_t nonce_length,
- const uint8_t *p_additional_data,
- size_t additional_data_length,
- const uint8_t *p_plaintext,
- size_t plaintext_length,
- uint8_t *p_ciphertext,
- size_t ciphertext_size,
- size_t *p_ciphertext_length);
-
-/** A function that performs a secure element authenticated decryption operation
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key_slot Slot containing the key to use
- * \param[in] algorithm The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(`alg`) is true)
- * \param[in] p_nonce Nonce or IV to use
- * \param[in] nonce_length Size of the `p_nonce` buffer in bytes
- * \param[in] p_additional_data Additional data that has been
- * authenticated but not encrypted
- * \param[in] additional_data_length Size of `p_additional_data` in bytes
- * \param[in] p_ciphertext Data that has been authenticated and
- * encrypted.
- * For algorithms where the encrypted data
- * and the authentication tag are defined
- * as separate inputs, the buffer must
- * contain the encrypted data followed by
- * the authentication tag.
- * \param[in] ciphertext_length Size of `p_ciphertext` in bytes
- * \param[out] p_plaintext Output buffer for the decrypted data
- * \param[in] plaintext_size Size of the `p_plaintext` buffer in
- * bytes
- * \param[out] p_plaintext_length On success, the size of the output in
- * the `p_plaintext` buffer
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_aead_decrypt_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t algorithm,
- const uint8_t *p_nonce,
- size_t nonce_length,
- const uint8_t *p_additional_data,
- size_t additional_data_length,
- const uint8_t *p_ciphertext,
- size_t ciphertext_length,
- uint8_t *p_plaintext,
- size_t plaintext_size,
- size_t *p_plaintext_length);
-
-/**
- * \brief A struct containing all of the function pointers needed to implement
- * secure element Authenticated Encryption with Additional Data operations
- *
- * PSA Crypto API implementations should populate instances of the table as
- * appropriate upon startup.
- *
- * If one of the functions is not implemented, it should be set to NULL.
- */
-typedef struct {
- /** Function that performs the AEAD encrypt operation */
- psa_drv_se_aead_encrypt_t MBEDTLS_PRIVATE(p_encrypt);
- /** Function that performs the AEAD decrypt operation */
- psa_drv_se_aead_decrypt_t MBEDTLS_PRIVATE(p_decrypt);
-} psa_drv_se_aead_t;
-/**@}*/
-
-/** \defgroup se_key_management Secure Element Key Management
- * Currently, key management is limited to importing keys in the clear,
- * destroying keys, and exporting keys in the clear.
- * Whether a key may be exported is determined by the key policies in place
- * on the key slot.
- */
-/**@{*/
-
-/** An enumeration indicating how a key is created.
- */
-typedef enum {
- PSA_KEY_CREATION_IMPORT, /**< During psa_import_key() */
- PSA_KEY_CREATION_GENERATE, /**< During psa_generate_key() */
- PSA_KEY_CREATION_DERIVE, /**< During psa_key_derivation_output_key() */
- PSA_KEY_CREATION_COPY, /**< During psa_copy_key() */
-
-#ifndef __DOXYGEN_ONLY__
- /** A key is being registered with mbedtls_psa_register_se_key().
- *
- * The core only passes this value to
- * psa_drv_se_key_management_t::p_validate_slot_number, not to
- * psa_drv_se_key_management_t::p_allocate. The call to
- * `p_validate_slot_number` is not followed by any other call to the
- * driver: the key is considered successfully registered if the call to
- * `p_validate_slot_number` succeeds, or if `p_validate_slot_number` is
- * null.
- *
- * With this creation method, the driver must return #PSA_SUCCESS if
- * the given attributes are compatible with the existing key in the slot,
- * and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
- * is no key with the specified slot number.
- *
- * This is an Mbed TLS extension.
- */
- PSA_KEY_CREATION_REGISTER,
-#endif
-} psa_key_creation_method_t;
-
-/** \brief A function that allocates a slot for a key.
- *
- * To create a key in a specific slot in a secure element, the core
- * first calls this function to determine a valid slot number,
- * then calls a function to create the key material in that slot.
- * In nominal conditions (that is, if no error occurs),
- * the effect of a call to a key creation function in the PSA Cryptography
- * API with a lifetime that places the key in a secure element is the
- * following:
- * -# The core calls psa_drv_se_key_management_t::p_allocate
- * (or in some implementations
- * psa_drv_se_key_management_t::p_validate_slot_number). The driver
- * selects (or validates) a suitable slot number given the key attributes
- * and the state of the secure element.
- * -# The core calls a key creation function in the driver.
- *
- * The key creation functions in the PSA Cryptography API are:
- * - psa_import_key(), which causes
- * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_IMPORT
- * then a call to psa_drv_se_key_management_t::p_import.
- * - psa_generate_key(), which causes
- * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_GENERATE
- * then a call to psa_drv_se_key_management_t::p_import.
- * - psa_key_derivation_output_key(), which causes
- * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_DERIVE
- * then a call to psa_drv_se_key_derivation_t::p_derive.
- * - psa_copy_key(), which causes
- * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_COPY
- * then a call to psa_drv_se_key_management_t::p_export.
- *
- * In case of errors, other behaviors are possible.
- * - If the PSA Cryptography subsystem dies after the first step,
- * for example because the device has lost power abruptly,
- * the second step may never happen, or may happen after a reset
- * and re-initialization. Alternatively, after a reset and
- * re-initialization, the core may call
- * psa_drv_se_key_management_t::p_destroy on the slot number that
- * was allocated (or validated) instead of calling a key creation function.
- * - If an error occurs, the core may call
- * psa_drv_se_key_management_t::p_destroy on the slot number that
- * was allocated (or validated) instead of calling a key creation function.
- *
- * Errors and system resets also have an impact on the driver's persistent
- * data. If a reset happens before the overall key creation process is
- * completed (before or after the second step above), it is unspecified
- * whether the persistent data after the reset is identical to what it
- * was before or after the call to `p_allocate` (or `p_validate_slot_number`).
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] persistent_data A pointer to the persistent data
- * that allows writing.
- * \param[in] attributes Attributes of the key.
- * \param method The way in which the key is being created.
- * \param[out] key_slot Slot where the key will be stored.
- * This must be a valid slot for a key of the
- * chosen type. It must be unoccupied.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * The core will record \c *key_slot as the key slot where the key
- * is stored and will update the persistent data in storage.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_allocate_key_t)(
- psa_drv_se_context_t *drv_context,
- void *persistent_data,
- const psa_key_attributes_t *attributes,
- psa_key_creation_method_t method,
- psa_key_slot_number_t *key_slot);
-
-/** \brief A function that determines whether a slot number is valid
- * for a key.
- *
- * To create a key in a specific slot in a secure element, the core
- * first calls this function to validate the choice of slot number,
- * then calls a function to create the key material in that slot.
- * See the documentation of #psa_drv_se_allocate_key_t for more details.
- *
- * As of the PSA Cryptography API specification version 1.0, there is no way
- * for applications to trigger a call to this function. However some
- * implementations offer the capability to create or declare a key in
- * a specific slot via implementation-specific means, generally for the
- * sake of initial device provisioning or onboarding. Such a mechanism may
- * be added to a future version of the PSA Cryptography API specification.
- *
- * This function may update the driver's persistent data through
- * \p persistent_data. The core will save the updated persistent data at the
- * end of the key creation process. See the description of
- * ::psa_drv_se_allocate_key_t for more information.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] persistent_data A pointer to the persistent data
- * that allows writing.
- * \param[in] attributes Attributes of the key.
- * \param method The way in which the key is being created.
- * \param[in] key_slot Slot where the key is to be stored.
- *
- * \retval #PSA_SUCCESS
- * The given slot number is valid for a key with the given
- * attributes.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The given slot number is not valid for a key with the
- * given attributes. This includes the case where the slot
- * number is not valid at all.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * There is already a key with the specified slot number.
- * Drivers may choose to return this error from the key
- * creation function instead.
- */
-typedef psa_status_t (*psa_drv_se_validate_slot_number_t)(
- psa_drv_se_context_t *drv_context,
- void *persistent_data,
- const psa_key_attributes_t *attributes,
- psa_key_creation_method_t method,
- psa_key_slot_number_t key_slot);
-
-/** \brief A function that imports a key into a secure element in binary format
- *
- * This function can support any output from psa_export_key(). Refer to the
- * documentation of psa_export_key() for the format for each key type.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param key_slot Slot where the key will be stored.
- * This must be a valid slot for a key of the
- * chosen type. It must be unoccupied.
- * \param[in] attributes The key attributes, including the lifetime,
- * the key type and the usage policy.
- * Drivers should not access the key size stored
- * in the attributes: it may not match the
- * data passed in \p data.
- * Drivers can call psa_get_key_lifetime(),
- * psa_get_key_type(),
- * psa_get_key_usage_flags() and
- * psa_get_key_algorithm() to access this
- * information.
- * \param[in] data Buffer containing the key data.
- * \param[in] data_length Size of the \p data buffer in bytes.
- * \param[out] bits On success, the key size in bits. The driver
- * must determine this value after parsing the
- * key according to the key type.
- * This value is not used if the function fails.
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-typedef psa_status_t (*psa_drv_se_import_key_t)(
- psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- const psa_key_attributes_t *attributes,
- const uint8_t *data,
- size_t data_length,
- size_t *bits);
-
-/**
- * \brief A function that destroys a secure element key and restore the slot to
- * its default state
- *
- * This function destroys the content of the key from a secure element.
- * Implementations shall make a best effort to ensure that any previous content
- * of the slot is unrecoverable.
- *
- * This function returns the specified slot to its default state.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] persistent_data A pointer to the persistent data
- * that allows writing.
- * \param key_slot The key slot to erase.
- *
- * \retval #PSA_SUCCESS
- * The slot's content, if any, has been erased.
- */
-typedef psa_status_t (*psa_drv_se_destroy_key_t)(
- psa_drv_se_context_t *drv_context,
- void *persistent_data,
- psa_key_slot_number_t key_slot);
-
-/**
- * \brief A function that exports a secure element key in binary format
- *
- * The output of this function can be passed to psa_import_key() to
- * create an equivalent object.
- *
- * If a key is created with `psa_import_key()` and then exported with
- * this function, it is not guaranteed that the resulting data is
- * identical: the implementation may choose a different representation
- * of the same key if the format permits it.
- *
- * This function should generate output in the same format that
- * `psa_export_key()` does. Refer to the
- * documentation of `psa_export_key()` for the format for each key type.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in] key Slot whose content is to be exported. This must
- * be an occupied key slot.
- * \param[out] p_data Buffer where the key data is to be written.
- * \param[in] data_size Size of the `p_data` buffer in bytes.
- * \param[out] p_data_length On success, the number of bytes
- * that make up the key data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_export_key_t)(psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key,
- uint8_t *p_data,
- size_t data_size,
- size_t *p_data_length);
-
-/**
- * \brief A function that generates a symmetric or asymmetric key on a secure
- * element
- *
- * If the key type \c type recorded in \p attributes
- * is asymmetric (#PSA_KEY_TYPE_IS_ASYMMETRIC(\c type) = 1),
- * the driver may export the public key at the time of generation,
- * in the format documented for psa_export_public_key() by writing it
- * to the \p pubkey buffer.
- * This is optional, intended for secure elements that output the
- * public key at generation time and that cannot export the public key
- * later. Drivers that do not need this feature should leave
- * \p *pubkey_length set to 0 and should
- * implement the psa_drv_key_management_t::p_export_public function.
- * Some implementations do not support this feature, in which case
- * \p pubkey is \c NULL and \p pubkey_size is 0.
- *
- * \param[in,out] drv_context The driver context structure.
- * \param key_slot Slot where the key will be stored.
- * This must be a valid slot for a key of the
- * chosen type. It must be unoccupied.
- * \param[in] attributes The key attributes, including the lifetime,
- * the key type and size, and the usage policy.
- * Drivers can call psa_get_key_lifetime(),
- * psa_get_key_type(), psa_get_key_bits(),
- * psa_get_key_usage_flags() and
- * psa_get_key_algorithm() to access this
- * information.
- * \param[out] pubkey A buffer where the driver can write the
- * public key, when generating an asymmetric
- * key pair.
- * This is \c NULL when generating a symmetric
- * key or if the core does not support
- * exporting the public key at generation time.
- * \param pubkey_size The size of the `pubkey` buffer in bytes.
- * This is 0 when generating a symmetric
- * key or if the core does not support
- * exporting the public key at generation time.
- * \param[out] pubkey_length On entry, this is always 0.
- * On success, the number of bytes written to
- * \p pubkey. If this is 0 or unchanged on return,
- * the core will not read the \p pubkey buffer,
- * and will instead call the driver's
- * psa_drv_key_management_t::p_export_public
- * function to export the public key when needed.
- */
-typedef psa_status_t (*psa_drv_se_generate_key_t)(
- psa_drv_se_context_t *drv_context,
- psa_key_slot_number_t key_slot,
- const psa_key_attributes_t *attributes,
- uint8_t *pubkey, size_t pubkey_size, size_t *pubkey_length);
-
-/**
- * \brief A struct containing all of the function pointers needed to for secure
- * element key management
- *
- * PSA Crypto API implementations should populate instances of the table as
- * appropriate upon startup or at build time.
- *
- * If one of the functions is not implemented, it should be set to NULL.
- */
-typedef struct {
- /** Function that allocates a slot for a key. */
- psa_drv_se_allocate_key_t MBEDTLS_PRIVATE(p_allocate);
- /** Function that checks the validity of a slot for a key. */
- psa_drv_se_validate_slot_number_t MBEDTLS_PRIVATE(p_validate_slot_number);
- /** Function that performs a key import operation */
- psa_drv_se_import_key_t MBEDTLS_PRIVATE(p_import);
- /** Function that performs a generation */
- psa_drv_se_generate_key_t MBEDTLS_PRIVATE(p_generate);
- /** Function that performs a key destroy operation */
- psa_drv_se_destroy_key_t MBEDTLS_PRIVATE(p_destroy);
- /** Function that performs a key export operation */
- psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export);
- /** Function that performs a public key export operation */
- psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export_public);
-} psa_drv_se_key_management_t;
-
-/**@}*/
-
-/** \defgroup driver_derivation Secure Element Key Derivation and Agreement
- * Key derivation is the process of generating new key material using an
- * existing key and additional parameters, iterating through a basic
- * cryptographic function, such as a hash.
- * Key agreement is a part of cryptographic protocols that allows two parties
- * to agree on the same key value, but starting from different original key
- * material.
- * The flows are similar, and the PSA Crypto Driver Model uses the same functions
- * for both of the flows.
- *
- * There are two different final functions for the flows,
- * `psa_drv_se_key_derivation_derive` and `psa_drv_se_key_derivation_export`.
- * `psa_drv_se_key_derivation_derive` is used when the key material should be
- * placed in a slot on the hardware and not exposed to the caller.
- * `psa_drv_se_key_derivation_export` is used when the key material should be
- * returned to the PSA Cryptographic API implementation.
- *
- * Different key derivation algorithms require a different number of inputs.
- * Instead of having an API that takes as input variable length arrays, which
- * can be problematic to manage on embedded platforms, the inputs are passed
- * to the driver via a function, `psa_drv_se_key_derivation_collateral`, that
- * is called multiple times with different `collateral_id`s. Thus, for a key
- * derivation algorithm that required 3 parameter inputs, the flow would look
- * something like:
- * ~~~~~~~~~~~~~{.c}
- * psa_drv_se_key_derivation_setup(kdf_algorithm, source_key, dest_key_size_bytes);
- * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_0,
- * p_collateral_0,
- * collateral_0_size);
- * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_1,
- * p_collateral_1,
- * collateral_1_size);
- * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_2,
- * p_collateral_2,
- * collateral_2_size);
- * psa_drv_se_key_derivation_derive();
- * ~~~~~~~~~~~~~
- *
- * key agreement example:
- * ~~~~~~~~~~~~~{.c}
- * psa_drv_se_key_derivation_setup(alg, source_key. dest_key_size_bytes);
- * psa_drv_se_key_derivation_collateral(DHE_PUBKEY, p_pubkey, pubkey_size);
- * psa_drv_se_key_derivation_export(p_session_key,
- * session_key_size,
- * &session_key_length);
- * ~~~~~~~~~~~~~
- */
-/**@{*/
-
-/** \brief A function that Sets up a secure element key derivation operation by
- * specifying the algorithm and the source key sot
- *
- * \param[in,out] drv_context The driver context structure.
- * \param[in,out] op_context A hardware-specific structure containing any
- * context information for the implementation
- * \param[in] kdf_alg The algorithm to be used for the key derivation
- * \param[in] source_key The key to be used as the source material for
- * the key derivation
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_key_derivation_setup_t)(psa_drv_se_context_t *drv_context,
- void *op_context,
- psa_algorithm_t kdf_alg,
- psa_key_slot_number_t source_key);
-
-/** \brief A function that provides collateral (parameters) needed for a secure
- * element key derivation or key agreement operation
- *
- * Since many key derivation algorithms require multiple parameters, it is
- * expected that this function may be called multiple times for the same
- * operation, each with a different algorithm-specific `collateral_id`
- *
- * \param[in,out] op_context A hardware-specific structure containing any
- * context information for the implementation
- * \param[in] collateral_id An ID for the collateral being provided
- * \param[in] p_collateral A buffer containing the collateral data
- * \param[in] collateral_size The size in bytes of the collateral
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_key_derivation_collateral_t)(void *op_context,
- uint32_t collateral_id,
- const uint8_t *p_collateral,
- size_t collateral_size);
-
-/** \brief A function that performs the final secure element key derivation
- * step and place the generated key material in a slot
- *
- * \param[in,out] op_context A hardware-specific structure containing any
- * context information for the implementation
- * \param[in] dest_key The slot where the generated key material
- * should be placed
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_key_derivation_derive_t)(void *op_context,
- psa_key_slot_number_t dest_key);
-
-/** \brief A function that performs the final step of a secure element key
- * agreement and place the generated key material in a buffer
- *
- * \param[out] p_output Buffer in which to place the generated key
- * material
- * \param[in] output_size The size in bytes of `p_output`
- * \param[out] p_output_length Upon success, contains the number of bytes of
- * key material placed in `p_output`
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-typedef psa_status_t (*psa_drv_se_key_derivation_export_t)(void *op_context,
- uint8_t *p_output,
- size_t output_size,
- size_t *p_output_length);
-
-/**
- * \brief A struct containing all of the function pointers needed to for secure
- * element key derivation and agreement
- *
- * PSA Crypto API implementations should populate instances of the table as
- * appropriate upon startup.
- *
- * If one of the functions is not implemented, it should be set to NULL.
- */
-typedef struct {
- /** The driver-specific size of the key derivation context */
- size_t MBEDTLS_PRIVATE(context_size);
- /** Function that performs a key derivation setup */
- psa_drv_se_key_derivation_setup_t MBEDTLS_PRIVATE(p_setup);
- /** Function that sets key derivation collateral */
- psa_drv_se_key_derivation_collateral_t MBEDTLS_PRIVATE(p_collateral);
- /** Function that performs a final key derivation step */
- psa_drv_se_key_derivation_derive_t MBEDTLS_PRIVATE(p_derive);
- /** Function that performs a final key derivation or agreement and
- * exports the key */
- psa_drv_se_key_derivation_export_t MBEDTLS_PRIVATE(p_export);
-} psa_drv_se_key_derivation_t;
-
-/**@}*/
-
-/** \defgroup se_registration Secure element driver registration
- */
-/**@{*/
-
-/** A structure containing pointers to all the entry points of a
- * secure element driver.
- *
- * Future versions of this specification may add extra substructures at
- * the end of this structure.
- */
-typedef struct {
- /** The version of the driver HAL that this driver implements.
- * This is a protection against loading driver binaries built against
- * a different version of this specification.
- * Use #PSA_DRV_SE_HAL_VERSION.
- */
- uint32_t MBEDTLS_PRIVATE(hal_version);
-
- /** The size of the driver's persistent data in bytes.
- *
- * This can be 0 if the driver does not need persistent data.
- *
- * See the documentation of psa_drv_se_context_t::persistent_data
- * for more information about why and how a driver can use
- * persistent data.
- */
- size_t MBEDTLS_PRIVATE(persistent_data_size);
-
- /** The driver initialization function.
- *
- * This function is called once during the initialization of the
- * PSA Cryptography subsystem, before any other function of the
- * driver is called. If this function returns a failure status,
- * the driver will be unusable, at least until the next system reset.
- *
- * If this field is \c NULL, it is equivalent to a function that does
- * nothing and returns #PSA_SUCCESS.
- */
- psa_drv_se_init_t MBEDTLS_PRIVATE(p_init);
-
- const psa_drv_se_key_management_t *MBEDTLS_PRIVATE(key_management);
- const psa_drv_se_mac_t *MBEDTLS_PRIVATE(mac);
- const psa_drv_se_cipher_t *MBEDTLS_PRIVATE(cipher);
- const psa_drv_se_aead_t *MBEDTLS_PRIVATE(aead);
- const psa_drv_se_asymmetric_t *MBEDTLS_PRIVATE(asymmetric);
- const psa_drv_se_key_derivation_t *MBEDTLS_PRIVATE(derivation);
-} psa_drv_se_t;
-
-/** The current version of the secure element driver HAL.
- */
-/* 0.0.0 patchlevel 5 */
-#define PSA_DRV_SE_HAL_VERSION 0x00000005
-
-/** Register an external cryptoprocessor (secure element) driver.
- *
- * This function is only intended to be used by driver code, not by
- * application code. In implementations with separation between the
- * PSA cryptography module and applications, this function should
- * only be available to callers that run in the same memory space as
- * the cryptography module, and should not be exposed to applications
- * running in a different memory space.
- *
- * This function may be called before psa_crypto_init(). It is
- * implementation-defined whether this function may be called
- * after psa_crypto_init().
- *
- * \note Implementations store metadata about keys including the lifetime
- * value, which contains the driver's location indicator. Therefore,
- * from one instantiation of the PSA Cryptography
- * library to the next one, if there is a key in storage with a certain
- * lifetime value, you must always register the same driver (or an
- * updated version that communicates with the same secure element)
- * with the same location value.
- *
- * \param location The location value through which this driver will
- * be exposed to applications.
- * This driver will be used for all keys such that
- * `location == #PSA_KEY_LIFETIME_GET_LOCATION( lifetime )`.
- * The value #PSA_KEY_LOCATION_LOCAL_STORAGE is reserved
- * and may not be used for drivers. Implementations
- * may reserve other values.
- * \param[in] methods The method table of the driver. This structure must
- * remain valid for as long as the cryptography
- * module keeps running. It is typically a global
- * constant.
- *
- * \return #PSA_SUCCESS
- * The driver was successfully registered. Applications can now
- * use \p location to access keys through the methods passed to
- * this function.
- * \return #PSA_ERROR_BAD_STATE
- * This function was called after the initialization of the
- * cryptography module, and this implementation does not support
- * driver registration at this stage.
- * \return #PSA_ERROR_ALREADY_EXISTS
- * There is already a registered driver for this value of \p location.
- * \return #PSA_ERROR_INVALID_ARGUMENT
- * \p location is a reserved value.
- * \return #PSA_ERROR_NOT_SUPPORTED
- * `methods->hal_version` is not supported by this implementation.
- * \return #PSA_ERROR_INSUFFICIENT_MEMORY
- * \return #PSA_ERROR_NOT_PERMITTED
- * \return #PSA_ERROR_STORAGE_FAILURE
- * \return #PSA_ERROR_DATA_CORRUPT
- */
-psa_status_t psa_register_se_driver(
- psa_key_location_t location,
- const psa_drv_se_t *methods);
-
-/**@}*/
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_SE_DRIVER_H */
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
deleted file mode 100644
index 31e45fe..0000000
--- a/include/psa/crypto_sizes.h
+++ /dev/null
@@ -1,1294 +0,0 @@
-/**
- * \file psa/crypto_sizes.h
- *
- * \brief PSA cryptography module: Mbed TLS buffer size macros
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * This file contains the definitions of macros that are useful to
- * compute buffer sizes. The signatures and semantics of these macros
- * are standardized, but the definitions are not, because they depend on
- * the available algorithms and, in some cases, on permitted tolerances
- * on buffer sizes.
- *
- * In implementations with isolation between the application and the
- * cryptography module, implementers should take care to ensure that
- * the definitions that are exposed to applications match what the
- * module implements.
- *
- * Macros that compute sizes whose values do not depend on the
- * implementation are in crypto.h.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_SIZES_H
-#define PSA_CRYPTO_SIZES_H
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-#define PSA_BITS_TO_BYTES(bits) (((bits) + 7u) / 8u)
-#define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8u)
-#define PSA_MAX_OF_THREE(a, b, c) ((a) <= (b) ? (b) <= (c) ? \
- (c) : (b) : (a) <= (c) ? (c) : (a))
-
-#define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
- (((length) + (block_size) - 1) / (block_size) * (block_size))
-
-/** The size of the output of psa_hash_finish(), in bytes.
- *
- * This is also the hash size that psa_hash_verify() expects.
- *
- * \param alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm
- * (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a
- * hash algorithm).
- *
- * \return The hash size for the specified hash algorithm.
- * If the hash algorithm is not recognized, return 0.
- */
-#define PSA_HASH_LENGTH(alg) \
- ( \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64u : \
- 0u)
-
-/** The input block size of a hash algorithm, in bytes.
- *
- * Hash algorithms process their input data in blocks. Hash operations will
- * retain any partial blocks until they have enough input to fill the block or
- * until the operation is finished.
- * This affects the output from psa_hash_suspend().
- *
- * \param alg A hash algorithm (\c PSA_ALG_XXX value such that
- * PSA_ALG_IS_HASH(\p alg) is true).
- *
- * \return The block size in bytes for the specified hash algorithm.
- * If the hash algorithm is not recognized, return 0.
- * An implementation can return either 0 or the correct size for a
- * hash algorithm that it recognizes, but does not support.
- */
-#define PSA_HASH_BLOCK_LENGTH(alg) \
- ( \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104u : \
- PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72u : \
- 0u)
-
-/** \def PSA_HASH_MAX_SIZE
- *
- * Maximum size of a hash.
- *
- * This macro expands to a compile-time constant integer. This value
- * is the maximum size of a hash in bytes.
- */
-/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-224,
- * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
- * HMAC-SHA3-512. */
-/* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE,
- * see the note on MBEDTLS_MD_MAX_SIZE for details. */
-#if defined(PSA_WANT_ALG_SHA3_224)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 144u
-#elif defined(PSA_WANT_ALG_SHA3_256)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 136u
-#elif defined(PSA_WANT_ALG_SHA_512)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u
-#elif defined(PSA_WANT_ALG_SHA_384)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u
-#elif defined(PSA_WANT_ALG_SHA3_384)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 104u
-#elif defined(PSA_WANT_ALG_SHA3_512)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 72u
-#elif defined(PSA_WANT_ALG_SHA_256)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
-#elif defined(PSA_WANT_ALG_SHA_224)
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
-#else /* SHA-1 or smaller */
-#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
-#endif
-
-#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA3_512)
-#define PSA_HASH_MAX_SIZE 64u
-#elif defined(PSA_WANT_ALG_SHA_384) || defined(PSA_WANT_ALG_SHA3_384)
-#define PSA_HASH_MAX_SIZE 48u
-#elif defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA3_256)
-#define PSA_HASH_MAX_SIZE 32u
-#elif defined(PSA_WANT_ALG_SHA_224) || defined(PSA_WANT_ALG_SHA3_224)
-#define PSA_HASH_MAX_SIZE 28u
-#else /* SHA-1 or smaller */
-#define PSA_HASH_MAX_SIZE 20u
-#endif
-
-/** \def PSA_MAC_MAX_SIZE
- *
- * Maximum size of a MAC.
- *
- * This macro expands to a compile-time constant integer. This value
- * is the maximum size of a MAC in bytes.
- */
-/* All non-HMAC MACs have a maximum size that's smaller than the
- * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
-/* Note that the encoding of truncated MAC algorithms limits this value
- * to 64 bytes.
- */
-#define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
-
-/** The length of a tag for an AEAD algorithm, in bytes.
- *
- * This macro can be used to allocate a buffer of sufficient size to store the
- * tag output from psa_aead_finish().
- *
- * See also #PSA_AEAD_TAG_MAX_SIZE.
- *
- * \param key_type The type of the AEAD key.
- * \param key_bits The size of the AEAD key in bits.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \return The tag length for the specified algorithm and key.
- * If the AEAD algorithm does not have an identified
- * tag that can be distinguished from the rest of
- * the ciphertext, return 0.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
- PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
- ((void) (key_bits), 0u))
-
-/** The maximum tag size for all supported AEAD algorithms, in bytes.
- *
- * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
- */
-#define PSA_AEAD_TAG_MAX_SIZE 16u
-
-/* The maximum size of an RSA key on this implementation, in bits.
- * This is a vendor-specific macro.
- *
- * Mbed TLS does not set a hard limit on the size of RSA keys: any key
- * whose parameters fit in a bignum is accepted. However large keys can
- * induce a large memory usage and long computation times. Unlike other
- * auxiliary macros in this file and in crypto.h, which reflect how the
- * library is configured, this macro defines how the library is
- * configured. This implementation refuses to import or generate an
- * RSA key whose size is larger than the value defined here.
- *
- * Note that an implementation may set different size limits for different
- * operations, and does not need to accept all key sizes up to the limit. */
-#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096u
-
-/* The minimum size of an RSA key on this implementation, in bits.
- * This is a vendor-specific macro.
- *
- * Limits RSA key generation to a minimum due to avoid accidental misuse.
- * This value cannot be less than 128 bits.
- */
-#if defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)
-#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS MBEDTLS_RSA_GEN_KEY_MIN_BITS
-#else
-#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS 1024
-#endif
-
-/* The maximum size of an DH key on this implementation, in bits.
- *
- * Note that an implementation may set different size limits for different
- * operations, and does not need to accept all key sizes up to the limit. */
-#define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192u
-
-/* The maximum size of an ECC key on this implementation, in bits.
- * This is a vendor-specific macro. */
-#if defined(PSA_WANT_ECC_SECP_R1_521)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 521u
-#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 512u
-#elif defined(PSA_WANT_ECC_MONTGOMERY_448)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 448u
-#elif defined(PSA_WANT_ECC_SECP_R1_384)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u
-#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u
-#elif defined(PSA_WANT_ECC_SECP_R1_256)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
-#elif defined(PSA_WANT_ECC_SECP_K1_256)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
-#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
-#elif defined(PSA_WANT_ECC_MONTGOMERY_255)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 255u
-#elif defined(PSA_WANT_ECC_SECP_R1_224)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u
-#elif defined(PSA_WANT_ECC_SECP_K1_224)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u
-#elif defined(PSA_WANT_ECC_SECP_R1_192)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u
-#elif defined(PSA_WANT_ECC_SECP_K1_192)
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u
-#else
-#define PSA_VENDOR_ECC_MAX_CURVE_BITS 0u
-#endif
-
-/** This macro returns the maximum supported length of the PSK for the
- * TLS-1.2 PSK-to-MS key derivation
- * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).
- *
- * The maximum supported length does not depend on the chosen hash algorithm.
- *
- * Quoting RFC 4279, Sect 5.3:
- * TLS implementations supporting these ciphersuites MUST support
- * arbitrary PSK identities up to 128 octets in length, and arbitrary
- * PSKs up to 64 octets in length. Supporting longer identities and
- * keys is RECOMMENDED.
- *
- * Therefore, no implementation should define a value smaller than 64
- * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
- */
-#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128u
-
-/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
- * which is expected to work with P-256 curve only. */
-#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65u
-
-/* The size of a serialized K.X coordinate to be used in
- * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
- * curve. */
-#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32u
-
-/* The maximum number of iterations for PBKDF2 on this implementation, in bits.
- * This is a vendor-specific macro. This can be configured if necessary */
-#define PSA_VENDOR_PBKDF2_MAX_ITERATIONS 0xffffffffU
-
-/** The maximum size of a block cipher. */
-#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16u
-
-/** The size of the output of psa_mac_sign_finish(), in bytes.
- *
- * This is also the MAC size that psa_mac_verify_finish() expects.
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type The type of the MAC key.
- * \param key_bits The size of the MAC key in bits.
- * \param alg A MAC algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_MAC(\p alg) is true).
- *
- * \return The MAC size for the specified algorithm with
- * the specified key parameters.
- * \return 0 if the MAC algorithm is not recognized.
- * \return Either 0 or the correct size for a MAC algorithm that
- * the implementation recognizes, but does not support.
- * \return Unspecified if the key parameters are not consistent
- * with the algorithm.
- */
-#define PSA_MAC_LENGTH(key_type, key_bits, alg) \
- ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) : \
- PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) : \
- PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
- ((void) (key_type), (void) (key_bits), 0u))
-
-/** The maximum size of the output of psa_aead_encrypt(), in bytes.
- *
- * If the size of the ciphertext buffer is at least this large, it is
- * guaranteed that psa_aead_encrypt() will not fail due to an
- * insufficient buffer size. Depending on the algorithm, the actual size of
- * the ciphertext may be smaller.
- *
- * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is
- * compatible with algorithm \p alg.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- * \param plaintext_length Size of the plaintext in bytes.
- *
- * \return The AEAD ciphertext size for the specified
- * algorithm.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
- (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
- 0u)
-
-/** A sufficient output buffer size for psa_aead_encrypt(), for any of the
- * supported key types and AEAD algorithms.
- *
- * If the size of the ciphertext buffer is at least this large, it is guaranteed
- * that psa_aead_encrypt() will not fail due to an insufficient buffer size.
- *
- * \note This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
- * \p plaintext_length).
- *
- * \param plaintext_length Size of the plaintext in bytes.
- *
- * \return A sufficient output buffer size for any of the
- * supported key types and AEAD algorithms.
- *
- */
-#define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length) \
- ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
-
-
-/** The maximum size of the output of psa_aead_decrypt(), in bytes.
- *
- * If the size of the plaintext buffer is at least this large, it is
- * guaranteed that psa_aead_decrypt() will not fail due to an
- * insufficient buffer size. Depending on the algorithm, the actual size of
- * the plaintext may be smaller.
- *
- * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is
- * compatible with algorithm \p alg.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- * \param ciphertext_length Size of the plaintext in bytes.
- *
- * \return The AEAD ciphertext size for the specified
- * algorithm.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
- (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ? \
- (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
- 0u)
-
-/** A sufficient output buffer size for psa_aead_decrypt(), for any of the
- * supported key types and AEAD algorithms.
- *
- * If the size of the plaintext buffer is at least this large, it is guaranteed
- * that psa_aead_decrypt() will not fail due to an insufficient buffer size.
- *
- * \note This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
- * \p ciphertext_length).
- *
- * \param ciphertext_length Size of the ciphertext in bytes.
- *
- * \return A sufficient output buffer size for any of the
- * supported key types and AEAD algorithms.
- *
- */
-#define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length) \
- (ciphertext_length)
-
-/** The default nonce size for an AEAD algorithm, in bytes.
- *
- * This macro can be used to allocate a buffer of sufficient size to
- * store the nonce output from #psa_aead_generate_nonce().
- *
- * See also #PSA_AEAD_NONCE_MAX_SIZE.
- *
- * \note This is not the maximum size of nonce supported as input to
- * #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
- * just the default size that is generated by #psa_aead_generate_nonce().
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is compatible with
- * algorithm \p alg.
- *
- * \param alg An AEAD algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \return The default nonce size for the specified key type and algorithm.
- * If the key type or AEAD algorithm is not recognized,
- * or the parameters are incompatible, return 0.
- */
-#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
- (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
- MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13u : \
- MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12u : \
- 0u : \
- (key_type) == PSA_KEY_TYPE_CHACHA20 && \
- MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12u : \
- 0u)
-
-/** The maximum default nonce size among all supported pairs of key types and
- * AEAD algorithms, in bytes.
- *
- * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()
- * may return.
- *
- * \note This is not the maximum size of nonce supported as input to
- * #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
- * just the largest size that may be generated by
- * #psa_aead_generate_nonce().
- */
-#define PSA_AEAD_NONCE_MAX_SIZE 13u
-
-/** A sufficient output buffer size for psa_aead_update().
- *
- * If the size of the output buffer is at least this large, it is
- * guaranteed that psa_aead_update() will not fail due to an
- * insufficient buffer size. The actual size of the output may be smaller
- * in any given call.
- *
- * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is
- * compatible with algorithm \p alg.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- * \param input_length Size of the input in bytes.
- *
- * \return A sufficient output buffer size for the specified
- * algorithm.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-/* For all the AEAD modes defined in this specification, it is possible
- * to emit output without delay. However, hardware may not always be
- * capable of this. So for modes based on a block cipher, allow the
- * implementation to delay the output until it has a full block. */
-#define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
- PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
- PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
- (input_length) : \
- 0u)
-
-/** A sufficient output buffer size for psa_aead_update(), for any of the
- * supported key types and AEAD algorithms.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_aead_update() will not fail due to an insufficient buffer size.
- *
- * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
- *
- * \param input_length Size of the input in bytes.
- */
-#define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length) \
- (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))
-
-/** A sufficient ciphertext buffer size for psa_aead_finish().
- *
- * If the size of the ciphertext buffer is at least this large, it is
- * guaranteed that psa_aead_finish() will not fail due to an
- * insufficient ciphertext buffer size. The actual size of the output may
- * be smaller in any given call.
- *
- * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
- *
- * \param key_type A symmetric key type that is
- compatible with algorithm \p alg.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \return A sufficient ciphertext buffer size for the
- * specified algorithm.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
- PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
- PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
- 0u)
-
-/** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
- * supported key types and AEAD algorithms.
- *
- * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
- */
-#define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
-
-/** A sufficient plaintext buffer size for psa_aead_verify().
- *
- * If the size of the plaintext buffer is at least this large, it is
- * guaranteed that psa_aead_verify() will not fail due to an
- * insufficient plaintext buffer size. The actual size of the output may
- * be smaller in any given call.
- *
- * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
- *
- * \param key_type A symmetric key type that is
- * compatible with algorithm \p alg.
- * \param alg An AEAD algorithm
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \return A sufficient plaintext buffer size for the
- * specified algorithm.
- * If the key type or AEAD algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
- (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
- PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
- PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
- 0u)
-
-/** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
- * supported key types and AEAD algorithms.
- *
- * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
- */
-#define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
-
-#define PSA_RSA_MINIMUM_PADDING_SIZE(alg) \
- (PSA_ALG_IS_RSA_OAEP(alg) ? \
- 2u * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1u : \
- 11u /*PKCS#1v1.5*/)
-
-/**
- * \brief ECDSA signature size for a given curve bit size
- *
- * \param curve_bits Curve size in bits.
- * \return Signature size in bytes.
- *
- * \note This macro returns a compile-time constant if its argument is one.
- */
-#define PSA_ECDSA_SIGNATURE_SIZE(curve_bits) \
- (PSA_BITS_TO_BYTES(curve_bits) * 2u)
-
-/** Sufficient signature buffer size for psa_sign_hash().
- *
- * This macro returns a sufficient buffer size for a signature using a key
- * of the specified type and size, with the specified algorithm.
- * Note that the actual size of the signature may be smaller
- * (some algorithms produce a variable-size signature).
- *
- * \warning This function may call its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type An asymmetric key type (this may indifferently be a
- * key pair type or a public key type).
- * \param key_bits The size of the key in bits.
- * \param alg The signature algorithm.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_sign_hash() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not supported,
- * return either a sensible size or 0.
- * If the parameters are not valid, the
- * return value is unspecified.
- */
-#define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg) \
- (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \
- PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
- ((void) alg, 0u))
-
-#define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE \
- PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-
-/** \def PSA_SIGNATURE_MAX_SIZE
- *
- * Maximum size of an asymmetric signature.
- *
- * This macro expands to a compile-time constant integer. This value
- * is the maximum size of a signature in bytes.
- */
-#define PSA_SIGNATURE_MAX_SIZE 1
-
-#if (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) && \
- (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE > PSA_SIGNATURE_MAX_SIZE)
-#undef PSA_SIGNATURE_MAX_SIZE
-#define PSA_SIGNATURE_MAX_SIZE PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE
-#endif
-#if (defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) || defined(PSA_WANT_ALG_RSA_PSS)) && \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_SIGNATURE_MAX_SIZE)
-#undef PSA_SIGNATURE_MAX_SIZE
-#define PSA_SIGNATURE_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS)
-#endif
-
-/** Sufficient output buffer size for psa_asymmetric_encrypt().
- *
- * This macro returns a sufficient buffer size for a ciphertext produced using
- * a key of the specified type and size, with the specified algorithm.
- * Note that the actual size of the ciphertext may be smaller, depending
- * on the algorithm.
- *
- * \warning This function may call its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type An asymmetric key type (this may indifferently be a
- * key pair type or a public key type).
- * \param key_bits The size of the key in bits.
- * \param alg The asymmetric encryption algorithm.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_asymmetric_encrypt() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not supported,
- * return either a sensible size or 0.
- * If the parameters are not valid, the
- * return value is unspecified.
- */
-#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
- (PSA_KEY_TYPE_IS_RSA(key_type) ? \
- ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \
- 0u)
-
-/** A sufficient output buffer size for psa_asymmetric_encrypt(), for any
- * supported asymmetric encryption.
- *
- * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
- */
-/* This macro assumes that RSA is the only supported asymmetric encryption. */
-#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
-
-/** Sufficient output buffer size for psa_asymmetric_decrypt().
- *
- * This macro returns a sufficient buffer size for a plaintext produced using
- * a key of the specified type and size, with the specified algorithm.
- * Note that the actual size of the plaintext may be smaller, depending
- * on the algorithm.
- *
- * \warning This function may call its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type An asymmetric key type (this may indifferently be a
- * key pair type or a public key type).
- * \param key_bits The size of the key in bits.
- * \param alg The asymmetric encryption algorithm.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_asymmetric_decrypt() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not supported,
- * return either a sensible size or 0.
- * If the parameters are not valid, the
- * return value is unspecified.
- */
-#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
- (PSA_KEY_TYPE_IS_RSA(key_type) ? \
- PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) : \
- 0u)
-
-/** A sufficient output buffer size for psa_asymmetric_decrypt(), for any
- * supported asymmetric decryption.
- *
- * This macro assumes that RSA is the only supported asymmetric encryption.
- *
- * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
- */
-#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
-
-/* Maximum size of the ASN.1 encoding of an INTEGER with the specified
- * number of bits.
- *
- * This definition assumes that bits <= 2^19 - 9 so that the length field
- * is at most 3 bytes. The length of the encoding is the length of the
- * bit string padded to a whole number of bytes plus:
- * - 1 type byte;
- * - 1 to 3 length bytes;
- * - 0 to 1 bytes of leading 0 due to the sign bit.
- */
-#define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits) \
- ((bits) / 8u + 5u)
-
-/* Maximum size of the export encoding of an RSA public key.
- * Assumes that the public exponent is less than 2^32.
- *
- * RSAPublicKey ::= SEQUENCE {
- * modulus INTEGER, -- n
- * publicExponent INTEGER } -- e
- *
- * - 4 bytes of SEQUENCE overhead;
- * - n : INTEGER;
- * - 7 bytes for the public exponent.
- */
-#define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
- (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11u)
-
-/* Maximum size of the export encoding of an RSA key pair.
- * Assumes that the public exponent is less than 2^32 and that the size
- * difference between the two primes is at most 1 bit.
- *
- * RSAPrivateKey ::= SEQUENCE {
- * version Version, -- 0
- * modulus INTEGER, -- N-bit
- * publicExponent INTEGER, -- 32-bit
- * privateExponent INTEGER, -- N-bit
- * prime1 INTEGER, -- N/2-bit
- * prime2 INTEGER, -- N/2-bit
- * exponent1 INTEGER, -- N/2-bit
- * exponent2 INTEGER, -- N/2-bit
- * coefficient INTEGER, -- N/2-bit
- * }
- *
- * - 4 bytes of SEQUENCE overhead;
- * - 3 bytes of version;
- * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
- * overapproximated as 9 half-size INTEGERS;
- * - 7 bytes for the public exponent.
- */
-#define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) \
- (9u * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2u + 1u) + 14u)
-
-/* Maximum size of the export encoding of a DSA public key.
- *
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING } -- contains DSAPublicKey
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters Dss-Params } -- SEQUENCE of 3 INTEGERs
- * DSAPublicKey ::= INTEGER -- public key, Y
- *
- * - 3 * 4 bytes of SEQUENCE overhead;
- * - 1 + 1 + 7 bytes of algorithm (DSA OID);
- * - 4 bytes of BIT STRING overhead;
- * - 3 full-size INTEGERs (p, g, y);
- * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
- */
-#define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
- (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 59u)
-
-/* Maximum size of the export encoding of a DSA key pair.
- *
- * DSAPrivateKey ::= SEQUENCE {
- * version Version, -- 0
- * prime INTEGER, -- p
- * subprime INTEGER, -- q
- * generator INTEGER, -- g
- * public INTEGER, -- y
- * private INTEGER, -- x
- * }
- *
- * - 4 bytes of SEQUENCE overhead;
- * - 3 bytes of version;
- * - 3 full-size INTEGERs (p, g, y);
- * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
- */
-#define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) \
- (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 75u)
-
-/* Maximum size of the export encoding of an ECC public key.
- *
- * The representation of an ECC public key is:
- * - The byte 0x04;
- * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
- * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
- * - where m is the bit size associated with the curve.
- *
- * - 1 byte + 2 * point size.
- */
-#define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) \
- (2u * PSA_BITS_TO_BYTES(key_bits) + 1u)
-
-/* Maximum size of the export encoding of an ECC key pair.
- *
- * An ECC key pair is represented by the secret value.
- */
-#define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) \
- (PSA_BITS_TO_BYTES(key_bits))
-
-/* Maximum size of the export encoding of an DH key pair.
- *
- * An DH key pair is represented by the secret value.
- */
-#define PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(key_bits) \
- (PSA_BITS_TO_BYTES(key_bits))
-
-/* Maximum size of the export encoding of an DH public key.
- */
-#define PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(key_bits) \
- (PSA_BITS_TO_BYTES(key_bits))
-
-/** Sufficient output buffer size for psa_export_key() or
- * psa_export_public_key().
- *
- * This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * The following code illustrates how to allocate enough memory to export
- * a key by querying the key type and size at runtime.
- * \code{c}
- * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- * psa_status_t status;
- * status = psa_get_key_attributes(key, &attributes);
- * if (status != PSA_SUCCESS) handle_error(...);
- * psa_key_type_t key_type = psa_get_key_type(&attributes);
- * size_t key_bits = psa_get_key_bits(&attributes);
- * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);
- * psa_reset_key_attributes(&attributes);
- * uint8_t *buffer = malloc(buffer_size);
- * if (buffer == NULL) handle_error(...);
- * size_t buffer_length;
- * status = psa_export_key(key, buffer, buffer_size, &buffer_length);
- * if (status != PSA_SUCCESS) handle_error(...);
- * \endcode
- *
- * \param key_type A supported key type.
- * \param key_bits The size of the key in bits.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_export_key() or psa_export_public_key() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not supported,
- * return either a sensible size or 0.
- * If the parameters are not valid, the return value is unspecified.
- */
-#define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits) \
- (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
- PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
- (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) : \
- (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
- (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) : \
- (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
- PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) : \
- PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
- 0u)
-
-/** Sufficient output buffer size for psa_export_public_key().
- *
- * This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * The following code illustrates how to allocate enough memory to export
- * a public key by querying the key type and size at runtime.
- * \code{c}
- * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- * psa_status_t status;
- * status = psa_get_key_attributes(key, &attributes);
- * if (status != PSA_SUCCESS) handle_error(...);
- * psa_key_type_t key_type = psa_get_key_type(&attributes);
- * size_t key_bits = psa_get_key_bits(&attributes);
- * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);
- * psa_reset_key_attributes(&attributes);
- * uint8_t *buffer = malloc(buffer_size);
- * if (buffer == NULL) handle_error(...);
- * size_t buffer_length;
- * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);
- * if (status != PSA_SUCCESS) handle_error(...);
- * \endcode
- *
- * \param key_type A public key or key pair key type.
- * \param key_bits The size of the key in bits.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_export_public_key() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that is not
- * supported, return either a sensible size or 0.
- * If the parameters are not valid,
- * the return value is unspecified.
- *
- * If the parameters are valid and supported,
- * return the same result as
- * #PSA_EXPORT_KEY_OUTPUT_SIZE(
- * \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),
- * \p key_bits).
- */
-#define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits) \
- (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
- PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
- PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
- 0u)
-
-/** Sufficient buffer size for exporting any asymmetric key pair.
- *
- * This macro expands to a compile-time constant integer. This value is
- * a sufficient buffer size when calling psa_export_key() to export any
- * asymmetric key pair, regardless of the exact key type and key size.
- *
- * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
- */
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE 1
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
- (PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
- PSA_EXPORT_KEY_PAIR_MAX_SIZE)
-#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-#endif
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && \
- (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_EXPORT_KEY_PAIR_MAX_SIZE)
-#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
- PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
-#endif
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \
- (PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \
- PSA_EXPORT_KEY_PAIR_MAX_SIZE)
-#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
- PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
-#endif
-
-/** Sufficient buffer size for exporting any asymmetric public key.
- *
- * This macro expands to a compile-time constant integer. This value is
- * a sufficient buffer size when calling psa_export_key() or
- * psa_export_public_key() to export any asymmetric public key,
- * regardless of the exact key type and key size.
- *
- * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
- */
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE 1
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
- (PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
- PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
-#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-#endif
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) && \
- (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
-#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
- PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
-#endif
-#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \
- (PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \
- PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
-#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
- PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
-#endif
-
-/** Sufficient output buffer size for psa_raw_key_agreement().
- *
- * This macro returns a compile-time constant if its arguments are
- * compile-time constants.
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.
- *
- * \param key_type A supported key type.
- * \param key_bits The size of the key in bits.
- *
- * \return If the parameters are valid and supported, return
- * a buffer size in bytes that guarantees that
- * psa_raw_key_agreement() will not fail with
- * #PSA_ERROR_BUFFER_TOO_SMALL.
- * If the parameters are a valid combination that
- * is not supported, return either a sensible size or 0.
- * If the parameters are not valid,
- * the return value is unspecified.
- */
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits) \
- ((PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) || \
- PSA_KEY_TYPE_IS_DH_KEY_PAIR(key_type)) ? PSA_BITS_TO_BYTES(key_bits) : 0u)
-
-/** Maximum size of the output from psa_raw_key_agreement().
- *
- * This macro expands to a compile-time constant integer. This value is the
- * maximum size of the output any raw key agreement algorithm, in bytes.
- *
- * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
- */
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE 1
-
-#if defined(PSA_WANT_ALG_ECDH) && \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)
-#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-#endif
-#if defined(PSA_WANT_ALG_FFDH) && \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)
-#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS)
-#endif
-
-/** The default IV size for a cipher algorithm, in bytes.
- *
- * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
- * the default IV length for the algorithm.
- *
- * This macro can be used to allocate a buffer of sufficient size to
- * store the IV output from #psa_cipher_generate_iv() when using
- * a multi-part cipher operation.
- *
- * See also #PSA_CIPHER_IV_MAX_SIZE.
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is compatible with algorithm \p alg.
- *
- * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \return The default IV size for the specified key type and algorithm.
- * If the algorithm does not use an IV, return 0.
- * If the key type or cipher algorithm is not recognized,
- * or the parameters are incompatible, return 0.
- */
-#define PSA_CIPHER_IV_LENGTH(key_type, alg) \
- (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \
- ((alg) == PSA_ALG_CTR || \
- (alg) == PSA_ALG_CFB || \
- (alg) == PSA_ALG_OFB || \
- (alg) == PSA_ALG_XTS || \
- (alg) == PSA_ALG_CBC_NO_PADDING || \
- (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
- (key_type) == PSA_KEY_TYPE_CHACHA20 && \
- (alg) == PSA_ALG_STREAM_CIPHER ? 12u : \
- (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13u : \
- 0u)
-
-/** The maximum IV size for all supported cipher algorithms, in bytes.
- *
- * See also #PSA_CIPHER_IV_LENGTH().
- */
-#define PSA_CIPHER_IV_MAX_SIZE 16u
-
-/** The maximum size of the output of psa_cipher_encrypt(), in bytes.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
- * Depending on the algorithm, the actual size of the output might be smaller.
- *
- * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).
- *
- * \warning This macro may evaluate its arguments multiple times or
- * zero times, so you should not pass arguments that contain
- * side effects.
- *
- * \param key_type A symmetric key type that is compatible with algorithm
- * alg.
- * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param input_length Size of the input in bytes.
- *
- * \return A sufficient output size for the specified key type and
- * algorithm. If the key type or cipher algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length) \
- (alg == PSA_ALG_CBC_PKCS7 ? \
- (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
- PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
- (input_length) + 1u) + \
- PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0u) : \
- (PSA_ALG_IS_CIPHER(alg) ? \
- (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) : \
- 0u))
-
-/** A sufficient output buffer size for psa_cipher_encrypt(), for any of the
- * supported key types and cipher algorithms.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
- *
- * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
- *
- * \param input_length Size of the input in bytes.
- *
- */
-#define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length) \
- (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, \
- (input_length) + 1u) + \
- PSA_CIPHER_IV_MAX_SIZE)
-
-/** The maximum size of the output of psa_cipher_decrypt(), in bytes.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
- * Depending on the algorithm, the actual size of the output might be smaller.
- *
- * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).
- *
- * \param key_type A symmetric key type that is compatible with algorithm
- * alg.
- * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param input_length Size of the input in bytes.
- *
- * \return A sufficient output size for the specified key type and
- * algorithm. If the key type or cipher algorithm is not
- * recognized, or the parameters are incompatible,
- * return 0.
- */
-#define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length) \
- (PSA_ALG_IS_CIPHER(alg) && \
- ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
- (input_length) : \
- 0u)
-
-/** A sufficient output buffer size for psa_cipher_decrypt(), for any of the
- * supported key types and cipher algorithms.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
- *
- * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
- *
- * \param input_length Size of the input in bytes.
- */
-#define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length) \
- (input_length)
-
-/** A sufficient output buffer size for psa_cipher_update().
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_update() will not fail due to an insufficient buffer size.
- * The actual size of the output might be smaller in any given call.
- *
- * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
- *
- * \param key_type A symmetric key type that is compatible with algorithm
- * alg.
- * \param alg A cipher algorithm (PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param input_length Size of the input in bytes.
- *
- * \return A sufficient output size for the specified key type and
- * algorithm. If the key type or cipher algorithm is not
- * recognized, or the parameters are incompatible, return 0.
- */
-#define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
- (PSA_ALG_IS_CIPHER(alg) ? \
- (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
- (((alg) == PSA_ALG_CBC_PKCS7 || \
- (alg) == PSA_ALG_CBC_NO_PADDING || \
- (alg) == PSA_ALG_ECB_NO_PADDING) ? \
- PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
- input_length) : \
- (input_length)) : 0u) : \
- 0u)
-
-/** A sufficient output buffer size for psa_cipher_update(), for any of the
- * supported key types and cipher algorithms.
- *
- * If the size of the output buffer is at least this large, it is guaranteed
- * that psa_cipher_update() will not fail due to an insufficient buffer size.
- *
- * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
- *
- * \param input_length Size of the input in bytes.
- */
-#define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length) \
- (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))
-
-/** A sufficient ciphertext buffer size for psa_cipher_finish().
- *
- * If the size of the ciphertext buffer is at least this large, it is
- * guaranteed that psa_cipher_finish() will not fail due to an insufficient
- * ciphertext buffer size. The actual size of the output might be smaller in
- * any given call.
- *
- * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().
- *
- * \param key_type A symmetric key type that is compatible with algorithm
- * alg.
- * \param alg A cipher algorithm (PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \return A sufficient output size for the specified key type and
- * algorithm. If the key type or cipher algorithm is not
- * recognized, or the parameters are incompatible, return 0.
- */
-#define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg) \
- (PSA_ALG_IS_CIPHER(alg) ? \
- (alg == PSA_ALG_CBC_PKCS7 ? \
- PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
- 0u) : \
- 0u)
-
-/** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the
- * supported key types and cipher algorithms.
- *
- * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
- */
-#define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE \
- (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
-
-#endif /* PSA_CRYPTO_SIZES_H */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
deleted file mode 100644
index 6c46191..0000000
--- a/include/psa/crypto_struct.h
+++ /dev/null
@@ -1,477 +0,0 @@
-/**
- * \file psa/crypto_struct.h
- *
- * \brief PSA cryptography module: Mbed TLS structured type implementations
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h.
- *
- * This file contains the definitions of some data structures with
- * implementation-specific definitions.
- *
- * In implementations with isolation between the application and the
- * cryptography module, it is expected that the front-end and the back-end
- * would have different versions of this file.
- *
- * <h3>Design notes about multipart operation structures</h3>
- *
- * For multipart operations without driver delegation support, each multipart
- * operation structure contains a `psa_algorithm_t alg` field which indicates
- * which specific algorithm the structure is for. When the structure is not in
- * use, `alg` is 0. Most of the structure consists of a union which is
- * discriminated by `alg`.
- *
- * For multipart operations with driver delegation support, each multipart
- * operation structure contains an `unsigned int id` field indicating which
- * driver got assigned to do the operation. When the structure is not in use,
- * 'id' is 0. The structure contains also a driver context which is the union
- * of the contexts of all drivers able to handle the type of multipart
- * operation.
- *
- * Note that when `alg` or `id` is 0, the content of other fields is undefined.
- * In particular, it is not guaranteed that a freshly-initialized structure
- * is all-zero: we initialize structures to something like `{0, 0}`, which
- * is only guaranteed to initializes the first member of the union;
- * GCC and Clang initialize the whole structure to 0 (at the time of writing),
- * but MSVC and CompCert don't.
- *
- * In Mbed TLS, multipart operation structures live independently from
- * the key. This allows Mbed TLS to free the key objects when destroying
- * a key slot. If a multipart operation needs to remember the key after
- * the setup function returns, the operation structure needs to contain a
- * copy of the key.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_STRUCT_H
-#define PSA_CRYPTO_STRUCT_H
-#include "mbedtls/private_access.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-/* Include the context definition for the compiled-in drivers for the primitive
- * algorithms. */
-#include "psa/crypto_driver_contexts_primitives.h"
-
-struct psa_hash_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_driver_wrappers.h.
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. the driver context is not active, in use). */
- unsigned int MBEDTLS_PRIVATE(id);
- psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx);
-};
-
-#define PSA_HASH_OPERATION_INIT { 0, { 0 } }
-static inline struct psa_hash_operation_s psa_hash_operation_init(void)
-{
- const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
- return v;
-}
-
-struct psa_cipher_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_crypto_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
-
- unsigned int MBEDTLS_PRIVATE(iv_required) : 1;
- unsigned int MBEDTLS_PRIVATE(iv_set) : 1;
-
- uint8_t MBEDTLS_PRIVATE(default_iv_length);
-
- psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx);
-};
-
-#define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
-static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
-{
- const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
- return v;
-}
-
-/* Include the context definition for the compiled-in drivers for the composite
- * algorithms. */
-#include "psa/crypto_driver_contexts_composites.h"
-
-struct psa_mac_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
- uint8_t MBEDTLS_PRIVATE(mac_size);
- unsigned int MBEDTLS_PRIVATE(is_sign) : 1;
- psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx);
-};
-
-#define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }
-static inline struct psa_mac_operation_s psa_mac_operation_init(void)
-{
- const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
- return v;
-}
-
-struct psa_aead_operation_s {
-
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_crypto_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
-
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- psa_key_type_t MBEDTLS_PRIVATE(key_type);
-
- size_t MBEDTLS_PRIVATE(ad_remaining);
- size_t MBEDTLS_PRIVATE(body_remaining);
-
- unsigned int MBEDTLS_PRIVATE(nonce_set) : 1;
- unsigned int MBEDTLS_PRIVATE(lengths_set) : 1;
- unsigned int MBEDTLS_PRIVATE(ad_started) : 1;
- unsigned int MBEDTLS_PRIVATE(body_started) : 1;
- unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
-
- psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx);
-};
-
-#define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } }
-static inline struct psa_aead_operation_s psa_aead_operation_init(void)
-{
- const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
- return v;
-}
-
-/* Include the context definition for the compiled-in drivers for the key
- * derivation algorithms. */
-#include "psa/crypto_driver_contexts_key_derivation.h"
-
-struct psa_key_derivation_s {
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- unsigned int MBEDTLS_PRIVATE(can_output_key) : 1;
- size_t MBEDTLS_PRIVATE(capacity);
- psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx);
-};
-
-/* This only zeroes out the first byte in the union, the rest is unspecified. */
-#define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } }
-static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
- void)
-{
- const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
- return v;
-}
-
-struct psa_key_policy_s {
- psa_key_usage_t MBEDTLS_PRIVATE(usage);
- psa_algorithm_t MBEDTLS_PRIVATE(alg);
- psa_algorithm_t MBEDTLS_PRIVATE(alg2);
-};
-typedef struct psa_key_policy_s psa_key_policy_t;
-
-#define PSA_KEY_POLICY_INIT { 0, 0, 0 }
-static inline struct psa_key_policy_s psa_key_policy_init(void)
-{
- const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
- return v;
-}
-
-/* The type used internally for key sizes.
- * Public interfaces use size_t, but internally we use a smaller type. */
-typedef uint16_t psa_key_bits_t;
-/* The maximum value of the type used to represent bit-sizes.
- * This is used to mark an invalid key size. */
-#define PSA_KEY_BITS_TOO_LARGE ((psa_key_bits_t) -1)
-/* The maximum size of a key in bits.
- * Currently defined as the maximum that can be represented, rounded down
- * to a whole number of bytes.
- * This is an uncast value so that it can be used in preprocessor
- * conditionals. */
-#define PSA_MAX_KEY_BITS 0xfff8
-
-/** A mask of flags that can be stored in key attributes.
- *
- * This type is also used internally to store flags in slots. Internal
- * flags are defined in library/psa_crypto_core.h. Internal flags may have
- * the same value as external flags if they are properly handled during
- * key creation and in psa_get_key_attributes.
- */
-typedef uint16_t psa_key_attributes_flag_t;
-
-#define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER \
- ((psa_key_attributes_flag_t) 0x0001)
-
-/* A mask of key attribute flags used externally only.
- * Only meant for internal checks inside the library. */
-#define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ( \
- MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER | \
- 0)
-
-/* A mask of key attribute flags used both internally and externally.
- * Currently there aren't any. */
-#define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \
- 0)
-
-typedef struct {
- psa_key_type_t MBEDTLS_PRIVATE(type);
- psa_key_bits_t MBEDTLS_PRIVATE(bits);
- psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
- mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
- psa_key_policy_t MBEDTLS_PRIVATE(policy);
- psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags);
-} psa_core_key_attributes_t;
-
-#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \
- PSA_KEY_LIFETIME_VOLATILE, \
- MBEDTLS_SVC_KEY_ID_INIT, \
- PSA_KEY_POLICY_INIT, 0 }
-
-struct psa_key_attributes_s {
- psa_core_key_attributes_t MBEDTLS_PRIVATE(core);
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- void *MBEDTLS_PRIVATE(domain_parameters);
- size_t MBEDTLS_PRIVATE(domain_parameters_size);
-};
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 }
-#else
-#define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 }
-#endif
-
-static inline struct psa_key_attributes_s psa_key_attributes_init(void)
-{
- const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
- return v;
-}
-
-static inline void psa_set_key_id(psa_key_attributes_t *attributes,
- mbedtls_svc_key_id_t key)
-{
- psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime);
-
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = key;
-
- if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) =
- PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
- PSA_KEY_LIFETIME_PERSISTENT,
- PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
- }
-}
-
-static inline mbedtls_svc_key_id_t psa_get_key_id(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id);
-}
-
-#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
- mbedtls_key_owner_id_t owner)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner;
-}
-#endif
-
-static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
- psa_key_lifetime_t lifetime)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = lifetime;
- if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
-#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0;
-#else
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = 0;
-#endif
- }
-}
-
-static inline psa_key_lifetime_t psa_get_key_lifetime(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime);
-}
-
-static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
-{
- if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH) {
- *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
- }
-
- if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH) {
- *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
- }
-}
-
-static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
- psa_key_usage_t usage_flags)
-{
- psa_extend_key_usage_flags(&usage_flags);
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags;
-}
-
-static inline psa_key_usage_t psa_get_key_usage_flags(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage);
-}
-
-static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
- psa_algorithm_t alg)
-{
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg;
-}
-
-static inline psa_algorithm_t psa_get_key_algorithm(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg);
-}
-
-/* This function is declared in crypto_extra.h, which comes after this
- * header file, but we need the function here, so repeat the declaration. */
-psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length);
-
-static inline void psa_set_key_type(psa_key_attributes_t *attributes,
- psa_key_type_t type)
-{
- if (attributes->MBEDTLS_PRIVATE(domain_parameters) == NULL) {
- /* Common case: quick path */
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type;
- } else {
- /* Call the bigger function to free the old domain parameters.
- * Ignore any errors which may arise due to type requiring
- * non-default domain parameters, since this function can't
- * report errors. */
- (void) psa_set_key_domain_parameters(attributes, type, NULL, 0);
- }
-}
-
-static inline psa_key_type_t psa_get_key_type(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type);
-}
-
-static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
- size_t bits)
-{
- if (bits > PSA_MAX_KEY_BITS) {
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE;
- } else {
- attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits;
- }
-}
-
-static inline size_t psa_get_key_bits(
- const psa_key_attributes_t *attributes)
-{
- return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits);
-}
-
-/**
- * \brief The context for PSA interruptible hash signing.
- */
-struct psa_sign_hash_interruptible_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_crypto_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
-
- psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
-
- unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
-
- uint32_t MBEDTLS_PRIVATE(num_ops);
-};
-
-#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
-
-static inline struct psa_sign_hash_interruptible_operation_s
-psa_sign_hash_interruptible_operation_init(void)
-{
- const struct psa_sign_hash_interruptible_operation_s v =
- PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
-
- return v;
-}
-
-/**
- * \brief The context for PSA interruptible hash verification.
- */
-struct psa_verify_hash_interruptible_operation_s {
- /** Unique ID indicating which driver got assigned to do the
- * operation. Since driver contexts are driver-specific, swapping
- * drivers halfway through the operation is not supported.
- * ID values are auto-generated in psa_crypto_driver_wrappers.h
- * ID value zero means the context is not valid or not assigned to
- * any driver (i.e. none of the driver contexts are active). */
- unsigned int MBEDTLS_PRIVATE(id);
-
- psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
-
- unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
-
- uint32_t MBEDTLS_PRIVATE(num_ops);
-};
-
-#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
-
-static inline struct psa_verify_hash_interruptible_operation_s
-psa_verify_hash_interruptible_operation_init(void)
-{
- const struct psa_verify_hash_interruptible_operation_s v =
- PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
-
- return v;
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_STRUCT_H */
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
deleted file mode 100644
index 8d894b4..0000000
--- a/include/psa/crypto_types.h
+++ /dev/null
@@ -1,472 +0,0 @@
-/**
- * \file psa/crypto_types.h
- *
- * \brief PSA cryptography module: type aliases.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h. Drivers must include the appropriate driver
- * header file.
- *
- * This file contains portable definitions of integral types for properties
- * of cryptographic keys, designations of cryptographic algorithms, and
- * error codes returned by the library.
- *
- * This header file does not declare any function.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_TYPES_H
-#define PSA_CRYPTO_TYPES_H
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-/* Define the MBEDTLS_PRIVATE macro. */
-#include "mbedtls/private_access.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
-#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
-#else
-#include "crypto_platform.h"
-#endif
-
-#include <stdint.h>
-
-/** \defgroup error Error codes
- * @{
- */
-
-/**
- * \brief Function return status.
- *
- * This is either #PSA_SUCCESS (which is zero), indicating success,
- * or a small negative value indicating that an error occurred. Errors are
- * encoded as one of the \c PSA_ERROR_xxx values defined here. */
-/* If #PSA_SUCCESS is already defined, it means that #psa_status_t
- * is also defined in an external header, so prevent its multiple
- * definition.
- */
-#ifndef PSA_SUCCESS
-typedef int32_t psa_status_t;
-#endif
-
-/**@}*/
-
-/** \defgroup crypto_types Key and algorithm types
- * @{
- */
-
-/** \brief Encoding of a key type.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_KEY_TYPE_xxx`.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint16_t psa_key_type_t;
-
-/** The type of PSA elliptic curve family identifiers.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_ECC_FAMILY_xxx`.
- *
- * The curve identifier is required to create an ECC key using the
- * PSA_KEY_TYPE_ECC_KEY_PAIR() or PSA_KEY_TYPE_ECC_PUBLIC_KEY()
- * macros.
- *
- * Values defined by this standard will never be in the range 0x80-0xff.
- * Vendors who define additional families must use an encoding in this range.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint8_t psa_ecc_family_t;
-
-/** The type of PSA Diffie-Hellman group family identifiers.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_DH_FAMILY_xxx`.
- *
- * The group identifier is required to create a Diffie-Hellman key using the
- * PSA_KEY_TYPE_DH_KEY_PAIR() or PSA_KEY_TYPE_DH_PUBLIC_KEY()
- * macros.
- *
- * Values defined by this standard will never be in the range 0x80-0xff.
- * Vendors who define additional families must use an encoding in this range.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint8_t psa_dh_family_t;
-
-/** \brief Encoding of a cryptographic algorithm.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_ALG_xxx`.
- *
- * For algorithms that can be applied to multiple key types, this type
- * does not encode the key type. For example, for symmetric ciphers
- * based on a block cipher, #psa_algorithm_t encodes the block cipher
- * mode and the padding mode while the block cipher itself is encoded
- * via #psa_key_type_t.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint32_t psa_algorithm_t;
-
-/**@}*/
-
-/** \defgroup key_lifetimes Key lifetimes
- * @{
- */
-
-/** Encoding of key lifetimes.
- *
- * The lifetime of a key indicates where it is stored and what system actions
- * may create and destroy it.
- *
- * Lifetime values have the following structure:
- * - Bits 0-7 (#PSA_KEY_LIFETIME_GET_PERSISTENCE(\c lifetime)):
- * persistence level. This value indicates what device management
- * actions can cause it to be destroyed. In particular, it indicates
- * whether the key is _volatile_ or _persistent_.
- * See ::psa_key_persistence_t for more information.
- * - Bits 8-31 (#PSA_KEY_LIFETIME_GET_LOCATION(\c lifetime)):
- * location indicator. This value indicates which part of the system
- * has access to the key material and can perform operations using the key.
- * See ::psa_key_location_t for more information.
- *
- * Volatile keys are automatically destroyed when the application instance
- * terminates or on a power reset of the device. Persistent keys are
- * preserved until the application explicitly destroys them or until an
- * integration-specific device management event occurs (for example,
- * a factory reset).
- *
- * Persistent keys have a key identifier of type #mbedtls_svc_key_id_t.
- * This identifier remains valid throughout the lifetime of the key,
- * even if the application instance that created the key terminates.
- * The application can call psa_open_key() to open a persistent key that
- * it created previously.
- *
- * The default lifetime of a key is #PSA_KEY_LIFETIME_VOLATILE. The lifetime
- * #PSA_KEY_LIFETIME_PERSISTENT is supported if persistent storage is
- * available. Other lifetime values may be supported depending on the
- * library configuration.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_KEY_LIFETIME_xxx`.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint32_t psa_key_lifetime_t;
-
-/** Encoding of key persistence levels.
- *
- * What distinguishes different persistence levels is what device management
- * events may cause keys to be destroyed. _Volatile_ keys are destroyed
- * by a power reset. Persistent keys may be destroyed by events such as
- * a transfer of ownership or a factory reset. What management events
- * actually affect persistent keys at different levels is outside the
- * scope of the PSA Cryptography specification.
- *
- * The PSA Cryptography specification defines the following values of
- * persistence levels:
- * - \c 0 = #PSA_KEY_PERSISTENCE_VOLATILE: volatile key.
- * A volatile key is automatically destroyed by the implementation when
- * the application instance terminates. In particular, a volatile key
- * is automatically destroyed on a power reset of the device.
- * - \c 1 = #PSA_KEY_PERSISTENCE_DEFAULT:
- * persistent key with a default lifetime.
- * - \c 2-254: currently not supported by Mbed TLS.
- * - \c 255 = #PSA_KEY_PERSISTENCE_READ_ONLY:
- * read-only or write-once key.
- * A key with this persistence level cannot be destroyed.
- * Mbed TLS does not currently offer a way to create such keys, but
- * integrations of Mbed TLS can use it for built-in keys that the
- * application cannot modify (for example, a hardware unique key (HUK)).
- *
- * \note Key persistence levels are 8-bit values. Key management
- * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
- * encode the persistence as the lower 8 bits of a 32-bit value.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint8_t psa_key_persistence_t;
-
-/** Encoding of key location indicators.
- *
- * If an integration of Mbed TLS can make calls to external
- * cryptoprocessors such as secure elements, the location of a key
- * indicates which secure element performs the operations on the key.
- * Depending on the design of the secure element, the key
- * material may be stored either in the secure element, or
- * in wrapped (encrypted) form alongside the key metadata in the
- * primary local storage.
- *
- * The PSA Cryptography API specification defines the following values of
- * location indicators:
- * - \c 0: primary local storage.
- * This location is always available.
- * The primary local storage is typically the same storage area that
- * contains the key metadata.
- * - \c 1: primary secure element.
- * Integrations of Mbed TLS should support this value if there is a secure
- * element attached to the operating environment.
- * As a guideline, secure elements may provide higher resistance against
- * side channel and physical attacks than the primary local storage, but may
- * have restrictions on supported key types, sizes, policies and operations
- * and may have different performance characteristics.
- * - \c 2-0x7fffff: other locations defined by a PSA specification.
- * The PSA Cryptography API does not currently assign any meaning to these
- * locations, but future versions of that specification or other PSA
- * specifications may do so.
- * - \c 0x800000-0xffffff: vendor-defined locations.
- * No PSA specification will assign a meaning to locations in this range.
- *
- * \note Key location indicators are 24-bit values. Key management
- * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
- * encode the location as the upper 24 bits of a 32-bit value.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint32_t psa_key_location_t;
-
-/** Encoding of identifiers of persistent keys.
- *
- * - Applications may freely choose key identifiers in the range
- * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX.
- * - The implementation may define additional key identifiers in the range
- * #PSA_KEY_ID_VENDOR_MIN to #PSA_KEY_ID_VENDOR_MAX.
- * - 0 is reserved as an invalid key identifier.
- * - Key identifiers outside these ranges are reserved for future use.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to how values are allocated must require careful
- * consideration to allow backward compatibility.
- */
-typedef uint32_t psa_key_id_t;
-
-/** Encoding of key identifiers as seen inside the PSA Crypto implementation.
- *
- * When PSA Crypto is built as a library inside an application, this type
- * is identical to #psa_key_id_t. When PSA Crypto is built as a service
- * that can store keys on behalf of multiple clients, this type
- * encodes the #psa_key_id_t value seen by each client application as
- * well as extra information that identifies the client that owns
- * the key.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
-typedef psa_key_id_t mbedtls_svc_key_id_t;
-
-#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-/* Implementation-specific: The Mbed TLS library can be built as
- * part of a multi-client service that exposes the PSA Cryptography API in each
- * client and encodes the client identity in the key identifier argument of
- * functions such as psa_open_key().
- */
-typedef struct {
- psa_key_id_t MBEDTLS_PRIVATE(key_id);
- mbedtls_key_owner_id_t MBEDTLS_PRIVATE(owner);
-} mbedtls_svc_key_id_t;
-
-#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-
-/**@}*/
-
-/** \defgroup policy Key policies
- * @{
- */
-
-/** \brief Encoding of permitted usage on a key.
- *
- * Values of this type are generally constructed as bitwise-ors of macros
- * called `PSA_KEY_USAGE_xxx`.
- *
- * \note Values of this type are encoded in the persistent key store.
- * Any changes to existing values will require bumping the storage
- * format version and providing a translation when reading the old
- * format.
- */
-typedef uint32_t psa_key_usage_t;
-
-/**@}*/
-
-/** \defgroup attributes Key attributes
- * @{
- */
-
-/** The type of a structure containing key attributes.
- *
- * This is an opaque structure that can represent the metadata of a key
- * object. Metadata that can be stored in attributes includes:
- * - The location of the key in storage, indicated by its key identifier
- * and its lifetime.
- * - The key's policy, comprising usage flags and a specification of
- * the permitted algorithm(s).
- * - Information about the key itself: the key type and its size.
- * - Additional implementation-defined attributes.
- *
- * The actual key material is not considered an attribute of a key.
- * Key attributes do not contain information that is generally considered
- * highly confidential.
- *
- * An attribute structure works like a simple data structure where each function
- * `psa_set_key_xxx` sets a field and the corresponding function
- * `psa_get_key_xxx` retrieves the value of the corresponding field.
- * However, a future version of the library may report values that are
- * equivalent to the original one, but have a different encoding. Invalid
- * values may be mapped to different, also invalid values.
- *
- * An attribute structure may contain references to auxiliary resources,
- * for example pointers to allocated memory or indirect references to
- * pre-calculated values. In order to free such resources, the application
- * must call psa_reset_key_attributes(). As an exception, calling
- * psa_reset_key_attributes() on an attribute structure is optional if
- * the structure has only been modified by the following functions
- * since it was initialized or last reset with psa_reset_key_attributes():
- * - psa_set_key_id()
- * - psa_set_key_lifetime()
- * - psa_set_key_type()
- * - psa_set_key_bits()
- * - psa_set_key_usage_flags()
- * - psa_set_key_algorithm()
- *
- * Before calling any function on a key attribute structure, the application
- * must initialize it by any of the following means:
- * - Set the structure to all-bits-zero, for example:
- * \code
- * psa_key_attributes_t attributes;
- * memset(&attributes, 0, sizeof(attributes));
- * \endcode
- * - Initialize the structure to logical zero values, for example:
- * \code
- * psa_key_attributes_t attributes = {0};
- * \endcode
- * - Initialize the structure to the initializer #PSA_KEY_ATTRIBUTES_INIT,
- * for example:
- * \code
- * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- * \endcode
- * - Assign the result of the function psa_key_attributes_init()
- * to the structure, for example:
- * \code
- * psa_key_attributes_t attributes;
- * attributes = psa_key_attributes_init();
- * \endcode
- *
- * A freshly initialized attribute structure contains the following
- * values:
- *
- * - lifetime: #PSA_KEY_LIFETIME_VOLATILE.
- * - key identifier: 0 (which is not a valid key identifier).
- * - type: \c 0 (meaning that the type is unspecified).
- * - key size: \c 0 (meaning that the size is unspecified).
- * - usage flags: \c 0 (which allows no usage except exporting a public key).
- * - algorithm: \c 0 (which allows no cryptographic usage, but allows
- * exporting).
- *
- * A typical sequence to create a key is as follows:
- * -# Create and initialize an attribute structure.
- * -# If the key is persistent, call psa_set_key_id().
- * Also call psa_set_key_lifetime() to place the key in a non-default
- * location.
- * -# Set the key policy with psa_set_key_usage_flags() and
- * psa_set_key_algorithm().
- * -# Set the key type with psa_set_key_type().
- * Skip this step if copying an existing key with psa_copy_key().
- * -# When generating a random key with psa_generate_key() or deriving a key
- * with psa_key_derivation_output_key(), set the desired key size with
- * psa_set_key_bits().
- * -# Call a key creation function: psa_import_key(), psa_generate_key(),
- * psa_key_derivation_output_key() or psa_copy_key(). This function reads
- * the attribute structure, creates a key with these attributes, and
- * outputs a key identifier to the newly created key.
- * -# The attribute structure is now no longer necessary.
- * You may call psa_reset_key_attributes(), although this is optional
- * with the workflow presented here because the attributes currently
- * defined in this specification do not require any additional resources
- * beyond the structure itself.
- *
- * A typical sequence to query a key's attributes is as follows:
- * -# Call psa_get_key_attributes().
- * -# Call `psa_get_key_xxx` functions to retrieve the attribute(s) that
- * you are interested in.
- * -# Call psa_reset_key_attributes() to free any resources that may be
- * used by the attribute structure.
- *
- * Once a key has been created, it is impossible to change its attributes.
- */
-typedef struct psa_key_attributes_s psa_key_attributes_t;
-
-
-#ifndef __DOXYGEN_ONLY__
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed TLS defines this type in crypto_types.h because it is also
- * visible to applications through an implementation-specific extension.
- * For the PSA Cryptography specification, this type is only visible
- * via crypto_se_driver.h. */
-typedef uint64_t psa_key_slot_number_t;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-#endif /* !__DOXYGEN_ONLY__ */
-
-/**@}*/
-
-/** \defgroup derivation Key derivation
- * @{
- */
-
-/** \brief Encoding of the step of a key derivation.
- *
- * Values of this type are generally constructed by macros called
- * `PSA_KEY_DERIVATION_INPUT_xxx`.
- */
-typedef uint16_t psa_key_derivation_step_t;
-
-/**@}*/
-
-#endif /* PSA_CRYPTO_TYPES_H */
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
deleted file mode 100644
index 241b7c8..0000000
--- a/include/psa/crypto_values.h
+++ /dev/null
@@ -1,2768 +0,0 @@
-/**
- * \file psa/crypto_values.h
- *
- * \brief PSA cryptography module: macros to build and analyze integer values.
- *
- * \note This file may not be included directly. Applications must
- * include psa/crypto.h. Drivers must include the appropriate driver
- * header file.
- *
- * This file contains portable definitions of macros to build and analyze
- * values of integral types that encode properties of cryptographic keys,
- * designations of cryptographic algorithms, and error codes returned by
- * the library.
- *
- * Note that many of the constants defined in this file are embedded in
- * the persistent key store, as part of key metadata (including usage
- * policies). As a consequence, they must not be changed (unless the storage
- * format version changes).
- *
- * This header file only defines preprocessor macros.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_VALUES_H
-#define PSA_CRYPTO_VALUES_H
-#include "mbedtls/private_access.h"
-
-/** \defgroup error Error codes
- * @{
- */
-
-/* PSA error codes */
-
-/* Error codes are standardized across PSA domains (framework, crypto, storage,
- * etc.). Do not change the values in this section or even the expansions
- * of each macro: it must be possible to `#include` both this header
- * and some other PSA component's headers in the same C source,
- * which will lead to duplicate definitions of the `PSA_SUCCESS` and
- * `PSA_ERROR_xxx` macros, which is ok if and only if the macros expand
- * to the same sequence of tokens.
- *
- * If you must add a new
- * value, check with the Arm PSA framework group to pick one that other
- * domains aren't already using. */
-
-/* Tell uncrustify not to touch the constant definitions, otherwise
- * it might change the spacing to something that is not PSA-compliant
- * (e.g. adding a space after casts).
- *
- * *INDENT-OFF*
- */
-
-/** The action was completed successfully. */
-#define PSA_SUCCESS ((psa_status_t)0)
-
-/** An error occurred that does not correspond to any defined
- * failure cause.
- *
- * Implementations may use this error code if none of the other standard
- * error codes are applicable. */
-#define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)
-
-/** The requested operation or a parameter is not supported
- * by this implementation.
- *
- * Implementations should return this error code when an enumeration
- * parameter such as a key type, algorithm, etc. is not recognized.
- * If a combination of parameters is recognized and identified as
- * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */
-#define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)
-
-/** The requested action is denied by a policy.
- *
- * Implementations should return this error code when the parameters
- * are recognized as valid and supported, and a policy explicitly
- * denies the requested operation.
- *
- * If a subset of the parameters of a function call identify a
- * forbidden operation, and another subset of the parameters are
- * not valid or not supported, it is unspecified whether the function
- * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or
- * #PSA_ERROR_INVALID_ARGUMENT. */
-#define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)
-
-/** An output buffer is too small.
- *
- * Applications can call the \c PSA_xxx_SIZE macro listed in the function
- * description to determine a sufficient buffer size.
- *
- * Implementations should preferably return this error code only
- * in cases when performing the operation with a larger output
- * buffer would succeed. However implementations may return this
- * error if a function has invalid or unsupported parameters in addition
- * to the parameters that determine the necessary output buffer size. */
-#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
-
-/** Asking for an item that already exists
- *
- * Implementations should return this error, when attempting
- * to write an item (like a key) that already exists. */
-#define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)
-
-/** Asking for an item that doesn't exist
- *
- * Implementations should return this error, if a requested item (like
- * a key) does not exist. */
-#define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)
-
-/** The requested action cannot be performed in the current state.
- *
- * Multipart operations return this error when one of the
- * functions is called out of sequence. Refer to the function
- * descriptions for permitted sequencing of functions.
- *
- * Implementations shall not return this error code to indicate
- * that a key either exists or not,
- * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST
- * as applicable.
- *
- * Implementations shall not return this error code to indicate that a
- * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
- * instead. */
-#define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
-
-/** The parameters passed to the function are invalid.
- *
- * Implementations may return this error any time a parameter or
- * combination of parameters are recognized as invalid.
- *
- * Implementations shall not return this error code to indicate that a
- * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
- * instead.
- */
-#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
-
-/** There is not enough runtime memory.
- *
- * If the action is carried out across multiple security realms, this
- * error can refer to available memory in any of the security realms. */
-#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)
-
-/** There is not enough persistent storage.
- *
- * Functions that modify the key storage return this error code if
- * there is insufficient storage space on the host media. In addition,
- * many functions that do not otherwise access storage may return this
- * error code if the implementation requires a mandatory log entry for
- * the requested action and the log storage space is full. */
-#define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)
-
-/** There was a communication failure inside the implementation.
- *
- * This can indicate a communication failure between the application
- * and an external cryptoprocessor or between the cryptoprocessor and
- * an external volatile or persistent memory. A communication failure
- * may be transient or permanent depending on the cause.
- *
- * \warning If a function returns this error, it is undetermined
- * whether the requested action has completed or not. Implementations
- * should return #PSA_SUCCESS on successful completion whenever
- * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE
- * if the requested action was completed successfully in an external
- * cryptoprocessor but there was a breakdown of communication before
- * the cryptoprocessor could report the status to the application.
- */
-#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)
-
-/** There was a storage failure that may have led to data loss.
- *
- * This error indicates that some persistent storage is corrupted.
- * It should not be used for a corruption of volatile memory
- * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error
- * between the cryptoprocessor and its external storage (use
- * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is
- * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE).
- *
- * Note that a storage failure does not indicate that any data that was
- * previously read is invalid. However this previously read data may no
- * longer be readable from storage.
- *
- * When a storage failure occurs, it is no longer possible to ensure
- * the global integrity of the keystore. Depending on the global
- * integrity guarantees offered by the implementation, access to other
- * data may or may not fail even if the data is still readable but
- * its integrity cannot be guaranteed.
- *
- * Implementations should only use this error code to report a
- * permanent storage corruption. However application writers should
- * keep in mind that transient errors while reading the storage may be
- * reported using this error code. */
-#define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)
-
-/** A hardware failure was detected.
- *
- * A hardware failure may be transient or permanent depending on the
- * cause. */
-#define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)
-
-/** A tampering attempt was detected.
- *
- * If an application receives this error code, there is no guarantee
- * that previously accessed or computed data was correct and remains
- * confidential. Applications should not perform any security function
- * and should enter a safe failure state.
- *
- * Implementations may return this error code if they detect an invalid
- * state that cannot happen during normal operation and that indicates
- * that the implementation's security guarantees no longer hold. Depending
- * on the implementation architecture and on its security and safety goals,
- * the implementation may forcibly terminate the application.
- *
- * This error code is intended as a last resort when a security breach
- * is detected and it is unsure whether the keystore data is still
- * protected. Implementations shall only return this error code
- * to report an alarm from a tampering detector, to indicate that
- * the confidentiality of stored data can no longer be guaranteed,
- * or to indicate that the integrity of previously returned data is now
- * considered compromised. Implementations shall not use this error code
- * to indicate a hardware failure that merely makes it impossible to
- * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE,
- * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE,
- * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code
- * instead).
- *
- * This error indicates an attack against the application. Implementations
- * shall not return this error code as a consequence of the behavior of
- * the application itself. */
-#define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)
-
-/** There is not enough entropy to generate random data needed
- * for the requested action.
- *
- * This error indicates a failure of a hardware random generator.
- * Application writers should note that this error can be returned not
- * only by functions whose purpose is to generate random data, such
- * as key, IV or nonce generation, but also by functions that execute
- * an algorithm with a randomized result, as well as functions that
- * use randomization of intermediate computations as a countermeasure
- * to certain attacks.
- *
- * Implementations should avoid returning this error after psa_crypto_init()
- * has succeeded. Implementations should generate sufficient
- * entropy during initialization and subsequently use a cryptographically
- * secure pseudorandom generator (PRNG). However implementations may return
- * this error at any time if a policy requires the PRNG to be reseeded
- * during normal operation. */
-#define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
-
-/** The signature, MAC or hash is incorrect.
- *
- * Verification functions return this error if the verification
- * calculations completed successfully, and the value to be verified
- * was determined to be incorrect.
- *
- * If the value to verify has an invalid size, implementations may return
- * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */
-#define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)
-
-/** The decrypted padding is incorrect.
- *
- * \warning In some protocols, when decrypting data, it is essential that
- * the behavior of the application does not depend on whether the padding
- * is correct, down to precise timing. Applications should prefer
- * protocols that use authenticated encryption rather than plain
- * encryption. If the application must perform a decryption of
- * unauthenticated data, the application writer should take care not
- * to reveal whether the padding is invalid.
- *
- * Implementations should strive to make valid and invalid padding
- * as close as possible to indistinguishable to an external observer.
- * In particular, the timing of a decryption operation should not
- * depend on the validity of the padding. */
-#define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)
-
-/** Return this error when there's insufficient data when attempting
- * to read from a resource. */
-#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
-
-/** The key identifier is not valid. See also :ref:\`key-handles\`.
- */
-#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
-
-/** Stored data has been corrupted.
- *
- * This error indicates that some persistent storage has suffered corruption.
- * It does not indicate the following situations, which have specific error
- * codes:
- *
- * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED.
- * - A communication error between the cryptoprocessor and its external
- * storage - use #PSA_ERROR_COMMUNICATION_FAILURE.
- * - When the storage is in a valid state but is full - use
- * #PSA_ERROR_INSUFFICIENT_STORAGE.
- * - When the storage fails for other reasons - use
- * #PSA_ERROR_STORAGE_FAILURE.
- * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID.
- *
- * \note A storage corruption does not indicate that any data that was
- * previously read is invalid. However this previously read data might no
- * longer be readable from storage.
- *
- * When a storage failure occurs, it is no longer possible to ensure the
- * global integrity of the keystore.
- */
-#define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)
-
-/** Data read from storage is not valid for the implementation.
- *
- * This error indicates that some data read from storage does not have a valid
- * format. It does not indicate the following situations, which have specific
- * error codes:
- *
- * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT
- * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE
- * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT
- *
- * This error is typically a result of either storage corruption on a
- * cleartext storage backend, or an attempt to read data that was
- * written by an incompatible version of the library.
- */
-#define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
-
-/** The function that returns this status is defined as interruptible and
- * still has work to do, thus the user should call the function again with the
- * same operation context until it either returns #PSA_SUCCESS or any other
- * error. This is not an error per se, more a notification of status.
- */
-#define PSA_OPERATION_INCOMPLETE ((psa_status_t)-248)
-
-/* *INDENT-ON* */
-
-/**@}*/
-
-/** \defgroup crypto_types Key and algorithm types
- * @{
- */
-
-/* Note that key type values, including ECC family and DH group values, are
- * embedded in the persistent key store, as part of key metadata. As a
- * consequence, they must not be changed (unless the storage format version
- * changes).
- */
-
-/** An invalid key type value.
- *
- * Zero is not the encoding of any key type.
- */
-#define PSA_KEY_TYPE_NONE ((psa_key_type_t) 0x0000)
-
-/** Vendor-defined key type flag.
- *
- * Key types defined by this standard will never have the
- * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types
- * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should
- * respect the bitwise structure used by standard encodings whenever practical.
- */
-#define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t) 0x8000)
-
-#define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t) 0x7000)
-#define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t) 0x1000)
-#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t) 0x2000)
-#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t) 0x4000)
-#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t) 0x7000)
-
-#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t) 0x3000)
-
-/** Whether a key type is vendor-defined.
- *
- * See also #PSA_KEY_TYPE_VENDOR_FLAG.
- */
-#define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \
- (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)
-
-/** Whether a key type is an unstructured array of bytes.
- *
- * This encompasses both symmetric keys and non-key data.
- */
-#define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
- (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \
- ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
-
-/** Whether a key type is asymmetric: either a key pair or a public key. */
-#define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \
- (((type) & PSA_KEY_TYPE_CATEGORY_MASK \
- & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \
- PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
-/** Whether a key type is the public part of a key pair. */
-#define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \
- (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
-/** Whether a key type is a key pair containing a private part and a public
- * part. */
-#define PSA_KEY_TYPE_IS_KEY_PAIR(type) \
- (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)
-/** The key pair type corresponding to a public key type.
- *
- * You may also pass a key pair type as \p type, it will be left unchanged.
- *
- * \param type A public key type or key pair type.
- *
- * \return The corresponding key pair type.
- * If \p type is not a public key or a key pair,
- * the return value is undefined.
- */
-#define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) \
- ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
-/** The public key type corresponding to a key pair type.
- *
- * You may also pass a key pair type as \p type, it will be left unchanged.
- *
- * \param type A public key type or key pair type.
- *
- * \return The corresponding public key type.
- * If \p type is not a public key or a key pair,
- * the return value is undefined.
- */
-#define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) \
- ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
-
-/** Raw data.
- *
- * A "key" of this type cannot be used for any cryptographic operation.
- * Applications may use this type to store arbitrary data in the keystore. */
-#define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t) 0x1001)
-
-/** HMAC key.
- *
- * The key policy determines which underlying hash algorithm the key can be
- * used for.
- *
- * HMAC keys should generally have the same size as the underlying hash.
- * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where
- * \c alg is the HMAC algorithm or the underlying hash algorithm. */
-#define PSA_KEY_TYPE_HMAC ((psa_key_type_t) 0x1100)
-
-/** A secret for key derivation.
- *
- * This key type is for high-entropy secrets only. For low-entropy secrets,
- * #PSA_KEY_TYPE_PASSWORD should be used instead.
- *
- * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or
- * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms.
- *
- * The key policy determines which key derivation algorithm the key
- * can be used for.
- */
-#define PSA_KEY_TYPE_DERIVE ((psa_key_type_t) 0x1200)
-
-/** A low-entropy secret for password hashing or key derivation.
- *
- * This key type is suitable for passwords and passphrases which are typically
- * intended to be memorizable by humans, and have a low entropy relative to
- * their size. It can be used for randomly generated or derived keys with
- * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable
- * for such keys. It is not suitable for passwords with extremely low entropy,
- * such as numerical PINs.
- *
- * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of
- * key derivation algorithms. Algorithms that accept such an input were
- * designed to accept low-entropy secret and are known as password hashing or
- * key stretching algorithms.
- *
- * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of
- * key derivation algorithms, as the algorithms that take such an input expect
- * it to be high-entropy.
- *
- * The key policy determines which key derivation algorithm the key can be
- * used for, among the permissible subset defined above.
- */
-#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t) 0x1203)
-
-/** A secret value that can be used to verify a password hash.
- *
- * The key policy determines which key derivation algorithm the key
- * can be used for, among the same permissible subset as for
- * #PSA_KEY_TYPE_PASSWORD.
- */
-#define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t) 0x1205)
-
-/** A secret value that can be used in when computing a password hash.
- *
- * The key policy determines which key derivation algorithm the key
- * can be used for, among the subset of algorithms that can use pepper.
- */
-#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t) 0x1206)
-
-/** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
- *
- * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
- * 32 bytes (AES-256).
- */
-#define PSA_KEY_TYPE_AES ((psa_key_type_t) 0x2400)
-
-/** Key for a cipher, AEAD or MAC algorithm based on the
- * ARIA block cipher. */
-#define PSA_KEY_TYPE_ARIA ((psa_key_type_t) 0x2406)
-
-/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
- *
- * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
- * 192 bits (3-key 3DES).
- *
- * Note that single DES and 2-key 3DES are weak and strongly
- * deprecated and should only be used to decrypt legacy data. 3-key 3DES
- * is weak and deprecated and should only be used in legacy protocols.
- */
-#define PSA_KEY_TYPE_DES ((psa_key_type_t) 0x2301)
-
-/** Key for a cipher, AEAD or MAC algorithm based on the
- * Camellia block cipher. */
-#define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t) 0x2403)
-
-/** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
- *
- * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
- *
- * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
- * 12-byte nonces.
- *
- * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
- * with the initial counter value 1, you can process and discard a
- * 64-byte block before the real data.
- */
-#define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t) 0x2004)
-
-/** RSA public key.
- *
- * The size of an RSA key is the bit size of the modulus.
- */
-#define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t) 0x4001)
-/** RSA key pair (private and public key).
- *
- * The size of an RSA key is the bit size of the modulus.
- */
-#define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t) 0x7001)
-/** Whether a key type is an RSA key (pair or public-only). */
-#define PSA_KEY_TYPE_IS_RSA(type) \
- (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
-
-#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t) 0x4100)
-#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t) 0x7100)
-#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t) 0x00ff)
-/** Elliptic curve key pair.
- *
- * The size of an elliptic curve key is the bit size associated with the curve,
- * i.e. the bit size of *q* for a curve over a field *F<sub>q</sub>*.
- * See the documentation of `PSA_ECC_FAMILY_xxx` curve families for details.
- *
- * \param curve A value of type ::psa_ecc_family_t that
- * identifies the ECC curve to be used.
- */
-#define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
- (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
-/** Elliptic curve public key.
- *
- * The size of an elliptic curve public key is the same as the corresponding
- * private key (see #PSA_KEY_TYPE_ECC_KEY_PAIR and the documentation of
- * `PSA_ECC_FAMILY_xxx` curve families).
- *
- * \param curve A value of type ::psa_ecc_family_t that
- * identifies the ECC curve to be used.
- */
-#define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
- (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
-
-/** Whether a key type is an elliptic curve key (pair or public-only). */
-#define PSA_KEY_TYPE_IS_ECC(type) \
- ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
- ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
-/** Whether a key type is an elliptic curve key pair. */
-#define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) \
- (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
- PSA_KEY_TYPE_ECC_KEY_PAIR_BASE)
-/** Whether a key type is an elliptic curve public key. */
-#define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) \
- (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
- PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
-
-/** Extract the curve from an elliptic curve key type. */
-#define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
- ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
- ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
- 0))
-
-/** Check if the curve of given family is Weierstrass elliptic curve. */
-#define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) ((family & 0xc0) == 0)
-
-/** SEC Koblitz curves over prime fields.
- *
- * This family comprises the following curves:
- * secp192k1, secp224k1, secp256k1.
- * They are defined in _Standards for Efficient Cryptography_,
- * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
- * https://www.secg.org/sec2-v2.pdf
- */
-#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
-
-/** SEC random curves over prime fields.
- *
- * This family comprises the following curves:
- * secp192k1, secp224r1, secp256r1, secp384r1, secp521r1.
- * They are defined in _Standards for Efficient Cryptography_,
- * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
- * https://www.secg.org/sec2-v2.pdf
- */
-#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
-/* SECP160R2 (SEC2 v1, obsolete) */
-#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
-
-/** SEC Koblitz curves over binary fields.
- *
- * This family comprises the following curves:
- * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1.
- * They are defined in _Standards for Efficient Cryptography_,
- * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
- * https://www.secg.org/sec2-v2.pdf
- */
-#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
-
-/** SEC random curves over binary fields.
- *
- * This family comprises the following curves:
- * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1.
- * They are defined in _Standards for Efficient Cryptography_,
- * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
- * https://www.secg.org/sec2-v2.pdf
- */
-#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
-
-/** SEC additional random curves over binary fields.
- *
- * This family comprises the following curve:
- * sect163r2.
- * It is defined in _Standards for Efficient Cryptography_,
- * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
- * https://www.secg.org/sec2-v2.pdf
- */
-#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
-
-/** Brainpool P random curves.
- *
- * This family comprises the following curves:
- * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,
- * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
- * It is defined in RFC 5639.
- */
-#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
-
-/** Curve25519 and Curve448.
- *
- * This family comprises the following Montgomery curves:
- * - 255-bit: Bernstein et al.,
- * _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006.
- * The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve.
- * - 448-bit: Hamburg,
- * _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
- * The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
- */
-#define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
-
-/** The twisted Edwards curves Ed25519 and Ed448.
- *
- * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,
- * #PSA_ALG_ED25519PH for the 255-bit curve,
- * #PSA_ALG_ED448PH for the 448-bit curve).
- *
- * This family comprises the following twisted Edwards curves:
- * - 255-bit: Edwards25519, the twisted Edwards curve birationally equivalent
- * to Curve25519.
- * Bernstein et al., _Twisted Edwards curves_, Africacrypt 2008.
- * - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent
- * to Curve448.
- * Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
- */
-#define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t) 0x42)
-
-#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t) 0x4200)
-#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t) 0x7200)
-#define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t) 0x00ff)
-/** Diffie-Hellman key pair.
- *
- * \param group A value of type ::psa_dh_family_t that identifies the
- * Diffie-Hellman group to be used.
- */
-#define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
- (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
-/** Diffie-Hellman public key.
- *
- * \param group A value of type ::psa_dh_family_t that identifies the
- * Diffie-Hellman group to be used.
- */
-#define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
- (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group))
-
-/** Whether a key type is a Diffie-Hellman key (pair or public-only). */
-#define PSA_KEY_TYPE_IS_DH(type) \
- ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
- ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
-/** Whether a key type is a Diffie-Hellman key pair. */
-#define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) \
- (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
- PSA_KEY_TYPE_DH_KEY_PAIR_BASE)
-/** Whether a key type is a Diffie-Hellman public key. */
-#define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) \
- (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
- PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
-
-/** Extract the group from a Diffie-Hellman key type. */
-#define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
- ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
- ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
- 0))
-
-/** Diffie-Hellman groups defined in RFC 7919 Appendix A.
- *
- * This family includes groups with the following key sizes (in bits):
- * 2048, 3072, 4096, 6144, 8192. A given implementation may support
- * all of these sizes or only a subset.
- */
-#define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
-
-#define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
- (((type) >> 8) & 7)
-/** The block size of a block cipher.
- *
- * \param type A cipher key type (value of type #psa_key_type_t).
- *
- * \return The block size for a block cipher, or 1 for a stream cipher.
- * The return value is undefined if \p type is not a supported
- * cipher key type.
- *
- * \note It is possible to build stream cipher algorithms on top of a block
- * cipher, for example CTR mode (#PSA_ALG_CTR).
- * This macro only takes the key type into account, so it cannot be
- * used to determine the size of the data that #psa_cipher_update()
- * might buffer for future processing in general.
- *
- * \note This macro returns a compile-time constant if its argument is one.
- *
- * \warning This macro may evaluate its argument multiple times.
- */
-#define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type) \
- (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
- 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \
- 0u)
-
-/* Note that algorithm values are embedded in the persistent key store,
- * as part of key metadata. As a consequence, they must not be changed
- * (unless the storage format version changes).
- */
-
-/** Vendor-defined algorithm flag.
- *
- * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG
- * bit set. Vendors who define additional algorithms must use an encoding with
- * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure
- * used by standard encodings whenever practical.
- */
-#define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t) 0x80000000)
-
-#define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t) 0x7f000000)
-#define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t) 0x02000000)
-#define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t) 0x03000000)
-#define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t) 0x04000000)
-#define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t) 0x05000000)
-#define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t) 0x06000000)
-#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t) 0x07000000)
-#define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t) 0x08000000)
-#define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t) 0x09000000)
-
-/** Whether an algorithm is vendor-defined.
- *
- * See also #PSA_ALG_VENDOR_FLAG.
- */
-#define PSA_ALG_IS_VENDOR_DEFINED(alg) \
- (((alg) & PSA_ALG_VENDOR_FLAG) != 0)
-
-/** Whether the specified algorithm is a hash algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a hash algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_HASH(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)
-
-/** Whether the specified algorithm is a MAC algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a MAC algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_MAC(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC)
-
-/** Whether the specified algorithm is a symmetric cipher algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_CIPHER(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)
-
-/** Whether the specified algorithm is an authenticated encryption
- * with associated data (AEAD) algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is an AEAD algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_AEAD(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD)
-
-/** Whether the specified algorithm is an asymmetric signature algorithm,
- * also known as public-key signature algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_SIGN(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)
-
-/** Whether the specified algorithm is an asymmetric encryption algorithm,
- * also known as public-key encryption algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION)
-
-/** Whether the specified algorithm is a key agreement algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a key agreement algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_KEY_AGREEMENT(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT)
-
-/** Whether the specified algorithm is a key derivation algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a key derivation algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_KEY_DERIVATION(alg) \
- (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)
-
-/** Whether the specified algorithm is a key stretching / password hashing
- * algorithm.
- *
- * A key stretching / password hashing algorithm is a key derivation algorithm
- * that is suitable for use with a low-entropy secret such as a password.
- * Equivalently, it's a key derivation algorithm that uses a
- * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a key stretching / password hashing algorithm, 0
- * otherwise. This macro may return either 0 or 1 if \p alg is not a
- * supported algorithm identifier.
- */
-#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \
- (PSA_ALG_IS_KEY_DERIVATION(alg) && \
- (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
-
-/** An invalid algorithm identifier value. */
-/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
-#define PSA_ALG_NONE ((psa_algorithm_t)0)
-/* *INDENT-ON* */
-
-#define PSA_ALG_HASH_MASK ((psa_algorithm_t) 0x000000ff)
-/** MD5 */
-#define PSA_ALG_MD5 ((psa_algorithm_t) 0x02000003)
-/** PSA_ALG_RIPEMD160 */
-#define PSA_ALG_RIPEMD160 ((psa_algorithm_t) 0x02000004)
-/** SHA1 */
-#define PSA_ALG_SHA_1 ((psa_algorithm_t) 0x02000005)
-/** SHA2-224 */
-#define PSA_ALG_SHA_224 ((psa_algorithm_t) 0x02000008)
-/** SHA2-256 */
-#define PSA_ALG_SHA_256 ((psa_algorithm_t) 0x02000009)
-/** SHA2-384 */
-#define PSA_ALG_SHA_384 ((psa_algorithm_t) 0x0200000a)
-/** SHA2-512 */
-#define PSA_ALG_SHA_512 ((psa_algorithm_t) 0x0200000b)
-/** SHA2-512/224 */
-#define PSA_ALG_SHA_512_224 ((psa_algorithm_t) 0x0200000c)
-/** SHA2-512/256 */
-#define PSA_ALG_SHA_512_256 ((psa_algorithm_t) 0x0200000d)
-/** SHA3-224 */
-#define PSA_ALG_SHA3_224 ((psa_algorithm_t) 0x02000010)
-/** SHA3-256 */
-#define PSA_ALG_SHA3_256 ((psa_algorithm_t) 0x02000011)
-/** SHA3-384 */
-#define PSA_ALG_SHA3_384 ((psa_algorithm_t) 0x02000012)
-/** SHA3-512 */
-#define PSA_ALG_SHA3_512 ((psa_algorithm_t) 0x02000013)
-/** The first 512 bits (64 bytes) of the SHAKE256 output.
- *
- * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
- * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
- * has the same output size and a (theoretically) higher security strength.
- */
-#define PSA_ALG_SHAKE256_512 ((psa_algorithm_t) 0x02000015)
-
-/** In a hash-and-sign algorithm policy, allow any hash algorithm.
- *
- * This value may be used to form the algorithm usage field of a policy
- * for a signature algorithm that is parametrized by a hash. The key
- * may then be used to perform operations using the same signature
- * algorithm parametrized with any supported hash.
- *
- * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
- * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,
- * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
- * Then you may create and use a key as follows:
- * - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
- * ```
- * psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY
- * psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
- * ```
- * - Import or generate key material.
- * - Call psa_sign_hash() or psa_verify_hash(), passing
- * an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
- * call to sign or verify a message may use a different hash.
- * ```
- * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
- * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
- * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
- * ```
- *
- * This value may not be used to build other algorithms that are
- * parametrized over a hash. For any valid use of this macro to build
- * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true.
- *
- * This value may not be used to build an algorithm specification to
- * perform an operation. It is only valid to build policies.
- */
-#define PSA_ALG_ANY_HASH ((psa_algorithm_t) 0x020000ff)
-
-#define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t) 0x00c00000)
-#define PSA_ALG_HMAC_BASE ((psa_algorithm_t) 0x03800000)
-/** Macro to build an HMAC algorithm.
- *
- * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding HMAC algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_HMAC(hash_alg) \
- (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-#define PSA_ALG_HMAC_GET_HASH(hmac_alg) \
- (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))
-
-/** Whether the specified algorithm is an HMAC algorithm.
- *
- * HMAC is a family of MAC algorithms that are based on a hash function.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is an HMAC algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_HMAC(alg) \
- (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
- PSA_ALG_HMAC_BASE)
-
-/* In the encoding of a MAC algorithm, the bits corresponding to
- * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is
- * truncated. As an exception, the value 0 means the untruncated algorithm,
- * whatever its length is. The length is encoded in 6 bits, so it can
- * reach up to 63; the largest MAC is 64 bytes so its trivial truncation
- * to full length is correctly encoded as 0 and any non-trivial truncation
- * is correctly encoded as a value between 1 and 63. */
-#define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t) 0x003f0000)
-#define PSA_MAC_TRUNCATION_OFFSET 16
-
-/* In the encoding of a MAC algorithm, the bit corresponding to
- * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
- * is a wildcard algorithm. A key with such wildcard algorithm as permitted
- * algorithm policy can be used with any algorithm corresponding to the
- * same base class and having a (potentially truncated) MAC length greater or
- * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */
-#define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t) 0x00008000)
-
-/** Macro to build a truncated MAC algorithm.
- *
- * A truncated MAC algorithm is identical to the corresponding MAC
- * algorithm except that the MAC value for the truncated algorithm
- * consists of only the first \p mac_length bytes of the MAC value
- * for the untruncated algorithm.
- *
- * \note This macro may allow constructing algorithm identifiers that
- * are not valid, either because the specified length is larger
- * than the untruncated MAC or because the specified length is
- * smaller than permitted by the implementation.
- *
- * \note It is implementation-defined whether a truncated MAC that
- * is truncated to the same length as the MAC of the untruncated
- * algorithm is considered identical to the untruncated algorithm
- * for policy comparison purposes.
- *
- * \param mac_alg A MAC algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
- * is true). This may be a truncated or untruncated
- * MAC algorithm.
- * \param mac_length Desired length of the truncated MAC in bytes.
- * This must be at most the full length of the MAC
- * and must be at least an implementation-specified
- * minimum. The implementation-specified minimum
- * shall not be zero.
- *
- * \return The corresponding MAC algorithm with the specified
- * length.
- * \return Unspecified if \p mac_alg is not a supported
- * MAC algorithm or if \p mac_length is too small or
- * too large for the specified MAC algorithm.
- */
-#define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \
- (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
- PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \
- ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK))
-
-/** Macro to build the base MAC algorithm corresponding to a truncated
- * MAC algorithm.
- *
- * \param mac_alg A MAC algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
- * is true). This may be a truncated or untruncated
- * MAC algorithm.
- *
- * \return The corresponding base MAC algorithm.
- * \return Unspecified if \p mac_alg is not a supported
- * MAC algorithm.
- */
-#define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \
- ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
- PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG))
-
-/** Length to which a MAC algorithm is truncated.
- *
- * \param mac_alg A MAC algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
- * is true).
- *
- * \return Length of the truncated MAC in bytes.
- * \return 0 if \p mac_alg is a non-truncated MAC algorithm.
- * \return Unspecified if \p mac_alg is not a supported
- * MAC algorithm.
- */
-#define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \
- (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET)
-
-/** Macro to build a MAC minimum-MAC-length wildcard algorithm.
- *
- * A minimum-MAC-length MAC wildcard algorithm permits all MAC algorithms
- * sharing the same base algorithm, and where the (potentially truncated) MAC
- * length of the specific algorithm is equal to or larger then the wildcard
- * algorithm's minimum MAC length.
- *
- * \note When setting the minimum required MAC length to less than the
- * smallest MAC length allowed by the base algorithm, this effectively
- * becomes an 'any-MAC-length-allowed' policy for that base algorithm.
- *
- * \param mac_alg A MAC algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
- * is true).
- * \param min_mac_length Desired minimum length of the message authentication
- * code in bytes. This must be at most the untruncated
- * length of the MAC and must be at least 1.
- *
- * \return The corresponding MAC wildcard algorithm with the
- * specified minimum length.
- * \return Unspecified if \p mac_alg is not a supported MAC
- * algorithm or if \p min_mac_length is less than 1 or
- * too large for the specified MAC algorithm.
- */
-#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \
- (PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | \
- PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)
-
-#define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t) 0x03c00000)
-/** The CBC-MAC construction over a block cipher
- *
- * \warning CBC-MAC is insecure in many cases.
- * A more secure mode, such as #PSA_ALG_CMAC, is recommended.
- */
-#define PSA_ALG_CBC_MAC ((psa_algorithm_t) 0x03c00100)
-/** The CMAC construction over a block cipher */
-#define PSA_ALG_CMAC ((psa_algorithm_t) 0x03c00200)
-
-/** Whether the specified algorithm is a MAC algorithm based on a block cipher.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) \
- (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
- PSA_ALG_CIPHER_MAC_BASE)
-
-#define PSA_ALG_CIPHER_STREAM_FLAG ((psa_algorithm_t) 0x00800000)
-#define PSA_ALG_CIPHER_FROM_BLOCK_FLAG ((psa_algorithm_t) 0x00400000)
-
-/** Whether the specified algorithm is a stream cipher.
- *
- * A stream cipher is a symmetric cipher that encrypts or decrypts messages
- * by applying a bitwise-xor with a stream of bytes that is generated
- * from a key.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier or if it is not a symmetric cipher algorithm.
- */
-#define PSA_ALG_IS_STREAM_CIPHER(alg) \
- (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \
- (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG))
-
-/** The stream cipher mode of a stream cipher algorithm.
- *
- * The underlying stream cipher is determined by the key type.
- * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20.
- */
-#define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t) 0x04800100)
-
-/** The CTR stream cipher mode.
- *
- * CTR is a stream cipher which is built from a block cipher.
- * The underlying block cipher is determined by the key type.
- * For example, to use AES-128-CTR, use this algorithm with
- * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes).
- */
-#define PSA_ALG_CTR ((psa_algorithm_t) 0x04c01000)
-
-/** The CFB stream cipher mode.
- *
- * The underlying block cipher is determined by the key type.
- */
-#define PSA_ALG_CFB ((psa_algorithm_t) 0x04c01100)
-
-/** The OFB stream cipher mode.
- *
- * The underlying block cipher is determined by the key type.
- */
-#define PSA_ALG_OFB ((psa_algorithm_t) 0x04c01200)
-
-/** The XTS cipher mode.
- *
- * XTS is a cipher mode which is built from a block cipher. It requires at
- * least one full block of input, but beyond this minimum the input
- * does not need to be a whole number of blocks.
- */
-#define PSA_ALG_XTS ((psa_algorithm_t) 0x0440ff00)
-
-/** The Electronic Code Book (ECB) mode of a block cipher, with no padding.
- *
- * \warning ECB mode does not protect the confidentiality of the encrypted data
- * except in extremely narrow circumstances. It is recommended that applications
- * only use ECB if they need to construct an operating mode that the
- * implementation does not provide. Implementations are encouraged to provide
- * the modes that applications need in preference to supporting direct access
- * to ECB.
- *
- * The underlying block cipher is determined by the key type.
- *
- * This symmetric cipher mode can only be used with messages whose lengths are a
- * multiple of the block size of the chosen block cipher.
- *
- * ECB mode does not accept an initialization vector (IV). When using a
- * multi-part cipher operation with this algorithm, psa_cipher_generate_iv()
- * and psa_cipher_set_iv() must not be called.
- */
-#define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t) 0x04404400)
-
-/** The CBC block cipher chaining mode, with no padding.
- *
- * The underlying block cipher is determined by the key type.
- *
- * This symmetric cipher mode can only be used with messages whose lengths
- * are whole number of blocks for the chosen block cipher.
- */
-#define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t) 0x04404000)
-
-/** The CBC block cipher chaining mode with PKCS#7 padding.
- *
- * The underlying block cipher is determined by the key type.
- *
- * This is the padding method defined by PKCS#7 (RFC 2315) &sect;10.3.
- */
-#define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t) 0x04404100)
-
-#define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t) 0x00400000)
-
-/** Whether the specified algorithm is an AEAD mode on a block cipher.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is an AEAD algorithm which is an AEAD mode based on
- * a block cipher, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) \
- (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) == \
- (PSA_ALG_CATEGORY_AEAD | PSA_ALG_AEAD_FROM_BLOCK_FLAG))
-
-/** The CCM authenticated encryption algorithm.
- *
- * The underlying block cipher is determined by the key type.
- */
-#define PSA_ALG_CCM ((psa_algorithm_t) 0x05500100)
-
-/** The CCM* cipher mode without authentication.
- *
- * This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0.
- * For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM.
- *
- * The underlying block cipher is determined by the key type.
- *
- * Currently only 13-byte long IV's are supported.
- */
-#define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t) 0x04c01300)
-
-/** The GCM authenticated encryption algorithm.
- *
- * The underlying block cipher is determined by the key type.
- */
-#define PSA_ALG_GCM ((psa_algorithm_t) 0x05500200)
-
-/** The Chacha20-Poly1305 AEAD algorithm.
- *
- * The ChaCha20_Poly1305 construction is defined in RFC 7539.
- *
- * Implementations must support 12-byte nonces, may support 8-byte nonces,
- * and should reject other sizes.
- *
- * Implementations must support 16-byte tags and should reject other sizes.
- */
-#define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t) 0x05100500)
-
-/* In the encoding of an AEAD algorithm, the bits corresponding to
- * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
- * The constants for default lengths follow this encoding.
- */
-#define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t) 0x003f0000)
-#define PSA_AEAD_TAG_LENGTH_OFFSET 16
-
-/* In the encoding of an AEAD algorithm, the bit corresponding to
- * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
- * is a wildcard algorithm. A key with such wildcard algorithm as permitted
- * algorithm policy can be used with any algorithm corresponding to the
- * same base class and having a tag length greater than or equal to the one
- * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */
-#define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t) 0x00008000)
-
-/** Macro to build a shortened AEAD algorithm.
- *
- * A shortened AEAD algorithm is similar to the corresponding AEAD
- * algorithm, but has an authentication tag that consists of fewer bytes.
- * Depending on the algorithm, the tag length may affect the calculation
- * of the ciphertext.
- *
- * \param aead_alg An AEAD algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
- * is true).
- * \param tag_length Desired length of the authentication tag in bytes.
- *
- * \return The corresponding AEAD algorithm with the specified
- * length.
- * \return Unspecified if \p aead_alg is not a supported
- * AEAD algorithm or if \p tag_length is not valid
- * for the specified AEAD algorithm.
- */
-#define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \
- (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | \
- PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \
- ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \
- PSA_ALG_AEAD_TAG_LENGTH_MASK))
-
-/** Retrieve the tag length of a specified AEAD algorithm
- *
- * \param aead_alg An AEAD algorithm identifier (value of type
- * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
- * is true).
- *
- * \return The tag length specified by the input algorithm.
- * \return Unspecified if \p aead_alg is not a supported
- * AEAD algorithm.
- */
-#define PSA_ALG_AEAD_GET_TAG_LENGTH(aead_alg) \
- (((aead_alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> \
- PSA_AEAD_TAG_LENGTH_OFFSET)
-
-/** Calculate the corresponding AEAD algorithm with the default tag length.
- *
- * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
- *
- * \return The corresponding AEAD algorithm with the default
- * tag length for that algorithm.
- */
-#define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg) \
- ( \
- PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CCM) \
- PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_GCM) \
- PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
- 0)
-#define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, ref) \
- PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, 0) == \
- PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \
- ref :
-
-/** Macro to build an AEAD minimum-tag-length wildcard algorithm.
- *
- * A minimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms
- * sharing the same base algorithm, and where the tag length of the specific
- * algorithm is equal to or larger then the minimum tag length specified by the
- * wildcard algorithm.
- *
- * \note When setting the minimum required tag length to less than the
- * smallest tag length allowed by the base algorithm, this effectively
- * becomes an 'any-tag-length-allowed' policy for that base algorithm.
- *
- * \param aead_alg An AEAD algorithm identifier (value of type
- * #psa_algorithm_t such that
- * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
- * \param min_tag_length Desired minimum length of the authentication tag in
- * bytes. This must be at least 1 and at most the largest
- * allowed tag length of the algorithm.
- *
- * \return The corresponding AEAD wildcard algorithm with the
- * specified minimum length.
- * \return Unspecified if \p aead_alg is not a supported
- * AEAD algorithm or if \p min_tag_length is less than 1
- * or too large for the specified AEAD algorithm.
- */
-#define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \
- (PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | \
- PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)
-
-#define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t) 0x06000200)
-/** RSA PKCS#1 v1.5 signature with hashing.
- *
- * This is the signature scheme defined by RFC 8017
- * (PKCS#1: RSA Cryptography Specifications) under the name
- * RSASSA-PKCS1-v1_5.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding RSA PKCS#1 v1.5 signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) \
- (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-/** Raw PKCS#1 v1.5 signature.
- *
- * The input to this algorithm is the DigestInfo structure used by
- * RFC 8017 (PKCS#1: RSA Cryptography Specifications), &sect;9.2
- * steps 3&ndash;6.
- */
-#define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE
-#define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
-
-#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t) 0x06000300)
-#define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t) 0x06001300)
-/** RSA PSS signature with hashing.
- *
- * This is the signature scheme defined by RFC 8017
- * (PKCS#1: RSA Cryptography Specifications) under the name
- * RSASSA-PSS, with the message generation function MGF1, and with
- * a salt length equal to the length of the hash, or the largest
- * possible salt length for the algorithm and key size if that is
- * smaller than the hash length. The specified hash algorithm is
- * used to hash the input message, to create the salted hash, and
- * for the mask generation.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding RSA PSS signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_RSA_PSS(hash_alg) \
- (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-/** RSA PSS signature with hashing with relaxed verification.
- *
- * This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing,
- * but allows an arbitrary salt length (including \c 0) when verifying a
- * signature.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding RSA PSS signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \
- (PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-/** Whether the specified algorithm is RSA PSS with standard salt.
- *
- * \param alg An algorithm value or an algorithm policy wildcard.
- *
- * \return 1 if \p alg is of the form
- * #PSA_ALG_RSA_PSS(\c hash_alg),
- * where \c hash_alg is a hash algorithm or
- * #PSA_ALG_ANY_HASH. 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not
- * a supported algorithm identifier or policy.
- */
-#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
-
-/** Whether the specified algorithm is RSA PSS with any salt.
- *
- * \param alg An algorithm value or an algorithm policy wildcard.
- *
- * \return 1 if \p alg is of the form
- * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
- * where \c hash_alg is a hash algorithm or
- * #PSA_ALG_ANY_HASH. 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not
- * a supported algorithm identifier or policy.
- */
-#define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE)
-
-/** Whether the specified algorithm is RSA PSS.
- *
- * This includes any of the RSA PSS algorithm variants, regardless of the
- * constraints on salt length.
- *
- * \param alg An algorithm value or an algorithm policy wildcard.
- *
- * \return 1 if \p alg is of the form
- * #PSA_ALG_RSA_PSS(\c hash_alg) or
- * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
- * where \c hash_alg is a hash algorithm or
- * #PSA_ALG_ANY_HASH. 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not
- * a supported algorithm identifier or policy.
- */
-#define PSA_ALG_IS_RSA_PSS(alg) \
- (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \
- PSA_ALG_IS_RSA_PSS_ANY_SALT(alg))
-
-#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t) 0x06000600)
-/** ECDSA signature with hashing.
- *
- * This is the ECDSA signature scheme defined by ANSI X9.62,
- * with a random per-message secret number (*k*).
- *
- * The representation of the signature as a byte string consists of
- * the concatenation of the signature values *r* and *s*. Each of
- * *r* and *s* is encoded as an *N*-octet string, where *N* is the length
- * of the base point of the curve in octets. Each value is represented
- * in big-endian order (most significant octet first).
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding ECDSA signature algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_ECDSA(hash_alg) \
- (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-/** ECDSA signature without hashing.
- *
- * This is the same signature scheme as #PSA_ALG_ECDSA(), but
- * without specifying a hash algorithm. This algorithm may only be
- * used to sign or verify a sequence of bytes that should be an
- * already-calculated hash. Note that the input is padded with
- * zeros on the left or truncated on the left as required to fit
- * the curve size.
- */
-#define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
-#define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t) 0x06000700)
-/** Deterministic ECDSA signature with hashing.
- *
- * This is the deterministic ECDSA signature scheme defined by RFC 6979.
- *
- * The representation of a signature is the same as with #PSA_ALG_ECDSA().
- *
- * Note that when this algorithm is used for verification, signatures
- * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the
- * same private key are accepted. In other words,
- * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from
- * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- * This includes #PSA_ALG_ANY_HASH
- * when specifying the algorithm in a usage policy.
- *
- * \return The corresponding deterministic ECDSA signature
- * algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \
- (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t) 0x00000100)
-#define PSA_ALG_IS_ECDSA(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \
- PSA_ALG_ECDSA_BASE)
-#define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg) \
- (((alg) & PSA_ALG_ECDSA_DETERMINISTIC_FLAG) != 0)
-#define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) \
- (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
-#define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \
- (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
-
-/** Edwards-curve digital signature algorithm without prehashing (PureEdDSA),
- * using standard parameters.
- *
- * Contexts are not supported in the current version of this specification
- * because there is no suitable signature interface that can take the
- * context as a parameter. A future version of this specification may add
- * suitable functions and extend this algorithm to support contexts.
- *
- * PureEdDSA requires an elliptic curve key on a twisted Edwards curve.
- * In this specification, the following curves are supported:
- * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 255-bit: Ed25519 as specified
- * in RFC 8032.
- * The curve is Edwards25519.
- * The hash function used internally is SHA-512.
- * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 448-bit: Ed448 as specified
- * in RFC 8032.
- * The curve is Edwards448.
- * The hash function used internally is the first 114 bytes of the
- * SHAKE256 output.
- *
- * This algorithm can be used with psa_sign_message() and
- * psa_verify_message(). Since there is no prehashing, it cannot be used
- * with psa_sign_hash() or psa_verify_hash().
- *
- * The signature format is the concatenation of R and S as defined by
- * RFC 8032 §5.1.6 and §5.2.6 (a 64-byte string for Ed25519, a 114-byte
- * string for Ed448).
- */
-#define PSA_ALG_PURE_EDDSA ((psa_algorithm_t) 0x06000800)
-
-#define PSA_ALG_HASH_EDDSA_BASE ((psa_algorithm_t) 0x06000900)
-#define PSA_ALG_IS_HASH_EDDSA(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HASH_EDDSA_BASE)
-
-/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
- * using SHA-512 and the Edwards25519 curve.
- *
- * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
- *
- * This algorithm is Ed25519 as specified in RFC 8032.
- * The curve is Edwards25519.
- * The prehash is SHA-512.
- * The hash function used internally is SHA-512.
- *
- * This is a hash-and-sign algorithm: to calculate a signature,
- * you can either:
- * - call psa_sign_message() on the message;
- * - or calculate the SHA-512 hash of the message
- * with psa_hash_compute()
- * or with a multi-part hash operation started with psa_hash_setup(),
- * using the hash algorithm #PSA_ALG_SHA_512,
- * then sign the calculated hash with psa_sign_hash().
- * Verifying a signature is similar, using psa_verify_message() or
- * psa_verify_hash() instead of the signature function.
- */
-#define PSA_ALG_ED25519PH \
- (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
-
-/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
- * using SHAKE256 and the Edwards448 curve.
- *
- * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
- *
- * This algorithm is Ed448 as specified in RFC 8032.
- * The curve is Edwards448.
- * The prehash is the first 64 bytes of the SHAKE256 output.
- * The hash function used internally is the first 114 bytes of the
- * SHAKE256 output.
- *
- * This is a hash-and-sign algorithm: to calculate a signature,
- * you can either:
- * - call psa_sign_message() on the message;
- * - or calculate the first 64 bytes of the SHAKE256 output of the message
- * with psa_hash_compute()
- * or with a multi-part hash operation started with psa_hash_setup(),
- * using the hash algorithm #PSA_ALG_SHAKE256_512,
- * then sign the calculated hash with psa_sign_hash().
- * Verifying a signature is similar, using psa_verify_message() or
- * psa_verify_hash() instead of the signature function.
- */
-#define PSA_ALG_ED448PH \
- (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK))
-
-/* Default definition, to be overridden if the library is extended with
- * more hash-and-sign algorithms that we want to keep out of this header
- * file. */
-#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
-
-/** Whether the specified algorithm is a signature algorithm that can be used
- * with psa_sign_hash() and psa_verify_hash().
- *
- * This encompasses all strict hash-and-sign algorithms categorized by
- * PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the
- * paradigm more loosely:
- * - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash)
- * - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is)
- *
- * \param alg An algorithm identifier (value of type psa_algorithm_t).
- *
- * \return 1 if alg is a signature algorithm that can be used to sign a
- * hash. 0 if alg is a signature algorithm that can only be used
- * to sign a message. 0 if alg is not a signature algorithm.
- * This macro can return either 0 or 1 if alg is not a
- * supported algorithm identifier.
- */
-#define PSA_ALG_IS_SIGN_HASH(alg) \
- (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
- PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
- PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
-
-/** Whether the specified algorithm is a signature algorithm that can be used
- * with psa_sign_message() and psa_verify_message().
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if alg is a signature algorithm that can be used to sign a
- * message. 0 if \p alg is a signature algorithm that can only be used
- * to sign an already-calculated hash. 0 if \p alg is not a signature
- * algorithm. This macro can return either 0 or 1 if \p alg is not a
- * supported algorithm identifier.
- */
-#define PSA_ALG_IS_SIGN_MESSAGE(alg) \
- (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA)
-
-/** Whether the specified algorithm is a hash-and-sign algorithm.
- *
- * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
- * structured in two parts: first the calculation of a hash in a way that
- * does not depend on the key, then the calculation of a signature from the
- * hash value and the key. Hash-and-sign algorithms encode the hash
- * used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH
- * to extract this algorithm.
- *
- * Thus, for a hash-and-sign algorithm,
- * `psa_sign_message(key, alg, input, ...)` is equivalent to
- * ```
- * psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...);
- * psa_sign_hash(key, alg, hash, ..., signature, ...);
- * ```
- * Most usefully, separating the hash from the signature allows the hash
- * to be calculated in multiple steps with psa_hash_setup(), psa_hash_update()
- * and psa_hash_finish(). Likewise psa_verify_message() is equivalent to
- * calculating the hash and then calling psa_verify_hash().
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
- (PSA_ALG_IS_SIGN_HASH(alg) && \
- ((alg) & PSA_ALG_HASH_MASK) != 0)
-
-/** Get the hash used by a hash-and-sign signature algorithm.
- *
- * A hash-and-sign algorithm is a signature algorithm which is
- * composed of two phases: first a hashing phase which does not use
- * the key and produces a hash of the input message, then a signing
- * phase which only uses the hash and the key and not the message
- * itself.
- *
- * \param alg A signature algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_SIGN(\p alg) is true).
- *
- * \return The underlying hash algorithm if \p alg is a hash-and-sign
- * algorithm.
- * \return 0 if \p alg is a signature algorithm that does not
- * follow the hash-and-sign structure.
- * \return Unspecified if \p alg is not a signature algorithm or
- * if it is not supported by the implementation.
- */
-#define PSA_ALG_SIGN_GET_HASH(alg) \
- (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
- ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
- 0)
-
-/** RSA PKCS#1 v1.5 encryption.
- */
-#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t) 0x07000200)
-
-#define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t) 0x07000300)
-/** RSA OAEP encryption.
- *
- * This is the encryption scheme defined by RFC 8017
- * (PKCS#1: RSA Cryptography Specifications) under the name
- * RSAES-OAEP, with the message generation function MGF1.
- *
- * \param hash_alg The hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true) to use
- * for MGF1.
- *
- * \return The corresponding RSA OAEP encryption algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_RSA_OAEP(hash_alg) \
- (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_IS_RSA_OAEP(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE)
-#define PSA_ALG_RSA_OAEP_GET_HASH(alg) \
- (PSA_ALG_IS_RSA_OAEP(alg) ? \
- ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
- 0)
-
-#define PSA_ALG_HKDF_BASE ((psa_algorithm_t) 0x08000100)
-/** Macro to build an HKDF algorithm.
- *
- * For example, `PSA_ALG_HKDF(PSA_ALG_SHA_256)` is HKDF using HMAC-SHA-256.
- *
- * This key derivation algorithm uses the following inputs:
- * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step.
- * It is optional; if omitted, the derivation uses an empty salt.
- * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step.
- * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step.
- * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET.
- * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
- * starting to generate output.
- *
- * \warning HKDF processes the salt as follows: first hash it with hash_alg
- * if the salt is longer than the block size of the hash algorithm; then
- * pad with null bytes up to the block size. As a result, it is possible
- * for distinct salt inputs to result in the same outputs. To ensure
- * unique outputs, it is recommended to use a fixed length for salt values.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding HKDF algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_HKDF(hash_alg) \
- (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-/** Whether the specified algorithm is an HKDF algorithm.
- *
- * HKDF is a family of key derivation algorithms that are based on a hash
- * function and the HMAC construction.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is an HKDF algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_HKDF(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE)
-#define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
- (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-
-#define PSA_ALG_HKDF_EXTRACT_BASE ((psa_algorithm_t) 0x08000400)
-/** Macro to build an HKDF-Extract algorithm.
- *
- * For example, `PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256)` is
- * HKDF-Extract using HMAC-SHA-256.
- *
- * This key derivation algorithm uses the following inputs:
- * - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
- * - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
- * "extract" step.
- * The inputs are mandatory and must be passed in the order above.
- * Each input may only be passed once.
- *
- * \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
- * should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
- * as a separate algorithm for the sake of protocols that use it as a
- * building block. It may also be a slight performance optimization
- * in applications that use HKDF with the same salt and key but many
- * different info strings.
- *
- * \warning HKDF processes the salt as follows: first hash it with hash_alg
- * if the salt is longer than the block size of the hash algorithm; then
- * pad with null bytes up to the block size. As a result, it is possible
- * for distinct salt inputs to result in the same outputs. To ensure
- * unique outputs, it is recommended to use a fixed length for salt values.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding HKDF-Extract algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_HKDF_EXTRACT(hash_alg) \
- (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-/** Whether the specified algorithm is an HKDF-Extract algorithm.
- *
- * HKDF-Extract is a family of key derivation algorithms that are based
- * on a hash function and the HMAC construction.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is an HKDF-Extract algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_HKDF_EXTRACT(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE)
-
-#define PSA_ALG_HKDF_EXPAND_BASE ((psa_algorithm_t) 0x08000500)
-/** Macro to build an HKDF-Expand algorithm.
- *
- * For example, `PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256)` is
- * HKDF-Expand using HMAC-SHA-256.
- *
- * This key derivation algorithm uses the following inputs:
- * - PSA_KEY_DERIVATION_INPUT_SECRET is the pseudorandom key (PRK).
- * - PSA_KEY_DERIVATION_INPUT_INFO is the info string.
- *
- * The inputs are mandatory and must be passed in the order above.
- * Each input may only be passed once.
- *
- * \warning HKDF-Expand is not meant to be used on its own. `PSA_ALG_HKDF`
- * should be used instead if possible. `PSA_ALG_HKDF_EXPAND` is provided as
- * a separate algorithm for the sake of protocols that use it as a building
- * block. It may also be a slight performance optimization in applications
- * that use HKDF with the same salt and key but many different info strings.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding HKDF-Expand algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_HKDF_EXPAND(hash_alg) \
- (PSA_ALG_HKDF_EXPAND_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-/** Whether the specified algorithm is an HKDF-Expand algorithm.
- *
- * HKDF-Expand is a family of key derivation algorithms that are based
- * on a hash function and the HMAC construction.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is an HKDF-Expand algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_HKDF_EXPAND(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
-
-/** Whether the specified algorithm is an HKDF or HKDF-Extract or
- * HKDF-Expand algorithm.
- *
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is any HKDF type algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_ANY_HKDF(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE || \
- ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE || \
- ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
-
-#define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t) 0x08000200)
-/** Macro to build a TLS-1.2 PRF algorithm.
- *
- * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule,
- * specified in Section 5 of RFC 5246. It is based on HMAC and can be
- * used with either SHA-256 or SHA-384.
- *
- * This key derivation algorithm uses the following inputs, which must be
- * passed in the order given here:
- * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
- * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
- * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
- *
- * For the application to TLS-1.2 key expansion, the seed is the
- * concatenation of ServerHello.Random + ClientHello.Random,
- * and the label is "key expansion".
- *
- * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)` represents the
- * TLS 1.2 PRF using HMAC-SHA-256.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding TLS-1.2 PRF algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_TLS12_PRF(hash_alg) \
- (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-/** Whether the specified algorithm is a TLS-1.2 PRF algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_TLS12_PRF(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE)
-#define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \
- (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-
-#define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t) 0x08000300)
-/** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
- *
- * In a pure-PSK handshake in TLS 1.2, the master secret is derived
- * from the PreSharedKey (PSK) through the application of padding
- * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5).
- * The latter is based on HMAC and can be used with either SHA-256
- * or SHA-384.
- *
- * This key derivation algorithm uses the following inputs, which must be
- * passed in the order given here:
- * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
- * - #PSA_KEY_DERIVATION_INPUT_OTHER_SECRET is the other secret for the
- * computation of the premaster secret. This input is optional;
- * if omitted, it defaults to a string of null bytes with the same length
- * as the secret (PSK) input.
- * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
- * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
- *
- * For the application to TLS-1.2, the seed (which is
- * forwarded to the TLS-1.2 PRF) is the concatenation of the
- * ClientHello.Random + ServerHello.Random,
- * the label is "master secret" or "extended master secret" and
- * the other secret depends on the key exchange specified in the cipher suite:
- * - for a plain PSK cipher suite (RFC 4279, Section 2), omit
- * PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
- * - for a DHE-PSK (RFC 4279, Section 3) or ECDHE-PSK cipher suite
- * (RFC 5489, Section 2), the other secret should be the output of the
- * PSA_ALG_FFDH or PSA_ALG_ECDH key agreement performed with the peer.
- * The recommended way to pass this input is to use a key derivation
- * algorithm constructed as
- * PSA_ALG_KEY_AGREEMENT(ka_alg, PSA_ALG_TLS12_PSK_TO_MS(hash_alg))
- * and to call psa_key_derivation_key_agreement(). Alternatively,
- * this input may be an output of `psa_raw_key_agreement()` passed with
- * psa_key_derivation_input_bytes(), or an equivalent input passed with
- * psa_key_derivation_input_bytes() or psa_key_derivation_input_key().
- * - for a RSA-PSK cipher suite (RFC 4279, Section 4), the other secret
- * should be the 48-byte client challenge (the PreMasterSecret of
- * (RFC 5246, Section 7.4.7.1)) concatenation of the TLS version and
- * a 46-byte random string chosen by the client. On the server, this is
- * typically an output of psa_asymmetric_decrypt() using
- * PSA_ALG_RSA_PKCS1V15_CRYPT, passed to the key derivation operation
- * with `psa_key_derivation_input_bytes()`.
- *
- * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256)` represents the
- * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding TLS-1.2 PSK to MS algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) \
- (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-/** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE)
-#define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
- (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-
-/* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point
- * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2
- * will use to derive the session secret, as defined by step 2 of
- * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7.
- * Uses PSA_ALG_SHA_256.
- * This function takes a single input:
- * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE.
- * The only supported curve is secp256r1 (the 256-bit curve in
- * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes.
- * The output has to be read as a single chunk of 32 bytes, defined as
- * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE.
- */
-#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t) 0x08000609)
-
-/* This flag indicates whether the key derivation algorithm is suitable for
- * use on low-entropy secrets such as password - these algorithms are also
- * known as key stretching or password hashing schemes. These are also the
- * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD.
- *
- * Those algorithms cannot be combined with a key agreement algorithm.
- */
-#define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t) 0x00800000)
-
-#define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t) 0x08800100)
-/** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm.
- *
- * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
- * This macro specifies the PBKDF2 algorithm constructed using a PRF based on
- * HMAC with the specified hash.
- * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256)` specifies PBKDF2
- * using the PRF HMAC-SHA-256.
- *
- * This key derivation algorithm uses the following inputs, which must be
- * provided in the following order:
- * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count.
- * This input step must be used exactly once.
- * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt.
- * This input step must be used one or more times; if used several times, the
- * inputs will be concatenated. This can be used to build the final salt
- * from multiple sources, both public and secret (also known as pepper).
- * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed.
- * This input step must be used exactly once.
- *
- * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_HASH(\p hash_alg) is true).
- *
- * \return The corresponding PBKDF2-HMAC-XXX algorithm.
- * \return Unspecified if \p hash_alg is not a supported
- * hash algorithm.
- */
-#define PSA_ALG_PBKDF2_HMAC(hash_alg) \
- (PSA_ALG_PBKDF2_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-
-/** Whether the specified algorithm is a PBKDF2-HMAC algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is a PBKDF2-HMAC algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key derivation algorithm identifier.
- */
-#define PSA_ALG_IS_PBKDF2_HMAC(alg) \
- (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
-#define PSA_ALG_PBKDF2_HMAC_GET_HASH(pbkdf2_alg) \
- (PSA_ALG_CATEGORY_HASH | ((pbkdf2_alg) & PSA_ALG_HASH_MASK))
-/** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
- *
- * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
- * This macro specifies the PBKDF2 algorithm constructed using the
- * AES-CMAC-PRF-128 PRF specified by RFC 4615.
- *
- * This key derivation algorithm uses the same inputs as
- * #PSA_ALG_PBKDF2_HMAC() with the same constraints.
- */
-#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t) 0x08800200)
-
-#define PSA_ALG_IS_PBKDF2(kdf_alg) \
- (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg) || \
- ((kdf_alg) == PSA_ALG_PBKDF2_AES_CMAC_PRF_128))
-
-#define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t) 0xfe00ffff)
-#define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t) 0xffff0000)
-
-/** Macro to build a combined algorithm that chains a key agreement with
- * a key derivation.
- *
- * \param ka_alg A key agreement algorithm (\c PSA_ALG_XXX value such
- * that #PSA_ALG_IS_KEY_AGREEMENT(\p ka_alg) is true).
- * \param kdf_alg A key derivation algorithm (\c PSA_ALG_XXX value such
- * that #PSA_ALG_IS_KEY_DERIVATION(\p kdf_alg) is true).
- *
- * \return The corresponding key agreement and derivation
- * algorithm.
- * \return Unspecified if \p ka_alg is not a supported
- * key agreement algorithm or \p kdf_alg is not a
- * supported key derivation algorithm.
- */
-#define PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) \
- ((ka_alg) | (kdf_alg))
-
-#define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) \
- (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION)
-
-#define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) \
- (((alg) & PSA_ALG_KEY_AGREEMENT_MASK) | PSA_ALG_CATEGORY_KEY_AGREEMENT)
-
-/** Whether the specified algorithm is a raw key agreement algorithm.
- *
- * A raw key agreement algorithm is one that does not specify
- * a key derivation function.
- * Usually, raw key agreement algorithms are constructed directly with
- * a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are
- * constructed with #PSA_ALG_KEY_AGREEMENT().
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \p alg is a raw key agreement algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) \
- (PSA_ALG_IS_KEY_AGREEMENT(alg) && \
- PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) == PSA_ALG_CATEGORY_KEY_DERIVATION)
-
-#define PSA_ALG_IS_KEY_DERIVATION_OR_AGREEMENT(alg) \
- ((PSA_ALG_IS_KEY_DERIVATION(alg) || PSA_ALG_IS_KEY_AGREEMENT(alg)))
-
-/** The finite-field Diffie-Hellman (DH) key agreement algorithm.
- *
- * The shared secret produced by key agreement is
- * `g^{ab}` in big-endian format.
- * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p`
- * in bits.
- */
-#define PSA_ALG_FFDH ((psa_algorithm_t) 0x09010000)
-
-/** Whether the specified algorithm is a finite field Diffie-Hellman algorithm.
- *
- * This includes the raw finite field Diffie-Hellman algorithm as well as
- * finite-field Diffie-Hellman followed by any supporter key derivation
- * algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key agreement algorithm identifier.
- */
-#define PSA_ALG_IS_FFDH(alg) \
- (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH)
-
-/** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.
- *
- * The shared secret produced by key agreement is the x-coordinate of
- * the shared secret point. It is always `ceiling(m / 8)` bytes long where
- * `m` is the bit size associated with the curve, i.e. the bit size of the
- * order of the curve's coordinate field. When `m` is not a multiple of 8,
- * the byte containing the most significant bit of the shared secret
- * is padded with zero bits. The byte order is either little-endian
- * or big-endian depending on the curve type.
- *
- * - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
- * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
- * in little-endian byte order.
- * The bit size is 448 for Curve448 and 255 for Curve25519.
- * - For Weierstrass curves over prime fields (curve types
- * `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
- * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
- * in big-endian byte order.
- * The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
- * - For Weierstrass curves over binary fields (curve types
- * `PSA_ECC_FAMILY_SECTXXX`),
- * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
- * in big-endian byte order.
- * The bit size is `m` for the field `F_{2^m}`.
- */
-#define PSA_ALG_ECDH ((psa_algorithm_t) 0x09020000)
-
-/** Whether the specified algorithm is an elliptic curve Diffie-Hellman
- * algorithm.
- *
- * This includes the raw elliptic curve Diffie-Hellman algorithm as well as
- * elliptic curve Diffie-Hellman followed by any supporter key derivation
- * algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm,
- * 0 otherwise.
- * This macro may return either 0 or 1 if \c alg is not a supported
- * key agreement algorithm identifier.
- */
-#define PSA_ALG_IS_ECDH(alg) \
- (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH)
-
-/** Whether the specified algorithm encoding is a wildcard.
- *
- * Wildcard values may only be used to set the usage algorithm field in
- * a policy, not to perform an operation.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return 1 if \c alg is a wildcard algorithm encoding.
- * \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for
- * an operation).
- * \return This macro may return either 0 or 1 if \c alg is not a supported
- * algorithm identifier.
- */
-#define PSA_ALG_IS_WILDCARD(alg) \
- (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
- PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \
- PSA_ALG_IS_MAC(alg) ? \
- (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
- PSA_ALG_IS_AEAD(alg) ? \
- (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
- (alg) == PSA_ALG_ANY_HASH)
-
-/** Get the hash used by a composite algorithm.
- *
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
- *
- * \return The underlying hash algorithm if alg is a composite algorithm that
- * uses a hash algorithm.
- *
- * \return \c 0 if alg is not a composite algorithm that uses a hash.
- */
-#define PSA_ALG_GET_HASH(alg) \
- (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t) 0) : 0x02000000 | ((alg) & 0x000000ff))
-
-/**@}*/
-
-/** \defgroup key_lifetimes Key lifetimes
- * @{
- */
-
-/* Note that location and persistence level values are embedded in the
- * persistent key store, as part of key metadata. As a consequence, they
- * must not be changed (unless the storage format version changes).
- */
-
-/** The default lifetime for volatile keys.
- *
- * A volatile key only exists as long as the identifier to it is not destroyed.
- * The key material is guaranteed to be erased on a power reset.
- *
- * A key with this lifetime is typically stored in the RAM area of the
- * PSA Crypto subsystem. However this is an implementation choice.
- * If an implementation stores data about the key in a non-volatile memory,
- * it must release all the resources associated with the key and erase the
- * key material if the calling application terminates.
- */
-#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t) 0x00000000)
-
-/** The default lifetime for persistent keys.
- *
- * A persistent key remains in storage until it is explicitly destroyed or
- * until the corresponding storage area is wiped. This specification does
- * not define any mechanism to wipe a storage area, but integrations may
- * provide their own mechanism (for example to perform a factory reset,
- * to prepare for device refurbishment, or to uninstall an application).
- *
- * This lifetime value is the default storage area for the calling
- * application. Integrations of Mbed TLS may support other persistent lifetimes.
- * See ::psa_key_lifetime_t for more information.
- */
-#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t) 0x00000001)
-
-/** The persistence level of volatile keys.
- *
- * See ::psa_key_persistence_t for more information.
- */
-#define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t) 0x00)
-
-/** The default persistence level for persistent keys.
- *
- * See ::psa_key_persistence_t for more information.
- */
-#define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t) 0x01)
-
-/** A persistence level indicating that a key is never destroyed.
- *
- * See ::psa_key_persistence_t for more information.
- */
-#define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t) 0xff)
-
-#define PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) \
- ((psa_key_persistence_t) ((lifetime) & 0x000000ff))
-
-#define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \
- ((psa_key_location_t) ((lifetime) >> 8))
-
-/** Whether a key lifetime indicates that the key is volatile.
- *
- * A volatile key is automatically destroyed by the implementation when
- * the application instance terminates. In particular, a volatile key
- * is automatically destroyed on a power reset of the device.
- *
- * A key that is not volatile is persistent. Persistent keys are
- * preserved until the application explicitly destroys them or until an
- * implementation-specific device management event occurs (for example,
- * a factory reset).
- *
- * \param lifetime The lifetime value to query (value of type
- * ::psa_key_lifetime_t).
- *
- * \return \c 1 if the key is volatile, otherwise \c 0.
- */
-#define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
- (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
- PSA_KEY_PERSISTENCE_VOLATILE)
-
-/** Whether a key lifetime indicates that the key is read-only.
- *
- * Read-only keys cannot be created or destroyed through the PSA Crypto API.
- * They must be created through platform-specific means that bypass the API.
- *
- * Some platforms may offer ways to destroy read-only keys. For example,
- * consider a platform with multiple levels of privilege, where a
- * low-privilege application can use a key but is not allowed to destroy
- * it, and the platform exposes the key to the application with a read-only
- * lifetime. High-privilege code can destroy the key even though the
- * application sees the key as read-only.
- *
- * \param lifetime The lifetime value to query (value of type
- * ::psa_key_lifetime_t).
- *
- * \return \c 1 if the key is read-only, otherwise \c 0.
- */
-#define PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime) \
- (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
- PSA_KEY_PERSISTENCE_READ_ONLY)
-
-/** Construct a lifetime from a persistence level and a location.
- *
- * \param persistence The persistence level
- * (value of type ::psa_key_persistence_t).
- * \param location The location indicator
- * (value of type ::psa_key_location_t).
- *
- * \return The constructed lifetime value.
- */
-#define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) \
- ((location) << 8 | (persistence))
-
-/** The local storage area for persistent keys.
- *
- * This storage area is available on all systems that can store persistent
- * keys without delegating the storage to a third-party cryptoprocessor.
- *
- * See ::psa_key_location_t for more information.
- */
-#define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t) 0x000000)
-
-#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t) 0x800000)
-
-/* Note that key identifier values are embedded in the
- * persistent key store, as part of key metadata. As a consequence, they
- * must not be changed (unless the storage format version changes).
- */
-
-/** The null key identifier.
- */
-/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
-#define PSA_KEY_ID_NULL ((psa_key_id_t)0)
-/* *INDENT-ON* */
-/** The minimum value for a key identifier chosen by the application.
- */
-#define PSA_KEY_ID_USER_MIN ((psa_key_id_t) 0x00000001)
-/** The maximum value for a key identifier chosen by the application.
- */
-#define PSA_KEY_ID_USER_MAX ((psa_key_id_t) 0x3fffffff)
-/** The minimum value for a key identifier chosen by the implementation.
- */
-#define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t) 0x40000000)
-/** The maximum value for a key identifier chosen by the implementation.
- */
-#define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t) 0x7fffffff)
-
-
-#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
-
-#define MBEDTLS_SVC_KEY_ID_INIT ((psa_key_id_t) 0)
-#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID(id) (id)
-#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(id) (0)
-
-/** Utility to initialize a key identifier at runtime.
- *
- * \param unused Unused parameter.
- * \param key_id Identifier of the key.
- */
-static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
- unsigned int unused, psa_key_id_t key_id)
-{
- (void) unused;
-
- return key_id;
-}
-
-/** Compare two key identifiers.
- *
- * \param id1 First key identifier.
- * \param id2 Second key identifier.
- *
- * \return Non-zero if the two key identifier are equal, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,
- mbedtls_svc_key_id_t id2)
-{
- return id1 == id2;
-}
-
-/** Check whether a key identifier is null.
- *
- * \param key Key identifier.
- *
- * \return Non-zero if the key identifier is null, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
-{
- return key == 0;
-}
-
-#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-
-#define MBEDTLS_SVC_KEY_ID_INIT ((mbedtls_svc_key_id_t){ 0, 0 })
-#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID(id) ((id).MBEDTLS_PRIVATE(key_id))
-#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(id) ((id).MBEDTLS_PRIVATE(owner))
-
-/** Utility to initialize a key identifier at runtime.
- *
- * \param owner_id Identifier of the key owner.
- * \param key_id Identifier of the key.
- */
-static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
- mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id)
-{
- return (mbedtls_svc_key_id_t){ .MBEDTLS_PRIVATE(key_id) = key_id,
- .MBEDTLS_PRIVATE(owner) = owner_id };
-}
-
-/** Compare two key identifiers.
- *
- * \param id1 First key identifier.
- * \param id2 Second key identifier.
- *
- * \return Non-zero if the two key identifier are equal, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,
- mbedtls_svc_key_id_t id2)
-{
- return (id1.MBEDTLS_PRIVATE(key_id) == id2.MBEDTLS_PRIVATE(key_id)) &&
- mbedtls_key_owner_id_equal(id1.MBEDTLS_PRIVATE(owner), id2.MBEDTLS_PRIVATE(owner));
-}
-
-/** Check whether a key identifier is null.
- *
- * \param key Key identifier.
- *
- * \return Non-zero if the key identifier is null, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
-{
- return key.MBEDTLS_PRIVATE(key_id) == 0;
-}
-
-#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-
-/**@}*/
-
-/** \defgroup policy Key policies
- * @{
- */
-
-/* Note that key usage flags are embedded in the
- * persistent key store, as part of key metadata. As a consequence, they
- * must not be changed (unless the storage format version changes).
- */
-
-/** Whether the key may be exported.
- *
- * A public key or the public part of a key pair may always be exported
- * regardless of the value of this permission flag.
- *
- * If a key does not have export permission, implementations shall not
- * allow the key to be exported in plain form from the cryptoprocessor,
- * whether through psa_export_key() or through a proprietary interface.
- * The key may however be exportable in a wrapped form, i.e. in a form
- * where it is encrypted by another key.
- */
-#define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t) 0x00000001)
-
-/** Whether the key may be copied.
- *
- * This flag allows the use of psa_copy_key() to make a copy of the key
- * with the same policy or a more restrictive policy.
- *
- * For lifetimes for which the key is located in a secure element which
- * enforce the non-exportability of keys, copying a key outside the secure
- * element also requires the usage flag #PSA_KEY_USAGE_EXPORT.
- * Copying the key inside the secure element is permitted with just
- * #PSA_KEY_USAGE_COPY if the secure element supports it.
- * For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or
- * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY
- * is sufficient to permit the copy.
- */
-#define PSA_KEY_USAGE_COPY ((psa_key_usage_t) 0x00000002)
-
-/** Whether the key may be used to encrypt a message.
- *
- * This flag allows the key to be used for a symmetric encryption operation,
- * for an AEAD encryption-and-authentication operation,
- * or for an asymmetric encryption operation,
- * if otherwise permitted by the key's type and policy.
- *
- * For a key pair, this concerns the public key.
- */
-#define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t) 0x00000100)
-
-/** Whether the key may be used to decrypt a message.
- *
- * This flag allows the key to be used for a symmetric decryption operation,
- * for an AEAD decryption-and-verification operation,
- * or for an asymmetric decryption operation,
- * if otherwise permitted by the key's type and policy.
- *
- * For a key pair, this concerns the private key.
- */
-#define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t) 0x00000200)
-
-/** Whether the key may be used to sign a message.
- *
- * This flag allows the key to be used for a MAC calculation operation or for
- * an asymmetric message signature operation, if otherwise permitted by the
- * key’s type and policy.
- *
- * For a key pair, this concerns the private key.
- */
-#define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t) 0x00000400)
-
-/** Whether the key may be used to verify a message.
- *
- * This flag allows the key to be used for a MAC verification operation or for
- * an asymmetric message signature verification operation, if otherwise
- * permitted by the key’s type and policy.
- *
- * For a key pair, this concerns the public key.
- */
-#define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t) 0x00000800)
-
-/** Whether the key may be used to sign a message.
- *
- * This flag allows the key to be used for a MAC calculation operation
- * or for an asymmetric signature operation,
- * if otherwise permitted by the key's type and policy.
- *
- * For a key pair, this concerns the private key.
- */
-#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t) 0x00001000)
-
-/** Whether the key may be used to verify a message signature.
- *
- * This flag allows the key to be used for a MAC verification operation
- * or for an asymmetric signature verification operation,
- * if otherwise permitted by the key's type and policy.
- *
- * For a key pair, this concerns the public key.
- */
-#define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t) 0x00002000)
-
-/** Whether the key may be used to derive other keys or produce a password
- * hash.
- *
- * This flag allows the key to be used for a key derivation operation or for
- * a key agreement operation, if otherwise permitted by the key's type and
- * policy.
- *
- * If this flag is present on all keys used in calls to
- * psa_key_derivation_input_key() for a key derivation operation, then it
- * permits calling psa_key_derivation_output_bytes() or
- * psa_key_derivation_output_key() at the end of the operation.
- */
-#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t) 0x00004000)
-
-/** Whether the key may be used to verify the result of a key derivation,
- * including password hashing.
- *
- * This flag allows the key to be used:
- *
- * This flag allows the key to be used in a key derivation operation, if
- * otherwise permitted by the key's type and policy.
- *
- * If this flag is present on all keys used in calls to
- * psa_key_derivation_input_key() for a key derivation operation, then it
- * permits calling psa_key_derivation_verify_bytes() or
- * psa_key_derivation_verify_key() at the end of the operation.
- */
-#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t) 0x00008000)
-
-/**@}*/
-
-/** \defgroup derivation Key derivation
- * @{
- */
-
-/* Key input steps are not embedded in the persistent storage, so you can
- * change them if needed: it's only an ABI change. */
-
-/** A secret input for key derivation.
- *
- * This should be a key of type #PSA_KEY_TYPE_DERIVE
- * (passed to psa_key_derivation_input_key())
- * or the shared secret resulting from a key agreement
- * (obtained via psa_key_derivation_key_agreement()).
- *
- * The secret can also be a direct input (passed to
- * key_derivation_input_bytes()). In this case, the derivation operation
- * may not be used to derive keys: the operation will only allow
- * psa_key_derivation_output_bytes(),
- * psa_key_derivation_verify_bytes(), or
- * psa_key_derivation_verify_key(), but not
- * psa_key_derivation_output_key().
- */
-#define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t) 0x0101)
-
-/** A low-entropy secret input for password hashing / key stretching.
- *
- * This is usually a key of type #PSA_KEY_TYPE_PASSWORD (passed to
- * psa_key_derivation_input_key()) or a direct input (passed to
- * psa_key_derivation_input_bytes()) that is a password or passphrase. It can
- * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or
- * the shared secret resulting from a key agreement.
- *
- * The secret can also be a direct input (passed to
- * key_derivation_input_bytes()). In this case, the derivation operation
- * may not be used to derive keys: the operation will only allow
- * psa_key_derivation_output_bytes(),
- * psa_key_derivation_verify_bytes(), or
- * psa_key_derivation_verify_key(), but not
- * psa_key_derivation_output_key().
- */
-#define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t) 0x0102)
-
-/** A high-entropy additional secret input for key derivation.
- *
- * This is typically the shared secret resulting from a key agreement obtained
- * via `psa_key_derivation_key_agreement()`. It may alternatively be a key of
- * type `PSA_KEY_TYPE_DERIVE` passed to `psa_key_derivation_input_key()`, or
- * a direct input passed to `psa_key_derivation_input_bytes()`.
- */
-#define PSA_KEY_DERIVATION_INPUT_OTHER_SECRET \
- ((psa_key_derivation_step_t) 0x0103)
-
-/** A label for key derivation.
- *
- * This should be a direct input.
- * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
- */
-#define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t) 0x0201)
-
-/** A salt for key derivation.
- *
- * This should be a direct input.
- * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA or
- * #PSA_KEY_TYPE_PEPPER.
- */
-#define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t) 0x0202)
-
-/** An information string for key derivation.
- *
- * This should be a direct input.
- * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
- */
-#define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t) 0x0203)
-
-/** A seed for key derivation.
- *
- * This should be a direct input.
- * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
- */
-#define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t) 0x0204)
-
-/** A cost parameter for password hashing / key stretching.
- *
- * This must be a direct input, passed to psa_key_derivation_input_integer().
- */
-#define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t) 0x0205)
-
-/**@}*/
-
-/** \defgroup helper_macros Helper macros
- * @{
- */
-
-/* Helper macros */
-
-/** Check if two AEAD algorithm identifiers refer to the same AEAD algorithm
- * regardless of the tag length they encode.
- *
- * \param aead_alg_1 An AEAD algorithm identifier.
- * \param aead_alg_2 An AEAD algorithm identifier.
- *
- * \return 1 if both identifiers refer to the same AEAD algorithm,
- * 0 otherwise.
- * Unspecified if neither \p aead_alg_1 nor \p aead_alg_2 are
- * a supported AEAD algorithm.
- */
-#define MBEDTLS_PSA_ALG_AEAD_EQUAL(aead_alg_1, aead_alg_2) \
- (!(((aead_alg_1) ^ (aead_alg_2)) & \
- ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)))
-
-/**@}*/
-
-/**@}*/
-
-/** \defgroup interruptible Interruptible operations
- * @{
- */
-
-/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine
- * the maximum number of ops allowed to be executed by an interruptible
- * function in a single call.
- */
-#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX
-
-/**@}*/
-
-#endif /* PSA_CRYPTO_VALUES_H */
diff --git a/library/.gitignore b/library/.gitignore
index c6a39f5..9794129 100644
--- a/library/.gitignore
+++ b/library/.gitignore
@@ -6,6 +6,4 @@ libmbed*
/error.c
/version_features.c
/ssl_debug_helpers_generated.c
-/psa_crypto_driver_wrappers.h
-/psa_crypto_driver_wrappers_no_static.c
###END_GENERATED_FILES###
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 6a4ce51..da109dc 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -10,86 +10,90 @@ if(NOT DEFINED MBEDTLS_DIR)
set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
endif()
+set(TF_PSA_CRYPTO_CORE_DIR ../tf-psa-crypto/core)
+set(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR ../tf-psa-crypto/drivers/builtin/src)
+
set(src_crypto
- aes.c
- aesni.c
- aesce.c
- aria.c
- asn1parse.c
- asn1write.c
- base64.c
- bignum.c
- bignum_core.c
- bignum_mod.c
- bignum_mod_raw.c
- camellia.c
- ccm.c
- chacha20.c
- chachapoly.c
- cipher.c
- cipher_wrap.c
- constant_time.c
- cmac.c
- ctr_drbg.c
- des.c
- dhm.c
- ecdh.c
- ecdsa.c
- ecjpake.c
- ecp.c
- ecp_curves.c
- ecp_curves_new.c
- entropy.c
- entropy_poll.c
- error.c
- gcm.c
- hkdf.c
- hmac_drbg.c
- lmots.c
- lms.c
- md.c
- md5.c
- memory_buffer_alloc.c
- nist_kw.c
- oid.c
- padlock.c
- pem.c
- pk.c
- pk_wrap.c
- pkcs12.c
- pkcs5.c
- pkparse.c
- pkwrite.c
- platform.c
- platform_util.c
- poly1305.c
- psa_crypto.c
- psa_crypto_aead.c
- psa_crypto_cipher.c
- psa_crypto_client.c
- psa_crypto_driver_wrappers_no_static.c
- psa_crypto_ecp.c
- psa_crypto_ffdh.c
- psa_crypto_hash.c
- psa_crypto_mac.c
- psa_crypto_pake.c
- psa_crypto_rsa.c
- psa_crypto_se.c
- psa_crypto_slot_management.c
- psa_crypto_storage.c
- psa_its_file.c
- psa_util.c
- ripemd160.c
- rsa.c
- rsa_alt_helpers.c
- sha1.c
- sha256.c
- sha512.c
- sha3.c
- threading.c
- timing.c
- version.c
- version_features.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aes.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesni.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesce.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aria.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1parse.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1write.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/base64.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_core.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod_raw.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/block_cipher.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/camellia.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ccm.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chacha20.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chachapoly.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher_wrap.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/constant_time.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cmac.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ctr_drbg.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/des.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/dhm.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdh.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdsa.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecjpake.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves_new.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy_poll.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/gcm.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hkdf.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hmac_drbg.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lmots.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lms.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md5.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/memory_buffer_alloc.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/nist_kw.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/oid.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pem.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_ecc.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_wrap.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs12.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs5.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkparse.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkwrite.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform_util.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/poly1305.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_aead.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_cipher.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_client.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ecp.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ffdh.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_hash.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_mac.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_pake.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_rsa.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_se.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_slot_management.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_storage.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_its_file.c
+ ${TF_PSA_CRYPTO_CORE_DIR}/psa_util.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ripemd160.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa_alt_helpers.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha1.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha256.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha512.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha3.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/threading.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/timing.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version.c
+ ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
)
set(src_x509
@@ -128,31 +132,34 @@ set(src_tls
if(GEN_FILES)
find_package(Perl REQUIRED)
- file(GLOB error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h)
+ file(GLOB crypto_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/include/mbedtls/*.h)
+ file(GLOB tls_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h)
add_custom_command(
OUTPUT
- ${CMAKE_CURRENT_BINARY_DIR}/error.c
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
COMMAND
${PERL_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
- ${CMAKE_CURRENT_BINARY_DIR}/error.c
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
- ${error_headers}
+ ${crypto_error_headers}
+ ${tls_error_headers}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/error.fmt
)
add_custom_command(
OUTPUT
- ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
COMMAND
${PERL_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
- ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h
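Review bot: The new OUTPUT paths `${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c` and `.../version_features.c` sit outside this directory's own binary dir, and nothing in the hunk creates that directory before the Perl generators write into it. Unless the scripts create missing parent directories themselves (not visible here), a fresh out-of-tree build could fail at the first generation step. A `file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR})` ahead of the `add_custom_command` calls would make the requirement explicit. The same applies to the driver-wrapper outputs under `${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}` in the next hunk. The `if(GEN_FILES)` block continues outside this hunk.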
@@ -169,29 +176,28 @@ if(GEN_FILES)
${CMAKE_CURRENT_BINARY_DIR}
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_ssl_debug_helpers.py
- ${error_headers}
+ ${tls_error_headers}
)
add_custom_command(
OUTPUT
- ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers.h
- ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers_no_static.c
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
- ${CMAKE_CURRENT_BINARY_DIR}
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
)
-
-
else()
- link_to_source(error.c)
- link_to_source(version_features.c)
+ link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c)
+ link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c)
link_to_source(ssl_debug_helpers_generated.c)
- link_to_source(psa_crypto_driver_wrappers_no_static.c)
+ link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h)
+ link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c)
endif()
if(CMAKE_COMPILER_IS_GNUCC)
@@ -218,11 +224,13 @@ if(WIN32)
set(libs ${libs} ws2_32 bcrypt)
endif(WIN32)
-if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
- SET(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
- SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
- SET(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
- SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+if(CMAKE_C_COMPILER_ID MATCHES "AppleClang")
+ set(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ set(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+endif()
+if(CMAKE_CXX_COMPILER_ID MATCHES "AppleClang")
+ set(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ set(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
endif()
if(HAIKU)
@@ -230,7 +238,7 @@ if(HAIKU)
endif(HAIKU)
if(LINK_WITH_PTHREAD)
- set(libs ${libs} pthread)
+ set(libs ${libs} ${CMAKE_THREAD_LIBS_INIT})
endif()
if(LINK_WITH_TRUSTED_STORAGE)
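Review bot: `${CMAKE_THREAD_LIBS_INIT}` in the `LINK_WITH_PTHREAD` branch is only populated once `find_package(Threads)` has run, and no such call is visible in this file's hunks. If it is not made earlier (for example in the top-level CMakeLists.txt), the variable expands to nothing and the libraries are linked without the thread library, with no diagnostic at configure time. Making the dependency local, with `find_package(Threads REQUIRED)` inside the branch, or linking the imported target with `set(libs ${libs} Threads::Threads)`, turns a silent omission into a configure error.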
@@ -296,7 +304,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.0 SOVERSION 15)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.0 SOVERSION 16)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET ${everest_target})
@@ -308,27 +316,29 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.0 SOVERSION 6)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.0 SOVERSION 7)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.0 SOVERSION 20)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.0 SOVERSION 21)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
foreach(target IN LISTS target_libraries)
add_library(MbedTLS::${target} ALIAS ${target}) # add_subdirectory support
- # Include public header files from /include and other directories
- # declared by /3rdparty/**/CMakeLists.txt. Include private header files
- # from /library and others declared by /3rdparty/**/CMakeLists.txt.
- # /library needs to be listed explicitly when building .c files outside
- # of /library (which currently means: under /3rdparty).
+ # Include public header files from /include, /tf-psa-crypto/include/ and
+ # tf-psa-crypto/drivers/builtin/include/. Include private header files
+ # from /library, tf-psa-crypto/core/ and tf-psa-crypto/drivers/builtin/src/.
target_include_directories(${target}
PUBLIC $<BUILD_INTERFACE:${MBEDTLS_DIR}/include/>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/include/>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include/>
$<INSTALL_INTERFACE:include/>
PRIVATE ${MBEDTLS_DIR}/library/
+ ${MBEDTLS_DIR}/tf-psa-crypto/core
+ ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src
# Needed to include psa_crypto_driver_wrappers.h
- ${CMAKE_CURRENT_BINARY_DIR})
+ ${CMAKE_CURRENT_BINARY_DIR}/../tf-psa-crypto/core)
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
if(MBEDTLS_CONFIG_FILE)
target_compile_definitions(${target}
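Review bot: The last PRIVATE include entry spells the generated-header directory as `${CMAKE_CURRENT_BINARY_DIR}/../tf-psa-crypto/core`, while the custom command that produces `psa_crypto_driver_wrappers.h` writes to `${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}`. Both resolve to the same place today, but only while the literal and the variable are edited together. Writing the include as `${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}` keeps the producer and the consumer tied to one definition. Separately, the two new `BUILD_INTERFACE` directories have no counterpart beyond `$<INSTALL_INTERFACE:include/>`, so an installed package presumably relies on those headers being copied into `include/`; that install rule is not visible here and is worth confirming. The `foreach` body continues outside this hunk.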
diff --git a/library/Makefile b/library/Makefile
index 9e2d723..f7c4898 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -1,3 +1,30 @@
+ifndef MBEDTLS_PATH
+MBEDTLS_PATH := ..
+endif
+
+TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core
+TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
+
+GENERATED_FILES := \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c \
+ ssl_debug_helpers_generated.c \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
+
+ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
+ ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
+ # Use the define keyword to get a multi-line message.
+ # GNU make appends ". Stop.", so tweak the ending of our message accordingly.
+ define error_message
+$(MBEDTLS_PATH)/framework/exported.make not found.
+Run `git submodule update --init` to fetch the submodule contents.
+This is a fatal error
+ endef
+ $(error $(error_message))
+ endif
+ include $(MBEDTLS_PATH)/framework/exported.make
+endif
# Also see "include/mbedtls/mbedtls_config.h"
@@ -5,11 +32,14 @@ CFLAGS ?= -O2
WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
LDFLAGS ?=
-# Include ../include for public headers and . for private headers.
-# Note that . needs to be included explicitly for the sake of library
-# files that are not in the /library directory (which currently means
-# under /3rdparty).
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -D_FILE_OFFSET_BITS=64
+# Include ../include, ../tf-psa-crypto/include and
+# ../tf-psa-crypto/drivers/builtin/include for public headers and .,
+# ../tf-psa-crypto/core and ../tf-psa-crypto/drivers/builtin/src for
+# private headers.
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../tf-psa-crypto/core \
+ -I../tf-psa-crypto/drivers/builtin/src \
+ -I../include -I../tf-psa-crypto/include \
+ -I../tf-psa-crypto/drivers/builtin/include -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS =
ifdef DEBUG
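Review bot: The rewritten `LOCAL_CFLAGS` hard-codes `../tf-psa-crypto/...` and `../include`, while the objects and generated files introduced by this commit are located through `$(MBEDTLS_PATH)`, which the new preamble explicitly allows a caller to override. With `MBEDTLS_PATH` set to anything other than `..`, sources would be compiled from one tree against headers from another. That is a quiet way to build a crypto library against mismatched private headers. Deriving the include flags from the same variable keeps them aligned, for example `-I$(TF_PSA_CRYPTO_CORE_PATH) -I$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)` and `-I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include`.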
@@ -51,9 +81,9 @@ LOCAL_CFLAGS += -fPIC -fpic
endif
endif
-SOEXT_TLS?=so.20
-SOEXT_X509?=so.6
-SOEXT_CRYPTO?=so.15
+SOEXT_TLS?=so.21
+SOEXT_X509?=so.7
+SOEXT_CRYPTO?=so.16
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)
@@ -80,88 +110,91 @@ endif
endif
OBJS_CRYPTO= \
- aes.o \
- aesni.o \
- aesce.o \
- aria.o \
- asn1parse.o \
- asn1write.o \
- base64.o \
- bignum.o \
- bignum_core.o \
- bignum_mod.o \
- bignum_mod_raw.o \
- camellia.o \
- ccm.o \
- chacha20.o \
- chachapoly.o \
- cipher.o \
- cipher_wrap.o \
- cmac.o \
- constant_time.o \
- ctr_drbg.o \
- des.o \
- dhm.o \
- ecdh.o \
- ecdsa.o \
- ecjpake.o \
- ecp.o \
- ecp_curves.o \
- ecp_curves_new.o \
- entropy.o \
- entropy_poll.o \
- error.o \
- gcm.o \
- hkdf.o \
- hmac_drbg.o \
- lmots.o \
- lms.o \
- md.o \
- md5.o \
- memory_buffer_alloc.o \
- nist_kw.o \
- oid.o \
- padlock.o \
- pem.o \
- pk.o \
- pk_wrap.o \
- pkcs12.o \
- pkcs5.o \
- pkparse.o \
- pkwrite.o \
- platform.o \
- platform_util.o \
- poly1305.o \
- psa_crypto.o \
- psa_crypto_aead.o \
- psa_crypto_cipher.o \
- psa_crypto_client.o \
- psa_crypto_driver_wrappers_no_static.o \
- psa_crypto_ecp.o \
- psa_crypto_ffdh.o \
- psa_crypto_hash.o \
- psa_crypto_mac.o \
- psa_crypto_pake.o \
- psa_crypto_rsa.o \
- psa_crypto_se.o \
- psa_crypto_slot_management.o \
- psa_crypto_storage.o \
- psa_its_file.o \
- psa_util.o \
- ripemd160.o \
- rsa.o \
- rsa_alt_helpers.o \
- sha1.o \
- sha256.o \
- sha512.o \
- sha3.o \
- threading.o \
- timing.o \
- version.o \
- version_features.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_aead.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_cipher.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ecp.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ffdh.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_hash.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_mac.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_pake.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_rsa.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_se.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_util.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aes.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesni.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesce.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aria.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1parse.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1write.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/base64.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_core.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod_raw.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/block_cipher.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/camellia.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ccm.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chacha20.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chachapoly.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher_wrap.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cmac.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves_new.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy_poll.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/gcm.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hkdf.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hmac_drbg.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lmots.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lms.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md5.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/memory_buffer_alloc.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/nist_kw.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/oid.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pem.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_ecc.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_wrap.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs12.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs5.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkparse.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkwrite.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform_util.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/poly1305.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ripemd160.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa_alt_helpers.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha1.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha256.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha512.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha3.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/threading.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/timing.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version.o \
+ $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.o \
# This line is intentionally left blank
-include ../3rdparty/Makefile.inc
+THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers
+include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/everest/Makefile.inc
+include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/p256-m/Makefile.inc
LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
@@ -313,11 +346,6 @@ libmbedcrypto.dll: $(OBJS_CRYPTO)
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
.PHONY: generated_files
-GENERATED_FILES = \
- error.c version_features.c \
- ssl_debug_helpers_generated.c \
- psa_crypto_driver_wrappers.h \
- psa_crypto_driver_wrappers_no_static.c
generated_files: $(GENERATED_FILES)
# See root Makefile
@@ -328,10 +356,10 @@ else
gen_file_dep = |
endif
-error.c: $(gen_file_dep) ../scripts/generate_errors.pl
-error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
-error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
-error.c:
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/generate_errors.pl
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c:
echo " Gen $@"
$(PERL) ../scripts/generate_errors.pl
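Review bot: The prerequisite list for `$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c` still globs only `../include/mbedtls/*.h`, whereas the CMake side of this commit adds `tf-psa-crypto/drivers/builtin/include/mbedtls/*.h` as both an input directory and a dependency of the same generated file. If the crypto headers that define error codes now live under that directory, editing one of them will not regenerate `error.c` in a make build, and the error-string table can go stale. A matching line would be `$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include/mbedtls/*.h))`. The recipe also calls `generate_errors.pl` with no arguments, so it is worth confirming that the script's defaults cover the new header directory.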
@@ -341,33 +369,34 @@ ssl_debug_helpers_generated.c:
echo " Gen $@"
$(PYTHON) ../scripts/generate_ssl_debug_helpers.py --mbedtls-root .. .
-version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
-version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
## The generated file only depends on the options that are present in mbedtls_config.h,
## not on which options are set. To avoid regenerating this file all the time
## when switching between configurations, don't declare mbedtls_config.h as a
## dependency. Remove this file from your working tree if you've just added or
## removed an option in mbedtls_config.h.
#version_features.c: ../include/mbedtls/mbedtls_config.h
-version_features.c:
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c:
echo " Gen $@"
$(PERL) ../scripts/generate_features.pl
GENERATED_WRAPPER_FILES = \
- psa_crypto_driver_wrappers.h \
- psa_crypto_driver_wrappers_no_static.c
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
$(GENERATED_WRAPPER_FILES): ../scripts/generate_driver_wrappers.py
$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
$(GENERATED_WRAPPER_FILES):
echo " Gen $(GENERATED_WRAPPER_FILES)"
- $(PYTHON) ../scripts/generate_driver_wrappers.py
+ $(PYTHON) ../scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
-psa_crypto.o:psa_crypto_driver_wrappers.h
+$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
clean:
ifndef WINDOWS
rm -f *.o libmbed*
+ rm -f $(OBJS_CRYPTO)
rm -f $(THIRDPARTY_CRYPTO_OBJECTS)
else
if exist *.o del /Q /F *.o
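Review bot: `rm -f $(OBJS_CRYPTO)` is added only to the non-Windows branch of `clean`, and the Windows branch visible here still deletes just `*.o` in the current directory. Since the crypto objects now live under `$(TF_PSA_CRYPTO_CORE_PATH)` and `$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)`, a Windows `make clean` would leave them behind, and a later build could link stale objects produced under a different configuration. The `else` branch continues outside this hunk, so an equivalent `del` for those directories may already exist there; if it does not, one should be added alongside the existing third-party cleanup.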
diff --git a/library/aes.c b/library/aes.c
deleted file mode 100644
index b61d089..0000000
--- a/library/aes.c
+++ /dev/null
@@ -1,2276 +0,0 @@
-/*
- * FIPS-197 compliant AES implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
- *
- * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
- * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_AES_C)
-
-#include <string.h>
-
-#include "mbedtls/aes.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-#if !((defined(MBEDTLS_ARCH_IS_ARM64) && defined(MBEDTLS_AESCE_C)) || \
- (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
- (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
-#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
-#endif
-#endif
-
-#if defined(MBEDTLS_ARCH_IS_X86)
-#if defined(MBEDTLS_PADLOCK_C)
-#if !defined(MBEDTLS_HAVE_ASM)
-#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
-#endif
-#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
- "MBEDTLS_PADLOCK_C is set"
-#endif
-#endif
-#endif
-
-#if defined(MBEDTLS_PADLOCK_C)
-#include "padlock.h"
-#endif
-#if defined(MBEDTLS_AESNI_C)
-#include "aesni.h"
-#endif
-#if defined(MBEDTLS_AESCE_C)
-#include "aesce.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_AES_ALT)
-
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
-static int aes_padlock_ace = -1;
-#endif
-
-#if defined(MBEDTLS_AES_ROM_TABLES)
-/*
- * Forward S-box
- */
-MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
-{
- 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
- 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
- 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
- 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
- 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
- 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
- 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
- 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
- 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
- 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
- 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
- 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
- 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
- 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
- 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
- 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
- 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
- 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
- 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
- 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
- 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
- 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
- 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
- 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
- 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
- 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
- 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
- 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
- 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
- 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
- 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
- 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
-};
-
-/*
- * Forward tables
- */
-#define FT \
-\
- V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
- V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
- V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
- V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
- V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
- V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
- V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
- V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
- V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
- V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
- V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
- V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
- V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
- V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
- V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
- V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
- V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
- V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
- V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
- V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
- V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
- V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
- V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
- V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
- V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
- V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
- V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
- V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
- V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
- V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
- V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
- V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
- V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
- V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
- V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
- V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
- V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
- V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
- V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
- V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
- V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
- V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
- V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
- V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
- V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
- V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
- V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
- V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
- V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
- V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
- V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
- V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
- V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
- V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
- V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
- V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
- V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
- V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
- V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
- V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
- V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
- V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
- V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
- V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
-
-#define V(a, b, c, d) 0x##a##b##c##d
-MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
-#undef V
-
-#define V(a, b, c, d) 0x##b##c##d##a
-MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
-#undef V
-
-#define V(a, b, c, d) 0x##c##d##a##b
-MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
-#undef V
-
-#define V(a, b, c, d) 0x##d##a##b##c
-MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
-#undef V
-
-#undef FT
-
-/*
- * Reverse S-box
- */
-MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
-{
- 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
- 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
- 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
- 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
- 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
- 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
- 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
- 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
- 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
- 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
- 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
- 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
- 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
- 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
- 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
- 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
- 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
- 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
- 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
- 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
- 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
- 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
- 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
- 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
- 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
- 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
- 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
- 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
- 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
- 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
- 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
- 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
-};
-
-/*
- * Reverse tables
- */
-#define RT \
-\
- V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
- V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
- V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
- V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
- V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
- V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
- V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
- V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
- V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
- V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
- V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
- V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
- V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
- V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
- V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
- V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
- V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
- V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
- V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
- V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
- V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
- V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
- V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
- V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
- V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
- V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
- V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
- V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
- V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
- V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
- V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
- V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
- V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
- V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
- V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
- V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
- V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
- V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
- V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
- V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
- V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
- V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
- V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
- V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
- V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
- V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
- V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
- V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
- V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
- V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
- V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
- V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
- V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
- V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
- V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
- V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
- V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
- V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
- V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
- V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
- V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
- V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
- V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
- V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
-
-
-#define V(a, b, c, d) 0x##a##b##c##d
-MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
-#undef V
-
-#define V(a, b, c, d) 0x##b##c##d##a
-MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
-#undef V
-
-#define V(a, b, c, d) 0x##c##d##a##b
-MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
-#undef V
-
-#define V(a, b, c, d) 0x##d##a##b##c
-MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
-#undef V
-
-#undef RT
-
-/*
- * Round constants
- */
-MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
-{
- 0x00000001, 0x00000002, 0x00000004, 0x00000008,
- 0x00000010, 0x00000020, 0x00000040, 0x00000080,
- 0x0000001B, 0x00000036
-};
-
-#else /* MBEDTLS_AES_ROM_TABLES */
-
-/*
- * Forward S-box & tables
- */
-MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
-
-/*
- * Reverse S-box & tables
- */
-MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
-
-MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
-MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
-
-/*
- * Round constants
- */
-MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
-
-/*
- * Tables generation code
- */
-#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
-#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
-#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
-
-MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
-
-MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
-{
- int i;
- uint8_t x, y, z;
- uint8_t pow[256];
- uint8_t log[256];
-
- /*
- * compute pow and log tables over GF(2^8)
- */
- for (i = 0, x = 1; i < 256; i++) {
- pow[i] = x;
- log[x] = (uint8_t) i;
- x ^= XTIME(x);
- }
-
- /*
- * calculate the round constants
- */
- for (i = 0, x = 1; i < 10; i++) {
- round_constants[i] = x;
- x = XTIME(x);
- }
-
- /*
- * generate the forward and reverse S-boxes
- */
- FSb[0x00] = 0x63;
- RSb[0x63] = 0x00;
-
- for (i = 1; i < 256; i++) {
- x = pow[255 - log[i]];
-
- y = x; y = (y << 1) | (y >> 7);
- x ^= y; y = (y << 1) | (y >> 7);
- x ^= y; y = (y << 1) | (y >> 7);
- x ^= y; y = (y << 1) | (y >> 7);
- x ^= y ^ 0x63;
-
- FSb[i] = x;
- RSb[x] = (unsigned char) i;
- }
-
- /*
- * generate the forward and reverse tables
- */
- for (i = 0; i < 256; i++) {
- x = FSb[i];
- y = XTIME(x);
- z = y ^ x;
-
- FT0[i] = ((uint32_t) y) ^
- ((uint32_t) x << 8) ^
- ((uint32_t) x << 16) ^
- ((uint32_t) z << 24);
-
-#if !defined(MBEDTLS_AES_FEWER_TABLES)
- FT1[i] = ROTL8(FT0[i]);
- FT2[i] = ROTL8(FT1[i]);
- FT3[i] = ROTL8(FT2[i]);
-#endif /* !MBEDTLS_AES_FEWER_TABLES */
-
- x = RSb[i];
-
-#if !defined(MBEDTLS_AES_DECRYPT_ALT) || \
- (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))
- RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
- ((uint32_t) MUL(0x09, x) << 8) ^
- ((uint32_t) MUL(0x0D, x) << 16) ^
- ((uint32_t) MUL(0x0B, x) << 24);
-
-#if !defined(MBEDTLS_AES_FEWER_TABLES)
- RT1[i] = ROTL8(RT0[i]);
- RT2[i] = ROTL8(RT1[i]);
- RT3[i] = ROTL8(RT2[i]);
-#endif /* !MBEDTLS_AES_FEWER_TABLES */
-#endif \
- /* !defined(MBEDTLS_AES_DECRYPT_ALT) || (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)) */
- }
-}
-
-#undef ROTL8
-
-#endif /* MBEDTLS_AES_ROM_TABLES */
-
-#if defined(MBEDTLS_AES_FEWER_TABLES)
-
-#define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
-#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
-#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
-
-#define AES_RT0(idx) RT0[idx]
-#define AES_RT1(idx) ROTL8(RT0[idx])
-#define AES_RT2(idx) ROTL16(RT0[idx])
-#define AES_RT3(idx) ROTL24(RT0[idx])
-
-#define AES_FT0(idx) FT0[idx]
-#define AES_FT1(idx) ROTL8(FT0[idx])
-#define AES_FT2(idx) ROTL16(FT0[idx])
-#define AES_FT3(idx) ROTL24(FT0[idx])
-
-#else /* MBEDTLS_AES_FEWER_TABLES */
-
-#define AES_RT0(idx) RT0[idx]
-#define AES_RT1(idx) RT1[idx]
-#define AES_RT2(idx) RT2[idx]
-#define AES_RT3(idx) RT3[idx]
-
-#define AES_FT0(idx) FT0[idx]
-#define AES_FT1(idx) FT1[idx]
-#define AES_FT2(idx) FT2[idx]
-#define AES_FT3(idx) FT3[idx]
-
-#endif /* MBEDTLS_AES_FEWER_TABLES */
-
-void mbedtls_aes_init(mbedtls_aes_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_aes_context));
-}
-
-void mbedtls_aes_free(mbedtls_aes_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
-{
- mbedtls_aes_init(&ctx->crypt);
- mbedtls_aes_init(&ctx->tweak);
-}
-
-void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_aes_free(&ctx->crypt);
- mbedtls_aes_free(&ctx->tweak);
-}
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-/* Some implementations need the round keys to be aligned.
- * Return an offset to be added to buf, such that (buf + offset) is
- * correctly aligned.
- * Note that the offset is in units of elements of buf, i.e. 32-bit words,
- * i.e. an offset of 1 means 4 bytes and so on.
- */
-#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \
- (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
-#define MAY_NEED_TO_ALIGN
-#endif
-
-MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
-{
-#if defined(MAY_NEED_TO_ALIGN)
- int align_16_bytes = 0;
-
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
- if (aes_padlock_ace == -1) {
- aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
- }
- if (aes_padlock_ace) {
- align_16_bytes = 1;
- }
-#endif
-
-#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
- align_16_bytes = 1;
- }
-#endif
-
- if (align_16_bytes) {
- /* These implementations needs 16-byte alignment
- * for the round key array. */
- unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
- if (delta == 0) {
- return 0;
- } else {
- return 4 - delta; // 16 bytes = 4 uint32_t
- }
- }
-#else /* MAY_NEED_TO_ALIGN */
- (void) buf;
-#endif /* MAY_NEED_TO_ALIGN */
-
- return 0;
-}
-
-/*
- * AES key schedule (encryption)
- */
-#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
-int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
- unsigned int keybits)
-{
- uint32_t *RK;
-
- switch (keybits) {
- case 128: ctx->nr = 10; break;
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- case 192: ctx->nr = 12; break;
- case 256: ctx->nr = 14; break;
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
- default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
- }
-
-#if !defined(MBEDTLS_AES_ROM_TABLES)
- if (aes_init_done == 0) {
- aes_gen_tables();
- aes_init_done = 1;
- }
-#endif
-
- ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
- RK = ctx->buf + ctx->rk_offset;
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
- return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
- }
-#endif
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
- }
-#endif
-
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
- for (unsigned int i = 0; i < (keybits >> 5); i++) {
- RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
- }
-
- switch (ctx->nr) {
- case 10:
-
- for (unsigned int i = 0; i < 10; i++, RK += 4) {
- RK[4] = RK[0] ^ round_constants[i] ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
-
- RK[5] = RK[1] ^ RK[4];
- RK[6] = RK[2] ^ RK[5];
- RK[7] = RK[3] ^ RK[6];
- }
- break;
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- case 12:
-
- for (unsigned int i = 0; i < 8; i++, RK += 6) {
- RK[6] = RK[0] ^ round_constants[i] ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
-
- RK[7] = RK[1] ^ RK[6];
- RK[8] = RK[2] ^ RK[7];
- RK[9] = RK[3] ^ RK[8];
- RK[10] = RK[4] ^ RK[9];
- RK[11] = RK[5] ^ RK[10];
- }
- break;
-
- case 14:
-
- for (unsigned int i = 0; i < 7; i++, RK += 8) {
- RK[8] = RK[0] ^ round_constants[i] ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
-
- RK[9] = RK[1] ^ RK[8];
- RK[10] = RK[2] ^ RK[9];
- RK[11] = RK[3] ^ RK[10];
-
- RK[12] = RK[4] ^
- ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
-
- RK[13] = RK[5] ^ RK[12];
- RK[14] = RK[6] ^ RK[13];
- RK[15] = RK[7] ^ RK[14];
- }
- break;
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
- }
-
- return 0;
-#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
-}
-#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
-
-/*
- * AES key schedule (decryption)
- */
-#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
-int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
- unsigned int keybits)
-{
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
- uint32_t *SK;
-#endif
- int ret;
- mbedtls_aes_context cty;
- uint32_t *RK;
-
-
- mbedtls_aes_init(&cty);
-
- ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
- RK = ctx->buf + ctx->rk_offset;
-
- /* Also checks keybits */
- if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
- goto exit;
- }
-
- ctx->nr = cty.nr;
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
- mbedtls_aesni_inverse_key((unsigned char *) RK,
- (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
- goto exit;
- }
-#endif
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- mbedtls_aesce_inverse_key(
- (unsigned char *) RK,
- (const unsigned char *) (cty.buf + cty.rk_offset),
- ctx->nr);
- goto exit;
- }
-#endif
-
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
- SK = cty.buf + cty.rk_offset + cty.nr * 4;
-
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
- SK -= 8;
- for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
- for (int j = 0; j < 4; j++, SK++) {
- *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
- AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
- AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
- AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
- }
- }
-
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
-#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
-exit:
- mbedtls_aes_free(&cty);
-
- return ret;
-}
-#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
- unsigned int keybits,
- const unsigned char **key1,
- unsigned int *key1bits,
- const unsigned char **key2,
- unsigned int *key2bits)
-{
- const unsigned int half_keybits = keybits / 2;
- const unsigned int half_keybytes = half_keybits / 8;
-
- switch (keybits) {
- case 256: break;
- case 512: break;
- default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
- }
-
- *key1bits = half_keybits;
- *key2bits = half_keybits;
- *key1 = &key[0];
- *key2 = &key[half_keybytes];
-
- return 0;
-}
-
-int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
- const unsigned char *key,
- unsigned int keybits)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *key1, *key2;
- unsigned int key1bits, key2bits;
-
- ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
- &key2, &key2bits);
- if (ret != 0) {
- return ret;
- }
-
- /* Set the tweak key. Always set tweak key for the encryption mode. */
- ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
- if (ret != 0) {
- return ret;
- }
-
- /* Set crypt key for encryption. */
- return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
-}
-
-int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
- const unsigned char *key,
- unsigned int keybits)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *key1, *key2;
- unsigned int key1bits, key2bits;
-
- ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
- &key2, &key2bits);
- if (ret != 0) {
- return ret;
- }
-
- /* Set the tweak key. Always set tweak key for encryption. */
- ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
- if (ret != 0) {
- return ret;
- }
-
- /* Set crypt key for decryption. */
- return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
-}
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
- do \
- { \
- (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
- AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
- AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
- AES_FT3(MBEDTLS_BYTE_3(Y3)); \
- \
- (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
- AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
- AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
- AES_FT3(MBEDTLS_BYTE_3(Y0)); \
- \
- (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
- AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
- AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
- AES_FT3(MBEDTLS_BYTE_3(Y1)); \
- \
- (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
- AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
- AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
- AES_FT3(MBEDTLS_BYTE_3(Y2)); \
- } while (0)
-
-#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
- do \
- { \
- (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
- AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
- AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
- AES_RT3(MBEDTLS_BYTE_3(Y1)); \
- \
- (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
- AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
- AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
- AES_RT3(MBEDTLS_BYTE_3(Y2)); \
- \
- (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
- AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
- AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
- AES_RT3(MBEDTLS_BYTE_3(Y3)); \
- \
- (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
- AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
- AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
- AES_RT3(MBEDTLS_BYTE_3(Y0)); \
- } while (0)
-
-/*
- * AES-ECB block encryption
- */
-#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
-int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
- const unsigned char input[16],
- unsigned char output[16])
-{
- int i;
- uint32_t *RK = ctx->buf + ctx->rk_offset;
- struct {
- uint32_t X[4];
- uint32_t Y[4];
- } t;
-
- t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
- t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
- t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
- t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
-
- for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
- AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
- AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
- }
-
- AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
-
- t.X[0] = *RK++ ^ \
- ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
-
- t.X[1] = *RK++ ^ \
- ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
-
- t.X[2] = *RK++ ^ \
- ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
-
- t.X[3] = *RK++ ^ \
- ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
- ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
-
- MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
- MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
- MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
- MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
-
- mbedtls_platform_zeroize(&t, sizeof(t));
-
- return 0;
-}
-#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
-
-/*
- * AES-ECB block decryption
- */
-#if !defined(MBEDTLS_AES_DECRYPT_ALT)
-int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
- const unsigned char input[16],
- unsigned char output[16])
-{
- int i;
- uint32_t *RK = ctx->buf + ctx->rk_offset;
- struct {
- uint32_t X[4];
- uint32_t Y[4];
- } t;
-
- t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
- t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
- t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
- t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
-
- for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
- AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
- AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
- }
-
- AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
-
- t.X[0] = *RK++ ^ \
- ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
-
- t.X[1] = *RK++ ^ \
- ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
-
- t.X[2] = *RK++ ^ \
- ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
-
- t.X[3] = *RK++ ^ \
- ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
- ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
-
- MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
- MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
- MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
- MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
-
- mbedtls_platform_zeroize(&t, sizeof(t));
-
- return 0;
-}
-#endif /* !MBEDTLS_AES_DECRYPT_ALT */
-
-/* VIA Padlock and our intrinsics-based implementation of AESNI require
- * the round keys to be aligned on a 16-byte boundary. We take care of this
- * before creating them, but the AES context may have moved (this can happen
- * if the library is called from a language with managed memory), and in later
- * calls it might have a different alignment with respect to 16-byte memory.
- * So we may need to realign.
- */
-MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
-{
- unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
- if (new_offset != ctx->rk_offset) {
- memmove(ctx->buf + new_offset, // new address
- ctx->buf + ctx->rk_offset, // current address
- (ctx->nr + 1) * 16); // number of round keys * bytes per rk
- ctx->rk_offset = new_offset;
- }
-}
-
-/*
- * AES-ECB block encryption/decryption
- */
-int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
-#if defined(MAY_NEED_TO_ALIGN)
- aes_maybe_realign(ctx);
-#endif
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
- return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
- }
-#endif
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
- }
-#endif
-
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
- if (aes_padlock_ace > 0) {
- return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
- }
-#endif
-
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
- if (mode == MBEDTLS_AES_ENCRYPT) {
- return mbedtls_internal_aes_encrypt(ctx, input, output);
- } else {
- return mbedtls_internal_aes_decrypt(ctx, input, output);
- }
-#endif
-
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-
-/*
- * AES-CBC buffer encryption/decryption
- */
-int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char temp[16];
-
- if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- /* Nothing to do if length is zero. */
- if (length == 0) {
- return 0;
- }
-
- if (length % 16) {
- return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
- }
-
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
- if (aes_padlock_ace > 0) {
- if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
- return 0;
- }
-
- // If padlock data misaligned, we just fall back to
- // unaccelerated mode
- //
- }
-#endif
-
- const unsigned char *ivp = iv;
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- while (length > 0) {
- memcpy(temp, input, 16);
- ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
- if (ret != 0) {
- goto exit;
- }
- /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
- * the result for the next block in CBC, and the cost of transferring that data from
- * NEON registers, NEON is slower on aarch64. */
- mbedtls_xor_no_simd(output, output, iv, 16);
-
- memcpy(iv, temp, 16);
-
- input += 16;
- output += 16;
- length -= 16;
- }
- } else {
- while (length > 0) {
- mbedtls_xor_no_simd(output, input, ivp, 16);
-
- ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
- if (ret != 0) {
- goto exit;
- }
- ivp = output;
-
- input += 16;
- output += 16;
- length -= 16;
- }
- memcpy(iv, ivp, 16);
- }
- ret = 0;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-
-typedef unsigned char mbedtls_be128[16];
-
-/*
- * GF(2^128) multiplication function
- *
- * This function multiplies a field element by x in the polynomial field
- * representation. It uses 64-bit word operations to gain speed but compensates
- * for machine endianness and hence works correctly on both big and little
- * endian machines.
- */
-#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
-MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
-#endif
-static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
- const unsigned char x[16])
-{
- uint64_t a, b, ra, rb;
-
- a = MBEDTLS_GET_UINT64_LE(x, 0);
- b = MBEDTLS_GET_UINT64_LE(x, 8);
-
- ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
- rb = (a >> 63) | (b << 1);
-
- MBEDTLS_PUT_UINT64_LE(ra, r, 0);
- MBEDTLS_PUT_UINT64_LE(rb, r, 8);
-}
-
-/*
- * AES-XTS buffer encryption/decryption
- *
- * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
- * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
- */
-#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
-MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
-#endif
-int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
- int mode,
- size_t length,
- const unsigned char data_unit[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t blocks = length / 16;
- size_t leftover = length % 16;
- unsigned char tweak[16];
- unsigned char prev_tweak[16];
- unsigned char tmp[16];
-
- if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- /* Data units must be at least 16 bytes long. */
- if (length < 16) {
- return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
- }
-
- /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
- if (length > (1 << 20) * 16) {
- return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
- }
-
- /* Compute the tweak. */
- ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
- data_unit, tweak);
- if (ret != 0) {
- return ret;
- }
-
- while (blocks--) {
- if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
- /* We are on the last block in a decrypt operation that has
- * leftover bytes, so we need to use the next tweak for this block,
- * and this tweak for the leftover bytes. Save the current tweak for
- * the leftovers and then update the current tweak for use on this,
- * the last full block. */
- memcpy(prev_tweak, tweak, sizeof(tweak));
- mbedtls_gf128mul_x_ble(tweak, tweak);
- }
-
- mbedtls_xor(tmp, input, tweak, 16);
-
- ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
- if (ret != 0) {
- return ret;
- }
-
- mbedtls_xor(output, tmp, tweak, 16);
-
- /* Update the tweak for the next block. */
- mbedtls_gf128mul_x_ble(tweak, tweak);
-
- output += 16;
- input += 16;
- }
-
- if (leftover) {
- /* If we are on the leftover bytes in a decrypt operation, we need to
- * use the previous tweak for these bytes (as saved in prev_tweak). */
- unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
-
- /* We are now on the final part of the data unit, which doesn't divide
- * evenly by 16. It's time for ciphertext stealing. */
- size_t i;
- unsigned char *prev_output = output - 16;
-
- /* Copy ciphertext bytes from the previous block to our output for each
- * byte of ciphertext we won't steal. */
- for (i = 0; i < leftover; i++) {
- output[i] = prev_output[i];
- }
-
- /* Copy the remainder of the input for this final round. */
- mbedtls_xor(tmp, input, t, leftover);
-
- /* Copy ciphertext bytes from the previous block for input in this
- * round. */
- mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
-
- ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
- if (ret != 0) {
- return ret;
- }
-
- /* Write the result back to the previous block, overriding the previous
- * output we copied. */
- mbedtls_xor(prev_output, tmp, t, 16);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/*
- * AES-CFB128 buffer encryption/decryption
- */
-int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int c;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
-
- if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- n = *iv_off;
-
- if (n > 15) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- while (length--) {
- if (n == 0) {
- ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
- if (ret != 0) {
- goto exit;
- }
- }
-
- c = *input++;
- *output++ = (unsigned char) (c ^ iv[n]);
- iv[n] = (unsigned char) c;
-
- n = (n + 1) & 0x0F;
- }
- } else {
- while (length--) {
- if (n == 0) {
- ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
- if (ret != 0) {
- goto exit;
- }
- }
-
- iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
-
- n = (n + 1) & 0x0F;
- }
- }
-
- *iv_off = n;
- ret = 0;
-
-exit:
- return ret;
-}
-
-/*
- * AES-CFB8 buffer encryption/decryption
- */
-int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char c;
- unsigned char ov[17];
-
- if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
- while (length--) {
- memcpy(ov, iv, 16);
- ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
- if (ret != 0) {
- goto exit;
- }
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- ov[16] = *input;
- }
-
- c = *output++ = (unsigned char) (iv[0] ^ *input++);
-
- if (mode == MBEDTLS_AES_ENCRYPT) {
- ov[16] = c;
- }
-
- memcpy(iv, ov + 1, 16);
- }
- ret = 0;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
-/*
- * AES-OFB (Output Feedback Mode) buffer encryption/decryption
- */
-int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = 0;
- size_t n;
-
- n = *iv_off;
-
- if (n > 15) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- while (length--) {
- if (n == 0) {
- ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
- if (ret != 0) {
- goto exit;
- }
- }
- *output++ = *input++ ^ iv[n];
-
- n = (n + 1) & 0x0F;
- }
-
- *iv_off = n;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/*
- * AES-CTR buffer encryption/decryption
- */
-int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[16],
- unsigned char stream_block[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int c, i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
-
- n = *nc_off;
-
- if (n > 0x0F) {
- return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
- }
-
- while (length--) {
- if (n == 0) {
- ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
- if (ret != 0) {
- goto exit;
- }
-
- for (i = 16; i > 0; i--) {
- if (++nonce_counter[i - 1] != 0) {
- break;
- }
- }
- }
- c = *input++;
- *output++ = (unsigned char) (c ^ stream_block[n]);
-
- n = (n + 1) & 0x0F;
- }
-
- *nc_off = n;
- ret = 0;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#endif /* !MBEDTLS_AES_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * AES test vectors from:
- *
- * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
- */
-static const unsigned char aes_test_ecb_dec[][16] =
-{
- { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
- 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
- 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
- { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
- 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
-#endif
-};
-
-static const unsigned char aes_test_ecb_enc[][16] =
-{
- { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
- 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
- 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
- { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
- 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
-#endif
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const unsigned char aes_test_cbc_dec[][16] =
-{
- { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
- 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
- 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
- { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
- 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
-#endif
-};
-
-static const unsigned char aes_test_cbc_enc[][16] =
-{
- { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
- 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
- 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
- { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
- 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
-#endif
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/*
- * AES-CFB128 test vectors from:
- *
- * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
- */
-static const unsigned char aes_test_cfb128_key[][32] =
-{
- { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
- 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
- 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
- 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
- { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
- 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
- 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
- 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-#endif
-};
-
-static const unsigned char aes_test_cfb128_iv[16] =
-{
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-};
-
-static const unsigned char aes_test_cfb128_pt[64] =
-{
- 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
- 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
- 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
- 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
- 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
- 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
- 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
- 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
-};
-
-static const unsigned char aes_test_cfb128_ct[][64] =
-{
- { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
- 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
- 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
- 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
- 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
- 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
- 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
- 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
- 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
- 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
- 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
- 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
- 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
- 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
- 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
- { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
- 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
- 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
- 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
- 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
- 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
- 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
- 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
-#endif
-};
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
-/*
- * AES-OFB test vectors from:
- *
- * https://csrc.nist.gov/publications/detail/sp/800-38a/final
- */
-static const unsigned char aes_test_ofb_key[][32] =
-{
- { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
- 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
- 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
- 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
- { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
- 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
- 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
- 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-#endif
-};
-
-static const unsigned char aes_test_ofb_iv[16] =
-{
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-};
-
-static const unsigned char aes_test_ofb_pt[64] =
-{
- 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
- 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
- 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
- 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
- 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
- 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
- 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
- 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
-};
-
-static const unsigned char aes_test_ofb_ct[][64] =
-{
- { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
- 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
- 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
- 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
- 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
- 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
- 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
- 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
- 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
- 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
- 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
- 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
- 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
- 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
- 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
- { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
- 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
- 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
- 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
- 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
- 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
- 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
- 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
-#endif
-};
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/*
- * AES-CTR test vectors from:
- *
- * http://www.faqs.org/rfcs/rfc3686.html
- */
-
-static const unsigned char aes_test_ctr_key[][16] =
-{
- { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
- 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
- { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
- 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
- { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
- 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
-};
-
-static const unsigned char aes_test_ctr_nonce_counter[][16] =
-{
- { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
- { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
- 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
- { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
- 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
-};
-
-static const unsigned char aes_test_ctr_pt[][48] =
-{
- { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
- 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
-
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
- 0x20, 0x21, 0x22, 0x23 }
-};
-
-static const unsigned char aes_test_ctr_ct[][48] =
-{
- { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
- 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
- { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
- 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
- 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
- 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
- { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
- 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
- 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
- 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
- 0x25, 0xB2, 0x07, 0x2F }
-};
-
-static const int aes_test_ctr_len[3] =
-{ 16, 32, 36 };
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-/*
- * AES-XTS test vectors from:
- *
- * IEEE P1619/D16 Annex B
- * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
- * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
- */
-static const unsigned char aes_test_xts_key[][32] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
- 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
- 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
- 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
- { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
- 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
- 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
- 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
-};
-
-static const unsigned char aes_test_xts_pt32[][32] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
- { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
- 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
-};
-
-static const unsigned char aes_test_xts_ct32[][32] =
-{
- { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
- 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
- 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
- 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
- { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
- 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
- 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
- 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
- { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
- 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
- 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
- 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
-};
-
-static const unsigned char aes_test_xts_data_unit[][16] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-};
-
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-/*
- * Checkup routine
- */
-int mbedtls_aes_self_test(int verbose)
-{
- int ret = 0, i, j, u, mode;
- unsigned int keybits;
- unsigned char key[32];
- unsigned char buf[64];
- const unsigned char *aes_tests;
-#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
- defined(MBEDTLS_CIPHER_MODE_OFB)
- unsigned char iv[16];
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- unsigned char prv[16];
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
- defined(MBEDTLS_CIPHER_MODE_OFB)
- size_t offset;
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
- int len;
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- unsigned char nonce_counter[16];
- unsigned char stream_block[16];
-#endif
- mbedtls_aes_context ctx;
-
- memset(key, 0, 32);
- mbedtls_aes_init(&ctx);
-
- if (verbose != 0) {
-#if defined(MBEDTLS_AES_ALT)
- mbedtls_printf(" AES note: alternative implementation.\n");
-#else /* MBEDTLS_AES_ALT */
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
-#if MBEDTLS_AESNI_HAVE_CODE == 1
- mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
-#elif MBEDTLS_AESNI_HAVE_CODE == 2
- mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
-#else
-#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
-#endif
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
- mbedtls_printf(" AES note: using AESNI.\n");
- } else
-#endif
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
- if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
- mbedtls_printf(" AES note: using VIA Padlock.\n");
- } else
-#endif
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- mbedtls_printf(" AES note: using AESCE.\n");
- } else
-#endif
- {
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
- mbedtls_printf(" AES note: built-in implementation.\n");
-#endif
- }
-#endif /* MBEDTLS_AES_ALT */
- }
-
- /*
- * ECB mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_ecb_dec) / sizeof(*aes_test_ecb_dec);
-
- for (i = 0; i < num_tests << 1; i++) {
- u = i >> 1;
- keybits = 128 + u * 64;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memset(buf, 0, 16);
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
- aes_tests = aes_test_ecb_dec[u];
- } else {
- ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
- aes_tests = aes_test_ecb_enc[u];
- }
-
- /*
- * AES-192 is an optional feature that may be unavailable when
- * there is an alternative underlying implementation i.e. when
- * MBEDTLS_AES_ALT is defined.
- */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
- mbedtls_printf("skipped\n");
- continue;
- } else if (ret != 0) {
- goto exit;
- }
-
- for (j = 0; j < 10000; j++) {
- ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
- if (ret != 0) {
- goto exit;
- }
- }
-
- if (memcmp(buf, aes_tests, 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- /*
- * CBC mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
-
- for (i = 0; i < num_tests << 1; i++) {
- u = i >> 1;
- keybits = 128 + u * 64;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memset(iv, 0, 16);
- memset(prv, 0, 16);
- memset(buf, 0, 16);
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
- aes_tests = aes_test_cbc_dec[u];
- } else {
- ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
- aes_tests = aes_test_cbc_enc[u];
- }
-
- /*
- * AES-192 is an optional feature that may be unavailable when
- * there is an alternative underlying implementation i.e. when
- * MBEDTLS_AES_ALT is defined.
- */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
- mbedtls_printf("skipped\n");
- continue;
- } else if (ret != 0) {
- goto exit;
- }
-
- for (j = 0; j < 10000; j++) {
- if (mode == MBEDTLS_AES_ENCRYPT) {
- unsigned char tmp[16];
-
- memcpy(tmp, prv, 16);
- memcpy(prv, buf, 16);
- memcpy(buf, tmp, 16);
- }
-
- ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
- if (ret != 0) {
- goto exit;
- }
-
- }
-
- if (memcmp(buf, aes_tests, 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- /*
- * CFB128 mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
-
- for (i = 0; i < num_tests << 1; i++) {
- u = i >> 1;
- keybits = 128 + u * 64;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(iv, aes_test_cfb128_iv, 16);
- memcpy(key, aes_test_cfb128_key[u], keybits / 8);
-
- offset = 0;
- ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
- /*
- * AES-192 is an optional feature that may be unavailable when
- * there is an alternative underlying implementation i.e. when
- * MBEDTLS_AES_ALT is defined.
- */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
- mbedtls_printf("skipped\n");
- continue;
- } else if (ret != 0) {
- goto exit;
- }
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- memcpy(buf, aes_test_cfb128_ct[u], 64);
- aes_tests = aes_test_cfb128_pt;
- } else {
- memcpy(buf, aes_test_cfb128_pt, 64);
- aes_tests = aes_test_cfb128_ct[u];
- }
-
- ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, aes_tests, 64) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- /*
- * OFB mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
-
- for (i = 0; i < num_tests << 1; i++) {
- u = i >> 1;
- keybits = 128 + u * 64;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(iv, aes_test_ofb_iv, 16);
- memcpy(key, aes_test_ofb_key[u], keybits / 8);
-
- offset = 0;
- ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
- /*
- * AES-192 is an optional feature that may be unavailable when
- * there is an alternative underlying implementation i.e. when
- * MBEDTLS_AES_ALT is defined.
- */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
- mbedtls_printf("skipped\n");
- continue;
- } else if (ret != 0) {
- goto exit;
- }
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- memcpy(buf, aes_test_ofb_ct[u], 64);
- aes_tests = aes_test_ofb_pt;
- } else {
- memcpy(buf, aes_test_ofb_pt, 64);
- aes_tests = aes_test_ofb_ct[u];
- }
-
- ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, aes_tests, 64) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- /*
- * CTR mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
-
- for (i = 0; i < num_tests << 1; i++) {
- u = i >> 1;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-CTR-128 (%s): ",
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
- memcpy(key, aes_test_ctr_key[u], 16);
-
- offset = 0;
- if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
- goto exit;
- }
-
- len = aes_test_ctr_len[u];
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- memcpy(buf, aes_test_ctr_ct[u], len);
- aes_tests = aes_test_ctr_pt[u];
- } else {
- memcpy(buf, aes_test_ctr_pt[u], len);
- aes_tests = aes_test_ctr_ct[u];
- }
-
- ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
- stream_block, buf, buf);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, aes_tests, len) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- /*
- * XTS mode
- */
- {
- static const int num_tests =
- sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
- mbedtls_aes_xts_context ctx_xts;
-
- mbedtls_aes_xts_init(&ctx_xts);
-
- for (i = 0; i < num_tests << 1; i++) {
- const unsigned char *data_unit;
- u = i >> 1;
- mode = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" AES-XTS-128 (%s): ",
- (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
- }
-
- memset(key, 0, sizeof(key));
- memcpy(key, aes_test_xts_key[u], 32);
- data_unit = aes_test_xts_data_unit[u];
-
- len = sizeof(*aes_test_xts_ct32);
-
- if (mode == MBEDTLS_AES_DECRYPT) {
- ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
- if (ret != 0) {
- goto exit;
- }
- memcpy(buf, aes_test_xts_ct32[u], len);
- aes_tests = aes_test_xts_pt32[u];
- } else {
- ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
- if (ret != 0) {
- goto exit;
- }
- memcpy(buf, aes_test_xts_pt32[u], len);
- aes_tests = aes_test_xts_ct32[u];
- }
-
-
- ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
- buf, buf);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, aes_tests, len) != 0) {
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- mbedtls_aes_xts_free(&ctx_xts);
- }
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
- ret = 0;
-
-exit:
- if (ret != 0 && verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- mbedtls_aes_free(&ctx);
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_AES_C */
diff --git a/library/aesce.c b/library/aesce.c
deleted file mode 100644
index 8b42b03..0000000
--- a/library/aesce.c
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Armv8-A Cryptographic Extension support functions for Aarch64
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \
- defined(__clang__) && __clang_major__ >= 4
-/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
- *
- * The intrinsic declaration are guarded by predefined ACLE macros in clang:
- * these are normally only enabled by the -march option on the command line.
- * By defining the macros ourselves we gain access to those declarations without
- * requiring -march on the command line.
- *
- * `arm_neon.h` could be included by any header file, so we put these defines
- * at the top of this file, before any includes.
- */
-#define __ARM_FEATURE_CRYPTO 1
-/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
- *
- * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
- * for older compilers.
- */
-#define __ARM_FEATURE_AES 1
-#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
-#endif
-
-#include <string.h>
-#include "common.h"
-
-#if defined(MBEDTLS_AESCE_C)
-
-#include "aesce.h"
-
-#if defined(MBEDTLS_ARCH_IS_ARM64)
-
-/* Compiler version checks. */
-#if defined(__clang__)
-# if __clang_major__ < 4
-# error "Minimum version of Clang for MBEDTLS_AESCE_C is 4.0."
-# endif
-#elif defined(__GNUC__)
-# if __GNUC__ < 6
-# error "Minimum version of GCC for MBEDTLS_AESCE_C is 6.0."
-# endif
-#elif defined(_MSC_VER)
-/* TODO: We haven't verified MSVC from 1920 to 1928. If someone verified that,
- * please update this and document of `MBEDTLS_AESCE_C` in
- * `mbedtls_config.h`. */
-# if _MSC_VER < 1929
-# error "Minimum version of MSVC for MBEDTLS_AESCE_C is 2019 version 16.11.2."
-# endif
-#endif
-
-#ifdef __ARM_NEON
-#include <arm_neon.h>
-#else
-#error "Target does not support NEON instructions"
-#endif
-
-#if !(defined(__ARM_FEATURE_CRYPTO) || defined(__ARM_FEATURE_AES)) || \
- defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
-# if defined(__ARMCOMPILER_VERSION)
-# if __ARMCOMPILER_VERSION <= 6090000
-# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_AESCE_C"
-# else
-# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# endif
-# elif defined(__clang__)
-# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# elif defined(__GNUC__)
-# pragma GCC push_options
-# pragma GCC target ("+crypto")
-# define MBEDTLS_POP_TARGET_PRAGMA
-# elif defined(_MSC_VER)
-# error "Required feature(__ARM_FEATURE_AES) is not enabled."
-# endif
-#endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) ||
- MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
-
-#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-
-#include <asm/hwcap.h>
-#include <sys/auxv.h>
-
-signed char mbedtls_aesce_has_support_result = -1;
-
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-/*
- * AES instruction support detection routine
- */
-int mbedtls_aesce_has_support_impl(void)
-{
- /* To avoid many calls to getauxval, cache the result. This is
- * thread-safe, because we store the result in a char so cannot
- * be vulnerable to non-atomic updates.
- * It is possible that we could end up setting result more than
- * once, but that is harmless.
- */
- if (mbedtls_aesce_has_support_result == -1) {
- unsigned long auxval = getauxval(AT_HWCAP);
- if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
- (HWCAP_ASIMD | HWCAP_AES)) {
- mbedtls_aesce_has_support_result = 1;
- } else {
- mbedtls_aesce_has_support_result = 0;
- }
- }
- return mbedtls_aesce_has_support_result;
-}
-#endif
-
-#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
-
-/* Single round of AESCE encryption */
-#define AESCE_ENCRYPT_ROUND \
- block = vaeseq_u8(block, vld1q_u8(keys)); \
- block = vaesmcq_u8(block); \
- keys += 16
-/* Two rounds of AESCE encryption */
-#define AESCE_ENCRYPT_ROUND_X2 AESCE_ENCRYPT_ROUND; AESCE_ENCRYPT_ROUND
-
-MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
-static uint8x16_t aesce_encrypt_block(uint8x16_t block,
- unsigned char *keys,
- int rounds)
-{
- /* 10, 12 or 14 rounds. Unroll loop. */
- if (rounds == 10) {
- goto rounds_10;
- }
- if (rounds == 12) {
- goto rounds_12;
- }
- AESCE_ENCRYPT_ROUND_X2;
-rounds_12:
- AESCE_ENCRYPT_ROUND_X2;
-rounds_10:
- AESCE_ENCRYPT_ROUND_X2;
- AESCE_ENCRYPT_ROUND_X2;
- AESCE_ENCRYPT_ROUND_X2;
- AESCE_ENCRYPT_ROUND_X2;
- AESCE_ENCRYPT_ROUND;
-
- /* AES AddRoundKey for the previous round.
- * SubBytes, ShiftRows for the final round. */
- block = vaeseq_u8(block, vld1q_u8(keys));
- keys += 16;
-
- /* Final round: no MixColumns */
-
- /* Final AddRoundKey */
- block = veorq_u8(block, vld1q_u8(keys));
-
- return block;
-}
-
-/* Single round of AESCE decryption
- *
- * AES AddRoundKey, SubBytes, ShiftRows
- *
- * block = vaesdq_u8(block, vld1q_u8(keys));
- *
- * AES inverse MixColumns for the next round.
- *
- * This means that we switch the order of the inverse AddRoundKey and
- * inverse MixColumns operations. We have to do this as AddRoundKey is
- * done in an atomic instruction together with the inverses of SubBytes
- * and ShiftRows.
- *
- * It works because MixColumns is a linear operation over GF(2^8) and
- * AddRoundKey is an exclusive or, which is equivalent to addition over
- * GF(2^8). (The inverse of MixColumns needs to be applied to the
- * affected round keys separately which has been done when the
- * decryption round keys were calculated.)
- *
- * block = vaesimcq_u8(block);
- */
-#define AESCE_DECRYPT_ROUND \
- block = vaesdq_u8(block, vld1q_u8(keys)); \
- block = vaesimcq_u8(block); \
- keys += 16
-/* Two rounds of AESCE decryption */
-#define AESCE_DECRYPT_ROUND_X2 AESCE_DECRYPT_ROUND; AESCE_DECRYPT_ROUND
-
-static uint8x16_t aesce_decrypt_block(uint8x16_t block,
- unsigned char *keys,
- int rounds)
-{
- /* 10, 12 or 14 rounds. Unroll loop. */
- if (rounds == 10) {
- goto rounds_10;
- }
- if (rounds == 12) {
- goto rounds_12;
- }
- AESCE_DECRYPT_ROUND_X2;
-rounds_12:
- AESCE_DECRYPT_ROUND_X2;
-rounds_10:
- AESCE_DECRYPT_ROUND_X2;
- AESCE_DECRYPT_ROUND_X2;
- AESCE_DECRYPT_ROUND_X2;
- AESCE_DECRYPT_ROUND_X2;
- AESCE_DECRYPT_ROUND;
-
- /* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
- * last full round. */
- block = vaesdq_u8(block, vld1q_u8(keys));
- keys += 16;
-
- /* Inverse AddRoundKey for inverting the initial round key addition. */
- block = veorq_u8(block, vld1q_u8(keys));
-
- return block;
-}
-
-/*
- * AES-ECB block en(de)cryption
- */
-int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- uint8x16_t block = vld1q_u8(&input[0]);
- unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset);
-
- if (mode == MBEDTLS_AES_ENCRYPT) {
- block = aesce_encrypt_block(block, keys, ctx->nr);
- } else {
- block = aesce_decrypt_block(block, keys, ctx->nr);
- }
- vst1q_u8(&output[0], block);
-
- return 0;
-}
-
-/*
- * Compute decryption round keys from encryption round keys
- */
-void mbedtls_aesce_inverse_key(unsigned char *invkey,
- const unsigned char *fwdkey,
- int nr)
-{
- int i, j;
- j = nr;
- vst1q_u8(invkey, vld1q_u8(fwdkey + j * 16));
- for (i = 1, j--; j > 0; i++, j--) {
- vst1q_u8(invkey + i * 16,
- vaesimcq_u8(vld1q_u8(fwdkey + j * 16)));
- }
- vst1q_u8(invkey + i * 16, vld1q_u8(fwdkey + j * 16));
-
-}
-
-static inline uint32_t aes_rot_word(uint32_t word)
-{
- return (word << (32 - 8)) | (word >> 8);
-}
-
-static inline uint32_t aes_sub_word(uint32_t in)
-{
- uint8x16_t v = vreinterpretq_u8_u32(vdupq_n_u32(in));
- uint8x16_t zero = vdupq_n_u8(0);
-
- /* vaeseq_u8 does both SubBytes and ShiftRows. Taking the first row yields
- * the correct result as ShiftRows doesn't change the first row. */
- v = vaeseq_u8(zero, v);
- return vgetq_lane_u32(vreinterpretq_u32_u8(v), 0);
-}
-
-/*
- * Key expansion function
- */
-static void aesce_setkey_enc(unsigned char *rk,
- const unsigned char *key,
- const size_t key_bit_length)
-{
- static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10,
- 0x20, 0x40, 0x80, 0x1b, 0x36 };
- /* See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
- * - Section 5, Nr = Nk + 6
- * - Section 5.2, the length of round keys is Nb*(Nr+1)
- */
- const uint32_t key_len_in_words = key_bit_length / 32; /* Nk */
- const size_t round_key_len_in_words = 4; /* Nb */
- const size_t rounds_needed = key_len_in_words + 6; /* Nr */
- const size_t round_keys_len_in_words =
- round_key_len_in_words * (rounds_needed + 1); /* Nb*(Nr+1) */
- const uint32_t *rko_end = (uint32_t *) rk + round_keys_len_in_words;
-
- memcpy(rk, key, key_len_in_words * 4);
-
- for (uint32_t *rki = (uint32_t *) rk;
- rki + key_len_in_words < rko_end;
- rki += key_len_in_words) {
-
- size_t iteration = (rki - (uint32_t *) rk) / key_len_in_words;
- uint32_t *rko;
- rko = rki + key_len_in_words;
- rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1]));
- rko[0] ^= rcon[iteration] ^ rki[0];
- rko[1] = rko[0] ^ rki[1];
- rko[2] = rko[1] ^ rki[2];
- rko[3] = rko[2] ^ rki[3];
- if (rko + key_len_in_words > rko_end) {
- /* Do not write overflow words.*/
- continue;
- }
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- switch (key_bit_length) {
- case 128:
- break;
- case 192:
- rko[4] = rko[3] ^ rki[4];
- rko[5] = rko[4] ^ rki[5];
- break;
- case 256:
- rko[4] = aes_sub_word(rko[3]) ^ rki[4];
- rko[5] = rko[4] ^ rki[5];
- rko[6] = rko[5] ^ rki[6];
- rko[7] = rko[6] ^ rki[7];
- break;
- }
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
- }
-}
-
-/*
- * Key expansion, wrapper
- */
-int mbedtls_aesce_setkey_enc(unsigned char *rk,
- const unsigned char *key,
- size_t bits)
-{
- switch (bits) {
- case 128:
- case 192:
- case 256:
- aesce_setkey_enc(rk, key, bits);
- break;
- default:
- return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_GCM_C)
-
-#if !defined(__clang__) && defined(__GNUC__) && __GNUC__ == 5
-/* Some intrinsics are not available for GCC 5.X. */
-#define vreinterpretq_p64_u8(a) ((poly64x2_t) a)
-#define vreinterpretq_u8_p128(a) ((uint8x16_t) a)
-static inline poly64_t vget_low_p64(poly64x2_t __a)
-{
- uint64x2_t tmp = (uint64x2_t) (__a);
- uint64x1_t lo = vcreate_u64(vgetq_lane_u64(tmp, 0));
- return (poly64_t) (lo);
-}
-#endif /* !__clang__ && __GNUC__ && __GNUC__ == 5*/
-
-/* vmull_p64/vmull_high_p64 wrappers.
- *
- * Older compilers miss some intrinsic functions for `poly*_t`. We use
- * uint8x16_t and uint8x16x3_t as input/output parameters.
- */
-#if defined(__GNUC__) && !defined(__clang__)
-/* GCC reports incompatible type error without cast. GCC think poly64_t and
- * poly64x1_t are different, that is different with MSVC and Clang. */
-#define MBEDTLS_VMULL_P64(a, b) vmull_p64((poly64_t) a, (poly64_t) b)
-#else
-/* MSVC reports `error C2440: 'type cast'` with cast. Clang does not report
- * error with/without cast. And I think poly64_t and poly64x1_t are same, no
- * cast for clang also. */
-#define MBEDTLS_VMULL_P64(a, b) vmull_p64(a, b)
-#endif
-static inline uint8x16_t pmull_low(uint8x16_t a, uint8x16_t b)
-{
-
- return vreinterpretq_u8_p128(
- MBEDTLS_VMULL_P64(
- vget_low_p64(vreinterpretq_p64_u8(a)),
- vget_low_p64(vreinterpretq_p64_u8(b))
- ));
-}
-
-static inline uint8x16_t pmull_high(uint8x16_t a, uint8x16_t b)
-{
- return vreinterpretq_u8_p128(
- vmull_high_p64(vreinterpretq_p64_u8(a),
- vreinterpretq_p64_u8(b)));
-}
-
-/* GHASH does 128b polynomial multiplication on block in GF(2^128) defined by
- * `x^128 + x^7 + x^2 + x + 1`.
- *
- * Arm64 only has 64b->128b polynomial multipliers, we need to do 4 64b
- * multiplies to generate a 128b.
- *
- * `poly_mult_128` executes polynomial multiplication and outputs 256b that
- * represented by 3 128b due to code size optimization.
- *
- * Output layout:
- * | | | |
- * |------------|-------------|-------------|
- * | ret.val[0] | h3:h2:00:00 | high 128b |
- * | ret.val[1] | :m2:m1:00 | middle 128b |
- * | ret.val[2] | : :l1:l0 | low 128b |
- */
-static inline uint8x16x3_t poly_mult_128(uint8x16_t a, uint8x16_t b)
-{
- uint8x16x3_t ret;
- uint8x16_t h, m, l; /* retval high/middle/low */
- uint8x16_t c, d, e;
-
- h = pmull_high(a, b); /* h3:h2:00:00 = a1*b1 */
- l = pmull_low(a, b); /* : :l1:l0 = a0*b0 */
- c = vextq_u8(b, b, 8); /* :c1:c0 = b0:b1 */
- d = pmull_high(a, c); /* :d2:d1:00 = a1*b0 */
- e = pmull_low(a, c); /* :e2:e1:00 = a0*b1 */
- m = veorq_u8(d, e); /* :m2:m1:00 = d + e */
-
- ret.val[0] = h;
- ret.val[1] = m;
- ret.val[2] = l;
- return ret;
-}
-
-/*
- * Modulo reduction.
- *
- * See: https://www.researchgate.net/publication/285612706_Implementing_GCM_on_ARMv8
- *
- * Section 4.3
- *
- * Modular reduction is slightly more complex. Write the GCM modulus as f(z) =
- * z^128 +r(z), where r(z) = z^7+z^2+z+ 1. The well known approach is to
- * consider that z^128 ≡r(z) (mod z^128 +r(z)), allowing us to write the 256-bit
- * operand to be reduced as a(z) = h(z)z^128 +l(z)≡h(z)r(z) + l(z). That is, we
- * simply multiply the higher part of the operand by r(z) and add it to l(z). If
- * the result is still larger than 128 bits, we reduce again.
- */
-static inline uint8x16_t poly_mult_reduce(uint8x16x3_t input)
-{
- uint8x16_t const ZERO = vdupq_n_u8(0);
-
- uint64x2_t r = vreinterpretq_u64_u8(vdupq_n_u8(0x87));
-#if defined(__GNUC__)
- /* use 'asm' as an optimisation barrier to prevent loading MODULO from
- * memory. It is for GNUC compatible compilers.
- */
- asm ("" : "+w" (r));
-#endif
- uint8x16_t const MODULO = vreinterpretq_u8_u64(vshrq_n_u64(r, 64 - 8));
- uint8x16_t h, m, l; /* input high/middle/low 128b */
- uint8x16_t c, d, e, f, g, n, o;
- h = input.val[0]; /* h3:h2:00:00 */
- m = input.val[1]; /* :m2:m1:00 */
- l = input.val[2]; /* : :l1:l0 */
- c = pmull_high(h, MODULO); /* :c2:c1:00 = reduction of h3 */
- d = pmull_low(h, MODULO); /* : :d1:d0 = reduction of h2 */
- e = veorq_u8(c, m); /* :e2:e1:00 = m2:m1:00 + c2:c1:00 */
- f = pmull_high(e, MODULO); /* : :f1:f0 = reduction of e2 */
- g = vextq_u8(ZERO, e, 8); /* : :g1:00 = e1:00 */
- n = veorq_u8(d, l); /* : :n1:n0 = d1:d0 + l1:l0 */
- o = veorq_u8(n, f); /* o1:o0 = f1:f0 + n1:n0 */
- return veorq_u8(o, g); /* = o1:o0 + g1:00 */
-}
-
-/*
- * GCM multiplication: c = a times b in GF(2^128)
- */
-void mbedtls_aesce_gcm_mult(unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16])
-{
- uint8x16_t va, vb, vc;
- va = vrbitq_u8(vld1q_u8(&a[0]));
- vb = vrbitq_u8(vld1q_u8(&b[0]));
- vc = vrbitq_u8(poly_mult_reduce(poly_mult_128(va, vb)));
- vst1q_u8(&c[0], vc);
-}
-
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_POP_TARGET_PRAGMA)
-#if defined(__clang__)
-#pragma clang attribute pop
-#elif defined(__GNUC__)
-#pragma GCC pop_options
-#endif
-#undef MBEDTLS_POP_TARGET_PRAGMA
-#endif
-
-#endif /* MBEDTLS_ARCH_IS_ARM64 */
-
-#endif /* MBEDTLS_AESCE_C */
diff --git a/library/aesce.h b/library/aesce.h
deleted file mode 100644
index d24c423..0000000
--- a/library/aesce.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/**
- * \file aesce.h
- *
- * \brief Support hardware AES acceleration on Armv8-A processors with
- * the Armv8-A Cryptographic Extension in AArch64 execution state.
- *
- * \warning These functions are only for internal use by other library
- * functions; you must not call them directly.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_AESCE_H
-#define MBEDTLS_AESCE_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/aes.h"
-
-
-#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_ARCH_IS_ARM64)
-
-#define MBEDTLS_AESCE_HAVE_CODE
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-
-extern signed char mbedtls_aesce_has_support_result;
-
-/**
- * \brief Internal function to detect the crypto extension in CPUs.
- *
- * \return 1 if CPU has support for the feature, 0 otherwise
- */
-int mbedtls_aesce_has_support_impl(void);
-
-#define MBEDTLS_AESCE_HAS_SUPPORT() (mbedtls_aesce_has_support_result == -1 ? \
- mbedtls_aesce_has_support_impl() : \
- mbedtls_aesce_has_support_result)
-
-#else /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
-
-/* If we are not on Linux, we can't detect support so assume that it's supported.
- * Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set.
- */
-#define MBEDTLS_AESCE_HAS_SUPPORT() 1
-
-#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
-
-/**
- * \brief Internal AES-ECB block encryption and decryption
- *
- * \warning This assumes that the context specifies either 10, 12 or 14
- * rounds and will behave incorrectly if this is not the case.
- *
- * \param ctx AES context
- * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- * \param input 16-byte input block
- * \param output 16-byte output block
- *
- * \return 0 on success (cannot fail)
- */
-int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16]);
-
-/**
- * \brief Internal GCM multiplication: c = a * b in GF(2^128)
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param c Result
- * \param a First operand
- * \param b Second operand
- *
- * \note Both operands and result are bit strings interpreted as
- * elements of GF(2^128) as per the GCM spec.
- */
-void mbedtls_aesce_gcm_mult(unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16]);
-
-
-/**
- * \brief Internal round key inversion. This function computes
- * decryption round keys from the encryption round keys.
- *
- * \param invkey Round keys for the equivalent inverse cipher
- * \param fwdkey Original round keys (for encryption)
- * \param nr Number of rounds (that is, number of round keys minus one)
- */
-void mbedtls_aesce_inverse_key(unsigned char *invkey,
- const unsigned char *fwdkey,
- int nr);
-
-/**
- * \brief Internal key expansion for encryption
- *
- * \param rk Destination buffer where the round keys are written
- * \param key Encryption key
- * \param bits Key size in bits (must be 128, 192 or 256)
- *
- * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
- */
-int mbedtls_aesce_setkey_enc(unsigned char *rk,
- const unsigned char *key,
- size_t bits);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_AESCE_C && MBEDTLS_ARCH_IS_ARM64 */
-
-#endif /* MBEDTLS_AESCE_H */
diff --git a/library/aesni.c b/library/aesni.c
deleted file mode 100644
index 5f25a82..0000000
--- a/library/aesni.c
+++ /dev/null
@@ -1,814 +0,0 @@
-/*
- * AES-NI support functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * [AES-WP] https://www.intel.com/content/www/us/en/developer/articles/tool/intel-advanced-encryption-standard-aes-instructions-set.html
- * [CLMUL-WP] https://www.intel.com/content/www/us/en/develop/download/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode.html
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_AESNI_C)
-
-#include "aesni.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
-
-#if MBEDTLS_AESNI_HAVE_CODE == 2
-#if !defined(_WIN32)
-#include <cpuid.h>
-#else
-#include <intrin.h>
-#endif
-#include <immintrin.h>
-#endif
-
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-/*
- * AES-NI support detection routine
- */
-int mbedtls_aesni_has_support(unsigned int what)
-{
- static int done = 0;
- static unsigned int c = 0;
-
- if (!done) {
-#if MBEDTLS_AESNI_HAVE_CODE == 2
- static unsigned info[4] = { 0, 0, 0, 0 };
-#if defined(_MSC_VER)
- __cpuid(info, 1);
-#else
- __cpuid(1, info[0], info[1], info[2], info[3]);
-#endif
- c = info[2];
-#else /* AESNI using asm */
- asm ("movl $1, %%eax \n\t"
- "cpuid \n\t"
- : "=c" (c)
- :
- : "eax", "ebx", "edx");
-#endif /* MBEDTLS_AESNI_HAVE_CODE */
- done = 1;
- }
-
- return (c & what) != 0;
-}
-#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
-
-#if MBEDTLS_AESNI_HAVE_CODE == 2
-
-/*
- * AES-NI AES-ECB block en(de)cryption
- */
-int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- const __m128i *rk = (const __m128i *) (ctx->buf + ctx->rk_offset);
- unsigned nr = ctx->nr; // Number of remaining rounds
-
- // Load round key 0
- __m128i state;
- memcpy(&state, input, 16);
- state = _mm_xor_si128(state, rk[0]); // state ^= *rk;
- ++rk;
- --nr;
-
- if (mode == 0) {
- while (nr != 0) {
- state = _mm_aesdec_si128(state, *rk);
- ++rk;
- --nr;
- }
- state = _mm_aesdeclast_si128(state, *rk);
- } else {
- while (nr != 0) {
- state = _mm_aesenc_si128(state, *rk);
- ++rk;
- --nr;
- }
- state = _mm_aesenclast_si128(state, *rk);
- }
-
- memcpy(output, &state, 16);
- return 0;
-}
-
-/*
- * GCM multiplication: c = a times b in GF(2^128)
- * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
- */
-
-static void gcm_clmul(const __m128i aa, const __m128i bb,
- __m128i *cc, __m128i *dd)
-{
- /*
- * Caryless multiplication dd:cc = aa * bb
- * using [CLMUL-WP] algorithm 1 (p. 12).
- */
- *cc = _mm_clmulepi64_si128(aa, bb, 0x00); // a0*b0 = c1:c0
- *dd = _mm_clmulepi64_si128(aa, bb, 0x11); // a1*b1 = d1:d0
- __m128i ee = _mm_clmulepi64_si128(aa, bb, 0x10); // a0*b1 = e1:e0
- __m128i ff = _mm_clmulepi64_si128(aa, bb, 0x01); // a1*b0 = f1:f0
- ff = _mm_xor_si128(ff, ee); // e1+f1:e0+f0
- ee = ff; // e1+f1:e0+f0
- ff = _mm_srli_si128(ff, 8); // 0:e1+f1
- ee = _mm_slli_si128(ee, 8); // e0+f0:0
- *dd = _mm_xor_si128(*dd, ff); // d1:d0+e1+f1
- *cc = _mm_xor_si128(*cc, ee); // c1+e0+f0:c0
-}
-
-static void gcm_shift(__m128i *cc, __m128i *dd)
-{
- /* [CMUCL-WP] Algorithm 5 Step 1: shift cc:dd one bit to the left,
- * taking advantage of [CLMUL-WP] eq 27 (p. 18). */
- // // *cc = r1:r0
- // // *dd = r3:r2
- __m128i cc_lo = _mm_slli_epi64(*cc, 1); // r1<<1:r0<<1
- __m128i dd_lo = _mm_slli_epi64(*dd, 1); // r3<<1:r2<<1
- __m128i cc_hi = _mm_srli_epi64(*cc, 63); // r1>>63:r0>>63
- __m128i dd_hi = _mm_srli_epi64(*dd, 63); // r3>>63:r2>>63
- __m128i xmm5 = _mm_srli_si128(cc_hi, 8); // 0:r1>>63
- cc_hi = _mm_slli_si128(cc_hi, 8); // r0>>63:0
- dd_hi = _mm_slli_si128(dd_hi, 8); // 0:r1>>63
-
- *cc = _mm_or_si128(cc_lo, cc_hi); // r1<<1|r0>>63:r0<<1
- *dd = _mm_or_si128(_mm_or_si128(dd_lo, dd_hi), xmm5); // r3<<1|r2>>62:r2<<1|r1>>63
-}
-
-static __m128i gcm_reduce(__m128i xx)
-{
- // // xx = x1:x0
- /* [CLMUL-WP] Algorithm 5 Step 2 */
- __m128i aa = _mm_slli_epi64(xx, 63); // x1<<63:x0<<63 = stuff:a
- __m128i bb = _mm_slli_epi64(xx, 62); // x1<<62:x0<<62 = stuff:b
- __m128i cc = _mm_slli_epi64(xx, 57); // x1<<57:x0<<57 = stuff:c
- __m128i dd = _mm_slli_si128(_mm_xor_si128(_mm_xor_si128(aa, bb), cc), 8); // a+b+c:0
- return _mm_xor_si128(dd, xx); // x1+a+b+c:x0 = d:x0
-}
-
-static __m128i gcm_mix(__m128i dx)
-{
- /* [CLMUL-WP] Algorithm 5 Steps 3 and 4 */
- __m128i ee = _mm_srli_epi64(dx, 1); // e1:x0>>1 = e1:e0'
- __m128i ff = _mm_srli_epi64(dx, 2); // f1:x0>>2 = f1:f0'
- __m128i gg = _mm_srli_epi64(dx, 7); // g1:x0>>7 = g1:g0'
-
- // e0'+f0'+g0' is almost e0+f0+g0, except for some missing
- // bits carried from d. Now get those bits back in.
- __m128i eh = _mm_slli_epi64(dx, 63); // d<<63:stuff
- __m128i fh = _mm_slli_epi64(dx, 62); // d<<62:stuff
- __m128i gh = _mm_slli_epi64(dx, 57); // d<<57:stuff
- __m128i hh = _mm_srli_si128(_mm_xor_si128(_mm_xor_si128(eh, fh), gh), 8); // 0:missing bits of d
-
- return _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(_mm_xor_si128(ee, ff), gg), hh), dx);
-}
-
-void mbedtls_aesni_gcm_mult(unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16])
-{
- __m128i aa, bb, cc, dd;
-
- /* The inputs are in big-endian order, so byte-reverse them */
- for (size_t i = 0; i < 16; i++) {
- ((uint8_t *) &aa)[i] = a[15 - i];
- ((uint8_t *) &bb)[i] = b[15 - i];
- }
-
- gcm_clmul(aa, bb, &cc, &dd);
- gcm_shift(&cc, &dd);
- /*
- * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
- * using [CLMUL-WP] algorithm 5 (p. 18).
- * Currently dd:cc holds x3:x2:x1:x0 (already shifted).
- */
- __m128i dx = gcm_reduce(cc);
- __m128i xh = gcm_mix(dx);
- cc = _mm_xor_si128(xh, dd); // x3+h1:x2+h0
-
- /* Now byte-reverse the outputs */
- for (size_t i = 0; i < 16; i++) {
- c[i] = ((uint8_t *) &cc)[15 - i];
- }
-
- return;
-}
-
-/*
- * Compute decryption round keys from encryption round keys
- */
-void mbedtls_aesni_inverse_key(unsigned char *invkey,
- const unsigned char *fwdkey, int nr)
-{
- __m128i *ik = (__m128i *) invkey;
- const __m128i *fk = (const __m128i *) fwdkey + nr;
-
- *ik = *fk;
- for (--fk, ++ik; fk > (const __m128i *) fwdkey; --fk, ++ik) {
- *ik = _mm_aesimc_si128(*fk);
- }
- *ik = *fk;
-}
-
-/*
- * Key expansion, 128-bit case
- */
-static __m128i aesni_set_rk_128(__m128i state, __m128i xword)
-{
- /*
- * Finish generating the next round key.
- *
- * On entry state is r3:r2:r1:r0 and xword is X:stuff:stuff:stuff
- * with X = rot( sub( r3 ) ) ^ RCON (obtained with AESKEYGENASSIST).
- *
- * On exit, xword is r7:r6:r5:r4
- * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
- * and this is returned, to be written to the round key buffer.
- */
- xword = _mm_shuffle_epi32(xword, 0xff); // X:X:X:X
- xword = _mm_xor_si128(xword, state); // X+r3:X+r2:X+r1:r4
- state = _mm_slli_si128(state, 4); // r2:r1:r0:0
- xword = _mm_xor_si128(xword, state); // X+r3+r2:X+r2+r1:r5:r4
- state = _mm_slli_si128(state, 4); // r1:r0:0:0
- xword = _mm_xor_si128(xword, state); // X+r3+r2+r1:r6:r5:r4
- state = _mm_slli_si128(state, 4); // r0:0:0:0
- state = _mm_xor_si128(xword, state); // r7:r6:r5:r4
- return state;
-}
-
-static void aesni_setkey_enc_128(unsigned char *rk_bytes,
- const unsigned char *key)
-{
- __m128i *rk = (__m128i *) rk_bytes;
-
- memcpy(&rk[0], key, 16);
- rk[1] = aesni_set_rk_128(rk[0], _mm_aeskeygenassist_si128(rk[0], 0x01));
- rk[2] = aesni_set_rk_128(rk[1], _mm_aeskeygenassist_si128(rk[1], 0x02));
- rk[3] = aesni_set_rk_128(rk[2], _mm_aeskeygenassist_si128(rk[2], 0x04));
- rk[4] = aesni_set_rk_128(rk[3], _mm_aeskeygenassist_si128(rk[3], 0x08));
- rk[5] = aesni_set_rk_128(rk[4], _mm_aeskeygenassist_si128(rk[4], 0x10));
- rk[6] = aesni_set_rk_128(rk[5], _mm_aeskeygenassist_si128(rk[5], 0x20));
- rk[7] = aesni_set_rk_128(rk[6], _mm_aeskeygenassist_si128(rk[6], 0x40));
- rk[8] = aesni_set_rk_128(rk[7], _mm_aeskeygenassist_si128(rk[7], 0x80));
- rk[9] = aesni_set_rk_128(rk[8], _mm_aeskeygenassist_si128(rk[8], 0x1B));
- rk[10] = aesni_set_rk_128(rk[9], _mm_aeskeygenassist_si128(rk[9], 0x36));
-}
-
-/*
- * Key expansion, 192-bit case
- */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static void aesni_set_rk_192(__m128i *state0, __m128i *state1, __m128i xword,
- unsigned char *rk)
-{
- /*
- * Finish generating the next 6 quarter-keys.
- *
- * On entry state0 is r3:r2:r1:r0, state1 is stuff:stuff:r5:r4
- * and xword is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON
- * (obtained with AESKEYGENASSIST).
- *
- * On exit, state0 is r9:r8:r7:r6 and state1 is stuff:stuff:r11:r10
- * and those are written to the round key buffer.
- */
- xword = _mm_shuffle_epi32(xword, 0x55); // X:X:X:X
- xword = _mm_xor_si128(xword, *state0); // X+r3:X+r2:X+r1:X+r0
- *state0 = _mm_slli_si128(*state0, 4); // r2:r1:r0:0
- xword = _mm_xor_si128(xword, *state0); // X+r3+r2:X+r2+r1:X+r1+r0:X+r0
- *state0 = _mm_slli_si128(*state0, 4); // r1:r0:0:0
- xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1:X+r2+r1+r0:X+r1+r0:X+r0
- *state0 = _mm_slli_si128(*state0, 4); // r0:0:0:0
- xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1+r0:X+r2+r1+r0:X+r1+r0:X+r0
- *state0 = xword; // = r9:r8:r7:r6
-
- xword = _mm_shuffle_epi32(xword, 0xff); // r9:r9:r9:r9
- xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5:r9+r4
- *state1 = _mm_slli_si128(*state1, 4); // stuff:stuff:r4:0
- xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5+r4:r9+r4
- *state1 = xword; // = stuff:stuff:r11:r10
-
- /* Store state0 and the low half of state1 into rk, which is conceptually
- * an array of 24-byte elements. Since 24 is not a multiple of 16,
- * rk is not necessarily aligned so just `*rk = *state0` doesn't work. */
- memcpy(rk, state0, 16);
- memcpy(rk + 16, state1, 8);
-}
-
-static void aesni_setkey_enc_192(unsigned char *rk,
- const unsigned char *key)
-{
- /* First round: use original key */
- memcpy(rk, key, 24);
- /* aes.c guarantees that rk is aligned on a 16-byte boundary. */
- __m128i state0 = ((__m128i *) rk)[0];
- __m128i state1 = _mm_loadl_epi64(((__m128i *) rk) + 1);
-
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x01), rk + 24 * 1);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x02), rk + 24 * 2);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x04), rk + 24 * 3);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x08), rk + 24 * 4);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x10), rk + 24 * 5);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x20), rk + 24 * 6);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x40), rk + 24 * 7);
- aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x80), rk + 24 * 8);
-}
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
-/*
- * Key expansion, 256-bit case
- */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static void aesni_set_rk_256(__m128i state0, __m128i state1, __m128i xword,
- __m128i *rk0, __m128i *rk1)
-{
- /*
- * Finish generating the next two round keys.
- *
- * On entry state0 is r3:r2:r1:r0, state1 is r7:r6:r5:r4 and
- * xword is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
- * (obtained with AESKEYGENASSIST).
- *
- * On exit, *rk0 is r11:r10:r9:r8 and *rk1 is r15:r14:r13:r12
- */
- xword = _mm_shuffle_epi32(xword, 0xff);
- xword = _mm_xor_si128(xword, state0);
- state0 = _mm_slli_si128(state0, 4);
- xword = _mm_xor_si128(xword, state0);
- state0 = _mm_slli_si128(state0, 4);
- xword = _mm_xor_si128(xword, state0);
- state0 = _mm_slli_si128(state0, 4);
- state0 = _mm_xor_si128(state0, xword);
- *rk0 = state0;
-
- /* Set xword to stuff:Y:stuff:stuff with Y = subword( r11 )
- * and proceed to generate next round key from there */
- xword = _mm_aeskeygenassist_si128(state0, 0x00);
- xword = _mm_shuffle_epi32(xword, 0xaa);
- xword = _mm_xor_si128(xword, state1);
- state1 = _mm_slli_si128(state1, 4);
- xword = _mm_xor_si128(xword, state1);
- state1 = _mm_slli_si128(state1, 4);
- xword = _mm_xor_si128(xword, state1);
- state1 = _mm_slli_si128(state1, 4);
- state1 = _mm_xor_si128(state1, xword);
- *rk1 = state1;
-}
-
-static void aesni_setkey_enc_256(unsigned char *rk_bytes,
- const unsigned char *key)
-{
- __m128i *rk = (__m128i *) rk_bytes;
-
- memcpy(&rk[0], key, 16);
- memcpy(&rk[1], key + 16, 16);
-
- /*
- * Main "loop" - Generating one more key than necessary,
- * see definition of mbedtls_aes_context.buf
- */
- aesni_set_rk_256(rk[0], rk[1], _mm_aeskeygenassist_si128(rk[1], 0x01), &rk[2], &rk[3]);
- aesni_set_rk_256(rk[2], rk[3], _mm_aeskeygenassist_si128(rk[3], 0x02), &rk[4], &rk[5]);
- aesni_set_rk_256(rk[4], rk[5], _mm_aeskeygenassist_si128(rk[5], 0x04), &rk[6], &rk[7]);
- aesni_set_rk_256(rk[6], rk[7], _mm_aeskeygenassist_si128(rk[7], 0x08), &rk[8], &rk[9]);
- aesni_set_rk_256(rk[8], rk[9], _mm_aeskeygenassist_si128(rk[9], 0x10), &rk[10], &rk[11]);
- aesni_set_rk_256(rk[10], rk[11], _mm_aeskeygenassist_si128(rk[11], 0x20), &rk[12], &rk[13]);
- aesni_set_rk_256(rk[12], rk[13], _mm_aeskeygenassist_si128(rk[13], 0x40), &rk[14], &rk[15]);
-}
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
-#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
-
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer)
-#warning \
- "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
-#endif
-#endif
-
-/*
- * Binutils needs to be at least 2.19 to support AES-NI instructions.
- * Unfortunately, a lot of users have a lower version now (2014-04).
- * Emit bytecode directly in order to support "old" version of gas.
- *
- * Opcodes from the Intel architecture reference manual, vol. 3.
- * We always use registers, so we don't need prefixes for memory operands.
- * Operand macros are in gas order (src, dst) as opposed to Intel order
- * (dst, src) in order to blend better into the surrounding assembly code.
- */
-#define AESDEC(regs) ".byte 0x66,0x0F,0x38,0xDE," regs "\n\t"
-#define AESDECLAST(regs) ".byte 0x66,0x0F,0x38,0xDF," regs "\n\t"
-#define AESENC(regs) ".byte 0x66,0x0F,0x38,0xDC," regs "\n\t"
-#define AESENCLAST(regs) ".byte 0x66,0x0F,0x38,0xDD," regs "\n\t"
-#define AESIMC(regs) ".byte 0x66,0x0F,0x38,0xDB," regs "\n\t"
-#define AESKEYGENA(regs, imm) ".byte 0x66,0x0F,0x3A,0xDF," regs "," imm "\n\t"
-#define PCLMULQDQ(regs, imm) ".byte 0x66,0x0F,0x3A,0x44," regs "," imm "\n\t"
-
-#define xmm0_xmm0 "0xC0"
-#define xmm0_xmm1 "0xC8"
-#define xmm0_xmm2 "0xD0"
-#define xmm0_xmm3 "0xD8"
-#define xmm0_xmm4 "0xE0"
-#define xmm1_xmm0 "0xC1"
-#define xmm1_xmm2 "0xD1"
-
-/*
- * AES-NI AES-ECB block en(de)cryption
- */
-int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- asm ("movdqu (%3), %%xmm0 \n\t" // load input
- "movdqu (%1), %%xmm1 \n\t" // load round key 0
- "pxor %%xmm1, %%xmm0 \n\t" // round 0
- "add $16, %1 \n\t" // point to next round key
- "subl $1, %0 \n\t" // normal rounds = nr - 1
- "test %2, %2 \n\t" // mode?
- "jz 2f \n\t" // 0 = decrypt
-
- "1: \n\t" // encryption loop
- "movdqu (%1), %%xmm1 \n\t" // load round key
- AESENC(xmm1_xmm0) // do round
- "add $16, %1 \n\t" // point to next round key
- "subl $1, %0 \n\t" // loop
- "jnz 1b \n\t"
- "movdqu (%1), %%xmm1 \n\t" // load round key
- AESENCLAST(xmm1_xmm0) // last round
- "jmp 3f \n\t"
-
- "2: \n\t" // decryption loop
- "movdqu (%1), %%xmm1 \n\t"
- AESDEC(xmm1_xmm0) // do round
- "add $16, %1 \n\t"
- "subl $1, %0 \n\t"
- "jnz 2b \n\t"
- "movdqu (%1), %%xmm1 \n\t" // load round key
- AESDECLAST(xmm1_xmm0) // last round
-
- "3: \n\t"
- "movdqu %%xmm0, (%4) \n\t" // export output
- :
- : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
- : "memory", "cc", "xmm0", "xmm1");
-
-
- return 0;
-}
-
-/*
- * GCM multiplication: c = a times b in GF(2^128)
- * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
- */
-void mbedtls_aesni_gcm_mult(unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16])
-{
- unsigned char aa[16], bb[16], cc[16];
- size_t i;
-
- /* The inputs are in big-endian order, so byte-reverse them */
- for (i = 0; i < 16; i++) {
- aa[i] = a[15 - i];
- bb[i] = b[15 - i];
- }
-
- asm ("movdqu (%0), %%xmm0 \n\t" // a1:a0
- "movdqu (%1), %%xmm1 \n\t" // b1:b0
-
- /*
- * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
- * using [CLMUL-WP] algorithm 1 (p. 12).
- */
- "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0
- "movdqa %%xmm1, %%xmm3 \n\t" // same
- "movdqa %%xmm1, %%xmm4 \n\t" // same
- PCLMULQDQ(xmm0_xmm1, "0x00") // a0*b0 = c1:c0
- PCLMULQDQ(xmm0_xmm2, "0x11") // a1*b1 = d1:d0
- PCLMULQDQ(xmm0_xmm3, "0x10") // a0*b1 = e1:e0
- PCLMULQDQ(xmm0_xmm4, "0x01") // a1*b0 = f1:f0
- "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0
- "movdqa %%xmm4, %%xmm3 \n\t" // same
- "psrldq $8, %%xmm4 \n\t" // 0:e1+f1
- "pslldq $8, %%xmm3 \n\t" // e0+f0:0
- "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1
- "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0
-
- /*
- * Now shift the result one bit to the left,
- * taking advantage of [CLMUL-WP] eq 27 (p. 18)
- */
- "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0
- "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2
- "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1
- "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1
- "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63
- "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63
- "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63
- "pslldq $8, %%xmm3 \n\t" // r0>>63:0
- "pslldq $8, %%xmm4 \n\t" // r2>>63:0
- "psrldq $8, %%xmm5 \n\t" // 0:r1>>63
- "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1
- "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1
- "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
-
- /*
- * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
- * using [CLMUL-WP] algorithm 5 (p. 18).
- * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
- */
- /* Step 2 (1) */
- "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0
- "movdqa %%xmm1, %%xmm4 \n\t" // same
- "movdqa %%xmm1, %%xmm5 \n\t" // same
- "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a
- "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b
- "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c
-
- /* Step 2 (2) */
- "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b
- "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c
- "pslldq $8, %%xmm3 \n\t" // a+b+c:0
- "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0
-
- /* Steps 3 and 4 */
- "movdqa %%xmm1,%%xmm0 \n\t" // d:x0
- "movdqa %%xmm1,%%xmm4 \n\t" // same
- "movdqa %%xmm1,%%xmm5 \n\t" // same
- "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0'
- "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0'
- "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0'
- "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0'
- "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0'
- // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
- // bits carried from d. Now get those\t bits back in.
- "movdqa %%xmm1,%%xmm3 \n\t" // d:x0
- "movdqa %%xmm1,%%xmm4 \n\t" // same
- "movdqa %%xmm1,%%xmm5 \n\t" // same
- "psllq $63, %%xmm3 \n\t" // d<<63:stuff
- "psllq $62, %%xmm4 \n\t" // d<<62:stuff
- "psllq $57, %%xmm5 \n\t" // d<<57:stuff
- "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff
- "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff
- "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d
- "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0
- "pxor %%xmm1, %%xmm0 \n\t" // h1:h0
- "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0
-
- "movdqu %%xmm0, (%2) \n\t" // done
- :
- : "r" (aa), "r" (bb), "r" (cc)
- : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5");
-
- /* Now byte-reverse the outputs */
- for (i = 0; i < 16; i++) {
- c[i] = cc[15 - i];
- }
-
- return;
-}
-
-/*
- * Compute decryption round keys from encryption round keys
- */
-void mbedtls_aesni_inverse_key(unsigned char *invkey,
- const unsigned char *fwdkey, int nr)
-{
- unsigned char *ik = invkey;
- const unsigned char *fk = fwdkey + 16 * nr;
-
- memcpy(ik, fk, 16);
-
- for (fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16) {
- asm ("movdqu (%0), %%xmm0 \n\t"
- AESIMC(xmm0_xmm0)
- "movdqu %%xmm0, (%1) \n\t"
- :
- : "r" (fk), "r" (ik)
- : "memory", "xmm0");
- }
-
- memcpy(ik, fk, 16);
-}
-
-/*
- * Key expansion, 128-bit case
- */
-static void aesni_setkey_enc_128(unsigned char *rk,
- const unsigned char *key)
-{
- asm ("movdqu (%1), %%xmm0 \n\t" // copy the original key
- "movdqu %%xmm0, (%0) \n\t" // as round key 0
- "jmp 2f \n\t" // skip auxiliary routine
-
- /*
- * Finish generating the next round key.
- *
- * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
- * with X = rot( sub( r3 ) ) ^ RCON.
- *
- * On exit, xmm0 is r7:r6:r5:r4
- * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
- * and those are written to the round key buffer.
- */
- "1: \n\t"
- "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X
- "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4
- "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0
- "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4
- "pslldq $4, %%xmm0 \n\t" // etc
- "pxor %%xmm0, %%xmm1 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time!
- "add $16, %0 \n\t" // point to next round key
- "movdqu %%xmm0, (%0) \n\t" // write it
- "ret \n\t"
-
- /* Main "loop" */
- "2: \n\t"
- AESKEYGENA(xmm0_xmm1, "0x01") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x02") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x04") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x08") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x10") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x20") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x40") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x80") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x1B") "call 1b \n\t"
- AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
- :
- : "r" (rk), "r" (key)
- : "memory", "cc", "0");
-}
-
-/*
- * Key expansion, 192-bit case
- */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static void aesni_setkey_enc_192(unsigned char *rk,
- const unsigned char *key)
-{
- asm ("movdqu (%1), %%xmm0 \n\t" // copy original round key
- "movdqu %%xmm0, (%0) \n\t"
- "add $16, %0 \n\t"
- "movq 16(%1), %%xmm1 \n\t"
- "movq %%xmm1, (%0) \n\t"
- "add $8, %0 \n\t"
- "jmp 2f \n\t" // skip auxiliary routine
-
- /*
- * Finish generating the next 6 quarter-keys.
- *
- * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
- * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
- *
- * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
- * and those are written to the round key buffer.
- */
- "1: \n\t"
- "pshufd $0x55, %%xmm2, %%xmm2 \n\t" // X:X:X:X
- "pxor %%xmm0, %%xmm2 \n\t" // X+r3:X+r2:X+r1:r4
- "pslldq $4, %%xmm0 \n\t" // etc
- "pxor %%xmm0, %%xmm2 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm0, %%xmm2 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm2, %%xmm0 \n\t" // update xmm0 = r9:r8:r7:r6
- "movdqu %%xmm0, (%0) \n\t"
- "add $16, %0 \n\t"
- "pshufd $0xff, %%xmm0, %%xmm2 \n\t" // r9:r9:r9:r9
- "pxor %%xmm1, %%xmm2 \n\t" // stuff:stuff:r9+r5:r10
- "pslldq $4, %%xmm1 \n\t" // r2:r1:r0:0
- "pxor %%xmm2, %%xmm1 \n\t" // xmm1 = stuff:stuff:r11:r10
- "movq %%xmm1, (%0) \n\t"
- "add $8, %0 \n\t"
- "ret \n\t"
-
- "2: \n\t"
- AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x80") "call 1b \n\t"
-
- :
- : "r" (rk), "r" (key)
- : "memory", "cc", "0");
-}
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
-/*
- * Key expansion, 256-bit case
- */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static void aesni_setkey_enc_256(unsigned char *rk,
- const unsigned char *key)
-{
- asm ("movdqu (%1), %%xmm0 \n\t"
- "movdqu %%xmm0, (%0) \n\t"
- "add $16, %0 \n\t"
- "movdqu 16(%1), %%xmm1 \n\t"
- "movdqu %%xmm1, (%0) \n\t"
- "jmp 2f \n\t" // skip auxiliary routine
-
- /*
- * Finish generating the next two round keys.
- *
- * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
- * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
- *
- * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
- * and those have been written to the output buffer.
- */
- "1: \n\t"
- "pshufd $0xff, %%xmm2, %%xmm2 \n\t"
- "pxor %%xmm0, %%xmm2 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm0, %%xmm2 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm0, %%xmm2 \n\t"
- "pslldq $4, %%xmm0 \n\t"
- "pxor %%xmm2, %%xmm0 \n\t"
- "add $16, %0 \n\t"
- "movdqu %%xmm0, (%0) \n\t"
-
- /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
- * and proceed to generate next round key from there */
- AESKEYGENA(xmm0_xmm2, "0x00")
- "pshufd $0xaa, %%xmm2, %%xmm2 \n\t"
- "pxor %%xmm1, %%xmm2 \n\t"
- "pslldq $4, %%xmm1 \n\t"
- "pxor %%xmm1, %%xmm2 \n\t"
- "pslldq $4, %%xmm1 \n\t"
- "pxor %%xmm1, %%xmm2 \n\t"
- "pslldq $4, %%xmm1 \n\t"
- "pxor %%xmm2, %%xmm1 \n\t"
- "add $16, %0 \n\t"
- "movdqu %%xmm1, (%0) \n\t"
- "ret \n\t"
-
- /*
- * Main "loop" - Generating one more key than necessary,
- * see definition of mbedtls_aes_context.buf
- */
- "2: \n\t"
- AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
- AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
- :
- : "r" (rk), "r" (key)
- : "memory", "cc", "0");
-}
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
-#endif /* MBEDTLS_AESNI_HAVE_CODE */
-
-/*
- * Key expansion, wrapper
- */
-int mbedtls_aesni_setkey_enc(unsigned char *rk,
- const unsigned char *key,
- size_t bits)
-{
- switch (bits) {
- case 128: aesni_setkey_enc_128(rk, key); break;
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- case 192: aesni_setkey_enc_192(rk, key); break;
- case 256: aesni_setkey_enc_256(rk, key); break;
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
- default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_AESNI_HAVE_CODE */
-
-#endif /* MBEDTLS_AESNI_C */
diff --git a/library/aesni.h b/library/aesni.h
deleted file mode 100644
index ba14290..0000000
--- a/library/aesni.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/**
- * \file aesni.h
- *
- * \brief AES-NI for hardware AES acceleration on some Intel processors
- *
- * \warning These functions are only for internal use by other library
- * functions; you must not call them directly.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_AESNI_H
-#define MBEDTLS_AESNI_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/aes.h"
-
-#define MBEDTLS_AESNI_AES 0x02000000u
-#define MBEDTLS_AESNI_CLMUL 0x00000002u
-
-#if defined(MBEDTLS_AESNI_C) && \
- (defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_X86))
-
-/* Can we do AESNI with intrinsics?
- * (Only implemented with certain compilers, only for certain targets.)
- */
-#undef MBEDTLS_AESNI_HAVE_INTRINSICS
-#if defined(_MSC_VER)
-/* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support
- * VS 2013 and up for other reasons anyway, so no need to check the version. */
-#define MBEDTLS_AESNI_HAVE_INTRINSICS
-#endif
-/* GCC-like compilers: currently, we only support intrinsics if the requisite
- * target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2`
- * or `clang -maes -mpclmul`). */
-#if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__)
-#define MBEDTLS_AESNI_HAVE_INTRINSICS
-#endif
-
-/* Choose the implementation of AESNI, if one is available.
- *
- * Favor the intrinsics-based implementation if it's available, for better
- * maintainability.
- * Performance is about the same (see #7380).
- * In the long run, we will likely remove the assembly implementation. */
-#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
-#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
-#elif defined(MBEDTLS_HAVE_ASM) && \
- defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64)
-/* Can we do AESNI with inline assembly?
- * (Only implemented with gas syntax, only for 64-bit.)
- */
-#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
-#elif defined(__GNUC__)
-# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C"
-#else
-#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
-#endif
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal function to detect the AES-NI feature in CPUs.
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param what The feature to detect
- * (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
- *
- * \return 1 if CPU has support for the feature, 0 otherwise
- */
-#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-int mbedtls_aesni_has_support(unsigned int what);
-#else
-#define mbedtls_aesni_has_support(what) 1
-#endif
-
-/**
- * \brief Internal AES-NI AES-ECB block encryption and decryption
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param ctx AES context
- * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- * \param input 16-byte input block
- * \param output 16-byte output block
- *
- * \return 0 on success (cannot fail)
- */
-int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16]);
-
-/**
- * \brief Internal GCM multiplication: c = a * b in GF(2^128)
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param c Result
- * \param a First operand
- * \param b Second operand
- *
- * \note Both operands and result are bit strings interpreted as
- * elements of GF(2^128) as per the GCM spec.
- */
-void mbedtls_aesni_gcm_mult(unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16]);
-
-/**
- * \brief Internal round key inversion. This function computes
- * decryption round keys from the encryption round keys.
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param invkey Round keys for the equivalent inverse cipher
- * \param fwdkey Original round keys (for encryption)
- * \param nr Number of rounds (that is, number of round keys minus one)
- */
-void mbedtls_aesni_inverse_key(unsigned char *invkey,
- const unsigned char *fwdkey,
- int nr);
-
-/**
- * \brief Internal key expansion for encryption
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param rk Destination buffer where the round keys are written
- * \param key Encryption key
- * \param bits Key size in bits (must be 128, 192 or 256)
- *
- * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
- */
-int mbedtls_aesni_setkey_enc(unsigned char *rk,
- const unsigned char *key,
- size_t bits);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_AESNI_HAVE_CODE */
-#endif /* MBEDTLS_AESNI_C */
-
-#endif /* MBEDTLS_AESNI_H */
diff --git a/library/alignment.h b/library/alignment.h
deleted file mode 100644
index ab15986..0000000
--- a/library/alignment.h
+++ /dev/null
@@ -1,521 +0,0 @@
-/**
- * \file alignment.h
- *
- * \brief Utility code for dealing with unaligned memory accesses
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_LIBRARY_ALIGNMENT_H
-#define MBEDTLS_LIBRARY_ALIGNMENT_H
-
-#include <stdint.h>
-#include <string.h>
-#include <stdlib.h>
-
-/*
- * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS for architectures where unaligned memory
- * accesses are known to be efficient.
- *
- * All functions defined here will behave correctly regardless, but might be less
- * efficient when this is not defined.
- */
-#if defined(__ARM_FEATURE_UNALIGNED) \
- || defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
-/*
- * __ARM_FEATURE_UNALIGNED is defined where appropriate by armcc, gcc 7, clang 9
- * (and later versions) for Arm v7 and later; all x86 platforms should have
- * efficient unaligned access.
- */
-#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
-#endif
-
-/**
- * Read the unsigned 16 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 2 bytes of data
- * \return Data at the given address
- */
-inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
-{
- uint16_t r;
- memcpy(&r, p, sizeof(r));
- return r;
-}
-
-/**
- * Write the unsigned 16 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 2 bytes of data
- * \param x data to write
- */
-inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
-{
- memcpy(p, &x, sizeof(x));
-}
-
-/**
- * Read the unsigned 32 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 4 bytes of data
- * \return Data at the given address
- */
-inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
-{
- uint32_t r;
- memcpy(&r, p, sizeof(r));
- return r;
-}
-
-/**
- * Write the unsigned 32 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 4 bytes of data
- * \param x data to write
- */
-inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
-{
- memcpy(p, &x, sizeof(x));
-}
-
-/**
- * Read the unsigned 64 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 8 bytes of data
- * \return Data at the given address
- */
-inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
-{
- uint64_t r;
- memcpy(&r, p, sizeof(r));
- return r;
-}
-
-/**
- * Write the unsigned 64 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 8 bytes of data
- * \param x data to write
- */
-inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
-{
- memcpy(p, &x, sizeof(x));
-}
-
-/** Byte Reading Macros
- *
- * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
- * byte from x, where byte 0 is the least significant byte.
- */
-#define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff))
-#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
-#define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff))
-#define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff))
-#define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff))
-#define MBEDTLS_BYTE_5(x) ((uint8_t) (((x) >> 40) & 0xff))
-#define MBEDTLS_BYTE_6(x) ((uint8_t) (((x) >> 48) & 0xff))
-#define MBEDTLS_BYTE_7(x) ((uint8_t) (((x) >> 56) & 0xff))
-
-/*
- * Detect GCC built-in byteswap routines
- */
-#if defined(__GNUC__) && defined(__GNUC_PREREQ)
-#if __GNUC_PREREQ(4, 8)
-#define MBEDTLS_BSWAP16 __builtin_bswap16
-#endif /* __GNUC_PREREQ(4,8) */
-#if __GNUC_PREREQ(4, 3)
-#define MBEDTLS_BSWAP32 __builtin_bswap32
-#define MBEDTLS_BSWAP64 __builtin_bswap64
-#endif /* __GNUC_PREREQ(4,3) */
-#endif /* defined(__GNUC__) && defined(__GNUC_PREREQ) */
-
-/*
- * Detect Clang built-in byteswap routines
- */
-#if defined(__clang__) && defined(__has_builtin)
-#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16)
-#define MBEDTLS_BSWAP16 __builtin_bswap16
-#endif /* __has_builtin(__builtin_bswap16) */
-#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32)
-#define MBEDTLS_BSWAP32 __builtin_bswap32
-#endif /* __has_builtin(__builtin_bswap32) */
-#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64)
-#define MBEDTLS_BSWAP64 __builtin_bswap64
-#endif /* __has_builtin(__builtin_bswap64) */
-#endif /* defined(__clang__) && defined(__has_builtin) */
-
-/*
- * Detect MSVC built-in byteswap routines
- */
-#if defined(_MSC_VER)
-#if !defined(MBEDTLS_BSWAP16)
-#define MBEDTLS_BSWAP16 _byteswap_ushort
-#endif
-#if !defined(MBEDTLS_BSWAP32)
-#define MBEDTLS_BSWAP32 _byteswap_ulong
-#endif
-#if !defined(MBEDTLS_BSWAP64)
-#define MBEDTLS_BSWAP64 _byteswap_uint64
-#endif
-#endif /* defined(_MSC_VER) */
-
-/* Detect armcc built-in byteswap routine */
-#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
-#if defined(__ARM_ACLE) /* ARM Compiler 6 - earlier versions don't need a header */
-#include <arm_acle.h>
-#endif
-#define MBEDTLS_BSWAP32 __rev
-#endif
-
-/*
- * Where compiler built-ins are not present, fall back to C code that the
- * compiler may be able to detect and transform into the relevant bswap or
- * similar instruction.
- */
-#if !defined(MBEDTLS_BSWAP16)
-static inline uint16_t mbedtls_bswap16(uint16_t x)
-{
- return
- (x & 0x00ff) << 8 |
- (x & 0xff00) >> 8;
-}
-#define MBEDTLS_BSWAP16 mbedtls_bswap16
-#endif /* !defined(MBEDTLS_BSWAP16) */
-
-#if !defined(MBEDTLS_BSWAP32)
-static inline uint32_t mbedtls_bswap32(uint32_t x)
-{
- return
- (x & 0x000000ff) << 24 |
- (x & 0x0000ff00) << 8 |
- (x & 0x00ff0000) >> 8 |
- (x & 0xff000000) >> 24;
-}
-#define MBEDTLS_BSWAP32 mbedtls_bswap32
-#endif /* !defined(MBEDTLS_BSWAP32) */
-
-#if !defined(MBEDTLS_BSWAP64)
-static inline uint64_t mbedtls_bswap64(uint64_t x)
-{
- return
- (x & 0x00000000000000ffULL) << 56 |
- (x & 0x000000000000ff00ULL) << 40 |
- (x & 0x0000000000ff0000ULL) << 24 |
- (x & 0x00000000ff000000ULL) << 8 |
- (x & 0x000000ff00000000ULL) >> 8 |
- (x & 0x0000ff0000000000ULL) >> 24 |
- (x & 0x00ff000000000000ULL) >> 40 |
- (x & 0xff00000000000000ULL) >> 56;
-}
-#define MBEDTLS_BSWAP64 mbedtls_bswap64
-#endif /* !defined(MBEDTLS_BSWAP64) */
-
-#if !defined(__BYTE_ORDER__)
-static const uint16_t mbedtls_byte_order_detector = { 0x100 };
-#define MBEDTLS_IS_BIG_ENDIAN (*((unsigned char *) (&mbedtls_byte_order_detector)) == 0x01)
-#else
-#define MBEDTLS_IS_BIG_ENDIAN ((__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__))
-#endif /* !defined(__BYTE_ORDER__) */
-
-/**
- * Get the unsigned 32 bits integer corresponding to four bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the four bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the four bytes to build the 32 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT32_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint32((data) + (offset)) \
- : MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
- )
-
-/**
- * Put in memory a 32 bits unsigned integer in big-endian order.
- *
- * \param n 32 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 32
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 32 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 32 bits integer corresponding to four bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the four bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the four bytes to build the 32 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT32_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
- : mbedtls_get_unaligned_uint32((data) + (offset)) \
- )
-
-
-/**
- * Put in memory a 32 bits unsigned integer in little-endian order.
- *
- * \param n 32 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 32
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 32 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 16 bits integer corresponding to two bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the two bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the two bytes to build the 16 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT16_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
- : mbedtls_get_unaligned_uint16((data) + (offset)) \
- )
-
-/**
- * Put in memory a 16 bits unsigned integer in little-endian order.
- *
- * \param n 16 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 16
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 16 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
- } \
- }
-
-/**
- * Get the unsigned 16 bits integer corresponding to two bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the two bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the two bytes to build the 16 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT16_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint16((data) + (offset)) \
- : MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
- )
-
-/**
- * Put in memory a 16 bits unsigned integer in big-endian order.
- *
- * \param n 16 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 16
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 16 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 24 bits integer corresponding to three bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the three bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the three bytes to build the 24 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT24_BE(data, offset) \
- ( \
- ((uint32_t) (data)[(offset)] << 16) \
- | ((uint32_t) (data)[(offset) + 1] << 8) \
- | ((uint32_t) (data)[(offset) + 2]) \
- )
-
-/**
- * Put in memory a 24 bits unsigned integer in big-endian order.
- *
- * \param n 24 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 24
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 24 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT24_BE(n, data, offset) \
- { \
- (data)[(offset)] = MBEDTLS_BYTE_2(n); \
- (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
- (data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \
- }
-
-/**
- * Get the unsigned 24 bits integer corresponding to three bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the three bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the three bytes to build the 24 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT24_LE(data, offset) \
- ( \
- ((uint32_t) (data)[(offset)]) \
- | ((uint32_t) (data)[(offset) + 1] << 8) \
- | ((uint32_t) (data)[(offset) + 2] << 16) \
- )
-
-/**
- * Put in memory a 24 bits unsigned integer in little-endian order.
- *
- * \param n 24 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 24
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 24 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT24_LE(n, data, offset) \
- { \
- (data)[(offset)] = MBEDTLS_BYTE_0(n); \
- (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
- (data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \
- }
-
-/**
- * Get the unsigned 64 bits integer corresponding to eight bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the eight bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the eight bytes to build the 64 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT64_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint64((data) + (offset)) \
- : MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
- )
-
-/**
- * Put in memory a 64 bits unsigned integer in big-endian order.
- *
- * \param n 64 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 64
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 64 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 64 bits integer corresponding to eight bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the eight bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the eight bytes to build the 64 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT64_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
- : mbedtls_get_unaligned_uint64((data) + (offset)) \
- )
-
-/**
- * Put in memory a 64 bits unsigned integer in little-endian order.
- *
- * \param n 64 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 64
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 64 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
- } \
- }
-
-#endif /* MBEDTLS_LIBRARY_ALIGNMENT_H */
diff --git a/library/aria.c b/library/aria.c
deleted file mode 100644
index 0980362..0000000
--- a/library/aria.c
+++ /dev/null
@@ -1,1003 +0,0 @@
-/*
- * ARIA implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * This implementation is based on the following standards:
- * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
- * [2] https://tools.ietf.org/html/rfc5794
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ARIA_C)
-
-#include "mbedtls/aria.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_ARIA_ALT)
-
-#include "mbedtls/platform_util.h"
-
-/* Parameter validation macros */
-#define ARIA_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA)
-#define ARIA_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
-/*
- * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
- *
- * This is submatrix P1 in [1] Appendix B.1
- *
- * Common compilers fail to translate this to minimal number of instructions,
- * so let's provide asm versions for common platforms with C fallback.
- */
-#if defined(MBEDTLS_HAVE_ASM)
-#if defined(__arm__) /* rev16 available from v6 up */
-/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
-#if defined(__GNUC__) && \
- (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
- __ARM_ARCH >= 6
-static inline uint32_t aria_p1(uint32_t x)
-{
- uint32_t r;
- __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
- return r;
-}
-#define ARIA_P1 aria_p1
-#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
- (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
-static inline uint32_t aria_p1(uint32_t x)
-{
- uint32_t r;
- __asm("rev16 r, x");
- return r;
-}
-#define ARIA_P1 aria_p1
-#endif
-#endif /* arm */
-#if defined(__GNUC__) && \
- defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
-/* I couldn't find an Intel equivalent of rev16, so two instructions */
-#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
-#endif /* x86 gnuc */
-#endif /* MBEDTLS_HAVE_ASM && GNUC */
-#if !defined(ARIA_P1)
-#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
-#endif
-
-/*
- * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
- *
- * This is submatrix P2 in [1] Appendix B.1
- *
- * Common compilers will translate this to a single instruction.
- */
-#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
-
-/*
- * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
- *
- * This is submatrix P3 in [1] Appendix B.1
- */
-#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
-
-/*
- * ARIA Affine Transform
- * (a, b, c, d) = state in/out
- *
- * If we denote the first byte of input by 0, ..., the last byte by f,
- * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
- *
- * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
- * rearrangements on adjacent pairs, output is:
- *
- * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
- * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
- * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
- * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
- * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
- * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
- * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
- * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
- *
- * Note: another presentation of the A transform can be found as the first
- * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
- * The implementation below uses only P1 and P2 as they are sufficient.
- */
-static inline void aria_a(uint32_t *a, uint32_t *b,
- uint32_t *c, uint32_t *d)
-{
- uint32_t ta, tb, tc;
- ta = *b; // 4567
- *b = *a; // 0123
- *a = ARIA_P2(ta); // 6745
- tb = ARIA_P2(*d); // efcd
- *d = ARIA_P1(*c); // 98ba
- *c = ARIA_P1(tb); // fedc
- ta ^= *d; // 4567+98ba
- tc = ARIA_P2(*b); // 2301
- ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
- tb ^= ARIA_P2(*d); // ba98+efcd
- tc ^= ARIA_P1(*a); // 2301+7654
- *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
- tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
- *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
- ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
- *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
- tc = ARIA_P2(tc); // 0123+5476
- *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
-}
-
-/*
- * ARIA Substitution Layer SL1 / SL2
- * (a, b, c, d) = state in/out
- * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
- *
- * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
- * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
- */
-static inline void aria_sl(uint32_t *a, uint32_t *b,
- uint32_t *c, uint32_t *d,
- const uint8_t sa[256], const uint8_t sb[256],
- const uint8_t sc[256], const uint8_t sd[256])
-{
- *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
- (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
- (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
- (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
- *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
- (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
- (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
- (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
- *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
- (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
- (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
- (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
- *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
- (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
- (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
- (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
-}
-
-/*
- * S-Boxes
- */
-static const uint8_t aria_sb1[256] =
-{
- 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
- 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
- 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
- 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
- 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
- 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
- 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
- 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
- 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
- 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
- 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
- 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
- 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
- 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
- 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
- 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
- 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
- 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
- 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
- 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
- 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
- 0xB0, 0x54, 0xBB, 0x16
-};
-
-static const uint8_t aria_sb2[256] =
-{
- 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
- 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
- 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
- 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
- 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
- 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
- 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
- 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
- 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
- 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
- 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
- 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
- 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
- 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
- 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
- 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
- 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
- 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
- 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
- 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
- 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
- 0xAF, 0xBA, 0xB5, 0x81
-};
-
-static const uint8_t aria_is1[256] =
-{
- 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
- 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
- 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
- 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
- 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
- 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
- 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
- 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
- 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
- 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
- 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
- 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
- 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
- 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
- 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
- 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
- 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
- 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
- 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
- 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
- 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
- 0x55, 0x21, 0x0C, 0x7D
-};
-
-static const uint8_t aria_is2[256] =
-{
- 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
- 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
- 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
- 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
- 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
- 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
- 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
- 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
- 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
- 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
- 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
- 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
- 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
- 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
- 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
- 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
- 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
- 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
- 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
- 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
- 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
- 0x03, 0xA2, 0xAC, 0x60
-};
-
-/*
- * Helper for key schedule: r = FO( p, k ) ^ x
- */
-static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
- const uint32_t k[4], const uint32_t x[4])
-{
- uint32_t a, b, c, d;
-
- a = p[0] ^ k[0];
- b = p[1] ^ k[1];
- c = p[2] ^ k[2];
- d = p[3] ^ k[3];
-
- aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
- aria_a(&a, &b, &c, &d);
-
- r[0] = a ^ x[0];
- r[1] = b ^ x[1];
- r[2] = c ^ x[2];
- r[3] = d ^ x[3];
-}
-
-/*
- * Helper for key schedule: r = FE( p, k ) ^ x
- */
-static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
- const uint32_t k[4], const uint32_t x[4])
-{
- uint32_t a, b, c, d;
-
- a = p[0] ^ k[0];
- b = p[1] ^ k[1];
- c = p[2] ^ k[2];
- d = p[3] ^ k[3];
-
- aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
- aria_a(&a, &b, &c, &d);
-
- r[0] = a ^ x[0];
- r[1] = b ^ x[1];
- r[2] = c ^ x[2];
- r[3] = d ^ x[3];
-}
-
-/*
- * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
- *
- * We chose to store bytes into 32-bit words in little-endian format (see
- * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
- * bytes here.
- */
-static void aria_rot128(uint32_t r[4], const uint32_t a[4],
- const uint32_t b[4], uint8_t n)
-{
- uint8_t i, j;
- uint32_t t, u;
-
- const uint8_t n1 = n % 32; // bit offset
- const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
-
- j = (n / 32) % 4; // initial word offset
- t = ARIA_P3(b[j]); // big endian
- for (i = 0; i < 4; i++) {
- j = (j + 1) % 4; // get next word, big endian
- u = ARIA_P3(b[j]);
- t <<= n1; // rotate
- t |= u >> n2;
- t = ARIA_P3(t); // back to little endian
- r[i] = a[i] ^ t; // store
- t = u; // move to next word
- }
-}
-
-/*
- * Set encryption key
- */
-int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
- const unsigned char *key, unsigned int keybits)
-{
- /* round constant masks */
- const uint32_t rc[3][4] =
- {
- { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
- { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
- { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
- };
-
- int i;
- uint32_t w[4][4], *w2;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(key != NULL);
-
- if (keybits != 128 && keybits != 192 && keybits != 256) {
- return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
- }
-
- /* Copy key to W0 (and potential remainder to W1) */
- w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
- w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
- w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
- w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
-
- memset(w[1], 0, 16);
- if (keybits >= 192) {
- w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
- w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
- }
- if (keybits == 256) {
- w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
- w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
- }
-
- i = (keybits - 128) >> 6; // index: 0, 1, 2
- ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
-
- aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
- i = i < 2 ? i + 1 : 0;
- aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
- i = i < 2 ? i + 1 : 0;
- aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
-
- for (i = 0; i < 4; i++) { // create round keys
- w2 = w[(i + 1) & 3];
- aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
- aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
- aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
- aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
- }
- aria_rot128(ctx->rk[16], w[0], w[1], 19);
-
- /* w holds enough info to reconstruct the round keys */
- mbedtls_platform_zeroize(w, sizeof(w));
-
- return 0;
-}
-
-/*
- * Set decryption key
- */
-int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
- const unsigned char *key, unsigned int keybits)
-{
- int i, j, k, ret;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(key != NULL);
-
- ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
- if (ret != 0) {
- return ret;
- }
-
- /* flip the order of round keys */
- for (i = 0, j = ctx->nr; i < j; i++, j--) {
- for (k = 0; k < 4; k++) {
- uint32_t t = ctx->rk[i][k];
- ctx->rk[i][k] = ctx->rk[j][k];
- ctx->rk[j][k] = t;
- }
- }
-
- /* apply affine transform to middle keys */
- for (i = 1; i < ctx->nr; i++) {
- aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
- &ctx->rk[i][2], &ctx->rk[i][3]);
- }
-
- return 0;
-}
-
-/*
- * Encrypt a block
- */
-int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
- const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
- unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
-{
- int i;
-
- uint32_t a, b, c, d;
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(input != NULL);
- ARIA_VALIDATE_RET(output != NULL);
-
- a = MBEDTLS_GET_UINT32_LE(input, 0);
- b = MBEDTLS_GET_UINT32_LE(input, 4);
- c = MBEDTLS_GET_UINT32_LE(input, 8);
- d = MBEDTLS_GET_UINT32_LE(input, 12);
-
- i = 0;
- while (1) {
- a ^= ctx->rk[i][0];
- b ^= ctx->rk[i][1];
- c ^= ctx->rk[i][2];
- d ^= ctx->rk[i][3];
- i++;
-
- aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
- aria_a(&a, &b, &c, &d);
-
- a ^= ctx->rk[i][0];
- b ^= ctx->rk[i][1];
- c ^= ctx->rk[i][2];
- d ^= ctx->rk[i][3];
- i++;
-
- aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
- if (i >= ctx->nr) {
- break;
- }
- aria_a(&a, &b, &c, &d);
- }
-
- /* final key mixing */
- a ^= ctx->rk[i][0];
- b ^= ctx->rk[i][1];
- c ^= ctx->rk[i][2];
- d ^= ctx->rk[i][3];
-
- MBEDTLS_PUT_UINT32_LE(a, output, 0);
- MBEDTLS_PUT_UINT32_LE(b, output, 4);
- MBEDTLS_PUT_UINT32_LE(c, output, 8);
- MBEDTLS_PUT_UINT32_LE(d, output, 12);
-
- return 0;
-}
-
-/* Initialize context */
-void mbedtls_aria_init(mbedtls_aria_context *ctx)
-{
- ARIA_VALIDATE(ctx != NULL);
- memset(ctx, 0, sizeof(mbedtls_aria_context));
-}
-
-/* Clear context */
-void mbedtls_aria_free(mbedtls_aria_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/*
- * ARIA-CBC buffer encryption/decryption
- */
-int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output)
-{
- unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
-
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
- mode == MBEDTLS_ARIA_DECRYPT);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(iv != NULL);
-
- if (length % MBEDTLS_ARIA_BLOCKSIZE) {
- return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
- }
-
- if (mode == MBEDTLS_ARIA_DECRYPT) {
- while (length > 0) {
- memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
- mbedtls_aria_crypt_ecb(ctx, input, output);
-
- mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
-
- memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
-
- input += MBEDTLS_ARIA_BLOCKSIZE;
- output += MBEDTLS_ARIA_BLOCKSIZE;
- length -= MBEDTLS_ARIA_BLOCKSIZE;
- }
- } else {
- while (length > 0) {
- mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
-
- mbedtls_aria_crypt_ecb(ctx, output, output);
- memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
-
- input += MBEDTLS_ARIA_BLOCKSIZE;
- output += MBEDTLS_ARIA_BLOCKSIZE;
- length -= MBEDTLS_ARIA_BLOCKSIZE;
- }
- }
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/*
- * ARIA-CFB128 buffer encryption/decryption
- */
-int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output)
-{
- unsigned char c;
- size_t n;
-
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(mode == MBEDTLS_ARIA_ENCRYPT ||
- mode == MBEDTLS_ARIA_DECRYPT);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(iv != NULL);
- ARIA_VALIDATE_RET(iv_off != NULL);
-
- n = *iv_off;
-
- /* An overly large value of n can lead to an unlimited
- * buffer overflow. Therefore, guard against this
- * outside of parameter validation. */
- if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
- return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
- }
-
- if (mode == MBEDTLS_ARIA_DECRYPT) {
- while (length--) {
- if (n == 0) {
- mbedtls_aria_crypt_ecb(ctx, iv, iv);
- }
-
- c = *input++;
- *output++ = c ^ iv[n];
- iv[n] = c;
-
- n = (n + 1) & 0x0F;
- }
- } else {
- while (length--) {
- if (n == 0) {
- mbedtls_aria_crypt_ecb(ctx, iv, iv);
- }
-
- iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
-
- n = (n + 1) & 0x0F;
- }
- }
-
- *iv_off = n;
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/*
- * ARIA-CTR buffer encryption/decryption
- */
-int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
- unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
- const unsigned char *input,
- unsigned char *output)
-{
- int c, i;
- size_t n;
-
- ARIA_VALIDATE_RET(ctx != NULL);
- ARIA_VALIDATE_RET(length == 0 || input != NULL);
- ARIA_VALIDATE_RET(length == 0 || output != NULL);
- ARIA_VALIDATE_RET(nonce_counter != NULL);
- ARIA_VALIDATE_RET(stream_block != NULL);
- ARIA_VALIDATE_RET(nc_off != NULL);
-
- n = *nc_off;
- /* An overly large value of n can lead to an unlimited
- * buffer overflow. Therefore, guard against this
- * outside of parameter validation. */
- if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
- return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
- }
-
- while (length--) {
- if (n == 0) {
- mbedtls_aria_crypt_ecb(ctx, nonce_counter,
- stream_block);
-
- for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
- if (++nonce_counter[i - 1] != 0) {
- break;
- }
- }
- }
- c = *input++;
- *output++ = (unsigned char) (c ^ stream_block[n]);
-
- n = (n + 1) & 0x0F;
- }
-
- *nc_off = n;
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-#endif /* !MBEDTLS_ARIA_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/*
- * Basic ARIA ECB test vectors from RFC 5794
- */
-static const uint8_t aria_test1_ecb_key[32] = // test key
-{
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
-};
-
-static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
-{
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
- 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
-};
-
-static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
-{
- { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
- 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
- { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
- 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
- { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
- 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
-};
-
-/*
- * Mode tests from "Test Vectors for ARIA" Version 1.0
- * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
- */
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
- defined(MBEDTLS_CIPHER_MODE_CTR))
-static const uint8_t aria_test2_key[32] =
-{
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
-};
-
-static const uint8_t aria_test2_pt[48] =
-{
- 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
- 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
- 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
- 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
- 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
- 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
-};
-#endif
-
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
-static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
-{
- 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
- 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
-};
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
-{
- { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
- 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
- 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
- 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
- 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
- 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
- { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
- 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
- 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
- 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
- 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
- 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
- { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
- 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
- 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
- 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
- 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
- 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
-{
- { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
- 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
- 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
- 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
- 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
- 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
- { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
- 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
- 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
- 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
- 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
- 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
- { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
- 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
- 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
- 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
- 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
- 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
-};
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
-{
- { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
- 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
- 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
- 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
- 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
- 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
- { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
- 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
- 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
- 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
- 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
- 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
- { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
- 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
- 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
- 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
- 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
- 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
-};
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#define ARIA_SELF_TEST_ASSERT(cond) \
- do { \
- if (cond) { \
- if (verbose) \
- mbedtls_printf("failed\n"); \
- goto exit; \
- } else { \
- if (verbose) \
- mbedtls_printf("passed\n"); \
- } \
- } while (0)
-
-/*
- * Checkup routine
- */
-int mbedtls_aria_self_test(int verbose)
-{
- int i;
- uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
- mbedtls_aria_context ctx;
- int ret = 1;
-
-#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
- size_t j;
-#endif
-
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
- defined(MBEDTLS_CIPHER_MODE_CFB) || \
- defined(MBEDTLS_CIPHER_MODE_CTR))
- uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
-#endif
-
- mbedtls_aria_init(&ctx);
-
- /*
- * Test set 1
- */
- for (i = 0; i < 3; i++) {
- /* test ECB encryption */
- if (verbose) {
- mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
- mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
- ARIA_SELF_TEST_ASSERT(
- memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
- != 0);
-
- /* test ECB decryption */
- if (verbose) {
- mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
- mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
- ARIA_SELF_TEST_ASSERT(
- memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
- != 0);
- }
- if (verbose) {
- mbedtls_printf("\n");
- }
-
- /*
- * Test set 2
- */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- for (i = 0; i < 3; i++) {
- /* Test CBC encryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
- memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
- memset(buf, 0x55, sizeof(buf));
- mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
- aria_test2_pt, buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
- != 0);
-
- /* Test CBC decryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
- memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
- memset(buf, 0xAA, sizeof(buf));
- mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
- aria_test2_cbc_ct[i], buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
- }
- if (verbose) {
- mbedtls_printf("\n");
- }
-
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- for (i = 0; i < 3; i++) {
- /* Test CFB encryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
- memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
- memset(buf, 0x55, sizeof(buf));
- j = 0;
- mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
- aria_test2_pt, buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
-
- /* Test CFB decryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
- memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
- memset(buf, 0xAA, sizeof(buf));
- j = 0;
- mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
- iv, aria_test2_cfb_ct[i], buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
- }
- if (verbose) {
- mbedtls_printf("\n");
- }
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- for (i = 0; i < 3; i++) {
- /* Test CTR encryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
- memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
- memset(buf, 0x55, sizeof(buf));
- j = 0;
- mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
- aria_test2_pt, buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
-
- /* Test CTR decryption */
- if (verbose) {
- mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
- }
- mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
- memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
- memset(buf, 0xAA, sizeof(buf));
- j = 0;
- mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
- aria_test2_ctr_ct[i], buf);
- ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
- }
- if (verbose) {
- mbedtls_printf("\n");
- }
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
- ret = 0;
-
-exit:
- mbedtls_aria_free(&ctx);
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_ARIA_C */
diff --git a/library/asn1parse.c b/library/asn1parse.c
deleted file mode 100644
index abdd0b1..0000000
--- a/library/asn1parse.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/*
- * Generic ASN.1 parsing
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C)
-
-#include "mbedtls/asn1.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-/*
- * ASN.1 DER decoding routines
- */
-int mbedtls_asn1_get_len(unsigned char **p,
- const unsigned char *end,
- size_t *len)
-{
- if ((end - *p) < 1) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- if ((**p & 0x80) == 0) {
- *len = *(*p)++;
- } else {
- int n = (**p) & 0x7F;
- if (n == 0 || n > 4) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
- if ((end - *p) <= n) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
- *len = 0;
- (*p)++;
- while (n--) {
- *len = (*len << 8) | **p;
- (*p)++;
- }
- }
-
- if (*len > (size_t) (end - *p)) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- return 0;
-}
-
-int mbedtls_asn1_get_tag(unsigned char **p,
- const unsigned char *end,
- size_t *len, int tag)
-{
- if ((end - *p) < 1) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- if (**p != tag) {
- return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
- }
-
- (*p)++;
-
- return mbedtls_asn1_get_len(p, end, len);
-}
-#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-int mbedtls_asn1_get_bool(unsigned char **p,
- const unsigned char *end,
- int *val)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_BOOLEAN)) != 0) {
- return ret;
- }
-
- if (len != 1) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
-
- *val = (**p != 0) ? 1 : 0;
- (*p)++;
-
- return 0;
-}
-
-static int asn1_get_tagged_int(unsigned char **p,
- const unsigned char *end,
- int tag, int *val)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len, tag)) != 0) {
- return ret;
- }
-
- /*
- * len==0 is malformed (0 must be represented as 020100 for INTEGER,
- * or 0A0100 for ENUMERATED tags
- */
- if (len == 0) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
- /* This is a cryptography library. Reject negative integers. */
- if ((**p & 0x80) != 0) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
-
- /* Skip leading zeros. */
- while (len > 0 && **p == 0) {
- ++(*p);
- --len;
- }
-
- /* Reject integers that don't fit in an int. This code assumes that
- * the int type has no padding bit. */
- if (len > sizeof(int)) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
- if (len == sizeof(int) && (**p & 0x80) != 0) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
-
- *val = 0;
- while (len-- > 0) {
- *val = (*val << 8) | **p;
- (*p)++;
- }
-
- return 0;
-}
-
-int mbedtls_asn1_get_int(unsigned char **p,
- const unsigned char *end,
- int *val)
-{
- return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_INTEGER, val);
-}
-
-int mbedtls_asn1_get_enum(unsigned char **p,
- const unsigned char *end,
- int *val)
-{
- return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_ENUMERATED, val);
-}
-
-#if defined(MBEDTLS_BIGNUM_C)
-int mbedtls_asn1_get_mpi(unsigned char **p,
- const unsigned char *end,
- mbedtls_mpi *X)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
- return ret;
- }
-
- ret = mbedtls_mpi_read_binary(X, *p, len);
-
- *p += len;
-
- return ret;
-}
-#endif /* MBEDTLS_BIGNUM_C */
-
-int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
- mbedtls_asn1_bitstring *bs)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Certificate type is a single byte bitstring */
- if ((ret = mbedtls_asn1_get_tag(p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
- return ret;
- }
-
- /* Check length, subtract one for actual bit string length */
- if (bs->len < 1) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
- bs->len -= 1;
-
- /* Get number of unused bits, ensure unused bits <= 7 */
- bs->unused_bits = **p;
- if (bs->unused_bits > 7) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
- (*p)++;
-
- /* Get actual bitstring */
- bs->p = *p;
- *p += bs->len;
-
- if (*p != end) {
- return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
- }
-
- return 0;
-}
-
-/*
- * Traverse an ASN.1 "SEQUENCE OF <tag>"
- * and call a callback for each entry found.
- */
-int mbedtls_asn1_traverse_sequence_of(
- unsigned char **p,
- const unsigned char *end,
- unsigned char tag_must_mask, unsigned char tag_must_val,
- unsigned char tag_may_mask, unsigned char tag_may_val,
- int (*cb)(void *ctx, int tag,
- unsigned char *start, size_t len),
- void *ctx)
-{
- int ret;
- size_t len;
-
- /* Get main sequence tag */
- if ((ret = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return ret;
- }
-
- if (*p + len != end) {
- return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
- }
-
- while (*p < end) {
- unsigned char const tag = *(*p)++;
-
- if ((tag & tag_must_mask) != tag_must_val) {
- return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
- }
-
- if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0) {
- return ret;
- }
-
- if ((tag & tag_may_mask) == tag_may_val) {
- if (cb != NULL) {
- ret = cb(ctx, tag, *p, len);
- if (ret != 0) {
- return ret;
- }
- }
- }
-
- *p += len;
- }
-
- return 0;
-}
-
-/*
- * Get a bit string without unused bits
- */
-int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
- size_t *len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
- return ret;
- }
-
- if (*len == 0) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
- --(*len);
-
- if (**p != 0) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
- ++(*p);
-
- return 0;
-}
-
-void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq)
-{
- while (seq != NULL) {
- mbedtls_asn1_sequence *next = seq->next;
- mbedtls_free(seq);
- seq = next;
- }
-}
-
-typedef struct {
- int tag;
- mbedtls_asn1_sequence *cur;
-} asn1_get_sequence_of_cb_ctx_t;
-
-static int asn1_get_sequence_of_cb(void *ctx,
- int tag,
- unsigned char *start,
- size_t len)
-{
- asn1_get_sequence_of_cb_ctx_t *cb_ctx =
- (asn1_get_sequence_of_cb_ctx_t *) ctx;
- mbedtls_asn1_sequence *cur =
- cb_ctx->cur;
-
- if (cur->buf.p != NULL) {
- cur->next =
- mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
-
- if (cur->next == NULL) {
- return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
- }
-
- cur = cur->next;
- }
-
- cur->buf.p = start;
- cur->buf.len = len;
- cur->buf.tag = tag;
-
- cb_ctx->cur = cur;
- return 0;
-}
-
-/*
- * Parses and splits an ASN.1 "SEQUENCE OF <tag>"
- */
-int mbedtls_asn1_get_sequence_of(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_sequence *cur,
- int tag)
-{
- asn1_get_sequence_of_cb_ctx_t cb_ctx = { tag, cur };
- memset(cur, 0, sizeof(mbedtls_asn1_sequence));
- return mbedtls_asn1_traverse_sequence_of(
- p, end, 0xFF, tag, 0, 0,
- asn1_get_sequence_of_cb, &cb_ctx);
-}
-
-int mbedtls_asn1_get_alg(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return ret;
- }
-
- if ((end - *p) < 1) {
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- alg->tag = **p;
- end = *p + len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &alg->len, MBEDTLS_ASN1_OID)) != 0) {
- return ret;
- }
-
- alg->p = *p;
- *p += alg->len;
-
- if (*p == end) {
- mbedtls_platform_zeroize(params, sizeof(mbedtls_asn1_buf));
- return 0;
- }
-
- params->tag = **p;
- (*p)++;
-
- if ((ret = mbedtls_asn1_get_len(p, end, &params->len)) != 0) {
- return ret;
- }
-
- params->p = *p;
- *p += params->len;
-
- if (*p != end) {
- return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
- }
-
- return 0;
-}
-
-int mbedtls_asn1_get_alg_null(unsigned char **p,
- const unsigned char *end,
- mbedtls_asn1_buf *alg)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_asn1_buf params;
-
- memset(&params, 0, sizeof(mbedtls_asn1_buf));
-
- if ((ret = mbedtls_asn1_get_alg(p, end, alg, &params)) != 0) {
- return ret;
- }
-
- if ((params.tag != MBEDTLS_ASN1_NULL && params.tag != 0) || params.len != 0) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
-
- return 0;
-}
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *cur)
-{
- if (cur == NULL) {
- return;
- }
-
- mbedtls_free(cur->oid.p);
- mbedtls_free(cur->val.p);
-
- mbedtls_platform_zeroize(cur, sizeof(mbedtls_asn1_named_data));
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head)
-{
- mbedtls_asn1_named_data *cur;
-
- while ((cur = *head) != NULL) {
- *head = cur->next;
- mbedtls_free(cur->oid.p);
- mbedtls_free(cur->val.p);
- mbedtls_free(cur);
- }
-}
-
-void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name)
-{
- for (mbedtls_asn1_named_data *next; name != NULL; name = next) {
- next = name->next;
- mbedtls_free(name);
- }
-}
-
-const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
- const char *oid, size_t len)
-{
- while (list != NULL) {
- if (list->oid.len == len &&
- memcmp(list->oid.p, oid, len) == 0) {
- break;
- }
-
- list = list->next;
- }
-
- return list;
-}
-
-#endif /* MBEDTLS_ASN1_PARSE_C */
diff --git a/library/asn1write.c b/library/asn1write.c
deleted file mode 100644
index 2e9b98a..0000000
--- a/library/asn1write.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * ASN.1 buffer writing functionality
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C)
-
-#include "mbedtls/asn1write.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
-#endif
-
-int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, size_t len)
-{
-#if SIZE_MAX > 0xFFFFFFFF
- if (len > 0xFFFFFFFF) {
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
-#endif
-
- int required = 1;
-
- if (len >= 0x80) {
- for (size_t l = len; l != 0; l >>= 8) {
- required++;
- }
- }
-
- if (required > (*p - start)) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- do {
- *--(*p) = MBEDTLS_BYTE_0(len);
- len >>= 8;
- } while (len);
-
- if (required > 1) {
- *--(*p) = (unsigned char) (0x80 + required - 1);
- }
-
- return required;
-}
-
-int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag)
-{
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *--(*p) = tag;
-
- return 1;
-}
-#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */
-
-#if defined(MBEDTLS_ASN1_WRITE_C)
-static int mbedtls_asn1_write_len_and_tag(unsigned char **p,
- const unsigned char *start,
- size_t len,
- unsigned char tag)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, tag));
-
- return (int) len;
-}
-
-int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t size)
-{
- size_t len = 0;
-
- if (*p < start || (size_t) (*p - start) < size) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- len = size;
- (*p) -= len;
- memcpy(*p, buf, len);
-
- return (int) len;
-}
-
-#if defined(MBEDTLS_BIGNUM_C)
-int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start, const mbedtls_mpi *X)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- // Write the MPI
- //
- len = mbedtls_mpi_size(X);
-
- /* DER represents 0 with a sign bit (0=nonnegative) and 7 value bits, not
- * as 0 digits. We need to end up with 020100, not with 0200. */
- if (len == 0) {
- len = 1;
- }
-
- if (*p < start || (size_t) (*p - start) < len) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- (*p) -= len;
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(X, *p, len));
-
- // DER format assumes 2s complement for numbers, so the leftmost bit
- // should be 0 for positive numbers and 1 for negative numbers.
- //
- if (X->s == 1 && **p & 0x80) {
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *--(*p) = 0x00;
- len += 1;
- }
-
- ret = mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_INTEGER);
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_BIGNUM_C */
-
-int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start)
-{
- // Write NULL
- //
- return mbedtls_asn1_write_len_and_tag(p, start, 0, MBEDTLS_ASN1_NULL);
-}
-
-int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
- const char *oid, size_t oid_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
- (const unsigned char *) oid, oid_len));
- return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OID);
-}
-
-int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, const unsigned char *start,
- const char *oid, size_t oid_len,
- size_t par_len)
-{
- return mbedtls_asn1_write_algorithm_identifier_ext(p, start, oid, oid_len, par_len, 1);
-}
-
-int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p, const unsigned char *start,
- const char *oid, size_t oid_len,
- size_t par_len, int has_par)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- if (has_par) {
- if (par_len == 0) {
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_null(p, start));
- } else {
- len += par_len;
- }
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
-
- return mbedtls_asn1_write_len_and_tag(p, start, len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
-}
-
-int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start, int boolean)
-{
- size_t len = 0;
-
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *--(*p) = (boolean) ? 255 : 0;
- len++;
-
- return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BOOLEAN);
-}
-
-static int asn1_write_tagged_int(unsigned char **p, const unsigned char *start, int val, int tag)
-{
- size_t len = 0;
-
- do {
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- len += 1;
- *--(*p) = val & 0xff;
- val >>= 8;
- } while (val > 0);
-
- if (**p & 0x80) {
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- *--(*p) = 0x00;
- len += 1;
- }
-
- return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
-}
-
-int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val)
-{
- return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_INTEGER);
-}
-
-int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val)
-{
- return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_ENUMERATED);
-}
-
-int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start, int tag,
- const char *text, size_t text_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
- (const unsigned char *) text,
- text_len));
-
- return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
-}
-
-int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
- const char *text, size_t text_len)
-{
- return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len);
-}
-
-int mbedtls_asn1_write_printable_string(unsigned char **p, const unsigned char *start,
- const char *text, size_t text_len)
-{
- return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text,
- text_len);
-}
-
-int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
- const char *text, size_t text_len)
-{
- return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len);
-}
-
-int mbedtls_asn1_write_named_bitstring(unsigned char **p,
- const unsigned char *start,
- const unsigned char *buf,
- size_t bits)
-{
- size_t unused_bits, byte_len;
- const unsigned char *cur_byte;
- unsigned char cur_byte_shifted;
- unsigned char bit;
-
- byte_len = (bits + 7) / 8;
- unused_bits = (byte_len * 8) - bits;
-
- /*
- * Named bitstrings require that trailing 0s are excluded in the encoding
- * of the bitstring. Trailing 0s are considered part of the 'unused' bits
- * when encoding this value in the first content octet
- */
- if (bits != 0) {
- cur_byte = buf + byte_len - 1;
- cur_byte_shifted = *cur_byte >> unused_bits;
-
- for (;;) {
- bit = cur_byte_shifted & 0x1;
- cur_byte_shifted >>= 1;
-
- if (bit != 0) {
- break;
- }
-
- bits--;
- if (bits == 0) {
- break;
- }
-
- if (bits % 8 == 0) {
- cur_byte_shifted = *--cur_byte;
- }
- }
- }
-
- return mbedtls_asn1_write_bitstring(p, start, buf, bits);
-}
-
-int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t bits)
-{
- size_t len = 0;
- size_t unused_bits, byte_len;
-
- byte_len = (bits + 7) / 8;
- unused_bits = (byte_len * 8) - bits;
-
- if (*p < start || (size_t) (*p - start) < byte_len + 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- len = byte_len + 1;
-
- /* Write the bitstring. Ensure the unused bits are zeroed */
- if (byte_len > 0) {
- byte_len--;
- *--(*p) = buf[byte_len] & ~((0x1 << unused_bits) - 1);
- (*p) -= byte_len;
- memcpy(*p, buf, byte_len);
- }
-
- /* Write unused bits */
- *--(*p) = (unsigned char) unused_bits;
-
- return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BIT_STRING);
-}
-
-int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
- const unsigned char *buf, size_t size)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, buf, size));
-
- return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OCTET_STRING);
-}
-
-
-#if !defined(MBEDTLS_ASN1_PARSE_C)
-/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
- * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
-static mbedtls_asn1_named_data *asn1_find_named_data(
- mbedtls_asn1_named_data *list,
- const char *oid, size_t len)
-{
- while (list != NULL) {
- if (list->oid.len == len &&
- memcmp(list->oid.p, oid, len) == 0) {
- break;
- }
-
- list = list->next;
- }
-
- return list;
-}
-#else
-#define asn1_find_named_data(list, oid, len) \
- ((mbedtls_asn1_named_data *) mbedtls_asn1_find_named_data(list, oid, len))
-#endif
-
-mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
- mbedtls_asn1_named_data **head,
- const char *oid, size_t oid_len,
- const unsigned char *val,
- size_t val_len)
-{
- mbedtls_asn1_named_data *cur;
-
- if ((cur = asn1_find_named_data(*head, oid, oid_len)) == NULL) {
- // Add new entry if not present yet based on OID
- //
- cur = (mbedtls_asn1_named_data *) mbedtls_calloc(1,
- sizeof(mbedtls_asn1_named_data));
- if (cur == NULL) {
- return NULL;
- }
-
- cur->oid.len = oid_len;
- cur->oid.p = mbedtls_calloc(1, oid_len);
- if (cur->oid.p == NULL) {
- mbedtls_free(cur);
- return NULL;
- }
-
- memcpy(cur->oid.p, oid, oid_len);
-
- cur->val.len = val_len;
- if (val_len != 0) {
- cur->val.p = mbedtls_calloc(1, val_len);
- if (cur->val.p == NULL) {
- mbedtls_free(cur->oid.p);
- mbedtls_free(cur);
- return NULL;
- }
- }
-
- cur->next = *head;
- *head = cur;
- } else if (val_len == 0) {
- mbedtls_free(cur->val.p);
- cur->val.p = NULL;
- } else if (cur->val.len != val_len) {
- /*
- * Enlarge existing value buffer if needed
- * Preserve old data until the allocation succeeded, to leave list in
- * a consistent state in case allocation fails.
- */
- void *p = mbedtls_calloc(1, val_len);
- if (p == NULL) {
- return NULL;
- }
-
- mbedtls_free(cur->val.p);
- cur->val.p = p;
- cur->val.len = val_len;
- }
-
- if (val != NULL && val_len != 0) {
- memcpy(cur->val.p, val, val_len);
- }
-
- return cur;
-}
-#endif /* MBEDTLS_ASN1_WRITE_C */
diff --git a/library/base64.c b/library/base64.c
deleted file mode 100644
index fa22e53..0000000
--- a/library/base64.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/*
- * RFC 1521 base64 encoding/decoding
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <limits.h>
-
-#include "common.h"
-
-#if defined(MBEDTLS_BASE64_C)
-
-#include "mbedtls/base64.h"
-#include "base64_internal.h"
-#include "constant_time_internal.h"
-
-#include <stdint.h>
-
-#if defined(MBEDTLS_SELF_TEST)
-#include <string.h>
-#include "mbedtls/platform.h"
-#endif /* MBEDTLS_SELF_TEST */
-
-MBEDTLS_STATIC_TESTABLE
-unsigned char mbedtls_ct_base64_enc_char(unsigned char value)
-{
- unsigned char digit = 0;
- /* For each range of values, if value is in that range, mask digit with
- * the corresponding value. Since value can only be in a single range,
- * only at most one masking will change digit. */
- digit |= mbedtls_ct_uchar_in_range_if(0, 25, value, 'A' + value);
- digit |= mbedtls_ct_uchar_in_range_if(26, 51, value, 'a' + value - 26);
- digit |= mbedtls_ct_uchar_in_range_if(52, 61, value, '0' + value - 52);
- digit |= mbedtls_ct_uchar_in_range_if(62, 62, value, '+');
- digit |= mbedtls_ct_uchar_in_range_if(63, 63, value, '/');
- return digit;
-}
-
-MBEDTLS_STATIC_TESTABLE
-signed char mbedtls_ct_base64_dec_value(unsigned char c)
-{
- unsigned char val = 0;
- /* For each range of digits, if c is in that range, mask val with
- * the corresponding value. Since c can only be in a single range,
- * only at most one masking will change val. Set val to one plus
- * the desired value so that it stays 0 if c is in none of the ranges. */
- val |= mbedtls_ct_uchar_in_range_if('A', 'Z', c, c - 'A' + 0 + 1);
- val |= mbedtls_ct_uchar_in_range_if('a', 'z', c, c - 'a' + 26 + 1);
- val |= mbedtls_ct_uchar_in_range_if('0', '9', c, c - '0' + 52 + 1);
- val |= mbedtls_ct_uchar_in_range_if('+', '+', c, c - '+' + 62 + 1);
- val |= mbedtls_ct_uchar_in_range_if('/', '/', c, c - '/' + 63 + 1);
- /* At this point, val is 0 if c is an invalid digit and v+1 if c is
- * a digit with the value v. */
- return val - 1;
-}
-
-/*
- * Encode a buffer into base64 format
- */
-int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
- const unsigned char *src, size_t slen)
-{
- size_t i, n;
- int C1, C2, C3;
- unsigned char *p;
-
- if (slen == 0) {
- *olen = 0;
- return 0;
- }
-
- n = slen / 3 + (slen % 3 != 0);
-
- if (n > (SIZE_MAX - 1) / 4) {
- *olen = SIZE_MAX;
- return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
- }
-
- n *= 4;
-
- if ((dlen < n + 1) || (NULL == dst)) {
- *olen = n + 1;
- return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
- }
-
- n = (slen / 3) * 3;
-
- for (i = 0, p = dst; i < n; i += 3) {
- C1 = *src++;
- C2 = *src++;
- C3 = *src++;
-
- *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
- *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
- & 0x3F);
- *p++ = mbedtls_ct_base64_enc_char((((C2 & 15) << 2) + (C3 >> 6))
- & 0x3F);
- *p++ = mbedtls_ct_base64_enc_char(C3 & 0x3F);
- }
-
- if (i < slen) {
- C1 = *src++;
- C2 = ((i + 1) < slen) ? *src++ : 0;
-
- *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
- *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
- & 0x3F);
-
- if ((i + 1) < slen) {
- *p++ = mbedtls_ct_base64_enc_char(((C2 & 15) << 2) & 0x3F);
- } else {
- *p++ = '=';
- }
-
- *p++ = '=';
- }
-
- *olen = p - dst;
- *p = 0;
-
- return 0;
-}
-
-/*
- * Decode a base64-formatted buffer
- */
-int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
- const unsigned char *src, size_t slen)
-{
- size_t i; /* index in source */
- size_t n; /* number of digits or trailing = in source */
- uint32_t x; /* value accumulator */
- unsigned accumulated_digits = 0;
- unsigned equals = 0;
- int spaces_present = 0;
- unsigned char *p;
-
- /* First pass: check for validity and get output length */
- for (i = n = 0; i < slen; i++) {
- /* Skip spaces before checking for EOL */
- spaces_present = 0;
- while (i < slen && src[i] == ' ') {
- ++i;
- spaces_present = 1;
- }
-
- /* Spaces at end of buffer are OK */
- if (i == slen) {
- break;
- }
-
- if ((slen - i) >= 2 &&
- src[i] == '\r' && src[i + 1] == '\n') {
- continue;
- }
-
- if (src[i] == '\n') {
- continue;
- }
-
- /* Space inside a line is an error */
- if (spaces_present) {
- return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
- }
-
- if (src[i] > 127) {
- return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
- }
-
- if (src[i] == '=') {
- if (++equals > 2) {
- return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
- }
- } else {
- if (equals != 0) {
- return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
- }
- if (mbedtls_ct_base64_dec_value(src[i]) < 0) {
- return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
- }
- }
- n++;
- }
-
- if (n == 0) {
- *olen = 0;
- return 0;
- }
-
- /* The following expression is to calculate the following formula without
- * risk of integer overflow in n:
- * n = ( ( n * 6 ) + 7 ) >> 3;
- */
- n = (6 * (n >> 3)) + ((6 * (n & 0x7) + 7) >> 3);
- n -= equals;
-
- if (dst == NULL || dlen < n) {
- *olen = n;
- return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
- }
-
- equals = 0;
- for (x = 0, p = dst; i > 0; i--, src++) {
- if (*src == '\r' || *src == '\n' || *src == ' ') {
- continue;
- }
-
- x = x << 6;
- if (*src == '=') {
- ++equals;
- } else {
- x |= mbedtls_ct_base64_dec_value(*src);
- }
-
- if (++accumulated_digits == 4) {
- accumulated_digits = 0;
- *p++ = MBEDTLS_BYTE_2(x);
- if (equals <= 1) {
- *p++ = MBEDTLS_BYTE_1(x);
- }
- if (equals <= 0) {
- *p++ = MBEDTLS_BYTE_0(x);
- }
- }
- }
-
- *olen = p - dst;
-
- return 0;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-
-static const unsigned char base64_test_dec[64] =
-{
- 0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
- 0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
- 0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
- 0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
- 0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
- 0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
- 0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
- 0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
-};
-
-static const unsigned char base64_test_enc[] =
- "JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
- "swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
-
-/*
- * Checkup routine
- */
-int mbedtls_base64_self_test(int verbose)
-{
- size_t len;
- const unsigned char *src;
- unsigned char buffer[128];
-
- if (verbose != 0) {
- mbedtls_printf(" Base64 encoding test: ");
- }
-
- src = base64_test_dec;
-
- if (mbedtls_base64_encode(buffer, sizeof(buffer), &len, src, 64) != 0 ||
- memcmp(base64_test_enc, buffer, 88) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return 1;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n Base64 decoding test: ");
- }
-
- src = base64_test_enc;
-
- if (mbedtls_base64_decode(buffer, sizeof(buffer), &len, src, 88) != 0 ||
- memcmp(base64_test_dec, buffer, 64) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return 1;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_BASE64_C */
diff --git a/library/base64_internal.h b/library/base64_internal.h
deleted file mode 100644
index f9f56d7..0000000
--- a/library/base64_internal.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * \file base64_internal.h
- *
- * \brief RFC 1521 base64 encoding/decoding: interfaces for invasive testing
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_BASE64_INTERNAL
-#define MBEDTLS_BASE64_INTERNAL
-
-#include "common.h"
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-/** Given a value in the range 0..63, return the corresponding Base64 digit.
- *
- * The implementation assumes that letters are consecutive (e.g. ASCII
- * but not EBCDIC).
- *
- * \param value A value in the range 0..63.
- *
- * \return A base64 digit converted from \p value.
- */
-unsigned char mbedtls_ct_base64_enc_char(unsigned char value);
-
-/** Given a Base64 digit, return its value.
- *
- * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'),
- * return -1.
- *
- * The implementation assumes that letters are consecutive (e.g. ASCII
- * but not EBCDIC).
- *
- * \param c A base64 digit.
- *
- * \return The value of the base64 digit \p c.
- */
-signed char mbedtls_ct_base64_dec_value(unsigned char c);
-
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#endif /* MBEDTLS_BASE64_INTERNAL */
diff --git a/library/bignum.c b/library/bignum.c
deleted file mode 100644
index 7c265e0..0000000
--- a/library/bignum.c
+++ /dev/null
@@ -1,2818 +0,0 @@
-/*
- * Multi-precision integer library
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The following sources were referenced in the design of this Multi-precision
- * Integer library:
- *
- * [1] Handbook of Applied Cryptography - 1997
- * Menezes, van Oorschot and Vanstone
- *
- * [2] Multi-Precision Math
- * Tom St Denis
- * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
- *
- * [3] GNU Multi-Precision Arithmetic Library
- * https://gmplib.org/manual/index.html
- *
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-#include "mbedtls/bignum.h"
-#include "bignum_core.h"
-#include "bn_mul.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "constant_time_internal.h"
-
-#include <limits.h>
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#define MPI_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA)
-#define MPI_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
-/*
- * Compare signed values in constant time
- */
-int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
- const mbedtls_mpi *Y,
- unsigned *ret)
-{
- mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
- MPI_VALIDATE_RET(ret != NULL);
-
- if (X->n != Y->n) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- /*
- * Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
- * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
- */
- X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
- Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
-
- /*
- * If the signs are different, then the positive operand is the bigger.
- * That is if X is negative (X_is_negative == 1), then X < Y is true and it
- * is false if X is positive (X_is_negative == 0).
- */
- different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
- result = mbedtls_ct_bool_and(different_sign, X_is_negative);
-
- /*
- * Assuming signs are the same, compare X and Y. We switch the comparison
- * order if they are negative so that we get the right result, regardles of
- * sign.
- */
-
- /* This array is used to conditionally swap the pointers in const time */
- void * const p[2] = { X->p, Y->p };
- size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
- mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
-
- /*
- * Store in result iff the signs are the same (i.e., iff different_sign == false). If
- * the signs differ, result has already been set, so we don't change it.
- */
- result = mbedtls_ct_bool_or(result,
- mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
-
- *ret = mbedtls_ct_uint_if_else_0(result, 1);
-
- return 0;
-}
-
-/*
- * Conditionally assign X = Y, without leaking information
- * about whether the assignment was made or not.
- * (Leaking information about the respective sizes of X and Y is ok however.)
- */
-#if defined(_MSC_VER) && defined(_M_ARM64) && (_MSC_FULL_VER < 193131103)
-/*
- * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
- * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
- */
-__declspec(noinline)
-#endif
-int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
- const mbedtls_mpi *Y,
- unsigned char assign)
-{
- int ret = 0;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
-
- {
- mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
-
- X->s = (int) mbedtls_ct_uint_if(do_assign, Y->s, X->s);
-
- mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
-
- mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
- for (size_t i = Y->n; i < X->n; i++) {
- X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
- }
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Conditionally swap X and Y, without leaking information
- * about whether the swap was made or not.
- * Here it is not ok to simply swap the pointers, which would lead to
- * different memory access patterns when X and Y are used afterwards.
- */
-int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
- mbedtls_mpi *Y,
- unsigned char swap)
-{
- int ret = 0;
- int s;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
-
- if (X == Y) {
- return 0;
- }
-
- mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
-
- s = X->s;
- X->s = (int) mbedtls_ct_uint_if(do_swap, Y->s, X->s);
- Y->s = (int) mbedtls_ct_uint_if(do_swap, s, Y->s);
-
- mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
-
-cleanup:
- return ret;
-}
-
-/* Implementation that should never be optimized out by the compiler */
-#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
-
-/*
- * Initialize one MPI
- */
-void mbedtls_mpi_init(mbedtls_mpi *X)
-{
- MPI_VALIDATE(X != NULL);
-
- X->s = 1;
- X->n = 0;
- X->p = NULL;
-}
-
-/*
- * Unallocate one MPI
- */
-void mbedtls_mpi_free(mbedtls_mpi *X)
-{
- if (X == NULL) {
- return;
- }
-
- if (X->p != NULL) {
- mbedtls_mpi_zeroize_and_free(X->p, X->n);
- }
-
- X->s = 1;
- X->n = 0;
- X->p = NULL;
-}
-
-/*
- * Enlarge to the specified number of limbs
- */
-int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
-{
- mbedtls_mpi_uint *p;
- MPI_VALIDATE_RET(X != NULL);
-
- if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- if (X->n < nblimbs) {
- if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- if (X->p != NULL) {
- memcpy(p, X->p, X->n * ciL);
- mbedtls_mpi_zeroize_and_free(X->p, X->n);
- }
-
- /* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
- * fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
- X->n = (unsigned short) nblimbs;
- X->p = p;
- }
-
- return 0;
-}
-
-/*
- * Resize down as much as possible,
- * while keeping at least the specified number of limbs
- */
-int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
-{
- mbedtls_mpi_uint *p;
- size_t i;
- MPI_VALIDATE_RET(X != NULL);
-
- if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- /* Actually resize up if there are currently fewer than nblimbs limbs. */
- if (X->n <= nblimbs) {
- return mbedtls_mpi_grow(X, nblimbs);
- }
- /* After this point, then X->n > nblimbs and in particular X->n > 0. */
-
- for (i = X->n - 1; i > 0; i--) {
- if (X->p[i] != 0) {
- break;
- }
- }
- i++;
-
- if (i < nblimbs) {
- i = nblimbs;
- }
-
- if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- if (X->p != NULL) {
- memcpy(p, X->p, i * ciL);
- mbedtls_mpi_zeroize_and_free(X->p, X->n);
- }
-
- /* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
- * fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
- X->n = (unsigned short) i;
- X->p = p;
-
- return 0;
-}
-
-/* Resize X to have exactly n limbs and set it to 0. */
-static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
-{
- if (limbs == 0) {
- mbedtls_mpi_free(X);
- return 0;
- } else if (X->n == limbs) {
- memset(X->p, 0, limbs * ciL);
- X->s = 1;
- return 0;
- } else {
- mbedtls_mpi_free(X);
- return mbedtls_mpi_grow(X, limbs);
- }
-}
-
-/*
- * Copy the contents of Y into X.
- *
- * This function is not constant-time. Leading zeros in Y may be removed.
- *
- * Ensure that X does not shrink. This is not guaranteed by the public API,
- * but some code in the bignum module relies on this property, for example
- * in mbedtls_mpi_exp_mod().
- */
-int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
-{
- int ret = 0;
- size_t i;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
-
- if (X == Y) {
- return 0;
- }
-
- if (Y->n == 0) {
- if (X->n != 0) {
- X->s = 1;
- memset(X->p, 0, X->n * ciL);
- }
- return 0;
- }
-
- for (i = Y->n - 1; i > 0; i--) {
- if (Y->p[i] != 0) {
- break;
- }
- }
- i++;
-
- X->s = Y->s;
-
- if (X->n < i) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
- } else {
- memset(X->p + i, 0, (X->n - i) * ciL);
- }
-
- memcpy(X->p, Y->p, i * ciL);
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Swap the contents of X and Y
- */
-void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
-{
- mbedtls_mpi T;
- MPI_VALIDATE(X != NULL);
- MPI_VALIDATE(Y != NULL);
-
- memcpy(&T, X, sizeof(mbedtls_mpi));
- memcpy(X, Y, sizeof(mbedtls_mpi));
- memcpy(Y, &T, sizeof(mbedtls_mpi));
-}
-
-static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
-{
- if (z >= 0) {
- return z;
- }
- /* Take care to handle the most negative value (-2^(biL-1)) correctly.
- * A naive -z would have undefined behavior.
- * Write this in a way that makes popular compilers happy (GCC, Clang,
- * MSVC). */
- return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
-}
-
-/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
- * This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
-#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
-
-/*
- * Set value from integer
- */
-int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MPI_VALIDATE_RET(X != NULL);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
- memset(X->p, 0, X->n * ciL);
-
- X->p[0] = mpi_sint_abs(z);
- X->s = TO_SIGN(z);
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Get a specific bit
- */
-int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
-{
- MPI_VALIDATE_RET(X != NULL);
-
- if (X->n * biL <= pos) {
- return 0;
- }
-
- return (X->p[pos / biL] >> (pos % biL)) & 0x01;
-}
-
-/*
- * Set a bit to a specific value of 0 or 1
- */
-int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
-{
- int ret = 0;
- size_t off = pos / biL;
- size_t idx = pos % biL;
- MPI_VALIDATE_RET(X != NULL);
-
- if (val != 0 && val != 1) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (X->n * biL <= pos) {
- if (val == 0) {
- return 0;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
- }
-
- X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
- X->p[off] |= (mbedtls_mpi_uint) val << idx;
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Return the number of less significant zero-bits
- */
-size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
-{
- size_t i;
- MBEDTLS_INTERNAL_VALIDATE_RET(X != NULL, 0);
-
-#if defined(__has_builtin)
-#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
- #define mbedtls_mpi_uint_ctz __builtin_ctz
-#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
- #define mbedtls_mpi_uint_ctz __builtin_ctzl
-#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
- #define mbedtls_mpi_uint_ctz __builtin_ctzll
-#endif
-#endif
-
-#if defined(mbedtls_mpi_uint_ctz)
- for (i = 0; i < X->n; i++) {
- if (X->p[i] != 0) {
- return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
- }
- }
-#else
- size_t count = 0;
- for (i = 0; i < X->n; i++) {
- for (size_t j = 0; j < biL; j++, count++) {
- if (((X->p[i] >> j) & 1) != 0) {
- return count;
- }
- }
- }
-#endif
-
- return 0;
-}
-
-/*
- * Return the number of bits
- */
-size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
-{
- return mbedtls_mpi_core_bitlen(X->p, X->n);
-}
-
-/*
- * Return the total size in bytes
- */
-size_t mbedtls_mpi_size(const mbedtls_mpi *X)
-{
- return (mbedtls_mpi_bitlen(X) + 7) >> 3;
-}
-
-/*
- * Convert an ASCII character to digit value
- */
-static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
-{
- *d = 255;
-
- if (c >= 0x30 && c <= 0x39) {
- *d = c - 0x30;
- }
- if (c >= 0x41 && c <= 0x46) {
- *d = c - 0x37;
- }
- if (c >= 0x61 && c <= 0x66) {
- *d = c - 0x57;
- }
-
- if (*d >= (mbedtls_mpi_uint) radix) {
- return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
- }
-
- return 0;
-}
-
-/*
- * Import from an ASCII string
- */
-int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, j, slen, n;
- int sign = 1;
- mbedtls_mpi_uint d;
- mbedtls_mpi T;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(s != NULL);
-
- if (radix < 2 || radix > 16) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&T);
-
- if (s[0] == 0) {
- mbedtls_mpi_free(X);
- return 0;
- }
-
- if (s[0] == '-') {
- ++s;
- sign = -1;
- }
-
- slen = strlen(s);
-
- if (radix == 16) {
- if (slen > SIZE_MAX >> 2) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- n = BITS_TO_LIMBS(slen << 2);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
-
- for (i = slen, j = 0; i > 0; i--, j++) {
- MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
- X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);
- }
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
-
- for (i = 0; i < slen; i++) {
- MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
- }
- }
-
- if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
- X->s = -1;
- }
-
-cleanup:
-
- mbedtls_mpi_free(&T);
-
- return ret;
-}
-
-/*
- * Helper to write the digits high-order first.
- */
-static int mpi_write_hlp(mbedtls_mpi *X, int radix,
- char **p, const size_t buflen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_uint r;
- size_t length = 0;
- char *p_end = *p + buflen;
-
- do {
- if (length >= buflen) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
- /*
- * Write the residue in the current position, as an ASCII character.
- */
- if (r < 0xA) {
- *(--p_end) = (char) ('0' + r);
- } else {
- *(--p_end) = (char) ('A' + (r - 0xA));
- }
-
- length++;
- } while (mbedtls_mpi_cmp_int(X, 0) != 0);
-
- memmove(*p, p_end, length);
- *p += length;
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Export into an ASCII string
- */
-int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
- char *buf, size_t buflen, size_t *olen)
-{
- int ret = 0;
- size_t n;
- char *p;
- mbedtls_mpi T;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(olen != NULL);
- MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
-
- if (radix < 2 || radix > 16) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
- if (radix >= 4) {
- n >>= 1; /* Number of 4-adic digits necessary to present
- * `n`. If radix > 4, this might be a strict
- * overapproximation of the number of
- * radix-adic digits needed to present `n`. */
- }
- if (radix >= 16) {
- n >>= 1; /* Number of hexadecimal digits necessary to
- * present `n`. */
-
- }
- n += 1; /* Terminating null byte */
- n += 1; /* Compensate for the divisions above, which round down `n`
- * in case it's not even. */
- n += 1; /* Potential '-'-sign. */
- n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
- * which always uses an even number of hex-digits. */
-
- if (buflen < n) {
- *olen = n;
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
-
- p = buf;
- mbedtls_mpi_init(&T);
-
- if (X->s == -1) {
- *p++ = '-';
- buflen--;
- }
-
- if (radix == 16) {
- int c;
- size_t i, j, k;
-
- for (i = X->n, k = 0; i > 0; i--) {
- for (j = ciL; j > 0; j--) {
- c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
-
- if (c == 0 && k == 0 && (i + j) != 2) {
- continue;
- }
-
- *(p++) = "0123456789ABCDEF" [c / 16];
- *(p++) = "0123456789ABCDEF" [c % 16];
- k = 1;
- }
- }
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
-
- if (T.s == -1) {
- T.s = 1;
- }
-
- MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
- }
-
- *p++ = '\0';
- *olen = p - buf;
-
-cleanup:
-
- mbedtls_mpi_free(&T);
-
- return ret;
-}
-
-#if defined(MBEDTLS_FS_IO)
-/*
- * Read X from an opened file
- */
-int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)
-{
- mbedtls_mpi_uint d;
- size_t slen;
- char *p;
- /*
- * Buffer should have space for (short) label and decimal formatted MPI,
- * newline characters and '\0'
- */
- char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(fin != NULL);
-
- if (radix < 2 || radix > 16) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- memset(s, 0, sizeof(s));
- if (fgets(s, sizeof(s) - 1, fin) == NULL) {
- return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
- }
-
- slen = strlen(s);
- if (slen == sizeof(s) - 2) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
-
- if (slen > 0 && s[slen - 1] == '\n') {
- slen--; s[slen] = '\0';
- }
- if (slen > 0 && s[slen - 1] == '\r') {
- slen--; s[slen] = '\0';
- }
-
- p = s + slen;
- while (p-- > s) {
- if (mpi_get_digit(&d, radix, *p) != 0) {
- break;
- }
- }
-
- return mbedtls_mpi_read_string(X, radix, p + 1);
-}
-
-/*
- * Write X into an opened file (or stdout if fout == NULL)
- */
-int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n, slen, plen;
- /*
- * Buffer should have space for (short) label and decimal formatted MPI,
- * newline characters and '\0'
- */
- char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
- MPI_VALIDATE_RET(X != NULL);
-
- if (radix < 2 || radix > 16) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- memset(s, 0, sizeof(s));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
-
- if (p == NULL) {
- p = "";
- }
-
- plen = strlen(p);
- slen = strlen(s);
- s[slen++] = '\r';
- s[slen++] = '\n';
-
- if (fout != NULL) {
- if (fwrite(p, 1, plen, fout) != plen ||
- fwrite(s, 1, slen, fout) != slen) {
- return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
- }
- } else {
- mbedtls_printf("%s%s", p, s);
- }
-
-cleanup:
-
- return ret;
-}
-#endif /* MBEDTLS_FS_IO */
-
-/*
- * Import X from unsigned binary data, little endian
- *
- * This function is guaranteed to return an MPI with exactly the necessary
- * number of limbs (in particular, it does not skip 0s in the input).
- */
-int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
- const unsigned char *buf, size_t buflen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const size_t limbs = CHARS_TO_LIMBS(buflen);
-
- /* Ensure that target MPI has exactly the necessary number of limbs */
- MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
-
-cleanup:
-
- /*
- * This function is also used to import keys. However, wiping the buffers
- * upon failure is not necessary because failure only can happen before any
- * input is copied.
- */
- return ret;
-}
-
-/*
- * Import X from unsigned binary data, big endian
- *
- * This function is guaranteed to return an MPI with exactly the necessary
- * number of limbs (in particular, it does not skip 0s in the input).
- */
-int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const size_t limbs = CHARS_TO_LIMBS(buflen);
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(buflen == 0 || buf != NULL);
-
- /* Ensure that target MPI has exactly the necessary number of limbs */
- MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
-
-cleanup:
-
- /*
- * This function is also used to import keys. However, wiping the buffers
- * upon failure is not necessary because failure only can happen before any
- * input is copied.
- */
- return ret;
-}
-
-/*
- * Export X into unsigned binary data, little endian
- */
-int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
- unsigned char *buf, size_t buflen)
-{
- return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
-}
-
-/*
- * Export X into unsigned binary data, big endian
- */
-int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
- unsigned char *buf, size_t buflen)
-{
- return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
-}
-
-/*
- * Left-shift: X <<= count
- */
-int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- MPI_VALIDATE_RET(X != NULL);
-
- i = mbedtls_mpi_bitlen(X) + count;
-
- if (X->n * biL < i) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
- }
-
- ret = 0;
-
- mbedtls_mpi_core_shift_l(X->p, X->n, count);
-cleanup:
-
- return ret;
-}
-
-/*
- * Right-shift: X >>= count
- */
-int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
-{
- MPI_VALIDATE_RET(X != NULL);
- if (X->n != 0) {
- mbedtls_mpi_core_shift_r(X->p, X->n, count);
- }
- return 0;
-}
-
-/*
- * Compare unsigned values
- */
-int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
-{
- size_t i, j;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
-
- for (i = X->n; i > 0; i--) {
- if (X->p[i - 1] != 0) {
- break;
- }
- }
-
- for (j = Y->n; j > 0; j--) {
- if (Y->p[j - 1] != 0) {
- break;
- }
- }
-
- /* If i == j == 0, i.e. abs(X) == abs(Y),
- * we end up returning 0 at the end of the function. */
-
- if (i > j) {
- return 1;
- }
- if (j > i) {
- return -1;
- }
-
- for (; i > 0; i--) {
- if (X->p[i - 1] > Y->p[i - 1]) {
- return 1;
- }
- if (X->p[i - 1] < Y->p[i - 1]) {
- return -1;
- }
- }
-
- return 0;
-}
-
-/*
- * Compare signed values
- */
-int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
-{
- size_t i, j;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(Y != NULL);
-
- for (i = X->n; i > 0; i--) {
- if (X->p[i - 1] != 0) {
- break;
- }
- }
-
- for (j = Y->n; j > 0; j--) {
- if (Y->p[j - 1] != 0) {
- break;
- }
- }
-
- if (i == 0 && j == 0) {
- return 0;
- }
-
- if (i > j) {
- return X->s;
- }
- if (j > i) {
- return -Y->s;
- }
-
- if (X->s > 0 && Y->s < 0) {
- return 1;
- }
- if (Y->s > 0 && X->s < 0) {
- return -1;
- }
-
- for (; i > 0; i--) {
- if (X->p[i - 1] > Y->p[i - 1]) {
- return X->s;
- }
- if (X->p[i - 1] < Y->p[i - 1]) {
- return -X->s;
- }
- }
-
- return 0;
-}
-
-/*
- * Compare signed values
- */
-int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
-{
- mbedtls_mpi Y;
- mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
-
- *p = mpi_sint_abs(z);
- Y.s = TO_SIGN(z);
- Y.n = 1;
- Y.p = p;
-
- return mbedtls_mpi_cmp_mpi(X, &Y);
-}
-
-/*
- * Unsigned addition: X = |A| + |B| (HAC 14.7)
- */
-int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t j;
- mbedtls_mpi_uint *p;
- mbedtls_mpi_uint c;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- if (X == B) {
- const mbedtls_mpi *T = A; A = X; B = T;
- }
-
- if (X != A) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
- }
-
- /*
- * X must always be positive as a result of unsigned additions.
- */
- X->s = 1;
-
- for (j = B->n; j > 0; j--) {
- if (B->p[j - 1] != 0) {
- break;
- }
- }
-
- /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
- * and B is 0 (of any size). */
- if (j == 0) {
- return 0;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
-
- /* j is the number of non-zero limbs of B. Add those to X. */
-
- p = X->p;
-
- c = mbedtls_mpi_core_add(p, p, B->p, j);
-
- p += j;
-
- /* Now propagate any carry */
-
- while (c != 0) {
- if (j >= X->n) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
- p = X->p + j;
- }
-
- *p += c; c = (*p < c); j++; p++;
- }
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
- */
-int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
- mbedtls_mpi_uint carry;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- for (n = B->n; n > 0; n--) {
- if (B->p[n - 1] != 0) {
- break;
- }
- }
- if (n > A->n) {
- /* B >= (2^ciL)^n > A */
- ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
-
- /* Set the high limbs of X to match A. Don't touch the lower limbs
- * because X might be aliased to B, and we must not overwrite the
- * significant digits of B. */
- if (A->n > n && A != X) {
- memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
- }
- if (X->n > A->n) {
- memset(X->p + A->n, 0, (X->n - A->n) * ciL);
- }
-
- carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
- if (carry != 0) {
- /* Propagate the carry through the rest of X. */
- carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
-
- /* If we have further carry/borrow, the result is negative. */
- if (carry != 0) {
- ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
- goto cleanup;
- }
- }
-
- /* X should always be positive as a result of unsigned subtractions. */
- X->s = 1;
-
-cleanup:
- return ret;
-}
-
-/* Common function for signed addition and subtraction.
- * Calculate A + B * flip_B where flip_B is 1 or -1.
- */
-static int add_sub_mpi(mbedtls_mpi *X,
- const mbedtls_mpi *A, const mbedtls_mpi *B,
- int flip_B)
-{
- int ret, s;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- s = A->s;
- if (A->s * B->s * flip_B < 0) {
- int cmp = mbedtls_mpi_cmp_abs(A, B);
- if (cmp >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
- /* If |A| = |B|, the result is 0 and we must set the sign bit
- * to +1 regardless of which of A or B was negative. Otherwise,
- * since |A| > |B|, the sign is the sign of A. */
- X->s = cmp == 0 ? 1 : s;
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
- /* Since |A| < |B|, the sign is the opposite of A. */
- X->s = -s;
- }
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
- X->s = s;
- }
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Signed addition: X = A + B
- */
-int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- return add_sub_mpi(X, A, B, 1);
-}
-
-/*
- * Signed subtraction: X = A - B
- */
-int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- return add_sub_mpi(X, A, B, -1);
-}
-
-/*
- * Signed addition: X = A + b
- */
-int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
-{
- mbedtls_mpi B;
- mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
-
- p[0] = mpi_sint_abs(b);
- B.s = TO_SIGN(b);
- B.n = 1;
- B.p = p;
-
- return mbedtls_mpi_add_mpi(X, A, &B);
-}
-
-/*
- * Signed subtraction: X = A - b
- */
-int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
-{
- mbedtls_mpi B;
- mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
-
- p[0] = mpi_sint_abs(b);
- B.s = TO_SIGN(b);
- B.n = 1;
- B.p = p;
-
- return mbedtls_mpi_sub_mpi(X, A, &B);
-}
-
-/*
- * Baseline multiplication: X = A * B (HAC 14.12)
- */
-int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, j;
- mbedtls_mpi TA, TB;
- int result_is_zero = 0;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- mbedtls_mpi_init(&TA);
- mbedtls_mpi_init(&TB);
-
- if (X == A) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
- }
- if (X == B) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
- }
-
- for (i = A->n; i > 0; i--) {
- if (A->p[i - 1] != 0) {
- break;
- }
- }
- if (i == 0) {
- result_is_zero = 1;
- }
-
- for (j = B->n; j > 0; j--) {
- if (B->p[j - 1] != 0) {
- break;
- }
- }
- if (j == 0) {
- result_is_zero = 1;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
-
- mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
-
- /* If the result is 0, we don't shortcut the operation, which reduces
- * but does not eliminate side channels leaking the zero-ness. We do
- * need to take care to set the sign bit properly since the library does
- * not fully support an MPI object with a value of 0 and s == -1. */
- if (result_is_zero) {
- X->s = 1;
- } else {
- X->s = A->s * B->s;
- }
-
-cleanup:
-
- mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
-
- return ret;
-}
-
-/*
- * Baseline multiplication: X = A * b
- */
-int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
-{
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
-
- size_t n = A->n;
- while (n > 0 && A->p[n - 1] == 0) {
- --n;
- }
-
- /* The general method below doesn't work if b==0. */
- if (b == 0 || n == 0) {
- return mbedtls_mpi_lset(X, 0);
- }
-
- /* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- /* In general, A * b requires 1 limb more than b. If
- * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
- * number of limbs as A and the call to grow() is not required since
- * copy() will take care of the growth if needed. However, experimentally,
- * making the call to grow() unconditional causes slightly fewer
- * calls to calloc() in ECP code, presumably because it reuses the
- * same mpi for a while and this way the mpi is more likely to directly
- * grow to its final size.
- *
- * Note that calculating A*b as 0 + A*b doesn't work as-is because
- * A,X can be the same. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
- mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
-
-cleanup:
- return ret;
-}
-
-/*
- * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
- * mbedtls_mpi_uint divisor, d
- */
-static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
- mbedtls_mpi_uint u0,
- mbedtls_mpi_uint d,
- mbedtls_mpi_uint *r)
-{
-#if defined(MBEDTLS_HAVE_UDBL)
- mbedtls_t_udbl dividend, quotient;
-#else
- const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
- const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
- mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
- mbedtls_mpi_uint u0_msw, u0_lsw;
- size_t s;
-#endif
-
- /*
- * Check for overflow
- */
- if (0 == d || u1 >= d) {
- if (r != NULL) {
- *r = ~(mbedtls_mpi_uint) 0u;
- }
-
- return ~(mbedtls_mpi_uint) 0u;
- }
-
-#if defined(MBEDTLS_HAVE_UDBL)
- dividend = (mbedtls_t_udbl) u1 << biL;
- dividend |= (mbedtls_t_udbl) u0;
- quotient = dividend / d;
- if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
- quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
- }
-
- if (r != NULL) {
- *r = (mbedtls_mpi_uint) (dividend - (quotient * d));
- }
-
- return (mbedtls_mpi_uint) quotient;
-#else
-
- /*
- * Algorithm D, Section 4.3.1 - The Art of Computer Programming
- * Vol. 2 - Seminumerical Algorithms, Knuth
- */
-
- /*
- * Normalize the divisor, d, and dividend, u0, u1
- */
- s = mbedtls_mpi_core_clz(d);
- d = d << s;
-
- u1 = u1 << s;
- u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
- u0 = u0 << s;
-
- d1 = d >> biH;
- d0 = d & uint_halfword_mask;
-
- u0_msw = u0 >> biH;
- u0_lsw = u0 & uint_halfword_mask;
-
- /*
- * Find the first quotient and remainder
- */
- q1 = u1 / d1;
- r0 = u1 - d1 * q1;
-
- while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {
- q1 -= 1;
- r0 += d1;
-
- if (r0 >= radix) {
- break;
- }
- }
-
- rAX = (u1 * radix) + (u0_msw - q1 * d);
- q0 = rAX / d1;
- r0 = rAX - q0 * d1;
-
- while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {
- q0 -= 1;
- r0 += d1;
-
- if (r0 >= radix) {
- break;
- }
- }
-
- if (r != NULL) {
- *r = (rAX * radix + u0_lsw - q0 * d) >> s;
- }
-
- quotient = q1 * radix + q0;
-
- return quotient;
-#endif
-}
-
-/*
- * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
- */
-int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
- const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, n, t, k;
- mbedtls_mpi X, Y, Z, T1, T2;
- mbedtls_mpi_uint TP2[3];
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- if (mbedtls_mpi_cmp_int(B, 0) == 0) {
- return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
- }
-
- mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
- mbedtls_mpi_init(&T1);
- /*
- * Avoid dynamic memory allocations for constant-size T2.
- *
- * T2 is used for comparison only and the 3 limbs are assigned explicitly,
- * so nobody increase the size of the MPI and we're safe to use an on-stack
- * buffer.
- */
- T2.s = 1;
- T2.n = sizeof(TP2) / sizeof(*TP2);
- T2.p = TP2;
-
- if (mbedtls_mpi_cmp_abs(A, B) < 0) {
- if (Q != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
- }
- if (R != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
- }
- return 0;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
- X.s = Y.s = 1;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
-
- k = mbedtls_mpi_bitlen(&Y) % biL;
- if (k < biL - 1) {
- k = biL - 1 - k;
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
- } else {
- k = 0;
- }
-
- n = X.n - 1;
- t = Y.n - 1;
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
-
- while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
- Z.p[n - t]++;
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
- }
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
-
- for (i = n; i > t; i--) {
- if (X.p[i] >= Y.p[t]) {
- Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
- } else {
- Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
- Y.p[t], NULL);
- }
-
- T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
- T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
- T2.p[2] = X.p[i];
-
- Z.p[i - t - 1]++;
- do {
- Z.p[i - t - 1]--;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
- T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
- T1.p[1] = Y.p[t];
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
- } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
-
- if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
- Z.p[i - t - 1]--;
- }
- }
-
- if (Q != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
- Q->s = A->s * B->s;
- }
-
- if (R != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
- X.s = A->s;
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
-
- if (mbedtls_mpi_cmp_int(R, 0) == 0) {
- R->s = 1;
- }
- }
-
-cleanup:
-
- mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
- mbedtls_mpi_free(&T1);
- mbedtls_platform_zeroize(TP2, sizeof(TP2));
-
- return ret;
-}
-
-/*
- * Division by int: A = Q * b + R
- */
-int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
- const mbedtls_mpi *A,
- mbedtls_mpi_sint b)
-{
- mbedtls_mpi B;
- mbedtls_mpi_uint p[1];
- MPI_VALIDATE_RET(A != NULL);
-
- p[0] = mpi_sint_abs(b);
- B.s = TO_SIGN(b);
- B.n = 1;
- B.p = p;
-
- return mbedtls_mpi_div_mpi(Q, R, A, &B);
-}
-
-/*
- * Modulo: R = A mod B
- */
-int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MPI_VALIDATE_RET(R != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- if (mbedtls_mpi_cmp_int(B, 0) < 0) {
- return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
-
- while (mbedtls_mpi_cmp_int(R, 0) < 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
- }
-
- while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
- }
-
-cleanup:
-
- return ret;
-}
-
-/*
- * Modulo: r = A mod b
- */
-int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)
-{
- size_t i;
- mbedtls_mpi_uint x, y, z;
- MPI_VALIDATE_RET(r != NULL);
- MPI_VALIDATE_RET(A != NULL);
-
- if (b == 0) {
- return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
- }
-
- if (b < 0) {
- return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
- }
-
- /*
- * handle trivial cases
- */
- if (b == 1 || A->n == 0) {
- *r = 0;
- return 0;
- }
-
- if (b == 2) {
- *r = A->p[0] & 1;
- return 0;
- }
-
- /*
- * general case
- */
- for (i = A->n, y = 0; i > 0; i--) {
- x = A->p[i - 1];
- y = (y << biH) | (x >> biH);
- z = y / b;
- y -= z * b;
-
- x <<= biH;
- y = (y << biH) | (x >> biH);
- z = y / b;
- y -= z * b;
- }
-
- /*
- * If A is negative, then the current y represents a negative value.
- * Flipping it to the positive side.
- */
- if (A->s < 0 && y != 0) {
- y = b - y;
- }
-
- *r = y;
-
- return 0;
-}
-
-static void mpi_montg_init(mbedtls_mpi_uint *mm, const mbedtls_mpi *N)
-{
- *mm = mbedtls_mpi_core_montmul_init(N->p);
-}
-
-/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
- *
- * \param[in,out] A One of the numbers to multiply.
- * It must have at least as many limbs as N
- * (A->n >= N->n), and any limbs beyond n are ignored.
- * On successful completion, A contains the result of
- * the multiplication A * B * R^-1 mod N where
- * R = (2^ciL)^n.
- * \param[in] B One of the numbers to multiply.
- * It must be nonzero and must not have more limbs than N
- * (B->n <= N->n).
- * \param[in] N The modulus. \p N must be odd.
- * \param mm The value calculated by `mpi_montg_init(&mm, N)`.
- * This is -N^-1 mod 2^ciL.
- * \param[in,out] T A bignum for temporary storage.
- * It must be at least twice the limb size of N plus 1
- * (T->n >= 2 * N->n + 1).
- * Its initial content is unused and
- * its final content is indeterminate.
- * It does not get reallocated.
- */
-static void mpi_montmul(mbedtls_mpi *A, const mbedtls_mpi *B,
- const mbedtls_mpi *N, mbedtls_mpi_uint mm,
- mbedtls_mpi *T)
-{
- mbedtls_mpi_core_montmul(A->p, A->p, B->p, B->n, N->p, N->n, mm, T->p);
-}
-
-/*
- * Montgomery reduction: A = A * R^-1 mod N
- *
- * See mpi_montmul() regarding constraints and guarantees on the parameters.
- */
-static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
- mbedtls_mpi_uint mm, mbedtls_mpi *T)
-{
- mbedtls_mpi_uint z = 1;
- mbedtls_mpi U;
- U.n = 1;
- U.s = 1;
- U.p = &z;
-
- mpi_montmul(A, &U, N, mm, T);
-}
-
-/**
- * Select an MPI from a table without leaking the index.
- *
- * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
- * reads the entire table in order to avoid leaking the value of idx to an
- * attacker able to observe memory access patterns.
- *
- * \param[out] R Where to write the selected MPI.
- * \param[in] T The table to read from.
- * \param[in] T_size The number of elements in the table.
- * \param[in] idx The index of the element to select;
- * this must satisfy 0 <= idx < T_size.
- *
- * \return \c 0 on success, or a negative error code.
- */
-static int mpi_select(mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- for (size_t i = 0; i < T_size; i++) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(R, &T[i],
- (unsigned char) mbedtls_ct_uint_eq(i, idx)));
- }
-cleanup:
- return ret;
-}
-
-/*
- * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
- */
-int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *E, const mbedtls_mpi *N,
- mbedtls_mpi *prec_RR)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t window_bitsize;
- size_t i, j, nblimbs;
- size_t bufsize, nbits;
- size_t exponent_bits_in_window = 0;
- mbedtls_mpi_uint ei, mm, state;
- mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
- int neg;
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(E != NULL);
- MPI_VALIDATE_RET(N != NULL);
-
- if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (mbedtls_mpi_cmp_int(E, 0) < 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
- mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- /*
- * Init temps and window size
- */
- mpi_montg_init(&mm, N);
- mbedtls_mpi_init(&RR); mbedtls_mpi_init(&T);
- mbedtls_mpi_init(&Apos);
- mbedtls_mpi_init(&WW);
- memset(W, 0, sizeof(W));
-
- i = mbedtls_mpi_bitlen(E);
-
- window_bitsize = (i > 671) ? 6 : (i > 239) ? 5 :
- (i > 79) ? 4 : (i > 23) ? 3 : 1;
-
-#if (MBEDTLS_MPI_WINDOW_SIZE < 6)
- if (window_bitsize > MBEDTLS_MPI_WINDOW_SIZE) {
- window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
- }
-#endif
-
- const size_t w_table_used_size = (size_t) 1 << window_bitsize;
-
- /*
- * This function is not constant-trace: its memory accesses depend on the
- * exponent value. To defend against timing attacks, callers (such as RSA
- * and DHM) should use exponent blinding. However this is not enough if the
- * adversary can find the exponent in a single trace, so this function
- * takes extra precautions against adversaries who can observe memory
- * access patterns.
- *
- * This function performs a series of multiplications by table elements and
- * squarings, and we want the prevent the adversary from finding out which
- * table element was used, and from distinguishing between multiplications
- * and squarings. Firstly, when multiplying by an element of the window
- * W[i], we do a constant-trace table lookup to obfuscate i. This leaves
- * squarings as having a different memory access patterns from other
- * multiplications. So secondly, we put the accumulator in the table as
- * well, and also do a constant-trace table lookup to multiply by the
- * accumulator which is W[x_index].
- *
- * This way, all multiplications take the form of a lookup-and-multiply.
- * The number of lookup-and-multiply operations inside each iteration of
- * the main loop still depends on the bits of the exponent, but since the
- * other operations in the loop don't have an easily recognizable memory
- * trace, an adversary is unlikely to be able to observe the exact
- * patterns.
- *
- * An adversary may still be able to recover the exponent if they can
- * observe both memory accesses and branches. However, branch prediction
- * exploitation typically requires many traces of execution over the same
- * data, which is defeated by randomized blinding.
- */
- const size_t x_index = 0;
- mbedtls_mpi_init(&W[x_index]);
-
- j = N->n + 1;
- /* All W[i] including the accumulator must have at least N->n limbs for
- * the mpi_montmul() and mpi_montred() calls later. Here we ensure that
- * W[1] and the accumulator W[x_index] are large enough. later we'll grow
- * other W[i] to the same length. They must not be shrunk midway through
- * this function!
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T, j * 2));
-
- /*
- * Compensate for negative A (and correct at the end)
- */
- neg = (A->s == -1);
- if (neg) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Apos, A));
- Apos.s = 1;
- A = &Apos;
- }
-
- /*
- * If 1st call, pre-compute R^2 mod N
- */
- if (prec_RR == NULL || prec_RR->p == NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&RR, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&RR, N->n * 2 * biL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&RR, &RR, N));
-
- if (prec_RR != NULL) {
- memcpy(prec_RR, &RR, sizeof(mbedtls_mpi));
- }
- } else {
- memcpy(&RR, prec_RR, sizeof(mbedtls_mpi));
- }
-
- /*
- * W[1] = A * R^2 * R^-1 mod N = A * R mod N
- */
- if (mbedtls_mpi_cmp_mpi(A, N) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&W[1], A, N));
- /* This should be a no-op because W[1] is already that large before
- * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
- * in mpi_montmul() below, so let's make sure. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], N->n + 1));
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[1], A));
- }
-
- /* Note that this is safe because W[1] always has at least N->n limbs
- * (it grew above and was preserved by mbedtls_mpi_copy()). */
- mpi_montmul(&W[1], &RR, N, mm, &T);
-
- /*
- * W[x_index] = R^2 * R^-1 mod N = R mod N
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], &RR));
- mpi_montred(&W[x_index], N, mm, &T);
-
-
- if (window_bitsize > 1) {
- /*
- * W[i] = W[1] ^ i
- *
- * The first bit of the sliding window is always 1 and therefore we
- * only need to store the second half of the table.
- *
- * (There are two special elements in the table: W[0] for the
- * accumulator/result and W[1] for A in Montgomery form. Both of these
- * are already set at this point.)
- */
- j = w_table_used_size / 2;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[j], N->n + 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[j], &W[1]));
-
- for (i = 0; i < window_bitsize - 1; i++) {
- mpi_montmul(&W[j], &W[j], N, mm, &T);
- }
-
- /*
- * W[i] = W[i - 1] * W[1]
- */
- for (i = j + 1; i < w_table_used_size; i++) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[i], N->n + 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[i], &W[i - 1]));
-
- mpi_montmul(&W[i], &W[1], N, mm, &T);
- }
- }
-
- nblimbs = E->n;
- bufsize = 0;
- nbits = 0;
- state = 0;
-
- while (1) {
- if (bufsize == 0) {
- if (nblimbs == 0) {
- break;
- }
-
- nblimbs--;
-
- bufsize = sizeof(mbedtls_mpi_uint) << 3;
- }
-
- bufsize--;
-
- ei = (E->p[nblimbs] >> bufsize) & 1;
-
- /*
- * skip leading 0s
- */
- if (ei == 0 && state == 0) {
- continue;
- }
-
- if (ei == 0 && state == 1) {
- /*
- * out of window, square W[x_index]
- */
- MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
- continue;
- }
-
- /*
- * add ei to current window
- */
- state = 2;
-
- nbits++;
- exponent_bits_in_window |= (ei << (window_bitsize - nbits));
-
- if (nbits == window_bitsize) {
- /*
- * W[x_index] = W[x_index]^window_bitsize R^-1 mod N
- */
- for (i = 0; i < window_bitsize; i++) {
- MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
- x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
- }
-
- /*
- * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
- */
- MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size,
- exponent_bits_in_window));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
-
- state--;
- nbits = 0;
- exponent_bits_in_window = 0;
- }
- }
-
- /*
- * process the remaining bits
- */
- for (i = 0; i < nbits; i++) {
- MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, x_index));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
-
- exponent_bits_in_window <<= 1;
-
- if ((exponent_bits_in_window & ((size_t) 1 << window_bitsize)) != 0) {
- MBEDTLS_MPI_CHK(mpi_select(&WW, W, w_table_used_size, 1));
- mpi_montmul(&W[x_index], &WW, N, mm, &T);
- }
- }
-
- /*
- * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
- */
- mpi_montred(&W[x_index], N, mm, &T);
-
- if (neg && E->n != 0 && (E->p[0] & 1) != 0) {
- W[x_index].s = -1;
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&W[x_index], N, &W[x_index]));
- }
-
- /*
- * Load the result in the output variable.
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index]));
-
-cleanup:
-
- /* The first bit of the sliding window is always 1 and therefore the first
- * half of the table was unused. */
- for (i = w_table_used_size/2; i < w_table_used_size; i++) {
- mbedtls_mpi_free(&W[i]);
- }
-
- mbedtls_mpi_free(&W[x_index]);
- mbedtls_mpi_free(&W[1]);
- mbedtls_mpi_free(&T);
- mbedtls_mpi_free(&Apos);
- mbedtls_mpi_free(&WW);
-
- if (prec_RR == NULL || prec_RR->p == NULL) {
- mbedtls_mpi_free(&RR);
- }
-
- return ret;
-}
-
-/*
- * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
- */
-int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t lz, lzt;
- mbedtls_mpi TA, TB;
-
- MPI_VALIDATE_RET(G != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(B != NULL);
-
- mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
-
- lz = mbedtls_mpi_lsb(&TA);
- lzt = mbedtls_mpi_lsb(&TB);
-
- /* The loop below gives the correct result when A==0 but not when B==0.
- * So have a special case for B==0. Leverage the fact that we just
- * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
- * slightly more efficient than cmp_int(). */
- if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
- ret = mbedtls_mpi_copy(G, A);
- goto cleanup;
- }
-
- if (lzt < lz) {
- lz = lzt;
- }
-
- TA.s = TB.s = 1;
-
- /* We mostly follow the procedure described in HAC 14.54, but with some
- * minor differences:
- * - Sequences of multiplications or divisions by 2 are grouped into a
- * single shift operation.
- * - The procedure in HAC assumes that 0 < TB <= TA.
- * - The condition TB <= TA is not actually necessary for correctness.
- * TA and TB have symmetric roles except for the loop termination
- * condition, and the shifts at the beginning of the loop body
- * remove any significance from the ordering of TA vs TB before
- * the shifts.
- * - If TA = 0, the loop goes through 0 iterations and the result is
- * correctly TB.
- * - The case TB = 0 was short-circuited above.
- *
- * For the correctness proof below, decompose the original values of
- * A and B as
- * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
- * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
- * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
- * and gcd(A',B') is odd or 0.
- *
- * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
- * The code maintains the following invariant:
- * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
- */
-
- /* Proof that the loop terminates:
- * At each iteration, either the right-shift by 1 is made on a nonzero
- * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
- * by at least 1, or the right-shift by 1 is made on zero and then
- * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
- * since in that case TB is calculated from TB-TA with the condition TB>TA).
- */
- while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
- /* Divisions by 2 preserve the invariant (I). */
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
-
- /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
- * TA-TB is even so the division by 2 has an integer result.
- * Invariant (I) is preserved since any odd divisor of both TA and TB
- * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
- * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also
- * divides TA.
- */
- if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
- }
- /* Note that one of TA or TB is still odd. */
- }
-
- /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
- * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
- * - If there was at least one loop iteration, then one of TA or TB is odd,
- * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
- * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
- * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
- * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
- */
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
-
-cleanup:
-
- mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
-
- return ret;
-}
-
-/*
- * Fill X with size bytes of random.
- * The bytes returned from the RNG are used in a specific order which
- * is suitable for deterministic ECDSA (see the specification of
- * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
- */
-int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const size_t limbs = CHARS_TO_LIMBS(size);
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
- /* Ensure that target MPI has exactly the necessary number of limbs */
- MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
- if (size == 0) {
- return 0;
- }
-
- ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
-
-cleanup:
- return ret;
-}
-
-int mbedtls_mpi_random(mbedtls_mpi *X,
- mbedtls_mpi_sint min,
- const mbedtls_mpi *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- if (min < 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
- if (mbedtls_mpi_cmp_int(N, min) <= 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- /* Ensure that target MPI has exactly the same number of limbs
- * as the upper bound, even if the upper bound has leading zeros.
- * This is necessary for mbedtls_mpi_core_random. */
- int ret = mbedtls_mpi_resize_clear(X, N->n);
- if (ret != 0) {
- return ret;
- }
-
- return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
-}
-
-/*
- * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
- */
-int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(A != NULL);
- MPI_VALIDATE_RET(N != NULL);
-
- if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
- mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
- mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
-
- if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
- ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
-
- do {
- while ((TU.p[0] & 1) == 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
-
- if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
- }
-
- while ((TV.p[0] & 1) == 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
-
- if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
- }
-
- if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
- } else {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
- }
- } while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
-
- while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
- }
-
- while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
-
-cleanup:
-
- mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
- mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
- mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
-
- return ret;
-}
-
-#if defined(MBEDTLS_GENPRIME)
-
-/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
-static const unsigned char small_prime_gaps[] = {
- 2, 2, 4, 2, 4, 2, 4, 6,
- 2, 6, 4, 2, 4, 6, 6, 2,
- 6, 4, 2, 6, 4, 6, 8, 4,
- 2, 4, 2, 4, 14, 4, 6, 2,
- 10, 2, 6, 6, 4, 6, 6, 2,
- 10, 2, 4, 2, 12, 12, 4, 2,
- 4, 6, 2, 10, 6, 6, 6, 2,
- 6, 4, 2, 10, 14, 4, 2, 4,
- 14, 6, 10, 2, 4, 6, 8, 6,
- 6, 4, 6, 8, 4, 8, 10, 2,
- 10, 2, 6, 4, 6, 8, 4, 2,
- 4, 12, 8, 4, 8, 4, 6, 12,
- 2, 18, 6, 10, 6, 6, 2, 6,
- 10, 6, 6, 2, 6, 6, 4, 2,
- 12, 10, 2, 4, 6, 6, 2, 12,
- 4, 6, 8, 10, 8, 10, 8, 6,
- 6, 4, 8, 6, 4, 8, 4, 14,
- 10, 12, 2, 10, 2, 4, 2, 10,
- 14, 4, 2, 4, 14, 4, 2, 4,
- 20, 4, 8, 10, 8, 4, 6, 6,
- 14, 4, 6, 6, 8, 6, /*reaches 997*/
- 0 /* the last entry is effectively unused */
-};
-
-/*
- * Small divisors test (X must be positive)
- *
- * Return values:
- * 0: no small factor (possible prime, more tests needed)
- * 1: certain prime
- * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
- * other negative: error
- */
-static int mpi_check_small_factors(const mbedtls_mpi *X)
-{
- int ret = 0;
- size_t i;
- mbedtls_mpi_uint r;
- unsigned p = 3; /* The first odd prime */
-
- if ((X->p[0] & 1) == 0) {
- return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- }
-
- for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
- if (r == 0) {
- if (mbedtls_mpi_cmp_int(X, p) == 0) {
- return 1;
- } else {
- return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- }
- }
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Miller-Rabin pseudo-primality test (HAC 4.24)
- */
-static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret, count;
- size_t i, j, k, s;
- mbedtls_mpi W, R, T, A, RR;
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
- mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
- mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
- mbedtls_mpi_init(&RR);
-
- /*
- * W = |X| - 1
- * R = W >> lsb( W )
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
- s = mbedtls_mpi_lsb(&W);
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
-
- for (i = 0; i < rounds; i++) {
- /*
- * pick a random A, 1 < A < |X| - 1
- */
- count = 0;
- do {
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
-
- j = mbedtls_mpi_bitlen(&A);
- k = mbedtls_mpi_bitlen(&W);
- if (j > k) {
- A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
- }
-
- if (count++ > 30) {
- ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- goto cleanup;
- }
-
- } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
- mbedtls_mpi_cmp_int(&A, 1) <= 0);
-
- /*
- * A = A^R mod |X|
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
-
- if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||
- mbedtls_mpi_cmp_int(&A, 1) == 0) {
- continue;
- }
-
- j = 1;
- while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
- /*
- * A = A * A mod |X|
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
-
- if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
- break;
- }
-
- j++;
- }
-
- /*
- * not prime if A != |X| - 1 or A == 1
- */
- if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||
- mbedtls_mpi_cmp_int(&A, 1) == 0) {
- ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- break;
- }
- }
-
-cleanup:
- mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
- mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
- mbedtls_mpi_free(&RR);
-
- return ret;
-}
-
-/*
- * Pseudo-primality test: small factors, then Miller-Rabin
- */
-int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi XX;
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
- XX.s = 1;
- XX.n = X->n;
- XX.p = X->p;
-
- if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||
- mbedtls_mpi_cmp_int(&XX, 1) == 0) {
- return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- }
-
- if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
- return 0;
- }
-
- if ((ret = mpi_check_small_factors(&XX)) != 0) {
- if (ret == 1) {
- return 0;
- }
-
- return ret;
- }
-
- return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
-}
-
-/*
- * Prime number generation
- *
- * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
- * be either 1024 bits or 1536 bits long, and flags must contain
- * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
- */
-int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
-#ifdef MBEDTLS_HAVE_INT64
-// ceil(2^63.5)
-#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
-#else
-// ceil(2^31.5)
-#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
-#endif
- int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- size_t k, n;
- int rounds;
- mbedtls_mpi_uint r;
- mbedtls_mpi Y;
-
- MPI_VALIDATE_RET(X != NULL);
- MPI_VALIDATE_RET(f_rng != NULL);
-
- if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&Y);
-
- n = BITS_TO_LIMBS(nbits);
-
- if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
- /*
- * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
- */
- rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
- (nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
- (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
- } else {
- /*
- * 2^-100 error probability, number of rounds computed based on HAC,
- * fact 4.48
- */
- rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
- (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
- (nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
- (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
- }
-
- while (1) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
- /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
- if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
- continue;
- }
-
- k = n * biL;
- if (k > nbits) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
- }
- X->p[0] |= 1;
-
- if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
- ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
-
- if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- goto cleanup;
- }
- } else {
- /*
- * A necessary condition for Y and X = 2Y + 1 to be prime
- * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
- * Make sure it is satisfied, while keeping X = 3 mod 4
- */
-
- X->p[0] |= 2;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
- if (r == 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
- } else if (r == 1) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
- }
-
- /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
-
- while (1) {
- /*
- * First, check small factors for X and Y
- * before doing Miller-Rabin on any of them
- */
- if ((ret = mpi_check_small_factors(X)) == 0 &&
- (ret = mpi_check_small_factors(&Y)) == 0 &&
- (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
- == 0 &&
- (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
- == 0) {
- goto cleanup;
- }
-
- if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- goto cleanup;
- }
-
- /*
- * Next candidates. We want to preserve Y = (X-1) / 2 and
- * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
- * so up Y by 6 and X by 12.
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
- }
- }
- }
-
-cleanup:
-
- mbedtls_mpi_free(&Y);
-
- return ret;
-}
-
-#endif /* MBEDTLS_GENPRIME */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#define GCD_PAIR_COUNT 3
-
-static const int gcd_pairs[GCD_PAIR_COUNT][3] =
-{
- { 693, 609, 21 },
- { 1764, 868, 28 },
- { 768454923, 542167814, 1 }
-};
-
-/*
- * Checkup routine
- */
-int mbedtls_mpi_self_test(int verbose)
-{
- int ret, i;
- mbedtls_mpi A, E, N, X, Y, U, V;
-
- mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
- mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
- "EFE021C2645FD1DC586E69184AF4A31E" \
- "D5F53E93B5F123FA41680867BA110131" \
- "944FE7952E2517337780CB0DB80E61AA" \
- "E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
- "B2E7EFD37075B9F03FF989C7C5051C20" \
- "34D2A323810251127E7BF8625A4F49A5" \
- "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
- "5B5C25763222FEFCCFC38B832366C29E"));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
- "0066A198186C18C10B2F5ED9B522752A" \
- "9830B69916E535C8F047518A889A43A5" \
- "94B6BED27A168D31D4A52F88925AA8F5"));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
- "602AB7ECA597A3D6B56FF9829A5E8B85" \
- "9E857EA95A03512E2BAE7391688D264A" \
- "A5663B0341DB9CCFD2C4C5F421FEC814" \
- "8001B72E848A38CAE1C65F78E56ABDEF" \
- "E12D3C039B8A02D6BE593F0BBBDA56F1" \
- "ECF677152EF804370C1A305CAF3B5BF1" \
- "30879B56C61DE584A0F53A2447A51E"));
-
- if (verbose != 0) {
- mbedtls_printf(" MPI test #1 (mul_mpi): ");
- }
-
- if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
- "256567336059E52CAE22925474705F39A94"));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
- "6613F26162223DF488E9CD48CC132C7A" \
- "0AC93C701B001B092E4E5B9F73BCD27B" \
- "9EE50D0657C77F374E903CDFA4C642"));
-
- if (verbose != 0) {
- mbedtls_printf(" MPI test #2 (div_mpi): ");
- }
-
- if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||
- mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
- "36E139AEA55215609D2816998ED020BB" \
- "BD96C37890F65171D948E9BC7CBAA4D9" \
- "325D24D6A3C12710F10A09FA08AB87"));
-
- if (verbose != 0) {
- mbedtls_printf(" MPI test #3 (exp_mod): ");
- }
-
- if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
- "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
- "C3DBA76456363A10869622EAC2DD84EC" \
- "C5B8A74DAC4D09E03B5E0BE779F2DF61"));
-
- if (verbose != 0) {
- mbedtls_printf(" MPI test #4 (inv_mod): ");
- }
-
- if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf(" MPI test #5 (simple gcd): ");
- }
-
- for (i = 0; i < GCD_PAIR_COUNT; i++) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
-
- if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed at %d\n", i);
- }
-
- ret = 1;
- goto cleanup;
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-cleanup:
-
- if (ret != 0 && verbose != 0) {
- mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
- }
-
- mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
- mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_BIGNUM_C */
diff --git a/library/bignum_core.c b/library/bignum_core.c
deleted file mode 100644
index dbf6d1d..0000000
--- a/library/bignum_core.c
+++ /dev/null
@@ -1,906 +0,0 @@
-/*
- * Core bignum functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-#include <string.h>
-
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-#include "constant_time_internal.h"
-
-#include "mbedtls/platform.h"
-
-#include "bignum_core.h"
-#include "bn_mul.h"
-#include "constant_time_internal.h"
-
-size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
-{
-#if defined(__has_builtin)
-#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_clz)
- #define core_clz __builtin_clz
-#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_clzl)
- #define core_clz __builtin_clzl
-#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_clzll)
- #define core_clz __builtin_clzll
-#endif
-#endif
-#if defined(core_clz)
- return (size_t) core_clz(a);
-#else
- size_t j;
- mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
-
- for (j = 0; j < biL; j++) {
- if (a & mask) {
- break;
- }
-
- mask >>= 1;
- }
-
- return j;
-#endif
-}
-
-size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs)
-{
- int i;
- size_t j;
-
- for (i = ((int) A_limbs) - 1; i >= 0; i--) {
- if (A[i] != 0) {
- j = biL - mbedtls_mpi_core_clz(A[i]);
- return (i * biL) + j;
- }
- }
-
- return 0;
-}
-
-static mbedtls_mpi_uint mpi_bigendian_to_host(mbedtls_mpi_uint a)
-{
- if (MBEDTLS_IS_BIG_ENDIAN) {
- /* Nothing to do on bigendian systems. */
- return a;
- } else {
-#if defined(MBEDTLS_HAVE_INT32)
- return (mbedtls_mpi_uint) MBEDTLS_BSWAP32(a);
-#elif defined(MBEDTLS_HAVE_INT64)
- return (mbedtls_mpi_uint) MBEDTLS_BSWAP64(a);
-#endif
- }
-}
-
-void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
- size_t A_limbs)
-{
- mbedtls_mpi_uint *cur_limb_left;
- mbedtls_mpi_uint *cur_limb_right;
- if (A_limbs == 0) {
- return;
- }
-
- /*
- * Traverse limbs and
- * - adapt byte-order in each limb
- * - swap the limbs themselves.
- * For that, simultaneously traverse the limbs from left to right
- * and from right to left, as long as the left index is not bigger
- * than the right index (it's not a problem if limbs is odd and the
- * indices coincide in the last iteration).
- */
- for (cur_limb_left = A, cur_limb_right = A + (A_limbs - 1);
- cur_limb_left <= cur_limb_right;
- cur_limb_left++, cur_limb_right--) {
- mbedtls_mpi_uint tmp;
- /* Note that if cur_limb_left == cur_limb_right,
- * this code effectively swaps the bytes only once. */
- tmp = mpi_bigendian_to_host(*cur_limb_left);
- *cur_limb_left = mpi_bigendian_to_host(*cur_limb_right);
- *cur_limb_right = tmp;
- }
-}
-
-/* Whether min <= A, in constant time.
- * A_limbs must be at least 1. */
-mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
- const mbedtls_mpi_uint *A,
- size_t A_limbs)
-{
- /* min <= least significant limb? */
- mbedtls_ct_condition_t min_le_lsl = mbedtls_ct_uint_ge(A[0], min);
-
- /* limbs other than the least significant one are all zero? */
- mbedtls_ct_condition_t msll_mask = MBEDTLS_CT_FALSE;
- for (size_t i = 1; i < A_limbs; i++) {
- msll_mask = mbedtls_ct_bool_or(msll_mask, mbedtls_ct_bool(A[i]));
- }
-
- /* min <= A iff the lowest limb of A is >= min or the other limbs
- * are not all zero. */
- return mbedtls_ct_bool_or(msll_mask, min_le_lsl);
-}
-
-mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs)
-{
- mbedtls_ct_condition_t ret = MBEDTLS_CT_FALSE, cond = MBEDTLS_CT_FALSE, done = MBEDTLS_CT_FALSE;
-
- for (size_t i = limbs; i > 0; i--) {
- /*
- * If B[i - 1] < A[i - 1] then A < B is false and the result must
- * remain 0.
- *
- * Again even if we can make a decision, we just mark the result and
- * the fact that we are done and continue looping.
- */
- cond = mbedtls_ct_uint_lt(B[i - 1], A[i - 1]);
- done = mbedtls_ct_bool_or(done, cond);
-
- /*
- * If A[i - 1] < B[i - 1] then A < B is true.
- *
- * Again even if we can make a decision, we just mark the result and
- * the fact that we are done and continue looping.
- */
- cond = mbedtls_ct_uint_lt(A[i - 1], B[i - 1]);
- ret = mbedtls_ct_bool_or(ret, mbedtls_ct_bool_and(cond, mbedtls_ct_bool_not(done)));
- done = mbedtls_ct_bool_or(done, cond);
- }
-
- /*
- * If all the limbs were equal, then the numbers are equal, A < B is false
- * and leaving the result 0 is correct.
- */
-
- return ret;
-}
-
-void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- size_t limbs,
- mbedtls_ct_condition_t assign)
-{
- if (X == A) {
- return;
- }
-
- /* This function is very performance-sensitive for RSA. For this reason
- * we have the loop below, instead of calling mbedtls_ct_memcpy_if
- * (this is more optimal since here we don't have to handle the case where
- * we copy awkwardly sized data).
- */
- for (size_t i = 0; i < limbs; i++) {
- X[i] = mbedtls_ct_mpi_uint_if(assign, A[i], X[i]);
- }
-}
-
-void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint *Y,
- size_t limbs,
- mbedtls_ct_condition_t swap)
-{
- if (X == Y) {
- return;
- }
-
- for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint tmp = X[i];
- X[i] = mbedtls_ct_mpi_uint_if(swap, Y[i], X[i]);
- Y[i] = mbedtls_ct_mpi_uint_if(swap, tmp, Y[i]);
- }
-}
-
-int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
- size_t X_limbs,
- const unsigned char *input,
- size_t input_length)
-{
- const size_t limbs = CHARS_TO_LIMBS(input_length);
-
- if (X_limbs < limbs) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
-
- if (X != NULL) {
- memset(X, 0, X_limbs * ciL);
-
- for (size_t i = 0; i < input_length; i++) {
- size_t offset = ((i % ciL) << 3);
- X[i / ciL] |= ((mbedtls_mpi_uint) input[i]) << offset;
- }
- }
-
- return 0;
-}
-
-int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
- size_t X_limbs,
- const unsigned char *input,
- size_t input_length)
-{
- const size_t limbs = CHARS_TO_LIMBS(input_length);
-
- if (X_limbs < limbs) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
-
- /* If X_limbs is 0, input_length must also be 0 (from previous test).
- * Nothing to do. */
- if (X_limbs == 0) {
- return 0;
- }
-
- memset(X, 0, X_limbs * ciL);
-
- /* memcpy() with (NULL, 0) is undefined behaviour */
- if (input_length != 0) {
- size_t overhead = (X_limbs * ciL) - input_length;
- unsigned char *Xp = (unsigned char *) X;
- memcpy(Xp + overhead, input, input_length);
- }
-
- mbedtls_mpi_core_bigendian_to_host(X, X_limbs);
-
- return 0;
-}
-
-int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
- size_t A_limbs,
- unsigned char *output,
- size_t output_length)
-{
- size_t stored_bytes = A_limbs * ciL;
- size_t bytes_to_copy;
-
- if (stored_bytes < output_length) {
- bytes_to_copy = stored_bytes;
- } else {
- bytes_to_copy = output_length;
-
- /* The output buffer is smaller than the allocated size of A.
- * However A may fit if its leading bytes are zero. */
- for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
- if (GET_BYTE(A, i) != 0) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
- }
- }
-
- for (size_t i = 0; i < bytes_to_copy; i++) {
- output[i] = GET_BYTE(A, i);
- }
-
- if (stored_bytes < output_length) {
- /* Write trailing 0 bytes */
- memset(output + stored_bytes, 0, output_length - stored_bytes);
- }
-
- return 0;
-}
-
-int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *X,
- size_t X_limbs,
- unsigned char *output,
- size_t output_length)
-{
- size_t stored_bytes;
- size_t bytes_to_copy;
- unsigned char *p;
-
- stored_bytes = X_limbs * ciL;
-
- if (stored_bytes < output_length) {
- /* There is enough space in the output buffer. Write initial
- * null bytes and record the position at which to start
- * writing the significant bytes. In this case, the execution
- * trace of this function does not depend on the value of the
- * number. */
- bytes_to_copy = stored_bytes;
- p = output + output_length - stored_bytes;
- memset(output, 0, output_length - stored_bytes);
- } else {
- /* The output buffer is smaller than the allocated size of X.
- * However X may fit if its leading bytes are zero. */
- bytes_to_copy = output_length;
- p = output;
- for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
- if (GET_BYTE(X, i) != 0) {
- return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
- }
- }
- }
-
- for (size_t i = 0; i < bytes_to_copy; i++) {
- p[bytes_to_copy - i - 1] = GET_BYTE(X, i);
- }
-
- return 0;
-}
-
-void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
- size_t count)
-{
- size_t i, v0, v1;
- mbedtls_mpi_uint r0 = 0, r1;
-
- v0 = count / biL;
- v1 = count & (biL - 1);
-
- if (v0 > limbs || (v0 == limbs && v1 > 0)) {
- memset(X, 0, limbs * ciL);
- return;
- }
-
- /*
- * shift by count / limb_size
- */
- if (v0 > 0) {
- for (i = 0; i < limbs - v0; i++) {
- X[i] = X[i + v0];
- }
-
- for (; i < limbs; i++) {
- X[i] = 0;
- }
- }
-
- /*
- * shift by count % limb_size
- */
- if (v1 > 0) {
- for (i = limbs; i > 0; i--) {
- r1 = X[i - 1] << (biL - v1);
- X[i - 1] >>= v1;
- X[i - 1] |= r0;
- r0 = r1;
- }
- }
-}
-
-void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
- size_t count)
-{
- size_t i, v0, v1;
- mbedtls_mpi_uint r0 = 0, r1;
-
- v0 = count / (biL);
- v1 = count & (biL - 1);
-
- /*
- * shift by count / limb_size
- */
- if (v0 > 0) {
- for (i = limbs; i > v0; i--) {
- X[i - 1] = X[i - v0 - 1];
- }
-
- for (; i > 0; i--) {
- X[i - 1] = 0;
- }
- }
-
- /*
- * shift by count % limb_size
- */
- if (v1 > 0) {
- for (i = v0; i < limbs; i++) {
- r1 = X[i] >> (biL - v1);
- X[i] <<= v1;
- X[i] |= r0;
- r0 = r1;
- }
- }
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs)
-{
- mbedtls_mpi_uint c = 0;
-
- for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint t = c + A[i];
- c = (t < A[i]);
- t += B[i];
- c += (t < B[i]);
- X[i] = t;
- }
-
- return c;
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- size_t limbs,
- unsigned cond)
-{
- mbedtls_mpi_uint c = 0;
-
- mbedtls_ct_condition_t do_add = mbedtls_ct_bool(cond);
-
- for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint add = mbedtls_ct_mpi_uint_if_else_0(do_add, A[i]);
- mbedtls_mpi_uint t = c + X[i];
- c = (t < X[i]);
- t += add;
- c += (t < add);
- X[i] = t;
- }
-
- return c;
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs)
-{
- mbedtls_mpi_uint c = 0;
-
- for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint z = (A[i] < c);
- mbedtls_mpi_uint t = A[i] - c;
- c = (t < B[i]) + z;
- X[i] = t - B[i];
- }
-
- return c;
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len,
- const mbedtls_mpi_uint *s, size_t s_len,
- mbedtls_mpi_uint b)
-{
- mbedtls_mpi_uint c = 0; /* carry */
- /*
- * It is a documented precondition of this function that d_len >= s_len.
- * If that's not the case, we swap these round: this turns what would be
- * a buffer overflow into an incorrect result.
- */
- if (d_len < s_len) {
- s_len = d_len;
- }
- size_t excess_len = d_len - s_len;
- size_t steps_x8 = s_len / 8;
- size_t steps_x1 = s_len & 7;
-
- while (steps_x8--) {
- MULADDC_X8_INIT
- MULADDC_X8_CORE
- MULADDC_X8_STOP
- }
-
- while (steps_x1--) {
- MULADDC_X1_INIT
- MULADDC_X1_CORE
- MULADDC_X1_STOP
- }
-
- while (excess_len--) {
- *d += c;
- c = (*d < c);
- d++;
- }
-
- return c;
-}
-
-void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A, size_t A_limbs,
- const mbedtls_mpi_uint *B, size_t B_limbs)
-{
- memset(X, 0, (A_limbs + B_limbs) * ciL);
-
- for (size_t i = 0; i < B_limbs; i++) {
- (void) mbedtls_mpi_core_mla(X + i, A_limbs + 1, A, A_limbs, B[i]);
- }
-}
-
-/*
- * Fast Montgomery initialization (thanks to Tom St Denis).
- */
-mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N)
-{
- mbedtls_mpi_uint x = N[0];
-
- x += ((N[0] + 2) & 4) << 1;
-
- for (unsigned int i = biL; i >= 8; i /= 2) {
- x *= (2 - (N[0] * x));
- }
-
- return ~x + 1;
-}
-
-void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t B_limbs,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- mbedtls_mpi_uint *T)
-{
- memset(T, 0, (2 * AN_limbs + 1) * ciL);
-
- for (size_t i = 0; i < AN_limbs; i++) {
- /* T = (T + u0*B + u1*N) / 2^biL */
- mbedtls_mpi_uint u0 = A[i];
- mbedtls_mpi_uint u1 = (T[0] + u0 * B[0]) * mm;
-
- (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, B, B_limbs, u0);
- (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, N, AN_limbs, u1);
-
- T++;
- }
-
- /*
- * The result we want is (T >= N) ? T - N : T.
- *
- * For better constant-time properties in this function, we always do the
- * subtraction, with the result in X.
- *
- * We also look to see if there was any carry in the final additions in the
- * loop above.
- */
-
- mbedtls_mpi_uint carry = T[AN_limbs];
- mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, T, N, AN_limbs);
-
- /*
- * Using R as the Montgomery radix (auxiliary modulus) i.e. 2^(biL*AN_limbs):
- *
- * T can be in one of 3 ranges:
- *
- * 1) T < N : (carry, borrow) = (0, 1): we want T
- * 2) N <= T < R : (carry, borrow) = (0, 0): we want X
- * 3) T >= R : (carry, borrow) = (1, 1): we want X
- *
- * and (carry, borrow) = (1, 0) can't happen.
- *
- * So the correct return value is already in X if (carry ^ borrow) = 0,
- * but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1.
- */
- mbedtls_ct_memcpy_if(mbedtls_ct_bool(carry ^ borrow),
- (unsigned char *) X,
- (unsigned char *) T,
- NULL,
- AN_limbs * sizeof(mbedtls_mpi_uint));
-}
-
-int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
- const mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, N->n * 2 * biL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(X, N->n));
-
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
- const mbedtls_mpi_uint *table,
- size_t limbs,
- size_t count,
- size_t index)
-{
- for (size_t i = 0; i < count; i++, table += limbs) {
- mbedtls_ct_condition_t assign = mbedtls_ct_uint_eq(i, index);
- mbedtls_mpi_core_cond_assign(dest, table, limbs, assign);
- }
-}
-
-/* Fill X with n_bytes random bytes.
- * X must already have room for those bytes.
- * The ordering of the bytes returned from the RNG is suitable for
- * deterministic ECDSA (see RFC 6979 §3.3 and the specification of
- * mbedtls_mpi_core_random()).
- */
-int mbedtls_mpi_core_fill_random(
- mbedtls_mpi_uint *X, size_t X_limbs,
- size_t n_bytes,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const size_t limbs = CHARS_TO_LIMBS(n_bytes);
- const size_t overhead = (limbs * ciL) - n_bytes;
-
- if (X_limbs < limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- memset(X, 0, overhead);
- memset((unsigned char *) X + limbs * ciL, 0, (X_limbs - limbs) * ciL);
- MBEDTLS_MPI_CHK(f_rng(p_rng, (unsigned char *) X + overhead, n_bytes));
- mbedtls_mpi_core_bigendian_to_host(X, limbs);
-
-cleanup:
- return ret;
-}
-
-int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_uint *N,
- size_t limbs,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- mbedtls_ct_condition_t ge_lower = MBEDTLS_CT_TRUE, lt_upper = MBEDTLS_CT_FALSE;
- size_t n_bits = mbedtls_mpi_core_bitlen(N, limbs);
- size_t n_bytes = (n_bits + 7) / 8;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /*
- * When min == 0, each try has at worst a probability 1/2 of failing
- * (the msb has a probability 1/2 of being 0, and then the result will
- * be < N), so after 30 tries failure probability is a most 2**(-30).
- *
- * When N is just below a power of 2, as is the case when generating
- * a random scalar on most elliptic curves, 1 try is enough with
- * overwhelming probability. When N is just above a power of 2,
- * as when generating a random scalar on secp224k1, each try has
- * a probability of failing that is almost 1/2.
- *
- * The probabilities are almost the same if min is nonzero but negligible
- * compared to N. This is always the case when N is crypto-sized, but
- * it's convenient to support small N for testing purposes. When N
- * is small, use a higher repeat count, otherwise the probability of
- * failure is macroscopic.
- */
- int count = (n_bytes > 4 ? 30 : 250);
-
- /*
- * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
- * when f_rng is a suitably parametrized instance of HMAC_DRBG:
- * - use the same byte ordering;
- * - keep the leftmost n_bits bits of the generated octet string;
- * - try until result is in the desired range.
- * This also avoids any bias, which is especially important for ECDSA.
- */
- do {
- MBEDTLS_MPI_CHK(mbedtls_mpi_core_fill_random(X, limbs,
- n_bytes,
- f_rng, p_rng));
- mbedtls_mpi_core_shift_r(X, limbs, 8 * n_bytes - n_bits);
-
- if (--count == 0) {
- ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
- goto cleanup;
- }
-
- ge_lower = mbedtls_mpi_core_uint_le_mpi(min, X, limbs);
- lt_upper = mbedtls_mpi_core_lt_ct(X, N, limbs);
- } while (mbedtls_ct_bool_and(ge_lower, lt_upper) == MBEDTLS_CT_FALSE);
-
-cleanup:
- return ret;
-}
-
-static size_t exp_mod_get_window_size(size_t Ebits)
-{
-#if MBEDTLS_MPI_WINDOW_SIZE >= 6
- return (Ebits > 671) ? 6 : (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
-#elif MBEDTLS_MPI_WINDOW_SIZE == 5
- return (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
-#elif MBEDTLS_MPI_WINDOW_SIZE > 1
- return (Ebits > 79) ? MBEDTLS_MPI_WINDOW_SIZE : 1;
-#else
- (void) Ebits;
- return 1;
-#endif
-}
-
-size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs)
-{
- const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
- const size_t welem = ((size_t) 1) << wsize;
-
- /* How big does each part of the working memory pool need to be? */
- const size_t table_limbs = welem * AN_limbs;
- const size_t select_limbs = AN_limbs;
- const size_t temp_limbs = 2 * AN_limbs + 1;
-
- return table_limbs + select_limbs + temp_limbs;
-}
-
-static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- const mbedtls_mpi_uint *RR,
- size_t welem,
- mbedtls_mpi_uint *Wtable,
- mbedtls_mpi_uint *temp)
-{
- /* W[0] = 1 (in Montgomery presentation) */
- memset(Wtable, 0, AN_limbs * ciL);
- Wtable[0] = 1;
- mbedtls_mpi_core_montmul(Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp);
-
- /* W[1] = A (already in Montgomery presentation) */
- mbedtls_mpi_uint *W1 = Wtable + AN_limbs;
- memcpy(W1, A, AN_limbs * ciL);
-
- /* W[i+1] = W[i] * W[1], i >= 2 */
- mbedtls_mpi_uint *Wprev = W1;
- for (size_t i = 2; i < welem; i++) {
- mbedtls_mpi_uint *Wcur = Wprev + AN_limbs;
- mbedtls_mpi_core_montmul(Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp);
- Wprev = Wcur;
- }
-}
-
-/* Exponentiation: X := A^E mod N.
- *
- * A must already be in Montgomery form.
- *
- * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
- *
- * RR must contain 2^{2*biL} mod N.
- *
- * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82
- * (The difference is that the body in our loop processes a single bit instead
- * of a full window.)
- */
-void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- const mbedtls_mpi_uint *E,
- size_t E_limbs,
- const mbedtls_mpi_uint *RR,
- mbedtls_mpi_uint *T)
-{
- const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
- const size_t welem = ((size_t) 1) << wsize;
-
- /* This is how we will use the temporary storage T, which must have space
- * for table_limbs, select_limbs and (2 * AN_limbs + 1) for montmul. */
- const size_t table_limbs = welem * AN_limbs;
- const size_t select_limbs = AN_limbs;
-
- /* Pointers to specific parts of the temporary working memory pool */
- mbedtls_mpi_uint *const Wtable = T;
- mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
- mbedtls_mpi_uint *const temp = Wselect + select_limbs;
-
- /*
- * Window precomputation
- */
-
- const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N);
-
- /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
- exp_mod_precompute_window(A, N, AN_limbs,
- mm, RR,
- welem, Wtable, temp);
-
- /*
- * Fixed window exponentiation
- */
-
- /* X = 1 (in Montgomery presentation) initially */
- memcpy(X, Wtable, AN_limbs * ciL);
-
- /* We'll process the bits of E from most significant
- * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
- * (limb_index=0, E_bit_index=0). */
- size_t E_limb_index = E_limbs;
- size_t E_bit_index = 0;
- /* At any given time, window contains window_bits bits from E.
- * window_bits can go up to wsize. */
- size_t window_bits = 0;
- mbedtls_mpi_uint window = 0;
-
- do {
- /* Square */
- mbedtls_mpi_core_montmul(X, X, X, AN_limbs, N, AN_limbs, mm, temp);
-
- /* Move to the next bit of the exponent */
- if (E_bit_index == 0) {
- --E_limb_index;
- E_bit_index = biL - 1;
- } else {
- --E_bit_index;
- }
- /* Insert next exponent bit into window */
- ++window_bits;
- window <<= 1;
- window |= (E[E_limb_index] >> E_bit_index) & 1;
-
- /* Clear window if it's full. Also clear the window at the end,
- * when we've finished processing the exponent. */
- if (window_bits == wsize ||
- (E_bit_index == 0 && E_limb_index == 0)) {
- /* Select Wtable[window] without leaking window through
- * memory access patterns. */
- mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
- AN_limbs, welem, window);
- /* Multiply X by the selected element. */
- mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm,
- temp);
- window = 0;
- window_bits = 0;
- }
- } while (!(E_bit_index == 0 && E_limb_index == 0));
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- mbedtls_mpi_uint c, /* doubles as carry */
- size_t limbs)
-{
- for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint s = A[i];
- mbedtls_mpi_uint t = s - c;
- c = (t > s);
- X[i] = t;
- }
-
- return c;
-}
-
-mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
- size_t limbs)
-{
- mbedtls_mpi_uint bits = 0;
-
- for (size_t i = 0; i < limbs; i++) {
- bits |= A[i];
- }
-
- return bits;
-}
-
-void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- const mbedtls_mpi_uint *rr,
- mbedtls_mpi_uint *T)
-{
- mbedtls_mpi_core_montmul(X, A, rr, AN_limbs, N, AN_limbs, mm, T);
-}
-
-void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- mbedtls_mpi_uint *T)
-{
- const mbedtls_mpi_uint Rinv = 1; /* 1/R in Mont. rep => 1 */
-
- mbedtls_mpi_core_montmul(X, A, &Rinv, 1, N, AN_limbs, mm, T);
-}
-
-#endif /* MBEDTLS_BIGNUM_C */
diff --git a/library/bignum_core.h b/library/bignum_core.h
deleted file mode 100644
index e5500f1..0000000
--- a/library/bignum_core.h
+++ /dev/null
@@ -1,775 +0,0 @@
-/**
- * Core bignum functions
- *
- * This interface should only be used by the legacy bignum module (bignum.h)
- * and the modular bignum modules (bignum_mod.c, bignum_mod_raw.c). All other
- * modules should use the high-level modular bignum interface (bignum_mod.h)
- * or the legacy bignum interface (bignum.h).
- *
- * This module is about processing non-negative integers with a fixed upper
- * bound that's of the form 2^n-1 where n is a multiple of #biL.
- * These can be thought of integers written in base 2^#biL with a fixed
- * number of digits. Digits in this base are called *limbs*.
- * Many operations treat these numbers as the principal representation of
- * a number modulo 2^n or a smaller bound.
- *
- * The functions in this module obey the following conventions unless
- * explicitly indicated otherwise:
- *
- * - **Overflow**: some functions indicate overflow from the range
- * [0, 2^n-1] by returning carry parameters, while others operate
- * modulo and so cannot overflow. This should be clear from the function
- * documentation.
- * - **Bignum parameters**: Bignums are passed as pointers to an array of
- * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
- * - Bignum parameters called \p A, \p B, ... are inputs, and are
- * not modified by the function.
- * - For operations modulo some number, the modulus is called \p N
- * and is input-only.
- * - Bignum parameters called \p X, \p Y are outputs or input-output.
- * The initial content of output-only parameters is ignored.
- * - Some functions use different names that reflect traditional
- * naming of operands of certain operations (e.g.
- * divisor/dividend/quotient/remainder).
- * - \p T is a temporary storage area. The initial content of such
- * parameter is ignored and the final content is unspecified.
- * - **Bignum sizes**: bignum sizes are always expressed in limbs.
- * Most functions work on bignums of a given size and take a single
- * \p limbs parameter that applies to all parameters that are limb arrays.
- * All bignum sizes must be at least 1 and must be significantly less than
- * #SIZE_MAX. The behavior if a size is 0 is undefined. The behavior if the
- * total size of all parameters overflows #SIZE_MAX is undefined.
- * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
- * Temporaries come last.
- * - **Aliasing**: in general, output bignums may be aliased to one or more
- * inputs. As an exception, parameters that are documented as a modulus value
- * may not be aliased to an output. Outputs may not be aliased to one another.
- * Temporaries may not be aliased to any other parameter.
- * - **Overlap**: apart from aliasing of limb array pointers (where two
- * arguments are equal pointers), overlap is not supported and may result
- * in undefined behavior.
- * - **Error handling**: This is a low-level module. Functions generally do not
- * try to protect against invalid arguments such as nonsensical sizes or
- * null pointers. Note that some functions that operate on bignums of
- * different sizes have constraints about their size, and violating those
- * constraints may lead to buffer overflows.
- * - **Modular representatives**: functions that operate modulo \p N expect
- * all modular inputs to be in the range [0, \p N - 1] and guarantee outputs
- * in the range [0, \p N - 1]. If an input is out of range, outputs are
- * fully unspecified, though bignum values out of range should not cause
- * buffer overflows (beware that this is not extensively tested).
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_BIGNUM_CORE_H
-#define MBEDTLS_BIGNUM_CORE_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-#include "constant_time_internal.h"
-
-#define ciL (sizeof(mbedtls_mpi_uint)) /** chars in limb */
-#define biL (ciL << 3) /** bits in limb */
-#define biH (ciL << 2) /** half limb size */
-
-/*
- * Convert between bits/chars and number of limbs
- * Divide first in order to avoid potential overflows
- */
-#define BITS_TO_LIMBS(i) ((i) / biL + ((i) % biL != 0))
-#define CHARS_TO_LIMBS(i) ((i) / ciL + ((i) % ciL != 0))
-/* Get a specific byte, without range checks. */
-#define GET_BYTE(X, i) \
- (((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
-
-/** Count leading zero bits in a given integer.
- *
- * \warning The result is undefined if \p a == 0
- *
- * \param a Integer to count leading zero bits.
- *
- * \return The number of leading zero bits in \p a, if \p a != 0.
- * If \p a == 0, the result is undefined.
- */
-size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a);
-
-/** Return the minimum number of bits required to represent the value held
- * in the MPI.
- *
- * \note This function returns 0 if all the limbs of \p A are 0.
- *
- * \param[in] A The address of the MPI.
- * \param A_limbs The number of limbs of \p A.
- *
- * \return The number of bits in \p A.
- */
-size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs);
-
-/** Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
- * into the storage form used by mbedtls_mpi.
- *
- * \param[in,out] A The address of the MPI.
- * \param A_limbs The number of limbs of \p A.
- */
-void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
- size_t A_limbs);
-
-/** \brief Compare a machine integer with an MPI.
- *
- * This function operates in constant time with respect
- * to the values of \p min and \p A.
- *
- * \param min A machine integer.
- * \param[in] A An MPI.
- * \param A_limbs The number of limbs of \p A.
- * This must be at least 1.
- *
- * \return MBEDTLS_CT_TRUE if \p min is less than or equal to \p A, otherwise MBEDTLS_CT_FALSE.
- */
-mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
- const mbedtls_mpi_uint *A,
- size_t A_limbs);
-
-/**
- * \brief Check if one unsigned MPI is less than another in constant
- * time.
- *
- * \param A The left-hand MPI. This must point to an array of limbs
- * with the same allocated length as \p B.
- * \param B The right-hand MPI. This must point to an array of limbs
- * with the same allocated length as \p A.
- * \param limbs The number of limbs in \p A and \p B.
- * This must not be 0.
- *
- * \return MBEDTLS_CT_TRUE if \p A is less than \p B.
- * MBEDTLS_CT_FALSE if \p A is greater than or equal to \p B.
- */
-mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs);
-
-/**
- * \brief Perform a safe conditional copy of an MPI which doesn't reveal
- * whether assignment was done or not.
- *
- * \param[out] X The address of the destination MPI.
- * This must be initialized. Must have enough limbs to
- * store the full value of \p A.
- * \param[in] A The address of the source MPI. This must be initialized.
- * \param limbs The number of limbs of \p A.
- * \param assign The condition deciding whether to perform the
- * assignment or not. Callers will need to use
- * the constant time interface (e.g. `mbedtls_ct_bool()`)
- * to construct this argument.
- *
- * \note This function avoids leaking any information about whether
- * the assignment was done or not.
- */
-void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- size_t limbs,
- mbedtls_ct_condition_t assign);
-
-/**
- * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
- * whether the swap was done or not.
- *
- * \param[in,out] X The address of the first MPI.
- * This must be initialized.
- * \param[in,out] Y The address of the second MPI.
- * This must be initialized.
- * \param limbs The number of limbs of \p X and \p Y.
- * \param swap The condition deciding whether to perform
- * the swap or not.
- *
- * \note This function avoids leaking any information about whether
- * the swap was done or not.
- */
-void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint *Y,
- size_t limbs,
- mbedtls_ct_condition_t swap);
-
-/** Import X from unsigned binary data, little-endian.
- *
- * The MPI needs to have enough limbs to store the full value (including any
- * most significant zero bytes in the input).
- *
- * \param[out] X The address of the MPI.
- * \param X_limbs The number of limbs of \p X.
- * \param[in] input The input buffer to import from.
- * \param input_length The length bytes of \p input.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
- * large enough to hold the value in \p input.
- */
-int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
- size_t X_limbs,
- const unsigned char *input,
- size_t input_length);
-
-/** Import X from unsigned binary data, big-endian.
- *
- * The MPI needs to have enough limbs to store the full value (including any
- * most significant zero bytes in the input).
- *
- * \param[out] X The address of the MPI.
- * May only be #NULL if \p X_limbs is 0 and \p input_length
- * is 0.
- * \param X_limbs The number of limbs of \p X.
- * \param[in] input The input buffer to import from.
- * May only be #NULL if \p input_length is 0.
- * \param input_length The length in bytes of \p input.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
- * large enough to hold the value in \p input.
- */
-int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
- size_t X_limbs,
- const unsigned char *input,
- size_t input_length);
-
-/** Export A into unsigned binary data, little-endian.
- *
- * \note If \p output is shorter than \p A the export is still successful if the
- * value held in \p A fits in the buffer (that is, if enough of the most
- * significant bytes of \p A are 0).
- *
- * \param[in] A The address of the MPI.
- * \param A_limbs The number of limbs of \p A.
- * \param[out] output The output buffer to export to.
- * \param output_length The length in bytes of \p output.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
- * large enough to hold the value of \p A.
- */
-int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
- size_t A_limbs,
- unsigned char *output,
- size_t output_length);
-
-/** Export A into unsigned binary data, big-endian.
- *
- * \note If \p output is shorter than \p A the export is still successful if the
- * value held in \p A fits in the buffer (that is, if enough of the most
- * significant bytes of \p A are 0).
- *
- * \param[in] A The address of the MPI.
- * \param A_limbs The number of limbs of \p A.
- * \param[out] output The output buffer to export to.
- * \param output_length The length in bytes of \p output.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
- * large enough to hold the value of \p A.
- */
-int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
- size_t A_limbs,
- unsigned char *output,
- size_t output_length);
-
-/** \brief Shift an MPI in-place right by a number of bits.
- *
- * Shifting by more bits than there are bit positions
- * in \p X is valid and results in setting \p X to 0.
- *
- * This function's execution time depends on the value
- * of \p count (and of course \p limbs).
- *
- * \param[in,out] X The number to shift.
- * \param limbs The number of limbs of \p X. This must be at least 1.
- * \param count The number of bits to shift by.
- */
-void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
- size_t count);
-
-/**
- * \brief Shift an MPI in-place left by a number of bits.
- *
- * Shifting by more bits than there are bit positions
- * in \p X will produce an unspecified result.
- *
- * This function's execution time depends on the value
- * of \p count (and of course \p limbs).
- * \param[in,out] X The number to shift.
- * \param limbs The number of limbs of \p X. This must be at least 1.
- * \param count The number of bits to shift by.
- */
-void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
- size_t count);
-
-/**
- * \brief Add two fixed-size large unsigned integers, returning the carry.
- *
- * Calculates `A + B` where `A` and `B` have the same size.
- *
- * This function operates modulo `2^(biL*limbs)` and returns the carry
- * (1 if there was a wraparound, and 0 otherwise).
- *
- * \p X may be aliased to \p A or \p B.
- *
- * \param[out] X The result of the addition.
- * \param[in] A Little-endian presentation of the left operand.
- * \param[in] B Little-endian presentation of the right operand.
- * \param limbs Number of limbs of \p X, \p A and \p B.
- *
- * \return 1 if `A + B >= 2^(biL*limbs)`, 0 otherwise.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs);
-
-/**
- * \brief Conditional addition of two fixed-size large unsigned integers,
- * returning the carry.
- *
- * Functionally equivalent to
- *
- * ```
- * if( cond )
- * X += A;
- * return carry;
- * ```
- *
- * This function operates modulo `2^(biL*limbs)`.
- *
- * \param[in,out] X The pointer to the (little-endian) array
- * representing the bignum to accumulate onto.
- * \param[in] A The pointer to the (little-endian) array
- * representing the bignum to conditionally add
- * to \p X. This may be aliased to \p X but may not
- * overlap otherwise.
- * \param limbs Number of limbs of \p X and \p A.
- * \param cond Condition bit dictating whether addition should
- * happen or not. This must be \c 0 or \c 1.
- *
- * \warning If \p cond is neither 0 nor 1, the result of this function
- * is unspecified, and the resulting value in \p X might be
- * neither its original value nor \p X + \p A.
- *
- * \return 1 if `X + cond * A >= 2^(biL*limbs)`, 0 otherwise.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- size_t limbs,
- unsigned cond);
-
-/**
- * \brief Subtract two fixed-size large unsigned integers, returning the borrow.
- *
- * Calculate `A - B` where \p A and \p B have the same size.
- * This function operates modulo `2^(biL*limbs)` and returns the carry
- * (1 if there was a wraparound, i.e. if `A < B`, and 0 otherwise).
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise.
- *
- * \param[out] X The result of the subtraction.
- * \param[in] A Little-endian presentation of left operand.
- * \param[in] B Little-endian presentation of right operand.
- * \param limbs Number of limbs of \p X, \p A and \p B.
- *
- * \return 1 if `A < B`.
- * 0 if `A >= B`.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- size_t limbs);
-
-/**
- * \brief Perform a fixed-size multiply accumulate operation: X += b * A
- *
- * \p X may be aliased to \p A (when \p X_limbs == \p A_limbs), but may not
- * otherwise overlap.
- *
- * This function operates modulo `2^(biL*X_limbs)`.
- *
- * \param[in,out] X The pointer to the (little-endian) array
- * representing the bignum to accumulate onto.
- * \param X_limbs The number of limbs of \p X. This must be
- * at least \p A_limbs.
- * \param[in] A The pointer to the (little-endian) array
- * representing the bignum to multiply with.
- * This may be aliased to \p X but may not overlap
- * otherwise.
- * \param A_limbs The number of limbs of \p A.
- * \param b X scalar to multiply with.
- *
- * \return The carry at the end of the operation.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *X, size_t X_limbs,
- const mbedtls_mpi_uint *A, size_t A_limbs,
- mbedtls_mpi_uint b);
-
-/**
- * \brief Perform a known-size multiplication
- *
- * \p X may not be aliased to any of the inputs for this function.
- * \p A may be aliased to \p B.
- *
- * \param[out] X The pointer to the (little-endian) array to receive
- * the product of \p A_limbs and \p B_limbs.
- * This must be of length \p A_limbs + \p B_limbs.
- * \param[in] A The pointer to the (little-endian) array
- * representing the first factor.
- * \param A_limbs The number of limbs in \p A.
- * \param[in] B The pointer to the (little-endian) array
- * representing the second factor.
- * \param B_limbs The number of limbs in \p B.
- */
-void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A, size_t A_limbs,
- const mbedtls_mpi_uint *B, size_t B_limbs);
-
-/**
- * \brief Calculate initialisation value for fast Montgomery modular
- * multiplication
- *
- * \param[in] N Little-endian presentation of the modulus. This must have
- * at least one limb.
- *
- * \return The initialisation value for fast Montgomery modular multiplication
- */
-mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N);
-
-/**
- * \brief Montgomery multiplication: X = A * B * R^-1 mod N (HAC 14.36)
- *
- * \p A and \p B must be in canonical form. That is, < \p N.
- *
- * \p X may be aliased to \p A or \p N, or even \p B (if \p AN_limbs ==
- * \p B_limbs) but may not overlap any parameters otherwise.
- *
- * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may
- * not alias \p N (since they must be in canonical form, they cannot == \p N).
- *
- * \param[out] X The destination MPI, as a little-endian array of
- * length \p AN_limbs.
- * On successful completion, X contains the result of
- * the multiplication `A * B * R^-1` mod N where
- * `R = 2^(biL*AN_limbs)`.
- * \param[in] A Little-endian presentation of first operand.
- * Must have the same number of limbs as \p N.
- * \param[in] B Little-endian presentation of second operand.
- * \param[in] B_limbs The number of limbs in \p B.
- * Must be <= \p AN_limbs.
- * \param[in] N Little-endian presentation of the modulus.
- * This must be odd, and have exactly the same number
- * of limbs as \p A.
- * It may alias \p X, but must not alias or otherwise
- * overlap any of the other parameters.
- * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
- * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
- * This can be calculated by `mbedtls_mpi_core_montmul_init()`.
- * \param[in,out] T Temporary storage of size at least 2*AN_limbs+1 limbs.
- * Its initial content is unused and
- * its final content is indeterminate.
- * It must not alias or otherwise overlap any of the
- * other parameters.
- */
-void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B, size_t B_limbs,
- const mbedtls_mpi_uint *N, size_t AN_limbs,
- mbedtls_mpi_uint mm, mbedtls_mpi_uint *T);
-
-/**
- * \brief Calculate the square of the Montgomery constant. (Needed
- * for conversion and operations in Montgomery form.)
- *
- * \param[out] X A pointer to the result of the calculation of
- * the square of the Montgomery constant:
- * 2^{2*n*biL} mod N.
- * \param[in] N Little-endian presentation of the modulus, which must be odd.
- *
- * \return 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if there is not enough space
- * to store the value of Montgomery constant squared.
- * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p N modulus is zero.
- * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p N modulus is negative.
- */
-int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
- const mbedtls_mpi *N);
-
-#if defined(MBEDTLS_TEST_HOOKS)
-/**
- * Copy an MPI from a table without leaking the index.
- *
- * \param dest The destination buffer. This must point to a writable
- * buffer of at least \p limbs limbs.
- * \param table The address of the table. This must point to a readable
- * array of \p count elements of \p limbs limbs each.
- * \param limbs The number of limbs in each table entry.
- * \param count The number of entries in \p table.
- * \param index The (secret) table index to look up. This must be in the
- * range `0 .. count-1`.
- */
-void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
- const mbedtls_mpi_uint *table,
- size_t limbs,
- size_t count,
- size_t index);
-#endif /* MBEDTLS_TEST_HOOKS */
-
-/**
- * \brief Fill an integer with a number of random bytes.
- *
- * \param X The destination MPI.
- * \param X_limbs The number of limbs of \p X.
- * \param bytes The number of random bytes to generate.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
- * \c NULL if \p f_rng doesn't need a context argument.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p X does not have
- * enough room for \p bytes bytes.
- * \return A negative error code on RNG failure.
- *
- * \note The bytes obtained from the RNG are interpreted
- * as a big-endian representation of an MPI; this can
- * be relevant in applications like deterministic ECDSA.
- */
-int mbedtls_mpi_core_fill_random(mbedtls_mpi_uint *X, size_t X_limbs,
- size_t bytes,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/** Generate a random number uniformly in a range.
- *
- * This function generates a random number between \p min inclusive and
- * \p N exclusive.
- *
- * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
- * when the RNG is a suitably parametrized instance of HMAC_DRBG
- * and \p min is \c 1.
- *
- * \note There are `N - min` possible outputs. The lower bound
- * \p min can be reached, but the upper bound \p N cannot.
- *
- * \param X The destination MPI, with \p limbs limbs.
- * It must not be aliased with \p N or otherwise overlap it.
- * \param min The minimum value to return.
- * \param N The upper bound of the range, exclusive, with \p limbs limbs.
- * In other words, this is one plus the maximum value to return.
- * \p N must be strictly larger than \p min.
- * \param limbs The number of limbs of \p N and \p X.
- * This must not be 0.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
- * unable to find a suitable value within a limited number
- * of attempts. This has a negligible probability if \p N
- * is significantly larger than \p min, which is the case
- * for all usual cryptographic applications.
- */
-int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_uint *N,
- size_t limbs,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Returns the number of limbs of working memory required for
- * a call to `mbedtls_mpi_core_exp_mod()`.
- *
- * \note This will always be at least
- * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
- * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
- *
- * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
- * (they must be the same size) that will be given to
- * `mbedtls_mpi_core_exp_mod()`.
- * \param E_limbs The number of limbs in the exponent `E` that will be given
- * to `mbedtls_mpi_core_exp_mod()`.
- *
- * \return The number of limbs of working memory required by
- * `mbedtls_mpi_core_exp_mod()`.
- */
-size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
-
-/**
- * \brief Perform a modular exponentiation with secret exponent:
- * X = A^E mod N, where \p A is already in Montgomery form.
- *
- * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
- * \p AN_limbs.
- *
- * \param[out] X The destination MPI, as a little endian array of length
- * \p AN_limbs.
- * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
- * Must be in Montgomery form.
- * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
- * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
- * \param[in] E The exponent, as a little endian array of length \p E_limbs.
- * \param E_limbs The number of limbs in \p E.
- * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
- * endian array of length \p AN_limbs.
- * \param[in,out] T Temporary storage of at least the number of limbs returned
- * by `mbedtls_mpi_core_exp_mod_working_limbs()`.
- * Its initial content is unused and its final content is
- * indeterminate.
- * It must not alias or otherwise overlap any of the other
- * parameters.
- * It is up to the caller to zeroize \p T when it is no
- * longer needed, and before freeing it if it was dynamically
- * allocated.
- */
-void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N, size_t AN_limbs,
- const mbedtls_mpi_uint *E, size_t E_limbs,
- const mbedtls_mpi_uint *RR,
- mbedtls_mpi_uint *T);
-
-/**
- * \brief Subtract unsigned integer from known-size large unsigned integers.
- * Return the borrow.
- *
- * \param[out] X The result of the subtraction.
- * \param[in] A The left operand.
- * \param b The unsigned scalar to subtract.
- * \param limbs Number of limbs of \p X and \p A.
- *
- * \return 1 if `A < b`.
- * 0 if `A >= b`.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- mbedtls_mpi_uint b,
- size_t limbs);
-
-/**
- * \brief Determine if a given MPI has the value \c 0 in constant time with
- * respect to the value (but not with respect to the number of limbs).
- *
- * \param[in] A The MPI to test.
- * \param limbs Number of limbs in \p A.
- *
- * \return 0 if `A == 0`
- * non-0 (may be any value) if `A != 0`.
- */
-mbedtls_mpi_uint mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
- size_t limbs);
-
-/**
- * \brief Returns the number of limbs of working memory required for
- * a call to `mbedtls_mpi_core_montmul()`.
- *
- * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
- * (they must be the same size) that will be given to
- * `mbedtls_mpi_core_montmul()` or one of the other functions
- * that specifies this as the amount of working memory needed.
- *
- * \return The number of limbs of working memory required by
- * `mbedtls_mpi_core_montmul()` (or other similar function).
- */
-static inline size_t mbedtls_mpi_core_montmul_working_limbs(size_t AN_limbs)
-{
- return 2 * AN_limbs + 1;
-}
-
-/** Convert an MPI into Montgomery form.
- *
- * \p X may be aliased to \p A, but may not otherwise overlap it.
- *
- * \p X may not alias \p N (it is in canonical form, so must be strictly less
- * than \p N). Nor may it alias or overlap \p rr (this is unlikely to be
- * required in practice.)
- *
- * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
- * an alternative to calling `mbedtls_mpi_mod_raw_to_mont_rep()` when we
- * don't want to allocate memory.
- *
- * \param[out] X The result of the conversion.
- * Must have the same number of limbs as \p A.
- * \param[in] A The MPI to convert into Montgomery form.
- * Must have the same number of limbs as the modulus.
- * \param[in] N The address of the modulus, which gives the size of
- * the base `R` = 2^(biL*N->limbs).
- * \param[in] AN_limbs The number of limbs in \p X, \p A, \p N and \p rr.
- * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
- * This can be determined by calling
- * `mbedtls_mpi_core_montmul_init()`.
- * \param[in] rr The residue for `2^{2*n*biL} mod N`.
- * \param[in,out] T Temporary storage of size at least
- * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
- * limbs.
- * Its initial content is unused and
- * its final content is indeterminate.
- * It must not alias or otherwise overlap any of the
- * other parameters.
- */
-void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- const mbedtls_mpi_uint *rr,
- mbedtls_mpi_uint *T);
-
-/** Convert an MPI from Montgomery form.
- *
- * \p X may be aliased to \p A, but may not otherwise overlap it.
- *
- * \p X may not alias \p N (it is in canonical form, so must be strictly less
- * than \p N).
- *
- * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
- * an alternative to calling `mbedtls_mpi_mod_raw_from_mont_rep()` when we
- * don't want to allocate memory.
- *
- * \param[out] X The result of the conversion.
- * Must have the same number of limbs as \p A.
- * \param[in] A The MPI to convert from Montgomery form.
- * Must have the same number of limbs as the modulus.
- * \param[in] N The address of the modulus, which gives the size of
- * the base `R` = 2^(biL*N->limbs).
- * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
- * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
- * This can be determined by calling
- * `mbedtls_mpi_core_montmul_init()`.
- * \param[in,out] T Temporary storage of size at least
- * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
- * limbs.
- * Its initial content is unused and
- * its final content is indeterminate.
- * It must not alias or otherwise overlap any of the
- * other parameters.
- */
-void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- mbedtls_mpi_uint mm,
- mbedtls_mpi_uint *T);
-
-#endif /* MBEDTLS_BIGNUM_CORE_H */
diff --git a/library/bignum_mod.c b/library/bignum_mod.c
deleted file mode 100644
index 2f0e9ed..0000000
--- a/library/bignum_mod.c
+++ /dev/null
@@ -1,406 +0,0 @@
-/**
- * Modular bignum functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
-
-#include <string.h>
-
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/bignum.h"
-
-#include "mbedtls/platform.h"
-
-#include "bignum_core.h"
-#include "bignum_mod.h"
-#include "bignum_mod_raw.h"
-#include "constant_time_internal.h"
-
-int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *p,
- size_t p_limbs)
-{
- if (p_limbs != N->limbs || !mbedtls_mpi_core_lt_ct(p, N->p, N->limbs)) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- r->limbs = N->limbs;
- r->p = p;
-
- return 0;
-}
-
-void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r)
-{
- if (r == NULL) {
- return;
- }
-
- r->limbs = 0;
- r->p = NULL;
-}
-
-void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N)
-{
- if (N == NULL) {
- return;
- }
-
- N->p = NULL;
- N->limbs = 0;
- N->bits = 0;
- N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
-}
-
-void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N)
-{
- if (N == NULL) {
- return;
- }
-
- switch (N->int_rep) {
- case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
- if (N->rep.mont.rr != NULL) {
- mbedtls_zeroize_and_free((mbedtls_mpi_uint *) N->rep.mont.rr,
- N->limbs * sizeof(mbedtls_mpi_uint));
- N->rep.mont.rr = NULL;
- }
- N->rep.mont.mm = 0;
- break;
- case MBEDTLS_MPI_MOD_REP_OPT_RED:
- N->rep.ored.modp = NULL;
- break;
- case MBEDTLS_MPI_MOD_REP_INVALID:
- break;
- }
-
- N->p = NULL;
- N->limbs = 0;
- N->bits = 0;
- N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
-}
-
-static int set_mont_const_square(const mbedtls_mpi_uint **X,
- const mbedtls_mpi_uint *A,
- size_t limbs)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi N;
- mbedtls_mpi RR;
- *X = NULL;
-
- mbedtls_mpi_init(&N);
- mbedtls_mpi_init(&RR);
-
- if (A == NULL || limbs == 0 || limbs >= (MBEDTLS_MPI_MAX_LIMBS / 2) - 2) {
- goto cleanup;
- }
-
- if (mbedtls_mpi_grow(&N, limbs)) {
- goto cleanup;
- }
-
- memcpy(N.p, A, sizeof(mbedtls_mpi_uint) * limbs);
-
- ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N);
-
- if (ret == 0) {
- *X = RR.p;
- RR.p = NULL;
- }
-
-cleanup:
- mbedtls_mpi_free(&N);
- mbedtls_mpi_free(&RR);
- ret = (ret != 0) ? MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED : 0;
- return ret;
-}
-
-static inline void standard_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_mpi_uint *p,
- size_t p_limbs,
- mbedtls_mpi_mod_rep_selector int_rep)
-{
- N->p = p;
- N->limbs = p_limbs;
- N->bits = mbedtls_mpi_core_bitlen(p, p_limbs);
- N->int_rep = int_rep;
-}
-
-int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_mpi_uint *p,
- size_t p_limbs)
-{
- int ret = 0;
- standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY);
- N->rep.mont.mm = mbedtls_mpi_core_montmul_init(N->p);
- ret = set_mont_const_square(&N->rep.mont.rr, N->p, N->limbs);
-
- if (ret != 0) {
- mbedtls_mpi_mod_modulus_free(N);
- }
-
- return ret;
-}
-
-int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_mpi_uint *p,
- size_t p_limbs,
- mbedtls_mpi_modp_fn modp)
-{
- standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_OPT_RED);
- N->rep.ored.modp = modp;
- return 0;
-}
-
-int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N)
-{
- if (N->limbs == 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_uint *T = mbedtls_calloc(N->limbs * 2 + 1, ciL);
- if (T == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- mbedtls_mpi_mod_raw_mul(X->p, A->p, B->p, N, T);
-
- mbedtls_free(T);
-
- return 0;
-}
-
-int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N)
-{
- if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_mod_raw_sub(X->p, A->p, B->p, N);
-
- return 0;
-}
-
-static int mbedtls_mpi_mod_inv_mont(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *working_memory)
-{
- /* Input already in Montgomery form, so there's little to do */
- mbedtls_mpi_mod_raw_inv_prime(X->p, A->p,
- N->p, N->limbs,
- N->rep.mont.rr,
- working_memory);
- return 0;
-}
-
-static int mbedtls_mpi_mod_inv_non_mont(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *working_memory)
-{
- /* Need to convert input into Montgomery form */
-
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_mpi_mod_modulus Nmont;
- mbedtls_mpi_mod_modulus_init(&Nmont);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_modulus_setup(&Nmont, N->p, N->limbs));
-
- /* We'll use X->p to hold the Montgomery form of the input A->p */
- mbedtls_mpi_core_to_mont_rep(X->p, A->p, Nmont.p, Nmont.limbs,
- Nmont.rep.mont.mm, Nmont.rep.mont.rr,
- working_memory);
-
- mbedtls_mpi_mod_raw_inv_prime(X->p, X->p,
- Nmont.p, Nmont.limbs,
- Nmont.rep.mont.rr,
- working_memory);
-
- /* And convert back from Montgomery form */
-
- mbedtls_mpi_core_from_mont_rep(X->p, X->p, Nmont.p, Nmont.limbs,
- Nmont.rep.mont.mm, working_memory);
-
-cleanup:
- mbedtls_mpi_mod_modulus_free(&Nmont);
- return ret;
-}
-
-int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_modulus *N)
-{
- if (X->limbs != N->limbs || A->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- /* Zero has the same value regardless of Montgomery form or not */
- if (mbedtls_mpi_core_check_zero_ct(A->p, A->limbs) == 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- size_t working_limbs =
- mbedtls_mpi_mod_raw_inv_prime_working_limbs(N->limbs);
-
- mbedtls_mpi_uint *working_memory = mbedtls_calloc(working_limbs,
- sizeof(mbedtls_mpi_uint));
- if (working_memory == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- switch (N->int_rep) {
- case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
- ret = mbedtls_mpi_mod_inv_mont(X, A, N, working_memory);
- break;
- case MBEDTLS_MPI_MOD_REP_OPT_RED:
- ret = mbedtls_mpi_mod_inv_non_mont(X, A, N, working_memory);
- break;
- default:
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- break;
- }
-
- mbedtls_zeroize_and_free(working_memory,
- working_limbs * sizeof(mbedtls_mpi_uint));
-
- return ret;
-}
-
-int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N)
-{
- if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_mod_raw_add(X->p, A->p, B->p, N);
-
- return 0;
-}
-
-int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_mod_modulus *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- if (X->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
- return mbedtls_mpi_mod_raw_random(X->p, min, N, f_rng, p_rng);
-}
-
-int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- const unsigned char *buf,
- size_t buflen,
- mbedtls_mpi_mod_ext_rep ext_rep)
-{
- int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
-
- /* Do our best to check if r and m have been set up */
- if (r->limbs == 0 || N->limbs == 0) {
- goto cleanup;
- }
- if (r->limbs != N->limbs) {
- goto cleanup;
- }
-
- ret = mbedtls_mpi_mod_raw_read(r->p, N, buf, buflen, ext_rep);
- if (ret != 0) {
- goto cleanup;
- }
-
- r->limbs = N->limbs;
-
- ret = mbedtls_mpi_mod_raw_canonical_to_modulus_rep(r->p, N);
-
-cleanup:
- return ret;
-}
-
-int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char *buf,
- size_t buflen,
- mbedtls_mpi_mod_ext_rep ext_rep)
-{
- /* Do our best to check if r and m have been set up */
- if (r->limbs == 0 || N->limbs == 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
- if (r->limbs != N->limbs) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_uint *working_memory = r->p;
- size_t working_memory_len = sizeof(mbedtls_mpi_uint) * r->limbs;
-
- if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) {
-
- working_memory = mbedtls_calloc(r->limbs, sizeof(mbedtls_mpi_uint));
-
- if (working_memory == NULL) {
- ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
- goto cleanup;
- }
-
- memcpy(working_memory, r->p, working_memory_len);
-
- ret = mbedtls_mpi_mod_raw_from_mont_rep(working_memory, N);
- if (ret != 0) {
- goto cleanup;
- }
- }
-
- ret = mbedtls_mpi_mod_raw_write(working_memory, N, buf, buflen, ext_rep);
-
-cleanup:
-
- if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY &&
- working_memory != NULL) {
-
- mbedtls_zeroize_and_free(working_memory, working_memory_len);
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
deleted file mode 100644
index 39e8fd2..0000000
--- a/library/bignum_mod.h
+++ /dev/null
@@ -1,464 +0,0 @@
-/**
- * Modular bignum functions
- *
- * This module implements operations on integers modulo some fixed modulus.
- *
- * The functions in this module obey the following conventions unless
- * explicitly indicated otherwise:
- *
- * - **Modulus parameters**: the modulus is passed as a pointer to a structure
- * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
- * array of limbs storing the bignum value of the modulus. The modulus must
- * be odd and is assumed to have no leading zeroes. The modulus is usually
- * named \c N and is usually input-only. Functions which take a parameter
- * of type \c const #mbedtls_mpi_mod_modulus* must not modify its value.
- * - **Bignum parameters**: Bignums are passed as pointers to an array of
- * limbs or to a #mbedtls_mpi_mod_residue structure. A limb has the type
- * #mbedtls_mpi_uint. Residues must be initialized before use, and must be
- * associated with the modulus \c N. Unless otherwise specified:
- * - Bignum parameters called \c A, \c B, ... are inputs and are not
- * modified by the function. Functions which take a parameter of
- * type \c const #mbedtls_mpi_mod_residue* must not modify its value.
- * - Bignum parameters called \c X, \c Y, ... are outputs or input-output.
- * The initial bignum value of output-only parameters is ignored, but
- * they must be set up and associated with the modulus \c N. Some
- * functions (typically constant-flow) require that the limbs in an
- * output residue are initialized.
- * - Bignum parameters called \c p are inputs used to set up a modulus or
- * residue. These must be pointers to an array of limbs.
- * - \c T is a temporary storage area. The initial content of such a
- * parameter is ignored and the final content is unspecified.
- * - Some functions use different names, such as \c r for the residue.
- * - **Bignum sizes**: bignum sizes are always expressed in limbs. Both
- * #mbedtls_mpi_mod_modulus and #mbedtls_mpi_mod_residue have a \c limbs
- * member storing its size. All bignum parameters must have the same
- * number of limbs as the modulus. All bignum sizes must be at least 1 and
- * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
- * undefined.
- * - **Bignum representation**: the representation of inputs and outputs is
- * specified by the \c int_rep field of the modulus.
- * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
- * The modulus is passed after residues. Temporaries come last.
- * - **Aliasing**: in general, output bignums may be aliased to one or more
- * inputs. Modulus values may not be aliased to any other parameter. Outputs
- * may not be aliased to one another. Temporaries may not be aliased to any
- * other parameter.
- * - **Overlap**: apart from aliasing of residue pointers (where two residue
- * arguments are equal pointers), overlap is not supported and may result
- * in undefined behavior.
- * - **Error handling**: functions generally check compatibility of input
- * sizes. Most functions will not check that input values are in canonical
- * form (i.e. that \c A < \c N), this is only checked during setup of a
- * residue structure.
- * - **Modular representatives**: all functions expect inputs to be in the
- * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1].
- * Residues are set up with an associated modulus, and operations are only
- * guaranteed to work if the modulus is associated with all residue
- * parameters. If a residue is passed with a modulus other than the one it
- * is associated with, then it may be out of range. If an input is out of
- * range, outputs are fully unspecified, though bignum values out of range
- * should not cause buffer overflows (beware that this is not extensively
- * tested).
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_BIGNUM_MOD_H
-#define MBEDTLS_BIGNUM_MOD_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-/** How residues associated with a modulus are represented.
- *
- * This also determines which fields of the modulus structure are valid and
- * what their contents are (see #mbedtls_mpi_mod_modulus).
- */
-typedef enum {
- /** Representation not chosen (makes the modulus structure invalid). */
- MBEDTLS_MPI_MOD_REP_INVALID = 0,
- /* Skip 1 as it is slightly easier to accidentally pass to functions. */
- /** Montgomery representation. */
- MBEDTLS_MPI_MOD_REP_MONTGOMERY = 2,
- /* Optimised reduction available. This indicates a coordinate modulus (P)
- * and one or more of the following have been configured:
- * - A nist curve (MBEDTLS_ECP_DP_SECPXXXR1_ENABLED) & MBEDTLS_ECP_NIST_OPTIM.
- * - A Kobliz Curve.
- * - A Fast Reduction Curve CURVE25519 or CURVE448. */
- MBEDTLS_MPI_MOD_REP_OPT_RED,
-} mbedtls_mpi_mod_rep_selector;
-
-/* Make mbedtls_mpi_mod_rep_selector and mbedtls_mpi_mod_ext_rep disjoint to
- * make it easier to catch when they are accidentally swapped. */
-typedef enum {
- MBEDTLS_MPI_MOD_EXT_REP_INVALID = 0,
- MBEDTLS_MPI_MOD_EXT_REP_LE = 8,
- MBEDTLS_MPI_MOD_EXT_REP_BE
-} mbedtls_mpi_mod_ext_rep;
-
-typedef struct {
- mbedtls_mpi_uint *p;
- size_t limbs;
-} mbedtls_mpi_mod_residue;
-
-typedef struct {
- mbedtls_mpi_uint const *rr; /* The residue for 2^{2*n*biL} mod N */
- mbedtls_mpi_uint mm; /* Montgomery const for -N^{-1} mod 2^{ciL} */
-} mbedtls_mpi_mont_struct;
-
-typedef int (*mbedtls_mpi_modp_fn)(mbedtls_mpi_uint *X, size_t X_limbs);
-
-typedef struct {
- mbedtls_mpi_modp_fn modp; /* The optimised reduction function pointer */
-} mbedtls_mpi_opt_red_struct;
-
-typedef struct {
- const mbedtls_mpi_uint *p;
- size_t limbs; // number of limbs
- size_t bits; // bitlen of p
- mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union
- union rep {
- /* if int_rep == #MBEDTLS_MPI_MOD_REP_MONTGOMERY */
- mbedtls_mpi_mont_struct mont;
- /* if int_rep == #MBEDTLS_MPI_MOD_REP_OPT_RED */
- mbedtls_mpi_opt_red_struct ored;
- } rep;
-} mbedtls_mpi_mod_modulus;
-
-/** Setup a residue structure.
- *
- * The residue will be set up with the buffer \p p and modulus \p N.
- *
- * The memory pointed to by \p p will be used by the resulting residue structure.
- * The value at the pointed-to memory will be the initial value of \p r and must
- * hold a value that is less than the modulus. This value will be used as-is
- * and interpreted according to the value of the `N->int_rep` field.
- *
- * The modulus \p N will be the modulus associated with \p r. The residue \p r
- * should only be used in operations where the modulus is \p N.
- *
- * \param[out] r The address of the residue to setup.
- * \param[in] N The address of the modulus related to \p r.
- * \param[in] p The address of the limb array containing the value of \p r.
- * The memory pointed to by \p p will be used by \p r and must
- * not be modified in any way until after
- * mbedtls_mpi_mod_residue_release() is called. The data
- * pointed to by \p p must be less than the modulus (the value
- * pointed to by `N->p`) and already in the representation
- * indicated by `N->int_rep`.
- * \param p_limbs The number of limbs of \p p. Must be the same as the number
- * of limbs in the modulus \p N.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the
- * limbs in \p N or if \p p is not less than \p N.
- */
-int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *p,
- size_t p_limbs);
-
-/** Unbind elements of a residue structure.
- *
- * This function removes the reference to the limb array that was passed to
- * mbedtls_mpi_mod_residue_setup() to make it safe to free or use again.
- *
- * This function invalidates \p r and it must not be used until after
- * mbedtls_mpi_mod_residue_setup() is called on it again.
- *
- * \param[out] r The address of residue to release.
- */
-void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r);
-
-/** Initialize a modulus structure.
- *
- * \param[out] N The address of the modulus structure to initialize.
- */
-void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N);
-
-/** Setup a modulus structure.
- *
- * \param[out] N The address of the modulus structure to populate.
- * \param[in] p The address of the limb array storing the value of \p N.
- * The memory pointed to by \p p will be used by \p N and must
- * not be modified in any way until after
- * mbedtls_mpi_mod_modulus_free() is called.
- * \param p_limbs The number of limbs of \p p.
- *
- * \return \c 0 if successful.
- */
-int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_mpi_uint *p,
- size_t p_limbs);
-
-/** Setup an optimised-reduction compatible modulus structure.
- *
- * \param[out] N The address of the modulus structure to populate.
- * \param[in] p The address of the limb array storing the value of \p N.
- * The memory pointed to by \p p will be used by \p N and must
- * not be modified in any way until after
- * mbedtls_mpi_mod_modulus_free() is called.
- * \param p_limbs The number of limbs of \p p.
- * \param modp A pointer to the optimised reduction function to use. \p p.
- *
- * \return \c 0 if successful.
- */
-int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_mpi_uint *p,
- size_t p_limbs,
- mbedtls_mpi_modp_fn modp);
-
-/** Free elements of a modulus structure.
- *
- * This function frees any memory allocated by mbedtls_mpi_mod_modulus_setup().
- *
- * \warning This function does not free the limb array passed to
- * mbedtls_mpi_mod_modulus_setup() only removes the reference to it,
- * making it safe to free or to use it again.
- *
- * \param[in,out] N The address of the modulus structure to free.
- */
-void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N);
-
-/** \brief Multiply two residues, returning the residue modulo the specified
- * modulus.
- *
- * \note Currently handles the case when `N->int_rep` is
- * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
- *
- * The size of the operation is determined by \p N. \p A, \p B and \p X must
- * all be associated with the modulus \p N and must all have the same number
- * of limbs as \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise. They may not alias \p N (since they must be in canonical
- * form, they cannot == \p N).
- *
- * \param[out] X The address of the result MPI. Must have the same
- * number of limbs as \p N.
- * On successful completion, \p X contains the result of
- * the multiplication `A * B * R^-1` mod N where
- * `R = 2^(biL * N->limbs)`.
- * \param[in] A The address of the first MPI.
- * \param[in] B The address of the second MPI.
- * \param[in] N The address of the modulus. Used to perform a modulo
- * operation on the result of the multiplication.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if all the parameters do not
- * have the same number of limbs or \p N is invalid.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
- */
-int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N);
-
-/**
- * \brief Perform a fixed-size modular subtraction.
- *
- * Calculate `A - B modulo N`.
- *
- * \p A, \p B and \p X must all have the same number of limbs as \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise.
- *
- * \note This function does not check that \p A or \p B are in canonical
- * form (that is, are < \p N) - that will have been done by
- * mbedtls_mpi_mod_residue_setup().
- *
- * \param[out] X The address of the result MPI. Must be initialized.
- * Must have the same number of limbs as the modulus \p N.
- * \param[in] A The address of the first MPI.
- * \param[in] B The address of the second MPI.
- * \param[in] N The address of the modulus. Used to perform a modulo
- * operation on the result of the subtraction.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
- * have the correct number of limbs.
- */
-int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N);
-
-/**
- * \brief Perform modular inversion of an MPI with respect to a modulus \p N.
- *
- * \p A and \p X must be associated with the modulus \p N and will therefore
- * have the same number of limbs as \p N.
- *
- * \p X may be aliased to \p A.
- *
- * \warning Currently only supports prime moduli, but does not check for them.
- *
- * \param[out] X The modular inverse of \p A with respect to \p N.
- * \param[in] A The number to calculate the modular inverse of.
- * Must not be 0.
- * \param[in] N The modulus to use.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A and \p N do not
- * have the same number of limbs.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A is zero.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
- * memory (needed for conversion to and from Mongtomery form
- * when not in Montgomery form already, and for temporary use
- * by the inversion calculation itself).
- */
-
-int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_modulus *N);
-/**
- * \brief Perform a fixed-size modular addition.
- *
- * Calculate `A + B modulo N`.
- *
- * \p A, \p B and \p X must all be associated with the modulus \p N and must
- * all have the same number of limbs as \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise.
- *
- * \note This function does not check that \p A or \p B are in canonical
- * form (that is, are < \p N) - that will have been done by
- * mbedtls_mpi_mod_residue_setup().
- *
- * \param[out] X The address of the result residue. Must be initialized.
- * Must have the same number of limbs as the modulus \p N.
- * \param[in] A The address of the first input residue.
- * \param[in] B The address of the second input residue.
- * \param[in] N The address of the modulus. Used to perform a modulo
- * operation on the result of the addition.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
- * have the correct number of limbs.
- */
-int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
- const mbedtls_mpi_mod_residue *A,
- const mbedtls_mpi_mod_residue *B,
- const mbedtls_mpi_mod_modulus *N);
-
-/** Generate a random number uniformly in a range.
- *
- * This function generates a random number between \p min inclusive and
- * \p N exclusive.
- *
- * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
- * when the RNG is a suitably parametrized instance of HMAC_DRBG
- * and \p min is \c 1.
- *
- * \note There are `N - min` possible outputs. The lower bound
- * \p min can be reached, but the upper bound \p N cannot.
- *
- * \param X The destination residue.
- * \param min The minimum value to return. It must be strictly smaller
- * than \b N.
- * \param N The modulus.
- * This is the upper bound of the output range, exclusive.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
- * unable to find a suitable value within a limited number
- * of attempts. This has a negligible probability if \p N
- * is significantly larger than \p min, which is the case
- * for all usual cryptographic applications.
- */
-int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_mod_modulus *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/** Read a residue from a byte buffer.
- *
- * The residue will be automatically converted to the internal representation
- * based on the value of the `N->int_rep` field.
- *
- * The modulus \p N will be the modulus associated with \p r. The residue \p r
- * should only be used in operations where the modulus is \p N or a modulus
- * equivalent to \p N (in the sense that all their fields or memory pointed by
- * their fields hold the same value).
- *
- * \param[out] r The address of the residue. It must have exactly the same
- * number of limbs as the modulus \p N.
- * \param[in] N The address of the modulus.
- * \param[in] buf The input buffer to import from.
- * \param buflen The length in bytes of \p buf.
- * \param ext_rep The endianness of the number in the input buffer.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't
- * large enough to hold the value in \p buf.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep
- * is invalid or the value in the buffer is not less than \p N.
- */
-int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- const unsigned char *buf,
- size_t buflen,
- mbedtls_mpi_mod_ext_rep ext_rep);
-
-/** Write a residue into a byte buffer.
- *
- * The modulus \p N must be the modulus associated with \p r (see
- * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()).
- *
- * The residue will be automatically converted from the internal representation
- * based on the value of `N->int_rep` field.
- *
- * \warning If the buffer is smaller than `N->bits`, the number of
- * leading zeroes is leaked through timing. If \p r is
- * secret, the caller must ensure that \p buflen is at least
- * (`N->bits`+7)/8.
- *
- * \param[in] r The address of the residue. It must have the same number of
- * limbs as the modulus \p N. (\p r is an input parameter, but
- * its value will be modified during execution and restored
- * before the function returns.)
- * \param[in] N The address of the modulus associated with \p r.
- * \param[out] buf The output buffer to export to.
- * \param buflen The length in bytes of \p buf.
- * \param ext_rep The endianness in which the number should be written into
- * the output buffer.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
- * large enough to hold the value of \p r (without leading
- * zeroes).
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
- * memory for conversion. Can occur only for moduli with
- * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
- */
-int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char *buf,
- size_t buflen,
- mbedtls_mpi_mod_ext_rep ext_rep);
-
-#endif /* MBEDTLS_BIGNUM_MOD_H */
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
deleted file mode 100644
index 5ee1b19..0000000
--- a/library/bignum_mod_raw.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * Low-level modular bignum functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
-
-#include <string.h>
-
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-
-#include "mbedtls/platform.h"
-
-#include "bignum_core.h"
-#include "bignum_mod_raw.h"
-#include "bignum_mod.h"
-#include "constant_time_internal.h"
-
-#include "bignum_mod_raw_invasive.h"
-
-void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char assign)
-{
- mbedtls_mpi_core_cond_assign(X, A, N->limbs, mbedtls_ct_bool(assign));
-}
-
-void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint *Y,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char swap)
-{
- mbedtls_mpi_core_cond_swap(X, Y, N->limbs, mbedtls_ct_bool(swap));
-}
-
-int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N,
- const unsigned char *input,
- size_t input_length,
- mbedtls_mpi_mod_ext_rep ext_rep)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- switch (ext_rep) {
- case MBEDTLS_MPI_MOD_EXT_REP_LE:
- ret = mbedtls_mpi_core_read_le(X, N->limbs,
- input, input_length);
- break;
- case MBEDTLS_MPI_MOD_EXT_REP_BE:
- ret = mbedtls_mpi_core_read_be(X, N->limbs,
- input, input_length);
- break;
- default:
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (ret != 0) {
- goto cleanup;
- }
-
- if (!mbedtls_mpi_core_lt_ct(X, N->p, N->limbs)) {
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- goto cleanup;
- }
-
-cleanup:
-
- return ret;
-}
-
-int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char *output,
- size_t output_length,
- mbedtls_mpi_mod_ext_rep ext_rep)
-{
- switch (ext_rep) {
- case MBEDTLS_MPI_MOD_EXT_REP_LE:
- return mbedtls_mpi_core_write_le(A, N->limbs,
- output, output_length);
- case MBEDTLS_MPI_MOD_EXT_REP_BE:
- return mbedtls_mpi_core_write_be(A, N->limbs,
- output, output_length);
- default:
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-}
-
-void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N)
-{
- mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, A, B, N->limbs);
-
- (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
-}
-
-MBEDTLS_STATIC_TESTABLE
-void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N)
-{
- mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
-
- (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
-}
-
-
-void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *T)
-{
- /* Standard (A * B) multiplication stored into pre-allocated T
- * buffer of fixed limb size of (2N + 1).
- *
- * The space may not not fully filled by when
- * MBEDTLS_MPI_MOD_REP_OPT_RED is used. */
- const size_t T_limbs = BITS_TO_LIMBS(N->bits) * 2;
- switch (N->int_rep) {
- case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
- mbedtls_mpi_core_montmul(X, A, B, N->limbs, N->p, N->limbs,
- N->rep.mont.mm, T);
- break;
- case MBEDTLS_MPI_MOD_REP_OPT_RED:
- mbedtls_mpi_core_mul(T, A, N->limbs, B, N->limbs);
-
- /* Optimised Reduction */
- (*N->rep.ored.modp)(T, T_limbs);
-
- /* Convert back to canonical representation */
- mbedtls_mpi_mod_raw_fix_quasi_reduction(T, N);
- memcpy(X, T, N->limbs * sizeof(mbedtls_mpi_uint));
- break;
- default:
- break;
- }
-
-}
-
-size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs)
-{
- /* mbedtls_mpi_mod_raw_inv_prime() needs a temporary for the exponent,
- * which will be the same size as the modulus and input (AN_limbs),
- * and additional space to pass to mbedtls_mpi_core_exp_mod(). */
- return AN_limbs +
- mbedtls_mpi_core_exp_mod_working_limbs(AN_limbs, AN_limbs);
-}
-
-void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- const mbedtls_mpi_uint *RR,
- mbedtls_mpi_uint *T)
-{
- /* Inversion by power: g^|G| = 1 => g^(-1) = g^(|G|-1), and
- * |G| = N - 1, so we want
- * g^(|G|-1) = g^(N - 2)
- */
-
- /* Use the first AN_limbs of T to hold N - 2 */
- mbedtls_mpi_uint *Nminus2 = T;
- (void) mbedtls_mpi_core_sub_int(Nminus2, N, 2, AN_limbs);
-
- /* Rest of T is given to exp_mod for its working space */
- mbedtls_mpi_core_exp_mod(X,
- A, N, AN_limbs, Nminus2, AN_limbs,
- RR, T + AN_limbs);
-}
-
-void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N)
-{
- mbedtls_mpi_uint carry, borrow;
- carry = mbedtls_mpi_core_add(X, A, B, N->limbs);
- borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
- (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) (carry ^ borrow));
-}
-
-int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
- mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N)
-{
- switch (N->int_rep) {
- case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
- return mbedtls_mpi_mod_raw_to_mont_rep(X, N);
- case MBEDTLS_MPI_MOD_REP_OPT_RED:
- return 0;
- default:
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-}
-
-int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
- mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N)
-{
- switch (N->int_rep) {
- case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
- return mbedtls_mpi_mod_raw_from_mont_rep(X, N);
- case MBEDTLS_MPI_MOD_REP_OPT_RED:
- return 0;
- default:
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-}
-
-int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_mod_modulus *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = mbedtls_mpi_core_random(X, min, N->p, N->limbs, f_rng, p_rng);
- if (ret != 0) {
- return ret;
- }
- return mbedtls_mpi_mod_raw_canonical_to_modulus_rep(X, N);
-}
-
-int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N)
-{
- mbedtls_mpi_uint *T;
- const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
-
- if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- mbedtls_mpi_core_to_mont_rep(X, X, N->p, N->limbs,
- N->rep.mont.mm, N->rep.mont.rr, T);
-
- mbedtls_zeroize_and_free(T, t_limbs * ciL);
- return 0;
-}
-
-int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N)
-{
- const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
- mbedtls_mpi_uint *T;
-
- if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- mbedtls_mpi_core_from_mont_rep(X, X, N->p, N->limbs, N->rep.mont.mm, T);
-
- mbedtls_zeroize_and_free(T, t_limbs * ciL);
- return 0;
-}
-
-void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N)
-{
- mbedtls_mpi_core_sub(X, N->p, A, N->limbs);
-
- /* If A=0 initially, then X=N now. Detect this by
- * subtracting N and catching the carry. */
- mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
- (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) borrow);
-}
-
-#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
deleted file mode 100644
index c5ff937..0000000
--- a/library/bignum_mod_raw.h
+++ /dev/null
@@ -1,428 +0,0 @@
-/**
- * Low-level modular bignum functions
- *
- * This interface should only be used by the higher-level modular bignum
- * module (bignum_mod.c) and the ECP module (ecp.c, ecp_curves.c). All other
- * modules should use the high-level modular bignum interface (bignum_mod.h)
- * or the legacy bignum interface (bignum.h).
- *
- * This is a low-level interface to operations on integers modulo which
- * has no protection against passing invalid arguments such as arrays of
- * the wrong size. The functions in bignum_mod.h provide a higher-level
- * interface that includes protections against accidental misuse, at the
- * expense of code size and sometimes more cumbersome memory management.
- *
- * The functions in this module obey the following conventions unless
- * explicitly indicated otherwise:
- * - **Modulus parameters**: the modulus is passed as a pointer to a structure
- * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
- * array of limbs storing the bignum value of the modulus. The modulus must
- * be odd and is assumed to have no leading zeroes. The modulus is usually
- * named \c N and is usually input-only.
- * - **Bignum parameters**: Bignums are passed as pointers to an array of
- * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
- * - Bignum parameters called \c A, \c B, ... are inputs, and are not
- * modified by the function.
- * - Bignum parameters called \c X, \c Y are outputs or input-output.
- * The initial content of output-only parameters is ignored.
- * - \c T is a temporary storage area. The initial content of such a
- * parameter is ignored and the final content is unspecified.
- * - **Bignum sizes**: bignum sizes are usually expressed by the \c limbs
- * member of the modulus argument. All bignum parameters must have the same
- * number of limbs as the modulus. All bignum sizes must be at least 1 and
- * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
- * undefined.
- * - **Bignum representation**: the representation of inputs and outputs is
- * specified by the \c int_rep field of the modulus for arithmetic
- * functions. Utility functions may allow for different representation.
- * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
- * The modulus is passed after other bignum input parameters. Temporaries
- * come last.
- * - **Aliasing**: in general, output bignums may be aliased to one or more
- * inputs. Modulus values may not be aliased to any other parameter. Outputs
- * may not be aliased to one another. Temporaries may not be aliased to any
- * other parameter.
- * - **Overlap**: apart from aliasing of limb array pointers (where two
- * arguments are equal pointers), overlap is not supported and may result
- * in undefined behavior.
- * - **Error handling**: This is a low-level module. Functions generally do not
- * try to protect against invalid arguments such as nonsensical sizes or
- * null pointers. Note that passing bignums with a different size than the
- * modulus may lead to buffer overflows. Some functions which allocate
- * memory or handle reading/writing of bignums will return an error if
- * memory allocation fails or if buffer sizes are invalid.
- * - **Modular representatives**: all functions expect inputs to be in the
- * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1]. If
- * an input is out of range, outputs are fully unspecified, though bignum
- * values out of range should not cause buffer overflows (beware that this is
- * not extensively tested).
- */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_BIGNUM_MOD_RAW_H
-#define MBEDTLS_BIGNUM_MOD_RAW_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-#include "bignum_mod.h"
-
-/**
- * \brief Perform a safe conditional copy of an MPI which doesn't reveal
- * whether the assignment was done or not.
- *
- * The size to copy is determined by \p N.
- *
- * \param[out] X The address of the destination MPI.
- * This must be initialized. Must have enough limbs to
- * store the full value of \p A.
- * \param[in] A The address of the source MPI. This must be initialized.
- * \param[in] N The address of the modulus related to \p X and \p A.
- * \param assign The condition deciding whether to perform the
- * assignment or not. Must be either 0 or 1:
- * * \c 1: Perform the assignment `X = A`.
- * * \c 0: Keep the original value of \p X.
- *
- * \note This function avoids leaking any information about whether
- * the assignment was done or not.
- *
- * \warning If \p assign is neither 0 nor 1, the result of this function
- * is indeterminate, and the resulting value in \p X might be
- * neither its original value nor the value in \p A.
- */
-void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char assign);
-
-/**
- * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
- * whether the swap was done or not.
- *
- * The size to swap is determined by \p N.
- *
- * \param[in,out] X The address of the first MPI. This must be initialized.
- * \param[in,out] Y The address of the second MPI. This must be initialized.
- * \param[in] N The address of the modulus related to \p X and \p Y.
- * \param swap The condition deciding whether to perform
- * the swap or not. Must be either 0 or 1:
- * * \c 1: Swap the values of \p X and \p Y.
- * * \c 0: Keep the original values of \p X and \p Y.
- *
- * \note This function avoids leaking any information about whether
- * the swap was done or not.
- *
- * \warning If \p swap is neither 0 nor 1, the result of this function
- * is indeterminate, and both \p X and \p Y might end up with
- * values different to either of the original ones.
- */
-void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint *Y,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char swap);
-
-/** Import X from unsigned binary data.
- *
- * The MPI needs to have enough limbs to store the full value (including any
- * most significant zero bytes in the input).
- *
- * \param[out] X The address of the MPI. The size is determined by \p N.
- * (In particular, it must have at least as many limbs as
- * the modulus \p N.)
- * \param[in] N The address of the modulus related to \p X.
- * \param[in] input The input buffer to import from.
- * \param input_length The length in bytes of \p input.
- * \param ext_rep The endianness of the number in the input buffer.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
- * large enough to hold the value in \p input.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
- * of \p N is invalid or \p X is not less than \p N.
- */
-int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N,
- const unsigned char *input,
- size_t input_length,
- mbedtls_mpi_mod_ext_rep ext_rep);
-
-/** Export A into unsigned binary data.
- *
- * \param[in] A The address of the MPI. The size is determined by \p N.
- * (In particular, it must have at least as many limbs as
- * the modulus \p N.)
- * \param[in] N The address of the modulus related to \p A.
- * \param[out] output The output buffer to export to.
- * \param output_length The length in bytes of \p output.
- * \param ext_rep The endianness in which the number should be written into the output buffer.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
- * large enough to hold the value of \p A.
- * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
- * of \p N is invalid.
- */
-int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N,
- unsigned char *output,
- size_t output_length,
- mbedtls_mpi_mod_ext_rep ext_rep);
-
-/** \brief Subtract two MPIs, returning the residue modulo the specified
- * modulus.
- *
- * The size of the operation is determined by \p N. \p A and \p B must have
- * the same number of limbs as \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise.
- *
- * \param[out] X The address of the result MPI.
- * This must be initialized. Must have enough limbs to
- * store the full value of the result.
- * \param[in] A The address of the first MPI. This must be initialized.
- * \param[in] B The address of the second MPI. This must be initialized.
- * \param[in] N The address of the modulus. Used to perform a modulo
- * operation on the result of the subtraction.
- */
-void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N);
-
-/** \brief Multiply two MPIs, returning the residue modulo the specified
- * modulus.
- *
- * \note Currently handles the case when `N->int_rep` is
- * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
- *
- * The size of the operation is determined by \p N. \p A, \p B and \p X must
- * all be associated with the modulus \p N and must all have the same number
- * of limbs as \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise. They may not alias \p N (since they must be in canonical
- * form, they cannot == \p N).
- *
- * \param[out] X The address of the result MPI. Must have the same
- * number of limbs as \p N.
- * On successful completion, \p X contains the result of
- * the multiplication `A * B * R^-1` mod N where
- * `R = 2^(biL * N->limbs)`.
- * \param[in] A The address of the first MPI.
- * \param[in] B The address of the second MPI.
- * \param[in] N The address of the modulus. Used to perform a modulo
- * operation on the result of the multiplication.
- * \param[in,out] T Temporary storage of size at least 2 * N->limbs + 1
- * limbs. Its initial content is unused and
- * its final content is indeterminate.
- * It must not alias or otherwise overlap any of the
- * other parameters.
- */
-void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N,
- mbedtls_mpi_uint *T);
-
-/**
- * \brief Returns the number of limbs of working memory required for
- * a call to `mbedtls_mpi_mod_raw_inv_prime()`.
- *
- * \note This will always be at least
- * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
- * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
- *
- * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
- * (they must be the same size) that will be given to
- * `mbedtls_mpi_mod_raw_inv_prime()`.
- *
- * \return The number of limbs of working memory required by
- * `mbedtls_mpi_mod_raw_inv_prime()`.
- */
-size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs);
-
-/**
- * \brief Perform fixed-width modular inversion of a Montgomery-form MPI with
- * respect to a modulus \p N that must be prime.
- *
- * \p X may be aliased to \p A, but not to \p N or \p RR.
- *
- * \param[out] X The modular inverse of \p A with respect to \p N.
- * Will be in Montgomery form.
- * \param[in] A The number to calculate the modular inverse of.
- * Must be in Montgomery form. Must not be 0.
- * \param[in] N The modulus, as a little-endian array of length \p AN_limbs.
- * Must be prime.
- * \param AN_limbs The number of limbs in \p A, \p N and \p RR.
- * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little-
- * endian array of length \p AN_limbs.
- * \param[in,out] T Temporary storage of at least the number of limbs returned
- * by `mbedtls_mpi_mod_raw_inv_prime_working_limbs()`.
- * Its initial content is unused and its final content is
- * indeterminate.
- * It must not alias or otherwise overlap any of the other
- * parameters.
- * It is up to the caller to zeroize \p T when it is no
- * longer needed, and before freeing it if it was dynamically
- * allocated.
- */
-void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- const mbedtls_mpi_uint *RR,
- mbedtls_mpi_uint *T);
-
-/**
- * \brief Perform a known-size modular addition.
- *
- * Calculate `A + B modulo N`.
- *
- * The number of limbs in each operand, and the result, is given by the
- * modulus \p N.
- *
- * \p X may be aliased to \p A or \p B, or even both, but may not overlap
- * either otherwise.
- *
- * \param[out] X The result of the modular addition.
- * \param[in] A Little-endian presentation of the left operand. This
- * must be smaller than \p N.
- * \param[in] B Little-endian presentation of the right operand. This
- * must be smaller than \p N.
- * \param[in] N The address of the modulus.
- */
-void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *B,
- const mbedtls_mpi_mod_modulus *N);
-
-/** Convert an MPI from canonical representation (little-endian limb array)
- * to the representation associated with the modulus.
- *
- * \param[in,out] X The limb array to convert.
- * It must have as many limbs as \p N.
- * It is converted in place.
- * If this function returns an error, the content of \p X
- * is unspecified.
- * \param[in] N The modulus structure.
- *
- * \return \c 0 if successful.
- * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
- */
-int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
- mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N);
-
-/** Convert an MPI from the representation associated with the modulus
- * to canonical representation (little-endian limb array).
- *
- * \param[in,out] X The limb array to convert.
- * It must have as many limbs as \p N.
- * It is converted in place.
- * If this function returns an error, the content of \p X
- * is unspecified.
- * \param[in] N The modulus structure.
- *
- * \return \c 0 if successful.
- * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
- */
-int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
- mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N);
-
-/** Generate a random number uniformly in a range.
- *
- * This function generates a random number between \p min inclusive and
- * \p N exclusive.
- *
- * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
- * when the RNG is a suitably parametrized instance of HMAC_DRBG
- * and \p min is \c 1.
- *
- * \note There are `N - min` possible outputs. The lower bound
- * \p min can be reached, but the upper bound \p N cannot.
- *
- * \param X The destination MPI, in canonical representation modulo \p N.
- * It must not be aliased with \p N or otherwise overlap it.
- * \param min The minimum value to return. It must be strictly smaller
- * than \b N.
- * \param N The modulus.
- * This is the upper bound of the output range, exclusive.
- * \param f_rng The RNG function to use. This must not be \c NULL.
- * \param p_rng The RNG parameter to be passed to \p f_rng.
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
- * unable to find a suitable value within a limited number
- * of attempts. This has a negligible probability if \p N
- * is significantly larger than \p min, which is the case
- * for all usual cryptographic applications.
- */
-int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
- mbedtls_mpi_uint min,
- const mbedtls_mpi_mod_modulus *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/** Convert an MPI into Montgomery form.
- *
- * \param X The address of the MPI.
- * Must have the same number of limbs as \p N.
- * \param N The address of the modulus, which gives the size of
- * the base `R` = 2^(biL*N->limbs).
- *
- * \return \c 0 if successful.
- */
-int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N);
-
-/** Convert an MPI back from Montgomery representation.
- *
- * \param X The address of the MPI.
- * Must have the same number of limbs as \p N.
- * \param N The address of the modulus, which gives the size of
- * the base `R`= 2^(biL*N->limbs).
- *
- * \return \c 0 if successful.
- */
-int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N);
-
-/** \brief Perform fixed width modular negation.
- *
- * The size of the operation is determined by \p N. \p A must have
- * the same number of limbs as \p N.
- *
- * \p X may be aliased to \p A.
- *
- * \param[out] X The result of the modular negation.
- * This must be initialized.
- * \param[in] A Little-endian presentation of the input operand. This
- * must be less than or equal to \p N.
- * \param[in] N The modulus to use.
- */
-void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_mod_modulus *N);
-
-#endif /* MBEDTLS_BIGNUM_MOD_RAW_H */
diff --git a/library/bignum_mod_raw_invasive.h b/library/bignum_mod_raw_invasive.h
deleted file mode 100644
index ead8394..0000000
--- a/library/bignum_mod_raw_invasive.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * \file bignum_mod_raw_invasive.h
- *
- * \brief Function declarations for invasive functions of Low-level
- * modular bignum.
- */
-/**
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
-#define MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
-
-#include "common.h"
-#include "mbedtls/bignum.h"
-#include "bignum_mod.h"
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-/** Convert the result of a quasi-reduction to its canonical representative.
- *
- * \param[in,out] X The address of the MPI to be converted. Must have the
- * same number of limbs as \p N. The input value must
- * be in range 0 <= X < 2N.
- * \param[in] N The address of the modulus.
- */
-MBEDTLS_STATIC_TESTABLE
-void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
- const mbedtls_mpi_mod_modulus *N);
-
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#endif /* MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H */
diff --git a/library/bn_mul.h b/library/bn_mul.h
deleted file mode 100644
index ab1a66a..0000000
--- a/library/bn_mul.h
+++ /dev/null
@@ -1,1106 +0,0 @@
-/**
- * \file bn_mul.h
- *
- * \brief Multi-precision integer library
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * Multiply source vector [s] with b, add result
- * to destination vector [d] and set carry c.
- *
- * Currently supports:
- *
- * . IA-32 (386+) . AMD64 / EM64T
- * . IA-32 (SSE2) . Motorola 68000
- * . PowerPC, 32-bit . MicroBlaze
- * . PowerPC, 64-bit . TriCore
- * . SPARC v8 . ARM v3+
- * . Alpha . MIPS32
- * . C, longlong . C, generic
- */
-#ifndef MBEDTLS_BN_MUL_H
-#define MBEDTLS_BN_MUL_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/bignum.h"
-
-
-/*
- * Conversion macros for embedded constants:
- * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
- */
-#if defined(MBEDTLS_HAVE_INT32)
-
-#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
- ((mbedtls_mpi_uint) (a) << 0) | \
- ((mbedtls_mpi_uint) (b) << 8) | \
- ((mbedtls_mpi_uint) (c) << 16) | \
- ((mbedtls_mpi_uint) (d) << 24)
-
-#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
- MBEDTLS_BYTES_TO_T_UINT_4(a, b, 0, 0)
-
-#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
- MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d), \
- MBEDTLS_BYTES_TO_T_UINT_4(e, f, g, h)
-
-#else /* 64-bits */
-
-#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
- ((mbedtls_mpi_uint) (a) << 0) | \
- ((mbedtls_mpi_uint) (b) << 8) | \
- ((mbedtls_mpi_uint) (c) << 16) | \
- ((mbedtls_mpi_uint) (d) << 24) | \
- ((mbedtls_mpi_uint) (e) << 32) | \
- ((mbedtls_mpi_uint) (f) << 40) | \
- ((mbedtls_mpi_uint) (g) << 48) | \
- ((mbedtls_mpi_uint) (h) << 56)
-
-#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
- MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, 0, 0, 0, 0)
-
-#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
- MBEDTLS_BYTES_TO_T_UINT_8(a, b, 0, 0, 0, 0, 0, 0)
-
-#endif /* bits in mbedtls_mpi_uint */
-
-/* *INDENT-OFF* */
-#if defined(MBEDTLS_HAVE_ASM)
-
-/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
-#if defined(__GNUC__) && \
- ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
-
-/*
- * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
- * fixed reserved register when building as PIC, leading to errors
- * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm'
- *
- * This is fixed by an improved register allocator in GCC 5+. From the
- * release notes:
- * Register allocation improvements: Reuse of the PIC hard register,
- * instead of using a fixed register, was implemented on x86/x86-64
- * targets. This improves generated PIC code performance as more hard
- * registers can be used.
- */
-#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
-#define MULADDC_CANNOT_USE_EBX
-#endif
-
-/*
- * Disable use of the i386 assembly code below if option -O0, to disable all
- * compiler optimisations, is passed, detected with __OPTIMIZE__
- * This is done as the number of registers used in the assembly code doesn't
- * work with the -O0 option.
- */
-#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
-
-#define MULADDC_X1_INIT \
- { mbedtls_mpi_uint t; \
- asm( \
- "movl %%ebx, %0 \n\t" \
- "movl %5, %%esi \n\t" \
- "movl %6, %%edi \n\t" \
- "movl %7, %%ecx \n\t" \
- "movl %8, %%ebx \n\t"
-
-#define MULADDC_X1_CORE \
- "lodsl \n\t" \
- "mull %%ebx \n\t" \
- "addl %%ecx, %%eax \n\t" \
- "adcl $0, %%edx \n\t" \
- "addl (%%edi), %%eax \n\t" \
- "adcl $0, %%edx \n\t" \
- "movl %%edx, %%ecx \n\t" \
- "stosl \n\t"
-
-#define MULADDC_X1_STOP \
- "movl %4, %%ebx \n\t" \
- "movl %%ecx, %1 \n\t" \
- "movl %%edi, %2 \n\t" \
- "movl %%esi, %3 \n\t" \
- : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
- : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
- : "eax", "ebx", "ecx", "edx", "esi", "edi" \
- ); }
-
-#if defined(MBEDTLS_HAVE_SSE2)
-
-#define MULADDC_X8_INIT MULADDC_X1_INIT
-
-#define MULADDC_X8_CORE \
- "movd %%ecx, %%mm1 \n\t" \
- "movd %%ebx, %%mm0 \n\t" \
- "movd (%%edi), %%mm3 \n\t" \
- "paddq %%mm3, %%mm1 \n\t" \
- "movd (%%esi), %%mm2 \n\t" \
- "pmuludq %%mm0, %%mm2 \n\t" \
- "movd 4(%%esi), %%mm4 \n\t" \
- "pmuludq %%mm0, %%mm4 \n\t" \
- "movd 8(%%esi), %%mm6 \n\t" \
- "pmuludq %%mm0, %%mm6 \n\t" \
- "movd 12(%%esi), %%mm7 \n\t" \
- "pmuludq %%mm0, %%mm7 \n\t" \
- "paddq %%mm2, %%mm1 \n\t" \
- "movd 4(%%edi), %%mm3 \n\t" \
- "paddq %%mm4, %%mm3 \n\t" \
- "movd 8(%%edi), %%mm5 \n\t" \
- "paddq %%mm6, %%mm5 \n\t" \
- "movd 12(%%edi), %%mm4 \n\t" \
- "paddq %%mm4, %%mm7 \n\t" \
- "movd %%mm1, (%%edi) \n\t" \
- "movd 16(%%esi), %%mm2 \n\t" \
- "pmuludq %%mm0, %%mm2 \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "movd 20(%%esi), %%mm4 \n\t" \
- "pmuludq %%mm0, %%mm4 \n\t" \
- "paddq %%mm3, %%mm1 \n\t" \
- "movd 24(%%esi), %%mm6 \n\t" \
- "pmuludq %%mm0, %%mm6 \n\t" \
- "movd %%mm1, 4(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "movd 28(%%esi), %%mm3 \n\t" \
- "pmuludq %%mm0, %%mm3 \n\t" \
- "paddq %%mm5, %%mm1 \n\t" \
- "movd 16(%%edi), %%mm5 \n\t" \
- "paddq %%mm5, %%mm2 \n\t" \
- "movd %%mm1, 8(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "paddq %%mm7, %%mm1 \n\t" \
- "movd 20(%%edi), %%mm5 \n\t" \
- "paddq %%mm5, %%mm4 \n\t" \
- "movd %%mm1, 12(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "paddq %%mm2, %%mm1 \n\t" \
- "movd 24(%%edi), %%mm5 \n\t" \
- "paddq %%mm5, %%mm6 \n\t" \
- "movd %%mm1, 16(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "paddq %%mm4, %%mm1 \n\t" \
- "movd 28(%%edi), %%mm5 \n\t" \
- "paddq %%mm5, %%mm3 \n\t" \
- "movd %%mm1, 20(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "paddq %%mm6, %%mm1 \n\t" \
- "movd %%mm1, 24(%%edi) \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "paddq %%mm3, %%mm1 \n\t" \
- "movd %%mm1, 28(%%edi) \n\t" \
- "addl $32, %%edi \n\t" \
- "addl $32, %%esi \n\t" \
- "psrlq $32, %%mm1 \n\t" \
- "movd %%mm1, %%ecx \n\t"
-
-#define MULADDC_X8_STOP \
- "emms \n\t" \
- "movl %4, %%ebx \n\t" \
- "movl %%ecx, %1 \n\t" \
- "movl %%edi, %2 \n\t" \
- "movl %%esi, %3 \n\t" \
- : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
- : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
- : "eax", "ebx", "ecx", "edx", "esi", "edi" \
- ); } \
-
-#endif /* SSE2 */
-
-#endif /* i386 */
-
-#if defined(__amd64__) || defined (__x86_64__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "xorq %%r8, %%r8\n"
-
-#define MULADDC_X1_CORE \
- "movq (%%rsi), %%rax\n" \
- "mulq %%rbx\n" \
- "addq $8, %%rsi\n" \
- "addq %%rcx, %%rax\n" \
- "movq %%r8, %%rcx\n" \
- "adcq $0, %%rdx\n" \
- "nop \n" \
- "addq %%rax, (%%rdi)\n" \
- "adcq %%rdx, %%rcx\n" \
- "addq $8, %%rdi\n"
-
-#define MULADDC_X1_STOP \
- : "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \
- : "b" (b), "m" (*(const uint64_t (*)[16]) s) \
- : "rax", "rdx", "r8" \
- );
-
-#endif /* AMD64 */
-
-// The following assembly code assumes that a pointer will fit in a 64-bit register
-// (including ILP32 __aarch64__ ABIs such as on watchOS, hence the 2^32 - 1)
-#if defined(__aarch64__) && (UINTPTR_MAX == 0xfffffffful || UINTPTR_MAX == 0xfffffffffffffffful)
-
-/*
- * There are some issues around different compilers requiring different constraint
- * syntax for updating pointers from assembly code (see notes for
- * MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT in common.h), especially on aarch64_32 (aka ILP32).
- *
- * For this reason we cast the pointers to/from uintptr_t here.
- */
-#define MULADDC_X1_INIT \
- do { uintptr_t muladdc_d = (uintptr_t) d, muladdc_s = (uintptr_t) s; asm(
-
-#define MULADDC_X1_CORE \
- "ldr x4, [%x2], #8 \n\t" \
- "ldr x5, [%x1] \n\t" \
- "mul x6, x4, %4 \n\t" \
- "umulh x7, x4, %4 \n\t" \
- "adds x5, x5, x6 \n\t" \
- "adc x7, x7, xzr \n\t" \
- "adds x5, x5, %0 \n\t" \
- "adc %0, x7, xzr \n\t" \
- "str x5, [%x1], #8 \n\t"
-
-#define MULADDC_X1_STOP \
- : "+r" (c), \
- "+r" (muladdc_d), \
- "+r" (muladdc_s), \
- "+m" (*(uint64_t (*)[16]) d) \
- : "r" (b), "m" (*(const uint64_t (*)[16]) s) \
- : "x4", "x5", "x6", "x7", "cc" \
- ); d = (mbedtls_mpi_uint *)muladdc_d; s = (mbedtls_mpi_uint *)muladdc_s; } while (0);
-
-#endif /* Aarch64 */
-
-#if defined(__mc68020__) || defined(__mcpu32__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "movl %3, %%a2 \n\t" \
- "movl %4, %%a3 \n\t" \
- "movl %5, %%d3 \n\t" \
- "movl %6, %%d2 \n\t" \
- "moveq #0, %%d0 \n\t"
-
-#define MULADDC_X1_CORE \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d4:%%d1 \n\t" \
- "addl %%d3, %%d1 \n\t" \
- "addxl %%d0, %%d4 \n\t" \
- "moveq #0, %%d3 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "addxl %%d4, %%d3 \n\t"
-
-#define MULADDC_X1_STOP \
- "movl %%d3, %0 \n\t" \
- "movl %%a3, %1 \n\t" \
- "movl %%a2, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "d0", "d1", "d2", "d3", "d4", "a2", "a3" \
- );
-
-#define MULADDC_X8_INIT MULADDC_X1_INIT
-
-#define MULADDC_X8_CORE \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d4:%%d1 \n\t" \
- "addxl %%d3, %%d1 \n\t" \
- "addxl %%d0, %%d4 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d3:%%d1 \n\t" \
- "addxl %%d4, %%d1 \n\t" \
- "addxl %%d0, %%d3 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d4:%%d1 \n\t" \
- "addxl %%d3, %%d1 \n\t" \
- "addxl %%d0, %%d4 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d3:%%d1 \n\t" \
- "addxl %%d4, %%d1 \n\t" \
- "addxl %%d0, %%d3 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d4:%%d1 \n\t" \
- "addxl %%d3, %%d1 \n\t" \
- "addxl %%d0, %%d4 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d3:%%d1 \n\t" \
- "addxl %%d4, %%d1 \n\t" \
- "addxl %%d0, %%d3 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d4:%%d1 \n\t" \
- "addxl %%d3, %%d1 \n\t" \
- "addxl %%d0, %%d4 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "movel %%a2@+, %%d1 \n\t" \
- "mulul %%d2, %%d3:%%d1 \n\t" \
- "addxl %%d4, %%d1 \n\t" \
- "addxl %%d0, %%d3 \n\t" \
- "addl %%d1, %%a3@+ \n\t" \
- "addxl %%d0, %%d3 \n\t"
-
-#define MULADDC_X8_STOP MULADDC_X1_STOP
-
-#endif /* MC68000 */
-
-#if defined(__powerpc64__) || defined(__ppc64__)
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "ld r3, %3 \n\t" \
- "ld r4, %4 \n\t" \
- "ld r5, %5 \n\t" \
- "ld r6, %6 \n\t" \
- "addi r3, r3, -8 \n\t" \
- "addi r4, r4, -8 \n\t" \
- "addic r5, r5, 0 \n\t"
-
-#define MULADDC_X1_CORE \
- "ldu r7, 8(r3) \n\t" \
- "mulld r8, r7, r6 \n\t" \
- "mulhdu r9, r7, r6 \n\t" \
- "adde r8, r8, r5 \n\t" \
- "ld r7, 8(r4) \n\t" \
- "addze r5, r9 \n\t" \
- "addc r8, r8, r7 \n\t" \
- "stdu r8, 8(r4) \n\t"
-
-#define MULADDC_X1_STOP \
- "addze r5, r5 \n\t" \
- "addi r4, r4, 8 \n\t" \
- "addi r3, r3, 8 \n\t" \
- "std r5, %0 \n\t" \
- "std r4, %1 \n\t" \
- "std r3, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
- );
-
-
-#else /* __MACH__ && __APPLE__ */
-
-#define MULADDC_X1_INIT \
- asm( \
- "ld %%r3, %3 \n\t" \
- "ld %%r4, %4 \n\t" \
- "ld %%r5, %5 \n\t" \
- "ld %%r6, %6 \n\t" \
- "addi %%r3, %%r3, -8 \n\t" \
- "addi %%r4, %%r4, -8 \n\t" \
- "addic %%r5, %%r5, 0 \n\t"
-
-#define MULADDC_X1_CORE \
- "ldu %%r7, 8(%%r3) \n\t" \
- "mulld %%r8, %%r7, %%r6 \n\t" \
- "mulhdu %%r9, %%r7, %%r6 \n\t" \
- "adde %%r8, %%r8, %%r5 \n\t" \
- "ld %%r7, 8(%%r4) \n\t" \
- "addze %%r5, %%r9 \n\t" \
- "addc %%r8, %%r8, %%r7 \n\t" \
- "stdu %%r8, 8(%%r4) \n\t"
-
-#define MULADDC_X1_STOP \
- "addze %%r5, %%r5 \n\t" \
- "addi %%r4, %%r4, 8 \n\t" \
- "addi %%r3, %%r3, 8 \n\t" \
- "std %%r5, %0 \n\t" \
- "std %%r4, %1 \n\t" \
- "std %%r3, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
- );
-
-#endif /* __MACH__ && __APPLE__ */
-
-#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32 */
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "lwz r3, %3 \n\t" \
- "lwz r4, %4 \n\t" \
- "lwz r5, %5 \n\t" \
- "lwz r6, %6 \n\t" \
- "addi r3, r3, -4 \n\t" \
- "addi r4, r4, -4 \n\t" \
- "addic r5, r5, 0 \n\t"
-
-#define MULADDC_X1_CORE \
- "lwzu r7, 4(r3) \n\t" \
- "mullw r8, r7, r6 \n\t" \
- "mulhwu r9, r7, r6 \n\t" \
- "adde r8, r8, r5 \n\t" \
- "lwz r7, 4(r4) \n\t" \
- "addze r5, r9 \n\t" \
- "addc r8, r8, r7 \n\t" \
- "stwu r8, 4(r4) \n\t"
-
-#define MULADDC_X1_STOP \
- "addze r5, r5 \n\t" \
- "addi r4, r4, 4 \n\t" \
- "addi r3, r3, 4 \n\t" \
- "stw r5, %0 \n\t" \
- "stw r4, %1 \n\t" \
- "stw r3, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
- );
-
-#else /* __MACH__ && __APPLE__ */
-
-#define MULADDC_X1_INIT \
- asm( \
- "lwz %%r3, %3 \n\t" \
- "lwz %%r4, %4 \n\t" \
- "lwz %%r5, %5 \n\t" \
- "lwz %%r6, %6 \n\t" \
- "addi %%r3, %%r3, -4 \n\t" \
- "addi %%r4, %%r4, -4 \n\t" \
- "addic %%r5, %%r5, 0 \n\t"
-
-#define MULADDC_X1_CORE \
- "lwzu %%r7, 4(%%r3) \n\t" \
- "mullw %%r8, %%r7, %%r6 \n\t" \
- "mulhwu %%r9, %%r7, %%r6 \n\t" \
- "adde %%r8, %%r8, %%r5 \n\t" \
- "lwz %%r7, 4(%%r4) \n\t" \
- "addze %%r5, %%r9 \n\t" \
- "addc %%r8, %%r8, %%r7 \n\t" \
- "stwu %%r8, 4(%%r4) \n\t"
-
-#define MULADDC_X1_STOP \
- "addze %%r5, %%r5 \n\t" \
- "addi %%r4, %%r4, 4 \n\t" \
- "addi %%r3, %%r3, 4 \n\t" \
- "stw %%r5, %0 \n\t" \
- "stw %%r4, %1 \n\t" \
- "stw %%r3, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
- );
-
-#endif /* __MACH__ && __APPLE__ */
-
-#endif /* PPC32 */
-
-/*
- * The Sparc(64) assembly is reported to be broken.
- * Disable it for now, until we're able to fix it.
- */
-#if 0 && defined(__sparc__)
-#if defined(__sparc64__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "ldx %3, %%o0 \n\t" \
- "ldx %4, %%o1 \n\t" \
- "ld %5, %%o2 \n\t" \
- "ld %6, %%o3 \n\t"
-
-#define MULADDC_X1_CORE \
- "ld [%%o0], %%o4 \n\t" \
- "inc 4, %%o0 \n\t" \
- "ld [%%o1], %%o5 \n\t" \
- "umul %%o3, %%o4, %%o4 \n\t" \
- "addcc %%o4, %%o2, %%o4 \n\t" \
- "rd %%y, %%g1 \n\t" \
- "addx %%g1, 0, %%g1 \n\t" \
- "addcc %%o4, %%o5, %%o4 \n\t" \
- "st %%o4, [%%o1] \n\t" \
- "addx %%g1, 0, %%o2 \n\t" \
- "inc 4, %%o1 \n\t"
-
-#define MULADDC_X1_STOP \
- "st %%o2, %0 \n\t" \
- "stx %%o1, %1 \n\t" \
- "stx %%o0, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "g1", "o0", "o1", "o2", "o3", "o4", \
- "o5" \
- );
-
-#else /* __sparc64__ */
-
-#define MULADDC_X1_INIT \
- asm( \
- "ld %3, %%o0 \n\t" \
- "ld %4, %%o1 \n\t" \
- "ld %5, %%o2 \n\t" \
- "ld %6, %%o3 \n\t"
-
-#define MULADDC_X1_CORE \
- "ld [%%o0], %%o4 \n\t" \
- "inc 4, %%o0 \n\t" \
- "ld [%%o1], %%o5 \n\t" \
- "umul %%o3, %%o4, %%o4 \n\t" \
- "addcc %%o4, %%o2, %%o4 \n\t" \
- "rd %%y, %%g1 \n\t" \
- "addx %%g1, 0, %%g1 \n\t" \
- "addcc %%o4, %%o5, %%o4 \n\t" \
- "st %%o4, [%%o1] \n\t" \
- "addx %%g1, 0, %%o2 \n\t" \
- "inc 4, %%o1 \n\t"
-
-#define MULADDC_X1_STOP \
- "st %%o2, %0 \n\t" \
- "st %%o1, %1 \n\t" \
- "st %%o0, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "g1", "o0", "o1", "o2", "o3", "o4", \
- "o5" \
- );
-
-#endif /* __sparc64__ */
-#endif /* __sparc__ */
-
-#if defined(__microblaze__) || defined(microblaze)
-
-#define MULADDC_X1_INIT \
- asm( \
- "lwi r3, %3 \n\t" \
- "lwi r4, %4 \n\t" \
- "lwi r5, %5 \n\t" \
- "lwi r6, %6 \n\t" \
- "andi r7, r6, 0xffff \n\t" \
- "bsrli r6, r6, 16 \n\t"
-
-#if(__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
-#define MULADDC_LHUI \
- "lhui r9, r3, 0 \n\t" \
- "addi r3, r3, 2 \n\t" \
- "lhui r8, r3, 0 \n\t"
-#else
-#define MULADDC_LHUI \
- "lhui r8, r3, 0 \n\t" \
- "addi r3, r3, 2 \n\t" \
- "lhui r9, r3, 0 \n\t"
-#endif
-
-#define MULADDC_X1_CORE \
- MULADDC_LHUI \
- "addi r3, r3, 2 \n\t" \
- "mul r10, r9, r6 \n\t" \
- "mul r11, r8, r7 \n\t" \
- "mul r12, r9, r7 \n\t" \
- "mul r13, r8, r6 \n\t" \
- "bsrli r8, r10, 16 \n\t" \
- "bsrli r9, r11, 16 \n\t" \
- "add r13, r13, r8 \n\t" \
- "add r13, r13, r9 \n\t" \
- "bslli r10, r10, 16 \n\t" \
- "bslli r11, r11, 16 \n\t" \
- "add r12, r12, r10 \n\t" \
- "addc r13, r13, r0 \n\t" \
- "add r12, r12, r11 \n\t" \
- "addc r13, r13, r0 \n\t" \
- "lwi r10, r4, 0 \n\t" \
- "add r12, r12, r10 \n\t" \
- "addc r13, r13, r0 \n\t" \
- "add r12, r12, r5 \n\t" \
- "addc r5, r13, r0 \n\t" \
- "swi r12, r4, 0 \n\t" \
- "addi r4, r4, 4 \n\t"
-
-#define MULADDC_X1_STOP \
- "swi r5, %0 \n\t" \
- "swi r4, %1 \n\t" \
- "swi r3, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4", "r5", "r6", "r7", "r8", \
- "r9", "r10", "r11", "r12", "r13" \
- );
-
-#endif /* MicroBlaze */
-
-#if defined(__tricore__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "ld.a %%a2, %3 \n\t" \
- "ld.a %%a3, %4 \n\t" \
- "ld.w %%d4, %5 \n\t" \
- "ld.w %%d1, %6 \n\t" \
- "xor %%d5, %%d5 \n\t"
-
-#define MULADDC_X1_CORE \
- "ld.w %%d0, [%%a2+] \n\t" \
- "madd.u %%e2, %%e4, %%d0, %%d1 \n\t" \
- "ld.w %%d0, [%%a3] \n\t" \
- "addx %%d2, %%d2, %%d0 \n\t" \
- "addc %%d3, %%d3, 0 \n\t" \
- "mov %%d4, %%d3 \n\t" \
- "st.w [%%a3+], %%d2 \n\t"
-
-#define MULADDC_X1_STOP \
- "st.w %0, %%d4 \n\t" \
- "st.a %1, %%a3 \n\t" \
- "st.a %2, %%a2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "d0", "d1", "e2", "d4", "a2", "a3" \
- );
-
-#endif /* TriCore */
-
-#if defined(__arm__)
-
-#if defined(__thumb__) && !defined(__thumb2__)
-#if defined(MBEDTLS_COMPILER_IS_GCC)
-/*
- * Thumb 1 ISA. This code path has only been tested successfully on gcc;
- * it does not compile on clang or armclang.
- */
-
-#if !defined(__OPTIMIZE__) && defined(__GNUC__)
-/*
- * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
- * our use of r7 below, unless -fomit-frame-pointer is passed.
- *
- * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
- * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
- * clang and armcc5 under the same conditions).
- *
- * If gcc needs to use r7, we use r1 as a scratch register and have a few extra
- * instructions to preserve/restore it; otherwise, we can use r7 and avoid
- * the preserve/restore overhead.
- */
-#define MULADDC_SCRATCH "RS .req r1 \n\t"
-#define MULADDC_PRESERVE_SCRATCH "mov r10, r1 \n\t"
-#define MULADDC_RESTORE_SCRATCH "mov r1, r10 \n\t"
-#define MULADDC_SCRATCH_CLOBBER "r10"
-#else /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
-#define MULADDC_SCRATCH "RS .req r7 \n\t"
-#define MULADDC_PRESERVE_SCRATCH ""
-#define MULADDC_RESTORE_SCRATCH ""
-#define MULADDC_SCRATCH_CLOBBER "r7"
-#endif /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
-
-#define MULADDC_X1_INIT \
- asm( \
- MULADDC_SCRATCH \
- "ldr r0, %3 \n\t" \
- "ldr r1, %4 \n\t" \
- "ldr r2, %5 \n\t" \
- "ldr r3, %6 \n\t" \
- "lsr r4, r3, #16 \n\t" \
- "mov r9, r4 \n\t" \
- "lsl r4, r3, #16 \n\t" \
- "lsr r4, r4, #16 \n\t" \
- "mov r8, r4 \n\t" \
-
-
-#define MULADDC_X1_CORE \
- MULADDC_PRESERVE_SCRATCH \
- "ldmia r0!, {r6} \n\t" \
- "lsr RS, r6, #16 \n\t" \
- "lsl r6, r6, #16 \n\t" \
- "lsr r6, r6, #16 \n\t" \
- "mov r4, r8 \n\t" \
- "mul r4, r6 \n\t" \
- "mov r3, r9 \n\t" \
- "mul r6, r3 \n\t" \
- "mov r5, r9 \n\t" \
- "mul r5, RS \n\t" \
- "mov r3, r8 \n\t" \
- "mul RS, r3 \n\t" \
- "lsr r3, r6, #16 \n\t" \
- "add r5, r5, r3 \n\t" \
- "lsr r3, RS, #16 \n\t" \
- "add r5, r5, r3 \n\t" \
- "add r4, r4, r2 \n\t" \
- "mov r2, #0 \n\t" \
- "adc r5, r2 \n\t" \
- "lsl r3, r6, #16 \n\t" \
- "add r4, r4, r3 \n\t" \
- "adc r5, r2 \n\t" \
- "lsl r3, RS, #16 \n\t" \
- "add r4, r4, r3 \n\t" \
- "adc r5, r2 \n\t" \
- MULADDC_RESTORE_SCRATCH \
- "ldr r3, [r1] \n\t" \
- "add r4, r4, r3 \n\t" \
- "adc r2, r5 \n\t" \
- "stmia r1!, {r4} \n\t"
-
-#define MULADDC_X1_STOP \
- "str r2, %0 \n\t" \
- "str r1, %1 \n\t" \
- "str r0, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r0", "r1", "r2", "r3", "r4", "r5", \
- "r6", MULADDC_SCRATCH_CLOBBER, "r8", "r9", "cc" \
- );
-#endif /* !defined(__ARMCC_VERSION) && !defined(__clang__) */
-
-#elif (__ARM_ARCH >= 6) && \
- defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
-/* Armv6-M (or later) with DSP Instruction Set Extensions.
- * Requires support for either Thumb 2 or Arm ISA.
- */
-
-#define MULADDC_X1_INIT \
- { \
- mbedtls_mpi_uint tmp_a, tmp_b; \
- asm volatile (
-
-#define MULADDC_X1_CORE \
- ".p2align 2 \n\t" \
- "ldr %[a], [%[in]], #4 \n\t" \
- "ldr %[b], [%[acc]] \n\t" \
- "umaal %[b], %[carry], %[scalar], %[a] \n\t" \
- "str %[b], [%[acc]], #4 \n\t"
-
-#define MULADDC_X1_STOP \
- : [a] "=&r" (tmp_a), \
- [b] "=&r" (tmp_b), \
- [in] "+r" (s), \
- [acc] "+r" (d), \
- [carry] "+l" (c) \
- : [scalar] "r" (b) \
- : "memory" \
- ); \
- }
-
-#define MULADDC_X2_INIT \
- { \
- mbedtls_mpi_uint tmp_a0, tmp_b0; \
- mbedtls_mpi_uint tmp_a1, tmp_b1; \
- asm volatile (
-
- /* - Make sure loop is 4-byte aligned to avoid stalls
- * upon repeated non-word aligned instructions in
- * some microarchitectures.
- * - Don't use ldm with post-increment or back-to-back
- * loads with post-increment and same address register
- * to avoid stalls on some microarchitectures.
- * - Bunch loads and stores to reduce latency on some
- * microarchitectures. E.g., on Cortex-M4, the first
- * in a series of load/store operations has latency
- * 2 cycles, while subsequent loads/stores are single-cycle. */
-#define MULADDC_X2_CORE \
- ".p2align 2 \n\t" \
- "ldr %[a0], [%[in]], #+8 \n\t" \
- "ldr %[b0], [%[acc]], #+8 \n\t" \
- "ldr %[a1], [%[in], #-4] \n\t" \
- "ldr %[b1], [%[acc], #-4] \n\t" \
- "umaal %[b0], %[carry], %[scalar], %[a0] \n\t" \
- "umaal %[b1], %[carry], %[scalar], %[a1] \n\t" \
- "str %[b0], [%[acc], #-8] \n\t" \
- "str %[b1], [%[acc], #-4] \n\t"
-
-#define MULADDC_X2_STOP \
- : [a0] "=&r" (tmp_a0), \
- [b0] "=&r" (tmp_b0), \
- [a1] "=&r" (tmp_a1), \
- [b1] "=&r" (tmp_b1), \
- [in] "+r" (s), \
- [acc] "+r" (d), \
- [carry] "+l" (c) \
- : [scalar] "r" (b) \
- : "memory" \
- ); \
- }
-
-#else /* Thumb 2 or Arm ISA, without DSP extensions */
-
-#define MULADDC_X1_INIT \
- asm( \
- "ldr r0, %3 \n\t" \
- "ldr r1, %4 \n\t" \
- "ldr r2, %5 \n\t" \
- "ldr r3, %6 \n\t"
-
-#define MULADDC_X1_CORE \
- "ldr r4, [r0], #4 \n\t" \
- "mov r5, #0 \n\t" \
- "ldr r6, [r1] \n\t" \
- "umlal r2, r5, r3, r4 \n\t" \
- "adds r4, r6, r2 \n\t" \
- "adc r2, r5, #0 \n\t" \
- "str r4, [r1], #4 \n\t"
-
-#define MULADDC_X1_STOP \
- "str r2, %0 \n\t" \
- "str r1, %1 \n\t" \
- "str r0, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r0", "r1", "r2", "r3", "r4", "r5", \
- "r6", "cc" \
- );
-
-#endif /* ISA codepath selection */
-
-#endif /* defined(__arm__) */
-
-#if defined(__alpha__)
-
-#define MULADDC_X1_INIT \
- asm( \
- "ldq $1, %3 \n\t" \
- "ldq $2, %4 \n\t" \
- "ldq $3, %5 \n\t" \
- "ldq $4, %6 \n\t"
-
-#define MULADDC_X1_CORE \
- "ldq $6, 0($1) \n\t" \
- "addq $1, 8, $1 \n\t" \
- "mulq $6, $4, $7 \n\t" \
- "umulh $6, $4, $6 \n\t" \
- "addq $7, $3, $7 \n\t" \
- "cmpult $7, $3, $3 \n\t" \
- "ldq $5, 0($2) \n\t" \
- "addq $7, $5, $7 \n\t" \
- "cmpult $7, $5, $5 \n\t" \
- "stq $7, 0($2) \n\t" \
- "addq $2, 8, $2 \n\t" \
- "addq $6, $3, $3 \n\t" \
- "addq $5, $3, $3 \n\t"
-
-#define MULADDC_X1_STOP \
- "stq $3, %0 \n\t" \
- "stq $2, %1 \n\t" \
- "stq $1, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "$1", "$2", "$3", "$4", "$5", "$6", "$7" \
- );
-#endif /* Alpha */
-
-#if defined(__mips__) && !defined(__mips64)
-
-#define MULADDC_X1_INIT \
- asm( \
- "lw $10, %3 \n\t" \
- "lw $11, %4 \n\t" \
- "lw $12, %5 \n\t" \
- "lw $13, %6 \n\t"
-
-#define MULADDC_X1_CORE \
- "lw $14, 0($10) \n\t" \
- "multu $13, $14 \n\t" \
- "addi $10, $10, 4 \n\t" \
- "mflo $14 \n\t" \
- "mfhi $9 \n\t" \
- "addu $14, $12, $14 \n\t" \
- "lw $15, 0($11) \n\t" \
- "sltu $12, $14, $12 \n\t" \
- "addu $15, $14, $15 \n\t" \
- "sltu $14, $15, $14 \n\t" \
- "addu $12, $12, $9 \n\t" \
- "sw $15, 0($11) \n\t" \
- "addu $12, $12, $14 \n\t" \
- "addi $11, $11, 4 \n\t"
-
-#define MULADDC_X1_STOP \
- "sw $12, %0 \n\t" \
- "sw $11, %1 \n\t" \
- "sw $10, %2 \n\t" \
- : "=m" (c), "=m" (d), "=m" (s) \
- : "m" (s), "m" (d), "m" (c), "m" (b) \
- : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
- );
-
-#endif /* MIPS */
-#endif /* GNUC */
-
-#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
-
-#define MULADDC_X1_INIT \
- __asm mov esi, s \
- __asm mov edi, d \
- __asm mov ecx, c \
- __asm mov ebx, b
-
-#define MULADDC_X1_CORE \
- __asm lodsd \
- __asm mul ebx \
- __asm add eax, ecx \
- __asm adc edx, 0 \
- __asm add eax, [edi] \
- __asm adc edx, 0 \
- __asm mov ecx, edx \
- __asm stosd
-
-#define MULADDC_X1_STOP \
- __asm mov c, ecx \
- __asm mov d, edi \
- __asm mov s, esi
-
-#if defined(MBEDTLS_HAVE_SSE2)
-
-#define EMIT __asm _emit
-
-#define MULADDC_X8_INIT MULADDC_X1_INIT
-
-#define MULADDC_X8_CORE \
- EMIT 0x0F EMIT 0x6E EMIT 0xC9 \
- EMIT 0x0F EMIT 0x6E EMIT 0xC3 \
- EMIT 0x0F EMIT 0x6E EMIT 0x1F \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
- EMIT 0x0F EMIT 0x6E EMIT 0x16 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
- EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x04 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
- EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x08 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
- EMIT 0x0F EMIT 0x6E EMIT 0x7E EMIT 0x0C \
- EMIT 0x0F EMIT 0xF4 EMIT 0xF8 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
- EMIT 0x0F EMIT 0x6E EMIT 0x5F EMIT 0x04 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xDC \
- EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x08 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xEE \
- EMIT 0x0F EMIT 0x6E EMIT 0x67 EMIT 0x0C \
- EMIT 0x0F EMIT 0xD4 EMIT 0xFC \
- EMIT 0x0F EMIT 0x7E EMIT 0x0F \
- EMIT 0x0F EMIT 0x6E EMIT 0x56 EMIT 0x10 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x14 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
- EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x18 \
- EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x04 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0x6E EMIT 0x5E EMIT 0x1C \
- EMIT 0x0F EMIT 0xF4 EMIT 0xD8 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCD \
- EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x10 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xD5 \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x08 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCF \
- EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x14 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xE5 \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x0C \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
- EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x18 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xF5 \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x10 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCC \
- EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x1C \
- EMIT 0x0F EMIT 0xD4 EMIT 0xDD \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x14 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCE \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x18 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
- EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x1C \
- EMIT 0x83 EMIT 0xC7 EMIT 0x20 \
- EMIT 0x83 EMIT 0xC6 EMIT 0x20 \
- EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
- EMIT 0x0F EMIT 0x7E EMIT 0xC9
-
-#define MULADDC_X8_STOP \
- EMIT 0x0F EMIT 0x77 \
- __asm mov c, ecx \
- __asm mov d, edi \
- __asm mov s, esi
-
-#endif /* SSE2 */
-#endif /* MSVC */
-
-#endif /* MBEDTLS_HAVE_ASM */
-
-#if !defined(MULADDC_X1_CORE)
-#if defined(MBEDTLS_HAVE_UDBL)
-
-#define MULADDC_X1_INIT \
-{ \
- mbedtls_t_udbl r; \
- mbedtls_mpi_uint r0, r1;
-
-#define MULADDC_X1_CORE \
- r = *(s++) * (mbedtls_t_udbl) b; \
- r0 = (mbedtls_mpi_uint) r; \
- r1 = (mbedtls_mpi_uint)( r >> biL ); \
- r0 += c; r1 += (r0 < c); \
- r0 += *d; r1 += (r0 < *d); \
- c = r1; *(d++) = r0;
-
-#define MULADDC_X1_STOP \
-}
-
-#else /* MBEDTLS_HAVE_UDBL */
-
-#define MULADDC_X1_INIT \
-{ \
- mbedtls_mpi_uint s0, s1, b0, b1; \
- mbedtls_mpi_uint r0, r1, rx, ry; \
- b0 = ( b << biH ) >> biH; \
- b1 = ( b >> biH );
-
-#define MULADDC_X1_CORE \
- s0 = ( *s << biH ) >> biH; \
- s1 = ( *s >> biH ); s++; \
- rx = s0 * b1; r0 = s0 * b0; \
- ry = s1 * b0; r1 = s1 * b1; \
- r1 += ( rx >> biH ); \
- r1 += ( ry >> biH ); \
- rx <<= biH; ry <<= biH; \
- r0 += rx; r1 += (r0 < rx); \
- r0 += ry; r1 += (r0 < ry); \
- r0 += c; r1 += (r0 < c); \
- r0 += *d; r1 += (r0 < *d); \
- c = r1; *(d++) = r0;
-
-#define MULADDC_X1_STOP \
-}
-
-#endif /* C (longlong) */
-#endif /* C (generic) */
-
-#if !defined(MULADDC_X2_CORE)
-#define MULADDC_X2_INIT MULADDC_X1_INIT
-#define MULADDC_X2_STOP MULADDC_X1_STOP
-#define MULADDC_X2_CORE MULADDC_X1_CORE MULADDC_X1_CORE
-#endif /* MULADDC_X2_CORE */
-
-#if !defined(MULADDC_X4_CORE)
-#define MULADDC_X4_INIT MULADDC_X2_INIT
-#define MULADDC_X4_STOP MULADDC_X2_STOP
-#define MULADDC_X4_CORE MULADDC_X2_CORE MULADDC_X2_CORE
-#endif /* MULADDC_X4_CORE */
-
-#if !defined(MULADDC_X8_CORE)
-#define MULADDC_X8_INIT MULADDC_X4_INIT
-#define MULADDC_X8_STOP MULADDC_X4_STOP
-#define MULADDC_X8_CORE MULADDC_X4_CORE MULADDC_X4_CORE
-#endif /* MULADDC_X8_CORE */
-
-/* *INDENT-ON* */
-#endif /* bn_mul.h */
diff --git a/library/camellia.c b/library/camellia.c
deleted file mode 100644
index 409727d..0000000
--- a/library/camellia.c
+++ /dev/null
@@ -1,1056 +0,0 @@
-/*
- * Camellia implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The Camellia block cipher was designed by NTT and Mitsubishi Electric
- * Corporation.
- *
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CAMELLIA_C)
-
-#include "mbedtls/camellia.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_CAMELLIA_ALT)
-
-static const unsigned char SIGMA_CHARS[6][8] =
-{
- { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
- { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
- { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
- { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
- { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
- { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
-};
-
-#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
-
-static const unsigned char FSb[256] =
-{
- 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
- 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
- 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
- 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
- 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
- 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
- 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
- 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
- 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
- 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
- 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
- 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
- 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
- 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
- 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
- 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
-};
-
-#define SBOX1(n) FSb[(n)]
-#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
-#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
-#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
-
-#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
-
-static const unsigned char FSb[256] =
-{
- 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
- 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
- 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
- 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
- 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
- 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
- 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
- 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
- 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
- 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
- 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
- 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
- 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
- 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
- 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
- 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
-};
-
-static const unsigned char FSb2[256] =
-{
- 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
- 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
- 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
- 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
- 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
- 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
- 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
- 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
- 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
- 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
- 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
- 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
- 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
- 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
- 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
- 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
-};
-
-static const unsigned char FSb3[256] =
-{
- 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
- 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
- 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
- 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
- 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
- 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
- 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
- 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
- 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
- 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
- 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
- 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
- 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
- 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
- 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
- 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
-};
-
-static const unsigned char FSb4[256] =
-{
- 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
- 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
- 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
- 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
- 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
- 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
- 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
- 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
- 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
- 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
- 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
- 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
- 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
- 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
- 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
- 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
-};
-
-#define SBOX1(n) FSb[(n)]
-#define SBOX2(n) FSb2[(n)]
-#define SBOX3(n) FSb3[(n)]
-#define SBOX4(n) FSb4[(n)]
-
-#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
-
-static const unsigned char shifts[2][4][4] =
-{
- {
- { 1, 1, 1, 1 }, /* KL */
- { 0, 0, 0, 0 }, /* KR */
- { 1, 1, 1, 1 }, /* KA */
- { 0, 0, 0, 0 } /* KB */
- },
- {
- { 1, 0, 1, 1 }, /* KL */
- { 1, 1, 0, 1 }, /* KR */
- { 1, 1, 1, 0 }, /* KA */
- { 1, 1, 0, 1 } /* KB */
- }
-};
-
-static const signed char indexes[2][4][20] =
-{
- {
- { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
- 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
- { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
- { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
- 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
- { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
- },
- {
- { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
- -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
- { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
- 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
- { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
- 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
- { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
- 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
- }
-};
-
-static const signed char transposes[2][20] =
-{
- {
- 21, 22, 23, 20,
- -1, -1, -1, -1,
- 18, 19, 16, 17,
- 11, 8, 9, 10,
- 15, 12, 13, 14
- },
- {
- 25, 26, 27, 24,
- 29, 30, 31, 28,
- 18, 19, 16, 17,
- -1, -1, -1, -1,
- -1, -1, -1, -1
- }
-};
-
-/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
-#define ROTL(DEST, SRC, SHIFT) \
- { \
- (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
- (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
- (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
- (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
- }
-
-#define FL(XL, XR, KL, KR) \
- { \
- (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
- (XL) = ((XR) | (KR)) ^ (XL); \
- }
-
-#define FLInv(YL, YR, KL, KR) \
- { \
- (YL) = ((YR) | (KR)) ^ (YL); \
- (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
- }
-
-#define SHIFT_AND_PLACE(INDEX, OFFSET) \
- { \
- TK[0] = KC[(OFFSET) * 4 + 0]; \
- TK[1] = KC[(OFFSET) * 4 + 1]; \
- TK[2] = KC[(OFFSET) * 4 + 2]; \
- TK[3] = KC[(OFFSET) * 4 + 3]; \
- \
- for (i = 1; i <= 4; i++) \
- if (shifts[(INDEX)][(OFFSET)][i -1]) \
- ROTL(TK + i * 4, TK, (15 * i) % 32); \
- \
- for (i = 0; i < 20; i++) \
- if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
- RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
- } \
- }
-
-static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
- uint32_t z[2])
-{
- uint32_t I0, I1;
- I0 = x[0] ^ k[0];
- I1 = x[1] ^ k[1];
-
- I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
- ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
- ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
- ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
- I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
- ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
- ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
- ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
-
- I0 ^= (I1 << 8) | (I1 >> 24);
- I1 ^= (I0 << 16) | (I0 >> 16);
- I0 ^= (I1 >> 8) | (I1 << 24);
- I1 ^= (I0 >> 8) | (I0 << 24);
-
- z[0] ^= I1;
- z[1] ^= I0;
-}
-
-void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_camellia_context));
-}
-
-void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
-}
-
-/*
- * Camellia key schedule (encryption)
- */
-int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
- const unsigned char *key,
- unsigned int keybits)
-{
- int idx;
- size_t i;
- uint32_t *RK;
- unsigned char t[64];
- uint32_t SIGMA[6][2];
- uint32_t KC[16];
- uint32_t TK[20];
-
- RK = ctx->rk;
-
- memset(t, 0, 64);
- memset(RK, 0, sizeof(ctx->rk));
-
- switch (keybits) {
- case 128: ctx->nr = 3; idx = 0; break;
- case 192:
- case 256: ctx->nr = 4; idx = 1; break;
- default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- for (i = 0; i < keybits / 8; ++i) {
- t[i] = key[i];
- }
-
- if (keybits == 192) {
- for (i = 0; i < 8; i++) {
- t[24 + i] = ~t[16 + i];
- }
- }
-
- /*
- * Prepare SIGMA values
- */
- for (i = 0; i < 6; i++) {
- SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
- SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
- }
-
- /*
- * Key storage in KC
- * Order: KL, KR, KA, KB
- */
- memset(KC, 0, sizeof(KC));
-
- /* Store KL, KR */
- for (i = 0; i < 8; i++) {
- KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
- }
-
- /* Generate KA */
- for (i = 0; i < 4; ++i) {
- KC[8 + i] = KC[i] ^ KC[4 + i];
- }
-
- camellia_feistel(KC + 8, SIGMA[0], KC + 10);
- camellia_feistel(KC + 10, SIGMA[1], KC + 8);
-
- for (i = 0; i < 4; ++i) {
- KC[8 + i] ^= KC[i];
- }
-
- camellia_feistel(KC + 8, SIGMA[2], KC + 10);
- camellia_feistel(KC + 10, SIGMA[3], KC + 8);
-
- if (keybits > 128) {
- /* Generate KB */
- for (i = 0; i < 4; ++i) {
- KC[12 + i] = KC[4 + i] ^ KC[8 + i];
- }
-
- camellia_feistel(KC + 12, SIGMA[4], KC + 14);
- camellia_feistel(KC + 14, SIGMA[5], KC + 12);
- }
-
- /*
- * Generating subkeys
- */
-
- /* Manipulating KL */
- SHIFT_AND_PLACE(idx, 0);
-
- /* Manipulating KR */
- if (keybits > 128) {
- SHIFT_AND_PLACE(idx, 1);
- }
-
- /* Manipulating KA */
- SHIFT_AND_PLACE(idx, 2);
-
- /* Manipulating KB */
- if (keybits > 128) {
- SHIFT_AND_PLACE(idx, 3);
- }
-
- /* Do transpositions */
- for (i = 0; i < 20; i++) {
- if (transposes[idx][i] != -1) {
- RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
- }
- }
-
- return 0;
-}
-
-/*
- * Camellia key schedule (decryption)
- */
-int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
- const unsigned char *key,
- unsigned int keybits)
-{
- int idx, ret;
- size_t i;
- mbedtls_camellia_context cty;
- uint32_t *RK;
- uint32_t *SK;
-
- mbedtls_camellia_init(&cty);
-
- /* Also checks keybits */
- if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
- goto exit;
- }
-
- ctx->nr = cty.nr;
- idx = (ctx->nr == 4);
-
- RK = ctx->rk;
- SK = cty.rk + 24 * 2 + 8 * idx * 2;
-
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
-
- for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
- *RK++ = *SK++;
- *RK++ = *SK++;
- }
-
- SK -= 2;
-
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
- *RK++ = *SK++;
-
-exit:
- mbedtls_camellia_free(&cty);
-
- return ret;
-}
-
-/*
- * Camellia-ECB block encryption/decryption
- */
-int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- int NR;
- uint32_t *RK, X[4];
- if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
- return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- ((void) mode);
-
- NR = ctx->nr;
- RK = ctx->rk;
-
- X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
- X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
- X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
- X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
-
- X[0] ^= *RK++;
- X[1] ^= *RK++;
- X[2] ^= *RK++;
- X[3] ^= *RK++;
-
- while (NR) {
- --NR;
- camellia_feistel(X, RK, X + 2);
- RK += 2;
- camellia_feistel(X + 2, RK, X);
- RK += 2;
- camellia_feistel(X, RK, X + 2);
- RK += 2;
- camellia_feistel(X + 2, RK, X);
- RK += 2;
- camellia_feistel(X, RK, X + 2);
- RK += 2;
- camellia_feistel(X + 2, RK, X);
- RK += 2;
-
- if (NR) {
- FL(X[0], X[1], RK[0], RK[1]);
- RK += 2;
- FLInv(X[2], X[3], RK[0], RK[1]);
- RK += 2;
- }
- }
-
- X[2] ^= *RK++;
- X[3] ^= *RK++;
- X[0] ^= *RK++;
- X[1] ^= *RK++;
-
- MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
- MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
- MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
- MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
-
- return 0;
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/*
- * Camellia-CBC buffer encryption/decryption
- */
-int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- unsigned char temp[16];
- if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
- return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- if (length % 16) {
- return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
- }
-
- if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
- while (length > 0) {
- memcpy(temp, input, 16);
- mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
-
- mbedtls_xor(output, output, iv, 16);
-
- memcpy(iv, temp, 16);
-
- input += 16;
- output += 16;
- length -= 16;
- }
- } else {
- while (length > 0) {
- mbedtls_xor(output, input, iv, 16);
-
- mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
- memcpy(iv, output, 16);
-
- input += 16;
- output += 16;
- length -= 16;
- }
- }
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/*
- * Camellia-CFB128 buffer encryption/decryption
- */
-int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
- int mode,
- size_t length,
- size_t *iv_off,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int c;
- size_t n;
- if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
- return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- n = *iv_off;
- if (n >= 16) {
- return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
- while (length--) {
- if (n == 0) {
- mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
- }
-
- c = *input++;
- *output++ = (unsigned char) (c ^ iv[n]);
- iv[n] = (unsigned char) c;
-
- n = (n + 1) & 0x0F;
- }
- } else {
- while (length--) {
- if (n == 0) {
- mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
- }
-
- iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
-
- n = (n + 1) & 0x0F;
- }
- }
-
- *iv_off = n;
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/*
- * Camellia-CTR buffer encryption/decryption
- */
-int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
- size_t length,
- size_t *nc_off,
- unsigned char nonce_counter[16],
- unsigned char stream_block[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int c, i;
- size_t n;
-
- n = *nc_off;
- if (n >= 16) {
- return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
- }
-
- while (length--) {
- if (n == 0) {
- mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
- stream_block);
-
- for (i = 16; i > 0; i--) {
- if (++nonce_counter[i - 1] != 0) {
- break;
- }
- }
- }
- c = *input++;
- *output++ = (unsigned char) (c ^ stream_block[n]);
-
- n = (n + 1) & 0x0F;
- }
-
- *nc_off = n;
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-#endif /* !MBEDTLS_CAMELLIA_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/*
- * Camellia test vectors from:
- *
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
- * (For each bitlength: Key 0, Nr 39)
- */
-#define CAMELLIA_TESTS_ECB 2
-
-static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
-{
- {
- { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
- 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
- },
- {
- { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
- 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
- },
- {
- { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
- 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
- },
-};
-
-static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
-{
- { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
- 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
- { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-};
-
-static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
-{
- {
- { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
- 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
- { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
- 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
- },
- {
- { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
- 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
- { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
- 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
- },
- {
- { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
- 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
- { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
- 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
- }
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-#define CAMELLIA_TESTS_CBC 3
-
-static const unsigned char camellia_test_cbc_key[3][32] =
-{
- { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
- 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
- ,
- { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
- 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
- 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
- ,
- { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
- 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
- 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
- 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-};
-
-static const unsigned char camellia_test_cbc_iv[16] =
-
-{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
-;
-
-static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
-{
- { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
- 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
- { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
- 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
- { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
- 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
-
-};
-
-static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
-{
- {
- { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
- 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
- { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
- 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
- { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
- 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
- },
- {
- { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
- 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
- { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
- 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
- { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
- 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
- },
- {
- { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
- 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
- { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
- 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
- { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
- 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
- }
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/*
- * Camellia-CTR test vectors from:
- *
- * http://www.faqs.org/rfcs/rfc5528.html
- */
-
-static const unsigned char camellia_test_ctr_key[3][16] =
-{
- { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
- 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
- { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
- 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
- { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
- 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
-};
-
-static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
-{
- { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
- { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
- 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
- { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
- 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
-};
-
-static const unsigned char camellia_test_ctr_pt[3][48] =
-{
- { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
- 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
-
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
-
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
- 0x20, 0x21, 0x22, 0x23 }
-};
-
-static const unsigned char camellia_test_ctr_ct[3][48] =
-{
- { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
- 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
- { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
- 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
- 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
- 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
- { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
- 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
- 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
- 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
- 0xDF, 0x50, 0x86, 0x96 }
-};
-
-static const int camellia_test_ctr_len[3] =
-{ 16, 32, 36 };
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-/*
- * Checkup routine
- */
-int mbedtls_camellia_self_test(int verbose)
-{
- int i, j, u, v;
- unsigned char key[32];
- unsigned char buf[64];
- unsigned char src[16];
- unsigned char dst[16];
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- unsigned char iv[16];
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- size_t offset, len;
- unsigned char nonce_counter[16];
- unsigned char stream_block[16];
-#endif
- int ret = 1;
-
- mbedtls_camellia_context ctx;
-
- mbedtls_camellia_init(&ctx);
- memset(key, 0, 32);
-
- for (j = 0; j < 6; j++) {
- u = j >> 1;
- v = j & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
- (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
- }
-
- for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
- memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
-
- if (v == MBEDTLS_CAMELLIA_DECRYPT) {
- mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
- memcpy(src, camellia_test_ecb_cipher[u][i], 16);
- memcpy(dst, camellia_test_ecb_plain[i], 16);
- } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
- mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
- memcpy(src, camellia_test_ecb_plain[i], 16);
- memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
- }
-
- mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
-
- if (memcmp(buf, dst, 16) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- /*
- * CBC mode
- */
- for (j = 0; j < 6; j++) {
- u = j >> 1;
- v = j & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
- (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(src, camellia_test_cbc_iv, 16);
- memcpy(dst, camellia_test_cbc_iv, 16);
- memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
-
- if (v == MBEDTLS_CAMELLIA_DECRYPT) {
- mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
- } else {
- mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
- }
-
- for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
-
- if (v == MBEDTLS_CAMELLIA_DECRYPT) {
- memcpy(iv, src, 16);
- memcpy(src, camellia_test_cbc_cipher[u][i], 16);
- memcpy(dst, camellia_test_cbc_plain[i], 16);
- } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
- memcpy(iv, dst, 16);
- memcpy(src, camellia_test_cbc_plain[i], 16);
- memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
- }
-
- mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
-
- if (memcmp(buf, dst, 16) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- /*
- * CTR mode
- */
- for (i = 0; i < 6; i++) {
- u = i >> 1;
- v = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
- (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
- memcpy(key, camellia_test_ctr_key[u], 16);
-
- offset = 0;
- mbedtls_camellia_setkey_enc(&ctx, key, 128);
-
- if (v == MBEDTLS_CAMELLIA_DECRYPT) {
- len = camellia_test_ctr_len[u];
- memcpy(buf, camellia_test_ctr_ct[u], len);
-
- mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
- buf, buf);
-
- if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
- } else {
- len = camellia_test_ctr_len[u];
- memcpy(buf, camellia_test_ctr_pt[u], len);
-
- mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
- buf, buf);
-
- if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
- ret = 0;
-
-exit:
- mbedtls_camellia_free(&ctx);
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/library/ccm.c b/library/ccm.c
deleted file mode 100644
index 237ef9f..0000000
--- a/library/ccm.c
+++ /dev/null
@@ -1,724 +0,0 @@
-/*
- * NIST SP800-38C compliant CCM implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Definition of CCM:
- * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
- * RFC 3610 "Counter with CBC-MAC (CCM)"
- *
- * Related:
- * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CCM_C)
-
-#include "mbedtls/ccm.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-#endif /* MBEDTLS_PLATFORM_C */
-
-#if !defined(MBEDTLS_CCM_ALT)
-
-
-/*
- * Initialize context
- */
-void mbedtls_ccm_init(mbedtls_ccm_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_ccm_context));
-}
-
-int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_cipher_info_t *cipher_info;
-
- cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
- MBEDTLS_MODE_ECB);
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- mbedtls_cipher_free(&ctx->cipher_ctx);
-
- if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
- MBEDTLS_ENCRYPT)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Free context
- */
-void mbedtls_ccm_free(mbedtls_ccm_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
- mbedtls_cipher_free(&ctx->cipher_ctx);
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ccm_context));
-}
-
-#define CCM_STATE__CLEAR 0
-#define CCM_STATE__STARTED (1 << 0)
-#define CCM_STATE__LENGTHS_SET (1 << 1)
-#define CCM_STATE__AUTH_DATA_STARTED (1 << 2)
-#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3)
-#define CCM_STATE__ERROR (1 << 4)
-
-/*
- * Encrypt or decrypt a partial block with CTR
- */
-static int mbedtls_ccm_crypt(mbedtls_ccm_context *ctx,
- size_t offset, size_t use_len,
- const unsigned char *input,
- unsigned char *output)
-{
- size_t olen = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char tmp_buf[16] = { 0 };
-
- if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf,
- &olen)) != 0) {
- ctx->state |= CCM_STATE__ERROR;
- mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
- return ret;
- }
-
- mbedtls_xor(output, input, tmp_buf + offset, use_len);
-
- mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
- return ret;
-}
-
-static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx)
-{
- ctx->state = CCM_STATE__CLEAR;
- memset(ctx->y, 0, 16);
- memset(ctx->ctr, 0, 16);
-}
-
-static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char i;
- size_t len_left, olen;
-
- /* length calculation can be done only after both
- * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
- */
- if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) {
- return 0;
- }
-
- /* CCM expects non-empty tag.
- * CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
- */
- if (ctx->tag_len == 0) {
- if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
- ctx->plaintext_len = 0;
- } else {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
- }
-
- /*
- * First block:
- * 0 .. 0 flags
- * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts()
- * iv_len+1 .. 15 length
- *
- * With flags as (bits):
- * 7 0
- * 6 add present?
- * 5 .. 3 (t - 2) / 2
- * 2 .. 0 q - 1
- */
- ctx->y[0] |= (ctx->add_len > 0) << 6;
- ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3;
- ctx->y[0] |= ctx->q - 1;
-
- for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) {
- ctx->y[15-i] = MBEDTLS_BYTE_0(len_left);
- }
-
- if (len_left > 0) {
- ctx->state |= CCM_STATE__ERROR;
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- /* Start CBC-MAC with first block*/
- if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
- ctx->state |= CCM_STATE__ERROR;
- return ret;
- }
-
- return 0;
-}
-
-int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
- int mode,
- const unsigned char *iv,
- size_t iv_len)
-{
- /* Also implies q is within bounds */
- if (iv_len < 7 || iv_len > 13) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- ctx->mode = mode;
- ctx->q = 16 - 1 - (unsigned char) iv_len;
-
- /*
- * Prepare counter block for encryption:
- * 0 .. 0 flags
- * 1 .. iv_len nonce (aka iv)
- * iv_len+1 .. 15 counter (initially 1)
- *
- * With flags as (bits):
- * 7 .. 3 0
- * 2 .. 0 q - 1
- */
- memset(ctx->ctr, 0, 16);
- ctx->ctr[0] = ctx->q - 1;
- memcpy(ctx->ctr + 1, iv, iv_len);
- memset(ctx->ctr + 1 + iv_len, 0, ctx->q);
- ctx->ctr[15] = 1;
-
- /*
- * See ccm_calculate_first_block_if_ready() for block layout description
- */
- memcpy(ctx->y + 1, iv, iv_len);
-
- ctx->state |= CCM_STATE__STARTED;
- return ccm_calculate_first_block_if_ready(ctx);
-}
-
-int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
- size_t total_ad_len,
- size_t plaintext_len,
- size_t tag_len)
-{
- /*
- * Check length requirements: SP800-38C A.1
- * Additional requirement: a < 2^16 - 2^8 to simplify the code.
- * 'length' checked later (when writing it to the first block)
- *
- * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
- */
- if (tag_len == 2 || tag_len > 16 || tag_len % 2 != 0) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (total_ad_len >= 0xFF00) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- ctx->plaintext_len = plaintext_len;
- ctx->add_len = total_ad_len;
- ctx->tag_len = tag_len;
- ctx->processed = 0;
-
- ctx->state |= CCM_STATE__LENGTHS_SET;
- return ccm_calculate_first_block_if_ready(ctx);
-}
-
-int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
- const unsigned char *add,
- size_t add_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen, use_len, offset;
-
- if (ctx->state & CCM_STATE__ERROR) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (add_len > 0) {
- if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) {
- if (add_len > ctx->add_len) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF);
- ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF);
-
- ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
- } else if (ctx->processed + add_len > ctx->add_len) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- while (add_len > 0) {
- offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
- * holding total auth data length */
- use_len = 16 - offset;
-
- if (use_len > add_len) {
- use_len = add_len;
- }
-
- mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len);
-
- ctx->processed += use_len;
- add_len -= use_len;
- add += use_len;
-
- if (use_len + offset == 16 || ctx->processed == ctx->add_len) {
- if ((ret =
- mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
- ctx->state |= CCM_STATE__ERROR;
- return ret;
- }
- }
- }
-
- if (ctx->processed == ctx->add_len) {
- ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
- ctx->processed = 0; // prepare for mbedtls_ccm_update()
- }
- }
-
- return 0;
-}
-
-int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
- const unsigned char *input, size_t input_len,
- unsigned char *output, size_t output_size,
- size_t *output_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char i;
- size_t use_len, offset, olen;
-
- unsigned char local_output[16];
-
- if (ctx->state & CCM_STATE__ERROR) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- /* Check against plaintext length only if performing operation with
- * authentication
- */
- if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (output_size < input_len) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
- *output_len = input_len;
-
- ret = 0;
-
- while (input_len > 0) {
- offset = ctx->processed % 16;
-
- use_len = 16 - offset;
-
- if (use_len > input_len) {
- use_len = input_len;
- }
-
- ctx->processed += use_len;
-
- if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \
- ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) {
- mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len);
-
- if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
- if ((ret =
- mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
- ctx->state |= CCM_STATE__ERROR;
- goto exit;
- }
- }
-
- ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, output);
- if (ret != 0) {
- goto exit;
- }
- }
-
- if (ctx->mode == MBEDTLS_CCM_DECRYPT || \
- ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
- /* Since output may be in shared memory, we cannot be sure that
- * it will contain what we wrote to it. Therefore, we should avoid using
- * it as input to any operations.
- * Write decrypted data to local_output to avoid using output variable as
- * input in the XOR operation for Y.
- */
- ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, local_output);
- if (ret != 0) {
- goto exit;
- }
-
- mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len);
-
- memcpy(output, local_output, use_len);
-
- if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
- if ((ret =
- mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
- ctx->state |= CCM_STATE__ERROR;
- goto exit;
- }
- }
- }
-
- if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
- for (i = 0; i < ctx->q; i++) {
- if (++(ctx->ctr)[15-i] != 0) {
- break;
- }
- }
- }
-
- input_len -= use_len;
- input += use_len;
- output += use_len;
- }
-
-exit:
- mbedtls_platform_zeroize(local_output, 16);
-
- return ret;
-}
-
-int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
- unsigned char *tag, size_t tag_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char i;
-
- if (ctx->state & CCM_STATE__ERROR) {
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
-
- if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) {
- return MBEDTLS_ERR_CCM_BAD_INPUT;
- }
-
- /*
- * Authentication: reset counter and crypt/mask internal tag
- */
- for (i = 0; i < ctx->q; i++) {
- ctx->ctr[15-i] = 0;
- }
-
- ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y);
- if (ret != 0) {
- return ret;
- }
- if (tag != NULL) {
- memcpy(tag, ctx->y, tag_len);
- }
- mbedtls_ccm_clear_state(ctx);
-
- return 0;
-}
-
-/*
- * Authenticated encryption or decryption
- */
-static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- unsigned char *tag, size_t tag_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen;
-
- if ((ret = mbedtls_ccm_starts(ctx, mode, iv, iv_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ccm_set_lengths(ctx, add_len, length, tag_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ccm_update_ad(ctx, add, add_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ccm_update(ctx, input, length,
- output, length, &olen)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ccm_finish(ctx, tag, tag_len)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Authenticated encryption
- */
-int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- unsigned char *tag, size_t tag_len)
-{
- return ccm_auth_crypt(ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
- add, add_len, input, output, tag, tag_len);
-}
-
-int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- unsigned char *tag, size_t tag_len)
-{
- return ccm_auth_crypt(ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
- add, add_len, input, output, tag, tag_len);
-}
-
-/*
- * Authenticated decryption
- */
-static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
- const unsigned char *tag2,
- size_t tag_len)
-{
- /* Check tag in "constant-time" */
- int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
-
- if (diff != 0) {
- return MBEDTLS_ERR_CCM_AUTH_FAILED;
- }
-
- return 0;
-}
-
-static int ccm_auth_decrypt(mbedtls_ccm_context *ctx, int mode, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- const unsigned char *tag, size_t tag_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char check_tag[16];
-
- if ((ret = ccm_auth_crypt(ctx, mode, length,
- iv, iv_len, add, add_len,
- input, output, check_tag, tag_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ccm_compare_tags(tag, check_tag, tag_len)) != 0) {
- mbedtls_platform_zeroize(output, length);
- return ret;
- }
-
- return 0;
-}
-
-int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- const unsigned char *tag, size_t tag_len)
-{
- return ccm_auth_decrypt(ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
- iv, iv_len, add, add_len,
- input, output, tag, tag_len);
-}
-
-int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *add, size_t add_len,
- const unsigned char *input, unsigned char *output,
- const unsigned char *tag, size_t tag_len)
-{
- return ccm_auth_decrypt(ctx, MBEDTLS_CCM_DECRYPT, length,
- iv, iv_len, add, add_len,
- input, output, tag, tag_len);
-}
-#endif /* !MBEDTLS_CCM_ALT */
-
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-/*
- * Examples 1 to 3 from SP800-38C Appendix C
- */
-
-#define NB_TESTS 3
-#define CCM_SELFTEST_PT_MAX_LEN 24
-#define CCM_SELFTEST_CT_MAX_LEN 32
-/*
- * The data is the same for all tests, only the used length changes
- */
-static const unsigned char key_test_data[] = {
- 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
- 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
-};
-
-static const unsigned char iv_test_data[] = {
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1a, 0x1b
-};
-
-static const unsigned char ad_test_data[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13
-};
-
-static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
- 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
- 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
- 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-};
-
-static const size_t iv_len_test_data[NB_TESTS] = { 7, 8, 12 };
-static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
-static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
-static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 };
-
-static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
- { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
- { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
- 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
- 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
- { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
- 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
- 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
- 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
-};
-
-int mbedtls_ccm_self_test(int verbose)
-{
- mbedtls_ccm_context ctx;
- /*
- * Some hardware accelerators require the input and output buffers
- * would be in RAM, because the flash is not accessible.
- * Use buffers on the stack to hold the test vectors data.
- */
- unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
- unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
- size_t i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_ccm_init(&ctx);
-
- if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
- 8 * sizeof(key_test_data)) != 0) {
- if (verbose != 0) {
- mbedtls_printf(" CCM: setup failed");
- }
-
- return 1;
- }
-
- for (i = 0; i < NB_TESTS; i++) {
- if (verbose != 0) {
- mbedtls_printf(" CCM-AES #%u: ", (unsigned int) i + 1);
- }
-
- memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
- memset(ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN);
- memcpy(plaintext, msg_test_data, msg_len_test_data[i]);
-
- ret = mbedtls_ccm_encrypt_and_tag(&ctx, msg_len_test_data[i],
- iv_test_data, iv_len_test_data[i],
- ad_test_data, add_len_test_data[i],
- plaintext, ciphertext,
- ciphertext + msg_len_test_data[i],
- tag_len_test_data[i]);
-
- if (ret != 0 ||
- memcmp(ciphertext, res_test_data[i],
- msg_len_test_data[i] + tag_len_test_data[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return 1;
- }
- memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
-
- ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len_test_data[i],
- iv_test_data, iv_len_test_data[i],
- ad_test_data, add_len_test_data[i],
- ciphertext, plaintext,
- ciphertext + msg_len_test_data[i],
- tag_len_test_data[i]);
-
- if (ret != 0 ||
- memcmp(plaintext, msg_test_data, msg_len_test_data[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return 1;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- mbedtls_ccm_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
-#endif /* MBEDTLS_CCM_C */
diff --git a/library/chacha20.c b/library/chacha20.c
deleted file mode 100644
index cbb01f4..0000000
--- a/library/chacha20.c
+++ /dev/null
@@ -1,509 +0,0 @@
-/**
- * \file chacha20.c
- *
- * \brief ChaCha20 cipher.
- *
- * \author Daniel King <damaki.gh@gmail.com>
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CHACHA20_C)
-
-#include "mbedtls/chacha20.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <stddef.h>
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_CHACHA20_ALT)
-
-#define ROTL32(value, amount) \
- ((uint32_t) ((value) << (amount)) | ((value) >> (32 - (amount))))
-
-#define CHACHA20_CTR_INDEX (12U)
-
-#define CHACHA20_BLOCK_SIZE_BYTES (4U * 16U)
-
-/**
- * \brief ChaCha20 quarter round operation.
- *
- * The quarter round is defined as follows (from RFC 7539):
- * 1. a += b; d ^= a; d <<<= 16;
- * 2. c += d; b ^= c; b <<<= 12;
- * 3. a += b; d ^= a; d <<<= 8;
- * 4. c += d; b ^= c; b <<<= 7;
- *
- * \param state ChaCha20 state to modify.
- * \param a The index of 'a' in the state.
- * \param b The index of 'b' in the state.
- * \param c The index of 'c' in the state.
- * \param d The index of 'd' in the state.
- */
-static inline void chacha20_quarter_round(uint32_t state[16],
- size_t a,
- size_t b,
- size_t c,
- size_t d)
-{
- /* a += b; d ^= a; d <<<= 16; */
- state[a] += state[b];
- state[d] ^= state[a];
- state[d] = ROTL32(state[d], 16);
-
- /* c += d; b ^= c; b <<<= 12 */
- state[c] += state[d];
- state[b] ^= state[c];
- state[b] = ROTL32(state[b], 12);
-
- /* a += b; d ^= a; d <<<= 8; */
- state[a] += state[b];
- state[d] ^= state[a];
- state[d] = ROTL32(state[d], 8);
-
- /* c += d; b ^= c; b <<<= 7; */
- state[c] += state[d];
- state[b] ^= state[c];
- state[b] = ROTL32(state[b], 7);
-}
-
-/**
- * \brief Perform the ChaCha20 inner block operation.
- *
- * This function performs two rounds: the column round and the
- * diagonal round.
- *
- * \param state The ChaCha20 state to update.
- */
-static void chacha20_inner_block(uint32_t state[16])
-{
- chacha20_quarter_round(state, 0, 4, 8, 12);
- chacha20_quarter_round(state, 1, 5, 9, 13);
- chacha20_quarter_round(state, 2, 6, 10, 14);
- chacha20_quarter_round(state, 3, 7, 11, 15);
-
- chacha20_quarter_round(state, 0, 5, 10, 15);
- chacha20_quarter_round(state, 1, 6, 11, 12);
- chacha20_quarter_round(state, 2, 7, 8, 13);
- chacha20_quarter_round(state, 3, 4, 9, 14);
-}
-
-/**
- * \brief Generates a keystream block.
- *
- * \param initial_state The initial ChaCha20 state (key, nonce, counter).
- * \param keystream Generated keystream bytes are written to this buffer.
- */
-static void chacha20_block(const uint32_t initial_state[16],
- unsigned char keystream[64])
-{
- uint32_t working_state[16];
- size_t i;
-
- memcpy(working_state,
- initial_state,
- CHACHA20_BLOCK_SIZE_BYTES);
-
- for (i = 0U; i < 10U; i++) {
- chacha20_inner_block(working_state);
- }
-
- working_state[0] += initial_state[0];
- working_state[1] += initial_state[1];
- working_state[2] += initial_state[2];
- working_state[3] += initial_state[3];
- working_state[4] += initial_state[4];
- working_state[5] += initial_state[5];
- working_state[6] += initial_state[6];
- working_state[7] += initial_state[7];
- working_state[8] += initial_state[8];
- working_state[9] += initial_state[9];
- working_state[10] += initial_state[10];
- working_state[11] += initial_state[11];
- working_state[12] += initial_state[12];
- working_state[13] += initial_state[13];
- working_state[14] += initial_state[14];
- working_state[15] += initial_state[15];
-
- for (i = 0U; i < 16; i++) {
- size_t offset = i * 4U;
-
- MBEDTLS_PUT_UINT32_LE(working_state[i], keystream, offset);
- }
-
- mbedtls_platform_zeroize(working_state, sizeof(working_state));
-}
-
-void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx)
-{
- mbedtls_platform_zeroize(ctx->state, sizeof(ctx->state));
- mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
-
- /* Initially, there's no keystream bytes available */
- ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
-}
-
-void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx)
-{
- if (ctx != NULL) {
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_chacha20_context));
- }
-}
-
-int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
- const unsigned char key[32])
-{
- /* ChaCha20 constants - the string "expand 32-byte k" */
- ctx->state[0] = 0x61707865;
- ctx->state[1] = 0x3320646e;
- ctx->state[2] = 0x79622d32;
- ctx->state[3] = 0x6b206574;
-
- /* Set key */
- ctx->state[4] = MBEDTLS_GET_UINT32_LE(key, 0);
- ctx->state[5] = MBEDTLS_GET_UINT32_LE(key, 4);
- ctx->state[6] = MBEDTLS_GET_UINT32_LE(key, 8);
- ctx->state[7] = MBEDTLS_GET_UINT32_LE(key, 12);
- ctx->state[8] = MBEDTLS_GET_UINT32_LE(key, 16);
- ctx->state[9] = MBEDTLS_GET_UINT32_LE(key, 20);
- ctx->state[10] = MBEDTLS_GET_UINT32_LE(key, 24);
- ctx->state[11] = MBEDTLS_GET_UINT32_LE(key, 28);
-
- return 0;
-}
-
-int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
- const unsigned char nonce[12],
- uint32_t counter)
-{
- /* Counter */
- ctx->state[12] = counter;
-
- /* Nonce */
- ctx->state[13] = MBEDTLS_GET_UINT32_LE(nonce, 0);
- ctx->state[14] = MBEDTLS_GET_UINT32_LE(nonce, 4);
- ctx->state[15] = MBEDTLS_GET_UINT32_LE(nonce, 8);
-
- mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
-
- /* Initially, there's no keystream bytes available */
- ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
-
- return 0;
-}
-
-int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
- size_t size,
- const unsigned char *input,
- unsigned char *output)
-{
- size_t offset = 0U;
-
- /* Use leftover keystream bytes, if available */
- while (size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES) {
- output[offset] = input[offset]
- ^ ctx->keystream8[ctx->keystream_bytes_used];
-
- ctx->keystream_bytes_used++;
- offset++;
- size--;
- }
-
- /* Process full blocks */
- while (size >= CHACHA20_BLOCK_SIZE_BYTES) {
- /* Generate new keystream block and increment counter */
- chacha20_block(ctx->state, ctx->keystream8);
- ctx->state[CHACHA20_CTR_INDEX]++;
-
- mbedtls_xor(output + offset, input + offset, ctx->keystream8, 64U);
-
- offset += CHACHA20_BLOCK_SIZE_BYTES;
- size -= CHACHA20_BLOCK_SIZE_BYTES;
- }
-
- /* Last (partial) block */
- if (size > 0U) {
- /* Generate new keystream block and increment counter */
- chacha20_block(ctx->state, ctx->keystream8);
- ctx->state[CHACHA20_CTR_INDEX]++;
-
- mbedtls_xor(output + offset, input + offset, ctx->keystream8, size);
-
- ctx->keystream_bytes_used = size;
-
- }
-
- return 0;
-}
-
-int mbedtls_chacha20_crypt(const unsigned char key[32],
- const unsigned char nonce[12],
- uint32_t counter,
- size_t data_len,
- const unsigned char *input,
- unsigned char *output)
-{
- mbedtls_chacha20_context ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_chacha20_init(&ctx);
-
- ret = mbedtls_chacha20_setkey(&ctx, key);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_chacha20_starts(&ctx, nonce, counter);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_chacha20_update(&ctx, data_len, input, output);
-
-cleanup:
- mbedtls_chacha20_free(&ctx);
- return ret;
-}
-
-#endif /* !MBEDTLS_CHACHA20_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-static const unsigned char test_keys[2][32] =
-{
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- },
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
- }
-};
-
-static const unsigned char test_nonces[2][12] =
-{
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00
- },
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x02
- }
-};
-
-static const uint32_t test_counters[2] =
-{
- 0U,
- 1U
-};
-
-static const unsigned char test_input[2][375] =
-{
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- },
- {
- 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
- 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
- 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
- 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
- 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
- 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
- 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
- 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
- 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
- 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
- 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
- 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
- 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
- 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
- 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
- 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
- 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
- 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
- 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
- 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
- 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
- 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
- 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
- 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
- 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
- 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
- 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
- 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
- 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
- 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
- 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
- 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
- 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
- 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
- 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
- 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
- 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
- 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
- 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
- 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
- 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
- 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
- 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
- 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
- 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
- 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
- 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
- }
-};
-
-static const unsigned char test_output[2][375] =
-{
- {
- 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
- 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
- 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
- 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
- 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
- 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
- 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
- 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
- },
- {
- 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
- 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
- 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
- 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
- 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
- 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
- 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
- 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
- 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
- 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
- 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
- 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
- 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
- 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
- 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
- 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
- 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
- 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
- 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
- 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
- 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
- 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
- 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
- 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
- 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
- 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
- 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
- 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
- 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
- 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
- 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
- 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
- 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
- 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
- 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
- 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
- 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
- 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
- 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
- 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
- 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
- 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
- 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
- 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
- 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
- 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
- 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
- }
-};
-
-static const size_t test_lengths[2] =
-{
- 64U,
- 375U
-};
-
-/* Make sure no other definition is already present. */
-#undef ASSERT
-
-#define ASSERT(cond, args) \
- do \
- { \
- if (!(cond)) \
- { \
- if (verbose != 0) \
- mbedtls_printf args; \
- \
- return -1; \
- } \
- } \
- while (0)
-
-int mbedtls_chacha20_self_test(int verbose)
-{
- unsigned char output[381];
- unsigned i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- for (i = 0U; i < 2U; i++) {
- if (verbose != 0) {
- mbedtls_printf(" ChaCha20 test %u ", i);
- }
-
- ret = mbedtls_chacha20_crypt(test_keys[i],
- test_nonces[i],
- test_counters[i],
- test_lengths[i],
- test_input[i],
- output);
-
- ASSERT(0 == ret, ("error code: %i\n", ret));
-
- ASSERT(0 == memcmp(output, test_output[i], test_lengths[i]),
- ("failed (output)\n"));
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/library/chachapoly.c b/library/chachapoly.c
deleted file mode 100644
index aebc646..0000000
--- a/library/chachapoly.c
+++ /dev/null
@@ -1,490 +0,0 @@
-/**
- * \file chachapoly.c
- *
- * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include "common.h"
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
-
-#include "mbedtls/chachapoly.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_CHACHAPOLY_ALT)
-
-#define CHACHAPOLY_STATE_INIT (0)
-#define CHACHAPOLY_STATE_AAD (1)
-#define CHACHAPOLY_STATE_CIPHERTEXT (2) /* Encrypting or decrypting */
-#define CHACHAPOLY_STATE_FINISHED (3)
-
-/**
- * \brief Adds nul bytes to pad the AAD for Poly1305.
- *
- * \param ctx The ChaCha20-Poly1305 context.
- */
-static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)
-{
- uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);
- unsigned char zeroes[15];
-
- if (partial_block_len == 0U) {
- return 0;
- }
-
- memset(zeroes, 0, sizeof(zeroes));
-
- return mbedtls_poly1305_update(&ctx->poly1305_ctx,
- zeroes,
- 16U - partial_block_len);
-}
-
-/**
- * \brief Adds nul bytes to pad the ciphertext for Poly1305.
- *
- * \param ctx The ChaCha20-Poly1305 context.
- */
-static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)
-{
- uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);
- unsigned char zeroes[15];
-
- if (partial_block_len == 0U) {
- return 0;
- }
-
- memset(zeroes, 0, sizeof(zeroes));
- return mbedtls_poly1305_update(&ctx->poly1305_ctx,
- zeroes,
- 16U - partial_block_len);
-}
-
-void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)
-{
- mbedtls_chacha20_init(&ctx->chacha20_ctx);
- mbedtls_poly1305_init(&ctx->poly1305_ctx);
- ctx->aad_len = 0U;
- ctx->ciphertext_len = 0U;
- ctx->state = CHACHAPOLY_STATE_INIT;
- ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
-}
-
-void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_chacha20_free(&ctx->chacha20_ctx);
- mbedtls_poly1305_free(&ctx->poly1305_ctx);
- ctx->aad_len = 0U;
- ctx->ciphertext_len = 0U;
- ctx->state = CHACHAPOLY_STATE_INIT;
- ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
-}
-
-int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
- const unsigned char key[32])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
-
- return ret;
-}
-
-int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
- const unsigned char nonce[12],
- mbedtls_chachapoly_mode_t mode)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char poly1305_key[64];
-
- /* Set counter = 0, will be update to 1 when generating Poly1305 key */
- ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
- if (ret != 0) {
- goto cleanup;
- }
-
- /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
- * counter = 0. This is the same as encrypting a buffer of zeroes.
- * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
- * The other 256 bits are discarded.
- */
- memset(poly1305_key, 0, sizeof(poly1305_key));
- ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
- poly1305_key, poly1305_key);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
-
- if (ret == 0) {
- ctx->aad_len = 0U;
- ctx->ciphertext_len = 0U;
- ctx->state = CHACHAPOLY_STATE_AAD;
- ctx->mode = mode;
- }
-
-cleanup:
- mbedtls_platform_zeroize(poly1305_key, 64U);
- return ret;
-}
-
-int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
- const unsigned char *aad,
- size_t aad_len)
-{
- if (ctx->state != CHACHAPOLY_STATE_AAD) {
- return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
- }
-
- ctx->aad_len += aad_len;
-
- return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);
-}
-
-int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
- size_t len,
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
- (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
- return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
- }
-
- if (ctx->state == CHACHAPOLY_STATE_AAD) {
- ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
-
- ret = chachapoly_pad_aad(ctx);
- if (ret != 0) {
- return ret;
- }
- }
-
- ctx->ciphertext_len += len;
-
- if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
- ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
- if (ret != 0) {
- return ret;
- }
-
- ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
- if (ret != 0) {
- return ret;
- }
- } else { /* DECRYPT */
- ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
- if (ret != 0) {
- return ret;
- }
-
- ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
- if (ret != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-
-int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
- unsigned char mac[16])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char len_block[16];
-
- if (ctx->state == CHACHAPOLY_STATE_INIT) {
- return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
- }
-
- if (ctx->state == CHACHAPOLY_STATE_AAD) {
- ret = chachapoly_pad_aad(ctx);
- if (ret != 0) {
- return ret;
- }
- } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
- ret = chachapoly_pad_ciphertext(ctx);
- if (ret != 0) {
- return ret;
- }
- }
-
- ctx->state = CHACHAPOLY_STATE_FINISHED;
-
- /* The lengths of the AAD and ciphertext are processed by
- * Poly1305 as the final 128-bit block, encoded as little-endian integers.
- */
- MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
- MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
-
- ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
- if (ret != 0) {
- return ret;
- }
-
- ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
-
- return ret;
-}
-
-static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
- mbedtls_chachapoly_mode_t mode,
- size_t length,
- const unsigned char nonce[12],
- const unsigned char *aad,
- size_t aad_len,
- const unsigned char *input,
- unsigned char *output,
- unsigned char tag[16])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_chachapoly_update(ctx, length, input, output);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_chachapoly_finish(ctx, tag);
-
-cleanup:
- return ret;
-}
-
-int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
- size_t length,
- const unsigned char nonce[12],
- const unsigned char *aad,
- size_t aad_len,
- const unsigned char *input,
- unsigned char *output,
- unsigned char tag[16])
-{
- return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
- length, nonce, aad, aad_len,
- input, output, tag);
-}
-
-int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
- size_t length,
- const unsigned char nonce[12],
- const unsigned char *aad,
- size_t aad_len,
- const unsigned char tag[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char check_tag[16];
- int diff;
-
- if ((ret = chachapoly_crypt_and_tag(ctx,
- MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
- aad, aad_len, input, output, check_tag)) != 0) {
- return ret;
- }
-
- /* Check tag in "constant-time" */
- diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
-
- if (diff != 0) {
- mbedtls_platform_zeroize(output, length);
- return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_CHACHAPOLY_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-static const unsigned char test_key[1][32] =
-{
- {
- 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
- 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
- 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
- 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
- }
-};
-
-static const unsigned char test_nonce[1][12] =
-{
- {
- 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
- 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
- }
-};
-
-static const unsigned char test_aad[1][12] =
-{
- {
- 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
- 0xc4, 0xc5, 0xc6, 0xc7
- }
-};
-
-static const size_t test_aad_len[1] =
-{
- 12U
-};
-
-static const unsigned char test_input[1][114] =
-{
- {
- 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
- 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
- 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
- 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
- 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
- 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
- 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
- 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
- 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
- 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
- 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
- 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
- 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
- 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
- 0x74, 0x2e
- }
-};
-
-static const unsigned char test_output[1][114] =
-{
- {
- 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
- 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
- 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
- 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
- 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
- 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
- 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
- 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
- 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
- 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
- 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
- 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
- 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
- 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
- 0x61, 0x16
- }
-};
-
-static const size_t test_input_len[1] =
-{
- 114U
-};
-
-static const unsigned char test_mac[1][16] =
-{
- {
- 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
- 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
- }
-};
-
-/* Make sure no other definition is already present. */
-#undef ASSERT
-
-#define ASSERT(cond, args) \
- do \
- { \
- if (!(cond)) \
- { \
- if (verbose != 0) \
- mbedtls_printf args; \
- \
- return -1; \
- } \
- } \
- while (0)
-
-int mbedtls_chachapoly_self_test(int verbose)
-{
- mbedtls_chachapoly_context ctx;
- unsigned i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char output[200];
- unsigned char mac[16];
-
- for (i = 0U; i < 1U; i++) {
- if (verbose != 0) {
- mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);
- }
-
- mbedtls_chachapoly_init(&ctx);
-
- ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
- ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
-
- ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
- test_input_len[i],
- test_nonce[i],
- test_aad[i],
- test_aad_len[i],
- test_input[i],
- output,
- mac);
-
- ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
-
- ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
- ("failure (wrong output)\n"));
-
- ASSERT(0 == memcmp(mac, test_mac[i], 16U),
- ("failure (wrong MAC)\n"));
-
- mbedtls_chachapoly_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/library/check_crypto_config.h b/library/check_crypto_config.h
deleted file mode 100644
index b7d87fe..0000000
--- a/library/check_crypto_config.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * \file check_crypto_config.h
- *
- * \brief Consistency checks for PSA configuration options
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * It is recommended to include this file from your crypto_config.h
- * in order to catch dependency issues early.
- */
-
-#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H
-#define MBEDTLS_CHECK_CRYPTO_CONFIG_H
-
-#if defined(PSA_WANT_ALG_CCM) && \
- !(defined(PSA_WANT_KEY_TYPE_AES) || \
- defined(PSA_WANT_KEY_TYPE_CAMELLIA))
-#error "PSA_WANT_ALG_CCM defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_CMAC) && \
- !(defined(PSA_WANT_KEY_TYPE_AES) || \
- defined(PSA_WANT_KEY_TYPE_CAMELLIA) || \
- defined(PSA_WANT_KEY_TYPE_DES))
-#error "PSA_WANT_ALG_CMAC defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
- !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
-#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_ECDSA) && \
- !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
-#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_GCM) && \
- !(defined(PSA_WANT_KEY_TYPE_AES) || \
- defined(PSA_WANT_KEY_TYPE_CAMELLIA))
-#error "PSA_WANT_ALG_GCM defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
- !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
-#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
- !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
-#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_OAEP) && \
- !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
-#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_RSA_PSS) && \
- !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
-#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
-#endif
-
-#if (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)) && \
- !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx defined, but not all prerequisites"
-#endif
-
-#if (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)) && \
- !defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
-#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx defined, but not all prerequisites"
-#endif
-
-#if (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)) && \
- !defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
-#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_xxx defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
- future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
- symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
- future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
- symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
- future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
- symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
- future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
- symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
-#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE defined, but feature is not supported"
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
-#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE defined, but feature is not supported"
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_USE_PSA_CRYPTO) && \
- !(defined(PSA_WANT_ALG_SHA_1) || defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_512))
-#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
-#endif
-
-#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \
- !defined(PSA_WANT_ALG_SHA_256)
-#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites"
-#endif
-
-#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
diff --git a/library/cipher.c b/library/cipher.c
deleted file mode 100644
index 9f9f107..0000000
--- a/library/cipher.c
+++ /dev/null
@@ -1,1676 +0,0 @@
-/**
- * \file cipher.c
- *
- * \brief Generic cipher wrapper for Mbed TLS
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CIPHER_C)
-
-#include "mbedtls/cipher.h"
-#include "cipher_wrap.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-#include "constant_time_internal.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
-#include "mbedtls/chachapoly.h"
-#endif
-
-#if defined(MBEDTLS_GCM_C)
-#include "mbedtls/gcm.h"
-#endif
-
-#if defined(MBEDTLS_CCM_C)
-#include "mbedtls/ccm.h"
-#endif
-
-#if defined(MBEDTLS_CHACHA20_C)
-#include "mbedtls/chacha20.h"
-#endif
-
-#if defined(MBEDTLS_CMAC_C)
-#include "mbedtls/cmac.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "psa/crypto.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_NIST_KW_C)
-#include "mbedtls/nist_kw.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-static int supported_init = 0;
-
-static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
- const mbedtls_cipher_info_t *info)
-{
- return mbedtls_cipher_base_lookup_table[info->base_idx];
-}
-
-const int *mbedtls_cipher_list(void)
-{
- const mbedtls_cipher_definition_t *def;
- int *type;
-
- if (!supported_init) {
- def = mbedtls_cipher_definitions;
- type = mbedtls_cipher_supported;
-
- while (def->type != 0) {
- *type++ = (*def++).type;
- }
-
- *type = 0;
-
- supported_init = 1;
- }
-
- return mbedtls_cipher_supported;
-}
-
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
- const mbedtls_cipher_type_t cipher_type)
-{
- const mbedtls_cipher_definition_t *def;
-
- for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
- if (def->type == cipher_type) {
- return def->info;
- }
- }
-
- return NULL;
-}
-
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
- const char *cipher_name)
-{
- const mbedtls_cipher_definition_t *def;
-
- if (NULL == cipher_name) {
- return NULL;
- }
-
- for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
- if (!strcmp(def->info->name, cipher_name)) {
- return def->info;
- }
- }
-
- return NULL;
-}
-
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
- const mbedtls_cipher_id_t cipher_id,
- int key_bitlen,
- const mbedtls_cipher_mode_t mode)
-{
- const mbedtls_cipher_definition_t *def;
-
- for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
- if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
- mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
- def->info->mode == mode) {
- return def->info;
- }
- }
-
- return NULL;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
-static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
- mbedtls_cipher_type_t cipher)
-{
- switch (cipher) {
- case MBEDTLS_CIPHER_AES_128_CCM:
- case MBEDTLS_CIPHER_AES_192_CCM:
- case MBEDTLS_CIPHER_AES_256_CCM:
- case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_AES_128_GCM:
- case MBEDTLS_CIPHER_AES_192_GCM:
- case MBEDTLS_CIPHER_AES_256_GCM:
- case MBEDTLS_CIPHER_AES_128_CBC:
- case MBEDTLS_CIPHER_AES_192_CBC:
- case MBEDTLS_CIPHER_AES_256_CBC:
- case MBEDTLS_CIPHER_AES_128_ECB:
- case MBEDTLS_CIPHER_AES_192_ECB:
- case MBEDTLS_CIPHER_AES_256_ECB:
- return PSA_KEY_TYPE_AES;
-
- /* ARIA not yet supported in PSA. */
- /* case MBEDTLS_CIPHER_ARIA_128_CCM:
- case MBEDTLS_CIPHER_ARIA_192_CCM:
- case MBEDTLS_CIPHER_ARIA_256_CCM:
- case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
- case MBEDTLS_CIPHER_ARIA_128_GCM:
- case MBEDTLS_CIPHER_ARIA_192_GCM:
- case MBEDTLS_CIPHER_ARIA_256_GCM:
- case MBEDTLS_CIPHER_ARIA_128_CBC:
- case MBEDTLS_CIPHER_ARIA_192_CBC:
- case MBEDTLS_CIPHER_ARIA_256_CBC:
- return( PSA_KEY_TYPE_ARIA ); */
-
- default:
- return 0;
- }
-}
-
-static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
- mbedtls_cipher_mode_t mode, size_t taglen)
-{
- switch (mode) {
- case MBEDTLS_MODE_ECB:
- return PSA_ALG_ECB_NO_PADDING;
- case MBEDTLS_MODE_GCM:
- return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
- case MBEDTLS_MODE_CCM:
- return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
- case MBEDTLS_MODE_CCM_STAR_NO_TAG:
- return PSA_ALG_CCM_STAR_NO_TAG;
- case MBEDTLS_MODE_CBC:
- if (taglen == 0) {
- return PSA_ALG_CBC_NO_PADDING;
- } else {
- return 0;
- }
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
-}
-
-void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- if (ctx->cipher_ctx != NULL) {
- mbedtls_cipher_context_psa * const cipher_psa =
- (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
-
- if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
- /* xxx_free() doesn't allow to return failures. */
- (void) psa_destroy_key(cipher_psa->slot);
- }
-
- mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
- return;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_CMAC_C)
- if (ctx->cmac_ctx) {
- mbedtls_zeroize_and_free(ctx->cmac_ctx,
- sizeof(mbedtls_cmac_context_t));
- }
-#endif
-
- if (ctx->cipher_ctx) {
- mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
-}
-
-int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
- const mbedtls_cipher_info_t *cipher_info)
-{
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
-
- if (NULL == (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func())) {
- return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
- }
-
- ctx->cipher_info = cipher_info;
-
- return 0;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
- const mbedtls_cipher_info_t *cipher_info,
- size_t taglen)
-{
- psa_algorithm_t alg;
- mbedtls_cipher_context_psa *cipher_psa;
-
- if (NULL == cipher_info || NULL == ctx) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /* Check that the underlying cipher mode and cipher type are
- * supported by the underlying PSA Crypto implementation. */
- alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
- if (alg == 0) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
- if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
-
- cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
- if (cipher_psa == NULL) {
- return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
- }
- cipher_psa->alg = alg;
- ctx->cipher_ctx = cipher_psa;
- ctx->cipher_info = cipher_info;
- ctx->psa_enabled = 1;
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
- const unsigned char *key,
- int key_bitlen,
- const mbedtls_operation_t operation)
-{
- if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- mbedtls_cipher_context_psa * const cipher_psa =
- (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
-
- size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
-
- psa_status_t status;
- psa_key_type_t key_type;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-
- /* PSA Crypto API only accepts byte-aligned keys. */
- if (key_bitlen % 8 != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /* Don't allow keys to be set multiple times. */
- if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- key_type = mbedtls_psa_translate_cipher_type(
- ((mbedtls_cipher_type_t) ctx->cipher_info->type));
- if (key_type == 0) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
- psa_set_key_type(&attributes, key_type);
-
- /* Mbed TLS' cipher layer doesn't enforce the mode of operation
- * (encrypt vs. decrypt): it is possible to setup a key for encryption
- * and use it for AEAD decryption. Until tests relying on this
- * are changed, allow any usage in PSA. */
- psa_set_key_usage_flags(&attributes,
- PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
- psa_set_key_algorithm(&attributes, cipher_psa->alg);
-
- status = psa_import_key(&attributes, key, key_bytelen,
- &cipher_psa->slot);
- switch (status) {
- case PSA_SUCCESS:
- break;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- default:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
- /* Indicate that we own the key slot and need to
- * destroy it in mbedtls_cipher_free(). */
- cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
-
- ctx->key_bitlen = key_bitlen;
- ctx->operation = operation;
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
- (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- ctx->key_bitlen = key_bitlen;
- ctx->operation = operation;
-
- /*
- * For OFB, CFB and CTR mode always use the encryption key schedule
- */
- if (MBEDTLS_ENCRYPT == operation ||
- MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
- ctx->key_bitlen);
- }
-
- if (MBEDTLS_DECRYPT == operation) {
- return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
- ctx->key_bitlen);
- }
-
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
-}
-
-int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv,
- size_t iv_len)
-{
- size_t actual_iv_size;
-
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- /* avoid buffer overflow in ctx->iv */
- if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
- actual_iv_size = iv_len;
- } else {
- actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
-
- /* avoid reading past the end of input buffer */
- if (actual_iv_size > iv_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
- }
-
-#if defined(MBEDTLS_CHACHA20_C)
- if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
- /* Even though the actual_iv_size is overwritten with a correct value
- * of 12 from the cipher info, return an error to indicate that
- * the input iv_len is wrong. */
- if (iv_len != 12) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
- iv,
- 0U)) { /* Initial counter value */
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
- }
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
- iv_len != 12) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-#endif
-#endif
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
- ctx->operation,
- iv, iv_len);
- }
-#endif
-
-#if defined(MBEDTLS_CCM_C)
- if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- int set_lengths_result;
- int ccm_star_mode;
-
- set_lengths_result = mbedtls_ccm_set_lengths(
- (mbedtls_ccm_context *) ctx->cipher_ctx,
- 0, 0, 0);
- if (set_lengths_result != 0) {
- return set_lengths_result;
- }
-
- if (ctx->operation == MBEDTLS_DECRYPT) {
- ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
- } else if (ctx->operation == MBEDTLS_ENCRYPT) {
- ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
- } else {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
- ccm_star_mode,
- iv, iv_len);
- }
-#endif
-
- if (actual_iv_size != 0) {
- memcpy(ctx->iv, iv, actual_iv_size);
- ctx->iv_size = actual_iv_size;
- }
-
- return 0;
-}
-
-int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
-{
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* We don't support resetting PSA-based
- * cipher contexts, yet. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- ctx->unprocessed_len = 0;
-
- return 0;
-}
-
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
-int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
- const unsigned char *ad, size_t ad_len)
-{
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
- ad, ad_len);
- }
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
- int result;
- mbedtls_chachapoly_mode_t mode;
-
- mode = (ctx->operation == MBEDTLS_ENCRYPT)
- ? MBEDTLS_CHACHAPOLY_ENCRYPT
- : MBEDTLS_CHACHAPOLY_DECRYPT;
-
- result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
- ctx->iv,
- mode);
- if (result != 0) {
- return result;
- }
-
- return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
- ad, ad_len);
- }
-#endif
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
-
-int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
- size_t ilen, unsigned char *output, size_t *olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t block_size;
-
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- *olen = 0;
- block_size = mbedtls_cipher_get_block_size(ctx);
- if (0 == block_size) {
- return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
- }
-
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
- if (ilen != block_size) {
- return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
- }
-
- *olen = ilen;
-
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
- ctx->operation, input,
- output))) {
- return ret;
- }
-
- return 0;
- }
-
-#if defined(MBEDTLS_GCM_C)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
- return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
- input, ilen,
- output, ilen, olen);
- }
-#endif
-
-#if defined(MBEDTLS_CCM_C)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
- return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
- input, ilen,
- output, ilen, olen);
- }
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
- *olen = ilen;
- return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
- ilen, input, output);
- }
-#endif
-
- if (input == output &&
- (ctx->unprocessed_len != 0 || ilen % block_size)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
- size_t copy_len = 0;
-
- /*
- * If there is not enough data for a full block, cache it.
- */
- if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
- ilen <= block_size - ctx->unprocessed_len) ||
- (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
- ilen < block_size - ctx->unprocessed_len) ||
- (ctx->operation == MBEDTLS_ENCRYPT &&
- ilen < block_size - ctx->unprocessed_len)) {
- memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
- ilen);
-
- ctx->unprocessed_len += ilen;
- return 0;
- }
-
- /*
- * Process cached data first
- */
- if (0 != ctx->unprocessed_len) {
- copy_len = block_size - ctx->unprocessed_len;
-
- memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
- copy_len);
-
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
- ctx->operation,
- block_size, ctx->iv,
- ctx->
- unprocessed_data,
- output))) {
- return ret;
- }
-
- *olen += block_size;
- output += block_size;
- ctx->unprocessed_len = 0;
-
- input += copy_len;
- ilen -= copy_len;
- }
-
- /*
- * Cache final, incomplete block
- */
- if (0 != ilen) {
- /* Encryption: only cache partial blocks
- * Decryption w/ padding: always keep at least one whole block
- * Decryption w/o padding: only cache partial blocks
- */
- copy_len = ilen % block_size;
- if (copy_len == 0 &&
- ctx->operation == MBEDTLS_DECRYPT &&
- NULL != ctx->add_padding) {
- copy_len = block_size;
- }
-
- memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
- copy_len);
-
- ctx->unprocessed_len += copy_len;
- ilen -= copy_len;
- }
-
- /*
- * Process remaining full blocks
- */
- if (ilen) {
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
- ctx->operation,
- ilen, ctx->iv,
- input,
- output))) {
- return ret;
- }
-
- *olen += ilen;
- }
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
- ctx->operation, ilen,
- &ctx->unprocessed_len,
- ctx->iv,
- input, output))) {
- return ret;
- }
-
- *olen = ilen;
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
- ilen,
- &ctx->unprocessed_len,
- ctx->iv,
- input, output))) {
- return ret;
- }
-
- *olen = ilen;
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
- ilen,
- &ctx->unprocessed_len,
- ctx->iv,
- ctx->unprocessed_data,
- input, output))) {
- return ret;
- }
-
- *olen = ilen;
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
- if (ctx->unprocessed_len > 0) {
- /* We can only process an entire data unit at a time. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
- ctx->operation,
- ilen,
- ctx->iv,
- input,
- output);
- if (ret != 0) {
- return ret;
- }
-
- *olen = ilen;
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
- ilen, input,
- output))) {
- return ret;
- }
-
- *olen = ilen;
-
- return 0;
- }
-#endif /* MBEDTLS_CIPHER_MODE_STREAM */
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
-/*
- * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
- */
-static void add_pkcs_padding(unsigned char *output, size_t output_len,
- size_t data_len)
-{
- size_t padding_len = output_len - data_len;
- unsigned char i;
-
- for (i = 0; i < padding_len; i++) {
- output[data_len + i] = (unsigned char) padding_len;
- }
-}
-
-static int get_pkcs_padding(unsigned char *input, size_t input_len,
- size_t *data_len)
-{
- size_t i, pad_idx;
- unsigned char padding_len;
-
- if (NULL == input || NULL == data_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- padding_len = input[input_len - 1];
- *data_len = input_len - padding_len;
-
- mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
-
- /* The number of bytes checked must be independent of padding_len,
- * so pick input_len, which is usually 8 or 16 (one block) */
- pad_idx = input_len - padding_len;
- for (i = 0; i < input_len; i++) {
- mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
- mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
- }
-
- return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
-}
-#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
-
-#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
-/*
- * One and zeros padding: fill with 80 00 ... 00
- */
-static void add_one_and_zeros_padding(unsigned char *output,
- size_t output_len, size_t data_len)
-{
- size_t padding_len = output_len - data_len;
- unsigned char i = 0;
-
- output[data_len] = 0x80;
- for (i = 1; i < padding_len; i++) {
- output[data_len + i] = 0x00;
- }
-}
-
-static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
- size_t *data_len)
-{
- if (NULL == input || NULL == data_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
- mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
-
- *data_len = 0;
-
- for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
- mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
-
- mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
-
- *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
-
- bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
-
- in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
- }
-
- return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
-}
-#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
-
-#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
-/*
- * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
- */
-static void add_zeros_and_len_padding(unsigned char *output,
- size_t output_len, size_t data_len)
-{
- size_t padding_len = output_len - data_len;
- unsigned char i = 0;
-
- for (i = 1; i < padding_len; i++) {
- output[data_len + i - 1] = 0x00;
- }
- output[output_len - 1] = (unsigned char) padding_len;
-}
-
-static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
- size_t *data_len)
-{
- size_t i, pad_idx;
- unsigned char padding_len;
- mbedtls_ct_condition_t bad;
-
- if (NULL == input || NULL == data_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- padding_len = input[input_len - 1];
- *data_len = input_len - padding_len;
-
- /* Avoid logical || since it results in a branch */
- bad = mbedtls_ct_uint_gt(padding_len, input_len);
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
-
- /* The number of bytes checked must be independent of padding_len */
- pad_idx = input_len - padding_len;
- for (i = 0; i < input_len - 1; i++) {
- mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
- mbedtls_ct_condition_t nonzero_pad_byte;
- nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
- bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
- }
-
- return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
-}
-#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
-
-#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
-/*
- * Zero padding: fill with 00 ... 00
- */
-static void add_zeros_padding(unsigned char *output,
- size_t output_len, size_t data_len)
-{
- memset(output + data_len, 0, output_len - data_len);
-}
-
-static int get_zeros_padding(unsigned char *input, size_t input_len,
- size_t *data_len)
-{
- size_t i;
- mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
-
- if (NULL == input || NULL == data_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- *data_len = 0;
- for (i = input_len; i > 0; i--) {
- prev_done = done;
- done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
- *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
-
-/*
- * No padding: don't pad :)
- *
- * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
- * but a trivial get_padding function
- */
-static int get_no_padding(unsigned char *input, size_t input_len,
- size_t *data_len)
-{
- if (NULL == input || NULL == data_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- *data_len = input_len;
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-
-int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
- unsigned char *output, size_t *olen)
-{
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- *olen = 0;
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
- /* CBC mode requires padding so we make sure a call to
- * mbedtls_cipher_set_padding_mode has been done successfully. */
- if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- if (ctx->get_padding == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
- }
-#endif
-
- if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- return 0;
- }
-
- if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
- (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
- return 0;
- }
-
- if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- if (ctx->unprocessed_len != 0) {
- return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
- }
-
- return 0;
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- int ret = 0;
-
- if (MBEDTLS_ENCRYPT == ctx->operation) {
- /* check for 'no padding' mode */
- if (NULL == ctx->add_padding) {
- if (0 != ctx->unprocessed_len) {
- return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
- }
-
- return 0;
- }
-
- ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
- ctx->unprocessed_len);
- } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
- /*
- * For decrypt operations, expect a full block,
- * or an empty block if no padding
- */
- if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
- return 0;
- }
-
- return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
- }
-
- /* cipher block */
- if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
- ctx->operation,
- mbedtls_cipher_get_block_size(
- ctx),
- ctx->iv,
- ctx->unprocessed_data,
- output))) {
- return ret;
- }
-
- /* Set output size for decryption */
- if (MBEDTLS_DECRYPT == ctx->operation) {
- return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
- olen);
- }
-
- /* Set output size for encryption */
- *olen = mbedtls_cipher_get_block_size(ctx);
- return 0;
- }
-#else
- ((void) output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
- mbedtls_cipher_padding_t mode)
-{
- if (NULL == ctx->cipher_info ||
- MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto knows about CBC padding
- * schemes, we currently don't make them
- * accessible through the cipher layer. */
- if (mode != MBEDTLS_PADDING_NONE) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- switch (mode) {
-#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
- case MBEDTLS_PADDING_PKCS7:
- ctx->add_padding = add_pkcs_padding;
- ctx->get_padding = get_pkcs_padding;
- break;
-#endif
-#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
- case MBEDTLS_PADDING_ONE_AND_ZEROS:
- ctx->add_padding = add_one_and_zeros_padding;
- ctx->get_padding = get_one_and_zeros_padding;
- break;
-#endif
-#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
- case MBEDTLS_PADDING_ZEROS_AND_LEN:
- ctx->add_padding = add_zeros_and_len_padding;
- ctx->get_padding = get_zeros_and_len_padding;
- break;
-#endif
-#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
- case MBEDTLS_PADDING_ZEROS:
- ctx->add_padding = add_zeros_padding;
- ctx->get_padding = get_zeros_padding;
- break;
-#endif
- case MBEDTLS_PADDING_NONE:
- ctx->add_padding = NULL;
- ctx->get_padding = get_no_padding;
- break;
-
- default:
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
-int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
- unsigned char *tag, size_t tag_len)
-{
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (MBEDTLS_ENCRYPT != ctx->operation) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- size_t output_length;
- /* The code here doesn't yet support alternative implementations
- * that can delay up to a block of output. */
- return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
- NULL, 0, &output_length,
- tag, tag_len);
- }
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
- /* Don't allow truncated MAC for Poly1305 */
- if (tag_len != 16U) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return mbedtls_chachapoly_finish(
- (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
- }
-#endif
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
- const unsigned char *tag, size_t tag_len)
-{
- unsigned char check_tag[16];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ctx->cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (MBEDTLS_DECRYPT != ctx->operation) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* While PSA Crypto has an API for multipart
- * operations, we currently don't make it
- * accessible through the cipher layer. */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- /* Status to return on a non-authenticated algorithm. */
- ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- size_t output_length;
- /* The code here doesn't yet support alternative implementations
- * that can delay up to a block of output. */
-
- if (tag_len > sizeof(check_tag)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (0 != (ret = mbedtls_gcm_finish(
- (mbedtls_gcm_context *) ctx->cipher_ctx,
- NULL, 0, &output_length,
- check_tag, tag_len))) {
- return ret;
- }
-
- /* Check the tag in "constant-time" */
- if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- goto exit;
- }
- }
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
- /* Don't allow truncated MAC for Poly1305 */
- if (tag_len != sizeof(check_tag)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- ret = mbedtls_chachapoly_finish(
- (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
- if (ret != 0) {
- return ret;
- }
-
- /* Check the tag in "constant-time" */
- if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- goto exit;
- }
- }
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
-exit:
- mbedtls_platform_zeroize(check_tag, tag_len);
- return ret;
-}
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
-
-/*
- * Packet-oriented wrapper for non-AEAD modes
- */
-int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t finish_olen;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* As in the non-PSA case, we don't check that
- * a key has been set. If not, the key slot will
- * still be in its default state of 0, which is
- * guaranteed to be invalid, hence the PSA-call
- * below will gracefully fail. */
- mbedtls_cipher_context_psa * const cipher_psa =
- (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
-
- psa_status_t status;
- psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
- size_t part_len;
-
- if (ctx->operation == MBEDTLS_DECRYPT) {
- status = psa_cipher_decrypt_setup(&cipher_op,
- cipher_psa->slot,
- cipher_psa->alg);
- } else if (ctx->operation == MBEDTLS_ENCRYPT) {
- status = psa_cipher_encrypt_setup(&cipher_op,
- cipher_psa->slot,
- cipher_psa->alg);
- } else {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /* In the following, we can immediately return on an error,
- * because the PSA Crypto API guarantees that cipher operations
- * are terminated by unsuccessful calls to psa_cipher_update(),
- * and by any call to psa_cipher_finish(). */
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
- status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
- }
-
- status = psa_cipher_update(&cipher_op,
- input, ilen,
- output, ilen, olen);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- status = psa_cipher_finish(&cipher_op,
- output + *olen, ilen - *olen,
- &part_len);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- *olen += part_len;
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
- if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_update(ctx, input, ilen,
- output, olen)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
- &finish_olen)) != 0) {
- return ret;
- }
-
- *olen += finish_olen;
-
- return 0;
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
-/*
- * Packet-oriented encryption for AEAD modes: internal function used by
- * mbedtls_cipher_auth_encrypt_ext().
- */
-static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen,
- unsigned char *tag, size_t tag_len)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* As in the non-PSA case, we don't check that
- * a key has been set. If not, the key slot will
- * still be in its default state of 0, which is
- * guaranteed to be invalid, hence the PSA-call
- * below will gracefully fail. */
- mbedtls_cipher_context_psa * const cipher_psa =
- (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
-
- psa_status_t status;
-
- /* PSA Crypto API always writes the authentication tag
- * at the end of the encrypted message. */
- if (output == NULL || tag != output + ilen) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- status = psa_aead_encrypt(cipher_psa->slot,
- cipher_psa->alg,
- iv, iv_len,
- ad, ad_len,
- input, ilen,
- output, ilen + tag_len, olen);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- *olen -= tag_len;
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- *olen = ilen;
- return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
- ilen, iv, iv_len, ad, ad_len,
- input, output, tag_len, tag);
- }
-#endif /* MBEDTLS_GCM_C */
-#if defined(MBEDTLS_CCM_C)
- if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- *olen = ilen;
- return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
- iv, iv_len, ad, ad_len, input, output,
- tag, tag_len);
- }
-#endif /* MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
- /* ChachaPoly has fixed length nonce and MAC (tag) */
- if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
- (tag_len != 16U)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- *olen = ilen;
- return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
- ilen, iv, ad, ad_len, input, output, tag);
- }
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-/*
- * Packet-oriented encryption for AEAD modes: internal function used by
- * mbedtls_cipher_auth_encrypt_ext().
- */
-static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen,
- const unsigned char *tag, size_t tag_len)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ctx->psa_enabled == 1) {
- /* As in the non-PSA case, we don't check that
- * a key has been set. If not, the key slot will
- * still be in its default state of 0, which is
- * guaranteed to be invalid, hence the PSA-call
- * below will gracefully fail. */
- mbedtls_cipher_context_psa * const cipher_psa =
- (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
-
- psa_status_t status;
-
- /* PSA Crypto API always writes the authentication tag
- * at the end of the encrypted message. */
- if (input == NULL || tag != input + ilen) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- status = psa_aead_decrypt(cipher_psa->slot,
- cipher_psa->alg,
- iv, iv_len,
- ad, ad_len,
- input, ilen + tag_len,
- output, ilen, olen);
- if (status == PSA_ERROR_INVALID_SIGNATURE) {
- return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- } else if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_GCM_C)
- if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- *olen = ilen;
- ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
- iv, iv_len, ad, ad_len,
- tag, tag_len, input, output);
-
- if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- }
-
- return ret;
- }
-#endif /* MBEDTLS_GCM_C */
-#if defined(MBEDTLS_CCM_C)
- if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- *olen = ilen;
- ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
- iv, iv_len, ad, ad_len,
- input, output, tag, tag_len);
-
- if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- }
-
- return ret;
- }
-#endif /* MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* ChachaPoly has fixed length nonce and MAC (tag) */
- if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
- (tag_len != 16U)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- *olen = ilen;
- ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
- iv, ad, ad_len, tag, input, output);
-
- if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- }
-
- return ret;
- }
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-#endif /* MBEDTLS_CIPHER_MODE_AEAD */
-
-#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
-/*
- * Packet-oriented encryption for AEAD/NIST_KW: public function.
- */
-int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t output_len,
- size_t *olen, size_t tag_len)
-{
-#if defined(MBEDTLS_NIST_KW_C)
- if (
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- ctx->psa_enabled == 0 &&
-#endif
- (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
- mbedtls_nist_kw_mode_t mode =
- (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
- MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
-
- /* There is no iv, tag or ad associated with KW and KWP,
- * so these length should be 0 as documented. */
- if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- (void) iv;
- (void) ad;
-
- return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
- output, olen, output_len);
- }
-#endif /* MBEDTLS_NIST_KW_C */
-
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
- /* AEAD case: check length before passing on to shared function */
- if (output_len < ilen + tag_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
- input, ilen, output, olen,
- output + ilen, tag_len);
- *olen += tag_len;
- return ret;
-#else
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif /* MBEDTLS_CIPHER_MODE_AEAD */
-}
-
-/*
- * Packet-oriented decryption for AEAD/NIST_KW: public function.
- */
-int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len,
- const unsigned char *ad, size_t ad_len,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t output_len,
- size_t *olen, size_t tag_len)
-{
-#if defined(MBEDTLS_NIST_KW_C)
- if (
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- ctx->psa_enabled == 0 &&
-#endif
- (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
- MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
- mbedtls_nist_kw_mode_t mode =
- (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
- MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
-
- /* There is no iv, tag or ad associated with KW and KWP,
- * so these length should be 0 as documented. */
- if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- (void) iv;
- (void) ad;
-
- return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
- output, olen, output_len);
- }
-#endif /* MBEDTLS_NIST_KW_C */
-
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
- /* AEAD case: check length before passing on to shared function */
- if (ilen < tag_len || output_len < ilen - tag_len) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
- input, ilen - tag_len, output, olen,
- input + ilen - tag_len, tag_len);
-#else
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif /* MBEDTLS_CIPHER_MODE_AEAD */
-}
-#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
-
-#endif /* MBEDTLS_CIPHER_C */
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
deleted file mode 100644
index 4e1e996..0000000
--- a/library/cipher_wrap.c
+++ /dev/null
@@ -1,2460 +0,0 @@
-/**
- * \file cipher_wrap.c
- *
- * \brief Generic cipher wrapper for Mbed TLS
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CIPHER_C)
-
-#include "cipher_wrap.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
-#include "mbedtls/chachapoly.h"
-#endif
-
-#if defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
-#endif
-
-#if defined(MBEDTLS_CAMELLIA_C)
-#include "mbedtls/camellia.h"
-#endif
-
-#if defined(MBEDTLS_ARIA_C)
-#include "mbedtls/aria.h"
-#endif
-
-#if defined(MBEDTLS_DES_C)
-#include "mbedtls/des.h"
-#endif
-
-#if defined(MBEDTLS_CHACHA20_C)
-#include "mbedtls/chacha20.h"
-#endif
-
-#if defined(MBEDTLS_GCM_C)
-#include "mbedtls/gcm.h"
-#endif
-
-#if defined(MBEDTLS_CCM_C)
-#include "mbedtls/ccm.h"
-#endif
-
-#if defined(MBEDTLS_NIST_KW_C)
-#include "mbedtls/nist_kw.h"
-#endif
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#include <string.h>
-#endif
-
-#include "mbedtls/platform.h"
-
-enum mbedtls_cipher_base_index {
-#if defined(MBEDTLS_AES_C)
- MBEDTLS_CIPHER_BASE_INDEX_AES,
-#endif
-#if defined(MBEDTLS_ARIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_ARIA,
-#endif
-#if defined(MBEDTLS_CAMELLIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA,
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES,
-#endif
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA,
-#endif
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA,
-#endif
-#if defined(MBEDTLS_CHACHA20_C)
- MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE,
-#endif
-#if defined(MBEDTLS_CHACHAPOLY_C)
- MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE,
-#endif
-#if defined(MBEDTLS_DES_C)
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3,
-#endif
-#if defined(MBEDTLS_DES_C)
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE,
-#endif
-#if defined(MBEDTLS_DES_C)
- MBEDTLS_CIPHER_BASE_INDEX_DES,
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
- MBEDTLS_CIPHER_BASE_INDEX_GCM_AES,
-#endif
-#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA,
-#endif
-#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
- MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA,
-#endif
-#if defined(MBEDTLS_NIST_KW_C)
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES,
-#endif
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
- MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
- MBEDTLS_CIPHER_BASE_INDEX_XTS_AES,
-#endif
- /* Prevent compile failure due to empty enum */
- MBEDTLS_CIPHER_BASE_PREVENT_EMPTY_ENUM
-};
-
-#if defined(MBEDTLS_GCM_C)
-/* shared by all GCM ciphers */
-static void *gcm_ctx_alloc(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_gcm_context));
-
- if (ctx != NULL) {
- mbedtls_gcm_init((mbedtls_gcm_context *) ctx);
- }
-
- return ctx;
-}
-
-static void gcm_ctx_free(void *ctx)
-{
- mbedtls_gcm_free(ctx);
- mbedtls_free(ctx);
-}
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_CCM_C)
-/* shared by all CCM ciphers */
-static void *ccm_ctx_alloc(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ccm_context));
-
- if (ctx != NULL) {
- mbedtls_ccm_init((mbedtls_ccm_context *) ctx);
- }
-
- return ctx;
-}
-
-static void ccm_ctx_free(void *ctx)
-{
- mbedtls_ccm_free(ctx);
- mbedtls_free(ctx);
-}
-#endif /* MBEDTLS_CCM_C */
-
-#if defined(MBEDTLS_AES_C)
-
-static int aes_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aes_crypt_ecb((mbedtls_aes_context *) ctx, operation, input, output);
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static int aes_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
- unsigned char *iv, const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aes_crypt_cbc((mbedtls_aes_context *) ctx, operation, length, iv, input,
- output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static int aes_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length, size_t *iv_off, unsigned char *iv,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aes_crypt_cfb128((mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
- input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
-static int aes_crypt_ofb_wrap(void *ctx, size_t length, size_t *iv_off,
- unsigned char *iv, const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aes_crypt_ofb((mbedtls_aes_context *) ctx, length, iv_off,
- iv, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static int aes_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
- unsigned char *nonce_counter, unsigned char *stream_block,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aes_crypt_ctr((mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
- stream_block, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-static int aes_crypt_xts_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length,
- const unsigned char data_unit[16],
- const unsigned char *input,
- unsigned char *output)
-{
- mbedtls_aes_xts_context *xts_ctx = ctx;
- int mode;
-
- switch (operation) {
- case MBEDTLS_ENCRYPT:
- mode = MBEDTLS_AES_ENCRYPT;
- break;
- case MBEDTLS_DECRYPT:
- mode = MBEDTLS_AES_DECRYPT;
- break;
- default:
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return mbedtls_aes_crypt_xts(xts_ctx, mode, length,
- data_unit, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-static int aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_aes_setkey_dec((mbedtls_aes_context *) ctx, key, key_bitlen);
-}
-
-static int aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_aes_setkey_enc((mbedtls_aes_context *) ctx, key, key_bitlen);
-}
-
-static void *aes_ctx_alloc(void)
-{
- mbedtls_aes_context *aes = mbedtls_calloc(1, sizeof(mbedtls_aes_context));
-
- if (aes == NULL) {
- return NULL;
- }
-
- mbedtls_aes_init(aes);
-
- return aes;
-}
-
-static void aes_ctx_free(void *ctx)
-{
- mbedtls_aes_free((mbedtls_aes_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t aes_info = {
- MBEDTLS_CIPHER_ID_AES,
- aes_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- aes_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- aes_crypt_cfb128_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- aes_crypt_ofb_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- aes_crypt_ctr_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- aes_setkey_enc_wrap,
- aes_setkey_dec_wrap,
- aes_ctx_alloc,
- aes_ctx_free
-};
-
-static const mbedtls_cipher_info_t aes_128_ecb_info = {
- "AES-128-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_AES_128_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_ecb_info = {
- "AES-192-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_AES_192_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_ecb_info = {
- "AES-256-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_AES_256_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t aes_128_cbc_info = {
- "AES-128-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_AES_128_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_cbc_info = {
- "AES-192-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_AES_192_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_cbc_info = {
- "AES-256-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_AES_256_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static const mbedtls_cipher_info_t aes_128_cfb128_info = {
- "AES-128-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_AES_128_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_cfb128_info = {
- "AES-192-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_AES_192_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_cfb128_info = {
- "AES-256-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_AES_256_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
-static const mbedtls_cipher_info_t aes_128_ofb_info = {
- "AES-128-OFB",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_OFB,
- MBEDTLS_CIPHER_AES_128_OFB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_ofb_info = {
- "AES-192-OFB",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_OFB,
- MBEDTLS_CIPHER_AES_192_OFB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_ofb_info = {
- "AES-256-OFB",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_OFB,
- MBEDTLS_CIPHER_AES_256_OFB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_MODE_OFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static const mbedtls_cipher_info_t aes_128_ctr_info = {
- "AES-128-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_AES_128_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_ctr_info = {
- "AES-192-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_AES_192_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_ctr_info = {
- "AES-256-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_AES_256_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
-static int xts_aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- mbedtls_aes_xts_context *xts_ctx = ctx;
- return mbedtls_aes_xts_setkey_enc(xts_ctx, key, key_bitlen);
-}
-
-static int xts_aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- mbedtls_aes_xts_context *xts_ctx = ctx;
- return mbedtls_aes_xts_setkey_dec(xts_ctx, key, key_bitlen);
-}
-
-static void *xts_aes_ctx_alloc(void)
-{
- mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc(1, sizeof(*xts_ctx));
-
- if (xts_ctx != NULL) {
- mbedtls_aes_xts_init(xts_ctx);
- }
-
- return xts_ctx;
-}
-
-static void xts_aes_ctx_free(void *ctx)
-{
- mbedtls_aes_xts_context *xts_ctx = ctx;
-
- if (xts_ctx == NULL) {
- return;
- }
-
- mbedtls_aes_xts_free(xts_ctx);
- mbedtls_free(xts_ctx);
-}
-
-static const mbedtls_cipher_base_t xts_aes_info = {
- MBEDTLS_CIPHER_ID_AES,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- aes_crypt_xts_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- xts_aes_setkey_enc_wrap,
- xts_aes_setkey_dec_wrap,
- xts_aes_ctx_alloc,
- xts_aes_ctx_free
-};
-
-static const mbedtls_cipher_info_t aes_128_xts_info = {
- "AES-128-XTS",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_XTS,
- MBEDTLS_CIPHER_AES_128_XTS,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_256_xts_info = {
- "AES-256-XTS",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 512 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_XTS,
- MBEDTLS_CIPHER_AES_256_XTS,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_MODE_XTS */
-
-#if defined(MBEDTLS_GCM_C)
-static int gcm_aes_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
- key, key_bitlen);
-}
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA)
-static const mbedtls_cipher_base_t gcm_aes_info = {
- MBEDTLS_CIPHER_ID_AES,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
-#if defined(MBEDTLS_GCM_C)
- gcm_aes_setkey_wrap,
- gcm_aes_setkey_wrap,
- gcm_ctx_alloc,
- gcm_ctx_free,
-#else
- NULL,
- NULL,
- NULL,
- NULL,
-#endif /* MBEDTLS_GCM_C */
-};
-#endif /* MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA */
-
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA)
-static const mbedtls_cipher_info_t aes_128_gcm_info = {
- "AES-128-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_AES_128_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_gcm_info = {
- "AES-192-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_AES_192_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_gcm_info = {
- "AES-256-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_AES_256_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA */
-
-#if defined(MBEDTLS_CCM_C)
-static int ccm_aes_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
- key, key_bitlen);
-}
-#endif /* MBEDTLS_CCM_C */
-
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA)
-static const mbedtls_cipher_base_t ccm_aes_info = {
- MBEDTLS_CIPHER_ID_AES,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
-#if defined(MBEDTLS_CCM_C)
- ccm_aes_setkey_wrap,
- ccm_aes_setkey_wrap,
- ccm_ctx_alloc,
- ccm_ctx_free,
-#else
- NULL,
- NULL,
- NULL,
- NULL,
-#endif
-};
-#endif /* MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA */
-
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA)
-static const mbedtls_cipher_info_t aes_128_ccm_info = {
- "AES-128-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_AES_128_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_ccm_info = {
- "AES-192-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_AES_192_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_ccm_info = {
- "AES-256-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_AES_256_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA */
-
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA)
-static const mbedtls_cipher_info_t aes_128_ccm_star_no_tag_info = {
- "AES-128-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_ccm_star_no_tag_info = {
- "AES-192-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_ccm_star_no_tag_info = {
- "AES-256-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
-};
-#endif
-#endif /* MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA */
-
-#endif /* MBEDTLS_AES_C */
-
-#if defined(MBEDTLS_CAMELLIA_C)
-
-static int camellia_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_camellia_crypt_ecb((mbedtls_camellia_context *) ctx, operation, input,
- output);
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static int camellia_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length, unsigned char *iv,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_camellia_crypt_cbc((mbedtls_camellia_context *) ctx, operation, length, iv,
- input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static int camellia_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length, size_t *iv_off, unsigned char *iv,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_camellia_crypt_cfb128((mbedtls_camellia_context *) ctx, operation, length,
- iv_off, iv, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static int camellia_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
- unsigned char *nonce_counter, unsigned char *stream_block,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_camellia_crypt_ctr((mbedtls_camellia_context *) ctx, length, nc_off,
- nonce_counter, stream_block, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-static int camellia_setkey_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_camellia_setkey_dec((mbedtls_camellia_context *) ctx, key, key_bitlen);
-}
-
-static int camellia_setkey_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_camellia_setkey_enc((mbedtls_camellia_context *) ctx, key, key_bitlen);
-}
-
-static void *camellia_ctx_alloc(void)
-{
- mbedtls_camellia_context *ctx;
- ctx = mbedtls_calloc(1, sizeof(mbedtls_camellia_context));
-
- if (ctx == NULL) {
- return NULL;
- }
-
- mbedtls_camellia_init(ctx);
-
- return ctx;
-}
-
-static void camellia_ctx_free(void *ctx)
-{
- mbedtls_camellia_free((mbedtls_camellia_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t camellia_info = {
- MBEDTLS_CIPHER_ID_CAMELLIA,
- camellia_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- camellia_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- camellia_crypt_cfb128_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- camellia_crypt_ctr_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- camellia_setkey_enc_wrap,
- camellia_setkey_dec_wrap,
- camellia_ctx_alloc,
- camellia_ctx_free
-};
-
-static const mbedtls_cipher_info_t camellia_128_ecb_info = {
- "CAMELLIA-128-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_CAMELLIA_128_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_ecb_info = {
- "CAMELLIA-192-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_CAMELLIA_192_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_ecb_info = {
- "CAMELLIA-256-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_CAMELLIA_256_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t camellia_128_cbc_info = {
- "CAMELLIA-128-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_CAMELLIA_128_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_cbc_info = {
- "CAMELLIA-192-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_CAMELLIA_192_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_cbc_info = {
- "CAMELLIA-256-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_CAMELLIA_256_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
- "CAMELLIA-128-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
- "CAMELLIA-192-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
- "CAMELLIA-256-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static const mbedtls_cipher_info_t camellia_128_ctr_info = {
- "CAMELLIA-128-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_CAMELLIA_128_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_ctr_info = {
- "CAMELLIA-192-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_CAMELLIA_192_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_ctr_info = {
- "CAMELLIA-256-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_CAMELLIA_256_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_GCM_C)
-static int gcm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
- key, key_bitlen);
-}
-
-static const mbedtls_cipher_base_t gcm_camellia_info = {
- MBEDTLS_CIPHER_ID_CAMELLIA,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- gcm_camellia_setkey_wrap,
- gcm_camellia_setkey_wrap,
- gcm_ctx_alloc,
- gcm_ctx_free,
-};
-
-static const mbedtls_cipher_info_t camellia_128_gcm_info = {
- "CAMELLIA-128-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_CAMELLIA_128_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_gcm_info = {
- "CAMELLIA-192-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_CAMELLIA_192_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_gcm_info = {
- "CAMELLIA-256-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_CAMELLIA_256_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
-};
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_CCM_C)
-static int ccm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
- key, key_bitlen);
-}
-
-static const mbedtls_cipher_base_t ccm_camellia_info = {
- MBEDTLS_CIPHER_ID_CAMELLIA,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- ccm_camellia_setkey_wrap,
- ccm_camellia_setkey_wrap,
- ccm_ctx_alloc,
- ccm_ctx_free,
-};
-
-static const mbedtls_cipher_info_t camellia_128_ccm_info = {
- "CAMELLIA-128-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_CAMELLIA_128_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_ccm_info = {
- "CAMELLIA-192-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_CAMELLIA_192_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_ccm_info = {
- "CAMELLIA-256-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_CAMELLIA_256_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_128_ccm_star_no_tag_info = {
- "CAMELLIA-128-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_192_ccm_star_no_tag_info = {
- "CAMELLIA-192-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-
-static const mbedtls_cipher_info_t camellia_256_ccm_star_no_tag_info = {
- "CAMELLIA-256-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
-};
-#endif /* MBEDTLS_CCM_C */
-
-#endif /* MBEDTLS_CAMELLIA_C */
-
-#if defined(MBEDTLS_ARIA_C)
-
-static int aria_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
- const unsigned char *input, unsigned char *output)
-{
- (void) operation;
- return mbedtls_aria_crypt_ecb((mbedtls_aria_context *) ctx, input,
- output);
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static int aria_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length, unsigned char *iv,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aria_crypt_cbc((mbedtls_aria_context *) ctx, operation, length, iv,
- input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static int aria_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
- size_t length, size_t *iv_off, unsigned char *iv,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aria_crypt_cfb128((mbedtls_aria_context *) ctx, operation, length,
- iv_off, iv, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static int aria_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
- unsigned char *nonce_counter, unsigned char *stream_block,
- const unsigned char *input, unsigned char *output)
-{
- return mbedtls_aria_crypt_ctr((mbedtls_aria_context *) ctx, length, nc_off,
- nonce_counter, stream_block, input, output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-static int aria_setkey_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_aria_setkey_dec((mbedtls_aria_context *) ctx, key, key_bitlen);
-}
-
-static int aria_setkey_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_aria_setkey_enc((mbedtls_aria_context *) ctx, key, key_bitlen);
-}
-
-static void *aria_ctx_alloc(void)
-{
- mbedtls_aria_context *ctx;
- ctx = mbedtls_calloc(1, sizeof(mbedtls_aria_context));
-
- if (ctx == NULL) {
- return NULL;
- }
-
- mbedtls_aria_init(ctx);
-
- return ctx;
-}
-
-static void aria_ctx_free(void *ctx)
-{
- mbedtls_aria_free((mbedtls_aria_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t aria_info = {
- MBEDTLS_CIPHER_ID_ARIA,
- aria_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- aria_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- aria_crypt_cfb128_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- aria_crypt_ctr_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- aria_setkey_enc_wrap,
- aria_setkey_dec_wrap,
- aria_ctx_alloc,
- aria_ctx_free
-};
-
-static const mbedtls_cipher_info_t aria_128_ecb_info = {
- "ARIA-128-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_ARIA_128_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_ecb_info = {
- "ARIA-192-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_ARIA_192_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_ecb_info = {
- "ARIA-256-ECB",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_ARIA_256_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t aria_128_cbc_info = {
- "ARIA-128-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_ARIA_128_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_cbc_info = {
- "ARIA-192-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_ARIA_192_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_cbc_info = {
- "ARIA-256-CBC",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_ARIA_256_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-static const mbedtls_cipher_info_t aria_128_cfb128_info = {
- "ARIA-128-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_ARIA_128_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_cfb128_info = {
- "ARIA-192-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_ARIA_192_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_cfb128_info = {
- "ARIA-256-CFB128",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CFB,
- MBEDTLS_CIPHER_ARIA_256_CFB128,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-static const mbedtls_cipher_info_t aria_128_ctr_info = {
- "ARIA-128-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_ARIA_128_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_ctr_info = {
- "ARIA-192-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_ARIA_192_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_ctr_info = {
- "ARIA-256-CTR",
- 16,
- 16 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CTR,
- MBEDTLS_CIPHER_ARIA_256_CTR,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_ARIA
-};
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#if defined(MBEDTLS_GCM_C)
-static int gcm_aria_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
- key, key_bitlen);
-}
-
-static const mbedtls_cipher_base_t gcm_aria_info = {
- MBEDTLS_CIPHER_ID_ARIA,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- gcm_aria_setkey_wrap,
- gcm_aria_setkey_wrap,
- gcm_ctx_alloc,
- gcm_ctx_free,
-};
-
-static const mbedtls_cipher_info_t aria_128_gcm_info = {
- "ARIA-128-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_ARIA_128_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_gcm_info = {
- "ARIA-192-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_ARIA_192_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_gcm_info = {
- "ARIA-256-GCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_GCM,
- MBEDTLS_CIPHER_ARIA_256_GCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
-};
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_CCM_C)
-static int ccm_aria_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
- key, key_bitlen);
-}
-
-static const mbedtls_cipher_base_t ccm_aria_info = {
- MBEDTLS_CIPHER_ID_ARIA,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- ccm_aria_setkey_wrap,
- ccm_aria_setkey_wrap,
- ccm_ctx_alloc,
- ccm_ctx_free,
-};
-
-static const mbedtls_cipher_info_t aria_128_ccm_info = {
- "ARIA-128-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_ARIA_128_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_ccm_info = {
- "ARIA-192-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_ARIA_192_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_ccm_info = {
- "ARIA-256-CCM",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM,
- MBEDTLS_CIPHER_ARIA_256_CCM,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_128_ccm_star_no_tag_info = {
- "ARIA-128-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_192_ccm_star_no_tag_info = {
- "ARIA-192-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-
-static const mbedtls_cipher_info_t aria_256_ccm_star_no_tag_info = {
- "ARIA-256-CCM*-NO-TAG",
- 16,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG,
- MBEDTLS_CIPHER_VARIABLE_IV_LEN,
- MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
-};
-#endif /* MBEDTLS_CCM_C */
-
-#endif /* MBEDTLS_ARIA_C */
-
-#if defined(MBEDTLS_DES_C)
-
-static int des_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
- const unsigned char *input, unsigned char *output)
-{
- ((void) operation);
- return mbedtls_des_crypt_ecb((mbedtls_des_context *) ctx, input, output);
-}
-
-static int des3_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
- const unsigned char *input, unsigned char *output)
-{
- ((void) operation);
- return mbedtls_des3_crypt_ecb((mbedtls_des3_context *) ctx, input, output);
-}
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static int des_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
- unsigned char *iv, const unsigned char *input, unsigned char *output)
-{
- return mbedtls_des_crypt_cbc((mbedtls_des_context *) ctx, operation, length, iv, input,
- output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static int des3_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
- unsigned char *iv, const unsigned char *input, unsigned char *output)
-{
- return mbedtls_des3_crypt_cbc((mbedtls_des3_context *) ctx, operation, length, iv, input,
- output);
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-static int des_setkey_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des_setkey_dec((mbedtls_des_context *) ctx, key);
-}
-
-static int des_setkey_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des_setkey_enc((mbedtls_des_context *) ctx, key);
-}
-
-static int des3_set2key_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des3_set2key_dec((mbedtls_des3_context *) ctx, key);
-}
-
-static int des3_set2key_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des3_set2key_enc((mbedtls_des3_context *) ctx, key);
-}
-
-static int des3_set3key_dec_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des3_set3key_dec((mbedtls_des3_context *) ctx, key);
-}
-
-static int des3_set3key_enc_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) key_bitlen);
-
- return mbedtls_des3_set3key_enc((mbedtls_des3_context *) ctx, key);
-}
-
-static void *des_ctx_alloc(void)
-{
- mbedtls_des_context *des = mbedtls_calloc(1, sizeof(mbedtls_des_context));
-
- if (des == NULL) {
- return NULL;
- }
-
- mbedtls_des_init(des);
-
- return des;
-}
-
-static void des_ctx_free(void *ctx)
-{
- mbedtls_des_free((mbedtls_des_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static void *des3_ctx_alloc(void)
-{
- mbedtls_des3_context *des3;
- des3 = mbedtls_calloc(1, sizeof(mbedtls_des3_context));
-
- if (des3 == NULL) {
- return NULL;
- }
-
- mbedtls_des3_init(des3);
-
- return des3;
-}
-
-static void des3_ctx_free(void *ctx)
-{
- mbedtls_des3_free((mbedtls_des3_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t des_info = {
- MBEDTLS_CIPHER_ID_DES,
- des_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- des_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- des_setkey_enc_wrap,
- des_setkey_dec_wrap,
- des_ctx_alloc,
- des_ctx_free
-};
-
-static const mbedtls_cipher_info_t des_ecb_info = {
- "DES-ECB",
- 8,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_DES_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t des_cbc_info = {
- "DES-CBC",
- 8,
- 8 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_DES_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-static const mbedtls_cipher_base_t des_ede_info = {
- MBEDTLS_CIPHER_ID_DES,
- des3_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- des3_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- des3_set2key_enc_wrap,
- des3_set2key_dec_wrap,
- des3_ctx_alloc,
- des3_ctx_free
-};
-
-static const mbedtls_cipher_info_t des_ede_ecb_info = {
- "DES-EDE-ECB",
- 8,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_DES_EDE_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t des_ede_cbc_info = {
- "DES-EDE-CBC",
- 8,
- 8 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_DES_EDE_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-static const mbedtls_cipher_base_t des_ede3_info = {
- MBEDTLS_CIPHER_ID_3DES,
- des3_crypt_ecb_wrap,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- des3_crypt_cbc_wrap,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- des3_set3key_enc_wrap,
- des3_set3key_dec_wrap,
- des3_ctx_alloc,
- des3_ctx_free
-};
-
-static const mbedtls_cipher_info_t des_ede3_ecb_info = {
- "DES-EDE3-ECB",
- 8,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_ECB,
- MBEDTLS_CIPHER_DES_EDE3_ECB,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
-};
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const mbedtls_cipher_info_t des_ede3_cbc_info = {
- "DES-EDE3-CBC",
- 8,
- 8 >> MBEDTLS_IV_SIZE_SHIFT,
- MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CBC,
- MBEDTLS_CIPHER_DES_EDE3_CBC,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_CHACHA20_C)
-
-static int chacha20_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- if (key_bitlen != 256U) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (0 != mbedtls_chacha20_setkey((mbedtls_chacha20_context *) ctx, key)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-static int chacha20_stream_wrap(void *ctx, size_t length,
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- ret = mbedtls_chacha20_update(ctx, length, input, output);
- if (ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return ret;
-}
-
-static void *chacha20_ctx_alloc(void)
-{
- mbedtls_chacha20_context *ctx;
- ctx = mbedtls_calloc(1, sizeof(mbedtls_chacha20_context));
-
- if (ctx == NULL) {
- return NULL;
- }
-
- mbedtls_chacha20_init(ctx);
-
- return ctx;
-}
-
-static void chacha20_ctx_free(void *ctx)
-{
- mbedtls_chacha20_free((mbedtls_chacha20_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t chacha20_base_info = {
- MBEDTLS_CIPHER_ID_CHACHA20,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- chacha20_stream_wrap,
-#endif
- chacha20_setkey_wrap,
- chacha20_setkey_wrap,
- chacha20_ctx_alloc,
- chacha20_ctx_free
-};
-static const mbedtls_cipher_info_t chacha20_info = {
- "CHACHA20",
- 1,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_STREAM,
- MBEDTLS_CIPHER_CHACHA20,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE
-};
-#endif /* MBEDTLS_CHACHA20_C */
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
-
-static int chachapoly_setkey_wrap(void *ctx,
- const unsigned char *key,
- unsigned int key_bitlen)
-{
- if (key_bitlen != 256U) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (0 != mbedtls_chachapoly_setkey((mbedtls_chachapoly_context *) ctx, key)) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-static void *chachapoly_ctx_alloc(void)
-{
- mbedtls_chachapoly_context *ctx;
- ctx = mbedtls_calloc(1, sizeof(mbedtls_chachapoly_context));
-
- if (ctx == NULL) {
- return NULL;
- }
-
- mbedtls_chachapoly_init(ctx);
-
- return ctx;
-}
-
-static void chachapoly_ctx_free(void *ctx)
-{
- mbedtls_chachapoly_free((mbedtls_chachapoly_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static const mbedtls_cipher_base_t chachapoly_base_info = {
- MBEDTLS_CIPHER_ID_CHACHA20,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- chachapoly_setkey_wrap,
- chachapoly_setkey_wrap,
- chachapoly_ctx_alloc,
- chachapoly_ctx_free
-};
-static const mbedtls_cipher_info_t chachapoly_info = {
- "CHACHA20-POLY1305",
- 1,
- 12 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_CHACHAPOLY,
- MBEDTLS_CIPHER_CHACHA20_POLY1305,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE
-};
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-static int null_crypt_stream(void *ctx, size_t length,
- const unsigned char *input,
- unsigned char *output)
-{
- ((void) ctx);
- memmove(output, input, length);
- return 0;
-}
-
-static int null_setkey(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- ((void) ctx);
- ((void) key);
- ((void) key_bitlen);
-
- return 0;
-}
-
-static void *null_ctx_alloc(void)
-{
- return (void *) 1;
-}
-
-static void null_ctx_free(void *ctx)
-{
- ((void) ctx);
-}
-
-static const mbedtls_cipher_base_t null_base_info = {
- MBEDTLS_CIPHER_ID_NULL,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- null_crypt_stream,
-#endif
- null_setkey,
- null_setkey,
- null_ctx_alloc,
- null_ctx_free
-};
-
-static const mbedtls_cipher_info_t null_cipher_info = {
- "NULL",
- 1,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 0 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_STREAM,
- MBEDTLS_CIPHER_NULL,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE
-};
-#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
-
-#if defined(MBEDTLS_NIST_KW_C)
-static void *kw_ctx_alloc(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_nist_kw_context));
-
- if (ctx != NULL) {
- mbedtls_nist_kw_init((mbedtls_nist_kw_context *) ctx);
- }
-
- return ctx;
-}
-
-static void kw_ctx_free(void *ctx)
-{
- mbedtls_nist_kw_free(ctx);
- mbedtls_free(ctx);
-}
-
-static int kw_aes_setkey_wrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
- MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 1);
-}
-
-static int kw_aes_setkey_unwrap(void *ctx, const unsigned char *key,
- unsigned int key_bitlen)
-{
- return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
- MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 0);
-}
-
-static const mbedtls_cipher_base_t kw_aes_info = {
- MBEDTLS_CIPHER_ID_AES,
- NULL,
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- NULL,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- NULL,
-#endif
- kw_aes_setkey_wrap,
- kw_aes_setkey_unwrap,
- kw_ctx_alloc,
- kw_ctx_free,
-};
-
-static const mbedtls_cipher_info_t aes_128_nist_kw_info = {
- "AES-128-KW",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KW,
- MBEDTLS_CIPHER_AES_128_KW,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_nist_kw_info = {
- "AES-192-KW",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KW,
- MBEDTLS_CIPHER_AES_192_KW,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_nist_kw_info = {
- "AES-256-KW",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KW,
- MBEDTLS_CIPHER_AES_256_KW,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-#endif
-
-static const mbedtls_cipher_info_t aes_128_nist_kwp_info = {
- "AES-128-KWP",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KWP,
- MBEDTLS_CIPHER_AES_128_KWP,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const mbedtls_cipher_info_t aes_192_nist_kwp_info = {
- "AES-192-KWP",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KWP,
- MBEDTLS_CIPHER_AES_192_KWP,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-
-static const mbedtls_cipher_info_t aes_256_nist_kwp_info = {
- "AES-256-KWP",
- 16,
- 0 >> MBEDTLS_IV_SIZE_SHIFT,
- 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
- MBEDTLS_MODE_KWP,
- MBEDTLS_CIPHER_AES_256_KWP,
- 0,
- MBEDTLS_CIPHER_BASE_INDEX_KW_AES
-};
-#endif
-#endif /* MBEDTLS_NIST_KW_C */
-
-const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
-{
-#if defined(MBEDTLS_AES_C)
- { MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info },
- { MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info },
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- { MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info },
- { MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- { MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_CFB128, &aes_192_cfb128_info },
- { MBEDTLS_CIPHER_AES_256_CFB128, &aes_256_cfb128_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- { MBEDTLS_CIPHER_AES_128_OFB, &aes_128_ofb_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_OFB, &aes_192_ofb_info },
- { MBEDTLS_CIPHER_AES_256_OFB, &aes_256_ofb_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- { MBEDTLS_CIPHER_AES_128_CTR, &aes_128_ctr_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_CTR, &aes_192_ctr_info },
- { MBEDTLS_CIPHER_AES_256_CTR, &aes_256_ctr_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- { MBEDTLS_CIPHER_AES_128_XTS, &aes_128_xts_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA)
- { MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info },
- { MBEDTLS_CIPHER_AES_256_GCM, &aes_256_gcm_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA)
- { MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info },
- { MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info },
-#endif
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA)
- { MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, &aes_128_ccm_star_no_tag_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, &aes_192_ccm_star_no_tag_info },
- { MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, &aes_256_ccm_star_no_tag_info },
-#endif
-#endif
-#endif /* MBEDTLS_AES_C */
-
-#if defined(MBEDTLS_CAMELLIA_C)
- { MBEDTLS_CIPHER_CAMELLIA_128_ECB, &camellia_128_ecb_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_ECB, &camellia_192_ecb_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_ECB, &camellia_256_ecb_info },
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- { MBEDTLS_CIPHER_CAMELLIA_128_CBC, &camellia_128_cbc_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_CBC, &camellia_192_cbc_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_CBC, &camellia_256_cbc_info },
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- { MBEDTLS_CIPHER_CAMELLIA_128_CFB128, &camellia_128_cfb128_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_CFB128, &camellia_192_cfb128_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_CFB128, &camellia_256_cfb128_info },
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- { MBEDTLS_CIPHER_CAMELLIA_128_CTR, &camellia_128_ctr_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_CTR, &camellia_192_ctr_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_CTR, &camellia_256_ctr_info },
-#endif
-#if defined(MBEDTLS_GCM_C)
- { MBEDTLS_CIPHER_CAMELLIA_128_GCM, &camellia_128_gcm_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_GCM, &camellia_192_gcm_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_GCM, &camellia_256_gcm_info },
-#endif
-#if defined(MBEDTLS_CCM_C)
- { MBEDTLS_CIPHER_CAMELLIA_128_CCM, &camellia_128_ccm_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_CCM, &camellia_192_ccm_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_CCM, &camellia_256_ccm_info },
- { MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, &camellia_128_ccm_star_no_tag_info },
- { MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, &camellia_192_ccm_star_no_tag_info },
- { MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, &camellia_256_ccm_star_no_tag_info },
-#endif
-#endif /* MBEDTLS_CAMELLIA_C */
-
-#if defined(MBEDTLS_ARIA_C)
- { MBEDTLS_CIPHER_ARIA_128_ECB, &aria_128_ecb_info },
- { MBEDTLS_CIPHER_ARIA_192_ECB, &aria_192_ecb_info },
- { MBEDTLS_CIPHER_ARIA_256_ECB, &aria_256_ecb_info },
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- { MBEDTLS_CIPHER_ARIA_128_CBC, &aria_128_cbc_info },
- { MBEDTLS_CIPHER_ARIA_192_CBC, &aria_192_cbc_info },
- { MBEDTLS_CIPHER_ARIA_256_CBC, &aria_256_cbc_info },
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- { MBEDTLS_CIPHER_ARIA_128_CFB128, &aria_128_cfb128_info },
- { MBEDTLS_CIPHER_ARIA_192_CFB128, &aria_192_cfb128_info },
- { MBEDTLS_CIPHER_ARIA_256_CFB128, &aria_256_cfb128_info },
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- { MBEDTLS_CIPHER_ARIA_128_CTR, &aria_128_ctr_info },
- { MBEDTLS_CIPHER_ARIA_192_CTR, &aria_192_ctr_info },
- { MBEDTLS_CIPHER_ARIA_256_CTR, &aria_256_ctr_info },
-#endif
-#if defined(MBEDTLS_GCM_C)
- { MBEDTLS_CIPHER_ARIA_128_GCM, &aria_128_gcm_info },
- { MBEDTLS_CIPHER_ARIA_192_GCM, &aria_192_gcm_info },
- { MBEDTLS_CIPHER_ARIA_256_GCM, &aria_256_gcm_info },
-#endif
-#if defined(MBEDTLS_CCM_C)
- { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info },
- { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info },
- { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info },
- { MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, &aria_128_ccm_star_no_tag_info },
- { MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, &aria_192_ccm_star_no_tag_info },
- { MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, &aria_256_ccm_star_no_tag_info },
-#endif
-#endif /* MBEDTLS_ARIA_C */
-
-#if defined(MBEDTLS_DES_C)
- { MBEDTLS_CIPHER_DES_ECB, &des_ecb_info },
- { MBEDTLS_CIPHER_DES_EDE_ECB, &des_ede_ecb_info },
- { MBEDTLS_CIPHER_DES_EDE3_ECB, &des_ede3_ecb_info },
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- { MBEDTLS_CIPHER_DES_CBC, &des_cbc_info },
- { MBEDTLS_CIPHER_DES_EDE_CBC, &des_ede_cbc_info },
- { MBEDTLS_CIPHER_DES_EDE3_CBC, &des_ede3_cbc_info },
-#endif
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_CHACHA20_C)
- { MBEDTLS_CIPHER_CHACHA20, &chacha20_info },
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- { MBEDTLS_CIPHER_CHACHA20_POLY1305, &chachapoly_info },
-#endif
-
-#if defined(MBEDTLS_NIST_KW_C)
- { MBEDTLS_CIPHER_AES_128_KW, &aes_128_nist_kw_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_KW, &aes_192_nist_kw_info },
- { MBEDTLS_CIPHER_AES_256_KW, &aes_256_nist_kw_info },
-#endif
- { MBEDTLS_CIPHER_AES_128_KWP, &aes_128_nist_kwp_info },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { MBEDTLS_CIPHER_AES_192_KWP, &aes_192_nist_kwp_info },
- { MBEDTLS_CIPHER_AES_256_KWP, &aes_256_nist_kwp_info },
-#endif
-#endif
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
- { MBEDTLS_CIPHER_NULL, &null_cipher_info },
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-
- { MBEDTLS_CIPHER_NONE, NULL }
-};
-
-#define NUM_CIPHERS (sizeof(mbedtls_cipher_definitions) / \
- sizeof(mbedtls_cipher_definitions[0]))
-int mbedtls_cipher_supported[NUM_CIPHERS];
-
-const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[] = {
-#if defined(MBEDTLS_AES_C)
- [MBEDTLS_CIPHER_BASE_INDEX_AES] = &aes_info,
-#endif
-#if defined(MBEDTLS_ARIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_ARIA] = &aria_info,
-#endif
-#if defined(MBEDTLS_CAMELLIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA] = &camellia_info,
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
- [MBEDTLS_CIPHER_BASE_INDEX_CCM_AES] = &ccm_aes_info,
-#endif
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA] = &ccm_aria_info,
-#endif
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA] = &ccm_camellia_info,
-#endif
-#if defined(MBEDTLS_CHACHA20_C)
- [MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE] = &chacha20_base_info,
-#endif
-#if defined(MBEDTLS_CHACHAPOLY_C)
- [MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE] = &chachapoly_base_info,
-#endif
-#if defined(MBEDTLS_DES_C)
- [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3] = &des_ede3_info,
-#endif
-#if defined(MBEDTLS_DES_C)
- [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE] = &des_ede_info,
-#endif
-#if defined(MBEDTLS_DES_C)
- [MBEDTLS_CIPHER_BASE_INDEX_DES] = &des_info,
-#endif
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
- [MBEDTLS_CIPHER_BASE_INDEX_GCM_AES] = &gcm_aes_info,
-#endif
-#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA] = &gcm_aria_info,
-#endif
-#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
- [MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA] = &gcm_camellia_info,
-#endif
-#if defined(MBEDTLS_NIST_KW_C)
- [MBEDTLS_CIPHER_BASE_INDEX_KW_AES] = &kw_aes_info,
-#endif
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
- [MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE] = &null_base_info,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
- [MBEDTLS_CIPHER_BASE_INDEX_XTS_AES] = &xts_aes_info
-#endif
-};
-
-#endif /* MBEDTLS_CIPHER_C */
diff --git a/library/cipher_wrap.h b/library/cipher_wrap.h
deleted file mode 100644
index c1915bc..0000000
--- a/library/cipher_wrap.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
- * \file cipher_wrap.h
- *
- * \brief Cipher wrappers.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_CIPHER_WRAP_H
-#define MBEDTLS_CIPHER_WRAP_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Support for GCM either through Mbed TLS SW implementation or PSA */
-#if defined(MBEDTLS_GCM_C) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
-#define MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C)) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_KEY_TYPE_AES))
-#define MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if defined(MBEDTLS_CCM_C) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
-#define MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM) && defined(PSA_WANT_KEY_TYPE_AES))
-#define MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if defined(MBEDTLS_CCM_C) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG))
-#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C) || \
- (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
-#define MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA
-#endif
-
-#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) || \
- defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) || \
- defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA) || \
- defined(MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA)
-#define MBEDTLS_CIPHER_HAVE_SOME_AEAD_VIA_LEGACY_OR_USE_PSA
-#endif
-
-/**
- * Base cipher information. The non-mode specific functions and values.
- */
-struct mbedtls_cipher_base_t {
- /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
- mbedtls_cipher_id_t cipher;
-
- /** Encrypt using ECB */
- int (*ecb_func)(void *ctx, mbedtls_operation_t mode,
- const unsigned char *input, unsigned char *output);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- /** Encrypt using CBC */
- int (*cbc_func)(void *ctx, mbedtls_operation_t mode, size_t length,
- unsigned char *iv, const unsigned char *input,
- unsigned char *output);
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
- /** Encrypt using CFB (Full length) */
- int (*cfb_func)(void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
- unsigned char *iv, const unsigned char *input,
- unsigned char *output);
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_OFB)
- /** Encrypt using OFB (Full length) */
- int (*ofb_func)(void *ctx, size_t length, size_t *iv_off,
- unsigned char *iv,
- const unsigned char *input,
- unsigned char *output);
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
- /** Encrypt using CTR */
- int (*ctr_func)(void *ctx, size_t length, size_t *nc_off,
- unsigned char *nonce_counter, unsigned char *stream_block,
- const unsigned char *input, unsigned char *output);
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_XTS)
- /** Encrypt or decrypt using XTS. */
- int (*xts_func)(void *ctx, mbedtls_operation_t mode, size_t length,
- const unsigned char data_unit[16],
- const unsigned char *input, unsigned char *output);
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_STREAM)
- /** Encrypt using STREAM */
- int (*stream_func)(void *ctx, size_t length,
- const unsigned char *input, unsigned char *output);
-#endif
-
- /** Set key for encryption purposes */
- int (*setkey_enc_func)(void *ctx, const unsigned char *key,
- unsigned int key_bitlen);
-
- /** Set key for decryption purposes */
- int (*setkey_dec_func)(void *ctx, const unsigned char *key,
- unsigned int key_bitlen);
-
- /** Allocate a new context */
- void * (*ctx_alloc_func)(void);
-
- /** Free the given context */
- void (*ctx_free_func)(void *ctx);
-
-};
-
-typedef struct {
- mbedtls_cipher_type_t type;
- const mbedtls_cipher_info_t *info;
-} mbedtls_cipher_definition_t;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-typedef enum {
- MBEDTLS_CIPHER_PSA_KEY_UNSET = 0,
- MBEDTLS_CIPHER_PSA_KEY_OWNED, /* Used for PSA-based cipher contexts which */
- /* use raw key material internally imported */
- /* as a volatile key, and which hence need */
- /* to destroy that key when the context is */
- /* freed. */
- MBEDTLS_CIPHER_PSA_KEY_NOT_OWNED, /* Used for PSA-based cipher contexts */
- /* which use a key provided by the */
- /* user, and which hence will not be */
- /* destroyed when the context is freed. */
-} mbedtls_cipher_psa_key_ownership;
-
-typedef struct {
- psa_algorithm_t alg;
- mbedtls_svc_key_id_t slot;
- mbedtls_cipher_psa_key_ownership slot_state;
-} mbedtls_cipher_context_psa;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
-
-extern int mbedtls_cipher_supported[];
-
-extern const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[];
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_CIPHER_WRAP_H */
diff --git a/library/cmac.c b/library/cmac.c
deleted file mode 100644
index c079686..0000000
--- a/library/cmac.c
+++ /dev/null
@@ -1,1079 +0,0 @@
-/**
- * \file cmac.c
- *
- * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References:
- *
- * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
- * CMAC Mode for Authentication
- * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
- *
- * - RFC 4493 - The AES-CMAC Algorithm
- * https://tools.ietf.org/html/rfc4493
- *
- * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
- * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
- * Algorithm for the Internet Key Exchange Protocol (IKE)
- * https://tools.ietf.org/html/rfc4615
- *
- * Additional test vectors: ISO/IEC 9797-1
- *
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CMAC_C)
-
-#include "mbedtls/cmac.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform.h"
-
-#include <string.h>
-
-#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
-
-/*
- * Multiplication by u in the Galois field of GF(2^n)
- *
- * As explained in NIST SP 800-38B, this can be computed:
- *
- * If MSB(p) = 0, then p = (p << 1)
- * If MSB(p) = 1, then p = (p << 1) ^ R_n
- * with R_64 = 0x1B and R_128 = 0x87
- *
- * Input and output MUST NOT point to the same buffer
- * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
- */
-static int cmac_multiply_by_u(unsigned char *output,
- const unsigned char *input,
- size_t blocksize)
-{
- const unsigned char R_128 = 0x87;
- const unsigned char R_64 = 0x1B;
- unsigned char R_n, mask;
- unsigned char overflow = 0x00;
- int i;
-
- if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
- R_n = R_128;
- } else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
- R_n = R_64;
- } else {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- for (i = (int) blocksize - 1; i >= 0; i--) {
- output[i] = input[i] << 1 | overflow;
- overflow = input[i] >> 7;
- }
-
- /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
- * using bit operations to avoid branches */
-
- /* MSVC has a warning about unary minus on unsigned, but this is
- * well-defined and precisely what we want to do here */
-#if defined(_MSC_VER)
-#pragma warning( push )
-#pragma warning( disable : 4146 )
-#endif
- mask = -(input[0] >> 7);
-#if defined(_MSC_VER)
-#pragma warning( pop )
-#endif
-
- output[blocksize - 1] ^= R_n & mask;
-
- return 0;
-}
-
-/*
- * Generate subkeys
- *
- * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
- */
-static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
- unsigned char *K1, unsigned char *K2)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
- size_t olen, block_size;
-
- mbedtls_platform_zeroize(L, sizeof(L));
-
- block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
-
- /* Calculate Ek(0) */
- if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
- goto exit;
- }
-
- /*
- * Generate K1 and K2
- */
- if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
- goto exit;
- }
-
- if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_platform_zeroize(L, sizeof(L));
-
- return ret;
-}
-#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
-
-#if !defined(MBEDTLS_CMAC_ALT)
-
-/*
- * Create padded last block from (partial) last block.
- *
- * We can't use the padding option from the cipher layer, as it only works for
- * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
- */
-static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
- size_t padded_block_len,
- const unsigned char *last_block,
- size_t last_block_len)
-{
- size_t j;
-
- for (j = 0; j < padded_block_len; j++) {
- if (j < last_block_len) {
- padded_block[j] = last_block[j];
- } else if (j == last_block_len) {
- padded_block[j] = 0x80;
- } else {
- padded_block[j] = 0x00;
- }
- }
-}
-
-int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
- const unsigned char *key, size_t keybits)
-{
- mbedtls_cipher_type_t type;
- mbedtls_cmac_context_t *cmac_ctx;
- int retval;
-
- if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
- MBEDTLS_ENCRYPT)) != 0) {
- return retval;
- }
-
- type = mbedtls_cipher_info_get_type(ctx->cipher_info);
-
- switch (type) {
- case MBEDTLS_CIPHER_AES_128_ECB:
- case MBEDTLS_CIPHER_AES_192_ECB:
- case MBEDTLS_CIPHER_AES_256_ECB:
- case MBEDTLS_CIPHER_DES_EDE3_ECB:
- break;
- default:
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /* Allocated and initialise in the cipher context memory for the CMAC
- * context */
- cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
- if (cmac_ctx == NULL) {
- return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
- }
-
- ctx->cmac_ctx = cmac_ctx;
-
- mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
-
- return 0;
-}
-
-int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
- const unsigned char *input, size_t ilen)
-{
- mbedtls_cmac_context_t *cmac_ctx;
- unsigned char *state;
- int ret = 0;
- size_t n, j, olen, block_size;
-
- if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
- ctx->cmac_ctx == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- cmac_ctx = ctx->cmac_ctx;
- block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
- state = ctx->cmac_ctx->state;
-
- /* Is there data still to process from the last call, that's greater in
- * size than a block? */
- if (cmac_ctx->unprocessed_len > 0 &&
- ilen > block_size - cmac_ctx->unprocessed_len) {
- memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
- input,
- block_size - cmac_ctx->unprocessed_len);
-
- mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
-
- if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
- &olen)) != 0) {
- goto exit;
- }
-
- input += block_size - cmac_ctx->unprocessed_len;
- ilen -= block_size - cmac_ctx->unprocessed_len;
- cmac_ctx->unprocessed_len = 0;
- }
-
- /* n is the number of blocks including any final partial block */
- n = (ilen + block_size - 1) / block_size;
-
- /* Iterate across the input data in block sized chunks, excluding any
- * final partial or complete block */
- for (j = 1; j < n; j++) {
- mbedtls_xor_no_simd(state, input, state, block_size);
-
- if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
- &olen)) != 0) {
- goto exit;
- }
-
- ilen -= block_size;
- input += block_size;
- }
-
- /* If there is data left over that wasn't aligned to a block */
- if (ilen > 0) {
- memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
- input,
- ilen);
- cmac_ctx->unprocessed_len += ilen;
- }
-
-exit:
- return ret;
-}
-
-int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
- unsigned char *output)
-{
- mbedtls_cmac_context_t *cmac_ctx;
- unsigned char *state, *last_block;
- unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
- unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
- unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen, block_size;
-
- if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
- output == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- cmac_ctx = ctx->cmac_ctx;
- block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
- state = cmac_ctx->state;
-
- mbedtls_platform_zeroize(K1, sizeof(K1));
- mbedtls_platform_zeroize(K2, sizeof(K2));
- cmac_generate_subkeys(ctx, K1, K2);
-
- last_block = cmac_ctx->unprocessed_block;
-
- /* Calculate last block */
- if (cmac_ctx->unprocessed_len < block_size) {
- cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
- mbedtls_xor(M_last, M_last, K2, block_size);
- } else {
- /* Last block is complete block */
- mbedtls_xor(M_last, last_block, K1, block_size);
- }
-
-
- mbedtls_xor(state, M_last, state, block_size);
- if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
- &olen)) != 0) {
- goto exit;
- }
-
- memcpy(output, state, block_size);
-
-exit:
- /* Wipe the generated keys on the stack, and any other transients to avoid
- * side channel leakage */
- mbedtls_platform_zeroize(K1, sizeof(K1));
- mbedtls_platform_zeroize(K2, sizeof(K2));
-
- cmac_ctx->unprocessed_len = 0;
- mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
- sizeof(cmac_ctx->unprocessed_block));
-
- mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
- return ret;
-}
-
-int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
-{
- mbedtls_cmac_context_t *cmac_ctx;
-
- if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- cmac_ctx = ctx->cmac_ctx;
-
- /* Reset the internal state */
- cmac_ctx->unprocessed_len = 0;
- mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
- sizeof(cmac_ctx->unprocessed_block));
- mbedtls_platform_zeroize(cmac_ctx->state,
- sizeof(cmac_ctx->state));
-
- return 0;
-}
-
-int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
- const unsigned char *key, size_t keylen,
- const unsigned char *input, size_t ilen,
- unsigned char *output)
-{
- mbedtls_cipher_context_t ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- mbedtls_cipher_init(&ctx);
-
- if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
- goto exit;
- }
-
- ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_cipher_cmac_finish(&ctx, output);
-
-exit:
- mbedtls_cipher_free(&ctx);
-
- return ret;
-}
-
-#if defined(MBEDTLS_AES_C)
-/*
- * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
- */
-int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
- const unsigned char *input, size_t in_len,
- unsigned char output[16])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_cipher_info_t *cipher_info;
- unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
- unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
-
- if (key == NULL || input == NULL || output == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
- if (cipher_info == NULL) {
- /* Failing at this point must be due to a build issue */
- ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- goto exit;
- }
-
- if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
- /* Use key as is */
- memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
- } else {
- memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
-
- ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
- key_length, int_key);
- if (ret != 0) {
- goto exit;
- }
- }
-
- ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
- output);
-
-exit:
- mbedtls_platform_zeroize(int_key, sizeof(int_key));
-
- return ret;
-}
-#endif /* MBEDTLS_AES_C */
-
-#endif /* !MBEDTLS_CMAC_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * CMAC test data for SP800-38B
- * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
- * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
- *
- * AES-CMAC-PRF-128 test data from RFC 4615
- * https://tools.ietf.org/html/rfc4615#page-4
- */
-
-#define NB_CMAC_TESTS_PER_KEY 4
-#define NB_PRF_TESTS 3
-
-#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
-/* All CMAC test inputs are truncated from the same 64 byte buffer. */
-static const unsigned char test_message[] = {
- /* PT */
- 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
- 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
- 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
- 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
- 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
- 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
- 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
- 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
-};
-#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
-/* Truncation point of message for AES CMAC tests */
-static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
- /* Mlen */
- 0,
- 16,
- 20,
- 64
-};
-
-/* CMAC-AES128 Test Data */
-static const unsigned char aes_128_key[16] = {
- 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
- 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
-};
-static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
- {
- /* K1 */
- 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
- 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
- },
- {
- /* K2 */
- 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
- 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
- }
-};
-static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
-{
- {
- /* Example #1 */
- 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
- 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
- },
- {
- /* Example #2 */
- 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
- 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
- },
- {
- /* Example #3 */
- 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
- 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
- },
- {
- /* Example #4 */
- 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
- 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
- }
-};
-
-/* CMAC-AES192 Test Data */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const unsigned char aes_192_key[24] = {
- 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
- 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
- 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
-};
-static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
- {
- /* K1 */
- 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
- 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
- },
- {
- /* K2 */
- 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
- 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
- }
-};
-static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
-{
- {
- /* Example #1 */
- 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
- 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
- },
- {
- /* Example #2 */
- 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
- 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
- },
- {
- /* Example #3 */
- 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
- 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
- },
- {
- /* Example #4 */
- 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
- 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
- }
-};
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
-/* CMAC-AES256 Test Data */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
-static const unsigned char aes_256_key[32] = {
- 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
- 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
- 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
- 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
-};
-static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
- {
- /* K1 */
- 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
- 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
- },
- {
- /* K2 */
- 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
- 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
- }
-};
-static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
-{
- {
- /* Example #1 */
- 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
- 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
- },
- {
- /* Example #2 */
- 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
- 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
- },
- {
- /* Example #3 */
- 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
- 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
- },
- {
- /* Example #4 */
- 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
- 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
- }
-};
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-#endif /* MBEDTLS_AES_C */
-
-#if defined(MBEDTLS_DES_C)
-/* Truncation point of message for 3DES CMAC tests */
-static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
- 0,
- 16,
- 20,
- 32
-};
-
-/* CMAC-TDES (Generation) - 2 Key Test Data */
-static const unsigned char des3_2key_key[24] = {
- /* Key1 */
- 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
- /* Key2 */
- 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
- /* Key3 */
- 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
-};
-static const unsigned char des3_2key_subkeys[2][8] = {
- {
- /* K1 */
- 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
- },
- {
- /* K2 */
- 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
- }
-};
-static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
- = {
- {
- /* Sample #1 */
- 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
- },
- {
- /* Sample #2 */
- 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
- },
- {
- /* Sample #3 */
- 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
- },
- {
- /* Sample #4 */
- 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
- }
- };
-
-/* CMAC-TDES (Generation) - 3 Key Test Data */
-static const unsigned char des3_3key_key[24] = {
- /* Key1 */
- 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
- /* Key2 */
- 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
- /* Key3 */
- 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
-};
-static const unsigned char des3_3key_subkeys[2][8] = {
- {
- /* K1 */
- 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
- },
- {
- /* K2 */
- 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
- }
-};
-static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
- = {
- {
- /* Sample #1 */
- 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
- },
- {
- /* Sample #2 */
- 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
- },
- {
- /* Sample #3 */
- 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
- },
- {
- /* Sample #4 */
- 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
- }
- };
-
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
-/* AES AES-CMAC-PRF-128 Test Data */
-static const unsigned char PRFK[] = {
- /* Key */
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0xed, 0xcb
-};
-
-/* Sizes in bytes */
-static const size_t PRFKlen[NB_PRF_TESTS] = {
- 18,
- 16,
- 10
-};
-
-/* Message */
-static const unsigned char PRFM[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13
-};
-
-static const unsigned char PRFT[NB_PRF_TESTS][16] = {
- {
- 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
- 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
- },
- {
- 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
- 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
- },
- {
- 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
- 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
- }
-};
-#endif /* MBEDTLS_AES_C */
-
-static int cmac_test_subkeys(int verbose,
- const char *testname,
- const unsigned char *key,
- int keybits,
- const unsigned char *subkeys,
- mbedtls_cipher_type_t cipher_type,
- int block_size,
- int num_tests)
-{
- int i, ret = 0;
- mbedtls_cipher_context_t ctx;
- const mbedtls_cipher_info_t *cipher_info;
- unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
- unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
-
- cipher_info = mbedtls_cipher_info_from_type(cipher_type);
- if (cipher_info == NULL) {
- /* Failing at this point must be due to a build issue */
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- for (i = 0; i < num_tests; i++) {
- if (verbose != 0) {
- mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
- }
-
- mbedtls_cipher_init(&ctx);
-
- if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
- if (verbose != 0) {
- mbedtls_printf("test execution failed\n");
- }
-
- goto cleanup;
- }
-
- if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
- MBEDTLS_ENCRYPT)) != 0) {
- /* When CMAC is implemented by an alternative implementation, or
- * the underlying primitive itself is implemented alternatively,
- * AES-192 may be unavailable. This should not cause the selftest
- * function to fail. */
- if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
- ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
- cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
- if (verbose != 0) {
- mbedtls_printf("skipped\n");
- }
- goto next_test;
- }
-
- if (verbose != 0) {
- mbedtls_printf("test execution failed\n");
- }
-
- goto cleanup;
- }
-
- ret = cmac_generate_subkeys(&ctx, K1, K2);
- if (ret != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- goto cleanup;
- }
-
- if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
- (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-next_test:
- mbedtls_cipher_free(&ctx);
- }
-
- ret = 0;
- goto exit;
-
-cleanup:
- mbedtls_cipher_free(&ctx);
-
-exit:
- return ret;
-}
-
-static int cmac_test_wth_cipher(int verbose,
- const char *testname,
- const unsigned char *key,
- int keybits,
- const unsigned char *messages,
- const unsigned int message_lengths[4],
- const unsigned char *expected_result,
- mbedtls_cipher_type_t cipher_type,
- int block_size,
- int num_tests)
-{
- const mbedtls_cipher_info_t *cipher_info;
- int i, ret = 0;
- unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
-
- cipher_info = mbedtls_cipher_info_from_type(cipher_type);
- if (cipher_info == NULL) {
- /* Failing at this point must be due to a build issue */
- ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- goto exit;
- }
-
- for (i = 0; i < num_tests; i++) {
- if (verbose != 0) {
- mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
- }
-
- if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
- message_lengths[i], output)) != 0) {
- /* When CMAC is implemented by an alternative implementation, or
- * the underlying primitive itself is implemented alternatively,
- * AES-192 and/or 3DES may be unavailable. This should not cause
- * the selftest function to fail. */
- if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
- ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
- (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
- cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
- if (verbose != 0) {
- mbedtls_printf("skipped\n");
- }
- continue;
- }
-
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
-
- if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
- ret = 0;
-
-exit:
- return ret;
-}
-
-#if defined(MBEDTLS_AES_C)
-static int test_aes128_cmac_prf(int verbose)
-{
- int i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
-
- for (i = 0; i < NB_PRF_TESTS; i++) {
- mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
- ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
- if (ret != 0 ||
- memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
-
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return ret;
- } else if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
- return ret;
-}
-#endif /* MBEDTLS_AES_C */
-
-int mbedtls_cmac_self_test(int verbose)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_AES_C)
- /* AES-128 */
- if ((ret = cmac_test_subkeys(verbose,
- "AES 128",
- aes_128_key,
- 128,
- (const unsigned char *) aes_128_subkeys,
- MBEDTLS_CIPHER_AES_128_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- if ((ret = cmac_test_wth_cipher(verbose,
- "AES 128",
- aes_128_key,
- 128,
- test_message,
- aes_message_lengths,
- (const unsigned char *) aes_128_expected_result,
- MBEDTLS_CIPHER_AES_128_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- /* AES-192 */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- if ((ret = cmac_test_subkeys(verbose,
- "AES 192",
- aes_192_key,
- 192,
- (const unsigned char *) aes_192_subkeys,
- MBEDTLS_CIPHER_AES_192_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- if ((ret = cmac_test_wth_cipher(verbose,
- "AES 192",
- aes_192_key,
- 192,
- test_message,
- aes_message_lengths,
- (const unsigned char *) aes_192_expected_result,
- MBEDTLS_CIPHER_AES_192_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-
- /* AES-256 */
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- if ((ret = cmac_test_subkeys(verbose,
- "AES 256",
- aes_256_key,
- 256,
- (const unsigned char *) aes_256_subkeys,
- MBEDTLS_CIPHER_AES_256_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- if ((ret = cmac_test_wth_cipher(verbose,
- "AES 256",
- aes_256_key,
- 256,
- test_message,
- aes_message_lengths,
- (const unsigned char *) aes_256_expected_result,
- MBEDTLS_CIPHER_AES_256_ECB,
- MBEDTLS_AES_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-#endif /* MBEDTLS_AES_C */
-
-#if defined(MBEDTLS_DES_C)
- /* 3DES 2 key */
- if ((ret = cmac_test_subkeys(verbose,
- "3DES 2 key",
- des3_2key_key,
- 192,
- (const unsigned char *) des3_2key_subkeys,
- MBEDTLS_CIPHER_DES_EDE3_ECB,
- MBEDTLS_DES3_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- if ((ret = cmac_test_wth_cipher(verbose,
- "3DES 2 key",
- des3_2key_key,
- 192,
- test_message,
- des3_message_lengths,
- (const unsigned char *) des3_2key_expected_result,
- MBEDTLS_CIPHER_DES_EDE3_ECB,
- MBEDTLS_DES3_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- /* 3DES 3 key */
- if ((ret = cmac_test_subkeys(verbose,
- "3DES 3 key",
- des3_3key_key,
- 192,
- (const unsigned char *) des3_3key_subkeys,
- MBEDTLS_CIPHER_DES_EDE3_ECB,
- MBEDTLS_DES3_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-
- if ((ret = cmac_test_wth_cipher(verbose,
- "3DES 3 key",
- des3_3key_key,
- 192,
- test_message,
- des3_message_lengths,
- (const unsigned char *) des3_3key_expected_result,
- MBEDTLS_CIPHER_DES_EDE3_ECB,
- MBEDTLS_DES3_BLOCK_SIZE,
- NB_CMAC_TESTS_PER_KEY)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
- if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_AES_C */
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_CMAC_C */
diff --git a/library/common.h b/library/common.h
index 570b97e..3936ffd 100644
--- a/library/common.h
+++ b/library/common.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_LIBRARY_COMMON_H
@@ -33,7 +21,11 @@
#if defined(__ARM_NEON)
#include <arm_neon.h>
-#endif /* __ARM_NEON */
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#include <arm64_neon.h>
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#endif
/** Helper to define a function as static except when building invasive tests.
*
@@ -166,6 +158,12 @@ static inline const unsigned char *mbedtls_buffer_offset_const(
return p == NULL ? NULL : p + n;
}
+/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
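Review bot: The forced-inline preamble added above the mbedtls_xor() doc block covers only IAR and `__GNUC__` compilers, and the same five lines are repeated before mbedtls_xor_no_simd() in the hunk at -206,11. Any other toolchain silently keeps plain `static inline`, so the performance reasoning in the comment does not hold there. I would say so in the comment, for example `/* Compilers other than IAR and GNU-compatible ones get no forced inlining here. */`. Defining the preamble once and reusing it at both sites would also keep the two copies from drifting; the function itself starts in the next hunk.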
@@ -176,29 +174,61 @@ static inline const unsigned char *mbedtls_buffer_offset_const(
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
-inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
+static inline void mbedtls_xor(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
-#if defined(__ARM_NEON)
+#if defined(MBEDTLS_HAVE_NEON_INTRINSICS) && \
+ (!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300))
+ /* Old GCC versions generate a warning here, so disable the NEON path for these compilers */
for (; (i + 16) <= n; i += 16) {
uint8x16_t v1 = vld1q_u8(a + i);
uint8x16_t v2 = vld1q_u8(b + i);
uint8x16_t x = veorq_u8(v1, v2);
vst1q_u8(r + i, x);
}
-#elif defined(__amd64__) || defined(__x86_64__) || defined(__aarch64__)
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 16.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 16 == 0) {
+ return;
+ }
+#endif
+#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
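Review bot: The new NEON guard `!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300)` relies on macros this header no longer provides. The hunk at -306,22 removes the `MBEDTLS_COMPILER_IS_GCC` definition from common.h, and `MBEDTLS_GCC_VERSION`, `MBEDTLS_ARCH_IS_X64` and `MBEDTLS_ARCH_IS_ARM64` are not defined in any visible hunk. Presumably they now come from a header included earlier, but if that include is ever missing the preprocessor treats them as undefined without a diagnostic: old GCC would take the NEON path again and 64-bit targets would fall through to the 32-bit loop. A comment above the `#if` naming the providing header would make the dependency explicit, e.g. `/* MBEDTLS_COMPILER_IS_GCC, MBEDTLS_GCC_VERSION and MBEDTLS_ARCH_IS_* come from <providing header>. */`. The body of mbedtls_xor() continues past the end of this hunk.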
@@ -206,11 +236,18 @@ inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned
}
}
+/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
+ * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
*
- * In some situations, this can perform better than mbedtls_xor (e.g., it's about 5%
+ * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
* better in AES-CBC).
*
* \param r Pointer to result (buffer of at least \p n bytes). \p r
@@ -219,6 +256,14 @@ inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
*/
static inline void mbedtls_xor_no_simd(unsigned char *r,
const unsigned char *a,
@@ -227,17 +272,31 @@ static inline void mbedtls_xor_no_simd(unsigned char *r,
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
-#if defined(__amd64__) || defined(__x86_64__) || defined(__aarch64__)
+#if defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 8.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
#endif
#endif
for (; i < n; i++) {
@@ -306,22 +365,34 @@ static inline void mbedtls_xor_no_simd(unsigned char *r,
#define MBEDTLS_STATIC_ASSERT(expr, msg)
#endif
-/* Define compiler branch hints */
#if defined(__has_builtin)
-#if __has_builtin(__builtin_expect)
+#define MBEDTLS_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#define MBEDTLS_HAS_BUILTIN(x) 0
+#endif
+
+/* Define compiler branch hints */
+#if MBEDTLS_HAS_BUILTIN(__builtin_expect)
#define MBEDTLS_LIKELY(x) __builtin_expect(!!(x), 1)
#define MBEDTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
-#endif
-#endif
-#if !defined(MBEDTLS_LIKELY)
+#else
#define MBEDTLS_LIKELY(x) x
#define MBEDTLS_UNLIKELY(x) x
#endif
-#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
- && !defined(__llvm__) && !defined(__INTEL_COMPILER)
-/* Defined if the compiler really is gcc and not clang, etc */
-#define MBEDTLS_COMPILER_IS_GCC
+/* MBEDTLS_ASSUME may be used to provide additional information to the compiler
+ * which can result in smaller code-size. */
+#if MBEDTLS_HAS_BUILTIN(__builtin_assume)
+/* clang provides __builtin_assume */
+#define MBEDTLS_ASSUME(x) __builtin_assume(x)
+#elif MBEDTLS_HAS_BUILTIN(__builtin_unreachable)
+/* gcc and IAR can use __builtin_unreachable */
+#define MBEDTLS_ASSUME(x) do { if (!(x)) __builtin_unreachable(); } while (0)
+#elif defined(_MSC_VER)
+/* Supported by MSVC since VS 2005 */
+#define MBEDTLS_ASSUME(x) __assume(x)
+#else
+#define MBEDTLS_ASSUME(x) do { } while (0)
#endif
/* For gcc -Os, override with -O2 for a given function.
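Review bot: `MBEDTLS_ASSUME(x)` is documented only as a code-size aid, but its contract is stricter than the comment says. In the `__builtin_unreachable()` and `__assume` variants a false `x` is undefined behaviour and lets the compiler discard later checks, so it must never be given a condition that depends on unvalidated input or stand in for a runtime check. The variants also differ in evaluation: the `if (!(x))` form executes `x` while the fallback `do { } while (0)` drops it, so `x` has to be free of side effects. I would extend the comment accordingly, e.g. `/* x must be side-effect free and true on every call; a false x is undefined behaviour, so this is not a substitute for validation. */`.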
@@ -344,8 +415,14 @@ static inline void mbedtls_xor_no_simd(unsigned char *r,
# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
#endif
#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__)
-# if (__VER__ >= 8010000) // IAR 8.1 or later
-# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
+/* IAR does support __attribute__((unused)), but only if the -e flag (extended language support)
+ * is given; the pragma always works.
+ * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless.
+ * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't
+ * able to find documentation).
+ */
+# if (__VER__ >= 5020000)
+# define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177")
# endif
#endif
#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER)
diff --git a/library/constant_time.c b/library/constant_time.c
deleted file mode 100644
index 8b41aed..0000000
--- a/library/constant_time.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/**
- * Constant-time functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The following functions are implemented without using comparison operators, as those
- * might be translated to branches by some compilers on some platforms.
- */
-
-#include <stdint.h>
-#include <limits.h>
-
-#include "common.h"
-#include "constant_time_internal.h"
-#include "mbedtls/constant_time.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-#include "psa/crypto.h"
-/* Define a local translating function to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_ssl_errors,
- ARRAY_LENGTH(psa_to_ssl_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
-
-#if !defined(MBEDTLS_CT_ASM)
-/*
- * Define an object with the value zero, such that the compiler cannot prove that it
- * has the value zero (because it is volatile, it "may be modified in ways unknown to
- * the implementation").
- */
-volatile mbedtls_ct_uint_t mbedtls_ct_zero = 0;
-#endif
-
-/*
- * Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to
- * perform fast unaligned access to volatile data.
- *
- * This is needed because mbedtls_get_unaligned_uintXX etc don't support volatile
- * memory accesses.
- *
- * Some of these definitions could be moved into alignment.h but for now they are
- * only used here.
- */
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && \
- ((defined(MBEDTLS_CT_ARM_ASM) && (UINTPTR_MAX == 0xfffffffful)) || \
- defined(MBEDTLS_CT_AARCH64_ASM))
-/* We check pointer sizes to avoid issues with them not matching register size requirements */
-#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
-
-static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsigned char *p)
-{
- /* This is UB, even where it's safe:
- * return *((volatile uint32_t*)p);
- * so instead the same thing is expressed in assembly below.
- */
- uint32_t r;
-#if defined(MBEDTLS_CT_ARM_ASM)
- asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
-#elif defined(MBEDTLS_CT_AARCH64_ASM)
- asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
-#else
-#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32"
-#endif
- return r;
-}
-#endif /* defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) &&
- (defined(MBEDTLS_CT_ARM_ASM) || defined(MBEDTLS_CT_AARCH64_ASM)) */
-
-int mbedtls_ct_memcmp(const void *a,
- const void *b,
- size_t n)
-{
- size_t i = 0;
- /*
- * `A` and `B` are cast to volatile to ensure that the compiler
- * generates code that always fully reads both buffers.
- * Otherwise it could generate a test to exit early if `diff` has all
- * bits set early in the loop.
- */
- volatile const unsigned char *A = (volatile const unsigned char *) a;
- volatile const unsigned char *B = (volatile const unsigned char *) b;
- uint32_t diff = 0;
-
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS)
- for (; (i + 4) <= n; i += 4) {
- uint32_t x = mbedtls_get_unaligned_volatile_uint32(A + i);
- uint32_t y = mbedtls_get_unaligned_volatile_uint32(B + i);
- diff |= x ^ y;
- }
-#endif
-
- for (; i < n; i++) {
- /* Read volatile data in order before computing diff.
- * This avoids IAR compiler warning:
- * 'the order of volatile accesses is undefined ..' */
- unsigned char x = A[i], y = B[i];
- diff |= x ^ y;
- }
-
-
-#if (INT_MAX < INT32_MAX)
- /* We don't support int smaller than 32-bits, but if someone tried to build
- * with this configuration, there is a risk that, for differing data, the
- * only bits set in diff are in the top 16-bits, and would be lost by a
- * simple cast from uint32 to int.
- * This would have significant security implications, so protect against it. */
-#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
-#else
- /* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
- * a value that is in the range 0..INT_MAX - a value larger than this would
- * result in implementation defined behaviour.
- *
- * This ensures that the value returned by the function is non-zero iff
- * diff is non-zero.
- */
- return (int) ((diff & 0xffff) | (diff >> 16));
-#endif
-}
-
-#if defined(MBEDTLS_NIST_KW_C)
-
-int mbedtls_ct_memcmp_partial(const void *a,
- const void *b,
- size_t n,
- size_t skip_head,
- size_t skip_tail)
-{
- unsigned int diff = 0;
-
- volatile const unsigned char *A = (volatile const unsigned char *) a;
- volatile const unsigned char *B = (volatile const unsigned char *) b;
-
- size_t valid_end = n - skip_tail;
-
- for (size_t i = 0; i < n; i++) {
- unsigned char x = A[i], y = B[i];
- unsigned int d = x ^ y;
- mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
- mbedtls_ct_uint_lt(i, valid_end));
- diff |= mbedtls_ct_uint_if_else_0(valid, d);
- }
-
- /* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
- * cast from uint to int is safe. */
- return (int) diff;
-}
-
-#endif
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
-
-void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
-{
- volatile unsigned char *buf = start;
- for (size_t i = 0; i < total; i++) {
- mbedtls_ct_condition_t no_op = mbedtls_ct_uint_gt(total - offset, i);
- /* The first `total - offset` passes are a no-op. The last
- * `offset` passes shift the data one byte to the left and
- * zero out the last byte. */
- for (size_t n = 0; n < total - 1; n++) {
- unsigned char current = buf[n];
- unsigned char next = buf[n+1];
- buf[n] = mbedtls_ct_uint_if(no_op, current, next);
- }
- buf[total-1] = mbedtls_ct_uint_if_else_0(no_op, buf[total-1]);
- }
-}
-
-#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
-
-void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
- unsigned char *dest,
- const unsigned char *src1,
- const unsigned char *src2,
- size_t len)
-{
-#if defined(MBEDTLS_CT_SIZE_64)
- const uint64_t mask = (uint64_t) condition;
- const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition);
-#else
- const uint32_t mask = (uint32_t) condition;
- const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition);
-#endif
-
- /* If src2 is NULL, setup src2 so that we read from the destination address.
- *
- * This means that if src2 == NULL && condition is false, the result will be a
- * no-op because we read from dest and write the same data back into dest.
- */
- if (src2 == NULL) {
- src2 = dest;
- }
-
- /* dest[i] = c1 == c2 ? src[i] : dest[i] */
- size_t i = 0;
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
-#if defined(MBEDTLS_CT_SIZE_64)
- for (; (i + 8) <= len; i += 8) {
- uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask;
- uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask;
- mbedtls_put_unaligned_uint64(dest + i, a | b);
- }
-#else
- for (; (i + 4) <= len; i += 4) {
- uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask;
- uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask;
- mbedtls_put_unaligned_uint32(dest + i, a | b);
- }
-#endif /* defined(MBEDTLS_CT_SIZE_64) */
-#endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */
- for (; i < len; i++) {
- dest[i] = (src1[i] & mask) | (src2[i] & not_mask);
- }
-}
-
-void mbedtls_ct_memcpy_offset(unsigned char *dest,
- const unsigned char *src,
- size_t offset,
- size_t offset_min,
- size_t offset_max,
- size_t len)
-{
- size_t offsetval;
-
- for (offsetval = offset_min; offsetval <= offset_max; offsetval++) {
- mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offsetval, offset), dest, src + offsetval, NULL,
- len);
- }
-}
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
-
-void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len)
-{
- uint32_t mask = (uint32_t) ~condition;
- uint8_t *p = (uint8_t *) buf;
- size_t i = 0;
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
- for (; (i + 4) <= len; i += 4) {
- mbedtls_put_unaligned_uint32((void *) (p + i),
- mbedtls_get_unaligned_uint32((void *) (p + i)) & mask);
- }
-#endif
- for (; i < len; i++) {
- p[i] = p[i] & mask;
- }
-}
-
-#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
deleted file mode 100644
index 7759ac3..0000000
--- a/library/constant_time_impl.h
+++ /dev/null
@@ -1,566 +0,0 @@
-/**
- * Constant-time functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONSTANT_TIME_IMPL_H
-#define MBEDTLS_CONSTANT_TIME_IMPL_H
-
-#include <stddef.h>
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-/*
- * To improve readability of constant_time_internal.h, the static inline
- * definitions are here, and constant_time_internal.h has only the declarations.
- *
- * This results in duplicate declarations of the form:
- * static inline void f(); // from constant_time_internal.h
- * static inline void f() { ... } // from constant_time_impl.h
- * when constant_time_internal.h is included.
- *
- * This appears to behave as if the declaration-without-definition was not present
- * (except for warnings if gcc -Wredundant-decls or similar is used).
- *
- * Disable -Wredundant-decls so that gcc does not warn about this. This is re-enabled
- * at the bottom of this file.
- */
-#ifdef __GNUC__
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wredundant-decls"
-#endif
-
-/* Disable asm under Memsan because it confuses Memsan and generates false errors.
- *
- * We also disable under Valgrind by default, because it's more useful
- * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names
- * may be set to permit building asm under Valgrind.
- */
-#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \
- (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names
-#define MBEDTLS_CT_NO_ASM
-#elif defined(__has_feature)
-#if __has_feature(memory_sanitizer)
-#define MBEDTLS_CT_NO_ASM
-#endif
-#endif
-
-/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
-#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \
- __ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM)
-#define MBEDTLS_CT_ASM
-#if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__))
-#define MBEDTLS_CT_ARM_ASM
-#elif defined(__aarch64__)
-#define MBEDTLS_CT_AARCH64_ASM
-#elif defined(__amd64__) || defined(__x86_64__)
-#define MBEDTLS_CT_X86_64_ASM
-#elif defined(__i386__)
-#define MBEDTLS_CT_X86_ASM
-#endif
-#endif
-
-#define MBEDTLS_CT_SIZE (sizeof(mbedtls_ct_uint_t) * 8)
-
-
-/* ============================================================================
- * Core const-time primitives
- */
-
-/* Ensure that the compiler cannot know the value of x (i.e., cannot optimise
- * based on its value) after this function is called.
- *
- * If we are not using assembly, this will be fairly inefficient, so its use
- * should be minimised.
- */
-
-#if !defined(MBEDTLS_CT_ASM)
-extern volatile mbedtls_ct_uint_t mbedtls_ct_zero;
-#endif
-
-/**
- * \brief Ensure that a value cannot be known at compile time.
- *
- * \param x The value to hide from the compiler.
- * \return The same value that was passed in, such that the compiler
- * cannot prove its value (even for calls of the form
- * x = mbedtls_ct_compiler_opaque(1), x will be unknown).
- *
- * \note This is mainly used in constructing mbedtls_ct_condition_t
- * values and performing operations over them, to ensure that
- * there is no way for the compiler to ever know anything about
- * the value of an mbedtls_ct_condition_t.
- */
-static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
-{
-#if defined(MBEDTLS_CT_ASM)
- asm volatile ("" : [x] "+r" (x) :);
- return x;
-#else
- return x ^ mbedtls_ct_zero;
-#endif
-}
-
-/*
- * Selecting unified syntax is needed for gcc, and harmless on clang.
- *
- * This is needed because on Thumb 1, condition flags are always set, so
- * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist).
- *
- * Under Thumb 1 unified syntax, only the "negs" form is accepted, and
- * under divided syntax, only the "neg" form is accepted. clang only
- * supports unified syntax.
- *
- * On Thumb 2 and Arm, both compilers are happy with the "s" suffix,
- * although we don't actually care about setting the flags.
- *
- * For gcc, restore divided syntax afterwards - otherwise old versions of gcc
- * seem to apply unified syntax globally, which breaks other asm code.
- */
-#if !defined(__clang__)
-#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
-#else
-#define RESTORE_ASM_SYNTAX
-#endif
-
-/* Convert a number into a condition in constant time. */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
-{
- /*
- * Define mask-generation code that, as far as possible, will not use branches or conditional instructions.
- *
- * For some platforms / type sizes, we define assembly to assure this.
- *
- * Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into
- * conditional instructions or branches by trunk clang, gcc, or MSVC v19.
- */
-#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- mbedtls_ct_uint_t s;
- asm volatile ("neg %x[s], %x[x] \n\t"
- "orr %x[x], %x[s], %x[x] \n\t"
- "asr %x[x], %x[x], 63 \n\t"
- :
- [s] "=&r" (s),
- [x] "+&r" (x)
- :
- :
- );
- return (mbedtls_ct_condition_t) x;
-#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
- uint32_t s;
- asm volatile (".syntax unified \n\t"
- "negs %[s], %[x] \n\t"
- "orrs %[x], %[x], %[s] \n\t"
- "asrs %[x], %[x], #31 \n\t"
- RESTORE_ASM_SYNTAX
- :
- [s] "=&l" (s),
- [x] "+&l" (x)
- :
- :
- "cc" /* clobbers flag bits */
- );
- return (mbedtls_ct_condition_t) x;
-#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- uint64_t s;
- asm volatile ("mov %[x], %[s] \n\t"
- "neg %[s] \n\t"
- "or %[x], %[s] \n\t"
- "sar $63, %[s] \n\t"
- :
- [s] "=&a" (s)
- :
- [x] "D" (x)
- :
- );
- return (mbedtls_ct_condition_t) s;
-#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
- uint32_t s;
- asm volatile ("mov %[x], %[s] \n\t"
- "neg %[s] \n\t"
- "or %[s], %[x] \n\t"
- "sar $31, %[x] \n\t"
- :
- [s] "=&c" (s),
- [x] "+&a" (x)
- :
- :
- );
- return (mbedtls_ct_condition_t) x;
-#else
- const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
-#if defined(_MSC_VER)
- /* MSVC has a warning about unary minus on unsigned, but this is
- * well-defined and precisely what we want to do here */
-#pragma warning( push )
-#pragma warning( disable : 4146 )
-#endif
- // y is negative (i.e., top bit set) iff x is non-zero
- mbedtls_ct_int_t y = (-xo) | -(xo >> 1);
-
- // extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero)
- y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1));
-
- // -y has all bits set (if x is non-zero), or all bits clear (if x is zero)
- return (mbedtls_ct_condition_t) (-y);
-#if defined(_MSC_VER)
-#pragma warning( pop )
-#endif
-#endif
-}
-
-static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
- mbedtls_ct_uint_t if1,
- mbedtls_ct_uint_t if0)
-{
-#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
- "mvn %x[condition], %x[condition] \n\t"
- "and %x[condition], %x[condition], %x[if0] \n\t"
- "orr %x[condition], %x[if1], %x[condition]"
- :
- [condition] "+&r" (condition),
- [if1] "+&r" (if1)
- :
- [if0] "r" (if0)
- :
- );
- return (mbedtls_ct_uint_t) condition;
-#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
- asm volatile (".syntax unified \n\t"
- "ands %[if1], %[if1], %[condition] \n\t"
- "mvns %[condition], %[condition] \n\t"
- "ands %[condition], %[condition], %[if0] \n\t"
- "orrs %[condition], %[if1], %[condition] \n\t"
- RESTORE_ASM_SYNTAX
- :
- [condition] "+&l" (condition),
- [if1] "+&l" (if1)
- :
- [if0] "l" (if0)
- :
- "cc"
- );
- return (mbedtls_ct_uint_t) condition;
-#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- asm volatile ("and %[condition], %[if1] \n\t"
- "not %[condition] \n\t"
- "and %[condition], %[if0] \n\t"
- "or %[if1], %[if0] \n\t"
- :
- [condition] "+&D" (condition),
- [if1] "+&S" (if1),
- [if0] "+&a" (if0)
- :
- :
- );
- return if0;
-#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
- asm volatile ("and %[condition], %[if1] \n\t"
- "not %[condition] \n\t"
- "and %[if0], %[condition] \n\t"
- "or %[condition], %[if1] \n\t"
- :
- [condition] "+&c" (condition),
- [if1] "+&a" (if1)
- :
- [if0] "b" (if0)
- :
- );
- return if1;
-#else
- mbedtls_ct_condition_t not_cond =
- (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
- return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0));
-#endif
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
-{
-#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- uint64_t s1;
- asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
- "sub %x[x], %x[x], %x[y] \n\t"
- "bic %x[x], %x[x], %x[s1] \n\t"
- "and %x[s1], %x[s1], %x[y] \n\t"
- "orr %x[s1], %x[x], %x[s1] \n\t"
- "asr %x[x], %x[s1], 63"
- :
- [s1] "=&r" (s1),
- [x] "+&r" (x)
- :
- [y] "r" (y)
- :
- );
- return (mbedtls_ct_condition_t) x;
-#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
- uint32_t s1;
- asm volatile (
- ".syntax unified \n\t"
-#if defined(__thumb__) && !defined(__thumb2__)
- "movs %[s1], %[x] \n\t"
- "eors %[s1], %[s1], %[y] \n\t"
-#else
- "eors %[s1], %[x], %[y] \n\t"
-#endif
- "subs %[x], %[x], %[y] \n\t"
- "bics %[x], %[x], %[s1] \n\t"
- "ands %[y], %[s1], %[y] \n\t"
- "orrs %[x], %[x], %[y] \n\t"
- "asrs %[x], %[x], #31 \n\t"
- RESTORE_ASM_SYNTAX
- :
- [s1] "=&l" (s1),
- [x] "+&l" (x),
- [y] "+&l" (y)
- :
- :
- "cc"
- );
- return (mbedtls_ct_condition_t) x;
-#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- uint64_t s;
- asm volatile ("mov %[x], %[s] \n\t"
- "xor %[y], %[s] \n\t"
- "sub %[y], %[x] \n\t"
- "and %[s], %[y] \n\t"
- "not %[s] \n\t"
- "and %[s], %[x] \n\t"
- "or %[y], %[x] \n\t"
- "sar $63, %[x] \n\t"
- :
- [s] "=&a" (s),
- [x] "+&D" (x),
- [y] "+&S" (y)
- :
- :
- );
- return (mbedtls_ct_condition_t) x;
-#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
- uint32_t s;
- asm volatile ("mov %[x], %[s] \n\t"
- "xor %[y], %[s] \n\t"
- "sub %[y], %[x] \n\t"
- "and %[s], %[y] \n\t"
- "not %[s] \n\t"
- "and %[s], %[x] \n\t"
- "or %[y], %[x] \n\t"
- "sar $31, %[x] \n\t"
- :
- [s] "=&b" (s),
- [x] "+&a" (x),
- [y] "+&c" (y)
- :
- :
- );
- return (mbedtls_ct_condition_t) x;
-#else
- /* Ensure that the compiler cannot optimise the following operations over x and y,
- * even if it knows the value of x and y.
- */
- const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
- const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);
- /*
- * Check if the most significant bits (MSB) of the operands are different.
- * cond is true iff the MSBs differ.
- */
- mbedtls_ct_condition_t cond = mbedtls_ct_bool((xo ^ yo) >> (MBEDTLS_CT_SIZE - 1));
-
- /*
- * If the MSB are the same then the difference x-y will be negative (and
- * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
- *
- * If the MSB are different, then the operand with the MSB of 1 is the
- * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
- * the MSB of y is 0.)
- */
-
- // Select either y, or x - y
- mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (xo - yo));
-
- // Extract only the MSB of ret
- ret = ret >> (MBEDTLS_CT_SIZE - 1);
-
- // Convert to a condition (i.e., all bits set iff non-zero)
- return mbedtls_ct_bool(ret);
-#endif
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
-{
- /* diff = 0 if x == y, non-zero otherwise */
- const mbedtls_ct_uint_t diff = mbedtls_ct_compiler_opaque(x) ^ mbedtls_ct_compiler_opaque(y);
-
- /* all ones if x != y, 0 otherwise */
- return mbedtls_ct_bool(diff);
-}
-
-static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
- unsigned char high,
- unsigned char c,
- unsigned char t)
-{
- const unsigned char co = (unsigned char) mbedtls_ct_compiler_opaque(c);
- const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t);
-
- /* low_mask is: 0 if low <= c, 0x...ff if low > c */
- unsigned low_mask = ((unsigned) co - low) >> 8;
- /* high_mask is: 0 if c <= high, 0x...ff if c > high */
- unsigned high_mask = ((unsigned) high - co) >> 8;
-
- return (unsigned char) (~(low_mask | high_mask)) & to;
-}
-
-/* ============================================================================
- * Everything below here is trivial wrapper functions
- */
-
-static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
- size_t if1,
- size_t if0)
-{
- return (size_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
-}
-
-static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
- unsigned if1,
- unsigned if0)
-{
- return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1,
- mbedtls_ct_condition_t if0)
-{
- return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
- (mbedtls_ct_uint_t) if0);
-}
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
- mbedtls_mpi_uint if1,
- mbedtls_mpi_uint if0)
-{
- return (mbedtls_mpi_uint) mbedtls_ct_if(condition,
- (mbedtls_ct_uint_t) if1,
- (mbedtls_ct_uint_t) if0);
-}
-
-#endif
-
-static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1)
-{
- return (size_t) (condition & if1);
-}
-
-static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1)
-{
- return (unsigned) (condition & if1);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1)
-{
- return (mbedtls_ct_condition_t) (condition & if1);
-}
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_mpi_uint if1)
-{
- return (mbedtls_mpi_uint) (condition & if1);
-}
-
-#endif /* MBEDTLS_BIGNUM_C */
-
-static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
-{
- /* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
- * in the range -32767..0, and we require 32-bit int and uint types.
- *
- * This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
- * converting back to int.
- */
- return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
- (mbedtls_ct_uint_t) (-if0)));
-}
-
-static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
-{
- return -((int) (condition & (-if1)));
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y)
-{
- return ~mbedtls_ct_uint_ne(x, y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y)
-{
- return mbedtls_ct_uint_lt(y, x);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y)
-{
- return ~mbedtls_ct_uint_lt(x, y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y)
-{
- return ~mbedtls_ct_uint_gt(x, y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y)
-{
- return (mbedtls_ct_condition_t) (x ^ y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y)
-{
- return (mbedtls_ct_condition_t) (x & y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y)
-{
- return (mbedtls_ct_condition_t) (x | y);
-}
-
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x)
-{
- return (mbedtls_ct_condition_t) (~x);
-}
-
-#ifdef __GNUC__
-/* Restore warnings for -Wredundant-decls on gcc */
- #pragma GCC diagnostic pop
-#endif
-
-#endif /* MBEDTLS_CONSTANT_TIME_IMPL_H */
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
deleted file mode 100644
index cc26edc..0000000
--- a/library/constant_time_internal.h
+++ /dev/null
@@ -1,591 +0,0 @@
-/**
- * Constant-time functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H
-#define MBEDTLS_CONSTANT_TIME_INTERNAL_H
-
-#include <stdint.h>
-#include <stddef.h>
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-/* The constant-time interface provides various operations that are likely
- * to result in constant-time code that does not branch or use conditional
- * instructions for secret data (for secret pointers, this also applies to
- * the data pointed to).
- *
- * It has three main parts:
- *
- * - boolean operations
- * These are all named mbedtls_ct_<type>_<operation>.
- * They operate over <type> and return mbedtls_ct_condition_t.
- * All arguments are considered secret.
- * example: bool x = y | z => x = mbedtls_ct_bool_or(y, z)
- * example: bool x = y == z => x = mbedtls_ct_uint_eq(y, z)
- *
- * - conditional data selection
- * These are all named mbedtls_ct_<type>_if and mbedtls_ct_<type>_if_else_0
- * All arguments are considered secret.
- * example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c)
- * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b)
- *
- * - block memory operations
- * Only some arguments are considered secret, as documented for each
- * function.
- * example: if (x) memcpy(...) => mbedtls_ct_memcpy_if(x, ...)
- *
- * mbedtls_ct_condition_t must be treated as opaque and only created and
- * manipulated via the functions in this header. The compiler should never
- * be able to prove anything about its value at compile-time.
- *
- * mbedtls_ct_uint_t is an unsigned integer type over which constant time
- * operations may be performed via the functions in this header. It is as big
- * as the larger of size_t and mbedtls_mpi_uint, i.e. it is safe to cast
- * to/from "unsigned int", "size_t", and "mbedtls_mpi_uint" (and any other
- * not-larger integer types).
- *
- * For Arm (32-bit, 64-bit and Thumb), x86 and x86-64, assembly implementations
- * are used to ensure that the generated code is constant time. For other
- * architectures, it uses a plain C fallback designed to yield constant-time code
- * (this has been observed to be constant-time on latest gcc, clang and MSVC
- * as of May 2023).
- *
- * For readability, the static inline definitions are separated out into
- * constant_time_impl.h.
- */
-
-#if (SIZE_MAX > 0xffffffffffffffffULL)
-/* Pointer size > 64-bit */
-typedef size_t mbedtls_ct_condition_t;
-typedef size_t mbedtls_ct_uint_t;
-typedef ptrdiff_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(SIZE_MAX))
-#elif (SIZE_MAX > 0xffffffff) || defined(MBEDTLS_HAVE_INT64)
-/* 32-bit < pointer size <= 64-bit, or 64-bit MPI */
-typedef uint64_t mbedtls_ct_condition_t;
-typedef uint64_t mbedtls_ct_uint_t;
-typedef int64_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_SIZE_64
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX))
-#else
-/* Pointer size <= 32-bit, and no 64-bit MPIs */
-typedef uint32_t mbedtls_ct_condition_t;
-typedef uint32_t mbedtls_ct_uint_t;
-typedef int32_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_SIZE_32
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX))
-#endif
-#define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0))
-
-/* ============================================================================
- * Boolean operations
- */
-
-/** Convert a number into a mbedtls_ct_condition_t.
- *
- * \param x Number to convert.
- *
- * \return MBEDTLS_CT_TRUE if \p x != 0, or MBEDTLS_CT_FALSE if \p x == 0
- *
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x);
-
-/** Boolean "not equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x != \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x != \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
-
-/** Boolean "equals" operation.
- *
- * Functionally equivalent to:
- *
- * \p x == \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x == \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "less than" operation.
- *
- * Functionally equivalent to:
- *
- * \p x < \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x < \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
-
-/** Boolean "greater than" operation.
- *
- * Functionally equivalent to:
- *
- * \p x > \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x > \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "greater or equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x >= \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x >= \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "less than or equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x <= \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x <= \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean not-equals operation.
- *
- * Functionally equivalent to:
- *
- * \p x != \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
- * mbedtls_ct_condition_t.
- *
- * \return MBEDTLS_CT_TRUE if \p x != \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "and" operation.
- *
- * Functionally equivalent to:
- *
- * \p x && \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x && \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "or" operation.
- *
- * Functionally equivalent to:
- *
- * \p x || \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x || \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "not" operation.
- *
- * Functionally equivalent to:
- *
- * ! \p x
- *
- * \param x The value to invert
- *
- * \return MBEDTLS_CT_FALSE if \p x, otherwise MBEDTLS_CT_TRUE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x);
-
-
-/* ============================================================================
- * Data selection operations
- */
-
-/** Choose between two size_t values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
- size_t if1,
- size_t if0);
-
-/** Choose between two unsigned values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
- unsigned if1,
- unsigned if0);
-
-/** Choose between two mbedtls_ct_condition_t values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1,
- mbedtls_ct_condition_t if0);
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-/** Choose between two mbedtls_mpi_uint values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, \
- mbedtls_mpi_uint if1, \
- mbedtls_mpi_uint if0);
-
-#endif
-
-/** Choose between an unsigned value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_uint_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
-
-/** Choose between an mbedtls_ct_condition_t and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1);
-
-/** Choose between a size_t value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_size_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1);
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-/** Choose between an mbedtls_mpi_uint value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_mpi_uint_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_mpi_uint if1);
-
-#endif
-
-/** Constant-flow char selection
- *
- * \param low Secret. Bottom of range
- * \param high Secret. Top of range
- * \param c Secret. Value to compare to range
- * \param t Secret. Value to return, if in range
- *
- * \return \p t if \p low <= \p c <= \p high, 0 otherwise.
- */
-static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
- unsigned char high,
- unsigned char c,
- unsigned char t);
-
-/** Choose between two error values. The values must be in the range [-32767..0].
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
-
-/** Choose between an error value and 0. The error value must be in the range [-32767..0].
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
-
-/* ============================================================================
- * Block memory operations
- */
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
-
-/** Conditionally set a block of memory to zero.
- *
- * Regardless of the condition, every byte will be read once and written to
- * once.
- *
- * \param condition Secret. Condition to test.
- * \param buf Secret. Pointer to the start of the buffer.
- * \param len Number of bytes to set to zero.
- *
- * \warning Unlike mbedtls_platform_zeroize, this does not have the same guarantees
- * about not being optimised away if the memory is never read again.
- */
-void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len);
-
-/** Shift some data towards the left inside a buffer.
- *
- * Functionally equivalent to:
- *
- * memmove(start, start + offset, total - offset);
- * memset(start + (total - offset), 0, offset);
- *
- * Timing independence comes at the expense of performance.
- *
- * \param start Secret. Pointer to the start of the buffer.
- * \param total Total size of the buffer.
- * \param offset Secret. Offset from which to copy \p total - \p offset bytes.
- */
-void mbedtls_ct_memmove_left(void *start,
- size_t total,
- size_t offset);
-
-#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
-
-/** Conditional memcpy.
- *
- * Functionally equivalent to:
- *
- * if (condition) {
- * memcpy(dest, src1, len);
- * } else {
- * if (src2 != NULL)
- * memcpy(dest, src2, len);
- * }
- *
- * It will always read len bytes from src1.
- * If src2 != NULL, it will always read len bytes from src2.
- * If src2 == NULL, it will instead read len bytes from dest (as if src2 == dest).
- *
- * \param condition The condition
- * \param dest Secret. Destination pointer.
- * \param src1 Secret. Pointer to copy from (if \p condition == MBEDTLS_CT_TRUE).
- * This may be equal to \p dest, but may not overlap in other ways.
- * \param src2 Secret (contents only - may branch to determine if this parameter is NULL).
- * Pointer to copy from (if \p condition == MBEDTLS_CT_FALSE and \p src2 is not NULL). May be NULL.
- * This may be equal to \p dest, but may not overlap it in other ways. It may overlap with \p src1.
- * \param len Number of bytes to copy.
- */
-void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
- unsigned char *dest,
- const unsigned char *src1,
- const unsigned char *src2,
- size_t len
- );
-
-/** Copy data from a secret position.
- *
- * Functionally equivalent to:
- *
- * memcpy(dst, src + offset, len)
- *
- * This function copies \p len bytes from \p src + \p offset to
- * \p dst, with a code flow and memory access pattern that does not depend on
- * \p offset, but only on \p offset_min, \p offset_max and \p len.
- *
- * \note This function reads from \p dest, but the value that
- * is read does not influence the result and this
- * function's behavior is well-defined regardless of the
- * contents of the buffers. This may result in false
- * positives from static or dynamic analyzers, especially
- * if \p dest is not initialized.
- *
- * \param dest Secret. The destination buffer. This must point to a writable
- * buffer of at least \p len bytes.
- * \param src Secret. The base of the source buffer. This must point to a
- * readable buffer of at least \p offset_max + \p len
- * bytes. Shouldn't overlap with \p dest
- * \param offset Secret. The offset in the source buffer from which to copy.
- * This must be no less than \p offset_min and no greater
- * than \p offset_max.
- * \param offset_min The minimal value of \p offset.
- * \param offset_max The maximal value of \p offset.
- * \param len The number of bytes to copy.
- */
-void mbedtls_ct_memcpy_offset(unsigned char *dest,
- const unsigned char *src,
- size_t offset,
- size_t offset_min,
- size_t offset_max,
- size_t len);
-
-/* Documented in include/mbedtls/constant_time.h. a and b are secret.
-
- int mbedtls_ct_memcmp(const void *a,
- const void *b,
- size_t n);
- */
-
-#if defined(MBEDTLS_NIST_KW_C)
-
-/** Constant-time buffer comparison without branches.
- *
- * Similar to mbedtls_ct_memcmp, except that the result only depends on part of
- * the input data - differences in the head or tail are ignored. Functionally equivalent to:
- *
- * memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
- *
- * Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
- *
- * Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
- *
- * \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
- * \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
- * \param n The number of bytes to examine (total size of the buffers).
- * \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
- * These bytes will still be read.
- * \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
- * These bytes will still be read.
- *
- * \return Zero if the contents of the two buffers are the same, otherwise non-zero.
- */
-int mbedtls_ct_memcmp_partial(const void *a,
- const void *b,
- size_t n,
- size_t skip_head,
- size_t skip_tail);
-
-#endif
-
-/* Include the implementation of static inline functions above. */
-#include "constant_time_impl.h"
-
-#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
deleted file mode 100644
index fdd753d..0000000
--- a/library/ctr_drbg.c
+++ /dev/null
@@ -1,893 +0,0 @@
-/*
- * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The NIST SP 800-90 DRBGs are described in the following publication.
- *
- * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-90r.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
-
-#include "mbedtls/platform.h"
-
-/*
- * CTR_DRBG context initialization
- */
-void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
- mbedtls_aes_init(&ctx->aes_ctx);
- /* Indicate that the entropy nonce length is not set explicitly.
- * See mbedtls_ctr_drbg_set_nonce_len(). */
- ctx->reseed_counter = -1;
-
- ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
-}
-
-/*
- * This function resets CTR_DRBG context to the state immediately
- * after initial call of mbedtls_ctr_drbg_init().
- */
-void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- /* The mutex is initialized iff f_entropy is set. */
- if (ctx->f_entropy != NULL) {
- mbedtls_mutex_free(&ctx->mutex);
- }
-#endif
- mbedtls_aes_free(&ctx->aes_ctx);
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
- ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
- ctx->reseed_counter = -1;
-}
-
-void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
- int resistance)
-{
- ctx->prediction_resistance = resistance;
-}
-
-void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
- size_t len)
-{
- ctx->entropy_len = len;
-}
-
-int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
- size_t len)
-{
- /* If mbedtls_ctr_drbg_seed() has already been called, it's
- * too late. Return the error code that's closest to making sense. */
- if (ctx->f_entropy != NULL) {
- return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
- }
-
- if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
-
- /* This shouldn't be an issue because
- * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
- * configuration, but make sure anyway. */
- if (len > INT_MAX) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
-
- /* For backward compatibility with Mbed TLS <= 2.19, store the
- * entropy nonce length in a field that already exists, but isn't
- * used until after the initial seeding. */
- /* Due to the capping of len above, the value fits in an int. */
- ctx->reseed_counter = (int) len;
- return 0;
-}
-
-void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
- int interval)
-{
- ctx->reseed_interval = interval;
-}
-
-static int block_cipher_df(unsigned char *output,
- const unsigned char *data, size_t data_len)
-{
- unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
- MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
- unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
- unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
- unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
- unsigned char *p, *iv;
- mbedtls_aes_context aes_ctx;
- int ret = 0;
-
- int i, j;
- size_t buf_len, use_len;
-
- if (data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
-
- memset(buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
- MBEDTLS_CTR_DRBG_BLOCKSIZE + 16);
- mbedtls_aes_init(&aes_ctx);
-
- /*
- * Construct IV (16 bytes) and S in buffer
- * IV = Counter (in 32-bits) padded to 16 with zeroes
- * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
- * data || 0x80
- * (Total is padded to a multiple of 16-bytes with zeroes)
- */
- p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
- MBEDTLS_PUT_UINT32_BE(data_len, p, 0);
- p += 4 + 3;
- *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
- memcpy(p, data, data_len);
- p[data_len] = 0x80;
-
- buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
-
- for (i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++) {
- key[i] = i;
- }
-
- if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- goto exit;
- }
-
- /*
- * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
- */
- for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
- p = buf;
- memset(chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE);
- use_len = buf_len;
-
- while (use_len > 0) {
- mbedtls_xor(chain, chain, p, MBEDTLS_CTR_DRBG_BLOCKSIZE);
- p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
- use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
- MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
-
- if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
- chain, chain)) != 0) {
- goto exit;
- }
- }
-
- memcpy(tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE);
-
- /*
- * Update IV
- */
- buf[3]++;
- }
-
- /*
- * Do final encryption with reduced data
- */
- if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- goto exit;
- }
- iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
- p = output;
-
- for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
- if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
- iv, iv)) != 0) {
- goto exit;
- }
- memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
- p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
- }
-exit:
- mbedtls_aes_free(&aes_ctx);
- /*
- * tidy up the stack
- */
- mbedtls_platform_zeroize(buf, sizeof(buf));
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- mbedtls_platform_zeroize(key, sizeof(key));
- mbedtls_platform_zeroize(chain, sizeof(chain));
- if (0 != ret) {
- /*
- * wipe partial seed from memory
- */
- mbedtls_platform_zeroize(output, MBEDTLS_CTR_DRBG_SEEDLEN);
- }
-
- return ret;
-}
-
-/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
- * ctr_drbg_update_internal(ctx, provided_data)
- * implements
- * CTR_DRBG_Update(provided_data, Key, V)
- * with inputs and outputs
- * ctx->aes_ctx = Key
- * ctx->counter = V
- */
-static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
- const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
-{
- unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
- unsigned char *p = tmp;
- int i, j;
- int ret = 0;
-
- memset(tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
-
- for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
- /*
- * Increase counter
- */
- for (i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i--) {
- if (++ctx->counter[i - 1] != 0) {
- break;
- }
- }
-
- /*
- * Crypt counter block
- */
- if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
- ctx->counter, p)) != 0) {
- goto exit;
- }
-
- p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
- }
-
- for (i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++) {
- tmp[i] ^= data[i];
- }
-
- /*
- * Update key and counter
- */
- if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- goto exit;
- }
- memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
- MBEDTLS_CTR_DRBG_BLOCKSIZE);
-
-exit:
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- return ret;
-}
-
-/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
- * mbedtls_ctr_drbg_update(ctx, additional, add_len)
- * implements
- * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
- * security_strength) -> initial_working_state
- * with inputs
- * ctx->counter = all-bits-0
- * ctx->aes_ctx = context from all-bits-0 key
- * additional[:add_len] = entropy_input || nonce || personalization_string
- * and with outputs
- * ctx = initial_working_state
- */
-int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
- size_t add_len)
-{
- unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (add_len == 0) {
- return 0;
- }
-
- if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
- goto exit;
- }
- if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_platform_zeroize(add_input, sizeof(add_input));
- return ret;
-}
-
-/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
- * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
- * implements
- * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
- * -> new_working_state
- * with inputs
- * ctx contains working_state
- * additional[:len] = additional_input
- * and entropy_input comes from calling ctx->f_entropy
- * for (ctx->entropy_len + nonce_len) bytes
- * and with output
- * ctx contains new_working_state
- */
-static int mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
- size_t len,
- size_t nonce_len)
-{
- unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
- size_t seedlen = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
- if (nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
- if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
-
- memset(seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT);
-
- /* Gather entropy_len bytes of entropy to seed state. */
- if (0 != ctx->f_entropy(ctx->p_entropy, seed, ctx->entropy_len)) {
- return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
- }
- seedlen += ctx->entropy_len;
-
- /* Gather entropy for a nonce if requested. */
- if (nonce_len != 0) {
- if (0 != ctx->f_entropy(ctx->p_entropy, seed + seedlen, nonce_len)) {
- return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
- }
- seedlen += nonce_len;
- }
-
- /* Add additional data if provided. */
- if (additional != NULL && len != 0) {
- memcpy(seed + seedlen, additional, len);
- seedlen += len;
- }
-
- /* Reduce to 384 bits. */
- if ((ret = block_cipher_df(seed, seed, seedlen)) != 0) {
- goto exit;
- }
-
- /* Update state. */
- if ((ret = ctr_drbg_update_internal(ctx, seed)) != 0) {
- goto exit;
- }
- ctx->reseed_counter = 1;
-
-exit:
- mbedtls_platform_zeroize(seed, sizeof(seed));
- return ret;
-}
-
-int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional, size_t len)
-{
- return mbedtls_ctr_drbg_reseed_internal(ctx, additional, len, 0);
-}
-
-/* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
- * is sufficient to achieve the maximum security strength given the key
- * size and entropy length. If there is enough entropy in the initial
- * call to the entropy function to serve as both the entropy input and
- * the nonce, don't make a second call to get a nonce. */
-static size_t good_nonce_len(size_t entropy_len)
-{
- if (entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2) {
- return 0;
- } else {
- return (entropy_len + 1) / 2;
- }
-}
-
-/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
- * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
- * implements
- * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
- * security_strength) -> initial_working_state
- * with inputs
- * custom[:len] = nonce || personalization_string
- * where entropy_input comes from f_entropy for ctx->entropy_len bytes
- * and with outputs
- * ctx = initial_working_state
- */
-int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
- int (*f_entropy)(void *, unsigned char *, size_t),
- void *p_entropy,
- const unsigned char *custom,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
- size_t nonce_len;
-
- memset(key, 0, MBEDTLS_CTR_DRBG_KEYSIZE);
-
- /* The mutex is initialized iff f_entropy is set. */
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-
- ctx->f_entropy = f_entropy;
- ctx->p_entropy = p_entropy;
-
- if (ctx->entropy_len == 0) {
- ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
- }
- /* ctx->reseed_counter contains the desired amount of entropy to
- * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
- * If it's -1, indicating that the entropy nonce length was not set
- * explicitly, use a sufficiently large nonce for security. */
- nonce_len = (ctx->reseed_counter >= 0 ?
- (size_t) ctx->reseed_counter :
- good_nonce_len(ctx->entropy_len));
-
- /* Initialize with an empty key. */
- if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- return ret;
- }
-
- /* Do the initial seeding. */
- if ((ret = mbedtls_ctr_drbg_reseed_internal(ctx, custom, len,
- nonce_len)) != 0) {
- return ret;
- }
- return 0;
-}
-
-/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
- * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
- * implements
- * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
- * -> working_state_after_reseed
- * if required, then
- * CTR_DRBG_Generate(working_state_after_reseed,
- * requested_number_of_bits, additional_input)
- * -> status, returned_bits, new_working_state
- * with inputs
- * ctx contains working_state
- * requested_number_of_bits = 8 * output_len
- * additional[:add_len] = additional_input
- * and entropy_input comes from calling ctx->f_entropy
- * and with outputs
- * status = SUCCESS (this function does the reseed internally)
- * returned_bits = output[:output_len]
- * ctx contains new_working_state
- */
-int mbedtls_ctr_drbg_random_with_add(void *p_rng,
- unsigned char *output, size_t output_len,
- const unsigned char *additional, size_t add_len)
-{
- int ret = 0;
- mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
- unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
- unsigned char *p = output;
- unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
- int i;
- size_t use_len;
-
- if (output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST) {
- return MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG;
- }
-
- if (add_len > MBEDTLS_CTR_DRBG_MAX_INPUT) {
- return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- }
-
- memset(add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
-
- if (ctx->reseed_counter > ctx->reseed_interval ||
- ctx->prediction_resistance) {
- if ((ret = mbedtls_ctr_drbg_reseed(ctx, additional, add_len)) != 0) {
- return ret;
- }
- add_len = 0;
- }
-
- if (add_len > 0) {
- if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
- goto exit;
- }
- if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
- goto exit;
- }
- }
-
- while (output_len > 0) {
- /*
- * Increase counter
- */
- for (i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i--) {
- if (++ctx->counter[i - 1] != 0) {
- break;
- }
- }
-
- /*
- * Crypt counter block
- */
- if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
- ctx->counter, tmp)) != 0) {
- goto exit;
- }
-
- use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
- ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
- /*
- * Copy random block to destination
- */
- memcpy(p, tmp, use_len);
- p += use_len;
- output_len -= use_len;
- }
-
- if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
- goto exit;
- }
-
- ctx->reseed_counter++;
-
-exit:
- mbedtls_platform_zeroize(add_input, sizeof(add_input));
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- return ret;
-}
-
-int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output,
- size_t output_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- ret = mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, NULL, 0);
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx,
- const char *path)
-{
- int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- FILE *f;
- unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
-
- if ((f = fopen(path, "wb")) == NULL) {
- return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- if ((ret = mbedtls_ctr_drbg_random(ctx, buf,
- MBEDTLS_CTR_DRBG_MAX_INPUT)) != 0) {
- goto exit;
- }
-
- if (fwrite(buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f) !=
- MBEDTLS_CTR_DRBG_MAX_INPUT) {
- ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- } else {
- ret = 0;
- }
-
-exit:
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- fclose(f);
- return ret;
-}
-
-int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx,
- const char *path)
-{
- int ret = 0;
- FILE *f = NULL;
- size_t n;
- unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
- unsigned char c;
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- n = fread(buf, 1, sizeof(buf), f);
- if (fread(&c, 1, 1, f) != 0) {
- ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
- goto exit;
- }
- if (n == 0 || ferror(f)) {
- ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
- goto exit;
- }
- fclose(f);
- f = NULL;
-
- ret = mbedtls_ctr_drbg_update(ctx, buf, n);
-
-exit:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- if (f != NULL) {
- fclose(f);
- }
- if (ret != 0) {
- return ret;
- }
- return mbedtls_ctr_drbg_write_seed_file(ctx, path);
-}
-#endif /* MBEDTLS_FS_IO */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/* The CTR_DRBG NIST test vectors used here are available at
- * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
- *
- * The parameters used to derive the test data are:
- *
- * [AES-128 use df]
- * [PredictionResistance = True/False]
- * [EntropyInputLen = 128]
- * [NonceLen = 64]
- * [PersonalizationStringLen = 128]
- * [AdditionalInputLen = 0]
- * [ReturnedBitsLen = 512]
- *
- * [AES-256 use df]
- * [PredictionResistance = True/False]
- * [EntropyInputLen = 256]
- * [NonceLen = 128]
- * [PersonalizationStringLen = 256]
- * [AdditionalInputLen = 0]
- * [ReturnedBitsLen = 512]
- *
- */
-
-#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
-static const unsigned char entropy_source_pr[] =
-{ 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
- 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
- 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
- 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
- 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
- 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
- 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
-
-static const unsigned char entropy_source_nopr[] =
-{ 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
- 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
- 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
- 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
- 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
-
-static const unsigned char pers_pr[] =
-{ 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
- 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
-
-static const unsigned char pers_nopr[] =
-{ 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
- 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
-
-static const unsigned char result_pr[] =
-{ 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
- 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
- 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
- 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
- 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
- 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
- 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
- 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
-
-static const unsigned char result_nopr[] =
-{ 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
- 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
- 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
- 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
- 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
- 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
- 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
- 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
-#else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-
-static const unsigned char entropy_source_pr[] =
-{ 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
- 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
- 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
- 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
- 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
- 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
- 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
- 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
- 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
- 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
- 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
- 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
- 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
- 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
-
-static const unsigned char entropy_source_nopr[] =
-{ 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
- 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
- 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
- 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
- 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
- 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
- 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
- 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
- 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
- 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
-
-static const unsigned char pers_pr[] =
-{ 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
- 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
- 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
- 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
-
-static const unsigned char pers_nopr[] =
-{ 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
- 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
- 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
- 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
-
-static const unsigned char result_pr[] =
-{ 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
- 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
- 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
- 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
- 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
- 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
- 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
- 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
-
-static const unsigned char result_nopr[] =
-{ 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
- 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
- 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
- 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
- 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
- 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
- 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
- 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
-#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-
-static size_t test_offset;
-static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf,
- size_t len)
-{
- const unsigned char *p = data;
- memcpy(buf, p + test_offset, len);
- test_offset += len;
- return 0;
-}
-
-#define CHK(c) if ((c) != 0) \
- { \
- if (verbose != 0) \
- mbedtls_printf("failed\n"); \
- return 1; \
- }
-
-#define SELF_TEST_OUTPUT_DISCARD_LENGTH 64
-
-/*
- * Checkup routine
- */
-int mbedtls_ctr_drbg_self_test(int verbose)
-{
- mbedtls_ctr_drbg_context ctx;
- unsigned char buf[sizeof(result_pr)];
-
- mbedtls_ctr_drbg_init(&ctx);
-
- /*
- * Based on a NIST CTR_DRBG test vector (PR = True)
- */
- if (verbose != 0) {
- mbedtls_printf(" CTR_DRBG (PR = TRUE) : ");
- }
-
- test_offset = 0;
- mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
- mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
- CHK(mbedtls_ctr_drbg_seed(&ctx,
- ctr_drbg_self_test_entropy,
- (void *) entropy_source_pr,
- pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE));
- mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
- CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
- CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_pr)));
- CHK(memcmp(buf, result_pr, sizeof(result_pr)));
-
- mbedtls_ctr_drbg_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- /*
- * Based on a NIST CTR_DRBG test vector (PR = FALSE)
- */
- if (verbose != 0) {
- mbedtls_printf(" CTR_DRBG (PR = FALSE): ");
- }
-
- mbedtls_ctr_drbg_init(&ctx);
-
- test_offset = 0;
- mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
- mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
- CHK(mbedtls_ctr_drbg_seed(&ctx,
- ctr_drbg_self_test_entropy,
- (void *) entropy_source_nopr,
- pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE));
- CHK(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0));
- CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
- CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_nopr)));
- CHK(memcmp(buf, result_nopr, sizeof(result_nopr)));
-
- mbedtls_ctr_drbg_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_CTR_DRBG_C */
diff --git a/library/debug.c b/library/debug.c
index 0983cb0..c36ed3c 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -2,19 +2,7 @@
* Debugging routines
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -23,7 +11,7 @@
#include "mbedtls/platform.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include <stdarg.h>
@@ -378,7 +366,7 @@ static void debug_print_line_by_line(const mbedtls_ssl_context *ssl, int level,
start = text;
for (cur = text; *cur != '\0'; cur++) {
if (*cur == '\n') {
- size_t len = cur - start + 1;
+ size_t len = (size_t) (cur - start) + 1;
if (len > DEBUG_BUF_SIZE - 1) {
len = DEBUG_BUF_SIZE - 1;
}
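Review bot: The new `(size_t)` cast on `cur - start` is only correct while `start` never moves past `cur`, and nothing at the declaration states that assumption. The visible lines set both pointers to `text` before the loop, but any later update of `start` lies outside this hunk, as does the rest of `debug_print_line_by_line`. If the difference were ever negative, the cast would wrap it to a huge value that the following check silently clamps to `DEBUG_BUF_SIZE - 1` instead of rejecting. A one-line comment above the declaration, such as `/* start <= cur here, so the difference is non-negative */`, would record what the cast depends on.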
diff --git a/library/debug_internal.h b/library/debug_internal.h
new file mode 100644
index 0000000..4523b46
--- /dev/null
+++ b/library/debug_internal.h
@@ -0,0 +1,172 @@
+/**
+ * \file debug_internal.h
+ *
+ * \brief Internal part of the public "debug.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_DEBUG_INTERNAL_H
+#define MBEDTLS_DEBUG_INTERNAL_H
+
+#include "mbedtls/debug.h"
+
+/**
+ * \brief Print a message to the debug output. This function is always used
+ * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ * context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the message has occurred in
+ * \param line line number the message has occurred at
+ * \param format format specifier, in printf format
+ * \param ... variables used by the format specifier
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
+
+/**
+ * \brief Print the return value of a function to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text the name of the function that returned the error
+ * \param ret the return code value
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, int ret);
+
+/**
+ * \brief Output a buffer of size len bytes to the debug output. This function
+ * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the buffer being dumped. Normally the
+ * variable or buffer name
+ * \param buf the buffer to be outputted
+ * \param len length of the buffer
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text,
+ const unsigned char *buf, size_t len);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Print a MPI variable to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the MPI being output. Normally the
+ * variable name
+ * \param X the MPI variable
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_mpi *X);
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+/**
+ * \brief Print an ECP point to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the ECP point being output. Normally the
+ * variable name
+ * \param X the ECP point
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_ecp_point *X);
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
+/**
+ * \brief Print a X.509 certificate structure to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the certificate being output
+ * \param crt X.509 certificate structure
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_x509_crt *crt);
+#endif
+
+/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
+ only works for the built-in implementation. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
+ defined(MBEDTLS_ECDH_C)
+typedef enum {
+ MBEDTLS_DEBUG_ECDH_Q,
+ MBEDTLS_DEBUG_ECDH_QP,
+ MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief Print a field of the ECDH structure in the SSL context to the debug
+ * output. This function is always used through the
+ * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ * and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param ecdh the ECDH context
+ * \param attr the identifier of the attribute being output
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr);
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
+ MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_INTERNAL_H */
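Review bot: The enumerators of `mbedtls_debug_ecdh_attr` and the `attr` parameter of `mbedtls_debug_printf_ecdh()` are undocumented, so a reader cannot tell which values cause secret material to be written to the debug output. If `MBEDTLS_DEBUG_ECDH_Z` selects the ECDH shared secret, as the name suggests, the enumerator should say so, e.g. `MBEDTLS_DEBUG_ECDH_Z, /* shared secret - output is sensitive */`, with a matching one-line comment on `Q` and `QP`. The doc blocks of `mbedtls_debug_print_buf()` and `mbedtls_debug_print_mpi()` could likewise carry one sentence noting that the dumped bytes may be key material and that the debug sink has to be handled accordingly.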
diff --git a/library/des.c b/library/des.c
deleted file mode 100644
index eaddf28..0000000
--- a/library/des.c
+++ /dev/null
@@ -1,1054 +0,0 @@
-/*
- * FIPS-46-3 compliant Triple-DES implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * DES, on which TDES is based, was originally designed by Horst Feistel
- * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
- *
- * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_DES_C)
-
-#include "mbedtls/des.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_DES_ALT)
-
-/*
- * Expanded DES S-boxes
- */
-static const uint32_t SB1[64] =
-{
- 0x01010400, 0x00000000, 0x00010000, 0x01010404,
- 0x01010004, 0x00010404, 0x00000004, 0x00010000,
- 0x00000400, 0x01010400, 0x01010404, 0x00000400,
- 0x01000404, 0x01010004, 0x01000000, 0x00000004,
- 0x00000404, 0x01000400, 0x01000400, 0x00010400,
- 0x00010400, 0x01010000, 0x01010000, 0x01000404,
- 0x00010004, 0x01000004, 0x01000004, 0x00010004,
- 0x00000000, 0x00000404, 0x00010404, 0x01000000,
- 0x00010000, 0x01010404, 0x00000004, 0x01010000,
- 0x01010400, 0x01000000, 0x01000000, 0x00000400,
- 0x01010004, 0x00010000, 0x00010400, 0x01000004,
- 0x00000400, 0x00000004, 0x01000404, 0x00010404,
- 0x01010404, 0x00010004, 0x01010000, 0x01000404,
- 0x01000004, 0x00000404, 0x00010404, 0x01010400,
- 0x00000404, 0x01000400, 0x01000400, 0x00000000,
- 0x00010004, 0x00010400, 0x00000000, 0x01010004
-};
-
-static const uint32_t SB2[64] =
-{
- 0x80108020, 0x80008000, 0x00008000, 0x00108020,
- 0x00100000, 0x00000020, 0x80100020, 0x80008020,
- 0x80000020, 0x80108020, 0x80108000, 0x80000000,
- 0x80008000, 0x00100000, 0x00000020, 0x80100020,
- 0x00108000, 0x00100020, 0x80008020, 0x00000000,
- 0x80000000, 0x00008000, 0x00108020, 0x80100000,
- 0x00100020, 0x80000020, 0x00000000, 0x00108000,
- 0x00008020, 0x80108000, 0x80100000, 0x00008020,
- 0x00000000, 0x00108020, 0x80100020, 0x00100000,
- 0x80008020, 0x80100000, 0x80108000, 0x00008000,
- 0x80100000, 0x80008000, 0x00000020, 0x80108020,
- 0x00108020, 0x00000020, 0x00008000, 0x80000000,
- 0x00008020, 0x80108000, 0x00100000, 0x80000020,
- 0x00100020, 0x80008020, 0x80000020, 0x00100020,
- 0x00108000, 0x00000000, 0x80008000, 0x00008020,
- 0x80000000, 0x80100020, 0x80108020, 0x00108000
-};
-
-static const uint32_t SB3[64] =
-{
- 0x00000208, 0x08020200, 0x00000000, 0x08020008,
- 0x08000200, 0x00000000, 0x00020208, 0x08000200,
- 0x00020008, 0x08000008, 0x08000008, 0x00020000,
- 0x08020208, 0x00020008, 0x08020000, 0x00000208,
- 0x08000000, 0x00000008, 0x08020200, 0x00000200,
- 0x00020200, 0x08020000, 0x08020008, 0x00020208,
- 0x08000208, 0x00020200, 0x00020000, 0x08000208,
- 0x00000008, 0x08020208, 0x00000200, 0x08000000,
- 0x08020200, 0x08000000, 0x00020008, 0x00000208,
- 0x00020000, 0x08020200, 0x08000200, 0x00000000,
- 0x00000200, 0x00020008, 0x08020208, 0x08000200,
- 0x08000008, 0x00000200, 0x00000000, 0x08020008,
- 0x08000208, 0x00020000, 0x08000000, 0x08020208,
- 0x00000008, 0x00020208, 0x00020200, 0x08000008,
- 0x08020000, 0x08000208, 0x00000208, 0x08020000,
- 0x00020208, 0x00000008, 0x08020008, 0x00020200
-};
-
-static const uint32_t SB4[64] =
-{
- 0x00802001, 0x00002081, 0x00002081, 0x00000080,
- 0x00802080, 0x00800081, 0x00800001, 0x00002001,
- 0x00000000, 0x00802000, 0x00802000, 0x00802081,
- 0x00000081, 0x00000000, 0x00800080, 0x00800001,
- 0x00000001, 0x00002000, 0x00800000, 0x00802001,
- 0x00000080, 0x00800000, 0x00002001, 0x00002080,
- 0x00800081, 0x00000001, 0x00002080, 0x00800080,
- 0x00002000, 0x00802080, 0x00802081, 0x00000081,
- 0x00800080, 0x00800001, 0x00802000, 0x00802081,
- 0x00000081, 0x00000000, 0x00000000, 0x00802000,
- 0x00002080, 0x00800080, 0x00800081, 0x00000001,
- 0x00802001, 0x00002081, 0x00002081, 0x00000080,
- 0x00802081, 0x00000081, 0x00000001, 0x00002000,
- 0x00800001, 0x00002001, 0x00802080, 0x00800081,
- 0x00002001, 0x00002080, 0x00800000, 0x00802001,
- 0x00000080, 0x00800000, 0x00002000, 0x00802080
-};
-
-static const uint32_t SB5[64] =
-{
- 0x00000100, 0x02080100, 0x02080000, 0x42000100,
- 0x00080000, 0x00000100, 0x40000000, 0x02080000,
- 0x40080100, 0x00080000, 0x02000100, 0x40080100,
- 0x42000100, 0x42080000, 0x00080100, 0x40000000,
- 0x02000000, 0x40080000, 0x40080000, 0x00000000,
- 0x40000100, 0x42080100, 0x42080100, 0x02000100,
- 0x42080000, 0x40000100, 0x00000000, 0x42000000,
- 0x02080100, 0x02000000, 0x42000000, 0x00080100,
- 0x00080000, 0x42000100, 0x00000100, 0x02000000,
- 0x40000000, 0x02080000, 0x42000100, 0x40080100,
- 0x02000100, 0x40000000, 0x42080000, 0x02080100,
- 0x40080100, 0x00000100, 0x02000000, 0x42080000,
- 0x42080100, 0x00080100, 0x42000000, 0x42080100,
- 0x02080000, 0x00000000, 0x40080000, 0x42000000,
- 0x00080100, 0x02000100, 0x40000100, 0x00080000,
- 0x00000000, 0x40080000, 0x02080100, 0x40000100
-};
-
-static const uint32_t SB6[64] =
-{
- 0x20000010, 0x20400000, 0x00004000, 0x20404010,
- 0x20400000, 0x00000010, 0x20404010, 0x00400000,
- 0x20004000, 0x00404010, 0x00400000, 0x20000010,
- 0x00400010, 0x20004000, 0x20000000, 0x00004010,
- 0x00000000, 0x00400010, 0x20004010, 0x00004000,
- 0x00404000, 0x20004010, 0x00000010, 0x20400010,
- 0x20400010, 0x00000000, 0x00404010, 0x20404000,
- 0x00004010, 0x00404000, 0x20404000, 0x20000000,
- 0x20004000, 0x00000010, 0x20400010, 0x00404000,
- 0x20404010, 0x00400000, 0x00004010, 0x20000010,
- 0x00400000, 0x20004000, 0x20000000, 0x00004010,
- 0x20000010, 0x20404010, 0x00404000, 0x20400000,
- 0x00404010, 0x20404000, 0x00000000, 0x20400010,
- 0x00000010, 0x00004000, 0x20400000, 0x00404010,
- 0x00004000, 0x00400010, 0x20004010, 0x00000000,
- 0x20404000, 0x20000000, 0x00400010, 0x20004010
-};
-
-static const uint32_t SB7[64] =
-{
- 0x00200000, 0x04200002, 0x04000802, 0x00000000,
- 0x00000800, 0x04000802, 0x00200802, 0x04200800,
- 0x04200802, 0x00200000, 0x00000000, 0x04000002,
- 0x00000002, 0x04000000, 0x04200002, 0x00000802,
- 0x04000800, 0x00200802, 0x00200002, 0x04000800,
- 0x04000002, 0x04200000, 0x04200800, 0x00200002,
- 0x04200000, 0x00000800, 0x00000802, 0x04200802,
- 0x00200800, 0x00000002, 0x04000000, 0x00200800,
- 0x04000000, 0x00200800, 0x00200000, 0x04000802,
- 0x04000802, 0x04200002, 0x04200002, 0x00000002,
- 0x00200002, 0x04000000, 0x04000800, 0x00200000,
- 0x04200800, 0x00000802, 0x00200802, 0x04200800,
- 0x00000802, 0x04000002, 0x04200802, 0x04200000,
- 0x00200800, 0x00000000, 0x00000002, 0x04200802,
- 0x00000000, 0x00200802, 0x04200000, 0x00000800,
- 0x04000002, 0x04000800, 0x00000800, 0x00200002
-};
-
-static const uint32_t SB8[64] =
-{
- 0x10001040, 0x00001000, 0x00040000, 0x10041040,
- 0x10000000, 0x10001040, 0x00000040, 0x10000000,
- 0x00040040, 0x10040000, 0x10041040, 0x00041000,
- 0x10041000, 0x00041040, 0x00001000, 0x00000040,
- 0x10040000, 0x10000040, 0x10001000, 0x00001040,
- 0x00041000, 0x00040040, 0x10040040, 0x10041000,
- 0x00001040, 0x00000000, 0x00000000, 0x10040040,
- 0x10000040, 0x10001000, 0x00041040, 0x00040000,
- 0x00041040, 0x00040000, 0x10041000, 0x00001000,
- 0x00000040, 0x10040040, 0x00001000, 0x00041040,
- 0x10001000, 0x00000040, 0x10000040, 0x10040000,
- 0x10040040, 0x10000000, 0x00040000, 0x10001040,
- 0x00000000, 0x10041040, 0x00040040, 0x10000040,
- 0x10040000, 0x10001000, 0x10001040, 0x00000000,
- 0x10041040, 0x00041000, 0x00041000, 0x00001040,
- 0x00001040, 0x00040040, 0x10000000, 0x10041000
-};
-
-/*
- * PC1: left and right halves bit-swap
- */
-static const uint32_t LHs[16] =
-{
- 0x00000000, 0x00000001, 0x00000100, 0x00000101,
- 0x00010000, 0x00010001, 0x00010100, 0x00010101,
- 0x01000000, 0x01000001, 0x01000100, 0x01000101,
- 0x01010000, 0x01010001, 0x01010100, 0x01010101
-};
-
-static const uint32_t RHs[16] =
-{
- 0x00000000, 0x01000000, 0x00010000, 0x01010000,
- 0x00000100, 0x01000100, 0x00010100, 0x01010100,
- 0x00000001, 0x01000001, 0x00010001, 0x01010001,
- 0x00000101, 0x01000101, 0x00010101, 0x01010101,
-};
-
-/*
- * Initial Permutation macro
- */
-#define DES_IP(X, Y) \
- do \
- { \
- T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
- T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
- T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
- T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
- (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
- T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
- (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
- } while (0)
-
-/*
- * Final Permutation macro
- */
-#define DES_FP(X, Y) \
- do \
- { \
- (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
- T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
- (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
- T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
- T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
- T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
- T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
- } while (0)
-
-/*
- * DES round macro
- */
-#define DES_ROUND(X, Y) \
- do \
- { \
- T = *SK++ ^ (X); \
- (Y) ^= SB8[(T) & 0x3F] ^ \
- SB6[(T >> 8) & 0x3F] ^ \
- SB4[(T >> 16) & 0x3F] ^ \
- SB2[(T >> 24) & 0x3F]; \
- \
- T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
- (Y) ^= SB7[(T) & 0x3F] ^ \
- SB5[(T >> 8) & 0x3F] ^ \
- SB3[(T >> 16) & 0x3F] ^ \
- SB1[(T >> 24) & 0x3F]; \
- } while (0)
-
-#define SWAP(a, b) \
- do \
- { \
- uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
- } while (0)
-
-void mbedtls_des_init(mbedtls_des_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_des_context));
-}
-
-void mbedtls_des_free(mbedtls_des_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
-}
-
-void mbedtls_des3_init(mbedtls_des3_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_des3_context));
-}
-
-void mbedtls_des3_free(mbedtls_des3_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
-}
-
-static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
- 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
- 35, 37, 38, 41, 42, 44,
- 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
- 70, 73, 74, 76, 79, 81,
- 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
- 104, 107, 109, 110, 112,
- 115, 117, 118, 121, 122, 124, 127, 128, 131,
- 133, 134, 137, 138, 140,
- 143, 145, 146, 148, 151, 152, 155, 157, 158,
- 161, 162, 164, 167, 168,
- 171, 173, 174, 176, 179, 181, 182, 185, 186,
- 188, 191, 193, 194, 196,
- 199, 200, 203, 205, 206, 208, 211, 213, 214,
- 217, 218, 220, 223, 224,
- 227, 229, 230, 233, 234, 236, 239, 241, 242,
- 244, 247, 248, 251, 253,
- 254 };
-
-void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- int i;
-
- for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
- key[i] = odd_parity_table[key[i] / 2];
- }
-}
-
-/*
- * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
- */
-int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- int i;
-
- for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
- if (key[i] != odd_parity_table[key[i] / 2]) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/*
- * Table of weak and semi-weak keys
- *
- * Source: http://en.wikipedia.org/wiki/Weak_key
- *
- * Weak:
- * Alternating ones + zeros (0x0101010101010101)
- * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
- * '0xE0E0E0E0F1F1F1F1'
- * '0x1F1F1F1F0E0E0E0E'
- *
- * Semi-weak:
- * 0x011F011F010E010E and 0x1F011F010E010E01
- * 0x01E001E001F101F1 and 0xE001E001F101F101
- * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
- * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
- * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
- * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
- *
- */
-
-#define WEAK_KEY_COUNT 16
-
-static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
-{
- { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
- { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
- { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
- { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
-
- { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
- { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
- { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
- { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
- { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
- { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
- { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
- { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
- { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
- { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
- { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
- { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
-};
-
-int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- int i;
-
- for (i = 0; i < WEAK_KEY_COUNT; i++) {
- if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
- return 1;
- }
- }
-
- return 0;
-}
-
-#if !defined(MBEDTLS_DES_SETKEY_ALT)
-void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- int i;
- uint32_t X, Y, T;
-
- X = MBEDTLS_GET_UINT32_BE(key, 0);
- Y = MBEDTLS_GET_UINT32_BE(key, 4);
-
- /*
- * Permuted Choice 1
- */
- T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
- T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T);
-
- X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2)
- | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
- | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
- | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
-
- Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2)
- | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
- | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
- | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
-
- X &= 0x0FFFFFFF;
- Y &= 0x0FFFFFFF;
-
- /*
- * calculate subkeys
- */
- for (i = 0; i < 16; i++) {
- if (i < 2 || i == 8 || i == 15) {
- X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
- Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
- } else {
- X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
- Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
- }
-
- *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
- | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
- | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
- | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
- | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
- | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
- | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
- | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
- | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
- | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
- | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
-
- *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
- | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
- | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
- | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
- | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
- | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
- | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
- | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
- | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100)
- | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
- | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
- }
-}
-#endif /* !MBEDTLS_DES_SETKEY_ALT */
-
-/*
- * DES key schedule (56-bit, encryption)
- */
-int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- mbedtls_des_setkey(ctx->sk, key);
-
- return 0;
-}
-
-/*
- * DES key schedule (56-bit, decryption)
- */
-int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
-{
- int i;
-
- mbedtls_des_setkey(ctx->sk, key);
-
- for (i = 0; i < 16; i += 2) {
- SWAP(ctx->sk[i], ctx->sk[30 - i]);
- SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
- }
-
- return 0;
-}
-
-static void des3_set2key(uint32_t esk[96],
- uint32_t dsk[96],
- const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
-{
- int i;
-
- mbedtls_des_setkey(esk, key);
- mbedtls_des_setkey(dsk + 32, key + 8);
-
- for (i = 0; i < 32; i += 2) {
- dsk[i] = esk[30 - i];
- dsk[i + 1] = esk[31 - i];
-
- esk[i + 32] = dsk[62 - i];
- esk[i + 33] = dsk[63 - i];
-
- esk[i + 64] = esk[i];
- esk[i + 65] = esk[i + 1];
-
- dsk[i + 64] = dsk[i];
- dsk[i + 65] = dsk[i + 1];
- }
-}
-
-/*
- * Triple-DES key schedule (112-bit, encryption)
- */
-int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
-{
- uint32_t sk[96];
-
- des3_set2key(ctx->sk, sk, key);
- mbedtls_platform_zeroize(sk, sizeof(sk));
-
- return 0;
-}
-
-/*
- * Triple-DES key schedule (112-bit, decryption)
- */
-int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
-{
- uint32_t sk[96];
-
- des3_set2key(sk, ctx->sk, key);
- mbedtls_platform_zeroize(sk, sizeof(sk));
-
- return 0;
-}
-
-static void des3_set3key(uint32_t esk[96],
- uint32_t dsk[96],
- const unsigned char key[24])
-{
- int i;
-
- mbedtls_des_setkey(esk, key);
- mbedtls_des_setkey(dsk + 32, key + 8);
- mbedtls_des_setkey(esk + 64, key + 16);
-
- for (i = 0; i < 32; i += 2) {
- dsk[i] = esk[94 - i];
- dsk[i + 1] = esk[95 - i];
-
- esk[i + 32] = dsk[62 - i];
- esk[i + 33] = dsk[63 - i];
-
- dsk[i + 64] = esk[30 - i];
- dsk[i + 65] = esk[31 - i];
- }
-}
-
-/*
- * Triple-DES key schedule (168-bit, encryption)
- */
-int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
-{
- uint32_t sk[96];
-
- des3_set3key(ctx->sk, sk, key);
- mbedtls_platform_zeroize(sk, sizeof(sk));
-
- return 0;
-}
-
-/*
- * Triple-DES key schedule (168-bit, decryption)
- */
-int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
- const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
-{
- uint32_t sk[96];
-
- des3_set3key(sk, ctx->sk, key);
- mbedtls_platform_zeroize(sk, sizeof(sk));
-
- return 0;
-}
-
-/*
- * DES-ECB block encryption/decryption
- */
-#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
-int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
- const unsigned char input[8],
- unsigned char output[8])
-{
- int i;
- uint32_t X, Y, T, *SK;
-
- SK = ctx->sk;
-
- X = MBEDTLS_GET_UINT32_BE(input, 0);
- Y = MBEDTLS_GET_UINT32_BE(input, 4);
-
- DES_IP(X, Y);
-
- for (i = 0; i < 8; i++) {
- DES_ROUND(Y, X);
- DES_ROUND(X, Y);
- }
-
- DES_FP(Y, X);
-
- MBEDTLS_PUT_UINT32_BE(Y, output, 0);
- MBEDTLS_PUT_UINT32_BE(X, output, 4);
-
- return 0;
-}
-#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/*
- * DES-CBC buffer encryption/decryption
- */
-int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[8],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char temp[8];
-
- if (length % 8) {
- return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
- }
-
- if (mode == MBEDTLS_DES_ENCRYPT) {
- while (length > 0) {
- mbedtls_xor(output, input, iv, 8);
-
- ret = mbedtls_des_crypt_ecb(ctx, output, output);
- if (ret != 0) {
- goto exit;
- }
- memcpy(iv, output, 8);
-
- input += 8;
- output += 8;
- length -= 8;
- }
- } else { /* MBEDTLS_DES_DECRYPT */
- while (length > 0) {
- memcpy(temp, input, 8);
- ret = mbedtls_des_crypt_ecb(ctx, input, output);
- if (ret != 0) {
- goto exit;
- }
-
- mbedtls_xor(output, output, iv, 8);
-
- memcpy(iv, temp, 8);
-
- input += 8;
- output += 8;
- length -= 8;
- }
- }
- ret = 0;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-/*
- * 3DES-ECB block encryption/decryption
- */
-#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
-int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
- const unsigned char input[8],
- unsigned char output[8])
-{
- int i;
- uint32_t X, Y, T, *SK;
-
- SK = ctx->sk;
-
- X = MBEDTLS_GET_UINT32_BE(input, 0);
- Y = MBEDTLS_GET_UINT32_BE(input, 4);
-
- DES_IP(X, Y);
-
- for (i = 0; i < 8; i++) {
- DES_ROUND(Y, X);
- DES_ROUND(X, Y);
- }
-
- for (i = 0; i < 8; i++) {
- DES_ROUND(X, Y);
- DES_ROUND(Y, X);
- }
-
- for (i = 0; i < 8; i++) {
- DES_ROUND(Y, X);
- DES_ROUND(X, Y);
- }
-
- DES_FP(Y, X);
-
- MBEDTLS_PUT_UINT32_BE(Y, output, 0);
- MBEDTLS_PUT_UINT32_BE(X, output, 4);
-
- return 0;
-}
-#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/*
- * 3DES-CBC buffer encryption/decryption
- */
-int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[8],
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char temp[8];
-
- if (length % 8) {
- return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
- }
-
- if (mode == MBEDTLS_DES_ENCRYPT) {
- while (length > 0) {
- mbedtls_xor(output, input, iv, 8);
-
- ret = mbedtls_des3_crypt_ecb(ctx, output, output);
- if (ret != 0) {
- goto exit;
- }
- memcpy(iv, output, 8);
-
- input += 8;
- output += 8;
- length -= 8;
- }
- } else { /* MBEDTLS_DES_DECRYPT */
- while (length > 0) {
- memcpy(temp, input, 8);
- ret = mbedtls_des3_crypt_ecb(ctx, input, output);
- if (ret != 0) {
- goto exit;
- }
-
- mbedtls_xor(output, output, iv, 8);
-
- memcpy(iv, temp, 8);
-
- input += 8;
- output += 8;
- length -= 8;
- }
- }
- ret = 0;
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#endif /* !MBEDTLS_DES_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * DES and 3DES test vectors from:
- *
- * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
- */
-static const unsigned char des3_test_keys[24] =
-{
- 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
- 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
- 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
-};
-
-static const unsigned char des3_test_buf[8] =
-{
- 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
-};
-
-static const unsigned char des3_test_ecb_dec[3][8] =
-{
- { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
- { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
- { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
-};
-
-static const unsigned char des3_test_ecb_enc[3][8] =
-{
- { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
- { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
- { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
-};
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-static const unsigned char des3_test_iv[8] =
-{
- 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
-};
-
-static const unsigned char des3_test_cbc_dec[3][8] =
-{
- { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
- { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
- { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
-};
-
-static const unsigned char des3_test_cbc_enc[3][8] =
-{
- { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
- { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
- { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
-};
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-/*
- * Checkup routine
- */
-int mbedtls_des_self_test(int verbose)
-{
- int i, j, u, v, ret = 0;
- mbedtls_des_context ctx;
- mbedtls_des3_context ctx3;
- unsigned char buf[8];
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- unsigned char prv[8];
- unsigned char iv[8];
-#endif
-
- mbedtls_des_init(&ctx);
- mbedtls_des3_init(&ctx3);
- /*
- * ECB mode
- */
- for (i = 0; i < 6; i++) {
- u = i >> 1;
- v = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" DES%c-ECB-%3d (%s): ",
- (u == 0) ? ' ' : '3', 56 + u * 56,
- (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(buf, des3_test_buf, 8);
-
- switch (i) {
- case 0:
- ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
- break;
-
- case 1:
- ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
- break;
-
- case 2:
- ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
- break;
-
- case 3:
- ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
- break;
-
- case 4:
- ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
- break;
-
- case 5:
- ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
- break;
-
- default:
- return 1;
- }
- if (ret != 0) {
- goto exit;
- }
-
- for (j = 0; j < 100; j++) {
- if (u == 0) {
- ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
- } else {
- ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
- }
- if (ret != 0) {
- goto exit;
- }
- }
-
- if ((v == MBEDTLS_DES_DECRYPT &&
- memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
- (v != MBEDTLS_DES_DECRYPT &&
- memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- /*
- * CBC mode
- */
- for (i = 0; i < 6; i++) {
- u = i >> 1;
- v = i & 1;
-
- if (verbose != 0) {
- mbedtls_printf(" DES%c-CBC-%3d (%s): ",
- (u == 0) ? ' ' : '3', 56 + u * 56,
- (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
- }
-
- memcpy(iv, des3_test_iv, 8);
- memcpy(prv, des3_test_iv, 8);
- memcpy(buf, des3_test_buf, 8);
-
- switch (i) {
- case 0:
- ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
- break;
-
- case 1:
- ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
- break;
-
- case 2:
- ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
- break;
-
- case 3:
- ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
- break;
-
- case 4:
- ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
- break;
-
- case 5:
- ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
- break;
-
- default:
- return 1;
- }
- if (ret != 0) {
- goto exit;
- }
-
- if (v == MBEDTLS_DES_DECRYPT) {
- for (j = 0; j < 100; j++) {
- if (u == 0) {
- ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
- } else {
- ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
- }
- if (ret != 0) {
- goto exit;
- }
- }
- } else {
- for (j = 0; j < 100; j++) {
- unsigned char tmp[8];
-
- if (u == 0) {
- ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
- } else {
- ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
- }
- if (ret != 0) {
- goto exit;
- }
-
- memcpy(tmp, prv, 8);
- memcpy(prv, buf, 8);
- memcpy(buf, tmp, 8);
- }
-
- memcpy(buf, prv, 8);
- }
-
- if ((v == MBEDTLS_DES_DECRYPT &&
- memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
- (v != MBEDTLS_DES_DECRYPT &&
- memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-exit:
- mbedtls_des_free(&ctx);
- mbedtls_des3_free(&ctx3);
-
- if (ret != 0) {
- ret = 1;
- }
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_DES_C */
diff --git a/library/dhm.c b/library/dhm.c
deleted file mode 100644
index 174137d..0000000
--- a/library/dhm.c
+++ /dev/null
@@ -1,724 +0,0 @@
-/*
- * Diffie-Hellman-Merkle key exchange
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The following sources were referenced in the design of this implementation
- * of the Diffie-Hellman-Merkle algorithm:
- *
- * [1] Handbook of Applied Cryptography - 1997, Chapter 12
- * Menezes, van Oorschot and Vanstone
- *
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_DHM_C)
-
-#include "mbedtls/dhm.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
-#endif
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_DHM_ALT)
-
-/*
- * helper to validate the mbedtls_mpi size and import it
- */
-static int dhm_read_bignum(mbedtls_mpi *X,
- unsigned char **p,
- const unsigned char *end)
-{
- int ret, n;
-
- if (end - *p < 2) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- n = ((*p)[0] << 8) | (*p)[1];
- (*p) += 2;
-
- if ((int) (end - *p) < n) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
- }
-
- (*p) += n;
-
- return 0;
-}
-
-/*
- * Verify sanity of parameter with regards to P
- *
- * Parameter should be: 2 <= public_param <= P - 2
- *
- * This means that we need to return an error if
- * public_param < 2 or public_param > P-2
- *
- * For more information on the attack, see:
- * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
- * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
- */
-static int dhm_check_range(const mbedtls_mpi *param, const mbedtls_mpi *P)
-{
- mbedtls_mpi U;
- int ret = 0;
-
- mbedtls_mpi_init(&U);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
-
- if (mbedtls_mpi_cmp_int(param, 2) < 0 ||
- mbedtls_mpi_cmp_mpi(param, &U) > 0) {
- ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
-cleanup:
- mbedtls_mpi_free(&U);
- return ret;
-}
-
-void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_dhm_context));
-}
-
-size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
-{
- return mbedtls_mpi_bitlen(&ctx->P);
-}
-
-size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
-{
- return mbedtls_mpi_size(&ctx->P);
-}
-
-int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
- mbedtls_dhm_parameter param,
- mbedtls_mpi *dest)
-{
- const mbedtls_mpi *src = NULL;
- switch (param) {
- case MBEDTLS_DHM_PARAM_P:
- src = &ctx->P;
- break;
- case MBEDTLS_DHM_PARAM_G:
- src = &ctx->G;
- break;
- case MBEDTLS_DHM_PARAM_X:
- src = &ctx->X;
- break;
- case MBEDTLS_DHM_PARAM_GX:
- src = &ctx->GX;
- break;
- case MBEDTLS_DHM_PARAM_GY:
- src = &ctx->GY;
- break;
- case MBEDTLS_DHM_PARAM_K:
- src = &ctx->K;
- break;
- default:
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
- return mbedtls_mpi_copy(dest, src);
-}
-
-/*
- * Parse the ServerKeyExchange parameters
- */
-int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
- unsigned char **p,
- const unsigned char *end)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 ||
- (ret = dhm_read_bignum(&ctx->G, p, end)) != 0 ||
- (ret = dhm_read_bignum(&ctx->GY, p, end)) != 0) {
- return ret;
- }
-
- if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Pick a random R in the range [2, M-2] for blinding or key generation.
- */
-static int dhm_random_below(mbedtls_mpi *R, const mbedtls_mpi *M,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
-
-cleanup:
- return ret;
-}
-
-static int dhm_make_common(mbedtls_dhm_context *ctx, int x_size,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = 0;
-
- if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
- if (x_size < 0) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- if ((unsigned) x_size < mbedtls_mpi_size(&ctx->P)) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
- } else {
- /* Generate X as large as possible ( <= P - 2 ) */
- ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
- if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
- }
- if (ret != 0) {
- return ret;
- }
- }
-
- /*
- * Calculate GX = G^X mod P
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
- &ctx->P, &ctx->RP));
-
- if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0) {
- return ret;
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Setup and write the ServerKeyExchange parameters
- */
-int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
- unsigned char *output, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret;
- size_t n1, n2, n3;
- unsigned char *p;
-
- ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
- if (ret != 0) {
- goto cleanup;
- }
-
- /*
- * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
- * not required". We omit leading zeros for compactness.
- */
-#define DHM_MPI_EXPORT(X, n) \
- do { \
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), \
- p + 2, \
- (n))); \
- *p++ = MBEDTLS_BYTE_1(n); \
- *p++ = MBEDTLS_BYTE_0(n); \
- p += (n); \
- } while (0)
-
- n1 = mbedtls_mpi_size(&ctx->P);
- n2 = mbedtls_mpi_size(&ctx->G);
- n3 = mbedtls_mpi_size(&ctx->GX);
-
- p = output;
- DHM_MPI_EXPORT(&ctx->P, n1);
- DHM_MPI_EXPORT(&ctx->G, n2);
- DHM_MPI_EXPORT(&ctx->GX, n3);
-
- *olen = p - output;
-
-cleanup:
- if (ret != 0 && ret > -128) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
- }
- return ret;
-}
-
-/*
- * Set prime modulus and generator
- */
-int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
- const mbedtls_mpi *P,
- const mbedtls_mpi *G)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 ||
- (ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
- }
-
- return 0;
-}
-
-/*
- * Import the peer's public value G^Y
- */
-int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
- const unsigned char *input, size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ilen < 1 || ilen > mbedtls_dhm_get_len(ctx)) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
- }
-
- return 0;
-}
-
-/*
- * Create own private value X and export G^X
- */
-int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
- unsigned char *output, size_t olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret;
-
- if (olen < 1 || olen > mbedtls_dhm_get_len(ctx)) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
- if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) {
- return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
- }
- if (ret != 0) {
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
-
-cleanup:
- if (ret != 0 && ret > -128) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
- }
- return ret;
-}
-
-
-/*
- * Use the blinding method and optimisation suggested in section 10 of:
- * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
- * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
- * Berlin Heidelberg, 1996. p. 104-113.
- */
-static int dhm_update_blinding(mbedtls_dhm_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret;
- mbedtls_mpi R;
-
- mbedtls_mpi_init(&R);
-
- /*
- * Don't use any blinding the first time a particular X is used,
- * but remember it to use blinding next time.
- */
- if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
-
- return 0;
- }
-
- /*
- * Ok, we need blinding. Can we re-use existing values?
- * If yes, just update them by squaring them.
- */
- if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
-
- return 0;
- }
-
- /*
- * We need to generate blinding values from scratch
- */
-
- /* Vi = random( 2, P-2 ) */
- MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
-
- /* Vf = Vi^-X mod P
- * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
- * then elevate to the Xth power. */
- MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
-
-cleanup:
- mbedtls_mpi_free(&R);
-
- return ret;
-}
-
-/*
- * Derive and export the shared secret (G^Y)^X mod P
- */
-int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
- unsigned char *output, size_t output_size, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi GYb;
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- if (output_size < mbedtls_dhm_get_len(ctx)) {
- return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
- }
-
- if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
- return ret;
- }
-
- mbedtls_mpi_init(&GYb);
-
- /* Blind peer's value */
- MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
-
- /* Do modular exponentiation */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
- &ctx->P, &ctx->RP));
-
- /* Unblind secret value */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
-
- /* Output the secret without any leading zero byte. This is mandatory
- * for TLS per RFC 5246 §8.1.2. */
- *olen = mbedtls_mpi_size(&ctx->K);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
-
-cleanup:
- mbedtls_mpi_free(&GYb);
-
- if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
- }
-
- return 0;
-}
-
-/*
- * Free the components of a DHM key
- */
-void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_mpi_free(&ctx->pX);
- mbedtls_mpi_free(&ctx->Vf);
- mbedtls_mpi_free(&ctx->Vi);
- mbedtls_mpi_free(&ctx->RP);
- mbedtls_mpi_free(&ctx->K);
- mbedtls_mpi_free(&ctx->GY);
- mbedtls_mpi_free(&ctx->GX);
- mbedtls_mpi_free(&ctx->X);
- mbedtls_mpi_free(&ctx->G);
- mbedtls_mpi_free(&ctx->P);
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
-}
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-/*
- * Parse DHM parameters
- */
-int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
- size_t dhminlen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
- unsigned char *p, *end;
-#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_context pem;
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_init(&pem);
-
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (dhminlen == 0 || dhmin[dhminlen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN DH PARAMETERS-----",
- "-----END DH PARAMETERS-----",
- dhmin, NULL, 0, &dhminlen);
- }
-
- if (ret == 0) {
- /*
- * Was PEM encoded
- */
- dhminlen = pem.buflen;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- goto exit;
- }
-
- p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
-#else
- p = (unsigned char *) dhmin;
-#endif /* MBEDTLS_PEM_PARSE_C */
- end = p + dhminlen;
-
- /*
- * DHParams ::= SEQUENCE {
- * prime INTEGER, -- P
- * generator INTEGER, -- g
- * privateValueLength INTEGER OPTIONAL
- * }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
- goto exit;
- }
-
- end = p + len;
-
- if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 ||
- (ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
- goto exit;
- }
-
- if (p != end) {
- /* This might be the optional privateValueLength.
- * If so, we can cleanly discard it */
- mbedtls_mpi rec;
- mbedtls_mpi_init(&rec);
- ret = mbedtls_asn1_get_mpi(&p, end, &rec);
- mbedtls_mpi_free(&rec);
- if (ret != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
- goto exit;
- }
- if (p != end) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- goto exit;
- }
- }
-
- ret = 0;
-
-exit:
-#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_free(&pem);
-#endif
- if (ret != 0) {
- mbedtls_dhm_free(dhm);
- }
-
- return ret;
-}
-
-#if defined(MBEDTLS_FS_IO)
-/*
- * Load all data from a file into a given buffer.
- *
- * The file is expected to contain either PEM or DER encoded data.
- * A terminating null byte is always appended. It is included in the announced
- * length only if the data looks like it is PEM encoded.
- */
-static int load_file(const char *path, unsigned char **buf, size_t *n)
-{
- FILE *f;
- long size;
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
- }
- /* The data loaded here is public, so don't bother disabling buffering. */
-
- fseek(f, 0, SEEK_END);
- if ((size = ftell(f)) == -1) {
- fclose(f);
- return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
- }
- fseek(f, 0, SEEK_SET);
-
- *n = (size_t) size;
-
- if (*n + 1 == 0 ||
- (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
- fclose(f);
- return MBEDTLS_ERR_DHM_ALLOC_FAILED;
- }
-
- if (fread(*buf, 1, *n, f) != *n) {
- fclose(f);
-
- mbedtls_zeroize_and_free(*buf, *n + 1);
-
- return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
- }
-
- fclose(f);
-
- (*buf)[*n] = '\0';
-
- if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
- ++*n;
- }
-
- return 0;
-}
-
-/*
- * Load and parse DHM parameters
- */
-int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
- unsigned char *buf;
-
- if ((ret = load_file(path, &buf, &n)) != 0) {
- return ret;
- }
-
- ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
-
- mbedtls_zeroize_and_free(buf, n);
-
- return ret;
-}
-#endif /* MBEDTLS_FS_IO */
-#endif /* MBEDTLS_ASN1_PARSE_C */
-#endif /* MBEDTLS_DHM_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-static const char mbedtls_test_dhm_params[] =
- "-----BEGIN DH PARAMETERS-----\r\n"
- "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
- "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
- "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
- "-----END DH PARAMETERS-----\r\n";
-#else /* MBEDTLS_PEM_PARSE_C */
-static const char mbedtls_test_dhm_params[] = {
- 0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
- 0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
- 0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
- 0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
- 0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
- 0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
- 0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
- 0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
- 0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
- 0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
- 0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
- 0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
-};
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
-
-/*
- * Checkup routine
- */
-int mbedtls_dhm_self_test(int verbose)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_dhm_context dhm;
-
- mbedtls_dhm_init(&dhm);
-
- if (verbose != 0) {
- mbedtls_printf(" DHM parameter load: ");
- }
-
- if ((ret = mbedtls_dhm_parse_dhm(&dhm,
- (const unsigned char *) mbedtls_test_dhm_params,
- mbedtls_test_dhm_params_len)) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n\n");
- }
-
-exit:
- mbedtls_dhm_free(&dhm);
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_DHM_C */
diff --git a/library/ecdh.c b/library/ecdh.c
deleted file mode 100644
index 58ef881..0000000
--- a/library/ecdh.c
+++ /dev/null
@@ -1,697 +0,0 @@
-/*
- * Elliptic curve Diffie-Hellman
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References:
- *
- * SEC1 https://www.secg.org/sec1-v2.pdf
- * RFC 4492
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECDH_C)
-
-#include "mbedtls/ecdh.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
-#endif
-
-static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
- const mbedtls_ecdh_context *ctx)
-{
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ctx->grp.id;
-#else
- return ctx->grp_id;
-#endif
-}
-
-int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)
-{
- /* At this time, all groups support ECDH. */
- (void) gid;
- return 1;
-}
-
-#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
-/*
- * Generate public key (restartable version)
- *
- * Note: this internal function relies on its caller preserving the value of
- * the output parameter 'd' across continuation calls. This would not be
- * acceptable for a public function but is OK here as we control call sites.
- */
-static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- int restarting = 0;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
-#endif
- /* If multiplication is in progress, we already generated a privkey */
- if (!restarting) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
- f_rng, p_rng, rs_ctx));
-
-cleanup:
- return ret;
-}
-
-/*
- * Generate public key
- */
-int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL);
-}
-#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
-
-#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
-/*
- * Compute shared secret (SEC1 3.3.1)
- */
-static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *z,
- const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point P;
-
- mbedtls_ecp_point_init(&P);
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
- f_rng, p_rng, rs_ctx));
-
- if (mbedtls_ecp_is_zero(&P)) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
-
-cleanup:
- mbedtls_ecp_point_free(&P);
-
- return ret;
-}
-
-/*
- * Compute shared secret (SEC1 3.3.1)
- */
-int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
- const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return ecdh_compute_shared_restartable(grp, z, Q, d,
- f_rng, p_rng, NULL);
-}
-#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
-
-static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx)
-{
- mbedtls_ecp_group_init(&ctx->grp);
- mbedtls_mpi_init(&ctx->d);
- mbedtls_ecp_point_init(&ctx->Q);
- mbedtls_ecp_point_init(&ctx->Qp);
- mbedtls_mpi_init(&ctx->z);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_init(&ctx->rs);
-#endif
-}
-
-/*
- * Initialize context
- */
-void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
-{
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- ecdh_init_internal(ctx);
- mbedtls_ecp_point_init(&ctx->Vi);
- mbedtls_ecp_point_init(&ctx->Vf);
- mbedtls_mpi_init(&ctx->_d);
-#else
- memset(ctx, 0, sizeof(mbedtls_ecdh_context));
-
- ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
-#endif
- ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- ctx->restart_enabled = 0;
-#endif
-}
-
-static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
- mbedtls_ecp_group_id grp_id)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
- if (ret != 0) {
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-
- return 0;
-}
-
-/*
- * Setup context
- */
-int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)
-{
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_setup_internal(ctx, grp_id);
-#else
- switch (grp_id) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECP_DP_CURVE25519:
- ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
- ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
- ctx->grp_id = grp_id;
- return mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id);
-#endif
- default:
- ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
- ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
- ctx->grp_id = grp_id;
- ecdh_init_internal(&ctx->ctx.mbed_ecdh);
- return ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id);
- }
-#endif
-}
-
-static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx)
-{
- mbedtls_ecp_group_free(&ctx->grp);
- mbedtls_mpi_free(&ctx->d);
- mbedtls_ecp_point_free(&ctx->Q);
- mbedtls_ecp_point_free(&ctx->Qp);
- mbedtls_mpi_free(&ctx->z);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_free(&ctx->rs);
-#endif
-}
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/*
- * Enable restartable operations for context
- */
-void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)
-{
- ctx->restart_enabled = 1;
-}
-#endif
-
-/*
- * Free context
- */
-void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- mbedtls_ecp_point_free(&ctx->Vi);
- mbedtls_ecp_point_free(&ctx->Vf);
- mbedtls_mpi_free(&ctx->_d);
- ecdh_free_internal(ctx);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- mbedtls_everest_free(&ctx->ctx.everest_ecdh);
- break;
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- ecdh_free_internal(&ctx->ctx.mbed_ecdh);
- break;
- default:
- break;
- }
-
- ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
- ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
- ctx->grp_id = MBEDTLS_ECP_DP_NONE;
-#endif
-}
-
-static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
- size_t *olen, int point_format,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *,
- unsigned char *,
- size_t),
- void *p_rng,
- int restart_enabled)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t grp_len, pt_len;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_ctx *rs_ctx = NULL;
-#endif
-
- if (ctx->grp.pbits == 0) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (restart_enabled) {
- rs_ctx = &ctx->rs;
- }
-#else
- (void) restart_enabled;
-#endif
-
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
- f_rng, p_rng, rs_ctx)) != 0) {
- return ret;
- }
-#else
- if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
- f_rng, p_rng)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
- blen)) != 0) {
- return ret;
- }
-
- buf += grp_len;
- blen -= grp_len;
-
- if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
- &pt_len, buf, blen)) != 0) {
- return ret;
- }
-
- *olen = grp_len + pt_len;
- return 0;
-}
-
-/*
- * Setup and write the ServerKeyExchange parameters (RFC 4492)
- * struct {
- * ECParameters curve_params;
- * ECPoint public;
- * } ServerECDHParams;
- */
-int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int restart_enabled = 0;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- restart_enabled = ctx->restart_enabled;
-#else
- (void) restart_enabled;
-#endif
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
- f_rng, p_rng, restart_enabled);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- return mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
- buf, blen, f_rng, p_rng);
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
- ctx->point_format, buf, blen,
- f_rng, p_rng,
- restart_enabled);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-
-static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
- const unsigned char **buf,
- const unsigned char *end)
-{
- return mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
- end - *buf);
-}
-
-/*
- * Read the ServerKeyExchange parameters (RFC 4492)
- * struct {
- * ECParameters curve_params;
- * ECPoint public;
- * } ServerECDHParams;
- */
-int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
- const unsigned char **buf,
- const unsigned char *end)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_group_id grp_id;
- if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, end - *buf))
- != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0) {
- return ret;
- }
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_read_params_internal(ctx, buf, end);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- return mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
- buf, end);
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
- buf, end);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-
-static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
- const mbedtls_ecp_keypair *key,
- mbedtls_ecdh_side side)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* If it's not our key, just import the public part as Qp */
- if (side == MBEDTLS_ECDH_THEIRS) {
- return mbedtls_ecp_copy(&ctx->Qp, &key->Q);
- }
-
- /* Our key: import public (as Q) and private parts */
- if (side != MBEDTLS_ECDH_OURS) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
- (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Get parameters from a keypair
- */
-int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
- const mbedtls_ecp_keypair *key,
- mbedtls_ecdh_side side)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (side != MBEDTLS_ECDH_OURS && side != MBEDTLS_ECDH_THEIRS) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
- /* This is the first call to get_params(). Set up the context
- * for use with the group. */
- if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0) {
- return ret;
- }
- } else {
- /* This is not the first call to get_params(). Check that the
- * current key's group is the same as the context's, which was set
- * from the first key's group. */
- if (mbedtls_ecdh_grp_id(ctx) != key->grp.id) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- }
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_get_params_internal(ctx, key, side);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- {
- mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
- MBEDTLS_EVEREST_ECDH_OURS :
- MBEDTLS_EVEREST_ECDH_THEIRS;
- return mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
- key, s);
- }
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
- key, side);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-
-static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
- size_t *olen, int point_format,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *,
- unsigned char *,
- size_t),
- void *p_rng,
- int restart_enabled)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_ctx *rs_ctx = NULL;
-#endif
-
- if (ctx->grp.pbits == 0) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (restart_enabled) {
- rs_ctx = &ctx->rs;
- }
-#else
- (void) restart_enabled;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
- f_rng, p_rng, rs_ctx)) != 0) {
- return ret;
- }
-#else
- if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
- f_rng, p_rng)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
- buf, blen);
-}
-
-/*
- * Setup and export the client public value
- */
-int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int restart_enabled = 0;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- restart_enabled = ctx->restart_enabled;
-#endif
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
- f_rng, p_rng, restart_enabled);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- return mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
- buf, blen, f_rng, p_rng);
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
- ctx->point_format, buf, blen,
- f_rng, p_rng,
- restart_enabled);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-
-static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
- const unsigned char *buf, size_t blen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *p = buf;
-
- if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
- blen)) != 0) {
- return ret;
- }
-
- if ((size_t) (p - buf) != blen) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-/*
- * Parse and import the client's public value
- */
-int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
- const unsigned char *buf, size_t blen)
-{
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_read_public_internal(ctx, buf, blen);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- return mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
- buf, blen);
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
- buf, blen);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-
-static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
- size_t *olen, unsigned char *buf,
- size_t blen,
- int (*f_rng)(void *,
- unsigned char *,
- size_t),
- void *p_rng,
- int restart_enabled)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecp_restart_ctx *rs_ctx = NULL;
-#endif
-
- if (ctx == NULL || ctx->grp.pbits == 0) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (restart_enabled) {
- rs_ctx = &ctx->rs;
- }
-#else
- (void) restart_enabled;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
- &ctx->d, f_rng, p_rng,
- rs_ctx)) != 0) {
- return ret;
- }
-#else
- if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
- &ctx->d, f_rng, p_rng)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- if (mbedtls_mpi_size(&ctx->z) > blen) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
-
- if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
- }
-
- return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
-}
-
-/*
- * Derive and export the shared secret
- */
-int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int restart_enabled = 0;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- restart_enabled = ctx->restart_enabled;
-#endif
-
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- return ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
- restart_enabled);
-#else
- switch (ctx->var) {
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
- case MBEDTLS_ECDH_VARIANT_EVEREST:
- return mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
- buf, blen, f_rng, p_rng);
-#endif
- case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
- return ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
- blen, f_rng, p_rng,
- restart_enabled);
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-#endif
-}
-#endif /* MBEDTLS_ECDH_C */
diff --git a/library/ecdsa.c b/library/ecdsa.c
deleted file mode 100644
index 6e55f22..0000000
--- a/library/ecdsa.c
+++ /dev/null
@@ -1,879 +0,0 @@
-/*
- * Elliptic curve DSA
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References:
- *
- * SEC1 https://www.secg.org/sec1-v2.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECDSA_C)
-
-#include "mbedtls/ecdsa.h"
-#include "mbedtls/asn1write.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#include "mbedtls/hmac_drbg.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-
-/*
- * Sub-context for ecdsa_verify()
- */
-struct mbedtls_ecdsa_restart_ver {
- mbedtls_mpi u1, u2; /* intermediate values */
- enum { /* what to do next? */
- ecdsa_ver_init = 0, /* getting started */
- ecdsa_ver_muladd, /* muladd step */
- } state;
-};
-
-/*
- * Init verify restart sub-context
- */
-static void ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx *ctx)
-{
- mbedtls_mpi_init(&ctx->u1);
- mbedtls_mpi_init(&ctx->u2);
- ctx->state = ecdsa_ver_init;
-}
-
-/*
- * Free the components of a verify restart sub-context
- */
-static void ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_mpi_free(&ctx->u1);
- mbedtls_mpi_free(&ctx->u2);
-
- ecdsa_restart_ver_init(ctx);
-}
-
-/*
- * Sub-context for ecdsa_sign()
- */
-struct mbedtls_ecdsa_restart_sig {
- int sign_tries;
- int key_tries;
- mbedtls_mpi k; /* per-signature random */
- mbedtls_mpi r; /* r value */
- enum { /* what to do next? */
- ecdsa_sig_init = 0, /* getting started */
- ecdsa_sig_mul, /* doing ecp_mul() */
- ecdsa_sig_modn, /* mod N computations */
- } state;
-};
-
-/*
- * Init verify sign sub-context
- */
-static void ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx *ctx)
-{
- ctx->sign_tries = 0;
- ctx->key_tries = 0;
- mbedtls_mpi_init(&ctx->k);
- mbedtls_mpi_init(&ctx->r);
- ctx->state = ecdsa_sig_init;
-}
-
-/*
- * Free the components of a sign restart sub-context
- */
-static void ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_mpi_free(&ctx->k);
- mbedtls_mpi_free(&ctx->r);
-}
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-/*
- * Sub-context for ecdsa_sign_det()
- */
-struct mbedtls_ecdsa_restart_det {
- mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */
- enum { /* what to do next? */
- ecdsa_det_init = 0, /* getting started */
- ecdsa_det_sign, /* make signature */
- } state;
-};
-
-/*
- * Init verify sign_det sub-context
- */
-static void ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx *ctx)
-{
- mbedtls_hmac_drbg_init(&ctx->rng_ctx);
- ctx->state = ecdsa_det_init;
-}
-
-/*
- * Free the components of a sign_det restart sub-context
- */
-static void ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_hmac_drbg_free(&ctx->rng_ctx);
-
- ecdsa_restart_det_init(ctx);
-}
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
-#define ECDSA_RS_ECP (rs_ctx == NULL ? NULL : &rs_ctx->ecp)
-
-/* Utility macro for checking and updating ops budget */
-#define ECDSA_BUDGET(ops) \
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, ECDSA_RS_ECP, ops));
-
-/* Call this when entering a function that needs its own sub-context */
-#define ECDSA_RS_ENTER(SUB) do { \
- /* reset ops count for this call if top-level */ \
- if (rs_ctx != NULL && rs_ctx->ecp.depth++ == 0) \
- rs_ctx->ecp.ops_done = 0; \
- \
- /* set up our own sub-context if needed */ \
- if (mbedtls_ecp_restart_is_enabled() && \
- rs_ctx != NULL && rs_ctx->SUB == NULL) \
- { \
- rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
- if (rs_ctx->SUB == NULL) \
- return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
- \
- ecdsa_restart_## SUB ##_init(rs_ctx->SUB); \
- } \
-} while (0)
-
-/* Call this when leaving a function that needs its own sub-context */
-#define ECDSA_RS_LEAVE(SUB) do { \
- /* clear our sub-context when not in progress (done or error) */ \
- if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
- { \
- ecdsa_restart_## SUB ##_free(rs_ctx->SUB); \
- mbedtls_free(rs_ctx->SUB); \
- rs_ctx->SUB = NULL; \
- } \
- \
- if (rs_ctx != NULL) \
- rs_ctx->ecp.depth--; \
-} while (0)
-
-#else /* MBEDTLS_ECP_RESTARTABLE */
-
-#define ECDSA_RS_ECP NULL
-
-#define ECDSA_BUDGET(ops) /* no-op; for compatibility */
-
-#define ECDSA_RS_ENTER(SUB) (void) rs_ctx
-#define ECDSA_RS_LEAVE(SUB) (void) rs_ctx
-
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \
- !defined(MBEDTLS_ECDSA_SIGN_ALT) || \
- !defined(MBEDTLS_ECDSA_VERIFY_ALT)
-/*
- * Derive a suitable integer for group grp from a buffer of length len
- * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
- */
-static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,
- const unsigned char *buf, size_t blen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n_size = (grp->nbits + 7) / 8;
- size_t use_size = blen > n_size ? n_size : blen;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(x, buf, use_size));
- if (use_size * 8 > grp->nbits) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(x, use_size * 8 - grp->nbits));
- }
-
- /* While at it, reduce modulo N */
- if (mbedtls_mpi_cmp_mpi(x, &grp->N) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(x, x, &grp->N));
- }
-
-cleanup:
- return ret;
-}
-#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
-
-int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
-{
- switch (gid) {
-#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
- case MBEDTLS_ECP_DP_CURVE25519: return 0;
-#endif
-#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
- case MBEDTLS_ECP_DP_CURVE448: return 0;
-#endif
- default: return 1;
- }
-}
-
-#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
-/*
- * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
- * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
- */
-int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
-{
- int ret, key_tries, sign_tries;
- int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
- mbedtls_ecp_point R;
- mbedtls_mpi k, e, t;
- mbedtls_mpi *pk = &k, *pr = r;
-
- /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
- if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* Make sure d is in range 1..n-1 */
- if (mbedtls_mpi_cmp_int(d, 1) < 0 || mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- mbedtls_ecp_point_init(&R);
- mbedtls_mpi_init(&k); mbedtls_mpi_init(&e); mbedtls_mpi_init(&t);
-
- ECDSA_RS_ENTER(sig);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->sig != NULL) {
- /* redirect to our context */
- p_sign_tries = &rs_ctx->sig->sign_tries;
- p_key_tries = &rs_ctx->sig->key_tries;
- pk = &rs_ctx->sig->k;
- pr = &rs_ctx->sig->r;
-
- /* jump to current step */
- if (rs_ctx->sig->state == ecdsa_sig_mul) {
- goto mul;
- }
- if (rs_ctx->sig->state == ecdsa_sig_modn) {
- goto modn;
- }
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- *p_sign_tries = 0;
- do {
- if ((*p_sign_tries)++ > 10) {
- ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
- goto cleanup;
- }
-
- /*
- * Steps 1-3: generate a suitable ephemeral keypair
- * and set r = xR mod n
- */
- *p_key_tries = 0;
- do {
- if ((*p_key_tries)++ > 10) {
- ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, pk, f_rng, p_rng));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->sig != NULL) {
- rs_ctx->sig->state = ecdsa_sig_mul;
- }
-
-mul:
-#endif
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G,
- f_rng_blind,
- p_rng_blind,
- ECDSA_RS_ECP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N));
- } while (mbedtls_mpi_cmp_int(pr, 0) == 0);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->sig != NULL) {
- rs_ctx->sig->state = ecdsa_sig_modn;
- }
-
-modn:
-#endif
- /*
- * Accounting for everything up to the end of the loop
- * (step 6, but checking now avoids saving e and t)
- */
- ECDSA_BUDGET(MBEDTLS_ECP_OPS_INV + 4);
-
- /*
- * Step 5: derive MPI from hashed message
- */
- MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
-
- /*
- * Generate a random value to blind inv_mod in next step,
- * avoiding a potential timing leak.
- */
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, &t, f_rng_blind,
- p_rng_blind));
-
- /*
- * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&e, &e, &t));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pk, pk, &t));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N));
- } while (mbedtls_mpi_cmp_int(s, 0) == 0);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->sig != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
- }
-#endif
-
-cleanup:
- mbedtls_ecp_point_free(&R);
- mbedtls_mpi_free(&k); mbedtls_mpi_free(&e); mbedtls_mpi_free(&t);
-
- ECDSA_RS_LEAVE(sig);
-
- return ret;
-}
-
-/*
- * Compute ECDSA signature of a hashed message
- */
-int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- /* Use the same RNG for both blinding and ephemeral key generation */
- return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- f_rng, p_rng, f_rng, p_rng, NULL);
-}
-#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-/*
- * Deterministic signature wrapper
- *
- * note: The f_rng_blind parameter must not be NULL.
- *
- */
-int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_hmac_drbg_context rng_ctx;
- mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
- unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
- size_t grp_len = (grp->nbits + 7) / 8;
- const mbedtls_md_info_t *md_info;
- mbedtls_mpi h;
-
- if ((md_info = mbedtls_md_info_from_type(md_alg)) == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&h);
- mbedtls_hmac_drbg_init(&rng_ctx);
-
- ECDSA_RS_ENTER(det);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->det != NULL) {
- /* redirect to our context */
- p_rng = &rs_ctx->det->rng_ctx;
-
- /* jump to current step */
- if (rs_ctx->det->state == ecdsa_det_sign) {
- goto sign;
- }
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
- MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
- MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->det != NULL) {
- rs_ctx->det->state = ecdsa_det_sign;
- }
-
-sign:
-#endif
-#if defined(MBEDTLS_ECDSA_SIGN_ALT)
- (void) f_rng_blind;
- (void) p_rng_blind;
- ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
- mbedtls_hmac_drbg_random, p_rng);
-#else
- ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- mbedtls_hmac_drbg_random, p_rng,
- f_rng_blind, p_rng_blind, rs_ctx);
-#endif /* MBEDTLS_ECDSA_SIGN_ALT */
-
-cleanup:
- mbedtls_hmac_drbg_free(&rng_ctx);
- mbedtls_mpi_free(&h);
-
- ECDSA_RS_LEAVE(det);
-
- return ret;
-}
-
-/*
- * Deterministic signature wrapper
- */
-int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
- mbedtls_mpi *s, const mbedtls_mpi *d,
- const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *,
- size_t),
- void *p_rng_blind)
-{
- return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
- f_rng_blind, p_rng_blind, NULL);
-}
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
-#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
-/*
- * Verify ECDSA signature of hashed message (SEC1 4.1.4)
- * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
- */
-int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *r,
- const mbedtls_mpi *s,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi e, s_inv, u1, u2;
- mbedtls_ecp_point R;
- mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
-
- mbedtls_ecp_point_init(&R);
- mbedtls_mpi_init(&e); mbedtls_mpi_init(&s_inv);
- mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);
-
- /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
- if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- ECDSA_RS_ENTER(ver);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ver != NULL) {
- /* redirect to our context */
- pu1 = &rs_ctx->ver->u1;
- pu2 = &rs_ctx->ver->u2;
-
- /* jump to current step */
- if (rs_ctx->ver->state == ecdsa_ver_muladd) {
- goto muladd;
- }
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- /*
- * Step 1: make sure r and s are in range 1..n-1
- */
- if (mbedtls_mpi_cmp_int(r, 1) < 0 || mbedtls_mpi_cmp_mpi(r, &grp->N) >= 0 ||
- mbedtls_mpi_cmp_int(s, 1) < 0 || mbedtls_mpi_cmp_mpi(s, &grp->N) >= 0) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
- goto cleanup;
- }
-
- /*
- * Step 3: derive MPI from hashed message
- */
- MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
-
- /*
- * Step 4: u1 = e / s mod n, u2 = r / s mod n
- */
- ECDSA_BUDGET(MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu1, &e, &s_inv));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu2, r, &s_inv));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ver != NULL) {
- rs_ctx->ver->state = ecdsa_ver_muladd;
- }
-
-muladd:
-#endif
- /*
- * Step 5: R = u1 G + u2 Q
- */
- MBEDTLS_MPI_CHK(mbedtls_ecp_muladd_restartable(grp,
- &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP));
-
- if (mbedtls_ecp_is_zero(&R)) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
- goto cleanup;
- }
-
- /*
- * Step 6: convert xR to an integer (no-op)
- * Step 7: reduce xR mod n (gives v)
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&R.X, &R.X, &grp->N));
-
- /*
- * Step 8: check if v (that is, R.X) is equal to r
- */
- if (mbedtls_mpi_cmp_mpi(&R.X, r) != 0) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
- goto cleanup;
- }
-
-cleanup:
- mbedtls_ecp_point_free(&R);
- mbedtls_mpi_free(&e); mbedtls_mpi_free(&s_inv);
- mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);
-
- ECDSA_RS_LEAVE(ver);
-
- return ret;
-}
-
-/*
- * Verify ECDSA signature of hashed message
- */
-int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *r,
- const mbedtls_mpi *s)
-{
- return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
-}
-#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
-
-/*
- * Convert a signature (given by context) to ASN.1
- */
-static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,
- unsigned char *sig, size_t sig_size,
- size_t *slen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = { 0 };
- unsigned char *p = buf + sizeof(buf);
- size_t len = 0;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, s));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, r));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,
- MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- if (len > sig_size) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- memcpy(sig, p, len);
- *slen = len;
-
- return 0;
-}
-
-/*
- * Compute and write signature
- */
-int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hlen,
- unsigned char *sig, size_t sig_size, size_t *slen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi r, s;
- if (f_rng == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&s);
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, md_alg, f_rng,
- p_rng, rs_ctx));
-#else
- (void) md_alg;
-
-#if defined(MBEDTLS_ECDSA_SIGN_ALT)
- (void) rs_ctx;
-
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, f_rng, p_rng));
-#else
- /* Use the same RNG for both blinding and ephemeral key generation */
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, f_rng, p_rng, f_rng,
- p_rng, rs_ctx));
-#endif /* MBEDTLS_ECDSA_SIGN_ALT */
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
- MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, sig_size, slen));
-
-cleanup:
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&s);
-
- return ret;
-}
-
-/*
- * Compute and write signature
- */
-int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hlen,
- unsigned char *sig, size_t sig_size, size_t *slen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return mbedtls_ecdsa_write_signature_restartable(
- ctx, md_alg, hash, hlen, sig, sig_size, slen,
- f_rng, p_rng, NULL);
-}
-
-/*
- * Read and check signature
- */
-int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
- const unsigned char *hash, size_t hlen,
- const unsigned char *sig, size_t slen)
-{
- return mbedtls_ecdsa_read_signature_restartable(
- ctx, hash, hlen, sig, slen, NULL);
-}
-
-/*
- * Restartable read and check signature
- */
-int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
- const unsigned char *hash, size_t hlen,
- const unsigned char *sig, size_t slen,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = (unsigned char *) sig;
- const unsigned char *end = sig + slen;
- size_t len;
- mbedtls_mpi r, s;
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&s);
-
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- if (p + len != end) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- goto cleanup;
- }
-
- if ((ret = mbedtls_asn1_get_mpi(&p, end, &r)) != 0 ||
- (ret = mbedtls_asn1_get_mpi(&p, end, &s)) != 0) {
- ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
- (void) rs_ctx;
-
- if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen,
- &ctx->Q, &r, &s)) != 0) {
- goto cleanup;
- }
-#else
- if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
- &ctx->Q, &r, &s, rs_ctx)) != 0) {
- goto cleanup;
- }
-#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
-
- /* At this point we know that the buffer starts with a valid signature.
- * Return 0 if the buffer just contains the signature, and a specific
- * error code if the valid signature is followed by more data. */
- if (p != end) {
- ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
- }
-
-cleanup:
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&s);
-
- return ret;
-}
-
-#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
-/*
- * Generate key pair
- */
-int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = 0;
- ret = mbedtls_ecp_group_load(&ctx->grp, gid);
- if (ret != 0) {
- return ret;
- }
-
- return mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d,
- &ctx->Q, f_rng, p_rng);
-}
-#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
-
-/*
- * Set context from an mbedtls_ecp_keypair
- */
-int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 ||
- (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 ||
- (ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0) {
- mbedtls_ecdsa_free(ctx);
- }
-
- return ret;
-}
-
-/*
- * Initialize context
- */
-void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx)
-{
- mbedtls_ecp_keypair_init(ctx);
-}
-
-/*
- * Free context
- */
-void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_ecp_keypair_free(ctx);
-}
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/*
- * Initialize a restart context
- */
-void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx)
-{
- mbedtls_ecp_restart_init(&ctx->ecp);
-
- ctx->ver = NULL;
- ctx->sig = NULL;
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- ctx->det = NULL;
-#endif
-}
-
-/*
- * Free the components of a restart context
- */
-void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_ecp_restart_free(&ctx->ecp);
-
- ecdsa_restart_ver_free(ctx->ver);
- mbedtls_free(ctx->ver);
- ctx->ver = NULL;
-
- ecdsa_restart_sig_free(ctx->sig);
- mbedtls_free(ctx->sig);
- ctx->sig = NULL;
-
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- ecdsa_restart_det_free(ctx->det);
- mbedtls_free(ctx->det);
- ctx->det = NULL;
-#endif
-}
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-#endif /* MBEDTLS_ECDSA_C */
diff --git a/library/ecjpake.c b/library/ecjpake.c
deleted file mode 100644
index 6355b5e..0000000
--- a/library/ecjpake.c
+++ /dev/null
@@ -1,1228 +0,0 @@
-/*
- * Elliptic curve J-PAKE
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References in the code are to the Thread v1.0 Specification,
- * available to members of the Thread Group http://threadgroup.org/
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECJPAKE_C)
-
-#include "mbedtls/ecjpake.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if !defined(MBEDTLS_ECJPAKE_ALT)
-
-/*
- * Convert a mbedtls_ecjpake_role to identifier string
- */
-static const char * const ecjpake_id[] = {
- "client",
- "server"
-};
-
-#define ID_MINE (ecjpake_id[ctx->role])
-#define ID_PEER (ecjpake_id[1 - ctx->role])
-
-/**
- * Helper to Compute a hash from md_type
- */
-static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
- const unsigned char *input, size_t ilen,
- unsigned char *output)
-{
- return mbedtls_md(mbedtls_md_info_from_type(md_type),
- input, ilen, output);
-}
-
-/*
- * Initialize context
- */
-void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)
-{
- ctx->md_type = MBEDTLS_MD_NONE;
- mbedtls_ecp_group_init(&ctx->grp);
- ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
-
- mbedtls_ecp_point_init(&ctx->Xm1);
- mbedtls_ecp_point_init(&ctx->Xm2);
- mbedtls_ecp_point_init(&ctx->Xp1);
- mbedtls_ecp_point_init(&ctx->Xp2);
- mbedtls_ecp_point_init(&ctx->Xp);
-
- mbedtls_mpi_init(&ctx->xm1);
- mbedtls_mpi_init(&ctx->xm2);
- mbedtls_mpi_init(&ctx->s);
-}
-
-/*
- * Free context
- */
-void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- ctx->md_type = MBEDTLS_MD_NONE;
- mbedtls_ecp_group_free(&ctx->grp);
-
- mbedtls_ecp_point_free(&ctx->Xm1);
- mbedtls_ecp_point_free(&ctx->Xm2);
- mbedtls_ecp_point_free(&ctx->Xp1);
- mbedtls_ecp_point_free(&ctx->Xp2);
- mbedtls_ecp_point_free(&ctx->Xp);
-
- mbedtls_mpi_free(&ctx->xm1);
- mbedtls_mpi_free(&ctx->xm2);
- mbedtls_mpi_free(&ctx->s);
-}
-
-/*
- * Setup context
- */
-int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
- mbedtls_ecjpake_role role,
- mbedtls_md_type_t hash,
- mbedtls_ecp_group_id curve,
- const unsigned char *secret,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (role != MBEDTLS_ECJPAKE_CLIENT && role != MBEDTLS_ECJPAKE_SERVER) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- ctx->role = role;
-
- if ((mbedtls_md_info_from_type(hash)) == NULL) {
- return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
- }
-
- ctx->md_type = hash;
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));
-
-cleanup:
- if (ret != 0) {
- mbedtls_ecjpake_free(ctx);
- }
-
- return ret;
-}
-
-int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
- int point_format)
-{
- switch (point_format) {
- case MBEDTLS_ECP_PF_UNCOMPRESSED:
- case MBEDTLS_ECP_PF_COMPRESSED:
- ctx->point_format = point_format;
- return 0;
- default:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-}
-
-/*
- * Check if context is ready for use
- */
-int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)
-{
- if (ctx->md_type == MBEDTLS_MD_NONE ||
- ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
- ctx->s.p == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-/*
- * Write a point plus its length to a buffer
- */
-static int ecjpake_write_len_point(unsigned char **p,
- const unsigned char *end,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *P)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- /* Need at least 4 for length plus 1 for point */
- if (end < *p || end - *p < 5) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- ret = mbedtls_ecp_point_write_binary(grp, P, pf,
- &len, *p + 4, end - (*p + 4));
- if (ret != 0) {
- return ret;
- }
-
- MBEDTLS_PUT_UINT32_BE(len, *p, 0);
-
- *p += 4 + len;
-
- return 0;
-}
-
-/*
- * Size of the temporary buffer for ecjpake_hash:
- * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
- */
-#define ECJPAKE_HASH_BUF_LEN (3 * (4 + MBEDTLS_ECP_MAX_PT_LEN) + 4 + 6)
-
-/*
- * Compute hash for ZKP (7.4.2.2.2.1)
- */
-static int ecjpake_hash(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- const mbedtls_ecp_point *V,
- const mbedtls_ecp_point *X,
- const char *id,
- mbedtls_mpi *h)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char buf[ECJPAKE_HASH_BUF_LEN];
- unsigned char *p = buf;
- const unsigned char *end = buf + sizeof(buf);
- const size_t id_len = strlen(id);
- unsigned char hash[MBEDTLS_MD_MAX_SIZE];
-
- /* Write things to temporary buffer */
- MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
- MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, V));
- MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, X));
-
- if (end - p < 4) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- MBEDTLS_PUT_UINT32_BE(id_len, p, 0);
- p += 4;
-
- if (end < p || (size_t) (end - p) < id_len) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- memcpy(p, id, id_len);
- p += id_len;
-
- /* Compute hash */
- MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(md_type,
- buf, p - buf, hash));
-
- /* Turn it into an integer mod n */
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
- mbedtls_md_get_size_from_type(md_type)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
-
-cleanup:
- return ret;
-}
-
-/*
- * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
- */
-static int ecjpake_zkp_read(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- const mbedtls_ecp_point *X,
- const char *id,
- const unsigned char **p,
- const unsigned char *end)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point V, VV;
- mbedtls_mpi r, h;
- size_t r_len;
-
- mbedtls_ecp_point_init(&V);
- mbedtls_ecp_point_init(&VV);
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&h);
-
- /*
- * struct {
- * ECPoint V;
- * opaque r<1..2^8-1>;
- * } ECSchnorrZKP;
- */
- if (end < *p) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, &V, p, end - *p));
-
- if (end < *p || (size_t) (end - *p) < 1) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- r_len = *(*p)++;
-
- if (end < *p || (size_t) (end - *p) < r_len || r_len == 0) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, *p, r_len));
- *p += r_len;
-
- /*
- * Verification
- */
- MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
- MBEDTLS_MPI_CHK(mbedtls_ecp_muladd((mbedtls_ecp_group *) grp,
- &VV, &h, X, &r, G));
-
- if (mbedtls_ecp_point_cmp(&VV, &V) != 0) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
- goto cleanup;
- }
-
-cleanup:
- mbedtls_ecp_point_free(&V);
- mbedtls_ecp_point_free(&VV);
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&h);
-
- return ret;
-}
-
-/*
- * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
- */
-static int ecjpake_zkp_write(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- const mbedtls_mpi *x,
- const mbedtls_ecp_point *X,
- const char *id,
- unsigned char **p,
- const unsigned char *end,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point V;
- mbedtls_mpi v;
- mbedtls_mpi h; /* later recycled to hold r */
- size_t len;
-
- if (end < *p) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- mbedtls_ecp_point_init(&V);
- mbedtls_mpi_init(&v);
- mbedtls_mpi_init(&h);
-
- /* Compute signature */
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp,
- G, &v, &V, f_rng, p_rng));
- MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&h, &h, x)); /* x*h */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&h, &v, &h)); /* v - x*h */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&h, &h, &grp->N)); /* r */
-
- /* Write it out */
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, &V,
- pf, &len, *p, end - *p));
- *p += len;
-
- len = mbedtls_mpi_size(&h); /* actually r */
- if (end < *p || (size_t) (end - *p) < 1 + len || len > 255) {
- ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- goto cleanup;
- }
-
- *(*p)++ = MBEDTLS_BYTE_0(len);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, *p, len)); /* r */
- *p += len;
-
-cleanup:
- mbedtls_ecp_point_free(&V);
- mbedtls_mpi_free(&v);
- mbedtls_mpi_free(&h);
-
- return ret;
-}
-
-/*
- * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
- * Output: verified public key X
- */
-static int ecjpake_kkp_read(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- mbedtls_ecp_point *X,
- const char *id,
- const unsigned char **p,
- const unsigned char *end)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (end < *p) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * struct {
- * ECPoint X;
- * ECSchnorrZKP zkp;
- * } ECJPAKEKeyKP;
- */
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, X, p, end - *p));
- if (mbedtls_ecp_is_zero(X)) {
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(ecjpake_zkp_read(md_type, grp, pf, G, X, id, p, end));
-
-cleanup:
- return ret;
-}
-
-/*
- * Generate an ECJPAKEKeyKP
- * Output: the serialized structure, plus private/public key pair
- */
-static int ecjpake_kkp_write(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- mbedtls_mpi *x,
- mbedtls_ecp_point *X,
- const char *id,
- unsigned char **p,
- const unsigned char *end,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if (end < *p) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- /* Generate key (7.4.2.3.1) and write it out */
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp, G, x, X,
- f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, X,
- pf, &len, *p, end - *p));
- *p += len;
-
- /* Generate and write proof */
- MBEDTLS_MPI_CHK(ecjpake_zkp_write(md_type, grp, pf, G, x, X, id,
- p, end, f_rng, p_rng));
-
-cleanup:
- return ret;
-}
-
-/*
- * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
- * Outputs: verified peer public keys Xa, Xb
- */
-static int ecjpake_kkpp_read(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- mbedtls_ecp_point *Xa,
- mbedtls_ecp_point *Xb,
- const char *id,
- const unsigned char *buf,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *p = buf;
- const unsigned char *end = buf + len;
-
- /*
- * struct {
- * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
- * } ECJPAKEKeyKPPairList;
- */
- MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xa, id, &p, end));
- MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xb, id, &p, end));
-
- if (p != end) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Generate a ECJPAKEKeyKPPairList
- * Outputs: the serialized structure, plus two private/public key pairs
- */
-static int ecjpake_kkpp_write(const mbedtls_md_type_t md_type,
- const mbedtls_ecp_group *grp,
- const int pf,
- const mbedtls_ecp_point *G,
- mbedtls_mpi *xm1,
- mbedtls_ecp_point *Xa,
- mbedtls_mpi *xm2,
- mbedtls_ecp_point *Xb,
- const char *id,
- unsigned char *buf,
- size_t len,
- size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = buf;
- const unsigned char *end = buf + len;
-
- MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm1, Xa, id,
- &p, end, f_rng, p_rng));
- MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm2, Xb, id,
- &p, end, f_rng, p_rng));
-
- *olen = p - buf;
-
-cleanup:
- return ret;
-}
-
-/*
- * Read and process the first round message
- */
-int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
- const unsigned char *buf,
- size_t len)
-{
- return ecjpake_kkpp_read(ctx->md_type, &ctx->grp, ctx->point_format,
- &ctx->grp.G,
- &ctx->Xp1, &ctx->Xp2, ID_PEER,
- buf, len);
-}
-
-/*
- * Generate and write the first round message
- */
-int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return ecjpake_kkpp_write(ctx->md_type, &ctx->grp, ctx->point_format,
- &ctx->grp.G,
- &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
- ID_MINE, buf, len, olen, f_rng, p_rng);
-}
-
-/*
- * Compute the sum of three points R = A + B + C
- */
-static int ecjpake_ecp_add3(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_ecp_point *A,
- const mbedtls_ecp_point *B,
- const mbedtls_ecp_point *C)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi one;
-
- mbedtls_mpi_init(&one);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
- MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, A, &one, B));
- MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, R, &one, C));
-
-cleanup:
- mbedtls_mpi_free(&one);
-
- return ret;
-}
-
-/*
- * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
- */
-int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
- const unsigned char *buf,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *p = buf;
- const unsigned char *end = buf + len;
- mbedtls_ecp_group grp;
- mbedtls_ecp_point G; /* C: GB, S: GA */
-
- mbedtls_ecp_group_init(&grp);
- mbedtls_ecp_point_init(&G);
-
- /*
- * Server: GA = X3 + X4 + X1 (7.4.2.6.1)
- * Client: GB = X1 + X2 + X3 (7.4.2.5.1)
- * Unified: G = Xm1 + Xm2 + Xp1
- * We need that before parsing in order to check Xp as we read it
- */
- MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
- &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));
-
- /*
- * struct {
- * ECParameters curve_params; // only client reading server msg
- * ECJPAKEKeyKP ecjpake_key_kp;
- * } Client/ServerECJPAKEParams;
- */
- if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_group(&grp, &p, len));
- if (grp.id != ctx->grp.id) {
- ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- goto cleanup;
- }
- }
-
- MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_type, &ctx->grp,
- ctx->point_format,
- &G, &ctx->Xp, ID_PEER, &p, end));
-
- if (p != end) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
-cleanup:
- mbedtls_ecp_group_free(&grp);
- mbedtls_ecp_point_free(&G);
-
- return ret;
-}
-
-/*
- * Compute R = +/- X * S mod N, taking care not to leak S
- */
-static int ecjpake_mul_secret(mbedtls_mpi *R, int sign,
- const mbedtls_mpi *X,
- const mbedtls_mpi *S,
- const mbedtls_mpi *N,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi b; /* Blinding value, then s + N * blinding */
-
- mbedtls_mpi_init(&b);
-
- /* b = s + rnd-128-bit * N */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&b, 16, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&b, &b, N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&b, &b, S));
-
- /* R = sign * X * b mod N */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(R, X, &b));
- R->s *= sign;
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(R, R, N));
-
-cleanup:
- mbedtls_mpi_free(&b);
-
- return ret;
-}
-
-/*
- * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
- */
-int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point G; /* C: GA, S: GB */
- mbedtls_ecp_point Xm; /* C: Xc, S: Xs */
- mbedtls_mpi xm; /* C: xc, S: xs */
- unsigned char *p = buf;
- const unsigned char *end = buf + len;
- size_t ec_len;
-
- mbedtls_ecp_point_init(&G);
- mbedtls_ecp_point_init(&Xm);
- mbedtls_mpi_init(&xm);
-
- /*
- * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
- *
- * Client: GA = X1 + X3 + X4 | xs = x2 * s | Xc = xc * GA
- * Server: GB = X3 + X1 + X2 | xs = x4 * s | Xs = xs * GB
- * Unified: G = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
- */
- MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
- &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));
- MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,
- &ctx->grp.N, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));
-
- /*
- * Now write things out
- *
- * struct {
- * ECParameters curve_params; // only server writing its message
- * ECJPAKEKeyKP ecjpake_key_kp;
- * } Client/ServerECJPAKEParams;
- */
- if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {
- if (end < p) {
- ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- goto cleanup;
- }
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,
- p, end - p));
- p += ec_len;
- }
-
- if (end < p) {
- ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- goto cleanup;
- }
- MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,
- ctx->point_format, &ec_len, p, end - p));
- p += ec_len;
-
- MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_type, &ctx->grp,
- ctx->point_format,
- &G, &xm, &Xm, ID_MINE,
- &p, end, f_rng, p_rng));
-
- *olen = p - buf;
-
-cleanup:
- mbedtls_ecp_point_free(&G);
- mbedtls_ecp_point_free(&Xm);
- mbedtls_mpi_free(&xm);
-
- return ret;
-}
-
-/*
- * Derive PMS (7.4.2.7 / 7.4.2.8)
- */
-static int mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context *ctx,
- mbedtls_ecp_point *K,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi m_xm2_s, one;
-
- mbedtls_mpi_init(&m_xm2_s);
- mbedtls_mpi_init(&one);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
-
- /*
- * Client: K = ( Xs - X4 * x2 * s ) * x2
- * Server: K = ( Xc - X2 * x4 * s ) * x4
- * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
- */
- MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,
- &ctx->grp.N, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, K,
- &one, &ctx->Xp,
- &m_xm2_s, &ctx->Xp2));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, K, &ctx->xm2, K,
- f_rng, p_rng));
-
-cleanup:
- mbedtls_mpi_free(&m_xm2_s);
- mbedtls_mpi_free(&one);
-
- return ret;
-}
-
-int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point K;
- unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
- size_t x_bytes;
-
- *olen = mbedtls_md_get_size_from_type(ctx->md_type);
- if (len < *olen) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- mbedtls_ecp_point_init(&K);
-
- ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
- if (ret) {
- goto cleanup;
- }
-
- /* PMS = SHA-256( K.X ) */
- x_bytes = (ctx->grp.pbits + 7) / 8;
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K.X, kx, x_bytes));
- MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(ctx->md_type,
- kx, x_bytes, buf));
-
-cleanup:
- mbedtls_ecp_point_free(&K);
-
- return ret;
-}
-
-int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
- unsigned char *buf, size_t len, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point K;
-
- mbedtls_ecp_point_init(&K);
-
- ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
- if (ret) {
- goto cleanup;
- }
-
- ret = mbedtls_ecp_point_write_binary(&ctx->grp, &K, ctx->point_format,
- olen, buf, len);
- if (ret != 0) {
- goto cleanup;
- }
-
-cleanup:
- mbedtls_ecp_point_free(&K);
-
- return ret;
-}
-
-#undef ID_MINE
-#undef ID_PEER
-
-#endif /* ! MBEDTLS_ECJPAKE_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- !defined(MBEDTLS_MD_CAN_SHA256)
-int mbedtls_ecjpake_self_test(int verbose)
-{
- (void) verbose;
- return 0;
-}
-#else
-
-static const unsigned char ecjpake_test_password[] = {
- 0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
- 0x65, 0x73, 0x74
-};
-
-#if !defined(MBEDTLS_ECJPAKE_ALT)
-
-static const unsigned char ecjpake_test_x1[] = {
- 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
- 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
- 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
-};
-
-static const unsigned char ecjpake_test_x2[] = {
- 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
- 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
- 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
-};
-
-static const unsigned char ecjpake_test_x3[] = {
- 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
- 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
- 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
-};
-
-static const unsigned char ecjpake_test_x4[] = {
- 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
- 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
- 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
-};
-
-static const unsigned char ecjpake_test_cli_one[] = {
- 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
- 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
- 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
- 0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
- 0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
- 0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
- 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
- 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
- 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
- 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
- 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
- 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
- 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
- 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
- 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
- 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
- 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
- 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
- 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
- 0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
- 0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
- 0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
- 0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
- 0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
- 0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
- 0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
- 0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
- 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
-};
-
-static const unsigned char ecjpake_test_srv_one[] = {
- 0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
- 0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
- 0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
- 0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
- 0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
- 0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
- 0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
- 0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
- 0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
- 0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
- 0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
- 0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
- 0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
- 0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
- 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
- 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
- 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
- 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
- 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
- 0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
- 0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
- 0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
- 0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
- 0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
- 0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
- 0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
- 0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
- 0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
-};
-
-static const unsigned char ecjpake_test_srv_two[] = {
- 0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
- 0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
- 0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
- 0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
- 0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
- 0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
- 0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
- 0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
- 0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
- 0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
- 0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
- 0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
- 0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
- 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
-};
-
-static const unsigned char ecjpake_test_cli_two[] = {
- 0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
- 0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
- 0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
- 0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
- 0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
- 0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
- 0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
- 0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
- 0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
- 0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
- 0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
- 0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
- 0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
- 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
-};
-
-static const unsigned char ecjpake_test_shared_key[] = {
- 0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80,
- 0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79,
- 0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1,
- 0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0,
- 0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12,
- 0x17, 0xc3, 0xde, 0x27, 0xb4,
-};
-
-static const unsigned char ecjpake_test_pms[] = {
- 0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
- 0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
- 0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
-};
-
-/*
- * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
- *
- * This is the linear congruential generator from numerical recipes,
- * except we only use the low byte as the output. See
- * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
- */
-static int self_test_rng(void *ctx, unsigned char *out, size_t len)
-{
- static uint32_t state = 42;
-
- (void) ctx;
-
- for (size_t i = 0; i < len; i++) {
- state = state * 1664525u + 1013904223u;
- out[i] = (unsigned char) state;
- }
-
- return 0;
-}
-
-/* Load my private keys and generate the corresponding public keys */
-static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,
- const unsigned char *xm1, size_t len1,
- const unsigned char *xm2, size_t len2)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,
- &ctx->grp.G, self_test_rng, NULL));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,
- &ctx->grp.G, self_test_rng, NULL));
-
-cleanup:
- return ret;
-}
-
-#endif /* ! MBEDTLS_ECJPAKE_ALT */
-
-/* For tests we don't need a secure RNG;
- * use the LGC from Numerical Recipes for simplicity */
-static int ecjpake_lgc(void *p, unsigned char *out, size_t len)
-{
- static uint32_t x = 42;
- (void) p;
-
- while (len > 0) {
- size_t use_len = len > 4 ? 4 : len;
- x = 1664525 * x + 1013904223;
- memcpy(out, &x, use_len);
- out += use_len;
- len -= use_len;
- }
-
- return 0;
-}
-
-#define TEST_ASSERT(x) \
- do { \
- if (x) \
- ret = 0; \
- else \
- { \
- ret = 1; \
- goto cleanup; \
- } \
- } while (0)
-
-/*
- * Checkup routine
- */
-int mbedtls_ecjpake_self_test(int verbose)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecjpake_context cli;
- mbedtls_ecjpake_context srv;
- unsigned char buf[512], pms[32];
- size_t len, pmslen;
-
- mbedtls_ecjpake_init(&cli);
- mbedtls_ecjpake_init(&srv);
-
- if (verbose != 0) {
- mbedtls_printf(" ECJPAKE test #0 (setup): ");
- }
-
- TEST_ASSERT(mbedtls_ecjpake_setup(&cli, MBEDTLS_ECJPAKE_CLIENT,
- MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
- ecjpake_test_password,
- sizeof(ecjpake_test_password)) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_setup(&srv, MBEDTLS_ECJPAKE_SERVER,
- MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
- ecjpake_test_password,
- sizeof(ecjpake_test_password)) == 0);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf(" ECJPAKE test #1 (random handshake): ");
- }
-
- TEST_ASSERT(mbedtls_ecjpake_write_round_one(&cli,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv, buf, len) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_write_round_one(&srv,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli, buf, len) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_write_round_two(&srv,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli, buf, len) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
- pms, sizeof(pms), &pmslen, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_write_round_two(&cli,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv, buf, len) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(len == pmslen);
- TEST_ASSERT(memcmp(buf, pms, len) == 0);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-#if !defined(MBEDTLS_ECJPAKE_ALT)
- /* 'reference handshake' tests can only be run against implementations
- * for which we have 100% control over how the random ephemeral keys
- * are generated. This is only the case for the internal Mbed TLS
- * implementation, so these tests are skipped in case the internal
- * implementation is swapped out for an alternative one. */
- if (verbose != 0) {
- mbedtls_printf(" ECJPAKE test #2 (reference handshake): ");
- }
-
- /* Simulate generation of round one */
- MBEDTLS_MPI_CHK(ecjpake_test_load(&cli,
- ecjpake_test_x1, sizeof(ecjpake_test_x1),
- ecjpake_test_x2, sizeof(ecjpake_test_x2)));
-
- MBEDTLS_MPI_CHK(ecjpake_test_load(&srv,
- ecjpake_test_x3, sizeof(ecjpake_test_x3),
- ecjpake_test_x4, sizeof(ecjpake_test_x4)));
-
- /* Read round one */
- TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv,
- ecjpake_test_cli_one,
- sizeof(ecjpake_test_cli_one)) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli,
- ecjpake_test_srv_one,
- sizeof(ecjpake_test_srv_one)) == 0);
-
- /* Skip generation of round two, read round two */
- TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli,
- ecjpake_test_srv_two,
- sizeof(ecjpake_test_srv_two)) == 0);
-
- TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv,
- ecjpake_test_cli_two,
- sizeof(ecjpake_test_cli_two)) == 0);
-
- /* Server derives PMS */
- TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(len == sizeof(ecjpake_test_pms));
- TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
-
- /* Server derives K as unsigned binary data */
- TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&srv,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
- TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
-
- memset(buf, 0, len); /* Avoid interferences with next step */
-
- /* Client derives PMS */
- TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(len == sizeof(ecjpake_test_pms));
- TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
-
- /* Client derives K as unsigned binary data */
- TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&cli,
- buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
-
- TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
- TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-#endif /* ! MBEDTLS_ECJPAKE_ALT */
-
-cleanup:
- mbedtls_ecjpake_free(&cli);
- mbedtls_ecjpake_free(&srv);
-
- if (ret != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return ret;
-}
-
-#undef TEST_ASSERT
-
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_MD_CAN_SHA256 */
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/library/ecp.c b/library/ecp.c
deleted file mode 100644
index dfa0957..0000000
--- a/library/ecp.c
+++ /dev/null
@@ -1,3646 +0,0 @@
-/*
- * Elliptic curves over GF(p): generic functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References:
- *
- * SEC1 https://www.secg.org/sec1-v2.pdf
- * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
- * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
- * RFC 4492 for the related TLS structures and constants
- * - https://www.rfc-editor.org/rfc/rfc4492
- * RFC 7748 for the Curve448 and Curve25519 curve definitions
- * - https://www.rfc-editor.org/rfc/rfc7748
- *
- * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
- *
- * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
- * for elliptic curve cryptosystems. In : Cryptographic Hardware and
- * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
- * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
- *
- * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
- * render ECC resistant against Side Channel Attacks. IACR Cryptology
- * ePrint Archive, 2004, vol. 2004, p. 342.
- * <http://eprint.iacr.org/2004/342.pdf>
- */
-
-#include "common.h"
-
-/**
- * \brief Function level alternative implementation.
- *
- * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
- * replace certain functions in this module. The alternative implementations are
- * typically hardware accelerators and need to activate the hardware before the
- * computation starts and deactivate it after it finishes. The
- * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
- * this purpose.
- *
- * To preserve the correct functionality the following conditions must hold:
- *
- * - The alternative implementation must be activated by
- * mbedtls_internal_ecp_init() before any of the replaceable functions is
- * called.
- * - mbedtls_internal_ecp_free() must \b only be called when the alternative
- * implementation is activated.
- * - mbedtls_internal_ecp_init() must \b not be called when the alternative
- * implementation is activated.
- * - Public functions must not return while the alternative implementation is
- * activated.
- * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
- * before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
- * \endcode ensures that the alternative implementation supports the current
- * group.
- */
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-#endif
-
-#if defined(MBEDTLS_ECP_LIGHT)
-
-#include "mbedtls/ecp.h"
-#include "mbedtls/threading.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include "bn_mul.h"
-#include "ecp_invasive.h"
-
-#include <string.h>
-
-#if !defined(MBEDTLS_ECP_ALT)
-
-#include "mbedtls/platform.h"
-
-#include "ecp_internal_alt.h"
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * Counts of point addition and doubling, and field multiplications.
- * Used to test resistance of point multiplication to simple timing attacks.
- */
-#if defined(MBEDTLS_ECP_C)
-static unsigned long add_count, dbl_count;
-#endif /* MBEDTLS_ECP_C */
-static unsigned long mul_count;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
-/*
- * Maximum number of "basic operations" to be done in a row.
- *
- * Default value 0 means that ECC operations will not yield.
- * Note that regardless of the value of ecp_max_ops, always at
- * least one step is performed before yielding.
- *
- * Setting ecp_max_ops=1 can be suitable for testing purposes
- * as it will interrupt computation at all possible points.
- */
-static unsigned ecp_max_ops = 0;
-
-/*
- * Set ecp_max_ops
- */
-void mbedtls_ecp_set_max_ops(unsigned max_ops)
-{
- ecp_max_ops = max_ops;
-}
-
-/*
- * Check if restart is enabled
- */
-int mbedtls_ecp_restart_is_enabled(void)
-{
- return ecp_max_ops != 0;
-}
-
-/*
- * Restart sub-context for ecp_mul_comb()
- */
-struct mbedtls_ecp_restart_mul {
- mbedtls_ecp_point R; /* current intermediate result */
- size_t i; /* current index in various loops, 0 outside */
- mbedtls_ecp_point *T; /* table for precomputed points */
- unsigned char T_size; /* number of points in table T */
- enum { /* what were we doing last time we returned? */
- ecp_rsm_init = 0, /* nothing so far, dummy initial state */
- ecp_rsm_pre_dbl, /* precompute 2^n multiples */
- ecp_rsm_pre_norm_dbl, /* normalize precomputed 2^n multiples */
- ecp_rsm_pre_add, /* precompute remaining points by adding */
- ecp_rsm_pre_norm_add, /* normalize all precomputed points */
- ecp_rsm_comb_core, /* ecp_mul_comb_core() */
- ecp_rsm_final_norm, /* do the final normalization */
- } state;
-};
-
-/*
- * Init restart_mul sub-context
- */
-static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
-{
- mbedtls_ecp_point_init(&ctx->R);
- ctx->i = 0;
- ctx->T = NULL;
- ctx->T_size = 0;
- ctx->state = ecp_rsm_init;
-}
-
-/*
- * Free the components of a restart_mul sub-context
- */
-static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
-{
- unsigned char i;
-
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_ecp_point_free(&ctx->R);
-
- if (ctx->T != NULL) {
- for (i = 0; i < ctx->T_size; i++) {
- mbedtls_ecp_point_free(ctx->T + i);
- }
- mbedtls_free(ctx->T);
- }
-
- ecp_restart_rsm_init(ctx);
-}
-
-/*
- * Restart context for ecp_muladd()
- */
-struct mbedtls_ecp_restart_muladd {
- mbedtls_ecp_point mP; /* mP value */
- mbedtls_ecp_point R; /* R intermediate result */
- enum { /* what should we do next? */
- ecp_rsma_mul1 = 0, /* first multiplication */
- ecp_rsma_mul2, /* second multiplication */
- ecp_rsma_add, /* addition */
- ecp_rsma_norm, /* normalization */
- } state;
-};
-
-/*
- * Init restart_muladd sub-context
- */
-static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
-{
- mbedtls_ecp_point_init(&ctx->mP);
- mbedtls_ecp_point_init(&ctx->R);
- ctx->state = ecp_rsma_mul1;
-}
-
-/*
- * Free the components of a restart_muladd sub-context
- */
-static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_ecp_point_free(&ctx->mP);
- mbedtls_ecp_point_free(&ctx->R);
-
- ecp_restart_ma_init(ctx);
-}
-
-/*
- * Initialize a restart context
- */
-void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
-{
- ctx->ops_done = 0;
- ctx->depth = 0;
- ctx->rsm = NULL;
- ctx->ma = NULL;
-}
-
-/*
- * Free the components of a restart context
- */
-void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- ecp_restart_rsm_free(ctx->rsm);
- mbedtls_free(ctx->rsm);
-
- ecp_restart_ma_free(ctx->ma);
- mbedtls_free(ctx->ma);
-
- mbedtls_ecp_restart_init(ctx);
-}
-
-/*
- * Check if we can do the next step
- */
-int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
- mbedtls_ecp_restart_ctx *rs_ctx,
- unsigned ops)
-{
- if (rs_ctx != NULL && ecp_max_ops != 0) {
- /* scale depending on curve size: the chosen reference is 256-bit,
- * and multiplication is quadratic. Round to the closest integer. */
- if (grp->pbits >= 512) {
- ops *= 4;
- } else if (grp->pbits >= 384) {
- ops *= 2;
- }
-
- /* Avoid infinite loops: always allow first step.
- * Because of that, however, it's not generally true
- * that ops_done <= ecp_max_ops, so the check
- * ops_done > ecp_max_ops below is mandatory. */
- if ((rs_ctx->ops_done != 0) &&
- (rs_ctx->ops_done > ecp_max_ops ||
- ops > ecp_max_ops - rs_ctx->ops_done)) {
- return MBEDTLS_ERR_ECP_IN_PROGRESS;
- }
-
- /* update running count */
- rs_ctx->ops_done += ops;
- }
-
- return 0;
-}
-
-/* Call this when entering a function that needs its own sub-context */
-#define ECP_RS_ENTER(SUB) do { \
- /* reset ops count for this call if top-level */ \
- if (rs_ctx != NULL && rs_ctx->depth++ == 0) \
- rs_ctx->ops_done = 0; \
- \
- /* set up our own sub-context if needed */ \
- if (mbedtls_ecp_restart_is_enabled() && \
- rs_ctx != NULL && rs_ctx->SUB == NULL) \
- { \
- rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
- if (rs_ctx->SUB == NULL) \
- return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
- \
- ecp_restart_## SUB ##_init(rs_ctx->SUB); \
- } \
-} while (0)
-
-/* Call this when leaving a function that needs its own sub-context */
-#define ECP_RS_LEAVE(SUB) do { \
- /* clear our sub-context when not in progress (done or error) */ \
- if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
- { \
- ecp_restart_## SUB ##_free(rs_ctx->SUB); \
- mbedtls_free(rs_ctx->SUB); \
- rs_ctx->SUB = NULL; \
- } \
- \
- if (rs_ctx != NULL) \
- rs_ctx->depth--; \
-} while (0)
-
-#else /* MBEDTLS_ECP_RESTARTABLE */
-
-#define ECP_RS_ENTER(sub) (void) rs_ctx;
-#define ECP_RS_LEAVE(sub) (void) rs_ctx;
-
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-#if defined(MBEDTLS_ECP_C)
-static void mpi_init_many(mbedtls_mpi *arr, size_t size)
-{
- while (size--) {
- mbedtls_mpi_init(arr++);
- }
-}
-
-static void mpi_free_many(mbedtls_mpi *arr, size_t size)
-{
- while (size--) {
- mbedtls_mpi_free(arr++);
- }
-}
-#endif /* MBEDTLS_ECP_C */
-
-/*
- * List of supported curves:
- * - internal ID
- * - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
- * - size in bits
- * - readable name
- *
- * Curves are listed in order: largest curves first, and for a given size,
- * fastest curves first.
- *
- * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
- */
-static const mbedtls_ecp_curve_info ecp_supported_curves[] =
-{
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
- { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
- { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
- { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
- { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
- { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
- { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
- { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
- { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
- { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- { MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" },
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" },
-#endif
- { MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
-};
-
-#define ECP_NB_CURVES sizeof(ecp_supported_curves) / \
- sizeof(ecp_supported_curves[0])
-
-static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
-
-/*
- * List of supported curves and associated info
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
-{
- return ecp_supported_curves;
-}
-
-/*
- * List of supported curves, group ID only
- */
-const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
-{
- static int init_done = 0;
-
- if (!init_done) {
- size_t i = 0;
- const mbedtls_ecp_curve_info *curve_info;
-
- for (curve_info = mbedtls_ecp_curve_list();
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- ecp_supported_grp_id[i++] = curve_info->grp_id;
- }
- ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
-
- init_done = 1;
- }
-
- return ecp_supported_grp_id;
-}
-
-/*
- * Get the curve info for the internal identifier
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
-{
- const mbedtls_ecp_curve_info *curve_info;
-
- for (curve_info = mbedtls_ecp_curve_list();
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- if (curve_info->grp_id == grp_id) {
- return curve_info;
- }
- }
-
- return NULL;
-}
-
-/*
- * Get the curve info from the TLS identifier
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
-{
- const mbedtls_ecp_curve_info *curve_info;
-
- for (curve_info = mbedtls_ecp_curve_list();
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- if (curve_info->tls_id == tls_id) {
- return curve_info;
- }
- }
-
- return NULL;
-}
-
-/*
- * Get the curve info from the name
- */
-const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
-{
- const mbedtls_ecp_curve_info *curve_info;
-
- if (name == NULL) {
- return NULL;
- }
-
- for (curve_info = mbedtls_ecp_curve_list();
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- if (strcmp(curve_info->name, name) == 0) {
- return curve_info;
- }
- }
-
- return NULL;
-}
-
-/*
- * Get the type of a curve
- */
-mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
-{
- if (grp->G.X.p == NULL) {
- return MBEDTLS_ECP_TYPE_NONE;
- }
-
- if (grp->G.Y.p == NULL) {
- return MBEDTLS_ECP_TYPE_MONTGOMERY;
- } else {
- return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
- }
-}
-
-/*
- * Initialize (the components of) a point
- */
-void mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
-{
- mbedtls_mpi_init(&pt->X);
- mbedtls_mpi_init(&pt->Y);
- mbedtls_mpi_init(&pt->Z);
-}
-
-/*
- * Initialize (the components of) a group
- */
-void mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
-{
- grp->id = MBEDTLS_ECP_DP_NONE;
- mbedtls_mpi_init(&grp->P);
- mbedtls_mpi_init(&grp->A);
- mbedtls_mpi_init(&grp->B);
- mbedtls_ecp_point_init(&grp->G);
- mbedtls_mpi_init(&grp->N);
- grp->pbits = 0;
- grp->nbits = 0;
- grp->h = 0;
- grp->modp = NULL;
- grp->t_pre = NULL;
- grp->t_post = NULL;
- grp->t_data = NULL;
- grp->T = NULL;
- grp->T_size = 0;
-}
-
-/*
- * Initialize (the components of) a key pair
- */
-void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
-{
- mbedtls_ecp_group_init(&key->grp);
- mbedtls_mpi_init(&key->d);
- mbedtls_ecp_point_init(&key->Q);
-}
-
-/*
- * Unallocate (the components of) a point
- */
-void mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
-{
- if (pt == NULL) {
- return;
- }
-
- mbedtls_mpi_free(&(pt->X));
- mbedtls_mpi_free(&(pt->Y));
- mbedtls_mpi_free(&(pt->Z));
-}
-
-/*
- * Check that the comb table (grp->T) is static initialized.
- */
-static int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
-{
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
- return grp->T != NULL && grp->T_size == 0;
-#else
- (void) grp;
- return 0;
-#endif
-}
-
-/*
- * Unallocate (the components of) a group
- */
-void mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
-{
- size_t i;
-
- if (grp == NULL) {
- return;
- }
-
- if (grp->h != 1) {
- mbedtls_mpi_free(&grp->A);
- mbedtls_mpi_free(&grp->B);
- mbedtls_ecp_point_free(&grp->G);
-
-#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
- mbedtls_mpi_free(&grp->N);
- mbedtls_mpi_free(&grp->P);
-#endif
- }
-
- if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
- for (i = 0; i < grp->T_size; i++) {
- mbedtls_ecp_point_free(&grp->T[i]);
- }
- mbedtls_free(grp->T);
- }
-
- mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
-}
-
-/*
- * Unallocate (the components of) a key pair
- */
-void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
-{
- if (key == NULL) {
- return;
- }
-
- mbedtls_ecp_group_free(&key->grp);
- mbedtls_mpi_free(&key->d);
- mbedtls_ecp_point_free(&key->Q);
-}
-
-/*
- * Copy the contents of a point
- */
-int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
-
-cleanup:
- return ret;
-}
-
-/*
- * Copy the contents of a group object
- */
-int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
-{
- return mbedtls_ecp_group_load(dst, src->id);
-}
-
-/*
- * Set point to zero
- */
-int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
-
-cleanup:
- return ret;
-}
-
-/*
- * Tell if a point is zero
- */
-int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
-{
- return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
-}
-
-/*
- * Compare two points lazily
- */
-int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
- const mbedtls_ecp_point *Q)
-{
- if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
- mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
- mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
- return 0;
- }
-
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-}
-
-/*
- * Import a non-zero point from ASCII strings
- */
-int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
- const char *x, const char *y)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
-
-cleanup:
- return ret;
-}
-
-/*
- * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
- */
-int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *P,
- int format, size_t *olen,
- unsigned char *buf, size_t buflen)
-{
- int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- size_t plen;
- if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
- format != MBEDTLS_ECP_PF_COMPRESSED) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- plen = mbedtls_mpi_size(&grp->P);
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- (void) format; /* Montgomery curves always use the same point format */
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- *olen = plen;
- if (buflen < *olen) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- /*
- * Common case: P == 0
- */
- if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
- if (buflen < 1) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- buf[0] = 0x00;
- *olen = 1;
-
- return 0;
- }
-
- if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
- *olen = 2 * plen + 1;
-
- if (buflen < *olen) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- buf[0] = 0x04;
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
- } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
- *olen = plen + 1;
-
- if (buflen < *olen) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
- }
- }
-#endif
-
-cleanup:
- return ret;
-}
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
- const mbedtls_mpi *X,
- mbedtls_mpi *Y,
- int parity_bit);
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-/*
- * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
- */
-int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *pt,
- const unsigned char *buf, size_t ilen)
-{
- int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- size_t plen;
- if (ilen < 1) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- plen = mbedtls_mpi_size(&grp->P);
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- if (plen != ilen) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
- mbedtls_mpi_free(&pt->Y);
-
- if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
- /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- if (buf[0] == 0x00) {
- if (ilen == 1) {
- return mbedtls_ecp_set_zero(pt);
- } else {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- }
-
- if (ilen < 1 + plen) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
-
- if (buf[0] == 0x04) {
- /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
- if (ilen != 1 + plen * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
- } else if (buf[0] == 0x02 || buf[0] == 0x03) {
- /* format == MBEDTLS_ECP_PF_COMPRESSED */
- if (ilen != 1 + plen) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
- (buf[0] & 1));
- } else {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- }
-#endif
-
-cleanup:
- return ret;
-}
-
-/*
- * Import a point from a TLS ECPoint record (RFC 4492)
- * struct {
- * opaque point <1..2^8-1>;
- * } ECPoint;
- */
-int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *pt,
- const unsigned char **buf, size_t buf_len)
-{
- unsigned char data_len;
- const unsigned char *buf_start;
- /*
- * We must have at least two bytes (1 for length, at least one for data)
- */
- if (buf_len < 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- data_len = *(*buf)++;
- if (data_len < 1 || data_len > buf_len - 1) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * Save buffer start for read_binary and update buf
- */
- buf_start = *buf;
- *buf += data_len;
-
- return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
-}
-
-/*
- * Export a point as a TLS ECPoint record (RFC 4492)
- * struct {
- * opaque point <1..2^8-1>;
- * } ECPoint;
- */
-int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
- int format, size_t *olen,
- unsigned char *buf, size_t blen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
- format != MBEDTLS_ECP_PF_COMPRESSED) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * buffer length must be at least one, for our length byte
- */
- if (blen < 1) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
- olen, buf + 1, blen - 1)) != 0) {
- return ret;
- }
-
- /*
- * write length to the first byte and update total length
- */
- buf[0] = (unsigned char) *olen;
- ++*olen;
-
- return 0;
-}
-
-/*
- * Set a group from an ECParameters record (RFC 4492)
- */
-int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
- const unsigned char **buf, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_group_id grp_id;
- if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
- return ret;
- }
-
- return mbedtls_ecp_group_load(grp, grp_id);
-}
-
-/*
- * Read a group id from an ECParameters record (RFC 4492) and convert it to
- * mbedtls_ecp_group_id.
- */
-int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
- const unsigned char **buf, size_t len)
-{
- uint16_t tls_id;
- const mbedtls_ecp_curve_info *curve_info;
- /*
- * We expect at least three bytes (see below)
- */
- if (len < 3) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * First byte is curve_type; only named_curve is handled
- */
- if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * Next two bytes are the namedcurve value
- */
- tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
- *buf += 2;
-
- if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-
- *grp = curve_info->grp_id;
-
- return 0;
-}
-
-/*
- * Write the ECParameters record corresponding to a group (RFC 4492)
- */
-int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
- unsigned char *buf, size_t blen)
-{
- const mbedtls_ecp_curve_info *curve_info;
- if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * We are going to write 3 bytes (see below)
- */
- *olen = 3;
- if (blen < *olen) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- /*
- * First byte is curve_type, always named_curve
- */
- *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
-
- /*
- * Next two bytes are the namedcurve value
- */
- MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
-
- return 0;
-}
-
-/*
- * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
- * See the documentation of struct mbedtls_ecp_group.
- *
- * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
- */
-static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (grp->modp == NULL) {
- return mbedtls_mpi_mod_mpi(N, N, &grp->P);
- }
-
- /* N->s < 0 is a much faster test, which fails only if N is 0 */
- if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
- mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- MBEDTLS_MPI_CHK(grp->modp(N));
-
- /* N->s < 0 is a much faster test, which fails only if N is 0 */
- while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
- }
-
- while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
- /* we known P, N and the result are positive */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Fast mod-p functions expect their argument to be in the 0..p^2 range.
- *
- * In order to guarantee that, we need to ensure that operands of
- * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
- * bring the result back to this range.
- *
- * The following macros are shortcuts for doing that.
- */
-
-/*
- * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
- */
-#if defined(MBEDTLS_SELF_TEST)
-#define INC_MUL_COUNT mul_count++;
-#else
-#define INC_MUL_COUNT
-#endif
-
-#define MOD_MUL(N) \
- do \
- { \
- MBEDTLS_MPI_CHK(ecp_modp(&(N), grp)); \
- INC_MUL_COUNT \
- } while (0)
-
-static inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- const mbedtls_mpi *A,
- const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
- MOD_MUL(*X);
-cleanup:
- return ret;
-}
-
-/*
- * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
- * N->s < 0 is a very fast test, which fails only if N is 0
- */
-#define MOD_SUB(N) \
- do { \
- while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P)); \
- } while (0)
-
-#if (defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
- !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
- defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
- defined(MBEDTLS_ECP_ADD_MIXED_ALT))) || \
- (defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) && \
- !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
- defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)))
-static inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- const mbedtls_mpi *A,
- const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
- MOD_SUB(X);
-cleanup:
- return ret;
-}
-#endif /* All functions referencing mbedtls_mpi_sub_mod() are alt-implemented without fallback */
-
-/*
- * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
- * We known P, N and the result are positive, so sub_abs is correct, and
- * a bit faster.
- */
-#define MOD_ADD(N) \
- while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
-
-static inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- const mbedtls_mpi *A,
- const mbedtls_mpi *B)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
- MOD_ADD(X);
-cleanup:
- return ret;
-}
-
-static inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- const mbedtls_mpi *A,
- mbedtls_mpi_uint c)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
- MOD_ADD(X);
-cleanup:
- return ret;
-}
-
-static inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- const mbedtls_mpi *A,
- mbedtls_mpi_uint c)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
- MOD_SUB(X);
-cleanup:
- return ret;
-}
-
-#define MPI_ECP_SUB_INT(X, A, c) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
- !(defined(MBEDTLS_ECP_NO_FALLBACK) && \
- defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
- defined(MBEDTLS_ECP_ADD_MIXED_ALT))
-static inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
- mbedtls_mpi *X,
- size_t count)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
- MOD_ADD(X);
-cleanup:
- return ret;
-}
-#endif \
- /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
-
-/*
- * Macro wrappers around ECP modular arithmetic
- *
- * Currently, these wrappers are defined via the bignum module.
- */
-
-#define MPI_ECP_ADD(X, A, B) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
-
-#define MPI_ECP_SUB(X, A, B) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
-
-#define MPI_ECP_MUL(X, A, B) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
-
-#define MPI_ECP_SQR(X, A) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
-
-#define MPI_ECP_MUL_INT(X, A, c) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
-
-#define MPI_ECP_INV(dst, src) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
-
-#define MPI_ECP_MOV(X, A) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
-
-#define MPI_ECP_SHIFT_L(X, count) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
-
-#define MPI_ECP_LSET(X, c) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
-
-#define MPI_ECP_CMP_INT(X, c) \
- mbedtls_mpi_cmp_int(X, c)
-
-#define MPI_ECP_CMP(X, Y) \
- mbedtls_mpi_cmp_mpi(X, Y)
-
-/* Needs f_rng, p_rng to be defined. */
-#define MPI_ECP_RAND(X) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
-
-/* Conditional negation
- * Needs grp and a temporary MPI tmp to be defined. */
-#define MPI_ECP_COND_NEG(X, cond) \
- do \
- { \
- unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0; \
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X))); \
- MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp, \
- nonzero & cond)); \
- } while (0)
-
-#define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
-
-#define MPI_ECP_VALID(X) \
- ((X)->p != NULL)
-
-#define MPI_ECP_COND_ASSIGN(X, Y, cond) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
-
-#define MPI_ECP_COND_SWAP(X, Y, cond) \
- MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-
-/*
- * Computes the right-hand side of the Short Weierstrass equation
- * RHS = X^3 + A X + B
- */
-static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
- mbedtls_mpi *rhs,
- const mbedtls_mpi *X)
-{
- int ret;
-
- /* Compute X^3 + A X + B as X (X^2 + A) + B */
- MPI_ECP_SQR(rhs, X);
-
- /* Special case for A = -3 */
- if (mbedtls_ecp_group_a_is_minus_3(grp)) {
- MPI_ECP_SUB_INT(rhs, rhs, 3);
- } else {
- MPI_ECP_ADD(rhs, rhs, &grp->A);
- }
-
- MPI_ECP_MUL(rhs, rhs, X);
- MPI_ECP_ADD(rhs, rhs, &grp->B);
-
-cleanup:
- return ret;
-}
-
-/*
- * Derive Y from X and a parity bit
- */
-static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
- const mbedtls_mpi *X,
- mbedtls_mpi *Y,
- int parity_bit)
-{
- /* w = y^2 = x^3 + ax + b
- * y = sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4)
- *
- * Note: this method for extracting square root does not validate that w
- * was indeed a square so this function will return garbage in Y if X
- * does not correspond to a point on the curve.
- */
-
- /* Check prerequisite p = 3 mod 4 */
- if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
- mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-
- int ret;
- mbedtls_mpi exp;
- mbedtls_mpi_init(&exp);
-
- /* use Y to store intermediate result, actually w above */
- MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
-
- /* w = y^2 */ /* Y contains y^2 intermediate result */
- /* exp = ((p+1)/4) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
- /* sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
-
- /* check parity bit match or else invert Y */
- /* This quick inversion implementation is valid because Y != 0 for all
- * Short Weierstrass curves supported by mbedtls, as each supported curve
- * has an order that is a large prime, so each supported curve does not
- * have any point of order 2, and a point with Y == 0 would be of order 2 */
- if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
- }
-
-cleanup:
-
- mbedtls_mpi_free(&exp);
- return ret;
-}
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-#if defined(MBEDTLS_ECP_C)
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-/*
- * For curves in short Weierstrass form, we do all the internal operations in
- * Jacobian coordinates.
- *
- * For multiplication, we'll use a comb method with countermeasures against
- * SPA, hence timing attacks.
- */
-
-/*
- * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1)
- * Cost: 1N := 1I + 3M + 1S
- */
-static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
-{
- if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
- return 0;
- }
-
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_normalize_jac(grp, pt);
- }
-#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi T;
- mbedtls_mpi_init(&T);
-
- MPI_ECP_INV(&T, &pt->Z); /* T <- 1 / Z */
- MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y' <- Y*T = Y / Z */
- MPI_ECP_SQR(&T, &T); /* T <- T^2 = 1 / Z^2 */
- MPI_ECP_MUL(&pt->X, &pt->X, &T); /* X <- X * T = X / Z^2 */
- MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y'' <- Y' * T = Y / Z^3 */
-
- MPI_ECP_LSET(&pt->Z, 1);
-
-cleanup:
-
- mbedtls_mpi_free(&T);
-
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
-}
-
-/*
- * Normalize jacobian coordinates of an array of (pointers to) points,
- * using Montgomery's trick to perform only one inversion mod P.
- * (See for example Cohen's "A Course in Computational Algebraic Number
- * Theory", Algorithm 10.3.4.)
- *
- * Warning: fails (returning an error) if one of the points is zero!
- * This should never happen, see choice of w in ecp_mul_comb().
- *
- * Cost: 1N(t) := 1I + (6t - 3)M + 1S
- */
-static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *T[], size_t T_size)
-{
- if (T_size < 2) {
- return ecp_normalize_jac(grp, *T);
- }
-
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size);
- }
-#endif
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi *c, t;
-
- if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
- return MBEDTLS_ERR_ECP_ALLOC_FAILED;
- }
-
- mbedtls_mpi_init(&t);
-
- mpi_init_many(c, T_size);
- /*
- * c[i] = Z_0 * ... * Z_i, i = 0,..,n := T_size-1
- */
- MPI_ECP_MOV(&c[0], &T[0]->Z);
- for (i = 1; i < T_size; i++) {
- MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
- }
-
- /*
- * c[n] = 1 / (Z_0 * ... * Z_n) mod P
- */
- MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
-
- for (i = T_size - 1;; i--) {
- /* At the start of iteration i (note that i decrements), we have
- * - c[j] = Z_0 * .... * Z_j for j < i,
- * - c[j] = 1 / (Z_0 * .... * Z_j) for j == i,
- *
- * This is maintained via
- * - c[i-1] <- c[i] * Z_i
- *
- * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
- * to do the actual normalization. For i==0, we already have
- * c[0] = 1 / Z_0.
- */
-
- if (i > 0) {
- /* Compute 1/Z_i and establish invariant for the next iteration. */
- MPI_ECP_MUL(&t, &c[i], &c[i-1]);
- MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
- } else {
- MPI_ECP_MOV(&t, &c[0]);
- }
-
- /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
- MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
- MPI_ECP_SQR(&t, &t);
- MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
- MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
-
- /*
- * Post-precessing: reclaim some memory by shrinking coordinates
- * - not storing Z (always 1)
- * - shrinking other coordinates, but still keeping the same number of
- * limbs as P, as otherwise it will too likely be regrown too fast.
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
-
- MPI_ECP_LSET(&T[i]->Z, 1);
-
- if (i == 0) {
- break;
- }
- }
-
-cleanup:
-
- mbedtls_mpi_free(&t);
- mpi_free_many(c, T_size);
- mbedtls_free(c);
-
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
-}
-
-/*
- * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
- * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
- */
-static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *Q,
- unsigned char inv)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi tmp;
- mbedtls_mpi_init(&tmp);
-
- MPI_ECP_COND_NEG(&Q->Y, inv);
-
-cleanup:
- mbedtls_mpi_free(&tmp);
- return ret;
-}
-
-/*
- * Point doubling R = 2 P, Jacobian coordinates
- *
- * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
- *
- * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
- * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
- *
- * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
- *
- * Cost: 1D := 3M + 4S (A == 0)
- * 4M + 4S (A == -3)
- * 3M + 6S + 1a otherwise
- */
-static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_ecp_point *P,
- mbedtls_mpi tmp[4])
-{
-#if defined(MBEDTLS_SELF_TEST)
- dbl_count++;
-#endif
-
-#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_double_jac(grp, R, P);
- }
-#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Special case for A = -3 */
- if (mbedtls_ecp_group_a_is_minus_3(grp)) {
- /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
- MPI_ECP_SQR(&tmp[1], &P->Z);
- MPI_ECP_ADD(&tmp[2], &P->X, &tmp[1]);
- MPI_ECP_SUB(&tmp[3], &P->X, &tmp[1]);
- MPI_ECP_MUL(&tmp[1], &tmp[2], &tmp[3]);
- MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
- } else {
- /* tmp[0] <- M = 3.X^2 + A.Z^4 */
- MPI_ECP_SQR(&tmp[1], &P->X);
- MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
-
- /* Optimize away for "koblitz" curves with A = 0 */
- if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
- /* M += A.Z^4 */
- MPI_ECP_SQR(&tmp[1], &P->Z);
- MPI_ECP_SQR(&tmp[2], &tmp[1]);
- MPI_ECP_MUL(&tmp[1], &tmp[2], &grp->A);
- MPI_ECP_ADD(&tmp[0], &tmp[0], &tmp[1]);
- }
- }
-
- /* tmp[1] <- S = 4.X.Y^2 */
- MPI_ECP_SQR(&tmp[2], &P->Y);
- MPI_ECP_SHIFT_L(&tmp[2], 1);
- MPI_ECP_MUL(&tmp[1], &P->X, &tmp[2]);
- MPI_ECP_SHIFT_L(&tmp[1], 1);
-
- /* tmp[3] <- U = 8.Y^4 */
- MPI_ECP_SQR(&tmp[3], &tmp[2]);
- MPI_ECP_SHIFT_L(&tmp[3], 1);
-
- /* tmp[2] <- T = M^2 - 2.S */
- MPI_ECP_SQR(&tmp[2], &tmp[0]);
- MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
- MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
-
- /* tmp[1] <- S = M(S - T) - U */
- MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[2]);
- MPI_ECP_MUL(&tmp[1], &tmp[1], &tmp[0]);
- MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[3]);
-
- /* tmp[3] <- U = 2.Y.Z */
- MPI_ECP_MUL(&tmp[3], &P->Y, &P->Z);
- MPI_ECP_SHIFT_L(&tmp[3], 1);
-
- /* Store results */
- MPI_ECP_MOV(&R->X, &tmp[2]);
- MPI_ECP_MOV(&R->Y, &tmp[1]);
- MPI_ECP_MOV(&R->Z, &tmp[3]);
-
-cleanup:
-
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
-}
-
-/*
- * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
- *
- * The coordinates of Q must be normalized (= affine),
- * but those of P don't need to. R is not normalized.
- *
- * P,Q,R may alias, but only at the level of EC points: they must be either
- * equal as pointers, or disjoint (including the coordinate data buffers).
- * Fine-grained aliasing at the level of coordinates is not supported.
- *
- * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
- * None of these cases can happen as intermediate step in ecp_mul_comb():
- * - at each step, P, Q and R are multiples of the base point, the factor
- * being less than its order, so none of them is zero;
- * - Q is an odd multiple of the base point, P an even multiple,
- * due to the choice of precomputed points in the modified comb method.
- * So branches for these cases do not leak secret information.
- *
- * Cost: 1A := 8M + 3S
- */
-static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
- mbedtls_mpi tmp[4])
-{
-#if defined(MBEDTLS_SELF_TEST)
- add_count++;
-#endif
-
-#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
- }
-#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* NOTE: Aliasing between input and output is allowed, so one has to make
- * sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
- * longer read from. */
- mbedtls_mpi * const X = &R->X;
- mbedtls_mpi * const Y = &R->Y;
- mbedtls_mpi * const Z = &R->Z;
-
- if (!MPI_ECP_VALID(&Q->Z)) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /*
- * Trivial cases: P == 0 or Q == 0 (case 1)
- */
- if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
- return mbedtls_ecp_copy(R, Q);
- }
-
- if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
- return mbedtls_ecp_copy(R, P);
- }
-
- /*
- * Make sure Q coordinates are normalized
- */
- if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- MPI_ECP_SQR(&tmp[0], &P->Z);
- MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
- MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
- MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
- MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
- MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
-
- /* Special cases (2) and (3) */
- if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
- if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
- ret = ecp_double_jac(grp, R, P, tmp);
- goto cleanup;
- } else {
- ret = mbedtls_ecp_set_zero(R);
- goto cleanup;
- }
- }
-
- /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
- MPI_ECP_MUL(Z, &P->Z, &tmp[0]);
- MPI_ECP_SQR(&tmp[2], &tmp[0]);
- MPI_ECP_MUL(&tmp[3], &tmp[2], &tmp[0]);
- MPI_ECP_MUL(&tmp[2], &tmp[2], &P->X);
-
- MPI_ECP_MOV(&tmp[0], &tmp[2]);
- MPI_ECP_SHIFT_L(&tmp[0], 1);
-
- /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
- MPI_ECP_SQR(X, &tmp[1]);
- MPI_ECP_SUB(X, X, &tmp[0]);
- MPI_ECP_SUB(X, X, &tmp[3]);
- MPI_ECP_SUB(&tmp[2], &tmp[2], X);
- MPI_ECP_MUL(&tmp[2], &tmp[2], &tmp[1]);
- MPI_ECP_MUL(&tmp[3], &tmp[3], &P->Y);
- /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
- MPI_ECP_SUB(Y, &tmp[2], &tmp[3]);
-
-cleanup:
-
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
-}
-
-/*
- * Randomize jacobian coordinates:
- * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
- * This is sort of the reverse operation of ecp_normalize_jac().
- *
- * This countermeasure was first suggested in [2].
- */
-static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
-#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
- }
-#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi l;
-
- mbedtls_mpi_init(&l);
-
- /* Generate l such that 1 < l < p */
- MPI_ECP_RAND(&l);
-
- /* Z' = l * Z */
- MPI_ECP_MUL(&pt->Z, &pt->Z, &l);
-
- /* Y' = l * Y */
- MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
-
- /* X' = l^2 * X */
- MPI_ECP_SQR(&l, &l);
- MPI_ECP_MUL(&pt->X, &pt->X, &l);
-
- /* Y'' = l^2 * Y' = l^3 * Y */
- MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
-
-cleanup:
- mbedtls_mpi_free(&l);
-
- if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
- }
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
-}
-
-/*
- * Check and define parameters used by the comb method (see below for details)
- */
-#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
-#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
-#endif
-
-/* d = ceil( n / w ) */
-#define COMB_MAX_D (MBEDTLS_ECP_MAX_BITS + 1) / 2
-
-/* number of precomputed points */
-#define COMB_MAX_PRE (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
-
-/*
- * Compute the representation of m that will be used with our comb method.
- *
- * The basic comb method is described in GECC 3.44 for example. We use a
- * modified version that provides resistance to SPA by avoiding zero
- * digits in the representation as in [3]. We modify the method further by
- * requiring that all K_i be odd, which has the small cost that our
- * representation uses one more K_i, due to carries, but saves on the size of
- * the precomputed table.
- *
- * Summary of the comb method and its modifications:
- *
- * - The goal is to compute m*P for some w*d-bit integer m.
- *
- * - The basic comb method splits m into the w-bit integers
- * x[0] .. x[d-1] where x[i] consists of the bits in m whose
- * index has residue i modulo d, and computes m * P as
- * S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
- * S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
- *
- * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
- * .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
- * thereby successively converting it into a form where all summands
- * are nonzero, at the cost of negative summands. This is the basic idea of [3].
- *
- * - More generally, even if x[i+1] != 0, we can first transform the sum as
- * .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
- * and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
- * Performing and iterating this procedure for those x[i] that are even
- * (keeping track of carry), we can transform the original sum into one of the form
- * S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
- * with all x'[i] odd. It is therefore only necessary to know S at odd indices,
- * which is why we are only computing half of it in the first place in
- * ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
- *
- * - For the sake of compactness, only the seven low-order bits of x[i]
- * are used to represent its absolute value (K_i in the paper), and the msb
- * of x[i] encodes the sign (s_i in the paper): it is set if and only if
- * if s_i == -1;
- *
- * Calling conventions:
- * - x is an array of size d + 1
- * - w is the size, ie number of teeth, of the comb, and must be between
- * 2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
- * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
- * (the result will be incorrect if these assumptions are not satisfied)
- */
-static void ecp_comb_recode_core(unsigned char x[], size_t d,
- unsigned char w, const mbedtls_mpi *m)
-{
- size_t i, j;
- unsigned char c, cc, adjust;
-
- memset(x, 0, d+1);
-
- /* First get the classical comb values (except for x_d = 0) */
- for (i = 0; i < d; i++) {
- for (j = 0; j < w; j++) {
- x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
- }
- }
-
- /* Now make sure x_1 .. x_d are odd */
- c = 0;
- for (i = 1; i <= d; i++) {
- /* Add carry and update it */
- cc = x[i] & c;
- x[i] = x[i] ^ c;
- c = cc;
-
- /* Adjust if needed, avoiding branches */
- adjust = 1 - (x[i] & 0x01);
- c |= x[i] & (x[i-1] * adjust);
- x[i] = x[i] ^ (x[i-1] * adjust);
- x[i-1] |= adjust << 7;
- }
-}
-
-/*
- * Precompute points for the adapted comb method
- *
- * Assumption: T must be able to hold 2^{w - 1} elements.
- *
- * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
- * sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
- *
- * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
- *
- * Note: Even comb values (those where P would be omitted from the
- * sum defining T[i] above) are not needed in our adaption
- * the comb method. See ecp_comb_recode_core().
- *
- * This function currently works in four steps:
- * (1) [dbl] Computation of intermediate T[i] for 2-power values of i
- * (2) [norm_dbl] Normalization of coordinates of these T[i]
- * (3) [add] Computation of all T[i]
- * (4) [norm_add] Normalization of all T[i]
- *
- * Step 1 can be interrupted but not the others; together with the final
- * coordinate normalization they are the largest steps done at once, depending
- * on the window size. Here are operation counts for P-256:
- *
- * step (2) (3) (4)
- * w = 5 142 165 208
- * w = 4 136 77 160
- * w = 3 130 33 136
- * w = 2 124 11 124
- *
- * So if ECC operations are blocking for too long even with a low max_ops
- * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
- * to minimize maximum blocking time.
- */
-static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
- unsigned char w, size_t d,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char i;
- size_t j = 0;
- const unsigned char T_size = 1U << (w - 1);
- mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
-
- mbedtls_mpi tmp[4];
-
- mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
- goto dbl;
- }
- if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
- goto norm_dbl;
- }
- if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
- goto add;
- }
- if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
- goto norm_add;
- }
- }
-#else
- (void) rs_ctx;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- rs_ctx->rsm->state = ecp_rsm_pre_dbl;
-
- /* initial state for the loop */
- rs_ctx->rsm->i = 0;
- }
-
-dbl:
-#endif
- /*
- * Set T[0] = P and
- * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
- */
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
- j = rs_ctx->rsm->i;
- } else
-#endif
- j = 0;
-
- for (; j < d * (w - 1); j++) {
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
-
- i = 1U << (j / d);
- cur = T + i;
-
- if (j % d == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
- }
-
- MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
- }
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
- }
-
-norm_dbl:
-#endif
- /*
- * Normalize current elements in T to allow them to be used in
- * ecp_add_mixed() below, which requires one normalized input.
- *
- * As T has holes, use an auxiliary array of pointers to elements in T.
- *
- */
- j = 0;
- for (i = 1; i < T_size; i <<= 1) {
- TT[j++] = T + i;
- }
-
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
-
- MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- rs_ctx->rsm->state = ecp_rsm_pre_add;
- }
-
-add:
-#endif
- /*
- * Compute the remaining ones using the minimal number of additions
- * Be careful to update T[2^l] only after using it!
- */
- MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
-
- for (i = 1; i < T_size; i <<= 1) {
- j = i;
- while (j--) {
- MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
- }
- }
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
- }
-
-norm_add:
-#endif
- /*
- * Normalize final elements in T. Even though there are no holes now, we
- * still need the auxiliary array for homogeneity with the previous
- * call. Also, skip T[0] which is already normalised, being a copy of P.
- */
- for (j = 0; j + 1 < T_size; j++) {
- TT[j] = T + j + 1;
- }
-
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
-
- MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
-
- /* Free Z coordinate (=1 after normalization) to save RAM.
- * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
- * since from this point onwards, they are only accessed indirectly
- * via the getter function ecp_select_comb() which does set the
- * target's Z coordinate to 1. */
- for (i = 0; i < T_size; i++) {
- mbedtls_mpi_free(&T[i].Z);
- }
-
-cleanup:
-
- mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
- ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
- rs_ctx->rsm->i = j;
- }
- }
-#endif
-
- return ret;
-}
-
-/*
- * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
- *
- * See ecp_comb_recode_core() for background
- */
-static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_ecp_point T[], unsigned char T_size,
- unsigned char i)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char ii, j;
-
- /* Ignore the "sign" bit and scale down */
- ii = (i & 0x7Fu) >> 1;
-
- /* Read the whole table to thwart cache-based timing attacks */
- for (j = 0; j < T_size; j++) {
- MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
- MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
- }
-
- /* Safely invert result if i is "negative" */
- MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
-
- MPI_ECP_LSET(&R->Z, 1);
-
-cleanup:
- return ret;
-}
-
-/*
- * Core multiplication algorithm for the (modified) comb method.
- * This part is actually common with the basic comb method (GECC 3.44)
- *
- * Cost: d A + d D + 1 R
- */
-static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_ecp_point T[], unsigned char T_size,
- const unsigned char x[], size_t d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point Txi;
- mbedtls_mpi tmp[4];
- size_t i;
-
- mbedtls_ecp_point_init(&Txi);
- mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
-#if !defined(MBEDTLS_ECP_RESTARTABLE)
- (void) rs_ctx;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
- rs_ctx->rsm->state != ecp_rsm_comb_core) {
- rs_ctx->rsm->i = 0;
- rs_ctx->rsm->state = ecp_rsm_comb_core;
- }
-
- /* new 'if' instead of nested for the sake of the 'else' branch */
- if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
- /* restore current index (R already pointing to rs_ctx->rsm->R) */
- i = rs_ctx->rsm->i;
- } else
-#endif
- {
- /* Start with a non-zero point and randomize its coordinates */
- i = d;
- MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
- if (f_rng != 0) {
- MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
- }
- }
-
- while (i != 0) {
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
- --i;
-
- MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
- MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
- MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
- }
-
-cleanup:
-
- mbedtls_ecp_point_free(&Txi);
- mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
- ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- rs_ctx->rsm->i = i;
- /* no need to save R, already pointing to rs_ctx->rsm->R */
- }
-#endif
-
- return ret;
-}
-
-/*
- * Recode the scalar to get constant-time comb multiplication
- *
- * As the actual scalar recoding needs an odd scalar as a starting point,
- * this wrapper ensures that by replacing m by N - m if necessary, and
- * informs the caller that the result of multiplication will be negated.
- *
- * This works because we only support large prime order for Short Weierstrass
- * curves, so N is always odd hence either m or N - m is.
- *
- * See ecp_comb_recode_core() for background.
- */
-static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
- const mbedtls_mpi *m,
- unsigned char k[COMB_MAX_D + 1],
- size_t d,
- unsigned char w,
- unsigned char *parity_trick)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi M, mm;
-
- mbedtls_mpi_init(&M);
- mbedtls_mpi_init(&mm);
-
- /* N is always odd (see above), just make extra sure */
- if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* do we need the parity trick? */
- *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
-
- /* execute parity fix in constant time */
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
- MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
-
- /* actual scalar recoding */
- ecp_comb_recode_core(k, d, w, &M);
-
-cleanup:
- mbedtls_mpi_free(&mm);
- mbedtls_mpi_free(&M);
-
- return ret;
-}
-
-/*
- * Perform comb multiplication (for short Weierstrass curves)
- * once the auxiliary table has been pre-computed.
- *
- * Scalar recoding may use a parity trick that makes us compute -m * P,
- * if that is the case we'll need to recover m * P at the end.
- */
-static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R,
- const mbedtls_mpi *m,
- const mbedtls_ecp_point *T,
- unsigned char T_size,
- unsigned char w,
- size_t d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char parity_trick;
- unsigned char k[COMB_MAX_D + 1];
- mbedtls_ecp_point *RR = R;
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- RR = &rs_ctx->rsm->R;
-
- if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
- goto final_norm;
- }
- }
-#endif
-
- MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
- &parity_trick));
- MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
- f_rng, p_rng, rs_ctx));
- MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- rs_ctx->rsm->state = ecp_rsm_final_norm;
- }
-
-final_norm:
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
-#endif
- /*
- * Knowledge of the jacobian coordinates may leak the last few bits of the
- * scalar [1], and since our MPI implementation isn't constant-flow,
- * inversion (used for coordinate normalization) may leak the full value
- * of its input via side-channels [2].
- *
- * [1] https://eprint.iacr.org/2003/191
- * [2] https://eprint.iacr.org/2020/055
- *
- * Avoid the leak by randomizing coordinates before we normalize them.
- */
- if (f_rng != 0) {
- MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
- }
-
- MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
- }
-#endif
-
-cleanup:
- return ret;
-}
-
-/*
- * Pick window size based on curve size and whether we optimize for base point
- */
-static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
- unsigned char p_eq_g)
-{
- unsigned char w;
-
- /*
- * Minimize the number of multiplications, that is minimize
- * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
- * (see costs of the various parts, with 1S = 1M)
- */
- w = grp->nbits >= 384 ? 5 : 4;
-
- /*
- * If P == G, pre-compute a bit more, since this may be re-used later.
- * Just adding one avoids upping the cost of the first mul too much,
- * and the memory cost too.
- */
- if (p_eq_g) {
- w++;
- }
-
- /*
- * If static comb table may not be used (!p_eq_g) or static comb table does
- * not exists, make sure w is within bounds.
- * (The last test is useful only for very small curves in the test suite.)
- *
- * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
- * static comb table, because the size of static comb table is fixed when
- * it is generated.
- */
-#if (MBEDTLS_ECP_WINDOW_SIZE < 6)
- if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
- w = MBEDTLS_ECP_WINDOW_SIZE;
- }
-#endif
- if (w >= grp->nbits) {
- w = 2;
- }
-
- return w;
-}
-
-/*
- * Multiplication using the comb method - for curves in short Weierstrass form
- *
- * This function is mainly responsible for administrative work:
- * - managing the restart context if enabled
- * - managing the table of precomputed points (passed between the below two
- * functions): allocation, computation, ownership transfer, freeing.
- *
- * It delegates the actual arithmetic work to:
- * ecp_precompute_comb() and ecp_mul_comb_with_precomp()
- *
- * See comments on ecp_comb_recode_core() regarding the computation strategy.
- */
-static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char w, p_eq_g, i;
- size_t d;
- unsigned char T_size = 0, T_ok = 0;
- mbedtls_ecp_point *T = NULL;
-
- ECP_RS_ENTER(rsm);
-
- /* Is P the base point ? */
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
- p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
- MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
-#else
- p_eq_g = 0;
-#endif
-
- /* Pick window size and deduce related sizes */
- w = ecp_pick_window_size(grp, p_eq_g);
- T_size = 1U << (w - 1);
- d = (grp->nbits + w - 1) / w;
-
- /* Pre-computed table: do we have it already for the base point? */
- if (p_eq_g && grp->T != NULL) {
- /* second pointer to the same table, will be deleted on exit */
- T = grp->T;
- T_ok = 1;
- } else
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- /* Pre-computed table: do we have one in progress? complete? */
- if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
- /* transfer ownership of T from rsm to local function */
- T = rs_ctx->rsm->T;
- rs_ctx->rsm->T = NULL;
- rs_ctx->rsm->T_size = 0;
-
- /* This effectively jumps to the call to mul_comb_after_precomp() */
- T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
- } else
-#endif
- /* Allocate table if we didn't have any */
- {
- T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
- if (T == NULL) {
- ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
- goto cleanup;
- }
-
- for (i = 0; i < T_size; i++) {
- mbedtls_ecp_point_init(&T[i]);
- }
-
- T_ok = 0;
- }
-
- /* Compute table (or finish computing it) if not done already */
- if (!T_ok) {
- MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
-
- if (p_eq_g) {
- /* almost transfer ownership of T to the group, but keep a copy of
- * the pointer to use for calling the next function more easily */
- grp->T = T;
- grp->T_size = T_size;
- }
- }
-
- /* Actual comb multiplication using precomputed points */
- MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
- T, T_size, w, d,
- f_rng, p_rng, rs_ctx));
-
-cleanup:
-
- /* does T belong to the group? */
- if (T == grp->T) {
- T = NULL;
- }
-
- /* does T belong to the restart context? */
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
- /* transfer ownership of T from local function to rsm */
- rs_ctx->rsm->T_size = T_size;
- rs_ctx->rsm->T = T;
- T = NULL;
- }
-#endif
-
- /* did T belong to us? then let's destroy it! */
- if (T != NULL) {
- for (i = 0; i < T_size; i++) {
- mbedtls_ecp_point_free(&T[i]);
- }
- mbedtls_free(T);
- }
-
- /* prevent caller from using invalid value */
- int should_free_R = (ret != 0);
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- /* don't free R while in progress in case R == P */
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- should_free_R = 0;
- }
-#endif
- if (should_free_R) {
- mbedtls_ecp_point_free(R);
- }
-
- ECP_RS_LEAVE(rsm);
-
- return ret;
-}
-
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
-/*
- * For Montgomery curves, we do all the internal arithmetic in projective
- * coordinates. Import/export of points uses only the x coordinates, which is
- * internally represented as X / Z.
- *
- * For scalar multiplication, we'll use a Montgomery ladder.
- */
-
-/*
- * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
- * Cost: 1M + 1I
- */
-static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
-{
-#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_normalize_mxz(grp, P);
- }
-#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MPI_ECP_INV(&P->Z, &P->Z);
- MPI_ECP_MUL(&P->X, &P->X, &P->Z);
- MPI_ECP_LSET(&P->Z, 1);
-
-cleanup:
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
-}
-
-/*
- * Randomize projective x/z coordinates:
- * (X, Z) -> (l X, l Z) for random l
- * This is sort of the reverse operation of ecp_normalize_mxz().
- *
- * This countermeasure was first suggested in [2].
- * Cost: 2M
- */
-static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
-#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
- }
-#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi l;
- mbedtls_mpi_init(&l);
-
- /* Generate l such that 1 < l < p */
- MPI_ECP_RAND(&l);
-
- MPI_ECP_MUL(&P->X, &P->X, &l);
- MPI_ECP_MUL(&P->Z, &P->Z, &l);
-
-cleanup:
- mbedtls_mpi_free(&l);
-
- if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
- }
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
-}
-
-/*
- * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
- * for Montgomery curves in x/z coordinates.
- *
- * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
- * with
- * d = X1
- * P = (X2, Z2)
- * Q = (X3, Z3)
- * R = (X4, Z4)
- * S = (X5, Z5)
- * and eliminating temporary variables tO, ..., t4.
- *
- * Cost: 5M + 4S
- */
-static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R, mbedtls_ecp_point *S,
- const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
- const mbedtls_mpi *d,
- mbedtls_mpi T[4])
-{
-#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
- if (mbedtls_internal_ecp_grp_capable(grp)) {
- return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
- }
-#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
-
-#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MPI_ECP_ADD(&T[0], &P->X, &P->Z); /* Pp := PX + PZ */
- MPI_ECP_SUB(&T[1], &P->X, &P->Z); /* Pm := PX - PZ */
- MPI_ECP_ADD(&T[2], &Q->X, &Q->Z); /* Qp := QX + XZ */
- MPI_ECP_SUB(&T[3], &Q->X, &Q->Z); /* Qm := QX - QZ */
- MPI_ECP_MUL(&T[3], &T[3], &T[0]); /* Qm * Pp */
- MPI_ECP_MUL(&T[2], &T[2], &T[1]); /* Qp * Pm */
- MPI_ECP_SQR(&T[0], &T[0]); /* Pp^2 */
- MPI_ECP_SQR(&T[1], &T[1]); /* Pm^2 */
- MPI_ECP_MUL(&R->X, &T[0], &T[1]); /* Pp^2 * Pm^2 */
- MPI_ECP_SUB(&T[0], &T[0], &T[1]); /* Pp^2 - Pm^2 */
- MPI_ECP_MUL(&R->Z, &grp->A, &T[0]); /* A * (Pp^2 - Pm^2) */
- MPI_ECP_ADD(&R->Z, &T[1], &R->Z); /* [ A * (Pp^2-Pm^2) ] + Pm^2 */
- MPI_ECP_ADD(&S->X, &T[3], &T[2]); /* Qm*Pp + Qp*Pm */
- MPI_ECP_SQR(&S->X, &S->X); /* (Qm*Pp + Qp*Pm)^2 */
- MPI_ECP_SUB(&S->Z, &T[3], &T[2]); /* Qm*Pp - Qp*Pm */
- MPI_ECP_SQR(&S->Z, &S->Z); /* (Qm*Pp - Qp*Pm)^2 */
- MPI_ECP_MUL(&S->Z, d, &S->Z); /* d * ( Qm*Pp - Qp*Pm )^2 */
- MPI_ECP_MUL(&R->Z, &T[0], &R->Z); /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
-
-cleanup:
-
- return ret;
-#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
-}
-
-/*
- * Multiplication with Montgomery ladder in x/z coordinates,
- * for curves in Montgomery form
- */
-static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- unsigned char b;
- mbedtls_ecp_point RP;
- mbedtls_mpi PX;
- mbedtls_mpi tmp[4];
- mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
-
- mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* Save PX and read from P before writing to R, in case P == R */
- MPI_ECP_MOV(&PX, &P->X);
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
-
- /* Set R to zero in modified x/z coordinates */
- MPI_ECP_LSET(&R->X, 1);
- MPI_ECP_LSET(&R->Z, 0);
- mbedtls_mpi_free(&R->Y);
-
- /* RP.X might be slightly larger than P, so reduce it */
- MOD_ADD(&RP.X);
-
- /* Randomize coordinates of the starting point */
- MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
-
- /* Loop invariant: R = result so far, RP = R + P */
- i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
- while (i-- > 0) {
- b = mbedtls_mpi_get_bit(m, i);
- /*
- * if (b) R = 2R + P else R = 2R,
- * which is:
- * if (b) double_add( RP, R, RP, R )
- * else double_add( R, RP, R, RP )
- * but using safe conditional swaps to avoid leaks
- */
- MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
- MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
- MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
- MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
- MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
- }
-
- /*
- * Knowledge of the projective coordinates may leak the last few bits of the
- * scalar [1], and since our MPI implementation isn't constant-flow,
- * inversion (used for coordinate normalization) may leak the full value
- * of its input via side-channels [2].
- *
- * [1] https://eprint.iacr.org/2003/191
- * [2] https://eprint.iacr.org/2020/055
- *
- * Avoid the leak by randomizing coordinates before we normalize them.
- */
- MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
- MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
-
-cleanup:
- mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
-
- mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
- return ret;
-}
-
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-/*
- * Restartable multiplication R = m * P
- *
- * This internal function can be called without an RNG in case where we know
- * the inputs are not sensitive.
- */
-static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- char is_grp_capable = 0;
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- /* reset ops count for this call if top-level */
- if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
- rs_ctx->ops_done = 0;
- }
-#else
- (void) rs_ctx;
-#endif
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
- MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
- }
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-
- int restarting = 0;
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
-#endif
- /* skip argument check when restarting */
- if (!restarting) {
- /* check_privkey is free */
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
-
- /* Common sanity checks */
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
- }
-
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
- }
-#endif
-
-cleanup:
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- if (is_grp_capable) {
- mbedtls_internal_ecp_free(grp);
- }
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL) {
- rs_ctx->depth--;
- }
-#endif
-
- return ret;
-}
-
-/*
- * Restartable multiplication R = m * P
- */
-int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- if (f_rng == NULL) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
-}
-
-/*
- * Multiplication R = m * P
- */
-int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
-}
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-/*
- * Check that an affine point is valid as a public key,
- * short weierstrass curves (SEC1 3.2.3.1)
- */
-static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi YY, RHS;
-
- /* pt coordinates must be normalized for our checks */
- if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
- mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
- mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
- mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
-
- /*
- * YY = Y^2
- * RHS = X^3 + A X + B
- */
- MPI_ECP_SQR(&YY, &pt->Y);
- MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
-
- if (MPI_ECP_CMP(&YY, &RHS) != 0) {
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
-cleanup:
-
- mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-#if defined(MBEDTLS_ECP_C)
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-/*
- * R = m * P with shortcuts for m == 0, m == 1 and m == -1
- * NOT constant-time - ONLY for short Weierstrass!
- */
-static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R,
- const mbedtls_mpi *m,
- const mbedtls_ecp_point *P,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi tmp;
- mbedtls_mpi_init(&tmp);
-
- if (mbedtls_mpi_cmp_int(m, 0) == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
- MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
- } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
- } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
- MPI_ECP_NEG(&R->Y);
- } else {
- MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
- NULL, NULL, rs_ctx));
- }
-
-cleanup:
- mbedtls_mpi_free(&tmp);
-
- return ret;
-}
-
-/*
- * Restartable linear combination
- * NOT constant-time
- */
-int mbedtls_ecp_muladd_restartable(
- mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
- mbedtls_ecp_restart_ctx *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point mP;
- mbedtls_ecp_point *pmP = &mP;
- mbedtls_ecp_point *pR = R;
- mbedtls_mpi tmp[4];
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- char is_grp_capable = 0;
-#endif
- if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-
- mbedtls_ecp_point_init(&mP);
- mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
- ECP_RS_ENTER(ma);
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ma != NULL) {
- /* redirect intermediate results to restart context */
- pmP = &rs_ctx->ma->mP;
- pR = &rs_ctx->ma->R;
-
- /* jump to next operation */
- if (rs_ctx->ma->state == ecp_rsma_mul2) {
- goto mul2;
- }
- if (rs_ctx->ma->state == ecp_rsma_add) {
- goto add;
- }
- if (rs_ctx->ma->state == ecp_rsma_norm) {
- goto norm;
- }
- }
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ma != NULL) {
- rs_ctx->ma->state = ecp_rsma_mul2;
- }
-
-mul2:
-#endif
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR, n, Q, rs_ctx));
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
- MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
- }
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ma != NULL) {
- rs_ctx->ma->state = ecp_rsma_add;
- }
-
-add:
-#endif
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
- MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ma != NULL) {
- rs_ctx->ma->state = ecp_rsma_norm;
- }
-
-norm:
-#endif
- MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
- MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- if (rs_ctx != NULL && rs_ctx->ma != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
- }
-#endif
-
-cleanup:
-
- mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
- if (is_grp_capable) {
- mbedtls_internal_ecp_free(grp);
- }
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-
- mbedtls_ecp_point_free(&mP);
-
- ECP_RS_LEAVE(ma);
-
- return ret;
-}
-
-/*
- * Linear combination
- * NOT constant-time
- */
-int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
- const mbedtls_mpi *m, const mbedtls_ecp_point *P,
- const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
-{
- return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
-}
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
-#define ECP_MPI_INIT_ARRAY(x) \
- ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
-/*
- * Constants for the two points other than 0, 1, -1 (mod p) in
- * https://cr.yp.to/ecdh.html#validate
- * See ecp_check_pubkey_x25519().
- */
-static const mbedtls_mpi_uint x25519_bad_point_1[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
- MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
-};
-static const mbedtls_mpi_uint x25519_bad_point_2[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
-};
-static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
- x25519_bad_point_1);
-static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
- x25519_bad_point_2);
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-/*
- * Check that the input point is not one of the low-order points.
- * This is recommended by the "May the Fourth" paper:
- * https://eprint.iacr.org/2017/806.pdf
- * Those points are never sent by an honest peer.
- */
-static int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
- const mbedtls_ecp_group_id grp_id)
-{
- int ret;
- mbedtls_mpi XmP;
-
- mbedtls_mpi_init(&XmP);
-
- /* Reduce X mod P so that we only need to check values less than P.
- * We know X < 2^256 so we can proceed by subtraction. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
- while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
- }
-
- /* Check against the known bad values that are less than P. For Curve448
- * these are 0, 1 and -1. For Curve25519 we check the values less than P
- * from the following list: https://cr.yp.to/ecdh.html#validate */
- if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) { /* takes care of 0 and 1 */
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- goto cleanup;
- }
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
- if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- goto cleanup;
- }
-
- if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- goto cleanup;
- }
- }
-#else
- (void) grp_id;
-#endif
-
- /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
- if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
- ret = MBEDTLS_ERR_ECP_INVALID_KEY;
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- mbedtls_mpi_free(&XmP);
-
- return ret;
-}
-
-/*
- * Check validity of a public key for Montgomery curves with x-only schemes
- */
-static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
-{
- /* [Curve25519 p. 5] Just check X is the correct number of bytes */
- /* Allow any public value, if it's too big then we'll just reduce it mod p
- * (RFC 7748 sec. 5 para. 3). */
- if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- /* Implicit in all standards (as they don't consider negative numbers):
- * X must be non-negative. This is normally ensured by the way it's
- * encoded for transmission, but let's be extra sure. */
- if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
-}
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-/*
- * Check that a point is valid as a public key
- */
-int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *pt)
-{
- /* Must use affine coordinates */
- if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- return ecp_check_pubkey_mx(grp, pt);
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- return ecp_check_pubkey_sw(grp, pt);
- }
-#endif
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-}
-
-/*
- * Check that an mbedtls_mpi is valid as a private key
- */
-int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
- const mbedtls_mpi *d)
-{
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- /* see RFC 7748 sec. 5 para. 5 */
- if (mbedtls_mpi_get_bit(d, 0) != 0 ||
- mbedtls_mpi_get_bit(d, 1) != 0 ||
- mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- /* see [Curve25519] page 5 */
- if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- return 0;
- }
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- /* see SEC1 3.2 */
- if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
- mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- } else {
- return 0;
- }
- }
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-}
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
- mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- size_t n_random_bytes = high_bit / 8 + 1;
-
- /* [Curve25519] page 5 */
- /* Generate a (high_bit+1)-bit random number by generating just enough
- * random bytes, then shifting out extra bits from the top (necessary
- * when (high_bit+1) is not a multiple of 8). */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
- f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
-
- /* Make sure the last two bits are unset for Curve448, three bits for
- Curve25519 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
- if (high_bit == 254) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
- }
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-static int mbedtls_ecp_gen_privkey_sw(
- const mbedtls_mpi *N, mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
- switch (ret) {
- case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
- return MBEDTLS_ERR_ECP_RANDOM_FAILED;
- default:
- return ret;
- }
-}
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-/*
- * Generate a private key
- */
-int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
- mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
- }
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
- }
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-}
-
-#if defined(MBEDTLS_ECP_C)
-/*
- * Generate a keypair with configurable base point
- */
-int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *G,
- mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
-
-cleanup:
- return ret;
-}
-
-/*
- * Generate key pair, wrapper for conventional base point
- */
-int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
- mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
-}
-
-/*
- * Generate a keypair, prettier wrapper
- */
-int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
- return ret;
- }
-
- return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
-}
-#endif /* MBEDTLS_ECP_C */
-
-#define ECP_CURVE25519_KEY_SIZE 32
-#define ECP_CURVE448_KEY_SIZE 56
-/*
- * Read a private key.
- */
-int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
- const unsigned char *buf, size_t buflen)
-{
- int ret = 0;
-
- if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
- return ret;
- }
-
- ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- /*
- * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
- */
- if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
- if (buflen != ECP_CURVE25519_KEY_SIZE) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
-
- /* Set the three least significant bits to 0 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
-
- /* Set the most significant bit to 0 */
- MBEDTLS_MPI_CHK(
- mbedtls_mpi_set_bit(&key->d,
- ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
- );
-
- /* Set the second most significant bit to 1 */
- MBEDTLS_MPI_CHK(
- mbedtls_mpi_set_bit(&key->d,
- ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
- );
- } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
- if (buflen != ECP_CURVE448_KEY_SIZE) {
- return MBEDTLS_ERR_ECP_INVALID_KEY;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
-
- /* Set the two least significant bits to 0 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
-
- /* Set the most significant bit to 1 */
- MBEDTLS_MPI_CHK(
- mbedtls_mpi_set_bit(&key->d,
- ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
- );
- }
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
- }
-#endif
-
- if (ret == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
- }
-
-cleanup:
-
- if (ret != 0) {
- mbedtls_mpi_free(&key->d);
- }
-
- return ret;
-}
-
-/*
- * Write a private key.
- */
-int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
- unsigned char *buf, size_t buflen)
-{
- int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
- if (buflen < ECP_CURVE25519_KEY_SIZE) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
-
- } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
- if (buflen < ECP_CURVE448_KEY_SIZE) {
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- }
- }
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
- }
-#endif
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
- }
-
-#endif
-cleanup:
-
- return ret;
-}
-
-#if defined(MBEDTLS_ECP_C)
-/*
- * Check a public-private key pair
- */
-int mbedtls_ecp_check_pub_priv(
- const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_point Q;
- mbedtls_ecp_group grp;
- if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
- pub->grp.id != prv->grp.id ||
- mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
- mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
- mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- mbedtls_ecp_point_init(&Q);
- mbedtls_ecp_group_init(&grp);
-
- /* mbedtls_ecp_mul() needs a non-const group... */
- mbedtls_ecp_group_copy(&grp, &prv->grp);
-
- /* Also checks d is valid */
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
-
- if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
- mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
- mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
-
-cleanup:
- mbedtls_ecp_point_free(&Q);
- mbedtls_ecp_group_free(&grp);
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_C */
-
-/*
- * Export generic key-pair parameters.
- */
-int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
- mbedtls_mpi *d, mbedtls_ecp_point *Q)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if defined(MBEDTLS_ECP_C)
-/*
- * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
- *
- * This is the linear congruential generator from numerical recipes,
- * except we only use the low byte as the output. See
- * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
- */
-static int self_test_rng(void *ctx, unsigned char *out, size_t len)
-{
- static uint32_t state = 42;
-
- (void) ctx;
-
- for (size_t i = 0; i < len; i++) {
- state = state * 1664525u + 1013904223u;
- out[i] = (unsigned char) state;
- }
-
- return 0;
-}
-
-/* Adjust the exponent to be a valid private point for the specified curve.
- * This is sometimes necessary because we use a single set of exponents
- * for all curves but the validity of values depends on the curve. */
-static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
- mbedtls_mpi *m)
-{
- int ret = 0;
- switch (grp->id) {
- /* If Curve25519 is available, then that's what we use for the
- * Montgomery test, so we don't need the adjustment code. */
-#if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- case MBEDTLS_ECP_DP_CURVE448:
- /* Move highest bit from 254 to N-1. Setting bit N-1 is
- * necessary to enforce the highest-bit-set constraint. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
- /* Copy second-highest bit from 253 to N-2. This is not
- * necessary but improves the test variety a bit. */
- MBEDTLS_MPI_CHK(
- mbedtls_mpi_set_bit(m, grp->nbits - 1,
- mbedtls_mpi_get_bit(m, 253)));
- break;
-#endif
-#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
- default:
- /* Non-Montgomery curves and Curve25519 need no adjustment. */
- (void) grp;
- (void) m;
- goto cleanup;
- }
-cleanup:
- return ret;
-}
-
-/* Calculate R = m.P for each m in exponents. Check that the number of
- * basic operations doesn't depend on the value of m. */
-static int self_test_point(int verbose,
- mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R,
- mbedtls_mpi *m,
- const mbedtls_ecp_point *P,
- const char *const *exponents,
- size_t n_exponents)
-{
- int ret = 0;
- size_t i = 0;
- unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
- MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
-
- for (i = 1; i < n_exponents; i++) {
- add_c_prev = add_count;
- dbl_c_prev = dbl_count;
- mul_c_prev = mul_count;
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
- MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
-
- if (add_count != add_c_prev ||
- dbl_count != dbl_c_prev ||
- mul_count != mul_c_prev) {
- ret = 1;
- break;
- }
- }
-
-cleanup:
- if (verbose != 0) {
- if (ret != 0) {
- mbedtls_printf("failed (%u)\n", (unsigned int) i);
- } else {
- mbedtls_printf("passed\n");
- }
- }
- return ret;
-}
-#endif /* MBEDTLS_ECP_C */
-
-/*
- * Checkup routine
- */
-int mbedtls_ecp_self_test(int verbose)
-{
-#if defined(MBEDTLS_ECP_C)
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_group grp;
- mbedtls_ecp_point R, P;
- mbedtls_mpi m;
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- /* Exponents especially adapted for secp192k1, which has the lowest
- * order n of all supported curves (secp192r1 is in a slightly larger
- * field but the order of its base point is slightly smaller). */
- const char *sw_exponents[] =
- {
- "000000000000000000000000000000000000000000000001", /* one */
- "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
- "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
- "400000000000000000000000000000000000000000000000", /* one and zeros */
- "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
- "555555555555555555555555555555555555555555555555", /* 101010... */
- };
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- const char *m_exponents[] =
- {
- /* Valid private values for Curve25519. In a build with Curve448
- * but not Curve25519, they will be adjusted in
- * self_test_adjust_exponent(). */
- "4000000000000000000000000000000000000000000000000000000000000000",
- "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
- "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
- "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
- "5555555555555555555555555555555555555555555555555555555555555550",
- "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
- };
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
- mbedtls_ecp_group_init(&grp);
- mbedtls_ecp_point_init(&R);
- mbedtls_ecp_point_init(&P);
- mbedtls_mpi_init(&m);
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
- /* Use secp192r1 if available, or any available curve */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
-#else
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
-#endif
-
- if (verbose != 0) {
- mbedtls_printf(" ECP SW test #1 (constant op_count, base point G): ");
- }
- /* Do a dummy multiplication first to trigger precomputation */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
- MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
- ret = self_test_point(verbose,
- &grp, &R, &m, &grp.G,
- sw_exponents,
- sizeof(sw_exponents) / sizeof(sw_exponents[0]));
- if (ret != 0) {
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf(" ECP SW test #2 (constant op_count, other point): ");
- }
- /* We computed P = 2G last time, use it */
- ret = self_test_point(verbose,
- &grp, &R, &m, &P,
- sw_exponents,
- sizeof(sw_exponents) / sizeof(sw_exponents[0]));
- if (ret != 0) {
- goto cleanup;
- }
-
- mbedtls_ecp_group_free(&grp);
- mbedtls_ecp_point_free(&R);
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
- if (verbose != 0) {
- mbedtls_printf(" ECP Montgomery test (constant op_count): ");
- }
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
-#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
-#else
-#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
-#endif
- ret = self_test_point(verbose,
- &grp, &R, &m, &grp.G,
- m_exponents,
- sizeof(m_exponents) / sizeof(m_exponents[0]));
- if (ret != 0) {
- goto cleanup;
- }
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-cleanup:
-
- if (ret < 0 && verbose != 0) {
- mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
- }
-
- mbedtls_ecp_group_free(&grp);
- mbedtls_ecp_point_free(&R);
- mbedtls_ecp_point_free(&P);
- mbedtls_mpi_free(&m);
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return ret;
-#else /* MBEDTLS_ECP_C */
- (void) verbose;
- return 0;
-#endif /* MBEDTLS_ECP_C */
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* !MBEDTLS_ECP_ALT */
-
-#endif /* MBEDTLS_ECP_LIGHT */
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
deleted file mode 100644
index 7b850e5..0000000
--- a/library/ecp_curves.c
+++ /dev/null
@@ -1,5479 +0,0 @@
-/*
- * Elliptic curves over GF(p): curve-specific data and functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
-
-#if defined(MBEDTLS_ECP_LIGHT)
-
-#include "mbedtls/ecp.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include "bn_mul.h"
-#include "bignum_core.h"
-#include "ecp_invasive.h"
-
-#include <string.h>
-
-#if !defined(MBEDTLS_ECP_ALT)
-
-/* Parameter validation macros based on platform_util.h */
-#define ECP_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
-#define ECP_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
-#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
-
-#define ECP_MPI_INIT_ARRAY(x) \
- ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
-
-#define ECP_POINT_INIT_XY_Z0(x, y) { \
- ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
-#define ECP_POINT_INIT_XY_Z1(x, y) { \
- ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-/* For these curves, we build the group parameters dynamically. */
-#define ECP_LOAD_GROUP
-static mbedtls_mpi_uint mpi_one[] = { 1 };
-#endif
-
-/*
- * Note: the constants are in little-endian order
- * to be directly usable in MPIs
- */
-
-/*
- * Domain parameters for secp192r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-static const mbedtls_mpi_uint secp192r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp192r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
-};
-static const mbedtls_mpi_uint secp192r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
-};
-static const mbedtls_mpi_uint secp192r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
-};
-static const mbedtls_mpi_uint secp192r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
-};
-static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
-};
-static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
-};
-static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
-};
-static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
-};
-static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
-};
-static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
-};
-static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
-};
-static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
-};
-static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
-};
-static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
-};
-static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
-};
-static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
-};
-static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
-};
-static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
-};
-static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
-};
-static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
-};
-static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
-};
-static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
-};
-static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
-};
-static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
-};
-static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
-};
-static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
-};
-static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
-};
-static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
-};
-static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
-};
-static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
-};
-static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
-};
-static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
-};
-static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
-};
-static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
-};
-static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
-};
-static const mbedtls_ecp_point secp192r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
-};
-#else
-#define secp192r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-/*
- * Domain parameters for secp224r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-static const mbedtls_mpi_uint secp224r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
-};
-static const mbedtls_mpi_uint secp224r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
-};
-static const mbedtls_mpi_uint secp224r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
-};
-static const mbedtls_mpi_uint secp224r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp224r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
-};
-#else
-#define secp224r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-/*
- * Domain parameters for secp256r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-static const mbedtls_mpi_uint secp256r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp256r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
-};
-static const mbedtls_mpi_uint secp256r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
-};
-static const mbedtls_mpi_uint secp256r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
-};
-static const mbedtls_mpi_uint secp256r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
-};
-static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
-};
-static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
-};
-static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
-};
-static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
-};
-static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
-};
-static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
-};
-static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
-};
-static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
-};
-static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
-};
-static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
-};
-static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
-};
-static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
-};
-static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
-};
-static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
-};
-static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
-};
-static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
-};
-static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
-};
-static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
-};
-static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
-};
-static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
-};
-static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
-};
-static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
-};
-static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
-};
-static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
-};
-static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
-};
-static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
-};
-static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
-};
-static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
-};
-static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
-};
-static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
-};
-static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
-};
-static const mbedtls_ecp_point secp256r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
-};
-#else
-#define secp256r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-/*
- * Domain parameters for secp384r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-static const mbedtls_mpi_uint secp384r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp384r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
-};
-static const mbedtls_mpi_uint secp384r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
-};
-static const mbedtls_mpi_uint secp384r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
-};
-static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
-};
-static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
-};
-static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
-};
-static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
-};
-static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
-};
-static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
-};
-static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
-};
-static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
-};
-static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
-};
-static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
-};
-static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
-};
-static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
-};
-static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
-};
-static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
-};
-static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
-};
-static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
-};
-static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
-};
-static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
-};
-static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
-};
-static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
-};
-static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
-};
-static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
-};
-static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
-};
-static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
-};
-static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
-};
-static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
-};
-static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
-};
-static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
-};
-static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
-};
-static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
-};
-static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
-};
-static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
-};
-static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
-};
-static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
-};
-static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
-};
-static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
-};
-static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
-};
-static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
-};
-static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
-};
-static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
-};
-static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
-};
-static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
-};
-static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
-};
-static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
-};
-static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
-};
-static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
-};
-static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
-};
-static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
-};
-static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
-};
-static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
-};
-static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
-};
-static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
-};
-static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
-};
-static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
-};
-static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
-};
-static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
-};
-static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
-};
-static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
-};
-static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
-};
-static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
-};
-static const mbedtls_ecp_point secp384r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
-};
-#else
-#define secp384r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-/*
- * Domain parameters for secp521r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-static const mbedtls_mpi_uint secp521r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
-};
-static const mbedtls_mpi_uint secp521r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
-};
-static const mbedtls_mpi_uint secp521r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp521r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
-};
-#else
-#define secp521r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-static const mbedtls_mpi_uint secp192k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp192k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp192k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
-};
-static const mbedtls_mpi_uint secp192k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
-};
-static const mbedtls_mpi_uint secp192k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
-};
-static const mbedtls_mpi_uint secp192k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
-};
-static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
-};
-static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
-};
-static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
-};
-static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
-};
-static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
-};
-static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
-};
-static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
-};
-static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
-};
-static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
-};
-static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
-};
-static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
-};
-static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
-};
-static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
-};
-static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
-};
-static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
-};
-static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
-};
-static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
-};
-static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
-};
-static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
-};
-static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
-};
-static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
-};
-static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
-};
-static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
-};
-static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
-};
-static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
-};
-static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
-};
-static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
-};
-static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
-};
-static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
-};
-static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
-};
-static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
-};
-static const mbedtls_ecp_point secp192k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
-};
-#else
-#define secp192k1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-static const mbedtls_mpi_uint secp224k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp224k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
-};
-static const mbedtls_mpi_uint secp224k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
-};
-static const mbedtls_mpi_uint secp224k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp224k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
-};
-#else
-#define secp224k1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-static const mbedtls_mpi_uint secp256k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp256k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp256k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
-};
-static const mbedtls_mpi_uint secp256k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
-};
-static const mbedtls_mpi_uint secp256k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
-};
-static const mbedtls_mpi_uint secp256k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
-};
-static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
-};
-static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
-};
-static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
-};
-static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
-};
-static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
-};
-static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
-};
-static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
-};
-static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
-};
-static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
-};
-static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
-};
-static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
-};
-static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
-};
-static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
-};
-static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
-};
-static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
-};
-static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
-};
-static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
-};
-static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
-};
-static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
-};
-static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
-};
-static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
-};
-static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
-};
-static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
-};
-static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
-};
-static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
-};
-static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
-};
-static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
-};
-static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
-};
-static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
-};
-static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
-};
-static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
-};
-static const mbedtls_ecp_point secp256k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
-};
-#else
-#define secp256k1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
- */
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
-};
-static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
-};
-#else
-#define brainpoolP256r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
- */
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
-};
-static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
-};
-#else
-#define brainpoolP384r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
- */
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
-};
-static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
-};
-#else
-#define brainpoolP512r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-
-#if defined(ECP_LOAD_GROUP)
-/*
- * Create an MPI from embedded constants
- * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
- */
-static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
-{
- X->s = 1;
- X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
- X->p = (mbedtls_mpi_uint *) p;
-}
-
-/*
- * Set an MPI to static value 1
- */
-static inline void ecp_mpi_set1(mbedtls_mpi *X)
-{
- X->s = 1;
- X->n = 1;
- X->p = mpi_one;
-}
-
-/*
- * Make group available from embedded constants
- */
-static int ecp_group_load(mbedtls_ecp_group *grp,
- const mbedtls_mpi_uint *p, size_t plen,
- const mbedtls_mpi_uint *a, size_t alen,
- const mbedtls_mpi_uint *b, size_t blen,
- const mbedtls_mpi_uint *gx, size_t gxlen,
- const mbedtls_mpi_uint *gy, size_t gylen,
- const mbedtls_mpi_uint *n, size_t nlen,
- const mbedtls_ecp_point *T)
-{
- ecp_mpi_load(&grp->P, p, plen);
- if (a != NULL) {
- ecp_mpi_load(&grp->A, a, alen);
- }
- ecp_mpi_load(&grp->B, b, blen);
- ecp_mpi_load(&grp->N, n, nlen);
-
- ecp_mpi_load(&grp->G.X, gx, gxlen);
- ecp_mpi_load(&grp->G.Y, gy, gylen);
- ecp_mpi_set1(&grp->G.Z);
-
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
- grp->nbits = mbedtls_mpi_bitlen(&grp->N);
-
- grp->h = 1;
-
- grp->T = (mbedtls_ecp_point *) T;
- /*
- * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
- */
- grp->T_size = 0;
-
- return 0;
-}
-#endif /* ECP_LOAD_GROUP */
-
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
-/* Forward declarations */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-static int ecp_mod_p192(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-static int ecp_mod_p224(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-static int ecp_mod_p256(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-static int ecp_mod_p384(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-static int ecp_mod_p521(mbedtls_mpi *);
-#endif
-
-#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
-#else
-#define NIST_MODP(P)
-#endif /* MBEDTLS_ECP_NIST_OPTIM */
-
-/* Additional forward declarations */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-static int ecp_mod_p255(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-static int ecp_mod_p448(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-static int ecp_mod_p192k1(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-static int ecp_mod_p224k1(mbedtls_mpi *);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-static int ecp_mod_p256k1(mbedtls_mpi *);
-#endif
-
-#if defined(ECP_LOAD_GROUP)
-#define LOAD_GROUP_A(G) ecp_group_load(grp, \
- G ## _p, sizeof(G ## _p), \
- G ## _a, sizeof(G ## _a), \
- G ## _b, sizeof(G ## _b), \
- G ## _gx, sizeof(G ## _gx), \
- G ## _gy, sizeof(G ## _gy), \
- G ## _n, sizeof(G ## _n), \
- G ## _T \
- )
-
-#define LOAD_GROUP(G) ecp_group_load(grp, \
- G ## _p, sizeof(G ## _p), \
- NULL, 0, \
- G ## _b, sizeof(G ## _b), \
- G ## _gx, sizeof(G ## _gx), \
- G ## _gy, sizeof(G ## _gy), \
- G ## _n, sizeof(G ## _n), \
- G ## _T \
- )
-#endif /* ECP_LOAD_GROUP */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-/* Constants used by ecp_use_curve25519() */
-static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
-static const unsigned char curve25519_part_of_n[] = {
- 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
- 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
-};
-
-/*
- * Specialized function for creating the Curve25519 group
- */
-static int ecp_use_curve25519(mbedtls_ecp_group *grp)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
-
- /* P = 2^255 - 19 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19));
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
-
- /* N = 2^252 + 27742317777372353535851937790883648493 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N,
- curve25519_part_of_n, sizeof(curve25519_part_of_n)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1));
-
- /* Y intentionally not set, since we use x/z coordinates.
- * This is used as a marker to identify Montgomery curves! */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
- mbedtls_mpi_free(&grp->G.Y);
-
- /* Actually, the required msb for private keys */
- grp->nbits = 254;
-
-cleanup:
- if (ret != 0) {
- mbedtls_ecp_group_free(grp);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-/* Constants used by ecp_use_curve448() */
-static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
-static const unsigned char curve448_part_of_n[] = {
- 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
- 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
- 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
- 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
-};
-
-/*
- * Specialized function for creating the Curve448 group
- */
-static int ecp_use_curve448(mbedtls_ecp_group *grp)
-{
- mbedtls_mpi Ns;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_mpi_init(&Ns);
-
- /* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
-
- /* P = 2^448 - 2^224 - 1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
-
- /* Y intentionally not set, since we use x/z coordinates.
- * This is used as a marker to identify Montgomery curves! */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
- mbedtls_mpi_free(&grp->G.Y);
-
- /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns,
- curve448_part_of_n, sizeof(curve448_part_of_n)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns));
-
- /* Actually, the required msb for private keys */
- grp->nbits = 447;
-
-cleanup:
- mbedtls_mpi_free(&Ns);
- if (ret != 0) {
- mbedtls_ecp_group_free(grp);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-/*
- * Set a group using well-known domain parameters
- */
-int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
-{
- ECP_VALIDATE_RET(grp != NULL);
- mbedtls_ecp_group_free(grp);
-
- mbedtls_ecp_group_init(grp);
-
- grp->id = id;
-
- switch (id) {
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192R1:
- NIST_MODP(p192);
- return LOAD_GROUP(secp192r1);
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224R1:
- NIST_MODP(p224);
- return LOAD_GROUP(secp224r1);
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256R1:
- NIST_MODP(p256);
- return LOAD_GROUP(secp256r1);
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP384R1:
- NIST_MODP(p384);
- return LOAD_GROUP(secp384r1);
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP521R1:
- NIST_MODP(p521);
- return LOAD_GROUP(secp521r1);
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192K1:
- grp->modp = ecp_mod_p192k1;
- return LOAD_GROUP_A(secp192k1);
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224K1:
- grp->modp = ecp_mod_p224k1;
- return LOAD_GROUP_A(secp224k1);
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256K1:
- grp->modp = ecp_mod_p256k1;
- return LOAD_GROUP_A(secp256k1);
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
- case MBEDTLS_ECP_DP_BP256R1:
- return LOAD_GROUP_A(brainpoolP256r1);
-#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
- case MBEDTLS_ECP_DP_BP384R1:
- return LOAD_GROUP_A(brainpoolP384r1);
-#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
- case MBEDTLS_ECP_DP_BP512R1:
- return LOAD_GROUP_A(brainpoolP512r1);
-#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- case MBEDTLS_ECP_DP_CURVE25519:
- grp->modp = ecp_mod_p255;
- return ecp_use_curve25519(grp);
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- case MBEDTLS_ECP_DP_CURVE448:
- grp->modp = ecp_mod_p448;
- return ecp_use_curve448(grp);
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
- default:
- grp->id = MBEDTLS_ECP_DP_NONE;
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-}
-
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
-/*
- * Fast reduction modulo the primes used by the NIST curves.
- *
- * These functions are critical for speed, but not needed for correct
- * operations. So, we make the choice to heavily rely on the internals of our
- * bignum library, which creates a tight coupling between these functions and
- * our MPI implementation. However, the coupling between the ECP module and
- * MPI remains loose, since these functions can be deactivated at will.
- */
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-/*
- * Compared to the way things are presented in FIPS 186-3 D.2,
- * we proceed in columns, from right (least significant chunk) to left,
- * adding chunks to N in place, and keeping a carry for the next chunk.
- * This avoids moving things around in memory, and uselessly adding zeros,
- * compared to the more straightforward, line-oriented approach.
- *
- * For this prime we need to handle data in chunks of 64 bits.
- * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
- * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
- */
-
-/* Add 64-bit chunks (dst += src) and update carry */
-static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
-{
- unsigned char i;
- mbedtls_mpi_uint c = 0;
- for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
- *dst += c; c = (*dst < c);
- *dst += *src; c += (*dst < *src);
- }
- *carry += c;
-}
-
-/* Add carry to a 64-bit chunk and update carry */
-static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
-{
- unsigned char i;
- for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
- *dst += *carry;
- *carry = (*dst < *carry);
- }
-}
-
-#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
-#define A(i) N->p + (i) * WIDTH
-#define ADD(i) add64(p, A(i), &c)
-#define NEXT p += WIDTH; carry64(p, &c)
-#define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
-
-/*
- * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
- */
-static int ecp_mod_p192(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_uint c = 0;
- mbedtls_mpi_uint *p, *end;
-
- /* Make sure we have enough blocks so that A(5) is legal */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
-
- p = N->p;
- end = p + N->n;
-
- ADD(3); ADD(5); NEXT; // A0 += A3 + A5
- ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
- ADD(4); ADD(5); LAST; // A2 += A4 + A5
-
-cleanup:
- return ret;
-}
-
-#undef WIDTH
-#undef A
-#undef ADD
-#undef NEXT
-#undef LAST
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-/*
- * The reader is advised to first understand ecp_mod_p192() since the same
- * general structure is used here, but with additional complications:
- * (1) chunks of 32 bits, and (2) subtractions.
- */
-
-/*
- * For these primes, we need to handle data in chunks of 32 bits.
- * This makes it more complicated if we use 64 bits limbs in MPI,
- * which prevents us from using a uniform access method as for p192.
- *
- * So, we define a mini abstraction layer to access 32 bit chunks,
- * load them in 'cur' for work, and store them back from 'cur' when done.
- *
- * While at it, also define the size of N in terms of 32-bit chunks.
- */
-#define LOAD32 cur = A(i);
-
-#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
-
-#define MAX32 N->n
-#define A(j) N->p[j]
-#define STORE32 N->p[i] = cur;
-
-#else /* 64-bit */
-
-#define MAX32 N->n * 2
-#define A(j) (j) % 2 ? (uint32_t) (N->p[(j)/2] >> 32) : \
- (uint32_t) (N->p[(j)/2])
-#define STORE32 \
- if (i % 2) { \
- N->p[i/2] &= 0x00000000FFFFFFFF; \
- N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
- } else { \
- N->p[i/2] &= 0xFFFFFFFF00000000; \
- N->p[i/2] |= (mbedtls_mpi_uint) cur; \
- }
-
-#endif /* sizeof( mbedtls_mpi_uint ) */
-
-/*
- * Helpers for addition and subtraction of chunks, with signed carry.
- */
-static inline void add32(uint32_t *dst, uint32_t src, signed char *carry)
-{
- *dst += src;
- *carry += (*dst < src);
-}
-
-static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry)
-{
- *carry -= (*dst < src);
- *dst -= src;
-}
-
-#define ADD(j) add32(&cur, A(j), &c);
-#define SUB(j) sub32(&cur, A(j), &c);
-
-/*
- * Helpers for the main 'loop'
- */
-#define INIT(b) \
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
- signed char c = 0, cc; \
- uint32_t cur; \
- size_t i = 0, bits = (b); \
- /* N is the size of the product of two b-bit numbers, plus one */ \
- /* limb for fix_negative */ \
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, (b) * 2 / biL + 1)); \
- LOAD32;
-
-#define NEXT \
- STORE32; i++; LOAD32; \
- cc = c; c = 0; \
- if (cc < 0) \
- sub32(&cur, -cc, &c); \
- else \
- add32(&cur, cc, &c); \
-
-#define LAST \
- STORE32; i++; \
- cur = c > 0 ? c : 0; STORE32; \
- cur = 0; while (++i < MAX32) { STORE32; } \
- if (c < 0) mbedtls_ecp_fix_negative(N, c, bits);
-
-/*
- * If the result is negative, we get it in the form
- * c * 2^bits + N, with c negative and N positive shorter than 'bits'
- */
-static void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits)
-{
- size_t i;
-
- /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
- * set the absolute value to 0xfff...fff - N. There is no carry
- * since we're subtracting from all-bits-one. */
- for (i = 0; i <= bits / 8 / sizeof(mbedtls_mpi_uint); i++) {
- N->p[i] = ~(mbedtls_mpi_uint) 0 - N->p[i];
- }
- /* Add 1, taking care of the carry. */
- i = 0;
- do {
- ++N->p[i];
- } while (N->p[i++] == 0 && i <= bits / 8 / sizeof(mbedtls_mpi_uint));
- /* Invert the sign.
- * Now N = N0 - 2^bits where N0 is the initial value of N. */
- N->s = -1;
-
- /* Add |c| * 2^bits to the absolute value. Since c and N are
- * negative, this adds c * 2^bits. */
- mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
-#if defined(MBEDTLS_HAVE_INT64)
- if (bits == 224) {
- msw <<= 32;
- }
-#endif
- N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw;
-}
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-/*
- * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
- */
-static int ecp_mod_p224(mbedtls_mpi *N)
-{
- INIT(224);
-
- SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
- SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
- SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
- SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
- SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
- SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
- SUB(13); ADD(10); LAST; // A6 += -A13 + A10
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-/*
- * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
- */
-static int ecp_mod_p256(mbedtls_mpi *N)
-{
- INIT(256);
-
- ADD(8); ADD(9);
- SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
-
- ADD(9); ADD(10);
- SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
-
- ADD(10); ADD(11);
- SUB(13); SUB(14); SUB(15); NEXT; // A2
-
- ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
- SUB(15); SUB(8); SUB(9); NEXT; // A3
-
- ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
- SUB(9); SUB(10); NEXT; // A4
-
- ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
- SUB(10); SUB(11); NEXT; // A5
-
- ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
- SUB(8); SUB(9); NEXT; // A6
-
- ADD(15); ADD(15); ADD(15); ADD(8);
- SUB(10); SUB(11); SUB(12); SUB(13); LAST; // A7
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-/*
- * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
- */
-static int ecp_mod_p384(mbedtls_mpi *N)
-{
- INIT(384);
-
- ADD(12); ADD(21); ADD(20);
- SUB(23); NEXT; // A0
-
- ADD(13); ADD(22); ADD(23);
- SUB(12); SUB(20); NEXT; // A2
-
- ADD(14); ADD(23);
- SUB(13); SUB(21); NEXT; // A2
-
- ADD(15); ADD(12); ADD(20); ADD(21);
- SUB(14); SUB(22); SUB(23); NEXT; // A3
-
- ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
- SUB(15); SUB(23); SUB(23); NEXT; // A4
-
- ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
- SUB(16); NEXT; // A5
-
- ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
- SUB(17); NEXT; // A6
-
- ADD(19); ADD(16); ADD(15); ADD(23);
- SUB(18); NEXT; // A7
-
- ADD(20); ADD(17); ADD(16);
- SUB(19); NEXT; // A8
-
- ADD(21); ADD(18); ADD(17);
- SUB(20); NEXT; // A9
-
- ADD(22); ADD(19); ADD(18);
- SUB(21); NEXT; // A10
-
- ADD(23); ADD(20); ADD(19);
- SUB(22); LAST; // A11
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#undef A
-#undef LOAD32
-#undef STORE32
-#undef MAX32
-#undef INIT
-#undef NEXT
-#undef LAST
-
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
- MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
- MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-/*
- * Here we have an actual Mersenne prime, so things are more straightforward.
- * However, chunks are aligned on a 'weird' boundary (521 bits).
- */
-
-/* Size of p521 in terms of mbedtls_mpi_uint */
-#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
-
-/* Bits to keep in the most significant mbedtls_mpi_uint */
-#define P521_MASK 0x01FF
-
-/*
- * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
- * Write N as A1 + 2^521 A0, return A0 + A1
- */
-static int ecp_mod_p521(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi M;
- mbedtls_mpi_uint Mp[P521_WIDTH + 1];
- /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
- * we need to hold bits 513 to 1056, which is 34 limbs, that is
- * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
-
- if (N->n < P521_WIDTH) {
- return 0;
- }
-
- /* M = A1 */
- M.s = 1;
- M.n = N->n - (P521_WIDTH - 1);
- if (M.n > P521_WIDTH + 1) {
- M.n = P521_WIDTH + 1;
- }
- M.p = Mp;
- memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
-
- /* N = A0 */
- N->p[P521_WIDTH - 1] &= P521_MASK;
- for (i = P521_WIDTH; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N = A0 + A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
-
-cleanup:
- return ret;
-}
-
-#undef P521_WIDTH
-#undef P521_MASK
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#endif /* MBEDTLS_ECP_NIST_OPTIM */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-
-/* Size of p255 in terms of mbedtls_mpi_uint */
-#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
-
-/*
- * Fast quasi-reduction modulo p255 = 2^255 - 19
- * Write N as A0 + 2^256 A1, return A0 + 38 * A1
- */
-static int ecp_mod_p255(mbedtls_mpi *N)
-{
- mbedtls_mpi_uint Mp[P255_WIDTH];
-
- /* Helper references for top part of N */
- mbedtls_mpi_uint * const NT_p = N->p + P255_WIDTH;
- const size_t NT_n = N->n - P255_WIDTH;
- if (N->n <= P255_WIDTH) {
- return 0;
- }
- if (NT_n > P255_WIDTH) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* Split N as N + 2^256 M */
- memcpy(Mp, NT_p, sizeof(mbedtls_mpi_uint) * NT_n);
- memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
-
- /* N = A0 + 38 * A1 */
- mbedtls_mpi_core_mla(N->p, P255_WIDTH + 1,
- Mp, NT_n,
- 38);
-
- return 0;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-
-/* Size of p448 in terms of mbedtls_mpi_uint */
-#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
-
-/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
-#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
-#define P224_SIZE (224 / 8)
-#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
-#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
-#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
-
-/*
- * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
- * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
- * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
- * implementation of Curve448, which uses its own special 56-bit limbs rather
- * than a generic bignum library. We could squeeze some extra speed out on
- * 32-bit machines by splitting N up into 32-bit limbs and doing the
- * arithmetic using the limbs directly as we do for the NIST primes above,
- * but for 64-bit targets it should use half the number of operations if we do
- * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
- */
-static int ecp_mod_p448(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi M, Q;
- mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
-
- if (N->n <= P448_WIDTH) {
- return 0;
- }
-
- /* M = A1 */
- M.s = 1;
- M.n = N->n - (P448_WIDTH);
- if (M.n > P448_WIDTH) {
- /* Shouldn't be called with N larger than 2^896! */
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- M.p = Mp;
- memset(Mp, 0, sizeof(Mp));
- memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
-
- /* N = A0 */
- for (i = P448_WIDTH; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N += A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
-
- /* Q = B1, N += B1 */
- Q = M;
- Q.p = Qp;
- memcpy(Qp, Mp, sizeof(Qp));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
-
- /* M = (B0 + B1) * 2^224, N += M */
- if (sizeof(mbedtls_mpi_uint) > 4) {
- Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
- }
- for (i = P224_WIDTH_MAX; i < M.n; ++i) {
- Mp[i] = 0;
- }
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
- M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-/*
- * Fast quasi-reduction modulo P = 2^s - R,
- * with R about 33 bits, used by the Koblitz curves.
- *
- * Write N as A0 + 2^224 A1, return A0 + R * A1.
- * Actually do two passes, since R is big.
- */
-#define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
-#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
-static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
- size_t adjust, size_t shift, mbedtls_mpi_uint mask)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi M, R;
- mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
-
- if (N->n < p_limbs) {
- return 0;
- }
-
- /* Init R */
- R.s = 1;
- R.p = Rp;
- R.n = P_KOBLITZ_R;
-
- /* Common setup for M */
- M.s = 1;
- M.p = Mp;
-
- /* M = A1 */
- M.n = (unsigned short) (N->n - (p_limbs - adjust));
- if (M.n > p_limbs + adjust) {
- M.n = (unsigned short) (p_limbs + adjust);
- }
- memset(Mp, 0, sizeof(Mp));
- memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
- if (shift != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
- }
- M.n += R.n; /* Make room for multiplication by R */
-
- /* N = A0 */
- if (mask != 0) {
- N->p[p_limbs - 1] &= mask;
- }
- for (i = p_limbs; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N = A0 + R * A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
-
- /* Second pass */
-
- /* M = A1 */
- M.n = (unsigned short) (N->n - (p_limbs - adjust));
- if (M.n > p_limbs + adjust) {
- M.n = (unsigned short) (p_limbs + adjust);
- }
- memset(Mp, 0, sizeof(Mp));
- memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
- if (shift != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
- }
- M.n += R.n; /* Make room for multiplication by R */
-
- /* N = A0 */
- if (mask != 0) {
- N->p[p_limbs - 1] &= mask;
- }
- for (i = p_limbs; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N = A0 + R * A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
- MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
- MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-/*
- * Fast quasi-reduction modulo p192k1 = 2^192 - R,
- * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
- */
-static int ecp_mod_p192k1(mbedtls_mpi *N)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
- };
-
- return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
-}
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-/*
- * Fast quasi-reduction modulo p224k1 = 2^224 - R,
- * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
- */
-static int ecp_mod_p224k1(mbedtls_mpi *N)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
- };
-
-#if defined(MBEDTLS_HAVE_INT64)
- return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
-#else
- return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
-#endif
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-/*
- * Fast quasi-reduction modulo p256k1 = 2^256 - R,
- * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
- */
-static int ecp_mod_p256k1(mbedtls_mpi *N)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
- };
- return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
-}
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-MBEDTLS_STATIC_TESTABLE
-mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
-{
- return MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT;
-}
-
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#endif /* !MBEDTLS_ECP_ALT */
-
-#endif /* MBEDTLS_ECP_LIGHT */
-#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/ecp_curves_new.c b/library/ecp_curves_new.c
deleted file mode 100644
index d431dcf..0000000
--- a/library/ecp_curves_new.c
+++ /dev/null
@@ -1,6055 +0,0 @@
-/*
- * Elliptic curves over GF(p): curve-specific data and functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ECP_WITH_MPI_UINT)
-
-#if defined(MBEDTLS_ECP_LIGHT)
-
-#include "mbedtls/ecp.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include "mbedtls/platform.h"
-
-#include "constant_time_internal.h"
-
-#include "bn_mul.h"
-#include "bignum_core.h"
-#include "ecp_invasive.h"
-
-#include <string.h>
-
-#if !defined(MBEDTLS_ECP_ALT)
-
-/* Parameter validation macros based on platform_util.h */
-#define ECP_VALIDATE_RET(cond) \
- MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA)
-#define ECP_VALIDATE(cond) \
- MBEDTLS_INTERNAL_VALIDATE(cond)
-
-#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
-
-#define ECP_MPI_INIT_ARRAY(x) \
- ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
-
-#define ECP_POINT_INIT_XY_Z0(x, y) { \
- ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
-#define ECP_POINT_INIT_XY_Z1(x, y) { \
- ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-/* For these curves, we build the group parameters dynamically. */
-#define ECP_LOAD_GROUP
-static mbedtls_mpi_uint mpi_one[] = { 1 };
-#endif
-
-/*
- * Note: the constants are in little-endian order
- * to be directly usable in MPIs
- */
-
-/*
- * Domain parameters for secp192r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-static const mbedtls_mpi_uint secp192r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp192r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
-};
-static const mbedtls_mpi_uint secp192r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
-};
-static const mbedtls_mpi_uint secp192r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
-};
-static const mbedtls_mpi_uint secp192r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
-};
-static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
-};
-static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
-};
-static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
-};
-static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
-};
-static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
-};
-static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
-};
-static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
-};
-static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
-};
-static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
-};
-static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
-};
-static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
-};
-static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
-};
-static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
-};
-static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
-};
-static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
-};
-static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
-};
-static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
-};
-static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
-};
-static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
-};
-static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
-};
-static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
-};
-static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
-};
-static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
-};
-static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
-};
-static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
-};
-static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
-};
-static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
-};
-static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
-};
-static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
-};
-static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
-};
-static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
-};
-static const mbedtls_ecp_point secp192r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
-};
-#else
-#define secp192r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-/*
- * Domain parameters for secp224r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-static const mbedtls_mpi_uint secp224r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
-};
-static const mbedtls_mpi_uint secp224r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
-};
-static const mbedtls_mpi_uint secp224r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
-};
-static const mbedtls_mpi_uint secp224r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp224r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
-};
-#else
-#define secp224r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-/*
- * Domain parameters for secp256r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-static const mbedtls_mpi_uint secp256r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp256r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
-};
-static const mbedtls_mpi_uint secp256r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
-};
-static const mbedtls_mpi_uint secp256r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
-};
-static const mbedtls_mpi_uint secp256r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
-};
-static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
-};
-static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
-};
-static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
-};
-static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
-};
-static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
-};
-static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
-};
-static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
-};
-static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
-};
-static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
-};
-static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
-};
-static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
-};
-static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
-};
-static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
-};
-static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
-};
-static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
-};
-static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
-};
-static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
-};
-static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
-};
-static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
-};
-static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
-};
-static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
-};
-static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
-};
-static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
-};
-static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
-};
-static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
-};
-static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
-};
-static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
-};
-static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
-};
-static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
-};
-static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
-};
-static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
-};
-static const mbedtls_ecp_point secp256r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
-};
-#else
-#define secp256r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-/*
- * Domain parameters for secp384r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-static const mbedtls_mpi_uint secp384r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp384r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
-};
-static const mbedtls_mpi_uint secp384r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
-};
-static const mbedtls_mpi_uint secp384r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
-};
-static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
-};
-static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
-};
-static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
-};
-static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
-};
-static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
-};
-static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
-};
-static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
-};
-static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
-};
-static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
-};
-static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
-};
-static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
-};
-static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
-};
-static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
-};
-static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
-};
-static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
-};
-static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
-};
-static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
-};
-static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
-};
-static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
-};
-static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
-};
-static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
-};
-static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
-};
-static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
-};
-static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
-};
-static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
-};
-static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
-};
-static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
-};
-static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
-};
-static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
-};
-static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
-};
-static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
-};
-static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
-};
-static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
-};
-static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
-};
-static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
-};
-static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
-};
-static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
-};
-static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
-};
-static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
-};
-static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
-};
-static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
-};
-static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
-};
-static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
-};
-static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
-};
-static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
-};
-static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
-};
-static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
-};
-static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
-};
-static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
-};
-static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
-};
-static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
-};
-static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
-};
-static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
-};
-static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
-};
-static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
-};
-static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
-};
-static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
-};
-static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
-};
-static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
-};
-static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
-};
-static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
-};
-static const mbedtls_ecp_point secp384r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
-};
-#else
-#define secp384r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-/*
- * Domain parameters for secp521r1
- */
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-static const mbedtls_mpi_uint secp521r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
-};
-static const mbedtls_mpi_uint secp521r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
-};
-static const mbedtls_mpi_uint secp521r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
-};
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp521r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
-};
-#else
-#define secp521r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-static const mbedtls_mpi_uint secp192k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp192k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp192k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
-};
-static const mbedtls_mpi_uint secp192k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
-};
-static const mbedtls_mpi_uint secp192k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
-};
-static const mbedtls_mpi_uint secp192k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
-};
-static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
-};
-static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
-};
-static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
-};
-static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
-};
-static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
-};
-static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
-};
-static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
-};
-static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
-};
-static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
-};
-static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
-};
-static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
-};
-static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
-};
-static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
-};
-static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
-};
-static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
-};
-static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
-};
-static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
-};
-static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
-};
-static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
-};
-static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
-};
-static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
-};
-static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
-};
-static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
-};
-static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
-};
-static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
-};
-static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
-};
-static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
-};
-static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
-};
-static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
-};
-static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
-};
-static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
-};
-static const mbedtls_ecp_point secp192k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
-};
-#else
-#define secp192k1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-static const mbedtls_mpi_uint secp224k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp224k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
-};
-static const mbedtls_mpi_uint secp224k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
-};
-static const mbedtls_mpi_uint secp224k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
-};
-static const mbedtls_ecp_point secp224k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
-};
-#else
-#define secp224k1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-static const mbedtls_mpi_uint secp256k1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-static const mbedtls_mpi_uint secp256k1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
-};
-static const mbedtls_mpi_uint secp256k1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
-};
-static const mbedtls_mpi_uint secp256k1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
-};
-static const mbedtls_mpi_uint secp256k1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
-};
-static const mbedtls_mpi_uint secp256k1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
-};
-static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
-};
-static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
-};
-static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
-};
-static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
-};
-static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
-};
-static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
-};
-static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
-};
-static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
-};
-static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
-};
-static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
-};
-static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
-};
-static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
-};
-static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
-};
-static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
-};
-static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
-};
-static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
-};
-static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
-};
-static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
-};
-static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
-};
-static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
-};
-static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
-};
-static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
-};
-static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
-};
-static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
-};
-static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
-};
-static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
-};
-static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
-};
-static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
-};
-static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
-};
-static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
-};
-static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
-};
-static const mbedtls_ecp_point secp256k1_T[16] = {
- ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
-};
-#else
-#define secp256k1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
- */
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
-};
-static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
-};
-static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
-};
-#else
-#define brainpoolP256r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
- */
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
- MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
- MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
-};
-static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
-};
-static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
-};
-#else
-#define brainpoolP384r1_T NULL
-#endif
-
-#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
-
-/*
- * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
- */
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
-static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
-};
-
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
- MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
- MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
- MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
- MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
- MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
- MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
- MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
- MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
- MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
- MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
- MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
- MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
- MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
- MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
- MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
- MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
- MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
- MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
- MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
- MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
- MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
- MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
- MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
- MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
- MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
- MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
- MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
- MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
- MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
- MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
- MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
- MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
- MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
- MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
- MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
- MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
- MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
- MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
-};
-static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
- MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
- MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
- MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
- MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
- MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
- MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
-};
-static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
- ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
- ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
-};
-#else
-#define brainpoolP512r1_T NULL
-#endif
-#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-
-
-#if defined(ECP_LOAD_GROUP) || defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
- defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-/*
- * Create an MPI from embedded constants
- * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint) and
- * len < 1048576)
- */
-static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
-{
- X->s = 1;
- X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
- X->p = (mbedtls_mpi_uint *) p;
-}
-#endif
-
-#if defined(ECP_LOAD_GROUP)
-/*
- * Set an MPI to static value 1
- */
-static inline void ecp_mpi_set1(mbedtls_mpi *X)
-{
- X->s = 1;
- X->n = 1;
- X->p = mpi_one;
-}
-
-/*
- * Make group available from embedded constants
- */
-static int ecp_group_load(mbedtls_ecp_group *grp,
- const mbedtls_mpi_uint *p, size_t plen,
- const mbedtls_mpi_uint *a, size_t alen,
- const mbedtls_mpi_uint *b, size_t blen,
- const mbedtls_mpi_uint *gx, size_t gxlen,
- const mbedtls_mpi_uint *gy, size_t gylen,
- const mbedtls_mpi_uint *n, size_t nlen,
- const mbedtls_ecp_point *T)
-{
- ecp_mpi_load(&grp->P, p, plen);
- if (a != NULL) {
- ecp_mpi_load(&grp->A, a, alen);
- }
- ecp_mpi_load(&grp->B, b, blen);
- ecp_mpi_load(&grp->N, n, nlen);
-
- ecp_mpi_load(&grp->G.X, gx, gxlen);
- ecp_mpi_load(&grp->G.Y, gy, gylen);
- ecp_mpi_set1(&grp->G.Z);
-
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
- grp->nbits = mbedtls_mpi_bitlen(&grp->N);
-
- grp->h = 1;
-
- grp->T = (mbedtls_ecp_point *) T;
- /*
- * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
- */
- grp->T_size = 0;
-
- return 0;
-}
-#endif /* ECP_LOAD_GROUP */
-
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
-/* Forward declarations */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-static int ecp_mod_p192(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-static int ecp_mod_p224(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-static int ecp_mod_p256(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-static int ecp_mod_p384(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-static int ecp_mod_p521(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
-#endif
-
-#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
-#else
-#define NIST_MODP(P)
-#endif /* MBEDTLS_ECP_NIST_OPTIM */
-
-/* Additional forward declarations */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-static int ecp_mod_p255(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-static int ecp_mod_p448(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *, size_t);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-static int ecp_mod_p192k1(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-static int ecp_mod_p224k1(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-static int ecp_mod_p256k1(mbedtls_mpi *);
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-#endif
-
-#if defined(ECP_LOAD_GROUP)
-#define LOAD_GROUP_A(G) ecp_group_load(grp, \
- G ## _p, sizeof(G ## _p), \
- G ## _a, sizeof(G ## _a), \
- G ## _b, sizeof(G ## _b), \
- G ## _gx, sizeof(G ## _gx), \
- G ## _gy, sizeof(G ## _gy), \
- G ## _n, sizeof(G ## _n), \
- G ## _T \
- )
-
-#define LOAD_GROUP(G) ecp_group_load(grp, \
- G ## _p, sizeof(G ## _p), \
- NULL, 0, \
- G ## _b, sizeof(G ## _b), \
- G ## _gx, sizeof(G ## _gx), \
- G ## _gy, sizeof(G ## _gy), \
- G ## _n, sizeof(G ## _n), \
- G ## _T \
- )
-#endif /* ECP_LOAD_GROUP */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-/* Constants used by ecp_use_curve25519() */
-static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
-
-/* P = 2^255 - 19 */
-static const mbedtls_mpi_uint curve25519_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X7F)
-};
-
-/* N = 2^252 + 27742317777372353535851937790883648493 */
-static const mbedtls_mpi_uint curve25519_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0XED, 0XD3, 0XF5, 0X5C, 0X1A, 0X63, 0X12, 0X58),
- MBEDTLS_BYTES_TO_T_UINT_8(0XD6, 0X9C, 0XF7, 0XA2, 0XDE, 0XF9, 0XDE, 0X14),
- MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0x00, 0x00, 0x00, 0x00),
- MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
-};
-
-/*
- * Specialized function for creating the Curve25519 group
- */
-static int ecp_use_curve25519(mbedtls_ecp_group *grp)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
-
- ecp_mpi_load(&grp->P, curve25519_p, sizeof(curve25519_p));
-
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
-
- ecp_mpi_load(&grp->N, curve25519_n, sizeof(curve25519_n));
-
- /* Y intentionally not set, since we use x/z coordinates.
- * This is used as a marker to identify Montgomery curves! */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
- mbedtls_mpi_free(&grp->G.Y);
-
- /* Actually, the required msb for private keys */
- grp->nbits = 254;
-
-cleanup:
- if (ret != 0) {
- mbedtls_ecp_group_free(grp);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-/* Constants used by ecp_use_curve448() */
-static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
-
-/* P = 2^448 - 2^224 - 1 */
-static const mbedtls_mpi_uint curve448_p[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFE, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
-};
-
-/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
-static const mbedtls_mpi_uint curve448_n[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0XF3, 0X44, 0X58, 0XAB, 0X92, 0XC2, 0X78, 0X23),
- MBEDTLS_BYTES_TO_T_UINT_8(0X55, 0X8F, 0XC5, 0X8D, 0X72, 0XC2, 0X6C, 0X21),
- MBEDTLS_BYTES_TO_T_UINT_8(0X90, 0X36, 0XD6, 0XAE, 0X49, 0XDB, 0X4E, 0XC4),
- MBEDTLS_BYTES_TO_T_UINT_8(0XE9, 0X23, 0XCA, 0X7C, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
- MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X3F),
- MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
-};
-
-/*
- * Specialized function for creating the Curve448 group
- */
-static int ecp_use_curve448(mbedtls_ecp_group *grp)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
-
- ecp_mpi_load(&grp->P, curve448_p, sizeof(curve448_p));
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
-
- /* Y intentionally not set, since we use x/z coordinates.
- * This is used as a marker to identify Montgomery curves! */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
- mbedtls_mpi_free(&grp->G.Y);
-
- ecp_mpi_load(&grp->N, curve448_n, sizeof(curve448_n));
-
- /* Actually, the required msb for private keys */
- grp->nbits = 447;
-
-cleanup:
- if (ret != 0) {
- mbedtls_ecp_group_free(grp);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-/*
- * Set a group using well-known domain parameters
- */
-int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
-{
- ECP_VALIDATE_RET(grp != NULL);
- mbedtls_ecp_group_free(grp);
-
- mbedtls_ecp_group_init(grp);
-
- grp->id = id;
-
- switch (id) {
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192R1:
- NIST_MODP(p192);
- return LOAD_GROUP(secp192r1);
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224R1:
- NIST_MODP(p224);
- return LOAD_GROUP(secp224r1);
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256R1:
- NIST_MODP(p256);
- return LOAD_GROUP(secp256r1);
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP384R1:
- NIST_MODP(p384);
- return LOAD_GROUP(secp384r1);
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP521R1:
- NIST_MODP(p521);
- return LOAD_GROUP(secp521r1);
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192K1:
- grp->modp = ecp_mod_p192k1;
- return LOAD_GROUP_A(secp192k1);
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224K1:
- grp->modp = ecp_mod_p224k1;
- return LOAD_GROUP_A(secp224k1);
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256K1:
- grp->modp = ecp_mod_p256k1;
- return LOAD_GROUP_A(secp256k1);
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
- case MBEDTLS_ECP_DP_BP256R1:
- return LOAD_GROUP_A(brainpoolP256r1);
-#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
- case MBEDTLS_ECP_DP_BP384R1:
- return LOAD_GROUP_A(brainpoolP384r1);
-#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
- case MBEDTLS_ECP_DP_BP512R1:
- return LOAD_GROUP_A(brainpoolP512r1);
-#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- case MBEDTLS_ECP_DP_CURVE25519:
- grp->modp = ecp_mod_p255;
- return ecp_use_curve25519(grp);
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- case MBEDTLS_ECP_DP_CURVE448:
- grp->modp = ecp_mod_p448;
- return ecp_use_curve448(grp);
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
- default:
- grp->id = MBEDTLS_ECP_DP_NONE;
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-}
-
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
-/*
- * Fast reduction modulo the primes used by the NIST curves.
- *
- * These functions are critical for speed, but not needed for correct
- * operations. So, we make the choice to heavily rely on the internals of our
- * bignum library, which creates a tight coupling between these functions and
- * our MPI implementation. However, the coupling between the ECP module and
- * MPI remains loose, since these functions can be deactivated at will.
- */
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-/*
- * Compared to the way things are presented in FIPS 186-3 D.2,
- * we proceed in columns, from right (least significant chunk) to left,
- * adding chunks to N in place, and keeping a carry for the next chunk.
- * This avoids moving things around in memory, and uselessly adding zeros,
- * compared to the more straightforward, line-oriented approach.
- *
- * For this prime we need to handle data in chunks of 64 bits.
- * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
- * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
- */
-
-/* Add 64-bit chunks (dst += src) and update carry */
-static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
-{
- unsigned char i;
- mbedtls_mpi_uint c = 0;
- for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
- *dst += c; c = (*dst < c);
- *dst += *src; c += (*dst < *src);
- }
- *carry += c;
-}
-
-/* Add carry to a 64-bit chunk and update carry */
-static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
-{
- unsigned char i;
- for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
- *dst += *carry;
- *carry = (*dst < *carry);
- }
-}
-
-#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
-#define A(i) Np + (i) * WIDTH
-#define ADD(i) add64(p, A(i), &c)
-#define NEXT p += WIDTH; carry64(p, &c)
-#define LAST p += WIDTH; do *p = 0; while (++p < end)
-#define RESET last_carry[0] = c; c = 0; p = Np
-#define ADD_LAST add64(p, last_carry, &c)
-
-/*
- * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
- */
-static int ecp_mod_p192(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(192) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
-
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
-{
- mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
- mbedtls_mpi_uint *p, *end;
-
- if (Nn != BITS_TO_LIMBS(192) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- p = Np;
- end = p + Nn;
-
- ADD(3); ADD(5); NEXT; // A0 += A3 + A5
- ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
- ADD(4); ADD(5); // A2 += A4 + A5
-
- RESET;
-
- /* Use the reduction for the carry as well:
- * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
- * It can generate a carry. */
- ADD_LAST; NEXT; // A0 += last_carry
- ADD_LAST; NEXT; // A1 += last_carry
- // A2 += carry
-
- RESET;
-
- /* Use the reduction for the carry as well:
- * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
- */
- ADD_LAST; NEXT; // A0 += last_carry
- ADD_LAST; NEXT; // A1 += last_carry
- // A2 += carry
-
- LAST;
-
- return 0;
-}
-
-#undef WIDTH
-#undef A
-#undef ADD
-#undef NEXT
-#undef LAST
-#undef RESET
-#undef ADD_LAST
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-
-/*
- * The reader is advised to first understand ecp_mod_p192() since the same
- * general structure is used here, but with additional complications:
- * (1) chunks of 32 bits, and (2) subtractions.
- */
-
-/*
- * For these primes, we need to handle data in chunks of 32 bits.
- * This makes it more complicated if we use 64 bits limbs in MPI,
- * which prevents us from using a uniform access method as for p192.
- *
- * So, we define a mini abstraction layer to access 32 bit chunks,
- * load them in 'cur' for work, and store them back from 'cur' when done.
- *
- * While at it, also define the size of N in terms of 32-bit chunks.
- */
-#define LOAD32 cur = A(i);
-
-#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
-
-#define MAX32 X_limbs
-#define A(j) X[j]
-#define STORE32 X[i] = (mbedtls_mpi_uint) cur;
-#define STORE0 X[i] = 0;
-
-#else /* 64 bit */
-
-#define MAX32 X_limbs * 2
-#define A(j) \
- (j) % 2 ? \
- (uint32_t) (X[(j) / 2] >> 32) : \
- (uint32_t) (X[(j) / 2])
-#define STORE32 \
- if (i % 2) { \
- X[i/2] &= 0x00000000FFFFFFFF; \
- X[i/2] |= (uint64_t) (cur) << 32; \
- } else { \
- X[i/2] &= 0xFFFFFFFF00000000; \
- X[i/2] |= (uint32_t) cur; \
- }
-
-#define STORE0 \
- if (i % 2) { \
- X[i/2] &= 0x00000000FFFFFFFF; \
- } else { \
- X[i/2] &= 0xFFFFFFFF00000000; \
- }
-
-#endif
-
-static inline int8_t extract_carry(int64_t cur)
-{
- return (int8_t) (cur >> 32);
-}
-
-#define ADD(j) cur += A(j)
-#define SUB(j) cur -= A(j)
-
-#define ADD_CARRY(cc) cur += (cc)
-#define SUB_CARRY(cc) cur -= (cc)
-
-#define ADD_LAST ADD_CARRY(last_c)
-#define SUB_LAST SUB_CARRY(last_c)
-
-/*
- * Helpers for the main 'loop'
- */
-#define INIT(b) \
- int8_t c = 0, last_c; \
- int64_t cur; \
- size_t i = 0; \
- LOAD32;
-
-#define NEXT \
- c = extract_carry(cur); \
- STORE32; i++; LOAD32; \
- ADD_CARRY(c);
-
-#define RESET \
- c = extract_carry(cur); \
- last_c = c; \
- STORE32; i = 0; LOAD32; \
- c = 0; \
-
-#define LAST \
- c = extract_carry(cur); \
- STORE32; i++; \
- if (c != 0) \
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; \
- while (i < MAX32) { STORE0; i++; }
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
- */
-static int ecp_mod_p224(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(224) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p224_raw(N->p, expected_width);
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- if (X_limbs != BITS_TO_LIMBS(224) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- INIT(224);
-
- SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
- SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
- SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
- SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
- SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
- SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
- SUB(13); ADD(10); // A6 += -A13 + A10
-
- RESET;
-
- /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */
- SUB_LAST; NEXT; // A0 -= last_c
- ; NEXT; // A1
- ; NEXT; // A2
- ADD_LAST; NEXT; // A3 += last_c
- ; NEXT; // A4
- ; NEXT; // A5
- // A6
-
- /* The carry reduction cannot generate a carry
- * (see commit 73e8553 for details)*/
-
- LAST;
-
- return 0;
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
- */
-static int ecp_mod_p256(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(256) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p256_raw(N->p, expected_width);
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- if (X_limbs != BITS_TO_LIMBS(256) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- INIT(256);
-
- ADD(8); ADD(9);
- SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
-
- ADD(9); ADD(10);
- SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
-
- ADD(10); ADD(11);
- SUB(13); SUB(14); SUB(15); NEXT; // A2
-
- ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
- SUB(15); SUB(8); SUB(9); NEXT; // A3
-
- ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
- SUB(9); SUB(10); NEXT; // A4
-
- ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
- SUB(10); SUB(11); NEXT; // A5
-
- ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
- SUB(8); SUB(9); NEXT; // A6
-
- ADD(15); ADD(15); ADD(15); ADD(8);
- SUB(10); SUB(11); SUB(12); SUB(13); // A7
-
- RESET;
-
- /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
- * to modulo reduce the final carry. */
- ADD_LAST; NEXT; // A0
- ; NEXT; // A1
- ; NEXT; // A2
- SUB_LAST; NEXT; // A3
- ; NEXT; // A4
- ; NEXT; // A5
- SUB_LAST; NEXT; // A6
- ADD_LAST; // A7
-
- RESET;
-
- /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
- * to modulo reduce the carry generated by the previous reduction. */
- ADD_LAST; NEXT; // A0
- ; NEXT; // A1
- ; NEXT; // A2
- SUB_LAST; NEXT; // A3
- ; NEXT; // A4
- ; NEXT; // A5
- SUB_LAST; NEXT; // A6
- ADD_LAST; // A7
-
- LAST;
-
- return 0;
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-/*
- * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
- */
-static int ecp_mod_p384(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(384) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p384_raw(N->p, expected_width);
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- if (X_limbs != BITS_TO_LIMBS(384) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- INIT(384);
-
- ADD(12); ADD(21); ADD(20);
- SUB(23); NEXT; // A0
-
- ADD(13); ADD(22); ADD(23);
- SUB(12); SUB(20); NEXT; // A1
-
- ADD(14); ADD(23);
- SUB(13); SUB(21); NEXT; // A2
-
- ADD(15); ADD(12); ADD(20); ADD(21);
- SUB(14); SUB(22); SUB(23); NEXT; // A3
-
- ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
- SUB(15); SUB(23); SUB(23); NEXT; // A4
-
- ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
- SUB(16); NEXT; // A5
-
- ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
- SUB(17); NEXT; // A6
-
- ADD(19); ADD(16); ADD(15); ADD(23);
- SUB(18); NEXT; // A7
-
- ADD(20); ADD(17); ADD(16);
- SUB(19); NEXT; // A8
-
- ADD(21); ADD(18); ADD(17);
- SUB(20); NEXT; // A9
-
- ADD(22); ADD(19); ADD(18);
- SUB(21); NEXT; // A10
-
- ADD(23); ADD(20); ADD(19);
- SUB(22); // A11
-
- RESET;
-
- /* Use 2^384 = P + 2^128 + 2^96 - 2^32 + 1 to modulo reduce the final carry */
- ADD_LAST; NEXT; // A0
- SUB_LAST; NEXT; // A1
- ; NEXT; // A2
- ADD_LAST; NEXT; // A3
- ADD_LAST; NEXT; // A4
- ; NEXT; // A5
- ; NEXT; // A6
- ; NEXT; // A7
- ; NEXT; // A8
- ; NEXT; // A9
- ; NEXT; // A10
- // A11
-
- RESET;
-
- ADD_LAST; NEXT; // A0
- SUB_LAST; NEXT; // A1
- ; NEXT; // A2
- ADD_LAST; NEXT; // A3
- ADD_LAST; NEXT; // A4
- ; NEXT; // A5
- ; NEXT; // A6
- ; NEXT; // A7
- ; NEXT; // A8
- ; NEXT; // A9
- ; NEXT; // A10
- // A11
-
- LAST;
-
- return 0;
-}
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#undef LOAD32
-#undef MAX32
-#undef A
-#undef STORE32
-#undef STORE0
-#undef ADD
-#undef SUB
-#undef ADD_CARRY
-#undef SUB_CARRY
-#undef ADD_LAST
-#undef SUB_LAST
-#undef INIT
-#undef NEXT
-#undef RESET
-#undef LAST
-
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
- MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
- MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-/* Size of p521 in terms of mbedtls_mpi_uint */
-#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
-
-/* Bits to keep in the most significant mbedtls_mpi_uint */
-#define P521_MASK 0x01FF
-
-/*
- * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
- */
-static int ecp_mod_p521(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(521) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- mbedtls_mpi_uint carry = 0;
-
- if (X_limbs != BITS_TO_LIMBS(521) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* Step 1: Reduction to P521_WIDTH limbs */
- /* Helper references for bottom part of X */
- mbedtls_mpi_uint *X0 = X;
- size_t X0_limbs = P521_WIDTH;
- /* Helper references for top part of X */
- mbedtls_mpi_uint *X1 = X + X0_limbs;
- size_t X1_limbs = X_limbs - X0_limbs;
- /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
- * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
- * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
- * The high order limb of the result will be held in carry and the rest
- * in X0 (that is the result will be represented as
- * 2^P521_WIDTH carry + X0).
- *
- * Also, note that the resulting carry is either 0 or 1:
- * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
- * therefore
- * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
- * which in turn is less than 2 * 2^(512 + biL).
- */
- mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
- carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
- /* Set X to X0 (by clearing the top part). */
- memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
-
- /* Step 2: Reduction modulo P521
- *
- * At this point X is reduced to P521_WIDTH limbs. What remains is to add
- * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
-
- /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
- * Also, recall that carry is either 0 or 1. */
- mbedtls_mpi_uint addend = carry << (biL - 9);
- /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
- addend += (X[P521_WIDTH - 1] >> 9);
- X[P521_WIDTH - 1] &= P521_MASK;
-
- /* Reuse the top part of X (already zeroed) as a helper array for
- * carrying out the addition. */
- mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
- addend_arr[0] = addend;
- (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
- /* Both addends were less than P521 therefore X < 2 * P521. (This also means
- * that the result fit in P521_WIDTH limbs and there won't be any carry.) */
-
- /* Clear the reused part of X. */
- addend_arr[0] = 0;
-
- return 0;
-}
-
-#undef P521_WIDTH
-#undef P521_MASK
-
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#endif /* MBEDTLS_ECP_NIST_OPTIM */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-
-/* Size of p255 in terms of mbedtls_mpi_uint */
-#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
-
-/*
- * Fast quasi-reduction modulo p255 = 2^255 - 19
- * Write N as A0 + 2^256 A1, return A0 + 38 * A1
- */
-static int ecp_mod_p255(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(255) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p255_raw(N->p, expected_width);
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_Limbs)
-{
-
- if (X_Limbs != BITS_TO_LIMBS(255) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_uint *carry = mbedtls_calloc(P255_WIDTH, ciL);
- if (carry == NULL) {
- return MBEDTLS_ERR_ECP_ALLOC_FAILED;
- }
-
- /* Step 1: Reduction to P255_WIDTH limbs */
- if (X_Limbs > P255_WIDTH) {
- /* Helper references for top part of X */
- mbedtls_mpi_uint * const A1 = X + P255_WIDTH;
- const size_t A1_limbs = X_Limbs - P255_WIDTH;
-
- /* X = A0 + 38 * A1, capture carry out */
- *carry = mbedtls_mpi_core_mla(X, P255_WIDTH, A1, A1_limbs, 38);
- /* Clear top part */
- memset(A1, 0, sizeof(mbedtls_mpi_uint) * A1_limbs);
- }
-
- /* Step 2: Reduce to <2p
- * Split as A0 + 2^255*c, with c a scalar, and compute A0 + 19*c */
- *carry <<= 1;
- *carry += (X[P255_WIDTH - 1] >> (biL - 1));
- *carry *= 19;
-
- /* Clear top bit */
- X[P255_WIDTH - 1] <<= 1; X[P255_WIDTH - 1] >>= 1;
- /* Since the top bit for X has been cleared 0 + 0 + Carry
- * will not overflow.
- *
- * Furthermore for 2p = 2^256-38. When a carry propagation on the highest
- * limb occurs, X > 2^255 and all the remaining bits on the limb are zero.
- * - If X < 2^255 ==> X < 2p
- * - If X > 2^255 ==> X < 2^256 - 2^255 < 2p */
- (void) mbedtls_mpi_core_add(X, X, carry, P255_WIDTH);
-
- mbedtls_free(carry);
- return 0;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-
-/* Size of p448 in terms of mbedtls_mpi_uint */
-#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
-
-/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
-#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
-#define P224_SIZE (224 / 8)
-#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
-#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
-#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
-
-static int ecp_mod_p448(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(448) * 2;
-
- /* This is required as some tests and use cases do not pass in a Bignum of
- * the correct size, and expect the growth to be done automatically, which
- * will no longer happen. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
-
- ret = mbedtls_ecp_mod_p448_raw(N->p, N->n);
-
-cleanup:
- return ret;
-}
-
-/*
- * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
- * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
- * (B0 + B1) * 2^224. This is different to the reference implementation of
- * Curve448, which uses its own special 56-bit limbs rather than a generic
- * bignum library. We could squeeze some extra speed out on 32-bit machines by
- * splitting N up into 32-bit limbs and doing the arithmetic using the limbs
- * directly as we do for the NIST primes above, but for 64-bit targets it should
- * use half the number of operations if we do the reduction with 224-bit limbs,
- * since mpi_core_add will then use 64-bit adds.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- size_t round;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (X_limbs != BITS_TO_LIMBS(448) * 2) {
- return 0;
- }
-
- size_t M_limbs = X_limbs - (P448_WIDTH);
-
- if (M_limbs > P448_WIDTH) {
- /* Shouldn't be called with X larger than 2^896! */
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- /* Both M and Q require an extra limb to catch carries. */
- M_limbs++;
-
- const size_t Q_limbs = M_limbs;
- mbedtls_mpi_uint *M = NULL;
- mbedtls_mpi_uint *Q = NULL;
-
- M = mbedtls_calloc(M_limbs, ciL);
-
- if (M == NULL) {
- return MBEDTLS_ERR_ECP_ALLOC_FAILED;
- }
-
- Q = mbedtls_calloc(Q_limbs, ciL);
-
- if (Q == NULL) {
- ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
- goto cleanup;
- }
-
- /* M = A1 */
- memset(M, 0, (M_limbs * ciL));
- /* Do not copy into the overflow limb, as this would read past the end of
- * X. */
- memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
-
- /* X = A0 */
- memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
-
- /* X = X + M = A0 + A1 */
- /* Carry here fits in oversize X. Oversize M means it will get
- * added in, not returned as carry. */
- (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
-
- /* Q = B1 = M >> 224 */
- memcpy(Q, (char *) M + P224_SIZE, P224_SIZE);
- memset((char *) Q + P224_SIZE, 0, P224_SIZE);
-
- /* X = X + Q = (A0 + A1) + B1
- * Oversize Q catches potential carry here when X is already max 448 bits.
- */
- (void) mbedtls_mpi_core_add(X, X, Q, Q_limbs);
-
- /* M = B0 */
-#ifdef MBEDTLS_HAVE_INT64
- M[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
- #endif
- memset(M + P224_WIDTH_MAX, 0, ((M_limbs - P224_WIDTH_MAX) * ciL));
-
- /* M = M + Q = B0 + B1 */
- (void) mbedtls_mpi_core_add(M, M, Q, Q_limbs);
-
- /* M = (B0 + B1) * 2^224 */
- /* Shifted carry bit from the addition fits in oversize M. */
- memmove((char *) M + P224_SIZE, M, P224_SIZE + ciL);
- memset(M, 0, P224_SIZE);
-
- /* X = X + M = (A0 + A1 + B1) + (B0 + B1) * 2^224 */
- (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
-
- /* In the second and third rounds A1 and B0 have at most 1 non-zero limb and
- * B1=0.
- * Using this we need to calculate:
- * A0 + A1 + B1 + (B0 + B1) * 2^224 = A0 + A1 + B0 * 2^224. */
- for (round = 0; round < 2; ++round) {
-
- /* M = A1 */
- memset(M, 0, (M_limbs * ciL));
- memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
-
- /* X = A0 */
- memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
-
- /* M = A1 + B0 * 2^224
- * We know that only one limb of A1 will be non-zero and that it will be
- * limb 0. We also know that B0 is the bottom 224 bits of A1 (which is
- * then shifted up 224 bits), so, given M is currently A1 this turns
- * into:
- * M = M + (M << 224)
- * As the single non-zero limb in B0 will be A1 limb 0 shifted up by 224
- * bits, we can just move that into the right place, shifted up
- * accordingly.*/
- M[P224_WIDTH_MIN] = M[0] << (224 & (biL - 1));
-
- /* X = A0 + (A1 + B0 * 2^224) */
- (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
- }
-
- ret = 0;
-
-cleanup:
- mbedtls_free(M);
- mbedtls_free(Q);
-
- return ret;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo P = 2^s - R,
- * with R about 33 bits, used by the Koblitz curves.
- *
- * Write X as A0 + 2^224 A1, return A0 + R * A1.
- */
-#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
-
-static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
- size_t X_limbs,
- mbedtls_mpi_uint *R,
- size_t bits)
-{
- int ret = 0;
-
- /* Determine if A1 is aligned to limb bitsize. If not then the used limbs
- * of P, A0 and A1 must be set accordingly and there is a middle limb
- * which is shared by A0 and A1 and need to handle accordingly.
- */
- size_t shift = bits % biL;
- size_t adjust = (shift + biL - 1) / biL;
- size_t P_limbs = bits / biL + adjust;
-
- mbedtls_mpi_uint *A1 = mbedtls_calloc(P_limbs, ciL);
- if (A1 == NULL) {
- return MBEDTLS_ERR_ECP_ALLOC_FAILED;
- }
-
- /* Create a buffer to store the value of `R * A1` */
- size_t R_limbs = P_KOBLITZ_R;
- size_t M_limbs = P_limbs + R_limbs;
- mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
- if (M == NULL) {
- ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
- goto cleanup;
- }
-
- mbedtls_mpi_uint mask = 0;
- if (adjust != 0) {
- mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
- }
-
- /* Two passes are needed to reduce the value of `A0 + R * A1` and then
- * we need an additional one to reduce the possible overflow during
- * the addition.
- */
- for (size_t pass = 0; pass < 3; pass++) {
- /* Copy A1 */
- memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
-
- /* Shift A1 to be aligned */
- if (shift != 0) {
- mbedtls_mpi_core_shift_r(A1, P_limbs, shift);
- }
-
- /* Zeroize the A1 part of the shared limb */
- if (mask != 0) {
- X[P_limbs - 1] &= mask;
- }
-
- /* X = A0
- * Zeroize the A1 part of X to keep only the A0 part.
- */
- for (size_t i = P_limbs; i < X_limbs; i++) {
- X[i] = 0;
- }
-
- /* X = A0 + R * A1 */
- mbedtls_mpi_core_mul(M, A1, P_limbs, R, R_limbs);
- (void) mbedtls_mpi_core_add(X, X, M, P_limbs + R_limbs);
-
- /* Carry can not be generated since R is a 33-bit value and stored in
- * 64 bits. The result value of the multiplication is at most
- * P length + 33 bits in length and the result value of the addition
- * is at most P length + 34 bits in length. So the result of the
- * addition always fits in P length + 64 bits.
- */
- }
-
-cleanup:
- mbedtls_free(M);
- mbedtls_free(A1);
-
- return ret;
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
- MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
- MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo p192k1 = 2^192 - R,
- * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
- */
-static int ecp_mod_p192k1(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(192) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width);
-
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00)
- };
-
- if (X_limbs != BITS_TO_LIMBS(192) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return ecp_mod_koblitz(X, X_limbs, Rp, 192);
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo p224k1 = 2^224 - R,
- * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
- */
-static int ecp_mod_p224k1(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(224) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width);
-
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00)
- };
-
- if (X_limbs != BITS_TO_LIMBS(224) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return ecp_mod_koblitz(X, X_limbs, Rp, 224);
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-
-/*
- * Fast quasi-reduction modulo p256k1 = 2^256 - R,
- * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
- */
-static int ecp_mod_p256k1(mbedtls_mpi *N)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t expected_width = BITS_TO_LIMBS(256) * 2;
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
- ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width);
-
-cleanup:
- return ret;
-}
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
-{
- static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00)
- };
-
- if (X_limbs != BITS_TO_LIMBS(256) * 2) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- return ecp_mod_koblitz(X, X_limbs, Rp, 256);
-}
-
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_ecp_group_id id,
- const mbedtls_ecp_modulus_type ctype)
-{
- mbedtls_mpi_modp_fn modp = NULL;
- mbedtls_mpi_uint *p = NULL;
- size_t p_limbs;
-
- if (!(ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE || \
- ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_SCALAR)) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- switch (id) {
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
- modp = &mbedtls_ecp_mod_p192_raw;
-#endif
- p = (mbedtls_mpi_uint *) secp192r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp192r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
- modp = &mbedtls_ecp_mod_p224_raw;
-#endif
- p = (mbedtls_mpi_uint *) secp224r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp224r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
- modp = &mbedtls_ecp_mod_p256_raw;
-#endif
- p = (mbedtls_mpi_uint *) secp256r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp256r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP384R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
- modp = &mbedtls_ecp_mod_p384_raw;
-#endif
- p = (mbedtls_mpi_uint *) secp384r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp384r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
- case MBEDTLS_ECP_DP_SECP521R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
-#if defined(MBEDTLS_ECP_NIST_OPTIM)
- modp = &mbedtls_ecp_mod_p521_raw;
-#endif
- p = (mbedtls_mpi_uint *) secp521r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp521r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
- case MBEDTLS_ECP_DP_BP256R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
- } else {
- p = (mbedtls_mpi_uint *) brainpoolP256r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
- case MBEDTLS_ECP_DP_BP384R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
- } else {
- p = (mbedtls_mpi_uint *) brainpoolP384r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
- case MBEDTLS_ECP_DP_BP512R1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
- } else {
- p = (mbedtls_mpi_uint *) brainpoolP512r1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- case MBEDTLS_ECP_DP_CURVE25519:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- modp = &mbedtls_ecp_mod_p255_raw;
- p = (mbedtls_mpi_uint *) curve25519_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
- } else {
- p = (mbedtls_mpi_uint *) curve25519_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP192K1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- modp = &mbedtls_ecp_mod_p192k1_raw;
- p = (mbedtls_mpi_uint *) secp192k1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp192k1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP224K1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- modp = &mbedtls_ecp_mod_p224k1_raw;
- p = (mbedtls_mpi_uint *) secp224k1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp224k1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
- case MBEDTLS_ECP_DP_SECP256K1:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- modp = &mbedtls_ecp_mod_p256k1_raw;
- p = (mbedtls_mpi_uint *) secp256k1_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
- } else {
- p = (mbedtls_mpi_uint *) secp256k1_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n));
- }
- break;
-#endif
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- case MBEDTLS_ECP_DP_CURVE448:
- if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
- modp = &mbedtls_ecp_mod_p448_raw;
- p = (mbedtls_mpi_uint *) curve448_p;
- p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
- } else {
- p = (mbedtls_mpi_uint *) curve448_n;
- p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n));
- }
- break;
-#endif
-
- default:
- case MBEDTLS_ECP_DP_NONE:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
-
- if (modp != NULL) {
- if (mbedtls_mpi_mod_optred_modulus_setup(N, p, p_limbs, modp)) {
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- } else {
- if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs)) {
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- }
- return 0;
-}
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-MBEDTLS_STATIC_TESTABLE
-mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
-{
- return MBEDTLS_ECP_VARIANT_WITH_MPI_UINT;
-}
-
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#endif /* !MBEDTLS_ECP_ALT */
-#endif /* MBEDTLS_ECP_LIGHT */
-#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/ecp_internal_alt.h b/library/ecp_internal_alt.h
deleted file mode 100644
index f663d67..0000000
--- a/library/ecp_internal_alt.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/**
- * \file ecp_internal_alt.h
- *
- * \brief Function declarations for alternative implementation of elliptic curve
- * point arithmetic.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * References:
- *
- * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
- * <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
- *
- * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
- * for elliptic curve cryptosystems. In : Cryptographic Hardware and
- * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
- * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
- *
- * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
- * render ECC resistant against Side Channel Attacks. IACR Cryptology
- * ePrint Archive, 2004, vol. 2004, p. 342.
- * <http://eprint.iacr.org/2004/342.pdf>
- *
- * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
- * <http://www.secg.org/sec2-v2.pdf>
- *
- * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
- * Curve Cryptography.
- *
- * [6] Digital Signature Standard (DSS), FIPS 186-4.
- * <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
- *
- * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
- * Security (TLS), RFC 4492.
- * <https://tools.ietf.org/search/rfc4492>
- *
- * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
- *
- * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
- * Springer Science & Business Media, 1 Aug 2000
- */
-
-#ifndef MBEDTLS_ECP_INTERNAL_H
-#define MBEDTLS_ECP_INTERNAL_H
-
-#include "mbedtls/build_info.h"
-
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-
-/**
- * \brief Indicate if the Elliptic Curve Point module extension can
- * handle the group.
- *
- * \param grp The pointer to the elliptic curve group that will be the
- * basis of the cryptographic computations.
- *
- * \return Non-zero if successful.
- */
-unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);
-
-/**
- * \brief Initialise the Elliptic Curve Point module extension.
- *
- * If mbedtls_internal_ecp_grp_capable returns true for a
- * group, this function has to be able to initialise the
- * module for it.
- *
- * This module can be a driver to a crypto hardware
- * accelerator, for which this could be an initialise function.
- *
- * \param grp The pointer to the group the module needs to be
- * initialised for.
- *
- * \return 0 if successful.
- */
-int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);
-
-/**
- * \brief Frees and deallocates the Elliptic Curve Point module
- * extension.
- *
- * \param grp The pointer to the group the module was initialised for.
- */
-void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);
-
-#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
-
-#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
-/**
- * \brief Randomize jacobian coordinates:
- * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
- *
- * \param grp Pointer to the group representing the curve.
- *
- * \param pt The point on the curve to be randomised, given with Jacobian
- * coordinates.
- *
- * \param f_rng A function pointer to the random number generator.
- *
- * \param p_rng A pointer to the random number generator state.
- *
- * \return 0 if successful.
- */
-int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *pt, int (*f_rng)(void *,
- unsigned char *,
- size_t),
- void *p_rng);
-#endif
-
-#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
-/**
- * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates.
- *
- * The coordinates of Q must be normalized (= affine),
- * but those of P don't need to. R is not normalized.
- *
- * This function is used only as a subrutine of
- * ecp_mul_comb().
- *
- * Special cases: (1) P or Q is zero, (2) R is zero,
- * (3) P == Q.
- * None of these cases can happen as intermediate step in
- * ecp_mul_comb():
- * - at each step, P, Q and R are multiples of the base
- * point, the factor being less than its order, so none of
- * them is zero;
- * - Q is an odd multiple of the base point, P an even
- * multiple, due to the choice of precomputed points in the
- * modified comb method.
- * So branches for these cases do not leak secret information.
- *
- * We accept Q->Z being unset (saving memory in tables) as
- * meaning 1.
- *
- * Cost in field operations if done by [5] 3.22:
- * 1A := 8M + 3S
- *
- * \param grp Pointer to the group representing the curve.
- *
- * \param R Pointer to a point structure to hold the result.
- *
- * \param P Pointer to the first summand, given with Jacobian
- * coordinates
- *
- * \param Q Pointer to the second summand, given with affine
- * coordinates.
- *
- * \return 0 if successful.
- */
-int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
- const mbedtls_ecp_point *Q);
-#endif
-
-/**
- * \brief Point doubling R = 2 P, Jacobian coordinates.
- *
- * Cost: 1D := 3M + 4S (A == 0)
- * 4M + 4S (A == -3)
- * 3M + 6S + 1a otherwise
- * when the implementation is based on the "dbl-1998-cmo-2"
- * doubling formulas in [8] and standard optimizations are
- * applied when curve parameter A is one of { 0, -3 }.
- *
- * \param grp Pointer to the group representing the curve.
- *
- * \param R Pointer to a point structure to hold the result.
- *
- * \param P Pointer to the point that has to be doubled, given with
- * Jacobian coordinates.
- *
- * \return 0 if successful.
- */
-#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
-int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R, const mbedtls_ecp_point *P);
-#endif
-
-/**
- * \brief Normalize jacobian coordinates of an array of (pointers to)
- * points.
- *
- * Using Montgomery's trick to perform only one inversion mod P
- * the cost is:
- * 1N(t) := 1I + (6t - 3)M + 1S
- * (See for example Algorithm 10.3.4. in [9])
- *
- * This function is used only as a subrutine of
- * ecp_mul_comb().
- *
- * Warning: fails (returning an error) if one of the points is
- * zero!
- * This should never happen, see choice of w in ecp_mul_comb().
- *
- * \param grp Pointer to the group representing the curve.
- *
- * \param T Array of pointers to the points to normalise.
- *
- * \param t_len Number of elements in the array.
- *
- * \return 0 if successful,
- * an error if one of the points is zero.
- */
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
-int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *T[], size_t t_len);
-#endif
-
-/**
- * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1.
- *
- * Cost in field operations if done by [5] 3.2.1:
- * 1N := 1I + 3M + 1S
- *
- * \param grp Pointer to the group representing the curve.
- *
- * \param pt pointer to the point to be normalised. This is an
- * input/output parameter.
- *
- * \return 0 if successful.
- */
-#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
-int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *pt);
-#endif
-
-#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
-
-#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
-int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *R,
- mbedtls_ecp_point *S,
- const mbedtls_ecp_point *P,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *d);
-#endif
-
-/**
- * \brief Randomize projective x/z coordinates:
- * (X, Z) -> (l X, l Z) for random l
- *
- * \param grp pointer to the group representing the curve
- *
- * \param P the point on the curve to be randomised given with
- * projective coordinates. This is an input/output parameter.
- *
- * \param f_rng a function pointer to the random number generator
- *
- * \param p_rng a pointer to the random number generator state
- *
- * \return 0 if successful
- */
-#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
-int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *P, int (*f_rng)(void *,
- unsigned char *,
- size_t),
- void *p_rng);
-#endif
-
-/**
- * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
- *
- * \param grp pointer to the group representing the curve
- *
- * \param P pointer to the point to be normalised. This is an
- * input/output parameter.
- *
- * \return 0 if successful
- */
-#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
-int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
- mbedtls_ecp_point *P);
-#endif
-
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
-
-#endif /* ecp_internal_alt.h */
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h
deleted file mode 100644
index bb3b127..0000000
--- a/library/ecp_invasive.h
+++ /dev/null
@@ -1,337 +0,0 @@
-/**
- * \file ecp_invasive.h
- *
- * \brief ECP module: interfaces for invasive testing only.
- *
- * The interfaces in this file are intended for testing purposes only.
- * They SHOULD NOT be made available in library integrations except when
- * building the library for testing.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ECP_INVASIVE_H
-#define MBEDTLS_ECP_INVASIVE_H
-
-#include "common.h"
-#include "mbedtls/bignum.h"
-#include "bignum_mod.h"
-#include "mbedtls/ecp.h"
-
-/*
- * Curve modulus types
- */
-typedef enum {
- MBEDTLS_ECP_MOD_NONE = 0,
- MBEDTLS_ECP_MOD_COORDINATE,
- MBEDTLS_ECP_MOD_SCALAR
-} mbedtls_ecp_modulus_type;
-
-typedef enum {
- MBEDTLS_ECP_VARIANT_NONE = 0,
- MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT,
- MBEDTLS_ECP_VARIANT_WITH_MPI_UINT
-} mbedtls_ecp_variant;
-
-#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_LIGHT)
-
-/** Queries the ecp variant.
- *
- * \return The id of the ecp variant.
- */
-MBEDTLS_STATIC_TESTABLE
-mbedtls_ecp_variant mbedtls_ecp_get_variant(void);
-
-#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
-/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).
- *
- * This function implements key generation for the set of secret keys
- * specified in [Curve25519] p. 5 and in [Curve448]. The resulting value
- * has the lower bits masked but is not necessarily canonical.
- *
- * \note - [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
- * - [RFC7748] https://tools.ietf.org/html/rfc7748
- *
- * \p high_bit The position of the high-order bit of the key to generate.
- * This is the bit-size of the key minus 1:
- * 254 for Curve25519 or 447 for Curve448.
- * \param d The randomly generated key. This is a number of size
- * exactly \p high_bit + 1 bits, with the least significant bits
- * masked as specified in [Curve25519] and in [RFC7748] §5.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context to be passed to \p f_rng.
- *
- * \return \c 0 on success.
- * \return \c MBEDTLS_ERR_ECP_xxx or MBEDTLS_ERR_MPI_xxx on failure.
- */
-int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
- mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-
-/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
- *
- * This operation expects a 384 bit MPI and the result of the reduction
- * is a 192 bit MPI.
- *
- * \param[in,out] Np The address of the MPI to be converted.
- * Must have twice as many limbs as the modulus.
- * Upon return this holds the reduced value. The bitlength
- * of the reduced value is the same as that of the modulus
- * (192 bits).
- * \param[in] Nn The length of \p Np in limbs.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
-
-#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-
-/** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 448-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (224 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
- * limb size that sores a 448-bit MPI.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-
-/** Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 512-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (256 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
- * limb size that sores a 512-bit MPI.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif
-
-#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-
-/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have twice as many limbs as the modulus
- * (the modulus is 521 bits long). Upon return this
- * holds the reduced value. The reduced value is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * and its the bitlength is one plus the bitlength
- * of the modulus.
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
- * twice as many limbs as the modulus.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-
-/** Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 768-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (384 bits).
- * \param[in] X_limbs The length of \p N in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p N_n does not have
- * twice as many limbs as the modulus.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-
-/** Fast quasi-reduction modulo p192k1 = 2^192 - R,
- * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 384-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (192 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
- * twice as many limbs as the modulus.
- * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-
-/** Fast quasi-reduction modulo p224k1 = 2^224 - R,
- * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 448-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (224 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
- * twice as many limbs as the modulus.
- * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-
-/** Fast quasi-reduction modulo p256k1 = 2^256 - R,
- * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 512-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * The bitlength of the reduced value is the same as
- * that of the modulus (256 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
- * twice as many limbs as the modulus.
- * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-
-/** Fast quasi-reduction modulo p255 = 2^255 - 19
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 510-bit MPI
- * (double the bitlength of the modulus).
- * Upon return holds the reduced value which is
- * in range `0 <= X < 2 * N` (where N is the modulus).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
- * twice as many limbs as the modulus.
- * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
-
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-
-/** Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
- * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
- * (B0 + B1) * 2^224.
- *
- * \param[in,out] X The address of the MPI to be converted.
- * Must have exact limb size that stores a 896-bit MPI
- * (double the bitlength of the modulus). Upon return
- * holds the reduced value which is in range `0 <= X <
- * N` (where N is the modulus). The bitlength of the
- * reduced value is the same as that of the modulus
- * (448 bits).
- * \param[in] X_limbs The length of \p X in limbs.
- *
- * \return \c 0 on Success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
- * twice as many limbs as the modulus.
- * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation
- * failed.
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs);
-
-#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
-
-/** Initialise a modulus with hard-coded const curve data.
- *
- * \note The caller is responsible for the \p N modulus' memory.
- * mbedtls_mpi_mod_modulus_free(&N) should be invoked at the
- * end of its lifecycle.
- *
- * \param[in,out] N The address of the modulus structure to populate.
- * Must be initialized.
- * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
- * \param[in] ctype The mbedtls_ecp_modulus_type identifier for a coordinate modulus (P)
- * or a scalar modulus (N).
- *
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not
- * have the correct number of limbs.
- *
- */
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
- const mbedtls_ecp_group_id id,
- const mbedtls_ecp_modulus_type ctype);
-
-#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
-
-#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/library/entropy.c b/library/entropy.c
deleted file mode 100644
index 0007917..0000000
--- a/library/entropy.c
+++ /dev/null
@@ -1,688 +0,0 @@
-/*
- * Entropy accumulator implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_ENTROPY_C)
-
-#include "mbedtls/entropy.h"
-#include "entropy_poll.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
-
-#include "mbedtls/platform.h"
-
-#define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */
-
-void mbedtls_entropy_init(mbedtls_entropy_context *ctx)
-{
- ctx->source_count = 0;
- memset(ctx->source, 0, sizeof(ctx->source));
-
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-
- ctx->accumulator_started = 0;
- mbedtls_md_init(&ctx->accumulator);
-
- /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
- * when adding more strong entropy sources here. */
-
-#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
-#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
- mbedtls_entropy_add_source(ctx, mbedtls_platform_entropy_poll, NULL,
- MBEDTLS_ENTROPY_MIN_PLATFORM,
- MBEDTLS_ENTROPY_SOURCE_STRONG);
-#endif
-#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
- mbedtls_entropy_add_source(ctx, mbedtls_hardware_poll, NULL,
- MBEDTLS_ENTROPY_MIN_HARDWARE,
- MBEDTLS_ENTROPY_SOURCE_STRONG);
-#endif
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
- mbedtls_entropy_add_source(ctx, mbedtls_nv_seed_poll, NULL,
- MBEDTLS_ENTROPY_BLOCK_SIZE,
- MBEDTLS_ENTROPY_SOURCE_STRONG);
- ctx->initial_entropy_run = 0;
-#endif
-#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
-}
-
-void mbedtls_entropy_free(mbedtls_entropy_context *ctx)
-{
- /* If the context was already free, don't call free() again.
- * This is important for mutexes which don't allow double-free. */
- if (ctx->accumulator_started == -1) {
- return;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free(&ctx->mutex);
-#endif
- mbedtls_md_free(&ctx->accumulator);
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
- ctx->initial_entropy_run = 0;
-#endif
- ctx->source_count = 0;
- mbedtls_platform_zeroize(ctx->source, sizeof(ctx->source));
- ctx->accumulator_started = -1;
-}
-
-int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
- mbedtls_entropy_f_source_ptr f_source, void *p_source,
- size_t threshold, int strong)
-{
- int idx, ret = 0;
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- idx = ctx->source_count;
- if (idx >= MBEDTLS_ENTROPY_MAX_SOURCES) {
- ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
- goto exit;
- }
-
- ctx->source[idx].f_source = f_source;
- ctx->source[idx].p_source = p_source;
- ctx->source[idx].threshold = threshold;
- ctx->source[idx].strong = strong;
-
- ctx->source_count++;
-
-exit:
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-/*
- * Entropy accumulator update
- */
-static int entropy_update(mbedtls_entropy_context *ctx, unsigned char source_id,
- const unsigned char *data, size_t len)
-{
- unsigned char header[2];
- unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
- size_t use_len = len;
- const unsigned char *p = data;
- int ret = 0;
-
- if (use_len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
- if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
- data, len, tmp)) != 0) {
- goto cleanup;
- }
- p = tmp;
- use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
- }
-
- header[0] = source_id;
- header[1] = use_len & 0xFF;
-
- /*
- * Start the accumulator if this has not already happened. Note that
- * it is sufficient to start the accumulator here only because all calls to
- * gather entropy eventually execute this code.
- */
- if (ctx->accumulator_started == 0) {
- ret = mbedtls_md_setup(&ctx->accumulator,
- mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
- if (ret != 0) {
- goto cleanup;
- }
- ret = mbedtls_md_starts(&ctx->accumulator);
- if (ret != 0) {
- goto cleanup;
- }
- ctx->accumulator_started = 1;
- }
- if ((ret = mbedtls_md_update(&ctx->accumulator, header, 2)) != 0) {
- goto cleanup;
- }
- ret = mbedtls_md_update(&ctx->accumulator, p, use_len);
-
-cleanup:
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
-
- return ret;
-}
-
-int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
- const unsigned char *data, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- ret = entropy_update(ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len);
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-/*
- * Run through the different sources to add entropy to our accumulator
- */
-static int entropy_gather_internal(mbedtls_entropy_context *ctx)
-{
- int ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- int i;
- int have_one_strong = 0;
- unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
- size_t olen;
-
- if (ctx->source_count == 0) {
- return MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED;
- }
-
- /*
- * Run through our entropy sources
- */
- for (i = 0; i < ctx->source_count; i++) {
- if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
- have_one_strong = 1;
- }
-
- olen = 0;
- if ((ret = ctx->source[i].f_source(ctx->source[i].p_source,
- buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen)) != 0) {
- goto cleanup;
- }
-
- /*
- * Add if we actually gathered something
- */
- if (olen > 0) {
- if ((ret = entropy_update(ctx, (unsigned char) i,
- buf, olen)) != 0) {
- return ret;
- }
- ctx->source[i].size += olen;
- }
- }
-
- if (have_one_strong == 0) {
- ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
- }
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- return ret;
-}
-
-/*
- * Thread-safe wrapper for entropy_gather_internal()
- */
-int mbedtls_entropy_gather(mbedtls_entropy_context *ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- ret = entropy_gather_internal(ctx);
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-int mbedtls_entropy_func(void *data, unsigned char *output, size_t len)
-{
- int ret, count = 0, i, thresholds_reached;
- size_t strong_size;
- mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
-
- if (len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
- /* Update the NV entropy seed before generating any entropy for outside
- * use.
- */
- if (ctx->initial_entropy_run == 0) {
- ctx->initial_entropy_run = 1;
- if ((ret = mbedtls_entropy_update_nv_seed(ctx)) != 0) {
- return ret;
- }
- }
-#endif
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- /*
- * Always gather extra entropy before a call
- */
- do {
- if (count++ > ENTROPY_MAX_LOOP) {
- ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- goto exit;
- }
-
- if ((ret = entropy_gather_internal(ctx)) != 0) {
- goto exit;
- }
-
- thresholds_reached = 1;
- strong_size = 0;
- for (i = 0; i < ctx->source_count; i++) {
- if (ctx->source[i].size < ctx->source[i].threshold) {
- thresholds_reached = 0;
- }
- if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
- strong_size += ctx->source[i].size;
- }
- }
- } while (!thresholds_reached || strong_size < MBEDTLS_ENTROPY_BLOCK_SIZE);
-
- memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
-
- /*
- * Note that at this stage it is assumed that the accumulator was started
- * in a previous call to entropy_update(). If this is not guaranteed, the
- * code below will fail.
- */
- if ((ret = mbedtls_md_finish(&ctx->accumulator, buf)) != 0) {
- goto exit;
- }
-
- /*
- * Reset accumulator and counters and recycle existing entropy
- */
- mbedtls_md_free(&ctx->accumulator);
- mbedtls_md_init(&ctx->accumulator);
- ret = mbedtls_md_setup(&ctx->accumulator,
- mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_starts(&ctx->accumulator);
- if (ret != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&ctx->accumulator, buf,
- MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
- goto exit;
- }
-
- /*
- * Perform second hashing on entropy
- */
- if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
- buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf)) != 0) {
- goto exit;
- }
-
- for (i = 0; i < ctx->source_count; i++) {
- ctx->source[i].size = 0;
- }
-
- memcpy(output, buf, len);
-
- ret = 0;
-
-exit:
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx)
-{
- int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
-
- /* Read new seed and write it to NV */
- if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
- return ret;
- }
-
- if (mbedtls_nv_seed_write(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
- return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- }
-
- /* Manually update the remaining stream with a separator value to diverge */
- memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
- ret = mbedtls_entropy_update_manual(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
-
- return ret;
-}
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- FILE *f = NULL;
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
-
- if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
- ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- goto exit;
- }
-
- if ((f = fopen(path, "wb")) == NULL) {
- ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- goto exit;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) {
- ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- goto exit;
- }
-
- ret = 0;
-
-exit:
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- if (f != NULL) {
- fclose(f);
- }
-
- return ret;
-}
-
-int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path)
-{
- int ret = 0;
- FILE *f;
- size_t n;
- unsigned char buf[MBEDTLS_ENTROPY_MAX_SEED_SIZE];
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- fseek(f, 0, SEEK_END);
- n = (size_t) ftell(f);
- fseek(f, 0, SEEK_SET);
-
- if (n > MBEDTLS_ENTROPY_MAX_SEED_SIZE) {
- n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
- }
-
- if (fread(buf, 1, n, f) != n) {
- ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- } else {
- ret = mbedtls_entropy_update_manual(ctx, buf, n);
- }
-
- fclose(f);
-
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- if (ret != 0) {
- return ret;
- }
-
- return mbedtls_entropy_write_seed_file(ctx, path);
-}
-#endif /* MBEDTLS_FS_IO */
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * Dummy source function
- */
-static int entropy_dummy_source(void *data, unsigned char *output,
- size_t len, size_t *olen)
-{
- ((void) data);
-
- memset(output, 0x2a, len);
- *olen = len;
-
- return 0;
-}
-
-#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
-
-static int mbedtls_entropy_source_self_test_gather(unsigned char *buf, size_t buf_len)
-{
- int ret = 0;
- size_t entropy_len = 0;
- size_t olen = 0;
- size_t attempts = buf_len;
-
- while (attempts > 0 && entropy_len < buf_len) {
- if ((ret = mbedtls_hardware_poll(NULL, buf + entropy_len,
- buf_len - entropy_len, &olen)) != 0) {
- return ret;
- }
-
- entropy_len += olen;
- attempts--;
- }
-
- if (entropy_len < buf_len) {
- ret = 1;
- }
-
- return ret;
-}
-
-
-static int mbedtls_entropy_source_self_test_check_bits(const unsigned char *buf,
- size_t buf_len)
-{
- unsigned char set = 0xFF;
- unsigned char unset = 0x00;
- size_t i;
-
- for (i = 0; i < buf_len; i++) {
- set &= buf[i];
- unset |= buf[i];
- }
-
- return set == 0xFF || unset == 0x00;
-}
-
-/*
- * A test to ensure that the entropy sources are functioning correctly
- * and there is no obvious failure. The test performs the following checks:
- * - The entropy source is not providing only 0s (all bits unset) or 1s (all
- * bits set).
- * - The entropy source is not providing values in a pattern. Because the
- * hardware could be providing data in an arbitrary length, this check polls
- * the hardware entropy source twice and compares the result to ensure they
- * are not equal.
- * - The error code returned by the entropy source is not an error.
- */
-int mbedtls_entropy_source_self_test(int verbose)
-{
- int ret = 0;
- unsigned char buf0[2 * sizeof(unsigned long long int)];
- unsigned char buf1[2 * sizeof(unsigned long long int)];
-
- if (verbose != 0) {
- mbedtls_printf(" ENTROPY_BIAS test: ");
- }
-
- memset(buf0, 0x00, sizeof(buf0));
- memset(buf1, 0x00, sizeof(buf1));
-
- if ((ret = mbedtls_entropy_source_self_test_gather(buf0, sizeof(buf0))) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_entropy_source_self_test_gather(buf1, sizeof(buf1))) != 0) {
- goto cleanup;
- }
-
- /* Make sure that the returned values are not all 0 or 1 */
- if ((ret = mbedtls_entropy_source_self_test_check_bits(buf0, sizeof(buf0))) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_entropy_source_self_test_check_bits(buf1, sizeof(buf1))) != 0) {
- goto cleanup;
- }
-
- /* Make sure that the entropy source is not returning values in a
- * pattern */
- ret = memcmp(buf0, buf1, sizeof(buf0)) == 0;
-
-cleanup:
- if (verbose != 0) {
- if (ret != 0) {
- mbedtls_printf("failed\n");
- } else {
- mbedtls_printf("passed\n");
- }
-
- mbedtls_printf("\n");
- }
-
- return ret != 0;
-}
-
-#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
-
-/*
- * The actual entropy quality is hard to test, but we can at least
- * test that the functions don't cause errors and write the correct
- * amount of data to buffers.
- */
-int mbedtls_entropy_self_test(int verbose)
-{
- int ret = 1;
- mbedtls_entropy_context ctx;
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
- unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
- size_t i, j;
-
- if (verbose != 0) {
- mbedtls_printf(" ENTROPY test: ");
- }
-
- mbedtls_entropy_init(&ctx);
-
- /* First do a gather to make sure we have default sources */
- if ((ret = mbedtls_entropy_gather(&ctx)) != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_entropy_add_source(&ctx, entropy_dummy_source, NULL, 16,
- MBEDTLS_ENTROPY_SOURCE_WEAK);
- if (ret != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof(buf))) != 0) {
- goto cleanup;
- }
-
- /*
- * To test that mbedtls_entropy_func writes correct number of bytes:
- * - use the whole buffer and rely on ASan to detect overruns
- * - collect entropy 8 times and OR the result in an accumulator:
- * any byte should then be 0 with probably 2^(-64), so requiring
- * each of the 32 or 64 bytes to be non-zero has a false failure rate
- * of at most 2^(-58) which is acceptable.
- */
- for (i = 0; i < 8; i++) {
- if ((ret = mbedtls_entropy_func(&ctx, buf, sizeof(buf))) != 0) {
- goto cleanup;
- }
-
- for (j = 0; j < sizeof(buf); j++) {
- acc[j] |= buf[j];
- }
- }
-
- for (j = 0; j < sizeof(buf); j++) {
- if (acc[j] == 0) {
- ret = 1;
- goto cleanup;
- }
- }
-
-#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
- if ((ret = mbedtls_entropy_source_self_test(0)) != 0) {
- goto cleanup;
- }
-#endif
-
-cleanup:
- mbedtls_entropy_free(&ctx);
-
- if (verbose != 0) {
- if (ret != 0) {
- mbedtls_printf("failed\n");
- } else {
- mbedtls_printf("passed\n");
- }
-
- mbedtls_printf("\n");
- }
-
- return ret != 0;
-}
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_ENTROPY_C */
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
deleted file mode 100644
index 9d5b1e6..0000000
--- a/library/entropy_poll.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * Platform-specific and custom entropy polling functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#if defined(__linux__) && !defined(_GNU_SOURCE)
-/* Ensure that syscall() is available even when compiling with -std=c99 */
-#define _GNU_SOURCE
-#endif
-
-#include "common.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_ENTROPY_C)
-
-#include "mbedtls/entropy.h"
-#include "entropy_poll.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_TIMING_C)
-#include "mbedtls/timing.h"
-#endif
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
-
-#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__) && !defined(__midipix__)
-#error \
- "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
-#endif
-
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-
-#include <windows.h>
-#include <bcrypt.h>
-#include <intsafe.h>
-
-int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
- size_t *olen)
-{
- ((void) data);
- *olen = 0;
-
- /*
- * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
- * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
- * on ULONG_MAX) size.
- */
- while (len != 0) {
- unsigned long ulong_bytes =
- (len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
-
- if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
- BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-
- *olen += ulong_bytes;
- len -= ulong_bytes;
- }
-
- return 0;
-}
-#else /* _WIN32 && !EFIX64 && !EFI32 */
-
-/*
- * Test for Linux getrandom() support.
- * Since there is no wrapper in the libc yet, use the generic syscall wrapper
- * available in GNU libc and compatible libc's (eg uClibc).
- */
-#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
-#include <unistd.h>
-#include <sys/syscall.h>
-#if defined(SYS_getrandom)
-#define HAVE_GETRANDOM
-#include <errno.h>
-
-static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
-{
- /* MemSan cannot understand that the syscall writes to the buffer */
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer)
- memset(buf, 0, buflen);
-#endif
-#endif
- return syscall(SYS_getrandom, buf, buflen, flags);
-}
-#endif /* SYS_getrandom */
-#endif /* __linux__ || __midipix__ */
-
-#if defined(__FreeBSD__) || defined(__DragonFly__)
-#include <sys/param.h>
-#if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
- (defined(__DragonFly__) && __DragonFly_version >= 500700)
-#include <errno.h>
-#include <sys/random.h>
-#define HAVE_GETRANDOM
-static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
-{
- return getrandom(buf, buflen, flags);
-}
-#endif /* (__FreeBSD__ && __FreeBSD_version >= 1200000) ||
- (__DragonFly__ && __DragonFly_version >= 500700) */
-#endif /* __FreeBSD__ || __DragonFly__ */
-
-/*
- * Some BSD systems provide KERN_ARND.
- * This is equivalent to reading from /dev/urandom, only it doesn't require an
- * open file descriptor, and provides up to 256 bytes per call (basically the
- * same as getentropy(), but with a longer history).
- *
- * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
- */
-#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
-#include <sys/param.h>
-#include <sys/sysctl.h>
-#if defined(KERN_ARND)
-#define HAVE_SYSCTL_ARND
-
-static int sysctl_arnd_wrapper(unsigned char *buf, size_t buflen)
-{
- int name[2];
- size_t len;
-
- name[0] = CTL_KERN;
- name[1] = KERN_ARND;
-
- while (buflen > 0) {
- len = buflen > 256 ? 256 : buflen;
- if (sysctl(name, 2, buf, &len, NULL, 0) == -1) {
- return -1;
- }
- buflen -= len;
- buf += len;
- }
- return 0;
-}
-#endif /* KERN_ARND */
-#endif /* __FreeBSD__ || __NetBSD__ */
-
-#include <stdio.h>
-
-int mbedtls_platform_entropy_poll(void *data,
- unsigned char *output, size_t len, size_t *olen)
-{
- FILE *file;
- size_t read_len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ((void) data);
-
-#if defined(HAVE_GETRANDOM)
- ret = getrandom_wrapper(output, len, 0);
- if (ret >= 0) {
- *olen = ret;
- return 0;
- } else if (errno != ENOSYS) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
- /* Fall through if the system call isn't known. */
-#else
- ((void) ret);
-#endif /* HAVE_GETRANDOM */
-
-#if defined(HAVE_SYSCTL_ARND)
- ((void) file);
- ((void) read_len);
- if (sysctl_arnd_wrapper(output, len) == -1) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
- *olen = len;
- return 0;
-#else
-
- *olen = 0;
-
- file = fopen("/dev/urandom", "rb");
- if (file == NULL) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(file, NULL);
-
- read_len = fread(output, 1, len, file);
- if (read_len != len) {
- fclose(file);
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-
- fclose(file);
- *olen = len;
-
- return 0;
-#endif /* HAVE_SYSCTL_ARND */
-}
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
-#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-int mbedtls_nv_seed_poll(void *data,
- unsigned char *output, size_t len, size_t *olen)
-{
- unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
- size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
- ((void) data);
-
- memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
-
- if (mbedtls_nv_seed_read(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-
- if (len < use_len) {
- use_len = len;
- }
-
- memcpy(output, buf, use_len);
- *olen = use_len;
-
- return 0;
-}
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-
-#endif /* MBEDTLS_ENTROPY_C */
diff --git a/library/entropy_poll.h b/library/entropy_poll.h
deleted file mode 100644
index be4943c..0000000
--- a/library/entropy_poll.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * \file entropy_poll.h
- *
- * \brief Platform-specific and custom entropy polling functions
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_ENTROPY_POLL_H
-#define MBEDTLS_ENTROPY_POLL_H
-
-#include "mbedtls/build_info.h"
-
-#include <stddef.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Default thresholds for built-in sources, in bytes
- */
-#define MBEDTLS_ENTROPY_MIN_PLATFORM 32 /**< Minimum for platform source */
-#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
-#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Minimum for the hardware source */
-#endif
-
-#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
-/**
- * \brief Platform-specific entropy poll callback
- */
-int mbedtls_platform_entropy_poll(void *data,
- unsigned char *output, size_t len, size_t *olen);
-#endif
-
-#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
-/**
- * \brief Entropy poll callback for a hardware source
- *
- * \warning This is not provided by Mbed TLS!
- * See \c MBEDTLS_ENTROPY_HARDWARE_ALT in mbedtls_config.h.
- *
- * \note This must accept NULL as its first argument.
- */
-int mbedtls_hardware_poll(void *data,
- unsigned char *output, size_t len, size_t *olen);
-#endif
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-/**
- * \brief Entropy poll callback for a non-volatile seed file
- *
- * \note This must accept NULL as its first argument.
- */
-int mbedtls_nv_seed_poll(void *data,
- unsigned char *output, size_t len, size_t *olen);
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* entropy_poll.h */
diff --git a/library/gcm.c b/library/gcm.c
deleted file mode 100644
index c8618be..0000000
--- a/library/gcm.c
+++ /dev/null
@@ -1,1180 +0,0 @@
-/*
- * NIST SP800-38D compliant GCM implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
- *
- * See also:
- * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
- *
- * We use the algorithm described as Shoup's method with 4-bit tables in
- * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_GCM_C)
-
-#include "mbedtls/gcm.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_AESNI_C)
-#include "aesni.h"
-#endif
-
-#if defined(MBEDTLS_AESCE_C)
-#include "aesce.h"
-#endif
-
-#if !defined(MBEDTLS_GCM_ALT)
-
-/*
- * Initialize a context
- */
-void mbedtls_gcm_init(mbedtls_gcm_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_gcm_context));
-}
-
-/*
- * Precompute small multiples of H, that is set
- * HH[i] || HL[i] = H times i,
- * where i is seen as a field element as in [MGV], ie high-order bits
- * correspond to low powers of P. The result is stored in the same way, that
- * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
- * corresponds to P^127.
- */
-static int gcm_gen_table(mbedtls_gcm_context *ctx)
-{
- int ret, i, j;
- uint64_t hi, lo;
- uint64_t vl, vh;
- unsigned char h[16];
- size_t olen = 0;
-
- memset(h, 0, 16);
- if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen)) != 0) {
- return ret;
- }
-
- /* pack h as two 64-bits ints, big-endian */
- hi = MBEDTLS_GET_UINT32_BE(h, 0);
- lo = MBEDTLS_GET_UINT32_BE(h, 4);
- vh = (uint64_t) hi << 32 | lo;
-
- hi = MBEDTLS_GET_UINT32_BE(h, 8);
- lo = MBEDTLS_GET_UINT32_BE(h, 12);
- vl = (uint64_t) hi << 32 | lo;
-
- /* 8 = 1000 corresponds to 1 in GF(2^128) */
- ctx->HL[8] = vl;
- ctx->HH[8] = vh;
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- /* With CLMUL support, we need only h, not the rest of the table */
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
- return 0;
- }
-#endif
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- return 0;
- }
-#endif
-
- /* 0 corresponds to 0 in GF(2^128) */
- ctx->HH[0] = 0;
- ctx->HL[0] = 0;
-
- for (i = 4; i > 0; i >>= 1) {
- uint32_t T = (vl & 1) * 0xe1000000U;
- vl = (vh << 63) | (vl >> 1);
- vh = (vh >> 1) ^ ((uint64_t) T << 32);
-
- ctx->HL[i] = vl;
- ctx->HH[i] = vh;
- }
-
- for (i = 2; i <= 8; i *= 2) {
- uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
- vh = *HiH;
- vl = *HiL;
- for (j = 1; j < i; j++) {
- HiH[j] = vh ^ ctx->HH[j];
- HiL[j] = vl ^ ctx->HL[j];
- }
- }
-
- return 0;
-}
-
-int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_cipher_info_t *cipher_info;
-
- if (keybits != 128 && keybits != 192 && keybits != 256) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
- MBEDTLS_MODE_ECB);
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- mbedtls_cipher_free(&ctx->cipher_ctx);
-
- if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
- MBEDTLS_ENCRYPT)) != 0) {
- return ret;
- }
-
- if ((ret = gcm_gen_table(ctx)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Shoup's method for multiplication use this table with
- * last4[x] = x times P^128
- * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
- */
-static const uint16_t last4[16] =
-{
- 0x0000, 0x1c20, 0x3840, 0x2460,
- 0x7080, 0x6ca0, 0x48c0, 0x54e0,
- 0xe100, 0xfd20, 0xd940, 0xc560,
- 0x9180, 0x8da0, 0xa9c0, 0xb5e0
-};
-
-/*
- * Sets output to x times H using the precomputed tables.
- * x and output are seen as elements of GF(2^128) as in [MGV].
- */
-static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
- unsigned char output[16])
-{
- int i = 0;
- unsigned char lo, hi, rem;
- uint64_t zh, zl;
-
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
- unsigned char h[16];
-
- /* mbedtls_aesni_gcm_mult needs big-endian input */
- MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0);
- MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4);
- MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8);
- MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12);
-
- mbedtls_aesni_gcm_mult(output, x, h);
- return;
- }
-#endif /* MBEDTLS_AESNI_HAVE_CODE */
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- unsigned char h[16];
-
- /* mbedtls_aesce_gcm_mult needs big-endian input */
- MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0);
- MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4);
- MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8);
- MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12);
-
- mbedtls_aesce_gcm_mult(output, x, h);
- return;
- }
-#endif
-
- lo = x[15] & 0xf;
-
- zh = ctx->HH[lo];
- zl = ctx->HL[lo];
-
- for (i = 15; i >= 0; i--) {
- lo = x[i] & 0xf;
- hi = (x[i] >> 4) & 0xf;
-
- if (i != 15) {
- rem = (unsigned char) zl & 0xf;
- zl = (zh << 60) | (zl >> 4);
- zh = (zh >> 4);
- zh ^= (uint64_t) last4[rem] << 48;
- zh ^= ctx->HH[lo];
- zl ^= ctx->HL[lo];
-
- }
-
- rem = (unsigned char) zl & 0xf;
- zl = (zh << 60) | (zl >> 4);
- zh = (zh >> 4);
- zh ^= (uint64_t) last4[rem] << 48;
- zh ^= ctx->HH[hi];
- zl ^= ctx->HL[hi];
- }
-
- MBEDTLS_PUT_UINT32_BE(zh >> 32, output, 0);
- MBEDTLS_PUT_UINT32_BE(zh, output, 4);
- MBEDTLS_PUT_UINT32_BE(zl >> 32, output, 8);
- MBEDTLS_PUT_UINT32_BE(zl, output, 12);
-}
-
-int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
- int mode,
- const unsigned char *iv, size_t iv_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char work_buf[16];
- const unsigned char *p;
- size_t use_len, olen = 0;
- uint64_t iv_bits;
-
- /* IV is limited to 2^64 bits, so 2^61 bytes */
- /* IV is not allowed to be zero length */
- if (iv_len == 0 || (uint64_t) iv_len >> 61 != 0) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- memset(ctx->y, 0x00, sizeof(ctx->y));
- memset(ctx->buf, 0x00, sizeof(ctx->buf));
-
- ctx->mode = mode;
- ctx->len = 0;
- ctx->add_len = 0;
-
- if (iv_len == 12) {
- memcpy(ctx->y, iv, iv_len);
- ctx->y[15] = 1;
- } else {
- memset(work_buf, 0x00, 16);
- iv_bits = (uint64_t) iv_len * 8;
- MBEDTLS_PUT_UINT64_BE(iv_bits, work_buf, 8);
-
- p = iv;
- while (iv_len > 0) {
- use_len = (iv_len < 16) ? iv_len : 16;
-
- mbedtls_xor(ctx->y, ctx->y, p, use_len);
-
- gcm_mult(ctx, ctx->y, ctx->y);
-
- iv_len -= use_len;
- p += use_len;
- }
-
- mbedtls_xor(ctx->y, ctx->y, work_buf, 16);
-
- gcm_mult(ctx, ctx->y, ctx->y);
- }
-
- if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16,
- ctx->base_ectr, &olen)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/**
- * mbedtls_gcm_context::buf contains the partial state of the computation of
- * the authentication tag.
- * mbedtls_gcm_context::add_len and mbedtls_gcm_context::len indicate
- * different stages of the computation:
- * * len == 0 && add_len == 0: initial state
- * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have
- * a partial block of AD that has been
- * xored in but not yet multiplied in.
- * * len == 0 && add_len % 16 == 0: the authentication tag is correct if
- * the data ends now.
- * * len % 16 != 0: the first `len % 16` bytes have
- * a partial block of ciphertext that has
- * been xored in but not yet multiplied in.
- * * len > 0 && len % 16 == 0: the authentication tag is correct if
- * the data ends now.
- */
-int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
- const unsigned char *add, size_t add_len)
-{
- const unsigned char *p;
- size_t use_len, offset;
-
- /* IV is limited to 2^64 bits, so 2^61 bytes */
- if ((uint64_t) add_len >> 61 != 0) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- offset = ctx->add_len % 16;
- p = add;
-
- if (offset != 0) {
- use_len = 16 - offset;
- if (use_len > add_len) {
- use_len = add_len;
- }
-
- mbedtls_xor(ctx->buf + offset, ctx->buf + offset, p, use_len);
-
- if (offset + use_len == 16) {
- gcm_mult(ctx, ctx->buf, ctx->buf);
- }
-
- ctx->add_len += use_len;
- add_len -= use_len;
- p += use_len;
- }
-
- ctx->add_len += add_len;
-
- while (add_len >= 16) {
- mbedtls_xor(ctx->buf, ctx->buf, p, 16);
-
- gcm_mult(ctx, ctx->buf, ctx->buf);
-
- add_len -= 16;
- p += 16;
- }
-
- if (add_len > 0) {
- mbedtls_xor(ctx->buf, ctx->buf, p, add_len);
- }
-
- return 0;
-}
-
-/* Increment the counter. */
-static void gcm_incr(unsigned char y[16])
-{
- size_t i;
- for (i = 16; i > 12; i--) {
- if (++y[i - 1] != 0) {
- break;
- }
- }
-}
-
-/* Calculate and apply the encryption mask. Process use_len bytes of data,
- * starting at position offset in the mask block. */
-static int gcm_mask(mbedtls_gcm_context *ctx,
- unsigned char ectr[16],
- size_t offset, size_t use_len,
- const unsigned char *input,
- unsigned char *output)
-{
- size_t olen = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ectr,
- &olen)) != 0) {
- mbedtls_platform_zeroize(ectr, 16);
- return ret;
- }
-
- if (ctx->mode == MBEDTLS_GCM_DECRYPT) {
- mbedtls_xor(ctx->buf + offset, ctx->buf + offset, input, use_len);
- }
- mbedtls_xor(output, ectr + offset, input, use_len);
- if (ctx->mode == MBEDTLS_GCM_ENCRYPT) {
- mbedtls_xor(ctx->buf + offset, ctx->buf + offset, output, use_len);
- }
-
- return 0;
-}
-
-int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
- const unsigned char *input, size_t input_length,
- unsigned char *output, size_t output_size,
- size_t *output_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *p = input;
- unsigned char *out_p = output;
- size_t offset;
- unsigned char ectr[16] = { 0 };
-
- if (output_size < input_length) {
- return MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL;
- }
- *output_length = input_length;
-
- /* Exit early if input_length==0 so that we don't do any pointer arithmetic
- * on a potentially null pointer.
- * Returning early also means that the last partial block of AD remains
- * untouched for mbedtls_gcm_finish */
- if (input_length == 0) {
- return 0;
- }
-
- if (output > input && (size_t) (output - input) < input_length) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
- * Also check for possible overflow */
- if (ctx->len + input_length < ctx->len ||
- (uint64_t) ctx->len + input_length > 0xFFFFFFFE0ull) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- if (ctx->len == 0 && ctx->add_len % 16 != 0) {
- gcm_mult(ctx, ctx->buf, ctx->buf);
- }
-
- offset = ctx->len % 16;
- if (offset != 0) {
- size_t use_len = 16 - offset;
- if (use_len > input_length) {
- use_len = input_length;
- }
-
- if ((ret = gcm_mask(ctx, ectr, offset, use_len, p, out_p)) != 0) {
- return ret;
- }
-
- if (offset + use_len == 16) {
- gcm_mult(ctx, ctx->buf, ctx->buf);
- }
-
- ctx->len += use_len;
- input_length -= use_len;
- p += use_len;
- out_p += use_len;
- }
-
- ctx->len += input_length;
-
- while (input_length >= 16) {
- gcm_incr(ctx->y);
- if ((ret = gcm_mask(ctx, ectr, 0, 16, p, out_p)) != 0) {
- return ret;
- }
-
- gcm_mult(ctx, ctx->buf, ctx->buf);
-
- input_length -= 16;
- p += 16;
- out_p += 16;
- }
-
- if (input_length > 0) {
- gcm_incr(ctx->y);
- if ((ret = gcm_mask(ctx, ectr, 0, input_length, p, out_p)) != 0) {
- return ret;
- }
- }
-
- mbedtls_platform_zeroize(ectr, sizeof(ectr));
- return 0;
-}
-
-int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
- unsigned char *output, size_t output_size,
- size_t *output_length,
- unsigned char *tag, size_t tag_len)
-{
- unsigned char work_buf[16];
- uint64_t orig_len;
- uint64_t orig_add_len;
-
- /* We never pass any output in finish(). The output parameter exists only
- * for the sake of alternative implementations. */
- (void) output;
- (void) output_size;
- *output_length = 0;
-
- orig_len = ctx->len * 8;
- orig_add_len = ctx->add_len * 8;
-
- if (ctx->len == 0 && ctx->add_len % 16 != 0) {
- gcm_mult(ctx, ctx->buf, ctx->buf);
- }
-
- if (tag_len > 16 || tag_len < 4) {
- return MBEDTLS_ERR_GCM_BAD_INPUT;
- }
-
- if (ctx->len % 16 != 0) {
- gcm_mult(ctx, ctx->buf, ctx->buf);
- }
-
- memcpy(tag, ctx->base_ectr, tag_len);
-
- if (orig_len || orig_add_len) {
- memset(work_buf, 0x00, 16);
-
- MBEDTLS_PUT_UINT32_BE((orig_add_len >> 32), work_buf, 0);
- MBEDTLS_PUT_UINT32_BE((orig_add_len), work_buf, 4);
- MBEDTLS_PUT_UINT32_BE((orig_len >> 32), work_buf, 8);
- MBEDTLS_PUT_UINT32_BE((orig_len), work_buf, 12);
-
- mbedtls_xor(ctx->buf, ctx->buf, work_buf, 16);
-
- gcm_mult(ctx, ctx->buf, ctx->buf);
-
- mbedtls_xor(tag, tag, ctx->buf, tag_len);
- }
-
- return 0;
-}
-
-int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
- int mode,
- size_t length,
- const unsigned char *iv,
- size_t iv_len,
- const unsigned char *add,
- size_t add_len,
- const unsigned char *input,
- unsigned char *output,
- size_t tag_len,
- unsigned char *tag)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen;
-
- if ((ret = mbedtls_gcm_starts(ctx, mode, iv, iv_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_gcm_update_ad(ctx, add, add_len)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_gcm_update(ctx, input, length,
- output, length, &olen)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_gcm_finish(ctx, NULL, 0, &olen, tag, tag_len)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
- size_t length,
- const unsigned char *iv,
- size_t iv_len,
- const unsigned char *add,
- size_t add_len,
- const unsigned char *tag,
- size_t tag_len,
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char check_tag[16];
- int diff;
-
- if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
- iv, iv_len, add, add_len,
- input, output, tag_len, check_tag)) != 0) {
- return ret;
- }
-
- /* Check tag in "constant-time" */
- diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
-
- if (diff != 0) {
- mbedtls_platform_zeroize(output, length);
- return MBEDTLS_ERR_GCM_AUTH_FAILED;
- }
-
- return 0;
-}
-
-void mbedtls_gcm_free(mbedtls_gcm_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
- mbedtls_cipher_free(&ctx->cipher_ctx);
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_gcm_context));
-}
-
-#endif /* !MBEDTLS_GCM_ALT */
-
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-/*
- * AES-GCM test vectors from:
- *
- * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
- */
-#define MAX_TESTS 6
-
-static const int key_index_test_data[MAX_TESTS] =
-{ 0, 0, 1, 1, 1, 1 };
-
-static const unsigned char key_test_data[][32] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
- 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
- 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
- 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
-};
-
-static const size_t iv_len_test_data[MAX_TESTS] =
-{ 12, 12, 12, 12, 8, 60 };
-
-static const int iv_index_test_data[MAX_TESTS] =
-{ 0, 0, 1, 1, 1, 2 };
-
-static const unsigned char iv_test_data[][64] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00 },
- { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
- 0xde, 0xca, 0xf8, 0x88 },
- { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
- 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
- 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
- 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
- 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
- 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
- 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
- 0xa6, 0x37, 0xb3, 0x9b },
-};
-
-static const size_t add_len_test_data[MAX_TESTS] =
-{ 0, 0, 0, 20, 20, 20 };
-
-static const int add_index_test_data[MAX_TESTS] =
-{ 0, 0, 0, 1, 1, 1 };
-
-static const unsigned char additional_test_data[][64] =
-{
- { 0x00 },
- { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
- 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
- 0xab, 0xad, 0xda, 0xd2 },
-};
-
-static const size_t pt_len_test_data[MAX_TESTS] =
-{ 0, 16, 64, 60, 60, 60 };
-
-static const int pt_index_test_data[MAX_TESTS] =
-{ 0, 0, 1, 1, 1, 1 };
-
-static const unsigned char pt_test_data[][64] =
-{
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
- 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
- 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
- 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
- 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
- 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
- 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
- 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
-};
-
-static const unsigned char ct_test_data[][64] =
-{
- { 0x00 },
- { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
- 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
- { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
- 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
- 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
- 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
- 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
- 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
- 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
- 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
- { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
- 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
- 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
- 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
- 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
- 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
- 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
- 0x3d, 0x58, 0xe0, 0x91 },
- { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
- 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
- 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
- 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
- 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
- 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
- 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
- 0xc2, 0x3f, 0x45, 0x98 },
- { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
- 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
- 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
- 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
- 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
- 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
- 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
- 0x4c, 0x34, 0xae, 0xe5 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x00 },
- { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
- 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
- { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
- 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
- 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
- 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
- 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
- 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
- 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
- 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
- { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
- 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
- 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
- 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
- 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
- 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
- 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
- 0xcc, 0xda, 0x27, 0x10 },
- { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
- 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
- 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
- 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
- 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
- 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
- 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
- 0xa0, 0xf0, 0x62, 0xf7 },
- { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
- 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
- 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
- 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
- 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
- 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
- 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
- 0xe9, 0xb7, 0x37, 0x3b },
- { 0x00 },
- { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
- 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
- { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
- 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
- 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
- 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
- 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
- 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
- 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
- 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
- { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
- 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
- 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
- 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
- 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
- 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
- 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
- 0xbc, 0xc9, 0xf6, 0x62 },
- { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
- 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
- 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
- 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
- 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
- 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
- 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
- 0xf4, 0x7c, 0x9b, 0x1f },
- { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
- 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
- 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
- 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
- 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
- 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
- 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
- 0x44, 0xae, 0x7e, 0x3f },
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-};
-
-static const unsigned char tag_test_data[][16] =
-{
- { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
- 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
- { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
- 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
- { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
- 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
- { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
- 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
- { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
- 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
- { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
- 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
- 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
- { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
- 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
- { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
- 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
- { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
- 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
- { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
- 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
- { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
- 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
- { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
- 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
- { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
- 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
- { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
- 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
- { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
- 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
- { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
- 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
- { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
- 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
-#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
-};
-
-int mbedtls_gcm_self_test(int verbose)
-{
- mbedtls_gcm_context ctx;
- unsigned char buf[64];
- unsigned char tag_buf[16];
- int i, j, ret;
- mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
- size_t olen;
-
- if (verbose != 0) {
-#if defined(MBEDTLS_GCM_ALT)
- mbedtls_printf(" GCM note: alternative implementation.\n");
-#else /* MBEDTLS_GCM_ALT */
-#if defined(MBEDTLS_AESNI_HAVE_CODE)
- if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
- mbedtls_printf(" GCM note: using AESNI.\n");
- } else
-#endif
-
-#if defined(MBEDTLS_AESCE_HAVE_CODE)
- if (MBEDTLS_AESCE_HAS_SUPPORT()) {
- mbedtls_printf(" GCM note: using AESCE.\n");
- } else
-#endif
-
- mbedtls_printf(" GCM note: built-in implementation.\n");
-#endif /* MBEDTLS_GCM_ALT */
- }
-
- static const int loop_limit =
- (sizeof(ct_test_data) / sizeof(*ct_test_data)) / MAX_TESTS;
-
- for (j = 0; j < loop_limit; j++) {
- int key_len = 128 + 64 * j;
-
- for (i = 0; i < MAX_TESTS; i++) {
- if (verbose != 0) {
- mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
- key_len, i, "enc");
- }
-
- mbedtls_gcm_init(&ctx);
-
- ret = mbedtls_gcm_setkey(&ctx, cipher,
- key_test_data[key_index_test_data[i]],
- key_len);
- /*
- * AES-192 is an optional feature that may be unavailable when
- * there is an alternative underlying implementation i.e. when
- * MBEDTLS_AES_ALT is defined.
- */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192) {
- mbedtls_printf("skipped\n");
- break;
- } else if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT,
- pt_len_test_data[i],
- iv_test_data[iv_index_test_data[i]],
- iv_len_test_data[i],
- additional_test_data[add_index_test_data[i]],
- add_len_test_data[i],
- pt_test_data[pt_index_test_data[i]],
- buf, 16, tag_buf);
-#if defined(MBEDTLS_GCM_ALT)
- /* Allow alternative implementations to only support 12-byte nonces. */
- if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED &&
- iv_len_test_data[i] != 12) {
- mbedtls_printf("skipped\n");
- break;
- }
-#endif /* defined(MBEDTLS_GCM_ALT) */
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, ct_test_data[j * 6 + i],
- pt_len_test_data[i]) != 0 ||
- memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- mbedtls_gcm_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- mbedtls_gcm_init(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
- key_len, i, "dec");
- }
-
- ret = mbedtls_gcm_setkey(&ctx, cipher,
- key_test_data[key_index_test_data[i]],
- key_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_DECRYPT,
- pt_len_test_data[i],
- iv_test_data[iv_index_test_data[i]],
- iv_len_test_data[i],
- additional_test_data[add_index_test_data[i]],
- add_len_test_data[i],
- ct_test_data[j * 6 + i], buf, 16, tag_buf);
-
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
- pt_len_test_data[i]) != 0 ||
- memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- mbedtls_gcm_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- mbedtls_gcm_init(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
- key_len, i, "enc");
- }
-
- ret = mbedtls_gcm_setkey(&ctx, cipher,
- key_test_data[key_index_test_data[i]],
- key_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_ENCRYPT,
- iv_test_data[iv_index_test_data[i]],
- iv_len_test_data[i]);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_gcm_update_ad(&ctx,
- additional_test_data[add_index_test_data[i]],
- add_len_test_data[i]);
- if (ret != 0) {
- goto exit;
- }
-
- if (pt_len_test_data[i] > 32) {
- size_t rest_len = pt_len_test_data[i] - 32;
- ret = mbedtls_gcm_update(&ctx,
- pt_test_data[pt_index_test_data[i]],
- 32,
- buf, sizeof(buf), &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != 32) {
- goto exit;
- }
-
- ret = mbedtls_gcm_update(&ctx,
- pt_test_data[pt_index_test_data[i]] + 32,
- rest_len,
- buf + 32, sizeof(buf) - 32, &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != rest_len) {
- goto exit;
- }
- } else {
- ret = mbedtls_gcm_update(&ctx,
- pt_test_data[pt_index_test_data[i]],
- pt_len_test_data[i],
- buf, sizeof(buf), &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != pt_len_test_data[i]) {
- goto exit;
- }
- }
-
- ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, ct_test_data[j * 6 + i],
- pt_len_test_data[i]) != 0 ||
- memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- mbedtls_gcm_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- mbedtls_gcm_init(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
- key_len, i, "dec");
- }
-
- ret = mbedtls_gcm_setkey(&ctx, cipher,
- key_test_data[key_index_test_data[i]],
- key_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT,
- iv_test_data[iv_index_test_data[i]],
- iv_len_test_data[i]);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_gcm_update_ad(&ctx,
- additional_test_data[add_index_test_data[i]],
- add_len_test_data[i]);
- if (ret != 0) {
- goto exit;
- }
-
- if (pt_len_test_data[i] > 32) {
- size_t rest_len = pt_len_test_data[i] - 32;
- ret = mbedtls_gcm_update(&ctx,
- ct_test_data[j * 6 + i], 32,
- buf, sizeof(buf), &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != 32) {
- goto exit;
- }
-
- ret = mbedtls_gcm_update(&ctx,
- ct_test_data[j * 6 + i] + 32,
- rest_len,
- buf + 32, sizeof(buf) - 32, &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != rest_len) {
- goto exit;
- }
- } else {
- ret = mbedtls_gcm_update(&ctx,
- ct_test_data[j * 6 + i],
- pt_len_test_data[i],
- buf, sizeof(buf), &olen);
- if (ret != 0) {
- goto exit;
- }
- if (olen != pt_len_test_data[i]) {
- goto exit;
- }
- }
-
- ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
- if (ret != 0) {
- goto exit;
- }
-
- if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
- pt_len_test_data[i]) != 0 ||
- memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
- ret = 1;
- goto exit;
- }
-
- mbedtls_gcm_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- ret = 0;
-
-exit:
- if (ret != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- mbedtls_gcm_free(&ctx);
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
-#endif /* MBEDTLS_GCM_C */
diff --git a/library/hkdf.c b/library/hkdf.c
deleted file mode 100644
index a3f071e..0000000
--- a/library/hkdf.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * HKDF implementation -- RFC 5869
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include "common.h"
-
-#if defined(MBEDTLS_HKDF_C)
-
-#include <string.h>
-#include "mbedtls/hkdf.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
- size_t salt_len, const unsigned char *ikm, size_t ikm_len,
- const unsigned char *info, size_t info_len,
- unsigned char *okm, size_t okm_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char prk[MBEDTLS_MD_MAX_SIZE];
-
- ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
-
- if (ret == 0) {
- ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md),
- info, info_len, okm, okm_len);
- }
-
- mbedtls_platform_zeroize(prk, sizeof(prk));
-
- return ret;
-}
-
-int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
- const unsigned char *salt, size_t salt_len,
- const unsigned char *ikm, size_t ikm_len,
- unsigned char *prk)
-{
- unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
-
- if (salt == NULL) {
- size_t hash_len;
-
- if (salt_len != 0) {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- hash_len = mbedtls_md_get_size(md);
-
- if (hash_len == 0) {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- salt = null_salt;
- salt_len = hash_len;
- }
-
- return mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk);
-}
-
-int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
- size_t prk_len, const unsigned char *info,
- size_t info_len, unsigned char *okm, size_t okm_len)
-{
- size_t hash_len;
- size_t where = 0;
- size_t n;
- size_t t_len = 0;
- size_t i;
- int ret = 0;
- mbedtls_md_context_t ctx;
- unsigned char t[MBEDTLS_MD_MAX_SIZE];
-
- if (okm == NULL) {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- hash_len = mbedtls_md_get_size(md);
-
- if (prk_len < hash_len || hash_len == 0) {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- if (info == NULL) {
- info = (const unsigned char *) "";
- info_len = 0;
- }
-
- n = okm_len / hash_len;
-
- if (okm_len % hash_len != 0) {
- n++;
- }
-
- /*
- * Per RFC 5869 Section 2.3, okm_len must not exceed
- * 255 times the hash length
- */
- if (n > 255) {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- mbedtls_md_init(&ctx);
-
- if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0) {
- goto exit;
- }
-
- memset(t, 0, hash_len);
-
- /*
- * Compute T = T(1) | T(2) | T(3) | ... | T(N)
- * Where T(N) is defined in RFC 5869 Section 2.3
- */
- for (i = 1; i <= n; i++) {
- size_t num_to_copy;
- unsigned char c = i & 0xff;
-
- ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_update(&ctx, t, t_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_update(&ctx, info, info_len);
- if (ret != 0) {
- goto exit;
- }
-
- /* The constant concatenated to the end of each T(n) is a single octet.
- * */
- ret = mbedtls_md_hmac_update(&ctx, &c, 1);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_finish(&ctx, t);
- if (ret != 0) {
- goto exit;
- }
-
- num_to_copy = i != n ? hash_len : okm_len - where;
- memcpy(okm + where, t, num_to_copy);
- where += hash_len;
- t_len = hash_len;
- }
-
-exit:
- mbedtls_md_free(&ctx);
- mbedtls_platform_zeroize(t, sizeof(t));
-
- return ret;
-}
-
-#endif /* MBEDTLS_HKDF_C */
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
deleted file mode 100644
index af205aa..0000000
--- a/library/hmac_drbg.c
+++ /dev/null
@@ -1,645 +0,0 @@
-/*
- * HMAC_DRBG implementation (NIST SP 800-90)
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The NIST SP 800-90A DRBGs are described in the following publication.
- * http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
- * References below are based on rev. 1 (January 2012).
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_HMAC_DRBG_C)
-
-#include "mbedtls/hmac_drbg.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
-
-#include "mbedtls/platform.h"
-
-/*
- * HMAC_DRBG context initialization
- */
-void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_hmac_drbg_context));
-
- ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
-}
-
-/*
- * HMAC_DRBG update, using optional additional data (10.1.2.2)
- */
-int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional,
- size_t add_len)
-{
- size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
- unsigned char rounds = (additional != NULL && add_len != 0) ? 2 : 1;
- unsigned char sep[1];
- unsigned char K[MBEDTLS_MD_MAX_SIZE];
- int ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
-
- for (sep[0] = 0; sep[0] < rounds; sep[0]++) {
- /* Step 1 or 4 */
- if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
- ctx->V, md_len)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
- sep, 1)) != 0) {
- goto exit;
- }
- if (rounds == 2) {
- if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
- additional, add_len)) != 0) {
- goto exit;
- }
- }
- if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, K)) != 0) {
- goto exit;
- }
-
- /* Step 2 or 5 */
- if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, K, md_len)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
- ctx->V, md_len)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
- goto exit;
- }
- }
-
-exit:
- mbedtls_platform_zeroize(K, sizeof(K));
- return ret;
-}
-
-/*
- * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
- */
-int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
- const mbedtls_md_info_t *md_info,
- const unsigned char *data, size_t data_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
- return ret;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-
- /*
- * Set initial working state.
- * Use the V memory location, which is currently all 0, to initialize the
- * MD context with an all-zero key. Then set V to its initial value.
- */
- if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V,
- mbedtls_md_get_size(md_info))) != 0) {
- return ret;
- }
- memset(ctx->V, 0x01, mbedtls_md_get_size(md_info));
-
- if ((ret = mbedtls_hmac_drbg_update(ctx, data, data_len)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Internal function used both for seeding and reseeding the DRBG.
- * Comments starting with arabic numbers refer to section 10.1.2.4
- * of SP800-90A, while roman numbers refer to section 9.2.
- */
-static int hmac_drbg_reseed_core(mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional, size_t len,
- int use_nonce)
-{
- unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
- size_t seedlen = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- {
- size_t total_entropy_len;
-
- if (use_nonce == 0) {
- total_entropy_len = ctx->entropy_len;
- } else {
- total_entropy_len = ctx->entropy_len * 3 / 2;
- }
-
- /* III. Check input length */
- if (len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
- total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) {
- return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
- }
- }
-
- memset(seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT);
-
- /* IV. Gather entropy_len bytes of entropy for the seed */
- if ((ret = ctx->f_entropy(ctx->p_entropy,
- seed, ctx->entropy_len)) != 0) {
- return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
- }
- seedlen += ctx->entropy_len;
-
- /* For initial seeding, allow adding of nonce generated
- * from the entropy source. See Sect 8.6.7 in SP800-90A. */
- if (use_nonce) {
- /* Note: We don't merge the two calls to f_entropy() in order
- * to avoid requesting too much entropy from f_entropy()
- * at once. Specifically, if the underlying digest is not
- * SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
- * is larger than the maximum of 32 Bytes that our own
- * entropy source implementation can emit in a single
- * call in configurations disabling SHA-512. */
- if ((ret = ctx->f_entropy(ctx->p_entropy,
- seed + seedlen,
- ctx->entropy_len / 2)) != 0) {
- return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
- }
-
- seedlen += ctx->entropy_len / 2;
- }
-
-
- /* 1. Concatenate entropy and additional data if any */
- if (additional != NULL && len != 0) {
- memcpy(seed + seedlen, additional, len);
- seedlen += len;
- }
-
- /* 2. Update state */
- if ((ret = mbedtls_hmac_drbg_update(ctx, seed, seedlen)) != 0) {
- goto exit;
- }
-
- /* 3. Reset reseed_counter */
- ctx->reseed_counter = 1;
-
-exit:
- /* 4. Done */
- mbedtls_platform_zeroize(seed, seedlen);
- return ret;
-}
-
-/*
- * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
- */
-int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional, size_t len)
-{
- return hmac_drbg_reseed_core(ctx, additional, len, 0);
-}
-
-/*
- * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
- *
- * The nonce is not passed as a separate parameter but extracted
- * from the entropy source as suggested in 8.6.7.
- */
-int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
- const mbedtls_md_info_t *md_info,
- int (*f_entropy)(void *, unsigned char *, size_t),
- void *p_entropy,
- const unsigned char *custom,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t md_size;
-
- if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
- return ret;
- }
-
- /* The mutex is initialized iff the md context is set up. */
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-
- md_size = mbedtls_md_get_size(md_info);
-
- /*
- * Set initial working state.
- * Use the V memory location, which is currently all 0, to initialize the
- * MD context with an all-zero key. Then set V to its initial value.
- */
- if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V, md_size)) != 0) {
- return ret;
- }
- memset(ctx->V, 0x01, md_size);
-
- ctx->f_entropy = f_entropy;
- ctx->p_entropy = p_entropy;
-
- if (ctx->entropy_len == 0) {
- /*
- * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
- * each hash function, then according to SP800-90A rev1 10.1 table 2,
- * min_entropy_len (in bits) is security_strength.
- *
- * (This also matches the sizes used in the NIST test vectors.)
- */
- ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
- md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
- 32; /* better (256+) -> 256 bits */
- }
-
- if ((ret = hmac_drbg_reseed_core(ctx, custom, len,
- 1 /* add nonce */)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Set prediction resistance
- */
-void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
- int resistance)
-{
- ctx->prediction_resistance = resistance;
-}
-
-/*
- * Set entropy length grabbed for seeding
- */
-void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx, size_t len)
-{
- ctx->entropy_len = len;
-}
-
-/*
- * Set reseed interval
- */
-void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx, int interval)
-{
- ctx->reseed_interval = interval;
-}
-
-/*
- * HMAC_DRBG random function with optional additional data:
- * 10.1.2.5 (arabic) + 9.3 (Roman)
- */
-int mbedtls_hmac_drbg_random_with_add(void *p_rng,
- unsigned char *output, size_t out_len,
- const unsigned char *additional, size_t add_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
- size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
- size_t left = out_len;
- unsigned char *out = output;
-
- /* II. Check request length */
- if (out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST) {
- return MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG;
- }
-
- /* III. Check input length */
- if (add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT) {
- return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
- }
-
- /* 1. (aka VII and IX) Check reseed counter and PR */
- if (ctx->f_entropy != NULL && /* For no-reseeding instances */
- (ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
- ctx->reseed_counter > ctx->reseed_interval)) {
- if ((ret = mbedtls_hmac_drbg_reseed(ctx, additional, add_len)) != 0) {
- return ret;
- }
-
- add_len = 0; /* VII.4 */
- }
-
- /* 2. Use additional data if any */
- if (additional != NULL && add_len != 0) {
- if ((ret = mbedtls_hmac_drbg_update(ctx,
- additional, add_len)) != 0) {
- goto exit;
- }
- }
-
- /* 3, 4, 5. Generate bytes */
- while (left != 0) {
- size_t use_len = left > md_len ? md_len : left;
-
- if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
- ctx->V, md_len)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
- goto exit;
- }
-
- memcpy(out, ctx->V, use_len);
- out += use_len;
- left -= use_len;
- }
-
- /* 6. Update */
- if ((ret = mbedtls_hmac_drbg_update(ctx,
- additional, add_len)) != 0) {
- goto exit;
- }
-
- /* 7. Update reseed counter */
- ctx->reseed_counter++;
-
-exit:
- /* 8. Done */
- return ret;
-}
-
-/*
- * HMAC_DRBG random function
- */
-int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- ret = mbedtls_hmac_drbg_random_with_add(ctx, output, out_len, NULL, 0);
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- return ret;
-}
-
-/*
- * This function resets HMAC_DRBG context to the state immediately
- * after initial call of mbedtls_hmac_drbg_init().
- */
-void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- /* The mutex is initialized iff the md context is set up. */
- if (ctx->md_ctx.md_info != NULL) {
- mbedtls_mutex_free(&ctx->mutex);
- }
-#endif
- mbedtls_md_free(&ctx->md_ctx);
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_hmac_drbg_context));
- ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
-}
-
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- FILE *f;
- unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
-
- if ((f = fopen(path, "wb")) == NULL) {
- return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- if ((ret = mbedtls_hmac_drbg_random(ctx, buf, sizeof(buf))) != 0) {
- goto exit;
- }
-
- if (fwrite(buf, 1, sizeof(buf), f) != sizeof(buf)) {
- ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
- goto exit;
- }
-
- ret = 0;
-
-exit:
- fclose(f);
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- return ret;
-}
-
-int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
-{
- int ret = 0;
- FILE *f = NULL;
- size_t n;
- unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
- unsigned char c;
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- n = fread(buf, 1, sizeof(buf), f);
- if (fread(&c, 1, 1, f) != 0) {
- ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
- goto exit;
- }
- if (n == 0 || ferror(f)) {
- ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
- goto exit;
- }
- fclose(f);
- f = NULL;
-
- ret = mbedtls_hmac_drbg_update(ctx, buf, n);
-
-exit:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- if (f != NULL) {
- fclose(f);
- }
- if (ret != 0) {
- return ret;
- }
- return mbedtls_hmac_drbg_write_seed_file(ctx, path);
-}
-#endif /* MBEDTLS_FS_IO */
-
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if !defined(MBEDTLS_MD_CAN_SHA1)
-/* Dummy checkup routine */
-int mbedtls_hmac_drbg_self_test(int verbose)
-{
- (void) verbose;
- return 0;
-}
-#else
-
-#define OUTPUT_LEN 80
-
-/* From a NIST PR=true test vector */
-static const unsigned char entropy_pr[] = {
- 0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
- 0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
- 0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
- 0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
- 0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4
-};
-static const unsigned char result_pr[OUTPUT_LEN] = {
- 0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
- 0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
- 0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
- 0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
- 0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
- 0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
- 0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44
-};
-
-/* From a NIST PR=false test vector */
-static const unsigned char entropy_nopr[] = {
- 0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
- 0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
- 0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
- 0xe9, 0x9d, 0xfe, 0xdf
-};
-static const unsigned char result_nopr[OUTPUT_LEN] = {
- 0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
- 0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
- 0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
- 0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
- 0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
- 0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
- 0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7
-};
-
-/* "Entropy" from buffer */
-static size_t test_offset;
-static int hmac_drbg_self_test_entropy(void *data,
- unsigned char *buf, size_t len)
-{
- const unsigned char *p = data;
- memcpy(buf, p + test_offset, len);
- test_offset += len;
- return 0;
-}
-
-#define CHK(c) if ((c) != 0) \
- { \
- if (verbose != 0) \
- mbedtls_printf("failed\n"); \
- return 1; \
- }
-
-/*
- * Checkup routine for HMAC_DRBG with SHA-1
- */
-int mbedtls_hmac_drbg_self_test(int verbose)
-{
- mbedtls_hmac_drbg_context ctx;
- unsigned char buf[OUTPUT_LEN];
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
-
- mbedtls_hmac_drbg_init(&ctx);
-
- /*
- * PR = True
- */
- if (verbose != 0) {
- mbedtls_printf(" HMAC_DRBG (PR = True) : ");
- }
-
- test_offset = 0;
- CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
- hmac_drbg_self_test_entropy, (void *) entropy_pr,
- NULL, 0));
- mbedtls_hmac_drbg_set_prediction_resistance(&ctx, MBEDTLS_HMAC_DRBG_PR_ON);
- CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
- CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
- CHK(memcmp(buf, result_pr, OUTPUT_LEN));
- mbedtls_hmac_drbg_free(&ctx);
-
- mbedtls_hmac_drbg_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- /*
- * PR = False
- */
- if (verbose != 0) {
- mbedtls_printf(" HMAC_DRBG (PR = False) : ");
- }
-
- mbedtls_hmac_drbg_init(&ctx);
-
- test_offset = 0;
- CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
- hmac_drbg_self_test_entropy, (void *) entropy_nopr,
- NULL, 0));
- CHK(mbedtls_hmac_drbg_reseed(&ctx, NULL, 0));
- CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
- CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
- CHK(memcmp(buf, result_nopr, OUTPUT_LEN));
- mbedtls_hmac_drbg_free(&ctx);
-
- mbedtls_hmac_drbg_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/library/lmots.c b/library/lmots.c
deleted file mode 100644
index 9d79694..0000000
--- a/library/lmots.c
+++ /dev/null
@@ -1,833 +0,0 @@
-/*
- * The LM-OTS one-time public-key signature scheme
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The following sources were referenced in the design of this implementation
- * of the LM-OTS algorithm:
- *
- * [1] IETF RFC8554
- * D. McGrew, M. Curcio, S.Fluhrer
- * https://datatracker.ietf.org/doc/html/rfc8554
- *
- * [2] NIST Special Publication 800-208
- * David A. Cooper et. al.
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_LMS_C)
-
-#include <string.h>
-
-#include "lmots.h"
-
-#include "mbedtls/lms.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "psa_util_internal.h"
-
-#include "psa/crypto.h"
-
-/* Define a local translating function to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_lms_errors,
- ARRAY_LENGTH(psa_to_lms_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-
-#define PUBLIC_KEY_TYPE_OFFSET (0)
-#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
- MBEDTLS_LMOTS_TYPE_LEN)
-#define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
- MBEDTLS_LMOTS_I_KEY_ID_LEN)
-#define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
-
-/* We only support parameter sets that use 8-bit digits, as it does not require
- * translation logic between digits and bytes */
-#define W_WINTERNITZ_PARAMETER (8u)
-#define CHECKSUM_LEN (2)
-#define I_DIGIT_IDX_LEN (2)
-#define J_HASH_IDX_LEN (1)
-#define D_CONST_LEN (2)
-
-#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
-
-#define D_CONST_LEN (2)
-static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
-static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
-
-#if defined(MBEDTLS_TEST_HOOKS)
-int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
-
-void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
- unsigned char *bytes)
-{
- size_t idx;
-
- for (idx = 0; idx < len; idx++) {
- bytes[idx] = (val >> ((len - 1 - idx) * 8)) & 0xFF;
- }
-}
-
-unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
- const unsigned char *bytes)
-{
- size_t idx;
- unsigned int val = 0;
-
- for (idx = 0; idx < len; idx++) {
- val |= ((unsigned int) bytes[idx]) << (8 * (len - 1 - idx));
- }
-
- return val;
-}
-
-/* Calculate the checksum digits that are appended to the end of the LMOTS digit
- * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
- * the checksum algorithm.
- *
- * params The LMOTS parameter set, I and q values which
- * describe the key being used.
- *
- * digest The digit string to create the digest from. As
- * this does not contain a checksum, it is the same
- * size as a hash output.
- */
-static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
- const unsigned char *digest)
-{
- size_t idx;
- unsigned sum = 0;
-
- for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
- sum += DIGIT_MAX_VALUE - digest[idx];
- }
-
- return sum;
-}
-
-/* Create the string of digest digits (in the base determined by the Winternitz
- * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
- * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
- * 4b step 3) for details.
- *
- * params The LMOTS parameter set, I and q values which
- * describe the key being used.
- *
- * msg The message that will be hashed to create the
- * digest.
- *
- * msg_size The size of the message.
- *
- * C_random_value The random value that will be combined with the
- * message digest. This is always the same size as a
- * hash output for whichever hash algorithm is
- * determined by the parameter set.
- *
- * output An output containing the digit string (+
- * checksum) of length P digits (in the case of
- * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
- * size P bytes).
- */
-static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
- const unsigned char *msg,
- size_t msg_len,
- const unsigned char *C_random_value,
- unsigned char *out)
-{
- psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
- unsigned short checksum;
-
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, params->I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, params->q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, C_random_value,
- MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, msg, msg_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op, out,
- MBEDTLS_LMOTS_N_HASH_LEN(params->type),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- checksum = lmots_checksum_calculate(params, out);
- mbedtls_lms_unsigned_int_to_network_bytes(checksum, CHECKSUM_LEN,
- out + MBEDTLS_LMOTS_N_HASH_LEN(params->type));
-
-exit:
- psa_hash_abort(&op);
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-/* Hash each element of the string of digits (+ checksum), producing a hash
- * output for each element. This is used in several places (by varying the
- * hash_idx_min/max_values) in order to calculate a public key from a private
- * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
- * Algorithm 3 step 5), and to calculate a public key candidate from a
- * signature and message (RFC8554 Algorithm 4b step 3).
- *
- * params The LMOTS parameter set, I and q values which
- * describe the key being used.
- *
- * x_digit_array The array of digits (of size P, 34 in the case of
- * MBEDTLS_LMOTS_SHA256_N32_W8).
- *
- * hash_idx_min_values An array of the starting values of the j iterator
- * for each of the members of the digit array. If
- * this value in NULL, then all iterators will start
- * at 0.
- *
- * hash_idx_max_values An array of the upper bound values of the j
- * iterator for each of the members of the digit
- * array. If this value in NULL, then iterator is
- * bounded to be less than 2^w - 1 (255 in the case
- * of MBEDTLS_LMOTS_SHA256_N32_W8)
- *
- * output An array containing a hash output for each member
- * of the digit string P. In the case of
- * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
- * 34.
- */
-static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
- const unsigned char *x_digit_array,
- const unsigned char *hash_idx_min_values,
- const unsigned char *hash_idx_max_values,
- unsigned char *output)
-{
- unsigned int i_digit_idx;
- unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
- unsigned int j_hash_idx;
- unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
- unsigned int j_hash_idx_min;
- unsigned int j_hash_idx_max;
- psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
- unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
-
- for (i_digit_idx = 0;
- i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
- i_digit_idx++) {
-
- memcpy(tmp_hash,
- &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
- MBEDTLS_LMOTS_N_HASH_LEN(params->type));
-
- j_hash_idx_min = hash_idx_min_values != NULL ?
- hash_idx_min_values[i_digit_idx] : 0;
- j_hash_idx_max = hash_idx_max_values != NULL ?
- hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
-
- for (j_hash_idx = j_hash_idx_min;
- j_hash_idx < j_hash_idx_max;
- j_hash_idx++) {
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op,
- params->I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op,
- params->q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx,
- I_DIGIT_IDX_LEN,
- i_digit_idx_bytes);
- status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(j_hash_idx,
- J_HASH_IDX_LEN,
- j_hash_idx_bytes);
- status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, tmp_hash,
- MBEDTLS_LMOTS_N_HASH_LEN(params->type));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- psa_hash_abort(&op);
- }
-
- memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
- tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
- }
-
-exit:
- psa_hash_abort(&op);
- mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-/* Combine the hashes of the digit array into a public key. This is used in
- * in order to calculate a public key from a private key (RFC8554 Algorithm 1
- * step 4), and to calculate a public key candidate from a signature and message
- * (RFC8554 Algorithm 4b step 3).
- *
- * params The LMOTS parameter set, I and q values which describe
- * the key being used.
- * y_hashed_digits The array of hashes, one hash for each digit of the
- * symbol array (which is of size P, 34 in the case of
- * MBEDTLS_LMOTS_SHA256_N32_W8)
- *
- * pub_key The output public key (or candidate public key in
- * case this is being run as part of signature
- * verification), in the form of a hash output.
- */
-static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
- const unsigned char *y_hashed_digits,
- unsigned char *pub_key)
-{
- psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
-
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op,
- params->I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, params->q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, y_hashed_digits,
- MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
- MBEDTLS_LMOTS_N_HASH_LEN(params->type));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op, pub_key,
- MBEDTLS_LMOTS_N_HASH_LEN(params->type),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
-
-exit:
- psa_hash_abort(&op);
- }
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_lms_error_from_psa(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_HARDWARE_FAILURE:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- default:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
-{
- mbedtls_platform_zeroize(ctx, sizeof(*ctx));
-}
-
-int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
- const unsigned char *key, size_t key_len)
-{
- if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ctx->params.type =
- (mbedtls_lmots_algorithm_type_t) mbedtls_lms_network_bytes_to_unsigned_int(
- MBEDTLS_LMOTS_TYPE_LEN,
- key +
- MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
-
- if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- memcpy(ctx->params.I_key_identifier,
- key + PUBLIC_KEY_I_KEY_ID_OFFSET,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
-
- memcpy(ctx->params.q_leaf_identifier,
- key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
-
- memcpy(ctx->public_key,
- key + PUBLIC_KEY_KEY_HASH_OFFSET,
- MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
-
- ctx->have_public_key = 1;
-
- return 0;
-}
-
-int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
- unsigned char *key, size_t key_size,
- size_t *key_len)
-{
- if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
- }
-
- if (!ctx->have_public_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
- MBEDTLS_LMOTS_TYPE_LEN,
- key + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
-
- memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
- ctx->params.I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
-
- memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
- ctx->params.q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
-
- memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
- MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
-
- if (key_len != NULL) {
- *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
- }
-
- return 0;
-}
-
-int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
- const unsigned char *msg,
- size_t msg_size,
- const unsigned char *sig,
- size_t sig_size,
- unsigned char *out,
- size_t out_size,
- size_t *out_len)
-{
- unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
- unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (msg == NULL && msg_size != 0) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
- out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ret = create_digit_array_with_checksum(params, msg, msg_size,
- sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
- tmp_digit_array);
- if (ret) {
- return ret;
- }
-
- ret = hash_digit_array(params,
- sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
- tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
- if (ret) {
- return ret;
- }
-
- ret = public_key_from_hashed_digit_array(params,
- (unsigned char *) y_hashed_digits,
- out);
- if (ret) {
- return ret;
- }
-
- if (out_len != NULL) {
- *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
- }
-
- return 0;
-}
-
-int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
- const unsigned char *msg, size_t msg_size,
- const unsigned char *sig, size_t sig_size)
-{
- unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (msg == NULL && msg_size != 0) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (!ctx->have_public_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
- sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET) !=
- MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
- msg, msg_size, sig, sig_size,
- Kc_public_key_candidate,
- MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
- NULL);
- if (ret) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (memcmp(&Kc_public_key_candidate, ctx->public_key,
- sizeof(ctx->public_key))) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-
-void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
-{
- mbedtls_platform_zeroize(ctx,
- sizeof(*ctx));
-}
-
-int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
- mbedtls_lmots_algorithm_type_t type,
- const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
- uint32_t q_leaf_identifier,
- const unsigned char *seed,
- size_t seed_size)
-{
- psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
- unsigned int i_digit_idx;
- unsigned char i_digit_idx_bytes[2];
- unsigned char const_bytes[1];
-
- if (ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ctx->params.type = type;
-
- memcpy(ctx->params.I_key_identifier,
- I_key_identifier,
- sizeof(ctx->params.I_key_identifier));
-
- mbedtls_lms_unsigned_int_to_network_bytes(q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
- ctx->params.q_leaf_identifier);
-
- mbedtls_lms_unsigned_int_to_network_bytes(0xFF, sizeof(const_bytes),
- const_bytes);
-
- for (i_digit_idx = 0;
- i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
- i_digit_idx++) {
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op,
- ctx->params.I_key_identifier,
- sizeof(ctx->params.I_key_identifier));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op,
- ctx->params.q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(i_digit_idx, I_DIGIT_IDX_LEN,
- i_digit_idx_bytes);
- status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, seed, seed_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op,
- ctx->private_key[i_digit_idx],
- MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- psa_hash_abort(&op);
- }
-
- ctx->have_private_key = 1;
-
-exit:
- psa_hash_abort(&op);
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
- const mbedtls_lmots_private_t *priv_ctx)
-{
- unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Check that a private key is loaded */
- if (!priv_ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ret = hash_digit_array(&priv_ctx->params,
- (unsigned char *) priv_ctx->private_key, NULL,
- NULL, (unsigned char *) y_hashed_digits);
- if (ret) {
- goto exit;
- }
-
- ret = public_key_from_hashed_digit_array(&priv_ctx->params,
- (unsigned char *) y_hashed_digits,
- ctx->public_key);
- if (ret) {
- goto exit;
- }
-
- memcpy(&ctx->params, &priv_ctx->params,
- sizeof(ctx->params));
-
- ctx->have_public_key = 1;
-
-exit:
- mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
-
- return ret;
-}
-
-int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *msg, size_t msg_size,
- unsigned char *sig, size_t sig_size, size_t *sig_len)
-{
- unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
- /* Create a temporary buffer to prepare the signature in. This allows us to
- * finish creating a signature (ensuring the process doesn't fail), and then
- * erase the private key **before** writing any data into the sig parameter
- * buffer. If data were directly written into the sig buffer, it might leak
- * a partial signature on failure, which effectively compromises the private
- * key.
- */
- unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (msg == NULL && msg_size != 0) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
- }
-
- /* Check that a private key is loaded */
- if (!ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ret = f_rng(p_rng, tmp_c_random,
- MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
- if (ret) {
- return ret;
- }
-
- ret = create_digit_array_with_checksum(&ctx->params,
- msg, msg_size,
- tmp_c_random,
- tmp_digit_array);
- if (ret) {
- goto exit;
- }
-
- ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
- NULL, tmp_digit_array, (unsigned char *) tmp_sig);
- if (ret) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
- MBEDTLS_LMOTS_TYPE_LEN,
- sig + MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
-
- /* Test hook to check if sig is being written to before we invalidate the
- * private key.
- */
-#if defined(MBEDTLS_TEST_HOOKS)
- if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
- ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
- if (ret != 0) {
- return ret;
- }
- }
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
-
- /* We've got a valid signature now, so it's time to make sure the private
- * key can't be reused.
- */
- ctx->have_private_key = 0;
- mbedtls_platform_zeroize(ctx->private_key,
- sizeof(ctx->private_key));
-
- memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
- MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
-
- memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
- MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
- * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
-
- if (sig_len != NULL) {
- *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
- }
-
- ret = 0;
-
-exit:
- mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
- mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
-
- return ret;
-}
-
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/lmots.h b/library/lmots.h
deleted file mode 100644
index 98d1941..0000000
--- a/library/lmots.h
+++ /dev/null
@@ -1,323 +0,0 @@
-/**
- * \file lmots.h
- *
- * \brief This file provides an API for the LM-OTS post-quantum-safe one-time
- * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
- * This implementation currently only supports a single parameter set
- * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_LMOTS_H
-#define MBEDTLS_LMOTS_H
-
-#include "mbedtls/build_info.h"
-
-#include "psa/crypto.h"
-
-#include "mbedtls/lms.h"
-
-#include <stdint.h>
-#include <stddef.h>
-
-
-#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
- MBEDTLS_LMOTS_I_KEY_ID_LEN + \
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
- MBEDTLS_LMOTS_N_HASH_LEN(type))
-
-#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0)
-#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
- MBEDTLS_LMOTS_TYPE_LEN)
-#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
- MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-#if defined(MBEDTLS_TEST_HOOKS)
-extern int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *);
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
-
-/**
- * \brief This function converts an unsigned int into a
- * network-byte-order (big endian) string.
- *
- * \param val The unsigned integer value
- * \param len The length of the string.
- * \param bytes The string to output into.
- */
-void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
- unsigned char *bytes);
-
-/**
- * \brief This function converts a network-byte-order
- * (big endian) string into an unsigned integer.
- *
- * \param len The length of the string.
- * \param bytes The string.
- *
- * \return The corresponding LMS error code.
- */
-unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
- const unsigned char *bytes);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief This function converts a \ref psa_status_t to a
- * low-level LMS error code.
- *
- * \param status The psa_status_t to convert
- *
- * \return The corresponding LMS error code.
- */
-int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status);
-#endif
-
-/**
- * \brief This function initializes a public LMOTS context
- *
- * \param ctx The uninitialized LMOTS context that will then be
- * initialized.
- */
-void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx);
-
-/**
- * \brief This function uninitializes a public LMOTS context
- *
- * \param ctx The initialized LMOTS context that will then be
- * uninitialized.
- */
-void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx);
-
-/**
- * \brief This function imports an LMOTS public key into a
- * LMOTS context.
- *
- * \note Before this function is called, the context must
- * have been initialized.
- *
- * \note See IETF RFC8554 for details of the encoding of
- * this public key.
- *
- * \param ctx The initialized LMOTS context store the key in.
- * \param key The buffer from which the key will be read.
- * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read
- * from this.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
- const unsigned char *key, size_t key_size);
-
-/**
- * \brief This function exports an LMOTS public key from a
- * LMOTS context that already contains a public key.
- *
- * \note Before this function is called, the context must
- * have been initialized and the context must contain
- * a public key.
- *
- * \note See IETF RFC8554 for details of the encoding of
- * this public key.
- *
- * \param ctx The initialized LMOTS context that contains the
- * public key.
- * \param key The buffer into which the key will be output. Must
- * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
- unsigned char *key, size_t key_size,
- size_t *key_len);
-
-/**
- * \brief This function creates a candidate public key from
- * an LMOTS signature. This can then be compared to
- * the real public key to determine the validity of
- * the signature.
- *
- * \note This function is exposed publicly to be used in LMS
- * signature verification, it is expected that
- * mbedtls_lmots_verify will be used for LMOTS
- * signature verification.
- *
- * \param params The LMOTS parameter set, q and I values as an
- * mbedtls_lmots_parameters_t struct.
- * \param msg The buffer from which the message will be read.
- * \param msg_size The size of the message that will be read.
- * \param sig The buffer from which the signature will be read.
- * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
- * this.
- * \param out The buffer where the candidate public key will be
- * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN
- * bytes in size.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
- const unsigned char *msg,
- size_t msg_size,
- const unsigned char *sig,
- size_t sig_size,
- unsigned char *out,
- size_t out_size,
- size_t *out_len);
-
-/**
- * \brief This function verifies a LMOTS signature, using a
- * LMOTS context that contains a public key.
- *
- * \warning This function is **not intended for use in
- * production**, due to as-yet unsolved problems with
- * handling stateful keys. The API for this function
- * may change considerably in future versions.
- *
- * \note Before this function is called, the context must
- * have been initialized and must contain a public key
- * (either by import or calculation from a private
- * key).
- *
- * \param ctx The initialized LMOTS context from which the public
- * key will be read.
- * \param msg The buffer from which the message will be read.
- * \param msg_size The size of the message that will be read.
- * \param sig The buf from which the signature will be read.
- * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
- * this.
- *
- * \return \c 0 on successful verification.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
- const unsigned char *msg,
- size_t msg_size, const unsigned char *sig,
- size_t sig_size);
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-
-/**
- * \brief This function initializes a private LMOTS context
- *
- * \param ctx The uninitialized LMOTS context that will then be
- * initialized.
- */
-void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx);
-
-/**
- * \brief This function uninitializes a private LMOTS context
- *
- * \param ctx The initialized LMOTS context that will then be
- * uninitialized.
- */
-void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx);
-
-/**
- * \brief This function calculates an LMOTS private key, and
- * stores in into an LMOTS context.
- *
- * \warning This function is **not intended for use in
- * production**, due to as-yet unsolved problems with
- * handling stateful keys. The API for this function
- * may change considerably in future versions.
- *
- * \note The seed must have at least 256 bits of entropy.
- *
- * \param ctx The initialized LMOTS context to generate the key
- * into.
- * \param I_key_identifier The key identifier of the key, as a 16-byte string.
- * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is
- * not being used as part of an LMS key, this should
- * be set to 0.
- * \param seed The seed used to deterministically generate the
- * key.
- * \param seed_size The length of the seed.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
- mbedtls_lmots_algorithm_type_t type,
- const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
- uint32_t q_leaf_identifier,
- const unsigned char *seed,
- size_t seed_size);
-
-/**
- * \brief This function generates an LMOTS public key from a
- * LMOTS context that already contains a private key.
- *
- * \note Before this function is called, the context must
- * have been initialized and the context must contain
- * a private key.
- *
- * \param ctx The initialized LMOTS context to generate the key
- * from and store it into.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
- const mbedtls_lmots_private_t *priv_ctx);
-
-/**
- * \brief This function creates a LMOTS signature, using a
- * LMOTS context that contains a private key.
- *
- * \note Before this function is called, the context must
- * have been initialized and must contain a private
- * key.
- *
- * \note LMOTS private keys can only be used once, otherwise
- * attackers may be able to create forged signatures.
- * If the signing operation is successful, the private
- * key in the context will be erased, and no further
- * signing will be possible until another private key
- * is loaded
- *
- * \param ctx The initialized LMOTS context from which the
- * private key will be read.
- * \param f_rng The RNG function to be used for signature
- * generation.
- * \param p_rng The RNG context to be passed to f_rng
- * \param msg The buffer from which the message will be read.
- * \param msg_size The size of the message that will be read.
- * \param sig The buf into which the signature will be stored.
- * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size.
- *
- * \return \c 0 on success.
- * \return A non-zero error code on failure.
- */
-int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *msg, size_t msg_size,
- unsigned char *sig, size_t sig_size, size_t *sig_len);
-
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_LMOTS_H */
diff --git a/library/lms.c b/library/lms.c
deleted file mode 100644
index c06f9c2..0000000
--- a/library/lms.c
+++ /dev/null
@@ -1,791 +0,0 @@
-/*
- * The LMS stateful-hash public-key signature scheme
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The following sources were referenced in the design of this implementation
- * of the LMS algorithm:
- *
- * [1] IETF RFC8554
- * D. McGrew, M. Curcio, S.Fluhrer
- * https://datatracker.ietf.org/doc/html/rfc8554
- *
- * [2] NIST Special Publication 800-208
- * David A. Cooper et. al.
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_LMS_C)
-
-#include <string.h>
-
-#include "lmots.h"
-
-#include "psa/crypto.h"
-#include "psa_util_internal.h"
-#include "mbedtls/lms.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-
-#include "mbedtls/platform.h"
-
-/* Define a local translating function to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_lms_errors,
- ARRAY_LENGTH(psa_to_lms_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-
-#define SIG_Q_LEAF_ID_OFFSET (0)
-#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
-#define SIG_TYPE_OFFSET(otstype) (SIG_OTS_SIG_OFFSET + \
- MBEDTLS_LMOTS_SIG_LEN(otstype))
-#define SIG_PATH_OFFSET(otstype) (SIG_TYPE_OFFSET(otstype) + \
- MBEDTLS_LMS_TYPE_LEN)
-
-#define PUBLIC_KEY_TYPE_OFFSET (0)
-#define PUBLIC_KEY_OTSTYPE_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
- MBEDTLS_LMS_TYPE_LEN)
-#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_OTSTYPE_OFFSET + \
- MBEDTLS_LMOTS_TYPE_LEN)
-#define PUBLIC_KEY_ROOT_NODE_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
- MBEDTLS_LMOTS_I_KEY_ID_LEN)
-
-
-/* Currently only support H=10 */
-#define H_TREE_HEIGHT_MAX 10
-#define MERKLE_TREE_NODE_AM(type) ((size_t) 1 << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u))
-#define MERKLE_TREE_LEAF_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type))
-#define MERKLE_TREE_INTERNAL_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type))
-
-#define D_CONST_LEN (2)
-static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = { 0x82, 0x82 };
-static const unsigned char D_INTR_CONSTANT_BYTES[D_CONST_LEN] = { 0x83, 0x83 };
-
-
-/* Calculate the value of a leaf node of the Merkle tree (which is a hash of a
- * public key and some other parameters like the leaf index). This function
- * implements RFC8554 section 5.3, in the case where r >= 2^h.
- *
- * params The LMS parameter set, the underlying LMOTS
- * parameter set, and I value which describe the key
- * being used.
- *
- * pub_key The public key of the private whose index
- * corresponds to the index of this leaf node. This
- * is a hash output.
- *
- * r_node_idx The index of this node in the Merkle tree. Note
- * that the root node of the Merkle tree is
- * 1-indexed.
- *
- * out The output node value, which is a hash output.
- */
-static int create_merkle_leaf_value(const mbedtls_lms_parameters_t *params,
- unsigned char *pub_key,
- unsigned int r_node_idx,
- unsigned char *out)
-{
- psa_hash_operation_t op;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
- unsigned char r_node_idx_bytes[4];
-
- op = psa_hash_operation_init();
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, params->I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(r_node_idx, 4, r_node_idx_bytes);
- status = psa_hash_update(&op, r_node_idx_bytes, 4);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, D_LEAF_CONSTANT_BYTES, D_CONST_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, pub_key,
- MBEDTLS_LMOTS_N_HASH_LEN(params->otstype));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-exit:
- psa_hash_abort(&op);
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-/* Calculate the value of an internal node of the Merkle tree (which is a hash
- * of a public key and some other parameters like the node index). This function
- * implements RFC8554 section 5.3, in the case where r < 2^h.
- *
- * params The LMS parameter set, the underlying LMOTS
- * parameter set, and I value which describe the key
- * being used.
- *
- * left_node The value of the child of this node which is on
- * the left-hand side. As with all nodes on the
- * Merkle tree, this is a hash output.
- *
- * right_node The value of the child of this node which is on
- * the right-hand side. As with all nodes on the
- * Merkle tree, this is a hash output.
- *
- * r_node_idx The index of this node in the Merkle tree. Note
- * that the root node of the Merkle tree is
- * 1-indexed.
- *
- * out The output node value, which is a hash output.
- */
-static int create_merkle_internal_value(const mbedtls_lms_parameters_t *params,
- const unsigned char *left_node,
- const unsigned char *right_node,
- unsigned int r_node_idx,
- unsigned char *out)
-{
- psa_hash_operation_t op;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_hash_len;
- unsigned char r_node_idx_bytes[4];
-
- op = psa_hash_operation_init();
- status = psa_hash_setup(&op, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, params->I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(r_node_idx, 4, r_node_idx_bytes);
- status = psa_hash_update(&op, r_node_idx_bytes, 4);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, D_INTR_CONSTANT_BYTES, D_CONST_LEN);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, left_node,
- MBEDTLS_LMS_M_NODE_BYTES(params->type));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&op, right_node,
- MBEDTLS_LMS_M_NODE_BYTES(params->type));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
- &output_hash_len);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-exit:
- psa_hash_abort(&op);
-
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx)
-{
- mbedtls_platform_zeroize(ctx, sizeof(*ctx));
-}
-
-int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
- const unsigned char *key, size_t key_size)
-{
- mbedtls_lms_algorithm_type_t type;
- mbedtls_lmots_algorithm_type_t otstype;
-
- type = (mbedtls_lms_algorithm_type_t) mbedtls_lms_network_bytes_to_unsigned_int(
- MBEDTLS_LMS_TYPE_LEN,
- key +
- PUBLIC_KEY_TYPE_OFFSET);
- if (type != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
- ctx->params.type = type;
-
- if (key_size != MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- otstype = (mbedtls_lmots_algorithm_type_t) mbedtls_lms_network_bytes_to_unsigned_int(
- MBEDTLS_LMOTS_TYPE_LEN,
- key +
- PUBLIC_KEY_OTSTYPE_OFFSET);
- if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
- ctx->params.otstype = otstype;
-
- memcpy(ctx->params.I_key_identifier,
- key + PUBLIC_KEY_I_KEY_ID_OFFSET,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- memcpy(ctx->T_1_pub_key, key + PUBLIC_KEY_ROOT_NODE_OFFSET,
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
-
- ctx->have_public_key = 1;
-
- return 0;
-}
-
-int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
- unsigned char *key,
- size_t key_size, size_t *key_len)
-{
- if (key_size < MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
- }
-
- if (!ctx->have_public_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(
- ctx->params.type,
- MBEDTLS_LMS_TYPE_LEN, key + PUBLIC_KEY_TYPE_OFFSET);
- mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.otstype,
- MBEDTLS_LMOTS_TYPE_LEN,
- key + PUBLIC_KEY_OTSTYPE_OFFSET);
- memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
- ctx->params.I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- memcpy(key +PUBLIC_KEY_ROOT_NODE_OFFSET,
- ctx->T_1_pub_key,
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
-
- if (key_len != NULL) {
- *key_len = MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type);
- }
-
- return 0;
-}
-
-int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
- const unsigned char *msg, size_t msg_size,
- const unsigned char *sig, size_t sig_size)
-{
- unsigned int q_leaf_identifier;
- unsigned char Kc_candidate_ots_pub_key[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
- unsigned char Tc_candidate_root_node[MBEDTLS_LMS_M_NODE_BYTES_MAX];
- unsigned int height;
- unsigned int curr_node_id;
- unsigned int parent_node_id;
- const unsigned char *left_node;
- const unsigned char *right_node;
- mbedtls_lmots_parameters_t ots_params;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (!ctx->have_public_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->params.type
- != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->params.otstype
- != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMOTS_TYPE_LEN,
- sig + SIG_OTS_SIG_OFFSET +
- MBEDTLS_LMOTS_SIG_TYPE_OFFSET)
- != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- if (mbedtls_lms_network_bytes_to_unsigned_int(MBEDTLS_LMS_TYPE_LEN,
- sig + SIG_TYPE_OFFSET(ctx->params.otstype))
- != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
-
- q_leaf_identifier = mbedtls_lms_network_bytes_to_unsigned_int(
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN, sig + SIG_Q_LEAF_ID_OFFSET);
-
- if (q_leaf_identifier >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- memcpy(ots_params.I_key_identifier,
- ctx->params.I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- mbedtls_lms_unsigned_int_to_network_bytes(q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
- ots_params.q_leaf_identifier);
- ots_params.type = ctx->params.otstype;
-
- ret = mbedtls_lmots_calculate_public_key_candidate(&ots_params,
- msg,
- msg_size,
- sig + SIG_OTS_SIG_OFFSET,
- MBEDTLS_LMOTS_SIG_LEN(ctx->params.otstype),
- Kc_candidate_ots_pub_key,
- sizeof(Kc_candidate_ots_pub_key),
- NULL);
- if (ret != 0) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- create_merkle_leaf_value(
- &ctx->params,
- Kc_candidate_ots_pub_key,
- MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
- Tc_candidate_root_node);
-
- curr_node_id = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) +
- q_leaf_identifier;
-
- for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
- height++) {
- parent_node_id = curr_node_id / 2;
-
- /* Left/right node ordering matters for the hash */
- if (curr_node_id & 1) {
- left_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
- height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
- right_node = Tc_candidate_root_node;
- } else {
- left_node = Tc_candidate_root_node;
- right_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
- height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
- }
-
- create_merkle_internal_value(&ctx->params, left_node, right_node,
- parent_node_id, Tc_candidate_root_node);
-
- curr_node_id /= 2;
- }
-
- if (memcmp(Tc_candidate_root_node, ctx->T_1_pub_key,
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type))) {
- return MBEDTLS_ERR_LMS_VERIFY_FAILED;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_LMS_PRIVATE)
-
-/* Calculate a full Merkle tree based on a private key. This function
- * implements RFC8554 section 5.3, and is used to generate a public key (as the
- * public key is the root node of the Merkle tree).
- *
- * ctx The LMS private context, containing a parameter
- * set and private key material consisting of both
- * public and private OTS.
- *
- * tree The output tree, which is 2^(H + 1) hash outputs.
- * In the case of H=10 we have 2048 tree nodes (of
- * which 1024 of them are leaf nodes). Note that
- * because the Merkle tree root is 1-indexed, the 0
- * index tree node is never used.
- */
-static int calculate_merkle_tree(const mbedtls_lms_private_t *ctx,
- unsigned char *tree)
-{
- unsigned int priv_key_idx;
- unsigned int r_node_idx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* First create the leaf nodes, in ascending order */
- for (priv_key_idx = 0;
- priv_key_idx < MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type);
- priv_key_idx++) {
- r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + priv_key_idx;
-
- ret = create_merkle_leaf_value(&ctx->params,
- ctx->ots_public_keys[priv_key_idx].public_key,
- r_node_idx,
- &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(
- ctx->params.type)]);
- if (ret != 0) {
- return ret;
- }
- }
-
- /* Then the internal nodes, in reverse order so that we can guarantee the
- * parent has been created */
- for (r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) - 1;
- r_node_idx > 0;
- r_node_idx--) {
- ret = create_merkle_internal_value(&ctx->params,
- &tree[(r_node_idx * 2) *
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
- &tree[(r_node_idx * 2 + 1) *
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
- r_node_idx,
- &tree[r_node_idx *
- MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)]);
- if (ret != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-
-/* Calculate a path from a leaf node of the Merkle tree to the root of the tree,
- * and return the full path. This function implements RFC8554 section 5.4.1, as
- * the Merkle path is the main component of an LMS signature.
- *
- * ctx The LMS private context, containing a parameter
- * set and private key material consisting of both
- * public and private OTS.
- *
- * leaf_node_id Which leaf node to calculate the path from.
- *
- * path The output path, which is H hash outputs.
- */
-static int get_merkle_path(mbedtls_lms_private_t *ctx,
- unsigned int leaf_node_id,
- unsigned char *path)
-{
- const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
- unsigned int curr_node_id = leaf_node_id;
- unsigned int adjacent_node_id;
- unsigned char *tree = NULL;
- unsigned int height;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- tree = mbedtls_calloc(MERKLE_TREE_NODE_AM(ctx->params.type),
- node_bytes);
- if (tree == NULL) {
- return MBEDTLS_ERR_LMS_ALLOC_FAILED;
- }
-
- ret = calculate_merkle_tree(ctx, tree);
- if (ret != 0) {
- goto exit;
- }
-
- for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
- height++) {
- adjacent_node_id = curr_node_id ^ 1;
-
- memcpy(&path[height * node_bytes],
- &tree[adjacent_node_id * node_bytes], node_bytes);
-
- curr_node_id >>= 1;
- }
-
- ret = 0;
-
-exit:
- mbedtls_zeroize_and_free(tree, node_bytes *
- MERKLE_TREE_NODE_AM(ctx->params.type));
-
- return ret;
-}
-
-void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx)
-{
- memset(ctx, 0, sizeof(*ctx));
-}
-
-void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx)
-{
- unsigned int idx;
-
- if (ctx->have_private_key) {
- if (ctx->ots_private_keys != NULL) {
- for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
- mbedtls_lmots_private_free(&ctx->ots_private_keys[idx]);
- }
- }
-
- if (ctx->ots_public_keys != NULL) {
- for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
- mbedtls_lmots_public_free(&ctx->ots_public_keys[idx]);
- }
- }
-
- mbedtls_free(ctx->ots_private_keys);
- mbedtls_free(ctx->ots_public_keys);
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(*ctx));
-}
-
-
-int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
- mbedtls_lms_algorithm_type_t type,
- mbedtls_lmots_algorithm_type_t otstype,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *seed,
- size_t seed_size)
-{
- unsigned int idx = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (type != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ctx->params.type = type;
- ctx->params.otstype = otstype;
- ctx->have_private_key = 1;
-
- ret = f_rng(p_rng,
- ctx->params.I_key_identifier,
- MBEDTLS_LMOTS_I_KEY_ID_LEN);
- if (ret != 0) {
- goto exit;
- }
-
- /* Requires a cast to size_t to avoid an implicit cast warning on certain
- * platforms (particularly Windows) */
- ctx->ots_private_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
- sizeof(*ctx->ots_private_keys));
- if (ctx->ots_private_keys == NULL) {
- ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
- goto exit;
- }
-
- /* Requires a cast to size_t to avoid an implicit cast warning on certain
- * platforms (particularly Windows) */
- ctx->ots_public_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
- sizeof(*ctx->ots_public_keys));
- if (ctx->ots_public_keys == NULL) {
- ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
- goto exit;
- }
-
- for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
- mbedtls_lmots_private_init(&ctx->ots_private_keys[idx]);
- mbedtls_lmots_public_init(&ctx->ots_public_keys[idx]);
- }
-
-
- for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
- ret = mbedtls_lmots_generate_private_key(&ctx->ots_private_keys[idx],
- otstype,
- ctx->params.I_key_identifier,
- idx, seed, seed_size);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_lmots_calculate_public_key(&ctx->ots_public_keys[idx],
- &ctx->ots_private_keys[idx]);
- if (ret != 0) {
- goto exit;
- }
- }
-
- ctx->q_next_usable_key = 0;
-
-exit:
- if (ret != 0) {
- mbedtls_lms_private_free(ctx);
- }
-
- return ret;
-}
-
-int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
- const mbedtls_lms_private_t *priv_ctx)
-{
- const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(priv_ctx->params.type);
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *tree = NULL;
-
- if (!priv_ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (priv_ctx->params.type
- != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (priv_ctx->params.otstype
- != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- tree = mbedtls_calloc(MERKLE_TREE_NODE_AM(priv_ctx->params.type),
- node_bytes);
- if (tree == NULL) {
- return MBEDTLS_ERR_LMS_ALLOC_FAILED;
- }
-
- memcpy(&ctx->params, &priv_ctx->params,
- sizeof(mbedtls_lmots_parameters_t));
-
- ret = calculate_merkle_tree(priv_ctx, tree);
- if (ret != 0) {
- goto exit;
- }
-
- /* Root node is always at position 1, due to 1-based indexing */
- memcpy(ctx->T_1_pub_key, &tree[node_bytes], node_bytes);
-
- ctx->have_public_key = 1;
-
- ret = 0;
-
-exit:
- mbedtls_zeroize_and_free(tree, node_bytes *
- MERKLE_TREE_NODE_AM(priv_ctx->params.type));
-
- return ret;
-}
-
-
-int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, const unsigned char *msg,
- unsigned int msg_size, unsigned char *sig, size_t sig_size,
- size_t *sig_len)
-{
- uint32_t q_leaf_identifier;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (!ctx->have_private_key) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (sig_size < MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
- return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
- }
-
- if (ctx->params.type != MBEDTLS_LMS_SHA256_M32_H10) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->params.otstype
- != MBEDTLS_LMOTS_SHA256_N32_W8) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- if (ctx->q_next_usable_key >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
- return MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS;
- }
-
-
- q_leaf_identifier = ctx->q_next_usable_key;
- /* This new value must _always_ be written back to the disk before the
- * signature is returned.
- */
- ctx->q_next_usable_key += 1;
-
- if (MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)
- < SIG_OTS_SIG_OFFSET) {
- return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
- }
-
- ret = mbedtls_lmots_sign(&ctx->ots_private_keys[q_leaf_identifier],
- f_rng,
- p_rng,
- msg,
- msg_size,
- sig + SIG_OTS_SIG_OFFSET,
- MBEDTLS_LMS_SIG_LEN(ctx->params.type,
- ctx->params.otstype) - SIG_OTS_SIG_OFFSET,
- NULL);
- if (ret != 0) {
- return ret;
- }
-
- mbedtls_lms_unsigned_int_to_network_bytes(ctx->params.type,
- MBEDTLS_LMS_TYPE_LEN,
- sig + SIG_TYPE_OFFSET(ctx->params.otstype));
- mbedtls_lms_unsigned_int_to_network_bytes(q_leaf_identifier,
- MBEDTLS_LMOTS_Q_LEAF_ID_LEN,
- sig + SIG_Q_LEAF_ID_OFFSET);
-
- ret = get_merkle_path(ctx,
- MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
- sig + SIG_PATH_OFFSET(ctx->params.otstype));
- if (ret != 0) {
- return ret;
- }
-
- if (sig_len != NULL) {
- *sig_len = MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype);
- }
-
-
- return 0;
-}
-
-#endif /* defined(MBEDTLS_LMS_PRIVATE) */
-#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/md.c b/library/md.c
deleted file mode 100644
index 6dfbba7..0000000
--- a/library/md.c
+++ /dev/null
@@ -1,1120 +0,0 @@
-/**
- * \file md.c
- *
- * \brief Generic message digest wrapper for Mbed TLS
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-/*
- * Availability of functions in this module is controlled by two
- * feature macros:
- * - MBEDTLS_MD_C enables the whole module;
- * - MBEDTLS_MD_LIGHT enables only functions for hashing and accessing
- * most hash metadata (everything except string names); is it
- * automatically set whenever MBEDTLS_MD_C is defined.
- *
- * In this file, functions from MD_LIGHT are at the top, MD_C at the end.
- *
- * In the future we may want to change the contract of some functions
- * (behaviour with NULL arguments) depending on whether MD_C is defined or
- * only MD_LIGHT. Also, the exact scope of MD_LIGHT might vary.
- *
- * For these reasons, we're keeping MD_LIGHT internal for now.
- */
-#if defined(MBEDTLS_MD_LIGHT)
-
-#include "mbedtls/md.h"
-#include "md_wrap.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include "mbedtls/md5.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/sha3.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include <psa/crypto.h>
-#include "md_psa.h"
-#include "psa_util_internal.h"
-#endif
-
-#if defined(MBEDTLS_MD_SOME_PSA)
-#include "psa_crypto_core.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
-
-/* See comment above MBEDTLS_MD_MAX_SIZE in md.h */
-#if defined(MBEDTLS_PSA_CRYPTO_C) && MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE
-#error "Internal error: MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE"
-#endif
-
-#if defined(MBEDTLS_MD_C)
-#define MD_INFO(type, out_size, block_size) type, out_size, block_size,
-#else
-#define MD_INFO(type, out_size, block_size) type, out_size,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_MD5)
-static const mbedtls_md_info_t mbedtls_md5_info = {
- MD_INFO(MBEDTLS_MD_MD5, 16, 64)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
-static const mbedtls_md_info_t mbedtls_ripemd160_info = {
- MD_INFO(MBEDTLS_MD_RIPEMD160, 20, 64)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
-static const mbedtls_md_info_t mbedtls_sha1_info = {
- MD_INFO(MBEDTLS_MD_SHA1, 20, 64)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA224)
-static const mbedtls_md_info_t mbedtls_sha224_info = {
- MD_INFO(MBEDTLS_MD_SHA224, 28, 64)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static const mbedtls_md_info_t mbedtls_sha256_info = {
- MD_INFO(MBEDTLS_MD_SHA256, 32, 64)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-static const mbedtls_md_info_t mbedtls_sha384_info = {
- MD_INFO(MBEDTLS_MD_SHA384, 48, 128)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA512)
-static const mbedtls_md_info_t mbedtls_sha512_info = {
- MD_INFO(MBEDTLS_MD_SHA512, 64, 128)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
-static const mbedtls_md_info_t mbedtls_sha3_224_info = {
- MD_INFO(MBEDTLS_MD_SHA3_224, 28, 144)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
-static const mbedtls_md_info_t mbedtls_sha3_256_info = {
- MD_INFO(MBEDTLS_MD_SHA3_256, 32, 136)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
-static const mbedtls_md_info_t mbedtls_sha3_384_info = {
- MD_INFO(MBEDTLS_MD_SHA3_384, 48, 104)
-};
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
-static const mbedtls_md_info_t mbedtls_sha3_512_info = {
- MD_INFO(MBEDTLS_MD_SHA3_512, 64, 72)
-};
-#endif
-
-const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
-{
- switch (md_type) {
-#if defined(MBEDTLS_MD_CAN_MD5)
- case MBEDTLS_MD_MD5:
- return &mbedtls_md5_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- case MBEDTLS_MD_RIPEMD160:
- return &mbedtls_ripemd160_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- case MBEDTLS_MD_SHA1:
- return &mbedtls_sha1_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- case MBEDTLS_MD_SHA224:
- return &mbedtls_sha224_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_MD_SHA256:
- return &mbedtls_sha256_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_MD_SHA384:
- return &mbedtls_sha384_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_MD_SHA512:
- return &mbedtls_sha512_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
- case MBEDTLS_MD_SHA3_224:
- return &mbedtls_sha3_224_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
- case MBEDTLS_MD_SHA3_256:
- return &mbedtls_sha3_256_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
- case MBEDTLS_MD_SHA3_384:
- return &mbedtls_sha3_384_info;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
- case MBEDTLS_MD_SHA3_512:
- return &mbedtls_sha3_512_info;
-#endif
- default:
- return NULL;
- }
-}
-
-#if defined(MBEDTLS_MD_SOME_PSA)
-static psa_algorithm_t psa_alg_of_md(const mbedtls_md_info_t *info)
-{
- switch (info->type) {
-#if defined(MBEDTLS_MD_MD5_VIA_PSA)
- case MBEDTLS_MD_MD5:
- return PSA_ALG_MD5;
-#endif
-#if defined(MBEDTLS_MD_RIPEMD160_VIA_PSA)
- case MBEDTLS_MD_RIPEMD160:
- return PSA_ALG_RIPEMD160;
-#endif
-#if defined(MBEDTLS_MD_SHA1_VIA_PSA)
- case MBEDTLS_MD_SHA1:
- return PSA_ALG_SHA_1;
-#endif
-#if defined(MBEDTLS_MD_SHA224_VIA_PSA)
- case MBEDTLS_MD_SHA224:
- return PSA_ALG_SHA_224;
-#endif
-#if defined(MBEDTLS_MD_SHA256_VIA_PSA)
- case MBEDTLS_MD_SHA256:
- return PSA_ALG_SHA_256;
-#endif
-#if defined(MBEDTLS_MD_SHA384_VIA_PSA)
- case MBEDTLS_MD_SHA384:
- return PSA_ALG_SHA_384;
-#endif
-#if defined(MBEDTLS_MD_SHA512_VIA_PSA)
- case MBEDTLS_MD_SHA512:
- return PSA_ALG_SHA_512;
-#endif
-#if defined(MBEDTLS_MD_SHA3_224_VIA_PSA)
- case MBEDTLS_MD_SHA3_224:
- return PSA_ALG_SHA3_224;
-#endif
-#if defined(MBEDTLS_MD_SHA3_256_VIA_PSA)
- case MBEDTLS_MD_SHA3_256:
- return PSA_ALG_SHA3_256;
-#endif
-#if defined(MBEDTLS_MD_SHA3_384_VIA_PSA)
- case MBEDTLS_MD_SHA3_384:
- return PSA_ALG_SHA3_384;
-#endif
-#if defined(MBEDTLS_MD_SHA3_512_VIA_PSA)
- case MBEDTLS_MD_SHA3_512:
- return PSA_ALG_SHA3_512;
-#endif
- default:
- return PSA_ALG_NONE;
- }
-}
-
-static int md_can_use_psa(const mbedtls_md_info_t *info)
-{
- psa_algorithm_t alg = psa_alg_of_md(info);
- if (alg == PSA_ALG_NONE) {
- return 0;
- }
-
- return psa_can_do_hash(alg);
-}
-#endif /* MBEDTLS_MD_SOME_PSA */
-
-void mbedtls_md_init(mbedtls_md_context_t *ctx)
-{
- /* Note: this sets engine (if present) to MBEDTLS_MD_ENGINE_LEGACY */
- memset(ctx, 0, sizeof(mbedtls_md_context_t));
-}
-
-void mbedtls_md_free(mbedtls_md_context_t *ctx)
-{
- if (ctx == NULL || ctx->md_info == NULL) {
- return;
- }
-
- if (ctx->md_ctx != NULL) {
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
- psa_hash_abort(ctx->md_ctx);
- } else
-#endif
- switch (ctx->md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- mbedtls_md5_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- mbedtls_ripemd160_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- mbedtls_sha1_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- mbedtls_sha256_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- mbedtls_sha256_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- mbedtls_sha512_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- mbedtls_sha512_free(ctx->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- case MBEDTLS_MD_SHA3_256:
- case MBEDTLS_MD_SHA3_384:
- case MBEDTLS_MD_SHA3_512:
- mbedtls_sha3_free(ctx->md_ctx);
- break;
-#endif
- default:
- /* Shouldn't happen */
- break;
- }
- mbedtls_free(ctx->md_ctx);
- }
-
-#if defined(MBEDTLS_MD_C)
- if (ctx->hmac_ctx != NULL) {
- mbedtls_zeroize_and_free(ctx->hmac_ctx,
- 2 * ctx->md_info->block_size);
- }
-#endif
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md_context_t));
-}
-
-int mbedtls_md_clone(mbedtls_md_context_t *dst,
- const mbedtls_md_context_t *src)
-{
- if (dst == NULL || dst->md_info == NULL ||
- src == NULL || src->md_info == NULL ||
- dst->md_info != src->md_info) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (src->engine != dst->engine) {
- /* This can happen with src set to legacy because PSA wasn't ready
- * yet, and dst to PSA because it became ready in the meantime.
- * We currently don't support that case (we'd need to re-allocate
- * md_ctx to the size of the appropriate MD context). */
- return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
- }
-
- if (src->engine == MBEDTLS_MD_ENGINE_PSA) {
- psa_status_t status = psa_hash_clone(src->md_ctx, dst->md_ctx);
- return mbedtls_md_error_from_psa(status);
- }
-#endif
-
- switch (src->md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- mbedtls_md5_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- mbedtls_ripemd160_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- mbedtls_sha1_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- case MBEDTLS_MD_SHA3_256:
- case MBEDTLS_MD_SHA3_384:
- case MBEDTLS_MD_SHA3_512:
- mbedtls_sha3_clone(dst->md_ctx, src->md_ctx);
- break;
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-#define ALLOC(type) \
- do { \
- ctx->md_ctx = mbedtls_calloc(1, sizeof(mbedtls_##type##_context)); \
- if (ctx->md_ctx == NULL) \
- return MBEDTLS_ERR_MD_ALLOC_FAILED; \
- mbedtls_##type##_init(ctx->md_ctx); \
- } \
- while (0)
-
-int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
-{
-#if defined(MBEDTLS_MD_C)
- if (ctx == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-#endif
- if (md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- ctx->md_info = md_info;
- ctx->md_ctx = NULL;
-#if defined(MBEDTLS_MD_C)
- ctx->hmac_ctx = NULL;
-#else
- if (hmac != 0) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-#endif
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (md_can_use_psa(ctx->md_info)) {
- ctx->md_ctx = mbedtls_calloc(1, sizeof(psa_hash_operation_t));
- if (ctx->md_ctx == NULL) {
- return MBEDTLS_ERR_MD_ALLOC_FAILED;
- }
- ctx->engine = MBEDTLS_MD_ENGINE_PSA;
- } else
-#endif
- switch (md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- ALLOC(md5);
- break;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- ALLOC(ripemd160);
- break;
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- ALLOC(sha1);
- break;
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- ALLOC(sha256);
- break;
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- ALLOC(sha256);
- break;
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- ALLOC(sha512);
- break;
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- ALLOC(sha512);
- break;
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- case MBEDTLS_MD_SHA3_256:
- case MBEDTLS_MD_SHA3_384:
- case MBEDTLS_MD_SHA3_512:
- ALLOC(sha3);
- break;
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_MD_C)
- if (hmac != 0) {
- ctx->hmac_ctx = mbedtls_calloc(2, md_info->block_size);
- if (ctx->hmac_ctx == NULL) {
- mbedtls_md_free(ctx);
- return MBEDTLS_ERR_MD_ALLOC_FAILED;
- }
- }
-#endif
-
- return 0;
-}
-#undef ALLOC
-
-int mbedtls_md_starts(mbedtls_md_context_t *ctx)
-{
-#if defined(MBEDTLS_MD_C)
- if (ctx == NULL || ctx->md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-#endif
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
- psa_algorithm_t alg = psa_alg_of_md(ctx->md_info);
- psa_hash_abort(ctx->md_ctx);
- psa_status_t status = psa_hash_setup(ctx->md_ctx, alg);
- return mbedtls_md_error_from_psa(status);
- }
-#endif
-
- switch (ctx->md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- return mbedtls_md5_starts(ctx->md_ctx);
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- return mbedtls_ripemd160_starts(ctx->md_ctx);
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- return mbedtls_sha1_starts(ctx->md_ctx);
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- return mbedtls_sha256_starts(ctx->md_ctx, 1);
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- return mbedtls_sha256_starts(ctx->md_ctx, 0);
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- return mbedtls_sha512_starts(ctx->md_ctx, 1);
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- return mbedtls_sha512_starts(ctx->md_ctx, 0);
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_224);
- case MBEDTLS_MD_SHA3_256:
- return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_256);
- case MBEDTLS_MD_SHA3_384:
- return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_384);
- case MBEDTLS_MD_SHA3_512:
- return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_512);
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-}
-
-int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
-{
-#if defined(MBEDTLS_MD_C)
- if (ctx == NULL || ctx->md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-#endif
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
- psa_status_t status = psa_hash_update(ctx->md_ctx, input, ilen);
- return mbedtls_md_error_from_psa(status);
- }
-#endif
-
- switch (ctx->md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- return mbedtls_md5_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- return mbedtls_ripemd160_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- return mbedtls_sha1_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- case MBEDTLS_MD_SHA3_256:
- case MBEDTLS_MD_SHA3_384:
- case MBEDTLS_MD_SHA3_512:
- return mbedtls_sha3_update(ctx->md_ctx, input, ilen);
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-}
-
-int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
-{
-#if defined(MBEDTLS_MD_C)
- if (ctx == NULL || ctx->md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-#endif
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
- size_t size = ctx->md_info->size;
- psa_status_t status = psa_hash_finish(ctx->md_ctx,
- output, size, &size);
- return mbedtls_md_error_from_psa(status);
- }
-#endif
-
- switch (ctx->md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- return mbedtls_md5_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- return mbedtls_ripemd160_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- return mbedtls_sha1_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- return mbedtls_sha256_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- return mbedtls_sha256_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- return mbedtls_sha512_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- return mbedtls_sha512_finish(ctx->md_ctx, output);
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- case MBEDTLS_MD_SHA3_256:
- case MBEDTLS_MD_SHA3_384:
- case MBEDTLS_MD_SHA3_512:
- return mbedtls_sha3_finish(ctx->md_ctx, output, ctx->md_info->size);
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-}
-
-int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
- unsigned char *output)
-{
- if (md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_MD_SOME_PSA)
- if (md_can_use_psa(md_info)) {
- size_t size = md_info->size;
- psa_status_t status = psa_hash_compute(psa_alg_of_md(md_info),
- input, ilen,
- output, size, &size);
- return mbedtls_md_error_from_psa(status);
- }
-#endif
-
- switch (md_info->type) {
-#if defined(MBEDTLS_MD5_C)
- case MBEDTLS_MD_MD5:
- return mbedtls_md5(input, ilen, output);
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
- case MBEDTLS_MD_RIPEMD160:
- return mbedtls_ripemd160(input, ilen, output);
-#endif
-#if defined(MBEDTLS_SHA1_C)
- case MBEDTLS_MD_SHA1:
- return mbedtls_sha1(input, ilen, output);
-#endif
-#if defined(MBEDTLS_SHA224_C)
- case MBEDTLS_MD_SHA224:
- return mbedtls_sha256(input, ilen, output, 1);
-#endif
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_SHA256:
- return mbedtls_sha256(input, ilen, output, 0);
-#endif
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_MD_SHA384:
- return mbedtls_sha512(input, ilen, output, 1);
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA512:
- return mbedtls_sha512(input, ilen, output, 0);
-#endif
-#if defined(MBEDTLS_SHA3_C)
- case MBEDTLS_MD_SHA3_224:
- return mbedtls_sha3(MBEDTLS_SHA3_224, input, ilen, output, md_info->size);
- case MBEDTLS_MD_SHA3_256:
- return mbedtls_sha3(MBEDTLS_SHA3_256, input, ilen, output, md_info->size);
- case MBEDTLS_MD_SHA3_384:
- return mbedtls_sha3(MBEDTLS_SHA3_384, input, ilen, output, md_info->size);
- case MBEDTLS_MD_SHA3_512:
- return mbedtls_sha3(MBEDTLS_SHA3_512, input, ilen, output, md_info->size);
-#endif
- default:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-}
-
-unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info)
-{
- if (md_info == NULL) {
- return 0;
- }
-
- return md_info->size;
-}
-
-mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
-{
- if (md_info == NULL) {
- return MBEDTLS_MD_NONE;
- }
-
- return md_info->type;
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-int mbedtls_md_error_from_psa(psa_status_t status)
-{
- return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
- psa_generic_status_to_mbedtls);
-}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-
-/************************************************************************
- * Functions above this separator are part of MBEDTLS_MD_LIGHT, *
- * functions below are only available when MBEDTLS_MD_C is set. *
- ************************************************************************/
-#if defined(MBEDTLS_MD_C)
-
-/*
- * Reminder: update profiles in x509_crt.c when adding a new hash!
- */
-static const int supported_digests[] = {
-
-#if defined(MBEDTLS_MD_CAN_SHA512)
- MBEDTLS_MD_SHA512,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- MBEDTLS_MD_SHA384,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_MD_SHA256,
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- MBEDTLS_MD_SHA224,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- MBEDTLS_MD_SHA1,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- MBEDTLS_MD_RIPEMD160,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_MD5)
- MBEDTLS_MD_MD5,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
- MBEDTLS_MD_SHA3_224,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
- MBEDTLS_MD_SHA3_256,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
- MBEDTLS_MD_SHA3_384,
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
- MBEDTLS_MD_SHA3_512,
-#endif
-
- MBEDTLS_MD_NONE
-};
-
-const int *mbedtls_md_list(void)
-{
- return supported_digests;
-}
-
-typedef struct {
- const char *md_name;
- mbedtls_md_type_t md_type;
-} md_name_entry;
-
-static const md_name_entry md_names[] = {
-#if defined(MBEDTLS_MD_CAN_MD5)
- { "MD5", MBEDTLS_MD_MD5 },
-#endif
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- { "RIPEMD160", MBEDTLS_MD_RIPEMD160 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { "SHA1", MBEDTLS_MD_SHA1 },
- { "SHA", MBEDTLS_MD_SHA1 }, // compatibility fallback
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- { "SHA224", MBEDTLS_MD_SHA224 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { "SHA256", MBEDTLS_MD_SHA256 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { "SHA384", MBEDTLS_MD_SHA384 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- { "SHA512", MBEDTLS_MD_SHA512 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
- { "SHA3-224", MBEDTLS_MD_SHA3_224 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
- { "SHA3-256", MBEDTLS_MD_SHA3_256 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
- { "SHA3-384", MBEDTLS_MD_SHA3_384 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
- { "SHA3-512", MBEDTLS_MD_SHA3_512 },
-#endif
- { NULL, MBEDTLS_MD_NONE },
-};
-
-const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name)
-{
- if (NULL == md_name) {
- return NULL;
- }
-
- const md_name_entry *entry = md_names;
- while (entry->md_name != NULL &&
- strcmp(entry->md_name, md_name) != 0) {
- ++entry;
- }
-
- return mbedtls_md_info_from_type(entry->md_type);
-}
-
-const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info)
-{
- if (md_info == NULL) {
- return NULL;
- }
-
- const md_name_entry *entry = md_names;
- while (entry->md_type != MBEDTLS_MD_NONE &&
- entry->md_type != md_info->type) {
- ++entry;
- }
-
- return entry->md_name;
-}
-
-const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
- const mbedtls_md_context_t *ctx)
-{
- if (ctx == NULL) {
- return NULL;
- }
-
- return ctx->MBEDTLS_PRIVATE(md_info);
-}
-
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path, unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- FILE *f;
- size_t n;
- mbedtls_md_context_t ctx;
- unsigned char buf[1024];
-
- if (md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_MD_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- mbedtls_md_init(&ctx);
-
- if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_starts(&ctx)) != 0) {
- goto cleanup;
- }
-
- while ((n = fread(buf, 1, sizeof(buf), f)) > 0) {
- if ((ret = mbedtls_md_update(&ctx, buf, n)) != 0) {
- goto cleanup;
- }
- }
-
- if (ferror(f) != 0) {
- ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
- } else {
- ret = mbedtls_md_finish(&ctx, output);
- }
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- fclose(f);
- mbedtls_md_free(&ctx);
-
- return ret;
-}
-#endif /* MBEDTLS_FS_IO */
-
-int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char sum[MBEDTLS_MD_MAX_SIZE];
- unsigned char *ipad, *opad;
-
- if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- if (keylen > (size_t) ctx->md_info->block_size) {
- if ((ret = mbedtls_md_starts(ctx)) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_md_update(ctx, key, keylen)) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_md_finish(ctx, sum)) != 0) {
- goto cleanup;
- }
-
- keylen = ctx->md_info->size;
- key = sum;
- }
-
- ipad = (unsigned char *) ctx->hmac_ctx;
- opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
-
- memset(ipad, 0x36, ctx->md_info->block_size);
- memset(opad, 0x5C, ctx->md_info->block_size);
-
- mbedtls_xor(ipad, ipad, key, keylen);
- mbedtls_xor(opad, opad, key, keylen);
-
- if ((ret = mbedtls_md_starts(ctx)) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_md_update(ctx, ipad,
- ctx->md_info->block_size)) != 0) {
- goto cleanup;
- }
-
-cleanup:
- mbedtls_platform_zeroize(sum, sizeof(sum));
-
- return ret;
-}
-
-int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
-{
- if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- return mbedtls_md_update(ctx, input, ilen);
-}
-
-int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
- unsigned char *opad;
-
- if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
-
- if ((ret = mbedtls_md_finish(ctx, tmp)) != 0) {
- return ret;
- }
- if ((ret = mbedtls_md_starts(ctx)) != 0) {
- return ret;
- }
- if ((ret = mbedtls_md_update(ctx, opad,
- ctx->md_info->block_size)) != 0) {
- return ret;
- }
- if ((ret = mbedtls_md_update(ctx, tmp,
- ctx->md_info->size)) != 0) {
- return ret;
- }
- return mbedtls_md_finish(ctx, output);
-}
-
-int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *ipad;
-
- if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- ipad = (unsigned char *) ctx->hmac_ctx;
-
- if ((ret = mbedtls_md_starts(ctx)) != 0) {
- return ret;
- }
- return mbedtls_md_update(ctx, ipad, ctx->md_info->block_size);
-}
-
-int mbedtls_md_hmac(const mbedtls_md_info_t *md_info,
- const unsigned char *key, size_t keylen,
- const unsigned char *input, size_t ilen,
- unsigned char *output)
-{
- mbedtls_md_context_t ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (md_info == NULL) {
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- }
-
- mbedtls_md_init(&ctx);
-
- if ((ret = mbedtls_md_setup(&ctx, md_info, 1)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_starts(&ctx, key, keylen)) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_md_hmac_update(&ctx, input, ilen)) != 0) {
- goto cleanup;
- }
- if ((ret = mbedtls_md_hmac_finish(&ctx, output)) != 0) {
- goto cleanup;
- }
-
-cleanup:
- mbedtls_md_free(&ctx);
-
- return ret;
-}
-
-#endif /* MBEDTLS_MD_C */
-
-#endif /* MBEDTLS_MD_LIGHT */
diff --git a/library/md5.c b/library/md5.c
deleted file mode 100644
index 7e7e3ad..0000000
--- a/library/md5.c
+++ /dev/null
@@ -1,438 +0,0 @@
-/*
- * RFC 1321 compliant MD5 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The MD5 algorithm was designed by Ron Rivest in 1991.
- *
- * http://www.ietf.org/rfc/rfc1321.txt
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_MD5_C)
-
-#include "mbedtls/md5.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_MD5_ALT)
-
-void mbedtls_md5_init(mbedtls_md5_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_md5_context));
-}
-
-void mbedtls_md5_free(mbedtls_md5_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md5_context));
-}
-
-void mbedtls_md5_clone(mbedtls_md5_context *dst,
- const mbedtls_md5_context *src)
-{
- *dst = *src;
-}
-
-/*
- * MD5 context setup
- */
-int mbedtls_md5_starts(mbedtls_md5_context *ctx)
-{
- ctx->total[0] = 0;
- ctx->total[1] = 0;
-
- ctx->state[0] = 0x67452301;
- ctx->state[1] = 0xEFCDAB89;
- ctx->state[2] = 0x98BADCFE;
- ctx->state[3] = 0x10325476;
-
- return 0;
-}
-
-#if !defined(MBEDTLS_MD5_PROCESS_ALT)
-int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
- const unsigned char data[64])
-{
- struct {
- uint32_t X[16], A, B, C, D;
- } local;
-
- local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
- local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
- local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
- local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
- local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
- local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
- local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
- local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
- local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
- local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
- local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
- local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
- local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
- local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
- local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
- local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
-
-#define S(x, n) \
- (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
-
-#define P(a, b, c, d, k, s, t) \
- do \
- { \
- (a) += F((b), (c), (d)) + local.X[(k)] + (t); \
- (a) = S((a), (s)) + (b); \
- } while (0)
-
- local.A = ctx->state[0];
- local.B = ctx->state[1];
- local.C = ctx->state[2];
- local.D = ctx->state[3];
-
-#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
-
- P(local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478);
- P(local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756);
- P(local.C, local.D, local.A, local.B, 2, 17, 0x242070DB);
- P(local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE);
- P(local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF);
- P(local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A);
- P(local.C, local.D, local.A, local.B, 6, 17, 0xA8304613);
- P(local.B, local.C, local.D, local.A, 7, 22, 0xFD469501);
- P(local.A, local.B, local.C, local.D, 8, 7, 0x698098D8);
- P(local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF);
- P(local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1);
- P(local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE);
- P(local.A, local.B, local.C, local.D, 12, 7, 0x6B901122);
- P(local.D, local.A, local.B, local.C, 13, 12, 0xFD987193);
- P(local.C, local.D, local.A, local.B, 14, 17, 0xA679438E);
- P(local.B, local.C, local.D, local.A, 15, 22, 0x49B40821);
-
-#undef F
-
-#define F(x, y, z) ((y) ^ ((z) & ((x) ^ (y))))
-
- P(local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562);
- P(local.D, local.A, local.B, local.C, 6, 9, 0xC040B340);
- P(local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51);
- P(local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA);
- P(local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D);
- P(local.D, local.A, local.B, local.C, 10, 9, 0x02441453);
- P(local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681);
- P(local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8);
- P(local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6);
- P(local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6);
- P(local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87);
- P(local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED);
- P(local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905);
- P(local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8);
- P(local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9);
- P(local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A);
-
-#undef F
-
-#define F(x, y, z) ((x) ^ (y) ^ (z))
-
- P(local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942);
- P(local.D, local.A, local.B, local.C, 8, 11, 0x8771F681);
- P(local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122);
- P(local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C);
- P(local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44);
- P(local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9);
- P(local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60);
- P(local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70);
- P(local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6);
- P(local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA);
- P(local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085);
- P(local.B, local.C, local.D, local.A, 6, 23, 0x04881D05);
- P(local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039);
- P(local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5);
- P(local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8);
- P(local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665);
-
-#undef F
-
-#define F(x, y, z) ((y) ^ ((x) | ~(z)))
-
- P(local.A, local.B, local.C, local.D, 0, 6, 0xF4292244);
- P(local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97);
- P(local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7);
- P(local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039);
- P(local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3);
- P(local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92);
- P(local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D);
- P(local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1);
- P(local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F);
- P(local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0);
- P(local.C, local.D, local.A, local.B, 6, 15, 0xA3014314);
- P(local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1);
- P(local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82);
- P(local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235);
- P(local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB);
- P(local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391);
-
-#undef F
-
- ctx->state[0] += local.A;
- ctx->state[1] += local.B;
- ctx->state[2] += local.C;
- ctx->state[3] += local.D;
-
- /* Zeroise variables to clear sensitive data from memory. */
- mbedtls_platform_zeroize(&local, sizeof(local));
-
- return 0;
-}
-
-#endif /* !MBEDTLS_MD5_PROCESS_ALT */
-
-/*
- * MD5 process buffer
- */
-int mbedtls_md5_update(mbedtls_md5_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t fill;
- uint32_t left;
-
- if (ilen == 0) {
- return 0;
- }
-
- left = ctx->total[0] & 0x3F;
- fill = 64 - left;
-
- ctx->total[0] += (uint32_t) ilen;
- ctx->total[0] &= 0xFFFFFFFF;
-
- if (ctx->total[0] < (uint32_t) ilen) {
- ctx->total[1]++;
- }
-
- if (left && ilen >= fill) {
- memcpy((void *) (ctx->buffer + left), input, fill);
- if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
- return ret;
- }
-
- input += fill;
- ilen -= fill;
- left = 0;
- }
-
- while (ilen >= 64) {
- if ((ret = mbedtls_internal_md5_process(ctx, input)) != 0) {
- return ret;
- }
-
- input += 64;
- ilen -= 64;
- }
-
- if (ilen > 0) {
- memcpy((void *) (ctx->buffer + left), input, ilen);
- }
-
- return 0;
-}
-
-/*
- * MD5 final digest
- */
-int mbedtls_md5_finish(mbedtls_md5_context *ctx,
- unsigned char output[16])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint32_t used;
- uint32_t high, low;
-
- /*
- * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
- */
- used = ctx->total[0] & 0x3F;
-
- ctx->buffer[used++] = 0x80;
-
- if (used <= 56) {
- /* Enough room for padding + length in current block */
- memset(ctx->buffer + used, 0, 56 - used);
- } else {
- /* We'll need an extra block */
- memset(ctx->buffer + used, 0, 64 - used);
-
- if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- memset(ctx->buffer, 0, 56);
- }
-
- /*
- * Add message length
- */
- high = (ctx->total[0] >> 29)
- | (ctx->total[1] << 3);
- low = (ctx->total[0] << 3);
-
- MBEDTLS_PUT_UINT32_LE(low, ctx->buffer, 56);
- MBEDTLS_PUT_UINT32_LE(high, ctx->buffer, 60);
-
- if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- /*
- * Output final state
- */
- MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
- MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
- MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
- MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
-
- ret = 0;
-
-exit:
- mbedtls_md5_free(ctx);
- return ret;
-}
-
-#endif /* !MBEDTLS_MD5_ALT */
-
-/*
- * output = MD5( input buffer )
- */
-int mbedtls_md5(const unsigned char *input,
- size_t ilen,
- unsigned char output[16])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md5_context ctx;
-
- mbedtls_md5_init(&ctx);
-
- if ((ret = mbedtls_md5_starts(&ctx)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_md5_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_md5_finish(&ctx, output)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_md5_free(&ctx);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * RFC 1321 test vectors
- */
-static const unsigned char md5_test_buf[7][81] =
-{
- { "" },
- { "a" },
- { "abc" },
- { "message digest" },
- { "abcdefghijklmnopqrstuvwxyz" },
- { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
-};
-
-static const size_t md5_test_buflen[7] =
-{
- 0, 1, 3, 14, 26, 62, 80
-};
-
-static const unsigned char md5_test_sum[7][16] =
-{
- { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
- 0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
- { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
- 0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
- { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
- 0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
- { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
- 0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
- { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
- 0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
- { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
- 0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
- { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
- 0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
-};
-
-/*
- * Checkup routine
- */
-int mbedtls_md5_self_test(int verbose)
-{
- int i, ret = 0;
- unsigned char md5sum[16];
-
- for (i = 0; i < 7; i++) {
- if (verbose != 0) {
- mbedtls_printf(" MD5 test #%d: ", i + 1);
- }
-
- ret = mbedtls_md5(md5_test_buf[i], md5_test_buflen[i], md5sum);
- if (ret != 0) {
- goto fail;
- }
-
- if (memcmp(md5sum, md5_test_sum[i], 16) != 0) {
- ret = 1;
- goto fail;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-
-fail:
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_MD5_C */
diff --git a/library/md_psa.h b/library/md_psa.h
deleted file mode 100644
index 8e00bb1..0000000
--- a/library/md_psa.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Translation between MD and PSA identifiers (algorithms, errors).
- *
- * Note: this internal module will go away when everything becomes based on
- * PSA Crypto; it is a helper for the transition period.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_MD_PSA_H
-#define MBEDTLS_MD_PSA_H
-
-#include "common.h"
-
-#include "mbedtls/md.h"
-#include "psa/crypto.h"
-
-/**
- * \brief This function returns the PSA algorithm identifier
- * associated with the given digest type.
- *
- * \param md_type The type of digest to search for. Must not be NONE.
- *
- * \warning If \p md_type is \c MBEDTLS_MD_NONE, this function will
- * not return \c PSA_ALG_NONE, but an invalid algorithm.
- *
- * \warning This function does not check if the algorithm is
- * supported, it always returns the corresponding identifier.
- *
- * \return The PSA algorithm identifier associated with \p md_type,
- * regardless of whether it is supported or not.
- */
-static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
-{
- return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) md_type;
-}
-
-/**
- * \brief This function returns the given digest type
- * associated with the PSA algorithm identifier.
- *
- * \param psa_alg The PSA algorithm identifier to search for.
- *
- * \warning This function does not check if the algorithm is
- * supported, it always returns the corresponding identifier.
- *
- * \return The MD type associated with \p psa_alg,
- * regardless of whether it is supported or not.
- */
-static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
-{
- return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
-}
-
-/** Convert PSA status to MD error code.
- *
- * \param status PSA status.
- *
- * \return The corresponding MD error code,
- */
-int mbedtls_md_error_from_psa(psa_status_t status);
-
-#endif /* MBEDTLS_MD_PSA_H */
diff --git a/library/md_wrap.h b/library/md_wrap.h
deleted file mode 100644
index 166b43b..0000000
--- a/library/md_wrap.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * \file md_wrap.h
- *
- * \brief Message digest wrappers.
- *
- * \warning This in an internal header. Do not include directly.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_MD_WRAP_H
-#define MBEDTLS_MD_WRAP_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/md.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Message digest information.
- * Allows message digest functions to be called in a generic way.
- */
-struct mbedtls_md_info_t {
- /** Digest identifier */
- mbedtls_md_type_t type;
-
- /** Output length of the digest function in bytes */
- unsigned char size;
-
-#if defined(MBEDTLS_MD_C)
- /** Block length of the digest function in bytes */
- unsigned char block_size;
-#endif
-};
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_MD_WRAP_H */
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
deleted file mode 100644
index e5052ce..0000000
--- a/library/memory_buffer_alloc.c
+++ /dev/null
@@ -1,757 +0,0 @@
-/*
- * Buffer-based memory allocator
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
-
-/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
- is dependent upon MBEDTLS_PLATFORM_C */
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
-#include <execinfo.h>
-#endif
-
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-
-#define MAGIC1 0xFF00AA55
-#define MAGIC2 0xEE119966
-#define MAX_BT 20
-
-typedef struct _memory_header memory_header;
-struct _memory_header {
- size_t magic1;
- size_t size;
- size_t alloc;
- memory_header *prev;
- memory_header *next;
- memory_header *prev_free;
- memory_header *next_free;
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- char **trace;
- size_t trace_count;
-#endif
- size_t magic2;
-};
-
-typedef struct {
- unsigned char *buf;
- size_t len;
- memory_header *first;
- memory_header *first_free;
- int verify;
-#if defined(MBEDTLS_MEMORY_DEBUG)
- size_t alloc_count;
- size_t free_count;
- size_t total_used;
- size_t maximum_used;
- size_t header_count;
- size_t maximum_header_count;
-#endif
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_threading_mutex_t mutex;
-#endif
-}
-buffer_alloc_ctx;
-
-static buffer_alloc_ctx heap;
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
-static void debug_header(memory_header *hdr)
-{
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- size_t i;
-#endif
-
- mbedtls_fprintf(stderr, "HDR: PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
- "ALLOC(%zu), SIZE(%10zu)\n",
- (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
- hdr->alloc, hdr->size);
- mbedtls_fprintf(stderr, " FPREV(%10zu), FNEXT(%10zu)\n",
- (size_t) hdr->prev_free, (size_t) hdr->next_free);
-
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- mbedtls_fprintf(stderr, "TRACE: \n");
- for (i = 0; i < hdr->trace_count; i++) {
- mbedtls_fprintf(stderr, "%s\n", hdr->trace[i]);
- }
- mbedtls_fprintf(stderr, "\n");
-#endif
-}
-
-static void debug_chain(void)
-{
- memory_header *cur = heap.first;
-
- mbedtls_fprintf(stderr, "\nBlock list\n");
- while (cur != NULL) {
- debug_header(cur);
- cur = cur->next;
- }
-
- mbedtls_fprintf(stderr, "Free list\n");
- cur = heap.first_free;
-
- while (cur != NULL) {
- debug_header(cur);
- cur = cur->next_free;
- }
-}
-#endif /* MBEDTLS_MEMORY_DEBUG */
-
-static int verify_header(memory_header *hdr)
-{
- if (hdr->magic1 != MAGIC1) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: MAGIC1 mismatch\n");
-#endif
- return 1;
- }
-
- if (hdr->magic2 != MAGIC2) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: MAGIC2 mismatch\n");
-#endif
- return 1;
- }
-
- if (hdr->alloc > 1) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: alloc has illegal value\n");
-#endif
- return 1;
- }
-
- if (hdr->prev != NULL && hdr->prev == hdr->next) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: prev == next\n");
-#endif
- return 1;
- }
-
- if (hdr->prev_free != NULL && hdr->prev_free == hdr->next_free) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: prev_free == next_free\n");
-#endif
- return 1;
- }
-
- return 0;
-}
-
-static int verify_chain(void)
-{
- memory_header *prv = heap.first, *cur;
-
- if (prv == NULL || verify_header(prv) != 0) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: verification of first header "
- "failed\n");
-#endif
- return 1;
- }
-
- if (heap.first->prev != NULL) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: verification failed: "
- "first->prev != NULL\n");
-#endif
- return 1;
- }
-
- cur = heap.first->next;
-
- while (cur != NULL) {
- if (verify_header(cur) != 0) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: verification of header "
- "failed\n");
-#endif
- return 1;
- }
-
- if (cur->prev != prv) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: verification failed: "
- "cur->prev != prv\n");
-#endif
- return 1;
- }
-
- prv = cur;
- cur = cur->next;
- }
-
- return 0;
-}
-
-static void *buffer_alloc_calloc(size_t n, size_t size)
-{
- memory_header *new, *cur = heap.first_free;
- unsigned char *p;
- void *ret;
- size_t original_len, len;
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- void *trace_buffer[MAX_BT];
- size_t trace_cnt;
-#endif
-
- if (heap.buf == NULL || heap.first == NULL) {
- return NULL;
- }
-
- original_len = len = n * size;
-
- if (n == 0 || size == 0 || len / n != size) {
- return NULL;
- } else if (len > (size_t) -MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
- return NULL;
- }
-
- if (len % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
- len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
- len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
- }
-
- // Find block that fits
- //
- while (cur != NULL) {
- if (cur->size >= len) {
- break;
- }
-
- cur = cur->next_free;
- }
-
- if (cur == NULL) {
- return NULL;
- }
-
- if (cur->alloc != 0) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: block in free_list but allocated "
- "data\n");
-#endif
- mbedtls_exit(1);
- }
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.alloc_count++;
-#endif
-
- // Found location, split block if > memory_header + 4 room left
- //
- if (cur->size - len < sizeof(memory_header) +
- MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
- cur->alloc = 1;
-
- // Remove from free_list
- //
- if (cur->prev_free != NULL) {
- cur->prev_free->next_free = cur->next_free;
- } else {
- heap.first_free = cur->next_free;
- }
-
- if (cur->next_free != NULL) {
- cur->next_free->prev_free = cur->prev_free;
- }
-
- cur->prev_free = NULL;
- cur->next_free = NULL;
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.total_used += cur->size;
- if (heap.total_used > heap.maximum_used) {
- heap.maximum_used = heap.total_used;
- }
-#endif
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- trace_cnt = backtrace(trace_buffer, MAX_BT);
- cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
- cur->trace_count = trace_cnt;
-#endif
-
- if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
- mbedtls_exit(1);
- }
-
- ret = (unsigned char *) cur + sizeof(memory_header);
- memset(ret, 0, original_len);
-
- return ret;
- }
-
- p = ((unsigned char *) cur) + sizeof(memory_header) + len;
- new = (memory_header *) p;
-
- new->size = cur->size - len - sizeof(memory_header);
- new->alloc = 0;
- new->prev = cur;
- new->next = cur->next;
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- new->trace = NULL;
- new->trace_count = 0;
-#endif
- new->magic1 = MAGIC1;
- new->magic2 = MAGIC2;
-
- if (new->next != NULL) {
- new->next->prev = new;
- }
-
- // Replace cur with new in free_list
- //
- new->prev_free = cur->prev_free;
- new->next_free = cur->next_free;
- if (new->prev_free != NULL) {
- new->prev_free->next_free = new;
- } else {
- heap.first_free = new;
- }
-
- if (new->next_free != NULL) {
- new->next_free->prev_free = new;
- }
-
- cur->alloc = 1;
- cur->size = len;
- cur->next = new;
- cur->prev_free = NULL;
- cur->next_free = NULL;
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.header_count++;
- if (heap.header_count > heap.maximum_header_count) {
- heap.maximum_header_count = heap.header_count;
- }
- heap.total_used += cur->size;
- if (heap.total_used > heap.maximum_used) {
- heap.maximum_used = heap.total_used;
- }
-#endif
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- trace_cnt = backtrace(trace_buffer, MAX_BT);
- cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
- cur->trace_count = trace_cnt;
-#endif
-
- if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
- mbedtls_exit(1);
- }
-
- ret = (unsigned char *) cur + sizeof(memory_header);
- memset(ret, 0, original_len);
-
- return ret;
-}
-
-static void buffer_alloc_free(void *ptr)
-{
- memory_header *hdr, *old = NULL;
- unsigned char *p = (unsigned char *) ptr;
-
- if (ptr == NULL || heap.buf == NULL || heap.first == NULL) {
- return;
- }
-
- if (p < heap.buf || p >= heap.buf + heap.len) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: mbedtls_free() outside of managed "
- "space\n");
-#endif
- mbedtls_exit(1);
- }
-
- p -= sizeof(memory_header);
- hdr = (memory_header *) p;
-
- if (verify_header(hdr) != 0) {
- mbedtls_exit(1);
- }
-
- if (hdr->alloc != 1) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- mbedtls_fprintf(stderr, "FATAL: mbedtls_free() on unallocated "
- "data\n");
-#endif
- mbedtls_exit(1);
- }
-
- hdr->alloc = 0;
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.free_count++;
- heap.total_used -= hdr->size;
-#endif
-
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- free(hdr->trace);
- hdr->trace = NULL;
- hdr->trace_count = 0;
-#endif
-
- // Regroup with block before
- //
- if (hdr->prev != NULL && hdr->prev->alloc == 0) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.header_count--;
-#endif
- hdr->prev->size += sizeof(memory_header) + hdr->size;
- hdr->prev->next = hdr->next;
- old = hdr;
- hdr = hdr->prev;
-
- if (hdr->next != NULL) {
- hdr->next->prev = hdr;
- }
-
- memset(old, 0, sizeof(memory_header));
- }
-
- // Regroup with block after
- //
- if (hdr->next != NULL && hdr->next->alloc == 0) {
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.header_count--;
-#endif
- hdr->size += sizeof(memory_header) + hdr->next->size;
- old = hdr->next;
- hdr->next = hdr->next->next;
-
- if (hdr->prev_free != NULL || hdr->next_free != NULL) {
- if (hdr->prev_free != NULL) {
- hdr->prev_free->next_free = hdr->next_free;
- } else {
- heap.first_free = hdr->next_free;
- }
-
- if (hdr->next_free != NULL) {
- hdr->next_free->prev_free = hdr->prev_free;
- }
- }
-
- hdr->prev_free = old->prev_free;
- hdr->next_free = old->next_free;
-
- if (hdr->prev_free != NULL) {
- hdr->prev_free->next_free = hdr;
- } else {
- heap.first_free = hdr;
- }
-
- if (hdr->next_free != NULL) {
- hdr->next_free->prev_free = hdr;
- }
-
- if (hdr->next != NULL) {
- hdr->next->prev = hdr;
- }
-
- memset(old, 0, sizeof(memory_header));
- }
-
- // Prepend to free_list if we have not merged
- // (Does not have to stay in same order as prev / next list)
- //
- if (old == NULL) {
- hdr->next_free = heap.first_free;
- if (heap.first_free != NULL) {
- heap.first_free->prev_free = hdr;
- }
- heap.first_free = hdr;
- }
-
- if ((heap.verify & MBEDTLS_MEMORY_VERIFY_FREE) && verify_chain() != 0) {
- mbedtls_exit(1);
- }
-}
-
-void mbedtls_memory_buffer_set_verify(int verify)
-{
- heap.verify = verify;
-}
-
-int mbedtls_memory_buffer_alloc_verify(void)
-{
- return verify_chain();
-}
-
-#if defined(MBEDTLS_MEMORY_DEBUG)
-void mbedtls_memory_buffer_alloc_status(void)
-{
- mbedtls_fprintf(stderr,
- "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
- "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
- heap.header_count, heap.total_used,
- heap.maximum_header_count, heap.maximum_used,
- heap.maximum_header_count * sizeof(memory_header)
- + heap.maximum_used,
- heap.alloc_count, heap.free_count);
-
- if (heap.first->next == NULL) {
- mbedtls_fprintf(stderr, "All memory de-allocated in stack buffer\n");
- } else {
- mbedtls_fprintf(stderr, "Memory currently allocated:\n");
- debug_chain();
- }
-}
-
-void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count)
-{
- *alloc_count = heap.alloc_count;
- *free_count = heap.free_count;
-}
-
-void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks)
-{
- *max_used = heap.maximum_used;
- *max_blocks = heap.maximum_header_count;
-}
-
-void mbedtls_memory_buffer_alloc_max_reset(void)
-{
- heap.maximum_used = 0;
- heap.maximum_header_count = 0;
-}
-
-void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks)
-{
- *cur_used = heap.total_used;
- *cur_blocks = heap.header_count;
-}
-#endif /* MBEDTLS_MEMORY_DEBUG */
-
-#if defined(MBEDTLS_THREADING_C)
-static void *buffer_alloc_calloc_mutexed(size_t n, size_t size)
-{
- void *buf;
- if (mbedtls_mutex_lock(&heap.mutex) != 0) {
- return NULL;
- }
- buf = buffer_alloc_calloc(n, size);
- if (mbedtls_mutex_unlock(&heap.mutex)) {
- return NULL;
- }
- return buf;
-}
-
-static void buffer_alloc_free_mutexed(void *ptr)
-{
- /* We have no good option here, but corrupting the heap seems
- * worse than losing memory. */
- if (mbedtls_mutex_lock(&heap.mutex)) {
- return;
- }
- buffer_alloc_free(ptr);
- (void) mbedtls_mutex_unlock(&heap.mutex);
-}
-#endif /* MBEDTLS_THREADING_C */
-
-void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len)
-{
- memset(&heap, 0, sizeof(buffer_alloc_ctx));
-
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&heap.mutex);
- mbedtls_platform_set_calloc_free(buffer_alloc_calloc_mutexed,
- buffer_alloc_free_mutexed);
-#else
- mbedtls_platform_set_calloc_free(buffer_alloc_calloc, buffer_alloc_free);
-#endif
-
- if (len < sizeof(memory_header) + MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
- return;
- } else if ((size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
- /* Adjust len first since buf is used in the computation */
- len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
- - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
- buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
- - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
- }
-
- memset(buf, 0, len);
-
- heap.buf = buf;
- heap.len = len;
-
- heap.first = (memory_header *) buf;
- heap.first->size = len - sizeof(memory_header);
- heap.first->magic1 = MAGIC1;
- heap.first->magic2 = MAGIC2;
- heap.first_free = heap.first;
-}
-
-void mbedtls_memory_buffer_alloc_free(void)
-{
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free(&heap.mutex);
-#endif
- mbedtls_platform_zeroize(&heap, sizeof(buffer_alloc_ctx));
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-static int check_pointer(void *p)
-{
- if (p == NULL) {
- return -1;
- }
-
- if ((size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0) {
- return -1;
- }
-
- return 0;
-}
-
-static int check_all_free(void)
-{
- if (
-#if defined(MBEDTLS_MEMORY_DEBUG)
- heap.total_used != 0 ||
-#endif
- heap.first != heap.first_free ||
- (void *) heap.first != (void *) heap.buf) {
- return -1;
- }
-
- return 0;
-}
-
-#define TEST_ASSERT(condition) \
- if (!(condition)) \
- { \
- if (verbose != 0) \
- mbedtls_printf("failed\n"); \
- \
- ret = 1; \
- goto cleanup; \
- }
-
-int mbedtls_memory_buffer_alloc_self_test(int verbose)
-{
- unsigned char buf[1024];
- unsigned char *p, *q, *r, *end;
- int ret = 0;
-
- if (verbose != 0) {
- mbedtls_printf(" MBA test #1 (basic alloc-free cycle): ");
- }
-
- mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
-
- p = mbedtls_calloc(1, 1);
- q = mbedtls_calloc(1, 128);
- r = mbedtls_calloc(1, 16);
-
- TEST_ASSERT(check_pointer(p) == 0 &&
- check_pointer(q) == 0 &&
- check_pointer(r) == 0);
-
- mbedtls_free(r);
- mbedtls_free(q);
- mbedtls_free(p);
-
- TEST_ASSERT(check_all_free() == 0);
-
- /* Memorize end to compare with the next test */
- end = heap.buf + heap.len;
-
- mbedtls_memory_buffer_alloc_free();
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf(" MBA test #2 (buf not aligned): ");
- }
-
- mbedtls_memory_buffer_alloc_init(buf + 1, sizeof(buf) - 1);
-
- TEST_ASSERT(heap.buf + heap.len == end);
-
- p = mbedtls_calloc(1, 1);
- q = mbedtls_calloc(1, 128);
- r = mbedtls_calloc(1, 16);
-
- TEST_ASSERT(check_pointer(p) == 0 &&
- check_pointer(q) == 0 &&
- check_pointer(r) == 0);
-
- mbedtls_free(r);
- mbedtls_free(q);
- mbedtls_free(p);
-
- TEST_ASSERT(check_all_free() == 0);
-
- mbedtls_memory_buffer_alloc_free();
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
- if (verbose != 0) {
- mbedtls_printf(" MBA test #3 (full): ");
- }
-
- mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
-
- p = mbedtls_calloc(1, sizeof(buf) - sizeof(memory_header));
-
- TEST_ASSERT(check_pointer(p) == 0);
- TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
-
- mbedtls_free(p);
-
- p = mbedtls_calloc(1, sizeof(buf) - 2 * sizeof(memory_header) - 16);
- q = mbedtls_calloc(1, 16);
-
- TEST_ASSERT(check_pointer(p) == 0 && check_pointer(q) == 0);
- TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
-
- mbedtls_free(q);
-
- TEST_ASSERT(mbedtls_calloc(1, 17) == NULL);
-
- mbedtls_free(p);
-
- TEST_ASSERT(check_all_free() == 0);
-
- mbedtls_memory_buffer_alloc_free();
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-cleanup:
- mbedtls_memory_buffer_alloc_free();
-
- return ret;
-}
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/library/mps_common.h b/library/mps_common.h
index 301d525..f9fe099 100644
--- a/library/mps_common.h
+++ b/library/mps_common.h
@@ -1,20 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/library/mps_error.h b/library/mps_error.h
index 5113959..016a84c 100644
--- a/library/mps_error.h
+++ b/library/mps_error.h
@@ -1,20 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/library/mps_reader.c b/library/mps_reader.c
index dc2a91c..27d0c04 100644
--- a/library/mps_reader.c
+++ b/library/mps_reader.c
@@ -2,21 +2,7 @@
* Message Processing Stack, Reader implementation
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
diff --git a/library/mps_reader.h b/library/mps_reader.h
index bb912ec..3193a5e 100644
--- a/library/mps_reader.h
+++ b/library/mps_reader.h
@@ -1,20 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/library/mps_trace.c b/library/mps_trace.c
index 9ba1f85..69f6e5a 100644
--- a/library/mps_trace.c
+++ b/library/mps_trace.c
@@ -2,21 +2,7 @@
* Message Processing Stack, Trace module
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
diff --git a/library/mps_trace.h b/library/mps_trace.h
index f8e0a5d..b456b2f 100644
--- a/library/mps_trace.h
+++ b/library/mps_trace.h
@@ -1,20 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
diff --git a/library/net_sockets.c b/library/net_sockets.c
index db80447..ef89a88 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -2,19 +2,7 @@
* TCP/IP or UDP/IP networking functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
@@ -328,7 +316,7 @@ static int net_would_block(const mbedtls_net_context *ctx)
*/
int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
mbedtls_net_context *client_ctx,
- void *client_ip, size_t buf_size, size_t *ip_len)
+ void *client_ip, size_t buf_size, size_t *cip_len)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int type;
@@ -411,22 +399,22 @@ int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
if (client_ip != NULL) {
if (client_addr.ss_family == AF_INET) {
struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
- *ip_len = sizeof(addr4->sin_addr.s_addr);
+ *cip_len = sizeof(addr4->sin_addr.s_addr);
- if (buf_size < *ip_len) {
+ if (buf_size < *cip_len) {
return MBEDTLS_ERR_NET_BUFFER_TOO_SMALL;
}
- memcpy(client_ip, &addr4->sin_addr.s_addr, *ip_len);
+ memcpy(client_ip, &addr4->sin_addr.s_addr, *cip_len);
} else {
struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
- *ip_len = sizeof(addr6->sin6_addr.s6_addr);
+ *cip_len = sizeof(addr6->sin6_addr.s6_addr);
- if (buf_size < *ip_len) {
+ if (buf_size < *cip_len) {
return MBEDTLS_ERR_NET_BUFFER_TOO_SMALL;
}
- memcpy(client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+ memcpy(client_ip, &addr6->sin6_addr.s6_addr, *cip_len);
}
}
@@ -695,7 +683,7 @@ void mbedtls_net_close(mbedtls_net_context *ctx)
*/
void mbedtls_net_free(mbedtls_net_context *ctx)
{
- if (ctx->fd == -1) {
+ if (ctx == NULL || ctx->fd == -1) {
return;
}
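Review bot: The new `ctx == NULL` guard in mbedtls_net_free makes NULL an accepted argument, but nothing visible in the hunk documents that contract; the comment block that ends just above the signature is cut off here, so whether it already says so cannot be checked. I would add a line such as `/* ctx may be NULL, in which case this function does nothing. */` there, and the matching sentence to the public declaration, so callers on error-cleanup paths can rely on it. mbedtls_net_close, named in the hunk header, is not shown; if it reads `ctx->fd` the same way, it presumably wants the same guard so that both teardown calls treat a NULL context alike. The body of mbedtls_net_free continues past the end of the hunk.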
diff --git a/library/nist_kw.c b/library/nist_kw.c
deleted file mode 100644
index 7bdc807..0000000
--- a/library/nist_kw.c
+++ /dev/null
@@ -1,737 +0,0 @@
-/*
- * Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
- * only
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * Definition of Key Wrapping:
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
- * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
- * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
- *
- * Note: RFC 3394 defines different methodology for intermediate operations for
- * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_NIST_KW_C)
-
-#include "mbedtls/nist_kw.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-#include "constant_time_internal.h"
-
-#include <stdint.h>
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_NIST_KW_ALT)
-
-#define KW_SEMIBLOCK_LENGTH 8
-#define MIN_SEMIBLOCKS_COUNT 3
-
-/*! The 64-bit default integrity check value (ICV) for KW mode. */
-static const unsigned char NIST_KW_ICV1[] = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };
-/*! The 32-bit default integrity check value (ICV) for KWP mode. */
-static const unsigned char NIST_KW_ICV2[] = { 0xA6, 0x59, 0x59, 0xA6 };
-
-/*
- * Initialize context
- */
-void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_nist_kw_context));
-}
-
-int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
- mbedtls_cipher_id_t cipher,
- const unsigned char *key,
- unsigned int keybits,
- const int is_wrap)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_cipher_info_t *cipher_info;
-
- cipher_info = mbedtls_cipher_info_from_values(cipher,
- keybits,
- MBEDTLS_MODE_ECB);
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /*
- * SP 800-38F currently defines AES cipher as the only block cipher allowed:
- * "For KW and KWP, the underlying block cipher shall be approved, and the
- * block size shall be 128 bits. Currently, the AES block cipher, with key
- * lengths of 128, 192, or 256 bits, is the only block cipher that fits
- * this profile."
- * Currently we don't support other 128 bit block ciphers for key wrapping,
- * such as Camellia and Aria.
- */
- if (cipher != MBEDTLS_CIPHER_ID_AES) {
- return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- }
-
- mbedtls_cipher_free(&ctx->cipher_ctx);
-
- if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
- is_wrap ? MBEDTLS_ENCRYPT :
- MBEDTLS_DECRYPT)
- ) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Free context
- */
-void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx)
-{
- mbedtls_cipher_free(&ctx->cipher_ctx);
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context));
-}
-
-/*
- * Helper function for Xoring the uint64_t "t" with the encrypted A.
- * Defined in NIST SP 800-38F section 6.1
- */
-static void calc_a_xor_t(unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t)
-{
- size_t i = 0;
- for (i = 0; i < sizeof(t); i++) {
- A[i] ^= (t >> ((sizeof(t) - 1 - i) * 8)) & 0xff;
- }
-}
-
-/*
- * KW-AE as defined in SP 800-38F section 6.2
- * KWP-AE as defined in SP 800-38F section 6.3
- */
-int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx,
- mbedtls_nist_kw_mode_t mode,
- const unsigned char *input, size_t in_len,
- unsigned char *output, size_t *out_len, size_t out_size)
-{
- int ret = 0;
- size_t semiblocks = 0;
- size_t s;
- size_t olen, padlen = 0;
- uint64_t t = 0;
- unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
- unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
-
- *out_len = 0;
- /*
- * Generate the String to work on
- */
- if (mode == MBEDTLS_KW_MODE_KW) {
- if (out_size < in_len + KW_SEMIBLOCK_LENGTH) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /*
- * According to SP 800-38F Table 1, the plaintext length for KW
- * must be between 2 to 2^54-1 semiblocks inclusive.
- */
- if (in_len < 16 ||
-#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
- in_len > 0x1FFFFFFFFFFFFF8 ||
-#endif
- in_len % KW_SEMIBLOCK_LENGTH != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- memcpy(output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH);
- memmove(output + KW_SEMIBLOCK_LENGTH, input, in_len);
- } else {
- if (in_len % 8 != 0) {
- padlen = (8 - (in_len % 8));
- }
-
- if (out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- /*
- * According to SP 800-38F Table 1, the plaintext length for KWP
- * must be between 1 and 2^32-1 octets inclusive.
- */
- if (in_len < 1
-#if SIZE_MAX > 0xFFFFFFFF
- || in_len > 0xFFFFFFFF
-#endif
- ) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- memcpy(output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2);
- MBEDTLS_PUT_UINT32_BE((in_len & 0xffffffff), output,
- KW_SEMIBLOCK_LENGTH / 2);
-
- memcpy(output + KW_SEMIBLOCK_LENGTH, input, in_len);
- memset(output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen);
- }
- semiblocks = ((in_len + padlen) / KW_SEMIBLOCK_LENGTH) + 1;
-
- s = 6 * (semiblocks - 1);
-
- if (mode == MBEDTLS_KW_MODE_KWP
- && in_len <= KW_SEMIBLOCK_LENGTH) {
- memcpy(inbuff, output, 16);
- ret = mbedtls_cipher_update(&ctx->cipher_ctx,
- inbuff, 16, output, &olen);
- if (ret != 0) {
- goto cleanup;
- }
- } else {
- unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
- unsigned char *A = output;
-
- /*
- * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
- */
- if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
- ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- /* Calculate intermediate values */
- for (t = 1; t <= s; t++) {
- memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
- memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH);
-
- ret = mbedtls_cipher_update(&ctx->cipher_ctx,
- inbuff, 16, outbuff, &olen);
- if (ret != 0) {
- goto cleanup;
- }
-
- memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
- calc_a_xor_t(A, t);
-
- memcpy(R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
- R2 += KW_SEMIBLOCK_LENGTH;
- if (R2 >= output + (semiblocks * KW_SEMIBLOCK_LENGTH)) {
- R2 = output + KW_SEMIBLOCK_LENGTH;
- }
- }
- }
-
- *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
-
-cleanup:
-
- if (ret != 0) {
- memset(output, 0, semiblocks * KW_SEMIBLOCK_LENGTH);
- }
- mbedtls_platform_zeroize(inbuff, KW_SEMIBLOCK_LENGTH * 2);
- mbedtls_platform_zeroize(outbuff, KW_SEMIBLOCK_LENGTH * 2);
-
- return ret;
-}
-
-/*
- * W-1 function as defined in RFC 3394 section 2.2.2
- * This function assumes the following:
- * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
- * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
- * 3. Minimal number of semiblocks is 3.
- * 4. A is a buffer to hold the first semiblock of the input buffer.
- */
-static int unwrap(mbedtls_nist_kw_context *ctx,
- const unsigned char *input, size_t semiblocks,
- unsigned char A[KW_SEMIBLOCK_LENGTH],
- unsigned char *output, size_t *out_len)
-{
- int ret = 0;
- const size_t s = 6 * (semiblocks - 1);
- size_t olen;
- uint64_t t = 0;
- unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
- unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
- unsigned char *R = NULL;
- *out_len = 0;
-
- if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- memcpy(A, input, KW_SEMIBLOCK_LENGTH);
- memmove(output, input + KW_SEMIBLOCK_LENGTH, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
- R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
-
- /* Calculate intermediate values */
- for (t = s; t >= 1; t--) {
- calc_a_xor_t(A, t);
-
- memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
- memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH);
-
- ret = mbedtls_cipher_update(&ctx->cipher_ctx,
- inbuff, 16, outbuff, &olen);
- if (ret != 0) {
- goto cleanup;
- }
-
- memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
-
- /* Set R as LSB64 of outbuff */
- memcpy(R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
-
- if (R == output) {
- R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
- } else {
- R -= KW_SEMIBLOCK_LENGTH;
- }
- }
-
- *out_len = (semiblocks - 1) * KW_SEMIBLOCK_LENGTH;
-
-cleanup:
- if (ret != 0) {
- memset(output, 0, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
- }
- mbedtls_platform_zeroize(inbuff, sizeof(inbuff));
- mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
-
- return ret;
-}
-
-/*
- * KW-AD as defined in SP 800-38F section 6.2
- * KWP-AD as defined in SP 800-38F section 6.3
- */
-int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
- mbedtls_nist_kw_mode_t mode,
- const unsigned char *input, size_t in_len,
- unsigned char *output, size_t *out_len, size_t out_size)
-{
- int ret = 0;
- size_t olen;
- unsigned char A[KW_SEMIBLOCK_LENGTH];
- int diff;
-
- *out_len = 0;
- if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (mode == MBEDTLS_KW_MODE_KW) {
- /*
- * According to SP 800-38F Table 1, the ciphertext length for KW
- * must be between 3 to 2^54 semiblocks inclusive.
- */
- if (in_len < 24 ||
-#if SIZE_MAX > 0x200000000000000
- in_len > 0x200000000000000 ||
-#endif
- in_len % KW_SEMIBLOCK_LENGTH != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
- A, output, out_len);
- if (ret != 0) {
- goto cleanup;
- }
-
- /* Check ICV in "constant-time" */
- diff = mbedtls_ct_memcmp(NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH);
-
- if (diff != 0) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- goto cleanup;
- }
-
- } else if (mode == MBEDTLS_KW_MODE_KWP) {
- size_t padlen = 0;
- uint32_t Plen;
- /*
- * According to SP 800-38F Table 1, the ciphertext length for KWP
- * must be between 2 to 2^29 semiblocks inclusive.
- */
- if (in_len < KW_SEMIBLOCK_LENGTH * 2 ||
-#if SIZE_MAX > 0x100000000
- in_len > 0x100000000 ||
-#endif
- in_len % KW_SEMIBLOCK_LENGTH != 0) {
- return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
- }
-
- if (in_len == KW_SEMIBLOCK_LENGTH * 2) {
- unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
- ret = mbedtls_cipher_update(&ctx->cipher_ctx,
- input, 16, outbuff, &olen);
- if (ret != 0) {
- goto cleanup;
- }
-
- memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
- memcpy(output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
- mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
- *out_len = KW_SEMIBLOCK_LENGTH;
- } else {
- /* in_len >= KW_SEMIBLOCK_LENGTH * 3 */
- ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
- A, output, out_len);
- if (ret != 0) {
- goto cleanup;
- }
- }
-
- /* Check ICV in "constant-time" */
- diff = mbedtls_ct_memcmp(NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2);
-
- if (diff != 0) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- }
-
- Plen = MBEDTLS_GET_UINT32_BE(A, KW_SEMIBLOCK_LENGTH / 2);
-
- /*
- * Plen is the length of the plaintext, when the input is valid.
- * If Plen is larger than the plaintext and padding, padlen will be
- * larger than 8, because of the type wrap around.
- */
- padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
- ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
- MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
- padlen &= 7;
-
- /* Check padding in "constant-time" */
- const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
- diff = mbedtls_ct_memcmp_partial(
- &output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
- KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
-
- if (diff != 0) {
- ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
- }
-
- if (ret != 0) {
- goto cleanup;
- }
- memset(output + Plen, 0, padlen);
- *out_len = Plen;
- } else {
- ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
- goto cleanup;
- }
-
-cleanup:
- if (ret != 0) {
- memset(output, 0, *out_len);
- *out_len = 0;
- }
-
- mbedtls_platform_zeroize(&diff, sizeof(diff));
- mbedtls_platform_zeroize(A, sizeof(A));
-
- return ret;
-}
-
-#endif /* !MBEDTLS_NIST_KW_ALT */
-
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-
-/*
- * Test vectors taken from NIST
- * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
- */
-static const unsigned int key_len[] = {
- 16,
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- 24,
- 32
-#endif
-};
-
-static const unsigned char kw_key[][32] = {
- { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
- 0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
- 0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
- 0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
- { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
- 0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
- 0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
- 0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
-#endif
-};
-
-static const unsigned char kw_msg[][40] = {
- { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
- 0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
- 0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
- 0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
- 0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
- 0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
- { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
- 0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
- 0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
-#endif
-};
-
-static const size_t kw_msg_len[] = {
- 16,
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- 40,
- 24
-#endif
-};
-static const size_t kw_out_len[] = {
- 24,
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- 48,
- 32
-#endif
-};
-static const unsigned char kw_res[][48] = {
- { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
- 0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
- 0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
- 0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
- 0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
- 0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
- 0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
- 0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
- { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
- 0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
- 0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
- 0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
-#endif
-};
-
-static const unsigned char kwp_key[][32] = {
- { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
- 0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
- 0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
- 0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
- { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
- 0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
- 0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
- 0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
-#endif
-};
-
-static const unsigned char kwp_msg[][31] = {
- { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
- 0x96 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
- 0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
- 0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
- 0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
- { 0xd1 }
-#endif
-};
-static const size_t kwp_msg_len[] = {
- 9,
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- 31,
- 1
-#endif
-};
-
-static const unsigned char kwp_res[][48] = {
- { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
- 0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
- 0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
- 0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
- 0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
- 0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
- 0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
- { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
- 0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4 }
-#endif
-};
-static const size_t kwp_out_len[] = {
- 24,
-#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
- 40,
- 16
-#endif
-};
-
-int mbedtls_nist_kw_self_test(int verbose)
-{
- mbedtls_nist_kw_context ctx;
- unsigned char out[48];
- size_t olen;
- int i;
- int ret = 0;
- mbedtls_nist_kw_init(&ctx);
-
- /*
- * KW mode
- */
- {
- static const int num_tests = sizeof(kw_key) / sizeof(*kw_key);
-
- for (i = 0; i < num_tests; i++) {
- if (verbose != 0) {
- mbedtls_printf(" KW-AES-%u ", (unsigned int) key_len[i] * 8);
- }
-
- ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
- kw_key[i], key_len[i] * 8, 1);
- if (ret != 0) {
- if (verbose != 0) {
- mbedtls_printf(" KW: setup failed ");
- }
-
- goto end;
- }
-
- ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
- kw_msg_len[i], out, &olen, sizeof(out));
- if (ret != 0 || kw_out_len[i] != olen ||
- memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed. ");
- }
-
- ret = 1;
- goto end;
- }
-
- if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
- kw_key[i], key_len[i] * 8, 0))
- != 0) {
- if (verbose != 0) {
- mbedtls_printf(" KW: setup failed ");
- }
-
- goto end;
- }
-
- ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
- out, olen, out, &olen, sizeof(out));
-
- if (ret != 0 || olen != kw_msg_len[i] ||
- memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto end;
- }
-
- if (verbose != 0) {
- mbedtls_printf(" passed\n");
- }
- }
- }
-
- /*
- * KWP mode
- */
- {
- static const int num_tests = sizeof(kwp_key) / sizeof(*kwp_key);
-
- for (i = 0; i < num_tests; i++) {
- olen = sizeof(out);
- if (verbose != 0) {
- mbedtls_printf(" KWP-AES-%u ", (unsigned int) key_len[i] * 8);
- }
-
- ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
- key_len[i] * 8, 1);
- if (ret != 0) {
- if (verbose != 0) {
- mbedtls_printf(" KWP: setup failed ");
- }
-
- goto end;
- }
- ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
- kwp_msg_len[i], out, &olen, sizeof(out));
-
- if (ret != 0 || kwp_out_len[i] != olen ||
- memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed. ");
- }
-
- ret = 1;
- goto end;
- }
-
- if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
- kwp_key[i], key_len[i] * 8, 0))
- != 0) {
- if (verbose != 0) {
- mbedtls_printf(" KWP: setup failed ");
- }
-
- goto end;
- }
-
- ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
- olen, out, &olen, sizeof(out));
-
- if (ret != 0 || olen != kwp_msg_len[i] ||
- memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed. ");
- }
-
- ret = 1;
- goto end;
- }
-
- if (verbose != 0) {
- mbedtls_printf(" passed\n");
- }
- }
- }
-end:
- mbedtls_nist_kw_free(&ctx);
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
-
-#endif /* MBEDTLS_NIST_KW_C */
diff --git a/library/oid.c b/library/oid.c
deleted file mode 100644
index d139a6d..0000000
--- a/library/oid.c
+++ /dev/null
@@ -1,1166 +0,0 @@
-/**
- * \file oid.c
- *
- * \brief Object Identifier (OID) database
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_OID_C)
-
-#include "mbedtls/oid.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/error.h"
-#include "mbedtls/pk.h"
-
-#include <stdio.h>
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-/*
- * Macro to automatically add the size of #define'd OIDs
- */
-#define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
-
-/*
- * Macro to generate mbedtls_oid_descriptor_t
- */
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s), name, description }
-#define NULL_OID_DESCRIPTOR { NULL, 0, NULL, NULL }
-#else
-#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s) }
-#define NULL_OID_DESCRIPTOR { NULL, 0 }
-#endif
-
-/*
- * Macro to generate an internal function for oid_XXX_from_asn1() (used by
- * the other functions)
- */
-#define FN_OID_TYPED_FROM_ASN1(TYPE_T, NAME, LIST) \
- static const TYPE_T *oid_ ## NAME ## _from_asn1( \
- const mbedtls_asn1_buf *oid) \
- { \
- const TYPE_T *p = (LIST); \
- const mbedtls_oid_descriptor_t *cur = \
- (const mbedtls_oid_descriptor_t *) p; \
- if (p == NULL || oid == NULL) return NULL; \
- while (cur->asn1 != NULL) { \
- if (cur->asn1_len == oid->len && \
- memcmp(cur->asn1, oid->p, oid->len) == 0) { \
- return p; \
- } \
- p++; \
- cur = (const mbedtls_oid_descriptor_t *) p; \
- } \
- return NULL; \
- }
-
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-/*
- * Macro to generate a function for retrieving a single attribute from the
- * descriptor of an mbedtls_oid_descriptor_t wrapper.
- */
-#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
- int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
- { \
- const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
- *ATTR1 = data->descriptor.ATTR1; \
- return 0; \
- }
-#endif /* MBEDTLS_X509_REMOVE_INFO */
-
-/*
- * Macro to generate a function for retrieving a single attribute from an
- * mbedtls_oid_descriptor_t wrapper.
- */
-#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
- int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
- { \
- const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
- *ATTR1 = data->ATTR1; \
- return 0; \
- }
-
-/*
- * Macro to generate a function for retrieving two attributes from an
- * mbedtls_oid_descriptor_t wrapper.
- */
-#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1, \
- ATTR2_TYPE, ATTR2) \
- int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, \
- ATTR2_TYPE * ATTR2) \
- { \
- const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
- if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
- *(ATTR1) = data->ATTR1; \
- *(ATTR2) = data->ATTR2; \
- return 0; \
- }
-
-/*
- * Macro to generate a function for retrieving the OID based on a single
- * attribute from a mbedtls_oid_descriptor_t wrapper.
- */
-#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1) \
- int FN_NAME(ATTR1_TYPE ATTR1, const char **oid, size_t *olen) \
- { \
- const TYPE_T *cur = (LIST); \
- while (cur->descriptor.asn1 != NULL) { \
- if (cur->ATTR1 == (ATTR1)) { \
- *oid = cur->descriptor.asn1; \
- *olen = cur->descriptor.asn1_len; \
- return 0; \
- } \
- cur++; \
- } \
- return MBEDTLS_ERR_OID_NOT_FOUND; \
- }
-
-/*
- * Macro to generate a function for retrieving the OID based on two
- * attributes from a mbedtls_oid_descriptor_t wrapper.
- */
-#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1, \
- ATTR2_TYPE, ATTR2) \
- int FN_NAME(ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid, \
- size_t *olen) \
- { \
- const TYPE_T *cur = (LIST); \
- while (cur->descriptor.asn1 != NULL) { \
- if (cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2)) { \
- *oid = cur->descriptor.asn1; \
- *olen = cur->descriptor.asn1_len; \
- return 0; \
- } \
- cur++; \
- } \
- return MBEDTLS_ERR_OID_NOT_FOUND; \
- }
-
-/*
- * For X520 attribute types
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- const char *short_name;
-} oid_x520_attr_t;
-
-static const oid_x520_attr_t oid_x520_attr_type[] =
-{
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_CN, "id-at-commonName", "Common Name"),
- "CN",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_COUNTRY, "id-at-countryName", "Country"),
- "C",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_LOCALITY, "id-at-locality", "Locality"),
- "L",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_STATE, "id-at-state", "State"),
- "ST",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_ORGANIZATION, "id-at-organizationName",
- "Organization"),
- "O",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_ORG_UNIT, "id-at-organizationalUnitName", "Org Unit"),
- "OU",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS9_EMAIL,
- "emailAddress",
- "E-mail address"),
- "emailAddress",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_SERIAL_NUMBER,
- "id-at-serialNumber",
- "Serial number"),
- "serialNumber",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_ADDRESS,
- "id-at-postalAddress",
- "Postal address"),
- "postalAddress",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_CODE, "id-at-postalCode", "Postal code"),
- "postalCode",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_SUR_NAME, "id-at-surName", "Surname"),
- "SN",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_GIVEN_NAME, "id-at-givenName", "Given name"),
- "GN",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_INITIALS, "id-at-initials", "Initials"),
- "initials",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_GENERATION_QUALIFIER,
- "id-at-generationQualifier",
- "Generation qualifier"),
- "generationQualifier",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_TITLE, "id-at-title", "Title"),
- "title",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_DN_QUALIFIER,
- "id-at-dnQualifier",
- "Distinguished Name qualifier"),
- "dnQualifier",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_PSEUDONYM, "id-at-pseudonym", "Pseudonym"),
- "pseudonym",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_UID, "id-uid", "User Id"),
- "uid",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DOMAIN_COMPONENT,
- "id-domainComponent",
- "Domain component"),
- "DC",
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AT_UNIQUE_IDENTIFIER,
- "id-at-uniqueIdentifier",
- "Unique Identifier"),
- "uniqueIdentifier",
- },
- {
- NULL_OID_DESCRIPTOR,
- NULL,
- }
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
-FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name,
- oid_x520_attr_t,
- x520_attr,
- const char *,
- short_name)
-
-/*
- * For X509 extensions
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- int ext_type;
-} oid_x509_ext_t;
-
-static const oid_x509_ext_t oid_x509_ext[] =
-{
- {
- OID_DESCRIPTOR(MBEDTLS_OID_BASIC_CONSTRAINTS,
- "id-ce-basicConstraints",
- "Basic Constraints"),
- MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_KEY_USAGE, "id-ce-keyUsage", "Key Usage"),
- MBEDTLS_OID_X509_EXT_KEY_USAGE,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EXTENDED_KEY_USAGE,
- "id-ce-extKeyUsage",
- "Extended Key Usage"),
- MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_ALT_NAME,
- "id-ce-subjectAltName",
- "Subject Alt Name"),
- MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_NS_CERT_TYPE,
- "id-netscape-certtype",
- "Netscape Certificate Type"),
- MBEDTLS_OID_X509_EXT_NS_CERT_TYPE,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_CERTIFICATE_POLICIES,
- "id-ce-certificatePolicies",
- "Certificate Policies"),
- MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
- "id-ce-subjectKeyIdentifier",
- "Subject Key Identifier"),
- MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
- "id-ce-authorityKeyIdentifier",
- "Authority Key Identifier"),
- MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
- },
- {
- NULL_OID_DESCRIPTOR,
- 0,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
-FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
-
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
-{
- OID_DESCRIPTOR(MBEDTLS_OID_SERVER_AUTH,
- "id-kp-serverAuth",
- "TLS Web Server Authentication"),
- OID_DESCRIPTOR(MBEDTLS_OID_CLIENT_AUTH,
- "id-kp-clientAuth",
- "TLS Web Client Authentication"),
- OID_DESCRIPTOR(MBEDTLS_OID_CODE_SIGNING, "id-kp-codeSigning", "Code Signing"),
- OID_DESCRIPTOR(MBEDTLS_OID_EMAIL_PROTECTION, "id-kp-emailProtection", "E-mail Protection"),
- OID_DESCRIPTOR(MBEDTLS_OID_TIME_STAMPING, "id-kp-timeStamping", "Time Stamping"),
- OID_DESCRIPTOR(MBEDTLS_OID_OCSP_SIGNING, "id-kp-OCSPSigning", "OCSP Signing"),
- OID_DESCRIPTOR(MBEDTLS_OID_WISUN_FAN,
- "id-kp-wisun-fan-device",
- "Wi-SUN Alliance Field Area Network (FAN)"),
- NULL_OID_DESCRIPTOR,
-};
-
-FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
-FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage,
- mbedtls_oid_descriptor_t,
- ext_key_usage,
- const char *,
- description)
-
-static const mbedtls_oid_descriptor_t oid_certificate_policies[] =
-{
- OID_DESCRIPTOR(MBEDTLS_OID_ANY_POLICY, "anyPolicy", "Any Policy"),
- NULL_OID_DESCRIPTOR,
-};
-
-FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certificate_policies)
-FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies,
- mbedtls_oid_descriptor_t,
- certificate_policies,
- const char *,
- description)
-#endif /* MBEDTLS_X509_REMOVE_INFO */
-
-/*
- * For SignatureAlgorithmIdentifier
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_md_type_t md_alg;
- mbedtls_pk_type_t pk_alg;
-} oid_sig_alg_t;
-
-static const oid_sig_alg_t oid_sig_alg[] =
-{
-#if defined(MBEDTLS_RSA_C)
-#if defined(MBEDTLS_MD_CAN_MD5)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"),
- MBEDTLS_MD_MD5, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_MD5 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1"),
- MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption",
- "RSA with SHA-224"),
- MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA224 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption",
- "RSA with SHA-256"),
- MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption",
- "RSA with SHA-384"),
- MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption",
- "RSA with SHA-512"),
- MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-#if defined(MBEDTLS_MD_CAN_SHA1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1"),
- MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1"),
- MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224"),
- MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256"),
- MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384"),
- MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512"),
- MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA,
- },
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
-#if defined(MBEDTLS_RSA_C)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"),
- MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS,
- },
-#endif /* MBEDTLS_RSA_C */
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
-
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc,
- oid_sig_alg_t,
- sig_alg,
- const char *,
- description)
-#endif
-
-FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg,
- oid_sig_alg_t,
- sig_alg,
- mbedtls_md_type_t,
- md_alg,
- mbedtls_pk_type_t,
- pk_alg)
-FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg,
- oid_sig_alg_t,
- oid_sig_alg,
- mbedtls_pk_type_t,
- pk_alg,
- mbedtls_md_type_t,
- md_alg)
-
-/*
- * For PublicKeyInfo (PKCS1, RFC 5480)
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_pk_type_t pk_alg;
-} oid_pk_alg_t;
-
-static const oid_pk_alg_t oid_pk_alg[] =
-{
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_RSA, "rsaEncryption", "RSA"),
- MBEDTLS_PK_RSA,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_UNRESTRICTED, "id-ecPublicKey", "Generic EC key"),
- MBEDTLS_PK_ECKEY,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_ECDH, "id-ecDH", "EC key for ECDH"),
- MBEDTLS_PK_ECKEY_DH,
- },
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_PK_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
-FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
-FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg,
- oid_pk_alg_t,
- oid_pk_alg,
- mbedtls_pk_type_t,
- pk_alg)
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/*
- * For elliptic curves that use namedCurve inside ECParams (RFC 5480)
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_ecp_group_id grp_id;
-} oid_ecp_grp_t;
-
-static const oid_ecp_grp_t oid_ecp_grp[] =
-{
-#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192R1, "secp192r1", "secp192r1"),
- MBEDTLS_ECP_DP_SECP192R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP192R1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224R1, "secp224r1", "secp224r1"),
- MBEDTLS_ECP_DP_SECP224R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP224R1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256R1, "secp256r1", "secp256r1"),
- MBEDTLS_ECP_DP_SECP256R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP256R1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP384R1, "secp384r1", "secp384r1"),
- MBEDTLS_ECP_DP_SECP384R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP384R1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP521R1, "secp521r1", "secp521r1"),
- MBEDTLS_ECP_DP_SECP521R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP521R1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192K1, "secp192k1", "secp192k1"),
- MBEDTLS_ECP_DP_SECP192K1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP192K1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224K1, "secp224k1", "secp224k1"),
- MBEDTLS_ECP_DP_SECP224K1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP224K1 */
-#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256K1, "secp256k1", "secp256k1"),
- MBEDTLS_ECP_DP_SECP256K1,
- },
-#endif /* MBEDTLS_ECP_HAVE_SECP256K1 */
-#if defined(MBEDTLS_ECP_HAVE_BP256R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP256R1, "brainpoolP256r1", "brainpool256r1"),
- MBEDTLS_ECP_DP_BP256R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_BP256R1 */
-#if defined(MBEDTLS_ECP_HAVE_BP384R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP384R1, "brainpoolP384r1", "brainpool384r1"),
- MBEDTLS_ECP_DP_BP384R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_BP384R1 */
-#if defined(MBEDTLS_ECP_HAVE_BP512R1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP512R1, "brainpoolP512r1", "brainpool512r1"),
- MBEDTLS_ECP_DP_BP512R1,
- },
-#endif /* MBEDTLS_ECP_HAVE_BP512R1 */
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_ECP_DP_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
-FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
-FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp,
- oid_ecp_grp_t,
- oid_ecp_grp,
- mbedtls_ecp_group_id,
- grp_id)
-
-/*
- * For Elliptic Curve algorithms that are directly
- * encoded in the AlgorithmIdentifier (RFC 8410)
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_ecp_group_id grp_id;
-} oid_ecp_grp_algid_t;
-
-static const oid_ecp_grp_algid_t oid_ecp_grp_algid[] =
-{
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_X25519, "X25519", "X25519"),
- MBEDTLS_ECP_DP_CURVE25519,
- },
-#endif /* MBEDTLS_ECP_HAVE_CURVE25519 */
-#if defined(MBEDTLS_ECP_HAVE_CURVE448)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_X448, "X448", "X448"),
- MBEDTLS_ECP_DP_CURVE448,
- },
-#endif /* MBEDTLS_ECP_HAVE_CURVE448 */
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_ECP_DP_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_algid_t, grp_id_algid, oid_ecp_grp_algid)
-FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp_algid,
- oid_ecp_grp_algid_t,
- grp_id_algid,
- mbedtls_ecp_group_id,
- grp_id)
-FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp_algid,
- oid_ecp_grp_algid_t,
- oid_ecp_grp_algid,
- mbedtls_ecp_group_id,
- grp_id)
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_CIPHER_C)
-/*
- * For PKCS#5 PBES2 encryption algorithm
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_cipher_type_t cipher_alg;
-} oid_cipher_alg_t;
-
-static const oid_cipher_alg_t oid_cipher_alg[] =
-{
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DES_CBC, "desCBC", "DES-CBC"),
- MBEDTLS_CIPHER_DES_CBC,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC"),
- MBEDTLS_CIPHER_DES_EDE3_CBC,
- },
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_CIPHER_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
-FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg,
- oid_cipher_alg_t,
- cipher_alg,
- mbedtls_cipher_type_t,
- cipher_alg)
-#endif /* MBEDTLS_CIPHER_C */
-
-/*
- * For digestAlgorithm
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_md_type_t md_alg;
-} oid_md_alg_t;
-
-static const oid_md_alg_t oid_md_alg[] =
-{
-#if defined(MBEDTLS_MD_CAN_MD5)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_MD5, "id-md5", "MD5"),
- MBEDTLS_MD_MD5,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1"),
- MBEDTLS_MD_SHA1,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224"),
- MBEDTLS_MD_SHA224,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256"),
- MBEDTLS_MD_SHA256,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384"),
- MBEDTLS_MD_SHA384,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512"),
- MBEDTLS_MD_SHA512,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160"),
- MBEDTLS_MD_RIPEMD160,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_224, "id-sha3-224", "SHA-3-224"),
- MBEDTLS_MD_SHA3_224,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_256, "id-sha3-256", "SHA-3-256"),
- MBEDTLS_MD_SHA3_256,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_384, "id-sha3-384", "SHA-3-384"),
- MBEDTLS_MD_SHA3_384,
- },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_512, "id-sha3-512", "SHA-3-512"),
- MBEDTLS_MD_SHA3_512,
- },
-#endif
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_MD_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
-FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
-FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md,
- oid_md_alg_t,
- oid_md_alg,
- mbedtls_md_type_t,
- md_alg)
-
-/*
- * For HMAC digestAlgorithm
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_md_type_t md_hmac;
-} oid_md_hmac_t;
-
-static const oid_md_hmac_t oid_md_hmac[] =
-{
-#if defined(MBEDTLS_MD_CAN_SHA1)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA1, "hmacSHA1", "HMAC-SHA-1"),
- MBEDTLS_MD_SHA1,
- },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224"),
- MBEDTLS_MD_SHA224,
- },
-#endif /* MBEDTLS_MD_CAN_SHA224 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256"),
- MBEDTLS_MD_SHA256,
- },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA384, "hmacSHA384", "HMAC-SHA-384"),
- MBEDTLS_MD_SHA384,
- },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA512, "hmacSHA512", "HMAC-SHA-512"),
- MBEDTLS_MD_SHA512,
- },
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-#if defined(MBEDTLS_MD_CAN_SHA3_224)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_224, "hmacSHA3-224", "HMAC-SHA3-224"),
- MBEDTLS_MD_SHA3_224,
- },
-#endif /* MBEDTLS_MD_CAN_SHA3_224 */
-#if defined(MBEDTLS_MD_CAN_SHA3_256)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_256, "hmacSHA3-256", "HMAC-SHA3-256"),
- MBEDTLS_MD_SHA3_256,
- },
-#endif /* MBEDTLS_MD_CAN_SHA3_256 */
-#if defined(MBEDTLS_MD_CAN_SHA3_384)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_384, "hmacSHA3-384", "HMAC-SHA3-384"),
- MBEDTLS_MD_SHA3_384,
- },
-#endif /* MBEDTLS_MD_CAN_SHA3_384 */
-#if defined(MBEDTLS_MD_CAN_SHA3_512)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_512, "hmacSHA3-512", "HMAC-SHA3-512"),
- MBEDTLS_MD_SHA3_512,
- },
-#endif /* MBEDTLS_MD_CAN_SHA3_512 */
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- {
- OID_DESCRIPTOR(MBEDTLS_OID_HMAC_RIPEMD160, "hmacRIPEMD160", "HMAC-RIPEMD160"),
- MBEDTLS_MD_RIPEMD160,
- },
-#endif /* MBEDTLS_MD_CAN_RIPEMD160 */
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_MD_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
-FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
-
-#if defined(MBEDTLS_PKCS12_C)
-/*
- * For PKCS#12 PBEs
- */
-typedef struct {
- mbedtls_oid_descriptor_t descriptor;
- mbedtls_md_type_t md_alg;
- mbedtls_cipher_type_t cipher_alg;
-} oid_pkcs12_pbe_alg_t;
-
-static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
-{
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC,
- "pbeWithSHAAnd3-KeyTripleDES-CBC",
- "PBE with SHA1 and 3-Key 3DES"),
- MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE3_CBC,
- },
- {
- OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC,
- "pbeWithSHAAnd2-KeyTripleDES-CBC",
- "PBE with SHA1 and 2-Key 3DES"),
- MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE_CBC,
- },
- {
- NULL_OID_DESCRIPTOR,
- MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
- },
-};
-
-FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
-FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg,
- oid_pkcs12_pbe_alg_t,
- pkcs12_pbe_alg,
- mbedtls_md_type_t,
- md_alg,
- mbedtls_cipher_type_t,
- cipher_alg)
-#endif /* MBEDTLS_PKCS12_C */
-
-/* Return the x.y.z.... style numeric string for the given OID */
-int mbedtls_oid_get_numeric_string(char *buf, size_t size,
- const mbedtls_asn1_buf *oid)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- char *p = buf;
- size_t n = size;
- unsigned int value = 0;
-
- if (size > INT_MAX) {
- /* Avoid overflow computing return value */
- return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
- }
-
- if (oid->len <= 0) {
- /* OID must not be empty */
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- for (size_t i = 0; i < oid->len; i++) {
- /* Prevent overflow in value. */
- if (value > (UINT_MAX >> 7)) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
- if ((value == 0) && ((oid->p[i]) == 0x80)) {
- /* Overlong encoding is not allowed */
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
-
- value <<= 7;
- value |= oid->p[i] & 0x7F;
-
- if (!(oid->p[i] & 0x80)) {
- /* Last byte */
- if (n == size) {
- int component1;
- unsigned int component2;
- /* First subidentifier contains first two OID components */
- if (value >= 80) {
- component1 = '2';
- component2 = value - 80;
- } else if (value >= 40) {
- component1 = '1';
- component2 = value - 40;
- } else {
- component1 = '0';
- component2 = value;
- }
- ret = mbedtls_snprintf(p, n, "%c.%u", component1, component2);
- } else {
- ret = mbedtls_snprintf(p, n, ".%u", value);
- }
- if (ret < 2 || (size_t) ret >= n) {
- return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
- }
- n -= (size_t) ret;
- p += ret;
- value = 0;
- }
- }
-
- if (value != 0) {
- /* Unterminated subidentifier */
- return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
- }
-
- return (int) (size - n);
-}
-
-static int oid_parse_number(unsigned int *num, const char **p, const char *bound)
-{
- int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
-
- *num = 0;
-
- while (*p < bound && **p >= '0' && **p <= '9') {
- ret = 0;
- if (*num > (UINT_MAX / 10)) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
- *num *= 10;
- *num += **p - '0';
- (*p)++;
- }
- return ret;
-}
-
-static size_t oid_subidentifier_num_bytes(unsigned int value)
-{
- size_t num_bytes = 0;
-
- do {
- value >>= 7;
- num_bytes++;
- } while (value != 0);
-
- return num_bytes;
-}
-
-static int oid_subidentifier_encode_into(unsigned char **p,
- unsigned char *bound,
- unsigned int value)
-{
- size_t num_bytes = oid_subidentifier_num_bytes(value);
-
- if ((size_t) (bound - *p) < num_bytes) {
- return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
- }
- (*p)[num_bytes - 1] = (unsigned char) (value & 0x7f);
- value >>= 7;
-
- for (size_t i = 2; i <= num_bytes; i++) {
- (*p)[num_bytes - i] = 0x80 | (unsigned char) (value & 0x7f);
- value >>= 7;
- }
- *p += num_bytes;
-
- return 0;
-}
-
-/* Return the OID for the given x.y.z.... style numeric string */
-int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid,
- const char *oid_str, size_t size)
-{
- int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- const char *str_ptr = oid_str;
- const char *str_bound = oid_str + size;
- unsigned int val = 0;
- unsigned int component1, component2;
- size_t encoded_len;
- unsigned char *resized_mem;
-
- /* Count the number of dots to get a worst-case allocation size. */
- size_t num_dots = 0;
- for (size_t i = 0; i < size; i++) {
- if (oid_str[i] == '.') {
- num_dots++;
- }
- }
- /* Allocate maximum possible required memory:
- * There are (num_dots + 1) integer components, but the first 2 share the
- * same subidentifier, so we only need num_dots subidentifiers maximum. */
- if (num_dots == 0 || (num_dots > MBEDTLS_OID_MAX_COMPONENTS - 1)) {
- return MBEDTLS_ERR_ASN1_INVALID_DATA;
- }
- /* Each byte can store 7 bits, calculate number of bytes for a
- * subidentifier:
- *
- * bytes = ceil(subidentifer_size * 8 / 7)
- */
- size_t bytes_per_subidentifier = (((sizeof(unsigned int) * 8) - 1) / 7)
- + 1;
- size_t max_possible_bytes = num_dots * bytes_per_subidentifier;
- oid->p = mbedtls_calloc(max_possible_bytes, 1);
- if (oid->p == NULL) {
- return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
- }
- unsigned char *out_ptr = oid->p;
- unsigned char *out_bound = oid->p + max_possible_bytes;
-
- ret = oid_parse_number(&component1, &str_ptr, str_bound);
- if (ret != 0) {
- goto error;
- }
- if (component1 > 2) {
- /* First component can't be > 2 */
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- if (str_ptr >= str_bound || *str_ptr != '.') {
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- str_ptr++;
-
- ret = oid_parse_number(&component2, &str_ptr, str_bound);
- if (ret != 0) {
- goto error;
- }
- if ((component1 < 2) && (component2 > 39)) {
- /* Root nodes 0 and 1 may have up to 40 children, numbered 0-39 */
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- if (str_ptr < str_bound) {
- if (*str_ptr == '.') {
- str_ptr++;
- } else {
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- }
-
- if (component2 > (UINT_MAX - (component1 * 40))) {
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- ret = oid_subidentifier_encode_into(&out_ptr, out_bound,
- (component1 * 40) + component2);
- if (ret != 0) {
- goto error;
- }
-
- while (str_ptr < str_bound) {
- ret = oid_parse_number(&val, &str_ptr, str_bound);
- if (ret != 0) {
- goto error;
- }
- if (str_ptr < str_bound) {
- if (*str_ptr == '.') {
- str_ptr++;
- } else {
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto error;
- }
- }
-
- ret = oid_subidentifier_encode_into(&out_ptr, out_bound, val);
- if (ret != 0) {
- goto error;
- }
- }
-
- encoded_len = out_ptr - oid->p;
- resized_mem = mbedtls_calloc(encoded_len, 1);
- if (resized_mem == NULL) {
- ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
- goto error;
- }
- memcpy(resized_mem, oid->p, encoded_len);
- mbedtls_free(oid->p);
- oid->p = resized_mem;
- oid->len = encoded_len;
-
- oid->tag = MBEDTLS_ASN1_OID;
-
- return 0;
-
-error:
- mbedtls_free(oid->p);
- oid->p = NULL;
- oid->len = 0;
- return ret;
-}
-
-#endif /* MBEDTLS_OID_C */
diff --git a/library/padlock.c b/library/padlock.c
deleted file mode 100644
index 563d40e..0000000
--- a/library/padlock.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * VIA PadLock support functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * This implementation is based on the VIA PadLock Programming Guide:
- *
- * http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
- * programming_guide.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PADLOCK_C)
-
-#include "padlock.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
-
-/*
- * PadLock detection routine
- */
-int mbedtls_padlock_has_support(int feature)
-{
- static int flags = -1;
- int ebx = 0, edx = 0;
-
- if (flags == -1) {
- asm ("movl %%ebx, %0 \n\t"
- "movl $0xC0000000, %%eax \n\t"
- "cpuid \n\t"
- "cmpl $0xC0000001, %%eax \n\t"
- "movl $0, %%edx \n\t"
- "jb 1f \n\t"
- "movl $0xC0000001, %%eax \n\t"
- "cpuid \n\t"
- "1: \n\t"
- "movl %%edx, %1 \n\t"
- "movl %2, %%ebx \n\t"
- : "=m" (ebx), "=m" (edx)
- : "m" (ebx)
- : "eax", "ecx", "edx");
-
- flags = edx;
- }
-
- return flags & feature;
-}
-
-/*
- * PadLock AES-ECB block en(de)cryption
- */
-int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16])
-{
- int ebx = 0;
- uint32_t *rk;
- uint32_t *blk;
- uint32_t *ctrl;
- unsigned char buf[256];
-
- rk = ctx->buf + ctx->rk_offset;
-
- if (((long) rk & 15) != 0) {
- return MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED;
- }
-
- blk = MBEDTLS_PADLOCK_ALIGN16(buf);
- memcpy(blk, input, 16);
-
- ctrl = blk + 4;
- *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode^1) - 10) << 9);
-
- asm ("pushfl \n\t"
- "popfl \n\t"
- "movl %%ebx, %0 \n\t"
- "movl $1, %%ecx \n\t"
- "movl %2, %%edx \n\t"
- "movl %3, %%ebx \n\t"
- "movl %4, %%esi \n\t"
- "movl %4, %%edi \n\t"
- ".byte 0xf3,0x0f,0xa7,0xc8 \n\t"
- "movl %1, %%ebx \n\t"
- : "=m" (ebx)
- : "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
- : "memory", "ecx", "edx", "esi", "edi");
-
- memcpy(output, blk, 16);
-
- return 0;
-}
-
-/*
- * PadLock AES-CBC buffer en(de)cryption
- */
-int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output)
-{
- int ebx = 0;
- size_t count;
- uint32_t *rk;
- uint32_t *iw;
- uint32_t *ctrl;
- unsigned char buf[256];
-
- rk = ctx->buf + ctx->rk_offset;
-
- if (((long) input & 15) != 0 ||
- ((long) output & 15) != 0 ||
- ((long) rk & 15) != 0) {
- return MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED;
- }
-
- iw = MBEDTLS_PADLOCK_ALIGN16(buf);
- memcpy(iw, iv, 16);
-
- ctrl = iw + 4;
- *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode ^ 1) - 10) << 9);
-
- count = (length + 15) >> 4;
-
- asm ("pushfl \n\t"
- "popfl \n\t"
- "movl %%ebx, %0 \n\t"
- "movl %2, %%ecx \n\t"
- "movl %3, %%edx \n\t"
- "movl %4, %%ebx \n\t"
- "movl %5, %%esi \n\t"
- "movl %6, %%edi \n\t"
- "movl %7, %%eax \n\t"
- ".byte 0xf3,0x0f,0xa7,0xd0 \n\t"
- "movl %1, %%ebx \n\t"
- : "=m" (ebx)
- : "m" (ebx), "m" (count), "m" (ctrl),
- "m" (rk), "m" (input), "m" (output), "m" (iw)
- : "memory", "eax", "ecx", "edx", "esi", "edi");
-
- memcpy(iv, iw, 16);
-
- return 0;
-}
-
-#endif /* MBEDTLS_VIA_PADLOCK_HAVE_CODE */
-
-#endif /* MBEDTLS_PADLOCK_C */
diff --git a/library/padlock.h b/library/padlock.h
deleted file mode 100644
index a00afe0..0000000
--- a/library/padlock.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/**
- * \file padlock.h
- *
- * \brief VIA PadLock ACE for HW encryption/decryption supported by some
- * processors
- *
- * \warning These functions are only for internal use by other library
- * functions; you must not call them directly.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PADLOCK_H
-#define MBEDTLS_PADLOCK_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/aes.h"
-
-#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -0x0030 /**< Input data should be aligned. */
-
-#if defined(__has_feature)
-#if __has_feature(address_sanitizer)
-#define MBEDTLS_HAVE_ASAN
-#endif
-#endif
-
-/*
- * - `padlock` is implements with GNUC assembly for x86 target.
- * - Some versions of ASan result in errors about not enough registers.
- */
-#if defined(MBEDTLS_PADLOCK_C) && \
- defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X86) && \
- defined(MBEDTLS_HAVE_ASM) && \
- !defined(MBEDTLS_HAVE_ASAN)
-
-#define MBEDTLS_VIA_PADLOCK_HAVE_CODE
-
-#include <stdint.h>
-
-#define MBEDTLS_PADLOCK_RNG 0x000C
-#define MBEDTLS_PADLOCK_ACE 0x00C0
-#define MBEDTLS_PADLOCK_PHE 0x0C00
-#define MBEDTLS_PADLOCK_PMM 0x3000
-
-#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal PadLock detection routine
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param feature The feature to detect
- *
- * \return non-zero if CPU has support for the feature, 0 otherwise
- */
-int mbedtls_padlock_has_support(int feature);
-
-/**
- * \brief Internal PadLock AES-ECB block en(de)cryption
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param ctx AES context
- * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- * \param input 16-byte input block
- * \param output 16-byte output block
- *
- * \return 0 if success, 1 if operation failed
- */
-int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16]);
-
-/**
- * \brief Internal PadLock AES-CBC buffer en(de)cryption
- *
- * \note This function is only for internal use by other library
- * functions; you must not call it directly.
- *
- * \param ctx AES context
- * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
- * \param length length of the input data
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
- *
- * \return 0 if success, 1 if operation failed
- */
-int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* HAVE_X86 */
-
-#endif /* padlock.h */
diff --git a/library/pem.c b/library/pem.c
deleted file mode 100644
index bd269dd..0000000
--- a/library/pem.c
+++ /dev/null
@@ -1,532 +0,0 @@
-/*
- * Privacy Enhanced Mail (PEM) decoding
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
-
-#include "mbedtls/pem.h"
-#include "mbedtls/base64.h"
-#include "mbedtls/des.h"
-#include "mbedtls/aes.h"
-#include "mbedtls/md.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif
-
-#if defined(MBEDTLS_MD_CAN_MD5) && \
- defined(MBEDTLS_CIPHER_MODE_CBC) && \
- (defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C))
-#define PEM_RFC1421
-#endif /* MBEDTLS_MD_CAN_MD5 &&
- MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-void mbedtls_pem_init(mbedtls_pem_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_pem_context));
-}
-
-#if defined(PEM_RFC1421)
-/*
- * Read a 16-byte hex string and convert it to binary
- */
-static int pem_get_iv(const unsigned char *s, unsigned char *iv,
- size_t iv_len)
-{
- size_t i, j, k;
-
- memset(iv, 0, iv_len);
-
- for (i = 0; i < iv_len * 2; i++, s++) {
- if (*s >= '0' && *s <= '9') {
- j = *s - '0';
- } else
- if (*s >= 'A' && *s <= 'F') {
- j = *s - '7';
- } else
- if (*s >= 'a' && *s <= 'f') {
- j = *s - 'W';
- } else {
- return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
- }
-
- k = ((i & 1) != 0) ? j : j << 4;
-
- iv[i >> 1] = (unsigned char) (iv[i >> 1] | k);
- }
-
- return 0;
-}
-
-static int pem_pbkdf1(unsigned char *key, size_t keylen,
- unsigned char *iv,
- const unsigned char *pwd, size_t pwdlen)
-{
- mbedtls_md_context_t md5_ctx;
- const mbedtls_md_info_t *md5_info;
- unsigned char md5sum[16];
- size_t use_len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_md_init(&md5_ctx);
-
- /* Prepare the context. (setup() errors gracefully on NULL info.) */
- md5_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
- if ((ret = mbedtls_md_setup(&md5_ctx, md5_info, 0)) != 0) {
- goto exit;
- }
-
- /*
- * key[ 0..15] = MD5(pwd || IV)
- */
- if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
- goto exit;
- }
-
- if (keylen <= 16) {
- memcpy(key, md5sum, keylen);
- goto exit;
- }
-
- memcpy(key, md5sum, 16);
-
- /*
- * key[16..23] = MD5(key[ 0..15] || pwd || IV])
- */
- if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md5_ctx, md5sum, 16)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
- goto exit;
- }
-
- use_len = 16;
- if (keylen < 32) {
- use_len = keylen - 16;
- }
-
- memcpy(key + 16, md5sum, use_len);
-
-exit:
- mbedtls_md_free(&md5_ctx);
- mbedtls_platform_zeroize(md5sum, 16);
-
- return ret;
-}
-
-#if defined(MBEDTLS_DES_C)
-/*
- * Decrypt with DES-CBC, using PBKDF1 for key derivation
- */
-static int pem_des_decrypt(unsigned char des_iv[8],
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen)
-{
- mbedtls_des_context des_ctx;
- unsigned char des_key[8];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_des_init(&des_ctx);
-
- if ((ret = pem_pbkdf1(des_key, 8, des_iv, pwd, pwdlen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_des_setkey_dec(&des_ctx, des_key)) != 0) {
- goto exit;
- }
- ret = mbedtls_des_crypt_cbc(&des_ctx, MBEDTLS_DES_DECRYPT, buflen,
- des_iv, buf, buf);
-
-exit:
- mbedtls_des_free(&des_ctx);
- mbedtls_platform_zeroize(des_key, 8);
-
- return ret;
-}
-
-/*
- * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
- */
-static int pem_des3_decrypt(unsigned char des3_iv[8],
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen)
-{
- mbedtls_des3_context des3_ctx;
- unsigned char des3_key[24];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_des3_init(&des3_ctx);
-
- if ((ret = pem_pbkdf1(des3_key, 24, des3_iv, pwd, pwdlen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_des3_set3key_dec(&des3_ctx, des3_key)) != 0) {
- goto exit;
- }
- ret = mbedtls_des3_crypt_cbc(&des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
- des3_iv, buf, buf);
-
-exit:
- mbedtls_des3_free(&des3_ctx);
- mbedtls_platform_zeroize(des3_key, 24);
-
- return ret;
-}
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
-/*
- * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
- */
-static int pem_aes_decrypt(unsigned char aes_iv[16], unsigned int keylen,
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen)
-{
- mbedtls_aes_context aes_ctx;
- unsigned char aes_key[32];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_aes_init(&aes_ctx);
-
- if ((ret = pem_pbkdf1(aes_key, keylen, aes_iv, pwd, pwdlen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_aes_setkey_dec(&aes_ctx, aes_key, keylen * 8)) != 0) {
- goto exit;
- }
- ret = mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
- aes_iv, buf, buf);
-
-exit:
- mbedtls_aes_free(&aes_ctx);
- mbedtls_platform_zeroize(aes_key, keylen);
-
- return ret;
-}
-#endif /* MBEDTLS_AES_C */
-
-#endif /* PEM_RFC1421 */
-
-int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
- const unsigned char *data, const unsigned char *pwd,
- size_t pwdlen, size_t *use_len)
-{
- int ret, enc;
- size_t len;
- unsigned char *buf;
- const unsigned char *s1, *s2, *end;
-#if defined(PEM_RFC1421)
- unsigned char pem_iv[16];
- mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
-#else
- ((void) pwd);
- ((void) pwdlen);
-#endif /* PEM_RFC1421 */
-
- if (ctx == NULL) {
- return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
- }
-
- s1 = (unsigned char *) strstr((const char *) data, header);
-
- if (s1 == NULL) {
- return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- }
-
- s2 = (unsigned char *) strstr((const char *) data, footer);
-
- if (s2 == NULL || s2 <= s1) {
- return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- }
-
- s1 += strlen(header);
- if (*s1 == ' ') {
- s1++;
- }
- if (*s1 == '\r') {
- s1++;
- }
- if (*s1 == '\n') {
- s1++;
- } else {
- return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- }
-
- end = s2;
- end += strlen(footer);
- if (*end == ' ') {
- end++;
- }
- if (*end == '\r') {
- end++;
- }
- if (*end == '\n') {
- end++;
- }
- *use_len = end - data;
-
- enc = 0;
-
- if (s2 - s1 >= 22 && memcmp(s1, "Proc-Type: 4,ENCRYPTED", 22) == 0) {
-#if defined(PEM_RFC1421)
- enc++;
-
- s1 += 22;
- if (*s1 == '\r') {
- s1++;
- }
- if (*s1 == '\n') {
- s1++;
- } else {
- return MBEDTLS_ERR_PEM_INVALID_DATA;
- }
-
-
-#if defined(MBEDTLS_DES_C)
- if (s2 - s1 >= 23 && memcmp(s1, "DEK-Info: DES-EDE3-CBC,", 23) == 0) {
- enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
-
- s1 += 23;
- if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
- return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
- }
-
- s1 += 16;
- } else if (s2 - s1 >= 18 && memcmp(s1, "DEK-Info: DES-CBC,", 18) == 0) {
- enc_alg = MBEDTLS_CIPHER_DES_CBC;
-
- s1 += 18;
- if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
- return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
- }
-
- s1 += 16;
- }
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
- if (s2 - s1 >= 14 && memcmp(s1, "DEK-Info: AES-", 14) == 0) {
- if (s2 - s1 < 22) {
- return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
- } else if (memcmp(s1, "DEK-Info: AES-128-CBC,", 22) == 0) {
- enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
- } else if (memcmp(s1, "DEK-Info: AES-192-CBC,", 22) == 0) {
- enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
- } else if (memcmp(s1, "DEK-Info: AES-256-CBC,", 22) == 0) {
- enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
- } else {
- return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
- }
-
- s1 += 22;
- if (s2 - s1 < 32 || pem_get_iv(s1, pem_iv, 16) != 0) {
- return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
- }
-
- s1 += 32;
- }
-#endif /* MBEDTLS_AES_C */
-
- if (enc_alg == MBEDTLS_CIPHER_NONE) {
- return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
- }
-
- if (*s1 == '\r') {
- s1++;
- }
- if (*s1 == '\n') {
- s1++;
- } else {
- return MBEDTLS_ERR_PEM_INVALID_DATA;
- }
-#else
- return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
-#endif /* PEM_RFC1421 */
- }
-
- if (s1 >= s2) {
- return MBEDTLS_ERR_PEM_INVALID_DATA;
- }
-
- ret = mbedtls_base64_decode(NULL, 0, &len, s1, s2 - s1);
-
- if (ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
- }
-
- if ((buf = mbedtls_calloc(1, len)) == NULL) {
- return MBEDTLS_ERR_PEM_ALLOC_FAILED;
- }
-
- if ((ret = mbedtls_base64_decode(buf, len, &len, s1, s2 - s1)) != 0) {
- mbedtls_zeroize_and_free(buf, len);
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
- }
-
- if (enc != 0) {
-#if defined(PEM_RFC1421)
- if (pwd == NULL) {
- mbedtls_zeroize_and_free(buf, len);
- return MBEDTLS_ERR_PEM_PASSWORD_REQUIRED;
- }
-
- ret = 0;
-
-#if defined(MBEDTLS_DES_C)
- if (enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC) {
- ret = pem_des3_decrypt(pem_iv, buf, len, pwd, pwdlen);
- } else if (enc_alg == MBEDTLS_CIPHER_DES_CBC) {
- ret = pem_des_decrypt(pem_iv, buf, len, pwd, pwdlen);
- }
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_AES_C)
- if (enc_alg == MBEDTLS_CIPHER_AES_128_CBC) {
- ret = pem_aes_decrypt(pem_iv, 16, buf, len, pwd, pwdlen);
- } else if (enc_alg == MBEDTLS_CIPHER_AES_192_CBC) {
- ret = pem_aes_decrypt(pem_iv, 24, buf, len, pwd, pwdlen);
- } else if (enc_alg == MBEDTLS_CIPHER_AES_256_CBC) {
- ret = pem_aes_decrypt(pem_iv, 32, buf, len, pwd, pwdlen);
- }
-#endif /* MBEDTLS_AES_C */
-
- if (ret != 0) {
- mbedtls_free(buf);
- return ret;
- }
-
- /*
- * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
- * length bytes (allow 4 to be sure) in all known use cases.
- *
- * Use that as a heuristic to try to detect password mismatches.
- */
- if (len <= 2 || buf[0] != 0x30 || buf[1] > 0x83) {
- mbedtls_zeroize_and_free(buf, len);
- return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH;
- }
-#else
- mbedtls_zeroize_and_free(buf, len);
- return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
-#endif /* PEM_RFC1421 */
- }
-
- ctx->buf = buf;
- ctx->buflen = len;
-
- return 0;
-}
-
-void mbedtls_pem_free(mbedtls_pem_context *ctx)
-{
- if (ctx->buf != NULL) {
- mbedtls_zeroize_and_free(ctx->buf, ctx->buflen);
- }
- mbedtls_free(ctx->info);
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pem_context));
-}
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-#if defined(MBEDTLS_PEM_WRITE_C)
-int mbedtls_pem_write_buffer(const char *header, const char *footer,
- const unsigned char *der_data, size_t der_len,
- unsigned char *buf, size_t buf_len, size_t *olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *encode_buf = NULL, *c, *p = buf;
- size_t len = 0, use_len, add_len = 0;
-
- mbedtls_base64_encode(NULL, 0, &use_len, der_data, der_len);
- add_len = strlen(header) + strlen(footer) + (((use_len > 2) ? (use_len - 2) : 0) / 64) + 1;
-
- if (use_len + add_len > buf_len) {
- *olen = use_len + add_len;
- return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
- }
-
- if (use_len != 0 &&
- ((encode_buf = mbedtls_calloc(1, use_len)) == NULL)) {
- return MBEDTLS_ERR_PEM_ALLOC_FAILED;
- }
-
- if ((ret = mbedtls_base64_encode(encode_buf, use_len, &use_len, der_data,
- der_len)) != 0) {
- mbedtls_free(encode_buf);
- return ret;
- }
-
- memcpy(p, header, strlen(header));
- p += strlen(header);
- c = encode_buf;
-
- while (use_len) {
- len = (use_len > 64) ? 64 : use_len;
- memcpy(p, c, len);
- use_len -= len;
- p += len;
- c += len;
- *p++ = '\n';
- }
-
- memcpy(p, footer, strlen(footer));
- p += strlen(footer);
-
- *p++ = '\0';
- *olen = p - buf;
-
- /* Clean any remaining data previously written to the buffer */
- memset(buf + *olen, 0, buf_len - *olen);
-
- mbedtls_free(encode_buf);
- return 0;
-}
-#endif /* MBEDTLS_PEM_WRITE_C */
-#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
diff --git a/library/pk.c b/library/pk.c
deleted file mode 100644
index 96b8ef9..0000000
--- a/library/pk.c
+++ /dev/null
@@ -1,982 +0,0 @@
-/*
- * Public Key abstraction layer
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PK_C)
-#include "mbedtls/pk.h"
-#include "pk_wrap.h"
-#include "pkwrite.h"
-#include "pk_internal.h"
-
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#include "mbedtls/ecp.h"
-#endif
-#if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa_util_internal.h"
-#include "md_psa.h"
-#endif
-
-#include <limits.h>
-#include <stdint.h>
-
-/*
- * Initialise a mbedtls_pk_context
- */
-void mbedtls_pk_init(mbedtls_pk_context *ctx)
-{
- ctx->pk_info = NULL;
- ctx->pk_ctx = NULL;
-#if defined(MBEDTLS_PSA_CRYPTO_C)
- ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
- ctx->pub_raw_len = 0;
- ctx->ec_family = 0;
- ctx->ec_bits = 0;
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-}
-
-/*
- * Free (the components of) a mbedtls_pk_context
- */
-void mbedtls_pk_free(mbedtls_pk_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- if ((ctx->pk_info != NULL) && (ctx->pk_info->ctx_free_func != NULL)) {
- ctx->pk_info->ctx_free_func(ctx->pk_ctx);
- }
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- /* The ownership of the priv_id key for opaque keys is external of the PK
- * module. It's the user responsibility to clear it after use. */
- if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
- psa_destroy_key(ctx->priv_id);
- }
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
-}
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-/*
- * Initialize a restart context
- */
-void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx)
-{
- ctx->pk_info = NULL;
- ctx->rs_ctx = NULL;
-}
-
-/*
- * Free the components of a restart context
- */
-void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx)
-{
- if (ctx == NULL || ctx->pk_info == NULL ||
- ctx->pk_info->rs_free_func == NULL) {
- return;
- }
-
- ctx->pk_info->rs_free_func(ctx->rs_ctx);
-
- ctx->pk_info = NULL;
- ctx->rs_ctx = NULL;
-}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-/*
- * Get pk_info structure from type
- */
-const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
-{
- switch (pk_type) {
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_PK_RSA:
- return &mbedtls_rsa_info;
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- case MBEDTLS_PK_ECKEY:
- return &mbedtls_eckey_info;
- case MBEDTLS_PK_ECKEY_DH:
- return &mbedtls_eckeydh_info;
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
- case MBEDTLS_PK_ECDSA:
- return &mbedtls_ecdsa_info;
-#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
- /* MBEDTLS_PK_RSA_ALT omitted on purpose */
- default:
- return NULL;
- }
-}
-
-/*
- * Initialise context
- */
-int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
-{
- if (info == NULL || ctx->pk_info != NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if ((info->ctx_alloc_func != NULL) &&
- ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
- ctx->pk_info = info;
-
- return 0;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * Initialise a PSA-wrapping context
- */
-int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
- const mbedtls_svc_key_id_t key)
-{
- const mbedtls_pk_info_t *info = NULL;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t type;
-
- if (ctx == NULL || ctx->pk_info != NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes)) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- type = psa_get_key_type(&attributes);
- psa_reset_key_attributes(&attributes);
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
- info = &mbedtls_ecdsa_opaque_info;
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- info = &mbedtls_rsa_opaque_info;
- } else {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
-
- ctx->pk_info = info;
- ctx->priv_id = key;
-
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/*
- * Initialize an RSA-alt context
- */
-int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
- mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
- mbedtls_pk_rsa_alt_sign_func sign_func,
- mbedtls_pk_rsa_alt_key_len_func key_len_func)
-{
- mbedtls_rsa_alt_context *rsa_alt;
- const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
-
- if (ctx->pk_info != NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
- ctx->pk_info = info;
-
- rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
-
- rsa_alt->key = key;
- rsa_alt->decrypt_func = decrypt_func;
- rsa_alt->sign_func = sign_func;
- rsa_alt->key_len_func = key_len_func;
-
- return 0;
-}
-#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
-
-/*
- * Tell if a PK can do the operations of the given type
- */
-int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
-{
- /* A context with null pk_info is not set up yet and can't do anything.
- * For backward compatibility, also accept NULL instead of a context
- * pointer. */
- if (ctx == NULL || ctx->pk_info == NULL) {
- return 0;
- }
-
- return ctx->pk_info->can_do(type);
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * Tell if a PK can do the operations of the given PSA algorithm
- */
-int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
- psa_key_usage_t usage)
-{
- psa_key_usage_t key_usage;
-
- /* A context with null pk_info is not set up yet and can't do anything.
- * For backward compatibility, also accept NULL instead of a context
- * pointer. */
- if (ctx == NULL || ctx->pk_info == NULL) {
- return 0;
- }
-
- /* Filter out non allowed algorithms */
- if (PSA_ALG_IS_ECDSA(alg) == 0 &&
- PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) == 0 &&
- PSA_ALG_IS_RSA_PSS(alg) == 0 &&
- alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
- PSA_ALG_IS_ECDH(alg) == 0) {
- return 0;
- }
-
- /* Filter out non allowed usage flags */
- if (usage == 0 ||
- (usage & ~(PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_DECRYPT |
- PSA_KEY_USAGE_DERIVE)) != 0) {
- return 0;
- }
-
- /* Wildcard hash is not allowed */
- if (PSA_ALG_IS_SIGN_HASH(alg) &&
- PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH) {
- return 0;
- }
-
- if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_OPAQUE) {
- mbedtls_pk_type_t type;
-
- if (PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_ECDH(alg)) {
- type = MBEDTLS_PK_ECKEY;
- } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
- alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
- type = MBEDTLS_PK_RSA;
- } else if (PSA_ALG_IS_RSA_PSS(alg)) {
- type = MBEDTLS_PK_RSASSA_PSS;
- } else {
- return 0;
- }
-
- if (ctx->pk_info->can_do(type) == 0) {
- return 0;
- }
-
- switch (type) {
- case MBEDTLS_PK_ECKEY:
- key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
- break;
- case MBEDTLS_PK_RSA:
- case MBEDTLS_PK_RSASSA_PSS:
- key_usage = PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_SIGN_MESSAGE |
- PSA_KEY_USAGE_DECRYPT;
- break;
- default:
- /* Should never happen */
- return 0;
- }
-
- return (key_usage & usage) == usage;
- }
-
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t key_alg, key_alg2;
- psa_status_t status;
-
- status = psa_get_key_attributes(ctx->priv_id, &attributes);
- if (status != PSA_SUCCESS) {
- return 0;
- }
-
- key_alg = psa_get_key_algorithm(&attributes);
- key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
- key_usage = psa_get_key_usage_flags(&attributes);
- psa_reset_key_attributes(&attributes);
-
- if ((key_usage & usage) != usage) {
- return 0;
- }
-
- /*
- * Common case: the key alg or alg2 only allows alg.
- * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
- * directly.
- * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
- * a fixed hash on key_alg/key_alg2.
- */
- if (alg == key_alg || alg == key_alg2) {
- return 1;
- }
-
- /*
- * If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
- * and alg is the same hash-and-sign family with any hash,
- * then alg is compliant with this key alg
- */
- if (PSA_ALG_IS_SIGN_HASH(alg)) {
-
- if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
- PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
- (alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
- return 1;
- }
-
- if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
- PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
- (alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
- return 1;
- }
- }
-
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/*
- * Helper for mbedtls_pk_sign and mbedtls_pk_verify
- */
-static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
-{
- if (*hash_len != 0) {
- return 0;
- }
-
- *hash_len = mbedtls_md_get_size_from_type(md_alg);
-
- if (*hash_len == 0) {
- return -1;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-/*
- * Helper to set up a restart context if needed
- */
-static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
- const mbedtls_pk_info_t *info)
-{
- /* Don't do anything if already set up or invalid */
- if (ctx == NULL || ctx->pk_info != NULL) {
- return 0;
- }
-
- /* Should never happen when we're called */
- if (info->rs_alloc_func == NULL || info->rs_free_func == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
- ctx->pk_info = info;
-
- return 0;
-}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-/*
- * Verify a signature (restartable)
- */
-int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- mbedtls_pk_restart_ctx *rs_ctx)
-{
- if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info == NULL ||
- pk_hashlen_helper(md_alg, &hash_len) != 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- /* optimization: use non-restartable version if restart disabled */
- if (rs_ctx != NULL &&
- mbedtls_ecp_restart_is_enabled() &&
- ctx->pk_info->verify_rs_func != NULL) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
- return ret;
- }
-
- ret = ctx->pk_info->verify_rs_func(ctx,
- md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
-
- if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
- mbedtls_pk_restart_free(rs_ctx);
- }
-
- return ret;
- }
-#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- (void) rs_ctx;
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
- if (ctx->pk_info->verify_func == NULL) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- return ctx->pk_info->verify_func(ctx, md_alg, hash, hash_len,
- sig, sig_len);
-}
-
-/*
- * Verify a signature
- */
-int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- return mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
- sig, sig_len, NULL);
-}
-
-/*
- * Verify a signature with options
- */
-int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
- mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (!mbedtls_pk_can_do(ctx, type)) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- if (type != MBEDTLS_PK_RSASSA_PSS) {
- /* General case: no options */
- if (options != NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- return mbedtls_pk_verify(ctx, md_alg, hash, hash_len, sig, sig_len);
- }
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_pk_rsassa_pss_options *pss_opts;
-
-#if SIZE_MAX > UINT_MAX
- if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-#endif
-
- if (options == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (pss_opts->mgf1_hash_id == md_alg) {
- unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
- unsigned char *p;
- int key_len;
- size_t signature_length;
- psa_status_t status = PSA_ERROR_DATA_CORRUPT;
- psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
-
- psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
- p = buf + sizeof(buf);
- key_len = mbedtls_pk_write_pubkey(&p, buf, ctx);
-
- if (key_len < 0) {
- return key_len;
- }
-
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
- psa_set_key_algorithm(&attributes, psa_sig_alg);
-
- status = psa_import_key(&attributes,
- buf + sizeof(buf) - key_len, key_len,
- &key_id);
- if (status != PSA_SUCCESS) {
- psa_destroy_key(key_id);
- return PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
- * on a valid signature with trailing data in a buffer, but
- * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
- * so for this reason the passed sig_len is overwritten. Smaller
- * signature lengths should not be accepted for verification. */
- signature_length = sig_len > mbedtls_pk_get_len(ctx) ?
- mbedtls_pk_get_len(ctx) : sig_len;
- status = psa_verify_hash(key_id, psa_sig_alg, hash,
- hash_len, sig, signature_length);
- destruction_status = psa_destroy_key(key_id);
-
- if (status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len(ctx)) {
- return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- }
-
- if (status == PSA_SUCCESS) {
- status = destruction_status;
- }
-
- return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- } else
-#endif
- {
- if (sig_len < mbedtls_pk_get_len(ctx)) {
- return MBEDTLS_ERR_RSA_VERIFY_FAILED;
- }
-
- ret = mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_pk_rsa(*ctx),
- md_alg, (unsigned int) hash_len, hash,
- pss_opts->mgf1_hash_id,
- pss_opts->expected_salt_len,
- sig);
- if (ret != 0) {
- return ret;
- }
-
- if (sig_len > mbedtls_pk_get_len(ctx)) {
- return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- }
-
- return 0;
- }
-#else
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
-}
-
-/*
- * Make a signature (restartable)
- */
-int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_pk_restart_ctx *rs_ctx)
-{
- if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info == NULL || pk_hashlen_helper(md_alg, &hash_len) != 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- /* optimization: use non-restartable version if restart disabled */
- if (rs_ctx != NULL &&
- mbedtls_ecp_restart_is_enabled() &&
- ctx->pk_info->sign_rs_func != NULL) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
- return ret;
- }
-
- ret = ctx->pk_info->sign_rs_func(ctx, md_alg,
- hash, hash_len,
- sig, sig_size, sig_len,
- f_rng, p_rng, rs_ctx->rs_ctx);
-
- if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
- mbedtls_pk_restart_free(rs_ctx);
- }
-
- return ret;
- }
-#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- (void) rs_ctx;
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
- if (ctx->pk_info->sign_func == NULL) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- return ctx->pk_info->sign_func(ctx, md_alg,
- hash, hash_len,
- sig, sig_size, sig_len,
- f_rng, p_rng);
-}
-
-/*
- * Make a signature
- */
-int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- return mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
- sig, sig_size, sig_len,
- f_rng, p_rng, NULL);
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-/*
- * Make a signature given a signature type.
- */
-int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
- mbedtls_pk_context *ctx,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
-#if defined(MBEDTLS_RSA_C)
- psa_algorithm_t psa_md_alg;
-#endif /* MBEDTLS_RSA_C */
- *sig_len = 0;
-
- if (ctx->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (!mbedtls_pk_can_do(ctx, pk_type)) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- if (pk_type != MBEDTLS_PK_RSASSA_PSS) {
- return mbedtls_pk_sign(ctx, md_alg, hash, hash_len,
- sig, sig_size, sig_len, f_rng, p_rng);
- }
-
-#if defined(MBEDTLS_RSA_C)
- psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
- if (psa_md_alg == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
- psa_status_t status;
-
- status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg),
- hash, hash_len,
- sig, sig_size, sig_len);
- return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- }
-
- return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
- ctx->pk_ctx, hash, hash_len,
- sig, sig_size, sig_len);
-#else /* MBEDTLS_RSA_C */
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif /* !MBEDTLS_RSA_C */
-
-}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-/*
- * Decrypt message
- */
-int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- if (ctx->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info->decrypt_func == NULL) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- return ctx->pk_info->decrypt_func(ctx, input, ilen,
- output, olen, osize, f_rng, p_rng);
-}
-
-/*
- * Encrypt message
- */
-int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- if (ctx->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info->encrypt_func == NULL) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- return ctx->pk_info->encrypt_func(ctx, input, ilen,
- output, olen, osize, f_rng, p_rng);
-}
-
-/*
- * Check public-private key pair
- */
-int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
- const mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- if (pub->pk_info == NULL ||
- prv->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (prv->pk_info->check_pair_func == NULL) {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
-
- if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
- if (pub->pk_info->type != MBEDTLS_PK_RSA) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
- } else {
- if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
- (pub->pk_info != prv->pk_info)) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
- }
-
- return prv->pk_info->check_pair_func((mbedtls_pk_context *) pub,
- (mbedtls_pk_context *) prv,
- f_rng, p_rng);
-}
-
-/*
- * Get key size in bits
- */
-size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx)
-{
- /* For backward compatibility, accept NULL or a context that
- * isn't set up yet, and return a fake value that should be safe. */
- if (ctx == NULL || ctx->pk_info == NULL) {
- return 0;
- }
-
- return ctx->pk_info->get_bitlen((mbedtls_pk_context *) ctx);
-}
-
-/*
- * Export debug information
- */
-int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items)
-{
- if (ctx->pk_info == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (ctx->pk_info->debug_func == NULL) {
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
- }
-
- ctx->pk_info->debug_func((mbedtls_pk_context *) ctx, items);
- return 0;
-}
-
-/*
- * Access the PK type name
- */
-const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx)
-{
- if (ctx == NULL || ctx->pk_info == NULL) {
- return "invalid PK";
- }
-
- return ctx->pk_info->name;
-}
-
-/*
- * Access the PK type
- */
-mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx)
-{
- if (ctx == NULL || ctx->pk_info == NULL) {
- return MBEDTLS_PK_NONE;
- }
-
- return ctx->pk_info->type;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * Load the key to a PSA key slot,
- * then turn the PK context into a wrapper for that key slot.
- *
- * Currently only works for EC & RSA private keys.
- */
-int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
- mbedtls_svc_key_id_t *key,
- psa_algorithm_t alg,
- psa_key_usage_t usage,
- psa_algorithm_t alg2)
-{
-#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_RSA_C)
- ((void) pk);
- ((void) key);
- ((void) alg);
- ((void) usage);
- ((void) alg2);
-#else /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) {
- size_t d_len;
- psa_ecc_family_t curve_id;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t key_type;
- size_t bits;
- psa_status_t status;
-
- /* export the private key material in the format PSA wants */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- unsigned char d[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
- status = psa_export_key(pk->priv_id, d, sizeof(d), &d_len);
- if (status != PSA_SUCCESS) {
- return psa_pk_status_to_mbedtls(status);
- }
-
- curve_id = pk->ec_family;
- bits = pk->ec_bits;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- unsigned char d[MBEDTLS_ECP_MAX_BYTES];
- mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- d_len = PSA_BITS_TO_BYTES(ec->grp.nbits);
- if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) {
- return ret;
- }
-
- curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
-
- /* prepare the key attributes */
- psa_set_key_type(&attributes, key_type);
- psa_set_key_bits(&attributes, bits);
- psa_set_key_usage_flags(&attributes, usage);
- psa_set_key_algorithm(&attributes, alg);
- if (alg2 != PSA_ALG_NONE) {
- psa_set_key_enrollment_algorithm(&attributes, alg2);
- }
-
- /* import private key into PSA */
- status = psa_import_key(&attributes, d, d_len, key);
- mbedtls_platform_zeroize(d, sizeof(d));
- if (status != PSA_SUCCESS) {
- return PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- /* make PK context wrap the key slot */
- mbedtls_pk_free(pk);
- mbedtls_pk_init(pk);
-
- return mbedtls_pk_setup_opaque(pk, *key);
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
- unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- int key_len;
- psa_status_t status;
-
- /* export the private key material in the format PSA wants */
- key_len = mbedtls_pk_write_key_der(pk, buf, sizeof(buf));
- if (key_len <= 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- /* prepare the key attributes */
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
- psa_set_key_bits(&attributes, mbedtls_pk_get_bitlen(pk));
- psa_set_key_usage_flags(&attributes, usage);
- psa_set_key_algorithm(&attributes, alg);
- if (alg2 != PSA_ALG_NONE) {
- psa_set_key_enrollment_algorithm(&attributes, alg2);
- }
-
- /* import private key into PSA */
- status = psa_import_key(&attributes,
- buf + sizeof(buf) - key_len,
- key_len, key);
-
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- if (status != PSA_SUCCESS) {
- return PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- /* make PK context wrap the key slot */
- mbedtls_pk_free(pk);
- mbedtls_pk_init(pk);
-
- return mbedtls_pk_setup_opaque(pk, *key);
- } else
-#endif /* MBEDTLS_RSA_C */
-#endif /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */
- return MBEDTLS_ERR_PK_TYPE_MISMATCH;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_PK_C */
diff --git a/library/pk_internal.h b/library/pk_internal.h
deleted file mode 100644
index 2d519be..0000000
--- a/library/pk_internal.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/**
- * \file pk_internal.h
- *
- * \brief Public Key abstraction layer: internal (i.e. library only) functions
- * and definitions.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_PK_INTERNAL_H
-#define MBEDTLS_PK_INTERNAL_H
-
-#include "mbedtls/pk.h"
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#include "mbedtls/ecp.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa_util_internal.h"
-#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
-#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_rsa_errors, \
- psa_pk_status_to_mbedtls)
-#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_ecdsa_errors, \
- psa_pk_status_to_mbedtls)
-#endif
-
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-/**
- * Public function mbedtls_pk_ec() can be used to get direct access to the
- * wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
- * ideal because it bypasses the PK module on the control of its internal
- * structure (pk_context) fields.
- * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but
- * we provide 2 very similar functions when only ECP_LIGHT is enabled and not
- * ECP_C.
- * These variants embed the "ro" or "rw" keywords in their name to make the
- * usage of the returned pointer explicit. Of course the returned value is
- * const or non-const accordingly.
- */
-static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk)
-{
- switch (mbedtls_pk_get_type(&pk)) {
- case MBEDTLS_PK_ECKEY:
- case MBEDTLS_PK_ECKEY_DH:
- case MBEDTLS_PK_ECDSA:
- return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
- default:
- return NULL;
- }
-}
-
-static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
-{
- switch (mbedtls_pk_get_type(&pk)) {
- case MBEDTLS_PK_ECKEY:
- case MBEDTLS_PK_ECKEY_DH:
- case MBEDTLS_PK_ECDSA:
- return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
- default:
- return NULL;
- }
-}
-#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_context *pk)
-{
- mbedtls_ecp_group_id id;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t opaque_key_type;
- psa_ecc_family_t curve;
-
- if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
- return MBEDTLS_ECP_DP_NONE;
- }
- opaque_key_type = psa_get_key_type(&opaque_attrs);
- curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
- id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&opaque_attrs), 0);
- psa_reset_key_attributes(&opaque_attrs);
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- id = mbedtls_pk_ec_ro(*pk)->grp.id;
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- }
-
- return id;
-}
-
-/* Helper for Montgomery curves */
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(MBEDTLS_ECP_HAVE_CURVE448)
-#define MBEDTLS_PK_HAVE_RFC8410_CURVES
-#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
- mbedtls_pk_context *pk,
- unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
-
-#endif
-
-#endif /* MBEDTLS_PK_INTERNAL_H */
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
deleted file mode 100644
index 436876a..0000000
--- a/library/pk_wrap.c
+++ /dev/null
@@ -1,1848 +0,0 @@
-/*
- * Public Key abstraction layer: wrapper functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#include "mbedtls/platform_util.h"
-
-#if defined(MBEDTLS_PK_C)
-#include "pk_wrap.h"
-#include "pk_internal.h"
-#include "mbedtls/error.h"
-#include "md_psa.h"
-
-/* Even if RSA not activated, for the sake of RSA-alt */
-#include "mbedtls/rsa.h"
-
-#if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
-#endif
-
-#if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
-#endif
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C)
-#include "pkwrite.h"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa_util_internal.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
-#include "mbedtls/asn1write.h"
-#include "mbedtls/asn1.h"
-#endif
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#include "mbedtls/platform.h"
-
-#include <limits.h>
-#include <stdint.h>
-#include <string.h>
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-int mbedtls_pk_error_from_psa(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_INVALID_HANDLE:
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- case PSA_ERROR_NOT_PERMITTED:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_PK_INVALID_ALG;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- case PSA_ERROR_BAD_STATE:
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- case PSA_ERROR_COMMUNICATION_FAILURE:
- case PSA_ERROR_HARDWARE_FAILURE:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- case PSA_ERROR_DATA_CORRUPT:
- case PSA_ERROR_DATA_INVALID:
- case PSA_ERROR_STORAGE_FAILURE:
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- case PSA_ERROR_CORRUPTION_DETECTED:
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- default:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-}
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-int mbedtls_pk_error_from_psa_rsa(psa_status_t status)
-{
- switch (status) {
- case PSA_ERROR_NOT_PERMITTED:
- case PSA_ERROR_INVALID_ARGUMENT:
- case PSA_ERROR_INVALID_HANDLE:
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
- case PSA_ERROR_INSUFFICIENT_ENTROPY:
- return MBEDTLS_ERR_RSA_RNG_FAILED;
- case PSA_ERROR_INVALID_SIGNATURE:
- return MBEDTLS_ERR_RSA_VERIFY_FAILED;
- case PSA_ERROR_INVALID_PADDING:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- case PSA_ERROR_BAD_STATE:
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- case PSA_ERROR_COMMUNICATION_FAILURE:
- case PSA_ERROR_HARDWARE_FAILURE:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- case PSA_ERROR_DATA_CORRUPT:
- case PSA_ERROR_DATA_INVALID:
- case PSA_ERROR_STORAGE_FAILURE:
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- case PSA_ERROR_CORRUPTION_DETECTED:
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- default:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-}
-#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
-{
- switch (status) {
- case PSA_ERROR_NOT_PERMITTED:
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- case PSA_ERROR_INVALID_HANDLE:
- return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- case PSA_ERROR_INSUFFICIENT_ENTROPY:
- return MBEDTLS_ERR_ECP_RANDOM_FAILED;
- case PSA_ERROR_INVALID_SIGNATURE:
- return MBEDTLS_ERR_ECP_VERIFY_FAILED;
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- case PSA_ERROR_BAD_STATE:
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- case PSA_ERROR_COMMUNICATION_FAILURE:
- case PSA_ERROR_HARDWARE_FAILURE:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- case PSA_ERROR_DATA_CORRUPT:
- case PSA_ERROR_DATA_INVALID:
- case PSA_ERROR_STORAGE_FAILURE:
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- case PSA_ERROR_CORRUPTION_DETECTED:
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- default:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-}
-#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_RSA_C)
-static int rsa_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_RSA ||
- type == MBEDTLS_PK_RSASSA_PSS;
-}
-
-static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
-{
- const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
- return 8 * mbedtls_rsa_get_len(rsa);
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_status_t status;
- mbedtls_pk_context key;
- int key_len;
- unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
- psa_algorithm_t psa_alg_md =
- PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
- size_t rsa_len = mbedtls_rsa_get_len(rsa);
-
-#if SIZE_MAX > UINT_MAX
- if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-#endif
-
- if (sig_len < rsa_len) {
- return MBEDTLS_ERR_RSA_VERIFY_FAILED;
- }
-
- /* mbedtls_pk_write_pubkey_der() expects a full PK context;
- * re-construct one to make it happy */
- key.pk_info = &mbedtls_rsa_info;
- key.pk_ctx = rsa;
- key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
- if (key_len <= 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
- psa_set_key_algorithm(&attributes, psa_alg_md);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
-
- status = psa_import_key(&attributes,
- buf + sizeof(buf) - key_len, key_len,
- &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
- sig, sig_len);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
- ret = 0;
-
-cleanup:
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- return ret;
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
- size_t rsa_len = mbedtls_rsa_get_len(rsa);
-
-#if SIZE_MAX > UINT_MAX
- if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-#endif
-
- if (sig_len < rsa_len) {
- return MBEDTLS_ERR_RSA_VERIFY_FAILED;
- }
-
- if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
- (unsigned int) hash_len,
- hash, sig)) != 0) {
- return ret;
- }
-
- /* The buffer contains a valid signature followed by extra data.
- * We have a special error code for that so that so that callers can
- * use mbedtls_pk_verify() to check "Does the buffer start with a
- * valid signature?" and not just "Does the buffer contain a valid
- * signature?". */
- if (sig_len > rsa_len) {
- return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
- mbedtls_rsa_context *rsa_ctx,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size,
- size_t *sig_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_status_t status;
- mbedtls_pk_context key;
- int key_len;
- unsigned char *buf = NULL;
- buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
- if (buf == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
- mbedtls_pk_info_t pk_info = mbedtls_rsa_info;
-
- *sig_len = mbedtls_rsa_get_len(rsa_ctx);
- if (sig_size < *sig_len) {
- mbedtls_free(buf);
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- }
-
- /* mbedtls_pk_write_key_der() expects a full PK context;
- * re-construct one to make it happy */
- key.pk_info = &pk_info;
- key.pk_ctx = rsa_ctx;
- key_len = mbedtls_pk_write_key_der(&key, buf, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
- if (key_len <= 0) {
- mbedtls_free(buf);
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, alg);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
-
- status = psa_import_key(&attributes,
- buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
- &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
- status = psa_sign_hash(key_id, alg, hash, hash_len,
- sig, sig_size, sig_len);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- mbedtls_free(buf);
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
- return ret;
-}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- ((void) f_rng);
- ((void) p_rng);
-
- psa_algorithm_t psa_md_alg;
- psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
- if (psa_md_alg == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PKCS1V15_SIGN(
- psa_md_alg),
- pk->pk_ctx, hash, hash_len,
- sig, sig_size, sig_len);
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
-
-#if SIZE_MAX > UINT_MAX
- if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-#endif
-
- *sig_len = mbedtls_rsa_get_len(rsa);
- if (sig_size < *sig_len) {
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- }
-
- return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
- md_alg, (unsigned int) hash_len,
- hash, sig);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_status_t status;
- mbedtls_pk_context key;
- int key_len;
- unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
-
- ((void) f_rng);
- ((void) p_rng);
-
-#if !defined(MBEDTLS_RSA_ALT)
- if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-#endif /* !MBEDTLS_RSA_ALT */
-
- if (ilen != mbedtls_rsa_get_len(rsa)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /* mbedtls_pk_write_key_der() expects a full PK context;
- * re-construct one to make it happy */
- key.pk_info = &mbedtls_rsa_info;
- key.pk_ctx = rsa;
- key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf));
- if (key_len <= 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
- psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
-
- status = psa_import_key(&attributes,
- buf + sizeof(buf) - key_len, key_len,
- &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
- input, ilen,
- NULL, 0,
- output, osize, olen);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- return ret;
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
-
- if (ilen != mbedtls_rsa_get_len(rsa)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
- olen, input, output, osize);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_status_t status;
- mbedtls_pk_context key;
- int key_len;
- unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
-
- ((void) f_rng);
- ((void) p_rng);
-
-#if !defined(MBEDTLS_RSA_ALT)
- if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-#endif
-
- if (mbedtls_rsa_get_len(rsa) > osize) {
- return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
- }
-
- /* mbedtls_pk_write_pubkey_der() expects a full PK context;
- * re-construct one to make it happy */
- key.pk_info = &mbedtls_rsa_info;
- key.pk_ctx = rsa;
- key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
- if (key_len <= 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
- psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
-
- status = psa_import_key(&attributes,
- buf + sizeof(buf) - key_len, key_len,
- &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- status = psa_asymmetric_encrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
- input, ilen,
- NULL, 0,
- output, osize, olen);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- ret = 0;
-
-cleanup:
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- return ret;
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
- *olen = mbedtls_rsa_get_len(rsa);
-
- if (*olen > osize) {
- return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
- }
-
- return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
- ilen, input, output);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- (void) f_rng;
- (void) p_rng;
- return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
- (const mbedtls_rsa_context *) prv->pk_ctx);
-}
-
-static void *rsa_alloc_wrap(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
-
- if (ctx != NULL) {
- mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
- }
-
- return ctx;
-}
-
-static void rsa_free_wrap(void *ctx)
-{
- mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
- mbedtls_free(ctx);
-}
-
-static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
-{
-#if defined(MBEDTLS_RSA_ALT)
- /* Not supported */
- (void) pk;
- (void) items;
-#else
- mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
-
- items->type = MBEDTLS_PK_DEBUG_MPI;
- items->name = "rsa.N";
- items->value = &(rsa->N);
-
- items++;
-
- items->type = MBEDTLS_PK_DEBUG_MPI;
- items->name = "rsa.E";
- items->value = &(rsa->E);
-#endif
-}
-
-const mbedtls_pk_info_t mbedtls_rsa_info = {
- .type = MBEDTLS_PK_RSA,
- .name = "RSA",
- .get_bitlen = rsa_get_bitlen,
- .can_do = rsa_can_do,
- .verify_func = rsa_verify_wrap,
- .sign_func = rsa_sign_wrap,
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = NULL,
- .sign_rs_func = NULL,
- .rs_alloc_func = NULL,
- .rs_free_func = NULL,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = rsa_decrypt_wrap,
- .encrypt_func = rsa_encrypt_wrap,
- .check_pair_func = rsa_check_pair_wrap,
- .ctx_alloc_func = rsa_alloc_wrap,
- .ctx_free_func = rsa_free_wrap,
- .debug_func = rsa_debug,
-};
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/*
- * Generic EC key
- */
-static int eckey_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_ECKEY ||
- type == MBEDTLS_PK_ECKEY_DH ||
- type == MBEDTLS_PK_ECDSA;
-}
-
-static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
-{
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- return pk->ec_bits;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
- return ecp->grp.pbits;
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-}
-
-#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
- * those integers and convert it to the fixed-length encoding expected by PSA.
- */
-static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
- unsigned char *to, size_t to_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t unpadded_len, padding_len;
-
- if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
- MBEDTLS_ASN1_INTEGER)) != 0) {
- return ret;
- }
-
- while (unpadded_len > 0 && **from == 0x00) {
- (*from)++;
- unpadded_len--;
- }
-
- if (unpadded_len > to_len || unpadded_len == 0) {
- return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
- }
-
- padding_len = to_len - unpadded_len;
- memset(to, 0x00, padding_len);
- memcpy(to + padding_len, *from, unpadded_len);
- (*from) += unpadded_len;
-
- return 0;
-}
-
-/*
- * Convert a signature from an ASN.1 sequence of two integers
- * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
- * twice as big as int_size.
- */
-static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
- unsigned char *sig, size_t int_size)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t tmp_size;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return ret;
- }
-
- /* Extract r */
- if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) {
- return ret;
- }
- /* Extract s */
- if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/* Common helper for ECDSA verify using PSA functions. */
-static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
- psa_ecc_family_t curve, size_t curve_bits,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
- size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
- unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
- unsigned char *p;
- psa_status_t status;
-
- if (curve == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
- psa_set_key_algorithm(&attributes, psa_sig_md);
-
- status = psa_import_key(&attributes, key, key_len, &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- if (signature_len > sizeof(extracted_sig)) {
- ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- p = (unsigned char *) sig;
- /* extract_ecdsa_sig's last parameter is the size
- * of each integer to be parsed, so it's actually half
- * the size of the signature. */
- if ((ret = extract_ecdsa_sig(&p, sig + sig_len, extracted_sig,
- signature_len/2)) != 0) {
- goto cleanup;
- }
-
- status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
- extracted_sig, signature_len);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- if (p != sig + sig_len) {
- ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- goto cleanup;
- }
- ret = 0;
-
-cleanup:
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- return ret;
-}
-
-static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- (void) md_alg;
- unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
- size_t key_len;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- psa_ecc_family_t curve;
- size_t curve_bits;
- psa_status_t status;
-
- status = psa_get_key_attributes(pk->priv_id, &key_attr);
- if (status != PSA_SUCCESS) {
- return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- }
- curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
- curve_bits = psa_get_key_bits(&key_attr);
- psa_reset_key_attributes(&key_attr);
-
- status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
- if (status != PSA_SUCCESS) {
- return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- }
-
- return ecdsa_verify_psa(key, key_len, curve, curve_bits,
- hash, hash_len, sig, sig_len);
-}
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- (void) md_alg;
- psa_ecc_family_t curve = pk->ec_family;
- size_t curve_bits = pk->ec_bits;
-
- return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
- hash, hash_len, sig, sig_len);
-}
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- (void) md_alg;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_keypair *ctx = pk->pk_ctx;
- unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t key_len;
- size_t curve_bits;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
-
- ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &key_len, key, sizeof(key));
- if (ret != 0) {
- return ret;
- }
-
- return ecdsa_verify_psa(key, key_len, curve, curve_bits,
- hash, hash_len, sig, sig_len);
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ((void) md_alg);
-
- ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
- hash, hash_len, sig, sig_len);
-
- if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
- return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- }
-
- return ret;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
-
-#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * Simultaneously convert and move raw MPI from the beginning of a buffer
- * to an ASN.1 MPI at the end of the buffer.
- * See also mbedtls_asn1_write_mpi().
- *
- * p: pointer to the end of the output buffer
- * start: start of the output buffer, and also of the mpi to write at the end
- * n_len: length of the mpi to read from start
- */
-static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
- size_t n_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- if ((size_t) (*p - start) < n_len) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- len = n_len;
- *p -= len;
- memmove(*p, start, len);
-
- /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
- * Neither r nor s should be 0, but as a failsafe measure, still detect
- * that rather than overflowing the buffer in case of a PSA error. */
- while (len > 0 && **p == 0x00) {
- ++(*p);
- --len;
- }
-
- /* this is only reached if the signature was invalid */
- if (len == 0) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-
- /* if the msb is 1, ASN.1 requires that we prepend a 0.
- * Neither r nor s can be 0, so we can assume len > 0 at all times. */
- if (**p & 0x80) {
- if (*p - start < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *--(*p) = 0x00;
- len += 1;
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
- MBEDTLS_ASN1_INTEGER));
-
- return (int) len;
-}
-
-/* Transcode signature from PSA format to ASN.1 sequence.
- * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
- * MPIs, and in-place.
- *
- * [in/out] sig: the signature pre- and post-transcoding
- * [in/out] sig_len: signature length pre- and post-transcoding
- * [int] buf_len: the available size the in/out buffer
- */
-static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
- size_t buf_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
- const size_t rs_len = *sig_len / 2;
- unsigned char *p = sig + buf_len;
-
- MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
- MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
- MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- memmove(sig, p, len);
- *sig_len = len;
-
- return 0;
-}
-
-/* Common helper for ECDSA sign using PSA functions. */
-static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_status_t status;
- psa_algorithm_t psa_sig_md;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t alg;
-
- status = psa_get_key_attributes(key_id, &key_attr);
- if (status != PSA_SUCCESS) {
- return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- }
- alg = psa_get_key_algorithm(&key_attr);
- psa_reset_key_attributes(&key_attr);
-
- if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
- psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
- } else {
- psa_sig_md = PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
- }
-
- status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len,
- sig, sig_size, sig_len);
- if (status != PSA_SUCCESS) {
- return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- }
-
- ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size);
-
- return ret;
-}
-
-static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
- mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size,
- size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- ((void) f_rng);
- ((void) p_rng);
-
- return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
- sig_len);
-}
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
- * using the same function. */
-#define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_status_t status;
- mbedtls_ecp_keypair *ctx = pk->pk_ctx;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
- size_t curve_bits;
- psa_ecc_family_t curve =
- mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
- size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- psa_algorithm_t psa_sig_md =
- PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
-#else
- psa_algorithm_t psa_sig_md =
- PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
-#endif
- ((void) f_rng);
- ((void) p_rng);
-
- if (curve == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (key_len > sizeof(buf)) {
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
- if (ret != 0) {
- goto cleanup;
- }
-
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, psa_sig_md);
-
- status = psa_import_key(&attributes, buf, key_len, &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto cleanup;
- }
-
- ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- status = psa_destroy_key(key_id);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
- md_alg, hash, hash_len,
- sig, sig_size, sig_len,
- f_rng, p_rng);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-/* Forward declarations */
-static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- void *rs_ctx);
-
-static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- void *rs_ctx);
-
-/*
- * Restart context for ECDSA operations with ECKEY context
- *
- * We need to store an actual ECDSA context, as we need to pass the same to
- * the underlying ecdsa function, so we can't create it on the fly every time.
- */
-typedef struct {
- mbedtls_ecdsa_restart_ctx ecdsa_rs;
- mbedtls_ecdsa_context ecdsa_ctx;
-} eckey_restart_ctx;
-
-static void *eckey_rs_alloc(void)
-{
- eckey_restart_ctx *rs_ctx;
-
- void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
-
- if (ctx != NULL) {
- rs_ctx = ctx;
- mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
- mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
- }
-
- return ctx;
-}
-
-static void eckey_rs_free(void *ctx)
-{
- eckey_restart_ctx *rs_ctx;
-
- if (ctx == NULL) {
- return;
- }
-
- rs_ctx = ctx;
- mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
- mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
-
- mbedtls_free(ctx);
-}
-
-static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- void *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- eckey_restart_ctx *rs = rs_ctx;
-
- /* Should never happen */
- if (rs == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- /* set up our own sub-context if needed (that is, on first run) */
- if (rs->ecdsa_ctx.grp.pbits == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
- }
-
- MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
- md_alg, hash, hash_len,
- sig, sig_len, &rs->ecdsa_rs));
-
-cleanup:
- return ret;
-}
-
-static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- void *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- eckey_restart_ctx *rs = rs_ctx;
-
- /* Should never happen */
- if (rs == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- /* set up our own sub-context if needed (that is, on first run) */
- if (rs->ecdsa_ctx.grp.pbits == 0) {
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
- }
-
- MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
- hash, hash_len, sig, sig_size, sig_len,
- f_rng, p_rng, &rs->ecdsa_rs));
-
-cleanup:
- return ret;
-}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
-{
- psa_status_t status;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t prv_key_len;
- mbedtls_svc_key_id_t key_id = prv->priv_id;
-
- status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
- &prv_key_len);
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- if (ret != 0) {
- return ret;
- }
-
- if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
-{
- psa_status_t status;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t prv_key_len;
- psa_status_t destruction_status;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t pub_key_len;
- size_t curve_bits;
- const psa_ecc_family_t curve =
- mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
- const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
-
- if (curve == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
- psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
-
- ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
- prv_key_buf, curve_bytes);
- if (ret != 0) {
- mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
- return ret;
- }
-
- status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
- mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- if (ret != 0) {
- return ret;
- }
-
- // From now on prv_key_buf is used to store the public key of prv.
- status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
- &prv_key_len);
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- destruction_status = psa_destroy_key(key_id);
- if (ret != 0) {
- return ret;
- } else if (destruction_status != PSA_SUCCESS) {
- return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
- }
-
- ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
- &mbedtls_pk_ec_rw(*pub)->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &pub_key_len, pub_key_buf,
- sizeof(pub_key_buf));
- if (ret != 0) {
- return ret;
- }
-
- if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
-static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- (void) f_rng;
- (void) p_rng;
- return eckey_check_pair_psa(pub, prv);
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
- (const mbedtls_ecp_keypair *) prv->pk_ctx,
- f_rng, p_rng);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
- * using the same function. */
-#define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
- mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- psa_status_t status;
- uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
- size_t exp_pub_key_len = 0;
- uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
- size_t pub_key_len = 0;
- int ret;
- (void) f_rng;
- (void) p_rng;
-
- status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
- &exp_pub_key_len);
- if (status != PSA_SUCCESS) {
- ret = psa_pk_status_to_mbedtls(status);
- return ret;
- }
- ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
- &(mbedtls_pk_ec_ro(*pub)->Q),
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &pub_key_len, pub_key, sizeof(pub_key));
- if (ret != 0) {
- return ret;
- }
- if ((exp_pub_key_len != pub_key_len) ||
- memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- return 0;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static void *eckey_alloc_wrap(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
-
- if (ctx != NULL) {
- mbedtls_ecp_keypair_init(ctx);
- }
-
- return ctx;
-}
-
-static void eckey_free_wrap(void *ctx)
-{
- mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
- mbedtls_free(ctx);
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
-static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
-{
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- items->type = MBEDTLS_PK_DEBUG_PSA_EC;
- items->name = "eckey.Q";
- items->value = pk;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
- items->type = MBEDTLS_PK_DEBUG_ECP;
- items->name = "eckey.Q";
- items->value = &(ecp->Q);
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-}
-
-const mbedtls_pk_info_t mbedtls_eckey_info = {
- .type = MBEDTLS_PK_ECKEY,
- .name = "EC",
- .get_bitlen = eckey_get_bitlen,
- .can_do = eckey_can_do,
-#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
- .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
-#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
- .verify_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
-#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
-#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
- .sign_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = eckey_verify_rs_wrap,
- .sign_rs_func = eckey_sign_rs_wrap,
- .rs_alloc_func = eckey_rs_alloc,
- .rs_free_func = eckey_rs_free,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = NULL,
- .encrypt_func = NULL,
- .check_pair_func = eckey_check_pair_wrap,
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- .ctx_alloc_func = NULL,
- .ctx_free_func = NULL,
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .ctx_alloc_func = eckey_alloc_wrap,
- .ctx_free_func = eckey_free_wrap,
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .debug_func = eckey_debug,
-};
-
-/*
- * EC key restricted to ECDH
- */
-static int eckeydh_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_ECKEY ||
- type == MBEDTLS_PK_ECKEY_DH;
-}
-
-const mbedtls_pk_info_t mbedtls_eckeydh_info = {
- .type = MBEDTLS_PK_ECKEY_DH,
- .name = "EC_DH",
- .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
- .can_do = eckeydh_can_do,
- .verify_func = NULL,
- .sign_func = NULL,
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = NULL,
- .sign_rs_func = NULL,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = NULL,
- .encrypt_func = NULL,
- .check_pair_func = eckey_check_pair_wrap,
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- .ctx_alloc_func = NULL,
- .ctx_free_func = NULL,
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
- .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .debug_func = eckey_debug, /* Same underlying key structure */
-};
-
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
-static int ecdsa_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_ECDSA;
-}
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
-static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- void *rs_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ((void) md_alg);
-
- ret = mbedtls_ecdsa_read_signature_restartable(
- (mbedtls_ecdsa_context *) pk->pk_ctx,
- hash, hash_len, sig, sig_len,
- (mbedtls_ecdsa_restart_ctx *) rs_ctx);
-
- if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
- return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
- }
-
- return ret;
-}
-
-static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- void *rs_ctx)
-{
- return mbedtls_ecdsa_write_signature_restartable(
- (mbedtls_ecdsa_context *) pk->pk_ctx,
- md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
- (mbedtls_ecdsa_restart_ctx *) rs_ctx);
-
-}
-
-static void *ecdsa_rs_alloc(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
-
- if (ctx != NULL) {
- mbedtls_ecdsa_restart_init(ctx);
- }
-
- return ctx;
-}
-
-static void ecdsa_rs_free(void *ctx)
-{
- mbedtls_ecdsa_restart_free(ctx);
- mbedtls_free(ctx);
-}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
-const mbedtls_pk_info_t mbedtls_ecdsa_info = {
- .type = MBEDTLS_PK_ECDSA,
- .name = "ECDSA",
- .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
- .can_do = ecdsa_can_do,
-#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
- .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
-#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
- .verify_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
-#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
-#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
- .sign_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = ecdsa_verify_rs_wrap,
- .sign_rs_func = ecdsa_sign_rs_wrap,
- .rs_alloc_func = ecdsa_rs_alloc,
- .rs_free_func = ecdsa_rs_free,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = NULL,
- .encrypt_func = NULL,
- .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- .ctx_alloc_func = NULL,
- .ctx_free_func = NULL,
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
- .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- .debug_func = eckey_debug, /* Compatible key structures */
-};
-#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/*
- * Support for alternative RSA-private implementations
- */
-
-static int rsa_alt_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_RSA;
-}
-
-static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
-{
- const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
-
- return 8 * rsa_alt->key_len_func(rsa_alt->key);
-}
-
-static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
-
-#if SIZE_MAX > UINT_MAX
- if (UINT_MAX < hash_len) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-#endif
-
- *sig_len = rsa_alt->key_len_func(rsa_alt->key);
- if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- if (*sig_len > sig_size) {
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- }
-
- return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
- md_alg, (unsigned int) hash_len, hash, sig);
-}
-
-static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
-
- ((void) f_rng);
- ((void) p_rng);
-
- if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- return rsa_alt->decrypt_func(rsa_alt->key,
- olen, input, output, osize);
-}
-
-#if defined(MBEDTLS_RSA_C)
-static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
- unsigned char hash[32];
- size_t sig_len = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- memset(hash, 0x2a, sizeof(hash));
-
- if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
- hash, sizeof(hash),
- sig, sizeof(sig), &sig_len,
- f_rng, p_rng)) != 0) {
- return ret;
- }
-
- if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
- hash, sizeof(hash), sig, sig_len) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_RSA_C */
-
-static void *rsa_alt_alloc_wrap(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
-
- if (ctx != NULL) {
- memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
- }
-
- return ctx;
-}
-
-static void rsa_alt_free_wrap(void *ctx)
-{
- mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
-}
-
-const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
- .type = MBEDTLS_PK_RSA_ALT,
- .name = "RSA-alt",
- .get_bitlen = rsa_alt_get_bitlen,
- .can_do = rsa_alt_can_do,
- .verify_func = NULL,
- .sign_func = rsa_alt_sign_wrap,
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = NULL,
- .sign_rs_func = NULL,
- .rs_alloc_func = NULL,
- .rs_free_func = NULL,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = rsa_alt_decrypt_wrap,
- .encrypt_func = NULL,
-#if defined(MBEDTLS_RSA_C)
- .check_pair_func = rsa_alt_check_pair,
-#else
- .check_pair_func = NULL,
-#endif
- .ctx_alloc_func = rsa_alt_alloc_wrap,
- .ctx_free_func = rsa_alt_free_wrap,
- .debug_func = NULL,
-};
-#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
-{
- size_t bits;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-
- if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
- return 0;
- }
-
- bits = psa_get_key_bits(&attributes);
- psa_reset_key_attributes(&attributes);
- return bits;
-}
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_ECKEY ||
- type == MBEDTLS_PK_ECDSA;
-}
-
-const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
- .type = MBEDTLS_PK_OPAQUE,
- .name = "Opaque",
- .get_bitlen = opaque_get_bitlen,
- .can_do = ecdsa_opaque_can_do,
-#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
- .verify_func = ecdsa_opaque_verify_wrap,
-#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
- .verify_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
-#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- .sign_func = ecdsa_opaque_sign_wrap,
-#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
- .sign_func = NULL,
-#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = NULL,
- .sign_rs_func = NULL,
- .rs_alloc_func = NULL,
- .rs_free_func = NULL,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
- .decrypt_func = NULL,
- .encrypt_func = NULL,
- .check_pair_func = ecdsa_opaque_check_pair_wrap,
- .ctx_alloc_func = NULL,
- .ctx_free_func = NULL,
- .debug_func = NULL,
-};
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-static int rsa_opaque_can_do(mbedtls_pk_type_t type)
-{
- return type == MBEDTLS_PK_RSA ||
- type == MBEDTLS_PK_RSASSA_PSS;
-}
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
- const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- psa_status_t status;
-
- /* PSA has its own RNG */
- (void) f_rng;
- (void) p_rng;
-
- status = psa_asymmetric_decrypt(pk->priv_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
- input, ilen,
- NULL, 0,
- output, osize, olen);
- if (status != PSA_SUCCESS) {
- return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- }
-
- return 0;
-}
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
-
-static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
-#if defined(MBEDTLS_RSA_C)
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t alg;
- psa_key_type_t type;
- psa_status_t status;
-
- /* PSA has its own RNG */
- (void) f_rng;
- (void) p_rng;
-
- status = psa_get_key_attributes(pk->priv_id, &attributes);
- if (status != PSA_SUCCESS) {
- return PSA_PK_TO_MBEDTLS_ERR(status);
- }
-
- type = psa_get_key_type(&attributes);
- psa_reset_key_attributes(&attributes);
-
- if (PSA_KEY_TYPE_IS_RSA(type)) {
- alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
- } else {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
-
- /* make the signature */
- status = psa_sign_hash(pk->priv_id, alg, hash, hash_len,
- sig, sig_size, sig_len);
- if (status != PSA_SUCCESS) {
- if (PSA_KEY_TYPE_IS_RSA(type)) {
- return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
- } else {
- return PSA_PK_TO_MBEDTLS_ERR(status);
- }
- }
-
- return 0;
-#else /* !MBEDTLS_RSA_C */
- ((void) pk);
- ((void) md_alg);
- ((void) hash);
- ((void) hash_len);
- ((void) sig);
- ((void) sig_size);
- ((void) sig_len);
- ((void) f_rng);
- ((void) p_rng);
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif /* !MBEDTLS_RSA_C */
-}
-
-const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
- .type = MBEDTLS_PK_OPAQUE,
- .name = "Opaque",
- .get_bitlen = opaque_get_bitlen,
- .can_do = rsa_opaque_can_do,
- .verify_func = NULL,
- .sign_func = rsa_opaque_sign_wrap,
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- .verify_rs_func = NULL,
- .sign_rs_func = NULL,
- .rs_alloc_func = NULL,
- .rs_free_func = NULL,
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
- .decrypt_func = rsa_opaque_decrypt,
-#else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
- .decrypt_func = NULL,
-#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
- .encrypt_func = NULL,
- .check_pair_func = NULL,
- .ctx_alloc_func = NULL,
- .ctx_free_func = NULL,
- .debug_func = NULL,
-};
-
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#endif /* MBEDTLS_PK_C */
diff --git a/library/pk_wrap.h b/library/pk_wrap.h
deleted file mode 100644
index b1e0218..0000000
--- a/library/pk_wrap.h
+++ /dev/null
@@ -1,168 +0,0 @@
-/**
- * \file pk_wrap.h
- *
- * \brief Public Key abstraction layer: wrapper functions
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PK_WRAP_H
-#define MBEDTLS_PK_WRAP_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/pk.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa/crypto.h"
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-struct mbedtls_pk_info_t {
- /** Public key type */
- mbedtls_pk_type_t type;
-
- /** Type name */
- const char *name;
-
- /** Get key size in bits */
- size_t (*get_bitlen)(mbedtls_pk_context *pk);
-
- /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
- int (*can_do)(mbedtls_pk_type_t type);
-
- /** Verify signature */
- int (*verify_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len);
-
- /** Make signature */
- int (*sign_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- /** Verify signature (restartable) */
- int (*verify_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- const unsigned char *sig, size_t sig_len,
- void *rs_ctx);
-
- /** Make signature (restartable) */
- int (*sign_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size, size_t *sig_len,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, void *rs_ctx);
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
- /** Decrypt message */
- int (*decrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
- /** Encrypt message */
- int (*encrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen, size_t osize,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
- /** Check public-private key pair */
- int (*check_pair_func)(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
- /** Allocate a new context */
- void * (*ctx_alloc_func)(void);
-
- /** Free the given context */
- void (*ctx_free_func)(void *ctx);
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- /** Allocate the restart context */
- void *(*rs_alloc_func)(void);
-
- /** Free the restart context */
- void (*rs_free_func)(void *rs_ctx);
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
-
- /** Interface with the debug module */
- void (*debug_func)(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items);
-
-};
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/* Container for RSA-alt */
-typedef struct {
- void *key;
- mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
- mbedtls_pk_rsa_alt_sign_func sign_func;
- mbedtls_pk_rsa_alt_key_len_func key_len_func;
-} mbedtls_rsa_alt_context;
-#endif
-
-#if defined(MBEDTLS_RSA_C)
-extern const mbedtls_pk_info_t mbedtls_rsa_info;
-#endif
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-extern const mbedtls_pk_info_t mbedtls_eckey_info;
-extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
-#endif
-
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
-extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
-#endif
-
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
-extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_ecdsa(psa_status_t status);
-#endif
-#endif
-
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa(psa_status_t status);
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_rsa(psa_status_t status);
-#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_RSA_C)
-int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
- mbedtls_rsa_context *rsa_ctx,
- const unsigned char *hash, size_t hash_len,
- unsigned char *sig, size_t sig_size,
- size_t *sig_len);
-#endif /* MBEDTLS_RSA_C */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
-#endif /* MBEDTLS_PK_WRAP_H */
diff --git a/library/pkcs12.c b/library/pkcs12.c
deleted file mode 100644
index 4db2a4b..0000000
--- a/library/pkcs12.c
+++ /dev/null
@@ -1,446 +0,0 @@
-/*
- * PKCS#12 Personal Information Exchange Syntax
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
- *
- * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PKCS12_C)
-
-#include "mbedtls/pkcs12.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_DES_C)
-#include "mbedtls/des.h"
-#endif
-
-#include "psa_util_internal.h"
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-
-static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
- mbedtls_asn1_buf *salt, int *iterations)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char **p = &params->p;
- const unsigned char *end = params->p + params->len;
-
- /*
- * pkcs-12PbeParams ::= SEQUENCE {
- * salt OCTET STRING,
- * iterations INTEGER
- * }
- *
- */
- if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
- }
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
- }
-
- salt->p = *p;
- *p += salt->len;
-
- if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
- }
-
- if (*p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
-}
-
-#define PKCS12_MAX_PWDLEN 128
-
-static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- unsigned char *key, size_t keylen,
- unsigned char *iv, size_t ivlen)
-{
- int ret, iterations = 0;
- mbedtls_asn1_buf salt;
- size_t i;
- unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
-
- if (pwdlen > PKCS12_MAX_PWDLEN) {
- return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
- }
-
- memset(&salt, 0, sizeof(mbedtls_asn1_buf));
- memset(&unipwd, 0, sizeof(unipwd));
-
- if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
- &iterations)) != 0) {
- return ret;
- }
-
- for (i = 0; i < pwdlen; i++) {
- unipwd[i * 2 + 1] = pwd[i];
- }
-
- if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
- salt.p, salt.len, md_type,
- MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
- return ret;
- }
-
- if (iv == NULL || ivlen == 0) {
- return 0;
- }
-
- if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
- salt.p, salt.len, md_type,
- MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
- return ret;
- }
- return 0;
-}
-
-#undef PKCS12_MAX_PWDLEN
-
-#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
-int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
- mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t len,
- unsigned char *output, size_t output_size,
- size_t *output_len);
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
- mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t len,
- unsigned char *output)
-{
- size_t output_len = 0;
-
- /* We assume caller of the function is providing a big enough output buffer
- * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
- * for the output size actually being correct.
- */
- return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
- pwd, pwdlen, data, len, output, SIZE_MAX,
- &output_len);
-}
-#endif
-
-int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
- mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t len,
- unsigned char *output, size_t output_size,
- size_t *output_len)
-{
- int ret, keylen = 0;
- unsigned char key[32];
- unsigned char iv[16];
- const mbedtls_cipher_info_t *cipher_info;
- mbedtls_cipher_context_t cipher_ctx;
- size_t iv_len = 0;
- size_t finish_olen = 0;
- unsigned int padlen = 0;
-
- if (pwd == NULL && pwdlen != 0) {
- return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
- }
-
- cipher_info = mbedtls_cipher_info_from_type(cipher_type);
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
- }
-
- keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
-
- if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
- if (output_size < len) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- }
-
- if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
- padlen = cipher_info->block_size - (len % cipher_info->block_size);
- if (output_size < (len + padlen)) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- }
-
- iv_len = mbedtls_cipher_info_get_iv_size(cipher_info);
- if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
- key, keylen,
- iv, iv_len)) != 0) {
- return ret;
- }
-
- mbedtls_cipher_init(&cipher_ctx);
-
- if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
- (mbedtls_operation_t) mode)) != 0) {
- goto exit;
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
- /* PKCS12 uses CBC with PKCS7 padding */
-
- mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
-#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
- /* For historical reasons, when decrypting, this function works when
- * decrypting even when support for PKCS7 padding is disabled. In this
- * case, it ignores the padding, and so will never report a
- * password mismatch.
- */
- if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
- padding = MBEDTLS_PADDING_NONE;
- }
-#endif
- if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-
- ret = mbedtls_cipher_crypt(&cipher_ctx, iv, iv_len, data, len, output, &finish_olen);
- if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING) {
- ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
- }
-
- *output_len += finish_olen;
-
-exit:
- mbedtls_platform_zeroize(key, sizeof(key));
- mbedtls_platform_zeroize(iv, sizeof(iv));
- mbedtls_cipher_free(&cipher_ctx);
-
- return ret;
-}
-
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
- const unsigned char *filler, size_t fill_len)
-{
- unsigned char *p = data;
- size_t use_len;
-
- if (filler != NULL && fill_len != 0) {
- while (data_len > 0) {
- use_len = (data_len > fill_len) ? fill_len : data_len;
- memcpy(p, filler, use_len);
- p += use_len;
- data_len -= use_len;
- }
- } else {
- /* If either of the above are not true then clearly there is nothing
- * that this function can do. The function should *not* be called
- * under either of those circumstances, as you could end up with an
- * incorrect output but for safety's sake, leaving the check in as
- * otherwise we could end up with memory corruption.*/
- }
-}
-
-
-static int calculate_hashes(mbedtls_md_type_t md_type, int iterations,
- unsigned char *diversifier, unsigned char *salt_block,
- unsigned char *pwd_block, unsigned char *hash_output, int use_salt,
- int use_password, size_t hlen, size_t v)
-{
- int ret = -1;
- size_t i;
- const mbedtls_md_info_t *md_info;
- mbedtls_md_context_t md_ctx;
- md_info = mbedtls_md_info_from_type(md_type);
- if (md_info == NULL) {
- return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
- }
-
- mbedtls_md_init(&md_ctx);
-
- if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
- return ret;
- }
- // Calculate hash( diversifier || salt_block || pwd_block )
- if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
- goto exit;
- }
-
- if (use_salt != 0) {
- if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
- goto exit;
- }
- }
-
- if (use_password != 0) {
- if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
- goto exit;
- }
- }
-
- if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
- goto exit;
- }
-
- // Perform remaining ( iterations - 1 ) recursive hash calculations
- for (i = 1; i < (size_t) iterations; i++) {
- if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output))
- != 0) {
- goto exit;
- }
- }
-
-exit:
- mbedtls_md_free(&md_ctx);
- return ret;
-}
-
-
-int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *salt, size_t saltlen,
- mbedtls_md_type_t md_type, int id, int iterations)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned int j;
-
- unsigned char diversifier[128];
- unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
- unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
- unsigned char *p;
- unsigned char c;
- int use_password = 0;
- int use_salt = 0;
-
- size_t hlen, use_len, v, i;
-
- // This version only allows max of 64 bytes of password or salt
- if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
- return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
- }
-
- if (pwd == NULL && pwdlen != 0) {
- return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
- }
-
- if (salt == NULL && saltlen != 0) {
- return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
- }
-
- use_password = (pwd && pwdlen != 0);
- use_salt = (salt && saltlen != 0);
-
- hlen = mbedtls_md_get_size_from_type(md_type);
-
- if (hlen <= 32) {
- v = 64;
- } else {
- v = 128;
- }
-
- memset(diversifier, (unsigned char) id, v);
-
- if (use_salt != 0) {
- pkcs12_fill_buffer(salt_block, v, salt, saltlen);
- }
-
- if (use_password != 0) {
- pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
- }
-
- p = data;
- while (datalen > 0) {
- if (calculate_hashes(md_type, iterations, diversifier, salt_block,
- pwd_block, hash_output, use_salt, use_password, hlen,
- v) != 0) {
- goto exit;
- }
-
- use_len = (datalen > hlen) ? hlen : datalen;
- memcpy(p, hash_output, use_len);
- datalen -= use_len;
- p += use_len;
-
- if (datalen == 0) {
- break;
- }
-
- // Concatenating copies of hash_output into hash_block (B)
- pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
-
- // B += 1
- for (i = v; i > 0; i--) {
- if (++hash_block[i - 1] != 0) {
- break;
- }
- }
-
- if (use_salt != 0) {
- // salt_block += B
- c = 0;
- for (i = v; i > 0; i--) {
- j = salt_block[i - 1] + hash_block[i - 1] + c;
- c = MBEDTLS_BYTE_1(j);
- salt_block[i - 1] = MBEDTLS_BYTE_0(j);
- }
- }
-
- if (use_password != 0) {
- // pwd_block += B
- c = 0;
- for (i = v; i > 0; i--) {
- j = pwd_block[i - 1] + hash_block[i - 1] + c;
- c = MBEDTLS_BYTE_1(j);
- pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
- }
- }
- }
-
- ret = 0;
-
-exit:
- mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
- mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
- mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
- mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
-
- return ret;
-}
-
-#endif /* MBEDTLS_PKCS12_C */
diff --git a/library/pkcs5.c b/library/pkcs5.c
deleted file mode 100644
index 2756d05..0000000
--- a/library/pkcs5.c
+++ /dev/null
@@ -1,508 +0,0 @@
-/**
- * \file pkcs5.c
- *
- * \brief PKCS#5 functions
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * PKCS#5 includes PBKDF2 and more
- *
- * http://tools.ietf.org/html/rfc2898 (Specification)
- * http://tools.ietf.org/html/rfc6070 (Test vectors)
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PKCS5_C)
-
-#include "mbedtls/pkcs5.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/oid.h"
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#include "psa_util_internal.h"
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
-static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
- mbedtls_asn1_buf *salt, int *iterations,
- int *keylen, mbedtls_md_type_t *md_type)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_asn1_buf prf_alg_oid;
- unsigned char *p = params->p;
- const unsigned char *end = params->p + params->len;
-
- if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
- }
- /*
- * PBKDF2-params ::= SEQUENCE {
- * salt OCTET STRING,
- * iterationCount INTEGER,
- * keyLength INTEGER OPTIONAL
- * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
- * }
- *
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len,
- MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
-
- salt->p = p;
- p += salt->len;
-
- if ((ret = mbedtls_asn1_get_int(&p, end, iterations)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
-
- if (p == end) {
- return 0;
- }
-
- if ((ret = mbedtls_asn1_get_int(&p, end, keylen)) != 0) {
- if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
- }
-
- if (p == end) {
- return 0;
- }
-
- if ((ret = mbedtls_asn1_get_alg_null(&p, end, &prf_alg_oid)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
-
- if (mbedtls_oid_get_md_hmac(&prf_alg_oid, md_type) != 0) {
- return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
- }
-
- if (p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
-}
-
-#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
-int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t datalen,
- unsigned char *output, size_t output_size,
- size_t *output_len);
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t datalen,
- unsigned char *output)
-{
- size_t output_len = 0;
-
- /* We assume caller of the function is providing a big enough output buffer
- * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
- * for the output size actually being correct.
- */
- return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
- datalen, output, SIZE_MAX, &output_len);
-}
-#endif
-
-int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
- const unsigned char *pwd, size_t pwdlen,
- const unsigned char *data, size_t datalen,
- unsigned char *output, size_t output_size,
- size_t *output_len)
-{
- int ret, iterations = 0, keylen = 0;
- unsigned char *p, *end;
- mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
- mbedtls_asn1_buf salt;
- mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
- unsigned char key[32], iv[32];
- const mbedtls_cipher_info_t *cipher_info;
- mbedtls_cipher_type_t cipher_alg;
- mbedtls_cipher_context_t cipher_ctx;
- unsigned int padlen = 0;
-
- p = pbe_params->p;
- end = p + pbe_params->len;
-
- /*
- * PBES2-params ::= SEQUENCE {
- * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
- * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
- * }
- */
- if (pbe_params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
- }
-
- if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid,
- &kdf_alg_params)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
-
- // Only PBKDF2 supported at the moment
- //
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid) != 0) {
- return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
- }
-
- if ((ret = pkcs5_parse_pbkdf2_params(&kdf_alg_params,
- &salt, &iterations, &keylen,
- &md_type)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_asn1_get_alg(&p, end, &enc_scheme_oid,
- &enc_scheme_params)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
- }
-
- if (mbedtls_oid_get_cipher_alg(&enc_scheme_oid, &cipher_alg) != 0) {
- return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
- }
-
- cipher_info = mbedtls_cipher_info_from_type(cipher_alg);
- if (cipher_info == NULL) {
- return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
- }
-
- /*
- * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
- * since it is optional and we don't know if it was set or not
- */
- keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
-
- if (enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
- enc_scheme_params.len != mbedtls_cipher_info_get_iv_size(cipher_info)) {
- return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
- }
-
- if (mode == MBEDTLS_PKCS5_DECRYPT) {
- if (output_size < datalen) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- }
-
- if (mode == MBEDTLS_PKCS5_ENCRYPT) {
- padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
- if (output_size < (datalen + padlen)) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- }
-
- mbedtls_cipher_init(&cipher_ctx);
-
- memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
-
- if ((ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pwd, pwdlen, salt.p,
- salt.len, iterations, keylen,
- key)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
- (mbedtls_operation_t) mode)) != 0) {
- goto exit;
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
- /* PKCS5 uses CBC with PKCS7 padding (which is the same as
- * "PKCS5 padding" except that it's typically only called PKCS5
- * with 64-bit-block ciphers).
- */
- mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
-#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
- /* For historical reasons, when decrypting, this function works when
- * decrypting even when support for PKCS7 padding is disabled. In this
- * case, it ignores the padding, and so will never report a
- * password mismatch.
- */
- if (mode == MBEDTLS_DECRYPT) {
- padding = MBEDTLS_PADDING_NONE;
- }
-#endif
- if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
- if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
- data, datalen, output, output_len)) != 0) {
- ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
- }
-
-exit:
- mbedtls_cipher_free(&cipher_ctx);
-
- return ret;
-}
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-static int pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
- const unsigned char *password,
- size_t plen, const unsigned char *salt, size_t slen,
- unsigned int iteration_count,
- uint32_t key_length, unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned int i;
- unsigned char md1[MBEDTLS_MD_MAX_SIZE];
- unsigned char work[MBEDTLS_MD_MAX_SIZE];
- unsigned char md_size = mbedtls_md_get_size(ctx->md_info);
- size_t use_len;
- unsigned char *out_p = output;
- unsigned char counter[4];
-
- memset(counter, 0, 4);
- counter[3] = 1;
-
-#if UINT_MAX > 0xFFFFFFFF
- if (iteration_count > 0xFFFFFFFF) {
- return MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA;
- }
-#endif
-
- if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0) {
- return ret;
- }
- while (key_length) {
- // U1 ends up in work
- //
- if ((ret = mbedtls_md_hmac_update(ctx, salt, slen)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_update(ctx, counter, 4)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_finish(ctx, work)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
- goto cleanup;
- }
-
- memcpy(md1, work, md_size);
-
- for (i = 1; i < iteration_count; i++) {
- // U2 ends up in md1
- //
- if ((ret = mbedtls_md_hmac_update(ctx, md1, md_size)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_finish(ctx, md1)) != 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
- goto cleanup;
- }
-
- // U1 xor U2
- //
- mbedtls_xor(work, work, md1, md_size);
- }
-
- use_len = (key_length < md_size) ? key_length : md_size;
- memcpy(out_p, work, use_len);
-
- key_length -= (uint32_t) use_len;
- out_p += use_len;
-
- for (i = 4; i > 0; i--) {
- if (++counter[i - 1] != 0) {
- break;
- }
- }
- }
-
-cleanup:
- /* Zeroise buffers to clear sensitive data from memory. */
- mbedtls_platform_zeroize(work, MBEDTLS_MD_MAX_SIZE);
- mbedtls_platform_zeroize(md1, MBEDTLS_MD_MAX_SIZE);
-
- return ret;
-}
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
- const unsigned char *password,
- size_t plen, const unsigned char *salt, size_t slen,
- unsigned int iteration_count,
- uint32_t key_length, unsigned char *output)
-{
- return pkcs5_pbkdf2_hmac(ctx, password, plen, salt, slen, iteration_count,
- key_length, output);
-}
-#endif
-
-int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_alg,
- const unsigned char *password,
- size_t plen, const unsigned char *salt, size_t slen,
- unsigned int iteration_count,
- uint32_t key_length, unsigned char *output)
-{
- mbedtls_md_context_t md_ctx;
- const mbedtls_md_info_t *md_info = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
- }
-
- mbedtls_md_init(&md_ctx);
-
- if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
- goto exit;
- }
- ret = pkcs5_pbkdf2_hmac(&md_ctx, password, plen, salt, slen,
- iteration_count, key_length, output);
-exit:
- mbedtls_md_free(&md_ctx);
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if !defined(MBEDTLS_MD_CAN_SHA1)
-int mbedtls_pkcs5_self_test(int verbose)
-{
- if (verbose != 0) {
- mbedtls_printf(" PBKDF2 (SHA1): skipped\n\n");
- }
-
- return 0;
-}
-#else
-
-#define MAX_TESTS 6
-
-static const size_t plen_test_data[MAX_TESTS] =
-{ 8, 8, 8, 24, 9 };
-
-static const unsigned char password_test_data[MAX_TESTS][32] =
-{
- "password",
- "password",
- "password",
- "passwordPASSWORDpassword",
- "pass\0word",
-};
-
-static const size_t slen_test_data[MAX_TESTS] =
-{ 4, 4, 4, 36, 5 };
-
-static const unsigned char salt_test_data[MAX_TESTS][40] =
-{
- "salt",
- "salt",
- "salt",
- "saltSALTsaltSALTsaltSALTsaltSALTsalt",
- "sa\0lt",
-};
-
-static const uint32_t it_cnt_test_data[MAX_TESTS] =
-{ 1, 2, 4096, 4096, 4096 };
-
-static const uint32_t key_len_test_data[MAX_TESTS] =
-{ 20, 20, 20, 25, 16 };
-
-static const unsigned char result_key_test_data[MAX_TESTS][32] =
-{
- { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
- 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
- 0x2f, 0xe0, 0x37, 0xa6 },
- { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
- 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
- 0xd8, 0xde, 0x89, 0x57 },
- { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
- 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
- 0x65, 0xa4, 0x29, 0xc1 },
- { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
- 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
- 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
- 0x38 },
- { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
- 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
-};
-
-int mbedtls_pkcs5_self_test(int verbose)
-{
- int ret, i;
- unsigned char key[64];
-
- for (i = 0; i < MAX_TESTS; i++) {
- if (verbose != 0) {
- mbedtls_printf(" PBKDF2 (SHA1) #%d: ", i);
- }
-
- ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, password_test_data[i],
- plen_test_data[i], salt_test_data[i],
- slen_test_data[i], it_cnt_test_data[i],
- key_len_test_data[i], key);
- if (ret != 0 ||
- memcmp(result_key_test_data[i], key, key_len_test_data[i]) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto exit;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-exit:
- return ret;
-}
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_PKCS5_C */
diff --git a/library/pkcs7.c b/library/pkcs7.c
index cf05afd..3aac662 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -1,25 +1,13 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_PKCS7_C)
#include "mbedtls/pkcs7.h"
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
@@ -328,7 +316,7 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
goto out;
}
- signer->issuer_raw.len = *p - signer->issuer_raw.p;
+ signer->issuer_raw.len = (size_t) (*p - signer->issuer_raw.p);
ret = mbedtls_x509_get_serial(p, end_issuer_and_sn, &signer->serial);
if (ret != 0) {
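Review bot: The new `(size_t)` cast on `signer->issuer_raw.len` converts a pointer difference without stating why it cannot be negative. If `*p` were ever behind `signer->issuer_raw.p`, the length would silently wrap to a very large value instead of tripping a sign-conversion warning. The hunk does not show where `issuer_raw.p` is set, so the invariant presumably holds because the parser only advances `*p` after recording the start; confirm that against the rest of `pkcs7_get_signer_info`, whose body starts and ends outside the hunk. I would add a one-line comment above the assignment, `/* *p was only advanced from issuer_raw.p by the parse above, so the difference is non-negative */`, so the cast reads as a checked invariant rather than warning suppression.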
diff --git a/library/pkparse.c b/library/pkparse.c
deleted file mode 100644
index e1422df..0000000
--- a/library/pkparse.c
+++ /dev/null
@@ -1,1857 +0,0 @@
-/*
- * Public Key layer for parsing key files and structures
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PK_PARSE_C)
-
-#include "mbedtls/pk.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "pk_internal.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
-#endif
-#include "mbedtls/ecp.h"
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#include "pk_internal.h"
-#endif
-#if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
-#endif
-#if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
-#endif
-#if defined(MBEDTLS_PKCS5_C)
-#include "mbedtls/pkcs5.h"
-#endif
-#if defined(MBEDTLS_PKCS12_C)
-#include "mbedtls/pkcs12.h"
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-#include "psa_util_internal.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-/* Helper for Montgomery curves */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
-#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
- ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && MBEDTLS_PK_HAVE_RFC8410_CURVES */
-
-#if defined(MBEDTLS_FS_IO)
-/*
- * Load all data from a file into a given buffer.
- *
- * The file is expected to contain either PEM or DER encoded data.
- * A terminating null byte is always appended. It is included in the announced
- * length only if the data looks like it is PEM encoded.
- */
-int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n)
-{
- FILE *f;
- long size;
-
- if ((f = fopen(path, "rb")) == NULL) {
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(f, NULL);
-
- fseek(f, 0, SEEK_END);
- if ((size = ftell(f)) == -1) {
- fclose(f);
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- }
- fseek(f, 0, SEEK_SET);
-
- *n = (size_t) size;
-
- if (*n + 1 == 0 ||
- (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
- fclose(f);
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
- if (fread(*buf, 1, *n, f) != *n) {
- fclose(f);
-
- mbedtls_zeroize_and_free(*buf, *n);
-
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- }
-
- fclose(f);
-
- (*buf)[*n] = '\0';
-
- if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
- ++*n;
- }
-
- return 0;
-}
-
-/*
- * Load and parse a private key
- */
-int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
- const char *path, const char *pwd,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
- unsigned char *buf;
-
- if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
- return ret;
- }
-
- if (pwd == NULL) {
- ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng);
- } else {
- ret = mbedtls_pk_parse_key(ctx, buf, n,
- (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng);
- }
-
- mbedtls_zeroize_and_free(buf, n);
-
- return ret;
-}
-
-/*
- * Load and parse a public key
- */
-int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
- unsigned char *buf;
-
- if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
- return ret;
- }
-
- ret = mbedtls_pk_parse_public_key(ctx, buf, n);
-
- mbedtls_zeroize_and_free(buf, n);
-
- return ret;
-}
-#endif /* MBEDTLS_FS_IO */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
- *
- * ECParameters ::= CHOICE {
- * namedCurve OBJECT IDENTIFIER
- * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
- * -- implicitCurve NULL
- * }
- */
-static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
- mbedtls_asn1_buf *params)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (end - *p < 1) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_OUT_OF_DATA);
- }
-
- /* Tag may be either OID or SEQUENCE */
- params->tag = **p;
- if (params->tag != MBEDTLS_ASN1_OID
-#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
- && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)
-#endif
- ) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
- }
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &params->len, params->tag)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- params->p = *p;
- *p += params->len;
-
- if (*p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
-/*
- * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
- * WARNING: the resulting group should only be used with
- * pk_group_id_from_specified(), since its base point may not be set correctly
- * if it was encoded compressed.
- *
- * SpecifiedECDomain ::= SEQUENCE {
- * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
- * fieldID FieldID {{FieldTypes}},
- * curve Curve,
- * base ECPoint,
- * order INTEGER,
- * cofactor INTEGER OPTIONAL,
- * hash HashAlgorithm OPTIONAL,
- * ...
- * }
- *
- * We only support prime-field as field type, and ignore hash and cofactor.
- */
-static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = params->p;
- const unsigned char *const end = params->p + params->len;
- const unsigned char *end_field, *end_curve;
- size_t len;
- int ver;
-
- /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
- if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (ver < 1 || ver > 3) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
- /*
- * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
- * fieldType FIELD-ID.&id({IOSet}),
- * parameters FIELD-ID.&Type({IOSet}{@fieldType})
- * }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return ret;
- }
-
- end_field = p + len;
-
- /*
- * FIELD-ID ::= TYPE-IDENTIFIER
- * FieldTypes FIELD-ID ::= {
- * { Prime-p IDENTIFIED BY prime-field } |
- * { Characteristic-two IDENTIFIED BY characteristic-two-field }
- * }
- * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) {
- return ret;
- }
-
- if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) ||
- memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
-
- p += len;
-
- /* Prime-p ::= INTEGER -- Field of size p. */
- if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- grp->pbits = mbedtls_mpi_bitlen(&grp->P);
-
- if (p != end_field) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- /*
- * Curve ::= SEQUENCE {
- * a FieldElement,
- * b FieldElement,
- * seed BIT STRING OPTIONAL
- * -- Shall be present if used in SpecifiedECDomain
- * -- with version equal to ecdpVer2 or ecdpVer3
- * }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return ret;
- }
-
- end_curve = p + len;
-
- /*
- * FieldElement ::= OCTET STRING
- * containing an integer in the case of a prime field
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
- (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- p += len;
-
- if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
- (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- p += len;
-
- /* Ignore seed BIT STRING OPTIONAL */
- if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) {
- p += len;
- }
-
- if (p != end_curve) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- /*
- * ECPoint ::= OCTET STRING
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G,
- (const unsigned char *) p, len)) != 0) {
- /*
- * If we can't read the point because it's compressed, cheat by
- * reading only the X coordinate and the parity bit of Y.
- */
- if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
- (p[0] != 0x02 && p[0] != 0x03) ||
- len != mbedtls_mpi_size(&grp->P) + 1 ||
- mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 ||
- mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 ||
- mbedtls_mpi_lset(&grp->G.Z, 1) != 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
- }
-
- p += len;
-
- /*
- * order INTEGER
- */
- if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- grp->nbits = mbedtls_mpi_bitlen(&grp->N);
-
- /*
- * Allow optional elements by purposefully not enforcing p == end here.
- */
-
- return 0;
-}
-
-/*
- * Find the group id associated with an (almost filled) group as generated by
- * pk_group_from_specified(), or return an error if unknown.
- */
-static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id)
-{
- int ret = 0;
- mbedtls_ecp_group ref;
- const mbedtls_ecp_group_id *id;
-
- mbedtls_ecp_group_init(&ref);
-
- for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) {
- /* Load the group associated to that id */
- mbedtls_ecp_group_free(&ref);
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id));
-
- /* Compare to the group we were given, starting with easy tests */
- if (grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
- mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 &&
- mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 &&
- mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 &&
- mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 &&
- mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 &&
- mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 &&
- /* For Y we may only know the parity bit, so compare only that */
- mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) {
- break;
- }
- }
-
-cleanup:
- mbedtls_ecp_group_free(&ref);
-
- *grp_id = *id;
-
- if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) {
- ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- }
-
- return ret;
-}
-
-/*
- * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
- */
-static int pk_group_id_from_specified(const mbedtls_asn1_buf *params,
- mbedtls_ecp_group_id *grp_id)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_group grp;
-
- mbedtls_ecp_group_init(&grp);
-
- if ((ret = pk_group_from_specified(params, &grp)) != 0) {
- goto cleanup;
- }
-
- ret = pk_group_id_from_group(&grp, grp_id);
-
-cleanup:
- /* The API respecting lifecycle for mbedtls_ecp_group struct is
- * _init(), _load() and _free(). In pk_group_id_from_specified() the
- * temporary grp breaks that flow and it's members are populated
- * by pk_group_id_from_group(). As such mbedtls_ecp_group_free()
- * which is assuming a group populated by _setup() may not clean-up
- * properly -> Manually free it's members.
- */
- mbedtls_mpi_free(&grp.N);
- mbedtls_mpi_free(&grp.P);
- mbedtls_mpi_free(&grp.A);
- mbedtls_mpi_free(&grp.B);
- mbedtls_ecp_point_free(&grp.G);
-
- return ret;
-}
-#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-/* Functions pk_use_ecparams() and pk_use_ecparams_rfc8410() update the
- * ecp_keypair structure with proper group ID. The purpose of this helper
- * function is to update ec_family and ec_bits accordingly. */
-static int pk_update_psa_ecparams(mbedtls_pk_context *pk,
- mbedtls_ecp_group_id grp_id)
-{
- psa_ecc_family_t ec_family;
- size_t bits;
-
- ec_family = mbedtls_ecc_group_to_psa(grp_id, &bits);
-
- if ((pk->ec_family != 0) && (pk->ec_family != ec_family)) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
- pk->ec_family = ec_family;
- pk->ec_bits = bits;
-
- return 0;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
-/*
- * Use EC parameters to initialise an EC group
- *
- * ECParameters ::= CHOICE {
- * namedCurve OBJECT IDENTIFIER
- * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
- * -- implicitCurve NULL
- */
-static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *pk)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_group_id grp_id;
-
- if (params->tag == MBEDTLS_ASN1_OID) {
- if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) {
- return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE;
- }
- } else {
-#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
- if ((ret = pk_group_id_from_specified(params, &grp_id)) != 0) {
- return ret;
- }
-#else
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
-#endif
- }
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- ret = pk_update_psa_ecparams(pk, grp_id);
-#else
- /* grp may already be initialized; if so, make sure IDs match */
- if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
- mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
- if ((ret = mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(*pk)->grp),
- grp_id)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- return ret;
-}
-
-/*
- * Helper function for deriving a public key from its private counterpart.
- */
-static int pk_derive_public_key(mbedtls_pk_context *pk,
- const unsigned char *d, size_t d_len,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status;
- (void) f_rng;
- (void) p_rng;
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- (void) d;
- (void) d_len;
-
- status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
- &pk->pub_raw_len);
- ret = psa_pk_status_to_mbedtls(status);
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
- unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t key_len;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- size_t curve_bits;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
- psa_status_t destruction_status;
-
- psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
- psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
-
- status = psa_import_key(&key_attr, d, d_len, &key_id);
- ret = psa_pk_status_to_mbedtls(status);
- if (ret != 0) {
- return ret;
- }
-
- status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len);
- ret = psa_pk_status_to_mbedtls(status);
- destruction_status = psa_destroy_key(key_id);
- if (ret != 0) {
- return ret;
- } else if (destruction_status != PSA_SUCCESS) {
- return psa_pk_status_to_mbedtls(destruction_status);
- }
- ret = mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len);
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
- mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
- (void) d;
- (void) d_len;
-
- ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- return ret;
-}
-
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
-
-/*
- * Load an RFC8410 EC key, which doesn't have any parameters
- */
-static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
- mbedtls_ecp_group_id grp_id,
- mbedtls_pk_context *pk)
-{
- int ret;
-
- if (params->tag != 0 || params->len != 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- ret = pk_update_psa_ecparams(pk, grp_id);
-#else
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);
- ret = mbedtls_ecp_group_load(&(ecp->grp), grp_id);
- if (ret != 0) {
- return ret;
- }
-#endif
- return ret;
-}
-
-/*
- * Parse an RFC 8410 encoded private EC key
- *
- * CurvePrivateKey ::= OCTET STRING
- */
-static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk,
- unsigned char *key, size_t keylen, const unsigned char *end,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(&key, (key + keylen), &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (key + len != end) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t status;
-
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
- PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
-
- status = psa_import_key(&attributes, key, len, &pk->priv_id);
- if (status != PSA_SUCCESS) {
- ret = psa_pk_status_to_mbedtls(status);
- return ret;
- }
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
-
- if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
- * which never contain a public key. As such, derive the public key
- * unconditionally. */
- if ((ret = pk_derive_public_key(pk, key, len, f_rng, p_rng)) != 0) {
- return ret;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) && defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
-/*
- * Create a temporary ecp_keypair for converting an EC point in compressed
- * format to an uncompressed one
- */
-static int pk_convert_compressed_ec(mbedtls_pk_context *pk,
- const unsigned char *in_start, size_t in_len,
- size_t *out_buf_len, unsigned char *out_buf,
- size_t out_buf_size)
-{
- mbedtls_ecp_keypair ecp_key;
- mbedtls_ecp_group_id ecp_group_id;
- int ret;
-
- ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
-
- mbedtls_ecp_keypair_init(&ecp_key);
- ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
- if (ret != 0) {
- return ret;
- }
- ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
- in_start, in_len);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- out_buf_len, out_buf, out_buf_size);
-
-exit:
- mbedtls_ecp_keypair_free(&ecp_key);
- return ret;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA && MBEDTLS_PK_PARSE_EC_COMPRESSED */
-
-/*
- * EC public key is an EC point
- *
- * The caller is responsible for clearing the structure upon failure if
- * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
- * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
- */
-static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
- mbedtls_pk_context *pk)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- mbedtls_svc_key_id_t key;
- psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
- size_t len = (end - *p);
-
- if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- /* Compressed point format are not supported yet by PSA crypto. As a
- * consequence ecp functions are used to "convert" the point to
- * uncompressed format */
- if ((**p == 0x02) || (**p == 0x03)) {
-#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
- ret = pk_convert_compressed_ec(pk, *p, len,
- &(pk->pub_raw_len), pk->pub_raw,
- PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
- if (ret != 0) {
- return ret;
- }
-#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
- } else {
- /* Uncompressed format */
- if ((size_t) (end - *p) > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) {
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- }
- memcpy(pk->pub_raw, *p, (end - *p));
- pk->pub_raw_len = end - *p;
- }
-
- /* Validate the key by trying to importing it */
- psa_set_key_usage_flags(&key_attrs, 0);
- psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY);
- psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
- psa_set_key_bits(&key_attrs, pk->ec_bits);
-
- if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
- &key) != PSA_SUCCESS) ||
- (psa_destroy_key(key) != PSA_SUCCESS)) {
- mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN);
- pk->pub_raw_len = 0;
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- ret = 0;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
- if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q,
- (const unsigned char *) *p,
- end - *p)) == 0) {
- ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
- }
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- /*
- * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
- */
- *p = (unsigned char *) end;
-
- return ret;
-}
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_RSA_C)
-/*
- * RSAPublicKey ::= SEQUENCE {
- * modulus INTEGER, -- n
- * publicExponent INTEGER -- e
- * }
- */
-static int pk_get_rsapubkey(unsigned char **p,
- const unsigned char *end,
- mbedtls_rsa_context *rsa)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
- }
-
- if (*p + len != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- /* Import N */
- if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
- }
-
- if ((ret = mbedtls_rsa_import_raw(rsa, *p, len, NULL, 0, NULL, 0,
- NULL, 0, NULL, 0)) != 0) {
- return MBEDTLS_ERR_PK_INVALID_PUBKEY;
- }
-
- *p += len;
-
- /* Import E */
- if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
- }
-
- if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
- NULL, 0, *p, len)) != 0) {
- return MBEDTLS_ERR_PK_INVALID_PUBKEY;
- }
-
- *p += len;
-
- if (mbedtls_rsa_complete(rsa) != 0 ||
- mbedtls_rsa_check_pubkey(rsa) != 0) {
- return MBEDTLS_ERR_PK_INVALID_PUBKEY;
- }
-
- if (*p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_RSA_C */
-
-/* Get a PK algorithm identifier
- *
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters ANY DEFINED BY algorithm OPTIONAL }
- */
-static int pk_get_pk_alg(unsigned char **p,
- const unsigned char *end,
- mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params,
- mbedtls_ecp_group_id *ec_grp_id)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_asn1_buf alg_oid;
-
- memset(params, 0, sizeof(mbedtls_asn1_buf));
-
- if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret);
- }
-
- ret = mbedtls_oid_get_pk_alg(&alg_oid, pk_alg);
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
- ret = mbedtls_oid_get_ec_grp_algid(&alg_oid, ec_grp_id);
- if (ret == 0) {
- *pk_alg = MBEDTLS_PK_ECKEY;
- }
- }
-#else
- (void) ec_grp_id;
-#endif
- if (ret != 0) {
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
- }
-
- /*
- * No parameters with RSA (only for EC)
- */
- if (*pk_alg == MBEDTLS_PK_RSA &&
- ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) ||
- params->len != 0)) {
- return MBEDTLS_ERR_PK_INVALID_ALG;
- }
-
- return 0;
-}
-
-/*
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- */
-int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
- mbedtls_pk_context *pk)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
- mbedtls_asn1_buf alg_params;
- mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
- mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
- const mbedtls_pk_info_t *pk_info;
-
- if ((ret = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- end = *p + len;
-
- if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params, &ec_grp_id)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
- }
-
- if (*p + len != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
- }
-
- if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
- return ret;
- }
-
-#if defined(MBEDTLS_RSA_C)
- if (pk_alg == MBEDTLS_PK_RSA) {
- ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk));
- } else
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
- ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, pk);
- } else
-#endif
- {
- ret = pk_use_ecparams(&alg_params, pk);
- }
- if (ret == 0) {
- ret = pk_get_ecpubkey(p, end, pk);
- }
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
-
- if (ret == 0 && *p != end) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- if (ret != 0) {
- mbedtls_pk_free(pk);
- }
-
- return ret;
-}
-
-#if defined(MBEDTLS_RSA_C)
-/*
- * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
- *
- * The value zero is:
- * - never a valid value for an RSA parameter
- * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
- *
- * Since values can't be omitted in PKCS#1, passing a zero value to
- * rsa_complete() would be incorrect, so reject zero values early.
- */
-static int asn1_get_nonzero_mpi(unsigned char **p,
- const unsigned char *end,
- mbedtls_mpi *X)
-{
- int ret;
-
- ret = mbedtls_asn1_get_mpi(p, end, X);
- if (ret != 0) {
- return ret;
- }
-
- if (mbedtls_mpi_cmp_int(X, 0) == 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
- return 0;
-}
-
-/*
- * Parse a PKCS#1 encoded private RSA key
- */
-static int pk_parse_key_pkcs1_der(mbedtls_rsa_context *rsa,
- const unsigned char *key,
- size_t keylen)
-{
- int ret, version;
- size_t len;
- unsigned char *p, *end;
-
- mbedtls_mpi T;
- mbedtls_mpi_init(&T);
-
- p = (unsigned char *) key;
- end = p + keylen;
-
- /*
- * This function parses the RSAPrivateKey (PKCS#1)
- *
- * RSAPrivateKey ::= SEQUENCE {
- * version Version,
- * modulus INTEGER, -- n
- * publicExponent INTEGER, -- e
- * privateExponent INTEGER, -- d
- * prime1 INTEGER, -- p
- * prime2 INTEGER, -- q
- * exponent1 INTEGER, -- d mod (p-1)
- * exponent2 INTEGER, -- d mod (q-1)
- * coefficient INTEGER, -- (inverse of q) mod p
- * otherPrimeInfos OtherPrimeInfos OPTIONAL
- * }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- end = p + len;
-
- if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (version != 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
- }
-
- /* Import N */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
- NULL, NULL)) != 0) {
- goto cleanup;
- }
-
- /* Import E */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
- NULL, &T)) != 0) {
- goto cleanup;
- }
-
- /* Import D */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
- &T, NULL)) != 0) {
- goto cleanup;
- }
-
- /* Import P */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
- NULL, NULL)) != 0) {
- goto cleanup;
- }
-
- /* Import Q */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
- NULL, NULL)) != 0) {
- goto cleanup;
- }
-
-#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
- /*
- * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
- * that they can be easily recomputed from D, P and Q. However by
- * parsing them from the PKCS1 structure it is possible to avoid
- * recalculating them which both reduces the overhead of loading
- * RSA private keys into memory and also avoids side channels which
- * can arise when computing those values, since all of D, P, and Q
- * are secret. See https://eprint.iacr.org/2020/055 for a
- * description of one such attack.
- */
-
- /* Import DP */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) {
- goto cleanup;
- }
-
- /* Import DQ */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) {
- goto cleanup;
- }
-
- /* Import QP */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) {
- goto cleanup;
- }
-
-#else
- /* Verify existence of the CRT params */
- if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
- (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) {
- goto cleanup;
- }
-#endif
-
- /* rsa_complete() doesn't complete anything with the default
- * implementation but is still called:
- * - for the benefit of alternative implementation that may want to
- * pre-compute stuff beyond what's provided (eg Montgomery factors)
- * - as is also sanity-checks the key
- *
- * Furthermore, we also check the public part for consistency with
- * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
- */
- if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
- (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
- goto cleanup;
- }
-
- if (p != end) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
-cleanup:
-
- mbedtls_mpi_free(&T);
-
- if (ret != 0) {
- /* Wrap error code if it's coming from a lower level */
- if ((ret & 0xff80) == 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- } else {
- ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
- mbedtls_rsa_free(rsa);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/*
- * Parse a SEC1 encoded private EC key
- */
-static int pk_parse_key_sec1_der(mbedtls_pk_context *pk,
- const unsigned char *key, size_t keylen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int version, pubkey_done;
- size_t len, d_len;
- mbedtls_asn1_buf params = { 0, 0, NULL };
- unsigned char *p = (unsigned char *) key;
- unsigned char *d;
- unsigned char *end = p + keylen;
- unsigned char *end2;
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t status;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- /*
- * RFC 5915, or SEC1 Appendix C.4
- *
- * ECPrivateKey ::= SEQUENCE {
- * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
- * privateKey OCTET STRING,
- * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
- * publicKey [1] BIT STRING OPTIONAL
- * }
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- end = p + len;
-
- if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (version != 1) {
- return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
- }
-
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- /* Keep a reference to the position fo the private key. It will be used
- * later in this function. */
- d = p;
- d_len = len;
-
- p += len;
-
- pubkey_done = 0;
- if (p != end) {
- /*
- * Is 'parameters' present?
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
- 0)) == 0) {
- if ((ret = pk_get_ecparams(&p, p + len, &params)) != 0 ||
- (ret = pk_use_ecparams(&params, pk)) != 0) {
- return ret;
- }
- } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
- }
-
-
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, d, d_len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-#endif
-
- if (p != end) {
- /*
- * Is 'publickey' present? If not, or if we can't read it (eg because it
- * is compressed), create it from the private key.
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
- 1)) == 0) {
- end2 = p + len;
-
- if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (p + len != end2) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- if ((ret = pk_get_ecpubkey(&p, end2, pk)) == 0) {
- pubkey_done = 1;
- } else {
- /*
- * The only acceptable failure mode of pk_get_ecpubkey() above
- * is if the point format is not recognized.
- */
- if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
- }
- } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
- }
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
- /* Setting largest masks for usage and key algorithms */
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_SIGN_MESSAGE |
- PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE);
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- psa_set_key_algorithm(&attributes,
- PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH));
-#else
- psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
-#endif
- psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH);
-
- status = psa_import_key(&attributes, d, d_len, &pk->priv_id);
- if (status != PSA_SUCCESS) {
- ret = psa_pk_status_to_mbedtls(status);
- return ret;
- }
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
- if (!pubkey_done) {
- if ((ret = pk_derive_public_key(pk, d, d_len, f_rng, p_rng)) != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-/*
- * Parse an unencrypted PKCS#8 encoded private key
- *
- * Notes:
- *
- * - This function does not own the key buffer. It is the
- * responsibility of the caller to take care of zeroizing
- * and freeing it after use.
- *
- * - The function is responsible for freeing the provided
- * PK context on failure.
- *
- */
-static int pk_parse_key_pkcs8_unencrypted_der(
- mbedtls_pk_context *pk,
- const unsigned char *key, size_t keylen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret, version;
- size_t len;
- mbedtls_asn1_buf params;
- unsigned char *p = (unsigned char *) key;
- unsigned char *end = p + keylen;
- mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
- mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
- const mbedtls_pk_info_t *pk_info;
-
-#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- (void) f_rng;
- (void) p_rng;
-#endif
-
- /*
- * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
- *
- * PrivateKeyInfo ::= SEQUENCE {
- * version Version,
- * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
- * privateKey PrivateKey,
- * attributes [0] IMPLICIT Attributes OPTIONAL }
- *
- * Version ::= INTEGER
- * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
- * PrivateKey ::= OCTET STRING
- *
- * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
- */
-
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- end = p + len;
-
- if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (version != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret);
- }
-
- if ((ret = pk_get_pk_alg(&p, end, &pk_alg, &params, &ec_grp_id)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if (len < 1) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_OUT_OF_DATA);
- }
-
- if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
- }
-
- if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
- return ret;
- }
-
-#if defined(MBEDTLS_RSA_C)
- if (pk_alg == MBEDTLS_PK_RSA) {
- if ((ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), p, len)) != 0) {
- mbedtls_pk_free(pk);
- return ret;
- }
- } else
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
- if ((ret =
- pk_use_ecparams_rfc8410(&params, ec_grp_id, pk)) != 0 ||
- (ret =
- pk_parse_key_rfc8410_der(pk, p, len, end, f_rng,
- p_rng)) != 0) {
- mbedtls_pk_free(pk);
- return ret;
- }
- } else
-#endif
- {
- if ((ret = pk_use_ecparams(&params, pk)) != 0 ||
- (ret = pk_parse_key_sec1_der(pk, p, len, f_rng, p_rng)) != 0) {
- mbedtls_pk_free(pk);
- return ret;
- }
- }
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
-
- end = p + len;
- if (end != (key + keylen)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
-}
-
-/*
- * Parse an encrypted PKCS#8 encoded private key
- *
- * To save space, the decryption happens in-place on the given key buffer.
- * Also, while this function may modify the keybuffer, it doesn't own it,
- * and instead it is the responsibility of the caller to zeroize and properly
- * free it after use.
- *
- */
-#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
-MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
- mbedtls_pk_context *pk,
- unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret, decrypted = 0;
- size_t len;
- unsigned char *buf;
- unsigned char *p, *end;
- mbedtls_asn1_buf pbe_alg_oid, pbe_params;
-#if defined(MBEDTLS_PKCS12_C)
- mbedtls_cipher_type_t cipher_alg;
- mbedtls_md_type_t md_alg;
-#endif
- size_t outlen = 0;
-
- p = key;
- end = p + keylen;
-
- if (pwdlen == 0) {
- return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
- }
-
- /*
- * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
- *
- * EncryptedPrivateKeyInfo ::= SEQUENCE {
- * encryptionAlgorithm EncryptionAlgorithmIdentifier,
- * encryptedData EncryptedData
- * }
- *
- * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
- *
- * EncryptedData ::= OCTET STRING
- *
- * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
- *
- */
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- end = p + len;
-
- if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
- }
-
- buf = p;
-
- /*
- * Decrypt EncryptedData with appropriate PBE
- */
-#if defined(MBEDTLS_PKCS12_C)
- if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
- if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
- cipher_alg, md_alg,
- pwd, pwdlen, p, len, buf, len, &outlen)) != 0) {
- if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
- return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
- }
-
- return ret;
- }
-
- decrypted = 1;
- } else
-#endif /* MBEDTLS_PKCS12_C */
-#if defined(MBEDTLS_PKCS5_C)
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
- if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
- p, len, buf, len, &outlen)) != 0) {
- if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
- return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
- }
-
- return ret;
- }
-
- decrypted = 1;
- } else
-#endif /* MBEDTLS_PKCS5_C */
- {
- ((void) pwd);
- }
-
- if (decrypted == 0) {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
- return pk_parse_key_pkcs8_unencrypted_der(pk, buf, outlen, f_rng, p_rng);
-}
-#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
-
-/*
- * Parse a private key
- */
-int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
- const unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_pk_info_t *pk_info;
-#if defined(MBEDTLS_PEM_PARSE_C)
- size_t len;
- mbedtls_pem_context pem;
-#endif
-
- if (keylen == 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
-#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_init(&pem);
-
-#if defined(MBEDTLS_RSA_C)
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN RSA PRIVATE KEY-----",
- "-----END RSA PRIVATE KEY-----",
- key, pwd, pwdlen, &len);
- }
-
- if (ret == 0) {
- pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
- if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
- (ret = pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk),
- pem.buf, pem.buflen)) != 0) {
- mbedtls_pk_free(pk);
- }
-
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
- return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
- } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
- return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- return ret;
- }
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN EC PRIVATE KEY-----",
- "-----END EC PRIVATE KEY-----",
- key, pwd, pwdlen, &len);
- }
- if (ret == 0) {
- pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
-
- if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
- (ret = pk_parse_key_sec1_der(pk,
- pem.buf, pem.buflen,
- f_rng, p_rng)) != 0) {
- mbedtls_pk_free(pk);
- }
-
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
- return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
- } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
- return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- return ret;
- }
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN PRIVATE KEY-----",
- "-----END PRIVATE KEY-----",
- key, NULL, 0, &len);
- }
- if (ret == 0) {
- if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk,
- pem.buf, pem.buflen, f_rng, p_rng)) != 0) {
- mbedtls_pk_free(pk);
- }
-
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- return ret;
- }
-
-#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN ENCRYPTED PRIVATE KEY-----",
- "-----END ENCRYPTED PRIVATE KEY-----",
- key, NULL, 0, &len);
- }
- if (ret == 0) {
- if ((ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
- pwd, pwdlen, f_rng, p_rng)) != 0) {
- mbedtls_pk_free(pk);
- }
-
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- return ret;
- }
-#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
-#else
- ((void) pwd);
- ((void) pwdlen);
-#endif /* MBEDTLS_PEM_PARSE_C */
-
- /*
- * At this point we only know it's not a PEM formatted key. Could be any
- * of the known DER encoded private key formats
- *
- * We try the different DER format parsers to see if one passes without
- * error
- */
-#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
- if (pwdlen != 0) {
- unsigned char *key_copy;
-
- if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
- memcpy(key_copy, key, keylen);
-
- ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
- pwd, pwdlen, f_rng, p_rng);
-
- mbedtls_zeroize_and_free(key_copy, keylen);
- }
-
- if (ret == 0) {
- return 0;
- }
-
- mbedtls_pk_free(pk);
- mbedtls_pk_init(pk);
-
- if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) {
- return ret;
- }
-#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
-
- ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen, f_rng, p_rng);
- if (ret == 0) {
- return 0;
- }
-
- mbedtls_pk_free(pk);
- mbedtls_pk_init(pk);
-
-#if defined(MBEDTLS_RSA_C)
-
- pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
- if (mbedtls_pk_setup(pk, pk_info) == 0 &&
- pk_parse_key_pkcs1_der(mbedtls_pk_rsa(*pk), key, keylen) == 0) {
- return 0;
- }
-
- mbedtls_pk_free(pk);
- mbedtls_pk_init(pk);
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
- if (mbedtls_pk_setup(pk, pk_info) == 0 &&
- pk_parse_key_sec1_der(pk,
- key, keylen, f_rng, p_rng) == 0) {
- return 0;
- }
- mbedtls_pk_free(pk);
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
- /* If MBEDTLS_RSA_C is defined but MBEDTLS_PK_HAVE_ECC_KEYS isn't,
- * it is ok to leave the PK context initialized but not
- * freed: It is the caller's responsibility to call pk_init()
- * before calling this function, and to call pk_free()
- * when it fails. If MBEDTLS_PK_HAVE_ECC_KEYS is defined but MBEDTLS_RSA_C
- * isn't, this leads to mbedtls_pk_free() being called
- * twice, once here and once by the caller, but this is
- * also ok and in line with the mbedtls_pk_free() calls
- * on failed PEM parsing attempts. */
-
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
-}
-
-/*
- * Parse a public key
- */
-int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p;
-#if defined(MBEDTLS_RSA_C)
- const mbedtls_pk_info_t *pk_info;
-#endif
-#if defined(MBEDTLS_PEM_PARSE_C)
- size_t len;
- mbedtls_pem_context pem;
-#endif
-
- if (keylen == 0) {
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- }
-
-#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_init(&pem);
-#if defined(MBEDTLS_RSA_C)
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN RSA PUBLIC KEY-----",
- "-----END RSA PUBLIC KEY-----",
- key, NULL, 0, &len);
- }
-
- if (ret == 0) {
- p = pem.buf;
- if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
- mbedtls_pem_free(&pem);
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
- }
-
- if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
- mbedtls_pem_free(&pem);
- return ret;
- }
-
- if ((ret = pk_get_rsapubkey(&p, p + pem.buflen, mbedtls_pk_rsa(*ctx))) != 0) {
- mbedtls_pk_free(ctx);
- }
-
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- mbedtls_pem_free(&pem);
- return ret;
- }
-#endif /* MBEDTLS_RSA_C */
-
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if (key[keylen - 1] != '\0') {
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- } else {
- ret = mbedtls_pem_read_buffer(&pem,
- "-----BEGIN PUBLIC KEY-----",
- "-----END PUBLIC KEY-----",
- key, NULL, 0, &len);
- }
-
- if (ret == 0) {
- /*
- * Was PEM encoded
- */
- p = pem.buf;
-
- ret = mbedtls_pk_parse_subpubkey(&p, p + pem.buflen, ctx);
- mbedtls_pem_free(&pem);
- return ret;
- } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
- mbedtls_pem_free(&pem);
- return ret;
- }
- mbedtls_pem_free(&pem);
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-#if defined(MBEDTLS_RSA_C)
- if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
- return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
- }
-
- if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
- return ret;
- }
-
- p = (unsigned char *) key;
- ret = pk_get_rsapubkey(&p, p + keylen, mbedtls_pk_rsa(*ctx));
- if (ret == 0) {
- return ret;
- }
- mbedtls_pk_free(ctx);
- if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG))) {
- return ret;
- }
-#endif /* MBEDTLS_RSA_C */
- p = (unsigned char *) key;
-
- ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx);
-
- return ret;
-}
-
-#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/library/pkwrite.c b/library/pkwrite.c
deleted file mode 100644
index e38bc27..0000000
--- a/library/pkwrite.c
+++ /dev/null
@@ -1,865 +0,0 @@
-/*
- * Public Key layer for writing key files and structures
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PK_WRITE_C)
-
-#include "mbedtls/pk.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "pk_internal.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
-#endif
-#if defined(MBEDTLS_ECP_C)
-#include "mbedtls/bignum.h"
-#include "mbedtls/ecp.h"
-#include "mbedtls/platform_util.h"
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#include "pk_internal.h"
-#endif
-#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#include "pkwrite.h"
-#endif
-#if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
-#endif
-#if defined(MBEDTLS_PEM_WRITE_C)
-#include "mbedtls/pem.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#include "psa_util_internal.h"
-#endif
-#include "mbedtls/platform.h"
-
-/* Helper for Montgomery curves */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
-static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
-{
- mbedtls_ecp_group_id id = mbedtls_pk_get_group_id(pk);
-
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
- if (id == MBEDTLS_ECP_DP_CURVE25519) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE448)
- if (id == MBEDTLS_ECP_DP_CURVE448) {
- return 1;
- }
-#endif
- return 0;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PEM_WRITE_C)
-/* It is assumed that the input key is opaque */
-static psa_ecc_family_t pk_get_opaque_ec_family(const mbedtls_pk_context *pk)
-{
- psa_ecc_family_t ec_family = 0;
- psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
-
- if (psa_get_key_attributes(pk->priv_id, &key_attrs) != PSA_SUCCESS) {
- return 0;
- }
- ec_family = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attrs));
- psa_reset_key_attributes(&key_attrs);
-
- return ec_family;
-}
-#endif /* MBETLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C */
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/* It is assumed that the input key is opaque */
-static psa_key_type_t pk_get_opaque_key_type(const mbedtls_pk_context *pk)
-{
- psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t opaque_key_type;
-
- if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
- return 0;
- }
- opaque_key_type = psa_get_key_type(&opaque_attrs);
- psa_reset_key_attributes(&opaque_attrs);
-
- return opaque_key_type;
-}
-#endif /* MBETLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_RSA_C)
-/*
- * RSAPublicKey ::= SEQUENCE {
- * modulus INTEGER, -- n
- * publicExponent INTEGER -- e
- * }
- */
-static int pk_write_rsa_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
- mbedtls_mpi T;
- mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
-
- mbedtls_mpi_init(&T);
-
- /* Export E */
- if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export N */
- if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
-end_of_export:
-
- mbedtls_mpi_free(&T);
- if (ret < 0) {
- return ret;
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- return (int) len;
-}
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- size_t len = 0;
- uint8_t buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
-
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- } else {
- len = pk->pub_raw_len;
- memcpy(buf, pk->pub_raw, len);
- }
-
- if (*p < start || (size_t) (*p - start) < len) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *p -= len;
- memcpy(*p, buf, len);
-
- return (int) len;
-}
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- size_t len = 0;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- uint8_t buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
-#else
- unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- *p -= len;
- memcpy(*p, buf, len);
- return (int) len;
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
- if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &len, buf, sizeof(buf))) != 0) {
- return ret;
- }
- }
-
- if (*p < start || (size_t) (*p - start) < len) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- *p -= len;
- memcpy(*p, buf, len);
-
- return (int) len;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-
-/*
- * ECParameters ::= CHOICE {
- * namedCurve OBJECT IDENTIFIER
- * }
- */
-static int pk_write_ec_param(unsigned char **p, unsigned char *start,
- mbedtls_ecp_group_id grp_id)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
- const char *oid;
- size_t oid_len;
-
- if ((ret = mbedtls_oid_get_oid_by_ec_grp(grp_id, &oid, &oid_len)) != 0) {
- return ret;
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
-
- return (int) len;
-}
-
-/*
- * privateKey OCTET STRING -- always of length ceil(log2(n)/8)
- */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static int pk_write_ec_private(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- size_t byte_length;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
- psa_status_t status;
-
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- return ret;
- }
- } else {
- status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- goto exit;
- }
- }
-
- ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
-exit:
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- return ret;
-}
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
-static int pk_write_ec_private(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- size_t byte_length;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
- psa_status_t status;
-#else
- unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
- return ret;
- }
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
- mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
- byte_length = (ec->grp.pbits + 7) / 8;
-
- ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
- if (ret != 0) {
- goto exit;
- }
- }
- ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
-exit:
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- return ret;
-}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int pk_write_opaque_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *pk)
-{
- size_t buffer_size;
- size_t len = 0;
-
- if (*p < start) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- buffer_size = (size_t) (*p - start);
- if (psa_export_public_key(pk->priv_id, start, buffer_size,
- &len) != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- *p -= len;
- memmove(*p, start, len);
-
- return (int) len;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
- const mbedtls_pk_context *key)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
-#if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, key));
- } else
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, key));
- } else
-#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_opaque_pubkey(p, start, key));
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-
- return (int) len;
-}
-
-int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *c;
- int has_par = 1;
- size_t len = 0, par_len = 0, oid_len = 0;
- mbedtls_pk_type_t pk_type;
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
-#endif
- const char *oid = NULL;
-
- if (size == 0) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- c = buf + size;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_pk_write_pubkey(&c, buf, key));
-
- if (c - buf < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- /*
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING }
- */
- *--c = 0;
- len += 1;
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
-
- pk_type = mbedtls_pk_get_type(key);
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (pk_type == MBEDTLS_PK_ECKEY) {
- ec_grp_id = mbedtls_pk_get_group_id(key);
- }
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (pk_type == MBEDTLS_PK_OPAQUE) {
- psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) {
- pk_type = MBEDTLS_PK_ECKEY;
- ec_grp_id = mbedtls_pk_get_group_id(key);
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) {
- /* The rest of the function works as for legacy RSA contexts. */
- pk_type = MBEDTLS_PK_RSA;
- }
- }
- /* `pk_type` will have been changed to non-opaque by here if this function can handle it */
- if (pk_type == MBEDTLS_PK_OPAQUE) {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (pk_type == MBEDTLS_PK_ECKEY) {
- /* Some groups have their own AlgorithmIdentifier OID, others are handled
- * by mbedtls_oid_get_oid_by_pk_alg() below */
- ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec_grp_id, &oid, &oid_len);
-
- if (ret == 0) {
- /* Currently, none of the supported algorithms that have their own
- * AlgorithmIdentifier OID have any parameters */
- has_par = 0;
- } else if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
- MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec_grp_id));
- } else {
- return ret;
- }
- }
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
- if (oid_len == 0) {
- if ((ret = mbedtls_oid_get_oid_by_pk_alg(pk_type, &oid,
- &oid_len)) != 0) {
- return ret;
- }
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier_ext(&c, buf, oid, oid_len,
- par_len, has_par));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- return (int) len;
-}
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
-/*
- * RFC8410 section 7
- *
- * OneAsymmetricKey ::= SEQUENCE {
- * version Version,
- * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
- * privateKey PrivateKey,
- * attributes [0] IMPLICIT Attributes OPTIONAL,
- * ...,
- * [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
- * ...
- * }
- * ...
- * CurvePrivateKey ::= OCTET STRING
- */
-static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
- const mbedtls_pk_context *pk)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
- size_t oid_len = 0;
- const char *oid;
- mbedtls_ecp_group_id grp_id;
-
- /* privateKey */
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING));
-
- grp_id = mbedtls_pk_get_group_id(pk);
- /* privateKeyAlgorithm */
- if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(grp_id, &oid, &oid_len)) != 0) {
- return ret;
- }
- MBEDTLS_ASN1_CHK_ADD(len,
- mbedtls_asn1_write_algorithm_identifier_ext(p, buf, oid, oid_len, 0, 0));
-
- /* version */
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- return (int) len;
-}
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-
-/*
- * RFC 5915, or SEC1 Appendix C.4
- *
- * ECPrivateKey ::= SEQUENCE {
- * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
- * privateKey OCTET STRING,
- * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
- * publicKey [1] BIT STRING OPTIONAL
- * }
- */
-static int pk_write_ec_der(unsigned char **p, unsigned char *buf,
- const mbedtls_pk_context *pk)
-{
- size_t len = 0;
- int ret;
- size_t pub_len = 0, par_len = 0;
- mbedtls_ecp_group_id grp_id;
-
- /* publicKey */
- MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(p, buf, pk));
-
- if (*p - buf < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- (*p)--;
- **p = 0;
- pub_len += 1;
-
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING));
-
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 1));
- len += pub_len;
-
- /* parameters */
- grp_id = mbedtls_pk_get_group_id(pk);
- MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(p, buf, grp_id));
- MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(p, buf, par_len));
- MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(p, buf,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 0));
- len += par_len;
-
- /* privateKey */
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
-
- /* version */
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 1));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
-
- return (int) len;
-}
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_RSA_C)
-static int pk_write_rsa_der(unsigned char **p, unsigned char *buf,
- const mbedtls_pk_context *pk)
-{
- size_t len = 0;
- int ret;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
- uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
- size_t tmp_len = 0;
-
- if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
- *p -= tmp_len;
- memcpy(*p, tmp, tmp_len);
- len += tmp_len;
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
- mbedtls_mpi T; /* Temporary holding the exported parameters */
- mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
-
- /*
- * Export the parameters one after another to avoid simultaneous copies.
- */
-
- mbedtls_mpi_init(&T);
-
- /* Export QP */
- if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export DQ */
- if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export DP */
- if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export Q */
- if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
- &T, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export P */
- if ((ret = mbedtls_rsa_export(rsa, NULL, &T,
- NULL, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export D */
- if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
- NULL, &T, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export E */
- if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
- NULL, NULL, &T)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
- /* Export N */
- if ((ret = mbedtls_rsa_export(rsa, &T, NULL,
- NULL, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
- goto end_of_export;
- }
- len += ret;
-
-end_of_export:
-
- mbedtls_mpi_free(&T);
- if (ret < 0) {
- return ret;
- }
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p,
- buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
- }
-
- return (int) len;
-}
-#endif /* MBEDTLS_RSA_C */
-
-int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
-{
- unsigned char *c;
-#if defined(MBEDTLS_RSA_C)
- int is_rsa_opaque = 0;
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- int is_ec_opaque = 0;
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_type_t opaque_key_type;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- if (size == 0) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
-
- c = buf + size;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
- opaque_key_type = pk_get_opaque_key_type(key);
-#if defined(MBEDTLS_RSA_C)
- is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_RSA_C)
- if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
- return pk_write_rsa_der(&c, buf, key);
- } else
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (mbedtls_pk_is_rfc8410(key)) {
- return pk_write_ec_rfc8410_der(&c, buf, key);
- }
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
- return pk_write_ec_der(&c, buf, key);
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-}
-
-#if defined(MBEDTLS_PEM_WRITE_C)
-
-#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----\n"
-#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----\n"
-
-#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----\n"
-#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----\n"
-#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----\n"
-#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----\n"
-#define PEM_BEGIN_PRIVATE_KEY_PKCS8 "-----BEGIN PRIVATE KEY-----\n"
-#define PEM_END_PRIVATE_KEY_PKCS8 "-----END PRIVATE KEY-----\n"
-
-#define PUB_DER_MAX_BYTES \
- (MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES > MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES ? \
- MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES : MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES)
-#define PRV_DER_MAX_BYTES \
- (MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES > MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES ? \
- MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES : MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES)
-
-int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *output_buf = NULL;
- output_buf = mbedtls_calloc(1, PUB_DER_MAX_BYTES);
- if (output_buf == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
- size_t olen = 0;
-
- if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf,
- PUB_DER_MAX_BYTES)) < 0) {
- goto cleanup;
- }
-
- if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
- output_buf + PUB_DER_MAX_BYTES - ret,
- ret, buf, size, &olen)) != 0) {
- goto cleanup;
- }
-
- ret = 0;
-cleanup:
- mbedtls_free(output_buf);
- return ret;
-}
-
-int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *output_buf = NULL;
- output_buf = mbedtls_calloc(1, PRV_DER_MAX_BYTES);
- if (output_buf == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
- const char *begin, *end;
- size_t olen = 0;
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- int is_ec_opaque = 0;
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- int is_montgomery_opaque = 0;
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#if defined(MBEDTLS_RSA_C)
- int is_rsa_opaque = 0;
-#endif
-
- if ((ret = mbedtls_pk_write_key_der(key, output_buf, PRV_DER_MAX_BYTES)) < 0) {
- goto cleanup;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
- psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
-
-#if defined(MBEDTLS_RSA_C)
- is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (pk_get_opaque_ec_family(key) == PSA_ECC_FAMILY_MONTGOMERY) {
- is_montgomery_opaque = 1;
- }
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_RSA_C)
- if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
- begin = PEM_BEGIN_PRIVATE_KEY_RSA;
- end = PEM_END_PRIVATE_KEY_RSA;
- } else
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
-#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (is_montgomery_opaque ||
- ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) &&
- (mbedtls_pk_is_rfc8410(key)))) {
- begin = PEM_BEGIN_PRIVATE_KEY_PKCS8;
- end = PEM_END_PRIVATE_KEY_PKCS8;
- } else
-#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
- {
- begin = PEM_BEGIN_PRIVATE_KEY_EC;
- end = PEM_END_PRIVATE_KEY_EC;
- }
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- {
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- goto cleanup;
- }
-
- if ((ret = mbedtls_pem_write_buffer(begin, end,
- output_buf + PRV_DER_MAX_BYTES - ret,
- ret, buf, size, &olen)) != 0) {
- goto cleanup;
- }
-
- ret = 0;
-cleanup:
- mbedtls_zeroize_and_free(output_buf, PRV_DER_MAX_BYTES);
- return ret;
-}
-#endif /* MBEDTLS_PEM_WRITE_C */
-
-#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/library/pkwrite.h b/library/pkwrite.h
deleted file mode 100644
index 8cfa64b..0000000
--- a/library/pkwrite.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * \file pkwrite.h
- *
- * \brief Internal defines shared by the PK write module
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PK_WRITE_H
-#define MBEDTLS_PK_WRITE_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/pk.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/*
- * Max sizes of key per types. Shown as tag + len (+ content).
- */
-
-#if defined(MBEDTLS_RSA_C)
-/*
- * RSA public keys:
- * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 3
- * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
- * + 1 + 1 + 9 (rsa oid)
- * + 1 + 1 (params null)
- * subjectPublicKey BIT STRING } 1 + 3 + (1 + below)
- * RSAPublicKey ::= SEQUENCE { 1 + 3
- * modulus INTEGER, -- n 1 + 3 + MPI_MAX + 1
- * publicExponent INTEGER -- e 1 + 3 + MPI_MAX + 1
- * }
- */
-#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
-
-/*
- * RSA private keys:
- * RSAPrivateKey ::= SEQUENCE { 1 + 3
- * version Version, 1 + 1 + 1
- * modulus INTEGER, 1 + 3 + MPI_MAX + 1
- * publicExponent INTEGER, 1 + 3 + MPI_MAX + 1
- * privateExponent INTEGER, 1 + 3 + MPI_MAX + 1
- * prime1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
- * prime2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
- * exponent1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
- * exponent2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
- * coefficient INTEGER, 1 + 3 + MPI_MAX / 2 + 1
- * otherPrimeInfos OtherPrimeInfos OPTIONAL 0 (not supported)
- * }
- */
-#define MBEDTLS_MPI_MAX_SIZE_2 (MBEDTLS_MPI_MAX_SIZE / 2 + \
- MBEDTLS_MPI_MAX_SIZE % 2)
-#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES (47 + 3 * MBEDTLS_MPI_MAX_SIZE \
- + 5 * MBEDTLS_MPI_MAX_SIZE_2)
-
-#else /* MBEDTLS_RSA_C */
-
-#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES 0
-#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES 0
-
-#endif /* MBEDTLS_RSA_C */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-
-/* Find the maximum number of bytes necessary to store an EC point. When USE_PSA
- * is defined this means looking for the maximum between PSA and built-in
- * supported curves. */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#define MBEDTLS_PK_MAX_ECC_BYTES (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
- MBEDTLS_ECP_MAX_BYTES ? \
- PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) : \
- MBEDTLS_ECP_MAX_BYTES)
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-#define MBEDTLS_PK_MAX_ECC_BYTES MBEDTLS_ECP_MAX_BYTES
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-/*
- * EC public keys:
- * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 2
- * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
- * + 1 + 1 + 7 (ec oid)
- * + 1 + 1 + 9 (namedCurve oid)
- * subjectPublicKey BIT STRING 1 + 2 + 1 [1]
- * + 1 (point format) [1]
- * + 2 * ECP_MAX (coords) [1]
- * }
- */
-#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_PK_MAX_ECC_BYTES)
-
-/*
- * EC private keys:
- * ECPrivateKey ::= SEQUENCE { 1 + 2
- * version INTEGER , 1 + 1 + 1
- * privateKey OCTET STRING, 1 + 1 + ECP_MAX
- * parameters [0] ECParameters OPTIONAL, 1 + 1 + (1 + 1 + 9)
- * publicKey [1] BIT STRING OPTIONAL 1 + 2 + [1] above
- * }
- */
-#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES (29 + 3 * MBEDTLS_PK_MAX_ECC_BYTES)
-
-#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES 0
-#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES 0
-
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-#endif /* MBEDTLS_PK_WRITE_H */
diff --git a/library/platform.c b/library/platform.c
deleted file mode 100644
index b15b7b2..0000000
--- a/library/platform.c
+++ /dev/null
@@ -1,414 +0,0 @@
-/*
- * Platform abstraction layer
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PLATFORM_C)
-
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-/* The compile time configuration of memory allocation via the macros
- * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
- * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
- * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
-#if defined(MBEDTLS_PLATFORM_MEMORY) && \
- !(defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && \
- defined(MBEDTLS_PLATFORM_FREE_MACRO))
-
-#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
-static void *platform_calloc_uninit(size_t n, size_t size)
-{
- ((void) n);
- ((void) size);
- return NULL;
-}
-
-#define MBEDTLS_PLATFORM_STD_CALLOC platform_calloc_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
-
-#if !defined(MBEDTLS_PLATFORM_STD_FREE)
-static void platform_free_uninit(void *ptr)
-{
- ((void) ptr);
-}
-
-#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_FREE */
-
-static void * (*mbedtls_calloc_func)(size_t, size_t) = MBEDTLS_PLATFORM_STD_CALLOC;
-static void (*mbedtls_free_func)(void *) = MBEDTLS_PLATFORM_STD_FREE;
-
-void *mbedtls_calloc(size_t nmemb, size_t size)
-{
- return (*mbedtls_calloc_func)(nmemb, size);
-}
-
-void mbedtls_free(void *ptr)
-{
- (*mbedtls_free_func)(ptr);
-}
-
-int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
- void (*free_func)(void *))
-{
- mbedtls_calloc_func = calloc_func;
- mbedtls_free_func = free_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_MEMORY &&
- !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
- defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
-
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
-#include <stdarg.h>
-int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- va_list argp;
-
- va_start(argp, fmt);
- ret = mbedtls_vsnprintf(s, n, fmt, argp);
- va_end(argp);
-
- return ret;
-}
-#endif
-
-#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_snprintf_uninit(char *s, size_t n,
- const char *format, ...)
-{
- ((void) s);
- ((void) n);
- ((void) format);
- return 0;
-}
-
-#define MBEDTLS_PLATFORM_STD_SNPRINTF platform_snprintf_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
-
-int (*mbedtls_snprintf)(char *s, size_t n,
- const char *format,
- ...) = MBEDTLS_PLATFORM_STD_SNPRINTF;
-
-int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
- const char *format,
- ...))
-{
- mbedtls_snprintf = snprintf_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
-
-#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
-#include <stdarg.h>
-int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Avoid calling the invalid parameter handler by checking ourselves */
- if (s == NULL || n == 0 || fmt == NULL) {
- return -1;
- }
-
-#if defined(_TRUNCATE)
- ret = vsnprintf_s(s, n, _TRUNCATE, fmt, arg);
-#else
- ret = vsnprintf(s, n, fmt, arg);
- if (ret < 0 || (size_t) ret == n) {
- s[n-1] = '\0';
- ret = -1;
- }
-#endif
-
- return ret;
-}
-#endif
-
-#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_vsnprintf_uninit(char *s, size_t n,
- const char *format, va_list arg)
-{
- ((void) s);
- ((void) n);
- ((void) format);
- ((void) arg);
- return -1;
-}
-
-#define MBEDTLS_PLATFORM_STD_VSNPRINTF platform_vsnprintf_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_VSNPRINTF */
-
-int (*mbedtls_vsnprintf)(char *s, size_t n,
- const char *format,
- va_list arg) = MBEDTLS_PLATFORM_STD_VSNPRINTF;
-
-int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
- const char *format,
- va_list arg))
-{
- mbedtls_vsnprintf = vsnprintf_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
-
-#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_printf_uninit(const char *format, ...)
-{
- ((void) format);
- return 0;
-}
-
-#define MBEDTLS_PLATFORM_STD_PRINTF platform_printf_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
-
-int (*mbedtls_printf)(const char *, ...) = MBEDTLS_PLATFORM_STD_PRINTF;
-
-int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...))
-{
- mbedtls_printf = printf_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
-
-#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_fprintf_uninit(FILE *stream, const char *format, ...)
-{
- ((void) stream);
- ((void) format);
- return 0;
-}
-
-#define MBEDTLS_PLATFORM_STD_FPRINTF platform_fprintf_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
-
-int (*mbedtls_fprintf)(FILE *, const char *, ...) =
- MBEDTLS_PLATFORM_STD_FPRINTF;
-
-int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *, const char *, ...))
-{
- mbedtls_fprintf = fprintf_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
-
-#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static void platform_setbuf_uninit(FILE *stream, char *buf)
-{
- ((void) stream);
- ((void) buf);
-}
-
-#define MBEDTLS_PLATFORM_STD_SETBUF platform_setbuf_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_SETBUF */
-void (*mbedtls_setbuf)(FILE *stream, char *buf) = MBEDTLS_PLATFORM_STD_SETBUF;
-
-int mbedtls_platform_set_setbuf(void (*setbuf_func)(FILE *stream, char *buf))
-{
- mbedtls_setbuf = setbuf_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
-
-#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static void platform_exit_uninit(int status)
-{
- ((void) status);
-}
-
-#define MBEDTLS_PLATFORM_STD_EXIT platform_exit_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
-
-void (*mbedtls_exit)(int status) = MBEDTLS_PLATFORM_STD_EXIT;
-
-int mbedtls_platform_set_exit(void (*exit_func)(int status))
-{
- mbedtls_exit = exit_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
-
-#if defined(MBEDTLS_HAVE_TIME)
-
-#if defined(MBEDTLS_PLATFORM_TIME_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_TIME)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static mbedtls_time_t platform_time_uninit(mbedtls_time_t *timer)
-{
- ((void) timer);
- return 0;
-}
-
-#define MBEDTLS_PLATFORM_STD_TIME platform_time_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_TIME */
-
-mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *timer) = MBEDTLS_PLATFORM_STD_TIME;
-
-int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *timer))
-{
- mbedtls_time = time_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_TIME_ALT */
-
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
-/* Default implementations for the platform independent seed functions use
- * standard libc file functions to read from and write to a pre-defined filename
- */
-int mbedtls_platform_std_nv_seed_read(unsigned char *buf, size_t buf_len)
-{
- FILE *file;
- size_t n;
-
- if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb")) == NULL) {
- return -1;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(file, NULL);
-
- if ((n = fread(buf, 1, buf_len, file)) != buf_len) {
- fclose(file);
- mbedtls_platform_zeroize(buf, buf_len);
- return -1;
- }
-
- fclose(file);
- return (int) n;
-}
-
-int mbedtls_platform_std_nv_seed_write(unsigned char *buf, size_t buf_len)
-{
- FILE *file;
- size_t n;
-
- if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w")) == NULL) {
- return -1;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(file, NULL);
-
- if ((n = fwrite(buf, 1, buf_len, file)) != buf_len) {
- fclose(file);
- return -1;
- }
-
- fclose(file);
- return (int) n;
-}
-#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
-
-#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
-#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_nv_seed_read_uninit(unsigned char *buf, size_t buf_len)
-{
- ((void) buf);
- ((void) buf_len);
- return -1;
-}
-
-#define MBEDTLS_PLATFORM_STD_NV_SEED_READ platform_nv_seed_read_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
-
-#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
-/*
- * Make dummy function to prevent NULL pointer dereferences
- */
-static int platform_nv_seed_write_uninit(unsigned char *buf, size_t buf_len)
-{
- ((void) buf);
- ((void) buf_len);
- return -1;
-}
-
-#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE platform_nv_seed_write_uninit
-#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
-
-int (*mbedtls_nv_seed_read)(unsigned char *buf, size_t buf_len) =
- MBEDTLS_PLATFORM_STD_NV_SEED_READ;
-int (*mbedtls_nv_seed_write)(unsigned char *buf, size_t buf_len) =
- MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
-
-int mbedtls_platform_set_nv_seed(
- int (*nv_seed_read_func)(unsigned char *buf, size_t buf_len),
- int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len))
-{
- mbedtls_nv_seed_read = nv_seed_read_func;
- mbedtls_nv_seed_write = nv_seed_write_func;
- return 0;
-}
-#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-
-#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
-/*
- * Placeholder platform setup that does nothing by default
- */
-int mbedtls_platform_setup(mbedtls_platform_context *ctx)
-{
- (void) ctx;
-
- return 0;
-}
-
-/*
- * Placeholder platform teardown that does nothing by default
- */
-void mbedtls_platform_teardown(mbedtls_platform_context *ctx)
-{
- (void) ctx;
-}
-#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
-
-#endif /* MBEDTLS_PLATFORM_C */
diff --git a/library/platform_util.c b/library/platform_util.c
deleted file mode 100644
index 09216ed..0000000
--- a/library/platform_util.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Common and shared functions used by multiple modules in the Mbed TLS
- * library.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Ensure gmtime_r is available even with -std=c99; must be defined before
- * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms
- * except OpenBSD, where it stops us accessing explicit_bzero.
- */
-#if !defined(_POSIX_C_SOURCE) && !defined(__OpenBSD__)
-#define _POSIX_C_SOURCE 200112L
-#endif
-
-#if !defined(_GNU_SOURCE)
-/* Clang requires this to get support for explicit_bzero */
-#define _GNU_SOURCE
-#endif
-
-#include "common.h"
-
-#include "mbedtls/platform_util.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/threading.h"
-
-#include <stddef.h>
-
-#ifndef __STDC_WANT_LIB_EXT1__
-#define __STDC_WANT_LIB_EXT1__ 1 /* Ask for the C11 gmtime_s() and memset_s() if available */
-#endif
-#include <string.h>
-
-#if defined(_WIN32)
-#include <windows.h>
-#endif
-
-// Detect platforms known to support explicit_bzero()
-#if defined(__GLIBC__) && (__GLIBC__ >= 2) && (__GLIBC_MINOR__ >= 25)
-#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
-#elif (defined(__FreeBSD__) && (__FreeBSD_version >= 1100037)) || defined(__OpenBSD__)
-#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
-#endif
-
-#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
-
-#undef HAVE_MEMORY_SANITIZER
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer)
-#include <sanitizer/msan_interface.h>
-#define HAVE_MEMORY_SANITIZER
-#endif
-#endif
-
-/*
- * Where possible, we try to detect the presence of a platform-provided
- * secure memset, such as explicit_bzero(), that is safe against being optimized
- * out, and use that.
- *
- * For other platforms, we provide an implementation that aims not to be
- * optimized out by the compiler.
- *
- * This implementation for mbedtls_platform_zeroize() was inspired from Colin
- * Percival's blog article at:
- *
- * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
- *
- * It uses a volatile function pointer to the standard memset(). Because the
- * pointer is volatile the compiler expects it to change at
- * any time and will not optimize out the call that could potentially perform
- * other operations on the input buffer instead of just setting it to 0.
- * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
- * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
- * details), optimizations of the following form are still possible:
- *
- * if (memset_func != memset)
- * memset_func(buf, 0, len);
- *
- * Note that it is extremely difficult to guarantee that
- * the memset() call will not be optimized out by aggressive compilers
- * in a portable way. For this reason, Mbed TLS also provides the configuration
- * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
- * mbedtls_platform_zeroize() to use a suitable implementation for their
- * platform and needs.
- */
-#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !(defined(__STDC_LIB_EXT1__) && \
- !defined(__IAR_SYSTEMS_ICC__)) \
- && !defined(_WIN32)
-static void *(*const volatile memset_func)(void *, int, size_t) = memset;
-#endif
-
-void mbedtls_platform_zeroize(void *buf, size_t len)
-{
- MBEDTLS_INTERNAL_VALIDATE(len == 0 || buf != NULL);
-
- if (len > 0) {
-#if defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO)
- explicit_bzero(buf, len);
-#if defined(HAVE_MEMORY_SANITIZER)
- /* You'd think that Msan would recognize explicit_bzero() as
- * equivalent to bzero(), but it actually doesn't on several
- * platforms, including Linux (Ubuntu 20.04).
- * https://github.com/google/sanitizers/issues/1507
- * https://github.com/openssh/openssh-portable/commit/74433a19bb6f4cef607680fa4d1d7d81ca3826aa
- */
- __msan_unpoison(buf, len);
-#endif
-#elif defined(__STDC_LIB_EXT1__) && !defined(__IAR_SYSTEMS_ICC__)
- memset_s(buf, len, 0, len);
-#elif defined(_WIN32)
- SecureZeroMemory(buf, len);
-#else
- memset_func(buf, 0, len);
-#endif
-
-#if defined(__GNUC__)
- /* For clang and recent gcc, pretend that we have some assembly that reads the
- * zero'd memory as an additional protection against being optimised away. */
-#if defined(__clang__) || (__GNUC__ >= 10)
-#if defined(__clang__)
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wvla"
-#elif defined(MBEDTLS_COMPILER_IS_GCC)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wvla"
-#endif
- asm volatile ("" : : "m" (*(char (*)[len]) buf) :);
-#if defined(__clang__)
-#pragma clang diagnostic pop
-#elif defined(MBEDTLS_COMPILER_IS_GCC)
-#pragma GCC diagnostic pop
-#endif
-#endif
-#endif
- }
-}
-#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
-
-void mbedtls_zeroize_and_free(void *buf, size_t len)
-{
- if (buf != NULL) {
- mbedtls_platform_zeroize(buf, len);
- }
-
- mbedtls_free(buf);
-}
-
-#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
-#include <time.h>
-#if !defined(_WIN32) && (defined(unix) || \
- defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
- defined(__MACH__)))
-#include <unistd.h>
-#endif /* !_WIN32 && (unix || __unix || __unix__ ||
- * (__APPLE__ && __MACH__)) */
-
-#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
- (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
-/*
- * This is a convenience shorthand macro to avoid checking the long
- * preprocessor conditions above. Ideally, we could expose this macro in
- * platform_util.h and simply use it in platform_util.c, threading.c and
- * threading.h. However, this macro is not part of the Mbed TLS public API, so
- * we keep it private by only defining it in this file
- */
-#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)) || \
- (defined(__MINGW32__) && !defined(__MINGW64_VERSION_MAJOR))
-#define PLATFORM_UTIL_USE_GMTIME
-#endif
-
-#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
- ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
-
-struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
- struct tm *tm_buf)
-{
-#if defined(_WIN32) && !defined(PLATFORM_UTIL_USE_GMTIME)
-#if defined(__STDC_LIB_EXT1__)
- return (gmtime_s(tt, tm_buf) == 0) ? NULL : tm_buf;
-#else
- /* MSVC and mingw64 argument order and return value are inconsistent with the C11 standard */
- return (gmtime_s(tm_buf, tt) == 0) ? tm_buf : NULL;
-#endif
-#elif !defined(PLATFORM_UTIL_USE_GMTIME)
- return gmtime_r(tt, tm_buf);
-#else
- struct tm *lt;
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_lock(&mbedtls_threading_gmtime_mutex) != 0) {
- return NULL;
- }
-#endif /* MBEDTLS_THREADING_C */
-
- lt = gmtime(tt);
-
- if (lt != NULL) {
- memcpy(tm_buf, lt, sizeof(struct tm));
- }
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&mbedtls_threading_gmtime_mutex) != 0) {
- return NULL;
- }
-#endif /* MBEDTLS_THREADING_C */
-
- return (lt == NULL) ? NULL : tm_buf;
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
-}
-#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-void (*mbedtls_test_hook_test_fail)(const char *, int, const char *);
-#endif /* MBEDTLS_TEST_HOOKS */
-
-/*
- * Provide external definitions of some inline functions so that the compiler
- * has the option to not inline them
- */
-extern inline void mbedtls_xor(unsigned char *r,
- const unsigned char *a,
- const unsigned char *b,
- size_t n);
-
-extern inline uint16_t mbedtls_get_unaligned_uint16(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x);
-
-extern inline uint32_t mbedtls_get_unaligned_uint32(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x);
-
-extern inline uint64_t mbedtls_get_unaligned_uint64(const void *p);
-
-extern inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x);
-
-#if defined(MBEDTLS_HAVE_TIME) && !defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
-
-#include <time.h>
-#if !defined(_WIN32) && \
- (defined(unix) || defined(__unix) || defined(__unix__) || \
- (defined(__APPLE__) && defined(__MACH__)))
-#include <unistd.h>
-#endif /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__)) */
-#if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L)
-mbedtls_ms_time_t mbedtls_ms_time(void)
-{
- int ret;
- struct timespec tv;
- mbedtls_ms_time_t current_ms;
-
-#if defined(__linux__)
- ret = clock_gettime(CLOCK_BOOTTIME, &tv);
-#else
- ret = clock_gettime(CLOCK_MONOTONIC, &tv);
-#endif
- if (ret) {
- return time(NULL) * 1000;
- }
-
- current_ms = tv.tv_sec;
-
- return current_ms*1000 + tv.tv_nsec / 1000000;
-}
-#elif defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
- defined(__MINGW32__) || defined(_WIN64)
-#include <windows.h>
-mbedtls_ms_time_t mbedtls_ms_time(void)
-{
- FILETIME ct;
- mbedtls_ms_time_t current_ms;
-
- GetSystemTimeAsFileTime(&ct);
- current_ms = ((mbedtls_ms_time_t) ct.dwLowDateTime +
- ((mbedtls_ms_time_t) (ct.dwHighDateTime) << 32LL))/10000;
- return current_ms;
-}
-#else
-#error "No mbedtls_ms_time available"
-#endif
-#endif /* MBEDTLS_HAVE_TIME && !MBEDTLS_PLATFORM_MS_TIME_ALT */
diff --git a/library/poly1305.c b/library/poly1305.c
deleted file mode 100644
index f4e1d3f..0000000
--- a/library/poly1305.c
+++ /dev/null
@@ -1,504 +0,0 @@
-/**
- * \file poly1305.c
- *
- * \brief Poly1305 authentication algorithm.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include "common.h"
-
-#if defined(MBEDTLS_POLY1305_C)
-
-#include "mbedtls/poly1305.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_POLY1305_ALT)
-
-#define POLY1305_BLOCK_SIZE_BYTES (16U)
-
-/*
- * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
- * However we provided an alternative for platforms without such a multiplier.
- */
-#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
-static uint64_t mul64(uint32_t a, uint32_t b)
-{
- /* a = al + 2**16 ah, b = bl + 2**16 bh */
- const uint16_t al = (uint16_t) a;
- const uint16_t bl = (uint16_t) b;
- const uint16_t ah = a >> 16;
- const uint16_t bh = b >> 16;
-
- /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
- const uint32_t lo = (uint32_t) al * bl;
- const uint64_t me = (uint64_t) ((uint32_t) ah * bl) + (uint32_t) al * bh;
- const uint32_t hi = (uint32_t) ah * bh;
-
- return lo + (me << 16) + ((uint64_t) hi << 32);
-}
-#else
-static inline uint64_t mul64(uint32_t a, uint32_t b)
-{
- return (uint64_t) a * b;
-}
-#endif
-
-
-/**
- * \brief Process blocks with Poly1305.
- *
- * \param ctx The Poly1305 context.
- * \param nblocks Number of blocks to process. Note that this
- * function only processes full blocks.
- * \param input Buffer containing the input block(s).
- * \param needs_padding Set to 0 if the padding bit has already been
- * applied to the input data before calling this
- * function. Otherwise, set this parameter to 1.
- */
-static void poly1305_process(mbedtls_poly1305_context *ctx,
- size_t nblocks,
- const unsigned char *input,
- uint32_t needs_padding)
-{
- uint64_t d0, d1, d2, d3;
- uint32_t acc0, acc1, acc2, acc3, acc4;
- uint32_t r0, r1, r2, r3;
- uint32_t rs1, rs2, rs3;
- size_t offset = 0U;
- size_t i;
-
- r0 = ctx->r[0];
- r1 = ctx->r[1];
- r2 = ctx->r[2];
- r3 = ctx->r[3];
-
- rs1 = r1 + (r1 >> 2U);
- rs2 = r2 + (r2 >> 2U);
- rs3 = r3 + (r3 >> 2U);
-
- acc0 = ctx->acc[0];
- acc1 = ctx->acc[1];
- acc2 = ctx->acc[2];
- acc3 = ctx->acc[3];
- acc4 = ctx->acc[4];
-
- /* Process full blocks */
- for (i = 0U; i < nblocks; i++) {
- /* The input block is treated as a 128-bit little-endian integer */
- d0 = MBEDTLS_GET_UINT32_LE(input, offset + 0);
- d1 = MBEDTLS_GET_UINT32_LE(input, offset + 4);
- d2 = MBEDTLS_GET_UINT32_LE(input, offset + 8);
- d3 = MBEDTLS_GET_UINT32_LE(input, offset + 12);
-
- /* Compute: acc += (padded) block as a 130-bit integer */
- d0 += (uint64_t) acc0;
- d1 += (uint64_t) acc1 + (d0 >> 32U);
- d2 += (uint64_t) acc2 + (d1 >> 32U);
- d3 += (uint64_t) acc3 + (d2 >> 32U);
- acc0 = (uint32_t) d0;
- acc1 = (uint32_t) d1;
- acc2 = (uint32_t) d2;
- acc3 = (uint32_t) d3;
- acc4 += (uint32_t) (d3 >> 32U) + needs_padding;
-
- /* Compute: acc *= r */
- d0 = mul64(acc0, r0) +
- mul64(acc1, rs3) +
- mul64(acc2, rs2) +
- mul64(acc3, rs1);
- d1 = mul64(acc0, r1) +
- mul64(acc1, r0) +
- mul64(acc2, rs3) +
- mul64(acc3, rs2) +
- mul64(acc4, rs1);
- d2 = mul64(acc0, r2) +
- mul64(acc1, r1) +
- mul64(acc2, r0) +
- mul64(acc3, rs3) +
- mul64(acc4, rs2);
- d3 = mul64(acc0, r3) +
- mul64(acc1, r2) +
- mul64(acc2, r1) +
- mul64(acc3, r0) +
- mul64(acc4, rs3);
- acc4 *= r0;
-
- /* Compute: acc %= (2^130 - 5) (partial remainder) */
- d1 += (d0 >> 32);
- d2 += (d1 >> 32);
- d3 += (d2 >> 32);
- acc0 = (uint32_t) d0;
- acc1 = (uint32_t) d1;
- acc2 = (uint32_t) d2;
- acc3 = (uint32_t) d3;
- acc4 = (uint32_t) (d3 >> 32) + acc4;
-
- d0 = (uint64_t) acc0 + (acc4 >> 2) + (acc4 & 0xFFFFFFFCU);
- acc4 &= 3U;
- acc0 = (uint32_t) d0;
- d0 = (uint64_t) acc1 + (d0 >> 32U);
- acc1 = (uint32_t) d0;
- d0 = (uint64_t) acc2 + (d0 >> 32U);
- acc2 = (uint32_t) d0;
- d0 = (uint64_t) acc3 + (d0 >> 32U);
- acc3 = (uint32_t) d0;
- d0 = (uint64_t) acc4 + (d0 >> 32U);
- acc4 = (uint32_t) d0;
-
- offset += POLY1305_BLOCK_SIZE_BYTES;
- }
-
- ctx->acc[0] = acc0;
- ctx->acc[1] = acc1;
- ctx->acc[2] = acc2;
- ctx->acc[3] = acc3;
- ctx->acc[4] = acc4;
-}
-
-/**
- * \brief Compute the Poly1305 MAC
- *
- * \param ctx The Poly1305 context.
- * \param mac The buffer to where the MAC is written. Must be
- * big enough to contain the 16-byte MAC.
- */
-static void poly1305_compute_mac(const mbedtls_poly1305_context *ctx,
- unsigned char mac[16])
-{
- uint64_t d;
- uint32_t g0, g1, g2, g3, g4;
- uint32_t acc0, acc1, acc2, acc3, acc4;
- uint32_t mask;
- uint32_t mask_inv;
-
- acc0 = ctx->acc[0];
- acc1 = ctx->acc[1];
- acc2 = ctx->acc[2];
- acc3 = ctx->acc[3];
- acc4 = ctx->acc[4];
-
- /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
- * We do this by calculating acc - (2^130 - 5), then checking if
- * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
- */
-
- /* Calculate acc + -(2^130 - 5) */
- d = ((uint64_t) acc0 + 5U);
- g0 = (uint32_t) d;
- d = ((uint64_t) acc1 + (d >> 32));
- g1 = (uint32_t) d;
- d = ((uint64_t) acc2 + (d >> 32));
- g2 = (uint32_t) d;
- d = ((uint64_t) acc3 + (d >> 32));
- g3 = (uint32_t) d;
- g4 = acc4 + (uint32_t) (d >> 32U);
-
- /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
- mask = (uint32_t) 0U - (g4 >> 2U);
- mask_inv = ~mask;
-
- /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
- acc0 = (acc0 & mask_inv) | (g0 & mask);
- acc1 = (acc1 & mask_inv) | (g1 & mask);
- acc2 = (acc2 & mask_inv) | (g2 & mask);
- acc3 = (acc3 & mask_inv) | (g3 & mask);
-
- /* Add 's' */
- d = (uint64_t) acc0 + ctx->s[0];
- acc0 = (uint32_t) d;
- d = (uint64_t) acc1 + ctx->s[1] + (d >> 32U);
- acc1 = (uint32_t) d;
- d = (uint64_t) acc2 + ctx->s[2] + (d >> 32U);
- acc2 = (uint32_t) d;
- acc3 += ctx->s[3] + (uint32_t) (d >> 32U);
-
- /* Compute MAC (128 least significant bits of the accumulator) */
- MBEDTLS_PUT_UINT32_LE(acc0, mac, 0);
- MBEDTLS_PUT_UINT32_LE(acc1, mac, 4);
- MBEDTLS_PUT_UINT32_LE(acc2, mac, 8);
- MBEDTLS_PUT_UINT32_LE(acc3, mac, 12);
-}
-
-void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx)
-{
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
-}
-
-void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
-}
-
-int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
- const unsigned char key[32])
-{
- /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
- ctx->r[0] = MBEDTLS_GET_UINT32_LE(key, 0) & 0x0FFFFFFFU;
- ctx->r[1] = MBEDTLS_GET_UINT32_LE(key, 4) & 0x0FFFFFFCU;
- ctx->r[2] = MBEDTLS_GET_UINT32_LE(key, 8) & 0x0FFFFFFCU;
- ctx->r[3] = MBEDTLS_GET_UINT32_LE(key, 12) & 0x0FFFFFFCU;
-
- ctx->s[0] = MBEDTLS_GET_UINT32_LE(key, 16);
- ctx->s[1] = MBEDTLS_GET_UINT32_LE(key, 20);
- ctx->s[2] = MBEDTLS_GET_UINT32_LE(key, 24);
- ctx->s[3] = MBEDTLS_GET_UINT32_LE(key, 28);
-
- /* Initial accumulator state */
- ctx->acc[0] = 0U;
- ctx->acc[1] = 0U;
- ctx->acc[2] = 0U;
- ctx->acc[3] = 0U;
- ctx->acc[4] = 0U;
-
- /* Queue initially empty */
- mbedtls_platform_zeroize(ctx->queue, sizeof(ctx->queue));
- ctx->queue_len = 0U;
-
- return 0;
-}
-
-int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- size_t offset = 0U;
- size_t remaining = ilen;
- size_t queue_free_len;
- size_t nblocks;
-
- if ((remaining > 0U) && (ctx->queue_len > 0U)) {
- queue_free_len = (POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
-
- if (ilen < queue_free_len) {
- /* Not enough data to complete the block.
- * Store this data with the other leftovers.
- */
- memcpy(&ctx->queue[ctx->queue_len],
- input,
- ilen);
-
- ctx->queue_len += ilen;
-
- remaining = 0U;
- } else {
- /* Enough data to produce a complete block */
- memcpy(&ctx->queue[ctx->queue_len],
- input,
- queue_free_len);
-
- ctx->queue_len = 0U;
-
- poly1305_process(ctx, 1U, ctx->queue, 1U); /* add padding bit */
-
- offset += queue_free_len;
- remaining -= queue_free_len;
- }
- }
-
- if (remaining >= POLY1305_BLOCK_SIZE_BYTES) {
- nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
-
- poly1305_process(ctx, nblocks, &input[offset], 1U);
-
- offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
- remaining %= POLY1305_BLOCK_SIZE_BYTES;
- }
-
- if (remaining > 0U) {
- /* Store partial block */
- ctx->queue_len = remaining;
- memcpy(ctx->queue, &input[offset], remaining);
- }
-
- return 0;
-}
-
-int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
- unsigned char mac[16])
-{
- /* Process any leftover data */
- if (ctx->queue_len > 0U) {
- /* Add padding bit */
- ctx->queue[ctx->queue_len] = 1U;
- ctx->queue_len++;
-
- /* Pad with zeroes */
- memset(&ctx->queue[ctx->queue_len],
- 0,
- POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
-
- poly1305_process(ctx, 1U, /* Process 1 block */
- ctx->queue, 0U); /* Already padded above */
- }
-
- poly1305_compute_mac(ctx, mac);
-
- return 0;
-}
-
-int mbedtls_poly1305_mac(const unsigned char key[32],
- const unsigned char *input,
- size_t ilen,
- unsigned char mac[16])
-{
- mbedtls_poly1305_context ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_poly1305_init(&ctx);
-
- ret = mbedtls_poly1305_starts(&ctx, key);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_poly1305_update(&ctx, input, ilen);
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_poly1305_finish(&ctx, mac);
-
-cleanup:
- mbedtls_poly1305_free(&ctx);
- return ret;
-}
-
-#endif /* MBEDTLS_POLY1305_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-static const unsigned char test_keys[2][32] =
-{
- {
- 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
- 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
- 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
- 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
- },
- {
- 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
- 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
- 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
- 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
- }
-};
-
-static const unsigned char test_data[2][127] =
-{
- {
- 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
- 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
- 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
- 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
- 0x75, 0x70
- },
- {
- 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
- 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
- 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
- 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
- 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
- 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
- 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
- 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
- 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
- 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
- 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
- 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
- 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
- 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
- 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
- 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
- }
-};
-
-static const size_t test_data_len[2] =
-{
- 34U,
- 127U
-};
-
-static const unsigned char test_mac[2][16] =
-{
- {
- 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
- 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
- },
- {
- 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
- 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
- }
-};
-
-/* Make sure no other definition is already present. */
-#undef ASSERT
-
-#define ASSERT(cond, args) \
- do \
- { \
- if (!(cond)) \
- { \
- if (verbose != 0) \
- mbedtls_printf args; \
- \
- return -1; \
- } \
- } \
- while (0)
-
-int mbedtls_poly1305_self_test(int verbose)
-{
- unsigned char mac[16];
- unsigned i;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- for (i = 0U; i < 2U; i++) {
- if (verbose != 0) {
- mbedtls_printf(" Poly1305 test %u ", i);
- }
-
- ret = mbedtls_poly1305_mac(test_keys[i],
- test_data[i],
- test_data_len[i],
- mac);
- ASSERT(0 == ret, ("error code: %i\n", ret));
-
- ASSERT(0 == memcmp(mac, test_mac[i], 16U), ("failed (mac)\n"));
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_POLY1305_C */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
deleted file mode 100644
index 1faf1dd..0000000
--- a/library/psa_crypto.c
+++ /dev/null
@@ -1,8444 +0,0 @@
-/*
- * PSA crypto layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-#include "psa_crypto_core_common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#include "check_crypto_config.h"
-#endif
-
-#include "psa/crypto.h"
-#include "psa/crypto_values.h"
-
-#include "psa_crypto_cipher.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_invasive.h"
-#include "psa_crypto_driver_wrappers.h"
-#include "psa_crypto_driver_wrappers_no_static.h"
-#include "psa_crypto_ecp.h"
-#include "psa_crypto_ffdh.h"
-#include "psa_crypto_hash.h"
-#include "psa_crypto_mac.h"
-#include "psa_crypto_rsa.h"
-#include "psa_crypto_ecp.h"
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#include "psa_crypto_se.h"
-#endif
-#include "psa_crypto_slot_management.h"
-/* Include internal declarations that are useful for implementing persistently
- * stored keys. */
-#include "psa_crypto_storage.h"
-
-#include "psa_crypto_random_impl.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
-
-#include "mbedtls/aes.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/bignum.h"
-#include "mbedtls/camellia.h"
-#include "mbedtls/chacha20.h"
-#include "mbedtls/chachapoly.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/cmac.h"
-#include "mbedtls/constant_time.h"
-#include "mbedtls/des.h"
-#include "mbedtls/ecdh.h"
-#include "mbedtls/ecp.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/error.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/md.h"
-#include "mbedtls/pk.h"
-#include "pk_wrap.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "md_psa.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
-#define BUILTIN_ALG_ANY_HKDF 1
-#endif
-
-/****************************************************************/
-/* Global data, support functions and library management */
-/****************************************************************/
-
-static int key_type_is_raw_bytes(psa_key_type_t type)
-{
- return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
-}
-
-/* Values for psa_global_data_t::rng_state */
-#define RNG_NOT_INITIALIZED 0
-#define RNG_INITIALIZED 1
-#define RNG_SEEDED 2
-
-typedef struct {
- uint8_t initialized;
- uint8_t rng_state;
- uint8_t drivers_initialized;
- mbedtls_psa_random_context_t rng;
-} psa_global_data_t;
-
-static psa_global_data_t global_data;
-
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
- &global_data.rng.drbg;
-#endif
-
-#define GUARD_MODULE_INITIALIZED \
- if (global_data.initialized == 0) \
- return PSA_ERROR_BAD_STATE;
-
-int psa_can_do_hash(psa_algorithm_t hash_alg)
-{
- (void) hash_alg;
- return global_data.drivers_initialized;
-}
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
-static int psa_is_dh_key_size_valid(size_t bits)
-{
- if (bits != 2048 && bits != 3072 && bits != 4096 &&
- bits != 6144 && bits != 8192) {
- return 0;
- }
-
- return 1;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
- MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
- PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
-
-psa_status_t mbedtls_to_psa_error(int ret)
-{
- /* Mbed TLS error codes can combine a high-level error code and a
- * low-level error code. The low-level error usually reflects the
- * root cause better, so dispatch on that preferably. */
- int low_level_ret = -(-ret & 0x007f);
- switch (low_level_ret != 0 ? low_level_ret : ret) {
- case 0:
- return PSA_SUCCESS;
-
-#if defined(MBEDTLS_AES_C)
- case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
- case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
-#endif
-
-#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
- case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
- case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
- case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
- case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
- case MBEDTLS_ERR_ASN1_INVALID_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
-#endif
-
-#if defined(MBEDTLS_CAMELLIA_C)
- case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
- case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
- return PSA_ERROR_NOT_SUPPORTED;
-#endif
-
-#if defined(MBEDTLS_CCM_C)
- case MBEDTLS_ERR_CCM_BAD_INPUT:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_CCM_AUTH_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
-#endif
-
-#if defined(MBEDTLS_CHACHA20_C)
- case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
-#endif
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
- return PSA_ERROR_BAD_STATE;
- case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
-#endif
-
-#if defined(MBEDTLS_CIPHER_C)
- case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
- return PSA_ERROR_INVALID_PADDING;
- case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
- case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
- return PSA_ERROR_CORRUPTION_DETECTED;
-#endif
-
-#if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
- defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
- /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
- * functions are passed a CTR_DRBG instance. */
- case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
- case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
- case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
-#endif
-
-#if defined(MBEDTLS_DES_C)
- case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
- return PSA_ERROR_NOT_SUPPORTED;
-#endif
-
- case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
- case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
- case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
-
-#if defined(MBEDTLS_GCM_C)
- case MBEDTLS_ERR_GCM_AUTH_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
- case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
- case MBEDTLS_ERR_GCM_BAD_INPUT:
- return PSA_ERROR_INVALID_ARGUMENT;
-#endif
-
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
- defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
- /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
- * functions are passed a HMAC_DRBG instance. */
- case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
- case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
- case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
-#endif
-
-#if defined(MBEDTLS_MD_LIGHT)
- case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MD_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
-#if defined(MBEDTLS_FS_IO)
- case MBEDTLS_ERR_MD_FILE_IO_ERROR:
- return PSA_ERROR_STORAGE_FAILURE;
-#endif
-#endif
-
-#if defined(MBEDTLS_BIGNUM_C)
-#if defined(MBEDTLS_FS_IO)
- case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
- return PSA_ERROR_STORAGE_FAILURE;
-#endif
- case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
- case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_MPI_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
-#endif
-
-#if defined(MBEDTLS_PK_C)
- case MBEDTLS_ERR_PK_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- case MBEDTLS_ERR_PK_TYPE_MISMATCH:
- case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
- defined(MBEDTLS_PSA_ITS_FILE_C)
- case MBEDTLS_ERR_PK_FILE_IO_ERROR:
- return PSA_ERROR_STORAGE_FAILURE;
-#endif
- case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
- case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
- case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
- return PSA_ERROR_NOT_PERMITTED;
- case MBEDTLS_ERR_PK_INVALID_PUBKEY:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_PK_INVALID_ALG:
- case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
- case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
- return PSA_ERROR_INVALID_SIGNATURE;
- case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
-#endif
-
- case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
- return PSA_ERROR_HARDWARE_FAILURE;
- case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
- return PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_RSA_INVALID_PADDING:
- return PSA_ERROR_INVALID_PADDING;
- case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
- return PSA_ERROR_HARDWARE_FAILURE;
- case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
- case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
- return PSA_ERROR_CORRUPTION_DETECTED;
- case MBEDTLS_ERR_RSA_VERIFY_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
- case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
- return PSA_ERROR_BUFFER_TOO_SMALL;
- case MBEDTLS_ERR_RSA_RNG_FAILED:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
-#endif
-
-#if defined(MBEDTLS_ECP_LIGHT)
- case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
- case MBEDTLS_ERR_ECP_INVALID_KEY:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
- case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
- case MBEDTLS_ERR_ECP_VERIFY_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
- case MBEDTLS_ERR_ECP_ALLOC_FAILED:
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- case MBEDTLS_ERR_ECP_RANDOM_FAILED:
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)
- case MBEDTLS_ERR_ECP_IN_PROGRESS:
- return PSA_OPERATION_INCOMPLETE;
-#endif
-#endif
-
- case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
- return PSA_ERROR_CORRUPTION_DETECTED;
-
- default:
- return PSA_ERROR_GENERIC_ERROR;
- }
-}
-
-/**
- * \brief For output buffers which contain "tags"
- * (outputs that may be checked for validity like
- * hashes, MACs and signatures), fill the unused
- * part of the output buffer (the whole buffer on
- * error, the trailing part on success) with
- * something that isn't a valid tag (barring an
- * attack on the tag and deliberately-crafted
- * input), in case the caller doesn't check the
- * return status properly.
- *
- * \param output_buffer Pointer to buffer to wipe. May not be NULL
- * unless \p output_buffer_size is zero.
- * \param status Status of function called to generate
- * output_buffer originally
- * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
- * could be NULL.
- * \param output_buffer_length Length of data written to output_buffer, must be
- * less than \p output_buffer_size
- */
-static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
- size_t output_buffer_size, size_t output_buffer_length)
-{
- size_t offset = 0;
-
- if (output_buffer_size == 0) {
- /* If output_buffer_size is 0 then we have nothing to do. We must not
- call memset because output_buffer may be NULL in this case */
- return;
- }
-
- if (status == PSA_SUCCESS) {
- offset = output_buffer_length;
- }
-
- memset(output_buffer + offset, '!', output_buffer_size - offset);
-}
-
-
-
-
-/****************************************************************/
-/* Key management */
-/****************************************************************/
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
- size_t *bits)
-{
- switch (grpid) {
-#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
- case MBEDTLS_ECP_DP_SECP192R1:
- *bits = 192;
- return PSA_ECC_FAMILY_SECP_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
- case MBEDTLS_ECP_DP_SECP224R1:
- *bits = 224;
- return PSA_ECC_FAMILY_SECP_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
- case MBEDTLS_ECP_DP_SECP256R1:
- *bits = 256;
- return PSA_ECC_FAMILY_SECP_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
- case MBEDTLS_ECP_DP_SECP384R1:
- *bits = 384;
- return PSA_ECC_FAMILY_SECP_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
- case MBEDTLS_ECP_DP_SECP521R1:
- *bits = 521;
- return PSA_ECC_FAMILY_SECP_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP256R1)
- case MBEDTLS_ECP_DP_BP256R1:
- *bits = 256;
- return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP384R1)
- case MBEDTLS_ECP_DP_BP384R1:
- *bits = 384;
- return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP512R1)
- case MBEDTLS_ECP_DP_BP512R1:
- *bits = 512;
- return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
- case MBEDTLS_ECP_DP_CURVE25519:
- *bits = 255;
- return PSA_ECC_FAMILY_MONTGOMERY;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
- case MBEDTLS_ECP_DP_SECP192K1:
- *bits = 192;
- return PSA_ECC_FAMILY_SECP_K1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
- case MBEDTLS_ECP_DP_SECP224K1:
- *bits = 224;
- return PSA_ECC_FAMILY_SECP_K1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
- case MBEDTLS_ECP_DP_SECP256K1:
- *bits = 256;
- return PSA_ECC_FAMILY_SECP_K1;
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE448)
- case MBEDTLS_ECP_DP_CURVE448:
- *bits = 448;
- return PSA_ECC_FAMILY_MONTGOMERY;
-#endif
- default:
- *bits = 0;
- return 0;
- }
-}
-
-mbedtls_ecp_group_id mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,
- size_t bits,
- int bits_is_sloppy)
-{
- switch (curve) {
- case PSA_ECC_FAMILY_SECP_R1:
- switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_R1_192)
- case 192:
- return MBEDTLS_ECP_DP_SECP192R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
- case 224:
- return MBEDTLS_ECP_DP_SECP224R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_256)
- case 256:
- return MBEDTLS_ECP_DP_SECP256R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_384)
- case 384:
- return MBEDTLS_ECP_DP_SECP384R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_521)
- case 521:
- return MBEDTLS_ECP_DP_SECP521R1;
- case 528:
- if (bits_is_sloppy) {
- return MBEDTLS_ECP_DP_SECP521R1;
- }
- break;
-#endif
- }
- break;
-
- case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
- switch (bits) {
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
- case 256:
- return MBEDTLS_ECP_DP_BP256R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
- case 384:
- return MBEDTLS_ECP_DP_BP384R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
- case 512:
- return MBEDTLS_ECP_DP_BP512R1;
-#endif
- }
- break;
-
- case PSA_ECC_FAMILY_MONTGOMERY:
- switch (bits) {
-#if defined(PSA_WANT_ECC_MONTGOMERY_255)
- case 255:
- return MBEDTLS_ECP_DP_CURVE25519;
- case 256:
- if (bits_is_sloppy) {
- return MBEDTLS_ECP_DP_CURVE25519;
- }
- break;
-#endif
-#if defined(PSA_WANT_ECC_MONTGOMERY_448)
- case 448:
- return MBEDTLS_ECP_DP_CURVE448;
-#endif
- }
- break;
-
- case PSA_ECC_FAMILY_SECP_K1:
- switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_K1_192)
- case 192:
- return MBEDTLS_ECP_DP_SECP192K1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_224)
- case 224:
- return MBEDTLS_ECP_DP_SECP224K1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_256)
- case 256:
- return MBEDTLS_ECP_DP_SECP256K1;
-#endif
- }
- break;
- }
-
- (void) bits_is_sloppy;
- return MBEDTLS_ECP_DP_NONE;
-}
-#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
-
-psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
- size_t bits)
-{
- /* Check that the bit size is acceptable for the key type */
- switch (type) {
- case PSA_KEY_TYPE_RAW_DATA:
- case PSA_KEY_TYPE_HMAC:
- case PSA_KEY_TYPE_DERIVE:
- case PSA_KEY_TYPE_PASSWORD:
- case PSA_KEY_TYPE_PASSWORD_HASH:
- break;
-#if defined(PSA_WANT_KEY_TYPE_AES)
- case PSA_KEY_TYPE_AES:
- if (bits != 128 && bits != 192 && bits != 256) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif
-#if defined(PSA_WANT_KEY_TYPE_ARIA)
- case PSA_KEY_TYPE_ARIA:
- if (bits != 128 && bits != 192 && bits != 256) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif
-#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
- case PSA_KEY_TYPE_CAMELLIA:
- if (bits != 128 && bits != 192 && bits != 256) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif
-#if defined(PSA_WANT_KEY_TYPE_DES)
- case PSA_KEY_TYPE_DES:
- if (bits != 64 && bits != 128 && bits != 192) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif
-#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
- case PSA_KEY_TYPE_CHACHA20:
- if (bits != 256) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif
- default:
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (bits % 8 != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return PSA_SUCCESS;
-}
-
-/** Check whether a given key type is valid for use with a given MAC algorithm
- *
- * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
- * when called with the validated \p algorithm and \p key_type is well-defined.
- *
- * \param[in] algorithm The specific MAC algorithm (can be wildcard).
- * \param[in] key_type The key type of the key to be used with the
- * \p algorithm.
- *
- * \retval #PSA_SUCCESS
- * The \p key_type is valid for use with the \p algorithm
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The \p key_type is not valid for use with the \p algorithm
- */
-MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
- psa_algorithm_t algorithm,
- psa_key_type_t key_type)
-{
- if (PSA_ALG_IS_HMAC(algorithm)) {
- if (key_type == PSA_KEY_TYPE_HMAC) {
- return PSA_SUCCESS;
- }
- }
-
- if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
- /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
- * key. */
- if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
- PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
- /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
- * the block length (larger than 1) for block ciphers. */
- if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
- return PSA_SUCCESS;
- }
- }
- }
-
- return PSA_ERROR_INVALID_ARGUMENT;
-}
-
-psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
- size_t buffer_length)
-{
- if (slot->key.data != NULL) {
- return PSA_ERROR_ALREADY_EXISTS;
- }
-
- slot->key.data = mbedtls_calloc(1, buffer_length);
- if (slot->key.data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- slot->key.bytes = buffer_length;
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
- const uint8_t *data,
- size_t data_length)
-{
- psa_status_t status = psa_allocate_buffer_to_slot(slot,
- data_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- memcpy(slot->key.data, data, data_length);
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_import_key_into_slot(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_type_t type = attributes->core.type;
-
- /* zero-length keys are never supported. */
- if (data_length == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (key_type_is_raw_bytes(type)) {
- *bits = PSA_BYTES_TO_BITS(data_length);
-
- status = psa_validate_unstructured_key_bit_size(attributes->core.type,
- *bits);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Copy the key material. */
- memcpy(key_buffer, data, data_length);
- *key_buffer_length = data_length;
- (void) key_buffer_size;
-
- return PSA_SUCCESS;
- } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
- if (PSA_KEY_TYPE_IS_DH(type)) {
- if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- return mbedtls_psa_ffdh_import_key(attributes,
- data, data_length,
- key_buffer, key_buffer_size,
- key_buffer_length,
- bits);
- }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
- if (PSA_KEY_TYPE_IS_ECC(type)) {
- return mbedtls_psa_ecp_import_key(attributes,
- data, data_length,
- key_buffer, key_buffer_size,
- key_buffer_length,
- bits);
- }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
-#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
- if (PSA_KEY_TYPE_IS_RSA(type)) {
- return mbedtls_psa_rsa_import_key(attributes,
- data, data_length,
- key_buffer, key_buffer_size,
- key_buffer_length,
- bits);
- }
-#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
- }
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-/** Calculate the intersection of two algorithm usage policies.
- *
- * Return 0 (which allows no operation) on incompatibility.
- */
-static psa_algorithm_t psa_key_policy_algorithm_intersection(
- psa_key_type_t key_type,
- psa_algorithm_t alg1,
- psa_algorithm_t alg2)
-{
- /* Common case: both sides actually specify the same policy. */
- if (alg1 == alg2) {
- return alg1;
- }
- /* If the policies are from the same hash-and-sign family, check
- * if one is a wildcard. If so the other has the specific algorithm. */
- if (PSA_ALG_IS_SIGN_HASH(alg1) &&
- PSA_ALG_IS_SIGN_HASH(alg2) &&
- (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
- if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
- return alg2;
- }
- if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
- return alg1;
- }
- }
- /* If the policies are from the same AEAD family, check whether
- * one of them is a minimum-tag-length wildcard. Calculate the most
- * restrictive tag length. */
- if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
- (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
- PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
- size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
- size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
- size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
-
- /* If both are wildcards, return most restrictive wildcard */
- if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
- ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
- return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
- alg1, restricted_len);
- }
- /* If only one is a wildcard, return specific algorithm if compatible. */
- if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
- (alg1_len <= alg2_len)) {
- return alg2;
- }
- if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
- (alg2_len <= alg1_len)) {
- return alg1;
- }
- }
- /* If the policies are from the same MAC family, check whether one
- * of them is a minimum-MAC-length policy. Calculate the most
- * restrictive tag length. */
- if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
- (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
- PSA_ALG_FULL_LENGTH_MAC(alg2))) {
- /* Validate the combination of key type and algorithm. Since the base
- * algorithm of alg1 and alg2 are the same, we only need this once. */
- if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
- return 0;
- }
-
- /* Get the (exact or at-least) output lengths for both sides of the
- * requested intersection. None of the currently supported algorithms
- * have an output length dependent on the actual key size, so setting it
- * to a bogus value of 0 is currently OK.
- *
- * Note that for at-least-this-length wildcard algorithms, the output
- * length is set to the shortest allowed length, which allows us to
- * calculate the most restrictive tag length for the intersection. */
- size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
- size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
- size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
-
- /* If both are wildcards, return most restrictive wildcard */
- if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
- ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
- return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
- }
-
- /* If only one is an at-least-this-length policy, the intersection would
- * be the other (fixed-length) policy as long as said fixed length is
- * equal to or larger than the shortest allowed length. */
- if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
- return (alg1_len <= alg2_len) ? alg2 : 0;
- }
- if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
- return (alg2_len <= alg1_len) ? alg1 : 0;
- }
-
- /* If none of them are wildcards, check whether they define the same tag
- * length. This is still possible here when one is default-length and
- * the other specific-length. Ensure to always return the
- * specific-length version for the intersection. */
- if (alg1_len == alg2_len) {
- return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
- }
- }
- /* If the policies are incompatible, allow nothing. */
- return 0;
-}
-
-static int psa_key_algorithm_permits(psa_key_type_t key_type,
- psa_algorithm_t policy_alg,
- psa_algorithm_t requested_alg)
-{
- /* Common case: the policy only allows requested_alg. */
- if (requested_alg == policy_alg) {
- return 1;
- }
- /* If policy_alg is a hash-and-sign with a wildcard for the hash,
- * and requested_alg is the same hash-and-sign family with any hash,
- * then requested_alg is compliant with policy_alg. */
- if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
- PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
- return (policy_alg & ~PSA_ALG_HASH_MASK) ==
- (requested_alg & ~PSA_ALG_HASH_MASK);
- }
- /* If policy_alg is a wildcard AEAD algorithm of the same base as
- * the requested algorithm, check the requested tag length to be
- * equal-length or longer than the wildcard-specified length. */
- if (PSA_ALG_IS_AEAD(policy_alg) &&
- PSA_ALG_IS_AEAD(requested_alg) &&
- (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
- PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
- ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
- return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
- PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
- }
- /* If policy_alg is a MAC algorithm of the same base as the requested
- * algorithm, check whether their MAC lengths are compatible. */
- if (PSA_ALG_IS_MAC(policy_alg) &&
- PSA_ALG_IS_MAC(requested_alg) &&
- (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
- PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
- /* Validate the combination of key type and algorithm. Since the policy
- * and requested algorithms are the same, we only need this once. */
- if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
- return 0;
- }
-
- /* Get both the requested output length for the algorithm which is to be
- * verified, and the default output length for the base algorithm.
- * Note that none of the currently supported algorithms have an output
- * length dependent on actual key size, so setting it to a bogus value
- * of 0 is currently OK. */
- size_t requested_output_length = PSA_MAC_LENGTH(
- key_type, 0, requested_alg);
- size_t default_output_length = PSA_MAC_LENGTH(
- key_type, 0,
- PSA_ALG_FULL_LENGTH_MAC(requested_alg));
-
- /* If the policy is default-length, only allow an algorithm with
- * a declared exact-length matching the default. */
- if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
- return requested_output_length == default_output_length;
- }
-
- /* If the requested algorithm is default-length, allow it if the policy
- * length exactly matches the default length. */
- if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
- PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
- return 1;
- }
-
- /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
- * check for the requested MAC length to be equal to or longer than the
- * minimum allowed length. */
- if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
- return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
- requested_output_length;
- }
- }
- /* If policy_alg is a generic key agreement operation, then using it for
- * a key derivation with that key agreement should also be allowed. This
- * behaviour is expected to be defined in a future specification version. */
- if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
- PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
- return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
- policy_alg;
- }
- /* If it isn't explicitly permitted, it's forbidden. */
- return 0;
-}
-
-/** Test whether a policy permits an algorithm.
- *
- * The caller must test usage flags separately.
- *
- * \note This function requires providing the key type for which the policy is
- * being validated, since some algorithm policy definitions (e.g. MAC)
- * have different properties depending on what kind of cipher it is
- * combined with.
- *
- * \retval PSA_SUCCESS When \p alg is a specific algorithm
- * allowed by the \p policy.
- * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm
- * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but
- * the \p policy does not allow it.
- */
-static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
- psa_key_type_t key_type,
- psa_algorithm_t alg)
-{
- /* '0' is not a valid algorithm */
- if (alg == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* A requested algorithm cannot be a wildcard. */
- if (PSA_ALG_IS_WILDCARD(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
- psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
- return PSA_SUCCESS;
- } else {
- return PSA_ERROR_NOT_PERMITTED;
- }
-}
-
-/** Restrict a key policy based on a constraint.
- *
- * \note This function requires providing the key type for which the policy is
- * being restricted, since some algorithm policy definitions (e.g. MAC)
- * have different properties depending on what kind of cipher it is
- * combined with.
- *
- * \param[in] key_type The key type for which to restrict the policy
- * \param[in,out] policy The policy to restrict.
- * \param[in] constraint The policy constraint to apply.
- *
- * \retval #PSA_SUCCESS
- * \c *policy contains the intersection of the original value of
- * \c *policy and \c *constraint.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \c key_type, \c *policy and \c *constraint are incompatible.
- * \c *policy is unchanged.
- */
-static psa_status_t psa_restrict_key_policy(
- psa_key_type_t key_type,
- psa_key_policy_t *policy,
- const psa_key_policy_t *constraint)
-{
- psa_algorithm_t intersection_alg =
- psa_key_policy_algorithm_intersection(key_type, policy->alg,
- constraint->alg);
- psa_algorithm_t intersection_alg2 =
- psa_key_policy_algorithm_intersection(key_type, policy->alg2,
- constraint->alg2);
- if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- policy->usage &= constraint->usage;
- policy->alg = intersection_alg;
- policy->alg2 = intersection_alg2;
- return PSA_SUCCESS;
-}
-
-/** Get the description of a key given its identifier and policy constraints
- * and lock it.
- *
- * The key must have allow all the usage flags set in \p usage. If \p alg is
- * nonzero, the key must allow operations with this algorithm. If \p alg is
- * zero, the algorithm is not checked.
- *
- * In case of a persistent key, the function loads the description of the key
- * into a key slot if not already done.
- *
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
- */
-static psa_status_t psa_get_and_lock_key_slot_with_policy(
- mbedtls_svc_key_id_t key,
- psa_key_slot_t **p_slot,
- psa_key_usage_t usage,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
-
- status = psa_get_and_lock_key_slot(key, p_slot);
- if (status != PSA_SUCCESS) {
- return status;
- }
- slot = *p_slot;
-
- /* Enforce that usage policy for the key slot contains all the flags
- * required by the usage parameter. There is one exception: public
- * keys can always be exported, so we treat public key objects as
- * if they had the export flag. */
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
- usage &= ~PSA_KEY_USAGE_EXPORT;
- }
-
- if ((slot->attr.policy.usage & usage) != usage) {
- status = PSA_ERROR_NOT_PERMITTED;
- goto error;
- }
-
- /* Enforce that the usage policy permits the requested algorithm. */
- if (alg != 0) {
- status = psa_key_policy_permits(&slot->attr.policy,
- slot->attr.type,
- alg);
- if (status != PSA_SUCCESS) {
- goto error;
- }
- }
-
- return PSA_SUCCESS;
-
-error:
- *p_slot = NULL;
- psa_unlock_key_slot(slot);
-
- return status;
-}
-
-/** Get a key slot containing a transparent key and lock it.
- *
- * A transparent key is a key for which the key material is directly
- * available, as opposed to a key in a secure element and/or to be used
- * by a secure element.
- *
- * This is a temporary function that may be used instead of
- * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
- * for a cryptographic operation.
- *
- * On success, the returned key slot is locked. It is the responsibility of the
- * caller to unlock the key slot when it does not access it anymore.
- */
-static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
- mbedtls_svc_key_id_t key,
- psa_key_slot_t **p_slot,
- psa_key_usage_t usage,
- psa_algorithm_t alg)
-{
- psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
- usage, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
- psa_unlock_key_slot(*p_slot);
- *p_slot = NULL;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
-{
- if (slot->key.data != NULL) {
- mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
- }
-
- slot->key.data = NULL;
- slot->key.bytes = 0;
-
- return PSA_SUCCESS;
-}
-
-/** Completely wipe a slot in memory, including its policy.
- * Persistent storage is not affected. */
-psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
-{
- psa_status_t status = psa_remove_key_data_from_memory(slot);
-
- /*
- * As the return error code may not be handled in case of multiple errors,
- * do our best to report an unexpected lock counter. Assert with
- * MBEDTLS_TEST_HOOK_TEST_ASSERT that the lock counter is equal to one:
- * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
- * function is called as part of the execution of a test suite, the
- * execution of the test suite is stopped in error if the assertion fails.
- */
- if (slot->lock_count != 1) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->lock_count == 1);
- status = PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- /* Multipart operations may still be using the key. This is safe
- * because all multipart operation objects are independent from
- * the key slot: if they need to access the key after the setup
- * phase, they have a copy of the key. Note that this means that
- * key material can linger until all operations are completed. */
- /* At this point, key material and other type-specific content has
- * been wiped. Clear remaining metadata. We can call memset and not
- * zeroize because the metadata is not particularly sensitive. */
- memset(slot, 0, sizeof(*slot));
- return status;
-}
-
-psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
-{
- psa_key_slot_t *slot;
- psa_status_t status; /* status of the last operation */
- psa_status_t overall_status = PSA_SUCCESS;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- psa_se_drv_table_entry_t *driver;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- if (mbedtls_svc_key_id_is_null(key)) {
- return PSA_SUCCESS;
- }
-
- /*
- * Get the description of the key in a key slot. In case of a persistent
- * key, this will load the key description from persistent memory if not
- * done yet. We cannot avoid this loading as without it we don't know if
- * the key is operated by an SE or not and this information is needed by
- * the current implementation.
- */
- status = psa_get_and_lock_key_slot(key, &slot);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /*
- * If the key slot containing the key description is under access by the
- * library (apart from the present access), the key cannot be destroyed
- * yet. For the time being, just return in error. Eventually (to be
- * implemented), the key should be destroyed when all accesses have
- * stopped.
- */
- if (slot->lock_count > 1) {
- psa_unlock_key_slot(slot);
- return PSA_ERROR_GENERIC_ERROR;
- }
-
- if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
- /* Refuse the destruction of a read-only key (which may or may not work
- * if we attempt it, depending on whether the key is merely read-only
- * by policy or actually physically read-only).
- * Just do the best we can, which is to wipe the copy in memory
- * (done in this function's cleanup code). */
- overall_status = PSA_ERROR_NOT_PERMITTED;
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- driver = psa_get_se_driver_entry(slot->attr.lifetime);
- if (driver != NULL) {
- /* For a key in a secure element, we need to do three things:
- * remove the key file in internal storage, destroy the
- * key inside the secure element, and update the driver's
- * persistent data. Start a transaction that will encompass these
- * three actions. */
- psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
- psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
- psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
- psa_crypto_transaction.key.id = slot->attr.id;
- status = psa_crypto_save_transaction();
- if (status != PSA_SUCCESS) {
- (void) psa_crypto_stop_transaction();
- /* We should still try to destroy the key in the secure
- * element and the key metadata in storage. This is especially
- * important if the error is that the storage is full.
- * But how to do it exactly without risking an inconsistent
- * state after a reset?
- * https://github.com/ARMmbed/mbed-crypto/issues/215
- */
- overall_status = status;
- goto exit;
- }
-
- status = psa_destroy_se_key(driver,
- psa_key_slot_get_slot_number(slot));
- if (overall_status == PSA_SUCCESS) {
- overall_status = status;
- }
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
- status = psa_destroy_persistent_key(slot->attr.id);
- if (overall_status == PSA_SUCCESS) {
- overall_status = status;
- }
-
- /* TODO: other slots may have a copy of the same key. We should
- * invalidate them.
- * https://github.com/ARMmbed/mbed-crypto/issues/214
- */
- }
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if (driver != NULL) {
- status = psa_save_se_persistent_data(driver);
- if (overall_status == PSA_SUCCESS) {
- overall_status = status;
- }
- status = psa_crypto_stop_transaction();
- if (overall_status == PSA_SUCCESS) {
- overall_status = status;
- }
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
-exit:
- status = psa_wipe_key_slot(slot);
- /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
- if (status != PSA_SUCCESS) {
- overall_status = status;
- }
- return overall_status;
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
-static psa_status_t psa_get_rsa_public_exponent(
- const mbedtls_rsa_context *rsa,
- psa_key_attributes_t *attributes)
-{
- mbedtls_mpi mpi;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint8_t *buffer = NULL;
- size_t buflen;
- mbedtls_mpi_init(&mpi);
-
- ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &mpi);
- if (ret != 0) {
- goto exit;
- }
- if (mbedtls_mpi_cmp_int(&mpi, 65537) == 0) {
- /* It's the default value, which is reported as an empty string,
- * so there's nothing to do. */
- goto exit;
- }
-
- buflen = mbedtls_mpi_size(&mpi);
- buffer = mbedtls_calloc(1, buflen);
- if (buffer == NULL) {
- ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
- goto exit;
- }
- ret = mbedtls_mpi_write_binary(&mpi, buffer, buflen);
- if (ret != 0) {
- goto exit;
- }
- attributes->domain_parameters = buffer;
- attributes->domain_parameters_size = buflen;
-
-exit:
- mbedtls_mpi_free(&mpi);
- if (ret != 0) {
- mbedtls_free(buffer);
- }
- return mbedtls_to_psa_error(ret);
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
-
-/** Retrieve all the publicly-accessible attributes of a key.
- */
-psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
- psa_key_attributes_t *attributes)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- psa_reset_key_attributes(attributes);
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- attributes->core = slot->attr;
- attributes->core.flags &= (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
- MBEDTLS_PSA_KA_MASK_DUAL_USE);
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
- psa_set_key_slot_number(attributes,
- psa_key_slot_get_slot_number(slot));
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- switch (slot->attr.type) {
-#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
- case PSA_KEY_TYPE_RSA_KEY_PAIR:
- case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
- /* TODO: reporting the public exponent for opaque keys
- * is not yet implemented.
- * https://github.com/ARMmbed/mbed-crypto/issues/216
- */
- if (!psa_key_lifetime_is_external(slot->attr.lifetime)) {
- mbedtls_rsa_context *rsa = NULL;
-
- status = mbedtls_psa_rsa_load_representation(
- slot->attr.type,
- slot->key.data,
- slot->key.bytes,
- &rsa);
- if (status != PSA_SUCCESS) {
- break;
- }
-
- status = psa_get_rsa_public_exponent(rsa,
- attributes);
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
- }
- break;
-#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
- default:
- /* Nothing else to do. */
- break;
- }
-
- if (status != PSA_SUCCESS) {
- psa_reset_key_attributes(attributes);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-psa_status_t psa_get_key_slot_number(
- const psa_key_attributes_t *attributes,
- psa_key_slot_number_t *slot_number)
-{
- if (attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER) {
- *slot_number = attributes->slot_number;
- return PSA_SUCCESS;
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-}
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
-static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- if (key_buffer_size > data_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- memcpy(data, key_buffer, key_buffer_size);
- memset(data + key_buffer_size, 0,
- data_size - key_buffer_size);
- *data_length = key_buffer_size;
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_export_key_internal(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length)
-{
- psa_key_type_t type = attributes->core.type;
-
- if (key_type_is_raw_bytes(type) ||
- PSA_KEY_TYPE_IS_RSA(type) ||
- PSA_KEY_TYPE_IS_ECC(type) ||
- PSA_KEY_TYPE_IS_DH(type)) {
- return psa_export_key_buffer_internal(
- key_buffer, key_buffer_size,
- data, data_size, data_length);
- } else {
- /* This shouldn't happen in the reference implementation, but
- it is valid for a special-purpose implementation to omit
- support for exporting certain key types. */
- return PSA_ERROR_NOT_SUPPORTED;
- }
-}
-
-psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- /* Reject a zero-length output buffer now, since this can never be a
- * valid key representation. This way we know that data must be a valid
- * pointer and we can do things like memset(data, ..., data_size). */
- if (data_size == 0) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Set the key to empty now, so that even when there are errors, we always
- * set data_length to a value between 0 and data_size. On error, setting
- * the key to empty is a good choice because an empty key representation is
- * unlikely to be accepted anywhere. */
- *data_length = 0;
-
- /* Export requires the EXPORT flag. There is an exception for public keys,
- * which don't require any flag, but
- * psa_get_and_lock_key_slot_with_policy() takes care of this.
- */
- status = psa_get_and_lock_key_slot_with_policy(key, &slot,
- PSA_KEY_USAGE_EXPORT, 0);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- psa_key_attributes_t attributes = {
- .core = slot->attr
- };
- status = psa_driver_wrapper_export_key(&attributes,
- slot->key.data, slot->key.bytes,
- data, data_size, data_length);
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_export_public_key_internal(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- psa_key_type_t type = attributes->core.type;
-
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
- (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
- PSA_KEY_TYPE_IS_DH(type))) {
- /* Exporting public -> public */
- return psa_export_key_buffer_internal(
- key_buffer, key_buffer_size,
- data, data_size, data_length);
- } else if (PSA_KEY_TYPE_IS_RSA(type)) {
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
- return mbedtls_psa_rsa_export_public_key(attributes,
- key_buffer,
- key_buffer_size,
- data,
- data_size,
- data_length);
-#else
- /* We don't know how to convert a private RSA key to public. */
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
- } else if (PSA_KEY_TYPE_IS_ECC(type)) {
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
- return mbedtls_psa_ecp_export_public_key(attributes,
- key_buffer,
- key_buffer_size,
- data,
- data_size,
- data_length);
-#else
- /* We don't know how to convert a private ECC key to public */
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
- } else if (PSA_KEY_TYPE_IS_DH(type)) {
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
- return mbedtls_psa_ffdh_export_public_key(attributes,
- key_buffer,
- key_buffer_size,
- data, data_size,
- data_length);
-#else
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
- } else {
- (void) key_buffer;
- (void) key_buffer_size;
- (void) data;
- (void) data_size;
- (void) data_length;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-}
-
-psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_attributes_t attributes;
-
- /* Reject a zero-length output buffer now, since this can never be a
- * valid key representation. This way we know that data must be a valid
- * pointer and we can do things like memset(data, ..., data_size). */
- if (data_size == 0) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Set the key to empty now, so that even when there are errors, we always
- * set data_length to a value between 0 and data_size. On error, setting
- * the key to empty is a good choice because an empty key representation is
- * unlikely to be accepted anywhere. */
- *data_length = 0;
-
- /* Exporting a public key doesn't require a usage flag. */
- status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
- status = psa_driver_wrapper_export_public_key(
- &attributes, slot->key.data, slot->key.bytes,
- data, data_size, data_length);
-
-exit:
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-MBEDTLS_STATIC_ASSERT(
- (MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0,
- "One or more key attribute flag is listed as both external-only and dual-use")
-MBEDTLS_STATIC_ASSERT(
- (PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE) == 0,
- "One or more key attribute flag is listed as both internal-only and dual-use")
-MBEDTLS_STATIC_ASSERT(
- (PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY) == 0,
- "One or more key attribute flag is listed as both internal-only and external-only")
-
-/** Validate that a key policy is internally well-formed.
- *
- * This function only rejects invalid policies. It does not validate the
- * consistency of the policy with respect to other attributes of the key
- * such as the key type.
- */
-static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
-{
- if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
- PSA_KEY_USAGE_COPY |
- PSA_KEY_USAGE_ENCRYPT |
- PSA_KEY_USAGE_DECRYPT |
- PSA_KEY_USAGE_SIGN_MESSAGE |
- PSA_KEY_USAGE_VERIFY_MESSAGE |
- PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_VERIFY_HASH |
- PSA_KEY_USAGE_VERIFY_DERIVATION |
- PSA_KEY_USAGE_DERIVE)) != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return PSA_SUCCESS;
-}
-
-/** Validate the internal consistency of key attributes.
- *
- * This function only rejects invalid attribute values. If does not
- * validate the consistency of the attributes with any key data that may
- * be involved in the creation of the key.
- *
- * Call this function early in the key creation process.
- *
- * \param[in] attributes Key attributes for the new key.
- * \param[out] p_drv On any return, the driver for the key, if any.
- * NULL for a transparent key.
- *
- */
-static psa_status_t psa_validate_key_attributes(
- const psa_key_attributes_t *attributes,
- psa_se_drv_table_entry_t **p_drv)
-{
- psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
- psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
- mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
-
- status = psa_validate_key_location(lifetime, p_drv);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_validate_key_persistence(lifetime);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
- if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else {
- if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- status = psa_validate_key_policy(&attributes->core.policy);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Refuse to create overly large keys.
- * Note that this doesn't trigger on import if the attributes don't
- * explicitly specify a size (so psa_get_key_bits returns 0), so
- * psa_import_key() needs its own checks. */
- if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Reject invalid flags. These should not be reachable through the API. */
- if (attributes->core.flags & ~(MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
- MBEDTLS_PSA_KA_MASK_DUAL_USE)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return PSA_SUCCESS;
-}
-
-/** Prepare a key slot to receive key material.
- *
- * This function allocates a key slot and sets its metadata.
- *
- * If this function fails, call psa_fail_key_creation().
- *
- * This function is intended to be used as follows:
- * -# Call psa_start_key_creation() to allocate a key slot, prepare
- * it with the specified attributes, and in case of a volatile key assign it
- * a volatile key identifier.
- * -# Populate the slot with the key material.
- * -# Call psa_finish_key_creation() to finalize the creation of the slot.
- * In case of failure at any step, stop the sequence and call
- * psa_fail_key_creation().
- *
- * On success, the key slot is locked. It is the responsibility of the caller
- * to unlock the key slot when it does not access it anymore.
- *
- * \param method An identification of the calling function.
- * \param[in] attributes Key attributes for the new key.
- * \param[out] p_slot On success, a pointer to the prepared slot.
- * \param[out] p_drv On any return, the driver for the key, if any.
- * NULL for a transparent key.
- *
- * \retval #PSA_SUCCESS
- * The key slot is ready to receive key material.
- * \return If this function fails, the key slot is an invalid state.
- * You must call psa_fail_key_creation() to wipe and free the slot.
- */
-static psa_status_t psa_start_key_creation(
- psa_key_creation_method_t method,
- const psa_key_attributes_t *attributes,
- psa_key_slot_t **p_slot,
- psa_se_drv_table_entry_t **p_drv)
-{
- psa_status_t status;
- psa_key_id_t volatile_key_id;
- psa_key_slot_t *slot;
-
- (void) method;
- *p_drv = NULL;
-
- status = psa_validate_key_attributes(attributes, p_drv);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
- if (status != PSA_SUCCESS) {
- return status;
- }
- slot = *p_slot;
-
- /* We're storing the declared bit-size of the key. It's up to each
- * creation mechanism to verify that this information is correct.
- * It's automatically correct for mechanisms that use the bit-size as
- * an input (generate, device) but not for those where the bit-size
- * is optional (import, copy). In case of a volatile key, assign it the
- * volatile key identifier associated to the slot returned to contain its
- * definition. */
-
- slot->attr = attributes->core;
- if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
-#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
- slot->attr.id = volatile_key_id;
-#else
- slot->attr.id.key_id = volatile_key_id;
-#endif
- }
-
- /* Erase external-only flags from the internal copy. To access
- * external-only flags, query `attributes`. Thanks to the check
- * in psa_validate_key_attributes(), this leaves the dual-use
- * flags and any internal flag that psa_get_empty_key_slot()
- * may have set. */
- slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* For a key in a secure element, we need to do three things
- * when creating or registering a persistent key:
- * create the key file in internal storage, create the
- * key inside the secure element, and update the driver's
- * persistent data. This is done by starting a transaction that will
- * encompass these three actions.
- * For registering a volatile key, we just need to find an appropriate
- * slot number inside the SE. Since the key is designated volatile, creating
- * a transaction is not required. */
- /* The first thing to do is to find a slot number for the new key.
- * We save the slot number in persistent storage as part of the
- * transaction data. It will be needed to recover if the power
- * fails during the key creation process, to clean up on the secure
- * element side after restarting. Obtaining a slot number from the
- * secure element driver updates its persistent state, but we do not yet
- * save the driver's persistent state, so that if the power fails,
- * we can roll back to a state where the key doesn't exist. */
- if (*p_drv != NULL) {
- psa_key_slot_number_t slot_number;
- status = psa_find_se_slot_for_key(attributes, method, *p_drv,
- &slot_number);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->core.lifetime)) {
- psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
- psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
- psa_crypto_transaction.key.slot = slot_number;
- psa_crypto_transaction.key.id = slot->attr.id;
- status = psa_crypto_save_transaction();
- if (status != PSA_SUCCESS) {
- (void) psa_crypto_stop_transaction();
- return status;
- }
- }
-
- status = psa_copy_key_material_into_slot(
- slot, (uint8_t *) (&slot_number), sizeof(slot_number));
- }
-
- if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
- /* Key registration only makes sense with a secure element. */
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- return PSA_SUCCESS;
-}
-
-/** Finalize the creation of a key once its key material has been set.
- *
- * This entails writing the key to persistent storage.
- *
- * If this function fails, call psa_fail_key_creation().
- * See the documentation of psa_start_key_creation() for the intended use
- * of this function.
- *
- * If the finalization succeeds, the function unlocks the key slot (it was
- * locked by psa_start_key_creation()) and the key slot cannot be accessed
- * anymore as part of the key creation process.
- *
- * \param[in,out] slot Pointer to the slot with key material.
- * \param[in] driver The secure element driver for the key,
- * or NULL for a transparent key.
- * \param[out] key On success, identifier of the key. Note that the
- * key identifier is also stored in the key slot.
- *
- * \retval #PSA_SUCCESS
- * The key was successfully created.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- *
- * \return If this function fails, the key slot is an invalid state.
- * You must call psa_fail_key_creation() to wipe and free the slot.
- */
-static psa_status_t psa_finish_key_creation(
- psa_key_slot_t *slot,
- psa_se_drv_table_entry_t *driver,
- mbedtls_svc_key_id_t *key)
-{
- psa_status_t status = PSA_SUCCESS;
- (void) slot;
- (void) driver;
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if (driver != NULL) {
- psa_se_key_data_storage_t data;
- psa_key_slot_number_t slot_number =
- psa_key_slot_get_slot_number(slot);
-
- MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
- sizeof(data.slot_number),
- "Slot number size does not match psa_se_key_data_storage_t");
-
- memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
- status = psa_save_persistent_key(&slot->attr,
- (uint8_t *) &data,
- sizeof(data));
- } else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- {
- /* Key material is saved in export representation in the slot, so
- * just pass the slot buffer for storage. */
- status = psa_save_persistent_key(&slot->attr,
- slot->key.data,
- slot->key.bytes);
- }
- }
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* Finish the transaction for a key creation. This does not
- * happen when registering an existing key. Detect this case
- * by checking whether a transaction is in progress (actual
- * creation of a persistent key in a secure element requires a transaction,
- * but registration or volatile key creation doesn't use one). */
- if (driver != NULL &&
- psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
- status = psa_save_se_persistent_data(driver);
- if (status != PSA_SUCCESS) {
- psa_destroy_persistent_key(slot->attr.id);
- return status;
- }
- status = psa_crypto_stop_transaction();
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- if (status == PSA_SUCCESS) {
- *key = slot->attr.id;
- status = psa_unlock_key_slot(slot);
- if (status != PSA_SUCCESS) {
- *key = MBEDTLS_SVC_KEY_ID_INIT;
- }
- }
-
- return status;
-}
-
-/** Abort the creation of a key.
- *
- * You may call this function after calling psa_start_key_creation(),
- * or after psa_finish_key_creation() fails. In other circumstances, this
- * function may not clean up persistent storage.
- * See the documentation of psa_start_key_creation() for the intended use
- * of this function.
- *
- * \param[in,out] slot Pointer to the slot with key material.
- * \param[in] driver The secure element driver for the key,
- * or NULL for a transparent key.
- */
-static void psa_fail_key_creation(psa_key_slot_t *slot,
- psa_se_drv_table_entry_t *driver)
-{
- (void) driver;
-
- if (slot == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* TODO: If the key has already been created in the secure
- * element, and the failure happened later (when saving metadata
- * to internal storage), we need to destroy the key in the secure
- * element.
- * https://github.com/ARMmbed/mbed-crypto/issues/217
- */
-
- /* Abort the ongoing transaction if any (there may not be one if
- * the creation process failed before starting one, or if the
- * key creation is a registration of a key in a secure element).
- * Earlier functions must already have done what it takes to undo any
- * partial creation. All that's left is to update the transaction data
- * itself. */
- (void) psa_crypto_stop_transaction();
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- psa_wipe_key_slot(slot);
-}
-
-/** Validate optional attributes during key creation.
- *
- * Some key attributes are optional during key creation. If they are
- * specified in the attributes structure, check that they are consistent
- * with the data in the slot.
- *
- * This function should be called near the end of key creation, after
- * the slot in memory is fully populated but before saving persistent data.
- */
-static psa_status_t psa_validate_optional_attributes(
- const psa_key_slot_t *slot,
- const psa_key_attributes_t *attributes)
-{
- if (attributes->core.type != 0) {
- if (attributes->core.type != slot->attr.type) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- if (attributes->domain_parameters_size != 0) {
-#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
- if (PSA_KEY_TYPE_IS_RSA(slot->attr.type)) {
- mbedtls_rsa_context *rsa = NULL;
- mbedtls_mpi actual, required;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- psa_status_t status = mbedtls_psa_rsa_load_representation(
- slot->attr.type,
- slot->key.data,
- slot->key.bytes,
- &rsa);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- mbedtls_mpi_init(&actual);
- mbedtls_mpi_init(&required);
- ret = mbedtls_rsa_export(rsa,
- NULL, NULL, NULL, NULL, &actual);
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
- if (ret != 0) {
- goto rsa_exit;
- }
- ret = mbedtls_mpi_read_binary(&required,
- attributes->domain_parameters,
- attributes->domain_parameters_size);
- if (ret != 0) {
- goto rsa_exit;
- }
- if (mbedtls_mpi_cmp_mpi(&actual, &required) != 0) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-rsa_exit:
- mbedtls_mpi_free(&actual);
- mbedtls_mpi_free(&required);
- if (ret != 0) {
- return mbedtls_to_psa_error(ret);
- }
- } else
-#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
- {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- if (attributes->core.bits != 0) {
- if (attributes->core.bits != slot->attr.bits) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
- const uint8_t *data,
- size_t data_length,
- mbedtls_svc_key_id_t *key)
-{
- psa_status_t status;
- psa_key_slot_t *slot = NULL;
- psa_se_drv_table_entry_t *driver = NULL;
- size_t bits;
- size_t storage_size = data_length;
-
- *key = MBEDTLS_SVC_KEY_ID_INIT;
-
- /* Reject zero-length symmetric keys (including raw data key objects).
- * This also rejects any key which might be encoded as an empty string,
- * which is never valid. */
- if (data_length == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Ensure that the bytes-to-bits conversion cannot overflow. */
- if (data_length > SIZE_MAX / 8) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
- &slot, &driver);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* In the case of a transparent key or an opaque key stored in local
- * storage ( thus not in the case of importing a key in a secure element
- * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
- * buffer to hold the imported key material. */
- if (slot->key.data == NULL) {
- if (psa_key_lifetime_is_external(attributes->core.lifetime)) {
- status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
- attributes, data, data_length, &storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
- status = psa_allocate_buffer_to_slot(slot, storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- bits = slot->attr.bits;
- status = psa_driver_wrapper_import_key(attributes,
- data, data_length,
- slot->key.data,
- slot->key.bytes,
- &slot->key.bytes, &bits);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (slot->attr.bits == 0) {
- slot->attr.bits = (psa_key_bits_t) bits;
- } else if (bits != slot->attr.bits) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- /* Enforce a size limit, and in particular ensure that the bit
- * size fits in its representation type.*/
- if (bits > PSA_MAX_KEY_BITS) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = psa_validate_optional_attributes(slot, attributes);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_finish_key_creation(slot, driver, key);
-exit:
- if (status != PSA_SUCCESS) {
- psa_fail_key_creation(slot, driver);
- }
-
- return status;
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-psa_status_t mbedtls_psa_register_se_key(
- const psa_key_attributes_t *attributes)
-{
- psa_status_t status;
- psa_key_slot_t *slot = NULL;
- psa_se_drv_table_entry_t *driver = NULL;
- mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
-
- /* Leaving attributes unspecified is not currently supported.
- * It could make sense to query the key type and size from the
- * secure element, but not all secure elements support this
- * and the driver HAL doesn't currently support it. */
- if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (psa_get_key_bits(attributes) == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
- &slot, &driver);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_finish_key_creation(slot, driver, &key);
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_fail_key_creation(slot, driver);
- }
-
- /* Registration doesn't keep the key in RAM. */
- psa_close_key(key);
- return status;
-}
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
-psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
- const psa_key_attributes_t *specified_attributes,
- mbedtls_svc_key_id_t *target_key)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *source_slot = NULL;
- psa_key_slot_t *target_slot = NULL;
- psa_key_attributes_t actual_attributes = *specified_attributes;
- psa_se_drv_table_entry_t *driver = NULL;
- size_t storage_size = 0;
-
- *target_key = MBEDTLS_SVC_KEY_ID_INIT;
-
- status = psa_get_and_lock_key_slot_with_policy(
- source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_validate_optional_attributes(source_slot,
- specified_attributes);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* The target key type and number of bits have been validated by
- * psa_validate_optional_attributes() to be either equal to zero or
- * equal to the ones of the source key. So it is safe to inherit
- * them from the source key now."
- * */
- actual_attributes.core.bits = source_slot->attr.bits;
- actual_attributes.core.type = source_slot->attr.type;
-
-
- status = psa_restrict_key_policy(source_slot->attr.type,
- &actual_attributes.core.policy,
- &source_slot->attr.policy);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
- &target_slot, &driver);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
- PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
- /*
- * If the source and target keys are stored in different locations,
- * the source key would need to be exported as plaintext and re-imported
- * in the other location. This has security implications which have not
- * been fully mapped. For now, this can be achieved through
- * appropriate API invocations from the application, if needed.
- * */
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- /*
- * When the source and target keys are within the same location,
- * - For transparent keys it is a blind copy without any driver invocation,
- * - For opaque keys this translates to an invocation of the drivers'
- * copy_key entry point through the dispatch layer.
- * */
- if (psa_key_lifetime_is_external(actual_attributes.core.lifetime)) {
- status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
- &storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_allocate_buffer_to_slot(target_slot, storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_driver_wrapper_copy_key(&actual_attributes,
- source_slot->key.data,
- source_slot->key.bytes,
- target_slot->key.data,
- target_slot->key.bytes,
- &target_slot->key.bytes);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- } else {
- status = psa_copy_key_material_into_slot(target_slot,
- source_slot->key.data,
- source_slot->key.bytes);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
- status = psa_finish_key_creation(target_slot, driver, target_key);
-exit:
- if (status != PSA_SUCCESS) {
- psa_fail_key_creation(target_slot, driver);
- }
-
- unlock_status = psa_unlock_key_slot(source_slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-
-
-/****************************************************************/
-/* Message digests */
-/****************************************************************/
-
-psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
-{
- /* Aborting a non-active operation is allowed */
- if (operation->id == 0) {
- return PSA_SUCCESS;
- }
-
- psa_status_t status = psa_driver_wrapper_hash_abort(operation);
- operation->id = 0;
-
- return status;
-}
-
-psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- /* A context must be freshly initialized before it can be set up. */
- if (operation->id != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (!PSA_ALG_IS_HASH(alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only
- * directly zeroes the int-sized dummy member of the context union. */
- memset(&operation->ctx, 0, sizeof(operation->ctx));
-
- status = psa_driver_wrapper_hash_setup(operation, alg);
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_hash_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_hash_update(psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- /* Don't require hash implementations to behave correctly on a
- * zero-length input, which may have an invalid pointer. */
- if (input_length == 0) {
- return PSA_SUCCESS;
- }
-
- status = psa_driver_wrapper_hash_update(operation, input, input_length);
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_hash_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- *hash_length = 0;
- if (operation->id == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- psa_status_t status = psa_driver_wrapper_hash_finish(
- operation, hash, hash_size, hash_length);
- psa_hash_abort(operation);
- return status;
-}
-
-psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length)
-{
- uint8_t actual_hash[PSA_HASH_MAX_SIZE];
- size_t actual_hash_length;
- psa_status_t status = psa_hash_finish(
- operation,
- actual_hash, sizeof(actual_hash),
- &actual_hash_length);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (actual_hash_length != hash_length) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
-
- if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- }
-
-exit:
- mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
- if (status != PSA_SUCCESS) {
- psa_hash_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_hash_compute(psa_algorithm_t alg,
- const uint8_t *input, size_t input_length,
- uint8_t *hash, size_t hash_size,
- size_t *hash_length)
-{
- *hash_length = 0;
- if (!PSA_ALG_IS_HASH(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return psa_driver_wrapper_hash_compute(alg, input, input_length,
- hash, hash_size, hash_length);
-}
-
-psa_status_t psa_hash_compare(psa_algorithm_t alg,
- const uint8_t *input, size_t input_length,
- const uint8_t *hash, size_t hash_length)
-{
- uint8_t actual_hash[PSA_HASH_MAX_SIZE];
- size_t actual_hash_length;
-
- if (!PSA_ALG_IS_HASH(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- psa_status_t status = psa_driver_wrapper_hash_compute(
- alg, input, input_length,
- actual_hash, sizeof(actual_hash),
- &actual_hash_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- if (actual_hash_length != hash_length) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
- if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- }
-
-exit:
- mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
- return status;
-}
-
-psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
- psa_hash_operation_t *target_operation)
-{
- if (source_operation->id == 0 ||
- target_operation->id != 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
- target_operation);
- if (status != PSA_SUCCESS) {
- psa_hash_abort(target_operation);
- }
-
- return status;
-}
-
-
-/****************************************************************/
-/* MAC */
-/****************************************************************/
-
-psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
-{
- /* Aborting a non-active operation is allowed */
- if (operation->id == 0) {
- return PSA_SUCCESS;
- }
-
- psa_status_t status = psa_driver_wrapper_mac_abort(operation);
- operation->mac_size = 0;
- operation->is_sign = 0;
- operation->id = 0;
-
- return status;
-}
-
-static psa_status_t psa_mac_finalize_alg_and_key_validation(
- psa_algorithm_t alg,
- const psa_key_attributes_t *attributes,
- uint8_t *mac_size)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_type_t key_type = psa_get_key_type(attributes);
- size_t key_bits = psa_get_key_bits(attributes);
-
- if (!PSA_ALG_IS_MAC(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Validate the combination of key type and algorithm */
- status = psa_mac_key_can_do(alg, key_type);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Get the output length for the algorithm and key combination */
- *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
-
- if (*mac_size < 4) {
- /* A very short MAC is too short for security since it can be
- * brute-forced. Ancient protocols with 32-bit MACs do exist,
- * so we make this our minimum, even though 32 bits is still
- * too small for security. */
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
- PSA_ALG_FULL_LENGTH_MAC(alg))) {
- /* It's impossible to "truncate" to a larger length than the full length
- * of the algorithm. */
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (*mac_size > PSA_MAC_MAX_SIZE) {
- /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
- * that is disabled in the compile-time configuration. The result can
- * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
- * configuration into account. In this case, force a return of
- * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
- * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
- * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
- * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
- * systematically generated tests. */
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- int is_sign)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- psa_key_attributes_t attributes;
-
- /* A context must be freshly initialized before it can be set up. */
- if (operation->id != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(
- key,
- &slot,
- is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- status = psa_mac_finalize_alg_and_key_validation(alg, &attributes,
- &operation->mac_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- operation->is_sign = is_sign;
- /* Dispatch the MAC setup call with validated input */
- if (is_sign) {
- status = psa_driver_wrapper_mac_sign_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- } else {
- status = psa_driver_wrapper_mac_verify_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_mac_abort(operation);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_mac_setup(operation, key, alg, 1);
-}
-
-psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_mac_setup(operation, key, alg, 0);
-}
-
-psa_status_t psa_mac_update(psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- if (operation->id == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Don't require hash implementations to behave correctly on a
- * zero-length input, which may have an invalid pointer. */
- if (input_length == 0) {
- return PSA_SUCCESS;
- }
-
- psa_status_t status = psa_driver_wrapper_mac_update(operation,
- input, input_length);
- if (status != PSA_SUCCESS) {
- psa_mac_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (!operation->is_sign) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
- * once all the error checks are done. */
- if (operation->mac_size == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (mac_size < operation->mac_size) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_driver_wrapper_mac_sign_finish(operation,
- mac, operation->mac_size,
- mac_length);
-
-exit:
- /* In case of success, set the potential excess room in the output buffer
- * to an invalid value, to avoid potentially leaking a longer MAC.
- * In case of error, set the output length and content to a safe default,
- * such that in case the caller misses an error check, the output would be
- * an unachievable MAC.
- */
- if (status != PSA_SUCCESS) {
- *mac_length = mac_size;
- operation->mac_size = 0;
- }
-
- psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
-
- abort_status = psa_mac_abort(operation);
-
- return status == PSA_SUCCESS ? abort_status : status;
-}
-
-psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->is_sign) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->mac_size != mac_length) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
-
- status = psa_driver_wrapper_mac_verify_finish(operation,
- mac, mac_length);
-
-exit:
- abort_status = psa_mac_abort(operation);
-
- return status == PSA_SUCCESS ? abort_status : status;
-}
-
-static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length,
- int is_sign)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- uint8_t operation_mac_size = 0;
- psa_key_attributes_t attributes;
-
- status = psa_get_and_lock_key_slot_with_policy(
- key,
- &slot,
- is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- status = psa_mac_finalize_alg_and_key_validation(alg, &attributes,
- &operation_mac_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (mac_size < operation_mac_size) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_driver_wrapper_mac_compute(
- &attributes,
- slot->key.data, slot->key.bytes,
- alg,
- input, input_length,
- mac, operation_mac_size, mac_length);
-
-exit:
- /* In case of success, set the potential excess room in the output buffer
- * to an invalid value, to avoid potentially leaking a longer MAC.
- * In case of error, set the output length and content to a safe default,
- * such that in case the caller misses an error check, the output would be
- * an unachievable MAC.
- */
- if (status != PSA_SUCCESS) {
- *mac_length = mac_size;
- operation_mac_size = 0;
- }
-
- psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- return psa_mac_compute_internal(key, alg,
- input, input_length,
- mac, mac_size, mac_length, 1);
-}
-
-psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *mac,
- size_t mac_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- uint8_t actual_mac[PSA_MAC_MAX_SIZE];
- size_t actual_mac_length;
-
- status = psa_mac_compute_internal(key, alg,
- input, input_length,
- actual_mac, sizeof(actual_mac),
- &actual_mac_length, 0);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (mac_length != actual_mac_length) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
- if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
-
-exit:
- mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
-
- return status;
-}
-
-/****************************************************************/
-/* Asymmetric cryptography */
-/****************************************************************/
-
-static psa_status_t psa_sign_verify_check_alg(int input_is_message,
- psa_algorithm_t alg)
-{
- if (input_is_message) {
- if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (PSA_ALG_IS_SIGN_HASH(alg)) {
- if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
- } else {
- if (!PSA_ALG_IS_SIGN_HASH(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
- int input_is_message,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_attributes_t attributes;
-
- *signature_length = 0;
-
- status = psa_sign_verify_check_alg(input_is_message, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Immediately reject a zero-length signature buffer. This guarantees
- * that signature must be a valid pointer. (On the other hand, the input
- * buffer can in principle be empty since it doesn't actually have
- * to be a hash.) */
- if (signature_size == 0) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(
- key, &slot,
- input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
- PSA_KEY_USAGE_SIGN_HASH,
- alg);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- if (input_is_message) {
- status = psa_driver_wrapper_sign_message(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- signature, signature_size, signature_length);
- } else {
-
- status = psa_driver_wrapper_sign_hash(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- signature, signature_size, signature_length);
- }
-
-
-exit:
- psa_wipe_tag_output_buffer(signature, status, signature_size,
- *signature_length);
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
- int input_is_message,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- status = psa_sign_verify_check_alg(input_is_message, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(
- key, &slot,
- input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
- PSA_KEY_USAGE_VERIFY_HASH,
- alg);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- psa_key_attributes_t attributes = {
- .core = slot->attr
- };
-
- if (input_is_message) {
- status = psa_driver_wrapper_verify_message(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- signature, signature_length);
- } else {
- status = psa_driver_wrapper_verify_hash(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- signature, signature_length);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-
-}
-
-psa_status_t psa_sign_message_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (PSA_ALG_IS_SIGN_HASH(alg)) {
- size_t hash_length;
- uint8_t hash[PSA_HASH_MAX_SIZE];
-
- status = psa_driver_wrapper_hash_compute(
- PSA_ALG_SIGN_GET_HASH(alg),
- input, input_length,
- hash, sizeof(hash), &hash_length);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return psa_driver_wrapper_sign_hash(
- attributes, key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_size, signature_length);
- }
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- return psa_sign_internal(
- key, 1, alg, input, input_length,
- signature, signature_size, signature_length);
-}
-
-psa_status_t psa_verify_message_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (PSA_ALG_IS_SIGN_HASH(alg)) {
- size_t hash_length;
- uint8_t hash[PSA_HASH_MAX_SIZE];
-
- status = psa_driver_wrapper_hash_compute(
- PSA_ALG_SIGN_GET_HASH(alg),
- input, input_length,
- hash, sizeof(hash), &hash_length);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return psa_driver_wrapper_verify_hash(
- attributes, key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_length);
- }
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- return psa_verify_internal(
- key, 1, alg, input, input_length,
- signature, signature_length);
-}
-
-psa_status_t psa_sign_hash_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length)
-{
- if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
- PSA_ALG_IS_RSA_PSS(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
- return mbedtls_psa_rsa_sign_hash(
- attributes,
- key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_size, signature_length);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
- if (PSA_ALG_IS_ECDSA(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
- return mbedtls_psa_ecdsa_sign_hash(
- attributes,
- key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_size, signature_length);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- (void) key_buffer;
- (void) key_buffer_size;
- (void) hash;
- (void) hash_length;
- (void) signature;
- (void) signature_size;
- (void) signature_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- return psa_sign_internal(
- key, 0, alg, hash, hash_length,
- signature, signature_size, signature_length);
-}
-
-psa_status_t psa_verify_hash_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length)
-{
- if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) {
- if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
- PSA_ALG_IS_RSA_PSS(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
- return mbedtls_psa_rsa_verify_hash(
- attributes,
- key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_length);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
- if (PSA_ALG_IS_ECDSA(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
- return mbedtls_psa_ecdsa_verify_hash(
- attributes,
- key_buffer, key_buffer_size,
- alg, hash, hash_length,
- signature, signature_length);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- (void) key_buffer;
- (void) key_buffer_size;
- (void) hash;
- (void) hash_length;
- (void) signature;
- (void) signature_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- return psa_verify_internal(
- key, 0, alg, hash, hash_length,
- signature, signature_length);
-}
-
-psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_attributes_t attributes;
-
- (void) input;
- (void) input_length;
- (void) salt;
- (void) output;
- (void) output_size;
-
- *output_length = 0;
-
- if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = psa_get_and_lock_transparent_key_slot_with_policy(
- key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
- if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
- PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- status = psa_driver_wrapper_asymmetric_encrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length, salt, salt_length,
- output, output_size, output_length);
-exit:
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_attributes_t attributes;
-
- (void) input;
- (void) input_length;
- (void) salt;
- (void) output;
- (void) output_size;
-
- *output_length = 0;
-
- if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = psa_get_and_lock_transparent_key_slot_with_policy(
- key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
- if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- status = psa_driver_wrapper_asymmetric_decrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length, salt, salt_length,
- output, output_size, output_length);
-
-exit:
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-/****************************************************************/
-/* Asymmetric interruptible cryptography */
-/****************************************************************/
-
-static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
-
-void psa_interruptible_set_max_ops(uint32_t max_ops)
-{
- psa_interruptible_max_ops = max_ops;
-}
-
-uint32_t psa_interruptible_get_max_ops(void)
-{
- return psa_interruptible_max_ops;
-}
-
-uint32_t psa_sign_hash_get_num_ops(
- const psa_sign_hash_interruptible_operation_t *operation)
-{
- return operation->num_ops;
-}
-
-uint32_t psa_verify_hash_get_num_ops(
- const psa_verify_hash_interruptible_operation_t *operation)
-{
- return operation->num_ops;
-}
-
-static psa_status_t psa_sign_hash_abort_internal(
- psa_sign_hash_interruptible_operation_t *operation)
-{
- if (operation->id == 0) {
- /* The object has (apparently) been initialized but it is not (yet)
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return PSA_SUCCESS;
- }
-
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_driver_wrapper_sign_hash_abort(operation);
-
- operation->id = 0;
-
- /* Do not clear either the error_occurred or num_ops elements here as they
- * only want to be cleared by the application calling abort, not by abort
- * being called at completion of an operation. */
-
- return status;
-}
-
-psa_status_t psa_sign_hash_start(
- psa_sign_hash_interruptible_operation_t *operation,
- mbedtls_svc_key_id_t key, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_attributes_t attributes;
-
- /* Check that start has not been previously called, or operation has not
- * previously errored. */
- if (operation->id != 0 || operation->error_occurred) {
- return PSA_ERROR_BAD_STATE;
- }
-
- status = psa_sign_verify_check_alg(0, alg);
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- return status;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot,
- PSA_KEY_USAGE_SIGN_HASH,
- alg);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- /* Ensure ops count gets reset, in case of operation re-use. */
- operation->num_ops = 0;
-
- status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
- slot->key.data,
- slot->key.bytes, alg,
- hash, hash_length);
-exit:
-
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- psa_sign_hash_abort_internal(operation);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- if (unlock_status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- }
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-
-psa_status_t psa_sign_hash_complete(
- psa_sign_hash_interruptible_operation_t *operation,
- uint8_t *signature, size_t signature_size,
- size_t *signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *signature_length = 0;
-
- /* Check that start has been called first, and that operation has not
- * previously errored. */
- if (operation->id == 0 || operation->error_occurred) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- /* Immediately reject a zero-length signature buffer. This guarantees that
- * signature must be a valid pointer. */
- if (signature_size == 0) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_driver_wrapper_sign_hash_complete(operation, signature,
- signature_size,
- signature_length);
-
- /* Update ops count with work done. */
- operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
-
-exit:
-
- psa_wipe_tag_output_buffer(signature, status, signature_size,
- *signature_length);
-
- if (status != PSA_OPERATION_INCOMPLETE) {
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- }
-
- psa_sign_hash_abort_internal(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_sign_hash_abort(
- psa_sign_hash_interruptible_operation_t *operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_sign_hash_abort_internal(operation);
-
- /* We clear the number of ops done here, so that it is not cleared when
- * the operation fails or succeeds, only on manual abort. */
- operation->num_ops = 0;
-
- /* Likewise, failure state. */
- operation->error_occurred = 0;
-
- return status;
-}
-
-static psa_status_t psa_verify_hash_abort_internal(
- psa_verify_hash_interruptible_operation_t *operation)
-{
- if (operation->id == 0) {
- /* The object has (apparently) been initialized but it is not (yet)
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return PSA_SUCCESS;
- }
-
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_driver_wrapper_verify_hash_abort(operation);
-
- operation->id = 0;
-
- /* Do not clear either the error_occurred or num_ops elements here as they
- * only want to be cleared by the application calling abort, not by abort
- * being called at completion of an operation. */
-
- return status;
-}
-
-psa_status_t psa_verify_hash_start(
- psa_verify_hash_interruptible_operation_t *operation,
- mbedtls_svc_key_id_t key, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- /* Check that start has not been previously called, or operation has not
- * previously errored. */
- if (operation->id != 0 || operation->error_occurred) {
- return PSA_ERROR_BAD_STATE;
- }
-
- status = psa_sign_verify_check_alg(0, alg);
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- return status;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot,
- PSA_KEY_USAGE_VERIFY_HASH,
- alg);
-
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- return status;
- }
-
- psa_key_attributes_t attributes = {
- .core = slot->attr
- };
-
- /* Ensure ops count gets reset, in case of operation re-use. */
- operation->num_ops = 0;
-
- status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
- slot->key.data,
- slot->key.bytes,
- alg, hash, hash_length,
- signature, signature_length);
-
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- psa_verify_hash_abort_internal(operation);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- if (unlock_status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- }
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_verify_hash_complete(
- psa_verify_hash_interruptible_operation_t *operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- /* Check that start has been called first, and that operation has not
- * previously errored. */
- if (operation->id == 0 || operation->error_occurred) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_driver_wrapper_verify_hash_complete(operation);
-
- /* Update ops count with work done. */
- operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
- operation);
-
-exit:
-
- if (status != PSA_OPERATION_INCOMPLETE) {
- if (status != PSA_SUCCESS) {
- operation->error_occurred = 1;
- }
-
- psa_verify_hash_abort_internal(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_verify_hash_abort(
- psa_verify_hash_interruptible_operation_t *operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_verify_hash_abort_internal(operation);
-
- /* We clear the number of ops done here, so that it is not cleared when
- * the operation fails or succeeds, only on manual abort. */
- operation->num_ops = 0;
-
- /* Likewise, failure state. */
- operation->error_occurred = 0;
-
- return status;
-}
-
-/****************************************************************/
-/* Asymmetric interruptible cryptography internal */
-/* implementations */
-/****************************************************************/
-
-void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
-{
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- /* Internal implementation uses zero to indicate infinite number max ops,
- * therefore avoid this value, and set to minimum possible. */
- if (max_ops == 0) {
- max_ops = 1;
- }
-
- mbedtls_ecp_set_max_ops(max_ops);
-#else
- (void) max_ops;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-uint32_t mbedtls_psa_sign_hash_get_num_ops(
- const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
-{
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- return operation->num_ops;
-#else
- (void) operation;
- return 0;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-uint32_t mbedtls_psa_verify_hash_get_num_ops(
- const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
-{
- #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- return operation->num_ops;
-#else
- (void) operation;
- return 0;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_sign_hash_start(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation,
- const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
- size_t key_buffer_size, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t required_hash_length;
-
- if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (!PSA_ALG_IS_ECDSA(alg)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- mbedtls_ecdsa_restart_init(&operation->restart_ctx);
-
- /* Ensure num_ops is zero'ed in case of context re-use. */
- operation->num_ops = 0;
-
- status = mbedtls_psa_ecp_load_representation(attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &operation->ctx);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- operation->coordinate_bytes = PSA_BITS_TO_BYTES(
- operation->ctx->grp.nbits);
-
- psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
- operation->alg = alg;
-
- /* We only need to store the same length of hash as the private key size
- * here, it would be truncated by the internal implementation anyway. */
- required_hash_length = (hash_length < operation->coordinate_bytes ?
- hash_length : operation->coordinate_bytes);
-
- if (required_hash_length > sizeof(operation->hash)) {
- /* Shouldn't happen, but better safe than sorry. */
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- memcpy(operation->hash, hash, required_hash_length);
- operation->hash_length = required_hash_length;
-
- return PSA_SUCCESS;
-
-#else
- (void) operation;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) alg;
- (void) hash;
- (void) hash_length;
- (void) status;
- (void) required_hash_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_sign_hash_complete(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation,
- uint8_t *signature, size_t signature_size,
- size_t *signature_length)
-{
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi r;
- mbedtls_mpi s;
-
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&s);
-
- /* Ensure max_ops is set to the current value (or default). */
- mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
-
- if (signature_size < 2 * operation->coordinate_bytes) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
- status = mbedtls_to_psa_error(
- mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
- &r,
- &s,
- &operation->ctx->d,
- operation->hash,
- operation->hash_length,
- operation->md_alg,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- &operation->restart_ctx));
-#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
- } else {
- status = mbedtls_to_psa_error(
- mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
- &r,
- &s,
- &operation->ctx->d,
- operation->hash,
- operation->hash_length,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- &operation->restart_ctx));
- }
-
- /* Hide the fact that the restart context only holds a delta of number of
- * ops done during the last operation, not an absolute value. */
- operation->num_ops += operation->restart_ctx.ecp.ops_done;
-
- if (status == PSA_SUCCESS) {
- status = mbedtls_to_psa_error(
- mbedtls_mpi_write_binary(&r,
- signature,
- operation->coordinate_bytes)
- );
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_mpi_write_binary(&s,
- signature +
- operation->coordinate_bytes,
- operation->coordinate_bytes)
- );
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *signature_length = operation->coordinate_bytes * 2;
-
- status = PSA_SUCCESS;
- }
-
-exit:
-
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&s);
- return status;
-
- #else
-
- (void) operation;
- (void) signature;
- (void) signature_size;
- (void) signature_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_sign_hash_abort(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation)
-{
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- if (operation->ctx) {
- mbedtls_ecdsa_free(operation->ctx);
- mbedtls_free(operation->ctx);
- operation->ctx = NULL;
- }
-
- mbedtls_ecdsa_restart_free(&operation->restart_ctx);
-
- operation->num_ops = 0;
-
- return PSA_SUCCESS;
-
-#else
-
- (void) operation;
-
- return PSA_ERROR_NOT_SUPPORTED;
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_verify_hash_start(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t coordinate_bytes = 0;
- size_t required_hash_length = 0;
-
- if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (!PSA_ALG_IS_ECDSA(alg)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- mbedtls_ecdsa_restart_init(&operation->restart_ctx);
- mbedtls_mpi_init(&operation->r);
- mbedtls_mpi_init(&operation->s);
-
- /* Ensure num_ops is zero'ed in case of context re-use. */
- operation->num_ops = 0;
-
- status = mbedtls_psa_ecp_load_representation(attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &operation->ctx);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
-
- if (signature_length != 2 * coordinate_bytes) {
- return PSA_ERROR_INVALID_SIGNATURE;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_mpi_read_binary(&operation->r,
- signature,
- coordinate_bytes));
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_mpi_read_binary(&operation->s,
- signature +
- coordinate_bytes,
- coordinate_bytes));
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = mbedtls_psa_ecp_load_public_part(operation->ctx);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* We only need to store the same length of hash as the private key size
- * here, it would be truncated by the internal implementation anyway. */
- required_hash_length = (hash_length < coordinate_bytes ? hash_length :
- coordinate_bytes);
-
- if (required_hash_length > sizeof(operation->hash)) {
- /* Shouldn't happen, but better safe than sorry. */
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- memcpy(operation->hash, hash, required_hash_length);
- operation->hash_length = required_hash_length;
-
- return PSA_SUCCESS;
-#else
- (void) operation;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) alg;
- (void) hash;
- (void) hash_length;
- (void) signature;
- (void) signature_length;
- (void) status;
- (void) coordinate_bytes;
- (void) required_hash_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_verify_hash_complete(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation)
-{
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- /* Ensure max_ops is set to the current value (or default). */
- mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
-
- status = mbedtls_to_psa_error(
- mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
- operation->hash,
- operation->hash_length,
- &operation->ctx->Q,
- &operation->r,
- &operation->s,
- &operation->restart_ctx));
-
- /* Hide the fact that the restart context only holds a delta of number of
- * ops done during the last operation, not an absolute value. */
- operation->num_ops += operation->restart_ctx.ecp.ops_done;
-
- return status;
-#else
- (void) operation;
-
- return PSA_ERROR_NOT_SUPPORTED;
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-psa_status_t mbedtls_psa_verify_hash_abort(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation)
-{
-
-#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
- defined(MBEDTLS_ECP_RESTARTABLE)
-
- if (operation->ctx) {
- mbedtls_ecdsa_free(operation->ctx);
- mbedtls_free(operation->ctx);
- operation->ctx = NULL;
- }
-
- mbedtls_ecdsa_restart_free(&operation->restart_ctx);
-
- operation->num_ops = 0;
-
- mbedtls_mpi_free(&operation->r);
- mbedtls_mpi_free(&operation->s);
-
- return PSA_SUCCESS;
-
-#else
- (void) operation;
-
- return PSA_ERROR_NOT_SUPPORTED;
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
- * defined( MBEDTLS_ECP_RESTARTABLE ) */
-}
-
-/****************************************************************/
-/* Symmetric cryptography */
-/****************************************************************/
-
-static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- mbedtls_operation_t cipher_operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
- PSA_KEY_USAGE_ENCRYPT :
- PSA_KEY_USAGE_DECRYPT);
- psa_key_attributes_t attributes;
-
- /* A context must be freshly initialized before it can be set up. */
- if (operation->id != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (!PSA_ALG_IS_CIPHER(alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Initialize the operation struct members, except for id. The id member
- * is used to indicate to psa_cipher_abort that there are resources to free,
- * so we only set it (in the driver wrapper) after resources have been
- * allocated/initialized. */
- operation->iv_set = 0;
- if (alg == PSA_ALG_ECB_NO_PADDING) {
- operation->iv_required = 0;
- } else {
- operation->iv_required = 1;
- }
- operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- /* Try doing the operation through a driver before using software fallback. */
- if (cipher_operation == MBEDTLS_ENCRYPT) {
- status = psa_driver_wrapper_cipher_encrypt_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- } else {
- status = psa_driver_wrapper_cipher_decrypt_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_cipher_abort(operation);
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
-}
-
-psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
-}
-
-psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
- uint8_t *iv,
- size_t iv_size,
- size_t *iv_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
- size_t default_iv_length = 0;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->iv_set || !operation->iv_required) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- default_iv_length = operation->default_iv_length;
- if (iv_size < default_iv_length) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
- status = PSA_ERROR_GENERIC_ERROR;
- goto exit;
- }
-
- status = psa_generate_random(local_iv, default_iv_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_driver_wrapper_cipher_set_iv(operation,
- local_iv, default_iv_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- memcpy(iv, local_iv, default_iv_length);
- *iv_length = default_iv_length;
- operation->iv_set = 1;
- } else {
- *iv_length = 0;
- psa_cipher_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
- const uint8_t *iv,
- size_t iv_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->iv_set || !operation->iv_required) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_driver_wrapper_cipher_set_iv(operation,
- iv,
- iv_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- operation->iv_set = 1;
- } else {
- psa_cipher_abort(operation);
- }
- return status;
-}
-
-psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->iv_required && !operation->iv_set) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_driver_wrapper_cipher_update(operation,
- input,
- input_length,
- output,
- output_size,
- output_length);
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_cipher_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_GENERIC_ERROR;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->iv_required && !operation->iv_set) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_driver_wrapper_cipher_finish(operation,
- output,
- output_size,
- output_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- return psa_cipher_abort(operation);
- } else {
- *output_length = 0;
- (void) psa_cipher_abort(operation);
-
- return status;
- }
-}
-
-psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
-{
- if (operation->id == 0) {
- /* The object has (apparently) been initialized but it is not (yet)
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return PSA_SUCCESS;
- }
-
- psa_driver_wrapper_cipher_abort(operation);
-
- operation->id = 0;
- operation->iv_set = 0;
- operation->iv_required = 0;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
- size_t default_iv_length = 0;
- psa_key_attributes_t attributes;
-
- if (!PSA_ALG_IS_CIPHER(alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot,
- PSA_KEY_USAGE_ENCRYPT,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
- if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
- status = PSA_ERROR_GENERIC_ERROR;
- goto exit;
- }
-
- if (default_iv_length > 0) {
- if (output_size < default_iv_length) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_generate_random(local_iv, default_iv_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = psa_driver_wrapper_cipher_encrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg, local_iv, default_iv_length, input, input_length,
- psa_crypto_buffer_offset(output, default_iv_length),
- output_size - default_iv_length, output_length);
-
-exit:
- unlock_status = psa_unlock_key_slot(slot);
- if (status == PSA_SUCCESS) {
- status = unlock_status;
- }
-
- if (status == PSA_SUCCESS) {
- if (default_iv_length > 0) {
- memcpy(output, local_iv, default_iv_length);
- }
- *output_length += default_iv_length;
- } else {
- *output_length = 0;
- }
-
- return status;
-}
-
-psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- psa_key_attributes_t attributes;
-
- if (!PSA_ALG_IS_CIPHER(alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot,
- PSA_KEY_USAGE_DECRYPT,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- if (alg == PSA_ALG_CCM_STAR_NO_TAG &&
- input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_driver_wrapper_cipher_decrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- output, output_size, output_length);
-
-exit:
- unlock_status = psa_unlock_key_slot(slot);
- if (status == PSA_SUCCESS) {
- status = unlock_status;
- }
-
- if (status != PSA_SUCCESS) {
- *output_length = 0;
- }
-
- return status;
-}
-
-
-/****************************************************************/
-/* AEAD */
-/****************************************************************/
-
-/* Helper function to get the base algorithm from its variants. */
-static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
-{
- return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
-}
-
-/* Helper function to perform common nonce length checks. */
-static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
- size_t nonce_length)
-{
- psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
-
- switch (base_alg) {
-#if defined(PSA_WANT_ALG_GCM)
- case PSA_ALG_GCM:
- /* Not checking max nonce size here as GCM spec allows almost
- * arbitrarily large nonces. Please note that we do not generally
- * recommend the usage of nonces of greater length than
- * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
- * size, which can then lead to collisions if you encrypt a very
- * large number of messages.*/
- if (nonce_length != 0) {
- return PSA_SUCCESS;
- }
- break;
-#endif /* PSA_WANT_ALG_GCM */
-#if defined(PSA_WANT_ALG_CCM)
- case PSA_ALG_CCM:
- if (nonce_length >= 7 && nonce_length <= 13) {
- return PSA_SUCCESS;
- }
- break;
-#endif /* PSA_WANT_ALG_CCM */
-#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
- case PSA_ALG_CHACHA20_POLY1305:
- if (nonce_length == 12) {
- return PSA_SUCCESS;
- } else if (nonce_length == 8) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- break;
-#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
- default:
- (void) nonce_length;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_ERROR_INVALID_ARGUMENT;
-}
-
-static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
-{
- if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *plaintext,
- size_t plaintext_length,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- *ciphertext_length = 0;
-
- status = psa_aead_check_algorithm(alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(
- key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- psa_key_attributes_t attributes = {
- .core = slot->attr
- };
-
- status = psa_aead_check_nonce_length(alg, nonce_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_driver_wrapper_aead_encrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg,
- nonce, nonce_length,
- additional_data, additional_data_length,
- plaintext, plaintext_length,
- ciphertext, ciphertext_size, ciphertext_length);
-
- if (status != PSA_SUCCESS && ciphertext_size != 0) {
- memset(ciphertext, 0, ciphertext_size);
- }
-
-exit:
- psa_unlock_key_slot(slot);
-
- return status;
-}
-
-psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *ciphertext,
- size_t ciphertext_length,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- *plaintext_length = 0;
-
- status = psa_aead_check_algorithm(alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(
- key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- psa_key_attributes_t attributes = {
- .core = slot->attr
- };
-
- status = psa_aead_check_nonce_length(alg, nonce_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_driver_wrapper_aead_decrypt(
- &attributes, slot->key.data, slot->key.bytes,
- alg,
- nonce, nonce_length,
- additional_data, additional_data_length,
- ciphertext, ciphertext_length,
- plaintext, plaintext_size, plaintext_length);
-
- if (status != PSA_SUCCESS && plaintext_size != 0) {
- memset(plaintext, 0, plaintext_size);
- }
-
-exit:
- psa_unlock_key_slot(slot);
-
- return status;
-}
-
-static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
-{
- const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
-
- switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
-#if defined(PSA_WANT_ALG_CCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
- /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
- if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif /* PSA_WANT_ALG_CCM */
-
-#if defined(PSA_WANT_ALG_GCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
- /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
- if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif /* PSA_WANT_ALG_GCM */
-
-#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
- /* We only support the default tag length. */
- if (tag_len != 16) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- break;
-#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
-
- default:
- (void) tag_len;
- return PSA_ERROR_NOT_SUPPORTED;
- }
- return PSA_SUCCESS;
-}
-
-/* Set the key for a multipart authenticated operation. */
-static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
- int is_encrypt,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- psa_key_usage_t key_usage = 0;
- psa_key_attributes_t attributes;
-
- status = psa_aead_check_algorithm(alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (operation->id != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->nonce_set || operation->lengths_set ||
- operation->ad_started || operation->body_started) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (is_encrypt) {
- key_usage = PSA_KEY_USAGE_ENCRYPT;
- } else {
- key_usage = PSA_KEY_USAGE_DECRYPT;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
- goto exit;
- }
-
- if (is_encrypt) {
- status = psa_driver_wrapper_aead_encrypt_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- } else {
- status = psa_driver_wrapper_aead_decrypt_setup(operation,
- &attributes,
- slot->key.data,
- slot->key.bytes,
- alg);
- }
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- operation->key_type = psa_get_key_type(&attributes);
-
-exit:
- unlock_status = psa_unlock_key_slot(slot);
-
- if (status == PSA_SUCCESS) {
- status = unlock_status;
- operation->alg = psa_aead_get_base_algorithm(alg);
- operation->is_encrypt = is_encrypt;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-/* Set the key for a multipart authenticated encryption operation. */
-psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_aead_setup(operation, 1, key, alg);
-}
-
-/* Set the key for a multipart authenticated decryption operation. */
-psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg)
-{
- return psa_aead_setup(operation, 0, key, alg);
-}
-
-/* Generate a random nonce / IV for multipart AEAD operation */
-psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
- uint8_t *nonce,
- size_t nonce_size,
- size_t *nonce_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
- size_t required_nonce_size = 0;
-
- *nonce_length = 0;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->nonce_set || !operation->is_encrypt) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- /* For CCM, this size may not be correct according to the PSA
- * specification. The PSA Crypto 1.0.1 specification states:
- *
- * CCM encodes the plaintext length pLen in L octets, with L the smallest
- * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
- *
- * However this restriction that L has to be the smallest integer is not
- * applied in practice, and it is not implementable here since the
- * plaintext length may or may not be known at this time. */
- required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
- operation->alg);
- if (nonce_size < required_nonce_size) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_generate_random(local_nonce, required_nonce_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_aead_set_nonce(operation, local_nonce, required_nonce_size);
-
-exit:
- if (status == PSA_SUCCESS) {
- memcpy(nonce, local_nonce, required_nonce_size);
- *nonce_length = required_nonce_size;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-/* Set the nonce for a multipart authenticated encryption or decryption
- operation.*/
-psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
- const uint8_t *nonce,
- size_t nonce_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->nonce_set) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_aead_check_nonce_length(operation->alg, nonce_length);
- if (status != PSA_SUCCESS) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
- nonce_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- operation->nonce_set = 1;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-/* Declare the lengths of the message and additional data for multipart AEAD. */
-psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
- size_t ad_length,
- size_t plaintext_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->lengths_set || operation->ad_started ||
- operation->body_started) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_GCM)
- case PSA_ALG_GCM:
- /* Lengths can only be too large for GCM if size_t is bigger than 32
- * bits. Without the guard this code will generate warnings on 32bit
- * builds. */
-#if SIZE_MAX > UINT32_MAX
- if (((uint64_t) ad_length) >> 61 != 0 ||
- ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-#endif
- break;
-#endif /* PSA_WANT_ALG_GCM */
-#if defined(PSA_WANT_ALG_CCM)
- case PSA_ALG_CCM:
- if (ad_length > 0xFF00) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
- break;
-#endif /* PSA_WANT_ALG_CCM */
-#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
- case PSA_ALG_CHACHA20_POLY1305:
- /* No length restrictions for ChaChaPoly. */
- break;
-#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
- default:
- break;
- }
-
- status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
- plaintext_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- operation->ad_remaining = ad_length;
- operation->body_remaining = plaintext_length;
- operation->lengths_set = 1;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-/* Pass additional data to an active multipart AEAD operation. */
-psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (!operation->nonce_set || operation->body_started) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->lengths_set) {
- if (operation->ad_remaining < input_length) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- operation->ad_remaining -= input_length;
- }
-#if defined(PSA_WANT_ALG_CCM)
- else if (operation->alg == PSA_ALG_CCM) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-#endif /* PSA_WANT_ALG_CCM */
-
- status = psa_driver_wrapper_aead_update_ad(operation, input,
- input_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- operation->ad_started = 1;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-/* Encrypt or decrypt a message fragment in an active multipart AEAD
- operation.*/
-psa_status_t psa_aead_update(psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *output_length = 0;
-
- if (operation->id == 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (!operation->nonce_set) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (operation->lengths_set) {
- /* Additional data length was supplied, but not all the additional
- data was supplied.*/
- if (operation->ad_remaining != 0) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- /* Too much data provided. */
- if (operation->body_remaining < input_length) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- operation->body_remaining -= input_length;
- }
-#if defined(PSA_WANT_ALG_CCM)
- else if (operation->alg == PSA_ALG_CCM) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-#endif /* PSA_WANT_ALG_CCM */
-
- status = psa_driver_wrapper_aead_update(operation, input, input_length,
- output, output_size,
- output_length);
-
-exit:
- if (status == PSA_SUCCESS) {
- operation->body_started = 1;
- } else {
- psa_aead_abort(operation);
- }
-
- return status;
-}
-
-static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
-{
- if (operation->id == 0 || !operation->nonce_set) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (operation->lengths_set && (operation->ad_remaining != 0 ||
- operation->body_remaining != 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return PSA_SUCCESS;
-}
-
-/* Finish encrypting a message in a multipart AEAD operation. */
-psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length,
- uint8_t *tag,
- size_t tag_size,
- size_t *tag_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *ciphertext_length = 0;
- *tag_length = tag_size;
-
- status = psa_aead_final_checks(operation);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (!operation->is_encrypt) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_driver_wrapper_aead_finish(operation, ciphertext,
- ciphertext_size,
- ciphertext_length,
- tag, tag_size, tag_length);
-
-exit:
-
-
- /* In case the operation fails and the user fails to check for failure or
- * the zero tag size, make sure the tag is set to something implausible.
- * Even if the operation succeeds, make sure we clear the rest of the
- * buffer to prevent potential leakage of anything previously placed in
- * the same buffer.*/
- psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
-
- psa_aead_abort(operation);
-
- return status;
-}
-
-/* Finish authenticating and decrypting a message in a multipart AEAD
- operation.*/
-psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length,
- const uint8_t *tag,
- size_t tag_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *plaintext_length = 0;
-
- status = psa_aead_final_checks(operation);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (operation->is_encrypt) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_driver_wrapper_aead_verify(operation, plaintext,
- plaintext_size,
- plaintext_length,
- tag, tag_length);
-
-exit:
- psa_aead_abort(operation);
-
- return status;
-}
-
-/* Abort an AEAD operation. */
-psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->id == 0) {
- /* The object has (apparently) been initialized but it is not (yet)
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return PSA_SUCCESS;
- }
-
- status = psa_driver_wrapper_aead_abort(operation);
-
- memset(operation, 0, sizeof(*operation));
-
- return status;
-}
-
-/****************************************************************/
-/* Generators */
-/****************************************************************/
-
-#if defined(BUILTIN_ALG_ANY_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
- defined(PSA_HAVE_SOFT_PBKDF2)
-#define AT_LEAST_ONE_BUILTIN_KDF
-#endif /* At least one builtin KDF */
-
-#if defined(BUILTIN_ALG_ANY_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
-static psa_status_t psa_key_derivation_start_hmac(
- psa_mac_operation_t *operation,
- psa_algorithm_t hash_alg,
- const uint8_t *hmac_key,
- size_t hmac_key_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
- psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
-
- operation->is_sign = 1;
- operation->mac_size = PSA_HASH_LENGTH(hash_alg);
-
- status = psa_driver_wrapper_mac_sign_setup(operation,
- &attributes,
- hmac_key, hmac_key_length,
- PSA_ALG_HMAC(hash_alg));
-
- psa_reset_key_attributes(&attributes);
- return status;
-}
-#endif /* KDF algorithms reliant on HMAC */
-
-#define HKDF_STATE_INIT 0 /* no input yet */
-#define HKDF_STATE_STARTED 1 /* got salt */
-#define HKDF_STATE_KEYED 2 /* got key */
-#define HKDF_STATE_OUTPUT 3 /* output started */
-
-static psa_algorithm_t psa_key_derivation_get_kdf_alg(
- const psa_key_derivation_operation_t *operation)
-{
- if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
- return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
- } else {
- return operation->alg;
- }
-}
-
-psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
-{
- psa_status_t status = PSA_SUCCESS;
- psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
- if (kdf_alg == 0) {
- /* The object has (apparently) been initialized but it is not
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- } else
-#if defined(BUILTIN_ALG_ANY_HKDF)
- if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
- mbedtls_free(operation->ctx.hkdf.info);
- status = psa_mac_abort(&operation->ctx.hkdf.hmac);
- } else
-#endif /* BUILTIN_ALG_ANY_HKDF */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
- /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
- PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
- if (operation->ctx.tls12_prf.secret != NULL) {
- mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
- operation->ctx.tls12_prf.secret_length);
- }
-
- if (operation->ctx.tls12_prf.seed != NULL) {
- mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
- operation->ctx.tls12_prf.seed_length);
- }
-
- if (operation->ctx.tls12_prf.label != NULL) {
- mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
- operation->ctx.tls12_prf.label_length);
- }
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- if (operation->ctx.tls12_prf.other_secret != NULL) {
- mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
- operation->ctx.tls12_prf.other_secret_length);
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
- status = PSA_SUCCESS;
-
- /* We leave the fields Ai and output_block to be erased safely by the
- * mbedtls_platform_zeroize() in the end of this function. */
- } else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
- sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
- } else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
-#if defined(PSA_HAVE_SOFT_PBKDF2)
- if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
- if (operation->ctx.pbkdf2.salt != NULL) {
- mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
- operation->ctx.pbkdf2.salt_length);
- }
-
- status = PSA_SUCCESS;
- } else
-#endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
- {
- status = PSA_ERROR_BAD_STATE;
- }
- mbedtls_platform_zeroize(operation, sizeof(*operation));
- return status;
-}
-
-psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
- size_t *capacity)
-{
- if (operation->alg == 0) {
- /* This is a blank key derivation operation. */
- return PSA_ERROR_BAD_STATE;
- }
-
- *capacity = operation->capacity;
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
- size_t capacity)
-{
- if (operation->alg == 0) {
- return PSA_ERROR_BAD_STATE;
- }
- if (capacity > operation->capacity) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- operation->capacity = capacity;
- return PSA_SUCCESS;
-}
-
-#if defined(BUILTIN_ALG_ANY_HKDF)
-/* Read some bytes from an HKDF-based operation. */
-static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
- psa_algorithm_t kdf_alg,
- uint8_t *output,
- size_t output_length)
-{
- psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
- uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
- size_t hmac_output_length;
- psa_status_t status;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
-#else
- const uint8_t last_block = 0xff;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
-
- if (hkdf->state < HKDF_STATE_KEYED ||
- (!hkdf->info_set
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
- )) {
- return PSA_ERROR_BAD_STATE;
- }
- hkdf->state = HKDF_STATE_OUTPUT;
-
- while (output_length != 0) {
- /* Copy what remains of the current block */
- uint8_t n = hash_length - hkdf->offset_in_block;
- if (n > output_length) {
- n = (uint8_t) output_length;
- }
- memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
- output += n;
- output_length -= n;
- hkdf->offset_in_block += n;
- if (output_length == 0) {
- break;
- }
- /* We can't be wanting more output after the last block, otherwise
- * the capacity check in psa_key_derivation_output_bytes() would have
- * prevented this call. It could happen only if the operation
- * object was corrupted or if this function is called directly
- * inside the library. */
- if (hkdf->block_number == last_block) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* We need a new block */
- ++hkdf->block_number;
- hkdf->offset_in_block = 0;
-
- status = psa_key_derivation_start_hmac(&hkdf->hmac,
- hash_alg,
- hkdf->prk,
- hash_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (hkdf->block_number != 1) {
- status = psa_mac_update(&hkdf->hmac,
- hkdf->output_block,
- hash_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
- status = psa_mac_update(&hkdf->hmac,
- hkdf->info,
- hkdf->info_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- status = psa_mac_update(&hkdf->hmac,
- &hkdf->block_number, 1);
- if (status != PSA_SUCCESS) {
- return status;
- }
- status = psa_mac_sign_finish(&hkdf->hmac,
- hkdf->output_block,
- sizeof(hkdf->output_block),
- &hmac_output_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- return PSA_SUCCESS;
-}
-#endif /* BUILTIN_ALG_ANY_HKDF */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
-static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
- psa_tls12_prf_key_derivation_t *tls12_prf,
- psa_algorithm_t alg)
-{
- psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
- uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
- psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
- size_t hmac_output_length;
- psa_status_t status, cleanup_status;
-
- /* We can't be wanting more output after block 0xff, otherwise
- * the capacity check in psa_key_derivation_output_bytes() would have
- * prevented this call. It could happen only if the operation
- * object was corrupted or if this function is called directly
- * inside the library. */
- if (tls12_prf->block_number == 0xff) {
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- /* We need a new block */
- ++tls12_prf->block_number;
- tls12_prf->left_in_block = hash_length;
-
- /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
- *
- * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
- *
- * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
- * HMAC_hash(secret, A(2) + seed) +
- * HMAC_hash(secret, A(3) + seed) + ...
- *
- * A(0) = seed
- * A(i) = HMAC_hash(secret, A(i-1))
- *
- * The `psa_tls12_prf_key_derivation` structure saves the block
- * `HMAC_hash(secret, A(i) + seed)` from which the output
- * is currently extracted as `output_block` and where i is
- * `block_number`.
- */
-
- status = psa_key_derivation_start_hmac(&hmac,
- hash_alg,
- tls12_prf->secret,
- tls12_prf->secret_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- /* Calculate A(i) where i = tls12_prf->block_number. */
- if (tls12_prf->block_number == 1) {
- /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
- * the variable seed and in this instance means it in the context of the
- * P_hash function, where seed = label + seed.) */
- status = psa_mac_update(&hmac,
- tls12_prf->label,
- tls12_prf->label_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&hmac,
- tls12_prf->seed,
- tls12_prf->seed_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- } else {
- /* A(i) = HMAC_hash(secret, A(i-1)) */
- status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- }
-
- status = psa_mac_sign_finish(&hmac,
- tls12_prf->Ai, hash_length,
- &hmac_output_length);
- if (hmac_output_length != hash_length) {
- status = PSA_ERROR_CORRUPTION_DETECTED;
- }
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- /* Calculate HMAC_hash(secret, A(i) + label + seed). */
- status = psa_key_derivation_start_hmac(&hmac,
- hash_alg,
- tls12_prf->secret,
- tls12_prf->secret_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_sign_finish(&hmac,
- tls12_prf->output_block, hash_length,
- &hmac_output_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
-
-cleanup:
- cleanup_status = psa_mac_abort(&hmac);
- if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
- status = cleanup_status;
- }
-
- return status;
-}
-
-static psa_status_t psa_key_derivation_tls12_prf_read(
- psa_tls12_prf_key_derivation_t *tls12_prf,
- psa_algorithm_t alg,
- uint8_t *output,
- size_t output_length)
-{
- psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
- uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
- psa_status_t status;
- uint8_t offset, length;
-
- switch (tls12_prf->state) {
- case PSA_TLS12_PRF_STATE_LABEL_SET:
- tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
- break;
- case PSA_TLS12_PRF_STATE_OUTPUT:
- break;
- default:
- return PSA_ERROR_BAD_STATE;
- }
-
- while (output_length != 0) {
- /* Check if we have fully processed the current block. */
- if (tls12_prf->left_in_block == 0) {
- status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
- alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- continue;
- }
-
- if (tls12_prf->left_in_block > output_length) {
- length = (uint8_t) output_length;
- } else {
- length = tls12_prf->left_in_block;
- }
-
- offset = hash_length - tls12_prf->left_in_block;
- memcpy(output, tls12_prf->output_block + offset, length);
- output += length;
- output_length -= length;
- tls12_prf->left_in_block -= length;
- }
-
- return PSA_SUCCESS;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
- * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
-static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
- psa_tls12_ecjpake_to_pms_t *ecjpake,
- uint8_t *output,
- size_t output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t output_size = 0;
-
- if (output_length != 32) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
- PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
- &output_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (output_size != output_length) {
- return PSA_ERROR_GENERIC_ERROR;
- }
-
- return PSA_SUCCESS;
-}
-#endif
-
-#if defined(PSA_HAVE_SOFT_PBKDF2)
-static psa_status_t psa_key_derivation_pbkdf2_generate_block(
- psa_pbkdf2_key_derivation_t *pbkdf2,
- psa_algorithm_t prf_alg,
- uint8_t prf_output_length,
- psa_key_attributes_t *attributes)
-{
- psa_status_t status;
- psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
- size_t mac_output_length;
- uint8_t U_i[PSA_MAC_MAX_SIZE];
- uint8_t *U_accumulator = pbkdf2->output_block;
- uint64_t i;
- uint8_t block_counter[4];
-
- mac_operation.is_sign = 1;
- mac_operation.mac_size = prf_output_length;
- MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
-
- status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
- attributes,
- pbkdf2->password,
- pbkdf2->password_length,
- prf_alg);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
- &mac_output_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- if (mac_output_length != prf_output_length) {
- status = PSA_ERROR_CORRUPTION_DETECTED;
- goto cleanup;
- }
-
- memcpy(U_accumulator, U_i, prf_output_length);
-
- for (i = 1; i < pbkdf2->input_cost; i++) {
- /* We are passing prf_output_length as mac_size because the driver
- * function directly sets mac_output_length as mac_size upon success.
- * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
- status = psa_driver_wrapper_mac_compute(attributes,
- pbkdf2->password,
- pbkdf2->password_length,
- prf_alg, U_i, prf_output_length,
- U_i, prf_output_length,
- &mac_output_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
- }
-
-cleanup:
- /* Zeroise buffers to clear sensitive data from memory. */
- mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
- return status;
-}
-
-static psa_status_t psa_key_derivation_pbkdf2_read(
- psa_pbkdf2_key_derivation_t *pbkdf2,
- psa_algorithm_t kdf_alg,
- uint8_t *output,
- size_t output_length)
-{
- psa_status_t status;
- psa_algorithm_t prf_alg;
- uint8_t prf_output_length;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
-
- if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
- prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
- prf_output_length = PSA_HASH_LENGTH(prf_alg);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
- } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
- prf_alg = PSA_ALG_CMAC;
- prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- switch (pbkdf2->state) {
- case PSA_PBKDF2_STATE_PASSWORD_SET:
- /* Initially we need a new block so bytes_used is equal to block size*/
- pbkdf2->bytes_used = prf_output_length;
- pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
- break;
- case PSA_PBKDF2_STATE_OUTPUT:
- break;
- default:
- return PSA_ERROR_BAD_STATE;
- }
-
- while (output_length != 0) {
- uint8_t n = prf_output_length - pbkdf2->bytes_used;
- if (n > output_length) {
- n = (uint8_t) output_length;
- }
- memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
- output += n;
- output_length -= n;
- pbkdf2->bytes_used += n;
-
- if (output_length == 0) {
- break;
- }
-
- /* We need a new block */
- pbkdf2->bytes_used = 0;
- pbkdf2->block_number++;
-
- status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
- prf_output_length,
- &attributes);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- return PSA_SUCCESS;
-}
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
-
-psa_status_t psa_key_derivation_output_bytes(
- psa_key_derivation_operation_t *operation,
- uint8_t *output,
- size_t output_length)
-{
- psa_status_t status;
- psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
-
- if (operation->alg == 0) {
- /* This is a blank operation. */
- return PSA_ERROR_BAD_STATE;
- }
-
- if (output_length > operation->capacity) {
- operation->capacity = 0;
- /* Go through the error path to wipe all confidential data now
- * that the operation object is useless. */
- status = PSA_ERROR_INSUFFICIENT_DATA;
- goto exit;
- }
- if (output_length == 0 && operation->capacity == 0) {
- /* Edge case: this is a finished operation, and 0 bytes
- * were requested. The right error in this case could
- * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
- * INSUFFICIENT_CAPACITY, which is right for a finished
- * operation, for consistency with the case when
- * output_length > 0. */
- return PSA_ERROR_INSUFFICIENT_DATA;
- }
- operation->capacity -= output_length;
-
-#if defined(BUILTIN_ALG_ANY_HKDF)
- if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
- status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
- output, output_length);
- } else
-#endif /* BUILTIN_ALG_ANY_HKDF */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
- PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
- status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
- kdf_alg, output,
- output_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
- * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- status = psa_key_derivation_tls12_ecjpake_to_pms_read(
- &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
-#if defined(PSA_HAVE_SOFT_PBKDF2)
- if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
- status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
- output, output_length);
- } else
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
-
- {
- (void) kdf_alg;
- return PSA_ERROR_BAD_STATE;
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- /* Preserve the algorithm upon errors, but clear all sensitive state.
- * This allows us to differentiate between exhausted operations and
- * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
- * operations. */
- psa_algorithm_t alg = operation->alg;
- psa_key_derivation_abort(operation);
- operation->alg = alg;
- memset(output, '!', output_length);
- }
- return status;
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
-static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
-{
- if (data_size >= 8) {
- mbedtls_des_key_set_parity(data);
- }
- if (data_size >= 16) {
- mbedtls_des_key_set_parity(data + 8);
- }
- if (data_size >= 24) {
- mbedtls_des_key_set_parity(data + 16);
- }
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
-
-/*
- * ECC keys on a Weierstrass elliptic curve require the generation
- * of a private key which is an integer
- * in the range [1, N - 1], where N is the boundary of the private key domain:
- * N is the prime p for Diffie-Hellman, or the order of the
- * curve’s base point for ECC.
- *
- * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
- * This function generates the private key using the following process:
- *
- * 1. Draw a byte string of length ceiling(m/8) bytes.
- * 2. If m is not a multiple of 8, set the most significant
- * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
- * 3. Convert the string to integer k by decoding it as a big-endian byte string.
- * 4. If k > N - 2, discard the result and return to step 1.
- * 5. Output k + 1 as the private key.
- *
- * This method allows compliance to NIST standards, specifically the methods titled
- * Key-Pair Generation by Testing Candidates in the following publications:
- * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
- * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
- * Diffie-Hellman keys.
- *
- * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
- * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
- *
- * Note: Function allocates memory for *data buffer, so given *data should be
- * always NULL.
- */
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
- psa_key_slot_t *slot,
- size_t bits,
- psa_key_derivation_operation_t *operation,
- uint8_t **data
- )
-{
- unsigned key_out_of_range = 1;
- mbedtls_mpi k;
- mbedtls_mpi diff_N_2;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t m;
- size_t m_bytes;
-
- mbedtls_mpi_init(&k);
- mbedtls_mpi_init(&diff_N_2);
-
- psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
- slot->attr.type);
- mbedtls_ecp_group_id grp_id =
- mbedtls_ecc_group_of_psa(curve, bits, 0);
-
- if (grp_id == MBEDTLS_ECP_DP_NONE) {
- ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
- goto cleanup;
- }
-
- mbedtls_ecp_group ecp_group;
- mbedtls_ecp_group_init(&ecp_group);
-
- MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
-
- /* N is the boundary of the private key domain (ecp_group.N). */
- /* Let m be the bit size of N. */
- m = ecp_group.nbits;
-
- m_bytes = PSA_BITS_TO_BYTES(m);
-
- /* Calculate N - 2 - it will be needed later. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
-
- /* Note: This function is always called with *data == NULL and it
- * allocates memory for the data buffer. */
- *data = mbedtls_calloc(1, m_bytes);
- if (*data == NULL) {
- ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
- goto cleanup;
- }
-
- while (key_out_of_range) {
- /* 1. Draw a byte string of length ceiling(m/8) bytes. */
- if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
- goto cleanup;
- }
-
- /* 2. If m is not a multiple of 8 */
- if (m % 8 != 0) {
- /* Set the most significant
- * (8 * ceiling(m/8) - m) bits of the first byte in
- * the string to zero.
- */
- uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
- (*data)[0] &= clear_bit_mask;
- }
-
- /* 3. Convert the string to integer k by decoding it as a
- * big-endian byte string.
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
-
- /* 4. If k > N - 2, discard the result and return to step 1.
- * Result of comparison is returned. When it indicates error
- * then this function is called again.
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
- }
-
- /* 5. Output k + 1 as the private key. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
-cleanup:
- if (ret != 0) {
- status = mbedtls_to_psa_error(ret);
- }
- if (status != PSA_SUCCESS) {
- mbedtls_free(*data);
- *data = NULL;
- }
- mbedtls_mpi_free(&k);
- mbedtls_mpi_free(&diff_N_2);
- return status;
-}
-
-/* ECC keys on a Montgomery elliptic curve draws a byte string whose length
- * is determined by the curve, and sets the mandatory bits accordingly. That is:
- *
- * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
- * draw a 32-byte string and process it as specified in
- * Elliptic Curves for Security [RFC7748] §5.
- *
- * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
- * draw a 56-byte string and process it as specified in [RFC7748] §5.
- *
- * Note: Function allocates memory for *data buffer, so given *data should be
- * always NULL.
- */
-
-static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
- size_t bits,
- psa_key_derivation_operation_t *operation,
- uint8_t **data
- )
-{
- size_t output_length;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- switch (bits) {
- case 255:
- output_length = 32;
- break;
- case 448:
- output_length = 56;
- break;
- default:
- return PSA_ERROR_INVALID_ARGUMENT;
- break;
- }
-
- *data = mbedtls_calloc(1, output_length);
-
- if (*data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- status = psa_key_derivation_output_bytes(operation, *data, output_length);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- switch (bits) {
- case 255:
- (*data)[0] &= 248;
- (*data)[31] &= 127;
- (*data)[31] |= 64;
- break;
- case 448:
- (*data)[0] &= 252;
- (*data)[55] |= 128;
- break;
- default:
- return PSA_ERROR_CORRUPTION_DETECTED;
- break;
- }
-
- return status;
-}
-#else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
-static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
- psa_key_slot_t *slot, size_t bits,
- psa_key_derivation_operation_t *operation, uint8_t **data)
-{
- (void) slot;
- (void) bits;
- (void) operation;
- (void) data;
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
- size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
-{
- (void) bits;
- (void) operation;
- (void) data;
- return PSA_ERROR_NOT_SUPPORTED;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
-#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
-
-static psa_status_t psa_generate_derived_key_internal(
- psa_key_slot_t *slot,
- size_t bits,
- psa_key_derivation_operation_t *operation)
-{
- uint8_t *data = NULL;
- size_t bytes = PSA_BITS_TO_BYTES(bits);
- size_t storage_size = bytes;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes;
-
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
- if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
- psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
- if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
- /* Weierstrass elliptic curve */
- status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- } else {
- /* Montgomery elliptic curve */
- status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
- } else
-#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
- if (key_type_is_raw_bytes(slot->attr.type)) {
- if (bits % 8 != 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- data = mbedtls_calloc(1, bytes);
- if (data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- status = psa_key_derivation_output_bytes(operation, data, bytes);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
- if (slot->attr.type == PSA_KEY_TYPE_DES) {
- psa_des_set_key_parity(data, bytes);
- }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
- } else {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- slot->attr.bits = (psa_key_bits_t) bits;
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- if (psa_key_lifetime_is_external(attributes.core.lifetime)) {
- status = psa_driver_wrapper_get_key_buffer_size(&attributes,
- &storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
- status = psa_allocate_buffer_to_slot(slot, storage_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_driver_wrapper_import_key(&attributes,
- data, bytes,
- slot->key.data,
- slot->key.bytes,
- &slot->key.bytes, &bits);
- if (bits != slot->attr.bits) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- }
-
-exit:
- mbedtls_free(data);
- return status;
-}
-
-psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attributes,
- psa_key_derivation_operation_t *operation,
- mbedtls_svc_key_id_t *key)
-{
- psa_status_t status;
- psa_key_slot_t *slot = NULL;
- psa_se_drv_table_entry_t *driver = NULL;
-
- *key = MBEDTLS_SVC_KEY_ID_INIT;
-
- /* Reject any attempt to create a zero-length key so that we don't
- * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
- if (psa_get_key_bits(attributes) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (operation->alg == PSA_ALG_NONE) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (!operation->can_output_key) {
- return PSA_ERROR_NOT_PERMITTED;
- }
-
- status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
- &slot, &driver);
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if (driver != NULL) {
- /* Deriving a key in a secure element is not implemented yet. */
- status = PSA_ERROR_NOT_SUPPORTED;
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- if (status == PSA_SUCCESS) {
- status = psa_generate_derived_key_internal(slot,
- attributes->core.bits,
- operation);
- }
- if (status == PSA_SUCCESS) {
- status = psa_finish_key_creation(slot, driver, key);
- }
- if (status != PSA_SUCCESS) {
- psa_fail_key_creation(slot, driver);
- }
-
- return status;
-}
-
-
-
-/****************************************************************/
-/* Key derivation */
-/****************************************************************/
-
-#if defined(AT_LEAST_ONE_BUILTIN_KDF)
-static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
-{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
- if (PSA_ALG_IS_HKDF(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
- if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
- if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
- if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
- if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
- return 1;
- }
-#endif
- return 0;
-}
-
-static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
-{
- psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
- psa_status_t status = psa_hash_setup(&operation, alg);
- psa_hash_abort(&operation);
- return status;
-}
-
-static psa_status_t psa_key_derivation_setup_kdf(
- psa_key_derivation_operation_t *operation,
- psa_algorithm_t kdf_alg)
-{
- /* Make sure that operation->ctx is properly zero-initialised. (Macro
- * initialisers for this union leave some bytes unspecified.) */
- memset(&operation->ctx, 0, sizeof(operation->ctx));
-
- /* Make sure that kdf_alg is a supported key derivation algorithm. */
- if (!is_kdf_alg_supported(kdf_alg)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* All currently supported key derivation algorithms (apart from
- * ecjpake to pms and pbkdf2_aes_cmac_128) are based on a hash algorithm. */
- psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
- size_t hash_size = PSA_HASH_LENGTH(hash_alg);
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- hash_size = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
- } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
- hash_size = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
- } else {
- if (hash_size == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Make sure that hash_alg is a supported hash algorithm. Otherwise
- * we might fail later, which is somewhat unfriendly and potentially
- * risk-prone. */
- psa_status_t status = psa_hash_try_support(hash_alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- if ((PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
- PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) &&
- !(hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ||
- (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS)) {
- operation->capacity = hash_size;
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
- MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
- operation->capacity = 255 * hash_size;
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
-{
-#if defined(PSA_WANT_ALG_ECDH)
- if (alg == PSA_ALG_ECDH) {
- return PSA_SUCCESS;
- }
-#endif
-#if defined(PSA_WANT_ALG_FFDH)
- if (alg == PSA_ALG_FFDH) {
- return PSA_SUCCESS;
- }
-#endif
- (void) alg;
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-static int psa_key_derivation_allows_free_form_secret_input(
- psa_algorithm_t kdf_alg)
-{
-#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- return 0;
- }
-#endif
- (void) kdf_alg;
- return 1;
-}
-#endif /* AT_LEAST_ONE_BUILTIN_KDF */
-
-psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
- psa_algorithm_t alg)
-{
- psa_status_t status;
-
- if (operation->alg != 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
-#if defined(AT_LEAST_ONE_BUILTIN_KDF)
- psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
- psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
- status = psa_key_agreement_try_support(ka_alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
- if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- status = psa_key_derivation_setup_kdf(operation, kdf_alg);
-#else
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* AT_LEAST_ONE_BUILTIN_KDF */
- } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
-#if defined(AT_LEAST_ONE_BUILTIN_KDF)
- status = psa_key_derivation_setup_kdf(operation, alg);
-#else
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* AT_LEAST_ONE_BUILTIN_KDF */
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (status == PSA_SUCCESS) {
- operation->alg = alg;
- }
- return status;
-}
-
-#if defined(BUILTIN_ALG_ANY_HKDF)
-static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
- psa_algorithm_t kdf_alg,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
- psa_status_t status;
- switch (step) {
- case PSA_KEY_DERIVATION_INPUT_SALT:
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
- if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
- if (hkdf->state != HKDF_STATE_INIT) {
- return PSA_ERROR_BAD_STATE;
- } else {
- status = psa_key_derivation_start_hmac(&hkdf->hmac,
- hash_alg,
- data, data_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- hkdf->state = HKDF_STATE_STARTED;
- return PSA_SUCCESS;
- }
- case PSA_KEY_DERIVATION_INPUT_SECRET:
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
- if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
- /* We shouldn't be in different state as HKDF_EXPAND only allows
- * two inputs: SECRET (this case) and INFO which does not modify
- * the state. It could happen only if the hkdf
- * object was corrupted. */
- if (hkdf->state != HKDF_STATE_INIT) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Allow only input that fits expected prk size */
- if (data_length != PSA_HASH_LENGTH(hash_alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- memcpy(hkdf->prk, data, data_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
- {
- /* HKDF: If no salt was provided, use an empty salt.
- * HKDF-EXTRACT: salt is mandatory. */
- if (hkdf->state == HKDF_STATE_INIT) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
- return PSA_ERROR_BAD_STATE;
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
- status = psa_key_derivation_start_hmac(&hkdf->hmac,
- hash_alg,
- NULL, 0);
- if (status != PSA_SUCCESS) {
- return status;
- }
- hkdf->state = HKDF_STATE_STARTED;
- }
- if (hkdf->state != HKDF_STATE_STARTED) {
- return PSA_ERROR_BAD_STATE;
- }
- status = psa_mac_update(&hkdf->hmac,
- data, data_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- status = psa_mac_sign_finish(&hkdf->hmac,
- hkdf->prk,
- sizeof(hkdf->prk),
- &data_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- hkdf->state = HKDF_STATE_KEYED;
- hkdf->block_number = 0;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
- /* The only block of output is the PRK. */
- memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
- hkdf->offset_in_block = 0;
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
- {
- /* Block 0 is empty, and the next block will be
- * generated by psa_key_derivation_hkdf_read(). */
- hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
- }
-
- return PSA_SUCCESS;
- case PSA_KEY_DERIVATION_INPUT_INFO:
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
- if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
- if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
- hkdf->state == HKDF_STATE_INIT) {
- return PSA_ERROR_BAD_STATE;
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
- if (hkdf->state == HKDF_STATE_OUTPUT) {
- return PSA_ERROR_BAD_STATE;
- }
- if (hkdf->info_set) {
- return PSA_ERROR_BAD_STATE;
- }
- hkdf->info_length = data_length;
- if (data_length != 0) {
- hkdf->info = mbedtls_calloc(1, data_length);
- if (hkdf->info == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- memcpy(hkdf->info, data, data_length);
- }
- hkdf->info_set = 1;
- return PSA_SUCCESS;
- default:
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-}
-#endif /* BUILTIN_ALG_ANY_HKDF */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
-static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
- const uint8_t *data,
- size_t data_length)
-{
- if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data_length != 0) {
- prf->seed = mbedtls_calloc(1, data_length);
- if (prf->seed == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- memcpy(prf->seed, data, data_length);
- prf->seed_length = data_length;
- }
-
- prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
- const uint8_t *data,
- size_t data_length)
-{
- if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
- prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data_length != 0) {
- prf->secret = mbedtls_calloc(1, data_length);
- if (prf->secret == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- memcpy(prf->secret, data, data_length);
- prf->secret_length = data_length;
- }
-
- prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
- const uint8_t *data,
- size_t data_length)
-{
- if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data_length != 0) {
- prf->label = mbedtls_calloc(1, data_length);
- if (prf->label == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- memcpy(prf->label, data, data_length);
- prf->label_length = data_length;
- }
-
- prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- switch (step) {
- case PSA_KEY_DERIVATION_INPUT_SEED:
- return psa_tls12_prf_set_seed(prf, data, data_length);
- case PSA_KEY_DERIVATION_INPUT_SECRET:
- return psa_tls12_prf_set_key(prf, data, data_length);
- case PSA_KEY_DERIVATION_INPUT_LABEL:
- return psa_tls12_prf_set_label(prf, data, data_length);
- default:
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
- * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
-static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
- psa_tls12_prf_key_derivation_t *prf,
- const uint8_t *data,
- size_t data_length)
-{
- psa_status_t status;
- const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
- 4 + data_length + prf->other_secret_length :
- 4 + 2 * data_length);
-
- if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- uint8_t *pms = mbedtls_calloc(1, pms_len);
- if (pms == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- uint8_t *cur = pms;
-
- /* pure-PSK:
- * Quoting RFC 4279, Section 2:
- *
- * The premaster secret is formed as follows: if the PSK is N octets
- * long, concatenate a uint16 with the value N, N zero octets, a second
- * uint16 with the value N, and the PSK itself.
- *
- * mixed-PSK:
- * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
- * follows: concatenate a uint16 with the length of the other secret,
- * the other secret itself, uint16 with the length of PSK, and the
- * PSK itself.
- * For details please check:
- * - RFC 4279, Section 4 for the definition of RSA-PSK,
- * - RFC 4279, Section 3 for the definition of DHE-PSK,
- * - RFC 5489 for the definition of ECDHE-PSK.
- */
-
- if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
- *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
- *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
- if (prf->other_secret_length != 0) {
- memcpy(cur, prf->other_secret, prf->other_secret_length);
- mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
- cur += prf->other_secret_length;
- }
- } else {
- *cur++ = MBEDTLS_BYTE_1(data_length);
- *cur++ = MBEDTLS_BYTE_0(data_length);
- memset(cur, 0, data_length);
- cur += data_length;
- }
-
- *cur++ = MBEDTLS_BYTE_1(data_length);
- *cur++ = MBEDTLS_BYTE_0(data_length);
- memcpy(cur, data, data_length);
- cur += data_length;
-
- status = psa_tls12_prf_set_key(prf, pms, cur - pms);
-
- mbedtls_zeroize_and_free(pms, pms_len);
- return status;
-}
-
-static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
- psa_tls12_prf_key_derivation_t *prf,
- const uint8_t *data,
- size_t data_length)
-{
- if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data_length != 0) {
- prf->other_secret = mbedtls_calloc(1, data_length);
- if (prf->other_secret == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- memcpy(prf->other_secret, data, data_length);
- prf->other_secret_length = data_length;
- } else {
- prf->other_secret_length = 0;
- }
-
- prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_tls12_prf_psk_to_ms_input(
- psa_tls12_prf_key_derivation_t *prf,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- switch (step) {
- case PSA_KEY_DERIVATION_INPUT_SECRET:
- return psa_tls12_prf_psk_to_ms_set_key(prf,
- data, data_length);
- break;
- case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
- return psa_tls12_prf_psk_to_ms_set_other_key(prf,
- data,
- data_length);
- break;
- default:
- return psa_tls12_prf_input(prf, step, data, data_length);
- break;
-
- }
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
-static psa_status_t psa_tls12_ecjpake_to_pms_input(
- psa_tls12_ecjpake_to_pms_t *ecjpake,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
- step != PSA_KEY_DERIVATION_INPUT_SECRET) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Check if the passed point is in an uncompressed form */
- if (data[0] != 0x04) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
- memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
-
- return PSA_SUCCESS;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
-
-#if defined(PSA_HAVE_SOFT_PBKDF2)
-static psa_status_t psa_pbkdf2_set_input_cost(
- psa_pbkdf2_key_derivation_t *pbkdf2,
- psa_key_derivation_step_t step,
- uint64_t data)
-{
- if (step != PSA_KEY_DERIVATION_INPUT_COST) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (data == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- pbkdf2->input_cost = data;
- pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
- const uint8_t *data,
- size_t data_length)
-{
- if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
- pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
- } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
- /* Appending to existing salt. No state change. */
- } else {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (data_length == 0) {
- /* Appending an empty string, nothing to do. */
- } else {
- uint8_t *next_salt;
-
- next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
- if (next_salt == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- if (pbkdf2->salt_length != 0) {
- memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
- }
- memcpy(next_salt + pbkdf2->salt_length, data, data_length);
- pbkdf2->salt_length += data_length;
- mbedtls_free(pbkdf2->salt);
- pbkdf2->salt = next_salt;
- }
- return PSA_SUCCESS;
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
-static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
- const uint8_t *input,
- size_t input_len,
- uint8_t *output,
- size_t *output_len)
-{
- psa_status_t status = PSA_SUCCESS;
- if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
- status = psa_hash_compute(hash_alg, input, input_len, output,
- PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
- } else {
- memcpy(output, input, input_len);
- *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
- }
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
-static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
- size_t input_len,
- uint8_t *output,
- size_t *output_len)
-{
- psa_status_t status = PSA_SUCCESS;
- if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint8_t zeros[16] = { 0 };
- psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
- psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
- /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
- * mac_size as the driver function sets mac_output_length = mac_size
- * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
- status = psa_driver_wrapper_mac_compute(&attributes,
- zeros, sizeof(zeros),
- PSA_ALG_CMAC, input, input_len,
- output,
- PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
- 128U,
- PSA_ALG_CMAC),
- output_len);
- } else {
- memcpy(output, input, input_len);
- *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
- }
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
-
-static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
- psa_algorithm_t kdf_alg,
- const uint8_t *data,
- size_t data_length)
-{
- psa_status_t status = PSA_SUCCESS;
- if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
- return PSA_ERROR_BAD_STATE;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
- if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
- psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
- status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
- pbkdf2->password,
- &pbkdf2->password_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
- if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
- status = psa_pbkdf2_cmac_set_password(data, data_length,
- pbkdf2->password,
- &pbkdf2->password_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
- {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
-
- return status;
-}
-
-static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
- psa_algorithm_t kdf_alg,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- switch (step) {
- case PSA_KEY_DERIVATION_INPUT_SALT:
- return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
- case PSA_KEY_DERIVATION_INPUT_PASSWORD:
- return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
- default:
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-}
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
-
-/** Check whether the given key type is acceptable for the given
- * input step of a key derivation.
- *
- * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
- * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
- * Both secret and non-secret inputs can alternatively have the type
- * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
- * that the input was passed as a buffer rather than via a key object.
- */
-static int psa_key_derivation_check_input_type(
- psa_key_derivation_step_t step,
- psa_key_type_t key_type)
-{
- switch (step) {
- case PSA_KEY_DERIVATION_INPUT_SECRET:
- if (key_type == PSA_KEY_TYPE_DERIVE) {
- return PSA_SUCCESS;
- }
- if (key_type == PSA_KEY_TYPE_NONE) {
- return PSA_SUCCESS;
- }
- break;
- case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
- if (key_type == PSA_KEY_TYPE_DERIVE) {
- return PSA_SUCCESS;
- }
- if (key_type == PSA_KEY_TYPE_NONE) {
- return PSA_SUCCESS;
- }
- break;
- case PSA_KEY_DERIVATION_INPUT_LABEL:
- case PSA_KEY_DERIVATION_INPUT_SALT:
- case PSA_KEY_DERIVATION_INPUT_INFO:
- case PSA_KEY_DERIVATION_INPUT_SEED:
- if (key_type == PSA_KEY_TYPE_RAW_DATA) {
- return PSA_SUCCESS;
- }
- if (key_type == PSA_KEY_TYPE_NONE) {
- return PSA_SUCCESS;
- }
- break;
- case PSA_KEY_DERIVATION_INPUT_PASSWORD:
- if (key_type == PSA_KEY_TYPE_PASSWORD) {
- return PSA_SUCCESS;
- }
- if (key_type == PSA_KEY_TYPE_DERIVE) {
- return PSA_SUCCESS;
- }
- if (key_type == PSA_KEY_TYPE_NONE) {
- return PSA_SUCCESS;
- }
- break;
- }
- return PSA_ERROR_INVALID_ARGUMENT;
-}
-
-static psa_status_t psa_key_derivation_input_internal(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- psa_key_type_t key_type,
- const uint8_t *data,
- size_t data_length)
-{
- psa_status_t status;
- psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
-
- status = psa_key_derivation_check_input_type(step, key_type);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-#if defined(BUILTIN_ALG_ANY_HKDF)
- if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
- status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
- step, data, data_length);
- } else
-#endif /* BUILTIN_ALG_ANY_HKDF */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
- if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
- status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
- step, data, data_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
- if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
- status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
- step, data, data_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
- if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
- status = psa_tls12_ecjpake_to_pms_input(
- &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
-#if defined(PSA_HAVE_SOFT_PBKDF2)
- if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
- status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
- step, data, data_length);
- } else
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
- {
- /* This can't happen unless the operation object was not initialized */
- (void) data;
- (void) data_length;
- (void) kdf_alg;
- return PSA_ERROR_BAD_STATE;
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(operation);
- }
- return status;
-}
-
-static psa_status_t psa_key_derivation_input_integer_internal(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- uint64_t value)
-{
- psa_status_t status;
- psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
-
-#if defined(PSA_HAVE_SOFT_PBKDF2)
- if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
- status = psa_pbkdf2_set_input_cost(
- &operation->ctx.pbkdf2, step, value);
- } else
-#endif /* PSA_HAVE_SOFT_PBKDF2 */
- {
- (void) step;
- (void) value;
- (void) kdf_alg;
- status = PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(operation);
- }
- return status;
-}
-
-psa_status_t psa_key_derivation_input_bytes(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- const uint8_t *data,
- size_t data_length)
-{
- return psa_key_derivation_input_internal(operation, step,
- PSA_KEY_TYPE_NONE,
- data, data_length);
-}
-
-psa_status_t psa_key_derivation_input_integer(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- uint64_t value)
-{
- return psa_key_derivation_input_integer_internal(operation, step, value);
-}
-
-psa_status_t psa_key_derivation_input_key(
- psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- mbedtls_svc_key_id_t key)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- status = psa_get_and_lock_transparent_key_slot_with_policy(
- key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(operation);
- return status;
- }
-
- /* Passing a key object as a SECRET or PASSWORD input unlocks the
- * permission to output to a key object. */
- if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
- step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
- operation->can_output_key = 1;
- }
-
- status = psa_key_derivation_input_internal(operation,
- step, slot->attr.type,
- slot->key.data,
- slot->key.bytes);
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-
-
-/****************************************************************/
-/* Key agreement */
-/****************************************************************/
-
-psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length)
-{
- switch (alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
- case PSA_ALG_ECDH:
- return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
- key_buffer_size, alg,
- peer_key, peer_key_length,
- shared_secret,
- shared_secret_size,
- shared_secret_length);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
- case PSA_ALG_FFDH:
- return mbedtls_psa_ffdh_key_agreement(attributes,
- peer_key,
- peer_key_length,
- key_buffer,
- key_buffer_size,
- shared_secret,
- shared_secret_size,
- shared_secret_length);
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
-
- default:
- (void) attributes;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) peer_key;
- (void) peer_key_length;
- (void) shared_secret;
- (void) shared_secret_size;
- (void) shared_secret_length;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-}
-
-/** Internal function for raw key agreement
- * Calls the driver wrapper which will hand off key agreement task
- * to the driver's implementation if a driver is present.
- * Fallback specified in the driver wrapper is built-in raw key agreement
- * (psa_key_agreement_raw_builtin).
- */
-static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
- psa_key_slot_t *private_key,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length)
-{
- if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- psa_key_attributes_t attributes = {
- .core = private_key->attr
- };
-
- return psa_driver_wrapper_key_agreement(&attributes,
- private_key->key.data,
- private_key->key.bytes, alg,
- peer_key, peer_key_length,
- shared_secret,
- shared_secret_size,
- shared_secret_length);
-}
-
-/* Note that if this function fails, you must call psa_key_derivation_abort()
- * to potentially free embedded data structures and wipe confidential data.
- */
-static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- psa_key_slot_t *private_key,
- const uint8_t *peer_key,
- size_t peer_key_length)
-{
- psa_status_t status;
- uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE];
- size_t shared_secret_length = 0;
- psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
-
- /* Step 1: run the secret agreement algorithm to generate the shared
- * secret. */
- status = psa_key_agreement_raw_internal(ka_alg,
- private_key,
- peer_key, peer_key_length,
- shared_secret,
- sizeof(shared_secret),
- &shared_secret_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Step 2: set up the key derivation to generate key material from
- * the shared secret. A shared secret is permitted wherever a key
- * of type DERIVE is permitted. */
- status = psa_key_derivation_input_internal(operation, step,
- PSA_KEY_TYPE_DERIVE,
- shared_secret,
- shared_secret_length);
-exit:
- mbedtls_platform_zeroize(shared_secret, shared_secret_length);
- return status;
-}
-
-psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
- psa_key_derivation_step_t step,
- mbedtls_svc_key_id_t private_key,
- const uint8_t *peer_key,
- size_t peer_key_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- status = psa_get_and_lock_transparent_key_slot_with_policy(
- private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
- status = psa_key_agreement_internal(operation, step,
- slot,
- peer_key, peer_key_length);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(operation);
- } else {
- /* If a private key has been added as SECRET, we allow the derived
- * key material to be used as a key in PSA Crypto. */
- if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
- operation->can_output_key = 1;
- }
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- mbedtls_svc_key_id_t private_key,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- size_t expected_length;
-
- if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
- status = psa_get_and_lock_transparent_key_slot_with_policy(
- private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
- * for the output size. The PSA specification only guarantees that this
- * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
- * but it might be nice to allow smaller buffers if the output fits.
- * At the time of writing this comment, with only ECDH implemented,
- * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
- * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
- * be exact for it as well. */
- expected_length =
- PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
- if (output_size < expected_length) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- status = psa_key_agreement_raw_internal(alg, slot,
- peer_key, peer_key_length,
- output, output_size,
- output_length);
-
-exit:
- if (status != PSA_SUCCESS) {
- /* If an error happens and is not handled properly, the output
- * may be used as a key to protect sensitive data. Arrange for such
- * a key to be random, which is likely to result in decryption or
- * verification errors. This is better than filling the buffer with
- * some constant data such as zeros, which would result in the data
- * being protected with a reproducible, easily knowable key.
- */
- psa_generate_random(output, output_size);
- *output_length = output_size;
- }
-
- unlock_status = psa_unlock_key_slot(slot);
-
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-
-
-/****************************************************************/
-/* Random generation */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-#include "entropy_poll.h"
-#endif
-
-/** Initialize the PSA random generator.
- */
-static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
-{
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
- memset(rng, 0, sizeof(*rng));
-#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
- /* Set default configuration if
- * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
- if (rng->entropy_init == NULL) {
- rng->entropy_init = mbedtls_entropy_init;
- }
- if (rng->entropy_free == NULL) {
- rng->entropy_free = mbedtls_entropy_free;
- }
-
- rng->entropy_init(&rng->entropy);
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
- defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
- /* The PSA entropy injection feature depends on using NV seed as an entropy
- * source. Add NV seed as an entropy source for PSA entropy injection. */
- mbedtls_entropy_add_source(&rng->entropy,
- mbedtls_nv_seed_poll, NULL,
- MBEDTLS_ENTROPY_BLOCK_SIZE,
- MBEDTLS_ENTROPY_SOURCE_STRONG);
-#endif
-
- mbedtls_psa_drbg_init(MBEDTLS_PSA_RANDOM_STATE);
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-}
-
-/** Deinitialize the PSA random generator.
- */
-static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
-{
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
- memset(rng, 0, sizeof(*rng));
-#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
- mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE);
- rng->entropy_free(&rng->entropy);
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-}
-
-/** Seed the PSA random generator.
- */
-static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
-{
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
- /* Do nothing: the external RNG seeds itself. */
- (void) rng;
- return PSA_SUCCESS;
-#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
- const unsigned char drbg_seed[] = "PSA";
- int ret = mbedtls_psa_drbg_seed(&rng->entropy,
- drbg_seed, sizeof(drbg_seed) - 1);
- return mbedtls_to_psa_error(ret);
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-}
-
-psa_status_t psa_generate_random(uint8_t *output,
- size_t output_size)
-{
- GUARD_MODULE_INITIALIZED;
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-
- size_t output_length = 0;
- psa_status_t status = mbedtls_psa_external_get_random(&global_data.rng,
- output, output_size,
- &output_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- /* Breaking up a request into smaller chunks is currently not supported
- * for the external RNG interface. */
- if (output_length != output_size) {
- return PSA_ERROR_INSUFFICIENT_ENTROPY;
- }
- return PSA_SUCCESS;
-
-#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
- while (output_size > 0) {
- size_t request_size =
- (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
- MBEDTLS_PSA_RANDOM_MAX_REQUEST :
- output_size);
- int ret = mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE,
- output, request_size);
- if (ret != 0) {
- return mbedtls_to_psa_error(ret);
- }
- output_size -= request_size;
- output += request_size;
- }
- return PSA_SUCCESS;
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-}
-
-/* Wrapper function allowing the classic API to use the PSA RNG.
- *
- * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
- * `psa_generate_random(...)`. The state parameter is ignored since the
- * PSA API doesn't support passing an explicit state.
- *
- * In the non-external case, psa_generate_random() calls an
- * `mbedtls_xxx_drbg_random` function which has exactly the same signature
- * and semantics as mbedtls_psa_get_random(). As an optimization,
- * instead of doing this back-and-forth between the PSA API and the
- * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random`
- * as a constant function pointer to `mbedtls_xxx_drbg_random`.
- */
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-int mbedtls_psa_get_random(void *p_rng,
- unsigned char *output,
- size_t output_size)
-{
- /* This function takes a pointer to the RNG state because that's what
- * classic mbedtls functions using an RNG expect. The PSA RNG manages
- * its own state internally and doesn't let the caller access that state.
- * So we just ignore the state parameter, and in practice we'll pass
- * NULL. */
- (void) p_rng;
- psa_status_t status = psa_generate_random(output, output_size);
- if (status == PSA_SUCCESS) {
- return 0;
- } else {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-}
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
- size_t seed_size)
-{
- if (global_data.initialized) {
- return PSA_ERROR_NOT_PERMITTED;
- }
-
- if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
- (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
- (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return mbedtls_psa_storage_inject_entropy(seed, seed_size);
-}
-#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
-
-/** Validate the key type and size for key generation
- *
- * \param type The key type
- * \param bits The number of bits of the key
- *
- * \retval #PSA_SUCCESS
- * The key type and size are valid.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size in bits of the key is not valid.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The type and/or the size in bits of the key or the combination of
- * the two is not supported.
- */
-static psa_status_t psa_validate_key_type_and_size_for_key_generation(
- psa_key_type_t type, size_t bits)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (key_type_is_raw_bytes(type)) {
- status = psa_validate_unstructured_key_bit_size(type, bits);
- if (status != PSA_SUCCESS) {
- return status;
- }
- } else
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
- if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Accept only byte-aligned keys, for the same reasons as
- * in psa_import_rsa_key(). */
- if (bits % 8 != 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- } else
-#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
-
-#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
- if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- /* To avoid empty block, return successfully here. */
- return PSA_SUCCESS;
- } else
-#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
-
-#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
- if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- if (psa_is_dh_key_size_valid(bits) == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- } else
-#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
- {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_generate_key_internal(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_type_t type = attributes->core.type;
-
- if ((attributes->domain_parameters == NULL) &&
- (attributes->domain_parameters_size != 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (key_type_is_raw_bytes(type)) {
- status = psa_generate_random(key_buffer, key_buffer_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
- if (type == PSA_KEY_TYPE_DES) {
- psa_des_set_key_parity(key_buffer, key_buffer_size);
- }
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
- } else
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
- if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- return mbedtls_psa_rsa_generate_key(attributes,
- key_buffer,
- key_buffer_size,
- key_buffer_length);
- } else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
- if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- return mbedtls_psa_ecp_generate_key(attributes,
- key_buffer,
- key_buffer_size,
- key_buffer_length);
- } else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
- if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- return mbedtls_psa_ffdh_generate_key(attributes,
- key_buffer,
- key_buffer_size,
- key_buffer_length);
- } else
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
- {
- (void) key_buffer_length;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- mbedtls_svc_key_id_t *key)
-{
- psa_status_t status;
- psa_key_slot_t *slot = NULL;
- psa_se_drv_table_entry_t *driver = NULL;
- size_t key_buffer_size;
-
- *key = MBEDTLS_SVC_KEY_ID_INIT;
-
- /* Reject any attempt to create a zero-length key so that we don't
- * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
- if (psa_get_key_bits(attributes) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Reject any attempt to create a public key. */
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->core.type)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
- &slot, &driver);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* In the case of a transparent key or an opaque key stored in local
- * storage ( thus not in the case of generating a key in a secure element
- * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
- * buffer to hold the generated key material. */
- if (slot->key.data == NULL) {
- if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime) ==
- PSA_KEY_LOCATION_LOCAL_STORAGE) {
- status = psa_validate_key_type_and_size_for_key_generation(
- attributes->core.type, attributes->core.bits);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
- attributes->core.type,
- attributes->core.bits);
- } else {
- status = psa_driver_wrapper_get_key_buffer_size(
- attributes, &key_buffer_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = psa_driver_wrapper_generate_key(attributes,
- slot->key.data, slot->key.bytes, &slot->key.bytes);
-
- if (status != PSA_SUCCESS) {
- psa_remove_key_data_from_memory(slot);
- }
-
-exit:
- if (status == PSA_SUCCESS) {
- status = psa_finish_key_creation(slot, driver, key);
- }
- if (status != PSA_SUCCESS) {
- psa_fail_key_creation(slot, driver);
- }
-
- return status;
-}
-
-/****************************************************************/
-/* Module setup */
-/****************************************************************/
-
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
- void (* entropy_init)(mbedtls_entropy_context *ctx),
- void (* entropy_free)(mbedtls_entropy_context *ctx))
-{
- if (global_data.rng_state != RNG_NOT_INITIALIZED) {
- return PSA_ERROR_BAD_STATE;
- }
- global_data.rng.entropy_init = entropy_init;
- global_data.rng.entropy_free = entropy_free;
- return PSA_SUCCESS;
-}
-#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
-
-void mbedtls_psa_crypto_free(void)
-{
- psa_wipe_all_key_slots();
- if (global_data.rng_state != RNG_NOT_INITIALIZED) {
- mbedtls_psa_random_free(&global_data.rng);
- }
- /* Wipe all remaining data, including configuration.
- * In particular, this sets all state indicator to the value
- * indicating "uninitialized". */
- mbedtls_platform_zeroize(&global_data, sizeof(global_data));
-
- /* Terminate drivers */
- psa_driver_wrapper_free();
-}
-
-#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
-/** Recover a transaction that was interrupted by a power failure.
- *
- * This function is called during initialization, before psa_crypto_init()
- * returns. If this function returns a failure status, the initialization
- * fails.
- */
-static psa_status_t psa_crypto_recover_transaction(
- const psa_crypto_transaction_t *transaction)
-{
- switch (transaction->unknown.type) {
- case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
- case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
- /* TODO - fall through to the failure case until this
- * is implemented.
- * https://github.com/ARMmbed/mbed-crypto/issues/218
- */
- default:
- /* We found an unsupported transaction in the storage.
- * We don't know what state the storage is in. Give up. */
- return PSA_ERROR_DATA_INVALID;
- }
-}
-#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
-
-psa_status_t psa_crypto_init(void)
-{
- psa_status_t status;
-
- /* Double initialization is explicitly allowed. */
- if (global_data.initialized != 0) {
- return PSA_SUCCESS;
- }
-
- /* Init drivers */
- status = psa_driver_wrapper_init();
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- global_data.drivers_initialized = 1;
-
- /* Initialize and seed the random generator. */
- mbedtls_psa_random_init(&global_data.rng);
- global_data.rng_state = RNG_INITIALIZED;
- status = mbedtls_psa_random_seed(&global_data.rng);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- global_data.rng_state = RNG_SEEDED;
-
- status = psa_initialize_key_slots();
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
- status = psa_crypto_load_transaction();
- if (status == PSA_SUCCESS) {
- status = psa_crypto_recover_transaction(&psa_crypto_transaction);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- status = psa_crypto_stop_transaction();
- } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
- /* There's no transaction to complete. It's all good. */
- status = PSA_SUCCESS;
- }
-#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
-
- /* All done. */
- global_data.initialized = 1;
-
-exit:
- if (status != PSA_SUCCESS) {
- mbedtls_psa_crypto_free();
- }
- return status;
-}
-
-#if defined(PSA_WANT_ALG_SOME_PAKE)
-psa_status_t psa_crypto_driver_pake_get_password_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *password_len)
-{
- if (inputs->password_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- *password_len = inputs->password_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_password(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
-{
- if (inputs->password_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (buffer_size < inputs->password_len) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- memcpy(buffer, inputs->password, inputs->password_len);
- *buffer_length = inputs->password_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_user_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *user_len)
-{
- if (inputs->user_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- *user_len = inputs->user_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_user(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
-{
- if (inputs->user_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (user_id_size < inputs->user_len) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- memcpy(user_id, inputs->user, inputs->user_len);
- *user_id_len = inputs->user_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_peer_len(
- const psa_crypto_driver_pake_inputs_t *inputs,
- size_t *peer_len)
-{
- if (inputs->peer_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- *peer_len = inputs->peer_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_peer(
- const psa_crypto_driver_pake_inputs_t *inputs,
- uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
-{
- if (inputs->peer_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (peer_id_size < inputs->peer_len) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- memcpy(peer_id, inputs->peer, inputs->peer_len);
- *peer_id_length = inputs->peer_len;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_driver_pake_get_cipher_suite(
- const psa_crypto_driver_pake_inputs_t *inputs,
- psa_pake_cipher_suite_t *cipher_suite)
-{
- if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
- return PSA_ERROR_BAD_STATE;
- }
-
- *cipher_suite = inputs->cipher_suite;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_pake_setup(
- psa_pake_operation_t *operation,
- const psa_pake_cipher_suite_t *cipher_suite)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
- PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
-
- operation->alg = cipher_suite->algorithm;
- operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
- cipher_suite->family, cipher_suite->bits);
- operation->data.inputs.cipher_suite = *cipher_suite;
-
-#if defined(PSA_WANT_ALG_JPAKE)
- if (operation->alg == PSA_ALG_JPAKE) {
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
-
- memset(computation_stage, 0, sizeof(*computation_stage));
- computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
- } else
-#endif /* PSA_WANT_ALG_JPAKE */
- {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
-
- return PSA_SUCCESS;
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-psa_status_t psa_pake_set_password_key(
- psa_pake_operation_t *operation,
- mbedtls_svc_key_id_t password)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot = NULL;
- psa_key_attributes_t attributes;
- psa_key_type_t type;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- status = psa_get_and_lock_key_slot_with_policy(password, &slot,
- PSA_KEY_USAGE_DERIVE,
- operation->alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- attributes = (psa_key_attributes_t) {
- .core = slot->attr
- };
-
- type = psa_get_key_type(&attributes);
-
- if (type != PSA_KEY_TYPE_PASSWORD &&
- type != PSA_KEY_TYPE_PASSWORD_HASH) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
- if (operation->data.inputs.password == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto exit;
- }
-
- memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
- operation->data.inputs.password_len = slot->key.bytes;
- operation->data.inputs.attributes = attributes;
-exit:
- if (status != PSA_SUCCESS) {
- psa_pake_abort(operation);
- }
- unlock_status = psa_unlock_key_slot(slot);
- return (status == PSA_SUCCESS) ? unlock_status : status;
-}
-
-psa_status_t psa_pake_set_user(
- psa_pake_operation_t *operation,
- const uint8_t *user_id,
- size_t user_id_len)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (user_id_len == 0) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- if (operation->data.inputs.user_len != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
- if (operation->data.inputs.user == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto exit;
- }
-
- memcpy(operation->data.inputs.user, user_id, user_id_len);
- operation->data.inputs.user_len = user_id_len;
-
- return PSA_SUCCESS;
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-psa_status_t psa_pake_set_peer(
- psa_pake_operation_t *operation,
- const uint8_t *peer_id,
- size_t peer_id_len)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (peer_id_len == 0) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- if (operation->data.inputs.peer_len != 0) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
- if (operation->data.inputs.peer == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto exit;
- }
-
- memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
- operation->data.inputs.peer_len = peer_id_len;
-
- return PSA_SUCCESS;
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-psa_status_t psa_pake_set_role(
- psa_pake_operation_t *operation,
- psa_pake_role_t role)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_JPAKE)
- case PSA_ALG_JPAKE:
- if (role == PSA_PAKE_ROLE_NONE) {
- return PSA_SUCCESS;
- }
- status = PSA_ERROR_INVALID_ARGUMENT;
- break;
-#endif
- default:
- (void) role;
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-/* Auxiliary function to convert core computation stage to single driver step. */
-#if defined(PSA_WANT_ALG_JPAKE)
-static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
- psa_jpake_computation_stage_t *stage)
-{
- psa_crypto_driver_pake_step_t key_share_step;
- if (stage->round == PSA_JPAKE_FIRST) {
- int is_x1;
-
- if (stage->io_mode == PSA_JPAKE_OUTPUT) {
- is_x1 = (stage->outputs < 1);
- } else {
- is_x1 = (stage->inputs < 1);
- }
-
- key_share_step = is_x1 ?
- PSA_JPAKE_X1_STEP_KEY_SHARE :
- PSA_JPAKE_X2_STEP_KEY_SHARE;
- } else if (stage->round == PSA_JPAKE_SECOND) {
- key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
- PSA_JPAKE_X2S_STEP_KEY_SHARE :
- PSA_JPAKE_X4S_STEP_KEY_SHARE;
- } else {
- return PSA_JPAKE_STEP_INVALID;
- }
- return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
-}
-#endif /* PSA_WANT_ALG_JPAKE */
-
-static psa_status_t psa_pake_complete_inputs(
- psa_pake_operation_t *operation)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- /* Create copy of the inputs on stack as inputs share memory
- with the driver context which will be setup by the driver. */
- psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
-
- if (inputs.password_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (operation->alg == PSA_ALG_JPAKE) {
- if (inputs.user_len == 0 || inputs.peer_len == 0) {
- return PSA_ERROR_BAD_STATE;
- }
- }
-
- /* Clear driver context */
- mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
-
- status = psa_driver_wrapper_pake_setup(operation, &inputs);
-
- /* Driver is responsible for creating its own copy of the password. */
- mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
-
- /* User and peer are translated to role. */
- mbedtls_free(inputs.user);
- mbedtls_free(inputs.peer);
-
- if (status == PSA_SUCCESS) {
-#if defined(PSA_WANT_ALG_JPAKE)
- if (operation->alg == PSA_ALG_JPAKE) {
- operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
- } else
-#endif /* PSA_WANT_ALG_JPAKE */
- {
- status = PSA_ERROR_NOT_SUPPORTED;
- }
- }
- return status;
-}
-
-#if defined(PSA_WANT_ALG_JPAKE)
-static psa_status_t psa_jpake_prologue(
- psa_pake_operation_t *operation,
- psa_pake_step_t step,
- psa_jpake_io_mode_t io_mode)
-{
- if (step != PSA_PAKE_STEP_KEY_SHARE &&
- step != PSA_PAKE_STEP_ZK_PUBLIC &&
- step != PSA_PAKE_STEP_ZK_PROOF) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
-
- if (computation_stage->round != PSA_JPAKE_FIRST &&
- computation_stage->round != PSA_JPAKE_SECOND) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Check that the step we are given is the one we were expecting */
- if (step != computation_stage->step) {
- return PSA_ERROR_BAD_STATE;
- }
-
- if (step == PSA_PAKE_STEP_KEY_SHARE &&
- computation_stage->inputs == 0 &&
- computation_stage->outputs == 0) {
- /* Start of the round, so function decides whether we are inputting
- * or outputting */
- computation_stage->io_mode = io_mode;
- } else if (computation_stage->io_mode != io_mode) {
- /* Middle of the round so the mode we are in must match the function
- * called by the user */
- return PSA_ERROR_BAD_STATE;
- }
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t psa_jpake_epilogue(
- psa_pake_operation_t *operation,
- psa_jpake_io_mode_t io_mode)
-{
- psa_jpake_computation_stage_t *stage =
- &operation->computation_stage.jpake;
-
- if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
- /* End of an input/output */
- if (io_mode == PSA_JPAKE_INPUT) {
- stage->inputs++;
- if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
- stage->io_mode = PSA_JPAKE_OUTPUT;
- }
- }
- if (io_mode == PSA_JPAKE_OUTPUT) {
- stage->outputs++;
- if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
- stage->io_mode = PSA_JPAKE_INPUT;
- }
- }
- if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
- stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
- /* End of a round, move to the next round */
- stage->inputs = 0;
- stage->outputs = 0;
- stage->round++;
- }
- stage->step = PSA_PAKE_STEP_KEY_SHARE;
- } else {
- stage->step++;
- }
- return PSA_SUCCESS;
-}
-
-#endif /* PSA_WANT_ALG_JPAKE */
-
-psa_status_t psa_pake_output(
- psa_pake_operation_t *operation,
- psa_pake_step_t step,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
- *output_length = 0;
-
- if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = psa_pake_complete_inputs(operation);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (output_size == 0) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_JPAKE)
- case PSA_ALG_JPAKE:
- status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- driver_step = convert_jpake_computation_stage_to_driver_step(
- &operation->computation_stage.jpake);
- break;
-#endif /* PSA_WANT_ALG_JPAKE */
- default:
- (void) step;
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- status = psa_driver_wrapper_pake_output(operation, driver_step,
- output, output_size, output_length);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_JPAKE)
- case PSA_ALG_JPAKE:
- status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- break;
-#endif /* PSA_WANT_ALG_JPAKE */
- default:
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- return PSA_SUCCESS;
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-psa_status_t psa_pake_input(
- psa_pake_operation_t *operation,
- psa_pake_step_t step,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
- const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
- operation->primitive,
- step);
-
- if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- status = psa_pake_complete_inputs(operation);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
- if (input_length == 0 || input_length > max_input_length) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_JPAKE)
- case PSA_ALG_JPAKE:
- status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- driver_step = convert_jpake_computation_stage_to_driver_step(
- &operation->computation_stage.jpake);
- break;
-#endif /* PSA_WANT_ALG_JPAKE */
- default:
- (void) step;
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- status = psa_driver_wrapper_pake_input(operation, driver_step,
- input, input_length);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(PSA_WANT_ALG_JPAKE)
- case PSA_ALG_JPAKE:
- status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- break;
-#endif /* PSA_WANT_ALG_JPAKE */
- default:
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- return PSA_SUCCESS;
-exit:
- psa_pake_abort(operation);
- return status;
-}
-
-psa_status_t psa_pake_get_implicit_key(
- psa_pake_operation_t *operation,
- psa_key_derivation_operation_t *output)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
- uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
- size_t shared_key_len = 0;
-
- if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
-
-#if defined(PSA_WANT_ALG_JPAKE)
- if (operation->alg == PSA_ALG_JPAKE) {
- psa_jpake_computation_stage_t *computation_stage =
- &operation->computation_stage.jpake;
- if (computation_stage->round != PSA_JPAKE_FINISHED) {
- status = PSA_ERROR_BAD_STATE;
- goto exit;
- }
- } else
-#endif /* PSA_WANT_ALG_JPAKE */
- {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- status = psa_driver_wrapper_pake_get_implicit_key(operation,
- shared_key,
- sizeof(shared_key),
- &shared_key_len);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_key_derivation_input_bytes(output,
- PSA_KEY_DERIVATION_INPUT_SECRET,
- shared_key,
- shared_key_len);
-
- mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
-exit:
- abort_status = psa_pake_abort(operation);
- return status == PSA_SUCCESS ? abort_status : status;
-}
-
-psa_status_t psa_pake_abort(
- psa_pake_operation_t *operation)
-{
- psa_status_t status = PSA_SUCCESS;
-
- if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
- status = psa_driver_wrapper_pake_abort(operation);
- }
-
- if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
- if (operation->data.inputs.password != NULL) {
- mbedtls_zeroize_and_free(operation->data.inputs.password,
- operation->data.inputs.password_len);
- }
- if (operation->data.inputs.user != NULL) {
- mbedtls_free(operation->data.inputs.user);
- }
- if (operation->data.inputs.peer != NULL) {
- mbedtls_free(operation->data.inputs.peer);
- }
- }
- memset(operation, 0, sizeof(psa_pake_operation_t));
-
- return status;
-}
-#endif /* PSA_WANT_ALG_SOME_PAKE */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
deleted file mode 100644
index 85d1f39..0000000
--- a/library/psa_crypto_aead.c
+++ /dev/null
@@ -1,665 +0,0 @@
-/*
- * PSA AEAD entry points
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include "psa_crypto_aead.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_cipher.h"
-
-#include <string.h>
-#include "mbedtls/platform.h"
-
-#include "mbedtls/ccm.h"
-#include "mbedtls/chachapoly.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/error.h"
-
-static psa_status_t psa_aead_setup(
- mbedtls_psa_aead_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t key_bits;
- const mbedtls_cipher_info_t *cipher_info;
- mbedtls_cipher_id_t cipher_id;
-
- (void) key_buffer_size;
-
- key_bits = attributes->core.bits;
-
- cipher_info = mbedtls_cipher_info_from_psa(alg,
- attributes->core.type, key_bits,
- &cipher_id);
- if (cipher_info == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
- operation->alg = PSA_ALG_CCM;
- /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
- * The call to mbedtls_ccm_encrypt_and_tag or
- * mbedtls_ccm_auth_decrypt will validate the tag length. */
- if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- mbedtls_ccm_init(&operation->ctx.ccm);
- status = mbedtls_to_psa_error(
- mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
- key_buffer, (unsigned int) key_bits));
- if (status != PSA_SUCCESS) {
- return status;
- }
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
- operation->alg = PSA_ALG_GCM;
- /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
- * The call to mbedtls_gcm_crypt_and_tag or
- * mbedtls_gcm_auth_decrypt will validate the tag length. */
- if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- mbedtls_gcm_init(&operation->ctx.gcm);
- status = mbedtls_to_psa_error(
- mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
- key_buffer, (unsigned int) key_bits));
- if (status != PSA_SUCCESS) {
- return status;
- }
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
- operation->alg = PSA_ALG_CHACHA20_POLY1305;
- /* We only support the default tag length. */
- if (alg != PSA_ALG_CHACHA20_POLY1305) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- mbedtls_chachapoly_init(&operation->ctx.chachapoly);
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
- key_buffer));
- if (status != PSA_SUCCESS) {
- return status;
- }
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
-
- default:
- (void) status;
- (void) key_buffer;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- operation->key_type = psa_get_key_type(attributes);
-
- operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
-
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_aead_encrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *nonce, size_t nonce_length,
- const uint8_t *additional_data, size_t additional_data_length,
- const uint8_t *plaintext, size_t plaintext_length,
- uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
- uint8_t *tag;
-
- status = psa_aead_setup(&operation, attributes, key_buffer,
- key_buffer_size, alg);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* For all currently supported modes, the tag is at the end of the
- * ciphertext. */
- if (ciphertext_size < (plaintext_length + operation.tag_length)) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
- tag = ciphertext + plaintext_length;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation.alg == PSA_ALG_CCM) {
- status = mbedtls_to_psa_error(
- mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
- plaintext_length,
- nonce, nonce_length,
- additional_data,
- additional_data_length,
- plaintext, ciphertext,
- tag, operation.tag_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation.alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
- MBEDTLS_GCM_ENCRYPT,
- plaintext_length,
- nonce, nonce_length,
- additional_data, additional_data_length,
- plaintext, ciphertext,
- operation.tag_length, tag));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
- if (operation.tag_length != 16) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
- plaintext_length,
- nonce,
- additional_data,
- additional_data_length,
- plaintext,
- ciphertext,
- tag));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) tag;
- (void) nonce;
- (void) nonce_length;
- (void) additional_data;
- (void) additional_data_length;
- (void) plaintext;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status == PSA_SUCCESS) {
- *ciphertext_length = plaintext_length + operation.tag_length;
- }
-
-exit:
- mbedtls_psa_aead_abort(&operation);
-
- return status;
-}
-
-/* Locate the tag in a ciphertext buffer containing the encrypted data
- * followed by the tag. Return the length of the part preceding the tag in
- * *plaintext_length. This is the size of the plaintext in modes where
- * the encrypted data has the same size as the plaintext, such as
- * CCM and GCM. */
-static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
- const uint8_t *ciphertext,
- size_t ciphertext_length,
- size_t plaintext_size,
- const uint8_t **p_tag)
-{
- size_t payload_length;
- if (tag_length > ciphertext_length) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- payload_length = ciphertext_length - tag_length;
- if (payload_length > plaintext_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- *p_tag = ciphertext + payload_length;
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_aead_decrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *nonce, size_t nonce_length,
- const uint8_t *additional_data, size_t additional_data_length,
- const uint8_t *ciphertext, size_t ciphertext_length,
- uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
- const uint8_t *tag = NULL;
-
- status = psa_aead_setup(&operation, attributes, key_buffer,
- key_buffer_size, alg);
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_aead_unpadded_locate_tag(operation.tag_length,
- ciphertext, ciphertext_length,
- plaintext_size, &tag);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation.alg == PSA_ALG_CCM) {
- status = mbedtls_to_psa_error(
- mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
- ciphertext_length - operation.tag_length,
- nonce, nonce_length,
- additional_data,
- additional_data_length,
- ciphertext, plaintext,
- tag, operation.tag_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation.alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
- ciphertext_length - operation.tag_length,
- nonce, nonce_length,
- additional_data,
- additional_data_length,
- tag, operation.tag_length,
- ciphertext, plaintext));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
- if (operation.tag_length != 16) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
- ciphertext_length - operation.tag_length,
- nonce,
- additional_data,
- additional_data_length,
- tag,
- ciphertext,
- plaintext));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) nonce;
- (void) nonce_length;
- (void) additional_data;
- (void) additional_data_length;
- (void) plaintext;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status == PSA_SUCCESS) {
- *plaintext_length = ciphertext_length - operation.tag_length;
- }
-
-exit:
- mbedtls_psa_aead_abort(&operation);
-
- if (status == PSA_SUCCESS) {
- *plaintext_length = ciphertext_length - operation.tag_length;
- }
- return status;
-}
-
-/* Set the key and algorithm for a multipart authenticated encryption
- * operation. */
-psa_status_t mbedtls_psa_aead_encrypt_setup(
- mbedtls_psa_aead_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_aead_setup(operation, attributes, key_buffer,
- key_buffer_size, alg);
-
- if (status == PSA_SUCCESS) {
- operation->is_encrypt = 1;
- }
-
- return status;
-}
-
-/* Set the key and algorithm for a multipart authenticated decryption
- * operation. */
-psa_status_t mbedtls_psa_aead_decrypt_setup(
- mbedtls_psa_aead_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- status = psa_aead_setup(operation, attributes, key_buffer,
- key_buffer_size, alg);
-
- if (status == PSA_SUCCESS) {
- operation->is_encrypt = 0;
- }
-
- return status;
-}
-
-/* Set a nonce for the multipart AEAD operation*/
-psa_status_t mbedtls_psa_aead_set_nonce(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *nonce,
- size_t nonce_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation->alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_starts(&operation->ctx.gcm,
- operation->is_encrypt ?
- MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
- nonce,
- nonce_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation->alg == PSA_ALG_CCM) {
- status = mbedtls_to_psa_error(
- mbedtls_ccm_starts(&operation->ctx.ccm,
- operation->is_encrypt ?
- MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
- nonce,
- nonce_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
- /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
- * allocate a buffer in the operation, copy the nonce to it and pad
- * it, so for now check the nonce is 12 bytes, as
- * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
- * passed in buffer. */
- if (nonce_length != 12) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_starts(&operation->ctx.chachapoly,
- nonce,
- operation->is_encrypt ?
- MBEDTLS_CHACHAPOLY_ENCRYPT :
- MBEDTLS_CHACHAPOLY_DECRYPT));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) operation;
- (void) nonce;
- (void) nonce_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return status;
-}
-
-/* Declare the lengths of the message and additional data for AEAD. */
-psa_status_t mbedtls_psa_aead_set_lengths(
- mbedtls_psa_aead_operation_t *operation,
- size_t ad_length,
- size_t plaintext_length)
-{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation->alg == PSA_ALG_CCM) {
- return mbedtls_to_psa_error(
- mbedtls_ccm_set_lengths(&operation->ctx.ccm,
- ad_length,
- plaintext_length,
- operation->tag_length));
-
- }
-#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
- (void) operation;
- (void) ad_length;
- (void) plaintext_length;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-
- return PSA_SUCCESS;
-}
-
-/* Pass additional data to an active multipart AEAD operation. */
-psa_status_t mbedtls_psa_aead_update_ad(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation->alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_update_ad(&operation->ctx.gcm, input, input_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation->alg == PSA_ALG_CCM) {
- status = mbedtls_to_psa_error(
- mbedtls_ccm_update_ad(&operation->ctx.ccm, input, input_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_update_aad(&operation->ctx.chachapoly,
- input,
- input_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) operation;
- (void) input;
- (void) input_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return status;
-}
-
-/* Encrypt or decrypt a message fragment in an active multipart AEAD
- * operation.*/
-psa_status_t mbedtls_psa_aead_update(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- size_t update_output_length;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- update_output_length = input_length;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation->alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_update(&operation->ctx.gcm,
- input, input_length,
- output, output_size,
- &update_output_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation->alg == PSA_ALG_CCM) {
- if (output_size < input_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ccm_update(&operation->ctx.ccm,
- input, input_length,
- output, output_size,
- &update_output_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
- if (output_size < input_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_update(&operation->ctx.chachapoly,
- input_length,
- input,
- output));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) operation;
- (void) input;
- (void) output;
- (void) output_size;
-
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status == PSA_SUCCESS) {
- *output_length = update_output_length;
- }
-
- return status;
-}
-
-/* Finish encrypting a message in a multipart AEAD operation. */
-psa_status_t mbedtls_psa_aead_finish(
- mbedtls_psa_aead_operation_t *operation,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length,
- uint8_t *tag,
- size_t tag_size,
- size_t *tag_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t finish_output_size = 0;
-
- if (tag_size < operation->tag_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- if (operation->alg == PSA_ALG_GCM) {
- status = mbedtls_to_psa_error(
- mbedtls_gcm_finish(&operation->ctx.gcm,
- ciphertext, ciphertext_size, ciphertext_length,
- tag, operation->tag_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- if (operation->alg == PSA_ALG_CCM) {
- /* tag must be big enough to store a tag of size passed into set
- * lengths. */
- if (tag_size < operation->tag_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ccm_finish(&operation->ctx.ccm,
- tag, operation->tag_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
- /* Belt and braces. Although the above tag_size check should have
- * already done this, if we later start supporting smaller tag sizes
- * for chachapoly, then passing a tag buffer smaller than 16 into here
- * could cause a buffer overflow, so better safe than sorry. */
- if (tag_size < 16) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_chachapoly_finish(&operation->ctx.chachapoly,
- tag));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- {
- (void) ciphertext;
- (void) ciphertext_size;
- (void) ciphertext_length;
- (void) tag;
- (void) tag_size;
- (void) tag_length;
-
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status == PSA_SUCCESS) {
- /* This will be zero for all supported algorithms currently, but left
- * here for future support. */
- *ciphertext_length = finish_output_size;
- *tag_length = operation->tag_length;
- }
-
- return status;
-}
-
-/* Abort an AEAD operation */
-psa_status_t mbedtls_psa_aead_abort(
- mbedtls_psa_aead_operation_t *operation)
-{
- switch (operation->alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- case PSA_ALG_CCM:
- mbedtls_ccm_free(&operation->ctx.ccm);
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- case PSA_ALG_GCM:
- mbedtls_gcm_free(&operation->ctx.gcm);
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- case PSA_ALG_CHACHA20_POLY1305:
- mbedtls_chachapoly_free(&operation->ctx.chachapoly);
- break;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
- }
-
- operation->is_encrypt = 0;
-
- return PSA_SUCCESS;
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h
deleted file mode 100644
index 4b24b0f..0000000
--- a/library/psa_crypto_aead.h
+++ /dev/null
@@ -1,511 +0,0 @@
-/*
- * PSA AEAD driver entry points
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_AEAD_H
-#define PSA_CRYPTO_AEAD_H
-
-#include <psa/crypto.h>
-
-/**
- * \brief Process an authenticated encryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_encrypt entry point. This function behaves as an aead_encrypt
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param alg The AEAD algorithm to compute.
- * \param[in] nonce Nonce or IV to use.
- * \param nonce_length Size of the nonce buffer in bytes. This must
- * be appropriate for the selected algorithm.
- * The default nonce size is
- * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
- * key_type is the type of key.
- * \param[in] additional_data Additional data that will be authenticated
- * but not encrypted.
- * \param additional_data_length Size of additional_data in bytes.
- * \param[in] plaintext Data that will be authenticated and encrypted.
- * \param plaintext_length Size of plaintext in bytes.
- * \param[out] ciphertext Output buffer for the authenticated and
- * encrypted data. The additional data is not
- * part of this output. For algorithms where the
- * encrypted data and the authentication tag are
- * defined as separate outputs, the
- * authentication tag is appended to the
- * encrypted data.
- * \param ciphertext_size Size of the ciphertext buffer in bytes. This
- * must be appropriate for the selected algorithm
- * and key:
- * - A sufficient output size is
- * PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
- * plaintext_length) where key_type is the type
- * of key.
- * - PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(
- * plaintext_length) evaluates to the maximum
- * ciphertext size of any supported AEAD
- * encryption.
- * \param[out] ciphertext_length On success, the size of the output in the
- * ciphertext buffer.
- *
- * \retval #PSA_SUCCESS Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * ciphertext_size is too small.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_aead_encrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *nonce, size_t nonce_length,
- const uint8_t *additional_data, size_t additional_data_length,
- const uint8_t *plaintext, size_t plaintext_length,
- uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length);
-
-/**
- * \brief Process an authenticated decryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_decrypt entry point. This function behaves as an aead_decrypt
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param alg The AEAD algorithm to compute.
- * \param[in] nonce Nonce or IV to use.
- * \param nonce_length Size of the nonce buffer in bytes. This must
- * be appropriate for the selected algorithm.
- * The default nonce size is
- * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
- * key_type is the type of key.
- * \param[in] additional_data Additional data that has been authenticated
- * but not encrypted.
- * \param additional_data_length Size of additional_data in bytes.
- * \param[in] ciphertext Data that has been authenticated and
- * encrypted. For algorithms where the encrypted
- * data and the authentication tag are defined
- * as separate inputs, the buffer contains
- * encrypted data followed by the authentication
- * tag.
- * \param ciphertext_length Size of ciphertext in bytes.
- * \param[out] plaintext Output buffer for the decrypted data.
- * \param plaintext_size Size of the plaintext buffer in bytes. This
- * must be appropriate for the selected algorithm
- * and key:
- * - A sufficient output size is
- * PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
- * ciphertext_length) where key_type is the
- * type of key.
- * - PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(
- * ciphertext_length) evaluates to the maximum
- * plaintext size of any supported AEAD
- * decryption.
- * \param[out] plaintext_length On success, the size of the output in the
- * plaintext buffer.
- *
- * \retval #PSA_SUCCESS Success.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The cipher is not authentic.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * plaintext_size is too small.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_aead_decrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *nonce, size_t nonce_length,
- const uint8_t *additional_data, size_t additional_data_length,
- const uint8_t *ciphertext, size_t ciphertext_length,
- uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length);
-
-/** Set the key for a multipart authenticated encryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_encrypt_setup entry point. This function behaves as an
- * aead_encrypt_setup entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * If an error occurs at any step after a call to
- * mbedtls_psa_aead_encrypt_setup(), the operation is reset by the PSA core by a
- * call to mbedtls_psa_aead_abort(). The PSA core may call
- * mbedtls_psa_aead_abort() at any time after the operation has been
- * initialized, and is required to when the operation is no longer needed.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #mbedtls_psa_aead_operation_t and not yet in
- * use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- It must be consistent with the size in bits
- recorded in \p attributes.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * An invalid block length was supplied.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * Failed to allocate memory for key material
- */
-psa_status_t mbedtls_psa_aead_encrypt_setup(
- mbedtls_psa_aead_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/** Set the key for a multipart authenticated decryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_decrypt_setup entry point. This function behaves as an
- * aead_decrypt_setup entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * If an error occurs at any step after a call to
- * mbedtls_psa_aead_decrypt_setup(), the PSA core resets the operation by a
- * call to mbedtls_psa_aead_abort(). The PSA core may call
- * mbedtls_psa_aead_abort() at any time after the operation has been
- * initialized, and is required to when the operation is no longer needed.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #mbedtls_psa_aead_operation_t and not yet in
- * use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- It must be consistent with the size in bits
- recorded in \p attributes.
- * \param alg The AEAD algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_AEAD(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * An invalid block length was supplied.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * Failed to allocate memory for key material
- */
-psa_status_t mbedtls_psa_aead_decrypt_setup(
- mbedtls_psa_aead_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/** Set the nonce for an authenticated encryption or decryption operation.
- *
- * \note The signature of this function is that of a PSA driver aead_set_nonce
- * entry point. This function behaves as an aead_set_nonce entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * This function sets the nonce for the authenticated
- * encryption or decryption operation.
- *
- * The PSA core calls mbedtls_psa_aead_encrypt_setup() or
- * mbedtls_psa_aead_decrypt_setup() before calling this function.
- *
- * If this function returns an error status, the PSA core will call
- * mbedtls_psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] nonce Buffer containing the nonce to use.
- * \param nonce_length Size of the nonce in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p nonce is not acceptable for the chosen algorithm.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Algorithm previously set is not supported in this configuration of
- * the library.
- */
-psa_status_t mbedtls_psa_aead_set_nonce(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *nonce,
- size_t nonce_length);
-
-/** Declare the lengths of the message and additional data for AEAD.
- *
- * \note The signature of this function is that of a PSA driver aead_set_lengths
- * entry point. This function behaves as an aead_set_lengths entry point
- * as defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * The PSA core calls this function before calling mbedtls_psa_aead_update_ad()
- * or mbedtls_psa_aead_update() if the algorithm for the operation requires it.
- * If the algorithm does not require it, calling this function is optional, but
- * if this function is called then the implementation must enforce the lengths.
- *
- * The PSA core may call this function before or after setting the nonce with
- * mbedtls_psa_aead_set_nonce().
- *
- * - For #PSA_ALG_CCM, calling this function is required.
- * - For the other AEAD algorithms defined in this specification, calling
- * this function is not required.
- *
- * If this function returns an error status, the PSA core calls
- * mbedtls_psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param ad_length Size of the non-encrypted additional
- * authenticated data in bytes.
- * \param plaintext_length Size of the plaintext to encrypt in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * At least one of the lengths is not acceptable for the chosen
- * algorithm.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Algorithm previously set is not supported in this configuration of
- * the library.
- */
-psa_status_t mbedtls_psa_aead_set_lengths(
- mbedtls_psa_aead_operation_t *operation,
- size_t ad_length,
- size_t plaintext_length);
-
-/** Pass additional data to an active AEAD operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_update_ad entry point. This function behaves as an aead_update_ad
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * Additional data is authenticated, but not encrypted.
- *
- * The PSA core can call this function multiple times to pass successive
- * fragments of the additional data. It will not call this function after
- * passing data to encrypt or decrypt with mbedtls_psa_aead_update().
- *
- * Before calling this function, the PSA core will:
- * 1. Call either mbedtls_psa_aead_encrypt_setup() or
- * mbedtls_psa_aead_decrypt_setup().
- * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
- *
- * If this function returns an error status, the PSA core will call
- * mbedtls_psa_aead_abort().
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] input Buffer containing the fragment of
- * additional data.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Algorithm previously set is not supported in this configuration of
- * the library.
- */
-psa_status_t mbedtls_psa_aead_update_ad(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Encrypt or decrypt a message fragment in an active AEAD operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_update entry point. This function behaves as an aead_update entry
- * point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * Before calling this function, the PSA core will:
- * 1. Call either mbedtls_psa_aead_encrypt_setup() or
- * mbedtls_psa_aead_decrypt_setup(). The choice of setup function
- * determines whether this function encrypts or decrypts its input.
- * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
- * 3. Call mbedtls_psa_aead_update_ad() to pass all the additional data.
- *
- * If this function returns an error status, the PSA core will call
- * mbedtls_psa_aead_abort().
- *
- * This function does not require the input to be aligned to any
- * particular block boundary. If the implementation can only process
- * a whole block at a time, it must consume all the input provided, but
- * it may delay the end of the corresponding output until a subsequent
- * call to mbedtls_psa_aead_update(), mbedtls_psa_aead_finish() provides
- * sufficient input. The amount of data that can be delayed in this way is
- * bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[in] input Buffer containing the message fragment to
- * encrypt or decrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * \param output_size Size of the \p output buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
- * \c alg, \p input_length) where
- * \c key_type is the type of key and \c alg is
- * the algorithm that were used to set up the
- * operation.
- * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
- * input_length) evaluates to the maximum
- * output size of any supported AEAD
- * algorithm.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- *
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
- * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
- * determine the required buffer size.
- */
-psa_status_t mbedtls_psa_aead_update(
- mbedtls_psa_aead_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Finish encrypting a message in an AEAD operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_finish entry point. This function behaves as an aead_finish entry
- * point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * The operation must have been set up by the PSA core with
- * mbedtls_psa_aead_encrypt_setup().
- *
- * This function finishes the authentication of the additional data
- * formed by concatenating the inputs passed to preceding calls to
- * mbedtls_psa_aead_update_ad() with the plaintext formed by concatenating the
- * inputs passed to preceding calls to mbedtls_psa_aead_update().
- *
- * This function has two output buffers:
- * - \p ciphertext contains trailing ciphertext that was buffered from
- * preceding calls to mbedtls_psa_aead_update().
- * - \p tag contains the authentication tag.
- *
- * Whether or not this function returns successfully, the PSA core subsequently
- * calls mbedtls_psa_aead_abort() to deactivate the operation.
- *
- * \param[in,out] operation Active AEAD operation.
- * \param[out] ciphertext Buffer where the last part of the ciphertext
- * is to be written.
- * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - A sufficient output size is
- * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
- * \c alg) where \c key_type is the type of key
- * and \c alg is the algorithm that were used to
- * set up the operation.
- * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
- * the maximum output size of any supported AEAD
- * algorithm.
- * \param[out] ciphertext_length On success, the number of bytes of
- * returned ciphertext.
- * \param[out] tag Buffer where the authentication tag is
- * to be written.
- * \param tag_size Size of the \p tag buffer in bytes.
- * This must be appropriate for the selected
- * algorithm and key:
- * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
- * key_type, \c key_bits, \c alg) where
- * \c key_type and \c key_bits are the type and
- * bit-size of the key, and \c alg are the
- * algorithm that were used in the call to
- * mbedtls_psa_aead_encrypt_setup().
- * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
- * maximum tag size of any supported AEAD
- * algorithm.
- * \param[out] tag_length On success, the number of bytes
- * that make up the returned tag.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p tag buffer is too small.
- * #PSA_AEAD_TAG_LENGTH(\c key_type, key_bits, \c alg) or
- * #PSA_AEAD_TAG_MAX_SIZE can be used to determine the required \p tag
- * buffer size.
- */
-psa_status_t mbedtls_psa_aead_finish(
- mbedtls_psa_aead_operation_t *operation,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length,
- uint8_t *tag,
- size_t tag_size,
- size_t *tag_length);
-
-/** Abort an AEAD operation.
- *
- * \note The signature of this function is that of a PSA driver
- * aead_abort entry point. This function behaves as an aead_abort entry
- * point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by the PSA core by it calling
- * mbedtls_psa_aead_encrypt_setup() or mbedtls_psa_aead_decrypt_setup() again.
- *
- * The PSA core may call this function any time after the operation object has
- * been initialized as described in #mbedtls_psa_aead_operation_t.
- *
- * In particular, calling mbedtls_psa_aead_abort() after the operation has been
- * terminated by a call to mbedtls_psa_aead_abort() or
- * mbedtls_psa_aead_finish() is safe and has no effect.
- *
- * \param[in,out] operation Initialized AEAD operation.
- *
- * \retval #PSA_SUCCESS
- * Success.
- */
-psa_status_t mbedtls_psa_aead_abort(
- mbedtls_psa_aead_operation_t *operation);
-
-#endif /* PSA_CRYPTO_AEAD_H */
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
deleted file mode 100644
index b997a07..0000000
--- a/library/psa_crypto_cipher.c
+++ /dev/null
@@ -1,602 +0,0 @@
-/*
- * PSA cipher driver entry points
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include "psa_crypto_cipher.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_random_impl.h"
-
-#include "mbedtls/cipher.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
- psa_algorithm_t alg,
- psa_key_type_t key_type,
- size_t key_bits,
- mbedtls_cipher_id_t *cipher_id)
-{
- mbedtls_cipher_mode_t mode;
- mbedtls_cipher_id_t cipher_id_tmp;
-
- if (PSA_ALG_IS_AEAD(alg)) {
- alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);
- }
-
- if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) {
- switch (alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
- case PSA_ALG_STREAM_CIPHER:
- mode = MBEDTLS_MODE_STREAM;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR)
- case PSA_ALG_CTR:
- mode = MBEDTLS_MODE_CTR;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB)
- case PSA_ALG_CFB:
- mode = MBEDTLS_MODE_CFB;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB)
- case PSA_ALG_OFB:
- mode = MBEDTLS_MODE_OFB;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
- case PSA_ALG_ECB_NO_PADDING:
- mode = MBEDTLS_MODE_ECB;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING)
- case PSA_ALG_CBC_NO_PADDING:
- mode = MBEDTLS_MODE_CBC;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
- case PSA_ALG_CBC_PKCS7:
- mode = MBEDTLS_MODE_CBC;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
- case PSA_ALG_CCM_STAR_NO_TAG:
- mode = MBEDTLS_MODE_CCM_STAR_NO_TAG;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
- mode = MBEDTLS_MODE_CCM;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
- mode = MBEDTLS_MODE_GCM;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
- case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
- mode = MBEDTLS_MODE_CHACHAPOLY;
- break;
-#endif
- default:
- return NULL;
- }
- } else if (alg == PSA_ALG_CMAC) {
- mode = MBEDTLS_MODE_ECB;
- } else {
- return NULL;
- }
-
- switch (key_type) {
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES)
- case PSA_KEY_TYPE_AES:
- cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA)
- case PSA_KEY_TYPE_ARIA:
- cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
- case PSA_KEY_TYPE_DES:
- /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
- * and 192 for three-key Triple-DES. */
- if (key_bits == 64) {
- cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
- } else {
- cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
- }
- /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
- * but two-key Triple-DES is functionally three-key Triple-DES
- * with K1=K3, so that's how we present it to mbedtls. */
- if (key_bits == 128) {
- key_bits = 192;
- }
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA)
- case PSA_KEY_TYPE_CAMELLIA:
- cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
- case PSA_KEY_TYPE_CHACHA20:
- cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
- break;
-#endif
- default:
- return NULL;
- }
- if (cipher_id != NULL) {
- *cipher_id = cipher_id_tmp;
- }
-
- return mbedtls_cipher_info_from_values(cipher_id_tmp,
- (int) key_bits, mode);
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
-
-static psa_status_t psa_cipher_setup(
- mbedtls_psa_cipher_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- mbedtls_operation_t cipher_operation)
-{
- int ret = 0;
- size_t key_bits;
- const mbedtls_cipher_info_t *cipher_info = NULL;
- psa_key_type_t key_type = attributes->core.type;
-
- (void) key_buffer_size;
-
- mbedtls_cipher_init(&operation->ctx.cipher);
-
- operation->alg = alg;
- key_bits = attributes->core.bits;
- cipher_info = mbedtls_cipher_info_from_psa(alg, key_type,
- key_bits, NULL);
- if (cipher_info == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info);
- if (ret != 0) {
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
- if (key_type == PSA_KEY_TYPE_DES && key_bits == 128) {
- /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
- uint8_t keys[24];
- memcpy(keys, key_buffer, 16);
- memcpy(keys + 16, key_buffer, 8);
- ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
- keys,
- 192, cipher_operation);
- } else
-#endif
- {
- ret = mbedtls_cipher_setkey(&operation->ctx.cipher, key_buffer,
- (int) key_bits, cipher_operation);
- }
- if (ret != 0) {
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
- switch (alg) {
- case PSA_ALG_CBC_NO_PADDING:
- ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
- MBEDTLS_PADDING_NONE);
- break;
- case PSA_ALG_CBC_PKCS7:
- ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
- MBEDTLS_PADDING_PKCS7);
- break;
- default:
- /* The algorithm doesn't involve padding. */
- ret = 0;
- break;
- }
- if (ret != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING ||
- MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */
-
- operation->block_length = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 :
- PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type));
- operation->iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg);
-
-exit:
- return mbedtls_to_psa_error(ret);
-}
-
-psa_status_t mbedtls_psa_cipher_encrypt_setup(
- mbedtls_psa_cipher_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- return psa_cipher_setup(operation, attributes,
- key_buffer, key_buffer_size,
- alg, MBEDTLS_ENCRYPT);
-}
-
-psa_status_t mbedtls_psa_cipher_decrypt_setup(
- mbedtls_psa_cipher_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- return psa_cipher_setup(operation, attributes,
- key_buffer, key_buffer_size,
- alg, MBEDTLS_DECRYPT);
-}
-
-psa_status_t mbedtls_psa_cipher_set_iv(
- mbedtls_psa_cipher_operation_t *operation,
- const uint8_t *iv, size_t iv_length)
-{
- if (iv_length != operation->iv_length) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return mbedtls_to_psa_error(
- mbedtls_cipher_set_iv(&operation->ctx.cipher,
- iv, iv_length));
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
-/** Process input for which the algorithm is set to ECB mode.
- *
- * This requires manual processing, since the PSA API is defined as being
- * able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
- * but the underlying mbedtls_cipher_update only takes full blocks.
- *
- * \param ctx The mbedtls cipher context to use. It must have been
- * set up for ECB.
- * \param[in] input The input plaintext or ciphertext to process.
- * \param input_length The number of bytes to process from \p input.
- * This does not need to be aligned to a block boundary.
- * If there is a partial block at the end of the input,
- * it is stored in \p ctx for future processing.
- * \param output The buffer where the output is written. It must be
- * at least `BS * floor((p + input_length) / BS)` bytes
- * long, where `p` is the number of bytes in the
- * unprocessed partial block in \p ctx (with
- * `0 <= p <= BS - 1`) and `BS` is the block size.
- * \param output_length On success, the number of bytes written to \p output.
- * \c 0 on error.
- *
- * \return #PSA_SUCCESS or an error from a hardware accelerator
- */
-static psa_status_t psa_cipher_update_ecb(
- mbedtls_cipher_context_t *ctx,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
- size_t internal_output_length = 0;
- *output_length = 0;
-
- if (input_length == 0) {
- status = PSA_SUCCESS;
- goto exit;
- }
-
- if (ctx->unprocessed_len > 0) {
- /* Fill up to block size, and run the block if there's a full one. */
- size_t bytes_to_copy = block_size - ctx->unprocessed_len;
-
- if (input_length < bytes_to_copy) {
- bytes_to_copy = input_length;
- }
-
- memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
- input, bytes_to_copy);
- input_length -= bytes_to_copy;
- input += bytes_to_copy;
- ctx->unprocessed_len += bytes_to_copy;
-
- if (ctx->unprocessed_len == block_size) {
- status = mbedtls_to_psa_error(
- mbedtls_cipher_update(ctx,
- ctx->unprocessed_data,
- block_size,
- output, &internal_output_length));
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- output += internal_output_length;
- *output_length += internal_output_length;
- ctx->unprocessed_len = 0;
- }
- }
-
- while (input_length >= block_size) {
- /* Run all full blocks we have, one by one */
- status = mbedtls_to_psa_error(
- mbedtls_cipher_update(ctx, input,
- block_size,
- output, &internal_output_length));
-
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- input_length -= block_size;
- input += block_size;
-
- output += internal_output_length;
- *output_length += internal_output_length;
- }
-
- if (input_length > 0) {
- /* Save unprocessed bytes for later processing */
- memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
- input, input_length);
- ctx->unprocessed_len += input_length;
- }
-
- status = PSA_SUCCESS;
-
-exit:
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
-
-psa_status_t mbedtls_psa_cipher_update(
- mbedtls_psa_cipher_operation_t *operation,
- const uint8_t *input, size_t input_length,
- uint8_t *output, size_t output_size, size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t expected_output_size;
-
- if (!PSA_ALG_IS_STREAM_CIPHER(operation->alg)) {
- /* Take the unprocessed partial block left over from previous
- * update calls, if any, plus the input to this call. Remove
- * the last partial block, if any. You get the data that will be
- * output in this call. */
- expected_output_size =
- (operation->ctx.cipher.unprocessed_len + input_length)
- / operation->block_length * operation->block_length;
- } else {
- expected_output_size = input_length;
- }
-
- if (output_size < expected_output_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
- if (operation->alg == PSA_ALG_ECB_NO_PADDING) {
- /* mbedtls_cipher_update has an API inconsistency: it will only
- * process a single block at a time in ECB mode. Abstract away that
- * inconsistency here to match the PSA API behaviour. */
- status = psa_cipher_update_ecb(&operation->ctx.cipher,
- input,
- input_length,
- output,
- output_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
- {
- status = mbedtls_to_psa_error(
- mbedtls_cipher_update(&operation->ctx.cipher, input,
- input_length, output, output_length));
-
- if (*output_length > output_size) {
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
- }
-
- return status;
-}
-
-psa_status_t mbedtls_psa_cipher_finish(
- mbedtls_psa_cipher_operation_t *operation,
- uint8_t *output, size_t output_size, size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_GENERIC_ERROR;
- uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
-
- if (operation->ctx.cipher.unprocessed_len != 0) {
- if (operation->alg == PSA_ALG_ECB_NO_PADDING ||
- operation->alg == PSA_ALG_CBC_NO_PADDING) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_cipher_finish(&operation->ctx.cipher,
- temp_output_buffer,
- output_length));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (*output_length == 0) {
- ; /* Nothing to copy. Note that output may be NULL in this case. */
- } else if (output_size >= *output_length) {
- memcpy(output, temp_output_buffer, *output_length);
- } else {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
-exit:
- mbedtls_platform_zeroize(temp_output_buffer,
- sizeof(temp_output_buffer));
-
- return status;
-}
-
-psa_status_t mbedtls_psa_cipher_abort(
- mbedtls_psa_cipher_operation_t *operation)
-{
- /* Sanity check (shouldn't happen: operation->alg should
- * always have been initialized to a valid value). */
- if (!PSA_ALG_IS_CIPHER(operation->alg)) {
- return PSA_ERROR_BAD_STATE;
- }
-
- mbedtls_cipher_free(&operation->ctx.cipher);
-
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_cipher_encrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *iv,
- size_t iv_length,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
- size_t update_output_length, finish_output_length;
-
- status = mbedtls_psa_cipher_encrypt_setup(&operation, attributes,
- key_buffer, key_buffer_size,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (iv_length > 0) {
- status = mbedtls_psa_cipher_set_iv(&operation, iv, iv_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = mbedtls_psa_cipher_update(&operation, input, input_length,
- output, output_size,
- &update_output_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = mbedtls_psa_cipher_finish(
- &operation,
- mbedtls_buffer_offset(output, update_output_length),
- output_size - update_output_length, &finish_output_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *output_length = update_output_length + finish_output_length;
-
-exit:
- if (status == PSA_SUCCESS) {
- status = mbedtls_psa_cipher_abort(&operation);
- } else {
- mbedtls_psa_cipher_abort(&operation);
- }
-
- return status;
-}
-
-psa_status_t mbedtls_psa_cipher_decrypt(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
- size_t olength, accumulated_length;
-
- status = mbedtls_psa_cipher_decrypt_setup(&operation, attributes,
- key_buffer, key_buffer_size,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (operation.iv_length > 0) {
- status = mbedtls_psa_cipher_set_iv(&operation,
- input, operation.iv_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = mbedtls_psa_cipher_update(
- &operation,
- mbedtls_buffer_offset_const(input, operation.iv_length),
- input_length - operation.iv_length,
- output, output_size, &olength);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- accumulated_length = olength;
-
- status = mbedtls_psa_cipher_finish(
- &operation,
- mbedtls_buffer_offset(output, accumulated_length),
- output_size - accumulated_length, &olength);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *output_length = accumulated_length + olength;
-
-exit:
- if (status == PSA_SUCCESS) {
- status = mbedtls_psa_cipher_abort(&operation);
- } else {
- mbedtls_psa_cipher_abort(&operation);
- }
-
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h
deleted file mode 100644
index bf43ff0..0000000
--- a/library/psa_crypto_cipher.h
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * PSA cipher driver entry points and associated auxiliary functions
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_CIPHER_H
-#define PSA_CRYPTO_CIPHER_H
-
-#include <mbedtls/cipher.h>
-#include <psa/crypto.h>
-
-/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier
- * as well as the PSA type and size of the key to be used with the cipher
- * algorithm.
- *
- * \param alg PSA cipher algorithm identifier
- * \param key_type PSA key type
- * \param key_bits Size of the key in bits
- * \param[out] cipher_id Mbed TLS cipher algorithm identifier
- *
- * \return The Mbed TLS cipher information of the cipher algorithm.
- * \c NULL if the PSA cipher algorithm is not supported.
- */
-const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
- psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits,
- mbedtls_cipher_id_t *cipher_id);
-
-/**
- * \brief Set the key for a multipart symmetric encryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_encrypt_setup entry point. This function behaves as a
- * cipher_encrypt_setup entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation The operation object to set up. It has been
- * initialized as per the documentation for
- * #psa_cipher_operation_t and not yet in use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_encrypt_setup(
- mbedtls_psa_cipher_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/**
- * \brief Set the key for a multipart symmetric decryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_decrypt_setup entry point. This function behaves as a
- * cipher_decrypt_setup entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation The operation object to set up. It has been
- * initialized as per the documentation for
- * #psa_cipher_operation_t and not yet in use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_decrypt_setup(
- mbedtls_psa_cipher_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/** Set the IV for a symmetric encryption or decryption operation.
- *
- * This function sets the IV (initialization vector), nonce
- * or initial counter value for the encryption or decryption operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_set_iv entry point. This function behaves as a
- * cipher_set_iv entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation Active cipher operation.
- * \param[in] iv Buffer containing the IV to use.
- * \param[in] iv_length Size of the IV in bytes. It is guaranteed by
- * the core to be less or equal to
- * PSA_CIPHER_IV_MAX_SIZE.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p iv is not acceptable for the chosen algorithm,
- * or the chosen algorithm does not use an IV.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_set_iv(
- mbedtls_psa_cipher_operation_t *operation,
- const uint8_t *iv, size_t iv_length);
-
-/** Encrypt or decrypt a message fragment in an active cipher operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_update entry point. This function behaves as a
- * cipher_update entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation Active cipher operation.
- * \param[in] input Buffer containing the message fragment to
- * encrypt or decrypt.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * \param[in] output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_update(
- mbedtls_psa_cipher_operation_t *operation,
- const uint8_t *input, size_t input_length,
- uint8_t *output, size_t output_size, size_t *output_length);
-
-/** Finish encrypting or decrypting a message in a cipher operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_finish entry point. This function behaves as a
- * cipher_finish entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation Active cipher operation.
- * \param[out] output Buffer where the output is to be written.
- * \param[in] output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The total input size passed to this operation is not valid for
- * this particular algorithm. For example, the algorithm is a based
- * on block cipher and requires a whole number of blocks, but the
- * total input size is not a multiple of the block size.
- * \retval #PSA_ERROR_INVALID_PADDING
- * This is a decryption operation for an algorithm that includes
- * padding, and the ciphertext does not contain valid padding.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_finish(
- mbedtls_psa_cipher_operation_t *operation,
- uint8_t *output, size_t output_size, size_t *output_length);
-
-/** Abort a cipher operation.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_abort entry point. This function behaves as a
- * cipher_abort entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation Initialized cipher operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- */
-psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation);
-
-/** Encrypt a message using a symmetric cipher.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_encrypt entry point. This function behaves as a
- * cipher_encrypt entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param[in] iv Buffer containing the IV for encryption. The
- * IV has been generated by the core.
- * \param[in] iv_length Size of the \p iv in bytes.
- * \param[in] input Buffer containing the message to encrypt.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[in,out] output Buffer where the output is to be written.
- * \param[in] output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes that make up
- * the returned output. Initialized to zero
- * by the core.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size \p iv_length is not acceptable for the chosen algorithm,
- * or the chosen algorithm does not use an IV.
- * The total input size passed to this operation is not valid for
- * this particular algorithm. For example, the algorithm is a based
- * on block cipher and requires a whole number of blocks, but the
- * total input size is not a multiple of the block size.
- * \retval #PSA_ERROR_INVALID_PADDING
- * This is a decryption operation for an algorithm that includes
- * padding, and the ciphertext does not contain valid padding.
- */
-psa_status_t mbedtls_psa_cipher_encrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *iv,
- size_t iv_length,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Decrypt a message using a symmetric cipher.
- *
- * \note The signature of this function is that of a PSA driver
- * cipher_decrypt entry point. This function behaves as a
- * cipher_decrypt entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param[in] input Buffer containing the iv and the ciphertext.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[out] output Buffer where the output is to be written.
- * \param[in] output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes that make up
- * the returned output. Initialized to zero
- * by the core.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p iv is not acceptable for the chosen algorithm,
- * or the chosen algorithm does not use an IV.
- * The total input size passed to this operation is not valid for
- * this particular algorithm. For example, the algorithm is a based
- * on block cipher and requires a whole number of blocks, but the
- * total input size is not a multiple of the block size.
- * \retval #PSA_ERROR_INVALID_PADDING
- * This is a decryption operation for an algorithm that includes
- * padding, and the ciphertext does not contain valid padding.
- */
-psa_status_t mbedtls_psa_cipher_decrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-#endif /* PSA_CRYPTO_CIPHER_H */
diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c
deleted file mode 100644
index c323427..0000000
--- a/library/psa_crypto_client.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * PSA crypto client code
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-#include "psa/crypto.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
-
-#include <string.h>
-#include "mbedtls/platform.h"
-
-void psa_reset_key_attributes(psa_key_attributes_t *attributes)
-{
- mbedtls_free(attributes->domain_parameters);
- memset(attributes, 0, sizeof(*attributes));
-}
-
-psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length)
-{
- uint8_t *copy = NULL;
-
- if (data_length != 0) {
- copy = mbedtls_calloc(1, data_length);
- if (copy == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- memcpy(copy, data, data_length);
- }
- /* After this point, this function is guaranteed to succeed, so it
- * can start modifying `*attributes`. */
-
- if (attributes->domain_parameters != NULL) {
- mbedtls_free(attributes->domain_parameters);
- attributes->domain_parameters = NULL;
- attributes->domain_parameters_size = 0;
- }
-
- attributes->domain_parameters = copy;
- attributes->domain_parameters_size = data_length;
- attributes->core.type = type;
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_get_key_domain_parameters(
- const psa_key_attributes_t *attributes,
- uint8_t *data, size_t data_size, size_t *data_length)
-{
- if (attributes->domain_parameters_size > data_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- *data_length = attributes->domain_parameters_size;
- if (attributes->domain_parameters_size != 0) {
- memcpy(data, attributes->domain_parameters,
- attributes->domain_parameters_size);
- }
- return PSA_SUCCESS;
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
deleted file mode 100644
index 29b3b94..0000000
--- a/library/psa_crypto_core.h
+++ /dev/null
@@ -1,857 +0,0 @@
-/*
- * PSA crypto core internal interfaces
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_CORE_H
-#define PSA_CRYPTO_CORE_H
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
-
-/**
- * Tell if PSA is ready for this hash.
- *
- * \note For now, only checks the state of the driver subsystem,
- * not the algorithm. Might do more in the future.
- *
- * \param hash_alg The hash algorithm (ignored for now).
- *
- * \return 1 if the driver subsytem is ready, 0 otherwise.
- */
-int psa_can_do_hash(psa_algorithm_t hash_alg);
-
-/** The data structure representing a key slot, containing key material
- * and metadata for one key.
- */
-typedef struct {
- psa_core_key_attributes_t attr;
-
- /*
- * Number of locks on the key slot held by the library.
- *
- * This counter is incremented by one each time a library function
- * retrieves through one of the dedicated internal API a pointer to the
- * key slot.
- *
- * This counter is decremented by one each time a library function stops
- * accessing the key slot and states it by calling the
- * psa_unlock_key_slot() API.
- *
- * This counter is used to prevent resetting the key slot while the library
- * may access it. For example, such control is needed in the following
- * scenarios:
- * . In case of key slot starvation, all key slots contain the description
- * of a key, and the library asks for the description of a persistent
- * key not present in the key slots, the key slots currently accessed by
- * the library cannot be reclaimed to free a key slot to load the
- * persistent key.
- * . In case of a multi-threaded application where one thread asks to close
- * or purge or destroy a key while it is in used by the library through
- * another thread.
- */
- size_t lock_count;
-
- /* Dynamically allocated key data buffer.
- * Format as specified in psa_export_key(). */
- struct key_data {
- uint8_t *data;
- size_t bytes;
- } key;
-} psa_key_slot_t;
-
-/* A mask of key attribute flags used only internally.
- * Currently there aren't any. */
-#define PSA_KA_MASK_INTERNAL_ONLY ( \
- 0)
-
-/** Test whether a key slot is occupied.
- *
- * A key slot is occupied iff the key type is nonzero. This works because
- * no valid key can have 0 as its key type.
- *
- * \param[in] slot The key slot to test.
- *
- * \return 1 if the slot is occupied, 0 otherwise.
- */
-static inline int psa_is_key_slot_occupied(const psa_key_slot_t *slot)
-{
- return slot->attr.type != 0;
-}
-
-/** Test whether a key slot is locked.
- *
- * A key slot is locked iff its lock counter is strictly greater than 0.
- *
- * \param[in] slot The key slot to test.
- *
- * \return 1 if the slot is locked, 0 otherwise.
- */
-static inline int psa_is_key_slot_locked(const psa_key_slot_t *slot)
-{
- return slot->lock_count > 0;
-}
-
-/** Retrieve flags from psa_key_slot_t::attr::core::flags.
- *
- * \param[in] slot The key slot to query.
- * \param mask The mask of bits to extract.
- *
- * \return The key attribute flags in the given slot,
- * bitwise-anded with \p mask.
- */
-static inline uint16_t psa_key_slot_get_flags(const psa_key_slot_t *slot,
- uint16_t mask)
-{
- return slot->attr.flags & mask;
-}
-
-/** Set flags in psa_key_slot_t::attr::core::flags.
- *
- * \param[in,out] slot The key slot to modify.
- * \param mask The mask of bits to modify.
- * \param value The new value of the selected bits.
- */
-static inline void psa_key_slot_set_flags(psa_key_slot_t *slot,
- uint16_t mask,
- uint16_t value)
-{
- slot->attr.flags = ((~mask & slot->attr.flags) |
- (mask & value));
-}
-
-/** Turn on flags in psa_key_slot_t::attr::core::flags.
- *
- * \param[in,out] slot The key slot to modify.
- * \param mask The mask of bits to set.
- */
-static inline void psa_key_slot_set_bits_in_flags(psa_key_slot_t *slot,
- uint16_t mask)
-{
- slot->attr.flags |= mask;
-}
-
-/** Turn off flags in psa_key_slot_t::attr::core::flags.
- *
- * \param[in,out] slot The key slot to modify.
- * \param mask The mask of bits to clear.
- */
-static inline void psa_key_slot_clear_bits(psa_key_slot_t *slot,
- uint16_t mask)
-{
- slot->attr.flags &= ~mask;
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/** Get the SE slot number of a key from the key slot storing its description.
- *
- * \param[in] slot The key slot to query. This must be a key slot storing
- * the description of a key of a dynamically registered
- * secure element, otherwise the behaviour is undefined.
- */
-static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
- const psa_key_slot_t *slot)
-{
- return *((psa_key_slot_number_t *) (slot->key.data));
-}
-#endif
-
-/** Completely wipe a slot in memory, including its policy.
- *
- * Persistent storage is not affected.
- *
- * \param[in,out] slot The key slot to wipe.
- *
- * \retval #PSA_SUCCESS
- * Success. This includes the case of a key slot that was
- * already fully wiped.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
-
-/** Try to allocate a buffer to an empty key slot.
- *
- * \param[in,out] slot Key slot to attach buffer to.
- * \param[in] buffer_length Requested size of the buffer.
- *
- * \retval #PSA_SUCCESS
- * The buffer has been successfully allocated.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * Not enough memory was available for allocation.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * Trying to allocate a buffer to a non-empty key slot.
- */
-psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
- size_t buffer_length);
-
-/** Wipe key data from a slot. Preserves metadata such as the policy. */
-psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot);
-
-/** Copy key data (in export format) into an empty key slot.
- *
- * This function assumes that the slot does not contain
- * any key material yet. On failure, the slot content is unchanged.
- *
- * \param[in,out] slot Key slot to copy the key into.
- * \param[in] data Buffer containing the key material.
- * \param data_length Size of the key buffer.
- *
- * \retval #PSA_SUCCESS
- * The key has been copied successfully.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * Not enough memory was available for allocation of the
- * copy buffer.
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * There was other key material already present in the slot.
- */
-psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
- const uint8_t *data,
- size_t data_length);
-
-/** Convert an Mbed TLS error code to a PSA error code
- *
- * \note This function is provided solely for the convenience of
- * Mbed TLS and may be removed at any time without notice.
- *
- * \param ret An Mbed TLS-thrown error code
- *
- * \return The corresponding PSA error code
- */
-psa_status_t mbedtls_to_psa_error(int ret);
-
-/** Import a key in binary format.
- *
- * \note The signature of this function is that of a PSA driver
- * import_key entry point. This function behaves as an import_key
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes for the key to import.
- * \param[in] data The buffer containing the key data in import
- * format.
- * \param[in] data_length Size of the \p data buffer in bytes.
- * \param[out] key_buffer The buffer to contain the key data in output
- * format upon successful return.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
- * size is greater or equal to \p data_length.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- * \param[out] bits The key size in number of bits.
- *
- * \retval #PSA_SUCCESS The key was imported successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t psa_import_key_into_slot(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits);
-
-/** Export a key in binary format
- *
- * \note The signature of this function is that of a PSA driver export_key
- * entry point. This function behaves as an export_key entry point as
- * defined in the PSA driver interface specification.
- *
- * \param[in] attributes The attributes for the key to export.
- * \param[in] key_buffer Material or context of the key to export.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] data Buffer where the key data is to be written.
- * \param[in] data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes written in
- * \p data
- *
- * \retval #PSA_SUCCESS The key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t psa_export_key_internal(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length);
-
-/** Export a public key or the public part of a key pair in binary format.
- *
- * \note The signature of this function is that of a PSA driver
- * export_public_key entry point. This function behaves as an
- * export_public_key entry point as defined in the PSA driver interface
- * specification.
- *
- * \param[in] attributes The attributes for the key to export.
- * \param[in] key_buffer Material or context of the key to export.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] data Buffer where the key data is to be written.
- * \param[in] data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes written in
- * \p data
- *
- * \retval #PSA_SUCCESS The public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t psa_export_public_key_internal(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length);
-
-/**
- * \brief Generate a key.
- *
- * \note The signature of the function is that of a PSA driver generate_key
- * entry point.
- *
- * \param[in] attributes The attributes for the key to generate.
- * \param[out] key_buffer Buffer where the key data is to be written.
- * \param[in] key_buffer_size Size of \p key_buffer in bytes.
- * \param[out] key_buffer_length On success, the number of bytes written in
- * \p key_buffer.
- *
- * \retval #PSA_SUCCESS
- * The key was generated successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Key size in bits or type not supported.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- */
-psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length);
-
-/** Sign a message with a private key. For hash-and-sign algorithms,
- * this includes the hashing step.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_message entry point. This function behaves as a sign_message
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \note This function will call the driver for psa_sign_hash
- * and go through driver dispatch again.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] input The input message to sign.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of the key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- */
-psa_status_t psa_sign_message_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *input, size_t input_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length);
-
-/** Verify the signature of a message with a public key, using
- * a hash-and-sign verification algorithm.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_message entry point. This function behaves as a verify_message
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \note This function will call the driver for psa_verify_hash
- * and go through driver dispatch again.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] input The message whose signature is to be verified.
- * \param[in] input_length Size of the \p input buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t psa_verify_message_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *input, size_t input_length,
- const uint8_t *signature, size_t signature_length);
-
-/** Sign an already-calculated hash with a private key.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash entry point. This function behaves as a sign_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] hash The hash or message to sign.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of the key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- */
-psa_status_t psa_sign_hash_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length);
-
-/**
- * \brief Verify the signature a hash or short message using a public key.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash entry point. This function behaves as a verify_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] hash The hash or message whose signature is to be
- * verified.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t psa_verify_hash_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length);
-
-/**
- * \brief Validate the key bit size for unstructured keys.
- *
- * \note Check that the bit size is acceptable for a given key type for
- * unstructured keys.
- *
- * \param[in] type The key type
- * \param[in] bits The number of bits of the key
- *
- * \retval #PSA_SUCCESS
- * The key type and size are valid.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size in bits of the key is not valid.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The type and/or the size in bits of the key or the combination of
- * the two is not supported.
- */
-psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
- size_t bits);
-
-/** Perform a key agreement and return the raw shared secret, using
- built-in raw key agreement functions.
- *
- * \note The signature of this function is that of a PSA driver
- * key_agreement entry point. This function behaves as a key_agreement
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the private key
- * context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in
- * bytes.
- * \param[in] alg A key agreement algorithm that is
- * compatible with the type of the key.
- * \param[in] peer_key The buffer containing the key context
- * of the peer's public key.
- * \param[in] peer_key_length Size of the \p peer_key buffer in
- * bytes.
- * \param[out] shared_secret The buffer to which the shared secret
- * is to be written.
- * \param[in] shared_secret_size Size of the \p shared_secret buffer in
- * bytes.
- * \param[out] shared_secret_length On success, the number of bytes that make
- * up the returned shared secret.
- * \retval #PSA_SUCCESS
- * Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p alg is not a key agreement algorithm, or
- * \p private_key is not compatible with \p alg,
- * or \p peer_key is not valid for \p alg or not compatible with
- * \p private_key.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p shared_secret_size is too small
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_BAD_STATE \emptydescription
- */
-psa_status_t psa_key_agreement_raw_builtin(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *peer_key,
- size_t peer_key_length,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length);
-
-/**
- * \brief Set the maximum number of ops allowed to be executed by an
- * interruptible function in a single call.
- *
- * \note The signature of this function is that of a PSA driver
- * interruptible_set_max_ops entry point. This function behaves as an
- * interruptible_set_max_ops entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in] max_ops The maximum number of ops to be executed in a
- * single call, this can be a number from 0 to
- * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
- * is obviously the least amount of work done per
- * call.
- */
-void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
-
-/**
- * \brief Get the maximum number of ops allowed to be executed by an
- * interruptible function in a single call.
- *
- * \note The signature of this function is that of a PSA driver
- * interruptible_get_max_ops entry point. This function behaves as an
- * interruptible_get_max_ops entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \return Maximum number of ops allowed to be executed
- * by an interruptible function in a single call.
- */
-uint32_t mbedtls_psa_interruptible_get_max_ops(void);
-
-/**
- * \brief Get the number of ops that a hash signing operation has taken for the
- * previous call. If no call or work has taken place, this will return
- * zero.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash_get_num_ops entry point. This function behaves as an
- * sign_hash_get_num_ops entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param operation The \c
- * mbedtls_psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \return Number of ops that were completed
- * in the last call to \c
- * mbedtls_psa_sign_hash_complete().
- */
-uint32_t mbedtls_psa_sign_hash_get_num_ops(
- const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Get the number of ops that a hash verification operation has taken for
- * the previous call. If no call or work has taken place, this will
- * return zero.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash_get_num_ops entry point. This function behaves as an
- * verify_hash_get_num_ops entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param operation The \c
- * mbedtls_psa_verify_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \return Number of ops that were completed
- * in the last call to \c
- * mbedtls_psa_verify_hash_complete().
- */
-uint32_t mbedtls_psa_verify_hash_get_num_ops(
- const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Start signing a hash or short message with a private key, in an
- * interruptible manner.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash_start entry point. This function behaves as a
- * sign_hash_start entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] hash The hash or message to sign.
- * \param hash_length Size of the \p hash buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The operation started successfully - call \c psa_sign_hash_complete()
- * with the same context to complete the operation
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * An unsupported, incorrectly formatted or incorrect type of key was
- * used.
- * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
- * are currently supported, or the key type is currently unsupported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * There was insufficient memory to load the key representation.
- */
-psa_status_t mbedtls_psa_sign_hash_start(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation,
- const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
- size_t key_buffer_size, psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length);
-
-/**
- * \brief Continue and eventually complete the action of signing a hash or
- * short message with a private key, in an interruptible manner.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash_complete entry point. This function behaves as a
- * sign_hash_complete entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \param[out] signature Buffer where the signature is to be written.
- * \param signature_size Size of the \p signature buffer in bytes. This
- * must be appropriate for the selected
- * algorithm and key.
- * \param[out] signature_length On success, the number of bytes that make up
- * the returned signature value.
- *
- * \retval #PSA_SUCCESS
- * Operation completed successfully
- *
- * \retval #PSA_OPERATION_INCOMPLETE
- * Operation was interrupted due to the setting of \c
- * psa_interruptible_set_max_ops(), there is still work to be done,
- * please call this function again with the same operation object.
- *
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- */
-psa_status_t mbedtls_psa_sign_hash_complete(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation,
- uint8_t *signature, size_t signature_size,
- size_t *signature_length);
-
-/**
- * \brief Abort a sign hash operation.
- *
- * \note The signature of this function is that of a PSA driver sign_hash_abort
- * entry point. This function behaves as a sign_hash_abort entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_sign_hash_interruptible_operation_t
- * to abort.
- *
- * \retval #PSA_SUCCESS
- * The operation was aborted successfully.
- */
-psa_status_t mbedtls_psa_sign_hash_abort(
- mbedtls_psa_sign_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Start reading and verifying a hash or short message, in an
- * interruptible manner.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash_start entry point. This function behaves as a
- * verify_hash_start entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_verify_hash_interruptible_operation_t
- * to use. This must be initialized first.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * the type of the key.
- * \param[in] hash The hash whose signature is to be verified.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The operation started successfully - call \c psa_sign_hash_complete()
- * with the same context to complete the operation
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * An unsupported or incorrect type of key was used.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Either no internal interruptible operations are currently supported,
- * or the key type is currently unsupported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * There was insufficient memory either to load the key representation,
- * or to prepare the operation.
- */
-psa_status_t mbedtls_psa_verify_hash_start(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length);
-
-/**
- * \brief Continue and eventually complete the action of signing a hash or
- * short message with a private key, in an interruptible manner.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash_complete entry point. This function behaves as a
- * sign_hash_complete entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_sign_hash_interruptible_operation_t
- * to use. This must be initialized first.
- *
- * \retval #PSA_SUCCESS
- * Operation completed successfully, and the passed signature is valid.
- *
- * \retval #PSA_OPERATION_INCOMPLETE
- * Operation was interrupted due to the setting of \c
- * psa_interruptible_set_max_ops(), there is still work to be done,
- * please call this function again with the same operation object.
- *
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- *
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_verify_hash_complete(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation);
-
-/**
- * \brief Abort a verify signed hash operation.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash_abort entry point. This function behaves as a
- * verify_hash_abort entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * \param[in] operation The \c
- * mbedtls_psa_verify_hash_interruptible_operation_t
- * to abort.
- *
- * \retval #PSA_SUCCESS
- * The operation was aborted successfully.
- */
-psa_status_t mbedtls_psa_verify_hash_abort(
- mbedtls_psa_verify_hash_interruptible_operation_t *operation);
-
-#endif /* PSA_CRYPTO_CORE_H */
diff --git a/library/psa_crypto_core_common.h b/library/psa_crypto_core_common.h
deleted file mode 100644
index dd72ab1..0000000
--- a/library/psa_crypto_core_common.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * \file psa_crypto_core_common.h
- *
- * \brief Utility macros for internal use in the PSA cryptography core.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_CORE_COMMON_H
-#define PSA_CRYPTO_CORE_COMMON_H
-
-/** Return an offset into a buffer.
- *
- * This is just the addition of an offset to a pointer, except that this
- * function also accepts an offset of 0 into a buffer whose pointer is null.
- * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
- * A null pointer is a valid buffer pointer when the size is 0, for example
- * as the result of `malloc(0)` on some platforms.)
- *
- * \param p Pointer to a buffer of at least n bytes.
- * This may be \p NULL if \p n is zero.
- * \param n An offset in bytes.
- * \return Pointer to offset \p n in the buffer \p p.
- * Note that this is only a valid pointer if the size of the
- * buffer is at least \p n + 1.
- */
-static inline unsigned char *psa_crypto_buffer_offset(
- unsigned char *p, size_t n)
-{
- return p == NULL ? NULL : p + n;
-}
-
-/** Return an offset into a read-only buffer.
- *
- * Similar to mbedtls_buffer_offset(), but for const pointers.
- *
- * \param p Pointer to a buffer of at least n bytes.
- * This may be \p NULL if \p n is zero.
- * \param n An offset in bytes.
- * \return Pointer to offset \p n in the buffer \p p.
- * Note that this is only a valid pointer if the size of the
- * buffer is at least \p n + 1.
- */
-static inline const unsigned char *psa_crypto_buffer_offset_const(
- const unsigned char *p, size_t n)
-{
- return p == NULL ? NULL : p + n;
-}
-
-#endif /* PSA_CRYPTO_CORE_COMMON_H */
diff --git a/library/psa_crypto_driver_wrappers_no_static.h b/library/psa_crypto_driver_wrappers_no_static.h
deleted file mode 100644
index 4985403..0000000
--- a/library/psa_crypto_driver_wrappers_no_static.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Function signatures for functionality that can be provided by
- * cryptographic accelerators.
- */
-/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
-#define PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
-
-#include "psa/crypto.h"
-#include "psa/crypto_driver_common.h"
-
-psa_status_t psa_driver_wrapper_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length);
-
-psa_status_t psa_driver_wrapper_get_key_buffer_size(
- const psa_key_attributes_t *attributes,
- size_t *key_buffer_size);
-
-psa_status_t psa_driver_wrapper_get_builtin_key(
- psa_drv_slot_number_t slot_number,
- psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
-
-#endif /* PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H */
-
-/* End of automatically generated file. */
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
deleted file mode 100644
index 5c77865..0000000
--- a/library/psa_crypto_ecp.c
+++ /dev/null
@@ -1,573 +0,0 @@
-/*
- * PSA ECP layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_ecp.h"
-#include "psa_crypto_random_impl.h"
-#include "md_psa.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
-
-#include <mbedtls/ecdsa.h>
-#include <mbedtls/ecdh.h>
-#include <mbedtls/ecp.h>
-#include <mbedtls/error.h>
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
-psa_status_t mbedtls_psa_ecp_load_representation(
- psa_key_type_t type, size_t curve_bits,
- const uint8_t *data, size_t data_length,
- mbedtls_ecp_keypair **p_ecp)
-{
- mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
- psa_status_t status;
- mbedtls_ecp_keypair *ecp = NULL;
- size_t curve_bytes = data_length;
- int explicit_bits = (curve_bits != 0);
-
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
- PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
- /* A Weierstrass public key is represented as:
- * - The byte 0x04;
- * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
- * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
- * So its data length is 2m+1 where m is the curve size in bits.
- */
- if ((data_length & 1) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- curve_bytes = data_length / 2;
-
- /* Montgomery public keys are represented in compressed format, meaning
- * their curve_bytes is equal to the amount of input. */
-
- /* Private keys are represented in uncompressed private random integer
- * format, meaning their curve_bytes is equal to the amount of input. */
- }
-
- if (explicit_bits) {
- /* With an explicit bit-size, the data must have the matching length. */
- if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- } else {
- /* We need to infer the bit-size from the data. Since the only
- * information we have is the length in bytes, the value of curve_bits
- * at this stage is rounded up to the nearest multiple of 8. */
- curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
- }
-
- /* Allocate and initialize a key representation. */
- ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
- if (ecp == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- mbedtls_ecp_keypair_init(ecp);
-
- /* Load the group. */
- grp_id = mbedtls_ecc_group_of_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
- curve_bits, !explicit_bits);
- if (grp_id == MBEDTLS_ECP_DP_NONE) {
- /* We can't distinguish between a nonsensical family/size combination
- * (which would warrant PSA_ERROR_INVALID_ARGUMENT) and a
- * well-regarded curve that Mbed TLS just doesn't know about (which
- * would warrant PSA_ERROR_NOT_SUPPORTED). For uniformity with how
- * curves that Mbed TLS knows about but for which support is disabled
- * at build time, return NOT_SUPPORTED. */
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecp_group_load(&ecp->grp, grp_id));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Load the key material. */
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
- /* Load the public value. */
- status = mbedtls_to_psa_error(
- mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
- data,
- data_length));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Check that the point is on the curve. */
- status = mbedtls_to_psa_error(
- mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- } else {
- /* Load and validate the secret value. */
- status = mbedtls_to_psa_error(
- mbedtls_ecp_read_key(ecp->grp.id,
- ecp,
- data,
- data_length));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- *p_ecp = ecp;
-exit:
- if (status != PSA_SUCCESS) {
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
- }
-
- return status;
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
-
-psa_status_t mbedtls_psa_ecp_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits)
-{
- psa_status_t status;
- mbedtls_ecp_keypair *ecp = NULL;
-
- /* Parse input */
- status = mbedtls_psa_ecp_load_representation(attributes->core.type,
- attributes->core.bits,
- data,
- data_length,
- &ecp);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) ==
- PSA_ECC_FAMILY_MONTGOMERY) {
- *bits = ecp->grp.nbits + 1;
- } else {
- *bits = ecp->grp.nbits;
- }
-
- /* Re-export the data to PSA export format. There is currently no support
- * for other input formats then the export format, so this is a 1-1
- * copy operation. */
- status = mbedtls_psa_ecp_export_key(attributes->core.type,
- ecp,
- key_buffer,
- key_buffer_size,
- key_buffer_length);
-exit:
- /* Always free the PK object (will also free contained ECP context) */
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
-
- return status;
-}
-
-psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
- mbedtls_ecp_keypair *ecp,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- psa_status_t status;
-
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
- /* Check whether the public part is loaded */
- if (mbedtls_ecp_is_zero(&ecp->Q)) {
- /* Calculate the public key */
- status = mbedtls_to_psa_error(
- mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE));
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- data_length,
- data,
- data_size));
- if (status != PSA_SUCCESS) {
- memset(data, 0, data_size);
- }
-
- return status;
- } else {
- if (data_size < PSA_BITS_TO_BYTES(ecp->grp.nbits)) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecp_write_key(ecp,
- data,
- PSA_BITS_TO_BYTES(ecp->grp.nbits)));
- if (status == PSA_SUCCESS) {
- *data_length = PSA_BITS_TO_BYTES(ecp->grp.nbits);
- } else {
- memset(data, 0, data_size);
- }
-
- return status;
- }
-}
-
-psa_status_t mbedtls_psa_ecp_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_keypair *ecp = NULL;
-
- status = mbedtls_psa_ecp_load_representation(
- attributes->core.type, attributes->core.bits,
- key_buffer, key_buffer_size, &ecp);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = mbedtls_psa_ecp_export_key(
- PSA_KEY_TYPE_ECC_PUBLIC_KEY(
- PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type)),
- ecp, data, data_size, data_length);
-
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
-
- return status;
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-psa_status_t mbedtls_psa_ecp_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
- attributes->core.type);
- mbedtls_ecp_group_id grp_id =
- mbedtls_ecc_group_of_psa(curve, attributes->core.bits, 0);
-
- const mbedtls_ecp_curve_info *curve_info =
- mbedtls_ecp_curve_info_from_grp_id(grp_id);
- mbedtls_ecp_keypair ecp;
-
- if (attributes->domain_parameters_size != 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- mbedtls_ecp_keypair_init(&ecp);
- ret = mbedtls_ecp_gen_key(grp_id, &ecp,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- if (ret != 0) {
- mbedtls_ecp_keypair_free(&ecp);
- return mbedtls_to_psa_error(ret);
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecp_write_key(&ecp, key_buffer, key_buffer_size));
-
- mbedtls_ecp_keypair_free(&ecp);
-
- if (status == PSA_SUCCESS) {
- *key_buffer_length = key_buffer_size;
- }
-
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
-
-/****************************************************************/
-/* ECDSA sign/verify */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
-psa_status_t mbedtls_psa_ecdsa_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_keypair *ecp = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t curve_bytes;
- mbedtls_mpi r, s;
-
- status = mbedtls_psa_ecp_load_representation(attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &ecp);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&s);
-
- if (signature_size < 2 * curve_bytes) {
- ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
- goto cleanup;
- }
-
- if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
- psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
- &ecp->grp, &r, &s,
- &ecp->d, hash,
- hash_length, md_alg,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE));
-#else
- ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
- goto cleanup;
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
- } else {
- (void) alg;
- MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
- hash, hash_length,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE));
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
- signature,
- curve_bytes));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
- signature + curve_bytes,
- curve_bytes));
-cleanup:
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&s);
- if (ret == 0) {
- *signature_length = 2 * curve_bytes;
- }
-
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
-
- return mbedtls_to_psa_error(ret);
-}
-
-psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
-{
- int ret = 0;
-
- /* Check whether the public part is loaded. If not, load it. */
- if (mbedtls_ecp_is_zero(&ecp->Q)) {
- ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
- &ecp->d, &ecp->grp.G,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- }
-
- return mbedtls_to_psa_error(ret);
-}
-
-psa_status_t mbedtls_psa_ecdsa_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_ecp_keypair *ecp = NULL;
- size_t curve_bytes;
- mbedtls_mpi r, s;
-
- (void) alg;
-
- status = mbedtls_psa_ecp_load_representation(attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &ecp);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
- mbedtls_mpi_init(&r);
- mbedtls_mpi_init(&s);
-
- if (signature_length != 2 * curve_bytes) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto cleanup;
- }
-
- status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
- signature,
- curve_bytes));
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
- signature + curve_bytes,
- curve_bytes));
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- status = mbedtls_psa_ecp_load_public_part(ecp);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
- hash_length, &ecp->Q,
- &r, &s));
-cleanup:
- mbedtls_mpi_free(&r);
- mbedtls_mpi_free(&s);
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
-
- return status;
-}
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
- * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
-
-/****************************************************************/
-/* ECDH Key Agreement */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
-psa_status_t mbedtls_psa_key_agreement_ecdh(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
- uint8_t *shared_secret, size_t shared_secret_size,
- size_t *shared_secret_length)
-{
- psa_status_t status;
- if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->core.type) ||
- !PSA_ALG_IS_ECDH(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- mbedtls_ecp_keypair *ecp = NULL;
- status = mbedtls_psa_ecp_load_representation(
- attributes->core.type,
- attributes->core.bits,
- key_buffer,
- key_buffer_size,
- &ecp);
- if (status != PSA_SUCCESS) {
- return status;
- }
- mbedtls_ecp_keypair *their_key = NULL;
- mbedtls_ecdh_context ecdh;
- size_t bits = 0;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ecp->grp.id, &bits);
- mbedtls_ecdh_init(&ecdh);
-
- status = mbedtls_psa_ecp_load_representation(
- PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
- bits,
- peer_key,
- peer_key_length,
- &their_key);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- status = mbedtls_to_psa_error(
- mbedtls_ecdh_get_params(&ecdh, ecp, MBEDTLS_ECDH_OURS));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_ecdh_calc_secret(&ecdh,
- shared_secret_length,
- shared_secret, shared_secret_size,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length) {
- status = PSA_ERROR_CORRUPTION_DETECTED;
- }
-exit:
- if (status != PSA_SUCCESS) {
- mbedtls_platform_zeroize(shared_secret, shared_secret_size);
- }
- mbedtls_ecdh_free(&ecdh);
- mbedtls_ecp_keypair_free(their_key);
- mbedtls_free(their_key);
- mbedtls_ecp_keypair_free(ecp);
- mbedtls_free(ecp);
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
-
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
deleted file mode 100644
index f4ad3d2..0000000
--- a/library/psa_crypto_ecp.h
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- * PSA ECP layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_ECP_H
-#define PSA_CRYPTO_ECP_H
-
-#include <psa/crypto.h>
-#include <mbedtls/ecp.h>
-
-/** Load the contents of a key buffer into an internal ECP representation
- *
- * \param[in] type The type of key contained in \p data.
- * \param[in] curve_bits The nominal bit-size of the curve.
- * It must be consistent with the representation
- * passed in \p data.
- * This can be 0, in which case the bit-size
- * is inferred from \p data_length (which is possible
- * for all key types and representation formats
- * formats that are currently supported or will
- * be in the foreseeable future).
- * \param[in] data The buffer from which to load the representation.
- * \param[in] data_length The size in bytes of \p data.
- * \param[out] p_ecp Returns a pointer to an ECP context on success.
- * The caller is responsible for freeing both the
- * contents of the context and the context itself
- * when done.
- */
-psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
- size_t curve_bits,
- const uint8_t *data,
- size_t data_length,
- mbedtls_ecp_keypair **p_ecp);
-
-/** Load the public part of an internal ECP, if required.
- *
- * \param ecp The ECP context to load the public part for.
- *
- * \return PSA_SUCCESS on success, otherwise an MPI error.
- */
-
-psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
-
-/** Import an ECP key in binary format.
- *
- * \note The signature of this function is that of a PSA driver
- * import_key entry point. This function behaves as an import_key
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes for the key to import.
- * \param[in] data The buffer containing the key data in import
- * format.
- * \param[in] data_length Size of the \p data buffer in bytes.
- * \param[out] key_buffer The buffer containing the key data in output
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
- * size is greater or equal to \p data_length.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- * \param[out] bits The key size in number of bits.
- *
- * \retval #PSA_SUCCESS The ECP key was imported successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_ecp_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits);
-
-/** Export an ECP key to export representation
- *
- * \param[in] type The type of key (public/private) to export
- * \param[in] ecp The internal ECP representation from which to export
- * \param[out] data The buffer to export to
- * \param[in] data_size The length of the buffer to export to
- * \param[out] data_length The amount of bytes written to \p data
- */
-psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
- mbedtls_ecp_keypair *ecp,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/** Export an ECP public key or the public part of an ECP key pair in binary
- * format.
- *
- * \note The signature of this function is that of a PSA driver
- * export_public_key entry point. This function behaves as an
- * export_public_key entry point as defined in the PSA driver interface
- * specification.
- *
- * \param[in] attributes The attributes for the key to export.
- * \param[in] key_buffer Material or context of the key to export.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] data Buffer where the key data is to be written.
- * \param[in] data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes written in
- * \p data
- *
- * \retval #PSA_SUCCESS The ECP public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_ecp_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length);
-
-/**
- * \brief Generate an ECP key.
- *
- * \note The signature of the function is that of a PSA driver generate_key
- * entry point.
- *
- * \param[in] attributes The attributes for the ECP key to generate.
- * \param[out] key_buffer Buffer where the key data is to be written.
- * \param[in] key_buffer_size Size of \p key_buffer in bytes.
- * \param[out] key_buffer_length On success, the number of bytes written in
- * \p key_buffer.
- *
- * \retval #PSA_SUCCESS
- * The key was successfully generated.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Key length or type not supported.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- */
-psa_status_t mbedtls_psa_ecp_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
-
-/** Sign an already-calculated hash with ECDSA.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash entry point. This function behaves as a sign_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the ECC key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the ECC key context.
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg Randomized or deterministic ECDSA algorithm.
- * \param[in] hash The hash or message to sign.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
- * \p alg) where \c key_bits is the bit-size of the ECC key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- */
-psa_status_t mbedtls_psa_ecdsa_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length);
-
-/**
- * \brief Verify an ECDSA hash or short message signature.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash entry point. This function behaves as a verify_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the ECC key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the ECC key context.
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg Randomized or deterministic ECDSA algorithm.
- * \param[in] hash The hash or message whose signature is to be
- * verified.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_ecdsa_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length);
-
-
-/** Perform a key agreement and return the raw ECDH shared secret.
- *
- * \note The signature of this function is that of a PSA driver
- * key_agreement entry point. This function behaves as a key_agreement
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the private key
- * context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in
- * bytes.
- * \param[in] alg A key agreement algorithm that is
- * compatible with the type of the key.
- * \param[in] peer_key The buffer containing the key context
- * of the peer's public key.
- * \param[in] peer_key_length Size of the \p peer_key buffer in
- * bytes.
- * \param[out] shared_secret The buffer to which the shared secret
- * is to be written.
- * \param[in] shared_secret_size Size of the \p shared_secret buffer in
- * bytes.
- * \param[out] shared_secret_length On success, the number of bytes that make
- * up the returned shared secret.
- * \retval #PSA_SUCCESS
- * Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p alg is not a key agreement algorithm, or
- * \p private_key is not compatible with \p alg,
- * or \p peer_key is not valid for \p alg or not compatible with
- * \p private_key.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p shared_secret_size is too small
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_key_agreement_ecdh(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
- uint8_t *shared_secret, size_t shared_secret_size,
- size_t *shared_secret_length);
-#endif /* PSA_CRYPTO_ECP_H */
diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c
deleted file mode 100644
index 20dfd2d..0000000
--- a/library/psa_crypto_ffdh.c
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- * PSA FFDH layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_ffdh.h"
-#include "psa_crypto_random_impl.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/error.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
-static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
- mbedtls_mpi *P,
- mbedtls_mpi *G)
-{
- const unsigned char *dhm_P = NULL;
- const unsigned char *dhm_G = NULL;
- size_t dhm_size_P = 0;
- size_t dhm_size_G = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (P == NULL && G == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- static const unsigned char dhm_P_2048[] =
- MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
- static const unsigned char dhm_P_3072[] =
- MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
- static const unsigned char dhm_P_4096[] =
- MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
- static const unsigned char dhm_P_6144[] =
- MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
- static const unsigned char dhm_P_8192[] =
- MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
- static const unsigned char dhm_G_2048[] =
- MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
- static const unsigned char dhm_G_3072[] =
- MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
- static const unsigned char dhm_G_4096[] =
- MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
- static const unsigned char dhm_G_6144[] =
- MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
- static const unsigned char dhm_G_8192[] =
- MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
-
- switch (key_size) {
- case sizeof(dhm_P_2048):
- dhm_P = dhm_P_2048;
- dhm_G = dhm_G_2048;
- dhm_size_P = sizeof(dhm_P_2048);
- dhm_size_G = sizeof(dhm_G_2048);
- break;
- case sizeof(dhm_P_3072):
- dhm_P = dhm_P_3072;
- dhm_G = dhm_G_3072;
- dhm_size_P = sizeof(dhm_P_3072);
- dhm_size_G = sizeof(dhm_G_3072);
- break;
- case sizeof(dhm_P_4096):
- dhm_P = dhm_P_4096;
- dhm_G = dhm_G_4096;
- dhm_size_P = sizeof(dhm_P_4096);
- dhm_size_G = sizeof(dhm_G_4096);
- break;
- case sizeof(dhm_P_6144):
- dhm_P = dhm_P_6144;
- dhm_G = dhm_G_6144;
- dhm_size_P = sizeof(dhm_P_6144);
- dhm_size_G = sizeof(dhm_G_6144);
- break;
- case sizeof(dhm_P_8192):
- dhm_P = dhm_P_8192;
- dhm_G = dhm_G_8192;
- dhm_size_P = sizeof(dhm_P_8192);
- dhm_size_G = sizeof(dhm_G_8192);
- break;
- default:
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (P != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
- dhm_size_P));
- }
- if (G != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
- dhm_size_G));
- }
-
-cleanup:
- if (ret != 0) {
- return mbedtls_to_psa_error(ret);
- }
-
- return PSA_SUCCESS;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
- MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE ||
- MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
- MBEDTLS_PSA_BUILTIN_ALG_FFDH */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
-psa_status_t mbedtls_psa_ffdh_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi GX, G, X, P;
- psa_key_type_t type = attributes->core.type;
-
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
- if (key_buffer_size > data_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- memcpy(data, key_buffer, key_buffer_size);
- memset(data + key_buffer_size, 0,
- data_size - key_buffer_size);
- *data_length = key_buffer_size;
- return PSA_SUCCESS;
- }
-
- mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
- mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
-
- size_t key_len = PSA_BITS_TO_BYTES(attributes->core.bits);
-
- status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
-
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
- key_buffer_size));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
-
- *data_length = key_len;
-
- ret = 0;
-cleanup:
- mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
- mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
-
- if (status == PSA_SUCCESS && ret != 0) {
- status = mbedtls_to_psa_error(ret);
- }
-
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
- MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
-psa_status_t mbedtls_psa_ffdh_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
-{
- mbedtls_mpi X, P;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
- (void) attributes;
-
- status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
-
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- /* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
- secret exponent from the range [2, P-2].
- Select random value in range [3, P-1] and decrease it by 1. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
- *key_buffer_length = key_buffer_size;
-
-cleanup:
- mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
- if (status == PSA_SUCCESS && ret != 0) {
- return mbedtls_to_psa_error(ret);
- }
-
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT)
-psa_status_t mbedtls_psa_ffdh_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits)
-{
- (void) attributes;
-
- if (key_buffer_size < data_length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
- memcpy(key_buffer, data, data_length);
- *key_buffer_length = data_length;
- *bits = PSA_BYTES_TO_BITS(data_length);
-
- return PSA_SUCCESS;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
-psa_status_t mbedtls_psa_ffdh_key_agreement(
- const psa_key_attributes_t *attributes,
- const uint8_t *peer_key,
- size_t peer_key_length,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi P, G, X, GY, K;
- const size_t calculated_shared_secret_size = peer_key_length;
-
- if (peer_key_length != key_buffer_size ||
- calculated_shared_secret_size > shared_secret_size) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
- mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
- mbedtls_mpi_init(&K);
-
- status = mbedtls_psa_ffdh_set_prime_generator(
- PSA_BITS_TO_BYTES(attributes->core.bits), &P, &G);
-
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
- key_buffer_size));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
- peer_key_length));
-
- /* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
- calculated_shared_secret_size));
-
- *shared_secret_length = calculated_shared_secret_size;
-
- ret = 0;
-
-cleanup:
- mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
- mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
- mbedtls_mpi_free(&K);
-
- if (status == PSA_SUCCESS && ret != 0) {
- status = mbedtls_to_psa_error(ret);
- }
-
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ffdh.h b/library/psa_crypto_ffdh.h
deleted file mode 100644
index 67e5444..0000000
--- a/library/psa_crypto_ffdh.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * PSA FFDH layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_FFDH_H
-#define PSA_CRYPTO_FFDH_H
-
-#include <psa/crypto.h>
-#include <mbedtls/dhm.h>
-
-/** Perform a key agreement and return the FFDH shared secret.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] peer_key The buffer containing the key context
- * of the peer's public key.
- * \param[in] peer_key_length Size of the \p peer_key buffer in
- * bytes.
- * \param[in] key_buffer The buffer containing the private key
- * context.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in
- * bytes.
- * \param[out] shared_secret The buffer to which the shared secret
- * is to be written.
- * \param[in] shared_secret_size Size of the \p shared_secret buffer in
- * bytes.
- * \param[out] shared_secret_length On success, the number of bytes that make
- * up the returned shared secret.
- * \retval #PSA_SUCCESS
- * Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p key_buffer_size, \p peer_key_length, \p shared_secret_size
- * do not match
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_ffdh_key_agreement(
- const psa_key_attributes_t *attributes,
- const uint8_t *peer_key,
- size_t peer_key_length,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *shared_secret,
- size_t shared_secret_size,
- size_t *shared_secret_length);
-
-/** Export a public key or the public part of a DH key pair in binary format.
- *
- * \param[in] attributes The attributes for the key to export.
- * \param[in] key_buffer Material or context of the key to export.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] data Buffer where the key data is to be written.
- * \param[in] data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes written in
- * \p data
- *
- * \retval #PSA_SUCCESS The public key was exported successfully.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_ffdh_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/**
- * \brief Generate DH key.
- *
- * \note The signature of the function is that of a PSA driver generate_key
- * entry point.
- *
- * \param[in] attributes The attributes for the key to generate.
- * \param[out] key_buffer Buffer where the key data is to be written.
- * \param[in] key_buffer_size Size of \p key_buffer in bytes.
- * \param[out] key_buffer_length On success, the number of bytes written in
- * \p key_buffer.
- *
- * \retval #PSA_SUCCESS
- * The key was generated successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Key size in bits is invalid.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_ffdh_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer,
- size_t key_buffer_size,
- size_t *key_buffer_length);
-
-/**
- * \brief Import DH key.
- *
- * \note The signature of the function is that of a PSA driver import_key
- * entry point.
- *
- * \param[in] attributes The attributes for the key to import.
- * \param[in] data The buffer containing the key data in import
- * format.
- * \param[in] data_length Size of the \p data buffer in bytes.
- * \param[out] key_buffer The buffer containing the key data in output
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
- * size is greater or equal to \p data_length.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- * \param[out] bits The key size in number of bits.
- *
- * \retval #PSA_SUCCESS
- * The key was generated successfully.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- */
-psa_status_t mbedtls_psa_ffdh_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits);
-
-#endif /* PSA_CRYPTO_FFDH_H */
diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c
deleted file mode 100644
index dad1826..0000000
--- a/library/psa_crypto_hash.c
+++ /dev/null
@@ -1,482 +0,0 @@
-/*
- * PSA hashing layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_hash.h"
-
-#include <mbedtls/error.h>
-#include <string.h>
-
-#if defined(MBEDTLS_PSA_BUILTIN_HASH)
-psa_status_t mbedtls_psa_hash_abort(
- mbedtls_psa_hash_operation_t *operation)
-{
- switch (operation->alg) {
- case 0:
- /* The object has (apparently) been initialized but it is not
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- break;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- case PSA_ALG_MD5:
- mbedtls_md5_free(&operation->ctx.md5);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- case PSA_ALG_RIPEMD160:
- mbedtls_ripemd160_free(&operation->ctx.ripemd160);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- case PSA_ALG_SHA_1:
- mbedtls_sha1_free(&operation->ctx.sha1);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- case PSA_ALG_SHA_224:
- mbedtls_sha256_free(&operation->ctx.sha256);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
- case PSA_ALG_SHA_256:
- mbedtls_sha256_free(&operation->ctx.sha256);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- case PSA_ALG_SHA_384:
- mbedtls_sha512_free(&operation->ctx.sha512);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
- case PSA_ALG_SHA_512:
- mbedtls_sha512_free(&operation->ctx.sha512);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
- case PSA_ALG_SHA3_224:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
- case PSA_ALG_SHA3_256:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
- case PSA_ALG_SHA3_384:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- case PSA_ALG_SHA3_512:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- mbedtls_sha3_free(&operation->ctx.sha3);
- break;
-#endif
- default:
- return PSA_ERROR_BAD_STATE;
- }
- operation->alg = 0;
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_hash_setup(
- mbedtls_psa_hash_operation_t *operation,
- psa_algorithm_t alg)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* A context must be freshly initialized before it can be set up. */
- if (operation->alg != 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- switch (alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- case PSA_ALG_MD5:
- mbedtls_md5_init(&operation->ctx.md5);
- ret = mbedtls_md5_starts(&operation->ctx.md5);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- case PSA_ALG_RIPEMD160:
- mbedtls_ripemd160_init(&operation->ctx.ripemd160);
- ret = mbedtls_ripemd160_starts(&operation->ctx.ripemd160);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- case PSA_ALG_SHA_1:
- mbedtls_sha1_init(&operation->ctx.sha1);
- ret = mbedtls_sha1_starts(&operation->ctx.sha1);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- case PSA_ALG_SHA_224:
- mbedtls_sha256_init(&operation->ctx.sha256);
- ret = mbedtls_sha256_starts(&operation->ctx.sha256, 1);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
- case PSA_ALG_SHA_256:
- mbedtls_sha256_init(&operation->ctx.sha256);
- ret = mbedtls_sha256_starts(&operation->ctx.sha256, 0);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- case PSA_ALG_SHA_384:
- mbedtls_sha512_init(&operation->ctx.sha512);
- ret = mbedtls_sha512_starts(&operation->ctx.sha512, 1);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
- case PSA_ALG_SHA_512:
- mbedtls_sha512_init(&operation->ctx.sha512);
- ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
- case PSA_ALG_SHA3_224:
- mbedtls_sha3_init(&operation->ctx.sha3);
- ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
- case PSA_ALG_SHA3_256:
- mbedtls_sha3_init(&operation->ctx.sha3);
- ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
- case PSA_ALG_SHA3_384:
- mbedtls_sha3_init(&operation->ctx.sha3);
- ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- case PSA_ALG_SHA3_512:
- mbedtls_sha3_init(&operation->ctx.sha3);
- ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512);
- break;
-#endif
- default:
- return PSA_ALG_IS_HASH(alg) ?
- PSA_ERROR_NOT_SUPPORTED :
- PSA_ERROR_INVALID_ARGUMENT;
- }
- if (ret == 0) {
- operation->alg = alg;
- } else {
- mbedtls_psa_hash_abort(operation);
- }
- return mbedtls_to_psa_error(ret);
-}
-
-psa_status_t mbedtls_psa_hash_clone(
- const mbedtls_psa_hash_operation_t *source_operation,
- mbedtls_psa_hash_operation_t *target_operation)
-{
- switch (source_operation->alg) {
- case 0:
- return PSA_ERROR_BAD_STATE;
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- case PSA_ALG_MD5:
- mbedtls_md5_clone(&target_operation->ctx.md5,
- &source_operation->ctx.md5);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- case PSA_ALG_RIPEMD160:
- mbedtls_ripemd160_clone(&target_operation->ctx.ripemd160,
- &source_operation->ctx.ripemd160);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- case PSA_ALG_SHA_1:
- mbedtls_sha1_clone(&target_operation->ctx.sha1,
- &source_operation->ctx.sha1);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- case PSA_ALG_SHA_224:
- mbedtls_sha256_clone(&target_operation->ctx.sha256,
- &source_operation->ctx.sha256);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
- case PSA_ALG_SHA_256:
- mbedtls_sha256_clone(&target_operation->ctx.sha256,
- &source_operation->ctx.sha256);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- case PSA_ALG_SHA_384:
- mbedtls_sha512_clone(&target_operation->ctx.sha512,
- &source_operation->ctx.sha512);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
- case PSA_ALG_SHA_512:
- mbedtls_sha512_clone(&target_operation->ctx.sha512,
- &source_operation->ctx.sha512);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
- case PSA_ALG_SHA3_224:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
- case PSA_ALG_SHA3_256:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
- case PSA_ALG_SHA3_384:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- case PSA_ALG_SHA3_512:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- mbedtls_sha3_clone(&target_operation->ctx.sha3,
- &source_operation->ctx.sha3);
- break;
-#endif
- default:
- (void) source_operation;
- (void) target_operation;
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- target_operation->alg = source_operation->alg;
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_hash_update(
- mbedtls_psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- switch (operation->alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- case PSA_ALG_MD5:
- ret = mbedtls_md5_update(&operation->ctx.md5,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- case PSA_ALG_RIPEMD160:
- ret = mbedtls_ripemd160_update(&operation->ctx.ripemd160,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- case PSA_ALG_SHA_1:
- ret = mbedtls_sha1_update(&operation->ctx.sha1,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- case PSA_ALG_SHA_224:
- ret = mbedtls_sha256_update(&operation->ctx.sha256,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
- case PSA_ALG_SHA_256:
- ret = mbedtls_sha256_update(&operation->ctx.sha256,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- case PSA_ALG_SHA_384:
- ret = mbedtls_sha512_update(&operation->ctx.sha512,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
- case PSA_ALG_SHA_512:
- ret = mbedtls_sha512_update(&operation->ctx.sha512,
- input, input_length);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
- case PSA_ALG_SHA3_224:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
- case PSA_ALG_SHA3_256:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
- case PSA_ALG_SHA3_384:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- case PSA_ALG_SHA3_512:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- ret = mbedtls_sha3_update(&operation->ctx.sha3,
- input, input_length);
- break;
-#endif
- default:
- (void) input;
- (void) input_length;
- return PSA_ERROR_BAD_STATE;
- }
-
- return mbedtls_to_psa_error(ret);
-}
-
-psa_status_t mbedtls_psa_hash_finish(
- mbedtls_psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- psa_status_t status;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t actual_hash_length = PSA_HASH_LENGTH(operation->alg);
-
- /* Fill the output buffer with something that isn't a valid hash
- * (barring an attack on the hash and deliberately-crafted input),
- * in case the caller doesn't check the return status properly. */
- *hash_length = hash_size;
- /* If hash_size is 0 then hash may be NULL and then the
- * call to memset would have undefined behavior. */
- if (hash_size != 0) {
- memset(hash, '!', hash_size);
- }
-
- if (hash_size < actual_hash_length) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
- switch (operation->alg) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
- case PSA_ALG_MD5:
- ret = mbedtls_md5_finish(&operation->ctx.md5, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
- case PSA_ALG_RIPEMD160:
- ret = mbedtls_ripemd160_finish(&operation->ctx.ripemd160, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
- case PSA_ALG_SHA_1:
- ret = mbedtls_sha1_finish(&operation->ctx.sha1, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
- case PSA_ALG_SHA_224:
- ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
- case PSA_ALG_SHA_256:
- ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
- case PSA_ALG_SHA_384:
- ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
- case PSA_ALG_SHA_512:
- ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
- break;
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
- case PSA_ALG_SHA3_224:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
- case PSA_ALG_SHA3_256:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
- case PSA_ALG_SHA3_384:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- case PSA_ALG_SHA3_512:
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
- ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size);
- break;
-#endif
- default:
- (void) hash;
- return PSA_ERROR_BAD_STATE;
- }
- status = mbedtls_to_psa_error(ret);
-
-exit:
- if (status == PSA_SUCCESS) {
- *hash_length = actual_hash_length;
- }
- return status;
-}
-
-psa_status_t mbedtls_psa_hash_compute(
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- mbedtls_psa_hash_operation_t operation = MBEDTLS_PSA_HASH_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *hash_length = hash_size;
- status = mbedtls_psa_hash_setup(&operation, alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- status = mbedtls_psa_hash_update(&operation, input, input_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- status = mbedtls_psa_hash_finish(&operation, hash, hash_size, hash_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-exit:
- abort_status = mbedtls_psa_hash_abort(&operation);
- if (status == PSA_SUCCESS) {
- return abort_status;
- } else {
- return status;
- }
-
-}
-#endif /* MBEDTLS_PSA_BUILTIN_HASH */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_hash.h b/library/psa_crypto_hash.h
deleted file mode 100644
index 2dfb011..0000000
--- a/library/psa_crypto_hash.h
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * PSA hashing layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_HASH_H
-#define PSA_CRYPTO_HASH_H
-
-#include <psa/crypto.h>
-
-/** Calculate the hash (digest) of a message using Mbed TLS routines.
- *
- * \note The signature of this function is that of a PSA driver hash_compute
- * entry point. This function behaves as a hash_compute entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_HASH(\p alg) is true).
- * \param[in] input Buffer containing the message to hash.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] hash Buffer where the hash is to be written.
- * \param hash_size Size of the \p hash buffer in bytes.
- * \param[out] hash_length On success, the number of bytes
- * that make up the hash value. This is always
- * #PSA_HASH_LENGTH(\p alg).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p hash_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_hash_compute(
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-
-/** Set up a multipart hash operation using Mbed TLS routines.
- *
- * \note The signature of this function is that of a PSA driver hash_setup
- * entry point. This function behaves as a hash_setup entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * If an error occurs at any step after a call to mbedtls_psa_hash_setup(), the
- * operation will need to be reset by a call to mbedtls_psa_hash_abort(). The
- * core may call mbedtls_psa_hash_abort() at any time after the operation
- * has been initialized.
- *
- * After a successful call to mbedtls_psa_hash_setup(), the core must
- * eventually terminate the operation. The following events terminate an
- * operation:
- * - A successful call to mbedtls_psa_hash_finish() or mbedtls_psa_hash_verify().
- * - A call to mbedtls_psa_hash_abort().
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized to all-zero and not yet be in use.
- * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_HASH(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_hash_setup(
- mbedtls_psa_hash_operation_t *operation,
- psa_algorithm_t alg);
-
-/** Clone an Mbed TLS hash operation.
- *
- * \note The signature of this function is that of a PSA driver hash_clone
- * entry point. This function behaves as a hash_clone entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * This function copies the state of an ongoing hash operation to
- * a new operation object. In other words, this function is equivalent
- * to calling mbedtls_psa_hash_setup() on \p target_operation with the same
- * algorithm that \p source_operation was set up for, then
- * mbedtls_psa_hash_update() on \p target_operation with the same input that
- * that was passed to \p source_operation. After this function returns, the
- * two objects are independent, i.e. subsequent calls involving one of
- * the objects do not affect the other object.
- *
- * \param[in] source_operation The active hash operation to clone.
- * \param[in,out] target_operation The operation object to set up.
- * It must be initialized but not active.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The \p source_operation state is not valid (it must be active).
- * \retval #PSA_ERROR_BAD_STATE
- * The \p target_operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_hash_clone(
- const mbedtls_psa_hash_operation_t *source_operation,
- mbedtls_psa_hash_operation_t *target_operation);
-
-/** Add a message fragment to a multipart Mbed TLS hash operation.
- *
- * \note The signature of this function is that of a PSA driver hash_update
- * entry point. This function behaves as a hash_update entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * The application must call mbedtls_psa_hash_setup() before calling this function.
- *
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling mbedtls_psa_hash_abort().
- *
- * \param[in,out] operation Active hash operation.
- * \param[in] input Buffer containing the message fragment to hash.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_hash_update(
- mbedtls_psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Finish the calculation of the Mbed TLS-calculated hash of a message.
- *
- * \note The signature of this function is that of a PSA driver hash_finish
- * entry point. This function behaves as a hash_finish entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * The application must call mbedtls_psa_hash_setup() before calling this function.
- * This function calculates the hash of the message formed by concatenating
- * the inputs passed to preceding calls to mbedtls_psa_hash_update().
- *
- * When this function returns successfully, the operation becomes inactive.
- * If this function returns an error status, the operation enters an error
- * state and must be aborted by calling mbedtls_psa_hash_abort().
- *
- * \param[in,out] operation Active hash operation.
- * \param[out] hash Buffer where the hash is to be written.
- * \param hash_size Size of the \p hash buffer in bytes.
- * \param[out] hash_length On success, the number of bytes
- * that make up the hash value. This is always
- * #PSA_HASH_LENGTH(\c alg) where \c alg is the
- * hash algorithm that is calculated.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active).
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p hash buffer is too small. You can determine a
- * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
- * where \c alg is the hash algorithm that is calculated.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_hash_finish(
- mbedtls_psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-
-/** Abort an Mbed TLS hash operation.
- *
- * \note The signature of this function is that of a PSA driver hash_abort
- * entry point. This function behaves as a hash_abort entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * mbedtls_psa_hash_setup() again.
- *
- * You may call this function any time after the operation object has
- * been initialized by one of the methods described in #psa_hash_operation_t.
- *
- * In particular, calling mbedtls_psa_hash_abort() after the operation has been
- * terminated by a call to mbedtls_psa_hash_abort(), mbedtls_psa_hash_finish() or
- * mbedtls_psa_hash_verify() is safe and has no effect.
- *
- * \param[in,out] operation Initialized hash operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_hash_abort(
- mbedtls_psa_hash_operation_t *operation);
-
-#endif /* PSA_CRYPTO_HASH_H */
diff --git a/library/psa_crypto_invasive.h b/library/psa_crypto_invasive.h
deleted file mode 100644
index 408c39b..0000000
--- a/library/psa_crypto_invasive.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * \file psa_crypto_invasive.h
- *
- * \brief PSA cryptography module: invasive interfaces for test only.
- *
- * The interfaces in this file are intended for testing purposes only.
- * They MUST NOT be made available to clients over IPC in integrations
- * with isolation, and they SHOULD NOT be made available in library
- * integrations except when building the library for testing.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_INVASIVE_H
-#define PSA_CRYPTO_INVASIVE_H
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-#include "psa/crypto.h"
-#include "common.h"
-
-#include "mbedtls/entropy.h"
-
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-/** \brief Configure entropy sources.
- *
- * This function may only be called before a call to psa_crypto_init(),
- * or after a call to mbedtls_psa_crypto_free() and before any
- * subsequent call to psa_crypto_init().
- *
- * This function is only intended for test purposes. The functionality
- * it provides is also useful for system integrators, but
- * system integrators should configure entropy drivers instead of
- * breaking through to the Mbed TLS API.
- *
- * \param entropy_init Function to initialize the entropy context
- * and set up the desired entropy sources.
- * It is called by psa_crypto_init().
- * By default this is mbedtls_entropy_init().
- * This function cannot report failures directly.
- * To indicate a failure, set the entropy context
- * to a state where mbedtls_entropy_func() will
- * return an error.
- * \param entropy_free Function to free the entropy context
- * and associated resources.
- * It is called by mbedtls_psa_crypto_free().
- * By default this is mbedtls_entropy_free().
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The caller does not have the permission to configure
- * entropy sources.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has already been initialized.
- */
-psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
- void (* entropy_init)(mbedtls_entropy_context *ctx),
- void (* entropy_free)(mbedtls_entropy_context *ctx));
-#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
-
-#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C)
-psa_status_t psa_mac_key_can_do(
- psa_algorithm_t algorithm,
- psa_key_type_t key_type);
-#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */
-
-#endif /* PSA_CRYPTO_INVASIVE_H */
diff --git a/library/psa_crypto_its.h b/library/psa_crypto_its.h
deleted file mode 100644
index 3ceee49..0000000
--- a/library/psa_crypto_its.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/** \file psa_crypto_its.h
- * \brief Interface of trusted storage that crypto is built on.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_ITS_H
-#define PSA_CRYPTO_ITS_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <psa/crypto_types.h>
-#include <psa/crypto_values.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** \brief Flags used when creating a data entry
- */
-typedef uint32_t psa_storage_create_flags_t;
-
-/** \brief A type for UIDs used for identifying data
- */
-typedef uint64_t psa_storage_uid_t;
-
-#define PSA_STORAGE_FLAG_NONE 0 /**< No flags to pass */
-#define PSA_STORAGE_FLAG_WRITE_ONCE (1 << 0) /**< The data associated with the uid will not be able to be modified or deleted. Intended to be used to set bits in `psa_storage_create_flags_t`*/
-
-/**
- * \brief A container for metadata associated with a specific uid
- */
-struct psa_storage_info_t {
- uint32_t size; /**< The size of the data associated with a uid **/
- psa_storage_create_flags_t flags; /**< The flags set when the uid was created **/
-};
-
-/** Flag indicating that \ref psa_storage_create and \ref psa_storage_set_extended are supported */
-#define PSA_STORAGE_SUPPORT_SET_EXTENDED (1 << 0)
-
-#define PSA_ITS_API_VERSION_MAJOR 1 /**< The major version number of the PSA ITS API. It will be incremented on significant updates that may include breaking changes */
-#define PSA_ITS_API_VERSION_MINOR 1 /**< The minor version number of the PSA ITS API. It will be incremented in small updates that are unlikely to include breaking changes */
-
-/**
- * \brief create a new or modify an existing uid/value pair
- *
- * \param[in] uid the identifier for the data
- * \param[in] data_length The size in bytes of the data in `p_data`
- * \param[in] p_data A buffer containing the data
- * \param[in] create_flags The flags that the data will be stored with
- *
- * \return A status indicating the success/failure of the operation
- *
- * \retval #PSA_SUCCESS The operation completed successfully
- * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided `uid` value was already created with PSA_STORAGE_FLAG_WRITE_ONCE
- * \retval #PSA_ERROR_NOT_SUPPORTED The operation failed because one or more of the flags provided in `create_flags` is not supported or is not valid
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE The operation failed because there was insufficient space on the storage medium
- * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
- * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`)
- * is invalid, for example is `NULL` or references memory the caller cannot access
- */
-psa_status_t psa_its_set(psa_storage_uid_t uid,
- uint32_t data_length,
- const void *p_data,
- psa_storage_create_flags_t create_flags);
-
-/**
- * \brief Retrieve the value associated with a provided uid
- *
- * \param[in] uid The uid value
- * \param[in] data_offset The starting offset of the data requested
- * \param[in] data_length the amount of data requested (and the minimum allocated size of the `p_data` buffer)
- * \param[out] p_data The buffer where the data will be placed upon successful completion
- * \param[out] p_data_length The amount of data returned in the p_data buffer
- *
- *
- * \return A status indicating the success/failure of the operation
- *
- * \retval #PSA_SUCCESS The operation completed successfully
- * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided `uid` value was not found in the storage
- * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
- * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
- * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`, `p_data_length`)
- * is invalid. For example is `NULL` or references memory the caller cannot access.
- * In addition, this can also happen if an invalid offset was provided.
- */
-psa_status_t psa_its_get(psa_storage_uid_t uid,
- uint32_t data_offset,
- uint32_t data_length,
- void *p_data,
- size_t *p_data_length);
-
-/**
- * \brief Retrieve the metadata about the provided uid
- *
- * \param[in] uid The uid value
- * \param[out] p_info A pointer to the `psa_storage_info_t` struct that will be populated with the metadata
- *
- * \return A status indicating the success/failure of the operation
- *
- * \retval #PSA_SUCCESS The operation completed successfully
- * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided uid value was not found in the storage
- * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
- * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_info`)
- * is invalid, for example is `NULL` or references memory the caller cannot access
- */
-psa_status_t psa_its_get_info(psa_storage_uid_t uid,
- struct psa_storage_info_t *p_info);
-
-/**
- * \brief Remove the provided key and its associated data from the storage
- *
- * \param[in] uid The uid value
- *
- * \return A status indicating the success/failure of the operation
- *
- * \retval #PSA_SUCCESS The operation completed successfully
- * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided key value was not found in the storage
- * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided key value was created with PSA_STORAGE_FLAG_WRITE_ONCE
- * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
- */
-psa_status_t psa_its_remove(psa_storage_uid_t uid);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_ITS_H */
diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c
deleted file mode 100644
index 2f2c51d..0000000
--- a/library/psa_crypto_mac.c
+++ /dev/null
@@ -1,508 +0,0 @@
-/*
- * PSA MAC layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_cipher.h"
-#include "psa_crypto_mac.h"
-#include <mbedtls/md.h>
-
-#include <mbedtls/error.h>
-#include "mbedtls/constant_time.h"
-#include <string.h>
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
-static psa_status_t psa_hmac_abort_internal(
- mbedtls_psa_hmac_operation_t *hmac)
-{
- mbedtls_platform_zeroize(hmac->opad, sizeof(hmac->opad));
- return psa_hash_abort(&hmac->hash_ctx);
-}
-
-static psa_status_t psa_hmac_setup_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- const uint8_t *key,
- size_t key_length,
- psa_algorithm_t hash_alg)
-{
- uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- size_t i;
- size_t hash_size = PSA_HASH_LENGTH(hash_alg);
- size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
- psa_status_t status;
-
- hmac->alg = hash_alg;
-
- /* Sanity checks on block_size, to guarantee that there won't be a buffer
- * overflow below. This should never trigger if the hash algorithm
- * is implemented correctly. */
- /* The size checks against the ipad and opad buffers cannot be written
- * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
- * because that triggers -Wlogical-op on GCC 7.3. */
- if (block_size > sizeof(ipad)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (block_size > sizeof(hmac->opad)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (block_size < hash_size) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (key_length > block_size) {
- status = psa_hash_compute(hash_alg, key, key_length,
- ipad, sizeof(ipad), &key_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
- }
- /* A 0-length key is not commonly used in HMAC when used as a MAC,
- * but it is permitted. It is common when HMAC is used in HKDF, for
- * example. Don't call `memcpy` in the 0-length because `key` could be
- * an invalid pointer which would make the behavior undefined. */
- else if (key_length != 0) {
- memcpy(ipad, key, key_length);
- }
-
- /* ipad contains the key followed by garbage. Xor and fill with 0x36
- * to create the ipad value. */
- for (i = 0; i < key_length; i++) {
- ipad[i] ^= 0x36;
- }
- memset(ipad + key_length, 0x36, block_size - key_length);
-
- /* Copy the key material from ipad to opad, flipping the requisite bits,
- * and filling the rest of opad with the requisite constant. */
- for (i = 0; i < key_length; i++) {
- hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
- }
- memset(hmac->opad + key_length, 0x5C, block_size - key_length);
-
- status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- status = psa_hash_update(&hmac->hash_ctx, ipad, block_size);
-
-cleanup:
- mbedtls_platform_zeroize(ipad, sizeof(ipad));
-
- return status;
-}
-
-static psa_status_t psa_hmac_update_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- const uint8_t *data,
- size_t data_length)
-{
- return psa_hash_update(&hmac->hash_ctx, data, data_length);
-}
-
-static psa_status_t psa_hmac_finish_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- uint8_t *mac,
- size_t mac_size)
-{
- uint8_t tmp[PSA_HASH_MAX_SIZE];
- psa_algorithm_t hash_alg = hmac->alg;
- size_t hash_size = 0;
- size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
- psa_status_t status;
-
- status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
- /* From here on, tmp needs to be wiped. */
-
- status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&hmac->hash_ctx, hmac->opad, block_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_update(&hmac->hash_ctx, tmp, hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- memcpy(mac, tmp, mac_size);
-
-exit:
- mbedtls_platform_zeroize(tmp, hash_size);
- return status;
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
-static psa_status_t cmac_setup(mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(PSA_WANT_KEY_TYPE_DES)
- /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
- * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
- if (psa_get_key_type(attributes) == PSA_KEY_TYPE_DES &&
- (psa_get_key_bits(attributes) == 64 ||
- psa_get_key_bits(attributes) == 128)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-#endif
-
- const mbedtls_cipher_info_t *cipher_info =
- mbedtls_cipher_info_from_psa(
- PSA_ALG_CMAC,
- psa_get_key_type(attributes),
- psa_get_key_bits(attributes),
- NULL);
-
- if (cipher_info == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- ret = mbedtls_cipher_setup(&operation->ctx.cmac, cipher_info);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_cipher_cmac_starts(&operation->ctx.cmac,
- key_buffer,
- psa_get_key_bits(attributes));
-exit:
- return mbedtls_to_psa_error(ret);
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
-
-/* Initialize this driver's MAC operation structure. Once this function has been
- * called, mbedtls_psa_mac_abort can run and will do the right thing. */
-static psa_status_t mac_init(
- mbedtls_psa_mac_operation_t *operation,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- operation->alg = alg;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
- mbedtls_cipher_init(&operation->ctx.cmac);
- status = PSA_SUCCESS;
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if (PSA_ALG_IS_HMAC(operation->alg)) {
- /* We'll set up the hash operation later in psa_hmac_setup_internal. */
- operation->ctx.hmac.alg = 0;
- status = PSA_SUCCESS;
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- (void) operation;
- status = PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status != PSA_SUCCESS) {
- memset(operation, 0, sizeof(*operation));
- }
- return status;
-}
-
-psa_status_t mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t *operation)
-{
- if (operation->alg == 0) {
- /* The object has (apparently) been initialized but it is not
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return PSA_SUCCESS;
- } else
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
- mbedtls_cipher_free(&operation->ctx.cmac);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if (PSA_ALG_IS_HMAC(operation->alg)) {
- psa_hmac_abort_internal(&operation->ctx.hmac);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* Sanity check (shouldn't happen: operation->alg should
- * always have been initialized to a valid value). */
- goto bad_state;
- }
-
- operation->alg = 0;
-
- return PSA_SUCCESS;
-
-bad_state:
- /* If abort is called on an uninitialized object, we can't trust
- * anything. Wipe the object in case it contains confidential data.
- * This may result in a memory leak if a pointer gets overwritten,
- * but it's too late to do anything about this. */
- memset(operation, 0, sizeof(*operation));
- return PSA_ERROR_BAD_STATE;
-}
-
-static psa_status_t psa_mac_setup(mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- /* A context must be freshly initialized before it can be set up. */
- if (operation->alg != 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- status = mac_init(operation, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if (PSA_ALG_FULL_LENGTH_MAC(alg) == PSA_ALG_CMAC) {
- /* Key buffer size for CMAC is dictated by the key bits set on the
- * attributes, and previously validated by the core on key import. */
- (void) key_buffer_size;
- status = cmac_setup(operation, attributes, key_buffer);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if (PSA_ALG_IS_HMAC(alg)) {
- status = psa_hmac_setup_internal(&operation->ctx.hmac,
- key_buffer,
- key_buffer_size,
- PSA_ALG_HMAC_GET_HASH(alg));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- (void) attributes;
- (void) key_buffer;
- (void) key_buffer_size;
- status = PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (status != PSA_SUCCESS) {
- mbedtls_psa_mac_abort(operation);
- }
-
- return status;
-}
-
-psa_status_t mbedtls_psa_mac_sign_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- return psa_mac_setup(operation, attributes,
- key_buffer, key_buffer_size, alg);
-}
-
-psa_status_t mbedtls_psa_mac_verify_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg)
-{
- return psa_mac_setup(operation, attributes,
- key_buffer, key_buffer_size, alg);
-}
-
-psa_status_t mbedtls_psa_mac_update(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- if (operation->alg == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
- return mbedtls_to_psa_error(
- mbedtls_cipher_cmac_update(&operation->ctx.cmac,
- input, input_length));
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if (PSA_ALG_IS_HMAC(operation->alg)) {
- return psa_hmac_update_internal(&operation->ctx.hmac,
- input, input_length);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* This shouldn't happen if `operation` was initialized by
- * a setup function. */
- (void) input;
- (void) input_length;
- return PSA_ERROR_BAD_STATE;
- }
-}
-
-static psa_status_t psa_mac_finish_internal(
- mbedtls_psa_mac_operation_t *operation,
- uint8_t *mac, size_t mac_size)
-{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
- uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
- int ret = mbedtls_cipher_cmac_finish(&operation->ctx.cmac, tmp);
- if (ret == 0) {
- memcpy(mac, tmp, mac_size);
- }
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- return mbedtls_to_psa_error(ret);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if (PSA_ALG_IS_HMAC(operation->alg)) {
- return psa_hmac_finish_internal(&operation->ctx.hmac,
- mac, mac_size);
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* This shouldn't happen if `operation` was initialized by
- * a setup function. */
- (void) operation;
- (void) mac;
- (void) mac_size;
- return PSA_ERROR_BAD_STATE;
- }
-}
-
-psa_status_t mbedtls_psa_mac_sign_finish(
- mbedtls_psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->alg == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- status = psa_mac_finish_internal(operation, mac, mac_size);
- if (status == PSA_SUCCESS) {
- *mac_length = mac_size;
- }
-
- return status;
-}
-
-psa_status_t mbedtls_psa_mac_verify_finish(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length)
-{
- uint8_t actual_mac[PSA_MAC_MAX_SIZE];
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- if (operation->alg == 0) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Consistency check: requested MAC length fits our local buffer */
- if (mac_length > sizeof(actual_mac)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- status = psa_mac_finish_internal(operation, actual_mac, mac_length);
- if (status != PSA_SUCCESS) {
- goto cleanup;
- }
-
- if (mbedtls_ct_memcmp(mac, actual_mac, mac_length) != 0) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- }
-
-cleanup:
- mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
-
- return status;
-}
-
-psa_status_t mbedtls_psa_mac_compute(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
-
- status = psa_mac_setup(&operation,
- attributes, key_buffer, key_buffer_size,
- alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (input_length > 0) {
- status = mbedtls_psa_mac_update(&operation, input, input_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- }
-
- status = psa_mac_finish_internal(&operation, mac, mac_size);
- if (status == PSA_SUCCESS) {
- *mac_length = mac_size;
- }
-
-exit:
- mbedtls_psa_mac_abort(&operation);
-
- return status;
-}
-
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_mac.h b/library/psa_crypto_mac.h
deleted file mode 100644
index 4f8024a..0000000
--- a/library/psa_crypto_mac.h
+++ /dev/null
@@ -1,276 +0,0 @@
-/*
- * PSA MAC layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_MAC_H
-#define PSA_CRYPTO_MAC_H
-
-#include <psa/crypto.h>
-
-/** Calculate the MAC (message authentication code) of a message using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver mac_compute
- * entry point. This function behaves as a mac_compute entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key to use for
- * computing the MAC. This buffer contains the key
- * in export representation as defined by
- * psa_export_key() (i.e. the raw key bytes).
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- * \param[in] input Buffer containing the input message.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[out] mac Buffer where the MAC value is to be written.
- * \param mac_size Size of the \p mac buffer in bytes.
- * \param[out] mac_length On success, the number of bytes
- * that make up the MAC value.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \p mac_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_mac_compute(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-
-/** Set up a multipart MAC calculation operation using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver mac_sign_setup
- * entry point. This function behaves as a mac_sign_setup entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized and not yet in use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key to use for
- * computing the MAC. This buffer contains the key
- * in export representation as defined by
- * psa_export_key() (i.e. the raw key bytes).
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive).
- */
-psa_status_t mbedtls_psa_mac_sign_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/** Set up a multipart MAC verification operation using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver mac_verify_setup
- * entry point. This function behaves as a mac_verify_setup entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized and not yet in use.
- * \param[in] attributes The attributes of the key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the key to use for
- * computing the MAC. This buffer contains the key
- * in export representation as defined by
- * psa_export_key() (i.e. the raw key bytes).
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
- * such that #PSA_ALG_IS_MAC(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be inactive).
- */
-psa_status_t mbedtls_psa_mac_verify_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg);
-
-/** Add a message fragment to a multipart MAC operation using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver mac_update
- * entry point. This function behaves as a mac_update entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * The PSA core calls mbedtls_psa_mac_sign_setup() or
- * mbedtls_psa_mac_verify_setup() before calling this function.
- *
- * If this function returns an error status, the PSA core aborts the
- * operation by calling mbedtls_psa_mac_abort().
- *
- * \param[in,out] operation Active MAC operation.
- * \param[in] input Buffer containing the message fragment to add to
- * the MAC calculation.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be active).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_mac_update(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/** Finish the calculation of the MAC of a message using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver mac_sign_finish
- * entry point. This function behaves as a mac_sign_finish entry point as
- * defined in the PSA driver interface specification for transparent
- * drivers.
- *
- * The PSA core calls mbedtls_psa_mac_sign_setup() before calling this function.
- * This function calculates the MAC of the message formed by concatenating
- * the inputs passed to preceding calls to mbedtls_psa_mac_update().
- *
- * Whether this function returns successfully or not, the PSA core subsequently
- * aborts the operation by calling mbedtls_psa_mac_abort().
- *
- * \param[in,out] operation Active MAC operation.
- * \param[out] mac Buffer where the MAC value is to be written.
- * \param mac_size Output size requested for the MAC algorithm. The PSA
- * core guarantees this is a valid MAC length for the
- * algorithm and key combination passed to
- * mbedtls_psa_mac_sign_setup(). It also guarantees the
- * \p mac buffer is large enough to contain the
- * requested output size.
- * \param[out] mac_length On success, the number of bytes output to buffer
- * \p mac, which will be equal to the requested length
- * \p mac_size.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active mac sign
- * operation).
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p mac buffer is too small. A sufficient buffer size
- * can be determined by calling PSA_MAC_LENGTH().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_mac_sign_finish(
- mbedtls_psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-
-/** Finish the calculation of the MAC of a message and compare it with
- * an expected value using Mbed TLS.
- *
- * \note The signature of this function is that of a PSA driver
- * mac_verify_finish entry point. This function behaves as a
- * mac_verify_finish entry point as defined in the PSA driver interface
- * specification for transparent drivers.
- *
- * The PSA core calls mbedtls_psa_mac_verify_setup() before calling this
- * function. This function calculates the MAC of the message formed by
- * concatenating the inputs passed to preceding calls to
- * mbedtls_psa_mac_update(). It then compares the calculated MAC with the
- * expected MAC passed as a parameter to this function.
- *
- * Whether this function returns successfully or not, the PSA core subsequently
- * aborts the operation by calling mbedtls_psa_mac_abort().
- *
- * \param[in,out] operation Active MAC operation.
- * \param[in] mac Buffer containing the expected MAC value.
- * \param mac_length Length in bytes of the expected MAC value. The PSA
- * core guarantees that this length is a valid MAC
- * length for the algorithm and key combination passed
- * to mbedtls_psa_mac_verify_setup().
- *
- * \retval #PSA_SUCCESS
- * The expected MAC is identical to the actual MAC of the message.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The MAC of the message was calculated successfully, but it
- * differs from the expected MAC.
- * \retval #PSA_ERROR_BAD_STATE
- * The operation state is not valid (it must be an active mac verify
- * operation).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_mac_verify_finish(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length);
-
-/** Abort a MAC operation using Mbed TLS.
- *
- * Aborting an operation frees all associated resources except for the
- * \p operation structure itself. Once aborted, the operation object
- * can be reused for another operation by calling
- * mbedtls_psa_mac_sign_setup() or mbedtls_psa_mac_verify_setup() again.
- *
- * The PSA core may call this function any time after the operation object has
- * been initialized by one of the methods described in
- * #mbedtls_psa_mac_operation_t.
- *
- * In particular, calling mbedtls_psa_mac_abort() after the operation has been
- * terminated by a call to mbedtls_psa_mac_abort(),
- * mbedtls_psa_mac_sign_finish() or mbedtls_psa_mac_verify_finish() is safe and
- * has no effect.
- *
- * \param[in,out] operation Initialized MAC operation.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_mac_abort(
- mbedtls_psa_mac_operation_t *operation);
-
-#endif /* PSA_CRYPTO_MAC_H */
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
deleted file mode 100644
index db00cbd..0000000
--- a/library/psa_crypto_pake.c
+++ /dev/null
@@ -1,583 +0,0 @@
-/*
- * PSA PAKE layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_pake.h"
-#include "psa_crypto_slot_management.h"
-
-#include <mbedtls/ecjpake.h>
-#include "psa_util_internal.h"
-
-#include <mbedtls/platform.h>
-#include <mbedtls/error.h>
-#include <string.h>
-
-/*
- * State sequence:
- *
- * psa_pake_setup()
- * |
- * |-- In any order:
- * | | psa_pake_set_password_key()
- * | | psa_pake_set_user()
- * | | psa_pake_set_peer()
- * | | psa_pake_set_role()
- * |
- * |--- In any order: (First round input before or after first round output)
- * | |
- * | |------ In Order
- * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
- * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
- * | |
- * | |------ In Order:
- * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
- * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
- * |
- * |--- In any order: (Second round input before or after second round output)
- * | |
- * | |------ In Order
- * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
- * | |
- * | |------ In Order:
- * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
- * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
- * |
- * psa_pake_get_implicit_key()
- * psa_pake_abort()
- */
-
-/*
- * Possible sequence of calls to implementation:
- *
- * |--- In any order:
- * | |
- * | |------ In Order
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
- * | |
- * | |------ In Order:
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
- * |
- * |--- In any order:
- * | |
- * | |------ In Order
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
- * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
- * | |
- * | |------ In Order:
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
- * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
- */
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
-static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
-{
- switch (ret) {
- case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
- case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
- case MBEDTLS_ERR_ECP_INVALID_KEY:
- case MBEDTLS_ERR_ECP_VERIFY_FAILED:
- return PSA_ERROR_DATA_INVALID;
- case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
- case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
- return PSA_ERROR_BUFFER_TOO_SMALL;
- case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
- return PSA_ERROR_NOT_SUPPORTED;
- case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
- return PSA_ERROR_CORRUPTION_DETECTED;
- default:
- return PSA_ERROR_GENERIC_ERROR;
- }
-}
-#endif
-
-#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
-static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_ecjpake_init(&operation->ctx.jpake);
-
- ret = mbedtls_ecjpake_setup(&operation->ctx.jpake,
- operation->role,
- MBEDTLS_MD_SHA256,
- MBEDTLS_ECP_DP_SECP256R1,
- operation->password,
- operation->password_len);
-
- mbedtls_platform_zeroize(operation->password, operation->password_len);
-
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
-
- return PSA_SUCCESS;
-}
-#endif
-
-/* The only two JPAKE user/peer identifiers supported in built-in implementation. */
-static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
-static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
-
-psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
- const psa_crypto_driver_pake_inputs_t *inputs)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t user_len = 0, peer_len = 0, password_len = 0;
- uint8_t *peer = NULL, *user = NULL;
- size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0;
- psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
-
- status = psa_crypto_driver_pake_get_password_len(inputs, &password_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_crypto_driver_pake_get_user_len(inputs, &user_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- operation->password = mbedtls_calloc(1, password_len);
- if (operation->password == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto error;
- }
-
- user = mbedtls_calloc(1, user_len);
- if (user == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto error;
- }
-
- peer = mbedtls_calloc(1, peer_len);
- if (peer == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto error;
- }
-
- status = psa_crypto_driver_pake_get_password(inputs, operation->password,
- password_len, &actual_password_len);
- if (status != PSA_SUCCESS) {
- goto error;
- }
-
- status = psa_crypto_driver_pake_get_user(inputs, user,
- user_len, &actual_user_len);
- if (status != PSA_SUCCESS) {
- goto error;
- }
-
- status = psa_crypto_driver_pake_get_peer(inputs, peer,
- peer_len, &actual_peer_len);
- if (status != PSA_SUCCESS) {
- goto error;
- }
-
- operation->password_len = actual_password_len;
- operation->alg = cipher_suite.algorithm;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
- if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
- cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
- cipher_suite.bits != 256 ||
- cipher_suite.hash != PSA_ALG_SHA_256) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto error;
- }
-
- const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length
- if (actual_user_len != user_peer_len ||
- actual_peer_len != user_peer_len) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto error;
- }
-
- if (memcmp(user, jpake_client_id, actual_user_len) == 0 &&
- memcmp(peer, jpake_server_id, actual_peer_len) == 0) {
- operation->role = MBEDTLS_ECJPAKE_CLIENT;
- } else
- if (memcmp(user, jpake_server_id, actual_user_len) == 0 &&
- memcmp(peer, jpake_client_id, actual_peer_len) == 0) {
- operation->role = MBEDTLS_ECJPAKE_SERVER;
- } else {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto error;
- }
-
- operation->buffer_length = 0;
- operation->buffer_offset = 0;
-
- status = psa_pake_ecjpake_setup(operation);
- if (status != PSA_SUCCESS) {
- goto error;
- }
-
- /* Role has been set, release user/peer buffers. */
- mbedtls_free(user); mbedtls_free(peer);
-
- return PSA_SUCCESS;
- } else
-#else
- (void) operation;
- (void) inputs;
-#endif
- { status = PSA_ERROR_NOT_SUPPORTED; }
-
-error:
- mbedtls_free(user); mbedtls_free(peer);
- /* In case of failure of the setup of a multipart operation, the PSA driver interface
- * specifies that the core does not call any other driver entry point thus does not
- * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean
- * up like freeing the memory that may have been allocated to store the password.
- */
- mbedtls_psa_pake_abort(operation);
- return status;
-}
-
-static psa_status_t mbedtls_psa_pake_output_internal(
- mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t length;
- (void) step; // Unused parameter
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- /*
- * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
- * handling of output sequencing.
- *
- * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data
- * at once, on the other side the PSA CRYPTO PAKE api requires
- * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be
- * retrieved in sequence.
- *
- * In order to achieve API compatibility, the whole X1+X2 or X2S steps
- * data is stored in an intermediate buffer at first step output call,
- * and data is sliced down by parsing the ECPoint records in order
- * to return the right parts on each step.
- */
- if (operation->alg == PSA_ALG_JPAKE) {
- /* Initialize & write round on KEY_SHARE sequences */
- if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) {
- ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake,
- operation->buffer,
- sizeof(operation->buffer),
- &operation->buffer_length,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
-
- operation->buffer_offset = 0;
- } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) {
- ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake,
- operation->buffer,
- sizeof(operation->buffer),
- &operation->buffer_length,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
-
- operation->buffer_offset = 0;
- }
-
- /*
- * mbedtls_ecjpake_write_round_xxx() outputs thing in the format
- * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is
- * that the data for each step is prepended with a length byte, and
- * then they're concatenated. Additionally, the server's second round
- * output is prepended with a 3-bytes ECParameters structure.
- *
- * In PSA, we output each step separately, and don't prepend the
- * output with a length byte, even less a curve identifier, as that
- * information is already available.
- */
- if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE &&
- operation->role == MBEDTLS_ECJPAKE_SERVER) {
- /* Skip ECParameters, with is 3 bytes (RFC 8422) */
- operation->buffer_offset += 3;
- }
-
- /* Read the length byte then move past it to the data */
- length = operation->buffer[operation->buffer_offset];
- operation->buffer_offset += 1;
-
- if (operation->buffer_offset + length > operation->buffer_length) {
- return PSA_ERROR_DATA_CORRUPT;
- }
-
- if (output_size < length) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- memcpy(output,
- operation->buffer + operation->buffer_offset,
- length);
- *output_length = length;
-
- operation->buffer_offset += length;
-
- /* Reset buffer after ZK_PROOF sequence */
- if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) ||
- (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) {
- mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
- operation->buffer_length = 0;
- operation->buffer_offset = 0;
- }
-
- return PSA_SUCCESS;
- } else
-#else
- (void) step;
- (void) output;
- (void) output_size;
- (void) output_length;
-#endif
- { return PSA_ERROR_NOT_SUPPORTED; }
-}
-
-psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = mbedtls_psa_pake_output_internal(
- operation, step, output, output_size, output_length);
-
- return status;
-}
-
-static psa_status_t mbedtls_psa_pake_input_internal(
- mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- const uint8_t *input,
- size_t input_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- (void) step; // Unused parameter
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- /*
- * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
- * handling of input sequencing.
- *
- * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data
- * at once as input, on the other side the PSA CRYPTO PAKE api requires
- * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be
- * given in sequence.
- *
- * In order to achieve API compatibility, each X1+X2 or X4S step data
- * is stored sequentially in an intermediate buffer and given to the
- * Mbed TLS JPAKE API on the last step.
- *
- * This causes any input error to be only detected on the last step.
- */
- if (operation->alg == PSA_ALG_JPAKE) {
- /*
- * Copy input to local buffer and format it as the Mbed TLS API
- * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7.
- * The summary is that the data for each step is prepended with a
- * length byte, and then they're concatenated. Additionally, the
- * server's second round output is prepended with a 3-bytes
- * ECParameters structure - which means we have to prepend that when
- * we're a client.
- */
- if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE &&
- operation->role == MBEDTLS_ECJPAKE_CLIENT) {
- /* We only support secp256r1. */
- /* This is the ECParameters structure defined by RFC 8422. */
- unsigned char ecparameters[3] = {
- 3, /* named_curve */
- 0, 23 /* secp256r1 */
- };
-
- if (operation->buffer_length + sizeof(ecparameters) >
- sizeof(operation->buffer)) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- memcpy(operation->buffer + operation->buffer_length,
- ecparameters, sizeof(ecparameters));
- operation->buffer_length += sizeof(ecparameters);
- }
-
- /*
- * The core checks that input_length is smaller than
- * PSA_PAKE_INPUT_MAX_SIZE.
- * Thus no risk of integer overflow here.
- */
- if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Write the length byte */
- operation->buffer[operation->buffer_length] = (uint8_t) input_length;
- operation->buffer_length += 1;
-
- /* Finally copy the data */
- memcpy(operation->buffer + operation->buffer_length,
- input, input_length);
- operation->buffer_length += input_length;
-
- /* Load buffer at each last round ZK_PROOF */
- if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) {
- ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake,
- operation->buffer,
- operation->buffer_length);
-
- mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
- operation->buffer_length = 0;
-
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
- } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) {
- ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake,
- operation->buffer,
- operation->buffer_length);
-
- mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
- operation->buffer_length = 0;
-
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
- }
-
- return PSA_SUCCESS;
- } else
-#else
- (void) step;
- (void) input;
- (void) input_length;
-#endif
- { return PSA_ERROR_NOT_SUPPORTED; }
-}
-
-psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status = mbedtls_psa_pake_input_internal(
- operation, step, input, input_length);
-
- return status;
-}
-
-psa_status_t mbedtls_psa_pake_get_implicit_key(
- mbedtls_psa_pake_operation_t *operation,
- uint8_t *output, size_t output_size,
- size_t *output_length)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- if (operation->alg == PSA_ALG_JPAKE) {
- ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake,
- output,
- output_size,
- output_length,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- if (ret != 0) {
- return mbedtls_ecjpake_to_psa_error(ret);
- }
-
- return PSA_SUCCESS;
- } else
-#else
- (void) output;
-#endif
- { return PSA_ERROR_NOT_SUPPORTED; }
-}
-
-psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
-{
- mbedtls_zeroize_and_free(operation->password, operation->password_len);
- operation->password = NULL;
- operation->password_len = 0;
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
- if (operation->alg == PSA_ALG_JPAKE) {
- operation->role = MBEDTLS_ECJPAKE_NONE;
- mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
- operation->buffer_length = 0;
- operation->buffer_offset = 0;
- mbedtls_ecjpake_free(&operation->ctx.jpake);
- }
-#endif
-
- operation->alg = PSA_ALG_NONE;
-
- return PSA_SUCCESS;
-}
-
-#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h
deleted file mode 100644
index f21b0e6..0000000
--- a/library/psa_crypto_pake.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * PSA PAKE layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_PAKE_H
-#define PSA_CRYPTO_PAKE_H
-
-#include <psa/crypto.h>
-
-/** Set the session information for a password-authenticated key exchange.
- *
- * \note The signature of this function is that of a PSA driver
- * pake_setup entry point. This function behaves as a pake_setup
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized but not set up yet.
- * \param[in] inputs Inputs required for PAKE operation (role, password,
- * key lifetime, cipher suite)
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
- * or the PAKE primitive in \p cipher_suite is not supported or not
- * compatible with the PAKE algorithm, or the hash algorithm in
- * \p cipher_suite is not supported or not compatible with the PAKE
- * algorithm and primitive.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
- const psa_crypto_driver_pake_inputs_t *inputs);
-
-
-/** Get output for a step of a password-authenticated key exchange.
- *
- * \note The signature of this function is that of a PSA driver
- * pake_output entry point. This function behaves as a pake_output
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in,out] operation Active PAKE operation.
- * \param step The step of the algorithm for which the output is
- * requested.
- * \param[out] output Buffer where the output is to be written in the
- * format appropriate for this driver \p step. Refer to
- * the documentation of psa_crypto_driver_pake_step_t for
- * more information.
- * \param output_size Size of the \p output buffer in bytes. This must
- * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p
- * primitive, \p step) where \p alg and
- * \p primitive are the PAKE algorithm and primitive
- * in the operation's cipher suite, and \p step is
- * the output step.
- *
- * \param[out] output_length On success, the number of bytes of the returned
- * output.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/** Provide input for a step of a password-authenticated key exchange.
- *
- * \note The signature of this function is that of a PSA driver
- * pake_input entry point. This function behaves as a pake_input
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \note The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE.
- *
- * \param[in,out] operation Active PAKE operation.
- * \param step The driver step for which the input is provided.
- * \param[in] input Buffer containing the input in the format
- * appropriate for this \p step. Refer to the
- * documentation of psa_crypto_driver_pake_step_t
- * for more information.
- * \param input_length Size of the \p input buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The verification fails for a zero-knowledge input step.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * the \p input is not valid for the \p operation's algorithm, cipher suite
- * or \p step.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * the \p input is not supported for the \p operation's algorithm, cipher
- * suite or \p step.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
- psa_crypto_driver_pake_step_t step,
- const uint8_t *input,
- size_t input_length);
-
-/** Get implicitly confirmed shared secret from a PAKE.
- *
- * \note The signature of this function is that of a PSA driver
- * pake_get_implicit_key entry point. This function behaves as a
- * pake_get_implicit_key entry point as defined in the PSA driver
- * interface specification for transparent drivers.
- *
- * \param[in,out] operation Active PAKE operation.
- * \param[out] output Output buffer for implicit key.
- * \param output_size Size of the output buffer in bytes.
- * \param[out] output_length On success, the number of bytes of the implicit key.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Input from a PAKE is not supported by the algorithm in the \p output
- * key derivation operation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-psa_status_t mbedtls_psa_pake_get_implicit_key(
- mbedtls_psa_pake_operation_t *operation,
- uint8_t *output, size_t output_size,
- size_t *output_length);
-
-/** Abort a PAKE operation.
- *
- * \note The signature of this function is that of a PSA driver
- * pake_abort entry point. This function behaves as a pake_abort
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in,out] operation The operation to abort.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation);
-
-#endif /* PSA_CRYPTO_PAKE_H */
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
deleted file mode 100644
index 8719d9c..0000000
--- a/library/psa_crypto_random_impl.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/** \file psa_crypto_random_impl.h
- *
- * \brief PSA crypto random generator implementation abstraction.
- *
- * The definitions here need to be consistent with the declarations
- * in include/psa_util_internal.h. This file contains some redundant
- * declarations to increase the chance that a compiler will detect
- * inconsistencies if one file is changed without updating the other,
- * but not all potential inconsistencies can be enforced, so make sure
- * to check the public declarations and contracts in
- * include/psa_util_internal.h if you modify this file.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_RANDOM_IMPL_H
-#define PSA_CRYPTO_RANDOM_IMPL_H
-
-#include "psa_util_internal.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-
-#include <string.h>
-#include <mbedtls/entropy.h> // only for error codes
-#include <psa/crypto.h>
-
-typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
-
-/* Trivial wrapper around psa_generate_random(). */
-int mbedtls_psa_get_random(void *p_rng,
- unsigned char *output,
- size_t output_size);
-
-/* The PSA RNG API doesn't need any externally maintained state. */
-#define MBEDTLS_PSA_RANDOM_STATE NULL
-
-#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
-/* Choose a DRBG based on configuration and availability */
-#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
-
-#include "mbedtls/hmac_drbg.h"
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
-
-#include "mbedtls/ctr_drbg.h"
-
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-
-#include "mbedtls/hmac_drbg.h"
-#if defined(MBEDTLS_MD_CAN_SHA512) && defined(MBEDTLS_MD_CAN_SHA256)
-#include <limits.h>
-#if SIZE_MAX > 0xffffffff
-/* Looks like a 64-bit system, so prefer SHA-512. */
-#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
-#else
-/* Looks like a 32-bit system, so prefer SHA-256. */
-#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
-#endif
-#elif defined(MBEDTLS_MD_CAN_SHA512)
-#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
-#elif defined(MBEDTLS_MD_CAN_SHA256)
-#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
-#else
-#error "No hash algorithm available for HMAC_DBRG."
-#endif
-
-#else
-#error "No DRBG module available for the psa_crypto module."
-#endif
-
-#include "mbedtls/entropy.h"
-
-/** Initialize the PSA DRBG.
- *
- * \param p_rng Pointer to the Mbed TLS DRBG state.
- */
-static inline void mbedtls_psa_drbg_init(mbedtls_psa_drbg_context_t *p_rng)
-{
-#if defined(MBEDTLS_CTR_DRBG_C)
- mbedtls_ctr_drbg_init(p_rng);
-#elif defined(MBEDTLS_HMAC_DRBG_C)
- mbedtls_hmac_drbg_init(p_rng);
-#endif
-}
-
-/** Deinitialize the PSA DRBG.
- *
- * \param p_rng Pointer to the Mbed TLS DRBG state.
- */
-static inline void mbedtls_psa_drbg_free(mbedtls_psa_drbg_context_t *p_rng)
-{
-#if defined(MBEDTLS_CTR_DRBG_C)
- mbedtls_ctr_drbg_free(p_rng);
-#elif defined(MBEDTLS_HMAC_DRBG_C)
- mbedtls_hmac_drbg_free(p_rng);
-#endif
-}
-
-/** The type of the PSA random generator context.
- *
- * The random generator context is composed of an entropy context and
- * a DRBG context.
- */
-typedef struct {
- void (* entropy_init)(mbedtls_entropy_context *ctx);
- void (* entropy_free)(mbedtls_entropy_context *ctx);
- mbedtls_entropy_context entropy;
- mbedtls_psa_drbg_context_t drbg;
-} mbedtls_psa_random_context_t;
-
-/* Defined in include/psa_util_internal.h so that it's visible to
- * application code. The declaration here is redundant, but included
- * as a safety net to make it more likely that a future change that
- * accidentally causes the implementation to diverge from the interface
- * will be noticed. */
-/* Do not include the declaration under MSVC because it doesn't accept it
- * ("error C2370: 'mbedtls_psa_get_random' : redefinition; different storage class").
- * Observed with Visual Studio 2013. A known bug apparently:
- * https://stackoverflow.com/questions/8146541/duplicate-external-static-declarations-not-allowed-in-visual-studio
- */
-#if !defined(_MSC_VER)
-static mbedtls_f_rng_t *const mbedtls_psa_get_random;
-#endif
-
-/** The maximum number of bytes that mbedtls_psa_get_random() is expected to
- * return.
- */
-#if defined(MBEDTLS_CTR_DRBG_C)
-#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
-#endif
-
-/** A pointer to the PSA DRBG state.
- *
- * This variable is only intended to be used through the macro
- * #MBEDTLS_PSA_RANDOM_STATE.
- */
-/* psa_crypto.c sets this variable to a pointer to the DRBG state in the
- * global PSA crypto state. */
-/* The type `mbedtls_psa_drbg_context_t` is defined in
- * include/psa_util_internal.h so that `mbedtls_psa_random_state` can be
- * declared there and be visible to application code. */
-extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
-
-/** A pointer to the PSA DRBG state.
- *
- * This macro expands to an expression that is suitable as the \c p_rng
- * parameter to pass to mbedtls_psa_get_random().
- *
- * This macro exists in all configurations where the psa_crypto module is
- * enabled. Its expansion depends on the configuration.
- */
-#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
-
-/** Seed the PSA DRBG.
- *
- * \param entropy An entropy context to read the seed from.
- * \param custom The personalization string.
- * This can be \c NULL, in which case the personalization
- * string is empty regardless of the value of \p len.
- * \param len The length of the personalization string.
- *
- * \return \c 0 on success.
- * \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure.
- */
-static inline int mbedtls_psa_drbg_seed(
- mbedtls_entropy_context *entropy,
- const unsigned char *custom, size_t len)
-{
-#if defined(MBEDTLS_CTR_DRBG_C)
- return mbedtls_ctr_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
- mbedtls_entropy_func,
- entropy,
- custom, len);
-#elif defined(MBEDTLS_HMAC_DRBG_C)
- const mbedtls_md_info_t *md_info =
- mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
- return mbedtls_hmac_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
- md_info,
- mbedtls_entropy_func,
- entropy,
- custom, len);
-#endif
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
-#endif /* PSA_CRYPTO_RANDOM_IMPL_H */
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
deleted file mode 100644
index 065e55a..0000000
--- a/library/psa_crypto_rsa.c
+++ /dev/null
@@ -1,739 +0,0 @@
-/*
- * PSA RSA layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-#include "psa/crypto_values.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_random_impl.h"
-#include "psa_crypto_rsa.h"
-#include "psa_crypto_hash.h"
-#include "md_psa.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
-
-#include <mbedtls/rsa.h>
-#include <mbedtls/error.h>
-#include <mbedtls/pk.h>
-#include "pk_wrap.h"
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
-
-/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
- * that are not a multiple of 8) well. For example, there is only
- * mbedtls_rsa_get_len(), which returns a number of bytes, and no
- * way to return the exact bit size of a key.
- * To keep things simple, reject non-byte-aligned key sizes. */
-static psa_status_t psa_check_rsa_key_byte_aligned(
- const mbedtls_rsa_context *rsa)
-{
- mbedtls_mpi n;
- psa_status_t status;
- mbedtls_mpi_init(&n);
- status = mbedtls_to_psa_error(
- mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, NULL));
- if (status == PSA_SUCCESS) {
- if (mbedtls_mpi_bitlen(&n) % 8 != 0) {
- status = PSA_ERROR_NOT_SUPPORTED;
- }
- }
- mbedtls_mpi_free(&n);
- return status;
-}
-
-psa_status_t mbedtls_psa_rsa_load_representation(
- psa_key_type_t type, const uint8_t *data, size_t data_length,
- mbedtls_rsa_context **p_rsa)
-{
- psa_status_t status;
- mbedtls_pk_context ctx;
- size_t bits;
- mbedtls_pk_init(&ctx);
-
- /* Parse the data. */
- if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- status = mbedtls_to_psa_error(
- mbedtls_pk_parse_key(&ctx, data, data_length, NULL, 0,
- mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
- } else {
- status = mbedtls_to_psa_error(
- mbedtls_pk_parse_public_key(&ctx, data, data_length));
- }
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* We have something that the pkparse module recognizes. If it is a
- * valid RSA key, store it. */
- if (mbedtls_pk_get_type(&ctx) != MBEDTLS_PK_RSA) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
- * supports non-byte-aligned key sizes, but not well. For example,
- * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
- bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(mbedtls_pk_rsa(ctx)));
- if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = psa_check_rsa_key_byte_aligned(mbedtls_pk_rsa(ctx));
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Copy out the pointer to the RSA context, and reset the PK context
- * such that pk_free doesn't free the RSA context we just grabbed. */
- *p_rsa = mbedtls_pk_rsa(ctx);
- ctx.pk_info = NULL;
-
-exit:
- mbedtls_pk_free(&ctx);
- return status;
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
-
-#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
-psa_status_t mbedtls_psa_rsa_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits)
-{
- psa_status_t status;
- mbedtls_rsa_context *rsa = NULL;
-
- /* Parse input */
- status = mbedtls_psa_rsa_load_representation(attributes->core.type,
- data,
- data_length,
- &rsa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(rsa));
-
- /* Re-export the data to PSA export format, such that we can store export
- * representation in the key slot. Export representation in case of RSA is
- * the smallest representation that's allowed as input, so a straight-up
- * allocation of the same size as the input buffer will be large enough. */
- status = mbedtls_psa_rsa_export_key(attributes->core.type,
- rsa,
- key_buffer,
- key_buffer_size,
- key_buffer_length);
-exit:
- /* Always free the RSA object */
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-
- return status;
-}
-#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
-psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
- mbedtls_rsa_context *rsa,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- int ret;
- mbedtls_pk_context pk;
- uint8_t *pos = data + data_size;
-
- mbedtls_pk_init(&pk);
- pk.pk_info = &mbedtls_rsa_info;
- pk.pk_ctx = rsa;
-
- /* PSA Crypto API defines the format of an RSA key as a DER-encoded
- * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
- * private key and of the RFC3279 RSAPublicKey for a public key. */
- if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
- ret = mbedtls_pk_write_key_der(&pk, data, data_size);
- } else {
- ret = mbedtls_pk_write_pubkey(&pos, data, &pk);
- }
-
- if (ret < 0) {
- /* Clean up in case pk_write failed halfway through. */
- memset(data, 0, data_size);
- return mbedtls_to_psa_error(ret);
- }
-
- /* The mbedtls_pk_xxx functions write to the end of the buffer.
- * Move the data to the beginning and erase remaining data
- * at the original location. */
- if (2 * (size_t) ret <= data_size) {
- memcpy(data, data + data_size - ret, ret);
- memset(data + data_size - ret, 0, ret);
- } else if ((size_t) ret < data_size) {
- memmove(data, data + data_size - ret, ret);
- memset(data + ret, 0, data_size - ret);
- }
-
- *data_length = ret;
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_rsa_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_rsa_context *rsa = NULL;
-
- status = mbedtls_psa_rsa_load_representation(
- attributes->core.type, key_buffer, key_buffer_size, &rsa);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
- rsa,
- data,
- data_size,
- data_length);
-
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-
- return status;
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
- * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
-
-#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
-static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters,
- size_t domain_parameters_size,
- int *exponent)
-{
- size_t i;
- uint32_t acc = 0;
-
- if (domain_parameters_size == 0) {
- *exponent = 65537;
- return PSA_SUCCESS;
- }
-
- /* Mbed TLS encodes the public exponent as an int. For simplicity, only
- * support values that fit in a 32-bit integer, which is larger than
- * int on just about every platform anyway. */
- if (domain_parameters_size > sizeof(acc)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- for (i = 0; i < domain_parameters_size; i++) {
- acc = (acc << 8) | domain_parameters[i];
- }
- if (acc > INT_MAX) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- *exponent = acc;
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_rsa_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
-{
- psa_status_t status;
- mbedtls_rsa_context rsa;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int exponent;
-
- status = psa_rsa_read_exponent(attributes->domain_parameters,
- attributes->domain_parameters_size,
- &exponent);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- mbedtls_rsa_init(&rsa);
- ret = mbedtls_rsa_gen_key(&rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- (unsigned int) attributes->core.bits,
- exponent);
- if (ret != 0) {
- return mbedtls_to_psa_error(ret);
- }
-
- status = mbedtls_psa_rsa_export_key(attributes->core.type,
- &rsa, key_buffer, key_buffer_size,
- key_buffer_length);
- mbedtls_rsa_free(&rsa);
-
- return status;
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
-
-/****************************************************************/
-/* Sign/verify hashes */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
-
-/* Decode the hash algorithm from alg and store the mbedtls encoding in
- * md_alg. Verify that the hash length is acceptable. */
-static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
- size_t hash_length,
- mbedtls_md_type_t *md_alg)
-{
- psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- *md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
-
- /* The Mbed TLS RSA module uses an unsigned int for hash length
- * parameters. Validate that it fits so that we don't risk an
- * overflow later. */
-#if SIZE_MAX > UINT_MAX
- if (hash_length > UINT_MAX) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-#endif
-
- /* For signatures using a hash, the hash length must be correct. */
- if (alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW) {
- if (*md_alg == MBEDTLS_MD_NONE) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- if (mbedtls_md_get_size_from_type(*md_alg) != hash_length) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- return PSA_SUCCESS;
-}
-
-psa_status_t mbedtls_psa_rsa_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_rsa_context *rsa = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_type_t md_alg;
-
- status = mbedtls_psa_rsa_load_representation(attributes->core.type,
- key_buffer,
- key_buffer_size,
- &rsa);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (signature_size < mbedtls_rsa_get_len(rsa)) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
- if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
- ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
- MBEDTLS_MD_NONE);
- if (ret == 0) {
- ret = mbedtls_rsa_pkcs1_sign(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- md_alg,
- (unsigned int) hash_length,
- hash,
- signature);
- }
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
- if (PSA_ALG_IS_RSA_PSS(alg)) {
- ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
-
- if (ret == 0) {
- ret = mbedtls_rsa_rsassa_pss_sign(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- MBEDTLS_MD_NONE,
- (unsigned int) hash_length,
- hash,
- signature);
- }
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
- {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- if (ret == 0) {
- *signature_length = mbedtls_rsa_get_len(rsa);
- }
- status = mbedtls_to_psa_error(ret);
-
-exit:
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-
- return status;
-}
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
-static int rsa_pss_expected_salt_len(psa_algorithm_t alg,
- const mbedtls_rsa_context *rsa,
- size_t hash_length)
-{
- if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) {
- return MBEDTLS_RSA_SALT_LEN_ANY;
- }
- /* Otherwise: standard salt length, i.e. largest possible salt length
- * up to the hash length. */
- int klen = (int) mbedtls_rsa_get_len(rsa); // known to fit
- int hlen = (int) hash_length; // known to fit
- int room = klen - 2 - hlen;
- if (room < 0) {
- return 0; // there is no valid signature in this case anyway
- } else if (room > hlen) {
- return hlen;
- } else {
- return room;
- }
-}
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
-
-psa_status_t mbedtls_psa_rsa_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_rsa_context *rsa = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_type_t md_alg;
-
- status = mbedtls_psa_rsa_load_representation(attributes->core.type,
- key_buffer,
- key_buffer_size,
- &rsa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (signature_length != mbedtls_rsa_get_len(rsa)) {
- status = PSA_ERROR_INVALID_SIGNATURE;
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
- if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
- ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
- MBEDTLS_MD_NONE);
- if (ret == 0) {
- ret = mbedtls_rsa_pkcs1_verify(rsa,
- md_alg,
- (unsigned int) hash_length,
- hash,
- signature);
- }
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
- if (PSA_ALG_IS_RSA_PSS(alg)) {
- ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
- if (ret == 0) {
- int slen = rsa_pss_expected_salt_len(alg, rsa, hash_length);
- ret = mbedtls_rsa_rsassa_pss_verify_ext(rsa,
- md_alg,
- (unsigned) hash_length,
- hash,
- md_alg,
- slen,
- signature);
- }
- } else
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
- {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- }
-
- /* Mbed TLS distinguishes "invalid padding" from "valid padding but
- * the rest of the signature is invalid". This has little use in
- * practice and PSA doesn't report this distinction. */
- status = (ret == MBEDTLS_ERR_RSA_INVALID_PADDING) ?
- PSA_ERROR_INVALID_SIGNATURE :
- mbedtls_to_psa_error(ret);
-
-exit:
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-
- return status;
-}
-
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
-
-/****************************************************************/
-/* Asymmetric cryptography */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
-static int psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
- mbedtls_rsa_context *rsa)
-{
- psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
- mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
-
- /* Just to get the error status right, as rsa_set_padding() doesn't
- * distinguish between "bad RSA algorithm" and "unknown hash". */
- if (mbedtls_md_info_from_type(md_alg) == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
-}
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
-
-psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
-
- if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
- mbedtls_rsa_context *rsa = NULL;
- status = mbedtls_psa_rsa_load_representation(attributes->core.type,
- key_buffer,
- key_buffer_size,
- &rsa);
- if (status != PSA_SUCCESS) {
- goto rsa_exit;
- }
-
- if (output_size < mbedtls_rsa_get_len(rsa)) {
- status = PSA_ERROR_BUFFER_TOO_SMALL;
- goto rsa_exit;
- }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
- if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
- status = mbedtls_to_psa_error(
- mbedtls_rsa_pkcs1_encrypt(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- input_length,
- input,
- output));
-#else
- status = PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
- } else
- if (PSA_ALG_IS_RSA_OAEP(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
- status = mbedtls_to_psa_error(
- psa_rsa_oaep_set_padding_mode(alg, rsa));
- if (status != PSA_SUCCESS) {
- goto rsa_exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_rsa_rsaes_oaep_encrypt(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- salt, salt_length,
- input_length,
- input,
- output));
-#else
- status = PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
- } else {
- status = PSA_ERROR_INVALID_ARGUMENT;
- }
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
-rsa_exit:
- if (status == PSA_SUCCESS) {
- *output_length = mbedtls_rsa_get_len(rsa);
- }
-
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
- } else {
- status = PSA_ERROR_NOT_SUPPORTED;
- }
-
- return status;
-}
-
-psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- (void) key_buffer;
- (void) key_buffer_size;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
-
- *output_length = 0;
-
- if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
- mbedtls_rsa_context *rsa = NULL;
- status = mbedtls_psa_rsa_load_representation(attributes->core.type,
- key_buffer,
- key_buffer_size,
- &rsa);
- if (status != PSA_SUCCESS) {
- goto rsa_exit;
- }
-
- if (input_length != mbedtls_rsa_get_len(rsa)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto rsa_exit;
- }
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
-
- if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
- status = mbedtls_to_psa_error(
- mbedtls_rsa_pkcs1_decrypt(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- output_length,
- input,
- output,
- output_size));
-#else
- status = PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
- } else
- if (PSA_ALG_IS_RSA_OAEP(alg)) {
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
- status = mbedtls_to_psa_error(
- psa_rsa_oaep_set_padding_mode(alg, rsa));
- if (status != PSA_SUCCESS) {
- goto rsa_exit;
- }
-
- status = mbedtls_to_psa_error(
- mbedtls_rsa_rsaes_oaep_decrypt(rsa,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE,
- salt, salt_length,
- output_length,
- input,
- output,
- output_size));
-#else
- status = PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
- } else {
- status = PSA_ERROR_INVALID_ARGUMENT;
- }
-
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
-rsa_exit:
- mbedtls_rsa_free(rsa);
- mbedtls_free(rsa);
-#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
- * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
- } else {
- status = PSA_ERROR_NOT_SUPPORTED;
- }
-
- return status;
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h
deleted file mode 100644
index bc24ef5..0000000
--- a/library/psa_crypto_rsa.h
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * PSA RSA layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_RSA_H
-#define PSA_CRYPTO_RSA_H
-
-#include <psa/crypto.h>
-#include <mbedtls/rsa.h>
-
-/** Load the contents of a key buffer into an internal RSA representation
- *
- * \param[in] type The type of key contained in \p data.
- * \param[in] data The buffer from which to load the representation.
- * \param[in] data_length The size in bytes of \p data.
- * \param[out] p_rsa Returns a pointer to an RSA context on success.
- * The caller is responsible for freeing both the
- * contents of the context and the context itself
- * when done.
- */
-psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type,
- const uint8_t *data,
- size_t data_length,
- mbedtls_rsa_context **p_rsa);
-
-/** Import an RSA key in binary format.
- *
- * \note The signature of this function is that of a PSA driver
- * import_key entry point. This function behaves as an import_key
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes for the key to import.
- * \param[in] data The buffer containing the key data in import
- * format.
- * \param[in] data_length Size of the \p data buffer in bytes.
- * \param[out] key_buffer The buffer containing the key data in output
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
- * size is greater or equal to \p data_length.
- * \param[out] key_buffer_length The length of the data written in \p
- * key_buffer in bytes.
- * \param[out] bits The key size in number of bits.
- *
- * \retval #PSA_SUCCESS The RSA key was imported successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- */
-psa_status_t mbedtls_psa_rsa_import_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *data, size_t data_length,
- uint8_t *key_buffer, size_t key_buffer_size,
- size_t *key_buffer_length, size_t *bits);
-
-/** Export an RSA key to export representation
- *
- * \param[in] type The type of key (public/private) to export
- * \param[in] rsa The internal RSA representation from which to export
- * \param[out] data The buffer to export to
- * \param[in] data_size The length of the buffer to export to
- * \param[out] data_length The amount of bytes written to \p data
- */
-psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
- mbedtls_rsa_context *rsa,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/** Export a public RSA key or the public part of an RSA key pair in binary
- * format.
- *
- * \note The signature of this function is that of a PSA driver
- * export_public_key entry point. This function behaves as an
- * export_public_key entry point as defined in the PSA driver interface
- * specification.
- *
- * \param[in] attributes The attributes for the key to export.
- * \param[in] key_buffer Material or context of the key to export.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[out] data Buffer where the key data is to be written.
- * \param[in] data_size Size of the \p data buffer in bytes.
- * \param[out] data_length On success, the number of bytes written in
- * \p data.
- *
- * \retval #PSA_SUCCESS The RSA public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_rsa_export_public_key(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- uint8_t *data, size_t data_size, size_t *data_length);
-
-/**
- * \brief Generate an RSA key.
- *
- * \note The signature of the function is that of a PSA driver generate_key
- * entry point.
- *
- * \param[in] attributes The attributes for the RSA key to generate.
- * \param[out] key_buffer Buffer where the key data is to be written.
- * \param[in] key_buffer_size Size of \p key_buffer in bytes.
- * \param[out] key_buffer_length On success, the number of bytes written in
- * \p key_buffer.
- *
- * \retval #PSA_SUCCESS
- * The key was successfully generated.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * Key length or type not supported.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of \p key_buffer is too small.
- */
-psa_status_t mbedtls_psa_rsa_generate_key(
- const psa_key_attributes_t *attributes,
- uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
-
-/** Sign an already-calculated hash with an RSA private key.
- *
- * \note The signature of this function is that of a PSA driver
- * sign_hash entry point. This function behaves as a sign_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the RSA key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the RSA key context.
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * an RSA key.
- * \param[in] hash The hash or message to sign.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param[in] signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
- * \p alg) where \c key_bits is the bit-size of the RSA key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- */
-psa_status_t mbedtls_psa_rsa_sign_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- uint8_t *signature, size_t signature_size, size_t *signature_length);
-
-/**
- * \brief Verify the signature a hash or short message using a public RSA key.
- *
- * \note The signature of this function is that of a PSA driver
- * verify_hash entry point. This function behaves as a verify_hash
- * entry point as defined in the PSA driver interface specification for
- * transparent drivers.
- *
- * \param[in] attributes The attributes of the RSA key to use for the
- * operation.
- * \param[in] key_buffer The buffer containing the RSA key context.
- * format.
- * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] alg A signature algorithm that is compatible with
- * an RSA key.
- * \param[in] hash The hash or message whose signature is to be
- * verified.
- * \param[in] hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param[in] signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * The calculation was performed successfully, but the passed
- * signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- */
-psa_status_t mbedtls_psa_rsa_verify_hash(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer, size_t key_buffer_size,
- psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
- const uint8_t *signature, size_t signature_length);
-
-/**
- * \brief Encrypt a short message with a public key.
- *
- * \param attributes The attributes for the key to import.
- * \param key_buffer Buffer where the key data is to be written.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[in] salt A salt or label, if supported by the
- * encryption algorithm.
- * If the algorithm does not support a
- * salt, pass \c NULL.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass \c NULL.
- *
- * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param salt_length Size of the \p salt buffer in bytes.
- * If \p salt is \c NULL, pass 0.
- * \param[out] output Buffer where the encrypted message is to
- * be written.
- * \param output_size Size of the \p output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-/**
- * \brief Decrypt a short message with a private key.
- *
- * \param attributes The attributes for the key to import.
- * \param key_buffer Buffer where the key data is to be written.
- * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
- * \param[in] input The message to decrypt.
- * \param input_length Size of the \p input buffer in bytes.
- * \param[in] salt A salt or label, if supported by the
- * encryption algorithm.
- * If the algorithm does not support a
- * salt, pass \c NULL.
- * If the algorithm supports an optional
- * salt and you do not want to pass a salt,
- * pass \c NULL.
- *
- * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
- * supported.
- * \param salt_length Size of the \p salt buffer in bytes.
- * If \p salt is \c NULL, pass 0.
- * \param[out] output Buffer where the decrypted message is to
- * be written.
- * \param output_size Size of the \c output buffer in bytes.
- * \param[out] output_length On success, the number of bytes
- * that make up the returned output.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p output buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
- * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
- * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- const uint8_t *salt,
- size_t salt_length,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-
-#endif /* PSA_CRYPTO_RSA_H */
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
deleted file mode 100644
index 9db3ded..0000000
--- a/library/psa_crypto_se.c
+++ /dev/null
@@ -1,385 +0,0 @@
-/*
- * PSA crypto support for secure element drivers
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-
-#include <stdint.h>
-#include <string.h>
-
-#include "psa/crypto_se_driver.h"
-
-#include "psa_crypto_se.h"
-
-#if defined(MBEDTLS_PSA_ITS_FILE_C)
-#include "psa_crypto_its.h"
-#else /* Native ITS implementation */
-#include "psa/error.h"
-#include "psa/internal_trusted_storage.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-
-
-/****************************************************************/
-/* Driver lookup */
-/****************************************************************/
-
-/* This structure is identical to psa_drv_se_context_t declared in
- * `crypto_se_driver.h`, except that some parts are writable here
- * (non-const, or pointer to non-const). */
-typedef struct {
- void *persistent_data;
- size_t persistent_data_size;
- uintptr_t transient_data;
-} psa_drv_se_internal_context_t;
-
-struct psa_se_drv_table_entry_s {
- psa_key_location_t location;
- const psa_drv_se_t *methods;
- union {
- psa_drv_se_internal_context_t internal;
- psa_drv_se_context_t context;
- } u;
-};
-
-static psa_se_drv_table_entry_t driver_table[PSA_MAX_SE_DRIVERS];
-
-psa_se_drv_table_entry_t *psa_get_se_driver_entry(
- psa_key_lifetime_t lifetime)
-{
- size_t i;
- psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
- /* In the driver table, location=0 means an entry that isn't used.
- * No driver has a location of 0 because it's a reserved value
- * (which designates transparent keys). Make sure we never return
- * a driver entry for location 0. */
- if (location == 0) {
- return NULL;
- }
- for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
- if (driver_table[i].location == location) {
- return &driver_table[i];
- }
- }
- return NULL;
-}
-
-const psa_drv_se_t *psa_get_se_driver_methods(
- const psa_se_drv_table_entry_t *driver)
-{
- return driver->methods;
-}
-
-psa_drv_se_context_t *psa_get_se_driver_context(
- psa_se_drv_table_entry_t *driver)
-{
- return &driver->u.context;
-}
-
-int psa_get_se_driver(psa_key_lifetime_t lifetime,
- const psa_drv_se_t **p_methods,
- psa_drv_se_context_t **p_drv_context)
-{
- psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
- if (p_methods != NULL) {
- *p_methods = (driver ? driver->methods : NULL);
- }
- if (p_drv_context != NULL) {
- *p_drv_context = (driver ? &driver->u.context : NULL);
- }
- return driver != NULL;
-}
-
-
-
-/****************************************************************/
-/* Persistent data management */
-/****************************************************************/
-
-static psa_status_t psa_get_se_driver_its_file_uid(
- const psa_se_drv_table_entry_t *driver,
- psa_storage_uid_t *uid)
-{
- if (driver->location > PSA_MAX_SE_LOCATION) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* ITS file sizes are limited to 32 bits. */
- if (driver->u.internal.persistent_data_size > UINT32_MAX) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* See the documentation of PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE. */
- *uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + driver->location;
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_load_se_persistent_data(
- const psa_se_drv_table_entry_t *driver)
-{
- psa_status_t status;
- psa_storage_uid_t uid;
- size_t length;
-
- status = psa_get_se_driver_its_file_uid(driver, &uid);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Read the amount of persistent data that the driver requests.
- * If the data in storage is larger, it is truncated. If the data
- * in storage is smaller, silently keep what is already at the end
- * of the output buffer. */
- /* psa_get_se_driver_its_file_uid ensures that the size_t
- * persistent_data_size is in range, but compilers don't know that,
- * so cast to reassure them. */
- return psa_its_get(uid, 0,
- (uint32_t) driver->u.internal.persistent_data_size,
- driver->u.internal.persistent_data,
- &length);
-}
-
-psa_status_t psa_save_se_persistent_data(
- const psa_se_drv_table_entry_t *driver)
-{
- psa_status_t status;
- psa_storage_uid_t uid;
-
- status = psa_get_se_driver_its_file_uid(driver, &uid);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* psa_get_se_driver_its_file_uid ensures that the size_t
- * persistent_data_size is in range, but compilers don't know that,
- * so cast to reassure them. */
- return psa_its_set(uid,
- (uint32_t) driver->u.internal.persistent_data_size,
- driver->u.internal.persistent_data,
- 0);
-}
-
-psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location)
-{
- psa_storage_uid_t uid;
- if (location > PSA_MAX_SE_LOCATION) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + location;
- return psa_its_remove(uid);
-}
-
-psa_status_t psa_find_se_slot_for_key(
- const psa_key_attributes_t *attributes,
- psa_key_creation_method_t method,
- psa_se_drv_table_entry_t *driver,
- psa_key_slot_number_t *slot_number)
-{
- psa_status_t status;
- psa_key_location_t key_location =
- PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
-
- /* If the location is wrong, it's a bug in the library. */
- if (driver->location != key_location) {
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- /* If the driver doesn't support key creation in any way, give up now. */
- if (driver->methods->key_management == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (psa_get_key_slot_number(attributes, slot_number) == PSA_SUCCESS) {
- /* The application wants to use a specific slot. Allow it if
- * the driver supports it. On a system with isolation,
- * the crypto service must check that the application is
- * permitted to request this slot. */
- psa_drv_se_validate_slot_number_t p_validate_slot_number =
- driver->methods->key_management->p_validate_slot_number;
- if (p_validate_slot_number == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- status = p_validate_slot_number(&driver->u.context,
- driver->u.internal.persistent_data,
- attributes, method,
- *slot_number);
- } else if (method == PSA_KEY_CREATION_REGISTER) {
- /* The application didn't specify a slot number. This doesn't
- * make sense when registering a slot. */
- return PSA_ERROR_INVALID_ARGUMENT;
- } else {
- /* The application didn't tell us which slot to use. Let the driver
- * choose. This is the normal case. */
- psa_drv_se_allocate_key_t p_allocate =
- driver->methods->key_management->p_allocate;
- if (p_allocate == NULL) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- status = p_allocate(&driver->u.context,
- driver->u.internal.persistent_data,
- attributes, method,
- slot_number);
- }
- return status;
-}
-
-psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
- psa_key_slot_number_t slot_number)
-{
- psa_status_t status;
- psa_status_t storage_status;
- /* Normally a missing method would mean that the action is not
- * supported. But psa_destroy_key() is not supposed to return
- * PSA_ERROR_NOT_SUPPORTED: if you can create a key, you should
- * be able to destroy it. The only use case for a driver that
- * does not have a way to destroy keys at all is if the keys are
- * locked in a read-only state: we can use the keys but not
- * destroy them. Hence, if the driver doesn't support destroying
- * keys, it's really a lack of permission. */
- if (driver->methods->key_management == NULL ||
- driver->methods->key_management->p_destroy == NULL) {
- return PSA_ERROR_NOT_PERMITTED;
- }
- status = driver->methods->key_management->p_destroy(
- &driver->u.context,
- driver->u.internal.persistent_data,
- slot_number);
- storage_status = psa_save_se_persistent_data(driver);
- return status == PSA_SUCCESS ? storage_status : status;
-}
-
-psa_status_t psa_init_all_se_drivers(void)
-{
- size_t i;
- for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
- psa_se_drv_table_entry_t *driver = &driver_table[i];
- if (driver->location == 0) {
- continue; /* skipping unused entry */
- }
- const psa_drv_se_t *methods = psa_get_se_driver_methods(driver);
- if (methods->p_init != NULL) {
- psa_status_t status = methods->p_init(
- &driver->u.context,
- driver->u.internal.persistent_data,
- driver->location);
- if (status != PSA_SUCCESS) {
- return status;
- }
- status = psa_save_se_persistent_data(driver);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
- }
- return PSA_SUCCESS;
-}
-
-
-
-/****************************************************************/
-/* Driver registration */
-/****************************************************************/
-
-psa_status_t psa_register_se_driver(
- psa_key_location_t location,
- const psa_drv_se_t *methods)
-{
- size_t i;
- psa_status_t status;
-
- if (methods->hal_version != PSA_DRV_SE_HAL_VERSION) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
- /* Driver table entries are 0-initialized. 0 is not a valid driver
- * location because it means a transparent key. */
- MBEDTLS_STATIC_ASSERT(PSA_KEY_LOCATION_LOCAL_STORAGE == 0,
- "Secure element support requires 0 to mean a local key");
-
- if (location == PSA_KEY_LOCATION_LOCAL_STORAGE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
- if (location > PSA_MAX_SE_LOCATION) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
- if (driver_table[i].location == 0) {
- break;
- }
- /* Check that location isn't already in use up to the first free
- * entry. Since entries are created in order and never deleted,
- * there can't be a used entry after the first free entry. */
- if (driver_table[i].location == location) {
- return PSA_ERROR_ALREADY_EXISTS;
- }
- }
- if (i == PSA_MAX_SE_DRIVERS) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- driver_table[i].location = location;
- driver_table[i].methods = methods;
- driver_table[i].u.internal.persistent_data_size =
- methods->persistent_data_size;
-
- if (methods->persistent_data_size != 0) {
- driver_table[i].u.internal.persistent_data =
- mbedtls_calloc(1, methods->persistent_data_size);
- if (driver_table[i].u.internal.persistent_data == NULL) {
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
- goto error;
- }
- /* Load the driver's persistent data. On first use, the persistent
- * data does not exist in storage, and is initialized to
- * all-bits-zero by the calloc call just above. */
- status = psa_load_se_persistent_data(&driver_table[i]);
- if (status != PSA_SUCCESS && status != PSA_ERROR_DOES_NOT_EXIST) {
- goto error;
- }
- }
-
- return PSA_SUCCESS;
-
-error:
- memset(&driver_table[i], 0, sizeof(driver_table[i]));
- return status;
-}
-
-void psa_unregister_all_se_drivers(void)
-{
- size_t i;
- for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
- if (driver_table[i].u.internal.persistent_data != NULL) {
- mbedtls_free(driver_table[i].u.internal.persistent_data);
- }
- }
- memset(driver_table, 0, sizeof(driver_table));
-}
-
-
-
-/****************************************************************/
-/* The end */
-/****************************************************************/
-
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
deleted file mode 100644
index 850ea8f..0000000
--- a/library/psa_crypto_se.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * PSA crypto support for secure element drivers
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_SE_H
-#define PSA_CRYPTO_SE_H
-
-/*
- * Include the build-time configuration information header. Here, we do not
- * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
- * is basically just an alias to it. This is to ease the maintenance of the
- * TF-PSA-Crypto repository which has a different build system and
- * configuration.
- */
-#include "psa/build_info.h"
-
-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
-
-/** The maximum location value that this implementation supports
- * for a secure element.
- *
- * This is not a characteristic that each PSA implementation has, but a
- * limitation of the current implementation due to the constraints imposed
- * by storage. See #PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE.
- *
- * The minimum location value for a secure element is 1, like on any
- * PSA implementation (0 means a transparent key).
- */
-#define PSA_MAX_SE_LOCATION 255
-
-/** The base of the range of ITS file identifiers for secure element
- * driver persistent data.
- *
- * We use a slice of the implementation reserved range 0xffff0000..0xffffffff,
- * specifically the range 0xfffffe00..0xfffffeff. The length of this range
- * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is
- * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE
- * which doesn't have a driver.
- */
-#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ((psa_key_id_t) 0xfffffe00)
-
-/** The maximum number of registered secure element driver locations. */
-#define PSA_MAX_SE_DRIVERS 4
-
-/** Unregister all secure element drivers.
- *
- * \warning Do not call this function while the library is in the initialized
- * state. This function is only intended to be called at the end
- * of mbedtls_psa_crypto_free().
- */
-void psa_unregister_all_se_drivers(void);
-
-/** Initialize all secure element drivers.
- *
- * Called from psa_crypto_init().
- */
-psa_status_t psa_init_all_se_drivers(void);
-
-/** A structure that describes a registered secure element driver.
- *
- * A secure element driver table entry contains a pointer to the
- * driver's method table as well as the driver context structure.
- */
-typedef struct psa_se_drv_table_entry_s psa_se_drv_table_entry_t;
-
-/** Return the secure element driver information for a lifetime value.
- *
- * \param lifetime The lifetime value to query.
- * \param[out] p_methods On output, if there is a driver,
- * \c *methods points to its method table.
- * Otherwise \c *methods is \c NULL.
- * \param[out] p_drv_context On output, if there is a driver,
- * \c *drv_context points to its context
- * structure.
- * Otherwise \c *drv_context is \c NULL.
- *
- * \retval 1
- * \p lifetime corresponds to a registered driver.
- * \retval 0
- * \p lifetime does not correspond to a registered driver.
- */
-int psa_get_se_driver(psa_key_lifetime_t lifetime,
- const psa_drv_se_t **p_methods,
- psa_drv_se_context_t **p_drv_context);
-
-/** Return the secure element driver table entry for a lifetime value.
- *
- * \param lifetime The lifetime value to query.
- *
- * \return The driver table entry for \p lifetime, or
- * \p NULL if \p lifetime does not correspond to a registered driver.
- */
-psa_se_drv_table_entry_t *psa_get_se_driver_entry(
- psa_key_lifetime_t lifetime);
-
-/** Return the method table for a secure element driver.
- *
- * \param[in] driver The driver table entry to access, or \c NULL.
- *
- * \return The driver's method table.
- * \c NULL if \p driver is \c NULL.
- */
-const psa_drv_se_t *psa_get_se_driver_methods(
- const psa_se_drv_table_entry_t *driver);
-
-/** Return the context of a secure element driver.
- *
- * \param[in] driver The driver table entry to access, or \c NULL.
- *
- * \return A pointer to the driver context.
- * \c NULL if \p driver is \c NULL.
- */
-psa_drv_se_context_t *psa_get_se_driver_context(
- psa_se_drv_table_entry_t *driver);
-
-/** Find a free slot for a key that is to be created.
- *
- * This function calls the relevant method in the driver to find a suitable
- * slot for a key with the given attributes.
- *
- * \param[in] attributes Metadata about the key that is about to be created.
- * \param[in] driver The driver table entry to query.
- * \param[out] slot_number On success, a slot number that is free in this
- * secure element.
- */
-psa_status_t psa_find_se_slot_for_key(
- const psa_key_attributes_t *attributes,
- psa_key_creation_method_t method,
- psa_se_drv_table_entry_t *driver,
- psa_key_slot_number_t *slot_number);
-
-/** Destroy a key in a secure element.
- *
- * This function calls the relevant driver method to destroy a key
- * and updates the driver's persistent data.
- */
-psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
- psa_key_slot_number_t slot_number);
-
-/** Load the persistent data of a secure element driver.
- *
- * \param driver The driver table entry containing the persistent
- * data to load from storage.
- *
- * \return #PSA_SUCCESS
- * \return #PSA_ERROR_NOT_SUPPORTED
- * \return #PSA_ERROR_DOES_NOT_EXIST
- * \return #PSA_ERROR_STORAGE_FAILURE
- * \return #PSA_ERROR_DATA_CORRUPT
- * \return #PSA_ERROR_INVALID_ARGUMENT
- */
-psa_status_t psa_load_se_persistent_data(
- const psa_se_drv_table_entry_t *driver);
-
-/** Save the persistent data of a secure element driver.
- *
- * \param[in] driver The driver table entry containing the persistent
- * data to save to storage.
- *
- * \return #PSA_SUCCESS
- * \return #PSA_ERROR_NOT_SUPPORTED
- * \return #PSA_ERROR_NOT_PERMITTED
- * \return #PSA_ERROR_NOT_SUPPORTED
- * \return #PSA_ERROR_INSUFFICIENT_STORAGE
- * \return #PSA_ERROR_STORAGE_FAILURE
- * \return #PSA_ERROR_INVALID_ARGUMENT
- */
-psa_status_t psa_save_se_persistent_data(
- const psa_se_drv_table_entry_t *driver);
-
-/** Destroy the persistent data of a secure element driver.
- *
- * This is currently only used for testing.
- *
- * \param[in] location The location identifier for the driver whose
- * persistent data is to be erased.
- */
-psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location);
-
-
-/** The storage representation of a key whose data is in a secure element.
- */
-typedef struct {
- uint8_t slot_number[sizeof(psa_key_slot_number_t)];
-} psa_se_key_data_storage_t;
-
-#endif /* PSA_CRYPTO_SE_H */
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
deleted file mode 100644
index 92646c0..0000000
--- a/library/psa_crypto_slot_management.c
+++ /dev/null
@@ -1,571 +0,0 @@
-/*
- * PSA crypto layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include "psa/crypto.h"
-
-#include "psa_crypto_core.h"
-#include "psa_crypto_driver_wrappers_no_static.h"
-#include "psa_crypto_slot_management.h"
-#include "psa_crypto_storage.h"
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#include "psa_crypto_se.h"
-#endif
-
-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
-
-typedef struct {
- psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
- uint8_t key_slots_initialized;
-} psa_global_data_t;
-
-static psa_global_data_t global_data;
-
-int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok)
-{
- psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
-
- if ((PSA_KEY_ID_USER_MIN <= key_id) &&
- (key_id <= PSA_KEY_ID_USER_MAX)) {
- return 1;
- }
-
- if (vendor_ok &&
- (PSA_KEY_ID_VENDOR_MIN <= key_id) &&
- (key_id <= PSA_KEY_ID_VENDOR_MAX)) {
- return 1;
- }
-
- return 0;
-}
-
-/** Get the description in memory of a key given its identifier and lock it.
- *
- * The descriptions of volatile keys and loaded persistent keys are
- * stored in key slots. This function returns a pointer to the key slot
- * containing the description of a key given its identifier.
- *
- * The function searches the key slots containing the description of the key
- * with \p key identifier. The function does only read accesses to the key
- * slots. The function does not load any persistent key thus does not access
- * any storage.
- *
- * For volatile key identifiers, only one key slot is queried as a volatile
- * key with identifier key_id can only be stored in slot of index
- * ( key_id - #PSA_KEY_ID_VOLATILE_MIN ).
- *
- * On success, the function locks the key slot. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
- *
- * \param key Key identifier to query.
- * \param[out] p_slot On success, `*p_slot` contains a pointer to the
- * key slot containing the description of the key
- * identified by \p key.
- *
- * \retval #PSA_SUCCESS
- * The pointer to the key slot containing the description of the key
- * identified by \p key was returned.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p key is not a valid key identifier.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There is no key with key identifier \p key in the key slots.
- */
-static psa_status_t psa_get_and_lock_key_slot_in_memory(
- mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
- size_t slot_idx;
- psa_key_slot_t *slot = NULL;
-
- if (psa_key_id_is_volatile(key_id)) {
- slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN];
-
- /*
- * Check if both the PSA key identifier key_id and the owner
- * identifier of key match those of the key slot.
- *
- * Note that, if the key slot is not occupied, its PSA key identifier
- * is equal to zero. This is an invalid value for a PSA key identifier
- * and thus cannot be equal to the valid PSA key identifier key_id.
- */
- status = mbedtls_svc_key_id_equal(key, slot->attr.id) ?
- PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
- } else {
- if (!psa_is_valid_key_id(key, 1)) {
- return PSA_ERROR_INVALID_HANDLE;
- }
-
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- slot = &global_data.key_slots[slot_idx];
- if (mbedtls_svc_key_id_equal(key, slot->attr.id)) {
- break;
- }
- }
- status = (slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT) ?
- PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
- }
-
- if (status == PSA_SUCCESS) {
- status = psa_lock_key_slot(slot);
- if (status == PSA_SUCCESS) {
- *p_slot = slot;
- }
- }
-
- return status;
-}
-
-psa_status_t psa_initialize_key_slots(void)
-{
- /* Nothing to do: program startup and psa_wipe_all_key_slots() both
- * guarantee that the key slots are initialized to all-zero, which
- * means that all the key slots are in a valid, empty state. */
- global_data.key_slots_initialized = 1;
- return PSA_SUCCESS;
-}
-
-void psa_wipe_all_key_slots(void)
-{
- size_t slot_idx;
-
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- slot->lock_count = 1;
- (void) psa_wipe_key_slot(slot);
- }
- global_data.key_slots_initialized = 0;
-}
-
-psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
- psa_key_slot_t **p_slot)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t slot_idx;
- psa_key_slot_t *selected_slot, *unlocked_persistent_key_slot;
-
- if (!global_data.key_slots_initialized) {
- status = PSA_ERROR_BAD_STATE;
- goto error;
- }
-
- selected_slot = unlocked_persistent_key_slot = NULL;
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- if (!psa_is_key_slot_occupied(slot)) {
- selected_slot = slot;
- break;
- }
-
- if ((unlocked_persistent_key_slot == NULL) &&
- (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
- (!psa_is_key_slot_locked(slot))) {
- unlocked_persistent_key_slot = slot;
- }
- }
-
- /*
- * If there is no unused key slot and there is at least one unlocked key
- * slot containing the description of a persistent key, recycle the first
- * such key slot we encountered. If we later need to operate on the
- * persistent key we are evicting now, we will reload its description from
- * storage.
- */
- if ((selected_slot == NULL) &&
- (unlocked_persistent_key_slot != NULL)) {
- selected_slot = unlocked_persistent_key_slot;
- selected_slot->lock_count = 1;
- psa_wipe_key_slot(selected_slot);
- }
-
- if (selected_slot != NULL) {
- status = psa_lock_key_slot(selected_slot);
- if (status != PSA_SUCCESS) {
- goto error;
- }
-
- *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
- ((psa_key_id_t) (selected_slot - global_data.key_slots));
- *p_slot = selected_slot;
-
- return PSA_SUCCESS;
- }
- status = PSA_ERROR_INSUFFICIENT_MEMORY;
-
-error:
- *p_slot = NULL;
- *volatile_key_id = 0;
-
- return status;
-}
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot)
-{
- psa_status_t status = PSA_SUCCESS;
- uint8_t *key_data = NULL;
- size_t key_data_length = 0;
-
- status = psa_load_persistent_key(&slot->attr,
- &key_data, &key_data_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* Special handling is required for loading keys associated with a
- * dynamically registered SE interface. */
- const psa_drv_se_t *drv;
- psa_drv_se_context_t *drv_context;
- if (psa_get_se_driver(slot->attr.lifetime, &drv, &drv_context)) {
- psa_se_key_data_storage_t *data;
-
- if (key_data_length != sizeof(*data)) {
- status = PSA_ERROR_DATA_INVALID;
- goto exit;
- }
- data = (psa_se_key_data_storage_t *) key_data;
- status = psa_copy_key_material_into_slot(
- slot, data->slot_number, sizeof(data->slot_number));
- goto exit;
- }
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- status = psa_copy_key_material_into_slot(slot, key_data, key_data_length);
-
-exit:
- psa_free_persistent_key_data(key_data, key_data_length);
- return status;
-}
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
-
-#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
-
-static psa_status_t psa_load_builtin_key_into_slot(psa_key_slot_t *slot)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE;
- psa_drv_slot_number_t slot_number = 0;
- size_t key_buffer_size = 0;
- size_t key_buffer_length = 0;
-
- if (!psa_key_id_is_builtin(
- MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id))) {
- return PSA_ERROR_DOES_NOT_EXIST;
- }
-
- /* Check the platform function to see whether this key actually exists */
- status = mbedtls_psa_platform_get_builtin_key(
- slot->attr.id, &lifetime, &slot_number);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Set required key attributes to ensure get_builtin_key can retrieve the
- * full attributes. */
- psa_set_key_id(&attributes, slot->attr.id);
- psa_set_key_lifetime(&attributes, lifetime);
-
- /* Get the full key attributes from the driver in order to be able to
- * calculate the required buffer size. */
- status = psa_driver_wrapper_get_builtin_key(
- slot_number, &attributes,
- NULL, 0, NULL);
- if (status != PSA_ERROR_BUFFER_TOO_SMALL) {
- /* Builtin keys cannot be defined by the attributes alone */
- if (status == PSA_SUCCESS) {
- status = PSA_ERROR_CORRUPTION_DETECTED;
- }
- return status;
- }
-
- /* If the key should exist according to the platform, then ask the driver
- * what its expected size is. */
- status = psa_driver_wrapper_get_key_buffer_size(&attributes,
- &key_buffer_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Allocate a buffer of the required size and load the builtin key directly
- * into the (now properly sized) slot buffer. */
- status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_driver_wrapper_get_builtin_key(
- slot_number, &attributes,
- slot->key.data, slot->key.bytes, &key_buffer_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- /* Copy actual key length and core attributes into the slot on success */
- slot->key.bytes = key_buffer_length;
- slot->attr = attributes.core;
-
-exit:
- if (status != PSA_SUCCESS) {
- psa_remove_key_data_from_memory(slot);
- }
- return status;
-}
-#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
-
-psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
- psa_key_slot_t **p_slot)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *p_slot = NULL;
- if (!global_data.key_slots_initialized) {
- return PSA_ERROR_BAD_STATE;
- }
-
- /*
- * On success, the pointer to the slot is passed directly to the caller
- * thus no need to unlock the key slot here.
- */
- status = psa_get_and_lock_key_slot_in_memory(key, p_slot);
- if (status != PSA_ERROR_DOES_NOT_EXIST) {
- return status;
- }
-
- /* Loading keys from storage requires support for such a mechanism */
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
- defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
- psa_key_id_t volatile_key_id;
-
- status = psa_get_empty_key_slot(&volatile_key_id, p_slot);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- (*p_slot)->attr.id = key;
- (*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
-
- status = PSA_ERROR_DOES_NOT_EXIST;
-#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
- /* Load keys in the 'builtin' range through their own interface */
- status = psa_load_builtin_key_into_slot(*p_slot);
-#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if (status == PSA_ERROR_DOES_NOT_EXIST) {
- status = psa_load_persistent_key_into_slot(*p_slot);
- }
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
- if (status != PSA_SUCCESS) {
- psa_wipe_key_slot(*p_slot);
- if (status == PSA_ERROR_DOES_NOT_EXIST) {
- status = PSA_ERROR_INVALID_HANDLE;
- }
- } else {
- /* Add implicit usage flags. */
- psa_extend_key_usage_flags(&(*p_slot)->attr.policy.usage);
- }
-
- return status;
-#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
- return PSA_ERROR_INVALID_HANDLE;
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
-}
-
-psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot)
-{
- if (slot == NULL) {
- return PSA_SUCCESS;
- }
-
- if (slot->lock_count > 0) {
- slot->lock_count--;
- return PSA_SUCCESS;
- }
-
- /*
- * As the return error code may not be handled in case of multiple errors,
- * do our best to report if the lock counter is equal to zero. Assert with
- * MBEDTLS_TEST_HOOK_TEST_ASSERT that the lock counter is strictly greater
- * than zero: if the MBEDTLS_TEST_HOOKS configuration option is enabled and
- * the function is called as part of the execution of a test suite, the
- * execution of the test suite is stopped in error if the assertion fails.
- */
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->lock_count > 0);
- return PSA_ERROR_CORRUPTION_DETECTED;
-}
-
-psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
- psa_se_drv_table_entry_t **p_drv)
-{
- if (psa_key_lifetime_is_external(lifetime)) {
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* Check whether a driver is registered against this lifetime */
- psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
- if (driver != NULL) {
- if (p_drv != NULL) {
- *p_drv = driver;
- }
- return PSA_SUCCESS;
- }
-#else /* MBEDTLS_PSA_CRYPTO_SE_C */
- (void) p_drv;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-
- /* Key location for external keys gets checked by the wrapper */
- return PSA_SUCCESS;
- } else {
- /* Local/internal keys are always valid */
- return PSA_SUCCESS;
- }
-}
-
-psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime)
-{
- if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
- /* Volatile keys are always supported */
- return PSA_SUCCESS;
- } else {
- /* Persistent keys require storage support */
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if (PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- } else {
- return PSA_SUCCESS;
- }
-#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
- }
-}
-
-psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle)
-{
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
- defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
- psa_status_t status;
- psa_key_slot_t *slot;
-
- status = psa_get_and_lock_key_slot(key, &slot);
- if (status != PSA_SUCCESS) {
- *handle = PSA_KEY_HANDLE_INIT;
- if (status == PSA_ERROR_INVALID_HANDLE) {
- status = PSA_ERROR_DOES_NOT_EXIST;
- }
-
- return status;
- }
-
- *handle = key;
-
- return psa_unlock_key_slot(slot);
-
-#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
- (void) key;
- *handle = PSA_KEY_HANDLE_INIT;
- return PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
-}
-
-psa_status_t psa_close_key(psa_key_handle_t handle)
-{
- psa_status_t status;
- psa_key_slot_t *slot;
-
- if (psa_key_handle_is_null(handle)) {
- return PSA_SUCCESS;
- }
-
- status = psa_get_and_lock_key_slot_in_memory(handle, &slot);
- if (status != PSA_SUCCESS) {
- if (status == PSA_ERROR_DOES_NOT_EXIST) {
- status = PSA_ERROR_INVALID_HANDLE;
- }
-
- return status;
- }
- if (slot->lock_count <= 1) {
- return psa_wipe_key_slot(slot);
- } else {
- return psa_unlock_key_slot(slot);
- }
-}
-
-psa_status_t psa_purge_key(mbedtls_svc_key_id_t key)
-{
- psa_status_t status;
- psa_key_slot_t *slot;
-
- status = psa_get_and_lock_key_slot_in_memory(key, &slot);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
- (slot->lock_count <= 1)) {
- return psa_wipe_key_slot(slot);
- } else {
- return psa_unlock_key_slot(slot);
- }
-}
-
-void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats)
-{
- size_t slot_idx;
-
- memset(stats, 0, sizeof(*stats));
-
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- const psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- if (psa_is_key_slot_locked(slot)) {
- ++stats->locked_slots;
- }
- if (!psa_is_key_slot_occupied(slot)) {
- ++stats->empty_slots;
- continue;
- }
- if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
- ++stats->volatile_slots;
- } else {
- psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
- ++stats->persistent_slots;
- if (id > stats->max_open_internal_key_id) {
- stats->max_open_internal_key_id = id;
- }
- }
- if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) !=
- PSA_KEY_LOCATION_LOCAL_STORAGE) {
- psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
- ++stats->external_slots;
- if (id > stats->max_open_external_key_id) {
- stats->max_open_external_key_id = id;
- }
- }
- }
-}
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
deleted file mode 100644
index c8366ab..0000000
--- a/library/psa_crypto_slot_management.h
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * PSA crypto layer on top of Mbed TLS crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
-#define PSA_CRYPTO_SLOT_MANAGEMENT_H
-
-#include "psa/crypto.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_se.h"
-
-/** Range of volatile key identifiers.
- *
- * The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
- * range of key identifiers are reserved for volatile key identifiers.
- * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
- * index of the key slot containing the volatile key definition.
- */
-
-/** The minimum value for a volatile key identifier.
- */
-#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \
- MBEDTLS_PSA_KEY_SLOT_COUNT + 1)
-
-/** The maximum value for a volatile key identifier.
- */
-#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
-
-/** Test whether a key identifier is a volatile key identifier.
- *
- * \param key_id Key identifier to test.
- *
- * \retval 1
- * The key identifier is a volatile key identifier.
- * \retval 0
- * The key identifier is not a volatile key identifier.
- */
-static inline int psa_key_id_is_volatile(psa_key_id_t key_id)
-{
- return (key_id >= PSA_KEY_ID_VOLATILE_MIN) &&
- (key_id <= PSA_KEY_ID_VOLATILE_MAX);
-}
-
-/** Get the description of a key given its identifier and lock it.
- *
- * The descriptions of volatile keys and loaded persistent keys are stored in
- * key slots. This function returns a pointer to the key slot containing the
- * description of a key given its identifier.
- *
- * In case of a persistent key, the function loads the description of the key
- * into a key slot if not already done.
- *
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
- *
- * \param key Key identifier to query.
- * \param[out] p_slot On success, `*p_slot` contains a pointer to the
- * key slot containing the description of the key
- * identified by \p key.
- *
- * \retval #PSA_SUCCESS
- * \p *p_slot contains a pointer to the key slot containing the
- * description of the key identified by \p key.
- * The key slot counter has been incremented.
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been initialized.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p key is not a valid key identifier.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \p key is a persistent key identifier. The implementation does not
- * have sufficient resources to load the persistent key. This can be
- * due to a lack of empty key slot, or available memory.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There is no key with key identifier \p key.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- */
-psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
- psa_key_slot_t **p_slot);
-
-/** Initialize the key slot structures.
- *
- * \retval #PSA_SUCCESS
- * Currently this function always succeeds.
- */
-psa_status_t psa_initialize_key_slots(void);
-
-/** Delete all data from key slots in memory.
- *
- * This does not affect persistent storage. */
-void psa_wipe_all_key_slots(void);
-
-/** Find a free key slot.
- *
- * This function returns a key slot that is available for use and is in its
- * ground state (all-bits-zero). On success, the key slot is locked. It is
- * the responsibility of the caller to unlock the key slot when it does not
- * access it anymore.
- *
- * \param[out] volatile_key_id On success, volatile key identifier
- * associated to the returned slot.
- * \param[out] p_slot On success, a pointer to the slot.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_BAD_STATE \emptydescription
- */
-psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
- psa_key_slot_t **p_slot);
-
-/** Lock a key slot.
- *
- * This function increments the key slot lock counter by one.
- *
- * \param[in] slot The key slot.
- *
- * \retval #PSA_SUCCESS
- The key slot lock counter was incremented.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * The lock counter already reached its maximum value and was not
- * increased.
- */
-static inline psa_status_t psa_lock_key_slot(psa_key_slot_t *slot)
-{
- if (slot->lock_count >= SIZE_MAX) {
- return PSA_ERROR_CORRUPTION_DETECTED;
- }
-
- slot->lock_count++;
-
- return PSA_SUCCESS;
-}
-
-/** Unlock a key slot.
- *
- * This function decrements the key slot lock counter by one.
- *
- * \note To ease the handling of errors in retrieving a key slot
- * a NULL input pointer is valid, and the function returns
- * successfully without doing anything in that case.
- *
- * \param[in] slot The key slot.
- * \retval #PSA_SUCCESS
- * \p slot is NULL or the key slot lock counter has been
- * decremented successfully.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * The lock counter was equal to 0.
- *
- */
-psa_status_t psa_unlock_key_slot(psa_key_slot_t *slot);
-
-/** Test whether a lifetime designates a key in an external cryptoprocessor.
- *
- * \param lifetime The lifetime to test.
- *
- * \retval 1
- * The lifetime designates an external key. There should be a
- * registered driver for this lifetime, otherwise the key cannot
- * be created or manipulated.
- * \retval 0
- * The lifetime designates a key that is volatile or in internal
- * storage.
- */
-static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime)
-{
- return PSA_KEY_LIFETIME_GET_LOCATION(lifetime)
- != PSA_KEY_LOCATION_LOCAL_STORAGE;
-}
-
-/** Validate a key's location.
- *
- * This function checks whether the key's attributes point to a location that
- * is known to the PSA Core, and returns the driver function table if the key
- * is to be found in an external location.
- *
- * \param[in] lifetime The key lifetime attribute.
- * \param[out] p_drv On success, when a key is located in external
- * storage, returns a pointer to the driver table
- * associated with the key's storage location.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- */
-psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
- psa_se_drv_table_entry_t **p_drv);
-
-/** Validate the persistence of a key.
- *
- * \param[in] lifetime The key lifetime attribute.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys
- * are not supported.
- */
-psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime);
-
-/** Validate a key identifier.
- *
- * \param[in] key The key identifier.
- * \param[in] vendor_ok Non-zero to indicate that key identifiers in the
- * vendor range are allowed, volatile key identifiers
- * excepted \c 0 otherwise.
- *
- * \retval <> 0 if the key identifier is valid, 0 otherwise.
- */
-int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok);
-
-#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
deleted file mode 100644
index 574d4b0..0000000
--- a/library/psa_crypto_storage.c
+++ /dev/null
@@ -1,493 +0,0 @@
-/*
- * PSA persistent key storage
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "psa/crypto.h"
-#include "psa_crypto_storage.h"
-#include "mbedtls/platform_util.h"
-
-#if defined(MBEDTLS_PSA_ITS_FILE_C)
-#include "psa_crypto_its.h"
-#else /* Native ITS implementation */
-#include "psa/error.h"
-#include "psa/internal_trusted_storage.h"
-#endif
-
-#include "mbedtls/platform.h"
-
-
-
-/****************************************************************/
-/* Key storage */
-/****************************************************************/
-
-/* Determine a file name (ITS file identifier) for the given key identifier.
- * The file name must be distinct from any file that is used for a purpose
- * other than storing a key. Currently, the only such file is the random seed
- * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
- * 0xFFFFFF52. */
-static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)
-{
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
- /* Encode the owner in the upper 32 bits. This means that if
- * owner values are nonzero (as they are on a PSA platform),
- * no key file will ever have a value less than 0x100000000, so
- * the whole range 0..0xffffffff is available for non-key files. */
- uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key);
- return ((uint64_t) unsigned_owner_id << 32) |
- MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
-#else
- /* Use the key id directly as a file name.
- * psa_is_key_id_valid() in psa_crypto_slot_management.c
- * is responsible for ensuring that key identifiers do not have a
- * value that is reserved for non-key files. */
- return key;
-#endif
-}
-
-/**
- * \brief Load persistent data for the given key slot number.
- *
- * This function reads data from a storage backend and returns the data in a
- * buffer.
- *
- * \param key Persistent identifier of the key to be loaded. This
- * should be an occupied storage location.
- * \param[out] data Buffer where the data is to be written.
- * \param data_size Size of the \c data buffer in bytes.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
- */
-static psa_status_t psa_crypto_storage_load(
- const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
-{
- psa_status_t status;
- psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
- struct psa_storage_info_t data_identifier_info;
- size_t data_length = 0;
-
- status = psa_its_get_info(data_identifier, &data_identifier_info);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_its_get(data_identifier, 0, (uint32_t) data_size, data, &data_length);
- if (data_size != data_length) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- return status;
-}
-
-int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)
-{
- psa_status_t ret;
- psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
- struct psa_storage_info_t data_identifier_info;
-
- ret = psa_its_get_info(data_identifier, &data_identifier_info);
-
- if (ret == PSA_ERROR_DOES_NOT_EXIST) {
- return 0;
- }
- return 1;
-}
-
-/**
- * \brief Store persistent data for the given key slot number.
- *
- * This function stores the given data buffer to a persistent storage.
- *
- * \param key Persistent identifier of the key to be stored. This
- * should be an unoccupied storage location.
- * \param[in] data Buffer containing the data to be stored.
- * \param data_length The number of bytes
- * that make up the data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
- const uint8_t *data,
- size_t data_length)
-{
- psa_status_t status;
- psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
- struct psa_storage_info_t data_identifier_info;
-
- if (psa_is_key_present_in_storage(key) == 1) {
- return PSA_ERROR_ALREADY_EXISTS;
- }
-
- status = psa_its_set(data_identifier, (uint32_t) data_length, data, 0);
- if (status != PSA_SUCCESS) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- status = psa_its_get_info(data_identifier, &data_identifier_info);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- if (data_identifier_info.size != data_length) {
- status = PSA_ERROR_DATA_INVALID;
- goto exit;
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- /* Remove the file in case we managed to create it but something
- * went wrong. It's ok if the file doesn't exist. If the file exists
- * but the removal fails, we're already reporting an error so there's
- * nothing else we can do. */
- (void) psa_its_remove(data_identifier);
- }
- return status;
-}
-
-psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)
-{
- psa_status_t ret;
- psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
- struct psa_storage_info_t data_identifier_info;
-
- ret = psa_its_get_info(data_identifier, &data_identifier_info);
- if (ret == PSA_ERROR_DOES_NOT_EXIST) {
- return PSA_SUCCESS;
- }
-
- if (psa_its_remove(data_identifier) != PSA_SUCCESS) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- ret = psa_its_get_info(data_identifier, &data_identifier_info);
- if (ret != PSA_ERROR_DOES_NOT_EXIST) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- return PSA_SUCCESS;
-}
-
-/**
- * \brief Get data length for given key slot number.
- *
- * \param key Persistent identifier whose stored data length
- * is to be obtained.
- * \param[out] data_length The number of bytes that make up the data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- */
-static psa_status_t psa_crypto_storage_get_data_length(
- const mbedtls_svc_key_id_t key,
- size_t *data_length)
-{
- psa_status_t status;
- psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
- struct psa_storage_info_t data_identifier_info;
-
- status = psa_its_get_info(data_identifier, &data_identifier_info);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- *data_length = (size_t) data_identifier_info.size;
-
- return PSA_SUCCESS;
-}
-
-/**
- * Persistent key storage magic header.
- */
-#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
-#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH (sizeof(PSA_KEY_STORAGE_MAGIC_HEADER))
-
-typedef struct {
- uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
- uint8_t version[4];
- uint8_t lifetime[sizeof(psa_key_lifetime_t)];
- uint8_t type[2];
- uint8_t bits[2];
- uint8_t policy[sizeof(psa_key_policy_t)];
- uint8_t data_len[4];
- uint8_t key_data[];
-} psa_persistent_key_storage_format;
-
-void psa_format_key_data_for_storage(const uint8_t *data,
- const size_t data_length,
- const psa_core_key_attributes_t *attr,
- uint8_t *storage_data)
-{
- psa_persistent_key_storage_format *storage_format =
- (psa_persistent_key_storage_format *) storage_data;
-
- memcpy(storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER,
- PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH);
- MBEDTLS_PUT_UINT32_LE(0, storage_format->version, 0);
- MBEDTLS_PUT_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
- MBEDTLS_PUT_UINT16_LE((uint16_t) attr->type, storage_format->type, 0);
- MBEDTLS_PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
- MBEDTLS_PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
- MBEDTLS_PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
- MBEDTLS_PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
- MBEDTLS_PUT_UINT32_LE(data_length, storage_format->data_len, 0);
- memcpy(storage_format->key_data, data, data_length);
-}
-
-static psa_status_t check_magic_header(const uint8_t *data)
-{
- if (memcmp(data, PSA_KEY_STORAGE_MAGIC_HEADER,
- PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH) != 0) {
- return PSA_ERROR_DATA_INVALID;
- }
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
- size_t storage_data_length,
- uint8_t **key_data,
- size_t *key_data_length,
- psa_core_key_attributes_t *attr)
-{
- psa_status_t status;
- const psa_persistent_key_storage_format *storage_format =
- (const psa_persistent_key_storage_format *) storage_data;
- uint32_t version;
-
- if (storage_data_length < sizeof(*storage_format)) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- status = check_magic_header(storage_data);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- version = MBEDTLS_GET_UINT32_LE(storage_format->version, 0);
- if (version != 0) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- *key_data_length = MBEDTLS_GET_UINT32_LE(storage_format->data_len, 0);
- if (*key_data_length > (storage_data_length - sizeof(*storage_format)) ||
- *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
- return PSA_ERROR_DATA_INVALID;
- }
-
- if (*key_data_length == 0) {
- *key_data = NULL;
- } else {
- *key_data = mbedtls_calloc(1, *key_data_length);
- if (*key_data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- memcpy(*key_data, storage_format->key_data, *key_data_length);
- }
-
- attr->lifetime = MBEDTLS_GET_UINT32_LE(storage_format->lifetime, 0);
- attr->type = MBEDTLS_GET_UINT16_LE(storage_format->type, 0);
- attr->bits = MBEDTLS_GET_UINT16_LE(storage_format->bits, 0);
- attr->policy.usage = MBEDTLS_GET_UINT32_LE(storage_format->policy, 0);
- attr->policy.alg = MBEDTLS_GET_UINT32_LE(storage_format->policy, sizeof(uint32_t));
- attr->policy.alg2 = MBEDTLS_GET_UINT32_LE(storage_format->policy, 2 * sizeof(uint32_t));
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
- const uint8_t *data,
- const size_t data_length)
-{
- size_t storage_data_length;
- uint8_t *storage_data;
- psa_status_t status;
-
- /* All keys saved to persistent storage always have a key context */
- if (data == NULL || data_length == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
- return PSA_ERROR_INSUFFICIENT_STORAGE;
- }
- storage_data_length = data_length + sizeof(psa_persistent_key_storage_format);
-
- storage_data = mbedtls_calloc(1, storage_data_length);
- if (storage_data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- psa_format_key_data_for_storage(data, data_length, attr, storage_data);
-
- status = psa_crypto_storage_store(attr->id,
- storage_data, storage_data_length);
-
- mbedtls_zeroize_and_free(storage_data, storage_data_length);
-
- return status;
-}
-
-void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length)
-{
- mbedtls_zeroize_and_free(key_data, key_data_length);
-}
-
-psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
- uint8_t **data,
- size_t *data_length)
-{
- psa_status_t status = PSA_SUCCESS;
- uint8_t *loaded_data;
- size_t storage_data_length = 0;
- mbedtls_svc_key_id_t key = attr->id;
-
- status = psa_crypto_storage_get_data_length(key, &storage_data_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- loaded_data = mbedtls_calloc(1, storage_data_length);
-
- if (loaded_data == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- status = psa_crypto_storage_load(key, loaded_data, storage_data_length);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_parse_key_data_from_storage(loaded_data, storage_data_length,
- data, data_length, attr);
-
- /* All keys saved to persistent storage always have a key context */
- if (status == PSA_SUCCESS &&
- (*data == NULL || *data_length == 0)) {
- status = PSA_ERROR_STORAGE_FAILURE;
- }
-
-exit:
- mbedtls_zeroize_and_free(loaded_data, storage_data_length);
- return status;
-}
-
-
-
-/****************************************************************/
-/* Transactions */
-/****************************************************************/
-
-#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
-
-psa_crypto_transaction_t psa_crypto_transaction;
-
-psa_status_t psa_crypto_save_transaction(void)
-{
- struct psa_storage_info_t p_info;
- psa_status_t status;
- status = psa_its_get_info(PSA_CRYPTO_ITS_TRANSACTION_UID, &p_info);
- if (status == PSA_SUCCESS) {
- /* This shouldn't happen: we're trying to start a transaction while
- * there is still a transaction that hasn't been replayed. */
- return PSA_ERROR_CORRUPTION_DETECTED;
- } else if (status != PSA_ERROR_DOES_NOT_EXIST) {
- return status;
- }
- return psa_its_set(PSA_CRYPTO_ITS_TRANSACTION_UID,
- sizeof(psa_crypto_transaction),
- &psa_crypto_transaction,
- 0);
-}
-
-psa_status_t psa_crypto_load_transaction(void)
-{
- psa_status_t status;
- size_t length;
- status = psa_its_get(PSA_CRYPTO_ITS_TRANSACTION_UID, 0,
- sizeof(psa_crypto_transaction),
- &psa_crypto_transaction, &length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- if (length != sizeof(psa_crypto_transaction)) {
- return PSA_ERROR_DATA_INVALID;
- }
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_crypto_stop_transaction(void)
-{
- psa_status_t status = psa_its_remove(PSA_CRYPTO_ITS_TRANSACTION_UID);
- /* Whether or not updating the storage succeeded, the transaction is
- * finished now. It's too late to go back, so zero out the in-memory
- * data. */
- memset(&psa_crypto_transaction, 0, sizeof(psa_crypto_transaction));
- return status;
-}
-
-#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
-
-
-
-/****************************************************************/
-/* Random generator state */
-/****************************************************************/
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
- size_t seed_size)
-{
- psa_status_t status;
- struct psa_storage_info_t p_info;
-
- status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info);
-
- if (PSA_ERROR_DOES_NOT_EXIST == status) { /* No seed exists */
- status = psa_its_set(PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0);
- } else if (PSA_SUCCESS == status) {
- /* You should not be here. Seed needs to be injected only once */
- status = PSA_ERROR_NOT_PERMITTED;
- }
- return status;
-}
-#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
-
-
-
-/****************************************************************/
-/* The end */
-/****************************************************************/
-
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
deleted file mode 100644
index 37ca46e..0000000
--- a/library/psa_crypto_storage.h
+++ /dev/null
@@ -1,396 +0,0 @@
-/**
- * \file psa_crypto_storage.h
- *
- * \brief PSA cryptography module: Mbed TLS key storage
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef PSA_CRYPTO_STORAGE_H
-#define PSA_CRYPTO_STORAGE_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
-
-#include <stdint.h>
-#include <string.h>
-
-/* Limit the maximum key size in storage. This should have no effect
- * since the key size is limited in memory. */
-#define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS))
-/* Sanity check: a file size must fit in 32 bits. Allow a generous
- * 64kB of metadata. */
-#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
-#error "PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000"
-#endif
-
-/** The maximum permitted persistent slot number.
- *
- * In Mbed Crypto 0.1.0b:
- * - Using the file backend, all key ids are ok except 0.
- * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
- * (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
- * device's random seed (if this feature is enabled).
- * - Only key ids from 1 to #MBEDTLS_PSA_KEY_SLOT_COUNT are actually used.
- *
- * Since we need to preserve the random seed, avoid using that key slot.
- * Reserve a whole range of key slots just in case something else comes up.
- *
- * This limitation will probably become moot when we implement client
- * separation for key storage.
- */
-#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER PSA_KEY_ID_VENDOR_MAX
-
-/**
- * \brief Checks if persistent data is stored for the given key slot number
- *
- * This function checks if any key data or metadata exists for the key slot in
- * the persistent storage.
- *
- * \param key Persistent identifier to check.
- *
- * \retval 0
- * No persistent data present for slot number
- * \retval 1
- * Persistent data present for slot number
- */
-int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key);
-
-/**
- * \brief Format key data and metadata and save to a location for given key
- * slot.
- *
- * This function formats the key data and metadata and saves it to a
- * persistent storage backend. The storage location corresponding to the
- * key slot must be empty, otherwise this function will fail. This function
- * should be called after loading the key into an internal slot to ensure the
- * persistent key is not saved into a storage location corresponding to an
- * already occupied non-persistent key, as well as ensuring the key data is
- * validated.
- *
- * Note: This function will only succeed for key buffers which are not
- * empty. If passed a NULL pointer or zero-length, the function will fail
- * with #PSA_ERROR_INVALID_ARGUMENT.
- *
- * \param[in] attr The attributes of the key to save.
- * The key identifier field in the attributes
- * determines the key's location.
- * \param[in] data Buffer containing the key data.
- * \param data_length The number of bytes that make up the key data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- */
-psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
- const uint8_t *data,
- const size_t data_length);
-
-/**
- * \brief Parses key data and metadata and load persistent key for given
- * key slot number.
- *
- * This function reads from a storage backend, parses the key data and
- * metadata and writes them to the appropriate output parameters.
- *
- * Note: This function allocates a buffer and returns a pointer to it through
- * the data parameter. On successful return, the pointer is guaranteed to be
- * valid and the buffer contains at least one byte of data.
- * psa_free_persistent_key_data() must be called on the data buffer
- * afterwards to zeroize and free this buffer.
- *
- * \param[in,out] attr On input, the key identifier field identifies
- * the key to load. Other fields are ignored.
- * On success, the attribute structure contains
- * the key metadata that was loaded from storage.
- * \param[out] data Pointer to an allocated key data buffer on return.
- * \param[out] data_length The number of bytes that make up the key data.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
- */
-psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
- uint8_t **data,
- size_t *data_length);
-
-/**
- * \brief Remove persistent data for the given key slot number.
- *
- * \param key Persistent identifier of the key to remove
- * from persistent storage.
- *
- * \retval #PSA_SUCCESS
- * The key was successfully removed,
- * or the key did not exist.
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
-
-/**
- * \brief Free the temporary buffer allocated by psa_load_persistent_key().
- *
- * This function must be called at some point after psa_load_persistent_key()
- * to zeroize and free the memory allocated to the buffer in that function.
- *
- * \param key_data Buffer for the key data.
- * \param key_data_length Size of the key data buffer.
- *
- */
-void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length);
-
-/**
- * \brief Formats key data and metadata for persistent storage
- *
- * \param[in] data Buffer containing the key data.
- * \param data_length Length of the key data buffer.
- * \param[in] attr The core attributes of the key.
- * \param[out] storage_data Output buffer for the formatted data.
- *
- */
-void psa_format_key_data_for_storage(const uint8_t *data,
- const size_t data_length,
- const psa_core_key_attributes_t *attr,
- uint8_t *storage_data);
-
-/**
- * \brief Parses persistent storage data into key data and metadata
- *
- * \param[in] storage_data Buffer for the storage data.
- * \param storage_data_length Length of the storage data buffer
- * \param[out] key_data On output, pointer to a newly allocated buffer
- * containing the key data. This must be freed
- * using psa_free_persistent_key_data()
- * \param[out] key_data_length Length of the key data buffer
- * \param[out] attr On success, the attribute structure is filled
- * with the loaded key metadata.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- */
-psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
- size_t storage_data_length,
- uint8_t **key_data,
- size_t *key_data_length,
- psa_core_key_attributes_t *attr);
-
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/** This symbol is defined if transaction support is required. */
-#define PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS 1
-#endif
-
-#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
-
-/** The type of transaction that is in progress.
- */
-/* This is an integer type rather than an enum for two reasons: to support
- * unknown values when loading a transaction file, and to ensure that the
- * type has a known size.
- */
-typedef uint16_t psa_crypto_transaction_type_t;
-
-/** No transaction is in progress.
- *
- * This has the value 0, so zero-initialization sets a transaction's type to
- * this value.
- */
-#define PSA_CRYPTO_TRANSACTION_NONE ((psa_crypto_transaction_type_t) 0x0000)
-
-/** A key creation transaction.
- *
- * This is only used for keys in an external cryptoprocessor (secure element).
- * Keys in RAM or in internal storage are created atomically in storage
- * (simple file creation), so they do not need a transaction mechanism.
- */
-#define PSA_CRYPTO_TRANSACTION_CREATE_KEY ((psa_crypto_transaction_type_t) 0x0001)
-
-/** A key destruction transaction.
- *
- * This is only used for keys in an external cryptoprocessor (secure element).
- * Keys in RAM or in internal storage are destroyed atomically in storage
- * (simple file deletion), so they do not need a transaction mechanism.
- */
-#define PSA_CRYPTO_TRANSACTION_DESTROY_KEY ((psa_crypto_transaction_type_t) 0x0002)
-
-/** Transaction data.
- *
- * This type is designed to be serialized by writing the memory representation
- * and reading it back on the same device.
- *
- * \note The transaction mechanism is designed for a single active transaction
- * at a time. The transaction object is #psa_crypto_transaction.
- *
- * \note If an API call starts a transaction, it must complete this transaction
- * before returning to the application.
- *
- * The lifetime of a transaction is the following (note that only one
- * transaction may be active at a time):
- *
- * -# Call psa_crypto_prepare_transaction() to initialize the transaction
- * object in memory and declare the type of transaction that is starting.
- * -# Fill in the type-specific fields of #psa_crypto_transaction.
- * -# Call psa_crypto_save_transaction() to start the transaction. This
- * saves the transaction data to internal storage.
- * -# Perform the work of the transaction by modifying files, contacting
- * external entities, or whatever needs doing. Note that the transaction
- * may be interrupted by a power failure, so you need to have a way
- * recover from interruptions either by undoing what has been done
- * so far or by resuming where you left off.
- * -# If there are intermediate stages in the transaction, update
- * the fields of #psa_crypto_transaction and call
- * psa_crypto_save_transaction() again when each stage is reached.
- * -# When the transaction is over, call psa_crypto_stop_transaction() to
- * remove the transaction data in storage and in memory.
- *
- * If the system crashes while a transaction is in progress, psa_crypto_init()
- * calls psa_crypto_load_transaction() and takes care of completing or
- * rewinding the transaction. This is done in psa_crypto_recover_transaction()
- * in psa_crypto.c. If you add a new type of transaction, be
- * sure to add code for it in psa_crypto_recover_transaction().
- */
-typedef union {
- /* Each element of this union must have the following properties
- * to facilitate serialization and deserialization:
- *
- * - The element is a struct.
- * - The first field of the struct is `psa_crypto_transaction_type_t type`.
- * - Elements of the struct are arranged such a way that there is
- * no padding.
- */
- struct psa_crypto_transaction_unknown_s {
- psa_crypto_transaction_type_t type;
- uint16_t unused1;
- uint32_t unused2;
- uint64_t unused3;
- uint64_t unused4;
- } unknown;
- /* ::type is #PSA_CRYPTO_TRANSACTION_CREATE_KEY or
- * #PSA_CRYPTO_TRANSACTION_DESTROY_KEY. */
- struct psa_crypto_transaction_key_s {
- psa_crypto_transaction_type_t type;
- uint16_t unused1;
- psa_key_lifetime_t lifetime;
- psa_key_slot_number_t slot;
- mbedtls_svc_key_id_t id;
- } key;
-} psa_crypto_transaction_t;
-
-/** The single active transaction.
- */
-extern psa_crypto_transaction_t psa_crypto_transaction;
-
-/** Prepare for a transaction.
- *
- * There must not be an ongoing transaction.
- *
- * \param type The type of transaction to start.
- */
-static inline void psa_crypto_prepare_transaction(
- psa_crypto_transaction_type_t type)
-{
- psa_crypto_transaction.unknown.type = type;
-}
-
-/** Save the transaction data to storage.
- *
- * You may call this function multiple times during a transaction to
- * atomically update the transaction state.
- *
- * \retval #PSA_SUCCESS \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- */
-psa_status_t psa_crypto_save_transaction(void);
-
-/** Load the transaction data from storage, if any.
- *
- * This function is meant to be called from psa_crypto_init() to recover
- * in case a transaction was interrupted by a system crash.
- *
- * \retval #PSA_SUCCESS
- * The data about the ongoing transaction has been loaded to
- * #psa_crypto_transaction.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There is no ongoing transaction.
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_DATA_INVALID \emptydescription
- * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
- */
-psa_status_t psa_crypto_load_transaction(void);
-
-/** Indicate that the current transaction is finished.
- *
- * Call this function at the very end of transaction processing.
- * This function does not "commit" or "abort" the transaction: the storage
- * subsystem has no concept of "commit" and "abort", just saving and
- * removing the transaction information in storage.
- *
- * This function erases the transaction data in storage (if any) and
- * resets the transaction data in memory.
- *
- * \retval #PSA_SUCCESS
- * There was transaction data in storage.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There was no transaction data in storage.
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * It was impossible to determine whether there was transaction data
- * in storage, or the transaction data could not be erased.
- */
-psa_status_t psa_crypto_stop_transaction(void);
-
-/** The ITS file identifier for the transaction data.
- *
- * 0xffffffNN = special file; 0x74 = 't' for transaction.
- */
-#define PSA_CRYPTO_ITS_TRANSACTION_UID ((psa_key_id_t) 0xffffff74)
-
-#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
-
-#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-/** Backend side of mbedtls_psa_inject_entropy().
- *
- * This function stores the supplied data into the entropy seed file.
- *
- * \retval #PSA_SUCCESS
- * Success
- * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The entropy seed file already exists.
- */
-psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
- size_t seed_size);
-#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_its_file.c b/library/psa_its_file.c
deleted file mode 100644
index 9748616..0000000
--- a/library/psa_its_file.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * PSA ITS simulator over stdio files.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_ITS_FILE_C)
-
-#include "mbedtls/platform.h"
-
-#if defined(_WIN32)
-#include <windows.h>
-#endif
-
-#include "psa_crypto_its.h"
-
-#include <limits.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <string.h>
-
-#if !defined(PSA_ITS_STORAGE_PREFIX)
-#define PSA_ITS_STORAGE_PREFIX ""
-#endif
-
-#define PSA_ITS_STORAGE_FILENAME_PATTERN "%08x%08x"
-#define PSA_ITS_STORAGE_SUFFIX ".psa_its"
-#define PSA_ITS_STORAGE_FILENAME_LENGTH \
- (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \
- 16 + /*UID (64-bit number in hex)*/ \
- sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \
- 1 /*terminating null byte*/)
-#define PSA_ITS_STORAGE_TEMP \
- PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX
-
-/* The maximum value of psa_storage_info_t.size */
-#define PSA_ITS_MAX_SIZE 0xffffffff
-
-#define PSA_ITS_MAGIC_STRING "PSA\0ITS\0"
-#define PSA_ITS_MAGIC_LENGTH 8
-
-/* As rename fails on Windows if the new filepath already exists,
- * use MoveFileExA with the MOVEFILE_REPLACE_EXISTING flag instead.
- * Returns 0 on success, nonzero on failure. */
-#if defined(_WIN32)
-#define rename_replace_existing(oldpath, newpath) \
- (!MoveFileExA(oldpath, newpath, MOVEFILE_REPLACE_EXISTING))
-#else
-#define rename_replace_existing(oldpath, newpath) rename(oldpath, newpath)
-#endif
-
-typedef struct {
- uint8_t magic[PSA_ITS_MAGIC_LENGTH];
- uint8_t size[sizeof(uint32_t)];
- uint8_t flags[sizeof(psa_storage_create_flags_t)];
-} psa_its_file_header_t;
-
-static void psa_its_fill_filename(psa_storage_uid_t uid, char *filename)
-{
- /* Break up the UID into two 32-bit pieces so as not to rely on
- * long long support in snprintf. */
- mbedtls_snprintf(filename, PSA_ITS_STORAGE_FILENAME_LENGTH,
- "%s" PSA_ITS_STORAGE_FILENAME_PATTERN "%s",
- PSA_ITS_STORAGE_PREFIX,
- (unsigned) (uid >> 32),
- (unsigned) (uid & 0xffffffff),
- PSA_ITS_STORAGE_SUFFIX);
-}
-
-static psa_status_t psa_its_read_file(psa_storage_uid_t uid,
- struct psa_storage_info_t *p_info,
- FILE **p_stream)
-{
- char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
- psa_its_file_header_t header;
- size_t n;
-
- *p_stream = NULL;
- psa_its_fill_filename(uid, filename);
- *p_stream = fopen(filename, "rb");
- if (*p_stream == NULL) {
- return PSA_ERROR_DOES_NOT_EXIST;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(*p_stream, NULL);
-
- n = fread(&header, 1, sizeof(header), *p_stream);
- if (n != sizeof(header)) {
- return PSA_ERROR_DATA_CORRUPT;
- }
- if (memcmp(header.magic, PSA_ITS_MAGIC_STRING,
- PSA_ITS_MAGIC_LENGTH) != 0) {
- return PSA_ERROR_DATA_CORRUPT;
- }
-
- p_info->size = (header.size[0] |
- header.size[1] << 8 |
- header.size[2] << 16 |
- header.size[3] << 24);
- p_info->flags = (header.flags[0] |
- header.flags[1] << 8 |
- header.flags[2] << 16 |
- header.flags[3] << 24);
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_its_get_info(psa_storage_uid_t uid,
- struct psa_storage_info_t *p_info)
-{
- psa_status_t status;
- FILE *stream = NULL;
- status = psa_its_read_file(uid, p_info, &stream);
- if (stream != NULL) {
- fclose(stream);
- }
- return status;
-}
-
-psa_status_t psa_its_get(psa_storage_uid_t uid,
- uint32_t data_offset,
- uint32_t data_length,
- void *p_data,
- size_t *p_data_length)
-{
- psa_status_t status;
- FILE *stream = NULL;
- size_t n;
- struct psa_storage_info_t info;
-
- status = psa_its_read_file(uid, &info, &stream);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- status = PSA_ERROR_INVALID_ARGUMENT;
- if (data_offset + data_length < data_offset) {
- goto exit;
- }
-#if SIZE_MAX < 0xffffffff
- if (data_offset + data_length > SIZE_MAX) {
- goto exit;
- }
-#endif
- if (data_offset + data_length > info.size) {
- goto exit;
- }
-
- status = PSA_ERROR_STORAGE_FAILURE;
-#if LONG_MAX < 0xffffffff
- while (data_offset > LONG_MAX) {
- if (fseek(stream, LONG_MAX, SEEK_CUR) != 0) {
- goto exit;
- }
- data_offset -= LONG_MAX;
- }
-#endif
- if (fseek(stream, data_offset, SEEK_CUR) != 0) {
- goto exit;
- }
- n = fread(p_data, 1, data_length, stream);
- if (n != data_length) {
- goto exit;
- }
- status = PSA_SUCCESS;
- if (p_data_length != NULL) {
- *p_data_length = n;
- }
-
-exit:
- if (stream != NULL) {
- fclose(stream);
- }
- return status;
-}
-
-psa_status_t psa_its_set(psa_storage_uid_t uid,
- uint32_t data_length,
- const void *p_data,
- psa_storage_create_flags_t create_flags)
-{
- if (uid == 0) {
- return PSA_ERROR_INVALID_HANDLE;
- }
-
- psa_status_t status = PSA_ERROR_STORAGE_FAILURE;
- char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
- FILE *stream = NULL;
- psa_its_file_header_t header;
- size_t n;
-
- memcpy(header.magic, PSA_ITS_MAGIC_STRING, PSA_ITS_MAGIC_LENGTH);
- MBEDTLS_PUT_UINT32_LE(data_length, header.size, 0);
- MBEDTLS_PUT_UINT32_LE(create_flags, header.flags, 0);
-
- psa_its_fill_filename(uid, filename);
- stream = fopen(PSA_ITS_STORAGE_TEMP, "wb");
-
- if (stream == NULL) {
- goto exit;
- }
-
- /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
- mbedtls_setbuf(stream, NULL);
-
- status = PSA_ERROR_INSUFFICIENT_STORAGE;
- n = fwrite(&header, 1, sizeof(header), stream);
- if (n != sizeof(header)) {
- goto exit;
- }
- if (data_length != 0) {
- n = fwrite(p_data, 1, data_length, stream);
- if (n != data_length) {
- goto exit;
- }
- }
- status = PSA_SUCCESS;
-
-exit:
- if (stream != NULL) {
- int ret = fclose(stream);
- if (status == PSA_SUCCESS && ret != 0) {
- status = PSA_ERROR_INSUFFICIENT_STORAGE;
- }
- }
- if (status == PSA_SUCCESS) {
- if (rename_replace_existing(PSA_ITS_STORAGE_TEMP, filename) != 0) {
- status = PSA_ERROR_STORAGE_FAILURE;
- }
- }
- /* The temporary file may still exist, but only in failure cases where
- * we're already reporting an error. So there's nothing we can do on
- * failure. If the function succeeded, and in some error cases, the
- * temporary file doesn't exist and so remove() is expected to fail.
- * Thus we just ignore the return status of remove(). */
- (void) remove(PSA_ITS_STORAGE_TEMP);
- return status;
-}
-
-psa_status_t psa_its_remove(psa_storage_uid_t uid)
-{
- char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
- FILE *stream;
- psa_its_fill_filename(uid, filename);
- stream = fopen(filename, "rb");
- if (stream == NULL) {
- return PSA_ERROR_DOES_NOT_EXIST;
- }
- fclose(stream);
- if (remove(filename) != 0) {
- return PSA_ERROR_STORAGE_FAILURE;
- }
- return PSA_SUCCESS;
-}
-
-#endif /* MBEDTLS_PSA_ITS_FILE_C */
diff --git a/library/psa_util.c b/library/psa_util.c
deleted file mode 100644
index dd5e134..0000000
--- a/library/psa_util.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * PSA hashing layer on top of Mbed TLS software crypto
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-#include <psa/crypto.h>
-
-#include "psa_crypto_core.h"
-#include "psa_util_internal.h"
-
-/* The following includes are needed for MBEDTLS_ERR_XXX macros */
-#include <mbedtls/error.h>
-#if defined(MBEDTLS_MD_LIGHT)
-#include <mbedtls/md.h>
-#endif
-#if defined(MBEDTLS_LMS_C)
-#include <mbedtls/lms.h>
-#endif
-#if defined(MBEDTLS_SSL_TLS_C) && \
- (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
-#include <mbedtls/ssl.h>
-#endif
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-#include <mbedtls/rsa.h>
-#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-#include <mbedtls/ecp.h>
-#endif
-#if defined(MBEDTLS_PK_C)
-#include <mbedtls/pk.h>
-#endif
-
-/* PSA_SUCCESS is kept at the top of each error table since
- * it's the most common status when everything functions properly. */
-#if defined(MBEDTLS_MD_LIGHT)
-const mbedtls_error_pair_t psa_to_md_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA },
- { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED }
-};
-#endif
-#if defined(MBEDTLS_LMS_C)
-const mbedtls_error_pair_t psa_to_lms_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA }
-};
-#endif
-#if defined(MBEDTLS_SSL_TLS_C) && \
- (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
-const mbedtls_error_pair_t psa_to_ssl_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
- { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
- { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
- { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
- { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
-};
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
- { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
- { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE },
- { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED },
- { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED },
- { PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING }
-};
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[] =
-{
- { PSA_SUCCESS, 0 },
- { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
- { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
- { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE },
- { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL },
- { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED },
- { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED }
-};
-#endif
-
-int psa_generic_status_to_mbedtls(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
- case PSA_ERROR_CORRUPTION_DETECTED:
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- case PSA_ERROR_COMMUNICATION_FAILURE:
- case PSA_ERROR_HARDWARE_FAILURE:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- case PSA_ERROR_NOT_PERMITTED:
- default:
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-}
-
-int psa_status_to_mbedtls(psa_status_t status,
- const mbedtls_error_pair_t *local_translations,
- size_t local_errors_num,
- int (*fallback_f)(psa_status_t))
-{
- for (size_t i = 0; i < local_errors_num; i++) {
- if (status == local_translations[i].psa_status) {
- return local_translations[i].mbedtls_error;
- }
- }
- return fallback_f(status);
-}
-
-#if defined(MBEDTLS_PK_C)
-int psa_pk_status_to_mbedtls(psa_status_t status)
-{
- switch (status) {
- case PSA_ERROR_INVALID_HANDLE:
- return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_PK_INVALID_ALG;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- case PSA_ERROR_BAD_STATE:
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- case PSA_ERROR_DATA_CORRUPT:
- case PSA_ERROR_DATA_INVALID:
- case PSA_ERROR_STORAGE_FAILURE:
- return MBEDTLS_ERR_PK_FILE_IO_ERROR;
- default:
- return psa_generic_status_to_mbedtls(status);
- }
-}
-#endif /* MBEDTLS_PK_C */
-#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_util_internal.h b/library/psa_util_internal.h
deleted file mode 100644
index 4a36dbf..0000000
--- a/library/psa_util_internal.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * \file psa_util_internal.h
- *
- * \brief Internal utility functions for use of PSA Crypto.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_PSA_UTIL_INTERNAL_H
-#define MBEDTLS_PSA_UTIL_INTERNAL_H
-
-/* Include the public header so that users only need one include. */
-#include "mbedtls/psa_util.h"
-
-#include "psa/crypto.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-/*************************************************************************
- * FFDH
- ************************************************************************/
-
-#define MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH \
- PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
-
-/*************************************************************************
- * ECC
- ************************************************************************/
-
-#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-
-#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-
-/*************************************************************************
- * Error translation
- ************************************************************************/
-
-typedef struct {
- /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
- int16_t psa_status;
- /* Error codes used by Mbed TLS are in one of the ranges
- * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
- * code optionally added), fitting in 16 bits. */
- int16_t mbedtls_error;
-} mbedtls_error_pair_t;
-
-#if defined(MBEDTLS_MD_LIGHT)
-extern const mbedtls_error_pair_t psa_to_md_errors[4];
-#endif
-
-#if defined(MBEDTLS_LMS_C)
-extern const mbedtls_error_pair_t psa_to_lms_errors[3];
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
-#endif
-
-/* Generic fallback function for error translation,
- * when the received state was not module-specific. */
-int psa_generic_status_to_mbedtls(psa_status_t status);
-
-/* This function iterates over provided local error translations,
- * and if no match was found - calls the fallback error translation function. */
-int psa_status_to_mbedtls(psa_status_t status,
- const mbedtls_error_pair_t *local_translations,
- size_t local_errors_num,
- int (*fallback_f)(psa_status_t));
-
-/* The second out of three-stage error handling functions of the pk module,
- * acts as a fallback after RSA / ECDSA error translation, and if no match
- * is found, it itself calls psa_generic_status_to_mbedtls. */
-int psa_pk_status_to_mbedtls(psa_status_t status);
-
-/* Utility macro to shorten the defines of error translator in modules. */
-#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
- psa_status_to_mbedtls(status, error_list, \
- sizeof(error_list)/sizeof(error_list[0]), \
- fallback_f)
-
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */
diff --git a/library/ripemd160.c b/library/ripemd160.c
deleted file mode 100644
index 49fee85..0000000
--- a/library/ripemd160.c
+++ /dev/null
@@ -1,502 +0,0 @@
-/*
- * RIPE MD-160 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The RIPEMD-160 algorithm was designed by RIPE in 1996
- * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
- * http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_RIPEMD160_C)
-
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_RIPEMD160_ALT)
-
-void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_ripemd160_context));
-}
-
-void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ripemd160_context));
-}
-
-void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
- const mbedtls_ripemd160_context *src)
-{
- *dst = *src;
-}
-
-/*
- * RIPEMD-160 context setup
- */
-int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx)
-{
- ctx->total[0] = 0;
- ctx->total[1] = 0;
-
- ctx->state[0] = 0x67452301;
- ctx->state[1] = 0xEFCDAB89;
- ctx->state[2] = 0x98BADCFE;
- ctx->state[3] = 0x10325476;
- ctx->state[4] = 0xC3D2E1F0;
-
- return 0;
-}
-
-#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
-/*
- * Process one block
- */
-int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
- const unsigned char data[64])
-{
- struct {
- uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
- } local;
-
- local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
- local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
- local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
- local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
- local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
- local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
- local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
- local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
- local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
- local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
- local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
- local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
- local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
- local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
- local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
- local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
-
- local.A = local.Ap = ctx->state[0];
- local.B = local.Bp = ctx->state[1];
- local.C = local.Cp = ctx->state[2];
- local.D = local.Dp = ctx->state[3];
- local.E = local.Ep = ctx->state[4];
-
-#define F1(x, y, z) ((x) ^ (y) ^ (z))
-#define F2(x, y, z) (((x) & (y)) | (~(x) & (z)))
-#define F3(x, y, z) (((x) | ~(y)) ^ (z))
-#define F4(x, y, z) (((x) & (z)) | ((y) & ~(z)))
-#define F5(x, y, z) ((x) ^ ((y) | ~(z)))
-
-#define S(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
-
-#define P(a, b, c, d, e, r, s, f, k) \
- do \
- { \
- (a) += f((b), (c), (d)) + local.X[r] + (k); \
- (a) = S((a), (s)) + (e); \
- (c) = S((c), 10); \
- } while (0)
-
-#define P2(a, b, c, d, e, r, s, rp, sp) \
- do \
- { \
- P((a), (b), (c), (d), (e), (r), (s), F, K); \
- P(a ## p, b ## p, c ## p, d ## p, e ## p, \
- (rp), (sp), Fp, Kp); \
- } while (0)
-
-#define F F1
-#define K 0x00000000
-#define Fp F5
-#define Kp 0x50A28BE6
- P2(local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8);
- P2(local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9);
- P2(local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9);
- P2(local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11);
- P2(local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13);
- P2(local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15);
- P2(local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15);
- P2(local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5);
- P2(local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7);
- P2(local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7);
- P2(local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8);
- P2(local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11);
- P2(local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14);
- P2(local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14);
- P2(local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12);
- P2(local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6);
-#undef F
-#undef K
-#undef Fp
-#undef Kp
-
-#define F F2
-#define K 0x5A827999
-#define Fp F4
-#define Kp 0x5C4DD124
- P2(local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9);
- P2(local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13);
- P2(local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15);
- P2(local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7);
- P2(local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12);
- P2(local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8);
- P2(local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9);
- P2(local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11);
- P2(local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7);
- P2(local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7);
- P2(local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12);
- P2(local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7);
- P2(local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6);
- P2(local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15);
- P2(local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13);
- P2(local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11);
-#undef F
-#undef K
-#undef Fp
-#undef Kp
-
-#define F F3
-#define K 0x6ED9EBA1
-#define Fp F3
-#define Kp 0x6D703EF3
- P2(local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9);
- P2(local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7);
- P2(local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15);
- P2(local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11);
- P2(local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8);
- P2(local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6);
- P2(local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6);
- P2(local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14);
- P2(local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12);
- P2(local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13);
- P2(local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5);
- P2(local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14);
- P2(local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13);
- P2(local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13);
- P2(local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7);
- P2(local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5);
-#undef F
-#undef K
-#undef Fp
-#undef Kp
-
-#define F F4
-#define K 0x8F1BBCDC
-#define Fp F2
-#define Kp 0x7A6D76E9
- P2(local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15);
- P2(local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5);
- P2(local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8);
- P2(local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11);
- P2(local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14);
- P2(local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14);
- P2(local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6);
- P2(local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14);
- P2(local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6);
- P2(local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9);
- P2(local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12);
- P2(local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9);
- P2(local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12);
- P2(local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5);
- P2(local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15);
- P2(local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8);
-#undef F
-#undef K
-#undef Fp
-#undef Kp
-
-#define F F5
-#define K 0xA953FD4E
-#define Fp F1
-#define Kp 0x00000000
- P2(local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8);
- P2(local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5);
- P2(local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12);
- P2(local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9);
- P2(local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12);
- P2(local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5);
- P2(local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14);
- P2(local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6);
- P2(local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8);
- P2(local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13);
- P2(local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6);
- P2(local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5);
- P2(local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15);
- P2(local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13);
- P2(local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11);
- P2(local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11);
-#undef F
-#undef K
-#undef Fp
-#undef Kp
-
- local.C = ctx->state[1] + local.C + local.Dp;
- ctx->state[1] = ctx->state[2] + local.D + local.Ep;
- ctx->state[2] = ctx->state[3] + local.E + local.Ap;
- ctx->state[3] = ctx->state[4] + local.A + local.Bp;
- ctx->state[4] = ctx->state[0] + local.B + local.Cp;
- ctx->state[0] = local.C;
-
- /* Zeroise variables to clear sensitive data from memory. */
- mbedtls_platform_zeroize(&local, sizeof(local));
-
- return 0;
-}
-
-#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
-
-/*
- * RIPEMD-160 process buffer
- */
-int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t fill;
- uint32_t left;
-
- if (ilen == 0) {
- return 0;
- }
-
- left = ctx->total[0] & 0x3F;
- fill = 64 - left;
-
- ctx->total[0] += (uint32_t) ilen;
- ctx->total[0] &= 0xFFFFFFFF;
-
- if (ctx->total[0] < (uint32_t) ilen) {
- ctx->total[1]++;
- }
-
- if (left && ilen >= fill) {
- memcpy((void *) (ctx->buffer + left), input, fill);
-
- if ((ret = mbedtls_internal_ripemd160_process(ctx, ctx->buffer)) != 0) {
- return ret;
- }
-
- input += fill;
- ilen -= fill;
- left = 0;
- }
-
- while (ilen >= 64) {
- if ((ret = mbedtls_internal_ripemd160_process(ctx, input)) != 0) {
- return ret;
- }
-
- input += 64;
- ilen -= 64;
- }
-
- if (ilen > 0) {
- memcpy((void *) (ctx->buffer + left), input, ilen);
- }
-
- return 0;
-}
-
-static const unsigned char ripemd160_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * RIPEMD-160 final digest
- */
-int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
- unsigned char output[20])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint32_t last, padn;
- uint32_t high, low;
- unsigned char msglen[8];
-
- high = (ctx->total[0] >> 29)
- | (ctx->total[1] << 3);
- low = (ctx->total[0] << 3);
-
- MBEDTLS_PUT_UINT32_LE(low, msglen, 0);
- MBEDTLS_PUT_UINT32_LE(high, msglen, 4);
-
- last = ctx->total[0] & 0x3F;
- padn = (last < 56) ? (56 - last) : (120 - last);
-
- ret = mbedtls_ripemd160_update(ctx, ripemd160_padding, padn);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_ripemd160_update(ctx, msglen, 8);
- if (ret != 0) {
- goto exit;
- }
-
- MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
- MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
- MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
- MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
- MBEDTLS_PUT_UINT32_LE(ctx->state[4], output, 16);
-
- ret = 0;
-
-exit:
- mbedtls_ripemd160_free(ctx);
- return ret;
-}
-
-#endif /* ! MBEDTLS_RIPEMD160_ALT */
-
-/*
- * output = RIPEMD-160( input buffer )
- */
-int mbedtls_ripemd160(const unsigned char *input,
- size_t ilen,
- unsigned char output[20])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ripemd160_context ctx;
-
- mbedtls_ripemd160_init(&ctx);
-
- if ((ret = mbedtls_ripemd160_starts(&ctx)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_ripemd160_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_ripemd160_finish(&ctx, output)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_ripemd160_free(&ctx);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * Test vectors from the RIPEMD-160 paper and
- * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
- */
-#define TESTS 8
-static const unsigned char ripemd160_test_str[TESTS][81] =
-{
- { "" },
- { "a" },
- { "abc" },
- { "message digest" },
- { "abcdefghijklmnopqrstuvwxyz" },
- { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
- { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" },
-};
-
-static const size_t ripemd160_test_strlen[TESTS] =
-{
- 0, 1, 3, 14, 26, 56, 62, 80
-};
-
-static const unsigned char ripemd160_test_md[TESTS][20] =
-{
- { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
- 0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
- { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
- 0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
- { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
- 0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
- { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
- 0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
- { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
- 0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
- { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
- 0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
- { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
- 0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
- { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
- 0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
-};
-
-/*
- * Checkup routine
- */
-int mbedtls_ripemd160_self_test(int verbose)
-{
- int i, ret = 0;
- unsigned char output[20];
-
- memset(output, 0, sizeof(output));
-
- for (i = 0; i < TESTS; i++) {
- if (verbose != 0) {
- mbedtls_printf(" RIPEMD-160 test #%d: ", i + 1);
- }
-
- ret = mbedtls_ripemd160(ripemd160_test_str[i],
- ripemd160_test_strlen[i], output);
- if (ret != 0) {
- goto fail;
- }
-
- if (memcmp(output, ripemd160_test_md[i], 20) != 0) {
- ret = 1;
- goto fail;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-
-fail:
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/library/rsa.c b/library/rsa.c
deleted file mode 100644
index 3c538bf..0000000
--- a/library/rsa.c
+++ /dev/null
@@ -1,2652 +0,0 @@
-/*
- * The RSA public-key cryptosystem
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * The following sources were referenced in the design of this implementation
- * of the RSA algorithm:
- *
- * [1] A method for obtaining digital signatures and public-key cryptosystems
- * R Rivest, A Shamir, and L Adleman
- * http://people.csail.mit.edu/rivest/pubs.html#RSA78
- *
- * [2] Handbook of Applied Cryptography - 1997, Chapter 8
- * Menezes, van Oorschot and Vanstone
- *
- * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
- * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
- * Stefan Mangard
- * https://arxiv.org/abs/1702.08719v2
- *
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_RSA_C)
-
-#include "mbedtls/rsa.h"
-#include "rsa_alt_helpers.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "constant_time_internal.h"
-#include "mbedtls/constant_time.h"
-#include "md_psa.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
-#include <stdlib.h>
-#endif
-
-#include "mbedtls/platform.h"
-
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
-
-/** This function performs the unpadding part of a PKCS#1 v1.5 decryption
- * operation (EME-PKCS1-v1_5 decoding).
- *
- * \note The return value from this function is a sensitive value
- * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
- * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
- * is often a situation that an attacker can provoke and leaking which
- * one is the result is precisely the information the attacker wants.
- *
- * \param input The input buffer which is the payload inside PKCS#1v1.5
- * encryption padding, called the "encoded message EM"
- * by the terminology.
- * \param ilen The length of the payload in the \p input buffer.
- * \param output The buffer for the payload, called "message M" by the
- * PKCS#1 terminology. This must be a writable buffer of
- * length \p output_max_len bytes.
- * \param olen The address at which to store the length of
- * the payload. This must not be \c NULL.
- * \param output_max_len The length in bytes of the output buffer \p output.
- *
- * \return \c 0 on success.
- * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
- * The output buffer is too small for the unpadded payload.
- * \return #MBEDTLS_ERR_RSA_INVALID_PADDING
- * The input doesn't contain properly formatted padding.
- */
-static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
- size_t ilen,
- unsigned char *output,
- size_t output_max_len,
- size_t *olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, plaintext_max_size;
-
- /* The following variables take sensitive values: their value must
- * not leak into the observable behavior of the function other than
- * the designated outputs (output, olen, return value). Otherwise
- * this would open the execution of the function to
- * side-channel-based variants of the Bleichenbacher padding oracle
- * attack. Potential side channels include overall timing, memory
- * access patterns (especially visible to an adversary who has access
- * to a shared memory cache), and branches (especially visible to
- * an adversary who has access to a shared code cache or to a shared
- * branch predictor). */
- size_t pad_count = 0;
- mbedtls_ct_condition_t bad;
- mbedtls_ct_condition_t pad_done;
- size_t plaintext_size = 0;
- mbedtls_ct_condition_t output_too_large;
-
- plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11
- : output_max_len;
-
- /* Check and get padding length in constant time and constant
- * memory trace. The first byte must be 0. */
- bad = mbedtls_ct_bool(input[0]);
-
-
- /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
- * where PS must be at least 8 nonzero bytes. */
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT));
-
- /* Read the whole buffer. Set pad_done to nonzero if we find
- * the 0x00 byte and remember the padding length in pad_count. */
- pad_done = MBEDTLS_CT_FALSE;
- for (i = 2; i < ilen; i++) {
- mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0);
- pad_done = mbedtls_ct_bool_or(pad_done, found);
- pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
- }
-
- /* If pad_done is still zero, there's no data, only unfinished padding. */
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done));
-
- /* There must be at least 8 bytes of padding. */
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count));
-
- /* If the padding is valid, set plaintext_size to the number of
- * remaining bytes after stripping the padding. If the padding
- * is invalid, avoid leaking this fact through the size of the
- * output: use the maximum message size that fits in the output
- * buffer. Do it without branches to avoid leaking the padding
- * validity through timing. RSA keys are small enough that all the
- * size_t values involved fit in unsigned int. */
- plaintext_size = mbedtls_ct_uint_if(
- bad, (unsigned) plaintext_max_size,
- (unsigned) (ilen - pad_count - 3));
-
- /* Set output_too_large to 0 if the plaintext fits in the output
- * buffer and to 1 otherwise. */
- output_too_large = mbedtls_ct_uint_gt(plaintext_size,
- plaintext_max_size);
-
- /* Set ret without branches to avoid timing attacks. Return:
- * - INVALID_PADDING if the padding is bad (bad != 0).
- * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
- * plaintext does not fit in the output buffer.
- * - 0 if the padding is correct. */
- ret = mbedtls_ct_error_if(
- bad,
- MBEDTLS_ERR_RSA_INVALID_PADDING,
- mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
- );
-
- /* If the padding is bad or the plaintext is too large, zero the
- * data that we're about to copy to the output buffer.
- * We need to copy the same amount of data
- * from the same buffer whether the padding is good or not to
- * avoid leaking the padding validity through overall timing or
- * through memory or cache access patterns. */
- mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11);
-
- /* If the plaintext is too large, truncate it to the buffer size.
- * Copy anyway to avoid revealing the length through timing, because
- * revealing the length is as bad as revealing the padding validity
- * for a Bleichenbacher attack. */
- plaintext_size = mbedtls_ct_uint_if(output_too_large,
- (unsigned) plaintext_max_size,
- (unsigned) plaintext_size);
-
- /* Move the plaintext to the leftmost position where it can start in
- * the working buffer, i.e. make it start plaintext_max_size from
- * the end of the buffer. Do this with a memory access trace that
- * does not depend on the plaintext size. After this move, the
- * starting location of the plaintext is no longer sensitive
- * information. */
- mbedtls_ct_memmove_left(input + ilen - plaintext_max_size,
- plaintext_max_size,
- plaintext_max_size - plaintext_size);
-
- /* Finally copy the decrypted plaintext plus trailing zeros into the output
- * buffer. If output_max_len is 0, then output may be an invalid pointer
- * and the result of memcpy() would be undefined; prevent undefined
- * behavior making sure to depend only on output_max_len (the size of the
- * user-provided output buffer), which is independent from plaintext
- * length, validity of padding, success of the decryption, and other
- * secrets. */
- if (output_max_len != 0) {
- memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size);
- }
-
- /* Report the amount of data we copied to the output buffer. In case
- * of errors (bad padding or output too large), the value of *olen
- * when this function returns is not specified. Making it equivalent
- * to the good case limits the risks of leaking the padding validity. */
- *olen = plaintext_size;
-
- return ret;
-}
-
-#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
-
-#if !defined(MBEDTLS_RSA_ALT)
-
-int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
- const mbedtls_mpi *N,
- const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, const mbedtls_mpi *E)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
- (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
- (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
- (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
- (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-
- if (N != NULL) {
- ctx->len = mbedtls_mpi_size(&ctx->N);
- }
-
- return 0;
-}
-
-int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
- unsigned char const *N, size_t N_len,
- unsigned char const *P, size_t P_len,
- unsigned char const *Q, size_t Q_len,
- unsigned char const *D, size_t D_len,
- unsigned char const *E, size_t E_len)
-{
- int ret = 0;
-
- if (N != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
- ctx->len = mbedtls_mpi_size(&ctx->N);
- }
-
- if (P != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
- }
-
- if (Q != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
- }
-
- if (D != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
- }
-
- if (E != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
- }
-
-cleanup:
-
- if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-
- return 0;
-}
-
-/*
- * Checks whether the context fields are set in such a way
- * that the RSA primitives will be able to execute without error.
- * It does *not* make guarantees for consistency of the parameters.
- */
-static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
- int blinding_needed)
-{
-#if !defined(MBEDTLS_RSA_NO_CRT)
- /* blinding_needed is only used for NO_CRT to decide whether
- * P,Q need to be present or not. */
- ((void) blinding_needed);
-#endif
-
- if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
- ctx->len > MBEDTLS_MPI_MAX_SIZE) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * 1. Modular exponentiation needs positive, odd moduli.
- */
-
- /* Modular exponentiation wrt. N is always used for
- * RSA public key operations. */
- if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
- mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- /* Modular exponentiation for P and Q is only
- * used for private key operations and if CRT
- * is used. */
- if (is_priv &&
- (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
- mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
- mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
- mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#endif /* !MBEDTLS_RSA_NO_CRT */
-
- /*
- * 2. Exponents must be positive
- */
-
- /* Always need E for public key operations */
- if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_RSA_NO_CRT)
- /* For private key operations, use D or DP & DQ
- * as (unblinded) exponents. */
- if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#else
- if (is_priv &&
- (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
- mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#endif /* MBEDTLS_RSA_NO_CRT */
-
- /* Blinding shouldn't make exponents negative either,
- * so check that P, Q >= 1 if that hasn't yet been
- * done as part of 1. */
-#if defined(MBEDTLS_RSA_NO_CRT)
- if (is_priv && blinding_needed &&
- (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
- mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#endif
-
- /* It wouldn't lead to an error if it wasn't satisfied,
- * but check for QP >= 1 nonetheless. */
-#if !defined(MBEDTLS_RSA_NO_CRT)
- if (is_priv &&
- mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#endif
-
- return 0;
-}
-
-int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
-{
- int ret = 0;
- int have_N, have_P, have_Q, have_D, have_E;
-#if !defined(MBEDTLS_RSA_NO_CRT)
- int have_DP, have_DQ, have_QP;
-#endif
- int n_missing, pq_missing, d_missing, is_pub, is_priv;
-
- have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
- have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
- have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
- have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
- have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
- have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
- have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
-#endif
-
- /*
- * Check whether provided parameters are enough
- * to deduce all others. The following incomplete
- * parameter sets for private keys are supported:
- *
- * (1) P, Q missing.
- * (2) D and potentially N missing.
- *
- */
-
- n_missing = have_P && have_Q && have_D && have_E;
- pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
- d_missing = have_P && have_Q && !have_D && have_E;
- is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
-
- /* These three alternatives are mutually exclusive */
- is_priv = n_missing || pq_missing || d_missing;
-
- if (!is_priv && !is_pub) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * Step 1: Deduce N if P, Q are provided.
- */
-
- if (!have_N && have_P && have_Q) {
- if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
- &ctx->Q)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-
- ctx->len = mbedtls_mpi_size(&ctx->N);
- }
-
- /*
- * Step 2: Deduce and verify all remaining core parameters.
- */
-
- if (pq_missing) {
- ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
- &ctx->P, &ctx->Q);
- if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-
- } else if (d_missing) {
- if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
- &ctx->Q,
- &ctx->E,
- &ctx->D)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
- }
-
- /*
- * Step 3: Deduce all additional parameters specific
- * to our current RSA implementation.
- */
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- if (is_priv && !(have_DP && have_DQ && have_QP)) {
- ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
- &ctx->DP, &ctx->DQ, &ctx->QP);
- if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
- }
-#endif /* MBEDTLS_RSA_NO_CRT */
-
- /*
- * Step 3: Basic sanity checks
- */
-
- return rsa_check_context(ctx, is_priv, 1);
-}
-
-int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
- unsigned char *N, size_t N_len,
- unsigned char *P, size_t P_len,
- unsigned char *Q, size_t Q_len,
- unsigned char *D, size_t D_len,
- unsigned char *E, size_t E_len)
-{
- int ret = 0;
- int is_priv;
-
- /* Check if key is private or public */
- is_priv =
- mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
-
- if (!is_priv) {
- /* If we're trying to export private parameters for a public key,
- * something must be wrong. */
- if (P != NULL || Q != NULL || D != NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- }
-
- if (N != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
- }
-
- if (P != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
- }
-
- if (Q != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
- }
-
- if (D != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
- }
-
- if (E != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
- }
-
-cleanup:
-
- return ret;
-}
-
-int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
- mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
- mbedtls_mpi *D, mbedtls_mpi *E)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int is_priv;
-
- /* Check if key is private or public */
- is_priv =
- mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
-
- if (!is_priv) {
- /* If we're trying to export private parameters for a public key,
- * something must be wrong. */
- if (P != NULL || Q != NULL || D != NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- }
-
- /* Export all requested core parameters. */
-
- if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
- (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
- (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
- (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
- (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Export CRT parameters
- * This must also be implemented if CRT is not used, for being able to
- * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
- * can be used in this case.
- */
-int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
- mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int is_priv;
-
- /* Check if key is private or public */
- is_priv =
- mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
- mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
-
- if (!is_priv) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- /* Export all requested blinding parameters. */
- if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
- (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
- (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-#else
- if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
- DP, DQ, QP)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
- }
-#endif
-
- return 0;
-}
-
-/*
- * Initialize an RSA context
- */
-void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_rsa_context));
-
- ctx->padding = MBEDTLS_RSA_PKCS_V15;
- ctx->hash_id = MBEDTLS_MD_NONE;
-
-#if defined(MBEDTLS_THREADING_C)
- /* Set ctx->ver to nonzero to indicate that the mutex has been
- * initialized and will need to be freed. */
- ctx->ver = 1;
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-}
-
-/*
- * Set padding for an existing RSA context
- */
-int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
- mbedtls_md_type_t hash_id)
-{
- switch (padding) {
-#if defined(MBEDTLS_PKCS1_V15)
- case MBEDTLS_RSA_PKCS_V15:
- break;
-#endif
-
-#if defined(MBEDTLS_PKCS1_V21)
- case MBEDTLS_RSA_PKCS_V21:
- break;
-#endif
- default:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-
-#if defined(MBEDTLS_PKCS1_V21)
- if ((padding == MBEDTLS_RSA_PKCS_V21) &&
- (hash_id != MBEDTLS_MD_NONE)) {
- /* Just make sure this hash is supported in this build. */
- if (mbedtls_md_info_from_type(hash_id) == NULL) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
- }
-#endif /* MBEDTLS_PKCS1_V21 */
-
- ctx->padding = padding;
- ctx->hash_id = hash_id;
-
- return 0;
-}
-
-/*
- * Get padding mode of initialized RSA context
- */
-int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
-{
- return ctx->padding;
-}
-
-/*
- * Get hash identifier of mbedtls_md_type_t type
- */
-int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
-{
- return ctx->hash_id;
-}
-
-/*
- * Get length in bytes of RSA modulus
- */
-size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
-{
- return ctx->len;
-}
-
-
-#if defined(MBEDTLS_GENPRIME)
-
-/*
- * Generate an RSA keypair
- *
- * This generation method follows the RSA key pair generation procedure of
- * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
- */
-int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- unsigned int nbits, int exponent)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi H, G, L;
- int prime_quality = 0;
-
- /*
- * If the modulus is 1024 bit long or shorter, then the security strength of
- * the RSA algorithm is less than or equal to 80 bits and therefore an error
- * rate of 2^-80 is sufficient.
- */
- if (nbits > 1024) {
- prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
- }
-
- mbedtls_mpi_init(&H);
- mbedtls_mpi_init(&G);
- mbedtls_mpi_init(&L);
-
- if (exponent < 3 || nbits % 2 != 0) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- /*
- * find primes P and Q with Q < P so that:
- * 1. |P-Q| > 2^( nbits / 2 - 100 )
- * 2. GCD( E, (P-1)*(Q-1) ) == 1
- * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
-
- do {
- MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
- prime_quality, f_rng, p_rng));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
- prime_quality, f_rng, p_rng));
-
- /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
- if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
- continue;
- }
-
- /* not required by any standards, but some users rely on the fact that P > Q */
- if (H.s < 0) {
- mbedtls_mpi_swap(&ctx->P, &ctx->Q);
- }
-
- /* Temporarily replace P,Q by P-1, Q-1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
-
- /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
- if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
- continue;
- }
-
- /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
-
- if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
- continue;
- }
-
- break;
- } while (1);
-
- /* Restore P,Q */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
-
- ctx->len = mbedtls_mpi_size(&ctx->N);
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- /*
- * DP = D mod (P - 1)
- * DQ = D mod (Q - 1)
- * QP = Q^-1 mod P
- */
- MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
- &ctx->DP, &ctx->DQ, &ctx->QP));
-#endif /* MBEDTLS_RSA_NO_CRT */
-
- /* Double-check */
- MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
-
-cleanup:
-
- mbedtls_mpi_free(&H);
- mbedtls_mpi_free(&G);
- mbedtls_mpi_free(&L);
-
- if (ret != 0) {
- mbedtls_rsa_free(ctx);
-
- if ((-ret & ~0x7f) == 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
- }
- return ret;
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_GENPRIME */
-
-/*
- * Check a public RSA key
- */
-int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
-{
- if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
- mbedtls_mpi_bitlen(&ctx->E) < 2 ||
- mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- return 0;
-}
-
-/*
- * Check for the consistency of all fields in an RSA private key context
- */
-int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
-{
- if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
- rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
- &ctx->D, &ctx->E, NULL, NULL) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
- &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-#endif
-
- return 0;
-}
-
-/*
- * Check if contexts holding a public and private key match
- */
-int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
- const mbedtls_rsa_context *prv)
-{
- if (mbedtls_rsa_check_pubkey(pub) != 0 ||
- mbedtls_rsa_check_privkey(prv) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
- mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
- return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- return 0;
-}
-
-/*
- * Do an RSA public key operation
- */
-int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen;
- mbedtls_mpi T;
-
- if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&T);
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
-
- if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- olen = ctx->len;
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
-
-cleanup:
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- mbedtls_mpi_free(&T);
-
- if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
- }
-
- return 0;
-}
-
-/*
- * Generate or update blinding values, see section 10 of:
- * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
- * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
- * Berlin Heidelberg, 1996. p. 104-113.
- */
-static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
-{
- int ret, count = 0;
- mbedtls_mpi R;
-
- mbedtls_mpi_init(&R);
-
- if (ctx->Vf.p != NULL) {
- /* We already have blinding values, just update them by squaring */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
-
- goto cleanup;
- }
-
- /* Unblinding value: Vf = random number, invertible mod N */
- do {
- if (count++ > 10) {
- ret = MBEDTLS_ERR_RSA_RNG_FAILED;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
-
- /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
-
- /* At this point, Vi is invertible mod N if and only if both Vf and R
- * are invertible mod N. If one of them isn't, we don't need to know
- * which one, we just loop and choose new values for both of them.
- * (Each iteration succeeds with overwhelming probability.) */
- ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
- if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
- goto cleanup;
- }
-
- } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
-
- /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
-
- /* Blinding value: Vi = Vf^(-e) mod N
- * (Vi already contains Vf^-1 at this point) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
-
-
-cleanup:
- mbedtls_mpi_free(&R);
-
- return ret;
-}
-
-/*
- * Exponent blinding supposed to prevent side-channel attacks using multiple
- * traces of measurements to recover the RSA key. The more collisions are there,
- * the more bits of the key can be recovered. See [3].
- *
- * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
- * observations on average.
- *
- * For example with 28 byte blinding to achieve 2 collisions the adversary has
- * to make 2^112 observations on average.
- *
- * (With the currently (as of 2017 April) known best algorithms breaking 2048
- * bit RSA requires approximately as much time as trying out 2^112 random keys.
- * Thus in this sense with 28 byte blinding the security is not reduced by
- * side-channel attacks like the one in [3])
- *
- * This countermeasure does not help if the key recovery is possible with a
- * single trace.
- */
-#define RSA_EXPONENT_BLINDING 28
-
-/*
- * Do an RSA private key operation
- */
-int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *input,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t olen;
-
- /* Temporary holding the result */
- mbedtls_mpi T;
-
- /* Temporaries holding P-1, Q-1 and the
- * exponent blinding factor, respectively. */
- mbedtls_mpi P1, Q1, R;
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- /* Temporaries holding the results mod p resp. mod q. */
- mbedtls_mpi TP, TQ;
-
- /* Temporaries holding the blinded exponents for
- * the mod p resp. mod q computation (if used). */
- mbedtls_mpi DP_blind, DQ_blind;
-
- /* Pointers to actual exponents to be used - either the unblinded
- * or the blinded ones, depending on the presence of a PRNG. */
- mbedtls_mpi *DP = &ctx->DP;
- mbedtls_mpi *DQ = &ctx->DQ;
-#else
- /* Temporary holding the blinded exponent (if used). */
- mbedtls_mpi D_blind;
-
- /* Pointer to actual exponent to be used - either the unblinded
- * or the blinded one, depending on the presence of a PRNG. */
- mbedtls_mpi *D = &ctx->D;
-#endif /* MBEDTLS_RSA_NO_CRT */
-
- /* Temporaries holding the initial input and the double
- * checked result; should be the same in the end. */
- mbedtls_mpi I, C;
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (rsa_check_context(ctx, 1 /* private key checks */,
- 1 /* blinding on */) != 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return ret;
- }
-#endif
-
- /* MPI Initialization */
- mbedtls_mpi_init(&T);
-
- mbedtls_mpi_init(&P1);
- mbedtls_mpi_init(&Q1);
- mbedtls_mpi_init(&R);
-
-#if defined(MBEDTLS_RSA_NO_CRT)
- mbedtls_mpi_init(&D_blind);
-#else
- mbedtls_mpi_init(&DP_blind);
- mbedtls_mpi_init(&DQ_blind);
-#endif
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
-#endif
-
- mbedtls_mpi_init(&I);
- mbedtls_mpi_init(&C);
-
- /* End of MPI initialization */
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
- if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
- /*
- * Blinding
- * T = T * Vi mod N
- */
- MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
-
- /*
- * Exponent blinding
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
-
-#if defined(MBEDTLS_RSA_NO_CRT)
- /*
- * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
- f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
-
- D = &D_blind;
-#else
- /*
- * DP_blind = ( P - 1 ) * R + DP
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
- f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
- &ctx->DP));
-
- DP = &DP_blind;
-
- /*
- * DQ_blind = ( Q - 1 ) * R + DQ
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
- f_rng, p_rng));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
- &ctx->DQ));
-
- DQ = &DQ_blind;
-#endif /* MBEDTLS_RSA_NO_CRT */
-
-#if defined(MBEDTLS_RSA_NO_CRT)
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
-#else
- /*
- * Faster decryption using the CRT
- *
- * TP = input ^ dP mod P
- * TQ = input ^ dQ mod Q
- */
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
-
- /*
- * T = (TP - TQ) * (Q^-1 mod P) mod P
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
-
- /*
- * T = TQ + T * Q
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
-#endif /* MBEDTLS_RSA_NO_CRT */
-
- /*
- * Unblind
- * T = T * Vf mod N
- */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
-
- /* Verify the result to prevent glitching attacks. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
- &ctx->N, &ctx->RN));
- if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
- ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
- goto cleanup;
- }
-
- olen = ctx->len;
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
-
-cleanup:
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-#endif
-
- mbedtls_mpi_free(&P1);
- mbedtls_mpi_free(&Q1);
- mbedtls_mpi_free(&R);
-
-#if defined(MBEDTLS_RSA_NO_CRT)
- mbedtls_mpi_free(&D_blind);
-#else
- mbedtls_mpi_free(&DP_blind);
- mbedtls_mpi_free(&DQ_blind);
-#endif
-
- mbedtls_mpi_free(&T);
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
-#endif
-
- mbedtls_mpi_free(&C);
- mbedtls_mpi_free(&I);
-
- if (ret != 0 && ret >= -0x007f) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
- }
-
- return ret;
-}
-
-#if defined(MBEDTLS_PKCS1_V21)
-/**
- * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
- *
- * \param dst buffer to mask
- * \param dlen length of destination buffer
- * \param src source of the mask generation
- * \param slen length of the source buffer
- * \param md_alg message digest to use
- */
-static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
- size_t slen, mbedtls_md_type_t md_alg)
-{
- unsigned char counter[4];
- unsigned char *p;
- unsigned int hlen;
- size_t i, use_len;
- unsigned char mask[MBEDTLS_MD_MAX_SIZE];
- int ret = 0;
- const mbedtls_md_info_t *md_info;
- mbedtls_md_context_t md_ctx;
-
- mbedtls_md_init(&md_ctx);
- md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- mbedtls_md_init(&md_ctx);
- if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
- goto exit;
- }
-
- hlen = mbedtls_md_get_size(md_info);
-
- memset(mask, 0, sizeof(mask));
- memset(counter, 0, 4);
-
- /* Generate and apply dbMask */
- p = dst;
-
- while (dlen > 0) {
- use_len = hlen;
- if (dlen < hlen) {
- use_len = dlen;
- }
-
- if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
- goto exit;
- }
-
- for (i = 0; i < use_len; ++i) {
- *p++ ^= mask[i];
- }
-
- counter[3]++;
-
- dlen -= use_len;
- }
-
-exit:
- mbedtls_platform_zeroize(mask, sizeof(mask));
- mbedtls_md_free(&md_ctx);
-
- return ret;
-}
-
-/**
- * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
- *
- * \param hash the input hash
- * \param hlen length of the input hash
- * \param salt the input salt
- * \param slen length of the input salt
- * \param out the output buffer - must be large enough for \p md_alg
- * \param md_alg message digest to use
- */
-static int hash_mprime(const unsigned char *hash, size_t hlen,
- const unsigned char *salt, size_t slen,
- unsigned char *out, mbedtls_md_type_t md_alg)
-{
- const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
- mbedtls_md_context_t md_ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- mbedtls_md_init(&md_ctx);
- if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
- goto exit;
- }
- if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_md_free(&md_ctx);
-
- return ret;
-}
-
-/**
- * Compute a hash.
- *
- * \param md_alg algorithm to use
- * \param input input message to hash
- * \param ilen input length
- * \param output the output buffer - must be large enough for \p md_alg
- */
-static int compute_hash(mbedtls_md_type_t md_alg,
- const unsigned char *input, size_t ilen,
- unsigned char *output)
-{
- const mbedtls_md_info_t *md_info;
-
- md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- return mbedtls_md(md_info, input, ilen, output);
-}
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
- */
-int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *label, size_t label_len,
- size_t ilen,
- const unsigned char *input,
- unsigned char *output)
-{
- size_t olen;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = output;
- unsigned int hlen;
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
- if (hlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- olen = ctx->len;
-
- /* first comparison checks for overflow */
- if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- memset(output, 0, olen);
-
- *p++ = 0;
-
- /* Generate a random octet string seed */
- if ((ret = f_rng(p_rng, p, hlen)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
- }
-
- p += hlen;
-
- /* Construct DB */
- ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
- if (ret != 0) {
- return ret;
- }
- p += hlen;
- p += olen - 2 * hlen - 2 - ilen;
- *p++ = 1;
- if (ilen != 0) {
- memcpy(p, input, ilen);
- }
-
- /* maskedDB: Apply dbMask to DB */
- if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
- (mbedtls_md_type_t) ctx->hash_id)) != 0) {
- return ret;
- }
-
- /* maskedSeed: Apply seedMask to seed */
- if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
- (mbedtls_md_type_t) ctx->hash_id)) != 0) {
- return ret;
- }
-
- return mbedtls_rsa_public(ctx, output, output);
-}
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V15)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
- */
-int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng, size_t ilen,
- const unsigned char *input,
- unsigned char *output)
-{
- size_t nb_pad, olen;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = output;
-
- olen = ctx->len;
-
- /* first comparison checks for overflow */
- if (ilen + 11 < ilen || olen < ilen + 11) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- nb_pad = olen - 3 - ilen;
-
- *p++ = 0;
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- *p++ = MBEDTLS_RSA_CRYPT;
-
- while (nb_pad-- > 0) {
- int rng_dl = 100;
-
- do {
- ret = f_rng(p_rng, p, 1);
- } while (*p == 0 && --rng_dl && ret == 0);
-
- /* Check if RNG failed to generate data */
- if (rng_dl == 0 || ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
- }
-
- p++;
- }
-
- *p++ = 0;
- if (ilen != 0) {
- memcpy(p, input, ilen);
- }
-
- return mbedtls_rsa_public(ctx, output, output);
-}
-#endif /* MBEDTLS_PKCS1_V15 */
-
-/*
- * Add the message padding, then do an RSA operation
- */
-int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t ilen,
- const unsigned char *input,
- unsigned char *output)
-{
- switch (ctx->padding) {
-#if defined(MBEDTLS_PKCS1_V15)
- case MBEDTLS_RSA_PKCS_V15:
- return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
- ilen, input, output);
-#endif
-
-#if defined(MBEDTLS_PKCS1_V21)
- case MBEDTLS_RSA_PKCS_V21:
- return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
- ilen, input, output);
-#endif
-
- default:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-}
-
-#if defined(MBEDTLS_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
- */
-int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- const unsigned char *label, size_t label_len,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t ilen, i, pad_len;
- unsigned char *p;
- mbedtls_ct_condition_t bad, in_padding;
- unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
- unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
- unsigned int hlen;
-
- /*
- * Parameters sanity checks
- */
- if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- ilen = ctx->len;
-
- if (ilen < 16 || ilen > sizeof(buf)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
- if (hlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- // checking for integer underflow
- if (2 * hlen + 2 > ilen) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * RSA operation
- */
- ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
-
- if (ret != 0) {
- goto cleanup;
- }
-
- /*
- * Unmask data and generate lHash
- */
- /* seed: Apply seedMask to maskedSeed */
- if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
- (mbedtls_md_type_t) ctx->hash_id)) != 0 ||
- /* DB: Apply dbMask to maskedDB */
- (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
- (mbedtls_md_type_t) ctx->hash_id)) != 0) {
- goto cleanup;
- }
-
- /* Generate lHash */
- ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
- label, label_len, lhash);
- if (ret != 0) {
- goto cleanup;
- }
-
- /*
- * Check contents, in "constant-time"
- */
- p = buf;
-
- bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
-
- p += hlen; /* Skip seed */
-
- /* Check lHash */
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
- p += hlen;
-
- /* Get zero-padding len, but always read till end of buffer
- * (minus one, for the 01 byte) */
- pad_len = 0;
- in_padding = MBEDTLS_CT_TRUE;
- for (i = 0; i < ilen - 2 * hlen - 2; i++) {
- in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
- pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
- }
-
- p += pad_len;
- bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
-
- /*
- * The only information "leaked" is whether the padding was correct or not
- * (eg, no data is copied if it was not correct). This meets the
- * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
- * the different error conditions.
- */
- if (bad != MBEDTLS_CT_FALSE) {
- ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
- goto cleanup;
- }
-
- if (ilen - (p - buf) > output_max_len) {
- ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
- goto cleanup;
- }
-
- *olen = ilen - (p - buf);
- if (*olen != 0) {
- memcpy(output, p, *olen);
- }
- ret = 0;
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
- mbedtls_platform_zeroize(lhash, sizeof(lhash));
-
- return ret;
-}
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V15)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
- */
-int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t ilen;
- unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
-
- ilen = ctx->len;
-
- if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (ilen < 16 || ilen > sizeof(buf)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
-
- if (ret != 0) {
- goto cleanup;
- }
-
- ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
- output, output_max_len, olen);
-
-cleanup:
- mbedtls_platform_zeroize(buf, sizeof(buf));
-
- return ret;
-}
-#endif /* MBEDTLS_PKCS1_V15 */
-
-/*
- * Do an RSA operation, then remove the message padding
- */
-int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len)
-{
- switch (ctx->padding) {
-#if defined(MBEDTLS_PKCS1_V15)
- case MBEDTLS_RSA_PKCS_V15:
- return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
- input, output, output_max_len);
-#endif
-
-#if defined(MBEDTLS_PKCS1_V21)
- case MBEDTLS_RSA_PKCS_V21:
- return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
- olen, input, output,
- output_max_len);
-#endif
-
- default:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-}
-
-#if defined(MBEDTLS_PKCS1_V21)
-static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- int saltlen,
- unsigned char *sig)
-{
- size_t olen;
- unsigned char *p = sig;
- unsigned char *salt = NULL;
- size_t slen, min_slen, hlen, offset = 0;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t msb;
-
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (f_rng == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- olen = ctx->len;
-
- if (md_alg != MBEDTLS_MD_NONE) {
- /* Gather length of hash to sign */
- size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
- if (exp_hashlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (hashlen != exp_hashlen) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
- }
-
- hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
- if (hlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
- /* Calculate the largest possible salt length, up to the hash size.
- * Normally this is the hash length, which is the maximum salt length
- * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
- * enough room, use the maximum salt length that fits. The constraint is
- * that the hash length plus the salt length plus 2 bytes must be at most
- * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
- * (PKCS#1 v2.2) §9.1.1 step 3. */
- min_slen = hlen - 2;
- if (olen < hlen + min_slen + 2) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- } else if (olen >= hlen + hlen + 2) {
- slen = hlen;
- } else {
- slen = olen - hlen - 2;
- }
- } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- } else {
- slen = (size_t) saltlen;
- }
-
- memset(sig, 0, olen);
-
- /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
- msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
- p += olen - hlen - slen - 2;
- *p++ = 0x01;
-
- /* Generate salt of length slen in place in the encoded message */
- salt = p;
- if ((ret = f_rng(p_rng, salt, slen)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
- }
-
- p += slen;
-
- /* Generate H = Hash( M' ) */
- ret = hash_mprime(hash, hashlen, salt, slen, p, (mbedtls_md_type_t) ctx->hash_id);
- if (ret != 0) {
- return ret;
- }
-
- /* Compensate for boundary condition when applying mask */
- if (msb % 8 == 0) {
- offset = 1;
- }
-
- /* maskedDB: Apply dbMask to DB */
- ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
- (mbedtls_md_type_t) ctx->hash_id);
- if (ret != 0) {
- return ret;
- }
-
- msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
- sig[0] &= 0xFF >> (olen * 8 - msb);
-
- p += hlen;
- *p++ = 0xBC;
-
- return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
-}
-
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
- * the option to pass in the salt length.
- */
-int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- int saltlen,
- unsigned char *sig)
-{
- return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
- hashlen, hash, saltlen, sig);
-}
-
-
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
- */
-int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig)
-{
- return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
- hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
-}
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V15)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
- */
-
-/* Construct a PKCS v1.5 encoding of a hashed message
- *
- * This is used both for signature generation and verification.
- *
- * Parameters:
- * - md_alg: Identifies the hash algorithm used to generate the given hash;
- * MBEDTLS_MD_NONE if raw data is signed.
- * - hashlen: Length of hash. Must match md_alg if that's not NONE.
- * - hash: Buffer containing the hashed message or the raw data.
- * - dst_len: Length of the encoded message.
- * - dst: Buffer to hold the encoded message.
- *
- * Assumptions:
- * - hash has size hashlen.
- * - dst points to a buffer of size at least dst_len.
- *
- */
-static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- size_t dst_len,
- unsigned char *dst)
-{
- size_t oid_size = 0;
- size_t nb_pad = dst_len;
- unsigned char *p = dst;
- const char *oid = NULL;
-
- /* Are we signing hashed or raw data? */
- if (md_alg != MBEDTLS_MD_NONE) {
- unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
- if (md_size == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (hashlen != md_size) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /* Double-check that 8 + hashlen + oid_size can be used as a
- * 1-byte ASN.1 length encoding and that there's no overflow. */
- if (8 + hashlen + oid_size >= 0x80 ||
- 10 + hashlen < hashlen ||
- 10 + hashlen + oid_size < 10 + hashlen) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * Static bounds check:
- * - Need 10 bytes for five tag-length pairs.
- * (Insist on 1-byte length encodings to protect against variants of
- * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
- * - Need hashlen bytes for hash
- * - Need oid_size bytes for hash alg OID.
- */
- if (nb_pad < 10 + hashlen + oid_size) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
- nb_pad -= 10 + hashlen + oid_size;
- } else {
- if (nb_pad < hashlen) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- nb_pad -= hashlen;
- }
-
- /* Need space for signature header and padding delimiter (3 bytes),
- * and 8 bytes for the minimal padding */
- if (nb_pad < 3 + 8) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
- nb_pad -= 3;
-
- /* Now nb_pad is the amount of memory to be filled
- * with padding, and at least 8 bytes long. */
-
- /* Write signature header and padding */
- *p++ = 0;
- *p++ = MBEDTLS_RSA_SIGN;
- memset(p, 0xFF, nb_pad);
- p += nb_pad;
- *p++ = 0;
-
- /* Are we signing raw data? */
- if (md_alg == MBEDTLS_MD_NONE) {
- memcpy(p, hash, hashlen);
- return 0;
- }
-
- /* Signing hashed data, add corresponding ASN.1 structure
- *
- * DigestInfo ::= SEQUENCE {
- * digestAlgorithm DigestAlgorithmIdentifier,
- * digest Digest }
- * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
- * Digest ::= OCTET STRING
- *
- * Schematic:
- * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
- * TAG-NULL + LEN [ NULL ] ]
- * TAG-OCTET + LEN [ HASH ] ]
- */
- *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) (0x08 + oid_size + hashlen);
- *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
- *p++ = (unsigned char) (0x04 + oid_size);
- *p++ = MBEDTLS_ASN1_OID;
- *p++ = (unsigned char) oid_size;
- memcpy(p, oid, oid_size);
- p += oid_size;
- *p++ = MBEDTLS_ASN1_NULL;
- *p++ = 0x00;
- *p++ = MBEDTLS_ASN1_OCTET_STRING;
- *p++ = (unsigned char) hashlen;
- memcpy(p, hash, hashlen);
- p += hashlen;
-
- /* Just a sanity-check, should be automatic
- * after the initial bounds check. */
- if (p != dst + dst_len) {
- mbedtls_platform_zeroize(dst, dst_len);
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-/*
- * Do an RSA operation to sign the message digest
- */
-int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *sig_try = NULL, *verif = NULL;
-
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
- */
-
- if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
- ctx->len, sig)) != 0) {
- return ret;
- }
-
- /* Private key operation
- *
- * In order to prevent Lenstra's attack, make the signature in a
- * temporary buffer and check it before returning it.
- */
-
- sig_try = mbedtls_calloc(1, ctx->len);
- if (sig_try == NULL) {
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- verif = mbedtls_calloc(1, ctx->len);
- if (verif == NULL) {
- mbedtls_free(sig_try);
- return MBEDTLS_ERR_MPI_ALLOC_FAILED;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
- MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
-
- if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
- ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
- goto cleanup;
- }
-
- memcpy(sig, sig_try, ctx->len);
-
-cleanup:
- mbedtls_zeroize_and_free(sig_try, ctx->len);
- mbedtls_zeroize_and_free(verif, ctx->len);
-
- if (ret != 0) {
- memset(sig, '!', ctx->len);
- }
- return ret;
-}
-#endif /* MBEDTLS_PKCS1_V15 */
-
-/*
- * Do an RSA operation to sign the message digest
- */
-int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig)
-{
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- switch (ctx->padding) {
-#if defined(MBEDTLS_PKCS1_V15)
- case MBEDTLS_RSA_PKCS_V15:
- return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
- md_alg, hashlen, hash, sig);
-#endif
-
-#if defined(MBEDTLS_PKCS1_V21)
- case MBEDTLS_RSA_PKCS_V21:
- return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
- hashlen, hash, sig);
-#endif
-
- default:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-}
-
-#if defined(MBEDTLS_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
- */
-int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- mbedtls_md_type_t mgf1_hash_id,
- int expected_salt_len,
- const unsigned char *sig)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t siglen;
- unsigned char *p;
- unsigned char *hash_start;
- unsigned char result[MBEDTLS_MD_MAX_SIZE];
- unsigned int hlen;
- size_t observed_salt_len, msb;
- unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
-
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- siglen = ctx->len;
-
- if (siglen < 16 || siglen > sizeof(buf)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- ret = mbedtls_rsa_public(ctx, sig, buf);
-
- if (ret != 0) {
- return ret;
- }
-
- p = buf;
-
- if (buf[siglen - 1] != 0xBC) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-
- if (md_alg != MBEDTLS_MD_NONE) {
- /* Gather length of hash to sign */
- size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
- if (exp_hashlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- if (hashlen != exp_hashlen) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
- }
-
- hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
- if (hlen == 0) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /*
- * Note: EMSA-PSS verification is over the length of N - 1 bits
- */
- msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
-
- if (buf[0] >> (8 - siglen * 8 + msb)) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- /* Compensate for boundary condition when applying mask */
- if (msb % 8 == 0) {
- p++;
- siglen -= 1;
- }
-
- if (siglen < hlen + 2) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
- hash_start = p + siglen - hlen - 1;
-
- ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
- if (ret != 0) {
- return ret;
- }
-
- buf[0] &= 0xFF >> (siglen * 8 - msb);
-
- while (p < hash_start - 1 && *p == 0) {
- p++;
- }
-
- if (*p++ != 0x01) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-
- observed_salt_len = hash_start - p;
-
- if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
- observed_salt_len != (size_t) expected_salt_len) {
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-
- /*
- * Generate H = Hash( M' )
- */
- ret = hash_mprime(hash, hashlen, p, observed_salt_len,
- result, mgf1_hash_id);
- if (ret != 0) {
- return ret;
- }
-
- if (memcmp(hash_start, result, hlen) != 0) {
- return MBEDTLS_ERR_RSA_VERIFY_FAILED;
- }
-
- return 0;
-}
-
-/*
- * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
- */
-int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig)
-{
- mbedtls_md_type_t mgf1_hash_id;
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
- ? (mbedtls_md_type_t) ctx->hash_id
- : md_alg;
-
- return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
- md_alg, hashlen, hash,
- mgf1_hash_id,
- MBEDTLS_RSA_SALT_LEN_ANY,
- sig);
-
-}
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V15)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
- */
-int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig)
-{
- int ret = 0;
- size_t sig_len;
- unsigned char *encoded = NULL, *encoded_expected = NULL;
-
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- sig_len = ctx->len;
-
- /*
- * Prepare expected PKCS1 v1.5 encoding of hash.
- */
-
- if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
- (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
- ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
- goto cleanup;
- }
-
- if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
- encoded_expected)) != 0) {
- goto cleanup;
- }
-
- /*
- * Apply RSA primitive to get what should be PKCS1 encoded hash.
- */
-
- ret = mbedtls_rsa_public(ctx, sig, encoded);
- if (ret != 0) {
- goto cleanup;
- }
-
- /*
- * Compare
- */
-
- if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
- sig_len)) != 0) {
- ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
- goto cleanup;
- }
-
-cleanup:
-
- if (encoded != NULL) {
- mbedtls_zeroize_and_free(encoded, sig_len);
- }
-
- if (encoded_expected != NULL) {
- mbedtls_zeroize_and_free(encoded_expected, sig_len);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_PKCS1_V15 */
-
-/*
- * Do an RSA operation and check the message digest
- */
-int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- const unsigned char *sig)
-{
- if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-
- switch (ctx->padding) {
-#if defined(MBEDTLS_PKCS1_V15)
- case MBEDTLS_RSA_PKCS_V15:
- return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
- hashlen, hash, sig);
-#endif
-
-#if defined(MBEDTLS_PKCS1_V21)
- case MBEDTLS_RSA_PKCS_V21:
- return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
- hashlen, hash, sig);
-#endif
-
- default:
- return MBEDTLS_ERR_RSA_INVALID_PADDING;
- }
-}
-
-/*
- * Copy the components of an RSA key
- */
-int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- dst->len = src->len;
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
-#endif
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
- MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
-
- dst->padding = src->padding;
- dst->hash_id = src->hash_id;
-
-cleanup:
- if (ret != 0) {
- mbedtls_rsa_free(dst);
- }
-
- return ret;
-}
-
-/*
- * Free the components of an RSA key
- */
-void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_mpi_free(&ctx->Vi);
- mbedtls_mpi_free(&ctx->Vf);
- mbedtls_mpi_free(&ctx->RN);
- mbedtls_mpi_free(&ctx->D);
- mbedtls_mpi_free(&ctx->Q);
- mbedtls_mpi_free(&ctx->P);
- mbedtls_mpi_free(&ctx->E);
- mbedtls_mpi_free(&ctx->N);
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
- mbedtls_mpi_free(&ctx->RQ);
- mbedtls_mpi_free(&ctx->RP);
- mbedtls_mpi_free(&ctx->QP);
- mbedtls_mpi_free(&ctx->DQ);
- mbedtls_mpi_free(&ctx->DP);
-#endif /* MBEDTLS_RSA_NO_CRT */
-
-#if defined(MBEDTLS_THREADING_C)
- /* Free the mutex, but only if it hasn't been freed already. */
- if (ctx->ver != 0) {
- mbedtls_mutex_free(&ctx->mutex);
- ctx->ver = 0;
- }
-#endif
-}
-
-#endif /* !MBEDTLS_RSA_ALT */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#include "mbedtls/md.h"
-
-/*
- * Example RSA-1024 keypair, for test purposes
- */
-#define KEY_LEN 128
-
-#define RSA_N "9292758453063D803DD603D5E777D788" \
- "8ED1D5BF35786190FA2F23EBC0848AEA" \
- "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
- "7130B9CED7ACDF54CFC7555AC14EEBAB" \
- "93A89813FBF3C4F8066D2D800F7C38A8" \
- "1AE31942917403FF4946B0A83D3D3E05" \
- "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
- "5E94BB77B07507233A0BC7BAC8F90F79"
-
-#define RSA_E "10001"
-
-#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
- "66CA472BC44D253102F8B4A9D3BFA750" \
- "91386C0077937FE33FA3252D28855837" \
- "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
- "DF79C5CE07EE72C7F123142198164234" \
- "CABB724CF78B8173B9F880FC86322407" \
- "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
- "071513A1E85B5DFA031F21ECAE91A34D"
-
-#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
- "2C01CAD19EA484A87EA4377637E75500" \
- "FCB2005C5C7DD6EC4AC023CDA285D796" \
- "C3D9E75E1EFC42488BB4F1D13AC30A57"
-
-#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
- "E211C2B9E5DB1ED0BF61D0D9899620F4" \
- "910E4168387E3C30AA1E00C339A79508" \
- "8452DD96A9A5EA5D9DCA68DA636032AF"
-
-#define PT_LEN 24
-#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
- "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
-
-#if defined(MBEDTLS_PKCS1_V15)
-static int myrand(void *rng_state, unsigned char *output, size_t len)
-{
-#if !defined(__OpenBSD__) && !defined(__NetBSD__)
- size_t i;
-
- if (rng_state != NULL) {
- rng_state = NULL;
- }
-
- for (i = 0; i < len; ++i) {
- output[i] = rand();
- }
-#else
- if (rng_state != NULL) {
- rng_state = NULL;
- }
-
- arc4random_buf(output, len);
-#endif /* !OpenBSD && !NetBSD */
-
- return 0;
-}
-#endif /* MBEDTLS_PKCS1_V15 */
-
-/*
- * Checkup routine
- */
-int mbedtls_rsa_self_test(int verbose)
-{
- int ret = 0;
-#if defined(MBEDTLS_PKCS1_V15)
- size_t len;
- mbedtls_rsa_context rsa;
- unsigned char rsa_plaintext[PT_LEN];
- unsigned char rsa_decrypted[PT_LEN];
- unsigned char rsa_ciphertext[KEY_LEN];
-#if defined(MBEDTLS_MD_CAN_SHA1)
- unsigned char sha1sum[20];
-#endif
-
- mbedtls_mpi K;
-
- mbedtls_mpi_init(&K);
- mbedtls_rsa_init(&rsa);
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
- MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
- MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
- MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
- MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
- MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
-
- MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
-
- if (verbose != 0) {
- mbedtls_printf(" RSA key validation: ");
- }
-
- if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
- mbedtls_rsa_check_privkey(&rsa) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n PKCS#1 encryption : ");
- }
-
- memcpy(rsa_plaintext, RSA_PT, PT_LEN);
-
- if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
- PT_LEN, rsa_plaintext,
- rsa_ciphertext) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n PKCS#1 decryption : ");
- }
-
- if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
- &len, rsa_ciphertext, rsa_decrypted,
- sizeof(rsa_decrypted)) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- if (verbose != 0) {
- mbedtls_printf(" PKCS#1 data sign : ");
- }
-
- if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
- rsa_plaintext, PT_LEN, sha1sum) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- return 1;
- }
-
- if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
- MBEDTLS_MD_SHA1, 20,
- sha1sum, rsa_ciphertext) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n PKCS#1 sig. verify: ");
- }
-
- if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
- sha1sum, rsa_ciphertext) != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
- ret = 1;
- goto cleanup;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
-cleanup:
- mbedtls_mpi_free(&K);
- mbedtls_rsa_free(&rsa);
-#else /* MBEDTLS_PKCS1_V15 */
- ((void) verbose);
-#endif /* MBEDTLS_PKCS1_V15 */
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_RSA_C */
diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c
deleted file mode 100644
index 5cc4636..0000000
--- a/library/rsa_alt_helpers.c
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Helper functions for the RSA module
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_RSA_C)
-
-#include "mbedtls/rsa.h"
-#include "mbedtls/bignum.h"
-#include "rsa_alt_helpers.h"
-
-/*
- * Compute RSA prime factors from public and private exponents
- *
- * Summary of algorithm:
- * Setting F := lcm(P-1,Q-1), the idea is as follows:
- *
- * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
- * is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
- * square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
- * possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
- * or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
- * factors of N.
- *
- * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
- * construction still applies since (-)^K is the identity on the set of
- * roots of 1 in Z/NZ.
- *
- * The public and private key primitives (-)^E and (-)^D are mutually inverse
- * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
- * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
- * Splitting L = 2^t * K with K odd, we have
- *
- * DE - 1 = FL = (F/2) * (2^(t+1)) * K,
- *
- * so (F / 2) * K is among the numbers
- *
- * (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
- *
- * where ord is the order of 2 in (DE - 1).
- * We can therefore iterate through these numbers apply the construction
- * of (a) and (b) above to attempt to factor N.
- *
- */
-int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
- mbedtls_mpi const *E, mbedtls_mpi const *D,
- mbedtls_mpi *P, mbedtls_mpi *Q)
-{
- int ret = 0;
-
- uint16_t attempt; /* Number of current attempt */
- uint16_t iter; /* Number of squares computed in the current attempt */
-
- uint16_t order; /* Order of 2 in DE - 1 */
-
- mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
- mbedtls_mpi K; /* Temporary holding the current candidate */
-
- const unsigned char primes[] = { 2,
- 3, 5, 7, 11, 13, 17, 19, 23,
- 29, 31, 37, 41, 43, 47, 53, 59,
- 61, 67, 71, 73, 79, 83, 89, 97,
- 101, 103, 107, 109, 113, 127, 131, 137,
- 139, 149, 151, 157, 163, 167, 173, 179,
- 181, 191, 193, 197, 199, 211, 223, 227,
- 229, 233, 239, 241, 251 };
-
- const size_t num_primes = sizeof(primes) / sizeof(*primes);
-
- if (P == NULL || Q == NULL || P->p != NULL || Q->p != NULL) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (mbedtls_mpi_cmp_int(N, 0) <= 0 ||
- mbedtls_mpi_cmp_int(D, 1) <= 0 ||
- mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
- mbedtls_mpi_cmp_int(E, 1) <= 0 ||
- mbedtls_mpi_cmp_mpi(E, N) >= 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- /*
- * Initializations and temporary changes
- */
-
- mbedtls_mpi_init(&K);
- mbedtls_mpi_init(&T);
-
- /* T := DE - 1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, D, E));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&T, &T, 1));
-
- if ((order = (uint16_t) mbedtls_mpi_lsb(&T)) == 0) {
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- /* After this operation, T holds the largest odd divisor of DE - 1. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&T, order));
-
- /*
- * Actual work
- */
-
- /* Skip trying 2 if N == 1 mod 8 */
- attempt = 0;
- if (N->p[0] % 8 == 1) {
- attempt = 1;
- }
-
- for (; attempt < num_primes; ++attempt) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
-
- /* Check if gcd(K,N) = 1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
- if (mbedtls_mpi_cmp_int(P, 1) != 0) {
- continue;
- }
-
- /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
- * and check whether they have nontrivial GCD with N. */
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &K, &T, N,
- Q /* temporarily use Q for storing Montgomery
- * multiplication helper values */));
-
- for (iter = 1; iter <= order; ++iter) {
- /* If we reach 1 prematurely, there's no point
- * in continuing to square K */
- if (mbedtls_mpi_cmp_int(&K, 1) == 0) {
- break;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&K, &K, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
-
- if (mbedtls_mpi_cmp_int(P, 1) == 1 &&
- mbedtls_mpi_cmp_mpi(P, N) == -1) {
- /*
- * Have found a nontrivial divisor P of N.
- * Set Q := N / P.
- */
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(Q, NULL, N, P));
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &K));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, N));
- }
-
- /*
- * If we get here, then either we prematurely aborted the loop because
- * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
- * be 1 if D,E,N were consistent.
- * Check if that's the case and abort if not, to avoid very long,
- * yet eventually failing, computations if N,D,E were not sane.
- */
- if (mbedtls_mpi_cmp_int(&K, 1) != 0) {
- break;
- }
- }
-
- ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
-
-cleanup:
-
- mbedtls_mpi_free(&K);
- mbedtls_mpi_free(&T);
- return ret;
-}
-
-/*
- * Given P, Q and the public exponent E, deduce D.
- * This is essentially a modular inversion.
- */
-int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
- mbedtls_mpi const *Q,
- mbedtls_mpi const *E,
- mbedtls_mpi *D)
-{
- int ret = 0;
- mbedtls_mpi K, L;
-
- if (D == NULL || mbedtls_mpi_cmp_int(D, 0) != 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
- mbedtls_mpi_cmp_int(Q, 1) <= 0 ||
- mbedtls_mpi_cmp_int(E, 0) == 0) {
- return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
- }
-
- mbedtls_mpi_init(&K);
- mbedtls_mpi_init(&L);
-
- /* Temporarily put K := P-1 and L := Q-1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
-
- /* Temporarily put D := gcd(P-1, Q-1) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(D, &K, &L));
-
- /* K := LCM(P-1, Q-1) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
- MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
-
- /* Compute modular inverse of E in LCM(P-1, Q-1) */
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
-
-cleanup:
-
- mbedtls_mpi_free(&K);
- mbedtls_mpi_free(&L);
-
- return ret;
-}
-
-int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, mbedtls_mpi *DP,
- mbedtls_mpi *DQ, mbedtls_mpi *QP)
-{
- int ret = 0;
- mbedtls_mpi K;
- mbedtls_mpi_init(&K);
-
- /* DP = D mod P-1 */
- if (DP != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DP, D, &K));
- }
-
- /* DQ = D mod Q-1 */
- if (DQ != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DQ, D, &K));
- }
-
- /* QP = Q^{-1} mod P */
- if (QP != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(QP, Q, P));
- }
-
-cleanup:
- mbedtls_mpi_free(&K);
-
- return ret;
-}
-
-/*
- * Check that core RSA parameters are sane.
- */
-int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
- const mbedtls_mpi *Q, const mbedtls_mpi *D,
- const mbedtls_mpi *E,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- int ret = 0;
- mbedtls_mpi K, L;
-
- mbedtls_mpi_init(&K);
- mbedtls_mpi_init(&L);
-
- /*
- * Step 1: If PRNG provided, check that P and Q are prime
- */
-
-#if defined(MBEDTLS_GENPRIME)
- /*
- * When generating keys, the strongest security we support aims for an error
- * rate of at most 2^-100 and we are aiming for the same certainty here as
- * well.
- */
- if (f_rng != NULL && P != NULL &&
- (ret = mbedtls_mpi_is_prime_ext(P, 50, f_rng, p_rng)) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
-
- if (f_rng != NULL && Q != NULL &&
- (ret = mbedtls_mpi_is_prime_ext(Q, 50, f_rng, p_rng)) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
-#else
- ((void) f_rng);
- ((void) p_rng);
-#endif /* MBEDTLS_GENPRIME */
-
- /*
- * Step 2: Check that 1 < N = P * Q
- */
-
- if (P != NULL && Q != NULL && N != NULL) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, P, Q));
- if (mbedtls_mpi_cmp_int(N, 1) <= 0 ||
- mbedtls_mpi_cmp_mpi(&K, N) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
- /*
- * Step 3: Check and 1 < D, E < N if present.
- */
-
- if (N != NULL && D != NULL && E != NULL) {
- if (mbedtls_mpi_cmp_int(D, 1) <= 0 ||
- mbedtls_mpi_cmp_int(E, 1) <= 0 ||
- mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
- mbedtls_mpi_cmp_mpi(E, N) >= 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
- /*
- * Step 4: Check that D, E are inverse modulo P-1 and Q-1
- */
-
- if (P != NULL && Q != NULL && D != NULL && E != NULL) {
- if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
- mbedtls_mpi_cmp_int(Q, 1) <= 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
-
- /* Compute DE-1 mod P-1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
- if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
-
- /* Compute DE-1 mod Q-1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
- if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
-cleanup:
-
- mbedtls_mpi_free(&K);
- mbedtls_mpi_free(&L);
-
- /* Wrap MPI error codes by RSA check failure error code */
- if (ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) {
- ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- return ret;
-}
-
-/*
- * Check that RSA CRT parameters are in accordance with core parameters.
- */
-int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, const mbedtls_mpi *DP,
- const mbedtls_mpi *DQ, const mbedtls_mpi *QP)
-{
- int ret = 0;
-
- mbedtls_mpi K, L;
- mbedtls_mpi_init(&K);
- mbedtls_mpi_init(&L);
-
- /* Check that DP - D == 0 mod P - 1 */
- if (DP != NULL) {
- if (P == NULL) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DP, D));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
-
- if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
- /* Check that DQ - D == 0 mod Q - 1 */
- if (DQ != NULL) {
- if (Q == NULL) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DQ, D));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
-
- if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
- /* Check that QP * Q - 1 == 0 mod P */
- if (QP != NULL) {
- if (P == NULL || Q == NULL) {
- ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- goto cleanup;
- }
-
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, QP, Q));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, P));
- if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
- ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- goto cleanup;
- }
- }
-
-cleanup:
-
- /* Wrap MPI error codes by RSA check failure error code */
- if (ret != 0 &&
- ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
- ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
- ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
- }
-
- mbedtls_mpi_free(&K);
- mbedtls_mpi_free(&L);
-
- return ret;
-}
-
-#endif /* MBEDTLS_RSA_C */
diff --git a/library/rsa_alt_helpers.h b/library/rsa_alt_helpers.h
deleted file mode 100644
index 3b22ba8..0000000
--- a/library/rsa_alt_helpers.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/**
- * \file rsa_alt_helpers.h
- *
- * \brief Context-independent RSA helper functions
- *
- * This module declares some RSA-related helper functions useful when
- * implementing the RSA interface. These functions are provided in a separate
- * compilation unit in order to make it easy for designers of alternative RSA
- * implementations to use them in their own code, as it is conceived that the
- * functionality they provide will be necessary for most complete
- * implementations.
- *
- * End-users of Mbed TLS who are not providing their own alternative RSA
- * implementations should not use these functions directly, and should instead
- * use only the functions declared in rsa.h.
- *
- * The interface provided by this module will be maintained through LTS (Long
- * Term Support) branches of Mbed TLS, but may otherwise be subject to change,
- * and must be considered an internal interface of the library.
- *
- * There are two classes of helper functions:
- *
- * (1) Parameter-generating helpers. These are:
- * - mbedtls_rsa_deduce_primes
- * - mbedtls_rsa_deduce_private_exponent
- * - mbedtls_rsa_deduce_crt
- * Each of these functions takes a set of core RSA parameters and
- * generates some other, or CRT related parameters.
- *
- * (2) Parameter-checking helpers. These are:
- * - mbedtls_rsa_validate_params
- * - mbedtls_rsa_validate_crt
- * They take a set of core or CRT related RSA parameters and check their
- * validity.
- *
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#ifndef MBEDTLS_RSA_INTERNAL_H
-#define MBEDTLS_RSA_INTERNAL_H
-
-#include "mbedtls/build_info.h"
-
-#include "mbedtls/bignum.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/**
- * \brief Compute RSA prime moduli P, Q from public modulus N=PQ
- * and a pair of private and public key.
- *
- * \note This is a 'static' helper function not operating on
- * an RSA context. Alternative implementations need not
- * overwrite it.
- *
- * \param N RSA modulus N = PQ, with P, Q to be found
- * \param E RSA public exponent
- * \param D RSA private exponent
- * \param P Pointer to MPI holding first prime factor of N on success
- * \param Q Pointer to MPI holding second prime factor of N on success
- *
- * \return
- * - 0 if successful. In this case, P and Q constitute a
- * factorization of N.
- * - A non-zero error code otherwise.
- *
- * \note It is neither checked that P, Q are prime nor that
- * D, E are modular inverses wrt. P-1 and Q-1. For that,
- * use the helper function \c mbedtls_rsa_validate_params.
- *
- */
-int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E,
- mbedtls_mpi const *D,
- mbedtls_mpi *P, mbedtls_mpi *Q);
-
-/**
- * \brief Compute RSA private exponent from
- * prime moduli and public key.
- *
- * \note This is a 'static' helper function not operating on
- * an RSA context. Alternative implementations need not
- * overwrite it.
- *
- * \param P First prime factor of RSA modulus
- * \param Q Second prime factor of RSA modulus
- * \param E RSA public exponent
- * \param D Pointer to MPI holding the private exponent on success.
- *
- * \return
- * - 0 if successful. In this case, D is set to a simultaneous
- * modular inverse of E modulo both P-1 and Q-1.
- * - A non-zero error code otherwise.
- *
- * \note This function does not check whether P and Q are primes.
- *
- */
-int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
- mbedtls_mpi const *Q,
- mbedtls_mpi const *E,
- mbedtls_mpi *D);
-
-
-/**
- * \brief Generate RSA-CRT parameters
- *
- * \note This is a 'static' helper function not operating on
- * an RSA context. Alternative implementations need not
- * overwrite it.
- *
- * \param P First prime factor of N
- * \param Q Second prime factor of N
- * \param D RSA private exponent
- * \param DP Output variable for D modulo P-1
- * \param DQ Output variable for D modulo Q-1
- * \param QP Output variable for the modular inverse of Q modulo P.
- *
- * \return 0 on success, non-zero error code otherwise.
- *
- * \note This function does not check whether P, Q are
- * prime and whether D is a valid private exponent.
- *
- */
-int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, mbedtls_mpi *DP,
- mbedtls_mpi *DQ, mbedtls_mpi *QP);
-
-
-/**
- * \brief Check validity of core RSA parameters
- *
- * \note This is a 'static' helper function not operating on
- * an RSA context. Alternative implementations need not
- * overwrite it.
- *
- * \param N RSA modulus N = PQ
- * \param P First prime factor of N
- * \param Q Second prime factor of N
- * \param D RSA private exponent
- * \param E RSA public exponent
- * \param f_rng PRNG to be used for primality check, or NULL
- * \param p_rng PRNG context for f_rng, or NULL
- *
- * \return
- * - 0 if the following conditions are satisfied
- * if all relevant parameters are provided:
- * - P prime if f_rng != NULL (%)
- * - Q prime if f_rng != NULL (%)
- * - 1 < N = P * Q
- * - 1 < D, E < N
- * - D and E are modular inverses modulo P-1 and Q-1
- * (%) This is only done if MBEDTLS_GENPRIME is defined.
- * - A non-zero error code otherwise.
- *
- * \note The function can be used with a restricted set of arguments
- * to perform specific checks only. E.g., calling it with
- * (-,P,-,-,-) and a PRNG amounts to a primality check for P.
- */
-int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
- const mbedtls_mpi *Q, const mbedtls_mpi *D,
- const mbedtls_mpi *E,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-
-/**
- * \brief Check validity of RSA CRT parameters
- *
- * \note This is a 'static' helper function not operating on
- * an RSA context. Alternative implementations need not
- * overwrite it.
- *
- * \param P First prime factor of RSA modulus
- * \param Q Second prime factor of RSA modulus
- * \param D RSA private exponent
- * \param DP MPI to check for D modulo P-1
- * \param DQ MPI to check for D modulo P-1
- * \param QP MPI to check for the modular inverse of Q modulo P.
- *
- * \return
- * - 0 if the following conditions are satisfied:
- * - D = DP mod P-1 if P, D, DP != NULL
- * - Q = DQ mod P-1 if P, D, DQ != NULL
- * - QP = Q^-1 mod P if P, Q, QP != NULL
- * - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
- * potentially including \c MBEDTLS_ERR_MPI_XXX if some
- * MPI calculations failed.
- * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
- * data was provided to check DP, DQ or QP.
- *
- * \note The function can be used with a restricted set of arguments
- * to perform specific checks only. E.g., calling it with the
- * parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
- */
-int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
- const mbedtls_mpi *D, const mbedtls_mpi *DP,
- const mbedtls_mpi *DQ, const mbedtls_mpi *QP);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* rsa_alt_helpers.h */
diff --git a/library/sha1.c b/library/sha1.c
deleted file mode 100644
index 28a57b6..0000000
--- a/library/sha1.c
+++ /dev/null
@@ -1,492 +0,0 @@
-/*
- * FIPS-180-1 compliant SHA-1 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The SHA-1 standard was published by NIST in 1993.
- *
- * http://www.itl.nist.gov/fipspubs/fip180-1.htm
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SHA1_C)
-
-#include "mbedtls/sha1.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if !defined(MBEDTLS_SHA1_ALT)
-
-void mbedtls_sha1_init(mbedtls_sha1_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_sha1_context));
-}
-
-void mbedtls_sha1_free(mbedtls_sha1_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha1_context));
-}
-
-void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
- const mbedtls_sha1_context *src)
-{
- *dst = *src;
-}
-
-/*
- * SHA-1 context setup
- */
-int mbedtls_sha1_starts(mbedtls_sha1_context *ctx)
-{
- ctx->total[0] = 0;
- ctx->total[1] = 0;
-
- ctx->state[0] = 0x67452301;
- ctx->state[1] = 0xEFCDAB89;
- ctx->state[2] = 0x98BADCFE;
- ctx->state[3] = 0x10325476;
- ctx->state[4] = 0xC3D2E1F0;
-
- return 0;
-}
-
-#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
-int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
- const unsigned char data[64])
-{
- struct {
- uint32_t temp, W[16], A, B, C, D, E;
- } local;
-
- local.W[0] = MBEDTLS_GET_UINT32_BE(data, 0);
- local.W[1] = MBEDTLS_GET_UINT32_BE(data, 4);
- local.W[2] = MBEDTLS_GET_UINT32_BE(data, 8);
- local.W[3] = MBEDTLS_GET_UINT32_BE(data, 12);
- local.W[4] = MBEDTLS_GET_UINT32_BE(data, 16);
- local.W[5] = MBEDTLS_GET_UINT32_BE(data, 20);
- local.W[6] = MBEDTLS_GET_UINT32_BE(data, 24);
- local.W[7] = MBEDTLS_GET_UINT32_BE(data, 28);
- local.W[8] = MBEDTLS_GET_UINT32_BE(data, 32);
- local.W[9] = MBEDTLS_GET_UINT32_BE(data, 36);
- local.W[10] = MBEDTLS_GET_UINT32_BE(data, 40);
- local.W[11] = MBEDTLS_GET_UINT32_BE(data, 44);
- local.W[12] = MBEDTLS_GET_UINT32_BE(data, 48);
- local.W[13] = MBEDTLS_GET_UINT32_BE(data, 52);
- local.W[14] = MBEDTLS_GET_UINT32_BE(data, 56);
- local.W[15] = MBEDTLS_GET_UINT32_BE(data, 60);
-
-#define S(x, n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
-
-#define R(t) \
- ( \
- local.temp = local.W[((t) - 3) & 0x0F] ^ \
- local.W[((t) - 8) & 0x0F] ^ \
- local.W[((t) - 14) & 0x0F] ^ \
- local.W[(t) & 0x0F], \
- (local.W[(t) & 0x0F] = S(local.temp, 1)) \
- )
-
-#define P(a, b, c, d, e, x) \
- do \
- { \
- (e) += S((a), 5) + F((b), (c), (d)) + K + (x); \
- (b) = S((b), 30); \
- } while (0)
-
- local.A = ctx->state[0];
- local.B = ctx->state[1];
- local.C = ctx->state[2];
- local.D = ctx->state[3];
- local.E = ctx->state[4];
-
-#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
-#define K 0x5A827999
-
- P(local.A, local.B, local.C, local.D, local.E, local.W[0]);
- P(local.E, local.A, local.B, local.C, local.D, local.W[1]);
- P(local.D, local.E, local.A, local.B, local.C, local.W[2]);
- P(local.C, local.D, local.E, local.A, local.B, local.W[3]);
- P(local.B, local.C, local.D, local.E, local.A, local.W[4]);
- P(local.A, local.B, local.C, local.D, local.E, local.W[5]);
- P(local.E, local.A, local.B, local.C, local.D, local.W[6]);
- P(local.D, local.E, local.A, local.B, local.C, local.W[7]);
- P(local.C, local.D, local.E, local.A, local.B, local.W[8]);
- P(local.B, local.C, local.D, local.E, local.A, local.W[9]);
- P(local.A, local.B, local.C, local.D, local.E, local.W[10]);
- P(local.E, local.A, local.B, local.C, local.D, local.W[11]);
- P(local.D, local.E, local.A, local.B, local.C, local.W[12]);
- P(local.C, local.D, local.E, local.A, local.B, local.W[13]);
- P(local.B, local.C, local.D, local.E, local.A, local.W[14]);
- P(local.A, local.B, local.C, local.D, local.E, local.W[15]);
- P(local.E, local.A, local.B, local.C, local.D, R(16));
- P(local.D, local.E, local.A, local.B, local.C, R(17));
- P(local.C, local.D, local.E, local.A, local.B, R(18));
- P(local.B, local.C, local.D, local.E, local.A, R(19));
-
-#undef K
-#undef F
-
-#define F(x, y, z) ((x) ^ (y) ^ (z))
-#define K 0x6ED9EBA1
-
- P(local.A, local.B, local.C, local.D, local.E, R(20));
- P(local.E, local.A, local.B, local.C, local.D, R(21));
- P(local.D, local.E, local.A, local.B, local.C, R(22));
- P(local.C, local.D, local.E, local.A, local.B, R(23));
- P(local.B, local.C, local.D, local.E, local.A, R(24));
- P(local.A, local.B, local.C, local.D, local.E, R(25));
- P(local.E, local.A, local.B, local.C, local.D, R(26));
- P(local.D, local.E, local.A, local.B, local.C, R(27));
- P(local.C, local.D, local.E, local.A, local.B, R(28));
- P(local.B, local.C, local.D, local.E, local.A, R(29));
- P(local.A, local.B, local.C, local.D, local.E, R(30));
- P(local.E, local.A, local.B, local.C, local.D, R(31));
- P(local.D, local.E, local.A, local.B, local.C, R(32));
- P(local.C, local.D, local.E, local.A, local.B, R(33));
- P(local.B, local.C, local.D, local.E, local.A, R(34));
- P(local.A, local.B, local.C, local.D, local.E, R(35));
- P(local.E, local.A, local.B, local.C, local.D, R(36));
- P(local.D, local.E, local.A, local.B, local.C, R(37));
- P(local.C, local.D, local.E, local.A, local.B, R(38));
- P(local.B, local.C, local.D, local.E, local.A, R(39));
-
-#undef K
-#undef F
-
-#define F(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
-#define K 0x8F1BBCDC
-
- P(local.A, local.B, local.C, local.D, local.E, R(40));
- P(local.E, local.A, local.B, local.C, local.D, R(41));
- P(local.D, local.E, local.A, local.B, local.C, R(42));
- P(local.C, local.D, local.E, local.A, local.B, R(43));
- P(local.B, local.C, local.D, local.E, local.A, R(44));
- P(local.A, local.B, local.C, local.D, local.E, R(45));
- P(local.E, local.A, local.B, local.C, local.D, R(46));
- P(local.D, local.E, local.A, local.B, local.C, R(47));
- P(local.C, local.D, local.E, local.A, local.B, R(48));
- P(local.B, local.C, local.D, local.E, local.A, R(49));
- P(local.A, local.B, local.C, local.D, local.E, R(50));
- P(local.E, local.A, local.B, local.C, local.D, R(51));
- P(local.D, local.E, local.A, local.B, local.C, R(52));
- P(local.C, local.D, local.E, local.A, local.B, R(53));
- P(local.B, local.C, local.D, local.E, local.A, R(54));
- P(local.A, local.B, local.C, local.D, local.E, R(55));
- P(local.E, local.A, local.B, local.C, local.D, R(56));
- P(local.D, local.E, local.A, local.B, local.C, R(57));
- P(local.C, local.D, local.E, local.A, local.B, R(58));
- P(local.B, local.C, local.D, local.E, local.A, R(59));
-
-#undef K
-#undef F
-
-#define F(x, y, z) ((x) ^ (y) ^ (z))
-#define K 0xCA62C1D6
-
- P(local.A, local.B, local.C, local.D, local.E, R(60));
- P(local.E, local.A, local.B, local.C, local.D, R(61));
- P(local.D, local.E, local.A, local.B, local.C, R(62));
- P(local.C, local.D, local.E, local.A, local.B, R(63));
- P(local.B, local.C, local.D, local.E, local.A, R(64));
- P(local.A, local.B, local.C, local.D, local.E, R(65));
- P(local.E, local.A, local.B, local.C, local.D, R(66));
- P(local.D, local.E, local.A, local.B, local.C, R(67));
- P(local.C, local.D, local.E, local.A, local.B, R(68));
- P(local.B, local.C, local.D, local.E, local.A, R(69));
- P(local.A, local.B, local.C, local.D, local.E, R(70));
- P(local.E, local.A, local.B, local.C, local.D, R(71));
- P(local.D, local.E, local.A, local.B, local.C, R(72));
- P(local.C, local.D, local.E, local.A, local.B, R(73));
- P(local.B, local.C, local.D, local.E, local.A, R(74));
- P(local.A, local.B, local.C, local.D, local.E, R(75));
- P(local.E, local.A, local.B, local.C, local.D, R(76));
- P(local.D, local.E, local.A, local.B, local.C, R(77));
- P(local.C, local.D, local.E, local.A, local.B, R(78));
- P(local.B, local.C, local.D, local.E, local.A, R(79));
-
-#undef K
-#undef F
-
- ctx->state[0] += local.A;
- ctx->state[1] += local.B;
- ctx->state[2] += local.C;
- ctx->state[3] += local.D;
- ctx->state[4] += local.E;
-
- /* Zeroise buffers and variables to clear sensitive data from memory. */
- mbedtls_platform_zeroize(&local, sizeof(local));
-
- return 0;
-}
-
-#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
-
-/*
- * SHA-1 process buffer
- */
-int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t fill;
- uint32_t left;
-
- if (ilen == 0) {
- return 0;
- }
-
- left = ctx->total[0] & 0x3F;
- fill = 64 - left;
-
- ctx->total[0] += (uint32_t) ilen;
- ctx->total[0] &= 0xFFFFFFFF;
-
- if (ctx->total[0] < (uint32_t) ilen) {
- ctx->total[1]++;
- }
-
- if (left && ilen >= fill) {
- memcpy((void *) (ctx->buffer + left), input, fill);
-
- if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
- return ret;
- }
-
- input += fill;
- ilen -= fill;
- left = 0;
- }
-
- while (ilen >= 64) {
- if ((ret = mbedtls_internal_sha1_process(ctx, input)) != 0) {
- return ret;
- }
-
- input += 64;
- ilen -= 64;
- }
-
- if (ilen > 0) {
- memcpy((void *) (ctx->buffer + left), input, ilen);
- }
-
- return 0;
-}
-
-/*
- * SHA-1 final digest
- */
-int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
- unsigned char output[20])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint32_t used;
- uint32_t high, low;
-
- /*
- * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
- */
- used = ctx->total[0] & 0x3F;
-
- ctx->buffer[used++] = 0x80;
-
- if (used <= 56) {
- /* Enough room for padding + length in current block */
- memset(ctx->buffer + used, 0, 56 - used);
- } else {
- /* We'll need an extra block */
- memset(ctx->buffer + used, 0, 64 - used);
-
- if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- memset(ctx->buffer, 0, 56);
- }
-
- /*
- * Add message length
- */
- high = (ctx->total[0] >> 29)
- | (ctx->total[1] << 3);
- low = (ctx->total[0] << 3);
-
- MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
- MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
-
- if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- /*
- * Output final state
- */
- MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
- MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
- MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
- MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
- MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
-
- ret = 0;
-
-exit:
- mbedtls_sha1_free(ctx);
- return ret;
-}
-
-#endif /* !MBEDTLS_SHA1_ALT */
-
-/*
- * output = SHA-1( input buffer )
- */
-int mbedtls_sha1(const unsigned char *input,
- size_t ilen,
- unsigned char output[20])
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_sha1_context ctx;
-
- mbedtls_sha1_init(&ctx);
-
- if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_sha1_free(&ctx);
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * FIPS-180-1 test vectors
- */
-static const unsigned char sha1_test_buf[3][57] =
-{
- { "abc" },
- { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
- { "" }
-};
-
-static const size_t sha1_test_buflen[3] =
-{
- 3, 56, 1000
-};
-
-static const unsigned char sha1_test_sum[3][20] =
-{
- { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
- 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
- { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
- 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
- { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
- 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
-};
-
-/*
- * Checkup routine
- */
-int mbedtls_sha1_self_test(int verbose)
-{
- int i, j, buflen, ret = 0;
- unsigned char buf[1024];
- unsigned char sha1sum[20];
- mbedtls_sha1_context ctx;
-
- mbedtls_sha1_init(&ctx);
-
- /*
- * SHA-1
- */
- for (i = 0; i < 3; i++) {
- if (verbose != 0) {
- mbedtls_printf(" SHA-1 test #%d: ", i + 1);
- }
-
- if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
- goto fail;
- }
-
- if (i == 2) {
- memset(buf, 'a', buflen = 1000);
-
- for (j = 0; j < 1000; j++) {
- ret = mbedtls_sha1_update(&ctx, buf, buflen);
- if (ret != 0) {
- goto fail;
- }
- }
- } else {
- ret = mbedtls_sha1_update(&ctx, sha1_test_buf[i],
- sha1_test_buflen[i]);
- if (ret != 0) {
- goto fail;
- }
- }
-
- if ((ret = mbedtls_sha1_finish(&ctx, sha1sum)) != 0) {
- goto fail;
- }
-
- if (memcmp(sha1sum, sha1_test_sum[i], 20) != 0) {
- ret = 1;
- goto fail;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- goto exit;
-
-fail:
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
-exit:
- mbedtls_sha1_free(&ctx);
-
- return ret;
-}
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_SHA1_C */
diff --git a/library/sha256.c b/library/sha256.c
deleted file mode 100644
index 223badf..0000000
--- a/library/sha256.c
+++ /dev/null
@@ -1,958 +0,0 @@
-/*
- * FIPS-180-2 compliant SHA-256 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The SHA-256 Secure Hash Standard was published by NIST in 2002.
- *
- * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
- */
-
-#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \
- defined(__clang__) && __clang_major__ >= 4
-/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
- *
- * The intrinsic declaration are guarded by predefined ACLE macros in clang:
- * these are normally only enabled by the -march option on the command line.
- * By defining the macros ourselves we gain access to those declarations without
- * requiring -march on the command line.
- *
- * `arm_neon.h` could be included by any header file, so we put these defines
- * at the top of this file, before any includes.
- */
-#define __ARM_FEATURE_CRYPTO 1
-/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
- *
- * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
- * for older compilers.
- */
-#define __ARM_FEATURE_SHA2 1
-#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
-#endif
-
-#include "common.h"
-
-#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
-
-#include "mbedtls/sha256.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if defined(__aarch64__)
-
-# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-
-/* *INDENT-OFF* */
-
-# ifdef __ARM_NEON
-# include <arm_neon.h>
-# else
-# error "Target does not support NEON instructions"
-# endif
-
-# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
-# if defined(__ARMCOMPILER_VERSION)
-# if __ARMCOMPILER_VERSION <= 6090000
-# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
-# endif
-# pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# elif defined(__clang__)
-# if __clang_major__ < 4
-# error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
-# endif
-# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# elif defined(__GNUC__)
- /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
- * intrinsics are missing. Missing intrinsics could be worked around.
- */
-# if __GNUC__ < 6
-# error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
-# else
-# pragma GCC push_options
-# pragma GCC target ("arch=armv8-a+crypto")
-# define MBEDTLS_POP_TARGET_PRAGMA
-# endif
-# else
-# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
-# endif
-# endif
-/* *INDENT-ON* */
-
-# endif
-# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-# if defined(__unix__)
-# if defined(__linux__)
-/* Our preferred method of detection is getauxval() */
-# include <sys/auxv.h>
-# endif
-/* Use SIGILL on Unix, and fall back to it on Linux */
-# include <signal.h>
-# endif
-# endif
-#elif defined(_M_ARM64)
-# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-# include <arm64_neon.h>
-# endif
-#else
-# undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
-# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
-#endif
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * Capability detection code comes early, so we can disable
- * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
- */
-#if defined(HWCAP_SHA2)
-static int mbedtls_a64_crypto_sha256_determine_support(void)
-{
- return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
-}
-#elif defined(__APPLE__)
-static int mbedtls_a64_crypto_sha256_determine_support(void)
-{
- return 1;
-}
-#elif defined(_M_ARM64)
-#define WIN32_LEAN_AND_MEAN
-#include <Windows.h>
-#include <processthreadsapi.h>
-
-static int mbedtls_a64_crypto_sha256_determine_support(void)
-{
- return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
- 1 : 0;
-}
-#elif defined(__unix__) && defined(SIG_SETMASK)
-/* Detection with SIGILL, setjmp() and longjmp() */
-#include <signal.h>
-#include <setjmp.h>
-
-static jmp_buf return_from_sigill;
-
-/*
- * A64 SHA256 support detection via SIGILL
- */
-static void sigill_handler(int signal)
-{
- (void) signal;
- longjmp(return_from_sigill, 1);
-}
-
-static int mbedtls_a64_crypto_sha256_determine_support(void)
-{
- struct sigaction old_action, new_action;
-
- sigset_t old_mask;
- if (sigprocmask(0, NULL, &old_mask)) {
- return 0;
- }
-
- sigemptyset(&new_action.sa_mask);
- new_action.sa_flags = 0;
- new_action.sa_handler = sigill_handler;
-
- sigaction(SIGILL, &new_action, &old_action);
-
- static int ret = 0;
-
- if (setjmp(return_from_sigill) == 0) { /* First return only */
- /* If this traps, we will return a second time from setjmp() with 1 */
- asm ("sha256h q0, q0, v0.4s" : : : "v0");
- ret = 1;
- }
-
- sigaction(SIGILL, &old_action, NULL);
- sigprocmask(SIG_SETMASK, &old_mask, NULL);
-
- return ret;
-}
-#else
-#warning "No mechanism to detect A64_CRYPTO found, using C code only"
-#undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
-#endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
-
-#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
-
-#if !defined(MBEDTLS_SHA256_ALT)
-
-#define SHA256_BLOCK_SIZE 64
-
-void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_sha256_context));
-}
-
-void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
-}
-
-void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
- const mbedtls_sha256_context *src)
-{
- *dst = *src;
-}
-
-/*
- * SHA-256 context setup
- */
-int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
-{
-#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
- if (is224 != 0 && is224 != 1) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#elif defined(MBEDTLS_SHA256_C)
- if (is224 != 0) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#else /* defined MBEDTLS_SHA224_C only */
- if (is224 == 0) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#endif
-
- ctx->total[0] = 0;
- ctx->total[1] = 0;
-
- if (is224 == 0) {
-#if defined(MBEDTLS_SHA256_C)
- ctx->state[0] = 0x6A09E667;
- ctx->state[1] = 0xBB67AE85;
- ctx->state[2] = 0x3C6EF372;
- ctx->state[3] = 0xA54FF53A;
- ctx->state[4] = 0x510E527F;
- ctx->state[5] = 0x9B05688C;
- ctx->state[6] = 0x1F83D9AB;
- ctx->state[7] = 0x5BE0CD19;
-#endif
- } else {
-#if defined(MBEDTLS_SHA224_C)
- ctx->state[0] = 0xC1059ED8;
- ctx->state[1] = 0x367CD507;
- ctx->state[2] = 0x3070DD17;
- ctx->state[3] = 0xF70E5939;
- ctx->state[4] = 0xFFC00B31;
- ctx->state[5] = 0x68581511;
- ctx->state[6] = 0x64F98FA7;
- ctx->state[7] = 0xBEFA4FA4;
-#endif
- }
-
-#if defined(MBEDTLS_SHA224_C)
- ctx->is224 = is224;
-#endif
-
- return 0;
-}
-
-#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
-static const uint32_t K[] =
-{
- 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
- 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
- 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
- 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
- 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
- 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
- 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
- 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
- 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
- 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
- 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
- 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
- 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
- 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
- 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
- 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
-};
-
-#endif
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-# define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
-# define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
-#endif
-
-static size_t mbedtls_internal_sha256_process_many_a64_crypto(
- mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
-{
- uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
- uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
-
- size_t processed = 0;
-
- for (;
- len >= SHA256_BLOCK_SIZE;
- processed += SHA256_BLOCK_SIZE,
- msg += SHA256_BLOCK_SIZE,
- len -= SHA256_BLOCK_SIZE) {
- uint32x4_t tmp, abcd_prev;
-
- uint32x4_t abcd_orig = abcd;
- uint32x4_t efgh_orig = efgh;
-
- uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0);
- uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1);
- uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2);
- uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3);
-
-#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
- /* Untested on BE */
- sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
- sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
- sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
- sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
-#endif
-
- /* Rounds 0 to 3 */
- tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds 4 to 7 */
- tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds 8 to 11 */
- tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds 12 to 15 */
- tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- for (int t = 16; t < 64; t += 16) {
- /* Rounds t to t + 3 */
- sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
- tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds t + 4 to t + 7 */
- sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
- tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds t + 8 to t + 11 */
- sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
- tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
-
- /* Rounds t + 12 to t + 15 */
- sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
- tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
- abcd_prev = abcd;
- abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
- efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
- }
-
- abcd = vaddq_u32(abcd, abcd_orig);
- efgh = vaddq_u32(efgh, efgh_orig);
- }
-
- vst1q_u32(&ctx->state[0], abcd);
- vst1q_u32(&ctx->state[4], efgh);
-
- return processed;
-}
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * This function is for internal use only if we are building both C and A64
- * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
- */
-static
-#endif
-int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
- const unsigned char data[SHA256_BLOCK_SIZE])
-{
- return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
- SHA256_BLOCK_SIZE) ==
- SHA256_BLOCK_SIZE) ? 0 : -1;
-}
-
-#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
-
-#if defined(MBEDTLS_POP_TARGET_PRAGMA)
-#if defined(__clang__)
-#pragma clang attribute pop
-#elif defined(__GNUC__)
-#pragma GCC pop_options
-#endif
-#undef MBEDTLS_POP_TARGET_PRAGMA
-#endif
-
-#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
-#define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
-#endif
-
-
-#if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
- !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-
-#define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
-#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
-
-#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
-#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
-
-#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
-#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
-
-#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
-#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
-
-#define R(t) \
- ( \
- local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
- S0(local.W[(t) - 15]) + local.W[(t) - 16] \
- )
-
-#define P(a, b, c, d, e, f, g, h, x, K) \
- do \
- { \
- local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
- local.temp2 = S2(a) + F0((a), (b), (c)); \
- (d) += local.temp1; (h) = local.temp1 + local.temp2; \
- } while (0)
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * This function is for internal use only if we are building both C and A64
- * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
- */
-static
-#endif
-int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
- const unsigned char data[SHA256_BLOCK_SIZE])
-{
- struct {
- uint32_t temp1, temp2, W[64];
- uint32_t A[8];
- } local;
-
- unsigned int i;
-
- for (i = 0; i < 8; i++) {
- local.A[i] = ctx->state[i];
- }
-
-#if defined(MBEDTLS_SHA256_SMALLER)
- for (i = 0; i < 64; i++) {
- if (i < 16) {
- local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
- } else {
- R(i);
- }
-
- P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
- local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
-
- local.temp1 = local.A[7]; local.A[7] = local.A[6];
- local.A[6] = local.A[5]; local.A[5] = local.A[4];
- local.A[4] = local.A[3]; local.A[3] = local.A[2];
- local.A[2] = local.A[1]; local.A[1] = local.A[0];
- local.A[0] = local.temp1;
- }
-#else /* MBEDTLS_SHA256_SMALLER */
- for (i = 0; i < 16; i++) {
- local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
- }
-
- for (i = 0; i < 16; i += 8) {
- P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
- local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
- P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
- local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
- P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
- local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
- P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
- local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
- P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
- local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
- P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
- local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
- P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
- local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
- P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
- local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
- }
-
- for (i = 16; i < 64; i += 8) {
- P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
- local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
- P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
- local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
- P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
- local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
- P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
- local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
- P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
- local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
- P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
- local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
- P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
- local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
- P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
- local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
- }
-#endif /* MBEDTLS_SHA256_SMALLER */
-
- for (i = 0; i < 8; i++) {
- ctx->state[i] += local.A[i];
- }
-
- /* Zeroise buffers and variables to clear sensitive data from memory. */
- mbedtls_platform_zeroize(&local, sizeof(local));
-
- return 0;
-}
-
-#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
-
-
-#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
-
-static size_t mbedtls_internal_sha256_process_many_c(
- mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
-{
- size_t processed = 0;
-
- while (len >= SHA256_BLOCK_SIZE) {
- if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
- return 0;
- }
-
- data += SHA256_BLOCK_SIZE;
- len -= SHA256_BLOCK_SIZE;
-
- processed += SHA256_BLOCK_SIZE;
- }
-
- return processed;
-}
-
-#endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
-
-
-#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
-
-static int mbedtls_a64_crypto_sha256_has_support(void)
-{
- static int done = 0;
- static int supported = 0;
-
- if (!done) {
- supported = mbedtls_a64_crypto_sha256_determine_support();
- done = 1;
- }
-
- return supported;
-}
-
-static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
- const uint8_t *msg, size_t len)
-{
- if (mbedtls_a64_crypto_sha256_has_support()) {
- return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
- } else {
- return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
- }
-}
-
-int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
- const unsigned char data[SHA256_BLOCK_SIZE])
-{
- if (mbedtls_a64_crypto_sha256_has_support()) {
- return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
- } else {
- return mbedtls_internal_sha256_process_c(ctx, data);
- }
-}
-
-#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
-
-
-/*
- * SHA-256 process buffer
- */
-int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t fill;
- uint32_t left;
-
- if (ilen == 0) {
- return 0;
- }
-
- left = ctx->total[0] & 0x3F;
- fill = SHA256_BLOCK_SIZE - left;
-
- ctx->total[0] += (uint32_t) ilen;
- ctx->total[0] &= 0xFFFFFFFF;
-
- if (ctx->total[0] < (uint32_t) ilen) {
- ctx->total[1]++;
- }
-
- if (left && ilen >= fill) {
- memcpy((void *) (ctx->buffer + left), input, fill);
-
- if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
- return ret;
- }
-
- input += fill;
- ilen -= fill;
- left = 0;
- }
-
- while (ilen >= SHA256_BLOCK_SIZE) {
- size_t processed =
- mbedtls_internal_sha256_process_many(ctx, input, ilen);
- if (processed < SHA256_BLOCK_SIZE) {
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-
- input += processed;
- ilen -= processed;
- }
-
- if (ilen > 0) {
- memcpy((void *) (ctx->buffer + left), input, ilen);
- }
-
- return 0;
-}
-
-/*
- * SHA-256 final digest
- */
-int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint32_t used;
- uint32_t high, low;
- int truncated = 0;
-
- /*
- * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
- */
- used = ctx->total[0] & 0x3F;
-
- ctx->buffer[used++] = 0x80;
-
- if (used <= 56) {
- /* Enough room for padding + length in current block */
- memset(ctx->buffer + used, 0, 56 - used);
- } else {
- /* We'll need an extra block */
- memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
-
- if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- memset(ctx->buffer, 0, 56);
- }
-
- /*
- * Add message length
- */
- high = (ctx->total[0] >> 29)
- | (ctx->total[1] << 3);
- low = (ctx->total[0] << 3);
-
- MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
- MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
-
- if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- /*
- * Output final state
- */
- MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
- MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
- MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
- MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
- MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
- MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
- MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
-
-#if defined(MBEDTLS_SHA224_C)
- truncated = ctx->is224;
-#endif
- if (!truncated) {
- MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
- }
-
- ret = 0;
-
-exit:
- mbedtls_sha256_free(ctx);
- return ret;
-}
-
-#endif /* !MBEDTLS_SHA256_ALT */
-
-/*
- * output = SHA-256( input buffer )
- */
-int mbedtls_sha256(const unsigned char *input,
- size_t ilen,
- unsigned char *output,
- int is224)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_sha256_context ctx;
-
-#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
- if (is224 != 0 && is224 != 1) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#elif defined(MBEDTLS_SHA256_C)
- if (is224 != 0) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#else /* defined MBEDTLS_SHA224_C only */
- if (is224 == 0) {
- return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
- }
-#endif
-
- mbedtls_sha256_init(&ctx);
-
- if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_sha256_free(&ctx);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-/*
- * FIPS-180-2 test vectors
- */
-static const unsigned char sha_test_buf[3][57] =
-{
- { "abc" },
- { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
- { "" }
-};
-
-static const size_t sha_test_buflen[3] =
-{
- 3, 56, 1000
-};
-
-typedef const unsigned char (sha_test_sum_t)[32];
-
-/*
- * SHA-224 test vectors
- */
-#if defined(MBEDTLS_SHA224_C)
-static sha_test_sum_t sha224_test_sum[] =
-{
- { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
- 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
- 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
- 0xE3, 0x6C, 0x9D, 0xA7 },
- { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
- 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
- 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
- 0x52, 0x52, 0x25, 0x25 },
- { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
- 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
- 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
- 0x4E, 0xE7, 0xAD, 0x67 }
-};
-#endif
-
-/*
- * SHA-256 test vectors
- */
-#if defined(MBEDTLS_SHA256_C)
-static sha_test_sum_t sha256_test_sum[] =
-{
- { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
- 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
- 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
- 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
- { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
- 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
- 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
- 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
- { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
- 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
- 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
- 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
-};
-#endif
-
-/*
- * Checkup routine
- */
-static int mbedtls_sha256_common_self_test(int verbose, int is224)
-{
- int i, buflen, ret = 0;
- unsigned char *buf;
- unsigned char sha256sum[32];
- mbedtls_sha256_context ctx;
-
-#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
- sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
-#elif defined(MBEDTLS_SHA256_C)
- sha_test_sum_t *sha_test_sum = sha256_test_sum;
-#else
- sha_test_sum_t *sha_test_sum = sha224_test_sum;
-#endif
-
- buf = mbedtls_calloc(1024, sizeof(unsigned char));
- if (NULL == buf) {
- if (verbose != 0) {
- mbedtls_printf("Buffer allocation failed\n");
- }
-
- return 1;
- }
-
- mbedtls_sha256_init(&ctx);
-
- for (i = 0; i < 3; i++) {
- if (verbose != 0) {
- mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
- }
-
- if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
- goto fail;
- }
-
- if (i == 2) {
- memset(buf, 'a', buflen = 1000);
-
- for (int j = 0; j < 1000; j++) {
- ret = mbedtls_sha256_update(&ctx, buf, buflen);
- if (ret != 0) {
- goto fail;
- }
- }
-
- } else {
- ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
- sha_test_buflen[i]);
- if (ret != 0) {
- goto fail;
- }
- }
-
- if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
- goto fail;
- }
-
-
- if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
- ret = 1;
- goto fail;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- goto exit;
-
-fail:
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
-exit:
- mbedtls_sha256_free(&ctx);
- mbedtls_free(buf);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SHA256_C)
-int mbedtls_sha256_self_test(int verbose)
-{
- return mbedtls_sha256_common_self_test(verbose, 0);
-}
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA224_C)
-int mbedtls_sha224_self_test(int verbose)
-{
- return mbedtls_sha256_common_self_test(verbose, 1);
-}
-#endif /* MBEDTLS_SHA224_C */
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
diff --git a/library/sha3.c b/library/sha3.c
deleted file mode 100644
index 4c1a1a9..0000000
--- a/library/sha3.c
+++ /dev/null
@@ -1,638 +0,0 @@
-/*
- * FIPS-202 compliant SHA3 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The SHA-3 Secure Hash Standard was published by NIST in 2015.
- *
- * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SHA3_C)
-
-#include "mbedtls/sha3.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_SELF_TEST)
-#include "mbedtls/platform.h"
-#endif /* MBEDTLS_SELF_TEST */
-
-#define XOR_BYTE 0x6
-
-typedef struct mbedtls_sha3_family_functions {
- mbedtls_sha3_id id;
-
- uint16_t r;
- uint16_t olen;
-}
-mbedtls_sha3_family_functions;
-
-/*
- * List of supported SHA-3 families
- */
-static mbedtls_sha3_family_functions sha3_families[] = {
- { MBEDTLS_SHA3_224, 1152, 224 },
- { MBEDTLS_SHA3_256, 1088, 256 },
- { MBEDTLS_SHA3_384, 832, 384 },
- { MBEDTLS_SHA3_512, 576, 512 },
- { MBEDTLS_SHA3_NONE, 0, 0 }
-};
-
-static const uint64_t rc[24] = {
- 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
- 0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
- 0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
- 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
- 0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
- 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
-};
-
-static const uint8_t rho[24] = {
- 1, 62, 28, 27, 36, 44, 6, 55, 20,
- 3, 10, 43, 25, 39, 41, 45, 15,
- 21, 8, 18, 2, 61, 56, 14
-};
-
-static const uint8_t pi[24] = {
- 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
- 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1,
-};
-
-#define ROT64(x, y) (((x) << (y)) | ((x) >> (64U - (y))))
-#define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3); \
-} while (0)
-#define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3)))
-#define SWAP(x, y) do { uint64_t tmp = (x); (x) = (y); (y) = tmp; } while (0)
-
-/* The permutation function. */
-static void keccak_f1600(mbedtls_sha3_context *ctx)
-{
- uint64_t lane[5];
- uint64_t *s = ctx->state;
- int i;
-
- for (int round = 0; round < 24; round++) {
- uint64_t t;
-
- /* Theta */
- lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20];
- lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21];
- lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22];
- lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23];
- lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24];
-
- t = lane[4] ^ ROT64(lane[1], 1);
- s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t;
-
- t = lane[0] ^ ROT64(lane[2], 1);
- s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t;
-
- t = lane[1] ^ ROT64(lane[3], 1);
- s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t;
-
- t = lane[2] ^ ROT64(lane[4], 1);
- s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t;
-
- t = lane[3] ^ ROT64(lane[0], 1);
- s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t;
-
- /* Rho */
- for (i = 1; i < 25; i++) {
- s[i] = ROT64(s[i], rho[i-1]);
- }
-
- /* Pi */
- t = s[1];
- for (i = 0; i < 24; i++) {
- SWAP(s[pi[i]], t);
- }
-
- /* Chi */
- lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4];
- s[0] ^= (~lane[1]) & lane[2];
- s[1] ^= (~lane[2]) & lane[3];
- s[2] ^= (~lane[3]) & lane[4];
- s[3] ^= (~lane[4]) & lane[0];
- s[4] ^= (~lane[0]) & lane[1];
-
- lane[0] = s[5]; lane[1] = s[6]; lane[2] = s[7]; lane[3] = s[8]; lane[4] = s[9];
- s[5] ^= (~lane[1]) & lane[2];
- s[6] ^= (~lane[2]) & lane[3];
- s[7] ^= (~lane[3]) & lane[4];
- s[8] ^= (~lane[4]) & lane[0];
- s[9] ^= (~lane[0]) & lane[1];
-
- lane[0] = s[10]; lane[1] = s[11]; lane[2] = s[12]; lane[3] = s[13]; lane[4] = s[14];
- s[10] ^= (~lane[1]) & lane[2];
- s[11] ^= (~lane[2]) & lane[3];
- s[12] ^= (~lane[3]) & lane[4];
- s[13] ^= (~lane[4]) & lane[0];
- s[14] ^= (~lane[0]) & lane[1];
-
- lane[0] = s[15]; lane[1] = s[16]; lane[2] = s[17]; lane[3] = s[18]; lane[4] = s[19];
- s[15] ^= (~lane[1]) & lane[2];
- s[16] ^= (~lane[2]) & lane[3];
- s[17] ^= (~lane[3]) & lane[4];
- s[18] ^= (~lane[4]) & lane[0];
- s[19] ^= (~lane[0]) & lane[1];
-
- lane[0] = s[20]; lane[1] = s[21]; lane[2] = s[22]; lane[3] = s[23]; lane[4] = s[24];
- s[20] ^= (~lane[1]) & lane[2];
- s[21] ^= (~lane[2]) & lane[3];
- s[22] ^= (~lane[3]) & lane[4];
- s[23] ^= (~lane[4]) & lane[0];
- s[24] ^= (~lane[0]) & lane[1];
-
- /* Iota */
- s[0] ^= rc[round];
- }
-}
-
-void mbedtls_sha3_init(mbedtls_sha3_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_sha3_context));
-}
-
-void mbedtls_sha3_free(mbedtls_sha3_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha3_context));
-}
-
-void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
- const mbedtls_sha3_context *src)
-{
- *dst = *src;
-}
-
-/*
- * SHA-3 context setup
- */
-int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id)
-{
- mbedtls_sha3_family_functions *p = NULL;
-
- for (p = sha3_families; p->id != MBEDTLS_SHA3_NONE; p++) {
- if (p->id == id) {
- break;
- }
- }
-
- if (p->id == MBEDTLS_SHA3_NONE) {
- return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
- }
-
- ctx->olen = p->olen / 8;
- ctx->max_block_size = p->r / 8;
-
- memset(ctx->state, 0, sizeof(ctx->state));
- ctx->index = 0;
-
- return 0;
-}
-
-/*
- * SHA-3 process buffer
- */
-int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
- const uint8_t *input,
- size_t ilen)
-{
- if (ilen >= 8) {
- // 8-byte align index
- int align_bytes = 8 - (ctx->index % 8);
- if (align_bytes) {
- for (; align_bytes > 0; align_bytes--) {
- ABSORB(ctx, ctx->index, *input++);
- ilen--;
- ctx->index++;
- }
- if ((ctx->index = ctx->index % ctx->max_block_size) == 0) {
- keccak_f1600(ctx);
- }
- }
-
- // process input in 8-byte chunks
- while (ilen >= 8) {
- ABSORB(ctx, ctx->index, MBEDTLS_GET_UINT64_LE(input, 0));
- input += 8;
- ilen -= 8;
- if ((ctx->index = (ctx->index + 8) % ctx->max_block_size) == 0) {
- keccak_f1600(ctx);
- }
- }
- }
-
- // handle remaining bytes
- while (ilen-- > 0) {
- ABSORB(ctx, ctx->index, *input++);
- if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
- keccak_f1600(ctx);
- }
- }
-
- return 0;
-}
-
-int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
- uint8_t *output, size_t olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Catch SHA-3 families, with fixed output length */
- if (ctx->olen > 0) {
- if (ctx->olen > olen) {
- ret = MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
- goto exit;
- }
- olen = ctx->olen;
- }
-
- ABSORB(ctx, ctx->index, XOR_BYTE);
- ABSORB(ctx, ctx->max_block_size - 1, 0x80);
- keccak_f1600(ctx);
- ctx->index = 0;
-
- while (olen-- > 0) {
- *output++ = SQUEEZE(ctx, ctx->index);
-
- if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
- keccak_f1600(ctx);
- }
- }
-
- ret = 0;
-
-exit:
- mbedtls_sha3_free(ctx);
- return ret;
-}
-
-/*
- * output = SHA-3( input buffer )
- */
-int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
- size_t ilen, uint8_t *output, size_t olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_sha3_context ctx;
-
- mbedtls_sha3_init(&ctx);
-
- /* Sanity checks are performed in every mbedtls_sha3_xxx() */
- if ((ret = mbedtls_sha3_starts(&ctx, id)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha3_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha3_finish(&ctx, output, olen)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_sha3_free(&ctx);
-
- return ret;
-}
-
-/**************** Self-tests ****************/
-
-#if defined(MBEDTLS_SELF_TEST)
-
-static const unsigned char test_data[2][4] =
-{
- "",
- "abc",
-};
-
-static const size_t test_data_len[2] =
-{
- 0, /* "" */
- 3 /* "abc" */
-};
-
-static const unsigned char test_hash_sha3_224[2][28] =
-{
- { /* "" */
- 0x6B, 0x4E, 0x03, 0x42, 0x36, 0x67, 0xDB, 0xB7,
- 0x3B, 0x6E, 0x15, 0x45, 0x4F, 0x0E, 0xB1, 0xAB,
- 0xD4, 0x59, 0x7F, 0x9A, 0x1B, 0x07, 0x8E, 0x3F,
- 0x5B, 0x5A, 0x6B, 0xC7
- },
- { /* "abc" */
- 0xE6, 0x42, 0x82, 0x4C, 0x3F, 0x8C, 0xF2, 0x4A,
- 0xD0, 0x92, 0x34, 0xEE, 0x7D, 0x3C, 0x76, 0x6F,
- 0xC9, 0xA3, 0xA5, 0x16, 0x8D, 0x0C, 0x94, 0xAD,
- 0x73, 0xB4, 0x6F, 0xDF
- }
-};
-
-static const unsigned char test_hash_sha3_256[2][32] =
-{
- { /* "" */
- 0xA7, 0xFF, 0xC6, 0xF8, 0xBF, 0x1E, 0xD7, 0x66,
- 0x51, 0xC1, 0x47, 0x56, 0xA0, 0x61, 0xD6, 0x62,
- 0xF5, 0x80, 0xFF, 0x4D, 0xE4, 0x3B, 0x49, 0xFA,
- 0x82, 0xD8, 0x0A, 0x4B, 0x80, 0xF8, 0x43, 0x4A
- },
- { /* "abc" */
- 0x3A, 0x98, 0x5D, 0xA7, 0x4F, 0xE2, 0x25, 0xB2,
- 0x04, 0x5C, 0x17, 0x2D, 0x6B, 0xD3, 0x90, 0xBD,
- 0x85, 0x5F, 0x08, 0x6E, 0x3E, 0x9D, 0x52, 0x5B,
- 0x46, 0xBF, 0xE2, 0x45, 0x11, 0x43, 0x15, 0x32
- }
-};
-
-static const unsigned char test_hash_sha3_384[2][48] =
-{
- { /* "" */
- 0x0C, 0x63, 0xA7, 0x5B, 0x84, 0x5E, 0x4F, 0x7D,
- 0x01, 0x10, 0x7D, 0x85, 0x2E, 0x4C, 0x24, 0x85,
- 0xC5, 0x1A, 0x50, 0xAA, 0xAA, 0x94, 0xFC, 0x61,
- 0x99, 0x5E, 0x71, 0xBB, 0xEE, 0x98, 0x3A, 0x2A,
- 0xC3, 0x71, 0x38, 0x31, 0x26, 0x4A, 0xDB, 0x47,
- 0xFB, 0x6B, 0xD1, 0xE0, 0x58, 0xD5, 0xF0, 0x04
- },
- { /* "abc" */
- 0xEC, 0x01, 0x49, 0x82, 0x88, 0x51, 0x6F, 0xC9,
- 0x26, 0x45, 0x9F, 0x58, 0xE2, 0xC6, 0xAD, 0x8D,
- 0xF9, 0xB4, 0x73, 0xCB, 0x0F, 0xC0, 0x8C, 0x25,
- 0x96, 0xDA, 0x7C, 0xF0, 0xE4, 0x9B, 0xE4, 0xB2,
- 0x98, 0xD8, 0x8C, 0xEA, 0x92, 0x7A, 0xC7, 0xF5,
- 0x39, 0xF1, 0xED, 0xF2, 0x28, 0x37, 0x6D, 0x25
- }
-};
-
-static const unsigned char test_hash_sha3_512[2][64] =
-{
- { /* "" */
- 0xA6, 0x9F, 0x73, 0xCC, 0xA2, 0x3A, 0x9A, 0xC5,
- 0xC8, 0xB5, 0x67, 0xDC, 0x18, 0x5A, 0x75, 0x6E,
- 0x97, 0xC9, 0x82, 0x16, 0x4F, 0xE2, 0x58, 0x59,
- 0xE0, 0xD1, 0xDC, 0xC1, 0x47, 0x5C, 0x80, 0xA6,
- 0x15, 0xB2, 0x12, 0x3A, 0xF1, 0xF5, 0xF9, 0x4C,
- 0x11, 0xE3, 0xE9, 0x40, 0x2C, 0x3A, 0xC5, 0x58,
- 0xF5, 0x00, 0x19, 0x9D, 0x95, 0xB6, 0xD3, 0xE3,
- 0x01, 0x75, 0x85, 0x86, 0x28, 0x1D, 0xCD, 0x26
- },
- { /* "abc" */
- 0xB7, 0x51, 0x85, 0x0B, 0x1A, 0x57, 0x16, 0x8A,
- 0x56, 0x93, 0xCD, 0x92, 0x4B, 0x6B, 0x09, 0x6E,
- 0x08, 0xF6, 0x21, 0x82, 0x74, 0x44, 0xF7, 0x0D,
- 0x88, 0x4F, 0x5D, 0x02, 0x40, 0xD2, 0x71, 0x2E,
- 0x10, 0xE1, 0x16, 0xE9, 0x19, 0x2A, 0xF3, 0xC9,
- 0x1A, 0x7E, 0xC5, 0x76, 0x47, 0xE3, 0x93, 0x40,
- 0x57, 0x34, 0x0B, 0x4C, 0xF4, 0x08, 0xD5, 0xA5,
- 0x65, 0x92, 0xF8, 0x27, 0x4E, 0xEC, 0x53, 0xF0
- }
-};
-
-static const unsigned char long_kat_hash_sha3_224[28] =
-{
- 0xD6, 0x93, 0x35, 0xB9, 0x33, 0x25, 0x19, 0x2E,
- 0x51, 0x6A, 0x91, 0x2E, 0x6D, 0x19, 0xA1, 0x5C,
- 0xB5, 0x1C, 0x6E, 0xD5, 0xC1, 0x52, 0x43, 0xE7,
- 0xA7, 0xFD, 0x65, 0x3C
-};
-
-static const unsigned char long_kat_hash_sha3_256[32] =
-{
- 0x5C, 0x88, 0x75, 0xAE, 0x47, 0x4A, 0x36, 0x34,
- 0xBA, 0x4F, 0xD5, 0x5E, 0xC8, 0x5B, 0xFF, 0xD6,
- 0x61, 0xF3, 0x2A, 0xCA, 0x75, 0xC6, 0xD6, 0x99,
- 0xD0, 0xCD, 0xCB, 0x6C, 0x11, 0x58, 0x91, 0xC1
-};
-
-static const unsigned char long_kat_hash_sha3_384[48] =
-{
- 0xEE, 0xE9, 0xE2, 0x4D, 0x78, 0xC1, 0x85, 0x53,
- 0x37, 0x98, 0x34, 0x51, 0xDF, 0x97, 0xC8, 0xAD,
- 0x9E, 0xED, 0xF2, 0x56, 0xC6, 0x33, 0x4F, 0x8E,
- 0x94, 0x8D, 0x25, 0x2D, 0x5E, 0x0E, 0x76, 0x84,
- 0x7A, 0xA0, 0x77, 0x4D, 0xDB, 0x90, 0xA8, 0x42,
- 0x19, 0x0D, 0x2C, 0x55, 0x8B, 0x4B, 0x83, 0x40
-};
-
-static const unsigned char long_kat_hash_sha3_512[64] =
-{
- 0x3C, 0x3A, 0x87, 0x6D, 0xA1, 0x40, 0x34, 0xAB,
- 0x60, 0x62, 0x7C, 0x07, 0x7B, 0xB9, 0x8F, 0x7E,
- 0x12, 0x0A, 0x2A, 0x53, 0x70, 0x21, 0x2D, 0xFF,
- 0xB3, 0x38, 0x5A, 0x18, 0xD4, 0xF3, 0x88, 0x59,
- 0xED, 0x31, 0x1D, 0x0A, 0x9D, 0x51, 0x41, 0xCE,
- 0x9C, 0xC5, 0xC6, 0x6E, 0xE6, 0x89, 0xB2, 0x66,
- 0xA8, 0xAA, 0x18, 0xAC, 0xE8, 0x28, 0x2A, 0x0E,
- 0x0D, 0xB5, 0x96, 0xC9, 0x0B, 0x0A, 0x7B, 0x87
-};
-
-static int mbedtls_sha3_kat_test(int verbose,
- const char *type_name,
- mbedtls_sha3_id id,
- int test_num)
-{
- uint8_t hash[64];
- int result;
-
- result = mbedtls_sha3(id,
- test_data[test_num], test_data_len[test_num],
- hash, sizeof(hash));
- if (result != 0) {
- if (verbose != 0) {
- mbedtls_printf(" %s test %d error code: %d\n",
- type_name, test_num, result);
- }
-
- return result;
- }
-
- switch (id) {
- case MBEDTLS_SHA3_224:
- result = memcmp(hash, test_hash_sha3_224[test_num], 28);
- break;
- case MBEDTLS_SHA3_256:
- result = memcmp(hash, test_hash_sha3_256[test_num], 32);
- break;
- case MBEDTLS_SHA3_384:
- result = memcmp(hash, test_hash_sha3_384[test_num], 48);
- break;
- case MBEDTLS_SHA3_512:
- result = memcmp(hash, test_hash_sha3_512[test_num], 64);
- break;
- default:
- break;
- }
-
- if (0 != result) {
- if (verbose != 0) {
- mbedtls_printf(" %s test %d failed\n", type_name, test_num);
- }
-
- return -1;
- }
-
- if (verbose != 0) {
- mbedtls_printf(" %s test %d passed\n", type_name, test_num);
- }
-
- return 0;
-}
-
-static int mbedtls_sha3_long_kat_test(int verbose,
- const char *type_name,
- mbedtls_sha3_id id)
-{
- mbedtls_sha3_context ctx;
- unsigned char buffer[1000];
- unsigned char hash[64];
- int result = 0;
-
- memset(buffer, 'a', 1000);
-
- if (verbose != 0) {
- mbedtls_printf(" %s long KAT test ", type_name);
- }
-
- mbedtls_sha3_init(&ctx);
-
- result = mbedtls_sha3_starts(&ctx, id);
- if (result != 0) {
- if (verbose != 0) {
- mbedtls_printf("setup failed\n ");
- }
- }
-
- /* Process 1,000,000 (one million) 'a' characters */
- for (int i = 0; i < 1000; i++) {
- result = mbedtls_sha3_update(&ctx, buffer, 1000);
- if (result != 0) {
- if (verbose != 0) {
- mbedtls_printf("update error code: %i\n", result);
- }
-
- goto cleanup;
- }
- }
-
- result = mbedtls_sha3_finish(&ctx, hash, sizeof(hash));
- if (result != 0) {
- if (verbose != 0) {
- mbedtls_printf("finish error code: %d\n", result);
- }
-
- goto cleanup;
- }
-
- switch (id) {
- case MBEDTLS_SHA3_224:
- result = memcmp(hash, long_kat_hash_sha3_224, 28);
- break;
- case MBEDTLS_SHA3_256:
- result = memcmp(hash, long_kat_hash_sha3_256, 32);
- break;
- case MBEDTLS_SHA3_384:
- result = memcmp(hash, long_kat_hash_sha3_384, 48);
- break;
- case MBEDTLS_SHA3_512:
- result = memcmp(hash, long_kat_hash_sha3_512, 64);
- break;
- default:
- break;
- }
-
- if (result != 0) {
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
-
-cleanup:
- mbedtls_sha3_free(&ctx);
- return result;
-}
-
-int mbedtls_sha3_self_test(int verbose)
-{
- int i;
-
- /* SHA-3 Known Answer Tests (KAT) */
- for (i = 0; i < 2; i++) {
- if (0 != mbedtls_sha3_kat_test(verbose,
- "SHA3-224", MBEDTLS_SHA3_224, i)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_kat_test(verbose,
- "SHA3-256", MBEDTLS_SHA3_256, i)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_kat_test(verbose,
- "SHA3-384", MBEDTLS_SHA3_384, i)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_kat_test(verbose,
- "SHA3-512", MBEDTLS_SHA3_512, i)) {
- return 1;
- }
- }
-
- /* SHA-3 long KAT tests */
- if (0 != mbedtls_sha3_long_kat_test(verbose,
- "SHA3-224", MBEDTLS_SHA3_224)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_long_kat_test(verbose,
- "SHA3-256", MBEDTLS_SHA3_256)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_long_kat_test(verbose,
- "SHA3-384", MBEDTLS_SHA3_384)) {
- return 1;
- }
-
- if (0 != mbedtls_sha3_long_kat_test(verbose,
- "SHA3-512", MBEDTLS_SHA3_512)) {
- return 1;
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_SHA3_C */
diff --git a/library/sha512.c b/library/sha512.c
deleted file mode 100644
index e739af2..0000000
--- a/library/sha512.c
+++ /dev/null
@@ -1,1123 +0,0 @@
-/*
- * FIPS-180-2 compliant SHA-384/512 implementation
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * The SHA-512 Secure Hash Standard was published by NIST in 2002.
- *
- * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
- */
-
-#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \
- defined(__clang__) && __clang_major__ >= 7
-/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
- *
- * The intrinsic declaration are guarded by predefined ACLE macros in clang:
- * these are normally only enabled by the -march option on the command line.
- * By defining the macros ourselves we gain access to those declarations without
- * requiring -march on the command line.
- *
- * `arm_neon.h` could be included by any header file, so we put these defines
- * at the top of this file, before any includes.
- */
-#define __ARM_FEATURE_SHA512 1
-#define MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG
-#endif
-
-#include "common.h"
-
-#if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C)
-
-#include "mbedtls/sha512.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#if defined(_MSC_VER) || defined(__WATCOMC__)
- #define UL64(x) x##ui64
-#else
- #define UL64(x) x##ULL
-#endif
-
-#include <string.h>
-
-#include "mbedtls/platform.h"
-
-#if defined(__aarch64__)
-# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-/* *INDENT-OFF* */
-# ifdef __ARM_NEON
-# include <arm_neon.h>
-# else
-# error "Target does not support NEON instructions"
-# endif
-/*
- * Best performance comes from most recent compilers, with intrinsics and -O3.
- * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
- * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12).
- *
- * GCC < 8 won't work at all (lacks the sha512 instructions)
- * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512
- *
- * Clang < 7 won't work at all (lacks the sha512 instructions)
- * Clang 7-12 don't have intrinsics (but we work around that with inline
- * assembler) or __ARM_FEATURE_SHA512
- * Clang == 13.0.0 same as clang 12 (only seen on macOS)
- * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics
- */
-# if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG)
- /* Test Clang first, as it defines __GNUC__ */
-# if defined(__ARMCOMPILER_VERSION)
-# if __ARMCOMPILER_VERSION < 6090000
-# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
-# elif __ARMCOMPILER_VERSION == 6090000
-# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
-# else
-# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# endif
-# elif defined(__clang__)
-# if __clang_major__ < 7
-# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
-# else
-# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
-# define MBEDTLS_POP_TARGET_PRAGMA
-# endif
-# elif defined(__GNUC__)
-# if __GNUC__ < 8
-# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
-# else
-# pragma GCC push_options
-# pragma GCC target ("arch=armv8.2-a+sha3")
-# define MBEDTLS_POP_TARGET_PRAGMA
-# endif
-# else
-# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
-# endif
-# endif
-/* *INDENT-ON* */
-# endif
-# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-# if defined(__unix__)
-# if defined(__linux__)
-/* Our preferred method of detection is getauxval() */
-# include <sys/auxv.h>
-# endif
-/* Use SIGILL on Unix, and fall back to it on Linux */
-# include <signal.h>
-# endif
-# endif
-#elif defined(_M_ARM64)
-# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-# include <arm64_neon.h>
-# endif
-#else
-# undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
-# undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-#endif
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * Capability detection code comes early, so we can disable
- * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
- */
-#if defined(HWCAP_SHA512)
-static int mbedtls_a64_crypto_sha512_determine_support(void)
-{
- return (getauxval(AT_HWCAP) & HWCAP_SHA512) ? 1 : 0;
-}
-#elif defined(__APPLE__)
-#include <sys/types.h>
-#include <sys/sysctl.h>
-
-static int mbedtls_a64_crypto_sha512_determine_support(void)
-{
- int value = 0;
- size_t value_len = sizeof(value);
-
- int ret = sysctlbyname("hw.optional.armv8_2_sha512", &value, &value_len,
- NULL, 0);
- return ret == 0 && value != 0;
-}
-#elif defined(_M_ARM64)
-/*
- * As of March 2022, there don't appear to be any PF_ARM_V8_* flags
- * available to pass to IsProcessorFeaturePresent() to check for
- * SHA-512 support. So we fall back to the C code only.
- */
-#if defined(_MSC_VER)
-#pragma message "No mechanism to detect A64_CRYPTO found, using C code only"
-#else
-#warning "No mechanism to detect A64_CRYPTO found, using C code only"
-#endif
-#elif defined(__unix__) && defined(SIG_SETMASK)
-/* Detection with SIGILL, setjmp() and longjmp() */
-#include <signal.h>
-#include <setjmp.h>
-
-static jmp_buf return_from_sigill;
-
-/*
- * A64 SHA512 support detection via SIGILL
- */
-static void sigill_handler(int signal)
-{
- (void) signal;
- longjmp(return_from_sigill, 1);
-}
-
-static int mbedtls_a64_crypto_sha512_determine_support(void)
-{
- struct sigaction old_action, new_action;
-
- sigset_t old_mask;
- if (sigprocmask(0, NULL, &old_mask)) {
- return 0;
- }
-
- sigemptyset(&new_action.sa_mask);
- new_action.sa_flags = 0;
- new_action.sa_handler = sigill_handler;
-
- sigaction(SIGILL, &new_action, &old_action);
-
- static int ret = 0;
-
- if (setjmp(return_from_sigill) == 0) { /* First return only */
- /* If this traps, we will return a second time from setjmp() with 1 */
- asm ("sha512h q0, q0, v0.2d" : : : "v0");
- ret = 1;
- }
-
- sigaction(SIGILL, &old_action, NULL);
- sigprocmask(SIG_SETMASK, &old_mask, NULL);
-
- return ret;
-}
-#else
-#warning "No mechanism to detect A64_CRYPTO found, using C code only"
-#undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-#endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */
-
-#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
-
-#if !defined(MBEDTLS_SHA512_ALT)
-
-#define SHA512_BLOCK_SIZE 128
-
-#if defined(MBEDTLS_SHA512_SMALLER)
-static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i)
-{
- MBEDTLS_PUT_UINT64_BE(n, b, i);
-}
-#else
-#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
-#endif /* MBEDTLS_SHA512_SMALLER */
-
-void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
-{
- memset(ctx, 0, sizeof(mbedtls_sha512_context));
-}
-
-void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
-{
- if (ctx == NULL) {
- return;
- }
-
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context));
-}
-
-void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
- const mbedtls_sha512_context *src)
-{
- *dst = *src;
-}
-
-/*
- * SHA-512 context setup
- */
-int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384)
-{
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
- if (is384 != 0 && is384 != 1) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#elif defined(MBEDTLS_SHA512_C)
- if (is384 != 0) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#else /* defined MBEDTLS_SHA384_C only */
- if (is384 == 0) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#endif
-
- ctx->total[0] = 0;
- ctx->total[1] = 0;
-
- if (is384 == 0) {
-#if defined(MBEDTLS_SHA512_C)
- ctx->state[0] = UL64(0x6A09E667F3BCC908);
- ctx->state[1] = UL64(0xBB67AE8584CAA73B);
- ctx->state[2] = UL64(0x3C6EF372FE94F82B);
- ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
- ctx->state[4] = UL64(0x510E527FADE682D1);
- ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
- ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
- ctx->state[7] = UL64(0x5BE0CD19137E2179);
-#endif /* MBEDTLS_SHA512_C */
- } else {
-#if defined(MBEDTLS_SHA384_C)
- ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
- ctx->state[1] = UL64(0x629A292A367CD507);
- ctx->state[2] = UL64(0x9159015A3070DD17);
- ctx->state[3] = UL64(0x152FECD8F70E5939);
- ctx->state[4] = UL64(0x67332667FFC00B31);
- ctx->state[5] = UL64(0x8EB44A8768581511);
- ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
- ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
-#endif /* MBEDTLS_SHA384_C */
- }
-
-#if defined(MBEDTLS_SHA384_C)
- ctx->is384 = is384;
-#endif
-
- return 0;
-}
-
-#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
-
-/*
- * Round constants
- */
-static const uint64_t K[80] =
-{
- UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
- UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
- UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
- UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
- UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
- UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
- UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
- UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
- UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
- UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
- UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
- UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
- UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
- UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
- UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
- UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
- UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
- UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
- UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
- UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
- UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
- UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
- UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
- UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
- UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
- UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
- UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
- UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
- UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
- UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
- UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
- UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
- UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
- UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
- UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
- UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
- UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
- UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
- UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
- UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
-};
-#endif
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
- defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-# define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many
-# define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process
-#endif
-
-/* Accelerated SHA-512 implementation originally written by Simon Tatham for PuTTY,
- * under the MIT licence; dual-licensed as Apache 2 with his kind permission.
- */
-
-#if defined(__clang__) && \
- (__clang_major__ < 13 || \
- (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0))
-static inline uint64x2_t vsha512su0q_u64(uint64x2_t x, uint64x2_t y)
-{
- asm ("sha512su0 %0.2D,%1.2D" : "+w" (x) : "w" (y));
- return x;
-}
-static inline uint64x2_t vsha512su1q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
-{
- asm ("sha512su1 %0.2D,%1.2D,%2.2D" : "+w" (x) : "w" (y), "w" (z));
- return x;
-}
-static inline uint64x2_t vsha512hq_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
-{
- asm ("sha512h %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
- return x;
-}
-static inline uint64x2_t vsha512h2q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
-{
- asm ("sha512h2 %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
- return x;
-}
-#endif /* __clang__ etc */
-
-static size_t mbedtls_internal_sha512_process_many_a64_crypto(
- mbedtls_sha512_context *ctx, const uint8_t *msg, size_t len)
-{
- uint64x2_t ab = vld1q_u64(&ctx->state[0]);
- uint64x2_t cd = vld1q_u64(&ctx->state[2]);
- uint64x2_t ef = vld1q_u64(&ctx->state[4]);
- uint64x2_t gh = vld1q_u64(&ctx->state[6]);
-
- size_t processed = 0;
-
- for (;
- len >= SHA512_BLOCK_SIZE;
- processed += SHA512_BLOCK_SIZE,
- msg += SHA512_BLOCK_SIZE,
- len -= SHA512_BLOCK_SIZE) {
- uint64x2_t initial_sum, sum, intermed;
-
- uint64x2_t ab_orig = ab;
- uint64x2_t cd_orig = cd;
- uint64x2_t ef_orig = ef;
- uint64x2_t gh_orig = gh;
-
- uint64x2_t s0 = (uint64x2_t) vld1q_u8(msg + 16 * 0);
- uint64x2_t s1 = (uint64x2_t) vld1q_u8(msg + 16 * 1);
- uint64x2_t s2 = (uint64x2_t) vld1q_u8(msg + 16 * 2);
- uint64x2_t s3 = (uint64x2_t) vld1q_u8(msg + 16 * 3);
- uint64x2_t s4 = (uint64x2_t) vld1q_u8(msg + 16 * 4);
- uint64x2_t s5 = (uint64x2_t) vld1q_u8(msg + 16 * 5);
- uint64x2_t s6 = (uint64x2_t) vld1q_u8(msg + 16 * 6);
- uint64x2_t s7 = (uint64x2_t) vld1q_u8(msg + 16 * 7);
-
-#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* assume LE if these not defined; untested on BE */
- s0 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s0)));
- s1 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s1)));
- s2 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s2)));
- s3 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s3)));
- s4 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s4)));
- s5 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s5)));
- s6 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s6)));
- s7 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s7)));
-#endif
-
- /* Rounds 0 and 1 */
- initial_sum = vaddq_u64(s0, vld1q_u64(&K[0]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
- intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
- gh = vsha512h2q_u64(intermed, cd, ab);
- cd = vaddq_u64(cd, intermed);
-
- /* Rounds 2 and 3 */
- initial_sum = vaddq_u64(s1, vld1q_u64(&K[2]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
- intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
- ef = vsha512h2q_u64(intermed, ab, gh);
- ab = vaddq_u64(ab, intermed);
-
- /* Rounds 4 and 5 */
- initial_sum = vaddq_u64(s2, vld1q_u64(&K[4]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
- intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
- cd = vsha512h2q_u64(intermed, gh, ef);
- gh = vaddq_u64(gh, intermed);
-
- /* Rounds 6 and 7 */
- initial_sum = vaddq_u64(s3, vld1q_u64(&K[6]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
- intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
- ab = vsha512h2q_u64(intermed, ef, cd);
- ef = vaddq_u64(ef, intermed);
-
- /* Rounds 8 and 9 */
- initial_sum = vaddq_u64(s4, vld1q_u64(&K[8]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
- intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
- gh = vsha512h2q_u64(intermed, cd, ab);
- cd = vaddq_u64(cd, intermed);
-
- /* Rounds 10 and 11 */
- initial_sum = vaddq_u64(s5, vld1q_u64(&K[10]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
- intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
- ef = vsha512h2q_u64(intermed, ab, gh);
- ab = vaddq_u64(ab, intermed);
-
- /* Rounds 12 and 13 */
- initial_sum = vaddq_u64(s6, vld1q_u64(&K[12]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
- intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
- cd = vsha512h2q_u64(intermed, gh, ef);
- gh = vaddq_u64(gh, intermed);
-
- /* Rounds 14 and 15 */
- initial_sum = vaddq_u64(s7, vld1q_u64(&K[14]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
- intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
- ab = vsha512h2q_u64(intermed, ef, cd);
- ef = vaddq_u64(ef, intermed);
-
- for (unsigned int t = 16; t < 80; t += 16) {
- /* Rounds t and t + 1 */
- s0 = vsha512su1q_u64(vsha512su0q_u64(s0, s1), s7, vextq_u64(s4, s5, 1));
- initial_sum = vaddq_u64(s0, vld1q_u64(&K[t]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
- intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
- gh = vsha512h2q_u64(intermed, cd, ab);
- cd = vaddq_u64(cd, intermed);
-
- /* Rounds t + 2 and t + 3 */
- s1 = vsha512su1q_u64(vsha512su0q_u64(s1, s2), s0, vextq_u64(s5, s6, 1));
- initial_sum = vaddq_u64(s1, vld1q_u64(&K[t + 2]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
- intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
- ef = vsha512h2q_u64(intermed, ab, gh);
- ab = vaddq_u64(ab, intermed);
-
- /* Rounds t + 4 and t + 5 */
- s2 = vsha512su1q_u64(vsha512su0q_u64(s2, s3), s1, vextq_u64(s6, s7, 1));
- initial_sum = vaddq_u64(s2, vld1q_u64(&K[t + 4]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
- intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
- cd = vsha512h2q_u64(intermed, gh, ef);
- gh = vaddq_u64(gh, intermed);
-
- /* Rounds t + 6 and t + 7 */
- s3 = vsha512su1q_u64(vsha512su0q_u64(s3, s4), s2, vextq_u64(s7, s0, 1));
- initial_sum = vaddq_u64(s3, vld1q_u64(&K[t + 6]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
- intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
- ab = vsha512h2q_u64(intermed, ef, cd);
- ef = vaddq_u64(ef, intermed);
-
- /* Rounds t + 8 and t + 9 */
- s4 = vsha512su1q_u64(vsha512su0q_u64(s4, s5), s3, vextq_u64(s0, s1, 1));
- initial_sum = vaddq_u64(s4, vld1q_u64(&K[t + 8]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
- intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
- gh = vsha512h2q_u64(intermed, cd, ab);
- cd = vaddq_u64(cd, intermed);
-
- /* Rounds t + 10 and t + 11 */
- s5 = vsha512su1q_u64(vsha512su0q_u64(s5, s6), s4, vextq_u64(s1, s2, 1));
- initial_sum = vaddq_u64(s5, vld1q_u64(&K[t + 10]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
- intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
- ef = vsha512h2q_u64(intermed, ab, gh);
- ab = vaddq_u64(ab, intermed);
-
- /* Rounds t + 12 and t + 13 */
- s6 = vsha512su1q_u64(vsha512su0q_u64(s6, s7), s5, vextq_u64(s2, s3, 1));
- initial_sum = vaddq_u64(s6, vld1q_u64(&K[t + 12]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
- intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
- cd = vsha512h2q_u64(intermed, gh, ef);
- gh = vaddq_u64(gh, intermed);
-
- /* Rounds t + 14 and t + 15 */
- s7 = vsha512su1q_u64(vsha512su0q_u64(s7, s0), s6, vextq_u64(s3, s4, 1));
- initial_sum = vaddq_u64(s7, vld1q_u64(&K[t + 14]));
- sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
- intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
- ab = vsha512h2q_u64(intermed, ef, cd);
- ef = vaddq_u64(ef, intermed);
- }
-
- ab = vaddq_u64(ab, ab_orig);
- cd = vaddq_u64(cd, cd_orig);
- ef = vaddq_u64(ef, ef_orig);
- gh = vaddq_u64(gh, gh_orig);
- }
-
- vst1q_u64(&ctx->state[0], ab);
- vst1q_u64(&ctx->state[2], cd);
- vst1q_u64(&ctx->state[4], ef);
- vst1q_u64(&ctx->state[6], gh);
-
- return processed;
-}
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * This function is for internal use only if we are building both C and A64
- * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
- */
-static
-#endif
-int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
- const unsigned char data[SHA512_BLOCK_SIZE])
-{
- return (mbedtls_internal_sha512_process_many_a64_crypto(ctx, data,
- SHA512_BLOCK_SIZE) ==
- SHA512_BLOCK_SIZE) ? 0 : -1;
-}
-
-#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
-
-#if defined(MBEDTLS_POP_TARGET_PRAGMA)
-#if defined(__clang__)
-#pragma clang attribute pop
-#elif defined(__GNUC__)
-#pragma GCC pop_options
-#endif
-#undef MBEDTLS_POP_TARGET_PRAGMA
-#endif
-
-
-#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-#define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many
-#define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process
-#endif
-
-
-#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-/*
- * This function is for internal use only if we are building both C and A64
- * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
- */
-static
-#endif
-int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx,
- const unsigned char data[SHA512_BLOCK_SIZE])
-{
- int i;
- struct {
- uint64_t temp1, temp2, W[80];
- uint64_t A[8];
- } local;
-
-#define SHR(x, n) ((x) >> (n))
-#define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n))))
-
-#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
-#define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
-
-#define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
-#define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
-
-#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
-#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
-
-#define P(a, b, c, d, e, f, g, h, x, K) \
- do \
- { \
- local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
- local.temp2 = S2(a) + F0((a), (b), (c)); \
- (d) += local.temp1; (h) = local.temp1 + local.temp2; \
- } while (0)
-
- for (i = 0; i < 8; i++) {
- local.A[i] = ctx->state[i];
- }
-
-#if defined(MBEDTLS_SHA512_SMALLER)
- for (i = 0; i < 80; i++) {
- if (i < 16) {
- local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
- } else {
- local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
- S0(local.W[i - 15]) + local.W[i - 16];
- }
-
- P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
- local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
-
- local.temp1 = local.A[7]; local.A[7] = local.A[6];
- local.A[6] = local.A[5]; local.A[5] = local.A[4];
- local.A[4] = local.A[3]; local.A[3] = local.A[2];
- local.A[2] = local.A[1]; local.A[1] = local.A[0];
- local.A[0] = local.temp1;
- }
-#else /* MBEDTLS_SHA512_SMALLER */
- for (i = 0; i < 16; i++) {
- local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
- }
-
- for (; i < 80; i++) {
- local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
- S0(local.W[i - 15]) + local.W[i - 16];
- }
-
- i = 0;
- do {
- P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
- local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++;
- P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
- local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++;
- P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
- local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++;
- P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
- local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++;
- P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
- local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++;
- P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
- local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++;
- P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
- local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++;
- P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
- local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++;
- } while (i < 80);
-#endif /* MBEDTLS_SHA512_SMALLER */
-
- for (i = 0; i < 8; i++) {
- ctx->state[i] += local.A[i];
- }
-
- /* Zeroise buffers and variables to clear sensitive data from memory. */
- mbedtls_platform_zeroize(&local, sizeof(local));
-
- return 0;
-}
-
-#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
-
-
-#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-
-static size_t mbedtls_internal_sha512_process_many_c(
- mbedtls_sha512_context *ctx, const uint8_t *data, size_t len)
-{
- size_t processed = 0;
-
- while (len >= SHA512_BLOCK_SIZE) {
- if (mbedtls_internal_sha512_process_c(ctx, data) != 0) {
- return 0;
- }
-
- data += SHA512_BLOCK_SIZE;
- len -= SHA512_BLOCK_SIZE;
-
- processed += SHA512_BLOCK_SIZE;
- }
-
- return processed;
-}
-
-#endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
-
-
-#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
-
-static int mbedtls_a64_crypto_sha512_has_support(void)
-{
- static int done = 0;
- static int supported = 0;
-
- if (!done) {
- supported = mbedtls_a64_crypto_sha512_determine_support();
- done = 1;
- }
-
- return supported;
-}
-
-static size_t mbedtls_internal_sha512_process_many(mbedtls_sha512_context *ctx,
- const uint8_t *msg, size_t len)
-{
- if (mbedtls_a64_crypto_sha512_has_support()) {
- return mbedtls_internal_sha512_process_many_a64_crypto(ctx, msg, len);
- } else {
- return mbedtls_internal_sha512_process_many_c(ctx, msg, len);
- }
-}
-
-int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
- const unsigned char data[SHA512_BLOCK_SIZE])
-{
- if (mbedtls_a64_crypto_sha512_has_support()) {
- return mbedtls_internal_sha512_process_a64_crypto(ctx, data);
- } else {
- return mbedtls_internal_sha512_process_c(ctx, data);
- }
-}
-
-#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
-
-/*
- * SHA-512 process buffer
- */
-int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
- const unsigned char *input,
- size_t ilen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t fill;
- unsigned int left;
-
- if (ilen == 0) {
- return 0;
- }
-
- left = (unsigned int) (ctx->total[0] & 0x7F);
- fill = SHA512_BLOCK_SIZE - left;
-
- ctx->total[0] += (uint64_t) ilen;
-
- if (ctx->total[0] < (uint64_t) ilen) {
- ctx->total[1]++;
- }
-
- if (left && ilen >= fill) {
- memcpy((void *) (ctx->buffer + left), input, fill);
-
- if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
- return ret;
- }
-
- input += fill;
- ilen -= fill;
- left = 0;
- }
-
- while (ilen >= SHA512_BLOCK_SIZE) {
- size_t processed =
- mbedtls_internal_sha512_process_many(ctx, input, ilen);
- if (processed < SHA512_BLOCK_SIZE) {
- return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- }
-
- input += processed;
- ilen -= processed;
- }
-
- if (ilen > 0) {
- memcpy((void *) (ctx->buffer + left), input, ilen);
- }
-
- return 0;
-}
-
-/*
- * SHA-512 final digest
- */
-int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
- unsigned char *output)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned used;
- uint64_t high, low;
- int truncated = 0;
-
- /*
- * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
- */
- used = ctx->total[0] & 0x7F;
-
- ctx->buffer[used++] = 0x80;
-
- if (used <= 112) {
- /* Enough room for padding + length in current block */
- memset(ctx->buffer + used, 0, 112 - used);
- } else {
- /* We'll need an extra block */
- memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used);
-
- if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- memset(ctx->buffer, 0, 112);
- }
-
- /*
- * Add message length
- */
- high = (ctx->total[0] >> 61)
- | (ctx->total[1] << 3);
- low = (ctx->total[0] << 3);
-
- sha512_put_uint64_be(high, ctx->buffer, 112);
- sha512_put_uint64_be(low, ctx->buffer, 120);
-
- if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
- goto exit;
- }
-
- /*
- * Output final state
- */
- sha512_put_uint64_be(ctx->state[0], output, 0);
- sha512_put_uint64_be(ctx->state[1], output, 8);
- sha512_put_uint64_be(ctx->state[2], output, 16);
- sha512_put_uint64_be(ctx->state[3], output, 24);
- sha512_put_uint64_be(ctx->state[4], output, 32);
- sha512_put_uint64_be(ctx->state[5], output, 40);
-
-#if defined(MBEDTLS_SHA384_C)
- truncated = ctx->is384;
-#endif
- if (!truncated) {
- sha512_put_uint64_be(ctx->state[6], output, 48);
- sha512_put_uint64_be(ctx->state[7], output, 56);
- }
-
- ret = 0;
-
-exit:
- mbedtls_sha512_free(ctx);
- return ret;
-}
-
-#endif /* !MBEDTLS_SHA512_ALT */
-
-/*
- * output = SHA-512( input buffer )
- */
-int mbedtls_sha512(const unsigned char *input,
- size_t ilen,
- unsigned char *output,
- int is384)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_sha512_context ctx;
-
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
- if (is384 != 0 && is384 != 1) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#elif defined(MBEDTLS_SHA512_C)
- if (is384 != 0) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#else /* defined MBEDTLS_SHA384_C only */
- if (is384 == 0) {
- return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
- }
-#endif
-
- mbedtls_sha512_init(&ctx);
-
- if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha512_update(&ctx, input, ilen)) != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_sha512_finish(&ctx, output)) != 0) {
- goto exit;
- }
-
-exit:
- mbedtls_sha512_free(&ctx);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/*
- * FIPS-180-2 test vectors
- */
-static const unsigned char sha_test_buf[3][113] =
-{
- { "abc" },
- {
- "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
- },
- { "" }
-};
-
-static const size_t sha_test_buflen[3] =
-{
- 3, 112, 1000
-};
-
-typedef const unsigned char (sha_test_sum_t)[64];
-
-/*
- * SHA-384 test vectors
- */
-#if defined(MBEDTLS_SHA384_C)
-static sha_test_sum_t sha384_test_sum[] =
-{
- { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
- 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
- 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
- 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
- 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
- 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
- { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
- 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
- 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
- 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
- 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
- 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
- { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
- 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
- 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
- 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
- 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
- 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 }
-};
-#endif /* MBEDTLS_SHA384_C */
-
-/*
- * SHA-512 test vectors
- */
-#if defined(MBEDTLS_SHA512_C)
-static sha_test_sum_t sha512_test_sum[] =
-{
- { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
- 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
- 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
- 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
- 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
- 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
- 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
- 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
- { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
- 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
- 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
- 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
- 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
- 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
- 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
- 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
- { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
- 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
- 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
- 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
- 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
- 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
- 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
- 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
-};
-#endif /* MBEDTLS_SHA512_C */
-
-static int mbedtls_sha512_common_self_test(int verbose, int is384)
-{
- int i, buflen, ret = 0;
- unsigned char *buf;
- unsigned char sha512sum[64];
- mbedtls_sha512_context ctx;
-
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
- sha_test_sum_t *sha_test_sum = (is384) ? sha384_test_sum : sha512_test_sum;
-#elif defined(MBEDTLS_SHA512_C)
- sha_test_sum_t *sha_test_sum = sha512_test_sum;
-#else
- sha_test_sum_t *sha_test_sum = sha384_test_sum;
-#endif
-
- buf = mbedtls_calloc(1024, sizeof(unsigned char));
- if (NULL == buf) {
- if (verbose != 0) {
- mbedtls_printf("Buffer allocation failed\n");
- }
-
- return 1;
- }
-
- mbedtls_sha512_init(&ctx);
-
- for (i = 0; i < 3; i++) {
- if (verbose != 0) {
- mbedtls_printf(" SHA-%d test #%d: ", 512 - is384 * 128, i + 1);
- }
-
- if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
- goto fail;
- }
-
- if (i == 2) {
- memset(buf, 'a', buflen = 1000);
-
- for (int j = 0; j < 1000; j++) {
- ret = mbedtls_sha512_update(&ctx, buf, buflen);
- if (ret != 0) {
- goto fail;
- }
- }
- } else {
- ret = mbedtls_sha512_update(&ctx, sha_test_buf[i],
- sha_test_buflen[i]);
- if (ret != 0) {
- goto fail;
- }
- }
-
- if ((ret = mbedtls_sha512_finish(&ctx, sha512sum)) != 0) {
- goto fail;
- }
-
- if (memcmp(sha512sum, sha_test_sum[i], 64 - is384 * 16) != 0) {
- ret = 1;
- goto fail;
- }
-
- if (verbose != 0) {
- mbedtls_printf("passed\n");
- }
- }
-
- if (verbose != 0) {
- mbedtls_printf("\n");
- }
-
- goto exit;
-
-fail:
- if (verbose != 0) {
- mbedtls_printf("failed\n");
- }
-
-exit:
- mbedtls_sha512_free(&ctx);
- mbedtls_free(buf);
-
- return ret;
-}
-
-#if defined(MBEDTLS_SHA512_C)
-int mbedtls_sha512_self_test(int verbose)
-{
- return mbedtls_sha512_common_self_test(verbose, 0);
-}
-#endif /* MBEDTLS_SHA512_C */
-
-#if defined(MBEDTLS_SHA384_C)
-int mbedtls_sha384_self_test(int verbose)
-{
- return mbedtls_sha512_common_self_test(verbose, 1);
-}
-#endif /* MBEDTLS_SHA384_C */
-
-#undef ARRAY_LENGTH
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#endif /* MBEDTLS_SHA512_C || MBEDTLS_SHA384_C */
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 929c28b..772cb8f 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -2,19 +2,7 @@
* SSL session cache implementation
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* These session callbacks use a simple chained list
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 95aa581..5fc9000 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -4,19 +4,7 @@
* \brief SSL ciphersuites for Mbed TLS
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -29,7 +17,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif
#include <string.h>
@@ -292,15 +280,15 @@ static const int ciphersuite_preference[] =
static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
0,
MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256,
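Review bot: The TLS 1.3 block now mixes two guard families: the AES-256-GCM-SHA384 entry is gated on `PSA_WANT_ALG_SHA_384`, while the AES-128-GCM-SHA256 entry directly below still uses `MBEDTLS_MD_CAN_SHA256`, and both entries still name the legacy `MBEDTLS_MD_SHA384` / `MBEDTLS_MD_SHA256` identifiers. If the split is a deliberate step in a staged migration, a short comment above the first guard would record it, e.g. `/* SHA-384 is gated on the PSA symbol; SHA-1/SHA-256 guards are still MBEDTLS_MD_CAN_xxx */`. It is also worth confirming that `PSA_WANT_ALG_SHA_384` being defined implies the hash behind `MBEDTLS_MD_SHA384` is usable in every supported configuration, since a suite listed here without a working hash would presumably fail only at handshake time. The same mix recurs in the later ECDHE-ECDSA, ECDHE-RSA, DHE-RSA and RSA hunks of this file, and the table's initializer continues outside this hunk.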
@@ -321,7 +309,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
#endif /* MBEDTLS_MD_CAN_SHA256 && MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
"TLS1-3-CHACHA20-POLY1305-SHA256",
@@ -395,9 +383,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
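Review bot: The entries in this table now depend on `MBEDTLS_SSL_HAVE_AES`, `MBEDTLS_SSL_HAVE_CBC` and `MBEDTLS_SSL_HAVE_CAMELLIA`, whose definitions are not visible in this file's hunks, and a symbol that is misspelled or not yet defined when this file is compiled drops the suites silently instead of failing the build. A comment at the first use, such as `/* MBEDTLS_SSL_HAVE_xxx come from the configuration headers; if one is undefined the suites below are compiled out */`, would make that dependency explicit, and a test build that checks the table contents for a PSA-only configuration would catch a missing definition. The ECDHE-RSA hunk further down also changes a condition rather than renaming it, from `(defined(MBEDTLS_GCM_C) || defined(PSA_WANT_ALG_GCM))` to `defined(MBEDTLS_SSL_HAVE_GCM)`, so the two should be confirmed equivalent or the difference noted in the ChangeLog. The array initializer starts and ends outside this hunk.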
@@ -406,15 +394,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA1 */
#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -422,20 +410,20 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -454,10 +442,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
"TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
@@ -465,14 +453,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
"TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -482,15 +470,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
"TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_MD_CAN_SHA1)
@@ -503,9 +491,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
@@ -514,40 +502,40 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA1 */
#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#if (defined(MBEDTLS_GCM_C) || defined(PSA_WANT_ALG_GCM))
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#if (defined(MBEDTLS_GCM_C) || defined(PSA_WANT_ALG_GCM))
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_AES_C */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
"TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
@@ -555,14 +543,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
"TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -572,15 +560,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
"TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_MD_CAN_SHA1)
@@ -593,14 +581,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_MD_CAN_SHA384) && \
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(PSA_WANT_ALG_SHA_384) && \
defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_GCM_C */
+#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_SSL_HAVE_GCM */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_SSL_HAVE_GCM)
@@ -610,7 +598,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
@@ -620,10 +608,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA1)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
@@ -635,7 +623,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
@@ -654,10 +642,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
@@ -681,7 +669,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
@@ -690,26 +678,26 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_MD_CAN_SHA384) && \
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(PSA_WANT_ALG_SHA_384) && \
defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_GCM_C */
+#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_SSL_HAVE_GCM */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_SSL_HAVE_GCM)
@@ -719,7 +707,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
@@ -729,11 +717,11 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA256 */
#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
@@ -743,7 +731,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA1 */
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
@@ -763,10 +751,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
@@ -790,7 +778,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -800,21 +788,21 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
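Review bot: Hash availability is now tested with two different macro families inside one table: the SHA-384 entry in this hunk is guarded by `PSA_WANT_ALG_SHA_384`, while the SHA-256 and SHA-1 guards around it remain `MBEDTLS_MD_CAN_SHA256` and `MBEDTLS_MD_CAN_SHA1`. The later hunks repeat the split, down to compound conditions such as `defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256)` in the ARIA block. If this is a staged migration, a comment ahead of the table would say so, for example `/* Hash guards: SHA-384 is keyed on PSA_WANT_ALG_SHA_384; SHA-1 and SHA-256 still use MBEDTLS_MD_CAN_* until they are migrated. */`. The `ciphersuite_definitions[]` initializer begins and ends outside this hunk, so the comment would go at its head.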
@@ -823,15 +811,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA1 */
#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
@@ -839,24 +827,24 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_AES_C */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
"TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
@@ -864,14 +852,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
"TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -881,15 +869,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
"TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_MD_CAN_SHA1)
@@ -902,9 +890,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
@@ -913,15 +901,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#endif /* MBEDTLS_MD_CAN_SHA1 */
#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
@@ -929,24 +917,24 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(PSA_WANT_ALG_SHA_384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_AES_C */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
"TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
@@ -954,14 +942,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -971,15 +959,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_MD_CAN_SHA1)
@@ -992,7 +980,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
@@ -1001,15 +989,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
@@ -1017,12 +1005,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA1)
{ MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
@@ -1035,7 +1023,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
@@ -1054,10 +1042,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
@@ -1065,13 +1053,13 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -1081,19 +1069,19 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
@@ -1102,15 +1090,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
@@ -1118,12 +1106,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA1)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
@@ -1136,7 +1124,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
@@ -1155,10 +1143,10 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
@@ -1166,13 +1154,13 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -1182,21 +1170,21 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
@@ -1204,12 +1192,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA1)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
@@ -1222,11 +1210,11 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
"TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
@@ -1235,20 +1223,20 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
"TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
@@ -1257,15 +1245,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
@@ -1273,12 +1261,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA1)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
@@ -1291,11 +1279,11 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_CAMELLIA_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_MD_CAN_SHA256)
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
@@ -1303,13 +1291,13 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* PSA_WANT_ALG_SHA_384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
#if defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -1319,26 +1307,26 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_CAMELLIA_C */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SSL_HAVE_AES)
#if defined(MBEDTLS_SSL_HAVE_CCM)
{ MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_HAVE_AES */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
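Review bot: The `TLS-ECJPAKE-WITH-AES-128-CCM-8` entry names `MBEDTLS_MD_SHA256`, yet its guards here are only the key exchange, `MBEDTLS_SSL_HAVE_AES` and `MBEDTLS_SSL_HAVE_CCM`; nothing in the hunk ties it to SHA-256 being available. If `MBEDTLS_SSL_HAVE_AES` can be set by options other than `MBEDTLS_AES_C` (its definition is not in this hunk), it is worth confirming that a configuration check still forces SHA-256 whenever ECJPAKE is enabled. If none does, the inner guard could read `#if defined(MBEDTLS_SSL_HAVE_CCM) && defined(MBEDTLS_MD_CAN_SHA256)`.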
@@ -1380,12 +1368,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
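Review bot: Swapping the guard on `TLS-PSK-WITH-NULL-SHA384` changes the condition under which a suite flagged `MBEDTLS_CIPHERSUITE_WEAK`, with `MBEDTLS_CIPHER_NULL` as its cipher, is compiled into the table. Any configuration in which `PSA_WANT_ALG_SHA_384` is set and `MBEDTLS_MD_CAN_SHA384` was not would gain an unencrypted suite; whether such a configuration exists cannot be told from this hunk. A build-time test that lists the compiled-in suites for the reference configurations before and after the change would settle it. The DHE-PSK, ECDHE-PSK and RSA-PSK NULL entries in the next three hunks carry the same change, and a comment on the block such as `/* NULL suites: no confidentiality; built only under MBEDTLS_CIPHER_NULL_CIPHER. */` would make the gating explicit.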
@@ -1403,12 +1391,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@@ -1426,12 +1414,12 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
@@ -1449,42 +1437,42 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_ARIA_C)
+#if defined(MBEDTLS_SSL_HAVE_ARIA)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-RSA-WITH-ARIA-128-CBC-SHA256",
@@ -1497,29 +1485,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
"TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
@@ -1532,29 +1520,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
"TLS-PSK-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-PSK-WITH-ARIA-128-CBC-SHA256",
@@ -1567,29 +1555,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
@@ -1602,29 +1590,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
@@ -1637,15 +1625,15 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
@@ -1658,29 +1646,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
"TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
"TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
@@ -1693,29 +1681,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
"TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
"TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
@@ -1728,29 +1716,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
@@ -1763,29 +1751,29 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_MD_CAN_SHA256))
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && \
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
defined(MBEDTLS_MD_CAN_SHA256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
@@ -1796,7 +1784,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#endif /* MBEDTLS_ARIA_C */
+#endif /* MBEDTLS_SSL_HAVE_ARIA */
{ 0, "",
diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h
new file mode 100644
index 0000000..27ff721
--- /dev/null
+++ b/library/ssl_ciphersuites_internal.h
@@ -0,0 +1,154 @@
+/**
+ * \file ssl_ciphersuites_internal.h
+ *
+ * \brief Internal part of the public "ssl_ciphersuites.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+#define MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_PK_C */
+
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
+ const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H */
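Review bot: This new header is not self-contained: every helper uses `mbedtls_ssl_ciphersuite_t` and `MBEDTLS_PRIVATE`, but the only include is `mbedtls/pk.h`, so it appears to compile only when the includer has already pulled in the public ciphersuite header. Adding `#include "mbedtls/ssl_ciphersuites.h"` next to the pk.h include would remove that ordering dependency. The inline predicates have no documentation; each should get a short comment naming the key exchanges it returns 1 for and stating that `info` must be non-NULL, since all of them dereference it unchecked. Two closing comments carry a stray parenthesis, `#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */` and the matching ECDHE one.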
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 1a56f1e..345e608 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -2,21 +2,7 @@
* TLS 1.2 and 1.3 client-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS ( https://tls.mbed.org )
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -26,7 +12,7 @@
#include <string.h>
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -169,7 +155,7 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
p += protocol_name_len;
}
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
/* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
MBEDTLS_PUT_UINT16_BE(*out_len - 6, buf, 4);
@@ -299,7 +285,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
}
/* Length of named_group_list */
- named_group_list_len = p - named_group_list;
+ named_group_list_len = (size_t) (p - named_group_list);
if (named_group_list_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("No group available."));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -315,7 +301,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension",
buf + 4, named_group_list_len + 2);
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_tls13_set_hs_sent_ext_mask(
@@ -405,14 +391,14 @@ static int ssl_write_client_hello_cipher_suites(
}
/* Write the cipher_suites length in number of bytes */
- cipher_suites_len = p - cipher_suites;
+ cipher_suites_len = (size_t) (p - cipher_suites);
MBEDTLS_PUT_UINT16_BE(cipher_suites_len, buf, 0);
MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
cipher_suites_len/2));
/* Output the total length of cipher_suites field. */
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
return 0;
}
@@ -623,7 +609,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
int ssl_write_supported_groups_ext_flags = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
}
@@ -651,7 +637,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
int write_sig_alg_ext = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
write_sig_alg_ext = write_sig_alg_ext ||
- (propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl));
+ (propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
@@ -682,7 +668,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
* MUST be the last extension in the ClientHello.
*/
- if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
ssl, p, end, &output_len, binders_len);
if (ret != 0) {
@@ -693,7 +679,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
/* Write the length of the list of extensions. */
- extensions_len = p - p_extensions_len - 2;
+ extensions_len = (size_t) (p - p_extensions_len) - 2;
if (extensions_len == 0) {
p = p_extensions_len;
@@ -705,12 +691,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
p_extensions_len, extensions_len);
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- MBEDTLS_SSL_PRINT_EXTS(
- 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions);
-#endif
-
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
return 0;
}
@@ -770,10 +751,10 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
if (ssl->handshake->resume != 0 &&
session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
session_negotiate->ticket != NULL) {
- mbedtls_time_t now = mbedtls_time(NULL);
- uint64_t age = (uint64_t) (now - session_negotiate->ticket_received);
- if (session_negotiate->ticket_received > now ||
- age > session_negotiate->ticket_lifetime) {
+ mbedtls_ms_time_t now = mbedtls_ms_time();
+ mbedtls_ms_time_t age = now - session_negotiate->ticket_reception_time;
+ if (age < 0 ||
+ age > (mbedtls_ms_time_t) session_negotiate->ticket_lifetime * 1000) {
/* Without valid ticket, disable session resumption.*/
MBEDTLS_SSL_DEBUG_MSG(
3, ("Ticket expired, disable session resumption"));
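Review bot: The expiry comparison mixes units without saying so: `age` is in milliseconds, `ticket_lifetime` is scaled by a bare `* 1000`, and overflow safety depends on the cast binding before the multiplication. Explicit parentheses and a comment would make that visible, e.g. `age > ((mbedtls_ms_time_t) session_negotiate->ticket_lifetime) * 1000 /* lifetime is in seconds */` (seconds is inferred from the scaling; confirm against the field's declaration). The `age < 0` branch also logs "Ticket expired", which misleads when the real cause is a clock that moved backwards; it is worth confirming whether `mbedtls_ms_time()` is monotonic on all supported platforms. `ssl_prepare_client_hello` starts and ends outside the hunk.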
@@ -784,11 +765,6 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_HAVE_TIME */
- if (ssl->conf->f_rng == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
- return MBEDTLS_ERR_SSL_NO_RNG;
- }
-
/* Bet on the highest configured version if we are not in a TLS 1.2
* renegotiation or session resumption.
*/
@@ -816,10 +792,15 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
(ssl->handshake->cookie == NULL))
#endif
{
- ret = ssl_generate_random(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
- return ret;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (!ssl->handshake->hello_retry_request_flag)
+#endif
+ {
+ ret = ssl_generate_random(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
+ return ret;
+ }
}
}
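Review bot: The new `hello_retry_request_flag` test that skips `ssl_generate_random()` has no comment explaining why, and the `#if` / `if (...)` / `#endif` / `{` construct is easy to misread. A why-comment above it would help: `/* After a HelloRetryRequest the second ClientHello must reuse the original random (RFC 8446 section 4.1.2) */`. The previous hunk removes the local `f_rng == NULL` guard, so this call now relies on the RNG having been validated elsewhere; that is presumably done at setup time, but it is not visible here and should be confirmed. The function body continues outside the hunk.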
@@ -1021,6 +1002,11 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
#endif
}
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions);
+#endif
+
cleanup:
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
diff --git a/library/ssl_client.h b/library/ssl_client.h
index f57bea3..05ee7e4 100644
--- a/library/ssl_client.h
+++ b/library/ssl_client.h
@@ -2,19 +2,7 @@
* TLS 1.2 and 1.3 client-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_CLIENT_H
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 098aced..be55963 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -2,19 +2,7 @@
* DTLS cookie callbacks implementation
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* These session callbacks use a simple chained list
@@ -36,7 +24,7 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@@ -56,7 +44,7 @@ static int local_err_translation(psa_status_t status)
#define COOKIE_MD MBEDTLS_MD_SHA256
#define COOKIE_MD_OUTLEN 32
#define COOKIE_HMAC_LEN 28
-#elif defined(MBEDTLS_MD_CAN_SHA384)
+#elif defined(PSA_WANT_ALG_SHA_384)
#define COOKIE_MD MBEDTLS_MD_SHA384
#define COOKIE_MD_OUTLEN 48
#define COOKIE_HMAC_LEN 28
@@ -96,6 +84,10 @@ void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long d
void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
{
+ if (ctx == NULL) {
+ return;
+ }
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->psa_hmac_key);
#else
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 5c22ed2..4889e77 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_DEBUG_HELPERS_H
@@ -33,6 +21,11 @@
const char *mbedtls_ssl_states_str(mbedtls_ssl_states in);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+const char *mbedtls_ssl_early_data_status_str(mbedtls_ssl_early_data_status in);
+const char *mbedtls_ssl_early_data_state_str(mbedtls_ssl_early_data_state in);
+#endif
+
const char *mbedtls_ssl_protocol_version_str(mbedtls_ssl_protocol_version in);
const char *mbedtls_tls_prf_types_str(mbedtls_tls_prf_types in);
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a99bb33..a11feb8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_MISC_H
#define MBEDTLS_SSL_MISC_H
@@ -56,6 +44,8 @@
#endif
#include "mbedtls/pk.h"
+#include "ssl_ciphersuites_internal.h"
+#include "x509_internal.h"
#include "pk_internal.h"
#include "common.h"
@@ -264,11 +254,10 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* This macro determines whether CBC is supported. */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- (defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_CAMELLIA_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_DES_C))
+#if defined(MBEDTLS_SSL_HAVE_CBC) && \
+ (defined(MBEDTLS_SSL_HAVE_AES) || \
+ defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
+ defined(MBEDTLS_SSL_HAVE_ARIA))
#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
#endif
@@ -299,7 +288,7 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
/* Ciphersuites using HMAC */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
#elif defined(MBEDTLS_MD_CAN_SHA256)
#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
@@ -311,7 +300,7 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
#define MBEDTLS_SSL_MAC_ADD 16
#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
#define MBEDTLS_SSL_PADDING_ADD 256
#else
#define MBEDTLS_SSL_PADDING_ADD 0
@@ -452,6 +441,19 @@ size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+/**
+ * \brief Get the size limit in bytes for the protected outgoing records
+ * as defined in RFC 8449
+ *
+ * \param ssl SSL context
+ *
+ * \return The size limit in bytes for the protected outgoing
+ * records as defined in RFC 8449.
+ */
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
{
@@ -650,6 +652,10 @@ struct mbedtls_ssl_handshake_params {
/* Flag indicating if a CertificateRequest message has been sent
* to the client or not. */
uint8_t certificate_request_sent;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /* Flag indicating if the server has accepted early data or not. */
+ uint8_t early_data_accepted;
+#endif
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -659,21 +665,21 @@ struct mbedtls_ssl_handshake_params {
#if defined(MBEDTLS_SSL_CLI_C)
/** Minimum TLS version to be negotiated.
*
- * It is set up in the ClientHello writing preparation stage and used
- * throughout the ClientHello writing. Not relevant anymore as soon as
- * the protocol version has been negotiated thus as soon as the
- * ServerHello is received.
- * For a fresh handshake not linked to any previous handshake, it is
- * equal to the configured minimum minor version to be negotiated. When
- * renegotiating or resuming a session, it is equal to the previously
- * negotiated minor version.
+ * It is set up in the ClientHello writing preparation stage and used
+ * throughout the ClientHello writing. Not relevant anymore as soon as
+ * the protocol version has been negotiated thus as soon as the
+ * ServerHello is received.
+ * For a fresh handshake not linked to any previous handshake, it is
+ * equal to the configured minimum minor version to be negotiated. When
+ * renegotiating or resuming a session, it is equal to the previously
+ * negotiated minor version.
*
- * There is no maximum TLS version field in this handshake context.
- * From the start of the handshake, we need to define a current protocol
- * version for the record layer which we define as the maximum TLS
- * version to be negotiated. The `tls_version` field of the SSL context is
- * used to store this maximum value until it contains the actual
- * negotiated value.
+ * There is no maximum TLS version field in this handshake context.
+ * From the start of the handshake, we need to define a current protocol
+ * version for the record layer which we define as the maximum TLS
+ * version to be negotiated. The `tls_version` field of the SSL context is
+ * used to store this maximum value until it contains the actual
+ * negotiated value.
*/
mbedtls_ssl_protocol_version min_tls_version;
#endif
@@ -724,15 +730,29 @@ struct mbedtls_ssl_handshake_params {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
uint8_t key_exchange_mode; /*!< Selected key exchange mode */
- /** Number of HelloRetryRequest messages received/sent from/to the server. */
- int hello_retry_request_count;
+ /**
+ * Flag indicating if, in the course of the current handshake, an
+ * HelloRetryRequest message has been sent by the server or received by
+ * the client (<> 0) or not (0).
+ */
+ uint8_t hello_retry_request_flag;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /**
+ * Flag indicating if, in the course of the current handshake, a dummy
+ * change_cipher_spec (CCS) record has already been sent. Used to send only
+ * one CCS per handshake while not complicating the handshake state
+ * transitions for that purpose.
+ */
+ uint8_t ccs_sent;
+#endif
#if defined(MBEDTLS_SSL_SRV_C)
- /** selected_group of key_share extension in HelloRetryRequest message. */
- uint16_t hrr_selected_group;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
#endif
+ /** selected_group of key_share extension in HelloRetryRequest message. */
+ uint16_t hrr_selected_group;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
uint16_t new_session_tickets_count; /*!< number of session tickets */
#endif
@@ -909,7 +929,7 @@ struct mbedtls_ssl_handshake_params {
mbedtls_md_context_t fin_sha256;
#endif
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha384_psa;
#else
@@ -1422,7 +1442,7 @@ int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
* Write handshake message header
*/
MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type,
+int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
unsigned char **buf, size_t *buf_len);
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -1914,89 +1934,89 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
/*
* Helper functions around key exchange modes.
*/
-static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
- int kex_mode_mask)
+static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
+ int kex_mode_mask)
{
return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
}
-static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
}
-static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
}
-static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
}
-static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
}
-static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
{
- return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
}
#if defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/**
* Given a list of key exchange modes, check if at least one of them is
- * supported.
+ * supported by peer.
*
* \param[in] ssl SSL context
* \param kex_modes_mask Mask of the key exchange modes to check
*
- * \return 0 if at least one of the key exchange modes is supported,
- * !=0 otherwise.
+ * \return Non-zero if at least one of the key exchange modes is supported by
+ * the peer, otherwise \c 0.
*/
-static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
- int kex_modes_mask)
+static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
+ int kex_modes_mask)
{
- return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0;
+ return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
}
-static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
}
-static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
+static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
}
-static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
}
-static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
}
-static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
+static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
{
- return !mbedtls_ssl_tls13_check_kex_modes(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
}
#endif /* MBEDTLS_SSL_SRV_C &&
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
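Review bot: The configuration-side helper `mbedtls_ssl_conf_tls13_is_kex_mode_enabled` has no doc comment, while its peer-side twin `mbedtls_ssl_tls13_is_kex_mode_supported` has one. The two now differ only in reading `ssl->conf->tls13_kex_modes` versus `ssl->handshake->tls13_kex_modes`, and picking the wrong family changes which key exchange modes a handshake accepts. I would add a matching header, e.g. `/** Check if at least one of the given key exchange modes is enabled in the local configuration; returns non-zero if so, otherwise 0. */`. As far as this hunk shows, every helper here only reads through `ssl`, so the parameter could also be declared `const mbedtls_ssl_context *ssl`.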
@@ -2126,9 +2146,64 @@ int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
#if defined(MBEDTLS_SSL_EARLY_DATA)
int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
+ int in_new_session_ticket,
unsigned char *buf,
const unsigned char *end,
size_t *out_len);
+
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len);
+
+typedef enum {
+/*
+ * The client has not sent the first ClientHello yet, the negotiation of early
+ * data has not started yet.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
+
+/*
+ * In its ClientHello, the client has not included an early data indication
+ * extension.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, it has not received the response (ServerHello or
+ * HelloRetryRequest) from the server yet. The transform to protect early data
+ * is not set either as for middlebox compatibility a dummy CCS may have to be
+ * sent in clear. Early data cannot be sent to the server yet.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, it has not received the response (ServerHello or
+ * HelloRetryRequest) from the server yet. The transform to protect early data
+ * has been set and early data can be written now.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
+
+/*
+ * The client has indicated the use of early data and the server has accepted
+ * it.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
+
+/*
+ * The client has indicated the use of early data but the server has rejected
+ * it.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, the server has accepted them and the client has received the
+ * server Finished message. It cannot send early data to the server anymore.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
+
+} mbedtls_ssl_early_data_state;
#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
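Review bot: The new prototype `mbedtls_ssl_tls13_check_early_data_len` is not marked `MBEDTLS_CHECK_RETURN_CRITICAL`, unlike other prototypes this header adds (for example `mbedtls_ssl_tls13_write_record_size_limit_ext`). Both of its callers in ssl_msg.c use the return value to stop processing discarded early data, so a caller that dropped the result would presumably lose the max_early_data_size bound. I would put `MBEDTLS_CHECK_RETURN_CRITICAL` on the line before `int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,`. Separately, the enum comment "the server has accepted them" should read "accepted it", since it refers to the early data indication.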
@@ -2358,10 +2433,10 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
break;
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA512)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
@@ -2414,12 +2489,12 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA512)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
@@ -2452,7 +2527,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
break;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
+#if defined(PSA_WANT_ALG_SHA_224)
case MBEDTLS_SSL_HASH_SHA224:
break;
#endif
@@ -2462,7 +2537,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
break;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_SSL_HASH_SHA384:
break;
#endif
@@ -2697,12 +2772,18 @@ int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
-#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len);
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#if defined(MBEDTLS_SSL_ALPN)
@@ -2771,21 +2852,64 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
const char *hostname);
#endif
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
+ defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
+ const char *alpn);
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
+
+#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
+
+static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
return session->ticket_flags &
(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
-static inline void mbedtls_ssl_session_set_ticket_flags(
+/**
+ * Check if at least one of the given flags is set in
+ * the session ticket. See the definition of
+ * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
+ * permitted flags.
+ */
+static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
+ mbedtls_ssl_session *session, unsigned int flags)
+{
+ return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
+}
+
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
+}
+
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
+}
+
+static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+}
+
+static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
-static inline void mbedtls_ssl_session_clear_ticket_flags(
+static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
mbedtls_ssl_session *session, unsigned int flags)
{
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
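Review bot: `mbedtls_ssl_tls13_session_ticket_allow_early_data` is declared `static inline unsigned int`, but it returns the result of `mbedtls_ssl_tls13_session_ticket_has_flags`, which is `int`, and its siblings `..._allow_psk` and `..._allow_psk_ephemeral` are `int`. I would make it `static inline int mbedtls_ssl_tls13_session_ticket_allow_early_data(` so all three predicates share one signature. The new `MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)` would also benefit from a trailing comment such as `/* 7 days, upper bound from RFC 8446 section 4.6.1 */`. The body of `mbedtls_ssl_tls13_session_clear_ticket_flags` continues past the end of this hunk.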
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 12b8f9b..2bdad84 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3,19 +3,7 @@
* (record layer + retransmission state machine)
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* http://www.ietf.org/rfc/rfc2246.txt
@@ -30,7 +18,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
@@ -860,7 +848,7 @@ static void ssl_extract_add_data_from_record(unsigned char *add_data,
cur += 2;
}
- *add_data_len = cur - add_data;
+ *add_data_len = (size_t) (cur - add_data);
}
#if defined(MBEDTLS_SSL_HAVE_AEAD)
@@ -1224,7 +1212,7 @@ hmac_failed_etm_disabled:
iv, transform->ivlen,
add_data, add_data_len,
data, rec->data_len, /* src */
- data, rec->buf_len - (data - rec->buf), /* dst */
+ data, rec->buf_len - (size_t) (data - rec->buf), /* dst */
&rec->data_len,
transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt_ext", ret);
@@ -1647,12 +1635,13 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
return ret;
}
#else
- if ((ret = mbedtls_cipher_auth_decrypt_ext(&transform->cipher_ctx_dec,
- iv, transform->ivlen,
- add_data, add_data_len,
- data, rec->data_len + transform->taglen, /* src */
- data, rec->buf_len - (data - rec->buf), &olen, /* dst */
- transform->taglen)) != 0) {
+ if ((ret = mbedtls_cipher_auth_decrypt_ext
+ (&transform->cipher_ctx_dec,
+ iv, transform->ivlen,
+ add_data, add_data_len,
+ data, rec->data_len + transform->taglen, /* src */
+ data, rec->buf_len - (size_t) (data - rec->buf), &olen, /* dst */
+ transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt_ext", ret);
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
@@ -2240,7 +2229,7 @@ int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want)
MBEDTLS_SSL_DEBUG_MSG(2, ("timer has expired"));
ret = MBEDTLS_ERR_SSL_TIMEOUT;
} else {
- len = in_buf_len - (ssl->in_hdr - ssl->in_buf);
+ len = in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf);
if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
timeout = ssl->handshake->retransmit_timeout;
@@ -2604,7 +2593,7 @@ int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl)
} else {
const unsigned char * const p = ssl->handshake->cur_msg_p;
const size_t hs_len = cur->len - 12;
- const size_t frag_off = p - (cur->p + 12);
+ const size_t frag_off = (size_t) (p - (cur->p + 12));
const size_t rem_len = hs_len - frag_off;
size_t cur_hs_frag_len, max_hs_frag_len;
@@ -2742,7 +2731,7 @@ void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl)
/*
* Handshake layer functions
*/
-int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type,
+int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
unsigned char **buf, size_t *buf_len)
{
/*
@@ -2981,9 +2970,9 @@ int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
mbedtls_record rec;
rec.buf = ssl->out_iv;
- rec.buf_len = out_buf_len - (ssl->out_iv - ssl->out_buf);
+ rec.buf_len = out_buf_len - (size_t) (ssl->out_iv - ssl->out_buf);
rec.data_len = ssl->out_msglen;
- rec.data_offset = ssl->out_msg - rec.buf;
+ rec.data_offset = (size_t) (ssl->out_msg - rec.buf);
memcpy(&rec.ctr[0], ssl->out_ctr, sizeof(rec.ctr));
mbedtls_ssl_write_version(rec.ver, ssl->conf->transport, tls_ver);
@@ -3108,16 +3097,12 @@ static int ssl_hs_is_proper_fragment(mbedtls_ssl_context *ssl)
static uint32_t ssl_get_hs_frag_len(mbedtls_ssl_context const *ssl)
{
- return (ssl->in_msg[9] << 16) |
- (ssl->in_msg[10] << 8) |
- ssl->in_msg[11];
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
}
static uint32_t ssl_get_hs_frag_off(mbedtls_ssl_context const *ssl)
{
- return (ssl->in_msg[6] << 16) |
- (ssl->in_msg[7] << 8) |
- ssl->in_msg[8];
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
}
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -3230,9 +3215,7 @@ static size_t ssl_get_reassembly_buffer_size(size_t msg_len,
static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
{
- return (ssl->in_msg[1] << 16) |
- (ssl->in_msg[2] << 8) |
- ssl->in_msg[3];
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
}
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
@@ -3253,7 +3236,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned int recv_msg_seq = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
+ unsigned int recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
if (ssl_check_hs_header(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("invalid handshake header"));
@@ -3606,7 +3589,7 @@ int mbedtls_ssl_check_dtls_clihlo_cookie(
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- *olen = p - obuf;
+ *olen = (size_t) (p - obuf);
/* Go back and fill length fields */
obuf[27] = (unsigned char) (*olen - 28);
@@ -3644,7 +3627,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handle_possible_reconnect(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
+ size_t len = 0;
if (ssl->conf->f_cookie_write == NULL ||
ssl->conf->f_cookie_check == NULL) {
@@ -3868,8 +3851,7 @@ static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
*/
rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
- rec->data_len = ((size_t) buf[rec_hdr_len_offset + 0] << 8) |
- ((size_t) buf[rec_hdr_len_offset + 1] << 0);
+ rec->data_len = MBEDTLS_GET_UINT16_BE(buf, rec_hdr_len_offset);
MBEDTLS_SSL_DEBUG_BUF(4, "input record header", buf, rec->data_offset);
MBEDTLS_SSL_DEBUG_MSG(3, ("input record: msgtype = %u, "
@@ -3897,7 +3879,7 @@ static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- rec_epoch = (rec->ctr[0] << 8) | rec->ctr[1];
+ rec_epoch = MBEDTLS_GET_UINT16_BE(rec->ctr, 0);
/* Check that the datagram is large enough to contain a record
* of the advertised length. */
@@ -3947,7 +3929,7 @@ static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_client_reconnect(mbedtls_ssl_context *ssl)
{
- unsigned int rec_epoch = (ssl->in_ctr[0] << 8) | ssl->in_ctr[1];
+ unsigned int rec_epoch = MBEDTLS_GET_UINT16_BE(ssl->in_ctr, 0);
/*
* Check for an epoch 0 ClientHello. We can't use in_msg here to
@@ -4003,6 +3985,35 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
rec)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data, it might receive early
+ * data as long as it has not received the client Finished message.
+ * It is encrypted with early keys and should be ignored as stated
+ * in section 4.2.10 of RFC 8446:
+ *
+ * "Ignore the extension and return a regular 1-RTT response. The
+ * server then skips past early data by attempting to deprotect
+ * received records using the handshake traffic key, discarding
+ * records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake."
+ */
+ if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) &&
+ (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: deprotect and discard app data records."));
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
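Review bot: In the new early-data branch, `ret` is overwritten with `MBEDTLS_ERR_SSL_CONTINUE_PROCESSING` for any non-zero result of the decrypt call, not only for a failed deprotection. An internal or driver error while `discard_early_data_record` is `MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD` would therefore be skipped silently as if it were early data. The quoted RFC text only covers "records which fail deprotection", so I would narrow the condition, e.g. by adding `(ret == MBEDTLS_ERR_SSL_INVALID_MAC) &&` in front of the `old_msg_type` test, assuming that is the code `mbedtls_ssl_decrypt_buf` returns for a failed tag check. The enclosing function starts before this hunk and continues after it.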
@@ -4012,9 +4023,27 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ /*
+ * The decryption of the record failed, no reason to ignore it,
+ * return in error with the decryption error code.
+ */
return ret;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * If the server were discarding protected records that it fails to
+ * deprotect because it has rejected early data, as we have just
+ * deprotected successfully a record, the server has to resume normal
+ * operation and fail the connection if the deprotection of a record
+ * fails.
+ */
+ if (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
if (old_msg_type != rec->type) {
MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
old_msg_type, rec->type));
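Review bot: The added comment above `return ret;` says the record is never ignored at that point, but `ret` may already hold `MBEDTLS_ERR_SSL_CONTINUE_PROCESSING`. The early-data branch added in the previous hunk sets it, and the unexpected-CID branch appears to as well, so the same `return` also serves the "skip this record" paths. I would reword it to something like `/* Return the decryption error, or MBEDTLS_ERR_SSL_CONTINUE_PROCESSING if one of the branches above decided to skip the record. */`. The function body starts and ends outside this hunk.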
@@ -4088,6 +4117,38 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data because it needed to send an
+ * HelloRetryRequest message, it might receive early data as long as it has
+ * not received the client Finished message.
+ * The early data is encrypted with early keys and should be ignored as
+ * stated in section 4.2.10 of RFC 8446 (second case):
+ *
+ * "The server then ignores early data by skipping all records with an
+ * external content type of "application_data" (indicating that they are
+ * encrypted), up to the configured max_early_data_size. Ignore application
+ * data message before 2nd ClientHello when early_data was received in 1st
+ * ClientHello."
+ */
+ if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
+ if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: Ignore application message before 2nd ClientHello"));
+
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_dtls_replay_update(ssl);
@@ -4269,9 +4330,7 @@ static int ssl_load_buffered_message(mbedtls_ssl_context *ssl)
hs_buf = &hs->buffering.hs[0];
if ((hs_buf->is_valid == 1) && (hs_buf->is_complete == 1)) {
/* Synthesize a record containing the buffered HS message. */
- size_t msg_len = (hs_buf->data[1] << 16) |
- (hs_buf->data[2] << 8) |
- hs_buf->data[3];
+ size_t msg_len = MBEDTLS_GET_UINT24_BE(hs_buf->data, 1);
/* Double-check that we haven't accidentally buffered
* a message that doesn't fit into the input buffer. */
@@ -4368,7 +4427,7 @@ static int ssl_buffer_message(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_MSG_HANDSHAKE:
{
unsigned recv_msg_seq_offset;
- unsigned recv_msg_seq = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
+ unsigned recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
mbedtls_ssl_hs_buffer *hs_buf;
size_t msg_len = ssl->in_hslen - 12;
@@ -5511,9 +5570,9 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_CLI_C)
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
+static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl)
{
if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
@@ -5521,15 +5580,9 @@ static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
return 0;
}
- ssl->keep_current_message = 1;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
- mbedtls_ssl_handshake_set_state(ssl,
- MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
-
- return MBEDTLS_ERR_SSL_WANT_READ;
+ return 1;
}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
@@ -5537,14 +5590,23 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- int ret = ssl_tls13_check_new_session_ticket(ssl);
- if (ret != 0) {
- return ret;
+ if (ssl_tls13_is_new_session_ticket(ssl)) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
+ ssl->keep_current_message = 1;
+
+ mbedtls_ssl_handshake_set_state(ssl,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+ return MBEDTLS_ERR_SSL_WANT_READ;
+#else
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
+ return 0;
+#endif
}
}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#endif /* MBEDTLS_SSL_CLI_C */
/* Fail in all other cases. */
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
@@ -5668,12 +5730,53 @@ static int ssl_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
}
/*
+ * brief Read at most 'len' application data bytes from the input
+ * buffer.
+ *
+ * param ssl SSL context:
+ * - First byte of application data not read yet in the input
+ * buffer located at address `in_offt`.
+ * - The number of bytes of data not read yet is `in_msglen`.
+ * param buf buffer that will hold the data
+ * param len maximum number of bytes to read
+ *
+ * note The function updates the fields `in_offt` and `in_msglen`
+ * according to the number of bytes read.
+ *
+ * return The number of bytes read.
+ */
+static int ssl_read_application_data(
+ mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
+{
+ size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen;
+
+ if (len != 0) {
+ memcpy(buf, ssl->in_offt, n);
+ ssl->in_msglen -= n;
+ }
+
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize(ssl->in_offt, n);
+
+ if (ssl->in_msglen == 0) {
+ /* all bytes consumed */
+ ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ } else {
+ /* more data available */
+ ssl->in_offt += n;
+ }
+
+ return (int) n;
+}
+
+/*
* Receive application data decrypted from the SSL layer
*/
int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t n;
if (ssl == NULL || ssl->conf == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
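Review bot: The header comment of `ssl_read_application_data` does not state that `ssl->in_offt` must be non-NULL on entry. The helper passes it to `memcpy` and `mbedtls_platform_zeroize` without a check, and it sets the field to NULL itself once `in_msglen` reaches 0. `mbedtls_ssl_read_early_data` tests `in_offt` before calling; whether `mbedtls_ssl_read` guarantees it cannot be seen in this hunk. I would add a line such as `* note The caller must ensure that in_offt is not NULL.` so the next caller of this shared helper does not rely on an unstated invariant.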
@@ -5837,31 +5940,33 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
#endif /* MBEDTLS_SSL_PROTO_DTLS */
}
- n = (len < ssl->in_msglen)
- ? len : ssl->in_msglen;
+ ret = ssl_read_application_data(ssl, buf, len);
- if (len != 0) {
- memcpy(buf, ssl->in_offt, n);
- ssl->in_msglen -= n;
- }
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
- /* Zeroising the plaintext buffer to erase unused application data
- from the memory. */
- mbedtls_platform_zeroize(ssl->in_offt, n);
+ return ret;
+}
- if (ssl->in_msglen == 0) {
- /* all bytes consumed */
- ssl->in_offt = NULL;
- ssl->keep_current_message = 0;
- } else {
- /* more data available */
- ssl->in_offt += n;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ if (ssl == NULL || (ssl->conf == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
+ /*
+ * The server may receive early data only while waiting for the End of
+ * Early Data handshake message.
+ */
+ if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
+ (ssl->in_offt == NULL)) {
+ return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;
+ }
- return (int) n;
+ return ssl_read_application_data(ssl, buf, len);
}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */
/*
* Send application data to be encrypted by the SSL layer, taking care of max
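Review bot: `mbedtls_ssl_read_early_data` checks `ssl->conf` for NULL but never checks the endpoint role, whereas `mbedtls_ssl_write_early_data` in this same commit rejects the wrong role with `conf->endpoint != MBEDTLS_SSL_IS_CLIENT`. In a build with both client and server enabled, the only guards are the `MBEDTLS_SSL_END_OF_EARLY_DATA` state and a non-NULL `in_offt`. I cannot tell from here whether a client context can satisfy both. For symmetry I would add `if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; }` after the NULL check.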
@@ -5966,6 +6071,111 @@ int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t
return ret;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const struct mbedtls_ssl_config *conf;
+ uint32_t remaining;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data"));
+
+ if (ssl == NULL || (conf = ssl->conf) == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) ||
+ (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ /*
+ * If we are at the beginning of the handshake, the early data state being
+ * equal to MBEDTLS_SSL_EARLY_DATA_STATE_IDLE or
+ * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT advance the handshake just
+ * enough to be able to send early data if possible. That way, we can
+ * guarantee that when starting the handshake with this function we will
+ * send at least one record of early data. Note that when the state is
+ * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT and not yet
+ * MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, we cannot send early data
+ * as the early data outbound transform has not been set as we may have to
+ * first send a dummy CCS in clear.
+ */
+ if ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
+ (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
+ while ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
+ (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
+ ret = mbedtls_ssl_handshake_step(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake_step", ret);
+ return ret;
+ }
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+ return ret;
+ }
+ }
+ remaining = ssl->session_negotiate->max_early_data_size;
+ } else {
+ /*
+ * If we are past the point where we can send early data or we have
+ * already reached the maximum early data size, return immediatly.
+ * Otherwise, progress the handshake as much as possible to not delay
+ * it too much. If we reach a point where we can still send early data,
+ * then we will send some.
+ */
+ if ((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
+ (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ remaining = ssl->session_negotiate->max_early_data_size -
+ ssl->total_early_data_size;
+
+ if (remaining == 0) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ ret = mbedtls_ssl_handshake(ssl);
+ if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+ }
+
+ if (((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
+ (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED))
+ || (remaining == 0)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ if (len > remaining) {
+ len = remaining;
+ }
+
+ ret = ssl_write_real(ssl, buf, len);
+ if (ret >= 0) {
+ ssl->total_early_data_size += ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, ret=%d", ret));
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
/*
* Notify the peer that the connection is being closed
*/
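Review bot: In `mbedtls_ssl_write_early_data`, the early-data budget is computed with unchecked unsigned arithmetic: `remaining = ssl->session_negotiate->max_early_data_size - ssl->total_early_data_size;`. If `total_early_data_size` ever exceeded the maximum, the subtraction would wrap to a very large value and the `len > remaining` clamp would stop limiting anything. This function keeps the invariant by itself, but nothing visible here enforces it against other writers of the field, and the first branch also assumes the total is still zero. I would saturate instead, e.g. `remaining = (total < max) ? (max - total) : 0;` with the two fields read into locals. The accumulation could carry an explicit cast like the other conversions in this commit, `ssl->total_early_data_size += (uint32_t) ret;`, adjusting the cast to the field's actual type. The comment typo "immediatly" should be "immediately".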
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 1adaa07..bfb656c 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -2,19 +2,7 @@
* TLS server tickets callbacks implementation
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -87,6 +75,10 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
#endif
+ /* The lifetime of a key is the configured lifetime of the tickets when
+ * the key is created.
+ */
+ key->lifetime = ctx->ticket_lifetime;
if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
return ret;
@@ -128,16 +120,17 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
#if !defined(MBEDTLS_HAVE_TIME)
((void) ctx);
#else
- if (ctx->ticket_lifetime != 0) {
+ mbedtls_ssl_ticket_key * const key = ctx->keys + ctx->active;
+ if (key->lifetime != 0) {
mbedtls_time_t current_time = mbedtls_time(NULL);
- mbedtls_time_t key_time = ctx->keys[ctx->active].generation_time;
+ mbedtls_time_t key_time = key->generation_time;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (current_time >= key_time &&
- (uint64_t) (current_time - key_time) < ctx->ticket_lifetime) {
+ (uint64_t) (current_time - key_time) < key->lifetime) {
return 0;
}
@@ -210,6 +203,8 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
#endif
+ key->lifetime = lifetime;
+
return 0;
}
@@ -343,7 +338,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
key = &ctx->keys[ctx->active];
- *ticket_lifetime = ctx->ticket_lifetime;
+ *ticket_lifetime = key->lifetime;
memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
@@ -353,7 +348,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
/* Dump session state */
if ((ret = mbedtls_ssl_session_save(session,
- state, end - state,
+ state, (size_t) (end - state),
&clear_len)) != 0 ||
(unsigned long) clear_len > 65535) {
goto cleanup;
@@ -376,7 +371,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
- state, end - state, &ciph_len,
+ state, (size_t) (end - state), &ciph_len,
TICKET_AUTH_TAG_BYTES)) != 0) {
goto cleanup;
}
@@ -456,7 +451,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
goto cleanup;
}
- enc_len = (enc_len_p[0] << 8) | enc_len_p[1];
+ enc_len = MBEDTLS_GET_UINT16_BE(enc_len_p, 0);
if (len != TICKET_MIN_LEN + enc_len) {
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -507,15 +502,20 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
}
#if defined(MBEDTLS_HAVE_TIME)
- {
- /* Check for expiration */
- mbedtls_time_t current_time = mbedtls_time(NULL);
+ mbedtls_ms_time_t ticket_creation_time, ticket_age;
+ mbedtls_ms_time_t ticket_lifetime =
+ (mbedtls_ms_time_t) key->lifetime * 1000;
- if (current_time < session->start ||
- (uint32_t) (current_time - session->start) > ctx->ticket_lifetime) {
- ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
- goto cleanup;
- }
+ ret = mbedtls_ssl_session_get_ticket_creation_time(session,
+ &ticket_creation_time);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ticket_age = mbedtls_ms_time() - ticket_creation_time;
+ if (ticket_age < 0 || ticket_age > ticket_lifetime) {
+ ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+ goto cleanup;
}
#endif
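Review bot: The new expiry test in mbedtls_ssl_ticket_parse() computes `ticket_age = mbedtls_ms_time() - ticket_creation_time`, which is only meaningful when both timestamps share a clock origin. That holds inside one process. If the platform's millisecond clock is not wall-clock based (not visible from this hunk), it may not hold after a restart or between servers that share ticket keys through mbedtls_ssl_ticket_rotate(). The removed `/* Check for expiration */` comment should come back in a fuller form, for example `/* Check for expiration: age is compared with the lifetime of the key that protected the ticket; a negative age is treated as expired */`. The function body starts and ends outside the hunk.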
@@ -534,6 +534,10 @@ cleanup:
*/
void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
{
+ if (ctx == NULL) {
+ return;
+ }
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->keys[0].key);
psa_destroy_key(ctx->keys[1].key);
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 827b7fb..a2fd227 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2,19 +2,7 @@
* TLS shared functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* http://www.ietf.org/rfc/rfc2246.txt
@@ -32,7 +20,7 @@
#include "ssl_debug_helpers.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
@@ -41,6 +29,7 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
#include "md_psa.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
@@ -143,7 +132,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
int *enabled,
- unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
+ unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
size_t *own_cid_len)
{
*enabled = MBEDTLS_SSL_CID_DISABLED;
@@ -249,6 +238,11 @@ int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+ dst->ticket_alpn = NULL;
+#endif
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
@@ -286,6 +280,16 @@ int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+ {
+ int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
if (src->ticket != NULL) {
dst->ticket = mbedtls_calloc(1, src->ticket_len);
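Review bot: The added block in mbedtls_ssl_session_copy() passes `src->ticket_alpn` to mbedtls_ssl_session_set_ticket_alpn() unconditionally, while the ticket copy directly below first tests `src->ticket != NULL`. If the helper does not accept a NULL ALPN (its body is not in this hunk), a session without a stored ALPN would fail to copy or dereference NULL. Either guard the call with `if (src->ticket_alpn != NULL)` or state the contract in a comment such as `/* src->ticket_alpn may be NULL; the setter then leaves dst->ticket_alpn NULL */`. The earlier hunk that sets `dst->ticket_alpn = NULL` belongs to the same change, and the rest of the function lies outside both hunks.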
@@ -318,7 +322,7 @@ static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old
{
unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
if (resized_buffer == NULL) {
- return -1;
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
/* We want to copy len_new bytes when downsizing the buffer, and
@@ -432,7 +436,7 @@ static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *,
#endif /* MBEDTLS_MD_CAN_SHA256*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha384(const unsigned char *secret, size_t slen,
const char *label,
@@ -441,11 +445,7 @@ static int tls_prf_sha384(const unsigned char *secret, size_t slen,
static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len);
+#endif /* PSA_WANT_ALG_SHA_384*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls12_session_load(mbedtls_ssl_session *session,
@@ -459,9 +459,9 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char
static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
#endif /* MBEDTLS_MD_CAN_SHA256*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384*/
int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
const unsigned char *secret, size_t slen,
@@ -473,11 +473,11 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
switch (prf) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_SSL_TLS_PRF_SHA384:
tls_prf = tls_prf_sha384;
break;
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384*/
#if defined(MBEDTLS_MD_CAN_SHA256)
case MBEDTLS_SSL_TLS_PRF_SHA256:
tls_prf = tls_prf_sha256;
@@ -642,7 +642,7 @@ static const char *extension_name_table[] = {
[MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
};
-static unsigned int extension_type_table[] = {
+static const unsigned int extension_type_table[] = {
[MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
[MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
[MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
@@ -784,7 +784,7 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
{
((void) ciphersuite_info);
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
ssl->handshake->update_checksum = ssl_update_checksum_sha384;
} else
@@ -831,7 +831,7 @@ int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384)
+ defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
#else
@@ -865,7 +865,7 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
}
#endif
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
if (status != PSA_SUCCESS) {
@@ -896,7 +896,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384)
+ defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
#else
@@ -920,7 +920,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
}
#endif
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
if (status != PSA_SUCCESS) {
@@ -949,7 +949,7 @@ static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
}
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
@@ -973,7 +973,7 @@ static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
mbedtls_md_init(&handshake->fin_sha256);
#endif
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha384_psa = psa_hash_operation_init();
#else
@@ -1109,6 +1109,16 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+#endif
+ ssl->total_early_data_size = 0;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/* Initialize structures */
mbedtls_ssl_session_init(ssl->session_negotiate);
ssl_handshake_params_init(ssl->handshake);
@@ -1354,7 +1364,7 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
* bad config.
*
*/
- if (mbedtls_ssl_conf_tls13_ephemeral_enabled(
+ if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
(mbedtls_ssl_context *) ssl) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
@@ -1367,6 +1377,11 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ if (ssl->conf->f_rng == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
+ return MBEDTLS_ERR_SSL_NO_RNG;
+ }
+
/* Space for further checks */
return 0;
@@ -1551,6 +1566,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ ssl->tls_version = ssl->conf->max_tls_version;
mbedtls_ssl_session_reset_msg_layer(ssl, partial);
@@ -1744,6 +1760,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
@@ -1754,6 +1771,14 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
session->ciphersuite));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
+#else
+ /*
+ * If session tickets are not enabled, it is not possible to resume a
+ * TLS 1.3 session, thus do not make any change to the SSL context in
+ * the first place.
+ */
+ return 0;
+#endif
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
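Review bot: In the new `#else` branch of mbedtls_ssl_set_session(), a TLS 1.3 session is dropped with `return 0;` and nothing is logged. A caller that checks only the return value will therefore believe resumption has been set up. A debug line before the return would make the no-op visible, for example `MBEDTLS_SSL_DEBUG_MSG(4, ("TLS 1.3 session ignored: session tickets disabled"));` (message text constructed here). The header documentation of the function, which is outside this hunk, should also say that success does not imply the session will be offered.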
@@ -1782,14 +1807,14 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
-void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf,
- int early_data_enabled)
+void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
+ int early_data_enabled)
{
conf->early_data_enabled = early_data_enabled;
}
#if defined(MBEDTLS_SSL_SRV_C)
-void mbedtls_ssl_tls13_conf_max_early_data_size(
+void mbedtls_ssl_conf_max_early_data_size(
mbedtls_ssl_config *conf, uint32_t max_early_data_size)
{
conf->max_early_data_size = max_early_data_size;
@@ -2218,6 +2243,7 @@ static void ssl_remove_psk(mbedtls_ssl_context *ssl)
mbedtls_zeroize_and_free(ssl->handshake->psk,
ssl->handshake->psk_len);
ssl->handshake->psk_len = 0;
+ ssl->handshake->psk = NULL;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
@@ -2450,391 +2476,191 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-/* Serialization of TLS 1.3 sessions:
- *
- * struct {
- * opaque hostname<0..2^16-1>;
- * uint64 ticket_received;
- * uint32 ticket_lifetime;
- * opaque ticket<1..2^16-1>;
- * } ClientOnlyData;
- *
- * struct {
- * uint8 endpoint;
- * uint8 ciphersuite[2];
- * uint32 ticket_age_add;
- * uint8 ticket_flags;
- * opaque resumption_key<0..255>;
- * select ( endpoint ) {
- * case client: ClientOnlyData;
- * case server: uint64 start_time;
- * };
- * } serialized_session_tls13;
- *
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- unsigned char *p = buf;
-#if defined(MBEDTLS_SSL_CLI_C) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- size_t hostname_len = (session->hostname == NULL) ?
- 0 : strlen(session->hostname) + 1;
-#endif
- size_t needed = 1 /* endpoint */
- + 2 /* ciphersuite */
- + 4 /* ticket_age_add */
- + 1 /* ticket_flags */
- + 1; /* resumption_key length */
- *olen = 0;
-
- if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- needed += session->resumption_key_len; /* resumption_key */
-
-#if defined(MBEDTLS_HAVE_TIME)
- needed += 8; /* start_time or ticket_received */
-#endif
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- needed += 2 /* hostname_len */
- + hostname_len; /* hostname */
-#endif
-
- needed += 4 /* ticket_lifetime */
- + 2; /* ticket_len */
-
- /* Check size_t overflow */
- if (session->ticket_len > SIZE_MAX - needed) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- needed += session->ticket_len; /* ticket */
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- *olen = needed;
- if (needed > buf_len) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- p[0] = session->endpoint;
- MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 1);
- MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 3);
- p[7] = session->ticket_flags;
-
- /* save resumption_key */
- p[8] = session->resumption_key_len;
- p += 9;
- memcpy(p, session->resumption_key, session->resumption_key_len);
- p += session->resumption_key_len;
-
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
- MBEDTLS_PUT_UINT64_BE((uint64_t) session->start, p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
- p += 2;
- if (hostname_len > 0) {
- /* save host name */
- memcpy(p, session->hostname, hostname_len);
- p += hostname_len;
- }
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_HAVE_TIME)
- MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_received, p, 0);
- p += 8;
-#endif
- MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
- p += 4;
-
- MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
- p += 2;
-
- if (session->ticket != NULL && session->ticket_len > 0) {
- memcpy(p, session->ticket, session->ticket_len);
- p += session->ticket_len;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len)
-{
- const unsigned char *p = buf;
- const unsigned char *end = buf + len;
-
- if (end - p < 9) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->endpoint = p[0];
- session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 1);
- session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 3);
- session->ticket_flags = p[7];
-
- /* load resumption_key */
- session->resumption_key_len = p[8];
- p += 9;
-
- if (end - p < session->resumption_key_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (sizeof(session->resumption_key) < session->resumption_key_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- memcpy(session->resumption_key, p, session->resumption_key_len);
- p += session->resumption_key_len;
-
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
- if (end - p < 8) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->start = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS)
- size_t hostname_len;
- /* load host name */
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (end - p < (long int) hostname_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (hostname_len > 0) {
- session->hostname = mbedtls_calloc(1, hostname_len);
- if (session->hostname == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- memcpy(session->hostname, p, hostname_len);
- p += hostname_len;
- }
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
- MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_HAVE_TIME)
- if (end - p < 8) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_received = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-#endif
- if (end - p < 4) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (end - p < (long int) session->ticket_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (session->ticket_len > 0) {
- session->ticket = mbedtls_calloc(1, session->ticket_len);
- if (session->ticket == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- memcpy(session->ticket, p, session->ticket_len);
- p += session->ticket_len;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- return 0;
-
-}
-#else /* MBEDTLS_SSL_SESSION_TICKETS */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- ((void) session);
- ((void) buf);
- ((void) buf_len);
- *olen = 0;
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-
-static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len)
-{
- ((void) session);
- ((void) buf);
- ((void) buf_len);
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
size_t taglen,
psa_algorithm_t *alg,
psa_key_type_t *key_type,
size_t *key_size)
{
+#if !defined(MBEDTLS_SSL_HAVE_CCM)
+ (void) taglen;
+#endif
switch (mbedtls_cipher_type) {
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_AES_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_AES_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_AES_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_AES_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_AES_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_AES_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_AES_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_AES_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_ARIA_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_ARIA_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_ARIA_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_ARIA_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_ARIA_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_ARIA_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_ARIA_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_ARIA_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 192;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
case MBEDTLS_CIPHER_CHACHA20_POLY1305:
*alg = PSA_ALG_CHACHA20_POLY1305;
*key_type = PSA_KEY_TYPE_CHACHA20;
*key_size = 256;
break;
+#endif
case MBEDTLS_CIPHER_NULL:
*alg = MBEDTLS_SSL_NULL_CIPHER;
*key_type = 0;
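Review bot: With every `case` in mbedtls_ssl_cipher_to_psa() now behind `MBEDTLS_SSL_HAVE_*` guards, a cipher type whose algorithm is compiled out reaches the `default` label, which is outside this hunk. It is worth confirming that `default` returns an error without leaving `*alg`, `*key_type` and `*key_size` for the caller to read, since callers could previously rely on these types being mapped. A short comment above the `switch` would record the intent, for example `/* Cipher types that are not compiled in fall through to default and are reported as unsupported */`. The 25 near-identical guard pairs are also easy to get out of step; grouping the cases by mode under a single guard per mode would reduce that risk.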
@@ -3315,6 +3141,31 @@ const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
}
}
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+ const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t record_size_limit = max_len;
+
+ if (ssl->session != NULL &&
+ ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session->record_size_limit < max_len) {
+ record_size_limit = ssl->session->record_size_limit;
+ }
+
+ // TODO: this is currently untested
+ /* During a handshake, use the value being negotiated */
+ if (ssl->session_negotiate != NULL &&
+ ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session_negotiate->record_size_limit < max_len) {
+ record_size_limit = ssl->session_negotiate->record_size_limit;
+ }
+
+ return record_size_limit;
+}
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
{
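Review bot: In mbedtls_ssl_get_output_record_size_limit(), the `session_negotiate` branch is marked `// TODO: this is currently untested`, yet it overrides the limit taken from the established session whenever a handshake is in progress. Because this value caps what is sent to the peer, the branch should get a test before it is relied on. The function also lacks a header comment describing the fallback, for example `/* Returns the peer's record_size_limit if it lies in [MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN, MBEDTLS_SSL_OUT_CONTENT_LEN), else MBEDTLS_SSL_OUT_CONTENT_LEN */`. The `//` comment is inconsistent with the `/* */` style used on the next line.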
@@ -3401,6 +3252,7 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
!defined(MBEDTLS_SSL_PROTO_DTLS)
(void) ssl;
#endif
@@ -3413,6 +3265,30 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
}
#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
+
+ if (max_len > record_size_limit) {
+ max_len = record_size_limit;
+ }
+#endif
+
+ if (ssl->transform_out != NULL &&
+ ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /*
+ * In TLS 1.3 case, when records are protected, `max_len` as computed
+ * above is the maximum length of the TLSInnerPlaintext structure that
+ * along the plaintext payload contains the inner content type (one byte)
+ * and some zero padding. Given the algorithm used for padding
+ * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
+ * the plaintext payload. Round down to a multiple of
+ * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
+ * subtract 1.
+ */
+ max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
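Review bot: The TLS 1.3 adjustment `max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;` wraps around when `max_len` is smaller than the granularity. The quotient is then 0, and `max_len` is a `size_t`, so subtracting 1 yields a huge value in a function that returns `int`. The record size limit applied just above can bring `max_len` down to MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN, and whether the configuration checks keep the granularity below that minimum is not visible from this hunk. A guarded form avoids the wrap: `max_len = (max_len / G) * G;` followed by `if (max_len > 0) { max_len--; }`, with `G` standing for the granularity macro. A compile-time check tying the granularity to the minimum record size would also work. The function continues outside the hunk.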
@@ -3435,7 +3311,8 @@ int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
- !defined(MBEDTLS_SSL_PROTO_DTLS)
+ !defined(MBEDTLS_SSL_PROTO_DTLS) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
((void) ssl);
#endif
@@ -3515,6 +3392,684 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+/* Serialization of TLS 1.2 sessions
+ *
+ * For more detail, see the description of ssl_session_save().
+ */
+static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len)
+{
+ unsigned char *p = buf;
+ size_t used = 0;
+
+#if defined(MBEDTLS_HAVE_TIME)
+ uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Time
+ */
+#if defined(MBEDTLS_HAVE_TIME)
+ used += 8;
+
+ if (used <= buf_len) {
+ start = (uint64_t) session->start;
+
+ MBEDTLS_PUT_UINT64_BE(start, p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /*
+ * Basic mandatory fields
+ */
+ used += 1 /* id_len */
+ + sizeof(session->id)
+ + sizeof(session->master)
+ + 4; /* verify_result */
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_0(session->id_len);
+ memcpy(p, session->id, 32);
+ p += 32;
+
+ memcpy(p, session->master, 48);
+ p += 48;
+
+ MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
+ p += 4;
+ }
+
+ /*
+ * Peer's end-entity certificate
+ */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if (session->peer_cert == NULL) {
+ cert_len = 0;
+ } else {
+ cert_len = session->peer_cert->raw.len;
+ }
+
+ used += 3 + cert_len;
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_2(cert_len);
+ *p++ = MBEDTLS_BYTE_1(cert_len);
+ *p++ = MBEDTLS_BYTE_0(cert_len);
+
+ if (session->peer_cert != NULL) {
+ memcpy(p, session->peer_cert->raw.p, cert_len);
+ p += cert_len;
+ }
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (session->peer_cert_digest != NULL) {
+ used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
+ if (used <= buf_len) {
+ *p++ = (unsigned char) session->peer_cert_digest_type;
+ *p++ = (unsigned char) session->peer_cert_digest_len;
+ memcpy(p, session->peer_cert_digest,
+ session->peer_cert_digest_len);
+ p += session->peer_cert_digest_len;
+ }
+ } else {
+ used += 2;
+ if (used <= buf_len) {
+ *p++ = (unsigned char) MBEDTLS_MD_NONE;
+ *p++ = 0;
+ }
+ }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Session ticket if any, plus associated data
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_2(session->ticket_len);
+ *p++ = MBEDTLS_BYTE_1(session->ticket_len);
+ *p++ = MBEDTLS_BYTE_0(session->ticket_len);
+
+ if (session->ticket != NULL) {
+ memcpy(p, session->ticket, session->ticket_len);
+ p += session->ticket_len;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
+ p += 4;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ used += 8;
+
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
+ p += 8;
+ }
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ /*
+ * Misc extension-related info
+ */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ used += 1;
+
+ if (used <= buf_len) {
+ *p++ = session->mfl_code;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ used += 1;
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
+ }
+#endif
+
+ return used;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len)
+{
+#if defined(MBEDTLS_HAVE_TIME)
+ uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ const unsigned char *p = buf;
+ const unsigned char * const end = buf + len;
+
+ /*
+ * Time
+ */
+#if defined(MBEDTLS_HAVE_TIME)
+ if (8 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ start = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+
+ session->start = (time_t) start;
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /*
+ * Basic mandatory fields
+ */
+ if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->id_len = *p++;
+ memcpy(session->id, p, 32);
+ p += 32;
+
+ memcpy(session->master, p, 48);
+ p += 48;
+
+ session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+ /* Immediately clear invalid pointer values that have been read, in case
+ * we exit early before we replaced them with valid ones. */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ session->peer_cert = NULL;
+#else
+ session->peer_cert_digest = NULL;
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ session->ticket = NULL;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+ /*
+ * Peer certificate
+ */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* Deserialize CRT from the end of the ticket. */
+ if (3 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
+ p += 3;
+
+ if (cert_len != 0) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (cert_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+
+ if (session->peer_cert == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ mbedtls_x509_crt_init(session->peer_cert);
+
+ if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
+ p, cert_len)) != 0) {
+ mbedtls_x509_crt_free(session->peer_cert);
+ mbedtls_free(session->peer_cert);
+ session->peer_cert = NULL;
+ return ret;
+ }
+
+ p += cert_len;
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ /* Deserialize CRT digest from the end of the ticket. */
+ if (2 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
+ session->peer_cert_digest_len = (size_t) *p++;
+
+ if (session->peer_cert_digest_len != 0) {
+ const mbedtls_md_info_t *md_info =
+ mbedtls_md_info_from_type(session->peer_cert_digest_type);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (session->peer_cert_digest_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert_digest =
+ mbedtls_calloc(1, session->peer_cert_digest_len);
+ if (session->peer_cert_digest == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(session->peer_cert_digest, p,
+ session->peer_cert_digest_len);
+ p += session->peer_cert_digest_len;
+ }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Session ticket and associated data
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ if (3 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
+ p += 3;
+
+ if (session->ticket_len != 0) {
+ if (session->ticket_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket = mbedtls_calloc(1, session->ticket_len);
+ if (session->ticket == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(session->ticket, p, session->ticket_len);
+ p += session->ticket_len;
+ }
+
+ if (4 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (8 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ /*
+ * Misc extension-related info
+ */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ if (1 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->mfl_code = *p++;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if (1 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->encrypt_then_mac = *p++;
+#endif
+
+ /* Done, should have consumed entire buffer */
+ if (p != end) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* Serialization of TLS 1.3 sessions:
+ *
+ * For more detail, see the description of ssl_session_save().
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+#if defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ size_t hostname_len = (session->hostname == NULL) ?
+ 0 : strlen(session->hostname) + 1;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ const size_t alpn_len = (session->ticket_alpn == NULL) ?
+ 0 : strlen(session->ticket_alpn) + 1;
+#endif
+ size_t needed = 4 /* ticket_age_add */
+ + 1 /* ticket_flags */
+ + 1; /* resumption_key length */
+
+ *olen = 0;
+
+ if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ needed += session->resumption_key_len; /* resumption_key */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ needed += 4; /* max_early_data_size */
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ needed += 2; /* record_size_limit */
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ needed += 8; /* ticket_creation_time or ticket_reception_time */
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ needed += 2 /* alpn_len */
+ + alpn_len; /* alpn */
+#endif
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ needed += 2 /* hostname_len */
+ + hostname_len; /* hostname */
+#endif
+
+ needed += 4 /* ticket_lifetime */
+ + 2; /* ticket_len */
+
+ /* Check size_t overflow */
+ if (session->ticket_len > SIZE_MAX - needed) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ needed += session->ticket_len; /* ticket */
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ *olen = needed;
+ if (needed > buf_len) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
+ p[4] = session->ticket_flags;
+
+ /* save resumption_key */
+ p[5] = session->resumption_key_len;
+ p += 6;
+ memcpy(p, session->resumption_key, session->resumption_key_len);
+ p += session->resumption_key_len;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
+ p += 4;
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_HAVE_TIME)
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
+ p += 8;
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
+ p += 2;
+
+ if (alpn_len > 0) {
+ /* save chosen alpn */
+ memcpy(p, session->ticket_alpn, alpn_len);
+ p += alpn_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
+ p += 2;
+ if (hostname_len > 0) {
+ /* save host name */
+ memcpy(p, session->hostname, hostname_len);
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
+ p += 8;
+#endif
+ MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
+ p += 4;
+
+ MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
+ p += 2;
+
+ if (session->ticket != NULL && session->ticket_len > 0) {
+ memcpy(p, session->ticket, session->ticket_len);
+ p += session->ticket_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ if (end - p < 6) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
+ session->ticket_flags = p[4];
+
+ /* load resumption_key */
+ session->resumption_key_len = p[5];
+ p += 6;
+
+ if (end - p < session->resumption_key_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (sizeof(session->resumption_key) < session->resumption_key_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ memcpy(session->resumption_key, p, session->resumption_key_len);
+ p += session->resumption_key_len;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (end - p < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_HAVE_TIME)
+ if (end - p < 8) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ size_t alpn_len;
+
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) alpn_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (alpn_len > 0) {
+ int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
+ if (ret != 0) {
+ return ret;
+ }
+ p += alpn_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ size_t hostname_len;
+ /* load host name */
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) hostname_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (hostname_len > 0) {
+ session->hostname = mbedtls_calloc(1, hostname_len);
+ if (session->hostname == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->hostname, p, hostname_len);
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ if (end - p < 8) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+#endif
+ if (end - p < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) session->ticket_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (session->ticket_len > 0) {
+ session->ticket = mbedtls_calloc(1, session->ticket_len);
+ if (session->ticket == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->ticket, p, session->ticket_len);
+ p += session->ticket_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ return 0;
+
+}
+#else /* MBEDTLS_SSL_SESSION_TICKETS */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ ((void) session);
+ ((void) buf);
+ ((void) buf_len);
+ *olen = 0;
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+
+static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t buf_len)
+{
+ ((void) session);
+ ((void) buf);
+ ((void) buf_len);
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
/*
* Define ticket header determining Mbed TLS version
* and structure of the ticket.
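Review bot: `ssl_tls13_session_load()` treats the serialized ALPN and hostname as C strings without checking that they are NUL-terminated inside the declared length. `ssl_tls13_session_save()` writes `strlen(...) + 1` bytes, but on load `mbedtls_ssl_session_set_ticket_alpn(session, (char *) p)` receives only a pointer, and the hostname is copied into a `hostname_len`-byte allocation that `ssl_tls13_session_save()` later passes to `strlen()`; a blob whose last byte is not zero would make those reads run past the field. Rejecting it up front keeps the parser self-contained: `if (alpn_len > 0 && p[alpn_len - 1] != '\0') { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; }`, and the same test for `hostname_len`. Separately, `ssl_tls12_session_load()` stores `id_len` without checking it against `sizeof(session->id)`, although the format comment says it is at most 32.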
@@ -3537,6 +4092,12 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
#else
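Review bot: The `#endif` that closes the new `SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT` block is annotated `/* MBEDTLS_SSL_SESSION_TICKETS */`, but the condition it closes is `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`; it should read `#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */`. The next hunk has the same kind of mismatch on the ALPN block, whose `#endif /* MBEDTLS_SSL_ALPN */` omits the `MBEDTLS_SSL_SRV_C` and `MBEDTLS_SSL_EARLY_DATA` parts of the condition.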
@@ -3561,12 +4122,42 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
+#endif /* MBEDTLS_SSL_ALPN */
+
#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
((uint16_t) ( \
@@ -3576,9 +4167,18 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
(SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
(SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT)))
-
-static unsigned char ssl_serialized_session_header[] = {
+ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
+ SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
+ SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
+ SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
+ SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
+
+static const unsigned char ssl_serialized_session_header[] = {
MBEDTLS_VERSION_MAJOR,
MBEDTLS_VERSION_MINOR,
MBEDTLS_VERSION_PATCH,
@@ -3590,7 +4190,81 @@ static unsigned char ssl_serialized_session_header[] = {
* Serialize a session in the following format:
* (in the presentation language of TLS, RFC 8446 section 3)
*
- * struct {
+ * TLS 1.2 session:
+ *
+ * struct {
+ * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ * opaque ticket<0..2^24-1>; // length 0 means no ticket
+ * uint32 ticket_lifetime;
+ * #endif
+ * } ClientOnlyData;
+ *
+ * struct {
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 start_time;
+ * #endif
+ * uint8 session_id_len; // at most 32
+ * opaque session_id[32];
+ * opaque master[48]; // fixed length in the standard
+ * uint32 verify_result;
+ * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
+ * #else
+ * uint8 peer_cert_digest_type;
+ * opaque peer_cert_digest<0..2^8-1>
+ * #endif
+ * select (endpoint) {
+ * case client: ClientOnlyData;
+ * case server: uint64 ticket_creation_time;
+ * };
+ * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ * uint8 mfl_code; // up to 255 according to standard
+ * #endif
+ * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ * uint8 encrypt_then_mac; // 0 or 1
+ * #endif
+ * } serialized_session_tls12;
+ *
+ *
+ * TLS 1.3 Session:
+ *
+ * struct {
+ * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ * opaque hostname<0..2^16-1>;
+ * #endif
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 ticket_reception_time;
+ * #endif
+ * uint32 ticket_lifetime;
+ * opaque ticket<1..2^16-1>;
+ * } ClientOnlyData;
+ *
+ * struct {
+ * uint32 ticket_age_add;
+ * uint8 ticket_flags;
+ * opaque resumption_key<0..255>;
+ * #if defined(MBEDTLS_SSL_EARLY_DATA)
+ * uint32 max_early_data_size;
+ * #endif
+ * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ * uint16 record_size_limit;
+ * #endif
+ * select ( endpoint ) {
+ * case client: ClientOnlyData;
+ * case server:
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 ticket_creation_time;
+ * #endif
+ * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ * opaque ticket_alpn<0..256>;
+ * #endif
+ * };
+ * } serialized_session_tls13;
+ *
+ *
+ * SSL session:
+ *
+ * struct {
*
* opaque mbedtls_version[3]; // library version: major, minor, patch
* opaque session_format[2]; // library-version specific 16-bit field
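Review bot: The format description for `serialized_session_tls12` does not match the conditions under which `ssl_tls12_session_save()` emits the fields. The `select (endpoint)` part is only written when `MBEDTLS_SSL_SESSION_TICKETS` is defined, the server's `ticket_creation_time` additionally requires `MBEDTLS_HAVE_TIME`, and the peer certificate fields only exist under `MBEDTLS_X509_CRT_PARSE_C`, but the comment shows all of them unconditionally. The line `#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is also missing its closing parenthesis. As this comment documents the serialized layout, I would add the missing `#if` lines around those fields. The comment block starts before and continues after this hunk.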
@@ -3608,6 +4282,8 @@ static unsigned char ssl_serialized_session_header[] = {
* uint8_t minor_ver; // Protocol minor version. Possible values:
* // - TLS 1.2 (0x0303)
* // - TLS 1.3 (0x0304)
+ * uint8_t endpoint;
+ * uint16_t ciphersuite;
*
* select (serialized_session.tls_version) {
*
@@ -3654,11 +4330,16 @@ static int ssl_session_save(const mbedtls_ssl_session *session,
}
/*
- * TLS version identifier
+ * TLS version identifier, endpoint, ciphersuite
*/
- used += 1;
+ used += 1 /* TLS version */
+ + 1 /* endpoint */
+ + 2; /* ciphersuite */
if (used <= buf_len) {
*p++ = MBEDTLS_BYTE_0(session->tls_version);
+ *p++ = session->endpoint;
+ MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
+ p += 2;
}
/* Forward to version-specific serialization routine. */
@@ -3741,15 +4422,18 @@ static int ssl_session_load(mbedtls_ssl_session *session,
}
/*
- * TLS version identifier
+ * TLS version identifier, endpoint, ciphersuite
*/
- if (1 > (size_t) (end - p)) {
+ if (4 > (size_t) (end - p)) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
+ session->endpoint = *p++;
+ session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
/* Dispatch according to TLS version. */
- remaining_len = (end - p);
+ remaining_len = (size_t) (end - p);
switch (session->tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
case MBEDTLS_SSL_VERSION_TLS1_2:
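Review bot: `session->endpoint` is taken from the buffer without checking that it is one of `MBEDTLS_SSL_IS_CLIENT` or `MBEDTLS_SSL_IS_SERVER`. The version-specific loaders branch on exactly those two values, so any other byte skips both endpoint-specific sections, and `ssl_tls13_session_load()` as added in this commit returns 0 without a final `p != end` check, so leftover bytes would go unnoticed there. A check right after the read would reject such input early: `if (session->endpoint != MBEDTLS_SSL_IS_CLIENT && session->endpoint != MBEDTLS_SSL_IS_SERVER) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; }`. The body of `ssl_session_load()` starts and ends outside the hunk.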
@@ -4118,7 +4802,7 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
mbedtls_md_free(&handshake->fin_sha256);
#endif
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&handshake->fin_sha384_psa);
#else
@@ -4262,6 +4946,11 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
mbedtls_free(session->ticket);
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_free(session->ticket_alpn);
+#endif
+
mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
}
@@ -4303,7 +4992,7 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
(SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
0u))
-static unsigned char ssl_serialized_context_header[] = {
+static const unsigned char ssl_serialized_context_header[] = {
MBEDTLS_VERSION_MAJOR,
MBEDTLS_VERSION_MINOR,
MBEDTLS_VERSION_PATCH,
@@ -4460,7 +5149,7 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
}
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
+ used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
if (used <= buf_len) {
*p++ = ssl->transform->in_cid_len;
memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
@@ -4741,7 +5430,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- ssl->mtu = (p[0] << 8) | p[1];
+ ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
p += 2;
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -4760,7 +5449,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
/* alpn_chosen should point to an item in the configured list */
for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
if (strlen(*cur) == alpn_len &&
- memcmp(p, cur, alpn_len) == 0) {
+ memcmp(p, *cur, alpn_len) == 0) {
ssl->alpn_chosen = *cur;
break;
}
@@ -4921,7 +5610,7 @@ void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
* See the documentation of mbedtls_ssl_conf_curves() for what we promise
* about this list.
*/
-static uint16_t ssl_preset_default_groups[] = {
+static const uint16_t ssl_preset_default_groups[] = {
#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
#endif
@@ -4972,7 +5661,7 @@ static const int ssl_preset_suiteb_ciphersuites[] = {
* - ssl_tls12_preset* is for TLS 1.2 use only.
* - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
*/
-static uint16_t ssl_preset_default_sig_algs[] = {
+static const uint16_t ssl_preset_default_sig_algs[] = {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA256) && \
@@ -4982,7 +5671,7 @@ static uint16_t ssl_preset_default_sig_algs[] = {
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ECC_SECP_R1_384)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
@@ -4995,31 +5684,25 @@ static uint16_t ssl_preset_default_sig_algs[] = {
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA512)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
+#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
+#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
+#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
@@ -5031,44 +5714,49 @@ static uint16_t ssl_preset_default_sig_algs[] = {
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
+
#if defined(MBEDTLS_MD_CAN_SHA512)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA512*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384 */
+
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
/* NOTICE: see above */
-static uint16_t ssl_preset_suiteb_sig_algs[] = {
+static const uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA256) && \
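Review bot: `ssl_tls12_preset_default_sig_algs` is left as `static uint16_t` while the other preset tables in this commit become `static const uint16_t`, and `ssl_check_no_sig_alg_duplication()` now takes a `const uint16_t *`. Unless a consumer outside this hunk needs a writable pointer, the declaration could be `static const uint16_t ssl_tls12_preset_default_sig_algs[] = {` so the table cannot be modified at run time. The same applies to `ssl_tls12_preset_suiteb_sig_algs` in the next hunk.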
@@ -5078,51 +5766,38 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(PSA_WANT_ALG_SHA_384) && \
defined(MBEDTLS_ECP_HAVE_SECP384R1)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
- defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif \
- /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256*/
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256*/
-
MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
+
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* PSA_WANT_ALG_SHA_384 */
+
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-static uint16_t ssl_preset_suiteb_groups[] = {
+static const uint16_t ssl_preset_suiteb_groups[] = {
#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
#endif
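Review bot: `ssl_tls12_preset_suiteb_sig_algs` is left as `static uint16_t` in this hunk, while `ssl_preset_suiteb_groups` at the end of the hunk and `ssl_preset_suiteb_sig_algs` just above it become `static const uint16_t`. These preset tables decide which signature algorithms a Suite B configuration advertises, so all of them belong in read-only storage; the declaration should read `static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {`. The next hunk already makes `ssl_check_no_sig_alg_duplication` take `const uint16_t *`, so the checker would accept it; whether the config field that stores the TLS 1.2 table is const-qualified is not visible here. The body of `ssl_preset_suiteb_groups` continues outside the hunk.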
@@ -5136,7 +5811,7 @@ static uint16_t ssl_preset_suiteb_groups[] = {
/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
* to make sure there are no duplicated signature algorithm entries. */
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_no_sig_alg_duplication(uint16_t *sig_algs)
+static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
{
size_t i, j;
int ret = 0;
@@ -5259,10 +5934,9 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_tls13_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
+ mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
#if defined(MBEDTLS_SSL_SRV_C)
- mbedtls_ssl_tls13_conf_max_early_data_size(
- conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
+ mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
#endif
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -5366,6 +6040,10 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
*/
void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
{
+ if (conf == NULL) {
+ return;
+ }
+
#if defined(MBEDTLS_DHM_C)
mbedtls_mpi_free(&conf->dhm_P);
mbedtls_mpi_free(&conf->dhm_G);
@@ -5462,7 +6140,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
case MBEDTLS_SSL_HASH_SHA1:
return MBEDTLS_MD_SHA1;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
+#if defined(PSA_WANT_ALG_SHA_224)
case MBEDTLS_SSL_HASH_SHA224:
return MBEDTLS_MD_SHA224;
#endif
@@ -5470,7 +6148,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
case MBEDTLS_SSL_HASH_SHA256:
return MBEDTLS_MD_SHA256;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_SSL_HASH_SHA384:
return MBEDTLS_MD_SHA384;
#endif
@@ -5497,7 +6175,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg(int md)
case MBEDTLS_MD_SHA1:
return MBEDTLS_SSL_HASH_SHA1;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
+#if defined(PSA_WANT_ALG_SHA_224)
case MBEDTLS_MD_SHA224:
return MBEDTLS_SSL_HASH_SHA224;
#endif
@@ -5505,7 +6183,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg(int md)
case MBEDTLS_MD_SHA256:
return MBEDTLS_SSL_HASH_SHA256;
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_MD_SHA384:
return MBEDTLS_SSL_HASH_SHA384;
#endif
@@ -5687,7 +6365,7 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
uint32_t *flags)
{
int ret = 0;
- int usage = 0;
+ unsigned int usage = 0;
const char *ext_oid;
size_t ext_len;
@@ -5759,7 +6437,7 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
*olen = 0;
switch (md) {
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_MD_SHA384:
hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
break;
@@ -5786,7 +6464,7 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
}
exit:
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
(void) ssl;
#endif
@@ -5794,7 +6472,7 @@ exit:
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
unsigned char *dst,
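Review bot: The `#else /* MBEDTLS_USE_PSA_CRYPTO */` branch now gates `ssl_get_handshake_transcript_sha384` on `PSA_WANT_ALG_SHA_384`, yet the following hunk shows that function ending in `mbedtls_md_free(&sha384)`, so it runs on the legacy MD layer. The SHA-256 sibling keeps `MBEDTLS_MD_CAN_SHA256`, so the two hash paths in this branch are selected by different macro families. Whether `PSA_WANT_ALG_SHA_384` guarantees that `mbedtls_md` can do SHA-384 in a build without `MBEDTLS_USE_PSA_CRYPTO` cannot be told from the diff; if it does, a one-line comment such as `/* PSA_WANT_ALG_SHA_384 implies MD SHA-384 support in this branch */` would record the assumption. The same mixed condition appears in the `tls_prf_generic` guard further down. The function body continues outside the hunk.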
@@ -5830,7 +6508,7 @@ exit:
mbedtls_md_free(&sha384);
return ret;
}
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -5878,10 +6556,10 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
{
switch (md) {
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_MD_SHA384:
return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384*/
#if defined(MBEDTLS_MD_CAN_SHA256)
case MBEDTLS_MD_SHA256:
@@ -5889,7 +6567,7 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_MD_CAN_SHA256*/
default:
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
(void) ssl;
(void) dst;
@@ -6157,7 +6835,7 @@ static int tls_prf_generic(mbedtls_md_type_t md_type,
#if defined(MBEDTLS_MD_C) && \
(defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384))
+ defined(PSA_WANT_ALG_SHA_384))
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic(mbedtls_md_type_t md_type,
const unsigned char *secret, size_t slen,
@@ -6261,7 +6939,7 @@ exit:
return ret;
}
-#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
+#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || PSA_WANT_ALG_SHA_384 ) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_MD_CAN_SHA256)
@@ -6276,7 +6954,7 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen,
}
#endif /* MBEDTLS_MD_CAN_SHA256*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha384(const unsigned char *secret, size_t slen,
const char *label,
@@ -6286,7 +6964,7 @@ static int tls_prf_sha384(const unsigned char *secret, size_t slen,
return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
label, random, rlen, dstbuf, dlen);
}
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384*/
/*
* Set appropriate PRF function and other SSL / TLS1.2 functions
@@ -6301,7 +6979,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
mbedtls_md_type_t hash)
{
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (hash == MBEDTLS_MD_SHA384) {
handshake->tls_prf = tls_prf_sha384;
handshake->calc_verify = ssl_calc_verify_tls_sha384;
@@ -6598,7 +7276,7 @@ int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
{
switch (md) {
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_SSL_HASH_SHA384:
ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
break;
@@ -6611,7 +7289,7 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
default:
return -1;
}
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
(void) ssl;
#endif
@@ -6705,7 +7383,7 @@ int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
unsigned char *hash,
size_t *hlen)
@@ -6718,7 +7396,7 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@@ -6790,7 +7468,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_excha
/* Write length only when we know the actual value */
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
- p + 2, end - (p + 2), &len,
+ p + 2, (size_t) (end - (p + 2)), &len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
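Review bot: The added cast in `(size_t) (end - (p + 2))` silences the sign-conversion warning but would turn a negative pointer difference into a very large output-buffer size for `mbedtls_dhm_calc_secret`. Nothing in the hunk shows that `p + 2 <= end` holds at this point, and the function starts outside the hunk, so this may already be guaranteed by how `p` and `end` are set up. If it is not, a guard before the call, `if (end - p < 2) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; }`, keeps the cast safe; otherwise a short comment stating the invariant would do. The same applies to the `mbedtls_ecdh_calc_secret` call in the next hunk.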
@@ -6807,7 +7485,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_excha
size_t zlen;
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
- p + 2, end - (p + 2),
+ p + 2, (size_t) (end - (p + 2)),
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
return ret;
@@ -6840,7 +7518,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_excha
memcpy(p, psk, psk_len);
p += psk_len;
- ssl->handshake->pmslen = p - ssl->handshake->premaster;
+ ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
return 0;
}
@@ -7098,7 +7776,7 @@ static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
/*
* Same message structure as in mbedtls_ssl_write_certificate()
*/
- n = (ssl->in_msg[i+1] << 8) | ssl->in_msg[i+2];
+ n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
if (ssl->in_msg[i] != 0 ||
ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
@@ -7132,8 +7810,7 @@ static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
}
/* Read length of the next CRT in the chain. */
- n = ((unsigned int) ssl->in_msg[i + 1] << 8)
- | (unsigned int) ssl->in_msg[i + 2];
+ n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
i += 3;
if (n < 128 || i + n > ssl->in_hslen) {
@@ -7364,7 +8041,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* and in the unlikely case the above assumption no longer holds
* we are making sure that pk_ec() here does not return a NULL
*/
- mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -7661,7 +8338,7 @@ static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
unsigned char *padbuf, size_t hlen,
unsigned char *buf, int from)
{
- int len = 12;
+ unsigned int len = 12;
const char *sender;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
@@ -7758,7 +8435,7 @@ static int ssl_calc_finished_tls_sha256(
#endif /* MBEDTLS_MD_CAN_SHA256*/
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
@@ -7772,7 +8449,7 @@ static int ssl_calc_finished_tls_sha384(
padbuf, sizeof(padbuf),
buf, from);
}
-#endif /* MBEDTLS_MD_CAN_SHA384*/
+#endif /* PSA_WANT_ALG_SHA_384*/
void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
{
@@ -7861,7 +8538,8 @@ void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
{
- int ret, hash_len;
+ int ret;
+ unsigned int hash_len;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
@@ -8064,7 +8742,7 @@ static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
{
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
return tls_prf_sha384;
} else
@@ -8076,7 +8754,7 @@ static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
}
}
#endif
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
(void) ciphersuite_info;
#endif
@@ -8088,7 +8766,7 @@ static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
{
((void) tls_prf);
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (tls_prf == tls_prf_sha384) {
return MBEDTLS_SSL_TLS_PRF_SHA384;
} else
@@ -8159,14 +8837,6 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
-#if !defined(MBEDTLS_DEBUG_C) && \
- !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if (ssl->f_export_keys == NULL) {
- ssl = NULL; /* make sure we don't use it except for these cases */
- (void) ssl;
- }
-#endif
-
/*
* Some data just needs copying into the structure
*/
@@ -8438,7 +9108,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
goto end;
}
- if (ssl != NULL && ssl->f_export_keys != NULL) {
+ if (ssl->f_export_keys != NULL) {
ssl->f_export_keys(ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
master, 48,
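Review bot: `ssl->f_export_keys` is now read without the `ssl != NULL` test, and the earlier hunk in this function drops the block that set `ssl = NULL` when it was not needed, so `ssl_tls12_populate_transform` now requires a non-NULL `ssl`. The function's header comment and its callers are outside the hunk; if the comment still describes `ssl` as optional it should be updated, e.g. `/* ssl must not be NULL: it is read for f_export_keys */`. Any caller that passed NULL under the old contract would now dereference a null pointer here, so those call sites are worth checking in the same change.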
@@ -8838,360 +9508,6 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-/* Serialization of TLS 1.2 sessions:
- *
- * struct {
- * uint64 start_time;
- * uint8 ciphersuite[2]; // defined by the standard
- * uint8 session_id_len; // at most 32
- * opaque session_id[32];
- * opaque master[48]; // fixed length in the standard
- * uint32 verify_result;
- * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
- * opaque ticket<0..2^24-1>; // length 0 means no ticket
- * uint32 ticket_lifetime;
- * uint8 mfl_code; // up to 255 according to standard
- * uint8 encrypt_then_mac; // 0 or 1
- * } serialized_session_tls12;
- *
- */
-static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len)
-{
- unsigned char *p = buf;
- size_t used = 0;
-
-#if defined(MBEDTLS_HAVE_TIME)
- uint64_t start;
-#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- size_t cert_len;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Time
- */
-#if defined(MBEDTLS_HAVE_TIME)
- used += 8;
-
- if (used <= buf_len) {
- start = (uint64_t) session->start;
-
- MBEDTLS_PUT_UINT64_BE(start, p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_HAVE_TIME */
-
- /*
- * Basic mandatory fields
- */
- used += 2 /* ciphersuite */
- + 1 /* id_len */
- + sizeof(session->id)
- + sizeof(session->master)
- + 4; /* verify_result */
-
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
- p += 2;
-
- *p++ = MBEDTLS_BYTE_0(session->id_len);
- memcpy(p, session->id, 32);
- p += 32;
-
- memcpy(p, session->master, 48);
- p += 48;
-
- MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
- p += 4;
- }
-
- /*
- * Peer's end-entity certificate
- */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- if (session->peer_cert == NULL) {
- cert_len = 0;
- } else {
- cert_len = session->peer_cert->raw.len;
- }
-
- used += 3 + cert_len;
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_2(cert_len);
- *p++ = MBEDTLS_BYTE_1(cert_len);
- *p++ = MBEDTLS_BYTE_0(cert_len);
-
- if (session->peer_cert != NULL) {
- memcpy(p, session->peer_cert->raw.p, cert_len);
- p += cert_len;
- }
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (session->peer_cert_digest != NULL) {
- used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
- if (used <= buf_len) {
- *p++ = (unsigned char) session->peer_cert_digest_type;
- *p++ = (unsigned char) session->peer_cert_digest_len;
- memcpy(p, session->peer_cert_digest,
- session->peer_cert_digest_len);
- p += session->peer_cert_digest_len;
- }
- } else {
- used += 2;
- if (used <= buf_len) {
- *p++ = (unsigned char) MBEDTLS_MD_NONE;
- *p++ = 0;
- }
- }
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Session ticket if any, plus associated data
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_2(session->ticket_len);
- *p++ = MBEDTLS_BYTE_1(session->ticket_len);
- *p++ = MBEDTLS_BYTE_0(session->ticket_len);
-
- if (session->ticket != NULL) {
- memcpy(p, session->ticket, session->ticket_len);
- p += session->ticket_len;
- }
-
- MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
- p += 4;
- }
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
- /*
- * Misc extension-related info
- */
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- used += 1;
-
- if (used <= buf_len) {
- *p++ = session->mfl_code;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- used += 1;
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
- }
-#endif
-
- return used;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len)
-{
-#if defined(MBEDTLS_HAVE_TIME)
- uint64_t start;
-#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- size_t cert_len;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- const unsigned char *p = buf;
- const unsigned char * const end = buf + len;
-
- /*
- * Time
- */
-#if defined(MBEDTLS_HAVE_TIME)
- if (8 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- start = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-
- session->start = (time_t) start;
-#endif /* MBEDTLS_HAVE_TIME */
-
- /*
- * Basic mandatory fields
- */
- if (2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ciphersuite = (p[0] << 8) | p[1];
- p += 2;
-
- session->id_len = *p++;
- memcpy(session->id, p, 32);
- p += 32;
-
- memcpy(session->master, p, 48);
- p += 48;
-
- session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
- /* Immediately clear invalid pointer values that have been read, in case
- * we exit early before we replaced them with valid ones. */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- session->peer_cert = NULL;
-#else
- session->peer_cert_digest = NULL;
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- session->ticket = NULL;
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
- /*
- * Peer certificate
- */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* Deserialize CRT from the end of the ticket. */
- if (3 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- cert_len = (p[0] << 16) | (p[1] << 8) | p[2];
- p += 3;
-
- if (cert_len != 0) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (cert_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
-
- if (session->peer_cert == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- mbedtls_x509_crt_init(session->peer_cert);
-
- if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
- p, cert_len)) != 0) {
- mbedtls_x509_crt_free(session->peer_cert);
- mbedtls_free(session->peer_cert);
- session->peer_cert = NULL;
- return ret;
- }
-
- p += cert_len;
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- /* Deserialize CRT digest from the end of the ticket. */
- if (2 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
- session->peer_cert_digest_len = (size_t) *p++;
-
- if (session->peer_cert_digest_len != 0) {
- const mbedtls_md_info_t *md_info =
- mbedtls_md_info_from_type(session->peer_cert_digest_type);
- if (md_info == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (session->peer_cert_digest_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert_digest =
- mbedtls_calloc(1, session->peer_cert_digest_len);
- if (session->peer_cert_digest == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(session->peer_cert_digest, p,
- session->peer_cert_digest_len);
- p += session->peer_cert_digest_len;
- }
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Session ticket and associated data
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- if (3 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket_len = (p[0] << 16) | (p[1] << 8) | p[2];
- p += 3;
-
- if (session->ticket_len != 0) {
- if (session->ticket_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket = mbedtls_calloc(1, session->ticket_len);
- if (session->ticket == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(session->ticket, p, session->ticket_len);
- p += session->ticket_len;
- }
-
- if (4 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
- /*
- * Misc extension-related info
- */
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- if (1 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->mfl_code = *p++;
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if (1 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->encrypt_then_mac = *p++;
-#endif
-
- /* Done, should have consumed entire buffer */
- if (p != end) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- return 0;
-}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
int mbedtls_ssl_validate_ciphersuite(
@@ -9323,7 +9639,7 @@ int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
}
/* Length of supported_signature_algorithms */
- supported_sig_alg_len = p - supported_sig_alg;
+ supported_sig_alg_len = (size_t) (p - supported_sig_alg);
if (supported_sig_alg_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -9333,7 +9649,7 @@ int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
@@ -9585,4 +9901,36 @@ int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
MBEDTLS_SSL_SERVER_NAME_INDICATION &&
MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
+ defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
+ const char *alpn)
+{
+ size_t alpn_len = 0;
+
+ if (alpn != NULL) {
+ alpn_len = strlen(alpn);
+
+ if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+
+ if (session->ticket_alpn != NULL) {
+ mbedtls_zeroize_and_free(session->ticket_alpn,
+ strlen(session->ticket_alpn));
+ session->ticket_alpn = NULL;
+ }
+
+ if (alpn != NULL) {
+ session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
+ if (session->ticket_alpn == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->ticket_alpn, alpn, alpn_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
#endif /* MBEDTLS_SSL_TLS_C */
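Review bot: `mbedtls_ssl_session_set_ticket_alpn` frees the old `session->ticket_alpn` before it allocates the copy. If `mbedtls_calloc` then fails, the function returns `MBEDTLS_ERR_SSL_ALLOC_FAILED` with the previous value already gone, and if a caller ever passes the session's own `ticket_alpn` as `alpn`, the `memcpy` reads from memory that was just zeroized and freed. Building the copy first and swapping it in afterwards avoids both; the sketch below assumes `ticket_alpn` is a `char *`, as the `strlen` call on it suggests. The function also has no comment saying that `alpn == NULL` clears the stored value and that the string is copied rather than referenced.

```c
    size_t alpn_len = 0;
    char *new_alpn = NULL;

    if (alpn != NULL) {
        /* … unchanged: strlen() and MBEDTLS_SSL_MAX_ALPN_NAME_LEN check … */

        /* Copy first, so a failed allocation leaves the session untouched. */
        new_alpn = mbedtls_calloc(alpn_len + 1, 1);
        if (new_alpn == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }
        memcpy(new_alpn, alpn, alpn_len);
    }

    if (session->ticket_alpn != NULL) {
        /* … unchanged: mbedtls_zeroize_and_free() of the old value … */
    }
    session->ticket_alpn = new_alpn;

    return 0;
```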
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 27bbafa..eac6a3a 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2,19 +2,7 @@
* TLS client-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -26,7 +14,7 @@
#include "mbedtls/ssl.h"
#include "ssl_client.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
@@ -619,7 +607,7 @@ int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
p += ext_len;
#endif
- *out_len = p - buf;
+ *out_len = (size_t) (p - buf);
return 0;
}
@@ -953,7 +941,7 @@ static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- list_len = (buf[0] << 8) | buf[1];
+ list_len = MBEDTLS_GET_UINT16_BE(buf, 0);
if (list_len != len - 2) {
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
@@ -1280,6 +1268,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
ssl->conf->transport);
ssl->session_negotiate->tls_version = ssl->tls_version;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
if (ssl->tls_version < ssl->conf->min_tls_version ||
ssl->tls_version > ssl->conf->max_tls_version) {
@@ -1316,8 +1305,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
}
if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
- ext_len = ((buf[38 + n] << 8)
- | (buf[39 + n]));
+ ext_len = MBEDTLS_GET_UINT16_BE(buf, 38 + n);
if ((ext_len > 0 && ext_len < 4) ||
ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
@@ -1338,7 +1326,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
}
/* ciphersuite (used later) */
- i = (buf[35 + n] << 8) | buf[36 + n];
+ i = (int) MBEDTLS_GET_UINT16_BE(buf, n + 35);
/*
* Read and check compression
@@ -1459,10 +1447,8 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ext_len));
while (ext_len) {
- unsigned int ext_id = ((ext[0] << 8)
- | (ext[1]));
- unsigned int ext_size = ((ext[2] << 8)
- | (ext[3]));
+ unsigned int ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
+ unsigned int ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
if (ext_size + 4 > ext_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
@@ -1753,9 +1739,8 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
}
/* Next two bytes are the namedcurve value */
- tls_id = *(*p)++;
- tls_id <<= 8;
- tls_id |= *(*p)++;
+ tls_id = MBEDTLS_GET_UINT16_BE(*p, 0);
+ *p += 2;
/* Check it's a curve we offered */
if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
@@ -1895,7 +1880,7 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
("bad server key exchange message (psk_identity_hint length)"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- len = (*p)[0] << 8 | (*p)[1];
+ len = MBEDTLS_GET_UINT16_BE(*p, 0);
*p += 2;
if (end - (*p) < len) {
@@ -2021,14 +2006,14 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
-#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
-#endif /* MBEDTLS_ECP_C */
+#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
@@ -2186,7 +2171,7 @@ start_processing:
#endif
p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
end = ssl->in_msg + ssl->in_hslen;
- MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
+ MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, (size_t) (end - p));
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
@@ -2311,7 +2296,7 @@ start_processing:
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
- size_t params_len = p - params;
+ size_t params_len = (size_t) (p - params);
void *rs_ctx = NULL;
uint16_t sig_alg;
@@ -2369,7 +2354,7 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- sig_len = (p[0] << 8) | p[1];
+ sig_len = MBEDTLS_GET_UINT16_BE(p, 0);
p += 2;
if (p != end - sig_len) {
@@ -2597,8 +2582,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
}
/* supported_signature_algorithms */
- sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
- | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
+ sig_alg_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
/*
* The furthest access in buf is in the loop few lines below:
@@ -2633,8 +2617,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
n += 2 + sig_alg_len;
/* certificate_authorities */
- dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
- | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
+ dn_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
n += dn_len;
if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
@@ -3264,9 +3247,9 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
size_t hashlen;
void *rs_ctx = NULL;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
+ size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
#endif
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
@@ -3433,10 +3416,9 @@ static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
- lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
- (msg[2] << 8) | (msg[3]);
+ lifetime = MBEDTLS_GET_UINT32_BE(msg, 0);
- ticket_len = (msg[4] << 8) | (msg[5]);
+ ticket_len = MBEDTLS_GET_UINT16_BE(msg, 4);
if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 6367e46..b5b975f 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2,19 +2,7 @@
* TLS server-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -25,7 +13,7 @@
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
@@ -204,7 +192,7 @@ static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- list_size = ((buf[0] << 8) | (buf[1]));
+ list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
if (list_size + 2 != len ||
list_size % 2 != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
@@ -676,7 +664,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
uint16_t *curves_tls_id)
{
uint16_t *curr_tls_id = curves_tls_id;
- mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
mbedtls_ecp_group_id curr_grp_id;
while (*curr_tls_id != 0) {
@@ -969,7 +957,7 @@ read_record_header:
}
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
- (ssl->in_len[0] << 8) | ssl->in_len[1]));
+ MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
buf[1], buf[2]));
@@ -1005,7 +993,7 @@ read_record_header:
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
- msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
+ msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
@@ -1140,11 +1128,11 @@ read_record_header:
msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
/*
- * ClientHello layer:
+ * ClientHello layout:
* 0 . 1 protocol version
* 2 . 33 random bytes (starting with 4 bytes of Unix time)
- * 34 . 35 session id length (1 byte)
- * 35 . 34+x session id
+ * 34 . 34 session id length (1 byte)
+ * 35 . 34+x session id, where x = session id length from byte 34
* 35+x . 35+x DTLS only: cookie length (1 byte)
* 36+x . .. DTLS only: cookie
* .. . .. ciphersuite list length (2 bytes)
@@ -1173,6 +1161,7 @@ read_record_header:
ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
ssl->conf->transport);
ssl->session_negotiate->tls_version = ssl->tls_version;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
@@ -1263,8 +1252,7 @@ read_record_header:
#endif /* MBEDTLS_SSL_PROTO_DTLS */
ciph_offset = 35 + sess_len;
- ciph_len = (buf[ciph_offset + 0] << 8)
- | (buf[ciph_offset + 1]);
+ ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
if (ciph_len < 2 ||
ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
@@ -1312,8 +1300,7 @@ read_record_header:
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- ext_len = (buf[ext_offset + 0] << 8)
- | (buf[ext_offset + 1]);
+ ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
if (msg_len != ext_offset + 2 + ext_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
@@ -1337,8 +1324,8 @@ read_record_header:
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- ext_id = ((ext[0] << 8) | (ext[1]));
- ext_size = ((ext[2] << 8) | (ext[3]));
+ ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
+ ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
if (ext_size + 4 > ext_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
@@ -1870,7 +1857,7 @@ static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
*p++ = 0x00;
}
- *olen = p - buf;
+ *olen = (size_t) (p - buf);
}
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
@@ -1962,7 +1949,7 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
- p + 2, end - p - 2, &kkpp_len,
+ p + 2, (size_t) (end - p - 2), &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE);
if (ret != 0) {
psa_destroy_key(ssl->handshake->psa_pake_password);
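Review bot: The new `(size_t) (end - p - 2)` argument to `mbedtls_psa_ecjpake_write_round()` turns a negative difference into a very large buffer length, so the cast is only safe if at least two bytes are guaranteed to remain after `p`. That guarantee is not visible here because `ssl_write_ecjpake_kkpp_ext` starts outside the hunk; presumably an earlier space check provides it. If so, a comment at the call such as `/* end - p >= 2: guaranteed by the buffer-size check above */` would stop the cast from hiding a later regression. The same applies to the `mbedtls_ecjpake_write_round_one()` call in the next hunk and to the `(size_t) (end - p)` arguments added in `ssl_parse_client_key_exchange`.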
@@ -1972,7 +1959,7 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
}
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
- p + 2, end - p - 2, &kkpp_len,
+ p + 2, (size_t) (end - p - 2), &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
@@ -2093,7 +2080,7 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
- ssl->out_msglen = p - ssl->out_msg;
+ ssl->out_msglen = (size_t) (p - ssl->out_msg);
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
@@ -2191,11 +2178,6 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
- if (ssl->conf->f_rng == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
- return MBEDTLS_ERR_SSL_NO_RNG;
- }
-
/*
* 0 . 0 handshake type
* 1 . 3 handshake length
@@ -2398,7 +2380,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
p += 2 + ext_len;
}
- ssl->out_msglen = p - buf;
+ ssl->out_msglen = (size_t) (p - buf);
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
@@ -2582,12 +2564,12 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
- total_dn_size += 2 + dn_size;
+ total_dn_size += (unsigned short) (2 + dn_size);
crt = crt->next;
}
}
- ssl->out_msglen = p - buf;
+ ssl->out_msglen = (size_t) (p - buf);
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
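Review bot: The cast in `total_dn_size += (unsigned short) (2 + dn_size);` silences the conversion warning but also makes any truncation or wrap of the running total silent. That total is what `MBEDTLS_PUT_UINT16_BE` writes as the DN list length at the end of this hunk. Whether the sum is bounded by the output buffer depends on the loop's space check and on the variable declarations, both above this hunk, since `ssl_write_certificate_request` starts outside it. If the bound holds, state it at the cast, e.g. `/* bounded by the output buffer space check in this loop */`.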
@@ -2611,12 +2593,12 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
mbedtls_pk_context *pk;
mbedtls_pk_type_t pk_type;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t key_len;
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- size_t key_len;
mbedtls_ecp_group_id grp_id;
- unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
mbedtls_ecp_keypair *key;
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
@@ -2639,31 +2621,65 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
- ssl->handshake->xxdh_psa_privkey = pk->priv_id;
-
- /* Key should not be destroyed in the TLS library */
- ssl->handshake->xxdh_psa_privkey_is_external = 1;
-
- status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
- &key_attributes);
+ /* Get the attributes of the key previously parsed by PK module in
+ * order to extract its type and length (in bits). */
+ status = psa_get_key_attributes(pk->priv_id, &key_attributes);
if (status != PSA_SUCCESS) {
- ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
- return PSA_TO_MBEDTLS_ERR(status);
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
}
-
ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
- psa_reset_key_attributes(&key_attributes);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (pk_type != MBEDTLS_PK_OPAQUE) {
+ /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
+ * module and only have ECDSA capabilities. Since we need
+ * them for ECDH later, we export and then re-import them with
+ * proper flags and algorithm. Of course We also set key's type
+ * and bits that we just got above. */
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
+ psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
+
+ status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+ status = psa_import_key(&key_attributes, buf, key_len,
+ &ssl->handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ /* Set this key as owned by the TLS library: it will be its duty
+ * to clear it exit. */
+ ssl->handshake->xxdh_psa_privkey_is_external = 0;
+
+ ret = 0;
+ break;
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ /* Opaque key is created by the user (externally from Mbed TLS)
+ * so we assume it already has the right algorithm and flags
+ * set. Just copy its ID as reference. */
+ ssl->handshake->xxdh_psa_privkey = pk->priv_id;
+ ssl->handshake->xxdh_psa_privkey_is_external = 1;
ret = 0;
break;
+
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
key = mbedtls_pk_ec_rw(*pk);
- grp_id = mbedtls_pk_get_group_id(pk);
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
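Review bot: In the non-opaque branch, `key_attributes = psa_key_attributes_init();` overwrites the structure that `psa_get_key_attributes()` has just filled, and this hunk removes the `psa_reset_key_attributes()` call that used to follow the query. The PSA API expects attributes obtained from `psa_get_key_attributes()` to be reset so that any auxiliary resources are released. Using `psa_reset_key_attributes(&key_attributes);` in place of the plain re-initialisation keeps that contract, and the type and bits have already been copied into `ssl->handshake` by then. The comment above it would also read better as "PK_ECKEY[_DH] and PK_ECDSA keys, as parsed by the PK module, only have ECDSA capabilities" and "to clear it on exit". The function starts and ends outside this hunk.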
@@ -2687,8 +2703,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
- key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
- ret = mbedtls_ecp_write_key(key, buf, key_len);
+ ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
if (ret != 0) {
mbedtls_platform_zeroize(buf, sizeof(buf));
break;
@@ -2710,6 +2725,10 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
+exit:
+ psa_reset_key_attributes(&key_attributes);
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
return ret;
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
@@ -2791,9 +2810,9 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
+ size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
#endif
#endif
@@ -3098,7 +3117,7 @@ curve_matching_done:
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+ size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
size_t hashlen = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
@@ -3113,8 +3132,8 @@ curve_matching_done:
mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
- unsigned int sig_hash =
- mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ unsigned char sig_hash =
+ (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
@@ -3372,7 +3391,7 @@ static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- n = ((*p)[0] << 8) | (*p)[1];
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
*p += 2;
if (*p + n > end) {
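Review bot: The bounds check `if (*p + n > end) {` right after the changed line forms a pointer up to 65535 bytes past `*p` before comparing. That is undefined once it goes beyond one-past-the-end of the buffer, so it may fail to reject an oversized length. `n` is read directly from the received message, so the comparison is safer on lengths, as `ssl_parse_client_psk_identity` does in the next hunk: `if (n > (size_t) (end - *p)) {`. This assumes the preceding check, outside the hunk along with the rest of `ssl_parse_client_dh_public`, keeps `*p` at or before `end`.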
@@ -3605,7 +3624,7 @@ static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- n = ((*p)[0] << 8) | (*p)[1];
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
*p += 2;
if (n == 0 || n > end - *p) {
@@ -3775,7 +3794,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#else
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
- p, end - p)) != 0) {
+ p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
@@ -3988,7 +4007,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
}
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
- p, end - p)) != 0) {
+ p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
@@ -4017,7 +4036,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
- &ssl->handshake->psa_pake_ctx, p, end - p,
+ &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
psa_destroy_key(ssl->handshake->psa_pake_password);
psa_pake_abort(&ssl->handshake->psa_pake_ctx);
@@ -4027,7 +4046,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
}
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
- p, end - p);
+ p, (size_t) (end - p));
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -4201,7 +4220,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
- sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
+ sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
i += 2;
if (i + sig_len != ssl->in_hslen) {
@@ -4262,6 +4281,9 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
* 10 . 9+n ticket content
*/
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
+#endif
if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
ssl->session_negotiate,
ssl->out_msg + 10,
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index c6fa3b3..162e3a3 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2,21 +2,7 @@
* TLS 1.3 client-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS ( https://tls.mbed.org )
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -25,7 +11,7 @@
#include <string.h>
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -33,7 +19,7 @@
#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
/* Define a local translating function to save code size by not using too many
@@ -635,7 +621,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
/* Skip writing extension if no PSK key exchange mode
* is enabled in the config.
*/
- if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
return 0;
}
@@ -654,14 +640,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
*/
p += 5;
- if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
ke_modes_len++;
MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
}
- if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
ke_modes_len++;
@@ -680,6 +666,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
return 0;
}
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
@@ -692,14 +679,13 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
return PSA_ALG_NONE;
}
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume &&
session != NULL && session->ticket != NULL &&
- mbedtls_ssl_conf_tls13_check_kex_modes(
- ssl, mbedtls_ssl_session_get_ticket_flags(
+ mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
+ ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
}
@@ -709,10 +695,8 @@ static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
mbedtls_ssl_session *session = ssl->session_negotiate;
return ssl->handshake->resume &&
session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- (session->ticket_flags &
- MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) &&
- mbedtls_ssl_tls13_cipher_suite_is_offered(
- ssl, session->ciphersuite);
+ mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
+ mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
}
#endif
@@ -945,28 +929,14 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
if (ssl_tls13_ticket_get_identity(
ssl, &hash_alg, &identity, &identity_len) == 0) {
#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now = mbedtls_time(NULL);
+ mbedtls_ms_time_t now = mbedtls_ms_time();
mbedtls_ssl_session *session = ssl->session_negotiate;
+ /* The ticket age has been checked to be smaller than the
+ * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
+ * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
+ * cast to `uint32_t` of the ticket age is safe. */
uint32_t obfuscated_ticket_age =
- (uint32_t) (now - session->ticket_received);
-
- /*
- * The ticket timestamp is in seconds but the ticket age is in
- * milliseconds. If the ticket was received at the end of a second and
- * re-used here just at the beginning of the next second, the computed
- * age `now - session->ticket_received` is equal to 1s thus 1000 ms
- * while the actual age could be just a few milliseconds or tens of
- * milliseconds. If the server has more accurate ticket timestamps
- * (typically timestamps in milliseconds), as part of the processing of
- * the ClientHello, it may compute a ticket lifetime smaller than the
- * one computed here and potentially reject the ticket. To avoid that,
- * remove one second to the ticket age if possible.
- */
- if (obfuscated_ticket_age > 0) {
- obfuscated_ticket_age -= 1;
- }
-
- obfuscated_ticket_age *= 1000;
+ (uint32_t) (now - session->ticket_reception_time);
obfuscated_ticket_age += session->ticket_age_add;
ret = ssl_tls13_write_identity(ssl, p, end,
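Review bot: The new comment justifies the `(uint32_t)` cast only by the upper bound on the ticket age, but `now` is sampled again here, and a negative `now - session->ticket_reception_time` would wrap to a large value before `ticket_age_add` is added. The check it cites is in `ssl_prepare_client_hello()`, which is not part of this file section, so the hunk does not show whether negative ages are rejected there. I would extend the comment to cover the lower bound, e.g. `* The age was also checked to be non-negative there.`, if that is what the code relies on.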
@@ -1190,8 +1160,17 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
}
p += ext_len;
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+#endif
+
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
if (ret != 0) {
return ret;
@@ -1201,23 +1180,29 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
#endif
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
- ssl_tls13_early_data_has_valid_ticket(ssl) &&
- ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
- ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len);
- if (ret != 0) {
- return ret;
- }
- p += ext_len;
+ /* In the first ClientHello, write the early data indication extension if
+ * necessary and update the early data state.
+ * If an HRR has been received and thus we are currently writing the
+ * second ClientHello, the second ClientHello must not contain an early
+ * data extension and the early data state must stay as it is:
+ * MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or
+ * MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.
+ */
+ if (!ssl->handshake->hello_retry_request_flag) {
+ if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
+ ssl_tls13_early_data_has_valid_ticket(ssl) &&
+ ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
+ ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 0, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
- /* Initializes the status to `rejected`. It will be updated to
- * `accepted` if the EncryptedExtension message contain an early data
- * indication extension.
- */
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;
+ } else {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;
+ }
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -1254,11 +1239,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
size_t psk_len;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
-#endif
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("Set hs psk for early data when writing the first psk"));
@@ -1313,6 +1294,16 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
return ret;
}
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
+#else
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
+#endif
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
return 0;
@@ -1485,7 +1476,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf)));
- if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl);
if (ret != 0) {
return ret;
@@ -1495,10 +1486,8 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
return SSL_SERVER_HELLO_TLS1_2;
}
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- ssl->session_negotiate->endpoint = ssl->conf->endpoint;
ssl->session_negotiate->tls_version = ssl->tls_version;
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
@@ -1514,7 +1503,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
* to a HelloRetryRequest), it MUST abort the handshake with an
* "unexpected_message" alert.
*/
- if (handshake->hello_retry_request_count > 0) {
+ if (handshake->hello_retry_request_flag) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
@@ -1527,7 +1516,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
* in the ClientHello.
* In a PSK only key exchange that what we expect.
*/
- if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Unexpected HRR in pure PSK key exchange."));
MBEDTLS_SSL_PEND_FATAL_ALERT(
@@ -1536,7 +1525,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
- handshake->hello_retry_request_count++;
+ handshake->hello_retry_request_flag = 1;
break;
}
@@ -1691,7 +1680,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
* proposed in the HRR, we abort the handshake and send an
* "illegal_parameter" alert.
*/
- else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
+ else if ((!is_hrr) && handshake->hello_retry_request_flag &&
(cipher_suite != ssl->session_negotiate->ciphersuite)) {
fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
}
@@ -1804,7 +1793,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
- if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup;
}
@@ -1906,38 +1895,8 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
goto cleanup;
}
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&
- (handshake->selected_identity != 0 ||
- handshake->ciphersuite_info->id !=
- ssl->session_negotiate->ciphersuite)) {
- /* RFC8446 4.2.11
- * If the server supplies an "early_data" extension, the
- * client MUST verify that the server's selected_identity
- * is 0. If any other value is returned, the client MUST
- * abort the handshake with an "illegal_parameter" alert.
- *
- * RFC 8446 4.2.10
- * In order to accept early data, the server MUST have accepted a PSK
- * cipher suite and selected the first key offered in the client's
- * "pre_shared_key" extension. In addition, it MUST verify that the
- * following values are the same as those associated with the
- * selected PSK:
- * - The TLS version number
- * - The selected cipher suite
- * - The selected ALPN [RFC7301] protocol, if any
- *
- * We check here that when early data is involved the server
- * selected the cipher suite associated to the pre-shared key
- * as it must have.
- */
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-#endif
- if (!mbedtls_ssl_conf_tls13_check_kex_modes(
+ if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
ssl, handshake->key_exchange_mode)) {
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG(
@@ -1960,7 +1919,7 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
* cases we compute it here.
*/
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||
handshake->key_exchange_mode ==
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
#endif
@@ -1983,7 +1942,6 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
- ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
ssl->session_in = ssl->session_negotiate;
cleanup:
@@ -2015,6 +1973,13 @@ static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
}
ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
+ }
+#endif
+
return 0;
}
@@ -2172,12 +2137,11 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, p + extension_data_len);
-
- /* TODO: Return unconditionally here until we handle the record
- * size limit correctly. Once handled correctly, only return in
- * case of errors. */
- return ret;
-
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
break;
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
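Review bot: `MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);` wraps the function name in parentheses, which is the argument shape used with `MBEDTLS_SSL_DEBUG_MSG` rather than `MBEDTLS_SSL_DEBUG_RET`. The other `MBEDTLS_SSL_DEBUG_RET` calls visible in this diff pass the bare string, e.g. `MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);`. Suggest `MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_parse_record_size_limit_ext", ret);` for consistency.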
@@ -2191,6 +2155,17 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
p += extension_data_len;
}
+ if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
+ (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ (
+ "Record size limit extension cannot be used with max fragment length extension"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
handshake->received_extensions);
@@ -2211,6 +2186,7 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
int ret;
unsigned char *buf;
size_t buf_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
@@ -2223,12 +2199,64 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->handshake->received_extensions &
- MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ /* RFC8446 4.2.11
+ * If the server supplies an "early_data" extension, the
+ * client MUST verify that the server's selected_identity
+ * is 0. If any other value is returned, the client MUST
+ * abort the handshake with an "illegal_parameter" alert.
+ *
+ * RFC 8446 4.2.10
+ * In order to accept early data, the server MUST have accepted a PSK
+ * cipher suite and selected the first key offered in the client's
+ * "pre_shared_key" extension. In addition, it MUST verify that the
+ * following values are the same as those associated with the
+ * selected PSK:
+ * - The TLS version number
+ * - The selected cipher suite
+ * - The selected ALPN [RFC7301] protocol, if any
+ *
+ * The server has sent an early data extension in its Encrypted
+ * Extension message thus accepted to receive early data. We
+ * check here that the additional constraints on the handshake
+ * parameters, when early data are exchanged, are met,
+ * namely:
+ * - a PSK has been selected for the handshake
+ * - the selected PSK for the handshake was the first one proposed
+ * by the client.
+ * - the selected ciphersuite for the handshake is the ciphersuite
+ * associated with the selected PSK.
+ */
+ if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
+ handshake->selected_identity != 0 ||
+ handshake->ciphersuite_info->id !=
+ ssl->session_negotiate->ciphersuite) {
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;
+ } else if (ssl->early_data_state !=
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
}
#endif
+ /*
+ * In case the client has proposed a PSK associated with a ticket,
+ * `ssl->session_negotiate->ciphersuite` still contains at this point the
+ * identifier of the ciphersuite associated with the ticket. This is that
+ * way because, if an exchange of early data is agreed upon, we need
+ * it to check that the ciphersuite selected for the handshake is the
+ * ticket ciphersuite (see above). This information is not needed
+ * anymore thus we can now set it to the identifier of the ciphersuite
+ * used in this session under negotiation.
+ */
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len));
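Review bot: The accept path sets `MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED` whenever EncryptedExtensions carries `early_data` and the PSK, identity and ciphersuite checks pass, without testing that this client sent an early data indication; only the `else if` branch looks at `ssl->early_data_state`. Presumably an unsolicited extension is already rejected inside `ssl_tls13_parse_encrypted_extensions()`, but that is outside this hunk. Either state the dependency, e.g. `/* An unsolicited early_data extension is rejected while parsing, so an indication was sent. */`, or add `ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT` to the accept condition. The quoted RFC text also lists the TLS version and ALPN, which the list of checked constraints below it omits; a word on whether that is deliberate would help.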
@@ -2251,6 +2279,7 @@ cleanup:
}
+#if defined(MBEDTLS_SSL_EARLY_DATA)
/*
* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
*
@@ -2289,6 +2318,32 @@ cleanup:
return ret;
}
+int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)
+{
+ if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||
+ (!mbedtls_ssl_is_handshake_over(ssl))) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ switch (ssl->early_data_state) {
+ case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;
+ break;
+
+ case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
+ break;
+
+ case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ break;
+
+ default:
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* STATE HANDLING: CertificateRequest
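Review bot: In `mbedtls_ssl_get_early_data_status()` every `break;` that follows a `return` inside the switch is unreachable and can be dropped. The `default:` branch also returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR` for all remaining states, including `MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED`, with no explanation. A short comment such as `/* No other state is expected once the handshake is over. */` would tell a reader this is deliberate, if that is the intent.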
@@ -2550,10 +2605,9 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
- } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
} else
#endif /* MBEDTLS_SSL_EARLY_DATA */
{
@@ -2673,6 +2727,37 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/* From RFC 8446 section 4.2.10
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * case new_session_ticket: uint32 max_early_data_size;
+ * ...
+ * };
+ * } EarlyDataIndication;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_new_session_ticket_early_data_ext(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ mbedtls_ssl_session *session = ssl->session;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
+
+ session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("received max_early_data_size: %u",
+ (unsigned int) session->max_early_data_size));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
const unsigned char *buf,
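Review bot: `ssl_tls13_parse_new_session_ticket_early_data_ext()` only checks that four bytes are readable, so an early_data extension longer than four bytes is now accepted and its trailing bytes ignored. The inline code this helper replaces rejected any `extension_data_len != 4` with a decode_error alert. Since `max_early_data_size` is a fixed-size `uint32`, an exact-length check keeps the parser strict. The helper also dereferences `ssl->session` without the `ssl->session != NULL` guard the old code had; that is fine only if the caller guarantees a session, which this hunk does not show.

```c
    mbedtls_ssl_session *session = ssl->session;

    /* max_early_data_size is a uint32: require exactly four bytes. */
    if (end - buf != 4) {
        MBEDTLS_SSL_PEND_FATAL_ALERT(
            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
            MBEDTLS_ERR_SSL_DECODE_ERROR);
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
    }
    /* … unchanged: read max_early_data_size, set ticket flag, debug message … */
```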
@@ -2706,15 +2791,12 @@ static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
switch (extension_type) {
#if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_TLS_EXT_EARLY_DATA:
- if (extension_data_len != 4) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- if (ssl->session != NULL) {
- ssl->session->ticket_flags |=
- MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
+ ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
+ ssl, p, p + extension_data_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
+ ret);
}
break;
#endif /* MBEDTLS_SSL_EARLY_DATA */
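Review bot: In the `MBEDTLS_TLS_EXT_EARLY_DATA` case a non-zero `ret` from the helper is only logged before the case breaks, whereas the removed code returned `MBEDTLS_ERR_SSL_DECODE_ERROR` for a malformed extension. Unless `ret` is returned after the switch, which is outside this hunk, a NewSessionTicket with a truncated early_data extension is now processed as if it were valid. Adding `return ret;` after the `MBEDTLS_SSL_DEBUG_RET(...)` call keeps the previous fail-closed behaviour.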
@@ -2774,6 +2856,11 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(3,
("ticket_lifetime: %u",
(unsigned int) session->ticket_lifetime));
+ if (session->ticket_lifetime >
+ MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
MBEDTLS_SSL_DEBUG_MSG(3,
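Review bot: The new `ticket_lifetime` check returns `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER` without queuing an alert, while the other illegal-parameter path in this commit (the early-data check in the EncryptedExtensions handler) calls `MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);` first. If the caller does not send one itself, which is not visible here, the server never learns why the ticket was refused. The log text also hard-codes "7 days" although the bound is `MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME`; printing the macro value would keep the two in step. The body of `ssl_tls13_parse_new_session_ticket()` continues outside this hunk.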
@@ -2812,7 +2899,7 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
session->ticket_len = ticket_len;
/* Clear all flags in ticket_flags */
- mbedtls_ssl_session_clear_ticket_flags(
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
@@ -2830,12 +2917,17 @@ static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
return ret;
}
- /* session has been updated, allow export */
- session->exported = 0;
-
return 0;
}
+/* Non negative return values for ssl_tls13_postprocess_new_session_ticket().
+ * - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the
+ * application that a valid ticket has been received.
+ * - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the
+ * connection alive but we do not signal the ticket to the application.
+ */
+#define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0
+#define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
unsigned char *ticket_nonce,
@@ -2847,9 +2939,13 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
psa_algorithm_t psa_hash_alg;
int hash_length;
+ if (session->ticket_lifetime == 0) {
+ return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;
+ }
+
#if defined(MBEDTLS_HAVE_TIME)
/* Store ticket creation time */
- session->ticket_received = mbedtls_time(NULL);
+ session->ticket_reception_time = mbedtls_ms_time();
#endif
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
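Review bot: The comment `/* Store ticket creation time */` no longer matches the field below it, which this hunk renames to `ticket_reception_time`; `/* Store ticket reception time */` would be accurate. The new `ticket_lifetime == 0` early return also has no comment, and the reason is not obvious from the code. Something like `/* RFC 8446 section 4.6.1: a ticket_lifetime of zero means the ticket is to be discarded immediately. */` above the check would document it.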
@@ -2899,11 +2995,11 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
session->resumption_key_len);
/* Set ticket_flags depends on the selected key exchange modes */
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->conf->tls13_kex_modes);
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
- return 0;
+ return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;
}
/*
@@ -2924,12 +3020,37 @@ static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
&buf, &buf_len));
+ /*
+ * We are about to update (maybe only partially) ticket data thus block
+ * any session export for the time being.
+ */
+ ssl->session->exported = 1;
+
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
ssl, buf, buf + buf_len,
&ticket_nonce, &ticket_nonce_len));
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
- ssl, ticket_nonce, ticket_nonce_len));
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(
+ ssl, ticket_nonce, ticket_nonce_len));
+
+ switch (ret) {
+ case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:
+ /*
+ * All good, we have received a new valid ticket, session data can
+ * be exported now and we signal the ticket to the application.
+ */
+ ssl->session->exported = 0;
+ ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
+ break;
+
+ case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:
+ ret = 0;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));
+ break;
+
+ default:
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
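Review bot: On the `POSTPROCESS_NEW_SESSION_TICKET_DISCARD` branch, and on any failure taken through the `MBEDTLS_SSL_PROC_CHK` macros, `ssl->session->exported` stays at 1 after being set before parsing. Per the comment above the assignment, that keeps session export blocked. This looks intentional, since the ticket fields may already be partly overwritten, but only the SIGNAL case is explained. A comment in the DISCARD case such as `/* Ticket data may be partially updated: session export stays blocked. */` would make that explicit. The `default:` case also ends without a `break;`, unlike the two cases above it.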
@@ -2979,9 +3100,11 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
ret = ssl_tls13_process_server_finished(ssl);
break;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_SSL_END_OF_EARLY_DATA:
ret = ssl_tls13_write_end_of_early_data(ssl);
break;
+#endif
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
ret = ssl_tls13_write_client_certificate(ssl);
@@ -3011,41 +3134,39 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
- if (ret == 0) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+ if (ret != 0) {
+ break;
}
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
- if (ret == 0) {
- mbedtls_ssl_handshake_set_state(
- ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+ if (ret != 0) {
+ break;
}
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
break;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
if (ret == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-#if defined(MBEDTLS_SSL_EARLY_DATA)
MBEDTLS_SSL_DEBUG_MSG(
1, ("Switch to early data keys for outbound traffic"));
mbedtls_ssl_set_outbound_transform(
ssl, ssl->handshake->transform_earlydata);
-#endif
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
}
break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
ret = ssl_tls13_process_new_session_ticket(ssl);
- if (ret != 0) {
- break;
- }
- ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
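Review bot: The first two CCS cases are rewritten to the `if (ret != 0) { break; }` early-exit form, but `MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO` in the same hunk keeps the `if (ret == 0) { ... }` form. Using one shape for all three would make it easier to see that the new `ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;` assignment happens only after the CCS was written successfully. The enclosing switch starts and ends outside this hunk.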
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 3c8d448..8ac6579 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -2,19 +2,7 @@
* TLS 1.3 functionality shared between client and server
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -24,12 +12,12 @@
#include <string.h>
#include "mbedtls/error.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "ssl_misc.h"
#include "ssl_tls13_invasive.h"
@@ -205,10 +193,12 @@ static void ssl_tls13_create_verify_structure(const unsigned char *transcript_ha
idx = 64;
if (from == MBEDTLS_SSL_IS_CLIENT) {
- memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv));
+ memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv,
+ MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv));
idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
} else { /* from == MBEDTLS_SSL_IS_SERVER */
- memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv));
+ memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv,
+ MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv));
idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
}
@@ -1391,6 +1381,12 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
+ /* Only one CCS to send. */
+ if (ssl->handshake->ccs_sent) {
+ ret = 0;
+ goto cleanup;
+ }
+
/* Write CCS message */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
ssl, ssl->out_msg,
@@ -1402,6 +1398,8 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
/* Dispatch message */
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
+ ssl->handshake->ccs_sent = 1;
+
cleanup:
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
@@ -1414,7 +1412,7 @@ cleanup:
*
* struct {
* select ( Handshake.msg_type ) {
- * ...
+ * case new_session_ticket: uint32 max_early_data_size;
* case client_hello: Empty;
* case encrypted_extensions: Empty;
* };
@@ -1422,25 +1420,92 @@ cleanup:
*/
#if defined(MBEDTLS_SSL_EARLY_DATA)
int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
+ int in_new_session_ticket,
unsigned char *buf,
const unsigned char *end,
size_t *out_len)
{
unsigned char *p = buf;
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ const size_t needed = in_new_session_ticket ? 8 : 4;
+#else
+ const size_t needed = 4;
+ ((void) in_new_session_ticket);
+#endif
+
*out_len = 0;
- ((void) ssl);
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed);
MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
- MBEDTLS_PUT_UINT16_BE(0, p, 2);
+ MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2);
- *out_len = 4;
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (in_new_session_ticket) {
+ MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ("Sent max_early_data_size=%u",
+ (unsigned int) ssl->conf->max_early_data_size));
+ }
+#endif
+
+ *out_len = needed;
mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
return 0;
}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len)
+{
+ /*
+ * This function should be called only while an handshake is in progress
+ * and thus a session under negotiation. Add a sanity check to detect a
+ * misuse.
+ */
+ if (ssl->session_negotiate == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* RFC 8446 section 4.6.1
+ *
+ * A server receiving more than max_early_data_size bytes of 0-RTT data
+ * SHOULD terminate the connection with an "unexpected_message" alert.
+ * Note that if it is still possible to send early_data_len bytes of early
+ * data, it means that early_data_len is smaller than max_early_data_size
+ * (type uint32_t) and can fit in an uint32_t. We use this further
+ * down.
+ */
+ if (early_data_len >
+ (ssl->session_negotiate->max_early_data_size -
+ ssl->total_early_data_size)) {
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("EarlyData: Too much early data received, "
+ "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
+ (unsigned long) ssl->total_early_data_size,
+ early_data_len,
+ (unsigned long) ssl->session_negotiate->max_early_data_size));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /*
+ * early_data_len has been checked to be less than max_early_data_size
+ * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
+ * the cast to appease some compilers.
+ */
+ ssl->total_early_data_size += (uint32_t) early_data_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Reset SSL context and update hash for handling HRR.
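Review bot: In `mbedtls_ssl_tls13_check_early_data_len()` the remaining budget is computed as `max_early_data_size - total_early_data_size`, which is only correct while the running total never exceeds the maximum. If both fields are unsigned (the comment describes the maximum as `uint32_t`; the declarations are not on this page) and that invariant is ever broken, the subtraction wraps and the limit stops being enforced. The function preserves the invariant itself, but `max_early_data_size` is assigned elsewhere, so a cheap explicit guard is worth having: `if (ssl->total_early_data_size > ssl->session_negotiate->max_early_data_size || early_data_len > ...)`.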
@@ -1534,26 +1599,36 @@ static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
{
switch (tls_id) {
+#if defined(PSA_WANT_DH_RFC7919_2048)
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
*bits = 2048;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+#if defined(PSA_WANT_DH_RFC7919_3072)
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
*bits = 3072;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+#if defined(PSA_WANT_DH_RFC7919_4096)
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
*bits = 4096;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+#if defined(PSA_WANT_DH_RFC7919_6144)
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
*bits = 6144;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+#if defined(PSA_WANT_DH_RFC7919_8192)
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
*bits = 8192;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_8192 */
default:
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -1693,6 +1768,7 @@ int mbedtls_ssl_tls13_check_received_extension(
}
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
/* RFC 8449, section 4:
*
* The ExtensionData of the "record_size_limit" extension is
@@ -1726,27 +1802,56 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
- /* RFC 8449, section 4
+ /* RFC 8449, section 4:
*
* Endpoints MUST NOT send a "record_size_limit" extension with a value
* smaller than 64. An endpoint MUST treat receipt of a smaller value
* as a fatal error and generate an "illegal_parameter" alert.
*/
if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
+ record_size_limit));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
- MBEDTLS_SSL_DEBUG_MSG(
- 2, ("record_size_limit extension is still in development. Aborting handshake."));
+ ssl->session_negotiate->record_size_limit = record_size_limit;
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
- MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ return 0;
}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ *out_len = 0;
+
+ MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
+ "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
+ "minimum record size limit");
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
+ p, 2);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
+
+ *out_len = 6;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
+ MBEDTLS_SSL_IN_CONTENT_LEN));
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
+
+ return 0;
+}
+
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
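Review bot: `mbedtls_ssl_tls13_write_record_size_limit_ext()` writes `MBEDTLS_SSL_IN_CONTENT_LEN` with `MBEDTLS_PUT_UINT16_BE`, but the static assert only covers the lower bound. A build configured with a content length above 0xFFFF would advertise a silently truncated limit. Configuration checks elsewhere may already cap the value, but that is not visible here, and a second assert next to the first documents the assumption: `MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN <= 0xFFFF, "MBEDTLS_SSL_IN_CONTENT_LEN does not fit the record_size_limit field");`. The literal `6` used for both the buffer check and `*out_len` would also read better as a named constant.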
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index 3fb79a9..b4506f7 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_SSL_TLS13_INVASIVE_H
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 5ae6210..739414e 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -2,19 +2,7 @@
* TLS 1.3 key schedule
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
@@ -25,7 +13,7 @@
#include <string.h>
#include "mbedtls/hkdf.h"
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
@@ -34,7 +22,7 @@
#include "ssl_tls13_invasive.h"
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
@@ -1152,8 +1140,8 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
- size_t key_len;
- size_t iv_len;
+ size_t key_len = 0;
+ size_t iv_len = 0;
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@@ -1353,8 +1341,8 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
- size_t key_len;
- size_t iv_len;
+ size_t key_len = 0;
+ size_t iv_len = 0;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@@ -1604,7 +1592,7 @@ static int ssl_tls13_generate_application_keys(
size_t hash_len;
/* Variables relating to the cipher for the chosen ciphersuite. */
- size_t key_len, iv_len;
+ size_t key_len = 0, iv_len = 0;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys"));
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index 21e9b4d..d3a4c6c 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -2,19 +2,7 @@
* TLS 1.3 key schedule
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
#define MBEDTLS_SSL_TLS1_3_KEYS_H
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index b8201f0..f5ef920 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2,31 +2,19 @@
* TLS 1.3 server-side functions
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "mbedtls/oid.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
@@ -51,6 +39,64 @@ static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
return ciphersuite_info;
}
+static void ssl_tls13_select_ciphersuite(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *cipher_suites,
+ const unsigned char *cipher_suites_end,
+ int psk_ciphersuite_id,
+ psa_algorithm_t psk_hash_alg,
+ const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
+{
+ *selected_ciphersuite_info = NULL;
+
+ /*
+ * In a compliant ClientHello the byte-length of the list of ciphersuites
+ * is even and this function relies on this fact. This should have been
+ * checked in the main ClientHello parsing function. Double check here.
+ */
+ if ((cipher_suites_end - cipher_suites) & 1) {
+ return;
+ }
+
+ for (const unsigned char *p = cipher_suites;
+ p < cipher_suites_end; p += 2) {
+ /*
+ * "cipher_suites_end - p is even" is an invariant of the loop. As
+ * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and it
+ * is thus safe to read two bytes.
+ */
+ uint16_t id = MBEDTLS_GET_UINT16_BE(p, 0);
+
+ const mbedtls_ssl_ciphersuite_t *info =
+ ssl_tls13_validate_peer_ciphersuite(ssl, id);
+ if (info == NULL) {
+ continue;
+ }
+
+ /*
+ * If a valid PSK ciphersuite identifier has been passed in, we want
+ * an exact match.
+ */
+ if (psk_ciphersuite_id != 0) {
+ if (id != psk_ciphersuite_id) {
+ continue;
+ }
+ } else if (psk_hash_alg != PSA_ALG_NONE) {
+ if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac) !=
+ psk_hash_alg) {
+ continue;
+ }
+ }
+
+ *selected_ciphersuite_info = info;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
+ (unsigned) psk_ciphersuite_id,
+ (unsigned long) psk_hash_alg));
+}
+
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/* From RFC 8446:
*
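Review bot: `ssl_tls13_select_ciphersuite()` is added without a header comment, so its contract has to be read out of the body. `psk_ciphersuite_id == 0` means no exact-match constraint, `psk_hash_alg == PSA_ALG_NONE` means no hash constraint, and `*selected_ciphersuite_info` is left NULL when nothing matches or the list length is odd. A short comment above the function stating these three points would help callers. The odd-length early return is also silent while the no-match path logs, so a debug message there would make a malformed list distinguishable from an empty intersection.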
@@ -102,11 +148,37 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
return 0;
}
-#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
-#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
+/*
+ * Non-error return values of
+ * ssl_tls13_offered_psks_check_identity_match_ticket() and
+ * ssl_tls13_offered_psks_check_identity_match(). They are positive to
+ * not collide with error codes that are negative. Zero
+ * (SSL_TLS1_3_PSK_IDENTITY_MATCH) in case of success as it may be propagated
+ * up by the callers of this function as a generic success condition.
+ *
+ * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means
+ * that the pre-shared-key identity matches that of a ticket or an externally-
+ * provisioned pre-shared-key. We have thus been able to retrieve the
+ * attributes of the pre-shared-key but at least one of them does not meet
+ * some criteria and the pre-shared-key cannot be used. For example, a ticket
+ * is expired or its version is not TLS 1.3. Note eventually that the return
+ * value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE does not have
+ * anything to do with binder check. A binder check is done only when a
+ * suitable pre-shared-key has been selected and only for that selected
+ * pre-shared-key: if the binder check fails, we fail the handshake and we do
+ * not try to find another pre-shared-key for which the binder check would
+ * succeed as recommended by the specification.
+ */
+#define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2
+#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1
+#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_identity_match_ticket(
mbedtls_ssl_context *ssl,
@@ -118,9 +190,10 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *ticket_buffer;
#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now;
- uint64_t age_in_s;
- int64_t age_diff_in_ms;
+ mbedtls_ms_time_t now;
+ mbedtls_ms_time_t server_age;
+ uint32_t client_age;
+ mbedtls_ms_time_t age_diff;
#endif
((void) obfuscated_ticket_age);
@@ -129,7 +202,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
/* Ticket parser is not configured, Skip */
if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
- return 0;
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
}
/* We create a copy of the encrypted ticket since the ticket parsing
@@ -139,63 +212,63 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
*/
ticket_buffer = mbedtls_calloc(1, identity_len);
if (ticket_buffer == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
memcpy(ticket_buffer, identity, identity_len);
- if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
- session,
- ticket_buffer, identity_len)) != 0) {
- if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
- } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
+ ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
+ session,
+ ticket_buffer, identity_len);
+ switch (ret) {
+ case 0:
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ break;
+
+ case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED:
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
- } else {
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
+ break;
+
+ case MBEDTLS_ERR_SSL_INVALID_MAC:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
+ ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+ break;
+
+ default:
MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
- }
+ ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
}
/* We delete the temporary buffer */
mbedtls_free(ticket_buffer);
- if (ret != 0) {
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
goto exit;
}
- /* RFC 8446 section 4.2.9
- *
- * Servers SHOULD NOT send NewSessionTicket with tickets that are not
- * compatible with the advertised modes; however, if a server does so,
- * the impact will just be that the client's attempts at resumption fail.
- *
- * We regard the ticket with incompatible key exchange modes as not match.
+ /*
+ * The identity matches that of a ticket. Now check that it has suitable
+ * attributes and bet it will not be the case.
*/
- ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
- MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
- session->ticket_flags);
- if (mbedtls_ssl_tls13_check_kex_modes(
- ssl,
- mbedtls_ssl_session_get_ticket_flags(
- session,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
+
+ if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3."));
goto exit;
}
- ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
#if defined(MBEDTLS_HAVE_TIME)
- now = mbedtls_time(NULL);
+ now = mbedtls_ms_time();
- if (now < session->start) {
+ if (now < session->ticket_creation_time) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
- ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
- (long long) now, (long long) session->start));
+ 3, ("Invalid ticket creation time ( now = %" MBEDTLS_PRINTF_MS_TIME
+ ", creation_time = %" MBEDTLS_PRINTF_MS_TIME " )",
+ now, session->ticket_creation_time));
goto exit;
}
- age_in_s = (uint64_t) (now - session->start);
+ server_age = now - session->ticket_creation_time;
/* RFC 8446 section 4.6.1
*
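Review bot: The comment "Now check that it has suitable attributes and bet it will not be the case" is hard to parse. It describes the fail-closed default set on the next line, and `/* The identity matches a ticket. Treat the ticket as not usable until every attribute check below has passed. */` says the same thing plainly. The `default:` branch of the new switch also maps every other `f_ticket_parse` error to `SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH`, so an internal failure in the ticket callback becomes indistinguishable from an unknown identity except at debug level 1. If that fallback is intended, a one-line comment on `default:` should say so. The function starts and ends outside this hunk.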
@@ -206,12 +279,11 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
* Clients MUST NOT attempt to use tickets which have ages greater than
* the "ticket_lifetime" value which was provided with the ticket.
*
- * For time being, the age MUST be less than 604800 seconds (7 days).
*/
- if (age_in_s > 604800) {
+ if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Ticket age exceeds limitation ticket_age=%lu",
- (long unsigned int) age_in_s));
+ 3, ("Ticket age exceeds limitation ticket_age = %" MBEDTLS_PRINTF_MS_TIME,
+ server_age));
goto exit;
}
@@ -222,27 +294,30 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
* ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
* within a small tolerance of the time since the ticket was issued.
*
- * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
- * as the age units are different on the server (s) and in the
- * client (ms) side. Add a -1000 ms tolerance window to take this
- * into account.
+ * NOTE: The typical accuracy of an RTC crystal is ±100 to ±20 parts per
+ * million (360 to 72 milliseconds per hour). Default tolerance
+ * window is 6s, thus in the worst case clients and servers must
+ * sync up their system time every 6000/360/2~=8 hours.
*/
- age_diff_in_ms = age_in_s * 1000;
- age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
- if (age_diff_in_ms <= -1000 ||
- age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
+ client_age = obfuscated_ticket_age - session->ticket_age_add;
+ age_diff = server_age - (mbedtls_ms_time_t) client_age;
+ if (age_diff < -MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE ||
+ age_diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Ticket age outside tolerance window ( diff=%d )",
- (int) age_diff_in_ms));
+ 3, ("Ticket age outside tolerance window ( diff = %"
+ MBEDTLS_PRINTF_MS_TIME ")",
+ age_diff));
goto exit;
}
-
- ret = 0;
-
#endif /* MBEDTLS_HAVE_TIME */
+ /*
+ * All good, we have found a suitable ticket.
+ */
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
+
exit:
- if (ret != 0) {
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
mbedtls_ssl_session_free(session);
}
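Review bot: The success assignment has moved from inside the `#if defined(MBEDTLS_HAVE_TIME)` block (the removed `ret = 0;` sat before the `#endif`) to after it. A build without MBEDTLS_HAVE_TIME therefore now reaches `ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;` with neither the lifetime limit nor the age-tolerance window applied, where the old code appears to have left `ret` at its failure value. If accepting tickets without any age check in that configuration is intended, I would say so at the `#endif`, e.g. `/* Without MBEDTLS_HAVE_TIME the ticket age is not checked. */`. It is also worth confirming that early data cannot be accepted in such a build, since the age window is the only freshness test visible here. The function begins above this hunk, so earlier checks are not visible.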
@@ -267,13 +342,11 @@ static int ssl_tls13_offered_psks_check_identity_match(
*psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
- ssl->handshake->resume = 0;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if (ssl_tls13_offered_psks_check_identity_match_ticket(
- ssl, identity, identity_len, obfuscated_ticket_age,
- session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
- ssl->handshake->resume = 1;
+ ret = ssl_tls13_offered_psks_check_identity_match_ticket(
+ ssl, identity, identity_len, obfuscated_ticket_age, session);
+ if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
*psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
ret = mbedtls_ssl_set_hs_psk(ssl,
session->resumption_key,
@@ -288,7 +361,9 @@ static int ssl_tls13_offered_psks_check_identity_match(
session->resumption_key_len);
MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
(unsigned) obfuscated_ticket_age));
- return SSL_TLS1_3_OFFERED_PSK_MATCH;
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) {
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
@@ -296,9 +371,9 @@ static int ssl_tls13_offered_psks_check_identity_match(
if (ssl->conf->f_psk != NULL) {
if (ssl->conf->f_psk(
ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
- return SSL_TLS1_3_OFFERED_PSK_MATCH;
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
}
- return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
}
MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
@@ -312,12 +387,20 @@ static int ssl_tls13_offered_psks_check_identity_match(
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
return ret;
}
- return SSL_TLS1_3_OFFERED_PSK_MATCH;
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
}
- return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
}
+/*
+ * Non-error return values of ssl_tls13_offered_psks_check_binder_match().
+ * They are positive to not collide with error codes that are negative. Zero
+ * (SSL_TLS1_3_BINDER_MATCH) in case of success as it may be propagated up
+ * by the callers of this function as a generic success condition.
+ */
+#define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1
+#define SSL_TLS1_3_BINDER_MATCH 0
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_binder_match(
mbedtls_ssl_context *ssl,
@@ -332,6 +415,10 @@ static int ssl_tls13_offered_psks_check_binder_match(
size_t psk_len;
unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
+ if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) {
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
+ }
+
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
@@ -361,101 +448,19 @@ static int ssl_tls13_offered_psks_check_binder_match(
server_computed_binder, transcript_len);
MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
- if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
- return SSL_TLS1_3_OFFERED_PSK_MATCH;
+ if (mbedtls_ct_memcmp(server_computed_binder,
+ binder,
+ PSA_HASH_LENGTH(psk_hash_alg)) == 0) {
+ return SSL_TLS1_3_BINDER_MATCH;
}
mbedtls_platform_zeroize(server_computed_binder,
sizeof(server_computed_binder));
- return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_select_ciphersuite_for_psk(
- mbedtls_ssl_context *ssl,
- const unsigned char *cipher_suites,
- const unsigned char *cipher_suites_end,
- uint16_t *selected_ciphersuite,
- const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
-{
- psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
-
- *selected_ciphersuite = 0;
- *selected_ciphersuite_info = NULL;
-
- /* RFC 8446, page 55.
- *
- * For externally established PSKs, the Hash algorithm MUST be set when the
- * PSK is established or default to SHA-256 if no such algorithm is defined.
- *
- */
-
- /*
- * Search for a matching ciphersuite
- */
- for (const unsigned char *p = cipher_suites;
- p < cipher_suites_end; p += 2) {
- uint16_t cipher_suite;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-
- cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
- ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
- cipher_suite);
- if (ciphersuite_info == NULL) {
- continue;
- }
-
- /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
- * Otherwise, client should reject.
- */
- if (psk_hash_alg ==
- mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac)) {
- *selected_ciphersuite = cipher_suite;
- *selected_ciphersuite_info = ciphersuite_info;
- return 0;
- }
- }
- MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_select_ciphersuite_for_resumption(
- mbedtls_ssl_context *ssl,
- const unsigned char *cipher_suites,
- const unsigned char *cipher_suites_end,
- mbedtls_ssl_session *session,
- uint16_t *selected_ciphersuite,
- const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
-{
-
- *selected_ciphersuite = 0;
- *selected_ciphersuite_info = NULL;
- for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {
- uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-
- if (cipher_suite != session->ciphersuite) {
- continue;
- }
-
- ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
- cipher_suite);
- if (ciphersuite_info == NULL) {
- continue;
- }
-
- *selected_ciphersuite = cipher_suite;
- *selected_ciphersuite_info = ciphersuite_info;
-
- return 0;
- }
-
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
const mbedtls_ssl_session *src)
{
@@ -467,10 +472,28 @@ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
}
memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ dst->max_early_data_size = src->max_early_data_size;
+
+#if defined(MBEDTLS_SSL_ALPN)
+ int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_ALPN */
+#endif /* MBEDTLS_SSL_EARLY_DATA*/
+
return 0;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+struct psk_attributes {
+ int type;
+ int key_exchange_mode;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+};
+#define PSK_ATTRIBUTES_INIT { 0, 0, NULL }
+
/* Parser for pre_shared_key extension in client hello
* struct {
* opaque identity<1..2^16-1>;
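Review bot: `struct psk_attributes` is added with no comment, and its `type` and `key_exchange_mode` members are plain `int`, so the reader has to find the users to learn which constants they hold. From the uses further down I would document them as `int type; /* MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL or MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION */` and `int key_exchange_mode; /* a single MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx value */`. A line on `ciphersuite_info` should say it is NULL until a ciphersuite compatible with the PSK has been selected. The struct and `PSK_ATTRIBUTES_INIT` are also defined unconditionally, while the variable using them is declared under `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED`; the same guard here would keep the two consistent.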
@@ -497,7 +520,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(
const unsigned char *pre_shared_key_ext,
const unsigned char *pre_shared_key_ext_end,
const unsigned char *ciphersuites,
- const unsigned char *ciphersuites_end)
+ const unsigned char *ciphersuites_end,
+ struct psk_attributes *psk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *identities = pre_shared_key_ext;
@@ -548,13 +572,12 @@ static int ssl_tls13_parse_pre_shared_key_ext(
uint32_t obfuscated_ticket_age;
const unsigned char *binder;
size_t binder_len;
- int psk_type;
- uint16_t cipher_suite;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ int psk_ciphersuite_id;
+ psa_algorithm_t psk_hash_alg;
+ int allowed_key_exchange_modes;
+
mbedtls_ssl_session session;
mbedtls_ssl_session_init(&session);
-#endif
MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
@@ -576,47 +599,74 @@ static int ssl_tls13_parse_pre_shared_key_ext(
ret = ssl_tls13_offered_psks_check_identity_match(
ssl, identity, identity_len, obfuscated_ticket_age,
- &psk_type, &session);
- if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
+ &psk->type, &session);
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
continue;
}
MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
- switch (psk_type) {
+
+ switch (psk->type) {
case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
- ret = ssl_tls13_select_ciphersuite_for_psk(
- ssl, ciphersuites, ciphersuites_end,
- &cipher_suite, &ciphersuite_info);
+ psk_ciphersuite_id = 0;
+ psk_hash_alg = PSA_ALG_SHA_256;
+ allowed_key_exchange_modes =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
break;
- case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- ret = ssl_tls13_select_ciphersuite_for_resumption(
- ssl, ciphersuites, ciphersuites_end, &session,
- &cipher_suite, &ciphersuite_info);
- if (ret != 0) {
- mbedtls_ssl_session_free(&session);
- }
-#else
- ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-#endif
+ case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
+ psk_ciphersuite_id = session.ciphersuite;
+ psk_hash_alg = PSA_ALG_NONE;
+ ssl->session_negotiate->ticket_flags = session.ticket_flags;
+ allowed_key_exchange_modes =
+ session.ticket_flags &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
break;
+#endif
default:
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- if (ret != 0) {
- /* See below, no cipher_suite available, abort handshake */
+
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
+
+ if ((allowed_key_exchange_modes &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
+ ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ } else if ((allowed_key_exchange_modes &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
+ ssl_tls13_key_exchange_is_psk_available(ssl)) {
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ }
+
+ if (psk->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode"));
+ continue;
+ }
+
+ ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end,
+ psk_ciphersuite_id, psk_hash_alg,
+ &psk->ciphersuite_info);
+
+ if (psk->ciphersuite_info == NULL) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_session_free(&session);
+#endif
+ /*
+ * We consider finding a ciphersuite suitable for the PSK as part
+ * of the validation of its binder. Thus if we do not find one, we
+ * abort the handshake with a decrypt_error alert.
+ */
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
- MBEDTLS_SSL_DEBUG_RET(
- 2, "ssl_tls13_select_ciphersuite", ret);
- return ret;
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
ret = ssl_tls13_offered_psks_check_binder_match(
- ssl, binder, binder_len, psk_type,
- mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac));
- if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
+ ssl, binder, binder_len, psk->type,
+ mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) psk->ciphersuite_info->mac));
+ if (ret != SSL_TLS1_3_BINDER_MATCH) {
/* For security reasons, the handshake should be aborted when we
* fail to validate a binder value. See RFC 8446 section 4.2.11.2
* and appendix E.6. */
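Review bot: The new `continue` after "No suitable PSK key exchange mode" leaves `session` unreleased, whereas the ciphersuite failure a few lines below calls `mbedtls_ssl_session_free(&session)` before returning. For a resumption PSK the session holds the resumption key and, judging by `src->ticket_alpn` in ssl_tls13_session_copy_ticket, possibly heap data, and the struct appears to be re-initialised on the next iteration. I would add `mbedtls_ssl_session_free(&session);` before that `continue`. Separately, `ssl->session_negotiate->ticket_flags = session.ticket_flags;` is written before the client has proven possession of the PSK through the binder, and it stays in place if the identity is then skipped; moving the assignment after the binder check avoids that. The loop this code sits in starts above the hunk.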
@@ -634,13 +684,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(
matched_identity = identity_id;
- /* Update handshake parameters */
- ssl->handshake->ciphersuite_info = ciphersuite_info;
- ssl->session_negotiate->ciphersuite = cipher_suite;
- MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",
- cipher_suite, ciphersuite_info->name));
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
+ if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
&session);
mbedtls_ssl_session_free(&session);
@@ -666,7 +711,7 @@ static int ssl_tls13_parse_pre_shared_key_ext(
return ret;
}
if (matched_identity == -1) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No usable PSK or ticket."));
return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
}
@@ -991,24 +1036,13 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
- return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
- ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
-#else
- ((void) ssl);
- return 0;
-#endif
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
- return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
- mbedtls_ssl_tls13_psk_enabled(ssl) &&
+ return mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
#else
((void) ssl);
@@ -1017,63 +1051,29 @@ static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
}
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
- return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
- mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
+ return mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) &&
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
#else
((void) ssl);
return 0;
#endif
}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
-static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl)
{
- /*
- * Determine the key exchange algorithm to use.
- * There are three types of key exchanges supported in TLS 1.3:
- * - (EC)DH with ECDSA,
- * - (EC)DH with PSK,
- * - plain PSK.
- *
- * The PSK-based key exchanges may additionally be used with 0-RTT.
- *
- * Our built-in order of preference is
- * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
- * 2 ) Certificate Mode ( ephemeral )
- * 3 ) Plain PSK Mode ( psk )
- */
-
- ssl->handshake->key_exchange_mode =
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
-
- if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
- ssl->handshake->key_exchange_mode =
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
- MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
- } else
- if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
- ssl->handshake->key_exchange_mode =
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
- MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
- } else
- if (ssl_tls13_check_psk_key_exchange(ssl)) {
- ssl->handshake->key_exchange_mode =
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
- MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(
- 1,
- ("ClientHello message misses mandatory extensions."));
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
+ ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
+#else
+ ((void) ssl);
return 0;
-
+#endif
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
@@ -1267,6 +1267,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
int no_usable_share_for_key_agreement = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ int got_psk = 0;
+ struct psk_attributes psk = PSK_ATTRIBUTES_INIT;
const unsigned char *pre_shared_key_ext = NULL;
const unsigned char *pre_shared_key_ext_end = NULL;
#endif
@@ -1403,12 +1405,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* We negotiate TLS 1.3.
*/
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- /* Store minor version for later use with ticket serialization. */
ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
ssl->session_negotiate->endpoint = ssl->conf->endpoint;
-#endif
/*
* We are negotiating the version 1.3 of the protocol. Do what we have
@@ -1434,37 +1432,20 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
*/
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
cipher_suites, cipher_suites_len);
- for (const unsigned char *cipher_suites_p = cipher_suites;
- cipher_suites_p < cipher_suites_end; cipher_suites_p += 2) {
- uint16_t cipher_suite;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-
- /*
- * "cipher_suites_end - cipher_suites_p is even" is an invariant of the
- * loop. As cipher_suites_end - cipher_suites_p > 0, we have
- * cipher_suites_end - cipher_suites_p >= 2 and it is thus safe to read
- * two bytes.
- */
- cipher_suite = MBEDTLS_GET_UINT16_BE(cipher_suites_p, 0);
- ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
- ssl, cipher_suite);
- if (ciphersuite_info == NULL) {
- continue;
- }
- ssl->session_negotiate->ciphersuite = cipher_suite;
- handshake->ciphersuite_info = ciphersuite_info;
- MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
- cipher_suite,
- ciphersuite_info->name));
- break;
- }
+ ssl_tls13_select_ciphersuite(ssl, cipher_suites, cipher_suites_end,
+ 0, PSA_ALG_NONE, &handshake->ciphersuite_info);
if (handshake->ciphersuite_info == NULL) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
+ ((unsigned) handshake->ciphersuite_info->id),
+ handshake->ciphersuite_info->name));
/* ...
* opaque legacy_compression_methods<1..2^8-1>;
@@ -1499,6 +1480,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
unsigned int extension_type;
size_t extension_data_len;
const unsigned char *extension_data_end;
+ uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH;
+
+ if (ssl->handshake->hello_retry_request_flag) {
+ /* Do not accept early data extension in 2nd ClientHello */
+ allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA);
+ }
/* RFC 8446, section 4.2.11
*
@@ -1526,7 +1513,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_tls13_check_received_extension(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
- MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
+ allowed_exts);
if (ret != 0) {
return ret;
}
@@ -1665,14 +1652,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, extension_data_end);
-
- /*
- * TODO: Return unconditionally here until we handle the record
- * size limit correctly.
- * Once handled correctly, only return in case of errors.
- */
- return ret;
-
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
break;
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
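Review bot: The function name is passed to MBEDTLS_SSL_DEBUG_RET as `("mbedtls_ssl_tls13_parse_record_size_limit_ext")` with an extra pair of parentheses, while the other call in this file's diff passes a bare literal (`1, "ssl_tls13_parse_pre_shared_key_ext", ret`). It still compiles, but the form mimics MBEDTLS_SSL_DEBUG_MSG, which does need the parentheses, and invites the two being confused. I would write `1, "mbedtls_ssl_tls13_parse_record_size_limit_ext", ret);`.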
@@ -1701,11 +1685,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
/* Update checksum with either
* - The entire content of the CH message, if no PSK extension is present
* - The content up to but excluding the PSK extension, if present.
+ * Always parse the pre-shared-key extension when present in the
+ * ClientHello even if some pre-requisites for PSK key exchange modes are
+ * not met. That way we always validate the syntax of the extension.
*/
- /* If we've settled on a PSK-based exchange, parse PSK identity ext */
- if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
- mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
- (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
ret = handshake->update_checksum(ssl, buf,
pre_shared_key_ext - buf);
if (0 != ret) {
@@ -1716,10 +1700,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
pre_shared_key_ext,
pre_shared_key_ext_end,
cipher_suites,
- cipher_suites_end);
- if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
- handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);
- } else if (ret != 0) {
+ cipher_suites_end,
+ &psk);
+ if (ret == 0) {
+ got_psk = 1;
+ } else if (ret != MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
MBEDTLS_SSL_DEBUG_RET(
1, "ssl_tls13_parse_pre_shared_key_ext", ret);
return ret;
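Review bot: On MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY the removed line cleared the PRE_SHARED_KEY bit in `handshake->received_extensions`; the new code leaves the bit set and records the outcome only in `got_psk`. Any code outside this hunk that still tests that bit to decide whether a PSK is in use would now see it set for a ClientHello whose PSKs were all rejected. If every such reader now goes through `key_exchange_mode`, a comment at this branch would make the contract explicit, e.g. `/* PRE_SHARED_KEY stays set in received_extensions; got_psk tells whether a PSK was accepted. */`.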
@@ -1734,12 +1719,68 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
}
- ret = ssl_tls13_determine_key_exchange_mode(ssl);
- if (ret < 0) {
- return ret;
+ /*
+ * Determine the key exchange algorithm to use.
+ * There are three types of key exchanges supported in TLS 1.3:
+ * - (EC)DH with ECDSA,
+ * - (EC)DH with PSK,
+ * - plain PSK.
+ *
+ * The PSK-based key exchanges may additionally be used with 0-RTT.
+ *
+ * Our built-in order of preference is
+ * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
+ * 2 ) Certificate Mode ( ephemeral )
+ * 3 ) Plain PSK Mode ( psk )
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (got_psk && (psk.key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL)) {
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
+
+ } else
+#endif
+ if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) {
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
+
+ }
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ else if (got_psk && (psk.key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK)) {
+ handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
+ }
+#endif
+ else {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("ClientHello message misses mandatory extensions."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
- if (ssl->handshake->key_exchange_mode !=
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (handshake->key_exchange_mode &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) {
+ handshake->ciphersuite_info = psk.ciphersuite_info;
+ ssl->session_negotiate->ciphersuite = psk.ciphersuite_info->id;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Select PSK ciphersuite: %04x - %s",
+ ((unsigned) psk.ciphersuite_info->id),
+ psk.ciphersuite_info->name));
+
+ if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
+ handshake->resume = 1;
+ }
+ }
+#endif
+
+ if (handshake->key_exchange_mode !=
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
hrr_required = (no_usable_share_for_key_agreement != 0);
}
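Review bot: `handshake->resume` is only ever set to 1 in this block, and the commit removes the `ssl->handshake->resume = 0;` reset from ssl_tls13_offered_psks_check_identity_match. If this function runs again for a second ClientHello after a HelloRetryRequest and that pass ends on the ephemeral branch, a 1 left by the first pass would seem to persist. Adding `handshake->resume = 0;` ahead of the `#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)` block removes the dependency on earlier state. Whether the handshake structure is reset between the two ClientHellos is not visible from this hunk.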
@@ -1749,10 +1790,97 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
}
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("EarlyData: rejected, feature disabled in server configuration."));
+ return -1;
+ }
+
+ if (!handshake->resume) {
+ /* We currently support early data only in the case of PSKs established
+ via a NewSessionTicket message thus in the case of a session
+ resumption. */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, not a session resumption."));
+ return -1;
+ }
+
+ /* RFC 8446 4.2.10
+ *
+ * In order to accept early data, the server MUST have accepted a PSK cipher
+ * suite and selected the first key offered in the client's "pre_shared_key"
+ * extension. In addition, it MUST verify that the following values are the
+ * same as those associated with the selected PSK:
+ * - The TLS version number
+ * - The selected cipher suite
+ * - The selected ALPN [RFC7301] protocol, if any
+ *
+ * NOTE:
+ * - The TLS version number is checked in
+ * ssl_tls13_offered_psks_check_identity_match_ticket().
+ */
+
+ if (handshake->selected_identity != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, the selected key in "
+ "`pre_shared_key` is not the first one."));
+ return -1;
+ }
+
+ if (handshake->ciphersuite_info->id !=
+ ssl->session_negotiate->ciphersuite) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, the selected ciphersuite is not the one "
+ "of the selected pre-shared key."));
+ return -1;
+
+ }
+
+ if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("EarlyData: rejected, early_data not allowed in ticket "
+ "permission bits."));
+ return -1;
+ }
+
+#if defined(MBEDTLS_SSL_ALPN)
+ const char *alpn = mbedtls_ssl_get_alpn_protocol(ssl);
+ size_t alpn_len;
+
+ if (alpn == NULL && ssl->session_negotiate->ticket_alpn == NULL) {
+ return 0;
+ }
+
+ if (alpn != NULL) {
+ alpn_len = strlen(alpn);
+ }
+
+ if (alpn == NULL ||
+ ssl->session_negotiate->ticket_alpn == NULL ||
+ alpn_len != strlen(ssl->session_negotiate->ticket_alpn) ||
+ (memcmp(alpn, ssl->session_negotiate->ticket_alpn, alpn_len) != 0)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, the selected ALPN is different "
+ "from the one associated with the pre-shared key."));
+ return -1;
+ }
+#endif
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/* Update the handshake state machine */
MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
+static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
+ int hrr_required)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
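Review bot: ssl_tls13_check_early_data_requirements() implements the RFC 8446 4.2.10 equality checks, but nothing in it limits how often the same first flight can be accepted. Unless an anti-replay mechanism exists elsewhere, accepted early data should be treated as replayable within the ticket age tolerance window, and a comment above the function saying so would help integrators decide what to process as 0-RTT. Smaller point: `alpn_len` is only read when `alpn != NULL` because of the short-circuit, but it is declared uninitialised; `size_t alpn_len = 0;` avoids maybe-uninitialized warnings. The ciphersuite comparison also appears always-equal for PSK modes, since the caller assigns both `handshake->ciphersuite_info` and `ssl->session_negotiate->ciphersuite` from `psk.ciphersuite_info`.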
@@ -1775,8 +1903,30 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
return ret;
}
- return 0;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ ssl->handshake->early_data_accepted =
+ (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0);
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
+ return ret;
+ }
+ } else {
+ ssl->discard_early_data_record =
+ hrr_required ?
+ MBEDTLS_SSL_EARLY_DATA_DISCARD :
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
+ }
+ }
+#else
+ ((void) hrr_required);
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ return 0;
}
/*
@@ -1806,19 +1956,31 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
* by MBEDTLS_SSL_PROC_CHK_NEG. */
/*
- * Version 1.2 of the protocol has been chosen, set the
+ * Version 1.2 of the protocol has to be used for the handshake.
+ * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
* ssl->keep_current_message flag for the ClientHello to be kept and parsed
* as a TLS 1.2 ClientHello. We also change ssl->tls_version to
* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
* will dispatch to the TLS 1.2 state machine.
*/
if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
+ /* Check if server supports TLS 1.2 */
+ if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("TLS 1.2 not supported."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
return 0;
}
- MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret ==
+ SSL_CLIENT_HELLO_HRR_REQUIRED));
if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
@@ -1841,10 +2003,6 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *server_randbytes =
ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
- if (ssl->conf->f_rng == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
- return MBEDTLS_ERR_SSL_NO_RNG;
- }
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
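Review bot: With the `ssl->conf->f_rng == NULL` guard removed, the call `ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, ...)` that follows has no visible protection against a configuration without an RNG. If that condition is now rejected once at handshake setup, a one-line comment such as `/* f_rng != NULL is checked before the handshake starts. */` would record where the guarantee comes from; otherwise the guard should stay. The rest of ssl_tls13_prepare_server_hello lies outside this hunk.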
@@ -2295,7 +2453,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (ssl->handshake->hello_retry_request_count > 0) {
+ if (ssl->handshake->hello_retry_request_flag) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
@@ -2342,7 +2500,7 @@ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
msg_len));
- ssl->handshake->hello_retry_request_count++;
+ ssl->handshake->hello_retry_request_flag = 1;
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
/* The server sends a dummy change_cipher_spec record immediately
@@ -2400,6 +2558,28 @@ static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
p += output_len;
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 0, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) {
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif
+
extensions_len = (p - p_extensions_len) - 2;
MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
@@ -2632,6 +2812,59 @@ static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
+ * RFC 8446 section A.2
+ *
+ * | Send ServerHello
+ * | K_send = handshake
+ * | Send EncryptedExtensions
+ * | [Send CertificateRequest]
+ * Can send | [Send Certificate + CertificateVerify]
+ * app data | Send Finished
+ * after --> | K_send = application
+ * here +--------+--------+
+ * No 0-RTT | | 0-RTT
+ * | |
+ * K_recv = handshake | | K_recv = early data
+ * [Skip decrypt errors] | +------> WAIT_EOED -+
+ * | | Recv | | Recv EndOfEarlyData
+ * | | early data | | K_recv = handshake
+ * | +------------+ |
+ * | |
+ * +> WAIT_FLIGHT2 <--------+
+ * |
+ * +--------+--------+
+ * No auth | | Client auth
+ * | |
+ * | v
+ * | WAIT_CERT
+ * | Recv | | Recv Certificate
+ * | empty | v
+ * | Certificate | WAIT_CV
+ * | | | Recv
+ * | v | CertificateVerify
+ * +-> WAIT_FINISHED <---+
+ * | Recv Finished
+ *
+ *
+ * The following function handles the state changes after WAIT_FLIGHT2 in the
+ * above diagram. We are not going to receive early data related messages
+ * anymore, prepare to receive the first handshake message of the client
+ * second flight.
+ */
+static void ssl_tls13_prepare_for_handshake_second_flight(
+ mbedtls_ssl_context *ssl)
+{
+ if (ssl->handshake->certificate_request_sent) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+}
+
+/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
*/
MBEDTLS_CHECK_RETURN_CRITICAL
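Review bot: The RFC 8446 A.2 state diagram in the comment above ssl_tls13_prepare_for_handshake_second_flight is repeated line for line above ssl_tls13_process_end_of_early_data in the next hunk, so the two copies can drift apart. I would keep the diagram once and replace the second copy with a pointer such as `/* See the RFC 8446 section A.2 diagram above ssl_tls13_prepare_for_handshake_second_flight(); this function covers 0-RTT -> WAIT_FLIGHT2. */`. The helper itself reads fine as a plain extraction of the branch removed from ssl_tls13_write_server_finished.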
@@ -2652,21 +2885,179 @@ static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
return ret;
}
- MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->early_data_accepted) {
+ /* See RFC 8446 section A.2 for more information */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early keys for inbound traffic. "
+ "( K_recv = early data )"));
+ mbedtls_ssl_set_inbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
+ return 0;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to handshake keys for inbound traffic "
+ "( K_recv = handshake )"));
mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
- if (ssl->handshake->certificate_request_sent) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
- MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ ssl_tls13_prepare_for_handshake_second_flight(ssl);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
+ */
+#define SSL_GOT_END_OF_EARLY_DATA 0
+#define SSL_GOT_EARLY_DATA 1
+/* Coordination:
+ * Deals with the ambiguity of not knowing if the next message is an
+ * EndOfEarlyData message or an application message containing early data.
+ * Returns a negative code on failure, or
+ * - SSL_GOT_END_OF_EARLY_DATA
+ * - SSL_GOT_EARLY_DATA
+ * indicating which message is received.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+ ssl->keep_current_message = 1;
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Received an end_of_early_data message."));
+ return SSL_GOT_END_OF_EARLY_DATA;
}
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ if (ssl->in_offt == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
+ /* Set the reading pointer */
+ ssl->in_offt = ssl->in_msg;
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ return SSL_GOT_EARLY_DATA;
+ }
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ /* RFC 8446 section 4.5
+ *
+ * struct {} EndOfEarlyData;
+ */
+ if (buf != end) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
return 0;
}
/*
+ * RFC 8446 section A.2
+ *
+ * | Send ServerHello
+ * | K_send = handshake
+ * | Send EncryptedExtensions
+ * | [Send CertificateRequest]
+ * Can send | [Send Certificate + CertificateVerify]
+ * app data | Send Finished
+ * after --> | K_send = application
+ * here +--------+--------+
+ * No 0-RTT | | 0-RTT
+ * | |
+ * K_recv = handshake | | K_recv = early data
+ * [Skip decrypt errors] | +------> WAIT_EOED -+
+ * | | Recv | | Recv EndOfEarlyData
+ * | | early data | | K_recv = handshake
+ * | +------------+ |
+ * | |
+ * +> WAIT_FLIGHT2 <--------+
+ * |
+ * +--------+--------+
+ * No auth | | Client auth
+ * | |
+ * | v
+ * | WAIT_CERT
+ * | Recv | | Recv Certificate
+ * | empty | v
+ * | Certificate | WAIT_CV
+ * | | | Recv
+ * | v | CertificateVerify
+ * +-> WAIT_FINISHED <---+
+ * | Recv Finished
+ *
+ * The function handles actions and state changes from 0-RTT to WAIT_FLIGHT2 in
+ * the above diagram.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_end_of_early_data"));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl));
+
+ if (ret == SSL_GOT_END_OF_EARLY_DATA) {
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data(
+ ssl, buf, buf + buf_len));
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to handshake keys for inbound traffic"
+ "( K_recv = handshake )"));
+ mbedtls_ssl_set_inbound_transform(
+ ssl, ssl->handshake->transform_handshake);
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+ buf, buf_len));
+
+ ssl_tls13_prepare_for_handshake_second_flight(ssl);
+
+ } else if (ret == SSL_GOT_EARLY_DATA) {
+ ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA;
+ goto cleanup;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+cleanup:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data"));
+ return ret;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+/*
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
*/
MBEDTLS_CHECK_RETURN_CRITICAL
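Review bot: In ssl_tls13_process_end_of_early_data, nothing visible checks that EndOfEarlyData was the last content in its record before the inbound transform is switched to `transform_handshake`. RFC 8446 section 5.1 requires that messages immediately preceding a key change align with a record boundary, and that the connection is otherwise terminated with unexpected_message. If neither `mbedtls_ssl_tls13_fetch_handshake_msg` nor the record layer enforces this (both are outside the hunk), add the check before `mbedtls_ssl_set_inbound_transform` and pend `MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE` there. Separately, the debug string in that branch concatenates without a space; it should read `"Switch to handshake keys for inbound traffic "` as in ssl_tls13_write_server_finished.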
@@ -2706,7 +3097,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
* expected to be resolved with issue#6395.
*/
/* Sent NewSessionTicket message only when client supports PSK */
- if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
+ if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) {
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} else
@@ -2717,6 +3108,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
return 0;
}
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
*/
@@ -2746,7 +3138,6 @@ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ss
return SSL_NEW_SESSION_TICKET_WRITE;
}
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
unsigned char *ticket_nonce,
@@ -2760,19 +3151,34 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
-#if defined(MBEDTLS_HAVE_TIME)
- session->start = mbedtls_time(NULL);
-#endif
-
/* Set ticket_flags depends on the advertised psk key exchange mode */
- mbedtls_ssl_session_clear_ticket_flags(
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
- mbedtls_ssl_session_set_ticket_flags(
+ mbedtls_ssl_tls13_session_set_ticket_flags(
session, ssl->handshake->tls13_kex_modes);
#endif
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
+ ssl->conf->max_early_data_size > 0) {
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ session->max_early_data_size = ssl->conf->max_early_data_size;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ if (session->ticket_alpn == NULL) {
+ ret = mbedtls_ssl_session_set_ticket_alpn(session, ssl->alpn_chosen);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif
+
/* Generate ticket_age_add */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
(unsigned char *) &session->ticket_age_add,
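Review bot: The `if (session->ticket_alpn == NULL)` test keeps whatever ALPN is already stored in the session instead of recording `ssl->alpn_chosen` for the connection that issues this ticket. If the session object can arrive here with a value left from an earlier ticket (not visible in the hunk), the new ticket would carry a stale protocol, while RFC 8446 section 4.2.10 ties 0-RTT acceptance to the ALPN associated with the PSK. Either call `mbedtls_ssl_session_set_ticket_alpn(session, ssl->alpn_chosen)` unconditionally, provided the setter releases a previous value, or add a comment stating why a non-NULL `ticket_alpn` always equals the current selection. The function body continues outside the hunk.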
@@ -2854,12 +3260,13 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
* The following fields are placed inside the ticket by the
* f_ticket_write() function:
*
- * - creation time (start)
- * - flags (flags)
+ * - creation time (ticket_creation_time)
+ * - flags (ticket_flags)
* - age add (ticket_age_add)
- * - key (key)
- * - key length (key_len)
+ * - key (resumption_key)
+ * - key length (resumption_key_len)
* - ciphersuite (ciphersuite)
+ * - max_early_data_size (max_early_data_size)
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
@@ -2874,6 +3281,7 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
mbedtls_ssl_session *session = ssl->session;
size_t ticket_len;
uint32_t ticket_lifetime;
+ unsigned char *p_extensions_len;
*out_len = 0;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
@@ -2887,6 +3295,9 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
/* Generate ticket and ticket_lifetime */
+#if defined(MBEDTLS_HAVE_TIME)
+ session->ticket_creation_time = mbedtls_ms_time();
+#endif
ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
session,
p + 9 + ticket_nonce_size + 2,
@@ -2897,20 +3308,21 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
return ret;
}
- /* RFC 8446 4.6.1
+
+ /* RFC 8446 section 4.6.1
+ *
* ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
- * unsigned integer in network byte order from the time of ticket
- * issuance. Servers MUST NOT use any value greater than
- * 604800 seconds (7 days). The value of zero indicates that the
- * ticket should be discarded immediately. Clients MUST NOT cache
- * tickets for longer than 7 days, regardless of the ticket_lifetime,
- * and MAY delete tickets earlier based on local policy. A server
- * MAY treat a ticket as valid for a shorter period of time than what
- * is stated in the ticket_lifetime.
+ * unsigned integer in network byte order from the time of ticket
+ * issuance. Servers MUST NOT use any value greater than
+ * 604800 seconds (7 days) ...
*/
- if (ticket_lifetime > 604800) {
- ticket_lifetime = 604800;
+ if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Ticket lifetime (%u) is greater than 7 days.",
+ (unsigned int) ticket_lifetime));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
+
MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
(unsigned int) ticket_lifetime));
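Review bot: The over-limit branch now returns `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` after `f_ticket_write` has already run, where the old code clamped to 604800, and the shortened RFC comment does not say that this hard failure is deliberate. A ticket callback that reports more than 7 days therefore changes from a silently corrected value to a failed NewSessionTicket step, which integrators with custom callbacks need to know. I would add `/* The ticket callback must not report more than 7 days: treat it as a configuration error instead of clamping. */` above the `if`, and state the same limit in the documentation of the ticket-write callback. The function starts and ends outside the hunk.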
@@ -2935,15 +3347,35 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
/* Ticket Extensions
*
- * Note: We currently don't have any extensions.
- * Set length to zero.
+ * Extension extensions<0..2^16-2>;
*/
ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- MBEDTLS_PUT_UINT16_BE(0, p, 0);
+ p_extensions_len = p;
p += 2;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) {
+ size_t output_len;
+
+ if ((ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 1, p, end, &output_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_write_early_data_ext", ret);
+ return ret;
+ }
+ p += output_len;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ("early_data not allowed, "
+ "skip early_data extension in NewSessionTicket"));
+ }
+
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
+
*out_len = p - buf;
MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
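Review bot: `MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);` hands a signed pointer difference straight to the byte-writing macro, while the x509 hunks of this same patch make such differences explicit with `(size_t)` casts. For consistency I would write `MBEDTLS_PUT_UINT16_BE((size_t) (p - p_extensions_len) - 2, p_extensions_len, 0);`. This is a style point rather than an overflow, since only the single early_data extension is written between the two pointers in this hunk. The stray blank line before `#endif /* MBEDTLS_SSL_EARLY_DATA */` can go as well.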
@@ -3080,9 +3512,10 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
- if (ret == 0) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+ if (ret != 0) {
+ break;
}
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
break;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
@@ -3090,6 +3523,12 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
ret = ssl_tls13_write_server_finished(ssl);
break;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ ret = ssl_tls13_process_end_of_early_data(ssl);
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
case MBEDTLS_SSL_CLIENT_FINISHED:
ret = ssl_tls13_process_client_finished(ssl);
break;
diff --git a/library/threading.c b/library/threading.c
deleted file mode 100644
index 130c696..0000000
--- a/library/threading.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Threading abstraction layer
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Ensure gmtime_r is available even with -std=c99; must be defined before
- * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms.
- */
-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 200112L
-#endif
-
-#include "common.h"
-
-#if defined(MBEDTLS_THREADING_C)
-
-#include "mbedtls/threading.h"
-
-#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
-
-#if !defined(_WIN32) && (defined(unix) || \
- defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
- defined(__MACH__)))
-#include <unistd.h>
-#endif /* !_WIN32 && (unix || __unix || __unix__ ||
- * (__APPLE__ && __MACH__)) */
-
-#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
- (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
-/*
- * This is a convenience shorthand macro to avoid checking the long
- * preprocessor conditions above. Ideally, we could expose this macro in
- * platform_util.h and simply use it in platform_util.c, threading.c and
- * threading.h. However, this macro is not part of the Mbed TLS public API, so
- * we keep it private by only defining it in this file
- */
-
-#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32))
-#define THREADING_USE_GMTIME
-#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
-
-#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
- ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
-
-#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
-
-#if defined(MBEDTLS_THREADING_PTHREAD)
-static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex)
-{
- if (mutex == NULL) {
- return;
- }
-
- /* A nonzero value of is_valid indicates a successfully initialized
- * mutex. This is a workaround for not being able to return an error
- * code for this function. The lock/unlock functions return an error
- * if is_valid is nonzero. The Mbed TLS unit test code uses this field
- * to distinguish more states of the mutex; see
- * tests/src/threading_helpers for details. */
- mutex->is_valid = pthread_mutex_init(&mutex->mutex, NULL) == 0;
-}
-
-static void threading_mutex_free_pthread(mbedtls_threading_mutex_t *mutex)
-{
- if (mutex == NULL || !mutex->is_valid) {
- return;
- }
-
- (void) pthread_mutex_destroy(&mutex->mutex);
- mutex->is_valid = 0;
-}
-
-static int threading_mutex_lock_pthread(mbedtls_threading_mutex_t *mutex)
-{
- if (mutex == NULL || !mutex->is_valid) {
- return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
- }
-
- if (pthread_mutex_lock(&mutex->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-
- return 0;
-}
-
-static int threading_mutex_unlock_pthread(mbedtls_threading_mutex_t *mutex)
-{
- if (mutex == NULL || !mutex->is_valid) {
- return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
- }
-
- if (pthread_mutex_unlock(&mutex->mutex) != 0) {
- return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
- }
-
- return 0;
-}
-
-void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_init_pthread;
-void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_free_pthread;
-int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_lock_pthread;
-int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_unlock_pthread;
-
-/*
- * With pthreads we can statically initialize mutexes
- */
-#define MUTEX_INIT = { PTHREAD_MUTEX_INITIALIZER, 1 }
-
-#endif /* MBEDTLS_THREADING_PTHREAD */
-
-#if defined(MBEDTLS_THREADING_ALT)
-static int threading_mutex_fail(mbedtls_threading_mutex_t *mutex)
-{
- ((void) mutex);
- return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
-}
-static void threading_mutex_dummy(mbedtls_threading_mutex_t *mutex)
-{
- ((void) mutex);
- return;
-}
-
-void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
-void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
-int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
-int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
-
-/*
- * Set functions pointers and initialize global mutexes
- */
-void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
- void (*mutex_free)(mbedtls_threading_mutex_t *),
- int (*mutex_lock)(mbedtls_threading_mutex_t *),
- int (*mutex_unlock)(mbedtls_threading_mutex_t *))
-{
- mbedtls_mutex_init = mutex_init;
- mbedtls_mutex_free = mutex_free;
- mbedtls_mutex_lock = mutex_lock;
- mbedtls_mutex_unlock = mutex_unlock;
-
-#if defined(MBEDTLS_FS_IO)
- mbedtls_mutex_init(&mbedtls_threading_readdir_mutex);
-#endif
-#if defined(THREADING_USE_GMTIME)
- mbedtls_mutex_init(&mbedtls_threading_gmtime_mutex);
-#endif
-}
-
-/*
- * Free global mutexes
- */
-void mbedtls_threading_free_alt(void)
-{
-#if defined(MBEDTLS_FS_IO)
- mbedtls_mutex_free(&mbedtls_threading_readdir_mutex);
-#endif
-#if defined(THREADING_USE_GMTIME)
- mbedtls_mutex_free(&mbedtls_threading_gmtime_mutex);
-#endif
-}
-#endif /* MBEDTLS_THREADING_ALT */
-
-/*
- * Define global mutexes
- */
-#ifndef MUTEX_INIT
-#define MUTEX_INIT
-#endif
-#if defined(MBEDTLS_FS_IO)
-mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
-#endif
-#if defined(THREADING_USE_GMTIME)
-mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
-#endif
-
-#endif /* MBEDTLS_THREADING_C */
diff --git a/library/timing.c b/library/timing.c
deleted file mode 100644
index 6852033..0000000
--- a/library/timing.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Portable interface to the CPU cycle counter
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_TIMING_C)
-
-#include "mbedtls/timing.h"
-
-#if !defined(MBEDTLS_TIMING_ALT)
-
-#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__) && !defined(__midipix__)
-#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in mbedtls_config.h"
-#endif
-
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-
-#include <windows.h>
-#include <process.h>
-
-struct _hr_time {
- LARGE_INTEGER start;
-};
-
-#else
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <signal.h>
-/* time.h should be included independently of MBEDTLS_HAVE_TIME. If the
- * platform matches the ifdefs above, it will be used. */
-#include <time.h>
-#include <sys/time.h>
-struct _hr_time {
- struct timeval start;
-};
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
-
-/**
- * \brief Return the elapsed time in milliseconds
- *
- * \warning May change without notice
- *
- * \param val points to a timer structure
- * \param reset If 0, query the elapsed time. Otherwise (re)start the timer.
- *
- * \return Elapsed time since the previous reset in ms. When
- * restarting, this is always 0.
- *
- * \note To initialize a timer, call this function with reset=1.
- *
- * Determining the elapsed time and resetting the timer is not
- * atomic on all platforms, so after the sequence
- * `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
- * get_timer(0) }` the value time1+time2 is only approximately
- * the delay since the first reset.
- */
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-
-unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
-{
- struct _hr_time *t = (struct _hr_time *) val;
-
- if (reset) {
- QueryPerformanceCounter(&t->start);
- return 0;
- } else {
- unsigned long delta;
- LARGE_INTEGER now, hfreq;
- QueryPerformanceCounter(&now);
- QueryPerformanceFrequency(&hfreq);
- delta = (unsigned long) ((now.QuadPart - t->start.QuadPart) * 1000ul
- / hfreq.QuadPart);
- return delta;
- }
-}
-
-#else /* _WIN32 && !EFIX64 && !EFI32 */
-
-unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
-{
- struct _hr_time *t = (struct _hr_time *) val;
-
- if (reset) {
- gettimeofday(&t->start, NULL);
- return 0;
- } else {
- unsigned long delta;
- struct timeval now;
- gettimeofday(&now, NULL);
- delta = (now.tv_sec - t->start.tv_sec) * 1000ul
- + (now.tv_usec - t->start.tv_usec) / 1000;
- return delta;
- }
-}
-
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
-
-/*
- * Set delays to watch
- */
-void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms)
-{
- mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
-
- ctx->int_ms = int_ms;
- ctx->fin_ms = fin_ms;
-
- if (fin_ms != 0) {
- (void) mbedtls_timing_get_timer(&ctx->timer, 1);
- }
-}
-
-/*
- * Get number of delays expired
- */
-int mbedtls_timing_get_delay(void *data)
-{
- mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
- unsigned long elapsed_ms;
-
- if (ctx->fin_ms == 0) {
- return -1;
- }
-
- elapsed_ms = mbedtls_timing_get_timer(&ctx->timer, 0);
-
- if (elapsed_ms >= ctx->fin_ms) {
- return 2;
- }
-
- if (elapsed_ms >= ctx->int_ms) {
- return 1;
- }
-
- return 0;
-}
-
-/*
- * Get the final delay.
- */
-uint32_t mbedtls_timing_get_final_delay(
- const mbedtls_timing_delay_context *data)
-{
- return data->fin_ms;
-}
-#endif /* !MBEDTLS_TIMING_ALT */
-#endif /* MBEDTLS_TIMING_C */
diff --git a/library/version.c b/library/version.c
deleted file mode 100644
index 4f78c9c..0000000
--- a/library/version.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Version information
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_VERSION_C)
-
-#include "mbedtls/version.h"
-#include <string.h>
-
-unsigned int mbedtls_version_get_number(void)
-{
- return MBEDTLS_VERSION_NUMBER;
-}
-
-void mbedtls_version_get_string(char *string)
-{
- memcpy(string, MBEDTLS_VERSION_STRING,
- sizeof(MBEDTLS_VERSION_STRING));
-}
-
-void mbedtls_version_get_string_full(char *string)
-{
- memcpy(string, MBEDTLS_VERSION_STRING_FULL,
- sizeof(MBEDTLS_VERSION_STRING_FULL));
-}
-
-#endif /* MBEDTLS_VERSION_C */
diff --git a/library/x509.c b/library/x509.c
index 990393c..3560490 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -2,19 +2,7 @@
* X.509 common functions for parsing and verification
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -31,7 +19,7 @@
#if defined(MBEDTLS_X509_USE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
@@ -149,7 +137,7 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
case MBEDTLS_MD_SHA1:
return "SHA1";
#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
+#if defined(PSA_WANT_ALG_SHA_224)
case MBEDTLS_MD_SHA224:
return "SHA224";
#endif
@@ -157,7 +145,7 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
case MBEDTLS_MD_SHA256:
return "SHA256";
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_MD_SHA384:
return "SHA384";
#endif
@@ -165,7 +153,7 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
case MBEDTLS_MD_SHA512:
return "SHA512";
#endif
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+#if defined(PSA_WANT_ALG_RIPEMD160)
case MBEDTLS_MD_RIPEMD160:
return "RIPEMD160";
#endif
diff --git a/library/x509_create.c b/library/x509_create.c
index 2583cdd..839b5df 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -2,26 +2,14 @@
* X.509 base functions for creating certificates / CSRs
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#if defined(MBEDTLS_X509_CREATE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
@@ -181,7 +169,7 @@ static int parse_attribute_value_string(const char *s,
return MBEDTLS_ERR_X509_INVALID_NAME;
}
}
- *data_len = d - data;
+ *data_len = (size_t) (d - data);
return 0;
}
@@ -254,31 +242,33 @@ static int parse_attribute_value_hex_der_encoded(const char *s,
/* Step 3: decode the DER. */
/* We've checked that der_length >= 1 above. */
*tag = der[0];
- unsigned char *p = der + 1;
- if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) {
- goto error;
- }
- /* Now p points to the first byte of the payload inside der,
- * and *data_len is the length of the payload. */
+ {
+ unsigned char *p = der + 1;
+ if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) {
+ goto error;
+ }
+ /* Now p points to the first byte of the payload inside der,
+ * and *data_len is the length of the payload. */
- /* Step 4: payload validation */
- if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) {
- goto error;
- }
- /* Strings must not contain null bytes. */
- if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) {
- for (size_t i = 0; i < *data_len; i++) {
- if (p[i] == 0) {
- goto error;
+ /* Step 4: payload validation */
+ if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) {
+ goto error;
+ }
+ /* Strings must not contain null bytes. */
+ if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) {
+ for (size_t i = 0; i < *data_len; i++) {
+ if (p[i] == 0) {
+ goto error;
+ }
}
}
- }
- /* Step 5: output the payload. */
- if (*data_len > data_size) {
- goto error;
+ /* Step 5: output the payload. */
+ if (*data_len > data_size) {
+ goto error;
+ }
+ memcpy(data, p, *data_len);
}
- memcpy(data, p, *data_len);
mbedtls_free(der);
return 0;
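Review bot: The new bare `{ ... }` block around steps 3 to 5 carries no comment explaining why it exists, so it reads as stray indentation and is likely to be flattened in a later cleanup. From the hunk it looks as if the braces confine the declaration of `p` so that `goto error` statements earlier in the function (outside the hunk) do not jump past its initialization. If that is the reason, say so directly above the opening brace: `/* Limit the scope of p: earlier "goto error" must not bypass its initialization. */`. The checks inside the block are unchanged apart from indentation.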
@@ -307,8 +297,8 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
while (c <= end) {
if (in_attr_type && *c == '=') {
- if ((attr_descr = x509_attr_descr_from_name(s, c - s)) == NULL) {
- if ((mbedtls_oid_from_numeric_string(&oid, s, c - s)) != 0) {
+ if ((attr_descr = x509_attr_descr_from_name(s, (size_t) (c - s))) == NULL) {
+ if ((mbedtls_oid_from_numeric_string(&oid, s, (size_t) (c - s))) != 0) {
return MBEDTLS_ERR_X509_INVALID_NAME;
} else {
numericoid = 1;
@@ -332,7 +322,7 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
/* We know that c >= s (loop invariant) and c != s (in this
* else branch), hence c - s - 1 >= 0. */
parse_ret = parse_attribute_value_hex_der_encoded(
- s + 1, c - s - 1,
+ s + 1, (size_t) (c - s) - 1,
data, sizeof(data), &data_len, &tag);
if (parse_ret != 0) {
mbedtls_free(oid.p);
@@ -392,6 +382,10 @@ int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid,
{
mbedtls_asn1_named_data *cur;
+ if (val_len > (SIZE_MAX - 1)) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
if ((cur = mbedtls_asn1_store_named_data(head, oid, oid_len,
NULL, val_len + 1)) == NULL) {
return MBEDTLS_ERR_X509_ALLOC_FAILED;
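Review bot: The new `val_len > (SIZE_MAX - 1)` guard in mbedtls_x509_set_extension has no comment tying it to the `val_len + 1` passed to mbedtls_asn1_store_named_data just below. A later change to that allocation size could leave the check stale without anyone noticing. I would add `/* val_len + 1 bytes are requested below; reject lengths where that sum would wrap. */` above the `if`. The function body continues outside the hunk.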
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 79ace8f..7901992 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -2,19 +2,7 @@
* X.509 Certificate Revocation List (CRL) parsing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -32,6 +20,7 @@
#if defined(MBEDTLS_X509_CRL_PARSE_C)
#include "mbedtls/x509_crl.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -379,7 +368,7 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
}
end = p + len;
- crl->tbs.len = end - crl->tbs.p;
+ crl->tbs.len = (size_t) (end - crl->tbs.p);
/*
* Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
@@ -423,7 +412,7 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
return ret;
}
- crl->issuer_raw.len = p - crl->issuer_raw.p;
+ crl->issuer_raw.len = (size_t) (p - crl->issuer_raw.p);
/*
* thisUpdate Time
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e9153e7..2fd56fb 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2,19 +2,7 @@
* X.509 certificate parsing and verification
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -34,6 +22,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -47,7 +36,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "pk_internal.h"
@@ -234,7 +223,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
if (pk_alg == MBEDTLS_PK_ECDSA ||
pk_alg == MBEDTLS_PK_ECKEY ||
pk_alg == MBEDTLS_PK_ECKEY_DH) {
- const mbedtls_ecp_group_id gid = mbedtls_pk_get_group_id(pk);
+ const mbedtls_ecp_group_id gid = mbedtls_pk_get_ec_group_id(pk);
if (gid == MBEDTLS_ECP_DP_NONE) {
return -1;
@@ -1120,7 +1109,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
}
end = crt_end = p + len;
- crt->raw.len = crt_end - buf;
+ crt->raw.len = (size_t) (crt_end - buf);
if (make_copy != 0) {
/* Create and populate a new buffer for the raw field. */
crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
@@ -1150,7 +1139,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
}
end = p + len;
- crt->tbs.len = end - crt->tbs.p;
+ crt->tbs.len = (size_t) (end - crt->tbs.p);
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
@@ -1197,7 +1186,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
return ret;
}
- crt->issuer_raw.len = p - crt->issuer_raw.p;
+ crt->issuer_raw.len = (size_t) (p - crt->issuer_raw.p);
/*
* Validity ::= SEQUENCE {
@@ -1227,7 +1216,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
return ret;
}
- crt->subject_raw.len = p - crt->subject_raw.p;
+ crt->subject_raw.len = (size_t) (p - crt->subject_raw.p);
/*
* SubjectPublicKeyInfo
@@ -1237,7 +1226,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
mbedtls_x509_crt_free(crt);
return ret;
}
- crt->pk_raw.len = p - crt->pk_raw.p;
+ crt->pk_raw.len = (size_t) (p - crt->pk_raw.p);
/*
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
@@ -3301,4 +3290,12 @@ void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
+{
+ if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) {
+ return crt->MBEDTLS_PRIVATE(ca_istrue);
+ }
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+}
+
#endif /* MBEDTLS_X509_CRT_PARSE_C */
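Review bot: mbedtls_x509_crt_get_ca_istrue is added without a comment, and its return value mixes a flag with an error code. When the basic-constraints extension is absent it returns MBEDTLS_ERR_X509_INVALID_EXTENSIONS, which is nonzero, so a caller writing `if (mbedtls_x509_crt_get_ca_istrue(crt))` would treat such a certificate as a CA. I would add above the definition `/* Returns the stored ca_istrue flag, or the negative MBEDTLS_ERR_X509_INVALID_EXTENSIONS if basicConstraints is absent; compare the result with 1, never test it for nonzero. */`. The public header may already say this, but it is not visible in this hunk.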
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 0b2bb6f..813d644 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -2,19 +2,7 @@
* X.509 Certificate Signing Request (CSR) parsing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -32,6 +20,7 @@
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -73,13 +62,17 @@ static int x509_csr_get_version(unsigned char **p,
* Parse CSR extension requests in DER format
*/
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
- unsigned char **p, const unsigned char *end)
+ unsigned char **p, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
- unsigned char *end_ext_data;
+ unsigned char *end_ext_data, *end_ext_octet;
+
while (*p < end) {
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
int ext_type = 0;
/* Read sequence tag */
@@ -100,13 +93,21 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
extn_oid.p = *p;
*p += extn_oid.len;
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
/* Data should be octet string type */
if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if (*p + len != end_ext_data) {
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
@@ -116,44 +117,72 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
- if (ret == 0) {
- /* Forbid repeated extensions */
- if ((csr->ext_types & ext_type) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_DATA);
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
}
- csr->ext_types |= ext_type;
-
- switch (ext_type) {
- case MBEDTLS_X509_EXT_KEY_USAGE:
- /* Parse key usage */
- if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
- &csr->key_usage)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
- /* Parse subject alt name */
- if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
- &csr->subject_alt_names)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_NS_CERT_TYPE:
- /* Parse netscape certificate type */
- if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
- &csr->ns_cert_type)) != 0) {
- return ret;
- }
- break;
- default:
- break;
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
+
+ if (is_critical) {
+ /* Data is marked as critical: fail */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
+ continue;
+ }
+
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
}
- *p = end_ext_data;
}
if (*p != end) {
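Review bot: With the trailing `*p = end_ext_data;` removed, the KEY_USAGE, SUBJECT_ALT_NAME and NS_CERT_TYPE cases no longer force `*p` to the end of the extension. The loop now relies on each mbedtls_x509_get_* helper leaving `*p` exactly at `end_ext_octet`. Whether all three guarantee that is not visible here; if one stopped short, the leftover bytes would be read as the start of the next extension. An explicit check after the `switch` keeps the invariant local: `if (*p != end_ext_octet) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); }`. x509_csr_parse_extensions starts and ends outside this hunk.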
@@ -168,7 +197,9 @@ static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
* Parse CSR attributes in DER format
*/
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
- const unsigned char *start, const unsigned char *end)
+ const unsigned char *start, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret;
size_t len;
@@ -207,7 +238,7 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
+ if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
return ret;
}
@@ -231,8 +262,10 @@ static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
/*
* Parse a CSR in DER format
*/
-int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
- const unsigned char *buf, size_t buflen)
+static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
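Review bot: The helper is now `static` but keeps the `mbedtls_` prefix, while the other static functions visible in this file are named `x509_csr_parse_extensions` and `x509_csr_parse_attributes`. Naming it `x509_csr_parse_der_internal`, here and at the two call sites in the wrappers added further down, would keep the `mbedtls_` prefix reserved for exported symbols. Its comment still reads "Parse a CSR in DER format", the same text as the public wrapper's, so I would also change it to `* Parse a CSR in DER format; cb (may be NULL) is offered extensions with an unrecognised OID`. The function body continues outside the hunk.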
@@ -296,7 +329,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
}
end = p + len;
- csr->cri.len = end - csr->cri.p;
+ csr->cri.len = (size_t) (end - csr->cri.p);
/*
* Version ::= INTEGER { v1(0) }
@@ -329,7 +362,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
return ret;
}
- csr->subject_raw.len = p - csr->subject_raw.p;
+ csr->subject_raw.len = (size_t) (p - csr->subject_raw.p);
/*
* subjectPKInfo SubjectPublicKeyInfo
@@ -356,7 +389,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
}
- if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
+ if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
mbedtls_x509_csr_free(csr);
return ret;
}
@@ -396,6 +429,26 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
}
/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
+}
+
+/*
+ * Parse a CSR in DER format with callback for unknown extensions
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
+}
+
+/*
* Parse a CSR, allowing for PEM or raw DER encoding
*/
int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
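Review bot: The comment on mbedtls_x509_csr_parse_der_with_ext_cb does not say what the callback's return value means. In x509_csr_parse_extensions a nonzero return from `cb` aborts the parse only when the extension is marked critical; for a non-critical extension it is discarded and parsing continues. A callback that returns an error in order to reject a CSR would therefore have no effect on non-critical extensions. I would extend the comment with `* A nonzero return from cb fails the parse only for critical extensions; for non-critical ones it is ignored.` The public header may already document this, but it is not part of this hunk.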
diff --git a/library/x509_internal.h b/library/x509_internal.h
new file mode 100644
index 0000000..8a2d2ed
--- /dev/null
+++ b/library/x509_internal.h
@@ -0,0 +1,86 @@
+/**
+ * \file x509.h
+ *
+ * \brief Internal part of the public "x509.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_X509_INTERNAL_H
+#define MBEDTLS_X509_INTERNAL_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "pk_internal.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_name *cur);
+int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg);
+int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
+ mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+ int *salt_len);
+#endif
+int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+ void **sig_opts);
+int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_time *t);
+int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *serial);
+int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *ext, int tag);
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+ const void *sig_opts);
+#endif
+int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
+int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+ int critical, const unsigned char *val,
+ size_t val_len);
+int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
+ const char *oid, size_t oid_len,
+ unsigned char *sig, size_t size,
+ mbedtls_pk_type_t pk_alg);
+int mbedtls_x509_get_ns_cert_type(unsigned char **p,
+ const unsigned char *end,
+ unsigned char *ns_cert_type);
+int mbedtls_x509_get_key_usage(unsigned char **p,
+ const unsigned char *end,
+ unsigned int *key_usage);
+int mbedtls_x509_get_subject_alt_name(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
+ const mbedtls_x509_sequence
+ *subject_alt_name,
+ const char *prefix);
+int mbedtls_x509_info_cert_type(char **buf, size_t *size,
+ unsigned char ns_cert_type);
+int mbedtls_x509_info_key_usage(char **buf, size_t *size,
+ unsigned int key_usage);
+
+int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
+ const mbedtls_x509_san_list *san_list);
+
+#endif /* MBEDTLS_X509_INTERNAL_H */
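Review bot: The Doxygen header of the new file names the wrong file: it says `\file x509.h`, but this is library/x509_internal.h, so the line should read ` * \file x509_internal.h`. The prototypes that follow carry no comments at all. Several take an `unsigned char **p` / `const unsigned char *end` pair, and a one-line note on each stating whether `*p` is advanced to `end` on success would spare callers from reading every implementation to find out.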
diff --git a/library/x509write.c b/library/x509write.c
index cd3c739..4704900 100644
--- a/library/x509write.c
+++ b/library/x509write.c
@@ -2,30 +2,18 @@
* X.509 internal, common functions for writing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/md.h"
#include <string.h>
#include <stdint.h>
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index a8a3022..56f23c9 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -2,19 +2,7 @@
* X.509 certificate writing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* References:
@@ -28,6 +16,7 @@
#if defined(MBEDTLS_X509_CRT_WRITE_C)
#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
@@ -45,7 +34,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
@@ -57,6 +46,10 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
{
+ if (ctx == NULL) {
+ return;
+ }
+
mbedtls_asn1_free_named_data_list(&ctx->subject);
mbedtls_asn1_free_named_data_list(&ctx->issuer);
mbedtls_asn1_free_named_data_list(&ctx->extensions);
@@ -493,7 +486,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
*/
MBEDTLS_ASN1_CHK_ADD(pub_len,
mbedtls_pk_write_pubkey_der(ctx->subject_key,
- buf, c - buf));
+ buf, (size_t) (c - buf)));
c -= pub_len;
len += pub_len;
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index d996052..0d6f6bb 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -2,19 +2,7 @@
* X.509 Certificate Signing Request writing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* References:
@@ -26,7 +14,7 @@
#if defined(MBEDTLS_X509_CSR_WRITE_C)
-#include "mbedtls/x509.h"
+#include "x509_internal.h"
#include "mbedtls/x509_csr.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
@@ -36,7 +24,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
@@ -55,6 +43,10 @@ void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx)
void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx)
{
+ if (ctx == NULL) {
+ return;
+ }
+
mbedtls_asn1_free_named_data_list(&ctx->subject);
mbedtls_asn1_free_named_data_list(&ctx->extensions);
@@ -197,7 +189,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_pk_write_pubkey_der(ctx->key,
- buf, c - buf));
+ buf, (size_t) (c - buf)));
c -= pub_len;
len += pub_len;
@@ -288,7 +280,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
/* Zero the unused bytes at the start of buf */
- memset(buf, 0, c2 - buf);
+ memset(buf, 0, (size_t) (c2 - buf));
return (int) len;
}
diff --git a/pkgconfig/.gitignore b/pkgconfig/.gitignore
new file mode 100644
index 0000000..5460c20
--- /dev/null
+++ b/pkgconfig/.gitignore
@@ -0,0 +1,2 @@
+Makefile
+*.pc
diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt
new file mode 100644
index 0000000..7dfc043
--- /dev/null
+++ b/pkgconfig/CMakeLists.txt
@@ -0,0 +1,25 @@
+if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
+ include(JoinPaths.cmake)
+ join_paths(PKGCONFIG_INCLUDEDIR "\${prefix}" "${CMAKE_INSTALL_INCLUDEDIR}")
+ join_paths(PKGCONFIG_LIBDIR "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
+
+ #define these manually since minimum CMAKE version is not 3.9 for DESCRIPTION and 3.12 for HOMEPAGE_URL usage in project() below.
+ # Prefix with something that won't clash with newer versions of CMAKE.
+ set(PKGCONFIG_PROJECT_DESCRIPTION "Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems.")
+ set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/")
+
+ configure_file(mbedcrypto.pc.in mbedcrypto.pc @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/mbedcrypto.pc
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+
+ configure_file(mbedtls.pc.in mbedtls.pc @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/mbedtls.pc
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+
+ configure_file(mbedx509.pc.in mbedx509.pc @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/mbedx509.pc
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+endif()
diff --git a/pkgconfig/JoinPaths.cmake b/pkgconfig/JoinPaths.cmake
new file mode 100644
index 0000000..193caed
--- /dev/null
+++ b/pkgconfig/JoinPaths.cmake
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+# This module provides function for joining paths
+# known from most languages
+#
+# Copyright The Mbed TLS Contributors
+#
+# This script originates from:
+# - https://github.com/jtojnar/cmake-snips
+# Jan has provided re-licensing under Apache 2.0 and GPL 2.0+ and
+# allowed for the change of Copyright.
+#
+# Modelled after Python’s os.path.join
+# https://docs.python.org/3.7/library/os.path.html#os.path.join
+# Windows not supported
+function(join_paths joined_path first_path_segment)
+ set(temp_path "${first_path_segment}")
+ foreach(current_segment IN LISTS ARGN)
+ if(NOT ("${current_segment}" STREQUAL ""))
+ if(IS_ABSOLUTE "${current_segment}")
+ set(temp_path "${current_segment}")
+ else()
+ set(temp_path "${temp_path}/${current_segment}")
+ endif()
+ endif()
+ endforeach()
+ set(${joined_path} "${temp_path}" PARENT_SCOPE)
+endfunction()
diff --git a/pkgconfig/mbedcrypto.pc.in b/pkgconfig/mbedcrypto.pc.in
new file mode 100644
index 0000000..b35afc1
--- /dev/null
+++ b/pkgconfig/mbedcrypto.pc.in
@@ -0,0 +1,10 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+includedir=@PKGCONFIG_INCLUDEDIR@
+libdir=@PKGCONFIG_LIBDIR@
+
+Name: @PROJECT_NAME@
+Description: @PKGCONFIG_PROJECT_DESCRIPTION@
+URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
+Version: @PROJECT_VERSION@
+Cflags: -I"${includedir}"
+Libs: -L"${libdir}" -lmbedcrypto
diff --git a/pkgconfig/mbedtls.pc.in b/pkgconfig/mbedtls.pc.in
new file mode 100644
index 0000000..2bfce80
--- /dev/null
+++ b/pkgconfig/mbedtls.pc.in
@@ -0,0 +1,11 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+includedir=@PKGCONFIG_INCLUDEDIR@
+libdir=@PKGCONFIG_LIBDIR@
+
+Name: @PROJECT_NAME@
+Description: @PKGCONFIG_PROJECT_DESCRIPTION@
+URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
+Version: @PROJECT_VERSION@
+Requires.private: mbedcrypto mbedx509
+Cflags: -I"${includedir}"
+Libs: -L"${libdir}" -lmbedtls
diff --git a/pkgconfig/mbedx509.pc.in b/pkgconfig/mbedx509.pc.in
new file mode 100644
index 0000000..0ab2e31
--- /dev/null
+++ b/pkgconfig/mbedx509.pc.in
@@ -0,0 +1,11 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+includedir=@PKGCONFIG_INCLUDEDIR@
+libdir=@PKGCONFIG_LIBDIR@
+
+Name: @PROJECT_NAME@
+Description: @PKGCONFIG_PROJECT_DESCRIPTION@
+URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
+Version: @PROJECT_VERSION@
+Requires.private: mbedcrypto
+Cflags: -I"${includedir}"
+Libs: -L"${libdir}" -lmbedx509
diff --git a/programs/.gitignore b/programs/.gitignore
index a641c31..e0c4987 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -38,6 +38,7 @@ psa/crypto_examples
psa/hmac_demo
psa/key_ladder_demo
psa/psa_constant_names
+psa/psa_hash
random/gen_entropy
random/gen_random_ctr_drbg
ssl/dtls_client
@@ -56,6 +57,7 @@ test/cpp_dummy_build
test/cpp_dummy_build.cpp
test/dlopen
test/ecp-bench
+test/metatest
test/query_compile_time_config
test/query_included_headers
test/selftest
diff --git a/programs/Makefile b/programs/Makefile
index 116883b..1f2d719 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -1,21 +1,5 @@
-
-# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
-
-CFLAGS ?= -O2
-WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-LDFLAGS ?=
-
-MBEDTLS_TEST_PATH:=../tests/src
-MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c))
-
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../tests/include -I../include -D_FILE_OFFSET_BITS=64
-LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
- -L../library \
- -lmbedtls$(SHARED_SUFFIX) \
- -lmbedx509$(SHARED_SUFFIX) \
- -lmbedcrypto$(SHARED_SUFFIX)
+MBEDTLS_TEST_PATH = ../tests
+include ../scripts/common.make
ifeq ($(shell uname -s),Linux)
DLOPEN_LDFLAGS ?= -ldl
@@ -23,44 +7,11 @@ else
DLOPEN_LDFLAGS ?=
endif
-include ../3rdparty/Makefile.inc
-LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
-
-ifndef SHARED
-MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
-else
-MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
+ifdef RECORD_PSA_STATUS_COVERAGE_LOG
+LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG
endif
DEP=${MBEDLIBS} ${MBEDTLS_TEST_OBJS}
-ifdef DEBUG
-LOCAL_CFLAGS += -g3
-endif
-
-# if we're running on Windows, build for Windows
-ifdef WINDOWS
-WINDOWS_BUILD=1
-endif
-
-ifdef WINDOWS_BUILD
-DLEXT=dll
-EXEXT=.exe
-LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-ifdef SHARED
-SHARED_SUFFIX=.$(DLEXT)
-endif
-else
-DLEXT ?= so
-EXEXT=
-SHARED_SUFFIX=
-endif
-
-ifdef WINDOWS
-PYTHON ?= python
-else
-PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
-endif
-
# Only build the dlopen test in shared library builds, and not when building
# for Windows.
ifdef BUILD_DLOPEN
@@ -123,6 +74,7 @@ APPS = \
ssl/ssl_server \
ssl/ssl_server2 \
test/benchmark \
+ test/metatest \
test/query_compile_time_config \
test/query_included_headers \
test/selftest \
@@ -138,7 +90,7 @@ APPS = \
x509/req_app \
# End of APPS
-ifdef PTHREAD
+ifeq ($(THREADING),pthread)
APPS += ssl/ssl_pthread_server
endif
@@ -165,10 +117,7 @@ all: fuzz
endif
fuzz: ${MBEDTLS_TEST_OBJS}
- $(MAKE) -C fuzz THIRDPARTY_INCLUDES=$(THIRDPARTY_INCLUDES)
-
-$(MBEDLIBS):
- $(MAKE) -C ../library
+ $(MAKE) -C fuzz
${MBEDTLS_TEST_OBJS}:
$(MAKE) -C ../tests mbedtls_test
@@ -177,17 +126,9 @@ ${MBEDTLS_TEST_OBJS}:
GENERATED_FILES = psa/psa_constant_names_generated.c test/query_config.c
generated_files: $(GENERATED_FILES)
-# See root Makefile
-GEN_FILES ?= yes
-ifdef GEN_FILES
-gen_file_dep =
-else
-gen_file_dep = |
-endif
-
psa/psa_constant_names_generated.c: $(gen_file_dep) ../scripts/generate_psa_constants.py
-psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_values.h
-psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_extra.h
+psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h
+psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tests/suites/test_suite_psa_crypto_metadata.data
psa/psa_constant_names_generated.c:
echo " Gen $@"
@@ -413,6 +354,10 @@ test/dlopen$(EXEXT): test/dlopen.c $(DEP)
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/dlopen.c $(LDFLAGS) $(DLOPEN_LDFLAGS) -o $@
endif
+test/metatest$(EXEXT): test/metatest.c $(DEP)
+ echo " CC test/metatest.c"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core test/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test/query_config.o: test/query_config.c test/query_config.h $(DEP)
echo " CC test/query_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@
@@ -482,12 +427,5 @@ else
endif
$(MAKE) -C fuzz clean
-neat: clean
-ifndef WINDOWS
- rm -f $(GENERATED_FILES)
-else
- for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
-endif
-
list:
echo $(EXES)
diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt
index 85bcd5f..ccb8db5 100644
--- a/programs/aes/CMakeLists.txt
+++ b/programs/aes/CMakeLists.txt
@@ -4,7 +4,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 1d9b522..b2cd704 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -3,19 +3,7 @@
* security.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of fileno() even when compiling with -std=c99. Must be
@@ -115,7 +103,11 @@ int main(int argc, char *argv[])
list = mbedtls_cipher_list();
while (*list) {
cipher_info = mbedtls_cipher_info_from_type(*list);
- mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
+ const char *name = mbedtls_cipher_info_get_name(cipher_info);
+
+ if (name) {
+ mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
+ }
list++;
}
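Review bot: The added NULL check stores the result in `name` but the print on the next line calls `mbedtls_cipher_info_get_name(cipher_info)` a second time instead of using it. Printing the checked value keeps the guard and the use tied to the same pointer: `mbedtls_printf(" %s\n", name);`. The loop sits inside main(), which starts and ends outside this hunk.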
diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt
index 93e5f31..e925524 100644
--- a/programs/cipher/CMakeLists.txt
+++ b/programs/cipher/CMakeLists.txt
@@ -4,7 +4,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/cipher/cipher_aead_demo.c b/programs/cipher/cipher_aead_demo.c
index ce39256..853ec20 100644
--- a/programs/cipher/cipher_aead_demo.c
+++ b/programs/cipher/cipher_aead_demo.c
@@ -25,19 +25,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index 7747744..c389029 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -1,5 +1,6 @@
set(libs
${mbedtls_target}
+ ${CMAKE_THREAD_LIBS_INIT}
)
find_library(FUZZINGENGINE_LIB FuzzingEngine)
diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile
index b4fc76a..828e518 100644
--- a/programs/fuzz/Makefile
+++ b/programs/fuzz/Makefile
@@ -1,36 +1,14 @@
-MBEDTLS_TEST_PATH:=../../tests/src
-MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c))
+MBEDTLS_TEST_PATH:=../../tests
-CFLAGS ?= -O2
-WARNING_CFLAGS ?= -Wall -Wextra
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../../tests/include -I../../include -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
- -L../../library \
- -lmbedtls$(SHARED_SUFFIX) \
- -lmbedx509$(SHARED_SUFFIX) \
- -lmbedcrypto$(SHARED_SUFFIX)
+MBEDTLS_PATH := ../..
+include ../../scripts/common.make
-LOCAL_CFLAGS += $(patsubst -I../%,-I../../%,$(THIRDPARTY_INCLUDES))
-
-ifndef SHARED
-DEP=../../library/libmbedcrypto.a ../../library/libmbedx509.a ../../library/libmbedtls.a
-else
-DEP=../../library/libmbedcrypto.$(DLEXT) ../../library/libmbedx509.$(DLEXT) ../../library/libmbedtls.$(DLEXT)
-endif
-
-
-DLEXT ?= so
-EXEXT=
-SHARED_SUFFIX=
+DEP=${MBEDLIBS}
ifdef FUZZINGENGINE
LOCAL_LDFLAGS += -lFuzzingEngine
endif
-ifdef WINDOWS_BUILD
-LOCAL_LDFLAGS += -lbcrypt
-endif
-
# A test application is built for each suites/test_suite_*.data file.
# Application name is same as .data file's base name and can be
# constructed by stripping path 'suites/' and extension .data.
@@ -45,9 +23,6 @@ BINARIES := $(addsuffix $(EXEXT),$(APPS))
all: $(BINARIES)
-$(DEP):
- $(MAKE) -C ../../library
-
C_FILES := $(addsuffix .c,$(APPS))
%.o: %.c
diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c
index d4e1d74..07ca96e 100644
--- a/programs/fuzz/fuzz_client.c
+++ b/programs/fuzz/fuzz_client.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c
index 3659026..6581dcb 100644
--- a/programs/fuzz/fuzz_dtlsclient.c
+++ b/programs/fuzz/fuzz_dtlsclient.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index 1632e9d..4343e81 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
@@ -16,7 +14,7 @@
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
- (defined(MBEDTLS_MD_CAN_SHA384) || \
+ (defined(PSA_WANT_ALG_SHA_384) || \
defined(MBEDTLS_MD_CAN_SHA256))
const char *pers = "fuzz_dtlsserver";
const unsigned char client_ip[4] = { 0x7F, 0, 0, 1 };
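Review bot: The guard now mixes two option families, `PSA_WANT_ALG_SHA_384` on the changed line and `MBEDTLS_MD_CAN_SHA256` on the line after it. If the intent is to move this harness to PSA_WANT symbols, the second operand would read `defined(PSA_WANT_ALG_SHA_256))`. If the mix is deliberate, a one-line comment above the condition saying why would keep the next reader from "fixing" it. The same condition is repeated in the following hunk inside LLVMFuzzerTestOneInput, and the `#if` itself starts outside both hunks.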
@@ -35,7 +33,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
- (defined(MBEDTLS_MD_CAN_SHA384) || \
+ (defined(PSA_WANT_ALG_SHA_384) || \
defined(MBEDTLS_MD_CAN_SHA256))
int ret;
size_t len;
@@ -137,7 +135,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
ret = mbedtls_ssl_handshake(&ssl);
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
- biomemfuzz.Offset = ssl.next_record_offset;
+ biomemfuzz.Offset = ssl.MBEDTLS_PRIVATE(next_record_offset);
mbedtls_ssl_session_reset(&ssl);
mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout);
if (mbedtls_ssl_set_client_transport_id(&ssl, client_ip, sizeof(client_ip)) != 0) {
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index ce75624..7530964 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
@@ -73,7 +71,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) {
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- mbedtls_ecp_group_id grp_id = ecp->grp.id;
+ mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index 9203b4e..0b153b1 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <stdint.h>
#include <stdlib.h>
#include "mbedtls/pk.h"
@@ -49,7 +47,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY ||
mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY_DH) {
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- mbedtls_ecp_group_id grp_id = ecp->grp.id;
+ mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(ecp);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
@@ -61,9 +59,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
/* It's a public key, so the private value should not have
* been changed from its initialization to 0. */
- if (mbedtls_mpi_cmp_int(&ecp->d, 0) != 0) {
+ mbedtls_mpi d;
+ mbedtls_mpi_init(&d);
+ if (mbedtls_ecp_export(ecp, NULL, &d, NULL) != 0) {
+ abort();
+ }
+ if (mbedtls_mpi_cmp_int(&d, 0) != 0) {
abort();
}
+ mbedtls_mpi_free(&d);
} else
#endif
{
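Review bot: The new `abort()` on a failed `mbedtls_ecp_export` makes the harness report a crash for an export error, which is presumably possible on allocation failure, and not only for the invariant the comment describes (private value still 0). That would show up as a false finding when fuzzing under a memory limit. Folding the two tests keeps the abort for the real invariant only: `if (mbedtls_ecp_export(ecp, NULL, &d, NULL) == 0 && mbedtls_mpi_cmp_int(&d, 0) != 0) { abort(); }`, with `mbedtls_mpi_free(&d);` still executed afterwards. The enclosing function starts and ends outside this hunk.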
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index e767859..64b35ed 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c
index 313540d..151db92 100644
--- a/programs/fuzz/fuzz_x509crl.c
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <stdint.h>
#include "mbedtls/x509_crl.h"
diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c
index 8442090..3eee072 100644
--- a/programs/fuzz/fuzz_x509crt.c
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <stdint.h>
#include "mbedtls/x509_crt.h"
diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c
index 395d3c2..7946e57 100644
--- a/programs/fuzz/fuzz_x509csr.c
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -1,5 +1,3 @@
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include <stdint.h>
#include "mbedtls/x509_csr.h"
diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt
index da98188..fcacf3b 100644
--- a/programs/hash/CMakeLists.txt
+++ b/programs/hash/CMakeLists.txt
@@ -6,7 +6,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/hash/generic_sum.c b/programs/hash/generic_sum.c
index 995694a..3fd2b00 100644
--- a/programs/hash/generic_sum.c
+++ b/programs/hash/generic_sum.c
@@ -2,19 +2,7 @@
* generic message digest layer demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/hash/hello.c b/programs/hash/hello.c
index 7bb27ad..8caae88 100644
--- a/programs/hash/hello.c
+++ b/programs/hash/hello.c
@@ -2,19 +2,7 @@
* Classic "Hello, world" demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/hash/md_hmac_demo.c b/programs/hash/md_hmac_demo.c
index 4c812fb..581816a 100644
--- a/programs/hash/md_hmac_demo.c
+++ b/programs/hash/md_hmac_demo.c
@@ -20,19 +20,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt
index 3ad5643..cd0387a 100644
--- a/programs/pkey/CMakeLists.txt
+++ b/programs/pkey/CMakeLists.txt
@@ -5,7 +5,7 @@ set(executables_mbedtls
foreach(exe IN LISTS executables_mbedtls)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedtls_target})
+ target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
@@ -32,7 +32,7 @@ set(executables_mbedcrypto
foreach(exe IN LISTS executables_mbedcrypto)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 5a2c30f..165cee2 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -2,19 +2,7 @@
* Diffie-Hellman-Merkle key exchange (client side)
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -25,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -45,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -56,6 +42,13 @@ int main(void)
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
+
+#elif defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int main(void)
+{
+ mbedtls_printf("MBEDTLS_BLOCK_CIPHER_NO_DECRYPT defined.\n");
+ mbedtls_exit(0);
+}
#else
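Review bot: The message in the context line at the top of this hunk still ends with `MBEDTLS_SHA1_C not defined`, but the guard changed earlier in this file no longer tests SHA-1 and now requires `MBEDTLS_SHA256_C`. A user whose build lacks SHA-256 is told about the wrong option. The last string fragment should drop the SHA-1 mention, e.g. `"MBEDTLS_CTR_DRBG_C not defined.\n"`. The earlier fragments of the string are outside the hunk, so whether they name `MBEDTLS_SHA256_C` should be checked as well.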
@@ -65,12 +58,14 @@ int main(void)
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context server_fd;
unsigned char *p, *end;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_mpi N, E;
const char *pers = "dh_client";
mbedtls_entropy_context entropy;
@@ -83,6 +78,8 @@ int main(void)
mbedtls_dhm_init(&dhm);
mbedtls_aes_init(&aes);
mbedtls_ctr_drbg_init(&ctr_drbg);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
/*
* 1. Setup the RNG
@@ -111,16 +108,13 @@ int main(void)
}
mbedtls_rsa_init(&rsa);
-
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
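Review bot: In the third operand of the new condition the closing parenthesis is misplaced: `(ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)` assigns the result of the comparison to `ret`, so a failed import reports 1 instead of the library error code. It should read `(ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E)) != 0`. The message printed on that path also still names `mbedtls_mpi_read_file` even when the import is what failed. The same parenthesis slip appears in dh_server.c in the hunk that adds `mbedtls_dhm_set_group(&dhm, &dhm_P, &dhm_G) != 0)`.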
@@ -187,18 +181,24 @@ int main(void)
p += 2;
- if ((n = (size_t) (end - p)) != rsa.MBEDTLS_PRIVATE(len)) {
+ if ((n = (size_t) (end - p)) != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf(" failed\n ! Invalid RSA signature size\n\n");
goto exit;
}
- if ((ret = mbedtls_sha1(buf, (int) (p - 2 - buf), hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256(buf, (int) (p - 2 - buf), hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
if ((ret = mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA256,
- 32, hash, p)) != 0) {
+ mdlen, hash, p)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret);
goto exit;
}
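Review bot: The length passed to the new `mbedtls_sha256` call is cast with `(int) (p - 2 - buf)`, although the parameter is a `size_t`. The value is derived from a buffer filled from the network, so going through a signed type adds a conversion that can only hide a bad offset. `(size_t) (p - 2 - buf)` states the intent directly, as the `n = (size_t) (end - p)` check a few lines above already does. The surrounding function starts and ends outside this hunk.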
@@ -278,6 +278,8 @@ exit:
mbedtls_dhm_free(&dhm);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 1f4cd59..6872e61 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -2,19 +2,7 @@
* Diffie-Hellman-Merkle key exchange (prime generation)
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index c940be0..1ae5651 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -2,19 +2,7 @@
* Diffie-Hellman-Merkle key exchange (server side)
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -25,14 +13,13 @@
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
- defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_MD_CAN_SHA1)
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_FS_IO) && defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/net_sockets.h"
#include "mbedtls/aes.h"
#include "mbedtls/dhm.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -45,9 +32,8 @@
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_DHM_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
- !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_SHA1_C)
+ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
@@ -65,11 +51,12 @@ int main(void)
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
+ unsigned int mdlen;
size_t n, buflen;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[2048];
- unsigned char hash[32];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
unsigned char buf2[2];
const char *pers = "dh_server";
@@ -79,7 +66,7 @@ int main(void)
mbedtls_dhm_context dhm;
mbedtls_aes_context aes;
- mbedtls_mpi N, P, Q, D, E;
+ mbedtls_mpi N, P, Q, D, E, dhm_P, dhm_G;
mbedtls_net_init(&listen_fd);
mbedtls_net_init(&client_fd);
@@ -88,8 +75,8 @@ int main(void)
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q);
- mbedtls_mpi_init(&D); mbedtls_mpi_init(&E);
-
+ mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&dhm_P);
+ mbedtls_mpi_init(&dhm_G);
/*
* 1. Setup the RNG
*/
@@ -154,8 +141,9 @@ int main(void)
goto exit;
}
- if (mbedtls_mpi_read_file(&dhm.MBEDTLS_PRIVATE(P), 16, f) != 0 ||
- mbedtls_mpi_read_file(&dhm.MBEDTLS_PRIVATE(G), 16, f) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&dhm_P, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&dhm_G, 16, f)) != 0 ||
+ (ret = mbedtls_dhm_set_group(&dhm, &dhm_P, &dhm_G) != 0)) {
mbedtls_printf(" failed\n ! Invalid DH parameter file\n\n");
fclose(f);
goto exit;
@@ -189,7 +177,7 @@ int main(void)
memset(buf, 0, sizeof(buf));
if ((ret =
- mbedtls_dhm_make_params(&dhm, (int) mbedtls_mpi_size(&dhm.MBEDTLS_PRIVATE(P)), buf, &n,
+ mbedtls_dhm_make_params(&dhm, (int) mbedtls_dhm_get_len(&dhm), buf, &n,
mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_dhm_make_params returned %d\n\n", ret);
goto exit;
@@ -198,21 +186,30 @@ int main(void)
/*
* 5. Sign the parameters and send them
*/
- if ((ret = mbedtls_sha1(buf, n, hash)) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_sha1 returned %d\n\n", ret);
+
+ mdlen = (unsigned int) mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256));
+ if (mdlen == 0) {
+ mbedtls_printf(" failed\n ! Invalid digest type\n\n");
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256(buf, n, hash, 0)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_sha256 returned %d\n\n", ret);
goto exit;
}
- buf[n] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len) >> 8);
- buf[n + 1] = (unsigned char) (rsa.MBEDTLS_PRIVATE(len));
+ const size_t rsa_key_len = mbedtls_rsa_get_len(&rsa);
+ buf[n] = (unsigned char) (rsa_key_len >> 8);
+ buf[n + 1] = (unsigned char) (rsa_key_len);
- if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, NULL, NULL, MBEDTLS_MD_SHA256,
- 32, hash, buf + n + 2)) != 0) {
+ if ((ret = mbedtls_rsa_pkcs1_sign(&rsa, mbedtls_ctr_drbg_random, &ctr_drbg,
+ MBEDTLS_MD_SHA256, mdlen,
+ hash, buf + n + 2)) != 0) {
mbedtls_printf(" failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret);
goto exit;
}
- buflen = n + 2 + rsa.MBEDTLS_PRIVATE(len);
+ buflen = n + 2 + rsa_key_len;
buf2[0] = (unsigned char) (buflen >> 8);
buf2[1] = (unsigned char) (buflen);
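Review bot: Nothing in this hunk checks that `n + 2 + rsa_key_len` fits in `buf` (declared as `unsigned char buf[2048]` earlier in main) before the two length bytes are stored and `mbedtls_rsa_pkcs1_sign` writes the signature at `buf + n + 2`. Both sizes come from key and parameter files read at run time, so a larger DH group or RSA key than the sample ones could write past the end of the array. A guard before the `buf[n] = ...` line would close that: `if (n + 2 + rsa_key_len > sizeof(buf)) { mbedtls_printf(" failed\n  ! Buffer too small\n\n"); goto exit; }`. The two-byte length fields also assume both values fit in 16 bits, which the same check would cover.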
@@ -290,7 +287,8 @@ int main(void)
exit:
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q);
- mbedtls_mpi_free(&D); mbedtls_mpi_free(&E);
+ mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&dhm_P);
+ mbedtls_mpi_free(&dhm_G);
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index 9804417..fedfcc9 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -2,19 +2,7 @@
* Example ECDHE with Curve25519 program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index 953c144..5664b8c 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -2,19 +2,7 @@
* Example ECDSA program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -72,8 +60,8 @@ static void dump_pubkey(const char *title, mbedtls_ecdsa_context *key)
unsigned char buf[300];
size_t len;
- if (mbedtls_ecp_point_write_binary(&key->MBEDTLS_PRIVATE(grp), &key->MBEDTLS_PRIVATE(Q),
- MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof(buf)) != 0) {
+ if (mbedtls_ecp_write_public_key(key, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, buf, sizeof(buf)) != 0) {
mbedtls_printf("internal error\n");
return;
}
@@ -91,6 +79,8 @@ int main(int argc, char *argv[])
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdsa_context ctx_sign, ctx_verify;
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char message[100];
@@ -140,7 +130,10 @@ int main(int argc, char *argv[])
goto exit;
}
- mbedtls_printf(" ok (key size: %d bits)\n", (int) ctx_sign.MBEDTLS_PRIVATE(grp).pbits);
+ mbedtls_ecp_group_id grp_id = mbedtls_ecp_keypair_get_group_id(&ctx_sign);
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(grp_id);
+ mbedtls_printf(" ok (key size: %d bits)\n", (int) curve_info->bit_size);
dump_pubkey(" + Public key: ", &ctx_sign);
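Review bot: `curve_info` is dereferenced in the new `mbedtls_printf` without a NULL check, and `mbedtls_ecp_curve_info_from_grp_id` returns NULL for a group id it does not know. Here the key was just generated, so this is unlikely to trigger, but a guard costs one line: `if (curve_info == NULL) { goto exit; }`. The same unchecked pattern is in the new `show_ecp_key` in gen_key.c (`curve_info->name`), where the key may come from any curve the pk layer accepts.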
@@ -186,16 +179,13 @@ int main(int argc, char *argv[])
mbedtls_printf(" . Preparing verification context...");
fflush(stdout);
- if ((ret =
- mbedtls_ecp_group_copy(&ctx_verify.MBEDTLS_PRIVATE(grp),
- &ctx_sign.MBEDTLS_PRIVATE(grp))) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_ecp_group_copy returned %d\n", ret);
+ if ((ret = mbedtls_ecp_export(&ctx_sign, NULL, NULL, &Q)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ecp_export returned %d\n", ret);
goto exit;
}
- if ((ret =
- mbedtls_ecp_copy(&ctx_verify.MBEDTLS_PRIVATE(Q), &ctx_sign.MBEDTLS_PRIVATE(Q))) != 0) {
- mbedtls_printf(" failed\n ! mbedtls_ecp_copy returned %d\n", ret);
+ if ((ret = mbedtls_ecp_set_public_key(grp_id, &ctx_verify, &Q)) != 0) {
+ mbedtls_printf(" failed\n ! mbedtls_ecp_set_public_key returned %d\n", ret);
goto exit;
}
@@ -220,6 +210,7 @@ exit:
mbedtls_ecdsa_free(&ctx_verify);
mbedtls_ecdsa_free(&ctx_sign);
+ mbedtls_ecp_point_free(&Q);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index 99e8850..194a5cb 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -2,27 +2,26 @@
* Key generation application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
-#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO) && \
- defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \
+ !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
+ !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_BIGNUM_C)
+int main(void)
+{
+ mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or "
+ "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+ "MBEDTLS_PEM_WRITE_C and/or MBEDTLS_BIGNUM_C "
+ "not defined.\n");
+ mbedtls_exit(0);
+}
+#else
+
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/ecdsa.h"
@@ -73,7 +72,6 @@ int dev_random_entropy_poll(void *data, unsigned char *output,
return 0;
}
#endif /* !_WIN32 */
-#endif
#if defined(MBEDTLS_ECP_C)
#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id
@@ -108,19 +106,6 @@ int dev_random_entropy_poll(void *data, unsigned char *output,
USAGE_DEV_RANDOM \
"\n"
-#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \
- !defined(MBEDTLS_CTR_DRBG_C)
-int main(void)
-{
- mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or "
- "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
- "MBEDTLS_PEM_WRITE_C"
- "not defined.\n");
- mbedtls_exit(0);
-}
-#else
-
/*
* global options
@@ -172,6 +157,71 @@ static int write_private_key(mbedtls_pk_context *key, const char *output_file)
return 0;
}
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
int main(int argc, char *argv[])
{
int ret = 1;
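Review bot: `curve_info->name` is dereferenced at the top of show_ecp_key without checking the result of mbedtls_ecp_curve_info_from_grp_id(), which returns NULL when the group id is not in the library's curve table. That presumably cannot happen for a key that was generated or parsed successfully, but the guard is cheap: `if (curve_info == NULL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; }` placed before the printf, where nothing has been initialised yet, so an early return skips no cleanup. The same function body is added in the key_app.c and key_app_writer.c hunks of this commit and needs the same guard. This hunk ends inside main(), whose body continues outside it.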
@@ -199,6 +249,7 @@ int main(int argc, char *argv[])
mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP);
#endif /* MBEDTLS_RSA_C */
+ mbedtls_entropy_init(&entropy);
mbedtls_pk_init(&key);
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(buf, 0, sizeof(buf));
@@ -286,7 +337,6 @@ usage:
mbedtls_printf("\n . Seeding the random number generator...");
fflush(stdout);
- mbedtls_entropy_init(&entropy);
#if !defined(_WIN32) && defined(MBEDTLS_FS_IO)
if (opt.use_dev_random) {
if ((ret = mbedtls_entropy_add_source(&entropy, dev_random_entropy_poll,
@@ -377,12 +427,10 @@ usage:
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_printf("curve: %s\n",
- mbedtls_ecp_curve_info_from_grp_id(ecp->MBEDTLS_PRIVATE(grp).id)->name);
- mbedtls_mpi_write_file("X_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Y_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("D: ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf(" ! key type not supported\n");
@@ -427,5 +475,4 @@ exit:
mbedtls_exit(exit_code);
}
-#endif /* MBEDTLS_PK_WRITE_C && MBEDTLS_PEM_WRITE_C && MBEDTLS_FS_IO &&
- * MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#endif /* program viability conditions */
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index cd16e33..e3a6966 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -2,19 +2,7 @@
* Key reading application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -65,6 +53,71 @@ int main(void)
#else
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
/*
* global options
*/
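Review bot: The four mbedtls_mpi_write_file() calls in show_ecp_key discard their return value, so a failed write still returns 0 to the caller. The code this replaces in key_app.c wrapped every such call in MBEDTLS_MPI_CHK (see the removed lines in the two later hunks of this file), so error reporting is weaker than before. Wrapping them again, e.g. `MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL));`, reuses the existing `ret` and `cleanup` label and needs no other change. The copies of show_ecp_key added to the other two files in this commit have the same unchecked calls.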
@@ -231,17 +284,10 @@ usage:
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(X): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Y): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Z): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("D : ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL));
+ if (show_ecp_key(mbedtls_pk_ec(pk), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto cleanup;
+ }
} else
#endif
{
@@ -281,16 +327,10 @@ usage:
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&pk) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(pk);
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(X): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Y): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16,
- NULL));
- MBEDTLS_MPI_CHK(mbedtls_mpi_write_file("Q(Z): ",
- &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16,
- NULL));
+ if (show_ecp_key(mbedtls_pk_ec(pk), 0) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto cleanup;
+ }
} else
#endif
{
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index 179094c..60f992e 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -2,28 +2,28 @@
* Key writing application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
-#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \
- defined(MBEDTLS_FS_IO) && \
- defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
+#if !defined(MBEDTLS_PK_PARSE_C) || \
+ !defined(MBEDTLS_PK_WRITE_C) || \
+ !defined(MBEDTLS_FS_IO) || \
+ !defined(MBEDTLS_ENTROPY_C) || \
+ !defined(MBEDTLS_CTR_DRBG_C) || \
+ !defined(MBEDTLS_BIGNUM_C)
+int main(void)
+{
+ mbedtls_printf("MBEDTLS_PK_PARSE_C and/or MBEDTLS_PK_WRITE_C and/or "
+ "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+ "MBEDTLS_FS_IO and/or MBEDTLS_BIGNUM_C not defined.\n");
+ mbedtls_exit(0);
+}
+#else
+
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/error.h"
@@ -33,7 +33,6 @@
#include <stdio.h>
#include <string.h>
-#endif
#if defined(MBEDTLS_PEM_WRITE_C)
#define USAGE_OUT \
@@ -78,20 +77,6 @@
USAGE_OUT \
"\n"
-#if !defined(MBEDTLS_PK_PARSE_C) || \
- !defined(MBEDTLS_PK_WRITE_C) || \
- !defined(MBEDTLS_FS_IO) || \
- !defined(MBEDTLS_ENTROPY_C) || \
- !defined(MBEDTLS_CTR_DRBG_C)
-int main(void)
-{
- mbedtls_printf("MBEDTLS_PK_PARSE_C and/or MBEDTLS_PK_WRITE_C and/or "
- "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
- "MBEDTLS_FS_IO not defined.\n");
- mbedtls_exit(0);
-}
-#else
-
/*
* global options
@@ -188,6 +173,71 @@ static int write_private_key(mbedtls_pk_context *key, const char *output_file)
return 0;
}
+#if defined(MBEDTLS_ECP_C)
+static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private)
+{
+ int ret = 0;
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(
+ mbedtls_ecp_keypair_get_group_id(ecp));
+ mbedtls_printf("curve: %s\n", curve_info->name);
+
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_mpi D;
+ mbedtls_mpi_init(&D);
+ mbedtls_ecp_point pt;
+ mbedtls_ecp_point_init(&pt);
+ mbedtls_mpi X, Y;
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp,
+ (has_private ? &D : NULL),
+ &pt));
+
+ unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t len = 0;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary(
+ &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, point_bin, sizeof(point_bin)));
+ switch (mbedtls_ecp_get_type(&grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((len & 1) == 0 || point_bin[0] != 0x04) {
+ /* Point in an unxepected format. This shouldn't happen. */
+ ret = -1;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2));
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL);
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len));
+ mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL);
+ break;
+ default:
+ mbedtls_printf(
+ "This program does not yet support listing coordinates for this curve type.\n");
+ break;
+ }
+
+ if (has_private) {
+ mbedtls_mpi_write_file("D: ", &D, 16, NULL);
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_mpi_free(&D);
+ mbedtls_ecp_point_free(&pt);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y);
+ return ret;
+}
+#endif
+
int main(int argc, char *argv[])
{
int ret = 1;
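Review bot: The MBEDTLS_ECP_TYPE_MONTGOMERY case of show_ecp_key needs a comment saying what "X_Q" means there. As far as I know, mbedtls_ecp_point_write_binary() emits the Montgomery x-coordinate in little-endian order while mbedtls_mpi_read_binary() parses big-endian. If so, the hex printed is the byte encoding of the point rather than the integer coordinate, and zero bytes at the start of that encoding may be dropped from the output. Suggested comment above the read: `/* point_bin is the little-endian encoding; X_Q prints those bytes in order, not the integer x */`. The same applies to the two earlier copies of this function, and the word `unxepected` in the Weierstrass branch comment should read `unexpected`.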
@@ -350,11 +400,10 @@ usage:
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_mpi_write_file("Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL);
- mbedtls_mpi_write_file("D : ", &ecp->MBEDTLS_PRIVATE(d), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf("key type not supported yet\n");
@@ -396,10 +445,10 @@ usage:
#endif
#if defined(MBEDTLS_ECP_C)
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
- mbedtls_mpi_write_file("Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL);
- mbedtls_mpi_write_file("Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL);
- mbedtls_mpi_write_file("Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL);
+ if (show_ecp_key(mbedtls_pk_ec(key), 0) != 0) {
+ mbedtls_printf(" failed\n ! could not export ECC parameters\n\n");
+ goto exit;
+ }
} else
#endif
mbedtls_printf("key type not supported yet\n");
@@ -443,5 +492,4 @@ exit:
mbedtls_exit(exit_code);
}
-#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C && MBEDTLS_FS_IO &&
- MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#endif /* program viability conditions */
diff --git a/programs/pkey/mpi_demo.c b/programs/pkey/mpi_demo.c
index 88d745e..e83aa32 100644
--- a/programs/pkey/mpi_demo.c
+++ b/programs/pkey/mpi_demo.c
@@ -2,19 +2,7 @@
* Simple MPI demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index f60c946..b8f7943 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -2,19 +2,7 @@
* Public key-based simple decryption program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index 04e5cc7..a916bc6 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -2,19 +2,7 @@
* RSA simple data encryption program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 57bd796..59347ad 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -2,19 +2,7 @@
* Public key-based signature creation program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index bca985b..3127df5 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -2,19 +2,7 @@
* Public key-based signature verification program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 0462ba6..a84af50 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -2,19 +2,7 @@
* RSA simple decryption program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -145,7 +133,7 @@ int main(int argc, char *argv[])
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c
index 2126a9b..6538f8a 100644
--- a/programs/pkey/rsa_encrypt.c
+++ b/programs/pkey/rsa_encrypt.c
@@ -2,19 +2,7 @@
* RSA simple data encryption program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -138,7 +126,7 @@ int main(int argc, char *argv[])
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c
index 17f6d65..dc58215 100644
--- a/programs/pkey/rsa_genkey.c
+++ b/programs/pkey/rsa_genkey.c
@@ -2,19 +2,7 @@
* Example RSA key generation program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 64375e9..e14953b 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -2,19 +2,7 @@
* RSA/SHA-256 signature creation program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -143,7 +131,7 @@ int main(int argc, char *argv[])
goto exit;
}
- for (i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++) {
+ for (i = 0; i < mbedtls_rsa_get_len(&rsa); i++) {
mbedtls_fprintf(f, "%02X%s", buf[i],
(i + 1) % 16 == 0 ? "\r\n" : " ");
}
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 999669e..3a1f747 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -2,19 +2,7 @@
* RSASSA-PSS/SHA-256 signature creation program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index d525010..4a9af77 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -2,19 +2,7 @@
* RSA/SHA-256 signature verification program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -49,11 +37,14 @@ int main(int argc, char *argv[])
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
+ mbedtls_mpi N, E;
unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
char filename[512];
mbedtls_rsa_init(&rsa);
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&E);
if (argc != 2) {
mbedtls_printf("usage: rsa_verify <filename>\n");
@@ -74,15 +65,13 @@ int main(int argc, char *argv[])
goto exit;
}
- if ((ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(N), 16, f)) != 0 ||
- (ret = mbedtls_mpi_read_file(&rsa.MBEDTLS_PRIVATE(E), 16, f)) != 0) {
+ if ((ret = mbedtls_mpi_read_file(&N, 16, f)) != 0 ||
+ (ret = mbedtls_mpi_read_file(&E, 16, f)) != 0 ||
+ (ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E) != 0)) {
mbedtls_printf(" failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret);
fclose(f);
goto exit;
}
-
- rsa.MBEDTLS_PRIVATE(len) = (mbedtls_mpi_bitlen(&rsa.MBEDTLS_PRIVATE(N)) + 7) >> 3;
-
fclose(f);
/*
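Review bot: The closing parenthesis on the added mbedtls_rsa_import() line is misplaced: `(ret = mbedtls_rsa_import(...) != 0)` assigns the result of the comparison, so on failure `ret` becomes 1 and the library error code is lost. It should follow the shape of the two lines above it: `(ret = mbedtls_rsa_import(&rsa, &N, NULL, NULL, NULL, &E)) != 0) {`. The message printed in that branch still names mbedtls_mpi_read_file even when the import is what failed, so the text should be made generic or the import checked in its own `if`. main() starts and ends outside this hunk.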
@@ -103,7 +92,7 @@ int main(int argc, char *argv[])
fclose(f);
- if (i != rsa.MBEDTLS_PRIVATE(len)) {
+ if (i != mbedtls_rsa_get_len(&rsa)) {
mbedtls_printf("\n ! Invalid RSA signature format\n\n");
goto exit;
}
@@ -136,6 +125,8 @@ int main(int argc, char *argv[])
exit:
mbedtls_rsa_free(&rsa);
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&E);
mbedtls_exit(exit_code);
}
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index 8a1fb59..afbbfa9 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -2,19 +2,7 @@
* RSASSA-PSS/SHA-256 signature verification program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt
index c8ee626..c0843e1 100644
--- a/programs/psa/CMakeLists.txt
+++ b/programs/psa/CMakeLists.txt
@@ -19,8 +19,8 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/../..
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_values.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_extra.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_values.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_extra.h
)
else()
link_to_source(psa_constant_names_generated.c)
@@ -28,7 +28,7 @@ endif()
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/psa/aead_demo.c b/programs/psa/aead_demo.c
index 0c2413e..619166d 100644
--- a/programs/psa/aead_demo.c
+++ b/programs/psa/aead_demo.c
@@ -26,19 +26,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
diff --git a/programs/psa/crypto_examples.c b/programs/psa/crypto_examples.c
index 3f109d8..b755f09 100644
--- a/programs/psa/crypto_examples.c
+++ b/programs/psa/crypto_examples.c
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "psa/crypto.h"
diff --git a/programs/psa/hmac_demo.c b/programs/psa/hmac_demo.c
index f25cdeb..2055054 100644
--- a/programs/psa/hmac_demo.c
+++ b/programs/psa/hmac_demo.c
@@ -20,19 +20,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c
index a79fac6..2734ceb 100644
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@@ -32,19 +32,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
diff --git a/programs/psa/key_ladder_demo.sh b/programs/psa/key_ladder_demo.sh
index bb4a24f..e55da7e 100755
--- a/programs/psa/key_ladder_demo.sh
+++ b/programs/psa/key_ladder_demo.sh
@@ -1,19 +1,7 @@
#!/bin/sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
. "${0%/*}/../demo_common.sh"
diff --git a/programs/psa/psa_constant_names.c b/programs/psa/psa_constant_names.c
index 8842685..0baf4a0 100644
--- a/programs/psa/psa_constant_names.c
+++ b/programs/psa/psa_constant_names.c
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <errno.h>
diff --git a/programs/psa/psa_hash.c b/programs/psa/psa_hash.c
index d3a6bf8..c5244d6 100644
--- a/programs/psa/psa_hash.c
+++ b/programs/psa/psa_hash.c
@@ -9,19 +9,7 @@
*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "psa/crypto.h"
diff --git a/programs/psa/psa_hash_demo.sh b/programs/psa/psa_hash_demo.sh
new file mode 100755
index 0000000..a26697c
--- /dev/null
+++ b/programs/psa/psa_hash_demo.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+. "${0%/*}/../demo_common.sh"
+
+msg <<'EOF'
+This program demonstrates the use of the PSA cryptography interface to
+compute a SHA-256 hash of a test string using the one-shot API call
+and also using the multi-part operation API.
+EOF
+
+depends_on MBEDTLS_PSA_CRYPTO_C PSA_WANT_ALG_SHA_256
+
+program="${0%/*}"/psa_hash
+
+"$program"
+
+cleanup
diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt
index e5edf7b..5940395 100644
--- a/programs/random/CMakeLists.txt
+++ b/programs/random/CMakeLists.txt
@@ -5,7 +5,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/random/gen_entropy.c b/programs/random/gen_entropy.c
index cc32171..887b2c9 100644
--- a/programs/random/gen_entropy.c
+++ b/programs/random/gen_entropy.c
@@ -2,19 +2,7 @@
* \brief Use and generate multiple entropies calls into a file
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/random/gen_random_ctr_drbg.c b/programs/random/gen_random_ctr_drbg.c
index e1db16e..0eecf0a 100644
--- a/programs/random/gen_random_ctr_drbg.c
+++ b/programs/random/gen_random_ctr_drbg.c
@@ -2,19 +2,7 @@
* \brief Use and generate random data into a file via the CTR_DBRG based on AES
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
index 280bbcf..ec2c86f 100644
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@@ -1,4 +1,3 @@
-set(THREADS_USE_PTHREADS_WIN32 true)
find_package(Threads)
set(libs
@@ -39,7 +38,7 @@ foreach(exe IN LISTS executables)
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
- target_link_libraries(${exe} ${libs})
+ target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2")
if(GEN_FILES)
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index f0abcab..ddb3c34 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -2,19 +2,7 @@
* Simple DTLS client demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index b11a4f5..732625e 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -2,19 +2,7 @@
* Simple DTLS server demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c
index e8f4797..ba0195c 100644
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@@ -3,19 +3,7 @@
* (meant to be used with config-suite-b.h or config-ccm-psk-tls1_2.h)
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -82,7 +70,7 @@ const char psk_id[] = "Client_identity";
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
-/* This is tests/data_files/test-ca2.crt, a CA using EC secp384r1 */
+/* This is framework/data_files/test-ca2.crt, a CA using EC secp384r1 */
const unsigned char ca_cert[] = {
0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 259b8f9..ee734b1 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -2,19 +2,7 @@
* SSL client demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 7c2c818..fef5c46 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2,19 +2,7 @@
* SSL client with certificate authentication
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
@@ -64,7 +52,7 @@ int main(void)
#define DFL_KEY_OPAQUE 0
#define DFL_KEY_PWD ""
#define DFL_PSK ""
-#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED
+#define DFL_EARLY_DATA -1
#define DFL_PSK_OPAQUE 0
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
@@ -359,7 +347,7 @@ int main(void)
#if defined(MBEDTLS_SSL_EARLY_DATA)
#define USAGE_EARLY_DATA \
- " early_data=%%d default: 0 (disabled)\n" \
+ " early_data=%%d default: library default\n" \
" options: 0 (disabled), 1 (enabled)\n"
#else
#define USAGE_EARLY_DATA ""
@@ -469,7 +457,7 @@ int main(void)
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
- " acceptable ciphersuite names:\n"
+ "\n"
/*
* global options
@@ -555,7 +543,7 @@ struct options {
int reproducible; /* make communication reproducible */
int skip_close_notify; /* skip sending the close_notify alert */
#if defined(MBEDTLS_SSL_EARLY_DATA)
- int early_data; /* support for early data */
+ int early_data; /* early data enablement flag */
#endif
int query_config_mode; /* whether to read config */
int use_srtp; /* Support SRTP */
@@ -705,7 +693,7 @@ static int ssl_save_session_serialize(mbedtls_ssl_context *ssl,
}
/* get size of the buffer needed */
- mbedtls_ssl_session_save(&exported_session, NULL, 0, session_data_len);
+ (void) mbedtls_ssl_session_save(&exported_session, NULL, 0, session_data_len);
*session_data = mbedtls_calloc(1, *session_data_len);
if (*session_data == NULL) {
mbedtls_printf(" failed\n ! alloc %u bytes for session data\n",
@@ -728,9 +716,64 @@ exit:
return ret;
}
+/*
+ * Build HTTP request
+ */
+static int build_http_request(unsigned char *buf, size_t buf_size, size_t *request_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len, tail_len, request_size;
+
+ ret = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page);
+ if (ret < 0) {
+ return ret;
+ }
+
+ len = (size_t) ret;
+ tail_len = strlen(GET_REQUEST_END);
+ if (opt.request_size != DFL_REQUEST_SIZE) {
+ request_size = (size_t) opt.request_size;
+ } else {
+ request_size = len + tail_len;
+ }
+
+ if (request_size > buf_size) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ /* Add padding to GET request to reach opt.request_size in length */
+ if (opt.request_size != DFL_REQUEST_SIZE &&
+ len + tail_len < request_size) {
+ memset(buf + len, 'A', request_size - len - tail_len);
+ len = request_size - tail_len;
+ }
+
+ strncpy((char *) buf + len, GET_REQUEST_END, buf_size - len);
+ len += tail_len;
+
+ /* Truncate if request size is smaller than the "natural" size */
+ if (opt.request_size != DFL_REQUEST_SIZE &&
+ len > request_size) {
+ len = request_size;
+
+ /* Still end with \r\n unless that's really not possible */
+ if (len >= 2) {
+ buf[len - 2] = '\r';
+ }
+ if (len >= 1) {
+ buf[len - 1] = '\n';
+ }
+ }
+
+ *request_len = len;
+
+ return 0;
+}
+
int main(int argc, char *argv[])
{
- int ret = 0, len, tail_len, i, written, frags, retry_left;
+ int ret = 0, i;
+ size_t len, written, frags, retry_left;
int query_config_ret = 0;
mbedtls_net_context server_fd;
io_ctx_t io_ctx;
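Review bot: In `build_http_request` the `mbedtls_snprintf` result is only checked for `ret < 0`, so a truncated format (a return value at or above `buf_size`) is accepted as `len`. When `opt.request_size` is non-default, the `request_size > buf_size` test does not catch this. In that case `buf_size - len` in the `strncpy` call wraps around as a `size_t`, and `buf + len` already points past the buffer. The ssl_mail_client.c hunks of this diff reject truncation, and the same guard fits here right after the `ret < 0` check: `if ((size_t) ret >= buf_size) { return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; }`. The body of `main` continues outside the hunk.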
@@ -840,7 +883,7 @@ int main(int argc, char *argv[])
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
- memset(&saved_session, 0, sizeof(mbedtls_ssl_session));
+ mbedtls_ssl_session_init(&saved_session);
rng_init(&rng);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_x509_crt_init(&cacert);
@@ -864,31 +907,6 @@ int main(int argc, char *argv[])
mbedtls_test_enable_insecure_external_rng();
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
- if (argc < 2) {
-usage:
- if (ret == 0) {
- ret = 1;
- }
-
- mbedtls_printf(USAGE1);
- mbedtls_printf(USAGE2);
- mbedtls_printf(USAGE3);
- mbedtls_printf(USAGE4);
-
- list = mbedtls_ssl_list_ciphersuites();
- while (*list) {
- mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list));
- list++;
- if (!*list) {
- break;
- }
- mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
- list++;
- }
- mbedtls_printf("\n");
- goto exit;
- }
-
opt.server_name = DFL_SERVER_NAME;
opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT;
@@ -973,9 +991,54 @@ usage:
opt.key_opaque_alg1 = DFL_KEY_OPAQUE_ALG;
opt.key_opaque_alg2 = DFL_KEY_OPAQUE_ALG;
+ p = q = NULL;
+ if (argc < 1) {
+usage:
+ if (p != NULL && q != NULL) {
+ printf("unrecognized value for '%s': '%s'\n", p, q);
+ } else if (p != NULL && q == NULL) {
+ printf("unrecognized param: '%s'\n", p);
+ }
+
+ mbedtls_printf("usage: ssl_client2 [param=value] [...]\n");
+ mbedtls_printf(" ssl_client2 help[_theme]\n");
+ mbedtls_printf("'help' lists acceptable 'param' and 'value'\n");
+ mbedtls_printf("'help_ciphersuites' lists available ciphersuites\n");
+ mbedtls_printf("\n");
+
+ if (ret == 0) {
+ ret = 1;
+ }
+ goto exit;
+ }
+
for (i = 1; i < argc; i++) {
p = argv[i];
+
+ if (strcmp(p, "help") == 0) {
+ mbedtls_printf(USAGE1);
+ mbedtls_printf(USAGE2);
+ mbedtls_printf(USAGE3);
+ mbedtls_printf(USAGE4);
+
+ ret = 0;
+ goto exit;
+ }
+ if (strcmp(p, "help_ciphersuites") == 0) {
+ mbedtls_printf(" acceptable ciphersuite names:\n");
+ for (list = mbedtls_ssl_list_ciphersuites();
+ *list != 0;
+ list++) {
+ mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
+ }
+
+ ret = 0;
+ goto exit;
+ }
+
if ((q = strchr(p, '=')) == NULL) {
+ mbedtls_printf("param requires a value: '%s'\n", p);
+ p = NULL; // avoid "unrecnognized param" message
goto usage;
}
*q++ = '\0';
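Review bot: The new `usage:` block reports bad parameters with plain `printf`, while every other message in this hunk goes through `mbedtls_printf`, so these two lines bypass the platform print hook. They should read `mbedtls_printf("unrecognized value for '%s': '%s'\n", p, q);` and `mbedtls_printf("unrecognized param: '%s'\n", p);`. The comment `// avoid "unrecnognized param" message` has a typo and uses `//` where the rest of the hunk uses `/* */`. With the guard changed to `argc < 1`, running the program with no arguments no longer prints usage; if that is intended, a comment on the `if` would say so. The loop body continues outside the hunk.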
@@ -1372,9 +1435,13 @@ usage:
goto usage;
}
} else {
+ /* This signals that the problem is with p not q */
+ q = NULL;
goto usage;
}
}
+ /* This signals that any further errors are not with a single option */
+ p = q = NULL;
if (opt.nss_keylog != 0 && opt.eap_tls != 0) {
mbedtls_printf("Error: eap_tls and nss_keylog options cannot be used together.\n");
@@ -1460,11 +1527,11 @@ usage:
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0) {
/* Determine KDF algorithm the opaque PSK will be used in. */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
} else
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@@ -1702,11 +1769,10 @@ usage:
&psa_alg, &psa_alg2,
&usage,
mbedtls_pk_get_type(&pkey)) == 0) {
- ret = mbedtls_pk_wrap_as_opaque(&pkey, &key_slot, psa_alg,
- usage, psa_alg2);
+ ret = pk_wrap_as_opaque(&pkey, psa_alg, psa_alg2, usage, &key_slot);
if (ret != 0) {
mbedtls_printf(" failed\n ! "
- "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n",
+ "mbedtls_pk_get_psa_attributes returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
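Review bot: The failure message now names `mbedtls_pk_get_psa_attributes`, but the call on the line above is `pk_wrap_as_opaque`, whose body is not shown in this hunk. If that helper makes more than one library call, the message can point a reader at the wrong one. Naming the helper is accurate whatever it does internally: `"pk_wrap_as_opaque returned -0x%x\n\n",`.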
@@ -1959,7 +2025,9 @@ usage:
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_tls13_conf_early_data(&conf, opt.early_data);
+ if (opt.early_data != DFL_EARLY_DATA) {
+ mbedtls_ssl_conf_early_data(&conf, opt.early_data);
+ }
#endif /* MBEDTLS_SSL_EARLY_DATA */
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
@@ -2430,32 +2498,9 @@ send_request:
mbedtls_printf(" > Write to server:");
fflush(stdout);
- len = mbedtls_snprintf((char *) buf, sizeof(buf) - 1, GET_REQUEST,
- opt.request_page);
- tail_len = (int) strlen(GET_REQUEST_END);
-
- /* Add padding to GET request to reach opt.request_size in length */
- if (opt.request_size != DFL_REQUEST_SIZE &&
- len + tail_len < opt.request_size) {
- memset(buf + len, 'A', opt.request_size - len - tail_len);
- len += opt.request_size - len - tail_len;
- }
-
- strncpy((char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1);
- len += tail_len;
-
- /* Truncate if request size is smaller than the "natural" size */
- if (opt.request_size != DFL_REQUEST_SIZE &&
- len > opt.request_size) {
- len = opt.request_size;
-
- /* Still end with \r\n unless that's really not possible */
- if (len >= 2) {
- buf[len - 2] = '\r';
- }
- if (len >= 1) {
- buf[len - 1] = '\n';
- }
+ ret = build_http_request(buf, sizeof(buf) - 1, &len);
+ if (ret != 0) {
+ goto exit;
}
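Review bot: When `build_http_request` fails, the code jumps to `exit` without printing anything, while the other failure paths visible in this diff print a ` failed ... returned -0x%x` line first. Unless the `exit` path (outside this hunk) reports `ret`, the user sees ` > Write to server:` and then the program ends with no reason given. Suggest adding `mbedtls_printf(" failed\n ! build_http_request returned -0x%x\n\n", (unsigned int) -ret);` before `goto exit;`. The same applies to the call added in the `reconnect:` hunk further down.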
if (opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
@@ -2527,8 +2572,11 @@ send_request:
}
buf[written] = '\0';
- mbedtls_printf(" %d bytes written in %d fragments\n\n%s\n",
- written, frags, (char *) buf);
+ mbedtls_printf(
+ " %" MBEDTLS_PRINTF_SIZET " bytes written in %" MBEDTLS_PRINTF_SIZET " fragments\n\n%s\n",
+ written,
+ frags,
+ (char *) buf);
/* Send a non-empty request if request_size == 0 */
if (len == 0) {
@@ -2635,7 +2683,9 @@ send_request:
len = ret;
buf[len] = '\0';
- mbedtls_printf(" < Read from server: %d bytes read\n\n%s", len, (char *) buf);
+ mbedtls_printf(" < Read from server: %" MBEDTLS_PRINTF_SIZET " bytes read\n\n%s",
+ len,
+ (char *) buf);
fflush(stdout);
/* End of message should be detected according to the syntax of the
* application protocol (eg HTTP), just use a dummy test here. */
@@ -2694,7 +2744,9 @@ send_request:
len = ret;
buf[len] = '\0';
- mbedtls_printf(" < Read from server: %d bytes read\n\n%s", len, (char *) buf);
+ mbedtls_printf(" < Read from server: %" MBEDTLS_PRINTF_SIZET " bytes read\n\n%s",
+ len,
+ (char *) buf);
ret = 0;
}
@@ -2984,6 +3036,54 @@ reconnect:
goto exit;
}
+ ret = build_http_request(buf, sizeof(buf) - 1, &len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl.conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
+ frags = 0;
+ written = 0;
+ do {
+ while ((ret = mbedtls_ssl_write_early_data(&ssl, buf + written,
+ len - written)) < 0) {
+ if (ret == MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA) {
+ goto end_of_early_data;
+ }
+ if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
+ mbedtls_printf(" failed\n ! mbedtls_ssl_write returned -0x%x\n\n",
+ (unsigned int) -ret);
+ goto exit;
+ }
+
+ /* For event-driven IO, wait for socket to become available */
+ if (opt.event == 1 /* level triggered IO */) {
+#if defined(MBEDTLS_TIMING_C)
+ idle(&server_fd, &timer, ret);
+#else
+ idle(&server_fd, ret);
+#endif
+ }
+ }
+
+ frags++;
+ written += ret;
+ } while (written < len);
+
+end_of_early_data:
+
+ buf[written] = '\0';
+ mbedtls_printf(
+ " %" MBEDTLS_PRINTF_SIZET " bytes of early data written in %" MBEDTLS_PRINTF_SIZET " fragments\n\n%s\n",
+ written,
+ frags,
+ (char *) buf);
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
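Review bot: The error path inside the early-data loop prints `mbedtls_ssl_write returned`, but the failing call is `mbedtls_ssl_write_early_data`. The message should name it: `" failed\n ! mbedtls_ssl_write_early_data returned -0x%x\n\n"`. A short comment above the `#if defined(MBEDTLS_SSL_EARLY_DATA)` block would also help readers who copy this example: TLS 1.3 early data is not protected against replay, so only a request that is safe for the server to receive more than once should be sent this way. The enclosing function starts and ends outside the hunk.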
diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index 9744c58..ee2cdb7 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -2,23 +2,9 @@
* Mbed TLS SSL context deserializer from base64 code
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include "mbedtls/build_info.h"
#include "mbedtls/debug.h"
#include "mbedtls/platform.h"
@@ -559,22 +545,27 @@ void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
if (ciphersuite_info == NULL) {
printf_err("Cannot find ciphersuite info\n");
} else {
- const mbedtls_cipher_info_t *cipher_info;
#if defined(MBEDTLS_MD_C)
const mbedtls_md_info_t *md_info;
#endif
- printf("\tciphersuite : %s\n", ciphersuite_info->name);
- printf("\tcipher flags : 0x%02X\n", ciphersuite_info->flags);
+ printf("\tciphersuite : %s\n", mbedtls_ssl_ciphersuite_get_name(ciphersuite_info));
+ printf("\tcipher flags : 0x%02X\n", ciphersuite_info->MBEDTLS_PRIVATE(flags));
- cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
+#if defined(MBEDTLS_CIPHER_C)
+ const mbedtls_cipher_info_t *cipher_info;
+ cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->MBEDTLS_PRIVATE(cipher));
if (cipher_info == NULL) {
printf_err("Cannot find cipher info\n");
} else {
- printf("\tcipher : %s\n", cipher_info->name);
+ printf("\tcipher : %s\n", mbedtls_cipher_info_get_name(cipher_info));
}
+#else /* MBEDTLS_CIPHER_C */
+ printf("\tcipher type : %d\n", ciphersuite_info->MBEDTLS_PRIVATE(cipher));
+#endif /* MBEDTLS_CIPHER_C */
+
#if defined(MBEDTLS_MD_C)
- md_info = mbedtls_md_info_from_type(ciphersuite_info->mac);
+ md_info = mbedtls_md_info_from_type(ciphersuite_info->MBEDTLS_PRIVATE(mac));
if (md_info == NULL) {
printf_err("Cannot find Message-Digest info\n");
} else {
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 6734a14..f4822b7 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -2,19 +2,7 @@
* SSL server demonstration program using fork() for handling multiple clients
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 1e648e8..e3ed697 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -2,19 +2,7 @@
* SSL client for SMTP servers
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of gethostname() even when compiling with -std=c99. Must
@@ -739,7 +727,11 @@ usage:
mbedtls_printf(" > Write MAIL FROM to server:");
fflush(stdout);
- len = sprintf((char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from);
+ len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from);
+ if (len < 0 || (size_t) len >= sizeof(buf)) {
+ mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
+ goto exit;
+ }
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
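Review bot: The truncation check added after `mbedtls_snprintf` prints the same text here and in the RCPT TO and message-content hunks below, so the output does not say which command overflowed `buf`. Naming the command would make the three sites distinguishable, for example `" failed\n ! MAIL FROM line does not fit in the buffer\n\n"`. The unchanged `len = sprintf((char *) buf, "\r\n.\r\n");` at the end of the third hunk formats a constant and is safe as written. Converting it as well would leave no unbounded `sprintf` in this stretch of the file.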
@@ -751,7 +743,11 @@ usage:
mbedtls_printf(" > Write RCPT TO to server:");
fflush(stdout);
- len = sprintf((char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to);
+ len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to);
+ if (len < 0 || (size_t) len >= sizeof(buf)) {
+ mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
+ goto exit;
+ }
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
@@ -775,11 +771,16 @@ usage:
mbedtls_printf(" > Write content to server:");
fflush(stdout);
- len = sprintf((char *) buf, "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
- "This is a simple test mail from the "
- "Mbed TLS mail client example.\r\n"
- "\r\n"
- "Enjoy!", opt.mail_from);
+ len = mbedtls_snprintf((char *) buf, sizeof(buf),
+ "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
+ "This is a simple test mail from the "
+ "Mbed TLS mail client example.\r\n"
+ "\r\n"
+ "Enjoy!", opt.mail_from);
+ if (len < 0 || (size_t) len >= sizeof(buf)) {
+ mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
+ goto exit;
+ }
ret = write_ssl_data(&ssl, buf, len);
len = sprintf((char *) buf, "\r\n.\r\n");
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index 12d3057..fcb8f2f 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -3,19 +3,7 @@
* clients.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index ad82567..6becf8d 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -2,19 +2,7 @@
* SSL server demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 0efcb7f..81b1256 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2,19 +2,7 @@
* SSL client with options
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
@@ -134,7 +122,8 @@ int main(void)
#define DFL_SNI NULL
#define DFL_ALPN_STRING NULL
#define DFL_GROUPS NULL
-#define DFL_MAX_EARLY_DATA_SIZE 0
+#define DFL_EARLY_DATA -1
+#define DFL_MAX_EARLY_DATA_SIZE ((uint32_t) -1)
#define DFL_SIG_ALGS NULL
#define DFL_DHM_FILE NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
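Review bot: `DFL_MAX_EARLY_DATA_SIZE` now uses `((uint32_t) -1)` as the "not set" marker, which is also a representable value for the option itself. The option parsing is outside this hunk, so it is not visible whether an explicit `max_early_data_size=4294967295` would be treated as unset. A comment on the define would record the convention: `/* (uint32_t) -1: option not given, keep the library default */`. A matching comment on `DFL_EARLY_DATA -1` would help too.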
@@ -283,6 +272,7 @@ int main(void)
#else
#define USAGE_PSK ""
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
#define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled)\n" \
@@ -290,13 +280,14 @@ int main(void)
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
#define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n" \
" ticket_rotate=%%d default: 0 (disabled)\n" \
" ticket_timeout=%%d default: 86400 (one day)\n" \
" ticket_aead=%%s default: \"AES-256-GCM\"\n"
-#else
+#else /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
#define USAGE_TICKETS ""
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
@@ -439,9 +430,10 @@ int main(void)
#if defined(MBEDTLS_SSL_EARLY_DATA)
#define USAGE_EARLY_DATA \
- " max_early_data_size=%%d default: -1 (disabled)\n" \
- " options: -1 (disabled), " \
- " >= 0 (enabled, max amount of early data )\n"
+ " early_data=%%d default: library default\n" \
+ " options: 0 (disabled), 1 (enabled)\n" \
+ " max_early_data_size=%%d default: library default\n" \
+ " options: max amount of early data\n"
#else
#define USAGE_EARLY_DATA ""
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -566,6 +558,7 @@ int main(void)
USAGE_GROUPS \
USAGE_SIG_ALGS \
USAGE_KEY_OPAQUE_ALGS \
+ USAGE_EARLY_DATA \
"\n"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -590,7 +583,7 @@ int main(void)
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
- " acceptable ciphersuite names:\n"
+ "\n"
#define PUT_UINT64_BE(out_be, in_le, i) \
{ \
@@ -703,7 +696,10 @@ struct options {
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
int reproducible; /* make communication reproducible */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ int early_data; /* early data enablement flag */
uint32_t max_early_data_size; /* max amount of early data */
+#endif
int query_config_mode; /* whether to read config */
int use_srtp; /* Support SRTP */
int force_srtp_profile; /* SRTP protection profile to use or all */
@@ -1430,21 +1426,28 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
case 2:
return MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
case 3:
- session->start = mbedtls_time(NULL) + 10;
+ /* Creation time in the future. */
+ session->ticket_creation_time = mbedtls_ms_time() + 1000;
break;
case 4:
- session->start = mbedtls_time(NULL) - 10 - 7 * 24 * 3600;
+ /* Ticket has reached the end of lifetime. */
+ session->ticket_creation_time = mbedtls_ms_time() -
+ (7 * 24 * 3600 * 1000 + 1000);
break;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
case 5:
- session->start = mbedtls_time(NULL) - 10;
+ /* Ticket is valid, but client age is below the lower bound of the tolerance window. */
+ session->ticket_age_add += MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + 4 * 1000;
+ /* Make sure the execution time does not affect the result */
+ session->ticket_creation_time = mbedtls_ms_time();
break;
+
case 6:
- session->start = mbedtls_time(NULL);
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- session->ticket_age_add -= 1000;
-#endif
+ /* Ticket is valid, but client age is beyond the upper bound of the tolerance window. */
+ session->ticket_age_add -= MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + 4 * 1000;
+ /* Make sure the execution time does not affect the result */
+ session->ticket_creation_time = mbedtls_ms_time();
break;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
case 7:
session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
break;
@@ -1466,6 +1469,42 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
+int parse_cipher(char *buf)
+{
+ if (strcmp(buf, "AES-128-CCM")) {
+ return MBEDTLS_CIPHER_AES_128_CCM;
+ } else if (strcmp(buf, "AES-128-GCM")) {
+ return MBEDTLS_CIPHER_AES_128_GCM;
+ } else if (strcmp(buf, "AES-192-CCM")) {
+ return MBEDTLS_CIPHER_AES_192_CCM;
+ } else if (strcmp(buf, "AES-192-GCM")) {
+ return MBEDTLS_CIPHER_AES_192_GCM;
+ } else if (strcmp(buf, "AES-256-CCM")) {
+ return MBEDTLS_CIPHER_AES_256_CCM;
+ } else if (strcmp(buf, "ARIA-128-CCM")) {
+ return MBEDTLS_CIPHER_ARIA_128_CCM;
+ } else if (strcmp(buf, "ARIA-128-GCM")) {
+ return MBEDTLS_CIPHER_ARIA_128_GCM;
+ } else if (strcmp(buf, "ARIA-192-CCM")) {
+ return MBEDTLS_CIPHER_ARIA_192_CCM;
+ } else if (strcmp(buf, "ARIA-192-GCM")) {
+ return MBEDTLS_CIPHER_ARIA_192_GCM;
+ } else if (strcmp(buf, "ARIA-256-CCM")) {
+ return MBEDTLS_CIPHER_ARIA_256_CCM;
+ } else if (strcmp(buf, "ARIA-256-GCM")) {
+ return MBEDTLS_CIPHER_ARIA_256_GCM;
+ } else if (strcmp(buf, "CAMELLIA-128-CCM")) {
+ return MBEDTLS_CIPHER_CAMELLIA_128_CCM;
+ } else if (strcmp(buf, "CAMELLIA-192-CCM")) {
+ return MBEDTLS_CIPHER_CAMELLIA_192_CCM;
+ } else if (strcmp(buf, "CAMELLIA-256-CCM")) {
+ return MBEDTLS_CIPHER_CAMELLIA_256_CCM;
+ } else if (strcmp(buf, "CHACHA20-POLY1305")) {
+ return MBEDTLS_CIPHER_CHACHA20_POLY1305;
+ }
+ return MBEDTLS_CIPHER_NONE;
+}
+
int main(int argc, char *argv[])
{
int ret = 0, len, written, frags, exchanges_left;
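Review bot: Every `strcmp()` test in the new `parse_cipher` lacks `== 0`, so each branch is taken when the strings differ. Any input other than "AES-128-CCM" returns `MBEDTLS_CIPHER_AES_128_CCM`, "AES-128-CCM" itself returns the GCM value, and `MBEDTLS_CIPHER_NONE` is never returned. The `ticket_aead` hunk further down therefore cannot reject an unknown name, and the cipher protecting session tickets silently differs from the one requested. The list also has no "AES-256-GCM" entry although the usage text names it as the default; the fence adds it on that basis, and other GCM variants may be missing too. The parameter is never written through and could be `const char *` if the prototype (not visible here) allows; a table-driven lookup keeps the comparison in one place.

```c
int parse_cipher(char *buf)
{
    static const struct {
        const char *name;
        int type;
    } ciphers[] = {
        { "AES-128-CCM",       MBEDTLS_CIPHER_AES_128_CCM },
        { "AES-128-GCM",       MBEDTLS_CIPHER_AES_128_GCM },
        { "AES-192-CCM",       MBEDTLS_CIPHER_AES_192_CCM },
        { "AES-192-GCM",       MBEDTLS_CIPHER_AES_192_GCM },
        { "AES-256-CCM",       MBEDTLS_CIPHER_AES_256_CCM },
        { "AES-256-GCM",       MBEDTLS_CIPHER_AES_256_GCM }, /* documented default */
        { "ARIA-128-CCM",      MBEDTLS_CIPHER_ARIA_128_CCM },
        { "ARIA-128-GCM",      MBEDTLS_CIPHER_ARIA_128_GCM },
        { "ARIA-192-CCM",      MBEDTLS_CIPHER_ARIA_192_CCM },
        { "ARIA-192-GCM",      MBEDTLS_CIPHER_ARIA_192_GCM },
        { "ARIA-256-CCM",      MBEDTLS_CIPHER_ARIA_256_CCM },
        { "ARIA-256-GCM",      MBEDTLS_CIPHER_ARIA_256_GCM },
        { "CAMELLIA-128-CCM",  MBEDTLS_CIPHER_CAMELLIA_128_CCM },
        { "CAMELLIA-192-CCM",  MBEDTLS_CIPHER_CAMELLIA_192_CCM },
        { "CAMELLIA-256-CCM",  MBEDTLS_CIPHER_CAMELLIA_256_CCM },
        { "CHACHA20-POLY1305", MBEDTLS_CIPHER_CHACHA20_POLY1305 },
    };

    for (size_t i = 0; i < sizeof(ciphers) / sizeof(ciphers[0]); i++) {
        /* strcmp() returns 0 on a match */
        if (strcmp(buf, ciphers[i].name) == 0) {
            return ciphers[i].type;
        }
    }
    return MBEDTLS_CIPHER_NONE;
}
```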
@@ -1575,9 +1614,6 @@ int main(int argc, char *argv[])
};
#endif /* MBEDTLS_SSL_DTLS_SRTP */
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
-#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
#if defined(MBEDTLS_MEMORY_DEBUG)
@@ -1642,31 +1678,6 @@ int main(int argc, char *argv[])
signal(SIGINT, term_handler);
#endif
- if (argc < 2) {
-usage:
- if (ret == 0) {
- ret = 1;
- }
-
- mbedtls_printf(USAGE1);
- mbedtls_printf(USAGE2);
- mbedtls_printf(USAGE3);
- mbedtls_printf(USAGE4);
-
- list = mbedtls_ssl_list_ciphersuites();
- while (*list) {
- mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list));
- list++;
- if (!*list) {
- break;
- }
- mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
- list++;
- }
- mbedtls_printf("\n");
- goto exit;
- }
-
opt.buffer_size = DFL_IO_BUF_LEN;
opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT;
@@ -1737,7 +1748,10 @@ usage:
opt.sni = DFL_SNI;
opt.alpn_string = DFL_ALPN_STRING;
opt.groups = DFL_GROUPS;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ opt.early_data = DFL_EARLY_DATA;
opt.max_early_data_size = DFL_MAX_EARLY_DATA_SIZE;
+#endif
opt.sig_algs = DFL_SIG_ALGS;
opt.dhm_file = DFL_DHM_FILE;
opt.transport = DFL_TRANSPORT;
@@ -1765,9 +1779,54 @@ usage:
opt.key2_opaque_alg1 = DFL_KEY_OPAQUE_ALG;
opt.key2_opaque_alg2 = DFL_KEY_OPAQUE_ALG;
+ p = q = NULL;
+ if (argc < 1) {
+usage:
+ if (p != NULL && q != NULL) {
+ printf("unrecognized value for '%s': '%s'\n", p, q);
+ } else if (p != NULL && q == NULL) {
+ printf("unrecognized param: '%s'\n", p);
+ }
+
+ mbedtls_printf("usage: ssl_client2 [param=value] [...]\n");
+ mbedtls_printf(" ssl_client2 help[_theme]\n");
+ mbedtls_printf("'help' lists acceptable 'param' and 'value'\n");
+ mbedtls_printf("'help_ciphersuites' lists available ciphersuites\n");
+ mbedtls_printf("\n");
+
+ if (ret == 0) {
+ ret = 1;
+ }
+ goto exit;
+ }
+
for (i = 1; i < argc; i++) {
p = argv[i];
+
+ if (strcmp(p, "help") == 0) {
+ mbedtls_printf(USAGE1);
+ mbedtls_printf(USAGE2);
+ mbedtls_printf(USAGE3);
+ mbedtls_printf(USAGE4);
+
+ ret = 0;
+ goto exit;
+ }
+ if (strcmp(p, "help_ciphersuites") == 0) {
+ mbedtls_printf(" acceptable ciphersuite names:\n");
+ for (list = mbedtls_ssl_list_ciphersuites();
+ *list != 0;
+ list++) {
+ mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
+ }
+
+ ret = 0;
+ goto exit;
+ }
+
if ((q = strchr(p, '=')) == NULL) {
+ mbedtls_printf("param requires a value: '%s'\n", p);
+ p = NULL; // avoid "unrecnognized param" message
goto usage;
}
*q++ = '\0';
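Review bot: The two diagnostics added under the `usage:` label call plain `printf` while every other message in this hunk uses `mbedtls_printf`, so on a build that redirects the platform printf these two lines would go elsewhere or fail to link. I would write them as `mbedtls_printf("unrecognized value for '%s': '%s'\n", p, q);` and `mbedtls_printf("unrecognized param: '%s'\n", p);`. The comment on `p = NULL;` is misspelled ("unrecnognized"), as is "erorrs" in the comment added before `p = q = NULL;` in a later hunk. The label is reached by `goto usage` from parts of `main` outside this hunk, so the `p`/`q` convention deserves a short comment at the label, e.g. `/* p != NULL: offending parameter; q != NULL: its rejected value */`.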
@@ -1925,14 +1984,18 @@ usage:
}
#endif
#if defined(MBEDTLS_SSL_EARLY_DATA)
- else if (strcmp(p, "max_early_data_size") == 0) {
- long long value = atoll(q);
- tls13_early_data_enabled =
- value >= 0 ? MBEDTLS_SSL_EARLY_DATA_ENABLED :
- MBEDTLS_SSL_EARLY_DATA_DISABLED;
- if (tls13_early_data_enabled) {
- opt.max_early_data_size = atoi(q);
+ else if (strcmp(p, "early_data") == 0) {
+ switch (atoi(q)) {
+ case 0:
+ opt.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+ case 1:
+ opt.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ break;
+ default: goto usage;
}
+ } else if (strcmp(p, "max_early_data_size") == 0) {
+ opt.max_early_data_size = (uint32_t) atoll(q);
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
else if (strcmp(p, "renegotiation") == 0) {
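Review bot: Neither new option validates its number. `atoi(q)` turns any non-numeric `early_data` value into 0 (disabled) instead of reaching `goto usage`. `(uint32_t) atoll(q)` wraps negative or oversized `max_early_data_size` values without notice, so `-1`, which the previous usage text documented as "disabled", now yields 0xFFFFFFFF. What that value then means depends on `DFL_MAX_EARLY_DATA_SIZE`, which is outside this hunk. Early data is replayable, so the limit a test run actually applies should be the one typed on the command line; parsing with `strtoull` and rejecting trailing characters, a sign and out-of-range values keeps that guarantee.

```c
    } else if (strcmp(p, "max_early_data_size") == 0) {
        char *end = NULL;
        unsigned long long value = strtoull(q, &end, 10);
        /* reject empty input, trailing characters, a sign, and values that
         * do not fit the uint32_t option field */
        if (*q == '-' || end == q || *end != '\0' || value > UINT32_MAX) {
            goto usage;
        }
        opt.max_early_data_size = (uint32_t) value;
    }
```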
@@ -2127,12 +2190,11 @@ usage:
goto usage;
}
} else if (strcmp(p, "ticket_aead") == 0) {
- const mbedtls_cipher_info_t *ci = mbedtls_cipher_info_from_string(q);
+ opt.ticket_aead = parse_cipher(q);
- if (ci == NULL) {
+ if (opt.ticket_aead == MBEDTLS_CIPHER_NONE) {
goto usage;
}
- opt.ticket_aead = mbedtls_cipher_info_get_type(ci);
} else if (strcmp(p, "cache_max") == 0) {
opt.cache_max = atoi(q);
if (opt.cache_max < 0) {
@@ -2232,9 +2294,13 @@ usage:
goto usage;
}
} else {
+ /* This signals that the problem is with p not q */
+ q = NULL;
goto usage;
}
}
+ /* This signals that any further erorrs are not with a single option */
+ p = q = NULL;
if (opt.nss_keylog != 0 && opt.eap_tls != 0) {
mbedtls_printf("Error: eap_tls and nss_keylog options cannot be used together.\n");
@@ -2337,11 +2403,11 @@ usage:
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) {
/* Determine KDF algorithm the opaque PSK will be used in. */
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
} else
-#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* PSA_WANT_ALG_SHA_384 */
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@@ -2650,12 +2716,10 @@ usage:
&psa_alg, &psa_alg2,
&psa_usage,
mbedtls_pk_get_type(&pkey)) == 0) {
- ret = mbedtls_pk_wrap_as_opaque(&pkey, &key_slot,
- psa_alg, psa_usage, psa_alg2);
-
+ ret = pk_wrap_as_opaque(&pkey, psa_alg, psa_alg2, psa_usage, &key_slot);
if (ret != 0) {
mbedtls_printf(" failed\n ! "
- "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n",
+ "pk_wrap_as_opaque returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
@@ -2669,12 +2733,10 @@ usage:
&psa_alg, &psa_alg2,
&psa_usage,
mbedtls_pk_get_type(&pkey2)) == 0) {
- ret = mbedtls_pk_wrap_as_opaque(&pkey2, &key_slot2,
- psa_alg, psa_usage, psa_alg2);
-
+ ret = pk_wrap_as_opaque(&pkey2, psa_alg, psa_alg2, psa_usage, &key_slot2);
if (ret != 0) {
mbedtls_printf(" failed\n ! "
- "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n",
+ "mbedtls_pk_get_psa_attributes returned -0x%x\n\n",
(unsigned int) -ret);
goto exit;
}
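Review bot: The failure message for the second key now reads "mbedtls_pk_get_psa_attributes returned", but the call that produced `ret` is `pk_wrap_as_opaque(&pkey2, ...)`. The matching message in the previous hunk names `pk_wrap_as_opaque`. A log that names the wrong function sends whoever debugs a key-import failure to the wrong place; the line should be `"pk_wrap_as_opaque returned -0x%x\n\n",` as for the first key.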
@@ -2751,9 +2813,11 @@ usage:
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_tls13_conf_early_data(&conf, tls13_early_data_enabled);
- if (tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
- mbedtls_ssl_tls13_conf_max_early_data_size(
+ if (opt.early_data != DFL_EARLY_DATA) {
+ mbedtls_ssl_conf_early_data(&conf, opt.early_data);
+ }
+ if (opt.max_early_data_size != DFL_MAX_EARLY_DATA_SIZE) {
+ mbedtls_ssl_conf_max_early_data_size(
&conf, opt.max_early_data_size);
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -3393,6 +3457,19 @@ handshake:
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
+ memset(buf, 0, opt.buffer_size);
+ ret = mbedtls_ssl_read_early_data(&ssl, buf, opt.buffer_size);
+ if (ret > 0) {
+ buf[ret] = '\0';
+ mbedtls_printf(" %d early data bytes read\n\n%s\n",
+ ret, (char *) buf);
+ }
+ continue;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL) {
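Review bot: `buf[ret] = '\0'` writes one byte past the region just cleared and read into when `mbedtls_ssl_read_early_data` fills all `opt.buffer_size` bytes. This is in bounds only if `buf` was allocated with at least `opt.buffer_size + 1` bytes, and the allocation is outside this hunk. Either state that next to the write (`/* buf has opt.buffer_size + 1 bytes */`, once confirmed) or read at most `opt.buffer_size - 1` bytes. A negative return from the read is also dropped by the unconditional `continue`, so a failure while reading early data is neither printed nor handled before the handshake is retried. The loop body continues past the end of the hunk.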
@@ -3464,7 +3541,7 @@ handshake:
mbedtls_printf(" [ Record expansion is unknown ]\n");
}
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) || defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
mbedtls_printf(" [ Maximum incoming record payload length is %u ]\n",
(unsigned int) mbedtls_ssl_get_max_in_record_payload(&ssl));
mbedtls_printf(" [ Maximum outgoing record payload length is %u ]\n",
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 67fc061..03c835b 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -9,19 +9,7 @@
* This file is meant to be #include'd and cannot be compiled separately.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
void eap_tls_key_derivation(void *p_expkey,
@@ -307,13 +295,13 @@ uint16_t ssl_sig_algs_for_test[] = {
#if defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA512)
#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA384)
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA256)
#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
+#if defined(PSA_WANT_ALG_SHA_224)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA224)
#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c
index aea056b..17d36b7 100644
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@@ -5,27 +5,14 @@
* that cannot be compiled separately in "ssl_test_common_source.c".
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "ssl_test_lib.h"
#if defined(MBEDTLS_TEST_HOOKS)
-#include "test/helpers.h"
+#include "test/threading_helpers.h"
#endif
#if !defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
@@ -287,6 +274,37 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
return 0;
}
+
+#if defined(MBEDTLS_PK_C)
+int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
+ psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id)
+{
+ int ret;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+
+ ret = mbedtls_pk_get_psa_attributes(pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr);
+ if (ret != 0) {
+ return ret;
+ }
+ psa_set_key_usage_flags(&key_attr, psa_usage);
+ psa_set_key_algorithm(&key_attr, psa_alg);
+ if (psa_alg2 != PSA_ALG_NONE) {
+ psa_set_key_enrollment_algorithm(&key_attr, psa_alg2);
+ }
+ ret = mbedtls_pk_import_into_psa(pk, &key_attr, key_id);
+ if (ret != 0) {
+ return ret;
+ }
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+ ret = mbedtls_pk_setup_opaque(pk, *key_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
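Review bot: When `mbedtls_pk_setup_opaque` fails, `pk_wrap_as_opaque` returns with the key already imported into PSA and the original context already freed, so the key stays in the key store under `*key_id` and `pk` is left empty. Whether the caller destroys that key on its exit path is not visible here. Adding `psa_destroy_key(*key_id);` before that last `return ret;` would keep the helper from leaving private key material behind on its own failure. `key_attr` is also never passed to `psa_reset_key_attributes()` on any path. Finally, `mbedtls_pk_get_psa_attributes` is called with `PSA_KEY_USAGE_SIGN_HASH` and the usage is then overwritten with `psa_usage`; a one-line comment such as `/* usage here only selects the key type; the real policy is set below */` would explain that, if that is the intent.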
@@ -439,7 +457,7 @@ int test_hooks_failure_detected(void)
mbedtls_test_mutex_usage_check();
#endif
- if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_SUCCESS) {
+ if (mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_SUCCESS) {
return 1;
}
return 0;
@@ -447,6 +465,9 @@ int test_hooks_failure_detected(void)
void test_hooks_free(void)
{
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+ mbedtls_test_mutex_usage_end();
+#endif
}
#endif /* MBEDTLS_TEST_HOOKS */
@@ -524,17 +545,31 @@ static const struct {
#endif
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
defined(PSA_WANT_ALG_FFDH)
+#if defined(PSA_WANT_DH_RFC7919_2048)
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 1 },
- { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 1 },
- { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 1 },
- { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 1 },
- { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 1 },
-#else
+#else /* PSA_WANT_DH_RFC7919_2048 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, "ffdhe2048", 0 },
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+#if defined(PSA_WANT_DH_RFC7919_3072)
+ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 1 },
+#else /* PSA_WANT_DH_RFC7919_3072 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, "ffdhe3072", 0 },
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+#if defined(PSA_WANT_DH_RFC7919_4096)
+ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 1 },
+#else /* PSA_WANT_DH_RFC7919_4096 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, "ffdhe4096", 0 },
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+#if defined(PSA_WANT_DH_RFC7919_6144)
+ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 1 },
+#else /* PSA_WANT_DH_RFC7919_6144 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, "ffdhe6144", 0 },
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+#if defined(PSA_WANT_DH_RFC7919_8192)
+ { MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 1 },
+#else /* PSA_WANT_DH_RFC7919_8192 */
{ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, "ffdhe8192", 0 },
+#endif /* PSA_WANT_DH_RFC7919_8192 */
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_FFDH */
{ 0, NULL, 0 },
};
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index ef0dba7..1da2dfb 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -2,19 +2,7 @@
* Common code for SSL test programs
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H
@@ -247,6 +235,31 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
psa_algorithm_t *psa_alg2,
psa_key_usage_t *usage,
mbedtls_pk_type_t key_type);
+
+#if defined(MBEDTLS_PK_C)
+/** Turn a non-opaque PK context into an opaque one with folowing steps:
+ * - extract the key data and attributes from the PK context.
+ * - import the key material into PSA.
+ * - free the provided PK context and re-initilize it as an opaque PK context
+ * wrapping the PSA key imported in the above step.
+ *
+ * \param[in/out] pk On input the non-opaque PK context which contains the
+ * key to be wrapped. On output the re-initialized PK
+ * context which represents the opaque version of the one
+ * provided as input.
+ * \param[in] psa_alg The primary algorithm that will be associated to the
+ * PSA key.
+ * \param[in] psa_alg2 The enrollment algorithm that will be associated to the
+ * PSA key.
+ * \param[in] psa_usage The PSA key usage policy.
+ * \param[out] key_id The PSA key identifier of the imported key.
+ *
+ * \return \c 0 on sucess.
+ * \return \c -1 on failure.
+ */
+int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
+ psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id);
+#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
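Review bot: The new doc comment promises `\return \c -1 on failure`, but the implementation added to ssl_test_lib.c in this same diff returns the `ret` of whichever `mbedtls_pk_*` call failed. The documented contract should read `\return An \c MBEDTLS_ERR_xxx error code from the PK module on failure.` so callers do not compare against -1. The comment should also say that on failure the input context may already have been freed. It has three typos ("folowing", "re-initilize", "sucess"), and Doxygen expects `\param[in,out]` rather than `\param[in/out]`.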
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index a75f8d9..0c9b11a 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -3,6 +3,7 @@ set(libs
)
set(executables_libs
+ metatest
query_included_headers
selftest
udp_proxy
@@ -24,14 +25,20 @@ if(TEST_CPP)
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
)
add_executable(cpp_dummy_build "${cpp_dummy_build_cpp}")
- target_include_directories(cpp_dummy_build PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
- target_link_libraries(cpp_dummy_build ${mbedcrypto_target})
+ target_include_directories(cpp_dummy_build
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/include)
+ target_link_libraries(cpp_dummy_build ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
endif()
if(USE_SHARED_MBEDTLS_LIBRARY AND
NOT ${CMAKE_SYSTEM_NAME} MATCHES "[Ww][Ii][Nn]")
add_executable(dlopen "dlopen.c")
- target_include_directories(dlopen PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
+ target_include_directories(dlopen
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/include)
target_link_libraries(dlopen ${CMAKE_DL_LIBS})
endif()
@@ -45,13 +52,13 @@ if(GEN_FILES)
${PERL}
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_config.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
${CMAKE_CURRENT_BINARY_DIR}/query_config.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_config.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
)
# this file will also be used in another directory, so create a target, see
@@ -71,17 +78,24 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
- target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
+ target_include_directories(${exe}
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
+ target_include_directories(${exe}
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/core)
if(exe STREQUAL "query_compile_time_config")
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR})
endif()
+ # Request C11, required for memory poisoning
+ set_target_properties(${exe} PROPERTIES C_STANDARD 11)
+
# This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
list(FIND executables_libs ${exe} exe_index)
if (${exe_index} GREATER -1)
- target_link_libraries(${exe} ${libs})
+ target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
else()
- target_link_libraries(${exe} ${mbedcrypto_target})
+ target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
endif()
endforeach()
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index d8237f5..93c1729 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -2,23 +2,9 @@
* Benchmark demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
@@ -95,7 +81,14 @@ struct _hr_time {
#include "mbedtls/memory_buffer_alloc.h"
#endif
+#ifdef MBEDTLS_TIMING_ALT
+void mbedtls_set_alarm(int seconds);
+unsigned long mbedtls_timing_hardclock(void);
+extern volatile int mbedtls_timing_alarmed;
+#else
static void mbedtls_set_alarm(int seconds);
+static unsigned long mbedtls_timing_hardclock(void);
+#endif
/*
* For heap usage estimates, we need an estimate of the overhead per allocated
@@ -239,6 +232,7 @@ static void mbedtls_set_alarm(int seconds);
} \
} while (0)
+#if !defined(MBEDTLS_TIMING_ALT)
#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) && \
(defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
@@ -453,6 +447,7 @@ static void mbedtls_set_alarm(int seconds)
}
#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_TIMING_ALT */
static int myrand(void *rng_state, unsigned char *output, size_t len)
{
@@ -510,7 +505,7 @@ typedef struct {
char md5, ripemd160, sha1, sha256, sha512,
sha3_224, sha3_256, sha3_384, sha3_512,
des3, des,
- aes_cbc, aes_cfb128, aes_cfb8, aes_gcm, aes_ccm, aes_xts, chachapoly,
+ aes_cbc, aes_cfb128, aes_cfb8, aes_ctr, aes_gcm, aes_ccm, aes_xts, chachapoly,
aes_cmac, des3_cmac,
aria, camellia, chacha20,
poly1305,
@@ -574,6 +569,8 @@ int main(int argc, char *argv[])
todo.aes_cfb128 = 1;
} else if (strcmp(argv[i], "aes_cfb8") == 0) {
todo.aes_cfb8 = 1;
+ } else if (strcmp(argv[i], "aes_ctr") == 0) {
+ todo.aes_ctr = 1;
} else if (strcmp(argv[i], "aes_xts") == 0) {
todo.aes_xts = 1;
} else if (strcmp(argv[i], "aes_gcm") == 0) {
@@ -777,6 +774,31 @@ int main(int argc, char *argv[])
mbedtls_aes_free(&aes);
}
#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ if (todo.aes_ctr) {
+ int keysize;
+ mbedtls_aes_context aes;
+
+ uint8_t stream_block[16];
+ size_t nc_off;
+
+ mbedtls_aes_init(&aes);
+ for (keysize = 128; keysize <= 256; keysize += 64) {
+ mbedtls_snprintf(title, sizeof(title), "AES-CTR-%d", keysize);
+
+ memset(buf, 0, sizeof(buf));
+ memset(tmp, 0, sizeof(tmp));
+ memset(stream_block, 0, sizeof(stream_block));
+ nc_off = 0;
+
+ CHECK_AND_CONTINUE(mbedtls_aes_setkey_enc(&aes, tmp, keysize));
+
+ TIME_AND_TSC(title, mbedtls_aes_crypt_ctr(&aes, BUFSIZE, &nc_off, tmp, stream_block,
+ buf, buf));
+ }
+ mbedtls_aes_free(&aes);
+ }
+#endif
#if defined(MBEDTLS_CIPHER_MODE_XTS)
if (todo.aes_xts) {
int keysize;
@@ -1023,7 +1045,7 @@ int main(int argc, char *argv[])
int keysize;
mbedtls_rsa_context rsa;
- for (keysize = 2048; keysize <= 4096; keysize *= 2) {
+ for (keysize = 2048; keysize <= 4096; keysize += 1024) {
mbedtls_snprintf(title, sizeof(title), "RSA-%d", keysize);
mbedtls_rsa_init(&rsa);
@@ -1065,20 +1087,24 @@ int main(int argc, char *argv[])
mbedtls_dhm_context dhm;
size_t olen;
size_t n;
+ mbedtls_mpi P, G;
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
for (i = 0; (size_t) i < sizeof(dhm_sizes) / sizeof(dhm_sizes[0]); i++) {
mbedtls_dhm_init(&dhm);
- if (mbedtls_mpi_read_binary(&dhm.P, dhm_P[i],
+ if (mbedtls_mpi_read_binary(&P, dhm_P[i],
dhm_P_size[i]) != 0 ||
- mbedtls_mpi_read_binary(&dhm.G, dhm_G[i],
- dhm_G_size[i]) != 0) {
+ mbedtls_mpi_read_binary(&G, dhm_G[i],
+ dhm_G_size[i]) != 0 ||
+ mbedtls_dhm_set_group(&dhm, &P, &G) != 0) {
mbedtls_exit(1);
}
- n = mbedtls_mpi_size(&dhm.P);
+ n = mbedtls_dhm_get_len(&dhm);
mbedtls_dhm_make_public(&dhm, (int) n, buf, n, myrand, NULL);
- if (mbedtls_mpi_copy(&dhm.GY, &dhm.GX) != 0) {
+
+ if (mbedtls_dhm_read_public(&dhm, buf, n) != 0) {
mbedtls_exit(1);
}
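Review bot: `P` and `G` are initialised once before the `for` loop here, but the next hunk frees them inside the loop body with `mbedtls_mpi_free(&P), mbedtls_mpi_free(&G);`. Every iteration after the first therefore reuses freed objects, which is only sound if `mbedtls_mpi_free` leaves them reusable. Pairing the calls makes that explicit: either move `mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);` to the top of the loop body or move the frees after the loop. The comma operator in the free line is better written as two statements, `mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);`. The return value of `mbedtls_dhm_make_public` on the context line is still unchecked, so the new `mbedtls_dhm_read_public(&dhm, buf, n)` may parse stale bytes if it failed.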
@@ -1095,6 +1121,7 @@ int main(int argc, char *argv[])
mbedtls_dhm_calc_secret(&dhm, buf, sizeof(buf), &olen, myrand, NULL));
mbedtls_dhm_free(&dhm);
+ mbedtls_mpi_free(&P), mbedtls_mpi_free(&G);
}
}
#endif
@@ -1159,38 +1186,12 @@ int main(int argc, char *argv[])
}
#endif
-#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+#if defined(MBEDTLS_ECDH_C)
if (todo.ecdh) {
- mbedtls_ecdh_context ecdh;
- mbedtls_mpi z;
- const mbedtls_ecp_curve_info montgomery_curve_list[] = {
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- { MBEDTLS_ECP_DP_CURVE25519, 0, 0, "Curve25519" },
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- { MBEDTLS_ECP_DP_CURVE448, 0, 0, "Curve448" },
-#endif
- { MBEDTLS_ECP_DP_NONE, 0, 0, 0 }
- };
+ mbedtls_ecdh_context ecdh_srv, ecdh_cli;
+ unsigned char buf_srv[BUFSIZE], buf_cli[BUFSIZE];
const mbedtls_ecp_curve_info *curve_info;
- size_t olen;
- const mbedtls_ecp_curve_info *selected_montgomery_curve_list =
- montgomery_curve_list;
-
- if (curve_list == (const mbedtls_ecp_curve_info *) &single_curve) {
- mbedtls_ecp_group grp;
-
- mbedtls_ecp_group_init(&grp);
- if (mbedtls_ecp_group_load(&grp, curve_list->grp_id) != 0) {
- mbedtls_exit(1);
- }
- if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
- selected_montgomery_curve_list = single_curve;
- } else { /* empty list */
- selected_montgomery_curve_list = single_curve + 1;
- }
- mbedtls_ecp_group_free(&grp);
- }
+ size_t params_len, publen, seclen;
for (curve_info = curve_list;
curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
@@ -1199,101 +1200,30 @@ int main(int argc, char *argv[])
continue;
}
- mbedtls_ecdh_init(&ecdh);
-
- CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id));
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q));
-
- mbedtls_snprintf(title, sizeof(title), "ECDHE-%s",
- curve_info->name);
- TIME_PUBLIC(title, "handshake",
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL)));
- mbedtls_ecdh_free(&ecdh);
- }
-
- /* Montgomery curves need to be handled separately */
- for (curve_info = selected_montgomery_curve_list;
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- mbedtls_ecdh_init(&ecdh);
- mbedtls_mpi_init(&z);
-
- CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id));
- CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Qp, myrand, NULL));
-
- mbedtls_snprintf(title, sizeof(title), "ECDHE-%s",
- curve_info->name);
- TIME_PUBLIC(title, "handshake",
- CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Q,
- myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_compute_shared(&ecdh.grp, &z, &ecdh.Qp,
- &ecdh.d,
- myrand, NULL)));
-
- mbedtls_ecdh_free(&ecdh);
- mbedtls_mpi_free(&z);
- }
-
- for (curve_info = curve_list;
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- if (!mbedtls_ecdh_can_do(curve_info->grp_id)) {
- continue;
- }
-
- mbedtls_ecdh_init(&ecdh);
+ mbedtls_ecdh_init(&ecdh_srv);
- CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id));
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q));
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, &params_len, buf_srv,
+ sizeof(buf_srv), myrand, NULL));
- mbedtls_snprintf(title, sizeof(title), "ECDH-%s",
- curve_info->name);
- TIME_PUBLIC(title, "handshake",
- CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh, &olen, buf, sizeof(buf),
- myrand, NULL)));
- mbedtls_ecdh_free(&ecdh);
- }
-
- /* Montgomery curves need to be handled separately */
- for (curve_info = selected_montgomery_curve_list;
- curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
- curve_info++) {
- mbedtls_ecdh_init(&ecdh);
- mbedtls_mpi_init(&z);
+ mbedtls_snprintf(title, sizeof(title), "ECDHE-%s", curve_info->name);
+ TIME_PUBLIC(title,
+ "ephemeral handshake",
+ const unsigned char *p_srv = buf_srv;
+ mbedtls_ecdh_init(&ecdh_cli);
- CHECK_AND_CONTINUE(mbedtls_ecp_group_load(&ecdh.grp, curve_info->grp_id));
- CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Qp,
- myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, &ecdh.Q, myrand, NULL));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_read_params(&ecdh_cli, &p_srv,
+ p_srv + params_len));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &publen, buf_cli,
+ sizeof(buf_cli), myrand, NULL));
- mbedtls_snprintf(title, sizeof(title), "ECDH-%s",
- curve_info->name);
- TIME_PUBLIC(title, "handshake",
- CHECK_AND_CONTINUE(mbedtls_ecdh_compute_shared(&ecdh.grp, &z, &ecdh.Qp,
- &ecdh.d,
- myrand, NULL)));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &seclen, buf_cli,
+ sizeof(buf_cli), myrand, NULL));
+ mbedtls_ecdh_free(&ecdh_cli);
+ );
- mbedtls_ecdh_free(&ecdh);
- mbedtls_mpi_free(&z);
+ mbedtls_ecdh_free(&ecdh_srv);
}
- }
-#endif
-
-#if defined(MBEDTLS_ECDH_C)
- if (todo.ecdh) {
- mbedtls_ecdh_context ecdh_srv, ecdh_cli;
- unsigned char buf_srv[BUFSIZE], buf_cli[BUFSIZE];
- const mbedtls_ecp_curve_info *curve_info;
- size_t olen;
for (curve_info = curve_list;
curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
@@ -1305,31 +1235,26 @@ int main(int argc, char *argv[])
mbedtls_ecdh_init(&ecdh_srv);
mbedtls_ecdh_init(&ecdh_cli);
- mbedtls_snprintf(title, sizeof(title), "ECDHE-%s", curve_info->name);
- TIME_PUBLIC(title,
- "full handshake",
- const unsigned char *p_srv = buf_srv;
+ CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, &params_len, buf_srv,
+ sizeof(buf_srv), myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_setup(&ecdh_srv, curve_info->grp_id));
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_params(&ecdh_srv, &olen, buf_srv,
- sizeof(buf_srv), myrand, NULL));
+ const unsigned char *p_srv = buf_srv;
+ CHECK_AND_CONTINUE(mbedtls_ecdh_read_params(&ecdh_cli, &p_srv,
+ p_srv + params_len));
+ CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &publen, buf_cli,
+ sizeof(buf_cli), myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_read_params(&ecdh_cli, &p_srv,
- p_srv + olen));
- CHECK_AND_CONTINUE(mbedtls_ecdh_make_public(&ecdh_cli, &olen, buf_cli,
- sizeof(buf_cli), myrand, NULL));
-
- CHECK_AND_CONTINUE(mbedtls_ecdh_read_public(&ecdh_srv, buf_cli, olen));
- CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_srv, &olen, buf_srv,
- sizeof(buf_srv), myrand, NULL));
- CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &olen, buf_cli,
+ mbedtls_snprintf(title, sizeof(title), "ECDH-%s", curve_info->name);
+ TIME_PUBLIC(title,
+ "static handshake",
+ CHECK_AND_CONTINUE(mbedtls_ecdh_calc_secret(&ecdh_cli, &seclen, buf_cli,
sizeof(buf_cli), myrand, NULL));
- mbedtls_ecdh_free(&ecdh_cli);
-
- mbedtls_ecdh_free(&ecdh_srv);
);
+ mbedtls_ecdh_free(&ecdh_cli);
+ mbedtls_ecdh_free(&ecdh_srv);
}
}
#endif
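Review bot: The `static handshake` measurement has no comment saying what falls inside the timed region, and that now differs from the `ephemeral handshake` block earlier in this file section. On the new side `mbedtls_ecdh_setup`, `mbedtls_ecdh_make_params`, `mbedtls_ecdh_read_params` and `mbedtls_ecdh_make_public` run once before `TIME_PUBLIC`, and only the client's `mbedtls_ecdh_calc_secret` is inside it. I would add above `TIME_PUBLIC`: `/* Keys are generated once outside the timed region; only the client-side shared-secret computation is measured. */`. The enclosing `main` starts and ends outside the hunk.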
diff --git a/programs/test/cmake_package/.gitignore b/programs/test/cmake_package/.gitignore
index 9ae6b59..89d8c2b 100644
--- a/programs/test/cmake_package/.gitignore
+++ b/programs/test/cmake_package/.gitignore
@@ -1,3 +1,4 @@
build
Makefile
cmake_package
+mbedtls
diff --git a/programs/test/cmake_package/cmake_package.c b/programs/test/cmake_package/cmake_package.c
index 86e1077..729800a 100644
--- a/programs/test/cmake_package/cmake_package.c
+++ b/programs/test/cmake_package/cmake_package.c
@@ -2,19 +2,7 @@
* Simple program to test that Mbed TLS builds correctly as a CMake package.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/test/cmake_package_install/.gitignore b/programs/test/cmake_package_install/.gitignore
index b9b8282..aaa5942 100644
--- a/programs/test/cmake_package_install/.gitignore
+++ b/programs/test/cmake_package_install/.gitignore
@@ -1,3 +1,4 @@
build
Makefile
cmake_package_install
+mbedtls
diff --git a/programs/test/cmake_package_install/cmake_package_install.c b/programs/test/cmake_package_install/cmake_package_install.c
index 9aa4c3b..44a2ada 100644
--- a/programs/test/cmake_package_install/cmake_package_install.c
+++ b/programs/test/cmake_package_install/cmake_package_install.c
@@ -3,19 +3,7 @@
* package.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt
index 3c3cba3..78bd5e7 100644
--- a/programs/test/cmake_subproject/CMakeLists.txt
+++ b/programs/test/cmake_subproject/CMakeLists.txt
@@ -20,4 +20,4 @@ set(libs
)
add_executable(cmake_subproject cmake_subproject.c)
-target_link_libraries(cmake_subproject ${libs})
+target_link_libraries(cmake_subproject ${libs} ${CMAKE_THREAD_LIBS_INIT})
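Review bot: `${CMAKE_THREAD_LIBS_INIT}` on the new `target_link_libraries` line is only set by CMake's FindThreads module, and nothing in this hunk shows `find_package(Threads)` being called in a scope visible to this directory. If it is not called, the variable expands to nothing and the link line is effectively unchanged. The top of the file is outside the hunk, so this needs checking there. If the call is missing, add `find_package(Threads)` before `add_executable`, or link the imported target `Threads::Threads` instead.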
diff --git a/programs/test/cmake_subproject/cmake_subproject.c b/programs/test/cmake_subproject/cmake_subproject.c
index d56b9a9..8b4f18e 100644
--- a/programs/test/cmake_subproject/cmake_subproject.c
+++ b/programs/test/cmake_subproject/cmake_subproject.c
@@ -3,19 +3,7 @@
* work correctly.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
index 2dcda3b..f241254 100644
--- a/programs/test/dlopen.c
+++ b/programs/test/dlopen.c
@@ -2,19 +2,7 @@
* Test dynamic loading of libmbed*
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/test/dlopen_demo.sh b/programs/test/dlopen_demo.sh
index b162d7b..7280f1d 100755
--- a/programs/test/dlopen_demo.sh
+++ b/programs/test/dlopen_demo.sh
@@ -4,19 +4,7 @@
# This is only expected to work when Mbed TLS is built as a shared library.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
. "${0%/*}/../demo_common.sh"
diff --git a/programs/test/generate_cpp_dummy_build.sh b/programs/test/generate_cpp_dummy_build.sh
index a550516..d27c7ae 100755
--- a/programs/test/generate_cpp_dummy_build.sh
+++ b/programs/test/generate_cpp_dummy_build.sh
@@ -14,19 +14,7 @@ EOF
fi
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -e
@@ -41,29 +29,31 @@ print_cpp () {
* can be included and built with a C++ compiler.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
*/
#include "mbedtls/build_info.h"
EOF
- for header in include/mbedtls/*.h include/psa/*.h; do
+ for header in include/mbedtls/*.h; do
case ${header#include/} in
mbedtls/mbedtls_config.h) :;; # not meant for direct inclusion
mbedtls/config_*.h) :;; # not meant for direct inclusion
+ *) echo "#include \"${header#include/}\"";;
+ esac
+ done
+
+ for header in tf-psa-crypto/drivers/builtin/include/mbedtls/*.h; do
+ case ${header#tf-psa-crypto/drivers/builtin/include/} in
+ mbedtls/config_*.h) :;; # not meant for direct inclusion
+ *) echo "#include \"${header#tf-psa-crypto/drivers/builtin/include/}\"";;
+ esac
+ done
+
+ for header in tf-psa-crypto/include/psa/*.h; do
+ case ${header#tf-psa-crypto/include/} in
psa/crypto_config.h) :;; # not meant for direct inclusion
psa/crypto_ajdust_config*.h) :;; # not meant for direct inclusion
# Some of the psa/crypto_*.h headers are not meant to be included
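Review bot: The skip pattern `psa/crypto_ajdust_config*.h` in the third loop is misspelled ("ajdust"), so it cannot match a header named `psa/crypto_adjust_config*.h`. Any such header would fall through to the `*)` branch and be emitted as a direct `#include`, contrary to the comment beside the pattern. The line is unchanged context, but the commit rewrites the loop around it, so this is a good moment to correct it to `psa/crypto_adjust_config*.h) :;; # not meant for direct inclusion`. `print_cpp` starts before this hunk and continues after it.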
@@ -71,7 +61,7 @@ EOF
# psa/crypto.h has been included before. Since psa/crypto.h comes
# before psa/crypto_*.h in the wildcard enumeration, we don't need
# to skip those headers.
- *) echo "#include \"${header#include/}\"";;
+ *) echo "#include \"${header#tf-psa-crypto/include/}\"";;
esac
done
diff --git a/programs/test/metatest.c b/programs/test/metatest.c
new file mode 100644
index 0000000..c52e579
--- /dev/null
+++ b/programs/test/metatest.c
@@ -0,0 +1,484 @@
+/** \file metatest.c
+ *
+ * \brief Test features of the test framework.
+ *
+ * When you run this program, it runs a single "meta-test". A meta-test
+ * performs an operation which should be caught as a failure by our
+ * test framework. The meta-test passes if this program calls `exit` with
+ * a nonzero status, or aborts, or is terminated by a signal, or if the
+ * framework running the program considers the run an error (this happens
+ * with Valgrind for a memory leak). The non-success of the meta-test
+ * program means that the test failure has been caught correctly.
+ *
+ * Some failures are purely functional: the logic of the code causes the
+ * test result to be set to FAIL. Other failures come from extra
+ * instrumentation which is not present in a normal build; for example,
+ * Asan or Valgrind to detect memory leaks. This is reflected by the
+ * "platform" associated with each meta-test.
+ *
+ * Use the companion script `tests/scripts/run-metatests.sh` to run all
+ * the meta-tests for a given platform and validate that they trigger a
+ * detected failure as expected.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+
+#include <mbedtls/debug.h>
+#include <mbedtls/platform.h>
+#include <mbedtls/platform_util.h>
+#include "test/helpers.h"
+#include "test/threading_helpers.h"
+#include "test/macros.h"
+#include "test/memory.h"
+#include "common.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_THREADING_C)
+#include <mbedtls/threading.h>
+#endif
+
+
+/* This is an external variable, so the compiler doesn't know that we're never
+ * changing its value.
+ */
+volatile int false_but_the_compiler_does_not_know = 0;
+
+/* Hide calls to calloc/free from static checkers such as
+ * `gcc-12 -Wuse-after-free`, to avoid compile-time complaints about
+ * code where we do mean to cause a runtime error. */
+void * (* volatile calloc_but_the_compiler_does_not_know)(size_t, size_t) = mbedtls_calloc;
+void(*volatile free_but_the_compiler_does_not_know)(void *) = mbedtls_free;
+
+/* Set n bytes at the address p to all-bits-zero, in such a way that
+ * the compiler should not know that p is all-bits-zero. */
+static void set_to_zero_but_the_compiler_does_not_know(volatile void *p, size_t n)
+{
+ memset((void *) p, false_but_the_compiler_does_not_know, n);
+}
+
+/* Simulate an access to the given object, to avoid compiler optimizations
+ * in code that prepares or consumes the object. */
+static void do_nothing_with_object(void *p)
+{
+ (void) p;
+}
+void(*volatile do_nothing_with_object_but_the_compiler_does_not_know)(void *) =
+ do_nothing_with_object;
+
+
+/****************************************************************/
+/* Test framework features */
+/****************************************************************/
+
+void meta_test_fail(const char *name)
+{
+ (void) name;
+ mbedtls_test_fail("Forced test failure", __LINE__, __FILE__);
+}
+
+void meta_test_not_equal(const char *name)
+{
+ int left = 20;
+ int right = 10;
+
+ (void) name;
+
+ TEST_EQUAL(left, right);
+exit:
+ ;
+}
+
+void meta_test_not_le_s(const char *name)
+{
+ int left = 20;
+ int right = 10;
+
+ (void) name;
+
+ TEST_LE_S(left, right);
+exit:
+ ;
+}
+
+void meta_test_not_le_u(const char *name)
+{
+ size_t left = 20;
+ size_t right = 10;
+
+ (void) name;
+
+ TEST_LE_U(left, right);
+exit:
+ ;
+}
+
+/****************************************************************/
+/* Platform features */
+/****************************************************************/
+
+void null_pointer_dereference(const char *name)
+{
+ (void) name;
+ volatile char *volatile p;
+ set_to_zero_but_the_compiler_does_not_know(&p, sizeof(p));
+ /* Undefined behavior (read from null data pointer) */
+ mbedtls_printf("%p -> %u\n", p, (unsigned) *p);
+}
+
+void null_pointer_call(const char *name)
+{
+ (void) name;
+ unsigned(*volatile p)(void);
+ set_to_zero_but_the_compiler_does_not_know(&p, sizeof(p));
+ /* Undefined behavior (execute null function pointer) */
+ /* The pointer representation may be truncated, but we don't care:
+ * the only point of printing it is to have some use of the pointer
+ * to dissuade the compiler from optimizing it away. */
+ mbedtls_printf("%lx() -> %u\n", (unsigned long) (uintptr_t) p, p());
+}
+
+
+/****************************************************************/
+/* Memory */
+/****************************************************************/
+
+void read_after_free(const char *name)
+{
+ (void) name;
+ volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
+ *p = 'a';
+ free_but_the_compiler_does_not_know((void *) p);
+ /* Undefined behavior (read after free) */
+ mbedtls_printf("%u\n", (unsigned) *p);
+}
+
+void double_free(const char *name)
+{
+ (void) name;
+ volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
+ *p = 'a';
+ free_but_the_compiler_does_not_know((void *) p);
+ /* Undefined behavior (double free) */
+ free_but_the_compiler_does_not_know((void *) p);
+}
+
+void read_uninitialized_stack(const char *name)
+{
+ (void) name;
+ char buf[1];
+ if (false_but_the_compiler_does_not_know) {
+ buf[0] = '!';
+ }
+ char *volatile p = buf;
+ if (*p != 0) {
+ /* Unspecified result (read from uninitialized memory) */
+ mbedtls_printf("%u\n", (unsigned) *p);
+ }
+}
+
+void memory_leak(const char *name)
+{
+ (void) name;
+ volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
+ mbedtls_printf("%u\n", (unsigned) *p);
+ /* Leak of a heap object */
+}
+
+/* name = "test_memory_poison_%(start)_%(offset)_%(count)_%(direction)"
+ * Poison a region starting at start from an 8-byte aligned origin,
+ * encompassing count bytes. Access the region at offset from the start.
+ * %(start), %(offset) and %(count) are decimal integers.
+ * %(direction) is either the character 'r' for read or 'w' for write.
+ */
+void test_memory_poison(const char *name)
+{
+ size_t start = 0, offset = 0, count = 0;
+ char direction = 'r';
+ if (sscanf(name,
+ "%*[^0-9]%" MBEDTLS_PRINTF_SIZET
+ "%*[^0-9]%" MBEDTLS_PRINTF_SIZET
+ "%*[^0-9]%" MBEDTLS_PRINTF_SIZET
+ "_%c",
+ &start, &offset, &count, &direction) != 4) {
+ mbedtls_fprintf(stderr, "%s: Bad name format: %s\n", __func__, name);
+ return;
+ }
+
+ union {
+ long long ll;
+ unsigned char buf[32];
+ } aligned;
+ memset(aligned.buf, 'a', sizeof(aligned.buf));
+
+ if (start > sizeof(aligned.buf)) {
+ mbedtls_fprintf(stderr,
+ "%s: start=%" MBEDTLS_PRINTF_SIZET
+ " > size=%" MBEDTLS_PRINTF_SIZET,
+ __func__, start, sizeof(aligned.buf));
+ return;
+ }
+ if (start + count > sizeof(aligned.buf)) {
+ mbedtls_fprintf(stderr,
+ "%s: start+count=%" MBEDTLS_PRINTF_SIZET
+ " > size=%" MBEDTLS_PRINTF_SIZET,
+ __func__, start + count, sizeof(aligned.buf));
+ return;
+ }
+ if (offset >= count) {
+ mbedtls_fprintf(stderr,
+ "%s: offset=%" MBEDTLS_PRINTF_SIZET
+ " >= count=%" MBEDTLS_PRINTF_SIZET,
+ __func__, offset, count);
+ return;
+ }
+
+ MBEDTLS_TEST_MEMORY_POISON(aligned.buf + start, count);
+
+ if (direction == 'w') {
+ aligned.buf[start + offset] = 'b';
+ do_nothing_with_object_but_the_compiler_does_not_know(aligned.buf);
+ } else {
+ do_nothing_with_object_but_the_compiler_does_not_know(aligned.buf);
+ mbedtls_printf("%u\n", (unsigned) aligned.buf[start + offset]);
+ }
+}
+
+
+/****************************************************************/
+/* Threading */
+/****************************************************************/
+
+void mutex_lock_not_initialized(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ memset(&mutex, 0, sizeof(mutex));
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+ TEST_ASSERT(mbedtls_mutex_lock(&mutex) == 0);
+exit:
+ ;
+#endif
+}
+
+void mutex_unlock_not_initialized(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ memset(&mutex, 0, sizeof(mutex));
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+ TEST_ASSERT(mbedtls_mutex_unlock(&mutex) == 0);
+exit:
+ ;
+#endif
+}
+
+void mutex_free_not_initialized(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ memset(&mutex, 0, sizeof(mutex));
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+ mbedtls_mutex_free(&mutex);
+#endif
+}
+
+void mutex_double_init(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ mbedtls_mutex_init(&mutex);
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+ mbedtls_mutex_init(&mutex);
+ mbedtls_mutex_free(&mutex);
+#endif
+}
+
+void mutex_double_free(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ mbedtls_mutex_init(&mutex);
+ mbedtls_mutex_free(&mutex);
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+ mbedtls_mutex_free(&mutex);
+#endif
+}
+
+void mutex_leak(const char *name)
+{
+ (void) name;
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+ mbedtls_mutex_init(&mutex);
+#endif
+ /* This mutex usage error is detected by our test framework's mutex usage
+ * verification framework. See tests/src/threading_helpers.c. Other
+ * threading implementations (e.g. pthread without our instrumentation)
+ * might consider this normal usage. */
+}
+
+
+/****************************************************************/
+/* Command line entry point */
+/****************************************************************/
+
+typedef struct {
+ /** Command line argument that will trigger that metatest.
+ *
+ * Conventionally matches "[a-z0-9_]+". */
+ const char *name;
+
+ /** Platform under which that metatest is valid.
+ *
+ * - "any": should work anywhere.
+ * - "asan": triggers ASan (Address Sanitizer).
+ * - "msan": triggers MSan (Memory Sanitizer).
+ * - "pthread": requires MBEDTLS_THREADING_PTHREAD and MBEDTLS_TEST_HOOKS,
+ * which enables MBEDTLS_TEST_MUTEX_USAGE internally in the test
+ * framework (see tests/src/threading_helpers.c).
+ */
+ const char *platform;
+
+ /** Function that performs the metatest.
+ *
+ * The function receives the name as an argument. This allows using the
+ * same function to perform multiple variants of a test based on the name.
+ *
+ * When executed on a conforming platform, the function is expected to
+ * either cause a test failure (mbedtls_test_fail()), or cause the
+ * program to abort in some way (e.g. by causing a segfault or by
+ * triggering a sanitizer).
+ *
+ * When executed on a non-conforming platform, the function may return
+ * normally or may have unpredictable behavior.
+ */
+ void (*entry_point)(const char *name);
+} metatest_t;
+
+/* The list of availble meta-tests. Remember to register new functions here!
+ *
+ * Note that we always compile all the functions, so that `metatest --list`
+ * will always list all the available meta-tests.
+ *
+ * See the documentation of metatest_t::platform for the meaning of
+ * platform values.
+ */
+metatest_t metatests[] = {
+ { "test_fail", "any", meta_test_fail },
+ { "test_not_equal", "any", meta_test_not_equal },
+ { "test_not_le_s", "any", meta_test_not_le_s },
+ { "test_not_le_u", "any", meta_test_not_le_u },
+ { "null_dereference", "any", null_pointer_dereference },
+ { "null_call", "any", null_pointer_call },
+ { "read_after_free", "asan", read_after_free },
+ { "double_free", "asan", double_free },
+ { "read_uninitialized_stack", "msan", read_uninitialized_stack },
+ { "memory_leak", "asan", memory_leak },
+ { "test_memory_poison_0_0_8_r", "poison", test_memory_poison },
+ { "test_memory_poison_0_0_8_w", "poison", test_memory_poison },
+ { "test_memory_poison_0_7_8_r", "poison", test_memory_poison },
+ { "test_memory_poison_0_7_8_w", "poison", test_memory_poison },
+ { "test_memory_poison_0_0_1_r", "poison", test_memory_poison },
+ { "test_memory_poison_0_0_1_w", "poison", test_memory_poison },
+ { "test_memory_poison_0_1_2_r", "poison", test_memory_poison },
+ { "test_memory_poison_0_1_2_w", "poison", test_memory_poison },
+ { "test_memory_poison_7_0_8_r", "poison", test_memory_poison },
+ { "test_memory_poison_7_0_8_w", "poison", test_memory_poison },
+ { "test_memory_poison_7_7_8_r", "poison", test_memory_poison },
+ { "test_memory_poison_7_7_8_w", "poison", test_memory_poison },
+ { "test_memory_poison_7_0_1_r", "poison", test_memory_poison },
+ { "test_memory_poison_7_0_1_w", "poison", test_memory_poison },
+ { "test_memory_poison_7_1_2_r", "poison", test_memory_poison },
+ { "test_memory_poison_7_1_2_w", "poison", test_memory_poison },
+ { "mutex_lock_not_initialized", "pthread", mutex_lock_not_initialized },
+ { "mutex_unlock_not_initialized", "pthread", mutex_unlock_not_initialized },
+ { "mutex_free_not_initialized", "pthread", mutex_free_not_initialized },
+ { "mutex_double_init", "pthread", mutex_double_init },
+ { "mutex_double_free", "pthread", mutex_double_free },
+ { "mutex_leak", "pthread", mutex_leak },
+ { NULL, NULL, NULL }
+};
+
+static void help(FILE *out, const char *argv0)
+{
+ mbedtls_fprintf(out, "Usage: %s list|TEST\n", argv0);
+ mbedtls_fprintf(out, "Run a meta-test that should cause a test failure.\n");
+ mbedtls_fprintf(out, "With 'list', list the available tests and their platform requirement.\n");
+}
+
+int main(int argc, char *argv[])
+{
+ const char *argv0 = argc > 0 ? argv[0] : "metatest";
+ if (argc != 2) {
+ help(stderr, argv0);
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+ }
+
+ /* Support "-help", "--help", "--list", etc. */
+ const char *command = argv[1];
+ while (*command == '-') {
+ ++command;
+ }
+
+ if (strcmp(argv[1], "help") == 0) {
+ help(stdout, argv0);
+ mbedtls_exit(MBEDTLS_EXIT_SUCCESS);
+ }
+ if (strcmp(argv[1], "list") == 0) {
+ for (const metatest_t *p = metatests; p->name != NULL; p++) {
+ mbedtls_printf("%s %s\n", p->name, p->platform);
+ }
+ mbedtls_exit(MBEDTLS_EXIT_SUCCESS);
+ }
+
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+ mbedtls_test_mutex_usage_init();
+#endif
+
+ for (const metatest_t *p = metatests; p->name != NULL; p++) {
+ if (strcmp(argv[1], p->name) == 0) {
+ mbedtls_printf("Running metatest %s...\n", argv[1]);
+ p->entry_point(argv[1]);
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+ mbedtls_test_mutex_usage_check();
+#endif
+ int result = (int) mbedtls_test_get_result();
+
+ mbedtls_printf("Running metatest %s... done, result=%d\n",
+ argv[1], result);
+ mbedtls_exit(result == MBEDTLS_TEST_RESULT_SUCCESS ?
+ MBEDTLS_EXIT_SUCCESS :
+ MBEDTLS_EXIT_FAILURE);
+ }
+ }
+
+ mbedtls_fprintf(stderr, "%s: FATAL: No such metatest: %s\n",
+ argv0, command);
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+}
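Review bot: In `main`, the dash-stripped `command` is computed to support `-help`, `--help` and `--list` (per the comment above it), but the two comparisons that follow test `argv[1]` instead. Those spellings therefore fall through to the lookup loop and end in "No such metatest". `command` is otherwise used only in that error message. Compare the stripped string: `if (strcmp(command, "help") == 0) {` and `if (strcmp(command, "list") == 0) {`.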
diff --git a/programs/test/query_compile_time_config.c b/programs/test/query_compile_time_config.c
index df0fe4a..a70e6da 100644
--- a/programs/test/query_compile_time_config.c
+++ b/programs/test/query_compile_time_config.c
@@ -2,19 +2,7 @@
* Query the Mbed TLS compile time configuration
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/test/query_config.h b/programs/test/query_config.h
index ade73d0..43f120b 100644
--- a/programs/test/query_config.h
+++ b/programs/test/query_config.h
@@ -2,19 +2,7 @@
* Query Mbed TLS compile time configurations from mbedtls_config.h
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_PROGRAMS_TEST_QUERY_CONFIG_H
diff --git a/programs/test/query_included_headers.c b/programs/test/query_included_headers.c
index 383a2ff..cdafa16 100644
--- a/programs/test/query_included_headers.c
+++ b/programs/test/query_included_headers.c
@@ -1,19 +1,7 @@
/* Ad hoc report on included headers. */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <psa/crypto.h>
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index cc5e00e..043209b 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -2,23 +2,9 @@
* Self-test demonstration program
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
#include "mbedtls/build_info.h"
#include "mbedtls/entropy.h"
@@ -91,6 +77,7 @@ static int calloc_self_test(int verbose)
if (verbose) {
mbedtls_printf(" CALLOC(0,1): passed (same non-null)\n");
}
+ empty2 = NULL;
} else {
if (verbose) {
mbedtls_printf(" CALLOC(0,1): passed (distinct non-null)\n");
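Review bot: The three added assignments carry no comment explaining why a pointer is cleared in the "same" branches: `empty2 = NULL;` here and in the `CALLOC(1,0)` hunk, and `buffer2 = NULL;` in the `CALLOC(1)` hunk. Presumably both pointers refer to one allocation in those branches, and the later cleanup, which is outside these hunks, would otherwise free it twice. A one-line comment at each site would record that, for example `/* same allocation returned twice: clear this alias so cleanup frees it only once */`. `calloc_self_test` starts and ends outside the hunks.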
@@ -115,6 +102,7 @@ static int calloc_self_test(int verbose)
if (verbose) {
mbedtls_printf(" CALLOC(1,0): passed (same non-null)\n");
}
+ empty2 = NULL;
} else {
if (verbose) {
mbedtls_printf(" CALLOC(1,0): passed (distinct non-null)\n");
@@ -131,6 +119,7 @@ static int calloc_self_test(int verbose)
mbedtls_printf(" CALLOC(1): failed (same buffer twice)\n");
}
++failures;
+ buffer2 = NULL;
} else {
if (verbose) {
mbedtls_printf(" CALLOC(1): passed\n");
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index 685e336..beaa8bd 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -2,19 +2,7 @@
* UDP proxy: emulate an unreliable UDP connection for DTLS testing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
@@ -23,7 +11,6 @@
* example of good general usage.
*/
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "mbedtls/build_info.h"
diff --git a/programs/test/udp_proxy_wrapper.sh b/programs/test/udp_proxy_wrapper.sh
index 27de013..aa6a6d1 100755
--- a/programs/test/udp_proxy_wrapper.sh
+++ b/programs/test/udp_proxy_wrapper.sh
@@ -3,19 +3,7 @@
# Usage: udp_proxy_wrapper.sh [PROXY_PARAM...] -- [SERVER_PARAM...]
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -u
diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c
index b7842c4..1e9b98d 100644
--- a/programs/test/zeroize.c
+++ b/programs/test/zeroize.c
@@ -10,19 +10,7 @@
* call to mbedtls_platform_zeroize() was not eliminated.
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
index 7fc58cb..cb6bc3d 100644
--- a/programs/util/CMakeLists.txt
+++ b/programs/util/CMakeLists.txt
@@ -9,7 +9,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${libs})
+ target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
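Review bot: `${CMAKE_THREAD_LIBS_INIT}` in the `target_link_libraries` call expands to an empty string unless `find_package(Threads)` has already run, and no such call is visible in this hunk. If that lookup is ever skipped or moved, the thread library is silently dropped from the link line and the problem only shows up as unresolved symbols later. Linking the imported target instead, `target_link_libraries(${exe} ${libs} Threads::Threads)`, makes a missing lookup fail at configure time. The same line is added in programs/x509/CMakeLists.txt.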
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index 5dd367a..d682c2b 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -2,19 +2,7 @@
* Convert PEM to DER
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/util/strerror.c b/programs/util/strerror.c
index 4bfd8a1..316f286 100644
--- a/programs/util/strerror.c
+++ b/programs/util/strerror.c
@@ -2,19 +2,7 @@
* Translate error code to error string
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/wince_main.c b/programs/wince_main.c
index be98eae..e817b9f 100644
--- a/programs/wince_main.c
+++ b/programs/wince_main.c
@@ -2,19 +2,7 @@
* Windows CE console application entry point
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#if defined(_WIN32_WCE)
diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
index 5876b8d..43437f0 100644
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@@ -13,7 +13,7 @@ set(executables
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
- target_link_libraries(${exe} ${libs})
+ target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 51a79ec..cb1e5bc 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -2,19 +2,7 @@
* Certificate reading application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 7e2a6bd..dcfd176 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -2,19 +2,7 @@
* Certificate request generation
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -26,7 +14,8 @@
#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO)
+ !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
+ !defined(MBEDTLS_MD_C)
int main(void)
{
mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or "
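Review bot: The guard now also requires `MBEDTLS_MD_C`, but the `mbedtls_printf` message that lists the missing options is not touched by this hunk. The message continues past the hunk's last line, so check it there and add `"MBEDTLS_MD_C and/or "` to the list if it is absent. Otherwise a build that lacks only MBEDTLS_MD_C prints a list of options that are all enabled, which sends the user looking in the wrong place. The same applies to the guard change in programs/x509/cert_write.c.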
@@ -273,10 +262,10 @@ usage:
} else if (strcmp(q, "DNS") == 0) {
cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
} else if (strcmp(q, "IP") == 0) {
- size_t ip_len = 0;
+ size_t ip_addr_len = 0;
cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
- ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
- if (ip_len == 0) {
+ ip_addr_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+ if (ip_addr_len == 0) {
mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
subtype_value);
goto exit;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index d8660dc..0b2575e 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -2,19 +2,7 @@
* Certificate generation and signing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
@@ -27,7 +15,7 @@
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
- !defined(MBEDTLS_PEM_WRITE_C)
+ !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_MD_C)
int main(void)
{
mbedtls_printf("MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
@@ -595,10 +583,10 @@ usage:
} else if (strcmp(q, "DNS") == 0) {
cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
} else if (strcmp(q, "IP") == 0) {
- size_t ip_len = 0;
+ size_t ip_addr_len = 0;
cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
- ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
- if (ip_len == 0) {
+ ip_addr_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+ if (ip_addr_len == 0) {
mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
subtype_value);
goto exit;
diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c
index 6c671ff..5e3fd5a 100644
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@@ -2,19 +2,7 @@
* CRL reading application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c
index d024e98..f0e6acf 100644
--- a/programs/x509/load_roots.c
+++ b/programs/x509/load_roots.c
@@ -3,45 +3,6 @@
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- * This file is provided under the Apache License 2.0, or the
- * GNU General Public License v2.0 or later.
- *
- * **********
- * Apache License 2.0:
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * **********
- *
- * **********
- * GNU General Public License v2.0 or later:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * **********
*/
#include "mbedtls/build_info.h"
diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c
index 64b9f0b..fff0983 100644
--- a/programs/x509/req_app.c
+++ b/programs/x509/req_app.c
@@ -2,19 +2,7 @@
* Certificate request reading application
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/scripts/abi_check.py b/scripts/abi_check.py
index ac1d60f..f91d80e 100755
--- a/scripts/abi_check.py
+++ b/scripts/abi_check.py
@@ -84,19 +84,7 @@ function name and parameter list.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import glob
import os
@@ -113,7 +101,8 @@ from types import SimpleNamespace
import xml.etree.ElementTree as ET
-from mbedtls_dev import build_tree
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import build_tree
class AbiChecker:
@@ -337,8 +326,14 @@ class AbiChecker:
@staticmethod
def _list_generated_test_data_files(git_worktree_path):
"""List the generated test data files."""
+ generate_psa_tests = 'framework/scripts/generate_psa_tests.py'
+ if not os.path.isfile(git_worktree_path + '/' + generate_psa_tests):
+ # The checked-out revision is from before generate_psa_tests.py
+ # was moved to the framework submodule. Use the old location.
+ generate_psa_tests = 'tests/scripts/generate_psa_tests.py'
+
output = subprocess.check_output(
- ['tests/scripts/generate_psa_tests.py', '--list'],
+ [generate_psa_tests, '--list'],
cwd=git_worktree_path,
).decode('ascii')
return [line for line in output.split('\n') if line]
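Review bot: The fallback that chooses between the framework and the old location of generate_psa_tests.py is written out twice, here in `_list_generated_test_data_files` and again in the next hunk, so the two copies can drift apart the next time the script moves. A private static helper on AbiChecker would keep the decision in one place, and `os.path.join` is clearer than concatenating with `'/'`. The method changed by the next hunk starts outside that hunk, so the call site there is described rather than shown.

```python
    @staticmethod
    def _generate_psa_tests_path(git_worktree_path):
        """Return the path of generate_psa_tests.py relative to the worktree."""
        new_location = 'framework/scripts/generate_psa_tests.py'
        if os.path.isfile(os.path.join(git_worktree_path, new_location)):
            return new_location
        # The checked-out revision is from before the script was moved
        # to the framework submodule. Use the old location.
        return 'tests/scripts/generate_psa_tests.py'

    # … unchanged: _list_generated_test_data_files signature and docstring …
        generate_psa_tests = AbiChecker._generate_psa_tests_path(git_worktree_path)
```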
@@ -364,8 +359,14 @@ class AbiChecker:
if 'storage_format' in filename:
storage_data_files.add(filename)
to_be_generated.add(filename)
+
+ generate_psa_tests = 'framework/scripts/generate_psa_tests.py'
+ if not os.path.isfile(git_worktree_path + '/' + generate_psa_tests):
+ # The checked-out revision is from before generate_psa_tests.py
+ # was moved to the framework submodule. Use the old location.
+ generate_psa_tests = 'tests/scripts/generate_psa_tests.py'
subprocess.check_call(
- ['tests/scripts/generate_psa_tests.py'] + sorted(to_be_generated),
+ [generate_psa_tests] + sorted(to_be_generated),
cwd=git_worktree_path,
)
for test_file in sorted(storage_data_files):
diff --git a/scripts/apidoc_full.sh b/scripts/apidoc_full.sh
index cf01e1f..34daf37 100755
--- a/scripts/apidoc_full.sh
+++ b/scripts/apidoc_full.sh
@@ -8,19 +8,7 @@
# when multiple targets are invoked in the same parallel build.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
diff --git a/scripts/assemble_changelog.py b/scripts/assemble_changelog.py
index e808101..07e6fc5 100755
--- a/scripts/assemble_changelog.py
+++ b/scripts/assemble_changelog.py
@@ -19,19 +19,7 @@ You must run this program from within a git working directory.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
from collections import OrderedDict, namedtuple
@@ -127,7 +115,7 @@ class ChangelogFormat:
class TextChangelogFormat(ChangelogFormat):
"""The traditional Mbed TLS changelog format."""
- _unreleased_version_text = '= Mbed TLS x.x.x branch released xxxx-xx-xx'
+ _unreleased_version_text = '= {} x.x.x branch released xxxx-xx-xx'
@classmethod
def is_released_version(cls, title):
# Look for an incomplete release date
@@ -135,6 +123,7 @@ class TextChangelogFormat(ChangelogFormat):
_top_version_re = re.compile(r'(?:\A|\n)(=[^\n]*\n+)(.*?\n)(?:=|$)',
re.DOTALL)
+ _name_re = re.compile(r'=\s(.*)\s[0-9x]+\.', re.DOTALL)
@classmethod
def extract_top_version(cls, changelog_file_content):
"""A version section starts with a line starting with '='."""
@@ -143,9 +132,10 @@ class TextChangelogFormat(ChangelogFormat):
top_version_end = m.end(2)
top_version_title = m.group(1)
top_version_body = m.group(2)
+ name = re.match(cls._name_re, top_version_title).group(1)
if cls.is_released_version(top_version_title):
top_version_end = top_version_start
- top_version_title = cls._unreleased_version_text + '\n\n'
+ top_version_title = cls._unreleased_version_text.format(name) + '\n\n'
top_version_body = ''
return (changelog_file_content[:top_version_start],
top_version_title, top_version_body,
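Review bot: `re.match(cls._name_re, top_version_title).group(1)` raises AttributeError when the top title does not fit `_name_re`, for example a title with no version number after the product name. The traceback would not say which changelog line was at fault. Checking the match first gives a usable message: `name_match = cls._name_re.match(top_version_title)` followed by `if name_match is None: raise ValueError('No product name in ' + repr(top_version_title))`, using whichever exception type the script already uses for format errors. extract_top_version starts outside this hunk.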
@@ -257,6 +247,7 @@ class ChangeLog:
for category in STANDARD_CATEGORIES:
self.categories[category] = ''
offset = (self.header + self.top_version_title).count('\n') + 1
+
self.add_categories_from_text(input_stream.name, offset,
top_version_body, True)
diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh
index 19d90bc..86ed74e 100755
--- a/scripts/bump_version.sh
+++ b/scripts/bump_version.sh
@@ -1,19 +1,7 @@
#!/bin/bash
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index 7dbcfe8..d21aa27 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -18,3 +18,7 @@ mypy >= 0.780
# for mypy and pylint under Python 3.5, and we also get something good enough
# to run audit-validity-dates.py on Python >=3.6.
cryptography # >= 35.0.0
+
+# For building `framework/data_files/server9-bad-saltlen.crt` and check python
+# files.
+asn1crypto
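Review bot: `asn1crypto` is added with no version constraint, so every CI run installs whatever release is newest on the package index at that moment. A behaviour change or a bad upload then reaches the job that builds test certificates with no change in this repository to point at. The neighbouring entries at least record a tested minimum (`mypy >= 0.780`, and a commented bound on `cryptography`). Doing the same here, `asn1crypto >= MINIMUM_TESTED_VERSION` with the placeholder replaced by the version the data-file scripts were tested against, documents what is known to work. An exact pin in a constraints file would be the stronger option if reproducible CI environments matter.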
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py
index e764e9d..ce752e4 100755
--- a/scripts/code_size_compare.py
+++ b/scripts/code_size_compare.py
@@ -9,19 +9,7 @@ Note: must be run from Mbed TLS root.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import logging
@@ -33,9 +21,10 @@ import sys
import typing
from enum import Enum
-from mbedtls_dev import build_tree
-from mbedtls_dev import logging_util
-from mbedtls_dev import typing_util
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import build_tree
+from mbedtls_framework import logging_util
+from mbedtls_framework import typing_util
class SupportedArch(Enum):
"""Supported architecture for code size measurement."""
@@ -156,11 +145,11 @@ def detect_arch() -> str:
print("Unknown host architecture, cannot auto-detect arch.")
sys.exit(1)
-TFM_MEDIUM_CONFIG_H = 'configs/tfm_mbedcrypto_config_profile_medium.h'
-TFM_MEDIUM_CRYPTO_CONFIG_H = 'configs/crypto_config_profile_medium.h'
+TFM_MEDIUM_CONFIG_H = 'configs/ext/tfm_mbedcrypto_config_profile_medium.h'
+TFM_MEDIUM_CRYPTO_CONFIG_H = 'configs/ext/crypto_config_profile_medium.h'
CONFIG_H = 'include/mbedtls/mbedtls_config.h'
-CRYPTO_CONFIG_H = 'include/psa/crypto_config.h'
+CRYPTO_CONFIG_H = 'tf-psa-crypto/include/psa/crypto_config.h'
BACKUP_SUFFIX = '.code_size.bak'
class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods
diff --git a/scripts/code_style.py b/scripts/code_style.py
index ddd0a98..26de730 100755
--- a/scripts/code_style.py
+++ b/scripts/code_style.py
@@ -4,19 +4,7 @@
This script must be run from the root of a Git work tree containing Mbed TLS.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import os
import re
@@ -63,6 +51,13 @@ def list_generated_files() -> FrozenSet[str]:
checks = re.findall(CHECK_CALL_RE, content)
return frozenset(word for s in checks for word in s.split())
+# Check for comment string indicating an auto-generated file
+AUTOGEN_RE = re.compile(r"Warning[ :-]+This file is (now )?auto[ -]?generated",
+ re.ASCII | re.IGNORECASE)
+def is_file_autogenerated(filename):
+ content = open(filename, encoding="utf-8").read()
+ return AUTOGEN_RE.search(content) is not None
+
def get_src_files(since: Optional[str]) -> List[str]:
"""
Use git to get a list of the source files.
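Review bot: `is_file_autogenerated` opens the file without closing it and decodes strictly as UTF-8, so one source file with a stray non-UTF-8 byte aborts the whole style check with UnicodeDecodeError. `with open(filename, encoding="utf-8", errors="replace") as f:` followed by `return AUTOGEN_RE.search(f.read()) is not None` fixes both. The pattern is compiled with re.ASCII, so replaced bytes cannot change the result. The function also lacks the annotations and docstring its neighbours carry; `def is_file_autogenerated(filename: str) -> bool:` with a one-line docstring would match them. get_src_files, whose first lines close this hunk, continues outside it.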
@@ -71,7 +66,7 @@ def get_src_files(since: Optional[str]) -> List[str]:
that have changed since that commit. Without this argument, list all
files known to git.
- Only C files are included, and certain files (generated, or 3rdparty)
+ Only C files are included, and certain files (generated, or third party)
are excluded.
"""
file_patterns = ["*.[hc]",
@@ -80,24 +75,65 @@ def get_src_files(since: Optional[str]) -> List[str]:
output = subprocess.check_output(["git", "ls-files"] + file_patterns,
universal_newlines=True)
src_files = output.split()
+
+ # When this script is called from a git hook, some environment variables
+ # are set by default which force all git commands to use the main repository
+ # (i.e. prevent us from performing commands on the framework repo).
+ # Create an environment without these variables for running commands on the
+ # framework repo.
+ framework_env = os.environ.copy()
+ # Get a list of environment vars that git sets
+ git_env_vars = subprocess.check_output(["git", "rev-parse", "--local-env-vars"],
+ universal_newlines=True)
+ # Remove the vars from the environment
+ for var in git_env_vars.split():
+ framework_env.pop(var, None)
+
+ output = subprocess.check_output(["git", "-C", "framework", "ls-files"]
+ + file_patterns,
+ universal_newlines=True,
+ env=framework_env)
+ framework_src_files = output.split()
+
if since:
- # get all files changed in commits since the starting point
- cmd = ["git", "log", since + "..HEAD", "--name-only", "--pretty=", "--"] + src_files
+ # get all files changed in commits since the starting point in ...
+ # ... the main repository
+ cmd = ["git", "log", since + "..HEAD", "--ignore-submodules",
+ "--name-only", "--pretty=", "--"] + src_files
output = subprocess.check_output(cmd, universal_newlines=True)
committed_changed_files = output.split()
- # and also get all files with uncommitted changes
+ # ... the framework submodule
+ cmd = ["git", "-C", "framework", "log", since + "..HEAD",
+ "--name-only", "--pretty=", "--"] + framework_src_files
+ output = subprocess.check_output(cmd, universal_newlines=True,
+ env=framework_env)
+ committed_changed_files += ["framework/" + s for s in output.split()]
+
+ # and also get all files with uncommitted changes in ...
+ # ... the main repository
cmd = ["git", "diff", "--name-only", "--"] + src_files
output = subprocess.check_output(cmd, universal_newlines=True)
uncommitted_changed_files = output.split()
- src_files = list(set(committed_changed_files + uncommitted_changed_files))
+ # ... the framework submodule
+ cmd = ["git", "-C", "framework", "diff", "--name-only", "--"] + \
+ framework_src_files
+ output = subprocess.check_output(cmd, universal_newlines=True,
+ env=framework_env)
+ uncommitted_changed_files += ["framework/" + s for s in output.split()]
+
+ src_files = committed_changed_files + uncommitted_changed_files
+ else:
+ src_files += ["framework/" + s for s in framework_src_files]
generated_files = list_generated_files()
# Don't correct style for third-party files (and, for simplicity,
# companion files in the same subtree), or for automatically
# generated files (we're correcting the templates instead).
src_files = [filename for filename in src_files
- if not (filename.startswith("3rdparty/") or
- filename in generated_files)]
+ if not (filename.startswith("tf-psa-crypto/drivers/everest/") or
+ filename.startswith("tf-psa-crypto/drivers/p256-m/") or
+ filename in generated_files or
+ is_file_autogenerated(filename))]
return src_files
def get_uncrustify_version() -> str:
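Review bot: `since` is passed unchanged to `git -C framework log since + "..HEAD"`, but as far as this hunk shows it names a revision of the main repository. A branch name or commit id that exists only there would make the submodule command exit non-zero, and `check_output` would raise. Resolving the submodule commit recorded at that revision first, e.g. `fw_since = subprocess.check_output(["git", "rev-parse", since + ":framework"], universal_newlines=True).strip()`, and using `fw_since` in the framework `git log` avoids that. Separately, `src_files = committed_changed_files + uncommitted_changed_files` drops the `list(set(...))` of the old code. A file that is both committed and locally modified is now listed twice, and presumably checked twice; restoring `list(set(...))` around the sum keeps the old behaviour.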
diff --git a/scripts/common.make b/scripts/common.make
new file mode 100644
index 0000000..d102a97
--- /dev/null
+++ b/scripts/common.make
@@ -0,0 +1,168 @@
+# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
+
+ifndef MBEDTLS_PATH
+MBEDTLS_PATH := ..
+endif
+
+PSASIM_PATH=$(MBEDTLS_PATH)/tests/psa-client-server/psasim
+
+ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
+ # Use the define keyword to get a multi-line message.
+ # GNU make appends ". Stop.", so tweak the ending of our message accordingly.
+ define error_message
+$(MBEDTLS_PATH)/framework/exported.make not found.
+Run `git submodule update --init` to fetch the submodule contents.
+This is a fatal error
+ endef
+ $(error $(error_message))
+endif
+include $(MBEDTLS_PATH)/framework/exported.make
+
+CFLAGS ?= -O2
+WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+LDFLAGS ?=
+
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \
+ -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include \
+ -I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include \
+ -D_FILE_OFFSET_BITS=64
+LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tests/include -D_FILE_OFFSET_BITS=64
+
+ifdef PSASIM
+LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
+ -L$(PSASIM_PATH)/client_libs \
+ -lpsaclient \
+ -lmbedtls$(SHARED_SUFFIX) \
+ -lmbedx509$(SHARED_SUFFIX) \
+ -lmbedcrypto$(SHARED_SUFFIX)
+else
+LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
+ -L$(MBEDTLS_PATH)/library \
+ -lmbedtls$(SHARED_SUFFIX) \
+ -lmbedx509$(SHARED_SUFFIX) \
+ -lmbedcrypto$(SHARED_SUFFIX)
+endif
+
+THIRDPARTY_DIR = $(MBEDTLS_PATH)/tf-psa-crypto/drivers
+include $(THIRDPARTY_DIR)/everest/Makefile.inc
+include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
+LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
+
+ifdef PSASIM
+MBEDLIBS=$(PSASIM_PATH)/client_libs/libmbedcrypto.a \
+ $(PSASIM_PATH)/client_libs/libmbedx509.a \
+ $(PSASIM_PATH)/client_libs/libmbedtls.a \
+ $(PSASIM_PATH)/client_libs/libpsaclient.a
+else ifndef SHARED
+MBEDLIBS=$(MBEDTLS_PATH)/library/libmbedcrypto.a \
+ $(MBEDTLS_PATH)/library/libmbedx509.a \
+ $(MBEDTLS_PATH)/library/libmbedtls.a
+else
+MBEDLIBS=$(MBEDTLS_PATH)/library/libmbedcrypto.$(DLEXT) \
+ $(MBEDTLS_PATH)/library/libmbedx509.$(DLEXT) \
+ $(MBEDTLS_PATH)/library/libmbedtls.$(DLEXT)
+endif
+
+ifdef DEBUG
+LOCAL_CFLAGS += -g3
+endif
+
+# if we're running on Windows, build for Windows
+ifdef WINDOWS
+WINDOWS_BUILD=1
+endif
+
+## Usage: $(call remove_enabled_options,PREPROCESSOR_INPUT)
+## Remove the preprocessor symbols that are set in the current configuration
+## from PREPROCESSOR_INPUT. Also normalize whitespace.
+## Example:
+## $(call remove_enabled_options,MBEDTLS_FOO MBEDTLS_BAR)
+## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both
+## enabled, to "MBEDTLS_FOO" if MBEDTLS_BAR is enabled but MBEDTLS_FOO is
+## disabled, etc.
+##
+## This only works with a Unix-like shell environment (Bourne/POSIX-style shell
+## and standard commands) and a Unix-like compiler (supporting -E). In
+## other environments, the output is likely to be empty.
+define remove_enabled_options
+$(strip $(shell
+ exec 2>/dev/null;
+ { echo '#include <mbedtls/build_info.h>'; echo $(1); } |
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -E - |
+ tail -n 1
+))
+endef
+
+ifdef WINDOWS_BUILD
+ DLEXT=dll
+ EXEXT=.exe
+ LOCAL_LDFLAGS += -lws2_32 -lbcrypt
+ ifdef SHARED
+ SHARED_SUFFIX=.$(DLEXT)
+ endif
+
+else # Not building for Windows
+ DLEXT ?= so
+ EXEXT=
+ SHARED_SUFFIX=
+ ifndef THREADING
+ # Auto-detect configurations with pthread.
+ # If the call to remove_enabled_options returns "control", the symbols
+ # are confirmed set and we link with pthread.
+ # If the auto-detection fails, the result of the call is empty and
+ # we keep THREADING undefined.
+ ifeq (control,$(call remove_enabled_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD))
+ THREADING := pthread
+ endif
+ endif
+
+ ifeq ($(THREADING),pthread)
+ LOCAL_LDFLAGS += -lpthread
+ endif
+endif
+
+ifdef WINDOWS
+PYTHON ?= python
+else
+PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
+endif
+
+# See root Makefile
+GEN_FILES ?= yes
+ifdef GEN_FILES
+gen_file_dep =
+else
+gen_file_dep = |
+endif
+
+default: all
+
+$(MBEDLIBS):
+ $(MAKE) -C $(MBEDTLS_PATH)/library
+
+neat: clean
+ifndef WINDOWS
+ rm -f $(GENERATED_FILES)
+else
+ for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
+endif
+
+# Auxiliary modules used by tests and some sample programs
+MBEDTLS_CORE_TEST_OBJS := $(patsubst %.c,%.o,$(wildcard \
+ ${MBEDTLS_TEST_PATH}/src/*.c \
+ ${MBEDTLS_TEST_PATH}/src/drivers/*.c \
+ ))
+# Ignore PSA stubs when building for the client side of PSASIM (i.e.
+# CRYPTO_CLIENT && !CRYPTO_C) otherwise there will be functions duplicates.
+ifdef PSASIM
+MBEDTLS_CORE_TEST_OBJS := $(filter-out \
+ ${MBEDTLS_TEST_PATH}/src/psa_crypto_stubs.o, $(MBEDTLS_CORE_TEST_OBJS)\
+ )
+endif
+# Additional auxiliary modules for TLS testing
+MBEDTLS_TLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard \
+ ${MBEDTLS_TEST_PATH}/src/test_helpers/*.c \
+ ))
+
+MBEDTLS_TEST_OBJS = $(MBEDTLS_CORE_TEST_OBJS) $(MBEDTLS_TLS_TEST_OBJS)
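Review bot: `LOCAL_CXXFLAGS` is not given the include paths that `LOCAL_CFLAGS` gets. It lacks `-I$(MBEDTLS_PATH)/tf-psa-crypto/include` and `-I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include`, it spells the test headers as `$(MBEDTLS_PATH)/tests/include` where the C flags use `$(MBEDTLS_TEST_PATH)/include`, and the later `LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)` has no C++ counterpart. A C++ program built through this file that includes a PSA header would presumably fail to find it, or find a different copy than the C programs do. Putting the shared `-I` list in one variable used by both flag sets, e.g. `LOCAL_INCLUDES = -I$(MBEDTLS_TEST_PATH)/include -I$(MBEDTLS_PATH)/include ...`, keeps them in step. The new file also has no copyright or SPDX line, while the rest of this commit normalises those headers.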
diff --git a/scripts/config.pl b/scripts/config.pl
index 5dd89d2..ca02b90 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -2,19 +2,8 @@
# Backward compatibility redirection
## Copyright The Mbed TLS Contributors
-## SPDX-License-Identifier: Apache-2.0
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
##
-## Licensed under the Apache License, Version 2.0 (the "License"); you may
-## not use this file except in compliance with the License.
-## You may obtain a copy of the License at
-##
-## http://www.apache.org/licenses/LICENSE-2.0
-##
-## Unless required by applicable law or agreed to in writing, software
-## distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-## WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-## See the License for the specific language governing permissions and
-## limitations under the License.
my $py = $0;
$py =~ s/\.pl$/.py/ or die "Unable to determine the name of the Python script";
diff --git a/scripts/config.py b/scripts/config.py
index 17fbe65..7c32db1 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -13,19 +13,8 @@ Basic usage, to read the Mbed TLS configuration:
# in parts that are not backported to 2.28.
## Copyright The Mbed TLS Contributors
-## SPDX-License-Identifier: Apache-2.0
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
##
-## Licensed under the Apache License, Version 2.0 (the "License"); you may
-## not use this file except in compliance with the License.
-## You may obtain a copy of the License at
-##
-## http://www.apache.org/licenses/LICENSE-2.0
-##
-## Unless required by applicable law or agreed to in writing, software
-## distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-## WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-## See the License for the specific language governing permissions and
-## limitations under the License.
import os
import re
@@ -191,11 +180,11 @@ EXCLUDE_FROM_FULL = frozenset([
#pylint: disable=line-too-long
'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY
'MBEDTLS_AES_USE_HARDWARE_ONLY', # hardware dependency
+ 'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES
'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
- 'MBEDTLS_ECP_NO_FALLBACK', # removes internal ECP implementation
'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental
'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
'MBEDTLS_HAVE_SSE2', # hardware dependency
@@ -208,14 +197,16 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA
'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
+ 'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS', # removes a feature
'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # incompatible with USE_PSA_CRYPTO
'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources
'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
- 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests
+ 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # setting *_USE_ARMV8_A_CRYPTO is sufficient
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_X509_REMOVE_INFO', # removes a feature
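Review bot: The comment on the new `'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS'` entry, `# removes a feature`, undersells why the option is excluded from `full`. As far as I know, enabling it turns off the copying of caller-supplied buffers that protects PSA functions when inputs or outputs sit in memory another party can modify, so it drops a hardening measure rather than an ordinary feature. A comment such as `# removes buffer copying (protection for shared-memory callers)` would make that clear to whoever next edits the list. In the same hunk, `'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT'` is added after the SHA512 entry; placing it beside `MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY` would keep the list in order. The `frozenset` literal starts before this hunk.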
@@ -278,6 +269,9 @@ EXCLUDE_FROM_BAREMETAL = frozenset([
'MBEDTLS_THREADING_C', # requires a threading interface
'MBEDTLS_THREADING_PTHREAD', # requires pthread
'MBEDTLS_TIMING_C', # requires a clock
+ 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection
+ 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection
])
def keep_in_baremetal(name):
@@ -358,6 +352,22 @@ def no_deprecated_adapter(adapter):
return adapter(name, active, section)
return continuation
+def no_platform_adapter(adapter):
+ """Modify an adapter to disable platform symbols.
+
+ ``no_platform_adapter(adapter)(name, active, section)`` is like
+ ``adapter(name, active, section)``, but unsets all platform symbols other
+ ``than MBEDTLS_PLATFORM_C.
+ """
+ def continuation(name, active, section):
+ # Allow MBEDTLS_PLATFORM_C but remove all other platform symbols.
+ if name.startswith('MBEDTLS_PLATFORM_') and name != 'MBEDTLS_PLATFORM_C':
+ return False
+ if adapter is None:
+ return active
+ return adapter(name, active, section)
+ return continuation
+
class ConfigFile(Config):
"""Representation of the Mbed TLS configuration read for a file.
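Review bot: The docstring of the new `no_platform_adapter` has broken inline markup: the line `than MBEDTLS_PLATFORM_C.` opens a double backquote before `than` and never closes it. The last two docstring lines should read "but unsets all platform symbols other" and "than ``MBEDTLS_PLATFORM_C``." so that the symbol name, not the word "than", is the literal. It would also help to state in the docstring that the platform check runs before the wrapped adapter is consulted, so a wrapped adapter cannot re-enable a platform symbol.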
@@ -385,6 +395,7 @@ class ConfigFile(Config):
self.default_path)
super().__init__()
self.filename = filename
+ self.inclusion_guard = None
self.current_section = 'header'
with open(filename, 'r', encoding='utf-8') as file:
self.templates = [self._parse_line(line) for line in file]
@@ -402,9 +413,11 @@ class ConfigFile(Config):
r'(?P<arguments>(?:\((?:\w|\s|,)*\))?)' +
r'(?P<separator>\s*)' +
r'(?P<value>.*)')
+ _ifndef_line_regexp = r'#ifndef (?P<inclusion_guard>\w+)'
_section_line_regexp = (r'\s*/?\*+\s*[\\@]name\s+SECTION:\s*' +
r'(?P<section>.*)[ */]*')
_config_line_regexp = re.compile(r'|'.join([_define_line_regexp,
+ _ifndef_line_regexp,
_section_line_regexp]))
def _parse_line(self, line):
"""Parse a line in mbedtls_config.h and return the corresponding template."""
@@ -415,10 +428,16 @@ class ConfigFile(Config):
elif m.group('section'):
self.current_section = m.group('section')
return line
+ elif m.group('inclusion_guard') and self.inclusion_guard is None:
+ self.inclusion_guard = m.group('inclusion_guard')
+ return line
else:
active = not m.group('commented_out')
name = m.group('name')
value = m.group('value')
+ if name == self.inclusion_guard and value == '':
+ # The file double-inclusion guard is not an option.
+ return line
template = (name,
m.group('indentation'),
m.group('define') + name +
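Review bot: A later line that matches the `#ifndef` alternative falls through to the `else` branch, because the new `elif` is taken only while `self.inclusion_guard is None`. In that branch `name` is read from the `name` group, which is presumably unset when the `#ifndef` alternative matched, so `m.group('define') + name` would raise a `TypeError` instead of passing the line through unchanged. Returning the line for every guard match avoids this: use `elif m.group('inclusion_guard'):`, record the guard only `if self.inclusion_guard is None:`, and `return line` in both cases. `_parse_line` starts before this hunk and continues after it, so the rest of its body is not visible here.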
@@ -540,6 +559,10 @@ if __name__ == '__main__':
"""Uncomment most non-deprecated features.
Like "full", but without deprecated features.
""")
+ add_adapter('full_no_platform', no_platform_adapter(full_adapter),
+ """Uncomment most non-platform features.
+ Like "full", but without platform features.
+ """)
add_adapter('realfull', realfull_adapter,
"""Uncomment all boolean #defines.
Suitable for generating documentation, but not for building.""")
diff --git a/scripts/data_files/driver_jsons/p256_transparent_driver.json b/scripts/data_files/driver_jsons/p256_transparent_driver.json
index 7d2aabf..4794074 100644
--- a/scripts/data_files/driver_jsons/p256_transparent_driver.json
+++ b/scripts/data_files/driver_jsons/p256_transparent_driver.json
@@ -2,7 +2,7 @@
"prefix": "p256",
"type": "transparent",
"mbedtls/h_condition": "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",
- "headers": ["../3rdparty/p256-m/p256-m_driver_entrypoints.h"],
+ "headers": ["../tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h"],
"capabilities": [
{
"mbedtls/c_condition": "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
index 8670bbd..8b91f0b 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
@@ -4,19 +4,7 @@
* Warning: This file is now auto-generated.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
@@ -134,7 +122,7 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -208,7 +196,7 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -278,7 +266,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
if( drv->asymmetric == NULL ||
drv->asymmetric->p_sign == NULL )
@@ -295,7 +283,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -318,11 +306,11 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
!PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
- PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
- attributes->core.bits == 256 )
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
{
status = p256_transparent_sign_hash( attributes,
key_buffer,
@@ -382,7 +370,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
if( drv->asymmetric == NULL ||
drv->asymmetric->p_verify == NULL )
@@ -399,7 +387,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -422,11 +410,11 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
!PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
- PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
- attributes->core.bits == 256 )
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
{
status = p256_transparent_verify_hash( attributes,
key_buffer,
@@ -529,7 +517,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash_start(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
- attributes->core.lifetime );
+ psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -621,7 +609,7 @@ static inline psa_status_t psa_driver_wrapper_verify_hash_start(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
- attributes->core.lifetime );
+ psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -719,8 +707,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
size_t *key_buffer_size )
{
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
- psa_key_type_t key_type = attributes->core.type;
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+ psa_key_type_t key_type = psa_get_key_type(attributes);
*key_buffer_size = 0;
switch( location )
@@ -743,18 +731,33 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
static inline psa_status_t psa_driver_wrapper_generate_key(
const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+ PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ int is_default_production =
+ psa_key_production_parameters_are_default(params, params_data_length);
+ if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production )
+ {
+ /* We don't support passing custom production parameters
+ * to drivers yet. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+#else
+ int is_default_production = 1;
+ (void) is_default_production;
+#endif
/* Try dynamically-registered SE interface first */
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
size_t pubkey_length = 0; /* We don't support this feature yet */
if( drv->key_management == NULL ||
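Review bot: The `#else` branch sets `is_default_production = 1` without inspecting `params`, so builds without `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE` do not enforce in this wrapper the rule that custom production parameters are never passed to drivers. That is presumably safe because the caller rejects non-default parameters for every other key type, but nothing in the function records the assumption. A comment on the `#else` would do so, for example `/* Without RSA key generation no key type takes custom production parameters; the caller is expected to have rejected them already. */`. The new `params` and `params_data_length` arguments also have no description, and a one-line comment above the signature saying who validates them would help driver authors. The body of `psa_driver_wrapper_generate_key` continues past this hunk.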
@@ -774,8 +777,11 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
- /* Transparent drivers are limited to generating asymmetric keys */
- if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) )
+ /* Transparent drivers are limited to generating asymmetric keys. */
+ /* We don't support passing custom production parameters
+ * to drivers yet. */
+ if( PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type(attributes) ) &&
+ is_default_production )
{
/* Cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST)
@@ -787,9 +793,9 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
break;
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
- attributes->core.type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
- attributes->core.bits == 256 )
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
+ psa_get_key_bits(attributes) == 256 )
{
status = p256_transparent_generate_key( attributes,
key_buffer,
@@ -805,7 +811,8 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
/* Software fallback */
status = psa_generate_key_internal(
- attributes, key_buffer, key_buffer_size, key_buffer_length );
+ attributes, params, params_data_length,
+ key_buffer, key_buffer_size, key_buffer_length );
break;
/* Add cases for opaque driver here */
@@ -855,7 +862,7 @@ bits
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
if( drv->key_management == NULL ||
drv->key_management->p_import == NULL )
@@ -932,7 +939,7 @@ data_length
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
if( ( drv->key_management == NULL ) ||
( drv->key_management->p_export == NULL ) )
@@ -987,13 +994,13 @@ target_key_buffer_length
{% endmacro %}
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
/* Copying to a secure element is not implemented yet. */
return( PSA_ERROR_NOT_SUPPORTED );
@@ -1037,7 +1044,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1127,7 +1134,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1204,7 +1211,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1277,7 +1284,7 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
{
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1677,7 +1684,7 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1729,7 +1736,7 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1778,7 +1785,7 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -1826,7 +1833,7 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2162,7 +2169,7 @@ static inline psa_status_t psa_driver_wrapper_mac_compute(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2226,7 +2233,7 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2298,7 +2305,7 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2498,7 +2505,7 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2556,7 +2563,7 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2620,7 +2627,7 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
- PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
@@ -2638,10 +2645,10 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDH(alg) &&
- PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->core.type) == PSA_ECC_FAMILY_SECP_R1 &&
- attributes->core.bits == 256 )
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
{
status = p256_transparent_key_agreement( attributes,
key_buffer,
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
index dbe424c..f612cf0 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
@@ -4,19 +4,7 @@
* Warning: This file is now auto-generated.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
@@ -100,9 +88,9 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
const psa_key_attributes_t *attributes,
size_t *key_buffer_size )
{
- psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
- psa_key_type_t key_type = attributes->core.type;
- size_t key_bits = attributes->core.bits;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+ psa_key_type_t key_type = psa_get_key_type(attributes);
+ size_t key_bits = psa_get_key_bits(attributes);
*key_buffer_size = 0;
switch( location )
@@ -156,7 +144,7 @@ data_length
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
- if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
{
if( ( drv->key_management == NULL ) ||
( drv->key_management->p_export_public == NULL ) )
@@ -215,14 +203,14 @@ key_buffer,
key_buffer_size,
key_buffer_length
{% endmacro %}
- psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
switch( location )
{
-#if defined(PSA_CRYPTO_DRIVER_TEST)
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
{% with nest_indent=8 %}
{% include "OS-template-opaque.jinja" -%}
{% endwith -%}
-#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
(void) slot_number;
(void) key_buffer;
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 0775003..781e72a 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -2,19 +2,7 @@
* Error message information
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt
index e7e6fc6..b60aba0 100644
--- a/scripts/data_files/query_config.fmt
+++ b/scripts/data_files/query_config.fmt
@@ -2,19 +2,7 @@
* Query Mbed TLS compile time configurations from mbedtls_config.h
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "mbedtls/build_info.h"
diff --git a/scripts/data_files/version_features.fmt b/scripts/data_files/version_features.fmt
index 0e40597..d820d4d 100644
--- a/scripts/data_files/version_features.fmt
+++ b/scripts/data_files/version_features.fmt
@@ -2,19 +2,7 @@
* Version feature information
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
diff --git a/scripts/data_files/vs2013-app-template.vcxproj b/scripts/data_files/vs2013-app-template.vcxproj
deleted file mode 100644
index 2fe9cf3..0000000
--- a/scripts/data_files/vs2013-app-template.vcxproj
+++ /dev/null
@@ -1,171 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
- <Configuration>Release</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- </ItemGroup>
- <ItemGroup>
- <SOURCES>
- </ItemGroup>
- <ItemGroup>
- <ProjectReference Include="mbedTLS.vcxproj">
- <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
- <LinkLibraryDependencies>true</LinkLibraryDependencies>
- </ProjectReference>
- </ItemGroup>
- <PropertyGroup Label="Globals">
- <ProjectGuid><GUID></ProjectGuid>
- <Keyword>Win32Proj</Keyword>
- <RootNamespace><APPNAME></RootNamespace>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
- <ImportGroup Label="ExtensionSettings">
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>true</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LinkIncremental>true</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <LinkIncremental>false</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
- <ImportGroup Label="ExtensionTargets">
- </ImportGroup>
-</Project>
diff --git a/scripts/data_files/vs2013-main-template.vcxproj b/scripts/data_files/vs2013-main-template.vcxproj
deleted file mode 100644
index 51861e1..0000000
--- a/scripts/data_files/vs2013-main-template.vcxproj
+++ /dev/null
@@ -1,159 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
- <Configuration>Release</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- </ItemGroup>
- <PropertyGroup Label="Globals">
- <ProjectGuid>{46CF2D25-6A36-4189-B59C-E4815388E554}</ProjectGuid>
- <Keyword>Win32Proj</Keyword>
- <RootNamespace>mbedTLS</RootNamespace>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>StaticLibrary</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
- <ConfigurationType>StaticLibrary</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>StaticLibrary</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
- <ConfigurationType>StaticLibrary</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
- <ImportGroup Label="ExtensionSettings">
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>true</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LinkIncremental>true</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <LinkIncremental>false</LinkIncremental>
- <IntDir>$(Configuration)\$(TargetName)\</IntDir>
- </PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- <CompileAs>CompileAsC</CompileAs>
- </ClCompile>
- <Link>
- <SubSystem>Windows</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- <CompileAs>CompileAsC</CompileAs>
- </ClCompile>
- <Link>
- <SubSystem>Windows</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>NDEBUG;_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Windows</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>
-INCLUDE_DIRECTORIES
- </AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Windows</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- </Link>
- </ItemDefinitionGroup>
- <ItemGroup>
-HEADER_ENTRIES
- </ItemGroup>
- <ItemGroup>
-SOURCE_ENTRIES
- </ItemGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
- <ImportGroup Label="ExtensionTargets">
- </ImportGroup>
-</Project>
diff --git a/scripts/data_files/vs2013-sln-template.sln b/scripts/data_files/vs2013-sln-template.sln
deleted file mode 100644
index 615ce04..0000000
--- a/scripts/data_files/vs2013-sln-template.sln
+++ /dev/null
@@ -1,30 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.31101.0
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mbedTLS", "mbedTLS.vcxproj", "{46CF2D25-6A36-4189-B59C-E4815388E554}"
-EndProject
-APP_ENTRIES
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Win32 = Debug|Win32
- Debug|x64 = Debug|x64
- Release|Win32 = Release|Win32
- Release|x64 = Release|x64
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|Win32.ActiveCfg = Debug|Win32
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|Win32.Build.0 = Debug|Win32
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|x64.ActiveCfg = Debug|x64
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|x64.Build.0 = Debug|x64
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|Win32.ActiveCfg = Release|Win32
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|Win32.Build.0 = Release|Win32
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|x64.ActiveCfg = Release|x64
- {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|x64.Build.0 = Release|x64
-CONF_ENTRIES
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/scripts/data_files/vs2017-app-template.vcxproj b/scripts/data_files/vs2017-app-template.vcxproj
new file mode 100644
index 0000000..36ca317
--- /dev/null
+++ b/scripts/data_files/vs2017-app-template.vcxproj
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|Win32">
+ <Configuration>Debug</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Debug|x64">
+ <Configuration>Debug</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|Win32">
+ <Configuration>Release</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|x64">
+ <Configuration>Release</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <ItemGroup>
+ <SOURCES>
+ </ItemGroup>
+ <ItemGroup>
+ <ProjectReference Include="mbedTLS.vcxproj">
+ <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
+ <LinkLibraryDependencies>true</LinkLibraryDependencies>
+ </ProjectReference>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid><GUID></ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace><APPNAME></RootNamespace>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <LinkIncremental>true</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <LinkIncremental>true</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <LinkIncremental>false</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <LinkIncremental>false</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+ </Link>
+ <ProjectReference>
+ <LinkLibraryDependencies>false</LinkLibraryDependencies>
+ </ProjectReference>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+ </Link>
+ <ProjectReference>
+ <LinkLibraryDependencies>false</LinkLibraryDependencies>
+ </ProjectReference>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>
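Review bot: The per-configuration blocks in this new template are not symmetric: the two Debug `ItemDefinitionGroup`s carry a `<ProjectReference>` override with `<LinkLibraryDependencies>false</LinkLibraryDependencies>` that the two Release groups lack, while the item-level `ProjectReference` to `mbedTLS.vcxproj` near the top sets the same property to `true`. Apart from `ToolsVersion` and the added `PlatformToolset` lines the text matches the deleted vs2013 template, so the asymmetry is probably inherited rather than intended. The same drift shows in vs2017-main-template.vcxproj, where `<CompileAs>CompileAsC</CompileAs>` appears only in the Debug groups and the Release|x64 group alone omits the `bcrypt.lib` `AdditionalDependencies` line and alone defines `WIN64;_WINDOWS`. Since both files are added fresh here, I would either make the four configurations identical or put a short XML comment beside each difference saying why it exists.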
diff --git a/scripts/data_files/vs2017-main-template.vcxproj b/scripts/data_files/vs2017-main-template.vcxproj
new file mode 100644
index 0000000..448f9cd
--- /dev/null
+++ b/scripts/data_files/vs2017-main-template.vcxproj
@@ -0,0 +1,163 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|Win32">
+ <Configuration>Debug</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Debug|x64">
+ <Configuration>Debug</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|Win32">
+ <Configuration>Release</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|x64">
+ <Configuration>Release</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{46CF2D25-6A36-4189-B59C-E4815388E554}</ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace>mbedTLS</RootNamespace>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+ <ConfigurationType>StaticLibrary</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+ <ConfigurationType>StaticLibrary</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+ <ConfigurationType>StaticLibrary</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+ <ConfigurationType>StaticLibrary</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>Unicode</CharacterSet>
+ <PlatformToolset>v141</PlatformToolset>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <LinkIncremental>true</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <LinkIncremental>true</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <LinkIncremental>false</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <LinkIncremental>false</LinkIncremental>
+ <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Windows</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Windows</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <PreprocessorDefinitions>NDEBUG;_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Windows</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <AdditionalDependencies>bcrypt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;MBEDTLS_EXPORTS;KRML_VERIFIED_UINT128;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalIncludeDirectories>
+INCLUDE_DIRECTORIES
+ </AdditionalIncludeDirectories>
+ </ClCompile>
+ <Link>
+ <SubSystem>Windows</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+HEADER_ENTRIES
+ </ItemGroup>
+ <ItemGroup>
+SOURCE_ENTRIES
+ </ItemGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>
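Review bot: None of the four `ClCompile` groups in this library template sets a compiler hardening option, and `WarningLevel` is `Level3` throughout, so the generated mbedTLS.vcxproj builds the TLS library with whatever the v141 toolset defaults to. For code that parses untrusted network input I would consider adding `<SDLCheck>true</SDLCheck>` and `<ControlFlowGuard>Guard</ControlFlowGuard>` to the `ClCompile` groups, at least for the two Release configurations. `/sdl` promotes some warnings to errors, so it needs a trial build before it is switched on. Whether the project applies equivalent flags through another build path (CMake, CI) is not visible from this hunk.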
diff --git a/scripts/data_files/vs2017-sln-template.sln b/scripts/data_files/vs2017-sln-template.sln
new file mode 100644
index 0000000..80efb10
--- /dev/null
+++ b/scripts/data_files/vs2017-sln-template.sln
@@ -0,0 +1,30 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2017
+VisualStudioVersion = 15.0.26228.4
+MinimumVisualStudioVersion = 15.0.26228.4
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mbedTLS", "mbedTLS.vcxproj", "{46CF2D25-6A36-4189-B59C-E4815388E554}"
+EndProject
+APP_ENTRIES
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Win32 = Debug|Win32
+ Debug|x64 = Debug|x64
+ Release|Win32 = Release|Win32
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|Win32.ActiveCfg = Debug|Win32
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|Win32.Build.0 = Debug|Win32
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|x64.ActiveCfg = Debug|x64
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Debug|x64.Build.0 = Debug|x64
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|Win32.ActiveCfg = Release|Win32
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|Win32.Build.0 = Release|Win32
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|x64.ActiveCfg = Release|x64
+ {46CF2D25-6A36-4189-B59C-E4815388E554}.Release|x64.Build.0 = Release|x64
+CONF_ENTRIES
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/scripts/ecc-heap.sh b/scripts/ecc-heap.sh
index 43fc7df..3eb2ff4 100755
--- a/scripts/ecc-heap.sh
+++ b/scripts/ecc-heap.sh
@@ -8,19 +8,7 @@
# scripts/ecc-heap.sh | tee ecc-heap.log
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
diff --git a/scripts/ecp_comb_table.py b/scripts/ecp_comb_table.py
index 6719be1..6146e88 100755
--- a/scripts/ecp_comb_table.py
+++ b/scripts/ecp_comb_table.py
@@ -7,19 +7,7 @@ can use this script to generate codes to define `<curve>_T` in ecp_curves.c
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import os
import subprocess
diff --git a/scripts/find-mem-leak.cocci b/scripts/find-mem-leak.cocci
deleted file mode 100644
index 8179e2b..0000000
--- a/scripts/find-mem-leak.cocci
+++ /dev/null
@@ -1,20 +0,0 @@
-@@
-expression x, y;
-statement S;
-@@
- x = mbedtls_calloc(...);
- y = mbedtls_calloc(...);
- ...
-* if (x == NULL || y == NULL)
- S
-
-@@
-expression x, y;
-statement S;
-@@
- if (
-* (x = mbedtls_calloc(...)) == NULL
- ||
-* (y = mbedtls_calloc(...)) == NULL
- )
- S
diff --git a/scripts/footprint.sh b/scripts/footprint.sh
index ae95db4..614a493 100755
--- a/scripts/footprint.sh
+++ b/scripts/footprint.sh
@@ -1,19 +1,7 @@
#!/bin/sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/scripts/framework_scripts_path.py b/scripts/framework_scripts_path.py
new file mode 100644
index 0000000..4d4a440
--- /dev/null
+++ b/scripts/framework_scripts_path.py
@@ -0,0 +1,17 @@
+"""Add our Python library directory to the module search path.
+
+Usage:
+
+ import framework_scripts_path # pylint: disable=unused-import
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+
+import os
+import sys
+
+sys.path.append(os.path.join(os.path.dirname(__file__),
+ os.path.pardir,
+ 'framework', 'scripts'))
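Review bot: The directory added by `sys.path.append(...)` is never checked to exist, and because it is appended last, any `mbedtls_framework` package found earlier on the path would be imported instead of the one in `framework/scripts`. If the `framework` tree is missing (presumably a submodule that was not checked out), the calling scripts fail later with a bare ModuleNotFoundError that does not name the cause. Consider normalising the path with `os.path.abspath` and failing early, e.g. `if not os.path.isdir(path): raise ImportError('framework/scripts not found: ' + path)`. A short comment on why the entry is appended rather than inserted first would also help, since the choice decides which copy wins when two are present.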
diff --git a/scripts/generate_driver_wrappers.py b/scripts/generate_driver_wrappers.py
index e0f2827..9579764 100755
--- a/scripts/generate_driver_wrappers.py
+++ b/scripts/generate_driver_wrappers.py
@@ -1,25 +1,13 @@
#!/usr/bin/env python3
-"""Generate library/psa_crypto_driver_wrappers.h
- library/psa_crypto_driver_wrappers_no_static.c
+"""Generate psa_crypto_driver_wrappers.h
+ psa_crypto_driver_wrappers_no_static.c
This module is invoked by the build scripts to auto generate the
psa_crypto_driver_wrappers.h and psa_crypto_driver_wrappers_no_static
based on template files in script/data_files/driver_templates/.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import sys
import os
@@ -29,7 +17,9 @@ from traceback import format_tb
import argparse
import jsonschema
import jinja2
-from mbedtls_dev import build_tree
+
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import build_tree
JSONSchema = NewType('JSONSchema', object)
# The Driver is an Object, but practically it's indexable and can called a dictionary to
@@ -120,17 +110,17 @@ def load_driver(schemas: Dict[str, Any], driver_file: str) -> Any:
return json_data
-def load_schemas(mbedtls_root: str) -> Dict[str, Any]:
+def load_schemas(project_root: str) -> Dict[str, Any]:
"""
Load schemas map
"""
schema_file_paths = {
- 'transparent': os.path.join(mbedtls_root,
+ 'transparent': os.path.join(project_root,
'scripts',
'data_files',
'driver_jsons',
'driver_transparent_schema.json'),
- 'opaque': os.path.join(mbedtls_root,
+ 'opaque': os.path.join(project_root,
'scripts',
'data_files',
'driver_jsons',
@@ -143,13 +133,13 @@ def load_schemas(mbedtls_root: str) -> Dict[str, Any]:
return driver_schema
-def read_driver_descriptions(mbedtls_root: str,
+def read_driver_descriptions(project_root: str,
json_directory: str,
jsondriver_list: str) -> list:
"""
Merge driver JSON files into a single ordered JSON after validation.
"""
- driver_schema = load_schemas(mbedtls_root)
+ driver_schema = load_schemas(project_root)
with open(file=os.path.join(json_directory, jsondriver_list),
mode='r',
@@ -175,11 +165,11 @@ def main() -> int:
"""
Main with command line arguments.
"""
- def_arg_mbedtls_root = build_tree.guess_mbedtls_root()
+ def_arg_project_root = build_tree.guess_project_root()
parser = argparse.ArgumentParser()
- parser.add_argument('--mbedtls-root', default=def_arg_mbedtls_root,
- help='root directory of mbedtls source code')
+ parser.add_argument('--project-root', default=def_arg_project_root,
+ help='root directory of repo source code')
parser.add_argument('--template-dir',
help='directory holding the driver templates')
parser.add_argument('--json-dir',
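Review bot: Renaming the option to `--project-root` drops `--mbedtls-root` with no alias, so any build script or CI job still passing the old flag will stop with an argparse error. If backward compatibility matters, argparse accepts both spellings on one argument: `parser.add_argument('--project-root', '--mbedtls-root', default=def_arg_project_root,`, which keeps `args.project_root` as the destination. The help text `root directory of repo source code` could also say which trees are accepted. `main()` continues outside this hunk.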
@@ -188,24 +178,27 @@ def main() -> int:
help='output file\'s location')
args = parser.parse_args()
- mbedtls_root = os.path.abspath(args.mbedtls_root)
+ project_root = os.path.abspath(args.project_root)
+
+ crypto_core_directory = build_tree.crypto_core_directory(project_root)
output_directory = args.output_directory if args.output_directory is not None else \
- os.path.join(mbedtls_root, 'library')
+ crypto_core_directory
+
template_directory = args.template_dir if args.template_dir is not None else \
- os.path.join(mbedtls_root,
+ os.path.join(project_root,
'scripts',
'data_files',
'driver_templates')
json_directory = args.json_dir if args.json_dir is not None else \
- os.path.join(mbedtls_root,
+ os.path.join(project_root,
'scripts',
'data_files',
'driver_jsons')
try:
# Read and validate list of driver jsons from driverlist.json
- merged_driver_json = read_driver_descriptions(mbedtls_root,
+ merged_driver_json = read_driver_descriptions(project_root,
json_directory,
'driverlist.json')
except DriverReaderException as e:
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 664a349..df546d7 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -3,42 +3,32 @@
# Generate error.c
#
# Usage: ./generate_errors.pl or scripts/generate_errors.pl without arguments,
-# or generate_errors.pl include_dir data_dir error_file
+# or generate_errors.pl crypto_include_dir tls_include_dir data_dir error_file
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
use warnings;
-my ($include_dir, $data_dir, $error_file);
+my ($crypto_include_dir, $tls_include_dir, $data_dir, $error_file);
if( @ARGV ) {
- die "Invalid number of arguments" if scalar @ARGV != 3;
- ($include_dir, $data_dir, $error_file) = @ARGV;
+ die "Invalid number of arguments" if scalar @ARGV != 4;
+ ($crypto_include_dir, $tls_include_dir, $data_dir, $error_file) = @ARGV;
- -d $include_dir or die "No such directory: $include_dir\n";
+ -d $crypto_include_dir or die "No such directory: $crypto_include_dir\n";
+ -d $tls_include_dir or die "No such directory: $tls_include_dir\n";
-d $data_dir or die "No such directory: $data_dir\n";
} else {
- $include_dir = 'include/mbedtls';
+ $crypto_include_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
+ $tls_include_dir = 'include/mbedtls';
$data_dir = 'scripts/data_files';
- $error_file = 'library/error.c';
+ $error_file = 'tf-psa-crypto/drivers/builtin/src/error.c';
- unless( -d $include_dir && -d $data_dir ) {
+ unless( -d $crypto_include_dir && -d $tls_include_dir && -d $data_dir ) {
chdir '..' or die;
- -d $include_dir && -d $data_dir
+ -d $crypto_include_dir && -d $tls_include_dir && -d $data_dir
or die "Without arguments, must be run from root or scripts\n"
}
}
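Review bot: The argument count changes from 3 to 4 here, but `die "Invalid number of arguments"` still gives no usage hint, so a caller using the old three-argument form gets an error that does not say what is expected. Suggest `die "Usage: $0 [crypto_include_dir tls_include_dir data_dir error_file]\n" if scalar @ARGV != 4;`. The trailing newline also stops Perl appending the script line number, matching the `No such directory` messages below it.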
@@ -48,7 +38,7 @@ my $error_format_file = $data_dir.'/error.fmt';
my @low_level_modules = qw( AES ARIA ASN1 BASE64 BIGNUM
CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
ENTROPY ERROR GCM HKDF HMAC_DRBG LMS MD5
- NET OID PADLOCK PBKDF2 PLATFORM POLY1305 RIPEMD160
+ NET OID PBKDF2 PLATFORM POLY1305 RIPEMD160
SHA1 SHA256 SHA512 SHA3 THREADING );
my @high_level_modules = qw( CIPHER DHM ECP MD
PEM PK PKCS12 PKCS5
@@ -60,7 +50,8 @@ open(FORMAT_FILE, '<:crlf', "$error_format_file") or die "Opening error format f
my $error_format = <FORMAT_FILE>;
close(FORMAT_FILE);
-my @files = glob qq("$include_dir/*.h");
+my @files = glob qq("$crypto_include_dir/*.h");
+push(@files, glob qq("$tls_include_dir/*.h"));
my @necessary_include_files;
my @matches;
foreach my $file (@files) {
diff --git a/scripts/generate_features.pl b/scripts/generate_features.pl
index 49cca2e..6972682 100755
--- a/scripts/generate_features.pl
+++ b/scripts/generate_features.pl
@@ -1,19 +1,7 @@
#!/usr/bin/env perl
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
@@ -28,7 +16,7 @@ if( @ARGV ) {
} else {
$include_dir = 'include/mbedtls';
$data_dir = 'scripts/data_files';
- $feature_file = 'library/version_features.c';
+ $feature_file = 'tf-psa-crypto/drivers/builtin/src/version_features.c';
unless( -d $include_dir && -d $data_dir ) {
chdir '..' or die;
diff --git a/scripts/generate_psa_constants.py b/scripts/generate_psa_constants.py
index 960a079..d472c6d 100755
--- a/scripts/generate_psa_constants.py
+++ b/scripts/generate_psa_constants.py
@@ -12,25 +12,14 @@ file is written:
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import os
import sys
-from mbedtls_dev import build_tree
-from mbedtls_dev import macro_collector
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import build_tree
+from mbedtls_framework import macro_collector
OUTPUT_TEMPLATE = '''\
/* Automatically generated by generate_psa_constant.py. DO NOT EDIT. */
@@ -339,6 +328,7 @@ if __name__ == '__main__':
build_tree.chdir_to_root()
# Allow to change the directory where psa_constant_names_generated.c is written to.
OUTPUT_FILE_DIR = sys.argv[1] if len(sys.argv) == 2 else "programs/psa"
- generate_psa_constants(['include/psa/crypto_values.h',
- 'include/psa/crypto_extra.h'],
+
+ generate_psa_constants(['tf-psa-crypto/include/psa/crypto_values.h',
+ 'tf-psa-crypto/include/psa/crypto_extra.h'],
OUTPUT_FILE_DIR + '/psa_constant_names_generated.c')
diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl
index 69eca83..6a2f9cb 100755
--- a/scripts/generate_query_config.pl
+++ b/scripts/generate_query_config.pl
@@ -19,26 +19,14 @@
# generate_query_config.pl mbedtls_config_file psa_crypto_config_file template_file output_file
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
my ($mbedtls_config_file, $psa_crypto_config_file, $query_config_format_file, $query_config_file);
my $default_mbedtls_config_file = "./include/mbedtls/mbedtls_config.h";
-my $default_psa_crypto_config_file = "./include/psa/crypto_config.h";
+my $default_psa_crypto_config_file = "./tf-psa-crypto/include/psa/crypto_config.h";
my $default_query_config_format_file = "./scripts/data_files/query_config.fmt";
my $default_query_config_file = "./programs/test/query_config.c";
diff --git a/scripts/generate_ssl_debug_helpers.py b/scripts/generate_ssl_debug_helpers.py
index 19be415..600d160 100755
--- a/scripts/generate_ssl_debug_helpers.py
+++ b/scripts/generate_ssl_debug_helpers.py
@@ -8,25 +8,15 @@ implemented by fixed codes.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import sys
import re
import os
import textwrap
import argparse
-from mbedtls_dev import build_tree
+
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import build_tree
def remove_c_comments(string):
@@ -340,7 +330,7 @@ class NamedGroupDefinition:
{translation_table}
}};
- return "UNKOWN";
+ return "UNKNOWN";
}}''')
body = body.format(translation_table='\n'.join(translation_table))
return body
@@ -356,19 +346,8 @@ OUTPUT_C_TEMPLATE = '''\
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
*/
#include "common.h"
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 4fad322..d48b2b2 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -1,54 +1,45 @@
#!/usr/bin/env perl
# Generate main file, individual apps and solution files for
-# MS Visual Studio 2013
+# MS Visual Studio 2017
#
# Must be run from Mbed TLS root or scripts directory.
# Takes no argument.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use warnings;
use strict;
use Digest::MD5 'md5_hex';
-my $vsx_dir = "visualc/VS2013";
+my $vsx_dir = "visualc/VS2017";
my $vsx_ext = "vcxproj";
-my $vsx_app_tpl_file = "scripts/data_files/vs2013-app-template.$vsx_ext";
-my $vsx_main_tpl_file = "scripts/data_files/vs2013-main-template.$vsx_ext";
+my $vsx_app_tpl_file = "scripts/data_files/vs2017-app-template.$vsx_ext";
+my $vsx_main_tpl_file = "scripts/data_files/vs2017-main-template.$vsx_ext";
my $vsx_main_file = "$vsx_dir/mbedTLS.$vsx_ext";
-my $vsx_sln_tpl_file = "scripts/data_files/vs2013-sln-template.sln";
+my $vsx_sln_tpl_file = "scripts/data_files/vs2017-sln-template.sln";
my $vsx_sln_file = "$vsx_dir/mbedTLS.sln";
my $programs_dir = 'programs';
my $mbedtls_header_dir = 'include/mbedtls';
-my $psa_header_dir = 'include/psa';
-my $source_dir = 'library';
+my $drivers_builtin_header_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
+my $psa_header_dir = 'tf-psa-crypto/include/psa';
+my $tls_source_dir = 'library';
+my $crypto_core_source_dir = 'tf-psa-crypto/core';
+my $crypto_source_dir = 'tf-psa-crypto/drivers/builtin/src';
my $test_source_dir = 'tests/src';
my $test_header_dir = 'tests/include/test';
my $test_drivers_header_dir = 'tests/include/test/drivers';
my $test_drivers_source_dir = 'tests/src/drivers';
my @thirdparty_header_dirs = qw(
- 3rdparty/everest/include/everest
+ tf-psa-crypto/drivers/everest/include/everest
);
my @thirdparty_source_dirs = qw(
- 3rdparty/everest/library
- 3rdparty/everest/library/kremlib
- 3rdparty/everest/library/legacy
+ tf-psa-crypto/drivers/everest/library
+ tf-psa-crypto/drivers/everest/library/kremlib
+ tf-psa-crypto/drivers/everest/library/legacy
);
# Directories to add to the include path.
@@ -56,25 +47,29 @@ my @thirdparty_source_dirs = qw(
# one directory: the compiler will use the first match.
my @include_directories = qw(
include
- 3rdparty/everest/include/
- 3rdparty/everest/include/everest
- 3rdparty/everest/include/everest/vs2013
- 3rdparty/everest/include/everest/kremlib
+ tf-psa-crypto/include
+ tf-psa-crypto/drivers/builtin/include
+ tf-psa-crypto/drivers/everest/include/
+ tf-psa-crypto/drivers/everest/include/everest
+ tf-psa-crypto/drivers/everest/include/everest/vs2013
+ tf-psa-crypto/drivers/everest/include/everest/kremlib
tests/include
);
my $include_directories = join(';', map {"../../$_"} @include_directories);
-# Directories to add to the include path when building the library, but not
+# Directories to add to the include path when building the libraries, but not
# when building tests or applications.
my @library_include_directories = qw(
library
+ tf-psa-crypto/core
+ tf-psa-crypto/drivers/builtin/src
);
my $library_include_directories =
join(';', map {"../../$_"} (@library_include_directories,
@include_directories));
my @excluded_files = qw(
- 3rdparty/everest/library/Hacl_Curve25519.c
+ tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c
);
my %excluded_files = ();
foreach (@excluded_files) { $excluded_files{$_} = 1 }
@@ -113,8 +108,11 @@ sub check_dirs {
}
return -d $vsx_dir
&& -d $mbedtls_header_dir
+ && -d $drivers_builtin_header_dir
&& -d $psa_header_dir
- && -d $source_dir
+ && -d $tls_source_dir
+ && -d $crypto_core_source_dir
+ && -d $crypto_source_dir
&& -d $test_source_dir
&& -d $test_drivers_source_dir
&& -d $test_header_dir
@@ -156,6 +154,7 @@ sub gen_app {
my $guid = gen_app_guid( $path );
$path =~ s!/!\\!g;
(my $appname = $path) =~ s/.*\\//;
+ my $is_test_app = ($path =~ m/^test\\/);
my $srcs = "<ClCompile Include=\"..\\..\\programs\\$path.c\" \/>";
if( $appname eq "ssl_client2" or $appname eq "ssl_server2" or
@@ -170,7 +169,9 @@ sub gen_app {
$content =~ s/<SOURCES>/$srcs/g;
$content =~ s/<APPNAME>/$appname/g;
$content =~ s/<GUID>/$guid/g;
- $content =~ s/INCLUDE_DIRECTORIES\n/$include_directories/g;
+ $content =~ s/INCLUDE_DIRECTORIES\n/($is_test_app ?
+ $library_include_directories :
+ $include_directories)/ge;
content_to_file( $content, "$dir/$appname.$ext" );
}
@@ -266,15 +267,20 @@ sub main {
my @app_list = get_app_list();
my @header_dirs = (
$mbedtls_header_dir,
+ $drivers_builtin_header_dir,
$psa_header_dir,
$test_header_dir,
$test_drivers_header_dir,
- $source_dir,
+ $tls_source_dir,
+ $crypto_core_source_dir,
+ $crypto_source_dir,
@thirdparty_header_dirs,
);
my @headers = (map { <$_/*.h> } @header_dirs);
my @source_dirs = (
- $source_dir,
+ $tls_source_dir,
+ $crypto_core_source_dir,
+ $crypto_source_dir,
$test_source_dir,
$test_drivers_source_dir,
@thirdparty_source_dirs,
diff --git a/scripts/lcov.sh b/scripts/lcov.sh
index 6bba02f..9a0c582 100755
--- a/scripts/lcov.sh
+++ b/scripts/lcov.sh
@@ -26,42 +26,41 @@ EOF
}
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
+# Repository detection
+in_mbedtls_build_dir () {
+ test -d library
+}
+
# Collect stats and build a HTML report.
lcov_library_report () {
rm -rf Coverage
mkdir Coverage Coverage/tmp
- lcov --capture --initial --directory library -o Coverage/tmp/files.info
- lcov --rc lcov_branch_coverage=1 --capture --directory library -o Coverage/tmp/tests.info
- lcov --rc lcov_branch_coverage=1 --add-tracefile Coverage/tmp/files.info --add-tracefile Coverage/tmp/tests.info -o Coverage/tmp/all.info
- lcov --rc lcov_branch_coverage=1 --remove Coverage/tmp/all.info -o Coverage/tmp/final.info '*.h'
- gendesc tests/Descriptions.txt -o Coverage/tmp/descriptions
- genhtml --title "Mbed TLS" --description-file Coverage/tmp/descriptions --keep-descriptions --legend --branch-coverage -o Coverage Coverage/tmp/final.info
- rm -f Coverage/tmp/*.info Coverage/tmp/descriptions
+ # Pass absolute paths as lcov output files. This works around a bug
+ # whereby lcov tries to create the output file in the root directory
+ # if it has emitted a warning. A fix was released in lcov 1.13 in 2016.
+ # Ubuntu 16.04 is affected, 18.04 and above are not.
+ # https://github.com/linux-test-project/lcov/commit/632c25a0d1f5e4d2f4fd5b28ce7c8b86d388c91f
+ COVTMP=$PWD/Coverage/tmp
+ lcov --capture --initial --directory $library_dir -o "$COVTMP/files.info"
+ lcov --rc lcov_branch_coverage=1 --capture --directory $library_dir -o "$COVTMP/tests.info"
+ lcov --rc lcov_branch_coverage=1 --add-tracefile "$COVTMP/files.info" --add-tracefile "$COVTMP/tests.info" -o "$COVTMP/all.info"
+ lcov --rc lcov_branch_coverage=1 --remove "$COVTMP/all.info" -o "$COVTMP/final.info" '*.h'
+ gendesc tests/Descriptions.txt -o "$COVTMP/descriptions"
+ genhtml --title "$title" --description-file "$COVTMP/descriptions" --keep-descriptions --legend --branch-coverage -o Coverage "$COVTMP/final.info"
+ rm -f "$COVTMP/"*.info "$COVTMP/descriptions"
echo "Coverage report in: Coverage/index.html"
}
# Reset the traces to 0.
lcov_reset_traces () {
# Location with plain make
- rm -f library/*.gcda
+ rm -f $library_dir/*.gcda
# Location with CMake
- rm -f library/CMakeFiles/*.dir/*.gcda
+ rm -f $library_dir/CMakeFiles/*.dir/*.gcda
}
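Review bot: The new lines quote `"$COVTMP/..."` but leave `$library_dir` unquoted in both `lcov --directory $library_dir` calls and in the two `rm -f $library_dir/...` lines of `lcov_reset_traces`. The values assigned later in the script are fixed words, so this is a consistency point rather than a live bug, but quoting keeps the `rm -f` globs safe if the variable ever comes from the environment or an option. Suggested form: `rm -f "$library_dir"/*.gcda` and `lcov --capture --initial --directory "$library_dir" -o "$COVTMP/files.info"`. `COVTMP=$PWD/Coverage/tmp` is safe as an assignment, though quoting it would match the rest.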
if [ $# -gt 0 ] && [ "$1" = "--help" ]; then
@@ -69,6 +68,14 @@ if [ $# -gt 0 ] && [ "$1" = "--help" ]; then
exit
fi
+if in_mbedtls_build_dir; then
+ library_dir='library'
+ title='Mbed TLS'
+else
+ library_dir='core'
+ title='TF-PSA-Crypto'
+fi
+
main=lcov_library_report
while getopts r OPTLET; do
case $OPTLET in
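Review bot: The `else` branch treats every directory without a `library` subdirectory as a TF-PSA-Crypto tree, without checking that `core` exists. Run from the wrong place, the script still reaches `lcov_library_report`, which does `rm -rf Coverage` in the current directory before lcov fails. Making the second case explicit avoids that: change `else` to `elif [ -d core ]; then` and add a final `else` branch with `echo "$0: must be run from the Mbed TLS or TF-PSA-Crypto root" >&2; exit 1`. The `while getopts` loop continues outside this hunk.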
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index abcfc39..b03bce2 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -10,6 +10,9 @@ perl scripts\generate_features.pl || exit /b 1
python scripts\generate_ssl_debug_helpers.py || exit /b 1
perl scripts\generate_visualc_files.pl || exit /b 1
python scripts\generate_psa_constants.py || exit /b 1
-python tests\scripts\generate_bignum_tests.py || exit /b 1
-python tests\scripts\generate_ecp_tests.py || exit /b 1
-python tests\scripts\generate_psa_tests.py || exit /b 1
+python framework\scripts\generate_bignum_tests.py || exit /b 1
+python framework\scripts\generate_config_tests.py || exit /b 1
+python framework\scripts\generate_ecp_tests.py || exit /b 1
+python framework\scripts\generate_psa_tests.py || exit /b 1
+python framework\scripts\generate_test_keys.py --output tests\src\test_keys.h || exit /b 1
+python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1
diff --git a/scripts/massif_max.pl b/scripts/massif_max.pl
index eaf56ae..52ca606 100755
--- a/scripts/massif_max.pl
+++ b/scripts/massif_max.pl
@@ -3,19 +3,7 @@
# Parse a massif.out.xxx file and output peak total memory usage
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use warnings;
use strict;
diff --git a/scripts/mbedtls_dev/__init__.py b/scripts/mbedtls_dev/__init__.py
deleted file mode 100644
index 15b0d60..0000000
--- a/scripts/mbedtls_dev/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-# This file needs to exist to make mbedtls_dev a package.
-# Among other things, this allows modules in this directory to make
-# relative imports.
diff --git a/scripts/mbedtls_dev/asymmetric_key_data.py b/scripts/mbedtls_dev/asymmetric_key_data.py
deleted file mode 100644
index 6fd6223..0000000
--- a/scripts/mbedtls_dev/asymmetric_key_data.py
+++ /dev/null
@@ -1,166 +0,0 @@
-"""Sample key material for asymmetric key types.
-
-Meant for use in crypto_knowledge.py.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import binascii
-import re
-from typing import Dict
-
-STR_TRANS_REMOVE_BLANKS = str.maketrans('', '', ' \t\n\r')
-
-def unhexlify(text: str) -> bytes:
- return binascii.unhexlify(text.translate(STR_TRANS_REMOVE_BLANKS))
-
-def construct_asymmetric_key_data(src) -> Dict[str, Dict[int, bytes]]:
- """Split key pairs into separate table entries and convert hex to bytes.
-
- Input format: src[abbreviated_type][size] = (private_key_hex, public_key_hex)
- Output format: dst['PSA_KEY_TYPE_xxx'][size] = key_bytes
- """
- dst = {} #type: Dict[str, Dict[int, bytes]]
- for typ in src:
- private = 'PSA_KEY_TYPE_' + re.sub(r'(\(|\Z)', r'_KEY_PAIR\1', typ, 1)
- public = 'PSA_KEY_TYPE_' + re.sub(r'(\(|\Z)', r'_PUBLIC_KEY\1', typ, 1)
- dst[private] = {}
- dst[public] = {}
- for size in src[typ]:
- dst[private][size] = unhexlify(src[typ][size][0])
- dst[public][size] = unhexlify(src[typ][size][1])
- return dst
-
-## These are valid keys that don't try to exercise any edge cases. They're
-## either test vectors from some specification, or randomly generated. All
-## pairs consist of a private key and its public key.
-#pylint: disable=line-too-long
-ASYMMETRIC_KEY_DATA = construct_asymmetric_key_data({
- 'ECC(PSA_ECC_FAMILY_SECP_K1)': {
- 192: ("297ac1722ccac7589ecb240dc719842538ca974beb79f228",
- "0426b7bb38da649ac2138fc050c6548b32553dab68afebc36105d325b75538c12323cb0764789ecb992671beb2b6bef2f5"),
- 224: ("0024122bf020fa113f6c0ac978dfbd41f749257a9468febdbe0dc9f7e8",
- "042cc7335f4b76042bed44ef45959a62aa215f7a5ff0c8111b8c44ed654ee71c1918326ad485b2d599fe2a6eab096ee26d977334d2bac6d61d"),
- 256: ("7fa06fa02d0e911b9a47fdc17d2d962ca01e2f31d60c6212d0ed7e3bba23a7b9",
- "045c39154579efd667adc73a81015a797d2c8682cdfbd3c3553c4a185d481cdc50e42a0e1cbc3ca29a32a645e927f54beaed14c9dbbf8279d725f5495ca924b24d"),
- },
- 'ECC(PSA_ECC_FAMILY_SECP_R1)': {
- 225: ("872f203b3ad35b7f2ecc803c3a0e1e0b1ed61cc1afe71b189cd4c995",
- "046f00eadaa949fee3e9e1c7fa1247eecec86a0dce46418b9bd3117b981d4bd0ae7a990de912f9d060d6cb531a42d22e394ac29e81804bf160"),
- 256: ("49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee",
- "047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45"),
- 384: ("3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a",
- "04d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747"),
- 521: ("01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae",
- "04001de142d54f69eb038ee4b7af9d3ca07736fd9cf719eb354d69879ee7f3c136fb0fbf9f08f86be5fa128ec1a051d3e6c643e85ada8ffacf3663c260bd2c844b6f5600cee8e48a9e65d09cadd89f235dee05f3b8a646be715f1f67d5b434e0ff23a1fc07ef7740193e40eeff6f3bcdfd765aa9155033524fe4f205f5444e292c4c2f6ac1"),
- },
- 'ECC(PSA_ECC_FAMILY_SECP_R2)': {
- 160: ("00bf539a1cdda0d7f71a50a3f98aec0a2e8e4ced1e",
- "049570d541398665adb5cfa16f5af73b3196926bbd4b876bdb80f8eab20d0f540c22f4de9c140f6d7b"),
- },
- 'ECC(PSA_ECC_FAMILY_SECT_K1)': {
- 163: ("03ebc8fcded2d6ab72ec0f75bdb4fd080481273e71",
- "0406f88f90b4b65950f06ce433afdb097e320f433dc2062b8a65db8fafd3c110f46bc45663fbf021ee7eb9"),
- 233: ("41f08485ce587b06061c087e76e247c359de2ba9927ee013b2f1ed9ca8",
- "0401e9d7189189f773bd8f71be2c10774ba18842434dfa9312595ea545104400f45a9d5675647513ba75b079fe66a29daac2ec86a6a5d4e75c5f290c1f"),
- 239: ("1a8069ce2c2c8bdd7087f2a6ab49588797e6294e979495602ab9650b9c61",
- "04068d76b9f4508762c2379db9ee8b87ad8d86d9535132ffba3b5680440cfa28eb133d4232faf1c9aba96af11aefe634a551440800d5f8185105d3072d"),
- 283: ("006d627885dd48b9ec6facb5b3865377d755b75a5d51440e45211c1f600e15eff8a881a0",
- "0405f48374debceaadb46ba385fd92048fcc5b9af1a1c90408bf94a68b9378df1cbfdfb6fb026a96bea06d8f181bf10c020adbcc88b6ecff96bdc564a9649c247cede601c4be63afc3"),
- 409: ("3ff5e74d932fa77db139b7c948c81e4069c72c24845574064beea8976b70267f1c6f9a503e3892ea1dcbb71fcea423faa370a8",
- "04012c587f69f68b308ba6dcb238797f4e22290ca939ae806604e2b5ab4d9caef5a74a98fd87c4f88d292dd39d92e556e16c6ecc3c019a105826eef507cd9a04119f54d5d850b3720b3792d5d03410e9105610f7e4b420166ed45604a7a1f229d80975ba6be2060e8b"),
- 571: ("005008c97b4a161c0db1bac6452c72846d57337aa92d8ecb4a66eb01d2f29555ffb61a5317225dcc8ca6917d91789e227efc0bfe9eeda7ee21998cd11c3c9885056b0e55b4f75d51",
- "04050172a7fd7adf98e4e2ed2742faa5cd12731a15fb0dbbdf75b1c3cc771a4369af6f2fa00e802735650881735759ea9c79961ded18e0daa0ac59afb1d513b5bbda9962e435f454fc020b4afe1445c2302ada07d295ec2580f8849b2dfa7f956b09b4cbe4c88d3b1c217049f75d3900d36df0fa12689256b58dd2ef784ebbeb0564600cf47a841485f8cf897a68accd5a"),
- },
- 'ECC(PSA_ECC_FAMILY_SECT_R1)': {
- 163: ("009b05dc82d46d64a04a22e6e5ca70ca1231e68c50",
- "0400465eeb9e7258b11e33c02266bfe834b20bcb118700772796ee4704ec67651bd447e3011959a79a04cb"),
- 233: ("00e5e42834e3c78758088b905deea975f28dc20ef6173e481f96e88afe7f",
- "0400cd68c8af4430c92ec7a7048becfdf00a6bae8d1b4c37286f2d336f2a0e017eca3748f4ad6d435c85867aa014eea1bd6d9d005bbd8319cab629001d"),
- 283: ("004cecad915f6f3c9bbbd92d1eb101eda23f16c7dad60a57c87c7e1fd2b29b22f6d666ad",
- "04052f9ff887254c2d1440ba9e30f13e2185ba53c373b2c410dae21cf8c167f796c08134f601cbc4c570bffbc2433082cf4d9eb5ba173ecb8caec15d66a02673f60807b2daa729b765"),
- 409: ("00c22422d265721a3ae2b3b2baeb77bee50416e19877af97b5fc1c700a0a88916ecb9050135883accb5e64edc77a3703f4f67a64",
- "0401aa25466b1d291846db365957b25431591e50d9c109fe2106e93bb369775896925b15a7bfec397406ab4fe6f6b1a13bf8fdcb9300fa5500a813228676b0a6c572ed96b0f4aec7e87832e7e20f17ca98ecdfd36f59c82bddb8665f1f357a73900e827885ec9e1f22"),
- 571: ("026ac1cdf92a13a1b8d282da9725847908745138f5c6706b52d164e3675fcfbf86fc3e6ab2de732193267db029dd35a0599a94a118f480231cfc6ccca2ebfc1d8f54176e0f5656a1",
- "040708f3403ee9948114855c17572152a08f8054d486defef5f29cbffcfb7cfd9280746a1ac5f751a6ad902ec1e0525120e9be56f03437af196fbe60ee7856e3542ab2cf87880632d80290e39b1a2bd03c6bbf6225511c567bd2ff41d2325dc58346f2b60b1feee4dc8b2af2296c2dc52b153e0556b5d24152b07f690c3fa24e4d1d19efbdeb1037833a733654d2366c74"),
- },
- 'ECC(PSA_ECC_FAMILY_SECT_R2)': {
- 163: ("0210b482a458b4822d0cb21daa96819a67c8062d34",
- "0403692601144c32a6cfa369ae20ae5d43c1c764678c037bafe80c6fd2e42b7ced96171d9c5367fd3dca6f"),
- },
- 'ECC(PSA_ECC_FAMILY_BRAINPOOL_P_R1)': {
- 160: ("69502c4fdaf48d4fa617bdd24498b0406d0eeaac",
- "04d4b9186816358e2f9c59cf70748cb70641b22fbab65473db4b4e22a361ed7e3de7e8a8ddc4130c5c"),
- 192: ("1688a2c5fbf4a3c851d76a98c3ec88f445a97996283db59f",
- "043fdd168c179ff5363dd71dcd58de9617caad791ae0c37328be9ca0bfc79cebabf6a95d1c52df5b5f3c8b1a2441cf6c88"),
- 224: ("a69835dafeb5da5ab89c59860dddebcfd80b529a99f59b880882923c",
- "045fbea378fc8583b3837e3f21a457c31eaf20a54e18eb11d104b3adc47f9d1c97eb9ea4ac21740d70d88514b98bf0bc31addac1d19c4ab3cc"),
- 256: ("2161d6f2db76526fa62c16f356a80f01f32f776784b36aa99799a8b7662080ff",
- "04768c8cae4abca6306db0ed81b0c4a6215c378066ec6d616c146e13f1c7df809b96ab6911c27d8a02339f0926840e55236d3d1efbe2669d090e4c4c660fada91d"),
- 320: ("61b8daa7a6e5aa9fccf1ef504220b2e5a5b8c6dc7475d16d3172d7db0b2778414e4f6e8fa2032ead",
- "049caed8fb4742956cc2ad12a9a1c995e21759ef26a07bc2054136d3d2f28bb331a70e26c4c687275ab1f434be7871e115d2350c0c5f61d4d06d2bcdb67f5cb63fdb794e5947c87dc6849a58694e37e6cd"),
- 384: ("3dd92e750d90d7d39fc1885cd8ad12ea9441f22b9334b4d965202adb1448ce24c5808a85dd9afc229af0a3124f755bcb",
- "04719f9d093a627e0d350385c661cebf00c61923566fe9006a3107af1d871bc6bb68985fd722ea32be316f8e783b7cd1957785f66cfc0cb195dd5c99a8e7abaa848553a584dfd2b48e76d445fe00dd8be59096d877d4696d23b4bc8db14724e66a"),
- 512: ("372c9778f69f726cbca3f4a268f16b4d617d10280d79a6a029cd51879fe1012934dfe5395455337df6906dc7d6d2eea4dbb2065c0228f73b3ed716480e7d71d2",
- "0438b7ec92b61c5c6c7fbc28a4ec759d48fcd4e2e374defd5c4968a54dbef7510e517886fbfc38ea39aa529359d70a7156c35d3cbac7ce776bdb251dd64bce71234424ee7049eed072f0dbc4d79996e175d557e263763ae97095c081e73e7db2e38adc3d4c9a0487b1ede876dc1fca61c902e9a1d8722b8612928f18a24845591a"),
- },
- 'ECC(PSA_ECC_FAMILY_MONTGOMERY)': {
- 255: ("70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a",
- "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"),
- 448: ("e4e49f52686f9ee3b638528f721f1596196ffd0a1cddb64c3f216f06541805cfeb1a286dc78018095cdfec050e8007b5f4908962ba20d6c1",
- "c0d3a5a2b416a573dc9909f92f134ac01323ab8f8e36804e578588ba2d09fe7c3e737f771ca112825b548a0ffded6d6a2fd09a3e77dec30e"),
- },
- 'ECC(PSA_ECC_FAMILY_TWISTED_EDWARDS)': {
- 255: ("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
- "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"),
- 448: ("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b",
- "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180"),
- },
- 'RSA': {
- 1024: ("""
-3082025e
- 020100
- 02818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3
- 0203010001
- 02818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1
- 024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113
- 024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091
- 024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d
- 024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1
- 024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24
-""", """
- 308189
- 02818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3
- 0203010001
-"""),
- 1536: ("""
-3082037b
- 020100
- 0281c100c870feb6ca6b1d2bd9f2dd99e20f1fe2d7e5192de662229dbe162bd1ba66336a7182903ca0b72796cd441c83d24bcdc3e9a2f5e4399c8a043f1c3ddf04754a66d4cfe7b3671a37dd31a9b4c13bfe06ee90f9d94ddaa06de67a52ac863e68f756736ceb014405a6160579640f831dddccc34ad0b05070e3f9954a58d1815813e1b83bcadba814789c87f1ef2ba5d738b793ec456a67360eea1b5faf1c7cc7bf24f3b2a9d0f8958b1096e0f0c335f8888d0c63a51c3c0337214fa3f5efdf6dcc35
- 0203010001
- 0281c06d2d670047973a87752a9d5bc14f3dae00acb01f593aa0e24cf4a49f932931de4bbfb332e2d38083da80bc0b6d538edba479f7f77d0deffb4a28e6e67ff6273585bb4cd862535c946605ab0809d65f0e38f76e4ec2c3d9b8cd6e14bcf667943892cd4b34cc6420a439abbf3d7d35ef73976dd6f9cbde35a51fa5213f0107f83e3425835d16d3c9146fc9e36ce75a09bb66cdff21dd5a776899f1cb07e282cca27be46510e9c799f0d8db275a6be085d9f3f803218ee3384265bfb1a3640e8ca1
- 026100e6848c31d466fffefc547e3a3b0d3785de6f78b0dd12610843512e495611a0675509b1650b27415009838dd8e68eec6e7530553b637d602424643b33e8bc5b762e1799bc79d56b13251d36d4f201da2182416ce13574e88278ff04467ad602d9
- 026100de994fdf181f02be2bf9e5f5e4e517a94993b827d1eaf609033e3a6a6f2396ae7c44e9eb594cf1044cb3ad32ea258f0c82963b27bb650ed200cde82cb993374be34be5b1c7ead5446a2b82a4486e8c1810a0b01551609fb0841d474bada802bd
- 026076ddae751b73a959d0bfb8ff49e7fcd378e9be30652ecefe35c82cb8003bc29cc60ae3809909baf20c95db9516fe680865417111d8b193dbcf30281f1249de57c858bf1ba32f5bb1599800e8398a9ef25c7a642c95261da6f9c17670e97265b1
- 0260732482b837d5f2a9443e23c1aa0106d83e82f6c3424673b5fdc3769c0f992d1c5c93991c7038e882fcda04414df4d7a5f4f698ead87851ce37344b60b72d7b70f9c60cae8566e7a257f8e1bef0e89df6e4c2f9d24d21d9f8889e4c7eccf91751
- 026009050d94493da8f00a4ddbe9c800afe3d44b43f78a48941a79b2814a1f0b81a18a8b2347642a03b27998f5a18de9abc9ae0e54ab8294feac66dc87e854cce6f7278ac2710cb5878b592ffeb1f4f0a1853e4e8d1d0561b6efcc831a296cf7eeaf
-""", """
-3081c9
- 0281c100c870feb6ca6b1d2bd9f2dd99e20f1fe2d7e5192de662229dbe162bd1ba66336a7182903ca0b72796cd441c83d24bcdc3e9a2f5e4399c8a043f1c3ddf04754a66d4cfe7b3671a37dd31a9b4c13bfe06ee90f9d94ddaa06de67a52ac863e68f756736ceb014405a6160579640f831dddccc34ad0b05070e3f9954a58d1815813e1b83bcadba814789c87f1ef2ba5d738b793ec456a67360eea1b5faf1c7cc7bf24f3b2a9d0f8958b1096e0f0c335f8888d0c63a51c3c0337214fa3f5efdf6dcc35
- 0203010001
-"""),
- },
-})
diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
deleted file mode 100644
index 3bef16d..0000000
--- a/scripts/mbedtls_dev/bignum_common.py
+++ /dev/null
@@ -1,417 +0,0 @@
-"""Common features for bignum in test generation framework."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from abc import abstractmethod
-import enum
-from typing import Iterator, List, Tuple, TypeVar, Any
-from copy import deepcopy
-from itertools import chain
-from math import ceil
-
-from . import test_case
-from . import test_data_generation
-from .bignum_data import INPUTS_DEFAULT, MODULI_DEFAULT
-
-T = TypeVar('T') #pylint: disable=invalid-name
-
-def invmod(a: int, n: int) -> int:
- """Return inverse of a to modulo n.
-
- Equivalent to pow(a, -1, n) in Python 3.8+. Implementation is equivalent
- to long_invmod() in CPython.
- """
- b, c = 1, 0
- while n:
- q, r = divmod(a, n)
- a, b, c, n = n, c, b - q*c, r
- # at this point a is the gcd of the original inputs
- if a == 1:
- return b
- raise ValueError("Not invertible")
-
-def invmod_positive(a: int, n: int) -> int:
- """Return a non-negative inverse of a to modulo n."""
- inv = invmod(a, n)
- return inv if inv >= 0 else inv + n
-
-def hex_to_int(val: str) -> int:
- """Implement the syntax accepted by mbedtls_test_read_mpi().
-
- This is a superset of what is accepted by mbedtls_test_read_mpi_core().
- """
- if val in ['', '-']:
- return 0
- return int(val, 16)
-
-def quote_str(val: str) -> str:
- return "\"{}\"".format(val)
-
-def bound_mpi(val: int, bits_in_limb: int) -> int:
- """First number exceeding number of limbs needed for given input value."""
- return bound_mpi_limbs(limbs_mpi(val, bits_in_limb), bits_in_limb)
-
-def bound_mpi_limbs(limbs: int, bits_in_limb: int) -> int:
- """First number exceeding maximum of given number of limbs."""
- bits = bits_in_limb * limbs
- return 1 << bits
-
-def limbs_mpi(val: int, bits_in_limb: int) -> int:
- """Return the number of limbs required to store value."""
- bit_length = max(val.bit_length(), 1)
- return (bit_length + bits_in_limb - 1) // bits_in_limb
-
-def combination_pairs(values: List[T]) -> List[Tuple[T, T]]:
- """Return all pair combinations from input values."""
- return [(x, y) for x in values for y in values]
-
-def bits_to_limbs(bits: int, bits_in_limb: int) -> int:
- """ Return the appropriate ammount of limbs needed to store
- a number contained in input bits"""
- return ceil(bits / bits_in_limb)
-
-def hex_digits_for_limb(limbs: int, bits_in_limb: int) -> int:
- """ Return the hex digits need for a number of limbs. """
- return 2 * ((limbs * bits_in_limb) // 8)
-
-def hex_digits_max_int(val: str, bits_in_limb: int) -> int:
- """ Return the first number exceeding maximum the limb space
- required to store the input hex-string value. This method
- weights on the input str_len rather than numerical value
- and works with zero-padded inputs"""
- n = ((1 << (len(val) * 4)) - 1)
- l = limbs_mpi(n, bits_in_limb)
- return bound_mpi_limbs(l, bits_in_limb)
-
-def zfill_match(reference: str, target: str) -> str:
- """ Zero pad target hex-string to match the limb size of
- the reference input """
- lt = len(target)
- lr = len(reference)
- target_len = lr if lt < lr else lt
- return "{:x}".format(int(target, 16)).zfill(target_len)
-
-class OperationCommon(test_data_generation.BaseTest):
- """Common features for bignum binary operations.
-
- This adds functionality common in binary operation tests.
-
- Attributes:
- symbol: Symbol to use for the operation in case description.
- input_values: List of values to use as test case inputs. These are
- combined to produce pairs of values.
- input_cases: List of tuples containing pairs of test case inputs. This
- can be used to implement specific pairs of inputs.
- unique_combinations_only: Boolean to select if test case combinations
- must be unique. If True, only A,B or B,A would be included as a test
- case. If False, both A,B and B,A would be included.
- input_style: Controls the way how test data is passed to the functions
- in the generated test cases. "variable" passes them as they are
- defined in the python source. "arch_split" pads the values with
- zeroes depending on the architecture/limb size. If this is set,
- test cases are generated for all architectures.
- arity: the number of operands for the operation. Currently supported
- values are 1 and 2.
- """
- symbol = ""
- input_values = INPUTS_DEFAULT # type: List[str]
- input_cases = [] # type: List[Any]
- dependencies = [] # type: List[Any]
- unique_combinations_only = False
- input_styles = ["variable", "fixed", "arch_split"] # type: List[str]
- input_style = "variable" # type: str
- limb_sizes = [32, 64] # type: List[int]
- arities = [1, 2]
- arity = 2
- suffix = False # for arity = 1, symbol can be prefix (default) or suffix
-
- def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 32) -> None:
- self.val_a = val_a
- self.val_b = val_b
- # Setting the int versions here as opposed to making them @properties
- # provides earlier/more robust input validation.
- self.int_a = hex_to_int(val_a)
- self.int_b = hex_to_int(val_b)
- self.dependencies = deepcopy(self.dependencies)
- if bits_in_limb not in self.limb_sizes:
- raise ValueError("Invalid number of bits in limb!")
- if self.input_style == "arch_split":
- self.dependencies.append("MBEDTLS_HAVE_INT{:d}".format(bits_in_limb))
- self.bits_in_limb = bits_in_limb
-
- @property
- def boundary(self) -> int:
- if self.arity == 1:
- return self.int_a
- elif self.arity == 2:
- return max(self.int_a, self.int_b)
- raise ValueError("Unsupported number of operands!")
-
- @property
- def limb_boundary(self) -> int:
- return bound_mpi(self.boundary, self.bits_in_limb)
-
- @property
- def limbs(self) -> int:
- return limbs_mpi(self.boundary, self.bits_in_limb)
-
- @property
- def hex_digits(self) -> int:
- return hex_digits_for_limb(self.limbs, self.bits_in_limb)
-
- def format_arg(self, val: str) -> str:
- if self.input_style not in self.input_styles:
- raise ValueError("Unknown input style!")
- if self.input_style == "variable":
- return val
- else:
- return val.zfill(self.hex_digits)
-
- def format_result(self, res: int) -> str:
- res_str = '{:x}'.format(res)
- return quote_str(self.format_arg(res_str))
-
- @property
- def arg_a(self) -> str:
- return self.format_arg(self.val_a)
-
- @property
- def arg_b(self) -> str:
- if self.arity == 1:
- raise AttributeError("Operation is unary and doesn't have arg_b!")
- return self.format_arg(self.val_b)
-
- def arguments(self) -> List[str]:
- args = [quote_str(self.arg_a)]
- if self.arity == 2:
- args.append(quote_str(self.arg_b))
- return args + self.result()
-
- def description(self) -> str:
- """Generate a description for the test case.
-
- If not set, case_description uses the form A `symbol` B, where symbol
- is used to represent the operation. Descriptions of each value are
- generated to provide some context to the test case.
- """
- if not self.case_description:
- if self.arity == 1:
- format_string = "{1:x} {0}" if self.suffix else "{0} {1:x}"
- self.case_description = format_string.format(
- self.symbol, self.int_a
- )
- elif self.arity == 2:
- self.case_description = "{:x} {} {:x}".format(
- self.int_a, self.symbol, self.int_b
- )
- return super().description()
-
- @property
- def is_valid(self) -> bool:
- return True
-
- @abstractmethod
- def result(self) -> List[str]:
- """Get the result of the operation.
-
- This could be calculated during initialization and stored as `_result`
- and then returned, or calculated when the method is called.
- """
- raise NotImplementedError
-
- @classmethod
- def get_value_pairs(cls) -> Iterator[Tuple[str, str]]:
- """Generator to yield pairs of inputs.
-
- Combinations are first generated from all input values, and then
- specific cases provided.
- """
- if cls.arity == 1:
- yield from ((a, "0") for a in cls.input_values)
- elif cls.arity == 2:
- if cls.unique_combinations_only:
- yield from combination_pairs(cls.input_values)
- else:
- yield from (
- (a, b)
- for a in cls.input_values
- for b in cls.input_values
- )
- else:
- raise ValueError("Unsupported number of operands!")
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- if cls.input_style not in cls.input_styles:
- raise ValueError("Unknown input style!")
- if cls.arity not in cls.arities:
- raise ValueError("Unsupported number of operands!")
- if cls.input_style == "arch_split":
- test_objects = (cls(a, b, bits_in_limb=bil)
- for a, b in cls.get_value_pairs()
- for bil in cls.limb_sizes)
- special_cases = (cls(*args, bits_in_limb=bil) # type: ignore
- for args in cls.input_cases
- for bil in cls.limb_sizes)
- else:
- test_objects = (cls(a, b)
- for a, b in cls.get_value_pairs())
- special_cases = (cls(*args) for args in cls.input_cases)
- yield from (valid_test_object.create_test_case()
- for valid_test_object in filter(
- lambda test_object: test_object.is_valid,
- chain(test_objects, special_cases)
- )
- )
-
-
-class ModulusRepresentation(enum.Enum):
- """Representation selector of a modulus."""
- # Numerical values aligned with the type mbedtls_mpi_mod_rep_selector
- INVALID = 0
- MONTGOMERY = 2
- OPT_RED = 3
-
- def symbol(self) -> str:
- """The C symbol for this representation selector."""
- return 'MBEDTLS_MPI_MOD_REP_' + self.name
-
- @classmethod
- def supported_representations(cls) -> List['ModulusRepresentation']:
- """Return all representations that are supported in positive test cases."""
- return [cls.MONTGOMERY, cls.OPT_RED]
-
-
-class ModOperationCommon(OperationCommon):
- #pylint: disable=abstract-method
- """Target for bignum mod_raw test case generation."""
- moduli = MODULI_DEFAULT # type: List[str]
- montgomery_form_a = False
- disallow_zero_a = False
-
- def __init__(self, val_n: str, val_a: str, val_b: str = "0",
- bits_in_limb: int = 64) -> None:
- super().__init__(val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
- self.val_n = val_n
- # Setting the int versions here as opposed to making them @properties
- # provides earlier/more robust input validation.
- self.int_n = hex_to_int(val_n)
-
- def to_montgomery(self, val: int) -> int:
- return (val * self.r) % self.int_n
-
- def from_montgomery(self, val: int) -> int:
- return (val * self.r_inv) % self.int_n
-
- def convert_from_canonical(self, canonical: int,
- rep: ModulusRepresentation) -> int:
- """Convert values from canonical representation to the given representation."""
- if rep is ModulusRepresentation.MONTGOMERY:
- return self.to_montgomery(canonical)
- elif rep is ModulusRepresentation.OPT_RED:
- return canonical
- else:
- raise ValueError('Modulus representation not supported: {}'
- .format(rep.name))
-
- @property
- def boundary(self) -> int:
- return self.int_n
-
- @property
- def arg_a(self) -> str:
- if self.montgomery_form_a:
- value_a = self.to_montgomery(self.int_a)
- else:
- value_a = self.int_a
- return self.format_arg('{:x}'.format(value_a))
-
- @property
- def arg_n(self) -> str:
- return self.format_arg(self.val_n)
-
- def format_arg(self, val: str) -> str:
- return super().format_arg(val).zfill(self.hex_digits)
-
- def arguments(self) -> List[str]:
- return [quote_str(self.arg_n)] + super().arguments()
-
- @property
- def r(self) -> int: # pylint: disable=invalid-name
- l = limbs_mpi(self.int_n, self.bits_in_limb)
- return bound_mpi_limbs(l, self.bits_in_limb)
-
- @property
- def r_inv(self) -> int:
- return invmod(self.r, self.int_n)
-
- @property
- def r2(self) -> int: # pylint: disable=invalid-name
- return pow(self.r, 2)
-
- @property
- def is_valid(self) -> bool:
- if self.int_a >= self.int_n:
- return False
- if self.disallow_zero_a and self.int_a == 0:
- return False
- if self.arity == 2 and self.int_b >= self.int_n:
- return False
- return True
-
- def description(self) -> str:
- """Generate a description for the test case.
-
- It uses the form A `symbol` B mod N, where symbol is used to represent
- the operation.
- """
-
- if not self.case_description:
- return super().description() + " mod {:x}".format(self.int_n)
- return super().description()
-
- @classmethod
- def input_cases_args(cls) -> Iterator[Tuple[Any, Any, Any]]:
- if cls.arity == 1:
- yield from ((n, a, "0") for a, n in cls.input_cases)
- elif cls.arity == 2:
- yield from ((n, a, b) for a, b, n in cls.input_cases)
- else:
- raise ValueError("Unsupported number of operands!")
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- if cls.input_style not in cls.input_styles:
- raise ValueError("Unknown input style!")
- if cls.arity not in cls.arities:
- raise ValueError("Unsupported number of operands!")
- if cls.input_style == "arch_split":
- test_objects = (cls(n, a, b, bits_in_limb=bil)
- for n in cls.moduli
- for a, b in cls.get_value_pairs()
- for bil in cls.limb_sizes)
- special_cases = (cls(*args, bits_in_limb=bil)
- for args in cls.input_cases_args()
- for bil in cls.limb_sizes)
- else:
- test_objects = (cls(n, a, b)
- for n in cls.moduli
- for a, b in cls.get_value_pairs())
- special_cases = (cls(*args) for args in cls.input_cases_args())
- yield from (valid_test_object.create_test_case()
- for valid_test_object in filter(
- lambda test_object: test_object.is_valid,
- chain(test_objects, special_cases)
- ))
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
deleted file mode 100644
index 563492b..0000000
--- a/scripts/mbedtls_dev/bignum_core.py
+++ /dev/null
@@ -1,907 +0,0 @@
-"""Framework classes for generation of bignum core test cases."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import random
-
-from typing import Dict, Iterator, List, Tuple
-
-from . import test_case
-from . import test_data_generation
-from . import bignum_common
-from .bignum_data import ADD_SUB_DATA
-
-class BignumCoreTarget(test_data_generation.BaseTarget):
- #pylint: disable=abstract-method, too-few-public-methods
- """Target for bignum core test case generation."""
- target_basename = 'test_suite_bignum_core.generated'
-
-
-class BignumCoreShiftR(BignumCoreTarget, test_data_generation.BaseTest):
- """Test cases for mbedtls_bignum_core_shift_r()."""
- count = 0
- test_function = "mpi_core_shift_r"
- test_name = "Core shift right"
-
- DATA = [
- ('00', '0', [0, 1, 8]),
- ('01', '1', [0, 1, 2, 8, 64]),
- ('dee5ca1a7ef10a75', '64-bit',
- list(range(11)) + [31, 32, 33, 63, 64, 65, 71, 72]),
- ('002e7ab0070ad57001', '[leading 0 limb]',
- [0, 1, 8, 63, 64]),
- ('a1055eb0bb1efa1150ff', '80-bit',
- [0, 1, 8, 63, 64, 65, 72, 79, 80, 81, 88, 128, 129, 136]),
- ('020100000000000000001011121314151617', '138-bit',
- [0, 1, 8, 9, 16, 72, 73, 136, 137, 138, 144]),
- ]
-
- def __init__(self, input_hex: str, descr: str, count: int) -> None:
- self.input_hex = input_hex
- self.number_description = descr
- self.shift_count = count
- self.result = bignum_common.hex_to_int(input_hex) >> count
-
- def arguments(self) -> List[str]:
- return ['"{}"'.format(self.input_hex),
- str(self.shift_count),
- '"{:0{}x}"'.format(self.result, len(self.input_hex))]
-
- def description(self) -> str:
- return 'Core shift {} >> {}'.format(self.number_description,
- self.shift_count)
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- for input_hex, descr, counts in cls.DATA:
- for count in counts:
- yield cls(input_hex, descr, count).create_test_case()
-
-
-class BignumCoreShiftL(BignumCoreTarget, bignum_common.ModOperationCommon):
- """Test cases for mbedtls_bignum_core_shift_l()."""
-
- BIT_SHIFT_VALUES = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a',
- '1f', '20', '21', '3f', '40', '41', '47', '48', '4f',
- '50', '51', '58', '80', '81', '88']
- DATA = ["0", "1", "40", "dee5ca1a7ef10a75", "a1055eb0bb1efa1150ff",
- "002e7ab0070ad57001", "020100000000000000001011121314151617",
- "1946e2958a85d8863ae21f4904fcc49478412534ed53eaf321f63f2a222"
- "7a3c63acbf50b6305595f90cfa8327f6db80d986fe96080bcbb5df1bdbe"
- "9b74fb8dedf2bddb3f8215b54dffd66409323bcc473e45a8fe9d08e77a51"
- "1698b5dad0416305db7fcf"]
- arity = 1
- test_function = "mpi_core_shift_l"
- test_name = "Core shift(L)"
- input_style = "arch_split"
- symbol = "<<"
- input_values = BIT_SHIFT_VALUES
- moduli = DATA
-
- @property
- def val_n_max_limbs(self) -> int:
- """ Return the limb count required to store the maximum number that can
- fit in a the number of digits used by val_n """
- m = bignum_common.hex_digits_max_int(self.val_n, self.bits_in_limb) - 1
- return bignum_common.limbs_mpi(m, self.bits_in_limb)
-
- def arguments(self) -> List[str]:
- return [bignum_common.quote_str(self.val_n),
- str(self.int_a)
- ] + self.result()
-
- def description(self) -> str:
- """ Format the output as:
- #{count} {hex input} ({input bits} {limbs capacity}) << {bit shift} """
- bits = "({} bits in {} limbs)".format(self.int_n.bit_length(), self.val_n_max_limbs)
- return "{} #{} {} {} {} {}".format(self.test_name,
- self.count,
- self.val_n,
- bits,
- self.symbol,
- self.int_a)
-
- def format_result(self, res: int) -> str:
- # Override to match zero-pading for leading digits between the output and input.
- res_str = bignum_common.zfill_match(self.val_n, "{:x}".format(res))
- return bignum_common.quote_str(res_str)
-
- def result(self) -> List[str]:
- result = (self.int_n << self.int_a)
- # Calculate if there is space for shifting to the left(leading zero limbs)
- mx = bignum_common.hex_digits_max_int(self.val_n, self.bits_in_limb)
- # If there are empty limbs ahead, adjust the bitmask accordingly
- result = result & (mx - 1)
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
-
-class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
- """Test cases for mbedtls_mpi_core_ct_uint_table_lookup()."""
- test_function = "mpi_core_ct_uint_table_lookup"
- test_name = "Constant time MPI table lookup"
-
- bitsizes = [
- (32, "One limb"),
- (192, "Smallest curve sized"),
- (512, "Largest curve sized"),
- (2048, "Small FF/RSA sized"),
- (4096, "Large FF/RSA sized"),
- ]
-
- window_sizes = [0, 1, 2, 3, 4, 5, 6]
-
- def __init__(self,
- bitsize: int, descr: str, window_size: int) -> None:
- self.bitsize = bitsize
- self.bitsize_description = descr
- self.window_size = window_size
-
- def arguments(self) -> List[str]:
- return [str(self.bitsize), str(self.window_size)]
-
- def description(self) -> str:
- return '{} - {} MPI with {} bit window'.format(
- BignumCoreCTLookup.test_name,
- self.bitsize_description,
- self.window_size
- )
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- for bitsize, bitsize_description in cls.bitsizes:
- for window_size in cls.window_sizes:
- yield (cls(bitsize, bitsize_description, window_size)
- .create_test_case())
-
-
-class BignumCoreAddAndAddIf(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for bignum core add and add-if."""
- count = 0
- symbol = "+"
- test_function = "mpi_core_add_and_add_if"
- test_name = "mpi_core_add_and_add_if"
- input_style = "arch_split"
- input_values = ADD_SUB_DATA
- unique_combinations_only = True
-
- def result(self) -> List[str]:
- result = self.int_a + self.int_b
-
- carry, result = divmod(result, self.limb_boundary)
-
- return [
- self.format_result(result),
- str(carry)
- ]
-
-
-class BignumCoreSub(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for bignum core sub."""
- count = 0
- input_style = "arch_split"
- symbol = "-"
- test_function = "mpi_core_sub"
- test_name = "mbedtls_mpi_core_sub"
- input_values = ADD_SUB_DATA
-
- def result(self) -> List[str]:
- if self.int_a >= self.int_b:
- result = self.int_a - self.int_b
- carry = 0
- else:
- result = self.limb_boundary + self.int_a - self.int_b
- carry = 1
- return [
- self.format_result(result),
- str(carry)
- ]
-
-
-class BignumCoreMLA(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for fixed-size multiply accumulate."""
- count = 0
- test_function = "mpi_core_mla"
- test_name = "mbedtls_mpi_core_mla"
-
- input_values = [
- "0", "1", "fffe", "ffffffff", "100000000", "20000000000000",
- "ffffffffffffffff", "10000000000000000", "1234567890abcdef0",
- "fffffffffffffffffefefefefefefefe",
- "100000000000000000000000000000000",
- "1234567890abcdef01234567890abcdef0",
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
- "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0",
- (
- "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f"
- "34029643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf17"
- "9298bd9947c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38"
- "edf0c5889eca4a0cfa99b45fbdeee4c696b328ddceae4723945901ec02507"
- "6b12b"
- )
- ] # type: List[str]
- input_scalars = [
- "0", "3", "fe", "ff", "ffff", "10000", "ffffffff", "100000000",
- "7f7f7f7f7f7f7f7f", "8000000000000000", "fffffffffffffffe"
- ] # type: List[str]
-
- def __init__(self, val_a: str, val_b: str, val_s: str) -> None:
- super().__init__(val_a, val_b)
- self.arg_scalar = val_s
- self.int_scalar = bignum_common.hex_to_int(val_s)
- if bignum_common.limbs_mpi(self.int_scalar, 32) > 1:
- self.dependencies = ["MBEDTLS_HAVE_INT64"]
-
- def arguments(self) -> List[str]:
- return [
- bignum_common.quote_str(self.arg_a),
- bignum_common.quote_str(self.arg_b),
- bignum_common.quote_str(self.arg_scalar)
- ] + self.result()
-
- def description(self) -> str:
- """Override and add the additional scalar."""
- if not self.case_description:
- self.case_description = "0x{} + 0x{} * 0x{}".format(
- self.arg_a, self.arg_b, self.arg_scalar
- )
- return super().description()
-
- def result(self) -> List[str]:
- result = self.int_a + (self.int_b * self.int_scalar)
- bound_val = max(self.int_a, self.int_b)
- bound_4 = bignum_common.bound_mpi(bound_val, 32)
- bound_8 = bignum_common.bound_mpi(bound_val, 64)
- carry_4, remainder_4 = divmod(result, bound_4)
- carry_8, remainder_8 = divmod(result, bound_8)
- return [
- "\"{:x}\"".format(remainder_4),
- "\"{:x}\"".format(carry_4),
- "\"{:x}\"".format(remainder_8),
- "\"{:x}\"".format(carry_8)
- ]
-
- @classmethod
- def get_value_pairs(cls) -> Iterator[Tuple[str, str]]:
- """Generator to yield pairs of inputs.
-
- Combinations are first generated from all input values, and then
- specific cases provided.
- """
- yield from super().get_value_pairs()
- yield from cls.input_cases
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- """Override for additional scalar input."""
- for a_value, b_value in cls.get_value_pairs():
- for s_value in cls.input_scalars:
- cur_op = cls(a_value, b_value, s_value)
- yield cur_op.create_test_case()
-
-
-class BignumCoreMul(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for bignum core multiplication."""
- count = 0
- input_style = "arch_split"
- symbol = "*"
- test_function = "mpi_core_mul"
- test_name = "mbedtls_mpi_core_mul"
- arity = 2
- unique_combinations_only = True
-
- def format_arg(self, val: str) -> str:
- return val
-
- def format_result(self, res: int) -> str:
- res_str = '{:x}'.format(res)
- a_limbs = bignum_common.limbs_mpi(self.int_a, self.bits_in_limb)
- b_limbs = bignum_common.limbs_mpi(self.int_b, self.bits_in_limb)
- hex_digits = bignum_common.hex_digits_for_limb(a_limbs + b_limbs, self.bits_in_limb)
- return bignum_common.quote_str(self.format_arg(res_str).zfill(hex_digits))
-
- def result(self) -> List[str]:
- result = self.int_a * self.int_b
- return [self.format_result(result)]
-
-
-class BignumCoreMontmul(BignumCoreTarget, test_data_generation.BaseTest):
- """Test cases for Montgomery multiplication."""
- count = 0
- test_function = "mpi_core_montmul"
- test_name = "mbedtls_mpi_core_montmul"
-
- start_2_mpi4 = False
- start_2_mpi8 = False
-
- replay_test_cases = [
- (2, 1, 1, 1, "19", "1", "1D"), (2, 1, 1, 1, "7", "1", "9"),
- (2, 1, 1, 1, "4", "1", "9"),
- (
- 12, 1, 6, 1, (
- "3C246D0E059A93A266288A7718419EC741661B474C58C032C5EDAF92709402"
- "B07CC8C7CE0B781C641A1EA8DB2F4343"
- ), "1", (
- "66A198186C18C10B2F5ED9B522752A9830B69916E535C8F047518A889A43A5"
- "94B6BED27A168D31D4A52F88925AA8F5"
- )
- ), (
- 8, 1, 4, 1,
- "1E442976B0E63D64FCCE74B999E470CA9888165CB75BFA1F340E918CE03C6211",
- "1", "B3A119602EE213CDE28581ECD892E0F592A338655DCE4CA88054B3D124D0E561"
- ), (
- 22, 1, 11, 1, (
- "7CF5AC97304E0B63C65413F57249F59994B0FED1D2A8D3D83ED5FA38560FFB"
- "82392870D6D08F87D711917FD7537E13B7E125BE407E74157776839B0AC9DB"
- "23CBDFC696104353E4D2780B2B4968F8D8542306BCA7A2366E"
- ), "1", (
- "284139EA19C139EBE09A8111926AAA39A2C2BE12ED487A809D3CB5BC558547"
- "25B4CDCB5734C58F90B2F60D99CC1950CDBC8D651793E93C9C6F0EAD752500"
- "A32C56C62082912B66132B2A6AA42ADA923E1AD22CEB7BA0123"
- )
- )
- ] # type: List[Tuple[int, int, int, int, str, str, str]]
-
- random_test_cases = [
- ("2", "2", "3", ""), ("1", "2", "3", ""), ("2", "1", "3", ""),
- ("6", "5", "7", ""), ("3", "4", "7", ""), ("1", "6", "7", ""), ("5", "6", "7", ""),
- ("3", "4", "B", ""), ("7", "4", "B", ""), ("9", "7", "B", ""), ("2", "a", "B", ""),
- ("25", "16", "29", "(0x29 is prime)"), ("8", "28", "29", ""),
- ("18", "21", "29", ""), ("15", "f", "29", ""),
- ("e2", "ea", "FF", ""), ("43", "72", "FF", ""),
- ("d8", "70", "FF", ""), ("3c", "7c", "FF", ""),
- ("99", "b9", "101", "(0x101 is prime)"), ("65", "b2", "101", ""),
- ("81", "32", "101", ""), ("51", "dd", "101", ""),
- ("d5", "143", "38B", "(0x38B is prime)"), ("3d", "387", "38B", ""),
- ("160", "2e5", "38B", ""), ("10f", "137", "38B", ""),
- ("7dac", "25a", "8003", "(0x8003 is prime)"), ("6f1c", "3286", "8003", ""),
- ("59ed", "2f3f", "8003", ""), ("6893", "736d", "8003", ""),
- ("d199", "2832", "10001", "(0x10001 is prime)"), ("c3b2", "3e5b", "10001", ""),
- ("abe4", "214e", "10001", ""), ("4360", "a05d", "10001", ""),
- ("3f5a1", "165b2", "7F7F7", ""), ("3bd29", "37863", "7F7F7", ""),
- ("60c47", "64819", "7F7F7", ""), ("16584", "12c49", "7F7F7", ""),
- ("1ff03f", "610347", "800009", "(0x800009 is prime)"), ("340fd5", "19812e", "800009", ""),
- ("3fe2e8", "4d0dc7", "800009", ""), ("40356", "e6392", "800009", ""),
- ("dd8a1d", "266c0e", "100002B", "(0x100002B is prime)"),
- ("3fa1cb", "847fd6", "100002B", ""), ("5f439d", "5c3196", "100002B", ""),
- ("18d645", "f72dc6", "100002B", ""),
- ("20051ad", "37def6e", "37EEE9D", "(0x37EEE9D is prime)"),
- ("2ec140b", "3580dbf", "37EEE9D", ""), ("1d91b46", "190d4fc", "37EEE9D", ""),
- ("34e488d", "1224d24", "37EEE9D", ""),
- ("2a4fe2cb", "263466a9", "8000000B", "(0x8000000B is prime)"),
- ("5643fe94", "29a1aefa", "8000000B", ""), ("29633513", "7b007ac4", "8000000B", ""),
- ("2439cef5", "5c9d5a47", "8000000B", ""),
- ("4de3cfaa", "50dea178", "8CD626B9", "(0x8CD626B9 is prime)"),
- ("b8b8563", "10dbbbac", "8CD626B9", ""), ("4e8a6151", "5574ec19", "8CD626B9", ""),
- ("69224878", "309cfc23", "8CD626B9", ""),
- ("fb6f7fb6", "afb05423", "10000000F", "(0x10000000F is prime)"),
- ("8391a243", "26034dcd", "10000000F", ""), ("d26b98c", "14b2d6aa", "10000000F", ""),
- ("6b9f1371", "a21daf1d", "10000000F", ""),
- (
- "9f49435ad", "c8264ade8", "174876E7E9",
- "0x174876E7E9 is prime (dec) 99999999977"
- ),
- ("c402da434", "1fb427acf", "174876E7E9", ""),
- ("f6ebc2bb1", "1096d39f2a", "174876E7E9", ""),
- ("153b7f7b6b", "878fda8ff", "174876E7E9", ""),
- ("2c1adbb8d6", "4384d2d3c6", "8000000017", "(0x8000000017 is prime)"),
- ("2e4f9cf5fb", "794f3443d9", "8000000017", ""),
- ("149e495582", "3802b8f7b7", "8000000017", ""),
- ("7b9d49df82", "69c68a442a", "8000000017", ""),
- ("683a134600", "6dd80ea9f6", "864CB9076D", "(0x864CB9076D is prime)"),
- ("13a870ff0d", "59b099694a", "864CB9076D", ""),
- ("37d06b0e63", "4d2147e46f", "864CB9076D", ""),
- ("661714f8f4", "22e55df507", "864CB9076D", ""),
- ("2f0a96363", "52693307b4", "F7F7F7F7F7", ""),
- ("3c85078e64", "f2275ecb6d", "F7F7F7F7F7", ""),
- ("352dae68d1", "707775b4c6", "F7F7F7F7F7", ""),
- ("37ae0f3e0b", "912113040f", "F7F7F7F7F7", ""),
- ("6dada15e31", "f58ed9eff7", "1000000000F", "(0x1000000000F is prime)"),
- ("69627a7c89", "cfb5ebd13d", "1000000000F", ""),
- ("a5e1ad239b", "afc030c731", "1000000000F", ""),
- ("f1cc45f4c5", "c64ad607c8", "1000000000F", ""),
- ("2ebad87d2e31", "4c72d90bca78", "800000000005", "(0x800000000005 is prime)"),
- ("a30b3cc50d", "29ac4fe59490", "800000000005", ""),
- ("33674e9647b4", "5ec7ee7e72d3", "800000000005", ""),
- ("3d956f474f61", "74070040257d", "800000000005", ""),
- ("48348e3717d6", "43fcb4399571", "800795D9BA47", "(0x800795D9BA47 is prime)"),
- ("5234c03cc99b", "2f3cccb87803", "800795D9BA47", ""),
- ("3ed13db194ab", "44b8f4ba7030", "800795D9BA47", ""),
- ("1c11e843bfdb", "95bd1b47b08", "800795D9BA47", ""),
- ("a81d11cb81fd", "1e5753a3f33d", "1000000000015", "(0x1000000000015 is prime)"),
- ("688c4db99232", "36fc0cf7ed", "1000000000015", ""),
- ("f0720cc07e07", "fc76140ed903", "1000000000015", ""),
- ("2ec61f8d17d1", "d270c85e36d2", "1000000000015", ""),
- (
- "6a24cd3ab63820", "ed4aad55e5e348", "100000000000051",
- "(0x100000000000051 is prime)"
- ),
- ("e680c160d3b248", "31e0d8840ed510", "100000000000051", ""),
- ("a80637e9aebc38", "bb81decc4e1738", "100000000000051", ""),
- ("9afa5a59e9d630", "be9e65a6d42938", "100000000000051", ""),
- ("ab5e104eeb71c000", "2cffbd639e9fea00", "ABCDEF0123456789", ""),
- ("197b867547f68a00", "44b796cf94654800", "ABCDEF0123456789", ""),
- ("329f9483a04f2c00", "9892f76961d0f000", "ABCDEF0123456789", ""),
- ("4a2e12dfb4545000", "1aa3e89a69794500", "ABCDEF0123456789", ""),
- (
- "8b9acdf013d140f000", "12e4ceaefabdf2b2f00", "25A55A46E5DA99C71C7",
- "0x25A55A46E5DA99C71C7 is the 3rd repunit prime(dec) 11111111111111111111111"
- ),
- ("1b8d960ea277e3f5500", "14418aa980e37dd000", "25A55A46E5DA99C71C7", ""),
- ("7314524977e8075980", "8172fa45618ccd0d80", "25A55A46E5DA99C71C7", ""),
- ("ca14f031769be63580", "147a2f3cf2964ca9400", "25A55A46E5DA99C71C7", ""),
- (
- "18532ba119d5cd0cf39735c0000", "25f9838e31634844924733000000",
- "314DC643FB763F2B8C0E2DE00879",
- "0x314DC643FB763F2B8C0E2DE00879 is (dec)99999999977^3"
- ),
- (
- "a56e2d2517519e3970e70c40000", "ec27428d4bb380458588fa80000",
- "314DC643FB763F2B8C0E2DE00879", ""
- ),
- (
- "1cb5e8257710e8653fff33a00000", "15fdd42fe440fd3a1d121380000",
- "314DC643FB763F2B8C0E2DE00879", ""
- ),
- (
- "e50d07a65fc6f93e538ce040000", "1f4b059ca609f3ce597f61240000",
- "314DC643FB763F2B8C0E2DE00879", ""
- ),
- (
- "1ea3ade786a095d978d387f30df9f20000000",
- "127c448575f04af5a367a7be06c7da0000000",
- "47BF19662275FA2F6845C74942ED1D852E521",
- "0x47BF19662275FA2F6845C74942ED1D852E521 is (dec) 99999999977^4"
- ),
- (
- "16e15b0ca82764e72e38357b1f10a20000000",
- "43e2355d8514bbe22b0838fdc3983a0000000",
- "47BF19662275FA2F6845C74942ED1D852E521", ""
- ),
- (
- "be39332529d93f25c3d116c004c620000000",
- "5cccec42370a0a2c89c6772da801a0000000",
- "47BF19662275FA2F6845C74942ED1D852E521", ""
- ),
- (
- "ecaa468d90de0eeda474d39b3e1fc0000000",
- "1e714554018de6dc0fe576bfd3b5660000000",
- "47BF19662275FA2F6845C74942ED1D852E521", ""
- ),
- (
- "32298816711c5dce46f9ba06e775c4bedfc770e6700000000000000",
- "8ee751fd5fb24f0b4a653cb3a0c8b7d9e724574d168000000000000",
- "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931",
- (
- "0x97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931"
- " is (dec) 99999999977^6"
- )
- ),
- (
- "29213b9df3cfd15f4b428645b67b677c29d1378d810000000000000",
- "6cbb732c65e10a28872394dfdd1936d5171c3c3aac0000000000000",
- "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", ""
- ),
- (
- "6f18db06ad4abc52c0c50643dd13098abccd4a232f0000000000000",
- "7e6bf41f2a86098ad51f98dfc10490ba3e8081bc830000000000000",
- "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", ""
- ),
- (
- "62d3286cd706ad9d73caff63f1722775d7e8c731208000000000000",
- "530f7ba02ae2b04c2fe3e3d27ec095925631a6c2528000000000000",
- "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", ""
- ),
- (
- "a6c6503e3c031fdbf6009a89ed60582b7233c5a85de28b16000000000000000",
- "75c8ed18270b583f16d442a467d32bf95c5e491e9b8523798000000000000000",
- "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499",
- (
- "0xDD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499"
- " is (dec) 99999999977^7"
- )
- ),
- (
- "bf84d1f85cf6b51e04d2c8f4ffd03532d852053cf99b387d4000000000000000",
- "397ba5a743c349f4f28bc583ecd5f06e0a25f9c6d98f09134000000000000000",
- "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", ""
- ),
- (
- "6db11c3a4152ed1a2aa6fa34b0903ec82ea1b88908dcb482000000000000000",
- "ac8ac576a74ad6ca48f201bf89f77350ce86e821358d85920000000000000000",
- "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", ""
- ),
- (
- "3001d96d7fe8b733f33687646fc3017e3ac417eb32e0ec708000000000000000",
- "925ddbdac4174e8321a48a32f79640e8cf7ec6f46ea235a80000000000000000",
- "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", ""
- ),
- (
- "1029048755f2e60dd98c8de6d9989226b6bb4f0db8e46bd1939de560000000000000000000",
- "51bb7270b2e25cec0301a03e8275213bb6c2f6e6ec93d4d46d36ca0000000000000000000",
- "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41",
- (
- "0x141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146"
- "380E41 is 99999999977^8"
- )
- ),
- (
- "1c5337ff982b3ad6611257dbff5bbd7a9920ba2d4f5838a0cc681ce000000000000000000",
- "520c5d049ca4702031ba728591b665c4d4ccd3b2b86864d4c160fd2000000000000000000",
- "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41",
- ""
- ),
- (
- "57074dfa00e42f6555bae624b7f0209f218adf57f73ed34ab0ff90c000000000000000000",
- "41eb14b6c07bfd3d1fe4f4a610c17cc44fcfcda695db040e011065000000000000000000",
- "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41",
- ""
- ),
- (
- "d8ed7feed2fe855e6997ad6397f776158573d425031bf085a615784000000000000000000",
- "6f121dcd18c578ab5e229881006007bb6d319b179f11015fe958b9c000000000000000000",
- "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41",
- ""
- ),
- (
- (
- "2a462b156180ea5fe550d3758c764e06fae54e626b5f503265a09df76edbdfbf"
- "a1e6000000000000000000000000"
- ), (
- "1136f41d1879fd4fb9e49e0943a46b6704d77c068ee237c3121f9071cfd3e6a0"
- "0315800000000000000000000000"
- ), (
- "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC90"
- "2713E40F51E3B3C214EDFABC451"
- ), (
- "0x2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC"
- "902713E40F51E3B3C214EDFABC451 is (dec) 99999999977^10"
- )
- ),
- (
- (
- "c1ac3800dfb3c6954dea391d206200cf3c47f795bf4a5603b4cb88ae7e574de47"
- "40800000000000000000000000"
- ), (
- "c0d16eda0549ede42fa0deb4635f7b7ce061fadea02ee4d85cba4c4f709603419"
- "3c800000000000000000000000"
- ), (
- "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC90"
- "2713E40F51E3B3C214EDFABC451"
- ), ""
- ),
- (
- (
- "19e45bb7633094d272588ad2e43bcb3ee341991c6731b6fa9d47c4018d7ce7bba"
- "5ee800000000000000000000000"
- ), (
- "1e4f83166ae59f6b9cc8fd3e7677ed8bfc01bb99c98bd3eb084246b64c1e18c33"
- "65b800000000000000000000000"
- ), (
- "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC90"
- "2713E40F51E3B3C214EDFABC451"
- ), ""
- ),
- (
- (
- "1aa93395fad5f9b7f20b8f9028a054c0bb7c11bb8520e6a95e5a34f06cb70bcdd"
- "01a800000000000000000000000"
- ), (
- "54b45afa5d4310192f8d224634242dd7dcfb342318df3d9bd37b4c614788ba13b"
- "8b000000000000000000000000"
- ), (
- "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC90"
- "2713E40F51E3B3C214EDFABC451"
- ), ""
- ),
- (
- (
- "544f2628a28cfb5ce0a1b7180ee66b49716f1d9476c466c57f0c4b23089917843"
- "06d48f78686115ee19e25400000000000000000000000000000000"
- ), (
- "677eb31ef8d66c120fa872a60cd47f6e10cbfdf94f90501bd7883cba03d185be0"
- "a0148d1625745e9c4c827300000000000000000000000000000000"
- ), (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA1"
- "1DABD6E6144BEF37C6800000000000000000000000000000000051"
- ), (
- "0x8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBF"
- "A11DABD6E6144BEF37C6800000000000000000000000000000000051 is prime,"
- " (dec) 10^143 + 3^4"
- )
- ),
- (
- (
- "76bb3470985174915e9993522aec989666908f9e8cf5cb9f037bf4aee33d8865c"
- "b6464174795d07e30015b80000000000000000000000000000000"
- ), (
- "6aaaf60d5784dcef612d133613b179a317532ecca0eed40b8ad0c01e6d4a6d8c7"
- "9a52af190abd51739009a900000000000000000000000000000000"
- ), (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA1"
- "1DABD6E6144BEF37C6800000000000000000000000000000000051"
- ), ""
- ),
- (
- (
- "6cfdd6e60912e441d2d1fc88f421b533f0103a5322ccd3f4db84861643ad63fd6"
- "3d1d8cfbc1d498162786ba00000000000000000000000000000000"
- ), (
- "1177246ec5e93814816465e7f8f248b350d954439d35b2b5d75d917218e7fd5fb"
- "4c2f6d0667f9467fdcf33400000000000000000000000000000000"
- ), (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA1"
- "1DABD6E6144BEF37C6800000000000000000000000000000000051"
- ), ""
- ),
- (
- (
- "7a09a0b0f8bbf8057116fb0277a9bdf3a91b5eaa8830d448081510d8973888be5"
- "a9f0ad04facb69aa3715f00000000000000000000000000000000"
- ), (
- "764dec6c05a1c0d87b649efa5fd94c91ea28bffb4725d4ab4b33f1a3e8e3b314d"
- "799020e244a835a145ec9800000000000000000000000000000000"
- ), (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA1"
- "1DABD6E6144BEF37C6800000000000000000000000000000000051"
- ), ""
- )
- ] # type: List[Tuple[str, str, str, str]]
-
- def __init__(
- self, val_a: str, val_b: str, val_n: str, case_description: str = ""
- ):
- self.case_description = case_description
- self.arg_a = val_a
- self.int_a = bignum_common.hex_to_int(val_a)
- self.arg_b = val_b
- self.int_b = bignum_common.hex_to_int(val_b)
- self.arg_n = val_n
- self.int_n = bignum_common.hex_to_int(val_n)
-
- limbs_a4 = bignum_common.limbs_mpi(self.int_a, 32)
- limbs_a8 = bignum_common.limbs_mpi(self.int_a, 64)
- self.limbs_b4 = bignum_common.limbs_mpi(self.int_b, 32)
- self.limbs_b8 = bignum_common.limbs_mpi(self.int_b, 64)
- self.limbs_an4 = bignum_common.limbs_mpi(self.int_n, 32)
- self.limbs_an8 = bignum_common.limbs_mpi(self.int_n, 64)
-
- if limbs_a4 > self.limbs_an4 or limbs_a8 > self.limbs_an8:
- raise Exception("Limbs of input A ({}) exceeds N ({})".format(
- self.arg_a, self.arg_n
- ))
-
- def arguments(self) -> List[str]:
- return [
- str(self.limbs_an4), str(self.limbs_b4),
- str(self.limbs_an8), str(self.limbs_b8),
- bignum_common.quote_str(self.arg_a),
- bignum_common.quote_str(self.arg_b),
- bignum_common.quote_str(self.arg_n)
- ] + self.result()
-
- def description(self) -> str:
- if self.case_description != "replay":
- if not self.start_2_mpi4 and self.limbs_an4 > 1:
- tmp = "(start of 2-MPI 4-byte bignums) "
- self.__class__.start_2_mpi4 = True
- elif not self.start_2_mpi8 and self.limbs_an8 > 1:
- tmp = "(start of 2-MPI 8-byte bignums) "
- self.__class__.start_2_mpi8 = True
- else:
- tmp = "(gen) "
- self.case_description = tmp + self.case_description
- return super().description()
-
- def result(self) -> List[str]:
- """Get the result of the operation."""
- r4 = bignum_common.bound_mpi_limbs(self.limbs_an4, 32)
- i4 = bignum_common.invmod(r4, self.int_n)
- x4 = self.int_a * self.int_b * i4
- x4 = x4 % self.int_n
-
- r8 = bignum_common.bound_mpi_limbs(self.limbs_an8, 64)
- i8 = bignum_common.invmod(r8, self.int_n)
- x8 = self.int_a * self.int_b * i8
- x8 = x8 % self.int_n
- return [
- "\"{:x}\"".format(x4),
- "\"{:x}\"".format(x8)
- ]
-
- def set_limbs(
- self, limbs_an4: int, limbs_b4: int, limbs_an8: int, limbs_b8: int
- ) -> None:
- """Set number of limbs for each input.
-
- Replaces default values set during initialization.
- """
- self.limbs_an4 = limbs_an4
- self.limbs_b4 = limbs_b4
- self.limbs_an8 = limbs_an8
- self.limbs_b8 = limbs_b8
-
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- """Generate replay and randomly generated test cases."""
- # Test cases which replay captured invocations during unit test runs.
- for limbs_an4, limbs_b4, limbs_an8, limbs_b8, a, b, n in cls.replay_test_cases:
- cur_op = cls(a, b, n, case_description="replay")
- cur_op.set_limbs(limbs_an4, limbs_b4, limbs_an8, limbs_b8)
- yield cur_op.create_test_case()
- # Random test cases can be generated using mpi_modmul_case_generate()
- # Uses a mixture of primes and odd numbers as N, with four randomly
- # generated cases for each N.
- for a, b, n, description in cls.random_test_cases:
- cur_op = cls(a, b, n, case_description=description)
- yield cur_op.create_test_case()
-
-
-def mpi_modmul_case_generate() -> None:
- """Generate valid inputs for montmul tests using moduli.
-
- For each modulus, generates random values for A and B and simple descriptions
- for the test case.
- """
- moduli = [
- ("3", ""), ("7", ""), ("B", ""), ("29", ""), ("FF", ""),
- ("101", ""), ("38B", ""), ("8003", ""), ("10001", ""),
- ("7F7F7", ""), ("800009", ""), ("100002B", ""), ("37EEE9D", ""),
- ("8000000B", ""), ("8CD626B9", ""), ("10000000F", ""),
- ("174876E7E9", "is prime (dec) 99999999977"),
- ("8000000017", ""), ("864CB9076D", ""), ("F7F7F7F7F7", ""),
- ("1000000000F", ""), ("800000000005", ""), ("800795D9BA47", ""),
- ("1000000000015", ""), ("100000000000051", ""), ("ABCDEF0123456789", ""),
- (
- "25A55A46E5DA99C71C7",
- "is the 3rd repunit prime (dec) 11111111111111111111111"
- ),
- ("314DC643FB763F2B8C0E2DE00879", "is (dec)99999999977^3"),
- ("47BF19662275FA2F6845C74942ED1D852E521", "is (dec) 99999999977^4"),
- (
- "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931",
- "is (dec) 99999999977^6"
- ),
- (
- "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499",
- "is (dec) 99999999977^7"
- ),
- (
- "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41",
- "is (dec) 99999999977^8"
- ),
- (
- (
- "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E283"
- "3EC902713E40F51E3B3C214EDFABC451"
- ),
- "is (dec) 99999999977^10"
- ),
- (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11"
- "DABD6E6144BEF37C6800000000000000000000000000000000051",
- "is prime, (dec) 10^143 + 3^4"
- )
- ] # type: List[Tuple[str, str]]
- primes = [
- "3", "7", "B", "29", "101", "38B", "8003", "10001", "800009",
- "100002B", "37EEE9D", "8000000B", "8CD626B9",
- # From here they require > 1 4-byte MPI
- "10000000F", "174876E7E9", "8000000017", "864CB9076D", "1000000000F",
- "800000000005", "800795D9BA47", "1000000000015", "100000000000051",
- # From here they require > 1 8-byte MPI
- "25A55A46E5DA99C71C7", # this is 11111111111111111111111 decimal
- # 10^143 + 3^4: (which is prime)
- # 100000000000000000000000000000000000000000000000000000000000000000000000000000
- # 000000000000000000000000000000000000000000000000000000000000000081
- (
- "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11"
- "DABD6E6144BEF37C6800000000000000000000000000000000051"
- )
- ] # type: List[str]
- generated_inputs = []
- for mod, description in moduli:
- n = bignum_common.hex_to_int(mod)
- mod_read = "{:x}".format(n)
- case_count = 3 if n < 5 else 4
- cases = {} # type: Dict[int, int]
- i = 0
- while i < case_count:
- a = random.randint(1, n)
- b = random.randint(1, n)
- if cases.get(a) == b:
- continue
- cases[a] = b
- if description:
- out_description = "0x{} {}".format(mod_read, description)
- elif i == 0 and len(mod) > 1 and mod in primes:
- out_description = "(0x{} is prime)"
- else:
- out_description = ""
- generated_inputs.append(
- ("{:x}".format(a), "{:x}".format(b), mod, out_description)
- )
- i += 1
- print(generated_inputs)
-
-
-class BignumCoreExpMod(BignumCoreTarget, bignum_common.ModOperationCommon):
- """Test cases for bignum core exponentiation."""
- symbol = "^"
- test_function = "mpi_core_exp_mod"
- test_name = "Core modular exponentiation (Mongtomery form only)"
- input_style = "fixed"
- montgomery_form_a = True
-
- def result(self) -> List[str]:
- # Result has to be given in Montgomery form too
- result = pow(self.int_a, self.int_b, self.int_n)
- mont_result = self.to_montgomery(result)
- return [self.format_result(mont_result)]
-
- @property
- def is_valid(self) -> bool:
- # The base needs to be canonical, but the exponent can be larger than
- # the modulus (see for example exponent blinding)
- return bool(self.int_a < self.int_n)
-
-
-class BignumCoreSubInt(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for bignum core sub int."""
- count = 0
- symbol = "-"
- test_function = "mpi_core_sub_int"
- test_name = "mpi_core_sub_int"
- input_style = "arch_split"
-
- @property
- def is_valid(self) -> bool:
- # This is "sub int", so b is only one limb
- if bignum_common.limbs_mpi(self.int_b, self.bits_in_limb) > 1:
- return False
- return True
-
- # Overriding because we don't want leading zeros on b
- @property
- def arg_b(self) -> str:
- return self.val_b
-
- def result(self) -> List[str]:
- result = self.int_a - self.int_b
-
- borrow, result = divmod(result, self.limb_boundary)
-
- # Borrow will be -1 if non-zero, but we want it to be 1 in the test data
- return [
- self.format_result(result),
- str(-borrow)
- ]
-
-class BignumCoreZeroCheckCT(BignumCoreTarget, bignum_common.OperationCommon):
- """Test cases for bignum core zero check (constant flow)."""
- count = 0
- symbol = "== 0"
- test_function = "mpi_core_check_zero_ct"
- test_name = "mpi_core_check_zero_ct"
- input_style = "variable"
- arity = 1
- suffix = True
-
- def result(self) -> List[str]:
- result = 1 if self.int_a == 0 else 0
- return [str(result)]
diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py
deleted file mode 100644
index 897e319..0000000
--- a/scripts/mbedtls_dev/bignum_data.py
+++ /dev/null
@@ -1,170 +0,0 @@
-"""Base values and datasets for bignum generated tests and helper functions that
-produced them."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import random
-
-# Functions calling these were used to produce test data and are here only for
-# reproducibility, they are not used by the test generation framework/classes
-try:
- from Cryptodome.Util.number import isPrime, getPrime #type: ignore #pylint: disable=import-error
-except ImportError:
- pass
-
-# Generated by bignum_common.gen_safe_prime(192,1)
-SAFE_PRIME_192_BIT_SEED_1 = "d1c127a667786703830500038ebaef20e5a3e2dc378fb75b"
-
-# First number generated by random.getrandbits(192) - seed(2,2), not a prime
-RANDOM_192_BIT_SEED_2_NO1 = "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"
-
-# Second number generated by random.getrandbits(192) - seed(2,2), not a prime
-RANDOM_192_BIT_SEED_2_NO2 = "cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
-
-# Third number generated by random.getrandbits(192) - seed(2,2), not a prime
-RANDOM_192_BIT_SEED_2_NO3 = "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"
-
-# Fourth number generated by random.getrandbits(192) - seed(2,2), not a prime
-RANDOM_192_BIT_SEED_2_NO4 = "ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
-
-# Ninth number generated by random.getrandbits(192) - seed(2,2), not a prime
-RANDOM_192_BIT_SEED_2_NO9 = "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"
-
-# Generated by bignum_common.gen_safe_prime(1024,3)
-SAFE_PRIME_1024_BIT_SEED_3 = ("c93ba7ec74d96f411ba008bdb78e63ff11bb5df46a51e16b"
- "2c9d156f8e4e18abf5e052cb01f47d0d1925a77f60991577"
- "e128fb6f52f34a27950a594baadd3d8057abeb222cf3cca9"
- "62db16abf79f2ada5bd29ab2f51244bf295eff9f6aaba130"
- "2efc449b128be75eeaca04bc3c1a155d11d14e8be32a2c82"
- "87b3996cf6ad5223")
-
-# First number generated by random.getrandbits(1024) - seed(4,2), not a prime
-RANDOM_1024_BIT_SEED_4_NO1 = ("6905269ed6f0b09f165c8ce36e2f24b43000de01b2ed40ed"
- "3addccb2c33be0ac79d679346d4ac7a5c3902b38963dc6e8"
- "534f45738d048ec0f1099c6c3e1b258fd724452ccea71ff4"
- "a14876aeaff1a098ca5996666ceab360512bd13110722311"
- "710cf5327ac435a7a97c643656412a9b8a1abcd1a6916c74"
- "da4f9fc3c6da5d7")
-
-# Second number generated by random.getrandbits(1024) - seed(4,2), not a prime
-RANDOM_1024_BIT_SEED_4_NO2 = ("f1cfd99216df648647adec26793d0e453f5082492d83a823"
- "3fb62d2c81862fc9634f806fabf4a07c566002249b191bf4"
- "d8441b5616332aca5f552773e14b0190d93936e1daca3c06"
- "f5ff0c03bb5d7385de08caa1a08179104a25e4664f5253a0"
- "2a3187853184ff27459142deccea264542a00403ce80c4b0"
- "a4042bb3d4341aad")
-
-# Third number generated by random.getrandbits(1024) - seed(4,2), not a prime
-RANDOM_1024_BIT_SEED_4_NO3 = ("14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb38"
- "3bb4a570294c4ea3738d243a6e58d5ca49c7b59b995253fd"
- "6c79a3de69f85e3131f3b9238224b122c3e4a892d9196ada"
- "4fcfa583e1df8af9b474c7e89286a1754abcb06ae8abb93f"
- "01d89a024cdce7a6d7288ff68c320f89f1347e0cdd905ecf"
- "d160c5d0ef412ed6")
-
-# Fourth number generated by random.getrandbits(1024) - seed(4,2), not a prime
-RANDOM_1024_BIT_SEED_4_NO4 = ("32decd6b8efbc170a26a25c852175b7a96b98b5fbf37a2be"
- "6f98bca35b17b9662f0733c846bbe9e870ef55b1a1f65507"
- "a2909cb633e238b4e9dd38b869ace91311021c9e32111ac1"
- "ac7cc4a4ff4dab102522d53857c49391b36cc9aa78a330a1"
- "a5e333cb88dcf94384d4cd1f47ca7883ff5a52f1a05885ac"
- "7671863c0bdbc23a")
-
-# Fifth number generated by random.getrandbits(1024) - seed(4,2), not a prime
-RANDOM_1024_BIT_SEED_4_NO5 = ("53be4721f5b9e1f5acdac615bc20f6264922b9ccf469aef8"
- "f6e7d078e55b85dd1525f363b281b8885b69dc230af5ac87"
- "0692b534758240df4a7a03052d733dcdef40af2e54c0ce68"
- "1f44ebd13cc75f3edcb285f89d8cf4d4950b16ffc3e1ac3b"
- "4708d9893a973000b54a23020fc5b043d6e4a51519d9c9cc"
- "52d32377e78131c1")
-
-# Adding 192 bit and 1024 bit numbers because these are the shortest required
-# for ECC and RSA respectively.
-INPUTS_DEFAULT = [
- "0", "1", # corner cases
- "2", "3", # small primes
- "4", # non-prime even
- "38", # small random
- SAFE_PRIME_192_BIT_SEED_1, # prime
- RANDOM_192_BIT_SEED_2_NO1, # not a prime
- RANDOM_192_BIT_SEED_2_NO2, # not a prime
- SAFE_PRIME_1024_BIT_SEED_3, # prime
- RANDOM_1024_BIT_SEED_4_NO1, # not a prime
- RANDOM_1024_BIT_SEED_4_NO3, # not a prime
- RANDOM_1024_BIT_SEED_4_NO2, # largest (not a prime)
- ]
-
-ADD_SUB_DATA = [
- "0", "1", "3", "f", "fe", "ff", "100", "ff00",
- "fffe", "ffff", "10000", # 2^16 - 1, 2^16, 2^16 + 1
- "fffffffe", "ffffffff", "100000000", # 2^32 - 1, 2^32, 2^32 + 1
- "1f7f7f7f7f7f7f",
- "8000000000000000", "fefefefefefefefe",
- "fffffffffffffffe", "ffffffffffffffff", "10000000000000000", # 2^64 - 1, 2^64, 2^64 + 1
- "1234567890abcdef0",
- "fffffffffffffffffffffffe",
- "ffffffffffffffffffffffff",
- "1000000000000000000000000",
- "fffffffffffffffffefefefefefefefe",
- "fffffffffffffffffffffffffffffffe",
- "ffffffffffffffffffffffffffffffff",
- "100000000000000000000000000000000",
- "1234567890abcdef01234567890abcdef0",
- "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe",
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
- "10000000000000000000000000000000000000000000000000000000000000000",
- "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0",
- ]
-
-# Only odd moduli are present as in the new bignum code only odd moduli are
-# supported for now.
-MODULI_DEFAULT = [
- "53", # safe prime
- "45", # non-prime
- SAFE_PRIME_192_BIT_SEED_1, # safe prime
- RANDOM_192_BIT_SEED_2_NO4, # not a prime
- SAFE_PRIME_1024_BIT_SEED_3, # safe prime
- RANDOM_1024_BIT_SEED_4_NO5, # not a prime
- ]
-
-# Some functions, e.g. mbedtls_mpi_mod_raw_inv_prime(), only support prime moduli.
-ONLY_PRIME_MODULI = [
- "53", # safe prime
- "8ac72304057392b5", # 9999999997777777333 (longer, not safe, prime)
- # The next prime has a different R in Montgomery form depending on
- # whether 32- or 64-bit MPIs are used.
- "152d02c7e14af67fe0bf", # 99999999999999999991999
- SAFE_PRIME_192_BIT_SEED_1, # safe prime
- SAFE_PRIME_1024_BIT_SEED_3, # safe prime
- ]
-
-def __gen_safe_prime(bits, seed):
- '''
- Generate a safe prime.
-
- This function is intended for generating constants offline and shouldn't be
- used in test generation classes.
-
- Requires pycryptodomex for getPrime and isPrime and python 3.9 or later for
- randbytes.
- '''
- rng = random.Random()
- # We want reproducibility across python versions
- rng.seed(seed, version=2)
- while True:
- prime = 2*getPrime(bits-1, rng.randbytes)+1 #pylint: disable=no-member
- if isPrime(prime, 1e-30):
- return prime
diff --git a/scripts/mbedtls_dev/bignum_mod.py b/scripts/mbedtls_dev/bignum_mod.py
deleted file mode 100644
index 77c7b1b..0000000
--- a/scripts/mbedtls_dev/bignum_mod.py
+++ /dev/null
@@ -1,113 +0,0 @@
-"""Framework classes for generation of bignum mod test cases."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from typing import Dict, List
-
-from . import test_data_generation
-from . import bignum_common
-from .bignum_data import ONLY_PRIME_MODULI
-
-class BignumModTarget(test_data_generation.BaseTarget):
- #pylint: disable=abstract-method, too-few-public-methods
- """Target for bignum mod test case generation."""
- target_basename = 'test_suite_bignum_mod.generated'
-
-
-class BignumModMul(bignum_common.ModOperationCommon,
- BignumModTarget):
- # pylint:disable=duplicate-code
- """Test cases for bignum mpi_mod_mul()."""
- symbol = "*"
- test_function = "mpi_mod_mul"
- test_name = "mbedtls_mpi_mod_mul"
- input_style = "arch_split"
- arity = 2
-
- def arguments(self) -> List[str]:
- return [self.format_result(self.to_montgomery(self.int_a)),
- self.format_result(self.to_montgomery(self.int_b)),
- bignum_common.quote_str(self.arg_n)
- ] + self.result()
-
- def result(self) -> List[str]:
- result = (self.int_a * self.int_b) % self.int_n
- return [self.format_result(self.to_montgomery(result))]
-
-
-class BignumModSub(bignum_common.ModOperationCommon, BignumModTarget):
- """Test cases for bignum mpi_mod_sub()."""
- symbol = "-"
- test_function = "mpi_mod_sub"
- test_name = "mbedtls_mpi_mod_sub"
- input_style = "fixed"
- arity = 2
-
- def result(self) -> List[str]:
- result = (self.int_a - self.int_b) % self.int_n
- # To make negative tests easier, append 0 for success to the
- # generated cases
- return [self.format_result(result), "0"]
-
-class BignumModInvNonMont(bignum_common.ModOperationCommon, BignumModTarget):
- """Test cases for bignum mpi_mod_inv() - not in Montgomery form."""
- moduli = ONLY_PRIME_MODULI # for now only prime moduli supported
- symbol = "^ -1"
- test_function = "mpi_mod_inv_non_mont"
- test_name = "mbedtls_mpi_mod_inv non-Mont. form"
- input_style = "fixed"
- arity = 1
- suffix = True
- disallow_zero_a = True
-
- def result(self) -> List[str]:
- result = bignum_common.invmod_positive(self.int_a, self.int_n)
- # To make negative tests easier, append 0 for success to the
- # generated cases
- return [self.format_result(result), "0"]
-
-class BignumModInvMont(bignum_common.ModOperationCommon, BignumModTarget):
- """Test cases for bignum mpi_mod_inv() - Montgomery form."""
- moduli = ONLY_PRIME_MODULI # for now only prime moduli supported
- symbol = "^ -1"
- test_function = "mpi_mod_inv_mont"
- test_name = "mbedtls_mpi_mod_inv Mont. form"
- input_style = "arch_split" # Mont. form requires arch_split
- arity = 1
- suffix = True
- disallow_zero_a = True
- montgomery_form_a = True
-
- def result(self) -> List[str]:
- result = bignum_common.invmod_positive(self.int_a, self.int_n)
- mont_result = self.to_montgomery(result)
- # To make negative tests easier, append 0 for success to the
- # generated cases
- return [self.format_result(mont_result), "0"]
-
-
-class BignumModAdd(bignum_common.ModOperationCommon, BignumModTarget):
- """Test cases for bignum mpi_mod_add()."""
- count = 0
- symbol = "+"
- test_function = "mpi_mod_add"
- test_name = "mbedtls_mpi_mod_add"
- input_style = "fixed"
-
- def result(self) -> List[str]:
- result = (self.int_a + self.int_b) % self.int_n
- # To make negative tests easier, append "0" for success to the
- # generated cases
- return [self.format_result(result), "0"]
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
deleted file mode 100644
index 7121f2f..0000000
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ /dev/null
@@ -1,253 +0,0 @@
-"""Framework classes for generation of bignum mod_raw test cases."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from typing import Iterator, List
-
-from . import test_case
-from . import test_data_generation
-from . import bignum_common
-from .bignum_data import ONLY_PRIME_MODULI
-
-class BignumModRawTarget(test_data_generation.BaseTarget):
- #pylint: disable=abstract-method, too-few-public-methods
- """Target for bignum mod_raw test case generation."""
- target_basename = 'test_suite_bignum_mod_raw.generated'
-
-
-class BignumModRawSub(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """Test cases for bignum mpi_mod_raw_sub()."""
- symbol = "-"
- test_function = "mpi_mod_raw_sub"
- test_name = "mbedtls_mpi_mod_raw_sub"
- input_style = "fixed"
- arity = 2
-
- def arguments(self) -> List[str]:
- return [bignum_common.quote_str(n) for n in [self.arg_a,
- self.arg_b,
- self.arg_n]
- ] + self.result()
-
- def result(self) -> List[str]:
- result = (self.int_a - self.int_b) % self.int_n
- return [self.format_result(result)]
-
-class BignumModRawFixQuasiReduction(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """Test cases for ecp quasi_reduction()."""
- symbol = "-"
- test_function = "mpi_mod_raw_fix_quasi_reduction"
- test_name = "fix_quasi_reduction"
- input_style = "fixed"
- arity = 1
-
- # Extend the default values with n < x < 2n
- input_values = bignum_common.ModOperationCommon.input_values + [
- "73",
-
- # First number generated by random.getrandbits(1024) - seed(3,2)
- "ea7b5bf55eb561a4216363698b529b4a97b750923ceb3ffd",
-
- # First number generated by random.getrandbits(1024) - seed(1,2)
- ("cd447e35b8b6d8fe442e3d437204e52db2221a58008a05a6c4647159c324c985"
- "9b810e766ec9d28663ca828dd5f4b3b2e4b06ce60741c7a87ce42c8218072e8c"
- "35bf992dc9e9c616612e7696a6cecc1b78e510617311d8a3c2ce6f447ed4d57b"
- "1e2feb89414c343c1027c4d1c386bbc4cd613e30d8f16adf91b7584a2265b1f5")
- ] # type: List[str]
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return bool(self.int_a < 2 * self.int_n)
-
-class BignumModRawMul(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """Test cases for bignum mpi_mod_raw_mul()."""
- symbol = "*"
- test_function = "mpi_mod_raw_mul"
- test_name = "mbedtls_mpi_mod_raw_mul"
- input_style = "arch_split"
- arity = 2
-
- def arguments(self) -> List[str]:
- return [self.format_result(self.to_montgomery(self.int_a)),
- self.format_result(self.to_montgomery(self.int_b)),
- bignum_common.quote_str(self.arg_n)
- ] + self.result()
-
- def result(self) -> List[str]:
- result = (self.int_a * self.int_b) % self.int_n
- return [self.format_result(self.to_montgomery(result))]
-
-
-class BignumModRawInvPrime(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """Test cases for bignum mpi_mod_raw_inv_prime()."""
- moduli = ONLY_PRIME_MODULI
- symbol = "^ -1"
- test_function = "mpi_mod_raw_inv_prime"
- test_name = "mbedtls_mpi_mod_raw_inv_prime (Montgomery form only)"
- input_style = "arch_split"
- arity = 1
- suffix = True
- montgomery_form_a = True
- disallow_zero_a = True
-
- def result(self) -> List[str]:
- result = bignum_common.invmod_positive(self.int_a, self.int_n)
- mont_result = self.to_montgomery(result)
- return [self.format_result(mont_result)]
-
-
-class BignumModRawAdd(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """Test cases for bignum mpi_mod_raw_add()."""
- symbol = "+"
- test_function = "mpi_mod_raw_add"
- test_name = "mbedtls_mpi_mod_raw_add"
- input_style = "fixed"
- arity = 2
-
- def result(self) -> List[str]:
- result = (self.int_a + self.int_b) % self.int_n
- return [self.format_result(result)]
-
-
-class BignumModRawConvertRep(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- # This is an abstract class, it's ok to have unimplemented methods.
- #pylint: disable=abstract-method
- """Test cases for representation conversion."""
- symbol = ""
- input_style = "arch_split"
- arity = 1
- rep = bignum_common.ModulusRepresentation.INVALID
-
- def set_representation(self, r: bignum_common.ModulusRepresentation) -> None:
- self.rep = r
-
- def arguments(self) -> List[str]:
- return ([bignum_common.quote_str(self.arg_n), self.rep.symbol(),
- bignum_common.quote_str(self.arg_a)] +
- self.result())
-
- def description(self) -> str:
- base = super().description()
- mod_with_rep = 'mod({})'.format(self.rep.name)
- return base.replace('mod', mod_with_rep, 1)
-
- @classmethod
- def test_cases_for_values(cls, rep: bignum_common.ModulusRepresentation,
- n: str, a: str) -> Iterator[test_case.TestCase]:
- """Emit test cases for the given values (if any).
-
- This may emit no test cases if a isn't valid for the modulus n,
- or multiple test cases if rep requires different data depending
- on the limb size.
- """
- for bil in cls.limb_sizes:
- test_object = cls(n, a, bits_in_limb=bil)
- test_object.set_representation(rep)
- # The class is set to having separate test cases for each limb
- # size, because the Montgomery representation requires it.
- # But other representations don't require it. So for other
- # representations, emit a single test case with no dependency
- # on the limb size.
- if rep is not bignum_common.ModulusRepresentation.MONTGOMERY:
- test_object.dependencies = \
- [dep for dep in test_object.dependencies
- if not dep.startswith('MBEDTLS_HAVE_INT')]
- if test_object.is_valid:
- yield test_object.create_test_case()
- if rep is not bignum_common.ModulusRepresentation.MONTGOMERY:
- # A single test case (emitted, or skipped due to invalidity)
- # is enough, since this test case doesn't depend on the
- # limb size.
- break
-
- # The parent class doesn't support non-bignum parameters. So we override
- # test generation, in order to have the representation as a parameter.
- @classmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-
- for rep in bignum_common.ModulusRepresentation.supported_representations():
- for n in cls.moduli:
- for a in cls.input_values:
- yield from cls.test_cases_for_values(rep, n, a)
-
-class BignumModRawCanonicalToModulusRep(BignumModRawConvertRep):
- """Test cases for mpi_mod_raw_canonical_to_modulus_rep."""
- test_function = "mpi_mod_raw_canonical_to_modulus_rep"
- test_name = "Rep canon->mod"
-
- def result(self) -> List[str]:
- return [self.format_result(self.convert_from_canonical(self.int_a, self.rep))]
-
-class BignumModRawModulusToCanonicalRep(BignumModRawConvertRep):
- """Test cases for mpi_mod_raw_modulus_to_canonical_rep."""
- test_function = "mpi_mod_raw_modulus_to_canonical_rep"
- test_name = "Rep mod->canon"
-
- @property
- def arg_a(self) -> str:
- return self.format_arg("{:x}".format(self.convert_from_canonical(self.int_a, self.rep)))
-
- def result(self) -> List[str]:
- return [self.format_result(self.int_a)]
-
-
-class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """ Test cases for mpi_mod_raw_to_mont_rep(). """
- test_function = "mpi_mod_raw_to_mont_rep"
- test_name = "Convert into Mont: "
- symbol = "R *"
- input_style = "arch_split"
- arity = 1
-
- def result(self) -> List[str]:
- result = self.to_montgomery(self.int_a)
- return [self.format_result(result)]
-
-class BignumModRawConvertFromMont(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """ Test cases for mpi_mod_raw_from_mont_rep(). """
- test_function = "mpi_mod_raw_from_mont_rep"
- test_name = "Convert from Mont: "
- symbol = "1/R *"
- input_style = "arch_split"
- arity = 1
-
- def result(self) -> List[str]:
- result = self.from_montgomery(self.int_a)
- return [self.format_result(result)]
-
-class BignumModRawModNegate(bignum_common.ModOperationCommon,
- BignumModRawTarget):
- """ Test cases for mpi_mod_raw_neg(). """
- test_function = "mpi_mod_raw_neg"
- test_name = "Modular negation: "
- symbol = "-"
- input_style = "arch_split"
- arity = 1
-
- def result(self) -> List[str]:
- result = (self.int_n - self.int_a) % self.int_n
- return [self.format_result(result)]
diff --git a/scripts/mbedtls_dev/build_tree.py b/scripts/mbedtls_dev/build_tree.py
deleted file mode 100644
index 2e10c88..0000000
--- a/scripts/mbedtls_dev/build_tree.py
+++ /dev/null
@@ -1,74 +0,0 @@
-"""Mbed TLS build tree information and manipulation.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-import inspect
-
-def looks_like_tf_psa_crypto_root(path: str) -> bool:
- """Whether the given directory looks like the root of the PSA Crypto source tree."""
- return all(os.path.isdir(os.path.join(path, subdir))
- for subdir in ['include', 'core', 'drivers', 'programs', 'tests'])
-
-def looks_like_mbedtls_root(path: str) -> bool:
- """Whether the given directory looks like the root of the Mbed TLS source tree."""
- return all(os.path.isdir(os.path.join(path, subdir))
- for subdir in ['include', 'library', 'programs', 'tests'])
-
-def looks_like_root(path: str) -> bool:
- return looks_like_tf_psa_crypto_root(path) or looks_like_mbedtls_root(path)
-
-def check_repo_path():
- """
- Check that the current working directory is the project root, and throw
- an exception if not.
- """
- if not all(os.path.isdir(d) for d in ["include", "library", "tests"]):
- raise Exception("This script must be run from Mbed TLS root")
-
-def chdir_to_root() -> None:
- """Detect the root of the Mbed TLS source tree and change to it.
-
- The current directory must be up to two levels deep inside an Mbed TLS
- source tree.
- """
- for d in [os.path.curdir,
- os.path.pardir,
- os.path.join(os.path.pardir, os.path.pardir)]:
- if looks_like_root(d):
- os.chdir(d)
- return
- raise Exception('Mbed TLS source tree not found')
-
-
-def guess_mbedtls_root():
- """Guess mbedTLS source code directory.
-
- Return the first possible mbedTLS root directory
- """
- dirs = set({})
- for frame in inspect.stack():
- path = os.path.dirname(frame.filename)
- for d in ['.', os.path.pardir] \
- + [os.path.join(*([os.path.pardir]*i)) for i in range(2, 10)]:
- d = os.path.abspath(os.path.join(path, d))
- if d in dirs:
- continue
- dirs.add(d)
- if looks_like_root(d):
- return d
- raise Exception('Mbed TLS source tree not found')
diff --git a/scripts/mbedtls_dev/c_build_helper.py b/scripts/mbedtls_dev/c_build_helper.py
deleted file mode 100644
index 9bd17d6..0000000
--- a/scripts/mbedtls_dev/c_build_helper.py
+++ /dev/null
@@ -1,173 +0,0 @@
-"""Generate and run C code.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-import platform
-import subprocess
-import sys
-import tempfile
-
-def remove_file_if_exists(filename):
- """Remove the specified file, ignoring errors."""
- if not filename:
- return
- try:
- os.remove(filename)
- except OSError:
- pass
-
-def create_c_file(file_label):
- """Create a temporary C file.
-
- * ``file_label``: a string that will be included in the file name.
-
- Return ```(c_file, c_name, exe_name)``` where ``c_file`` is a Python
- stream open for writing to the file, ``c_name`` is the name of the file
- and ``exe_name`` is the name of the executable that will be produced
- by compiling the file.
- """
- c_fd, c_name = tempfile.mkstemp(prefix='tmp-{}-'.format(file_label),
- suffix='.c')
- exe_suffix = '.exe' if platform.system() == 'Windows' else ''
- exe_name = c_name[:-2] + exe_suffix
- remove_file_if_exists(exe_name)
- c_file = os.fdopen(c_fd, 'w', encoding='ascii')
- return c_file, c_name, exe_name
-
-def generate_c_printf_expressions(c_file, cast_to, printf_format, expressions):
- """Generate C instructions to print the value of ``expressions``.
-
- Write the code with ``c_file``'s ``write`` method.
-
- Each expression is cast to the type ``cast_to`` and printed with the
- printf format ``printf_format``.
- """
- for expr in expressions:
- c_file.write(' printf("{}\\n", ({}) {});\n'
- .format(printf_format, cast_to, expr))
-
-def generate_c_file(c_file,
- caller, header,
- main_generator):
- """Generate a temporary C source file.
-
- * ``c_file`` is an open stream on the C source file.
- * ``caller``: an informational string written in a comment at the top
- of the file.
- * ``header``: extra code to insert before any function in the generated
- C file.
- * ``main_generator``: a function called with ``c_file`` as its sole argument
- to generate the body of the ``main()`` function.
- """
- c_file.write('/* Generated by {} */'
- .format(caller))
- c_file.write('''
-#include <stdio.h>
-''')
- c_file.write(header)
- c_file.write('''
-int main(void)
-{
-''')
- main_generator(c_file)
- c_file.write(''' return 0;
-}
-''')
-
-def compile_c_file(c_filename, exe_filename, include_dirs):
- """Compile a C source file with the host compiler.
-
- * ``c_filename``: the name of the source file to compile.
- * ``exe_filename``: the name for the executable to be created.
- * ``include_dirs``: a list of paths to include directories to be passed
- with the -I switch.
- """
- # Respect $HOSTCC if it is set
- cc = os.getenv('HOSTCC', None)
- if cc is None:
- cc = os.getenv('CC', 'cc')
- cmd = [cc]
-
- proc = subprocess.Popen(cmd,
- stdout=subprocess.DEVNULL,
- stderr=subprocess.PIPE,
- universal_newlines=True)
- cc_is_msvc = 'Microsoft (R) C/C++' in proc.communicate()[1]
-
- cmd += ['-I' + dir for dir in include_dirs]
- if cc_is_msvc:
- # MSVC has deprecated using -o to specify the output file,
- # and produces an object file in the working directory by default.
- obj_filename = exe_filename[:-4] + '.obj'
- cmd += ['-Fe' + exe_filename, '-Fo' + obj_filename]
- else:
- cmd += ['-o' + exe_filename]
-
- subprocess.check_call(cmd + [c_filename])
-
-def get_c_expression_values(
- cast_to, printf_format,
- expressions,
- caller=__name__, file_label='',
- header='', include_path=None,
- keep_c=False,
-): # pylint: disable=too-many-arguments, too-many-locals
- """Generate and run a program to print out numerical values for expressions.
-
- * ``cast_to``: a C type.
- * ``printf_format``: a printf format suitable for the type ``cast_to``.
- * ``header``: extra code to insert before any function in the generated
- C file.
- * ``expressions``: a list of C language expressions that have the type
- ``cast_to``.
- * ``include_path``: a list of directories containing header files.
- * ``keep_c``: if true, keep the temporary C file (presumably for debugging
- purposes).
-
- Use the C compiler specified by the ``CC`` environment variable, defaulting
- to ``cc``. If ``CC`` looks like MSVC, use its command line syntax,
- otherwise assume the compiler supports Unix traditional ``-I`` and ``-o``.
-
- Return the list of values of the ``expressions``.
- """
- if include_path is None:
- include_path = []
- c_name = None
- exe_name = None
- obj_name = None
- try:
- c_file, c_name, exe_name = create_c_file(file_label)
- generate_c_file(
- c_file, caller, header,
- lambda c_file: generate_c_printf_expressions(c_file,
- cast_to, printf_format,
- expressions)
- )
- c_file.close()
-
- compile_c_file(c_name, exe_name, include_path)
- if keep_c:
- sys.stderr.write('List of {} tests kept at {}\n'
- .format(caller, c_name))
- else:
- os.remove(c_name)
- output = subprocess.check_output([exe_name])
- return output.decode('ascii').strip().split('\n')
- finally:
- remove_file_if_exists(exe_name)
- remove_file_if_exists(obj_name)
diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py
deleted file mode 100644
index 7593952..0000000
--- a/scripts/mbedtls_dev/crypto_data_tests.py
+++ /dev/null
@@ -1,123 +0,0 @@
-"""Generate test data for cryptographic mechanisms.
-
-This module is a work in progress, only implementing a few cases for now.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import hashlib
-from typing import Callable, Dict, Iterator, List, Optional #pylint: disable=unused-import
-
-from . import crypto_knowledge
-from . import psa_information
-from . import test_case
-
-
-def psa_low_level_dependencies(*expressions: str) -> List[str]:
- """Infer dependencies of a PSA low-level test case by looking for PSA_xxx symbols.
-
- This function generates MBEDTLS_PSA_BUILTIN_xxx symbols.
- """
- high_level = psa_information.automatic_dependencies(*expressions)
- for dep in high_level:
- assert dep.startswith('PSA_WANT_')
- return ['MBEDTLS_PSA_BUILTIN_' + dep[9:] for dep in high_level]
-
-
-class HashPSALowLevel:
- """Generate test cases for the PSA low-level hash interface."""
-
- def __init__(self, info: psa_information.Information) -> None:
- self.info = info
- base_algorithms = sorted(info.constructors.algorithms)
- all_algorithms = \
- [crypto_knowledge.Algorithm(expr)
- for expr in info.constructors.generate_expressions(base_algorithms)]
- self.algorithms = \
- [alg
- for alg in all_algorithms
- if (not alg.is_wildcard and
- alg.can_do(crypto_knowledge.AlgorithmCategory.HASH))]
-
- # CALCULATE[alg] = function to return the hash of its argument in hex
- # TO-DO: implement the None entries with a third-party library, because
- # hashlib might not have everything, depending on the Python version and
- # the underlying OpenSSL. On Ubuntu 16.04, truncated sha512 and sha3/shake
- # are not available. On Ubuntu 22.04, md2, md4 and ripemd160 are not
- # available.
- CALCULATE = {
- 'PSA_ALG_MD5': lambda data: hashlib.md5(data).hexdigest(),
- 'PSA_ALG_RIPEMD160': None, #lambda data: hashlib.new('ripdemd160').hexdigest()
- 'PSA_ALG_SHA_1': lambda data: hashlib.sha1(data).hexdigest(),
- 'PSA_ALG_SHA_224': lambda data: hashlib.sha224(data).hexdigest(),
- 'PSA_ALG_SHA_256': lambda data: hashlib.sha256(data).hexdigest(),
- 'PSA_ALG_SHA_384': lambda data: hashlib.sha384(data).hexdigest(),
- 'PSA_ALG_SHA_512': lambda data: hashlib.sha512(data).hexdigest(),
- 'PSA_ALG_SHA_512_224': None, #lambda data: hashlib.new('sha512_224').hexdigest()
- 'PSA_ALG_SHA_512_256': None, #lambda data: hashlib.new('sha512_256').hexdigest()
- 'PSA_ALG_SHA3_224': None, #lambda data: hashlib.sha3_224(data).hexdigest(),
- 'PSA_ALG_SHA3_256': None, #lambda data: hashlib.sha3_256(data).hexdigest(),
- 'PSA_ALG_SHA3_384': None, #lambda data: hashlib.sha3_384(data).hexdigest(),
- 'PSA_ALG_SHA3_512': None, #lambda data: hashlib.sha3_512(data).hexdigest(),
- 'PSA_ALG_SHAKE256_512': None, #lambda data: hashlib.shake_256(data).hexdigest(64),
- } #type: Dict[str, Optional[Callable[[bytes], str]]]
-
- @staticmethod
- def one_test_case(alg: crypto_knowledge.Algorithm,
- function: str, note: str,
- arguments: List[str]) -> test_case.TestCase:
- """Construct one test case involving a hash."""
- tc = test_case.TestCase()
- tc.set_description('{}{} {}'
- .format(function,
- ' ' + note if note else '',
- alg.short_expression()))
- tc.set_dependencies(psa_low_level_dependencies(alg.expression))
- tc.set_function(function)
- tc.set_arguments([alg.expression] +
- ['"{}"'.format(arg) for arg in arguments])
- return tc
-
- def test_cases_for_hash(self,
- alg: crypto_knowledge.Algorithm
- ) -> Iterator[test_case.TestCase]:
- """Enumerate all test cases for one hash algorithm."""
- calc = self.CALCULATE[alg.expression]
- if calc is None:
- return # not implemented yet
-
- short = b'abc'
- hash_short = calc(short)
- long = (b'Hello, world. Here are 16 unprintable bytes: ['
- b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a'
- b'\x80\x81\x82\x83\xfe\xff]. '
- b' This message was brought to you by a natural intelligence. '
- b' If you can read this, good luck with your debugging!')
- hash_long = calc(long)
-
- yield self.one_test_case(alg, 'hash_empty', '', [calc(b'')])
- yield self.one_test_case(alg, 'hash_valid_one_shot', '',
- [short.hex(), hash_short])
- for n in [0, 1, 64, len(long) - 1, len(long)]:
- yield self.one_test_case(alg, 'hash_valid_multipart',
- '{} + {}'.format(n, len(long) - n),
- [long[:n].hex(), calc(long[:n]),
- long[n:].hex(), hash_long])
-
- def all_test_cases(self) -> Iterator[test_case.TestCase]:
- """Enumerate all test cases for all hash algorithms."""
- for alg in self.algorithms:
- yield from self.test_cases_for_hash(alg)
diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
deleted file mode 100644
index 45d253b..0000000
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ /dev/null
@@ -1,579 +0,0 @@
-"""Knowledge about cryptographic mechanisms implemented in Mbed TLS.
-
-This module is entirely based on the PSA API.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import enum
-import re
-from typing import FrozenSet, Iterable, List, Optional, Tuple, Dict
-
-from .asymmetric_key_data import ASYMMETRIC_KEY_DATA
-
-
-def short_expression(original: str, level: int = 0) -> str:
- """Abbreviate the expression, keeping it human-readable.
-
- If `level` is 0, just remove parts that are implicit from context,
- such as a leading ``PSA_KEY_TYPE_``.
- For larger values of `level`, also abbreviate some names in an
- unambiguous, but ad hoc way.
- """
- short = original
- short = re.sub(r'\bPSA_(?:ALG|DH_FAMILY|ECC_FAMILY|KEY_[A-Z]+)_', r'', short)
- short = re.sub(r' +', r'', short)
- if level >= 1:
- short = re.sub(r'PUBLIC_KEY\b', r'PUB', short)
- short = re.sub(r'KEY_PAIR\b', r'PAIR', short)
- short = re.sub(r'\bBRAINPOOL_P', r'BP', short)
- short = re.sub(r'\bMONTGOMERY\b', r'MGM', short)
- short = re.sub(r'AEAD_WITH_SHORTENED_TAG\b', r'AEAD_SHORT', short)
- short = re.sub(r'\bDETERMINISTIC_', r'DET_', short)
- short = re.sub(r'\bKEY_AGREEMENT\b', r'KA', short)
- short = re.sub(r'_PSK_TO_MS\b', r'_PSK2MS', short)
- return short
-
-
-BLOCK_CIPHERS = frozenset(['AES', 'ARIA', 'CAMELLIA', 'DES'])
-BLOCK_MAC_MODES = frozenset(['CBC_MAC', 'CMAC'])
-BLOCK_CIPHER_MODES = frozenset([
- 'CTR', 'CFB', 'OFB', 'XTS', 'CCM_STAR_NO_TAG',
- 'ECB_NO_PADDING', 'CBC_NO_PADDING', 'CBC_PKCS7',
-])
-BLOCK_AEAD_MODES = frozenset(['CCM', 'GCM'])
-
-class EllipticCurveCategory(enum.Enum):
- """Categorization of elliptic curve families.
-
- The category of a curve determines what algorithms are defined over it.
- """
-
- SHORT_WEIERSTRASS = 0
- MONTGOMERY = 1
- TWISTED_EDWARDS = 2
-
- @staticmethod
- def from_family(family: str) -> 'EllipticCurveCategory':
- if family == 'PSA_ECC_FAMILY_MONTGOMERY':
- return EllipticCurveCategory.MONTGOMERY
- if family == 'PSA_ECC_FAMILY_TWISTED_EDWARDS':
- return EllipticCurveCategory.TWISTED_EDWARDS
- # Default to SW, which most curves belong to.
- return EllipticCurveCategory.SHORT_WEIERSTRASS
-
-
-class KeyType:
- """Knowledge about a PSA key type."""
-
- def __init__(self, name: str, params: Optional[Iterable[str]] = None) -> None:
- """Analyze a key type.
-
- The key type must be specified in PSA syntax. In its simplest form,
- `name` is a string 'PSA_KEY_TYPE_xxx' which is the name of a PSA key
- type macro. For key types that take arguments, the arguments can
- be passed either through the optional argument `params` or by
- passing an expression of the form 'PSA_KEY_TYPE_xxx(param1, ...)'
- in `name` as a string.
- """
-
- self.name = name.strip()
- """The key type macro name (``PSA_KEY_TYPE_xxx``).
-
- For key types constructed from a macro with arguments, this is the
- name of the macro, and the arguments are in `self.params`.
- """
- if params is None:
- if '(' in self.name:
- m = re.match(r'(\w+)\s*\((.*)\)\Z', self.name)
- assert m is not None
- self.name = m.group(1)
- params = m.group(2).split(',')
- self.params = (None if params is None else
- [param.strip() for param in params])
- """The parameters of the key type, if there are any.
-
- None if the key type is a macro without arguments.
- """
- assert re.match(r'PSA_KEY_TYPE_\w+\Z', self.name)
-
- self.expression = self.name
- """A C expression whose value is the key type encoding."""
- if self.params is not None:
- self.expression += '(' + ', '.join(self.params) + ')'
-
- m = re.match(r'PSA_KEY_TYPE_(\w+)', self.name)
- assert m
- self.head = re.sub(r'_(?:PUBLIC_KEY|KEY_PAIR)\Z', r'', m.group(1))
- """The key type macro name, with common prefixes and suffixes stripped."""
-
- self.private_type = re.sub(r'_PUBLIC_KEY\Z', r'_KEY_PAIR', self.name)
- """The key type macro name for the corresponding key pair type.
-
- For everything other than a public key type, this is the same as
- `self.name`.
- """
-
- def short_expression(self, level: int = 0) -> str:
- """Abbreviate the expression, keeping it human-readable.
-
- See `crypto_knowledge.short_expression`.
- """
- return short_expression(self.expression, level=level)
-
- def is_public(self) -> bool:
- """Whether the key type is for public keys."""
- return self.name.endswith('_PUBLIC_KEY')
-
- DH_KEY_SIZES = {
- 'PSA_DH_FAMILY_RFC7919': (2048, 3072, 4096, 6144, 8192),
- } # type: Dict[str, Tuple[int, ...]]
- ECC_KEY_SIZES = {
- 'PSA_ECC_FAMILY_SECP_K1': (192, 224, 256),
- 'PSA_ECC_FAMILY_SECP_R1': (225, 256, 384, 521),
- 'PSA_ECC_FAMILY_SECP_R2': (160,),
- 'PSA_ECC_FAMILY_SECT_K1': (163, 233, 239, 283, 409, 571),
- 'PSA_ECC_FAMILY_SECT_R1': (163, 233, 283, 409, 571),
- 'PSA_ECC_FAMILY_SECT_R2': (163,),
- 'PSA_ECC_FAMILY_BRAINPOOL_P_R1': (160, 192, 224, 256, 320, 384, 512),
- 'PSA_ECC_FAMILY_MONTGOMERY': (255, 448),
- 'PSA_ECC_FAMILY_TWISTED_EDWARDS': (255, 448),
- } # type: Dict[str, Tuple[int, ...]]
- KEY_TYPE_SIZES = {
- 'PSA_KEY_TYPE_AES': (128, 192, 256), # exhaustive
- 'PSA_KEY_TYPE_ARIA': (128, 192, 256), # exhaustive
- 'PSA_KEY_TYPE_CAMELLIA': (128, 192, 256), # exhaustive
- 'PSA_KEY_TYPE_CHACHA20': (256,), # exhaustive
- 'PSA_KEY_TYPE_DERIVE': (120, 128), # sample
- 'PSA_KEY_TYPE_DES': (64, 128, 192), # exhaustive
- 'PSA_KEY_TYPE_HMAC': (128, 160, 224, 256, 384, 512), # standard size for each supported hash
- 'PSA_KEY_TYPE_PASSWORD': (48, 168, 336), # sample
- 'PSA_KEY_TYPE_PASSWORD_HASH': (128, 256), # sample
- 'PSA_KEY_TYPE_PEPPER': (128, 256), # sample
- 'PSA_KEY_TYPE_RAW_DATA': (8, 40, 128), # sample
- 'PSA_KEY_TYPE_RSA_KEY_PAIR': (1024, 1536), # small sample
- } # type: Dict[str, Tuple[int, ...]]
- def sizes_to_test(self) -> Tuple[int, ...]:
- """Return a tuple of key sizes to test.
-
- For key types that only allow a single size, or only a small set of
- sizes, these are all the possible sizes. For key types that allow a
- wide range of sizes, these are a representative sample of sizes,
- excluding large sizes for which a typical resource-constrained platform
- may run out of memory.
- """
- if self.private_type == 'PSA_KEY_TYPE_ECC_KEY_PAIR':
- assert self.params is not None
- return self.ECC_KEY_SIZES[self.params[0]]
- if self.private_type == 'PSA_KEY_TYPE_DH_KEY_PAIR':
- assert self.params is not None
- return self.DH_KEY_SIZES[self.params[0]]
- return self.KEY_TYPE_SIZES[self.private_type]
-
- # "48657265006973206b6579a064617461"
- DATA_BLOCK = b'Here\000is key\240data'
- def key_material(self, bits: int) -> bytes:
- """Return a byte string containing suitable key material with the given bit length.
-
- Use the PSA export representation. The resulting byte string is one that
- can be obtained with the following code:
- ```
- psa_set_key_type(&attributes, `self.expression`);
- psa_set_key_bits(&attributes, `bits`);
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
- psa_generate_key(&attributes, &id);
- psa_export_key(id, `material`, ...);
- ```
- """
- if self.expression in ASYMMETRIC_KEY_DATA:
- if bits not in ASYMMETRIC_KEY_DATA[self.expression]:
- raise ValueError('No key data for {}-bit {}'
- .format(bits, self.expression))
- return ASYMMETRIC_KEY_DATA[self.expression][bits]
- if bits % 8 != 0:
- raise ValueError('Non-integer number of bytes: {} bits for {}'
- .format(bits, self.expression))
- length = bits // 8
- if self.name == 'PSA_KEY_TYPE_DES':
- # "644573206b457901644573206b457902644573206b457904"
- des3 = b'dEs kEy\001dEs kEy\002dEs kEy\004'
- return des3[:length]
- return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) +
- [self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]])
-
- def can_do(self, alg: 'Algorithm') -> bool:
- """Whether this key type can be used for operations with the given algorithm.
-
- This function does not currently handle key derivation or PAKE.
- """
- #pylint: disable=too-many-branches,too-many-return-statements
- if not alg.is_valid_for_operation():
- return False
- if self.head == 'HMAC' and alg.head == 'HMAC':
- return True
- if self.head == 'DES':
- # 64-bit block ciphers only allow a reduced set of modes.
- return alg.head in [
- 'CBC_NO_PADDING', 'CBC_PKCS7',
- 'ECB_NO_PADDING',
- ]
- if self.head in BLOCK_CIPHERS and \
- alg.head in frozenset.union(BLOCK_MAC_MODES,
- BLOCK_CIPHER_MODES,
- BLOCK_AEAD_MODES):
- if alg.head in ['CMAC', 'OFB'] and \
- self.head in ['ARIA', 'CAMELLIA']:
- return False # not implemented in Mbed TLS
- return True
- if self.head == 'CHACHA20' and alg.head == 'CHACHA20_POLY1305':
- return True
- if self.head in {'ARC4', 'CHACHA20'} and \
- alg.head == 'STREAM_CIPHER':
- return True
- if self.head == 'RSA' and alg.head.startswith('RSA_'):
- return True
- if alg.category == AlgorithmCategory.KEY_AGREEMENT and \
- self.is_public():
- # The PSA API does not use public key objects in key agreement
- # operations: it imports the public key as a formatted byte string.
- # So a public key object with a key agreement algorithm is not
- # a valid combination.
- return False
- if alg.is_invalid_key_agreement_with_derivation():
- return False
- if self.head == 'ECC':
- assert self.params is not None
- eccc = EllipticCurveCategory.from_family(self.params[0])
- if alg.head == 'ECDH' and \
- eccc in {EllipticCurveCategory.SHORT_WEIERSTRASS,
- EllipticCurveCategory.MONTGOMERY}:
- return True
- if alg.head == 'ECDSA' and \
- eccc == EllipticCurveCategory.SHORT_WEIERSTRASS:
- return True
- if alg.head in {'PURE_EDDSA', 'EDDSA_PREHASH'} and \
- eccc == EllipticCurveCategory.TWISTED_EDWARDS:
- return True
- if self.head == 'DH' and alg.head == 'FFDH':
- return True
- return False
-
-
-class AlgorithmCategory(enum.Enum):
- """PSA algorithm categories."""
- # The numbers are aligned with the category bits in numerical values of
- # algorithms.
- HASH = 2
- MAC = 3
- CIPHER = 4
- AEAD = 5
- SIGN = 6
- ASYMMETRIC_ENCRYPTION = 7
- KEY_DERIVATION = 8
- KEY_AGREEMENT = 9
- PAKE = 10
-
- def requires_key(self) -> bool:
- """Whether operations in this category are set up with a key."""
- return self not in {self.HASH, self.KEY_DERIVATION}
-
- def is_asymmetric(self) -> bool:
- """Whether operations in this category involve asymmetric keys."""
- return self in {
- self.SIGN,
- self.ASYMMETRIC_ENCRYPTION,
- self.KEY_AGREEMENT
- }
-
-
-class AlgorithmNotRecognized(Exception):
- def __init__(self, expr: str) -> None:
- super().__init__('Algorithm not recognized: ' + expr)
- self.expr = expr
-
-
-class Algorithm:
- """Knowledge about a PSA algorithm."""
-
- @staticmethod
- def determine_base(expr: str) -> str:
- """Return an expression for the "base" of the algorithm.
-
- This strips off variants of algorithms such as MAC truncation.
-
- This function does not attempt to detect invalid inputs.
- """
- m = re.match(r'PSA_ALG_(?:'
- r'(?:TRUNCATED|AT_LEAST_THIS_LENGTH)_MAC|'
- r'AEAD_WITH_(?:SHORTENED|AT_LEAST_THIS_LENGTH)_TAG'
- r')\((.*),[^,]+\)\Z', expr)
- if m:
- expr = m.group(1)
- return expr
-
- @staticmethod
- def determine_head(expr: str) -> str:
- """Return the head of an algorithm expression.
-
- The head is the first (outermost) constructor, without its PSA_ALG_
- prefix, and with some normalization of similar algorithms.
- """
- m = re.match(r'PSA_ALG_(?:DETERMINISTIC_)?(\w+)', expr)
- if not m:
- raise AlgorithmNotRecognized(expr)
- head = m.group(1)
- if head == 'KEY_AGREEMENT':
- m = re.match(r'PSA_ALG_KEY_AGREEMENT\s*\(\s*PSA_ALG_(\w+)', expr)
- if not m:
- raise AlgorithmNotRecognized(expr)
- head = m.group(1)
- head = re.sub(r'_ANY\Z', r'', head)
- if re.match(r'ED[0-9]+PH\Z', head):
- head = 'EDDSA_PREHASH'
- return head
-
- CATEGORY_FROM_HEAD = {
- 'SHA': AlgorithmCategory.HASH,
- 'SHAKE256_512': AlgorithmCategory.HASH,
- 'MD': AlgorithmCategory.HASH,
- 'RIPEMD': AlgorithmCategory.HASH,
- 'ANY_HASH': AlgorithmCategory.HASH,
- 'HMAC': AlgorithmCategory.MAC,
- 'STREAM_CIPHER': AlgorithmCategory.CIPHER,
- 'CHACHA20_POLY1305': AlgorithmCategory.AEAD,
- 'DSA': AlgorithmCategory.SIGN,
- 'ECDSA': AlgorithmCategory.SIGN,
- 'EDDSA': AlgorithmCategory.SIGN,
- 'PURE_EDDSA': AlgorithmCategory.SIGN,
- 'RSA_PSS': AlgorithmCategory.SIGN,
- 'RSA_PKCS1V15_SIGN': AlgorithmCategory.SIGN,
- 'RSA_PKCS1V15_CRYPT': AlgorithmCategory.ASYMMETRIC_ENCRYPTION,
- 'RSA_OAEP': AlgorithmCategory.ASYMMETRIC_ENCRYPTION,
- 'HKDF': AlgorithmCategory.KEY_DERIVATION,
- 'TLS12_PRF': AlgorithmCategory.KEY_DERIVATION,
- 'TLS12_PSK_TO_MS': AlgorithmCategory.KEY_DERIVATION,
- 'TLS12_ECJPAKE_TO_PMS': AlgorithmCategory.KEY_DERIVATION,
- 'PBKDF': AlgorithmCategory.KEY_DERIVATION,
- 'ECDH': AlgorithmCategory.KEY_AGREEMENT,
- 'FFDH': AlgorithmCategory.KEY_AGREEMENT,
- # KEY_AGREEMENT(...) is a key derivation with a key agreement component
- 'KEY_AGREEMENT': AlgorithmCategory.KEY_DERIVATION,
- 'JPAKE': AlgorithmCategory.PAKE,
- }
- for x in BLOCK_MAC_MODES:
- CATEGORY_FROM_HEAD[x] = AlgorithmCategory.MAC
- for x in BLOCK_CIPHER_MODES:
- CATEGORY_FROM_HEAD[x] = AlgorithmCategory.CIPHER
- for x in BLOCK_AEAD_MODES:
- CATEGORY_FROM_HEAD[x] = AlgorithmCategory.AEAD
-
- def determine_category(self, expr: str, head: str) -> AlgorithmCategory:
- """Return the category of the given algorithm expression.
-
- This function does not attempt to detect invalid inputs.
- """
- prefix = head
- while prefix:
- if prefix in self.CATEGORY_FROM_HEAD:
- return self.CATEGORY_FROM_HEAD[prefix]
- if re.match(r'.*[0-9]\Z', prefix):
- prefix = re.sub(r'_*[0-9]+\Z', r'', prefix)
- else:
- prefix = re.sub(r'_*[^_]*\Z', r'', prefix)
- raise AlgorithmNotRecognized(expr)
-
- @staticmethod
- def determine_wildcard(expr) -> bool:
- """Whether the given algorithm expression is a wildcard.
-
- This function does not attempt to detect invalid inputs.
- """
- if re.search(r'\bPSA_ALG_ANY_HASH\b', expr):
- return True
- if re.search(r'_AT_LEAST_', expr):
- return True
- return False
-
- def __init__(self, expr: str) -> None:
- """Analyze an algorithm value.
-
- The algorithm must be expressed as a C expression containing only
- calls to PSA algorithm constructor macros and numeric literals.
-
- This class is only programmed to handle valid expressions. Invalid
- expressions may result in exceptions or in nonsensical results.
- """
- self.expression = re.sub(r'\s+', r'', expr)
- self.base_expression = self.determine_base(self.expression)
- self.head = self.determine_head(self.base_expression)
- self.category = self.determine_category(self.base_expression, self.head)
- self.is_wildcard = self.determine_wildcard(self.expression)
-
- def get_key_agreement_derivation(self) -> Optional[str]:
- """For a combined key agreement and key derivation algorithm, get the derivation part.
-
- For anything else, return None.
- """
- if self.category != AlgorithmCategory.KEY_AGREEMENT:
- return None
- m = re.match(r'PSA_ALG_KEY_AGREEMENT\(\w+,\s*(.*)\)\Z', self.expression)
- if not m:
- return None
- kdf_alg = m.group(1)
- # Assume kdf_alg is either a valid KDF or 0.
- if re.match(r'(?:0[Xx])?0+\s*\Z', kdf_alg):
- return None
- return kdf_alg
-
- KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT = frozenset([
- 'PSA_ALG_TLS12_ECJPAKE_TO_PMS', # secret input in specific format
- ])
- def is_valid_key_agreement_with_derivation(self) -> bool:
- """Whether this is a valid combined key agreement and key derivation algorithm."""
- kdf_alg = self.get_key_agreement_derivation()
- if kdf_alg is None:
- return False
- return kdf_alg not in self.KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT
-
- def is_invalid_key_agreement_with_derivation(self) -> bool:
- """Whether this is an invalid combined key agreement and key derivation algorithm."""
- kdf_alg = self.get_key_agreement_derivation()
- if kdf_alg is None:
- return False
- return kdf_alg in self.KEY_DERIVATIONS_INCOMPATIBLE_WITH_AGREEMENT
-
- def short_expression(self, level: int = 0) -> str:
- """Abbreviate the expression, keeping it human-readable.
-
- See `crypto_knowledge.short_expression`.
- """
- return short_expression(self.expression, level=level)
-
- HASH_LENGTH = {
- 'PSA_ALG_MD5': 16,
- 'PSA_ALG_SHA_1': 20,
- }
- HASH_LENGTH_BITS_RE = re.compile(r'([0-9]+)\Z')
- @classmethod
- def hash_length(cls, alg: str) -> int:
- """The length of the given hash algorithm, in bytes."""
- if alg in cls.HASH_LENGTH:
- return cls.HASH_LENGTH[alg]
- m = cls.HASH_LENGTH_BITS_RE.search(alg)
- if m:
- return int(m.group(1)) // 8
- raise ValueError('Unknown hash length for ' + alg)
-
- PERMITTED_TAG_LENGTHS = {
- 'PSA_ALG_CCM': frozenset([4, 6, 8, 10, 12, 14, 16]),
- 'PSA_ALG_CHACHA20_POLY1305': frozenset([16]),
- 'PSA_ALG_GCM': frozenset([4, 8, 12, 13, 14, 15, 16]),
- }
- MAC_LENGTH = {
- 'PSA_ALG_CBC_MAC': 16, # actually the block cipher length
- 'PSA_ALG_CMAC': 16, # actually the block cipher length
- }
- HMAC_RE = re.compile(r'PSA_ALG_HMAC\((.*)\)\Z')
- @classmethod
- def permitted_truncations(cls, base: str) -> FrozenSet[int]:
- """Permitted output lengths for the given MAC or AEAD base algorithm.
-
- For a MAC algorithm, this is the set of truncation lengths that
- Mbed TLS supports.
- For an AEAD algorithm, this is the set of truncation lengths that
- are permitted by the algorithm specification.
- """
- if base in cls.PERMITTED_TAG_LENGTHS:
- return cls.PERMITTED_TAG_LENGTHS[base]
- max_length = cls.MAC_LENGTH.get(base, None)
- if max_length is None:
- m = cls.HMAC_RE.match(base)
- if m:
- max_length = cls.hash_length(m.group(1))
- if max_length is None:
- raise ValueError('Unknown permitted lengths for ' + base)
- return frozenset(range(4, max_length + 1))
-
- TRUNCATED_ALG_RE = re.compile(
- r'(?P<face>PSA_ALG_(?:AEAD_WITH_SHORTENED_TAG|TRUNCATED_MAC))'
- r'\((?P<base>.*),'
- r'(?P<length>0[Xx][0-9A-Fa-f]+|[1-9][0-9]*|0[0-7]*)[LUlu]*\)\Z')
- def is_invalid_truncation(self) -> bool:
- """False for a MAC or AEAD algorithm truncated to an invalid length.
-
- True for a MAC or AEAD algorithm truncated to a valid length or to
- a length that cannot be determined. True for anything other than
- a truncated MAC or AEAD.
- """
- m = self.TRUNCATED_ALG_RE.match(self.expression)
- if m:
- base = m.group('base')
- to_length = int(m.group('length'), 0)
- permitted_lengths = self.permitted_truncations(base)
- if to_length not in permitted_lengths:
- return True
- return False
-
- def is_valid_for_operation(self) -> bool:
- """Whether this algorithm construction is valid for an operation.
-
- This function assumes that the algorithm is constructed in a
- "grammatically" correct way, and only rejects semantically invalid
- combinations.
- """
- if self.is_wildcard:
- return False
- if self.is_invalid_truncation():
- return False
- return True
-
- def can_do(self, category: AlgorithmCategory) -> bool:
- """Whether this algorithm can perform operations in the given category.
- """
- if category == self.category:
- return True
- if category == AlgorithmCategory.KEY_DERIVATION and \
- self.is_valid_key_agreement_with_derivation():
- return True
- return False
-
- def usage_flags(self, public: bool = False) -> List[str]:
- """The list of usage flags describing operations that can perform this algorithm.
-
- If public is true, only return public-key operations, not private-key operations.
- """
- if self.category == AlgorithmCategory.HASH:
- flags = []
- elif self.category == AlgorithmCategory.MAC:
- flags = ['SIGN_HASH', 'SIGN_MESSAGE',
- 'VERIFY_HASH', 'VERIFY_MESSAGE']
- elif self.category == AlgorithmCategory.CIPHER or \
- self.category == AlgorithmCategory.AEAD:
- flags = ['DECRYPT', 'ENCRYPT']
- elif self.category == AlgorithmCategory.SIGN:
- flags = ['VERIFY_HASH', 'VERIFY_MESSAGE']
- if not public:
- flags += ['SIGN_HASH', 'SIGN_MESSAGE']
- elif self.category == AlgorithmCategory.ASYMMETRIC_ENCRYPTION:
- flags = ['ENCRYPT']
- if not public:
- flags += ['DECRYPT']
- elif self.category == AlgorithmCategory.KEY_DERIVATION or \
- self.category == AlgorithmCategory.KEY_AGREEMENT:
- flags = ['DERIVE']
- else:
- raise AlgorithmNotRecognized(self.expression)
- return ['PSA_KEY_USAGE_' + flag for flag in flags]
diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py
deleted file mode 100644
index 410c77e..0000000
--- a/scripts/mbedtls_dev/ecp.py
+++ /dev/null
@@ -1,886 +0,0 @@
-"""Framework classes for generation of ecp test cases."""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from typing import List
-
-from . import test_data_generation
-from . import bignum_common
-
-
-class EcpTarget(test_data_generation.BaseTarget):
- #pylint: disable=abstract-method, too-few-public-methods
- """Target for ecp test case generation."""
- target_basename = 'test_suite_ecp.generated'
-
-
-class EcpP192R1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P192 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p192_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP192R1_ENABLED",
- "MBEDTLS_ECP_NIST_OPTIM"]
-
- moduli = ["fffffffffffffffffffffffffffffffeffffffffffffffff"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "fffffffffffffffffffffffffffffffefffffffffffffffe",
-
- # Modulus + 1
- "ffffffffffffffffffffffffffffffff0000000000000000",
-
- # 2^192 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P192 multiplication result
- ("fffffffffffffffffffffffffffffffdfffffffffffffffc"
- "000000000000000100000000000000040000000000000004"),
-
- # Generate an overflow during reduction
- ("00000000000000000000000000000001ffffffffffffffff"
- "ffffffffffffffffffffffffffffffff0000000000000000"),
-
- # Generate an overflow during carry reduction
- ("ffffffffffffffff00000000000000010000000000000000"
- "fffffffffffffffeffffffffffffffff0000000000000000"),
-
- # First 8 number generated by random.getrandbits(384) - seed(2,2)
- ("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
- "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
- "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"),
- ("ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7"
- "dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"),
- ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"
- "defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2"),
- ("2d3d854e061b90303b08c6e33c7295782d6c797f8f7d9b78"
- "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"
- "5c14bc4a829e07b0829a48d422fe99a22c70501e533c9135"),
- ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561"
- "867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"),
- ("bd143fa9b714210c665d7435c1066932f4767f26294365b2"
- "721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
-
- # Next 2 number generated by random.getrandbits(192)
- "47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2",
- "cbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63"
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP192R1"] + args
-
-
-class EcpP224R1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P224 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p224_raw"
- input_style = "arch_split"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP224R1_ENABLED",
- "MBEDTLS_ECP_NIST_OPTIM"]
-
- moduli = ["ffffffffffffffffffffffffffffffff000000000000000000000001"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "ffffffffffffffffffffffffffffffff000000000000000000000000",
-
- # Modulus + 1
- "ffffffffffffffffffffffffffffffff000000000000000000000002",
-
- # 2^224 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P224 multiplication result
- ("fffffffffffffffffffffffffffffffe000000000000000000000000"
- "00000001000000000000000000000000000000000000000000000000"),
-
- # Generate an overflow during reduction
- ("00000000000000000000000000010000000070000000002000001000"
- "ffffffffffff9fffffffffe00000efff000070000000002000001003"),
-
- # Generate an underflow during reduction
- ("00000001000000000000000000000000000000000000000000000000"
- "00000000000dc0000000000000000001000000010000000100000003"),
-
- # First 8 number generated by random.getrandbits(448) - seed(2,2)
- ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337"
- "15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("cdbd47d364be8049a372db8f6e405d93ffed9235288bc781ae662675"
- "94c9c9500925e4749b575bd13653f8dd9b1f282e4067c3584ee207f8"),
- ("defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd12"
- "8b4f2fc15f3f57ebf30b94fa82523e86feac7eb7dc38f519b91751da"),
- ("2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a6"
- "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"),
- ("8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0829a48d4"
- "22fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"),
- ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561867e5e15"
- "bc01bfce6a27e0dfcbf8754472154e76e4c11ab2fec3f6b32e8d4b8a"),
- ("a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
- "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
- ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e"
- "80371eb97f81375eecc1cb6347733e847d718d733ff98ff387c56473"),
-
- # Next 2 number generated by random.getrandbits(224)
- "eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a",
- "f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f258ebdbfe3"
- ]
-
- @property
- def arg_a(self) -> str:
- limbs = 2 * bignum_common.bits_to_limbs(224, self.bits_in_limb)
- hex_digits = bignum_common.hex_digits_for_limb(limbs, self.bits_in_limb)
- return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP224R1"] + args
-
-
-class EcpP256R1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P256 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p256_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP256R1_ENABLED",
- "MBEDTLS_ECP_NIST_OPTIM"]
-
- moduli = ["ffffffff00000001000000000000000000000000ffffffffffffffffffffffff"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "ffffffff00000001000000000000000000000000fffffffffffffffffffffffe",
-
- # Modulus + 1
- "ffffffff00000001000000000000000000000001000000000000000000000000",
-
- # 2^256 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P256 multiplication result
- ("fffffffe00000002fffffffe0000000100000001fffffffe00000001fffffffc"
- "00000003fffffffcfffffffffffffffffffffffc000000000000000000000004"),
-
- # Generate an overflow during reduction
- ("0000000000000000000000010000000000000000000000000000000000000000"
- "00000000000000000000000000000000000000000000000000000000ffffffff"),
-
- # Generate an underflow during reduction
- ("0000000000000000000000000000000000000000000000000000000000000010"
- "ffffffff00000000000000000000000000000000000000000000000000000000"),
-
- # Generate an overflow during carry reduction
- ("aaaaaaaa00000000000000000000000000000000000000000000000000000000"
- "00000000000000000000000000000000aaaaaaacaaaaaaaaaaaaaaaa00000000"),
-
- # Generate an underflow during carry reduction
- ("000000000000000000000001ffffffff00000000000000000000000000000000"
- "0000000000000000000000000000000000000002000000020000000100000002"),
-
- # First 8 number generated by random.getrandbits(512) - seed(2,2)
- ("4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
- "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"
- "ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd9b1f282e"),
- ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a09325626"
- "e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57ebf30b94fa"),
- ("829a48d422fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"
- "2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("e89204e2e8168561867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"
- "fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0"),
- ("bd143fa9b714210c665d7435c1066932f4767f26294365b2721dea3bf63f23d0"
- "dbe53fcafb2147df5ca495fa5a91c89b97eeab64ca2ce6bc5d3fd983c34c769f"),
- ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e80371eb9"
- "7f81375eecc1cb6347733e847d718d733ff98ff387c56473a7a83ee0761ebfd2"),
- ("d08f1bb2531d6460f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f25"
- "8ebdbfe3eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
-
- # Next 2 number generated by random.getrandbits(256)
- "c5e2486c44a4a8f69dc8db48e86ec9c6e06f291b2a838af8d5c44a4eb3172062",
- "d4c0dca8b4c9e755cc9c3adcf515a8234da4daeb4f3f87777ad1f45ae9500ec9"
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP256R1"] + args
-
-
-class EcpP384R1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P384 fast reduction."""
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p384_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP384R1_ENABLED",
- "MBEDTLS_ECP_NIST_OPTIM"]
-
- moduli = [("ffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffeffffffff0000000000000000ffffffff")
- ] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- ("ffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffeffffffff0000000000000000fffffffe"),
-
- # Modulus + 1
- ("ffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffeffffffff000000000000000100000000"),
-
- # 2^384 - 1
- ("ffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffffffffffffffffffff"),
-
- # Maximum canonical P384 multiplication result
- ("ffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffdfffffffe0000000000000001fffffffc"
- "000000000000000000000000000000010000000200000000"
- "fffffffe000000020000000400000000fffffffc00000004"),
-
- # Testing with overflow in A(12) + A(21) + A(20);
- ("497811378624857a2c2af60d70583376545484cfae5c812f"
- "e2999fc1abb51d18b559e8ca3b50aaf263fdf8f24bdfb98f"
- "ffffffff20e65bf9099e4e73a5e8b517cf4fbeb8fd1750fd"
- "ae6d43f2e53f82d5ffffffffffffffffcc6f1e06111c62e0"),
-
- # Testing with underflow in A(13) + A(22) + A(23) - A(12) - A(20);
- ("dfdd25e96777406b3c04b8c7b406f5fcf287e1e576003a09"
- "2852a6fbe517f2712b68abef41dbd35183a0614fb7222606"
- "ffffffff84396eee542f18a9189d94396c784059c17a9f18"
- "f807214ef32f2f10ffffffff8a77fac20000000000000000"),
-
- # Testing with overflow in A(23) + A(20) + A(19) - A(22);
- ("783753f8a5afba6c1862eead1deb2fcdd907272be3ffd185"
- "42b24a71ee8b26cab0aa33513610ff973042bbe1637cc9fc"
- "99ad36c7f703514572cf4f5c3044469a8f5be6312c19e5d3"
- "f8fc1ac6ffffffffffffffff8c86252400000000ffffffff"),
-
- # Testing with underflow in A(23) + A(20) + A(19) - A(22);
- ("65e1d2362fce922663b7fd517586e88842a9b4bd092e93e6"
- "251c9c69f278cbf8285d99ae3b53da5ba36e56701e2b17c2"
- "25f1239556c5f00117fa140218b46ebd8e34f50d0018701f"
- "a8a0a5cc00000000000000004410bcb4ffffffff00000000"),
-
- # Testing the second round of carry reduction
- ("000000000000000000000000ffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffff0000000000000000"
- "0000000000000000ffffffff000000000000000000000001"
- "00000000000000000000000000000000ffffffff00000001"),
-
- # First 8 number generated by random.getrandbits(768) - seed(2,2)
- ("ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
- "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"
- "cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
- "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"
- "defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2"
- "ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7"
- "dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"),
- ("fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"
- "5c14bc4a829e07b0829a48d422fe99a22c70501e533c9135"
- "2d3d854e061b90303b08c6e33c7295782d6c797f8f7d9b78"
- "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("bd143fa9b714210c665d7435c1066932f4767f26294365b2"
- "721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"
- "97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561"
- "867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"),
- ("8ebdbfe3eb9ac688b9d39cca91551e8259cc60b17604e4b4"
- "e73695c3e652c71a74667bffe202849da9643a295a9ac6de"
- "cbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63"
- "47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2"),
- ("d4c0dca8b4c9e755cc9c3adcf515a8234da4daeb4f3f8777"
- "7ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6"
- "e06f291b2a838af8d5c44a4eb3172062d08f1bb2531d6460"
- "f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f25"),
- ("0227eeb7b9d7d01f5769da05d205bbfcc8c69069134bccd3"
- "e1cf4f589f8e4ce0af29d115ef24bd625dd961e6830b54fa"
- "7d28f93435339774bb1e386c4fd5079e681b8f5896838b76"
- "9da59b74a6c3181c81e220df848b1df78feb994a81167346"),
- ("d322a7353ead4efe440e2b4fda9c025a22f1a83185b98f5f"
- "c11e60de1b343f52ea748db9e020307aaeb6db2c3a038a70"
- "9779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a8"
- "1b2d19a2beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd"),
-
- # Next 2 number generated by random.getrandbits(384)
- ("5c3747465cc36c270e8a35b10828d569c268a20eb78ac332"
- "e5e138e26c4454b90f756132e16dce72f18e859835e1f291"),
- ("eb2b5693babb7fbb0a76c196067cfdcb11457d9cf45e2fa0"
- "1d7f4275153924800600571fac3a5b263fdf57cd2c006497")
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP384R1"] + args
-
-
-class EcpP521R1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P521 fast reduction."""
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p521_raw"
- input_style = "arch_split"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP521R1_ENABLED",
- "MBEDTLS_ECP_NIST_OPTIM"]
-
- moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
- ] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- ("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"),
-
- # Modulus + 1
- ("020000000000000000000000000000000000000000000000000000000000000000"
- "000000000000000000000000000000000000000000000000000000000000000000"),
-
- # Maximum canonical P521 multiplication result
- ("0003ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "fffff800"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "0000000000000000000000000000000000000000000000000000000000000004"),
-
- # Test case for overflow during addition
- ("0001efffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "000001ef"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "000000000000000000000000000000000000000000000000000000000f000000"),
-
- # First 8 number generated by random.getrandbits(1042) - seed(2,2)
- ("0003cc2e82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f"
- "6e405d93ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd"
- "9b1f282e"
- "4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
- "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("00017052829e07b0829a48d422fe99a22c70501e533c91352d3d854e061b9030"
- "3b08c6e33c7295782d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c5055"
- "6c71c4a6"
- "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a"
- "09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57eb"),
- ("00021f15a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
- "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b97eeab64"
- "ca2ce6bc"
- "5d3fd983c34c769fe89204e2e8168561867e5e15bc01bfce6a27e0dfcbf87544"
- "72154e76e4c11ab2fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"),
- ("000381bc2a838af8d5c44a4eb3172062d08f1bb2531d6460f0caeef038c89b38"
- "a8acb5137c9260dc74e088a9b9492f258ebdbfe3eb9ac688b9d39cca91551e82"
- "59cc60b1"
- "7604e4b4e73695c3e652c71a74667bffe202849da9643a295a9ac6decbd4d3e2"
- "d4dec9ef83f0be4e80371eb97f81375eecc1cb6347733e847d718d733ff98ff3"),
- ("00034816c8c69069134bccd3e1cf4f589f8e4ce0af29d115ef24bd625dd961e6"
- "830b54fa7d28f93435339774bb1e386c4fd5079e681b8f5896838b769da59b74"
- "a6c3181c"
- "81e220df848b1df78feb994a81167346d4c0dca8b4c9e755cc9c3adcf515a823"
- "4da4daeb4f3f87777ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6"),
- ("000397846c4454b90f756132e16dce72f18e859835e1f291d322a7353ead4efe"
- "440e2b4fda9c025a22f1a83185b98f5fc11e60de1b343f52ea748db9e020307a"
- "aeb6db2c"
- "3a038a709779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a81b2d19a2"
- "beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd0227eeb7b9d7d01f5769da05"),
- ("00002c3296e6bc4d62b47204007ee4fab105d83e85e951862f0981aebc1b00d9"
- "2838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da70569c018eb2b5693"
- "babb7fbb"
- "0a76c196067cfdcb11457d9cf45e2fa01d7f4275153924800600571fac3a5b26"
- "3fdf57cd2c0064975c3747465cc36c270e8a35b10828d569c268a20eb78ac332"),
- ("00009d23b4917fc09f20dbb0dcc93f0e66dfe717c17313394391b6e2e6eacb0f"
- "0bb7be72bd6d25009aeb7fa0c4169b148d2f527e72daf0a54ef25c0707e33868"
- "7d1f7157"
- "5653a45c49390aa51cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71"
- "581d8e830112ff0f0948eccaf8877acf26c377c13f719726fd70bddacb4deeec"),
-
- # Next 2 number generated by random.getrandbits(521)
- ("12b84ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1a1fe"
- "3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccdf572df00790813e3"),
- ("166049dd332a73fa0b26b75196cf87eb8a09b27ec714307c68c425424a1574f1"
- "eedf5b0f16cdfdb839424d201e653f53d6883ca1c107ca6e706649889c0c7f38608")
- ]
-
- @property
- def arg_a(self) -> str:
- # Number of limbs: 2 * N
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP521R1"] + args
-
-
-class EcpP192K1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P192K1 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p192k1_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP192K1_ENABLED"]
-
- moduli = ["fffffffffffffffffffffffffffffffffffffffeffffee37"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "fffffffffffffffffffffffffffffffffffffffeffffee36",
-
- # Modulus + 1
- "fffffffffffffffffffffffffffffffffffffffeffffee38",
-
- # 2^192 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P192K1 multiplication result
- ("fffffffffffffffffffffffffffffffffffffffdffffdc6c"
- "0000000000000000000000000000000100002394013c7364"),
-
- # Test case for overflow during addition
- ("00000007ffff71b809e27dd832cfd5e04d9d2dbb9f8da217"
- "0000000000000000000000000000000000000000520834f0"),
-
- # First 8 number generated by random.getrandbits(384) - seed(2,2)
- ("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
- "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
- "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"),
- ("ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7"
- "dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"),
- ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"
- "defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2"),
- ("2d3d854e061b90303b08c6e33c7295782d6c797f8f7d9b78"
- "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"
- "5c14bc4a829e07b0829a48d422fe99a22c70501e533c9135"),
- ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561"
- "867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"),
- ("bd143fa9b714210c665d7435c1066932f4767f26294365b2"
- "721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
-
- # Next 2 number generated by random.getrandbits(192)
- "47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2",
- "cbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63"
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self):
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP192K1"] + args
-
-
-class EcpP224K1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P224 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p224k1_raw"
- input_style = "arch_split"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP224K1_ENABLED"]
-
- moduli = ["fffffffffffffffffffffffffffffffffffffffffffffffeffffe56d"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "fffffffffffffffffffffffffffffffffffffffffffffffeffffe56c",
-
- # Modulus + 1
- "fffffffffffffffffffffffffffffffffffffffffffffffeffffe56e",
-
- # 2^224 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P224K1 multiplication result
- ("fffffffffffffffffffffffffffffffffffffffffffffffdffffcad8"
- "00000000000000000000000000000000000000010000352802c26590"),
-
- # Test case for overflow during addition
- ("0000007ffff2b68161180fd8cd92e1a109be158a19a99b1809db8032"
- "0000000000000000000000000000000000000000000000000bf04f49"),
-
- # First 8 number generated by random.getrandbits(448) - seed(2,2)
- ("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337"
- "15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("cdbd47d364be8049a372db8f6e405d93ffed9235288bc781ae662675"
- "94c9c9500925e4749b575bd13653f8dd9b1f282e4067c3584ee207f8"),
- ("defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd12"
- "8b4f2fc15f3f57ebf30b94fa82523e86feac7eb7dc38f519b91751da"),
- ("2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a6"
- "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"),
- ("8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0829a48d4"
- "22fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"),
- ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561867e5e15"
- "bc01bfce6a27e0dfcbf8754472154e76e4c11ab2fec3f6b32e8d4b8a"),
- ("a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
- "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
- ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e"
- "80371eb97f81375eecc1cb6347733e847d718d733ff98ff387c56473"),
-
- # Next 2 number generated by random.getrandbits(224)
- ("eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
- ("f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f258ebdbfe3"),
- ]
-
- @property
- def arg_a(self) -> str:
- limbs = 2 * bignum_common.bits_to_limbs(224, self.bits_in_limb)
- hex_digits = bignum_common.hex_digits_for_limb(limbs, self.bits_in_limb)
- return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self):
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP224K1"] + args
-
-
-class EcpP256K1Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P256 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p256k1_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_SECP256K1_ENABLED"]
-
- moduli = ["fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2e",
-
- # Modulus + 1
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc30",
-
- # 2^256 - 1
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-
- # Maximum canonical P256K1 multiplication result
- ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c"
- "000000000000000000000000000000000000000000000001000007a4000e9844"),
-
- # Test case for overflow during addition
- ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562"
- "00000000000000000000000000000000000000000000000000000000585674fd"),
-
- # Test case for overflow during addition
- ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562"
- "00000000000000000000000000000000000000000000000000000000585674fd"),
-
- # First 8 number generated by random.getrandbits(512) - seed(2,2)
- ("4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
- "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"
- "ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd9b1f282e"),
- ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a09325626"
- "e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57ebf30b94fa"),
- ("829a48d422fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"
- "2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("e89204e2e8168561867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"
- "fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0"),
- ("bd143fa9b714210c665d7435c1066932f4767f26294365b2721dea3bf63f23d0"
- "dbe53fcafb2147df5ca495fa5a91c89b97eeab64ca2ce6bc5d3fd983c34c769f"),
- ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e80371eb9"
- "7f81375eecc1cb6347733e847d718d733ff98ff387c56473a7a83ee0761ebfd2"),
- ("d08f1bb2531d6460f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f25"
- "8ebdbfe3eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
-
- # Next 2 number generated by random.getrandbits(256)
- ("c5e2486c44a4a8f69dc8db48e86ec9c6e06f291b2a838af8d5c44a4eb3172062"),
- ("d4c0dca8b4c9e755cc9c3adcf515a8234da4daeb4f3f87777ad1f45ae9500ec9"),
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self):
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_SECP256K1"] + args
-
-
-class EcpP255Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP 25519 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "mbedtls_ecp_mod_p255_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_CURVE25519_ENABLED"]
-
- moduli = [("7fffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffed")] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"),
-
- # Modulus + 1
- ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee"),
-
- # 2^255 - 1
- ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
-
- # Maximum canonical P255 multiplication result
- ("3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"
- "0000000000000000000000000000000000000000000000000000000000000190"),
-
- # First 8 number generated by random.getrandbits(510) - seed(2,2)
- ("1019f0d64ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
- "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
- ("20948fa1feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"
- "ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd9b1f282e"),
- ("3a1893ea5186ee32ee8d7ee9770348a05d300cb90706a045defc044a09325626"
- "e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57ebf30b94fa"),
- ("20a6923522fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"
- "2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
- ("3a248138e8168561867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"
- "fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0"),
- ("2f450feab714210c665d7435c1066932f4767f26294365b2721dea3bf63f23d0"
- "dbe53fcafb2147df5ca495fa5a91c89b97eeab64ca2ce6bc5d3fd983c34c769f"),
- ("1d199effe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e80371eb9"
- "7f81375eecc1cb6347733e847d718d733ff98ff387c56473a7a83ee0761ebfd2"),
- ("3423c6ec531d6460f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f25"
- "8ebdbfe3eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
-
- # Next 2 number generated by random.getrandbits(255)
- ("62f1243644a4a8f69dc8db48e86ec9c6e06f291b2a838af8d5c44a4eb3172062"),
- ("6a606e54b4c9e755cc9c3adcf515a8234da4daeb4f3f87777ad1f45ae9500ec9"),
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self)-> List[str]:
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_CURVE25519"] + args
-
-
-class EcpP448Raw(bignum_common.ModOperationCommon,
- EcpTarget):
- """Test cases for ECP P448 fast reduction."""
- symbol = "-"
- test_function = "ecp_mod_p_generic_raw"
- test_name = "ecp_mod_p448_raw"
- input_style = "fixed"
- arity = 1
- dependencies = ["MBEDTLS_ECP_DP_CURVE448_ENABLED"]
-
- moduli = [("fffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff")] # type: List[str]
-
- input_values = [
- "0", "1",
-
- # Modulus - 1
- ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffe"
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe"),
-
- # Modulus + 1
- ("ffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "00000000000000000000000000000000000000000000000000000000"),
-
- # 2^448 - 1
- ("ffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
- "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
-
- # Maximum canonical P448 multiplication result
- ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffd"
- "fffffffffffffffffffffffffffffffffffffffffffffffffffffffd"
- "00000000000000000000000000000000000000000000000000000004"
- "00000000000000000000000000000000000000000000000000000004"),
-
- # First 8 number generated by random.getrandbits(896) - seed(2,2)
- ("74667bffe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e"
- "80371eb97f81375eecc1cb6347733e847d718d733ff98ff387c56473"
- "a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
- "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
- ("4da4daeb4f3f87777ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48"
- "e86ec9c6e06f291b2a838af8d5c44a4eb3172062d08f1bb2531d6460"
- "f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f258ebdbfe3"
- "eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
- ("bc1b00d92838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da7"
- "0569c018eb2b5693babb7fbb0a76c196067cfdcb11457d9cf45e2fa0"
- "1d7f4275153924800600571fac3a5b263fdf57cd2c0064975c374746"
- "5cc36c270e8a35b10828d569c268a20eb78ac332e5e138e26c4454b9"),
- ("8d2f527e72daf0a54ef25c0707e338687d1f71575653a45c49390aa5"
- "1cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71581d8e83"
- "0112ff0f0948eccaf8877acf26c377c13f719726fd70bddacb4deeec"
- "0b0c995e96e6bc4d62b47204007ee4fab105d83e85e951862f0981ae"),
- ("84ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da"
- "1a1fe3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccd"
- "f572df00790813e32748dd1db4917fc09f20dbb0dcc93f0e66dfe717"
- "c17313394391b6e2e6eacb0f0bb7be72bd6d25009aeb7fa0c4169b14"),
- ("2bb3b36f29421c4021b7379f0897246a40c270b00e893302aba9e7b8"
- "23fc5ad2f58105748ed5d1b7b310b730049dd332a73fa0b26b75196c"
- "f87eb8a09b27ec714307c68c425424a1574f1eedf5b0f16cdfdb8394"
- "24d201e653f53d6883ca1c107ca6e706649889c0c7f3860895bfa813"),
- ("af3f5d7841b1256d5c1dc12fb5a1ae519fb8883accda6559caa538a0"
- "9fc9370d3a6b86a7975b54a31497024640332b0612d4050771d7b14e"
- "b6c004cc3b8367dc3f2bb31efe9934ad0809eae3ef232a32b5459d83"
- "fbc46f1aea990e94821d46063b4dbf2ca294523d74115c86188b1044"),
- ("7430051376e31f5aab63ad02854efa600641b4fa37a47ce41aeffafc"
- "3b45402ac02659fe2e87d4150511baeb198ababb1a16daff3da95cd2"
- "167b75dfb948f82a8317cba01c75f67e290535d868a24b7f627f2855"
- "09167d4126af8090013c3273c02c6b9586b4625b475b51096c4ad652"),
-
- # Corner case which causes maximum overflow
- ("f4ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1"
- "a1fe3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccd0B"
- "519A16DF59C53E0D49B209200F878F362ACE518D5B8BFCF9CDC725E5E"
- "01C06295E8605AF06932B5006D9E556D3F190E8136BF9C643D332"),
-
- # Next 2 number generated by random.getrandbits(448)
- ("8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0829a48d4"
- "22fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"),
- ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561867e5e15"
- "bc01bfce6a27e0dfcbf8754472154e76e4c11ab2fec3f6b32e8d4b8a"),
-
- ]
-
- @property
- def arg_a(self) -> str:
- return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
-
- def result(self) -> List[str]:
- result = self.int_a % self.int_n
- return [self.format_result(result)]
-
- @property
- def is_valid(self) -> bool:
- return True
-
- def arguments(self):
- args = super().arguments()
- return ["MBEDTLS_ECP_DP_CURVE448"] + args
diff --git a/scripts/mbedtls_dev/logging_util.py b/scripts/mbedtls_dev/logging_util.py
deleted file mode 100644
index db1ebfe..0000000
--- a/scripts/mbedtls_dev/logging_util.py
+++ /dev/null
@@ -1,57 +0,0 @@
-"""Auxiliary functions used for logging module.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import logging
-import sys
-
-def configure_logger(
- logger: logging.Logger,
- log_format="[%(levelname)s]: %(message)s",
- split_level=logging.WARNING
- ) -> None:
- """
- Configure the logging.Logger instance so that:
- - Format is set to any log_format.
- Default: "[%(levelname)s]: %(message)s"
- - loglevel >= split_level are printed to stderr.
- - loglevel < split_level are printed to stdout.
- Default: logging.WARNING
- """
- class MaxLevelFilter(logging.Filter):
- # pylint: disable=too-few-public-methods
- def __init__(self, max_level, name=''):
- super().__init__(name)
- self.max_level = max_level
-
- def filter(self, record: logging.LogRecord) -> bool:
- return record.levelno <= self.max_level
-
- log_formatter = logging.Formatter(log_format)
-
- # set loglevel >= split_level to be printed to stderr
- stderr_hdlr = logging.StreamHandler(sys.stderr)
- stderr_hdlr.setLevel(split_level)
- stderr_hdlr.setFormatter(log_formatter)
-
- # set loglevel < split_level to be printed to stdout
- stdout_hdlr = logging.StreamHandler(sys.stdout)
- stdout_hdlr.addFilter(MaxLevelFilter(split_level - 1))
- stdout_hdlr.setFormatter(log_formatter)
-
- logger.addHandler(stderr_hdlr)
- logger.addHandler(stdout_hdlr)
diff --git a/scripts/mbedtls_dev/macro_collector.py b/scripts/mbedtls_dev/macro_collector.py
deleted file mode 100644
index 3cad2a3..0000000
--- a/scripts/mbedtls_dev/macro_collector.py
+++ /dev/null
@@ -1,550 +0,0 @@
-"""Collect macro definitions from header files.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import itertools
-import re
-from typing import Dict, IO, Iterable, Iterator, List, Optional, Pattern, Set, Tuple, Union
-
-
-class ReadFileLineException(Exception):
- def __init__(self, filename: str, line_number: Union[int, str]) -> None:
- message = 'in {} at {}'.format(filename, line_number)
- super(ReadFileLineException, self).__init__(message)
- self.filename = filename
- self.line_number = line_number
-
-
-class read_file_lines:
- # Dear Pylint, conventionally, a context manager class name is lowercase.
- # pylint: disable=invalid-name,too-few-public-methods
- """Context manager to read a text file line by line.
-
- ```
- with read_file_lines(filename) as lines:
- for line in lines:
- process(line)
- ```
- is equivalent to
- ```
- with open(filename, 'r') as input_file:
- for line in input_file:
- process(line)
- ```
- except that if process(line) raises an exception, then the read_file_lines
- snippet annotates the exception with the file name and line number.
- """
- def __init__(self, filename: str, binary: bool = False) -> None:
- self.filename = filename
- self.file = None #type: Optional[IO[str]]
- self.line_number = 'entry' #type: Union[int, str]
- self.generator = None #type: Optional[Iterable[Tuple[int, str]]]
- self.binary = binary
- def __enter__(self) -> 'read_file_lines':
- self.file = open(self.filename, 'rb' if self.binary else 'r')
- self.generator = enumerate(self.file)
- return self
- def __iter__(self) -> Iterator[str]:
- assert self.generator is not None
- for line_number, content in self.generator:
- self.line_number = line_number
- yield content
- self.line_number = 'exit'
- def __exit__(self, exc_type, exc_value, exc_traceback) -> None:
- if self.file is not None:
- self.file.close()
- if exc_type is not None:
- raise ReadFileLineException(self.filename, self.line_number) \
- from exc_value
-
-
-class PSAMacroEnumerator:
- """Information about constructors of various PSA Crypto types.
-
- This includes macro names as well as information about their arguments
- when applicable.
-
- This class only provides ways to enumerate expressions that evaluate to
- values of the covered types. Derived classes are expected to populate
- the set of known constructors of each kind, as well as populate
- `self.arguments_for` for arguments that are not of a kind that is
- enumerated here.
- """
- #pylint: disable=too-many-instance-attributes
-
- def __init__(self) -> None:
- """Set up an empty set of known constructor macros.
- """
- self.statuses = set() #type: Set[str]
- self.lifetimes = set() #type: Set[str]
- self.locations = set() #type: Set[str]
- self.persistence_levels = set() #type: Set[str]
- self.algorithms = set() #type: Set[str]
- self.ecc_curves = set() #type: Set[str]
- self.dh_groups = set() #type: Set[str]
- self.key_types = set() #type: Set[str]
- self.key_usage_flags = set() #type: Set[str]
- self.hash_algorithms = set() #type: Set[str]
- self.mac_algorithms = set() #type: Set[str]
- self.ka_algorithms = set() #type: Set[str]
- self.kdf_algorithms = set() #type: Set[str]
- self.pake_algorithms = set() #type: Set[str]
- self.aead_algorithms = set() #type: Set[str]
- self.sign_algorithms = set() #type: Set[str]
- # macro name -> list of argument names
- self.argspecs = {} #type: Dict[str, List[str]]
- # argument name -> list of values
- self.arguments_for = {
- 'mac_length': [],
- 'min_mac_length': [],
- 'tag_length': [],
- 'min_tag_length': [],
- } #type: Dict[str, List[str]]
- # Whether to include intermediate macros in enumerations. Intermediate
- # macros serve as category headers and are not valid values of their
- # type. See `is_internal_name`.
- # Always false in this class, may be set to true in derived classes.
- self.include_intermediate = False
-
- def is_internal_name(self, name: str) -> bool:
- """Whether this is an internal macro. Internal macros will be skipped."""
- if not self.include_intermediate:
- if name.endswith('_BASE') or name.endswith('_NONE'):
- return True
- if '_CATEGORY_' in name:
- return True
- return name.endswith('_FLAG') or name.endswith('_MASK')
-
- def gather_arguments(self) -> None:
- """Populate the list of values for macro arguments.
-
- Call this after parsing all the inputs.
- """
- self.arguments_for['hash_alg'] = sorted(self.hash_algorithms)
- self.arguments_for['mac_alg'] = sorted(self.mac_algorithms)
- self.arguments_for['ka_alg'] = sorted(self.ka_algorithms)
- self.arguments_for['kdf_alg'] = sorted(self.kdf_algorithms)
- self.arguments_for['aead_alg'] = sorted(self.aead_algorithms)
- self.arguments_for['sign_alg'] = sorted(self.sign_algorithms)
- self.arguments_for['curve'] = sorted(self.ecc_curves)
- self.arguments_for['group'] = sorted(self.dh_groups)
- self.arguments_for['persistence'] = sorted(self.persistence_levels)
- self.arguments_for['location'] = sorted(self.locations)
- self.arguments_for['lifetime'] = sorted(self.lifetimes)
-
- @staticmethod
- def _format_arguments(name: str, arguments: Iterable[str]) -> str:
- """Format a macro call with arguments.
-
- The resulting format is consistent with
- `InputsForTest.normalize_argument`.
- """
- return name + '(' + ', '.join(arguments) + ')'
-
- _argument_split_re = re.compile(r' *, *')
- @classmethod
- def _argument_split(cls, arguments: str) -> List[str]:
- return re.split(cls._argument_split_re, arguments)
-
- def distribute_arguments(self, name: str) -> Iterator[str]:
- """Generate macro calls with each tested argument set.
-
- If name is a macro without arguments, just yield "name".
- If name is a macro with arguments, yield a series of
- "name(arg1,...,argN)" where each argument takes each possible
- value at least once.
- """
- try:
- if name not in self.argspecs:
- yield name
- return
- argspec = self.argspecs[name]
- if argspec == []:
- yield name + '()'
- return
- argument_lists = [self.arguments_for[arg] for arg in argspec]
- arguments = [values[0] for values in argument_lists]
- yield self._format_arguments(name, arguments)
- # Dear Pylint, enumerate won't work here since we're modifying
- # the array.
- # pylint: disable=consider-using-enumerate
- for i in range(len(arguments)):
- for value in argument_lists[i][1:]:
- arguments[i] = value
- yield self._format_arguments(name, arguments)
- arguments[i] = argument_lists[i][0]
- except BaseException as e:
- raise Exception('distribute_arguments({})'.format(name)) from e
-
- def distribute_arguments_without_duplicates(
- self, seen: Set[str], name: str
- ) -> Iterator[str]:
- """Same as `distribute_arguments`, but don't repeat seen results."""
- for result in self.distribute_arguments(name):
- if result not in seen:
- seen.add(result)
- yield result
-
- def generate_expressions(self, names: Iterable[str]) -> Iterator[str]:
- """Generate expressions covering values constructed from the given names.
-
- `names` can be any iterable collection of macro names.
-
- For example:
- * ``generate_expressions(['PSA_ALG_CMAC', 'PSA_ALG_HMAC'])``
- generates ``'PSA_ALG_CMAC'`` as well as ``'PSA_ALG_HMAC(h)'`` for
- every known hash algorithm ``h``.
- * ``macros.generate_expressions(macros.key_types)`` generates all
- key types.
- """
- seen = set() #type: Set[str]
- return itertools.chain(*(
- self.distribute_arguments_without_duplicates(seen, name)
- for name in names
- ))
-
-
-class PSAMacroCollector(PSAMacroEnumerator):
- """Collect PSA crypto macro definitions from C header files.
- """
-
- def __init__(self, include_intermediate: bool = False) -> None:
- """Set up an object to collect PSA macro definitions.
-
- Call the read_file method of the constructed object on each header file.
-
- * include_intermediate: if true, include intermediate macros such as
- PSA_XXX_BASE that do not designate semantic values.
- """
- super().__init__()
- self.include_intermediate = include_intermediate
- self.key_types_from_curve = {} #type: Dict[str, str]
- self.key_types_from_group = {} #type: Dict[str, str]
- self.algorithms_from_hash = {} #type: Dict[str, str]
-
- @staticmethod
- def algorithm_tester(name: str) -> str:
- """The predicate for whether an algorithm is built from the given constructor.
-
- The given name must be the name of an algorithm constructor of the
- form ``PSA_ALG_xxx`` which is used as ``PSA_ALG_xxx(yyy)`` to build
- an algorithm value. Return the corresponding predicate macro which
- is used as ``predicate(alg)`` to test whether ``alg`` can be built
- as ``PSA_ALG_xxx(yyy)``. The predicate is usually called
- ``PSA_ALG_IS_xxx``.
- """
- prefix = 'PSA_ALG_'
- assert name.startswith(prefix)
- midfix = 'IS_'
- suffix = name[len(prefix):]
- if suffix in ['DSA', 'ECDSA']:
- midfix += 'RANDOMIZED_'
- elif suffix == 'RSA_PSS':
- suffix += '_STANDARD_SALT'
- return prefix + midfix + suffix
-
- def record_algorithm_subtype(self, name: str, expansion: str) -> None:
- """Record the subtype of an algorithm constructor.
-
- Given a ``PSA_ALG_xxx`` macro name and its expansion, if the algorithm
- is of a subtype that is tracked in its own set, add it to the relevant
- set.
- """
- # This code is very ad hoc and fragile. It should be replaced by
- # something more robust.
- if re.match(r'MAC(?:_|\Z)', name):
- self.mac_algorithms.add(name)
- elif re.match(r'KDF(?:_|\Z)', name):
- self.kdf_algorithms.add(name)
- elif re.search(r'0x020000[0-9A-Fa-f]{2}', expansion):
- self.hash_algorithms.add(name)
- elif re.search(r'0x03[0-9A-Fa-f]{6}', expansion):
- self.mac_algorithms.add(name)
- elif re.search(r'0x05[0-9A-Fa-f]{6}', expansion):
- self.aead_algorithms.add(name)
- elif re.search(r'0x09[0-9A-Fa-f]{2}0000', expansion):
- self.ka_algorithms.add(name)
- elif re.search(r'0x08[0-9A-Fa-f]{6}', expansion):
- self.kdf_algorithms.add(name)
-
- # "#define" followed by a macro name with either no parameters
- # or a single parameter and a non-empty expansion.
- # Grab the macro name in group 1, the parameter name if any in group 2
- # and the expansion in group 3.
- _define_directive_re = re.compile(r'\s*#\s*define\s+(\w+)' +
- r'(?:\s+|\((\w+)\)\s*)' +
- r'(.+)')
- _deprecated_definition_re = re.compile(r'\s*MBEDTLS_DEPRECATED')
-
- def read_line(self, line):
- """Parse a C header line and record the PSA identifier it defines if any.
- This function analyzes lines that start with "#define PSA_"
- (up to non-significant whitespace) and skips all non-matching lines.
- """
- # pylint: disable=too-many-branches
- m = re.match(self._define_directive_re, line)
- if not m:
- return
- name, parameter, expansion = m.groups()
- expansion = re.sub(r'/\*.*?\*/|//.*', r' ', expansion)
- if parameter:
- self.argspecs[name] = [parameter]
- if re.match(self._deprecated_definition_re, expansion):
- # Skip deprecated values, which are assumed to be
- # backward compatibility aliases that share
- # numerical values with non-deprecated values.
- return
- if self.is_internal_name(name):
- # Macro only to build actual values
- return
- elif (name.startswith('PSA_ERROR_') or name == 'PSA_SUCCESS') \
- and not parameter:
- self.statuses.add(name)
- elif name.startswith('PSA_KEY_TYPE_') and not parameter:
- self.key_types.add(name)
- elif name.startswith('PSA_KEY_TYPE_') and parameter == 'curve':
- self.key_types_from_curve[name] = name[:13] + 'IS_' + name[13:]
- elif name.startswith('PSA_KEY_TYPE_') and parameter == 'group':
- self.key_types_from_group[name] = name[:13] + 'IS_' + name[13:]
- elif name.startswith('PSA_ECC_FAMILY_') and not parameter:
- self.ecc_curves.add(name)
- elif name.startswith('PSA_DH_FAMILY_') and not parameter:
- self.dh_groups.add(name)
- elif name.startswith('PSA_ALG_') and not parameter:
- if name in ['PSA_ALG_ECDSA_BASE',
- 'PSA_ALG_RSA_PKCS1V15_SIGN_BASE']:
- # Ad hoc skipping of duplicate names for some numerical values
- return
- self.algorithms.add(name)
- self.record_algorithm_subtype(name, expansion)
- elif name.startswith('PSA_ALG_') and parameter == 'hash_alg':
- self.algorithms_from_hash[name] = self.algorithm_tester(name)
- elif name.startswith('PSA_KEY_USAGE_') and not parameter:
- self.key_usage_flags.add(name)
- else:
- # Other macro without parameter
- return
-
- _nonascii_re = re.compile(rb'[^\x00-\x7f]+')
- _continued_line_re = re.compile(rb'\\\r?\n\Z')
- def read_file(self, header_file):
- for line in header_file:
- m = re.search(self._continued_line_re, line)
- while m:
- cont = next(header_file)
- line = line[:m.start(0)] + cont
- m = re.search(self._continued_line_re, line)
- line = re.sub(self._nonascii_re, rb'', line).decode('ascii')
- self.read_line(line)
-
-
-class InputsForTest(PSAMacroEnumerator):
- # pylint: disable=too-many-instance-attributes
- """Accumulate information about macros to test.
-enumerate
- This includes macro names as well as information about their arguments
- when applicable.
- """
-
- def __init__(self) -> None:
- super().__init__()
- self.all_declared = set() #type: Set[str]
- # Identifier prefixes
- self.table_by_prefix = {
- 'ERROR': self.statuses,
- 'ALG': self.algorithms,
- 'ECC_CURVE': self.ecc_curves,
- 'DH_GROUP': self.dh_groups,
- 'KEY_LIFETIME': self.lifetimes,
- 'KEY_LOCATION': self.locations,
- 'KEY_PERSISTENCE': self.persistence_levels,
- 'KEY_TYPE': self.key_types,
- 'KEY_USAGE': self.key_usage_flags,
- } #type: Dict[str, Set[str]]
- # Test functions
- self.table_by_test_function = {
- # Any function ending in _algorithm also gets added to
- # self.algorithms.
- 'key_type': [self.key_types],
- 'block_cipher_key_type': [self.key_types],
- 'stream_cipher_key_type': [self.key_types],
- 'ecc_key_family': [self.ecc_curves],
- 'ecc_key_types': [self.ecc_curves],
- 'dh_key_family': [self.dh_groups],
- 'dh_key_types': [self.dh_groups],
- 'hash_algorithm': [self.hash_algorithms],
- 'mac_algorithm': [self.mac_algorithms],
- 'cipher_algorithm': [],
- 'hmac_algorithm': [self.mac_algorithms, self.sign_algorithms],
- 'aead_algorithm': [self.aead_algorithms],
- 'key_derivation_algorithm': [self.kdf_algorithms],
- 'key_agreement_algorithm': [self.ka_algorithms],
- 'asymmetric_signature_algorithm': [self.sign_algorithms],
- 'asymmetric_signature_wildcard': [self.algorithms],
- 'asymmetric_encryption_algorithm': [],
- 'pake_algorithm': [self.pake_algorithms],
- 'other_algorithm': [],
- 'lifetime': [self.lifetimes],
- } #type: Dict[str, List[Set[str]]]
- mac_lengths = [str(n) for n in [
- 1, # minimum expressible
- 4, # minimum allowed by policy
- 13, # an odd size in a plausible range
- 14, # an even non-power-of-two size in a plausible range
- 16, # same as full size for at least one algorithm
- 63, # maximum expressible
- ]]
- self.arguments_for['mac_length'] += mac_lengths
- self.arguments_for['min_mac_length'] += mac_lengths
- aead_lengths = [str(n) for n in [
- 1, # minimum expressible
- 4, # minimum allowed by policy
- 13, # an odd size in a plausible range
- 14, # an even non-power-of-two size in a plausible range
- 16, # same as full size for at least one algorithm
- 63, # maximum expressible
- ]]
- self.arguments_for['tag_length'] += aead_lengths
- self.arguments_for['min_tag_length'] += aead_lengths
-
- def add_numerical_values(self) -> None:
- """Add numerical values that are not supported to the known identifiers."""
- # Sets of names per type
- self.algorithms.add('0xffffffff')
- self.ecc_curves.add('0xff')
- self.dh_groups.add('0xff')
- self.key_types.add('0xffff')
- self.key_usage_flags.add('0x80000000')
-
- # Hard-coded values for unknown algorithms
- #
- # These have to have values that are correct for their respective
- # PSA_ALG_IS_xxx macros, but are also not currently assigned and are
- # not likely to be assigned in the near future.
- self.hash_algorithms.add('0x020000fe') # 0x020000ff is PSA_ALG_ANY_HASH
- self.mac_algorithms.add('0x03007fff')
- self.ka_algorithms.add('0x09fc0000')
- self.kdf_algorithms.add('0x080000ff')
- self.pake_algorithms.add('0x0a0000ff')
- # For AEAD algorithms, the only variability is over the tag length,
- # and this only applies to known algorithms, so don't test an
- # unknown algorithm.
-
- def get_names(self, type_word: str) -> Set[str]:
- """Return the set of known names of values of the given type."""
- return {
- 'status': self.statuses,
- 'algorithm': self.algorithms,
- 'ecc_curve': self.ecc_curves,
- 'dh_group': self.dh_groups,
- 'key_type': self.key_types,
- 'key_usage': self.key_usage_flags,
- }[type_word]
-
- # Regex for interesting header lines.
- # Groups: 1=macro name, 2=type, 3=argument list (optional).
- _header_line_re = \
- re.compile(r'#define +' +
- r'(PSA_((?:(?:DH|ECC|KEY)_)?[A-Z]+)_\w+)' +
- r'(?:\(([^\n()]*)\))?')
- # Regex of macro names to exclude.
- _excluded_name_re = re.compile(r'_(?:GET|IS|OF)_|_(?:BASE|FLAG|MASK)\Z')
- # Additional excluded macros.
- _excluded_names = set([
- # Macros that provide an alternative way to build the same
- # algorithm as another macro.
- 'PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG',
- 'PSA_ALG_FULL_LENGTH_MAC',
- # Auxiliary macro whose name doesn't fit the usual patterns for
- # auxiliary macros.
- 'PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE',
- ])
- def parse_header_line(self, line: str) -> None:
- """Parse a C header line, looking for "#define PSA_xxx"."""
- m = re.match(self._header_line_re, line)
- if not m:
- return
- name = m.group(1)
- self.all_declared.add(name)
- if re.search(self._excluded_name_re, name) or \
- name in self._excluded_names or \
- self.is_internal_name(name):
- return
- dest = self.table_by_prefix.get(m.group(2))
- if dest is None:
- return
- dest.add(name)
- if m.group(3):
- self.argspecs[name] = self._argument_split(m.group(3))
-
- _nonascii_re = re.compile(rb'[^\x00-\x7f]+') #type: Pattern
- def parse_header(self, filename: str) -> None:
- """Parse a C header file, looking for "#define PSA_xxx"."""
- with read_file_lines(filename, binary=True) as lines:
- for line in lines:
- line = re.sub(self._nonascii_re, rb'', line).decode('ascii')
- self.parse_header_line(line)
-
- _macro_identifier_re = re.compile(r'[A-Z]\w+')
- def generate_undeclared_names(self, expr: str) -> Iterable[str]:
- for name in re.findall(self._macro_identifier_re, expr):
- if name not in self.all_declared:
- yield name
-
- def accept_test_case_line(self, function: str, argument: str) -> bool:
- #pylint: disable=unused-argument
- undeclared = list(self.generate_undeclared_names(argument))
- if undeclared:
- raise Exception('Undeclared names in test case', undeclared)
- return True
-
- @staticmethod
- def normalize_argument(argument: str) -> str:
- """Normalize whitespace in the given C expression.
-
- The result uses the same whitespace as
- ` PSAMacroEnumerator.distribute_arguments`.
- """
- return re.sub(r',', r', ', re.sub(r' +', r'', argument))
-
- def add_test_case_line(self, function: str, argument: str) -> None:
- """Parse a test case data line, looking for algorithm metadata tests."""
- sets = []
- if function.endswith('_algorithm'):
- sets.append(self.algorithms)
- if function == 'key_agreement_algorithm' and \
- argument.startswith('PSA_ALG_KEY_AGREEMENT('):
- # We only want *raw* key agreement algorithms as such, so
- # exclude ones that are already chained with a KDF.
- # Keep the expression as one to test as an algorithm.
- function = 'other_algorithm'
- sets += self.table_by_test_function[function]
- if self.accept_test_case_line(function, argument):
- for s in sets:
- s.add(self.normalize_argument(argument))
-
- # Regex matching a *.data line containing a test function call and
- # its arguments. The actual definition is partly positional, but this
- # regex is good enough in practice.
- _test_case_line_re = re.compile(r'(?!depends_on:)(\w+):([^\n :][^:\n]*)')
- def parse_test_cases(self, filename: str) -> None:
- """Parse a test case file (*.data), looking for algorithm metadata tests."""
- with read_file_lines(filename) as lines:
- for line in lines:
- m = re.match(self._test_case_line_re, line)
- if m:
- self.add_test_case_line(m.group(1), m.group(2))
diff --git a/scripts/mbedtls_dev/psa_information.py b/scripts/mbedtls_dev/psa_information.py
deleted file mode 100644
index a82df41..0000000
--- a/scripts/mbedtls_dev/psa_information.py
+++ /dev/null
@@ -1,162 +0,0 @@
-"""Collect information about PSA cryptographic mechanisms.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import re
-from typing import Dict, FrozenSet, List, Optional
-
-from . import macro_collector
-
-
-class Information:
- """Gather information about PSA constructors."""
-
- def __init__(self) -> None:
- self.constructors = self.read_psa_interface()
-
- @staticmethod
- def remove_unwanted_macros(
- constructors: macro_collector.PSAMacroEnumerator
- ) -> None:
- # Mbed TLS does not support finite-field DSA.
- # Don't attempt to generate any related test case.
- constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR')
- constructors.key_types.discard('PSA_KEY_TYPE_DSA_PUBLIC_KEY')
-
- def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator:
- """Return the list of known key types, algorithms, etc."""
- constructors = macro_collector.InputsForTest()
- header_file_names = ['include/psa/crypto_values.h',
- 'include/psa/crypto_extra.h']
- test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data']
- for header_file_name in header_file_names:
- constructors.parse_header(header_file_name)
- for test_cases in test_suites:
- constructors.parse_test_cases(test_cases)
- self.remove_unwanted_macros(constructors)
- constructors.gather_arguments()
- return constructors
-
-
-def psa_want_symbol(name: str) -> str:
- """Return the PSA_WANT_xxx symbol associated with a PSA crypto feature."""
- if name.startswith('PSA_'):
- return name[:4] + 'WANT_' + name[4:]
- else:
- raise ValueError('Unable to determine the PSA_WANT_ symbol for ' + name)
-
-def finish_family_dependency(dep: str, bits: int) -> str:
- """Finish dep if it's a family dependency symbol prefix.
-
- A family dependency symbol prefix is a PSA_WANT_ symbol that needs to be
- qualified by the key size. If dep is such a symbol, finish it by adjusting
- the prefix and appending the key size. Other symbols are left unchanged.
- """
- return re.sub(r'_FAMILY_(.*)', r'_\1_' + str(bits), dep)
-
-def finish_family_dependencies(dependencies: List[str], bits: int) -> List[str]:
- """Finish any family dependency symbol prefixes.
-
- Apply `finish_family_dependency` to each element of `dependencies`.
- """
- return [finish_family_dependency(dep, bits) for dep in dependencies]
-
-SYMBOLS_WITHOUT_DEPENDENCY = frozenset([
- 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', # modifier, only in policies
- 'PSA_ALG_AEAD_WITH_SHORTENED_TAG', # modifier
- 'PSA_ALG_ANY_HASH', # only in policies
- 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', # modifier, only in policies
- 'PSA_ALG_KEY_AGREEMENT', # chaining
- 'PSA_ALG_TRUNCATED_MAC', # modifier
-])
-def automatic_dependencies(*expressions: str) -> List[str]:
- """Infer dependencies of a test case by looking for PSA_xxx symbols.
-
- The arguments are strings which should be C expressions. Do not use
- string literals or comments as this function is not smart enough to
- skip them.
- """
- used = set()
- for expr in expressions:
- used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr))
- used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY)
- return sorted(psa_want_symbol(name) for name in used)
-
-# Define set of regular expressions and dependencies to optionally append
-# extra dependencies for test case.
-AES_128BIT_ONLY_DEP_REGEX = r'AES\s(192|256)'
-AES_128BIT_ONLY_DEP = ["!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"]
-
-DEPENDENCY_FROM_KEY = {
- AES_128BIT_ONLY_DEP_REGEX: AES_128BIT_ONLY_DEP
-}#type: Dict[str, List[str]]
-def generate_key_dependencies(description: str) -> List[str]:
- """Return additional dependencies based on pairs of REGEX and dependencies.
- """
- deps = []
- for regex, dep in DEPENDENCY_FROM_KEY.items():
- if re.search(regex, description):
- deps += dep
-
- return deps
-
-# A temporary hack: at the time of writing, not all dependency symbols
-# are implemented yet. Skip test cases for which the dependency symbols are
-# not available. Once all dependency symbols are available, this hack must
-# be removed so that a bug in the dependency symbols properly leads to a test
-# failure.
-def read_implemented_dependencies(filename: str) -> FrozenSet[str]:
- return frozenset(symbol
- for line in open(filename)
- for symbol in re.findall(r'\bPSA_WANT_\w+\b', line))
-_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name
-def hack_dependencies_not_implemented(dependencies: List[str]) -> None:
- global _implemented_dependencies #pylint: disable=global-statement,invalid-name
- if _implemented_dependencies is None:
- _implemented_dependencies = \
- read_implemented_dependencies('include/psa/crypto_config.h')
- if not all((dep.lstrip('!') in _implemented_dependencies or
- not dep.lstrip('!').startswith('PSA_WANT'))
- for dep in dependencies):
- dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET')
-
-def tweak_key_pair_dependency(dep: str, usage: str):
- """
- This helper function add the proper suffix to PSA_WANT_KEY_TYPE_xxx_KEY_PAIR
- symbols according to the required usage.
- """
- ret_list = list()
- if dep.endswith('KEY_PAIR'):
- if usage == "BASIC":
- # BASIC automatically includes IMPORT and EXPORT for test purposes (see
- # config_psa.h).
- ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_BASIC', dep))
- ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_IMPORT', dep))
- ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_EXPORT', dep))
- elif usage == "GENERATE":
- ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_GENERATE', dep))
- else:
- # No replacement to do in this case
- ret_list.append(dep)
- return ret_list
-
-def fix_key_pair_dependencies(dep_list: List[str], usage: str):
- new_list = [new_deps
- for dep in dep_list
- for new_deps in tweak_key_pair_dependency(dep, usage)]
-
- return new_list
diff --git a/scripts/mbedtls_dev/psa_storage.py b/scripts/mbedtls_dev/psa_storage.py
deleted file mode 100644
index 737760f..0000000
--- a/scripts/mbedtls_dev/psa_storage.py
+++ /dev/null
@@ -1,217 +0,0 @@
-"""Knowledge about the PSA key store as implemented in Mbed TLS.
-
-Note that if you need to make a change that affects how keys are
-stored, this may indicate that the key store is changing in a
-backward-incompatible way! Think carefully about backward compatibility
-before changing how test data is constructed or validated.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import re
-import struct
-from typing import Dict, List, Optional, Set, Union
-import unittest
-
-from . import c_build_helper
-from . import build_tree
-
-
-class Expr:
- """Representation of a C expression with a known or knowable numerical value."""
-
- def __init__(self, content: Union[int, str]):
- if isinstance(content, int):
- digits = 8 if content > 0xffff else 4
- self.string = '{0:#0{1}x}'.format(content, digits + 2)
- self.value_if_known = content #type: Optional[int]
- else:
- self.string = content
- self.unknown_values.add(self.normalize(content))
- self.value_if_known = None
-
- value_cache = {} #type: Dict[str, int]
- """Cache of known values of expressions."""
-
- unknown_values = set() #type: Set[str]
- """Expressions whose values are not present in `value_cache` yet."""
-
- def update_cache(self) -> None:
- """Update `value_cache` for expressions registered in `unknown_values`."""
- expressions = sorted(self.unknown_values)
- includes = ['include']
- if build_tree.looks_like_tf_psa_crypto_root('.'):
- includes.append('drivers/builtin/include')
- values = c_build_helper.get_c_expression_values(
- 'unsigned long', '%lu',
- expressions,
- header="""
- #include <psa/crypto.h>
- """,
- include_path=includes) #type: List[str]
- for e, v in zip(expressions, values):
- self.value_cache[e] = int(v, 0)
- self.unknown_values.clear()
-
- @staticmethod
- def normalize(string: str) -> str:
- """Put the given C expression in a canonical form.
-
- This function is only intended to give correct results for the
- relatively simple kind of C expression typically used with this
- module.
- """
- return re.sub(r'\s+', r'', string)
-
- def value(self) -> int:
- """Return the numerical value of the expression."""
- if self.value_if_known is None:
- if re.match(r'([0-9]+|0x[0-9a-f]+)\Z', self.string, re.I):
- return int(self.string, 0)
- normalized = self.normalize(self.string)
- if normalized not in self.value_cache:
- self.update_cache()
- self.value_if_known = self.value_cache[normalized]
- return self.value_if_known
-
-Exprable = Union[str, int, Expr]
-"""Something that can be converted to a C expression with a known numerical value."""
-
-def as_expr(thing: Exprable) -> Expr:
- """Return an `Expr` object for `thing`.
-
- If `thing` is already an `Expr` object, return it. Otherwise build a new
- `Expr` object from `thing`. `thing` can be an integer or a string that
- contains a C expression.
- """
- if isinstance(thing, Expr):
- return thing
- else:
- return Expr(thing)
-
-
-class Key:
- """Representation of a PSA crypto key object and its storage encoding.
- """
-
- LATEST_VERSION = 0
- """The latest version of the storage format."""
-
- def __init__(self, *,
- version: Optional[int] = None,
- id: Optional[int] = None, #pylint: disable=redefined-builtin
- lifetime: Exprable = 'PSA_KEY_LIFETIME_PERSISTENT',
- type: Exprable, #pylint: disable=redefined-builtin
- bits: int,
- usage: Exprable, alg: Exprable, alg2: Exprable,
- material: bytes #pylint: disable=used-before-assignment
- ) -> None:
- self.version = self.LATEST_VERSION if version is None else version
- self.id = id #pylint: disable=invalid-name #type: Optional[int]
- self.lifetime = as_expr(lifetime) #type: Expr
- self.type = as_expr(type) #type: Expr
- self.bits = bits #type: int
- self.usage = as_expr(usage) #type: Expr
- self.alg = as_expr(alg) #type: Expr
- self.alg2 = as_expr(alg2) #type: Expr
- self.material = material #type: bytes
-
- MAGIC = b'PSA\000KEY\000'
-
- @staticmethod
- def pack(
- fmt: str,
- *args: Union[int, Expr]
- ) -> bytes: #pylint: disable=used-before-assignment
- """Pack the given arguments into a byte string according to the given format.
-
- This function is similar to `struct.pack`, but with the following differences:
- * All integer values are encoded with standard sizes and in
- little-endian representation. `fmt` must not include an endianness
- prefix.
- * Arguments can be `Expr` objects instead of integers.
- * Only integer-valued elements are supported.
- """
- return struct.pack('<' + fmt, # little-endian, standard sizes
- *[arg.value() if isinstance(arg, Expr) else arg
- for arg in args])
-
- def bytes(self) -> bytes:
- """Return the representation of the key in storage as a byte array.
-
- This is the content of the PSA storage file. When PSA storage is
- implemented over stdio files, this does not include any wrapping made
- by the PSA-storage-over-stdio-file implementation.
-
- Note that if you need to make a change in this function,
- this may indicate that the key store is changing in a
- backward-incompatible way! Think carefully about backward
- compatibility before making any change here.
- """
- header = self.MAGIC + self.pack('L', self.version)
- if self.version == 0:
- attributes = self.pack('LHHLLL',
- self.lifetime, self.type, self.bits,
- self.usage, self.alg, self.alg2)
- material = self.pack('L', len(self.material)) + self.material
- else:
- raise NotImplementedError
- return header + attributes + material
-
- def hex(self) -> str:
- """Return the representation of the key as a hexadecimal string.
-
- This is the hexadecimal representation of `self.bytes`.
- """
- return self.bytes().hex()
-
- def location_value(self) -> int:
- """The numerical value of the location encoded in the key's lifetime."""
- return self.lifetime.value() >> 8
-
-
-class TestKey(unittest.TestCase):
- # pylint: disable=line-too-long
- """A few smoke tests for the functionality of the `Key` class."""
-
- def test_numerical(self):
- key = Key(version=0,
- id=1, lifetime=0x00000001,
- type=0x2400, bits=128,
- usage=0x00000300, alg=0x05500200, alg2=0x04c01000,
- material=b'@ABCDEFGHIJKLMNO')
- expected_hex = '505341004b45590000000000010000000024800000030000000250050010c00410000000404142434445464748494a4b4c4d4e4f'
- self.assertEqual(key.bytes(), bytes.fromhex(expected_hex))
- self.assertEqual(key.hex(), expected_hex)
-
- def test_names(self):
- length = 0xfff8 // 8 # PSA_MAX_KEY_BITS in bytes
- key = Key(version=0,
- id=1, lifetime='PSA_KEY_LIFETIME_PERSISTENT',
- type='PSA_KEY_TYPE_RAW_DATA', bits=length*8,
- usage=0, alg=0, alg2=0,
- material=b'\x00' * length)
- expected_hex = '505341004b45590000000000010000000110f8ff000000000000000000000000ff1f0000' + '00' * length
- self.assertEqual(key.bytes(), bytes.fromhex(expected_hex))
- self.assertEqual(key.hex(), expected_hex)
-
- def test_defaults(self):
- key = Key(type=0x1001, bits=8,
- usage=0, alg=0, alg2=0,
- material=b'\x2a')
- expected_hex = '505341004b455900000000000100000001100800000000000000000000000000010000002a'
- self.assertEqual(key.bytes(), bytes.fromhex(expected_hex))
- self.assertEqual(key.hex(), expected_hex)
diff --git a/scripts/mbedtls_dev/test_case.py b/scripts/mbedtls_dev/test_case.py
deleted file mode 100644
index 8f08703..0000000
--- a/scripts/mbedtls_dev/test_case.py
+++ /dev/null
@@ -1,102 +0,0 @@
-"""Library for constructing an Mbed TLS test case.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import binascii
-import os
-import sys
-from typing import Iterable, List, Optional
-
-from . import typing_util
-
-def hex_string(data: bytes) -> str:
- return '"' + binascii.hexlify(data).decode('ascii') + '"'
-
-
-class MissingDescription(Exception):
- pass
-
-class MissingFunction(Exception):
- pass
-
-class TestCase:
- """An Mbed TLS test case."""
-
- def __init__(self, description: Optional[str] = None):
- self.comments = [] #type: List[str]
- self.description = description #type: Optional[str]
- self.dependencies = [] #type: List[str]
- self.function = None #type: Optional[str]
- self.arguments = [] #type: List[str]
-
- def add_comment(self, *lines: str) -> None:
- self.comments += lines
-
- def set_description(self, description: str) -> None:
- self.description = description
-
- def set_dependencies(self, dependencies: List[str]) -> None:
- self.dependencies = dependencies
-
- def set_function(self, function: str) -> None:
- self.function = function
-
- def set_arguments(self, arguments: List[str]) -> None:
- self.arguments = arguments
-
- def check_completeness(self) -> None:
- if self.description is None:
- raise MissingDescription
- if self.function is None:
- raise MissingFunction
-
- def write(self, out: typing_util.Writable) -> None:
- """Write the .data file paragraph for this test case.
-
- The output starts and ends with a single newline character. If the
- surrounding code writes lines (consisting of non-newline characters
- and a final newline), you will end up with a blank line before, but
- not after the test case.
- """
- self.check_completeness()
- assert self.description is not None # guide mypy
- assert self.function is not None # guide mypy
- out.write('\n')
- for line in self.comments:
- out.write('# ' + line + '\n')
- out.write(self.description + '\n')
- if self.dependencies:
- out.write('depends_on:' + ':'.join(self.dependencies) + '\n')
- out.write(self.function + ':' + ':'.join(self.arguments) + '\n')
-
-def write_data_file(filename: str,
- test_cases: Iterable[TestCase],
- caller: Optional[str] = None) -> None:
- """Write the test cases to the specified file.
-
- If the file already exists, it is overwritten.
- """
- if caller is None:
- caller = os.path.basename(sys.argv[0])
- tempfile = filename + '.new'
- with open(tempfile, 'w') as out:
- out.write('# Automatically generated by {}. Do not edit!\n'
- .format(caller))
- for tc in test_cases:
- tc.write(out)
- out.write('\n# End of automatically generated file.\n')
- os.replace(tempfile, filename)
diff --git a/scripts/mbedtls_dev/test_data_generation.py b/scripts/mbedtls_dev/test_data_generation.py
deleted file mode 100644
index 02aa510..0000000
--- a/scripts/mbedtls_dev/test_data_generation.py
+++ /dev/null
@@ -1,235 +0,0 @@
-"""Common code for test data generation.
-
-This module defines classes that are of general use to automatically
-generate .data files for unit tests, as well as a main function.
-
-These are used both by generate_psa_tests.py and generate_bignum_tests.py.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import argparse
-import os
-import posixpath
-import re
-import inspect
-
-from abc import ABCMeta, abstractmethod
-from typing import Callable, Dict, Iterable, Iterator, List, Type, TypeVar
-
-from . import build_tree
-from . import test_case
-
-T = TypeVar('T') #pylint: disable=invalid-name
-
-
-class BaseTest(metaclass=ABCMeta):
- """Base class for test case generation.
-
- Attributes:
- count: Counter for test cases from this class.
- case_description: Short description of the test case. This may be
- automatically generated using the class, or manually set.
- dependencies: A list of dependencies required for the test case.
- show_test_count: Toggle for inclusion of `count` in the test description.
- test_function: Test function which the class generates cases for.
- test_name: A common name or description of the test function. This can
- be `test_function`, a clearer equivalent, or a short summary of the
- test function's purpose.
- """
- count = 0
- case_description = ""
- dependencies = [] # type: List[str]
- show_test_count = True
- test_function = ""
- test_name = ""
-
- def __new__(cls, *args, **kwargs):
- # pylint: disable=unused-argument
- cls.count += 1
- return super().__new__(cls)
-
- @abstractmethod
- def arguments(self) -> List[str]:
- """Get the list of arguments for the test case.
-
- Override this method to provide the list of arguments required for
- the `test_function`.
-
- Returns:
- List of arguments required for the test function.
- """
- raise NotImplementedError
-
- def description(self) -> str:
- """Create a test case description.
-
- Creates a description of the test case, including a name for the test
- function, an optional case count, and a description of the specific
- test case. This should inform a reader what is being tested, and
- provide context for the test case.
-
- Returns:
- Description for the test case.
- """
- if self.show_test_count:
- return "{} #{} {}".format(
- self.test_name, self.count, self.case_description
- ).strip()
- else:
- return "{} {}".format(self.test_name, self.case_description).strip()
-
-
- def create_test_case(self) -> test_case.TestCase:
- """Generate TestCase from the instance."""
- tc = test_case.TestCase()
- tc.set_description(self.description())
- tc.set_function(self.test_function)
- tc.set_arguments(self.arguments())
- tc.set_dependencies(self.dependencies)
-
- return tc
-
- @classmethod
- @abstractmethod
- def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
- """Generate test cases for the class test function.
-
- This will be called in classes where `test_function` is set.
- Implementations should yield TestCase objects, by creating instances
- of the class with appropriate input data, and then calling
- `create_test_case()` on each.
- """
- raise NotImplementedError
-
-
-class BaseTarget:
- #pylint: disable=too-few-public-methods
- """Base target for test case generation.
-
- Child classes of this class represent an output file, and can be referred
- to as file targets. These indicate where test cases will be written to for
- all subclasses of the file target, which is set by `target_basename`.
-
- Attributes:
- target_basename: Basename of file to write generated tests to. This
- should be specified in a child class of BaseTarget.
- """
- target_basename = ""
-
- @classmethod
- def generate_tests(cls) -> Iterator[test_case.TestCase]:
- """Generate test cases for the class and its subclasses.
-
- In classes with `test_function` set, `generate_function_tests()` is
- called to generate test cases first.
-
- In all classes, this method will iterate over its subclasses, and
- yield from `generate_tests()` in each. Calling this method on a class X
- will yield test cases from all classes derived from X.
- """
- if issubclass(cls, BaseTest) and not inspect.isabstract(cls):
- #pylint: disable=no-member
- yield from cls.generate_function_tests()
- for subclass in sorted(cls.__subclasses__(), key=lambda c: c.__name__):
- yield from subclass.generate_tests()
-
-
-class TestGenerator:
- """Generate test cases and write to data files."""
- def __init__(self, options) -> None:
- self.test_suite_directory = options.directory
- # Update `targets` with an entry for each child class of BaseTarget.
- # Each entry represents a file generated by the BaseTarget framework,
- # and enables generating the .data files using the CLI.
- self.targets.update({
- subclass.target_basename: subclass.generate_tests
- for subclass in BaseTarget.__subclasses__()
- if subclass.target_basename
- })
-
- def filename_for(self, basename: str) -> str:
- """The location of the data file with the specified base name."""
- return posixpath.join(self.test_suite_directory, basename + '.data')
-
- def write_test_data_file(self, basename: str,
- test_cases: Iterable[test_case.TestCase]) -> None:
- """Write the test cases to a .data file.
-
- The output file is ``basename + '.data'`` in the test suite directory.
- """
- filename = self.filename_for(basename)
- test_case.write_data_file(filename, test_cases)
-
- # Note that targets whose names contain 'test_format' have their content
- # validated by `abi_check.py`.
- targets = {} # type: Dict[str, Callable[..., Iterable[test_case.TestCase]]]
-
- def generate_target(self, name: str, *target_args) -> None:
- """Generate cases and write to data file for a target.
-
- For target callables which require arguments, override this function
- and pass these arguments using super() (see PSATestGenerator).
- """
- test_cases = self.targets[name](*target_args)
- self.write_test_data_file(name, test_cases)
-
-def main(args, description: str, generator_class: Type[TestGenerator] = TestGenerator):
- """Command line entry point."""
- parser = argparse.ArgumentParser(description=description)
- parser.add_argument('--list', action='store_true',
- help='List available targets and exit')
- parser.add_argument('--list-for-cmake', action='store_true',
- help='Print \';\'-separated list of available targets and exit')
- # If specified explicitly, this option may be a path relative to the
- # current directory when the script is invoked. The default value
- # is relative to the mbedtls root, which we don't know yet. So we
- # can't set a string as the default value here.
- parser.add_argument('--directory', metavar='DIR',
- help='Output directory (default: tests/suites)')
- parser.add_argument('targets', nargs='*', metavar='TARGET',
- help='Target file to generate (default: all; "-": none)')
- options = parser.parse_args(args)
-
- # Change to the mbedtls root, to keep things simple. But first, adjust
- # command line options that might be relative paths.
- if options.directory is None:
- options.directory = 'tests/suites'
- else:
- options.directory = os.path.abspath(options.directory)
- build_tree.chdir_to_root()
-
- generator = generator_class(options)
- if options.list:
- for name in sorted(generator.targets):
- print(generator.filename_for(name))
- return
- # List in a cmake list format (i.e. ';'-separated)
- if options.list_for_cmake:
- print(';'.join(generator.filename_for(name)
- for name in sorted(generator.targets)), end='')
- return
- if options.targets:
- # Allow "-" as a special case so you can run
- # ``generate_xxx_tests.py - $targets`` and it works uniformly whether
- # ``$targets`` is empty or not.
- options.targets = [os.path.basename(re.sub(r'\.data\Z', r'', target))
- for target in options.targets
- if target != '-']
- else:
- options.targets = sorted(generator.targets)
- for target in options.targets:
- generator.generate_target(target)
diff --git a/scripts/mbedtls_dev/typing_util.py b/scripts/mbedtls_dev/typing_util.py
deleted file mode 100644
index 4c34449..0000000
--- a/scripts/mbedtls_dev/typing_util.py
+++ /dev/null
@@ -1,39 +0,0 @@
-"""Auxiliary definitions used in type annotations.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from typing import Any
-
-# The typing_extensions module is necessary for type annotations that are
-# checked with mypy. It is only used for type annotations or to define
-# things that are themselves only used for type annotations. It is not
-# available on a default Python installation. Therefore, try loading
-# what we need from it for the sake of mypy (which depends on, or comes
-# with, typing_extensions), and if not define substitutes that lack the
-# static type information but are good enough at runtime.
-try:
- from typing_extensions import Protocol #pylint: disable=import-error
-except ImportError:
- class Protocol: #type: ignore
- #pylint: disable=too-few-public-methods
- pass
-
-class Writable(Protocol):
- """Abstract class for typing hints."""
- # pylint: disable=no-self-use,too-few-public-methods,unused-argument
- def write(self, text: str) -> Any:
- ...
diff --git a/scripts/memory.sh b/scripts/memory.sh
index e3ce9d6..d119374 100755
--- a/scripts/memory.sh
+++ b/scripts/memory.sh
@@ -7,19 +7,7 @@
# since for memory we want debug information.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
diff --git a/scripts/min_requirements.py b/scripts/min_requirements.py
index c00d58e..b36f906 100755
--- a/scripts/min_requirements.py
+++ b/scripts/min_requirements.py
@@ -3,19 +3,7 @@
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import os
@@ -26,7 +14,9 @@ import tempfile
import typing
from typing import List, Optional
-from mbedtls_dev import typing_util
+
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework import typing_util
def pylint_doesn_t_notice_that_certain_types_are_used_in_annotations(
_list: List[typing.Any],
diff --git a/scripts/output_env.sh b/scripts/output_env.sh
index 302f3fd..b056ffd 100755
--- a/scripts/output_env.sh
+++ b/scripts/output_env.sh
@@ -3,19 +3,7 @@
# output_env.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/scripts/prepare_release.sh b/scripts/prepare_release.sh
index 800383d..3b63ed9 100755
--- a/scripts/prepare_release.sh
+++ b/scripts/prepare_release.sh
@@ -12,19 +12,7 @@ EOF
}
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
@@ -51,11 +39,11 @@ done
GITIGNORES=$(find . -name ".gitignore")
for GITIGNORE in $GITIGNORES; do
if [ -n "$unrelease" ]; then
- sed -i '/###START_COMMENTED_GENERATED_FILES###/,/###END_COMMENTED_GENERATED_FILES###/s/^# //' $GITIGNORE
+ sed -i '/###START_COMMENTED_GENERATED_FILES###/,/###END_COMMENTED_GENERATED_FILES###/s/^#//' $GITIGNORE
sed -i 's/###START_COMMENTED_GENERATED_FILES###/###START_GENERATED_FILES###/' $GITIGNORE
sed -i 's/###END_COMMENTED_GENERATED_FILES###/###END_GENERATED_FILES###/' $GITIGNORE
else
- sed -i '/###START_GENERATED_FILES###/,/###END_GENERATED_FILES###/s/^/# /' $GITIGNORE
+ sed -i '/###START_GENERATED_FILES###/,/###END_GENERATED_FILES###/s/^/#/' $GITIGNORE
sed -i 's/###START_GENERATED_FILES###/###START_COMMENTED_GENERATED_FILES###/' $GITIGNORE
sed -i 's/###END_GENERATED_FILES###/###END_COMMENTED_GENERATED_FILES###/' $GITIGNORE
fi
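Review bot: The uncomment expression `s/^#//` only round-trips files that this version of the script commented out. A `.gitignore` left in the old `# `-prefixed form, for instance on a release branch prepared with the previous script, would come out with a leading space on every pattern and on the marker lines, and git would presumably treat those as patterns that begin with a space rather than as the intended entries. Accepting both forms in the unrelease branch avoids that: `sed -i '/###START_COMMENTED_GENERATED_FILES###/,/###END_COMMENTED_GENERATED_FILES###/s/^# \{0,1\}//' $GITIGNORE`. The `for` loop closes outside this hunk.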
diff --git a/scripts/rm-calloc-cast.cocci b/scripts/rm-calloc-cast.cocci
deleted file mode 100644
index 89481c0..0000000
--- a/scripts/rm-calloc-cast.cocci
+++ /dev/null
@@ -1,7 +0,0 @@
-@rm_calloc_cast@
-expression x, n, m;
-type T;
-@@
- x =
-- (T *)
- mbedtls_calloc(n, m)
diff --git a/scripts/tmp_ignore_makefiles.sh b/scripts/tmp_ignore_makefiles.sh
index 558970f..455f892 100755
--- a/scripts/tmp_ignore_makefiles.sh
+++ b/scripts/tmp_ignore_makefiles.sh
@@ -4,19 +4,7 @@
# git development
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
IGNORE=""
diff --git a/scripts/windows_msbuild.bat b/scripts/windows_msbuild.bat
index ff2b9f2..2bc6a51 100644
--- a/scripts/windows_msbuild.bat
+++ b/scripts/windows_msbuild.bat
@@ -14,7 +14,7 @@ if not "%~1"=="" set "retarget=,PlatformToolset=%1"
@rem vcvarsall.bat will silently change the directory to that directory.
@rem Setting the VSCMD_START_DIR environment variable causes it to change
@rem to that directory instead.
-set "VSCMD_START_DIR=%~dp0\..\visualc\VS2013"
+set "VSCMD_START_DIR=%~dp0\..\visualc\VS2017"
"%vcvarsall%" x64 && ^
msbuild /t:Rebuild /p:Configuration=%cfg%%retarget% /m mbedTLS.sln
diff --git a/tests/.gitignore b/tests/.gitignore
index 973ebb5..870fa79 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -3,22 +3,26 @@
*.log
/test_suite*
-data_files/mpi_write
-data_files/hmac_drbg_seed
-data_files/ctr_drbg_seed
-data_files/entropy_seed
+/data_files/mpi_write
+/data_files/hmac_drbg_seed
+/data_files/ctr_drbg_seed
+/data_files/entropy_seed
-include/alt-extra/psa/crypto_platform_alt.h
-include/alt-extra/psa/crypto_struct_alt.h
-include/test/instrument_record_status.h
+/include/alt-extra/psa/crypto_platform_alt.h
+/include/alt-extra/psa/crypto_struct_alt.h
+/include/test/instrument_record_status.h
-src/libmbed*
+/src/libmbed*
-libtestdriver1/*
+/libtestdriver1/*
###START_GENERATED_FILES###
# Generated source files
/suites/*.generated.data
+/suites/test_suite_config.mbedtls_boolean.data
+/suites/test_suite_config.psa_boolean.data
/suites/test_suite_psa_crypto_storage_format.v[0-9]*.data
/suites/test_suite_psa_crypto_storage_format.current.data
+/src/test_keys.h
+/src/test_certs.h
###END_GENERATED_FILES###
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 0869aaa..fd15a5f 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,5 +1,6 @@
set(libs
${mbedtls_target}
+ ${CMAKE_THREAD_LIBS_INIT}
)
# Set the project root directory if it's not already defined, as may happen if
@@ -20,7 +21,7 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/suites)
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -32,7 +33,19 @@ string(REGEX REPLACE "[^;]*/" ""
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py
+ --list-for-cmake
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ OUTPUT_VARIABLE
+ base_config_generated_data_files)
+string(REGEX REPLACE "[^;]*/" ""
+ base_config_generated_data_files "${base_config_generated_data_files}")
+
+execute_process(
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
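Review bot: The added `execute_process()` call for `generate_config_tests.py` captures no exit status, so a failure at configure time leaves `base_config_generated_data_files` empty with no diagnostic. A missing `../framework` tree is one way this could happen. The `tests/Makefile` side of this commit guards the same listing with `|| echo FAILED` and `$(error ...)`. I would add `RESULT_VARIABLE config_list_result` to the call and follow it with `if(NOT config_list_result EQUAL 0)` around a `message(FATAL_ERROR ...)`. The neighbouring bignum, ecp and psa calls follow the same unchecked pattern, and their bodies extend outside these hunks.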
@@ -44,7 +57,7 @@ string(REGEX REPLACE "[^;]*/" ""
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -60,11 +73,15 @@ set(base_generated_data_files
string(REGEX REPLACE "([^;]+)" "suites/\\1"
all_generated_data_files "${base_generated_data_files}")
set(bignum_generated_data_files "")
+set(config_generated_data_files "")
set(ecp_generated_data_files "")
set(psa_generated_data_files "")
foreach(file ${base_bignum_generated_data_files})
list(APPEND bignum_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
+foreach(file ${base_config_generated_data_files})
+ list(APPEND config_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
+endforeach()
foreach(file ${base_ecp_generated_data_files})
list(APPEND ecp_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
@@ -80,16 +97,31 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
+ --directory ${CMAKE_CURRENT_BINARY_DIR}/suites
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_core.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod_raw.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
+ )
+ add_custom_command(
+ OUTPUT
+ ${config_generated_data_files}
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_core.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod_raw.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py
+ # Do not declare the configuration files as dependencies: they
+ # change too often in ways that don't affect the result
+ # ((un)commenting some options).
)
add_custom_command(
OUTPUT
@@ -98,14 +130,14 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/ecp.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/ecp.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
)
add_custom_command(
OUTPUT
@@ -114,20 +146,20 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
- ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_data_tests.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_knowledge.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/macro_collector.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_information.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_storage.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
- ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_config.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_values.h
- ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_extra.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_data_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_knowledge.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/macro_collector.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_information.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_storage.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_config.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_values.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_extra.h
)
else()
@@ -141,6 +173,7 @@ endif()
# With this line, only 4 sub-makefiles include the above command, that reduces
# the risk of a race.
add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files})
+add_custom_target(test_suite_config_generated_data DEPENDS ${config_generated_data_files})
add_custom_target(test_suite_ecp_generated_data DEPENDS ${ecp_generated_data_files})
add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files})
# If SKIP_TEST_SUITES is not defined with -D, get it from the environment.
@@ -198,6 +231,10 @@ function(add_test_suite suite_name)
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_bignum_generated_data)
+ elseif(";${config_generated_data_names};" MATCHES ";${data_name};")
+ set(data_file
+ ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
+ set(dependency test_suite_bignum_generated_data)
elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
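Review bot: The new `config_generated_data_names` branch sets `dependency` to `test_suite_bignum_generated_data`, which looks like a copy-paste from the branch above. The target this commit adds for these files is `test_suite_config_generated_data`, so the line should read `set(dependency test_suite_config_generated_data)`. Separately, no visible hunk populates `config_generated_data_names`. If it is not built alongside the bignum, ecp and psa name lists elsewhere in `add_test_suite`, this branch never matches and config suites fall through to the source-directory `data_file` in the `else()` case. The body of `add_test_suite` starts and ends outside this hunk, so that part needs confirming against the full file.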
@@ -209,7 +246,11 @@ function(add_test_suite suite_name)
else()
set(data_file
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data)
- set(dependency test_suite_bignum_generated_data test_suite_ecp_generated_data test_suite_psa_generated_data)
+ set(dependency
+ test_suite_bignum_generated_data
+ test_suite_config_generated_data
+ test_suite_ecp_generated_data
+ test_suite_psa_generated_data)
endif()
add_custom_command(
@@ -219,7 +260,7 @@ function(add_test_suite suite_name)
test_suite_${data_name}.c
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
- ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py
-f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
-d ${data_file}
-t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
@@ -228,7 +269,7 @@ function(add_test_suite suite_name)
--helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function
-o .
DEPENDS
- ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
${data_file}
${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
@@ -250,7 +291,11 @@ function(add_test_suite suite_name)
# them as PUBLIC.
target_include_directories(test_suite_${data_name}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
- PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library)
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/core
+ PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/src)
+ # Request C11, which is needed for memory poisoning tests
+ set_target_properties(test_suite_${data_name} PROPERTIES C_STANDARD 11)
if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})
message(STATUS "The test suite ${data_name} will not be executed.")
@@ -297,7 +342,7 @@ if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
link_to_source(Descriptions.txt)
link_to_source(compat.sh)
link_to_source(context-info.sh)
- link_to_source(data_files)
+ link_to_source(../framework/data_files)
link_to_source(scripts)
link_to_source(ssl-opt.sh)
link_to_source(opt-testcases)
diff --git a/tests/Makefile b/tests/Makefile
index 2249a55..95cd461 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,101 +1,62 @@
-
-# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
-
-CFLAGS ?= -O2
-WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-LDFLAGS ?=
+MBEDTLS_TEST_PATH = .
+include ../scripts/common.make
# Set this to -v to see the details of failing test cases
TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,)
-default: all
-
-# Include public header files from ../include, test-specific header files
-# from ./include, and private header files (used by some invasive tests)
-# from ../library.
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I./include -I../include -I../library -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = -L../library \
- -lmbedtls$(SHARED_SUFFIX) \
- -lmbedx509$(SHARED_SUFFIX) \
- -lmbedcrypto$(SHARED_SUFFIX)
+# Also include private headers, for the sake of invasive tests.
+LOCAL_CFLAGS += -I../library -I../tf-psa-crypto/core -I../tf-psa-crypto/drivers/builtin/src
-include ../3rdparty/Makefile.inc
-LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
# Enable definition of various functions used throughout the testsuite
# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
# on non-POSIX platforms.
LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L
-ifndef SHARED
-MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
-else
-MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
-endif
-
-ifdef DEBUG
-LOCAL_CFLAGS += -g3
-endif
-
ifdef RECORD_PSA_STATUS_COVERAGE_LOG
LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG
endif
-# if we're running on Windows, build for Windows
-ifdef WINDOWS
-WINDOWS_BUILD=1
-endif
-
-ifdef WINDOWS_BUILD
-DLEXT=dll
-EXEXT=.exe
-LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-ifdef SHARED
-SHARED_SUFFIX=.$(DLEXT)
-endif
-else
-DLEXT ?= so
-EXEXT=
-SHARED_SUFFIX=
-endif
-
-ifdef WINDOWS
-PYTHON ?= python
-else
-PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
-endif
-
-# See root Makefile
-GEN_FILES ?= yes
-ifdef GEN_FILES
-gen_file_dep =
-else
-gen_file_dep = |
-endif
-
-.PHONY: generated_files
GENERATED_BIGNUM_DATA_FILES := $(patsubst tests/%,%,$(shell \
- $(PYTHON) scripts/generate_bignum_tests.py --list || \
+ $(PYTHON) ../framework/scripts/generate_bignum_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)
-$(error "$(PYTHON) scripts/generate_bignum_tests.py --list" failed)
+$(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed)
+endif
+GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES)
+
+GENERATED_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \
+ $(PYTHON) ../framework/scripts/generate_config_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_CONFIG_DATA_FILES),FAILED)
+$(error "$(PYTHON) ../framework/scripts/generate_config_tests.py --list" failed)
endif
+GENERATED_DATA_FILES += $(GENERATED_CONFIG_DATA_FILES)
+
GENERATED_ECP_DATA_FILES := $(patsubst tests/%,%,$(shell \
- $(PYTHON) scripts/generate_ecp_tests.py --list || \
+ $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_ECP_DATA_FILES),FAILED)
-$(error "$(PYTHON) scripts/generate_ecp_tests.py --list" failed)
+$(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed)
endif
+GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES)
+
GENERATED_PSA_DATA_FILES := $(patsubst tests/%,%,$(shell \
- $(PYTHON) scripts/generate_psa_tests.py --list || \
+ $(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_PSA_DATA_FILES),FAILED)
-$(error "$(PYTHON) scripts/generate_psa_tests.py --list" failed)
+$(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed)
endif
-GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_ECP_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES)
+GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
+
+GENERATED_FILES = $(GENERATED_DATA_FILES)
+GENERATED_FILES += src/test_keys.h src/test_certs.h
+
+.PHONY: generated_files
generated_files: $(GENERATED_FILES)
# generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing
@@ -104,50 +65,68 @@ generated_files: $(GENERATED_FILES)
# It's rare not to want all the outputs. So always generate all of its outputs.
# Use an intermediate phony dependency so that parallel builds don't run
# a separate instance of the recipe for each output file.
-.SECONDARY: generated_bignum_test_data generated_ecp_test_data generated_psa_test_data
$(GENERATED_BIGNUM_DATA_FILES): $(gen_file_dep) generated_bignum_test_data
-generated_bignum_test_data: scripts/generate_bignum_tests.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_core.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod_raw.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/test_case.py
-generated_bignum_test_data: ../scripts/mbedtls_dev/test_data_generation.py
+generated_bignum_test_data: ../framework/scripts/generate_bignum_tests.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_core.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod_raw.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
generated_bignum_test_data:
echo " Gen $(GENERATED_BIGNUM_DATA_FILES)"
- $(PYTHON) scripts/generate_bignum_tests.py
+ $(PYTHON) ../framework/scripts/generate_bignum_tests.py
+.SECONDARY: generated_bignum_test_data
+
+# We deliberately omit the configuration files (mbedtls_config.h,
+# crypto_config.h) from the depenency list because during development
+# and on the CI, we often edit those in a way that doesn't change the
+# output, to comment out certain options, or even to remove certain
+# lines which do affect the output negatively (it will miss the
+# corresponding test cases).
+$(GENERATED_CONFIG_DATA_FILES): $(gen_file_dep) generated_config_test_data
+generated_config_test_data: ../framework/scripts/generate_config_tests.py
+generated_config_test_data: ../scripts/config.py
+generated_config_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_config_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
+generated_config_test_data:
+ echo " Gen $(GENERATED_CONFIG_DATA_FILES)"
+ $(PYTHON) ../framework/scripts/generate_config_tests.py
+.SECONDARY: generated_config_test_data
$(GENERATED_ECP_DATA_FILES): $(gen_file_dep) generated_ecp_test_data
-generated_ecp_test_data: scripts/generate_ecp_tests.py
-generated_ecp_test_data: ../scripts/mbedtls_dev/bignum_common.py
-generated_ecp_test_data: ../scripts/mbedtls_dev/ecp.py
-generated_ecp_test_data: ../scripts/mbedtls_dev/test_case.py
-generated_ecp_test_data: ../scripts/mbedtls_dev/test_data_generation.py
+generated_ecp_test_data: ../framework/scripts/generate_ecp_tests.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/ecp.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
generated_ecp_test_data:
echo " Gen $(GENERATED_ECP_DATA_FILES)"
- $(PYTHON) scripts/generate_ecp_tests.py
+ $(PYTHON) ../framework/scripts/generate_ecp_tests.py
+.SECONDARY: generated_ecp_test_data
$(GENERATED_PSA_DATA_FILES): $(gen_file_dep) generated_psa_test_data
-generated_psa_test_data: scripts/generate_psa_tests.py
-generated_psa_test_data: ../scripts/mbedtls_dev/crypto_data_tests.py
-generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py
-generated_psa_test_data: ../scripts/mbedtls_dev/macro_collector.py
-generated_psa_test_data: ../scripts/mbedtls_dev/psa_information.py
-generated_psa_test_data: ../scripts/mbedtls_dev/psa_storage.py
-generated_psa_test_data: ../scripts/mbedtls_dev/test_case.py
-generated_psa_test_data: ../scripts/mbedtls_dev/test_data_generation.py
+generated_psa_test_data: ../framework/scripts/generate_psa_tests.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_data_tests.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
## The generated file only depends on the options that are present in
## crypto_config.h, not on which options are set. To avoid regenerating this
## file all the time when switching between configurations, don't declare
## crypto_config.h as a dependency. Remove this file from your working tree
## if you've just added or removed an option in crypto_config.h.
-#generated_psa_test_data: ../include/psa/crypto_config.h
-generated_psa_test_data: ../include/psa/crypto_values.h
-generated_psa_test_data: ../include/psa/crypto_extra.h
+#generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_config.h
+generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_values.h
+generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_extra.h
generated_psa_test_data: suites/test_suite_psa_crypto_metadata.data
generated_psa_test_data:
echo " Gen $(GENERATED_PSA_DATA_FILES) ..."
- $(PYTHON) scripts/generate_psa_tests.py
+ $(PYTHON) ../framework/scripts/generate_psa_tests.py
+.SECONDARY: generated_psa_test_data
# A test application is built for each suites/test_suite_*.data file.
# Application name is same as .data file's base name and can be
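Review bot: The new comment above the `generated_config_test_data` rules misspells "dependency" as "depenency", and it does not say how to recover when an edit to mbedtls_config.h or crypto_config.h does change the output. Because those headers are deliberately left out of the prerequisites, make may keep a stale generated data file, and the comment itself notes that the corresponding test cases would then be missed. I would fix the spelling and close the comment with a sentence like the one on the PSA rule further down, e.g. `# Remove the generated file from your working tree if you've just added or removed an option.`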
@@ -155,7 +134,7 @@ generated_psa_test_data:
DATA_FILES := $(wildcard suites/test_suite_*.data)
# Make sure that generated data files are included even if they don't
# exist yet when the makefile is parsed.
-DATA_FILES += $(filter-out $(DATA_FILES),$(GENERATED_FILES))
+DATA_FILES += $(filter-out $(DATA_FILES),$(GENERATED_DATA_FILES))
APPS = $(basename $(subst suites/,,$(DATA_FILES)))
# Construct executable name by adding OS specific suffix $(EXEXT).
@@ -167,12 +146,14 @@ BINARIES := $(addsuffix $(EXEXT),$(APPS))
all: $(BINARIES)
-$(MBEDLIBS):
- $(MAKE) -C ../library
+mbedtls_test: $(MBEDTLS_TEST_OBJS)
-MBEDTLS_TEST_OBJS=$(patsubst %.c,%.o,$(wildcard src/*.c src/drivers/*.c src/test_helpers/*.c))
+src/test_certs.h: ../framework/scripts/generate_test_cert_macros.py \
+ $($(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies)
+ $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@
-mbedtls_test: $(MBEDTLS_TEST_OBJS)
+src/test_keys.h: ../framework/scripts/generate_test_keys.py
+ $(PYTHON) ../framework/scripts/generate_test_keys.py --output $@
TEST_OBJS_DEPS = $(wildcard include/test/*.h include/test/*/*.h)
ifdef RECORD_PSA_STATUS_COVERAGE_LOG
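Review bot: In the `src/test_certs.h` rule, `$($(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies)` is a make variable reference, not a command substitution, so it expands to nothing unless a variable with that exact name happens to exist. The header then depends only on the generator script, and a changed certificate or key input would not trigger regeneration, leaving the tests to build against stale embedded test credentials. If the intent is to run the script, use `$(shell $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies)`, ideally with the same `|| echo FAILED` guard the `--list` calls earlier in this Makefile use.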
@@ -181,6 +162,7 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG
# therefore the wildcard enumeration above doesn't include it.
TEST_OBJS_DEPS += include/test/instrument_record_status.h
endif
+TEST_OBJS_DEPS += src/test_certs.h src/test_keys.h
# Rule to compile common test C files in src folder
src/%.o : src/%.c $(TEST_OBJS_DEPS)
@@ -213,9 +195,9 @@ c: $(C_FILES)
# dot in .c file's base name.
#
.SECONDEXPANSION:
-%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function
+%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data ../framework/scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function
echo " Gen $@"
- $(PYTHON) scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
+ $(PYTHON) ../framework/scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
-d suites/$*.data \
-t suites/main_test.function \
-p suites/host_test.function \
@@ -226,15 +208,18 @@ c: $(C_FILES)
$(BINARIES): %$(EXEXT): %.c $(MBEDLIBS) $(TEST_OBJS_DEPS) $(MBEDTLS_TEST_OBJS)
echo " CC $<"
- $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(MBEDTLS_TEST_OBJS) $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
clean:
ifndef WINDOWS
+ $(MAKE) -C psa-client-server/psasim clean
rm -rf $(BINARIES) *.c *.datax
- rm -f src/*.o src/drivers/*.o src/test_helpers/*.o src/libmbed*
+ rm -f src/*.o src/drivers/*.o src/test_helpers/*.o src/libmbed* src/test_keys.h src/test_certs.h
+ rm -f src/test_keys.h src/test_certs.h
rm -f include/test/instrument_record_status.h
rm -f include/alt-extra/*/*_alt.h
rm -rf libtestdriver1
+ rm -rf libpsaclient libpsaserver
rm -f ../library/libtestdriver1.a
else
if exist *.c del /Q /F *.c
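Review bot: In the non-Windows `clean` recipe, `src/test_keys.h src/test_certs.h` are removed twice, once appended to the existing `rm -f src/*.o ...` line and again by the added `rm -f src/test_keys.h src/test_certs.h` line. It is harmless, but one of the two should go; keeping the dedicated line and leaving the object-file line as it was reads more clearly. The recipe also now starts with `$(MAKE) -C psa-client-server/psasim clean`, so a failure there would stop the remaining cleanup; if that is not intended, prefix the line with `-`.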
@@ -242,18 +227,13 @@ else
if exist *.datax del /Q /F *.datax
if exist src/*.o del /Q /F src/*.o
if exist src/drivers/*.o del /Q /F src/drivers/*.o
+ if exist src/test_keys.h del /Q /F src/test_keys.h
+ if exist src/test_certs.h del /Q /F src/test_cers.h
if exist src/test_helpers/*.o del /Q /F src/test_helpers/*.o
if exist src/libmbed* del /Q /F src/libmed*
if exist include/test/instrument_record_status.h del /Q /F include/test/instrument_record_status.h
endif
-neat: clean
-ifndef WINDOWS
- rm -f $(GENERATED_FILES)
-else
- for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
-endif
-
# Test suites caught by SKIP_TEST_SUITES are built but not executed.
check: $(BINARIES)
perl scripts/run-test-suites.pl $(TEST_FLAGS) --skip=$(SKIP_TEST_SUITES)
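Review bot: The added Windows cleanup line `if exist src/test_certs.h del /Q /F src/test_cers.h` tests for one file and deletes a misspelled one, so the generated `src/test_certs.h` survives `make clean` on Windows. It should read `if exist src/test_certs.h del /Q /F src/test_certs.h`. The context line `if exist src/libmbed* del /Q /F src/libmed*` has the same kind of mismatch and could be fixed in the same pass. With the `neat` target removed in this hunk, `clean` is the only target in the visible part of the Makefile that removes these generated headers, so a stale copy would otherwise persist across rebuilds.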
@@ -263,6 +243,10 @@ test: check
# Generate variants of some headers for testing
include/alt-extra/%_alt.h: ../include/%.h
perl -p -e 's/^(# *(define|ifndef) +\w+_)H\b/$${1}ALT_H/' $< >$@
+include/alt-extra/%_alt.h: ../tf-psa-crypto/include/%.h
+ perl -p -e 's/^(# *(define|ifndef) +\w+_)H\b/$${1}ALT_H/' $< >$@
+include/alt-extra/%_alt.h: ../tf-psa-crypto/drivers/builtin/include/%.h
+ perl -p -e 's/^(# *(define|ifndef) +\w+_)H\b/$${1}ALT_H/' $< >$@
# Generate test library
@@ -271,21 +255,35 @@ include/alt-extra/%_alt.h: ../include/%.h
# library. Add a LIBTESTDRIVER1_/libtestdriver1_ to mbedtls_xxx and psa_xxx
# symbols.
define libtestdriver1_rewrite :=
- s!^(\s*#\s*include\s*[\"<])(mbedtls|psa)/!$${1}libtestdriver1/include/$${2}/!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/build_info.h!$${1}libtestdriver1/include/mbedtls/build_info.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/mbedtls_config.h!$${1}libtestdriver1/include/mbedtls/mbedtls_config.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_legacy_crypto.h!$${1}libtestdriver1/include/mbedtls/config_adjust_legacy_crypto.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_x509.h!$${1}libtestdriver1/include/mbedtls/config_adjust_x509.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_ssl.h!$${1}libtestdriver1/include/mbedtls/config_adjust_ssl.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/check_config.h!$${1}libtestdriver1/include/mbedtls/check_config.h!; \
+ s!^(\s*#\s*include\s*[\"<])mbedtls/!$${1}libtestdriver1/tf-psa-crypto/drivers/builtin/include/mbedtls/!; \
+ s!^(\s*#\s*include\s*[\"<])psa/!$${1}libtestdriver1/tf-psa-crypto/include/psa/!; \
next if /^\s*#\s*include/; \
s/\b(?=MBEDTLS_|PSA_)/LIBTESTDRIVER1_/g; \
s/\b(?=mbedtls_|psa_)/libtestdriver1_/g;
endef
libtestdriver1.a:
- # Copy the library and fake a 3rdparty Makefile include.
rm -Rf ./libtestdriver1
mkdir ./libtestdriver1
+ mkdir ./libtestdriver1/tf-psa-crypto
+ mkdir ./libtestdriver1/tf-psa-crypto/drivers
+ mkdir ./libtestdriver1/tf-psa-crypto/drivers/everest
+ mkdir ./libtestdriver1/tf-psa-crypto/drivers/p256-m
+ touch ./libtestdriver1/tf-psa-crypto/drivers/everest/Makefile.inc
+ touch ./libtestdriver1/tf-psa-crypto/drivers/p256-m/Makefile.inc
+ cp -Rf ../framework ./libtestdriver1
cp -Rf ../library ./libtestdriver1
cp -Rf ../include ./libtestdriver1
+ cp -Rf ../tf-psa-crypto/core ./libtestdriver1/tf-psa-crypto
+ cp -Rf ../tf-psa-crypto/include ./libtestdriver1/tf-psa-crypto
+ cp -Rf ../tf-psa-crypto/drivers/builtin ./libtestdriver1/tf-psa-crypto/drivers
cp -Rf ../scripts ./libtestdriver1
- mkdir ./libtestdriver1/3rdparty
- touch ./libtestdriver1/3rdparty/Makefile.inc
# Set the test driver base (minimal) configuration.
cp ./include/test/drivers/config_test_driver.h ./libtestdriver1/include/mbedtls/mbedtls_config.h
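Review bot: The six file-specific substitutions added to `libtestdriver1_rewrite` only work because they run before the catch-all `mbedtls/` rule, and nothing near the macro says so. A comment placed above the `define`, such as `# Headers that stay under include/mbedtls must be rewritten before the generic mbedtls/ rule.`, would keep a later edit from reordering them or forgetting a newly added header. The patterns also leave the dot in names like `build_info.h` unescaped and do not anchor the closing delimiter, so ending each with `\.h[\">]` would make the match exact.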
@@ -295,22 +293,26 @@ libtestdriver1.a:
# library the test library is intended to be linked with extended by
# ./include/test/drivers/crypto_config_test_driver_extension.h to
# mirror the PSA_ACCEL_* macros.
- mv ./libtestdriver1/include/psa/crypto_config.h ./libtestdriver1/include/psa/crypto_config.h.bak
- head -n -1 ./libtestdriver1/include/psa/crypto_config.h.bak > ./libtestdriver1/include/psa/crypto_config.h
- cat ./include/test/drivers/crypto_config_test_driver_extension.h >> ./libtestdriver1/include/psa/crypto_config.h
- echo "#endif /* PSA_CRYPTO_CONFIG_H */" >> ./libtestdriver1/include/psa/crypto_config.h
+ mv ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h.bak
+ head -n -1 ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h.bak > ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
+ cat ./include/test/drivers/crypto_config_test_driver_extension.h >> ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
+ echo "#endif /* PSA_CRYPTO_CONFIG_H */" >> ./libtestdriver1/tf-psa-crypto/include/psa/crypto_config.h
# Prefix MBEDTLS_* PSA_* symbols with LIBTESTDRIVER1_ as well as
# mbedtls_* psa_* symbols with libtestdriver1_ to avoid symbol clash
# when this test driver library is linked with the Mbed TLS library.
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/library/*.[ch]
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/include/*/*.h
+ perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/core/*.[ch]
+ perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/include/*/*.h
+ perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h
+ perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch]
$(MAKE) -C ./libtestdriver1/library CFLAGS="-I../../ $(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a
cp ./libtestdriver1/library/libmbedcrypto.a ../library/libtestdriver1.a
ifdef RECORD_PSA_STATUS_COVERAGE_LOG
-include/test/instrument_record_status.h: ../include/psa/crypto.h Makefile
+include/test/instrument_record_status.h: ../tf-psa-crypto/include/psa/crypto.h Makefile
echo " Gen $@"
- sed <../include/psa/crypto.h >$@ -n 's/^psa_status_t \([A-Za-z0-9_]*\)(.*/#define \1(...) RECORD_STATUS("\1", \1(__VA_ARGS__))/p'
+ sed <../tf-psa-crypto/include/psa/crypto.h >$@ -n 's/^psa_status_t \([A-Za-z0-9_]*\)(.*/#define \1(...) RECORD_STATUS("\1", \1(__VA_ARGS__))/p'
endif
diff --git a/tests/compat-in-docker.sh b/tests/compat-in-docker.sh
index 29c8787..e703c57 100755
--- a/tests/compat-in-docker.sh
+++ b/tests/compat-in-docker.sh
@@ -22,19 +22,7 @@
# - compat.sh for notes about invocation of that script.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
source tests/scripts/docker_env.sh
diff --git a/tests/compat.sh b/tests/compat.sh
index 6506e6c..52f75e0 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -3,19 +3,7 @@
# compat.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -108,6 +96,7 @@ FILTER=""
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE=""
MEMCHECK=0
+MIN_TESTS=1
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -127,7 +116,8 @@ print_usage() {
printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n"
printf " -M|--memcheck\tCheck memory leaks and errors.\n"
printf " -v|--verbose\tSet verbose output.\n"
- printf " --list-test-case\tList all potential test cases (No Execution)\n"
+ printf " --list-test-cases\tList all potential test cases (No Execution)\n"
+ printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
@@ -137,28 +127,34 @@ print_usage() {
print_test_case() {
for i in $3; do
uniform_title $1 $2 $i
- echo $TITLE
+ echo "compat;$TITLE"
done
}
-# list_test_case lists all potential test cases in compat.sh without execution
-list_test_case() {
- reset_ciphersuites
+# list_test_cases lists all potential test cases in compat.sh without execution
+list_test_cases() {
for TYPE in $TYPES; do
+ reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_mbedtls_ciphersuites
- done
- for VERIFY in $VERIFIES; do
- VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
- for MODE in $MODES; do
- print_test_case m O "$O_CIPHERS"
- print_test_case O m "$O_CIPHERS"
- print_test_case m G "$G_CIPHERS"
- print_test_case G m "$G_CIPHERS"
- print_test_case m m "$M_CIPHERS"
+ # PSK cipher suites do not allow client certificate verification.
+ SUB_VERIFIES=$VERIFIES
+ if [ "$TYPE" = "PSK" ]; then
+ SUB_VERIFIES="NO"
+ fi
+
+ for VERIFY in $SUB_VERIFIES; do
+ VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
+ for MODE in $MODES; do
+ print_test_case m O "$O_CIPHERS"
+ print_test_case O m "$O_CIPHERS"
+ print_test_case m G "$G_CIPHERS"
+ print_test_case G m "$G_CIPHERS"
+ print_test_case m m "$M_CIPHERS"
+ done
done
done
}
@@ -191,11 +187,14 @@ get_options() {
MEMCHECK=1
;;
# Please check scripts/check_test_cases.py correspondingly
- # if you have to modify option, --list-test-case
- --list-test-case)
- list_test_case
+ # if you have to modify option, --list-test-cases
+ --list-test-cases)
+ list_test_cases
exit $?
;;
+ --min)
+ shift; MIN_TESTS=$1
+ ;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
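Review bot: The new `--min` case stores `$1` in `MIN_TESTS` without checking that an argument follows or that it is a non-negative integer. The check added near the end of the script uses it unquoted in `[ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]`; with an empty or non-numeric value `[` reports an error and the `if` branch is not taken, so the guard against a run that executed no tests fails open. Validating right after the shift, e.g. `case "$MIN_TESTS" in ''|*[!0-9]*) echo "--min needs a non-negative integer" >&2; exit 1;; esac`, closes that. The `case` statement this branch belongs to starts and ends outside the hunk.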
@@ -276,12 +275,6 @@ filter_ciphersuites()
# Ciphersuite for GnuTLS
G_CIPHERS=$( filter "$G_CIPHERS" )
fi
-
- # For GnuTLS client -> Mbed TLS server,
- # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
- if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
- G_CIPHERS=""
- fi
}
reset_ciphersuites()
@@ -600,7 +593,18 @@ add_mbedtls_ciphersuites()
# o_check_ciphersuite STANDARD_CIPHER_SUITE
o_check_ciphersuite()
{
- if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
+ # skip DTLS when lack of support was declared
+ if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
+ SKIP_NEXT_="YES"
+ fi
+
+ # skip DTLS 1.2 is support was not detected
+ if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+ SKIP_NEXT="YES"
+ fi
+
+ # skip static ECDH when OpenSSL doesn't support it
+ if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then
case "$1" in
*ECDH_*) SKIP_NEXT="YES"
esac
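Review bot: The first added check in `o_check_ciphersuite` assigns `SKIP_NEXT_="YES"` with a trailing underscore, while the two checks below it set `SKIP_NEXT`. That looks like a typo: with it, setting `OSSL_NO_DTLS` would no longer skip the DTLS cases against OpenSSL (the old `continue` for that case is removed in a later hunk), and they would presumably run and fail. The line should be `SKIP_NEXT="YES"`. The comment `# skip DTLS 1.2 is support was not detected` should read "if support", and `[ ... -a ... ]` is more portably written as two `[ ]` tests joined with `&&`. The function body continues past the end of the hunk.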
@@ -609,6 +613,8 @@ o_check_ciphersuite()
setup_arguments()
{
+ DATA_FILES_PATH="../framework/data_files"
+
O_MODE=""
G_MODE=""
case "$MODE" in
@@ -647,7 +653,7 @@ setup_arguments()
# force it or not for intermediate versions.
case $($OPENSSL version) in
"OpenSSL 1.0"*)
- O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
+ O_SERVER_ARGS="$O_SERVER_ARGS -dhparam $DATA_FILES_PATH/dhparams.pem"
;;
esac
@@ -677,19 +683,34 @@ setup_arguments()
esac
case $($OPENSSL ciphers ALL) in
- *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
- *) O_SUPPORT_ECDH="NO";;
+ *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";;
+ *) O_SUPPORT_STATIC_ECDH="NO";;
esac
+ case $($OPENSSL ciphers ALL) in
+ *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+ *) O_SUPPORT_SINGLE_DES="NO";;
+ esac
+
+ # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+ # supports -dtls1_2 from the s_server help. (The s_client
+ # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+ # but doesn't list it. But the s_server help seems to be
+ # accurate.)
+ O_SUPPORT_DTLS12="NO"
+ if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+ O_SUPPORT_DTLS12="YES"
+ fi
+
if [ "X$VERIFY" = "XYES" ];
then
- M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
- O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
- G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
+ M_SERVER_ARGS="$M_SERVER_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
+ O_SERVER_ARGS="$O_SERVER_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -Verify 10"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --require-client-cert"
- M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
- O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
- G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
+ M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
+ O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -verify 10"
+ G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
else
# don't request a client cert at all
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
@@ -702,28 +723,28 @@ setup_arguments()
case $TYPE in
"ECDSA")
- M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
- O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
- G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+ M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key"
+ O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
if [ "X$VERIFY" = "XYES" ]; then
- M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
- O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
- G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
+ M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key"
+ O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/server6.crt -key $DATA_FILES_PATH/server6.key"
+ G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/server6.crt --x509keyfile $DATA_FILES_PATH/server6.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
;;
"RSA")
- M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
- O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
- G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key"
+ M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
+ O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key"
if [ "X$VERIFY" = "XYES" ]; then
- M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key"
- O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
- G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key"
+ M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/cert_sha256.crt key_file=$DATA_FILES_PATH/server1.key"
+ O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/cert_sha256.crt -key $DATA_FILES_PATH/server1.key"
+ G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/cert_sha256.crt --x509keyfile $DATA_FILES_PATH/server1.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
@@ -732,9 +753,9 @@ setup_arguments()
"PSK")
# give RSA-PSK-capable server a RSA cert
# (should be a separate type, but harder to close with openssl)
- M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
+ M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
- G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
+ G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --pskpasswd $DATA_FILES_PATH/passwd.psk"
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
@@ -869,7 +890,7 @@ wait_client_done() {
}
# uniform_title <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
-# $TITLE is considered as test case description for both --list-test-case and
+# $TITLE is considered as test case description for both --list-test-cases and
# MBEDTLS_TEST_OUTCOME_FILE. This function aims to control the format of
# each test case description.
uniform_title() {
@@ -951,13 +972,7 @@ run_client() {
;;
[Gg]nu*)
- # need to force IPv4 with UDP, but keep localhost for auth
- if is_dtls "$MODE"; then
- G_HOST="127.0.0.1"
- else
- G_HOST="localhost"
- fi
- CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
+ CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 localhost"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -1127,19 +1142,6 @@ for MODE in $MODES; do
[Oo]pen*)
- if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
- continue;
- fi
-
- # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
- # supports $O_MODE from the s_server help. (The s_client
- # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
- # but doesn't list it. But the s_server help seems to be
- # accurate.)
- if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
- continue;
- fi
-
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
@@ -1243,6 +1245,16 @@ fi
PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
+if [ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]; then
+ cat <<EOF
+Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPPED)).
+Maybe a bad filter ('$FILTER' excluding '$EXCLUDE') or a bad configuration?
+EOF
+ if [ $FAILED -eq 0 ]; then
+ FAILED=1
+ fi
+fi
+
FAILED=$(( $FAILED + $SRVMEM ))
if [ $FAILED -gt 255 ]; then
# Clamp at 255 as caller gets exit code & 0xFF
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 38286d1..d825ee9 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable TLS 1.3 and core 1.3 features */
diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h
index a9386a2..f40f838 100644
--- a/tests/configs/user-config-for-test.h
+++ b/tests/configs/user-config-for-test.h
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#if defined(PSA_CRYPTO_DRIVER_TEST_ALL)
@@ -49,24 +37,61 @@
#endif
/* Use the accelerator driver for all cryptographic mechanisms for which
- * the test driver implemented. */
+ * the test driver is implemented. This is copied from psa/crypto_config.h
+ * with the parts not implemented by the test driver commented out. */
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_PASSWORD
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_PASSWORD_HASH
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DES
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR
+//#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY
+
#define MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING
#define MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7
-#define MBEDTLS_PSA_ACCEL_ALG_CTR
+#define MBEDTLS_PSA_ACCEL_ALG_CCM
+#define MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG
+#define MBEDTLS_PSA_ACCEL_ALG_CMAC
#define MBEDTLS_PSA_ACCEL_ALG_CFB
-#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+#define MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305
+#define MBEDTLS_PSA_ACCEL_ALG_CTR
#define MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA
+#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING
+#define MBEDTLS_PSA_ACCEL_ALG_ECDH
+#define MBEDTLS_PSA_ACCEL_ALG_FFDH
+#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+#define MBEDTLS_PSA_ACCEL_ALG_JPAKE
+#define MBEDTLS_PSA_ACCEL_ALG_GCM
+//#define MBEDTLS_PSA_ACCEL_ALG_HKDF
+//#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT
+//#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND
+#define MBEDTLS_PSA_ACCEL_ALG_HMAC
#define MBEDTLS_PSA_ACCEL_ALG_MD5
#define MBEDTLS_PSA_ACCEL_ALG_OFB
+//#define MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC
+//#define MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128
#define MBEDTLS_PSA_ACCEL_ALG_RIPEMD160
+#define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP
+#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT
#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN
#define MBEDTLS_PSA_ACCEL_ALG_RSA_PSS
#define MBEDTLS_PSA_ACCEL_ALG_SHA_1
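Review bot: The disabled entries in this list (`//#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE`, the `HKDF*` and `PBKDF2*` lines here, and the `TLS12_*` lines in the following hunk) are bare `//` comment-outs, so a reader cannot tell a deliberate exclusion from a leftover edit. Judging by their names they are all key-derivation mechanisms, so one grouped comment above each run would be enough, for example `/* Key derivation: not implemented by the test driver, keep disabled. */`. Because the new header comment says the list is a hand copy of psa/crypto_config.h, a mechanism added there later would silently stay on the built-in path under PSA_CRYPTO_DRIVER_TEST_ALL. The header comment could add `Keep in sync with psa/crypto_config.h when mechanisms are added.` to flag that. The enclosing `#if defined(PSA_CRYPTO_DRIVER_TEST_ALL)` block starts before this hunk and closes in the next one.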
@@ -74,9 +99,14 @@
#define MBEDTLS_PSA_ACCEL_ALG_SHA_256
#define MBEDTLS_PSA_ACCEL_ALG_SHA_384
#define MBEDTLS_PSA_ACCEL_ALG_SHA_512
-#define MBEDTLS_PSA_ACCEL_ALG_XTS
-#define MBEDTLS_PSA_ACCEL_ALG_CMAC
-#define MBEDTLS_PSA_ACCEL_ALG_HMAC
+#define MBEDTLS_PSA_ACCEL_ALG_SHA3_224
+#define MBEDTLS_PSA_ACCEL_ALG_SHA3_256
+#define MBEDTLS_PSA_ACCEL_ALG_SHA3_384
+#define MBEDTLS_PSA_ACCEL_ALG_SHA3_512
+#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER
+//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF
+//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS
+//#define MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS
#endif /* PSA_CRYPTO_DRIVER_TEST_ALL */
diff --git a/tests/configs/user-config-malloc-0-null.h b/tests/configs/user-config-malloc-0-null.h
index 226f4d1..fada9ee 100644
--- a/tests/configs/user-config-malloc-0-null.h
+++ b/tests/configs/user-config-malloc-0-null.h
@@ -3,19 +3,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <stdlib.h>
diff --git a/tests/configs/user-config-zeroize-memset.h b/tests/configs/user-config-zeroize-memset.h
index fcdd1f0..52d4b08 100644
--- a/tests/configs/user-config-zeroize-memset.h
+++ b/tests/configs/user-config-zeroize-memset.h
@@ -4,19 +4,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <string.h>
diff --git a/tests/context-info.sh b/tests/context-info.sh
index 88dfcaa..6c08b86 100755
--- a/tests/context-info.sh
+++ b/tests/context-info.sh
@@ -3,19 +3,7 @@
# context-info.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# This program is intended for testing the ssl_context_info program
#
@@ -31,7 +19,7 @@ fi
THIS_SCRIPT_NAME=$(basename "$0")
PROG_PATH="../programs/ssl/ssl_context_info"
OUT_FILE="ssl_context_info.log"
-IN_DIR="data_files/base64"
+IN_DIR="../framework/data_files/base64"
USE_VALGRIND=0
@@ -413,7 +401,7 @@ run_test "Empty file as input" \
-u "Finished. No valid base64 code found"
run_test "Not empty file without base64 code" \
- "../../context-info.sh" \
+ "../../../tests/context-info.sh" \
-n "Deserializing"
run_test "Binary file instead of text file" \
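Review bot: The test input `"../../../tests/context-info.sh"` is correct only because it mirrors the directory depth of `IN_DIR="../framework/data_files/base64"` from the previous hunk, so the two literals must be edited together whenever the data directory moves, as this commit had to do. Assuming run_test resolves its file argument relative to `$IN_DIR` (its definition is outside these hunks), a comment above the test would make the coupling visible, e.g. `# Path is relative to $IN_DIR and points back at this script (text without base64)`. Both paths are also relative to the caller's working directory, which looks intentional given the existing `PROG_PATH="../programs/ssl/ssl_context_info"`. It is worth confirming that the script fails with a clear message when `../framework` is not present.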
diff --git a/tests/data_files/.gitignore b/tests/data_files/.gitignore
deleted file mode 100644
index d16c04c..0000000
--- a/tests/data_files/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-cli-rsa.csr
-server2-rsa.csr
-test-ca.csr
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
deleted file mode 100644
index 21ca489..0000000
--- a/tests/data_files/Makefile
+++ /dev/null
@@ -1,2159 +0,0 @@
-## This file contains a record of how some of the test data was
-## generated. The final build products are committed to the repository
-## as well to make sure that the test data is identical. You do not
-## need to use this makefile unless you're extending Mbed TLS's tests.
-
-## Many data files were generated prior to the existence of this
-## makefile, so the method of their generation was not recorded.
-
-## Note that in addition to depending on the version of the data
-## generation tool, many of the build outputs are randomized, so
-## running this makefile twice would not produce the same results.
-
-## Tools
-OPENSSL ?= openssl
-FAKETIME ?= faketime
-
-TOP_DIR = ../..
-MBEDTLS_CERT_WRITE ?= $(TOP_DIR)/programs/x509/cert_write
-MBEDTLS_CERT_REQ ?= $(TOP_DIR)/programs/x509/cert_req
-
-
-## Build the generated test data. Note that since the final outputs
-## are committed to the repository, this target should do nothing on a
-## fresh checkout. Furthermore, since the generation is randomized,
-## re-running the same targets may result in differing files. The goal
-## of this makefile is primarily to serve as a record of how the
-## targets were generated in the first place.
-default: all_final
-
-all_intermediate := # temporary files
-all_final := # files used by tests
-
-
-
-################################################################
-#### Generate certificates from existing keys
-################################################################
-
-test_ca_crt = test-ca.crt
-test_ca_key_file_rsa = test-ca.key
-test_ca_pwd_rsa = PolarSSLTest
-test_ca_config_file = test-ca.opensslconf
-
-$(test_ca_key_file_rsa):
- $(OPENSSL) genrsa -aes-128-cbc -passout pass:$(test_ca_pwd_rsa) -out $@ 2048
-all_final += $(test_ca_key_file_rsa)
-
-test-ca.req.sha256: $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_rsa) password=$(test_ca_pwd_rsa) subject_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" md=SHA256
-all_intermediate += test-ca.req.sha256
-
-parse_input/test-ca.crt test-ca.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144400 not_after=20290210144400 md=SHA1 version=3 output_file=$@
-all_final += test-ca.crt
-
-parse_input/test-ca.crt.der: parse_input/test-ca.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-
-test-ca.key.der: $(test_ca_key_file_rsa)
- $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER -passin "pass:$(test_ca_pwd_rsa)"
-all_final += test-ca.key.der
-
-# This is only used for generating cert_example_multi_nocn.crt
-test-ca_nocn.crt: $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 selfsign=1 \
- subject_key=$(test_ca_key_file_rsa) subject_pwd=$(test_ca_pwd_rsa) subject_name="C=NL" \
- issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) issuer_name="C=NL" \
- not_before=20190210144400 not_after=20290210144400 md=SHA1 version=3 output_file=$@
-all_intermediate += test-ca_nocn.crt
-
-test-ca-sha1.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144400 not_after=20290210144400 md=SHA1 version=3 output_file=$@
-all_final += test-ca-sha1.crt
-
-test-ca-sha1.crt.der: test-ca-sha1.crt
- $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
-all_final += test-ca-sha1.crt.der
-
-test-ca-sha256.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144400 not_after=20290210144400 md=SHA256 version=3 output_file=$@
-all_final += test-ca-sha256.crt
-
-test-ca-sha256.crt.der: test-ca-sha256.crt
- $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
-all_final += test-ca-sha256.crt.der
-
-test-ca_utf8.crt: $(test_ca_key_file_rsa)
- $(OPENSSL) req -x509 -new -nodes -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 3 -config $(test_ca_config_file) -sha1 -days 3653 -utf8 -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
-all_final += test-ca_utf8.crt
-
-test-ca_printable.crt: $(test_ca_key_file_rsa)
- $(OPENSSL) req -x509 -new -nodes -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 3 -config $(test_ca_config_file) -sha1 -days 3653 -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
-all_final += test-ca_printable.crt
-
-test-ca_uppercase.crt: $(test_ca_key_file_rsa)
- $(OPENSSL) req -x509 -new -nodes -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 3 -config $(test_ca_config_file) -sha1 -days 3653 -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
-all_final += test-ca_uppercase.crt
-
-test_ca_key_file_rsa_alt = test-ca-alt.key
-
-cert_example_multi.csr: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=www.example.com" -set_serial 17 -config $(test_ca_config_file) -extensions dns_alt_names -days 3650 -key rsa_pkcs1_1024_clear.pem -out $@
-
-parse_input/cert_example_multi.crt cert_example_multi.crt: cert_example_multi.csr
- $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \
- -extfile $(test_ca_config_file) -extensions dns_alt_names \
- -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 \
- -in $< > $@
-
-cert_example_multi_nocn.csr: rsa_pkcs1_1024_clear.pem
- $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name='C=NL'
-all_intermediate += cert_example_multi_nocn.csr
-
-parse_input/cert_example_multi_nocn.crt cert_example_multi_nocn.crt: cert_example_multi_nocn.csr test-ca_nocn.crt
- $(OPENSSL) x509 -req -CA test-ca_nocn.crt -CAkey $(test_ca_key_file_rsa) \
- -extfile $(test_ca_config_file) -extensions ext_multi_nocn -passin "pass:$(test_ca_pwd_rsa)" \
- -set_serial 0xf7c67ff8e9a963f9 -days 3653 -sha1 -in $< > $@
-all_final += cert_example_multi_nocn.crt
-
-parse_input/test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage
-parse_input/test_csr_v3_subjectAltName.csr.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_subjectAltName
-parse_input/test_csr_v3_nsCertType.csr.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_nsCertType
-parse_input/test_csr_v3_all.csr.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_all
-parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/300B0603551D0F040403/200B0603551D0F040403/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/0603551D0F0404030201/0703551D0F0404030201/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/050403020102302F0603/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040503020102302F0603/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/040403020102302F0603/040303020102302F0603/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/03020102302F0603551D/04020102302F0603551D/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/3026A02406082B060105/4026A02406082B060105/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/03020780300D06092A86/04020780300D06092A86/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551D0F/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/551D11/551DFF/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/406006092A864886F70D/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D0109/07092A864886F70D0109/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/2A864886F70D01090E/2A864886F70D01090F/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/31533051300B0603551D/32533051300B0603551D/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3151300B0603551D0F04/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/306106092A864886F70D/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/306006092A864886F70D/305906092A864886F70D/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3052300B0603551D0F04/" | xxd -r -p ) > $@
-parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: parse_input/test_csr_v3_all.csr.der
- (hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@
-
-parse_input/test_cert_rfc822name.crt.der: cert_example_multi.csr
- $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -outform DER -extensions rfc822name_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@
-
-$(test_ca_key_file_rsa_alt):test-ca.opensslconf
- $(OPENSSL) genrsa -out $@ 2048
-test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
- $(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
-all_intermediate += test-ca-alt.csr
-test-ca-alt.crt: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) test-ca-alt.csr
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -set_serial 0 -days 3653 -sha256 -in test-ca-alt.csr -out $@
-all_final += test-ca-alt.crt
-test-ca-alt-good.crt: test-ca-alt.crt test-ca-sha256.crt
- cat test-ca-alt.crt test-ca-sha256.crt > $@
-all_final += test-ca-alt-good.crt
-test-ca-good-alt.crt: test-ca-alt.crt test-ca-sha256.crt
- cat test-ca-sha256.crt test-ca-alt.crt > $@
-all_final += test-ca-good-alt.crt
-
-test_ca_crt_file_ec = test-ca2.crt
-test_ca_key_file_ec = test-ca2.key
-
-test-ca2.req.sha256: $(test_ca_key_file_ec)
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) \
- subject_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" md=SHA256
-all_intermediate += test-ca2.req.sha256
-
-test-ca2.crt: $(test_ca_key_file_ec) test-ca2.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 selfsign=1 \
- request_file=test-ca2.req.sha256 \
- issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" \
- issuer_key=$(test_ca_key_file_ec) \
- not_before=20190210144400 not_after=20290210144400 \
- md=SHA256 version=3 output_file=$@
-all_final += test-ca2.crt
-
-test-ca2.ku-%.crt: test-ca2.ku-%.crt.openssl.v3_ext $(test_ca_key_file_ec) test-ca2.req.sha256
- $(OPENSSL) x509 -req -in test-ca2.req.sha256 -extfile $< \
- -signkey $(test_ca_key_file_ec) -days 3653 -out $@
-
-all_final += test-ca2.ku-crl.crt \
- test-ca2.ku-crt.crt \
- test-ca2.ku-crt_crl.crt \
- test-ca2.ku-ds.crt
-
-test-ca2-future.crt: $(test_ca_key_file_ec) test-ca2.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 \
- issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" issuer_key=$(test_ca_key_file_ec) \
- not_before=20290210144400 not_after=20390210144400 md=SHA256 version=3 output_file=$@
-all_intermediate += test-ca2-future.crt
-
-test_ca_ec_cat := # files that concatenate different crt
-test-ca2_cat-future-invalid.crt: test-ca2-future.crt server6.crt
-test_ca_ec_cat += test-ca2_cat-future-invalid.crt
-test-ca2_cat-future-present.crt: test-ca2-future.crt test-ca2.crt
-test_ca_ec_cat += test-ca2_cat-future-present.crt
-test-ca2_cat-present-future.crt: test-ca2.crt test-ca2-future.crt
-test_ca_ec_cat += test-ca2_cat-present-future.crt
-test-ca2_cat-present-past.crt: test-ca2.crt test-ca2-expired.crt
-test_ca_ec_cat += test-ca2_cat-present-past.crt
-test-ca2_cat-past-invalid.crt: test-ca2-expired.crt server6.crt
-test_ca_ec_cat += test-ca2_cat-past-invalid.crt
-test-ca2_cat-past-present.crt: test-ca2-expired.crt test-ca2.crt
-test_ca_ec_cat += test-ca2_cat-past-present.crt
-$(test_ca_ec_cat):
- cat $^ > $@
-all_final += $(test_ca_ec_cat)
-
-parse_input/test-ca-any_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca \
- -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" \
- -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
-
-parse_input/test-ca-any_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca \
- -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 \
- -in test-ca.req_ec.sha256 -out $@
-
-parse_input/test-ca-any_policy_with_qualifier.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_qualifier_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
-
-parse_input/test-ca-any_policy_with_qualifier_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_qualifier_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
-
-parse_input/test-ca-multi_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_multi_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
-
-parse_input/test-ca-multi_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_multi_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
-
-parse_input/test-ca-unsupported_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
-
-parse_input/test-ca-unsupported_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
- $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
-
-test-ca.req_ec.sha256: $(test_ca_key_file_ec)
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL, O=PolarSSL, CN=Polarssl Test EC CA" md=SHA256
-all_intermediate += test-ca.req_ec.sha256
-
-test-ca2.crt.der: $(test_ca_crt_file_ec)
- $(OPENSSL) x509 -in $(test_ca_crt_file_ec) -out $@ -inform PEM -outform DER
-all_final += test-ca2.crt.der
-
-test-ca2.key.der: $(test_ca_key_file_ec)
- $(OPENSSL) pkey -in $(test_ca_key_file_ec) -out $@ -inform PEM -outform DER
-all_final += test-ca2.key.der
-
-test_ca_crt_cat12 = test-ca_cat12.crt
-$(test_ca_crt_cat12): $(test_ca_crt) $(test_ca_crt_file_ec)
- cat $(test_ca_crt) $(test_ca_crt_file_ec) > $@
-all_final += $(test_ca_crt_cat12)
-
-test_ca_crt_cat21 = test-ca_cat21.crt
-$(test_ca_crt_cat21): $(test_ca_crt) $(test_ca_crt_file_ec)
- cat $(test_ca_crt_file_ec) $(test_ca_crt) > $@
-all_final += $(test_ca_crt_cat21)
-
-test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
- $(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
-
-test-int-ca2.csr: test-int-ca2.key $(test_ca_config_file)
- $(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca2.key \
- -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate EC CA" -out $@
-
-test-int-ca3.csr: test-int-ca3.key $(test_ca_config_file)
- $(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca3.key \
- -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -out $@
-
-all_intermediate += test-int-ca.csr test-int-ca2.csr test-int-ca3.csr
-
-test-int-ca.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
- $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca \
- -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
-
-test-int-ca2.crt: $(test_ca_key_file_rsa) $(test_ca_crt) $(test_ca_config_file) test-int-ca2.csr
- $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt) \
- -CAkey $(test_ca_key_file_rsa) -set_serial 15 -days 3653 -sha256 -in test-int-ca2.csr \
- -passin "pass:$(test_ca_pwd_rsa)" -out $@
-
-# Note: This requests openssl version >= 3.x.xx
-test-int-ca3.crt: test-int-ca2.crt test-int-ca2.key $(test_ca_config_file) test-int-ca3.csr
- $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions no_subj_auth_id \
- -CA test-int-ca2.crt -CAkey test-int-ca2.key -set_serial 77 -days 3653 \
- -sha256 -in test-int-ca3.csr -out $@
-
-test-int-ca-exp.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
- $(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
-
-all_final += test-int-ca-exp.crt test-int-ca.crt test-int-ca2.crt test-int-ca3.crt
-
-enco-cert-utf8str.pem: rsa_pkcs1_1024_clear.pem
- $(MBEDTLS_CERT_WRITE) subject_key=rsa_pkcs1_1024_clear.pem subject_name="CN=dw.yonan.net" issuer_crt=enco-ca-prstr.pem issuer_key=rsa_pkcs1_1024_clear.pem not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-
-parse_input/crl-idp.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file)
- $(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_config_file) -name test_ca -md sha256 -crldays 3653 -crlexts crl_ext_idp -out $@
-parse_input/crl-idpnc.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file)
- $(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_config_file) -name test_ca -md sha256 -crldays 3653 -crlexts crl_ext_idp_nc -out $@
-
-cli_crt_key_file_rsa = cli-rsa.key
-cli_crt_extensions_file = cli.opensslconf
-
-cli-rsa.csr: $(cli_crt_key_file_rsa)
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Client 2" md=SHA1
-all_intermediate += cli-rsa.csr
-
-cli-rsa-sha1.crt: cli-rsa.csr
- $(MBEDTLS_CERT_WRITE) request_file=$< serial=4 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-
-cli-rsa-sha256.crt: cli-rsa.csr
- $(MBEDTLS_CERT_WRITE) request_file=$< serial=4 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
-all_final += cli-rsa-sha256.crt
-
-cli-rsa-sha256.crt.der: cli-rsa-sha256.crt
- $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
-all_final += cli-rsa-sha256.crt.der
-
-parse_input/cli-rsa-sha256-badalg.crt.der: cli-rsa-sha256.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D01010B0500/06092A864886F70D01010B0900/2" | xxd -r -p > $@
-
-cli-rsa.key.der: $(cli_crt_key_file_rsa)
- $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
-all_final += cli-rsa.key.der
-
-test_ca_int_rsa1 = test-int-ca.crt
-test_ca_int_ec = test-int-ca2.crt
-test_ca_int_key_file_ec = test-int-ca2.key
-
-# server7*
-
-server7.csr: server7.key
- $(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
-all_intermediate += server7.csr
-
-server7.crt: server7.csr $(test_ca_int_rsa1)
- $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
- -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key \
- -set_serial 16 -days 3653 -sha256 -in server7.csr > $@
-all_final += server7.crt
-
-server7-expired.crt: server7.csr $(test_ca_int_rsa1)
- $(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
-all_final += server7-expired.crt
-
-server7-future.crt: server7.csr $(test_ca_int_rsa1)
- $(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
-all_final += server7-future.crt
-
-server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
-all_final += server7-badsign.crt
-
-parse_input/server7_int-ca.crt server7_int-ca.crt: server7.crt $(test_ca_int_rsa1)
- cat server7.crt $(test_ca_int_rsa1) > $@
-all_final += server7_int-ca.crt
-
-parse_input/server7_pem_space.crt: server7.crt $(test_ca_int_rsa1)
- cat server7.crt $(test_ca_int_rsa1) | sed '4s/\(.\)$$/ \1/' > $@
-
-parse_input/server7_all_space.crt: server7.crt $(test_ca_int_rsa1)
- { cat server7.crt | sed '4s/\(.\)$$/ \1/'; cat test-int-ca.crt | sed '4s/\(.\)$$/ \1/'; } > $@
-
-parse_input/server7_trailing_space.crt: server7.crt $(test_ca_int_rsa1)
- cat server7.crt $(test_ca_int_rsa1) | sed 's/\(.\)$$/\1 /' > $@
-
-server7_int-ca_ca2.crt: server7.crt $(test_ca_int_rsa1) $(test_ca_crt_file_ec)
- cat server7.crt $(test_ca_int_rsa1) $(test_ca_crt_file_ec) > $@
-all_final += server7_int-ca_ca2.crt
-
-server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
- cat server7.crt test-int-ca-exp.crt > $@
-all_final += server7_int-ca-exp.crt
-
-server7_spurious_int-ca.crt: server7.crt $(test_ca_int_ec) $(test_ca_int_rsa1)
- cat server7.crt $(test_ca_int_ec) $(test_ca_int_rsa1) > $@
-all_final += server7_spurious_int-ca.crt
-
-# server8*
-
-server8.crt: server8.key
- $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL, O=PolarSSL, CN=localhost" serial=17 \
- issuer_crt=$(test_ca_int_ec) issuer_key=$(test_ca_int_key_file_ec) \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA256 version=3 output_file=$@
-all_final += server8.crt
-
-server8_int-ca2.crt: server8.crt $(test_ca_int_ec)
- cat $^ > $@
-all_final += server8_int-ca2.crt
-
-cli2.req.sha256: cli2.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Test Client 2" md=SHA256
-all_intermediate += cli2.req.sha256
-
-all_final += server1.req.sha1
-cli2.crt: cli2.req.sha256
- $(MBEDTLS_CERT_WRITE) request_file=cli2.req.sha256 serial=13 selfsign=0 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test EC CA" issuer_key=$(test_ca_key_file_ec) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144400 not_after=20290210144400 md=SHA256 version=3 output_file=$@
-all_final += cli2.crt
-
-cli2.crt.der: cli2.crt
- $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
-all_final += cli2.crt.der
-
-cli2.key.der: cli2.key
- $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
-all_final += cli2.key.der
-
-server5_pwd_ec = PolarSSLTest
-
-server5.crt.der: server5.crt
- $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
-all_final += server5.crt.der
-
-server5.key.der: server5.key
- $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
-all_final += server5.key.der
-
-server5.key.enc: server5.key
- $(OPENSSL) ec -aes256 -in $< -out $@ -passout "pass:$(server5_pwd_ec)"
-all_final += server5.key.enc
-
-server5-ss-expired.crt: server5.key
- $(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
-all_final += server5-ss-expired.crt
-
-# try to forge a copy of test-int-ca3 with different key
-server5-ss-forgeca.crt: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" \
- -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca \
- -days 3650 -sha256 -key $< -out $@
-all_final += server5-ss-forgeca.crt
-
-server5-selfsigned.crt: server5.key
- openssl req -x509 -key server5.key \
- -sha256 -days 3650 -nodes \
- -addext basicConstraints=critical,CA:FALSE \
- -addext keyUsage=critical,digitalSignature \
- -addext subjectKeyIdentifier=hash \
- -addext authorityKeyIdentifier=none \
- -set_serial 0x53a2cb4b124ead837da894b2 \
- -subj "/CN=selfsigned/OU=testing/O=PolarSSL/C=NL" \
- -out $@
-all_final += server5-selfsigned.crt
-
-parse_input/server5-othername.crt.der: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -outform der -out $@
-
-parse_input/server5-nonprintable_othername.crt.der: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -outform der -out $@
-
-parse_input/server5-unsupported_othername.crt.der: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupported_othername_san -days 3650 -sha256 -key $< -outform der -out $@
-
-parse_input/server5-fan.crt.der: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS FAN" -set_serial 77 -config $(test_ca_config_file) -extensions fan_cert -days 3650 -sha256 -key server5.key -outform der -out $@
-
-server5-tricky-ip-san.crt.der: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -outform der -out $@
-
-all_final += server5-tricky-ip-san.crt.der
-
-# malformed IP length
-server5-tricky-ip-san-malformed-len.crt.der: server5-tricky-ip-san.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/87046162636487106162/87056162636487106162/" | xxd -r -p > $@
-
-parse_input/server5-directoryname.crt.der: server5.key
- $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions directory_name_san -days 3650 -sha256 -key server5.key -out $@
-
-parse_input/server5-two-directorynames.crt.der: server5.key
- $(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@
-
-server5-der0.crt: server5.crt.der
- cp $< $@
-server5-der1a.crt: server5.crt.der
- cp $< $@
- echo '00' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-server5-der1b.crt: server5.crt.der
- cp $< $@
- echo 'c1' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-server5-der2.crt: server5.crt.der
- cp $< $@
- echo 'b90a' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-server5-der4.crt: server5.crt.der
- cp $< $@
- echo 'a710945f' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-server5-der8.crt: server5.crt.der
- cp $< $@
- echo 'a4a7ff27267aaa0f' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-server5-der9.crt: server5.crt.der
- cp $< $@
- echo 'cff8303376ffa47a29' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
-all_final += server5-der0.crt server5-der1b.crt server5-der4.crt \
- server5-der9.crt server5-der1a.crt server5-der2.crt \
- server5-der8.crt
-
-# directoryname sequence tag malformed
-parse_input/server5-directoryname-seq-malformed.crt.der: parse_input/server5-two-directorynames.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/62A4473045310B/62A4473145310B/" | xxd -r -p > $@
-
-# Second directoryname OID length malformed 03 -> 15
-parse_input/server5-second-directoryname-oid-malformed.crt.der: parse_input/server5-two-directorynames.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/0355040A0C0A4D414C464F524D5F4D45/1555040A0C0A4D414C464F524D5F4D45/" | xxd -r -p > $@
-
-parse_input/rsa_single_san_uri.crt.der rsa_single_san_uri.crt.der: rsa_single_san_uri.key
- $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
-
-parse_input/rsa_multiple_san_uri.crt.der: rsa_multiple_san_uri.key
- $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
-
-test-int-ca3-badsign.crt: test-int-ca3.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += test-int-ca3-badsign.crt
-
-# server9*
-
-server9.csr: server9.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-parse_input/server9.crt server9.crt: server9-sha1.crt
- cp $< $@
-all_final += server9.crt
-all_intermediate += server9.csr server9-sha1.crt
-
-server9-%.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
- $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
- -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \
- -set_serial $(SERVER9_CRT_SERIAL) -days 3653 \
- -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \
- -sigopt rsa_mgf1_md:$(@F:server9-%.crt=%) -$(@F:server9-%.crt=%) \
- -in $< -out $@
-server9-sha1.crt: SERVER9_CRT_SERIAL=22
-parse_input/server9-sha224.crt server9-sha224.crt: SERVER9_CRT_SERIAL=23
-parse_input/server9-sha256.crt server9-sha256.crt: SERVER9_CRT_SERIAL=24
-parse_input/server9-sha384.crt server9-sha384.crt: SERVER9_CRT_SERIAL=25
-parse_input/server9-sha512.crt server9-sha512.crt: SERVER9_CRT_SERIAL=26
-all_final += server9-sha224.crt server9-sha256.crt server9-sha384.crt server9-sha512.crt
-
-server9-defaults.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
- $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
- -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \
- -set_serial 72 -days 3653 \
- -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max -sha1 \
- -in $< -out $@
-all_final += server9-defaults.crt
-
-server9-badsign.crt: server9.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += server9-badsign.crt
-
-server9-with-ca.crt: server9.crt $(test_ca_crt)
- cat $^ > $@
-all_final += server9-with-ca.crt
-
-# FIXME: This file needs special sequence. It should be update manually
-server9-bad-saltlen.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
- false
-
-server9-bad-mgfhash.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
- $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
- -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \
- -set_serial 24 -days 3653 \
- -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \
- -sigopt rsa_mgf1_md:sha224 -sha256 \
- -in $< -out $@
-all_final += server9-bad-mgfhash.crt
-
-# server10*
-
-server10.crt: server10.key test-int-ca3.crt test-int-ca3.key
- $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="CN=localhost" serial=75 \
- issuer_crt=test-int-ca3.crt issuer_key=test-int-ca3.key \
- subject_identifier=0 authority_identifier=0 \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA256 version=3 output_file=$@
-all_final += server10.crt
-server10-badsign.crt: server10.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += server10-badsign.crt
-server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
- cat server10-badsign.crt test-int-ca3.crt > $@
-all_final += server10-bs_int3.pem
-server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
- cat server10.crt test-int-ca3-badsign.crt > $@
-all_final += server10_int3-bs.pem
-server10_int3_int-ca2.crt: server10.crt test-int-ca3.crt $(test_ca_int_ec)
- cat $^ > $@
-all_final += server10_int3_int-ca2.crt
-server10_int3_int-ca2_ca.crt: server10.crt test-int-ca3.crt $(test_ca_int_ec) $(test_ca_crt)
- cat $^ > $@
-all_final += server10_int3_int-ca2_ca.crt
-server10_int3_spurious_int-ca2.crt: server10.crt test-int-ca3.crt $(test_ca_int_rsa1) $(test_ca_int_ec)
- cat $^ > $@
-all_final += server10_int3_spurious_int-ca2.crt
-
-rsa_pkcs1_2048_public.pem: server8.key
- $(OPENSSL) rsa -in $< -outform PEM -RSAPublicKey_out -out $@
-all_final += rsa_pkcs1_2048_public.pem
-
-rsa_pkcs1_2048_public.der: rsa_pkcs1_2048_public.pem
- $(OPENSSL) rsa -RSAPublicKey_in -in $< -outform DER -RSAPublicKey_out -out $@
-all_final += rsa_pkcs1_2048_public.der
-
-rsa_pkcs8_2048_public.pem: server8.key
- $(OPENSSL) rsa -in $< -outform PEM -pubout -out $@
-all_final += rsa_pkcs8_2048_public.pem
-
-rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem
- $(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@
-all_final += rsa_pkcs8_2048_public.der
-
-# Generate crl_cat_*.pem
-# - crt_cat_*.pem: (1+2) concatenations in various orders:
-# ec = crl-ec-sha256.pem, ecfut = crl-future.pem
-# rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
-
-crl_cat_ec-rsa.pem:crl-ec-sha256.pem crl.pem
- cat $^ > $@
-
-crl_cat_rsa-ec.pem:crl.pem crl-ec-sha256.pem
- cat $^ > $@
-
-all_final += crl_cat_ec-rsa.pem crl_cat_rsa-ec.pem
-
-authorityKeyId_subjectKeyId.crt.der:
- $(OPENSSL) req -x509 -nodes -days 7300 -key server2.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req' -set_serial 593828494303792449134898749208168108403991951034
-
-authorityKeyId_no_keyid.crt.der:
- $(OPENSSL) req -x509 -nodes -days 7300 -key server2.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_authorityKeyId_no_keyid' -set_serial 593828494303792449134898749208168108403991951034
-
-authorityKeyId_no_issuer.crt.der:
- $(OPENSSL) req -x509 -nodes -days 7300 -key server2.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_authorityKeyId_no_issuer'
-
-authorityKeyId_no_authorityKeyId.crt.der:
- $(OPENSSL) req -x509 -nodes -days 7300 -key server2.key -outform DER -out $@ -config authorityKeyId_subjectKeyId.conf -extensions 'v3_req_no_authorityKeyId'
-
-authorityKeyId_subjectKeyId_tag_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/0414A505E864B8DCDF600F50124D60A864AF4D8B4393/0114A505E864B8DCDF600F50124D60A864AF4D8B4393/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_tag_len_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/0414A505E864B8DCDF600F50124D60A864AF4D8B4393/0413A505E864B8DCDF600F50124D60A864AF4D8B4393/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_length_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/306D8014A505E864B8DC/306C8014A505E864B8DC/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/6F306D8014A505E864B8/6F006D8014A505E864B8/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/306D8014A505E864B8DC/306D0014A505E864B8DC/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/306D8014A505E864B8DC/306D80FFA505E864B8DC/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/A13FA43D303B310B3009/003FA43D303B310B3009/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/A43D303B310B30090603/003D303B310B30090603/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/8214680430CD074DE63F/8114680430CD074DE63F/" | xxd -r -p > $@
-
-authorityKeyId_subjectKeyId_sn_len_malformed.crt.der: authorityKeyId_subjectKeyId.crt.der
- hexdump -ve '1/1 "%.2X"' $< | sed "s/8214680430CD074DE63F/8213680430CD074DE63F/" | xxd -r -p > $@
-
-################################################################
-#### Generate various RSA keys
-################################################################
-
-### Password used for PKCS1-encoded encrypted RSA keys
-keys_rsa_basic_pwd = testkey
-
-### Password used for PKCS8-encoded encrypted RSA keys
-keys_rsa_pkcs8_pwd = PolarSSLTest
-
-### Basic 1024-, 2048- and 4096-bit unencrypted RSA keys from which
-### all other encrypted RSA keys are derived.
-rsa_pkcs1_1024_clear.pem:
- $(OPENSSL) genrsa -out $@ 1024
-all_final += rsa_pkcs1_1024_clear.pem
-rsa_pkcs1_2048_clear.pem:
- $(OPENSSL) genrsa -out $@ 2048
-all_final += rsa_pkcs1_2048_clear.pem
-rsa_pkcs1_4096_clear.pem:
- $(OPENSSL) genrsa -out $@ 4096
-all_final += rsa_pkcs1_4096_clear.pem
-
-###
-### PKCS1-encoded, encrypted RSA keys
-###
-
-### 1024-bit
-rsa_pkcs1_1024_des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_1024_des.pem
-rsa_pkcs1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_1024_3des.pem
-rsa_pkcs1_1024_aes128.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_1024_aes128.pem
-rsa_pkcs1_1024_aes192.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_1024_aes192.pem
-rsa_pkcs1_1024_aes256.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_1024_aes256.pem
-keys_rsa_enc_basic_1024: rsa_pkcs1_1024_des.pem rsa_pkcs1_1024_3des.pem rsa_pkcs1_1024_aes128.pem rsa_pkcs1_1024_aes192.pem rsa_pkcs1_1024_aes256.pem
-
-# 2048-bit
-rsa_pkcs1_2048_des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_2048_des.pem
-rsa_pkcs1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_2048_3des.pem
-rsa_pkcs1_2048_aes128.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_2048_aes128.pem
-rsa_pkcs1_2048_aes192.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_2048_aes192.pem
-rsa_pkcs1_2048_aes256.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_2048_aes256.pem
-keys_rsa_enc_basic_2048: rsa_pkcs1_2048_des.pem rsa_pkcs1_2048_3des.pem rsa_pkcs1_2048_aes128.pem rsa_pkcs1_2048_aes192.pem rsa_pkcs1_2048_aes256.pem
-
-# 4096-bit
-rsa_pkcs1_4096_des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_4096_des.pem
-rsa_pkcs1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_4096_3des.pem
-rsa_pkcs1_4096_aes128.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_4096_aes128.pem
-rsa_pkcs1_4096_aes192.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_4096_aes192.pem
-rsa_pkcs1_4096_aes256.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
-all_final += rsa_pkcs1_4096_aes256.pem
-keys_rsa_enc_basic_4096: rsa_pkcs1_4096_des.pem rsa_pkcs1_4096_3des.pem rsa_pkcs1_4096_aes128.pem rsa_pkcs1_4096_aes192.pem rsa_pkcs1_4096_aes256.pem
-
-###
-### PKCS8-v1 encoded, encrypted RSA keys
-###
-
-### 1024-bit
-rsa_pkcs8_pbe_sha1_1024_3des.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_1024_3des.der
-rsa_pkcs8_pbe_sha1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_1024_3des.pem
-keys_rsa_enc_pkcs8_v1_1024_3des: rsa_pkcs8_pbe_sha1_1024_3des.pem rsa_pkcs8_pbe_sha1_1024_3des.der
-
-rsa_pkcs8_pbe_sha1_1024_2des.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_1024_2des.der
-rsa_pkcs8_pbe_sha1_1024_2des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_1024_2des.pem
-keys_rsa_enc_pkcs8_v1_1024_2des: rsa_pkcs8_pbe_sha1_1024_2des.pem rsa_pkcs8_pbe_sha1_1024_2des.der
-
-keys_rsa_enc_pkcs8_v1_1024: keys_rsa_enc_pkcs8_v1_1024_3des keys_rsa_enc_pkcs8_v1_1024_2des
-
-### 2048-bit
-rsa_pkcs8_pbe_sha1_2048_3des.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_2048_3des.der
-rsa_pkcs8_pbe_sha1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_2048_3des.pem
-keys_rsa_enc_pkcs8_v1_2048_3des: rsa_pkcs8_pbe_sha1_2048_3des.pem rsa_pkcs8_pbe_sha1_2048_3des.der
-
-rsa_pkcs8_pbe_sha1_2048_2des.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_2048_2des.der
-rsa_pkcs8_pbe_sha1_2048_2des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_2048_2des.pem
-keys_rsa_enc_pkcs8_v1_2048_2des: rsa_pkcs8_pbe_sha1_2048_2des.pem rsa_pkcs8_pbe_sha1_2048_2des.der
-
-keys_rsa_enc_pkcs8_v1_2048: keys_rsa_enc_pkcs8_v1_2048_3des keys_rsa_enc_pkcs8_v1_2048_2des
-
-### 4096-bit
-rsa_pkcs8_pbe_sha1_4096_3des.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_4096_3des.der
-rsa_pkcs8_pbe_sha1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
-all_final += rsa_pkcs8_pbe_sha1_4096_3des.pem
-keys_rsa_enc_pkcs8_v1_4096_3des: rsa_pkcs8_pbe_sha1_4096_3des.pem rsa_pkcs8_pbe_sha1_4096_3des.der
-
-rsa_pkcs8_pbe_sha1_4096_2des.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_4096_2des.der
-rsa_pkcs8_pbe_sha1_4096_2des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
-all_final += rsa_pkcs8_pbe_sha1_4096_2des.pem
-keys_rsa_enc_pkcs8_v1_4096_2des: rsa_pkcs8_pbe_sha1_4096_2des.pem rsa_pkcs8_pbe_sha1_4096_2des.der
-
-keys_rsa_enc_pkcs8_v1_4096: keys_rsa_enc_pkcs8_v1_4096_3des keys_rsa_enc_pkcs8_v1_4096_2des
-
-###
-### PKCS8-v2 encoded, encrypted RSA keys, no PRF specified (default for OpenSSL1.0: hmacWithSHA1)
-###
-
-### 1024-bit
-rsa_pkcs8_pbes2_pbkdf2_1024_3des.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
-rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
-keys_rsa_enc_pkcs8_v2_1024_3des: rsa_pkcs8_pbes2_pbkdf2_1024_3des.der rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
-
-rsa_pkcs8_pbes2_pbkdf2_1024_des.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.der
-rsa_pkcs8_pbes2_pbkdf2_1024_des.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
-keys_rsa_enc_pkcs8_v2_1024_des: rsa_pkcs8_pbes2_pbkdf2_1024_des.der rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
-
-keys_rsa_enc_pkcs8_v2_1024: keys_rsa_enc_pkcs8_v2_1024_3des keys_rsa_enc_pkcs8_v2_1024_des
-
-### 2048-bit
-rsa_pkcs8_pbes2_pbkdf2_2048_3des.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
-rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
-keys_rsa_enc_pkcs8_v2_2048_3des: rsa_pkcs8_pbes2_pbkdf2_2048_3des.der rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
-
-rsa_pkcs8_pbes2_pbkdf2_2048_des.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.der
-rsa_pkcs8_pbes2_pbkdf2_2048_des.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
-keys_rsa_enc_pkcs8_v2_2048_des: rsa_pkcs8_pbes2_pbkdf2_2048_des.der rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
-
-keys_rsa_enc_pkcs8_v2_2048: keys_rsa_enc_pkcs8_v2_2048_3des keys_rsa_enc_pkcs8_v2_2048_des
-
-### 4096-bit
-rsa_pkcs8_pbes2_pbkdf2_4096_3des.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
-rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
-keys_rsa_enc_pkcs8_v2_4096_3des: rsa_pkcs8_pbes2_pbkdf2_4096_3des.der rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
-
-rsa_pkcs8_pbes2_pbkdf2_4096_des.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.der
-rsa_pkcs8_pbes2_pbkdf2_4096_des.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
-keys_rsa_enc_pkcs8_v2_4096_des: rsa_pkcs8_pbes2_pbkdf2_4096_des.der rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
-
-keys_rsa_enc_pkcs8_v2_4096: keys_rsa_enc_pkcs8_v2_4096_3des keys_rsa_enc_pkcs8_v2_4096_des
-
-###
-### PKCS8-v2 encoded, encrypted RSA keys, PRF hmacWithSHA224
-###
-
-### 1024-bit
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem
-keys_rsa_enc_pkcs8_v2_1024_3des_sha224: rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem
-
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem
-keys_rsa_enc_pkcs8_v2_1024_des_sha224: rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem
-
-keys_rsa_enc_pkcs8_v2_1024_sha224: keys_rsa_enc_pkcs8_v2_1024_3des_sha224 keys_rsa_enc_pkcs8_v2_1024_des_sha224
-
-### 2048-bit
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem
-keys_rsa_enc_pkcs8_v2_2048_3des_sha224: rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem
-
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem
-keys_rsa_enc_pkcs8_v2_2048_des_sha224: rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem
-
-keys_rsa_enc_pkcs8_v2_2048_sha224: keys_rsa_enc_pkcs8_v2_2048_3des_sha224 keys_rsa_enc_pkcs8_v2_2048_des_sha224
-
-### 4096-bit
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem
-keys_rsa_enc_pkcs8_v2_4096_3des_sha224: rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem
-
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA224 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem
-keys_rsa_enc_pkcs8_v2_4096_des_sha224: rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem
-
-keys_rsa_enc_pkcs8_v2_4096_sha224: keys_rsa_enc_pkcs8_v2_4096_3des_sha224 keys_rsa_enc_pkcs8_v2_4096_des_sha224
-
-###
-### PKCS8-v2 encoded, encrypted RSA keys, PRF hmacWithSHA256
-###
-
-### 1024-bit
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem
-keys_rsa_enc_pkcs8_v2_1024_3des_sha256: rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem
-
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem
-keys_rsa_enc_pkcs8_v2_1024_des_sha256: rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem
-
-keys_rsa_enc_pkcs8_v2_1024_sha256: keys_rsa_enc_pkcs8_v2_1024_3des_sha256 keys_rsa_enc_pkcs8_v2_1024_des_sha256
-
-### 2048-bit
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem
-keys_rsa_enc_pkcs8_v2_2048_3des_sha256: rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem
-
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem
-keys_rsa_enc_pkcs8_v2_2048_des_sha256: rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem
-
-keys_rsa_enc_pkcs8_v2_2048_sha256: keys_rsa_enc_pkcs8_v2_2048_3des_sha256 keys_rsa_enc_pkcs8_v2_2048_des_sha256
-
-### 4096-bit
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem
-keys_rsa_enc_pkcs8_v2_4096_3des_sha256: rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem
-
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA256 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem
-keys_rsa_enc_pkcs8_v2_4096_des_sha256: rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem
-
-keys_rsa_enc_pkcs8_v2_4096_sha256: keys_rsa_enc_pkcs8_v2_4096_3des_sha256 keys_rsa_enc_pkcs8_v2_4096_des_sha256
-
-###
-### PKCS8-v2 encoded, encrypted RSA keys, PRF hmacWithSHA384
-###
-
-### 1024-bit
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem
-keys_rsa_enc_pkcs8_v2_1024_3des_sha384: rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem
-
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem
-keys_rsa_enc_pkcs8_v2_1024_des_sha384: rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem
-
-keys_rsa_enc_pkcs8_v2_1024_sha384: keys_rsa_enc_pkcs8_v2_1024_3des_sha384 keys_rsa_enc_pkcs8_v2_1024_des_sha384
-
-### 2048-bit
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem
-keys_rsa_enc_pkcs8_v2_2048_3des_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem
-
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem
-keys_rsa_enc_pkcs8_v2_2048_des_sha384: rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem
-
-keys_rsa_enc_pkcs8_v2_2048_sha384: keys_rsa_enc_pkcs8_v2_2048_3des_sha384 keys_rsa_enc_pkcs8_v2_2048_des_sha384
-
-### 4096-bit
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem
-keys_rsa_enc_pkcs8_v2_4096_3des_sha384: rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem
-
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA384 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem
-keys_rsa_enc_pkcs8_v2_4096_des_sha384: rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem
-
-keys_rsa_enc_pkcs8_v2_4096_sha384: keys_rsa_enc_pkcs8_v2_4096_3des_sha384 keys_rsa_enc_pkcs8_v2_4096_des_sha384
-
-###
-### PKCS8-v2 encoded, encrypted RSA keys, PRF hmacWithSHA512
-###
-
-### 1024-bit
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem
-keys_rsa_enc_pkcs8_v2_1024_3des_sha512: rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem
-
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem: rsa_pkcs1_1024_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem
-keys_rsa_enc_pkcs8_v2_1024_des_sha512: rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem
-
-keys_rsa_enc_pkcs8_v2_1024_sha512: keys_rsa_enc_pkcs8_v2_1024_3des_sha512 keys_rsa_enc_pkcs8_v2_1024_des_sha512
-
-### 2048-bit
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem
-keys_rsa_enc_pkcs8_v2_2048_3des_sha512: rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem
-
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem: rsa_pkcs1_2048_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem
-keys_rsa_enc_pkcs8_v2_2048_des_sha512: rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem
-
-keys_rsa_enc_pkcs8_v2_2048_sha512: keys_rsa_enc_pkcs8_v2_2048_3des_sha512 keys_rsa_enc_pkcs8_v2_2048_des_sha512
-
-### 4096-bit
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des3 -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem
-keys_rsa_enc_pkcs8_v2_4096_3des_sha512: rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem
-
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der
-rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem: rsa_pkcs1_4096_clear.pem
- $(OPENSSL) pkcs8 -topk8 -v2 des -v2prf hmacWithSHA512 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
-all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
-keys_rsa_enc_pkcs8_v2_4096_des_sha512: rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
-
-keys_rsa_enc_pkcs8_v2_4096_sha512: keys_rsa_enc_pkcs8_v2_4096_3des_sha512 keys_rsa_enc_pkcs8_v2_4096_des_sha512
-
-###
-### Rules to generate all RSA keys from a particular class
-###
-
-### Generate basic unencrypted RSA keys
-keys_rsa_unenc: rsa_pkcs1_1024_clear.pem rsa_pkcs1_2048_clear.pem rsa_pkcs1_4096_clear.pem
-
-### Generate PKCS1-encoded encrypted RSA keys
-keys_rsa_enc_basic: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
-
-### Generate PKCS8-v1 encrypted RSA keys
-keys_rsa_enc_pkcs8_v1: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096
-
-### Generate PKCS8-v2 encrypted RSA keys
-keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096 keys_rsa_enc_pkcs8_v2_1024_sha224 keys_rsa_enc_pkcs8_v2_2048_sha224 keys_rsa_enc_pkcs8_v2_4096_sha224 keys_rsa_enc_pkcs8_v2_1024_sha256 keys_rsa_enc_pkcs8_v2_2048_sha256 keys_rsa_enc_pkcs8_v2_4096_sha256 keys_rsa_enc_pkcs8_v2_1024_sha384 keys_rsa_enc_pkcs8_v2_2048_sha384 keys_rsa_enc_pkcs8_v2_4096_sha384 keys_rsa_enc_pkcs8_v2_1024_sha512 keys_rsa_enc_pkcs8_v2_2048_sha512 keys_rsa_enc_pkcs8_v2_4096_sha512
-
-### Generate all RSA keys
-keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
-
-################################################################
-#### Generate various EC keys
-################################################################
-
-###
-### PKCS8 encoded
-###
-
-ec_prv.pk8.der:
- $(OPENSSL) genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime192v1 -pkeyopt ec_param_enc:named_curve -out $@ -outform DER
-all_final += ec_prv.pk8.der
-
-# ### Instructions for creating `ec_prv.pk8nopub.der`,
-# ### `ec_prv.pk8nopubparam.der`, and `ec_prv.pk8param.der` by hand from
-# ### `ec_prv.pk8.der`.
-#
-# These instructions assume you are familiar with ASN.1 DER encoding and can
-# use a hex editor to manipulate DER.
-#
-# The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:
-#
-# PrivateKeyInfo ::= SEQUENCE {
-# version Version,
-# privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
-# privateKey PrivateKey,
-# attributes [0] IMPLICIT Attributes OPTIONAL
-# }
-#
-# AlgorithmIdentifier ::= SEQUENCE {
-# algorithm OBJECT IDENTIFIER,
-# parameters ANY DEFINED BY algorithm OPTIONAL
-# }
-#
-# ECParameters ::= CHOICE {
-# namedCurve OBJECT IDENTIFIER
-# -- implicitCurve NULL
-# -- specifiedCurve SpecifiedECDomain
-# }
-#
-# ECPrivateKey ::= SEQUENCE {
-# version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
-# privateKey OCTET STRING,
-# parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
-# publicKey [1] BIT STRING OPTIONAL
-# }
-#
-# `ec_prv.pk8.der` as generatde above by OpenSSL should have the following
-# fields:
-#
-# * privateKeyAlgorithm namedCurve
-# * privateKey.parameters NOT PRESENT
-# * privateKey.publicKey PRESENT
-# * attributes NOT PRESENT
-#
-# # ec_prv.pk8nopub.der
-#
-# Take `ec_prv.pk8.der` and remove `privateKey.publicKey`.
-#
-# # ec_prv.pk8nopubparam.der
-#
-# Take `ec_prv.pk8nopub.der` and add `privateKey.parameters`, the same value as
-# `privateKeyAlgorithm.namedCurve`. Don't forget to add the explicit tag.
-#
-# # ec_prv.pk8param.der
-#
-# Take `ec_prv.pk8.der` and add `privateKey.parameters`, the same value as
-# `privateKeyAlgorithm.namedCurve`. Don't forget to add the explicit tag.
-
-ec_prv.pk8.pem: ec_prv.pk8.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_prv.pk8.pem
-ec_prv.pk8nopub.pem: ec_prv.pk8nopub.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_prv.pk8nopub.pem
-ec_prv.pk8nopubparam.pem: ec_prv.pk8nopubparam.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_prv.pk8nopubparam.pem
-ec_prv.pk8param.pem: ec_prv.pk8param.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_prv.pk8param.pem
-
-ec_pub.pem: ec_prv.sec1.der
- $(OPENSSL) pkey -in $< -inform DER -outform PEM -pubout -out $@
-all_final += ec_pub.pem
-
-ec_prv.sec1.comp.pem: ec_prv.sec1.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_prv.sec1.comp.pem
-
-ec_224_prv.comp.pem: ec_224_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_224_prv.comp.pem
-
-ec_256_prv.comp.pem: ec_256_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_256_prv.comp.pem
-
-ec_384_prv.comp.pem: ec_384_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_384_prv.comp.pem
-
-ec_521_prv.comp.pem: ec_521_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_521_prv.comp.pem
-
-ec_bp256_prv.comp.pem: ec_bp256_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_bp256_prv.comp.pem
-
-ec_bp384_prv.comp.pem: ec_bp384_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_bp384_prv.comp.pem
-
-ec_bp512_prv.comp.pem: ec_bp512_prv.pem
- $(OPENSSL) ec -in $< -out $@ -conv_form compressed
-all_final += ec_bp512_prv.comp.pem
-
-ec_pub.comp.pem: ec_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_pub.comp.pem
-
-ec_224_pub.comp.pem: ec_224_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_224_pub.comp.pem
-
-ec_256_pub.comp.pem: ec_256_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_256_pub.comp.pem
-
-ec_384_pub.comp.pem: ec_384_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_384_pub.comp.pem
-
-ec_521_pub.comp.pem: ec_521_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_521_pub.comp.pem
-
-ec_bp256_pub.comp.pem: ec_bp256_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_bp256_pub.comp.pem
-
-ec_bp384_pub.comp.pem: ec_bp384_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_bp384_pub.comp.pem
-
-ec_bp512_pub.comp.pem: ec_bp512_pub.pem
- $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
-all_final += ec_bp512_pub.comp.pem
-
-ec_x25519_prv.der:
- $(OPENSSL) genpkey -algorithm X25519 -out $@ -outform DER
-all_final += ec_x25519_prv.der
-
-ec_x25519_pub.der: ec_x25519_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER -pubout
-all_final += ec_x25519_pub.der
-
-ec_x25519_prv.pem: ec_x25519_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_x25519_prv.pem
-
-ec_x25519_pub.pem: ec_x25519_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -pubout
-all_final += ec_x25519_pub.pem
-
-ec_x448_prv.der:
- $(OPENSSL) genpkey -algorithm X448 -out $@ -outform DER
-all_final += ec_x448_prv.der
-
-ec_x448_pub.der: ec_x448_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER -pubout
-all_final += ec_x448_pub.der
-
-ec_x448_prv.pem: ec_x448_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@
-all_final += ec_x448_prv.pem
-
-ec_x448_pub.pem: ec_x448_prv.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -pubout
-all_final += ec_x448_pub.pem
-
-################################################################
-#### Convert PEM keys to DER format
-################################################################
-server1.pubkey.der: server1.pubkey
- $(OPENSSL) pkey -pubin -in $< -out $@ -outform DER
-all_final += server1.pubkey.der
-
-rsa4096_pub.der: rsa4096_pub.pem
- $(OPENSSL) pkey -pubin -in $< -out $@ -outform DER
-all_final += rsa4096_pub.der
-
-ec_pub.der: ec_pub.pem
- $(OPENSSL) pkey -pubin -in $< -out $@ -outform DER
-all_final += ec_pub.der
-
-ec_521_pub.der: ec_521_pub.pem
- $(OPENSSL) pkey -pubin -in $< -out $@ -outform DER
-all_final += ec_521_pub.der
-
-ec_bp512_pub.der: ec_bp512_pub.pem
- $(OPENSSL) pkey -pubin -in $< -out $@ -outform DER
-all_final += ec_bp512_pub.der
-
-server1.key.der: server1.key
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += server1.key.der
-
-rsa4096_prv.der: rsa4096_prv.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += rsa4096_prv.der
-
-ec_prv.sec1.der: ec_prv.sec1.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += ec_prv.sec1.der
-
-ec_256_long_prv.der: ec_256_long_prv.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += ec_256_long_prv.der
-
-ec_521_prv.der: ec_521_prv.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += ec_521_prv.der
-
-ec_521_short_prv.der: ec_521_short_prv.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += ec_521_short_prv.der
-
-ec_bp512_prv.der: ec_bp512_prv.pem
- $(OPENSSL) pkey -in $< -out $@ -outform DER
-all_final += ec_bp512_prv.der
-
-################################################################
-### Generate CSRs for X.509 write test suite
-################################################################
-
-parse_input/server1.req.sha1 server1.req.sha1: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
-all_final += server1.req.sha1
-
-parse_input/server1.req.md5 server1.req.md5: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=MD5
-all_final += server1.req.md5
-
-parse_input/server1.req.sha224 server1.req.sha224: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA224
-all_final += server1.req.sha224
-
-parse_input/server1.req.sha256 server1.req.sha256: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA256
-all_final += server1.req.sha256
-
-server1.req.sha256.ext: server1.key
- # Generating this with OpenSSL as a comparison point to test we're getting the same result
- openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -config server1.req.sha256.conf
-
-parse_input/server1.req.sha384 server1.req.sha384: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA384
-all_final += server1.req.sha384
-
-parse_input/server1.req.sha512 server1.req.sha512: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA512
-all_final += server1.req.sha512
-
-server1.req.cert_type: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
-all_final += server1.req.cert_type
-
-server1.req.key_usage: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
-all_final += server1.req.key_usage
-
-server1.req.ku-ct: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
-all_final += server1.req.ku-ct
-
-server1.req.key_usage_empty: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1
-all_final += server1.req.key_usage_empty
-
-server1.req.cert_type_empty: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1
-all_final += server1.req.cert_type_empty
-
-parse_input/server1.req.commas.sha256: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL\, Commas,CN=PolarSSL Server 1" md=SHA256
-
-parse_input/server1.req.hashsymbol.sha256: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=\#PolarSSL,CN=PolarSSL Server 1" md=SHA256
-
-parse_input/server1.req.spaces.sha256: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O= PolarSSL ,CN=PolarSSL Server 1" md=SHA256
-
-parse_input/server1.req.asciichars.sha256: server1.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=极地SSL,CN=PolarSSL Server 1" md=SHA256
-# server2*
-
-server2_pwd_ec = PolarSSLTest
-
-server2.req.sha256: server2.key
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=localhost" md=SHA256
-all_intermediate += server2.req.sha256
-
-parse_input/server2.crt.der: parse_input/server2.crt
-server2.crt.der: server2.crt
-parse_input/server2.crt.der server2.crt.der:
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server2.crt.der
-
-server2-sha256.crt.der: server2-sha256.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server2-sha256.crt.der
-
-server2.key.der: server2.key
- $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
-all_final += server2.key.der
-
-server2.key.enc: server2.key
- $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(server2_pwd_ec)"
-all_final += server2.key.enc
-
-# server5*
-
-server5.csr: server5.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-all_intermediate += server5.csr
-parse_input/server5.crt server5.crt: server5-sha256.crt
- cp $< $@
-all_intermediate += server5-sha256.crt
-server5-sha%.crt: server5.csr $(test_ca_crt_file_ec) $(test_ca_key_file_ec) server5.crt.openssl.v3_ext
- $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -extfile server5.crt.openssl.v3_ext -set_serial 9 -days 3650 \
- -sha$(@F:server5-sha%.crt=%) -in $< -out $@
-all_final += server5.crt server5-sha1.crt server5-sha224.crt server5-sha384.crt server5-sha512.crt
-
-server5-badsign.crt: server5.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += server5-badsign.crt
-
-# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
-server5.req.ku.sha1: server5.key
- $(OPENSSL) req -key $< -out $@ -new -nodes -subj "/C=NL/O=PolarSSL/CN=PolarSSL Server 1" -sha1 -addext keyUsage=digitalSignature,nonRepudiation
-all_final += server5.req.ku.sha1
-
-server5.ku-ds.crt: SERVER5_CRT_SERIAL=45
-server5.ku-ds.crt: SERVER5_KEY_USAGE=digital_signature
-server5.ku-ka.crt: SERVER5_CRT_SERIAL=46
-server5.ku-ka.crt: SERVER5_KEY_USAGE=key_agreement
-server5.ku-ke.crt: SERVER5_CRT_SERIAL=47
-server5.ku-ke.crt: SERVER5_KEY_USAGE=key_encipherment
-server5.eku-cs.crt: SERVER5_CRT_SERIAL=58
-server5.eku-cs.crt: SERVER5_EXT_KEY_USAGE=codeSigning
-server5.eku-cs_any.crt: SERVER5_CRT_SERIAL=59
-server5.eku-cs_any.crt: SERVER5_EXT_KEY_USAGE=codeSigning,any
-server5.eku-cli.crt: SERVER5_CRT_SERIAL=60
-server5.eku-cli.crt: SERVER5_EXT_KEY_USAGE=clientAuth
-server5.eku-srv_cli.crt: SERVER5_CRT_SERIAL=61
-server5.eku-srv_cli.crt: SERVER5_EXT_KEY_USAGE=serverAuth,clientAuth
-server5.eku-srv.crt: SERVER5_CRT_SERIAL=62
-server5.eku-srv.crt: SERVER5_EXT_KEY_USAGE=serverAuth
-server5.ku-%.crt: SERVER5_EXT_OPTS=key_usage=$(SERVER5_KEY_USAGE)
-server5.eku-%.crt: SERVER5_EXT_OPTS=ext_key_usage=$(SERVER5_EXT_KEY_USAGE)
-server5.%.crt: server5.key
- $(MBEDTLS_CERT_WRITE) \
- subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=$(SERVER5_CRT_SERIAL) \
- issuer_crt=$(test_ca_crt_file_ec) issuer_key=$(test_ca_key_file_ec) $(SERVER5_EXT_OPTS) \
- not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
-all_final += server5.ku-ka.crt server5.ku-ke.crt server5.ku-ds.crt
-all_final += server5.eku-cs.crt server5.eku-cs_any.crt server5.eku-cli.crt server5.eku-srv_cli.crt server5.eku-srv.crt
-
-# server6*
-
-server6.csr: server6.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-all_intermediate += server6.csr
-server6.crt: server6.csr $(test_ca_crt_file_ec) $(test_ca_key_file_ec)
- $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -extfile server5.crt.openssl.v3_ext -set_serial 10 -days 3650 -sha256 -in $< -out $@
-all_final += server6.crt
-
-server6-ss-child.csr : server6.key
- $(OPENSSL) req -new -subj "/CN=selfsigned-child/OU=testing/O=PolarSSL/C=NL" \
- -key $< -out $@
-all_intermediate += server6-ss-child.csr
-server6-ss-child.crt: server6-ss-child.csr server5-selfsigned.crt server5.key server6-ss-child.crt.openssl.v3_ext
- $(OPENSSL) x509 -req -CA server5-selfsigned.crt -CAkey server5.key \
- -extfile server6-ss-child.crt.openssl.v3_ext \
- -set_serial 0x53a2cb5822399474a7ec79ec \
- -days 3650 -sha256 -in $< -out $@
-all_final += server6-ss-child.crt
-
-
-################################################################
-### Generate certificates for CRT write check tests
-################################################################
-
-### The test files use the Mbed TLS generated certificates server1*.crt,
-### but for comparison with OpenSSL also rules for OpenSSL-generated
-### certificates server1*.crt.openssl are offered.
-###
-### Known differences:
-### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension
-### as unused bits, while Mbed TLS doesn't.
-
-test_ca_server1_db = test-ca.server1.db
-test_ca_server1_serial = test-ca.server1.serial
-test_ca_server1_config_file = test-ca.server1.opensslconf
-
-# server1*
-
-parse_input/server1.crt: parse_input/server1.req.sha256
-server1.crt: server1.req.sha256
-parse_input/server1.crt server1.crt: $(test_ca_crt) $(test_ca_key_file_rsa)
-parse_input/server1.crt server1.crt:
- $(MBEDTLS_CERT_WRITE) request_file=$(@D)/server1.req.sha256 \
- issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) \
- issuer_pwd=$(test_ca_pwd_rsa) version=1 \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA1 version=3 output_file=$@
-server1.allSubjectAltNames.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ san=URI:http://pki.example.com\;IP:1.2.3.4\;DN:C=UK,O="Mbed TLS",CN="SubjectAltName test"\;DNS:example.com\;RFC822:mail@example.com
-server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- echo "112233445566778899aabbccddeeff0011223344" > test-ca.server1.tmp.serial
- $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
-server1.80serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- echo "8011223344" > test-ca.server1.tmp.serial
- $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
-server1.long_serial_FF.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- echo "ffffffffffffffffffffffffffffffff" > test-ca.server1.tmp.serial
- $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
-server1.noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
-parse_input/server1.crt.der: parse_input/server1.crt
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 \
- issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) \
- issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA1 authority_identifier=0 version=3 output_file=$@
-server1.der: server1.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-server1.commas.crt: server1.key parse_input/server1.req.commas.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.commas.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-server1.hashsymbol.crt: server1.key parse_input/server1.req.hashsymbol.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.hashsymbol.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-server1.spaces.crt: server1.key parse_input/server1.req.spaces.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.spaces.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-server1.asciichars.crt: server1.key parse_input/server1.req.asciichars.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.asciichars.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt server1.hashsymbol.crt server1.spaces.crt server1.asciichars.crt
-
-parse_input/server1.key_usage.crt: parse_input/server1.req.sha256
-server1.key_usage.crt: server1.req.sha256
-parse_input/server1.key_usage.crt server1.key_usage.crt: $(test_ca_crt) $(test_ca_key_file_rsa)
-parse_input/server1.key_usage.crt server1.key_usage.crt:
- $(MBEDTLS_CERT_WRITE) request_file=$(@D)/server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
-server1.key_usage_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
-server1.key_usage.der: server1.key_usage.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
-
-parse_input/server1.cert_type.crt: parse_input/server1.req.sha256
-server1.cert_type.crt: server1.req.sha256
-parse_input/server1.cert_type.crt server1.cert_type.crt: $(test_ca_crt) $(test_ca_key_file_rsa)
-parse_input/server1.cert_type.crt server1.cert_type.crt:
- $(MBEDTLS_CERT_WRITE) request_file=$(@D)/server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
-server1.cert_type_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
-server1.cert_type.der: server1.cert_type.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
-
-server1.v1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=1 output_file=$@
-server1.v1.der: server1.v1.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.v1.crt server1.v1.der
-
-server1.ca.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 is_ca=1 version=3 output_file=$@
-server1.ca_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
- $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 is_ca=1 version=3 output_file=$@
-server1.ca.der: server1.ca.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.ca.crt server1.ca_noauthid.crt server1.ca.der
-
-server1-nospace.crt: server1.key test-ca.crt
- $(MBEDTLS_CERT_WRITE) subject_key=$< serial=31\
- subject_name="C=NL,O=PolarSSL,CN=polarssl.example" \
- issuer_crt=test-ca.crt issuer_key=$(test_ca_key_file_rsa) \
- issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA256 version=3 authority_identifier=1 \
- output_file=$@
-all_final += server1-nospace.crt
-
-server1_ca.crt: server1.crt $(test_ca_crt)
- cat server1.crt $(test_ca_crt) > $@
-all_final += server1_ca.crt
-
-parse_input/cert_sha1.crt cert_sha1.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1" serial=7 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-all_final += cert_sha1.crt
-
-parse_input/cert_sha224.crt cert_sha224.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224" serial=8 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA224 version=3 output_file=$@
-all_final += cert_sha224.crt
-
-parse_input/cert_sha256.crt cert_sha256.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256" serial=9 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
-all_final += cert_sha256.crt
-
-parse_input/cert_sha384.crt cert_sha384.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384" serial=10 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA384 version=3 output_file=$@
-all_final += cert_sha384.crt
-
-parse_input/cert_sha512.crt cert_sha512.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512" serial=11 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA512 version=3 output_file=$@
-all_final += cert_sha512.crt
-
-cert_example_wildcard.crt: server1.key
- $(MBEDTLS_CERT_WRITE) subject_key=server1.key subject_name="C=NL, O=PolarSSL, CN=*.example.com" serial=12 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-all_final += cert_example_wildcard.crt
-
-# OpenSSL-generated certificates for comparison
-# Also provide certificates in DER format to allow
-# direct binary comparison using e.g. dumpasn1
-server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
- echo "01" > $(test_ca_server1_serial)
- rm -f $(test_ca_server1_db)
- touch $(test_ca_server1_db)
- $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.req.sha256 -extensions v3_ext -extfile $@.v3_ext -out $@
-server1.der.openssl: server1.crt.openssl
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-server1.key_usage.der.openssl: server1.key_usage.crt.openssl
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-server1.cert_type.der.openssl: server1.cert_type.crt.openssl
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-
-server1.v1.crt.openssl: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
- echo "01" > $(test_ca_server1_serial)
- rm -f $(test_ca_server1_db)
- touch $(test_ca_server1_db)
- $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.req.sha256 -out $@
-server1.v1.der.openssl: server1.v1.crt.openssl
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-
-# To revoke certificate in the openssl database:
-#
-# $(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_server1_config_file) -md sha256 -crldays 365 -revoke server1.crt
-
-crl.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file)
- $(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_server1_config_file) -md sha1 -crldays 3653 -out $@
-
-crl-futureRevocationDate.pem: $(test_ca_crt) $(test_ca_key_file_rsa) \
- $(test_ca_config_file) \
- test-ca.server1.future-crl.db \
- test-ca.server1.future-crl.opensslconf
- $(FAKETIME) -f '+10y' $(OPENSSL) ca -gencrl \
- -config test-ca.server1.future-crl.opensslconf -crldays 365 \
- -passin "pass:$(test_ca_pwd_rsa)" -out $@
-
-server1_all: crl.pem crl-futureRevocationDate.pem server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
-
-# server2*
-
-parse_input/server2.crt server2.crt: server2.req.sha256
- $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-all_final += server2.crt
-
-server2.der: server2.crt
- $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server2.crt server2.der
-
-server2-sha256.crt: server2.req.sha256
- $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
-all_final += server2-sha256.crt
-
-server2.ku-ka.crt: SERVER2_CRT_SERIAL=42
-server2.ku-ka.crt: SERVER2_KEY_USAGE=key_agreement
-server2.ku-ke.crt: SERVER2_CRT_SERIAL=43
-server2.ku-ke.crt: SERVER2_KEY_USAGE=key_encipherment
-server2.ku-ds.crt: SERVER2_CRT_SERIAL=44
-server2.ku-ds.crt: SERVER2_KEY_USAGE=digital_signature
-server2.ku-ds_ke.crt: SERVER2_CRT_SERIAL=48
-server2.ku-ds_ke.crt: SERVER2_KEY_USAGE=digital_signature,key_encipherment
-server2.ku-%.crt: server2.req.sha256
- $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=$(SERVER2_CRT_SERIAL) \
- issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
- key_usage="$(SERVER2_KEY_USAGE)" \
- not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
-all_final += server2.ku-ka.crt server2.ku-ke.crt server2.ku-ds.crt server2.ku-ds_ke.crt
-
-server2-badsign.crt: server2.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += server2-badsign.crt
-
-# server3*
-
-parse_input/server3.crt server3.crt: server3.key
- $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=13 \
- issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA1 version=3 output_file=$@
-all_final += server3.crt
-
-# server4*
-
-parse_input/server4.crt server4.crt: server4.key
- $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=8 \
- issuer_crt=$(test_ca_crt_file_ec) issuer_key=$(test_ca_key_file_ec) \
- not_before=20190210144400 not_after=20290210144400 \
- md=SHA256 version=3 output_file=$@
-all_final += server4.crt
-
-# MD5 test certificate
-
-cert_md_test_key = $(cli_crt_key_file_rsa)
-
-cert_md5.csr: $(cert_md_test_key)
- $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Cert MD5" md=MD5
-all_intermediate += cert_md5.csr
-
-parse_input/cert_md5.crt cert_md5.crt: cert_md5.csr
- $(MBEDTLS_CERT_WRITE) request_file=$< serial=6 \
- issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) \
- issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20000101121212 not_after=20300101121212 \
- md=MD5 version=3 output_file=$@
-all_final += cert_md5.crt
-
-# TLSv1.3 test certificates
-ecdsa_secp256r1.key: ec_256_prv.pem
- cp $< $@
-
-ecdsa_secp256r1.csr: ecdsa_secp256r1.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-all_intermediate += ecdsa_secp256r1.csr
-ecdsa_secp256r1.crt: ecdsa_secp256r1.csr
- $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -set_serial 77 -days 3653 -sha384 -in $< -out $@
-all_final += ecdsa_secp256r1.crt ecdsa_secp256r1.key
-tls13_certs: ecdsa_secp256r1.crt ecdsa_secp256r1.key
-
-ecdsa_secp384r1.key: ec_384_prv.pem
- cp $< $@
-ecdsa_secp384r1.csr: ecdsa_secp384r1.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-all_intermediate += ecdsa_secp384r1.csr
-ecdsa_secp384r1.crt: ecdsa_secp384r1.csr
- $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -set_serial 77 -days 3653 -sha384 -in $< -out $@
-all_final += ecdsa_secp384r1.crt ecdsa_secp384r1.key
-tls13_certs: ecdsa_secp384r1.crt ecdsa_secp384r1.key
-
-ecdsa_secp521r1.key: ec_521_prv.pem
- cp $< $@
-ecdsa_secp521r1.csr: ecdsa_secp521r1.key
- $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
- -key $< -out $@
-all_intermediate += ecdsa_secp521r1.csr
-ecdsa_secp521r1.crt: ecdsa_secp521r1.csr
- $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
- -set_serial 77 -days 3653 -sha384 -in $< -out $@
-all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key
-tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key
-
-# PKCS7 test data
-pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt
-pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt
-pkcs7_test_cert_3 = pkcs7-rsa-sha256-3.crt
-pkcs7_test_file = pkcs7_data.bin
-
-$(pkcs7_test_file):
- printf "Hello\15\n" > $@
-all_final += $(pkcs7_test_file)
-
-pkcs7_zerolendata.bin:
- printf '' > $@
-all_final += pkcs7_zerolendata.bin
-
-pkcs7_data_1.bin:
- printf "2\15\n" > $@
-all_final += pkcs7_data_1.bin
-
-# Generate signing cert
-pkcs7-rsa-sha256-1.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt
- cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem
-all_final += pkcs7-rsa-sha256-1.crt
-
-pkcs7-rsa-sha256-2.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt
- cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem
-all_final += pkcs7-rsa-sha256-2.crt
-
-pkcs7-rsa-sha256-3.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 3" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-3.key -out pkcs7-rsa-sha256-3.crt
- cat pkcs7-rsa-sha256-3.crt pkcs7-rsa-sha256-3.key > pkcs7-rsa-sha256-3.pem
-all_final += pkcs7-rsa-sha256-3.crt
-
-pkcs7-rsa-expired.crt:
- $(FAKETIME) -f -3650d $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert Expired" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-expired.key -out pkcs7-rsa-expired.crt
-all_final += pkcs7-rsa-expired.crt
-
-# File with an otherwise valid signature signed with an expired cert
-pkcs7_data_rsa_expired.der: pkcs7-rsa-expired.key pkcs7-rsa-expired.crt pkcs7_data.bin
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -inkey pkcs7-rsa-expired.key -signer pkcs7-rsa-expired.crt -noattr -outform DER -out $@
-all_final += pkcs7_data_rsa_expired.der
-
-# Convert signing certs to DER for testing PEM-free builds
-pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1)
- $(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER
-all_final += pkcs7-rsa-sha256-1.der
-
-pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2)
- $(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER
-all_final += pkcs7-rsa-sha256-2.der
-
-pkcs7-rsa-expired.der: pkcs7-rsa-expired.crt
- $(OPENSSL) x509 -in pkcs7-rsa-expired.crt -out $@ -outform DER
-all_final += pkcs7-rsa-expired.der
-
-# pkcs7 signature file over zero-len data
-pkcs7_zerolendata_detached.der: pkcs7_zerolendata.bin pkcs7-rsa-sha256-1.key pkcs7-rsa-sha256-1.crt
- $(OPENSSL) smime -sign -md sha256 -nocerts -noattr -in pkcs7_zerolendata.bin -inkey pkcs7-rsa-sha256-1.key -outform DER -binary -signer pkcs7-rsa-sha256-1.crt -out pkcs7_zerolendata_detached.der
-all_final += pkcs7_zerolendata_detached.der
-
-# pkcs7 signature file with CERT
-pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
-all_final += pkcs7_data_cert_signed_sha256.der
-
-# pkcs7 signature file with CERT and sha1
-pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
-all_final += pkcs7_data_cert_signed_sha1.der
-
-# pkcs7 signature file with CERT and sha512
-pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
-all_final += pkcs7_data_cert_signed_sha512.der
-
-# pkcs7 signature file without CERT
-pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
-all_final += pkcs7_data_without_cert_signed.der
-
-# pkcs7 signature file with signature
-pkcs7_data_with_signature.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -nodetach -outform DER -out $@
-all_final += pkcs7_data_with_signature.der
-
-# pkcs7 signature file with two signers
-pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
-all_final += pkcs7_data_multiple_signed.der
-
-# pkcs7 signature file with three signers
-pkcs7_data_3_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) $(pkcs7_test_cert_3)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -signer pkcs7-rsa-sha256-3.pem -nocerts -noattr -outform DER -out $@
-all_final += pkcs7_data_3_signed.der
-
-# pkcs7 signature file with multiple certificates
-pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
- $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@
-all_final += pkcs7_data_multiple_certs_signed.der
-
-# pkcs7 signature file with corrupted CERT
-pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der
- cp pkcs7_data_cert_signed_sha256.der $@
- echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=547 conv=notrunc
-all_final += pkcs7_data_signed_badcert.der
-
-# pkcs7 signature file with corrupted signer info
-pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der
- cp pkcs7_data_cert_signed_sha256.der $@
- echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=918 conv=notrunc
-all_final += pkcs7_data_signed_badsigner.der
-
-# pkcs7 signature file with invalid tag in signerInfo[1].serial after long issuer name
-pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der: pkcs7_data_multiple_signed.der
- cp $< $@
- echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=498 conv=notrunc
-all_final += pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
-
-# pkcs7 signature file with invalid tag in signerInfo[2]
-pkcs7_signerInfo_2_invalid_tag.der: pkcs7_data_3_signed.der
- cp $< $@
- echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=810 conv=notrunc
-all_final += pkcs7_signerInfo_2_invalid_tag.der
-
-# pkcs7 signature file with corrupted signer info[1]
-pkcs7_data_signed_badsigner1_badsize.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo '72' | xxd -p -r | dd of=$@ bs=1 seek=438 conv=notrunc
-all_final += pkcs7_data_signed_badsigner1_badsize.der
-
-pkcs7_data_signed_badsigner1_badtag.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo 'a1' | xxd -p -r | dd of=$@ bs=1 seek=442 conv=notrunc
-all_final += pkcs7_data_signed_badsigner1_badtag.der
-
-pkcs7_data_signed_badsigner1_fuzzbad.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo 'a1' | xxd -p -r | dd of=$@ bs=1 seek=550 conv=notrunc
-all_final += pkcs7_data_signed_badsigner1_fuzzbad.der
-
-# pkcs7 signature file with corrupted signer info[2]
-pkcs7_data_signed_badsigner2_badsize.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo '72'| xxd -p -r | dd of=$@ bs=1 seek=813 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_badsize.der
-
-pkcs7_data_signed_badsigner2_badtag.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo 'a1'| xxd -p -r | dd of=$@ bs=1 seek=817 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_badtag.der
-
-pkcs7_data_signed_badsigner2_fuzzbad.der: pkcs7_data_3_signed.der
- cp pkcs7_data_3_signed.der $@
- echo 'a1'| xxd -p -r | dd of=$@ bs=1 seek=925 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_fuzzbad.der
-
-# pkcs7 file with version 2
-pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
- cp pkcs7_data_cert_signed_sha256.der $@
- echo '02' | xxd -r -p | dd of=$@ bs=1 seek=25 conv=notrunc
-all_final += pkcs7_data_cert_signed_v2.der
-
-pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
- $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.bin -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt
-all_final += pkcs7_data_cert_encrypted.der
-
-## Negative tests
-# For some interesting sizes, what happens if we make them off-by-one?
-pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der
- cp $< $@
- echo '35' | xxd -r -p | dd of=$@ seek=919 bs=1 conv=notrunc
-all_final += pkcs7_signerInfo_issuer_invalid_size.der
-
-pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der
- cp $< $@
- echo '15' | xxd -r -p | dd of=$@ seek=973 bs=1 conv=notrunc
-all_final += pkcs7_signerInfo_serial_invalid_size.der
-
-# pkcs7 signature file just with signed data
-pkcs7_data_cert_signeddata_sha256.der: pkcs7_data_cert_signed_sha256.der
- dd if=pkcs7_data_cert_signed_sha256.der of=$@ skip=19 bs=1
-all_final += pkcs7_data_cert_signeddata_sha256.der
-
-# - test-ca-v1.crt: v1 "CA", signs
-# server1-v1.crt: v1 "intermediate CA", signs
-# server2-v1*.crt: EE cert (without of with chain in same file)
-
-test-ca-v1.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
- $(MBEDTLS_CERT_WRITE) is_ca=1 serial_hex=53a2b68e05400e555c9395e5 \
- request_file=test-ca.req.sha256 \
- selfsign=1 issuer_name="CN=PolarSSL Test CA v1,OU=testing,O=PolarSSL,C=NL" \
- issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20190210144400 not_after=20290210144400 md=SHA256 version=1 \
- output_file=$@
-all_final += test-ca-v1.crt
-
-server1-v1.crt: server1.key test-ca-v1.crt
- $(MBEDTLS_CERT_WRITE) subject_key=$< serial_hex=53a2b6c704cd4d8ebc800bc1\
- subject_name="CN=server1/int-ca-v1,OU=testing,O=PolarSSL,C=NL" \
- issuer_crt=test-ca-v1.crt issuer_key=$(test_ca_key_file_rsa) \
- issuer_pwd=$(test_ca_pwd_rsa) \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA256 version=1 \
- output_file=$@
-all_final += server1-v1.crt
-
-server2-v1.crt: server2.key server1-v1.crt
- $(MBEDTLS_CERT_WRITE) subject_key=$< serial_hex=53a2b6d9235dbc4573f9b76c\
- subject_name="CN=server2,OU=testing,O=PolarSSL,C=NL" \
- issuer_crt=server1-v1.crt issuer_key=server1.key \
- not_before=20190210144406 not_after=20290210144406 \
- md=SHA256 version=1 \
- output_file=$@
-all_final += server2-v1.crt
-
-server2-v1-chain.crt: server2-v1.crt server1-v1.crt
- cat $^ > $@
-
-################################################################
-#### Generate C format test certs header
-################################################################
-
-TEST_CERTS_H_INPUT_FILES=test-ca2.crt \
- test-ca2.crt.der \
- test-ca2.key.enc \
- test-ca2.key.der \
- test-ca-sha256.crt \
- test-ca-sha256.crt.der \
- test-ca-sha1.crt \
- test-ca-sha1.crt.der \
- test-ca.key \
- test-ca.key.der \
- server5.crt \
- server5.crt.der \
- server5.key \
- server5.key.der \
- server2-sha256.crt \
- server2-sha256.crt.der \
- server2.crt \
- server2.crt.der \
- server2.key \
- server2.key.der \
- cli2.crt \
- cli2.crt.der \
- cli2.key \
- cli2.key.der \
- cli-rsa-sha256.crt \
- cli-rsa-sha256.crt.der \
- cli-rsa.key \
- cli-rsa.key.der
-../src/test_certs.h: ../scripts/generate_test_cert_macros.py \
- $(TEST_CERTS_H_INPUT_FILES)
- ../scripts/generate_test_cert_macros.py --output $@ \
- --string TEST_CA_CRT_EC_PEM=test-ca2.crt \
- --binary TEST_CA_CRT_EC_DER=test-ca2.crt.der \
- --string TEST_CA_KEY_EC_PEM=test-ca2.key.enc \
- --password TEST_CA_PWD_EC_PEM=PolarSSLTest \
- --binary TEST_CA_KEY_EC_DER=test-ca2.key.der \
- --string TEST_CA_CRT_RSA_SHA256_PEM=test-ca-sha256.crt \
- --binary TEST_CA_CRT_RSA_SHA256_DER=test-ca-sha256.crt.der \
- --string TEST_CA_CRT_RSA_SHA1_PEM=test-ca-sha1.crt \
- --binary TEST_CA_CRT_RSA_SHA1_DER=test-ca-sha1.crt.der \
- --string TEST_CA_KEY_RSA_PEM=test-ca.key \
- --password TEST_CA_PWD_RSA_PEM=PolarSSLTest \
- --binary TEST_CA_KEY_RSA_DER=test-ca.key.der \
- --string TEST_SRV_CRT_EC_PEM=server5.crt \
- --binary TEST_SRV_CRT_EC_DER=server5.crt.der \
- --string TEST_SRV_KEY_EC_PEM=server5.key \
- --binary TEST_SRV_KEY_EC_DER=server5.key.der \
- --string TEST_SRV_CRT_RSA_SHA256_PEM=server2-sha256.crt \
- --binary TEST_SRV_CRT_RSA_SHA256_DER=server2-sha256.crt.der \
- --string TEST_SRV_CRT_RSA_SHA1_PEM=server2.crt \
- --binary TEST_SRV_CRT_RSA_SHA1_DER=server2.crt.der \
- --string TEST_SRV_KEY_RSA_PEM=server2.key \
- --binary TEST_SRV_KEY_RSA_DER=server2.key.der \
- --string TEST_CLI_CRT_EC_PEM=cli2.crt \
- --binary TEST_CLI_CRT_EC_DER=cli2.crt.der \
- --string TEST_CLI_KEY_EC_PEM=cli2.key \
- --binary TEST_CLI_KEY_EC_DER=cli2.key.der \
- --string TEST_CLI_CRT_RSA_PEM=cli-rsa-sha256.crt \
- --binary TEST_CLI_CRT_RSA_DER=cli-rsa-sha256.crt.der \
- --string TEST_CLI_KEY_RSA_PEM=cli-rsa.key \
- --binary TEST_CLI_KEY_RSA_DER=cli-rsa.key.der
-
-################################################################
-#### Diffie-Hellman parameters
-################################################################
-
-dh.998.pem:
- $(OPENSSL) dhparam -out $@ -text 998
-
-dh.999.pem:
- $(OPENSSL) dhparam -out $@ -text 999
-
-
-################################################################
-#### Meta targets
-################################################################
-
-all_final: $(all_final)
-all: $(all_intermediate) $(all_final)
-
-.PHONY: default all_final all
-.PHONY: keys_rsa_all
-.PHONY: keys_rsa_unenc keys_rsa_enc_basic
-.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
-.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
-.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024
-.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048
-.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096
-.PHONY: server1_all
-
-# These files should not be committed to the repository.
-list_intermediate:
- @printf '%s\n' $(all_intermediate) | sort
-# These files should be committed to the repository so that the test data is
-# available upon checkout without running a randomized process depending on
-# third-party tools.
-list_final:
- @printf '%s\n' $(all_final) | sort
-.PHONY: list_intermediate list_final
-
-## Remove intermediate files
-clean:
- rm -f $(all_intermediate)
-## Remove all build products, even the ones that are committed
-neat: clean
- rm -f $(all_final)
-.PHONY: clean neat
-
-.SECONDARY: $(all_intermediate)
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
deleted file mode 100644
index 82f93d2..0000000
--- a/tests/data_files/Readme-x509.txt
+++ /dev/null
@@ -1,135 +0,0 @@
-This documents the X.509 CAs, certificates, and CRLS used for testing.
-
-Certification authorities
--------------------------
-
-There are two main CAs for use as trusted roots:
-- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
- uses a RSA-2048 key
- test-ca-sha1.crt and test-ca-sha256.crt use the same key, signed with
- different hashes.
-- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
- uses an EC key with NIST P-384 (aka secp384r1)
- variants used to test the keyUsage extension
-The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
-
-Two intermediate CAs are signed by them:
-- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
- uses RSA-4096, signed by test-ca2
- - test-int-ca-exp.crt is a copy that is expired
-- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
- uses an EC key with NIST P-384, signed by test-ca
-
-A third intermediate CA is signed by test-int-ca2.crt:
-- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
- uses an EC key with NIST P-256, signed by test-int-ca2
-
-Finally, other CAs for specific purposes:
-- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
- enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
-- test-ca-v1.crt: v1 "CA", signs
- server1-v1.crt: v1 "intermediate CA", signs
- server2-v1*.crt: EE cert (without of with chain in same file)
-- keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set
-
-End-entity certificates
------------------------
-
-Short information fields:
-
-- name or pattern
-- issuing CA: 1 -> test-ca.crt
- 2 -> test-ca2.crt
- I1 -> test-int-ca.crt
- I2 -> test-int-ca2.crt
- I3 -> test-int-ca3.crt
- O -> other
-- key type: R -> RSA, E -> EC
-- C -> there is a CRL revoking this cert (see below)
-- L -> CN=localhost (useful for local test servers)
-- P1, P2 if the file includes parent (resp. parent + grandparent)
-- free-form comments
-
-List of certificates:
-
-- cert_example_multi*.crt: 1/O R: subjectAltName
-- cert_example_wildcard.crt: 1 R: wildcard in subject's CN
-- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
-- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
-- cli2.crt: 2 E: basic
-- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
- the RSA test CA.
-- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
-- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
- *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
- P1 only for _ca.crt
-- server2-v1*.crt: O R: see test-ca-v1.crt above
-- server2*.crt: 1 R L: misc
-- server3.crt: 1 E L: EC cert signed by RSA CA
-- server4.crt: 2 R L: RSA cert signed by EC CA
-- server5*.crt: 2* E L: misc *(except -selfsigned and -ss-*)
- -sha*: hashes
- .eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
- .ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
- .req*: CSR, not certificate
- -der*: trailing bytes in der (?)
- -badsign.crt: S5 with corrupted signature
- -expired.crt: S5 with "not after" date in the past
- -future.crt: S5 with "not before" date in the future
- -non-compliant.crt: S5, RFC non-compliant
- (with forbidden EC algorithm identifier NULL parameter)
- generated by (before fix):
- cert_write subject_key=server5.key subject_name="CN=Test EC RFC non-compliant" issuer_crt=test-ca2.crt issuer_key=test-ca2.key
- -selfsigned.crt: Self-signed cert with S5 key
- -ss-expired.crt: Self-signed cert with S5 key, expired
- -ss-forgeca.crt: Copy of test-int-ca3 self-signed with S5 key
-- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
-- server6.crt, server6.pem: 2 E L C: revoked
-- server7.crt: I1 E L P1(usually): EC signed by RSA signed by EC
- -badsign.crt: S7 with corrupted signature + I1
- -expired.crt: S7 with "not after" date in the past + I1
- -future.crt: S7 with "not before" date in the future + I1
- _int-ca-exp.crt: S7 + expired I1
- _int-ca.crt: S7 + I1
- _int-ca_ca2.crt: S7 + I1 + 2
- _all_space.crt: S7 + I1 both with misplaced spaces (invalid PEM)
- _pem_space.crt: S7 with misplaced space (invalid PEM) + I1
- _trailing_space.crt: S7 + I1 both with trailing space (valid PEM)
- _spurious_int-ca.crt: S7 + I2(spurious) + I1
-- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
-- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
- *CRL for: 9.crt, -badsign, -with-ca (P1)
-- server10.crt: I3 E L
- -badsign.crt: S10 with corrupted signature
- -bs_int3.pem: S10-badsign + I3
- _int3-bs.pem: S10 + I3-badsign
- _int3_int-ca2.crt: S10 + I3 + I2
- _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
- _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
-
-Certificate revocation lists
-----------------------------
-
-Signing CA in parentheses (same meaning as certificates).
-
-- crl-ec-sha*.pem: (2) server6.crt
-- crl-future.pem: (2) server6.crt + unknown
-- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
-- crl.pem, crl-futureRevocationDate.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
-- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
-- crt_cat_*.pem: (1+2) concatenations in various orders:
- ec = crl-ec-sha256.pem, ecfut = crl-future.pem
- rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
-
-Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
- crl-rsa-pss* would revoke server6.crt if signed by CA 2
-
-Generation
-----------
-
-Newer test files have been generated through commands in the Makefile. The
-resulting files are committed to the repository so that the tests can
-run without having to re-do the generation and so that the output is the
-same for everyone (the generation process is randomized).
-
-The origin of older certificates has not been recorded.
diff --git a/tests/data_files/authorityKeyId_no_authorityKeyId.crt.der b/tests/data_files/authorityKeyId_no_authorityKeyId.crt.der
deleted file mode 100644
index 452d9d1..0000000
--- a/tests/data_files/authorityKeyId_no_authorityKeyId.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_no_issuer.crt.der b/tests/data_files/authorityKeyId_no_issuer.crt.der
deleted file mode 100644
index 175ee3f..0000000
--- a/tests/data_files/authorityKeyId_no_issuer.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_no_keyid.crt.der b/tests/data_files/authorityKeyId_no_keyid.crt.der
deleted file mode 100644
index 4ac5f00..0000000
--- a/tests/data_files/authorityKeyId_no_keyid.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId.conf b/tests/data_files/authorityKeyId_subjectKeyId.conf
deleted file mode 100644
index 296fac8..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-[req_distinguished_name]
-countryName = NL
-organizationalUnitName = PolarSSL
-commonName = PolarSSL Test CA
-[v3_req]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
-[v3_req_authorityKeyId_no_keyid]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = issuer:always
-[v3_req_authorityKeyId_no_issuer]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-[v3_req_no_authorityKeyId]
-subjectKeyIdentifier = hash
diff --git a/tests/data_files/authorityKeyId_subjectKeyId.crt.der b/tests/data_files/authorityKeyId_subjectKeyId.crt.der
deleted file mode 100644
index a6ca469..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der
deleted file mode 100644
index 0e3f578..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der
deleted file mode 100644
index 1c8519b..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der
deleted file mode 100644
index 469493e..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der
deleted file mode 100644
index 3e36086..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der
deleted file mode 100644
index 55d5dd0..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der
deleted file mode 100644
index 45ac8f4..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der
deleted file mode 100644
index 009fcf2..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der
deleted file mode 100644
index 93fb1e3..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der
deleted file mode 100644
index 89e1f4b..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der b/tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der
deleted file mode 100644
index 53063f8..0000000
--- a/tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/base64/cli_cid.txt b/tests/data_files/base64/cli_cid.txt
deleted file mode 100644
index 8048aec..0000000
--- a/tests/data_files/base64/cli_cid.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Client, CID 0xBEEF
-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
diff --git a/tests/data_files/base64/cli_ciphersuite.txt b/tests/data_files/base64/cli_ciphersuite.txt
deleted file mode 100644
index bf36470..0000000
--- a/tests/data_files/base64/cli_ciphersuite.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// TLS-RSA-WITH-AES-256-CCM-8
-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
diff --git a/tests/data_files/base64/cli_def.txt b/tests/data_files/base64/cli_def.txt
deleted file mode 100644
index 793da2b..0000000
--- a/tests/data_files/base64/cli_def.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Client context with default MbedTLS configuration
-AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/cli_min_cfg.txt b/tests/data_files/base64/cli_min_cfg.txt
deleted file mode 100644
index 152b474..0000000
--- a/tests/data_files/base64/cli_min_cfg.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Minimal configuration
-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
diff --git a/tests/data_files/base64/cli_no_alpn.txt b/tests/data_files/base64/cli_no_alpn.txt
deleted file mode 100644
index 25923f6..0000000
--- a/tests/data_files/base64/cli_no_alpn.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-// Without MBEDTLS_SSL_ALPN
-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
-
diff --git a/tests/data_files/base64/cli_no_keep_cert.txt b/tests/data_files/base64/cli_no_keep_cert.txt
deleted file mode 100644
index 76d0c3c..0000000
--- a/tests/data_files/base64/cli_no_keep_cert.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
-AhUAAAMAAAAAAACCAAAAAF6MKhTMqAAgSKCqXrcrmjqOBpxsGO3itQB09YgsSJwXmZB12QlB+wwhiof0mzAN0hupkLxu4Yyc9SgyFoEDPKJk8TiRo8bO2rkEfPItB5lUFkJwzdeuGVMAAAAABiCAy8MWqlj4vnIv0mswJvB35hyCOYWZ+fcZ6t5LzZgXPl6MKhRs69b+psiGUAo8OK3fU4HKOHNdi36tk22+ScctXowqFEyvzGcvbtI0VfWLKlOlDv+SwC08ZdCNa+RBZ/AAAAEAAAAAAAIAAA==
diff --git a/tests/data_files/base64/cli_no_mfl.txt b/tests/data_files/base64/cli_no_mfl.txt
deleted file mode 100644
index 0d06891..0000000
--- a/tests/data_files/base64/cli_no_mfl.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-AhUAAHcAAA4AAAQ6AAAAAF6LDLPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fzGzO1ysljMgZr4gduigvRXr2AK5X8j8c6vHTOpc2ncFS3UN2ojwD2tOaM3+/XIAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJMiPbE45oAjg9Rx0iVnQDg2AHHKrrmSMTfVijgZbdL/ZFWYvFMioa7uqW0NmA0bSTxcsieRarndOq5fIdEIzmAgGkdaxJaGNDT105gwwIzUnLRapgP6H6IImSMFPXVp3Zks0zFfrq7aQnQMgc8o5kPqWq1/eYfdq8lysTO8Rgliv96lA/pe1SQmPL1mdChAwCa/4XEAAVGAAABeiwyzXGz4yPwEgvq/TWq0dZXvD6mzEbAty1oZJIvRpl6LDLOyQ94MIvSKw7OH4mg+DNL+ZW0xzQbKQalloUG6AAAAAAAAAAAAAAABAAAAAAAAAAMAAAEAAAAAAAIAAAA=
diff --git a/tests/data_files/base64/cli_no_packing.txt b/tests/data_files/base64/cli_no_packing.txt
deleted file mode 100644
index 112b1b6..0000000
--- a/tests/data_files/base64/cli_no_packing.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without DTLS packing
-AhUAAH8AAA4AAAQ8AAAAAF6LCM/MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfl0tXNmshIQEqiEflQGnVUKkIFl1on/Mu0pjWes3XwQgdwmy9xMzpVyYU5gBOsOEAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJRTvlE7NmNNLDESUBoGC+K2AHIKA+/lhdRVF4YcMvvqCBYFB5tj0oyCikftfjNbvjl9YPGqcRXk664YieWv/pz8U1FOENipbjXF9lFhgedG2Xanh/2FwHX5txYiHIJxJeLEKCXp5Sjt9XBvQsrryxLyX9l+zkLKm7bCAcrfk4h/YoqxecAI63isG9vnrS7o07iD/3mOAAFRgAAAAF6LCM+1uRpyaoyfzuNGBJK9DgBWIWtrPpu7KM8qsC/FXosIz/YIPhveZ8Z4IR0g/McAMQwzQoK5tScSE0DD3BwAAAAAAAAAAAAAAAEAAAAAAAAAAwEAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/def_b64_ff.bin b/tests/data_files/base64/def_b64_ff.bin
deleted file mode 100644
index 66aa827..0000000
--- a/tests/data_files/base64/def_b64_ff.bin
+++ /dev/null
@@ -1,5 +0,0 @@
-// Ensure that the b64 parser continues after encountering a 0xFF
-// character. Note that this byte is invalid UTF-8, making this
-// entire file invalid UTF-8. Use care when editing.
-// -> <-
-AhUAAH8AAA4AAABtAAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAACAAAAAAAAAAAAAAAAAAV6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/def_b64_too_big_1.txt b/tests/data_files/base64/def_b64_too_big_1.txt
deleted file mode 100644
index 47be05c..0000000
--- a/tests/data_files/base64/def_b64_too_big_1.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Context with added '1234' at the beginning to simulate too much data in the base64 code
-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
diff --git a/tests/data_files/base64/def_b64_too_big_2.txt b/tests/data_files/base64/def_b64_too_big_2.txt
deleted file mode 100644
index 7ec1dd0..0000000
--- a/tests/data_files/base64/def_b64_too_big_2.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Context with added '1234' in the middle of code to simulate too much data
-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
diff --git a/tests/data_files/base64/def_b64_too_big_3.txt b/tests/data_files/base64/def_b64_too_big_3.txt
deleted file mode 100644
index 514754c..0000000
--- a/tests/data_files/base64/def_b64_too_big_3.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Context with added '1234' before '==' add the end to simulate too much data in the base64 code
-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
diff --git a/tests/data_files/base64/def_bad_b64.txt b/tests/data_files/base64/def_bad_b64.txt
deleted file mode 100644
index d777658..0000000
--- a/tests/data_files/base64/def_bad_b64.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Context with added extra 'A' before '==' add the end to simulate bad length of base64 code
-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
diff --git a/tests/data_files/base64/mfl_1024.txt b/tests/data_files/base64/mfl_1024.txt
deleted file mode 100644
index b56044a..0000000
--- a/tests/data_files/base64/mfl_1024.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// MFL=1024
-AhUAAH8AAA4AAABtAAAAAF6K+GLMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACHeeQKPVt9RpB8nLTB6C2AhxRzB0r/OBbXbMPm6jb1rkR+qrXZAUFRvGfGxlqqGWwAAACAAAAAAAAAAAAAAAIAAV6K+GJIXNnpKTr9HZQW6WEH7YSYhhRRqOO6xvf8QL6/Xor4YhOxOJYk23w3AwDvVAofeWnVAfJnExe5ipdSxnAAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA===
diff --git a/tests/data_files/base64/mtu_10000.txt b/tests/data_files/base64/mtu_10000.txt
deleted file mode 100644
index 6764539..0000000
--- a/tests/data_files/base64/mtu_10000.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// MTU=10000
-AhUAAH8AAA4AAABtAAAAAF6LDkzMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABx06kxYooMLGPyUMoB46EF2zTJzmZEM4le5aKihcHpFEfgrX/eWQZFWa7cak79ihwAAACAAAAAAAAAAAAAAAAAAV6LDkz9bigMk9q0WiDmgYhX8ppbfgbtMCfruvVQNiFWXosOTJ3R2+J+TaSChmjtS8sD+y1Zruhe/SJE7y9D+5YAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAicQAA==
diff --git a/tests/data_files/base64/srv_cid.txt b/tests/data_files/base64/srv_cid.txt
deleted file mode 100644
index 69aad5f..0000000
--- a/tests/data_files/base64/srv_cid.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Server, CID 0xDEAD
-AhUAAH8AAA8AAABtAAAAAF6MZUPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABh7h8/aprLN1fS0KwLkZzKcsa5LNtDW7sYu7d1z7fNetuRjLJpX/A1mTSqeBY7li8AAACAAAAAAAAAAAAAAAAAAV6MZUNak74BhbcgvZ2M8WhZKjQyCix7GJzRs4SqnD7iXoxlQ7YXjsVI0K/xyMOJPkT9ZcPEi/2jHGIte1ZduW4C3q0Cvu8AAAAAAAAAAAAAAAIAAAAAAAAABwAAAQAAAAAAAwAAAA==
diff --git a/tests/data_files/base64/srv_ciphersuite.txt b/tests/data_files/base64/srv_ciphersuite.txt
deleted file mode 100644
index 7e93906..0000000
--- a/tests/data_files/base64/srv_ciphersuite.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// TLS-RSA-WITH-AES-256-CCM-8
-AhUAAH8AAA4AAABtAAAAAF6K4ynAoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADLBIQUrrPh7jxYz9e55cJvfpOkuBf2ZiVovlYa1Dkwbimp5q/CoWIn48C0x3Yj6N0AAACAAAAAAAAAAAAAAAAAAV6K4yksMvMV19qRq+eNokGn0j9Q5tjE88EK8jfM7gksXorjKR6zhXhttFGIFkNNAmmKuuDQGVmX1yCoHiJFonUAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/srv_def.txt b/tests/data_files/base64/srv_def.txt
deleted file mode 100644
index ca81461..0000000
--- a/tests/data_files/base64/srv_def.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Server context with default MbedTLS configuration
-AhUAAH8AAA4AAABtAAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAACAAAAAAAAAAAAAAAAAAV6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/srv_min_cfg.txt b/tests/data_files/base64/srv_min_cfg.txt
deleted file mode 100644
index 77272f5..0000000
--- a/tests/data_files/base64/srv_min_cfg.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Minimal configuration
-AhUAAAMAAAAAAABjAAAAAF6LZlLMqAAgUGktPmpSPbzRPipeCpYJtp5SNIIjTr3R121WF9AeWN4tmKbRhhv+yPMjY0yWPrHLy7lLLhwNFBwCD6eQ0ULZZ15Fi2Rhae/4ZkAR0BN2iCMAAACAAAAAXotmUkMC6aU6s7O5InjmEEeg4ySLZkNDf0Ut/s06/cBei2ZS+kkKS3sJso2u418jlrlKiesyUOW+xXwOD8bYZQAAAQAAAAAAAgAA
diff --git a/tests/data_files/base64/srv_no_alpn.txt b/tests/data_files/base64/srv_no_alpn.txt
deleted file mode 100644
index 10ddd0c..0000000
--- a/tests/data_files/base64/srv_no_alpn.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without MBEDTLS_SSL_ALPN
-AhUAAH8AAAYAAABtAAAAAF6LDSzMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1lCUO8B/805UzCOLZzWDAEA8anfLpbuWTrnFSR2puZktvEiR8nXdATN0yKS94oSAAAACAAAAAAAAAAAAAAAAAAV6LDSwWt0QWgmNg4Zv2yYhf4Pdexpi/QTIqWyD2AQVjXosNLLK1vz/upFHrJlizjH5uSBUJCpQZJczrBgxBmGoAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAA
diff --git a/tests/data_files/base64/srv_no_keep_cert.txt b/tests/data_files/base64/srv_no_keep_cert.txt
deleted file mode 100644
index be834b9..0000000
--- a/tests/data_files/base64/srv_no_keep_cert.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
-AhUAAAMAAAAAAABiAAAAAF6MKhTMqAAgSKCqXrcrmjqOBpxsGO3itQB09YgsSJwXmZB12QlB+wwhiof0mzAN0hupkLxu4Yyc9SgyFoEDPKJk8TiRo8bO2rkEfPItB5lUFkJwzdeuGVMAAACAAABejCoUbOvW/qbIhlAKPDit31OByjhzXYt+rZNtvknHLV6MKhRMr8xnL27SNFX1iypTpQ7/ksAtPGXQjWvkQWfwAAABAAAAAAACAAA=
diff --git a/tests/data_files/base64/srv_no_mfl.txt b/tests/data_files/base64/srv_no_mfl.txt
deleted file mode 100644
index e254403..0000000
--- a/tests/data_files/base64/srv_no_mfl.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-AhUAAHcAAA4AAABsAAAAAF6LDLPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fzGzO1ysljMgZr4gduigvRXr2AK5X8j8c6vHTOpc2ncFS3UN2ojwD2tOaM3+/XIAAACAAAAAAAAAAAAAAAABXosMs1xs+Mj8BIL6v01qtHWV7w+psxGwLctaGSSL0aZeiwyzskPeDCL0isOzh+JoPgzS/mVtMc0GykGpZaFBugAAAAAAAAAAAAAAAQAAAAAAAAADAAABAAAAAAACAAAA
diff --git a/tests/data_files/base64/srv_no_packing.txt b/tests/data_files/base64/srv_no_packing.txt
deleted file mode 100644
index bcc4228..0000000
--- a/tests/data_files/base64/srv_no_packing.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Without DTLS packing
-AhUAAH8AAA4AAABtAAAAAF6LCM/MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfl0tXNmshIQEqiEflQGnVUKkIFl1on/Mu0pjWes3XwQgdwmy9xMzpVyYU5gBOsOEAAACAAAAAAAAAAAAAAAAAAV6LCM+1uRpyaoyfzuNGBJK9DgBWIWtrPpu7KM8qsC/FXosIz/YIPhveZ8Z4IR0g/McAMQwzQoK5tScSE0DD3BwAAAAAAAAAAAAAAAEAAAAAAAAAAwEAAQAAAAAAAgAAAA==
diff --git a/tests/data_files/base64/v2.19.1.txt b/tests/data_files/base64/v2.19.1.txt
deleted file mode 100644
index c07bd9d..0000000
--- a/tests/data_files/base64/v2.19.1.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-// Context creaded by MbedTLS v.2.19.1
-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
diff --git a/tests/data_files/cert_example_multi.crt b/tests/data_files/cert_example_multi.crt
deleted file mode 100644
index 0e3295d..0000000
--- a/tests/data_files/cert_example_multi.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICojCCAYqgAwIBAgIBETANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwNzEwMTEyNzUyWhcNMjkwNzEwMTEyNzUyWjA6MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEAxziSxcP0cBAIa/gTNezzARyKJQ+VgjYeqh6W
-ElUarPh7dTMLcFcznNmV8U1MRDfIvsSgP+RkPNPzyQJDPcN8W455qgmEroITNwq/
-hWm9KjVibLH+5KzgQrJBfHvknScUmywHa45DPT9sdjpGmhxwDSWdvAjHQPzYAjdi
-/33r/C0CAwEAAaM2MDQwMgYDVR0RBCswKYILZXhhbXBsZS5jb22CC2V4YW1wbGUu
-bmV0gg0qLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCJbFizurHz804x
-6NbsvsPPgLcESq0OcGOEXOCOe8seZqomhSYTXtHBzrFtRp2/gmtORq2oapoDDiq+
-I+xRLJYsUBut2NdkZmEIRSW4n4sXJwqb0fXTTkd7EAXBvGNWbERab5Sbf84oqd4t
-yjjz2u+Hvx8hZCHJG2V9qg3zaw5zJT1AfAsMbjXqi8CfU7U+Fcor+O3GeuUVgpJC
-QCXb2Qjj3ZmrCvGZA9x59XtnEN6m2O4pWkmqR/Z7MlQrZzQ80vcQMk9+qoKIr2EJ
-RcJhAtE+dLV19IlccwsDlGx5kT5N5zSYLK9nARV1/AjK48bUxGH353A1Y2MCfy0E
-dXDReJa1
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_example_multi_nocn.crt b/tests/data_files/cert_example_multi_nocn.crt
deleted file mode 100644
index 08bf63c..0000000
--- a/tests/data_files/cert_example_multi_nocn.crt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfjCCAWagAwIBAgIJAPfGf/jpqWP5MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV
-BAYTAk5MMB4XDTIzMDUxODAyMDUwMVoXDTMzMDUxODAyMDUwMVowDTELMAkGA1UE
-BhMCTkwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMc4ksXD9HAQCGv4EzXs
-8wEciiUPlYI2HqoelhJVGqz4e3UzC3BXM5zZlfFNTEQ3yL7EoD/kZDzT88kCQz3D
-fFuOeaoJhK6CEzcKv4VpvSo1Ymyx/uSs4EKyQXx75J0nFJssB2uOQz0/bHY6Rpoc
-cA0lnbwIx0D82AI3Yv996/wtAgMBAAGjZTBjMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMEkGA1UdEQRCMECCHHd3dy5zaG90b2thbi1icmF1bnNjaHdlaWcuZGWCFHd3
-dy5tYXNzaW1vLWFiYXRlLmV1hwTAqAEBhwTAqEWQMA0GCSqGSIb3DQEBBQUAA4IB
-AQAuomKlMLwSkP3zvGuA9awDdITM/uCzfd77yi60zMNtFHDMu2YZ2npQSl0czab6
-/8fX9goaU8V3cx4KXSLMx7i9AsP1r559Uo3c/4oTZd3xBsElMAn/TXiuujZ2RwdL
-RcMOJerlThOE0dtNdniJj7lPaan70CELP/CUn8KgeWgztQJj4ghfUwnLn6RnpLfl
-YyM/Xq2YbwnQWHXSe3CPTy5RCWalt3SgZf6IDcD6CNq1Q2l14iR78OWnlxGTFmjP
-ez3OzxNT2BZz0AiP0WvTbUtvfuxw9G3fHHe5ClsAopIA3tD246jHOAlqAnOEBC/x
-IABbWjY/briP9U4R6x+mg2ck
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_example_wildcard.crt b/tests/data_files/cert_example_wildcard.crt
deleted file mode 100644
index ab417c5..0000000
--- a/tests/data_files/cert_example_wildcard.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDOzCCAiOgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA4MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUuFWFeib+46EWQ
-2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQg2rVQUN3Xzl8
-CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A+G2BJV8KsVPG
-MH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+rWUsZOuVm9z+
-QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE2y6mT3Buns69
-WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSxAgMBAAGjTTBL
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKmMB8GA1Ud
-IwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUAA4IBAQBx
-d7aXXhUG1EM6HrkN6XOOXykuDIgh8iQi7+D9TANwbXtPJk0hiCqtChOC31Hao79U
-5E23Y2LsFP+Ap/jLRpZYvxkk9kcBjgcp0GTxPHLu2n7ijsGuj/765FGG4wTVTtrF
-uU8ZNI3uGoz2SjLyvNLz7aulavagcLt0P32TzURezJH47RN8JxriEXGbxVf0CCNl
-Zw/hWy+g5yT12AT0dYwX1UeFT6JMXwwDrCG+W1uBY35wgTovrh5YYvNc1JFpzh+o
-vvu9Tq7rsX7P4f7/gu8f4MMDuzMryUyGCYMexQkXJNBz2S/igLFbuX1VmsLlX8zm
-iDqWV5xLtVuLbgQGKa4q
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_md5.crt b/tests/data_files/cert_md5.crt
deleted file mode 100644
index e514fd6..0000000
--- a/tests/data_files/cert_md5.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
-M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
-1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
-MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
-4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
-/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC
-AQEAF4QcMshVtVbYgvvU7f2lWakubbAISM/k+FW/f7u63m0MSSoSFeYflBOC1Wf4
-imgDEnWcWTH5V7sxsLNogxfpfTuFUaKfHeQmRhAK4UgqbDEs4dZvgo3wZ/w92G0/
-QNntJefnqaFiITXZTn6J8hxeoEq4QbucbWgeY6fTAwXtIv40BvMOSakkuIFAyIvV
-90VY1j4vnx0/xv5lIBAxah1HdtXhqtDu/sUfdCtWX5SCcVUwwM3gZ4Q1ZdWQmlvF
-737ZG7XaINxsDaI04sJxc7qvuRYhLdCwUPnZL5TGEQJ8jNa/39eEbnkvs7hbTU98
-6qG8UAYsSI7aMe1j7DZpkoPL9w==
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_md5.csr b/tests/data_files/cert_md5.csr
deleted file mode 100644
index dc6792d..0000000
--- a/tests/data_files/cert_md5.csr
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBDZXJ0IE1ENTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAMh0xMy5+bV56UXZFGCwfbuT8msenzOtDY+KPFZl5dxE2cxmhQfV
-+CewSjXQY54Kbhu32vB+q+4MEJOGSRg086gq0lf1LtQvdymEYU2CUI+nlUhw9W5N
-stUTw9Ia7eZD6kIU63TqwO0f1FdOqfOo7dLgwTBxMDIw1dP2CNBWT0aO8l/5PWeR
-iDAuQrLfffvlDHf/7DHAeI+/wn/KrWwh1o3Zi2qOb+Cb+BBWzLOOExXmNARmx+75
-Ng5qlfYJmgZn9GVx+MqksSXg/jyLNQRnuuBPdoX8f/w2a7XpzS0DYk6zPQDPr3ag
-aVaDatKo1OdQcea1NgV3BW17yOTE/UzVIV8CAwEAAaAAMA0GCSqGSIb3DQEBBAUA
-A4IBAQBNEvxgn3Pc62hsMgMz33IdeNpazeK3ae2gwQQFgL7qMp/kskfpIKF4m8eB
-YrmjKn9cqszRD606/ZtWYDwINUUc6O7bQGmpGIFd7bSPm/pbsajc6R7kzA/tD/bk
-G5zqu9Bj0x92hEwdku0zY+Hx9PgT2dK8M72iFylHBwT3X1tNyXhh7xWJ9RlAfSvN
-KdS6s3kRjK4qcir0MnflV5f2HD6r1v9cSVyme6eVLvOmup89z0cihH7NDwDJaYbi
-oqcKXFbro8/2ruEzPUS6U8NA9cjlX9DW8buIu4cQACVx5YevlwKoayYfXcRRvIFo
-OLiPq14TuZj3c0+HFOxWj4UBAjvI
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/cert_sha1.crt b/tests/data_files/cert_sha1.crt
deleted file mode 100644
index 1e23585..0000000
--- a/tests/data_files/cert_sha1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIBBzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGzAZBgNVBAMMElBvbGFyU1NMIENlcnQgU0hBMTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J
-v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB
-Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl
-XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk
-65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP
-cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw
-HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD
-ggEBAFAHuWfjOp+GaM5dP3NBaUayXmjbrsY5fo/ysfOVV9xipzbPWvE2Bu679iU1
-Eg+5hME9VlMmQejGzG09ReXE+30gyhtO3vWA8U21YrsL3ybvS6EREHGKk238bIBh
-yDP/b0VuoNsS3xRn9WyH3TRu5re0vK68OSkLIWPd01fgvcfl6YyUY+WuuSrpYcDv
-nrgKvFZws/EE4RNldtRC1Blwy497AtmWBQWs65zj5JkNdNnm4JJqXZAArNh2GSZo
-83C/1ZSFrNo9GONsCJ0GVGEt7IK7FPqXYW7rXi30BRse33ziU7RPWGDT13bh9Rdz
-RqsoZ5h5VjtHOnMUUD99gIWinBE=
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_sha224.crt b/tests/data_files/cert_sha224.crt
deleted file mode 100644
index c8a209d..0000000
--- a/tests/data_files/cert_sha224.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCDANBgkqhkiG9w0BAQ4FADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjI0MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ4F
-AAOCAQEATdo7p7dok8gcxS0dYGluXMOsAEALyHAgvAJSZUt0x8RxemJfpquv4XG/
-rppQmtA5aPf59Fo0z5GcS0zzYFLTQIcLHKnuuG0W6yjhx3e+5J1hjLbv///vvKGN
-jq55z+CANkragMk6XQ/t+iXkh/Fq00FS+zbf1JLaMXOLst5dfv3uPQaJHwzX/EaE
-VdognXxWudNQgIvemindk9TTQon27zBS/z6nwcBCIXMDfesAjcHuBCfxl6pofK6E
-28qs4up/JayptG2CX98LGsEyAgegwTMSYGLJoWcHhrUcbF0fNOcXPgQKGTcZO4Tg
-yPYGbkG9FjgaASc2gTrYVPRZ6mY19g==
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_sha256.crt b/tests/data_files/cert_sha256.crt
deleted file mode 100644
index e56d428..0000000
--- a/tests/data_files/cert_sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjU2MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsF
-AAOCAQEAuo8kRDdQj3+rgqbz7bS3ZfBVCqgbQfruRZncP0s3IQJ6g7k6BNfCTO+N
-tIgnCDhnhjK9DS4l1LTkQJKfcd6sfuwBxjHKWGZUqTqHWFm/O5MJwfMpxI305xXE
-evDzh8LK1W3moX5OcT4bx3QsY9I4nqXQkOzjGidxhOXYA2v+X5OhRt3IJ2dzmQQu
-BVXnDbzuchUfP5aeCwW6l7VX+RJOE2zlqO5yt0ejT02E44qtC5sBf24V9ko5LORw
-1J7Zk34QwsKrSPSGxOuoWNwH3fJpgZQImKgJIQCsksJ+A45CK6iz0km8oTiI3Hoo
-2LpE6UNx2M8jiZWVzH1L4tkg4fcCoQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_sha384.crt b/tests/data_files/cert_sha384.crt
deleted file mode 100644
index f8ec10b..0000000
--- a/tests/data_files/cert_sha384.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCjANBgkqhkiG9w0BAQwFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMzg0MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQwF
-AAOCAQEAeyHm+emo4/QHqEVKj/MYPOsPrrcr5MupNE7WmoUA7SilVUlceIy8ApWR
-MUdwnh7UPkCa6K1yvayknEbHzD2Lv9BLEf5A1/a+F/LmFXiV0kXIFue13u+z7laV
-N/s/jphPVgjPwZiC1ZtOoD7WvSkIInB53j4Q3VCH6EpZxZuDO/u8CGBQ0g+9Eqhn
-W3+4GFnxUPYeN17u/opt16mEPx6WFbRl9hs5wUvND/FCDEJ/9uVNiVYlPYyHKzzq
-e3WXCHLYUKGESQX+85IrnmlwbAb33bM+sAM6naFafXTZEimeEpX3iYrHzhoU7aR7
-piojwAE+Yb3Ac+Hu1fY4CRO4ZHL6Zg==
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_sha512.crt b/tests/data_files/cert_sha512.crt
deleted file mode 100644
index b2254fa..0000000
--- a/tests/data_files/cert_sha512.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCzANBgkqhkiG9w0BAQ0FADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBNTEyMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ0F
-AAOCAQEABnuq7gMU6EWqcmEcj2/wiqOFUBeH9ro0tni9JZzaDAKkBMwoeJ3RP/59
-wY92UZC/SoWPm0yLK25KTwxJhd645a5ZeRk+yi1SG+oXNgZFS03F1Orat0bM5u94
-RtzLRInGzTxhlVS8HPRya2+nEaPT9YNO25vORczPDjtrI82UnysaWiKx1OCPhdP3
-ZySAkX/zE1U8Te0+948C0vmg2aTWCSk5zutryFgHH5UojmmWAkBHpX3tIm8JMRG9
-tvp6fbIDan0LmSsVK8rq5OPSwAKMso6GF4Iuxou/jP2gI+NutenX26wrffSjlPiW
-KksLNj8oL6vIUap28Oh+Gwph02biSQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/cert_v1_with_ext.crt b/tests/data_files/cert_v1_with_ext.crt
deleted file mode 100644
index 4f07048..0000000
--- a/tests/data_files/cert_v1_with_ext.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDzTCCArUCCQC97UTH0j7CpDANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
-WFgxCzAJBgNVBAgTAlhYMQswCQYDVQQHEwJYWDELMAkGA1UEChMCWFgxCzAJBgNV
-BAsTAlhYMScwJQYJKoZIhvcNAQkBFhhhZG1pbkBpZGVudGl0eS1jaGVjay5vcmcx
-GzAZBgNVBAMTEmlkZW50aXR5LWNoZWNrLm9yZzAeFw0xMzA3MDQxNjE3MDJaFw0x
-NDA3MDQxNjE3MDJaMIGHMQswCQYDVQQGEwJYWDELMAkGA1UECBMCWFgxCzAJBgNV
-BAcTAlhYMQswCQYDVQQKEwJYWDELMAkGA1UECxMCWFgxJzAlBgkqhkiG9w0BCQEW
-GGFkbWluQGlkZW50aXR5LWNoZWNrLm9yZzEbMBkGA1UEAxMSaWRlbnRpdHktY2hl
-Y2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1v8FswMughO8
-mwkHWAf+XRpK33kYR0ifBnObvk2R9ZTEUk/TfFEEFVlen5xhiE0g8lbCj8Y5Mzsg
-wZsJv5in/KnraYb7VC0ah0jx4sMkhKRcyUWfjyH8r7FNH1j1jd08ZpWJGotYxxaL
-evqom1rzLN99JPObwyCCgGcQjlRV7cMfIgwlwHb/JPXOy/hYAgjrCjqvBu3nL5/b
-HF0PyVGiKCEQiHhMBKNjAxzQrCUGy7Vp+3QlIYrs6/m5A96vohX/j+wzwIp3QgiK
-Yhj5E4Zo/iQLf6Rwl7pL4RTdT+crcy143mYiShNY+ayl9snfVJNnuHaMe15fVEsP
-X9lDvdBvXwIDAQABoz8wPTA7BgNVHREENDAyghJpZGVudGl0eS1jaGVjay5vcmeC
-Fnd3dy5pZGVudGl0eS1jaGVjay5vcmeHBCU7/jAwDQYJKoZIhvcNAQEFBQADggEB
-AAXUXoWlQxKvSCVWhes8x03MCude0nDqDFH1DPGIKeVeWOw87nVni+hIvy8II6hj
-5ZfGSHuZci2AgElA3tXk2qDcZ/uBXe2VV4IwsgXKUYSlpz1xoU55InT4e7KdssEP
-HOyrU03Dzm8Jk0PhgEJpV48tkWYoJvZvOiwG0e43UPDv9xp8C8EbvJmmuWkUWnNW
-o0yDnoAOxGfUGSUQ1guTpWCoQEKj3DS4v4lI0kNmJm+oRE2vv1XealWEHSuMpRZO
-Qhy8WImX3muw99MP579tY44D5Z7p3kpiC1bwV3tzkHdf5mkrAbFJIfliPvjMrPMw
-2eyXXijDsebpT0w3ruMxjHg=
------END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa-sha1.crt b/tests/data_files/cli-rsa-sha1.crt
deleted file mode 100644
index 60952e6..0000000
--- a/tests/data_files/cli-rsa-sha1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
-M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
-1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
-MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
-4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
-/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
-AQEAvhU1q5bKpkuxcYjjASRCARDUZz6X0BLr/j5S1bvdnHCzyLt30wViDNnAyO+Z
-FW5S3t+WMU80nyvZ+q+WQWx9u8yHkPx1Mkju9kxrBNiFRSKKq4U7nvB0bEp1Coij
-kaPkK6i4qpPQ4+CrPxoERIez4yqJUY5xaVMa8JIKEJPU3UX1P3AHCmIM97IbZ55m
-xqG3gus0hL6I93ou0kxMF1G5DJP4kpa/UIvXG962EXYeKfBK3MPV/yL/5tXpyjqX
-9mH7DmL3Haa2AVajx/5NGr/DKyL2aN4mG+IWO1NErUfOoR0aIDVd7q6LwD8DuKlI
-e6dcSTeYJ8CzzzPXVfwnHjDi/g==
------END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa-sha256.crt b/tests/data_files/cli-rsa-sha256.crt
deleted file mode 100644
index 3b3d9bc..0000000
--- a/tests/data_files/cli-rsa-sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
-M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
-1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
-MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
-4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
-/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC
-AQEAXidv1d4pLlBiKWED95rMycBdgDcgyNqJxakFkRfRyA2y1mlyTn7uBXRkNLY5
-ZFzK82GCjk2Q2OD4RZSCPAJJqLpHHU34t71ciffvy2KK81YvrxczRhMAE64i+qna
-yP3Td2XuWJR05PVPoSemsNELs9gWttdnYy3ce+EY2Y0n7Rsi7982EeLIAA7H6ca4
-2Es/NUH//JZJT32OP0doMxeDRA+vplkKqTLLWf7dX26LIriBkBaRCgR5Yv9LBPFc
-NOtpzu/LbrY7QFXKJMI+JXDudCsOn8KCmiA4d6Emisqfh3V3485l7HEQNcvLTxlD
-6zDQyi0/ykYUYZkwQTK1N2Nvlw==
------END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa-sha256.crt.der b/tests/data_files/cli-rsa-sha256.crt.der
deleted file mode 100644
index e2739e9..0000000
--- a/tests/data_files/cli-rsa-sha256.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/cli-rsa-sha256.key.der b/tests/data_files/cli-rsa-sha256.key.der
deleted file mode 100644
index 8ef5a04..0000000
--- a/tests/data_files/cli-rsa-sha256.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/cli-rsa.key b/tests/data_files/cli-rsa.key
deleted file mode 100644
index eb1d3bc..0000000
--- a/tests/data_files/cli-rsa.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF
-B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1
-bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9
-Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH
-7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v
-dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst
-yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz
-4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt
-ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA
-zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d
-l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf
-DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT
-VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL
-Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7
-wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys
-c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi
-33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60
-ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0
-BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW
-KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+
-UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc
-7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq
-gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu
-bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv
-8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/data_files/cli-rsa.key.der b/tests/data_files/cli-rsa.key.der
deleted file mode 100644
index 8ef5a04..0000000
--- a/tests/data_files/cli-rsa.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/cli.opensslconf b/tests/data_files/cli.opensslconf
deleted file mode 100644
index ae9ab9d..0000000
--- a/tests/data_files/cli.opensslconf
+++ /dev/null
@@ -1,4 +0,0 @@
-[cli-rsa]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:false
diff --git a/tests/data_files/cli2.crt b/tests/data_files/cli2.crt
deleted file mode 100644
index f287a19..0000000
--- a/tests/data_files/cli2.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJTU0wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMEExCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEfMB0GA1UEAwwWUG9sYXJTU0wgVGVzdCBDbGllbnQg
-MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFflrrFz39Osu5O4gf8Sru7mU6zO
-VVP2NA7MLuNjJQvfmOLzXGA2lsDVGBRw5X+f1UtFGOWwbNVc+JaPh3Cj5MejTTBL
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMB8GA1Ud
-IwQYMBaAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAwGCCqGSM49BAMCBQADaAAwZQIx
-AMqme4DKMldUlplDET9Q6Eptre7uUWKhsLOF+zPkKDlfzpIkJYEFgcloDHGYw80u
-IgIwNftyPXsabTqMM7iEHgVpX/GRozKklY9yQI/5eoA6gGW7Y+imuGR/oao5ySOb
-a9Vk
------END CERTIFICATE-----
diff --git a/tests/data_files/cli2.crt.der b/tests/data_files/cli2.crt.der
deleted file mode 100644
index 56a0a1b..0000000
--- a/tests/data_files/cli2.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/cli2.key b/tests/data_files/cli2.key
deleted file mode 100644
index e747d09..0000000
--- a/tests/data_files/cli2.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49
-AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW
-wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/cli2.key.der b/tests/data_files/cli2.key.der
deleted file mode 100644
index acba6a0..0000000
--- a/tests/data_files/cli2.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der b/tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der
deleted file mode 100644
index 64a4900..0000000
--- a/tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/crl-ec-sha1.pem b/tests/data_files/crl-ec-sha1.pem
deleted file mode 100644
index f82d946..0000000
--- a/tests/data_files/crl-ec-sha1.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBbjCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQ
-b2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMjMwNTE3MDcx
-NDM5WhcNMzMwNTE3MDcxNDM5WjAUMBICAQoXDTIzMDUxNzA3MTQzOVqgcjBwMG4G
-A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
-TDERMA8GA1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMg
-Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2gAMGUCMQCRAtXd7kXgijlMXHXr6m0B
-IzDbpAAwDwCJtgOzarF5hZKGDZeDp6vptGZK0y40NsoCMACxRrXIV+6KUBipFarI
-36yXDoBNol2xzst6p9fOg+prl6p7vO1sRYrIGg1WJGA5wQ==
------END X509 CRL-----
diff --git a/tests/data_files/crl-ec-sha256.pem b/tests/data_files/crl-ec-sha256.pem
deleted file mode 100644
index b9fad50..0000000
--- a/tests/data_files/crl-ec-sha256.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
-MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
-zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
-NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
------END X509 CRL-----
diff --git a/tests/data_files/crl-future.pem b/tests/data_files/crl-future.pem
deleted file mode 100644
index 1938219..0000000
--- a/tests/data_files/crl-future.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBgzCCAQoCAQEwCQYHKoZIzj0EATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTMyMDMxMDEx
-MDUxNVoXDTQyMDMwODExMDUxNVowKDASAgEKFw0xMzA5MjQxNjI4MzhaMBICARYX
-DTE0MDEyMDEzNDMwNVqgcjBwMG4GA1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb
-+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNV
-BAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2gA
-MGUCMQCmsvNsOQdbGpmzpeZlKU9lDP6yyWenrI/89swZYogE3cSPob4tOzeYg38i
-or91IPgCMD7N/0Qz6Nq2IgBtZORLgsA0ltK+W6AOS+/EIhvGuXV8uguUyYknl4vb
-+cE+lWxhCQ==
------END X509 CRL-----
diff --git a/tests/data_files/crl-futureRevocationDate.pem b/tests/data_files/crl-futureRevocationDate.pem
deleted file mode 100644
index f147a8f..0000000
--- a/tests/data_files/crl-futureRevocationDate.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTI4MTIzMDIzMDAw
-MFoXDTI5MTIzMDIzMDAwMFowKDASAgEBFw0yOTAxMDExMjQ0MDdaMBICAQMXDTI5
-MDEwMTEyNDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKbL1mDpzCbLJmRZKM2KHPvK
-ijS4UMnanzzYpLAwom1NI69v2fE1/EfiXv0empE6mFqnLwOG4ZP8fECfxjMXO2Ee
-VhxYiRjly6q9hfIUk1e+N9ct8unNnLEBvf6Syfy9+FSO3Q/ahljpYlXsXxg62WXl
-9xp5b5Ok+/0sCv0eL5uFQKXQa8hS9dZo6py7jvFDQC+wVau1mXjQW85iXMLm7vik
-4lR+kfZloeq1jIbsx8cdMi32YVt7uccaqoFcjtrdrWfGmi0wvlDc8K5J0l4tIxZY
-9P+T4fzSgQLdqGZ3xADheEaGTRVL/5oe5L4zRH32BZONMFCijv+j1SpWLxHE8cM=
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha1-badsign.pem b/tests/data_files/crl-rsa-pss-sha1-badsign.pem
deleted file mode 100644
index d236910..0000000
--- a/tests/data_files/crl-rsa-pss-sha1-badsign.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN X509 CRL-----
-MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBFw0y
-MzA1MTcwODA3NDlaFw0zMzA1MTcwODA3NDlaMCgwEgIBChcNMjMwNTE3MDgwNzQ5
-WjASAgEWFw0yMzA1MTcwODA3NDlaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5
-1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NM
-MRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMBMGCSqGSIb3DQEBCjAGogQC
-AgDqA4IBAQCMUepEfAXs1G3hDE7rcIPT/AFv/oLQSVwRE8O2G5r4j0CgzN6CSGNi
-8qfFVX6f7ds+QM4pxAXk5FH4QJJkev0ZBQxmA/ZDLEFmmCEfPMsA69nG//Xeq+Xz
-ZOqJpAewmXoP2UUxV5rRpAIr9g9NvDkTT012eQEpoGkJlpxOln1VW+Dk24PCZFWf
-Nf8GMUzUsXfXm7ZdCeuc8ZDYNma0nWAMR9Jw6qaEhyH4Fd/scFvXiF/i4cpVp8Rk
-M71wSrCC0pkFzw4/bYMnf0aHle/lNg5e78SAT+/6PA8pXL7Urc0IufOfxCGwqY27
-IXSTrZJj4WeQMk289pIccMHj5DUSo4u0
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha1.pem b/tests/data_files/crl-rsa-pss-sha1.pem
deleted file mode 100644
index c129c0c..0000000
--- a/tests/data_files/crl-rsa-pss-sha1.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN X509 CRL-----
-MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBFw0y
-MzA1MTcwODA3NDlaFw0zMzA1MTcwODA3NDlaMCgwEgIBChcNMjMwNTE3MDgwNzQ5
-WjASAgEWFw0yMzA1MTcwODA3NDlaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5
-1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NM
-MRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMBMGCSqGSIb3DQEBCjAGogQC
-AgDqA4IBAQCMUepEfAXs1G3hDE7rcIPT/AFv/oLQSVwRE8O2G5r4j0CgzN6CSGNi
-8qfFVX6f7ds+QM4pxAXk5FH4QJJkev0ZBQxmA/ZDLEFmmCEfPMsA69nG//Xeq+Xz
-ZOqJpAewmXoP2UUxV5rRpAIr9g9NvDkTT012eQEpoGkJlpxOln1VW+Dk24PCZFWf
-Nf8GMUzUsXfXm7ZdCeuc8ZDYNma0nWAMR9Jw6qaEhyH4Fd/scFvXiF/i4cpVp8Rk
-M71wSrCC0pkFzw4/bYMnf0aHle/lNg5e78SAT+/6PA8pXL7Urc0IufOfxCGwqY27
-IXSTrZJj4WeQMk289pIccMHj5DUSo4uO
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha224.pem b/tests/data_files/crl-rsa-pss-sha224.pem
deleted file mode 100644
index 1108b3d..0000000
--- a/tests/data_files/crl-rsa-pss-sha224.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgQFAKEcMBoG
-CSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA4jA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz
-MDUxNzA4MDc0OVoXDTMzMDUxNzA4MDc0OVowKDASAgEKFw0yMzA1MTcwODA3NDla
-MBICARYXDTIzMDUxNzA4MDc0OVqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV
-ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx
-GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN
-BglghkgBZQMEAgQFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA
-4gOCAQEANsElK5qMavcgBXsqgysCIIwEPj+dXdBOwXW17HWh2jcSwAssFNRxhiIc
-PoUjj2fNlbOWXLPoxXBitgkJ31UAYCteGSv3j5P3WEuriVwCG889JEoMWn9U4+f9
-f5jSVNfynyiAOiwpA0TrOhZOAs9SEj742S1pzhsb9yaOXeQXNnDv8HYe3uX9/D9w
-ynot+/EwCYEuvK8XQ6qnV6588NHEAd9x+OcV9pxWrmUE8Muz1KffBwD5+SOW+Taj
-4fKQPcKJoRXOKyLXpOz7yMl/6fCf6h3Qj/H4YI/2gsWI0iduKoXDsuQkMEdPTZvk
-7P88YK3/4MReaZS3sDyhhUrojELPXw==
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha256.pem b/tests/data_files/crl-rsa-pss-sha256.pem
deleted file mode 100644
index 26f7935..0000000
--- a/tests/data_files/crl-rsa-pss-sha256.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoG
-CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3jA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz
-MDUxNzA4MDc0OVoXDTMzMDUxNzA4MDc0OVowKDASAgEKFw0yMzA1MTcwODA3NDla
-MBICARYXDTIzMDUxNzA4MDc0OVqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV
-ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx
-GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN
-BglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA
-3gOCAQEAHLzvRF0RVQL48ZGVFnTk1nsOHXVHS0UVMItsILurXJ4XrOgN1I7iTzu2
-wYNtgr+T15jwsPdgU+Gg3127vb2Djm0IUX0dCfYpSFRUv8BjaK962ZPjM0rkWhC6
-JUTWSLMAMy4ScqcoC7e4vuN2h4kPOzlvDBIhzWKA03+taAtuIOWjXZu2/Cyeggxs
-oXARKI8BEv4b94xwiFJMoMuzcYAkuDIH4MRYANVgOS/zncCRS9D5ZerfoBt70LKX
-nzJtT4a0XoxbUJeU8MZ0fR5aAHUQulAPA9CMmBsHkSx7pzAAhCwx/vXbnWPyhA6G
-XG6gCKcDR5PZQvQNgi29SLlhRTT5TA==
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha384.pem b/tests/data_files/crl-rsa-pss-sha384.pem
deleted file mode 100644
index 45431f0..0000000
--- a/tests/data_files/crl-rsa-pss-sha384.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgIFAKEcMBoG
-CSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIAzjA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz
-MDUxNzA4MDc1MFoXDTMzMDUxNzA4MDc1MFowKDASAgEKFw0yMzA1MTcwODA3NTBa
-MBICARYXDTIzMDUxNzA4MDc1MFqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV
-ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx
-GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN
-BglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIA
-zgOCAQEAnZvMo3nmKXPV+q4m1CdMA7jUtdanJBHDAv2+LZLq4T1QpyN+nmLEB1yX
-ARN8/5Px47zm7XyZw6HI1Il34MjblAKIPBVXoswj4YLRceijwiG1bxkh1Kz3lcV0
-GCNPNo7tMPii9iATWlVzWBCzx2rLmt/ys0DtNRCMISOYGW1HkyuO28dwA6nUJwSS
-Ddjr3iilavnBdpzddH9AiN5Fm0sfrFBANx79Qyp0/r8hqrv7rT33maeRKj3S4e9G
-zpO6uHPAh9Obo93DxpKpXoMwxDiHv+bwHPO4J1YOiryy/KZmHhzUMPfvP09pGg9f
-zGO/bOyiHGH0Lf4F9JVMxpfitdbtwg==
------END X509 CRL-----
diff --git a/tests/data_files/crl-rsa-pss-sha512.pem b/tests/data_files/crl-rsa-pss-sha512.pem
deleted file mode 100644
index 71f2b7c..0000000
--- a/tests/data_files/crl-rsa-pss-sha512.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgMFAKEcMBoG
-CSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIAvjA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz
-MDUxNzA4MDc1MFoXDTMzMDUxNzA4MDc1MFowKDASAgEKFw0yMzA1MTcwODA3NTBa
-MBICARYXDTIzMDUxNzA4MDc1MFqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV
-ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx
-GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN
-BglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIA
-vgOCAQEAtMPpQMet9BfMRLg0AW9QfL3QkktV7xk++BqYFOYynBiqxjQH4AKu3wU8
-eiGd3+2xNpQd2/sG7UUNo1Vnl9gCHRiT4bje6+CdvvqaZKSgpmsiztbgBAYORriF
-flKOKOOQTxaikqJ4t7vp727JmstADuyizTgOBE0k3V1glas8B0G122YheeHF02S4
-+33Nss4hbfbTilR0RccOaqiXzF9bkFsTlD5KgyUFZbFtdy+1zHZLnRUAJA1HmDeP
-r5p2mJxKwXmZzLnw/FPa8fUH665TKYk08AuIpN+VHdPwiBoYHJ2YZJWgM+1qHq1y
-tlyoAOC6beqsh9OfxcQZaEiWbUI9yQ==
------END X509 CRL-----
diff --git a/tests/data_files/crl.pem b/tests/data_files/crl.pem
deleted file mode 100644
index 5a1bdd3..0000000
--- a/tests/data_files/crl.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
-OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
-MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
-CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
-e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
-pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
-C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
-7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
------END X509 CRL-----
diff --git a/tests/data_files/crl_cat_ec-rsa.pem b/tests/data_files/crl_cat_ec-rsa.pem
deleted file mode 100644
index cafa1d4..0000000
--- a/tests/data_files/crl_cat_ec-rsa.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
-MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
-zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
-NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
-OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
-MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
-CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
-e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
-pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
-C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
-7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
------END X509 CRL-----
diff --git a/tests/data_files/crl_cat_ecfut-rsa.pem b/tests/data_files/crl_cat_ecfut-rsa.pem
deleted file mode 100644
index f503a5b..0000000
--- a/tests/data_files/crl_cat_ecfut-rsa.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN X509 CRL-----
-MIIBgzCCAQoCAQEwCQYHKoZIzj0EATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTMyMDMxMDEx
-MDUxNVoXDTQyMDMwODExMDUxNVowKDASAgEKFw0xMzA5MjQxNjI4MzhaMBICARYX
-DTE0MDEyMDEzNDMwNVqgcjBwMG4GA1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb
-+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNV
-BAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2gA
-MGUCMQCmsvNsOQdbGpmzpeZlKU9lDP6yyWenrI/89swZYogE3cSPob4tOzeYg38i
-or91IPgCMD7N/0Qz6Nq2IgBtZORLgsA0ltK+W6AOS+/EIhvGuXV8uguUyYknl4vb
-+cE+lWxhCQ==
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTE5MDIwNjE2MzQ0
-NloXDTI5MDIwNjE2MzQ0NlowKDASAgEBFw0xMTAyMTIxMjQ0MDdaMBICAQMXDTEx
-MDIxMjEyNDQwN1owDQYJKoZIhvcNAQEFBQADggEBAGHkRHGDz2HsoiXzfJDBpkfg
-I+yK34O9zoHMyGcDZbF9fj4NVyyNA6XCgY3IgQYe3boA1edO6+8ImjqiZjYK+GWt
-4ne7YhapRFAoFbKQY5hgy8mlpSRlNfmRVVCDDKannMac4tQff1LCFHN8msk/uG1b
-WHWAsL6dzLVojhbUFY6mZTb6nqjm5YgqcsNsz37n4dyrCDftB99FQdE/aAec2RXP
-Jgy9DnY5jMotPqHLZtMyfVNEoivDb7YJA5Vv6NSyiYVTjyWyTHNRsFEXRtHqjpqs
-oZdBgLZAAQsUvuVpMbDKQ4FrZjOaOW/xLtKPlh/HNA5p7hNtwIiCAIvp7uQti0w=
------END X509 CRL-----
diff --git a/tests/data_files/crl_cat_rsa-ec.pem b/tests/data_files/crl_cat_rsa-ec.pem
deleted file mode 100644
index 92ecccc..0000000
--- a/tests/data_files/crl_cat_rsa-ec.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
-OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
-MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
-CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
-e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
-pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
-C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
-7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
-MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
-zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
-NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
------END X509 CRL-----
diff --git a/tests/data_files/crl_cat_rsabadpem-ec.pem b/tests/data_files/crl_cat_rsabadpem-ec.pem
deleted file mode 100644
index a035e18..0000000
--- a/tests/data_files/crl_cat_rsabadpem-ec.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
-OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
-dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
-//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
-yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
-NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
-5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
------END X509 CRL-----
diff --git a/tests/data_files/crl_expired.pem b/tests/data_files/crl_expired.pem
deleted file mode 100644
index cf60ae4..0000000
--- a/tests/data_files/crl_expired.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjQx
-OVoXDTExMDIyMDExMjQxOVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKgP1XmCIPbfY1/UO+SVFQir
-jArZ94QnQdoan4tJ29d8DmTxJ+z9/KyWNoGeOwc9P/2GQQaZahQOBr0f6lYd67Ct
-wFVh/Q2zF8FgRcrQV7u/vJM33Q2yEsQkMGlM7rE5lC972vUKWu/NKq8bN9W/tWxZ
-SFbvTXpv024aI0IRudpOCALnIy8SFhVb2/52IN2uR6qrFizDexMEdSckgpHuJzGS
-IiANhIMn5LdQYJFjPgBzQU12tDdgzcpxtGhT10y4uQre+UbSjw+iVyml3issw59k
-OSmkWFb06LamRC215JAMok3YQO5RnxCR8EjqPcJr+7+O9a1O1++yiaitg4bUjEA=
------END X509 CRL-----
diff --git a/tests/data_files/crl_sha256.pem b/tests/data_files/crl_sha256.pem
deleted file mode 100644
index c3ca256..0000000
--- a/tests/data_files/crl_sha256.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQELBQADggEBAG4mBBgwfNynCYYL2CEnqore
-mgKpC32tB6WiUBu9figcvdN3nSX/1wrB8rpiE8R04C8oSFglwhotJCnlWsy42tjb
-0pk0Wuizln0PFMc/OypqRNNhwx31SHH42W4KzONiqvq3n/WkH3M1YniR1ZnMlyvi
-lJioQn6ZAoc6O6mMP1J9duKYYhiMAOV992PD1/iqXw+jYN31RwdIS8/mGzIs4ake
-EdviwhM3E4/sVbNOWCOnZFYV4m+yNAEe29HL1VKw6UXixBczct+brqXNVD3U6T0F
-5ovR6BTefZO17eT52Duke5RZGDUyQOGywxOYKI5W+FcOYdp+U5Idk399tAz2Mdw=
------END X509 CRL-----
diff --git a/tests/data_files/crt_cat_rsaexp-ec.pem b/tests/data_files/crt_cat_rsaexp-ec.pem
deleted file mode 100644
index 4f74c9a..0000000
--- a/tests/data_files/crt_cat_rsaexp-ec.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjQx
-OVoXDTExMDIyMDExMjQxOVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKgP1XmCIPbfY1/UO+SVFQir
-jArZ94QnQdoan4tJ29d8DmTxJ+z9/KyWNoGeOwc9P/2GQQaZahQOBr0f6lYd67Ct
-wFVh/Q2zF8FgRcrQV7u/vJM33Q2yEsQkMGlM7rE5lC972vUKWu/NKq8bN9W/tWxZ
-SFbvTXpv024aI0IRudpOCALnIy8SFhVb2/52IN2uR6qrFizDexMEdSckgpHuJzGS
-IiANhIMn5LdQYJFjPgBzQU12tDdgzcpxtGhT10y4uQre+UbSjw+iVyml3issw59k
-OSmkWFb06LamRC215JAMok3YQO5RnxCR8EjqPcJr+7+O9a1O1++yiaitg4bUjEA=
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
------END X509 CRL-----
diff --git a/tests/data_files/dh.1000.pem b/tests/data_files/dh.1000.pem
deleted file mode 100644
index 172f19f..0000000
--- a/tests/data_files/dh.1000.pem
+++ /dev/null
@@ -1,34 +0,0 @@
-
-Recommended key length: 160 bits
-
-generator:
- 23:84:3c:0d:55:8c:b9:7d:a9:d5:9a:80:82:fb:50:
- 89:29:71:8e:8e:a1:29:2e:df:db:01:34:41:e7:66:
- fa:60:dc:bc:34:83:45:70:e0:61:e9:a6:25:23:c2:
- 77:33:a9:8a:90:94:21:ff:84:d2:7b:36:39:9b:e5:
- f0:88:2b:35:98:64:28:58:27:be:fa:bf:e3:60:cc:
- c4:61:60:59:78:a7:e1:a3:b3:a7:3e:7e:5b:a8:d7:
- b7:ba:25:0e:b1:9e:79:03:b5:83:ba:43:34:b6:c1:
- ce:45:66:72:07:64:8a:af:14:d8:ae:18:19:ba:25:
- a6:d9:36:f8:8c:
-
-prime:
- 9e:a4:a8:c4:29:fe:76:18:02:4f:76:c9:29:0e:f2:
- ba:0d:92:08:9d:d9:b3:28:41:5d:88:4e:fe:3c:ae:
- c1:d4:3e:7e:fb:d8:2c:bf:7b:63:70:99:9e:c4:ac:
- d0:1e:7c:4e:22:07:d2:b5:f9:9a:9e:52:e2:97:9d:
- c3:cb:0d:66:33:75:95:a7:96:6e:69:ec:16:bd:06:
- 4a:1a:dc:b2:d4:29:23:ab:2e:8f:7f:6a:84:1d:82:
- 23:6e:42:8c:1e:70:3d:21:bb:b9:b9:8f:f9:fd:9c:
- 53:08:e4:e8:5a:04:ca:5f:8f:73:55:ac:e1:41:20:
- c7:43:fa:8f:99:
-
-
------BEGIN DH PARAMETERS-----
-MIIBAwJ+AJ6kqMQp/nYYAk92ySkO8roNkgid2bMoQV2ITv48rsHUPn772Cy/e2Nw
-mZ7ErNAefE4iB9K1+ZqeUuKXncPLDWYzdZWnlm5p7Ba9Bkoa3LLUKSOrLo9/aoQd
-giNuQowecD0hu7m5j/n9nFMI5OhaBMpfj3NVrOFBIMdD+o+ZAn0jhDwNVYy5fanV
-moCC+1CJKXGOjqEpLt/bATRB52b6YNy8NINFcOBh6aYlI8J3M6mKkJQh/4TSezY5
-m+XwiCs1mGQoWCe++r/jYMzEYWBZeKfho7OnPn5bqNe3uiUOsZ55A7WDukM0tsHO
-RWZyB2SKrxTYrhgZuiWm2Tb4jAICAKA=
------END DH PARAMETERS-----
diff --git a/tests/data_files/dh.998.pem b/tests/data_files/dh.998.pem
deleted file mode 100644
index 96d6cf2..0000000
--- a/tests/data_files/dh.998.pem
+++ /dev/null
@@ -1,17 +0,0 @@
- DH Parameters: (998 bit)
- prime:
- 39:5f:30:c0:7b:06:b7:6a:49:c6:c0:81:1f:39:77:
- b3:35:e2:8d:66:fc:6a:6e:94:f3:df:97:f2:89:31:
- 6c:75:39:08:16:d1:a4:b8:0c:68:c5:63:21:61:eb:
- 48:2d:77:99:08:1d:67:38:37:0a:cd:cf:39:b6:3c:
- 9d:8a:e5:85:3c:71:e3:4b:3e:1e:b9:80:e3:cc:7a:
- fd:84:05:b0:df:36:15:29:4e:3e:23:3b:c3:ae:6b:
- c7:11:b9:64:43:40:75:c7:4a:ef:a7:2d:00:e2:62:
- 8f:93:78:96:8f:2c:25:8d:7d:1f:eb:5c:3c:bf:51:
- de:f8:08:25:db
- generator: 2 (0x2)
------BEGIN DH PARAMETERS-----
-MIGCAn05XzDAewa3aknGwIEfOXezNeKNZvxqbpTz35fyiTFsdTkIFtGkuAxoxWMh
-YetILXeZCB1nODcKzc85tjydiuWFPHHjSz4euYDjzHr9hAWw3zYVKU4+IzvDrmvH
-EblkQ0B1x0rvpy0A4mKPk3iWjywljX0f61w8v1He+Agl2wIBAg==
------END DH PARAMETERS-----
diff --git a/tests/data_files/dh.999.pem b/tests/data_files/dh.999.pem
deleted file mode 100644
index 6e3ceb3..0000000
--- a/tests/data_files/dh.999.pem
+++ /dev/null
@@ -1,17 +0,0 @@
- DH Parameters: (999 bit)
- prime:
- 4f:b8:d2:d8:3c:b3:02:c9:64:f5:99:fe:61:cc:b3:
- 69:1c:ba:bb:a2:33:db:38:2f:85:87:b7:12:fb:69:
- 6e:a5:32:3e:ff:24:df:c4:61:07:0c:e1:88:72:fa:
- 14:d4:22:65:18:66:09:7e:43:35:c4:5a:62:f7:0a:
- 69:be:45:71:6e:ac:c5:56:d8:22:9e:c4:9c:23:2b:
- bd:6d:3b:b6:02:4f:5d:12:a7:ac:90:b8:9e:be:93:
- 82:bc:09:7c:cd:e1:09:21:1e:3d:69:2a:76:41:00:
- 68:6d:b7:e8:e8:df:d6:1b:82:93:d9:21:4a:ea:71:
- f2:e6:c4:94:03
- generator: 2 (0x2)
------BEGIN DH PARAMETERS-----
-MIGCAn1PuNLYPLMCyWT1mf5hzLNpHLq7ojPbOC+Fh7cS+2lupTI+/yTfxGEHDOGI
-cvoU1CJlGGYJfkM1xFpi9wppvkVxbqzFVtginsScIyu9bTu2Ak9dEqeskLievpOC
-vAl8zeEJIR49aSp2QQBobbfo6N/WG4KT2SFK6nHy5sSUAwIBAg==
------END DH PARAMETERS-----
diff --git a/tests/data_files/dh.optlen.der b/tests/data_files/dh.optlen.der
deleted file mode 100644
index 3c3bf17..0000000
--- a/tests/data_files/dh.optlen.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/dh.optlen.pem b/tests/data_files/dh.optlen.pem
deleted file mode 100644
index ee1e29b..0000000
--- a/tests/data_files/dh.optlen.pem
+++ /dev/null
@@ -1,58 +0,0 @@
-
-Recommended key length: 256 bits
-
-generator:
- 80:0a:bf:e7:dc:66:7a:a1:7b:cd:7c:04:61:4b:c2:
- 21:a6:54:82:cc:c0:4b:60:46:02:b0:e1:31:90:8a:
- 93:8e:a1:1b:48:dc:51:5d:ab:7a:bc:bb:1e:0c:7f:
- d6:65:11:ed:c0:d8:65:51:b7:63:24:96:e0:3d:f9:
- 43:57:e1:c4:ea:07:a7:ce:1e:38:1a:2f:ca:fd:ff:
- 5f:5b:f0:0d:f8:28:80:60:20:e8:75:c0:09:26:e4:
- d0:11:f8:84:77:a1:b0:19:27:d7:38:13:ca:d4:84:
- 7c:63:96:b9:24:46:21:be:2b:00:b6:3c:65:92:53:
- 31:84:13:44:3c:d2:44:21:5c:d7:fd:4c:be:79:6e:
- 82:c6:cf:70:f8:9c:c0:c5:28:fb:8e:34:48:09:b3:
- 18:76:e7:ef:73:9d:51:60:d0:95:c9:68:41:88:b0:
- c8:75:5c:7a:46:8d:47:f5:6d:6d:b9:ea:01:29:24:
- ec:b0:55:6f:b7:13:12:a8:d7:c9:3b:b2:89:8e:a0:
- 8e:e5:4e:eb:59:45:48:28:5f:06:a9:73:cb:be:2a:
- 0c:b0:2e:90:f3:23:fe:04:55:21:f3:4c:68:35:4a:
- 6d:3e:95:db:ff:f1:eb:64:69:2e:dc:0a:44:f3:d3:
- e4:08:d0:e4:79:a5:41:e7:79:a6:05:42:59:e2:d8:
- 54:
-
-prime:
- b3:12:6a:ea:f4:71:53:c7:d6:7f:40:30:30:b2:92:
- b5:bd:5a:6c:9e:ae:1c:13:7a:f3:40:87:fc:e2:a3:
- 6a:57:8d:70:c5:c5:60:ad:2b:db:92:4c:4a:4d:be:
- e2:0a:16:71:be:71:03:ce:87:de:fa:76:90:89:36:
- 80:3d:be:ca:60:c3:3e:12:89:c1:a0:3a:c2:c6:c4:
- e4:94:05:e5:90:2f:a0:59:6a:1c:ba:a8:95:cc:40:
- 2d:52:13:ed:4a:5f:1f:5b:a8:b5:e1:ed:3d:a9:51:
- a4:c4:75:af:eb:0c:a6:60:b7:36:8c:38:c8:e8:09:
- f3:82:d9:6a:e1:9e:60:dc:98:4e:61:cb:42:b5:df:
- d7:23:32:2a:cf:32:7f:9e:41:3c:da:64:00:c1:5c:
- 5b:2e:a1:fa:34:40:5d:83:98:2f:ba:40:e6:d8:52:
- da:3d:91:01:9b:f2:35:11:31:42:54:dc:21:1a:90:
- 83:3e:5b:17:98:ee:52:a7:81:98:c5:55:64:47:29:
- ad:92:f0:60:36:7c:74:de:d3:77:04:ad:fc:27:3a:
- 4a:33:fe:c8:21:bd:2e:bd:3b:c0:51:73:0e:97:a4:
- dd:14:d2:b7:66:06:25:92:f5:ee:c0:9d:16:bb:50:
- ef:eb:f2:cc:00:dd:3e:0e:34:18:e6:0e:c8:48:70:
- f7:
-
-
------BEGIN DH PARAMETERS-----
-MIICDgKCAQEAsxJq6vRxU8fWf0AwMLKStb1abJ6uHBN680CH/OKjaleNcMXFYK0r
-25JMSk2+4goWcb5xA86H3vp2kIk2gD2+ymDDPhKJwaA6wsbE5JQF5ZAvoFlqHLqo
-lcxALVIT7UpfH1uoteHtPalRpMR1r+sMpmC3Now4yOgJ84LZauGeYNyYTmHLQrXf
-1yMyKs8yf55BPNpkAMFcWy6h+jRAXYOYL7pA5thS2j2RAZvyNRExQlTcIRqQgz5b
-F5juUqeBmMVVZEcprZLwYDZ8dN7TdwSt/Cc6SjP+yCG9Lr07wFFzDpek3RTSt2YG
-JZL17sCdFrtQ7+vyzADdPg40GOYOyEhw9wKCAQEAgAq/59xmeqF7zXwEYUvCIaZU
-gszAS2BGArDhMZCKk46hG0jcUV2rery7Hgx/1mUR7cDYZVG3YySW4D35Q1fhxOoH
-p84eOBovyv3/X1vwDfgogGAg6HXACSbk0BH4hHehsBkn1zgTytSEfGOWuSRGIb4r
-ALY8ZZJTMYQTRDzSRCFc1/1MvnlugsbPcPicwMUo+440SAmzGHbn73OdUWDQlclo
-QYiwyHVcekaNR/VtbbnqASkk7LBVb7cTEqjXyTuyiY6gjuVO61lFSChfBqlzy74q
-DLAukPMj/gRVIfNMaDVKbT6V2//x62RpLtwKRPPT5AjQ5HmlQed5pgVCWeLYVAIC
-AQA=
------END DH PARAMETERS-----
diff --git a/tests/data_files/dhparams.pem b/tests/data_files/dhparams.pem
deleted file mode 100644
index 7ce05f0..0000000
--- a/tests/data_files/dhparams.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh
-1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32
-9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC
------END DH PARAMETERS-----
diff --git a/tests/data_files/dir-maxpath/00.crt b/tests/data_files/dir-maxpath/00.crt
deleted file mode 100644
index c806648..0000000
--- a/tests/data_files/dir-maxpath/00.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/00.key b/tests/data_files/dir-maxpath/00.key
deleted file mode 100644
index b4d3315..0000000
--- a/tests/data_files/dir-maxpath/00.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIARPaEIfROHkE9Y0ZgHh7Mc3ZU6LR9lCOIw1ksYTHp5EoAoGCCqGSM49
-AwEHoUQDQgAEVbjX+oDAA+nL5PF1zs8qbNmyr0I+K6MpTi+kXV6RecbHYc/jbRCh
-vAFVVaGTNGYvB1ugfaPrl1wIqNDua/93Eg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/01.crt b/tests/data_files/dir-maxpath/01.crt
deleted file mode 100644
index 0e9107a..0000000
--- a/tests/data_files/dir-maxpath/01.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/01.key b/tests/data_files/dir-maxpath/01.key
deleted file mode 100644
index 7dd0643..0000000
--- a/tests/data_files/dir-maxpath/01.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEINSnxPqUNMba8F2KWNxU88heSs7vgas5BOzjRwQsQe6IoAoGCCqGSM49
-AwEHoUQDQgAEM55/cxx8CxjvFUeFvVe7zJcQnaKI8xDol+WOibT7RTs/Ournh2Os
-6DdP5ieg56p0l4pSSFFHlunhn6ppGu58ZA==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/02.crt b/tests/data_files/dir-maxpath/02.crt
deleted file mode 100644
index 387b064..0000000
--- a/tests/data_files/dir-maxpath/02.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/02.key b/tests/data_files/dir-maxpath/02.key
deleted file mode 100644
index b5ac513..0000000
--- a/tests/data_files/dir-maxpath/02.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPW9zE8cjiZ8w17jTAebb4xAmEg6heEEnEaG4lGCd38joAoGCCqGSM49
-AwEHoUQDQgAEFh6b9YupX8LzTzj+ZGuktJ+eRL86GmCuqW01z+sjDlv+F2UjyseW
-aKuBTHtHCsxiCBS9a849VdnM2Afqry4cog==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/03.crt b/tests/data_files/dir-maxpath/03.crt
deleted file mode 100644
index 7d90a5e..0000000
--- a/tests/data_files/dir-maxpath/03.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/03.key b/tests/data_files/dir-maxpath/03.key
deleted file mode 100644
index 2bfa483..0000000
--- a/tests/data_files/dir-maxpath/03.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIBx2xwapGbHTy79IbpJkc/w9LJXPKNG7gGRLPOGPQFI6oAoGCCqGSM49
-AwEHoUQDQgAEEQ1wzSItaXq3rnYasGti7JV4LMZwetx7ucuZYPtVj67iGD8w/x6N
-AD73lXcxS1Y4tffmxOPrRT2C9UqbDdVn1g==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/04.crt b/tests/data_files/dir-maxpath/04.crt
deleted file mode 100644
index 1ddcf69..0000000
--- a/tests/data_files/dir-maxpath/04.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/04.key b/tests/data_files/dir-maxpath/04.key
deleted file mode 100644
index e836bbf..0000000
--- a/tests/data_files/dir-maxpath/04.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIDQvTm0wfEAKoymv8ePBv7cRxrnM4g6LREnSll5ghQsXoAoGCCqGSM49
-AwEHoUQDQgAEFFw4HFFTU/YaL22RORy+q4zm+wuecBLlik4VfwnGeK1q18e1Vx2H
-Q/0d2gwOyUr2KZtrE6JOIrG5Q84WTPxgzQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/05.crt b/tests/data_files/dir-maxpath/05.crt
deleted file mode 100644
index 19de3a3..0000000
--- a/tests/data_files/dir-maxpath/05.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/05.key b/tests/data_files/dir-maxpath/05.key
deleted file mode 100644
index 7f3095e..0000000
--- a/tests/data_files/dir-maxpath/05.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIP3MTs0m9ssAAXQ94O6GYC3pckfpMUxQiPTG8hQYgA0WoAoGCCqGSM49
-AwEHoUQDQgAEBHU9DhX+RlHK4F9l5ZQsicz/eDWeOuBrIAeqbDS7A3i/o+wFPqCc
-u1S71v5R4dzg4JdPGfW4aixQZjY5x25vEA==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/06.crt b/tests/data_files/dir-maxpath/06.crt
deleted file mode 100644
index 36f99d2..0000000
--- a/tests/data_files/dir-maxpath/06.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/06.key b/tests/data_files/dir-maxpath/06.key
deleted file mode 100644
index 5b0bce2..0000000
--- a/tests/data_files/dir-maxpath/06.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIESUhQgXWd8cVQnitNEpOD2JNMqH9ug/wYaY1xW3SaSGoAoGCCqGSM49
-AwEHoUQDQgAEgPalqAFB655/t5Mcja4zyZPNlgy4plttUTedbsaaG2nb/GIBhA0X
-T/jpPrkakElLAOmV3xd4hq9ho30N8DAx/A==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/07.crt b/tests/data_files/dir-maxpath/07.crt
deleted file mode 100644
index 5bb57f8..0000000
--- a/tests/data_files/dir-maxpath/07.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/07.key b/tests/data_files/dir-maxpath/07.key
deleted file mode 100644
index 3f20131..0000000
--- a/tests/data_files/dir-maxpath/07.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIEi1oKInPLbiINj8OxdActVTgI+YQVSefdQfCu1ihbLRoAoGCCqGSM49
-AwEHoUQDQgAEjTo+HeDBAO6f95ooo6huE6BOKKSjwJvtwUyBqyU2E9ePvk0olCAp
-dAEl4/sXlHCzCGl0zdONrC7B8aUoc0Gi9A==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/08.crt b/tests/data_files/dir-maxpath/08.crt
deleted file mode 100644
index bf1f33e..0000000
--- a/tests/data_files/dir-maxpath/08.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/08.key b/tests/data_files/dir-maxpath/08.key
deleted file mode 100644
index d1ee9c5..0000000
--- a/tests/data_files/dir-maxpath/08.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIC8M2G7XcqeagYgt8SZJbuTh4tYchGvX3yDZJKTuBgFUoAoGCCqGSM49
-AwEHoUQDQgAEaUHkP2BkI55e0s6OlkrSdbu8bp0y+YwZFx/GgFUptKol+AA/+2D8
-WuRJxs2XS059ub0FZ30ABqTMfD9ZWIhmAg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/09.crt b/tests/data_files/dir-maxpath/09.crt
deleted file mode 100644
index 8f67e54..0000000
--- a/tests/data_files/dir-maxpath/09.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/09.key b/tests/data_files/dir-maxpath/09.key
deleted file mode 100644
index fe6a06f..0000000
--- a/tests/data_files/dir-maxpath/09.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIKkdxegP5yN840sBDxIPpiMftZss14uLaH7zoxOqrePDoAoGCCqGSM49
-AwEHoUQDQgAEe2QdevrehLH2oRsilBiVuZns5M43WmL3OJWyWijUcBUX3Nxf35jT
-krFBUoPxdDfr1BPnaCojwvMEcC875uLPuQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/10.crt b/tests/data_files/dir-maxpath/10.crt
deleted file mode 100644
index 72e699a..0000000
--- a/tests/data_files/dir-maxpath/10.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/10.key b/tests/data_files/dir-maxpath/10.key
deleted file mode 100644
index c5558f5..0000000
--- a/tests/data_files/dir-maxpath/10.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPuPPMxo5e2doI7YfDp60qmEn4YwYs2sb5QlOpFQ3BIJoAoGCCqGSM49
-AwEHoUQDQgAEeo5RimyXeYYg8Te/PYJDnMKchyPcEcAqwAwDsDpDHjwT0ZcBnZu5
-sO2fxAJrtus0Zv4XMq7ODKpNi2mw4zyPVw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/11.crt b/tests/data_files/dir-maxpath/11.crt
deleted file mode 100644
index e09e49f..0000000
--- a/tests/data_files/dir-maxpath/11.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/11.key b/tests/data_files/dir-maxpath/11.key
deleted file mode 100644
index b34bf8c..0000000
--- a/tests/data_files/dir-maxpath/11.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIHaMieH2/wn6lnsFUGzww43ymhN16Z0nhG5TyvNeY8U2oAoGCCqGSM49
-AwEHoUQDQgAE2cEfliujQRf+64hXTet3PIY2HXWUUeJa81TT8IgUMZ58cKT8qw/Q
-Omjz5i3OkqhjiVuGRlQnKCAc3vUSVXogfQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/12.crt b/tests/data_files/dir-maxpath/12.crt
deleted file mode 100644
index 91ef9b0..0000000
--- a/tests/data_files/dir-maxpath/12.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/12.key b/tests/data_files/dir-maxpath/12.key
deleted file mode 100644
index 906bdc6..0000000
--- a/tests/data_files/dir-maxpath/12.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIAzhAcc1Yb2u4bsQDaYeRaRW8kJ/HzFTTfINV1k+TxZ/oAoGCCqGSM49
-AwEHoUQDQgAEwxPSz5Sz3IGd29AXIUfwJITRD/RwGr8GGnSSMs6D6OXnQlZ26EB+
-/Oo7GcGTWaAtIBwwIQphnCH0XpyEgKFbjw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/13.crt b/tests/data_files/dir-maxpath/13.crt
deleted file mode 100644
index c23c165..0000000
--- a/tests/data_files/dir-maxpath/13.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/13.key b/tests/data_files/dir-maxpath/13.key
deleted file mode 100644
index c8a04ef..0000000
--- a/tests/data_files/dir-maxpath/13.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIKb966FXMh8cFQt3sVpmcrh2/3yaGiLMwz+/XGKGMJ+2oAoGCCqGSM49
-AwEHoUQDQgAE65MwiS854ZYZ7L9UVwfZH3mg/nCK7j0NHCLQQxqXbw/MWwVb0HIu
-PkRtkVVAklkYZBWI0rFEjNEBzEJwRZYcNg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/14.crt b/tests/data_files/dir-maxpath/14.crt
deleted file mode 100644
index 5ca323c..0000000
--- a/tests/data_files/dir-maxpath/14.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/14.key b/tests/data_files/dir-maxpath/14.key
deleted file mode 100644
index a526a18..0000000
--- a/tests/data_files/dir-maxpath/14.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIKEycJNLyYJ5JgECpCuZiFeXZIMC+XsMEKoMhRTx6xD+oAoGCCqGSM49
-AwEHoUQDQgAE0TGTdER8z3aJzZmbqvVz4c70Odk2qJMU9/aqULZRcr1LhBiqy6Db
-3XKQEWgNKxqbrekSwEDlVIjVZSdyKY+/PQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/15.crt b/tests/data_files/dir-maxpath/15.crt
deleted file mode 100644
index bef923a..0000000
--- a/tests/data_files/dir-maxpath/15.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/15.key b/tests/data_files/dir-maxpath/15.key
deleted file mode 100644
index 1d93908..0000000
--- a/tests/data_files/dir-maxpath/15.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIL1c0zvh4Fx8aylrlHsOsK5Pcam7BWVHM2lDxGO26QIUoAoGCCqGSM49
-AwEHoUQDQgAEJSlIjKErLP4bE2rHnanQdgQjhiYU7dIYFBnlJ1jWdbLzuMp9BpBR
-2dPPvn5djCqo6Y/lV6tCUhRchlDoJoItxw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/16.crt b/tests/data_files/dir-maxpath/16.crt
deleted file mode 100644
index d9d998d..0000000
--- a/tests/data_files/dir-maxpath/16.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/16.key b/tests/data_files/dir-maxpath/16.key
deleted file mode 100644
index 70492de..0000000
--- a/tests/data_files/dir-maxpath/16.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIM0YCnGkEG/TjBxrytP9Ztslm1yoQaWptBxegRzzBRDVoAoGCCqGSM49
-AwEHoUQDQgAEO1bKeyZgzZID4f/s5iD5He6NMaLf1jzBZ97gLBrbFN/OTBdH5oXx
-S4UW2x/YeCY2B4/MtLKVN27lF4X7bwGVWw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/17.crt b/tests/data_files/dir-maxpath/17.crt
deleted file mode 100644
index 1ee7849..0000000
--- a/tests/data_files/dir-maxpath/17.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
-D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
-nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
-BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
-ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/17.key b/tests/data_files/dir-maxpath/17.key
deleted file mode 100644
index eee33e8..0000000
--- a/tests/data_files/dir-maxpath/17.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIAiUS1dM3qrcOun8PjKe+rw40L2HG/Y8Dfxl0AfzyIVeoAoGCCqGSM49
-AwEHoUQDQgAEayEqtszvZg9vWAixweehXVP0SDbUYX3i7TPruaNx2gJ6KctEvfEc
-7hBhC46c6/GSOpJDDGbI/JxWUBfB37hNIA==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/18.crt b/tests/data_files/dir-maxpath/18.crt
deleted file mode 100644
index afd682e..0000000
--- a/tests/data_files/dir-maxpath/18.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
-bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
-hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
-BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
-oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/18.key b/tests/data_files/dir-maxpath/18.key
deleted file mode 100644
index 4591d03..0000000
--- a/tests/data_files/dir-maxpath/18.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJETLWqIZtnejCGzESDgMnknxqEx5evMGZfzBVPKMwKKoAoGCCqGSM49
-AwEHoUQDQgAErHPyZDXGH2zIKTn6y+ZCjhsTiWhkukkCHjTt91HgaU6HtW1NmnDe
-udsY73BqNHyRLcYNn3Dx0YU5xjAQ9btTdg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/19.crt b/tests/data_files/dir-maxpath/19.crt
deleted file mode 100644
index a2220e5..0000000
--- a/tests/data_files/dir-maxpath/19.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
-KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
-5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
-BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
-nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/19.key b/tests/data_files/dir-maxpath/19.key
deleted file mode 100644
index bb6562b..0000000
--- a/tests/data_files/dir-maxpath/19.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIDJyHSKbXEZVfkNftQF4eHeJVuXhGdaboa7w4RejL5uYoAoGCCqGSM49
-AwEHoUQDQgAECckQhzQ+/CsWR6Bx3Tk4z7g+h4xz5xCl/GqW5VKREwybi1u2Ed1f
-ENHU2nPiR4kentpeA5Q23+W04shaAM8Pcg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/20.crt b/tests/data_files/dir-maxpath/20.crt
deleted file mode 100644
index c82a527..0000000
--- a/tests/data_files/dir-maxpath/20.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGebrN8JxE
-heOdCxD+mhnQ4zMUxF1WUkmAAHIUw089BYiH9SAwYS/M5tnl+R8fbjvoGqSpR6Tk
-V9EU3CQyIoxwo4GJMIGGMB0GA1UdDgQWBBTZs6oChL1c2CSZXY2YFQkkqg+lzDBX
-BgNVHSMEUDBOgBRQMc94kTqW+zQO3lo2WMI/81k3c6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgRVGZReXKvdMHhwLbPvbrTVLeAGDqmqMH
-/WqD4u23QBgCID/QtFaiawjviNFEdtU7JK6v4ZY0PQ0a0+HLZIHLi9ah
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/20.key b/tests/data_files/dir-maxpath/20.key
deleted file mode 100644
index 2ec68de..0000000
--- a/tests/data_files/dir-maxpath/20.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJHLciDhJcnlE5MhTrOfFlnRbpJQLOf4h72E6VDXxMM0oAoGCCqGSM49
-AwEHoUQDQgAExnm6zfCcRIXjnQsQ/poZ0OMzFMRdVlJJgAByFMNPPQWIh/UgMGEv
-zObZ5fkfH2476BqkqUek5FfRFNwkMiKMcA==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/Readme.txt b/tests/data_files/dir-maxpath/Readme.txt
deleted file mode 100644
index 606ec6c..0000000
--- a/tests/data_files/dir-maxpath/Readme.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-These certificates form a very long chain, used to test the
-MBEDTLS_X509_MAX_INT_CA limit.
-
-NN.key is the private key of certificate NN.crt.
-
-The root is 00.crt and N+1.crt is a child of N.crt.
-
-File cNN.pem contains the chain NN.crt to 00.crt.
-
-Those certificates were generated by tests/data_files/dir-maxpath/long.sh.
diff --git a/tests/data_files/dir-maxpath/c00.pem b/tests/data_files/dir-maxpath/c00.pem
deleted file mode 100644
index c806648..0000000
--- a/tests/data_files/dir-maxpath/c00.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c01.pem b/tests/data_files/dir-maxpath/c01.pem
deleted file mode 100644
index 302fcbd..0000000
--- a/tests/data_files/dir-maxpath/c01.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c02.pem b/tests/data_files/dir-maxpath/c02.pem
deleted file mode 100644
index 77c2519..0000000
--- a/tests/data_files/dir-maxpath/c02.pem
+++ /dev/null
@@ -1,36 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c03.pem b/tests/data_files/dir-maxpath/c03.pem
deleted file mode 100644
index d6c1a21..0000000
--- a/tests/data_files/dir-maxpath/c03.pem
+++ /dev/null
@@ -1,48 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c04.pem b/tests/data_files/dir-maxpath/c04.pem
deleted file mode 100644
index 613d7d8..0000000
--- a/tests/data_files/dir-maxpath/c04.pem
+++ /dev/null
@@ -1,60 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c05.pem b/tests/data_files/dir-maxpath/c05.pem
deleted file mode 100644
index 8009049..0000000
--- a/tests/data_files/dir-maxpath/c05.pem
+++ /dev/null
@@ -1,72 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c06.pem b/tests/data_files/dir-maxpath/c06.pem
deleted file mode 100644
index e0fbf13..0000000
--- a/tests/data_files/dir-maxpath/c06.pem
+++ /dev/null
@@ -1,84 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c07.pem b/tests/data_files/dir-maxpath/c07.pem
deleted file mode 100644
index c960d19..0000000
--- a/tests/data_files/dir-maxpath/c07.pem
+++ /dev/null
@@ -1,96 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c08.pem b/tests/data_files/dir-maxpath/c08.pem
deleted file mode 100644
index 78c2c4a..0000000
--- a/tests/data_files/dir-maxpath/c08.pem
+++ /dev/null
@@ -1,108 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c09.pem b/tests/data_files/dir-maxpath/c09.pem
deleted file mode 100644
index 269f4e3..0000000
--- a/tests/data_files/dir-maxpath/c09.pem
+++ /dev/null
@@ -1,120 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c10.pem b/tests/data_files/dir-maxpath/c10.pem
deleted file mode 100644
index e293304..0000000
--- a/tests/data_files/dir-maxpath/c10.pem
+++ /dev/null
@@ -1,132 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c11.pem b/tests/data_files/dir-maxpath/c11.pem
deleted file mode 100644
index 56cbcbf..0000000
--- a/tests/data_files/dir-maxpath/c11.pem
+++ /dev/null
@@ -1,144 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c12.pem b/tests/data_files/dir-maxpath/c12.pem
deleted file mode 100644
index 77c8f3f..0000000
--- a/tests/data_files/dir-maxpath/c12.pem
+++ /dev/null
@@ -1,156 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c13.pem b/tests/data_files/dir-maxpath/c13.pem
deleted file mode 100644
index d5039ba..0000000
--- a/tests/data_files/dir-maxpath/c13.pem
+++ /dev/null
@@ -1,168 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c14.pem b/tests/data_files/dir-maxpath/c14.pem
deleted file mode 100644
index c6eca72..0000000
--- a/tests/data_files/dir-maxpath/c14.pem
+++ /dev/null
@@ -1,180 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c15.pem b/tests/data_files/dir-maxpath/c15.pem
deleted file mode 100644
index 220420d..0000000
--- a/tests/data_files/dir-maxpath/c15.pem
+++ /dev/null
@@ -1,192 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c16.pem b/tests/data_files/dir-maxpath/c16.pem
deleted file mode 100644
index 041a83b..0000000
--- a/tests/data_files/dir-maxpath/c16.pem
+++ /dev/null
@@ -1,204 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c17.pem b/tests/data_files/dir-maxpath/c17.pem
deleted file mode 100644
index 5bdbafd..0000000
--- a/tests/data_files/dir-maxpath/c17.pem
+++ /dev/null
@@ -1,216 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
-D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
-nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
-BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
-ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c18.pem b/tests/data_files/dir-maxpath/c18.pem
deleted file mode 100644
index d863189..0000000
--- a/tests/data_files/dir-maxpath/c18.pem
+++ /dev/null
@@ -1,228 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
-bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
-hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
-BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
-oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
-D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
-nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
-BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
-ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c19.pem b/tests/data_files/dir-maxpath/c19.pem
deleted file mode 100644
index b1e24e4..0000000
--- a/tests/data_files/dir-maxpath/c19.pem
+++ /dev/null
@@ -1,240 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
-KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
-5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
-BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
-nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
-bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
-hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
-BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
-oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
-D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
-nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
-BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
-ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c20.pem b/tests/data_files/dir-maxpath/c20.pem
deleted file mode 100644
index ff97472..0000000
--- a/tests/data_files/dir-maxpath/c20.pem
+++ /dev/null
@@ -1,252 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGebrN8JxE
-heOdCxD+mhnQ4zMUxF1WUkmAAHIUw089BYiH9SAwYS/M5tnl+R8fbjvoGqSpR6Tk
-V9EU3CQyIoxwo4GJMIGGMB0GA1UdDgQWBBTZs6oChL1c2CSZXY2YFQkkqg+lzDBX
-BgNVHSMEUDBOgBRQMc94kTqW+zQO3lo2WMI/81k3c6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgRVGZReXKvdMHhwLbPvbrTVLeAGDqmqMH
-/WqD4u23QBgCID/QtFaiawjviNFEdtU7JK6v4ZY0PQ0a0+HLZIHLi9ah
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
-KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
-5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
-BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
-nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
-bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
-hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
-BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
-oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
-D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
-nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
-BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
-ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
-kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
-buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
-BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
-FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
-/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
-FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
-BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
-fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
-donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
-iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
-BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
-71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
-lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
-0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
-BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
-PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
-gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
-IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
-BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
-E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
-F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
-IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
-BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
-NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
-hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
-qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
-BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
-fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
-MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
-sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
-8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
-BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
-N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
-nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
-pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
-BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
-/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
-7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
-LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
-BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
-oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
-nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
-r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
-BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
-g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
-UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
-LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
-BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
-XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
-9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
-sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
-BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
-+Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
-ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
-PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
-BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
-8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
-wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
-2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
-BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
-oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
-MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
-DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
-GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
-6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
-BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
-VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
-DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
-1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
-TDA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
-MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
-YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
-BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
-LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
-fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
-IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/int.opensslconf b/tests/data_files/dir-maxpath/int.opensslconf
deleted file mode 100644
index df28cab..0000000
--- a/tests/data_files/dir-maxpath/int.opensslconf
+++ /dev/null
@@ -1,4 +0,0 @@
-[int]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
diff --git a/tests/data_files/dir-maxpath/long.sh b/tests/data_files/dir-maxpath/long.sh
deleted file mode 100755
index d7d8797..0000000
--- a/tests/data_files/dir-maxpath/long.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -eu
-
-: ${OPENSSL:=openssl}
-NB=20
-
-OPT="-days 3653 -sha256"
-
-# generate self-signed root
-$OPENSSL ecparam -name prime256v1 -genkey -out 00.key
-$OPENSSL req -new -x509 -subj "/C=UK/O=mbed TLS/CN=CA00" $OPT \
- -key 00.key -out 00.crt
-
-# cXX.pem is the chain starting at XX
-cp 00.crt c00.pem
-
-# generate long chain
-i=1
-while [ $i -le $NB ]; do
- UP=$( printf "%02d" $((i-1)) )
- ME=$( printf "%02d" $i )
-
- $OPENSSL ecparam -name prime256v1 -genkey -out ${ME}.key
- $OPENSSL req -new -subj "/C=UK/O=mbed TLS/CN=CA${ME}" \
- -key ${ME}.key -out ${ME}.csr
- $OPENSSL x509 -req -CA ${UP}.crt -CAkey ${UP}.key -set_serial 1 $OPT \
- -extfile int.opensslconf -extensions int \
- -in ${ME}.csr -out ${ME}.crt
-
- cat ${ME}.crt c${UP}.pem > c${ME}.pem
-
- rm ${ME}.csr
- i=$((i+1))
-done
diff --git a/tests/data_files/dir1/test-ca.crt b/tests/data_files/dir1/test-ca.crt
deleted file mode 100644
index 3c1d14c..0000000
--- a/tests/data_files/dir1/test-ca.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 0 (0x0)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Validity
- Not Before: Feb 12 14:44:00 2011 GMT
- Not After : Feb 12 14:44:00 2021 GMT
- Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
- 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
- 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
- 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
- e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
- cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
- ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
- 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
- c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
- 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
- e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
- 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
- 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
- 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
- e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
- 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
- ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
- a2:d5
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE
- X509v3 Subject Key Identifier:
- B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- X509v3 Authority Key Identifier:
- keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
- serial:00
-
- Signature Algorithm: sha1WithRSAEncryption
- b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
- 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
- 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
- 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
- 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
- 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
- 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
- e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
- e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
- 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
- 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
- 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
- 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
- e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
- f7:e0:e9:54
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir2/test-ca.crt b/tests/data_files/dir2/test-ca.crt
deleted file mode 100644
index 3c1d14c..0000000
--- a/tests/data_files/dir2/test-ca.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 0 (0x0)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Validity
- Not Before: Feb 12 14:44:00 2011 GMT
- Not After : Feb 12 14:44:00 2021 GMT
- Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
- 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
- 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
- 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
- e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
- cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
- ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
- 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
- c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
- 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
- e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
- 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
- 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
- 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
- e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
- 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
- ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
- a2:d5
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE
- X509v3 Subject Key Identifier:
- B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- X509v3 Authority Key Identifier:
- keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
- serial:00
-
- Signature Algorithm: sha1WithRSAEncryption
- b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
- 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
- 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
- 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
- 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
- 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
- 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
- e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
- e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
- 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
- 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
- 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
- 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
- e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
- f7:e0:e9:54
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir2/test-ca2.crt b/tests/data_files/dir2/test-ca2.crt
deleted file mode 100644
index d41a420..0000000
--- a/tests/data_files/dir2/test-ca2.crt
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir3/Readme b/tests/data_files/dir3/Readme
deleted file mode 100644
index 189dadc..0000000
--- a/tests/data_files/dir3/Readme
+++ /dev/null
@@ -1 +0,0 @@
-This is just to make sure files that don't parse as certs are ignored.
diff --git a/tests/data_files/dir3/test-ca.crt b/tests/data_files/dir3/test-ca.crt
deleted file mode 100644
index 3c1d14c..0000000
--- a/tests/data_files/dir3/test-ca.crt
+++ /dev/null
@@ -1,80 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 0 (0x0)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Validity
- Not Before: Feb 12 14:44:00 2011 GMT
- Not After : Feb 12 14:44:00 2021 GMT
- Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
- 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
- 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
- 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
- e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
- cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
- ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
- 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
- c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
- 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
- e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
- 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
- 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
- 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
- e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
- 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
- ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
- a2:d5
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE
- X509v3 Subject Key Identifier:
- B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- X509v3 Authority Key Identifier:
- keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
- serial:00
-
- Signature Algorithm: sha1WithRSAEncryption
- b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
- 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
- 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
- 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
- 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
- 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
- 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
- e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
- e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
- 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
- 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
- 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
- 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
- e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
- f7:e0:e9:54
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir3/test-ca2.crt b/tests/data_files/dir3/test-ca2.crt
deleted file mode 100644
index d41a420..0000000
--- a/tests/data_files/dir3/test-ca2.crt
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/Readme b/tests/data_files/dir4/Readme
deleted file mode 100644
index 3f1f610..0000000
--- a/tests/data_files/dir4/Readme
+++ /dev/null
@@ -1,47 +0,0 @@
-This directory contains the certificates for the tests targeting the enforcement of the policy indicated by the *pathLenConstraint* field. All leaf elements were generated with *is_ca* unset and all roots with the *selfsign=1* option.
-
-1. zero pathlen constraint on an intermediate CA (invalid)
-```
-cert11.crt -> cert12.crt (max_pathlen=0) -> cert13.crt -> cert14.crt
-```
-
-2. zero pathlen constraint on the root CA (invalid)
-```
-cert21.crt (max_pathlen=0) -> cert22.crt -> cert23.crt
-```
-
-3. nonzero pathlen constraint on the root CA (invalid)
-```
-cert31.crt (max_pathlen=1) -> cert32.crt -> cert33.crt -> cert34.crt
-```
-
-4. nonzero pathlen constraint on an intermediate CA (invalid)
-```
-cert41.crt -> cert42.crt (max_pathlen=1) -> cert43.crt -> cert44.crt -> cert45.crt
-```
-
-5. nonzero pathlen constraint on an intermediate CA with maximum number of elements in the chain (valid)
-```
-cert51.crt -> cert52.crt (max_pathlen=1) -> cert53.crt -> cert54.crt
-```
-
-6. nonzero pathlen constraint on the root CA with maximum number of elements in the chain (valid)
-```
-cert61.crt (max_pathlen=1) -> cert62.crt -> cert63.crt
-```
-
-7. pathlen constraint on the root CA with maximum number of elements and a self signed certificate in the chain (valid)
-(This situation happens for example when a root of some hierarchy gets integrated into another hierarchy. In this case the certificates issued before the integration will have an intermadiate self signed certificate in their chain)
-```
-cert71.crt (max_pathlen=1) -> cert72.crt -> cert73.crt (self signed) -> cert74.crt -> cert74.crt
-```
-
-8. zero pathlen constraint on first intermediate CA (valid)
-```
-cert81.crt -> cert82.crt (max_pathlen=0) -> cert83.crt
-```
-
-9. zero pathlen constraint on trusted root (valid)
-```
-cert91.crt (max_pathlen=0) -> cert92.crt
-```
diff --git a/tests/data_files/dir4/cert11.crt b/tests/data_files/dir4/cert11.crt
deleted file mode 100644
index 3077c3d..0000000
--- a/tests/data_files/dir4/cert11.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9zCCAd+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-hqLw+KDH8+tkX9hphnydOZFoueGTY5v8WdYI6KZXoIln9IAu4Rmb6M59uLziXurg
-VKuwBqOkbUZsIY0NOA6C8FpdjZL1di8Viq669vBBs9c+x9hKpx8/VVcZfTaGgqni
-h5XiivQynBQ4E2KOxEQ+VjUMDqIBHYG1VXWs4KMkAeJsqDYHtmS4XsC9TXTIri5S
-9IX4mE5A9+ngSTo0/6Sjwcd27uO2IQHXDC7jkxX5OH5jFPAqsVKTYDeWlCU7bvbr
-iy1H9Z9uCl+M7unbAl8BKQ8leOnno3KO3lQQAPGP2EFRT0XMuUXJnfydPbzMa9FY
-ufB1I8zCBZviPvO/Of3yrwIDAQABo1AwTjAMBgNVHRMEBTADAQEBMB0GA1UdDgQW
-BBSUHSH6gjrYFZnS1gDvk7BpfwTKwDAfBgNVHSMEGDAWgBSUHSH6gjrYFZnS1gDv
-k7BpfwTKwDANBgkqhkiG9w0BAQsFAAOCAQEATLqZGFEBO+2IiHjkn7pBkAuktmHm
-jkkuFLONwe0vlxZFaabaFqSgkoS5eZ50D0dmuUkpJRNMnGK1B/ja5RewtAdxD6us
-VT8JpeWYkhxaSIHjUW95jJLMVr17it8jHawI05tD26nqDjTq3C2rM4ExpAaK/Dgv
-83ZHe4IdvenkXckDMIjmSsK0GfomZmKvmnfxhg4FnQvZGI48JJUqPA2dHxRhUyr4
-ohBmH5Xi5oLICd85GRi8YqD00agKL99EjGulaKNEdsQkrC4ZvY6QDV0EEnbu8b4R
-GfiA42UWN2dKNSqNhBOrP9g5yTcIWXh1Dwpd1Z9vhBCwmBegPqqM5IM1dQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert12.crt b/tests/data_files/dir4/cert12.crt
deleted file mode 100644
index fd88c2d..0000000
--- a/tests/data_files/dir4/cert12.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANJrP7/Y+KjupvlgaOmQYArfGuoh3CzcdPe/mlhq+fxD
-8U9qzgSVuVR+FpNZi9DyMljMBrWV1OnZI+cVCDYYkNMa3IkV+AkzJGqwcSBKE+6N
-RXZvv+I4xbGymdSSaT6Kh1PgPVk/EYNfLFF30pBsycjM81aMtZgW6aA9xCSp0r8W
-XkZodsrJUQerDh/7VmDVEeKanZog8auvrvs/ENiA8d4p/75lOIER4nLz6SSn5Eqy
-uXzNCwmT5PVwWStXbDD7EBs3rOtR2VNWQ9o6QdfKQOe/SkIddZr1IWGEJ8JHjtNo
-jxcYO67A+Jgp1Jwjk+83eRICs0hlWyeHWfBlbOVIKLcCAwEAAaNTMFEwDwYDVR0T
-BAgwBgEBAQIBADAdBgNVHQ4EFgQUyw8Phy/FAvifGQ+G6HWkMiWzyqUwHwYDVR0j
-BBgwFoAUlB0h+oI62BWZ0tYA75OwaX8EysAwDQYJKoZIhvcNAQELBQADggEBACFS
-6tFy9TpVMUfh1mkr3rFEVtho0NJkRhJW8z2PTmKQa069S9gS+U6+CsqwvM1y3yyh
-Pt2q34fhhhbQ+gS8iAm+zvQtBsys3frfVkeKmRzxWDh2LnT+tJi/xtqdlULua5NB
-21So46HdlceDTuv2vUbrHgxUS/IEjIL6OZZ0Sc6S6YybvGSioGsRUHO2k2IiOnUa
-C+hpBvOkXScnItfdMKAAce71CsZeN97sbxeNIMBDiX9bSy+dZLscEhRwBUABiNr/
-sYdYvIpbrFXowjMtBdac+vvhcem7dkCrCdsGylGINWhE2tC9hKmFkFXo4mu/AGDS
-M4/59TlMeK8X+WZ9zBs=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert13.crt b/tests/data_files/dir4/cert13.crt
deleted file mode 100644
index ac01a22..0000000
--- a/tests/data_files/dir4/cert13.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDIw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCs0qdKXytu/GTKpa2H0CE3
-OPSIMM2hiYbavzUroyL+hFv9XVoxh5CGnVUxK7B9ifVvzyElrcV7tjuIlGwp1hLH
-tx/YU22xksI/n5/NS/qrxkK5xjwEWB9lx93rwLK0QnfjYRZrir7yySoBKi6IlHOv
-GOwl0V/JAslMWwUZlFmvYvoCWSWGrDAkxWVnHq+HoZ7YoM/bdJdsIIJYe3tt7L8D
-cJVP5dQ8jSs8/Ehm8BbG339r3B7v/KdK8zuoMig9ag/YOu9jOb0QvYC2HdZoL4WV
-N+7aasTQmDGWGOt7fk7AEl0EI8lDvr2O/5q6ad9jRCkxyq3lJwRy+M3MdVKgA1On
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFM6u5Gkjkxb8PDdQIGKD
-D8t1Zv/9MB8GA1UdIwQYMBaAFMsPD4cvxQL4nxkPhuh1pDIls8qlMA0GCSqGSIb3
-DQEBCwUAA4IBAQCLpKATt01DUM8wCiDFVSpmpiCBqxnLRfQuY+ta1p+f15LME+cT
-94lwaYCfCBtXQYwiuVFYdK8ztWEStPg6BecMLPB2K9gO/talxUoVDumsmR83p+2y
-8YJmFHyjr+BShsjP9paCjUQkJiMOiWRpNFNpScv0IOHmb8NLER3vX/tCmxyVHPg/
-7tBpDXRD6jOyajYH4KUx6wddcYWb63N9sApVpRHNaqpUKjuiQwfUFZjA7AyK/FUS
-/cO3++uq+CkZhBu8vupaznXD4h0E28GbZgvu/F0edB7f0Q5DpnuDJ6HFMYl3A2mM
-m8pqKNnRYGCtQwppBYVsoBisga2ymtNud7K+
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert14.crt b/tests/data_files/dir4/cert14.crt
deleted file mode 100644
index 49e1cbb..0000000
--- a/tests/data_files/dir4/cert14.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDIwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAeMRwwGgYDVQQDExNUZXN0IGxlYWYgaW52YWxpZCAzMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw6Vc/T2GYTWj7nGZcy2voZyeWkFyfDIy
-oexyJe8eyuWX+YqaSCra1JMcww0Jy8e9/6/aI9ezd1d73eZDcW5h61tagCpBki+W
-dYh+FJfCdDdPnSkitWOBLKBK21AQ9dxePvkQBEanDdAk2IwasydCoHEiSCqwXNEz
-jVJPL38ibbLf9sNO3kk6zOFA3QqVSTJ4BddNh9bHL7y106ekfMhrfyTzSpo3Wj0V
-20ThmJZ1NuwYRl3j1XHALP0t8Cp2ZLbXuFsTWqTFNzXj+gWM8b2IfZqmqcew5poZ
-4aDkjXXOizRxDPxCHp7rLz9xv1pIIBxady0YWp+w9vxLxFF6rYBLtQIDAQABo00w
-SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQoF/qrn9WnKV3zOnCwMl99Uhmx8DAfBgNV
-HSMEGDAWgBTOruRpI5MW/Dw3UCBigw/LdWb//TANBgkqhkiG9w0BAQsFAAOCAQEA
-VUnlX//h3T5Ajc85WNkyTuirhSZtIr6+X/AxH4kR/QG5NiaDxP9H0FzMs5FcMni8
-3Rs4d2H3CBs+QB7lm/b+xy26vpORwlVFXScHeTEanuXSVsmGPkn7TAQrPoyZgVUN
-uy4TGi8Mlkso4gmgehvgTklIV+Emxy32Abd1lRfI8/vOQ1xTdA7f3X98AfWStTya
-DGRsQLZE/Q4/Gh57xNqF0ftBIRwt9TbGlu8AyZiIilVECGvE/gtTwuqpQPOhJQmi
-NdYTErgD2Wkw9ohifQFo46AMMU1seehtqijW2pC2UjmV5nboPs0eGQmWrfNCjDOr
-sZfh98BafcaFGjz605V36g==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert21.crt b/tests/data_files/dir4/cert21.crt
deleted file mode 100644
index 501c5d7..0000000
--- a/tests/data_files/dir4/cert21.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1MwUTAPBgNVHRMECDAGAQEBAgEAMB0GA1Ud
-DgQWBBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S
-8cELj/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAFEY2StppaPzOgG6vEvPJr//+
-NWY1jKcBB3cT+zWJW54+BexDjyaBRnBIPvRLDG8PAlhlYr9v/P6JCjBSuhYorFLG
-P4ZhD+akuMvn6yF7nsyG20LHPwvE7/jye7+zSO3hhyqCg7N7M7O17exo/agw/iUI
-DYUuUv1ZJlZvPB2kmZMYa78g0P2ynyKpu4hdbstJzxwA4aQDXGQxcQNtv+3ZCdC2
-TI4w0jodkjqdq/4y0McpkEvYL3/LaQElLaHr8CQo7xYEzsjv+cnzojCO/ilXU+Rl
-sz940Q4njAJqlpfiJ44aFytjp96uN4YVpViFCvRz//9uyQY9kuA/8kKwJuO3qw==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert22.crt b/tests/data_files/dir4/cert22.crt
deleted file mode 100644
index 5dcd65d..0000000
--- a/tests/data_files/dir4/cert22.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNQME4wDAYDVR0T
-BAUwAwEBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0jBBgw
-FoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAFwZriTu
-DKkiDHFfz3UX4fIxYTHCi4TveYZGPeTbxhBb3XZC5qDF4T5HvCTSkG9+oFfZzI1a
-lPN2yZB7QnmHJoyWa5fuovwUL0iI3iIZMqU56tdVPW8gkJe++U5kHMSpz2VF0eo8
-7XkKWxZovRwczgfDFRP9zM9CylyzQjqxx6kbxJozWnwc5UrVbJMaPIqonXp1nDoZ
-i878+hX4rJUEjgO6Sa9GVZQpmuCrQF0qKsTiUBzZN67hoD3xoTAYi5IXQE2tRD1N
-j3zwng9liCsxurGMnuV0BPWv/IDYRu/syjee1Qv1VFeRto5D4Rldmi2p1f5iWJCk
-5m5YpRsknaICjYs=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert23.crt b/tests/data_files/dir4/cert23.crt
deleted file mode 100644
index 6c54725..0000000
--- a/tests/data_files/dir4/cert23.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAeMRwwGgYDVQQDExNUZXN0IGxlYWYgaW52YWxpZCAyMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAigGgHGNWNkEWWFn7eaU4kC2WjR3RtcBs
-oW1MlQndUvwWUHgcbfIg7nh66Oi6Xl3IqAMjHj1J0EPGcwTfmLdaRvN38KjTMh3/
-FiFrrUL0MNgiGxjkTthWgsfV4C/i3vRDTCW+2UMFdd6+z7hwFf+ldTsCP9Qp+93G
-drslrvAR2W0qjHLULAJGk/6WzxFG6xeCgdhkooDPprsflZJ/cN1SuqTYOaVMAj9J
-aovStUTVhF8ouDULpq0fiBImoldObcGdaAWlgRl0k8NdoSLpWd/7+hi4sH5PSOZq
-+8g1lQ3cgrE7ta4X3p/i6eApcn1hyEkTy9ZpKOFvZXnM4D1j8+KSKQIDAQABo00w
-SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTCN2vDLY1tcenTzyRmlS4TBe2xijAfBgNV
-HSMEGDAWgBQ4GXx51Wb8fnF1LYQYR4vN+1n8NTANBgkqhkiG9w0BAQsFAAOCAQEA
-eb/tgtSbrz7j7HQaxGgI5LVedRro3a2fNLhO0wNboGI6gACIPait1ePkUwuMfLfl
-Fky2/2VZ8Ie4pQqxFmdSUqf1NSmxgiWLRho4oTiFv1z08LYQgSdKT49ffKO67TDG
-D1nI8rEuT1Nupq8WI5jcKgWqktMJjgKzfN+9nCgFGQMGqTBnt7uYZHhnuZfKSJPv
-gHmS4gj72OQ2Nu6xORGhd6J8VjzcG6BX1pLebNQRzlHT3E5IVNF/9cCrc+E87Wns
-bDGtzhyx7SIP7/2TiJeBZs7p8xXpaDF2cNx2F+jZH+P8feT7c+JoY7A72uVDSlYf
-WVf02pylKRgqayOujH3PWA==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert31.crt b/tests/data_files/dir4/cert31.crt
deleted file mode 100644
index 8c2af4c..0000000
--- a/tests/data_files/dir4/cert31.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1MwUTAPBgNVHRMECDAGAQEBAgEBMB0GA1Ud
-DgQWBBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S
-8cELj/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAB9nLaqxsBW0isDaBGNJyzH9O
-WqYY0hex9tm3UqygfE9b9aahykpkowQIzh4D9Xpbd0hZGVlK/sw2qsKj6gDOiMtL
-uWs4gaFNWIQqhVsTzL88c7XaW55n+TRQdVZyy38DZVWphte1Mumc9WB8N15rZTDh
-iXjwGl0mrV1egq4hJZLpy14f6ihqU7KGfmc9onxvgvWxYLi+5v8874c4ophSKsI2
-qVE8iZ6uq2oQ66Pd5S50cYk6MEW5lifAhLM5WFZmW7dRKmykBGZ9rFrJrIvhkmh9
-He7q6TEQP1Wcoc147nIg0BTkHGtdrEv3jIX6UKKUEwUUk9ARB1mSodZQHBhuww==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert32.crt b/tests/data_files/dir4/cert32.crt
deleted file mode 100644
index 5dcd65d..0000000
--- a/tests/data_files/dir4/cert32.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNQME4wDAYDVR0T
-BAUwAwEBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0jBBgw
-FoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAFwZriTu
-DKkiDHFfz3UX4fIxYTHCi4TveYZGPeTbxhBb3XZC5qDF4T5HvCTSkG9+oFfZzI1a
-lPN2yZB7QnmHJoyWa5fuovwUL0iI3iIZMqU56tdVPW8gkJe++U5kHMSpz2VF0eo8
-7XkKWxZovRwczgfDFRP9zM9CylyzQjqxx6kbxJozWnwc5UrVbJMaPIqonXp1nDoZ
-i878+hX4rJUEjgO6Sa9GVZQpmuCrQF0qKsTiUBzZN67hoD3xoTAYi5IXQE2tRD1N
-j3zwng9liCsxurGMnuV0BPWv/IDYRu/syjee1Qv1VFeRto5D4Rldmi2p1f5iWJCk
-5m5YpRsknaICjYs=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert33.crt b/tests/data_files/dir4/cert33.crt
deleted file mode 100644
index 8e5d192..0000000
--- a/tests/data_files/dir4/cert33.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDIw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKAaAcY1Y2QRZYWft5pTiQ
-LZaNHdG1wGyhbUyVCd1S/BZQeBxt8iDueHro6LpeXcioAyMePUnQQ8ZzBN+Yt1pG
-83fwqNMyHf8WIWutQvQw2CIbGORO2FaCx9XgL+Le9ENMJb7ZQwV13r7PuHAV/6V1
-OwI/1Cn73cZ2uyWu8BHZbSqMctQsAkaT/pbPEUbrF4KB2GSigM+mux+Vkn9w3VK6
-pNg5pUwCP0lqi9K1RNWEXyi4NQumrR+IEiaiV05twZ1oBaWBGXSTw12hIulZ3/v6
-GLiwfk9I5mr7yDWVDdyCsTu1rhfen+Lp4ClyfWHISRPL1mko4W9leczgPWPz4pIp
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFMI3a8MtjW1x6dPPJGaV
-LhMF7bGKMB8GA1UdIwQYMBaAFDgZfHnVZvx+cXUthBhHi837Wfw1MA0GCSqGSIb3
-DQEBCwUAA4IBAQCprzpoj6UaEG4eqLg2L3HqsvY73/XE8ytuZ9wDC3HodnmpezUX
-48XwJPHFO7OGPGWZgsU2qX/Zp7yUXkVFSK4VnmnSzUtXNVlU0oWEEOzQLrpphksH
-dcF8YNN/Y65KnhzIU784uHeFefUpPaE6yS5OSZboptZWVF9y1LoU3F7gN0UGvVG9
-hflz5O0/KvmYd+6+Yrje+2lbHiJHNXLmOPiZyk9TBDknygBuU14IOWghQim3yks9
-tKk8D38Vl85V5aG9nO4STjx5J8BtSl0x6wW3t9WwU5UC9geCROhZI1XRBafIoKkn
-VSgHLpLTARtLikbbg/3SxpnW12msHvgLVasf
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert34.crt b/tests/data_files/dir4/cert34.crt
deleted file mode 100644
index bebcb65..0000000
--- a/tests/data_files/dir4/cert34.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDIwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAeMRwwGgYDVQQDExNUZXN0IGxlYWYgaW52YWxpZCAzMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkSrgWFD4lYQ0RF/z3mJZjn1lgNBkhnCP
-0hciJv/etoMN3bCB+uc8fo0wxDQ2ZcbzTAQ0qBNnjJvAJ1qslZA9boIBKmT8JSix
-ii/1XTDWI3E5aOvX1h6lW66pVsIzLm0NAf0VJn2xLw0Yv8hfKbwjcNeAfm7GCwJB
-8skjekMKJ8+e6pP4ZHxmrnOo0kUlCg8w8RKzZ6sYJxX1ETekWPEUSXrscQ/YSjpO
-zjLDph1lO4gVErBhdJgJpJznqkrRBiR7f/hIrpAV3wOUbtfrxrIb5FXOM9rt/svW
-RRrzIUGnBvo04WZ+KQHPsMn+9x8i+/tueOg1KLfs10hW0RWsTQjmOQIDAQABo00w
-SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSOBr1U4h5PYyOqGe/gJgwWk7FfezAfBgNV
-HSMEGDAWgBTCN2vDLY1tcenTzyRmlS4TBe2xijANBgkqhkiG9w0BAQsFAAOCAQEA
-aBLuwNN5vOh2dLbn8lMNsc/oTFSInzu+ylzC/KLTkjoyMYY+S2ISUuew9pzUo4Gs
-AAE/rqVYednayyA13eNRBnwIw+8kPTESaJMGl6uQQd8DzAalzqxbFhbwFY2T0pdi
-LNFkGjmGdpRNy/VSTy6JEEBMhIKXjMpactmpiV6mwK3bfnFaXZ6o70+JZrNeiSe0
-g8sci6gBVEt27bGvhLalut8WXc7VCkxQhQCSBdv/94EmRxzPye6iAK0L9jaTHlt+
-qR5MWJxZN32muI7nsKnetUMZbIYwvO1LPn8f+0hdYkck8kE7ga1UM98oTgQeIOmj
-3JNCDkNY+Z387ujaaOAVxw==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert41.crt b/tests/data_files/dir4/cert41.crt
deleted file mode 100644
index 7065c94..0000000
--- a/tests/data_files/dir4/cert41.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9zCCAd+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgNDAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCA0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1AwTjAMBgNVHRMEBTADAQEBMB0GA1UdDgQW
-BBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S8cEL
-j/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAWhrHGIMcEG2UJfv920hftxi+Jvj/
-ivrhEscqlVA0QNLqZV8v/ai/AiypDLk7uwKtsxF2i+sl81473aSFS9hh3F83/ofm
-x8EU8X1FBQHN1zyAEpZyPXr7MiaTXn4w5sCeZLmpWyxGk+cRiPVRE0QUbXDGfVRp
-3v984oCUMUzbb+zv6QlkHa6m/kZq0qrnNVVp0X4c7/Pb5elJOVlKnIslNgd/eLrz
-zSabToAX9OP6tbJdSRky/LmIYW+CXH/Y4YVwpEu7NisZmDo6lnCBoRQB3QgxoMLp
-mM+RUY+AyHr0ZsSUSb6iicJMRZ3mhxCLvnK/Noe/3hq4pUk4Sit7s7JL7A==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert42.crt b/tests/data_files/dir4/cert42.crt
deleted file mode 100644
index c071318..0000000
--- a/tests/data_files/dir4/cert42.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgNDAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNTMFEwDwYDVR0T
-BAgwBgEBAQIBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0j
-BBgwFoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAGKh
-pBhYSGN0KGWIG4GG4mVoTiw880ehetDuTpl3ymZNqkoUuTaAtU3PJWOctcJva7h6
-4PSgyabi/WQmhntR1GxCUt0GTuhHmyJYsSwakXUgMgF6W6TKcxg6m4vjMkkrf+ZT
-1lO/MiwxhTTluHPGkl/nBG+uxySInuQMDvdyQDXp2e17qxops+G+1UnRJinqLtsd
-LMkCOT4pyh6B5ysnJ8gP1Z2EKWjhKJcIHRMUm7Ap/pf8Zgh5LIqdRtDSuNuTmPLP
-lkgoebOCO3c/mWCciR0xGCcz86G3fYznvGp4XqHnRkg3SpAcHQbQ/nSHA+1LdfFi
-nqZQPnJPVsJctDR935c=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert43.crt b/tests/data_files/dir4/cert43.crt
deleted file mode 100644
index 8e5d192..0000000
--- a/tests/data_files/dir4/cert43.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDIw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKAaAcY1Y2QRZYWft5pTiQ
-LZaNHdG1wGyhbUyVCd1S/BZQeBxt8iDueHro6LpeXcioAyMePUnQQ8ZzBN+Yt1pG
-83fwqNMyHf8WIWutQvQw2CIbGORO2FaCx9XgL+Le9ENMJb7ZQwV13r7PuHAV/6V1
-OwI/1Cn73cZ2uyWu8BHZbSqMctQsAkaT/pbPEUbrF4KB2GSigM+mux+Vkn9w3VK6
-pNg5pUwCP0lqi9K1RNWEXyi4NQumrR+IEiaiV05twZ1oBaWBGXSTw12hIulZ3/v6
-GLiwfk9I5mr7yDWVDdyCsTu1rhfen+Lp4ClyfWHISRPL1mko4W9leczgPWPz4pIp
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFMI3a8MtjW1x6dPPJGaV
-LhMF7bGKMB8GA1UdIwQYMBaAFDgZfHnVZvx+cXUthBhHi837Wfw1MA0GCSqGSIb3
-DQEBCwUAA4IBAQCprzpoj6UaEG4eqLg2L3HqsvY73/XE8ytuZ9wDC3HodnmpezUX
-48XwJPHFO7OGPGWZgsU2qX/Zp7yUXkVFSK4VnmnSzUtXNVlU0oWEEOzQLrpphksH
-dcF8YNN/Y65KnhzIU784uHeFefUpPaE6yS5OSZboptZWVF9y1LoU3F7gN0UGvVG9
-hflz5O0/KvmYd+6+Yrje+2lbHiJHNXLmOPiZyk9TBDknygBuU14IOWghQim3yks9
-tKk8D38Vl85V5aG9nO4STjx5J8BtSl0x6wW3t9WwU5UC9geCROhZI1XRBafIoKkn
-VSgHLpLTARtLikbbg/3SxpnW12msHvgLVasf
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert44.crt b/tests/data_files/dir4/cert44.crt
deleted file mode 100644
index 084fb2d..0000000
--- a/tests/data_files/dir4/cert44.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDIwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDMw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCRKuBYUPiVhDREX/PeYlmO
-fWWA0GSGcI/SFyIm/962gw3dsIH65zx+jTDENDZlxvNMBDSoE2eMm8AnWqyVkD1u
-ggEqZPwlKLGKL/VdMNYjcTlo69fWHqVbrqlWwjMubQ0B/RUmfbEvDRi/yF8pvCNw
-14B+bsYLAkHyySN6Qwonz57qk/hkfGauc6jSRSUKDzDxErNnqxgnFfURN6RY8RRJ
-euxxD9hKOk7OMsOmHWU7iBUSsGF0mAmknOeqStEGJHt/+EiukBXfA5Ru1+vGshvk
-Vc4z2u3+y9ZFGvMhQacG+jThZn4pAc+wyf73HyL7+2546DUot+zXSFbRFaxNCOY5
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFI4GvVTiHk9jI6oZ7+Am
-DBaTsV97MB8GA1UdIwQYMBaAFMI3a8MtjW1x6dPPJGaVLhMF7bGKMA0GCSqGSIb3
-DQEBCwUAA4IBAQCB3dtsoVdschVyCWSI16Se46RZJtLW1bM019KdyZj9DdIZ2VPm
-Ip+BQFcVJyzbfmhn5QBbhNDKkwsfldI9Y8IqZ132j442/XIFZIilaPi3cE/WLFUY
-Nxu2opuN3+KDwDYO32CUp3frr9OjAtB5amZnkXau+C1EkJlSuWaT+/gIlYwlr4/H
-uADcyqFSmy28P9jmkK8AzZHhKnlRadAn2cDB8MFXD5VxnLJfejkprQVLdxTXRovP
-cE/6c7PUGIK22WcSX8KTfuviKmjdGVhgeKps2nRNKaSIlqYCztyc8IjcZwJCnh6c
-ZW8V9bi7WxDK+I9PPgrgLK8W+VTkS0RtjP5a
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert45.crt b/tests/data_files/dir4/cert45.crt
deleted file mode 100644
index e5d5b3d..0000000
--- a/tests/data_files/dir4/cert45.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDMwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAeMRwwGgYDVQQDExNUZXN0IGxlYWYgaW52YWxpZCA0MIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkcNsE/s4nauA5vSG/23znHT5ZjFAQiRa
-83xo83MD2jMrBjgBBzOW0IKedk9lmqcRmoMsWt3PbYeH2Am+EqtOjh9vbHw/wXEw
-eXg7DtZaYTjeRNkrwZ0z5Bz/TTvia7YkcfaU83OG4JyL8GmmbtiGNOHZyHqTv2Ky
-j6YqyBJaDE7dwBNBJd5DElEuvr6Tu/Y3K3Z6z8bZUAX/5oII2sq8rg76ZQ+Dfk8i
-upjp4MVPvowh/+ys+WNMW5MA5k1dwYyU1MZ20O/aa9VTMkb4DPyv4pXZgi1dBCMc
-YskPRVoPPsE5xl3DZ3h4qZ039MbcalXFYe65689+Ra1O4/dsXR5raQIDAQABo00w
-SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTKtXdQZA8cZkS/89eiih4GTJX+fDAfBgNV
-HSMEGDAWgBSOBr1U4h5PYyOqGe/gJgwWk7FfezANBgkqhkiG9w0BAQsFAAOCAQEA
-IWynyo8ezt+So+w29h7z2ZS3/EcrErnSiDDJ0DaE/vcvflrT/tEPeDHTxy61qQuX
-KoseO84foFqLPu1YqgSjRgmbk76gt8aAu0lr6/t0RHWdHKZG3QtK8696pGoMAhVg
-Ha3f/YYaEkqSnHwU+/vxEXEkGHM22UHwb7dtH2LfBHtoQtjE6M+Ulv6QdkLj2LFD
-XMKJIyAlibTRMW8YOP4G/DekCq1DstUOcTn7BFqeAjjzYwv3NHpOJHdZrUgyGb7B
-QqDXf2rM3s7LEpwDMvfdraAEWld4/LRLkfau/PfKD5YwGYg3Nb45xyXFSEijVjAr
-23G8HAIcJJu2jUIWGr9OtQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert51.crt b/tests/data_files/dir4/cert51.crt
deleted file mode 100644
index 7065c94..0000000
--- a/tests/data_files/dir4/cert51.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9zCCAd+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgNDAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCA0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1AwTjAMBgNVHRMEBTADAQEBMB0GA1UdDgQW
-BBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S8cEL
-j/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAWhrHGIMcEG2UJfv920hftxi+Jvj/
-ivrhEscqlVA0QNLqZV8v/ai/AiypDLk7uwKtsxF2i+sl81473aSFS9hh3F83/ofm
-x8EU8X1FBQHN1zyAEpZyPXr7MiaTXn4w5sCeZLmpWyxGk+cRiPVRE0QUbXDGfVRp
-3v984oCUMUzbb+zv6QlkHa6m/kZq0qrnNVVp0X4c7/Pb5elJOVlKnIslNgd/eLrz
-zSabToAX9OP6tbJdSRky/LmIYW+CXH/Y4YVwpEu7NisZmDo6lnCBoRQB3QgxoMLp
-mM+RUY+AyHr0ZsSUSb6iicJMRZ3mhxCLvnK/Noe/3hq4pUk4Sit7s7JL7A==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert52.crt b/tests/data_files/dir4/cert52.crt
deleted file mode 100644
index c071318..0000000
--- a/tests/data_files/dir4/cert52.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgNDAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNTMFEwDwYDVR0T
-BAgwBgEBAQIBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0j
-BBgwFoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAGKh
-pBhYSGN0KGWIG4GG4mVoTiw880ehetDuTpl3ymZNqkoUuTaAtU3PJWOctcJva7h6
-4PSgyabi/WQmhntR1GxCUt0GTuhHmyJYsSwakXUgMgF6W6TKcxg6m4vjMkkrf+ZT
-1lO/MiwxhTTluHPGkl/nBG+uxySInuQMDvdyQDXp2e17qxops+G+1UnRJinqLtsd
-LMkCOT4pyh6B5ysnJ8gP1Z2EKWjhKJcIHRMUm7Ap/pf8Zgh5LIqdRtDSuNuTmPLP
-lkgoebOCO3c/mWCciR0xGCcz86G3fYznvGp4XqHnRkg3SpAcHQbQ/nSHA+1LdfFi
-nqZQPnJPVsJctDR935c=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert53.crt b/tests/data_files/dir4/cert53.crt
deleted file mode 100644
index 8e5d192..0000000
--- a/tests/data_files/dir4/cert53.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDIw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKAaAcY1Y2QRZYWft5pTiQ
-LZaNHdG1wGyhbUyVCd1S/BZQeBxt8iDueHro6LpeXcioAyMePUnQQ8ZzBN+Yt1pG
-83fwqNMyHf8WIWutQvQw2CIbGORO2FaCx9XgL+Le9ENMJb7ZQwV13r7PuHAV/6V1
-OwI/1Cn73cZ2uyWu8BHZbSqMctQsAkaT/pbPEUbrF4KB2GSigM+mux+Vkn9w3VK6
-pNg5pUwCP0lqi9K1RNWEXyi4NQumrR+IEiaiV05twZ1oBaWBGXSTw12hIulZ3/v6
-GLiwfk9I5mr7yDWVDdyCsTu1rhfen+Lp4ClyfWHISRPL1mko4W9leczgPWPz4pIp
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFMI3a8MtjW1x6dPPJGaV
-LhMF7bGKMB8GA1UdIwQYMBaAFDgZfHnVZvx+cXUthBhHi837Wfw1MA0GCSqGSIb3
-DQEBCwUAA4IBAQCprzpoj6UaEG4eqLg2L3HqsvY73/XE8ytuZ9wDC3HodnmpezUX
-48XwJPHFO7OGPGWZgsU2qX/Zp7yUXkVFSK4VnmnSzUtXNVlU0oWEEOzQLrpphksH
-dcF8YNN/Y65KnhzIU784uHeFefUpPaE6yS5OSZboptZWVF9y1LoU3F7gN0UGvVG9
-hflz5O0/KvmYd+6+Yrje+2lbHiJHNXLmOPiZyk9TBDknygBuU14IOWghQim3yks9
-tKk8D38Vl85V5aG9nO4STjx5J8BtSl0x6wW3t9WwU5UC9geCROhZI1XRBafIoKkn
-VSgHLpLTARtLikbbg/3SxpnW12msHvgLVasf
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert54.crt b/tests/data_files/dir4/cert54.crt
deleted file mode 100644
index e42e14f..0000000
--- a/tests/data_files/dir4/cert54.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDIwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAcMRowGAYDVQQDExFUZXN0IExlYWYgNCB2YWxpZDCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAJEq4FhQ+JWENERf895iWY59ZYDQZIZwj9IX
-Iib/3raDDd2wgfrnPH6NMMQ0NmXG80wENKgTZ4ybwCdarJWQPW6CASpk/CUosYov
-9V0w1iNxOWjr19YepVuuqVbCMy5tDQH9FSZ9sS8NGL/IXym8I3DXgH5uxgsCQfLJ
-I3pDCifPnuqT+GR8Zq5zqNJFJQoPMPESs2erGCcV9RE3pFjxFEl67HEP2Eo6Ts4y
-w6YdZTuIFRKwYXSYCaSc56pK0QYke3/4SK6QFd8DlG7X68ayG+RVzjPa7f7L1kUa
-8yFBpwb6NOFmfikBz7DJ/vcfIvv7bnjoNSi37NdIVtEVrE0I5jkCAwEAAaNNMEsw
-CQYDVR0TBAIwADAdBgNVHQ4EFgQUjga9VOIeT2Mjqhnv4CYMFpOxX3swHwYDVR0j
-BBgwFoAUwjdrwy2NbXHp088kZpUuEwXtsYowDQYJKoZIhvcNAQELBQADggEBADdp
-VpPr4AzE7ecrhclQKGjPa7leaorYuevjTLWsieY17mVQhlMX1itTNXlPBUfPAsOd
-O7LUgY0yZOnV7l8TbfGal8pIF+acgFLgqM5A6z8ngChMi6iKEZChDVffAVHJs3e/
-WUm7VeFY8Mvwnay3iHj2trC7XQX2SZCovXYfNP3bVyqIaDNqt6SPY1skouWpmmUn
-ISzcyH6EU/CegFjHJyXxrsIW9Nv2mDejrmcR0EJOmEAfWUgonfemeX93xkwZHW2s
-lZ8/e6rTPPSGdhY/b4VRu6o1FpLcPLGZSgPwYBNVYtgT4WsoT0xUvm6Y1WipiZda
-B/bpiL8l4GSVtTw1Jko=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert61.crt b/tests/data_files/dir4/cert61.crt
deleted file mode 100644
index 8c2af4c..0000000
--- a/tests/data_files/dir4/cert61.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1MwUTAPBgNVHRMECDAGAQEBAgEBMB0GA1Ud
-DgQWBBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S
-8cELj/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAB9nLaqxsBW0isDaBGNJyzH9O
-WqYY0hex9tm3UqygfE9b9aahykpkowQIzh4D9Xpbd0hZGVlK/sw2qsKj6gDOiMtL
-uWs4gaFNWIQqhVsTzL88c7XaW55n+TRQdVZyy38DZVWphte1Mumc9WB8N15rZTDh
-iXjwGl0mrV1egq4hJZLpy14f6ihqU7KGfmc9onxvgvWxYLi+5v8874c4ophSKsI2
-qVE8iZ6uq2oQ66Pd5S50cYk6MEW5lifAhLM5WFZmW7dRKmykBGZ9rFrJrIvhkmh9
-He7q6TEQP1Wcoc147nIg0BTkHGtdrEv3jIX6UKKUEwUUk9ARB1mSodZQHBhuww==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert62.crt b/tests/data_files/dir4/cert62.crt
deleted file mode 100644
index 5dcd65d..0000000
--- a/tests/data_files/dir4/cert62.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNQME4wDAYDVR0T
-BAUwAwEBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0jBBgw
-FoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAFwZriTu
-DKkiDHFfz3UX4fIxYTHCi4TveYZGPeTbxhBb3XZC5qDF4T5HvCTSkG9+oFfZzI1a
-lPN2yZB7QnmHJoyWa5fuovwUL0iI3iIZMqU56tdVPW8gkJe++U5kHMSpz2VF0eo8
-7XkKWxZovRwczgfDFRP9zM9CylyzQjqxx6kbxJozWnwc5UrVbJMaPIqonXp1nDoZ
-i878+hX4rJUEjgO6Sa9GVZQpmuCrQF0qKsTiUBzZN67hoD3xoTAYi5IXQE2tRD1N
-j3zwng9liCsxurGMnuV0BPWv/IDYRu/syjee1Qv1VFeRto5D4Rldmi2p1f5iWJCk
-5m5YpRsknaICjYs=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert63.crt b/tests/data_files/dir4/cert63.crt
deleted file mode 100644
index ffa90e4..0000000
--- a/tests/data_files/dir4/cert63.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAcMRowGAYDVQQDExFUZXN0IExlYWYgdmFsaWQgMjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAIoBoBxjVjZBFlhZ+3mlOJAtlo0d0bXAbKFt
-TJUJ3VL8FlB4HG3yIO54eujoul5dyKgDIx49SdBDxnME35i3Wkbzd/Co0zId/xYh
-a61C9DDYIhsY5E7YVoLH1eAv4t70Q0wlvtlDBXXevs+4cBX/pXU7Aj/UKfvdxna7
-Ja7wEdltKoxy1CwCRpP+ls8RRusXgoHYZKKAz6a7H5WSf3DdUrqk2DmlTAI/SWqL
-0rVE1YRfKLg1C6atH4gSJqJXTm3BnWgFpYEZdJPDXaEi6Vnf+/oYuLB+T0jmavvI
-NZUN3IKxO7WuF96f4ungKXJ9YchJE8vWaSjhb2V5zOA9Y/PikikCAwEAAaNNMEsw
-CQYDVR0TBAIwADAdBgNVHQ4EFgQUwjdrwy2NbXHp088kZpUuEwXtsYowHwYDVR0j
-BBgwFoAUOBl8edVm/H5xdS2EGEeLzftZ/DUwDQYJKoZIhvcNAQELBQADggEBABrt
-2fKOUwAb5EFD/ebXMM4Qzg6sFYpq/mcnPlmGmqwNzmumlgYUBS15liTnA4nBgR09
-b2sejlwnzcnrsFB18YCmE/TIPuh3XMJXmUxjcnCy3qPuSwpuwG3brUGQPiIZhRZz
-1+iSc7uba/JGaTqLBItaRPlB6dD3jqY3UowFaWvnYiVmCXg147EBC5Mn2EDiukg0
-xsqM03yfpUkp4/W9+WpJuGNyhicSJbNxlh3zEjrgWeMvhnFmrTr7ss6P2ZoKGS3/
-QrZBLUzkk25hCF3dTNfTDVSQUt0rONJvx3ym+Kp+zQWc/oHsDs0STs5Db2J0dGp8
-VEyxyevfwivF4EQ70Jw=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert71.crt b/tests/data_files/dir4/cert71.crt
deleted file mode 100644
index 8c2af4c..0000000
--- a/tests/data_files/dir4/cert71.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMBYxFDASBgNV
-BAMTC1Rlc3Qgcm9vdCAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mTX2sHY42Ord9gWyB6GcdlLjjE+4zBJ1BoDpMnvJ89niMTuZTq1ViMp/B6RuTH+2
-YF3+riZYQDH9yM/8rgvAUIvK9STaq19Zrm0mnfQUo9yKdkfoJ+XvWuvK6f+NkAMg
-xfhAD6eSupigTvov/w2IT8rS0dxo4KF6hKBL2aYlXhiEyi/NmsEPZWvVh+qk3L/Q
-GSwpgC+DhVoQzFRofUdK9O9MkgR675iftaFDvyi7F0fxrSLfB/Wy4cgRYzIW6pyN
-2sXWivKdLI3bgB01ffdbO17ZAGILK1whO29/bX6hbH09Y/H7jR2vjy+KP9N0PEa3
-7SBymlokB3A8wq/LWPYPeQIDAQABo1MwUTAPBgNVHRMECDAGAQEBAgEBMB0GA1Ud
-DgQWBBSOBd1fH00Y9r5S8cELj/9IT4BGlDAfBgNVHSMEGDAWgBSOBd1fH00Y9r5S
-8cELj/9IT4BGlDANBgkqhkiG9w0BAQsFAAOCAQEAB9nLaqxsBW0isDaBGNJyzH9O
-WqYY0hex9tm3UqygfE9b9aahykpkowQIzh4D9Xpbd0hZGVlK/sw2qsKj6gDOiMtL
-uWs4gaFNWIQqhVsTzL88c7XaW55n+TRQdVZyy38DZVWphte1Mumc9WB8N15rZTDh
-iXjwGl0mrV1egq4hJZLpy14f6ihqU7KGfmc9onxvgvWxYLi+5v8874c4ophSKsI2
-qVE8iZ6uq2oQ66Pd5S50cYk6MEW5lifAhLM5WFZmW7dRKmykBGZ9rFrJrIvhkmh9
-He7q6TEQP1Wcoc147nIg0BTkHGtdrEv3jIX6UKKUEwUUk9ARB1mSodZQHBhuww==
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert72.crt b/tests/data_files/dir4/cert72.crt
deleted file mode 100644
index 5dcd65d..0000000
--- a/tests/data_files/dir4/cert72.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtUZXN0
-IHJvb3QgMjAeFw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCYxJDAiBgNV
-BAMTG1Rlc3QgaW50ZXJtZWRpYXRlIG1heHBhdGggMTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANpGlBMXdo8cO9oqUw/b6PMwiMNV8LCe6wB9VKHPa6OG
-Q0o8Xqktgwnh1rojgpMhbCApE7UXeMr6ZGq/NtqmO1hO5adV5JehWZyvg7j4EBpG
-g8iWo0jNpKMJ0Yx1uBkkljEdZLTHa4bK/zy2NKqDNS2yWs9/M5+xw5XE2ecAg7FT
-cXhf3q50V+M6T2IaQ9BxntTyCT8IIF2eRM/t9Y944s9Rfzm/KQVKRYPudX7YhTt9
-iqCJB4JoqYhs3HEO0wPkJxY4KBTUCN94s+7jUFdRrYxe+8Ya6tIYWqD38i5qdGhY
-xrVey1LatsDJQ2EgNYobM/LjoCLK1WUssEqf0OU2bi0CAwEAAaNQME4wDAYDVR0T
-BAUwAwEBATAdBgNVHQ4EFgQUOBl8edVm/H5xdS2EGEeLzftZ/DUwHwYDVR0jBBgw
-FoAUjgXdXx9NGPa+UvHBC4//SE+ARpQwDQYJKoZIhvcNAQELBQADggEBAFwZriTu
-DKkiDHFfz3UX4fIxYTHCi4TveYZGPeTbxhBb3XZC5qDF4T5HvCTSkG9+oFfZzI1a
-lPN2yZB7QnmHJoyWa5fuovwUL0iI3iIZMqU56tdVPW8gkJe++U5kHMSpz2VF0eo8
-7XkKWxZovRwczgfDFRP9zM9CylyzQjqxx6kbxJozWnwc5UrVbJMaPIqonXp1nDoZ
-i878+hX4rJUEjgO6Sa9GVZQpmuCrQF0qKsTiUBzZN67hoD3xoTAYi5IXQE2tRD1N
-j3zwng9liCsxurGMnuV0BPWv/IDYRu/syjee1Qv1VFeRto5D4Rldmi2p1f5iWJCk
-5m5YpRsknaICjYs=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert73.crt b/tests/data_files/dir4/cert73.crt
deleted file mode 100644
index 6854c74..0000000
--- a/tests/data_files/dir4/cert73.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAmMSQwIgYDVQQDExtUZXN0IGludGVybWVkaWF0ZSBtYXhwYXRoIDEw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaRpQTF3aPHDvaKlMP2+jz
-MIjDVfCwnusAfVShz2ujhkNKPF6pLYMJ4da6I4KTIWwgKRO1F3jK+mRqvzbapjtY
-TuWnVeSXoVmcr4O4+BAaRoPIlqNIzaSjCdGMdbgZJJYxHWS0x2uGyv88tjSqgzUt
-slrPfzOfscOVxNnnAIOxU3F4X96udFfjOk9iGkPQcZ7U8gk/CCBdnkTP7fWPeOLP
-UX85vykFSkWD7nV+2IU7fYqgiQeCaKmIbNxxDtMD5CcWOCgU1AjfeLPu41BXUa2M
-XvvGGurSGFqg9/IuanRoWMa1XstS2rbAyUNhIDWKGzPy46AiytVlLLBKn9DlNm4t
-AgMBAAGjUDBOMAwGA1UdEwQFMAMBAQEwHQYDVR0OBBYEFDgZfHnVZvx+cXUthBhH
-i837Wfw1MB8GA1UdIwQYMBaAFDgZfHnVZvx+cXUthBhHi837Wfw1MA0GCSqGSIb3
-DQEBCwUAA4IBAQDPQC9vYJegBgVZHu0StoRT7L6ShWcZc5Z/TeyrqJBdoiguSRq5
-kMiFXZpksxeFlIUYry21MigYqxOXGZ2GZYNqhLpYVh7hzAY8uYvf4U70q88zj7mw
-gIcgEaMd71GHqbb2O5x3fCN7vLeU5DFYBWfqLlkL57Uqr2aRDHlucryyRNordicN
-WbCxPozmqtbNMABEUbjLMCCuzJeNRSZbS0OOod6Xd3N00EK7PqaRhbihbq3L6gUG
-MjUI2keSxW4vXcDfI5Hqem6SHpCc3retx2VUgwIDAoTrw7E4dwmyC4Tp7TDJL/+d
-GU8qhRmoQer7mLUzpb3s8mq/4rZx+alTQ3gu
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert74.crt b/tests/data_files/dir4/cert74.crt
deleted file mode 100644
index 920c4c2..0000000
--- a/tests/data_files/dir4/cert74.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtUZXN0
-IGludGVybWVkaWF0ZSBtYXhwYXRoIDEwHhcNMDEwMTAxMDAwMDAwWhcNMzAxMjMx
-MjM1OTU5WjAcMRowGAYDVQQDExFUZXN0IExlYWYgdmFsaWQgMzCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAIoBoBxjVjZBFlhZ+3mlOJAtlo0d0bXAbKFt
-TJUJ3VL8FlB4HG3yIO54eujoul5dyKgDIx49SdBDxnME35i3Wkbzd/Co0zId/xYh
-a61C9DDYIhsY5E7YVoLH1eAv4t70Q0wlvtlDBXXevs+4cBX/pXU7Aj/UKfvdxna7
-Ja7wEdltKoxy1CwCRpP+ls8RRusXgoHYZKKAz6a7H5WSf3DdUrqk2DmlTAI/SWqL
-0rVE1YRfKLg1C6atH4gSJqJXTm3BnWgFpYEZdJPDXaEi6Vnf+/oYuLB+T0jmavvI
-NZUN3IKxO7WuF96f4ungKXJ9YchJE8vWaSjhb2V5zOA9Y/PikikCAwEAAaNNMEsw
-CQYDVR0TBAIwADAdBgNVHQ4EFgQUwjdrwy2NbXHp088kZpUuEwXtsYowHwYDVR0j
-BBgwFoAUOBl8edVm/H5xdS2EGEeLzftZ/DUwDQYJKoZIhvcNAQELBQADggEBAK9R
-J7H8epG2NagZ3Gpl6R1jSiIixWlPJci2Bz1Nr8NIER64TJCKHeh9ku6tzSdrVL3B
-2rj5GmpubDXEWAKfMtt0ccF2UIva9rDMNzaAnCSevWHXf9Httr84X6RmhtXb9/Rm
-fp3W+L0GlDfHfHn8uoVdQe5e6xkmGxtcHDUsyO/CJMkrwUyoB8zs7UtlNtOf45H4
-PPg09lzV7RQ9vFIH48F/4gZW+w3AqN9ZwvYkGcJUY8tyHpb9hDrR4F6loVInrlCE
-0pQiQXNCdee1za9QsScSjYNxGfR2Dkzote41H098jvLalLTTg5Fqx/AylnX285FI
-ETGOumNQ51IJLUpq+hc=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert81.crt b/tests/data_files/dir4/cert81.crt
deleted file mode 100644
index 26b2bd5..0000000
--- a/tests/data_files/dir4/cert81.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBpTCCAUmgAwIBAgIBUTAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
-ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
-MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA4MREwDwYDVQQKEwht
-YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT1
-GuTQ9vgf2l3oLM25r78cvIAQqE02GzQGjp/WWw3CysEwTwNEuZGhRiD5lDmkbUGW
-UNxv/7uJjy7k3K3fDNdko1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTHFA2h
-Au0tPnzeYnLcmlTQj4FAajAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQj4FA
-ajAMBggqhkjOPQQDAgUAA0gAMEUCIH7Z/HNb/Pwbs40iNll1a9gmgAbYOgdlVPWo
-nSdcb7cZAiEAlhVb6CdBXsjOfAWWEET/QP74z608PKFccCIFPCDLkxo=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert82.crt b/tests/data_files/dir4/cert82.crt
deleted file mode 100644
index d49ecc9..0000000
--- a/tests/data_files/dir4/cert82.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqDCCAUygAwIBAgIBUjAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
-ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
-MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGSW50IDgyMREwDwYDVQQKEwht
-YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2
-giYQt4HVfQ2t8eTS0bvISwp7ol2x17umbllBxwzGDFEUQ00JL1/SStezecK0lNhE
-0AvY8Ez2soQEtdSeQGkCo1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBS3
-+nsv3nQknSg4aDjlTiRpCPo7XzAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQ
-j4FAajAMBggqhkjOPQQDAgUAA0gAMEUCIQDus2Lvx3yyvaViY1s334uMm6ge484X
-oktMyxLVjkAMiAIgehTHiJJaT9PnlVa+hUpxsIfVAuMexrm5fw/bDF5Nxzw=
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert83.crt b/tests/data_files/dir4/cert83.crt
deleted file mode 100644
index 21a748e..0000000
--- a/tests/data_files/dir4/cert83.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBoDCCAUWgAwIBAgIBUzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBkludCA4
-MjERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
-MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgODMxETAPBgNVBAoTCG1i
-ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMSy
-6X5iBYrdxxOMfdcA23pLBoJCeyEjiWfALxTm80MJGBdRNVdnT50xNU3SDDwHWPda
-/EQqHq+itsqkUeyAGAyjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFGsFH/KsvM4n
-r+i1gI2iCVXi3KtFMB8GA1UdIwQYMBaAFLf6ey/edCSdKDhoOOVOJGkI+jtfMAwG
-CCqGSM49BAMCBQADRwAwRAIgQURH8DHWFHVK38+znWc85G1P+g4ocdkA5Gt0LbOg
-SJMCIBsacOLFywxZYF8atizw6zMRw+QeHR2514JIhJUck2kd
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert91.crt b/tests/data_files/dir4/cert91.crt
deleted file mode 100644
index 6d4605a..0000000
--- a/tests/data_files/dir4/cert91.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqTCCAUygAwIBAgIBWzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
-OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
-MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA5MREwDwYDVQQKEwht
-YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATh
-D2SmdS6D7cYi2vGMyuCdol/OOUN2di2pS2wfSI/MsY/Z4O9iNHqbXQP6l+hcT5ap
-daycs7r6ZPNqmWM7b16go1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBRb
-zVrcAxddj0i0DEqvTGT8F37bizAfBgNVHSMEGDAWgBRbzVrcAxddj0i0DEqvTGT8
-F37bizAMBggqhkjOPQQDAgUAA0kAMEYCIQDbrSV4ndH0vAR3HqJfBn8NT8zdvMjB
-qSJes6Qwa42b2wIhAKyoH0H+b1Svw8pMkvUYF4ElH5Cnn7gxb7Wl3arc0+hQ
------END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert92.crt b/tests/data_files/dir4/cert92.crt
deleted file mode 100644
index 49b53a5..0000000
--- a/tests/data_files/dir4/cert92.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBoTCCAUWgAwIBAgIBXDAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
-OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
-MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgOTIxETAPBgNVBAoTCG1i
-ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC9E
-tK1pE8Ei8vgScunyjx50C+qDsQS8D2RhGHC4VkE2yyiFxJA/ynhoeXTKZsHuEWI9
-CfOSvk0RrTWf9nr0pTGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLqsN52tAf1k
-XlzxQmdD5qG6Sy6PMB8GA1UdIwQYMBaAFFvNWtwDF12PSLQMSq9MZPwXftuLMAwG
-CCqGSM49BAMCBQADSAAwRQIgXlfKqhkhXgK112Eycl+Z5NHM+6aqXE7i9j7IyGfk
-ikICIQDBYNGbpSx82XG+IS/h4AWNTa4Hs6rmWvQDWJum7NrzMQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/ec_224_prv.comp.pem b/tests/data_files/ec_224_prv.comp.pem
deleted file mode 100644
index e7ed538..0000000
--- a/tests/data_files/ec_224_prv.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MEwCAQEEHGhJ+X0QZvaZd1ljfH44mUZM7j7HrJcGU6C+B0KgBwYFK4EEACGhIAMe
-AAMWk6KQ9/C1cf4rQdXYSwEydjH0qGD5lfozLAl/
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_224_prv.pem b/tests/data_files/ec_224_prv.pem
deleted file mode 100644
index ebb83a0..0000000
--- a/tests/data_files/ec_224_prv.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MGgCAQEEHGhJ+X0QZvaZd1ljfH44mUZM7j7HrJcGU6C+B0KgBwYFK4EEACGhPAM6
-AAQWk6KQ9/C1cf4rQdXYSwEydjH0qGD5lfozLAl/VBkrsQ8AET8q/7E8GiTORJFF
-calUQK4BSgDL9w==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_224_pub.comp.pem b/tests/data_files/ec_224_pub.comp.pem
deleted file mode 100644
index 159366c..0000000
--- a/tests/data_files/ec_224_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MDIwEAYHKoZIzj0CAQYFK4EEACEDHgADFpOikPfwtXH+K0HV2EsBMnYx9Khg+ZX6
-MywJfw==
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_224_pub.pem b/tests/data_files/ec_224_pub.pem
deleted file mode 100644
index d2da54a..0000000
--- a/tests/data_files/ec_224_pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-ME4wEAYHKoZIzj0CAQYFK4EEACEDOgAEFpOikPfwtXH+K0HV2EsBMnYx9Khg+ZX6
-MywJf1QZK7EPABE/Kv+xPBokzkSRRXGpVECuAUoAy/c=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_256_long_prv.der b/tests/data_files/ec_256_long_prv.der
deleted file mode 100644
index 96e329e..0000000
--- a/tests/data_files/ec_256_long_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_256_long_prv.pem b/tests/data_files/ec_256_long_prv.pem
deleted file mode 100644
index 5141e30..0000000
--- a/tests/data_files/ec_256_long_prv.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIcex4mqXsQamUKTVf8vXmTAJrQvGjh5mXG8p9+OR4xAoAoGCCqGSM49
-AwEHoUQDQgAEqJ2HQjPpc6fDwE/vSa6U35USXawkTo98y4U6NsAl+rOGuqMPEFXf
-P1Srm/Jrzwa/RuppRL5kgyAsGJTUmwZEzQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_prv.comp.pem b/tests/data_files/ec_256_prv.comp.pem
deleted file mode 100644
index 9ef8c97..0000000
--- a/tests/data_files/ec_256_prv.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
-AwEHoSQDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1c=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_prv.pem b/tests/data_files/ec_256_prv.pem
deleted file mode 100644
index e42dd4a..0000000
--- a/tests/data_files/ec_256_prv.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
-AwEHoUQDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1clkM2vj3aT
-YbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_pub.comp.pem b/tests/data_files/ec_256_pub.comp.pem
deleted file mode 100644
index bf9655d..0000000
--- a/tests/data_files/ec_256_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyh
-sONTUYNLCLZeC1c=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_256_pub.pem b/tests/data_files/ec_256_pub.pem
deleted file mode 100644
index 701da02..0000000
--- a/tests/data_files/ec_256_pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyh
-sONTUYNLCLZeC1clkM2vj3aTYbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ==
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_384_prv.comp.pem b/tests/data_files/ec_384_prv.comp.pem
deleted file mode 100644
index 3125b41..0000000
--- a/tests/data_files/ec_384_prv.comp.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHQCAQEEMD9djZvigLVpbMXMn5TPivfmth3WWSsqsrOkxgdFBBfsMn3Nyu18EAU9
-cZoFdPCnaqAHBgUrgQQAIqE0AzIAA9nGYrULopykeZBFDgQ66vTwxpsVZ20RL2Iq
-cckwWa+ZlpHFaA0rRNERV52xL0pBOg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_384_prv.pem b/tests/data_files/ec_384_prv.pem
deleted file mode 100644
index 7890759..0000000
--- a/tests/data_files/ec_384_prv.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDA/XY2b4oC1aWzFzJ+Uz4r35rYd1lkrKrKzpMYHRQQX7DJ9zcrtfBAF
-PXGaBXTwp2qgBwYFK4EEACKhZANiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9i
-KnHJMFmvmZaRxWgNK0TREVedsS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoS
-MX7VkU+Zm8SIuxMug0LMNvLKXjN5x0c=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_384_pub.comp.pem b/tests/data_files/ec_384_pub.comp.pem
deleted file mode 100644
index ccb6702..0000000
--- a/tests/data_files/ec_384_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MEYwEAYHKoZIzj0CAQYFK4EEACIDMgAD2cZitQuinKR5kEUOBDrq9PDGmxVnbREv
-YipxyTBZr5mWkcVoDStE0RFXnbEvSkE6
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_384_pub.pem b/tests/data_files/ec_384_pub.pem
deleted file mode 100644
index de95382..0000000
--- a/tests/data_files/ec_384_pub.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2cZitQuinKR5kEUOBDrq9PDGmxVnbREv
-YipxyTBZr5mWkcVoDStE0RFXnbEvSkE6LtXEX8+2e1tj4AuR6+WdCaaxrCwMQoKq
-EjF+1ZFPmZvEiLsTLoNCzDbyyl4zecdH
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_prv.comp.pem b/tests/data_files/ec_521_prv.comp.pem
deleted file mode 100644
index 314c393..0000000
--- a/tests/data_files/ec_521_prv.comp.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGYAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
-lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhRgNEAAMAHeFC1U9p
-6wOO5LevnTygdzb9nPcZ6zVNaYee5/PBNvsPv58I+Gvl+hKOwaBR0+bGQ+ha2o/6
-zzZjwmC9LIRLb1Y=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_prv.der b/tests/data_files/ec_521_prv.der
deleted file mode 100644
index 734714a..0000000
--- a/tests/data_files/ec_521_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_521_prv.pem b/tests/data_files/ec_521_prv.pem
deleted file mode 100644
index 144bb44..0000000
--- a/tests/data_files/ec_521_prv.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
-lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhgYkDgYYABAAd4ULV
-T2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6Eo7BoFHT5sZD6Fra
-j/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFfH2fVtDTg/yOh/Afv
-d0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_pub.comp.pem b/tests/data_files/ec_521_pub.comp.pem
deleted file mode 100644
index 4bb8c2b..0000000
--- a/tests/data_files/ec_521_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFgwEAYHKoZIzj0CAQYFK4EEACMDRAADAB3hQtVPaesDjuS3r508oHc2/Zz3Ges1
-TWmHnufzwTb7D7+fCPhr5foSjsGgUdPmxkPoWtqP+s82Y8JgvSyES29W
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_pub.der b/tests/data_files/ec_521_pub.der
deleted file mode 100644
index 5b685de..0000000
--- a/tests/data_files/ec_521_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_521_pub.pem b/tests/data_files/ec_521_pub.pem
deleted file mode 100644
index 26bc5c5..0000000
--- a/tests/data_files/ec_521_pub.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAHeFC1U9p6wOO5LevnTygdzb9nPcZ
-6zVNaYee5/PBNvsPv58I+Gvl+hKOwaBR0+bGQ+ha2o/6zzZjwmC9LIRLb1YAzujk
-ip5l0Jyt2J8jXe4F87imRr5xXx9n1bQ04P8jofwH73dAGT5A7v9vO839dlqpFVAz
-Uk/k8gX1RE4pLEwvasE=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_short_prv.der b/tests/data_files/ec_521_short_prv.der
deleted file mode 100644
index 0a1f18c..0000000
--- a/tests/data_files/ec_521_short_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_521_short_prv.pem b/tests/data_files/ec_521_short_prv.pem
deleted file mode 100644
index 427b7ad..0000000
--- a/tests/data_files/ec_521_short_prv.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAOXdk7W+Hf5L7Hc9fKe44wmpaRNs5ERFTkv5CrlXv/Bu3y28M673q
-vBNo7a/UE/6NNQHu2pQODEYFpMg6R34b5SigBwYFK4EEACOhgYkDgYYABAFUMHXV
-KPA4vkMgq+pFgDoH96XoM517gF2GJFV6h2gLhykzIHL/otAyEpAStw7MBvbU0V21
-ixB+hjqzO7Snxaj9mwB8g87OKxm5eGfsqvJNPdJ0RZ/EKy06Ukg6KThlhQeyrtIk
-g5PTCrPnNszlffAy6/jCOe3Moi59g15H13sSzwfX6g==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp256_prv.comp.pem b/tests/data_files/ec_bp256_prv.comp.pem
deleted file mode 100644
index 198d21d..0000000
--- a/tests/data_files/ec_bp256_prv.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFgCAQEEICFh1vLbdlJvpiwW81aoDwHzL3dnhLNqqZeZqLdmIID/oAsGCSskAwMC
-CAEBB6EkAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm7G1hbBRuE/HH34Cb
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp256_prv.pem b/tests/data_files/ec_bp256_prv.pem
deleted file mode 100644
index 9d6a867..0000000
--- a/tests/data_files/ec_bp256_prv.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHgCAQEEICFh1vLbdlJvpiwW81aoDwHzL3dnhLNqqZeZqLdmIID/oAsGCSskAwMC
-CAEBB6FEA0IABHaMjK5KvKYwbbDtgbDEpiFcN4Bm7G1hbBRuE/HH34CblqtpEcJ9
-igIznwkmhA5VI209HvviZp0JDkxMZg+tqR0=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp256_pub.comp.pem b/tests/data_files/ec_bp256_pub.comp.pem
deleted file mode 100644
index ecd07bc..0000000
--- a/tests/data_files/ec_bp256_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MDowFAYHKoZIzj0CAQYJKyQDAwIIAQEHAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm
-7G1hbBRuE/HH34Cb
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp256_pub.pem b/tests/data_files/ec_bp256_pub.pem
deleted file mode 100644
index f738623..0000000
--- a/tests/data_files/ec_bp256_pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABHaMjK5KvKYwbbDtgbDEpiFcN4Bm
-7G1hbBRuE/HH34CblqtpEcJ9igIznwkmhA5VI209HvviZp0JDkxMZg+tqR0=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp384_prv.comp.pem b/tests/data_files/ec_bp384_prv.comp.pem
deleted file mode 100644
index c0e2393..0000000
--- a/tests/data_files/ec_bp384_prv.comp.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHgCAQEEMD3ZLnUNkNfTn8GIXNitEuqUQfIrkzS02WUgKtsUSM4kxYCKhd2a/CKa
-8KMST3Vby6ALBgkrJAMDAggBAQuhNAMyAAJxn50JOmJ+DTUDhcZhzr8AxhkjVm/p
-AGoxB68dhxvGu2iYX9ci6jK+MW+OeDt80ZU=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp384_prv.pem b/tests/data_files/ec_bp384_prv.pem
deleted file mode 100644
index 34e82db..0000000
--- a/tests/data_files/ec_bp384_prv.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGoAgEBBDA92S51DZDX05/BiFzYrRLqlEHyK5M0tNllICrbFEjOJMWAioXdmvwi
-mvCjEk91W8ugCwYJKyQDAwIIAQELoWQDYgAEcZ+dCTpifg01A4XGYc6/AMYZI1Zv
-6QBqMQevHYcbxrtomF/XIuoyvjFvjng7fNGVd4X2bPwMsZXdXJmo56uqhIVTpYTf
-0rSOdtRF/gDdi+WQlth31GltI7S8jbFHJOZq
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp384_pub.comp.pem b/tests/data_files/ec_bp384_pub.comp.pem
deleted file mode 100644
index 638666d..0000000
--- a/tests/data_files/ec_bp384_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MEowFAYHKoZIzj0CAQYJKyQDAwIIAQELAzIAAnGfnQk6Yn4NNQOFxmHOvwDGGSNW
-b+kAajEHrx2HG8a7aJhf1yLqMr4xb454O3zRlQ==
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp384_pub.pem b/tests/data_files/ec_bp384_pub.pem
deleted file mode 100644
index eb202e2..0000000
--- a/tests/data_files/ec_bp384_pub.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PUBLIC KEY-----
-MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABHGfnQk6Yn4NNQOFxmHOvwDGGSNW
-b+kAajEHrx2HG8a7aJhf1yLqMr4xb454O3zRlXeF9mz8DLGV3VyZqOerqoSFU6WE
-39K0jnbURf4A3YvlkJbYd9RpbSO0vI2xRyTmag==
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp512_prv.comp.pem b/tests/data_files/ec_bp512_prv.comp.pem
deleted file mode 100644
index 73b1c07..0000000
--- a/tests/data_files/ec_bp512_prv.comp.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGYAgEBBEA3LJd49p9ybLyj9KJo8WtNYX0QKA15pqApzVGHn+EBKTTf5TlUVTN9
-9pBtx9bS7qTbsgZcAij3Oz7XFkgOfXHSoAsGCSskAwMCCAEBDaFEA0IAAji37JK2
-HFxsf7wopOx1nUj81OLjdN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrH
-zndr2yUd1kvOcSM=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp512_prv.der b/tests/data_files/ec_bp512_prv.der
deleted file mode 100644
index 2d9a3de..0000000
--- a/tests/data_files/ec_bp512_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_bp512_prv.pem b/tests/data_files/ec_bp512_prv.pem
deleted file mode 100644
index a30c622..0000000
--- a/tests/data_files/ec_bp512_prv.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHaAgEBBEA3LJd49p9ybLyj9KJo8WtNYX0QKA15pqApzVGHn+EBKTTf5TlUVTN9
-9pBtx9bS7qTbsgZcAij3Oz7XFkgOfXHSoAsGCSskAwMCCAEBDaGBhQOBggAEOLfs
-krYcXGx/vCik7HWdSPzU4uN03v1cSWilTb73UQ5ReIb7/DjqOapSk1nXCnFWw108
-usfOd2vbJR3WS85xI0Qk7nBJ7tBy8NvE15mW4XXVV+JjdjrpcJXAgec+fbLjitw9
-TJoEh7Ht6HbcH8phyQLpodhyK4YSko8YokhFWRo=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp512_pub.comp.pem b/tests/data_files/ec_bp512_pub.comp.pem
deleted file mode 100644
index c2fbdca..0000000
--- a/tests/data_files/ec_bp512_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFowFAYHKoZIzj0CAQYJKyQDAwIIAQENA0IAAji37JK2HFxsf7wopOx1nUj81OLj
-dN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrHzndr2yUd1kvOcSM=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp512_pub.der b/tests/data_files/ec_bp512_pub.der
deleted file mode 100644
index 6a8c4c7..0000000
--- a/tests/data_files/ec_bp512_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_bp512_pub.pem b/tests/data_files/ec_bp512_pub.pem
deleted file mode 100644
index ff5d072..0000000
--- a/tests/data_files/ec_bp512_pub.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGbMBQGByqGSM49AgEGCSskAwMCCAEBDQOBggAEOLfskrYcXGx/vCik7HWdSPzU
-4uN03v1cSWilTb73UQ5ReIb7/DjqOapSk1nXCnFWw108usfOd2vbJR3WS85xI0Qk
-7nBJ7tBy8NvE15mW4XXVV+JjdjrpcJXAgec+fbLjitw9TJoEh7Ht6HbcH8phyQLp
-odhyK4YSko8YokhFWRo=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_prv.pk8.der b/tests/data_files/ec_prv.pk8.der
deleted file mode 100644
index f2bd2a9..0000000
--- a/tests/data_files/ec_prv.pk8.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.pk8.pem b/tests/data_files/ec_prv.pk8.pem
deleted file mode 100644
index dbeab7c..0000000
--- a/tests/data_files/ec_prv.pk8.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEVTBTAgEBBBgzjoaogeI49Um9bwVT
-SUtz49YRMP3GyW2hNAMyAARRdbzfMKNw851Tk+YScojYAWe19LS3dsZ098bzVLfS
-JAYsH2hUtaevD+V46vJY8Cc=
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.pk8.pw.der b/tests/data_files/ec_prv.pk8.pw.der
deleted file mode 100644
index db0b5bd..0000000
--- a/tests/data_files/ec_prv.pk8.pw.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.pk8.pw.pem b/tests/data_files/ec_prv.pk8.pw.pem
deleted file mode 100644
index 7413d1e..0000000
--- a/tests/data_files/ec_prv.pk8.pw.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIGRMBwGCiqGSIb3DQEMAQEwDgQIIrlmCCSpJzcCAggABHGm2LyJ60ojfilRRp8h
-Xf+sWL3lJq6wlj4Nk41SHVnZ2RiVtP5NVK908/WxnXkridd6Qpjnq/14woWVmQxT
-IzhKFVi22YmQyBsNj+bEGDAE4c9qaby8u6zbzs7Qj29F90f/PiYsaIEGcNn/W88e
-XarNDw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.pk8nopub.der b/tests/data_files/ec_prv.pk8nopub.der
deleted file mode 100644
index fde16a1..0000000
--- a/tests/data_files/ec_prv.pk8nopub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.pk8nopub.pem b/tests/data_files/ec_prv.pk8nopub.pem
deleted file mode 100644
index 0ec5272..0000000
--- a/tests/data_files/ec_prv.pk8nopub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PRIVATE KEY-----
-MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDH78XUX+cxmTPQ1hVkYbu3VvBc9c82
-EyGKaGvkAo1Pkw==
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.pk8nopubparam.der b/tests/data_files/ec_prv.pk8nopubparam.der
deleted file mode 100644
index 70d30fb..0000000
--- a/tests/data_files/ec_prv.pk8nopubparam.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.pk8nopubparam.pem b/tests/data_files/ec_prv.pk8nopubparam.pem
deleted file mode 100644
index 5c910c9..0000000
--- a/tests/data_files/ec_prv.pk8nopubparam.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PRIVATE KEY-----
-ME0CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEMzAxAgEBBCDH78XUX+cxmTPQ1hVkYbu3VvBc9c82
-EyGKaGvkAo1Pk6AKBggqhkjOPQMBBw==
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.pk8param.der b/tests/data_files/ec_prv.pk8param.der
deleted file mode 100644
index 8bbaa3a..0000000
--- a/tests/data_files/ec_prv.pk8param.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.pk8param.pem b/tests/data_files/ec_prv.pk8param.pem
deleted file mode 100644
index 978beca..0000000
--- a/tests/data_files/ec_prv.pk8param.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgx+/F1F/nMZkz0NYVZGG7t1bwXPXP
-NhMhimhr5AKNT5OgCgYIKoZIzj0DAQehRANCAARkJXH1LofHesYJwJkoZQ0ijCVrxDFEi8e/fc1d
-6DS2Hsk55TWpL953QEIDN8RmW01lejceK3jQWs0uGDenGCcM
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.sec1.comp.pem b/tests/data_files/ec_prv.sec1.comp.pem
deleted file mode 100644
index ada14c2..0000000
--- a/tests/data_files/ec_prv.sec1.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MEcCAQEEGDOOhqiB4jj1Sb1vBVNJS3Pj1hEw/cbJbaAKBggqhkjOPQMBAaEcAxoA
-A1F1vN8wo3DznVOT5hJyiNgBZ7X0tLd2xg==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.sec1.der b/tests/data_files/ec_prv.sec1.der
deleted file mode 100644
index fe336b7..0000000
--- a/tests/data_files/ec_prv.sec1.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_prv.sec1.pem b/tests/data_files/ec_prv.sec1.pem
deleted file mode 100644
index a8a7990..0000000
--- a/tests/data_files/ec_prv.sec1.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MF8CAQEEGDOOhqiB4jj1Sb1vBVNJS3Pj1hEw/cbJbaAKBggqhkjOPQMBAaE0AzIA
-BFF1vN8wo3DznVOT5hJyiNgBZ7X0tLd2xnT3xvNUt9IkBiwfaFS1p68P5Xjq8ljw
-Jw==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.sec1.pw.pem b/tests/data_files/ec_prv.sec1.pw.pem
deleted file mode 100644
index 62a0860..0000000
--- a/tests/data_files/ec_prv.sec1.pw.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,AA94892A169FA426
-
-gSkFuUENNke5MvkWHc11/w1NQWBxaIxGT+d5oRcqs44D3tltVOwtdnYexoD9uSIL
-wMFFRLL6I5ii1Naa38nPOMaa7kLU2J3jY8SeIH1rQ43X6tlpv9WFGqDn/m6X7oKo
-RMMfGdicPZg=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_prv.specdom.der b/tests/data_files/ec_prv.specdom.der
deleted file mode 100644
index a80a2e3..0000000
--- a/tests/data_files/ec_prv.specdom.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_pub.comp.pem b/tests/data_files/ec_pub.comp.pem
deleted file mode 100644
index 55fac08..0000000
--- a/tests/data_files/ec_pub.comp.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgADUXW83zCjcPOdU5PmEnKI2AFntfS0
-t3bG
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_pub.der b/tests/data_files/ec_pub.der
deleted file mode 100644
index e4e5915..0000000
--- a/tests/data_files/ec_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_pub.pem b/tests/data_files/ec_pub.pem
deleted file mode 100644
index d54dc94..0000000
--- a/tests/data_files/ec_pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEUXW83zCjcPOdU5PmEnKI2AFntfS0
-t3bGdPfG81S30iQGLB9oVLWnrw/leOryWPAn
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_x25519_prv.der b/tests/data_files/ec_x25519_prv.der
deleted file mode 100644
index ea23733..0000000
--- a/tests/data_files/ec_x25519_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_x25519_prv.pem b/tests/data_files/ec_x25519_prv.pem
deleted file mode 100644
index 0072240..0000000
--- a/tests/data_files/ec_x25519_prv.pem
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VuBCIEILBtgpZVVDpRy6NuU1IrwKz9YK9ZRmVV+z4eeWhyqxpZ
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_x25519_pub.der b/tests/data_files/ec_x25519_pub.der
deleted file mode 100644
index 922cb76..0000000
--- a/tests/data_files/ec_x25519_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_x25519_pub.pem b/tests/data_files/ec_x25519_pub.pem
deleted file mode 100644
index 2a36b5b..0000000
--- a/tests/data_files/ec_x25519_pub.pem
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VuAyEAm8Ow6T2CM/5qi6YTiUjMEqkTYtXC7YFYTbBatUGcnRE=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ec_x448_prv.der b/tests/data_files/ec_x448_prv.der
deleted file mode 100644
index f6d52f7..0000000
--- a/tests/data_files/ec_x448_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_x448_prv.pem b/tests/data_files/ec_x448_prv.pem
deleted file mode 100644
index 7bca661..0000000
--- a/tests/data_files/ec_x448_prv.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PRIVATE KEY-----
-MEYCAQAwBQYDK2VvBDoEOGTpCDYD9atLDMYwDnjdwUTkjO4ZMB/uacXKw+4iUiED
-oe50tXsIxi5REqWe2YOoL7eD7npOGRPt
------END PRIVATE KEY-----
diff --git a/tests/data_files/ec_x448_pub.der b/tests/data_files/ec_x448_pub.der
deleted file mode 100644
index 7c44c91..0000000
--- a/tests/data_files/ec_x448_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/ec_x448_pub.pem b/tests/data_files/ec_x448_pub.pem
deleted file mode 100644
index 306e10c..0000000
--- a/tests/data_files/ec_x448_pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MEIwBQYDK2VvAzkAlrVhn5KDNBt3nL38B9mqGKqrPwnah3ynJgaWQ5IcLzv6zZT+
-TIjhGQ1NFGWwgtOV8UqU2tO4pYQ=
------END PUBLIC KEY-----
diff --git a/tests/data_files/ecdsa_secp256r1.crt b/tests/data_files/ecdsa_secp256r1.crt
deleted file mode 100644
index 634d24c..0000000
--- a/tests/data_files/ecdsa_secp256r1.crt
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBejCCAQACAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz
-MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjO
-PQMBBwNCAAR3cmVvgUs5knnV4fF4H6xvCZo8XKGw41NRg0sItl4LVyWQza+PdpNh
-vPNKz8EeXgdOhCa93gS+bmU5RUSWF95FMAoGCCqGSM49BAMDA2gAMGUCMA06tTwD
-M1t8Chka41h1JKu4d0RsGk0MoinT9MxTAE/61ScZh5lKspOKrcavJ0maUQIxAIuj
-rarmd8+OyftTRp6Wpwwfpskdb7nm44YX6eZu/Odjfq/RAdhIcn4P9QXtOgVrbw==
------END CERTIFICATE-----
diff --git a/tests/data_files/ecdsa_secp256r1.key b/tests/data_files/ecdsa_secp256r1.key
deleted file mode 100644
index e42dd4a..0000000
--- a/tests/data_files/ecdsa_secp256r1.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
-AwEHoUQDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1clkM2vj3aT
-YbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ecdsa_secp384r1.crt b/tests/data_files/ecdsa_secp384r1.crt
deleted file mode 100644
index ff986a7..0000000
--- a/tests/data_files/ecdsa_secp384r1.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBlzCCAR0CAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz
-MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwdjAQBgcqhkjOPQIBBgUrgQQA
-IgNiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9iKnHJMFmvmZaRxWgNK0TREVed
-sS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoSMX7VkU+Zm8SIuxMug0LMNvLK
-XjN5x0cwCgYIKoZIzj0EAwMDaAAwZQIwNypsq0ahwMM7aFSS+RSTloH1D1+gIztz
-Yq54Reth6gdh1IO5R5aNZi/YP3uVcI1mAjEAisjjz7vCeKwor+HCq9cBc2rzIlkY
-5O6q4SCSgkqiCTnyFIqCassED9NPqho3KYM1
------END CERTIFICATE-----
diff --git a/tests/data_files/ecdsa_secp384r1.key b/tests/data_files/ecdsa_secp384r1.key
deleted file mode 100644
index 7890759..0000000
--- a/tests/data_files/ecdsa_secp384r1.key
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDA/XY2b4oC1aWzFzJ+Uz4r35rYd1lkrKrKzpMYHRQQX7DJ9zcrtfBAF
-PXGaBXTwp2qgBwYFK4EEACKhZANiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9i
-KnHJMFmvmZaRxWgNK0TREVedsS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoS
-MX7VkU+Zm8SIuxMug0LMNvLKXjN5x0c=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/ecdsa_secp521r1.crt b/tests/data_files/ecdsa_secp521r1.crt
deleted file mode 100644
index a08850c..0000000
--- a/tests/data_files/ecdsa_secp521r1.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBvjCCAUMCAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz
-MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZswEAYHKoZIzj0CAQYFK4EE
-ACMDgYYABAAd4ULVT2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6
-Eo7BoFHT5sZD6Fraj/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFf
-H2fVtDTg/yOh/Afvd0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwTAKBggq
-hkjOPQQDAwNpADBmAjEAlC7039gDSgm9Ba8cCnZLWucXbtCbhRGSvVcoElYke/pu
-iwHkD1rVlnUmW3UKG587AjEAkIngapC9Hyc6MePmyafLYoLmbhDJMdR2DM4o+x8e
-2ZXUu7uLPTdWBDxmu6plRNis
------END CERTIFICATE-----
diff --git a/tests/data_files/ecdsa_secp521r1.key b/tests/data_files/ecdsa_secp521r1.key
deleted file mode 100644
index 144bb44..0000000
--- a/tests/data_files/ecdsa_secp521r1.key
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
-lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhgYkDgYYABAAd4ULV
-T2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6Eo7BoFHT5sZD6Fra
-j/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFfH2fVtDTg/yOh/Afv
-d0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/enco-ca-prstr.pem b/tests/data_files/enco-ca-prstr.pem
deleted file mode 100644
index 80e2aeb..0000000
--- a/tests/data_files/enco-ca-prstr.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICSjCCAbOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDEzdPcGVu
-VlBOIFdlYiBDQSAyMDExLjA0LjA1IDIwOjMzOjI3IFVUQyBhc2RlbW8ueW9uYW4u
-bmV0MB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlowQjFAMD4GA1UEAxM3
-T3BlblZQTiBXZWIgQ0EgMjAxMS4wNC4wNSAyMDozMzoyNyBVVEMgYXNkZW1vLnlv
-bmFuLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxziSxcP0cBAIa/gT
-NezzARyKJQ+VgjYeqh6WElUarPh7dTMLcFcznNmV8U1MRDfIvsSgP+RkPNPzyQJD
-PcN8W455qgmEroITNwq/hWm9KjVibLH+5KzgQrJBfHvknScUmywHa45DPT9sdjpG
-mhxwDSWdvAjHQPzYAjdi/33r/C0CAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
-HQ4EFgQUILPajoA0fsMvfl7M6EmikEJzPEQwHwYDVR0jBBgwFoAUILPajoA0fsMv
-fl7M6EmikEJzPEQwDQYJKoZIhvcNAQEFBQADgYEAGSIhSbecGUgKc7EuhkMMcAij
-clrZ8niK+UPvJ5jSM5TnbfwKXFlmeS6MHurjzM/D693wO6eMjxLpt8/+9/5aygGm
-WAOAa5MZ+5B8Pun8cNppSSPB1L1GtXzRWECCaGko73P/r92iQc3Yd64tJ3iR6WYZ
-wK2nf23jLgbWLCXHzoA=
------END CERTIFICATE-----
diff --git a/tests/data_files/enco-cert-utf8str.pem b/tests/data_files/enco-cert-utf8str.pem
deleted file mode 100644
index fb4947a..0000000
--- a/tests/data_files/enco-cert-utf8str.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHDCCAYWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMUAwPgYDVQQDDDdPcGVu
-VlBOIFdlYiBDQSAyMDExLjA0LjA1IDIwOjMzOjI3IFVUQyBhc2RlbW8ueW9uYW4u
-bmV0MB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlowFzEVMBMGA1UEAwwM
-ZHcueW9uYW4ubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHOJLFw/Rw
-EAhr+BM17PMBHIolD5WCNh6qHpYSVRqs+Ht1MwtwVzOc2ZXxTUxEN8i+xKA/5GQ8
-0/PJAkM9w3xbjnmqCYSughM3Cr+Fab0qNWJssf7krOBCskF8e+SdJxSbLAdrjkM9
-P2x2OkaaHHANJZ28CMdA/NgCN2L/fev8LQIDAQABo00wSzAJBgNVHRMEAjAAMB0G
-A1UdDgQWBBQgs9qOgDR+wy9+XszoSaKQQnM8RDAfBgNVHSMEGDAWgBQgs9qOgDR+
-wy9+XszoSaKQQnM8RDANBgkqhkiG9w0BAQUFAAOBgQCSqWP8WfM4tDzkqAe595w4
-erGt64AnMO/ZKZNXNMjMnuTtT5GRj2mMjtDuo8vCN3k1hNtb2KI66Fc9wasiQNkI
-2vwre8FnlctaB/riGUx6f6taV3lVaakB6wXKrO1x2ejT4vWO+1GQX2bWQ0Mg2znO
-zu1Gh3d+wrcqBAsFGnvcdA==
------END CERTIFICATE-----
diff --git a/tests/data_files/format_gen.key b/tests/data_files/format_gen.key
deleted file mode 100644
index 2047232..0000000
--- a/tests/data_files/format_gen.key
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMDRSzONESX4mSVT
-J69o3x9vQanXcPNviljcwKgkrXkFah6hQUAhW+4jQLxtGb+LU47gE321JGtGNb5L
-z1htjLULvc9SAplJ6OOcQUDhyFxI4o6FmUzorv49ytzH6x2IO7UOF44MyJIWGjG3
-4fohS8EQaQjkBYW7kwM/vCVT8Bl9AgMBAAECgYBTqj0cSEi5li41kOh2Z2XxiOAQ
-J0h+iNaaCmeaThfrnFrYoZXjktYF9cwANsLmZzlBlJ9Ae5oq5hMp2FFHCHn1z1U/
-BiE3yF2AXNslL0p8lMO4qGxmt2iYdE3Z8comfkyttUJ5k9thLQzU/NWATP8EZGng
-iTdEDFOW35cG26ccDQJBAPPoaiveAVN0JYxe2tYR8xb5qta89QGU6HDdTRiClap1
-5rfph5d30MQggqf1tBTiDRKOSk7uN39xwGbMzz11+NcCQQDKYHXWAsN3QlmFQKTX
-nm4G5xpl57P9U25wSC+NYOmFEieomD7YlbaBKBc0V5JNj2IqUt0EvXNh3LA5czd9
-3pHLAkAioVgZvF6h07bVFE6r4EaMd4xbCt8ah2LtS2570WagmjbU2/JlfhyFDDyg
-zlDwOhwzC0LfrBDzJlpz/hZamppnAkBswjIRdSK+sLWTWw47ojTXGNOi+EZOWcv8
-I48Kl45nqT4O6OK9WpfeCUGPK5DAhdHnlOiaZ4Xejc9W0Ih96GLJAkBOzJE8nUU5
-giUjLAxJoYepKlWh5tZsNDoGFg46+bHn9l1O6fX7tau0+jEz4tC6aA8R3HtUOrYv
-hJ61gH8x3U5J
------END PRIVATE KEY-----
diff --git a/tests/data_files/format_gen.pub b/tests/data_files/format_gen.pub
deleted file mode 100644
index 81a7ab3..0000000
--- a/tests/data_files/format_gen.pub
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA0UszjREl+JklUyevaN8fb0Gp
-13Dzb4pY3MCoJK15BWoeoUFAIVvuI0C8bRm/i1OO4BN9tSRrRjW+S89YbYy1C73P
-UgKZSejjnEFA4chcSOKOhZlM6K7+Pcrcx+sdiDu1DheODMiSFhoxt+H6IUvBEGkI
-5AWFu5MDP7wlU/AZfQIDAQAB
------END PUBLIC KEY-----
diff --git a/tests/data_files/format_pkcs12.fmt b/tests/data_files/format_pkcs12.fmt
deleted file mode 100644
index 296d599..0000000
--- a/tests/data_files/format_pkcs12.fmt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/format_rsa.key b/tests/data_files/format_rsa.key
deleted file mode 100644
index 0c8cb57..0000000
--- a/tests/data_files/format_rsa.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQDA0UszjREl+JklUyevaN8fb0Gp13Dzb4pY3MCoJK15BWoeoUFA
-IVvuI0C8bRm/i1OO4BN9tSRrRjW+S89YbYy1C73PUgKZSejjnEFA4chcSOKOhZlM
-6K7+Pcrcx+sdiDu1DheODMiSFhoxt+H6IUvBEGkI5AWFu5MDP7wlU/AZfQIDAQAB
-AoGAU6o9HEhIuZYuNZDodmdl8YjgECdIfojWmgpnmk4X65xa2KGV45LWBfXMADbC
-5mc5QZSfQHuaKuYTKdhRRwh59c9VPwYhN8hdgFzbJS9KfJTDuKhsZrdomHRN2fHK
-Jn5MrbVCeZPbYS0M1PzVgEz/BGRp4Ik3RAxTlt+XBtunHA0CQQDz6Gor3gFTdCWM
-XtrWEfMW+arWvPUBlOhw3U0YgpWqdea36YeXd9DEIIKn9bQU4g0SjkpO7jd/ccBm
-zM89dfjXAkEAymB11gLDd0JZhUCk155uBucaZeez/VNucEgvjWDphRInqJg+2JW2
-gSgXNFeSTY9iKlLdBL1zYdywOXM3fd6RywJAIqFYGbxeodO21RROq+BGjHeMWwrf
-Godi7Utue9FmoJo21NvyZX4chQw8oM5Q8DocMwtC36wQ8yZac/4WWpqaZwJAbMIy
-EXUivrC1k1sOO6I01xjTovhGTlnL/COPCpeOZ6k+DujivVqX3glBjyuQwIXR55To
-mmeF3o3PVtCIfehiyQJATsyRPJ1FOYIlIywMSaGHqSpVoebWbDQ6BhYOOvmx5/Zd
-Tun1+7WrtPoxM+LQumgPEdx7VDq2L4SetYB/Md1OSQ==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/hash_file_1 b/tests/data_files/hash_file_1
deleted file mode 100644
index 681fad2..0000000
--- a/tests/data_files/hash_file_1
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/hash_file_2 b/tests/data_files/hash_file_2
deleted file mode 100644
index cc44eac..0000000
--- a/tests/data_files/hash_file_2
+++ /dev/null
@@ -1,2 +0,0 @@
-'|'DW~J>UN *X"Qdi!q4],0V)oj~ mGwP j$ N4 ܔF>5/41z|-ۍ h*hA~
-f0 -/b2ȵ \ No newline at end of file
diff --git a/tests/data_files/hash_file_3 b/tests/data_files/hash_file_3
deleted file mode 100644
index 58bb0ba..0000000
--- a/tests/data_files/hash_file_3
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/hash_file_5 b/tests/data_files/hash_file_5
deleted file mode 100644
index de1fbf0..0000000
--- a/tests/data_files/hash_file_5
+++ /dev/null
@@ -1 +0,0 @@
-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a \ No newline at end of file
diff --git a/tests/data_files/keyUsage.decipherOnly.crt b/tests/data_files/keyUsage.decipherOnly.crt
deleted file mode 100644
index 7c37978..0000000
--- a/tests/data_files/keyUsage.decipherOnly.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICFzCCAYCgAwIBAgIJAJsTzkylb95SMA0GCSqGSIb3DQEBBQUAMD8xCzAJBgNV
-BAYTAkdCMRIwEAYDVQQHDAlDYW1icmlkZ2UxHDAaBgNVBAoME0RlZmF1bHQgQ29t
-cGFueSBMdGQwHhcNMTUwNTEyMTAzNjU1WhcNMTgwNTExMTAzNjU1WjA/MQswCQYD
-VQQGEwJHQjESMBAGA1UEBwwJQ2FtYnJpZGdlMRwwGgYDVQQKDBNEZWZhdWx0IENv
-bXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9nxYOSbha/Ap4
-6rACrOMH7zfDD+0ZEHhbO0bgGRjc5ElvOaNuD321y9TnyAx+JrqPp/lFrAgNiVo1
-HPurPHfcJ+tNBUgBHboWGNENNaf9ovwFPawsBzEZraGnDaqVPEFcIsUQPVqO1lrQ
-CHLUjtqo1hMZDqe/Web0Mw9cZrqOaQIDAQABoxswGTAJBgNVHRMEAjAAMAwGA1Ud
-DwQFAwMH4IAwDQYJKoZIhvcNAQEFBQADgYEAJ0NS2wUbgRelK0qKxrR2Ts6jVYEH
-bmykx3GHjFyKpscDIn2vNyyB7ygfFglZPcw+2mn3xuVIwOV/mWxFvKHk+j2WrTQL
-tDqSC5BhFoR01veFu07JdEYvz+I+NCL5z0IGWXkUrk235Wl4w4WMZDnXTqncMNEk
-fLtpo9y79XD00QY=
------END CERTIFICATE-----
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux
deleted file mode 100644
index 967f8f5..0000000
--- a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv
deleted file mode 100644
index ab1b23f..0000000
--- a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub b/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub
deleted file mode 100644
index 5397d60..0000000
--- a/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
deleted file mode 100644
index db85e01..0000000
--- a/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
deleted file mode 100644
index 6e827ce..0000000
--- a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub b/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub
deleted file mode 100644
index 652c089..0000000
--- a/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/mpi_16 b/tests/data_files/mpi_16
deleted file mode 100644
index 04335d9..0000000
--- a/tests/data_files/mpi_16
+++ /dev/null
@@ -1 +0,0 @@
-label_1234567890=1f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09
diff --git a/tests/data_files/mpi_too_big b/tests/data_files/mpi_too_big
deleted file mode 100644
index ca62352..0000000
--- a/tests/data_files/mpi_too_big
+++ /dev/null
@@ -1 +0,0 @@
-label_1234567890=10907481356194159294629842447337828624482641619962326924318327861897213318491192952162642345252019872239572917961570252731098708201771840636109797650775547990789062988421929895386098252280482051596968516135916381967718865426093245601212905539018863010179002525357999172000100796000265358368009052978058809523505016301954756539110053123645600148474260352935512458439289187527686962793440880556175156943499454066778251408149006161059202564385045780133264935658360472424073824428122451315177575191648992263657437224322773680750276278830452065017927617009456991684972578796838517370499969009611205156550501155612714914925153421057489666295470327863215057308284302216649703243961386352516264095161680054276234359963089216914461811874063953106654048857394348328774281674074953709935118687563599703901170218236167494586209698570062636120827067154081570665751372810270223109275649102767591605208783046324110493645687549209673229824591847634273837902724484380185269777649410727156115804346908274593399919614142427414105991174260605564837637563145276113626586283833686211579936380208785376755453367899156942344339556663150700872135354702556703120041307254958345083574396538289360770809785505789129679073527800549356215610907958451729541159729274798775277385600082041185589300047777487277618538135104938405818615986522116059603083564059418211897140378687262194814987276036536162988561748224130334854387853240247514194171830122810782097293035373728045743720952287036227763639452908698062584223551485075710396193874496298668081887696628157781530793931790931436483407617385818195630029944227907549550612888183084300796486932321791587659180355652161571154029921202761556078731079374774668415283629877086994501520312318625942030856938389446570613462367042340268211029589549511970870765461866227962945364516207565093510189060237738215395327762086769785897319663303088933046651694361850783506415683369445300514374913112988343672652385954049042734559287239495252271846174043678547546104743770197680255
76605881038077270707717942221977090385438585844095492116099852538903974655703943973086090930596963360767529964938414598185705963754561497355827813623833288906309004288017321424808663962671333528009232758350873059614118723781422101460198615747386855096896089189180441339558524822867541113212638793675567650340362970031930023397828465318547238244232028015189689660418822976000815437610652254270163595650875433851147123214227266605403581781469090806576468950587661997186505665475715792896
diff --git a/tests/data_files/parse_input/bitstring-in-dn.pem b/tests/data_files/parse_input/bitstring-in-dn.pem
deleted file mode 100644
index c50bd66..0000000
--- a/tests/data_files/parse_input/bitstring-in-dn.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEATCCAumgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBxMRMwEQYDVQQDDApUZXN0
-IENBIDAxMREwDwYDVQQIDAhFY25pdm9ycDELMAkGA1UEBhMCWFgxHjAcBgkqhkiG
-9w0BCQEWD3RjYUBleGFtcGxlLmNvbTEaMBgGA1UECgwRVGVzdCBDQSBBdXRob3Jp
-dHkwHhcNMTUwMzExMTIwNjUxWhcNMjUwMzA4MTIwNjUxWjCBmzELMAkGA1UEBhMC
-WFgxDDAKBgNVBAoMA3RjYTERMA8GA1UECAwIRWNuaXZvcnAxDDAKBgNVBAsMA1RD
-QTEPMA0GA1UEAwwGQ2xpZW50MSEwHwYJKoZIhvcNAQkBFhJjbGllbnRAZXhhbXBs
-ZS5jb20xEzARBgNVBAUTCjcxMDEwMTIyNTUxFDASBgNVBC0DCwA3MTAxMDEyMjU1
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnQS0JLb8Dqy8V2mszkWk
-V8c/NPQcG3ivueXZHqOT9JTiPqrigGcLHtlmlaJ0aUUxix7q60aOds041TFyeknT
-SUFYY4ppOhiP+fOpWKPv4ZMwhSI2XzcgYhQSNHV0lIG1we9RAAfumomDMq7oMJhb
-EGf0ihibbwZXPUwBlm10GaB4K93PNY8Bz4ekBxzQ1WJkQ5LGsQnVZSuLnvp5dWSe
-J2axxyY4hPXR30jzEyZvy4kv4nzAu5lqZ5XKLrRO4TKwZrtr+CCPVkPJRE36rWYt
-tQaJEEpNOo0ZPpTtG6F8/tGh5r8jFx/f6wG+nyANJJ98kEP8i6TPjRrg+697mLcd
-iQIDAQABo3kwdzAJBgNVHRMEAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9j
-cmwuZXhhbXBsZS5jb20vdGVzdF9jYV8wMS5jcmwwEwYDVR0lBAwwCgYIKwYBBQUH
-AwIwHQYDVR0RBBYwFIESY2xpZW50QGV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUA
-A4IBAQBySELCnU8/PtGIG3dwhJENOSU5R7w8jpRXxHCuSBR+W6nuUCISz+z+EdF/
-A7AOJDASuS+4gkrSSmQhGFpf7E5VbF8trVZhLAZrXqKMcUreKH6v0I8MAUXmIs3G
-tqiBGf7pSYJN9DvVOOgANjdy6THuUzYv5qSvBZ4pNYEfHSlMNrV7niynd8dgPOML
-pA7GUfv5k2mMkMbSD15pTMgcavrBKYgyqcvF1C3qghfoL5+i38H8sKzF8hy7wHtE
-ESHtBq20RYA3m0UcA0e64GcanO2Ps/AQVBc7qMeHbqnqj3uUhtTkQcMUWnMgy1NR
-5RbzoLMOxq7hoOCyIaQeM/wgxeGE
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAnQS0JLb8Dqy8V2mszkWkV8c/NPQcG3ivueXZHqOT9JTiPqri
-gGcLHtlmlaJ0aUUxix7q60aOds041TFyeknTSUFYY4ppOhiP+fOpWKPv4ZMwhSI2
-XzcgYhQSNHV0lIG1we9RAAfumomDMq7oMJhbEGf0ihibbwZXPUwBlm10GaB4K93P
-NY8Bz4ekBxzQ1WJkQ5LGsQnVZSuLnvp5dWSeJ2axxyY4hPXR30jzEyZvy4kv4nzA
-u5lqZ5XKLrRO4TKwZrtr+CCPVkPJRE36rWYttQaJEEpNOo0ZPpTtG6F8/tGh5r8j
-Fx/f6wG+nyANJJ98kEP8i6TPjRrg+697mLcdiQIDAQABAoIBAF7i3MnjGmbz080v
-OxJb23iAG54wdlvTjr3UPGTbjSmcXyxnsADQRFQcJHYAekCzY8EiqewL80OvuMx8
-2SU1P81hA70Dg5tsBHWT3Z6HUwsKG6QYjKr1cUhTwLyazhyAVgogSN6v7GzO9M3I
-DOBw8Xb0mz5oqGVre4S7TapN8n8ZG5oWm0XKGACXy0KbzY0KvWdkUzumFQ8X/ARE
-FsWyu+O69EbMqZRUKu45SrcubsdVGjOwseZHkmp5V6pc6Q/OrTHZqXJtDva5UIRq
-+Lof5scy9jiwwRnM/klvh23mz0ySU4YA3645m5KqyWR4YJCR1MnMANmXUSeYWfYz
-19+R1gECgYEAzm83lI7eIhTH38H0/jFpf3R7vNjPX3TR5waa4EXsCxhTOpoL89mR
-iNmzH0aOC4OR8rz/9PCnwmtH1lyQ4r/RokBmCp3pBxeWSlenFfV3rLCeEDo0Q/OL
-SX5DL4IbZD0VmNDt606WS7AEv93GhpN03Anw6kgHQUm1l030PR9DYZECgYEAwrgO
-/RyB/Ehw7smlysZb2sn1lvd6z8fg+pcu8ZNRKODaYCCOb8p1lnHrnIQdEmjhlmVp
-HAEuJ5jxCb+lyruV+dlx+0W/p6lHtKr0iBHG8EFkHnjN6Y+59Qu0HfSm0pZw7Ftr
-QcUDPuDJkTVUAvrZqciWlwzTWCC9KYXtasT+AHkCgYEAnP80dAUbpyvKvr/RxShr
-JYW/PWZegChmIp+BViOXWvDLC3xwrqm+5yc59QVBrjwH2WYn+26zB0dzwPFxNyHP
-GuiDMnvZ54zmve9foXGn7Gv+KjU53pvwSJqAGjeHAXr7W9c5uoVwBGv/kLPn8h1e
-+KGO2X6iFeMq+cFNiNan9iECgYBj+oGnsKWFVeS2ls8LyMGNGzmAZF2opiZ8RHgU
-DeIULS+zP8Qi3j92GdQyLxuGQlfiEvvfJzP9nOfWa5LC/4JIIUAHFo8LlT1+JHEe
-FJKi9dBkXP7NN8DxcyruXpnxctFUarQttuytslmMt2cFiKuOI7I+qJUzoMu/sEZx
-FeidcQKBgQCuralmtbl4nxjn3aR/ZgFTAKCL9WaJPh5hFJ9q4UuWxJdBX5z3Ey3/
-70ehLKYPumjmZtXynzz4BTWj1W9X+tgj/499uzV6LdQERGjT6WVy8xR9RELWW0an
-N9N1IAc4qTSjbI4EIMwMBSAoFfCux/jfDkG4g+RDnpV92sqxz2CtKg==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/parse_input/cert_example_multi.crt b/tests/data_files/parse_input/cert_example_multi.crt
deleted file mode 100644
index 0e3295d..0000000
--- a/tests/data_files/parse_input/cert_example_multi.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICojCCAYqgAwIBAgIBETANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwNzEwMTEyNzUyWhcNMjkwNzEwMTEyNzUyWjA6MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEAxziSxcP0cBAIa/gTNezzARyKJQ+VgjYeqh6W
-ElUarPh7dTMLcFcznNmV8U1MRDfIvsSgP+RkPNPzyQJDPcN8W455qgmEroITNwq/
-hWm9KjVibLH+5KzgQrJBfHvknScUmywHa45DPT9sdjpGmhxwDSWdvAjHQPzYAjdi
-/33r/C0CAwEAAaM2MDQwMgYDVR0RBCswKYILZXhhbXBsZS5jb22CC2V4YW1wbGUu
-bmV0gg0qLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCJbFizurHz804x
-6NbsvsPPgLcESq0OcGOEXOCOe8seZqomhSYTXtHBzrFtRp2/gmtORq2oapoDDiq+
-I+xRLJYsUBut2NdkZmEIRSW4n4sXJwqb0fXTTkd7EAXBvGNWbERab5Sbf84oqd4t
-yjjz2u+Hvx8hZCHJG2V9qg3zaw5zJT1AfAsMbjXqi8CfU7U+Fcor+O3GeuUVgpJC
-QCXb2Qjj3ZmrCvGZA9x59XtnEN6m2O4pWkmqR/Z7MlQrZzQ80vcQMk9+qoKIr2EJ
-RcJhAtE+dLV19IlccwsDlGx5kT5N5zSYLK9nARV1/AjK48bUxGH353A1Y2MCfy0E
-dXDReJa1
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_example_multi_nocn.crt b/tests/data_files/parse_input/cert_example_multi_nocn.crt
deleted file mode 100644
index 1634846..0000000
--- a/tests/data_files/parse_input/cert_example_multi_nocn.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAWagAwIBAgIJAPfGf/jpqWP5MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV
-BAYTAk5MMB4XDTE0MDEyMjEwMDQzM1oXDTI0MDEyMjEwMDQzM1owDTELMAkGA1UE
-BhMCTkwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2pt
-WZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNz
-UnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ
-81kybdHg6G3eUu1mtKkL2kCVAgMBAAGjZTBjMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMEkGA1UdEQRCMECCHHd3dy5zaG90b2thbi1icmF1bnNjaHdlaWcuZGWCFHd3
-dy5tYXNzaW1vLWFiYXRlLmV1hwTAqAEBhwTAqEWQMA0GCSqGSIb3DQEBBQUAA4GB
-ABjx1ytrqCyFC5/0cjWnbLK9vsvLny2ZikDewfRxqJ5zAxGWLqHOr1SmUmu2DrvB
-bkT9g5z19+iMhPnzJz1x7Q2m7WTIJTuUPK+hKZJATDLNhZ86h5Nkw8k9YzKcOrPm
-EIqsy55CSgLU0ntljqSBvSb4ifrF1NnIWej2lSfN6r+3
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_md5.crt b/tests/data_files/parse_input/cert_md5.crt
deleted file mode 100644
index e514fd6..0000000
--- a/tests/data_files/parse_input/cert_md5.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
-M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
-1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
-MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
-4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
-/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC
-AQEAF4QcMshVtVbYgvvU7f2lWakubbAISM/k+FW/f7u63m0MSSoSFeYflBOC1Wf4
-imgDEnWcWTH5V7sxsLNogxfpfTuFUaKfHeQmRhAK4UgqbDEs4dZvgo3wZ/w92G0/
-QNntJefnqaFiITXZTn6J8hxeoEq4QbucbWgeY6fTAwXtIv40BvMOSakkuIFAyIvV
-90VY1j4vnx0/xv5lIBAxah1HdtXhqtDu/sUfdCtWX5SCcVUwwM3gZ4Q1ZdWQmlvF
-737ZG7XaINxsDaI04sJxc7qvuRYhLdCwUPnZL5TGEQJ8jNa/39eEbnkvs7hbTU98
-6qG8UAYsSI7aMe1j7DZpkoPL9w==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha1.crt b/tests/data_files/parse_input/cert_sha1.crt
deleted file mode 100644
index 1e23585..0000000
--- a/tests/data_files/parse_input/cert_sha1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIBBzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGzAZBgNVBAMMElBvbGFyU1NMIENlcnQgU0hBMTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J
-v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB
-Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl
-XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk
-65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP
-cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw
-HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD
-ggEBAFAHuWfjOp+GaM5dP3NBaUayXmjbrsY5fo/ysfOVV9xipzbPWvE2Bu679iU1
-Eg+5hME9VlMmQejGzG09ReXE+30gyhtO3vWA8U21YrsL3ybvS6EREHGKk238bIBh
-yDP/b0VuoNsS3xRn9WyH3TRu5re0vK68OSkLIWPd01fgvcfl6YyUY+WuuSrpYcDv
-nrgKvFZws/EE4RNldtRC1Blwy497AtmWBQWs65zj5JkNdNnm4JJqXZAArNh2GSZo
-83C/1ZSFrNo9GONsCJ0GVGEt7IK7FPqXYW7rXi30BRse33ziU7RPWGDT13bh9Rdz
-RqsoZ5h5VjtHOnMUUD99gIWinBE=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha224.crt b/tests/data_files/parse_input/cert_sha224.crt
deleted file mode 100644
index c8a209d..0000000
--- a/tests/data_files/parse_input/cert_sha224.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCDANBgkqhkiG9w0BAQ4FADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjI0MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ4F
-AAOCAQEATdo7p7dok8gcxS0dYGluXMOsAEALyHAgvAJSZUt0x8RxemJfpquv4XG/
-rppQmtA5aPf59Fo0z5GcS0zzYFLTQIcLHKnuuG0W6yjhx3e+5J1hjLbv///vvKGN
-jq55z+CANkragMk6XQ/t+iXkh/Fq00FS+zbf1JLaMXOLst5dfv3uPQaJHwzX/EaE
-VdognXxWudNQgIvemindk9TTQon27zBS/z6nwcBCIXMDfesAjcHuBCfxl6pofK6E
-28qs4up/JayptG2CX98LGsEyAgegwTMSYGLJoWcHhrUcbF0fNOcXPgQKGTcZO4Tg
-yPYGbkG9FjgaASc2gTrYVPRZ6mY19g==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha256.crt b/tests/data_files/parse_input/cert_sha256.crt
deleted file mode 100644
index e56d428..0000000
--- a/tests/data_files/parse_input/cert_sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjU2MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsF
-AAOCAQEAuo8kRDdQj3+rgqbz7bS3ZfBVCqgbQfruRZncP0s3IQJ6g7k6BNfCTO+N
-tIgnCDhnhjK9DS4l1LTkQJKfcd6sfuwBxjHKWGZUqTqHWFm/O5MJwfMpxI305xXE
-evDzh8LK1W3moX5OcT4bx3QsY9I4nqXQkOzjGidxhOXYA2v+X5OhRt3IJ2dzmQQu
-BVXnDbzuchUfP5aeCwW6l7VX+RJOE2zlqO5yt0ejT02E44qtC5sBf24V9ko5LORw
-1J7Zk34QwsKrSPSGxOuoWNwH3fJpgZQImKgJIQCsksJ+A45CK6iz0km8oTiI3Hoo
-2LpE6UNx2M8jiZWVzH1L4tkg4fcCoQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha384.crt b/tests/data_files/parse_input/cert_sha384.crt
deleted file mode 100644
index f8ec10b..0000000
--- a/tests/data_files/parse_input/cert_sha384.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCjANBgkqhkiG9w0BAQwFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMzg0MIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQwF
-AAOCAQEAeyHm+emo4/QHqEVKj/MYPOsPrrcr5MupNE7WmoUA7SilVUlceIy8ApWR
-MUdwnh7UPkCa6K1yvayknEbHzD2Lv9BLEf5A1/a+F/LmFXiV0kXIFue13u+z7laV
-N/s/jphPVgjPwZiC1ZtOoD7WvSkIInB53j4Q3VCH6EpZxZuDO/u8CGBQ0g+9Eqhn
-W3+4GFnxUPYeN17u/opt16mEPx6WFbRl9hs5wUvND/FCDEJ/9uVNiVYlPYyHKzzq
-e3WXCHLYUKGESQX+85IrnmlwbAb33bM+sAM6naFafXTZEimeEpX3iYrHzhoU7aR7
-piojwAE+Yb3Ac+Hu1fY4CRO4ZHL6Zg==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha512.crt b/tests/data_files/parse_input/cert_sha512.crt
deleted file mode 100644
index b2254fa..0000000
--- a/tests/data_files/parse_input/cert_sha512.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIBCzANBgkqhkiG9w0BAQ0FADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBNTEyMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
-Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
-1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
-gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
-LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
-pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
-AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
-pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ0F
-AAOCAQEABnuq7gMU6EWqcmEcj2/wiqOFUBeH9ro0tni9JZzaDAKkBMwoeJ3RP/59
-wY92UZC/SoWPm0yLK25KTwxJhd645a5ZeRk+yi1SG+oXNgZFS03F1Orat0bM5u94
-RtzLRInGzTxhlVS8HPRya2+nEaPT9YNO25vORczPDjtrI82UnysaWiKx1OCPhdP3
-ZySAkX/zE1U8Te0+948C0vmg2aTWCSk5zutryFgHH5UojmmWAkBHpX3tIm8JMRG9
-tvp6fbIDan0LmSsVK8rq5OPSwAKMso6GF4Iuxou/jP2gI+NutenX26wrffSjlPiW
-KksLNj8oL6vIUap28Oh+Gwph02biSQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der b/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der
deleted file mode 100644
index c40ba2a..0000000
--- a/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/crl-ec-sha1.pem b/tests/data_files/parse_input/crl-ec-sha1.pem
deleted file mode 100644
index 8358640..0000000
--- a/tests/data_files/parse_input/crl-ec-sha1.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ
-b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz
-MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G
-A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
-TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg
-Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW
-svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm
-56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-ec-sha224.pem b/tests/data_files/parse_input/crl-ec-sha224.pem
deleted file mode 100644
index 9131f10..0000000
--- a/tests/data_files/parse_input/crl-ec-sha224.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcDCB9wIBATAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwEDaAAwZQIwbn+i0dOest0IJGzuqBLA
-V5nscZPvHjDV6lWsSwurS4LC/Uv/qWteuMCp3OqQRJHcAjEA6KA0dibovfL1WKFo
-C8jUGxlMfHeWDRkqMfcjjgIpky7v50sKtDOfmFJn3HFUbiKp
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-ec-sha256.pem b/tests/data_files/parse_input/crl-ec-sha256.pem
deleted file mode 100644
index adfd5f8..0000000
--- a/tests/data_files/parse_input/crl-ec-sha256.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-ec-sha384.pem b/tests/data_files/parse_input/crl-ec-sha384.pem
deleted file mode 100644
index b757abb..0000000
--- a/tests/data_files/parse_input/crl-ec-sha384.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcDCB9wIBATAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwMDaAAwZQIwateJaD13+Yi4HWBIlOov
-8ZDsvnfQfW/R0A1s2ZccAi+byurShuNGiSvsFSh5d/6QAjEA427F8bNk/fdj5YXu
-Oo1qEd7WpD2dNUb0draGSIcJGBRGzi5it14UXr9cR4S5eJ6Q
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-ec-sha512.pem b/tests/data_files/parse_input/crl-ec-sha512.pem
deleted file mode 100644
index f7c9402..0000000
--- a/tests/data_files/parse_input/crl-ec-sha512.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwQDaQAwZgIxAL/VFrDIYUECsS0rVpAy
-6zt/CqeAZ1sa/l5LTaG1XW286n2Kibipr6EpkYZNYIQILgIxAI0wb3Py1DHPWpYf
-/BFBH7C3KYq+nWTrLeEnhrjU1LzG/CiQ8lnuskya6lw/P3lJ/A==
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-idp.pem b/tests/data_files/parse_input/crl-idp.pem
deleted file mode 100644
index a229e7d..0000000
--- a/tests/data_files/parse_input/crl-idp.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBszCBnAIBATANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-ChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTE4MDMxNDA3
-MzE0OFoXDTI4MDMxNDA3MzE0OFqgLTArMCkGA1UdHAEB/wQfMB2gG6AZhhdodHRw
-Oi8vcGtpLmV4YW1wbGUuY29tLzANBgkqhkiG9w0BAQsFAAOCAQEAs/vp1Ybq9Lj/
-YM+O2uBqhRNdt494GYSYcZcltbQDwLgDwsFQ9S+q5zBtanhxiF3C6dyDoWS6xyY3
-dkdO9kK2YAQLNaFBCsKRrI9vGKuF5/1uIr0a8cQcqVzyRI9uK0KgGEk9/APGtqob
-nj/nt2ryGC+yEh20FmvwFn1vN5xaWK3uUIJCNDTZe+KQn150iAU/mWZG2xDdSXgm
-JtpTrY6toBgTwDGyus2wIDvAF6rBc1lRoR0BPuTR1fcUPMvr8jceZqG+xuH+vmkU
-j1B4Tu+K27ZmZMlhltfgwLzcgH9Ee1TgWPN2QqMzeZW/vNMyIIvWAWk2cFyCJj6r
-16/9upL64w==
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-idpnc.pem b/tests/data_files/parse_input/crl-idpnc.pem
deleted file mode 100644
index 0ebe480..0000000
--- a/tests/data_files/parse_input/crl-idpnc.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBsDCBmQIBATANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-ChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTE4MDMxNDEx
-MTQzNloXDTI4MDMxNDExMTQzNlqgKjAoMCYGA1UdHAQfMB2gG6AZhhdodHRwOi8v
-cGtpLmV4YW1wbGUuY29tLzANBgkqhkiG9w0BAQsFAAOCAQEACsszsNwAMkmUrbti
-H1wpWN3LIb32MTZkBWZeFWWQ1MyzSFslgnOcu6tesJuTQJVJMGCSXZv7jkVHeeiK
-x+BAoHCrR2aRVPbmiaP43Qp/dFOOfHVMM/VVWmuEYuCQaCAeVLQgGbgAYHE9aHQN
-vBg8m7NJ95av2svLHMFIhirZlKWsAXM+aCyzoudEIhrP4Ppwt01SCtDl5gyg1Gkd
-B3wuOckjTk0xwXdlOSMH9o0SD2fkc41AFDqOZTK2NTQzNChDNFbKXl8sr9SavJCm
-k72l7wNJs6UOEhQMygyXEvqp8JbIi9JI+3TD4z4wUt0EnPkw0U48grLXFhjwBLWi
-cxyjQQ==
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem b/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem
deleted file mode 100644
index 9eae3da..0000000
--- a/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN X509 CRL-----
-MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ
-b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz
-MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G
-A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
-TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg
-Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW
-svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm
-56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U=
------END X509 CRL-----
------BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
-BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwQDaQAwZgIxAL/VFrDIYUECsS0rVpAy
-6zt/CqeAZ1sa/l5LTaG1XW286n2Kibipr6EpkYZNYIQILgIxAI0wb3Py1DHPWpYf
-/BFBH7C3KYq+nWTrLeEnhrjU1LzG/CiQ8lnuskya6lw/P3lJ/A==
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha1.pem b/tests/data_files/parse_input/crl-rsa-pss-sha1.pem
deleted file mode 100644
index 59ca4f7..0000000
--- a/tests/data_files/parse_input/crl-rsa-pss-sha1.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN X509 CRL-----
-MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x
-NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4
-WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5
-1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM
-MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC
-AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS
-4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0
-MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo
-mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O
-7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa
-y6li0JzWNHtkKUlCv2+SESZbD3NU8GQZ
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha224.pem b/tests/data_files/parse_input/crl-rsa-pss-sha224.pem
deleted file mode 100644
index a51d5d9..0000000
--- a/tests/data_files/parse_input/crl-rsa-pss-sha224.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgShGjAYBgkq
-hkiG9w0BAQgwCwYJYIZIAWUDBAIEogQCAgDiMDsxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
-MTM1NjA2WhcNMjQwMTE4MTM1NjA2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
-FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
-PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
-A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
-SAFlAwQCBKEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBAEJI
-i9sQOzMvvOTksN48+X+kk/wkLMKRGI222lqU6y6tP1LX3OE/+KN8gPXR+lCC+e0v
-TsRTJkpKEcmHZoP/8kOtZnLb9PdITKGMQnZ+dmn5MFEzZI/zyrYWuJTuK1Q83w0e
-Mc88cAhu8i4PTk/WnsWDphK1Q2YRupmmwWSUpp1Z2rpR+YSCedC01TVrtSUJUBw9
-NSqKDhyWYJIbS6/bFaERswC8xlMRhyLHUvikjmAK36TbIdhTnEffHOPW75sEOEEB
-f0A3VtlZ7y5yt2/a6vOauJCivxKt/PutdHfBqH43QQmoVLWC2FmT9ADTJwcsZB3D
-a6JSqCIMRCQY2JOUn0A=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha256.pem b/tests/data_files/parse_input/crl-rsa-pss-sha256.pem
deleted file mode 100644
index f16a491..0000000
--- a/tests/data_files/parse_input/crl-rsa-pss-sha256.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgGhGjAYBgkq
-hkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeMDsxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
-MTM1NjE2WhcNMjQwMTE4MTM1NjE2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
-FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
-PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
-A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
-SAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAEZ4
-oqp9i5eXrN6aCSTaU1j07MVTFW/U1jQAq6GseB6bEvoEXFMUHJsgAObqCK9flfEC
-FEqXqWSo33hhPU7AKKttbDLjUYRNnQAPRUnRIl1/a1+UjqgKchWWD9ityeW8ICxo
-IdATX9reYmPDLIMqTC7zuflYkvrvdEOuBORQP5mn4j8t84MSQF/p4qzaU0XxLo4X
-ckzZCcHpa45AApCDjJMd9onhFVCYsykiYrF9NQFO8TI4lQ5jv79GoufEzvhY1SPB
-r1xz4sMpfyaoPaa3SM2/nD65E5jzXell2u2VWNGKv4zAQP0E5yGel+1rklBltadb
-XLdJyyak33CLBKu+nJc=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha384.pem b/tests/data_files/parse_input/crl-rsa-pss-sha384.pem
deleted file mode 100644
index 50f7e4c..0000000
--- a/tests/data_files/parse_input/crl-rsa-pss-sha384.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAYBgkq
-hkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgDOMDsxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
-MTM1NjI4WhcNMjQwMTE4MTM1NjI4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
-FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
-PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
-A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
-SAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBAAco
-SntUGDLBOAu0IIZaVea5Nt1NMsMcppC0hWPuH1LKAwyUODBqpT+0+AuALK0eIdYR
-a7mAB+cv2fFwmwxnQWJ1Fvx4ft/N2AAfB83VRKpSo3xR8bxloHfTWKmyxJHmH9j1
-EYmLS86rj3Nhjf4m/YlQQ3Im5HwOgSgBOE8glq5D+0Wmsi9LsNEZXEzMw7TMUgbs
-y9o/ghYF/shKU4mewK3DeM9gQiTcH5A4ISXR87hBQ08AKJRAG1CLvTyzqWiUUY+k
-q8iZDYF17sHrPi2yn8q9c4zdxiaWDGDdL0Lh90wXGTAageoGEq25TMuL5FpX+u1u
-KUH/xf1jEnNzbYNGiZw=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha512.pem b/tests/data_files/parse_input/crl-rsa-pss-sha512.pem
deleted file mode 100644
index 0f1d651..0000000
--- a/tests/data_files/parse_input/crl-rsa-pss-sha512.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgOhGjAYBgkq
-hkiG9w0BAQgwCwYJYIZIAWUDBAIDogQCAgC+MDsxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
-MTM1NjM4WhcNMjQwMTE4MTM1NjM4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
-FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
-PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
-A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
-SAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBAB9F
-ywBfxOjetxNbCFhOYoPY2jvFCFVdlowMGuxEhX/LktqiBXqRc2r5naQSzuHqO8Iq
-1zACtiDLri0CvgSHlravBNeY4c2wj//ueFE89tY5pK9E6vZp7cV+RfMx2YfGPAA2
-t7tWZ2rJWzELg8cZ8hpjSwFH7JmgJzjE5gi2gADhBYO6Vv5S3SOgqNjiN1OM31AU
-p6GHK5Y1jurF5Zwzs+w3wXoXgpOxxwEC4eiS86c9kNSudwTLvDTU0bYEQE1cF+K0
-sB8QWABFJfuO5kjD2w3rWgmAiOKsZoxd1xrda+WD3JhDXnoVq3oVBIVlWVz6YID8
-enMfMvwScA5AImzu9xA=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_expired.pem b/tests/data_files/parse_input/crl_expired.pem
deleted file mode 100644
index cf60ae4..0000000
--- a/tests/data_files/parse_input/crl_expired.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjQx
-OVoXDTExMDIyMDExMjQxOVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKgP1XmCIPbfY1/UO+SVFQir
-jArZ94QnQdoan4tJ29d8DmTxJ+z9/KyWNoGeOwc9P/2GQQaZahQOBr0f6lYd67Ct
-wFVh/Q2zF8FgRcrQV7u/vJM33Q2yEsQkMGlM7rE5lC972vUKWu/NKq8bN9W/tWxZ
-SFbvTXpv024aI0IRudpOCALnIy8SFhVb2/52IN2uR6qrFizDexMEdSckgpHuJzGS
-IiANhIMn5LdQYJFjPgBzQU12tDdgzcpxtGhT10y4uQre+UbSjw+iVyml3issw59k
-OSmkWFb06LamRC215JAMok3YQO5RnxCR8EjqPcJr+7+O9a1O1++yiaitg4bUjEA=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_md5.pem b/tests/data_files/parse_input/crl_md5.pem
deleted file mode 100644
index 1b17967..0000000
--- a/tests/data_files/parse_input/crl_md5.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEEBQADggEBAKKCJZ1MwL+gKAw3RV4qEmb9
-gMDdSLJ1Vdkn9FgDx2ijNnYDtvaW+I3sOXrq7O6gVN1KEamJJbufVJA5+OE2oVbC
-husEdgQm8D5TbrGcjPIPWxgYyuuRsl7XovZhXnqTIUrC+J8oH9XzKaMc+HZb5UhR
-h8bzcyp+9jbBje7lWwKTzkuvd/I7VbS02TUkWFJTrYB0Laj8WMcgcZiyX0iZuj8j
-4hOupu0lPoSzZ4h7t0Vmay6wO+8n8LJohyiwYS7LddpOjIdP0MWifN7u/ArqNNlh
-2kg8eAc1pYOU/pJFTAAbOmC/kQpa9skd+PPIPPh9T53o3yeDQA0vFqN92JryCCU=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_sha1.pem b/tests/data_files/parse_input/crl_sha1.pem
deleted file mode 100644
index 049bebf..0000000
--- a/tests/data_files/parse_input/crl_sha1.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAG64jqn7VLdvnKROsbCPR8w9
-xnox9vjuM2lGWema9sTuptw9EhArVSbibXZ1IPPyrEy1QOq3NukBqUW3KzOzYV5M
-BxZSa28FTQxtVChWkDUIMCK8BSxy07yieFf/3A8mbfcW3ZzN4akLxOweuFp6l2H7
-9oa2jeUi1BlHCZS6JYI2pHZl8qiMRiqqMleSM2k1w7TraKLNBFM8UK72brXeZjPi
-nNOzdYsQDzWo1HW7dsLWLfZKoJeyqvofVDQpC5dO56kty/do89z1OnEXfzMNeVVT
-JCeAOzuu6kdrf+9keRoWhcIoBos/XtTV57u0pgr81bLgjj5PYivevKL/kKbyvKI=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_sha224.pem b/tests/data_files/parse_input/crl_sha224.pem
deleted file mode 100644
index 066f5be..0000000
--- a/tests/data_files/parse_input/crl_sha224.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQ4FADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEOBQADggEBAL2sIly2OwgBu9UfEImduTG/
-RtGEO8RkXbCRJPLZaVGQh9b8rCRVHL9tIWm372FVkKyYEm3mIrl2ry16RznRt5yx
-Dd8/DKUGUlIe1KwzjDc9O7bv1FDSXHd1USmGTheKDHNtuJXYENMHdoyR2k2BVGOZ
-ie4zUcSpqyMjBlUjgNmXN6gQIcrRImumVUjMk74+rWTa0hQ0piF2qlRuE1dDqcZP
-LkE/92rbnFeRAO91XUeEj13dif2UjlArFWd62AFp0wtIn2sb7wahhUj9/rEs6Wgx
-kdiNsRMto6/ixLrPu3vxs80ZPWHey587T1ZZ9bS/wDkp9W+W0rGyRoPVmqiKtvM=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_sha256.pem b/tests/data_files/parse_input/crl_sha256.pem
deleted file mode 100644
index c3ca256..0000000
--- a/tests/data_files/parse_input/crl_sha256.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQELBQADggEBAG4mBBgwfNynCYYL2CEnqore
-mgKpC32tB6WiUBu9figcvdN3nSX/1wrB8rpiE8R04C8oSFglwhotJCnlWsy42tjb
-0pk0Wuizln0PFMc/OypqRNNhwx31SHH42W4KzONiqvq3n/WkH3M1YniR1ZnMlyvi
-lJioQn6ZAoc6O6mMP1J9duKYYhiMAOV992PD1/iqXw+jYN31RwdIS8/mGzIs4ake
-EdviwhM3E4/sVbNOWCOnZFYV4m+yNAEe29HL1VKw6UXixBczct+brqXNVD3U6T0F
-5ovR6BTefZO17eT52Duke5RZGDUyQOGywxOYKI5W+FcOYdp+U5Idk399tAz2Mdw=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_sha384.pem b/tests/data_files/parse_input/crl_sha384.pem
deleted file mode 100644
index b3baa2a..0000000
--- a/tests/data_files/parse_input/crl_sha384.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQwFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEMBQADggEBAC0GpmRvsrvshp1q/SXk80HA
-m28ZvEuys9zY5/AnrtYHQfsX9QRJk5li7PlnzHtVGp8I5Qi4mJVPaJ+JmhqAc/oo
-NPmxDx8m9XF9v0XHzqQZIWlPXH8QM9WLzTazbQFXhuwnZ6LPhpo+m8cbN91mUFil
-9g+SGkma+VYV+yPRNmKyldcRVvPZUIkhTCMWkZoYrbDXUmkVQpsgz2c5ksIeMI/7
-4Qj9J38I9AOt0DlQ3etFhNc0OMnR7zY8tn9B4dejoNklEZfiyDxsDZVPusZrxnWM
-WxuehOGHZf3YESjLMtR7BW26QRHIF/nhGDHsbLiunxXI6eJlbYFoZMfwc6TMqnc=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_sha512.pem b/tests/data_files/parse_input/crl_sha512.pem
deleted file mode 100644
index 4d712e5..0000000
--- a/tests/data_files/parse_input/crl_sha512.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQ0FADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
-N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQENBQADggEBAH6GU24hd6d/5PmDusT+h2Kl
-e7scmhkZDPU+VJSnzHdEREYTPaoFqyVBuJOE95lZELEqdOauhO3lG2WEQVGcgEcv
-4jS2EzR3BYex1c1upqGtdIvIoA9TOLukdy6KeauomiWho2Kd7bSaXHy20jwdkLko
-/t3lVhTtBvKbh8XHVYwCaw1aCj3LydwNcS+zPnRgsMVHszFxmMNn5HCRW8lbYwcf
-UA98OmxIZs2hpBKRpvlfA5y6sXEx2+tSMg+MJrziGBgG6OR/m+KTaK5Yle9nrC+7
-hzKIe83hpktvfB1CY5Ak4Uke9/1FRqAjs5KCRxYSGQ7ZdS7DgAeGwT3slLbl/tY=
------END X509 CRL-----
diff --git a/tests/data_files/parse_input/keyUsage.decipherOnly.crt b/tests/data_files/parse_input/keyUsage.decipherOnly.crt
deleted file mode 100644
index 7c37978..0000000
--- a/tests/data_files/parse_input/keyUsage.decipherOnly.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICFzCCAYCgAwIBAgIJAJsTzkylb95SMA0GCSqGSIb3DQEBBQUAMD8xCzAJBgNV
-BAYTAkdCMRIwEAYDVQQHDAlDYW1icmlkZ2UxHDAaBgNVBAoME0RlZmF1bHQgQ29t
-cGFueSBMdGQwHhcNMTUwNTEyMTAzNjU1WhcNMTgwNTExMTAzNjU1WjA/MQswCQYD
-VQQGEwJHQjESMBAGA1UEBwwJQ2FtYnJpZGdlMRwwGgYDVQQKDBNEZWZhdWx0IENv
-bXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9nxYOSbha/Ap4
-6rACrOMH7zfDD+0ZEHhbO0bgGRjc5ElvOaNuD321y9TnyAx+JrqPp/lFrAgNiVo1
-HPurPHfcJ+tNBUgBHboWGNENNaf9ovwFPawsBzEZraGnDaqVPEFcIsUQPVqO1lrQ
-CHLUjtqo1hMZDqe/Web0Mw9cZrqOaQIDAQABoxswGTAJBgNVHRMEAjAAMAwGA1Ud
-DwQFAwMH4IAwDQYJKoZIhvcNAQEFBQADgYEAJ0NS2wUbgRelK0qKxrR2Ts6jVYEH
-bmykx3GHjFyKpscDIn2vNyyB7ygfFglZPcw+2mn3xuVIwOV/mWxFvKHk+j2WrTQL
-tDqSC5BhFoR01veFu07JdEYvz+I+NCL5z0IGWXkUrk235Wl4w4WMZDnXTqncMNEk
-fLtpo9y79XD00QY=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/multiple_san.crt b/tests/data_files/parse_input/multiple_san.crt
deleted file mode 100644
index 8cdc730..0000000
--- a/tests/data_files/parse_input/multiple_san.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2jCCAYCgAwIBAgIBBDAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11bHRpcGxlIG90aGVy
-bmFtZSBTQU4wHhcNMTkwNDIyMTYxMDQ4WhcNMjkwNDE5MTYxMDQ4WjBKMQswCQYD
-VQQGEwJVSzERMA8GA1UECgwITWJlZCBUTFMxKDAmBgNVBAMMH01iZWQgVExTIG11
-bHRpcGxlIG90aGVybmFtZSBTQU4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3
-zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI
-wmt3DVXNiioO+gHItO3/o1cwVTBTBgNVHREETDBKggtleGFtcGxlLmNvbaAfBggr
-BgEFBQcIBKATMBEGBysGAQQBEQMEBjEyMzQ1NoILZXhhbXBsZS5uZXSCDSouZXhh
-bXBsZS5vcmcwCgYIKoZIzj0EAwIDSAAwRQIhAMZUkp+pcuFQ3WWdgvV4Y+tIXOyS
-L6p0RtEAOi/GgigVAiB50n3rIUKjapYstPp3yOpGZGyRxnc6uRdSiMH5wLA4yw==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/non-ascii-string-in-issuer.crt b/tests/data_files/parse_input/non-ascii-string-in-issuer.crt
deleted file mode 100644
index 99db871..0000000
--- a/tests/data_files/parse_input/non-ascii-string-in-issuer.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnTCCAoWgAwIBAgIUBeZT5xt08LXThG0Mbdz6P6RaK+AwDQYJKoZIhvcNAQEL
-BQAwXjELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMR8wHQYDVQQKDBbDo8KD
-wobDo8KCwrnDo8KDwoggTHRkMR4wHAYDVQQDDBXDo8KDwobDo8KCwrnDo8KDwogg
-Q0EwHhcNMjAwNTIwMTYxNzIzWhcNMjAwNjE5MTYxNzIzWjBeMQswCQYDVQQGEwJK
-UDEOMAwGA1UECAwFVG9reW8xHzAdBgNVBAoMFsOjwoPChsOjwoLCucOjwoPCiCBM
-dGQxHjAcBgNVBAMMFcOjwoPChsOjwoLCucOjwoPCiCBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMkh8YszXqyKsEzm5XMpmLd9WL6ba3QDK0uuePTj
-Uqt6RYjTHMDdu1T/gRUi15++6VAl2vUEcUKI4Lxarb9TuypsHfWLGDlioC4xo/5X
-63fbvIEK6qeluY43v3/dXVLoak4E5C3i9hGpcCVUrawlFKQeuEoNgpxtAy4cA0HV
-RhGK6cEddIo9lRksvO1jD2Xmi90+7STRYmyTVkHyj966f3xEr+8/VKcz2mG1PZgw
-x2kYwv7JZ0F+vbjU2S1OATCS4lqEPJT0ggotIJCmxdv1XorPbYn3uNjT8Lp/UHgW
-+4+K0OxdlD0GS7AxffCcq0ltVeUyHq9s2cG2AiP8603aeAUCAwEAAaNTMFEwHQYD
-VR0OBBYEFKT8qVhvMaptyhJMcvz+c3Q0fkzDMB8GA1UdIwQYMBaAFKT8qVhvMapt
-yhJMcvz+c3Q0fkzDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AHR6U3p2DdhwdqhY73vAxtdmAML157cYoZSQiEfpp/Kr3MWoBods6VKHS6flv+T3
-TEf4G0oyEqKoJk3liIyTvUO5CiwXmiiJlYhQmWkEb3zcYVSSFXKvyEQYKLR3ggD/
-C4sCTohfYGB924vI619u6mjnNEBX7yiyZbfJ0uHd7BpOimFVeAos8hJ8Z5T+gESa
-Tiv6EJPK+m3vKTK2w45M/xLEmGMrwxEB1IZnRz19in/Iqe5/sfMfEVXJSQ052tuO
-GLl6reeMaHlbflB/HyoBRo1xM7Av6zy3TIM55Z3C6ry3pcTH6Y+U7Sz9Lw9MyYCX
-b1QAPqg1U0lZZaSNUMsiAjI=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der b/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der
deleted file mode 100644
index ac5fab2..0000000
--- a/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/rsa_single_san_uri.crt.der b/tests/data_files/parse_input/rsa_single_san_uri.crt.der
deleted file mode 100644
index 22308c6..0000000
--- a/tests/data_files/parse_input/rsa_single_san_uri.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server1-ms.req.sha256 b/tests/data_files/parse_input/server1-ms.req.sha256
deleted file mode 100644
index b0d9414..0000000
--- a/tests/data_files/parse_input/server1-ms.req.sha256
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN NEW CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
-+OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
-eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
-3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
-TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
-ox+ATHKxQ/XpRQP+2OTb9sw1kM59
------END NEW CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.cert_type.crt b/tests/data_files/parse_input/server1.cert_type.crt
deleted file mode 100644
index 34fe4f6..0000000
--- a/tests/data_files/parse_input/server1.cert_type.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDUjCCAjqgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
-BkAwDQYJKoZIhvcNAQEFBQADggEBAElJPaCG6aFHoymoCrzckPfjENxgXW2czh5t
-TsMPshkzX5p2AU89GBGdy0gQwoPuMtcznsDe4adM6Na8f30YDffATsgDECMIWtV1
-XVYKQIwFmZzEt4B+5sUmyMOLtTuuZBThOLPwOw8e4RnILKOYPHnQNRf6Eap4lFDx
-lp2pAaiXMDWH88gmWoU5XrGTppllYV0IorzJ4xV9Sg3ittNwNO40ehVQDAseFwZH
-iyh9iHz4BqtWjElmQ3hL8N/Cbqp3iN15h2pUgIj8JIt9rCsIZrsG3K42iSlPzEn2
-DCzWQSj9cQNCRVJnwgJAWnC1Hx0YYFQMgQquVxnK15THTGQAeB8=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1.crt b/tests/data_files/parse_input/server1.crt
deleted file mode 100644
index 258da5e..0000000
--- a/tests/data_files/parse_input/server1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
-AQEAf2k5OiORp60gBNqioC2mIqSXA0CU/qzllt8IvlcMv1V0PAP9f4IEm5mdkERr
-UXjnB1Tr3edrsvXLgZ9vEosbFpNMsKfsmBkpjgWG2ui8pdn8cJiws4k4h5fuueSw
-Ps1FLK5Tfpi+GJyPqk4ha9Ojp2p9opuA0aIfLuxI+0UzXH4wgrEW/Yydowv959gf
-gGSl766CRdUvJbXOeVryFjFTRfLFFNfTvrftZk1dl8tas1nim8xfWet+BZVvq2zY
-C7LeCI9nrfuAxfMJTrWFp17y72+hCDk7NEaB2ZLVuAM/ri7LWrr2V2hLFdIAhfC2
-nUaulRRpGt/ZTISw6uSIumNoNA==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1.crt.der b/tests/data_files/parse_input/server1.crt.der
deleted file mode 100644
index f9f58a0..0000000
--- a/tests/data_files/parse_input/server1.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server1.ext_ku.crt b/tests/data_files/parse_input/server1.ext_ku.crt
deleted file mode 100644
index 3c4f854..0000000
--- a/tests/data_files/parse_input/server1.ext_ku.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpzCCAo+gAwIBAgIBITANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTQwNDAxMTQ0NDQzWhcNMjQwMzI5MTQ0NDQzWjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o4G0MIGxMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm
-MGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQG
-EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
-Q0GCAQAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
-DQEBCwUAA4IBAQANtiYR2P6+a7rEtJARIgpurw1URYejATbbp3ZhaHBW603Wyb2+
-KJtm1KPCzoju/qTRt65YYkt+tu1wTzamyrkPxt8bBKmxiWnu5j1HLxdjOz8VW9lf
-vTb5egR4dU9eNXni/5QkzrdkMO+ob4puDXY7ytPuGX6YfNVhCkrhBlYDJNE57CkK
-vpCNj3+Te8PEkWPAEaUhqCnQk6qvPvpBfc/hqgwzlRMt3u5NkiVOuH72dtr4fOI1
-nlAU8D2wuvDVr3X5281ONNEtHU6rXe98vlUzS9QV9lBDdsO9nRYJzv2Nb1cjRIM5
-JZl0ILLR2tc6E/W5YXalNp37jfrFii1U9WrJ
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1.key_usage.crt b/tests/data_files/parse_input/server1.key_usage.crt
deleted file mode 100644
index 9d70b00..0000000
--- a/tests/data_files/parse_input/server1.key_usage.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
-DQYJKoZIhvcNAQEFBQADggEBAHM8eESmE8CQvuCw2/w1JSWKaU9cJIvrtpJXavRC
-yMEv6SQL0hxrNZBhFPM8vAiq6zBdic2HwuiZ9N/iEXuCf92SOcK4b/2/Flos0JI5
-quu4eGkwoNrOvfZUcO7SB8JHUvmJtTP+avF3QeRfHo9bHRtnyOs9GXqq+CMZiNgO
-Bw+/tAOml3tV1Uf+yjp6XroWLRNMbvY1Sor4UW6FFMpOii/vlJ4450OlpcJdRU70
-LpHfxjmPNvc9YOPWve75/+CNF9lMi29UoEUYslxMPylZ/L0vYxi+xuvQBTaLiZeP
-CJ59Mc63LEmJNSAwnnV8s2KXL/Okm32lf6sy0fjsrvAdoCc=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1.req.commas.sha256 b/tests/data_files/parse_input/server1.req.commas.sha256
deleted file mode 100644
index 0287a31..0000000
--- a/tests/data_files/parse_input/server1.req.commas.sha256
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICiTCCAXECAQAwRDELMAkGA1UEBhMCTkwxGTAXBgNVBAoMEFBvbGFyU1NMLCBD
-b21tYXMxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhFkNvuiBZS
-0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185fAkER4Kw
-Vzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFTxjB+FTms
-+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc/kFeF6ba
-bFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7OvViJ4lNZ
-nm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABoAAwDQYJKoZI
-hvcNAQELBQADggEBAI7ZtRJYX6cMuwVhwXOizPV+WD17wby+273V4R8e9/6QA4nY
-RrSciAse+nWZz9Y6toBzLWr0K/9SCzwBX4OzMvLqu4A1G/wApODCDnbGaUPNUxRt
-6qbg8y7faBWvDGjk4+OpQ0suR/pdbM/L7pImqWRNwYdSPbJumNqIdB/Ewtso0TlA
-QVZ992RPe1LovXpDCfPP2p123L7/UHezNCtu5QmzLsDfQmN/rLhCJ2NZzTsnIdnP
-jp6XYU4kRV2BPDL65k38k8CSVWb6fw9XwPNUiyO3q1Zs6jpGJRYMLj9qTEoRN1np
-RME09CN2siMcgkv8UqDeDJ4Oa9qyXS6VXsDmSNI=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.md5 b/tests/data_files/parse_input/server1.req.md5
deleted file mode 100644
index 57714ed..0000000
--- a/tests/data_files/parse_input/server1.req.md5
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBAUA
-A4IBAQCEiv3QM4xyKhYTsoOjyzQdXMhsXK3Kpw+Rh874Hf6pXHxUaYy7xLUZUx6K
-x5Bvem1HMHAdmOqYTzsE9ZblAMZNRwv/CKGS3pvMkx/VZwXQhFGlHLFG//fPrgl3
-j4dt20QsWP8LnL4LweYSYI1wt1rjgYRHeF6bG/VIck6BIYQhKOGlzIwWUmfAGym6
-q4SYrd+ObZullSarGGSfNKjIUEpYtfQBz31f5tRsyzSps7oG4uc7Xba4qnl2o9FN
-lWOMEER79QGwr7+T41FTHFztFddfJ06CCjoRCfEn0Tcsg11tSMS0851oLkMm8RyY
-aozIzO82R3Em7aPhZBiBDy3wZC2l
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha1 b/tests/data_files/parse_input/server1.req.sha1
deleted file mode 100644
index 578ec7f..0000000
--- a/tests/data_files/parse_input/server1.req.sha1
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBQUA
-A4IBAQCiYQMOv2ALPUeg8wHKn9L5SdDbNxOzuMwhYsCYTw2TJMQO7NLUq6icEzxY
-pUIIFt60JUQjZHxQSY3y9cSivwKXQA7pPfaPaFC/aMA2GxG23t2eaIWNQX8MfcWf
-XAa8bl/vmC1MTov+mP2DGoXRiKYORrEInyDS2RaTathvHckcAv25nCIx7wYO9tC9
-LUwyoE9bhiQ7fo3KFlz4dK1HukyCM/FoPbJuL7NgdzmKVPyYCLh5Ah+TTD6+sltz
-dFc4fj28w1v3jsBXz+tLrgFQidzuUI2poxt5UwU9TKY0dAJaTCtfIRcXW3h6DGG7
-EDR6rim6sbIQkGzYvGqs4TNoJOR+
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha224 b/tests/data_files/parse_input/server1.req.sha224
deleted file mode 100644
index a4f2af4..0000000
--- a/tests/data_files/parse_input/server1.req.sha224
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDgUA
-A4IBAQArYR2mLKU5lsHyAyGHr4PlmC/cfePmCRyC/mj1riGTjDlNC2X3J1VZDqKb
-U/uUxLudP7sbuttRksIAREATT74Pa40bMWiPUlBfA/M2mFTmKb/91uXeIISW8DL3
-xM/5BCDrhnZ/cjP23gKDgJRk+IGBNhYZDGz50TIBbDJ2e4GDkFjzANngUW64UcCQ
-7hZOYtnYLBnoRvPwtal5jZqHwsgaPPePXu+SQ8mfuAJwJ78MOCAaKw0IP1h1OnPG
-iubdl34lSIaYWwbHTdjaqUSQG3SSs4oxEvluYymrpZ6XGKXtphJXEPdTRiLu9d9l
-A5NYVgvqHFQPmuXS92zrGzB788pV
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha256 b/tests/data_files/parse_input/server1.req.sha256
deleted file mode 100644
index 6d21dc5..0000000
--- a/tests/data_files/parse_input/server1.req.sha256
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQCVlSU7qeKri7E3u8JCZbCyjsGJTH9iHYyeDZ/nDLig7iKGYvyNmyzJ76Qu
-+EntSmL2OtL95Yqooc6h1AQHzoCs+SO2wPoTUs3Ypi9r7vNNVO3ZnnxVtGgqCRVA
-W+z9W4p2mHXQhgW1HkuLa5JD1SvJViyZbx9z3ie1BQ9NVKfv++ArPIv70zBtA7O3
-PZNG1JYN30Esz7RsCDRHbz6Npvu9ggUQL/U3mvQQ+Yo+xhwu1yFV+dRH7PebBeQv
-vjcD2fXDabeofK3zztIpUIyUULX0GGClM9jslgJ/ZHUlArWKpLZph0AgF1Dzts//
-M6c/sRw7gtjXmV0zq2tf2fL4+e2b
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha384 b/tests/data_files/parse_input/server1.req.sha384
deleted file mode 100644
index b857af7..0000000
--- a/tests/data_files/parse_input/server1.req.sha384
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDAUA
-A4IBAQBy35zHYLiYaScq1niQkzQ/BScUbdiWd2V90isBsB5Q3NjVoJl/yCaMrla3
-2XfrutpFpdqwenl5jM0o6+enKCmfur+z2/ije69Dju2aBd6A62cx1AEvFiMq7lyF
-4DYJ32+2ty6KA8EhzE3NFs7zKXxmD5ybp+oXNEvXoeU3W8a+Ld5c1K/n+Ipa0TUy
-cFBs6dCsbYO9wI6npwWqC5Hc9r/0zziMFO+4N5VORdYUFqObq4vCYOMXETpl8ryu
-lGZorNUoJ7vV55T31CDqEtb0EE+nO+nT4agfDobncYjvc3WpQuLtUB4UwR5gpZl6
-ZI+j4uwikOgGO9gcx4IjaRP3q63F
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha512 b/tests/data_files/parse_input/server1.req.sha512
deleted file mode 100644
index 85d5246..0000000
--- a/tests/data_files/parse_input/server1.req.sha512
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDQUA
-A4IBAQBb8jNpt0nkNVWstVoOCepQSF5R1R9hF0yEr7mk3HB9oO/nK07R1Oamgjw+
-CHQReTSjIKUX53o7ZwNZB5E+jBDsGz/2Yyj/vxNHJFk2exELtW30he8K2omVHE1F
-XESbftCssWLNpTSDq6ME12+llkEDtgCtkv69oRUkuuF5ESUSZRGIZN4Vledm8SM1
-uGFtaG/PXbBbtUaNwNISDeIWDKRtbuca5web+QEi1djiUH21ZWIGEpOy7mtkYmRs
-Qt1D32FoaqFNhafiaxNIXO11yd4lgpaDDlmrOSBsELcTIF9916o3DwMeVXy0GONW
-BrwaO8q8rg+C+xvMY7858Kk8kwjb
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1_pathlen_int_max-1.crt b/tests/data_files/parse_input/server1_pathlen_int_max-1.crt
deleted file mode 100644
index 4944844..0000000
--- a/tests/data_files/parse_input/server1_pathlen_int_max-1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSDCCAjCgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o1YwVDASBgNVHRMECzAJAQH/AgR////+MB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIs
-Pai9Q1kCpjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG
-9w0BAQUFAAOCAQEAfuvq7FomQTSJmGInVwQjQddgoXpnmCZ97TpVq7jHLCFADowQ
-jeiAsxmD8mwAQqw/By0U2PSmQcS7Vrn7Le0nFKNRYYrtpx5rsTFJzS/tQsgCe0Pf
-zhiBgD1Dhw6PWAPmy+JlvhJF7REmFsM8KHQd0xSvJzB1gLN9FVlnd87C73bdDJZQ
-Zdn977+Sn5anAFGHDWeKo8GYaYGnPBQqkX0Q2EKWR7yrwcKMogOevxELogB0jRj3
-L+nBpz7mO2J6XQ85ip+tLWAGCEHo0omAIQorAoCSqtLiaz47HxOdNK0hnM7V5k8P
-05AVhxDa3WqZ9FmMaDc8j8XqmOgKYVMC4/WS0g==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1_pathlen_int_max.crt b/tests/data_files/parse_input/server1_pathlen_int_max.crt
deleted file mode 100644
index 517e0d6..0000000
--- a/tests/data_files/parse_input/server1_pathlen_int_max.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSDCCAjCgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o1YwVDASBgNVHRMECzAJAQH/AgR/////MB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIs
-Pai9Q1kCpjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG
-9w0BAQUFAAOCAQEAe5jPPMyWrKYGljJH2uh1gEh7KoYhmGIUfYu5A8Z2ou04yFZh
-LDyWJnkE/qpNaIw3kPuoyGBTtADYzttPvxretUmaMyteOQe8DK/mmr8vl+gb54ZP
-2jUE+R27Jp5GSGfl20LNVTBkKJloSyDaVzPI3ozje2lAsXsil8NTKbVJtfjZ9un+
-mGrpywSV7RpZC2PznGFdqQehwwnOscz0cVeMQqGcMRH3D5Bk2SjVexCaPu47QSyE
-fNm6cATiNHjw/2dg5Aue7e4K+R6le+xY3Qy85Fq/lKDeMmbrJRrNyJ9lblCeihUd
-qhkAEPelpaq5ZRM6cYJQoo0Ak64j4svjOZeF0g==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server2.crt b/tests/data_files/parse_input/server2.crt
deleted file mode 100644
index 0745196..0000000
--- a/tests/data_files/parse_input/server2.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4
-cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A
-O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc
-KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE
-iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp
-HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap
-Awgk0+4m0T25cNs=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server2.crt.der b/tests/data_files/parse_input/server2.crt.der
deleted file mode 100644
index 9cfa9ab..0000000
--- a/tests/data_files/parse_input/server2.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server3.crt b/tests/data_files/parse_input/server3.crt
deleted file mode 100644
index ed0d696..0000000
--- a/tests/data_files/parse_input/server3.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICojCCAYqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwODA5MDkxNzAzWhcNMjMwODA3MDkxNzAzWjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG
-CCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5
-fQcsej6EFasvlTdJ/6OBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTkF2s2sgaJ
-OtleQ7bgZH2Hq33eNzBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/
-pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQ
-b2xhclNTTCBUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjmSIjGKD1eH5W
-4bl2MXfNIsTwc2vv/MAAhBzBEbTXd3T37+zAGPGjKncvTB+oufUVRGkoKbfoC6Jm
-DYSEUuxtnUZOko/C//XlCEtK0TuS2aLEqF3gJjBJTCfthEdAhJCtmPAQDCzeKsdx
-CoOtH0NQx6Xl64oDt2wYSQNWUTGLPfRpdsVEvBHhHYATQijkl2ZH8BDjsYcBicrS
-qmCeN+0T1B9vrOQVEZe+fwgzVL38n8lkJZNPIbdovA9WLHwXAEzPv4la3w0qh4Tb
-kSb8HtILl4I474QxrFywylyXR/p2znPleRIRgB5HtUp9tLSWkB0bwMlqQlg2EHXu
-CAQ1sXmQ
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server4.crt b/tests/data_files/parse_input/server4.crt
deleted file mode 100644
index 96b1aa7..0000000
--- a/tests/data_files/parse_input/server4.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC6jCCAnCgAwIBAgIBCDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKvXjL5VfYc7D/truqEpYcZcvlUhnuCNDJctYDJL
-vgYYj5uxDxLHBXvnEHLgO5K+lps42p+r/dd4oE64ttRoeZZUvr+7eBnW35n0EpPA
-Ik9Gwu+vg7GfxmifgIR8hZnOQkt2OjvvpChPCxvUailtB450Izh+mEK/hYFr+7Jl
-NnxR1XQlbbyDM7Ect1HwYcuS3MBlBqq048J+0KEkQXICSjKeHFga9eDCq+Jyfqe5
-bt0K30hl1N0164B7aoh08Eomme+aSuAsz+MsJ3m7AO2DUYdrDxlrky1QrvRWWfX0
-d8djTM+uHTo1DviRM6o9+P9DfoFd53/Z0Km03sVLQWvUrhECAwEAAaOBnTCBmjAJ
-BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTBuBgNVHSME
-ZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkA
-wUPifmJDzOgwCgYIKoZIzj0EAwIDaAAwZQIxAPWlxnMcjBaxaVieQYSLBqzizS3/
-O8Na6owRGPk0/UK+j5O9NTBHk+uXW/fQblKamQIwUQl4dl6gkRDE4rBR/yGjZZ1Z
-3dEpvL2Wimt3keD7AcLpYB2FJ1mVcY1XQUeK1Vfc
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der b/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der
deleted file mode 100644
index 4b0c325..0000000
--- a/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-directoryname.crt.der b/tests/data_files/parse_input/server5-directoryname.crt.der
deleted file mode 100644
index 4badea1..0000000
--- a/tests/data_files/parse_input/server5-directoryname.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-fan.crt.der b/tests/data_files/parse_input/server5-fan.crt.der
deleted file mode 100644
index db4e5bd..0000000
--- a/tests/data_files/parse_input/server5-fan.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-non-compliant.crt b/tests/data_files/parse_input/server5-non-compliant.crt
deleted file mode 100644
index abea17d..0000000
--- a/tests/data_files/parse_input/server5-non-compliant.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBwjCCAUagAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0wMTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMCQxIjAgBgNVBAMMGVRlc3Qg
-RUMgUkZDIG5vbi1jb21wbGlhbnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3
-zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI
-wmt3DVXNiioO+gHItO3/o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRQYaWP1AfZ
-14IBDOVlf4xjRqcTvjAfBgNVHSMEGDAWgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAM
-BggqhkjOPQQDAgUAA2gAMGUCMAJ3J/DooFSaBG2OhzyWai32q6INDZfoS2bToSKf
-gy6hbJiIX/G9eFts5+BJQ3QpjgIxALRmIgdR91BDdqpeF5JCmhgjbfbgMQ7mrMeS
-ZGfNyFyjS75QnIA6nKryQmgPXo+sCQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-nonprintable_othername.crt.der b/tests/data_files/parse_input/server5-nonprintable_othername.crt.der
deleted file mode 100644
index dd0fc7e..0000000
--- a/tests/data_files/parse_input/server5-nonprintable_othername.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-othername.crt.der b/tests/data_files/parse_input/server5-othername.crt.der
deleted file mode 100644
index 0ef31cf..0000000
--- a/tests/data_files/parse_input/server5-othername.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der b/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der
deleted file mode 100644
index 7074fd8..0000000
--- a/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-sha1.crt b/tests/data_files/parse_input/server5-sha1.crt
deleted file mode 100644
index 73e2d17..0000000
--- a/tests/data_files/parse_input/server5-sha1.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHTCCAaSgAwIBAgIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x
-MzA5MjQxNjIxMjdaFw0yMzA5MjIxNjIxMjdaMDQxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
-KoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDY
-IxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6OBnTCBmjAJBgNVHRMEAjAAMB0G
-A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjBuBgNVHSMEZzBlgBSdbSAkSQE/
-K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFy
-U1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH
-KoZIzj0EAQNoADBlAjEAyjvzRWtxbXvkoYTYSQY9gFBpP7/wTZ2q6FbRiAuZULFt
-lc0PMPDfVZChgA6iDH+BAjBdkOb73f2pOwZpMRqrOgqSynbt2uWY87mC5lRlNEoR
-WXEv1AzIeBCv+81DN1Iuu4w=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha224.crt b/tests/data_files/parse_input/server5-sha224.crt
deleted file mode 100644
index 47b1168..0000000
--- a/tests/data_files/parse_input/server5-sha224.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBEzAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMBA2kAMGYCMQCj0EyFUzDRmfokWzLVEWN0epR4/sZytfIeozp6BqWH
-qaTBdAR2vthIKC7dKuUkg34CMQD6YtB2O9Vso79gbzSen2qh7gK7VvGE+31EVPbR
-Ce/oNG/3OfhRSdn3FOvBBg2UErM=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha384.crt b/tests/data_files/parse_input/server5-sha384.crt
deleted file mode 100644
index 5d6a79b..0000000
--- a/tests/data_files/parse_input/server5-sha384.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBFDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMDA2gAMGUCMQCnsd/6VB2kLIqMRsWdkJvRaQROyAg78CQExFEY3CMv
-9t0kWRXPc4nCMH69RjQVvC4CMB4lk9A7hnX2zQy3bbUhOCOvXcsQdEe8AMgJBviz
-5Nob2wThRqsm1wjCF60fyzXWuA==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha512.crt b/tests/data_files/parse_input/server5-sha512.crt
deleted file mode 100644
index 16112ac..0000000
--- a/tests/data_files/parse_input/server5-sha512.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBFTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMEA2gAMGUCMFPL2OI8arcbRlKAbRb/YfGibo4Mwts8KX3fOuRCbXEn
-pDWeb82kBqfXwzPJwamFOwIxAPGzyhWrxn0qEynWV5nzFK02PYBnYFgClISyyudH
-HJGHtbEVRc5JA8ALnggaLVpuvg==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-two-directorynames.crt.der b/tests/data_files/parse_input/server5-two-directorynames.crt.der
deleted file mode 100644
index c98a018..0000000
--- a/tests/data_files/parse_input/server5-two-directorynames.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5-unsupported_othername.crt.der b/tests/data_files/parse_input/server5-unsupported_othername.crt.der
deleted file mode 100644
index 1d9c205..0000000
--- a/tests/data_files/parse_input/server5-unsupported_othername.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/server5.crt b/tests/data_files/parse_input/server5.crt
deleted file mode 100644
index 4597428..0000000
--- a/tests/data_files/parse_input/server5.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S
-C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V
-fGa5kHvHARBPc8YAIVIqDvHH1Q==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5.req.sha1 b/tests/data_files/parse_input/server5.req.sha1
deleted file mode 100644
index 1a14a15..0000000
--- a/tests/data_files/parse_input/server5.req.sha1
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
-CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
-Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMAkGByqGSM49BAEDSQAwRgIhALSf2Mj3er+ocZCN++aEoIp5PQ9JCkPY
-b88ghuTyS7DCAiEA+CnVzNN0I2kpnmKUOUcXxLcjoPaLROgxtubDvKv5ckM=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server5.req.sha224 b/tests/data_files/parse_input/server5.req.sha224
deleted file mode 100644
index 2766834..0000000
--- a/tests/data_files/parse_input/server5.req.sha224
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
-CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
-Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMAoGCCqGSM49BAMBA0gAMEUCIDYaN1m9MRk5mhX1U8aZKd0alyGKWqcR
-oglF2MsIii/2AiEAjFHs8XQ0Q4yDF8oLztCxlq3nAvqmPdQz9T+TkEfh+PA=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server5.req.sha256 b/tests/data_files/parse_input/server5.req.sha256
deleted file mode 100644
index c59e15f..0000000
--- a/tests/data_files/parse_input/server5.req.sha256
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBFzCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
-CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
-Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMAoGCCqGSM49BAMCA0cAMEQCIGmRFdjjd53oM2Zpt3E5vfqujnA+DHWk
-s9OudcSWBdjmAiA7BAYjGnXyL6ATPqM7qnLVGTf3JMT+1rXl7esBm/0APA==
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server5.req.sha384 b/tests/data_files/parse_input/server5.req.sha384
deleted file mode 100644
index 87556c6..0000000
--- a/tests/data_files/parse_input/server5.req.sha384
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBFzCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
-CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
-Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMAoGCCqGSM49BAMDA0cAMEQCIDnO+PIPZJGqiky9unvq13uXxahw1bpk
-Zb5NRV0c06Q5AiAo5B49tp3kDN/n0BDNt1BBGLUfhcU+Qn2SQenCyfuGLg==
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server5.req.sha512 b/tests/data_files/parse_input/server5.req.sha512
deleted file mode 100644
index 607741e..0000000
--- a/tests/data_files/parse_input/server5.req.sha512
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
-CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
-Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMAoGCCqGSM49BAMEA0gAMEUCIQD8xdtluTiBJM50d/WvDeUvPbXOUMlL
-8xEJXU2WOK+RLAIgS8U6Z8tlJpXLEisz/j4gdABG3Y3h4PBJjlpszFisTNo=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server7_all_space.crt b/tests/data_files/parse_input/server7_all_space.crt
deleted file mode 100644
index a979830..0000000
--- a/tests/data_files/parse_input/server7_all_space.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAk G
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHf Y
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server7_int-ca.crt b/tests/data_files/parse_input/server7_int-ca.crt
deleted file mode 100644
index d3ddc46..0000000
--- a/tests/data_files/parse_input/server7_int-ca.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server7_pem_space.crt b/tests/data_files/parse_input/server7_pem_space.crt
deleted file mode 100644
index 0ef0fc7..0000000
--- a/tests/data_files/parse_input/server7_pem_space.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAk G
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server7_trailing_space.crt b/tests/data_files/parse_input/server7_trailing_space.crt
deleted file mode 100644
index 6faf8cf..0000000
--- a/tests/data_files/parse_input/server7_trailing_space.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha224.crt b/tests/data_files/parse_input/server9-sha224.crt
deleted file mode 100644
index 1b05f31..0000000
--- a/tests/data_files/parse_input/server9-sha224.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDWzCCAhKgAwIBAgIBFzA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEa
-MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIwOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
-DTE0MDEyMDEzNTczNloXDTI0MDExODEzNTczNlowNDELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
-uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
-i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
-36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBADJExjfWWvL28lgj+GGgviqo
-PHZLxI0pLQUnFJQ9Kpu6jxfICseBF00Z6BJE/RcYDpIie5GDt/8u/i6xB6Li29Pm
-g5nANgd/Y3fFnW7d0ydVjiSnetlPuf/jTlWQl6mQTH2xqYu8J8d3JRxQdRiDYbVm
-uywW2d6rksiqm6dPD5l4A5DcemcYo8f/1Ifj5WNDCV8/OHex+AnW2ccDvWAnVgSR
-B2VpOXJzVFuBsuf4tGVm/2TUMSB6NcvFc6TeJk1kzbZxii4QjKXtH1SfrVP59iEe
-l17NYAEWARjBpQWBiutRG+QM2et0sNiUBuWxTkvd0eSgencNysVAOsZqrqaX3CY=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha256.crt b/tests/data_files/parse_input/server9-sha256.crt
deleted file mode 100644
index 7d0aa39..0000000
--- a/tests/data_files/parse_input/server9-sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa
-MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
-DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
-uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
-i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
-36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAH0+knqkcLaxeDkenBQgd4Qg
-3ZyAhtpiLU689mw+3cXB/uzFrCIxEL5aGh1eSj+DszB+FtsZ06ux7JVQqVOA2Wm9
-yLxC6wF8OOYj0nBa91BWLhRAHLhmIdWsVk7Hl9KojZd4TwV2N+ZEV/BLxyoRvK4H
-V4xCpzgDSiTPe8Etk4r+0akbr6bsOUBayPb7MGLHubZKq8NsFAmmynp+fPmHd3SE
-0ooJdiZ1MmKPKLE5Og/hXCI8qeiXQUR6oQ7b2XONsrI2HIj2SA9dA5qmHwE5PbMu
-zqxQ3R83boqLXbkFORn+UiYLmffqdoWuNy00BHMCrxRA9DUv+WyN4npLMF8rOJw=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha384.crt b/tests/data_files/parse_input/server9-sha384.crt
deleted file mode 100644
index aaa63e6..0000000
--- a/tests/data_files/parse_input/server9-sha384.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDWzCCAhKgAwIBAgIBGTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa
-MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4wOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
-DTE0MDEyMDEzNTc1OFoXDTI0MDExODEzNTc1OFowNDELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
-uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
-i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
-36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBABf8Gyq2VYuN1EBW1nOapDQp
-B/KuafNW2GEJ7FmQKNyA7MIj1Yqo2MtJ6/OQojRQ3F5rnO4yjmvIPsXeQaMxJBiI
-aaoAlLpH++F+oXMq/0aS0WSZrSLrsh2Fpay9cBDGwek2rDOX9kM+ZcPzGitVwWKX
-TnOW22hpcl7u95CpZH+JZTcto5nL3tTyV9pIy+tSKQQfjPB+G0TAZCsOkbCGPLug
-qdjvqFQwOf15VxQMj7NRiXjlqJvsx+I7B2AIhrs4DzQMEyiWq9S/PzpQuFU5v/Kg
-s2iMLJ5ygv5aN3PYqGlE1ZmvgyRp5h/LaTGI2L6lzRTnecOhtPv30N2tyaDAEfo=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha512.crt b/tests/data_files/parse_input/server9-sha512.crt
deleted file mode 100644
index a211b92..0000000
--- a/tests/data_files/parse_input/server9-sha512.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDWzCCAhKgAwIBAgIBGjA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6Ea
-MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4wOzELMAkGA1UEBhMCTkwx
-ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
-DTE0MDEyMDEzNTgxMloXDTI0MDExODEzNTgxMlowNDELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
-uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
-i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
-36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6EaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBACdVozFq6rUiXo+ib5Y2oPsR
-6xxl4Ydn3LpUoYrPpTOrhcXJWW/tOLHGuCF/mSRfUzKaMIfL418cZHYnvumvuttu
-6z3tp5E1VsiZCU2MWJnzjKSxFBOss43AmpJHHoapGFZu2pxObBPqegAKHYkKWOLk
-tJDj47PurWgEek9j1nL7Pc1tVf59fm/ySp4fWkXLLvQiKid1516VioLyacUvK3zU
-6Egz8jMt7D5c9KpaExLRTANVsThqO5/dmR36bOwm3Hpbde7DNdgxru41tiLMqJs/
-5pX3ceaJ1XQ/l0idj5/9ipvqHHUguyk7H22HwQHQdSD9oIha8kEM3P6CjpfE7yY=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9.crt b/tests/data_files/parse_input/server9.crt
deleted file mode 100644
index a6f9fbc..0000000
--- a/tests/data_files/parse_input/server9.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
-EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
-Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO
-TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
-HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
-r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
-qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ
-wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w
-OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh
-clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR
-vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6
-te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW
-Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj
-88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw
-JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1
-o4Hl/lqjwCEG
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9.req.sha1 b/tests/data_files/parse_input/server9.req.sha1
deleted file mode 100644
index b9d0053..0000000
--- a/tests/data_files/parse_input/server9.req.sha1
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBojCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
-EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
-ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
-yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
-mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
-CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBIGCSqGSIb3DQEBCjAFogMC
-AWoDgYEA2n8SOoiJCs+YyH2VXoUVxhutdXGP4+7cECakl2mmVEKhxXDMEG7hEFkB
-mkk4b1kRNOQHKqUq3crfi0OkMcPGkPiLlYLKgT51CgsBhuJaMsdCYo/5POgTZD4u
-FI5gfyO70Xpq9QmrWEqqTdalRG7+UmGa3VEUVyXTDnQZfU1N2QE=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server9.req.sha224 b/tests/data_files/parse_input/server9.req.sha224
deleted file mode 100644
index fe1c797..0000000
--- a/tests/data_files/parse_input/server9.req.sha224
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
-EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
-ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
-yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
-mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
-CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
-CwYJYIZIAWUDBAIEoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCBKIDAgFiA4GB
-AMlYYZKqpDqg5UZZq3NB3QUR9qftY/52/0gPfruw5s2gNtFmG1uyEBJX/oc7C/fU
-lxo74HDraWJyvP7c3MMhOuwr/RfPNQhA2Hgwz9RuJIBhQrJfiZuHsCfiKVofMuMf
-ar/4EKfyoELDdilhg6i+abahGOkqyXsjavFtyDSeCpXH
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server9.req.sha256 b/tests/data_files/parse_input/server9.req.sha256
deleted file mode 100644
index 0ef9ef0..0000000
--- a/tests/data_files/parse_input/server9.req.sha256
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
-EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
-ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
-yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
-mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
-CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
-CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFeA4GB
-ACUaCTidvzWVJNKmRrriufThGUfw5Xgdsc3Ga8Cx+vRf+bPZmR3NVkc0Zq9uc0+8
-d1WXaLzbmge6IbcvTPWCLNDAWI9UzoQ6WS9myM3eDEGdruClYwb5BVLx3MvhvooK
-L/H6snE1dHNPXyCNVFTJIll3bRlVMRsfZpDhmz8/ImJ4
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server9.req.sha384 b/tests/data_files/parse_input/server9.req.sha384
deleted file mode 100644
index 0103450..0000000
--- a/tests/data_files/parse_input/server9.req.sha384
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
-EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
-ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
-yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
-mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
-CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
-CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIDAgFOA4GB
-ANfZGK6nE/CP9PuALFzbA/mvOnYlI60pMowscRfCYpvR25iQJVhAJfYVXADRN3qd
-NAiFWNVcjFMIkRlq7qifBN97VHGeYoWIuw9gYEb3OqDGzOsYP0KIgMNt8/A4qCkj
-5MzolOYyT+N+QFGV0pdCNpX7QppfNdFyFAmWXa171RzG
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server9.req.sha512 b/tests/data_files/parse_input/server9.req.sha512
deleted file mode 100644
index 676b5c9..0000000
--- a/tests/data_files/parse_input/server9.req.sha512
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
-EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
-ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
-yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
-mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
-CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
-CwYJYIZIAWUDBAIDoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCA6IDAgE+A4GB
-ACxWBhPkhyVlBY/mwkrW7OjYsaN2/ZlFSv76w63b61BpigReJsggMut5EPOgfGYJ
-rzygKDlF/NtmMN22jWrFup9LsZJAX0gYbLmliiaG9Hch+i/8b42oaQTDWGFZ9LiY
-W7F7X0f9lpzNKOtQ8ix0s+nYS2ONyzfu55+Rlzf8/63M
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/test-ca-any_policy.crt b/tests/data_files/parse_input/test-ca-any_policy.crt
deleted file mode 100644
index af87439..0000000
--- a/tests/data_files/parse_input/test-ca-any_policy.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFDCCAfygAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMzIxMTY0MDU5WhcNMjkwMzIxMTY0MDU5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-IzAhMAwGA1UdEwQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB
-CwUAA4IBAQCHadUDZiIjJhcrG+rYrpOVgMu548rc5kHLC7zVSVfszfdOJq/TdXQT
-Lbn9i+AAVRYJU2kHWKD2fvgOYIIBeEGFJKohlKZ82irWxt0Ltph31cuygLcpqNq9
-KRQ/dh3S0w9vn1A1ubYGKTzTnZGELTVzMlXZGTRbAOylMu4eWac6LHymE2EBqmOq
-fPCuWdFB62ewQWRa+dRO92Aphh870u43/iLbw7hs4s8hokZP7Ewg6AHb4qjVePdF
-jjxAO6x5VCj/WQRnw7muAy0P3l5AhYXAIUdnkdYca5Ja6LfdEJiVeTdE3IU6UJg+
-gAu9swDhUlEuIlCrOdC3tOPDslsOIgTV
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-any_policy_ec.crt b/tests/data_files/parse_input/test-ca-any_policy_ec.crt
deleted file mode 100644
index 821a92c..0000000
--- a/tests/data_files/parse_input/test-ca-any_policy_ec.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBzDCCAVGgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTkwMzI1MDkwMjQ1WhcNMjkwMzI1MDkwMjQ1WjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
-UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
-X3WnR2/VGSlVaZpTOyC0ZhZgMx6jIzAhMAwGA1UdEwQFMAMBAf8wEQYDVR0gBAow
-CDAGBgRVHSAAMAoGCCqGSM49BAMCA2kAMGYCMQDWHgmWMckbGLd7XREnJVAv+XRp
-XANOCbWLDu+Fik6c28S+qR6zGEKKGiPHYeDpjRACMQDnYcFBwlfuAB6td3fteG0P
-AWngOaGHmUFEA6h24b5Z6/GSFD9FK9rVRdxQc4Olz7U=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt b/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt
deleted file mode 100644
index a052bc6..0000000
--- a/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMjCCAhqgAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwNDI4MTMxNDMxWhcNMjkwNDI4MTMxNDMxWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-QTA/MAwGA1UdEwQFMAMBAf8wLwYDVR0gBCgwJjAkBgRVHSAAMBwwGgYIKwYBBQUH
-AgEWDkNQUyB1cmkgc3RyaW5nMA0GCSqGSIb3DQEBCwUAA4IBAQBo3CLwvTakVDWs
-XUZz3ehGgk39KzmYOb3m9bBfMpOplDfE8Zaj8TDZZsxXpNCXT85GgbrAdr6pONQJ
-Mqd3TzTXCs6tmmIOVDToOj6nKtm2nNSf+1TUuLRgeavgCoicoQZOtW5tAehw/RTE
-4VQXSm+ZWotYwK1jvlHS0LaehUy53GsNxWBJHCc3exD+iyutXTZ89jczIKuWpEIN
-pTdI/EYVD2r6r/IITRnJpGjNXOhGB4zvgFlwv88GeF5lG6Si9YD+swO8JuJP35q6
-7cPA/vtrjoiyM3kXmmN1LZGIfEMKNwEcyVhvl+d6sReomI3HAKOj9IIG7umFKi6t
-axMwzK3Y
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt b/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt
deleted file mode 100644
index 5e1491d..0000000
--- a/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB6DCCAW+gAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTkwNDI4MTAxNjA1WhcNMjkwNDI4MTAxNjA1WjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
-UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
-X3WnR2/VGSlVaZpTOyC0ZhZgMx6jQTA/MAwGA1UdEwQFMAMBAf8wLwYDVR0gBCgw
-JjAkBgRVHSAAMBwwGgYIKwYBBQUHAgEWDkNQUyB1cmkgc3RyaW5nMAoGCCqGSM49
-BAMCA2cAMGQCMDvi5bBVplU3Gct+iYRmRW9ewty5b+1OX0ggzA+ExXpL1Obo6A16
-a2h1kb7Oy4+BSAIwXZHYb6OEWkOngISfwSZxDiiNXOTwvCu2/oFGC8xTENn0B88m
-2WwPzh4jnvXhNh0w
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-multi_policy.crt b/tests/data_files/parse_input/test-ca-multi_policy.crt
deleted file mode 100644
index 168e99f..0000000
--- a/tests/data_files/parse_input/test-ca-multi_policy.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGzCCAgOgAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwNDI4MTI1OTE5WhcNMjkwNDI4MTI1OTE5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-KjAoMAwGA1UdEwQFMAMBAf8wGAYDVR0gBBEwDzAFBgMqAwQwBgYEVR0gADANBgkq
-hkiG9w0BAQsFAAOCAQEAPwOUmjnrcBA7dt5drCakEz9HOpj8gZQd1fyVGv221LCL
-h2W1Ngd2WlcADhPQcTdqNx4Dk+KPiBjPEooE9M7d3K33Qn/dVkmOYiW6E/4wU2tM
-cqFj7rg8Now4lBaEqEmBP+cpv+mYqavPcKy3tz4wn1SnA3MpT1hEazhNe4yInNAY
-4YqRBbWuBGkePjbce6Lf+rTfaA7kJnyuC9SHguQRmWtV3xzNzLUFn+V/jYSqYvYU
-2MjDFgCYCmW0xl5Wo8wMWWAvMbO2mRJ37OLUkSOkxgeEL6OihY1GPkbfxC2qV6mR
-4VjmfclwXumiDAvVLhW8hWjCxg8gc69G7kCkVbljLA==
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-multi_policy_ec.crt b/tests/data_files/parse_input/test-ca-multi_policy_ec.crt
deleted file mode 100644
index 70ea2eb..0000000
--- a/tests/data_files/parse_input/test-ca-multi_policy_ec.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB0zCCAVigAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTkwNDI4MTI1OTUxWhcNMjkwNDI4MTI1OTUxWjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
-UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
-X3WnR2/VGSlVaZpTOyC0ZhZgMx6jKjAoMAwGA1UdEwQFMAMBAf8wGAYDVR0gBBEw
-DzAFBgMqAwQwBgYEVR0gADAKBggqhkjOPQQDAgNpADBmAjEAqyz2v+6i3xXF4qlr
-o89qxwlpIn9sR0xU+qo9tgcM6Fa7IDdAU1lhweN8MpkJTtrGAjEAmgNI/08M8n6/
-sMM0Xutt5u9EUHb+4y0uyOfYMcEPr+pCUM4GPxBP6RdqI8Wu9OQf
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-unsupported_policy.crt b/tests/data_files/parse_input/test-ca-unsupported_policy.crt
deleted file mode 100644
index bf47d95..0000000
--- a/tests/data_files/parse_input/test-ca-unsupported_policy.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDEzCCAfugAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwNDI4MTMwMDEzWhcNMjkwNDI4MTMwMDEzWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-IjAgMAwGA1UdEwQFMAMBAf8wEAYDVR0gBAkwBzAFBgMqAwQwDQYJKoZIhvcNAQEL
-BQADggEBAGvARX2orRXDmc2a7nSrbRFkdw/7qbL8Y+wLeM94SsZVgzGcxzRx1KvG
-2H5nBvPKgAzBqWVPU7eDPjrETIfsCxSu+yklBIg5QYRuOcprLtQPkFVfl+WLd31F
-lS1uMgZkahIr57aHoJLYPrEjW4CBHoliT8xfrvVZi4+ym7i/vFqXL7IJ+PIklNF8
-2/b4SAB9hRI5oPw1TV9Q0v2PqMXL/0cp/9Roe+H28Tcrody6jTtEdsU2wbaxhxMd
-YK4Ak1FkhKItumINbtAUnHgBVwO2IivGZgsYulC/9y1uh5NU1HxMzqh04UEMgre+
-9SeEjhwFkq16Njc5Cdt/7iFLeiaHcNU=
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt b/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt
deleted file mode 100644
index 161e83c..0000000
--- a/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIByjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTkwNDI4MTMwMDE5WhcNMjkwNDI4MTMwMDE5WjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
-BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
-UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
-X3WnR2/VGSlVaZpTOyC0ZhZgMx6jIjAgMAwGA1UdEwQFMAMBAf8wEAYDVR0gBAkw
-BzAFBgMqAwQwCgYIKoZIzj0EAwIDaAAwZQIwKUY3aTL6UR2H1Q1OzIJw7vxUso4P
-2PksCWb62kQeAnhYK85t1VGQiA49iHCXVKuXAjEAq+1qvlmwHX1E99ha/rvxcAYp
-UmxXLmSb53RT0NvhEKnUVGGUp2pBNAVVJOH+G0NI
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca.crt b/tests/data_files/parse_input/test-ca.crt
deleted file mode 100644
index 31790b5..0000000
--- a/tests/data_files/parse_input/test-ca.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
------END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/test-ca.crt.der b/tests/data_files/parse_input/test-ca.crt.der
deleted file mode 100644
index 5d94810..0000000
--- a/tests/data_files/parse_input/test-ca.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_cert_rfc822name.crt.der b/tests/data_files/parse_input/test_cert_rfc822name.crt.der
deleted file mode 100644
index cdc8189..0000000
--- a/tests/data_files/parse_input/test_cert_rfc822name.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all.csr.der b/tests/data_files/parse_input/test_csr_v3_all.csr.der
deleted file mode 100644
index 7e717f3..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der
deleted file mode 100644
index 96a11e8..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
deleted file mode 100644
index f61c7c8..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
deleted file mode 100644
index e6db2cc..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
deleted file mode 100644
index 620fa7d..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
deleted file mode 100644
index 1d358e5..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der
deleted file mode 100644
index f8d0689..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der
deleted file mode 100644
index 01eabff..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der
deleted file mode 100644
index 875db76..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
deleted file mode 100644
index 38273ca..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der
deleted file mode 100644
index 4e2a221..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der
deleted file mode 100644
index 6116118..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der
deleted file mode 100644
index a49209a..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der
deleted file mode 100644
index ccae723..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der
deleted file mode 100644
index 989e404..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
deleted file mode 100644
index a6fd2d7..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
deleted file mode 100644
index 6fdcfc8..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
deleted file mode 100644
index f1090f9..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der
deleted file mode 100644
index 36bc61e..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
deleted file mode 100644
index fecb15e..0000000
--- a/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der b/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der
deleted file mode 100644
index f8be020..0000000
--- a/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der b/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der
deleted file mode 100644
index cf9588d..0000000
--- a/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der b/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der
deleted file mode 100644
index 2ccb3bb..0000000
--- a/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/passwd.psk b/tests/data_files/passwd.psk
deleted file mode 100644
index 17fee37..0000000
--- a/tests/data_files/passwd.psk
+++ /dev/null
@@ -1 +0,0 @@
-Client_identity:6162636465666768696a6b6c6d6e6f70
diff --git a/tests/data_files/pkcs7-rsa-expired.crt b/tests/data_files/pkcs7-rsa-expired.crt
deleted file mode 100644
index ced181d..0000000
--- a/tests/data_files/pkcs7-rsa-expired.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVTCCAj2gAwIBAgIUOrWS2Prj+YfE0116bm4XvxqfRlkwDQYJKoZIhvcNAQEL
-BQAwOjELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRswGQYDVQQDDBJQS0NT
-NyBDZXJ0IEV4cGlyZWQwHhcNMTIxMjE3MTkyNzE4WhcNMTMxMjE3MTkyNzE4WjA6
-MQswCQYDVQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxGzAZBgNVBAMMElBLQ1M3IENl
-cnQgRXhwaXJlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKwdVgoF
-OCcb8wCxLXbiiRuglTa4iQM/L2pGvQQgJ3HeApAzrbL0zg0SsT02K9YqAsta7z/U
-fhVFPawtY3QZU4lg5OukPMJK0JZpYynjDkx4B9mp8fPlzzwalzXDFnrGaS84z0st
-jibLDGPs9LL8oRyQSFsum3FSM2CDTw6gFCNYVYB7fz9DLtWh8igOmW1ZmDgxoNYA
-ZyWEEcZmzWOG5MSYt8Nx4R5DMuxDa8q50M46sFQ/8kFerlAcvAz7nZQq10F65wdy
-JAB/WKZknbdN72ntlHdvbUViax2U4DJNdztuOJYc2GAlLrWmYk09yNorlNsEXjQp
-8w5jsjPhlQcnMiECAwEAAaNTMFEwHQYDVR0OBBYEFDOXFiHCdGU5Ebamuhj8tEoU
-bGA3MB8GA1UdIwQYMBaAFDOXFiHCdGU5Ebamuhj8tEoUbGA3MA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA0D8sXvET5XUGs3FwhuBm43ydr8W1u7
-07zxRNvMYO6Qrsfxh4UAw9IlHbLhL2mrdPRn1IF9Dtpf/xA2A8QOfDj5/rAUFmnX
-C+GO0Yb7/gSuyo6u2o8ICSFDsTkOKCYldneaDt2LIPLidlmTndrqWV3nzOCQqbtz
-0DObTVVK0X/hXvSx2k2R71sf1fRLWSHMQBxwe4MTcyXfXqrjq3eRP2xRzGWrVXhu
-0U/PYBVPSW0Bfka4toTf8VpZLkwwVbg+9QOIpvGa0kNMsWWgyezLEOkZB1G1JXYF
-3FW6LTDP0h64/8xB8YcnttaGstwgEJjoS1W4CjaRL0tNKmRYS5Mu5+E=
------END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-expired.der b/tests/data_files/pkcs7-rsa-expired.der
deleted file mode 100644
index 508ec5c..0000000
--- a/tests/data_files/pkcs7-rsa-expired.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7-rsa-expired.key b/tests/data_files/pkcs7-rsa-expired.key
deleted file mode 100644
index de941d3..0000000
--- a/tests/data_files/pkcs7-rsa-expired.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCsHVYKBTgnG/MA
-sS124okboJU2uIkDPy9qRr0EICdx3gKQM62y9M4NErE9NivWKgLLWu8/1H4VRT2s
-LWN0GVOJYOTrpDzCStCWaWMp4w5MeAfZqfHz5c88Gpc1wxZ6xmkvOM9LLY4mywxj
-7PSy/KEckEhbLptxUjNgg08OoBQjWFWAe38/Qy7VofIoDpltWZg4MaDWAGclhBHG
-Zs1jhuTEmLfDceEeQzLsQ2vKudDOOrBUP/JBXq5QHLwM+52UKtdBeucHciQAf1im
-ZJ23Te9p7ZR3b21FYmsdlOAyTXc7bjiWHNhgJS61pmJNPcjaK5TbBF40KfMOY7Iz
-4ZUHJzIhAgMBAAECggEAb8pSIwoG0egmarGp7QjwswAXSsaLP4+ftXCivnZACIaB
-tbXLQWweFYGpmy9/Q4hf7kNvGE9lYV1q1FVavoLgrl8/8Qno6O19E+T5orA2jlZ8
-CtWGMLt4YfqHckT3aeFLWn+UrKi3Jt1Fe/XhbgwGfS39wTPBhNY2Rp6jD8XLrrRV
-jEBwCGZxRaoQxvf1hddyRob9INQiYxiqhkqkZsFRuuKhm28tv/6nrb3UOFEd6h1r
-9Cg2m0BGF7unmFRq3ZM/xJvhMSZlQE8UMpyiLAvs6vTUBlN8OKoTGQQgW8JeFwi8
-Dh1oUmw0JOnwiLA/1KPGSc7O6i+54ogNiK4N1U9X0QKBgQDTuB8pHdTyUfXKIm3R
-n9/xCAJ/NWJAXjcpUEwoI2BKsZkzhLMlPtT5F86CTOn8P2cxZwZixfgo84z3Mx2A
-2D03z4W9FsFsBA7bOY6mpdcupX6IogM7Tgguo+Rh/DwzI7KVgVqio/4YY1zw3kou
-FcfIIz5wb79UiFLs12gQUcQQBQKBgQDQHLOood0gGOpCwRTd4BnUnlX43w3WSobR
-0Za6rR76qJn13LMF/rBsq5gczvagI1jZ1N96O0qbkL2yPmFeH/ih6vNOgu4uCyv+
-LogBnN5yixXYkapRJ3gXZfAdBl2b9ihXJgvWV1YF/6QuLK2V/JTbUQQ8aboO8Vgv
-98WcbojgbQKBgQCYICozrv29h+ql7QsfnlKYq/qvULpiKdBU3R97j7+2q9m6zNS0
-JGt+9/4oXf+agiwxsSdDfaAMPMPDM3U1iSqjmXctINamOFw8ZST81RjCqaM7pb3Q
-tQboDFcjmMvgqvu8tQ9c4ZzIBU1YvUBr0LaWNcy9mW3O3Y1IJJbfcwD/yQKBgQCo
-QAwfsX0MjhgWj/NGzf8UHk5zPiH5tZb52vB5S61YCScv1pYFqrsHoFMCN3C8Vtdm
-hOuH7peK3aH/kN83MbHZdhHuz3uwTefrP8NFSoWtJTUsOdfwdHBqukc9r//OL1y9
-2EyJpWIux1b83bIZKHNQPFeoX/HEUupxHWft6I9QoQKBgQCDsbRTjU3beP+EGv9S
-OB7b4EnfTt//JGLjUWQEeZtZbCOCrvtMiZmVfWFmEk9cwBipB5Nczcbzo572jU4X
-cjfuoBmvV+IVOki5NfA2OwOwfsxGY6DZdNwIAJSOyr1xqUetW9KE6BJEVroMi5eO
-sBaxriPC7PYMrBLGnWX4Ysh1ig==
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt
deleted file mode 100644
index fe282ab..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUI2LNEq0VTrCDZpmJyvSG20rKV+MwDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDEwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqiVc1m06wYnKshqXSoOFDl
-iFW6F/3I/vVmD6/kyTmsZ425tiCiunmSR2rlJc7/2aWbTH0P3ut3dinnooUsSws8
-EwRTjSdECDzF96QTCIUvhMHINQfpQuxSr9leK3AvoiCPi3XUefKhTuoF1A/bTQx2
-QcNzJluQPAzdvUDFBZLdLImjJ7gid1j7KSRZHjVxnFPnolr1EELXDJs29RVup1in
-8fOaBIlHEArWuSgV2aQ7uVLuBHM8Nz0Y810PElgUaOCMxGvo/Ew4TpBJfDipSD2l
-WFPisxnBzjmq3byi+mARpr+BHxETvbrZ1uRbaIA6bzGL1PZlw/vMcvuTHu3yKMkC
-AwEAAaNTMFEwHQYDVR0OBBYEFBvPc+YWbxPtP3MFjmyrL6lQkJJvMB8GA1UdIwQY
-MBaAFBvPc+YWbxPtP3MFjmyrL6lQkJJvMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAJK7huNJR+TlkZBHiCtb0KMfljHRWPuAL6fW0mGvBDeZyRTH
-OzGdqgjnYzgYZ538pG7TsMGomrSQwlATfICKsf8dNSlnPqOiIPo2fdd8gr/tO7yl
-FG/KvXk0v5Dfs4RGUs7UYdmzncEYC2JsToFsD4jja+5tnY//NJRxkJdswfn+wBqH
-wN+y4qELdq+AEBKymbQsIwOBt3UdeVUwBBjtqJXFtET9yhqkqVxnb/i0jHrhjyiS
-Q/Y+T9s35+A6XlI6nSiJLDxMfgJVCWa2OtGI//aAlzlw+6dHiiJVVBHpZbW0YTY4
-qE7kjhPrddJYlB6k4S3ub9j4e87k0P0IyFptxw8=
------END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der
deleted file mode 100644
index ed29e40..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-1.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.key b/tests/data_files/pkcs7-rsa-sha256-1.key
deleted file mode 100644
index c6367fb..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-1.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaolXNZtOsGJyr
-Ial0qDhQ5YhVuhf9yP71Zg+v5Mk5rGeNubYgorp5kkdq5SXO/9mlm0x9D97rd3Yp
-56KFLEsLPBMEU40nRAg8xfekEwiFL4TByDUH6ULsUq/ZXitwL6Igj4t11HnyoU7q
-BdQP200MdkHDcyZbkDwM3b1AxQWS3SyJoye4IndY+ykkWR41cZxT56Ja9RBC1wyb
-NvUVbqdYp/HzmgSJRxAK1rkoFdmkO7lS7gRzPDc9GPNdDxJYFGjgjMRr6PxMOE6Q
-SXw4qUg9pVhT4rMZwc45qt28ovpgEaa/gR8RE7262dbkW2iAOm8xi9T2ZcP7zHL7
-kx7t8ijJAgMBAAECggEACirXl611yERng7iPRO59InOPKOzXID6XpgDHkgYJ5ZcE
-iYzvENsGRhFUTQ7jUyafM8x/5V62ZnbYwAVdGiLJDeRtryyDtNPcM0vEfkcqmaA/
-20J72yjvF60RpyoSEtqs7zVlAvK9MHMDBm/q6z59BM9fQFfJSz6y9hkb1R8HQGpc
-ktIBxqANvQ3XYzPwxBdECB6YH12t1UkCEFNmOVup7M/TpMBu79h4cd69Q709iOqP
-9kIOxABrRE7evWpwYHFCI7QfbRpFeY7I9b94NQULmOLKJm8QfYfXumzfIQ3gqUW2
-WyIOJc5zAftQ/7Ddu5CKbqsL7yBiMGxI4IHQZ/gEcQKBgQDBE3Fl8XW7JpP9J0vw
-VvCBGJgPOU7tn9JG082RUr0pi7HRiEo23zL37PvwPwjn81SkWmh9WcIQFm8Ip4Oy
-9sUMR0oInjU3PaAI2oRQCOPynod23wC4tVmjLrNBek8T2AnTtkvSZalooACNumgD
-Ef/hpMYDa2O9dTbjtqNOp2AOuQKBgQDNB6UGzwY+HDG444Ir/Q2s2XjOD1cvG3q8
-3NaSnIHuxJeUhYlBXmWsygpGLrq4i5h4EWPz8qKWQwBDwsZIBGisJFQcQzsXS9/Z
-+F8l555ikb/AsbZHrWw+miTauXT0xe1dbjkqqpAiiYfJFeDss32WqgaAUD28IK9P
-djR85p9ikQKBgHuRDPcYZKelFftjpfcoPP3yFodPvxLXQUVxElQaZtPrAp++IPkj
-OcRwWAE25mVEVvxknBD1W/zdzqv0QZZM1ml4SopfbmFvQDfKWfm65uAE01+hcx3D
-ep20KqcSNv/VONzVA4ug4p4CILiT/zNP1rq7sLrJhOjg1oNABR42goSJAoGAcs1N
-Ajr5a92tmbEKOkc/WQGMOxUr5Bym5QlivEUWG/PITElZSVjp5Y5bomCX/K1teg2C
-wh2iHDD3/PkavUh6s6jDz+91Lt41QX9pB3hhnx+tFuBrCEd6zLLS4AXoDwakmiQV
-rmZCvpPzjAzMHL2EHNCnQ0Gqz6QdhYjSav1XUYECgYBiv8t7WZFLIsi7Baa1oocv
-VU9WsohcqTGP8/i+J4fuRRVGDLl/jcBFm5dYzGVSbpBaM0qhfGIyaAmInHozxooR
-+izbLM5nSAO3fXEsPROEx9RwLxQmrs2Ee5W4qDajTm3VOhfQXHQf/z5o3xsdnQJt
-mbHCXPhmMn9O6jmrDlGeMg==
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.pem b/tests/data_files/pkcs7-rsa-sha256-1.pem
deleted file mode 100644
index deee4b2..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-1.pem
+++ /dev/null
@@ -1,48 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUI2LNEq0VTrCDZpmJyvSG20rKV+MwDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDEwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqiVc1m06wYnKshqXSoOFDl
-iFW6F/3I/vVmD6/kyTmsZ425tiCiunmSR2rlJc7/2aWbTH0P3ut3dinnooUsSws8
-EwRTjSdECDzF96QTCIUvhMHINQfpQuxSr9leK3AvoiCPi3XUefKhTuoF1A/bTQx2
-QcNzJluQPAzdvUDFBZLdLImjJ7gid1j7KSRZHjVxnFPnolr1EELXDJs29RVup1in
-8fOaBIlHEArWuSgV2aQ7uVLuBHM8Nz0Y810PElgUaOCMxGvo/Ew4TpBJfDipSD2l
-WFPisxnBzjmq3byi+mARpr+BHxETvbrZ1uRbaIA6bzGL1PZlw/vMcvuTHu3yKMkC
-AwEAAaNTMFEwHQYDVR0OBBYEFBvPc+YWbxPtP3MFjmyrL6lQkJJvMB8GA1UdIwQY
-MBaAFBvPc+YWbxPtP3MFjmyrL6lQkJJvMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAJK7huNJR+TlkZBHiCtb0KMfljHRWPuAL6fW0mGvBDeZyRTH
-OzGdqgjnYzgYZ538pG7TsMGomrSQwlATfICKsf8dNSlnPqOiIPo2fdd8gr/tO7yl
-FG/KvXk0v5Dfs4RGUs7UYdmzncEYC2JsToFsD4jja+5tnY//NJRxkJdswfn+wBqH
-wN+y4qELdq+AEBKymbQsIwOBt3UdeVUwBBjtqJXFtET9yhqkqVxnb/i0jHrhjyiS
-Q/Y+T9s35+A6XlI6nSiJLDxMfgJVCWa2OtGI//aAlzlw+6dHiiJVVBHpZbW0YTY4
-qE7kjhPrddJYlB6k4S3ub9j4e87k0P0IyFptxw8=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaolXNZtOsGJyr
-Ial0qDhQ5YhVuhf9yP71Zg+v5Mk5rGeNubYgorp5kkdq5SXO/9mlm0x9D97rd3Yp
-56KFLEsLPBMEU40nRAg8xfekEwiFL4TByDUH6ULsUq/ZXitwL6Igj4t11HnyoU7q
-BdQP200MdkHDcyZbkDwM3b1AxQWS3SyJoye4IndY+ykkWR41cZxT56Ja9RBC1wyb
-NvUVbqdYp/HzmgSJRxAK1rkoFdmkO7lS7gRzPDc9GPNdDxJYFGjgjMRr6PxMOE6Q
-SXw4qUg9pVhT4rMZwc45qt28ovpgEaa/gR8RE7262dbkW2iAOm8xi9T2ZcP7zHL7
-kx7t8ijJAgMBAAECggEACirXl611yERng7iPRO59InOPKOzXID6XpgDHkgYJ5ZcE
-iYzvENsGRhFUTQ7jUyafM8x/5V62ZnbYwAVdGiLJDeRtryyDtNPcM0vEfkcqmaA/
-20J72yjvF60RpyoSEtqs7zVlAvK9MHMDBm/q6z59BM9fQFfJSz6y9hkb1R8HQGpc
-ktIBxqANvQ3XYzPwxBdECB6YH12t1UkCEFNmOVup7M/TpMBu79h4cd69Q709iOqP
-9kIOxABrRE7evWpwYHFCI7QfbRpFeY7I9b94NQULmOLKJm8QfYfXumzfIQ3gqUW2
-WyIOJc5zAftQ/7Ddu5CKbqsL7yBiMGxI4IHQZ/gEcQKBgQDBE3Fl8XW7JpP9J0vw
-VvCBGJgPOU7tn9JG082RUr0pi7HRiEo23zL37PvwPwjn81SkWmh9WcIQFm8Ip4Oy
-9sUMR0oInjU3PaAI2oRQCOPynod23wC4tVmjLrNBek8T2AnTtkvSZalooACNumgD
-Ef/hpMYDa2O9dTbjtqNOp2AOuQKBgQDNB6UGzwY+HDG444Ir/Q2s2XjOD1cvG3q8
-3NaSnIHuxJeUhYlBXmWsygpGLrq4i5h4EWPz8qKWQwBDwsZIBGisJFQcQzsXS9/Z
-+F8l555ikb/AsbZHrWw+miTauXT0xe1dbjkqqpAiiYfJFeDss32WqgaAUD28IK9P
-djR85p9ikQKBgHuRDPcYZKelFftjpfcoPP3yFodPvxLXQUVxElQaZtPrAp++IPkj
-OcRwWAE25mVEVvxknBD1W/zdzqv0QZZM1ml4SopfbmFvQDfKWfm65uAE01+hcx3D
-ep20KqcSNv/VONzVA4ug4p4CILiT/zNP1rq7sLrJhOjg1oNABR42goSJAoGAcs1N
-Ajr5a92tmbEKOkc/WQGMOxUr5Bym5QlivEUWG/PITElZSVjp5Y5bomCX/K1teg2C
-wh2iHDD3/PkavUh6s6jDz+91Lt41QX9pB3hhnx+tFuBrCEd6zLLS4AXoDwakmiQV
-rmZCvpPzjAzMHL2EHNCnQ0Gqz6QdhYjSav1XUYECgYBiv8t7WZFLIsi7Baa1oocv
-VU9WsohcqTGP8/i+J4fuRRVGDLl/jcBFm5dYzGVSbpBaM0qhfGIyaAmInHozxooR
-+izbLM5nSAO3fXEsPROEx9RwLxQmrs2Ee5W4qDajTm3VOhfQXHQf/z5o3xsdnQJt
-mbHCXPhmMn9O6jmrDlGeMg==
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.crt b/tests/data_files/pkcs7-rsa-sha256-2.crt
deleted file mode 100644
index 2f0becb..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-2.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIULQiixEME/TOd8CzfFgp/HxWQOj4wDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDIwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANarbCe4NkIbeBjAEKWuHhA7
-haz080iy8N1Xbdr0Xa6llOLKgsDVNxkzW+WHRgJNZAtN8XgT7IubIrno9ygcBK5B
-b1E4/Butpfnw5aSJhW2uI8Wl7/xCvonEDd3jBQUA4cO8x3ie+7WcGJC2mUXlgUuJ
-jdvX7/px5DQuJwy0R3Vul0IOSBvzXVo9UOTYkmoQI2e2UcAk6aU3zQKK8Db5dmlR
-cA+sVCb9j1tEmSXQAj0XfXv0Sqijwr7MUYB9vUt2wYexC3b0SosqNqg7MYx6eDUJ
-adVvPwHW4VQh5Rv9TVYr9Rpc1pyfgjtvlnouPU+yROJ9VO0irbMY5LI2rAIpQksC
-AwEAAaNTMFEwHQYDVR0OBBYEFOozYBd7pxAmsVUtJwSQvRGNvKO9MB8GA1UdIwQY
-MBaAFOozYBd7pxAmsVUtJwSQvRGNvKO9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAJmOMP3gVqP0/vFqPdMjIa5Pjtwy02z4Z4uLplo/4K8CQp6T
-+XMfz+p/UDoglyAuZ34TQ/dnGMM9EFEBgm/O5dJHl442+FrortIEhzGo0QAf+XYK
-9HQKVk0a5ecVO9CZw2mduxMJ//r9GyFG0XSqpNqt2yi7UgcPsrq+2OqhzYngYmyr
-V5HtQzwBaIqwoXzhHIOX1pJg4GUxrhsaqInrhUM0VTdfpKcRlzFsimQ60LZ6GMcm
-rPy3oLs1ioVfYS7et0MnGhgSHIjBeocqYKchzfBk/NnF0eK+lJo+hrGk6F2rDJ4G
-ViNKP6MhMBzlZ73yTRTWZcYu6O+sg5cHwjlHhRc=
------END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.der b/tests/data_files/pkcs7-rsa-sha256-2.der
deleted file mode 100644
index a101435..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-2.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key
deleted file mode 100644
index fe78b11..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-2.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDWq2wnuDZCG3gY
-wBClrh4QO4Ws9PNIsvDdV23a9F2upZTiyoLA1TcZM1vlh0YCTWQLTfF4E+yLmyK5
-6PcoHASuQW9ROPwbraX58OWkiYVtriPFpe/8Qr6JxA3d4wUFAOHDvMd4nvu1nBiQ
-tplF5YFLiY3b1+/6ceQ0LicMtEd1bpdCDkgb811aPVDk2JJqECNntlHAJOmlN80C
-ivA2+XZpUXAPrFQm/Y9bRJkl0AI9F3179Eqoo8K+zFGAfb1LdsGHsQt29EqLKjao
-OzGMeng1CWnVbz8B1uFUIeUb/U1WK/UaXNacn4I7b5Z6Lj1PskTifVTtIq2zGOSy
-NqwCKUJLAgMBAAECgf8TtKi4/K/+YYckvnzIuLMJymz684FhqwtxRhVPhB8VaR3B
-s9VM3kWwioZlC4XhsDj+0KjZ3PpZ1mPZrQkDJY9Ib7lIO3LpF4ek6fgqonUdHF8s
-RY9CGN5kxxp+w9gyHWKcFTg6Wl3AzhNzNU/cmrTDulzLUYc19j58i8AJ6oKkxNcT
-gie9c38wDjZr67cynARkS9N94WkMsOQzM59TzOfukldsbwYISZahR/L9hgQqzcFL
-hxsrQbZ0M5XFziOjuDGzJZswbbTvkupqt0EwEXcI1jnvOtKPC50RaIY9y9sQYRPX
-RXFzUaBGKHjLWtEYQd/bXWTtCLx6C4FDRkOsVQUCgYEA69z8xq8lp77lD2gNsh3x
-o8cnnx3xcwnj+9bEDDKXgA1RBwnXpQ/Gq5Jme7zm9552xJXDQwckuJQ9/Fd4L8Zy
-ZjyOuYC6Mdc4ncwo1yT9Rv6ipSq/dsVKQbMYaOxtQ6Lce1wPyF32slu2mPlwOgIo
-w0Adl3MqC+Gk3ANcPWyJha8CgYEA6P86jw8MfaA4qTn6Zy1YEq17+8Chd15PA2E7
-NWdEL75Jr+Im9kTY+niWcZo6q/JKa5FokxrSB988NMK6Qd20d2gZijc1yHprC1fq
-W3RP9C2qvEOs+4+w38F63JkBXOyqh6+bqclsEDk5COoe2EdIevF4PQheWuQtbNHv
-7G5yECUCgYEApNTDMnakch5OJf4p1BhpDnPXlLNwUVzQHudwCrYweiTUQ371XT0x
-MiYVyNOy9cmgZrHiy6zqVLQEvZzDOWAOArS/aZQ0izBFOMG8qN4Iwtyg/ZxqQa6O
-vmtS28Cee24Nd4hW30gLZ4oAideIPoHTyt+7zmOFNthyRe9zPtnjIbECgYAfnrOV
-wpcRXXMTFDk1U2QGdODEk6nWB0h1zvY4EyGf0RUy92AOP92qcD8Kf8HCoAkVfBBT
-Fmq2gscq6dpZIfth0RDWPxPfdy2bxnyZmLlZC/GFxzFsml2IoDtKQMF8mOmzrFNV
-wW4W7Y0d9pflBheCB88niUE02I6JnBwRXBPCuQKBgD01VJsGqgFvlvjK0KVpPVCB
-KK0GPI5TFNSDjYSIG25Vm4lYmiWwr54iaqWvlK9SFXH0C9R1VAuU+uaY+8tGM4o5
-RO9mk0AvIJ4BC0FZHS2fHDld/37WO3rh66Qym6zgp02ZPYDSLXT18sf0SVMAzU7h
-2j60FMMEJPr7clx+n6xU
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem
deleted file mode 100644
index 71004b5..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-2.pem
+++ /dev/null
@@ -1,48 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIULQiixEME/TOd8CzfFgp/HxWQOj4wDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDIwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANarbCe4NkIbeBjAEKWuHhA7
-haz080iy8N1Xbdr0Xa6llOLKgsDVNxkzW+WHRgJNZAtN8XgT7IubIrno9ygcBK5B
-b1E4/Butpfnw5aSJhW2uI8Wl7/xCvonEDd3jBQUA4cO8x3ie+7WcGJC2mUXlgUuJ
-jdvX7/px5DQuJwy0R3Vul0IOSBvzXVo9UOTYkmoQI2e2UcAk6aU3zQKK8Db5dmlR
-cA+sVCb9j1tEmSXQAj0XfXv0Sqijwr7MUYB9vUt2wYexC3b0SosqNqg7MYx6eDUJ
-adVvPwHW4VQh5Rv9TVYr9Rpc1pyfgjtvlnouPU+yROJ9VO0irbMY5LI2rAIpQksC
-AwEAAaNTMFEwHQYDVR0OBBYEFOozYBd7pxAmsVUtJwSQvRGNvKO9MB8GA1UdIwQY
-MBaAFOozYBd7pxAmsVUtJwSQvRGNvKO9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAJmOMP3gVqP0/vFqPdMjIa5Pjtwy02z4Z4uLplo/4K8CQp6T
-+XMfz+p/UDoglyAuZ34TQ/dnGMM9EFEBgm/O5dJHl442+FrortIEhzGo0QAf+XYK
-9HQKVk0a5ecVO9CZw2mduxMJ//r9GyFG0XSqpNqt2yi7UgcPsrq+2OqhzYngYmyr
-V5HtQzwBaIqwoXzhHIOX1pJg4GUxrhsaqInrhUM0VTdfpKcRlzFsimQ60LZ6GMcm
-rPy3oLs1ioVfYS7et0MnGhgSHIjBeocqYKchzfBk/NnF0eK+lJo+hrGk6F2rDJ4G
-ViNKP6MhMBzlZ73yTRTWZcYu6O+sg5cHwjlHhRc=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDWq2wnuDZCG3gY
-wBClrh4QO4Ws9PNIsvDdV23a9F2upZTiyoLA1TcZM1vlh0YCTWQLTfF4E+yLmyK5
-6PcoHASuQW9ROPwbraX58OWkiYVtriPFpe/8Qr6JxA3d4wUFAOHDvMd4nvu1nBiQ
-tplF5YFLiY3b1+/6ceQ0LicMtEd1bpdCDkgb811aPVDk2JJqECNntlHAJOmlN80C
-ivA2+XZpUXAPrFQm/Y9bRJkl0AI9F3179Eqoo8K+zFGAfb1LdsGHsQt29EqLKjao
-OzGMeng1CWnVbz8B1uFUIeUb/U1WK/UaXNacn4I7b5Z6Lj1PskTifVTtIq2zGOSy
-NqwCKUJLAgMBAAECgf8TtKi4/K/+YYckvnzIuLMJymz684FhqwtxRhVPhB8VaR3B
-s9VM3kWwioZlC4XhsDj+0KjZ3PpZ1mPZrQkDJY9Ib7lIO3LpF4ek6fgqonUdHF8s
-RY9CGN5kxxp+w9gyHWKcFTg6Wl3AzhNzNU/cmrTDulzLUYc19j58i8AJ6oKkxNcT
-gie9c38wDjZr67cynARkS9N94WkMsOQzM59TzOfukldsbwYISZahR/L9hgQqzcFL
-hxsrQbZ0M5XFziOjuDGzJZswbbTvkupqt0EwEXcI1jnvOtKPC50RaIY9y9sQYRPX
-RXFzUaBGKHjLWtEYQd/bXWTtCLx6C4FDRkOsVQUCgYEA69z8xq8lp77lD2gNsh3x
-o8cnnx3xcwnj+9bEDDKXgA1RBwnXpQ/Gq5Jme7zm9552xJXDQwckuJQ9/Fd4L8Zy
-ZjyOuYC6Mdc4ncwo1yT9Rv6ipSq/dsVKQbMYaOxtQ6Lce1wPyF32slu2mPlwOgIo
-w0Adl3MqC+Gk3ANcPWyJha8CgYEA6P86jw8MfaA4qTn6Zy1YEq17+8Chd15PA2E7
-NWdEL75Jr+Im9kTY+niWcZo6q/JKa5FokxrSB988NMK6Qd20d2gZijc1yHprC1fq
-W3RP9C2qvEOs+4+w38F63JkBXOyqh6+bqclsEDk5COoe2EdIevF4PQheWuQtbNHv
-7G5yECUCgYEApNTDMnakch5OJf4p1BhpDnPXlLNwUVzQHudwCrYweiTUQ371XT0x
-MiYVyNOy9cmgZrHiy6zqVLQEvZzDOWAOArS/aZQ0izBFOMG8qN4Iwtyg/ZxqQa6O
-vmtS28Cee24Nd4hW30gLZ4oAideIPoHTyt+7zmOFNthyRe9zPtnjIbECgYAfnrOV
-wpcRXXMTFDk1U2QGdODEk6nWB0h1zvY4EyGf0RUy92AOP92qcD8Kf8HCoAkVfBBT
-Fmq2gscq6dpZIfth0RDWPxPfdy2bxnyZmLlZC/GFxzFsml2IoDtKQMF8mOmzrFNV
-wW4W7Y0d9pflBheCB88niUE02I6JnBwRXBPCuQKBgD01VJsGqgFvlvjK0KVpPVCB
-KK0GPI5TFNSDjYSIG25Vm4lYmiWwr54iaqWvlK9SFXH0C9R1VAuU+uaY+8tGM4o5
-RO9mk0AvIJ4BC0FZHS2fHDld/37WO3rh66Qym6zgp02ZPYDSLXT18sf0SVMAzU7h
-2j60FMMEJPr7clx+n6xU
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.crt b/tests/data_files/pkcs7-rsa-sha256-3.crt
deleted file mode 100644
index 03ce5b35..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-3.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUT1tppAbQpx6vLbVzRx/54bi0ehowDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDMwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1SO1OUqWVMqINj+MZPgE5s
-8sdFrVyXlt/3EqXNs6zUBr12Kj4USt5tmVyF1FxYsw76U1ZpeUUBIrQ62CyQgZtD
-l96tipHbxFneWXV0COrp+2rjWUDz3bY0lM39JCrOxlBDx/QYOJHm4HAeWPkg0F1R
-26kKLNUYxg54gtjnauleWefrMcV3S69RTJGlf3hVJ1fltz/yw8N9XG8XxANZT0Cz
-JV31yzLMxCTm2iBXXALSkw5QDVT+SD0mbkYT26bwtAvXptPjbC7ZrOxYyrmnhk2U
-aPVewp5ncrDhZpfKCXVG6qtSQ3zHu6WwBCk3hdZ9RpBMDMOm+VFl+rGgD46p2osC
-AwEAAaNTMFEwHQYDVR0OBBYEFGNzo9wwEk9/t6xxxpby/NRmNJRlMB8GA1UdIwQY
-MBaAFGNzo9wwEk9/t6xxxpby/NRmNJRlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAKJEmDyEmw8Q6mbaqREvmNScGrA60wONTQdlX3lny4VzqAzi
-MxIeCIfwSvR9Lho0lPmFMErdDPTUKzWmlAXUSlsyjnGrqP5uCixTUBZ9Ic1gaxDz
-Mere8nr7yow+I9euYNN1/dNJZP9mcrP269FGyTuM/8Woi+zaJHr0Y8K9TRRXudqP
-wu6X/qZ+OeQrW4WMeb1+eZ59FtRadamsQabxvtgkRJhmqNsGQ/i+S0SqGt2t2xvq
-lTxshA5p17bLQmTJsNKXbQeVPH99M+ecXvwN0hj3fDnQeDMTjdKOsyFupyZ+vxN+
-pFvT7lP0hrOuU07FFqt36B0xObB1QwZb2DPcEIw=
------END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.key b/tests/data_files/pkcs7-rsa-sha256-3.key
deleted file mode 100644
index 17c4eed..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-3.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDtUjtTlKllTKiD
-Y/jGT4BObPLHRa1cl5bf9xKlzbOs1Aa9dio+FErebZlchdRcWLMO+lNWaXlFASK0
-OtgskIGbQ5ferYqR28RZ3ll1dAjq6ftq41lA8922NJTN/SQqzsZQQ8f0GDiR5uBw
-Hlj5INBdUdupCizVGMYOeILY52rpXlnn6zHFd0uvUUyRpX94VSdX5bc/8sPDfVxv
-F8QDWU9AsyVd9csyzMQk5togV1wC0pMOUA1U/kg9Jm5GE9um8LQL16bT42wu2azs
-WMq5p4ZNlGj1XsKeZ3Kw4WaXygl1RuqrUkN8x7ulsAQpN4XWfUaQTAzDpvlRZfqx
-oA+OqdqLAgMBAAECggEAU51l9rBJsL2+H7Dw/VoUcE1Vip1Dk/x69YUVRmK/2/RG
-Pams/3th15WQ87bZWAIOcIgFJcx6pDPeuNaExMrTR1Oc5iGJ0ZM3TpyXM1lDLRVs
-dkAM+eQSKTjEdwEqJYT9/VisUhXYlJteV1Jx8bC8iSymspu5qQkV+xI9s9NxaTAd
-19U5NoozZRBS37lU3WxMhPCHCrbl6vwcfvtsZClEICA8YUKyS+wUh0wjzgkQrORT
-kaTxY8YyQ/ufSIkA3XKJX1flO1UdNFJcHhseiXWuuUTKUMvWNILUoFpbky5uYb5z
-VM7u57ZBF3uVHmvJNYS04iQdNkV1ZkpWH8opuQ1kyQKBgQD2jl6Y0qTy/s+g9aQ7
-ypZ0zi/lhIJaTBDqxwJA18e8+4kq3WEEBDD1X/eT44nVPhGy78ccJZCnw2PBHy1k
-6xVCfGAZVV850m9JGf4L/VEN6D5qdB2owJPVCEh7fa6hVvLKYFNCuvs0osKCVnyy
-PGq8ixAP5sJp8yoEnlUi0II3UwKBgQD2aU7xdQgba7uMu2rJo0bzDKfxv4q5nUYO
-XLBm7l+Mz6Uz68A/scLsKWmdvmdPKy83pmR/2RJ1pp0HNVfa8rL+0DHCqf1PApE+
-jFgcQIdnyzwRFHPDH/9zmrHUy32L5MdiQEWwqg9wP2HYbuv9VbN0Rn3HTFdRVarD
-hg36/hSA6QKBgBaH+iMTFNnT6Vt3NzPzln5EHWJnEpZ33w/lcdJFJc6iWe2d33DD
-hUnXJEPShlUDYBCvEs4CrM5375TFaZuQVBgIT6vg/lvFXEAc7Pdhhde0goet5sv2
-FUxhfmYynRPHY1aVKOavOaecvBO3HZwYI1TpjGU3nEqcWxmi8nrE/TFbAoGALGaD
-XAzLfi1maRBoSJcMNMVmCbCK7bFCK1pWSuXO/892pClpxdBhIC7CIjNp6CEO7Acm
-escBhYOVLfRVtVUgHbwkC0CYLUF4LH4bblPOUkyTsTwvM8yzOgB45LAaGjgKGVEd
-fZzXFVHGbrpl+YsUv/Hnvh6qaTR3ha3FHSHlTekCgYEA889EzlEOwmu69z06RJsZ
-mlYoR0/1xxiYmSNy+hXWoM64G99R94bc/bx/QSJAXu93HX4N0GHPmjjpZvk1IjHL
-zQGikdb2jvbKnRcR/4DiXQ1jggk59bCUDaQkpEbBvtCLj/LjMnwxAJAoCOGjuIxG
-hmSyoAlNQm47tGD3i+2erv0=
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.pem b/tests/data_files/pkcs7-rsa-sha256-3.pem
deleted file mode 100644
index 0dc2fe9..0000000
--- a/tests/data_files/pkcs7-rsa-sha256-3.pem
+++ /dev/null
@@ -1,48 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUT1tppAbQpx6vLbVzRx/54bi0ehowDQYJKoZIhvcNAQEL
-BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDMwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
-VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1SO1OUqWVMqINj+MZPgE5s
-8sdFrVyXlt/3EqXNs6zUBr12Kj4USt5tmVyF1FxYsw76U1ZpeUUBIrQ62CyQgZtD
-l96tipHbxFneWXV0COrp+2rjWUDz3bY0lM39JCrOxlBDx/QYOJHm4HAeWPkg0F1R
-26kKLNUYxg54gtjnauleWefrMcV3S69RTJGlf3hVJ1fltz/yw8N9XG8XxANZT0Cz
-JV31yzLMxCTm2iBXXALSkw5QDVT+SD0mbkYT26bwtAvXptPjbC7ZrOxYyrmnhk2U
-aPVewp5ncrDhZpfKCXVG6qtSQ3zHu6WwBCk3hdZ9RpBMDMOm+VFl+rGgD46p2osC
-AwEAAaNTMFEwHQYDVR0OBBYEFGNzo9wwEk9/t6xxxpby/NRmNJRlMB8GA1UdIwQY
-MBaAFGNzo9wwEk9/t6xxxpby/NRmNJRlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAKJEmDyEmw8Q6mbaqREvmNScGrA60wONTQdlX3lny4VzqAzi
-MxIeCIfwSvR9Lho0lPmFMErdDPTUKzWmlAXUSlsyjnGrqP5uCixTUBZ9Ic1gaxDz
-Mere8nr7yow+I9euYNN1/dNJZP9mcrP269FGyTuM/8Woi+zaJHr0Y8K9TRRXudqP
-wu6X/qZ+OeQrW4WMeb1+eZ59FtRadamsQabxvtgkRJhmqNsGQ/i+S0SqGt2t2xvq
-lTxshA5p17bLQmTJsNKXbQeVPH99M+ecXvwN0hj3fDnQeDMTjdKOsyFupyZ+vxN+
-pFvT7lP0hrOuU07FFqt36B0xObB1QwZb2DPcEIw=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDtUjtTlKllTKiD
-Y/jGT4BObPLHRa1cl5bf9xKlzbOs1Aa9dio+FErebZlchdRcWLMO+lNWaXlFASK0
-OtgskIGbQ5ferYqR28RZ3ll1dAjq6ftq41lA8922NJTN/SQqzsZQQ8f0GDiR5uBw
-Hlj5INBdUdupCizVGMYOeILY52rpXlnn6zHFd0uvUUyRpX94VSdX5bc/8sPDfVxv
-F8QDWU9AsyVd9csyzMQk5togV1wC0pMOUA1U/kg9Jm5GE9um8LQL16bT42wu2azs
-WMq5p4ZNlGj1XsKeZ3Kw4WaXygl1RuqrUkN8x7ulsAQpN4XWfUaQTAzDpvlRZfqx
-oA+OqdqLAgMBAAECggEAU51l9rBJsL2+H7Dw/VoUcE1Vip1Dk/x69YUVRmK/2/RG
-Pams/3th15WQ87bZWAIOcIgFJcx6pDPeuNaExMrTR1Oc5iGJ0ZM3TpyXM1lDLRVs
-dkAM+eQSKTjEdwEqJYT9/VisUhXYlJteV1Jx8bC8iSymspu5qQkV+xI9s9NxaTAd
-19U5NoozZRBS37lU3WxMhPCHCrbl6vwcfvtsZClEICA8YUKyS+wUh0wjzgkQrORT
-kaTxY8YyQ/ufSIkA3XKJX1flO1UdNFJcHhseiXWuuUTKUMvWNILUoFpbky5uYb5z
-VM7u57ZBF3uVHmvJNYS04iQdNkV1ZkpWH8opuQ1kyQKBgQD2jl6Y0qTy/s+g9aQ7
-ypZ0zi/lhIJaTBDqxwJA18e8+4kq3WEEBDD1X/eT44nVPhGy78ccJZCnw2PBHy1k
-6xVCfGAZVV850m9JGf4L/VEN6D5qdB2owJPVCEh7fa6hVvLKYFNCuvs0osKCVnyy
-PGq8ixAP5sJp8yoEnlUi0II3UwKBgQD2aU7xdQgba7uMu2rJo0bzDKfxv4q5nUYO
-XLBm7l+Mz6Uz68A/scLsKWmdvmdPKy83pmR/2RJ1pp0HNVfa8rL+0DHCqf1PApE+
-jFgcQIdnyzwRFHPDH/9zmrHUy32L5MdiQEWwqg9wP2HYbuv9VbN0Rn3HTFdRVarD
-hg36/hSA6QKBgBaH+iMTFNnT6Vt3NzPzln5EHWJnEpZ33w/lcdJFJc6iWe2d33DD
-hUnXJEPShlUDYBCvEs4CrM5375TFaZuQVBgIT6vg/lvFXEAc7Pdhhde0goet5sv2
-FUxhfmYynRPHY1aVKOavOaecvBO3HZwYI1TpjGU3nEqcWxmi8nrE/TFbAoGALGaD
-XAzLfi1maRBoSJcMNMVmCbCK7bFCK1pWSuXO/892pClpxdBhIC7CIjNp6CEO7Acm
-escBhYOVLfRVtVUgHbwkC0CYLUF4LH4bblPOUkyTsTwvM8yzOgB45LAaGjgKGVEd
-fZzXFVHGbrpl+YsUv/Hnvh6qaTR3ha3FHSHlTekCgYEA889EzlEOwmu69z06RJsZ
-mlYoR0/1xxiYmSNy+hXWoM64G99R94bc/bx/QSJAXu93HX4N0GHPmjjpZvk1IjHL
-zQGikdb2jvbKnRcR/4DiXQ1jggk59bCUDaQkpEbBvtCLj/LjMnwxAJAoCOGjuIxG
-hmSyoAlNQm47tGD3i+2erv0=
------END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7_data.bin b/tests/data_files/pkcs7_data.bin
deleted file mode 100644
index 40ee264..0000000
--- a/tests/data_files/pkcs7_data.bin
+++ /dev/null
@@ -1 +0,0 @@
-Hello
diff --git a/tests/data_files/pkcs7_data_1.bin b/tests/data_files/pkcs7_data_1.bin
deleted file mode 100644
index 78c6bae..0000000
--- a/tests/data_files/pkcs7_data_1.bin
+++ /dev/null
@@ -1 +0,0 @@
-2
diff --git a/tests/data_files/pkcs7_data_3_signed.der b/tests/data_files/pkcs7_data_3_signed.der
deleted file mode 100644
index 23181ae..0000000
--- a/tests/data_files/pkcs7_data_3_signed.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der
deleted file mode 100644
index c3d8642..0000000
--- a/tests/data_files/pkcs7_data_cert_encrypted.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha1.der b/tests/data_files/pkcs7_data_cert_signed_sha1.der
deleted file mode 100644
index 878e9ec..0000000
--- a/tests/data_files/pkcs7_data_cert_signed_sha1.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der
deleted file mode 100644
index cc48123..0000000
--- a/tests/data_files/pkcs7_data_cert_signed_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der
deleted file mode 100644
index 75bdf0f..0000000
--- a/tests/data_files/pkcs7_data_cert_signed_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der
deleted file mode 100644
index 950db20..0000000
--- a/tests/data_files/pkcs7_data_cert_signed_v2.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der
deleted file mode 100644
index cb97b9b..0000000
--- a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der
deleted file mode 100644
index 63d7194..0000000
--- a/tests/data_files/pkcs7_data_multiple_certs_signed.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_multiple_signed.der b/tests/data_files/pkcs7_data_multiple_signed.der
deleted file mode 100644
index cc441fb..0000000
--- a/tests/data_files/pkcs7_data_multiple_signed.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_no_signers.der b/tests/data_files/pkcs7_data_no_signers.der
deleted file mode 100644
index b75c991..0000000
--- a/tests/data_files/pkcs7_data_no_signers.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_rsa_expired.der b/tests/data_files/pkcs7_data_rsa_expired.der
deleted file mode 100644
index 63af49d..0000000
--- a/tests/data_files/pkcs7_data_rsa_expired.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badcert.der b/tests/data_files/pkcs7_data_signed_badcert.der
deleted file mode 100644
index c74d69d..0000000
--- a/tests/data_files/pkcs7_data_signed_badcert.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der
deleted file mode 100644
index ba629dc..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der b/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der
deleted file mode 100644
index dbe9320..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der b/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der
deleted file mode 100644
index 198b929..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der b/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der
deleted file mode 100644
index f613e3d..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der b/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der
deleted file mode 100644
index 0e64767..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der b/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der
deleted file mode 100644
index caaa305..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der b/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der
deleted file mode 100644
index f7e0df4..0000000
--- a/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_with_signature.der b/tests/data_files/pkcs7_data_with_signature.der
deleted file mode 100644
index b98cab6..0000000
--- a/tests/data_files/pkcs7_data_with_signature.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_data_without_cert_signed.der b/tests/data_files/pkcs7_data_without_cert_signed.der
deleted file mode 100644
index 390361f..0000000
--- a/tests/data_files/pkcs7_data_without_cert_signed.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der b/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
deleted file mode 100644
index 0fbc65b..0000000
--- a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der b/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der
deleted file mode 100644
index 4f059c2..0000000
--- a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der
deleted file mode 100644
index cd77545..0000000
--- a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der
deleted file mode 100644
index 5efa3a9..0000000
--- a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs7_zerolendata.bin b/tests/data_files/pkcs7_zerolendata.bin
deleted file mode 100644
index e69de29..0000000
--- a/tests/data_files/pkcs7_zerolendata.bin
+++ /dev/null
diff --git a/tests/data_files/pkcs7_zerolendata_detached.der b/tests/data_files/pkcs7_zerolendata_detached.der
deleted file mode 100644
index 5f9b62e..0000000
--- a/tests/data_files/pkcs7_zerolendata_detached.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/print_c.pl b/tests/data_files/print_c.pl
deleted file mode 100755
index ce8ed6f..0000000
--- a/tests/data_files/print_c.pl
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env perl
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-use strict;
-use warnings;
-
-if (!@ARGV || $ARGV[0] == '--help') {
- print <<EOF;
-Usage: $0 mbedtls_test_foo <file.pem
- $0 TEST_FOO mbedtls_test_foo <file.pem
-Print out a PEM file as C code defining a string constant.
-
-Used to include some of the test data in /library/certs.c for
-self-tests and sample programs.
-EOF
- exit;
-}
-
-my $pp_name = @ARGV > 1 ? shift @ARGV : undef;
-my $name = shift @ARGV;
-
-my @lines = map {chomp; s/([\\"])/\\$1/g; "\"$_\\r\\n\""} <STDIN>;
-
-if (defined $pp_name) {
- foreach ("#define $pp_name", @lines[0..@lines-2]) {
- printf "%-72s\\\n", $_;
- }
- print "$lines[@lines-1]\n";
- print "const char $name\[\] = $pp_name;\n";
-} else {
- print "const char $name\[\] =";
- foreach (@lines) {
- print "\n$_";
- }
- print ";\n";
-}
diff --git a/tests/data_files/rsa4096_prv.der b/tests/data_files/rsa4096_prv.der
deleted file mode 100644
index 86ea818..0000000
--- a/tests/data_files/rsa4096_prv.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa4096_prv.pem b/tests/data_files/rsa4096_prv.pem
deleted file mode 100644
index b674aa0..0000000
--- a/tests/data_files/rsa4096_prv.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEA5F2mqEsdntPAEij6HfCYnKiLMGnm6PcfsaFYeFYO1EufOjN5
-ZJP90cr3CrCnN9JOAdpBbTpzA0RcIcAdWBzvNNAtIMvSfi22WJYVjzD0Bvs2rCYH
-76Yc6vfx7y9zXZcanh8S/2t7B64xmxOWL4RE+f8HWTijAWlyUFDk+DuJWpQK2o0b
-hE4S8mX+uUl3afNW5CiPsRky1N1v4a7/J2b7cG+7pDWUcjnvmNCN84v+gSucXfKg
-/LiAnZgY7xih2ePEhkkIqn6kU0cVBQj1cZ7hXGRaZ/MnqZ2y+KjiuFot2saNk/v0
-vjjW+xOx76qJV99LtN/1qvCYnO1RqMv2EM8WhErLcgiRrihzaz3a2GaumL30CcNi
-xrEXRyEjFaO/klqkpuZRHTtyUnkvhUkPUHuHn45XPxZ7a2XRyrSbFyyS0amTjQwQ
-CveSRiJFjK5TZ56CVGKF/DmuLSHeTY3vwi+WXVdKMYQ6Zi9jwFJo/S4TRpzp+DTS
-H68FrFRqE1+qIVyWQjmhWxuvPhqVkG0IT7CZ0M8lWesysyI759f5D8DhEp/KbWLD
-eXWCzcNSbgWGHW5JA+fCV7+8m0PqodIy5D8Lhwm2tI5dA6Qcro8X127RWVaVsN8L
-Izdf1THXfnZIm1fDBNUfhXapKfnFV8EvALFX2Gy8M3kZQ3slaGegILfqRKcCAwEA
-AQKCAgBg8z1gr1so5b7iNtFQyqcPwyIscJleiCPFdrknhWmQSXaU7+t2frnASkmt
-GSg0s6z4bl9ebvULCweOMJCEquwG4OZ3yPBZLzD91OHcQ60mFZq1ZQPzgvM98fud
-TujMb+0V+h1HoKq/rP1UV/FnxOC/vbyx7TCO1eR5Io7CsAv1D2q4NDXdaoPyssh8
-gysWKP/Xpzyxs//3jPcFuhSK9taCen0QDssx31TP7KKHJgTrc8dTv0EHaZD41uym
-/S8hYOg7FmB+eXtr+355/76r+Qa2Aci73ugUw2WK2bA/EdHr0mWi0NGrvFfQiiD9
-ncnnK15psLcMVk6EOOB1J/oUUsa8n6/lQiTJYRfFlf0hr+mbMEgdfImM2Xn4wF8Y
-Ovapp8Gj/XO7FVVaWW8dIVUrgyrCuOz5SW11Pb0/KFebzOQytST0S3z1j55bUl5L
-mDxR0rJU+fMvbdJvMgHgi6YYI1MBbSFmK7/Ue9HZaGxfUPBqXJetOgAJnuoWUqO4
-AtpYbLaIiqvdIDi1xF4jDMGIoOl7CnFzU9B3PjCkX4aGdARpXqRABwFT9bpf1lWe
-DsEhbIg4/qTWKcA6DxIXaDhgP9eH6NDWS6WKb8L1SZ3mMytjaCxKsV6p7p9DjJR1
-dwOmY0Hv7eBYhjVYUj3ybZs6dfFlIg+M5RtarlOsFhZJ9nVhEQKCAQEA/l0FHos6
-k5c1726blx7zlRm9mOt+rV1nbEOSZUny++oXGyXrUYvX5NX+p8soF0Im9dCuiguQ
-sdKNK6DZCIayennwwEncjKWH+O9VahXxMS9RwtaRDNWJRx3SP6b2s4T1W6PVZdTd
-K7MlMB182ckvs67WQ2hMHNcKrTHuTddpAYSD5Lh/QYD6IdWqs6lwLAtmL7/WTkN7
-XdPhzVfCXLjeBBqr7PakNM9qI7duw29QpSfnArshDmvwiuVOGVGCcm4qB1RV0sQg
-KQJ5nt9X5VoK2SMDR2IzYbq5I/wexiHIbr4kThaGok55lGiCNRjkane+/rSOirZX
-Yo0sJ3RTUrBLyQKCAQEA5dXPAYF7lAo3Xpwo0Qou9IFc0qtiFK9pAp0q81DSbDJC
-lkZOMm/ofzE6vF6jxja2skXccbEhIDu876m9370uRUAAmfimAdmRhUk+JzrlHXxO
-tFSxbyG0iCmwtCSZmiBcMfvFJ/5HepBhxbUDBIc6Pi8EOgjcQdnJYr60KJxbovK0
-wr9mnwwaK7SrE+mX5vN2aOwGpG9n61ibUT1aELR9alOZ8H4SlhLtZvgP02YoOCSW
-BKKe44fbOk/qUlZG1D6O6/H/OMT4TMyYgaswy0QuMHTjOBXrkAmVSch5dwo0eoxx
-dFhn31nF9S5rBZt/PdBPR3imz7U6MoBh6/8olHFk7wKCAQEAxbOTGQxqOPDccP7t
-W+YouQjKvqK7URA6JIHYtXVmsLpfvzAX2Mfyw+A4ED7tKDa4hXLvVkhq7GuUYgag
-6emXq24/25UNIRw/tRKAtvXbA7mduOyAzRLjoizhj6u8MAf1lIaghIeQaDjTfLRO
-qA+hTe1kh/v2vKu/lqIqcMIu0Ykn4owsDMOspsOl7AKUNwedIxvd+/KjXmgjJzFA
-1kSx+0qnuoRxWMKl4qDeLHTGn7eF7C96H/VxfuN/clpSI5LQg+Xe1vStcnKECSHa
-9V6o8+As2jzPZvR0li2N1b3IRZrwKOmFN337LYiVO6PfVYlBIENCTzoubWEAoqHd
-aXWxUQKCAQEAuMDYuLMnbeeQfuM1BGUVPcNHpKnUHCCtX0aMIi+UFxmH4Vj+vxiq
-YqRmPMovCMUus7vo6xOiN1EOHfHrChH/QfejBCKW/+GvUt9/sPVs+/jTI675OwZz
-IwmwW/8X4oek1SE4aV/EgcfScKWDmX5C2X3d/fDlbaHuewwlsoeOOjy0BeDqU2vd
-FckTxNwAGc0YIFurMz/C37LIl9OjtM4CCxjNJD+UHUN1x1IdFqiGKCtw1KUM6IZr
-OkLHcAyevzrSlORhb3cWylWlOocsoBlcr+MmTA2C4LRzZ25aBdEUQnbnNMlkJmz5
-7o+zxDwtWrk7IY7hORLLh5EgJh9ktX85zQKCAQAZILSp21azS3KzKdAvq5u2KVAV
-GumDf1douO5o+5HjV2Kcf5tkzj4A1ffVZKt7auZCNURAG4jaNIccScZBz33EtCuB
-wvRQp5f8DN9EQH4yjaNIbPkFrKzgz5AY08n10PBm+X3cY48P27oR/IDfr2wVtCAE
-UufjLZCkuUjdCFD1wJSCj7LNwjZURuCTocvtaa7HEqnjW9VB4aAbdtf53WRsbYwt
-ZFEWVp8sYc917I6OUJFQcT7jxbv4kbUAXICLaLtaLW2bWfdRtFQSo08pmZAKxxCv
-6Vu5VLZ8LGLVkpie8FEaYd/89gEsHh6HgY9LsJN7WxoaJn1sLmEtmyw9xRSW
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa4096_pub.der b/tests/data_files/rsa4096_pub.der
deleted file mode 100644
index 270bf3a..0000000
--- a/tests/data_files/rsa4096_pub.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa4096_pub.pem b/tests/data_files/rsa4096_pub.pem
deleted file mode 100644
index 15d13d3..0000000
--- a/tests/data_files/rsa4096_pub.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5F2mqEsdntPAEij6HfCY
-nKiLMGnm6PcfsaFYeFYO1EufOjN5ZJP90cr3CrCnN9JOAdpBbTpzA0RcIcAdWBzv
-NNAtIMvSfi22WJYVjzD0Bvs2rCYH76Yc6vfx7y9zXZcanh8S/2t7B64xmxOWL4RE
-+f8HWTijAWlyUFDk+DuJWpQK2o0bhE4S8mX+uUl3afNW5CiPsRky1N1v4a7/J2b7
-cG+7pDWUcjnvmNCN84v+gSucXfKg/LiAnZgY7xih2ePEhkkIqn6kU0cVBQj1cZ7h
-XGRaZ/MnqZ2y+KjiuFot2saNk/v0vjjW+xOx76qJV99LtN/1qvCYnO1RqMv2EM8W
-hErLcgiRrihzaz3a2GaumL30CcNixrEXRyEjFaO/klqkpuZRHTtyUnkvhUkPUHuH
-n45XPxZ7a2XRyrSbFyyS0amTjQwQCveSRiJFjK5TZ56CVGKF/DmuLSHeTY3vwi+W
-XVdKMYQ6Zi9jwFJo/S4TRpzp+DTSH68FrFRqE1+qIVyWQjmhWxuvPhqVkG0IT7CZ
-0M8lWesysyI759f5D8DhEp/KbWLDeXWCzcNSbgWGHW5JA+fCV7+8m0PqodIy5D8L
-hwm2tI5dA6Qcro8X127RWVaVsN8LIzdf1THXfnZIm1fDBNUfhXapKfnFV8EvALFX
-2Gy8M3kZQ3slaGegILfqRKcCAwEAAQ==
------END PUBLIC KEY-----
diff --git a/tests/data_files/rsa512.key b/tests/data_files/rsa512.key
deleted file mode 100644
index 1fd7987..0000000
--- a/tests/data_files/rsa512.key
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBALB20jJQgW+aqwIwfkUrl/DK51mDabQWJOivx5caWaE4kvZLB+qm
-7JKMFgstbsj50N1bY8izrAdntPZciS9WwQ8CAwEAAQJAKYfNcIoB7II6PQmsrhrU
-Z5dZW3fSKNANX7X/A1DwR0DlF8uZnpWsWbYcRoXX7QjvepZqc54wryhW55Wlm6yI
-AQIhAOJIaLjSpbHjzzcJQ7mylxn2WGIlbJPPzJ9OaFZCZQvxAiEAx6OEAvl6JKa6
-6a+N2Wvhtcgb4qqR6UHQGJQYGJz5nP8CIAvgoR6ScAAWZRoOcm+c4DGMrLb6H+ji
-T2tNQkzEz2kBAiEAmw34GStU36STpa6RGJ4+tyZN6jWakDVqf7x+HpfFE1cCIQDc
-KzXIxec2taye4OeIa1v4W/MigMmYE9w93Uw/Qi3azA==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa521.key b/tests/data_files/rsa521.key
deleted file mode 100644
index 0b940aa..0000000
--- a/tests/data_files/rsa521.key
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPQIBAAJCATG2mGDzy5v4XqNY/fK9KZDxt3qA1qT9+BekPdiWvffdJq+KwCN/
-Um4NM7EFyXH9vU/6ns6Z/EafMez0Kej1YsHDAgMBAAECQCdoYjwdMSHp4kksL5Aa
-0kDc58ni0chy9IgXo+FHjTVmR9DkaZANrwfVvYMJxqYCZo0im1Dw7ZJBUDJQNXnl
-ZokCIRiSk66I24AWa7XGUFvatVwXWi2ACE4QEKqzWQe1mQ24/wIhDHD1TCKpqucA
-XDI+1N7EHs+fN4CfTSWe8FPGiK6q3VM9AiESrKKLi/q011U4KeS8SfR2blDcL2cg
-XFkuQWqxzzLoGOUCIQmgl5E0+Ypwe0zc7NYZFDarf4+ZjqxKQnXCvk0irMHcGQIh
-EVPli6RQb3Gcx7vXJHltzSTno7NElzBDRMBVUlBmVxAJ
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa522.key b/tests/data_files/rsa522.key
deleted file mode 100644
index 18fbe70..0000000
--- a/tests/data_files/rsa522.key
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPgIBAAJCAtMCdT492ij0L02fkshkdCDqb7yXwQ+EmLlmqVPzV2mNZYEGDf4y
-yKuY20vFzirN8MHm5ASnWhMoJVDBqjfTzci/AgMBAAECQU05ffxf7uVg74yC9tKg
-qCa746NpMh3OM+HZrUxiOXv0sJMRXNEPD5HNLtgcNY6MI5NYbUvkOXktnFZpxWYP
-TH7BAiEeFJGs5Z6gRd2v/IbYLMFDHgjqho04INGTOvnyI7lGVKUCIRgJM7moFuoM
-UrKTmJK1uOzauWEykCKgc6BGH6TGZoEWkwIhBzQn2v82qO1ydOYGKRk2w2sa+Yd1
-pH5/kkHqf+m8QjKdAiEQ9eVW+4J30wxD0JyX4b1E/S5UpN5KYNhWX0US+6D3NBsC
-IRxePzdQlutZWg0Cnku3QE1tOLBCFlP7QVVl5FbKcY5H5w==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa528.key b/tests/data_files/rsa528.key
deleted file mode 100644
index fd463b5..0000000
--- a/tests/data_files/rsa528.key
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBRQIBAAJDAOMcJG1GSFmEJh/RdMqz1DVzRGAuzXk8R9vlQlLTe7NQvGNDWbGV
-FVQggORySktnIpG+V8dkj1Finq7yNOhH2ZzGXwIDAQABAkMAsWYyLglQSlwnS4NZ
-L1z4zieTqW3lomWr2+BgxkHbxl2w0Rx4L+Ezp+YK6mhtIQWNkoytPvWJJMS7Jrkg
-agMAHQJBAiIA+F1y5GO0Bv+igsNLXwwtbCqs8hAkavU9W8egt/oDbhzbAiIA6hds
-PZp/s1X7n7dwfmebSs+3vLZFuQfifN8XZLw0CXHNAiEuEzgDQrPdMIN3er96zImI
-rYoUBgabiQ9u/WPFfa4xOU0CIgDDYC089Tfjy72pPgcr2PkpZVhqro5esg/8PI5f
-yxx7TXkCIgCYoE8Y5IxomtL1ub1AQzPe9UyyUGzQB1yWeiloJh6LjxA=
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_multiple_san_uri.key b/tests/data_files/rsa_multiple_san_uri.key
deleted file mode 100644
index c8c3492..0000000
--- a/tests/data_files/rsa_multiple_san_uri.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxc5q8z8XR6vH2
-1Ko29Mk3dOKpSOrX9Tb5HtmCQMoKIxnTUQrNkVeOQtiQt6XZo05cbA6Z87kWDgGJ
-P/5Lxofrx13Rp1xZzZ+0AAPfvUCY5tzZwmicQWvu9st6JwTyaLTCzSt0cPTUs5Hi
-hJt9RzSW6GTk5ANjjgoewOMhwh5f84JRURJ2INZjz4namBGe/9f14ZHxKWuxl5in
-+z582rSEhLXrPLbaKjT3Jphff51xsusC+pP0xNqkAcrGJ+/Jk0Vk6ClRCd40ZcTB
-4SkOqsZ8/uGWnradkrN74PoMMnSKKOuxlsVMPfzMkrlMbuazO4nK/osTAnoSqMUv
-COBdXkTtAgMBAAECggEANVlTIQa6K3UeD546GlGXmQOcDVbtu8VuJJFgxScjVs7c
-uco4nDrg/tUb9M4xn2/YZDLcZO6AK6BEV/YURsXGIV2L2DcfraQDKoOCpqZoIE/v
-/8vR1YBZqbsqy2ulshdGmPZD5Tr8cGIYLui9MnnQ1rnBc4sVdb3DTyGgZ4rLxP6X
-0BoHw+LQA0wwSbE/NW71qmeDSEDkSkUQISVg6Rp06U0PZaJAWtYoBNKGAsDGAhjc
-vVTXE5B9d+3yOM0InCWFsM/bUvaUv/yxxTcZnVq9Lji3KwDhy63F99pUaFnV6Rf2
-3CKO3VHegWSwMcnYaBbufDqWPHuEDSlZ0nRhrbrKRQKBgQD6dQd0xPHfxIz5l+AC
-1kPHIsUKPEirrJKTVHlxQwT0yVpD+yUkF95HY6NgHVHKnRP9qicqr3raIfA01VQc
-y+lhXo6xUAqYsKvB9m4njERFWMTCVSVU30Klhic/s4R/1abKlvkax1SiQFIRStqC
-onsZ0M1Isw69/I8Yha3mzv/gvwKBgQC1YPXnd5dZmdbe0UibBWjU5X6AQGt+oxL+
-+6EP3EfuRmYI3i3r2bdbB3ELd95f8tgV0UagmjQfFoigBsuRfbhrQEPSHMBWYpAV
-+TZKxUvmpJXwLEgxcPv7VTTvxw0qL1u1s/dX6WBfEOUgVzPgcp+IJGEr1MZekTqt
-P65coDpZUwKBgAmrLuiBGd1Lly2jgVBauS8c1oJ4pU2LUfVCE5Ydwjk49LUfIuXr
-zfbvj8UMHLY3rifiw7RQJev5124StjaOYKoTnmqV7nLKjzbjroj0T0ZmEOJ3qwNF
-wyrkrOs2oOzWcKPthBxWiZvh48krHJhicWIjv2kJEI6hC10k+/unDhW9AoGAZyRg
-MeRb+OP2wHaapy0IVCi9Kwl3F2h8oOtOx8ooTWNTGq/dxUTlc6pjqnXbyww5vQ5o
-72NBSHxz7SxwDqhDexnsd0tKRNV/wj8ZlKNlah8l9JH568OoR2BI3iF/ZwHPUSCq
-Ax//YZAl+6IbKgOEnNKzP02cEKLdjy+rY5jqFWkCgYEAmEl4mg1IGoVDM6d3iIPP
-JLz5DghV8kP++99vFrJx07D6e/uhzojR73Ye+fq69Vy0yjGXpaRPwwHfvPzDA1hm
-ir7rJWsbbskR+iTn2yKvIpB1wBI1u0SQ4lnJ1ZIVJPVlh4yA29JvPT7/7/2nQ/s6
-v0N2oKrfaiKc7BjCz3eYW4Q=
------END PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_3des.pem b/tests/data_files/rsa_pkcs1_1024_3des.pem
deleted file mode 100644
index 1bc87c9..0000000
--- a/tests/data_files/rsa_pkcs1_1024_3des.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,4A004A85A2D2D627
-
-Ls3vMslumxSeBR4o+oncq359q0k0rDTO5FIFxcw7psy6ggd9Vpr3AdIq9qvevmuB
-2t1KtlcHoI+Wi+PkpukHCpCvM0Kju19PQuNSvn6eFtR9VOwgk6x+j9x9ZeZp0Qks
-BgsGzGubqdN3ze7CEwYGM6CvVpoP3qNC9hR6IogZ9VPTjZ0vM92cm4foSDSABxGt
-Q37bLE1OKOfcCTvqx7/r+4U5Z47okeXvOS/Hf7yzayF9ZHuS0hCr+jGWl7qBWNyE
-Ze7ITQ19RA7YS2nlvCvq/8rfduQsJyZTV0gIultM3tZ9qNwr1i5yp7Iq4U6O8SGC
-cR/95R0Z8PMN2DSXoMJBsSRbK32r2GXJoGjvg+4R0UoTbc1MhUTtsoclIz98lsHk
-zVxgPMzk4mEmQGaKVp/wa1ji+9joTkcv3cALHxTtNcE/dElAHBYjjJ7r9V4uAv3t
-jay7R8SIPPh7iyuY4NTtDA5m8yyBKt7v6K5hb2WhT4aucWXHYTize+TxSTpekhrG
-J0EEz5zhWsrLhXHV1KcGDIHVXlMnu7LCGyVNFCWKRBXIbZaujed0xwWgjfXKbkYd
-MKePX76g5OyKFGGcv5KUknlQJhoRElrSz6pywbpwkl0Xqc1dusy1sZ9b5Uh6zjNc
-r5sBvj1k7iK27bzdEuL1I3DEcUdmXLNF3dehNo4v5WQL5iBePLoFSxyL8EJkMQOx
-fpwoutPzE7l71To1zmE3pmFdZbEXTfjcfqkRy9b4t57gUuo1UEhYYxoB0D0i+BkH
-T0ZmJl4Qp2euaaMqYYN2E9FJAyrmpwBMvtgs5oprXRR6geZweT+J9g==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes128.pem b/tests/data_files/rsa_pkcs1_1024_aes128.pem
deleted file mode 100644
index f76290f..0000000
--- a/tests/data_files/rsa_pkcs1_1024_aes128.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,BF176C0F284E2E5F3D50F9C82D9CF950
-
-AS/03rvTNYSsPzqtLr13jwrSOVaTUYniMzj42/4psKVTmrI7Kaiujsa2bjI5Ae7S
-HDAumVDdRCDO/AV5qL7iJ0iJ+PqOh6aL89PktcYjkgx6XK8FDOq1wl+dPLjmrsYn
-oRyRcEllZigBZRbYpnuKZOQ25vnHxGeZ5A4dLm3zUXoMnNXs1h0rPDix/Yd2AbTh
-p371Ac6LC8i3KlOIvjlzCFaOWQNwCkffutXDb+TN86xF9+DkJ0bxHhWhHvf9+fI7
-XJFgLAeCpIUMCdhdqwVqr4Y5X0NBA3spmftK4iILn32+RHfLBshRwompMD1mo4Jd
-ueEY2P57z7fNxeCaHww7r+OUdZbySauuAmwWHEoA4NxDXAX7c/1/PoPKOI8Y1OPB
-00bKQtzGE+FSJQjRzK/n9mIZQFS0A+H54EZ1Iu/ojTpEzmzzE0TR+75lZyfqaf9D
-BhQcyjgkwnJpJ2S+u/ssJl0vpC4bKGqs/r3eWmLJQYvZuPKPqorCAUab/ta+dYfi
-gxD1DjBCdosbUOolIsjJfsejSuhEQulpaI61DWeMMap5UvzfZLLrQ5kJuibi8XqM
-oQioenXf8gPc/FOFiLAAzLKtNjmAgD4tNdA3exmkHwKj8ds+HHS/2FmF+oJ2LR3O
-tmO+cov3ZReOVp7wzR6lctG1b2WoVRu3kzwzoOik+SFBnR1v5z3uEggJV6/cyfKm
-U3KzhOkrghOjonAqw9+H+Q9hLO8d76cDAwyDB3KxLO9yzdpukB3f+wS+RgaTdrxc
-oMSiXklsO9Ro9NIYzYKABjQ1tDLeY8SOOidoLJrrXltJNDKZSVLR3edyk1rZEFXf
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes192.pem b/tests/data_files/rsa_pkcs1_1024_aes192.pem
deleted file mode 100644
index c819c02..0000000
--- a/tests/data_files/rsa_pkcs1_1024_aes192.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,B83D6A5D09E192044299B9D06C41BDA7
-
-DQvNvAQflmShH/6aRopfKpdKCerQBAf4RYC7+MZLYaUxXUuUzFuIuUyEmNbgsvny
-ARfFtjCL07e+SGJ31hdR/BM8wWgv3v5P5+VyAnd64vUP0R2mFl92CZVxzcXw2TAf
-PbxDrgmiFxv9WfUsa2aDkDhQjKYb4qlLv1WFc1UM68jLiL8W5UBWKKQFnCivcORD
-GlsGTSxMq3YXW0QQQ5x47/4uWaXROLnIuRW7ZSeCi0wgG+RkBW1yUH6plhhSb/Aa
-EnHqsAlCMZDLwrkgeSnmsMSTpbUcCKfiZmJB5sJeJX3RVwZ6l04MHMBtWh9b5fIZ
-4ieSeDJfHqtUgJ9ie8JcLHuNsUxu5Crzjv6yuZ5su6P+YSMsNhHtOBUXAaSunRh1
-1brw1eG7E6qCnRYr7YyvtKhppDXLHf4sB8tdumTCHhBdxxUd49+SrmY8pznkNjAz
-Zhfky0/GKe+fTTMzHNjtw9/qhj0NllUpA6SyptMM1vWe62OkcQYSYeH81btdR22H
-Kubx1iYMx2hr6dsvM1+BWP8CmtD6wFEhIMBNKYcg/AWHA/NMpd7E2HTmviXBdEVA
-4xMh9fTx0cJ9YnNBuVgNNPGSJJLa7JGWdfdCUpTY6S0YEvTQw+1letrVbW3xumW2
-Tk/G/dS0t41QJuaW1sv9DkJJcl1696PSI4ysDJx9Y8LtV1+DzvdlxSyJdg3mJHEL
-qC6bCvj9IhjLsrTDWPuwXjIPl2ycG5FGtAn79pJhlDJzKJZKsbzmQJAvD5jj99l5
-ZiJ1UkmVdsFeQLxU9hsKD2Cvpl9/tdhUvLaZ0UPl43c5XaBSwcT9eztiLUXGivzc
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes256.pem b/tests/data_files/rsa_pkcs1_1024_aes256.pem
deleted file mode 100644
index 9450ec1..0000000
--- a/tests/data_files/rsa_pkcs1_1024_aes256.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,28A56EB102CAFF494BF4AFB55C4ED52A
-
-5yOXbxDDgomJtRFC9iBL819dU/vCOe0JlwdyQOQbagd1Efj7oErrMuVZJOl18d/o
-2G6OtjqlynzoeqkTwE0yJEyRMLz6CIZp0wHGoDMyT4Oe86uGh3ki9ZqIWlgxt+mA
-7e1RApFnZOCzmHCGZNCqdSNUV5G/cs7or6Gd9HvdKSCdxffPptE6FaaY8OX4737P
-pr7svylp569Secz6MO1Rds7eOPEjAZBJyDSah2AMIiEMJxGrZ662iFo/3S1MuDOY
-/xoDHtP/Vo3ep6D8Fp24PeJ4/iocu6hmhAIO4j+zLN6uow/Wu+D8kBKMhtrUtnHO
-AoP6sjkNOsMg7fbTEqTrXHkOw92PbZSBbwsgB5z6kKeTCYVDBHUaDDlOTbCxw+t8
-PH6IOrQXUIPl7dt2ilfLjqgzpw4T+RCYp1xgM1ZIsoCspUpizmMTPwtn7fuIjUHb
-copBjLOT4tUx7itVi2tTAMvtiW9mrHVI8xgpqSiTz2Hg4uMCFlxkglrwp1yIUClY
-BtMGL7qA/l/gmhHRYDpkzf+ewuTeOImyyfEnAawVT3+G6p3tf/Cs9RVgUCnCrFHa
-/BuYhGTtTV+R6F7+3yRk/XORp9R3K4BbgWHHma2dB0zYIFDXYtlrODUyQ362Tv1q
-JNFis2PbtNB7DRKrB/KtteWtg32mSaTL446a0HCF0VpFB/nq0wEPCvghed5KYHSR
-PzoegmnjkDikgid4O/RhcOC5+qEykNalddhQOY6CxJEwVTAviHbQAyW3eP1AnIa+
-+Ifc2o67i57bkLLlg0pqHITlz1+g7SWDj7Aix2Y68zWZVL3n+e/wzqbdYqMVxiGz
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_clear.pem b/tests/data_files/rsa_pkcs1_1024_clear.pem
deleted file mode 100644
index e26eac3..0000000
--- a/tests/data_files/rsa_pkcs1_1024_clear.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDHOJLFw/RwEAhr+BM17PMBHIolD5WCNh6qHpYSVRqs+Ht1Mwtw
-VzOc2ZXxTUxEN8i+xKA/5GQ80/PJAkM9w3xbjnmqCYSughM3Cr+Fab0qNWJssf7k
-rOBCskF8e+SdJxSbLAdrjkM9P2x2OkaaHHANJZ28CMdA/NgCN2L/fev8LQIDAQAB
-AoGBAL2/t6Qf6PDXhH350apaHnYfjcCQ4FEeZQSZj0y0vGylW0mcrbd5hxJM+BDW
-E98h1tVEiHFygrqhEiCRRCROzmDhjlPVymxBXP+Jev4xeV5mvf2PzgwOR8MTdbFo
-dOSI6t9bhpCyp0Ln8eQzGXtuWsH6arJsyJJ9JzCrzeI48sjNAkEA+lgGSPNyWHZW
-E0zdtznvGphYKPMuDUTGzm1gTZ0oes6qjr4OA9rD3NTGHVW1FVLq63leTiqK8sOS
-uJduIauW4wJBAMu4214tyhB720BuLH7vD0mCKipzD0cEuAdf3NEel3KZxnHD4AK+
-xeiEfFCstMg5uMCNLkShGjMZ5zNfRIqxfa8CQDJjW0h9r6s8jlCuLQY/I/A/b6c2
-YzOKf1V3UGXu1wH47P10JZADDV86eHHZGWykVuJ0eFXVXEhGsxZybFlcly8CQDet
-Ks7fZsUAhJhkQ+bhAOWPHGUDkx5OrNjfGyNP4AYi/rgi1zsI1l/IrY0C1lmOZO7C
-5u08tkNXBfflRn89KOMCQAwCFgbZqd/VDFyemqwMZAXp+Y1HvGeZI0pr3vBJzO3W
-OvIa0KckJ793UjS6Iijfnyy9pWmKJLdKEMe/AtSRDi0=
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_des.pem b/tests/data_files/rsa_pkcs1_1024_des.pem
deleted file mode 100644
index 9eafbb6..0000000
--- a/tests/data_files/rsa_pkcs1_1024_des.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,B23EB871129DD92A
-
-F6S1xLJn+qc/BVv7/0RjykUUqvLR12OcChmOFo3hboC5omWrmPzhhy1IS9XuVZuy
-1gFiqMQwwLcvp5jtMvWTw2kW9zKVcnRiuzlc/wV07bpYS4YV7chi7aGp2+5oUhvV
-Ea9HgFQbx6ZYARk/bcFpejLsptiUBu2gNyy6FC+Bwov36H51y+f3tJIl51ImWnGQ
-R1HMDtLuzHTb31CmWvXCYf14IT3gowxvpO8smaqoYOIw4XeSzprBKMgqXL69/qjk
-+et4W4/zG0p5R4WlKBaReXJ2C57xvSTmbaqbCjIYroshlPo9csPAwFtRrWi4Aqv5
-j9OELmZzgK745QnL3IkqsjQuS+Luqg8s4OFifcwBLSVpo2pWhdJnKk40cai8QLpr
-St8e3BHGZPdxacC04cTc8zN8Xr7r76lZ7h+ppksx0uoTV2U0+3caMqyyByuF5If+
-RUYXOJ0Y2jUMUYdid3k+C0bn5VbChFCxniv10LpJZ24Nt4RKEYy+2VhIQ+FuAbQ/
-dSMJdqBP4TTBu0DzCmqaGvgjjKLTFF635hzP+cFvaFWhVOY2v4tkV+4zkvBUKzss
-Ef3ZwhDses56/KTI54GUJqWxNK+a1ekor3tr1IUMPzeaApzUSRXusT62QMBOW0q9
-8lSNcAywvWrlcZ127J2zZMrk0SKo1jNNzYKWt0e9XpqMWAq07SlUL0MJCt/KYw6J
-1eXT+xE9H5FEZvQkBFCHYyAyq54P3yrWV9y01xi0y3ruBf50i7k/IrAtE9c1FZda
-2h5qh0GNAEiGRr8bbh3A3wugidwAVoHQeuMnAsShf+5gj8Np7W9kEQ==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_3des.pem b/tests/data_files/rsa_pkcs1_2048_3des.pem
deleted file mode 100644
index ac7ef3c..0000000
--- a/tests/data_files/rsa_pkcs1_2048_3des.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,3F3828FEA9BF197C
-
-30fgMPEIKER2VH64TsY5lk8ICdP0prc+UiW/tjbQL+2APptirB5SDRAtuwTvbFRc
-Da97zrRwrhhGxNVobJhhffQlyB6vhM6h5aq9dKwD3auOVFosOm0xdiAC/tv+DqAx
-DIZIhYUB5IeleQ5rlDJWoReUeOcnB+d7VP+Zlc1l7zDMx/3FgOyOhlq7dufNUGnY
-n0tZWKItiV7rOYWTjbDu79BpG52VyHf217v+DeDSugom4FIWQS+XwIKg7xvEnxn/
-vX9pgiaVfXlfZLfUMhKIP+azOIm5BdqB2rklCpa17/7aQ8gQid3qolOMObWfnBcr
-MWY2BAq7qSkebPydELB+ULgGP2F7Xdx41RfsAq8RNyVITx0G/NDkYELx02M30f0G
-8FGAP9ft1m5DMBbAYBUhZHlSFZ/9G/gWa/VskSmjniq83+RO24fXoTxYUx716z4S
-NmDV6QEv5V8ZgLtspoC003H6FWTPXuDim8UuwJeGJ719kXChT2imMeAUpITuoC81
-edv2Yf4sqAqg0EqFlsW6Sd/1k7+GZKfW0LgCRvTaqYoZp0ey4wxFoa8jqvz67jKA
-H4nywF2gyf17wk8CM01gXcGypyQcNHrqq7ai+Qr2pxyw8xNBIz5PgWmJ+3Etef0G
-hy/tHfQqgqerk/ghiAnDJH4pc048BjFdXfoIr/gMGDM5aHBDJpZuEAmhgC8PMDmV
-NjG5TxzRDlxTH1dKDI9SkMukURy9aYYVJgm0RA+Ehn6NnhZrdShv2G4MsLmEZSsm
-aik4l71NlDZlAJNYGYik7bXI16Ou9cfU1JNT9+xZ8NcYIMFH7CPRPaTcuW+SgsaM
-P7wVw5rUP9+rPwhcZCleRaR2vkD4MRK4r4+HqjIpPzlBagO8FHb5/wxhbRXUQrEW
-r7F1bMa0ZlxIGRf+Tq2mLr0suuL2Rlvth6WeVVi+Il0VllO88e4cwA2EbPRW0G+2
-+yuOsb5PRf63BF3FFVhM4jGxYbC+uuGg0qC/RoI60A+098MlJZRoVV4qvvF5tOM6
-PHCqsxIijXHp4/Vvfu//E93AtVSnPxblXsUIYLx78NXMMl1j/i2PHJpTvxhGICwU
-j4WUKXT/TQISYrfNiaqc521vq1MeCeYRi5JnILxvMz5UJIQ5ehUQJ6aDxN0OzZk7
-qGFhKD5K91X2ApoE6fq38fxYkh+MN3mjD7uBArQE37TxtDdX3+l7kcxHAiILQUcS
-TIe4qYuyxHzuSlt07fkVWQg8ukDdHYBy/vL3HjDj+fuKATiSXbOLP3s5QgAiZQv5
-yzljGNvqtagxJMTjIeD8SUbg2kFwS6FR7q67S57jyyikSkeDKFXjOg56Zb8gEoBU
-nrzTkLICntwdZqFpITklGfF3tZDIWWgbYZMqEOVk+u6WQWv+rBlXfgyW1UbmcgOP
-yoiJRSvqtsVwY5cSyuiZcm4Py6VM33ad4/fd4E9W3HQL/axHfdUzN3YMGOsd/PfO
-AdgGl81+uIgttDOjj+X+HF17gq3jZA409MZEyyBXEI1QXOJE8EKOVnzjHd+nO3OZ
-GmXYWveeyMUrZba/VVoVB5S/wZntL64GHd+GqaXSuEgjmqYFTPgsehCUYoHHxxeA
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes128.pem b/tests/data_files/rsa_pkcs1_2048_aes128.pem
deleted file mode 100644
index 4b9578e..0000000
--- a/tests/data_files/rsa_pkcs1_2048_aes128.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,4D279F635142BFE952A71E8EE6D14B0D
-
-6+qW0XUu06eXe0jjSsmRGySu1KXnEjg+682sUbxOk//2YitaMx8wMQqRQvT9Uusp
-lW7tYOz47wiz2UrJXKo8Rxow3B38wW7vwjh/Xaw4m6DlcID8Ho3ubN1n9Or9goi9
-Kg3NYtrIWac5njywFzf17TIlxmbHg3wF98c0bKRInBGZxVcEtbcdRiM0ZSst4IAm
-xi7vEwHHyo7d3cBJoItJ/1kELqHmwFoWZj2wlXCVEHUU5pFfK5WY7uq5P9FQFBmI
-et0IeCCdysZyRmS8Y6BY5cWv2u9mccIvvazQev8H3W8hQ/LS418yYenqd8CAuvct
-N0tTpVhV+jXxPwV1+F29kpkburnHrbDN+ZUIVaAdea/yNMC+bcoEypnpT6D1m2ig
-ouV7jecJSOxhaDh4h1JccR6Pu2DOWTDpn6pxUrCIo4+2lVbLXOeDS8ClhFf5VzX0
-D+5ZOAdm/LSQIOBXBtqOJ2qDBJINZgpQlRDvo8wDHchslDChTNKdvzjgr/hxdPeE
-tAf33lXR0TgqX2vhwbpjqMX2Zi+7VL8ylcjWITdderiNDueDpy7UN45f+0DVhNfT
-JIleuqNl09tL34unugpM+QSzgJ0odHpZ1VXkr7zgSFOYau6/drlexS61KXsqk6x0
-rs+n9ssgVqS3HCne0l8I4VOejutBLAVGOXoz7EC9PtS+iYavetnEcqf4SBPHikrn
-j67x/wz7jlEsSCyYA8SfPJY1wcKgfKaSU+w2XxAo5bMBjb3QiBYRSvb67q+DtO8K
-hUnZMqdbvzFIyXfP4/5WGhBe7ho0dQrtVT+PcCxknMMQ+kyQp+f+jbddLCvcKQFa
-Dlvw4XpMR4Ee2ukkaWpXAc6ES301NnXoAwlvKAkThfRDHwGckGfiEIunEZN5l1TK
-0X1tp21gUZYE+o7SZNI98Sh2CjxIQSKdA212hI3A+2mOwqBNoZcoDBqrvd2cCoNR
-xDA65eV8l5HrDAtMHHt5wTHzcfMik1CTHwL0/O8izQH+fTHKw8xR+VEoGbbQRkAY
-PJzMvehkVkc7e4K22nXAs38LARUW0D77ppR78VV2d/D5FCIXrDn58pi4RjjnQOO4
-yoGv4snLhnMq8bYQ5En9403cbMCJBYp4gvC09xeNNkL6EKoBjpupSMrZNn19VsrO
-VkACjifittw08/g5ncuAAO98YHQKmNPTM6py707dMs4L5jTOcLHCqo+fo+Wnx9Nx
-v7JmWNuFwfG+gIBIYIKmW0om+pcxfYMsry8byIUGNj5SnaGtl5kLD67Lr+LLJwBJ
-TNbGd8auBVtroIjdGVnvwtS1oM6eNXogL++sD7NBY5GdJvOMVP9X0VjyfHd+byjL
-SfTAJq986dSO+5262mRY3fLsKCeQ/quIvxGsJ2sdRoTFXyKFUu5etuOH+40Yhivx
-SnyUd+mVH3MF2sWpuBRE3Ny87mmE8CzFBh+pDdVpdvb1I387wwhpcSfW/6ila16R
-1NSvAFwXMeZkxpZZ6hn1Avyc1VQi0fICjKCR0WYY7+Fl3Uv9uXznzuv9COHe2nmu
-Giom0TSsOhNeMq0N9AbnUEPAhhIEsaMSZAOODsrvtbRijCcrCkY31EI0O2pT0Vgg
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes192.pem b/tests/data_files/rsa_pkcs1_2048_aes192.pem
deleted file mode 100644
index a9585bf..0000000
--- a/tests/data_files/rsa_pkcs1_2048_aes192.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,9253446D0CFFFA0AA50C251F129E6148
-
-CrtEJsyM72x0zqFnS3qGqTF8JtaUgKe7EkBRoDt5iEowPZFjPM6QILEsBQLAcG4J
-RKi3My1S2nBweRpEvTYZHHzHXsO4UyTCNfeIDl7F1lJ4lO+SB/kBkjAWUTcdT+h/
-x5F6F+dZDMKgYvDjvvZfQyl+x3aDd0y2ZqWQWJEvqH/uGQK921d7sdDFclwDVrUT
-YWjF91KNzycRaOvTHjX9X/bW4UZZif9KTZSKSr71zOX16YHU7aIWJH+OPD/DSylf
-dbhZAVwRBlCsUxckkReg7u13D93jlOlgP0ufvpDAeR1y+jumLOeWddiMBtRtFUPj
-IfS2RPcyP8NQnv09tru+ra6KqRJnT6SKRGS3/+cgXGIirwNz0PbYYN0BCIOh12Co
-sK7gzCbVrbLLLSLuENsC4NeihK4WBe0NqZDU9BMqZ/ardjwhiT2InM+hZC+HbltV
-4h2k/We2LSP3rAU9a7v6ve7U4OI1kFEGn+sNPuDb03C7IkIA3ThASh3gPq1nKs7O
-uWQ6SINnZiPXDvlqZiQHzFipF4OBRRxvlYyly7IBdbIfw46cT4dnQh9uBqSadVq7
-dUf25ouFP6uvnmaZ9gEWvpa5yEafb4+x4io4CLbHPp/pPIgOJKIv2Olh5biN8IhM
-BdO0surr+BHFogjjfh7p47yFNx3N4E+wc9wmEAzNgWijqq/btu6GxYkBltSwbh4X
-8SSwfWrRxmY9+n4zIyehFJ/Q4VCsVTz2meyAc1hCyi21XWm8uBSA55DHmGXrrxwh
-j4VQBzn6qYsWJPjvBfwluq0OOKjfniaoa8QiH3+Evmjyfs4wWaSDXOdxAZFvA8JG
-oqiuFPuQwmsFLxrVsL9UMPj8U++zHahqOWzCFzrd3LlUrEAE6NRrzLmB5RPcdACM
-cgoEgFRR6l81ZWOC+aM+vDyc1u15iOrYhbtgfeeUmj75nJQ3TLXDRv+BryRtP2Wd
-kI6lNUL9M8QzqYfJqfKzJ9mKEGa5iuDH1RcWr7cOv8xZtq+ZrzI3BvWMeYs3CTpg
-PFgKGg3uWvF6uwq6MQJIXU5K9AZtZE33oH0CQtDjSUVdrFyWgNmDgMGgMZlCeynC
-y/82/qCO3xiFUoK53sh7Qv9Qa0xtIeWsRrZyutyxQQv9Lq5xuiOnqL29TL+GVPJm
-/wztj2ElsxqPMgnDHJHjixBBC9POX3yHciDAiuXIukz3u6bsPhBfZKwZ6IhsKTVs
-R1XMadx8g4kHiv1GnbK0/jlZDC+ne1C5yJg5F0n3X9lx0KJ0tlNe2N2/mWeVd0Eu
-mIQq9fLYTrOguE6bSSp6sMzmtpm00Ef3GHSXsf3cWVOFRMEWGLJklDoPgPr/rSke
-QwLb0U/in/NOqmO1gfl9y70XM2zJDDDPrSN+SDf7zEu9Y7R6KmHsT4wbcC/LnSbM
-/TOodgWOBti4h9EybHc5udSMMSyQxBedAh7I0OkCyBDgXXyQv2g0ak3EgMMlaUHV
-8Gtf6y2g4Kwh5DPpJJIJ/kxgsicO6XbSGOm/Ya7i67MBaG3TBZ74B4T/urEYYc2X
-X2p8+n3RGXG6BKOQcXR195GWwwjxy+HI6hzXGO41Q7mrs1mOsUvk66VXYFFLpEcK
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes256.pem b/tests/data_files/rsa_pkcs1_2048_aes256.pem
deleted file mode 100644
index 2e396e1..0000000
--- a/tests/data_files/rsa_pkcs1_2048_aes256.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,44804F408DA69A39B0DF6B8E84F4F663
-
-zEIU+VIoZQIfjf55n7N2sCz7QOOZbVdvEacGnjOEh6NoZ41R4F+bio5HthVcq8qo
-hyKUcZaPm3+2AceL/xfdx00pq52GqYVl41MSDTiKwCBE8ulCiHmh9bMZHPToAysC
-sQlXWDP1FIcmILk+/OnorPLpsox2Is8CELgVfkd9j/ytCMA0TPVEqxqJzrmwp76p
-vP2MWS65MIoDFnLHcabHdZZQlTP5DdRj3AlNfHqUMIGygzs0vEmpHjHttOFW9mMF
-HIQ2x+Sznragg9ExjVgW4BgTD5SrXKAEDUcMv64w6VCE8Tox1QaWbKoWKEPMFBnZ
-HH7uVQJnptFFgJ7cKd6xu+TynEMe4X6iR5GAqPIqd1rhjWFxkQb7zCUy9PukFHlH
-uZ3kSLVGV2FDFWN0Hy1R0rfrEFOXc07dwg5lp6AXG7NziJoMChSS2ipAbXo2uE3G
-PdIw6nAR/abyZqtwlyZD1jO2R8WIXYiGUeeXhC0C7OO73J7IZnZox6bbVemFyZw1
-AKgDGjuaEbBC2jBEt3TE5/Aaefef+/nm7MENF9BJlPF465H1ZfFbE3PRf+2eVPf2
-Q/dsfxKFG+Ui86qcXjBjex5BvC2kfMqXumdoTlEx24FGFCRUHB5dmnWRUejglJ9Y
-QWfolL6ccre3LPYDSmGAnAzfSB8yCqtvsvT92NDFsSsO6KYBy6grhnvv0ieVcUh+
-iDQa5f80fB7ugitliOPPBzWjt5P9FDJJ7Ht2Fpbor0Ig/JKngyTfTRVjTh15PEMc
-kYHFFoeT9r5w/4wABsh6/REnuiahcJlcUadN8js/zrPPXAoAjZGfpvin0uv6haBL
-Qh9OHLSw/61J2EP7Jx1IL1TPBCBSsuNb4PLT4e3kqq6GVJNRHCMRpN35ytZr4pqj
-lkEgl1uVVeOgJYWr8jMDWrCh9ih6xBCxGCb7SSUmeRU7FUJ+ybBbvfsnMWn1TJZX
-Bee2PTac6JkXNdDgM/Pe+B/wCFR3clg0ptmr13hmLqmkbCMxkpCVCM+vPA01GNgc
-MjYIxTNxB470tKva3jWqC86ffsvvmZb9eTEog/cfCABscX3Y2ufYl71t49tIOs8X
-5AXE6GdJDCqJhyE9pDkt2prxeoDSh7tcDnxjb6JfAhvmNORrjv1hI9mmC+IT8F//
-QrqxIxBjgKszkFeG7dS5MHo16FCsawCJyl87Dyq+51KTyqeqsXBvODsNT7FnrBmg
-Hho96pEJQ4y0YqP/aXNo89fVfYM3hbdUS9XtN6xh4N4vXI6sNVS9NQzfZTcrtGAM
-H6IE/AEYp4htKeFUM+QQsPZI/EcgL5e5GP7BA7xrx5L4T94kHIjz69iKSd1zNKT6
-KhOWNsWzHZABOnpYQPvsjjDeIG9/u0ryXYGtH5dwX/z3VvIz2mQ0w14OIw2KzVYu
-KGUpGXRvSx+o7QYulVh1Q4BrA03bSaKtmYnCzpaKKslCBXxbQlTIvL2hlienA63T
-V9l9edsJCtzElSfJteqc2uh5oVDkGkgUkfmrY1b/8RHKKbjeEKHOEZB2ZxMTT3mk
-RGx6HBKoLSG5jC4TjjUcAIY0NAmJRLsabrBTDLBUqxnMZroF75Id9KaZHSa74x+Z
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_clear.pem b/tests/data_files/rsa_pkcs1_2048_clear.pem
deleted file mode 100644
index d947634..0000000
--- a/tests/data_files/rsa_pkcs1_2048_clear.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAqFVn+bKgHDTGFY6QU25+HlEP7ppDRC320hNPs91pri4VZrjL
-hOD4/N7sAoWTZiIOGCo5pJ+OztG7GA2B5tC9/cmdSN8UAXR8YO49+8ZqN4g9Ox6q
-91E42Rq5A9aCMkr7wm5Ym3cK9dZGXHVa4QsROdnoaIKpu3UbbjYOrmQSXXzEkTiX
-wMTIsXz8SclaRYNhHtnv6CKAIm1sTP4a3GyGeCzBW40zknNcgTqHo6J3FLw1AENY
-iaQEeXqTOxq3MFWm0HQFoJC4IND54RiARCo7+qJe+aqMGPwIIzQEXRIQVVcG3lvU
-8lUyTPpegYb2O4zdRrCE7GCpBBe137NmJcZMtQIDAQABAoIBABl8JKu3EWpzyvGE
-jfEzr0BjwWe8TybJVq7jYZO3l8JZE8BjhdxuOwP9s/mFw5UY3s1lxyhXR8WkFxFD
-KkGJpNoBZiCcNWkq+5GpQBUYKwiRRcPnlrauw06LLyuXlEqM86SyFBQlZ7FkaW6i
-Dco4ZLk/dmIsNgo9ZpO+92YLnIQumq5nAY4Mw6CVra54koDmLXorJzidAo2n0059
-K0hUUMgh4o1BEn5I+YPZOkmASsNUh6zbm26tyaiBnU47ueYE//+RPCTPTI4ePBG5
-8nGuRGebGpdOm9OO3IGgps80mADnVUI3QTjcwQlY1pEeaQ6FMf6WpfwFSzssD6WS
-lfEoVBkCgYEA0vRCLOvbhikfaKCnAkaBYlhna1BI32gPa4+bwCKupaI2Kl3uRhPT
-JB+I+fzWXjPZDq4JsuTcHCpP2EpfBi3ltXmjmmI742D4h20Cv9lPWItICn11HHcQ
-aV40Td2Lo96N8fSzwdgr0cH8fVvTEWaZiUMZpafypNIecf7UMMi7opMCgYEAzEdP
-e/zyTHUIUpYI4OlD/C+mCHGOGnDtVG5RIAPNOiXuDshGBetQf+GmCt88RjH5Gz4R
-LuYhOQIKObtMRzsgD8UbxBoRtmwTAtaX/e/rZiW6kEgplwA7ZV/7oADOBEqhf5Yz
-ublAtD1VS9zDXr6ZoTeJVmZ0VMlKXPd3wgnZ+JcCgYBgYQRS7bcwBl25OZzT5055
-lhY560Y/+5T/+W6ZS78rIX9Jv/x6u9f9awLz49Y0189Va6I2v2To4VP1Z5Ueh52p
-WderUzI1Yjpp9R4KdMhRleDmGgeFZ8hxu35+DLgduDJ11uzBpXfvr4ch5u/5xTxk
-f+mZy6+KKg2K23gqiatgTQKBgQCW2Amfmvco8jrFETlZK6ciL+VA0umGKOF3uUZ6
-h5QiXiPeEpFyiYMWC4BbAuE1TG2QalKx+QmLWTBH1UDMUKKqQnjwY/e0ZzXaoK/3
-uhRvh2iuZjsf3/H8N9ZNHosCrEF5P2bOvDdFYQz9SfWSntg/Lg1iGaHJgiJBaBOs
-2y1z3QKBgQDF1Fd/BqSCKA3WM0+3Bf7Mu4l40CKmzjFpVGALTQIscfE4kUiymXna
-DLWearAGdiGpWLD9Wq6/hBC+LLQXQ0zckITz3L2Lh5IJBoysOc2R+N2BHdSvVlti
-sF7IbcMbszEf8rtt2+ZosApwouLjqtb//15r8CfKiUKDRYNP3OBN2A==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_des.pem b/tests/data_files/rsa_pkcs1_2048_des.pem
deleted file mode 100644
index c296833..0000000
--- a/tests/data_files/rsa_pkcs1_2048_des.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,A21ED2721C71226F
-
-KC/2MeXdBpU0LCzk1qh2ZkN4f/GNMR2iqyUYYqGdcXGe2tiw1ge21cH9+TPrwX9n
-oHFPLGstWmCZDpp6ogyDLR5YD4pcCYrVaqKtHVaNnkuGj2ShMef8ql7c+xcXpWDH
-ptya071WCyQO7yifUMj0KzSgN7evDjn7m94sbmBQ7T0hWhmKs9WiBDHqEG4zDsfC
-StmDtaXoILmmruCrVgvGWAlCTfye4mBaqXvFjNl4xATLn/Nksk0TgmFijrRP0ynm
-+J2shgJGyHvwSgwiX7bkOqhJrEZqI9v/ob2slaG9Kod5NUXiHKxnZjdqcH6PC4i9
-ZCdJTLlNzBEGm4Pq5w5kqm5OxD9ScTfyYKyeXbWpkCJmU8HRkXm0m3DP8jRoF6Il
-QwMCY5ANRZ81sEzQQa6obdaXeioMaD1+CpvMVBCsu9EXVAmTiH5Jwj+xbtMXwjz1
-LNIGIlZg8YutLBfnMxnz9RFbz1+PBwJpKIDkK2Sp+Twh/3hbEfsxNrMl59urDyll
-9iO/u45sY6wVXomuHiPrclC32S8QW61hGB44aGwdYTDfpTQ4hRo03xuE3l6x3GFZ
-W8CPPReIsqv6m8bT2T8THgGDYmTJs/LOQFhZacTbnHi5LwVjNKyf/zq3TXBo8sTh
-O2mpmt0Qu7VWOlEqmwmAGdzgxmuPnJtbKpPhAQbqTo35usRd7EjWkgTRzTEd7yle
-t5ylUXQoA1DFO+H+VPmzzOo443BLhINJD8nhHKVfGj3VVpWFnZgDALhFB3pC+lpn
-5ESLfD1wnMSlSUmKCYbOF5zgmasTAAOi0gaFKW7FehbAPbDha5OyrmZWO6/USAqt
-3SrobdHX8XiEjrq83CWlTPDL98gL/LO2lv6lWoO9AA6t32Zur3oS6pjFEYTZtzT2
-sztUpGQbV5OSh7TSSoKRUHKl/0YqBeO/TBUBpM+H+rTtksdnUG9u+wKF7rZodMtS
-TsnIb4onpmmk2GZc5YkV36P2kDlsceZHRPte7Vi5zEZvelHUOmiamGtpXWMug9um
-lnRs6oryDFffoEZ3gHDetE0bG6f+pRtpnvMJ8VWOFXDnuei2Rv43HLtf5p02+ELq
-m0/HtvjFGDvro7ktYFNogpVgAfOwadBArSelmH71GJa/4KvUcM6Anx+yJm2adqE6
-5Ugm8JTaJTxBTHqv8dEKsyDN/5M4QcBC1AfTx3R8XGjqYeApHd0das7w8FdDZtNJ
-MK7Oqa2HEq3ChaV8OaiyHul34gR+NttskcQkgRfJX+LJ2j3IxVAqmUdid8LFJL28
-Rpx/pONcGJHjdubbZZ67Cldb/nUs0ST+HQ+BJbYZNqTeDDBSCIsye+MUKnqBIOl/
-30zEUz5WMe2w+c5BWw65aVL7F6gtKao+W93CQ4yZGbNRfiglX193BQYwR1+7QAWT
-78jf5WyYzFj3VU8iwZ/PQ3njCR9Fumm75xtIlAhHqliKg8C3Jfb8uZvSjvntkjWn
-ksgsLRF+/P1PdulaRYNcZAoYKTz9vYpVaWlSyOm3HnKpl2wSoJXrp/cHzd37FyqW
-z8CeXtMSvio2wXmadhBEEoc8QSY5s3/J6jDJaWUxkQNPdWZkDmVgDC0DUlfEdSqh
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_public.der b/tests/data_files/rsa_pkcs1_2048_public.der
deleted file mode 100644
index b686514..0000000
--- a/tests/data_files/rsa_pkcs1_2048_public.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs1_2048_public.pem b/tests/data_files/rsa_pkcs1_2048_public.pem
deleted file mode 100644
index 9040cb0..0000000
--- a/tests/data_files/rsa_pkcs1_2048_public.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEA2xx/LgvNv87RdRCgorjOfariBeB62ERjj7W9wLAZuTe4GUoO8V10
-gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35wREsrmq5ir0dZ2YX6k692xWagofk8HjD
-o4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt6gEMzEKadpvE0DfTsRcBYQEWWX4cF8NT
-/dFyy0xgFdp94uqtUO+O4ovUandV1nDZa7vx7jkEOKO94tHgZmvinEeZ6Sjmtvwu
-ymdDhOjVg9admGsBPoHcPHrK+fOc99YoGyd4fMPQ1WOngTSJrSVqvfLq7fpX/OU0
-xsEPcS3SCBAbrURB4P55oGOTirFd6bDubwIDAQAB
------END RSA PUBLIC KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_3des.pem b/tests/data_files/rsa_pkcs1_4096_3des.pem
deleted file mode 100644
index 6de58fb..0000000
--- a/tests/data_files/rsa_pkcs1_4096_3des.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,08A2EE4A627B9219
-
-BZXLuKYuOupeUZGJPIIiGd1dFXaBiFNmczkwjADQeQPb5rzf89n2d7N1442YkJ5q
-nIvyHoezi2er4bhxUX6ToftGdd9X/WeAbuW3QfzlLccf69RgLpKjWasKRlws27WE
-ighuRsgPK+UO2CzR1PSBi2OIRdAsUFhUx4IN1oSMPcx5eR3jglH+jrFwv7oOclmz
-KBWxAKBguVOFpYfbjy77Oa1sainVFIZMeXOqkOSggfX+kmHg9Vk+AgkCAhM7iy5m
-u/2uYjL1Fp3OUuMcnjWG3GAurKAfquWcifF3GSzH6lLyJllC/RnsUwB034J5PHB0
-KrfHipJyIqFSj+lOizDteA65EoT576+4VOpts0aCc5sZeouQS28nyOVKbOtaAXJL
-seQbR26RoAw6ngD8JZAFw4QrhekKRPKzkTq8s5E8QplW/Q+G2P4gmn7WeKDQGHW+
-8FJtBd3kmzIydaM8TkdgZOBaNPAvkRdJfPcce1xdhCOVfI+jM2ZrUjGNjGlVChLv
-P9cKwP1KgzUVb/jYEboD8d+ia3xwOfB2sfNS7mDoTWeJzle7zl3Np2IVNpND6zpy
-eP4sTjSMDJNGZI34aGkGQEBCznX/ssCT00CVLS4tikQQvHGGasHVqn12gTn+c4yl
-ranvfJ72h8DIpHenIQdvzRhTHG1wqIn1SpLOxxRzUCtGUuSWmbTk2Hxxk8xZUoNu
-n9n9mXv4DecGOmmaA2zHq9N/lmPv9ekRneMypD5sRjo9OUJVPeNkiHCzp8ud+Nr4
-PcKeZSsh9SBbGcgQXrGedntjualYq8/yoE0cLKOud3uq9PA7gtR6u3A+nT1NFMuD
-hnsnlDj5p+k1rWDt4GnYDSjRrbFMZ3K+s/OaJ0+Ul7WXBup+0X48zNXv+8FPxsxr
-4zMFpLuhxLAI6IJlqjM8TQhRmP79oGxolF/rNyOR+3K+HFjEFaBW/Cm6WZVKYV6N
-6kY4HBFsYFhdfPlIpKX2FfdH0WT3yzHLuMBsb1Cc3u8DSYThg/vxldwj1LZnTUJL
-ah/r94RjOXd2IDe3CvgxK8ofT5XdAPZHBKXosnMTBx0HZ/prwFXt4YvrwbSxHwT6
-Ekk+uqMZE73Ln5Qh4i1iEH0j6Gwyw+PekVsc5h++Et/7wHlvF1dv+RB1imQvZ09n
-Qst9uN6SYhhfHm7CbGpNjMFJGopEgA719QoWnzCefgnuiULWd1nvUTjsmAw+w3DR
-WbWVX88K62wE9g22uK/EB+yvyQjbOYDroTIlpL1Pndmj5R86Q84m6zgOsImmn7Jp
-fbG1CXlRCIlFCD87dxNSccMeUB5cE/qpxtaAntYqChgcbNdQATuO2YB77ZQyL9T+
-cxCOIXzhnxhqvfZ/Gb6kT4LjxYFzuY2dVIwiGAHtqASpbrB8qhsj5SOcGg+qdNwD
-LcN8nOIz90u9+odzilr5BZZIU/mFKzhPw4+Mv5QohAk4PUx50yz6NvFiCDwIhPxX
-9MvV6l1pr2Kx6nH0uzpC8H524zL2zhYmNhUdRUOCPApLv5a58t8QkgymFD7ZXQmz
-oYtIyuv0D7F5SfHcDCul0sQ/cOoVSLIX5lj23M1SLRVeUOCO1HGK1wLaZX7jLzbf
-sZUFFWclSehoyt3Z83M9/nbDq+b1Vlk/1qrxO6/AVYBneb3KKYXiYXIQHkGt6ClF
-yeAPRXunxm+R/qoXaIETcknyCOH3teePL0uC1aD4jJEwlFH3JvlSSA3ruAsrBuzQ
-Oy9VUq/Q1lK09SRT+EKzmVhvb3lVYkP99Du1BoIyD9IURGyxoT4Flfn2E+tfN2CS
-Jf/JQEtf5eI6jSM3xq9fslQORSNGWm+Gb8i1wH/Sl86d7OZMdma5fyfqA4dYAi+W
-2k5sPNomZ2z8kL8uixR8Bt/Bg8nkIKjLpZIu4cd0gP8BWbmJ6axfwbcmP78Qk1Tq
-kwW49WVg6Sc4sW3T+zPdV1wGm7DdW3KfJJOV+6i6q4GTf+4Idh0631lVC3L4wJ2v
-C0l6XgR/VZQ0O5NFGeRU0tdrqvck27BjOkngRvDjTkApngilLrggvIXSeYMku3q1
-2MuydcUFA3najp/F5v+jTiYIzJkuYsF4T49M8N7L0XLuzmhpYK7EU6E6VdsoABCY
-JWWzdZdfQ/dkGCbn1gIbSi92hG2YQ8nOJ8wOfm2fynO9iCu3o6h59sJ4zrplAyFs
-TTdK6yd0uDnp9glPmurcEXmYOGVjVfRCRRx3K9tE2QHub7lGew52KrcKt9FUPaGc
-iD/WQi6WdSVa+YvLopFBLzaau60QrwORYKBiZIOyZyVq4LVWcg1FIbni+1NTOpTO
-bo7/ymJVA8yPqlcexbYAUUL9zF9BfS+lE+MWygA83dWVogIpORu8Us4GtUf9Atq8
-Q+uxiIK6V2h3KQn20E3EHFmoRJJ7My3GPHxuG8/mczEAVMhfZJSXqGNiUOgc9EIz
-eFsfoyPiUoOkL0WCXYnt9GDPX+P5FZ2ycfLb7pQUCFqY/9Lr+0LzaEqqV/GLyBRH
-SR8j61eEV4ZlISLA10eWkkyVVHRA2OeAc2kmaVC2H7xBUY7owYDDtlUzKeKL0/al
-gvCqE7kcazHcoiBkQI8IzslFW2Q/plURJGkuiUPou36aFFTj77C2oeWT5hRxc+X3
-9frLSIRQItMhxIRxIccxuv46lHYGA/fiPLJ+L+GiuZZHYX11UIQ9wX+XB2eNLZFS
-hvJy7+u9hsYyi7KWYnXM+8I5+RO2NhXfKhPwW9IJ1aMWMUh/VEYlGOMJGSr5c6qy
-21qNuK0D5a6tKRkHxaUlLvPOlylqGINRZiupjXIrkbzNy5pEYqz3sJSv31FHUmc5
-EbrQJsI1ia1hEY5Zgq0eQc3k6HcfmfgIIZ2GB83N7AGrpMRyH9g5ZguxhdbSMjcR
-1ZgUxx3sXWPIIwlLTsxl4wY6CqTQG2ZNPya2PTW2X+Qsl78NhLqKUgXHsfQjViKO
-ZY/02FZEObhIfBprdq0HIu2sFKtqyzO14kVe4MX+ZrB+d7QmwPqDsKb9EpUWimFs
-HFPsOkJ0lc8EY5i+V5XecWOhQccjEzoqQzffnlWC+E08/G0MyngXfym/JPRJxYu4
-nFYfGzbdedXl7vYXisw2kbrrQW/EtkVfYyho4G06tszUccLGh9akU1ie6ekDQT2o
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes128.pem b/tests/data_files/rsa_pkcs1_4096_aes128.pem
deleted file mode 100644
index c54c1be..0000000
--- a/tests/data_files/rsa_pkcs1_4096_aes128.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,2DBF602A00D044C2770D4CDA0D26E8F1
-
-945LBJrU1VrfEqmgyMSQmw0BtwxxjzegntS9iB/6XsTuRbyiOpj1YgiF8oHYhNXm
-8Ubgwe0WEkqYOxyWvrBDxFgFfcpHvmrNvPssKW7u2jFx+wKKDCIBHuXIIfm8TJ1t
-lhal/TpRAs0Zu6ub66UG6WNxtKIW8Na74OyHiBk74V0GCpNAnNNpWsJ4YW+M3wep
-rMXnySl0EJ8caZYCXVzcHQVVygCEHCtSr+cehCPSJl2jeWIwqqy6fiFWYDj6s03C
-eTylSyWFOMjpTmi593Dh8vwJ8bIC4aci3BP/+TYlvT6+91voYz/X8HtlNMen/nhP
-ZRYbfwH/Qy2FaEhHI9VzQu83Wok07K9TayDBkjh2HDIL/SugeLGqBEeVzVN4aM2O
-/QA8wg+gEBTOZH/uXim/81/pWAaYfXPH76/OxjgdrbKQx1CN9GR+h8stFrMnTlQV
-AycGUc83rnWEJM9t/3KyrDMSPwbm8lm2npdboh0iXi/OocXxrW9Mm8OpD1mXFOg2
-Lm84CCs+X7lwiDMbBNRSFiiUSzmzX8GWMkwh+jjAiTa98pbc7EKcTlYlkOkOTeVj
-rj8Xb9eBz/AfdrV52XnDBXhNmlpe41ceiw2aPmZ2UhfaHbm9wYL70GTrTvbVG/gC
-u8yYT/3BLZ6j9BAaS1QlA/sbJvlvc3TqQA7wGUd8RonG1rqEK39wBM6M9dHddre9
-XyCXAaHH4GbXTGFY9xYGcoL61HFrEl6HZ8vBOs41rYROPYIkWJXFmoDHY1aZo1Oa
-ofhJG2bvv6gZQdt2f5JKeWSCMpQFSP4PWj8Z8TXvHHYQm9e3dImVK0E2go6MjVrd
-ZS6WsJajlp0UB6ceLFX+NYP5YH4u+VJF1PQ2M6+yno0BJpjPBFhv2pEHLxPCQDXg
-L66ZgCiW5WPFfnm2PZOE4qtlK2msJGDzOez+nvOc/Pxv2BVhWKhOM9Jyc7c/at2M
-gGNV3DPGFlRnuCdHDQy3ncb30fQsjJqQU2Xrj5DMYDaWcLTjznwXO5GMfVAQufdg
-EJAYGa730fPudLsT/pDJUIj24Iz4Xfnd6ilj6C2Sbdl91JZP0JwFkEuQ43zo9Nr8
-vMcz+wzfkbq9gXKOM3WNjbHFX/BfS+/vM04Cu4m6dhLIFDw1sguI5yCaHOUiuk2E
-gwGHkE2rKo+/afymCXYas/INFr944eIfkK/dMyMZI16CZZtiowG1UoFzynNb9o8U
-NUMhy8Ba5qrbvx8LhaQkHbeiBZ2vKmyay5Y9FYZ0JiY/Jn3ngiec8zsgZG3as9XY
-3quTs9W8fa0HYTNvJ4o9xZembpWMj+HLGjwZ8uiSQUFDp4mcwltb7t4cnFfu1X9Z
-MPPKzHTrECAd8A1XH6HEmeZhUaMwtLt4vNm0daXe4LvgMAHk3pQO1flVrsRxl3K0
-VD5NhJCG1UTl3OUTV2WL5+WW76JkdZ4Mn1N8tTpyLmQraifG9yBhGMxUNl4x5brf
-uAQGzV/U09eEjU8pDVZEteaLAbFqH0xsp8Chz9dGM6pKy2t2H/ZFvk3g5YOKo7cX
-mMGf1wG8WRyiZTxM+XK+tpmUkuPgRjxdw7rFTTwKNG5VmBymIHGR7lwiv7fLPXo1
-0v3gCztnKBTfCdGUjdG8yRNGAKtT4VdRsCFeUYl3ZehQUXlO3ZU6bcVv8DGFmPli
-B566h8BPIkQ49MKbxX2E6ukw5hGzilAoY4VN8txXGtncvm0FUTt+ji+wjIDAKjZM
-DWMm4bN7/LCEfsx8f1+XivzqQY7hdVntkeUH6R9GMmJ7ldfR4DYVzGljB1xZmVNV
-FD+HihBMVCtvzXLax5zlrf4iunmSMPBW8cNTJCHXNu8HbxNnlhIQ55G77DDIn8RC
-sh2UDHEWfkXuhhCfdxOMCUIBTBMCgK4N4pRdxEmj+RFKJR1wHY3SyMrcU7ye5/nr
-mxBF0HZKmHm6+U/oASjHeycUi2sXbzu60H+rSQjXVnCuFMubQ7LzJzNddmRc346O
-6fNa+28RUAxdmWOD8co5N7f80GAGKh4VwD6Hi7KDFdXPNFclesjTKF8U6E/Q/hjm
-HkH+uVeOKZI+41qiNxIpqP+76h4u69ZgZlYVd0qkbRABLBPN69cgsR4EEcLX8JLD
-rwgPaLrLyX9muYsFf6I99DDjcqbW4BAu8gjzE5qGZWQnOXAfSihUBqE2VgUQttF1
-Lw+fEe34AqJFr3ARcQg8RsZLomtQbba8VxQBVMiPgi+53HSz9IHTApTQ2ukuFB6x
-h/uyVtBImLCEmBu5p2ZSBx1SWXM9A2pj1tg7CgS6l5F+VIFInkjBmSVvRooCj/eL
-kaEXz65E96Pq0tmRlw+Zg4Xo3RaU+Ah2Vt/6Je9ljD90wpso6QbQBNnJMDF01EKu
-KJvvxf60xXB8j/EZvYm/7wDItCRnSBFZnOQlIfzy4bvM/TLFWN1AgOsIuWjROe+n
-Daq5gnCBeTwNwiSkoM5WjjlGGl3K1ubm8t1dEbjgL0tUHEv/A+cD94SkqwdPiL+K
-uY3qmWni4ZfwD7V0l9cCkUpdhmmCuX5v3ylwmSvXJ70Ag6tABDSMZK5pj2GTVGno
-ggZYcO6eORb8iaiE5ZkJ3tRYjUtbXuqTharC2OqlwEvlOGF72SrQEiS12zgkGYnJ
-ZYDGz+wDA2CCpFXxNwL1ZZp6ABgH2rgL3RUqPGrXefdib2lNupvrm7s69//wJmpC
-yH4Hex8Y7zA9I1cumIPFARQIOgNbvnCoplRYNeX4TmIMY9uMGtFNRHvrk24bCdz+
-leOGPWFPrT2SbPb6ctGRwZmgXq9NLcea62ErzDHBwEvMxFVhKAGoRUR97YZv2y3F
-hkj/kdgQVg5TEQfYWINkDlGX8kpRcyHKYA/VPzupgI9g7dvP65O9Fo3sivJ3RM8N
-QJj1hcGn6disCHnw4PrgnxDkVELIAOD5xye5919AYj3j/MwIu7kGANNjJk34Tu6P
-gRxagTKQB5qyBMsYJl7k/D0RUPA8OsRH1Z1Vl1+ZXtaraQP95Ozoin74NPESKMnf
-8lhmetneI9kgnW7zDxZbz5On26/UnXB9FfJFPsHS60SVpUFihFudrpSB6CHxvYAm
-hN5EUekFEAgB7LJ0Tcgc49MbVdMKk7H2Umoovc1Th2DBeET0Q1yabaPG3SQF9lPH
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes192.pem b/tests/data_files/rsa_pkcs1_4096_aes192.pem
deleted file mode 100644
index 8f2af5a..0000000
--- a/tests/data_files/rsa_pkcs1_4096_aes192.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,3F70213897D2A537A35A891E5682E0BE
-
-cjhXvbgnfdO1KzCgWFTwBr0ga2bwtEhFIWSE2EeFXK4IWz413L9nfGyx4VGMcb4b
-j9f1XvJIM53bZ1lrqPkDd90qzq3GG1juNdAKUqUSATFUjo41/KLE/yCETMEhWCIr
-LdH51NvRGozU75SR+i3DlZGSepn2geDjdCrCQuwVOJlG3sXiyEKYvBpQDHYWhuH8
-isM6Vlh9sibC1WhYrvslY6M9l8C0WuKGkqZcJmIYC2q6uHTcq1g3vyZ7ZEwxSYe8
-qxGMJa9MwkmwAaT9d/FTLjXwfagl0Waz1dSBOegtqcTTjaougv+df0y9VcxVYcay
-lMhjo3wasTl1k8PW6tM1SEEXA+4QJsGWdQSqi9TqwiqwPcsxAZ5ycNmF+Kr7h3dY
-7yFzc1E3xMpH1zR2lOfvwKk+2aWEyeHrREd611Fpu4Dl0WEtxnTphswt+FHhmNqF
-J8OAm2Cyd+pzkPJOJXgbaYqM/ff7DTo9KQd+WJbizOVW9tIwz9benq3KCuL0NyJK
-r0Al9BI4ysc+3hmfPKhrGzvP/BaGPTAfE2Rk9qajPfyt1vYg6WzLrvvyPTuS14mC
-Ldbfzl/KBZz3ED3eqmW3/uMxIZcnRUL0jr7DPkdN5hoJyEbtu/kT4Cjke9IrOnOR
-rVHowECNOjiA+Z5cIW3HFK4jjQwUZKMrZNrN6gRbT/ZDa5CwgdmmFG49U+GwNHmu
-cXvNnaGY8PDPvXBG9nmJ7mDA8P/VFPYQVcPLlTbcA3QL8NUBWi95tp4FX0tdEouP
-+nR08+UutUnifGDgScBeBvzI1eYP8Tb4jc/yQDT1L2qsk0bY9LNTgo5XMOuStM/d
-Hf1IH2vx5o4S71PtUClJ52dGSbdr1FGB7CNLOHugaX+D0FsjxsFiAnPAvOvZ64zR
-vILBa9G7pFxhP2cbo1jO6mAixN6pXoZTEYv2i0SpFvQzxAP98PZqWFdAFLPjEza/
-Q+OUs4xV7MdcRh/wycihFCCeGs0QFcmZtlinP7qkTpaXUKdcQmJHj5CTawu2GFZz
-4S53US3p8LqoBMOb5dgG8zzaCh85evrG6liKGtzpY3obsGZYej/Dvuht+Q2Pn9a9
-viln5g7al1KEz0cU1VTfB+SIunCMfNS36e0zl8PbSG231vEQqVbx8Xv5zgzSL5wg
-I+XtotQEgQE57miw0hjW+DCaDaBc7mpYzPBaqtC0qJUSOpFE/fig21H4uDBBZbk3
-Pf5fkLXrCuoT1EJQ1iYAuJo6KTdvIO//6h1lXu3ZeassNKS3k6yAmyy+mN9+SY4i
-RQR/tjyqbKRVoCLiNJ/h917NSa5jFJVM3DQD9ZNYR8KEzVFhullZd+MKeuVM4NoA
-H7K50+vCfIPetZfkamT6DQxcgqwRz10pfY02HmNwx5sPk+US7epVcBlEQofklLEq
-fUV3oVbnaID1FjcITwvL//MIYMyHa83e/WFkOLORxzRCOnCe5lZMRNNrWFZCCiqb
-X61aRfeGtEkEvxe4QYbUnk2jOJYsaBW08T0gOPKaIo6DpzzGKsotzYrTFs4sVr+p
-QfQvWVKq8yYwgBe+qCseNcbPFUd40xGSbZrYGLB/Btax5431A1KsRUlzo5gdDDoB
-fEGA9oFbVTZ93r+hK+zs6lWXeefe3m1wAetlLWpEneNe9V0mHZ/GiPY3cpE8dJNV
-OPucb0DQqJJdmCfC9ZXxgpXSppqB3jo+C75lgTyd2kepwf9uiVTz/ysnHvj7T5tF
-A05lfnQa30MdllCBaYisJa77Tpq8VoB1boogC/UNsCorsuXCDe4PvKPeElGokdwF
-Z32HdTWftm+9ZkiQBY7aKxPELnMaTEvxV7p3O45bqcLt2yuLejDSp64lPkX3I1Ze
-nPdEnYfOLacvDWxZAmqDmzCTwbLqeuqeXEy7SDELsOsLjJQorIcv+t4y175javpP
-8f9TNhteNhOTjg2com3KtyyApUPZHxEnFlq88zbWCqOg3pOLYXbm8qaHs2shlDoP
-Qi18GHQy8eu/mnju6UDASAY5xCCkfuh3GVQX9TqU63kK3j3+VNFmD8v8luStPFqZ
-Z41mebckvTPsdH1wzNSZ0yu1m0nTfGrbNbtG1gDEdnTBsLH4P1hm3DFVOLh1S4TK
-iVl0JUnGbWmSP5AJjbxLw4Y8KrKgKMC7SDGlSyWiEH+rPkVtqrJEwG0nnanstM8M
-Ddbf5YvpWXFYGzCERMm2WrpWVrXLwXdMW497cO+YeYviwGDTmAqFU8PoJkDCt3F/
-WbP7Sl8Y9r+a92eyoWlOh9iP1uEneNsT3z95wpqWlj9eYZlFNjD8aY/FXgfnjXey
-dehNvuCNor5+FI8fuOHj1C/2Z0PskmzoYuWmno5sPhNtE2GpWhUFejVF6QdbRbzm
-6WY9+sJeXaZcrd+AGH51ODgsliSPP48bCfkynkni6bVyURPYeTduhd9Ww8ZXpjNi
-ROUGA73edxzZffhAuqujKNE7+cs25kVchZ5zh3S9RYCW4iXfMsIyLv2bi6dqJPtD
-YW6emBTTHMYNE1EFyBVA/WLL75EDExJeCbIaCf7sh4lsVI6MMyU0TwTmZ+jNANqi
-Ciiys0AYSfRAs41m36h1Efy8G1bx946iShl/BYQS/6Bv0nr/LAOfaqo8mx9/jj/z
-Zx95oX8rKViAj/dtlH+/teW+i2zVVgjcvDr1pvekeb1n7xNLxMZs2bGHTeGFrqrB
-1rv9h9uVJP11YP7AuyAflAC3LOKOtxen8cxhvFWJGW/djyrEaETyKy7mG87v63ze
-OboJYP0F2005FS3xRZJGohcysp+CDZS/2r0DfiUi1b/yXeMf6yOdh3rXSVDDrxBZ
-ZOciIgadV2wwMgj3tMpHfA4kRuNWMdr2OUws3/Kl2vVo2sd7oh+Nrud+peSnWq1f
-0yhsbrEhxTFeSKxd39qkUg8ELMsO3mLjUVKC1bFZzd3cHulVJhBRC0vCrVAgfFye
-hy7E9sU4+cbbGGb30k8WODn7ciG146B4rv+ZXDTuDG/PJeDf5FLrJAg78RycF1Xb
-vRfMIcrygIczxKgd8sHuAk0/yYN8tM88+9wEzPr5F6Z2Dj6Giai8TH8p3t9SOpev
-JIFSVyPYxUWg5B0kCOLhihe2aBP2Gi3+VoWbNoRiqH7dV6refqZG1CPf4RzKJdT2
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes256.pem b/tests/data_files/rsa_pkcs1_4096_aes256.pem
deleted file mode 100644
index e2fc2e2..0000000
--- a/tests/data_files/rsa_pkcs1_4096_aes256.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,52B3A521A4BE45F79E26667FB6F79A81
-
-m10sgThu0xP1wMx+664P/NHSZSjTW63ntAUwVsCfpWamzPLGWOQwGqhfTP7FF8Aj
-ckgoYL9Gryulm4/YLH4lh78/beGVYbY+dhOiQoJ284J28v1hGbwr7jRITuabKted
-PSqD8UEWqHRmJojDe9yznbfAKjdRyBapQg9qrbKsuumq9KKmEb/7kXKIy0eEe2lS
-U0/aGFlPh2jpyLuV16K5NbeIZBzyuowZWcF12AI6gc+axP33gpWPDoNqP1PLluT3
-LFx7o/1S0mMpVNQ9GUcxk8X3mngJi89AyUVoby1YIffGEQWKM/lqbl4/uztVRaH+
-ZL6d/loOmIV3FqDs4RlDTUGMbauvur3BroH/sFNNfsPv0L60U5ZqNVWpJSLdiyzT
-Baqm0jET+pQnwO5pNVMmC4lV7ZTIRcoSmXwautuoxAPoJKGjrU2nKGCFWvbYyq6f
-pIR7RUH39pz6ivzW6+cHbS5B/6X4BLGMrgk4Y+DNUWtDaPebocIZKPhUfvnqwb79
-oNyDmn3wIniyOYsZg3YzVOoZGanWfEfMc8AQf/MsHmSETRRG3+zGqfuF2grgLt5M
-6f3yz5ybKnMYC3U+Qug/R0xCw4r9PygCF9S1in2mPj4alyfgU7bfTSnyIeEEzA/e
-csEnv8c3BUrfu5Mr5H2miBByEnaE8LoW4e/fo9Rjjli5YYPyS0Gmj9dsp2Sxh6d0
-F6uwftnHWidmPjzlYYRaCnCd13cf7MzIgCAALKU6YyZgj6wHZ9UGHuPY/gmM3Tly
-rTxtaZ8RkQ63QLyC3rfed9/rScZLP3unnWrE8srxIBfkrdmF7q9F7GvpDLxjg+F/
-SPDXBU91sAVCLsV4uEVmx2uYBnCGQCvk/sESlsDWVHbIzhqQeeGOTFTwRi1L7dEb
-b4+/+t5AtWV2/Jqp57c+pi9MISB6dGRi8PwzVL5o18mRqQoqDMGazqiZrnkQ2HLl
-kpXAPaZiEC0B/nbHk1jvs7T8vyckNCo3u40Th0WWMWDBg2oMNkFg02Syp9suBfGv
-eof3G7qPKGZ42hrMt/niBhRhyK4hB5P8ZtcYs/TdJJVAK3oBHbwZb44j8efkng05
-3gGCvvRjCYqP7ijhHaIBatqsStuAoJqZTQsXed+5BenACYqGxT8mJl+JMqS2kjum
-Mt9WNK6EWV5uTe/8M/A4BMbR77/AOgLBYIWpOWcsjnTWDayZiapEwnKoMPUjePlr
-pbwSdPhP2VHHFKqNak+OEDsPm3ouYrCAowe/kU+WvGuyf/83BizJZ4cbnu4XE7JO
-jw5PHrfIW0HhdqNDM5CagQOOWQazCUB/uH+ehqt0tbDmx7ZHPtA35ZQy+tVYcvFE
-RMozwpEcDQHDyooWBIWXx8v8LYySH5kYUkwTySe0WQrPjFAQ4WOQDTaq98gm/q6b
-oUGQZeRwPAdUa1muj1xUELzbeok8h2uLFS3VEliLKMo9s3gK/GKcmyb3vhZpE+uW
-JHRR+MkvSHNOyV3eT0m6S8zTj+WxDAkrwA4OWN+pZndlIMzUuJ5OH4iyXBDIbozX
-OYZgHXN4hXLO2ThNFvud6JFj/pHurTVBIATSo4Bb+VCynRmtiV6OmHoDoNQPrv0J
-OtttwAbKEIUp0dQLMDzxiyqnurEkvwXJJA/hXbh7pxCVt8mlTzuVWLLxN+paF5Ro
-3BincBlVtPdWcx75TEXhewnF/JiM29iG5qx6NQmaIe4f0MGtPCFFnedhMJg/zKpf
-WRQiXWfsCCJWPM6NQdCxmFJkPuoFWGU3wpFepUFrYVwgnSnwYdmDphyo8IzMdZKJ
-HoC6TcfxoX3EaOOFYNPDrYqFU64gpfIX537Cunr4l11kmt9F2CpZSZ7SRT/b+fDn
-JDk8+Adm8bdisO2ap/Uktei8ibEXMcpB5I0/t6VDOGFLnvax+u+eGH77YK0zVExP
-5N6h8kuMFTLYSiDi01rOxB3EgAXYqiMNttM3XyKUiNvLRIuBqiAWjQ/i94PifQzG
-i1UeItRU6Dx4JlJhKnk5C174dGwv2cg6iZpKydHexRyKl+/+pmvYFsNOQxkLc/U8
-uxxHANzHRImndCsFiWfX5Wm5AuY9Rj5EbW3D5vsGiAT2wm9Ire+OkIgAzOpp+Y+b
-llT2q7aKV6ZRbGYxqy2b7crPhC1+OgvVapGdavCh1Kl28wZyW0z63KzwhKrfpzTG
-keJn9uokrNTo8i7kB9OYQnB+Yj4l+FpX0vF6mC80HWtpe8dN1fEa+nBhMg9NYaeW
-W/VBcd6HHsMUbI+LCxhJdJYm5ZcN7+7AkoIp1lkWb3hVDutKYKFE35o2PQaulVUw
-Tsya4tqVB4FpXZ703IkBXKf2rS+mUZLkBM0FD0NZcVFC9DbYFKhqArhPygP8Dp0b
-70eMENpvur+Y28Xi5nhgB5bYtb8AKuEPr2A+MQ2e0RNyS9ADf62Xnml1xKpPjtvP
-lz40QIZai03vR4jY60RRVYxiCfbAjdR7UDnuyNynGXgRYR17GAEssztuWszOuneF
-uZrUF+QqvjDnuX6TqUUzd7DR0tt9n5nWEeX94YEwkdnGMrPSDjYVBFrUzxb0C8EO
-YduXo/ZQVQy0egZNqiIYt9MnaLpnm61PNqYjNAJ+4Lu48q7R1x3mnJj2XcHOonpI
-gn3riWaDVOg5oS/M8T2Kog5QTfZXqYj4JYluWZjgPl1OwbxflAPvZ9SJwPnQoENA
-v3emZVeCZDH7aIbLVIXPOq5cZtstuqFCVzafY8Fc9WpAQ7Av1TiSvJb/xPeD0D9g
-Ka9q9E6K1Y+Y+4gdDkRnssG0ymLk+F164+6cuCAVALwGwW+VtDyc1e1cc+445siC
-6epL71QT94CfZMQ7A0ZkgusKrL3Yvwkjf6mBkOvKeh14rbdrAltzCSrf9PmEJtB8
-BRI+CWhsBGUwqqT41U5SFkRG2G1Kx7xILbZgJXJfE71esB77zvTSZRc6/IuvLUyH
-Lt+crv6L4NrN80dHYrdpcRKspIYOMpBSGGH8OMfSVU/kvAPVB2zqzHgFxA0oHkm9
-cLCLIPVZP8F2iA8Eghm9uGILxdUkR+YdAY2ZEr2N3722ZIMBBDIljdQEaRAGDh/H
-B5e3w69NVD9d8cKHz/M7ld5O9B0o+G+/yrDkAokJuGACHjqhEzhBfpDO1orNb7Sj
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_clear.pem b/tests/data_files/rsa_pkcs1_4096_clear.pem
deleted file mode 100644
index 96933cf..0000000
--- a/tests/data_files/rsa_pkcs1_4096_clear.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAzoPnqYh/7ETGmdNWcczq73FW++HfSm1PdeJqi9VlaQHvm4TZ
-hj3JZAp3iw/DyQFiKDRGwukLbroWrQ5tGnksEmuLWYiinaCnApVLqgw3crzCTBoO
-XoRwyj9mE7I8D2NyjBwak/Q3mnbqAouNVNtE2WAqBzEHNIBvub1BuIhh9MzqQViB
-4SFLyuOzfSPfuRWO0/7RkykoiYC0o12SY+fALP12PMSqwsSuzTXaPNUBI94ScwZO
-MAc8ey7jomUKPnEZRASBwCNaC+NYr5RlR4JP2hqozma0nbzndPwPdYZ2m4uZnTzP
-+2Y9FbP2brRYCkMbPOmnt0g2CjiDdw1J0UHbFT9OOVXTmFYrGu/BlF3sX7akLz8l
-+4EWQ97acGQ2goPk1wpiaoxFAujZsCGWGSdEWEM6LEmY6Jr/2cyX4Elw4+Q7Ljxp
-DRN6jc3QFoui62bkKqozqPs+1yu93vPe8GRHIHxCzNTa3oDsE4MVX+boc/CY12nK
-9uDkBjpwL4L8/FRFSMDbqiVlCnwqkQZhfutzgD64IMy0B2FhbvaPM+22OEEHVEb2
-hq/Gbs4y6aPQP4VtIWe+UrFh0FUIR0xayGnME+blxD2Px9oJ3KpJ2IEG9ulxtHXe
-Lzw5jgC584s4wFJz8R2DL/js1dbNXiSQZnNOau0J2srz7w2XFo1puGxY9UsCAwEA
-AQKCAgBp/PKRZNfah7WxzvAnuba9qtqsrVDvHsjQRKLQH3ZLfU3e8EC/j8hjSqft
-u+qMp+QbpDDI6dgPPPxUVvoRwyymS4GaMvDam0/7mGnb3Sc8ALprWlgTlD9a3Uzj
-QO9oKm7oj6foVUeQRAV3xu2DJoHgWmVXiYccH+q3VfV74qr7e4uie+00gOUoPNKq
-oBW7JOBH1xjyQQZoA6Ex0t1F3vQXYwIi0ACfs1fPRBs8a0mJgfjQBeVs6tnUks0L
-VHX8dAk2imWZGcumHEkw26VbHPskgdgvDjEWX5QeyxqYA6mtzOjK9SH88YzaLaGF
-UZN5uNUq3vRPsYTim/yExlIjTnxEL+dNAeI0kZQpHZK8G4yHbWQ0WRJGd73lxIUS
-fXiV4/MJNi/0pPfEklZ6TThUZI26im9QxRzGDxiIk5IfL4o9kF3JXdjNNd/rm62h
-/t9pQdb7UvXGzU2RkN9q/fOsdXF7n4xibAtUMzCDSnQwID5sI13gIxsIYpLP6x1x
-8Ew2s/4j4xVfyDt/TwimAgCdFQFZuO5IiHNVoAqa7mCcAJH5UFdtFkRvDhtk9/Il
-zF9XpG+Bf6vwloUw/NEczjYzNLjKAnl1fZJCgU16ct6VQ6ysR2DXRzNi9VLigWJY
-RC/+r4PvOTP0TB5Fid6MtPAakb1/YCP25zg7XZxRW1oAVS4n2QKCAQEA9DGty3ZL
-h4BruBSRmkZfGySKS3Wo/eXyrY7kv8/6+Er7DKoGzcVbOeQxBBzwJMgssRkxSTpO
-SedraYBA8mb8E1T3ZfuzS2eNPSMNci9ukWl7xSYUJh4BogmVqUDQPdtScgRdantP
-/lSFSXFSHoRvte2aeTP6YVIwa6nYICnTi/F10++LBJPHBTWDW/DVjn6zoV4WBlML
-zx8C3GAoXDMP38eJN+Yld9ApnlTfVv+yxKGJpJSCy7fDgjr6tVMMfMRlm9CJztqd
-hAEVFRhX0HbRYnuU/vcQH8lk9NYDCY57+8xazcc/NdYthZANdRVOX0MVWVhxRrGs
-QlBRKL7idcwEFwKCAQEA2H/i1q/oXXAsJ/HdCKVg4Y3dKG3XutDNJOHw7UTPOQdO
-Vr8LA6hit+D6zkRlLyGFY22XqlwY8ae0lWlj+dCAbfefdIoNQwXz/K0F1ofz9CCc
-qLBBccrvoB5+Lab9Sk7YEjxKAt8d/6UXk19OSKJFxxn/s2zwUtKIl+0gkKpbKLFp
-QjP01B45GhYxHvwDTn3odittlaFw0VilnqDb5gqm2ficWgt15NZo160p3+f0MpCu
-6f3umM0eRpLsvZxmHmVQmyQGR+STD5AlMHXAJjVoPP7iy8EOnrgGnJgY6uEVTEK/
-2hZ0qYaqU1rPveXSJ/g8su0sokarwKlOC7iXa8+07QKCAQBm75IdVE5eXioKPNFr
-wQJSRMLvMDf+XzI/Kx8OJDPc+m59VibsEqdz7dcjrrckKiV8uevmvGdIC/9hR6kZ
-BYR4+bYYDVP1Ez+cZ+xBF/F55odAAd84eimiDnxCDoo5qPxGB8UBH94GjcZpwRUm
-vBkDDZeyQ9DluWmj2MK8PCVqtmw+3JkzYr/gWEB5PzomiQ5blXefTt6Jfr8L+pTI
-2NV2NXyITcG5kcwZbBmBaOQIszd8YwYHrf0CJq6MROfcqEVUu0F8Kvd/L52deNd7
-jrqQ0xtppufrHlAqTRSWsLNe3zPfzn+8x/4EcUba9hJFYdfcA8YsULUWdxjfHigE
-E+4dAoIBAQCjXq2f75HaoIDRi7ONiK44xkJy9aBq+pEzGcQiZ2Av2pGE6Bi5o+EK
-fJ0F9ZqdHCB5zQM7rM+t2y1r6eFla67eTJNo75veTam1rCLRpjmyqMFOkeJwqgB0
-xU3VyUMtRZ3K9O+shw0uEjheHvcF3F3nRnkrvjMDbJdifa+rOsIbTPTu3iILxtq0
-ErbyeJ1OJ7i5I0BIP1DQyKIBt8T4LGWH6hCh6jAGhL0Ms0D8Ex604XT8YYAgkfgc
-rVY0JsbwfOd8ioyqx5MplU5a6SAcNQT5siUWOBJ+NsPWeveilkLqDxySx4s1Ocdh
-qw9Ebx5MxweWxV5+/fExKxEXyy2IT25pAoIBABGpeb93kYkzbycwkJl3wsqCPIby
-kHwxWFpc0B3w4ugZQAUYt5EiJtLCiKpBqjm+6/1Gdv9zAJTndKnKPeY43gSjTV3P
-bObZ3X7X8UuAI9yJ1TybGQKmqlPzMSViBMLu0JaOYCyan0CCSZUMB8Np9XSGkvwN
-dgG9jzxqj6XvY+z9ghj3ffhB8o43T/VPIUh4ncIHH6dCToaMWAzPWAbAaIEbAjnv
-zqGFToTirBHQguS9U5tmrUxgwdeZEXKt8UE1j/GVirAngnNiImigeUfNUlovmtv2
-CJuAkxzzREpVNdQUVn4+UnMNaaLs8lP+vVqL0ojBRGN3eZEQrvJi4LEbCDc=
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_des.pem b/tests/data_files/rsa_pkcs1_4096_des.pem
deleted file mode 100644
index 5bcc71e..0000000
--- a/tests/data_files/rsa_pkcs1_4096_des.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,2B0C21459A0C9951
-
-KN6p9tJbTD9sZ8jVAp7fX8Sug6XqCi8YF+oy0SB9NeHO+YBDGJDNtWHSMSKzjbxk
-r5AN+75uV2pEoRrLyYaWVA22sbAJc766ZQX01tSkxUX96J++Do4zUxR+GJusIUnj
-RBVDZfz7vg/qa3xJy5x3cB0iqunrGGCQJ+CZsUtYnk26V3iMBjTu/WQ+vqt2RRIy
-dwzQNPy2LWkXQ7KIoh8yDGjGtWf3XYFYQU37jGlSoOG/AVxa7CrXdtATfa/kGLVP
-fOeT4wDLjKdawT4GUhUj5yt70SUSFtisNtTCKsLGLSpgvO4KWMYOsvo6uB4jxUEF
-X5pBJLz4978DJ4N4L09Qg2DxC2JIyxZ5L1dJiWSgMVnKtq4HM1J6VFNUseB0ZDB5
-X5/S8AWwfb7gtBRD8hZc+UBaBApgU/us3AZhkqczsa35j12op+mpLGnAWiQNqumn
-iHdcCOJT6ZL8dq57qmbEzzyrcdhYtFJmv+GLS6m4YMKk4CHf9lcD/8CmjxhxVZ+x
-OkeKF/MK6f1iUmXwZl28QIcoXrTzinyLjF2RbNQfhrgI2ZUTlbVgDVWhygB1eeXm
-sW9J4B1H3zGslbOcrqdh0NHdWKTvTp+lfzTtrUtd0TqgRXErFJ6e3pKDDCDgglrI
-7lyyrG9sOF2+BmYevLUe6R8XCBIFhbx0axClN19k2OnjvCbNpVlBeyUF/vbYzcBX
-1toINEauWM2J9noi0ysFs7vy9nBVlFcrNnSXNFSgbydn73fYk2WnO5myoBBapsKD
-Ph9sT48/E7xfgDmKJ+TLyz0Jfo94RMOQGgD8qNvZvAcxTpwZRY1q9c0crCihOdXE
-qavdYIzIDF8oh46/SGSU3RilE14uHHOtowzWKc2jzD/Ly5/cHTZy+DfPd1ezL0Ym
-w34jj952+FdMMXb9cmzS9Vw3zHNndWCMZ/9tPJMRoqGgbFxcXViwjWlkyNoGn2u2
-J4InmiIbxwvEt8JNfHC8qLLZkQbtdwLKP7viz2Lmyn2kSR7fWenTDr/bwgaLRhWK
-Ii4/BiZy+R0vjR64U/12+XtdYI69ijkwOITDLePY+4SYeZjHTe2BhihhfVlR8sLL
-xP0JW7MqnFs/eJy+xe+PU1MKG/WWpwhi+jGWPiYJq7cuIwz4l3x4GCuE7R+6EF9x
-SxvwD67EhI9myx/ilzdPiPJBwPWqEvd9jVEvqbTBJERiNGH8XXH1pjZ/gPdKxH7L
-QnJ+BcZrxxrNW+xKwvkABq12QhF60XkMik3o4XROY4mS9CGIOi7d+B1mrG69Hkg9
-BVVCwVibbYyX+7+Hb90x9x0e4CY9nm7h0PrGMj0vGFSY0oUKka1OPra3gqZVQzdN
-Vb+hG22Iw36VlbGbkoEezL+ic7Hpvrl4WwAcNz8Bq5iyQLbupp/rdkmYh/JL4rSh
-509YdEFAUV60eNPcGuSnxhxB2m6Oi5ViENMw/zU2po0oZkh5XUPCin+Q+Dg58z1D
-qeWg+ZVhLMucsWeXUQiNA3UQEJde/nayi1f2SxMWuvZxsaS5Wh6PrqutfwtOokuf
-DJzWJHiMavKP9nfIj9phlomZru1R/2fWEme89rCrUHv3Kl9qV4dwRMCDFsqL6iuh
-siD1BjJ2EFwm8sPnNL4GW0SZPsWZiF/ENasiVbUhvRB6gyj9YYomimIhOIjtn7As
-6dJpKFAYOFJDXFv9Ofj9sSdDQP/4GYwKTaYGbGYo/qIDPriiquA7CGBI/gksAmoL
-DqBsSXrUCaiPF7Xc8Lji5oCTH34WQd0TYLOXawWB+oiCCCUwnIt8fClGBmvbfMfu
-5oXoVPUFSDgKCylTedXJjkUXMREvNdQbSNb9osmp81WveLz3HVU7yYksuJK2Ungx
-R+QeINhN7wC6E8JJUYtn6AvxfhLpMBpjDfQ1zOqDitye4Z0YR/aI42d5ll2ZilL0
-giof2N7Spnu0g5f1twuW8rIl1BjykiJHAkIFoTHaQApQDtV/iDarJJJ05Og1lWGk
-4s5WMwXtVJiq4QIGheCW2ho9eKjcijoUzCDvK8pfb33jTd4/77h5M8DQwzyzVIqP
-ap5mVK8WTd7NJypw/VP00EoyKTgYiRY1jxCCYtVajukg6BvLnZijP2YA/E+ivpau
-lumYhCYJj/wZHxhBuL1qjjz74Eol6J81VPAgt3Dqmj4Did9XHl2K+OMzWlDfe+Ah
-eQFEK0xhkPyScYAE59dTV2Grf+abGBxYnH8RzwxUi3/F0DVWW0lLZx3tfjfJ2GVp
-dh54pdlN4DLIDcx6tuKMU/F0NC3l+esQy6sd+Cn62pj8IoJyOBStZuG9b3fJ5CfH
-dAkjlCJwtX6F+X/3MAMYLMsFL1L5BxXIdn7F+mJftndtDRX4PuKuW2wv5zM7UiWa
-oQSKofdQFI4w5jxup7SbYedLPFu22Gt8IpLWheEjxU6tOmWmp1F+SCFoM9vkv2+4
-hZjDexRp5jidGs8A3rzwQOpnWKD/HGtsJZAMYe1+UFwGJNpz7oNM2It4kfuvVqRE
-Kvesu5Ut+2FmRJ80Y5nZWY53mZHle9GTGlJeFTeueOE+aFzpj8ghWXY5swUlcNwc
-05J3fqom2j9Zt8PGt1yaVo6Hd/BbIdXJ3lWe63CnjlznSBKWn7XpgeiJ+sU+zqYE
-vclIczNVJL+FuOa9h38jn0yblMZQybStDPYpOCpb/AHxr14EFkZJKCs5zNn9RV/S
-ypllyB3DT9fBCWed8rxAH0PQ5iYc9UNeSkfmWapfJT4YCUmzNYU0C/f7blYet3xL
-1gOXpiISdTh7ilzFe/i5d1I1UegmtTSj/MmVtT8mw1gqc6NIaFIFY+VKU6am0z07
-+aD5llI0Ok3/J2YMJKrW14u8VU6oAKfSqhZRdWnEemBJiAgKre9r+3qwg3pGgBCt
-sRYpXZaRLbzmtFjI5Mfy0uB2zhB0XuqVCCgqT7WqzfWilgLRPW1PLJoMxOykg9FW
-3EofQFJZ1/jHCm0Mxcy2a5edwgjIHevRQGGAWHaOnjiHXKBhpnRRTlxsv+ct13kH
-c8cT7E1vQ614hRluDfTeQmyHXerlkSwgZDsEaJpOJ2nWnes2k6u6hRLNEPMoQy5F
-dUdCwLvXxNEnClgx8IizMJmxzhvmAHF+9//WgJS+KxB002MnP4wX8ejpnCgM1/oe
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_1024_public.der b/tests/data_files/rsa_pkcs8_1024_public.der
deleted file mode 100644
index fe42998..0000000
--- a/tests/data_files/rsa_pkcs8_1024_public.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_2048_public.der b/tests/data_files/rsa_pkcs8_2048_public.der
deleted file mode 100644
index 8644a56..0000000
--- a/tests/data_files/rsa_pkcs8_2048_public.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_2048_public.pem b/tests/data_files/rsa_pkcs8_2048_public.pem
deleted file mode 100644
index f1e29cc..0000000
--- a/tests/data_files/rsa_pkcs8_2048_public.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2xx/LgvNv87RdRCgorjO
-fariBeB62ERjj7W9wLAZuTe4GUoO8V10gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35
-wREsrmq5ir0dZ2YX6k692xWagofk8HjDo4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt
-6gEMzEKadpvE0DfTsRcBYQEWWX4cF8NT/dFyy0xgFdp94uqtUO+O4ovUandV1nDZ
-a7vx7jkEOKO94tHgZmvinEeZ6SjmtvwuymdDhOjVg9admGsBPoHcPHrK+fOc99Yo
-Gyd4fMPQ1WOngTSJrSVqvfLq7fpX/OU0xsEPcS3SCBAbrURB4P55oGOTirFd6bDu
-bwIDAQAB
------END PUBLIC KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der
deleted file mode 100644
index e064e86..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem
deleted file mode 100644
index a809e03..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIICojAcBgoqhkiG9w0BDAEEMA4ECAvRaVQoz78HAgIIAASCAoBiIDDzD49HEwvC
-COrRrODVgYMJ4+jy08j0yQoyjjcLRt2TCMdNZ6F6ATuc7YUQhcvJIVT8RLGxluJ9
-Biolgd5Ur3elFFl/8D4jSR7x9zmEFq6fxDjrkcbb1vK/1pth9Cqfh7FXQgD6Dlmp
-2Y1YTdrelZTQs0hRZye0YmQB/qpBs+1VY+zkSNvKtlJZqPYnKawMxD9Dif7glpDV
-ndpZvNXDbbRy3vLq8k0rKRIJQ7mLjmAA+3kgRRtUhCSTbvUs9oIGqgq7xm60mcAz
-yG4LfRQ2khZSQTK47PENsDoZrazioZ6F4d7qmB/peLWuvqVdpBY6gADecxJoGq5a
-4qvZy5srgYvOFfGi8T3L88mJc38U2WQ2s/eHsmSzC7EmXapNE3OE6qwDfn3bkOF4
-odksNaz0IoK+msaUc1eweExE97ERlNKo+XuJeO7Q3rjO4+JkFINONbpfFJoSmZEm
-XX15ZYFFkYZ5eI36zOpX4ilHmTFmXq7BOmNz8hHWwmKUSVx8JsdvpMDbl7bfTtxU
-sTzS5LIgbxpP1n/RdTRe03ALuCFIyD/bFdbjH0tzzKChV8Y9OIHFt9aLDMU/br5i
-tRQFh1D5baGV2atoXi080s4iiAm/ZN95btvLOs0C+ixHpolgHsVwrkJgKIzdQKCb
-4CSHYst3/4Q/3KTm4Cp4uslKgVD2fbnSWMmHnN70kERG2kTLkCexS/Hht7YDU3WV
-g0xSRKbmedpYJ0N4pSvpIwQKAaoBWpgUVjcWOnadLNFHz7rnpwDw5cfhWBKyOor+
-1YxRhpPCLzec7UG9dYu403ATh5nbhxnmz8JkUqumSt/fvfC7j8RSWhNIsBvoiWxh
-7SCrd1Z1
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der
deleted file mode 100644
index 5a35ea8..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem
deleted file mode 100644
index ba60e47..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIICojAcBgoqhkiG9w0BDAEDMA4ECFLoZ7dfvmefAgIIAASCAoCmLLB9OoXC5hH7
-nQ1+s4xBIk1CEfKAJGw0KRMaKsztHCB7hQwizu/pzJlGjDHlDVNkue79C0x3rhPU
-1+894yR7pcwToUeJGkv1WGKmxOJUFJjmhnsBPQw7VK/0LkJJtaMriAyoB/3goQ9w
-9itzzPBatbrc3t1omc0BQKvjl8T6qKoYOO7sKgKp8aKYxzf51fhlq7NPETnDK2Q0
-ib1L4cVeZS8MHsvl+rY37rrscTAIunEgx8hZj704ZjBMXb+wKvLNtWhpKdwyhwog
-zusj155WD/GmqfXQyaTNu3KGKZ+1CtzJ57LC6hQou3tVvqX5lxRv3mk6PdZMeI5Y
-vBaU4lBFUd7OEtVrpEegeMnKWAB6a5y83lhrK3t8yc2l7yzvkhLOK6iwF4OEjRXq
-lZLZCcKzdVOt2WodwmQ7Q+ul+unnnlaBD8A/mScX5GJQxy7g+aczcPerMbHE4Ndx
-H/ut6J4HM65TzVXl6EUGd1B5MkHa5nBqudqsyCAAYyZHlw2I3S4OF5MElsFJYlxE
-vv5qCOajPCowvND2vWi9oVntTsbC/c34/Tmxlott8zlSIj5c2sDeEfDi3vJ6nrMe
-W7tpAEyXe7Mh/Ya6jbJF64f9FLUHMwGjVsaHSTzMW89zp4H8Gw9ujiE5E8FwsVpJ
-NLF/KMRjARZEu+uuhrWbsDQ3B3iHZ94fOH8oQn4K7TPpbK8INj/JG5/FPjTKk9Lw
-1ji/zJFD4VfKuZdoRAoMRbC72i0i0h8ZBlZfpeG/pawaTJCE1SVLEvtHKB++2YHX
-ZeDqzL95FdQwnK3FgfqfNLGMlIbG2JSuCE9JBY+92RsvXjMJRZxkZjvYL+C3alHR
-VBkyv+4V
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der
deleted file mode 100644
index 9c33ac9..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem
deleted file mode 100644
index 534f109..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE6jAcBgoqhkiG9w0BDAEEMA4ECA5GT+CJ7KU4AgIIAASCBMjIenQGGZ2PvUzA
-9D9eyOS6Tnry7U35p/WsQ+DOp6p1fniIWQmMj2s2dH5+rq1N7acCPEpmTLvDZb0e
-+YFrRQU44WuwAR9itfpvr4/yR/NzyvlGlDqY2BiJJIRc9g2oQixBLcN66GMVS8YF
-Y9RadQYO3gMoR6adn3Of/6nxDvzy+4RHegXE2c6i15g563nObozLemnnThM6KiIa
-+B4wOHbQD+ytp5D9oX9xbW7rK5v+SH834vlLtENres/Fr/DMV6rZGvYAPkJTxEcN
-5eTTKpeB45xAZ0DLd5OBrBtVQw/33NIHR6unWbQcD7/Tyb2UvJEwf3RvNQ8LlQ1P
-xwd85NBB1jNJ3cFMGZYCGL24m72KTanGdhuzBtXvaAEJe7fLdhtsDhJeD56yFMGX
-2KlEvzgvIQYBBIqIgOsnoBAqXg4QdDN8GRc43VmnVjd+zMmQyq30Y6S30SkAs1Wt
-lqoKw+HXSLVn3dt6fH/mwM4scau8r/qQxhsw/YkTXspGFvzjI34ejbh7kvlHe57o
-1TyJMDcKeGrpC253TJKd5xPnzY9vFQ3OuoLd4Xt2cDbhz+EB/A0IJzRRxPE0Yx0Y
-WRU5Y3I1EXI82Hv/DncGFuG91s+OIoWqB4ME9qByec8NQOH8h4Bz7Z6XuCINDBwN
-u1GMAsocVL7SwaYdBtmG3Vx3+tFHj7W9IdFBd80nDzavoY08BTJCbfC/P6KgMj87
-oVtl3iD2yecfozPg8ffA4oqTfAW4ACbq6rU9KyETOqNPlRYvqcs8yLK54MRT7hMN
-HeT32iOhMVdf/rqO2F3LasYUXY/MY3LFAlBaVWOuXvZ2sRHxDx36G0wyl5kA+Gea
-kUftk2h6VtzWywQOzDetbYkSgNW3L6SrrD//3C8Y8vN1s3WB61flF12hR388LPHW
-56KjT63/7fp58D94NotijYmXv1S1Vzu360hRmrj2+AsgInfFO2ldB0jxnSDJqyyK
-D6SSOEY4jr1BvtZT+FNYBPCJyWiEuDedN+BPpo3arlNRG5uxttSQrXhXA9mtGFBL
-wMxMdigt/+KKvZ/4yAmQjfm8JC3kDNC5w90t1Ky8Wb2SqCvW9tMK3whex8tJrER2
-UzAXyjSk3xngsbgopr1dsNVcfJPtMbPFW3X+pVqhwFgN0sVThkXLt2CRS7NTcOFL
-mRzDjUphbX1YI5jiERja2+SOvqHvBbzDCvftR46W6h2RZIVICqpULS1Zz32nro0g
-4fRBxOr4Ii3bL+wZx8uvYBDws/WjfWeOhDSyUEJx1pl3DnzspwP17JvdMvCoaxpA
-qA/+wjogVmyMTaUO2tseo+jKf7Tp5Nd8P3tMelFVI1VxARUV/KXo/gllwYW/aM5H
-8gzV5PXZXR3hKGNi+nrv5++JtddrmyisUEBVyBTDqwZHl1KCwmfZcFvsBbNOmdXd
-SKp8Tqd5QwmgcOmVeTl9YxHhL7/3zNQB5F8V0ZNDsEXiVy0+UEEjFj1yLfbsl+2D
-vWSl30AScCrIsa81iKk385wlAjftaO1XaR57ZxoDiHvG0ZJUtOV6YmW/RnkQUPZz
-9+kMTdCjmcSIh6eF7AW6XR3OQ3tTqxLStSH8BUNM9RYnkeBCn5YPnGmgA4rI/Oo5
-8Rsd8ZHYYP6EVbRqqV4=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der
deleted file mode 100644
index 28162fb..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem
deleted file mode 100644
index bb9d227..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE6jAcBgoqhkiG9w0BDAEDMA4ECMCMlAMpv/XoAgIIAASCBMhBuDiyb2dI7UGr
-SSjkSXankWDZDnnu9ctLQNh86M63CcomlJelhpPlYOGiE8d190awlciHVdd6bqTK
-TeMaeGGf2fG1oKrbXwTu/dhdVBXun82E6XYioHwaz574Cc4FE3zTX5AyiXQuEVpZ
-aiMnwwpH9QuurlxOPxWlsv2j1bWo1nkenM7itJ1UqprvXZQRZgvfyVzLrW7k/T4g
-MYzoowNNHzuS/IHaWXddpMsO/BGkaD376aSdQtmp89Xocq4ON2o4pjGs0r+iQ5rz
-/IjdbNl6vq0KOP5Lkwob7Cl3ROGVim08hYivCDgxFFuN444n9oRFa5HcPkTT2uI4
-JLkJ6UtFfziXkPkMJAbYYNtKFp6XLnQEZ7IZGttGBwuSF/b19e6WIjrhkmc4PtTN
-3GEtlnn8WeiohKz7zxINBAjGgH3QfL0SZnJctXXKArJTkpuMcbhvXIgR40ZlV12n
-sF9IexnKbhCANkUd09xsDYevxes//6kyXKBvfw9jDNpRqN5JE/dfLtWZz/VdPfGh
-z2ZNr/YCOpK6aum8GlPF3XGh0+5dXlRm6ODI5swGqLrJD28E0RBL+I580o7WLJKg
-JJCycK/Ny+Bg4GTtqA5jtYihP8oRARdTHaDplujiGdh743qn1dGTBJ+McYxrPUQ1
-wWyNvEfaosF6GmZtFI4Jtp8rleLUmzfB34u09hzf7LgzD2WI9akgtDVH+sIOfXr5
-2iQUdkXumM+TGzCHso8mHVBKAWFn4IpqbpImJcUUcg3NV07lqtwOR2bM0nYnCQTx
-ZSxtzs8dJxCGPPYPqmZukMSZfUHVN6zDmEpHbzbEgDbUTdmtVy80Zo7YTzec9fqE
-CKlfK+6i06YMncZV4uqMzWUtbENTCX77w99Q5pQTpVRsaV9dDCgn6m8T7zxt7JHC
-2uyH2H0Xk7aYQ3aeKqfwmHXkcGIexkxqJkR0JOcRa1wSEhMWnkoN1IPPA0HpcuWL
-/QBI+Y2ZoDBjQVcbtB/VlCe6lBTBw+4Pb+fOqdt9DXgqMhoBXeeLIA9UZHef2v8z
-cHT02+QpLZfdf8X8hcgca+kSvEiBrjUClivM5U1RcG7uE/Hqc0JE17B9LboRqzyk
-MUvaWntz9HR09Z3Dlrvz/rBcVYkgF+tiLESPlINqnRLUsN+/xn9+VezFizO0G39X
-95gO9W6lwc+CAA7iZL4+yVzfZa652Yg2eck8EOgZ2N9r+Vd/7rPsv6ysGpU/7p/z
-96zCPaZ5FRzVUrh2jQb9ne8SKr2C08XxAO6pqvDEJxHBYC1U8dvki3dfbyO/rNei
-GzXpJPnIvIkE1++XxPlWZz7xFOEP5qufivzm+P6cGCNbme3mY64NYhNsDox92S6h
-PtYYxdjGrp+de3+vRwQXFkt8WHxg3jxBk1H06832rdP5Nx4SOpPEhFv4xE46oVr+
-WcOi7h15De6dk+0pPZaBffBj2eZjs5lqdokSjyS4ScCgMUVHz/Emq6XLE51C2SOb
-c9Zo6w6/zxxfxoXJ+CF8Srmsn5H7cw/tqnTZZmOjsLw0Uh4LaHS5BIwvqfB4z1EU
-6RwXSVvjNdZ+7uBKtmE3rETgAneiNSt8JWvpSxV/deq1exseugi89soTc+ki1Swn
-UdVwFqkfgdODn/zZGp8=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der
deleted file mode 100644
index 6d654f4..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem
deleted file mode 100644
index 28008ad..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem
+++ /dev/null
@@ -1,53 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJajAcBgoqhkiG9w0BDAEEMA4ECPkUjozrjcILAgIIAASCCUh6qXN1usH9xFF1
-BGJOOudiy+TSxZXhEFx5BBhUo7QgeixZ8evDOsjiKXeFCaLszkdN6q0+a26G37Vz
-Pq6umDbE4lmwt4WSfvwTPEKmb1Z0e3EKiqJunjigvCASaxsnU6YebzvGAcCqiCHx
-PvHLME/5zWhrBWvsPapGZMIOplXuZneQz1wwtLeUtHdRE3DNbbBj43BhRtNu0HA/
-S3WtwBVn+pzeNuAt4c1skQzp4Vi5wZtVxbw4UZPesK5K3v3rw3irl3zI5MWb/Oav
-T8ZDcsGmOEnDJQCVD7LnKcXXwSCsvkFOAZ32UikX0g+htY0AX1691Dtjga5cNhnW
-Vo6kdAO9JzrYTPgzacldbUg9DdOB+Jf2fcUnFtQEG/t8jN1IroswiTkySQ8FEn4b
-ch9CFvMJmR9yQ/Xtb2E30CzIJZ8gcfbR+kIxtJaowSB7N9YEFcCehfxH+stFifU/
-O1MW1k6H+KQ4OFMChRJr4ZDQxGj6yK341G6sJn8KV1/YN6mAdjh0oYkWO1WTKIMs
-MEdVyrP6RU8r6tWppS8J3C91qHBp5Uq7QQ+S5cgYLB4C9Y11UuRCePdGx4rx//aA
-ibPWNvnI/0Y9+76KpWos+QgcRvkd1xUWN6lc2p8W6BNW5a7xGf0TggNaGy4PQ5Zu
-oQc9T6c1OKB00Z4CKXkLV31whq7UPcC3bi0VT3hRr0WBI8L128QhV00WqwKpyRsW
-HZb7tnkm3fU6hirLrSb/nmh/fQ8E2wTju5LvRqXNdjk7u69Tfs30qgYlDXUtGd4v
-MzM3Xpw6he1QirK2jYKGX0aNcarc5eWHm0hc4HelJO83cQCaWv+CHcNl96hix5Zs
-i+ME5L/C3nJ+5xRfsMdceIggwWL4ZRaH/8zMid9petOqmkYausQgbBZfdW6jvNxA
-BPjV+rJDD+o0SC82ZXBK2TDNRVPJ0TYGSjh4fUp4yRpM0I3UZV0eOl2tTu9xwBJu
-ErcklEDfu0Do2uD+w2dV9fU3fI5kZJQWNfhgMqUumbAl/pNpOAaU/WxX6GynaX6x
-NgntoNIO2m8hzev5ORdxcRm90cdrtc1gBqkX+cKfepDE0tr21/8J1cRcgGc+M5tX
-jpHCJWl3wgnfQUfJam8KRPYEzVFQg+NHHa0YnWLihAi/UwUegjekZbF8LNmqftEh
-OU+PfluF/kOecEFiXPlzejlnzZtgpDh9oev0fJQVkH+1zDCMJDmTAyYa/RofpVNh
-yslPPMVMvbrarrZUR13EcdHgq3h76+wrgr5afnQMkCduVuTrZv0UbJ87Bj8L1Q9l
-AcwCtuP9ADijvOGtyv3/TVFxVkwLhjMJrxd7rr5pZZ70O/zaZK7zponJ/ieaeu8Q
-YanLTkLKDXk8HXBcBV3J4FJ5s19JKMLOWFde/jE3/+FN6drUz4D/oKAKNzzAYmKA
-6TWmB1ICmyXubc/oPiwNFLc/KiNcIL6k30d0ezPOVCQ+Wvu4mM4vOCKm8hxg5rFm
-yn+KO3wLYi3T/iT6nUYGUpjTvEUGjvn5dwRcPIA2TgQNxJy+KswIpz0P9GbjRVLJ
-+Wb/c+wbzLzM9KgmM6IYz1+Bzhmz/45iFhZBjGAILxu8G3hOmdoQJFePwqkehHgT
-6L49fJ9niPkc3cUsRCMiY3zoflV0mtiworxNgaHEq+J6bRcSSp4sRNH/AGrG6FHa
-dI/9FNgZwSE6rMvE3IxVCwlkF836DzRvlcELosS12KW69pNZokbONc/NZBsyuWq2
-g/rjVN7Iyx5TYt4DUgF38OtZexgJzgaZeKJh8q7nvThpZo0MzbfL1ony1uslmmpx
-sMjKqGIPtU/Gcj9eSAQqBY5cWbNOUXyC39Akoe+YVNg2BS46s1Oj+IU0d8yyMtGs
-SKGlsO7EuT0Ndn6ZrIXMhWvJzy4XuAGmhdpgeDkDHh6iwLEHZAqGZ8qbgO+UW+cb
-pn2o5PHyCiMjkX9M04GzVSKQ36ULapXlqEH6PP/rXz2aZftvMtWZjaygh3240gOH
-bZNkYKwe/yQMprb05wvMU+g4pKmz8g6GZ9/ddvSBxDuFc39iwiukZTUA/lfER+kS
-c1vC2Qo0/aPXUWXDPF2OMwPYzHdvRgZtd3y4no6lzl+Mmsx8v0l53+ErBWFvxX+b
-2jRwxJroalyZox9HD3XIb2nl5ZBDdGQ7C8WpSwlJvYDV7FsOh7ijz6UM9iQ8RKJv
-6HYoWLAZ6Tjx1KJQ7j51wUMMWtmy5ktPCCphLYlHTyhLGNAuYY1/y4dSVPHtsjqn
-bA5WGNwBILDvi8tJqSOgbkqQCd4zwZG4LgLp1yfrITX9Lq2spFnivRug0LySuTOd
-/htruYm7ArA1GX6xzihD03DiVnWU1IawzOmDhujFwkwlrI+zMFuVsoObocQkEPTr
-7Z1dQhafMQhHZ4LI4t9camcB3ytCEsGsURFnATqYsJGc83a5NhSoqSP4b4AWlMye
-vOILcaoOW+UpjMah7+MIahz0NOr9YKpCNvgM4WybKcsWVjer4fKh8GiWowoHEQKS
-+RR9OqfGhIzcSoYE3yxURE5zUB7dbvRtWhIIP+NW03eL+kCLbKK8QY/jsTm8kKS/
-tKZIv63xaA+BX0o0Uchgf9bvf0Nra5+CLGb6Q8NWeCnw4YmwkANiv13eeOzepuYQ
-YldTRYAxxjGLJqxBDPb9MCVBB0G6cXvk7MUNL3MChG5bGZqlY/UkV7Yyp5nLiFRo
-1a/LQKGHtlbSaNgyGUwof72qfNQZshbPvT+v72YXF53NkzxZzjA/fxp6qUd/Xhoa
-HEXILcDRpUNEbdp1adnv8WMJh2q9X/D2qHiCxMJXsQZZEXjuILtZzjqj4cuVoPxZ
-qfzGHtaBZJymol95iqcYXpYW3OYDYUJDMby7mEENfyoYA+mYx/7qlVaLBPScWZwx
-NTOrntNRYrhLcabHsG6iT8jGYfpAw5Li7YlCMIzXo289fFKMxTUB5ynpPkRRxHeT
-AW1itLT3AOsg/E7CMF/4ePe8T7bx/2Mj6YlovE0L2n9lu3AIKZAkdlst4qS1gy0K
-2pYFJn6qIwBKVXC8RwQxX+nBOMFxTbrF0AxZ3Ff2IF1x0+JimljBFNr+ZN9I78sQ
-lJUtQrgooNSYZJ3wLAZ8DrHb11dg6EsT8B5dtt3EsnZZZ1IHFbedAP0JxVxTTe0+
-7+0jri5fFGtpGIDCl70=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der
deleted file mode 100644
index b6c8249..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem
deleted file mode 100644
index e4333e4..0000000
--- a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem
+++ /dev/null
@@ -1,53 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJajAcBgoqhkiG9w0BDAEDMA4ECLM+ZvfOIzTqAgIIAASCCUjfmUnY9iRw1tT8
-WER9PHxdcq3hHQwc1NE31oae0fgzT7SDLrcQaoFsiieBa5DpCszjxErG3xlCOspm
-XPHD2zGdGu3tKfmf0ZhezMPfREg3OhQNDn82TIKEbs9bxvDkSuKjuDGGohWGNu1k
-8eE5MfkrWUwcz2mGhPjgM0vyBJkMeMioZLzoccwgSti6AAwo4f6ITnUjbUR65VQo
-l8Aj/JuuYmnWm7v/eh+I+4fkXHE/DpFRaIPrhzY4+EhgTLSHvkoEEnMGACS6AyQw
-+n6IZ8Un3SkDPv8laZTUZIRRJVFmC1e6B2KW/Ky25EhnahDNvGALTanYdsvUFTXb
-+dr7HAZjAQdWZGazifUNiqGBuSTXy81zK2NJBcztsAqaELWEufvGfBNngcXwgqN9
-vw4XHkK6mbAVCiVdIO5gx3z30LVdQLeXQE//pn4Cx0cmwXcoCw+5pIaTHQe5HMWe
-4+pqQ7igwr8zFAFi5ClEfQP0L2DlBI/Wg4mFEP6ROW9FxGg5+9Sy+l3A7ke3lh5d
-Ed3N0iqMAU0Ra9QXnqlArxwimuzLLleV0nMOL5jtG0qDWQhx5Aqb8QPkN4LGrZWI
-VG7LFfPxFXFe8LlwI2n68CXOwYWAS2v+8Z1m4Xe+0ZfNMk0UUWhigXDmgXihRkoY
-cDfVQxR+LBDoYcTXTVawP+YDyIeVz5X+EaRkN0m6bC8zG7/tYBEafdqjytUrtnZw
-za+CfYRNPT5DZfURL32yKOSJ25PXUGfMt+shITmVCJakkIpI5WzhOoXbFVSNrNDt
-3jhzgcSVOge0RCiS3iXQLOzhqLJHc7BkOkgRBw+HR3HIpmiXNm+GJJdVTxJYsdf4
-REIW3tGzC+77BXdgmI8bvOXTvOkA4aEYskNGzoslqpoIvcHVjliHbHcjQLkOc9uE
-B6TB2qebX3GUFw6PtaazBcCs/WmFooprn1k99+Tp1ZSNXdfXMaq4IAkrixJn2MRS
-T4vhzF7rrNQz/x3ky8QnFTvVKg+Ruo7bgJ83J3vuPTDZFO9RPTADjETA5FEHZTtP
-Fj9vcPDawNwl2ww0eeqhiM3Lx/nGzz0+8DRykWAX7TPQdHmSEF+F19nhMrdls1F2
-b//ULjF5z3eV/qE+Rvjl8u7SkylXPvKbtVl1MV0us4tbwEz9pOViKk8sViISj1Gg
-RzydfhpuCq5cFExDvHbUy0EvOZN6tq/FcuQa02jqVWybmqmQtVUhUX2Cgn9EVE5B
-KYGj2od5eRyx+1Nb9uaYz7WO9hX5U/zpGvZweGgz7+/vdt+Yb/zTvP6beyKbJVhy
-7gvBiuQcSV29bSUu6wn0IAN+34eMqkbhcS7F7e9/QVTNKaKF6Wx5jtoTUDp9iUlN
-C702/MghLNKp4g33MkxryxYgVTbD8YuLalwQqzmytE7AnWX/f6Z+px1Z5aPGEfPl
-R+DgvWWAptmb6NtcwYkue76dxy5PBdBsaq4K++W2CxdU0c0yj6I3X3ukzlPWz59R
-T6q1ArHXv4dkMfa6bV0db83nldsypXN05qP6CsMrycGQlYQHKlVRjCav9W2hCKyp
-nJvL3WTelGyDrC5cRNTZ3N8peMmWVazF49LhMZPpOyRKrvtynmRyB+oIQPe1ncOJ
-8VOszefTLpzaIvJsFcygDq8ukZQsLxhyZghC0rKltaeVNYrbf+c1yZc7Xc3CTigY
-YCZPNgIb2CVBwxCV+BhfpYAjCZ5h2lJqt32JwxJcc+c9+ZXO9hvYXY54Sv/ccK5D
-O5TRDlFmS+PPg6H96LoyOYKy8BGACgTAIQFSNpOQq+LCDLcdxpsUxtfdLTfHyu4k
-0+vNterIJ7NW5dZAU1rs5s2Kv/bIglMrYMUPV8gsewQTeHL4OwtcWgMWjgeASTdy
-PQZCHw0l7NZBugUYwlMh7JiYerLhiAn8CoqLay6SKpI0OFhSjFwc5AIsSsBPOX+o
-Y1kPWqzIBeaHOJYHyl/y4fvCz/8XC6nKD2wEem0i50RUMfZqAX/JHmEe2jxkECgI
-XDIWPPLjP4xmb30qTIO7zsOPCc6RUCcPfjaTWKdvlL6GE4mUeS8+U4P6KrwY0KzA
-yNKaGvm+QsET8f4YYma9h8Qtjmm9obr6eHIAOhw//qd4gniau/4xo8cROYJXOYzY
-WMinLRNwO2U8k2hIzzH4c2G6GQ2+4PBlJwjpDj3OX4wG2O86IlTgWC9R/qoWDVLr
-6uuzCtfc3hOQvBhscOBuwQdRH1h5Q8aznHzafovJhyuUi/HywcC+EQjuVnlEUDOH
-LQdPczisyByRn7tgZVflKsgsKGRWu38LiCYJTWNSgFTgS0r7vPXf9sGFEsyezHhK
-FFpUMga0NbQ+TgRv+7jDgjnmXu5fUrl/LdhuXEp8porhLd0QXNdfyd4xssNnHDAq
-nN9SlG/VXqZNe/FX8Nbg2dvaXAm2Xqnfss8NYSpHdlWQvMPAjzyqictqjP8lKCK2
-BQ+ryu3Shq9jP1LoKbxjR9A1gZUcDe6YIcAUn4vu/7ehmCvbZIMhDwGCbdrabtrk
-Y6V0/74a6lih0BoIAn5eF5em1wFlXxGVl+F/5O8IZv6FvpaH3DZTIwqUVRc08eai
-2zm5OPNLlBiapfLD4jOYi/RLWOEn0TVOjZCPLK+Ij9+I4zhKR14kGtjuwQf77Owh
-8t1pNW2kuxqtAR6XniQNlrzraeOA33TagSaBmFT0SuM3Mt6w5iwPTZ0GMnSAKCxg
-93Qi/g7GlNgNRbWEV7yW5BJcVuem9Zzq/nvUPHQ35MRhAb3LVf4JDX78ipKM5nuN
-nb1si+4lhxll3JK7HmTG9vW5VgRCdslfYmgLjVGGQizyoCsd/H3++7AUskDsptOG
-c9iJtXE2RbW/VW8e+4TvqNwDCrtXGbLtw3GGyRoPdrAYOpABkuFoP0yYtvwM16dp
-2kAvaIntN1aZbGVblJVNILv9SfmARchemI5Gl86RfyX9XyPAZ2Gma2QTXgm0f6An
-BOYpqHE/7E4tEL69cyzkJjtjES0KqZ2BH3UXQNtuewo0bx4u9FSt5GP1qdx5v0+I
-stI1KFTS4Pd97LdssbynNJsCex1ns6zXE60JlppXkTFInlor4bMi76PfjKYepQtJ
-qIw+cDvt/u1KVQh8KJv+c1xQuABJk18RERYC0os5tTR81UaBAiqNwttJ4vjcC7Ku
-yIu5YIqzVqms9uKNYNw=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
deleted file mode 100644
index 4f860bc..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
deleted file mode 100644
index c7cf185..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIERyXk+8ULCgCAggA
-MBQGCCqGSIb3DQMHBAhUeao9yOi6uwSCAoDMyMGii0I2y8CvM8SrY9tRx+Zt8WsP
-vhEWhI1kbzWpZUdS1URWGZZz6oS33GnvUDmN1fZC3V/k9OcknZvfv8UtHj6RhK3a
-dBgLVjEkFfqz2/4cOfha9FrRUJXXwW5JmnNhn3e8WZTvbtEt0e89n4jZWjWnkeoJ
-rySKWuPn9SKzwFdPh7ur8N2BfjvwxdAZ1uShnj/Umik8o5wJZUz/7w0nd7JpcsOE
-r9wC446li8t3owkm81z5jFTQW9SYZmT0ecICF1CRJgsp060TQzBeAKAM2skiOZXr
-ldQBUqZBrYV2ZZ3+bepLrmsgobxDzhiNrRXjs+8lO3TGerc6ZD496Xv5XSJF3QuF
-aUjWnaW2YX46nRWY60Bq3IhAbuAGF3YGvk4O/+n90Y4NUXj8mwLq8sFMlXKMyxLy
-fHBfWKpwTFgtdBO4nSPrn310+xiPSxU61WGMZkBlgv5X75xiX5ZYktUxVlktvr1Z
-+ZPeIMRzuoeK8J8iwzx1ADbOVPCAGnPuYbvUalGoGQkjCUEdL08XauaUdK0eDMTh
-5gh1amQg+PTb/ZmYAhaDjHsuzIIgfWtsfL+Xk9AsTimK/qwP6mQLT6Kb+PowX3mQ
-Tr4SkJH31Jp6mTxueoCtqPEC1BxhuDlqlTvmPdgIPCf4dbFtsEsSGbWRUYuZXgwg
-Qmhp6TC3YNPVtLusoCMwjXkUSxRhScAzb6RpEGJwL94grF1UvTfleTGfOppKxZdG
-yjzbJcUlcSCuw844HZDwHVzORQT3zxaguKuu/XcgINd5mU2STOopz3AkHhKLSFej
-UANon6Dke8NLp96JvX/NN8zqvauRHg/r7RgcSHQWRZpbAzX4bgsEX2Mc
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der
deleted file mode 100644
index 4d55a591..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem
deleted file mode 100644
index b47b5e8..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC1DBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIc1vbNC/8pHsCAggA
-MAwGCCqGSIb3DQIIBQAwFAYIKoZIhvcNAwcECLMkF/Djhb0fBIICgAg/jv44TuAQ
-yB+WMkHpvVS25ZLJabHUyHLS+vqhEkz2AqvJNETL/L6bIHRD1o4BJ8Fcrc339Bz+
-zuFHnK7JG0PzRKl9RcO/SY9lfLFNkXtyPxB6DtSXeYTV49NtAvWPV46LSBnMqnP5
-/Tkmk+sE3Lx+sBMqe/rpBeZM31fB9ShS9FgDGfE+ARvzcuQslYNazdT2KVeu+5Tp
-qSN1lhAW18Dwo3r1IpnhWGZ5r66TEEunhGI+mX9GdkDhhFiHHn3tUPiWSh9UAPH2
-W59/c7sY0Rn5AmqeHu6F2b99ScRaLhkt6aFNnBAcnrjHhqZJOl4UOR7OGL3WlNjN
-FXfCzJ3/+lA+NNEVWScb4xs6RNQRnJ9NHyfdSJuQQM/HXhaW1nSYoFS8nKDpenXA
-8hb3gbrGeB0MybmpGtiR4MhJD7FWnH0uQsA4dOrrx2XYaPUBZGtqzvrIDmzO6jv1
-ixmuSyw7nZSYqT554tPT97oBRPHhQVdz7fGBEqxrBNJR1cQjS35Q3oes6jarzTsu
-z8REC1QXZtgbWZvlm2m0iwKhQItqOfSnlNkL0IUJGUF8j3Ijz/fbNsfPOObpQCic
-ARz1Mnq9ZaDMrvMMpJHcMhYe3y75zuv9WODuPl9vNVc7KRRWgqVDmBHYZqHh4M2w
-T86WrEbnbNEHHPhXgSsaKYXvBD7zWocfQ3r2HEstHj9AmoqslxIDptqJv/8Lye9E
-kbv+d48oEkStDIfa032Ha95zsMp7BuvWStwnOG2q5sCexNpQdw3Mp7Y2oejVKRS8
-Vc/icnFu35VxZLq/vBEFEDjzbCQ0ayk+GKYWyAxW7gsmWtSWDskv0WaJ0cNj5u2L
-+BsyzY8Hw7s=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der
deleted file mode 100644
index 2ec275f..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem
deleted file mode 100644
index 9593454..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC1DBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI9ROEj7BZDIsCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECD8QzMKCoJNPBIICgG/g7EGQ8k7c
-5j0huNkV3WdtH4a3b5w3xD5mzGy2LoTaM+iLdatb7JSA63v5KmWwYI9WDqGsbAfE
-gApGcoAkXtb2FlnMOb1azjDHVkHkMGkINKD8LvwGEb5/eqW6Qk1GS6WH2q7IuruG
-y77wsxkk2gLJcdO8+k0aLMZTQ5lyTm3d2ap2f5QA78NGo0n9zJJs6JAWsoXfdMZk
-ShrYwJWaAYDlFVn3vne55mC54Omx1wCqNM+0kkTvbCS1U96FYNzbvIZe1gaULxAc
-GkRIan8Mo5da+2jI0GZf6w9S5E3f8zi7lltGlfmcN4bMZR3fGwpAdPx7oW9j0GVc
-162Dmn8SS9tgT2pWeDb1DjjabeSc5YzMIJpblMJM6KB4g2GpKhuWNtfHLIxR0M+7
-YTvmwE25L4Oq6bOzuM4lX8rp1fTqnOQDmXHIB7PO3w+kh2nxUwOoB/9nXNlkdUw6
-CbsKOr0MV98Ab8pTvwhZUm3UhHzONInDkHH5POHqqWc5XCfpW1fekUuOIkr3yPrt
-F1lY0KBMq6FMcMm/aZDAaM6rB2yLzfe8ErtA7zwkfb3j44bYFFjo3WiaaBUnpmps
-oAHdDqJMpsfs2sQeEa7jMb6dGUjlUU/3S+nf9cpQAH2spWbDMhM5Sewc9JpGDk4w
-6KD9ICHr+FgT0sF8hTbBZifxAeuXuaq6r3LGaYNs6EvADC3MzSNu0dt2ZK4i804O
-y3LSXX/5zVqSbmtQ6NW5oL0bAR4SP+QLCJtXYLI0n7WWJwesFokW3ZWgvOJe40gk
-9oNQ8DyBRlK8ier9K/nyS0VVo6QGxPAKr2Th960ekBWleHr4UGnTUFM/iuTuOTJu
-l6dmAeTEdaE=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der
deleted file mode 100644
index 106aa99..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem
deleted file mode 100644
index 3baddef..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC1DBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIwD3fpS8RxVkCAggA
-MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECOmyF+CEzwvIBIICgPFC3z4bUVPM
-EgLGuLP6CiDPSKuCx3VdAu5/G5WjjU+dDvEYDtOrVfbBpVhgGAYYuhXlI2bzoO2Z
-RPZLwmaVZMUUPqHjNZHND0BPsHnb54Lyw+xnhIvipYpt7m3+swL9JUzbK4bImhzD
-3UdVYaCwwnpnAcTy9gleqoQ2ikCX28Oc+bZ0VUUIX+KVbVOv3gNN4w5uTyUDRGgl
-AW2E2IKoNNW8oQzZYatdSMMb4Qu09HRevWpUkB//XGrCcC8aAwynxHrz7hSrJYbt
-SJVNsyl+djFRcKg8sudGUPua+mYWEecCs9/MVataWfpnT8hPtPUAQpyRpC9Yxa+c
-yYfl+7jHvJk54Lw92P9YAb5k0T57+G7Fpxi6MaXn6FAMqFHY2dJO7cxsg41qkF6A
-sc3nvcxAxj4gtCgV0d0vVLDjbgjcAevLbzOsJVDzB8y2i6V5l+2/ffV6DjjYO8Hb
-jVl6psDscX4VfX1zkEIyTF2P77luZ1gvXuFDw3+y+HpUAAE11vvFH1hmj7RR7uH+
-Y1Y7gUvUA9KSvIStsSzfdcQwaZTMNdfUNkPzKHMVZJNQ2KYkv8F4QSA7qpC07Kt9
-4iCj+D+8nMxS9s2xsZo3lgksB3srmn6ryQimEcLb/cFWbkTSGAah81UOIVtNJT1l
-Tmwv35rSTELD4YVWz7CHh9nE2JxeLg6WmtlzF5ALxi5L/grZUN8lx6jNeC8/O8fy
-twXR/LD1xmAn6wxcxraqnctBqzknpOP3Eize7pCDpOJR0Z1WaHvULez8G2CedEo2
-SvU8YqnJ44ceom2V3wDS4+005Xq3zKDY6xL2htnDHd2vOPstGLfHxEppNpjBqa9A
-qj22QdMCv58=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der
deleted file mode 100644
index cb158b5..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem
deleted file mode 100644
index 95d946b..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC1DBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQINtUwWQJ0GUACAggA
-MAwGCCqGSIb3DQILBQAwFAYIKoZIhvcNAwcECADq8lFajhVgBIICgJfbFYo4Pk6o
-m0FhCL1/6VwE8oNU8iRbzYLs+ZjpHDKKs72N97M6FkPgwYQmcLBiJgYDfk+otjIy
-Sv2QOklnEi8Vu22c+5P7UQxbobSf26hGgRlvue9xwBWylnBj9VwvgUAhbKUKJDW2
-lcUryZBQM9vX3cpeJUN7DsRFA0gyYjuoNTm1+Y1G4UqZcQUJyIVqSHA/dKpitnhR
-xRNP/IkkY4GxTE3VXSoOm9KecA72iAnBdzrO3yMx7PkWUotZolMXK//5eacginYw
-dSQIZDCnodaC0ugH/7QuKbe3UUyMt9b/a7Fx6c8CiR3xA1sJt0N9xGK0M1+JFBqr
-cewSxvF7I+IRRE6buo1S5rqzBTZFfGArvyklBKgC0UmSFu9B25HcQzrBEXMPneG7
-W736jjfwclwKwboCXt/gHJBM69Pf2Y/Otjf1HGFcly9D+P8SPq8dkBSp49Ua9RpH
-gtXpaBiNZ9Q3DIXMu1U9wLYhYJZQxU+FQHuO4wGR7h1KdSzZCg84E/T232qDr1Rf
-7vLo7OHsAtQGU1pZGGorlTcY8KKwdeyo9Qk31jIZf4DwLKu+Zk1zICHrE1kuwNVE
-5dcIIKA86Pu4iw2i91At2GJbGJku9j173rSL4IHV4ESUKKoHMH2ncBfjcTtjBXXj
-FyauFwU6qFo71WXRMGKZpZgRenK2Lyr8/e1g/nEbHDfqN9ntgDlJhqku6ROP1Jns
-WzqnWRquSk93p0xDMZAXxUZSmCzGlBr5xPhCOmHp7YWZrLmKVdWXM/6MFWpj5KeW
-raxqwtiL0gU5wkKUkIxvIrjp0PqtU2q2dzwoL0blAXKEqU4v1nMeW2qhY30qz/rT
-wu95SzZgh+Q=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der
deleted file mode 100644
index 6f1eac2..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
deleted file mode 100644
index 9ffa511..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIn5qnCAJVLccCAggA
-MBEGBSsOAwIHBAi4cuNF2wB86gSCAoCiwf84D3eyaesCJsiUCgk7bakku/Y10456
-CzrvLgneXNCbksRuCb8iFtYtiHQJcUkAko9B4uVh/3u+L9dNMnBAEEfdW8E+40WM
-tJZcX2f+FMZPaXNnGkS6mGRJc12tRmg+1wZTlKWrk1hHzEom3SpPHsIvz+aWlXUO
-Vq0mYp+CQIRC311E+lxCT2acamfgyxrNHZpafUq2GwK3NjS55jBg5DYcp5uhMOvd
-sPTh72+ZXZq8qn6dqu//RD3L13px9GGsdFPcwT0BPdpKYLkJfdAXRY002DpjAU9R
-k3LVxl0O9Z9VDzjnwyJ1qSjmo+Ejz4WsDfwT2oLGrn+6UenTsHxAE2MXmC+mm4r1
-CJ6vdkgw4PTJGxgwVoXaskfzCyz5LjW3oyEQAQn0DHZ1kVS1s+pFSQo05S7wfjjR
-KcYwfkMjiTHzWQ5LQmt8/a7GdKSJNEi1I9cs3M/HjlUa3U/KOYrdYlQGp1eD7N5p
-mFqc16EdWaPjtVEZWWgprjLFA1SmqAnBtah9xSOHCOmqxbiUiUa1tQExglVYJfTT
-cy6HRMBEP4yflxPrONYiHFLigBrb+Er0IRx93BjxGXWOriPytiYWG/idjP10Rmmy
-3michch8jBYL+fGNiZs/sbK6+UVfHbAv5lMNvNVuntlnnCJkobBTdUww2YJKAamb
-m/URTp8k1xKenzCfc/oqj2zl0j/vxr5jsv30JL8ryHzsUKYnhy3aoFNpknyM6Kid
-UAaQtYX11+5tvnI+uKxzjW4AYi45PmLTul+bN4Zb/CysfGbWPtv5fiyM1mvSlyj/
-fI98jOK5GM2bALc1cj/ThK6RNtsRwCGohp6RO3wSlmfBdYye7OLk
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der
deleted file mode 100644
index d29a1e6..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem
deleted file mode 100644
index 9fd035c..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC0TBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIoN4P/1fEZkUCAggA
-MAwGCCqGSIb3DQIIBQAwEQYFKw4DAgcECJntwhGUq6HXBIICgB4ql0o/M9lv7Px6
-DUZBn1QFddPrr0slxLK7CoR1gabr9FI91o+dpyejeLHF2VFUYY3F56Q7f0P0b6Fo
-+OekgX1ySvsM5EPGZBopXaAnAaoiYuZRSfiLeauHHCC/eJx5SH58pwqy0rY4j2ND
-U1dYB+AVsdpRVv/MOSn6MblqauywTo3rIleK8SsuywV7NqIDLb3CHWEkUQEHJoFB
-NfNb51u3GETcrYWf49V1WCbftPHj6YHlsfmUwivGCieAnNckJvUXa2TTXq+tWpO3
-8ar1cRHCFZSgx2chTgY+S5KoXcSmTp1ilNb0XADQYyWGVH3FUo1BBVk+iwNWM6vA
-d6yhtdAATsdaA8e26ehXsWDUV5OVxctgjX6NVem7hJJEmGxRLQIYfR1Z2bsJp/eG
-ZiweIIhsSMyKQI1jTBV10VwX8M2ovffHfAmtxbZKGVPVLnxW+ilBy6YMR6viZW/1
-EPVKeKjqlgZkhLVBNgu9WsIeP0I+RvNPMaRE8j028NW71WGdgwJ4Qb+Z3687Ob9q
-tgNwp32isZ0K99UX6fUj9sR+kEcF0yMaysE1PXJd56HNydftORdq9o0jetZadlE4
-WYEvIfUd6U4nHK6OcUsNVNLua0XB1hH+K1CcPgY6JV90apsE05fP6oncPwDQT25s
-8wzGpitug30N8CtH/fS+4WjJo5qa8To/JZibg3KhufeRMYKLyflfV0cp7nMtdbtd
-e1CI6KFhD+oBLzsSdG0BrwaSVfxsayQQGuz3FYx2NlcTRhgXeM13pmqmv/xoMYqE
-+BC0kiRhZ0yIh7Xpzg/FZNjbuQpQvqbYmlqFdKsz6YjeKcqvGMI9iav9nRA+ag3Q
-qUmDliI=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der
deleted file mode 100644
index 7f576bd..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem
deleted file mode 100644
index 22d39e3..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC0TBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIDhZ7Qmf2HYACAggA
-MAwGCCqGSIb3DQIJBQAwEQYFKw4DAgcECHj4bQ/zjLVVBIICgOZGVB9PiB/MTUYA
-HdiMnbJ3ackg1x5NBk4Jxlae/4WWBX9Cg6uGMA5CP6XlzhlFSDji+L7+OatW51/A
-0nREuJWAoAAlayQujwuXN5YWOHzlf8007IHzKQqGtRTjhgGSa5kddXzfYvqLVsdV
-MAb+8UZgc+6wO0Ag27rEWjvx4HKUzS03sqVqF/Rl22oK0VMbVWU12PqLMMBpL6BA
-19MKsKDe6yO4fRbipT3aJ0fv6RW6RESWAXc/9dG/P/0kEZXvi4OwR0dkT0s9m2D3
-7r9Z+0AK5uSRU/ftcYIf5ARvIOLltfNN0TUo58I+f7CTKCDLUQbEfDLsHNuGaAfA
-YRLyZukS1fppZiog/JtwGQsIWMChxE4SVThmYhqJ4mCUA3I2SXKSaS4TMAPrEJm4
-onOG2NSgHQWdf9cHNMHeGj4Ey+qgDHMYUC49ScsZQecdd395j5T0znIJk4ysawGr
-34vt8HIn6iCxp2ZbHzqLm1qeV2Lgme+G9IxJi9+UR+eL0BZdaCt6tdyF9/4HXXTz
-hrcHC7vFVVe1HnK4B2AzO2uitGE3aEodRertqJbafWyOfip6Agjbx/Eu5IDFFrCU
-KxgZxV4agc3/zjwmwapVEZdTr9pyP/6HBxIhhd0KEX9cVMauCcOA83U+iezBaZHS
-frP3GVqBs+CzCx4nIXiCRacc/pf6tec9nL7mbrUtT+lQoCOPcJKcUAZyW305+5Nq
-mGho5y6i+AsF1M1l/Ar2gUGMN9//VscombNMRFXUE2Q8yL5//gJRS1rN7U3w5dRI
-3Bk6pbMp+RlbtzeS2zA9cuLGWtxvdblYCo90p2iam8zqfDKEZ4dFfJlPZvRw2hot
-7BkFp/Q=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der
deleted file mode 100644
index 4445235..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem
deleted file mode 100644
index f8dbf40..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC0TBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIyjiH4pgiIocCAggA
-MAwGCCqGSIb3DQIKBQAwEQYFKw4DAgcECEdyE8cGZqBBBIICgIdIfRQNFFEOtqwL
-lB2vZybq9bcajUSLvYnl2q/E9Em2QzgmsEggebCdyRvPjNWfuoPIYO5ZQYhnU5YM
-V1uMIwAlg/6Jj8FVAMgZnaHyktx2usYCecTXXtfth0d+Q0EVqI2+nXZqUoiaORFs
-FsxHZTF9VHpv30edGR2wQ4cSUbRA7v7hMkpQVTLwNupHd327fike4dFqPV+irAPy
-YMV8SWxEicpB5wCqRqHIhtxv27XW0UK8Ki/GcpVO0PzS0vTJl2T79F/oMzo7ncb5
-rUvvq0xIfey0iCWbUfEuQrKS6WmAjKjTXJJnc2EuZVrG3PgDVOS/QO4VcHzXTS5r
-tHQ3uulMBQjZOjGTUbXn2MD7Z3oXjuKmyWamaporesEh1axNw45mgc0cHMB86UHc
-k+yChpETztRzdcJM5MRfhJOkDfU+8oD0QUHqi+0pEdqw6MPsFQewHQ801pZuWX5m
-fvDBFYYKtc3ujNRyB5yy6MusALEc4PhQT93sYR5k3jK7NzvN035syRf/Zu+LUJPO
-75x7Wmix0h6fes9Cv63en+PmBHVveLU+aSM6/wXoA+R0O7BSmUSI4PWb6PF5EIff
-Yqd0ZWNIJY+gC8ZwfteA/GW8Xi+DWxF43SeDUZKXCsVU7TXawuujtNyP+QOxxhBg
-ydIbM6/hQ62LhhQDmcCNlPh0qldvqbcvFrRjRKDXFDoI6F1z8gfMyAGTYAXPfyqQ
-BT93R1/RMRs+haLqUZJJwpaLjpQmd3AbmHe1mHfilbY1D3KzXOXfHlsDl5YAcBQg
-HpFaVulgHLrBus9ou5jgOpVnTizqDpv5YSW5gzjdZBPyF3s5jxLZfY11SdjOwVov
-h34eTTQ=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der
deleted file mode 100644
index 400aa5d..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem
deleted file mode 100644
index 12725ab..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIC0TBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIEfr61PLRSswCAggA
-MAwGCCqGSIb3DQILBQAwEQYFKw4DAgcECIis3kdV3MqyBIICgN8cVWWhMwix1YF1
-5atoT1U1EWGOUokVtb+oTlqJfMvnZeCHc6kYMwbWvTqga88AUhSssFL9WaXPb67a
-BlhYYkijNdOcu7m0V331RWdzxGAYHHv6Zb+43+/a3fx0hYwWsAKBLKnYXbxAckA1
-NSuItKnyrWCprvhelNLJRBY3aJG9EeqjIeh0MLFMbIhFJosnB7oMliYVu4DxnMNq
-JzWoiBHllgidjZm/vTTmfH9gL0ya6TwBgmj4gOvRu30P9wdBPxS7IZi0xj618SMm
-eOSVdRpuxvX4gzQ0TuWTzFIRdhCFx5fL366tVca/YZ+9qRO5oOqAucVKWZ5zcMVp
-yD1SOjMDP7x+3LBzIYAYb74kHol8ejIQM3IrO0nzANer5M/KWIRbXoDuyLzeiqrG
-FbzpL/kAQ37L7o+GS6gyYgN0lQoZxlgTt4t1+DCNAMWh4xmFTNJgXB6a846u6c41
-K4GQrwOXGAr0pYdNg44fB5fqw+594VKxHEa+7MpMvzos4wsISkrCjbFRVCuO78HY
-rwsD6pWtac02fg+8+a8cTmUXGkzoEKE80hTC0r1SO2w0RabyjTHxRQyZtcCgavkr
-E6Avbabq3GDdxT4IpTI6LiDKFaRUpxMnTyToTlGzsi7sjELHDqgOw4/PbTeNeyJH
-PPqoB71p9Djitpw0plUoO9MWQQPWB7ro3W0g+2lS1782wTk+9jWBDVdgDV8+FYJG
-cr4GxoADHFOt2viKf+7cq5ZP8HxvLfHF4kULslea2AM+3yTQ5TTAahCbGOPVJgaA
-tcqOZIGpIxk+aRceZRrKPerXRmZvRItbgZ+QUCw3kRxgzanOHB671jp+VORMFzJR
-jhpl0rs=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
deleted file mode 100644
index eda37aa..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
deleted file mode 100644
index 27cfe33..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZdITGAo/50oCAggA
-MBQGCCqGSIb3DQMHBAjfWCAUwMOuFQSCBMg/StIx8CULnYk9CXeG/+Eg19XVKIko
-tb3HTIgC09NBXDMPZw1C47MOSo1i7PDuwD/i5QduKpWPDQMWck3sjf43k6Q2daRz
-7+dYLU5loKNRZ7HiYuODSL15/nhzwFmhsuPFm03/SCQqWfp6FtZvSDDXHtzPG4LG
-v+OaVo5X5N/AqvP5cdB2g4q2l/MDtY+/m19XqzAAWvmvZjZxOJ+xLk1jzK+uSi0B
-X/E+TdESGIseVWu8FXm+4WNkvwO4pFjJByzcskazUqvWVgmErMUv2lTLnZVsjjT3
-oM1wY55zsgg4YDpv8tBj3X8A6EmM9Bx9C3qxerZH3Xw2quNOcRUx3VmZ50p46nNh
-Og9v0OQKZiD7Z++L9quZ8PSmjcgq959Cwh8r/EFxDHM78gSTxA68UJfNxPjmvxmh
-9GkI3lQSp8ZD4dFUUujUtI0QmB4xNU95FHLRQmg+L6i+6vEH6FaqyE1UB11y+lks
-1it70NkMZx+aR0yd1UgE7RVZxXolNLaq5hMXcS32P57dqzIcluKGMcpAmOM1uaGh
-Bwk3rNX8CFSX/QJ6QdZjy6k0+WxmQD1dJ5bc0+WMeuT8rpGpqSvwXyeaikagU6sH
-JFgaLmWewd5xY9/+WCe0nPKJ9UqSCQ6Hod0+2BiiDgnfDWeBD/E0gPcVV9sdMeWi
-aaiIGd/a2YxB5yW0oAIBBFnm5koTWeKW/K+LDWOE67S2qSxIfr1goFxIDbe1Y2Mv
-tDfWzTVp/GxTpIxKxobCiEBWrk4e8vUMp25Jjne4fW1+/bwIZBjirpgBO9w/fIXU
-LuEEZgEyczGgGulij/7P9XhyMFEPmr43LpOo0poFpRHjvBCFKZuxw/+PbxRhSqC1
-Ov0d32XlNzOqtklQv4XZc13AOKJGdRqw/h5GXud1a05sgUuwQqX09kDjQuJ6hm9Z
-ftWihbzSUxRg6UMz8ZPAAzl56pKYREfVV/UNJ9u1PFDg0peQDdl0pl7ql+Di1v76
-wGjf3JQ7Yy+zGkWfnvSHOWJs5Kyyj3Dkl8fJA/AwYUvsd1JdfXHYVR1vxg4vIyWr
-d6YU6ZmEtYE7EeYEkD0xeKOtkeEwgFcIAuv39J71Er3CDwsMKJapD7ZWPG0u6Ni0
-CF2a9igYN+mPAostcVm4wBIXam/wZgDxTYX4eXtuVVc3VIr+XU3G3WeS3KCgigSU
-FtluJri02JsoSsTvTxGfa7pjYgr2IXrSeQYPZ03ikGDa+wGNSJliNhE4LLbbOKFp
-SStTO7yEXaWpYH4mVWK6rulw8AHQC45t8XHtW3UU+o3eE4XL+dzCvqlEjBwJAQ2J
-2yymxc4GArd32dDEuHZEEYwpm22cX0aQ3yJw+rhGa0h72fpZEaOrCN0cdw6m1UaN
-porEH2oYOeR6SE5qdu6+PyHwqVNgdxby+dqbn1D3NfsBWg9BnqOgBWUgIGKmRKHD
-rmD03c/2yqInzEEzmSzlQPS0CP49o0A8pIAP/43GwflT1wtDw80DsGmgqIRiyWfp
-u5n0Ocu6UrKxLdlpv9hLHTMbvUZMiLOef7IK+K+Bxc5dXttPe7rtBNhzJp00by8q
-CxJc5tYWb1yjznACC6hOsoLyGAbF7S0iKzjea3KcqnJC27oB4iCFpHITFRtwG2R1
-+IQ=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der
deleted file mode 100644
index 56e17ea..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem
deleted file mode 100644
index 8ed6460..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIur3B1wRZWJ0CAggA
-MAwGCCqGSIb3DQIIBQAwFAYIKoZIhvcNAwcECEnKPmr6wiNuBIIEyKNZuEXIk0Eo
-AC7KnJWaEhSDsr4zte/uGDTeOGRVT6MreaWUH3i/zwHXsavEBsw9ksLYqxXsIeJ9
-jfbn24gxlnKC4NR/GyDaIUBnwGlCZKGxoteoXBDXbQTFGLeHKs0ABUqjLZaPKvNB
-qt9wQS+zQ8I6zSQyslUfcDr3CZNgHADdmDFiKisAmT1pbtBgPgzmxLNSmx9C1qwG
-ejuZ/SJ0YYAdRPkDh1p2yEiAIfRVFTgWcjltcd69yDk7huA/2VCxWJyVDCGrEnlm
-UJyybUcXXofneBp/g0J3njaIbIftmYIC+763EKD/dqVIRXVxrkHyYcvZ2nVNUT73
-Uflk+JuHIjTO4jHXiPcaPdAEPLeB2D3Geq5ISYOvTzOeurfD16Y9hrN3IHi9gedm
-JTcEPkAx2hcb19h74XlV5tcQ5ImsPgLRl0euODN07+nj14AFxCQhuoGx+Yj04NkK
-dV/l1rLsbmLiqr4n+y5ezGr0GJARVinLCBehptzxaipXPzRW71IQSddbtlSl1rz5
-Npv0HlwGgwTacv7T0ZdWncaw0VjxjXAwHBD82fCiuH3qZAXEa0M4drxROeIncart
-MIky9qIRjfImr3oh6GLxNBB3FEFFf+23CO+Qt3vrh0j8sVYn3cpbgHcqv0q4fca7
-Sq2okw4RjxcDHyLgWiR20tUkqJT8FYQr0u0Ay+LT2YVVO7+EQVqvlraQcOS4Fkfa
-Vnggn6sdyhWWCV1rab0v81qZYBvRoUK/ynICKCbXaJ8d1mirdNGgs3FxpVAiUPZ6
-LYZ21Uwtj9OoeEQ06GPKq60xHjUmTsNiEkh31AIlSAgdsN/0+pUiD6f1lCWfiLUi
-8MuFUDXqkqXAvnJW2/mKrLvcx7Ebm02rkNw7AdAnUnEx9BGxD1B0TVZtRid6mPSO
-kXv7adNyBH7qoI9vGGQ1ptNRcNxhxqgGgtfwI+0mV6P6G8BJMl8urZYN8aAC7dJX
-/k9EICTUcOU6nIyFFe8tk4kkcjdo9BNkgB4JjANT4ptR2w950tYVqDMHBm1eKPBC
-bL3SnDDm4Cplsy7zAdUPsCe7/Zk3K2SJwUj/lDUTDGCTtq4RplfDEBWb218XWgA6
-rHgi9/EFH3YCZM8EiE9Mnx9UafdnfKhk3tm3I5nKo56C54os/EKL8W+lhXYdK9dz
-peehTsjEQjF0/1OE0097XlCShP8E0bdluoFkD8mKYC7mGv0muJLuHdGMEaCKzKoS
-LBKpZNYdOu2wlFfCkf8zSWO4eZYKbSUL88AoEM7A/kquQsQnb80FkciPFazlF9lb
-ihxh3YD+TNH58zpYvqgOZkBflW4kKIYbyWOm+ARMq+eVph1aNKMdzeW7Gmf1Fab3
-SQmfuEBAfS8u5ghW3J57q8gSJSGB8bpYWAmNGGeQE2g8C6HTxJ34kU2HoFLo8a1/
-cqrExWl0/lkhwqc7PpvJbKIMxVOOXtVMrzG2XBCkfQSmtwwOqH1g6AZv+6sXyLZJ
-PmvQ+R/23+eDqp/lymz0G6F6B10pldgqt5FHYxGaVEp7GIx6L+GtI6G2qGxpHJA9
-x//r3gdd21Fd6y7qHYOLO4fEYAe2sN0mJVjxFLsg9AhCzfxKEHsit5LMdTkGFRG0
-XGP/QsVNcWJaYyaKTXaTCQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der
deleted file mode 100644
index 847de7a..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem
deleted file mode 100644
index 33a770e..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIv/X98EPvjcYCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECO5EBOummZrzBIIEyG+qrKhGE4TX
-ch9QUfLBhcklrpcd4xOF0FfwVfaO17gWAOp2Ukdm1MBof1fF2wU0hNG+dX+wIMhM
-/MFZWx5J0PLULmAe+m5rEVqRVY13Kxa5UJ8W4oglXVfeRkTvyuWr0Ov8E4wrh193
-jmGXA+jAjMZaAgHWZzmHDX0NwEeoitkFEXJc3tt7WAaq93/QmtTYKH5eoae17M1o
-yiSAxI1uNzHryPRt+6hp1z+sCAcniIe0fF6GrmkS9KcFzO99yehhrxyojiFPLSDr
-Cfv8mWY7nUSFAW5UBR6KA6Ggp27FyKXKc/k9fvZzASJzyjxG90FHyIEdxw5KsWU5
-NAAO+P2Da8aX2xctAnKxY78cFB9Iu5RSCGc92pp+G7OcdFUjXsYXr9KEX9s5bObh
-TuYGtepHEKLajFZ9JvhjQm/t2lYa0GGBNH5j1wwmfdIqZZR82mYgsgVVhyp8NC+Y
-Yw7K/rjZDgpQYSrUHGxlPYoxZwAHvbTHuTuGI3N3mS6kK4Y2NY0OLQOrVnFGNT57
-ER2LK2PDUrk3tqTwpIcRKIqeMRayqNQ9MUsjjQ+v+yPcbwbZ78Ci2niq4vclq+84
-tReLs/JBo4WHfdtFdzCnIqLVx2K6mjkaGL5q7tKYQoDjHxaU7Rp8cqy4d3EFovZr
-W15EZaFo70vsxN6Dkr7lkJdBbDbeQCdkTyL4sLimYKselKZZLUl/gKw2hCC8vfoU
-Jjs7td4IQ0vhBtVT46PUdLnvxcqpGoYBMiVNlGYowP0ugd2MHISFeMYytSSq4Kqn
-0OnbqG262WnuxXIufm86KTs9c/x1+ZTrAKrk6XarmbF8I7pB0jBjObZntGmZ05bF
-vJgRUDAx9sheNwPPiIM/7ttCDoxU1escT+u4l675FkHMhZDUSLSRqVNvGmt/ES2F
-c/dIq4iDGgG+MZP85S09ah5KKruDE7wvZdpA7NTWzSN/FL6JokU+GsaWGt32Hmia
-OK8F/CRtUfHFUjLIk/+v5wzqYWqI3LjorXQSV9pWmtahp1cLQ5Wba9vsPP/Wvi+2
-m7FyBEJtgKP813YOND5ZG+NndlkUahwditGJ2XtpS4sDhFyQ50oQm6vVY3nxlkyi
-7gcCE8xOI8ufFS7CBl12pFys5XS6htkmBbMSncOoNo7P1kuu/n+CcjCnWAY1iFsN
-OkYOKDZlRdkbish4JqTe0LdRV2CcpGmDoZkMqAo/gacweT1OswgxPZqRAlaakDsk
-0z+wy1wNgJlLF6Mhub1zT15e1Q+/wHUNsAcIRbEsq4vfSVn562/umqqVZleHUfoB
-tAKAAIwee5aNB8fBcUFCqiNPFGnyuJdEy2QCu/xiFQ4M5EGGApPOoQpSCu40X8kx
-tIsIihquALlL2nx7jPvBIpasKq9SRRg54VYp+5WQBVxUSAY9EsaRSuNrkTJTG88q
-4WO5rHW3WFZOwfU2LGvjhz7SY+9H7B/A5aRuTuU9BkVnm5w9WtkS5pHU24WJ34MY
-LESH1yE99OtvHuz5PwX1kcoYKdGnd6OeNkRLWl72GeTiU8bTJkB8SHx9Ol4kVTuH
-fPsY/ekPh0rSuhj7L0kCTPJqU0+Xfl3rqWAKlpXLFzMKyIEhu9kGgGRAr7kB9ACL
-ocX/IfJDcGRqP9cpBI04aA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der
deleted file mode 100644
index 5a7c60f..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem
deleted file mode 100644
index 0d1b587..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIYFcs8Uhn2poCAggA
-MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECKCBLl+C+3nCBIIEyEnIPlXdh1e3
-+cnyhX7dCRzR/NsygcRBJUPdwRUMAaOo/t+oZxFmHnblchxQ+pFoHrI9GVwg8uID
-meEHlzSSKt8kOTvJ3C148jRFJy61YH6k5GEN+z5ihS9uTszaXRUlEsGfP1/SzWY9
-ME+pX+0kwJ4az87mYKyNUwK4U5d65Ic30pvRJc4unvFtRz6wtwqU+EV283pXHfyc
-VNgQFjb1IPHEz/PSuE9p94mQvdIbVmuK2dRiMag/HcABvVhxzLldKyEHHhrHR0pa
-gc41+3HVjz0b6RPE24zNrxA9bU+1URGwlkIlh7Jpc/ZuYRj6LQ33xUdYZcMZw0b4
-pSFJcUgX+GUXLyWLqhIxxc+GIeL2Vt5G0ea5KEqxOvSj2bJV2/JA0KtmrcIjX5Kz
-d/9bAvxatcqIikVNVkQpUc1glKiIBfVrmyJ4XUlX9i5F3cgl18zrYUI4zPSBn8o5
-yxSfCuIMx+3zS4BiyugGNOclIbpLMjQuMrXxrt7S+QlXfdbXvyNfxa3qfqf7/P2k
-ykxl0z1bjvkck6XoFGXdb13isUEtY2NjujZKZe55BLGqr7FsIIQSTAHilwMpK+CV
-fA1EL4ck1+7FV+l8fJ0nN1Li1xOnDeAFuO2m91uibNMYPvRSoX9c+HQKXCdGfiuk
-5tfNaq8bbXeIJ/P8wTjMZqI2l6HZRuXvvmRHN2zZ4BSsT3+61xtvSTISEimDSm5T
-hYY583LG5lpFoOC0Y4EUw/ltmQpKW7AGkLg7SyC9oKvoeWM4c2t8HrL3iKPXtkwd
-A/iEfZTxzmR57u+ZMlbws0evPiZQml8voJnuT6qwbos7g7V/Pc3Rj+b84JZcI2Jz
-D89/VudIHfFDTXC/gcSRG4bd0glILJHT9FOCAlX5TEuRyeWasoVOV+m3Pi8vQM1u
-tCsjE9UdoIdhoI5j94VhzHApdD4fePcQW9DysYa2R10gWIZKUvhUHH3FWLR2X2gK
-Wiz5YkhEGXBRtDHd4cx8EM1bJMKwFyYXjXTPGfGlGiPt8b9u4F++IlsKcgGgPIvh
-2rIm4jHuN3LRRlFkJ5B0kuOOxZ6GBfxasS+Ix4DZoIfqZsGNI5Wu2ikGZOKxX7Ij
-G9RvcdpVV8C2Y+M9qI2+x93WAtQ+NRJo4/+gJ0O9bVUhjjAmIHu2bMtbvr9aPJhd
-OpB9VQxB3c5mEXkNOV52oOGnIGVjbJMb4e3/MRpWtTFVcX6r200Gn6Hn3MnWZXdd
-H7pOpAowTcTlFcbJ0WWjfZygj5HKKUOFzPYNnXKizjzQhF6yK0mphKFY+8tpFQqB
-mV/1HlWJTSsAmh/FN21B2qq+KRiwMdpzKIEKC47mK+dzzo1mrTqmExvbiaLG8upr
-KMb/lEnSCasiZKTh71J3+5vUE+Nw73rYNZcdh7fj+GBK9KJ3hdKwYc/9yyQx1Lua
-4aXnUM6vQAsV+OLYNQE8vXMRtuftbPbV9sqiBLPIc/0P2EJ9mbEye8FM+koHUCKo
-xtJe5SK36DMwAas6tjimouVgWTcAdbq9r8jQlCJ1WxXPUcCJdv6pFQUGKQ+34TMK
-uWOhErUNRdqel9DthU5ig5dZs2DqlzbRzWYosZc1B6Q4/nua2JiBi8IeqtPILr2a
-JYJ9DNzxn07lcFHiVgrJuA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der
deleted file mode 100644
index 51d4cb0..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem
deleted file mode 100644
index dd9897b..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI9z8gVJbtqxwCAggA
-MAwGCCqGSIb3DQILBQAwFAYIKoZIhvcNAwcECCQqQHRFeFdeBIIEyMJpY0A21GrC
-pKBL07F7zOyuFIdwQT2f0wnL6lPWvUg02M2jlHCLDYlciCeUhE9fHUDA67814lvM
-dlZ8KgCsp+2mqkoZB/hRvvS+ZdUqkwSI1J3Wt5hz4dKq0cebJWpDAcY/+031+zTU
-9iCshfsWAGdlcAIBZOEXDwejNfIayp5cFKvQqg7kmED+KN71QmSVmVyKafh5m0SC
-2Y3CoZTQ1982VImx4ZOfh+r86XNkrKLj3KYC1K6DR64Uwq2yLNoypTjdUig81ste
-Dhqm+0YXVN4dxXCLF4desKWxN9v78VmCuHvYkRyunj9Q43GVp51cMQfFRBLWIqnB
-OrT8k020lne0MxO1xju2sr3GWA4Wn6MLqrxSdfTq+P7ZYcSh2BchkDPslxi5gNPS
-Hv5o28rkVW/K34UQw72Kur5JGMRNwJpye2rSPUbtLKb0z81nPzJMP+BCl9DttTr2
-zDkkn/AFBRuKH0uWrKv+9f7FDu4hxsdFFnLcD6kWlX/V37b5tYAcy9Atd7lykw8F
-K8wAoYZHyzYaIR5otYV5XgjMcw+z9U+5t4ouXSYght88Y10Tq1IYnIx0I55KaV44
-uCdrptsKnXXWvIux8h8p/SUwvJOrECc/nYxyfS42diH3V3VGV78fw6n74nDOYnLK
-ruIASg92TXUp3Qd8xdoiqdTfx8ZCgNy0mmrYycrP3cUciAYURuKWjjdTN++fk2Vx
-Rw1KTFgTf0Z3dxEMIKDHHDiGUbO9cE8oEMWCv0YJ9n97suoIN3vOcifxG/93RE5M
-1xe91IEY494/DdgsMqb0D4T0G5rbFHnNY8bTDKIDpvZKzcbnm9vnxPi7Q1S1kkJG
-230apDz1Rln0AFO51SAVS8QoF5wP69cL9vrC5miVh3mwqkDVoHnLNpJrT1o/XcVR
-Jl1j1t9lgFNJhVTltTPza4FydXRe2ZBCNKpDci1jFtD8KYZGOCc+PQtJ0Wtcx4qJ
-KVGO52gUT+DSxmaKd+3RyG7MsDw1CPT8inHkACa2G+GGQvqukbjLppQDkvmUPkTa
-fEotMYqnlvqznwiWURl962lyRJJsxClC6Q9R7Pe7pxohsthIHgZFMMuECenUdhYj
-3TdqtKKdbShoF2SBnwYUVScH2VR2ZE8ZLlldNIA+WswG4x242NoemE76JC6DyUQN
-WaxFLL813TmiLYtRq1QZsiqCqr2jRBMJA4cdCt4jMZXpLd8heviNtcPmf6uEpHV6
-VBQmun8dCQAUeCHKsrkOLnAcnrIl9gPlyR6qVAI8tnfs4IezjnvAh7+cN8cQ1AZw
-xRvoAHJfR7GMT7Rp/GTLrSYU+swlnjrDLQ7DwZ6seOVyzmKo1zRjysQ7qF5m6ELp
-hlu6ED1/VZZw2kSbv6BVzYmWHCGnuyl/n9zXImMR9vcM/uTogjc/38F4zBlSyz78
-wHy4EWMn2jWyRYYFfwwLvrxmU1IHkNUKYfaM6qeq7F8R7cqbZhZ1cCrAGcIhPrPy
-ig7iEmTblRw+ARmY+cjUuJtbU/a38kEfCMIbKKnUg4vUnO6s2XCGG9TpmcLR1Ti/
-80tOsEuvg5ZJB3FFGHhSH1gDMAKQwCkcP4wbP/YhzBhq9WU24AA82RtOsFV4xjFV
-ptyV+PmEpJl0DpDeIv0I+w==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der
deleted file mode 100644
index c7c4c8d..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
deleted file mode 100644
index 50337f4..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFCzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIS9yo58mAF2wCAggA
-MBEGBSsOAwIHBAic2lQFfsyAzQSCBMgy5+fLYS4AjX8ayw5sJGpf75L+R8/AN0kK
-+nr9nJUz2agr+XWGvNBkjA6XOhcsSNRym7j72g3uRNoqVjdVWI4mn4wEo9f9gWgo
-asGoPKvar3WkxgBvADSPyK5u2hD81ebel2maPwkpn2kDEfsXyWTDWxqnAUFthOCB
-2cWNzjij1g3l6RI9ADSf6X5IbgTfdNiDfQw/D+pneJVMc2L0vCGk1yZiu9pva8M5
-pLSp8sUGgzDDe3cX/h87JL4vb9De8zFgZ7hCfFXmr53BnULPzKrBgRyD6YD+UOSe
-XFMYGNR6yCYTCJiOEJTn5i0FzoFor40lzF7aigSqh7YVl8tFLPEzH51yGBIGlfMJ
-rruY5CA+T7RGP/kIUGw7LftVOs46vNjyNjvt4yXby9Jk18+0EV7Drk+bNJR7ACpm
-ViLWVIvnNF30gqCBJdXa+gU1/yDjsprVy7QfT47iZ5cQ5zUzSJpjRDxt8c8aEgOv
-48TWjtbBiWo0UiEnF48rf8VN47gS/FUxsQ3x9payA0KZnMQfqqLn2QfvBG6TW4ku
-MIOQuCHrFxEEk+XRQ7PLcKctzCwm+Au2vR21pdgQSTupiFnOalAbazsKOYweMPds
-ScvwZpfBnKIE8O7vi//hOsIilw3T8S1RCogvqJcWBAjHSrfKsLqhTR+vsLqYZkGY
-tkdoy29he7uHd2tFoTo5E5zRR1cNjCmt4dEmVR2HZOQ+6FIvk1c/ry14KJEZPUyJ
-YrVeyH2h3sija4snUMlB76UsYDka6QS6P62StxR/T922gbJqmEC9yA3QeMvn1x14
-p8tZxy2+ClzjrieyX+B+8DYFQ3dhvX72eFm5X0pQxK5XIZFOHzEdrff2169/++B7
-C3smjwPfrkajiAbWQixwrBZiSh2KwPMuAPFohfTXE9O2fNYN8I2iLnoRho4MuG7B
-3jTy1b4aySyMnS3I0T4nQKJyIFxRjRg9ovPcUlsu5xmFXRiXI5NqMwboDVk8pZxv
-ChMH+EL9hNmatf5Mth3GzOSC1CIE/rg/+2SkPK3BrNGwFD49JuP2b+4mocVYCjrm
-L2yoZkNq+mOUkpnXI4O3uR1rtQfALBQm3PDroqtKQHn4tCpav5BKgzuLIFyrr67D
-B2vN3KAIIBrVp8luI4/Jf77hrFTF8DMWSN801ig4pg+T5pKKYyVZe1C57UMk94Jp
-RjEzrASBSnEZof3hMvciudp/u4EsxrGKwSUx+Vy3vztQ/F3HpisuodKSErDkO0Sy
-8ycWmR8q4eNRMYyTOhT3c/650msdRbZB2lelwTl+fqg9oIUJNX4Z6FmBVfAPRM0S
-QTSEJu1i28qpVYiRSmnAGLvGETNWJnwXXKaOtoIpmX5kneEDOQ8ZCJHcigYENB25
-9SVdOP22DMJzivmwWdRvKqG4XHKgOT6t0oJ1LUNm/fB4KMoABMzfLjrslzJWSCDV
-CMNYSuZE0oMRVpj2VaDZxet8DQ0+rTJ+BszVJXXsaV3DLWXg8Iv9in/X3bQvZJLf
-ZHSEanldcmtrOY0K8jufh8Fk8XjD494a6t+vI8G/8oGWY4rDkBFG+seBNsnG9hDz
-wOBw/2fpHqwNz1FPDfwn/SBfIAuyLUsxe/w+KpOb91jXi48ifx64fzb4jr0Jm98=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der
deleted file mode 100644
index 40026f9..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem
deleted file mode 100644
index af4c413..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFGTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQI/++dnhs4VZYCAggA
-MAwGCCqGSIb3DQIIBQAwEQYFKw4DAgcECI5DLMkayM1pBIIEyEJHtZlUPIPn6DB6
-Z017kFJdaF29AqSatT5tukN862+b+0bGwoda5aR5lr4edgmmwMhR+1pTewsWyZK1
-xCYHwn0Jna1HXKRLfsoNdKCFPyvJkx9OdbNfop2uqbS/vrsriMKMloKV1KXUGqCI
-zZ7BVEgfgH4hZu7cX5HH0tMw2/CzrC5OjMhFq/OyRe4retfACxN34WVAqMM4/N0S
-S0ciNYR4C3vKu5+Nfk4R3GGMmmz1WejkYH0QMXFtq9IU8vbMUhAaBXIo7xwkAbQA
-UJF5lurXLJELCIR1KQVEjfYCXViH2ZbhAZuk2BV0B8qIKhh9GhvL+y2nporiEhN4
-ddE7PdAmZPgi9vJ34+jY8E2UiXpXDkSr/8LpLRVQ/UISttARVkW49cOQ7oOV9hOB
-R+0K9fyZWAJI7cZQSsuIPSO5DwDkXclWUFYaa9C0BcHRaz8ACkHu2vSF94LwG1th
-WBvVvm9kTqznq2tNoAk18b4RKN2nVUkfhBJeR2GaJhzsshnpTo356kYNKpSUIm+S
-4bg087Zovrsf0C+49mr+9uGNbDQ2EfG2BJ31faBJ4bwRNata7l3FvqlMLBFJEpUf
-l2EIlr4qX9wfF9OnkmT0gGuuxwB9njCpe7XHbvjmvKalo9s9iP1z5rd9f6UPzDQh
-XdV9pooBusM2Z/VjkrUxRdyurlewD+UQn2MLiRF7t4Rgx5+4g6nooIQlcV49JhEP
-4Of5uDkWzHQ4G6TbffU/sd7THcwTp5wTot0BT2IPuP6qgLFRSQYwx5zplraVfTOm
-GmXD8Y0I8DP3bymMVSuJWFQrSL/8X5b3snOhzF1J9o21NqetXY+YkGIZPfL80jUm
-7ZRSsjz7A4M3MGhsD2i/gwGAUdkJ0kacdnBYCZjfvhEiMtyJhrtpRDT7pSFHCN4z
-jCok/m94d+mPXcI7dSCfQ+4FUSMXDX6IKv7ivsoJ8wqI3YiR9cHdK+EZLWPKb0xE
-I9Y1H93K9pQFlew3U7TzoFEJcee0JHlyM7JGShPQP/mPEoPsHTRoGjYwYp8OHEol
-GAjRutyMS5/pEL3zqT0nWsr8rEEwtm8tpPKuMclPt/p2LCpVBVgTpuVF/Hfnr8Ab
-teL2bpC/D0W0OOOMU3MlfU822vlm1gC5Yh+I/+b3jsgd4xH84PZUBGDLO5+Wrslw
-f5BPuO/DHADonB+DeGqwSFol7zxqYWufdI1jb1YE5pWV7dO2e0vTD7463o6V907+
-Zfc4k7h5ohS/W+RGQDBM5lplssWcOPK5Rx8LpP/vXHFp6+EPnGJTFBg6I4fUYAZK
-HbJAnLkjWjfy7F4AEBkx8jBjYyDqNx3r4WLMU5ds06C5nzG0usTpAtoJk6k3G/Hr
-l/jMr/za+6TrtXyNBDGpZohgxP0wT4+hAMyLGymYnSWFlRVkkf0BANbtcJBszbAZ
-EvNvJaCecjVw2ZsnLo+rapA5V87wR6Rzpc5Yh6IxLQs/pNOcl8S9HhC+EzwcErLk
-J1LB5piJy64kLmzxC/wmJYvR5hY8GjMU8Q8cHOD5SVk0B87SOCt9LHuskl8j5/3/
-tLEjJ4T6nHSf8swXl4B2e0td8/5Cf6mnyqiuOyQK1yGhMjXbi6taYaxb2fNHBV68
-d6QDbGs8iCwGsp6ssw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der
deleted file mode 100644
index e25b4fb..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem
deleted file mode 100644
index 717d3ff..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFGTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIkkRHl74lgxACAggA
-MAwGCCqGSIb3DQIJBQAwEQYFKw4DAgcECAGUDJYAr+n6BIIEyOthlgMNgyfjvQd8
-ZqQYF52juYrlvEdk/NY2xlEfa7NKUdEBS6jvL0lHOaCcn0dRbykqs+Do9yiWsW2A
-cQ5BLrie7C/IeZSaF90Dh90QUe/aFvE/1fBjwuSdLj6Rf12MRXxtyCJb0WkStrUB
-Rgb6ReGUiUVz7fJu0ePZeNKqVtCa+LDenaUaqo82L7y05KLoQP+qrQb94UK2B6IS
-xUSORehQZnf6dpoXHMS5CFCv4Lw/C2VusBIZnAhEVWm3MljxMycOJz27YMLXiczj
-H//rm8BhZQ5X2jYTvo8S0BPgRXPnxasvIAYLbAFvK3KP0umX7THVoYsXpwBgphS3
-penm9HExXsyYLNbefq9jPL4LlatNDi2LAg1QOr30jxGC73xESbYsM1WYIB24RSNL
-ZKyhINxxsqcSkvuce5dtShWXkqD7P0nUNzygT1uSD4AJEKOaDL/YtA4dsTt/LCT7
-Ct8w9TR2+QkQdxgZri1S9+jSmPQgcg0BobPMncysTjTyC59Oh9KPcJCThR4BXitz
-cvocqt1CsiKiMGR51xHfMs+p06DwTTz2LRYiLdXco72D57O4lixOk5LqXF0qiBfV
-mN7LTqBIvuYiK9aEBZ53HRRurAhrOWBJ/UxM/VYi+lyCAUBhRu9XI02g0HA2UrlX
-9RnuB/a44Ce5mgQWdEYdQIkI7JB0Kj05ktWdiXeLCPtTG0ytfQ0Cv/EwbWCG2tu6
-PEEmayz3KqMR/Av9jqsnk2qU7kKqR7hySMfoTuaMGpjcxCpj3Lg6Tmo0Nrvn5svc
-NNChDlrgwyp4dX5ub1bwYYzibG8x23+fKKkil7NqZ3gqZ5ecmgX5XiU6VdBCz2kJ
-k1xGGiyt89+gDdmoc+HyjRTJgfChZWiI6EhV3LZOnMa0ZUpQiM4lmq0SlQ78zSmY
-ZyqG9dSEFWg6BMrOUpZbuY63wjvrxSHrHLAbCTlI9BRkFhmfwiyJ90FfMBUjBt6w
-yCPW2r5aFPIhngNS3EayJKhAwchGHN2XdfeDj9GFhWZAIQsXS8R7JuGDIug7+QMj
-WL77m1jy0K4PiGf3lt7PVy8KOqbiOHyzYQsuAuuMD7NZdV4+dVzznTe3HbXLWtxj
-itPFNuSudfFBotAWDV2yOF4B7XbcTw4CEGv9bVJoGatJdaubzidUHPJUozWYQX8K
-cw0LqdR8yxMtHOc9FYyawLbQMzcMzt/lijS75iO+vspT9TYXxf9rC5yX8xlSHHa0
-jlgvjnTDyEsrUnGHk9kNe906GV42YDO9MUJPvUmlv6/bAKA5iWX2+Jo5rwIWk6sg
-vW33g7NPMn0I0pwzaWDaLd1XNP3JpjODwkL/5n9F2x1+LsbPpuk48DOnXQi7MV0J
-2ZWSSxZltTLpObG8mI4dWrh5DXeswJIIta4ki1lSyFLu+hMY+PUVozyd6GVd4T0o
-cVepNU1rHqxvsLHVkMsixypHpZwnkQigrE8EYeuMZQKPq7luHwh1AkTASr3SJF0/
-uztq0vmtn/0+lg7rI0pW+oFAlscmcRMrcOCLaX/TkvgX1JvO5lspIjP6IdaXsYNJ
-14GImtXxQaPgAtWJ48o/AzF8KPez98DfnmpXKBM0K/kK5OGuxHvNCJ3eTDYS6X8I
-Sj6Qf6Z9cjwB2xRFkw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der
deleted file mode 100644
index 6674c48..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem
deleted file mode 100644
index 3c4c1d0..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFGTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQI8Cw9Sk5zfxMCAggA
-MAwGCCqGSIb3DQIKBQAwEQYFKw4DAgcECC+kVvp/AVLmBIIEyBFjgh+mM2+bo+8t
-sT+q+rntFVzZUpz4PtOqLCipiJluD20C18qg9Hy69npCFR/Lnw6UvYvCNL/YO9An
-Hm54eFCf5cPGxgRBmvxGroKg3LFyKQz7yDmLmUdrJ8XgdNcWBO0y5gcYaEhTpim9
-qZYC3rhleQY3Lx+C889/1k4kcC7PSmAi3BTZ/npnB9x/Kr4tYTtcd50WDP4fIfa4
-ROBGuvtmor2caSINPxHk+SetW55npIKhkQFGQM9o8MOGWvmTY0iLd0iIabCngKqS
-WHc1Fd3rCWAOZ+Sx1BP/uSi8iKQRONa1M8e7FkAtOI3T8qfF89k8G8VLzkyBSdnr
-jJFpohITjzIBV0d6oOApTSmHDWgtyrwKftg1kDyJZc79CgOAo2pVuDrWXmi9rphj
-IyJ+EK3f+SPD/X3wMabpdn5rwF1qRJ19IhJewzveiV8drQdlZAeES1qlxePQBmHY
-mTzl3vQ7DkElwzVJyzMHll6o3viHvROeQO80nXMIfzFd8ShXwfYOGfNB4k6fqduq
-BVj7s7lyWRHI7iP0ruVwit3tlFKzU5yQLqbUNk6HOuGs8R9IeWIV6/LXusvbPl5e
-n4N4ImkAX5JpP1KOjmLJZygHRsL6FMC8a3KgUAcqYoqrsukn7HC4By0PIERaD+z4
-NrVsaN4YGQyVdFosNUQqqjz9mB8JsL9zuT0KM6opskznD8gjT+vyT9A+UQDHv1be
-8M5Pp8Yf+kLlL/r4j3Bujk9QDhbwlNxH475TtqbAGZKw/oeGk3oxIMT/Eb4ike0/
-vQm4xkPYpPgGGVsneirnuxddqjWR9X70f19hPjmDD8EiI95QY+ibTdtDuHPO1bjn
-yWT4kzXsafQ6msOVPD5OncodbuiUzie85B3hebuVbDIMfQx5lyH1LjEByaxF/Afy
-pvalyLdVsDjUlqWM1qrx6gBbgQtJotwZWYdWv77vH/iPWuuwhpRXsWDcwRtIEaT/
-JFcGgGuoMeiZt4wwv21Mysxcg7p/wVBj9ZZ5qzVmNDb40lpFnL77LpF2oic0ymeh
-kOuz9u2C03F1tL4rCoN/wG3nGXzbKDNG2esHGVFHtopVTlLf2wumM/yo57xdDGe3
-IhhpyrEO9fSsP3z2thkJG0BMcy0lU/O4w3lV93IGZICDqBx7F9+H3UzpN6EW7TIy
-YvVgZogye6/KN3+nYKYBGK15l1jciQk3vD5zowwKtMa1sMnfOycKi+MOZV9gk2AT
-w4Zpr0nHZMgmH1rYrT1plRbnz1712dx5xjrZ0FIwR63xg0MkCWSIl1eiJCnXDGtv
-rUU46vuOS0TfS0Ax6ZneNOARvSE/WrSh9d6d2GyLBRFhrP/QHY3K/bfRhu3OB/qr
-GdSsOwBYE6SHQ6P8kAyW+8WfBWOU+rwDweJB51tTf1ZaaQpvM3TUoGCW8+8lveqj
-zecdMa6ETnTyfxT1rXOjE7qRpYgdhyb6f72RvjMffpIwSIcGqvYrx/fdUlT5ytVL
-2vNb1qnk/DxCF0cDm2OBY5tLbXwU0zw6hZeU2Etk1DzeQv6iwza4b9aftmJfuoZx
-D+pcrGCQ7e5I5g7Jznwv5e27ANMTW4DXK60kj4iElUZ/qPdHuu/AwUJCOGshtbsX
-1Sg132S1caBKWrVDjg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der
deleted file mode 100644
index 2275254..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem
deleted file mode 100644
index 15521d4..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFGTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIzK6kx/qbJD8CAggA
-MAwGCCqGSIb3DQILBQAwEQYFKw4DAgcECD74OAvJ1+LsBIIEyOekZ0qcxeX6hEYZ
-4ONCHu41tmOKSvByGeUBZvenjJQ48AgTGYUXNoYri1ohnbQ3bcqiP0TUDfT4zRcQ
-ZFZLuzAtwV8ZfZcYRCQ7kKxGfkciZJhjeHeuBy3moEbznzg9TEPCVzoOD+k3f6+W
-7/bSycV7jk89CdaWU3FKU/W/RLZarpm99Uzat0Ecc2KOa/TckNTBvD9Ysj2j3D7Y
-UmdmfUGORvwQhJG0mwv7OpkLFbFbYBehWp8/Fk5izJVdJs+77c2qiQvgeend1D41
-ZUBKtbKCoc3Inp83cSkl2XonncCUxBKLiWHAzZxhPiIHwZXGXHjCOUqbs/sXEogs
-3HT5PHVQjqPGIbl5B8NYetelB1h1Udq4Py1VZqjLhZFH8q2SnjRxC9to4bXaiW9N
-451NL5S8bJrcaun6E5cD74p32F8IOjR2Ojr3ofEFHQFVUFlLPY3gQ+IZs34hQBNR
-QY75ffQDykZPBpLw0hIJkr1LoYfuEMdN0tPRRxYVO1lKAW0xbOAd0UEslFcsyXCY
-oUnQP50nVpG44TI6bNfLj5y07EyMFo6vB/XiDXh9/Az8jIfsPeYOGIVMYFSnourw
-3cjTPFrJnEQd8CHxjLLnB3ZeXIo4l03hZBy+qFOIF2Ezke0fmRtjO+OUVm8lAy2Z
-J1wSTThBlsWX2/JOzh7kiWDipX0fN8sTGeepazxI8nNANX7ALcxwuLrjvPOmTxfX
-ElpwebOvCxonwWR0C1gyZ0feOI8kh0dKwe0xi2fqxCwxWzPxN3EQZ+FtoUdtzPoF
-7QRBFERPefUpO6214t1PgJMWvLjjCsOFy4tnF46nWI/r1XLOQlLP5cwAIXZlnSXz
-ky6YqPm2OniXq5XqvyLOMy1RoLINJY1dhgBXFtC5I1ZQAmGJGmX9IxVjrRky9kKt
-362X98edUUMMmW48L8RcyYOOVLpFewAmU/fr3qoUDjusOtC8O66J/V4vjI3G8Ve9
-kNLiPxQqbyfHHdbC2Pp6rXZXcl7L5FW/fc2YaZRqCuFpuGXZQ+SKrMXKY8oLa4tL
-Emf4isvdlRQjuveXoebxPsoG9Ww3pz3nl7NQ40cnSxb1zxm/heQmAczPE0faDsOi
-pGAQP7jAefh2XwJ6RWRqzyuA3bDWC7E4ASYODIJ1IAogMMOlg940hlmCXZ/8993C
-aTncCQO10ibemZsWvD/X2+gL3LSgBi2Q6NjHqj4MPAe6yAOA2USc1GzwSW4WEpIg
-+ttJpKZFnnnxzCfUU+pTz2ONGV7J5a50BiRLgslPawm0lbYl2BvjbSZJul9oqqy/
-7FI5Jy83OaHrqyMSRNKZbkPWy58zrhQNaiUaCrLE3C+hzj1k9BXrWm39AQM7olnp
-T0yi7pivXYEff0/d8tClqQAzy0DnKEW58xQODxhFkZm70X0HkUABD3QObHb2DSjG
-PE1XV9pXP/3pci+SFznuvn0p6CN3l+rIXW+pb6O4KW65go0LTo1evIuKTFjVtZyf
-KqbgDrdu/Fd0KJJy7S2cg/i02x7TfcSJE8C3EDyyESpGegE8XAH2NEltO1yt0+/z
-26d06Hr2livL87yVpzW8b4H1SlifZmPhy082InF65W1w4hAmmsWARfPmZUG0LWoG
-6zRPj13ojxpLPr8kyw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
deleted file mode 100644
index bca2ff8..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
deleted file mode 100644
index c5113e7..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIRkUpAqxZvr4CAggA
-MBQGCCqGSIb3DQMHBAjFyO62L4EIxwSCCUgDa+4NxmT4wXuKjxhe0+FV2qY41npE
-e6jBLdDQuqtSlB4M9A+AVtKWi1sncYzV8FLtPofX25HCciByddYaxsYFtVdmaY1p
-ckl9kBU2JIEZ9kvfBxcuHEVeesbvws4hJMO3ADf5CPS+vivEpYt4W6VUANZJTGwD
-jA3QBIjSdJlC4ievdcxOn0mUc8Y7X+RMmAhEV778vQoTMaoYKOpAa5aQsL5eN392
-GRexE5rzhI+jSctBnGL1t8IhUbceBnLjAIDRyNrQFnDypzAMrV/Wqtvf3H8o7m/G
-3YGSuGa4LbR32PAkT9MrZLIoaKBGxPu64UvxfBFm5RIubtrIgpQXHo5m84Jpwef4
-fD/0argZoh1DSlP/LMJ2s/Rhz6fM4bXohtpPJCqo55FLxjhfBrA180SNXwOWbUtp
-wsR5qIhy78REHGHjm7ClQBvy7zr20yFJn0+XGFF58W2+GTKstOg6o+L64Ad5byei
-VE0SxPhFUamiY2HGmLpBdbl7Rb5El57GJY6cDl9JRgLPoVZf0eYzScv58n1oLT4p
-jHkLZgi7RkoLf9SAyR+Pq8dg+j7b7KLVy3fgIPJxmqERm8kqU4KKs1G5oSmD0wI3
-YVWCB9knPTU7VFnvBvDxmD+02uY5lcKCHIllLSZNWJFjtsYU6MJcLC+6dBDHokF5
-76/h5g7oe++YJjut759NqxeKWpXyJLbHgPT9W0+Q2bODItERHF2d3abGDuo4oY/I
-28+ihesssWEfkRx4s7wY8KkbsT6FCXfR4uTxuYYeygsmN7F6rQhM97ErGeH9LtmW
-JNq6A/RCZaA4rYiAUzpIFZ8x61EhoQtuSgs8EBJo2W7JSJc35zaMFb6oL0Qqkq3w
-rMHlBXlTlf0phppJQxrEPqfCPfqdtAJVLk1SxpfW2RgQH0Gbl/VYbK3Fdu2kdnYA
-my3uuOqT5k5vG2rdBkvIZWMqB97CWQNBZmiV8hUYjqIJ4HipCY3ZTtnXIipQVS8M
-lnVFc+7nSTkzAQ5/RrTBAguiD+b4CvY0H+CVIp5FgaMuo2BaviqqLN8Nx2fUvCGl
-7KsXhWjztJgKPbLubUu2UcmOh4QaTrFQ7Lb+/yt3HHzaUWLV/I4hdOgH3VNdTDbh
-Y6+55ayW/gXzODhI21bDWRBa6RCyffRtYx+4fccpAz4mz58ho7QyvOoKnVzb6Len
-EAAAPJctuwMbY+thu2mBOICn+fni/AMTqTggY37Mk4BAi0641F/6RkujGlz9/2FA
-GFifDO/VSWO9OprlmYCr0HuuGdMaHB+VTEj5j+cwpJ5imUhQHaN1Q3masJmD+sdH
-27Du/O164hIdblbvUsS+9v3l+EgMbHqC61RQbBuNzs/1slxTz7uO61a5Snu8XYWP
-pibxyCaGznvyunCZGTiWuHNYR8OnEJAM4O/wU4ThCzb+fxKDMchs1LG0ptw54L/B
-86oMiScXlkCbdl9fjPRuHTuWBqFDm0Lz77POyXzJFpre2XDbQeSQyTzZFeAOFeGy
-P4mrLDMvxsrUU8U3EGeQtTvdiFjNS3Ba6k/VN7qjkBcETQHEmmOnO7EVDn9csybm
-q+voR7JpokjD2YKCp2MwUUO+rjuTl8LYxUPrmpofY0yH2c+0OqHA6txszkEXgGbz
-oXrgFKZqSM+kFGpaRCIPjkulCdC6IB9i0Qu8w1hCMVUPIN5HFoCkP+JC5jzdz08p
-s8m2ZgkVmcZQCmtq0IaRQH2nPS1n2V2dbEd12r4exfxXiiU7GZ42jszfopEhF2wl
-GCIjc/joTLGZ2M28tGVFDIg+kuCLiB/C97Uf3WGDTmDfqOY2aBfHcJ97rCHIyxpH
-ZVnn94IBvanuoA1DZvEs8tmG4dG/QPhstTVcYZg9wALzOURXZix2zRJca937sEoO
-PpVXOj5509lrQwOtbizl3zUcJNT9GJBYWQTpceNVY/1JhB6EKfnZ+Am+qVD8/rjg
-1ei/jndWOmX628CGuqhCPT7VUnC/0H4oIvYnf+QJlNqv6sbhStw/VPNpMzDiOhnN
-Kl/1aGktHth+IFdzTpmqFbRIxLkvvrAzjxLRGfOnH2N5V+sWBudq6PsQ38QbpdEd
-WlF37Xdq74wpQKmX165eE10hd42DJkDORPUycpVTr3y0zDVUjnu5Bo2xi2AZqBoH
-aylv9hae26ZYLzp2RmAQFkEFxcpuqUvuJq4MtCxmvXivttrBRqaFmBKojxJyOOon
-JQQo6aiof1Zd3inx7Prao/aWI77R/vdaS/j1IWqyOFu5BMi3tkdL7yAxLq/e5cbX
-KF+bJAvKvdjV48cPyMQ4i+SiJQtFBEj5l7ynrJ2XaOCh2jhxwyLJHG9/qGU5dF0M
-YuD4OY8gTxZDpi1jTU5Q6WUqaQBTUrLQqWXEhDLhyHe+f1mqb6IfAfrW8X/Kbp19
-KeOmyOESPIrfz75yG/nQ3IpEk4ufOmNwA9kXYveZOYtFNfZJcjYMIlC37ypg8+Ly
-dzvLpx8xuOplz8aMHtNLojkKKoKpc4KYZ+QZzj9FOB6r0mvc9Sqj2A3xFgntnZal
-soJwZmaonKT3kRQxDZ3woU+JDfw2Sdg0Fb0jWvoyPcYdnQoExR7uF9Q9O262oAPg
-r8g5UNtcKXpGz1x2/IfVNUQwIQfmz1Slty61ed7l+qNcd51jK9RAW8HGbx8Blukn
-izE152He9hrM6XhO3h3WaSw7qx7//5n+VNV0yqp3rQnQDr6V+zcfjgRiNWITXkHg
-a2Xvju81h5zT/RJD9jon3PBg88effiBF01UD+DxENNsJ2WKtc70HvhRgZoI6/e5b
-04YX6HBLSwdbUCLoiXFbXDFtRE0Krmba0tU/i0eRgzUipPDrQQUNt/6x3a7Ks48A
-OC3/EDfcCYzu12W9h0TR09YlfiNJnalxGSU2CgzdxWhXvqxu5lfswIgj6c759RnD
-v6676NRTlS6J+wn4S0ShNon1D/9siAGkLbhRKBc9TjRhxSGwHLRFYSbRD0ql0RLZ
-/8kIlsKSmX/wJo1k9g3MwEN+SddRkbFZwjgZy4vgTQhrH6r4WQzCUXcO9F1i4Acw
-rnMmV9fUJ/IZ22snbGny6yaBa5T9RcvPpCW81PXeFBZo0cK9xrs0t5eRqwmyKTpF
-FpldzwRoyFRjDnGVACMo/X1eaCwvew+1M8fcSs1p+qrBfrfRiI4tg8bNrYdL/0u1
-RoE=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der
deleted file mode 100644
index 52ac321..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem
deleted file mode 100644
index 37ef346..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIRl88LFEpd/kCAggA
-MAwGCCqGSIb3DQIIBQAwFAYIKoZIhvcNAwcECO5zuB7UfA1kBIIJSKsBzUEGcl3o
-O0otMlmavjyeS8Py3hGQwvLZBLE/8F2Tuo/aUbijUfE6nhKCwCozqAEqIm3VGsqI
-Vl0lEsKpH//6vsvGCB2ZXd92nfVW8zJcCWAn6wCK6tjozH/l/M6z1cSXSEppvmZ1
-O3fmzghYUunK62isvZskV2K7mn+O6jhunSiWqkTBrUzno+jFF58RrMv+M/7SWH3P
-e8brU6OcovgcecbrLW3t5Ui4AJWftphU99ZohlMF/7j15Et6rx6OpHmTKFGabeQU
-vK27rZ1fziUHNebWG8nWlwPlAZyspT5w7uOH4YLfOYKbwem80ZVOiDMF1Vh3MvKj
-5duWTxAVYPt01+k+rM8hO8oILZgwIqfTOB1/kf4HWpV/Zn/87jC8jqj6xlO7O9wm
-CnB6NRSc1+qcpRJrqKGz6jVGgmVs3ZYWbLS3z2ZnEEemnfCH7lat4m0C2tSZ5D3p
-tBSkLONHj1lu0PSjiC+Qmfovgh8QWduZ9uFzviuwLaWpHyOKlIQzqSv8i1TPnaBY
-QROHQR5rHL40RJN0Exnt32wxz/h6DVCQOJ69ZRI6WAxC1PL5gZVrLXzr9E2ClmNO
-D4TCOwKACDjybF5SfQk8FFJ7hK03DrFaQ2apqkG+VfbdtWpbge+D8n7+KCm1l8Eo
-3RNBh67yKDVNvjTwaV3irkCq3R4sTKlwV4R7mjKcLXDFes50pXKWG+cPlO03Rdso
-YgKdt2a/yFcNYm8n1Mo2VW5m1Zb7jNvoWGnr5uMALeEQYvywvFyH7p71agpsXwBS
-EBHj7Cu10yQ66SVaiQEhxul+rZTEZ+XwmmEEvQaNaqrhS1pn2FX2rtZzDhguZZlZ
-20tsZWqT+4ekXWJ/kua/ur5g32GU9y5zz6r+dw8g+SMVZHHI6etqwRHfnQbjKqLh
-lPo+hrqh81gzYUPD1CzqQj1wFNLjaPw+vxqoRSL82rRMgvc9q9km5J5pQ4cBx//D
-Ath7L0UjEFg3Lpf5BmFwSapIJyX9eLnZelayw+K6FWbKxf/QfqqcHJuThAS4Mvg/
-nuunYjGr+co/7F/Y6T9++JfoXwRXJwtrYh46ZPCZh6uqrWJdtCkFthNjLkKDqbiL
-VGAObkZkc0/uaXrNmpBDjs6bHtayLcsegbJQ9lUUvSds/khmcrGvpi4BMDSRjmSP
-cm++WHJxytP0w7NyA34lmHYZf0d6jC486UB3dW2pATKhhckzBcInzmtO+QtnTZ8o
-gK1U97ergh0faxVDRhLt8M0Eeab2HtZLENpJfmyK5TN3V6jdXm9dNTrFhdzAAk9A
-FkyIcFvn9lziTRaVGLg52g+V6Dgj1Hnn8FmCbr5UcF7fn4TYN+XV6jc0Iqem2UiK
-rZgOyAUE5sZhDNO5g28wTk4J5tGNHWvl+aDXf73x/PGeI+136KC9BLk5kZZGFAxu
-bOusu46mI4dgWzivdKXWAfKZ27g8SdP7hMe3meFOewMESSgZrUkW53UypOP76RaW
-r45E5T5GNsa+xVyhBl5wSebw3DhrbJ3/Uw2YezrqN/Jtu+t9vO/AvnR6CxlSp2HI
-CBrFCVZaBNiWKGeHrC7GM9fNzfGpzxmB3bDvKOElttfoM+aapD5nHacjaC0w5nJM
-AR91RYOhqIuv5tVH+hqiOf8YDjSE3eQMJfsSVRyxSnxt/lSsaHgqqSsO5vRbGids
-/eRnXOgRhRzyG1p5RX+1MmihPsjyBAzLYgSQv4SxlVqLWu1I4jK5MR5qGPLEw+b6
-CxVVU6pPIRYgRHx5BaXEzgw0aiSJANpg47mH/SVyOot8WKDkzL5+GJ2zHfTjyjrc
-uWdTCK5zvBw1xIF6mKFmpy+prG/nXxMcEKMufIc1OtBABbhIUWOdPNUwe0RkI33C
-5EalHbVdavZUjz0EcQW/PQbYzxf0RD7u2uxRMhnSzjwGpvlI6JpQNihUMPXKBRlH
-Q/fQtj5CBapvYy6NI1p6QSKKHOonAPOXoZjHDgktKd/EThwSuWwgQl4KJG2dm2mG
-rDNqLwR6RGow9rfFRCQtFSsqV6W0Ws+JFKJYSuTXIRVNYLUiA8hldy6tu3fYkRpE
-Y3T+iR38E03QyHs77FLA0hDjJJNYrk9s5RLkHNsHfA9XuZqplcMBJEI4ABxHtiLK
-9PIULkHmHTzdHyNuQifnGHgUdn/ABOaqypgiJF8I8Ijthg9Jnb80qsnHPSCTZEWY
-6TNeUN7H6zkyQKthRmhWj153YqR/9YP9FtZJ6zq2X/lz6Tn/a7y6eg5djvj4yLea
-QBUWdFV4YMw5w4FtosVI2VQyal5y3UDsKU2zfRPtBpK8MCjereTnZ6NXJHLSp2ih
-CFdJrMlV/uifHHC3BV4w0VcOqqsg1Js4jDH4bVYsLJpGfrAtOKukLQU4TbEdGRNm
-PNgc/ZHAHCnst5ZoOXNI/z7ioznJL+xEj4YyBME6qE4oBOSzixjIFcnMAWTYs3s+
-N9PKIbi58j+FJxIobg+CW1/0POI93cNYkf+DaVn/lEXW/+8GCCoCvEQw//XLgbiS
-pORzGPw6dwtF9Bh/fA42beaiKOtYNYLa0O2fI2Y8HjUHU278jOkQy3MMD1/FlpVX
-4hS6mpnTLyv200vQz2MdHMDTdhG3ZGdeIiGoj09ixMEIZ3AUMhT1KuRgGyD9AEv8
-4nwe0vpXXKHkJMjPDFRO/pncpqttGAtOk7lZWIJol32+kX54my/Csw1FIcL464Rb
-XKwoajCCEwdk3HZmb0vcbJf9hOyt8dq/gKjAWRJhYVazZT/WXETu3oPMgagw7skr
-GqXdiAgCIRr5p096wpdVP9z3Wx92wW3IM3obiT6gtE1tU9J+pesGRefWcg4juoM/
-yWBFWflQgn6MplFUtu8BTTR/8rIWpoCgqGUFLehAshEWrctQXpKEMiy32KiZX3dl
-gYgu+JauYEPU93XZXYsqlwKLylvMvQSBcqM5O3PT1QI3pl+mPzh9gtN5ngS5t0JP
-ey0uyuPz1OXIANflAqBA893PXjWigm3D3f6yPluwgZYkCucXud2maN5RzsIGWnH2
-cuNfCLpqPup89ZvruEMWL10AYQe18LaXx5At5bPB/c7RmW/XD/XtsWtiVcDttW3M
-z7fhXBH89iS883zLmiU3UN+aso2nOevWkPVobKAq2DwCXU2+FosY4B244BRfBZjm
-UBjk3M7hAwb/9PuoNrLUsg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der
deleted file mode 100644
index fdf2ed2..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem
deleted file mode 100644
index c3c0635..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI/PTNX5reUuICAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECNepsPdfwKiMBIIJSHRy7kOzfWTH
-O9Lp0TcHFXh2dkB3d9v8HDTquWY5brLGRVquXKEJo7DOK3MY/0Kaq3/s2hmwsAtG
-XzsC7nKuYfeAaL/vC4065g8LWxXoCczkwLyJ8wl+i5lB9UYZO7UQ17ZQOvQquvYA
-KKqe+IxFBJP7QLpI+iSYh6RGoqltU2CVW6rnVpA6mB1J5fR/w913bfkq/F8eLD3k
-HIiUvKf71zu9YZNX1eMo4kCQJh5gV83D0oXo18RRe7uzcBq9ZVs90oKSuMKArqKp
-+yiawCBmzUU8NVelWfpfdTAxRDgIj+5EzLd/Y94MHeie0GCPk8V4uDuoqnT8z9mG
-IQPRe1x5IYpK+/6hcvEj3SSJlW7WVOkKxQfaTTxNVhXaSnfCwIUfHO+gYvGjN0HX
-6P9gF9+LNlnHRA0dCdHpGFlvw/N5TZ/rmFmzqxLGmuLfocbVmYG5t2lZtBb7oEnl
-D3Yx7tk2GtKg5uWXCLN1tGf22syzyLsNuHoUFLce8QzIgW8MJbeTu29vBTV7YJRY
-akmJDkl1SX8GmkbemxN7jSRGQD0c8vHjnGdVevoc4z011gL+bEhzJu+dGlbpzLB2
-VGmhptvc0iTHFHVzeYJhvRfdG60lB7P1/XbTUVmZ5bPsrW+FgGNr0Vs670csFXIS
-khTIC15Ey3kvyuB9BNoYE2l/kKyd1FeHqS+ISHriG2KGHO44Bak62Ol10DBv1/ks
-YV0/3AQes39hoxGSqrTXxAoJDa3kttRz4/7lyrTCjRZoB66FD/q+hV93rzBBwPCU
-PWva8LxcsYmF3VAIIudxfW68CuV8oq8p8+pJ1JjdZ8uyr8j+YuuX60o0vHRQAr6v
-n4/zph9ssbThv22pN64MbGkZGpfC1r/8SXqMdmEu8mjvwLiC+S6+CDdUkZB1jPYa
-JX6oEcextSvIivTlMC3AAff1ZZLDjotlchu/Ky3/ugu9oNC6zhzPWug69aUctumO
-ahXbhAOjswkTjBp0TPvsIIylTNDwWNEfB9q16Tfj3I0d3VKCZOaJM7iDll/rM8M/
-AWBJ0L4dDuhvsM2TjMzJ8p4JXaxfX9OjgR1+cuRe2YzQPUDBeOt+mz2SCjgOCW6j
-r1k76ilGmUD1JQby8T8MScSp9H2zi3RIuaDVJwHMPu5KooUR8eF7w4cTqsS0FhdI
-n91M+o0TDcOzOjmDj0vH2tP2HPMlqMOHUut+Tm0J9flTtxQoAlftPq3bXhFjT7Wp
-ry8JPZuzQDUMdQvi2+J4yXnc0+ElWAdSkaqpEpkOekgY0lTj3W/+GuxPPPqAxLF5
-GaZ5fCLFJF/ioQ55J3cnChfZRXrlQw08zsQiLdCyFq4Tnbx6Hmgt48jKhPddvxhu
-b/StlvaRV+UaMdlnl3Mr3DwWjwIVgOEe8/c6T0TA7rhlh2muoO4dT1t42stGQZAy
-rB5PoKJwLtzoyQKdk+LCvgrrdLmIQmK0AB14OhEAoWwnOyz9XZ7QM7Zi2j/msZXj
-ipmzwdxn2+Zfl4g83dn3pXy0+X8MugcXLUfgRtNEk6ZAk8P1PaQZtiOT2DS+Khuj
-WvnalHKoNYSeOfq1MJJkZ5kG6wriJewXtyRZtyXolTW0WbKNpcs/EtHbPxCceONe
-CcYPPXnnQQ4Fwl8jNxUUs9vO2uLXOs4yKPkwgX7KBmGIlYLBjM1isNhi88fVXBvd
-RTLFblxlnRHhjQmBQaLdkWwR7hN3TwdcxtobaRw7w7A3Pg76ktY+Y1jAuqu3HqTi
-q+k7dicH29LFKs/ry5dAFJPgpG9EHPVemS/PIMKHp0wRLlHmP5+LvdRgSNKLUoyy
-wlz+aZJXKobk5MIcLRZRAm7KF/hHfwldLMybrzobwwteTl8MtvQYpHc1cqAFtqEd
-V49YwFCX0SNQLOcdJZyRoltcftiINsnoTzOKDN4y4NaHpU69lO8AA9TUx1UyH83o
-jGUGAtAHQwUwmwygr+NRzq+1OHGA1JKLLfdwGKct2SY2smicjnOOgjF/x0wiSwyo
-HjuARsdR0pc9ancPQ0KnD/6eqc2AcHXiCFi/xu7rCTwsmO5crSXRL1U/5CF8K29g
-olCXV8cS6X7gqyARQMHXWN0Qx4vN6TqT7vuzLaaiC8cYiiKvDo63GPyT6qRZ5uY4
-u05ZLr18xzRM4hjUbxZaDyefOkL1DE9CO3rJDGX6njSLh3IxSNQVXNh6lu0Tx8CC
-HA1S3a8eR9Da/tBD8PLwaQ0xvpHHQWsdX58Nb3AFu+W+ee4NFq0ZrPqlhLpSOGRn
-bW+U25YFdIMsO41VhafsFKSd+/l7VwJqOSZzMgxLEr3p9ASFBbuzQeDVWr0kMYum
-+Wf6ISkwu/s7hpnMibSACV3x1Fawwie8vH8zH6rg1aw2AITfb5RuIdA3h0uX7r/o
-6MTUEgy21T14z/KPDfhJ5jP6ZNuVzpQJGgQfAsJzPKVZg2DramRvgSvdLw+/LB7J
-FedNAXSgdeSJyLiwy9glD+1dWVj7gc0cj+HBQzAwSMdwoX5E7Rk7UX0O0S7y1+Q6
-w+Gd8yxl4NDaM/5PH9TSKC5oroPot4qH+oTUw/y32Kl5TXfJvWHaKDcluIQyB+4Z
-ABvuEaxz3NR3yI5Xe+KDtprRtfI9IK8p0tFVYpZfFUULzjK+JGKi8g1CcDnqIM+S
-1HdSJP/qsMMlb1iL619nXhWqO/hcVZvIffhYzKZJFAurqcEkc393zxnxkiA1ZaY4
-1sCBLnQWsmLeSKQ3rmzr4iPlG34Is5GsuV57s6w6NvmU11BTFh91psdpJ0iQLJm0
-jrUvZCTShcaV+lAGkqvnx5AIbPdZYSec6/J7J0OpmSypEfXITXO0Ihr8c7LMzPmL
-AIHef/8cqJqJnM0pIZcptrdya3OTItfjZbOJ39Zkm+Vs0h6rpkpn5sfTBPONYti+
-JnB9yq6lWqo2wW4p9pyE5XXWcABMeq0uPoGXrZPY9It/aPB9RUCxID020Ehz7J1B
-Y4yZjEx3Vii+LAg+AykB/0FL1Xe4SIn1/ShmEzan2wPxt3oNdCF5+6t/hgU1z+zE
-hwpGnZfL8aMTSk4U2q1SJs3MQk9BlTmbKsOvajN+Cj8ZLa0X2oHjEV4o5Qc4Ggs5
-EZ/BJxGBwOFWkN41XE2DUW5E4Kq3AYShVAqmq24KIh1rOxrXebzEdn9+Jt+VWz4s
-WqDsuRKobaoDpFFCQBLvQA==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der
deleted file mode 100644
index 5dec3c8..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem
deleted file mode 100644
index 1fa0d7f..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIVgqE2qHcvS0CAggA
-MAwGCCqGSIb3DQIKBQAwFAYIKoZIhvcNAwcECGKk4ACuW0MdBIIJSHQF+Aj8c5X/
-6jHvWF+R+49XZYsWssnwBFbEIPJVTNUN6qMedRUhWMmMGDpkvJNIDxvRgTfRaypg
-rp1/Cdn+Mow/dQhLnwNSf3rUJ5caonLMhQZJOu1yCxUfKJ6sPiOBKDNs7LDoXmca
-98O8Ivlwd6kM+ThKzyB5BVoRAjF/TLa4RWBxhVdCYb6wmKnrn4T/r9jT218T8kMg
-uZBkH8CUEE85GaLAhDSfCGSgidXPkqrUaYWhcUjv3N82+nHnnJy0enKppFFEYgCv
-WvwIR0Ay0eWJfC4JSQXgPOX8+CLI8epHEUXnqp8e1tmG2WZAmOXZLbUvENRTkviV
-ZmQQ/OE77gvQer/sZ0ZU1oMuUshQrWVzMiItACsMAgbywM3psdBemXK79jqB7/Fm
-r4QVHGb8w7dNJ0cLbM4ytVuV8JbrVSbDlRZgtvGbBQtA5fJK+aGrJ9Dgxo0o7oZg
-nI5Yvrj1UmjWfHOWL6SpKKUih00bcbzgXgFzt69186wdznVvdkNqjI9RORHhumtQ
-VlgsR+5xVCo/RZ/UOYtLRRxF1MHSoUa7l7UAq17ZpNNaN8Yv4ndrp+8VO2UrIDXE
-Sr8shbltIUFO3KbYB4rBpT8m0DCxYANDMMiQQvNq3CVaUwxboiaj6lPG+Vlzx880
-6UiZRwNLvjLlUPv7UfIiB8m7CfcQ3ngpiKVxqgi9vubgQx1/ify1PNijhZh40K5/
-qvMto38iojhCudgQbeCAH8judkbWoaL0v3jMhXC+hROaizAEDzR4iWLTpblCD6sE
-yo+1+jcpmtJzux9bi1sgOSIzU5dYPe8k3Lti612BNVTPbwAva9REF/dovML1TWog
-y4IZHDyfK3p9VF9ZZ6xiiijp9pkBB0PuksGns4+14HAEyNj9lrIc8kZgSedWVu7J
-E63z514VZLiHxj4LC9U5AHTwT5Qh1WKt5YJaNn7CpZXg0fdK3AznqHfzziO0s6jk
-XFwrIzsG+zNPSYie5Avhsb9IYsAhm7j0anuEHyGS4Of8KEGIgPgzGHMfd40hOjkA
-tOCzqRmF/ir6IO/7c8wiSyoSa/YHkzHB9hgPvpkqbOPelARzMqD9z1nnpklPyJJI
-ssRgcSoE13/IhfLjbIpXCUGG9dIAwOIWddRWrw4bmoZWZaUwA/zxGfesQRGD3BzG
-X9fCFPx1oAwBha1/VnujQRxtMZTj0WgxlFWWKMyB4z+TGP8R78roJZr+nwRIoJv2
-yE/1VK8Qs1lXlKRO4MdTVJ26DeKuyFYfLwY6bSSDBMX00/H/mrnT2GS8nHQRelnz
-CfD90GIiSfcKcDq3c6Zn8LE3sG21rfFpww+YDwtvtbU441PB84KEix6R3HJrCeBc
-QKj8cA7rnE2E3qTd4vjfl5sWB4Dnbic5ft6/+cdyWahik68xQLhO+EnMSHPO/0G6
-uJAFdRHV5LIestOGWzXpnNvvdi4Lum7aZVWYYwKHIHofBRFrgXaHMqh1qyMSpJDV
-A9uKe2ZBvBEm9kwMqIMjECE/Irv1JTxUKwdzq2Ri1btNRQwy6ftFAeKZWrVtC4tr
-q+RhXrEkFmERjL7mSNASoYL0zeVKvzMre24S9lZvTIEqtli7MgkVz0ocw+FAs3Ir
-J9ti3Tm7qW7l3fab6D0/fF+Hs4VfDXGFlkCf09iFs3IXz9j6E0nPdUp1sy8tz75I
-c+vq7A8b6eT1s8ZZRPKiqcLDEE8gnQFcWG39+nF8q+cXPCCDqq3iKq7IdUxEyzkr
-eubINvE2Fjm5Jow2KbuR5J+xbbuG7p9FDcjpjn23halDyliRUf9JF4gi1PwA4RwC
-JVUV/akKRtm2bpVTeNPbN394LWmp/he+tjH/zjc8dmfxYM83v4+fDHPo4KBMwz4V
-dZ9Lj+XKuh8EZynO3abtDmjWbR8fFmUZ+R7Wg6pFlv4e0NXWPxsobXO8wa5fRWxW
-LEoJPcV7B5HmPFL9nQInhJdU/kZx4QpndHl00w9UMpgVpf5lWbRCCxLemVyVE35V
-iQAfpsvZBRmGIpaijwY885yMWhbr9wkya+u5FQwgUFcmE9WqlRdHnTR3IDQbcwZM
-RsBldIuxhReW2UcksSs3k7SeiEkIv9x8dI5ICCL2mmDvdFierH4GAQnLgCBbndI4
-AuWzFxBPalxDCtPghHM6xkv1no20iYmnAdDC2I0EfRaHAnYj43QHpi+mfUgGaOPb
-cQQUI7VPECOlR0w04Wz+Bkbecf90aULctkEOnHW0AaILW4hQRrww4TaIHyWEg86K
-At3wtHA5NnfZJEioEVdzpNspRDgtCDcaXMLE2RJIS155w/A3CRta03Jc04ypCdqA
-4LXCa/Lgk/bWzTVATQxVeeix36wNjXO5e9QotUP4qEDf3ASHw3cnDMM5TtM4SQp2
-KQkUK+wNutiliOml8sltGmomcPBQb///i5XOqE9C/IBLO9xHu+BwoaiKjOo9NGed
-cYx90Lja35E1jU/m9oMe863WSmE2frptxttUtVhqnL8CYiic4IMQ8pV61+GusdCy
-Xg5rh1uVdwOQ3MBNHz3yNV0p5zfHCOgDFcfOqu6A6bym+7Xlbe484sPYAde9onUL
-MTsKHye3sMmyZite2iMBMeiGU83OofXOyk5mX0fOhAhXoC5kVpyCslhPPmOnCFwj
-1j2SEdsDiUuBX2Sd7TmNd+PK1GXAnjKxUDIky0lLZVSD1u470az0B2RwtsU44Bld
-4w+E2sArnIj3HbnsiiZhKmiFkPVM3HTTypS939683/ltJh/e5jHxELkknp4Cryn0
-qvdIdnR7u4SvQH1HBYWRLDGNfdGsEKyzTRZmk/1Va6b3Z80Bf6EUmJEKQrbhNz3D
-OTPxrT7TAhO8EEPmzFveUQCtwUXpyg+Rk9NA2WMPkSB+Ie4SQukqo51mx53mtOkX
-zRKvbJjsNUQ5N/MbRMy6Ie7S1FmBYYLtsmGMGXnm0t98LhOME9hVoqgPvcfTG3J3
-jHTZ4vghJDKmasDS0Wd96sM4sbw1DJts+8YmUIqs5Zijgy+30nVbo7aTEtRqIEu0
-eKSuHsHgkUsmoaQ4EQTPgboQMcehjH3tAL3sQnmxrqrGXi5hzaoddAT/lCzXTyx1
-C1TTWXAVNESWnJ2qqv4YHfnbHwQORRcfdtzVwFBAfEtWEvko1xTm0JG/kFX1Hhxn
-ytLnH0e5Bl4+Jc72C7FDAQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der
deleted file mode 100644
index 71f125c..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem
deleted file mode 100644
index 194a895..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIoWPVdNPvfTECAggA
-MAwGCCqGSIb3DQILBQAwFAYIKoZIhvcNAwcECLYc1CA1Gf4IBIIJSG4dPOE6vprB
-zPJLrO1hdLj3za2tdK/QlDbqMScFUC2mXq5cJ9rwwa7AyKtL0U4Q1O07Vw5GB92L
-FVbY4hIRC0XtutCwhqlr0kUaIqH/IjyY6jy62Keu5KYYvkjPMFBkYBQD1UA/BT48
-+yIPH/RSXbpKU6z1KaW9FiEtPoXfw7kxyXHIglAEQtPaN+aeEvpuDiRAN38SU8Ci
-j+Ub7spft4D7X5oARaAgQCNuhO7Lr9FD4OuxhurWoiFb7NJPuwTr35PK6wWYfjwC
-kpd4iRCAhi4cl1z0ZofSmTyS21lz7uc3xJy6ztVMqOo52mIr3lFHatpC75/c0L3d
-Cwcz0UNvkMOR1u1Z5iZhoqsFaysrKeddM/6iBWP2osuz7lTZ7z95hgksBF1wnPSh
-5goSu7ZVbYnsn3WZGVQyDKbCcz2BzPj/RLzSYwjrr48h0ROj1acvZTdfFVioiiKg
-t0w97W5h6DgnDZO0/yiN5Q/GLD+Laizawu2HD8e8dlkaMCD3rEl4RL7iigh4Co+F
-8Raw+UPma/rdHX1mZttnk/bkOrpNVcrEL+ZxmQFn5it0Vn+U75sNHem3c4A+Hhzj
-JaQtCPwChYTb8AZmNw/vFrKkUtNpMILHB/1sBHS7TIo0sEXJwWDEtrPLJDLvhojv
-JIIpGQmoCqDHZpsYLGqI/kHtWRl3jAXGmVlqkt+QgjbkDxxr7kSBAcqEouuFcKKa
-m2My3XxGMJrOP8iWuWpZx1p77oQcpIoIvnF06eq66x1H1oJaqYTgn4W/WBd7qScv
-ILCTh3ceWYCh5Co/S+MonwqM2Ppc7JWIVinnrpduFWbuvvB/sugrjEoSAFNh+cqT
-jTxM8+1tAVv7xyuOdFbR3TgiUeEfsK6E1+1Y6YKsqtiXpYN9PMpaLg+Gbw4+5esx
-z4Mn2JSsYSejohhSZikrUMHE3Z8RgxMn2WkQ3hMNjaFetD45xUTla2v5yRgYd7yr
-AQK7Chej4wtLx6yi5sTaiebxrrAunL4jBe2JpBeYg3J2dJjjPDr9Ym+YSSoc3s90
-+yplLoPxszvMfFaEAKrBI2lm3kemij7chtzSNAnkW/x02yxKcgwriNGHppojUQR6
-j4Bf9kvfZX1opyA/JSysGRDj99FHop4E4lHriwFNWMfoYj63BKluQFfmsCOptokf
-9W/nAw+XTSFu9ojlXTSPtlyn3jPsSflYtO3UjMJsm9DHuRA/ZLpQ7Q11pOvI0hqj
-XfLuQ4dhDTHpFE7Lfla4tOwz/lAOSqeuqUfYKqa9heH/LlpUBbsAQM+XSLqh2cVE
-M5FXvRTcqdU9yJlMVo5+Asq5iK1cb18e3BSgAaHloJ3UaxiOaR8Ad26ryZsjAQXk
-vKlqGQ2nvYmn7i9z7hYcVZRbXnDYsyA7tFHSYLTDUlOjtC4YjdmnAjRojezRHUoz
-l1bceyBUGSKASMF08fHdMu3U1ffvze/GYr+uj5XyR4gZn1w2lkVYCC0GWAYuwdD/
-4xVR1qxDb1trdui+FNS/ET6FzlMtHHEO9f/veEPV8hsIgAouUVncN0bW0GKS0Fsp
-N72r3bNHfv8tE9W5HPF+/ATh6zD0InHqOyX2wc51wFWnSWdC00DluZl5KS5wPi3S
-MsLsRK6STboeOXgr8MhsmASGX1yUBWEs/G6jLAUDexM3FCQgYWCgCdPnMKvtesXn
-3qOhdi6On1BPqvATyXndyQ4D2SLYv1mJ6CLTPO7PTyuCWobL9Is+S+D923+CpuI+
-1POOKOLgex8sflOa4bSkpWo36JvQOOp6dXYJ+5IUlA1MZphgtKzInz+WYar2hdHR
-o6fuGzdne79XZrKSveK9L0r3H3h4n5JEZ9A6cd8bDAiYQp6w5yl7vXU7P0NL9HwR
-XiSGHaoHlRIOr4wbIqNTnX681hq62S8dPtajukz8QOhgOox/gLULgTpSDMXhTN1q
-NV/Bft6+lU9+PC0Dye3YesJWykuQFt2hM3Og4eWB9Ha/ACsGmzbgTAMtNLCD0Mud
-m2DYCO/GpUDL6dDHJDzB2qBao5zSq+zoeYpP7d9Qs4amVxFwenLPf90BI0IV+D8N
-0kh6rh9e1j/rmPv1qKzj2WvTqdBWmqOZvU5TBwAozeRI58JoSRiQLs1DfZ9o6V2H
-bRvmVxdPHTryevrFqL8jEMypBNgB+A9x5VzhnD3y1z7rxKr4+7WW3Yu60EP5irVa
-EjoKBE2hoGCuFfLGJn4xkpOzjN12SVGzL8NfXRtbkC8IBsOr13njFLNVLwzy7EwA
-LFM9QN04KV6Z9AEX8d92NqT7w/9Su2ZgFe5aPTlPW/23uwL4o41U+FFrZU53/Pyu
-e3vNy1AAh4INqP0urpy9Gnp4LP/u/AwrbdzmvJt8yjnKk03AaKNjNgFuprdplvqY
-9TUFlr7sCf/TQ4w3BTZYI1VQNrduur5FwZblI9Q6obGunMPy3IYGeV6CcCchYkXp
-u9vbe4hFFrsPlpOz5DHZT/5gI0g1ZYFJq+H73Ku78syDrWHiTGYJinj1s+Aceiak
-J0sId66GMtunyojveJOUwfxliIKXUn37TqH8HLjEYk09Uy1yXBZVLaMhXIShGMs2
-aSL3nXv2KmGDGSFTBto1R69DPsHsb/oVDLUwgF5xyZFum2UE+D17mCK1RMczsWFz
-+RIHc5SYwipdn1jBfJa/r3Gg7l7bM6/Fy2oAdrhcdB2oPV9cXF/Afyfu1yyXZfVu
-Z6MWhorqZGvJ7HY+G5JFxumubE3u2x1EkrqAaFIjDc7NQQwHKxGyMTKg9I04WQew
-8wcbSuvCcI4NVt9HMy0fR5+3QkSeZnoKI6CwqRqLEsexNO6N6l3V7dFgDUOFqe1b
-Yl/81bS6b072jskkIsbFXTn76S95G3UYrEiYdn22+6KPLyOWQLczmVvztdVh6sOw
-WRoiKYXdW2UnO2AYOXCQyUxUjW06m6BJ8F0NLJ3HVuJazKouF7iZsLpHBzI8luNz
-VF4t0NLX60wv5G0AZLivVmVAadB4JIyT17ufud6sH0oSyVRid42zfBNzfn7L9rIv
-vmjfhI7SeoT2MsE7l/QtQy9hJFSh+DpdWw2taJmxP210qXA8tgGgLjDqHJ+k0wvE
-laqHGOzY4J/y4OPsGN2fiW8nRCoravNz26Ff9PZ0S35WJ46qxcMH3pIfxvIdtXZS
-HESFHzL1ejv9Y4y0O56l+w==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der
deleted file mode 100644
index f40c9c9..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
deleted file mode 100644
index d4b6933..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
+++ /dev/null
@@ -1,53 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJizA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQI8DHSrAxFTFACAggA
-MBEGBSsOAwIHBAi4/Xl5t4O13QSCCUgq3P508tXVUz0IuJ6CV41vd02FUQl6IxWU
-gk97TENxKooQ1EBuUYDWtiuSICJ/RTKt/y3JoYcYBpdjeEnkJG2L14DfgS+sdKfC
-18v1EDDiAssre//n9sZfUKBWHs8SqcPyNJvBWMLUW7QNtMhoMj1VEQzTH76v1ZvO
-ojy8akuZ+rqE+EnOPtuEOdJiDYW6yRRp4Y/MqUyx6PZPAHfIk/JJV6yulfGSEFLc
-+gGI/CUfEfsi2JVIva7JpvfO3N5O1fyC3cx0BsT3gousOkacxcRb8pqgHbMY49Ss
-eR4XCQHwOItpc/tHtNOnZUWQzNxZ3d40vxVV+KuvKiT1nzB3sx/4GacS+ZWkCE8y
-qYvbtvi6XqCpGeZc0iZN2ER9hBucGPU14aNoB4ujFx0u8x01sWf9ARLICIAMAsck
-pMdLwTZ684NkyK7haFnS06f3AOn+LRI4G7mo5wlD6YeXg9dIk/OYUCjFI35uMB6H
-RGOdEqAncx92tPaQYMBBWbX+arqaNEsdrBnovItsnlMTCvoIxGQas3LNZPhYmS78
-bwhlXnZwjnifvRHVFM8c5JuOmvYkPgE6RYPaLMwbZkIhxbbOyQi+gkYJhJgZLrjD
-I9BDUEYReSCmWH8hwCDe6BHrUL40C27tL075hz4x8EBySJrG4udZ6RCwnUiM6bQO
-26nJ7gGjsuBcCN9GVcGsCJ+bfltOvsLUPjS3Ypus1RXKsoe2RL2NbGAVh3gLb4kY
-Lm5agI23g66yI7An+9YA4s1LbgeiE9M1pOgZgJ4MWSVjRjIoxC9aSiNfz+cyaNCK
-sd4l9CuH/pXid9aEluvZKDdu5fVC00ZuMRUzcC8CzVJ6tDq5a7ASqxC624bJYF2J
-nf1OYo4ctY3ExVdAyc0cohlIrarqO+cgdVxdQ9FOgKjZC9Z2xxZigetfQLFVROm2
-XMrD35iIFEi7wYRsUBCyy+ClSHtty2/r17PeE4jvLbNv5vvh1CEe6GD/J+vd3WXp
-meGPmSsYTTnlnM0861tBtfgqBmyKCeiKrPlzqNTsfppLoL4FtRF8WvxmbKvahDwN
-lQOnMhNKF5JoyYREGNAySljaWQaoliFMwO4ZhUR1OMqhC5jEmwp35dz2nZCaweMn
-t9+iuxOygOB7k8w8xRQ/p87/lVDDYLRg5dpCqyn0a+THOkCepD7yFi4+4CG7Qbso
-D1KYvoBe+QXheW/eqJQlGQaxhXB5pOwXfNbcYoByuClqyQ24WLBk6c6R+3qBSnzC
-uTarp5ne6vi8cAK3N4Ho9AOqgqb1NZmSQbu73InKKPDbn16pkFQlTa8g1f0+ktPd
-u+U71s2VtJKSGOGDD8yav9BrSYNXcJ4P2UROIdhQwuEh/9p4AcJWElMVufWDhOn0
-m65t1QB3emjVwHzcHweAuJZwBfap9SKduV3DbFd+BVLROlWT0H7/++p6FXcsZaFJ
-6rQBlSqWHBCHDB1UuNTLo6Pv9HfhxiS792L24LRqQkI2/1zcdT8jlQt91qtIwv23
-F7mGpBPGU05oKDVEPUFTI9K7NNx5CUUnQqVs8fDk/ihQlTQd03LSC3UWOB/gpaa9
-/NSw9qugLNAL6KTQVBJ3ZYfZc7VOJCz6g82Ys9wRmS3eJMacya+djtt0jW/rVlJp
-/VeuDGgrsWMVx9SuXqzoSMaQbfXUkWCMNlpbHJhxz3UQMKvvQrWN3Oz+Nm1azptD
-Gq0xQ+/L25Gax0x9Ks3HE6TKD81AKXmn4HO/g/kvMJxLXJzwyqEk0KpFUlFRXNQp
-PNfNxCz6HytdagFp/1IB9AmdLVznS0tD3hEDijm137pHY4XJwNWLn5/AlGzIRljn
-6iNubxNvJJXGayBrzQS7O9+OvWuqaIY5VeO+ZtNIVO3I2wice2NosHPj+JdtabG6
-z9oj6Of3B3clgudcbDVJ540JoBZa3VMG1qpsg5XOw1K/PUUr9+ky8erRwjUN66L0
-YXCfvi6u7Y85gwm7H+w3k99Q2KW3J2H9nmnRbLHzHDBIHNqcIAm1/idSm45hNBwZ
-P+NuaMuEPB1B7ST69JZfe/puGPnqpj33cZYejxwkdmK4MnqCUfe77rac/bxllp/k
-eGVZtlEVwdA4dpx3jFZll183uZxRH8D/gZAy7px8X8pskrdEq18JLlcnsgDGf/EB
-PDGjSLsBXWA1z3QS1Sp+elVqqsZj4RbzdrIKunq68wEBcVSccNZhR4dMMv9qL1FP
-YnCsnpOV9JuRtViEWgN0LYSJaqwPaf6CQBypmmC38S7Yk9gzjQ1Gj/oGPF89YHQZ
-F8mCIZOTT7MIvdPwDkiYC6zKw+oJU0l6Qc9jcB/JXwNajb2Z0jJ6L7GM5jScp+rU
-w7CYIHtHOPU7PF+ArZsLuSMRGptp+tPybzvoMg9zxG/uBJ1al5+OI+5Ok5xCNDT+
-FkuJboihFK5yTpLhzjvA7YsQMFLy1zU449gRK5DWqUrYw+YKS26mgzzB3fkS/yhD
-G4/Y96xIn76639uEPhGtQh7OCg0gu7/+mP1ZboeLY/vCqLgV/RzLAMqGH6934avR
-EXUuba75LQrqwZbPD4oB32yTjfapKO0uGCubnDRq620221h48dqejCqljKu95Jvh
-W3up/DAJRWnZ9JfNWubW8hzVZoF6BySTlACjXbU9rFPJuARchcXmM6RKrrSBPYlo
-vrF97Ym6RGUo7ozTgRDFTH0IUz5bGjtylR1qtzpvNsvD+254dYDfIKSCyrgOdnvB
-ZCNNS6OluegQbFr6Lu0Qd9F2PAtKer2djXDb1UDiceY2XXnPehAmlnkI27ljij5K
-0vo1j21E0ISc8VVeC5PwJ66yVqkQyPFq6OTHUCrOrnDvjqDGMqPj+dwIYGJPBAqS
-jDTpVlgB8OrvE7z23KOMrthdr7t4wWeTiu/9PEvfP5lODYZ6fLAko27O5W1i6az+
-2rPE/q9Ek25z/UaBr5xcUa9S/I+B3+gvJpg8/O72xHd1LV6fQu7LbWSUSmVw3NQo
-MNVQgyJ4oRrFA70QSLwpUIyD/Lac4RNPIIDnnPy4wZO74NdBkKkqBC0BOG0zAVNy
-650rSYn3/RexpTZV7HfFwBViO+s6l3UgRrE0UD6vK3BAkvZKMb19I34DUfYQdGB4
-YRyQzIsolhoy27ZxW6aSAvU4W5idjPJG9aWuHPB4qnhJyI9Y1+D2exGSa/WIanM=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der
deleted file mode 100644
index efd8b5c..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem
deleted file mode 100644
index 16b13a4..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJmTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIVI1x10/M7+ACAggA
-MAwGCCqGSIb3DQIIBQAwEQYFKw4DAgcECPtdOOUMWuSbBIIJSAksArEUkFkTphQT
-0c8tc3j45tJKHXFXhtt4V4pX26Ydh4cjenAveKvrawKhmpSW7O0n6A81nwwOxUH5
-VaPDrA20Uz61+S5BbC8bDa7U6IhA2g6nr5qERb9rCl4eUvm3RWyzEqbLeiUER1Rw
-XrxiMva7wIZhZJNMdq5Bb9yhI1XMLlowf2WvNJGCgGC4aKbr1hp3AqJ3O79iRckF
-XP0fyLt5u8CSU/1NWGAUkQbnqAXYpE0gN7tzDLbBcAyRet7njaplj0XaZlOdOofT
-JQ8db7bavSGe7PeGjC2EZUNElgbHUbb2P31rNN76YR6JqN9cvj8gCGV1DETjEbgY
-theTtptT7/f7UWzR2xrts1iieYRy0luPo5xPOa4UDvbYcHtUVgSkrblw4A0Id9R2
-8dRN8pW/7GPeaV6eqgUYVrqx76zVu8l7QtiZuA05tH2eVrTsMe9DnsvFV/kZIVpb
-8fnkokxp5OZOIIsUxIQdA4fxHA5k3Dw6/0bXVgYHXJTpdIlA8yHFgAkOFkhi9Wl0
-+d02COhFQUMB8vqsHc61aFAvKTMwMIs8/ui34rTSBnBLsmMQlNxgNzc14Dz3fGcj
-LU1lHosX+l9M+vEtiMD+lp3szj7b2+o1apc41L38CWo8XXVLyZ2lmQSHXz+PRWSl
-afjR1chBzlulvELqIMZkjsBazv4jHJOD7Alwcg9pb/i0QqFTbZzDyRmHW2Vfjn7f
-ZzfXZvnW0KLjH4BvRiSpkum/9PbXxQnxryMC36MHmEFUS2vwi5UUjSM9Ak1sdeUH
-b3D00kcERPREb8Pru9+aqK7fBmV+QTAhG5UqJ1E+Zx1YZp5791At4oC7udTud7eE
-n/1zKs1JWh/u8QZkLzHBkBZDIaRSCN6E/zSDmx4VjwCRv08fJK1ChkJJKs6mtCSA
-mQ5noc1kqy8Osaj56FpOxV6Jgr6vpEO7vYpBnQ0DGU5lkE1ij3puyaODR0CMgWXO
-DdoYWW1F53Sewu9MSpSf0/AZZZ4S2lQGhsH7Kfco/hXKV+/9Sj/8Mw82MDVojPvT
-vCc23ORArMRzWFItdDR0jkFVj3sV3csjvjG7/uuRtnapHqqhwiNbfRYoW8cL0y3O
-NO5179OE8Xmo0hHKYaDs3Nr+3dnFwQJ9HEJnKrH5MM2G1qUFknBYFqYEkmCXO87G
-ZtEIywtFEGElGymGWWhlg6tJxEcObN8sNHf0hqv7kH/jN6JuEFLQlfLz1b20XNka
-3rv5WKj7lMrpII9agGO7VR+zbpJ2RYv0a4N+D46SZGIoWKjravmrMzFhXju54HMR
-OKrL06njAoRE0TfpqGzv3InPJg7L8Bb9FtXMdficQ8BM5f62b7u8xcce7VLyhz+6
-1cboaTywfD9mbGteysdoooFihVThc49/DPSi01jqZ4PE937tGDlt5GWFiIOaobF/
-zfWxJq3BWA1LaVj44r9P4jORcP0fWvabcgzlD7vewvSk7cp+g8fGYipN8t4oqynp
-DGXYVCTzckllwNnVlCRcOpwYgdaz/2dEMqh4UH5bPI86Lu2J6Mr9iTuQ3CL967Lg
-hEVmb7HTO2Tr5mnAIkAUveJbLXqPGynh6d3k39m56h5DyPKDPBidjkXFnLlSJwO4
-RPoAyVB3JOMEJ5Am/pXauj7NXErNTKRuWVQVspszi6ycoaiPGfXWYypZXy9W6hJ9
-NWif4SKTpVVYBWH39YXBfyHwnSHeggsvUpmVzRldXuLRags82i4bVd6AjXZRQLfg
-SuvH/RPshm1CUwt+TArl6FM9MjdIOQM/8YUbyk/BcZsdM9ChHa+1soMXAhjz59ge
-T19BzvZWeDIuw9uatqSL/QWAENQcKalo1zFphkFLkHCQnvs3+cwPLo8AP9ES1W4G
-4KyiO+5e/04XqFDOg2iRYoaHEhM0zGTJpU9TDJQ1AQAmHj8TJ4eL6s5OaSzWN3dP
-C4d4V9Ay2y4VFNacVuOTAI945+yi6GN+63sL4FB723Jkruma9vhOhqGht5WOltXl
-yBjcMFmxhsvk9yErnPN/lUIpvy/BlAfPkTmSzTcam/ZfCOgIfFarbR5Hahynf6u4
-x2ECWJtELt5jhxs1gnepZRh71WJbjo25SJO/PSI13uMhd0cBIlhu0iiVtGzucgeU
-PzUC6PO1gB2WgkFXaF839TO/dVpgbK2sBjRUjzqnYs+YMSVwiNY8gc2VAnXQu+oV
-NdNaPEF79JTp14Tq0rmhcjczdVQ7gCNUD5g8ehovAkp6DkKCoMmbKgagP9MnKrhS
-0tkaZwpLxRYiz7vZJhZvz1i64C7auy90fJxVAmsl0sC97dWsbcLaQoIKuwfn0kO8
-q2Rx4xRMixI5uoWDYamNL5RAo1nmsvCQCWO/E5pKzEyykFZfQ+iX5/cFgjXmMBcJ
-1PRRrQcHvtAV51GhPXxPnskltHDUEV1xovYGH0yk20NZPEIVLf2OVGpcQICDzLyB
-IwxufeHMkakAcQO1ngz6czBMMPFhEqaTBDafybw94ObpVrpjO8bEuj96nmFh5hc0
-o/dnMsU8q7syRIinjZTMcvwYLE1C6BSdY0j9TwDdFvH0IhmPaKgCxgoKuyiS2UtD
-G8JPZI9ymOKMnzaqLc5F56j2LSsOIf1o6svHWG2nGGCLCMgLaDCl1rkVYOhQ56Bf
-/a/iPfzkz1IYCO6zvq7AfImGHS7HLCk2Iusc2Oicf3fpjJ8TuMDwgUauGx9RKN2b
-znBUQeI1d6PWflz/Xl1L8GTDc/YI344axYvi3F9HND+gcOEpfcw8jxy/yMYHv2RT
-S4bGyRodGrVZDg7AjFyzLuwapM+GS09Qxdr/4cdEzLT+cuD+K9NsOr/TSvZD7YO8
-09yVbXWBIHOXoVKPz8PSg6bb+Wzk73btacNRgaWlqa2EhT2g5pwSAcDwrTqN9GG7
-0MiyEsWd2uCET8LBXmLPC4U0iHg85X0jC/fdM7xpRAKayuh5omYwyxxunZhAZ18H
-1meJbao8mCqDopih6HYgDbH3sQvk2BUIr0wX3MC7ITLAiIiziJdvXWYaIrDf+y61
-gCf+0REpAKV0uaH1/PkOp7vmjeOHdUdSOOSH5AkyqBt4jNJDwi2yth3XJoyH+b+6
-XGuzvCFDuwIZa9PPsAXkg7lb7+n9L0LSddUChVZQ0NVirNRGTek8p8Y8SYPJZHk3
-ZuoG/kXvaiCSaP0ceg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der
deleted file mode 100644
index 460fec8..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem
deleted file mode 100644
index fce0fa4..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJmTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIeGIEeTeMjjUCAggA
-MAwGCCqGSIb3DQIJBQAwEQYFKw4DAgcECAVqbN6bg9XtBIIJSMsnr6bHptgBKqX3
-4QknOpx4J8Z3yp5PjEAgA2FAehZspTmAEF1vMYZqle3VOzBH5MqCk4UA3Ep5eK5m
-d8xYHiqjCCRqVfy2DTgiXgqAiknHFrHNMW29pzNiG7NP/rQhmR2EOIH8376N0HY3
-OgEW5bFVwgkknWzb7LQ4Uhcbd/fb2NC5WGJrpVNb1fQXjbvzPairSSz54tO+0MmW
-3sjv+4LR2CqQqsurcUmcC0OQUL+srOLbbDV2ENuQEH5MwPpoy+xFcgMHX8KyjYBq
-WIolLU9EGxeRfNVBLGD2aMMmKC3o91S75pqz/2VQ6agChtzBIihi4BV3CWe/m0Wz
-0Ikn5PgcGnUOHq9xByWA+ZA407Rzmpc1yj8y94VmFveMFiqEz/0gCaoSh70CAjsb
-lmFg10lOS2N6jQHz5RcZG5mkZbSW9aU0x5HkJWBKqo3uJ1iG9PzkJ46xrkyoW8MD
-UGAUSNAraFrFJBDHQCRsgINMvvbPS9aTSzKDOC+X6qtrTbZRd4mkkRcxW+sUtEcm
-MS5xKgXK5aFyJMqcaPtHgFqB6I1mQzzF+mXpq5atp1own/oQRSfacLGuZ2w21Y6B
-Wc4/Hw22H3QXBGxWHS2/R9KFGvoekUwe0472jA/jPKKx9N5PKahiwrMoD3UmdGNh
-7greULvNAdAS3JWBZMk9dRPgD4NS3b2mcbjDXX/u6OZ/dai86xF1u1chanFF2+6I
-6Jntv1lJf+taNHxKbzzX6n+0IrYiFtyQZFwLNeN9XjrSUe2r3yfkPsfFC/Pant9H
-pbG8tnuDfB4FfeDuBfJrr3Jn6+S3TG1H8vIvkNxs8QE/1DPvIblnNZieO68FJask
-7gQb5wYMIcnYznTrmYSFjj2Pz78O+XwEA86v6n8HuzgwzQxkbPAry4ODkIcoD4A7
-ZqPCrJqENkdOamfHO4cPwnaYiuE/+ySz2EnAYr3460PLktbBt3yQN5ICr2tHDOpF
-uK+2HQ/n9nwHhb7y0I+y02wfE5pK/+Qlnnwa2k5qecjlW2ArM701T96NAugm3+5B
-nmytXOOEo5ihc3lwPHQCY4u1p42kZhTwhw6Avbym0MTpL08AspYUK8zesbhtkSVP
-lyPqWFO98TqkyaHDfqwbbNsPzoelf/Abpl90Yr+NTXqpDIt+DaDEQITicsHcOTlH
-fyVG36Fp/A/BePMYEaJ4CH9rcQ8UeVuPM9I4TkLY8DD/uNoD4wzp9KXUmbOke82C
-JNpIzWcgTzSmn93ZrEIPLcdHEwe4SqVquzX5JHszm8OsJKupgYD72yWFJoYrxo47
-QQ0m/hgqgXb1NYurTAmBNUsZSG3LwY2p2whz3JEdqWMnfZX3SQFduSWow2FGEoJj
-EHBkduWt2yena6kKqE6GStKun3Z48BR48tHHZKHgG8fKiBNZfnyXRXy58d4FJtF0
-mq906Xxmphxv+xtAchyUabgQxVdaNODMCeY2UtP95elNYz9K+8HUl4THdx8eWHRn
-umlXSiIDNJ/kesHsBhtHuj/nk1vyLzTnMyGgZToQXKNSjnrWHH4aLWaglvJrsLi/
-huzz5wVB7Ihhc1aB50kKCHmtjUiCAV5c7MtPiGFSI/8Z5T/i249e6qfbBoiXkbAH
-wc6rvWCf4dBgXaOEI6yBA/maszl6iGhz9N8/lInWvfS9LVoW6ZlwQHQ/nfc/06oy
-ZKT0T8ynjfuOGOuuEcLuwxH9FMdpjAyUzoa7EGAjvUANX6A2N2QkOUi1Smg4pm7B
-ZG6zHDUDv2Cy5sFQmN8MWtY72uTobbMKuCd9xDZ/FJjAqZg0IaLU+yvS0DL7ReUi
-k8E020LmR3m8rga018lcGJM38z65M7HN0drkc3lzuY4yHH+tJTNQ2JqfreT7wVbH
-pQ/xqzkZ9hO5u6+KFQDj1etq32XTsLiFpJBmbl91gUm4DVRTN4M18U9LNT64prc1
-9QYqCxlDq9rwgWqlaKnnJ8iPICmWkwLI6CAkqisXvOiW77BUGoE8pjzN4d59S96h
-vz/Ncgf2AA/EkH0qbMmxLms5q3vYfjBNjbvhwj7sdNBIWnMukMKs2pqamDL64DkH
-5usjm0YGcLkPE7IyEpxv8hqUt1YcIlGuK/RiODTPYPoGmu/Qag/CSjd/QJv4yDOT
-fyJTlfmn9s1jsVerDazKt/IcPnIOkhyvmucSznPBgo4uJRjl0e7D75it6Vp0ki2K
-aHBY0O5LSIz3IlNo64o4Q9Be+848SG5s3CTekXePlf3ZqFccozmU5kimv6FFL/5y
-GDppveL1Oe+JRCgZiBXCGM4vzI6RW+WGUeHNY78vW9p4WzMh0c/vYL445jBN6utk
-xg8jtY3YhWJ4xCnXD7GfIXGBzCYH/DHbtb5Vro5668NVjoSgCmf1DG1zRILYteYx
-fL8o3CyZridfLCl0bQG8kAXkqikGzFsnNE0UNvGI3uxF8kV2PV3LEM3IHqUcB3mt
-JM6/IoLMigIec5QHGwigrrQu2fQU0ESrVbImulwRdN8C65hNJXRasRSRoQXogSsA
-5FJmp0m3LD7txOZuGEpI7nV/JMZYsGS63Asw/5DOWbSTwoJaBX8o6U77sDSdGa4Q
-pryCldJRd8951JDd4YD/mfezuPD5ZrL092Ljx3ei9SoCLiBUHhI/T7MYAMOrzQOY
-X3whFHiZpLkaBeF2ZOJL6MTS4eS7tzDUiL7DvcSPnFX1X/Ei2GC/RmbUZirKCYDF
-GxwinAWMYAyiIfj2BeGE3uiGXnUFTtdzKzPaBMvA0RlebuWWFz7ohyz/GJGnzAwp
-rN+ueyUIAa5k5MMZu3FLdkdIwHBJVRqmyRnx03SUFRXawyGO5hv4Xr9XvzCKcQ6A
-QQFjln6Oh2b7KOKyUseFlEa45Dopx46SVWkYMzzuG8Du53z7rnepzepOK99/QUCv
-HTSJ7J8ySCnstBPp8Cghl7BkgsStVZEq9bydDHwezhy5XuAwMgLWaVg0qYApFTYo
-R5fMh6XGR83aDvoGTOXBbwCTP1I4VX9C0E6hKjwCuqbRCdb2fNZbHWb9qhbLxg30
-9ne4p9v+X03UacKxXRj1vcZPK5u8Zy99bR8hf85iXQEJJRBed07FbiYEO0LFlaCF
-D0st72u3r/V6cr8tj4nL0+Vdi/REnch0dCb30113KvLjU6jAO/rU8maTYZ0JYDlk
-CFOA3zlwA7tyo7+qTg==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der
deleted file mode 100644
index c78ff2e..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem
deleted file mode 100644
index 53251e4..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJmTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQI/44xqqStiVUCAggA
-MAwGCCqGSIb3DQIKBQAwEQYFKw4DAgcECISKMFVzj/gJBIIJSDl8mpZz2qwI2/bA
-G+i8Eem50G7EdQNLsIkCG8Qgu/IplVx7MyGLd3FUmPpSVnEsxvfk3rRJb8NDnm9m
-YcJRy09H3CFv+q/nqyrXR20jVFNVshho6+Ky6A5x+jSrlzlgY7IHFXcRSfaNX3oL
-vg+TpJfG5Ls9oDwEzG0C5FZlblrSXVL8dKEKwF74crYCm8zhqUJGuaZsSkpq7LiL
-9wpvPkA4VmI/qqqeINwyhHP9DYGUEGCAieL6Qbk3hzHnvZybnhmyLjnJdyWNg2aF
-E1kgBo6ePj7LeMvFI7UaJY+lqVkOA2vlqmU6La8IP0OaFQHhYwLbgEJE0jPihMnD
-7bysQvcoQrPc5vaj5RFuAcsjvx7uCFyFk5afaMyWAxUzxpfzl7tTIuFkjmTz74S+
-nFThzKCEoyxGYOAP25nYSLhKmWCmQMskhacvYc7MCuUkZvj5xTCVDp1i6yN9TcyN
-SDq7EhHir+DbFBYtd6P7pL0oz0aMEJoNMpk2PFQTr/d7iid06GwWccsjuhdfKKaR
-Dkh3hldz+SHZ7eLvrp5sKF9v3hPhX8qAfKn+72ri2JNBtiJvcn0zkHK+4WPv7giy
-ZTohABGs5Ju+C2tMC4QCWuHx4onKHoqAM6okVOQmdOWVOGlC1n9MykGU2vIyYcXt
-ih9abRsYm39XRocSqosqU1Vh0Wxt2cPcwqQ3Ym0RevV+LirLpVrS74fskH05f8kO
-6mhv9ybBPNCXbbMlO5He6v7ck+RALOzpR1hkwdn+2K1vZG7gF7PUrF7ZF0OzDDaM
-0iB5kRRr/gdyFP2cVwEUl80KHqUTTscSS1ZkASIMX9Z3spFdDHxFo7j6QFl+nW9t
-IYoyJI9QmcIxgpL984hTKEexoJdQfmi1CKkNoJTmk7ypgAKqiTc7o7iOtXjz8lyf
-SFVRJQdfDbqlaHqOzxW7XkcD8qTTzgSMcnJEM6+FbJg9WVOU8yDc2KNKv1kmbP9u
-a12AzFDRTCA+D9+g0UUdTZhjcVEULLpa0Wshoi2NdcnB2Tn/FhSJZctflqr1u3TH
-np85NxayNRisEh/gCVkHlv9lmH2xjLGEz/AlRT0f682qgt9SP1nzcTIxY/i1T8Oh
-BmiY/lsEKUSKOhsBO/tm2VPOE9dUOSATlNzxRhItqTAl3xbRGbt8rdQ4nQE6MAd8
-ofwPTjRheJmBFfh3vZVPpKxgScpQ+OmJ7Jx8McgMCMwv4Wj+thIPFGWqrS+m8HsJ
-IxvPF+QuJ4ECqISCzetUJKI0MknWxlWsE7tgZSjLyQbMLaiKLocBwGZUlOOOp+lR
-7GY56oAbANqXhjbA+AoBFqe5GrizCvjEVYKg5Rj9OeHHEIxLK7vPeND6tvSfmK+C
-lZ7xv5Zo20IT87kg9oqhe9cLoNOk+NeWd39xMKUCBoxYK180ylX4yPWJGn/AIIxZ
-8wNCYhtTO1ZYwx2pf2KWm8SlvC0BtvIU7umwyB/M7M2h/XBgO9nhrk5uVKfsSsSk
-BrJVeKA1rnw8YNpPy6ncVwRJDVJDxxfctxZdp9tkZi5h3MZWgBeQfYhlJMTWQp6N
-5cfdhwprGwyjlQU+NGE1wBvno4c/wq11/jcIEizepJmo+J35uoNTYXuA/yvmG7Ov
-N+8Qvv7qf52mCN7wfON49bEcMpAg8/HF2F/ojT+PRUe0escWxvASKRSQ4fTMgiPV
-AIhR1N0Zv+434S3UdaYx0RQjjuaZAil+UcdV3RViILfvsZNzc2SnUQ3WJsWctrvO
-tr0q0EOCG3xbBLQs2KWnDu1bHDhGzk3D3FDk4EXQtvZE/uB2Y0AoxwtmPWnkSmSR
-IDVZIb1gN/5RIx7E7O2QY8vPrk1mOw53QGIWU8XthSOlX5fdhWIDwSVHnK9ReCwp
-gOE9AvO2RtGCHNzejhRYEAkwf+AbmQewAd+HpKcu+pev7kaHpFBQkC5YZW173OWF
-CwJ4iAkjZpr+FMgcG3J5ztxgYKuz8fRa58RZAdcGtFd5LLWG2KL3djYH146z4ofk
-m7NWrFWGlhXcQn6/ylv7GYyCZMN+UTcwSP4LaihXK9PlfosKEhpR7+FoSBquPook
-Dr9tfUlKIWFUru4mJTvGGEHG8Kc6ey1yyHJGNcWQr20eALqrK7bCyo3U7R2zNQ3V
-NtrKD7K1jEZfv8a7G+XhgIPTpFydUhIfMhIDvo95kA9oRAiPqe94Ycdb7RVmUtv5
-xceKm+wOpwGcntKiVSWWejkm7fw2lk9CHci5s0gfacZvAhkWGCuT73/K2reo8wQ5
-zHtEeS0ZEjzjzDukS+wIhZ1unlHK6ZYSsweNdky9frLHTs6gLzu6Ac5YqKqqImOI
-VeR7oKrhopTLxLwWkbAZNau3h3LoWwPatgwmPX4OBAge9xGeo5BAm23DQGLtokYj
-hISAoYzc6qhr0ScHFOBxEg3EoHFVUNVYLpAAIHVDVnZYxeiekBSOoILM9CK8JxwS
-BsSXjZIJqg+Kg2HXvDewIXA7OrDxXBhxPSsF7oTY8ZlutCZQI8BURpxTaQP4gqxH
-ckw37M7hsEBNorNfL61z6DhyWk6R1AvQ/6jUbFo3tNPRexzwZlYSyl0IgAwBgmW+
-/JcJgbOIXWPF5r6R254CZ3uX6xi+2UwPtYsPRLKwQsCLwK7Gvcq5dYkFJ1OeletT
-7tlqSOIW3UakmviM9u9uM6DW1ZRCWzAmNci4YrQGIMmmEBbaqe3dwhcOmHaUtMKu
-dOUV+lBezeGsx4yVxEJkflkcg0SXSh2xlKM4gxuf8EiTeTq9BI6ZOtSW/nUzYmiM
-Yqc9BElBrWN/xRxxPgnE3oE0KsEIK7E/go5eaobwYTZV5K+Tot0fVmR6WHPwR/4Z
-RJTHXJlJ0RxacHFLWKz+6/MWp4LPnwd/0GUYMCi2FUptjVdEGa4mCFfsO2SHpHWr
-p9W6/wdy2FXcvSJGou87z0V/uYGxVh7ZDb743p+/f6UmzJLUF+LrZbpdJZrxVNEE
-Di2EypkPFJiqekDbQaBv+rFuRoFAniE17LK1kuWPthnKHjajQJbdMusXJ9FWGjn/
-+YoVfrw49WAc3e1w0FeHo5NKSEnB5c3JFquSUFF8AxJn/+EDibhprr5viq89Q4OH
-I4zc1PJ1a/1b5ihSBhgCihowIyp1jeQLCYxHtur6zMyr+ksuYnwlCAActmJF1Nj9
-iYasACAfY+b76HC5aw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der
deleted file mode 100644
index 4d38a0f..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
deleted file mode 100644
index 11504a6..0000000
--- a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJmTBLBgkqhkiG9w0BBQ0wPjApBgkqhkiG9w0BBQwwHAQIGOnVLKvKgHACAggA
-MAwGCCqGSIb3DQILBQAwEQYFKw4DAgcECIGG28/TJRaGBIIJSFh6ZJN8xJaH30k1
-rH+L1DyTH4CELsRd164RoqfUq8rp6+XcNG/S41PdI3efK28iyLx85AcqFArqHHUM
-7yGA6vmuSVz39ZXdu1CVMi7OQ4dTdg3KBXaz96cnyZ1EsoruibQDn6mQq1D0LG1u
-5phVLsnfQLDiOFUFm6X4q9FdJj6NUJdOY5XRJZEu6q3wEmVXDfL7zYXJl2gZuiGO
-eDp/d0IVcYFd1od0V8qI90nWPCeZziMcnR8wAloV2p8xiqHuVhV/4+I53ENqbqxo
-v+0aObO3JsaxLVML6JGhabd2k1v3QAZLawMVGBNa/7IEOBVeD4j6VSiZPdKN473i
-oXxRsya6HqCD4kx+zbofbL4dEZliLDmISoHRl9ipQfr1+Y//JYhEf6gLzmdFqP3q
-N92+rVwdRWfmVdIsgdLiinJWO1xZ1dUnWvGOYZNjurGVHqv2IrDBd8FDjl/yMU6z
-osnOynXspoSA53kQ46ZvArln8QGzWt1bD466nu86dXOkrfbAmS59VaNY4Y1D033l
-p+d94eEjRwFUsQbRWv8mvb+KPn+nYcWZFNCg2RhTUKnU0Od1SHY5f9jfGFUyobYp
-/tg6eizo7T+rU9PZoTkGnCf1qOwNPpbSh5FcLVajeDiYokoyc17VQJcc1xzKeIOs
-tcU7kK/jA1GofCVhH3S1OPYqdjGvvoTVAYyXH3SuH04a8UJvFsRl8XdTNYOyecqi
-tH17PADDa2UTvKE2dLhxxVUoO9dZVeEorNiFWCQ/rsl5M1eT9KXh2lvZRM+Yxo3+
-NPP1/CGa5sDYx9aZQPoJc6aTJicmqx/srRtMR/RuwBUUH/1AENHdNLBL2IPfYjsL
-xKU/ox62cs2sCIywkBkR9WHPTqaU7HU6rlD8phinfljA5rMj3P3zrNk8XqfHNTpV
-BVA2Eczf1HNizvLxE3+vp/eGYCecuLfnqwRj5zAjiYPcy8s1vETDkXSWdc9vQf2c
-zky7tdAMS2WLFIulBIqYFDhicdlp9LTaeUOiwNIbPLVMzKy8zzW3UhMXyVi9EBCt
-IDhkUTdaLmiHB0F14NISRK6/isa4Vfe+/Z9ML/z9iFm8eC6LMy+/YgWZD0vYIwow
-JKHuEuuUuDR7gkHgZ/cvjMsyOI26uiW/W8qfAk7OR/qlZXMgWCQTgVBEcgmZio8U
-BcVDRPKFqLCKOINQ4poxt45Ez+xRlYdwExPnSRD7ZMFPYcUllO+S72JYGsYdGs60
-i529HgXKp/bS+1JKK/zxQmjApZ5kWGmc7kAUU76zprd7NKmdpWv1nbDJBtNU1bmW
-nzE/GXyNMYVGuxGnu/9scKSRATLzvLXtviRKoZVFm+6m7gR8J4GVSu8TxaXlYxg9
-NR+UujQJeoChR2dHvAZXc5g3j9rjQXZYlMm6M5rq0CbMlfeAFSwyG3Gm6D/cRxJg
-MHPaU7HpeZL5r7rJwNfUt/c/cuQ5C8CadgTgDd1NW50uEUoJh3QGE2K3Jq+0wG9h
-sk72lnVzH0bnMbJDXEV1btrs2qnnSots74+8F24gQb9PRQliuk50LGNddgrGoSgB
-b9eaBl7cgcy7T1XUv4I+aEW+sfa8bGBffIF2nk3oCrkW9Sbdeh8qSE9uthewpGvK
-WxBhCn6zUryHmt5ppiC6JrHJridCSu4RNbYL2umAM4DNh4lE5rBvFrCHaqet7hdy
-wheQGRQnRzNru5alCxfNWXXuOp9naFmF5RFDWvSXukn8qfxzRcjMhvNS+z21O9nK
-LPRaX9AICLGC+1C++Ka4pjVJVT/WhElXVap313Oj/Rc6KvRCdGpqMLVxPIrPFvbj
-vzNFa/YEU3RK/wjO6/kQPtlcfwMzZFkDHMWiYMCUoi6Dpvze/mKSTA9G9lmc+/BF
-sgqLZM7yltTmiGKQUDSlUOs08ZmPw1+HSOu2DZKWQ+2XoHSMih5ezu7GZ0xvUt4T
-BHV95sRDCAvUywGTIPhx5xa+gICVeL97DOUCS+Y+WJYmeSlZ5r+dyg2V7+CX+qjr
-ENMpouV8bIMpN05qXez8MuO4vJdDDsjqxq+y5kwN/ugb+DOq5okeRIaWRPWdyceT
-NCayiE+5nnfdPMQAAJqZ/LGSx09fyamJqhcG3RJosFfrVPjj7aASUWi1BFjxIe1L
-3fFSU9UDh9hfJczZx+hNKb56vhgrO+DaIbDMNMQqh6C2zdCirBT6M1NXhWvHKjkj
-/MNyLBwnCWTUZ7gufn/0MAr1DaeoE6TzcwDCpW6ntXF9tG7L4DVbA8Cqy+M0HnQL
-Pi2BCh4KrRiV1G4N8xDDCQw6IkfKRGGO6wCJ1HTnA2xmKqCzE2Ul8S/3+aEEpRNT
-3FrcrEi+nzAkzBBkPcHaxayx3mR00Wv/mwcI7SoYKKfuidESQy+VBAHqekTmSELw
-YRTdrXTKNWYlyms7pKMOgdqZAhFVOYxKBVaiuUeOGtvCNZ2qf7TOG/pT3nqTAbAg
-UeP7kvf2BaYlKoFog3uvRypcWLomQqY6hwvWW7IwquHwxeFdCHHeNrr9CoBrF2lz
-Z162/inTRzSbUhjumhLGEiJSzZyrEErjBjF5jE07TioEgmnXyCFWoc4nBnZ2+KXb
-J7/QWMsCJwb/CsvQxegd8X6SwLDfH/28py+UAqSTi/HA2GY/68Q3PQ17V7fyg5l0
-h6FShhYOKmForUNwqn2TwGPH+0swtOU2fKFq0NMHPSvta6U0wpaRZMCojw8AV3y+
-lUdKesz2siioxfeIxhD1Rm1KZ5p1N/FgyAEu6wpWj8okQjxRiGe+GQLheQpsL/ZW
-HsljSq73o9v/F7xNE9xqIxEGnUDYIAQCX47CiQOTTR9Lz6N/t36Eew1+KjiI4Xda
-VCu207ipFQPpNkvc13z2NWC/4NeRQg82LCYep4y+ZblcyqLqvMwOhJro2Kxoe1e1
-rv1Mwzd0ShUosb/2CChCRdirLJFXaXzm+PzBZoCyJEWcSxi56By58jh6H+XeUxCj
-0fl7eXLHb4sv8kf7P0KJGCxNY7ik3TLJjncsA9gLmFAeRcYWKq5SuSEW3DmfDSXZ
-CC1pSsvFBvV60ZFm2r96xqFHKFHOb15qm9DBXphr870nZQB7+QgRwp+jd+xdXUDS
-PelVGau5uoRN2tFPNvoeGyww9lkuNAJWK4U+LdLwHsQOUIKTf1rgwz5C077omOh4
-3u+3zMTCMRDNhiJb3g==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_single_san_uri.crt.der b/tests/data_files/rsa_single_san_uri.crt.der
deleted file mode 100644
index 22308c6..0000000
--- a/tests/data_files/rsa_single_san_uri.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/rsa_single_san_uri.key b/tests/data_files/rsa_single_san_uri.key
deleted file mode 100644
index bb6c0ca..0000000
--- a/tests/data_files/rsa_single_san_uri.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCng06zdlkhYiBK
-43H+cK+vkHYvvRA2RtWbLMw+9rV9IrdGQ+iQQ/X1SZfDl2hWUiKTpabcuGYzY38H
-lXW4UXwTB36KEe7G3yF/fbvYzNsdUCAVOzNs/0EMvXJeD/Dm5CBMEsG6V0ovHmkc
-c80fQYQiSxgjpWyRpKdP+z/2imGph9onuu7EWOpAXGArozlLL5OixQ2dmutsc5ap
-hfgwq6za00uKsFifolRtAhiH86N0vjiAJkzZR83uBlI285sj5+EzRrtjVv+kgsLW
-gLDlj3bgsuKQDfxWhe+mpy2PIJ41kqktCz1qew3wyHI2ysE+6htHYQMNbCtkRMdX
-/4t1yx95AgMBAAECggEAIIhn6IK7nLgp/WFe6kOIW1h7G5pkY6YuJgz1PeU8Kilr
-3sGhkSMhyZmZV+s34EvjWzl4xrUpZCGWsipcyodIyYlTEg2ZihYbs17/9IMUqwS8
-tmLhAfIw+ABzDcGaz7zOaPfbmA0L40rMrzHuTHu05dQfxAyEoWSQ+f+Z1I/bl8jy
-GdXQVtqZzqJcWXbXt+3+B4f2/d7K5xzb7lv/8zhAf/zoG9srMByPa6/Do5rVas5Q
-NmzJPwXngxE5dJcHsWU4FkHbSbJj0khW858MJ4o5Ddw5ZOPimqlcmpClb01wCdXf
-13o2ozKGE/xq3InU7MA4ad0tLMdEM8R7yhUZ9Xe/gQKBgQDYXt4BhiamnSl1tHR8
-MiiyzkcZuVH04/A6FsnUhcbQF9iCqO9szw50k0z7DVIGS9dSY9kmMdEcpsX6m2XC
-XfEsxHBm0wmJqLUGq3UzM6oDsyZG1fkTg+eMzbVO0sv4xdhJLPpmsck5yJ8t0TxB
-8gIS9yNEw7+w6rZhgSRsMT+WhQKBgQDGMZ0qIdFi1Ae7ueTcBCe+cjgmTG9nXq6+
-qRokU63rPP9y8XTVD6hRmviMRl4skt0F39yGJ7janIQnOBrf2DVEX4Mcf0sY4vDJ
-msDV5jkbzgbAEas0ejO4h+dpRqa4mUiU1JR/Pb1jZHNOg7ZfTw45WPqBGsLTEpAt
-OsKVUgbZZQKBgCIe+8WjwS6fNC2SspfvVQm1i/Lbjbgfxf9zHor8ObkROZyJRZCU
-KoRpwkcI97l0dlVQ16q1SnPJPQljPi3joKfdppggia2CxGFz4nybliEVPGEJV0kj
-kP1cZ04x4eauVIhdpnNRcBlDsQ6Jo4YGwxr4jEBI2k7tBKvlsLe7IHr9AoGAeJmi
-IAwaBIAvAH16lKL2qD2Ki0uBkq4buSrfHHHK59TjQEdLJ4byjk21pm3/SjJHyhZR
-c1TieCw7gj3ypHlE2IkiGAohYVBe4t6HLuF7qL6yfteBjVo69LPGDdqPAs9LSj0c
-61xfTQbH32PoapCJgD3zmPH20Ud/cfZKh2A1iL0CgYEAwQgGxHVo+/d3BhLQvQHt
-64fE+qrZA5oWWwBh8EzR+98eOnDCF3Gm6chrEs9boOzlwxr9LU4TgiBnpyYrQCEw
-AdOA9dhYz91d+chJZjKo635Y9byN9rutr3/EfqZLxWL73k1y5LNAYL+jyAab0Jsw
-l2xG6PNj5rItkgO3j50qA7s=
------END PRIVATE KEY-----
diff --git a/tests/data_files/server1-nospace.crt b/tests/data_files/server1-nospace.crt
deleted file mode 100644
index 4c3cb90..0000000
--- a/tests/data_files/server1-nospace.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPjCCAiagAwIBAgIBHzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEHBvbGFyc3NsLmV4YW1wbGUwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUuFWFeib+4
-6EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQg2rVQUN3
-Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A+G2BJV8K
-sVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+rWUsZOuV
-m9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE2y6mT3Bu
-ns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSxAgMBAAGj
-TTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKmMB8G
-A1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUAA4IB
-AQC8fX3ZiHu6GoYBB5Vo1l6CXXDhHB6r43Pp+BHoOCouiiy4useiPLu5S84gmNoC
-v8ZR+b9lAaysCMHAbth9vgtW+aXckBY6xKo8CsmGXcqZqujD6qrDif5q6UpXa4Oe
-fr6ITkecY4Z9oN/aN5el5zzUd5zkoyQDI5Bn1gMdvV7AwM7Haq+5gTFwM7HJnphz
-GZ8GLxWU1dWeAfsGm58ey6J28OjIkmfP3yL/kBKMhiQZydbH9Y8Yal7YwhayXxES
-i7YwhNmPcGAgDBm5Sno7BvHiIqsNX1sssC3aZUaZvldJGY+4Y9fFZHenBwTREj/S
-CnEgazC2RJ3kYg3mP/QhE0US
------END CERTIFICATE-----
diff --git a/tests/data_files/server1-v1.crt b/tests/data_files/server1-v1.crt
deleted file mode 100644
index 8ca9007..0000000
--- a/tests/data_files/server1-v1.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHTCCAgUCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD
-DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK
-DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEw
-MTQ0NDA2WjBOMRowGAYDVQQDDBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwH
-dGVzdGluZzERMA8GA1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhF
-kNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185
-fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFT
-xjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc
-/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7O
-vViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABMA0G
-CSqGSIb3DQEBCwUAA4IBAQBrdYAEzdH6ryyYaolYvp8Fvq0wZxp6Bdcxvi0LUGmb
-TdWcNrPU9IYASc5QSrSWPj0c9vhLVbDZAONfn92thi7C2zQXok2Q3jW038ycNSXN
-lVxFkdY4GYa3E6Og1LVIySyzfyyNuHKKWbB5wZCWbzOgu2Q1MHSNvPhKjbDhyGtT
-Mq3Qy6TyzUFbXMRBixcJC/Cy4zsqvWBanVtBmwlvgE4Q50CUgybzSEIL5j+aPLuW
-aj8j2NRB2+7vPeoWd8ry5YxEKB3DRuXHHyyFnT5O8MpWuCl764qFMc8S/i7yVcmZ
-egZQw0dCmE5J4EGX0BEQEM24ll2e8SxL351hbCQ+EfvF
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.80serial.crt b/tests/data_files/server1.80serial.crt
deleted file mode 100644
index 3ce8570..0000000
--- a/tests/data_files/server1.80serial.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIGAIARIjNEMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDwxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVyIDEw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUu
-FWFeib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQ
-g2rVQUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A
-+G2BJV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+
-rWUsZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE
-2y6mT3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSx
-AgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1D
-WQKmMB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQBJKeTUCctb/wCxBte2AIiaTfATzukTVtGhKkdy3cY6U2DVSXc+s+jr
-Kut8AYnjp1T6bho98RHbbk+hu+0gBWL2ysJd1+slLBUEotUMTkzgA1YdBXy9J/eM
-HJ2a0ydFll/m2rXx7RRJWSbcgPZxQLDfollnNVfhcb75O3GsT3YfEIsjLmon7NHr
-rJmTp773trg0cNJ6j5dKMA/2SQH5PL1cmcFgNfVZ+etNRIhwpIQYySWJ/468Mcg5
-ZKPY6nubIIj+HPB3Mhy8d9U3gAJvc9iEdzbKjrkJdVROONsyMYge4vnbjyKUr7/m
-ZN1O6pZy9Fvgbdhvx4ZHpfgEsa1qfLCH
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.allSubjectAltNames.crt b/tests/data_files/server1.allSubjectAltNames.crt
deleted file mode 100644
index 13af873..0000000
--- a/tests/data_files/server1.allSubjectAltNames.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDzTCCArWgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o4HaMIHXMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MIGJBgNVHREEgYEwf4EQ
-bWFpbEBleGFtcGxlLmNvbYILZXhhbXBsZS5jb22kQDA+MQswCQYDVQQGEwJVSzER
-MA8GA1UECgwITWJlZCBUTFMxHDAaBgNVBAMME1N1YmplY3RBbHROYW1lIHRlc3SH
-BAECAwSGFmh0dHA6Ly9wa2kuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADggEB
-AGPFB8YGpe6PRniPkYVlpCf5WwleYCpcP4AEvFHj5dD1UcBcqKjppJRGssg+S0fP
-nNwYRjaVjKuhWSGIMrk0nZqsiexnkCma0S8kdFvHtCfbR9c9pQSn44olVMbHx/t8
-dzv7Z48HqsqvG0hn3AwDlZ+KrnTZFzzpWzfLkbPdZko/oHoFmqEekEuyOK9vO3fj
-eNm5SzYtqOigw8TxkTb1+Qi9Cj66VEwVESW1y/TL9073Kx0lBoY8wj1Pvfdhplrg
-IwYIwrr0HM+7nlYEhEI++NAbZhjQoS2kF5i7xpomUkYH9ePbrwWYBcuN00pljXEm
-ioY0KKlx00fRehPH/6TBHZI=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.asciichars.crt b/tests/data_files/server1.asciichars.crt
deleted file mode 100644
index 824e46e..0000000
--- a/tests/data_files/server1.asciichars.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDESMBAG
-A1UECgwJ5p6B5ZywU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J
-v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB
-Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl
-XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk
-65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP
-cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw
-HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD
-ggEBAHqJLYmgkQ6yqml3PZM6iwbmo+lZLyDEPFpl/thHZm5LI8TTYOeU+wMAZ6KI
-VumyjZxypmLF2MiiJ2f3zQooU7H1waAcTpsafTuD6RRYdthYYxs1L9gCm1ZT2Ga8
-fgn3wrugPLUrtSM/TkTj6F4XkSlluzZpEKsSYLSoyde+uQgdbtR+3Tc+3oU8xBMM
-N6uq4VQC49avIQkI+598E3vKrjGGt3l2a1Ts1qvXWjo9mpJW5GM4e1zfogKnc8XQ
-K1hYQ39wL42l9Hijwre85O0PSBfbNOv1BPSDm8das3VNzGsUIz8InkAKAKCKwxG6
-BCw3D/CE8s6DCnpb+eK1sVJwZ4E=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.ca.crt b/tests/data_files/server1.ca.crt
deleted file mode 100644
index 84691d6..0000000
--- a/tests/data_files/server1.ca.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRTCCAi2gAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9
-Q1kCpjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0B
-AQUFAAOCAQEAgt0Fk6cLMjsZUkVpkpTw6EJuKA48H8ieUSTDzYoaDWJQsFY34OIc
-0UpfMwl1jl0qEcVboOdcJHug0EXsfm6XUlSJkPnmcdt/N4gU3/TVkdQwqbvrwjae
-S+Jb1E7fTAiauMi6++svV/sfKqE3OCTJWF+6D0LdgnxEVZM6DvnFU9Jvw+CPTIx6
-+SYZLm5sOTL0sWMIxwAEjwGJ3T1m0sjPjnnl4Jn/XtD8UuRRYB/RS6e2TlKovwWP
-G3eUdEs2QJ5lnnD+d7AUYq9nAYnb42M1ZdAxRQxxu2wweiTpUubvT4W6wkG8veix
-UM45EKsxPinnK0rK9bzrPDwpntIHhEUcSQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.ca.der b/tests/data_files/server1.ca.der
deleted file mode 100644
index a5ff059..0000000
--- a/tests/data_files/server1.ca.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server1.ca_noauthid.crt b/tests/data_files/server1.ca_noauthid.crt
deleted file mode 100644
index e66956d..0000000
--- a/tests/data_files/server1.ca_noauthid.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDJDCCAgygAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-ozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9
-Q1kCpjANBgkqhkiG9w0BAQUFAAOCAQEAMblPCsjj6RJ8sOm54sdlSJOTGWEo/1LF
-q1bJnKE3FXDeU8pbhEhpfsd2zcKdJxzp7Bg8Ms/xKBuOZhn/4C/n2FwZpEeAsS7J
-tZifKp+GXVs0xbcji9aB8niWXSl/CoICpvHpMAz8k2HT4LDvbC2ElXkqLT7n7k1B
-/ODI3BME34NquyBTDezQb4Gz7bx42OKLrxZkKrO3UF3TQTYBZvlH7IO7SvZhQPGk
-b8a2jKYfeQCCIvcywWQ7qzlgzTgnXJ0RrLyCqOqLFs6ztHPgclHa+XYF5yftSKIS
-zTJLT0IWBtwgB2opv7YSx7tKYhj+uHHY7C3iSXzAgPy5TYkissGXbw==
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.cert_type.crt b/tests/data_files/server1.cert_type.crt
deleted file mode 100644
index 34fe4f6..0000000
--- a/tests/data_files/server1.cert_type.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDUjCCAjqgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
-BkAwDQYJKoZIhvcNAQEFBQADggEBAElJPaCG6aFHoymoCrzckPfjENxgXW2czh5t
-TsMPshkzX5p2AU89GBGdy0gQwoPuMtcznsDe4adM6Na8f30YDffATsgDECMIWtV1
-XVYKQIwFmZzEt4B+5sUmyMOLtTuuZBThOLPwOw8e4RnILKOYPHnQNRf6Eap4lFDx
-lp2pAaiXMDWH88gmWoU5XrGTppllYV0IorzJ4xV9Sg3ittNwNO40ehVQDAseFwZH
-iyh9iHz4BqtWjElmQ3hL8N/Cbqp3iN15h2pUgIj8JIt9rCsIZrsG3K42iSlPzEn2
-DCzWQSj9cQNCRVJnwgJAWnC1Hx0YYFQMgQquVxnK15THTGQAeB8=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.cert_type.crt.openssl.v3_ext b/tests/data_files/server1.cert_type.crt.openssl.v3_ext
deleted file mode 100644
index bd225ff..0000000
--- a/tests/data_files/server1.cert_type.crt.openssl.v3_ext
+++ /dev/null
@@ -1,5 +0,0 @@
-[v3_ext]
-basicConstraints = CA:false
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-nsCertType=server
diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt
deleted file mode 100644
index c3a66ea..0000000
--- a/tests/data_files/server1.cert_type_noauthid.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
-BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAEPc9VSJK60+WkAw
-GZX3/AWJE8h31fZ++2Zu7O1V2ddI68Qoha41bORXdizfQFjTJkV/QHjbaCZKqpt0
-riGKvRpXfl3VDlf9fEZUnQEfIk612AjLwkHoNIKbCitrVoWu+p2V4kuKQpFky/so
-wr/sl29fWa4innFUVgmQC52l4UiIU2rCV0RTpLofVKWRZPlzIi+AlMFkvz3JqRP0
-raKw8DHdGlrLg22VelrY0dXjUriWrSTDi2QdB+yn0FdrPap2nZiFctW1S0/wOCy+
-r0uVYQ+IsebJYST9dUuQNhWSZOhsjxOo+Gp36tywQzrjXFk7Jai8AkHoBmZVmx6b
-a0/J7/w=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.commas.crt b/tests/data_files/server1.commas.crt
deleted file mode 100644
index 5acd255..0000000
--- a/tests/data_files/server1.commas.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjBEMQswCQYDVQQGEwJOTDEZMBcG
-A1UECgwQUG9sYXJTU0wsIENvbW1hczEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVy
-IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/Tbu
-gmUuFWFeib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5
-RYDQg2rVQUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdz
-Ew9A+G2BJV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/
-CRm+rWUsZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDK
-iQsE2y6mT3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tS
-glSxAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9
-qL1DWQKmMB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3
-DQEBBQUAA4IBAQA1Ecg+VVJRmgFF9cnlztnXj4y9QKj8MCf2uZA3nTNe1Deh9l17
-ZNNWdPkXzVzf0IeR3LQRKT+daTzxuOOCSV9OxOcN0dIODBwa97BtNQfuWw2eWC9I
-3UOVXbx8Ga+bXnD8ouatpyEG0FfhLO5YgEP0K9TyyN/nFa9kkB2Kvpy8yWm3w9WG
-WgsOr2fpIExfC2ZFaiu3NVGTpT9fLv8RTatSC1XLA5Sr8NNHia3zCvEJEAlTuFHs
-wm8apIAHlb44bbgW+7UwBIH9r2A21gQFy3v4cTLtlbnaUBbHUJvarK4ru70J+gew
-OO3NZ1ocvnV+qGIcc7LgyNA8pZW5Jbewb/gN
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.crt b/tests/data_files/server1.crt
deleted file mode 100644
index 258da5e..0000000
--- a/tests/data_files/server1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
-AQEAf2k5OiORp60gBNqioC2mIqSXA0CU/qzllt8IvlcMv1V0PAP9f4IEm5mdkERr
-UXjnB1Tr3edrsvXLgZ9vEosbFpNMsKfsmBkpjgWG2ui8pdn8cJiws4k4h5fuueSw
-Ps1FLK5Tfpi+GJyPqk4ha9Ojp2p9opuA0aIfLuxI+0UzXH4wgrEW/Yydowv959gf
-gGSl766CRdUvJbXOeVryFjFTRfLFFNfTvrftZk1dl8tas1nim8xfWet+BZVvq2zY
-C7LeCI9nrfuAxfMJTrWFp17y72+hCDk7NEaB2ZLVuAM/ri7LWrr2V2hLFdIAhfC2
-nUaulRRpGt/ZTISw6uSIumNoNA==
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.crt.openssl.v3_ext b/tests/data_files/server1.crt.openssl.v3_ext
deleted file mode 100644
index 239d56a..0000000
--- a/tests/data_files/server1.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-[v3_ext]
-basicConstraints = CA:false
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
diff --git a/tests/data_files/server1.csr b/tests/data_files/server1.csr
deleted file mode 100644
index 804c4a5..0000000
--- a/tests/data_files/server1.csr
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
-+OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
-eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
-3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
-TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
-ox+ATHKxQ/XpRQP+2OTb9sw1kM59
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.der b/tests/data_files/server1.der
deleted file mode 100644
index fcf45cd..0000000
--- a/tests/data_files/server1.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server1.hashsymbol.crt b/tests/data_files/server1.hashsymbol.crt
deleted file mode 100644
index 9db7300..0000000
--- a/tests/data_files/server1.hashsymbol.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDESMBAG
-A1UECgwJI1BvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J
-v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB
-Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl
-XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk
-65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP
-cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw
-HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD
-ggEBAJcKcv/Xro61Sxm0GH42pYu7AvtD2b8nynvA8BW9gCHmiIHvHQWNO9NTMuno
-1+HdzQVF1JxHC/A/hvXsczxGEc3jVnVeg1fwi8mZ/Fy1XtAVCTA0yJu7JTaaYbg+
-IU2y7Nu36FSOztLpOfHGmwVDoJ1+wCzG/id64hXwJRrHvUfGK4EvIsV97swhk2Do
-zSAfDA9N+QNV4zeiF9mLMOpUhCUBq8r41EDqm9lM0wSd3HNen8jwO20F4F1b1dYm
-L+bMarvUgHq91f128m2fF3sWNnz4RGoagSI/aOU/AP6Ksq8SUruGHpqrVWLClA6n
-EyyTPlNTwYIRCydZt7zlsw1/4h4=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.key b/tests/data_files/server1.key
deleted file mode 100644
index 4281a5f..0000000
--- a/tests/data_files/server1.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhFkNvuiBZS0/FDUEeW
-Ellkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185fAkER4KwVzlw7aPs
-FRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFTxjB+FTms+Vruf5Ke
-pgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc/kFeF6babFtpzAK6
-FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7OvViJ4lNZnm5akmXi
-iD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABAoIBABaJ9eiRQq4Ypv+w
-UTcVpLC0oTueWzcpor1i1zjG4Vzqe/Ok2FqyGToGKMlFK7Hwwa+LEyeJ3xyV5yd4
-v1Mw9bDZFdJC1eCBjoUAHtX6k9HOE0Vd6woVQ4Vi6OPI1g7B5Mnr/58rNrnN6TMs
-x58NF6euecwTU811QJrZtLbX7j2Cr28yB2Vs8qyYlHwVw5jbDOv43D7vU5gmlIDN
-0JQRuWAnOuPzZNoJr4SfJKqHNGxYYY6pHZ1s0dOTLIDb/B8KQWapA2kRmZyid2EH
-nwzgLbAsHJCf+bQnhXjXuxtUsrcIL8noZLazlOMxwNEammglVWW23Ud/QRnFgJg5
-UgcAcRECgYEA19uYetht5qmwdJ+12oC6zeO+vXLcyD9gon23T5J6w2YThld7/OW0
-oArQJGgkAdaq0pcTyOIjtTQVMFygdVmCEJmxh/3RutPcTeydqW9fphKDMej32J8e
-GniGmNGiclbcfNOS8E5TGp445yZb9P1+7AHng16bGg3Ykj5EA4G+HCcCgYEAyHAl
-//ekk8YjQElm+8izLtFkymIK0aCtEe9C/RIRhFYBeFaotC5dStNhBOncn4ovMAPD
-lX/92yDi9OP8PPLN3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB
-LYl3YWr2h3EGKICT03kEoTkiDBvCeOpW7cCGl2cCgYBD5whoXHz1+ptPlI4YVjZt
-Xh86aU+ajpVPiEyJ84I6xXmO4SZXv8q6LaycR0ZMbcL+zBelMb4Z2nBv7jNrtuR7
-ZF28cdPv+YVr3esaybZE/73VjXup4SQPH6r3l7qKTVi+y6+FeJ4b2Xn8/MwgnT23
-8EFrye7wmzpthrjOgZnUMQKBgE9Lhsz/5J0Nis6Y+2Pqn3CLKEukg9Ewtqdct2y0
-5Dcta0F3TyCRIxlCDKTL/BslqMtfAdY4H268UO0+8IAQMn9boqzBrHIgs/pvc5kx
-TbKHmw2wtWR6vYersBKVgVpbCGSRssDYHGFu1n74qM4HJ/RGcR1zI9QUe1gopSFD
-xDtLAoGAVAdWvrqDwgoL2hHW3scGpxdE/ygJDOwHnf+1B9goKAOP5lf2FJaiAxf3
-ectoPOgZbCmm/iiDmigu703ld3O+VoCLDD4qx3R+KyALL78gtVJYzSRiKhzgCZ3g
-mKsIVRBq4IfwiwyMNG2BYZQAwbSDjjPtn/kPBduPzPj7eriByhI=
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/server1.key.der b/tests/data_files/server1.key.der
deleted file mode 100644
index 88288d1..0000000
--- a/tests/data_files/server1.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server1.key_ext_usage.crt b/tests/data_files/server1.key_ext_usage.crt
deleted file mode 100644
index bbe2c35..0000000
--- a/tests/data_files/server1.key_ext_usage.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o2UwYzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAWBgNVHSUBAf8EDDAKBggr
-BgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAegtCN4EObE69RjW1hKUEQ/InrIsf
-poKIgJCh3sck+FYKjcsMhRPBztnZaqjvkLnmCcq0Yv7uUDThHsNuu+NbeVr4flZL
-gUoSSdHXYrJ8qDYez6oGoxttoZ33sqD3LQfzWZhDoTyjGUHTiWaA6KidCsWzkhKY
-aNXF7O8dHO7k06I2UWt7SKbBm1dPj8OM4285kkQ7KCpG27ABtHePkp9aG66O/ktD
-GbZs0AaYpeVnB9v1vSp6xInDCWydDFbmEE0mzAQr285UU07QEpnU1W/2qZHfLxnQ
-GiDpR5pxoKXkskj2VuHPZPqbIkv9v2+bjeyXHDRSL7Rj087xhD5uXKb9fw==
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.key_ext_usages.crt b/tests/data_files/server1.key_ext_usages.crt
deleted file mode 100644
index 0c3d963..0000000
--- a/tests/data_files/server1.key_ext_usages.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYTCCAkmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o28wbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAgBgNVHSUBAf8EFjAUBggr
-BgEFBQcDAwYIKwYBBQUHAwgwDQYJKoZIhvcNAQEFBQADggEBADIT9M10vT5yzMSR
-GaaImXjyTRIBK683Vxnq5jqAJ75KzNUC52aiCOfd9/hAMkq3Pj+r6tIsH+jsl5PL
-E4iv8GVDlbjA57icTD30XbolL4YPUvZYclxVopfRhTiDa5KJ1lYkUwWAE/Glj66Q
-WO7Hihl+GYXap2e7dBZ7hGHdv6J1gRfA1OW6iB23Wl4xb0Y1CGc16yJZwuFbtbwM
-w8z8a0XNd2UQTYesYlIvVpVcx2atgkbZwehPWGNCLGngz60fultj7JdLuUHi+r0z
-DtjbSPsHDZDAer6ZxjaA4hkcnppacFttC+deD8bQ8+2JjHF6Gb/MBnaYIbOZOBgC
-8CPIBjk=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt
deleted file mode 100644
index 9d70b00..0000000
--- a/tests/data_files/server1.key_usage.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
-DQYJKoZIhvcNAQEFBQADggEBAHM8eESmE8CQvuCw2/w1JSWKaU9cJIvrtpJXavRC
-yMEv6SQL0hxrNZBhFPM8vAiq6zBdic2HwuiZ9N/iEXuCf92SOcK4b/2/Flos0JI5
-quu4eGkwoNrOvfZUcO7SB8JHUvmJtTP+avF3QeRfHo9bHRtnyOs9GXqq+CMZiNgO
-Bw+/tAOml3tV1Uf+yjp6XroWLRNMbvY1Sor4UW6FFMpOii/vlJ4450OlpcJdRU70
-LpHfxjmPNvc9YOPWve75/+CNF9lMi29UoEUYslxMPylZ/L0vYxi+xuvQBTaLiZeP
-CJ59Mc63LEmJNSAwnnV8s2KXL/Okm32lf6sy0fjsrvAdoCc=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.key_usage.crt.openssl.v3_ext b/tests/data_files/server1.key_usage.crt.openssl.v3_ext
deleted file mode 100644
index e255027..0000000
--- a/tests/data_files/server1.key_usage.crt.openssl.v3_ext
+++ /dev/null
@@ -1,5 +0,0 @@
-[v3_ext]
-basicConstraints = CA:false
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment
diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt
deleted file mode 100644
index b2d5d83..0000000
--- a/tests/data_files/server1.key_usage_noauthid.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
-BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAJVYcBoNiXBLOY53sJcH
-1X0oQA/KMVODJP1+rr/e6SuyROVgqUfFA/7Hn5evb94Ftxlb0d8uOlpoHWtyaRVw
-JR3tKCGiyiSzAS5tXiioOYt6fLDg9B2mpvFqa9ISqsvzbR3aNj/8uM7ni/aSxjhf
-L40SvCHbAsN5N087K55wiqUvkJFs2Ifl9IqCYjjq32Wuroi8lnPXSY1LTQ3DZqdj
-yogX+HWj+Psd+U8BLyFnfuqKeQ0U2xpJiFMbdG+IkzPYj+IjNZo6+rcK0LQkEcZm
-l4oQaDEaXi+7SqNbdpBJ5K3ZrSNNdt8pc1xhue2XXMFLEqO94ERTwnxiTg9TGRZ0
-u2U=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.long_serial.crt b/tests/data_files/server1.long_serial.crt
deleted file mode 100644
index 1bd6955..0000000
--- a/tests/data_files/server1.long_serial.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDUjCCAjqgAwIBAgIUESIzRFVmd4iZqrvM3e7/ABEiM0QwDQYJKoZIhvcNAQEF
-BQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQ
-b2xhclNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlow
-PDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xh
-clNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkC
-Hz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3P
-kuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzD
-tN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG
-1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3Px
-LaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p
-26twEtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TW
-PynBdHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wDQYJKoZIhvcNAQEFBQADggEBAC9qt4BC8zKb5o00ZVtTX0XYKWchHKYSrHk2
-r+zfW8pRcSaTGRTtMGkF7vozFrCX4Pr4vCKXOYFKQ/UEpWv5WzW7nB0+Ja0g4gnc
-9bLtg51n+IIG93ITGDm5+9YpsX6HsXSBpfY0vo9TwKg3bG1X26WG8j6m+V684hwV
-yveRUIrSvvgVJOBSe5rhn/pLmcpbI0nkPBGlqPd10qWc0RYSrSAa3bq/dpoqR7hY
-BGbbV1/9IgFhr2r44R17bhqevK3VhK4KOPRT5VMXjTh1iG4L13lIxBIuu+Lw0Pc0
-s+gQTGntA/sZkijC7mw0/q3nsRDKhHHXTDf2gjdUhMvFwYzmKBI=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.long_serial_FF.crt b/tests/data_files/server1.long_serial_FF.crt
deleted file mode 100644
index 8094fd7..0000000
--- a/tests/data_files/server1.long_serial_FF.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDTzCCAjegAwIBAgIRAP////////////////////8wDQYJKoZIhvcNAQEFBQAw
-OzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xh
-clNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlowPDEL
-MAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNT
-TCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1A
-atVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGR
-W+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/d
-Bh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1Qkl
-iXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj
-/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26tw
-EtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynB
-dHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8w
-DQYJKoZIhvcNAQEFBQADggEBADYfhZU2lWxBamt7m3A4XQj6bZ4BZlabv5IbLI32
-nej6w/6/gsXPI85nfZqpIn6IYwAeDRdJo/eUqYkIdoy5DEP+50pgCGJK5HAoBWVJ
-THKeVJn/vPH3Dz/CaCYQoHTmSi+ChfIhPh84UUdfVpv2qNInII4RxFlSAHUkRMbV
-BX6imMSD5M508G6vWGUUc6G/sx/s7vtVeGGPyNOQPgwMTes60Mewpu9LKKaSwfqQ
-DgEa8WzxPrPEyOUiIp7ClwlXe3JECHIjm445qmENgfY/8tlsyAdYKSkotfiuoUWb
-daylD6QVUXn67loYDPZALghpDxmSm21VE7feTWOUbOpe14U=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.noauthid.crt b/tests/data_files/server1.noauthid.crt
deleted file mode 100644
index ba195eb..0000000
--- a/tests/data_files/server1.noauthid.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN
-BgkqhkiG9w0BAQUFAAOCAQEAwEHP5IyPK/D9CEXfyQqE72RHl8uqMQCl6LcHiv9C
-pTnu7hsbGgP0j8BIgBxHcpiJzPuCLNzOsCsfMfgfE9H0c50ePqNXpyOl6bLcQaw5
-TJapUFWtrZmC/nZWYZOvQ01/0QVKkgW2aXnQWV0EBqdwRHtJs3F1wBpKv/4bR31p
-kzDMP+WOdIvMzxh5o0lSi++Tx6h7mk61PU/sw0K5NwxF6X7AIvla0sbOcEa9lH8W
-bnkuieYbLA6euNPha1gjltT3aEkP5ZdnL/Vy/paCsT17bs6MNfeh99dd+WBvyBzQ
-Hx9XRgMLRd1bZv0sli9q7Yz3V+d+cmv3D/3nRYVI/+wUmw==
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.pubkey b/tests/data_files/server1.pubkey
deleted file mode 100644
index 93c669c..0000000
--- a/tests/data_files/server1.pubkey
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJl
-LhVhXom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA
-0INq1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMP
-QPhtgSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZ
-vq1lLGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokL
-BNsupk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJU
-sQIDAQAB
------END PUBLIC KEY-----
diff --git a/tests/data_files/server1.pubkey.der b/tests/data_files/server1.pubkey.der
deleted file mode 100644
index 1a432a4..0000000
--- a/tests/data_files/server1.pubkey.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server1.req.cert_type b/tests/data_files/server1.req.cert_type
deleted file mode 100644
index 39ff3fd..0000000
--- a/tests/data_files/server1.req.cert_type
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpTCCAY0CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV
-MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBErZcEaEEO
-hLbRVuB3+N5by0mogdJsatJFSgW2/VztLvQBYu0O+VmTbZwCAWejA8U+cr6uPlyf
-b4lDqj3W+XykeK9bSzoSr1yNO2VAcE74Y0ZrSz2yXMfT5R9IyKqQZspaKD8MOmYH
-BqUH9o/phnGcaEG5xeSfhM1O/YNZuGnlLDQBGwT5puHOaLfjECvs8eZLopIWEBlD
-QkRlhYqZBwhGZ8D/TxqG4teFtnBX5FG7UoSSVuneBrkREQM7ElhtD9jCWjfMnqm1
-59G84OycClwaKU7/Dm6zeMGDyFoMksBud7lyDHMhxvwSbzb1JR5v8iBsmVY2dhHt
-Ot3Fx2be0gIr
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.cert_type_empty b/tests/data_files/server1.req.cert_type_empty
deleted file mode 100644
index 70fd111..0000000
--- a/tests/data_files/server1.req.cert_type_empty
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU
-MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBACU0LLDBIMgG
-B7gyNANHv42RovhQdzmUulqJPHNHx3v9G17F00bEykJb/r3awW6l5fhY/6oPydsY
-hnWEM6VVCUkJ6Zqm2/wE49uaNTbFd9JU4OywRBfjHHSTOGnYFg+BYSfwaIkSCkx2
-kVhyklFm7My5wkyDPpFSU2tTfgsgaQMyTm93a2kxM7qJ/X3gFDG8o7R0vyojFVSI
-mwsF9QsC6N9cygdFx23zCB0KsJ9KfmBqaTsdbKh8BsocYm5FJCw4WS/CBrCWBj+z
-N7yEJj4SR5F+P7sFc5I0HANov5wQe8E3+WxxQt8jcqIje6DlaaGja44cXOzvFQyx
-Hg/6H5EtBQc=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.key_usage b/tests/data_files/server1.req.key_usage
deleted file mode 100644
index 30e4812..0000000
--- a/tests/data_files/server1.req.key_usage
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICnzCCAYcCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP
-MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBsJ3v1Ar2X28GJsRSJ
-WRQwFQwIbR/D0cHrwTf0ZfZttClytuc18JZlwkH3EG/rNkWaFp6MKIZoRMOBuSPc
-MNvvKIo4nPaeouDPruymx0gNenlyRL3D4OZpBO/BmQIQjbUKWFbzEnEqvwvMDUnG
-8w7UjPSFcxj2HzENr62HLPKKnVpL3nDXWK1a2A77KF9aMxyoWQ6FXb2xPD9cJjdo
-c1jwskQbgosQzKKwwp5yxq0zRD3EAGw4A78mgHMfgFprq9e9azaB0JeyFG2Vn0t0
-L+vfiDEVQ3eJXSCen1kEVyHRju8g53UcSgd+JicWFboFj2/mJBuyW6yM++RGA9B5
-Zd62
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.key_usage_empty b/tests/data_files/server1.req.key_usage_empty
deleted file mode 100644
index 47e56bf..0000000
--- a/tests/data_files/server1.req.key_usage_empty
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO
-MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAAqQ/EU/3oMt7YW4vWgm
-0Q7F4v7DrFEoVMWfBzNWhMNIijzoaWKY8jwseZMzu8aCNQlJnM7c9FJF+OCgS7L5
-0ctwzjfCOi5I5cKgqv8WpuMZWHXNtB7YtjUWIZVri/RazCncZEwJGCKQjmQYrGJm
-Qmu2+D+DWY+nEW47ZfDH9jOJtatnREjSNsKzc44L9zUaEy3bi+m455XGH+ABmeb7
-Iqmguh10xUyY6rEOFEuqvFyFr5g1eb53Rr5CQxGfw1j+2bbSh+rVb6Ehf9LAijyu
-Ygqa91hGab/CjykS6HMrD91ouWtt2Rt3zCKo4Xxe8dlAszKB4W83M9OgDVVpiCfC
-t3A=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.ku-ct b/tests/data_files/server1.req.ku-ct
deleted file mode 100644
index ebd01f5..0000000
--- a/tests/data_files/server1.req.ku-ct
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICsjCCAZoCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi
-MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF
-AAOCAQEAWUMyIXHi4BbIxOeCD/Vtu9LGV8ENMV7dwYVEQcwrt1AHahtYgUtkoGcP
-lOPqg1lbg22bu8dLPoY4HAzxCOAGs27otWL5LlE9M5QPH1RedEycmOuYrMl6K988
-hfDBJ+OkgCShcM91+udrc0gpDEI7N01A+fmukQ6EiaQjIf7HME/EKQqhEuEQMXHC
-GBvdNuEF5BfV3aAYuT+xfdXDU2ZWwXXWAHGmVh3ntnhtEG6SnXSnBATU2wa4tpBd
-KLbEbcsiy2uj0OLJlvG6LqsNggtkD58GCGpLpaVxdW80yw+f/krwLpeyocE1KGcT
-7eX+9yhLe9NIZojvevw+53dNE7BUfw==
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.md5 b/tests/data_files/server1.req.md5
deleted file mode 100644
index 57714ed..0000000
--- a/tests/data_files/server1.req.md5
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBAUA
-A4IBAQCEiv3QM4xyKhYTsoOjyzQdXMhsXK3Kpw+Rh874Hf6pXHxUaYy7xLUZUx6K
-x5Bvem1HMHAdmOqYTzsE9ZblAMZNRwv/CKGS3pvMkx/VZwXQhFGlHLFG//fPrgl3
-j4dt20QsWP8LnL4LweYSYI1wt1rjgYRHeF6bG/VIck6BIYQhKOGlzIwWUmfAGym6
-q4SYrd+ObZullSarGGSfNKjIUEpYtfQBz31f5tRsyzSps7oG4uc7Xba4qnl2o9FN
-lWOMEER79QGwr7+T41FTHFztFddfJ06CCjoRCfEn0Tcsg11tSMS0851oLkMm8RyY
-aozIzO82R3Em7aPhZBiBDy3wZC2l
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha1 b/tests/data_files/server1.req.sha1
deleted file mode 100644
index 578ec7f..0000000
--- a/tests/data_files/server1.req.sha1
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBQUA
-A4IBAQCiYQMOv2ALPUeg8wHKn9L5SdDbNxOzuMwhYsCYTw2TJMQO7NLUq6icEzxY
-pUIIFt60JUQjZHxQSY3y9cSivwKXQA7pPfaPaFC/aMA2GxG23t2eaIWNQX8MfcWf
-XAa8bl/vmC1MTov+mP2DGoXRiKYORrEInyDS2RaTathvHckcAv25nCIx7wYO9tC9
-LUwyoE9bhiQ7fo3KFlz4dK1HukyCM/FoPbJuL7NgdzmKVPyYCLh5Ah+TTD6+sltz
-dFc4fj28w1v3jsBXz+tLrgFQidzuUI2poxt5UwU9TKY0dAJaTCtfIRcXW3h6DGG7
-EDR6rim6sbIQkGzYvGqs4TNoJOR+
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha224 b/tests/data_files/server1.req.sha224
deleted file mode 100644
index a4f2af4..0000000
--- a/tests/data_files/server1.req.sha224
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDgUA
-A4IBAQArYR2mLKU5lsHyAyGHr4PlmC/cfePmCRyC/mj1riGTjDlNC2X3J1VZDqKb
-U/uUxLudP7sbuttRksIAREATT74Pa40bMWiPUlBfA/M2mFTmKb/91uXeIISW8DL3
-xM/5BCDrhnZ/cjP23gKDgJRk+IGBNhYZDGz50TIBbDJ2e4GDkFjzANngUW64UcCQ
-7hZOYtnYLBnoRvPwtal5jZqHwsgaPPePXu+SQ8mfuAJwJ78MOCAaKw0IP1h1OnPG
-iubdl34lSIaYWwbHTdjaqUSQG3SSs4oxEvluYymrpZ6XGKXtphJXEPdTRiLu9d9l
-A5NYVgvqHFQPmuXS92zrGzB788pV
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha256 b/tests/data_files/server1.req.sha256
deleted file mode 100644
index 6d21dc5..0000000
--- a/tests/data_files/server1.req.sha256
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQCVlSU7qeKri7E3u8JCZbCyjsGJTH9iHYyeDZ/nDLig7iKGYvyNmyzJ76Qu
-+EntSmL2OtL95Yqooc6h1AQHzoCs+SO2wPoTUs3Ypi9r7vNNVO3ZnnxVtGgqCRVA
-W+z9W4p2mHXQhgW1HkuLa5JD1SvJViyZbx9z3ie1BQ9NVKfv++ArPIv70zBtA7O3
-PZNG1JYN30Esz7RsCDRHbz6Npvu9ggUQL/U3mvQQ+Yo+xhwu1yFV+dRH7PebBeQv
-vjcD2fXDabeofK3zztIpUIyUULX0GGClM9jslgJ/ZHUlArWKpLZph0AgF1Dzts//
-M6c/sRw7gtjXmV0zq2tf2fL4+e2b
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha256.conf b/tests/data_files/server1.req.sha256.conf
deleted file mode 100644
index 0d35818..0000000
--- a/tests/data_files/server1.req.sha256.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-req_extensions = req_ext
-
-[req_ext]
-extendedKeyUsage = serverAuth
-subjectAltName = @alt_names
-
-[alt_names]
-email = mail@example.com
-DNS = example.com
-dirName = dirname_sect
-IP = 127.0.0.1
-URI = http://pki.example.com
-
-[dirname_sect]
-C=UK
-O=Mbed TLS
-CN=Mbed TLS directoryName SAN
diff --git a/tests/data_files/server1.req.sha256.ext b/tests/data_files/server1.req.sha256.ext
deleted file mode 100644
index 1bb05da..0000000
--- a/tests/data_files/server1.req.sha256.ext
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIDPzCCAicCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaCBvTCBugYJKoZIhvcNAQkO
-MYGsMIGpMBMGA1UdJQQMMAoGCCsGAQUFBwMBMIGRBgNVHREEgYkwgYaBEG1haWxA
-ZXhhbXBsZS5jb22CC2V4YW1wbGUuY29tpEcwRTELMAkGA1UEBhMCVUsxETAPBgNV
-BAoMCE1iZWQgVExTMSMwIQYDVQQDDBpNYmVkIFRMUyBkaXJlY3RvcnlOYW1lIFNB
-TocEfwAAAYYWaHR0cDovL3BraS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOC
-AQEAclrNmmgAoa4ctwyBwD1T8jbyBeuxTf+ifc+MQ6pE7YuYSlanHE5l/CoVlW14
-lR5gA01pWJJ7T8RBvo25OqXbvMFSafeGXpSHOG69A6p/7YULtbPuS6uvtdR0m3t+
-2IacL0q5FsSmPw07RNfVGDFniKVqD8eAuYnhFztk0+uZVYD4xGezUckb2wTbzFpu
-lUA/NhoWfCyV44TDR5fy23qNXywEhatDU/3nMmSJpBVy4y7J6BQVCl/fbyuKIOqu
-0OVP+FvANSO46twA9+38hI+/nPuVwtbBvg1aLBMbLZ3Egi2uozokYFYL22JYNGJo
-XORQgR66Sdrvfhiug+F5xmldCg==
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha384 b/tests/data_files/server1.req.sha384
deleted file mode 100644
index b857af7..0000000
--- a/tests/data_files/server1.req.sha384
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDAUA
-A4IBAQBy35zHYLiYaScq1niQkzQ/BScUbdiWd2V90isBsB5Q3NjVoJl/yCaMrla3
-2XfrutpFpdqwenl5jM0o6+enKCmfur+z2/ije69Dju2aBd6A62cx1AEvFiMq7lyF
-4DYJ32+2ty6KA8EhzE3NFs7zKXxmD5ybp+oXNEvXoeU3W8a+Ld5c1K/n+Ipa0TUy
-cFBs6dCsbYO9wI6npwWqC5Hc9r/0zziMFO+4N5VORdYUFqObq4vCYOMXETpl8ryu
-lGZorNUoJ7vV55T31CDqEtb0EE+nO+nT4agfDobncYjvc3WpQuLtUB4UwR5gpZl6
-ZI+j4uwikOgGO9gcx4IjaRP3q63F
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.sha512 b/tests/data_files/server1.req.sha512
deleted file mode 100644
index 85d5246..0000000
--- a/tests/data_files/server1.req.sha512
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
-GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
-ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
-HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
-W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
-FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
-DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDQUA
-A4IBAQBb8jNpt0nkNVWstVoOCepQSF5R1R9hF0yEr7mk3HB9oO/nK07R1Oamgjw+
-CHQReTSjIKUX53o7ZwNZB5E+jBDsGz/2Yyj/vxNHJFk2exELtW30he8K2omVHE1F
-XESbftCssWLNpTSDq6ME12+llkEDtgCtkv69oRUkuuF5ESUSZRGIZN4Vledm8SM1
-uGFtaG/PXbBbtUaNwNISDeIWDKRtbuca5web+QEi1djiUH21ZWIGEpOy7mtkYmRs
-Qt1D32FoaqFNhafiaxNIXO11yd4lgpaDDlmrOSBsELcTIF9916o3DwMeVXy0GONW
-BrwaO8q8rg+C+xvMY7858Kk8kwjb
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.spaces.crt b/tests/data_files/server1.spaces.crt
deleted file mode 100644
index b77132a..0000000
--- a/tests/data_files/server1.spaces.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA+MQswCQYDVQQGEwJOTDETMBEG
-A1UECgwKIFBvbGFyU1NMIDEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVyIDEwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUuFWFe
-ib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQg2rV
-QUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A+G2B
-JV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+rWUs
-ZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE2y6m
-T3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSxAgMB
-AAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQBsR3jOFh7uGF5MCvEK8DrSmmvcFJzMmTRp0hCMeb0wEULhrMKeRDIa2yvr
-FrHHCUNAk2HjsjJevpCM8f3ibDqecckfbxE2vT9IUCmPrtOWmhQR/Il5TR9FvYns
-4BF1KUPRqGUFAXoIN+xKcYdp+myIluGHumM4Bop7tAZ5gg68IV/UJh5RqShxiLgV
-rxHzrp6oM1kn199m2wc1Twy2YwcNmfJDSOLV6K4xWjwcc8Eq+rLhuWUs5GNdrSEY
-ZjWmF1AlbVVChU3Dl5XOAY8T6+wJst5RIwkf1Fl1TPCZX8FWzGM9HYiYW0cC7cno
-IdSS7mVGxNrNe+6/Cu+zfqeiLdN2
------END CERTIFICATE-----
diff --git a/tests/data_files/server1.v1.crt b/tests/data_files/server1.v1.crt
deleted file mode 100644
index 47e3813..0000000
--- a/tests/data_files/server1.v1.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV
-BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4XDTE5MDIx
-MDE0NDQwNloXDTI5MDIxMDE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoM
-CFBvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb
-7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ
-BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw
-fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B
-Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y
-ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq
-hkiG9w0BAQUFAAOCAQEAfuGhX2pcmQglXcslzRuastNUW8AGatDsjssDec27L/c6
-bCz/yQCaZtw2gk9QLsYMOtef/hfb7Rbu5fLwCn4zcQdmuh17nHcWh7fmtXsoebiz
-kzV4GMEaU+Cc6ws1h8GuLTLKpr/iMYFBhT1cjVGmi0C2FHBj8vbWv7sEEIUovrMQ
-7eh1Y1NkZa+w0sagiMfhWs2DTzNikby9mmJYUSmKTX1dI23YYPEIG+3shkY88VC0
-IBuH2i+pUXKN+xKhh9bbwLGdHIfNHhuIvfkkALhDuAOvqAis1buEAUoHR3qahHkh
-2nzY/ROBG3+NCSDggHEf6xxCDg8xZpkdbKKRFMGBCA==
------END CERTIFICATE-----
diff --git a/tests/data_files/server10-badsign.crt b/tests/data_files/server10-badsign.crt
deleted file mode 100644
index d4ac4b1..0000000
--- a/tests/data_files/server10-badsign.crt
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS0=
------END CERTIFICATE-----
diff --git a/tests/data_files/server10-bs_int3.pem b/tests/data_files/server10-bs_int3.pem
deleted file mode 100644
index d824c43..0000000
--- a/tests/data_files/server10-bs_int3.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS0=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg1A==
------END CERTIFICATE-----
diff --git a/tests/data_files/server10.crt b/tests/data_files/server10.crt
deleted file mode 100644
index 52b5ea0..0000000
--- a/tests/data_files/server10.crt
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS4=
------END CERTIFICATE-----
diff --git a/tests/data_files/server10.key b/tests/data_files/server10.key
deleted file mode 100644
index 0088331..0000000
--- a/tests/data_files/server10.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEILBDMs7bRVxVg6ovTpf2zB9m+22jY7R3LNKRvCPfa6YJoAoGCCqGSM49
-AwEHoUQDQgAEHG336dql6qGcsnIZqAkcc63eFbvepuOzTwXobRAuOmk3l4A5wXX/
-vs5wAawLX1wUTUM/AESHmAZrJK9tq5So8g==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server10_int3-bs.pem b/tests/data_files/server10_int3-bs.pem
deleted file mode 100644
index 9a82b17..0000000
--- a/tests/data_files/server10_int3-bs.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS4=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg10==
------END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_int-ca2.crt b/tests/data_files/server10_int3_int-ca2.crt
deleted file mode 100644
index b585292..0000000
--- a/tests/data_files/server10_int3_int-ca2.crt
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS4=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg1A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
-12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
-GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
-whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
-/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
-hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
------END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_int-ca2_ca.crt b/tests/data_files/server10_int3_int-ca2_ca.crt
deleted file mode 100644
index 3601a20..0000000
--- a/tests/data_files/server10_int3_int-ca2_ca.crt
+++ /dev/null
@@ -1,60 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS4=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg1A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
-12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
-GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
-whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
-/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
-hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
-x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
-hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
-G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
-7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
-9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
-hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
------END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_spurious_int-ca2.crt b/tests/data_files/server10_int3_spurious_int-ca2.crt
deleted file mode 100644
index 87cc476..0000000
--- a/tests/data_files/server10_int3_spurious_int-ca2.crt
+++ /dev/null
@@ -1,64 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
-DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
-ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
-BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
-peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
-h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
-JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
-3mQUjQNFzHPFpWqjHCp0vS4=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg1A==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
-12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
-GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
-whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
-/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
-hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
------END CERTIFICATE-----
diff --git a/tests/data_files/server1_ca.crt b/tests/data_files/server1_ca.crt
deleted file mode 100644
index a597732..0000000
--- a/tests/data_files/server1_ca.crt
+++ /dev/null
@@ -1,40 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
-AQEAf2k5OiORp60gBNqioC2mIqSXA0CU/qzllt8IvlcMv1V0PAP9f4IEm5mdkERr
-UXjnB1Tr3edrsvXLgZ9vEosbFpNMsKfsmBkpjgWG2ui8pdn8cJiws4k4h5fuueSw
-Ps1FLK5Tfpi+GJyPqk4ha9Ojp2p9opuA0aIfLuxI+0UzXH4wgrEW/Yydowv959gf
-gGSl766CRdUvJbXOeVryFjFTRfLFFNfTvrftZk1dl8tas1nim8xfWet+BZVvq2zY
-C7LeCI9nrfuAxfMJTrWFp17y72+hCDk7NEaB2ZLVuAM/ri7LWrr2V2hLFdIAhfC2
-nUaulRRpGt/ZTISw6uSIumNoNA==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
------END CERTIFICATE-----
diff --git a/tests/data_files/server1_csr.opensslconf b/tests/data_files/server1_csr.opensslconf
deleted file mode 100644
index 6e7075e..0000000
--- a/tests/data_files/server1_csr.opensslconf
+++ /dev/null
@@ -1,10 +0,0 @@
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-# Restrict to non-UTF8 PrintableStrings.
-string_mask = nombstr
-
-[ req_distinguished_name ]
-C = NL
-O = PolarSSL
-CN = PolarSSL Server 1
diff --git a/tests/data_files/server2-badsign.crt b/tests/data_files/server2-badsign.crt
deleted file mode 100644
index a9e40ba..0000000
--- a/tests/data_files/server2-badsign.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3T/
-////7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A
-O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc
-KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE
-iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp
-HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap
-Awgk0+4m0T25cNs=
------END CERTIFICATE-----
diff --git a/tests/data_files/server2-sha256.crt b/tests/data_files/server2-sha256.crt
deleted file mode 100644
index b31be6b..0000000
--- a/tests/data_files/server2-sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh
-Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U
-HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9
-1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv
-a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0
-e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo
-pMZqLmbBm/7WPLc=
------END CERTIFICATE-----
diff --git a/tests/data_files/server2-sha256.crt.der b/tests/data_files/server2-sha256.crt.der
deleted file mode 100644
index 699270b..0000000
--- a/tests/data_files/server2-sha256.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server2-v1-chain.crt b/tests/data_files/server2-v1-chain.crt
deleted file mode 100644
index 8ac003b..0000000
--- a/tests/data_files/server2-v1-chain.crt
+++ /dev/null
@@ -1,38 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfkCDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD
-DBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwHdGVzdGluZzERMA8GA1UECgwI
-UG9sYXJTU0wxCzAJBgNVBAYTAk5MMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0
-NDQwNlowRDEQMA4GA1UEAwwHc2VydmVyMjEQMA4GA1UECwwHdGVzdGluZzERMA8G
-A1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r
-lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2
-2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ
-Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i
-GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb
-y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQBmzdRQV8c0AbT8+IlPf7EpzfdhBwBtDj7N8GPEHL+NqS1hHt7TH3L7jBN3
-CqLUgrAP1LFmQrjW5IPZYNZEA+LxMMjAehvOH71pBsFGvQOpx2CwmqM86s9FIgIa
-zob7L34+xVEZfmR09PsLiT7gF13ht0HkvVZ2haBU0k3vV97aEVvPtbqrlR6RfLrZ
-8nXBFt5CkzGxepS4wBCW4TrGXxpMJ0WnnhcLJVnExUd6YbzGP+ewXCKegD1wDX6z
-UsEVGDQV97u3tszF43kx0nu/Q5DYMCqJV0kpIsMB467xPnNqyMdGtTbZq2Is8oj6
-VA+fctBdN0CW4jo+qkOif0l/F8Az
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDHTCCAgUCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD
-DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK
-DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEw
-MTQ0NDA2WjBOMRowGAYDVQQDDBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwH
-dGVzdGluZzERMA8GA1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhF
-kNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185
-fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFT
-xjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc
-/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7O
-vViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABMA0G
-CSqGSIb3DQEBCwUAA4IBAQBrdYAEzdH6ryyYaolYvp8Fvq0wZxp6Bdcxvi0LUGmb
-TdWcNrPU9IYASc5QSrSWPj0c9vhLVbDZAONfn92thi7C2zQXok2Q3jW038ycNSXN
-lVxFkdY4GYa3E6Og1LVIySyzfyyNuHKKWbB5wZCWbzOgu2Q1MHSNvPhKjbDhyGtT
-Mq3Qy6TyzUFbXMRBixcJC/Cy4zsqvWBanVtBmwlvgE4Q50CUgybzSEIL5j+aPLuW
-aj8j2NRB2+7vPeoWd8ry5YxEKB3DRuXHHyyFnT5O8MpWuCl764qFMc8S/i7yVcmZ
-egZQw0dCmE5J4EGX0BEQEM24ll2e8SxL351hbCQ+EfvF
------END CERTIFICATE-----
diff --git a/tests/data_files/server2-v1.crt b/tests/data_files/server2-v1.crt
deleted file mode 100644
index 990cd4b..0000000
--- a/tests/data_files/server2-v1.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfkCDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD
-DBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwHdGVzdGluZzERMA8GA1UECgwI
-UG9sYXJTU0wxCzAJBgNVBAYTAk5MMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0
-NDQwNlowRDEQMA4GA1UEAwwHc2VydmVyMjEQMA4GA1UECwwHdGVzdGluZzERMA8G
-A1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r
-lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2
-2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ
-Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i
-GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb
-y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQBmzdRQV8c0AbT8+IlPf7EpzfdhBwBtDj7N8GPEHL+NqS1hHt7TH3L7jBN3
-CqLUgrAP1LFmQrjW5IPZYNZEA+LxMMjAehvOH71pBsFGvQOpx2CwmqM86s9FIgIa
-zob7L34+xVEZfmR09PsLiT7gF13ht0HkvVZ2haBU0k3vV97aEVvPtbqrlR6RfLrZ
-8nXBFt5CkzGxepS4wBCW4TrGXxpMJ0WnnhcLJVnExUd6YbzGP+ewXCKegD1wDX6z
-UsEVGDQV97u3tszF43kx0nu/Q5DYMCqJV0kpIsMB467xPnNqyMdGtTbZq2Is8oj6
-VA+fctBdN0CW4jo+qkOif0l/F8Az
------END CERTIFICATE-----
diff --git a/tests/data_files/server2.crt b/tests/data_files/server2.crt
deleted file mode 100644
index 0745196..0000000
--- a/tests/data_files/server2.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4
-cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A
-O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc
-KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE
-iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp
-HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap
-Awgk0+4m0T25cNs=
------END CERTIFICATE-----
diff --git a/tests/data_files/server2.crt.der b/tests/data_files/server2.crt.der
deleted file mode 100644
index 9cfa9ab..0000000
--- a/tests/data_files/server2.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server2.der b/tests/data_files/server2.der
deleted file mode 100644
index ec03190..0000000
--- a/tests/data_files/server2.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server2.key b/tests/data_files/server2.key
deleted file mode 100644
index 70a764a..0000000
--- a/tests/data_files/server2.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r
-lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2
-2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ
-Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i
-GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb
-y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ
-++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G
-Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z
-/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm
-WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He
-GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa
-TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28
-CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK
-nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u
-AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g
-sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s
-mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic
-BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv
-whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b
-vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs
-3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP
-3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED
-ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH
-4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE
-TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/server2.key.der b/tests/data_files/server2.key.der
deleted file mode 100644
index 9905ce7..0000000
--- a/tests/data_files/server2.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server2.key.enc b/tests/data_files/server2.key.enc
deleted file mode 100644
index 773aaad..0000000
--- a/tests/data_files/server2.key.enc
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,3DDADF5AEA525DD282D9D5E0B978AEE2
-
-thP0fyNhHEWvVWHpBSGAA4C6wlqWwuCbYTGVs6GW07YNiyvInE/XxtKCrEJ6ORpR
-tPZ0sTtmRFQgiAW4nSjol6AhnMAYCkt+bl2opihuKHr2IBKpGIytCwYwDB/soMw5
-/vYuZU3osENnWcv+R1+0PohU6eqo1bVBrk+Mrm+ZSX886uDNxAaqAW9dtsC7fZYV
-w/uCOlk78rtrJUOTKfh3VEXG1fb/rYAP7bZYwzkmJZRozFPzjhnZZSOssz4xwCwY
-04oHHrMDFCpbBmlZRLg60c5u0nduQx3SKig9o6gHCDoOYT0Bq64lvZLiPcwN7axV
-L7+7TJ9u/kALO0CqAltiuz18msaErXIE3pHEGDt5zxgUcLxT4IhhixWfOL09nqjl
-IltEBn0JAVC3qYsEzFGnr3C2NXLTYIFU8m1qtIyEc8vuhKw7HCgp3W/xw9f2jKZF
-JivFX80URuBTs2/TWuGBKTmIGLQFWYPKwhyl9HNbbI8q5XdxKNiVxDnZfPU/icef
-nJ+nM7msrkvXj4SdHO/if+rxQ07T/MHfU8PeqUL2LQAxY4gfBvkKJ/UAjfsHv0B2
-1WcZAt0yqrJu/ydOkQpwmQ/XCh/dITNYnxXZ0bjtY5fG+QGxA3RvqyfKbQFTi8qg
-Nx8cxOUD1dZwZ6KrosdSFGkNkZwgIWAbIK4O3TLN5lD42031kx4iiKlxdjw6Q2df
-MEVL6FqYXf4n5MhGQ5mu5MkEO9IDaz/iBdm2jkkjWaxozNC51r/i+STtsVQnY2f2
-pubekEnCOoqXN6BjuVLN28XSTLLTlJ5i9tdIMlIFUKfiNpJjOTjYBopZEf5hm3h4
-ollq6QhW9DIIsVuYgSpvoyLYLl57kvYgk1oGhV0KZyh7IPzRXTjEBiMTO+MZEoH0
-f3x2RU3LvMagb36zWs6CShV/TwAE08Mwbi7UDWYRHHaeO2bcKoEDGOXiOfsXE9HW
-OVmAlIheR/W1eVAcszHcSVtXOjlsJ02CeVEcATnJCk6Ug0vc0TspCnwOCvM8+RmE
-jQ0E6GeT6R/DVHW9XBNFxFxiS6ySd3yo9rKVLdGGPHns+qmlSMTAfYROoR1V8UiQ
-0Tvd1CfVVBeYCm9UrWUXvGzoC3rstbD7SinGbdSU4wATIPeb+v1Tz/vVhr8AoRLJ
-JK3jHMKCHH59Wx+tk8JdqAm8fgUK/69A5+gitZlM6sAmnfBJ6Vm8hqACLpjPXDWy
-LjNDwWGqgWgqDOubY+ZJQwjUGQdPdGbEUF0ABZ6si9wW+RVVGSPAfiFqE4b/QwA/
-RZh1nm7dc/3elXxwXP60MyEsVddAP691xlDdL9mRpbDMx/JSp/hABFmdPOEtu5EB
-02DS37+pOdI1kWkFiI4kkccZL04CTWLWh2lxb0RqUqQMeOf6j/WSTJ2In5etbHSB
-R8IQOsfRINm3fD11SXXKUM7IzMi9VBD7TblN2HR9iXbW7twa8O0MRH805eY+vjsM
-kcYoOtWSh+OFP9txcwjiXUBmVQDPtb+myGXmchSpMIFNV2tHVvVmUFBSipyAKr98
-3YI7mvWO0AVWXAqRHYmM3DLjlEXCauXCjgVicC/EUdA5CAO95X/ZQTNwBk8kYjy+
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/server2.ku-ds.crt b/tests/data_files/server2.ku-ds.crt
deleted file mode 100644
index d1e1251..0000000
--- a/tests/data_files/server2.ku-ds.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIBLDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3
-DQEBBQUAA4IBAQCcDy5VWW133eL1TesUkejziAz9QNBHvWkKNs0jF6+fRgWgFP5Y
-EE87rQX0Z1XiyTDB4LdKfivRi3TMD7EX8o6q9C3H/ilu5anrgha8WziMrtv/s9IF
-QjpyHdnXGoXmA9uDqQLtucR5yep3ux4mlwS8GG3IUkpkdysNOrVvSARm0ZagQ9tn
-YZyEjGd8wP3jKYNJAB2OdnvX9OqBmEyvSmMucSidkMkdLrUcjmOtz+AkqoRGewwc
-eClstlp8NEuP37q2KLYtbQMpio1Kzsr3PCey1UImKNjauypS2Dpzl1RnmBw+c5En
-SdLMa+ns3odRhF0IvENDhz/mKZJvwtoz/NBz
------END CERTIFICATE-----
diff --git a/tests/data_files/server2.ku-ds_ke.crt b/tests/data_files/server2.ku-ds_ke.crt
deleted file mode 100644
index eb23245..0000000
--- a/tests/data_files/server2.ku-ds_ke.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIBMDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3
-DQEBBQUAA4IBAQB6u7D3tAsB75aZEcUfv2XyeLX4P99mzx2yOBSsPaIDTRyv0XoT
-vbgUA7viX/F7I8b2kc6ihRXSu/98c7Vr/uSm0LfV3VMgoAXBCWNg/5c/N3c0YnZ2
-imuv0yeXw5cJI3iYQJmllawdrGgOslfPuO7kqrFt3uGaylITpVLQ7w7iDpPbAFM8
-kPpO6CMyCFi6miQYoZchTTP9X3dpbpNdB2FlSVT55J6TIvH5x4t7XCFJuvYYJxrf
-8I3UFR3OnBR625zUHXJ6uV8yHG5ze+4K2n9CHcyX7zuZ+bB0e8wIS6Xf99M+1ApF
-ESvXwHI0Fu8s/PJ+leD28CRJQMuAOJIYBMnS
------END CERTIFICATE-----
diff --git a/tests/data_files/server2.ku-ka.crt b/tests/data_files/server2.ku-ka.crt
deleted file mode 100644
index ce97e82..0000000
--- a/tests/data_files/server2.ku-ka.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIBKjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgMIMA0GCSqGSIb3
-DQEBBQUAA4IBAQAxJDMtlqpFHKw5ymqzgfnm0aY51PZOXpsPfoed7Vz2PzSB2eJ0
-JQc+QuLhippy8hnPmPZg/HQ/gedbxFKPiIiYEh86GvnBFozQ+c8sE0h6tJgVOJJi
-ADUNeVJoq03WIroTMqAB0uW0rHB+OFm7uRwIDFr2gWVrKZKg/KsDrxtng2wPOgbU
-xvPRtNyaOZjV0GjuBhWxpPTxXw27e5Mq3MS5B9piZgPXmam5lZdOe0LNrbQShfmP
-4mk4drjdQaUrL3JLpLt8S4oihZU+dOHkYdZVHSAuuGikZK7qPfEdP/yrZTCgtY54
-vXxv47xT9L+pWtiTosBmsy/ewvWprVJIxLh3
------END CERTIFICATE-----
diff --git a/tests/data_files/server2.ku-ke.crt b/tests/data_files/server2.ku-ke.crt
deleted file mode 100644
index 21e6cf0..0000000
--- a/tests/data_files/server2.ku-ke.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRzCCAi+gAwIBAgIBKzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
-owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
-NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
-tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
-hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD
-VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgUgMA0GCSqGSIb3
-DQEBBQUAA4IBAQCeNpH2eSUXpq0CPlE6P1/bJW2f0vKFWMnZ6B3eFCdMCcKJ6LYV
-BA1Dn5G5HEW4mBMJfyMwD5sklyEzQDCgIDjws+BRUflMr71AerfesHIGdW4jAw10
-aWwFMeszzZ54ZahX2GHPcwWfTccSf9tpSaRMlNBEIz8lfb2iEZ2HR9eAmAqYgtR1
-RbYcsNfC0oBYOCTRmvXi+wpGcUWn+VbIv6rHrQYnWXiPAuPJUqIpM0x9q0kT6NCi
-LfdhaVV2DPnvBYGRcXX78JK5/MQt/sv4JSefRpvxpVQCmbo0amz7hUMHGCflAbro
-FpyBlfcpj0lSRoaU9x0mCYzqwDYd+4NJZUGT
------END CERTIFICATE-----
diff --git a/tests/data_files/server3.crt b/tests/data_files/server3.crt
deleted file mode 100644
index 46987c3..0000000
--- a/tests/data_files/server3.crt
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICXDCCAUSgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG
-CCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5
-fQcsej6EFasvlTdJ/6NNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU5BdrNrIGiTrZ
-XkO24GR9h6t93jcwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJ
-KoZIhvcNAQEFBQADggEBAKSCuGCXcpDrVwRVgHVlUsxACRDUH2QirsLFAUk1CGsR
-SniBgWi+5KGK8fd3Tf+GkVeIZocaf7tnKm0YJg8W5QPDnwrMD2L1SjYFgc7r1G4f
-579FOo0qRKdJabTV0e022XFyN77JJHAm8RkjZEnzUuW7k8/RohY8NBzh+KACyHOi
-96DhGsBp9LG6QIKB1rxiNx4wq3WUygaMgImoaDRqgAFxJjwRBEhcsWtU2AmoOKdO
-hzQp+EzEjn04+ScJpMzMF4FY+kLaz9PlvEO61aQuZsC2fUmk+M6q8xcBNEdoFNvv
-0cOl5Liuewb32srAZWCMpbHFxaT9Nd3TxJwFxFCJpvc=
------END CERTIFICATE-----
diff --git a/tests/data_files/server3.key b/tests/data_files/server3.key
deleted file mode 100644
index fecf44d..0000000
--- a/tests/data_files/server3.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MF8CAQEEGItTogpE7AOnjvYuTqm+9OabmsX02XKIAqAKBggqhkjOPQMBAaE0AzIA
-BH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5fQcsej6EFasvlTdJ
-/w==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server4.crt b/tests/data_files/server4.crt
deleted file mode 100644
index 2b4134d..0000000
--- a/tests/data_files/server4.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICnTCCAiGgAwIBAgIBCDAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9eMvlV9hzsP+2u6oSlhxly+VSGe4I0Mly1g
-Mku+BhiPm7EPEscFe+cQcuA7kr6Wmzjan6v913igTri21Gh5llS+v7t4GdbfmfQS
-k8AiT0bC76+DsZ/GaJ+AhHyFmc5CS3Y6O++kKE8LG9RqKW0HjnQjOH6YQr+FgWv7
-smU2fFHVdCVtvIMzsRy3UfBhy5LcwGUGqrTjwn7QoSRBcgJKMp4cWBr14MKr4nJ+
-p7lu3QrfSGXU3TXrgHtqiHTwSiaZ75pK4CzP4ywnebsA7YNRh2sPGWuTLVCu9FZZ
-9fR3x2NMz64dOjUO+JEzqj34/0N+gV3nf9nQqbTexUtBa9SuEQIDAQABo00wSzAJ
-BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTAfBgNVHSME
-GDAWgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDB
-ek00E3uHPwnUDBVAPRJThsj2mQr/MSCTwRMNXnNlki9Lux0qGd6uvhp5v31I7V0C
-MDiCHwEm55sU4gWrAxYVKVVV9qMTG2Moy4YnJDDlxwpyXPta5Ac2FV+0AbInBXSM
-Bg==
------END CERTIFICATE-----
diff --git a/tests/data_files/server4.key b/tests/data_files/server4.key
deleted file mode 100644
index 9e4daee..0000000
--- a/tests/data_files/server4.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAq9eMvlV9hzsP+2u6oSlhxly+VSGe4I0Mly1gMku+BhiPm7EP
-EscFe+cQcuA7kr6Wmzjan6v913igTri21Gh5llS+v7t4GdbfmfQSk8AiT0bC76+D
-sZ/GaJ+AhHyFmc5CS3Y6O++kKE8LG9RqKW0HjnQjOH6YQr+FgWv7smU2fFHVdCVt
-vIMzsRy3UfBhy5LcwGUGqrTjwn7QoSRBcgJKMp4cWBr14MKr4nJ+p7lu3QrfSGXU
-3TXrgHtqiHTwSiaZ75pK4CzP4ywnebsA7YNRh2sPGWuTLVCu9FZZ9fR3x2NMz64d
-OjUO+JEzqj34/0N+gV3nf9nQqbTexUtBa9SuEQIDAQABAoIBAHnxtYvgCPttG1NU
-yJTTU/I7IEozWJaLIZMqfShT/Z4/0bEvfb3ag/bAKzkKDNx+6Utvlh1XJQTCMiiL
-BhtHpHjc3JwdAgZ8KCMNRB2ba/2L/ouupqrm8hqOjdn2r6xM5Vi9pmegEIMWTJDM
-NSX+nC0oF1Jg69X6KViFc5DOKFMhacSEwLJkv/EqCgdWaBoqMlTtTWKdm34xSN2L
-P5o9kOgihTBNUUnVBUWJiT7C6bBAFwb1rECpvNOk6h+lvG+fSDZKYdwBrAsKspIy
-/aXZD4qaicefGblrHcZv2og/zYkFs4riWNOmglxZyrK/3rFFk0B8mBk1mWQvrK7+
-Jq/R4k0CgYEA0hO29hJjeTBDdOWgzyXr5uppmR1WU7fv/Jy8PLRMvUvmiMQqRDK3
-zwGc6H938wdsubpdTCLPhq0rhDCTqtwIEAuFjZIYJs4yZzfy6klaD3516iIgb+W7
-fe1RkYMBp9wV0x272vzP4Y5p/fzp5xhvN52OkhQsjHRHewfDaUwSFScCgYEA0Wgi
-kGVK6OxzoMCgiWx/L+y3yrYuHdWANTIIa5RvZk4UQqEFkGYGVP1rpbB/fAa1Yqev
-qXkLZqad2dhJCuBVryGt29CHsbnEQ/QuTwlGmyZj1U8NnJBgNCPTdmGTBIm/7w9S
-ESZ48bUlcqzsZn1Big/A6JX1e5i9b/1jyozNVgcCgYEAnRZc49iQRZjPeGQVQZEL
-u5ph6DrFyMhsTistnv77uzk8Y9y79k8unz6HhFt86GAO7zrqdPo60GxBdBGW+laa
-ONVEwr4SDUJ28jQmEwdSru9TYQav1ryk3N9O9U5POKQcNcewJ2qQUAvcOi6bAVGG
-KMJKT/WB8m0o3ljJyL03cFUCgYBoHFTq42Fd8oj+SCbIjCej5RXvc6nz7Tzjta9Y
-BSFphLIv+ixxAThustv9MYYAXLl7hhEgueyAKaBbOVv/S09uVdlBayi7pLc+bb1E
-UEFJS8nguH/08hbSdWlh9tsIK5BAQ6ayniUNTtmCbRTPU8Ds6i4ntL6qp2KvthQS
-FPTVqwKBgQC8m2sJapMms0/7EeGpUwMO+WNCHeRyujnriWYL8Kms0lmAn8NrQoA5
-wgbx0nZ/VrXtLPGHy915jxDXOU1Yc2gqEf5Qm/GnByUuml1mUSldiPciSJvKzMqP
-LeWnb62HD60t/zwstN20Yzt6mBLocm1PPdPhPweI/EF6pSgvlw5NTw==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/server5-badsign.crt b/tests/data_files/server5-badsign.crt
deleted file mode 100644
index b641f70..0000000
--- a/tests/data_files/server5-badsign.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ
-qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN
-06jC+BLgOH1KQV9ArqEh3AhOhE0=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-der0.crt b/tests/data_files/server5-der0.crt
deleted file mode 100644
index 1e0a008..0000000
--- a/tests/data_files/server5-der0.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der1a.crt b/tests/data_files/server5-der1a.crt
deleted file mode 100644
index c143298..0000000
--- a/tests/data_files/server5-der1a.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der1b.crt b/tests/data_files/server5-der1b.crt
deleted file mode 100644
index 6989679..0000000
--- a/tests/data_files/server5-der1b.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der2.crt b/tests/data_files/server5-der2.crt
deleted file mode 100644
index 56ad14c..0000000
--- a/tests/data_files/server5-der2.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der4.crt b/tests/data_files/server5-der4.crt
deleted file mode 100644
index 4ceed41..0000000
--- a/tests/data_files/server5-der4.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der8.crt b/tests/data_files/server5-der8.crt
deleted file mode 100644
index 07ffd2f..0000000
--- a/tests/data_files/server5-der8.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-der9.crt b/tests/data_files/server5-der9.crt
deleted file mode 100644
index aa8f9a1..0000000
--- a/tests/data_files/server5-der9.crt
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-expired.crt b/tests/data_files/server5-expired.crt
deleted file mode 100644
index d726e5c..0000000
--- a/tests/data_files/server5-expired.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHjCCAaWgAwIBAgIBHjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MDQwMzEwMTIwOTMwWhcNMTQwMzA4MTIwOTMwWjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2cAMGQCMCDxvDmhlrEk0r4hqCwvQDxWEoXPbbD1gglfLT3BsGpu
-XHUQ1W2HwB3o/7N5I13BBgIwcmG17zyNIOkYiyExYtPCZCpbofEMpRY5qWG0K6YL
-fN08jSzyFt6kbO4ak0D6tC5Q
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-future.crt b/tests/data_files/server5-future.crt
deleted file mode 100644
index 969c84b..0000000
--- a/tests/data_files/server5-future.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHjCCAaWgAwIBAgIBHTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MzIwMzEwMTEwNDExWhcNNDIwMzA4MTEwNDExWjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2cAMGQCMAZWcb+NYxFVK+W6Z5eknM2TrbqQGZEYHQXeV9/XF0t7
-TLDhA6a/pFDTJVZunFzesgIwfqkBYuvMkiNlS4lWcVyf8L4CZIHCn1yHnOCxu8ix
-uqgLb4na3i94x9urgbZZYfVK
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-selfsigned.crt b/tests/data_files/server5-selfsigned.crt
deleted file mode 100644
index 0eafe70..0000000
--- a/tests/data_files/server5-selfsigned.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBxzCCAW2gAwIBAgIMU6LLSxJOrYN9qJSyMAoGCCqGSM49BAMCMEcxEzARBgNV
-BAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNVBAoMCFBvbGFy
-U1NMMQswCQYDVQQGEwJOTDAeFw0yMzA1MDkwMjQ5NTdaFw0zMzA1MDYwMjQ5NTda
-MEcxEzARBgNVBAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNV
-BAoMCFBvbGFyU1NMMQswCQYDVQQGEwJOTDBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRd
-XRa9iojCa3cNVc2KKg76Aci07f+jPzA9MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/
-BAQDAgeAMB0GA1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQD
-AgNIADBFAiAXiJxDrd5aLzGB/Uc3kYBIBuSUIMGvol2c8EvwmF3zmQIhAPFrKMgA
-s2awzo/PBB5gFTkDub88wRYwS1R9JPYCXUO0
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha1.crt b/tests/data_files/server5-sha1.crt
deleted file mode 100644
index 6c14183..0000000
--- a/tests/data_files/server5-sha1.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHjCCAaSgAwIBAgIBCTAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
-VQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0y
-MzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
-KoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDY
-IxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6OBnTCBmjAJBgNVHRMEAjAAMB0G
-A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjBuBgNVHSMEZzBlgBSdbSAkSQE/
-K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFy
-U1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH
-KoZIzj0EAQNpADBmAjEAnbhJ4O/x6bcBgB0FnX44q9j9pjBYHN9ZK59bHxqerhyJ
-12DlVbNoOonlkFYVUsgCAjEAmnUolKu+XUtS2is3d0M2V6cPwZxq5qI0+wBR79/p
-NRjFOlyP69OWs9CI2cyYLbGc
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha224.crt b/tests/data_files/server5-sha224.crt
deleted file mode 100644
index ad01b10..0000000
--- a/tests/data_files/server5-sha224.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMBA2gAMGUCMQDlCvtvCAgJDiGQnqOYwzmeafyyNbpSRZwcpV84FSkm
-pwKw2jTv3WaXujSNu7B62GoCME97oLBGSgiOMD5QUEdOjABkCV4E2slyvk4Gk71c
-9e92VgA3rKPRXlvwACPsbFIQJQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha384.crt b/tests/data_files/server5-sha384.crt
deleted file mode 100644
index 7de6f8c..0000000
--- a/tests/data_files/server5-sha384.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMDA2gAMGUCMQDPV3rbJX6rigR5SJQGNzqfreq8Y3O+mlAQkuo9sicU
-llVXjN3g41dOJmaEO2yHjMQCMCecXLQsYjQn2wPh/XyE+PL48Yp0+Y6+HEHCjLk3
-JOTQqo73a9xN+yhrud2ssT830w==
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha512.crt b/tests/data_files/server5-sha512.crt
deleted file mode 100644
index 8bea8c2..0000000
--- a/tests/data_files/server5-sha512.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHjCCAaWgAwIBAgIBCTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMEA2cAMGQCMEekbPD8GQQmK1uJ3wXgC/VdRdfmEBM/urkmXYINcHrz
-E6xLpFE/jxZ0wb5SXteLtQIwZ8ZJIDLnxGciX/mtfx0dOII3bna72yRkGfT+0b/C
-sj9KvVuQ0y1oaP9Rbg35dbcH
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-ss-expired.crt b/tests/data_files/server5-ss-expired.crt
deleted file mode 100644
index 287ce98..0000000
--- a/tests/data_files/server5-ss-expired.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1jCCAX2gAwIBAgIJANhkYQXjo814MAoGCCqGSM49BAMCMEgxCzAJBgNVBAYT
-AlVLMREwDwYDVQQKDAhtYmVkIFRMUzESMBAGA1UECwwJdGVzdHN1aXRlMRIwEAYD
-VQQDDAlsb2NhbGhvc3QwHhcNMDcwNjI3MDkyNzE1WhcNMTcwNjI3MDkyNzE1WjBI
-MQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMxEjAQBgNVBAsMCXRlc3Rz
-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
-QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d
-Fr2KiMJrdw1VzYoqDvoByLTt/6NQME4wHQYDVR0OBBYEFFBhpY/UB9nXggEM5WV/
-jGNGpxO+MB8GA1UdIwQYMBaAFFBhpY/UB9nXggEM5WV/jGNGpxO+MAwGA1UdEwQF
-MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIAQ47gmTsbA8pphQ1jBeLQDp7W99qr6P
-oTl7/vYSJJcCICxNSJGLrNu8TfWLhgJiRsozMR9jGhp+tse1rlGUUJL6
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-ss-forgeca.crt b/tests/data_files/server5-ss-forgeca.crt
deleted file mode 100644
index cf5bd6d..0000000
--- a/tests/data_files/server5-ss-forgeca.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBkzCCATmgAwIBAgIBTTAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMjMwNTE3MDkxNDIxWhcNMzMwNTE0MDkxNDIxWjBKMQswCQYD
-VQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRl
-c3QgaW50ZXJtZWRpYXRlIENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3
-zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI
-wmt3DVXNiioO+gHItO3/oxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0gA
-MEUCIQD0f3GH9cEJ7cJWPIfwAL/1cGREqO//O/1XggWZv/clnQIgQmlMzGzuUDHq
-/mTgGQ9ceSAB9B9im9rcgY6DRFZULnY=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der b/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der
deleted file mode 100644
index a26da6c..0000000
--- a/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5-tricky-ip-san.crt.der b/tests/data_files/server5-tricky-ip-san.crt.der
deleted file mode 100644
index 0bd06f8..0000000
--- a/tests/data_files/server5-tricky-ip-san.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5.crt b/tests/data_files/server5.crt
deleted file mode 100644
index 2eab999..0000000
--- a/tests/data_files/server5.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
-2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ
-qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN
-06jC+BLgOH1KQV9ArqEh3AhOhEg=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.crt.der b/tests/data_files/server5.crt.der
deleted file mode 100644
index 1e0a008..0000000
--- a/tests/data_files/server5.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5.crt.openssl.v3_ext b/tests/data_files/server5.crt.openssl.v3_ext
deleted file mode 100644
index 594e90a..0000000
--- a/tests/data_files/server5.crt.openssl.v3_ext
+++ /dev/null
@@ -1,3 +0,0 @@
-basicConstraints = CA:false
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/tests/data_files/server5.eku-cli.crt b/tests/data_files/server5.eku-cli.crt
deleted file mode 100644
index 8d04559..0000000
--- a/tests/data_files/server5.eku-cli.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB6zCCAW6gAwIBAgIBPDAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDAYIKoZIzj0E
-AwIFAANpADBmAjEAoC1Xxg8Xt3tvM2ZER4jCRv7iSYPWGgNtcYNJj3G0lb0PYi1l
-Nd0cqdGxydhm7RJLAjEApAE8koD1ccIPnSFTagT7shOSz1/lOU4wwAWswcwolzt3
-xrvFlMoTeJx3sS3Zqdr8
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-cs.crt b/tests/data_files/server5.eku-cs.crt
deleted file mode 100644
index c00bc3b..0000000
--- a/tests/data_files/server5.eku-cs.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB6jCCAW6gAwIBAgIBOjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwMwDAYIKoZIzj0E
-AwIFAANoADBlAjBlMU7Fh18cel20P3rY7esvtPLDHQQKWSCO91XHHkZi1zRPq2px
-nwVHayXnOS3CPRsCMQCQDYTyVMS8oEIrm0XPI6HrbCMUq2bhPwaYpelU/asOzYI3
-gOjGCDFHtyedJHVK0rs=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-cs_any.crt b/tests/data_files/server5.eku-cs_any.crt
deleted file mode 100644
index 912d929..0000000
--- a/tests/data_files/server5.eku-cs_any.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB8DCCAXSgAwIBAgIBOzAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NrMGkwCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwHAYDVR0lAQH/BBIwEAYIKwYBBQUHAwMGBFUdJQAwDAYI
-KoZIzj0EAwIFAANoADBlAjEA89+l8gNC0H75Tzdz/75W6EjGSzZ3m50S4cK5jD6+
-ZZLpRcbIqPqMT2MNkCm7ImNpAjAlTkFLVCGnTNX/q7QWOrx8aPXXAeZtY5NFxd66
-EJJb+YHTQ80hZhLWX8/QaAJjniU=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-srv.crt b/tests/data_files/server5.eku-srv.crt
deleted file mode 100644
index b173afc..0000000
--- a/tests/data_files/server5.eku-srv.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB6jCCAW6gAwIBAgIBPjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwDAYIKoZIzj0E
-AwIFAANoADBlAjEAh+l47FmXR/nUxD8bfnS3sT+QTgc8pXUEqh/gXUs2xINVSoL+
-ZewgcNb2UanzCNheAjAnUY4b0M9YHp/eJjls5RzGX6JXtcWwn9JvO1HqMQnHthcy
-hPEQ3lW7XG0DIQS1drk=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-srv_cli.crt b/tests/data_files/server5.eku-srv_cli.crt
deleted file mode 100644
index be2531e..0000000
--- a/tests/data_files/server5.eku-srv_cli.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB8zCCAXigAwIBAgIBPTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NvMG0wCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
-MAwGCCqGSM49BAMCBQADZwAwZAIwHu/xjSqHK91yEM+KgEFGU8Xc3o9rEVrCBFeW
-ChIa3slZZdG4OuIm06Tsabf0pBLHAjBYKjoUwWEuDOOQKbbJZG8gKDzMAgEpe/RW
-wAjY7i6CzZ1NKfFQ9fQdwA+yjq2fnlg=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.key b/tests/data_files/server5.key
deleted file mode 100644
index c8459ee..0000000
--- a/tests/data_files/server5.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49
-AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/
-6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server5.key.der b/tests/data_files/server5.key.der
deleted file mode 100644
index 6bd4ebb..0000000
--- a/tests/data_files/server5.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/server5.key.enc b/tests/data_files/server5.key.enc
deleted file mode 100644
index 8e622c0..0000000
--- a/tests/data_files/server5.key.enc
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,69FEA263918128D4DD673B2732E2D7EC
-
-+Q4P1nVcfGoittxagWHvyBLVPbhjmTA/SZ6W5TB+5scOzgfRlcse4jIII899EQxx
-HrfhgQwzQ12TgTZ2Y8neI+RsUqFLTLinvd8c/luBKLeDECjjhyBXOJic2dRPUaLQ
-Nyg3bI0Srr6aq6nETjh8i+dSzE/wjyNzXBMdN3KhOjE=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server5.ku-ds.crt b/tests/data_files/server5.ku-ds.crt
deleted file mode 100644
index dafff9b..0000000
--- a/tests/data_files/server5.ku-ds.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB4zCCAWagAwIBAgIBLTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgeAMAwGCCqGSM49BAMCBQADaQAw
-ZgIxALHO0QR+4vz+fj4WwBQMa55oJDlp1J0PpqoJYKTf6DRx5rNuZxSbNu2wJQWz
-MJ9ekQIxAMPo/Rhu4e9KRkEf9rYU9Ynd7t9/PCsXw4JZuxZfToURDsrAI/Pnqc0H
-4+FA/EuPJA==
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.ku-ka.crt b/tests/data_files/server5.ku-ka.crt
deleted file mode 100644
index 74a4235..0000000
--- a/tests/data_files/server5.ku-ka.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB4jCCAWagAwIBAgIBLjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgMIMAwGCCqGSM49BAMCBQADaAAw
-ZQIwCVbbPiS8MJUOz8JBmgLHojKDaJOd4lSfSak0GSl02UjT8OiNyRzA+FlFWO94
-YMjyAjEA14/ubZ1ZW3/0hkiFHzhTD2SXbTfYbhDZSq2PR+9sBlUrrx1GhzWw/cOD
-3jZd4DQO
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.ku-ke.crt b/tests/data_files/server5.ku-ke.crt
deleted file mode 100644
index 6b4e74e..0000000
--- a/tests/data_files/server5.ku-ke.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB4TCCAWagAwIBAgIBLzAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO
-5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB
-PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgUgMAwGCCqGSM49BAMCBQADZwAw
-ZAIwezTY0tigIg6u1dFl90LHYcZ+lJK4BO5Y6U9pn952NFo24NsL8qnG4nxwsL3M
-VvV7AjBQ+oZyKSyNp8XRAHYC6lERH7/Gh7HrVWyTRo9iPPL6tE4x/jE7jL9ifgl+
-F6982sk=
------END CERTIFICATE-----
diff --git a/tests/data_files/server5.req.ku.sha1 b/tests/data_files/server5.req.ku.sha1
deleted file mode 100644
index c73a0e2..0000000
--- a/tests/data_files/server5.req.ku.sha1
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBFDCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY
-BgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
-QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d
-Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD
-AgbAMAkGByqGSM49BAEDSAAwRQIhAJyChfsSpNIhLjeDB3eBWVjb685y0IJHoNp/
-Ho463k83AiAB9+M9k8nLjKVkEYaVfmE/fPKQVkeuywIO0RMmZ40gAQ==
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server6-ss-child.crt b/tests/data_files/server6-ss-child.crt
deleted file mode 100644
index fc28f34..0000000
--- a/tests/data_files/server6-ss-child.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB7jCCAZSgAwIBAgIMU6LLWCI5lHSn7HnsMAoGCCqGSM49BAMCMEcxEzARBgNV
-BAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNVBAoMCFBvbGFy
-U1NMMQswCQYDVQQGEwJOTDAeFw0yMzA1MDkwNjA2NDJaFw0zMzA1MDYwNjA2NDJa
-ME0xGTAXBgNVBAMMEHNlbGZzaWduZWQtY2hpbGQxEDAOBgNVBAsMB3Rlc3Rpbmcx
-ETAPBgNVBAoMCFBvbGFyU1NMMQswCQYDVQQGEwJOTDBZMBMGByqGSM49AgEGCCqG
-SM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJH0M3
-jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-VR0PAQH/BAQDAgeAMB0GA1UdDgQWBBR+ZY8+MwMU5eG+YLLghX+M52ArezAfBgNV
-HSMEGDAWgBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiAl
-Y2yXg5sZunmo+McUBzvSao1wRxw+9XBSM+Dph5gfhgIhAPlI+lSvD4mzlBzn01Mg
-0tMpKHbY34iadcMWBUgibMiA
------END CERTIFICATE-----
diff --git a/tests/data_files/server6-ss-child.crt.openssl.v3_ext b/tests/data_files/server6-ss-child.crt.openssl.v3_ext
deleted file mode 100644
index dd9cdaa..0000000
--- a/tests/data_files/server6-ss-child.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-basicConstraints = critical,CA:false
-keyUsage=critical,digitalSignature
-subjectKeyIdentifier=hash
-
diff --git a/tests/data_files/server6.crt b/tests/data_files/server6.crt
deleted file mode 100644
index 51e4393..0000000
--- a/tests/data_files/server6.crt
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
-H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
-ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
-KgfuCEF96BhSjLDXWKB4IFWaXUQ=
------END CERTIFICATE-----
diff --git a/tests/data_files/server6.key b/tests/data_files/server6.key
deleted file mode 100644
index 1311cfa..0000000
--- a/tests/data_files/server6.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIEQZG5j8IkRLxa9OoZJzD3KkrXqIgi9cHZMVv2s/VcPOoAoGCCqGSM49
-AwEHoUQDQgAEgVkxdkkk+hWtq6Axbg7tMxH6kSVVwbDBnANyPpi6LaRyN4kfQzeN
-H4462PBX6C9PyQCk99tzD7LGBJTRQDs44w==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server7-badsign.crt b/tests/data_files/server7-badsign.crt
deleted file mode 100644
index e0d18b0..0000000
--- a/tests/data_files/server7-badsign.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO0
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/server7-expired.crt b/tests/data_files/server7-expired.crt
deleted file mode 100644
index 9c423c9..0000000
--- a/tests/data_files/server7-expired.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDUxNjA3MTAzN1oXDTIzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBAHX0pu54c8rk2F76lxnMKuS+C3Kiwab0KxII
-ZkpAgpk5sj2KxiGrNLDhK0ZGjVlVuUjauySVuBUfrr8GfjQ1xE7RUrxwBrEU5fVs
-FHKscBF58AaIXIPf5xIuCdc2C487Leuu+LIbGsg9EvKq/pg7avIB9hSjvwn5W3m3
-3o8eL/ahD4t5rh8r7hKptY+7dqeraBrmCnitxsRQToMV+jy2RCGD3vYUDxyJc3x+
-m3o7nWGreyLCqPCRgeEh9RKbbhygcoBtdjojZABZmlGa9BO72hK5lhy2a1QiIOiL
-OoBgDFf8gVo81MX02RtSQISZLq/hJ8smtil8oaKgJ+VyGjfCR1uZY7RpaEfP4U+R
-tX8gqt/4TJ4mIJOv4xL12XsV65rZuB7+yhZ6rqWRlZx9Aa4/GqxIbALrQPs17uRX
-41TPIdz3Pjq3w3x3bdGxbyF0TvJRaeobB60KHlrm6DWltY7k2Ucju9oTko6bJLgp
-rCRC1JkTXzWS3jZDqULTVPxDsZjVRqwEl46PPe0gSloB+h/ulq8rNIG1snWTGdNQ
-Bovbko9lFHA8md8f7ZULQ6pB8SV/LH2qufSsWb5LY9ZfHUprwH2oBQ+A9eYkk5ZR
-LJC879ZC8w8LMQfBGT22fLnOJ2qS6GyguB+y17beF8RMgFpiFTzoD1nPQAd9cyGY
-b2ta+9o9
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/server7-future.crt b/tests/data_files/server7-future.crt
deleted file mode 100644
index b725eb7..0000000
--- a/tests/data_files/server7-future.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTMzMDUxNzA3MTAzN1oXDTQzMDUxODA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBAFgzS8NNGRayelUleAee5udbk9+fkkxvYA/p
-QEaD+UvuSmgJ7iEU0gx6cJ2RcEbg/NqgrMBni8ayiGptOZRTq4j8bPcrZZCrcsvO
-jFk/yXwWIv1hRofQ8wBynPOgbtPJ5J7zYkE0sqXbAPOWeNdya+R0CuSex5DW9kj/
-+tiXGXdGiLKu/FOC9tedfsu67a+ZEK0Q3rbFqsWpHdQcKIEN4A18xPBXNtx/DJuq
-0+fcjtIsigpRvLbLSFuvSI5vWP1MFyuMDTLYVKN1PceRg2yxpKecKbsDpeSRX3R9
-Fs444mDSJs75i8fkdXS4GLXfJjJOft3HbRtEEznF5sITppjr40PszMvOj2njWPPn
-o3ECca7HbhuhtqIGfM5+2mCwPgmm7fEmYILVYgTihFfPKUhGUKN+4Qp75gOzMKds
-7t8NRFTKPEpFmicc1wKfEsp22UWC6azyTu6iVByWlt+fojFbdHjvxDY8iIqBFU6/
-44uLMTxu9r9gMSZK9sX7vGIgeER3RnArP0ZSxAvoxG3lu+QQXwItxnTKQnA3CDra
-MkmwSM5kMewO/Ub1bgkdQ3j/DD0uSwreEdg0fvxaAJIH2N/lOFUWPrzbg8TJR1Sb
-ohctT+uAKoPQrxsZuSdrz9QHOdgkPR6gp9bdnXkZSa9jGX7Pd5Ur5LDEXljol1ZL
-T97oaKB7
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/server7.crt b/tests/data_files/server7.crt
deleted file mode 100644
index c5c2cb8..0000000
--- a/tests/data_files/server7.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO3
------END CERTIFICATE-----
diff --git a/tests/data_files/server7.key b/tests/data_files/server7.key
deleted file mode 100644
index 0088331..0000000
--- a/tests/data_files/server7.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEILBDMs7bRVxVg6ovTpf2zB9m+22jY7R3LNKRvCPfa6YJoAoGCCqGSM49
-AwEHoUQDQgAEHG336dql6qGcsnIZqAkcc63eFbvepuOzTwXobRAuOmk3l4A5wXX/
-vs5wAawLX1wUTUM/AESHmAZrJK9tq5So8g==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/server7_int-ca-exp.crt b/tests/data_files/server7_int-ca-exp.crt
deleted file mode 100644
index a3a8f69..0000000
--- a/tests/data_files/server7_int-ca-exp.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO3
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwNTE2MDcxMDM3WhcNMjMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAJH0e4fySJI2nJt1Knd+yU7zn1jTFDAABJMbndhR
-07OSM6vwUaGSMVatSzr8ah+UDgIwaI/MBcorSxT92jAQb1W5dJkEudoYSg49fjAf
-z0BtLCVhFwQlrzCqgXC98SGfT6sZ
------END CERTIFICATE-----
diff --git a/tests/data_files/server7_int-ca.crt b/tests/data_files/server7_int-ca.crt
deleted file mode 100644
index cb108a4..0000000
--- a/tests/data_files/server7_int-ca.crt
+++ /dev/null
@@ -1,47 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO3
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/server7_int-ca_ca2.crt b/tests/data_files/server7_int-ca_ca2.crt
deleted file mode 100644
index 097447f..0000000
--- a/tests/data_files/server7_int-ca_ca2.crt
+++ /dev/null
@@ -1,60 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO3
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
diff --git a/tests/data_files/server7_spurious_int-ca.crt b/tests/data_files/server7_spurious_int-ca.crt
deleted file mode 100644
index fdc1146..0000000
--- a/tests/data_files/server7_spurious_int-ca.crt
+++ /dev/null
@@ -1,65 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
-47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
-bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
-KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
-ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
-DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
-VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
-cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
-aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
-fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
-Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
-5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
-1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
-ZKasihO3
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBABN3b1ltNlBQ9PhwJhxBWENlMNdy1vyKBGH3EdZ7w4uHJJOm
-w8JS5p/B5+9fDIIOThDr80hLq4QOQVJhxAT1/Zsb2OzsTxc1BaCNbBv2Y+FyFcpL
-I8EjMF+gnSgbs46kGKce1EJNrZrkvpCngtNj7qqg9qnPXd1en0z349xHJPmYuWEb
-9sHdVlwnebPm1n9u1NzpktAChb28UFnBYTWraZCtMBMozuMhz6mo66XOEyH06Ypa
-QPOlBmbgW/e+fuXow41QUqP2tvVL6MsmSZFWk8hr45rNRzeTok1M5bW91sZ78We5
-95m3T6IE+qpj2/RILncwy7vWBlFzbuiIA3eSJa8=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/server8.crt b/tests/data_files/server8.crt
deleted file mode 100644
index 515b17b..0000000
--- a/tests/data_files/server8.crt
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICqTCCAi6gAwIBAgIBETAMBggqhkjOPQQDAgUAMEsxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEpMCcGA1UEAwwgUG9sYXJTU0wgVGVzdCBJbnRlcm1l
-ZGlhdGUgRUMgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQsw
-CQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9z
-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANscfy4Lzb/O0XUQoKK4
-zn2q4gXgethEY4+1vcCwGbk3uBlKDvFddIBnRocG3lt/BgO9wY1eBxXUW/Tc5c89
-+cERLK5quYq9HWdmF+pOvdsVmoKH5PB4w6OFh7D9n6mZX+Mz7MzqC7VhXvFJfj+j
-LeoBDMxCmnabxNA307EXAWEBFll+HBfDU/3RcstMYBXafeLqrVDvjuKL1Gp3VdZw
-2Wu78e45BDijveLR4GZr4pxHmeko5rb8LspnQ4To1YPWnZhrAT6B3Dx6yvnznPfW
-KBsneHzD0NVjp4E0ia0lar3y6u36V/zlNMbBD3Et0ggQG61EQeD+eaBjk4qxXemw
-7m8CAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
-J2F2Dx0wHwYDVR0jBBgwFoAUD4m9Y0Hry14XKP9oMD3BiNCcWDkwDAYIKoZIzj0E
-AwIFAANnADBkAjA3KJ1/SvOZnpmtqturkt+0DhQIXGMRDPnPksCuy/wqGHR8DsWS
-dEa7PQEgrbA60HoCMCpH2fYtcAfhg5gGg+QxmVsUIt/9Gd9syQlnX7wNCfweUeSS
-MxG1isOdUiQTajM1TQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/server8.key b/tests/data_files/server8.key
deleted file mode 100644
index aa9941e..0000000
--- a/tests/data_files/server8.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA2xx/LgvNv87RdRCgorjOfariBeB62ERjj7W9wLAZuTe4GUoO
-8V10gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35wREsrmq5ir0dZ2YX6k692xWagofk
-8HjDo4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt6gEMzEKadpvE0DfTsRcBYQEWWX4c
-F8NT/dFyy0xgFdp94uqtUO+O4ovUandV1nDZa7vx7jkEOKO94tHgZmvinEeZ6Sjm
-tvwuymdDhOjVg9admGsBPoHcPHrK+fOc99YoGyd4fMPQ1WOngTSJrSVqvfLq7fpX
-/OU0xsEPcS3SCBAbrURB4P55oGOTirFd6bDubwIDAQABAoIBAFvf3xQXrvY2am2D
-w1d31l2rQYrlTZ1RT836js41CRQ44OD5xLpATZFpvJDxuFr1MDhxYK8+NgpZORW7
-akEz432pDes0pQgftCyfCngc/E7ZCCijgsOyX5Y5b2QvdLtQrHxAUZK6sJ4lbgIO
-pvlYGvB78DnV057YQfZs8j7XPqTFYVNlIx6xCFxwiMTeUGZvSrN8CpKT/5zsSE5d
-xX2alaYiWl2oSOI7axrtpMEXAI0A/O/N1mI+n3cs15cfAJa/fMjEMmGz0Pqg5IlS
-IwZWpr6BzbdHldO/XlVErKMo4lADUmsr2d+q3vfQmLEAyizp7OmU9vc+DXcK9jH+
-aDd0gcECgYEA7SAVA/banYejN7Ovn84pJ+mguINMwPFZd9eW9op1PgRryGCpdh77
-qV64YIjFhwt1JQQIf5GCPD5Um0Z8mY59a6MU+sJGGB7xwVuCuXbDAKJJF6/58f7/
-MoLzsoQFy50TpA90T0WOvMWDnWSLTYjRr1fFTKNWNcvPoFOnmAydGbUCgYEA7I1X
-mCFRSGiu0NdN2j7mwtTudI4m/qyYfUQxpSvvgN2DSHtG56h8Dz1w7CpNlLDHodPP
-e8oiXMS/bBBNwWHu9hxhBqdmvj4C+K5Ax0EKYx7CsHWK7BJ8u8Ak8xwaufMiejt5
-ioJhI4pyukBEqJbnuzmuDcuoqxPF1ZTmM/WzrhMCgYBi5V9+cMUKsFhFUf6sUqpd
-iBXM/o3TZpVe4x6GIob1X5ioUJA8wH1LTULul/xx7zhjQMRemAxOHdzhictLq97p
-NnH4h2/+fWFsuELUIREBQa3kYDOJV0WOBomm6WMVYaSgZwWmTidS2bmjuhxTMP3q
-+FtENFcvRpqIjns2cgRPhQKBgQDcjhia5o2z9q7wV57mG3nrNL+0ewoOsHxpZ5jm
-SSXBQEf038RHoIczanUMLZEyTvWDhErTP690UZmtNzJYWWiFngY1PwYD4SvCFC6f
-2ZvGuVqLTr0dyUr1f3y0E4Mz12dREn0LUO8jRSYdVGjvy+v6XBhWEoqMIB54OqG8
-1p0WcwKBgF4KfzBOi1DarCuxaa6huUdNc8efog5GO1lmNenKlRuPLp5wp3qvWsyH
-blfbtJQNE1DhbDGwmzPCGLc3wXx0t0gCrcMkxoRATFMNOSLodG7Mbkj9AoEMx94X
-XYfi5vYftbEUmZeZtHZBI3o3up/xtPcuGNlb8BSIIOaQtIYybxKa
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/server8_int-ca2.crt b/tests/data_files/server8_int-ca2.crt
deleted file mode 100644
index e99727d..0000000
--- a/tests/data_files/server8_int-ca2.crt
+++ /dev/null
@@ -1,35 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICqTCCAi6gAwIBAgIBETAMBggqhkjOPQQDAgUAMEsxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEpMCcGA1UEAwwgUG9sYXJTU0wgVGVzdCBJbnRlcm1l
-ZGlhdGUgRUMgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQsw
-CQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9z
-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANscfy4Lzb/O0XUQoKK4
-zn2q4gXgethEY4+1vcCwGbk3uBlKDvFddIBnRocG3lt/BgO9wY1eBxXUW/Tc5c89
-+cERLK5quYq9HWdmF+pOvdsVmoKH5PB4w6OFh7D9n6mZX+Mz7MzqC7VhXvFJfj+j
-LeoBDMxCmnabxNA307EXAWEBFll+HBfDU/3RcstMYBXafeLqrVDvjuKL1Gp3VdZw
-2Wu78e45BDijveLR4GZr4pxHmeko5rb8LspnQ4To1YPWnZhrAT6B3Dx6yvnznPfW
-KBsneHzD0NVjp4E0ia0lar3y6u36V/zlNMbBD3Et0ggQG61EQeD+eaBjk4qxXemw
-7m8CAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
-J2F2Dx0wHwYDVR0jBBgwFoAUD4m9Y0Hry14XKP9oMD3BiNCcWDkwDAYIKoZIzj0E
-AwIFAANnADBkAjA3KJ1/SvOZnpmtqturkt+0DhQIXGMRDPnPksCuy/wqGHR8DsWS
-dEa7PQEgrbA60HoCMCpH2fYtcAfhg5gGg+QxmVsUIt/9Gd9syQlnX7wNCfweUeSS
-MxG1isOdUiQTajM1TQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
-12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
-GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
-whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
-/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
-hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-bad-mgfhash.crt b/tests/data_files/server9-bad-mgfhash.crt
deleted file mode 100644
index ad29942..0000000
--- a/tests/data_files/server9-bad-mgfhash.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBGDBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCBAUAogQCAgDeMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MTcwODM5NDhaFw0zMzA1MTcwODM5NDhaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMB0GA1UdDgQWBBTu88f1HxWlTUeJwdMiY7Lfp869UTBj
-BgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMC
-TkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENB
-ggEDMAkGA1UdEwQCMAAwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA3gOCAQEAaQlf1GPhvPHp
-hFgTdIB5x5zACVb4a4ONuySVckfMpWk2nlkRSu3Kgv4j8l/jfNpfr+we4lG72xEn
-FV3em8dEzxvXd5jXCfR/hWJKYVoWh0055qWw7FpG20vRFKttU8UFclL7KvMs4InZ
-vDpbPs5EwBQXTg/manL9TD9t/zqWAUJj1yHWiIISYzfWmsaoTi8jNxSR1+lkmPPP
-ZWQwyUJrh82Mw3VwNGxXOfpGIwmjXPia8MafjjH/RtHNx7ukCk+6q1ZlH57NolZJ
-dlQTJv21+vxyYr6GZdHXzdJwWMnFSof6VGwayNzetSnVhJb0SQqTBt8Vu5xQtXGa
-QcCjGyCAIg==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-bad-saltlen.crt b/tests/data_files/server9-bad-saltlen.crt
deleted file mode 100644
index 45bf20e..0000000
--- a/tests/data_files/server9-bad-saltlen.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBGDBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MjIwNzMwMDZaFw0zMzA1MTkwNzMwMDZaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB
-0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7
-MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy
-U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEAlQo9OnchZbLQ
-PTXs9NgXDoQb4JvUG/Fsq09/e8ivWaHkE7mKeNRrP8qMdAw914Bs1NQf9F75CWJe
-5YtmLcE5gSbVj3qa6zVuQWEcrseKz6wpAFLsHKbF6kKfUgcI56xmD2DhhIHny+5B
-9ObM0RQpCmAYXjU2CvknXeBzpX2cGOLD/Nexk1oBF6PI0rDUBqg3cexsJ5XfJwYg
-tkjkZ321s9N09BsioauH6d9x9/Ysz7Qp7Bqpb1E7dV4bDuT5vwPWwPIUAav897Vt
-s0uMZHoVasj57UwqDv8tm0db6f2VOL7r5GBMjbp6newW8Me47uXSBXKy8tFJMolj
-yKuEQkKKyA==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-badsign.crt b/tests/data_files/server9-badsign.crt
deleted file mode 100644
index 8656b1a..0000000
--- a/tests/data_files/server9-badsign.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
-EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg
-Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO
-TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
-HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
-r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
-qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw
-YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6
-imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344
-/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy
-SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7
-loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP
-Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi
-UYUZ4RiwG1/0
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-defaults.crt b/tests/data_files/server9-defaults.crt
deleted file mode 100644
index 8613f52..0000000
--- a/tests/data_files/server9-defaults.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+TCCAeGgAwIBAgIBSDANBgkqhkiG9w0BAQowADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0B
-AQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2gHqroDsK7
-E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOor+c4mwiL
-Y5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0qQvaQJUC
-AwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEwYwYDVR0j
-BFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREw
-DwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBAzAJ
-BgNVHRMEAjAAMA0GCSqGSIb3DQEBCjAAA4IBAQASsc5y7sDP4prOLGAl2EB5d+Gg
-w/Vk9+g3KXpeIUCL6gmECNLENmmBe6zZR8/Ax6R1hUe/Cbflepxsx627Eg29NCZK
-Bo/AQoz658kwEzr4jhF8M6y9sdsf5/OauoRxDLcMEywIkgmuFvZIpyEwXix6arsK
-mNWnW0FwSr2NaXozD7OquGwTEAvAbtei+5JAeVvvGi1u32D2JPVHk3zv05LXtx8b
-8bEmzZLthFk3GbSkGHC3K5rjNgTMwY0BhNBW6qFyY5mL0bHVDbZQxD9RRwDifGty
-fTo7odJDAHU1xucWF6dOU5nAqiFKlc3eITdBKt+d10yBSr7qXciHkHpAzCvh
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha224.crt b/tests/data_files/server9-sha224.crt
deleted file mode 100644
index ed648c8..0000000
--- a/tests/data_files/server9-sha224.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCBAUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCBAUAogQCAgDiMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB
-0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7
-MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy
-U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgQFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA4gOCAQEAjG73ZOe2pQn6
-jqiTHALGM0IG8BBCamo3gzbCjZPz3ZnTpZii1pQSFPGEBaKCgrtKrjvoP21ZDUnq
-3HjTUzGtGbHk3h+UJcVYgFuONidguUDaALGtXIPWUlqBBeJL+Y+01zJRnMpC2hV7
-JUOM3es02te8RM6srCdW1fP9x+Lx4G2Kjj7kEzKafEbwFesS4LbBXsWkID8xDPHO
-DLKvg66tPeksDBT4n7f7H51eNlyIwwMDKTc+N9Ri5OeW1HOqtbyo/yJlHvQqnCld
-E8gW+AVoeZmN6n/4yemnCEkFRqgbRSIGVoPmOY9d/FfGLmClcaZFPcH+w1JDhF71
-3egYnUY/9g==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha256.crt b/tests/data_files/server9-sha256.crt
deleted file mode 100644
index ef37b3f..0000000
--- a/tests/data_files/server9-sha256.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB
-0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7
-MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy
-U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEAXcWlfbIjRJX3
-eCkj03eKLvhawFndN6mWMOTVvr20Vdhhn57wngSKYgtsbOZhpT+pIXTTpxhku7uS
-Pg6NDU0W13xbrcIsYxkZRcN6AYcnV0NxnhdfkmxwDjLyohgm8IdgvHb04r73OP0j
-KmnZfJJpnxkVGD8NFGj2hBCR7ynbVBAfJegl0Lruxc4AlrniG6MW9xfkmE3EfOQg
-dwZv3UuhxzEhLmR933BCijwfhBVfyzarGjDtZjQYNwWKhRl+OXM+L14Ofq7htSxz
-kSM5KJfCAzLFNd6N2YU84IhqwTS4CZ/bE1HchEYPtXm97bj8Vldrfv2up/4Rc0kF
-a8P+xLLmug==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha384.crt b/tests/data_files/server9-sha384.crt
deleted file mode 100644
index 2ea0108..0000000
--- a/tests/data_files/server9-sha384.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAgUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogQCAgDOMDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB
-0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7
-MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy
-U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgIFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIAzgOCAQEAmTU2HqAA7gbB
-tJlDAve8nGbdCim4YjRXWceHGCpoFIWrs6onlHCvnZ2Wr8iPk+wnd7ShIpp8vGb/
-476y8pfaA2n8vYWhQKDCTTUXJN4tUc7i8Uz4RGdK48vHVvZCtCT/8MmPPouOIZcU
-/Kkenw2jv5R/CpiirVUsjNx6BYcdu1zzEU+uoBLom6sZ6LGRlIB0prFWcxrVjfzx
-2C8ZxMW8NWj6EQipQJ2U+CCycA2HkbCmt3FnEXmN5OWThvnKdshoPkMn2HwhAOzn
-cjZQhQT3WSufvZ9bYe7HZ5e1e7k6aMXBvW89ECxc12mZfSjlYmlvfHZuO8D2sP2i
-RidkcXFMxQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha512.crt b/tests/data_files/server9-sha512.crt
deleted file mode 100644
index 4abdf68..0000000
--- a/tests/data_files/server9-sha512.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAwUA
-oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogQCAgC+MDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M
-MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe
-qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv
-5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp
-C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB
-0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7
-MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy
-U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgMFAKEc
-MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIAvgOCAQEAVut9oL/0V/vo
-f9VKxAZfyy0zFy+LOHzV1H5qQaPKJnXIAUp/sDtvOjugqHKjamg6dCIVy292Yxcx
-rW8WcMR1Bj9MQ5Qrv++TZ0a1e0qet1GYxj4MQkU30XlJq/Jh7ede9Vh/yBxKTQq7
-oaJ6fOTFWcz1JZDrZrKffBOqIp5jQWPARilUDN6FiRNYV3/14aWVGnNbqGfoY8CC
-WvpC0iAvrQxjdQQf6nIYrzcGNzvrpRbhpzBPUyUIrM1o+nyiNAJPlyncjFwmfw9g
-80FP1XnRIIKmlTTG7ivkjHKzE6WXZSQPjArg0jxQAX1uLKJGFhu+ueKyoPOHQXS0
-O1z3OQn3+w==
------END CERTIFICATE-----
diff --git a/tests/data_files/server9-with-ca.crt b/tests/data_files/server9-with-ca.crt
deleted file mode 100644
index 51c0ada..0000000
--- a/tests/data_files/server9-with-ca.crt
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
-EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg
-Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO
-TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
-HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
-r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
-qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw
-YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6
-imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344
-/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy
-SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7
-loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP
-Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi
-UYUZ4RiwG1/7
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
-x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
-hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
-G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
-7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
-9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
-hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
------END CERTIFICATE-----
diff --git a/tests/data_files/server9.crt b/tests/data_files/server9.crt
deleted file mode 100644
index 26567ae..0000000
--- a/tests/data_files/server9.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
-EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg
-Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO
-TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
-HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
-r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
-qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw
-YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
-QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6
-imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344
-/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy
-SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7
-loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP
-Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi
-UYUZ4RiwG1/7
------END CERTIFICATE-----
diff --git a/tests/data_files/server9.key b/tests/data_files/server9.key
deleted file mode 100644
index e005864..0000000
--- a/tests/data_files/server9.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAequgOwrsTQNuK
-Eo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv5zibCItjmToK
-Je5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSpC9pAlQIDAQAB
-AoGAHFCE2tBL0xB45Go/1e/Pi9//OVZAJ3Cw0mmEuqjVNB7I6zxhYhviWbgz92+V
-g92KBlU9CIx0/ZhGMyHRNO0uYNEZUJyM8zItoo/nmU31+VaHOGgpei04HZrn1Nmw
-QS01FVrn9wzKR/5qeEBmxE7rVMDQo8QLnllC3jXzIVUtX4ECQQD2g9dleWYbqIQe
-Q9paXxzvODhCzNtQwD0PnOKc54Nu4zm3JI45REtunmG8et+Ncms9RycTjNlWPGJT
-62jgaJexAkEA5ZMNv4u9NNRfZprmlNyvjSOf+w7fdKzhcnkHbGkfLnFdc7vq0XFC
-nwORsdjpOvWQUwrV2Cw8Pl4rKa4B4iqUJQJBAMVti6maU3udN8qhXxP3js3LwctG
-E/OVMpH5fMha5jl9w/B4V2tn1d3O/MmdwsKeu2JFRPd0W2+kRr+dDs6DFdECQQC1
-3g9QJRWY2n1RPXlZiJKSDxzXuOqQ9bwMAZE98vE+y5Qq8T2O+li6vAsZhysNCChz
-gOvzuudmyRcMh8r6Lpz5AkAUKK3gYtJFiVH2arRig3JjZJqixgSTolMT1n+HG4uM
-tnBqBiEBVwBxEqaohla/rHR5joZCdcDN8xq0yeTQyLH9
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/simplepass.psk b/tests/data_files/simplepass.psk
deleted file mode 100644
index 93e7ab4..0000000
--- a/tests/data_files/simplepass.psk
+++ /dev/null
@@ -1 +0,0 @@
-0a0b0c:010203
diff --git a/tests/data_files/test-ca-alt-good.crt b/tests/data_files/test-ca-alt-good.crt
deleted file mode 100644
index eebecd6..0000000
--- a/tests/data_files/test-ca-alt-good.crt
+++ /dev/null
@@ -1,41 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTIwMzI5WhcNMjkwMjExMTIwMzI5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVMGU/SScKXxyxwJfcxL4xSnkSqfvk
-F+3jczKU+d5MlKcivkP9Rm/wLEKAcFJxG8ECZMHhxxT8YD+DSUEA5SI2G2xFu84f
-mNCKP4ojcBrzLVYuGg+D+vrp6mi9Q51TIMxQawxkYuU89v9R9ReQorwoDGASrTpC
-6bBvXiMnkFxFlpN07jkoUj34+6vL2350gRXGUGnMcfS4e13P2Sm2KRRvyppz8CkT
-yG1Wta3Ixeb7EuZsmsdTPs3nl+bI/6gcfrhOOmWPJVGiBNvM4YpCxsnbrFsT8U0k
-s1Ys+1JSVx0ekzRAUTCs7AB6Lo/iphsTJs3BfvT5w8PSx8wtsvbc/1dLAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFIYHI4jii/4CYv4qY+nw3ynWlQJIMGMGA1UdIwRcMFqA
-FIYHI4jii/4CYv4qY+nw3ynWlQJIoT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEABPGZwsyeHNp8hKqnOIafQsi4zrES
-izIUntfkCglgHKg+cdmzqUyXrtfrwcVJtz/farfVooeRdfY6kOYNmTihYdHiffoX
-5tOhYV1Rh+exD4mtl2xhw69YPXkUTDStzQTTTxZ/yIxWqmYdrZycmywM6v1Hxdzk
-JnvthTvEthWfrSdMQ2ssdqVgB0h/WZztBCZhLL2mCCG/eNu+5ktJTLFDdjp/IPrn
-/APQt7GjQ1rFFmRAeOHezsSINhQHjH44DiMeL+lU66nUxSrovrVoI2undwBXpl18
-+7/oa+et6+1UktN669P1BnNxLfY6J41P79+S+mA8gP4EA95/AObQyoUPpw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
-A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl
-oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW
-5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb
-+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL
-yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4
-/anT1dVxr/BtwJfiESoK3/4CeXR1
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-alt.crt b/tests/data_files/test-ca-alt.crt
deleted file mode 100644
index 4dad3c3..0000000
--- a/tests/data_files/test-ca-alt.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTIwMzI5WhcNMjkwMjExMTIwMzI5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVMGU/SScKXxyxwJfcxL4xSnkSqfvk
-F+3jczKU+d5MlKcivkP9Rm/wLEKAcFJxG8ECZMHhxxT8YD+DSUEA5SI2G2xFu84f
-mNCKP4ojcBrzLVYuGg+D+vrp6mi9Q51TIMxQawxkYuU89v9R9ReQorwoDGASrTpC
-6bBvXiMnkFxFlpN07jkoUj34+6vL2350gRXGUGnMcfS4e13P2Sm2KRRvyppz8CkT
-yG1Wta3Ixeb7EuZsmsdTPs3nl+bI/6gcfrhOOmWPJVGiBNvM4YpCxsnbrFsT8U0k
-s1Ys+1JSVx0ekzRAUTCs7AB6Lo/iphsTJs3BfvT5w8PSx8wtsvbc/1dLAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFIYHI4jii/4CYv4qY+nw3ynWlQJIMGMGA1UdIwRcMFqA
-FIYHI4jii/4CYv4qY+nw3ynWlQJIoT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEABPGZwsyeHNp8hKqnOIafQsi4zrES
-izIUntfkCglgHKg+cdmzqUyXrtfrwcVJtz/farfVooeRdfY6kOYNmTihYdHiffoX
-5tOhYV1Rh+exD4mtl2xhw69YPXkUTDStzQTTTxZ/yIxWqmYdrZycmywM6v1Hxdzk
-JnvthTvEthWfrSdMQ2ssdqVgB0h/WZztBCZhLL2mCCG/eNu+5ktJTLFDdjp/IPrn
-/APQt7GjQ1rFFmRAeOHezsSINhQHjH44DiMeL+lU66nUxSrovrVoI2undwBXpl18
-+7/oa+et6+1UktN669P1BnNxLfY6J41P79+S+mA8gP4EA95/AObQyoUPpw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-alt.csr b/tests/data_files/test-ca-alt.csr
deleted file mode 100644
index 09bf678..0000000
--- a/tests/data_files/test-ca-alt.csr
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgDCCAWgCAQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA1TBlP0knCl8cscCX3MS+MUp5Eqn75Bft43MylPneTJSnIr5D/UZv
-8CxCgHBScRvBAmTB4ccU/GA/g0lBAOUiNhtsRbvOH5jQij+KI3Aa8y1WLhoPg/r6
-6epovUOdUyDMUGsMZGLlPPb/UfUXkKK8KAxgEq06Qumwb14jJ5BcRZaTdO45KFI9
-+Pury9t+dIEVxlBpzHH0uHtdz9kptikUb8qac/ApE8htVrWtyMXm+xLmbJrHUz7N
-55fmyP+oHH64TjpljyVRogTbzOGKQsbJ26xbE/FNJLNWLPtSUlcdHpM0QFEwrOwA
-ei6P4qYbEybNwX70+cPD0sfMLbL23P9XSwIDAQABoAAwDQYJKoZIhvcNAQELBQAD
-ggEBALje0yFtL/IqLip/X6NVc1oJ+2PgxOzVhEdZPcQ7F+mbDa9w6SvQN9pH4HXp
-P8AGLYnzQgmAlhsSOn7nhJSfQXlcuLdA/oVjhuRqiA+ZrlByeMfSiaBmCvLOWkwl
-FzF+/8HJRlV8B0mq0dIE3pWczAVFcTxRtIONUfmg3p0RWYkdg8y2S3H1n7OPKmM0
-DNC2o226ZFJEDVsQHfkFn3YO6HFLrPRi5jqTGgiNRH7KepZtppu59ZAAHmYzH02v
-PCrxD1MIMCpFfVTbdfPgC0S8TFY8GO5H0Gzy2ixaJVst2RwuGbp/3DK5ixDulV4R
-zbd5qcS3RXE5eQb6LwwNzOUpqLw=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca-alt.key b/tests/data_files/test-ca-alt.key
deleted file mode 100644
index 7df19a0..0000000
--- a/tests/data_files/test-ca-alt.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1TBlP0knCl8cscCX3MS+MUp5Eqn75Bft43MylPneTJSnIr5D
-/UZv8CxCgHBScRvBAmTB4ccU/GA/g0lBAOUiNhtsRbvOH5jQij+KI3Aa8y1WLhoP
-g/r66epovUOdUyDMUGsMZGLlPPb/UfUXkKK8KAxgEq06Qumwb14jJ5BcRZaTdO45
-KFI9+Pury9t+dIEVxlBpzHH0uHtdz9kptikUb8qac/ApE8htVrWtyMXm+xLmbJrH
-Uz7N55fmyP+oHH64TjpljyVRogTbzOGKQsbJ26xbE/FNJLNWLPtSUlcdHpM0QFEw
-rOwAei6P4qYbEybNwX70+cPD0sfMLbL23P9XSwIDAQABAoIBAHO1/844s0Ly2s0z
-vnlqI9z3Ef3qWzizMEA6v2KSuHCSYqD96kMnHwyZyUKTNHwF112oOH+GIcLVrsNg
-WDLXKxl5CuxSgg8uT0oqMJ0JdOc2XUdKh89XwyaBP3Yyo8qBy8N+RsyZzNipK21d
-fPvZCA0oomCguzWkR0o7KxOHTD3L/ZGwiqOqzMRfaRznLxjsZZ3RoNF1fkmXtdXH
-I+T8rWxFeZYN3LaRI/viCPF8yYgFUvOPL1R9Yzq5Z/jSyyUPN+IhSqL/zb/NyLiY
-ttdwmMA/yackChlfp06D4Xlrbf2hFxmvnCnE4bh/CINhjfjKyz88KUAKR9xEQifc
-FAb5CzkCgYEA9/5hlSAqR6guf5orz9jgqhaNcWGpU3rzYmUlISFhzArym41w4a4a
-9rAi5QEraEA1WR/Ymr5Xvt7mqwKlGkaKwyPbVqdXFOaQp2vKZNPmHWbLVYW49IZt
-hx5CreMpy0lVU2SLA/+g/DPse2wx85wgx8kpudEmU91ThuxBdF0IHr0CgYEA3BJc
-Y/pqAw9fluvlYpgAyGyG0k8d3xb0uUnV1u+rvMZiOiJQerNawMc/PoYkhhRPKXkM
-DQS8oMM858kgT1qCcvFZZzWDqGhRqbxmtjJ2w1nWIi9q+0z0/X9qbxiZbZr0Iklx
-MeYtQuRIGois/D7GQjyI5rHXVj9k3b39pepSEqcCgYEA1AHxtIZB/u6FieroR5E2
-R9Jt6x89nbN/vH+RpWgfbktxqo/Zj+XDAWAFBNfiHwa9VMsH5wqQgwmWE154fSUP
-XdIaolL+/Ew8IBTjex04HaySajOesdT2b8vr3zJTuYmg22EaAzoXi2RsZ/tQHN49
-m+6asFNgO9P7o134ex1JYtUCgYEAuU2gi/Kb9y2nsH267TTOW/S95TIHFgTPVYEt
-VMkEU3S72vVvzJFe1jovL6dl85wAOAybsA6QAdHDY+v/j7HHa597RyNRU6lbMc/Y
-sIt3YvAvFSPWMfnPw+/Yn+kXr6ms7X3nmTuWWt+7MtRozBDTgYxVPeL7Tb0dYnUK
-sfzG1LsCgYEAvxhLJHYTKtjus8h/xVpj3Kto0j0AvtXtd1DUsQ2kKGRT/B1AFbVs
-zSNjR4vJg+iotbiIq6JBxHyWxZsHQUNIXjoTqEgQpBbneEnb1ilO1DEGDK7vwlFn
-M4tHi5neEiGI55WQduJ2ha/tc0KbDcxw/VBZAmKVmpeXaUNZAiMMFB0=
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/test-ca-good-alt.crt b/tests/data_files/test-ca-good-alt.crt
deleted file mode 100644
index 3d15ea7..0000000
--- a/tests/data_files/test-ca-good-alt.crt
+++ /dev/null
@@ -1,41 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
-A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl
-oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW
-5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb
-+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL
-yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4
-/anT1dVxr/BtwJfiESoK3/4CeXR1
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTIwMzI5WhcNMjkwMjExMTIwMzI5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVMGU/SScKXxyxwJfcxL4xSnkSqfvk
-F+3jczKU+d5MlKcivkP9Rm/wLEKAcFJxG8ECZMHhxxT8YD+DSUEA5SI2G2xFu84f
-mNCKP4ojcBrzLVYuGg+D+vrp6mi9Q51TIMxQawxkYuU89v9R9ReQorwoDGASrTpC
-6bBvXiMnkFxFlpN07jkoUj34+6vL2350gRXGUGnMcfS4e13P2Sm2KRRvyppz8CkT
-yG1Wta3Ixeb7EuZsmsdTPs3nl+bI/6gcfrhOOmWPJVGiBNvM4YpCxsnbrFsT8U0k
-s1Ys+1JSVx0ekzRAUTCs7AB6Lo/iphsTJs3BfvT5w8PSx8wtsvbc/1dLAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFIYHI4jii/4CYv4qY+nw3ynWlQJIMGMGA1UdIwRcMFqA
-FIYHI4jii/4CYv4qY+nw3ynWlQJIoT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEABPGZwsyeHNp8hKqnOIafQsi4zrES
-izIUntfkCglgHKg+cdmzqUyXrtfrwcVJtz/farfVooeRdfY6kOYNmTihYdHiffoX
-5tOhYV1Rh+exD4mtl2xhw69YPXkUTDStzQTTTxZ/yIxWqmYdrZycmywM6v1Hxdzk
-JnvthTvEthWfrSdMQ2ssdqVgB0h/WZztBCZhLL2mCCG/eNu+5ktJTLFDdjp/IPrn
-/APQt7GjQ1rFFmRAeOHezsSINhQHjH44DiMeL+lU66nUxSrovrVoI2undwBXpl18
-+7/oa+et6+1UktN669P1BnNxLfY6J41P79+S+mA8gP4EA95/AObQyoUPpw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-sha1.crt b/tests/data_files/test-ca-sha1.crt
deleted file mode 100644
index 31790b5..0000000
--- a/tests/data_files/test-ca-sha1.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-sha1.crt.der b/tests/data_files/test-ca-sha1.crt.der
deleted file mode 100644
index 5d94810..0000000
--- a/tests/data_files/test-ca-sha1.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca-sha256.crt b/tests/data_files/test-ca-sha256.crt
deleted file mode 100644
index 9c71cef..0000000
--- a/tests/data_files/test-ca-sha256.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
-A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl
-oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW
-5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb
-+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL
-yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4
-/anT1dVxr/BtwJfiESoK3/4CeXR1
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-sha256.crt.der b/tests/data_files/test-ca-sha256.crt.der
deleted file mode 100644
index aefec20..0000000
--- a/tests/data_files/test-ca-sha256.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca-v1.crt b/tests/data_files/test-ca-v1.crt
deleted file mode 100644
index 2f10f6d..0000000
--- a/tests/data_files/test-ca-v1.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHzCCAgcCDFOito4FQA5VXJOV5TANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD
-DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK
-DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDAwWhcNMjkwMjEw
-MTQ0NDAwWjBQMRwwGgYDVQQDDBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQL
-DAd0ZXN0aW5nMREwDwYDVQQKDAhQb2xhclNTTDELMAkGA1UEBhMCTkwwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAAtVAWmbymwKDj9v8m7SVLHF0mw4i3gBFVPJqYRQ
-y9CnUD68kUr4qK7wyQIv/gDRYuqZVNnBq4Jwzm+tPEBHpYAF5H/7Mynpb4h+uZ3a
-6kaWURXKzx53ZuFHLu1FuRov+SZU3ZtXClTYFKeyDb+fcth/8thR9V59v7ZE7zlb
-8zbyL+dqfyxvmxZCUzHbNKVrliiUUFXfW53T+B7Ysxner5mnqM1aPxckhXVHEJ47
-TBoIhpBoJ/HmHCiWz8BeoowSpG7u+QOezIKk8l5Pd2f8MeqwyaqIeAy0lh2nP7pB
-UtWET/0bsdiPn8SR9B3hWpKUDRvnHDDZuZiKtrdDEqsD04M=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.crt b/tests/data_files/test-ca.crt
deleted file mode 100644
index ef7e4c7..0000000
--- a/tests/data_files/test-ca.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
-x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
-hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
-G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
-7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
-9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
-hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.der b/tests/data_files/test-ca.der
deleted file mode 100644
index 039fb9e..0000000
--- a/tests/data_files/test-ca.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca.key b/tests/data_files/test-ca.key
deleted file mode 100644
index de8be1d..0000000
--- a/tests/data_files/test-ca.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,781840E6B804AE83D2AF71127C4CE314
-
-etQ3xgGLbuYF9vR1km03TH5fwfly1hOlix0PtfQ+t9HG065vTtSEHYc/OyHwdy79
-NCLX5RUrPh06E/XlKzMNVHAXqkwFnIwNzRLsOozeP1L7iZEZb9QMeiN5Org+btCO
-bylXPB4YirfuE7GSJalWY/pq3FQtD33zTIKmNhXfVj3sbwGI/8D9XjaKUb8PODOB
-skOalmx6RvYRvg0lmRxB3+T3wejIsrrDPweYqte9B6dVHIVG1ZmvoA6/wnKZZZeV
-sjj8OpL3OwUBrjuGSknE9Rs6kCuSCbHOYVK8VzcZmCYpie0TFnb3Sk8M6vjfW+45
-U7WUMlSAPxKH6lJDzWdwHqLvsVJwuNnaAaBXg9/8U/rzQEWuq8Ar3s8fw2Jg3F1G
-L6N5ZAEfCz3Sa0N9WKafR/RSQj+rq8Z3w4POAafhbzk249uo5K8B1Z3cQwLxeXIl
-UbRQz1TZy4oNTfQzCahYruPNyvwgTkfwAFFvbLAdaiJd2ZtLBoqYE64TYakYnvcC
-itim1bmySIKoxlMfBGFmMuF03epT0pSx701jlGzGi0l0m16NEjoVxDwo5j93SmiM
-sQdjC1lOGk2iCLkphIQqHFjFJYWjvh1UUIqWZf+ZWOOxlf4x9a1pUVj6FvtECxNB
-/mA/m4Iq4LAuVXHE1MpHeq067lJ6wWlrsb2WVmiNGfQ2AC7fMtpcPuunBVT9NV1m
-1rbDzIgLIWAzqz/cy3N8Q8vfxnrFtmNUyM191Zyq+YF14hIKWX9J1qR4LXwWAzVV
-UrC8IL4pA2mtRkW4qFsB0EmHAxO/cedDTPjVFty5WSzhNuvYZxX45HAkGIfK6d21
-7WHPhHG+zaaUTWMUVixB0IcKp6RecjYPFzBHS0YeX88Ue2cyT/90jMiQ9ssOgRrG
-ZJRJvZAc3TSCnY9sNPYoGrJPiZuCnlUj3ENNurYVy12ai0WFxwnNUZjRUhDS6hjm
-cDHD5TlI9MZ6M+Mb/Bw4Ig8HuTHOtQBYD9vhtXsG+B7H/j6cS+1umaKjrnG/kK4W
-R6YXwM2faAi+DwgjjoMXSzRqSTF8PdTIWbAXo3bc2qsXPTMBA8PEp4nb5scHZ4Ts
-EcBNp2jv0j4gBkRmGIab17cWMrlagjFy89DhqZUFwKdeZs+yJ92A5xstWxOUfpEP
-90T/bsp1G5d7WW5fl2TRJvYJNDM+djkKIh0zCkduiZ36oVM6nDdbjmXqjQXopeSD
-gtOourBRF8g99W0fW8QT+yPhP0Pkyz6EG8eQO6Zwh439xdoVwu9jUzQAPmZ0uNeR
-xTXXihYyv72z27rInjLiIPXL25K9eDVLlcSR3RyG7YYgjdQAL2VJDLcBz5jox1uQ
-0guoD5wmfu2FWLqYE7HeTYntdY53lCflwq0GHRMjrrsVpx+5VDQ6Yi47Ny9SWLcp
-fPI3iBkXuGRWupzs6N4pQdSO0dU28KfpMM5QvFoLIn67brCHEQij4dgFrCTYEyBX
-9+jiNImUFYUhAFuxvUbfZt4O/ABLIElvHLfJs1oYCmI/nWpvLFqXB5rnzPNfEi0H
-PGGe1Hj/t+CJIp/6ios3yNy2QtXO754TZH2UVu51Ykyig5PFjZVoUkbRvHQYcWfU
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/test-ca.key.der b/tests/data_files/test-ca.key.der
deleted file mode 100644
index 4678a1a..0000000
--- a/tests/data_files/test-ca.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
deleted file mode 100644
index 0340e9e..0000000
--- a/tests/data_files/test-ca.opensslconf
+++ /dev/null
@@ -1,125 +0,0 @@
-[req]
-x509_extensions = v3_ca
-distinguished_name = req_dn
-
-[req_dn]
-countryName = NL
-organizationalUnitName = PolarSSL
-commonName = PolarSSL Test CA
-
-[v3_ca]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
-
-[no_subj_auth_id]
-subjectKeyIdentifier=none
-authorityKeyIdentifier=none
-basicConstraints = CA:true
-
-[othername_san]
-subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
-
-[nonprintable_othername_san]
-subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
-
-[unsupported_othername_san]
-subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
-
-[dns_alt_names]
-subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
-
-[rfc822name_names]
-subjectAltName=email:my@other.address,email:second@other.address
-
-[alt_names]
-DNS.1=example.com
-otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
-DNS.2=example.net
-DNS.3=*.example.org
-
-[multiple_san]
-subjectAltName=@alt_names
-
-[ext_multi_nocn]
-basicConstraints = CA:false
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment
-subjectAltName = DNS:www.shotokan-braunschweig.de,DNS:www.massimo-abate.eu,IP:192.168.1.1,IP:192.168.69.144
-
-[hw_module_name]
-hwtype = OID:1.3.6.1.4.1.17.3
-hwserial = OCT:123456
-
-[nonprintable_hw_module_name]
-hwtype = OID:1.3.6.1.4.1.17.3
-hwserial = FORMAT:HEX, OCT:3132338081008180333231
-
-[v3_any_policy_ca]
-basicConstraints = CA:true
-certificatePolicies = 2.5.29.32.0
-
-[v3_any_policy_qualifier_ca]
-basicConstraints = CA:true
-certificatePolicies = @policy_info
-
-[v3_multi_policy_ca]
-basicConstraints = CA:true
-certificatePolicies = 1.2.3.4,2.5.29.32.0
-
-[v3_unsupported_policy_ca]
-basicConstraints = CA:true
-certificatePolicies = 1.2.3.4
-
-[policy_info]
-policyIdentifier = 2.5.29.32.0
-CPS.1 ="CPS uri string"
-
-[fan_cert]
-extendedKeyUsage = 1.3.6.1.4.1.45605.1
-
-[noext_ca]
-basicConstraints = CA:true
-
-[test_ca]
-database = /dev/null
-
-[crl_ext_idp]
-issuingDistributionPoint=critical, @idpdata
-
-[crl_ext_idp_nc]
-issuingDistributionPoint=@idpdata
-
-[idpdata]
-fullname=URI:http://pki.example.com/
-
-# these IPs are the ascii values for 'abcd' and 'abcd.example.com'
-[tricky_ip_san]
-subjectAltName=IP:97.98.99.100,IP:6162:6364:2e65:7861:6d70:6c65:2e63:6f6d
-
-[csr_ext_v3_keyUsage]
-keyUsage = digitalSignature, keyEncipherment
-
-[csr_ext_v3_subjectAltName]
-subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
-
-[csr_ext_v3_nsCertType]
-nsCertType=server
-
-[csr_ext_v3_all]
-keyUsage = cRLSign
-subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
-nsCertType=client
-
-[directory_name_san]
-subjectAltName=dirName:dirname_sect
-
-[two_directorynames]
-subjectAltName=dirName:dirname_sect, dirName:dirname_to_malform
-
-[dirname_sect]
-C=UK
-O=Mbed TLS
-CN=Mbed TLS directoryName SAN
-
-[dirname_to_malform]
-O=MALFORM_ME
diff --git a/tests/data_files/test-ca.req.sha256 b/tests/data_files/test-ca.req.sha256
deleted file mode 100644
index 1114338..0000000
--- a/tests/data_files/test-ca.req.sha256
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICgDCCAWgCAQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAwN83/Be74JadP4beljJ9RKUWoM0h8ZnU7OrLfBhYCJSl7JvFi98a
-Hpk4mYcee8CNOd84XXB4B9Oe2ZPouXJRxc6jMFKp8udAcBTLRKJyC8LlQPk+5aYO
-s/nsSmPAuCkAdJxXO6ilBJBx8b2D2T/WpeI8Ko/vJ2DDxp/LuuxgfbfmhDK+T/tY
-JiIDW9S01fv145YucMDkLr38Lu7iQVXANC59JHJpy0exFECDfWf0hvYxq/F5pLK1
-LhL5hBfwYm8nPhNYsVQNIZpzN6Ewz2+S3Pbp/KzbLijRfgJLI6AV8jhlZAnqDG6O
-Gxegccizm8mr6cPyz4eWj4ACMp6ZWG+i1QIDAQABoAAwDQYJKoZIhvcNAQELBQAD
-ggEBAKI+q840+CyPj6DJDJr9mP/aE8U+VyxbarQuZHxbiyS2HDuNQNFvP2TmCDRx
-juERTU8yDOj3F2p7JhFF4QkCP2TP4JFYjLlOE7ISxYegGdJNNO6W00btMHG1s0aW
-uPcPIIy9HxGiOFFmjYz7Jo8mcFl+bl4ET7zPoj21R4dOl7E3oYLtEZqTuiWnfW2H
-+whurU13PYyog3jvJex99VIL8ZRliUSKgdmQ7A4GMvE6kf6Uk+441ynZ7RQr4jF9
-xsVIrR7cyt/SsVEYF+2SfJi0dO9pf6yV3PdwtpU2URTyZoitlneqEINXKi7Qx6E+
-+f5fAI8FbCJtgKEKf2TfqiH6sCI=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca.req_ec.sha256 b/tests/data_files/test-ca.req_ec.sha256
deleted file mode 100644
index 6d46b2a..0000000
--- a/tests/data_files/test-ca.req_ec.sha256
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBOTCBvQIBADA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxHDAa
-BgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjUUrSRlTkLI99fFyRiSPwalSnO
-LC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0X3WnR2/VGSlVaZpTOyC0ZhZg
-Mx6gADAMBggqhkjOPQQDAgUAA2kAMGYCMQDElef9+KfRbZOA29ZyU750fB3ob82E
-8R711+hk9HOsk0G9Uccp3tT+1nhCcMNhnWsCMQD6Y8e9jcEaKSPiWWfgCZ5NaQ5l
-pvPDUdcPV8sZt2cgNS8fcRIIHblQKvr6miHXl9Y=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca.server1.db b/tests/data_files/test-ca.server1.db
deleted file mode 100644
index 3c0e012..0000000
--- a/tests/data_files/test-ca.server1.db
+++ /dev/null
@@ -1,2 +0,0 @@
-R 210212144406Z 110212124407Z 01 unknown /C=NL/O=PolarSSL/CN=PolarSSL Server 1
-R 210212144400Z 110212124407Z 03 unknown /C=NL/O=PolarSSL/CN=PolarSSL Test CA
diff --git a/tests/data_files/test-ca.server1.future-crl.db b/tests/data_files/test-ca.server1.future-crl.db
deleted file mode 100644
index 763aa12..0000000
--- a/tests/data_files/test-ca.server1.future-crl.db
+++ /dev/null
@@ -1,2 +0,0 @@
-R 210212144406Z 290101124407Z 01 unknown /C=NL/O=PolarSSL/CN=PolarSSL Server 1
-R 210212144400Z 290101124407Z 03 unknown /C=NL/O=PolarSSL/CN=PolarSSL Test CA
diff --git a/tests/data_files/test-ca.server1.future-crl.opensslconf b/tests/data_files/test-ca.server1.future-crl.opensslconf
deleted file mode 100644
index e9ce754..0000000
--- a/tests/data_files/test-ca.server1.future-crl.opensslconf
+++ /dev/null
@@ -1,18 +0,0 @@
- [ ca ]
- default_ca = test-ca
-
- [ test-ca ]
- certificate = test-ca.crt
- private_key = test-ca.key
- serial = test-ca.server1.serial
- default_md = sha1
- default_startdate = 110212144406Z
- default_enddate = 210212144406Z
- new_certs_dir = ./
- database = ./test-ca.server1.future-crl.db
- policy = policy_match
-
- [policy_match]
- countryName = supplied
- organizationName = supplied
- commonName = supplied
diff --git a/tests/data_files/test-ca.server1.opensslconf b/tests/data_files/test-ca.server1.opensslconf
deleted file mode 100644
index 209b0ff..0000000
--- a/tests/data_files/test-ca.server1.opensslconf
+++ /dev/null
@@ -1,18 +0,0 @@
- [ ca ]
- default_ca = test-ca
-
- [ test-ca ]
- certificate = test-ca.crt
- private_key = test-ca.key
- serial = test-ca.server1.serial
- default_md = sha1
- default_startdate = 110212144406Z
- default_enddate = 210212144406Z
- new_certs_dir = ./
- database = ./test-ca.server1.db
- policy = policy_match
-
- [policy_match]
- countryName = supplied
- organizationName = supplied
- commonName = supplied
diff --git a/tests/data_files/test-ca.server1.test_serial.opensslconf b/tests/data_files/test-ca.server1.test_serial.opensslconf
deleted file mode 100644
index 43a520e..0000000
--- a/tests/data_files/test-ca.server1.test_serial.opensslconf
+++ /dev/null
@@ -1,25 +0,0 @@
- [ ca ]
- default_ca = test-ca
-
- [ test-ca ]
- certificate = test-ca.crt
- private_key = test-ca.key
- serial = test-ca.server1.tmp.serial
- default_md = sha1
- default_startdate = 20190210144406Z
- default_enddate = 20290210144406Z
- x509_extensions = v3_ca
- new_certs_dir = ./
- database = ./test-ca.server1.db
- policy = policy_match
- unique_subject = no
-
- [v3_ca]
- basicConstraints = CA:false
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid:always
-
- [policy_match]
- countryName = supplied
- organizationName = supplied
- commonName = supplied
diff --git a/tests/data_files/test-ca2-expired.crt b/tests/data_files/test-ca2-expired.crt
deleted file mode 100644
index 22e4797..0000000
--- a/tests/data_files/test-ca2-expired.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
-tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
-l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.crt b/tests/data_files/test-ca2.crt
deleted file mode 100644
index b974f4c..0000000
--- a/tests/data_files/test-ca2.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.crt.der b/tests/data_files/test-ca2.crt.der
deleted file mode 100644
index 70d6abc..0000000
--- a/tests/data_files/test-ca2.crt.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca2.key b/tests/data_files/test-ca2.key
deleted file mode 100644
index ccbba3c..0000000
--- a/tests/data_files/test-ca2.key
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCD2RUOoHHwVxAzozi4hsGmEV1ttAPhKXZF14dvI6tEIOpke4WxdueF
-lap01tGkXuqgBwYFK4EEACKhZANiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1Mz
-OVjUUrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80Gt
-KcO0X3WnR2/VGSlVaZpTOyC0ZhZgMx4=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/test-ca2.key.der b/tests/data_files/test-ca2.key.der
deleted file mode 100644
index bf64141..0000000
--- a/tests/data_files/test-ca2.key.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/test-ca2.key.enc b/tests/data_files/test-ca2.key.enc
deleted file mode 100644
index bb70990..0000000
--- a/tests/data_files/test-ca2.key.enc
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,307EAB469933D64E
-
-IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG
-ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq
-UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb
-a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/test-ca2.ku-crl.crt b/tests/data_files/test-ca2.ku-crl.crt
deleted file mode 100644
index 303a2c0..0000000
--- a/tests/data_files/test-ca2.ku-crl.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAV6gAwIBAgIUN3DAVq0Kn9k3FPUPZGW2d3rZn28wCgYIKoZIzj0EAwIw
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H
-Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr
-Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV
-HRMEBTADAQH/MAsGA1UdDwQEAwIBAjAKBggqhkjOPQQDAgNoADBlAjAxoq/Q4PEA
-8SDd3cQaVIwx8oJVEzfJo1BB2w1LnjvUXZrQydjNXMU4Jgorm/2/uLgCMQCyI6cZ
-EAIgKPYlT6/zJHBj45qejs527OfI4Xn+kQ7OvHQtHaCAzQw4h7Jfx+gXaUo=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext
deleted file mode 100644
index 4bc5d3c..0000000
--- a/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-basicConstraints = CA:true
-subjectKeyIdentifier=none
-keyUsage = cRLSign
-
diff --git a/tests/data_files/test-ca2.ku-crt.crt b/tests/data_files/test-ca2.ku-crt.crt
deleted file mode 100644
index 5cad7b2..0000000
--- a/tests/data_files/test-ca2.ku-crt.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2DCCAV6gAwIBAgIUYDcYIJ6EBbKafKeXLgPLE+RsJZowCgYIKoZIzj0EAwIw
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxMjEwMzEwNVoXDTMzMDUxMjEwMzEwNVow
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H
-Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr
-Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV
-HRMEBTADAQH/MAsGA1UdDwQEAwICBDAKBggqhkjOPQQDAgNoADBlAjBwsfyYiZB6
-PpDgIbYRbZ4VT9GGFNE3L4C1IH8RNwzvywLvQfVp3ocRAkzEoRpmKAsCMQDOGm48
-d7zKl7IzmBuOWXYlukWDDWwpNI67z7g0JawfypKIxcPTZFiQXVtDdTdkrGY=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext
deleted file mode 100644
index 997c893..0000000
--- a/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-basicConstraints = CA:true
-subjectKeyIdentifier=none
-keyUsage = keyCertSign
-
diff --git a/tests/data_files/test-ca2.ku-crt_crl.crt b/tests/data_files/test-ca2.ku-crt_crl.crt
deleted file mode 100644
index 4c69582..0000000
--- a/tests/data_files/test-ca2.ku-crt_crl.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2TCCAV6gAwIBAgIUd5f42F4ahjkx9AIN035pcF4WFikwCgYIKoZIzj0EAwIw
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H
-Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr
-Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV
-HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNpADBmAjEA6IUvQwSw
-vEkHjU9YNsPcUsJf0UTHUW1T8mNbgk+zCl6fzeU73oCXH6zoi5q6vLgjAjEAv63C
-xknmJJ4H3Zlc+O5GlcX9VQNZDn1xV7hf2yW1Gf7wLTnSWTf5bXATaIQ6QLO1
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext
deleted file mode 100644
index 0fd73a2..0000000
--- a/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-basicConstraints = CA:true
-subjectKeyIdentifier=none
-keyUsage = keyCertSign, cRLSign
-
diff --git a/tests/data_files/test-ca2.ku-ds.crt b/tests/data_files/test-ca2.ku-ds.crt
deleted file mode 100644
index 2907aa7..0000000
--- a/tests/data_files/test-ca2.ku-ds.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2TCCAV6gAwIBAgIUb5xsO6FEmAz+XpGFHpW7ODFvup0wCgYIKoZIzj0EAwIw
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow
-PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh
-cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H
-Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr
-Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV
-HRMEBTADAQH/MAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNpADBmAjEA44HVvGYv
-meA3SpaNJmubLKjsQlGNnEUUo1IO0NBP5yWG0dRFkX8NQ0bzH/1n6FJcAjEAm9wj
-xdmEPUr6PY54c0IQJNeeF76L1/+EszXrSDQ7TLv1YC4d4uMNmqwR9EGuUX+/
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext
deleted file mode 100644
index 08e49d4..0000000
--- a/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext
+++ /dev/null
@@ -1,4 +0,0 @@
-basicConstraints = CA:true
-subjectKeyIdentifier=none
-keyUsage = digitalSignature
-
diff --git a/tests/data_files/test-ca2.req.sha256 b/tests/data_files/test-ca2.req.sha256
deleted file mode 100644
index 6d46b2a..0000000
--- a/tests/data_files/test-ca2.req.sha256
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBOTCBvQIBADA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxHDAa
-BgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjUUrSRlTkLI99fFyRiSPwalSnO
-LC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0X3WnR2/VGSlVaZpTOyC0ZhZg
-Mx6gADAMBggqhkjOPQQDAgUAA2kAMGYCMQDElef9+KfRbZOA29ZyU750fB3ob82E
-8R711+hk9HOsk0G9Uccp3tT+1nhCcMNhnWsCMQD6Y8e9jcEaKSPiWWfgCZ5NaQ5l
-pvPDUdcPV8sZt2cgNS8fcRIIHblQKvr6miHXl9Y=
------END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca2_cat-future-invalid.crt b/tests/data_files/test-ca2_cat-future-invalid.crt
deleted file mode 100644
index 833e497..0000000
--- a/tests/data_files/test-ca2_cat-future-invalid.crt
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
-5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
-vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
-H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
-ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
-KgfuCEF96BhSjLDXWKB4IFWaXUQ=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-future-present.crt b/tests/data_files/test-ca2_cat-future-present.crt
deleted file mode 100644
index 649cca0..0000000
--- a/tests/data_files/test-ca2_cat-future-present.crt
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
-5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
-vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-past-invalid.crt b/tests/data_files/test-ca2_cat-past-invalid.crt
deleted file mode 100644
index a0b0a2f..0000000
--- a/tests/data_files/test-ca2_cat-past-invalid.crt
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
-tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
-l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
-H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
-BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
-ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
-KgfuCEF96BhSjLDXWKB4IFWaXUQ=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-past-present.crt b/tests/data_files/test-ca2_cat-past-present.crt
deleted file mode 100644
index 24e05c6..0000000
--- a/tests/data_files/test-ca2_cat-past-present.crt
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
-tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
-l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-future.crt b/tests/data_files/test-ca2_cat-present-future.crt
deleted file mode 100644
index 6539479..0000000
--- a/tests/data_files/test-ca2_cat-present-future.crt
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
-5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
-vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-past.crt b/tests/data_files/test-ca2_cat-present-past.crt
deleted file mode 100644
index 08aeeea..0000000
--- a/tests/data_files/test-ca2_cat-present-past.crt
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
-tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
-l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_cat12.crt b/tests/data_files/test-ca_cat12.crt
deleted file mode 100644
index c54bcc1..0000000
--- a/tests/data_files/test-ca_cat12.crt
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
-x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
-hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
-G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
-7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
-9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
-hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_cat21.crt b/tests/data_files/test-ca_cat21.crt
deleted file mode 100644
index b090dc6..0000000
--- a/tests/data_files/test-ca_cat21.crt
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
-BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
-IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
-4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
-bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
-6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
-N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
-x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
-hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
-G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
-7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
-9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
-hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_printable.crt b/tests/data_files/test-ca_printable.crt
deleted file mode 100644
index 1e95b6d..0000000
--- a/tests/data_files/test-ca_printable.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTM0NTI5WhcNMjkwMjExMTM0NTI5WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAbhaFBCuqOenkJdwQvr3B3hX8MGER
-s0PWgKwSkrkfaRp8Vg2GBaVt+GdqtL+wpo9NYoeoPrEOjWHm7grdolhcKOs9SdKq
-XsiQKCJqvwqiJ0PfIwSA30ZqIGtb3I9WLXBXregk/ku9se2GhKlLCYeW09Tq3pex
-tGottVVypNJuMed+yX2MUMHrAW7+/ZJhxfTVTv6YYqqr6eufvLiYPhUgihTndqj9
-Keko1kOb7XyYMGKGEmLYFXS4oJc5uvwhkyTIjIZr6enYRzjLTkmhVpznSXdERKjl
-b8Jh/hzdws8yQOCk+NlqZPKz9LDQiI5p5tT4eGmX5w4fD30QYzgTQWLSKQ==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_uppercase.crt b/tests/data_files/test-ca_uppercase.crt
deleted file mode 100644
index 3126a11..0000000
--- a/tests/data_files/test-ca_uppercase.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTM0NTQ3WhcNMjkwMjExMTM0NTQ3WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAFs2TDNHnSAONhAJcaz4W5gi9Gzdq
-PgG30wTf2FWCtbmY7b/tPfXi+O8zn42cmuVC6m7lp5akisN34bubQNjrMYvhkg9o
-PK+mIJw9/JxfMX8JYCQaU8UV4K+xaBY9Gu9jNhZklt0RUKgdhr/9r217R9ClX5XZ
-+HBmQCUG1AXlD8qmMxu2VVkgBubMLZQQxsy6L3b3x0NKXx0SiO7YBVtFTB9KpwlG
-0R6lso+XfrQK3Q0g/kASyhuaaDfIGNPtNG+wEe/gA9K3NUY99TwKWpHhz5Yd+mfW
-rJcP89L7thXizripRT22b/ElPIgLSYarjKA317wkQJxYQ3ElkpgNbhaKHg==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_utf8.crt b/tests/data_files/test-ca_utf8.crt
deleted file mode 100644
index 2dadc77..0000000
--- a/tests/data_files/test-ca_utf8.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMjExMTM0NTE0WhcNMjkwMjExMTM0NTE0WjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
-mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
-50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
-YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
-R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
-KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAKePyGUC4+Ehb1/e0ldwipj8SZZPe
-QEXwUfF2T3Km/Bgo7tRhCMoRkMbqtGhhWM/nVfHlsFj68nQisxpGyuFzMdb/56aX
-Zh5KSocnlvvFeD3nQCQClnCRiboReuasIpH7UrFSLJgk30O+7mAWHLRD3n51hOTy
-50seLBgBUbXw/wYcxpS718DTUw9tSuRDxB/uGB5iwhz1lOnnslL0vswKacNFisGd
-7H7Vyn6YQFFuw6W04V4RzClXEyPTJg5QRMKR+vGMtoMTCNUG+sAwwM5NiAM4CDXc
-0vPALzpvlXnf2pi1WWSZSLgGMgn99N+7XXaA5W1FJ97fTzprTnOG6kl0YA==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca-exp.crt b/tests/data_files/test-int-ca-exp.crt
deleted file mode 100644
index 835c7db..0000000
--- a/tests/data_files/test-int-ca-exp.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwNTE2MDcxMDM3WhcNMjMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAJH0e4fySJI2nJt1Knd+yU7zn1jTFDAABJMbndhR
-07OSM6vwUaGSMVatSzr8ah+UDgIwaI/MBcorSxT92jAQb1W5dJkEudoYSg49fjAf
-z0BtLCVhFwQlrzCqgXC98SGfT6sZ
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca.crt b/tests/data_files/test-int-ca.crt
deleted file mode 100644
index 8b2846d..0000000
--- a/tests/data_files/test-int-ca.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
-vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
-wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
-CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
-Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
-AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
-qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
-uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
-kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
-d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
-Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
-updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
-a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
-AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
-fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
-JAuV9fLJJdB5nZUG3l85Dt27VNkT
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca.key b/tests/data_files/test-int-ca.key
deleted file mode 100644
index 4fd62f3..0000000
--- a/tests/data_files/test-int-ca.key
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAo1Oc8nr6fMTqvowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7Jep
-dFjAVbBtyQRJSiY1ja0tgLQDDKZRwfEI+b4azse460InPHv7C1TN0upXlxuj6m9B
-1IlP+sBaM7WBC6dVfPO+jVMIxgkFCaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+
-nqRZjXe/eIcqm5HwjDDhu+gz+o0gVz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xT
-xtu6dLunhpmLFj2mm0Vjwa7Ypj5qAjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJ
-JFVdjdtgYAcQwzikwF5HoITJzzJ2qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEG
-Jo7XKyNEuHPQgB+e0cg1SD1HqlAMuCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY
-+/9e2xn8DCrhBKLXQMZFDZqUoLYAkGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSP
-T28rLdFr49dwYOtDg9foA8hDIW2Pd6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz
-9bqBVNlNOESSqm4kiCJFmslm/6brNp0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TY
-YhMbfnfFyo4m707ebcflPbBEN2dgupdQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEA
-AQKCAgEAgyuxzuSJrA8SYLptIoP+e7YiUqCOfy1Z9q3paLeUAhRmWilrxK9KuQcb
-BOhWXCDXvdMpykXIdS5WVyZYCQtuyEeK8haNIHyKII2ZSB1A/3EJckysWB93hnFZ
-gFHzNALOG64+iY34a+Pukc6NmCulGBcjjAWR2KOg9vyRsiRr2m1TkZHFpW9lJMLZ
-mdkklRDeWhkgEiPpKv6QzMFfkzL9mregE3VgEjQfeFNaZlS2HWddhB5z4i+yTfIw
-F1/VXqVg2y8dcP4VrV5PET8NBGPzInkj0lk1NeveE2Cl2DlUq4BMyWvUFkQhAL8B
-Zd4GzmL9nimZ6Qb8dVWYC/YTahoIL3+YUCZAGIeczAo6dryheUsj1w3pSErOIY9U
-dGSyq9I9XYXqcRNeyfkoNVOZ7ugqk4DvMyv64tt+NIIy9SZGcHuWo3GL0FdKiR5c
-Xbn18tD+Wwrka0O1ntvzX1qkwJcpvu5+xNVbobkM4DiluoivOq+29CGANtG2Et7S
-m6KCUwSElKsvpI4dNW4nWcbdj8i8gcLiKjqRu9n2BdkvAHaMhVbl9xnp9sveGLcR
-iFg6mDsCQuVEH8bGPIMIav/3VUjy1wbMAA54PsqKM0aTA+DHnleXchVAhMm9eHD8
-yrV8eb8/bcCbWvhDDi80kuRIaDSsYTwMWpzjz6MU9v8OuFGZZaECggEBANL44VQ7
-7tok5XeJJgnRV/PGNlHKksctPMj+ye8iSDrRvHVlHHqvZ26MZJPgXwHCO/NVIWv6
-hfCYlfmP/63fZ1WJqDUDxHOgjIbPtOIKTsJi3PbbODVrsycZ3y5OjpbjXKG97cKM
-6RX6zbnjtGKPfbUJx+kuAOxmkFLiLJGNlLqzaJafkgWjUAV/nT6Qm2663msfZ/Md
-7uDFDNOTbPS74ki5JTjlj8xmxAPcnxjNJ2ijDQ7eiCAm6JozJYy9PYixmuScFF2x
-D2N6E9/JWUcYezybUgOLzbwzvJkCRJoBXj09F8cb3m6ZQ04n2peQg/0bn6HUVovF
-opZJW9uZTRmFae0CggEBAMYveBnYRXyWqENf8PZ8xlqiOvJBARaIYQOPy1t4LeOv
-t4ssvkSJPEG0tP2IT6ptecNN9CVRdPJn7tsgvjgPvqgymLlaw8DheFS3EK4sFd0a
-SIwrYcXY8fyAFuGbbcx2JTfmxwLGYXeWG4MDkcYctUhXiObMb0YI2eXlTu4JXqJH
-q1myl7pi3gux7JcFjr0ANh9mDOYXzL52WqZObaVUUNn8p/aNWpati9Z9PL2uJNxY
-myZbTqWGTpZ8XlZnZYg8bHVJGoc7/seSDEnSreGQtXl6MrnsN9bDU6UhufI0iAiH
-fCeELpxjBpvZi2TzYnltX+21f3oUXurXT4eYPJm6YU0CggEBAIrJUSphtvJovU/S
-uGRTBEIIzekmk0JWHxu2iU84RT30hb7QwlhvFWLjFrM1MirtBRVBlpf7Gau6JUck
-lLVkNw1NXotprA3Iu0lgUIU29LLp6KS4eBSkghmh6nEDGshmT6TTVhrbKebctAOq
-qRsBfFfhVFKwgckCe8Uapukls4bSyWX1GVF+KwFC/0WOScIhSno8Ed0cfu38k0CI
-RnAFPYpLyhHQ6rUzkZVcyIi/RUKPqOJ0QCaukewG45ffUiCffd8QUlGETjRJtdNN
-GN8tWrz3DI/qo3BAtLwPguOxLLaqfv7r9Xradi1vCF0Wo82ZI32JO1n9rMSjA7vF
-8LNuUc0CggEAedBPh8Mw4qVPgyoDV93VpXu1s5VU796fkqrdmblCq4Ij1L2JrWKU
-0OYboQIZxW1IvEy71fw9X4mWfMWhZZ/31jZTPQqW64UqixeCfyvFvIMdOFqp3Au+
-oS6x4bXBRT0RH00P4ZrB6dkvy9Vz0ktu+aokEYhylJ94HyBU5WaI7kITBi0JqZx/
-Urzn6OOXmn/4xE/becoDJMZmbXYjWs16bKIpMxgrKBY/r3SG0yeorG8h3e+dZYwp
-3cFP0tf2xkgteeGXFqw/q7cPKoj+K3jgsmvzpeeVYsHoNcWHH2I+gs+T9k3+wEz1
-kPGkBka6rlwV7Gv0kLrYpIv27CcciHjQuQKCAQActQM3DTC3pzEwwPeYMnSXL9/s
-uDqbj3MV6H8fxPIGJWfpDst7nWXhT81uKG6fYmeg5Z6nJXfP0dUF5TpW1zk6VGwn
-t/ch6U7HYpseZsywdZPVIo/upgkowXSl6mfqyxzGngXuORh4zhRpcn4GTwzHG2Te
-xNqMEb/i/IWnvtfvyfhEBewJcMr9Npwrg615pCiZ8y3cjvJf/gl0cGZ5LIuWBQB5
-F16JxF3mm1XCukTXZO90vg3Y1JxeB+YYyF+1aQL+DgvhGZNRrGrBT/QuXQpiMCMf
-VM9oZVrI7cYVNnPBEoHVcyP21NQ5AWoFTaSpMJiHZ4FBie0BGO6IkzMcG23r
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/test-int-ca2.crt b/tests/data_files/test-int-ca2.crt
deleted file mode 100644
index 80f39b9..0000000
--- a/tests/data_files/test-int-ca2.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
-WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
-ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
-BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
-FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
-12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
-GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
-whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
-/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
-hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca2.key b/tests/data_files/test-int-ca2.key
deleted file mode 100644
index 9df5b7a..0000000
--- a/tests/data_files/test-int-ca2.key
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDAtxOHUV4be1MdH1frBHzxITCyUSxrVjJN8QTvTVk558ka0a3zhd4Pb
-ekWt7wBPXQegBwYFK4EEACKhZANiAATw6KHd9flIt43V2YWdxCVYzD35jqxduWGW
-tcHGFfGPB3CkIcQ2f5+hRV2uphVhrtK6/dBV47qcnX0fdA2LFbyKTU/6HGxtqrxu
-1rvy8DIeYLgSZdAuDXDujFv1DzapfVg=
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/test-int-ca3-badsign.crt b/tests/data_files/test-int-ca3-badsign.crt
deleted file mode 100644
index 8c36315..0000000
--- a/tests/data_files/test-int-ca3-badsign.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg10==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca3.crt b/tests/data_files/test-int-ca3.crt
deleted file mode 100644
index 3aa64b1..0000000
--- a/tests/data_files/test-int-ca3.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
-ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
-ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
-+V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
-1GRe86dg1A==
------END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca3.key b/tests/data_files/test-int-ca3.key
deleted file mode 100644
index 1bcc711..0000000
--- a/tests/data_files/test-int-ca3.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIC9zTt8jgjBlbq+qCsGj6uclaKLYBqxYSmUiuBdM1KG9oAoGCCqGSM49
-AwEHoUQDQgAE732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9h
-hP7X/5js/DX92J/utoHyjUtVpQOzdTrbsQ==
------END EC PRIVATE KEY-----
diff --git a/tests/data_files/test_certs.h.jinja2 b/tests/data_files/test_certs.h.jinja2
deleted file mode 100644
index 92131dd..0000000
--- a/tests/data_files/test_certs.h.jinja2
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * X.509 test certificates
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/* THIS FILE is generated by `tests/scripts/generate_test_cert_macros.py` */
-/* *INDENT-OFF* */
-
-{% for mode, name, value in macros %}
- {% if mode == 'string' %}
-/* This is taken from {{value}}. */
-/* BEGIN FILE string macro {{name}} {{value}} */
-#define {{name}}{{ '\\' | put_to_column(position=80-9-name|length)}}
- {% for line in value | read_lines %}
- "{{line}}\r\n"{% if not loop.last %}{{ '\\' | put_to_column(position=80-10-1-line|length)}}
- {% endif %}
- {% endfor %}
-
-/* END FILE */
- {% endif %}
- {% if mode == 'binary' %}
-/* This is generated from {{value}}. */
-/* BEGIN FILE binary macro {{name}} {{value}} */
-#define {{name}} {% raw -%} { {%- endraw %} {{ '\\' | put_to_column(position=80-11-name|length)}}
- {% for line in value | read_as_c_array %}
- {% if not loop.last %}
- {{line}},{{ '\\' | put_to_column(position=80-9-line|length)}}
- {% else %}
- {{line}}{{ '\\' | put_to_column(position=80-8-line|length)}}
- {% endif %}
- {% endfor %}
-{% raw -%} } {%- endraw %}
-
-/* END FILE */
- {% endif %}
- {% if mode == 'password' %}
-#define {{name}} "{{value}}"
- {% endif %}
-
-{% endfor %}
diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile
index d44cdff..e4c49fa 100644
--- a/tests/docker/bionic/Dockerfile
+++ b/tests/docker/bionic/Dockerfile
@@ -10,19 +10,7 @@
# for the set of Docker images we use on the CI.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
ARG MAKEFLAGS_PARALLEL=""
ARG MY_REGISTRY=
diff --git a/tests/git-scripts/pre-push.sh b/tests/git-scripts/pre-push.sh
index ce43467..9192678 100755
--- a/tests/git-scripts/pre-push.sh
+++ b/tests/git-scripts/pre-push.sh
@@ -2,19 +2,7 @@
# pre-push.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/tests/include/alt-dummy/aes_alt.h b/tests/include/alt-dummy/aes_alt.h
index 21d85f1..dc47dd1 100644
--- a/tests/include/alt-dummy/aes_alt.h
+++ b/tests/include/alt-dummy/aes_alt.h
@@ -1,19 +1,7 @@
/* aes_alt.h with dummy types for MBEDTLS_AES_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef AES_ALT_H
diff --git a/tests/include/alt-dummy/aria_alt.h b/tests/include/alt-dummy/aria_alt.h
index aabec9c..94db8c7 100644
--- a/tests/include/alt-dummy/aria_alt.h
+++ b/tests/include/alt-dummy/aria_alt.h
@@ -1,19 +1,7 @@
/* aria_alt.h with dummy types for MBEDTLS_ARIA_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef ARIA_ALT_H
diff --git a/tests/include/alt-dummy/camellia_alt.h b/tests/include/alt-dummy/camellia_alt.h
index b42613b..97bc16b 100644
--- a/tests/include/alt-dummy/camellia_alt.h
+++ b/tests/include/alt-dummy/camellia_alt.h
@@ -1,19 +1,7 @@
/* camellia_alt.h with dummy types for MBEDTLS_CAMELLIA_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef CAMELLIA_ALT_H
diff --git a/tests/include/alt-dummy/ccm_alt.h b/tests/include/alt-dummy/ccm_alt.h
index 5ec7d4e..c25f42b 100644
--- a/tests/include/alt-dummy/ccm_alt.h
+++ b/tests/include/alt-dummy/ccm_alt.h
@@ -1,19 +1,7 @@
/* ccm_alt.h with dummy types for MBEDTLS_CCM_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef CCM_ALT_H
diff --git a/tests/include/alt-dummy/chacha20_alt.h b/tests/include/alt-dummy/chacha20_alt.h
index a53a330..6fd84d0 100644
--- a/tests/include/alt-dummy/chacha20_alt.h
+++ b/tests/include/alt-dummy/chacha20_alt.h
@@ -1,19 +1,7 @@
/* chacha20_alt.h with dummy types for MBEDTLS_CHACHA20_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef CHACHA20_ALT_H
diff --git a/tests/include/alt-dummy/chachapoly_alt.h b/tests/include/alt-dummy/chachapoly_alt.h
index 584a421..de28ced 100644
--- a/tests/include/alt-dummy/chachapoly_alt.h
+++ b/tests/include/alt-dummy/chachapoly_alt.h
@@ -1,19 +1,7 @@
/* chachapoly_alt.h with dummy types for MBEDTLS_CHACHAPOLY_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef CHACHAPOLY_ALT_H
diff --git a/tests/include/alt-dummy/cmac_alt.h b/tests/include/alt-dummy/cmac_alt.h
index 13c998d..68b53d7 100644
--- a/tests/include/alt-dummy/cmac_alt.h
+++ b/tests/include/alt-dummy/cmac_alt.h
@@ -1,19 +1,7 @@
/* cmac_alt.h with dummy types for MBEDTLS_CMAC_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef CMAC_ALT_H
diff --git a/tests/include/alt-dummy/des_alt.h b/tests/include/alt-dummy/des_alt.h
index 3b8abe4..d079861 100644
--- a/tests/include/alt-dummy/des_alt.h
+++ b/tests/include/alt-dummy/des_alt.h
@@ -1,19 +1,7 @@
/* des_alt.h with dummy types for MBEDTLS_DES_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*
*/
diff --git a/tests/include/alt-dummy/dhm_alt.h b/tests/include/alt-dummy/dhm_alt.h
deleted file mode 100644
index ccb3bd3..0000000
--- a/tests/include/alt-dummy/dhm_alt.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* dhm_alt.h with dummy types for MBEDTLS_DHM_ALT */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef DHM_ALT_H
-#define DHM_ALT_H
-
-typedef struct mbedtls_dhm_context {
- int dummy;
-}
-mbedtls_dhm_context;
-
-
-#endif /* dhm_alt.h */
diff --git a/tests/include/alt-dummy/ecjpake_alt.h b/tests/include/alt-dummy/ecjpake_alt.h
deleted file mode 100644
index 90c21da..0000000
--- a/tests/include/alt-dummy/ecjpake_alt.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* ecjpake_alt.h with dummy types for MBEDTLS_ECJPAKE_ALT */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ECJPAKE_ALT_H
-#define ECJPAKE_ALT_H
-
-typedef struct mbedtls_ecjpake_context {
- int dummy;
-} mbedtls_ecjpake_context;
-
-
-#endif /* ecjpake_alt.h */
diff --git a/tests/include/alt-dummy/ecp_alt.h b/tests/include/alt-dummy/ecp_alt.h
deleted file mode 100644
index 56c9810..0000000
--- a/tests/include/alt-dummy/ecp_alt.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* ecp_alt.h with dummy types for MBEDTLS_ECP_ALT */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ECP_ALT_H
-#define ECP_ALT_H
-
-typedef struct mbedtls_ecp_group {
- const mbedtls_ecp_group_id id;
- const mbedtls_mpi P;
- const mbedtls_mpi A;
- const mbedtls_mpi B;
- const mbedtls_ecp_point G;
- const mbedtls_mpi N;
- const size_t pbits;
- const size_t nbits;
-}
-mbedtls_ecp_group;
-
-#endif /* ecp_alt.h */
diff --git a/tests/include/alt-dummy/gcm_alt.h b/tests/include/alt-dummy/gcm_alt.h
index 7be5b62..cfa73d2 100644
--- a/tests/include/alt-dummy/gcm_alt.h
+++ b/tests/include/alt-dummy/gcm_alt.h
@@ -1,19 +1,7 @@
/* gcm_alt.h with dummy types for MBEDTLS_GCM_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef GCM_ALT_H
diff --git a/tests/include/alt-dummy/md5_alt.h b/tests/include/alt-dummy/md5_alt.h
index 1f3e5ed..e3a15d7 100644
--- a/tests/include/alt-dummy/md5_alt.h
+++ b/tests/include/alt-dummy/md5_alt.h
@@ -1,19 +1,7 @@
/* md5_alt.h with dummy types for MBEDTLS_MD5_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MD5_ALT_H
diff --git a/tests/include/alt-dummy/nist_kw_alt.h b/tests/include/alt-dummy/nist_kw_alt.h
index 8fec116..1274d40 100644
--- a/tests/include/alt-dummy/nist_kw_alt.h
+++ b/tests/include/alt-dummy/nist_kw_alt.h
@@ -1,19 +1,7 @@
/* nist_kw_alt.h with dummy types for MBEDTLS_NIST_KW_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef NIST_KW_ALT_H
diff --git a/tests/include/alt-dummy/platform_alt.h b/tests/include/alt-dummy/platform_alt.h
index 836f299..6757392 100644
--- a/tests/include/alt-dummy/platform_alt.h
+++ b/tests/include/alt-dummy/platform_alt.h
@@ -1,19 +1,7 @@
/* platform_alt.h with dummy types for MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PLATFORM_ALT_H
diff --git a/tests/include/alt-dummy/poly1305_alt.h b/tests/include/alt-dummy/poly1305_alt.h
index 5a8295f..c8ed1bc 100644
--- a/tests/include/alt-dummy/poly1305_alt.h
+++ b/tests/include/alt-dummy/poly1305_alt.h
@@ -1,19 +1,7 @@
/* poly1305_alt.h with dummy types for MBEDTLS_POLY1305_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef POLY1305_ALT_H
diff --git a/tests/include/alt-dummy/ripemd160_alt.h b/tests/include/alt-dummy/ripemd160_alt.h
index ca3b338..72ae47e 100644
--- a/tests/include/alt-dummy/ripemd160_alt.h
+++ b/tests/include/alt-dummy/ripemd160_alt.h
@@ -1,19 +1,7 @@
/* ripemd160_alt.h with dummy types for MBEDTLS_RIPEMD160_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef RIPEMD160_ALT_H
diff --git a/tests/include/alt-dummy/rsa_alt.h b/tests/include/alt-dummy/rsa_alt.h
deleted file mode 100644
index 24f672b..0000000
--- a/tests/include/alt-dummy/rsa_alt.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* rsa_alt.h with dummy types for MBEDTLS_RSA_ALT */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef RSA_ALT_H
-#define RSA_ALT_H
-
-typedef struct mbedtls_rsa_context {
- int dummy;
-}
-mbedtls_rsa_context;
-
-
-#endif /* rsa_alt.h */
diff --git a/tests/include/alt-dummy/sha1_alt.h b/tests/include/alt-dummy/sha1_alt.h
index 36bf71d..d8ac971 100644
--- a/tests/include/alt-dummy/sha1_alt.h
+++ b/tests/include/alt-dummy/sha1_alt.h
@@ -1,19 +1,7 @@
/* sha1_alt.h with dummy types for MBEDTLS_SHA1_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef SHA1_ALT_H
diff --git a/tests/include/alt-dummy/sha256_alt.h b/tests/include/alt-dummy/sha256_alt.h
index 304734b..b1900ad 100644
--- a/tests/include/alt-dummy/sha256_alt.h
+++ b/tests/include/alt-dummy/sha256_alt.h
@@ -1,19 +1,7 @@
/* sha256_alt.h with dummy types for MBEDTLS_SHA256_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef SHA256_ALT_H
diff --git a/tests/include/alt-dummy/sha512_alt.h b/tests/include/alt-dummy/sha512_alt.h
index 13e5810..857bc91 100644
--- a/tests/include/alt-dummy/sha512_alt.h
+++ b/tests/include/alt-dummy/sha512_alt.h
@@ -1,19 +1,7 @@
/* sha512_alt.h with dummy types for MBEDTLS_SHA512_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef SHA512_ALT_H
diff --git a/tests/include/alt-dummy/threading_alt.h b/tests/include/alt-dummy/threading_alt.h
index 4003506..07d5da4 100644
--- a/tests/include/alt-dummy/threading_alt.h
+++ b/tests/include/alt-dummy/threading_alt.h
@@ -1,19 +1,7 @@
/* threading_alt.h with dummy types for MBEDTLS_THREADING_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef THREADING_ALT_H
diff --git a/tests/include/alt-dummy/timing_alt.h b/tests/include/alt-dummy/timing_alt.h
index 9d4e100..69bee60 100644
--- a/tests/include/alt-dummy/timing_alt.h
+++ b/tests/include/alt-dummy/timing_alt.h
@@ -1,19 +1,7 @@
/* timing_alt.h with dummy types for MBEDTLS_TIMING_ALT */
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TIMING_ALT_H
diff --git a/tests/include/baremetal-override/time.h b/tests/include/baremetal-override/time.h
index 40eed2d..0a44275 100644
--- a/tests/include/baremetal-override/time.h
+++ b/tests/include/baremetal-override/time.h
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#error "time.h included in a configuration without MBEDTLS_HAVE_TIME"
diff --git a/tests/include/spe/crypto_spe.h b/tests/include/spe/crypto_spe.h
index de84264..fdf3a2d 100644
--- a/tests/include/spe/crypto_spe.h
+++ b/tests/include/spe/crypto_spe.h
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*
*/
diff --git a/tests/include/test/arguments.h b/tests/include/test/arguments.h
index 74bbbd5..6d267b6 100644
--- a/tests/include/test/arguments.h
+++ b/tests/include/test/arguments.h
@@ -8,19 +8,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_ARGUMENTS_H
diff --git a/tests/include/test/asn1_helpers.h b/tests/include/test/asn1_helpers.h
index dee3cbd..2eb9171 100644
--- a/tests/include/test/asn1_helpers.h
+++ b/tests/include/test/asn1_helpers.h
@@ -2,19 +2,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef ASN1_HELPERS_H
diff --git a/tests/include/test/bignum_helpers.h b/tests/include/test/bignum_helpers.h
index fc97d23..a5e49cb 100644
--- a/tests/include/test/bignum_helpers.h
+++ b/tests/include/test/bignum_helpers.h
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_BIGNUM_HELPERS_H
@@ -89,14 +77,14 @@ void mbedtls_test_mpi_mod_modulus_free_with_limbs(mbedtls_mpi_mod_modulus *N);
*
* - This function guarantees that if \p s begins with '-' then the sign
* bit of the result will be negative, even if the value is 0.
- * When this function encounters such a "negative 0", it
- * increments #mbedtls_test_case_uses_negative_0.
- * - The size of the result is exactly the minimum number of limbs needed
- * to fit the digits in the input. In particular, this function constructs
- * a bignum with 0 limbs for an empty string, and a bignum with leading 0
- * limbs if the string has sufficiently many leading 0 digits.
- * This is important so that the "0 (null)" and "0 (1 limb)" and
- * "leading zeros" test cases do what they claim.
+ * When this function encounters such a "negative 0", it calls
+ * mbedtls_test_increment_case_uses_negative_0().
+ * - The size of the result is exactly the minimum number of limbs needed to fit
+ * the digits in the input. In particular, this function constructs a bignum
+ * with 0 limbs for an empty string, and a bignum with leading 0 limbs if the
+ * string has sufficiently many leading 0 digits. This is important so that
+ * the "0 (null)" and "0 (1 limb)" and "leading zeros" test cases do what they
+ * claim.
*
* \param[out] X The MPI object to populate. It must be initialized.
* \param[in] s The null-terminated hexadecimal string to read from.
@@ -105,14 +93,6 @@ void mbedtls_test_mpi_mod_modulus_free_with_limbs(mbedtls_mpi_mod_modulus *N);
*/
int mbedtls_test_read_mpi(mbedtls_mpi *X, const char *s);
-/** Nonzero if the current test case had an input parsed with
- * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc.,
- * constructing a result with the sign bit set to -1 and the value being
- * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is
- * tested for robustness).
- */
-extern unsigned mbedtls_test_case_uses_negative_0;
-
#endif /* MBEDTLS_BIGNUM_C */
#endif /* TEST_BIGNUM_HELPERS_H */
diff --git a/tests/include/test/certs.h b/tests/include/test/certs.h
index 65c5582..db69536 100644
--- a/tests/include/test/certs.h
+++ b/tests/include/test/certs.h
@@ -5,19 +5,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CERTS_H
#define MBEDTLS_CERTS_H
diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h
index f3d676e..c5658eb 100644
--- a/tests/include/test/constant_flow.h
+++ b/tests/include/test/constant_flow.h
@@ -6,19 +6,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_CONSTANT_FLOW_H
diff --git a/tests/include/test/drivers/aead.h b/tests/include/test/drivers/aead.h
index 037a255..a033e39 100644
--- a/tests/include/test/drivers/aead.h
+++ b/tests/include/test/drivers/aead.h
@@ -2,19 +2,7 @@
* Test driver for AEAD driver entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_AEAD_H
diff --git a/tests/include/test/drivers/asymmetric_encryption.h b/tests/include/test/drivers/asymmetric_encryption.h
index c602d2f..0ac7708 100644
--- a/tests/include/test/drivers/asymmetric_encryption.h
+++ b/tests/include/test/drivers/asymmetric_encryption.h
@@ -2,19 +2,7 @@
* Test driver for asymmetric encryption.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_ASYMMETRIC_ENCRYPTION_H
diff --git a/tests/include/test/drivers/cipher.h b/tests/include/test/drivers/cipher.h
index 54c37f7..2fe47e4 100644
--- a/tests/include/test/drivers/cipher.h
+++ b/tests/include/test/drivers/cipher.h
@@ -2,19 +2,7 @@
* Test driver for cipher functions
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_CIPHER_H
@@ -35,11 +23,17 @@ typedef struct {
/* If not PSA_SUCCESS, return this error code instead of processing the
* function call. */
psa_status_t forced_status;
+ psa_status_t forced_status_encrypt;
+ psa_status_t forced_status_set_iv;
/* Count the amount of times one of the cipher driver functions is called. */
unsigned long hits;
+ unsigned long hits_encrypt;
+ unsigned long hits_set_iv;
} mbedtls_test_driver_cipher_hooks_t;
-#define MBEDTLS_TEST_DRIVER_CIPHER_INIT { NULL, 0, PSA_SUCCESS, 0 }
+#define MBEDTLS_TEST_DRIVER_CIPHER_INIT { NULL, 0, \
+ PSA_SUCCESS, PSA_SUCCESS, PSA_SUCCESS, \
+ 0, 0, 0 }
static inline mbedtls_test_driver_cipher_hooks_t
mbedtls_test_driver_cipher_hooks_init(void)
{
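Review bot: `MBEDTLS_TEST_DRIVER_CIPHER_INIT` stays a positional initializer while the struct gains four members, so its correctness depends on the three status values and three counters being lined up with the declaration order by hand. Designated initializers (for example `.forced_status_encrypt = PSA_SUCCESS`) would keep a later insertion or reordering from silently shifting values. The same applies to `MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT` in tests/include/test/drivers/key_management.h, where the trailing `0x800000` location moves two slots. The new `forced_status_encrypt` and `forced_status_set_iv` members also have no comment saying which entry points they affect or which value wins when `forced_status` is set as well, e.g. `/* If not PSA_SUCCESS, returned by the encrypt entry point only. */` if that is the intent. The struct definition starts above this hunk and the init function's body continues below it.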
diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h
index 81f9883..ec8bcb6 100644
--- a/tests/include/test/drivers/config_test_driver.h
+++ b/tests/include/test/drivers/config_test_driver.h
@@ -7,19 +7,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_CONFIG_H
@@ -52,5 +40,7 @@
//#define MBEDTLS_MD_C
//#define MBEDTLS_PEM_PARSE_C
//#define MBEDTLS_BASE64_C
+//#define MBEDTLS_THREADING_C
+//#define MBEDTLS_THREADING_PTHREAD
#endif /* MBEDTLS_CONFIG_H */
diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h
index ef8c88a..66378e7 100644
--- a/tests/include/test/drivers/crypto_config_test_driver_extension.h
+++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h
@@ -1,9 +1,24 @@
/**
- * This file is intended to be used to build PSA test driver libraries. It is
- * intended to be appended by the test build system to the crypto_config.h file
- * of the Mbed TLS library the test library will be linked to. It mirrors the
- * PSA_ACCEL_* macros defining the cryptographic operations the test library
- * supports.
+ * This file is intended to be used to build PSA external test driver
+ * libraries (libtestdriver1).
+ *
+ * It is intended to be appended by the test build system to the
+ * crypto_config.h file of the Mbed TLS library the test library will be
+ * linked to (see `tests/Makefile` libtestdriver1 target). This is done in
+ * order to insert it at the right time: after the main configuration
+ * (PSA_WANT) but before the logic that determines what built-ins to enable
+ * based on PSA_WANT and MBEDTLS_PSA_ACCEL macros.
+ *
+ * It reverses the PSA_ACCEL_* macros defining the cryptographic operations
+ * that will be accelerated in the main library:
+ * - When something is accelerated in the main library, we need it supported
+ * in libtestdriver1, so we disable the accel macro in order to the built-in
+ * to be enabled.
+ * - When something is NOT accelerated in the main library, we don't need it
+ * in libtestdriver1, so we enable its accel macro in order to the built-in
+ * to be disabled, to keep libtestdriver1 minimal. (We can't adjust the
+ * PSA_WANT macros as they need to be the same between libtestdriver1 and
+ * the main library, since they determine the ABI between the two.)
*/
#include "psa/crypto_legacy.h"
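Review bot: The two bullets in the new header comment read `in order to the built-in to be enabled` and `in order to the built-in to be disabled`, which does not parse. `so that the built-in is enabled` and `so that the built-in is disabled` say what is meant. The comment also says the file "reverses" the PSA_ACCEL_* macros without stating that this happens only for features whose PSA_WANT_* macro is defined, which is how every block below is guarded; one added sentence to that effect would match the text to the code.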
@@ -32,6 +47,14 @@
#endif
#endif
+#if defined(PSA_WANT_ALG_CMAC)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CMAC)
+#undef MBEDTLS_PSA_ACCEL_ALG_CMAC
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1
+#endif
+#endif
+
#if defined(PSA_WANT_ALG_CTR)
#if defined(MBEDTLS_PSA_ACCEL_ALG_CTR)
#undef MBEDTLS_PSA_ACCEL_ALG_CTR
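Review bot: Each inversion block spells the same macro suffix four times, and nothing checks that the `PSA_WANT_*` guard, the `defined()` test, the `#undef` and the `#define` agree. A copy-paste mismatch would still compile and would only change which built-in ends up in libtestdriver1. This applies to the CMAC block here and to every block added in the three later hunks of this file. A comment at the top of the list such as `/* Each block must use the same suffix in all four places; a mismatch silently changes what libtestdriver1 builds. */` would flag it, and generating the list from a table of names would remove the risk altogether.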
@@ -40,6 +63,126 @@
#endif
#endif
+#if defined(PSA_WANT_ALG_STREAM_CIPHER)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER)
+#undef MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)
+#undef MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)
+#undef MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)
+#undef MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)
+#undef MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)
+#undef MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448)
+#undef MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_K1_192)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_K1_224)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_R1_224)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+#if defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
+#undef MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521
+#else
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521 1
+#endif
+#endif
+
#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
#if defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
#undef MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA
@@ -64,6 +207,46 @@
#endif
#endif
+#if defined(PSA_WANT_DH_RFC7919_2048)
+#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)
+#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_2048
+#else
+#define MBEDTLS_PSA_ACCEL_DH_RFC7919_2048
+#endif
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_3072)
+#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)
+#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_3072
+#else
+#define MBEDTLS_PSA_ACCEL_DH_RFC7919_3072
+#endif
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_4096)
+#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)
+#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_4096
+#else
+#define MBEDTLS_PSA_ACCEL_DH_RFC7919_4096
+#endif
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_6144)
+#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)
+#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_6144
+#else
+#define MBEDTLS_PSA_ACCEL_DH_RFC7919_6144
+#endif
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_8192)
+#if defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192)
+#undef MBEDTLS_PSA_ACCEL_DH_RFC7919_8192
+#else
+#define MBEDTLS_PSA_ACCEL_DH_RFC7919_8192
+#endif
+#endif
+
#if defined(PSA_WANT_ALG_FFDH)
#if defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
#undef MBEDTLS_PSA_ACCEL_ALG_FFDH
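Review bot: The five new `MBEDTLS_PSA_ACCEL_DH_RFC7919_*` blocks define the macro with no value, while every other block added in this file uses `#define ... 1`. That is harmless where the macro is only tested with `defined()`, but a value test such as `#if MBEDTLS_PSA_ACCEL_DH_RFC7919_2048` would fail to preprocess on an empty expansion; whether such a use exists is not visible here. For consistency each should read like `#define MBEDTLS_PSA_ACCEL_DH_RFC7919_2048 1`.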
@@ -393,38 +576,114 @@
#endif
#endif
-#define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1
-#define MBEDTLS_PSA_ACCEL_ALG_CCM 1
-#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1
-#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1
+#if defined(PSA_WANT_ALG_GCM)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_GCM)
+#undef MBEDTLS_PSA_ACCEL_ALG_GCM
+#else
#define MBEDTLS_PSA_ACCEL_ALG_GCM 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_CCM)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CCM)
+#undef MBEDTLS_PSA_ACCEL_ALG_CCM
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CCM 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG)
+#undef MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_CBC_MAC)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
+#undef MBEDTLS_PSA_ACCEL_ALG_CBC_MAC
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_HMAC)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#undef MBEDTLS_PSA_ACCEL_ALG_HMAC
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_HMAC 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_HKDF)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
+#undef MBEDTLS_PSA_ACCEL_ALG_HKDF
+#else
#define MBEDTLS_PSA_ACCEL_ALG_HKDF 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)
+#undef MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT
+#else
#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)
+#undef MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND
+#else
#define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND 1
-#define MBEDTLS_PSA_ACCEL_ALG_HMAC 1
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+#undef MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP
+#else
#define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP 1
-#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1
-#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1
+#endif
+#endif
-#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) && \
- defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) && \
- defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE)
-#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256 1
-#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384 1
-#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512 1
-#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255 1
-#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384 1
-#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521 1
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT)
+#undef MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1
+#endif
#endif
+#if defined(PSA_WANT_KEY_TYPE_DERIVE)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE
+#else
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE 1
+#endif
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_HMAC)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC
+#else
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC 1
+#endif
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_DES
+#else
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DES 1
+#endif
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RAW_DATA)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA
+#else
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA 1
+#endif
+#endif
diff --git a/tests/include/test/drivers/hash.h b/tests/include/test/drivers/hash.h
index f1da8d3..ad48c45 100644
--- a/tests/include/test/drivers/hash.h
+++ b/tests/include/test/drivers/hash.h
@@ -2,19 +2,7 @@
* Test driver for hash driver entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_HASH_H
diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h
index aaf74a8..ca82b3a 100644
--- a/tests/include/test/drivers/key_agreement.h
+++ b/tests/include/test/drivers/key_agreement.h
@@ -2,19 +2,7 @@
* Test driver for key agreement functions.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H
diff --git a/tests/include/test/drivers/key_management.h b/tests/include/test/drivers/key_management.h
index 43df0d6..1d9bc43 100644
--- a/tests/include/test/drivers/key_management.h
+++ b/tests/include/test/drivers/key_management.h
@@ -2,19 +2,7 @@
* Test driver for generating and verifying keys.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H
@@ -38,6 +26,10 @@ typedef struct {
/* Count the amount of times one of the key management driver functions
* is called. */
unsigned long hits;
+ /* Subset of hits which only counts public key export operations */
+ unsigned long hits_export_public_key;
+ /* Subset of hits which only counts key generation operations */
+ unsigned long hits_generate_key;
/* Location of the last key management driver called to import a key. */
psa_key_location_t location;
} mbedtls_test_driver_key_management_hooks_t;
@@ -46,7 +38,7 @@ typedef struct {
* sense that no PSA specification will assign a meaning to this location
* (stated first in version 1.0.1 of the specification) and that it is not
* used as a location of an opaque test drivers. */
-#define MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT { NULL, 0, PSA_SUCCESS, 0, 0x800000 }
+#define MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT { NULL, 0, PSA_SUCCESS, 0, 0, 0, 0x800000 }
static inline mbedtls_test_driver_key_management_hooks_t
mbedtls_test_driver_key_management_hooks_init(void)
{
@@ -77,6 +69,10 @@ void mbedtls_test_transparent_free(void);
psa_status_t mbedtls_test_opaque_init(void);
void mbedtls_test_opaque_free(void);
+psa_status_t mbedtls_test_opaque_unwrap_key(
+ const uint8_t *wrapped_key, size_t wrapped_key_length, uint8_t *key_buffer,
+ size_t key_buffer_size, size_t *key_buffer_length);
+
psa_status_t mbedtls_test_transparent_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key, size_t key_size, size_t *key_length);
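Review bot: `mbedtls_test_opaque_unwrap_key()` is declared without any comment, and for a function that writes key material into a caller-supplied buffer the contract matters. The header does not say that `key_buffer_length` is an output, nor what is returned when `key_buffer_size` is too small for the unwrapped key. A short Doxygen block above the prototype should name the inputs (`wrapped_key`, `wrapped_key_length`), the output buffer and its capacity, and the status returned on a short buffer. The actual behaviour has to be taken from the implementation, which is not in this hunk.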
diff --git a/tests/include/test/drivers/mac.h b/tests/include/test/drivers/mac.h
index bdc2b70..d92eff9 100644
--- a/tests/include/test/drivers/mac.h
+++ b/tests/include/test/drivers/mac.h
@@ -2,19 +2,7 @@
* Test driver for MAC driver entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_MAC_H
diff --git a/tests/include/test/drivers/pake.h b/tests/include/test/drivers/pake.h
index 331ee49..d292ca0 100644
--- a/tests/include/test/drivers/pake.h
+++ b/tests/include/test/drivers/pake.h
@@ -2,19 +2,7 @@
* Test driver for PAKE driver entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_PAKE_H
diff --git a/tests/include/test/drivers/signature.h b/tests/include/test/drivers/signature.h
index 4c56a12..8c5703e 100644
--- a/tests/include/test/drivers/signature.h
+++ b/tests/include/test/drivers/signature.h
@@ -2,19 +2,7 @@
* Test driver for signature functions.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_SIGNATURE_H
diff --git a/tests/include/test/drivers/test_driver.h b/tests/include/test/drivers/test_driver.h
index 541ee03..74605d6 100644
--- a/tests/include/test/drivers/test_driver.h
+++ b/tests/include/test/drivers/test_driver.h
@@ -2,19 +2,7 @@
* Umbrella include for all of the test driver functionality
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_TEST_DRIVER_H
diff --git a/tests/include/test/fake_external_rng_for_test.h b/tests/include/test/fake_external_rng_for_test.h
index 01bfb91..e3e331d 100644
--- a/tests/include/test/fake_external_rng_for_test.h
+++ b/tests/include/test/fake_external_rng_for_test.h
@@ -4,19 +4,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef FAKE_EXTERNAL_RNG_FOR_TEST_H
diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h
index dd4a6a2..d08100f 100644
--- a/tests/include/test/helpers.h
+++ b/tests/include/test/helpers.h
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_HELPERS_H
@@ -32,9 +20,29 @@
#include "mbedtls/build_info.h"
-#if defined(MBEDTLS_THREADING_C) && defined(MBEDTLS_THREADING_PTHREAD) && \
- defined(MBEDTLS_TEST_HOOKS)
-#define MBEDTLS_TEST_MUTEX_USAGE
+#if defined(__SANITIZE_ADDRESS__) /* gcc -fsanitize=address */
+# define MBEDTLS_TEST_HAVE_ASAN
+#endif
+#if defined(__SANITIZE_THREAD__) /* gcc -fsanitize-thread */
+# define MBEDTLS_TEST_HAVE_TSAN
+#endif
+
+#if defined(__has_feature)
+# if __has_feature(address_sanitizer) /* clang -fsanitize=address */
+# define MBEDTLS_TEST_HAVE_ASAN
+# endif
+# if __has_feature(memory_sanitizer) /* clang -fsanitize=memory */
+# define MBEDTLS_TEST_HAVE_MSAN
+# endif
+# if __has_feature(thread_sanitizer) /* clang -fsanitize=thread */
+# define MBEDTLS_TEST_HAVE_TSAN
+# endif
+#endif
+
+#include "test/threading_helpers.h"
+
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+#include "mbedtls/threading.h"
#endif
#include "mbedtls/platform.h"
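Review bot: The comment on the `__SANITIZE_THREAD__` check names a flag that does not exist, `-fsanitize-thread`. It should read `#if defined(__SANITIZE_THREAD__) /* gcc -fsanitize=thread */` to match the other four comments. Separately, the local definition of `MBEDTLS_TEST_MUTEX_USAGE` is removed, and the `#if defined(MBEDTLS_TEST_MUTEX_USAGE)` check below now presumably relies on `test/threading_helpers.h` having defined it. A one-line comment above that check, such as `/* MBEDTLS_TEST_MUTEX_USAGE is defined by test/threading_helpers.h */`, would make the include-order dependency explicit.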
@@ -58,20 +66,128 @@ typedef enum {
MBEDTLS_TEST_RESULT_SKIPPED
} mbedtls_test_result_t;
+#define MBEDTLS_TEST_LINE_LENGTH 76
+
typedef struct {
mbedtls_test_result_t result;
const char *test;
const char *filename;
int line_no;
unsigned long step;
- char line1[76];
- char line2[76];
+ char line1[MBEDTLS_TEST_LINE_LENGTH];
+ char line2[MBEDTLS_TEST_LINE_LENGTH];
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
const char *mutex_usage_error;
#endif
+#if defined(MBEDTLS_BIGNUM_C)
+ unsigned case_uses_negative_0;
+#endif
}
mbedtls_test_info_t;
-extern mbedtls_test_info_t mbedtls_test_info;
+
+/**
+ * \brief Get the current test result status
+ *
+ * \return The current test result status
+ */
+mbedtls_test_result_t mbedtls_test_get_result(void);
+
+/**
+ * \brief Get the current test name/description
+ *
+ * \return The current test name/description
+ */
+const char *mbedtls_test_get_test(void);
+
+/**
+ * \brief Get the current test filename
+ *
+ * \return The current test filename
+ */
+const char *mbedtls_get_test_filename(void);
+
+/**
+ * \brief Get the current test file line number (for failure / skip)
+ *
+ * \return The current test file line number (for failure / skip)
+ */
+int mbedtls_test_get_line_no(void);
+
+/**
+ * \brief Increment the current test step.
+ *
+ * \note It is not recommended for multiple threads to call this
+ * function concurrently - whilst it is entirely thread safe,
+ * the order of calls to this function can obviously not be
+ * ensured, so unexpected results may occur.
+ */
+void mbedtls_test_increment_step(void);
+
+/**
+ * \brief Get the current test step
+ *
+ * \return The current test step
+ */
+unsigned long mbedtls_test_get_step(void);
+
+/**
+ * \brief Get the current test line buffer 1
+ *
+ * \param line Buffer of minimum size \c MBEDTLS_TEST_LINE_LENGTH,
+ * which will have line buffer 1 copied to it.
+ */
+void mbedtls_test_get_line1(char *line);
+
+/**
+ * \brief Get the current test line buffer 2
+ *
+ * \param line Buffer of minimum size \c MBEDTLS_TEST_LINE_LENGTH,
+ * which will have line buffer 1 copied to it.
+ */
+void mbedtls_test_get_line2(char *line);
+
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+/**
+ * \brief Get the current mutex usage error message
+ *
+ * \return The current mutex error message (may be NULL if no error)
+ */
+const char *mbedtls_test_get_mutex_usage_error(void);
+
+/**
+ * \brief Set the current mutex usage error message
+ *
+ * \note This will only set the mutex error message if one has not
+ * already been set, or if we are clearing the message (msg is
+ * NULL)
+ *
+ * \param msg Error message to set (can be NULL to clear)
+ */
+void mbedtls_test_set_mutex_usage_error(const char *msg);
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+/**
+ * \brief Get whether the current test is a bignum test that uses
+ * negative zero.
+ *
+ * \return non zero if the current test uses bignum negative zero.
+ */
+unsigned mbedtls_test_get_case_uses_negative_0(void);
+
+/**
+ * \brief Indicate that the current test uses bignum negative zero.
+ *
+ * \note This function is called if the current test case had an
+ * input parsed with mbedtls_test_read_mpi() that is a negative
+ * 0 (`"-"`, `"-0"`, `"-00"`, etc., constructing a result with
+ * the sign bit set to -1 and the value being all-limbs-0,
+ * which is not a valid representation in #mbedtls_mpi but is
+ * tested for robustness). *
+ */
+void mbedtls_test_increment_case_uses_negative_0(void);
+#endif
int mbedtls_test_platform_setup(void);
void mbedtls_test_platform_teardown(void);
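Review bot: The documentation of `mbedtls_test_get_line2()` says the buffer `will have line buffer 1 copied to it`, carried over from the `mbedtls_test_get_line1()` comment; it should say `line buffer 2`. Both getters take a bare `char *line` with no length, so the documented minimum of `MBEDTLS_TEST_LINE_LENGTH` bytes is the only thing bounding the copy and the wording needs to be exact. `mbedtls_get_test_filename()` also breaks the `mbedtls_test_get_*` pattern the other accessors follow, and the `mbedtls_test_increment_case_uses_negative_0()` comment ends with a stray `*` after `robustness).`.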
@@ -108,24 +224,42 @@ void mbedtls_test_fail(const char *test, int line_no, const char *filename);
void mbedtls_test_skip(const char *test, int line_no, const char *filename);
/**
- * \brief Set the test step number for failure reports.
+ * \brief Set the test step number for failure reports.
+ *
+ * Call this function to display "step NNN" in addition to the
+ * line number and file name if a test fails. Typically the
+ * "step number" is the index of a for loop but it can be
+ * whatever you want.
*
- * Call this function to display "step NNN" in addition to the
- * line number and file name if a test fails. Typically the "step
- * number" is the index of a for loop but it can be whatever you
- * want.
+ * \note It is not recommended for multiple threads to call this
+ * function concurrently - whilst it is entirely thread safe,
+ * the order of calls to this function can obviously not be
+ * ensured, so unexpected results may occur.
*
* \param step The step number to report.
*/
void mbedtls_test_set_step(unsigned long step);
/**
- * \brief Reset mbedtls_test_info to a ready/starting state.
+ * \brief Reset mbedtls_test_info to a ready/starting state.
*/
void mbedtls_test_info_reset(void);
+#ifdef MBEDTLS_TEST_MUTEX_USAGE
/**
- * \brief Record the current test case as a failure if two integers
+ * \brief Get the test info data mutex.
+ *
+ * \note This is designed only to be used by threading_helpers to
+ * avoid a deadlock, not for general access to this mutex.
+ *
+ * \return The test info data mutex.
+ */
+mbedtls_threading_mutex_t *mbedtls_test_get_info_mutex(void);
+
+#endif /* MBEDTLS_TEST_MUTEX_USAGE */
+
+/**
+ * \brief Record the current test case as a failure if two integers
* have a different value.
*
* This function is usually called via the macro
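Review bot: The new guard around `mbedtls_test_get_info_mutex()` is written `#ifdef MBEDTLS_TEST_MUTEX_USAGE`, whereas the other guards on this macro in the header use `#if defined(MBEDTLS_TEST_MUTEX_USAGE)`; using one form keeps the guards easy to search for. The `mbedtls_test_info_reset()` comment still says it resets `mbedtls_test_info`, but the `extern` declaration of that object is removed earlier in this commit, so the text names something callers can no longer see. `Reset the test info state to a ready/starting state.` would match the accessor-based interface. The doc comment that begins at the end of this hunk continues outside it.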
@@ -251,16 +385,6 @@ int mbedtls_test_hexcmp(uint8_t *a, uint8_t *b,
#include "test/fake_external_rng_for_test.h"
#endif
-#if defined(MBEDTLS_TEST_MUTEX_USAGE)
-/** Permanently activate the mutex usage verification framework. See
- * threading_helpers.c for information. */
-void mbedtls_test_mutex_usage_init(void);
-
-/** Call this function after executing a test case to check for mutex usage
- * errors. */
-void mbedtls_test_mutex_usage_check(void);
-#endif /* MBEDTLS_TEST_MUTEX_USAGE */
-
#if defined(MBEDTLS_TEST_HOOKS)
/**
* \brief Check that only a pure high-level error code is being combined with
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index 3bfbe33..a73e06f 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -6,19 +6,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_MACROS_H
@@ -137,8 +125,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSERT((pointer) != NULL); \
} \
} while (0)
@@ -167,8 +155,8 @@
#define TEST_CALLOC_NONNULL(pointer, item_count) \
do { \
TEST_ASSERT((pointer) == NULL); \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
if (((pointer) == NULL) && ((item_count) == 0)) { \
(pointer) = mbedtls_calloc(1, 1); \
} \
@@ -187,8 +175,8 @@
do { \
TEST_ASSERT((pointer) == NULL); \
if ((item_count) != 0) { \
- (pointer) = mbedtls_calloc(sizeof(*(pointer)), \
- (item_count)); \
+ (pointer) = mbedtls_calloc((item_count), \
+ sizeof(*(pointer))); \
TEST_ASSUME((pointer) != NULL); \
} \
} while (0)
diff --git a/tests/include/test/memory.h b/tests/include/test/memory.h
new file mode 100644
index 0000000..940d9e6
--- /dev/null
+++ b/tests/include/test/memory.h
@@ -0,0 +1,108 @@
+/**
+ * \file memory.h
+ *
+ * \brief Helper macros and functions related to testing memory management.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef TEST_MEMORY_H
+#define TEST_MEMORY_H
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform.h"
+#include "test/helpers.h"
+
+/** \def MBEDTLS_TEST_MEMORY_CAN_POISON
+ *
+ * This macro is defined if the tests are compiled with a method to mark
+ * memory as poisoned, which can be used to enforce some memory access
+ * policies.
+ *
+ * Support for the C11 thread_local keyword is also required.
+ *
+ * Currently, only Asan (Address Sanitizer) is supported.
+ */
+#if defined(MBEDTLS_TEST_HAVE_ASAN) && \
+ (__STDC_VERSION__ >= 201112L) && \
+ !defined(PSA_CRYPTO_DRIVER_TEST)
+# define MBEDTLS_TEST_MEMORY_CAN_POISON
+#endif
+
+/** \def MBEDTLS_TEST_MEMORY_POISON(buf, size)
+ *
+ * Poison a memory area so that any attempt to read or write from it will
+ * cause a runtime failure.
+ *
+ * Depending on the implementation, this may poison a few bytes beyond the
+ * indicated region, but will never poison a separate object on the heap
+ * or a separate object with more than the alignment of a long long.
+ *
+ * The behavior is undefined if any part of the memory area is invalid.
+ *
+ * This is a no-op in builds without a poisoning method.
+ * See #MBEDTLS_TEST_MEMORY_CAN_POISON.
+ *
+ * \param buf Pointer to the beginning of the memory area to poison.
+ * \param size Size of the memory area in bytes.
+ */
+
+/** \def MBEDTLS_TEST_MEMORY_UNPOISON(buf, size)
+ *
+ * Undo the effect of #MBEDTLS_TEST_MEMORY_POISON.
+ *
+ * The behavior is undefined if any part of the memory area is invalid,
+ * or if the memory area contains a mixture of poisoned and unpoisoned parts.
+ *
+ * This is a no-op in builds without a poisoning method.
+ * See #MBEDTLS_TEST_MEMORY_CAN_POISON.
+ *
+ * \param buf Pointer to the beginning of the memory area to unpoison.
+ * \param size Size of the memory area in bytes.
+ */
+
+#if defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+
+/** Thread-local variable used to enable memory poisoning. This is set and
+ * unset in the test wrappers so that calls to PSA functions from the library
+ * do not poison memory.
+ */
+extern _Thread_local unsigned int mbedtls_test_memory_poisoning_count;
+
+/** Poison a memory area so that any attempt to read or write from it will
+ * cause a runtime failure.
+ *
+ * The behavior is undefined if any part of the memory area is invalid.
+ */
+void mbedtls_test_memory_poison(const unsigned char *ptr, size_t size);
+#define MBEDTLS_TEST_MEMORY_POISON(ptr, size) \
+ do { \
+ mbedtls_test_memory_poisoning_count++; \
+ mbedtls_test_memory_poison(ptr, size); \
+ } while (0)
+
+/** Undo the effect of mbedtls_test_memory_poison().
+ *
+ * This is a no-op if the given area is entirely valid, unpoisoned memory.
+ *
+ * The behavior is undefined if any part of the memory area is invalid,
+ * or if the memory area contains a mixture of poisoned and unpoisoned parts.
+ */
+void mbedtls_test_memory_unpoison(const unsigned char *ptr, size_t size);
+#define MBEDTLS_TEST_MEMORY_UNPOISON(ptr, size) \
+ do { \
+ mbedtls_test_memory_unpoison(ptr, size); \
+ if (mbedtls_test_memory_poisoning_count != 0) { \
+ mbedtls_test_memory_poisoning_count--; \
+ } \
+ } while (0)
+
+#else /* MBEDTLS_TEST_MEMORY_CAN_POISON */
+#define MBEDTLS_TEST_MEMORY_POISON(ptr, size) ((void) (ptr), (void) (size))
+#define MBEDTLS_TEST_MEMORY_UNPOISON(ptr, size) ((void) (ptr), (void) (size))
+#endif /* MBEDTLS_TEST_MEMORY_CAN_POISON */
+
+#endif /* TEST_MEMORY_H */
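Review bot: The `MBEDTLS_TEST_MEMORY_CAN_POISON` comment lists ASan and C11 thread-local support as the requirements, but the `#if` also requires `!defined(PSA_CRYPTO_DRIVER_TEST)`, which is not mentioned. In a build with that symbol defined both macros fall through to the `((void) (ptr), (void) (size))` no-ops, so an ASan run gives no poisoning coverage without any indication. A line such as `Poisoning is not available when PSA_CRYPTO_DRIVER_TEST is defined.`, together with the reason (not visible here), would make that explicit. The `\def` comments also document the first parameter as `buf` while the macro definitions name it `ptr`. `MBEDTLS_TEST_MEMORY_UNPOISON` clamps `mbedtls_test_memory_poisoning_count` at zero, so an unpoison without a matching poison goes unnoticed; if that is intentional, the comment on the counter should say so.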
diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h
index 9ba7dbc..7393d81 100644
--- a/tests/include/test/psa_crypto_helpers.h
+++ b/tests/include/test/psa_crypto_helpers.h
@@ -3,19 +3,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_HELPERS_H
@@ -23,15 +11,11 @@
#include "test/helpers.h"
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "test/psa_helpers.h"
#include <psa/crypto.h>
#endif
-#if defined(MBEDTLS_MD_LIGHT)
-#include "mbedtls/md.h"
-#endif
-
#if defined(MBEDTLS_PSA_CRYPTO_C)
/** Initialize the PSA Crypto subsystem. */
#define PSA_INIT() PSA_ASSERT(psa_crypto_init())
@@ -54,12 +38,15 @@
mbedtls_psa_crypto_free(); \
} \
while (0)
-#else /*MBEDTLS_PSA_CRYPTO_C */
+#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
+#define PSA_INIT() PSA_ASSERT(psa_crypto_init())
+#define PSA_DONE() mbedtls_psa_crypto_free();
+#else /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
#define PSA_INIT() ((void) 0)
#define PSA_DONE() ((void) 0)
#endif /* MBEDTLS_PSA_CRYPTO_C */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
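Review bot: The client-only `PSA_DONE()` is defined as `mbedtls_psa_crypto_free();` with a trailing semicolon, unlike the other two variants, so `PSA_DONE();` expands to two statements and breaks an unbraced `if ... else`; it should be `#define PSA_DONE() mbedtls_psa_crypto_free()`. The comment on the final `#else` repeats `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C` from the `#elif`, but that branch is the `!MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C` case. The full `PSA_DONE()` definition starts outside this hunk, so what it does before freeing is not visible here; if it checks state before calling `mbedtls_psa_crypto_free()`, the client variant skips that check and the difference deserves a comment.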
@@ -329,7 +316,7 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
} \
while (0)
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
/** \def USE_PSA_INIT
*
@@ -382,6 +369,30 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
#define MD_PSA_DONE() ((void) 0)
#endif /* MBEDTLS_MD_SOME_PSA */
+/** \def BLOCK_CIPHER_PSA_INIT
+ *
+ * Call this macro to initialize the PSA subsystem if BLOCK_CIPHER uses a driver,
+ * and do nothing otherwise.
+ *
+ * If the initialization fails, mark the test case as failed and jump to the
+ * \p exit label.
+ */
+/** \def BLOCK_CIPHER_PSA_DONE
+ *
+ * Call this macro at the end of a test case if you called #BLOCK_CIPHER_PSA_INIT.
+ *
+ * This is like #PSA_DONE except it does nothing under the same conditions as
+ * #BLOCK_CIPHER_PSA_INIT.
+ */
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#define BLOCK_CIPHER_PSA_INIT() PSA_INIT()
+#define BLOCK_CIPHER_PSA_DONE() PSA_DONE()
+#else /* MBEDTLS_MD_SOME_PSA */
+#define BLOCK_CIPHER_PSA_INIT() ((void) 0)
+#define BLOCK_CIPHER_PSA_DONE() ((void) 0)
+#endif /* MBEDTLS_MD_SOME_PSA */
+
+
/** \def MD_OR_USE_PSA_INIT
*
* Call this macro to initialize the PSA subsystem if MD uses a driver,
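Review bot: The `#else` and `#endif` of the new `BLOCK_CIPHER_PSA_INIT`/`BLOCK_CIPHER_PSA_DONE` block are commented `/* MBEDTLS_MD_SOME_PSA */`, copied from the MD block above, although the condition is `MBEDTLS_BLOCK_CIPHER_SOME_PSA`. They should read `#else /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */` and `#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */`. As written, a reader matching guards by their comments pairs this block with the wrong `#if`.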
@@ -407,4 +418,27 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string);
#define MD_OR_USE_PSA_DONE() ((void) 0)
#endif
+/** \def AES_PSA_INIT
+ *
+ * Call this macro to initialize the PSA subsystem if AES_C is not defined,
+ * so that CTR_DRBG uses PSA implementation to get AES-ECB.
+ *
+ * If the initialization fails, mark the test case as failed and jump to the
+ * \p exit label.
+ */
+/** \def AES_PSA_DONE
+ *
+ * Call this macro at the end of a test case if you called #AES_PSA_INIT.
+ *
+ * This is like #PSA_DONE except it does nothing under the same conditions as
+ * #AES_PSA_INIT.
+ */
+#if defined(MBEDTLS_AES_C)
+#define AES_PSA_INIT() ((void) 0)
+#define AES_PSA_DONE() ((void) 0)
+#else /* MBEDTLS_AES_C */
+#define AES_PSA_INIT() PSA_INIT()
+#define AES_PSA_DONE() PSA_DONE()
+#endif /* MBEDTLS_AES_C */
+
#endif /* PSA_CRYPTO_HELPERS_H */
diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h
index 46f4d08..f6be307 100644
--- a/tests/include/test/psa_exercise_key.h
+++ b/tests/include/test/psa_exercise_key.h
@@ -3,19 +3,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_EXERCISE_KEY_H
@@ -26,21 +14,17 @@
#include <psa/crypto.h>
+#if defined(MBEDTLS_PK_C)
+#include <mbedtls/pk.h>
+#endif
+
/** \def KNOWN_SUPPORTED_HASH_ALG
*
* A hash algorithm that is known to be supported.
*
* This is used in some smoke tests.
*/
-#if defined(PSA_WANT_ALG_MD5)
-#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5
-/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of
- * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160
- * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be
- * implausible anyway. */
-#elif defined(PSA_WANT_ALG_SHA_1)
-#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1
-#elif defined(PSA_WANT_ALG_SHA_256)
+#if defined(PSA_WANT_ALG_SHA_256)
#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_256
#elif defined(PSA_WANT_ALG_SHA_384)
#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_384
@@ -48,6 +32,14 @@
#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_512
#elif defined(PSA_WANT_ALG_SHA3_256)
#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA3_256
+#elif defined(PSA_WANT_ALG_SHA_1)
+#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_SHA_1
+#elif defined(PSA_WANT_ALG_MD5)
+#define KNOWN_SUPPORTED_HASH_ALG PSA_ALG_MD5
+/* PSA_WANT_ALG_RIPEMD160 omitted. This is necessary for the sake of
+ * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160
+ * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be
+ * implausible anyway. */
#else
#undef KNOWN_SUPPORTED_HASH_ALG
#endif
@@ -58,12 +50,13 @@
*
* For simplicity's sake, stick to block ciphers with 16-byte blocks.
*/
-#if defined(MBEDTLS_AES_C)
+#if defined(PSA_WANT_KEY_TYPE_AES)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_AES
-#elif defined(MBEDTLS_ARIA_C)
+#elif defined(PSA_WANT_KEY_TYPE_ARIA)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_ARIA
-#elif defined(MBEDTLS_CAMELLIA_C)
+#elif defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_CAMELLIA
+#else
#undef KNOWN_SUPPORTED_BLOCK_CIPHER
#endif
@@ -93,13 +86,13 @@
*
* This is used in some smoke tests.
*/
-#if defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CTR)
+#if defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CTR)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CTR
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CBC)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CBC_NO_PADDING
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CFB)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CFB)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CFB
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_OFB)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_OFB)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_OFB
#else
#undef KNOWN_SUPPORTED_BLOCK_CIPHER_ALG
@@ -130,6 +123,9 @@
* \param input2 The first input to pass.
* \param input2_length The length of \p input2 in bytes.
* \param capacity The capacity to set.
+ * \param key_destroyable If set to 1, a failure due to the key not existing
+ * or the key being destroyed mid-operation will only
+ * be reported if the error code is unexpected.
*
* \return \c 1 on success, \c 0 on failure.
*/
@@ -139,7 +135,7 @@ int mbedtls_test_psa_setup_key_derivation_wrap(
psa_algorithm_t alg,
const unsigned char *input1, size_t input1_length,
const unsigned char *input2, size_t input2_length,
- size_t capacity);
+ size_t capacity, int key_destroyable);
/** Perform a key agreement using the given key pair against its public key
* using psa_raw_key_agreement().
@@ -150,12 +146,15 @@ int mbedtls_test_psa_setup_key_derivation_wrap(
*
* \param alg A key agreement algorithm compatible with \p key.
* \param key A key that allows key agreement with \p alg.
+ * \param key_destroyable If set to 1, a failure due to the key not existing
+ * or the key being destroyed mid-operation will only
+ * be reported if the error code is unexpected.
*
* \return \c 1 on success, \c 0 on failure.
*/
psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
psa_algorithm_t alg,
- mbedtls_svc_key_id_t key);
+ mbedtls_svc_key_id_t key, int key_destroyable);
/** Perform a key agreement using the given key pair against its public key
* using psa_key_derivation_raw_key().
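Review bot: `mbedtls_test_psa_raw_key_agreement_with_self()` returns `psa_status_t`, but its comment still says `\return \c 1 on success, \c 0 on failure`, which does not fit a status code; presumably one of the two is stale. The new `key_destroyable` parameter changes which failures are reported, so the comment should state what is returned when the key is destroyed mid-operation. The same applies to `mbedtls_test_psa_key_agreement_with_self()` in the next hunk. The added text says `If set to 1` for an `int`; `If nonzero`, or a statement that other values are invalid, would remove the ambiguity.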
@@ -169,12 +168,15 @@ psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
* \p key.
* \param key A key pair object that is suitable for a key
* agreement with \p operation.
+ * \param key_destroyable If set to 1, a failure due to the key not existing
+ * or the key being destroyed mid-operation will only
+ * be reported if the error code is unexpected.
*
* \return \c 1 on success, \c 0 on failure.
*/
psa_status_t mbedtls_test_psa_key_agreement_with_self(
psa_key_derivation_operation_t *operation,
- mbedtls_svc_key_id_t key);
+ mbedtls_svc_key_id_t key, int key_destroyable);
/** Perform sanity checks on the given key representation.
*
@@ -216,20 +218,69 @@ int mbedtls_test_psa_exported_key_sanity_check(
* ```
* if( ! exercise_key( ... ) ) goto exit;
* ```
- *
- * \param key The key to exercise. It should be capable of performing
- * \p alg.
- * \param usage The usage flags to assume.
- * \param alg The algorithm to exercise.
+ * To use this function for multi-threaded tests where the key
+ * may be destroyed at any point: call this function with key_destroyable set
+ * to 1, while another thread calls psa_destroy_key on the same key;
+ * this will test whether destroying the key in use leads to any corruption.
+ *
+ * There cannot be a set of concurrent calls:
+ * `mbedtls_test_psa_exercise_key(ki,...)` such that each ki is a unique
+ * persistent key not loaded into any key slot, and i is greater than the
+ * number of free key slots.
+ * This is because such scenarios can lead to unsupported
+ * `PSA_ERROR_INSUFFICIENT_MEMORY` return codes.
+ *
+ *
+ * \param key The key to exercise. It should be capable of performing
+ * \p alg.
+ * \param usage The usage flags to assume.
+ * \param alg The algorithm to exercise.
+ * \param key_destroyable If set to 1, a failure due to the key not existing
+ * or the key being destroyed mid-operation will only
+ * be reported if the error code is unexpected.
*
* \retval 0 The key failed the smoke tests.
* \retval 1 The key passed the smoke tests.
*/
int mbedtls_test_psa_exercise_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg);
+ psa_algorithm_t alg,
+ int key_destroyable);
psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type,
psa_algorithm_t alg);
+/** Whether the specified algorithm can be exercised.
+ *
+ * \note This function is solely based on the algorithm and does not
+ * consider potential issues with the compatibility of a key.
+ * The idea is that you already have a key, so you know that the
+ * key type is supported, and you want to exercise the key but
+ * only if the algorithm given in its policy is enabled in the
+ * compile-time configuration.
+ *
+ * \note This function currently only supports signature algorithms
+ * (including wildcards).
+ * TODO: a more general mechanism, which should be automatically
+ * generated and possibly available as a library function?
+ */
+int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg);
+
+#if defined(MBEDTLS_PK_C)
+/** PK-PSA key consistency test.
+ *
+ * This function tests that the pk context and the PSA key are
+ * consistent. At a minimum:
+ *
+ * - The two objects must contain keys of the same type,
+ * or a key pair and a public key of the matching type.
+ * - The two objects must have the same public key.
+ *
+ * \retval 0 The key failed the consistency tests.
+ * \retval 1 The key passed the consistency tests.
+ */
+int mbedtls_test_key_consistency_psa_pk(mbedtls_svc_key_id_t psa_key,
+ const mbedtls_pk_context *pk);
+#endif /* MBEDTLS_PK_C */
+
#endif /* PSA_EXERCISE_KEY_H */
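Review bot: `mbedtls_test_can_exercise_psa_algorithm()` has no `\param` or `\return` documentation, and the note that it `currently only supports signature algorithms` does not say what it returns for any other algorithm. A caller that skips exercising a key when the result is 0 needs to know whether an unsupported category yields 0 (key silently not exercised) or nonzero, so the return values should be spelled out. `mbedtls_test_key_consistency_psa_pk()` likewise lacks `\param` entries for `psa_key` and `pk`. In the `mbedtls_test_psa_exercise_key()` comment, the paragraph beginning `There cannot be a set of concurrent calls` reads as a statement of fact but is a caller precondition; `Callers must not make concurrent calls ...` would be clearer.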
diff --git a/tests/include/test/psa_helpers.h b/tests/include/test/psa_helpers.h
index 2665fac..b617189 100644
--- a/tests/include/test/psa_helpers.h
+++ b/tests/include/test/psa_helpers.h
@@ -3,19 +3,7 @@
*/
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_HELPERS_H
diff --git a/tests/include/test/psa_memory_poisoning_wrappers.h b/tests/include/test/psa_memory_poisoning_wrappers.h
new file mode 100644
index 0000000..3f30b65
--- /dev/null
+++ b/tests/include/test/psa_memory_poisoning_wrappers.h
@@ -0,0 +1,40 @@
+/** Support for memory poisoning wrappers for PSA functions.
+ *
+ * The wrappers poison the input and output buffers of each function
+ * before calling it, to ensure that it does not access the buffers
+ * except by calling the approved buffer-copying functions.
+ *
+ * This header declares support functions. The wrappers themselves are
+ * decalred in the automatically generated file `test/psa_test_wrappers.h`.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_MEMORY_POISONING_WRAPPERS_H
+#define PSA_MEMORY_POISONING_WRAPPERS_H
+
+#include "psa/crypto.h"
+
+#include "test/memory.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+
+/**
+ * \brief Setup the memory poisoning test hooks used by
+ * psa_crypto_copy_input() and psa_crypto_copy_output() for
+ * memory poisoning.
+ */
+void mbedtls_poison_test_hooks_setup(void);
+
+/**
+ * \brief Teardown the memory poisoning test hooks used by
+ * psa_crypto_copy_input() and psa_crypto_copy_output() for
+ * memory poisoning.
+ */
+void mbedtls_poison_test_hooks_teardown(void);
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_TEST_MEMORY_CAN_POISON */
+
+#endif /* PSA_MEMORY_POISONING_WRAPPERS_H */
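Review bot: The header comment misspells `declared` as `decalred` in `The wrappers themselves are decalred in ...`. The two functions are named `mbedtls_poison_test_hooks_setup()` and `mbedtls_poison_test_hooks_teardown()`, without the `mbedtls_test_` prefix used by other test helpers in this commit, for example `mbedtls_test_memory_poison()`. A consistent prefix makes it obvious that these are test-only symbols. The comments also do not say whether setup and teardown must be paired per test case or may be called once per process.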
diff --git a/tests/include/test/psa_test_wrappers.h b/tests/include/test/psa_test_wrappers.h
new file mode 100644
index 0000000..e6d712b
--- /dev/null
+++ b/tests/include/test/psa_test_wrappers.h
@@ -0,0 +1,771 @@
+/* Automatically generated by generate_psa_wrappers.py, do not edit! */
+
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef TEST_PSA_TEST_WRAPPERS_H
+#define TEST_PSA_TEST_WRAPPERS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <mbedtls/build_info.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_TEST_HOOKS) && \
+ !defined(RECORD_PSA_STATUS_COVERAGE_LOG)
+
+#include <psa/crypto.h>
+
+#include <test/memory.h>
+#include <test/psa_crypto_helpers.h>
+#include <test/psa_test_wrappers.h>
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_inject_entropy(
+ const uint8_t *arg0_seed,
+ size_t arg1_seed_size);
+#define mbedtls_psa_inject_entropy(arg0_seed, arg1_seed_size) \
+ mbedtls_test_wrap_mbedtls_psa_inject_entropy(arg0_seed, arg1_seed_size)
+#endif /* defined(MBEDTLS_PSA_INJECT_ENTROPY) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_platform_get_builtin_key(
+ mbedtls_svc_key_id_t arg0_key_id,
+ psa_key_lifetime_t *arg1_lifetime,
+ psa_drv_slot_number_t *arg2_slot_number);
+#define mbedtls_psa_platform_get_builtin_key(arg0_key_id, arg1_lifetime, arg2_slot_number) \
+ mbedtls_test_wrap_mbedtls_psa_platform_get_builtin_key(arg0_key_id, arg1_lifetime, arg2_slot_number)
+#endif /* defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_register_se_key(
+ const psa_key_attributes_t *arg0_attributes);
+#define mbedtls_psa_register_se_key(arg0_attributes) \
+ mbedtls_test_wrap_mbedtls_psa_register_se_key(arg0_attributes)
+#endif /* defined(MBEDTLS_PSA_CRYPTO_SE_C) */
+
+psa_status_t mbedtls_test_wrap_psa_aead_abort(
+ psa_aead_operation_t *arg0_operation);
+#define psa_aead_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_aead_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_aead_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_nonce,
+ size_t arg3_nonce_length,
+ const uint8_t *arg4_additional_data,
+ size_t arg5_additional_data_length,
+ const uint8_t *arg6_ciphertext,
+ size_t arg7_ciphertext_length,
+ uint8_t *arg8_plaintext,
+ size_t arg9_plaintext_size,
+ size_t *arg10_plaintext_length);
+#define psa_aead_decrypt(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_ciphertext, arg7_ciphertext_length, arg8_plaintext, arg9_plaintext_size, arg10_plaintext_length) \
+ mbedtls_test_wrap_psa_aead_decrypt(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_ciphertext, arg7_ciphertext_length, arg8_plaintext, arg9_plaintext_size, arg10_plaintext_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_decrypt_setup(
+ psa_aead_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_aead_decrypt_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_aead_decrypt_setup(arg0_operation, arg1_key, arg2_alg)
+
+psa_status_t mbedtls_test_wrap_psa_aead_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_nonce,
+ size_t arg3_nonce_length,
+ const uint8_t *arg4_additional_data,
+ size_t arg5_additional_data_length,
+ const uint8_t *arg6_plaintext,
+ size_t arg7_plaintext_length,
+ uint8_t *arg8_ciphertext,
+ size_t arg9_ciphertext_size,
+ size_t *arg10_ciphertext_length);
+#define psa_aead_encrypt(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_plaintext, arg7_plaintext_length, arg8_ciphertext, arg9_ciphertext_size, arg10_ciphertext_length) \
+ mbedtls_test_wrap_psa_aead_encrypt(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_plaintext, arg7_plaintext_length, arg8_ciphertext, arg9_ciphertext_size, arg10_ciphertext_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_encrypt_setup(
+ psa_aead_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_aead_encrypt_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_aead_encrypt_setup(arg0_operation, arg1_key, arg2_alg)
+
+psa_status_t mbedtls_test_wrap_psa_aead_finish(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_ciphertext,
+ size_t arg2_ciphertext_size,
+ size_t *arg3_ciphertext_length,
+ uint8_t *arg4_tag,
+ size_t arg5_tag_size,
+ size_t *arg6_tag_length);
+#define psa_aead_finish(arg0_operation, arg1_ciphertext, arg2_ciphertext_size, arg3_ciphertext_length, arg4_tag, arg5_tag_size, arg6_tag_length) \
+ mbedtls_test_wrap_psa_aead_finish(arg0_operation, arg1_ciphertext, arg2_ciphertext_size, arg3_ciphertext_length, arg4_tag, arg5_tag_size, arg6_tag_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_generate_nonce(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_nonce,
+ size_t arg2_nonce_size,
+ size_t *arg3_nonce_length);
+#define psa_aead_generate_nonce(arg0_operation, arg1_nonce, arg2_nonce_size, arg3_nonce_length) \
+ mbedtls_test_wrap_psa_aead_generate_nonce(arg0_operation, arg1_nonce, arg2_nonce_size, arg3_nonce_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_set_lengths(
+ psa_aead_operation_t *arg0_operation,
+ size_t arg1_ad_length,
+ size_t arg2_plaintext_length);
+#define psa_aead_set_lengths(arg0_operation, arg1_ad_length, arg2_plaintext_length) \
+ mbedtls_test_wrap_psa_aead_set_lengths(arg0_operation, arg1_ad_length, arg2_plaintext_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_set_nonce(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_nonce,
+ size_t arg2_nonce_length);
+#define psa_aead_set_nonce(arg0_operation, arg1_nonce, arg2_nonce_length) \
+ mbedtls_test_wrap_psa_aead_set_nonce(arg0_operation, arg1_nonce, arg2_nonce_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_update(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_output,
+ size_t arg4_output_size,
+ size_t *arg5_output_length);
+#define psa_aead_update(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length) \
+ mbedtls_test_wrap_psa_aead_update(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_update_ad(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length);
+#define psa_aead_update_ad(arg0_operation, arg1_input, arg2_input_length) \
+ mbedtls_test_wrap_psa_aead_update_ad(arg0_operation, arg1_input, arg2_input_length)
+
+psa_status_t mbedtls_test_wrap_psa_aead_verify(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_plaintext,
+ size_t arg2_plaintext_size,
+ size_t *arg3_plaintext_length,
+ const uint8_t *arg4_tag,
+ size_t arg5_tag_length);
+#define psa_aead_verify(arg0_operation, arg1_plaintext, arg2_plaintext_size, arg3_plaintext_length, arg4_tag, arg5_tag_length) \
+ mbedtls_test_wrap_psa_aead_verify(arg0_operation, arg1_plaintext, arg2_plaintext_size, arg3_plaintext_length, arg4_tag, arg5_tag_length)
+
+psa_status_t mbedtls_test_wrap_psa_asymmetric_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_salt,
+ size_t arg5_salt_length,
+ uint8_t *arg6_output,
+ size_t arg7_output_size,
+ size_t *arg8_output_length);
+#define psa_asymmetric_decrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length) \
+ mbedtls_test_wrap_psa_asymmetric_decrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_asymmetric_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_salt,
+ size_t arg5_salt_length,
+ uint8_t *arg6_output,
+ size_t arg7_output_size,
+ size_t *arg8_output_length);
+#define psa_asymmetric_encrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length) \
+ mbedtls_test_wrap_psa_asymmetric_encrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_abort(
+ psa_cipher_operation_t *arg0_operation);
+#define psa_cipher_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_cipher_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length);
+#define psa_cipher_decrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length) \
+ mbedtls_test_wrap_psa_cipher_decrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_decrypt_setup(
+ psa_cipher_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_cipher_decrypt_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_cipher_decrypt_setup(arg0_operation, arg1_key, arg2_alg)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length);
+#define psa_cipher_encrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length) \
+ mbedtls_test_wrap_psa_cipher_encrypt(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_encrypt_setup(
+ psa_cipher_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_cipher_encrypt_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_cipher_encrypt_setup(arg0_operation, arg1_key, arg2_alg)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_finish(
+ psa_cipher_operation_t *arg0_operation,
+ uint8_t *arg1_output,
+ size_t arg2_output_size,
+ size_t *arg3_output_length);
+#define psa_cipher_finish(arg0_operation, arg1_output, arg2_output_size, arg3_output_length) \
+ mbedtls_test_wrap_psa_cipher_finish(arg0_operation, arg1_output, arg2_output_size, arg3_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_generate_iv(
+ psa_cipher_operation_t *arg0_operation,
+ uint8_t *arg1_iv,
+ size_t arg2_iv_size,
+ size_t *arg3_iv_length);
+#define psa_cipher_generate_iv(arg0_operation, arg1_iv, arg2_iv_size, arg3_iv_length) \
+ mbedtls_test_wrap_psa_cipher_generate_iv(arg0_operation, arg1_iv, arg2_iv_size, arg3_iv_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_set_iv(
+ psa_cipher_operation_t *arg0_operation,
+ const uint8_t *arg1_iv,
+ size_t arg2_iv_length);
+#define psa_cipher_set_iv(arg0_operation, arg1_iv, arg2_iv_length) \
+ mbedtls_test_wrap_psa_cipher_set_iv(arg0_operation, arg1_iv, arg2_iv_length)
+
+psa_status_t mbedtls_test_wrap_psa_cipher_update(
+ psa_cipher_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_output,
+ size_t arg4_output_size,
+ size_t *arg5_output_length);
+#define psa_cipher_update(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length) \
+ mbedtls_test_wrap_psa_cipher_update(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_copy_key(
+ mbedtls_svc_key_id_t arg0_source_key,
+ const psa_key_attributes_t *arg1_attributes,
+ mbedtls_svc_key_id_t *arg2_target_key);
+#define psa_copy_key(arg0_source_key, arg1_attributes, arg2_target_key) \
+ mbedtls_test_wrap_psa_copy_key(arg0_source_key, arg1_attributes, arg2_target_key)
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ psa_pake_cipher_suite_t *arg1_cipher_suite);
+#define psa_crypto_driver_pake_get_cipher_suite(arg0_inputs, arg1_cipher_suite) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite(arg0_inputs, arg1_cipher_suite)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_buffer,
+ size_t arg2_buffer_size,
+ size_t *arg3_buffer_length);
+#define psa_crypto_driver_pake_get_password(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_password(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_password_len);
+#define psa_crypto_driver_pake_get_password_len(arg0_inputs, arg1_password_len) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len(arg0_inputs, arg1_password_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_peer_id,
+ size_t arg2_peer_id_size,
+ size_t *arg3_peer_id_length);
+#define psa_crypto_driver_pake_get_peer(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_peer(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_peer_len);
+#define psa_crypto_driver_pake_get_peer_len(arg0_inputs, arg1_peer_len) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len(arg0_inputs, arg1_peer_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_user_id,
+ size_t arg2_user_id_size,
+ size_t *arg3_user_id_len);
+#define psa_crypto_driver_pake_get_user(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_user(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_user_len);
+#define psa_crypto_driver_pake_get_user_len(arg0_inputs, arg1_user_len) \
+ mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len(arg0_inputs, arg1_user_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+psa_status_t mbedtls_test_wrap_psa_crypto_init(void);
+#define psa_crypto_init() \
+ mbedtls_test_wrap_psa_crypto_init()
+
+psa_status_t mbedtls_test_wrap_psa_destroy_key(
+ mbedtls_svc_key_id_t arg0_key);
+#define psa_destroy_key(arg0_key) \
+ mbedtls_test_wrap_psa_destroy_key(arg0_key)
+
+psa_status_t mbedtls_test_wrap_psa_export_key(
+ mbedtls_svc_key_id_t arg0_key,
+ uint8_t *arg1_data,
+ size_t arg2_data_size,
+ size_t *arg3_data_length);
+#define psa_export_key(arg0_key, arg1_data, arg2_data_size, arg3_data_length) \
+ mbedtls_test_wrap_psa_export_key(arg0_key, arg1_data, arg2_data_size, arg3_data_length)
+
+psa_status_t mbedtls_test_wrap_psa_export_public_key(
+ mbedtls_svc_key_id_t arg0_key,
+ uint8_t *arg1_data,
+ size_t arg2_data_size,
+ size_t *arg3_data_length);
+#define psa_export_public_key(arg0_key, arg1_data, arg2_data_size, arg3_data_length) \
+ mbedtls_test_wrap_psa_export_public_key(arg0_key, arg1_data, arg2_data_size, arg3_data_length)
+
+psa_status_t mbedtls_test_wrap_psa_generate_key(
+ const psa_key_attributes_t *arg0_attributes,
+ mbedtls_svc_key_id_t *arg1_key);
+#define psa_generate_key(arg0_attributes, arg1_key) \
+ mbedtls_test_wrap_psa_generate_key(arg0_attributes, arg1_key)
+
+psa_status_t mbedtls_test_wrap_psa_generate_key_ext(
+ const psa_key_attributes_t *arg0_attributes,
+ const psa_key_production_parameters_t *arg1_params,
+ size_t arg2_params_data_length,
+ mbedtls_svc_key_id_t *arg3_key);
+#define psa_generate_key_ext(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key) \
+ mbedtls_test_wrap_psa_generate_key_ext(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key)
+
+psa_status_t mbedtls_test_wrap_psa_generate_random(
+ uint8_t *arg0_output,
+ size_t arg1_output_size);
+#define psa_generate_random(arg0_output, arg1_output_size) \
+ mbedtls_test_wrap_psa_generate_random(arg0_output, arg1_output_size)
+
+psa_status_t mbedtls_test_wrap_psa_get_key_attributes(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_key_attributes_t *arg1_attributes);
+#define psa_get_key_attributes(arg0_key, arg1_attributes) \
+ mbedtls_test_wrap_psa_get_key_attributes(arg0_key, arg1_attributes)
+
+psa_status_t mbedtls_test_wrap_psa_hash_abort(
+ psa_hash_operation_t *arg0_operation);
+#define psa_hash_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_hash_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_hash_clone(
+ const psa_hash_operation_t *arg0_source_operation,
+ psa_hash_operation_t *arg1_target_operation);
+#define psa_hash_clone(arg0_source_operation, arg1_target_operation) \
+ mbedtls_test_wrap_psa_hash_clone(arg0_source_operation, arg1_target_operation)
+
+psa_status_t mbedtls_test_wrap_psa_hash_compare(
+ psa_algorithm_t arg0_alg,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length);
+#define psa_hash_compare(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_length) \
+ mbedtls_test_wrap_psa_hash_compare(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_length)
+
+psa_status_t mbedtls_test_wrap_psa_hash_compute(
+ psa_algorithm_t arg0_alg,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_hash,
+ size_t arg4_hash_size,
+ size_t *arg5_hash_length);
+#define psa_hash_compute(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_size, arg5_hash_length) \
+ mbedtls_test_wrap_psa_hash_compute(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_size, arg5_hash_length)
+
+psa_status_t mbedtls_test_wrap_psa_hash_finish(
+ psa_hash_operation_t *arg0_operation,
+ uint8_t *arg1_hash,
+ size_t arg2_hash_size,
+ size_t *arg3_hash_length);
+#define psa_hash_finish(arg0_operation, arg1_hash, arg2_hash_size, arg3_hash_length) \
+ mbedtls_test_wrap_psa_hash_finish(arg0_operation, arg1_hash, arg2_hash_size, arg3_hash_length)
+
+psa_status_t mbedtls_test_wrap_psa_hash_setup(
+ psa_hash_operation_t *arg0_operation,
+ psa_algorithm_t arg1_alg);
+#define psa_hash_setup(arg0_operation, arg1_alg) \
+ mbedtls_test_wrap_psa_hash_setup(arg0_operation, arg1_alg)
+
+psa_status_t mbedtls_test_wrap_psa_hash_update(
+ psa_hash_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length);
+#define psa_hash_update(arg0_operation, arg1_input, arg2_input_length) \
+ mbedtls_test_wrap_psa_hash_update(arg0_operation, arg1_input, arg2_input_length)
+
+psa_status_t mbedtls_test_wrap_psa_hash_verify(
+ psa_hash_operation_t *arg0_operation,
+ const uint8_t *arg1_hash,
+ size_t arg2_hash_length);
+#define psa_hash_verify(arg0_operation, arg1_hash, arg2_hash_length) \
+ mbedtls_test_wrap_psa_hash_verify(arg0_operation, arg1_hash, arg2_hash_length)
+
+psa_status_t mbedtls_test_wrap_psa_import_key(
+ const psa_key_attributes_t *arg0_attributes,
+ const uint8_t *arg1_data,
+ size_t arg2_data_length,
+ mbedtls_svc_key_id_t *arg3_key);
+#define psa_import_key(arg0_attributes, arg1_data, arg2_data_length, arg3_key) \
+ mbedtls_test_wrap_psa_import_key(arg0_attributes, arg1_data, arg2_data_length, arg3_key)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_abort(
+ psa_key_derivation_operation_t *arg0_operation);
+#define psa_key_derivation_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_key_derivation_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *arg0_operation,
+ size_t *arg1_capacity);
+#define psa_key_derivation_get_capacity(arg0_operation, arg1_capacity) \
+ mbedtls_test_wrap_psa_key_derivation_get_capacity(arg0_operation, arg1_capacity)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ const uint8_t *arg2_data,
+ size_t arg3_data_length);
+#define psa_key_derivation_input_bytes(arg0_operation, arg1_step, arg2_data, arg3_data_length) \
+ mbedtls_test_wrap_psa_key_derivation_input_bytes(arg0_operation, arg1_step, arg2_data, arg3_data_length)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ uint64_t arg2_value);
+#define psa_key_derivation_input_integer(arg0_operation, arg1_step, arg2_value) \
+ mbedtls_test_wrap_psa_key_derivation_input_integer(arg0_operation, arg1_step, arg2_value)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ mbedtls_svc_key_id_t arg2_key);
+#define psa_key_derivation_input_key(arg0_operation, arg1_step, arg2_key) \
+ mbedtls_test_wrap_psa_key_derivation_input_key(arg0_operation, arg1_step, arg2_key)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ mbedtls_svc_key_id_t arg2_private_key,
+ const uint8_t *arg3_peer_key,
+ size_t arg4_peer_key_length);
+#define psa_key_derivation_key_agreement(arg0_operation, arg1_step, arg2_private_key, arg3_peer_key, arg4_peer_key_length) \
+ mbedtls_test_wrap_psa_key_derivation_key_agreement(arg0_operation, arg1_step, arg2_private_key, arg3_peer_key, arg4_peer_key_length)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *arg0_operation,
+ uint8_t *arg1_output,
+ size_t arg2_output_length);
+#define psa_key_derivation_output_bytes(arg0_operation, arg1_output, arg2_output_length) \
+ mbedtls_test_wrap_psa_key_derivation_output_bytes(arg0_operation, arg1_output, arg2_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ mbedtls_svc_key_id_t *arg2_key);
+#define psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) \
+ mbedtls_test_wrap_psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ const psa_key_production_parameters_t *arg2_params,
+ size_t arg3_params_data_length,
+ mbedtls_svc_key_id_t *arg4_key);
+#define psa_key_derivation_output_key_ext(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key) \
+ mbedtls_test_wrap_psa_key_derivation_output_key_ext(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *arg0_operation,
+ size_t arg1_capacity);
+#define psa_key_derivation_set_capacity(arg0_operation, arg1_capacity) \
+ mbedtls_test_wrap_psa_key_derivation_set_capacity(arg0_operation, arg1_capacity)
+
+psa_status_t mbedtls_test_wrap_psa_key_derivation_setup(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_algorithm_t arg1_alg);
+#define psa_key_derivation_setup(arg0_operation, arg1_alg) \
+ mbedtls_test_wrap_psa_key_derivation_setup(arg0_operation, arg1_alg)
+
+psa_status_t mbedtls_test_wrap_psa_mac_abort(
+ psa_mac_operation_t *arg0_operation);
+#define psa_mac_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_mac_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_mac_compute(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_mac,
+ size_t arg5_mac_size,
+ size_t *arg6_mac_length);
+#define psa_mac_compute(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_size, arg6_mac_length) \
+ mbedtls_test_wrap_psa_mac_compute(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_size, arg6_mac_length)
+
+psa_status_t mbedtls_test_wrap_psa_mac_sign_finish(
+ psa_mac_operation_t *arg0_operation,
+ uint8_t *arg1_mac,
+ size_t arg2_mac_size,
+ size_t *arg3_mac_length);
+#define psa_mac_sign_finish(arg0_operation, arg1_mac, arg2_mac_size, arg3_mac_length) \
+ mbedtls_test_wrap_psa_mac_sign_finish(arg0_operation, arg1_mac, arg2_mac_size, arg3_mac_length)
+
+psa_status_t mbedtls_test_wrap_psa_mac_sign_setup(
+ psa_mac_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_mac_sign_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_mac_sign_setup(arg0_operation, arg1_key, arg2_alg)
+
+psa_status_t mbedtls_test_wrap_psa_mac_update(
+ psa_mac_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length);
+#define psa_mac_update(arg0_operation, arg1_input, arg2_input_length) \
+ mbedtls_test_wrap_psa_mac_update(arg0_operation, arg1_input, arg2_input_length)
+
+psa_status_t mbedtls_test_wrap_psa_mac_verify(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_mac,
+ size_t arg5_mac_length);
+#define psa_mac_verify(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_length) \
+ mbedtls_test_wrap_psa_mac_verify(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_length)
+
+psa_status_t mbedtls_test_wrap_psa_mac_verify_finish(
+ psa_mac_operation_t *arg0_operation,
+ const uint8_t *arg1_mac,
+ size_t arg2_mac_length);
+#define psa_mac_verify_finish(arg0_operation, arg1_mac, arg2_mac_length) \
+ mbedtls_test_wrap_psa_mac_verify_finish(arg0_operation, arg1_mac, arg2_mac_length)
+
+psa_status_t mbedtls_test_wrap_psa_mac_verify_setup(
+ psa_mac_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg);
+#define psa_mac_verify_setup(arg0_operation, arg1_key, arg2_alg) \
+ mbedtls_test_wrap_psa_mac_verify_setup(arg0_operation, arg1_key, arg2_alg)
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_abort(
+ psa_pake_operation_t *arg0_operation);
+#define psa_pake_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_pake_abort(arg0_operation)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_get_implicit_key(
+ psa_pake_operation_t *arg0_operation,
+ psa_key_derivation_operation_t *arg1_output);
+#define psa_pake_get_implicit_key(arg0_operation, arg1_output) \
+ mbedtls_test_wrap_psa_pake_get_implicit_key(arg0_operation, arg1_output)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_input(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_step_t arg1_step,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length);
+#define psa_pake_input(arg0_operation, arg1_step, arg2_input, arg3_input_length) \
+ mbedtls_test_wrap_psa_pake_input(arg0_operation, arg1_step, arg2_input, arg3_input_length)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_output(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_step_t arg1_step,
+ uint8_t *arg2_output,
+ size_t arg3_output_size,
+ size_t *arg4_output_length);
+#define psa_pake_output(arg0_operation, arg1_step, arg2_output, arg3_output_size, arg4_output_length) \
+ mbedtls_test_wrap_psa_pake_output(arg0_operation, arg1_step, arg2_output, arg3_output_size, arg4_output_length)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_password_key(
+ psa_pake_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_password);
+#define psa_pake_set_password_key(arg0_operation, arg1_password) \
+ mbedtls_test_wrap_psa_pake_set_password_key(arg0_operation, arg1_password)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_peer(
+ psa_pake_operation_t *arg0_operation,
+ const uint8_t *arg1_peer_id,
+ size_t arg2_peer_id_len);
+#define psa_pake_set_peer(arg0_operation, arg1_peer_id, arg2_peer_id_len) \
+ mbedtls_test_wrap_psa_pake_set_peer(arg0_operation, arg1_peer_id, arg2_peer_id_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_role(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_role_t arg1_role);
+#define psa_pake_set_role(arg0_operation, arg1_role) \
+ mbedtls_test_wrap_psa_pake_set_role(arg0_operation, arg1_role)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_user(
+ psa_pake_operation_t *arg0_operation,
+ const uint8_t *arg1_user_id,
+ size_t arg2_user_id_len);
+#define psa_pake_set_user(arg0_operation, arg1_user_id, arg2_user_id_len) \
+ mbedtls_test_wrap_psa_pake_set_user(arg0_operation, arg1_user_id, arg2_user_id_len)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_setup(
+ psa_pake_operation_t *arg0_operation,
+ const psa_pake_cipher_suite_t *arg1_cipher_suite);
+#define psa_pake_setup(arg0_operation, arg1_cipher_suite) \
+ mbedtls_test_wrap_psa_pake_setup(arg0_operation, arg1_cipher_suite)
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+psa_status_t mbedtls_test_wrap_psa_purge_key(
+ mbedtls_svc_key_id_t arg0_key);
+#define psa_purge_key(arg0_key) \
+ mbedtls_test_wrap_psa_purge_key(arg0_key)
+
+psa_status_t mbedtls_test_wrap_psa_raw_key_agreement(
+ psa_algorithm_t arg0_alg,
+ mbedtls_svc_key_id_t arg1_private_key,
+ const uint8_t *arg2_peer_key,
+ size_t arg3_peer_key_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length);
+#define psa_raw_key_agreement(arg0_alg, arg1_private_key, arg2_peer_key, arg3_peer_key_length, arg4_output, arg5_output_size, arg6_output_length) \
+ mbedtls_test_wrap_psa_raw_key_agreement(arg0_alg, arg1_private_key, arg2_peer_key, arg3_peer_key_length, arg4_output, arg5_output_size, arg6_output_length)
+
+psa_status_t mbedtls_test_wrap_psa_sign_hash(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_hash,
+ size_t arg3_hash_length,
+ uint8_t *arg4_signature,
+ size_t arg5_signature_size,
+ size_t *arg6_signature_length);
+#define psa_sign_hash(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_size, arg6_signature_length) \
+ mbedtls_test_wrap_psa_sign_hash(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_size, arg6_signature_length)
+
+psa_status_t mbedtls_test_wrap_psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *arg0_operation);
+#define psa_sign_hash_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_sign_hash_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *arg0_operation,
+ uint8_t *arg1_signature,
+ size_t arg2_signature_size,
+ size_t *arg3_signature_length);
+#define psa_sign_hash_complete(arg0_operation, arg1_signature, arg2_signature_size, arg3_signature_length) \
+ mbedtls_test_wrap_psa_sign_hash_complete(arg0_operation, arg1_signature, arg2_signature_size, arg3_signature_length)
+
+psa_status_t mbedtls_test_wrap_psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length);
+#define psa_sign_hash_start(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length) \
+ mbedtls_test_wrap_psa_sign_hash_start(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length)
+
+psa_status_t mbedtls_test_wrap_psa_sign_message(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_signature,
+ size_t arg5_signature_size,
+ size_t *arg6_signature_length);
+#define psa_sign_message(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_size, arg6_signature_length) \
+ mbedtls_test_wrap_psa_sign_message(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_size, arg6_signature_length)
+
+psa_status_t mbedtls_test_wrap_psa_verify_hash(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_hash,
+ size_t arg3_hash_length,
+ const uint8_t *arg4_signature,
+ size_t arg5_signature_length);
+#define psa_verify_hash(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_length) \
+ mbedtls_test_wrap_psa_verify_hash(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_length)
+
+psa_status_t mbedtls_test_wrap_psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *arg0_operation);
+#define psa_verify_hash_abort(arg0_operation) \
+ mbedtls_test_wrap_psa_verify_hash_abort(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *arg0_operation);
+#define psa_verify_hash_complete(arg0_operation) \
+ mbedtls_test_wrap_psa_verify_hash_complete(arg0_operation)
+
+psa_status_t mbedtls_test_wrap_psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length,
+ const uint8_t *arg5_signature,
+ size_t arg6_signature_length);
+#define psa_verify_hash_start(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length, arg5_signature, arg6_signature_length) \
+ mbedtls_test_wrap_psa_verify_hash_start(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length, arg5_signature, arg6_signature_length)
+
+psa_status_t mbedtls_test_wrap_psa_verify_message(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_signature,
+ size_t arg5_signature_length);
+#define psa_verify_message(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_length) \
+ mbedtls_test_wrap_psa_verify_message(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_length)
+
+#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_TEST_HOOKS) && \
+ !defined(RECORD_PSA_STATUS_COVERAGE_LOG) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* TEST_PSA_TEST_WRAPPERS_H */
+
+/* End of automatically generated file. */
diff --git a/tests/include/test/random.h b/tests/include/test/random.h
index c557208..6304e05 100644
--- a/tests/include/test/random.h
+++ b/tests/include/test/random.h
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef TEST_RANDOM_H
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index ddbd6a3..00e45c3 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -5,19 +5,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef SSL_HELPERS_H
@@ -50,21 +38,21 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_GCM_C)
-#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_TEST_HAS_TLS1_3_AES_256_GCM_SHA384
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#define MBEDTLS_TEST_HAS_TLS1_3_AES_128_GCM_SHA256
#endif
-#endif /* MBEDTLS_GCM_C */
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_MD_CAN_SHA256)
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#if defined(MBEDTLS_SSL_HAVE_CCM) && defined(MBEDTLS_MD_CAN_SHA256)
#define MBEDTLS_TEST_HAS_TLS1_3_AES_128_CCM_SHA256
#define MBEDTLS_TEST_HAS_TLS1_3_AES_128_CCM_8_SHA256
#endif
-#endif /* MBEDTLS_AES_C */
-#if defined(MBEDTLS_CHACHAPOLY_C) && defined(MBEDTLS_MD_CAN_SHA256)
+#endif /* MBEDTLS_SSL_HAVE_AES */
+#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && defined(MBEDTLS_MD_CAN_SHA256)
#define MBEDTLS_TEST_HAS_TLS1_3_CHACHA20_POLY1305_SHA256
#endif
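Review bot: After this change the AES-256-GCM-SHA384 guard tests `PSA_WANT_ALG_SHA_384`, while the three SHA-256 guards in the same block (`MBEDTLS_TEST_HAS_TLS1_3_AES_128_GCM_SHA256`, the CCM pair and ChaCha20-Poly1305) still test `MBEDTLS_MD_CAN_SHA256`, so the block mixes two families of hash-availability symbols. If the two can disagree in some configuration, a `MBEDTLS_TEST_HAS_*` macro could be defined for a ciphersuite the library does not enable, or the reverse, and the affected tests would fail or be skipped for reasons unrelated to the code under test. Either use `#if defined(PSA_WANT_ALG_SHA_256)` for the SHA-256 cases as well, or add a short comment saying why only SHA-384 was migrated.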
@@ -90,6 +78,10 @@ enum {
#undef MBEDTLS_SSL_TLS1_3_LABEL
};
+#if defined(MBEDTLS_SSL_ALPN)
+#define MBEDTLS_TEST_MAX_ALPN_LIST_SIZE 10
+#endif
+
typedef struct mbedtls_test_ssl_log_pattern {
const char *pattern;
size_t counter;
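Review bot: `MBEDTLS_TEST_MAX_ALPN_LIST_SIZE` is introduced without a comment saying whether the 10 slots include a terminating NULL. It sizes the `alpn_list` array added to `mbedtls_test_handshake_test_options` in a later hunk, and if that array is handed to `mbedtls_ssl_conf_alpn_protocols()`, which expects a NULL-terminated list, a test that fills all 10 entries would leave the list unterminated and the library would read past the array. I would document the limit next to the define, for example `/* Size of alpn_list, including the terminating NULL: at most 9 protocols. */`.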
@@ -97,6 +89,7 @@ typedef struct mbedtls_test_ssl_log_pattern {
typedef struct mbedtls_test_handshake_test_options {
const char *cipher;
+ uint16_t *group_list;
mbedtls_ssl_protocol_version client_min_version;
mbedtls_ssl_protocol_version client_max_version;
mbedtls_ssl_protocol_version server_min_version;
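Review bot: The new `group_list` member is a non-const `uint16_t *` with no comment on termination or lifetime, and it replaces the parameter removed from `mbedtls_test_ssl_endpoint_init()` in a later hunk. If the helper passes it to `mbedtls_ssl_conf_groups()`, the list has to end with `MBEDTLS_SSL_IANA_TLS_GROUP_NONE` and stay valid for as long as the endpoint configuration is used, because that setter keeps the pointer instead of copying the list. I would write `const uint16_t *group_list; /* NULL for the default, else a MBEDTLS_SSL_IANA_TLS_GROUP_NONE-terminated list that outlives the endpoint */`, provided the callers outside this hunk accept the const qualifier. The struct definition continues past this hunk.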
@@ -124,9 +117,14 @@ typedef struct mbedtls_test_handshake_test_options {
void (*srv_log_fun)(void *, int, const char *, int, const char *);
void (*cli_log_fun)(void *, int, const char *, int, const char *);
int resize_buffers;
+ int early_data;
+ int max_early_data_size;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context *cache;
#endif
+#if defined(MBEDTLS_SSL_ALPN)
+ const char *alpn_list[MBEDTLS_TEST_MAX_ALPN_LIST_SIZE];
+#endif
} mbedtls_test_handshake_test_options;
/*
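Review bot: `early_data` and `max_early_data_size` are added as plain `int` members with no comment, so the struct does not say whether `early_data` is a boolean or one of the library's early-data constants, or what a negative `max_early_data_size` stands for. A one-line comment on each would settle it, along the lines of `int early_data; /* <accepted values> */` and `int max_early_data_size; /* <meaning of negative values> */`. If a negative size is not used as a "keep the library default" sentinel, an unsigned type would rule out an accidental negative value being converted to a very large limit when it is passed on. The struct definition starts outside this hunk.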
@@ -206,6 +204,13 @@ typedef struct mbedtls_test_ssl_endpoint {
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
/*
+ * Random number generator aimed for TLS unitary tests. Its main purpose is to
+ * simplify the set-up of a random number generator for TLS
+ * unitary tests: no need to set up a good entropy source for example.
+ */
+int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len);
+
+/*
* This function can be passed to mbedtls to receive output logs from it. In
* this case, it will count the instances of a mbedtls_test_ssl_log_pattern
* in the received logged messages.
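Review bot: The comment added above `mbedtls_test_random()` says that no good entropy source is needed, but it does not state the consequence for callers: the output has to be treated as non-cryptographic, and the function is only suitable as an RNG callback in test code. I would add a line such as `* \warning Not a cryptographically secure generator; never use it outside the test suite.` so the prototype cannot be mistaken for a general-purpose helper. The comment should also describe `p_rng`, `output`, `output_len` and the return value, which the prototype alone leaves open, and "unitary tests" presumably means "unit tests".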
@@ -452,8 +457,7 @@ int mbedtls_test_ssl_endpoint_init(
mbedtls_test_handshake_test_options *options,
mbedtls_test_message_socket_context *dtls_context,
mbedtls_test_ssl_message_queue *input_queue,
- mbedtls_test_ssl_message_queue *output_queue,
- uint16_t *group_list);
+ mbedtls_test_ssl_message_queue *output_queue);
/*
* Deinitializes endpoint represented by \p ep.
@@ -497,7 +501,7 @@ int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_AES_C)
+ defined(MBEDTLS_SSL_HAVE_CBC) && defined(MBEDTLS_SSL_HAVE_AES)
int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
const unsigned char *iv,
size_t iv_len,
@@ -505,8 +509,8 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
size_t ilen,
unsigned char *output,
size_t *olen);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_CIPHER_MODE_CBC &&
- MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_HAVE_CBC &&
+ MBEDTLS_SSL_HAVE_AES */
int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
@@ -543,6 +547,7 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
*/
int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
int ticket_len,
+ int endpoint_type,
const char *crt_file);
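Review bot: The new `endpoint_type` parameter of `mbedtls_test_ssl_tls12_populate_session()` appears to be undocumented: the comment block that ends just above the prototype shows no added lines in this hunk. Since it is a bare `int`, the comment should name the accepted values, presumably `MBEDTLS_SSL_IS_CLIENT` and `MBEDTLS_SSL_IS_SERVER`, and say which session fields depend on it. The rest of that comment block lies outside the hunk.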
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -601,6 +606,25 @@ int mbedtls_test_tweak_tls13_certificate_msg_vector_len(
int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args);
#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *ticket_lifetime);
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len);
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+int mbedtls_test_get_tls13_ticket(
+ mbedtls_test_handshake_test_options *client_options,
+ mbedtls_test_handshake_test_options *server_options,
+ mbedtls_ssl_session *session);
+#endif
+
#define ECJPAKE_TEST_PWD "bla"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
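Review bot: The three prototypes added here, `mbedtls_test_ticket_write()`, `mbedtls_test_ticket_parse()` and `mbedtls_test_get_tls13_ticket()`, carry no documentation, unlike the other helpers declared in this header. The first two have the shape of the library's ticket write and parse callbacks; if they serialise the session without encrypting or authenticating it (their implementation is not part of this hunk), the header should say so, for example `/* Test-only ticket callbacks: the ticket is not protected; never use outside the test suite. */`. For `mbedtls_test_get_tls13_ticket()` the comment should state what the function returns and who initialises and frees `session`. The last `#endif` also lacks the trailing condition comment that the `MBEDTLS_SSL_SESSION_TICKETS` block just above it has.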
diff --git a/tests/include/test/threading_helpers.h b/tests/include/test/threading_helpers.h
new file mode 100644
index 0000000..79bc6c0
--- /dev/null
+++ b/tests/include/test/threading_helpers.h
@@ -0,0 +1,112 @@
+/**
+ * \file threading_helpers.h
+ *
+ * \brief This file contains the prototypes of helper functions for the purpose
+ * of testing threading.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef THREADING_HELPERS_H
+#define THREADING_HELPERS_H
+
+#if defined MBEDTLS_THREADING_C
+
+#include "mbedtls/private_access.h"
+#include "mbedtls/build_info.h"
+
+/* Most fields of publicly available structs are private and are wrapped with
+ * MBEDTLS_PRIVATE macro. This define allows tests to access the private fields
+ * directly (without using the MBEDTLS_PRIVATE wrapper). */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#define MBEDTLS_ERR_THREADING_THREAD_ERROR -0x001F
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include <pthread.h>
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+/* You should define the mbedtls_test_thread_t type in your header */
+#include "threading_alt.h"
+
+/**
+ * \brief Set your alternate threading implementation
+ * function pointers for test threads. If used, this
+ * function must be called once in the main thread
+ * before any other MbedTLS function is called.
+ *
+ * \note These functions are part of the testing API only and
+ * thus not considered part of the public API of
+ * MbedTLS and thus may change without notice.
+ *
+ * \param thread_create The thread create function implementation.
+ * \param thread_join The thread join function implementation.
+
+ */
+void mbedtls_test_thread_set_alt(int (*thread_create)(mbedtls_test_thread_t *thread,
+ void *(*thread_func)(
+ void *),
+ void *thread_data),
+ int (*thread_join)(mbedtls_test_thread_t *thread));
+
+#else /* MBEDTLS_THREADING_ALT*/
+
+typedef struct mbedtls_test_thread_t {
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+ pthread_t MBEDTLS_PRIVATE(thread);
+#else /* MBEDTLS_THREADING_PTHREAD */
+ /* Make sure this struct is always non-empty */
+ unsigned dummy;
+#endif
+
+} mbedtls_test_thread_t;
+
+#endif /* MBEDTLS_THREADING_ALT*/
+
+/**
+ * \brief The function pointers for thread create and thread
+ * join.
+ *
+ * \note These functions are part of the testing API only
+ * and thus not considered part of the public API of
+ * MbedTLS and thus may change without notice.
+ *
+ * \note All these functions are expected to work or
+ * the result will be undefined.
+ */
+extern int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread,
+ void *(*thread_func)(void *), void *thread_data);
+extern int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread);
+
+#if defined(MBEDTLS_THREADING_PTHREAD) && defined(MBEDTLS_TEST_HOOKS)
+#define MBEDTLS_TEST_MUTEX_USAGE
+#endif
+
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+/**
+ * Activate the mutex usage verification framework. See threading_helpers.c for
+ * information.
+ */
+void mbedtls_test_mutex_usage_init(void);
+
+/**
+ * Deactivate the mutex usage verification framework. See threading_helpers.c
+ * for information.
+ */
+void mbedtls_test_mutex_usage_end(void);
+
+/**
+ * Call this function after executing a test case to check for mutex usage
+ * errors.
+ */
+void mbedtls_test_mutex_usage_check(void);
+#endif /* MBEDTLS_TEST_MUTEX_USAGE */
+
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* THREADING_HELPERS_H */
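Review bot: `#if defined MBEDTLS_THREADING_C` is evaluated before `mbedtls/build_info.h` is included, because that include sits inside the guarded region; a source file that includes this header before any other Mbed TLS header would get an empty header with no diagnostic. Moving `#include "mbedtls/build_info.h"` above the `#if` removes the dependency on include order. Separately, `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` comes after `#include "mbedtls/private_access.h"`, so it presumably cannot change how `MBEDTLS_PRIVATE(thread)` expands in this header unless the includer had already defined it. Placing the define before that include would match what its comment describes.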
diff --git a/tests/make-in-docker.sh b/tests/make-in-docker.sh
index 0ee08dc..e57d09d 100755
--- a/tests/make-in-docker.sh
+++ b/tests/make-in-docker.sh
@@ -14,19 +14,7 @@
# for the set of Docker images we use on the CI.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
source tests/scripts/docker_env.sh
diff --git a/tests/opt-testcases/tls13-compat.sh b/tests/opt-testcases/tls13-compat.sh
index 56d2e29..b3a0295 100755
--- a/tests/opt-testcases/tls13-compat.sh
+++ b/tests/opt-testcases/tls13-compat.sh
@@ -3,19 +3,7 @@
# tls13-compat.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -25,6 +13,8 @@
# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py`
# AND REGENERATE THIS FILE.
#
+
+DATA_FILES_PATH=../framework/data_files
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
@@ -32,8 +22,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -49,8 +39,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -66,8 +56,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -84,8 +74,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -101,8 +91,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -118,8 +108,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -135,8 +125,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -153,8 +143,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -170,8 +160,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -187,8 +177,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -204,8 +194,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -222,8 +212,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -239,8 +229,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -256,8 +246,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -273,8 +263,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -291,8 +281,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -308,8 +298,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -325,8 +315,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -342,8 +332,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -360,8 +350,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -375,10 +365,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -392,10 +383,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -409,10 +401,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -427,10 +420,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -446,8 +440,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -463,8 +457,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -480,8 +474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -498,8 +492,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -515,8 +509,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -532,8 +526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -549,8 +543,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -567,8 +561,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -584,8 +578,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -601,8 +595,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -618,8 +612,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -636,8 +630,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -653,8 +647,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -670,8 +664,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -687,8 +681,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -705,8 +699,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -722,8 +716,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -739,8 +733,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -756,8 +750,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -774,8 +768,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -789,10 +783,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
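Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` ties this case to the specific FFDH group it negotiates, but the ECDH cases in the neighbouring hunks get no matching per-group guard. In the lines visible there, the x448, x25519 and secp* cases require only `PSA_WANT_ALG_ECDH`. A build with ECDH enabled but one curve disabled would then presumably run those cases and fail rather than skip them. A per-curve line such as `requires_config_enabled PSA_WANT_ECC_MONTGOMERY_448` for the x448 cases, and the corresponding `PSA_WANT_ECC_*` symbol for the others, would keep the two families consistent. Requirement lines above each hunk's context are not visible, so this may already be handled, and if these cases are generated the change belongs in the generator rather than in this file.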
@@ -806,10 +801,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -823,10 +819,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -841,10 +838,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -860,8 +858,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -877,8 +875,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -894,8 +892,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -912,8 +910,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -929,8 +927,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -946,8 +944,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -963,8 +961,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -981,8 +979,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -998,8 +996,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1015,8 +1013,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1032,8 +1030,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1050,8 +1048,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1067,8 +1065,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1084,8 +1082,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1101,8 +1099,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1119,8 +1117,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1136,8 +1134,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1153,8 +1151,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1170,8 +1168,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1188,8 +1186,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1203,10 +1201,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1220,10 +1219,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1237,10 +1237,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1255,10 +1256,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -1274,8 +1276,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1291,8 +1293,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1308,8 +1310,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1326,8 +1328,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1343,8 +1345,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1360,8 +1362,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1377,8 +1379,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1395,8 +1397,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1412,8 +1414,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1429,8 +1431,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1446,8 +1448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1464,8 +1466,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1481,8 +1483,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1498,8 +1500,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1515,8 +1517,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1533,8 +1535,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1550,8 +1552,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1567,8 +1569,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1584,8 +1586,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1602,8 +1604,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1617,10 +1619,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1634,10 +1637,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1651,10 +1655,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1669,10 +1674,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -1688,8 +1694,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1705,8 +1711,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1722,8 +1728,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1740,8 +1746,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1757,8 +1763,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1774,8 +1780,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1791,8 +1797,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1809,8 +1815,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1826,8 +1832,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1843,8 +1849,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1860,8 +1866,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1878,8 +1884,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1895,8 +1901,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1912,8 +1918,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1929,8 +1935,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1947,8 +1953,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1964,8 +1970,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1981,8 +1987,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -1998,8 +2004,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2016,8 +2022,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2031,10 +2037,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2048,10 +2055,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2065,10 +2073,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2083,10 +2092,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -2104,8 +2114,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2123,8 +2133,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2142,8 +2152,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2162,8 +2172,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2181,8 +2191,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2200,8 +2210,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2219,8 +2229,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2239,8 +2249,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2258,8 +2268,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2277,8 +2287,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2296,8 +2306,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2316,8 +2326,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2335,8 +2345,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2354,8 +2364,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2373,8 +2383,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2393,8 +2403,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2412,8 +2422,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2431,8 +2441,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2450,8 +2460,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2470,8 +2480,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2485,12 +2495,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
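Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` ties this test to the exact group named in `groups=ffdhe2048`, but nothing in the stanza says why it is needed on top of `PSA_WANT_ALG_FFDH`. A one-line comment above it, e.g. `# ffdhe2048 needs the RFC 7919 2048-bit group enabled, not only PSA_WANT_ALG_FFDH`, would keep a later editor from dropping it as redundant. The same line is added by hand in the next three ffdhe2048 hunks (ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256). If these uniform stanzas come from a generator script, which the page does not show, the requirement belongs there so that regenerating the file does not lose it. The list of requirements starts before the hunk and the run_test call continues after it.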
@@ -2504,12 +2515,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2523,12 +2535,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2543,12 +2556,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -2566,8 +2580,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2585,8 +2599,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2604,8 +2618,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2624,8 +2638,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2643,8 +2657,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2662,8 +2676,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2681,8 +2695,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2701,8 +2715,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2720,8 +2734,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2739,8 +2753,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2758,8 +2772,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2778,8 +2792,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2797,8 +2811,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2816,8 +2830,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2835,8 +2849,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2855,8 +2869,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2874,8 +2888,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2893,8 +2907,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2912,8 +2926,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2932,8 +2946,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2947,12 +2961,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2966,12 +2981,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -2985,12 +3001,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -3005,12 +3022,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -3028,8 +3046,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3047,8 +3065,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3066,8 +3084,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3086,8 +3104,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3105,8 +3123,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3124,8 +3142,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3143,8 +3161,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3163,8 +3181,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3182,8 +3200,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3201,8 +3219,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3220,8 +3238,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3240,8 +3258,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3259,8 +3277,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3278,8 +3296,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3297,8 +3315,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3317,8 +3335,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3336,8 +3354,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3355,8 +3373,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3374,8 +3392,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3394,8 +3412,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3409,12 +3427,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
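Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` has no comment saying why it is needed next to the existing `PSA_WANT_ALG_FFDH`, so a reader may take one of the two guards for redundant. A line above it such as `# groups=ffdhe2048 needs the RFC 7919 2048-bit group enabled, not only the FFDH algorithm` would record the intent. The same guard is added without a comment in the three following ffdhe2048 hunks (ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256). If this script is generated, the comment belongs in the generator rather than here.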
@@ -3428,12 +3447,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3447,12 +3467,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3467,12 +3488,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -3490,8 +3512,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3509,8 +3531,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3528,8 +3550,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3548,8 +3570,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3567,8 +3589,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3586,8 +3608,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3605,8 +3627,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3625,8 +3647,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3644,8 +3666,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3663,8 +3685,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3682,8 +3704,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3702,8 +3724,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3721,8 +3743,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3740,8 +3762,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3759,8 +3781,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3779,8 +3801,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3798,8 +3820,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3817,8 +3839,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3836,8 +3858,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3856,8 +3878,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3871,12 +3893,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3890,12 +3913,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3909,12 +3933,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3929,12 +3954,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -3952,8 +3978,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -3971,8 +3997,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -3990,8 +4016,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4010,8 +4036,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4029,8 +4055,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4048,8 +4074,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4067,8 +4093,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4087,8 +4113,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4106,8 +4132,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4125,8 +4151,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4144,8 +4170,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4164,8 +4190,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4183,8 +4209,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4202,8 +4228,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4221,8 +4247,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4241,8 +4267,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4260,8 +4286,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4279,8 +4305,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4298,8 +4324,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4318,8 +4344,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4333,12 +4359,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4352,12 +4379,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4371,12 +4399,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4391,12 +4420,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -4412,8 +4442,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4430,8 +4460,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4448,8 +4478,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4467,8 +4497,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4485,8 +4515,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4503,8 +4533,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4521,8 +4551,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4540,8 +4570,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4558,8 +4588,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4576,8 +4606,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4594,8 +4624,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4613,8 +4643,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4631,8 +4661,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4649,8 +4679,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4667,8 +4697,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4686,8 +4716,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4704,8 +4734,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4722,8 +4752,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4740,8 +4770,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4759,8 +4789,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4776,9 +4806,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
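Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` line has no comment explaining why `PSA_WANT_ALG_FFDH` on the line above is not enough for a `groups=ffdhe2048` test. I would put `# ffdhe2048 needs the RFC 7919 2048-bit group built in, not just FFDH support` above it, so the guard is not later removed as redundant. The same guard is added in the next three ffdhe2048 hunks (ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256). If this script is generated, the comment belongs in the generator rather than here. The `run_test` call continues outside the hunk.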
@@ -4794,9 +4825,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4812,9 +4844,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4831,9 +4864,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4850,8 +4884,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4868,8 +4902,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4886,8 +4920,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4905,8 +4939,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4923,8 +4957,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4941,8 +4975,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4959,8 +4993,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4978,8 +5012,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -4996,8 +5030,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5014,8 +5048,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5032,8 +5066,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5051,8 +5085,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5069,8 +5103,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5087,8 +5121,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5105,8 +5139,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5124,8 +5158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5142,8 +5176,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5160,8 +5194,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5178,8 +5212,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5197,8 +5231,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5214,9 +5248,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5232,9 +5267,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5250,9 +5286,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5269,9 +5306,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5288,8 +5326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5306,8 +5344,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5324,8 +5362,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5343,8 +5381,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5361,8 +5399,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5379,8 +5417,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5397,8 +5435,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5416,8 +5454,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5434,8 +5472,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5452,8 +5490,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5470,8 +5508,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5489,8 +5527,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5507,8 +5545,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5525,8 +5563,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5543,8 +5581,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5562,8 +5600,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5580,8 +5618,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5598,8 +5636,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5616,8 +5654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5635,8 +5673,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5652,9 +5690,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
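Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` carries no comment explaining why it is needed alongside the existing `PSA_WANT_ALG_FFDH` guard. The same line is added in the other ffdhe2048 hunks, for both the CHACHA20_POLY1305_SHA256 and AES_128_CCM_SHA256 tests. A one-line comment above it, for example `# ffdhe2048 needs the RFC 7919 2048-bit group enabled, not only the FFDH algorithm`, would record the reason. Since an unmet requirement presumably makes the test skip rather than fail, it is also worth confirming that at least one CI configuration enables `PSA_WANT_DH_RFC7919_2048`, so that FFDHE interoperability coverage against OpenSSL is not lost unnoticed. The `run_test` invocation continues past the end of the hunk.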
@@ -5670,9 +5709,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5688,9 +5728,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5707,9 +5748,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5726,8 +5768,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5744,8 +5786,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5762,8 +5804,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5781,8 +5823,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5799,8 +5841,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5817,8 +5859,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5835,8 +5877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5854,8 +5896,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5872,8 +5914,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5890,8 +5932,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5908,8 +5950,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5927,8 +5969,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5945,8 +5987,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5963,8 +6005,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -5981,8 +6023,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6000,8 +6042,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6018,8 +6060,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6036,8 +6078,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6054,8 +6096,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6073,8 +6115,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6090,9 +6132,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6108,9 +6151,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6126,9 +6170,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6145,9 +6190,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6164,8 +6210,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6182,8 +6228,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6200,8 +6246,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6219,8 +6265,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6237,8 +6283,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6255,8 +6301,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6273,8 +6319,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6292,8 +6338,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6310,8 +6356,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6328,8 +6374,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6346,8 +6392,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6365,8 +6411,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6383,8 +6429,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6401,8 +6447,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6419,8 +6465,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6438,8 +6484,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6456,8 +6502,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6474,8 +6520,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6492,8 +6538,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6511,8 +6557,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6528,9 +6574,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6546,9 +6593,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6564,9 +6612,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6583,9 +6632,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -6604,8 +6654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6624,8 +6674,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6644,8 +6694,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6665,8 +6715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6685,8 +6735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6705,8 +6755,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6725,8 +6775,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6746,8 +6796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6766,8 +6816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6786,8 +6836,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6806,8 +6856,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6827,8 +6877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6847,8 +6897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6867,8 +6917,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6887,8 +6937,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6908,8 +6958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6928,8 +6978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6948,8 +6998,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6968,8 +7018,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -6989,8 +7039,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7008,9 +7058,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
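Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` is repeated in each of the four ffdhe2048 stanzas (this hunk and the three that follow it), and these stanzas have the uniform shape of generated output. If a generator script produces this file, the guard has to be emitted there too; otherwise the next regeneration drops it and the ffdhe2048 tests run again in builds that lack the 2048-bit RFC 7919 group. Nothing in the hunk shows whether that is the case, so it is worth confirming before merge. The run_test invocation continues past the end of the hunk.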
@@ -7028,9 +7079,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7048,9 +7100,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7069,9 +7122,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7090,8 +7144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7110,8 +7164,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7130,8 +7184,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7151,8 +7205,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7171,8 +7225,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7191,8 +7245,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7211,8 +7265,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7232,8 +7286,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7252,8 +7306,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7272,8 +7326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7292,8 +7346,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7313,8 +7367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7333,8 +7387,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7353,8 +7407,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7373,8 +7427,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7394,8 +7448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7414,8 +7468,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7434,8 +7488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7454,8 +7508,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7475,8 +7529,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7494,9 +7548,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
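Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` sits directly under `PSA_WANT_ALG_FFDH` with nothing saying why both guards are needed, so a later cleanup could drop one as redundant; presumably the test would then fail instead of being skipped on builds that enable FFDH without this group. A one-line comment above it would help, e.g. `# ffdhe2048 needs the group itself enabled, not only the FFDH algorithm`. The three following ffdhe2048 hunks (ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256) add the same guard and would take the same comment; if this file is generated, the comment belongs in the generator instead. The requires_* prelude starts before the hunk.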
@@ -7514,9 +7569,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7534,9 +7590,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7555,9 +7612,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7576,8 +7634,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7596,8 +7654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7616,8 +7674,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7637,8 +7695,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7657,8 +7715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7677,8 +7735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7697,8 +7755,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7718,8 +7776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7738,8 +7796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7758,8 +7816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7778,8 +7836,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7799,8 +7857,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7819,8 +7877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7839,8 +7897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7859,8 +7917,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7880,8 +7938,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7900,8 +7958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7920,8 +7978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7940,8 +7998,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7961,8 +8019,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -7980,9 +8038,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
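Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` carries no comment explaining why `PSA_WANT_ALG_FFDH` alone is not sufficient, and the same bare line is repeated in the three following ffdhe2048 hunks. A one-line comment above the guard, such as `# ffdhe2048 needs the RFC 7919 2048-bit group enabled, not only FFDH`, would record the intent. Because the guard turns an unsupported build into a skip rather than a failure, it is worth confirming that at least one CI configuration enables this group, so the m->G ffdhe2048 cases keep running.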
@@ -8000,9 +8059,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8020,9 +8080,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8041,9 +8102,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8062,8 +8124,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8082,8 +8144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8102,8 +8164,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8123,8 +8185,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8143,8 +8205,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8163,8 +8225,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8183,8 +8245,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8204,8 +8266,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8224,8 +8286,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8244,8 +8306,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8264,8 +8326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8285,8 +8347,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8305,8 +8367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8325,8 +8387,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8345,8 +8407,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8366,8 +8428,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8386,8 +8448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8406,8 +8468,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8426,8 +8488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8447,8 +8509,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8466,9 +8528,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8486,9 +8549,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8506,9 +8570,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8527,9 +8592,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8548,8 +8614,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8568,8 +8634,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8588,8 +8654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8609,8 +8675,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8629,8 +8695,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8649,8 +8715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8669,8 +8735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8690,8 +8756,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8710,8 +8776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8730,8 +8796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8750,8 +8816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8771,8 +8837,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8791,8 +8857,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8811,8 +8877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8831,8 +8897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8852,8 +8918,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8872,8 +8938,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8892,8 +8958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8912,8 +8978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8933,8 +8999,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8952,9 +9018,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8972,9 +9039,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -8992,9 +9060,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -9013,9 +9082,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -9036,8 +9106,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9062,8 +9132,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9088,8 +9158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9116,8 +9186,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9142,8 +9212,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9168,8 +9238,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9194,8 +9264,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9222,8 +9292,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9248,8 +9318,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9274,8 +9344,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9300,8 +9370,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9328,8 +9398,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9354,8 +9424,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9380,8 +9450,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9406,8 +9476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9434,8 +9504,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9460,8 +9530,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9486,8 +9556,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9512,8 +9582,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9540,8 +9610,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9560,14 +9630,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
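Review bot: `requires_config_enabled PSA_WANT_DH_RFC7919_2048` is added twice ahead of the same `run_test` call, once in each copy of the already repeated requirement list; a single line is enough to skip the test when the 2048-bit RFC 7919 group is not built. The repetition looks like the output of a generator that emits server-side and client-side requirements separately; if so, the de-duplication belongs in the generator rather than in this file. The later ffdhe2048 hunks repeat the pattern, and the requirement list begins above this hunk's first line.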
@@ -9586,14 +9658,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9612,14 +9686,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9639,15 +9715,17 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -9672,8 +9750,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9698,8 +9776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9724,8 +9802,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9752,8 +9830,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9778,8 +9856,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9804,8 +9882,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9830,8 +9908,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9858,8 +9936,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9884,8 +9962,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9910,8 +9988,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9936,8 +10014,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9964,8 +10042,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -9990,8 +10068,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10016,8 +10094,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10042,8 +10120,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10070,8 +10148,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10096,8 +10174,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10122,8 +10200,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10148,8 +10226,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10176,8 +10254,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10196,14 +10274,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
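Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` is emitted twice for this one test, once after each `PSA_WANT_ALG_FFDH` line, because the whole prerequisite block before `run_test` is duplicated. The new requirement matches `groups=ffdhe2048`, but the repeat is redundant and makes it harder to audit which options actually gate the test. If this file is generated, as its uniform layout suggests, the generator could emit each requirement once per test. The same duplication appears in the other ffdhe2048 hunks, both the remaining AES_256_GCM_SHA384 ones and the CHACHA20_POLY1305_SHA256 ones. The prerequisite block begins above the hunk's first line.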
@@ -10222,14 +10302,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10248,14 +10330,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10275,15 +10359,17 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \
@@ -10308,8 +10394,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10334,8 +10420,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10360,8 +10446,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10388,8 +10474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10414,8 +10500,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10440,8 +10526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10466,8 +10552,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10494,8 +10580,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10520,8 +10606,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10546,8 +10632,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10572,8 +10658,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10600,8 +10686,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10626,8 +10712,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10652,8 +10738,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10678,8 +10764,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10706,8 +10792,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10732,8 +10818,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10758,8 +10844,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10784,8 +10870,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10812,8 +10898,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10832,14 +10918,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
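Review bot: `requires_config_enabled PSA_WANT_DH_RFC7919_2048` is added twice ahead of the same `run_test` in this hunk, once after each `PSA_WANT_ALG_FFDH` line, so one test case evaluates the same condition twice. A single line per test would be enough. The surrounding list already repeats `MBEDTLS_SSL_CLI_C`, `MBEDTLS_DEBUG_C` and the TLS 1.3 options, which suggests the block is emitted by a script; if so, the new guard has to come from that script too, or it will be lost when the file is regenerated. The requirement list starts outside the hunk, and the remaining ffdhe2048 hunks (CHACHA20_POLY1305_SHA256 and AES_128_CCM_SHA256 variants) repeat the pattern.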
@@ -10858,14 +10946,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10884,14 +10974,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10911,15 +11003,17 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \
@@ -10944,8 +11038,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -10970,8 +11064,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -10996,8 +11090,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11024,8 +11118,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11050,8 +11144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11076,8 +11170,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11102,8 +11196,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11130,8 +11224,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11156,8 +11250,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11182,8 +11276,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11208,8 +11302,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11236,8 +11330,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11262,8 +11356,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11288,8 +11382,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11314,8 +11408,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11342,8 +11436,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11368,8 +11462,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11394,8 +11488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11420,8 +11514,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11448,8 +11542,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11468,14 +11562,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11494,14 +11590,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11520,14 +11618,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11547,15 +11647,17 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \
@@ -11580,8 +11682,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11606,8 +11708,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11632,8 +11734,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11660,8 +11762,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11686,8 +11788,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11712,8 +11814,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11738,8 +11840,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11766,8 +11868,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11792,8 +11894,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11818,8 +11920,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11844,8 +11946,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11872,8 +11974,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11898,8 +12000,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11924,8 +12026,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11950,8 +12052,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -11978,8 +12080,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12004,8 +12106,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12030,8 +12132,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12056,8 +12158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12084,8 +12186,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12104,14 +12206,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12130,14 +12234,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \
- "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12156,14 +12262,16 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \
- "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
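Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` appears twice in front of this run_test, once after each `PSA_WANT_ALG_FFDH`, so the same build option is checked twice for a single test. In an m->m test the server and client presumably come from the same build, in which case one occurrence would gate the test identically. If the doubled requirement list is emitted by a generator, which cannot be told from this hunk, the de-duplication belongs there rather than in this file. The neighbouring m->m ffdhe2048 hunks carry the same doubled line, and the start of the requirement list lies outside the hunk.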
@@ -12183,15 +12291,17 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \
@@ -12212,8 +12322,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp256r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12227,8 +12337,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp256r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12242,8 +12352,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp256r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12257,8 +12367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp256r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12270,10 +12380,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR secp256r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12287,8 +12398,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp384r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12302,8 +12413,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp384r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12317,8 +12428,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp384r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12332,8 +12443,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp384r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12345,10 +12456,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR secp384r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12362,8 +12474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp521r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12377,8 +12489,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp521r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12392,8 +12504,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp521r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12407,8 +12519,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR secp521r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12420,10 +12532,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR secp521r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12437,8 +12550,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x25519 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12452,8 +12565,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x25519 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12467,8 +12580,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x25519 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12482,8 +12595,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x25519 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12495,10 +12608,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR x25519 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12512,8 +12626,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x448 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12527,8 +12641,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x448 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12542,8 +12656,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x448 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12557,8 +12671,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3
run_test "TLS 1.3 O->m: HRR x448 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12570,10 +12684,11 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR x448 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:ffdhe2048 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:ffdhe2048 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12587,8 +12702,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-256 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-256 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12602,8 +12717,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-384 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-384 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12617,8 +12732,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-521 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-521 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12632,8 +12747,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR ffdhe2048 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:X25519 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:X25519 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12647,8 +12762,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_openssl_tls1_3_with_ffdh
run_test "TLS 1.3 O->m: HRR ffdhe2048 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:X448 -msg -tls1_3" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:X448 -msg -tls1_3" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12664,8 +12779,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp256r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12681,8 +12796,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp256r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12698,8 +12813,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp256r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12715,8 +12830,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp256r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12728,12 +12843,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp256r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
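Review bot: The added `requires_config_enabled PSA_WANT_DH_RFC7919_2048` presumably makes this case skip, rather than fail, in builds that enable `PSA_WANT_ALG_FFDH` without the 2048-bit group, and nothing in the hunk says why both guards are needed. A short comment above the new line would help, e.g. `# groups=ffdhe2048 needs the RFC 7919 2048-bit group built in, not only FFDH`. It is also worth confirming that at least one CI configuration enables this group, otherwise the HRR-to-ffdhe2048 server path loses coverage without any visible failure. The same guard is added in the later G->m `-> ffdhe2048` hunks (secp384r1, secp521r1, x25519, x448), so the comment applies there too.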
@@ -12749,8 +12865,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp384r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12766,8 +12882,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp384r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12783,8 +12899,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp384r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12800,8 +12916,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp384r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12813,12 +12929,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp384r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12834,8 +12951,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp521r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12851,8 +12968,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp521r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12868,8 +12985,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp521r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -12885,8 +13002,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp521r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12898,12 +13015,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR secp521r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -12919,8 +13037,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x25519 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -12936,8 +13054,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x25519 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -12953,8 +13071,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x25519 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -12970,8 +13088,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x25519 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -12983,12 +13101,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x25519 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -13004,8 +13123,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x448 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -13021,8 +13140,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x448 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -13038,8 +13157,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x448 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -13055,8 +13174,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x448 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -13068,12 +13187,13 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR x448 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -13089,8 +13209,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -13106,8 +13226,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -13123,8 +13243,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -13140,8 +13260,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR ffdhe2048 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -13157,8 +13277,8 @@ requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: HRR ffdhe2048 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -13172,8 +13292,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13190,8 +13310,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp256r1 -> secp521r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13208,8 +13328,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp256r1 -> x25519" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13226,8 +13346,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp256r1 -> x448" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13244,9 +13364,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR secp256r1 -> ffdhe2048" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
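Review bot: The new `requires_config_enabled PSA_WANT_DH_RFC7919_2048` gate sits next to `PSA_WANT_ALG_FFDH` with no comment saying why both are needed, and a build without the symbol will now presumably skip this test silently rather than fail it. I would add a line such as `# ffdhe2048 needs the RFC 7919 2048-bit group, not only FFDH support` above the gate. It is also worth confirming that at least one CI configuration enables the symbol, so the ffdhe2048 HelloRetryRequest paths stay covered. The same gate is added in the other ffdhe2048 hunks on this page: the remaining `m->O: HRR ... -> ffdhe2048` cases, the `m->O: HRR ffdhe2048 -> ...` cases, and `m->G: HRR secp256r1 -> ffdhe2048`. If this test list is produced by a generator, the gate and its comment belong in the generator rather than in hand edits.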
@@ -13263,8 +13384,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp384r1 -> secp256r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13281,8 +13402,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp384r1 -> secp521r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13299,8 +13420,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp384r1 -> x25519" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13317,8 +13438,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp384r1 -> x448" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13335,9 +13456,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR secp384r1 -> ffdhe2048" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13354,8 +13476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp521r1 -> secp256r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13372,8 +13494,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp521r1 -> secp384r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13390,8 +13512,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp521r1 -> x25519" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13408,8 +13530,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR secp521r1 -> x448" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13426,9 +13548,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR secp521r1 -> ffdhe2048" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13445,8 +13568,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x25519 -> secp256r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13463,8 +13586,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x25519 -> secp384r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13481,8 +13604,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x25519 -> secp521r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13499,8 +13622,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x25519 -> x448" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13517,9 +13640,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR x25519 -> ffdhe2048" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13536,8 +13660,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x448 -> secp256r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13554,8 +13678,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x448 -> secp384r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13572,8 +13696,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x448 -> secp521r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13590,8 +13714,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->O: HRR x448 -> x25519" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13608,9 +13732,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR x448 -> ffdhe2048" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13627,9 +13752,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp256r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13646,9 +13772,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp384r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13665,9 +13792,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp521r1" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13684,9 +13812,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x25519" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13703,9 +13832,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x448" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
0 \
-c "HTTP/1.0 200 ok" \
-c "Protocol is TLSv1.3" \
@@ -13724,8 +13854,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp256r1 -> secp384r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13744,8 +13874,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp256r1 -> secp521r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13764,8 +13894,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp256r1 -> x25519" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13784,8 +13914,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp256r1 -> x448" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13804,9 +13934,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR secp256r1 -> ffdhe2048" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13825,8 +13956,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp384r1 -> secp256r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13845,8 +13976,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp384r1 -> secp521r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13865,8 +13996,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp384r1 -> x25519" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13885,8 +14016,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp384r1 -> x448" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13905,9 +14036,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR secp384r1 -> ffdhe2048" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13926,8 +14058,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp521r1 -> secp256r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13946,8 +14078,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp521r1 -> secp384r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13966,8 +14098,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp521r1 -> x25519" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13986,8 +14118,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR secp521r1 -> x448" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14006,9 +14138,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR secp521r1 -> ffdhe2048" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14027,8 +14160,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x25519 -> secp256r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14047,8 +14180,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x25519 -> secp384r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14067,8 +14200,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x25519 -> secp521r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14087,8 +14220,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x25519 -> x448" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14107,9 +14240,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR x25519 -> ffdhe2048" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14128,8 +14262,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x448 -> secp256r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14148,8 +14282,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x448 -> secp384r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14168,8 +14302,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x448 -> secp521r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14188,8 +14322,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->G: HRR x448 -> x25519" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14208,9 +14342,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR x448 -> ffdhe2048" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14229,9 +14364,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp256r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14250,9 +14386,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp384r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14271,9 +14408,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp521r1" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14292,9 +14430,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x25519" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14313,9 +14452,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x448" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -14336,8 +14476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp256r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -14361,8 +14501,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp256r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -14386,8 +14526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp256r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -14411,8 +14551,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp256r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -14430,15 +14570,17 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR secp256r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
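Review bot: The new `requires_config_enabled PSA_WANT_DH_RFC7919_2048` line is added twice ahead of the `HRR secp256r1 -> ffdhe2048` case, once after each existing `PSA_WANT_ALG_FFDH` line, and nothing says why the algorithm-level symbol is not enough. A short comment above the prerequisite list, for example `# groups=ffdhe2048 needs the 2048-bit RFC 7919 group, not only FFDH`, would keep the next group-specific case from being gated on `PSA_WANT_ALG_FFDH` alone. The prerequisite list starts above the hunk. The same pair of additions appears in the other `-> ffdhe2048` hunks, and a single addition in the `ffdhe2048 ->` hunks.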
@@ -14462,8 +14604,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp384r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -14487,8 +14629,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp384r1 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -14512,8 +14654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp384r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -14537,8 +14679,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp384r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -14556,15 +14698,17 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR secp384r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -14588,8 +14732,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp521r1 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -14613,8 +14757,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp521r1 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -14638,8 +14782,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp521r1 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -14663,8 +14807,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR secp521r1 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -14682,15 +14826,17 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR secp521r1 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -14714,8 +14860,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x25519 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -14739,8 +14885,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x25519 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -14764,8 +14910,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x25519 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -14789,8 +14935,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x25519 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
@@ -14808,15 +14954,17 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR x25519 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -14840,8 +14988,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x448 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -14865,8 +15013,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x448 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -14890,8 +15038,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x448 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -14915,8 +15063,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
run_test "TLS 1.3 m->m: HRR x448 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -14934,15 +15082,17 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR x448 -> ffdhe2048" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: ffdhe2048(0100)" \
@@ -14966,9 +15116,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp256r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp256r1(0017)" \
@@ -14992,9 +15143,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp384r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp384r1(0018)" \
@@ -15018,9 +15170,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp521r1" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: secp521r1(0019)" \
@@ -15044,9 +15197,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x25519" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x25519(001d)" \
@@ -15070,9 +15224,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled PSA_WANT_ALG_ECDH
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_2048
run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x448" \
- "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \
0 \
-s "Protocol is TLSv1.3" \
-s "got named group: x448(001e)" \
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 758da1d..782bda2 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -3,19 +3,7 @@
# tls13-kex-modes.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases will be generated by
@@ -35,7 +23,7 @@ run_test "TLS 1.3: G->m: all/psk, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
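Review bot: The `-S "No usable PSK or ticket"` check in this `G->m: all/psk, good` case is a must-not-appear match on the exact server debug text, so it passes vacuously whenever that text is reworded in the library, which is apparently what this commit is catching up with. Only the sibling `fail, key id mismatch` cases, which assert the same string with `-s`, detect such drift. A comment next to the pattern, for example `# exact server debug string; the key-id-mismatch cases assert it with -s`, would record that coupling. The `run_test` call starts above the hunk, and the same applies to the other `good` hunks in this file.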
@@ -53,7 +41,7 @@ run_test "TLS 1.3: G->m: all/psk, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -90,7 +78,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, good" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -108,7 +96,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -145,7 +133,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -163,7 +151,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_ephemeral, fail, key id mismatch"
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -200,7 +188,7 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -218,7 +206,7 @@ run_test "TLS 1.3: G->m: all/psk_ephemeral, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -273,7 +261,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -292,7 +280,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_all, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -331,7 +319,7 @@ run_test "TLS 1.3: G->m: all/psk_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -350,7 +338,7 @@ run_test "TLS 1.3: G->m: all/psk_all, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -389,7 +377,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, good" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -408,7 +396,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_all, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -447,7 +435,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -466,7 +454,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -505,7 +493,7 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -524,7 +512,7 @@ run_test "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -562,8 +550,9 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No suitable PSK key exchange mode" \
+ -S "Pre shared key found" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
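Review bot: The added expectations make a test titled "good" assert `-s "No usable PSK or ticket"`, the same server message the "fail, key id mismatch" cases check, and nothing in the script explains why. Judging by the test name and the new `No suitable PSK key exchange mode` line, the two sides share no PSK mode and the handshake presumably completes through the ephemeral fallback pinned by `-s "key exchange mode: ephemeral"`. A comment above the run_test, which starts outside this hunk, would record that intent: `# No common PSK kex mode: the offered PSK must be ignored and the handshake falls back to ephemeral`. The same applies to the `G->m: ephemeral_all/psk_or_ephemeral` and `O->m: ephemeral_all/psk_or_ephemeral` hunks. It may also be worth adding `-S "No suitable PSK key exchange mode"` to the tests that expect `Pre shared key found`, so the new message is checked in both directions.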
@@ -584,7 +573,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -604,7 +593,7 @@ run_test "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -645,7 +634,7 @@ run_test "TLS 1.3: G->m: all/all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -665,7 +654,7 @@ run_test "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -706,7 +695,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/all, good" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -745,8 +734,9 @@ run_test "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No suitable PSK key exchange mode" \
+ -S "Pre shared key found" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -766,7 +756,7 @@ run_test "TLS 1.3: G->m: all/psk_or_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -805,7 +795,7 @@ run_test "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -933,7 +923,7 @@ run_test "TLS 1.3: O->m: all/psk, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -950,7 +940,7 @@ run_test "TLS 1.3: O->m: all/psk, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -985,7 +975,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1002,7 +992,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_ephemeral, fail, key id mismatch"
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1037,7 +1027,7 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1054,7 +1044,7 @@ run_test "TLS 1.3: O->m: all/psk_ephemeral, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1090,7 +1080,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1108,7 +1098,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_all, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1145,7 +1135,7 @@ run_test "TLS 1.3: O->m: all/psk_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1163,7 +1153,7 @@ run_test "TLS 1.3: O->m: all/psk_all, fail, key id mismatch" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1200,7 +1190,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1218,7 +1208,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch,
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1255,7 +1245,7 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1273,7 +1263,7 @@ run_test "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1311,7 +1301,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1330,7 +1320,7 @@ run_test "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1369,7 +1359,7 @@ run_test "TLS 1.3: O->m: all/all, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1388,7 +1378,7 @@ run_test "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1425,8 +1415,9 @@ run_test "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No suitable PSK key exchange mode" \
+ -S "Pre shared key found" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1445,7 +1436,7 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, good" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1469,8 +1460,10 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, fail, key material mismatch" \
-S "key exchange mode: ephemeral"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_256
run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups P-256 \
@@ -1482,8 +1475,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \
-S "key exchange mode: ephemeral"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384
run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups secp384r1 \
@@ -1495,8 +1490,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \
-S "key exchange mode: ephemeral"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_521
run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups secp521r1 \
@@ -1508,8 +1505,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \
-S "key exchange mode: ephemeral"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_MONTGOMERY_255
run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups X25519 \
@@ -1521,8 +1520,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \
-S "key exchange mode: ephemeral"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_MONTGOMERY_448
run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \
"$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups X448 \
@@ -1533,9 +1534,11 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384
run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef groups=secp384r1" \
"$O_NEXT_CLI_NO_CERT -tls1_3 -msg -allow_no_dhe_kex -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70 -groups P-256:P-384" \
@@ -1546,12 +1549,13 @@ run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-requires_config_enabled PSA_WANT_ALG_ECDH
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384
run_test "TLS 1.3 G->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \
"$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef groups=secp384r1" \
"$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1 --pskusername Client_identity --pskkey 6162636465666768696a6b6c6d6e6f70 localhost" \
@@ -1592,7 +1596,7 @@ run_test "TLS 1.3: m->m: psk/psk, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1677,7 +1681,7 @@ run_test "TLS 1.3: m->m: psk/psk_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1723,7 +1727,7 @@ run_test "TLS 1.3: m->m: psk/all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1781,7 +1785,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_ephemeral, fail, key id mismatch"
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1839,7 +1843,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, fail, key id mismatch"
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1882,7 +1886,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1928,7 +1932,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
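Review bot: The rewritten `-s "No usable PSK or ticket" \` keeps a trailing backslash although it appears to be the last argument of this run_test, since the next visible line is already `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3` for the following test. That only works while an empty line (not shown in this rendering) separates the two. If that line is ever removed, the guard is swallowed as run_test arguments and the next test silently loses a prerequisite check. Dropping the continuation, `-s "No usable PSK or ticket"`, matches the sibling `psk_ephemeral/ephemeral_all, fail, key id mismatch` hunk. The run_test call itself starts outside this hunk.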
@@ -2059,7 +2063,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, fail, key id mismatch"
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2118,7 +2122,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/ephemeral_all,good,key id mismatch,fal
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2164,7 +2168,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/psk_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2211,7 +2215,7 @@ run_test "TLS 1.3: m->m: ephemeral_all/all, good, key id mismatch, fallback"
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2300,7 +2304,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_ephemeral, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2360,7 +2364,7 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2404,7 +2408,7 @@ run_test "TLS 1.3: m->m: psk_all/psk_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2450,7 +2454,7 @@ run_test "TLS 1.3: m->m: psk_all/all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2497,7 +2501,7 @@ run_test "TLS 1.3: m->m: all/psk, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2544,7 +2548,7 @@ run_test "TLS 1.3: m->m: all/psk_ephemeral, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2607,7 +2611,7 @@ run_test "TLS 1.3: m->m: all/ephemeral_all, good, key id mismatch, fallback"
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-c "Selected key exchange mode: ephemeral" \
-c "HTTP/1.0 200 OK"
@@ -2655,7 +2659,7 @@ run_test "TLS 1.3: m->m: all/psk_all, fail, key id mismatch" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2702,7 +2706,7 @@ run_test "TLS 1.3: m->m: all/all, good, key id mismatch, fallback" \
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2947,7 +2951,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3: m->G: psk/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
0 \
-c "=> write client hello" \
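Review bot: The fixture path `../framework/data_files/simplepass.psk` is spelled out literally in each m->G server command, here and in the following hunks (psk/ephemeral_all, psk_all/all, psk_all/ephemeral_all, psk_ephemeral/all, psk_ephemeral/ephemeral_all, ephemeral/all). It only resolves when the script runs from the directory the relative path assumes. Since these lines change only because the fixture moved, defining the location once would make the next move a one-line edit, e.g. `--pskpasswd=$PSK_PASSWD_FILE` with the variable set near the top of the script (name illustrative, not taken from the page). A short comment there noting that the file holds test-only PSK credentials would also help readers who meet the path out of context.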
@@ -2967,7 +2971,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "TLS 1.3: m->G: psk/ephemeral_all, fail - no common kex mode" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \
1 \
-c "=> write client hello" \
@@ -2988,7 +2992,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: psk_all/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
0 \
-c "=> write client hello" \
@@ -3009,7 +3013,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \
0 \
-c "=> write client hello" \
@@ -3030,7 +3034,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
0 \
-c "=> write client hello" \
@@ -3050,7 +3054,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \
0 \
-c "=> write client hello" \
@@ -3071,7 +3075,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: ephemeral/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
0 \
-c "Selected key exchange mode: ephemeral" \
@@ -3084,7 +3088,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \
0 \
-c "Selected key exchange mode: ephemeral" \
@@ -3099,7 +3103,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: ephemeral_all/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
0 \
-c "=> write client hello" \
@@ -3120,7 +3124,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \
0 \
-c "=> write client hello" \
@@ -3143,7 +3147,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: all/all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
0 \
-c "=> write client hello" \
@@ -3165,7 +3169,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: m->G: all/ephemeral_all, good" \
- "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \
+ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \
"$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
0 \
-c "=> write client hello" \
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index f30384d..9d5870d 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -3,19 +3,7 @@
# tls13-misc.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
requires_gnutls_tls1_3
@@ -83,120 +71,6 @@ run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \
-S "key exchange mode: ephemeral$" \
-s "ticket is not authentic"
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=1" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -s "ticket is not authentic" \
- -S "ticket is expired" \
- -S "Invalid ticket start time" \
- -S "Ticket age exceeds limitation" \
- -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=2" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -S "ticket is not authentic" \
- -s "ticket is expired" \
- -S "Invalid ticket start time" \
- -S "Ticket age exceeds limitation" \
- -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=3" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -S "ticket is not authentic" \
- -S "ticket is expired" \
- -s "Invalid ticket start time" \
- -S "Ticket age exceeds limitation" \
- -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=4" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -S "ticket is not authentic" \
- -S "ticket is expired" \
- -S "Invalid ticket start time" \
- -s "Ticket age exceeds limitation" \
- -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=5" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -S "ticket is not authentic" \
- -S "ticket is expired" \
- -S "Invalid ticket start time" \
- -S "Ticket age exceeds limitation" \
- -s "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
- MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=6" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
- -s "key exchange mode: ephemeral" \
- -S "key exchange mode: psk_ephemeral" \
- -S "key exchange mode: psk$" \
- -S "ticket is not authentic" \
- -S "ticket is expired" \
- -S "Invalid ticket start time" \
- -S "Ticket age exceeds limitation" \
- -s "Ticket age outside tolerance window"
-
requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
@@ -264,186 +138,612 @@ run_test "TLS 1.3: G->m: PSK: configured ephemeral only, good." \
0 \
-s "key exchange mode: ephemeral$"
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_EARLY_DATA
-requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->G: EarlyData: basic check, good" \
- "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
- "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \
- 0 \
- -c "Reconnecting with saved session" \
- -c "NewSessionTicket: early_data(42) extension received." \
- -c "ClientHello: early_data(42) extension exists." \
- -c "EncryptedExtensions: early_data(42) extension received." \
- -c "EncryptedExtensions: early_data(42) extension exists." \
- -c "<= write EndOfEarlyData" \
- -s "Parsing extension 'Early Data/42' (0 bytes)" \
- -s "Sending extension Early Data/42 (0 bytes)" \
- -s "END OF EARLY DATA (5) was received." \
- -s "early data accepted"
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite"
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_EARLY_DATA
-requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \
- "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
- "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
- 0 \
- -c "Reconnecting with saved session" \
- -C "NewSessionTicket: early_data(42) extension received." \
- -c "ClientHello: early_data(42) extension does not exist." \
- -C "EncryptedExtensions: early_data(42) extension received." \
- -C "EncryptedExtensions: early_data(42) extension exists."
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption with servername" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key \
+ sni=localhost,../framework/data_files/server2.crt,../framework/data_files/server2.key,-,-,-,polarssl.example,../framework/data_files/server1-nospace.crt,../framework/data_files/server1.key,-,-,-" \
+ "$P_CLI server_name=localhost reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite"
-#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked.
-skip_next_test
-requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_EARLY_DATA
-requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3, ext PSK, early data" \
- "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
- "$P_CLI debug_level=5 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
- 1 \
- -c "Reconnecting with saved session" \
- -c "NewSessionTicket: early_data(42) extension received." \
- -c "ClientHello: early_data(42) extension exists." \
- -c "EncryptedExtensions: early_data(42) extension received." \
- -c "EncryptedExtensions: early_data(42) extension ( ignored )."
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption with ticket max lifetime (7d)" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=604800 tickets=1" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+run_test "TLS 1.3 m->m: resumption with AES-256-GCM-SHA384 only" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite: 1302 - TLS1-3-AES-256-GCM-SHA384"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption with early data" \
+ "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "bytes of early data written" \
+ -C "0 bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -s "Sent max_early_data_size" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EncryptedExtensions: early_data(42) extension exists." \
+ -s "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+run_test "TLS 1.3 m->m: resumption with early data, AES-256-GCM-SHA384 only" \
+ "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "bytes of early data written" \
+ -C "0 bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite: 1302 - TLS1-3-AES-256-GCM-SHA384" \
+ -s "Sent max_early_data_size" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EncryptedExtensions: early_data(42) extension exists." \
+ -s "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption, early data cli-enabled/srv-default" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -C "received max_early_data_size" \
+ -C "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+ -C "EncryptedExtensions: early_data(42) extension received." \
+ -c "0 bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -S "Sent max_early_data_size" \
+ -S "NewSessionTicket: early_data(42) extension exists." \
+ -S "ClientHello: early_data(42) extension exists." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -S "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption, early data cli-enabled/srv-disabled" \
+ "$P_SRV debug_level=4 early_data=0 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -C "received max_early_data_size" \
+ -C "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+ -C "EncryptedExtensions: early_data(42) extension received." \
+ -c "0 bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -S "Sent max_early_data_size" \
+ -S "NewSessionTicket: early_data(42) extension exists." \
+ -S "ClientHello: early_data(42) extension exists." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -S "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption, early data cli-default/srv-enabled" \
+ "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+ -C "EncryptedExtensions: early_data(42) extension received." \
+ -C "bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -s "Sent max_early_data_size" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -S "ClientHello: early_data(42) extension exists." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -S "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption, early data cli-disabled/srv-enabled" \
+ "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \
+ "$P_CLI debug_level=3 early_data=0 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+ -C "EncryptedExtensions: early_data(42) extension received." \
+ -C "bytes of early data written" \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -s "Sent max_early_data_size" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -S "ClientHello: early_data(42) extension exists." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -S "early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, ticket lifetime too long (7d + 1s)" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=604801 tickets=1" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... failed" \
+ -S "Protocol is TLSv1.3" \
+ -S "key exchange mode: psk" \
+ -S "Select PSK ciphersuite" \
+ -s "Ticket lifetime (604801) is greater than 7 days."
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, ticket lifetime=0" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=0 tickets=1" \
+ "$P_CLI debug_level=2 reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -c "Discard new session ticket" \
+ -c "Reconnecting with saved session... failed" \
+ -s "Protocol is TLSv1.3" \
+ -S "key exchange mode: psk" \
+ -S "Select PSK ciphersuite"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, servername check failed" \
+ "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key \
+ sni=localhost,../framework/data_files/server2.crt,../framework/data_files/server2.key,-,-,-,polarssl.example,../framework/data_files/server1-nospace.crt,../framework/data_files/server1.key,-,-,-" \
+ "$P_CLI debug_level=4 server_name=localhost reco_server_name=remote reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "Hostname mismatch the session ticket, disable session resumption." \
+ -s "Protocol is TLSv1.3" \
+ -S "key exchange mode: psk" \
+ -S "Select PSK ciphersuite"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, ticket auth failed." \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=1" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -s "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket creation time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, ticket expired." \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=2" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -S "ticket is not authentic" \
+ -s "ticket is expired" \
+ -S "Invalid ticket creation time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, invalid creation time." \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=3" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -s "Invalid ticket creation time" \
+ -S "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, ticket expired, too old" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=4" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket creation time" \
+ -s "Ticket age exceeds limitation" \
+ -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, age outside tolerance window, too young" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=5" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket creation time" \
+ -S "Ticket age exceeds limitation" \
+ -s "Ticket age outside tolerance window"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: resumption fails, age outside tolerance window, too old" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=6" \
+ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -S "key exchange mode: psk" \
+ -S "ticket is not authentic" \
+ -S "ticket is expired" \
+ -S "Invalid ticket creation time" \
+ -S "Ticket age exceeds limitation" \
+ -s "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \
+run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk/none" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
+ -c "Protocol is TLSv1.3" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "found matched identity" \
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \
+run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk/psk" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \
+run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk/psk_ephemeral" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
+ -c "Protocol is TLSv1.3" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "found matched identity" \
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \
+run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk/psk_all" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \
+run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_ephemeral/none" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
+ -c "Protocol is TLSv1.3" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "found matched identity" \
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \
+run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_ephemeral/psk" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "sent selected_identity:" \
+ -c "Protocol is TLSv1.3" \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "found matched identity" \
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \
+run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_ephemeral/psk_ephemeral" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \
+run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_ephemeral/psk_all" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \
+run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_all/none" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
@@ -451,45 +751,471 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \
+run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk_all/psk" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \
+run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_ephemeral" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
-requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
- MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_DEBUG_C \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \
+run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_all" \
+ "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
- -c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
- -s "found matched identity"
+ -c "Protocol is TLSv1.3" \
+ -s "key exchange mode: ephemeral" \
+ -s "key exchange mode: psk_ephemeral" \
+ -S "key exchange mode: psk$" \
+ -s "found matched identity" \
+ -S "No suitable PSK key exchange mode" \
+ -S "No usable PSK or ticket"
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->O: resumption" \
+ "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 ok"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS
+run_test "TLS 1.3 m->O: resumption fails, no ticket support" \
+ "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \
+ "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -C "Reconnecting with saved session... ok" \
+ -c "Ignore NewSessionTicket, not supported."
+
+# No early data m->O tests for the time being. The option -early_data is needed
+# to enable early data on OpenSSL server and it is not compatible with the
+# -www option we usually use for testing with OpenSSL server (see
+# O_NEXT_SRV_EARLY_DATA definition). In this configuration when running the
+# ephemeral then ticket based scenario we use for early data testing the first
+# handshake fails. The following skipped test is here to illustrate the kind
+# of testing we would like to do.
+skip_next_test
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->O: resumption with early data" \
+ "$O_NEXT_SRV_EARLY_DATA -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size: 16384" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "bytes of early data written" \
+ -s "decrypted early data with length:"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: resumption" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
+ "$P_CLI reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS
+run_test "TLS 1.3 m->G: resumption fails, no ticket support" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
+ "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -C "Reconnecting with saved session... ok" \
+ -c "Ignore NewSessionTicket, not supported."
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+run_test "TLS 1.3 m->G: resumption with AES-256-GCM-SHA384 only" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
+ "$P_CLI force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session... ok" \
+ -c "HTTP/1.0 200 OK"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: resumption with early data" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert \
+ --earlydata --maxearlydata 16384" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size: 16384" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "bytes of early data written" \
+ -s "decrypted early data with length:"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+run_test "TLS 1.3 m->G: resumption with early data, AES-256-GCM-SHA384 only" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert \
+ --earlydata --maxearlydata 16384" \
+ "$P_CLI debug_level=3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size: 16384" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "bytes of early data written" \
+ -s "decrypted early data with length:"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: resumption, early data cli-enabled/srv-disabled" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
+ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -C "received max_early_data_size: 16384" \
+ -C "NewSessionTicket: early_data(42) extension received." \
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: resumption, early data cli-default/srv-enabled" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert \
+ --earlydata --maxearlydata 16384" \
+ "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size: 16384" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: resumption, early data cli-disabled/srv-enabled" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert \
+ --earlydata --maxearlydata 16384" \
+ "$P_CLI debug_level=3 early_data=0 reco_mode=1 reconnect=1" \
+ 0 \
+ -c "Protocol is TLSv1.3" \
+ -c "Saving session for reuse... ok" \
+ -c "Reconnecting with saved session" \
+ -c "HTTP/1.0 200 OK" \
+ -c "received max_early_data_size: 16384" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -C "ClientHello: early_data(42) extension exists." \
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+# https://github.com/openssl/openssl/issues/10714
+# Until now, OpenSSL client does not support reconnect.
+skip_next_test
+run_test "TLS 1.3 O->m: resumption" \
+ "$P_SRV debug_level=2 tickets=1" \
+ "$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 G->m: resumption" \
+ "$P_SRV debug_level=2 tickets=1" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+# Test the session resumption when the cipher suite for the original session is
+# TLS1-3-AES-256-GCM-SHA384. In that case, the PSK is 384 bits long and not
+# 256 bits long as with all the other TLS 1.3 cipher suites.
+run_test "TLS 1.3 G->m: resumption with AES-256-GCM-SHA384 only" \
+ "$P_SRV debug_level=2 tickets=1" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM -V -r" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite: 1302 - TLS1-3-AES-256-GCM-SHA384"
+
+EARLY_DATA_INPUT_LEN_BLOCKS=$(( ( $( cat $EARLY_DATA_INPUT | wc -c ) + 31 ) / 32 ))
+EARLY_DATA_INPUT_LEN=$(( $EARLY_DATA_INPUT_LEN_BLOCKS * 32 ))
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 G->m: resumption with early data" \
+ "$P_SRV debug_level=4 tickets=1 early_data=1 max_early_data_size=$EARLY_DATA_INPUT_LEN" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r \
+ --earlydata $EARLY_DATA_INPUT" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EncryptedExtensions: early_data(42) extension exists." \
+ -s "$( head -1 $EARLY_DATA_INPUT )" \
+ -s "$( tail -1 $EARLY_DATA_INPUT )" \
+ -s "200 early data bytes read" \
+ -s "106 early data bytes read"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
+run_test "TLS 1.3 G->m: resumption with early data, AES-256-GCM-SHA384 only" \
+ "$P_SRV debug_level=4 tickets=1 early_data=1 max_early_data_size=$EARLY_DATA_INPUT_LEN" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM -V -r \
+ --earlydata $EARLY_DATA_INPUT" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite: 1302 - TLS1-3-AES-256-GCM-SHA384" \
+ -s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EncryptedExtensions: early_data(42) extension exists." \
+ -s "$( head -1 $EARLY_DATA_INPUT )" \
+ -s "$( tail -1 $EARLY_DATA_INPUT )" \
+ -s "200 early data bytes read" \
+ -s "106 early data bytes read"
+
+# The Mbed TLS server does not allow early data for the ticket it sends but
+# the GnuTLS indicates early data anyway when resuming with the ticket and
+# sends early data. The Mbed TLS server does not expect early data in
+# association with the ticket thus it eventually fails the resumption
+# handshake. The GnuTLS client behavior is not compliant here with the TLS 1.3
+# specification and thus its behavior may change in following versions.
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 G->m: resumption, early data cli-enabled/srv-default" \
+ "$P_SRV debug_level=4 tickets=1" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r \
+ --earlydata $EARLY_DATA_INPUT" \
+ 1 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -S "Sent max_early_data_size" \
+ -S "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EarlyData: rejected, feature disabled in server configuration." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -s "EarlyData: deprotect and discard app data records" \
+ -s "EarlyData: Too much early data received"
+
+# The Mbed TLS server does not allow early data for the ticket it sends but
+# the GnuTLS indicates early data anyway when resuming with the ticket and
+# sends early data. The Mbed TLS server does not expect early data in
+# association with the ticket thus it eventually fails the resumption
+# handshake. The GnuTLS client behavior is not compliant here with the TLS 1.3
+# specification and thus its behavior may change in following versions.
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 G->m: resumption, early data cli-enabled/srv-disabled" \
+ "$P_SRV debug_level=4 tickets=1 early_data=0" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r \
+ --earlydata $EARLY_DATA_INPUT" \
+ 1 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -S "Sent max_early_data_size" \
+ -S "NewSessionTicket: early_data(42) extension exists." \
+ -s "ClientHello: early_data(42) extension exists." \
+ -s "EarlyData: rejected, feature disabled in server configuration." \
+ -S "EncryptedExtensions: early_data(42) extension exists." \
+ -s "EarlyData: deprotect and discard app data records" \
+ -s "EarlyData: Too much early data received"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_EARLY_DATA MBEDTLS_DEBUG_C \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test "TLS 1.3 G->m: resumption, early data cli-disabled/srv-enabled" \
+ "$P_SRV debug_level=4 tickets=1 early_data=1" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "key exchange mode: psk" \
+ -s "Select PSK ciphersuite" \
+ -s "Sent max_early_data_size" \
+ -s "NewSessionTicket: early_data(42) extension exists." \
+ -S "ClientHello: early_data(42) extension exists." \
+ -S "EncryptedExtensions: early_data(42) extension exists."
+
+requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: Ephemeral over PSK kex with early data enabled" \
+ "$P_SRV force_version=tls13 debug_level=4 early_data=1 max_early_data_size=1024" \
+ "$P_CLI debug_level=4 early_data=1 tls13_kex_modes=psk_or_ephemeral reco_mode=1 reconnect=1" \
+ 0 \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk" \
+ -s "found matched identity" \
+ -s "EarlyData: rejected, not a session resumption" \
+ -C "EncryptedExtensions: early_data(42) extension exists."
diff --git a/tests/psa-client-server/README.md b/tests/psa-client-server/README.md
new file mode 100644
index 0000000..e6d9c87
--- /dev/null
+++ b/tests/psa-client-server/README.md
@@ -0,0 +1,6 @@
+### PSA Crypto Client-Server Testing
+
+Everything in this directory should currently be considered experimental. We are adding features and extending CI support for it.
+
+Once stable, of production quality, and being tested by the CI, it will eventually be migrated into
+the [MbedTLS framework repository](https://github.com/Mbed-TLS/mbedtls-framework).
diff --git a/tests/psa-client-server/psasim/.gitignore b/tests/psa-client-server/psasim/.gitignore
new file mode 100644
index 0000000..4065abf
--- /dev/null
+++ b/tests/psa-client-server/psasim/.gitignore
@@ -0,0 +1,12 @@
+bin/*
+*.o
+*.so
+test/psa_ff_bootstrap.c
+test/psa_manifest/*
+test/client
+test/partition
+cscope.out
+*.orig
+*.swp
+*.DS_Store
+*psa_ff_bootstrap_*
diff --git a/tests/psa-client-server/psasim/Makefile b/tests/psa-client-server/psasim/Makefile
new file mode 100644
index 0000000..ec6691f
--- /dev/null
+++ b/tests/psa-client-server/psasim/Makefile
@@ -0,0 +1,81 @@
+CFLAGS += -Wall -Werror -std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L
+
+ifeq ($(DEBUG),1)
+override CFLAGS += -DDEBUG -O0 -g
+endif
+
+CLIENT_LIBS := -Lclient_libs -lpsaclient -lmbedtls -lmbedx509 -lmbedcrypto
+SERVER_LIBS := -Lserver_libs -lmbedcrypto
+
+MBEDTLS_ROOT_PATH = ../../..
+COMMON_INCLUDE := -I./include -I$(MBEDTLS_ROOT_PATH)/include \
+ -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/include \
+ -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
+
+GENERATED_H_FILES = include/psa_manifest/manifest.h \
+ include/psa_manifest/pid.h \
+ include/psa_manifest/sid.h
+
+LIBPSACLIENT_SRC = src/psa_ff_client.c \
+ src/psa_sim_crypto_client.c \
+ src/psa_sim_serialise.c
+LIBPSACLIENT_OBJS=$(LIBPSACLIENT_SRC:.c=.o)
+
+PSA_CLIENT_BASE_SRC = $(LIBPSACLIENT_SRC) src/client.c
+
+PSA_CLIENT_FULL_SRC = $(LIBPSACLIENT_SRC) \
+ $(wildcard src/aut_*.c)
+
+PARTITION_SERVER_BOOTSTRAP = src/psa_ff_bootstrap_TEST_PARTITION.c
+
+PSA_SERVER_SRC = $(PARTITION_SERVER_BOOTSTRAP) \
+ src/psa_ff_server.c \
+ src/psa_sim_crypto_server.c \
+ src/psa_sim_serialise.c
+
+.PHONY: all clean client_libs server_libs
+
+all:
+
+test/seedfile:
+ dd if=/dev/urandom of=./test/seedfile bs=64 count=1
+
+src/%.o: src/%.c $(GENERATED_H_FILES)
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) -c $< $(LDFLAGS) -o $@
+
+client_libs/libpsaclient: $(LIBPSACLIENT_OBJS)
+ mkdir -p client_libs
+ $(AR) -src client_libs/libpsaclient.a $(LIBPSACLIENT_OBJS)
+
+test/psa_client_base: $(PSA_CLIENT_BASE_SRC) $(GENERATED_H_FILES) test/seedfile
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_CLIENT_BASE_SRC) $(CLIENT_LIBS) $(LDFLAGS) -o $@
+
+test/psa_client_full: $(PSA_CLIENT_FULL_SRC) $(GENERATED_H_FILES) test/seedfile
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_CLIENT_FULL_SRC) $(CLIENT_LIBS) $(LDFLAGS) -o $@
+
+test/psa_server: $(PSA_SERVER_SRC) $(GENERATED_H_FILES)
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_SERVER_SRC) $(SERVER_LIBS) $(LDFLAGS) -o $@
+
+$(PARTITION_SERVER_BOOTSTRAP) $(GENERATED_H_FILES): src/manifest.json src/server.c
+ tools/psa_autogen.py src/manifest.json
+
+# Build MbedTLS libraries (crypto, x509 and tls) and copy them locally to
+# build client/server applications.
+#
+# Note: these rules assume that mbedtls_config.h is already configured by all.sh.
+# If not using all.sh then the user must do it manually.
+client_libs: client_libs/libpsaclient
+client_libs server_libs:
+ $(MAKE) -C $(MBEDTLS_ROOT_PATH)/library CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a libmbedx509.a libmbedtls.a
+ mkdir -p $@
+ cp $(MBEDTLS_ROOT_PATH)/library/libmbed*.a $@/
+
+clean_server_intermediate_files:
+ rm -f $(PARTITION_SERVER_BOOTSTRAP)
+ rm -rf include/psa_manifest
+
+clean: clean_server_intermediate_files
+ rm -f test/psa_client_base test/psa_client_full test/psa_server
+ rm -rf client_libs server_libs
+ rm -f test/psa_service_* test/psa_notify_* test/*.log
+ rm -f test/seedfile
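Review bot: There is no `run` rule in this Makefile and `all:` has neither prerequisites nor a recipe, yet the psasim README added in the same commit tells the user to type `make run`. Either add the rule, or point the README at whatever script drives the build (not visible here). Separately, the `client_libs/libpsaclient` rule writes `client_libs/libpsaclient.a`, so the named target never exists and the archive is rebuilt on every invocation; naming the target `client_libs/libpsaclient.a` fixes that. `clean_server_intermediate_files` should also be listed in `.PHONY`.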
diff --git a/tests/psa-client-server/psasim/README.md b/tests/psa-client-server/psasim/README.md
new file mode 100644
index 0000000..1b950d6
--- /dev/null
+++ b/tests/psa-client-server/psasim/README.md
@@ -0,0 +1,61 @@
+# psasim
+
+This tool simulates a PSA Firmware Framework implementation.
+It allows you to develop secure partitions and their clients on a desktop computer.
+It should be able to run on all systems that support POSIX and System V IPC:
+e.g. macOS, Linux, FreeBSD, and perhaps Windows 10 WSL2.
+
+Please note that the code in this directory is maintained by the Mbed TLS / PSA Crypto project solely for the purpose of testing the use of Mbed TLS with client/service separation. We do not recommend using this code for any other purpose. In particular:
+
+* This simulator is not intended to pass or demonstrate compliance.
+* This code is only intended for simulation and does not have any security goals. It does not isolate services from clients.
+
+## Building
+
+To build and run the test program make sure you have `make`, `python` and a
+C compiler installed and then enter the following commands:
+
+```sh
+make run
+```
+
+Optionally the `DEBUG=1` command line option can be enabled to increase verbosity:
+
+```sh
+make DEBUG=1 run
+```
+
+Once done with the test, it is possible to clean all the generated files with:
+
+```sh
+make clean
+```
+
+## Features
+
+The implemented API is intended to be compliant with PSA-FF 1.0.0 with the exception of a couple of things that are a work in progress:
+
+* `psa_notify` support
+* "strict" policy in manifest
+
+The only supported "interrupts" are POSIX signals, which act
+as a "virtual interrupt".
+
+The standard PSA RoT APIs are not included (e.g. cryptography, attestation, lifecycle etc).
+
+## Design
+
+The code is designed to be readable rather than fast or secure.
+In this implementation only one message is delivered to a
+RoT service at a time.
+The code is not thread-safe.
+
+## Unsupported features
+
+Because this is a simulator there are a few things that
+can't be reasonably emulated:
+
+* Manifest MMIO regions are unsupported
+* Manifest priority field is ignored
+* Partition IDs are in fact POSIX `pid_t`, which are only assigned at runtime,
+ making it infeasible to populate pid.h with correct values.
diff --git a/tests/psa-client-server/psasim/include/client.h b/tests/psa-client-server/psasim/include/client.h
new file mode 100644
index 0000000..d48498e
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/client.h
@@ -0,0 +1,75 @@
+/* PSA Firmware Framework client header for psasim. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef __PSA_CLIENT_H__
+#define __PSA_CLIENT_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "psa/crypto.h"
+
+#include "error_ext.h"
+/*********************** PSA Client Macros and Types *************************/
+
+#define PSA_FRAMEWORK_VERSION (0x0100)
+
+#define PSA_VERSION_NONE (0)
+
+/* PSA response types */
+#define PSA_CONNECTION_REFUSED PSA_ERROR_CONNECTION_REFUSED
+#define PSA_CONNECTION_BUSY PSA_ERROR_CONNECTION_BUSY
+#define PSA_DROP_CONNECTION PSA_ERROR_PROGRAMMER_ERROR
+
+/* PSA message handles */
+#define PSA_NULL_HANDLE ((psa_handle_t) 0)
+
+#define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t) (handle) > 0)
+#define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t) (handle))
+
+/**
+ * A read-only input memory region provided to an RoT Service.
+ */
+typedef struct psa_invec {
+ const void *base;
+ size_t len;
+} psa_invec;
+
+/**
+ * A writable output memory region provided to an RoT Service.
+ */
+typedef struct psa_outvec {
+ void *base;
+ size_t len;
+} psa_outvec;
+
+/*************************** PSA Client API **********************************/
+
+uint32_t psa_framework_version(void);
+
+uint32_t psa_version(uint32_t sid);
+
+psa_handle_t psa_connect(uint32_t sid, uint32_t version);
+
+psa_status_t psa_call(psa_handle_t handle,
+ int32_t type,
+ const psa_invec *in_vec,
+ size_t in_len,
+ psa_outvec *out_vec,
+ size_t out_len);
+
+void psa_close(psa_handle_t handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __PSA_CLIENT_H__ */
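Review bot: `psa_handle_t` is used by `PSA_NULL_HANDLE`, `psa_connect`, `psa_call` and `psa_close`, but this header only obtains it through `error_ext.h`, which happens to include `common.h`; add `#include "common.h"` here so the dependency is explicit. The `#include` lines also sit inside the `extern "C"` block, and moving them above `#ifdef __cplusplus` keeps system headers out of the linkage specification. Unlike service.h, the client prototypes carry no doc comments. `psa_call` in particular should state the limit on `in_len`/`out_len`, presumably tied to `PSA_MAX_IOVEC` from common.h (to be confirmed against the implementation), e.g. `/* in_len and out_len count the entries of in_vec and out_vec; see PSA_MAX_IOVEC for the limit. */`.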
diff --git a/tests/psa-client-server/psasim/include/common.h b/tests/psa-client-server/psasim/include/common.h
new file mode 100644
index 0000000..ee5b5a3
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/common.h
@@ -0,0 +1,52 @@
+/* Common definitions used for clients and services */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef _COMMON_H_
+#define _COMMON_H_
+
+#include <stdint.h>
+#include <stddef.h>
+
+/* Increasing this might break on some platforms */
+#define MAX_FRAGMENT_SIZE 200
+
+#define CONNECT_REQUEST 1
+#define CALL_REQUEST 2
+#define CLOSE_REQUEST 3
+#define VERSION_REQUEST 4
+#define READ_REQUEST 5
+#define READ_RESPONSE 6
+#define WRITE_REQUEST 7
+#define WRITE_RESPONSE 8
+#define SKIP_REQUEST 9
+#define PSA_REPLY 10
+
+#define NON_SECURE (1 << 30)
+
+typedef int32_t psa_handle_t;
+
+#define PSA_MAX_IOVEC (4u)
+
+#define PSA_IPC_CALL (0)
+
+struct message_text {
+ int qid;
+ int32_t psa_type;
+ char buf[MAX_FRAGMENT_SIZE];
+};
+
+struct message {
+ long message_type;
+ struct message_text message_text;
+};
+
+typedef struct vector_sizes {
+ size_t invec_sizes[PSA_MAX_IOVEC];
+ size_t outvec_sizes[PSA_MAX_IOVEC];
+} vector_sizes_t;
+
+#endif /* _COMMON_H_ */
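Review bot: The comment above `MAX_FRAGMENT_SIZE` does not say which platform limit it protects, and `buf` in `struct message_text` is a fixed array of that size, so every producer and consumer of a fragment has to bound its copy by it. Suggest documenting the constraint at the definition, e.g. `/* Payload bytes per IPC message; every copy into message_text.buf must be bounded by this. */`, and naming the limit it is tuned for (presumably the System V message-queue size, given the README; to be confirmed). The guard `_COMMON_H_` starts with an underscore followed by an uppercase letter, which is a reserved identifier; `PSASIM_COMMON_H` would avoid that.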
diff --git a/tests/psa-client-server/psasim/include/error_ext.h b/tests/psa-client-server/psasim/include/error_ext.h
new file mode 100644
index 0000000..6c82b8a
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/error_ext.h
@@ -0,0 +1,19 @@
+/* PSA status codes used by psasim. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_ERROR_H
+#define PSA_ERROR_H
+
+#include <stdint.h>
+
+#include "common.h"
+
+#define PSA_ERROR_PROGRAMMER_ERROR ((psa_status_t) -129)
+#define PSA_ERROR_CONNECTION_REFUSED ((psa_status_t) -130)
+#define PSA_ERROR_CONNECTION_BUSY ((psa_status_t) -131)
+
+#endif
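Review bot: The three macros cast to `psa_status_t`, but neither `<stdint.h>` nor `common.h` as added in this commit declares that type, so the header only works when the includer has already pulled in the PSA crypto headers. Adding `#include "psa/crypto.h"`, as client.h and service.h do, makes it self-contained. The guard `PSA_ERROR_H` also does not match the file name `error_ext.h`; a name such as `PSASIM_ERROR_EXT_H` is less likely to collide with another header.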
diff --git a/tests/psa-client-server/psasim/include/init.h b/tests/psa-client-server/psasim/include/init.h
new file mode 100644
index 0000000..de95d90
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/init.h
@@ -0,0 +1,15 @@
+/* Declarations of internal functions. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <service.h>
+void raise_signal(psa_signal_t signal);
+void __init_psasim(const char **array,
+ int size,
+ const int allow_ns_clients_array[32],
+ const uint32_t versions[32],
+ const int strict_policy_array[32]);
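Review bot: The `[32]` on the three array parameters of `__init_psasim` is only documentation: array parameters decay to pointers, so nothing ties `size` to the number of entries the callee may index. Suggest a named constant for the 32 and a comment stating the contract, e.g. `/* size is the number of valid entries in array and must not exceed 32. */`; the actual relationship is not visible in this hunk and should be confirmed against the definition. The header also has no include guard, `__init_psasim` is a reserved identifier (double underscore), and `service.h` is a project header, so `#include "service.h"` is the conventional form.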
diff --git a/tests/psa-client-server/psasim/include/lifecycle.h b/tests/psa-client-server/psasim/include/lifecycle.h
new file mode 100644
index 0000000..1148397
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/lifecycle.h
@@ -0,0 +1,17 @@
+/* PSA lifecycle states used by psasim. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#define PSA_LIFECYCLE_PSA_STATE_MASK (0xff00u)
+#define PSA_LIFECYCLE_IMP_STATE_MASK (0x00ffu)
+#define PSA_LIFECYCLE_UNKNOWN (0x0000u)
+#define PSA_LIFECYCLE_ASSEMBLY_AND_TEST (0x1000u)
+#define PSA_LIFECYCLE_PSA_ROT_PROVISIONING (0x2000u)
+#define PSA_LIFECYCLE_SECURED (0x3000u)
+#define PSA_LIFECYCLE_NON_PSA_ROT_DEBUG (0x4000u)
+#define PSA_LIFECYCLE_RECOVERABLE_PSA_ROT_DEBUG (0x5000u)
+#define PSA_LIFECYCLE_DECOMMISSIONED (0x6000u)
+#define psa_rot_lifecycle_state(void) PSA_LIFECYCLE_UNKNOWN
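Review bot: `#define psa_rot_lifecycle_state(void) PSA_LIFECYCLE_UNKNOWN` defines a function-like macro with one parameter that happens to be named `void`, not a zero-argument function. It works only because `psa_rot_lifecycle_state()` is parsed as an invocation with a single empty argument. `#define psa_rot_lifecycle_state() PSA_LIFECYCLE_UNKNOWN` says what is meant, or a `static inline uint32_t psa_rot_lifecycle_state(void)` gives the result a real type. The header also lacks an include guard.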
diff --git a/tests/psa-client-server/psasim/include/service.h b/tests/psa-client-server/psasim/include/service.h
new file mode 100644
index 0000000..cbcb918
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/service.h
@@ -0,0 +1,253 @@
+/* PSA Firmware Framework service header for psasim. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef __PSA_SERVICE_H__
+#define __PSA_SERVICE_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include <stdlib.h>
+#include <stdint.h>
+#include <stddef.h>
+
+#include "common.h"
+
+#include "psa/crypto.h"
+
+/********************** PSA Secure Partition Macros and Types ****************/
+
+/* PSA wait timeouts */
+#define PSA_POLL (0x00000000u)
+#define PSA_BLOCK (0x80000000u)
+
+/* A mask value that includes all Secure Partition signals */
+#define PSA_WAIT_ANY (~0u)
+
+/* Doorbell signal */
+#define PSA_DOORBELL (0x00000008u)
+
+/* PSA message types */
+#define PSA_IPC_CONNECT (-1)
+#define PSA_IPC_DISCONNECT (-2)
+
+/* Return code from psa_get() */
+#define PSA_ERR_NOMSG (INT32_MIN + 3)
+
+/* Store a set of one or more Secure Partition signals */
+typedef uint32_t psa_signal_t;
+
+/**
+ * Describe a message received by an RoT Service after calling \ref psa_get().
+ */
+typedef struct psa_msg_t {
+ uint32_t type; /* One of the following values:
+ * \ref PSA_IPC_CONNECT
+ * \ref PSA_IPC_CALL
+ * \ref PSA_IPC_DISCONNECT
+ */
+ psa_handle_t handle; /* A reference generated by the SPM to the
+ * message returned by psa_get().
+ */
+ int32_t client_id; /* Partition ID of the sender of the message */
+ void *rhandle; /* Be useful for binding a connection to some
+ * application-specific data or function
+ * pointer within the RoT Service
+ * implementation.
+ */
+ size_t in_size[PSA_MAX_IOVEC]; /* Provide the size of each client input
+ * vector in bytes.
+ */
+ size_t out_size[PSA_MAX_IOVEC];/* Provide the size of each client output
+ * vector in bytes.
+ */
+} psa_msg_t;
+
+/************************* PSA Secure Partition API **************************/
+
+/**
+ * \brief Return the Secure Partition interrupt signals that have been asserted
+ * from a subset of signals provided by the caller.
+ *
+ * \param[in] signal_mask A set of signals to query. Signals that are not
+ * in this set will be ignored.
+ * \param[in] timeout Specify either blocking \ref PSA_BLOCK or
+ * polling \ref PSA_POLL operation.
+ *
+ * \retval >0 At least one signal is asserted.
+ * \retval 0 No signals are asserted. This is only seen when
+ * a polling timeout is used.
+ */
+psa_signal_t psa_wait(psa_signal_t signal_mask, uint32_t timeout);
+
+/**
+ * \brief Retrieve the message which corresponds to a given RoT Service signal
+ * and remove the message from the RoT Service queue.
+ *
+ * \param[in] signal The signal value for an asserted RoT Service.
+ * \param[out] msg Pointer to \ref psa_msg_t object for receiving
+ * the message.
+ *
+ * \retval PSA_SUCCESS Success, *msg will contain the delivered
+ * message.
+ * \retval PSA_ERR_NOMSG Message could not be delivered.
+ * \retval "Does not return" The call is invalid because one or more of the
+ * following are true:
+ * \arg signal has more than a single bit set.
+ * \arg signal does not correspond to an RoT Service.
+ * \arg The RoT Service signal is not currently
+ * asserted.
+ * \arg The msg pointer provided is not a valid memory
+ * reference.
+ */
+psa_status_t psa_get(psa_signal_t signal, psa_msg_t *msg);
+
+/**
+ * \brief Associate some RoT Service private data with a client connection.
+ *
+ * \param[in] msg_handle Handle for the client's message.
+ * \param[in] rhandle Reverse handle allocated by the RoT Service.
+ *
+ * \retval void Success, rhandle will be provided with all
+ * subsequent messages delivered on this
+ * connection.
+ * \retval "Does not return" msg_handle is invalid.
+ */
+void psa_set_rhandle(psa_handle_t msg_handle, void *rhandle);
+
+/**
+ * \brief Read a message parameter or part of a message parameter from a client
+ * input vector.
+ *
+ * \param[in] msg_handle Handle for the client's message.
+ * \param[in] invec_idx Index of the input vector to read from. Must be
+ * less than \ref PSA_MAX_IOVEC.
+ * \param[out] buffer Buffer in the Secure Partition to copy the
+ * requested data to.
+ * \param[in] num_bytes Maximum number of bytes to be read from the
+ * client input vector.
+ *
+ * \retval >0 Number of bytes copied.
+ * \retval 0 There was no remaining data in this input
+ * vector.
+ * \retval "Does not return" The call is invalid, one or more of the
+ * following are true:
+ * \arg msg_handle is invalid.
+ * \arg msg_handle does not refer to a
+ * \ref PSA_IPC_CALL message.
+ * \arg invec_idx is equal to or greater than
+ * \ref PSA_MAX_IOVEC.
+ * \arg the memory reference for buffer is invalid or
+ * not writable.
+ */
+size_t psa_read(psa_handle_t msg_handle, uint32_t invec_idx,
+ void *buffer, size_t num_bytes);
+
+/**
+ * \brief Skip over part of a client input vector.
+ *
+ * \param[in] msg_handle Handle for the client's message.
+ * \param[in] invec_idx Index of input vector to skip from. Must be
+ * less than \ref PSA_MAX_IOVEC.
+ * \param[in] num_bytes Maximum number of bytes to skip in the client
+ * input vector.
+ *
+ * \retval >0 Number of bytes skipped.
+ * \retval 0 There was no remaining data in this input
+ * vector.
+ * \retval "Does not return" The call is invalid, one or more of the
+ * following are true:
+ * \arg msg_handle is invalid.
+ * \arg msg_handle does not refer to a
+ * \ref PSA_IPC_CALL message.
+ * \arg invec_idx is equal to or greater than
+ * \ref PSA_MAX_IOVEC.
+ */
+size_t psa_skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes);
+
+/**
+ * \brief Write a message response to a client output vector.
+ *
+ * \param[in] msg_handle Handle for the client's message.
+ * \param[out] outvec_idx Index of output vector in message to write to.
+ * Must be less than \ref PSA_MAX_IOVEC.
+ * \param[in] buffer Buffer with the data to write.
+ * \param[in] num_bytes Number of bytes to write to the client output
+ * vector.
+ *
+ * \retval void Success
+ * \retval "Does not return" The call is invalid, one or more of the
+ * following are true:
+ * \arg msg_handle is invalid.
+ * \arg msg_handle does not refer to a
+ * \ref PSA_IPC_CALL message.
+ * \arg outvec_idx is equal to or greater than
+ * \ref PSA_MAX_IOVEC.
+ * \arg The memory reference for buffer is invalid.
+ * \arg The call attempts to write data past the end
+ * of the client output vector.
+ */
+void psa_write(psa_handle_t msg_handle, uint32_t outvec_idx,
+ const void *buffer, size_t num_bytes);
+
+/**
+ * \brief Complete handling of a specific message and unblock the client.
+ *
+ * \param[in] msg_handle Handle for the client's message.
+ * \param[in] status Message result value to be reported to the
+ * client.
+ *
+ * \retval void Success.
+ * \retval "Does not return" The call is invalid, one or more of the
+ * following are true:
+ * \arg msg_handle is invalid.
+ * \arg An invalid status code is specified for the
+ * type of message.
+ */
+void psa_reply(psa_handle_t msg_handle, psa_status_t status);
+
+/**
+ * \brief Send a PSA_DOORBELL signal to a specific Secure Partition.
+ *
+ * \param[in] partition_id Secure Partition ID of the target partition.
+ *
+ * \retval void Success.
+ * \retval "Does not return" partition_id does not correspond to a Secure
+ * Partition.
+ */
+void psa_notify(int32_t partition_id);
+
+/**
+ * \brief Clear the PSA_DOORBELL signal.
+ *
+ * \retval void Success.
+ * \retval "Does not return" The Secure Partition's doorbell signal is not
+ * currently asserted.
+ */
+void psa_clear(void);
+
+/**
+ * \brief Inform the SPM that an interrupt has been handled (end of interrupt).
+ *
+ * \param[in] irq_signal The interrupt signal that has been processed.
+ *
+ * \retval void Success.
+ * \retval "Does not return" The call is invalid, one or more of the
+ * following are true:
+ * \arg irq_signal is not an interrupt signal.
+ * \arg irq_signal indicates more than one signal.
+ * \arg irq_signal is not currently asserted.
+ */
+void psa_eoi(psa_signal_t irq_signal);
+
+#define psa_panic(X) abort();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __PSA_SERVICE_H__ */
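Review bot: `psa_msg_t.type` is declared `uint32_t`, while the values it is documented to hold include `PSA_IPC_CONNECT (-1)` and `PSA_IPC_DISCONNECT (-2)`, and `psa_call` in client.h takes `int32_t type`. Equality tests still work after the implicit conversion, but an ordered test such as `msg.type >= PSA_IPC_CALL` is always true and `msg.type < 0` never is, so a service that range-checks the type would accept connect/disconnect messages as calls. Declaring the field `int32_t type;` removes the trap. Near the end of the header, `#define psa_panic(X) abort();` carries a trailing semicolon, so `if (bad) psa_panic(); else …` does not compile; it should be `#define psa_panic(X) abort()`.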
diff --git a/tests/psa-client-server/psasim/include/util.h b/tests/psa-client-server/psasim/include/util.h
new file mode 100644
index 0000000..5eb8238
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/util.h
@@ -0,0 +1,31 @@
+/* Common definitions used for clients and services */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "service.h"
+
+#define PRINT(fmt, ...) \
+ fprintf(stdout, fmt "\n", ##__VA_ARGS__)
+
+#if defined(DEBUG)
+#define INFO(fmt, ...) \
+ fprintf(stdout, "Info (%s - %d): " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+#else /* !DEBUG */
+#define INFO(...)
+#endif /* DEBUG*/
+
+#define ERROR(fmt, ...) \
+ fprintf(stderr, "Error (%s - %d): " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+
+#define FATAL(fmt, ...) \
+ { \
+ fprintf(stderr, "Fatal (%s - %d): " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
+ abort(); \
+ }
+
+#define PROJECT_ID 'M'
+#define PATHNAMESIZE 256
+#define TMP_FILE_BASE_PATH "./"
diff --git a/tests/psa-client-server/psasim/src/aut_main.c b/tests/psa-client-server/psasim/src/aut_main.c
new file mode 100644
index 0000000..ed19879
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_main.c
@@ -0,0 +1,71 @@
+/**
+ * This is the base AUT that exectues all other AUTs meant to test PSA APIs
+ * through PSASIM.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/* First include Mbed TLS headers to get the Mbed TLS configuration and
+ * platform definitions that we'll use in this program. Also include
+ * standard C headers for functions we'll use here. */
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+int psa_hash_compute_main(void);
+int psa_hash_main(void);
+int psa_aead_encrypt_main(char *cipher_name);
+int psa_aead_encrypt_decrypt_main(void);
+int psa_cipher_encrypt_decrypt_main(void);
+int psa_asymmetric_encrypt_decrypt_main(void);
+int psa_random_main(void);
+int psa_mac_main(void);
+int psa_key_agreement_main(void);
+int psa_sign_verify_main(void);
+int psa_hkdf_main(void);
+
+#define TEST_MODULE(main_func) \
+ do { \
+ char title[128] = { 0 }; \
+ char separator[128] = { 0 }; \
+ int title_len = snprintf(title, sizeof(title), "=== Test: %s ===", #main_func); \
+ memset(separator, '=', title_len); \
+ printf("%s\n%s\n%s\n", separator, title, separator); \
+ ret = main_func; \
+ if (ret != 0) { \
+ goto exit; \
+ } \
+ } while (0)
+
+int main()
+{
+ int ret;
+
+ TEST_MODULE(psa_hash_compute_main());
+ TEST_MODULE(psa_hash_main());
+
+ TEST_MODULE(psa_aead_encrypt_main("aes128-gcm"));
+ TEST_MODULE(psa_aead_encrypt_main("aes256-gcm"));
+ TEST_MODULE(psa_aead_encrypt_main("aes128-gcm_8"));
+ TEST_MODULE(psa_aead_encrypt_main("chachapoly"));
+ TEST_MODULE(psa_aead_encrypt_decrypt_main());
+ TEST_MODULE(psa_cipher_encrypt_decrypt_main());
+ TEST_MODULE(psa_asymmetric_encrypt_decrypt_main());
+
+ TEST_MODULE(psa_random_main());
+
+ TEST_MODULE(psa_mac_main());
+ TEST_MODULE(psa_key_agreement_main());
+ TEST_MODULE(psa_sign_verify_main());
+ TEST_MODULE(psa_hkdf_main());
+
+exit:
+ return (ret != 0) ? 1 : 0;
+}
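Review bot: In `TEST_MODULE`, `memset(separator, '=', title_len)` trusts the return value of `snprintf`, which is the length the full string would have had, not the number of bytes stored. A stringified expression too long for the 128-byte buffers would make the `memset` write past `separator`, and a `title_len` of exactly 128 leaves it unterminated for the following `printf`. The current call sites are short, so this is latent, but a clamp before the `memset` closes it: `if (title_len < 0 || (size_t) title_len >= sizeof(separator)) { title_len = sizeof(separator) - 1; }`. `psa_aead_encrypt_main` is called with string literals, so its parameter would be better declared `const char *cipher_name` (the definition is in another file), and `int main()` should be `int main(void)`.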
diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt.c
new file mode 100644
index 0000000..64463f5
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+const char usage[] =
+ "Usage: aead_demo [aes128-gcm|aes256-gcm|aes128-gcm_8|chachapoly]";
+
+/* Dummy data for encryption: IV/nonce, additional data, 2-part message */
+const unsigned char iv1[12] = { 0x00 };
+const unsigned char add_data1[] = { 0x01, 0x02 };
+const unsigned char msg1_part1[] = { 0x03, 0x04 };
+const unsigned char msg1_part2[] = { 0x05, 0x06, 0x07 };
+
+/* Dummy data (2nd message) */
+const unsigned char iv2[12] = { 0x10 };
+const unsigned char add_data2[] = { 0x11, 0x12 };
+const unsigned char msg2_part1[] = { 0x13, 0x14 };
+const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
+
+/* Maximum total size of the messages */
+#define MSG1_SIZE (sizeof(msg1_part1) + sizeof(msg1_part2))
+#define MSG2_SIZE (sizeof(msg2_part1) + sizeof(msg2_part2))
+#define MSG_MAX_SIZE (MSG1_SIZE > MSG2_SIZE ? MSG1_SIZE : MSG2_SIZE)
+
+/* Dummy key material - never do this in production!
+ * 32-byte is enough to all the key size supported by this program. */
+const unsigned char key_bytes[32] = { 0x2a };
+
+/* Print the contents of a buffer in hex */
+void print_buf(const char *title, uint8_t *buf, size_t len)
+{
+ printf("%s:", title);
+ for (size_t i = 0; i < len; i++) {
+ printf(" %02x", buf[i]);
+ }
+ printf("\n");
+}
+
+/* Run a PSA function and bail out if it fails.
+ * The symbolic name of the error code can be recovered using:
+ * programs/psa/psa_constant_name status <value> */
+#define PSA_CHECK(expr) \
+ do \
+ { \
+ status = (expr); \
+ if (status != PSA_SUCCESS) \
+ { \
+ printf("Error %d at line %d: %s\n", \
+ (int) status, \
+ __LINE__, \
+ #expr); \
+ goto exit; \
+ } \
+ } \
+ while (0)
+
+/*
+ * Prepare encryption material:
+ * - interpret command-line argument
+ * - set up key
+ * - outputs: key and algorithm, which together hold all the information
+ */
+static psa_status_t aead_prepare(const char *info,
+ psa_key_id_t *key,
+ psa_algorithm_t *alg)
+{
+ psa_status_t status;
+
+ /* Convert arg to alg + key_bits + key_type */
+ size_t key_bits;
+ psa_key_type_t key_type;
+ if (strcmp(info, "aes128-gcm") == 0) {
+ *alg = PSA_ALG_GCM;
+ key_bits = 128;
+ key_type = PSA_KEY_TYPE_AES;
+ } else if (strcmp(info, "aes256-gcm") == 0) {
+ *alg = PSA_ALG_GCM;
+ key_bits = 256;
+ key_type = PSA_KEY_TYPE_AES;
+ } else if (strcmp(info, "aes128-gcm_8") == 0) {
+ *alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 8);
+ key_bits = 128;
+ key_type = PSA_KEY_TYPE_AES;
+ } else if (strcmp(info, "chachapoly") == 0) {
+ *alg = PSA_ALG_CHACHA20_POLY1305;
+ key_bits = 256;
+ key_type = PSA_KEY_TYPE_CHACHA20;
+ } else {
+ puts(usage);
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Prepare key attributes */
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&attributes, *alg);
+ psa_set_key_type(&attributes, key_type);
+ psa_set_key_bits(&attributes, key_bits); // optional
+
+ /* Import key */
+ PSA_CHECK(psa_import_key(&attributes, key_bytes, key_bits / 8, key));
+
+exit:
+ return status;
+}
+
+/*
+ * Print out some information.
+ *
+ * All of this information was present in the command line argument, but his
+ * function demonstrates how each piece can be recovered from (key, alg).
+ */
+static void aead_info(psa_key_id_t key, psa_algorithm_t alg)
+{
+ psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
+ (void) psa_get_key_attributes(key, &attr);
+ psa_key_type_t key_type = psa_get_key_type(&attr);
+ size_t key_bits = psa_get_key_bits(&attr);
+ psa_algorithm_t base_alg = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
+ size_t tag_len = PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg);
+
+ const char *type_str = key_type == PSA_KEY_TYPE_AES ? "AES"
+ : key_type == PSA_KEY_TYPE_CHACHA20 ? "Chacha"
+ : "???";
+ const char *base_str = base_alg == PSA_ALG_GCM ? "GCM"
+ : base_alg == PSA_ALG_CHACHA20_POLY1305 ? "ChachaPoly"
+ : "???";
+
+ printf("%s, %u, %s, %u\n",
+ type_str, (unsigned) key_bits, base_str, (unsigned) tag_len);
+}
+
+/*
+ * Encrypt a 2-part message.
+ */
+static int aead_encrypt(psa_key_id_t key, psa_algorithm_t alg,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *part1, size_t part1_len,
+ const unsigned char *part2, size_t part2_len)
+{
+ psa_status_t status;
+ size_t olen, olen_tag;
+ unsigned char out[PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(MSG_MAX_SIZE)];
+ unsigned char *p = out, *end = out + sizeof(out);
+ unsigned char tag[PSA_AEAD_TAG_MAX_SIZE];
+
+ psa_aead_operation_t op = PSA_AEAD_OPERATION_INIT;
+ PSA_CHECK(psa_aead_encrypt_setup(&op, key, alg));
+
+ PSA_CHECK(psa_aead_set_nonce(&op, iv, iv_len));
+ PSA_CHECK(psa_aead_update_ad(&op, ad, ad_len));
+ PSA_CHECK(psa_aead_update(&op, part1, part1_len, p, end - p, &olen));
+ p += olen;
+ PSA_CHECK(psa_aead_update(&op, part2, part2_len, p, end - p, &olen));
+ p += olen;
+ PSA_CHECK(psa_aead_finish(&op, p, end - p, &olen,
+ tag, sizeof(tag), &olen_tag));
+ p += olen;
+ memcpy(p, tag, olen_tag);
+ p += olen_tag;
+
+ olen = p - out;
+ print_buf("out", out, olen);
+
+exit:
+ psa_aead_abort(&op); // required on errors, harmless on success
+ return status;
+}
+
+/*
+ * AEAD demo: set up key/alg, print out info, encrypt messages.
+ */
+static psa_status_t aead_demo(const char *info)
+{
+ psa_status_t status;
+
+ psa_key_id_t key;
+ psa_algorithm_t alg;
+
+ PSA_CHECK(aead_prepare(info, &key, &alg));
+
+ aead_info(key, alg);
+
+ PSA_CHECK(aead_encrypt(key, alg,
+ iv1, sizeof(iv1), add_data1, sizeof(add_data1),
+ msg1_part1, sizeof(msg1_part1),
+ msg1_part2, sizeof(msg1_part2)));
+ PSA_CHECK(aead_encrypt(key, alg,
+ iv2, sizeof(iv2), add_data2, sizeof(add_data2),
+ msg2_part1, sizeof(msg2_part1),
+ msg2_part2, sizeof(msg2_part2)));
+
+exit:
+ psa_destroy_key(key);
+
+ return status;
+}
+
+/*
+ * Main function
+ */
+int psa_aead_encrypt_main(char *cipher_name)
+{
+ psa_status_t status = PSA_SUCCESS;
+
+ /* Initialize the PSA crypto library. */
+ PSA_CHECK(psa_crypto_init());
+
+ /* Run the demo */
+ PSA_CHECK(aead_demo(cipher_name));
+
+ /* Deinitialize the PSA crypto library. */
+ mbedtls_psa_crypto_free();
+
+exit:
+ return status == PSA_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE;
+}
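Review bot: In `aead_demo`, `key` is declared without an initializer, so when `aead_prepare` rejects the cipher name (the `puts(usage)` branch returns before writing `*key`) the `exit:` path hands an indeterminate value to `psa_destroy_key`. Initialising it, `psa_key_id_t key = 0;`, matches the `key_id = 0` convention used by the sibling aut_psa_*.c files in this commit and should make the destroy call a no-op on that path. Separately, `aead_info` discards the status of `psa_get_key_attributes` and never calls `psa_reset_key_attributes(&attr)`, which the PSA API expects after a successful get.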
diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
new file mode 100644
index 0000000..ca090cc
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define BUFFER_SIZE 500
+
+static void print_bytestr(const uint8_t *bytes, size_t len)
+{
+ for (unsigned int idx = 0; idx < len; idx++) {
+ printf("%02X", bytes[idx]);
+ }
+}
+
+int psa_aead_encrypt_decrypt_main(void)
+{
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = 0;
+ uint8_t encrypt[BUFFER_SIZE] = { 0 };
+ uint8_t decrypt[BUFFER_SIZE] = { 0 };
+ const uint8_t plaintext[] = "Hello World!";
+ const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+ uint8_t nonce[PSA_AEAD_NONCE_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CCM)];
+ size_t nonce_length = sizeof(nonce);
+ size_t ciphertext_length;
+ size_t plaintext_length;
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ psa_set_key_bits(&attributes, 256);
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_generate_random(nonce, nonce_length);
+ if (status != PSA_SUCCESS) {
+ printf("psa_generate_random failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_aead_encrypt(key_id, // key
+ PSA_ALG_CCM, // algorithm
+ nonce, nonce_length, // nonce
+ NULL, 0, // additional data
+ plaintext, sizeof(plaintext), // plaintext
+ encrypt, sizeof(encrypt), // ciphertext
+ &ciphertext_length); // length of output
+ if (status != PSA_SUCCESS) {
+ printf("psa_aead_encrypt failed\n");
+ return EXIT_FAILURE;
+ }
+
+ printf("AES-CCM encryption:\n");
+ printf("- Plaintext: '%s':\n", plaintext);
+ printf("- Key: ");
+ print_bytestr(key_bytes, sizeof(key_bytes));
+ printf("\n- Nonce: ");
+ print_bytestr(nonce, nonce_length);
+ printf("\n- No additional data\n");
+ printf("- Ciphertext:\n");
+
+ for (size_t j = 0; j < ciphertext_length; j++) {
+ if (j % 8 == 0) {
+ printf("\n ");
+ }
+ printf("%02x ", encrypt[j]);
+ }
+
+ printf("\n");
+
+ status = psa_aead_decrypt(key_id, // key
+ PSA_ALG_CCM, // algorithm
+ nonce, nonce_length, // nonce
+ NULL, 0, // additional data
+ encrypt, ciphertext_length, // ciphertext
+ decrypt, sizeof(decrypt), // plaintext
+ &plaintext_length); // length of output
+ if (status != PSA_SUCCESS) {
+ printf("psa_aead_decrypt failed\n");
+ return EXIT_FAILURE;
+ }
+
+ if (memcmp(plaintext, decrypt, sizeof(plaintext)) != 0) {
+ printf("\nEncryption/Decryption failed!\n");
+ } else {
+ printf("\nEncryption/Decryption successful!\n");
+ }
+
+ psa_destroy_key(key_id);
+ mbedtls_psa_crypto_free();
+ return 0;
+}
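Review bot: The `memcmp` mismatch branch at the end of `psa_aead_encrypt_decrypt_main` only prints "Encryption/Decryption failed!" and then falls through to `return 0;`, so `TEST_MODULE` in the driver sees success and a broken round trip cannot fail the test. The branch should return `EXIT_FAILURE` after the cleanup calls. The comparison is also tighter as `if (plaintext_length != sizeof(plaintext) || memcmp(plaintext, decrypt, sizeof(plaintext)) != 0)`, since `plaintext_length` is currently never read. aut_psa_asymmetric_encrypt_decrypt.c and aut_psa_cipher_encrypt_decrypt.c end with the same print-and-return-0 pattern and ignore `decrypted_length` in the same way.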
diff --git a/tests/psa-client-server/psasim/src/aut_psa_asymmetric_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_asymmetric_encrypt_decrypt.c
new file mode 100644
index 0000000..02d8cf4
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_asymmetric_encrypt_decrypt.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define KEY_BITS 4096
+#define BUFFER_SIZE PSA_BITS_TO_BYTES(KEY_BITS)
+
+static void print_bytestr(const uint8_t *bytes, size_t len)
+{
+ for (unsigned int idx = 0; idx < len; idx++) {
+ printf("%02X", bytes[idx]);
+ }
+}
+
+int psa_asymmetric_encrypt_decrypt_main(void)
+{
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = 0;
+ uint8_t original[BUFFER_SIZE/2] = { 0 };
+ uint8_t encrypt[BUFFER_SIZE] = { 0 };
+ uint8_t decrypt[BUFFER_SIZE] = { 0 };
+ size_t encrypted_length;
+ size_t decrypted_length;
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_generate_random(original, sizeof(original));
+ if (status != PSA_SUCCESS) {
+ printf("psa_generate_random() failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+ psa_set_key_bits(&attributes, KEY_BITS);
+
+ status = psa_generate_key(&attributes, &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_generate_key failed (%d)\n", status);
+ return EXIT_FAILURE;
+ }
+
+ status = psa_asymmetric_encrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
+ original, sizeof(original), NULL, 0,
+ encrypt, sizeof(encrypt), &encrypted_length);
+ if (status != PSA_SUCCESS) {
+ printf("psa_asymmetric_encrypt failed (%d)\n", status);
+ return EXIT_FAILURE;
+ }
+
+ status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
+ encrypt, encrypted_length, NULL, 0,
+ decrypt, sizeof(decrypt), &decrypted_length);
+ if (status != PSA_SUCCESS) {
+ printf("psa_cipher_decrypt failed (%d)\n", status);
+ return EXIT_FAILURE;
+ }
+
+ if (memcmp(original, decrypt, sizeof(original)) != 0) {
+ printf("\nEncryption/Decryption failed!\n");
+ } else {
+ printf("\nEncryption/Decryption successful!\n");
+ }
+
+ psa_destroy_key(key_id);
+ mbedtls_psa_crypto_free();
+ return 0;
+}
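Review bot: The failure branch after `psa_asymmetric_decrypt` prints `psa_cipher_decrypt failed (%d)`, which names a function this file never calls and will misdirect whoever reads the log. It should read `printf("psa_asymmetric_decrypt failed (%d)\n", (int) status);`. The `static` helper `print_bytestr` is defined but never called in this file, so it will likely trip `-Wunused-function`; the same unused copy is added in aut_psa_cipher_encrypt_decrypt.c. Either drop it or use it to print the buffers.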
diff --git a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
new file mode 100644
index 0000000..a923feb
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define BUFFER_SIZE 4096
+
+static void print_bytestr(const uint8_t *bytes, size_t len)
+{
+ for (unsigned int idx = 0; idx < len; idx++) {
+ printf("%02X", bytes[idx]);
+ }
+}
+
+int psa_cipher_encrypt_decrypt_main(void)
+{
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = 0;
+ uint8_t original[BUFFER_SIZE] = { 0 };
+ uint8_t encrypt[BUFFER_SIZE] = { 0 };
+ uint8_t decrypt[BUFFER_SIZE] = { 0 };
+ const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+ size_t encrypted_length;
+ size_t decrypted_length;
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_generate_random(original, sizeof(original));
+ if (status != PSA_SUCCESS) {
+ printf("psa_generate_random() failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, PSA_ALG_ECB_NO_PADDING);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ psa_set_key_bits(&attributes, 256);
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING,
+ original, sizeof(original),
+ encrypt, sizeof(encrypt), &encrypted_length);
+ if (status != PSA_SUCCESS) {
+ printf("psa_cipher_encrypt failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_cipher_decrypt(key_id, PSA_ALG_ECB_NO_PADDING,
+ encrypt, encrypted_length,
+ decrypt, sizeof(decrypt), &decrypted_length);
+ if (status != PSA_SUCCESS) {
+ printf("psa_cipher_decrypt failed\n");
+ return EXIT_FAILURE;
+ }
+
+ if (memcmp(original, decrypt, sizeof(original)) != 0) {
+ printf("\nEncryption/Decryption failed!\n");
+ } else {
+ printf("\nEncryption/Decryption successful!\n");
+ }
+
+ psa_destroy_key(key_id);
+ mbedtls_psa_crypto_free();
+ return 0;
+}
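Review bot: Every `return EXIT_FAILURE` after the successful `psa_import_key` in `psa_cipher_encrypt_decrypt_main` skips `psa_destroy_key(key_id)` and `mbedtls_psa_crypto_free()`, which only the final path reaches. Routing failures through a single `exit:` label that runs `psa_destroy_key(key_id); mbedtls_psa_crypto_free();` keeps the key from outliving a failed run. Whether a leaked key persists on the simulator server side cannot be told from this hunk. aut_psa_aead_encrypt_decrypt.c, aut_psa_asymmetric_encrypt_decrypt.c, aut_psa_hkdf.c and aut_psa_key_agreement.c use the same early-return shape after creating a key.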
diff --git a/tests/psa-client-server/psasim/src/aut_psa_hash.c b/tests/psa-client-server/psasim/src/aut_psa_hash.c
new file mode 100644
index 0000000..b429c0b
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_hash.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform.h"
+
+#define HASH_ALG PSA_ALG_SHA_256
+
+static const uint8_t sample_message[] = "Hello World!";
+/* sample_message is terminated with a null byte which is not part of
+ * the message itself so we make sure to subtract it in order to get
+ * the message length. */
+static const size_t sample_message_length = sizeof(sample_message) - 1;
+
+#define EXPECTED_HASH_VALUE { \
+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, \
+ 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, \
+ 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 \
+}
+
+static const uint8_t expected_hash[] = EXPECTED_HASH_VALUE;
+static const size_t expected_hash_len = sizeof(expected_hash);
+
+int psa_hash_main(void)
+{
+ psa_status_t status;
+ uint8_t hash[PSA_HASH_LENGTH(HASH_ALG)];
+ size_t hash_length;
+ psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+ psa_hash_operation_t cloned_hash_operation = PSA_HASH_OPERATION_INIT;
+
+ mbedtls_printf("PSA Crypto API: SHA-256 example\n\n");
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ /* Compute hash using multi-part operation */
+ status = psa_hash_setup(&hash_operation, HASH_ALG);
+ if (status == PSA_ERROR_NOT_SUPPORTED) {
+ mbedtls_printf("unknown hash algorithm supplied\n");
+ return EXIT_FAILURE;
+ } else if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_setup failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_hash_update(&hash_operation, sample_message, sample_message_length);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_update failed\n");
+ goto cleanup;
+ }
+
+ status = psa_hash_clone(&hash_operation, &cloned_hash_operation);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("PSA hash clone failed\n");
+ goto cleanup;
+ }
+
+ status = psa_hash_finish(&hash_operation, hash, sizeof(hash), &hash_length);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_finish failed\n");
+ goto cleanup;
+ }
+
+ /* Check the result of the operation against the sample */
+ if (hash_length != expected_hash_len ||
+ (memcmp(hash, expected_hash, expected_hash_len) != 0)) {
+ mbedtls_printf("Multi-part hash operation gave the wrong result!\n\n");
+ goto cleanup;
+ }
+
+ status =
+ psa_hash_verify(&cloned_hash_operation, expected_hash,
+ expected_hash_len);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_verify failed\n");
+ goto cleanup;
+ } else {
+ mbedtls_printf("Multi-part hash operation successful!\n");
+ }
+
+ /* A bit of white-box testing: ensure that we can abort an operation more
+ * times than there are operation slots on the simulator server.
+ */
+ for (int i = 0; i < 200; i++) {
+ /* This should be a no-op */
+ status = psa_hash_abort(&hash_operation);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_abort failed\n");
+ goto cleanup;
+ }
+ }
+
+ /* Compute hash using multi-part operation using the same operation struct */
+ status = psa_hash_setup(&hash_operation, HASH_ALG);
+ if (status == PSA_ERROR_NOT_SUPPORTED) {
+ mbedtls_printf("unknown hash algorithm supplied\n");
+ goto cleanup;
+ } else if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_setup failed: %d\n", status);
+ goto cleanup;
+ }
+
+ status = psa_hash_update(&hash_operation, sample_message, sample_message_length);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_update failed\n");
+ goto cleanup;
+ }
+
+ /* Don't use psa_hash_finish() when going to check against an expected result */
+ status = psa_hash_verify(&hash_operation, expected_hash, expected_hash_len);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_verify failed: %d\n", status);
+ goto cleanup;
+ } else {
+ mbedtls_printf("Second multi-part hash operation successful!\n");
+ }
+
+ /* Clear local variables prior to one-shot hash demo */
+ memset(hash, 0, sizeof(hash));
+ hash_length = 0;
+
+ /* Compute hash using one-shot function call */
+ status = psa_hash_compute(HASH_ALG,
+ sample_message, sample_message_length,
+ hash, sizeof(hash),
+ &hash_length);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_compute failed\n");
+ goto cleanup;
+ }
+
+ if (hash_length != expected_hash_len ||
+ (memcmp(hash, expected_hash, expected_hash_len) != 0)) {
+ mbedtls_printf("One-shot hash operation gave the wrong result!\n\n");
+ goto cleanup;
+ }
+
+ mbedtls_printf("One-shot hash operation successful!\n\n");
+
+ /* Print out result */
+ mbedtls_printf("The SHA-256( '%s' ) is: ", sample_message);
+
+ for (size_t j = 0; j < expected_hash_len; j++) {
+ mbedtls_printf("%02x", hash[j]);
+ }
+
+ mbedtls_printf("\n");
+
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+
+cleanup:
+ psa_hash_abort(&hash_operation);
+ psa_hash_abort(&cloned_hash_operation);
+ return EXIT_FAILURE;
+}
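Review bot: The abort-loop bound `200` in `psa_hash_main` is a bare literal justified only by the comment about exceeding the simulator server's operation slots, so if that slot count is ever raised past 200 the loop keeps passing without testing what the comment claims. A named constant derived from the server's slot limit (its name is not visible in this hunk), or at least `#define ABORT_REPEAT_COUNT 200` with the reasoning attached, would keep the two in step. The `cleanup:` label also aborts both operations but never calls `mbedtls_psa_crypto_free()`, which the success path does.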
diff --git a/tests/psa-client-server/psasim/src/aut_psa_hash_compute.c b/tests/psa-client-server/psasim/src/aut_psa_hash_compute.c
new file mode 100644
index 0000000..959e0c3
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_hash_compute.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform.h"
+
+#define HASH_ALG PSA_ALG_SHA_256
+
+static const uint8_t sample_message[] = "Hello World!";
+/* sample_message is terminated with a null byte which is not part of
+ * the message itself so we make sure to subtract it in order to get
+ * the message length. */
+static const size_t sample_message_length = sizeof(sample_message) - 1;
+
+#define EXPECTED_HASH_VALUE { \
+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, \
+ 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, \
+ 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 \
+}
+
+static const uint8_t expected_hash[] = EXPECTED_HASH_VALUE;
+static const size_t expected_hash_len = sizeof(expected_hash);
+
+int psa_hash_compute_main(void)
+{
+ psa_status_t status;
+ uint8_t hash[PSA_HASH_LENGTH(HASH_ALG)];
+ size_t hash_length;
+
+ mbedtls_printf("PSA Crypto API: SHA-256 example\n\n");
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ /* Clear local variables prior to one-shot hash demo */
+ memset(hash, 0, sizeof(hash));
+ hash_length = 0;
+
+ /* Compute hash using one-shot function call */
+ status = psa_hash_compute(HASH_ALG,
+ sample_message, sample_message_length,
+ hash, sizeof(hash),
+ &hash_length);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_hash_compute failed\n");
+ goto cleanup;
+ }
+
+ if (hash_length != expected_hash_len ||
+ (memcmp(hash, expected_hash, expected_hash_len) != 0)) {
+ mbedtls_printf("One-shot hash operation gave the wrong result!\n\n");
+ goto cleanup;
+ }
+
+ mbedtls_printf("One-shot hash operation successful!\n\n");
+
+ /* Print out result */
+ mbedtls_printf("The SHA-256( '%s' ) is: ", sample_message);
+
+ for (size_t j = 0; j < expected_hash_len; j++) {
+ mbedtls_printf("%02x", hash[j]);
+ }
+
+ mbedtls_printf("\n");
+
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+
+cleanup:
+ return EXIT_FAILURE;
+}
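Review bot: The comment `/* Clear local variables prior to one-shot hash demo */` appears to be carried over from aut_psa_hash.c, but in `psa_hash_compute_main` nothing has used `hash` or `hash_length` before that point, so the `memset` and the assignment are really the first initialisation. Initialising at the declarations, `uint8_t hash[PSA_HASH_LENGTH(HASH_ALG)] = { 0 };` and `size_t hash_length = 0;`, says that directly and lets the comment go. The `cleanup:` label here performs no cleanup at all, so it is the natural place to call `mbedtls_psa_crypto_free()` before returning `EXIT_FAILURE`.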
diff --git a/tests/psa-client-server/psasim/src/aut_psa_hkdf.c b/tests/psa-client-server/psasim/src/aut_psa_hkdf.c
new file mode 100644
index 0000000..891fdb3
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_hkdf.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mbedtls/build_info.h"
+
+int psa_hkdf_main(void)
+{
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = 0;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ /* Example test vector from RFC 5869 */
+
+ /* Input keying material (IKM) */
+ unsigned char ikm[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+
+ unsigned char salt[] =
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
+
+ /* Context and application specific information, which can be of zero length */
+ unsigned char info[] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
+
+ /* Expected OKM based on the RFC 5869-provided test vector */
+ unsigned char expected_okm[] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43,
+ 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90,
+ 0xcf, 0x1a, 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4,
+ 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
+ 0x58, 0x65 };
+
+ /* The output size of the HKDF function depends on the hash function used.
+ * In our case we use SHA-256, which produces a 32 byte fingerprint.
+ * Therefore, we allocate a buffer of 32 bytes to hold the output keying
+ * material (OKM).
+ */
+ unsigned char output[32];
+
+ psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
+
+ printf("PSA Crypto API: HKDF SHA-256 example\n\n");
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_HKDF(PSA_ALG_SHA_256));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
+
+ status = psa_import_key(&attributes, ikm, sizeof(ikm), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_setup(&operation, alg);
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_setup failed");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SALT,
+ salt, sizeof(salt));
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_input_bytes (salt) failed");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+ key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_input_key failed");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_INFO,
+ info, sizeof(info));
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_input_bytes (info) failed");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_output_bytes(&operation, output, sizeof(output));
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_output_bytes failed");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_key_derivation_abort(&operation);
+ if (status != PSA_SUCCESS) {
+ printf("psa_key_derivation_abort failed");
+ return EXIT_FAILURE;
+ }
+
+ printf("OKM: \n");
+
+ for (size_t j = 0; j < sizeof(output); j++) {
+ if (output[j] != expected_okm[j]) {
+ printf("\n --- Unexpected outcome!\n");
+ return EXIT_FAILURE;
+ }
+
+ if (j % 8 == 0) {
+ printf("\n ");
+ }
+ printf("%02x ", output[j]);
+ }
+
+ printf("\n");
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+}
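Review bot: The comment above `unsigned char output[32];` says HKDF's output size is fixed by the hash, but HKDF produces a caller-chosen length and `expected_okm` here holds 42 bytes. The comparison loop over `sizeof(output)` therefore checks only the first 32 bytes and never exercises output beyond one SHA-256 block. Sizing the buffer from the vector, `unsigned char output[sizeof(expected_okm)];`, checks the whole RFC 5869 vector and makes the comment unnecessary. `key_id` is also never passed to `psa_destroy_key`, even on the success path, and the failure messages from `psa_key_derivation_setup` onward lack a trailing `\n`.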
diff --git a/tests/psa-client-server/psasim/src/aut_psa_key_agreement.c b/tests/psa-client-server/psasim/src/aut_psa_key_agreement.c
new file mode 100644
index 0000000..4a0aab1
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_key_agreement.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mbedtls/build_info.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/platform.h"
+
+#define BUFFER_SIZE 500
+
+#define SERVER_PK_VALUE { \
+ 0x04, 0xde, 0xa5, 0xe4, 0x5d, 0x0e, 0xa3, 0x7f, 0xc5, \
+ 0x66, 0x23, 0x2a, 0x50, 0x8f, 0x4a, 0xd2, 0x0e, 0xa1, \
+ 0x3d, 0x47, 0xe4, 0xbf, 0x5f, 0xa4, 0xd5, 0x4a, 0x57, \
+ 0xa0, 0xba, 0x01, 0x20, 0x42, 0x08, 0x70, 0x97, 0x49, \
+ 0x6e, 0xfc, 0x58, 0x3f, 0xed, 0x8b, 0x24, 0xa5, 0xb9, \
+ 0xbe, 0x9a, 0x51, 0xde, 0x06, 0x3f, 0x5a, 0x00, 0xa8, \
+ 0xb6, 0x98, 0xa1, 0x6f, 0xd7, 0xf2, 0x9b, 0x54, 0x85, \
+ 0xf3, 0x20 \
+}
+
+#define KEY_BITS 256
+
+int psa_key_agreement_main(void)
+{
+ psa_status_t status;
+ psa_key_attributes_t client_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t server_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t client_key_id = 0;
+ psa_key_id_t server_key_id = 0;
+ uint8_t client_pk[BUFFER_SIZE] = { 0 };
+ size_t client_pk_len;
+ size_t key_bits;
+ psa_key_type_t key_type;
+
+ const uint8_t server_pk[] = SERVER_PK_VALUE;
+ uint8_t derived_key[BUFFER_SIZE] = { 0 };
+ size_t derived_key_len;
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&client_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&client_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&client_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_bits(&client_attributes, KEY_BITS);
+
+ /* Generate ephemeral key pair */
+ status = psa_generate_key(&client_attributes, &client_key_id);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_generate_key failed\n");
+ return EXIT_FAILURE;
+ }
+ status = psa_export_public_key(client_key_id,
+ client_pk, sizeof(client_pk),
+ &client_pk_len);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_export_public_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ mbedtls_printf("Client Public Key (%" MBEDTLS_PRINTF_SIZET " bytes):\n", client_pk_len);
+
+ for (size_t j = 0; j < client_pk_len; j++) {
+ if (j % 8 == 0) {
+ mbedtls_printf("\n ");
+ }
+ mbedtls_printf("%02x ", client_pk[j]);
+ }
+ mbedtls_printf("\n\n");
+
+ psa_set_key_usage_flags(&server_attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
+ psa_set_key_algorithm(&server_attributes, PSA_ALG_ECDSA_ANY);
+ psa_set_key_type(&server_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+
+ /* Import server public key */
+ status = psa_import_key(&server_attributes, server_pk, sizeof(server_pk), &server_key_id);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_get_key_attributes(server_key_id, &check_attributes);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_get_key_attributes failed\n");
+ return EXIT_FAILURE;
+ }
+
+ key_bits = psa_get_key_bits(&check_attributes);
+ if (key_bits != 256) {
+ mbedtls_printf("Incompatible key size!\n");
+ return EXIT_FAILURE;
+ }
+
+ key_type = psa_get_key_type(&check_attributes);
+ if (key_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
+ mbedtls_printf("Unsupported key type!\n");
+ return EXIT_FAILURE;
+ }
+
+ mbedtls_printf("Server Public Key (%" MBEDTLS_PRINTF_SIZET " bytes):\n", sizeof(server_pk));
+
+ for (size_t j = 0; j < sizeof(server_pk); j++) {
+ if (j % 8 == 0) {
+ mbedtls_printf("\n ");
+ }
+ mbedtls_printf("%02x ", server_pk[j]);
+ }
+ mbedtls_printf("\n\n");
+
+ /* Generate ECDHE derived key */
+ status = psa_raw_key_agreement(PSA_ALG_ECDH, // algorithm
+ client_key_id, // client secret key
+ server_pk, sizeof(server_pk), // server public key
+ derived_key, sizeof(derived_key), // buffer to store derived key
+ &derived_key_len);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_raw_key_agreement failed\n");
+ return EXIT_FAILURE;
+ }
+
+ mbedtls_printf("Derived Key (%" MBEDTLS_PRINTF_SIZET " bytes):\n", derived_key_len);
+
+ for (size_t j = 0; j < derived_key_len; j++) {
+ if (j % 8 == 0) {
+ mbedtls_printf("\n ");
+ }
+ mbedtls_printf("%02x ", derived_key[j]);
+ }
+ mbedtls_printf("\n");
+
+ psa_destroy_key(server_key_id);
+ psa_destroy_key(client_key_id);
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+}
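Review bot: `server_attributes` is given `PSA_ALG_ECDSA_ANY` with `PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT`, yet the only operation in `psa_key_agreement_main` is ECDH, and `psa_raw_key_agreement` is handed the raw `server_pk` bytes rather than `server_key_id`. That policy is therefore never exercised and reads as a leftover. If the import is only there to validate the peer key, a comment saying so plus `psa_set_key_algorithm(&server_attributes, PSA_ALG_ECDH);` would presumably match the intent, and the size check should use the macro, `if (key_bits != KEY_BITS)`. `check_attributes` is filled by `psa_get_key_attributes` but never released with `psa_reset_key_attributes(&check_attributes)`.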
diff --git a/tests/psa-client-server/psasim/src/aut_psa_mac.c b/tests/psa-client-server/psasim/src/aut_psa_mac.c
new file mode 100644
index 0000000..18b4b57
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_mac.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mbedtls/build_info.h"
+
+/* constant-time buffer comparison */
+static inline int safer_memcmp(const void *a, const void *b, size_t n)
+{
+ size_t i;
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+ volatile unsigned char diff = 0;
+
+ for (i = 0; i < n; i++) {
+ /* Read volatile data in order before computing diff.
+ * This avoids IAR compiler warning:
+ * 'the order of volatile accesses is undefined ..' */
+ unsigned char x = A[i], y = B[i];
+ diff |= x ^ y;
+ }
+
+ return diff;
+}
+
+
+int psa_mac_main(void)
+{
+ uint8_t input[] = "Hello World!";
+ psa_status_t status;
+ size_t mac_size_real = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id = 0;
+ uint8_t mac[PSA_MAC_MAX_SIZE];
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ const uint8_t key_bytes[16] = "kkkkkkkkkkkkkkkk";
+ const uint8_t mbedtls_test_hmac_sha256[] = {
+ 0xae, 0x72, 0x34, 0x5a, 0x10, 0x36, 0xfb, 0x71,
+ 0x35, 0x3c, 0x7d, 0x6c, 0x81, 0x98, 0x52, 0x86,
+ 0x00, 0x4a, 0x43, 0x7c, 0x2d, 0xb3, 0x1a, 0xd8,
+ 0x67, 0xb1, 0xad, 0x11, 0x4d, 0x18, 0x49, 0x8b
+ };
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ /* Single-part MAC operation with psa_mac_compute() */
+ status = psa_mac_compute(key_id,
+ PSA_ALG_HMAC(PSA_ALG_SHA_256),
+ input,
+ sizeof(input),
+ mac,
+ sizeof(mac),
+ &mac_size_real);
+ if (status != PSA_SUCCESS) {
+ printf("psa_mac_compute failed\n");
+ return EXIT_FAILURE;
+ }
+
+ printf("HMAC-SHA-256(%s) with psa_mac_compute():\n", input);
+
+ for (size_t j = 0; j < mac_size_real; j++) {
+ if (j % 8 == 0) {
+ printf("\n ");
+ }
+ printf("%02x ", mac[j]);
+ }
+
+ printf("\n");
+
+ if (safer_memcmp(mac,
+ mbedtls_test_hmac_sha256,
+ mac_size_real
+ ) != 0) {
+ printf("\nMAC verified incorrectly!\n");
+ } else {
+ printf("\nMAC verified correctly!\n");
+ }
+
+ psa_destroy_key(key_id);
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ /* Single-part MAC operation with psa_mac_verify() */
+ status = psa_mac_verify(key_id,
+ PSA_ALG_HMAC(PSA_ALG_SHA_256),
+ input,
+ sizeof(input),
+ mbedtls_test_hmac_sha256,
+ sizeof(mbedtls_test_hmac_sha256));
+ if (status != PSA_SUCCESS) {
+ printf("psa_mac_verify failed\n");
+ return EXIT_FAILURE;
+ } else {
+ printf("psa_mac_verify passed successfully\n");
+ }
+
+ psa_destroy_key(key_id);
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ /* Multi-part MAC operation */
+ status = psa_mac_sign_setup(&operation, key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ if (status != PSA_SUCCESS) {
+ printf("psa_mac_sign_setup failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_mac_update(&operation, input, sizeof(input));
+ if (status != PSA_SUCCESS) {
+ printf("psa_mac_update failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_mac_sign_finish(&operation, mac, sizeof(mac), &mac_size_real);
+ if (status != PSA_SUCCESS) {
+ printf("psa_mac_sign_finish failed\n");
+ return EXIT_FAILURE;
+ }
+
+ if (safer_memcmp(mac,
+ mbedtls_test_hmac_sha256,
+ mac_size_real
+ ) != 0) {
+ printf("MAC, calculated with multi-part MAC operation, verified incorrectly!\n");
+ } else {
+ printf("MAC, calculated with multi-part MAC operation, verified correctly!\n");
+ }
+
+ psa_destroy_key(key_id);
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+}
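Review bot: Neither `safer_memcmp` check in `psa_mac_main` makes the program fail: on a mismatch it prints `MAC verified incorrectly!` (or the multi-part variant) and still reaches `return EXIT_SUCCESS;`, so a wrong MAC from either path goes unnoticed by whatever runs this test. Both sites should return `EXIT_FAILURE` on mismatch. They should also compare the length first, because `mac_size_real` rather than the size of the expected array drives the comparison: `if (mac_size_real != sizeof(mbedtls_test_hmac_sha256) || safer_memcmp(mac, mbedtls_test_hmac_sha256, mac_size_real) != 0) {`, with `return EXIT_FAILURE;` after the message.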
diff --git a/tests/psa-client-server/psasim/src/aut_psa_random.c b/tests/psa-client-server/psasim/src/aut_psa_random.c
new file mode 100644
index 0000000..5880c4d
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_random.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "mbedtls/build_info.h"
+
+#include <psa/crypto.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mbedtls/entropy.h"
+
+#define BUFFER_SIZE 100
+
+int psa_random_main(void)
+{
+ psa_status_t status;
+ uint8_t output[BUFFER_SIZE] = { 0 };
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_generate_random(output, BUFFER_SIZE);
+ if (status != PSA_SUCCESS) {
+ printf("psa_generate_random failed\n");
+ return EXIT_FAILURE;
+ }
+
+ printf("Random bytes generated:\n");
+
+ for (size_t j = 0; j < BUFFER_SIZE; j++) {
+ if (j % 8 == 0) {
+ printf("\n ");
+ }
+ printf("%02x ", output[j]);
+ }
+
+ printf("\n");
+
+ mbedtls_psa_crypto_free();
+ return 0;
+}
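Review bot: The failure return after `psa_generate_random` skips `mbedtls_psa_crypto_free()`, which only the success path calls. In this simulator `psa_crypto_init()` connects to the server (per the comment in client.c), so the early return presumably leaves that connection behind; adding `mbedtls_psa_crypto_free();` before that `return EXIT_FAILURE;` closes it. The same pattern, with an imported key left undestroyed as well, appears on the error returns in aut_psa_mac.c and aut_psa_sign_verify.c, where one cleanup label running `psa_destroy_key(key_id); mbedtls_psa_crypto_free();` would cover every exit. The success path here also returns `0` where the sibling programs use `EXIT_SUCCESS`.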
diff --git a/tests/psa-client-server/psasim/src/aut_psa_sign_verify.c b/tests/psa-client-server/psasim/src/aut_psa_sign_verify.c
new file mode 100644
index 0000000..98df9e5
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/aut_psa_sign_verify.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+
+#include "psa/crypto.h"
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform.h"
+
+#define KEY_BYTES_VALUE { \
+ 0x49, 0xc9, 0xa8, 0xc1, 0x8c, 0x4b, 0x88, 0x56, 0x38, 0xc4, 0x31, 0xcf, \
+ 0x1d, 0xf1, 0xc9, 0x94, 0x13, 0x16, 0x09, 0xb5, 0x80, 0xd4, 0xfd, 0x43, \
+ 0xa0, 0xca, 0xb1, 0x7d, 0xb2, 0xf1, 0x3e, 0xee \
+}
+
+#define PLAINTEXT_VALUE "Hello World!"
+
+/* SHA-256(plaintext) */
+#define HASH_VALUE { \
+ 0x5a, 0x09, 0xe8, 0xfa, 0x9c, 0x77, 0x80, 0x7b, 0x24, 0xe9, 0x9c, 0x9c, \
+ 0xf9, 0x99, 0xde, 0xbf, 0xad, 0x84, 0x41, 0xe2, 0x69, 0xeb, 0x96, 0x0e, \
+ 0x20, 0x1f, 0x61, 0xfc, 0x3d, 0xe2, 0x0d, 0x5a \
+}
+
+int psa_sign_verify_main(void)
+{
+ psa_status_t status;
+ psa_key_id_t key_id = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
+ size_t signature_length;
+ const uint8_t key_bytes[] = KEY_BYTES_VALUE;
+ const uint8_t plaintext[] = PLAINTEXT_VALUE;
+ const uint8_t hash[] = HASH_VALUE;
+
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_crypto_init failed\n");
+ return EXIT_FAILURE;
+ }
+
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+
+ status = psa_import_key(&attributes, key_bytes, sizeof(key_bytes), &key_id);
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_import_key failed\n");
+ return EXIT_FAILURE;
+ }
+
+ status = psa_sign_hash(key_id, // key handle
+ PSA_ALG_ECDSA(PSA_ALG_SHA_256), // signature algorithm
+ hash, sizeof(hash), // hash of the message
+ signature, sizeof(signature), // signature (as output)
+ &signature_length); // length of signature output
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_sign_hash failed\n");
+ return EXIT_FAILURE;
+ }
+
+ mbedtls_printf("ECDSA-SHA256 signature of SHA-256('%s'):\n", plaintext);
+
+ for (size_t j = 0; j < signature_length; j++) {
+ if (j % 8 == 0) {
+ mbedtls_printf("\n ");
+ }
+ mbedtls_printf("%02x ", signature[j]);
+ }
+
+ mbedtls_printf("\n");
+
+ status = psa_verify_hash(key_id, // key handle
+ PSA_ALG_ECDSA(PSA_ALG_SHA_256), // signature algorithm
+ hash, sizeof(hash), // hash of message
+ signature, signature_length); // signature
+ if (status != PSA_SUCCESS) {
+ mbedtls_printf("psa_verify_hash failed\n");
+ return EXIT_FAILURE;
+ } else {
+ mbedtls_printf("\nSignature verification successful!\n");
+ }
+
+ psa_destroy_key(key_id);
+ mbedtls_psa_crypto_free();
+ return EXIT_SUCCESS;
+}
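Review bot: The comment `/* SHA-256(plaintext) */` above `HASH_VALUE` does not say exactly which bytes were hashed, and nothing in `psa_sign_verify_main` recomputes the digest; `plaintext` is used only in the printed label, so `PLAINTEXT_VALUE` and `HASH_VALUE` can drift apart without the program noticing. I would make the comment `/* Precomputed SHA-256 of PLAINTEXT_VALUE; regenerate if the plaintext changes */` and add whether the string's terminating NUL is part of the input. Alternatively, derive the hash at run time with `psa_hash_compute` so the label printed before the signature is true by construction. `KEY_BYTES_VALUE` would also benefit from a one-line comment marking it as a fixed, test-only private key.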
diff --git a/tests/psa-client-server/psasim/src/client.c b/tests/psa-client-server/psasim/src/client.c
new file mode 100644
index 0000000..4c63abf
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/client.c
@@ -0,0 +1,23 @@
+/* psasim test client */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/* Includes from mbedtls */
+#include "psa/crypto.h"
+#include "util.h"
+
+int main()
+{
+ /* psa_crypto_init() connects to the server */
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ ERROR("psa_crypto_init returned %d", status);
+ return 1;
+ }
+
+ mbedtls_psa_crypto_free();
+ return 0;
+}
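Review bot: `int main()` declares main with an unspecified parameter list; `int main(void)` is the prototype form and matches the `..._main(void)` entry points added elsewhere in this commit. `get_next_free_handle()` in psa_ff_client.c uses the same empty parentheses. The failure path also returns a bare `1` where the other programs use `EXIT_FAILURE`, which would need `<stdlib.h>` unless util.h already pulls it in.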
diff --git a/tests/psa-client-server/psasim/src/manifest.json b/tests/psa-client-server/psasim/src/manifest.json
new file mode 100644
index 0000000..e67b636
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/manifest.json
@@ -0,0 +1,29 @@
+{
+ "psa_framework_version":1.0,
+ "name":"TEST_PARTITION",
+ "type":"PSA-ROT",
+ "priority":"LOW",
+ "entry_point":"psa_server_main",
+ "stack_size":"0x400",
+ "heap_size":"0x100",
+ "services":[
+ {
+ "name":"PSA_SID_CRYPTO",
+ "sid":"0x0000F000",
+ "signal":"PSA_CRYPTO",
+ "non_secure_clients": "true",
+ "minor_version":1,
+ "minor_policy":"STRICT"
+ }
+ ],
+ "irqs": [
+ {
+ "source": "SIGINT",
+ "signal": "SIGINT_SIG"
+ },
+ {
+ "source": "SIGTSTP",
+ "signal": "SIGSTP_SIG"
+ }
+ ]
+}
diff --git a/tests/psa-client-server/psasim/src/psa_ff_client.c b/tests/psa-client-server/psasim/src/psa_ff_client.c
new file mode 100644
index 0000000..0d6bbf3
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_ff_client.c
@@ -0,0 +1,385 @@
+/* PSA firmware framework client API */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/msg.h>
+
+#include "client.h"
+#include "common.h"
+#include "error_ext.h"
+#include "util.h"
+
+typedef struct internal_handle {
+ int server_qid;
+ int client_qid;
+ int internal_server_qid;
+ int valid;
+} internal_handle_t;
+
+typedef struct vectors {
+ const psa_invec *in_vec;
+ size_t in_len;
+ psa_outvec *out_vec;
+ size_t out_len;
+} vectors_t;
+
+/* Note that this implementation is functional and not secure */
+int __psa_ff_client_security_state = NON_SECURE;
+
+/* Access to this global is not thread safe */
+#define MAX_HANDLES 32
+static internal_handle_t handles[MAX_HANDLES] = { { 0 } };
+
+static int get_next_free_handle()
+{
+ /* Never return handle 0 as it's a special null handle */
+ for (int i = 1; i < MAX_HANDLES; i++) {
+ if (handles[i].valid == 0) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+static int handle_is_valid(psa_handle_t handle)
+{
+ if (handle > 0 && handle < MAX_HANDLES) {
+ if (handles[handle].valid == 1) {
+ return 1;
+ }
+ }
+ ERROR("ERROR: Invalid handle");
+ return 0;
+}
+
+static int get_queue_info(char *path, int *cqid, int *sqid)
+{
+ key_t server_queue_key;
+ int rx_qid, server_qid;
+
+ INFO("Attempting to contact a RoT service queue");
+
+ if ((rx_qid = msgget(IPC_PRIVATE, 0660)) == -1) {
+ ERROR("msgget: rx_qid");
+ return -1;
+ }
+
+ if ((server_queue_key = ftok(path, PROJECT_ID)) == -1) {
+ ERROR("ftok");
+ return -2;
+ }
+
+ if ((server_qid = msgget(server_queue_key, 0)) == -1) {
+ ERROR("msgget: server_qid");
+ return -3;
+ }
+
+ *cqid = rx_qid;
+ *sqid = server_qid;
+
+ return 0;
+}
+
+static psa_status_t process_response(int rx_qid, vectors_t *vecs, int type,
+ int *internal_server_qid)
+{
+ struct message response, request;
+ psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
+ size_t invec_seek[4] = { 0 };
+ size_t data_size;
+ psa_status_t invec, outvec; /* TODO: Should these be size_t ? */
+
+ assert(internal_server_qid > 0);
+
+ while (1) {
+ data_size = 0;
+ invec = 0;
+ outvec = 0;
+
+ /* read response from server */
+ if (msgrcv(rx_qid, &response, sizeof(struct message_text), 0, 0) == -1) {
+ ERROR(" msgrcv failed");
+ return ret;
+ }
+
+ /* process return message from server */
+ switch (response.message_type) {
+ case PSA_REPLY:
+ memcpy(&ret, response.message_text.buf, sizeof(psa_status_t));
+ INFO(" Message received from server: %d", ret);
+ if (type == PSA_IPC_CONNECT && ret > 0) {
+ *internal_server_qid = ret;
+ INFO(" ASSSIGNED q ID %d", *internal_server_qid);
+ ret = PSA_SUCCESS;
+ }
+ return ret;
+ break;
+ case READ_REQUEST:
+ /* read data request */
+ request.message_type = READ_RESPONSE;
+
+ assert(vecs != 0);
+
+ memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
+ INFO(" Partition asked for %lu bytes from invec %d", data_size, invec);
+
+ /* need to add more checks here */
+ assert(invec >= 0 && invec < PSA_MAX_IOVEC);
+
+ if (data_size > MAX_FRAGMENT_SIZE) {
+ data_size = MAX_FRAGMENT_SIZE;
+ }
+
+ /* send response */
+ INFO(" invec_seek[invec] is %lu", invec_seek[invec]);
+ INFO(" Reading from offset %p", vecs->in_vec[invec].base + invec_seek[invec]);
+ memcpy(request.message_text.buf,
+ (vecs->in_vec[invec].base + invec_seek[invec]),
+ data_size);
+
+ /* update invec base TODO: check me */
+ invec_seek[invec] = invec_seek[invec] + data_size;
+
+ INFO(" Sending message of type %li", request.message_type);
+ INFO(" with content %s", request.message_text.buf);
+
+ if (msgsnd(*internal_server_qid, &request,
+ sizeof(int) + sizeof(uint32_t) + data_size, 0) == -1) {
+ ERROR("Internal error: failed to respond to read request");
+ }
+ break;
+ case WRITE_REQUEST:
+ assert(vecs != 0);
+
+ request.message_type = WRITE_RESPONSE;
+
+ memcpy(&outvec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf + sizeof(size_t), sizeof(size_t));
+ INFO(" Partition wants to write %lu bytes to outvec %d", data_size, outvec);
+
+ assert(outvec >= 0 && outvec < PSA_MAX_IOVEC);
+
+ /* copy memory into message and send back amount written */
+ size_t sofar = vecs->out_vec[outvec].len;
+ memcpy(vecs->out_vec[outvec].base + sofar,
+ response.message_text.buf+(sizeof(size_t)*2), data_size);
+ INFO(" Data size is %lu", data_size);
+ vecs->out_vec[outvec].len += data_size;
+
+ INFO(" Sending message of type %li", request.message_type);
+
+ /* send response */
+ if (msgsnd(*internal_server_qid, &request, sizeof(int) + data_size, 0) == -1) {
+ ERROR("Internal error: failed to respond to write request");
+ }
+ break;
+ case SKIP_REQUEST:
+ memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
+ INFO(" Partition asked to skip %lu bytes in invec %d", data_size, invec);
+ assert(invec >= 0 && invec < PSA_MAX_IOVEC);
+ /* update invec base TODO: check me */
+ invec_seek[invec] = invec_seek[invec] + data_size;
+ break;
+
+ default:
+ FATAL(" ERROR: unknown internal message type: %ld",
+ response.message_type);
+ }
+ }
+}
+
+static psa_status_t send(int rx_qid, int server_qid, int *internal_server_qid,
+ int32_t type, uint32_t minor_version, vectors_t *vecs)
+{
+ psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
+ size_t request_msg_size = (sizeof(int) + sizeof(long)); /* msg type plus queue id */
+ struct message request;
+ request.message_type = 1; /* TODO: change this */
+ request.message_text.psa_type = type;
+ vector_sizes_t vec_sizes;
+
+ /* If the client is non-secure then set the NS bit */
+ if (__psa_ff_client_security_state != 0) {
+ request.message_type |= NON_SECURE;
+ }
+
+ assert(request.message_type >= 0);
+
+ INFO("SEND: Sending message of type %ld with psa_type %d", request.message_type, type);
+ INFO(" internal_server_qid = %i", *internal_server_qid);
+
+ request.message_text.qid = rx_qid;
+
+ if (type == PSA_IPC_CONNECT) {
+ memcpy(request.message_text.buf, &minor_version, sizeof(minor_version));
+ request_msg_size = request_msg_size + sizeof(minor_version);
+ INFO(" Request msg size is %lu", request_msg_size);
+ } else {
+ assert(internal_server_qid > 0);
+ }
+
+ if (vecs != NULL && type >= PSA_IPC_CALL) {
+
+ memset(&vec_sizes, 0, sizeof(vec_sizes));
+
+ /* Copy invec sizes */
+ for (size_t i = 0; i < (vecs->in_len); i++) {
+ vec_sizes.invec_sizes[i] = vecs->in_vec[i].len;
+ INFO(" Client sending vector %lu: %lu", i, vec_sizes.invec_sizes[i]);
+ }
+
+ /* Copy outvec sizes */
+ for (size_t i = 0; i < (vecs->out_len); i++) {
+ vec_sizes.outvec_sizes[i] = vecs->out_vec[i].len;
+
+ /* Reset to 0 since we need to eventually fill in with bytes written */
+ vecs->out_vec[i].len = 0;
+ }
+
+ memcpy(request.message_text.buf, &vec_sizes, sizeof(vec_sizes));
+ request_msg_size = request_msg_size + sizeof(vec_sizes);
+ }
+
+ INFO(" Sending and then waiting");
+
+ /* send message to server */
+ if (msgsnd(server_qid, &request, request_msg_size, 0) == -1) {
+ ERROR(" msgsnd failed");
+ return ret;
+ }
+
+ return process_response(rx_qid, vecs, type, internal_server_qid);
+}
+
+
+uint32_t psa_framework_version(void)
+{
+ return PSA_FRAMEWORK_VERSION;
+}
+
+psa_handle_t psa_connect(uint32_t sid, uint32_t minor_version)
+{
+ int idx;
+ psa_status_t ret;
+ char pathname[PATHNAMESIZE] = { 0 };
+
+ idx = get_next_free_handle();
+
+ /* if there's a free handle available */
+ if (idx >= 0) {
+ snprintf(pathname, PATHNAMESIZE - 1, TMP_FILE_BASE_PATH "psa_service_%u", sid);
+ INFO("Attempting to contact RoT service at %s", pathname);
+
+ /* if communication is possible */
+ if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
+
+ ret = send(handles[idx].client_qid,
+ handles[idx].server_qid,
+ &handles[idx].internal_server_qid,
+ PSA_IPC_CONNECT,
+ minor_version,
+ NULL);
+
+ /* if connection accepted by RoT service */
+ if (ret >= 0) {
+ handles[idx].valid = 1;
+ return idx;
+ } else {
+ ERROR("Server didn't like you");
+ }
+ } else {
+ ERROR("Couldn't contact RoT service. Does it exist?");
+
+ if (__psa_ff_client_security_state == 0) {
+ ERROR("Invalid SID");
+ }
+ }
+ }
+
+ INFO("Couldn't obtain a free handle");
+ return PSA_ERROR_CONNECTION_REFUSED;
+}
+
+uint32_t psa_version(uint32_t sid)
+{
+ int idx;
+ psa_status_t ret;
+ char pathname[PATHNAMESIZE] = { 0 };
+
+ idx = get_next_free_handle();
+
+ if (idx >= 0) {
+ snprintf(pathname, PATHNAMESIZE, TMP_FILE_BASE_PATH "psa_service_%u", sid);
+ if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
+ ret = send(handles[idx].client_qid,
+ handles[idx].server_qid,
+ &handles[idx].internal_server_qid,
+ VERSION_REQUEST,
+ 0,
+ NULL);
+ INFO("psa_version: Recieved from server %d", ret);
+ if (ret > 0) {
+ return ret;
+ }
+ }
+ }
+ ERROR("psa_version failed: does the service exist?");
+ return PSA_VERSION_NONE;
+}
+
+psa_status_t psa_call(psa_handle_t handle,
+ int32_t type,
+ const psa_invec *in_vec,
+ size_t in_len,
+ psa_outvec *out_vec,
+ size_t out_len)
+{
+ handle_is_valid(handle);
+
+ if ((in_len + out_len) > PSA_MAX_IOVEC) {
+ ERROR("Too many iovecs: %lu + %lu", in_len, out_len);
+ }
+
+ vectors_t vecs = { 0 };
+ vecs.in_vec = in_vec;
+ vecs.in_len = in_len;
+ vecs.out_vec = out_vec;
+ vecs.out_len = out_len;
+
+ return send(handles[handle].client_qid,
+ handles[handle].server_qid,
+ &handles[handle].internal_server_qid,
+ type,
+ 0,
+ &vecs);
+}
+
+void psa_close(psa_handle_t handle)
+{
+ handle_is_valid(handle);
+ if (send(handles[handle].client_qid, handles[handle].server_qid,
+ &handles[handle].internal_server_qid, PSA_IPC_DISCONNECT, 0, NULL)) {
+ ERROR("ERROR: Couldn't send disconnect msg");
+ } else {
+ if (msgctl(handles[handle].client_qid, IPC_RMID, NULL) != 0) {
+ ERROR("ERROR: Failed to delete msg queue");
+ }
+ }
+ INFO("Closing handle %u", handle);
+ handles[handle].valid = 0;
+}
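Review bot: In `process_response()` the vector index and `data_size` decoded from the received message reach `memcpy` guarded only by `assert` and, on the read side, a `MAX_FRAGMENT_SIZE` clamp. A READ_REQUEST can therefore copy from beyond the end of `in_vec[invec]`, and a WRITE_REQUEST can copy beyond the caller's output buffer; the code's own `need to add more checks here` comment marks the spot. The write side cannot be bounded as written, because `send()` zeroes `out_vec[i].len` before the reply loop runs, so the caller's capacity has to be saved first. The sketch below keeps it in `vectors_t` and turns the checks into runtime errors, since asserts vanish under NDEBUG. Relatedly, `psa_call()` ignores the result of `handle_is_valid()` and only logs when `in_len + out_len` exceeds `PSA_MAX_IOVEC`, then goes on to index `handles[]` and fill `vec_sizes`; both should return an error instead.

```c
typedef struct vectors {
    /* … unchanged: in_vec, in_len, out_vec, out_len … */
    size_t out_cap[PSA_MAX_IOVEC]; /* caller's outvec sizes, saved before len is reset */
} vectors_t;

/* … unchanged: process_response() up to the READ_REQUEST decode of invec/data_size … */
                if (invec < 0 || invec >= PSA_MAX_IOVEC || (size_t) invec >= vecs->in_len) {
                    ERROR("Read request for invalid invec %d", invec);
                    return PSA_ERROR_PROGRAMMER_ERROR;
                }
                size_t in_total = vecs->in_vec[invec].len;
                size_t in_left = invec_seek[invec] < in_total ?
                                 in_total - invec_seek[invec] : 0;
                if (data_size > in_left) {
                    data_size = in_left;
                }
/* … unchanged: MAX_FRAGMENT_SIZE clamp, memcpy into request, msgsnd … */

/* … unchanged: WRITE_REQUEST decode of outvec/data_size … */
                if (outvec < 0 || outvec >= PSA_MAX_IOVEC || (size_t) outvec >= vecs->out_len) {
                    ERROR("Write request for invalid outvec %d", outvec);
                    return PSA_ERROR_PROGRAMMER_ERROR;
                }
                size_t sofar = vecs->out_vec[outvec].len;
                if (data_size > MAX_FRAGMENT_SIZE - (sizeof(size_t) * 2) ||
                    sofar > vecs->out_cap[outvec] ||
                    data_size > vecs->out_cap[outvec] - sofar) {
                    ERROR("Write request exceeds outvec %d", outvec);
                    return PSA_ERROR_PROGRAMMER_ERROR;
                }
/* … unchanged: memcpy into out_vec, len update, msgsnd … */

/* in send(), inside the "Copy outvec sizes" loop, before len is reset: */
            vecs->out_cap[i] = vecs->out_vec[i].len;
```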
diff --git a/tests/psa-client-server/psasim/src/psa_ff_server.c b/tests/psa-client-server/psasim/src/psa_ff_server.c
new file mode 100644
index 0000000..b106092
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_ff_server.c
@@ -0,0 +1,655 @@
+/* PSA Firmware Framework service API */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/msg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <unistd.h>
+#include <time.h>
+#include <assert.h>
+
+#include "service.h"
+#include "init.h"
+#include "error_ext.h"
+#include "common.h"
+#include "util.h"
+
+#define MAX_CLIENTS 128
+#define MAX_MESSAGES 32
+
+struct connection {
+ uint32_t client;
+ void *rhandle;
+ int client_to_server_q;
+};
+
+/* Note that this implementation is functional and not secure. */
+int __psa_ff_client_security_state = NON_SECURE;
+
+static psa_msg_t messages[MAX_MESSAGES]; /* Message slots */
+static uint8_t pending_message[MAX_MESSAGES] = { 0 }; /* Booleans indicating active message slots */
+static uint32_t message_client[MAX_MESSAGES] = { 0 }; /* Each client's response queue */
+static int nsacl[32];
+static int strict_policy[32] = { 0 };
+static uint32_t rot_svc_versions[32];
+static int rot_svc_incoming_queue[32] = { -1 };
+static struct connection connections[MAX_CLIENTS] = { { 0 } };
+
+static uint32_t exposed_signals = 0;
+
+void print_vectors(vector_sizes_t *sizes)
+{
+ INFO("Printing iovec sizes");
+ for (int j = 0; j < PSA_MAX_IOVEC; j++) {
+ INFO("Invec %d: %lu", j, sizes->invec_sizes[j]);
+ }
+
+ for (int j = 0; j < PSA_MAX_IOVEC; j++) {
+ INFO("Outvec %d: %lu", j, sizes->outvec_sizes[j]);
+ }
+}
+
+int find_connection(uint32_t client)
+{
+ for (int i = 1; i < MAX_CLIENTS; i++) {
+ if (client == connections[i].client) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+void destroy_connection(uint32_t client)
+{
+ int idx = find_connection(client);
+ if (idx >= 0) {
+ connections[idx].client = 0;
+ connections[idx].rhandle = 0;
+ INFO("Destroying connection");
+ } else {
+ ERROR("Couldn't destroy connection for %u", client);
+ }
+}
+
+int find_free_connection()
+{
+ INFO("Allocating connection");
+ return find_connection(0);
+}
+
+static void reply(psa_handle_t msg_handle, psa_status_t status)
+{
+ pending_message[msg_handle] = 1;
+ psa_reply(msg_handle, status);
+ pending_message[msg_handle] = 0;
+}
+
+psa_signal_t psa_wait(psa_signal_t signal_mask, uint32_t timeout)
+{
+ psa_signal_t mask;
+ struct message msg;
+ vector_sizes_t sizes;
+ struct msqid_ds qinfo;
+ uint32_t requested_version;
+ ssize_t len;
+ int idx;
+
+ if (timeout == PSA_POLL) {
+ INFO("psa_wait: Called in polling mode");
+ }
+
+ do {
+ mask = signal_mask;
+
+ /* Check the status of each queue */
+ for (int i = 0; i < 32; i++) {
+ if (mask & 0x1) {
+ if (i < 3) {
+ // do nothing (reserved)
+ } else if (i == 3) {
+ // this must be psa doorbell
+ } else {
+ /* Check if this signal corresponds to a queue */
+ if (rot_svc_incoming_queue[i] >= 0 && (pending_message[i] == 0)) {
+
+ /* AFAIK there is no "peek" method in SysV, so try to get a message */
+ len = msgrcv(rot_svc_incoming_queue[i],
+ &msg,
+ sizeof(struct message_text),
+ 0,
+ IPC_NOWAIT);
+ if (len > 0) {
+
+ INFO("Storing that QID in message_client[%d]", i);
+ INFO("The message handle will be %d", i);
+
+ msgctl(rot_svc_incoming_queue[i], IPC_STAT, &qinfo);
+ messages[i].client_id = qinfo.msg_lspid; /* PID of last msgsnd(2) call */
+ message_client[i] = msg.message_text.qid;
+ idx = find_connection(msg.message_text.qid);
+
+ if (msg.message_type & NON_SECURE) {
+ /* This is a non-secure message */
+
+ /* Check if NS client is allowed for this RoT service */
+ if (nsacl[i] <= 0) {
+#if 0
+ INFO(
+ "Rejecting non-secure client due to manifest security policy");
+ reply(i, PSA_ERROR_CONNECTION_REFUSED);
+ continue; /* Skip to next signal */
+#endif
+ }
+
+ msg.message_type &= ~(NON_SECURE); /* clear */
+ messages[i].client_id = messages[i].client_id * -1;
+ }
+
+ INFO("Got a message from client ID %d", messages[i].client_id);
+ INFO("Message type is %lu", msg.message_type);
+ INFO("PSA message type is %d", msg.message_text.psa_type);
+
+ messages[i].handle = i;
+
+ switch (msg.message_text.psa_type) {
+ case PSA_IPC_CONNECT:
+
+ if (len >= 16) {
+ memcpy(&requested_version, msg.message_text.buf,
+ sizeof(requested_version));
+ INFO("Requesting version %u", requested_version);
+ INFO("Implemented version %u", rot_svc_versions[i]);
+ /* TODO: need to check whether the policy is strict,
+ * and if so, then reject the client if the number doesn't match */
+
+ if (requested_version > rot_svc_versions[i]) {
+ INFO(
+ "Rejecting client because requested version that was too high");
+ reply(i, PSA_ERROR_CONNECTION_REFUSED);
+ continue; /* Skip to next signal */
+ }
+
+ if (strict_policy[i] == 1 &&
+ (requested_version != rot_svc_versions[i])) {
+ INFO(
+ "Rejecting client because enforcing a STRICT version policy");
+ reply(i, PSA_ERROR_CONNECTION_REFUSED);
+ continue; /* Skip to next signal */
+ } else {
+ INFO("Not rejecting client");
+ }
+ }
+
+ messages[i].type = PSA_IPC_CONNECT;
+
+ if (idx < 0) {
+ idx = find_free_connection();
+ }
+
+ if (idx >= 0) {
+ connections[idx].client = msg.message_text.qid;
+ } else {
+ /* We've run out of system wide connections */
+ reply(i, PSA_ERROR_CONNECTION_BUSY);
+ ERROR("Ran out of free connections");
+ continue;
+ }
+
+ break;
+ case PSA_IPC_DISCONNECT:
+ messages[i].type = PSA_IPC_DISCONNECT;
+ break;
+ case VERSION_REQUEST:
+ INFO("Got a version request");
+ reply(i, rot_svc_versions[i]);
+ continue; /* Skip to next signal */
+ break;
+
+ default:
+
+ /* PSA CALL */
+ if (msg.message_text.psa_type >= 0) {
+ messages[i].type = msg.message_text.psa_type;
+ memcpy(&sizes, msg.message_text.buf, sizeof(sizes));
+ print_vectors(&sizes);
+ memcpy(&messages[i].in_size, &sizes.invec_sizes,
+ (sizeof(size_t) * PSA_MAX_IOVEC));
+ memcpy(&messages[i].out_size, &sizes.outvec_sizes,
+ (sizeof(size_t) * PSA_MAX_IOVEC));
+ } else {
+ FATAL("UNKNOWN MESSAGE TYPE RECEIVED %li",
+ msg.message_type);
+ }
+ break;
+ }
+ messages[i].handle = i;
+
+ /* Check if the client has a connection */
+ if (idx >= 0) {
+ messages[i].rhandle = connections[idx].rhandle;
+ } else {
+ /* Client is begging for a programmer error */
+ reply(i, PSA_ERROR_PROGRAMMER_ERROR);
+ continue;
+ }
+
+ /* House keeping */
+ pending_message[i] = 1; /* set message as pending */
+ exposed_signals |= (0x1 << i); /* assert the signal */
+ }
+ }
+ }
+ mask = mask >> 1;
+ }
+ }
+
+ if ((timeout == PSA_BLOCK) && (exposed_signals > 0)) {
+ break;
+ } else {
+ /* There is no 'select' function in SysV to block on multiple queues, so busy-wait :( */
+ }
+ } while (timeout == PSA_BLOCK);
+
+ /* Assert signals */
+ return signal_mask & exposed_signals;
+}
+
+static int signal_to_index(psa_signal_t signal)
+{
+ int i;
+ int count = 0;
+ int ret = -1;
+
+ for (i = 0; i < 32; i++) {
+ if (signal & 0x1) {
+ ret = i;
+ count++;
+ }
+ signal = signal >> 1;
+ }
+
+ if (count > 1) {
+ ERROR("ERROR: Too many signals");
+ return -1; /* Too many signals */
+ }
+ return ret;
+}
+
+static void clear_signal(psa_signal_t signal)
+{
+ exposed_signals = exposed_signals & ~signal;
+}
+
+void raise_signal(psa_signal_t signal)
+{
+ exposed_signals |= signal;
+}
+
+psa_status_t psa_get(psa_signal_t signal, psa_msg_t *msg)
+{
+ int index = signal_to_index(signal);
+ if (index < 0) {
+ ERROR("Bad signal");
+ }
+
+ clear_signal(signal);
+
+ assert(messages[index].handle != 0);
+
+ if (pending_message[index] == 1) {
+ INFO("There is a pending message!");
+ memcpy(msg, &messages[index], sizeof(struct psa_msg_t));
+ assert(msg->handle != 0);
+ return PSA_SUCCESS;
+ } else {
+ INFO("no pending message");
+ }
+
+ return PSA_ERROR_DOES_NOT_EXIST;
+}
+
+static inline int is_valid_msg_handle(psa_handle_t h)
+{
+ if (h > 0 && h < MAX_MESSAGES) {
+ return 1;
+ }
+ ERROR("Not a valid message handle");
+ return 0;
+}
+
+static inline int is_call_msg(psa_handle_t h)
+{
+ assert(messages[h].type >= PSA_IPC_CALL);
+ return 1;
+}
+
+void psa_set_rhandle(psa_handle_t msg_handle, void *rhandle)
+{
+ is_valid_msg_handle(msg_handle);
+ int idx = find_connection(message_client[msg_handle]);
+ INFO("Setting rhandle to %p", rhandle);
+ assert(idx >= 0);
+ connections[idx].rhandle = rhandle;
+}
+
+/* Sends a message from the server to the client. Does not wait for a response */
+static void send_msg(psa_handle_t msg_handle,
+ int ctrl_msg,
+ psa_status_t status,
+ size_t amount,
+ const void *data,
+ size_t data_amount)
+{
+ struct message response;
+ int flags = 0;
+
+ assert(ctrl_msg > 0); /* According to System V, it must be greater than 0 */
+
+ response.message_type = ctrl_msg;
+ if (ctrl_msg == PSA_REPLY) {
+ memcpy(response.message_text.buf, &status, sizeof(psa_status_t));
+ } else if (ctrl_msg == READ_REQUEST || ctrl_msg == WRITE_REQUEST || ctrl_msg == SKIP_REQUEST) {
+ memcpy(response.message_text.buf, &status, sizeof(psa_status_t));
+ memcpy(response.message_text.buf+sizeof(size_t), &amount, sizeof(size_t));
+ if (ctrl_msg == WRITE_REQUEST) {
+ /* TODO: Check if too big */
+ memcpy(response.message_text.buf + (sizeof(size_t) * 2), data, data_amount);
+ }
+ }
+
+ /* TODO: sizeof doesn't need to be so big here for small responses */
+ if (msgsnd(message_client[msg_handle], &response, sizeof(response.message_text), flags) == -1) {
+ ERROR("Failed to reply");
+ }
+}
+
+static size_t skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes)
+{
+ if (num_bytes < (messages[msg_handle].in_size[invec_idx] - num_bytes)) {
+ messages[msg_handle].in_size[invec_idx] = messages[msg_handle].in_size[invec_idx] -
+ num_bytes;
+ return num_bytes;
+ } else {
+ if (num_bytes >= messages[msg_handle].in_size[invec_idx]) {
+ size_t ret = messages[msg_handle].in_size[invec_idx];
+ messages[msg_handle].in_size[invec_idx] = 0;
+ return ret;
+ } else {
+ return num_bytes;
+ }
+ }
+}
+
+size_t psa_read(psa_handle_t msg_handle, uint32_t invec_idx,
+ void *buffer, size_t num_bytes)
+{
+ size_t sofar = 0;
+ struct message msg = { 0 };
+ int idx;
+ ssize_t len;
+
+ is_valid_msg_handle(msg_handle);
+ is_call_msg(msg_handle);
+
+ if (invec_idx >= PSA_MAX_IOVEC) {
+ ERROR("Invalid iovec number");
+ }
+
+ /* If user wants more data than what's available, truncate their request */
+ if (num_bytes > messages[msg_handle].in_size[invec_idx]) {
+ num_bytes = messages[msg_handle].in_size[invec_idx];
+ }
+
+ while (sofar < num_bytes) {
+ INFO("Server: requesting %lu bytes from client", (num_bytes - sofar));
+ send_msg(msg_handle, READ_REQUEST, invec_idx, (num_bytes - sofar), NULL, 0);
+
+ idx = find_connection(message_client[msg_handle]);
+ assert(idx >= 0);
+
+ len = msgrcv(connections[idx].client_to_server_q, &msg, sizeof(struct message_text), 0, 0);
+ len = (len - offsetof(struct message_text, buf));
+
+ if (len < 0) {
+ FATAL("Internal error: failed to dispatch read request to the client");
+ }
+
+ if (len > (num_bytes - sofar)) {
+ if ((num_bytes - sofar) > 0) {
+ memcpy(buffer+sofar, msg.message_text.buf, (num_bytes - sofar));
+ }
+ } else {
+ memcpy(buffer + sofar, msg.message_text.buf, len);
+ }
+
+ INFO("Printing what i got so far: %s", msg.message_text.buf);
+
+ sofar = sofar + len;
+ }
+
+ /* Update the seek count */
+ skip(msg_handle, invec_idx, num_bytes);
+ INFO("Finished psa_read");
+ return sofar;
+}
+
+void psa_write(psa_handle_t msg_handle, uint32_t outvec_idx,
+ const void *buffer, size_t num_bytes)
+{
+ size_t sofar = 0;
+ struct message msg = { 0 };
+ int idx;
+ ssize_t len;
+
+ is_valid_msg_handle(msg_handle);
+ is_call_msg(msg_handle);
+
+ if (outvec_idx >= PSA_MAX_IOVEC) {
+ ERROR("Invalid iovec number");
+ }
+
+ if (num_bytes > messages[msg_handle].out_size[outvec_idx]) {
+ ERROR("Program tried to write too much data %lu/%lu", num_bytes,
+ messages[msg_handle].out_size[outvec_idx]);
+ }
+
+ while (sofar < num_bytes) {
+ size_t sending = (num_bytes - sofar);
+ if (sending > (MAX_FRAGMENT_SIZE - (sizeof(size_t) * 2))) {
+ sending = MAX_FRAGMENT_SIZE - (sizeof(size_t) * 2);
+ }
+
+ INFO("Server: sending %lu bytes to client, sofar = %lu", sending, (long) sofar);
+
+ send_msg(msg_handle, WRITE_REQUEST, outvec_idx, sending, buffer + sofar, sending);
+
+ idx = find_connection(message_client[msg_handle]);
+ assert(idx >= 0);
+
+ len = msgrcv(connections[idx].client_to_server_q, &msg, sizeof(struct message_text), 0, 0);
+ if (len < 1) {
+ FATAL("Client didn't give me a full response");
+ }
+ sofar = sofar + sending;
+ }
+
+ /* Update the seek count */
+ messages[msg_handle].out_size[outvec_idx] -= num_bytes;
+}
+
+size_t psa_skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes)
+{
+ is_valid_msg_handle(msg_handle);
+ is_call_msg(msg_handle);
+
+ size_t ret = skip(msg_handle, invec_idx, num_bytes);
+
+ /* notify client to skip */
+ send_msg(msg_handle, SKIP_REQUEST, invec_idx, num_bytes, NULL, 0);
+ return ret;
+}
+
+static void destroy_temporary_queue(int myqid)
+{
+ if (msgctl(myqid, IPC_RMID, NULL) != 0) {
+ INFO("ERROR: Failed to delete msg queue %d", myqid);
+ }
+}
+
+static int make_temporary_queue()
+{
+ int myqid;
+ if ((myqid = msgget(IPC_PRIVATE, 0660)) == -1) {
+ INFO("msgget: myqid");
+ return -1;
+ }
+ return myqid;
+}
+
+/**
+ * Assumes msg_handle is the index into the message array
+ */
+void psa_reply(psa_handle_t msg_handle, psa_status_t status)
+{
+ int idx, q;
+ is_valid_msg_handle(msg_handle);
+
+ if (pending_message[msg_handle] != 1) {
+ ERROR("Not a valid message handle");
+ }
+
+ if (messages[msg_handle].type == PSA_IPC_CONNECT) {
+ switch (status) {
+ case PSA_SUCCESS:
+ idx = find_connection(message_client[msg_handle]);
+ q = make_temporary_queue();
+ if (q > 0 && idx >= 0) {
+ connections[idx].client_to_server_q = q;
+ status = q;
+ } else {
+ FATAL("What happened?");
+ }
+ break;
+ case PSA_ERROR_CONNECTION_REFUSED:
+ destroy_connection(message_client[msg_handle]);
+ break;
+ case PSA_ERROR_CONNECTION_BUSY:
+ destroy_connection(message_client[msg_handle]);
+ break;
+ case PSA_ERROR_PROGRAMMER_ERROR:
+ destroy_connection(message_client[msg_handle]);
+ break;
+ default:
+ ERROR("Not a valid reply %d", status);
+ }
+ } else if (messages[msg_handle].type == PSA_IPC_DISCONNECT) {
+ idx = find_connection(message_client[msg_handle]);
+ if (idx >= 0) {
+ destroy_temporary_queue(connections[idx].client_to_server_q);
+ }
+ destroy_connection(message_client[msg_handle]);
+ }
+
+ send_msg(msg_handle, PSA_REPLY, status, 0, NULL, 0);
+
+ pending_message[msg_handle] = 0;
+ message_client[msg_handle] = 0;
+}
+
+/* TODO: make sure you only clear interrupt signals, and not others */
+void psa_eoi(psa_signal_t signal)
+{
+ int index = signal_to_index(signal);
+ if (index >= 0 && (rot_svc_incoming_queue[index] >= 0)) {
+ clear_signal(signal);
+ } else {
+ ERROR("Tried to EOI a signal that isn't an interrupt");
+ }
+}
+
+void psa_notify(int32_t partition_id)
+{
+ char pathname[PATHNAMESIZE] = { 0 };
+
+ if (partition_id < 0) {
+ ERROR("Not a valid secure partition");
+ }
+
+ snprintf(pathname, PATHNAMESIZE, "/tmp/psa_notify_%u", partition_id);
+ INFO("psa_notify: notifying partition %u using %s",
+ partition_id, pathname);
+ INFO("psa_notify is unimplemented");
+}
+
+void psa_clear(void)
+{
+ clear_signal(PSA_DOORBELL);
+}
+
+void __init_psasim(const char **array,
+ int size,
+ const int allow_ns_clients_array[32],
+ const uint32_t versions[32],
+ const int strict_policy_array[32])
+{
+ static uint8_t library_initialised = 0;
+ key_t key;
+ int qid;
+ FILE *fp;
+ char doorbell_path[PATHNAMESIZE] = { 0 };
+ char queue_path[PATHNAMESIZE];
+ snprintf(doorbell_path, PATHNAMESIZE, TMP_FILE_BASE_PATH "psa_notify_%u", getpid());
+
+ if (library_initialised > 0) {
+ return;
+ } else {
+ library_initialised = 1;
+ }
+
+ if (size != 32) {
+ FATAL("Unsupported value. Aborting.");
+ }
+
+ array[3] = doorbell_path;
+
+ for (int i = 0; i < 32; i++) {
+ if (strncmp(array[i], "", 1) != 0) {
+ INFO("Setting up %s", array[i]);
+ memset(queue_path, 0, sizeof(queue_path));
+ snprintf(queue_path, sizeof(queue_path), "%s%s", TMP_FILE_BASE_PATH, array[i]);
+
+ /* Create file if doesn't exist */
+ fp = fopen(queue_path, "ab+");
+ if (fp) {
+ fclose(fp);
+ }
+
+ if ((key = ftok(queue_path, PROJECT_ID)) == -1) {
+ FATAL("Error finding message queue during initialisation");
+ }
+
+ /* TODO: Investigate. Permissions are likely to be too relaxed */
+ if ((qid = msgget(key, IPC_CREAT | 0660)) == -1) {
+ FATAL("Error opening message queue during initialisation");
+ } else {
+ rot_svc_incoming_queue[i] = qid;
+ }
+ }
+ }
+
+ memcpy(nsacl, allow_ns_clients_array, sizeof(int) * 32);
+ memcpy(strict_policy, strict_policy_array, sizeof(int) * 32);
+ memcpy(rot_svc_versions, versions, sizeof(uint32_t) * 32);
+ memset(&connections, 0, sizeof(struct connection) * MAX_CLIENTS);
+
+ __psa_ff_client_security_state = 0; /* Set the client status to SECURE */
+}
diff --git a/tests/psa-client-server/psasim/src/psa_functions_codes.h b/tests/psa-client-server/psasim/src/psa_functions_codes.h
new file mode 100644
index 0000000..bc1b844
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_functions_codes.h
@@ -0,0 +1,93 @@
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef _PSA_FUNCTIONS_CODES_H_
+#define _PSA_FUNCTIONS_CODES_H_
+
+enum {
+ /* Start here to avoid overlap with PSA_IPC_CONNECT, PSA_IPC_DISCONNECT
+ * and VERSION_REQUEST */
+ PSA_CRYPTO_INIT = 100,
+ PSA_AEAD_ABORT,
+ PSA_AEAD_DECRYPT,
+ PSA_AEAD_DECRYPT_SETUP,
+ PSA_AEAD_ENCRYPT,
+ PSA_AEAD_ENCRYPT_SETUP,
+ PSA_AEAD_FINISH,
+ PSA_AEAD_GENERATE_NONCE,
+ PSA_AEAD_SET_LENGTHS,
+ PSA_AEAD_SET_NONCE,
+ PSA_AEAD_UPDATE,
+ PSA_AEAD_UPDATE_AD,
+ PSA_AEAD_VERIFY,
+ PSA_ASYMMETRIC_DECRYPT,
+ PSA_ASYMMETRIC_ENCRYPT,
+ PSA_CIPHER_ABORT,
+ PSA_CIPHER_DECRYPT,
+ PSA_CIPHER_DECRYPT_SETUP,
+ PSA_CIPHER_ENCRYPT,
+ PSA_CIPHER_ENCRYPT_SETUP,
+ PSA_CIPHER_FINISH,
+ PSA_CIPHER_GENERATE_IV,
+ PSA_CIPHER_SET_IV,
+ PSA_CIPHER_UPDATE,
+ PSA_COPY_KEY,
+ PSA_DESTROY_KEY,
+ PSA_EXPORT_KEY,
+ PSA_EXPORT_PUBLIC_KEY,
+ PSA_GENERATE_KEY,
+ PSA_GENERATE_KEY_EXT,
+ PSA_GENERATE_RANDOM,
+ PSA_GET_KEY_ATTRIBUTES,
+ PSA_HASH_ABORT,
+ PSA_HASH_CLONE,
+ PSA_HASH_COMPARE,
+ PSA_HASH_COMPUTE,
+ PSA_HASH_FINISH,
+ PSA_HASH_SETUP,
+ PSA_HASH_UPDATE,
+ PSA_HASH_VERIFY,
+ PSA_IMPORT_KEY,
+ PSA_INTERRUPTIBLE_GET_MAX_OPS,
+ PSA_INTERRUPTIBLE_SET_MAX_OPS,
+ PSA_KEY_DERIVATION_ABORT,
+ PSA_KEY_DERIVATION_GET_CAPACITY,
+ PSA_KEY_DERIVATION_INPUT_BYTES,
+ PSA_KEY_DERIVATION_INPUT_INTEGER,
+ PSA_KEY_DERIVATION_INPUT_KEY,
+ PSA_KEY_DERIVATION_KEY_AGREEMENT,
+ PSA_KEY_DERIVATION_OUTPUT_BYTES,
+ PSA_KEY_DERIVATION_OUTPUT_KEY,
+ PSA_KEY_DERIVATION_OUTPUT_KEY_EXT,
+ PSA_KEY_DERIVATION_SET_CAPACITY,
+ PSA_KEY_DERIVATION_SETUP,
+ PSA_MAC_ABORT,
+ PSA_MAC_COMPUTE,
+ PSA_MAC_SIGN_FINISH,
+ PSA_MAC_SIGN_SETUP,
+ PSA_MAC_UPDATE,
+ PSA_MAC_VERIFY,
+ PSA_MAC_VERIFY_FINISH,
+ PSA_MAC_VERIFY_SETUP,
+ PSA_PURGE_KEY,
+ PSA_RAW_KEY_AGREEMENT,
+ PSA_RESET_KEY_ATTRIBUTES,
+ PSA_SIGN_HASH,
+ PSA_SIGN_HASH_ABORT,
+ PSA_SIGN_HASH_COMPLETE,
+ PSA_SIGN_HASH_GET_NUM_OPS,
+ PSA_SIGN_HASH_START,
+ PSA_SIGN_MESSAGE,
+ PSA_VERIFY_HASH,
+ PSA_VERIFY_HASH_ABORT,
+ PSA_VERIFY_HASH_COMPLETE,
+ PSA_VERIFY_HASH_GET_NUM_OPS,
+ PSA_VERIFY_HASH_START,
+ PSA_VERIFY_MESSAGE,
+};
+
+#endif /* _PSA_FUNCTIONS_CODES_H_ */
diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c
new file mode 100644
index 0000000..4200f6c
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c
@@ -0,0 +1,6778 @@
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/* client calls */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+
+/* Includes from psasim */
+#include <client.h>
+#include <util.h>
+#include "psa_manifest/sid.h"
+#include "psa_functions_codes.h"
+#include "psa_sim_serialise.h"
+
+/* Includes from mbedtls */
+#include "mbedtls/version.h"
+#include "psa/crypto.h"
+
+#define CLIENT_PRINT(fmt, ...) \
+ INFO("Client: " fmt, ##__VA_ARGS__)
+
+static psa_handle_t handle = -1;
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#error "Error: MBEDTLS_PSA_CRYPTO_C must be disabled on client build"
+#endif
+
+int psa_crypto_call(int function,
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ // psa_outvec outvecs[1];
+ if (handle < 0) {
+ fprintf(stderr, "NOT CONNECTED\n");
+ exit(1);
+ }
+
+ psa_invec invec;
+ invec.base = in_params;
+ invec.len = in_params_len;
+
+ size_t max_receive = 24576;
+ uint8_t *receive = malloc(max_receive);
+ if (receive == NULL) {
+ fprintf(stderr, "FAILED to allocate %u bytes\n", (unsigned) max_receive);
+ exit(1);
+ }
+
+ size_t actual_received = 0;
+
+ psa_outvec outvecs[2];
+ outvecs[0].base = &actual_received;
+ outvecs[0].len = sizeof(actual_received);
+ outvecs[1].base = receive;
+ outvecs[1].len = max_receive;
+
+ psa_status_t status = psa_call(handle, function, &invec, 1, outvecs, 2);
+ if (status != PSA_SUCCESS) {
+ free(receive);
+ return 0;
+ }
+
+ *out_params = receive;
+ *out_params_len = actual_received;
+
+ return 1; // success
+}
+
+psa_status_t psa_crypto_init(void)
+{
+ char mbedtls_version[18];
+ uint8_t *result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_version_get_string_full(mbedtls_version);
+ CLIENT_PRINT("%s", mbedtls_version);
+
+ CLIENT_PRINT("My PID: %d", getpid());
+
+ CLIENT_PRINT("PSA version: %u", psa_version(PSA_SID_CRYPTO_SID));
+ handle = psa_connect(PSA_SID_CRYPTO_SID, 1);
+
+ if (handle < 0) {
+ CLIENT_PRINT("Couldn't connect %d", handle);
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+
+ int ok = psa_crypto_call(PSA_CRYPTO_INIT, NULL, 0, &result, &result_length);
+ CLIENT_PRINT("PSA_CRYPTO_INIT returned: %d", ok);
+
+ if (!ok) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(&rpos, &rremain, &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(result);
+
+ return status;
+}
+
+void mbedtls_psa_crypto_free(void)
+{
+ /* Do not try to close a connection that was never started.*/
+ if (handle == -1) {
+ return;
+ }
+
+ CLIENT_PRINT("Closing handle");
+ psa_close(handle);
+ handle = -1;
+}
+
+
+psa_status_t psa_aead_abort(
+ psa_aead_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_decrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size,
+ size_t *plaintext_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(nonce, nonce_length) +
+ psasim_serialise_buffer_needs(additional_data, additional_data_length) +
+ psasim_serialise_buffer_needs(ciphertext, ciphertext_length) +
+ psasim_serialise_buffer_needs(plaintext, plaintext_size) +
+ psasim_serialise_size_t_needs(*plaintext_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ nonce, nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ additional_data, additional_data_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ ciphertext, ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_DECRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_DECRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_decrypt_setup(
+ psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_DECRYPT_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_DECRYPT_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_encrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size,
+ size_t *ciphertext_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(nonce, nonce_length) +
+ psasim_serialise_buffer_needs(additional_data, additional_data_length) +
+ psasim_serialise_buffer_needs(plaintext, plaintext_length) +
+ psasim_serialise_buffer_needs(ciphertext, ciphertext_size) +
+ psasim_serialise_size_t_needs(*ciphertext_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ nonce, nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ additional_data, additional_data_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ plaintext, plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_ENCRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_ENCRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_encrypt_setup(
+ psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_ENCRYPT_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_ENCRYPT_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_finish(
+ psa_aead_operation_t *operation,
+ uint8_t *ciphertext, size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag, size_t tag_size,
+ size_t *tag_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(ciphertext, ciphertext_size) +
+ psasim_serialise_size_t_needs(*ciphertext_length) +
+ psasim_serialise_buffer_needs(tag, tag_size) +
+ psasim_serialise_size_t_needs(*tag_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ tag, tag_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_FINISH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_FINISH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ tag, tag_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_generate_nonce(
+ psa_aead_operation_t *operation,
+ uint8_t *nonce, size_t nonce_size,
+ size_t *nonce_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(nonce, nonce_size) +
+ psasim_serialise_size_t_needs(*nonce_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ nonce, nonce_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_GENERATE_NONCE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_GENERATE_NONCE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ nonce, nonce_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_set_lengths(
+ psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_size_t_needs(ad_length) +
+ psasim_serialise_size_t_needs(plaintext_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ ad_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_SET_LENGTHS,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_SET_LENGTHS server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_set_nonce(
+ psa_aead_operation_t *operation,
+ const uint8_t *nonce, size_t nonce_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(nonce, nonce_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ nonce, nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_SET_NONCE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_SET_NONCE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_update(
+ psa_aead_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_UPDATE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_UPDATE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_update_ad(
+ psa_aead_operation_t *operation,
+ const uint8_t *input, size_t input_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(input, input_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_UPDATE_AD,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_UPDATE_AD server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_aead_verify(
+ psa_aead_operation_t *operation,
+ uint8_t *plaintext, size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag, size_t tag_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_aead_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(plaintext, plaintext_size) +
+ psasim_serialise_size_t_needs(*plaintext_length) +
+ psasim_serialise_buffer_needs(tag, tag_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_aead_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ tag, tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_AEAD_VERIFY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_AEAD_VERIFY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_asymmetric_decrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ const uint8_t *salt, size_t salt_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(salt, salt_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ salt, salt_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_ASYMMETRIC_DECRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_ASYMMETRIC_DECRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_asymmetric_encrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ const uint8_t *salt, size_t salt_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(salt, salt_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ salt, salt_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_ASYMMETRIC_ENCRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_ASYMMETRIC_ENCRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_abort(
+ psa_cipher_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_decrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_DECRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_DECRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_decrypt_setup(
+ psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_DECRYPT_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_DECRYPT_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_encrypt(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_ENCRYPT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_ENCRYPT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_encrypt_setup(
+ psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_ENCRYPT_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_ENCRYPT_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_finish(
+ psa_cipher_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_FINISH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_FINISH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_generate_iv(
+ psa_cipher_operation_t *operation,
+ uint8_t *iv, size_t iv_size,
+ size_t *iv_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(iv, iv_size) +
+ psasim_serialise_size_t_needs(*iv_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ iv, iv_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_GENERATE_IV,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_GENERATE_IV server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ iv, iv_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_set_iv(
+ psa_cipher_operation_t *operation,
+ const uint8_t *iv, size_t iv_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(iv, iv_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ iv, iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_SET_IV,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_SET_IV server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_cipher_update(
+ psa_cipher_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_cipher_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_CIPHER_UPDATE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_CIPHER_UPDATE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_copy_key(
+ mbedtls_svc_key_id_t source_key,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *target_key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(source_key) +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*target_key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ source_key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *target_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_COPY_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_COPY_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ target_key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_destroy_key(
+ mbedtls_svc_key_id_t key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_DESTROY_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_DESTROY_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_export_key(
+ mbedtls_svc_key_id_t key,
+ uint8_t *data, size_t data_size,
+ size_t *data_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_buffer_needs(data, data_size) +
+ psasim_serialise_size_t_needs(*data_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_EXPORT_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_EXPORT_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_export_public_key(
+ mbedtls_svc_key_id_t key,
+ uint8_t *data, size_t data_size,
+ size_t *data_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_buffer_needs(data, data_size) +
+ psasim_serialise_size_t_needs(*data_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_EXPORT_PUBLIC_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_EXPORT_PUBLIC_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_generate_key(
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_GENERATE_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_GENERATE_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_generate_key_ext(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ mbedtls_svc_key_id_t *key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_psa_key_production_parameters_t_needs(params, params_data_length) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_production_parameters_t(
+ &pos, &remaining,
+ params, params_data_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_GENERATE_KEY_EXT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_GENERATE_KEY_EXT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_generate_random(
+ uint8_t *output, size_t output_size
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_buffer_needs(output, output_size);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_GENERATE_RANDOM,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_GENERATE_RANDOM server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_get_key_attributes(
+ mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_GET_KEY_ATTRIBUTES,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_GET_KEY_ATTRIBUTES server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &rpos, &rremain,
+ attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_abort(
+ psa_hash_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_clone(
+ const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*source_operation) +
+ psasim_serialise_psa_hash_operation_t_needs(*target_operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *source_operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *target_operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_CLONE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_CLONE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ target_operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_compare(
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ const uint8_t *hash, size_t hash_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(hash, hash_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_COMPARE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_COMPARE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ uint8_t *hash, size_t hash_size,
+ size_t *hash_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(hash, hash_size) +
+ psasim_serialise_size_t_needs(*hash_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_COMPUTE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_COMPUTE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_finish(
+ psa_hash_operation_t *operation,
+ uint8_t *hash, size_t hash_size,
+ size_t *hash_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(hash, hash_size) +
+ psasim_serialise_size_t_needs(*hash_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_FINISH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_FINISH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_setup(
+ psa_hash_operation_t *operation,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*operation) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_update(
+ psa_hash_operation_t *operation,
+ const uint8_t *input, size_t input_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(input, input_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_UPDATE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_UPDATE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_hash_verify(
+ psa_hash_operation_t *operation,
+ const uint8_t *hash, size_t hash_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_hash_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(hash, hash_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_hash_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_HASH_VERIFY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_HASH_VERIFY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ mbedtls_svc_key_id_t *key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_buffer_needs(data, data_length) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ data, data_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_IMPORT_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_IMPORT_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+uint32_t psa_interruptible_get_max_ops(
+ void
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ uint32_t value = 0;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ 0;
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ value = 0;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_INTERRUPTIBLE_GET_MAX_OPS,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_INTERRUPTIBLE_GET_MAX_OPS server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_uint32_t(
+ &rpos, &rremain,
+ &value);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return value;
+}
+
+
+void psa_interruptible_set_max_ops(
+ uint32_t max_ops
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_uint32_t_needs(max_ops);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_uint32_t(
+ &pos, &remaining,
+ max_ops);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_INTERRUPTIBLE_SET_MAX_OPS,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_INTERRUPTIBLE_SET_MAX_OPS server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+}
+
+
+psa_status_t psa_key_derivation_abort(
+ psa_key_derivation_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *operation,
+ size_t *capacity
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_size_t_needs(*capacity);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_GET_CAPACITY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_GET_CAPACITY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data, size_t data_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_key_derivation_step_t_needs(step) +
+ psasim_serialise_buffer_needs(data, data_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ step);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ data, data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_INPUT_BYTES,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_INPUT_BYTES server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_key_derivation_step_t_needs(step) +
+ psasim_serialise_uint64_t_needs(value);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ step);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_uint64_t(
+ &pos, &remaining,
+ value);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_INPUT_INTEGER,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_INPUT_INTEGER server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_key_derivation_step_t_needs(step) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ step);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_INPUT_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_INPUT_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key, size_t peer_key_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_key_derivation_step_t_needs(step) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(private_key) +
+ psasim_serialise_buffer_needs(peer_key, peer_key_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ step);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ private_key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ peer_key, peer_key_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_KEY_AGREEMENT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_KEY_AGREEMENT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output, size_t output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(output, output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_OUTPUT_BYTES,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_OUTPUT_BYTES server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ mbedtls_svc_key_id_t *key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_OUTPUT_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_OUTPUT_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ mbedtls_svc_key_id_t *key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes) +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_key_production_parameters_t_needs(params, params_data_length) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(*key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_production_parameters_t(
+ &pos, &remaining,
+ params, params_data_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ *key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_OUTPUT_KEY_EXT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_OUTPUT_KEY_EXT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *operation,
+ size_t capacity
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_size_t_needs(capacity);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_SET_CAPACITY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_SET_CAPACITY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_key_derivation_setup(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_derivation_operation_t_needs(*operation) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_KEY_DERIVATION_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_KEY_DERIVATION_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_abort(
+ psa_mac_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_compute(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ uint8_t *mac, size_t mac_size,
+ size_t *mac_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(mac, mac_size) +
+ psasim_serialise_size_t_needs(*mac_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_COMPUTE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_COMPUTE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_sign_finish(
+ psa_mac_operation_t *operation,
+ uint8_t *mac, size_t mac_size,
+ size_t *mac_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(mac, mac_size) +
+ psasim_serialise_size_t_needs(*mac_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_SIGN_FINISH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_SIGN_FINISH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_sign_setup(
+ psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_SIGN_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_SIGN_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_update(
+ psa_mac_operation_t *operation,
+ const uint8_t *input, size_t input_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(input, input_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_UPDATE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_UPDATE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_verify(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ const uint8_t *mac, size_t mac_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(mac, mac_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ mac, mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_VERIFY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_VERIFY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_verify_finish(
+ psa_mac_operation_t *operation,
+ const uint8_t *mac, size_t mac_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(mac, mac_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ mac, mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_VERIFY_FINISH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_VERIFY_FINISH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_mac_verify_setup(
+ psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_mac_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_mac_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_MAC_VERIFY_SETUP,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_MAC_VERIFY_SETUP server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_purge_key(
+ mbedtls_svc_key_id_t key
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_PURGE_KEY,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_PURGE_KEY server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_raw_key_agreement(
+ psa_algorithm_t alg,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key, size_t peer_key_length,
+ uint8_t *output, size_t output_size,
+ size_t *output_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(private_key) +
+ psasim_serialise_buffer_needs(peer_key, peer_key_length) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(*output_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ private_key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ peer_key, peer_key_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_RAW_KEY_AGREEMENT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_RAW_KEY_AGREEMENT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+void psa_reset_key_attributes(
+ psa_key_attributes_t *attributes
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(*attributes);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_key_attributes_t(
+ &pos, &remaining,
+ *attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_RESET_KEY_ATTRIBUTES,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_RESET_KEY_ATTRIBUTES server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &rpos, &rremain,
+ attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+}
+
+
+psa_status_t psa_sign_hash(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(hash, hash_length) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(*signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_HASH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_HASH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_HASH_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_HASH_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(*operation) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(*signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_HASH_COMPLETE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_HASH_COMPLETE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ uint32_t value = 0;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ value = 0;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_HASH_GET_NUM_OPS,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_HASH_GET_NUM_OPS server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_uint32_t(
+ &rpos, &rremain,
+ &value);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return value;
+}
+
+
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(hash, hash_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_HASH_START,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_HASH_START server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_sign_message(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(*signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_size_t(
+ &pos, &remaining,
+ *signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_SIGN_MESSAGE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_SIGN_MESSAGE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_verify_hash(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(hash, hash_length) +
+ psasim_serialise_buffer_needs(signature, signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_HASH,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_HASH server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_HASH_ABORT,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_HASH_ABORT server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_HASH_COMPLETE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_HASH_COMPLETE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ uint32_t value = 0;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(*operation);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ value = 0;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_HASH_GET_NUM_OPS,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_HASH_GET_NUM_OPS server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_uint32_t(
+ &rpos, &rremain,
+ &value);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return value;
+}
+
+
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(*operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(hash, hash_length) +
+ psasim_serialise_buffer_needs(signature, signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ *operation);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ hash, hash_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_HASH_START,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_HASH_START server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
+
+
+psa_status_t psa_verify_message(
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+ const uint8_t *signature, size_t signature_length
+ )
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key) +
+ psasim_serialise_psa_algorithm_t_needs(alg) +
+ psasim_serialise_buffer_needs(input, input_length) +
+ psasim_serialise_buffer_needs(signature, signature_length);
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_psa_algorithm_t(
+ &pos, &remaining,
+ alg);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ input, input_length);
+ if (!ok) {
+ goto fail;
+ }
+ ok = psasim_serialise_buffer(
+ &pos, &remaining,
+ signature, signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psa_crypto_call(PSA_VERIFY_MESSAGE,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("PSA_VERIFY_MESSAGE server call failed\n");
+ goto fail;
+ }
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(
+ &rpos, &rremain,
+ &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(ser_params);
+ free(ser_result);
+
+ return status;
+}
diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c
new file mode 100644
index 0000000..cab32c4
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c
@@ -0,0 +1,7933 @@
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/* server implementations */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <psa/crypto.h>
+
+#include "psa_functions_codes.h"
+#include "psa_sim_serialise.h"
+
+#include "service.h"
+
+#if !defined(MBEDTLS_PSA_CRYPTO_C)
+#error "Error: MBEDTLS_PSA_CRYPTO_C must be enabled on server build"
+#endif
+
+// Returns 1 for success, 0 for failure
+int psa_crypto_init_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ uint8_t *result = NULL;
+ int ok;
+
+ // Now we call the actual target function
+
+ status = psa_crypto_init(
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_decrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *nonce = NULL;
+ size_t nonce_length;
+ uint8_t *additional_data = NULL;
+ size_t additional_data_length;
+ uint8_t *ciphertext = NULL;
+ size_t ciphertext_length;
+ uint8_t *plaintext = NULL;
+ size_t plaintext_size;
+ size_t plaintext_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &nonce, &nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &additional_data, &additional_data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &ciphertext, &ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &plaintext, &plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_decrypt(
+ key,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size,
+ &plaintext_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(plaintext, plaintext_size) +
+ psasim_serialise_size_t_needs(plaintext_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(nonce);
+ free(additional_data);
+ free(ciphertext);
+ free(plaintext);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(nonce);
+ free(additional_data);
+ free(ciphertext);
+ free(plaintext);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_decrypt_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_decrypt_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_encrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *nonce = NULL;
+ size_t nonce_length;
+ uint8_t *additional_data = NULL;
+ size_t additional_data_length;
+ uint8_t *plaintext = NULL;
+ size_t plaintext_length;
+ uint8_t *ciphertext = NULL;
+ size_t ciphertext_size;
+ size_t ciphertext_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &nonce, &nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &additional_data, &additional_data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &plaintext, &plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &ciphertext, &ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_encrypt(
+ key,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size,
+ &ciphertext_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(ciphertext, ciphertext_size) +
+ psasim_serialise_size_t_needs(ciphertext_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(nonce);
+ free(additional_data);
+ free(plaintext);
+ free(ciphertext);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(nonce);
+ free(additional_data);
+ free(plaintext);
+ free(ciphertext);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_encrypt_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_encrypt_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_finish_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *ciphertext = NULL;
+ size_t ciphertext_size;
+ size_t ciphertext_length;
+ uint8_t *tag = NULL;
+ size_t tag_size;
+ size_t tag_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &ciphertext, &ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &tag, &tag_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_finish(
+ operation,
+ ciphertext, ciphertext_size,
+ &ciphertext_length,
+ tag, tag_size,
+ &tag_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(ciphertext, ciphertext_size) +
+ psasim_serialise_size_t_needs(ciphertext_length) +
+ psasim_serialise_buffer_needs(tag, tag_size) +
+ psasim_serialise_size_t_needs(tag_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ ciphertext, ciphertext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ ciphertext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ tag, tag_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(ciphertext);
+ free(tag);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(ciphertext);
+ free(tag);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_generate_nonce_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *nonce = NULL;
+ size_t nonce_size;
+ size_t nonce_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &nonce, &nonce_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_generate_nonce(
+ operation,
+ nonce, nonce_size,
+ &nonce_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(nonce, nonce_size) +
+ psasim_serialise_size_t_needs(nonce_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ nonce, nonce_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(nonce);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(nonce);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_set_lengths_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ size_t ad_length;
+ size_t plaintext_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &ad_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_set_lengths(
+ operation,
+ ad_length,
+ plaintext_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_set_nonce_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *nonce = NULL;
+ size_t nonce_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &nonce, &nonce_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_set_nonce(
+ operation,
+ nonce, nonce_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(nonce);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(nonce);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_update_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_update(
+ operation,
+ input, input_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_update_ad_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *input = NULL;
+ size_t input_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_update_ad(
+ operation,
+ input, input_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_aead_verify_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_aead_operation_t *operation;
+ uint8_t *plaintext = NULL;
+ size_t plaintext_size;
+ size_t plaintext_length;
+ uint8_t *tag = NULL;
+ size_t tag_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_aead_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &plaintext, &plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &tag, &tag_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_aead_verify(
+ operation,
+ plaintext, plaintext_size,
+ &plaintext_length,
+ tag, tag_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_aead_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(plaintext, plaintext_size) +
+ psasim_serialise_size_t_needs(plaintext_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_aead_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ plaintext, plaintext_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ plaintext_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(plaintext);
+ free(tag);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(plaintext);
+ free(tag);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_asymmetric_decrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *salt = NULL;
+ size_t salt_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &salt, &salt_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_asymmetric_decrypt(
+ key,
+ alg,
+ input, input_length,
+ salt, salt_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(salt);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(salt);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_asymmetric_encrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *salt = NULL;
+ size_t salt_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &salt, &salt_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_asymmetric_encrypt(
+ key,
+ alg,
+ input, input_length,
+ salt, salt_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(salt);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(salt);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_decrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_decrypt(
+ key,
+ alg,
+ input, input_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_decrypt_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_decrypt_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_encrypt_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_encrypt(
+ key,
+ alg,
+ input, input_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_encrypt_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_encrypt_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_finish_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_finish(
+ operation,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_generate_iv_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ uint8_t *iv = NULL;
+ size_t iv_size;
+ size_t iv_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &iv, &iv_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_generate_iv(
+ operation,
+ iv, iv_size,
+ &iv_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(iv, iv_size) +
+ psasim_serialise_size_t_needs(iv_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ iv, iv_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(iv);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(iv);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_set_iv_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ uint8_t *iv = NULL;
+ size_t iv_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &iv, &iv_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_set_iv(
+ operation,
+ iv, iv_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(iv);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(iv);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_cipher_update_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_cipher_operation_t *operation;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_cipher_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_cipher_update(
+ operation,
+ input, input_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_cipher_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_cipher_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_copy_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t source_key;
+ psa_key_attributes_t attributes;
+ mbedtls_svc_key_id_t target_key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &source_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &target_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_copy_key(
+ source_key,
+ &attributes,
+ &target_key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(target_key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ target_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_destroy_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_destroy_key(
+ key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_export_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ uint8_t *data = NULL;
+ size_t data_size;
+ size_t data_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &data, &data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_export_key(
+ key,
+ data, data_size,
+ &data_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(data, data_size) +
+ psasim_serialise_size_t_needs(data_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(data);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(data);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_export_public_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ uint8_t *data = NULL;
+ size_t data_size;
+ size_t data_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &data, &data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_export_public_key(
+ key,
+ data, data_size,
+ &data_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(data, data_size) +
+ psasim_serialise_size_t_needs(data_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ data, data_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(data);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(data);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_generate_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_generate_key(
+ &attributes,
+ &key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_generate_key_ext_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes;
+ psa_key_production_parameters_t *params = NULL;
+ size_t params_data_length;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_production_parameters_t(
+ &pos, &remaining,
+ &params, &params_data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_generate_key_ext(
+ &attributes,
+ params, params_data_length,
+ &key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(params);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(params);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_generate_random_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t *output = NULL;
+ size_t output_size;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_generate_random(
+ output, output_size
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_get_key_attributes_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_key_attributes_t attributes;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_get_key_attributes(
+ key,
+ &attributes
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_psa_key_attributes_t_needs(attributes);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_key_attributes_t(
+ &rpos, &rremain,
+ attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_clone_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *source_operation;
+ psa_hash_operation_t *target_operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &source_operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &target_operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_clone(
+ source_operation,
+ target_operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(target_operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ target_operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_compare_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_compare(
+ alg,
+ input, input_length,
+ hash, hash_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(hash);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(hash);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_compute_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *hash = NULL;
+ size_t hash_size;
+ size_t hash_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_compute(
+ alg,
+ input, input_length,
+ hash, hash_size,
+ &hash_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(hash, hash_size) +
+ psasim_serialise_size_t_needs(hash_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(hash);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(hash);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_finish_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *operation;
+ uint8_t *hash = NULL;
+ size_t hash_size;
+ size_t hash_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_finish(
+ operation,
+ hash, hash_size,
+ &hash_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(hash, hash_size) +
+ psasim_serialise_size_t_needs(hash_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ hash, hash_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *operation;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_setup(
+ operation,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_update_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *operation;
+ uint8_t *input = NULL;
+ size_t input_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_update(
+ operation,
+ input, input_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_hash_verify_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *operation;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_hash_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_hash_verify(
+ operation,
+ hash, hash_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_hash_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_hash_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_import_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes;
+ uint8_t *data = NULL;
+ size_t data_length;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &data, &data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_import_key(
+ &attributes,
+ data, data_length,
+ &key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(data);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(data);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_interruptible_get_max_ops_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ uint32_t value = 0;
+
+ uint8_t *result = NULL;
+ int ok;
+
+ // Now we call the actual target function
+
+ value = psa_interruptible_get_max_ops(
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_uint32_t_needs(value);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_uint32_t(
+ &rpos, &rremain,
+ value);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_interruptible_set_max_ops_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ uint32_t max_ops;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_uint32_t(
+ &pos, &remaining,
+ &max_ops);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ psa_interruptible_set_max_ops(
+ max_ops
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs();
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_get_capacity_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ size_t capacity;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_get_capacity(
+ operation,
+ &capacity
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_size_t_needs(capacity);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_input_bytes_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ psa_key_derivation_step_t step;
+ uint8_t *data = NULL;
+ size_t data_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ &step);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &data, &data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_input_bytes(
+ operation,
+ step,
+ data, data_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(data);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(data);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_input_integer_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ psa_key_derivation_step_t step;
+ uint64_t value;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ &step);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_uint64_t(
+ &pos, &remaining,
+ &value);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_input_integer(
+ operation,
+ step,
+ value
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_input_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ psa_key_derivation_step_t step;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ &step);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_input_key(
+ operation,
+ step,
+ key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_key_agreement_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ psa_key_derivation_step_t step;
+ mbedtls_svc_key_id_t private_key;
+ uint8_t *peer_key = NULL;
+ size_t peer_key_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_derivation_step_t(
+ &pos, &remaining,
+ &step);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &private_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &peer_key, &peer_key_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_key_agreement(
+ operation,
+ step,
+ private_key,
+ peer_key, peer_key_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(peer_key);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(peer_key);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_output_bytes_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ uint8_t *output = NULL;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_output_bytes(
+ operation,
+ output, output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(output, output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_output_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes;
+ psa_key_derivation_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_output_key(
+ &attributes,
+ operation,
+ &key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_output_key_ext_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes;
+ psa_key_derivation_operation_t *operation;
+ psa_key_production_parameters_t *params = NULL;
+ size_t params_data_length;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_production_parameters_t(
+ &pos, &remaining,
+ &params, &params_data_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_output_key_ext(
+ &attributes,
+ operation,
+ params, params_data_length,
+ &key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation) +
+ psasim_serialise_mbedtls_svc_key_id_t_needs(key);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_mbedtls_svc_key_id_t(
+ &rpos, &rremain,
+ key);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(params);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(params);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_set_capacity_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ size_t capacity;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &capacity);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_set_capacity(
+ operation,
+ capacity
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_key_derivation_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t *operation;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_key_derivation_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_key_derivation_setup(
+ operation,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_key_derivation_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_key_derivation_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_compute_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *mac = NULL;
+ size_t mac_size;
+ size_t mac_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &mac, &mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_compute(
+ key,
+ alg,
+ input, input_length,
+ mac, mac_size,
+ &mac_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(mac, mac_size) +
+ psasim_serialise_size_t_needs(mac_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(mac);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(mac);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_sign_finish_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+ uint8_t *mac = NULL;
+ size_t mac_size;
+ size_t mac_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &mac, &mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_sign_finish(
+ operation,
+ mac, mac_size,
+ &mac_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(mac, mac_size) +
+ psasim_serialise_size_t_needs(mac_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ mac, mac_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(mac);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(mac);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_sign_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_sign_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_update_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+ uint8_t *input = NULL;
+ size_t input_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_update(
+ operation,
+ input, input_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_verify_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *mac = NULL;
+ size_t mac_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &mac, &mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_verify(
+ key,
+ alg,
+ input, input_length,
+ mac, mac_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(mac);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(mac);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_verify_finish_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+ uint8_t *mac = NULL;
+ size_t mac_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &mac, &mac_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_verify_finish(
+ operation,
+ mac, mac_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(mac);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(mac);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_mac_verify_setup_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_mac_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_mac_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_mac_verify_setup(
+ operation,
+ key,
+ alg
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_mac_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_mac_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_purge_key_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_purge_key(
+ key
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_raw_key_agreement_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t alg;
+ mbedtls_svc_key_id_t private_key;
+ uint8_t *peer_key = NULL;
+ size_t peer_key_length;
+ uint8_t *output = NULL;
+ size_t output_size;
+ size_t output_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &private_key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &peer_key, &peer_key_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &output, &output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_raw_key_agreement(
+ alg,
+ private_key,
+ peer_key, peer_key_length,
+ output, output_size,
+ &output_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(output, output_size) +
+ psasim_serialise_size_t_needs(output_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ output, output_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ output_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(peer_key);
+ free(output);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(peer_key);
+ free(output);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_reset_key_attributes_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_key_attributes_t attributes;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_key_attributes_t(
+ &pos, &remaining,
+ &attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ psa_reset_key_attributes(
+ &attributes
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_key_attributes_t_needs(attributes);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_key_attributes_t(
+ &rpos, &rremain,
+ attributes);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_hash_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+ uint8_t *signature = NULL;
+ size_t signature_size;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_sign_hash(
+ key,
+ alg,
+ hash, hash_length,
+ signature, signature_size,
+ &signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(signature_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_hash_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_sign_hash_interruptible_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_sign_hash_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_sign_hash_interruptible_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_hash_complete_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_sign_hash_interruptible_operation_t *operation;
+ uint8_t *signature = NULL;
+ size_t signature_size;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_sign_hash_complete(
+ operation,
+ signature, signature_size,
+ &signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_sign_hash_interruptible_operation_t_needs(operation) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(signature_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_hash_get_num_ops_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ uint32_t value = 0;
+ psa_sign_hash_interruptible_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ value = psa_sign_hash_get_num_ops(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_uint32_t_needs(value);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_uint32_t(
+ &rpos, &rremain,
+ value);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_hash_start_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_sign_hash_interruptible_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_sign_hash_start(
+ operation,
+ key,
+ alg,
+ hash, hash_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_sign_hash_interruptible_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_sign_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_sign_message_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *signature = NULL;
+ size_t signature_size;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_size_t(
+ &pos, &remaining,
+ &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_sign_message(
+ key,
+ alg,
+ input, input_length,
+ signature, signature_size,
+ &signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_serialise_buffer_needs(signature, signature_size) +
+ psasim_serialise_size_t_needs(signature_length);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ signature, signature_size);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_size_t(
+ &rpos, &rremain,
+ signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_hash_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+ uint8_t *signature = NULL;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_verify_hash(
+ key,
+ alg,
+ hash, hash_length,
+ signature, signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_hash_abort_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_verify_hash_interruptible_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_verify_hash_abort(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_verify_hash_interruptible_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 1);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_hash_complete_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_verify_hash_interruptible_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_verify_hash_complete(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_verify_hash_interruptible_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_hash_get_num_ops_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ uint32_t value = 0;
+ psa_verify_hash_interruptible_operation_t *operation;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ value = psa_verify_hash_get_num_ops(
+ operation
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_uint32_t_needs(value);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_uint32_t(
+ &rpos, &rremain,
+ value);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_hash_start_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_verify_hash_interruptible_operation_t *operation;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *hash = NULL;
+ size_t hash_length;
+ uint8_t *signature = NULL;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(
+ &pos, &remaining,
+ &operation);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &hash, &hash_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_verify_hash_start(
+ operation,
+ key,
+ alg,
+ hash, hash_length,
+ signature, signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status) +
+ psasim_server_serialise_psa_verify_hash_interruptible_operation_t_needs(operation);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_server_serialise_psa_verify_hash_interruptible_operation_t(
+ &rpos, &rremain,
+ operation, 0);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(hash);
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(hash);
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+// Returns 1 for success, 0 for failure
+int psa_verify_message_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key;
+ psa_algorithm_t alg;
+ uint8_t *input = NULL;
+ size_t input_length;
+ uint8_t *signature = NULL;
+ size_t signature_length;
+
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+ uint8_t *result = NULL;
+ int ok;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_mbedtls_svc_key_id_t(
+ &pos, &remaining,
+ &key);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_algorithm_t(
+ &pos, &remaining,
+ &alg);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &input, &input_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_buffer(
+ &pos, &remaining,
+ &signature, &signature_length);
+ if (!ok) {
+ goto fail;
+ }
+
+ // Now we call the actual target function
+
+ status = psa_verify_message(
+ key,
+ alg,
+ input, input_length,
+ signature, signature_length
+ );
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs() +
+ psasim_serialise_psa_status_t_needs(status);
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_serialise_psa_status_t(
+ &rpos, &rremain,
+ status);
+ if (!ok) {
+ goto fail;
+ }
+
+ *out_params = result;
+ *out_params_len = result_size;
+
+ free(input);
+ free(signature);
+
+ return 1; // success
+
+fail:
+ free(result);
+
+ free(input);
+ free(signature);
+
+ return 0; // This shouldn't happen!
+}
+
+psa_status_t psa_crypto_call(psa_msg_t msg)
+{
+ int ok = 0;
+
+ int func = msg.type;
+
+ /* We only expect a single input buffer, with everything serialised in it */
+ if (msg.in_size[1] != 0 || msg.in_size[2] != 0 || msg.in_size[3] != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* We expect exactly 2 output buffers, one for size, the other for data */
+ if (msg.out_size[0] != sizeof(size_t) || msg.out_size[1] == 0 ||
+ msg.out_size[2] != 0 || msg.out_size[3] != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ uint8_t *in_params = NULL;
+ size_t in_params_len = 0;
+ uint8_t *out_params = NULL;
+ size_t out_params_len = 0;
+
+ in_params_len = msg.in_size[0];
+ in_params = malloc(in_params_len);
+ if (in_params == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ /* Read the bytes from the client */
+ size_t actual = psa_read(msg.handle, 0, in_params, in_params_len);
+ if (actual != in_params_len) {
+ free(in_params);
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ switch (func) {
+ case PSA_CRYPTO_INIT:
+ ok = psa_crypto_init_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_ABORT:
+ ok = psa_aead_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_DECRYPT:
+ ok = psa_aead_decrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_DECRYPT_SETUP:
+ ok = psa_aead_decrypt_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_ENCRYPT:
+ ok = psa_aead_encrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_ENCRYPT_SETUP:
+ ok = psa_aead_encrypt_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_FINISH:
+ ok = psa_aead_finish_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_GENERATE_NONCE:
+ ok = psa_aead_generate_nonce_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_SET_LENGTHS:
+ ok = psa_aead_set_lengths_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_SET_NONCE:
+ ok = psa_aead_set_nonce_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_UPDATE:
+ ok = psa_aead_update_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_UPDATE_AD:
+ ok = psa_aead_update_ad_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_AEAD_VERIFY:
+ ok = psa_aead_verify_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_ASYMMETRIC_DECRYPT:
+ ok = psa_asymmetric_decrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_ASYMMETRIC_ENCRYPT:
+ ok = psa_asymmetric_encrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_ABORT:
+ ok = psa_cipher_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_DECRYPT:
+ ok = psa_cipher_decrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_DECRYPT_SETUP:
+ ok = psa_cipher_decrypt_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_ENCRYPT:
+ ok = psa_cipher_encrypt_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_ENCRYPT_SETUP:
+ ok = psa_cipher_encrypt_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_FINISH:
+ ok = psa_cipher_finish_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_GENERATE_IV:
+ ok = psa_cipher_generate_iv_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_SET_IV:
+ ok = psa_cipher_set_iv_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_CIPHER_UPDATE:
+ ok = psa_cipher_update_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_COPY_KEY:
+ ok = psa_copy_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_DESTROY_KEY:
+ ok = psa_destroy_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_EXPORT_KEY:
+ ok = psa_export_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_EXPORT_PUBLIC_KEY:
+ ok = psa_export_public_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_GENERATE_KEY:
+ ok = psa_generate_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_GENERATE_KEY_EXT:
+ ok = psa_generate_key_ext_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_GENERATE_RANDOM:
+ ok = psa_generate_random_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_GET_KEY_ATTRIBUTES:
+ ok = psa_get_key_attributes_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_ABORT:
+ ok = psa_hash_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_CLONE:
+ ok = psa_hash_clone_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_COMPARE:
+ ok = psa_hash_compare_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_COMPUTE:
+ ok = psa_hash_compute_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_FINISH:
+ ok = psa_hash_finish_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_SETUP:
+ ok = psa_hash_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_UPDATE:
+ ok = psa_hash_update_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_HASH_VERIFY:
+ ok = psa_hash_verify_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_IMPORT_KEY:
+ ok = psa_import_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_INTERRUPTIBLE_GET_MAX_OPS:
+ ok = psa_interruptible_get_max_ops_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_INTERRUPTIBLE_SET_MAX_OPS:
+ ok = psa_interruptible_set_max_ops_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_ABORT:
+ ok = psa_key_derivation_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_GET_CAPACITY:
+ ok = psa_key_derivation_get_capacity_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_INPUT_BYTES:
+ ok = psa_key_derivation_input_bytes_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_INPUT_INTEGER:
+ ok = psa_key_derivation_input_integer_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_INPUT_KEY:
+ ok = psa_key_derivation_input_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_KEY_AGREEMENT:
+ ok = psa_key_derivation_key_agreement_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_OUTPUT_BYTES:
+ ok = psa_key_derivation_output_bytes_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_OUTPUT_KEY:
+ ok = psa_key_derivation_output_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_OUTPUT_KEY_EXT:
+ ok = psa_key_derivation_output_key_ext_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_SET_CAPACITY:
+ ok = psa_key_derivation_set_capacity_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_KEY_DERIVATION_SETUP:
+ ok = psa_key_derivation_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_ABORT:
+ ok = psa_mac_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_COMPUTE:
+ ok = psa_mac_compute_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_SIGN_FINISH:
+ ok = psa_mac_sign_finish_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_SIGN_SETUP:
+ ok = psa_mac_sign_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_UPDATE:
+ ok = psa_mac_update_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_VERIFY:
+ ok = psa_mac_verify_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_VERIFY_FINISH:
+ ok = psa_mac_verify_finish_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_MAC_VERIFY_SETUP:
+ ok = psa_mac_verify_setup_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_PURGE_KEY:
+ ok = psa_purge_key_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_RAW_KEY_AGREEMENT:
+ ok = psa_raw_key_agreement_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_RESET_KEY_ATTRIBUTES:
+ ok = psa_reset_key_attributes_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_HASH:
+ ok = psa_sign_hash_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_HASH_ABORT:
+ ok = psa_sign_hash_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_HASH_COMPLETE:
+ ok = psa_sign_hash_complete_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_HASH_GET_NUM_OPS:
+ ok = psa_sign_hash_get_num_ops_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_HASH_START:
+ ok = psa_sign_hash_start_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_SIGN_MESSAGE:
+ ok = psa_sign_message_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_HASH:
+ ok = psa_verify_hash_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_HASH_ABORT:
+ ok = psa_verify_hash_abort_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_HASH_COMPLETE:
+ ok = psa_verify_hash_complete_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_HASH_GET_NUM_OPS:
+ ok = psa_verify_hash_get_num_ops_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_HASH_START:
+ ok = psa_verify_hash_start_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ case PSA_VERIFY_MESSAGE:
+ ok = psa_verify_message_wrapper(in_params, in_params_len,
+ &out_params, &out_params_len);
+ break;
+ }
+
+ free(in_params);
+
+ if (out_params_len > msg.out_size[1]) {
+ fprintf(stderr, "unable to write %zu bytes into buffer of %zu bytes\n",
+ out_params_len, msg.out_size[1]);
+ exit(1);
+ }
+
+ /* Write the exact amount of data we're returning */
+ psa_write(msg.handle, 0, &out_params_len, sizeof(out_params_len));
+
+ /* And write the data itself */
+ if (out_params_len) {
+ psa_write(msg.handle, 1, out_params, out_params_len);
+ }
+
+ free(out_params);
+
+ return ok ? PSA_SUCCESS : PSA_ERROR_GENERIC_ERROR;
+}
+
+void psa_crypto_close(void)
+{
+ psa_sim_serialize_reset();
+}
diff --git a/tests/psa-client-server/psasim/src/psa_sim_generate.pl b/tests/psa-client-server/psasim/src/psa_sim_generate.pl
new file mode 100755
index 0000000..dd2fe9e
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_generate.pl
@@ -0,0 +1,5569 @@
+#!/usr/bin/env perl
+#
+# This is a proof-of-concept script to show that the client and server wrappers
+# can be created by a script. It is not hooked into the build, so is run
+# manually and the output files are what are to be reviewed. In due course
+# this will be replaced by a Python script.
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+use strict;
+use Data::Dumper;
+use JSON qw(encode_json);
+
+my $debug = 0;
+
+# Globals (sorry!)
+my %functions = get_functions();
+my @functions = sort keys %functions;
+
+# We don't want these functions (e.g. because they are not implemented, etc)
+my @skip_functions = qw(
+ psa_key_derivation_verify_bytes
+ psa_key_derivation_verify_key
+);
+
+# Remove @skip_functions from @functions
+my %skip_functions = map { $_ => 1 } @skip_functions;
+@functions = grep(!exists($skip_functions{$_}), @functions);
+
+# get_functions(), called above, returns a data structure for each function
+# that we need to create client and server stubs for. In this example Perl script,
+# the function declarations we want are in the data section (after __END__ at
+# the bottom of this file), but a production Python version should process
+# psa_crypto.h.
+#
+# In this script, the data for psa_crypto_init() looks like:
+#
+# "psa_crypto_init": {
+# "return": { # Info on return type
+# "type": "psa_status_t", # Return type
+# "name": "status", # Name to be used for this in C code
+# "default": "PSA_ERROR_CORRUPTION_DETECTED" # Default value
+# },
+# "args": [], # void function, so args empty
+# }
+#
+# The data for psa_hash_compute() looks like:
+#
+# "psa_hash_compute": {
+# "return": { # Information on return type
+# "type": "psa_status_t",
+# "name": "status",
+# "default": "PSA_ERROR_CORRUPTION_DETECTED"
+# },
+# "args": [{
+# "type": "psa_algorithm_t", # Type of first argument
+# "ctypename": "psa_algorithm_t ", # C type with trailing spaces
+# # (so that e.g. `char *` looks ok)
+# "name": "alg",
+# "is_output": 0
+# }, {
+# "type": "const buffer", # Specially created
+# "ctypename": "", # (so no C type)
+# "name": "input, input_length", # A pair of arguments
+# "is_output": 0 # const, so not an output argument
+# }, {
+# "type": "buffer", # Specially created
+# "ctypename": "",
+# "name": "hash, hash_size",
+# "is_output": 1 # Not const, so output argument
+# }, {
+# "type": "size_t", # size_t *hash_length
+# "ctypename": "size_t ",
+# "name": "*hash_length", # * comes into the name
+# "is_output": 1
+# }
+# ],
+# },
+#
+# It's possible that a production version might not need both type and ctypename;
+# that was done for convenience and future-proofing during development.
+
+# We'll do psa_crypto_init() first
+put_crypto_init_first(\@functions);
+
+write_function_codes("psa_functions_codes.h");
+
+write_client_calls("psa_sim_crypto_client.c");
+
+write_server_implementations("psa_sim_crypto_server.c");
+
+sub write_function_codes
+{
+ my ($file) = @_;
+
+ open(my $fh, ">", $file) || die("$0: $file: $!\n");
+
+ # NOTE: psa_crypto_init() is written manually
+
+ print $fh <<EOF;
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef _PSA_FUNCTIONS_CODES_H_
+#define _PSA_FUNCTIONS_CODES_H_
+
+enum {
+ /* Start here to avoid overlap with PSA_IPC_CONNECT, PSA_IPC_DISCONNECT
+ * and VERSION_REQUEST */
+ PSA_CRYPTO_INIT = 100,
+EOF
+
+ for my $function (@functions) {
+ my $enum = uc($function);
+ if ($enum ne "PSA_CRYPTO_INIT") {
+ print $fh <<EOF;
+ $enum,
+EOF
+ }
+ }
+
+ print $fh <<EOF;
+};
+
+#endif /* _PSA_FUNCTIONS_CODES_H_ */
+EOF
+
+ close($fh);
+}
+
+sub write_client_calls
+{
+ my ($file) = @_;
+
+ open(my $fh, ">", $file) || die("$0: $file: $!\n");
+
+ print $fh client_calls_header();
+
+ for my $function (@functions) {
+ # psa_crypto_init() is hand written to establish connection to server
+ if ($function ne "psa_crypto_init") {
+ my $f = $functions{$function};
+ output_client($fh, $f, $function);
+ }
+ }
+
+ close($fh);
+}
+
+sub write_server_implementations
+{
+ my ($file) = @_;
+
+ open(my $fh, ">", $file) || die("$0: $file: $!\n");
+
+ print $fh server_implementations_header();
+
+ print $fh debug_functions() if $debug;
+
+ for my $function (@functions) {
+ my $f = $functions{$function};
+ output_server_wrapper($fh, $f, $function);
+ }
+
+ # Now output a switch statement that calls each of the wrappers
+
+ print $fh <<EOF;
+
+psa_status_t psa_crypto_call(psa_msg_t msg)
+{
+ int ok = 0;
+
+ int func = msg.type;
+
+ /* We only expect a single input buffer, with everything serialised in it */
+ if (msg.in_size[1] != 0 || msg.in_size[2] != 0 || msg.in_size[3] != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* We expect exactly 2 output buffers, one for size, the other for data */
+ if (msg.out_size[0] != sizeof(size_t) || msg.out_size[1] == 0 ||
+ msg.out_size[2] != 0 || msg.out_size[3] != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ uint8_t *in_params = NULL;
+ size_t in_params_len = 0;
+ uint8_t *out_params = NULL;
+ size_t out_params_len = 0;
+
+ in_params_len = msg.in_size[0];
+ in_params = malloc(in_params_len);
+ if (in_params == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ /* Read the bytes from the client */
+ size_t actual = psa_read(msg.handle, 0, in_params, in_params_len);
+ if (actual != in_params_len) {
+ free(in_params);
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ switch (func) {
+EOF
+
+ for my $function (@functions) {
+ my $f = $functions{$function};
+ my $enum = uc($function);
+
+ # Create this call, in a way acceptable to uncustify:
+ # ok = ${function}_wrapper(in_params, in_params_len,
+ # &out_params, &out_params_len);
+ my $first_line = " ok = ${function}_wrapper(in_params, in_params_len,";
+ my $idx = index($first_line, "(");
+ die("can't find (") if $idx < 0;
+ my $indent = " " x ($idx + 1);
+
+ print $fh <<EOF;
+ case $enum:
+$first_line
+$indent&out_params, &out_params_len);
+ break;
+EOF
+ }
+
+ print $fh <<EOF;
+ }
+
+ free(in_params);
+
+ if (out_params_len > msg.out_size[1]) {
+ fprintf(stderr, "unable to write %zu bytes into buffer of %zu bytes\\n",
+ out_params_len, msg.out_size[1]);
+ exit(1);
+ }
+
+ /* Write the exact amount of data we're returning */
+ psa_write(msg.handle, 0, &out_params_len, sizeof(out_params_len));
+
+ /* And write the data itself */
+ if (out_params_len) {
+ psa_write(msg.handle, 1, out_params, out_params_len);
+ }
+
+ free(out_params);
+
+ return ok ? PSA_SUCCESS : PSA_ERROR_GENERIC_ERROR;
+}
+EOF
+
+ # Finally, add psa_crypto_close()
+
+ print $fh <<EOF;
+
+void psa_crypto_close(void)
+{
+ psa_sim_serialize_reset();
+}
+EOF
+
+ close($fh);
+}
+
+sub server_implementations_header
+{
+ return <<'EOF';
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/* server implementations */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <psa/crypto.h>
+
+#include "psa_functions_codes.h"
+#include "psa_sim_serialise.h"
+
+#include "service.h"
+
+#if !defined(MBEDTLS_PSA_CRYPTO_C)
+#error "Error: MBEDTLS_PSA_CRYPTO_C must be enabled on server build"
+#endif
+EOF
+}
+
+sub client_calls_header
+{
+ my $code = <<'EOF';
+/* THIS FILE WAS AUTO-GENERATED BY psa_sim_generate.pl. DO NOT EDIT!! */
+
+/* client calls */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+
+/* Includes from psasim */
+#include <client.h>
+#include <util.h>
+#include "psa_manifest/sid.h"
+#include "psa_functions_codes.h"
+#include "psa_sim_serialise.h"
+
+/* Includes from mbedtls */
+#include "mbedtls/version.h"
+#include "psa/crypto.h"
+
+#define CLIENT_PRINT(fmt, ...) \
+ INFO("Client: " fmt, ##__VA_ARGS__)
+
+static psa_handle_t handle = -1;
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#error "Error: MBEDTLS_PSA_CRYPTO_C must be disabled on client build"
+#endif
+EOF
+
+ $code .= debug_functions() if $debug;
+
+ $code .= <<'EOF';
+
+int psa_crypto_call(int function,
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+ // psa_outvec outvecs[1];
+ if (handle < 0) {
+ fprintf(stderr, "NOT CONNECTED\n");
+ exit(1);
+ }
+
+ psa_invec invec;
+ invec.base = in_params;
+ invec.len = in_params_len;
+
+ size_t max_receive = 24576;
+ uint8_t *receive = malloc(max_receive);
+ if (receive == NULL) {
+ fprintf(stderr, "FAILED to allocate %u bytes\n", (unsigned) max_receive);
+ exit(1);
+ }
+
+ size_t actual_received = 0;
+
+ psa_outvec outvecs[2];
+ outvecs[0].base = &actual_received;
+ outvecs[0].len = sizeof(actual_received);
+ outvecs[1].base = receive;
+ outvecs[1].len = max_receive;
+
+ psa_status_t status = psa_call(handle, function, &invec, 1, outvecs, 2);
+ if (status != PSA_SUCCESS) {
+ free(receive);
+ return 0;
+ }
+
+ *out_params = receive;
+ *out_params_len = actual_received;
+
+ return 1; // success
+}
+
+psa_status_t psa_crypto_init(void)
+{
+ char mbedtls_version[18];
+ uint8_t *result = NULL;
+ size_t result_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_version_get_string_full(mbedtls_version);
+ CLIENT_PRINT("%s", mbedtls_version);
+
+ CLIENT_PRINT("My PID: %d", getpid());
+
+ CLIENT_PRINT("PSA version: %u", psa_version(PSA_SID_CRYPTO_SID));
+ handle = psa_connect(PSA_SID_CRYPTO_SID, 1);
+
+ if (handle < 0) {
+ CLIENT_PRINT("Couldn't connect %d", handle);
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+
+ int ok = psa_crypto_call(PSA_CRYPTO_INIT, NULL, 0, &result, &result_length);
+ CLIENT_PRINT("PSA_CRYPTO_INIT returned: %d", ok);
+
+ if (!ok) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+
+ ok = psasim_deserialise_psa_status_t(&rpos, &rremain, &status);
+ if (!ok) {
+ goto fail;
+ }
+
+fail:
+ free(result);
+
+ return status;
+}
+
+void mbedtls_psa_crypto_free(void)
+{
+ /* Do not try to close a connection that was never started.*/
+ if (handle == -1) {
+ return;
+ }
+
+ CLIENT_PRINT("Closing handle");
+ psa_close(handle);
+ handle = -1;
+}
+EOF
+}
+
+sub debug_functions
+{
+ return <<EOF;
+
+static inline char hex_digit(char nibble) {
+ return (nibble < 10) ? (nibble + '0') : (nibble + 'a' - 10);
+}
+
+int hex_byte(char *p, uint8_t b)
+{
+ p[0] = hex_digit(b >> 4);
+ p[1] = hex_digit(b & 0x0F);
+
+ return 2;
+}
+
+int hex_uint16(char *p, uint16_t b)
+{
+ hex_byte(p, b >> 8);
+ hex_byte(p + 2, b & 0xFF);
+
+ return 4;
+}
+
+char human_char(uint8_t c)
+{
+ return (c >= ' ' && c <= '~') ? (char)c : '.';
+}
+
+void dump_buffer(const uint8_t *buffer, size_t len)
+{
+ char line[80];
+
+ const uint8_t *p = buffer;
+
+ size_t max = (len > 0xFFFF) ? 0xFFFF : len;
+
+ for (size_t i = 0; i < max; i += 16) {
+
+ char *q = line;
+
+ q += hex_uint16(q, (uint16_t)i);
+ *q++ = ' ';
+ *q++ = ' ';
+
+ size_t ll = (i + 16 > max) ? (max % 16) : 16;
+
+ size_t j;
+ for (j = 0; j < ll; j++) {
+ q += hex_byte(q, p[i + j]);
+ *q++ = ' ';
+ }
+
+ while (j++ < 16) {
+ *q++ = ' ';
+ *q++ = ' ';
+ *q++ = ' ';
+ }
+
+ *q++ = ' ';
+
+ for (j = 0; j < ll; j++) {
+ *q++ = human_char(p[i + j]);
+ }
+
+ *q = '\\0';
+
+ printf("%s\\n", line);
+ }
+}
+
+void hex_dump(uint8_t *p, size_t n)
+{
+ for (size_t i = 0; i < n; i++) {
+ printf("0x%02X ", p[i]);
+ }
+ printf("\\n");
+}
+EOF
+}
+
+sub output_server_wrapper
+{
+ my ($fh, $f, $name) = @_;
+
+ my $ret_type = $f->{return}->{type};
+ my $ret_name = $f->{return}->{name};
+ my $ret_default = $f->{return}->{default};
+
+ my @buffers = (); # We need to free() these on exit
+
+ print $fh <<EOF;
+
+// Returns 1 for success, 0 for failure
+int ${name}_wrapper(
+ uint8_t *in_params, size_t in_params_len,
+ uint8_t **out_params, size_t *out_params_len)
+{
+EOF
+
+ print $fh <<EOF unless $ret_type eq "void";
+ $ret_type $ret_name = $ret_default;
+EOF
+ # Output the variables we will need when we call the target function
+
+ my $args = $f->{args};
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ $argtype =~ s/^const //;
+
+ if ($argtype =~ /^(const )?buffer$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh <<EOF;
+ uint8_t *$n1 = NULL;
+ size_t $n2;
+EOF
+ push(@buffers, $n1); # Add to the list to be free()d at end
+ } elsif ($argtype =~ /^(const )?psa_key_production_parameters_t$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh <<EOF;
+ psa_key_production_parameters_t *$n1 = NULL;
+ size_t $n2;
+EOF
+ push(@buffers, $n1); # Add to the list to be free()d at end
+ } else {
+ $argname =~ s/^\*//; # Remove any leading *
+ my $pointer = ($argtype =~ /^psa_\w+_operation_t/) ? "*" : "";
+ print $fh <<EOF;
+ $argtype $pointer$argname;
+EOF
+ }
+ }
+
+ print $fh "\n";
+
+ if ($#$args >= 0) { # If we have any args (>= 0)
+ print $fh <<EOF;
+ uint8_t *pos = in_params;
+ size_t remaining = in_params_len;
+EOF
+ }
+
+ print $fh <<EOF;
+ uint8_t *result = NULL;
+ int ok;
+EOF
+
+ print $fh <<EOF if $debug;
+
+ printf("$name: server\\n");
+EOF
+ if ($#$args >= 0) { # If we have any args (>= 0)
+ print $fh <<EOF;
+
+ ok = psasim_deserialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#$args) ? ";" : " +";
+ $argtype =~ s/^const //;
+
+ if ($argtype =~ /^(const )?buffer$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh <<EOF;
+
+ ok = psasim_deserialise_${argtype}(
+ &pos, &remaining,
+ &$n1, &$n2);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ } elsif ($argtype =~ /^(const )?psa_key_production_parameters_t$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh <<EOF;
+
+ ok = psasim_deserialise_${argtype}(
+ &pos, &remaining,
+ &$n1, &$n2);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ } else {
+ $argname =~ s/^\*//; # Remove any leading *
+ my $server_specific = ($argtype =~ /^psa_\w+_operation_t/) ? "server_" : "";
+ print $fh <<EOF;
+
+ ok = psasim_${server_specific}deserialise_${argtype}(
+ &pos, &remaining,
+ &$argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+ }
+
+ print $fh <<EOF;
+
+ // Now we call the actual target function
+EOF
+ output_call($fh, $f, $name, 1);
+
+ my @outputs = grep($_->{is_output}, @$args);
+
+ my $sep1 = (($ret_type eq "void") and ($#outputs < 0)) ? ";" : " +";
+
+ print $fh <<EOF;
+
+ // NOTE: Should really check there is no overflow as we go along.
+ size_t result_size =
+ psasim_serialise_begin_needs()$sep1
+EOF
+
+ if ($ret_type ne "void") {
+ my $sep = ($#outputs < 0) ? ";" : " +";
+ print $fh <<EOF;
+ psasim_serialise_${ret_type}_needs($ret_name)$sep
+EOF
+ }
+
+ for my $i (0 .. $#outputs) {
+ my $arg = $outputs[$i];
+ die("$i: this should have been filtered out by grep") unless $arg->{is_output};
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#outputs) ? ";" : " +";
+ $argtype =~ s/^const //;
+ $argname =~ s/^\*//; # Remove any leading *
+ my $server_specific = ($argtype =~ /^psa_\w+_operation_t/) ? "server_" : "";
+
+ print $fh <<EOF;
+ psasim_${server_specific}serialise_${argtype}_needs($argname)$sep
+EOF
+ }
+
+ print $fh <<EOF;
+
+ result = malloc(result_size);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ uint8_t *rpos = result;
+ size_t rremain = result_size;
+
+ ok = psasim_serialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+
+ if ($ret_type ne "void") {
+ print $fh <<EOF;
+
+ ok = psasim_serialise_${ret_type}(
+ &rpos, &rremain,
+ $ret_name);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+
+ my @outputs = grep($_->{is_output}, @$args);
+
+ for my $i (0 .. $#outputs) {
+ my $arg = $outputs[$i];
+ die("$i: this should have been filtered out by grep") unless $arg->{is_output};
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#outputs) ? ";" : " +";
+ $argtype =~ s/^const //;
+
+ if ($argtype eq "buffer") {
+ print $fh <<EOF;
+
+ ok = psasim_serialise_buffer(
+ &rpos, &rremain,
+ $argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ } elsif ($argtype eq "psa_key_production_parameters_t") {
+ print $fh <<EOF;
+
+ ok = psasim_serialise_psa_key_production_parameters_t(
+ &rpos, &rremain,
+ $argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ } else {
+ if ($argname =~ /^\*/) {
+ $argname =~ s/^\*//; # since it's already a pointer
+ } else {
+ die("$0: $argname: HOW TO OUTPUT?\n");
+ }
+
+ my $server_specific = ($argtype =~ /^psa_\w+_operation_t/) ? "server_" : "";
+
+ my $completed = ""; # Only needed on server serialise calls
+ if (length($server_specific)) {
+ # On server serialisation, which is only for operation types,
+ # we need to mark the operation as completed (variously called
+ # terminated or inactive in psa/crypto.h) on certain calls.
+ $completed = ($name =~ /_(abort|finish|hash_verify)$/) ? ", 1" : ", 0";
+ }
+
+ print $fh <<EOF;
+
+ ok = psasim_${server_specific}serialise_${argtype}(
+ &rpos, &rremain,
+ $argname$completed);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+ }
+
+ my $free_buffers = join("", map { " free($_);\n" } @buffers);
+ $free_buffers = "\n" . $free_buffers if length($free_buffers);
+
+ print $fh <<EOF;
+
+ *out_params = result;
+ *out_params_len = result_size;
+$free_buffers
+ return 1; // success
+
+fail:
+ free(result);
+$free_buffers
+ return 0; // This shouldn't happen!
+}
+EOF
+}
+
+sub output_client
+{
+ my ($fh, $f, $name) = @_;
+
+ print $fh "\n";
+
+ output_definition_begin($fh, $f, $name);
+
+ my $ret_type = $f->{return}->{type};
+ my $ret_name = $f->{return}->{name};
+ my $ret_default = $f->{return}->{default};
+
+ print $fh <<EOF;
+{
+ uint8_t *ser_params = NULL;
+ uint8_t *ser_result = NULL;
+ size_t result_length;
+EOF
+ print $fh <<EOF unless $ret_type eq "void";
+ $ret_type $ret_name = $ret_default;
+EOF
+
+ print $fh <<EOF if $debug;
+
+ printf("$name: client\\n");
+EOF
+
+ print $fh <<EOF;
+
+ size_t needed =
+ psasim_serialise_begin_needs() +
+EOF
+
+ my $args = $f->{args};
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#$args) ? ";" : " +";
+ $argtype =~ s/^const //;
+
+ print $fh <<EOF;
+ psasim_serialise_${argtype}_needs($argname)$sep
+EOF
+ }
+
+ print $fh <<EOF if $#$args < 0;
+ 0;
+EOF
+
+ print $fh <<EOF;
+
+ ser_params = malloc(needed);
+ if (ser_params == NULL) {
+EOF
+
+ if ($ret_type eq "psa_status_t") {
+ print $fh <<EOF if $;
+ $ret_name = PSA_ERROR_INSUFFICIENT_MEMORY;
+EOF
+ } elsif ($ret_type eq "uint32_t") {
+ print $fh <<EOF if $;
+ $ret_name = 0;
+EOF
+ }
+
+ print $fh <<EOF;
+ goto fail;
+ }
+
+ uint8_t *pos = ser_params;
+ size_t remaining = needed;
+ int ok;
+ ok = psasim_serialise_begin(&pos, &remaining);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#$args) ? ";" : " +";
+ $argtype =~ s/^const //;
+
+ print $fh <<EOF;
+ ok = psasim_serialise_${argtype}(
+ &pos, &remaining,
+ $argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+
+ print $fh <<EOF if $debug;
+
+ printf("client sending %d:\\n", (int)(pos - ser_params));
+ dump_buffer(ser_params, (size_t)(pos - ser_params));
+EOF
+
+ my $enum = uc($name);
+
+ print $fh <<EOF;
+
+ ok = psa_crypto_call($enum,
+ ser_params, (size_t) (pos - ser_params), &ser_result, &result_length);
+ if (!ok) {
+ printf("$enum server call failed\\n");
+ goto fail;
+ }
+EOF
+
+ print $fh <<EOF if $debug;
+
+ printf("client receiving %d:\\n", (int)result_length);
+ dump_buffer(ser_result, result_length);
+EOF
+
+ print $fh <<EOF;
+
+ uint8_t *rpos = ser_result;
+ size_t rremain = result_length;
+
+ ok = psasim_deserialise_begin(&rpos, &rremain);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+
+ print $fh <<EOF if $ret_type ne "void";
+
+ ok = psasim_deserialise_$ret_type(
+ &rpos, &rremain,
+ &$ret_name);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+
+ my @outputs = grep($_->{is_output}, @$args);
+
+ for my $i (0 .. $#outputs) {
+ my $arg = $outputs[$i];
+ die("$i: this should have been filtered out by grep") unless $arg->{is_output};
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+ my $sep = ($i == $#outputs) ? ";" : " +";
+ $argtype =~ s/^const //;
+
+ if ($argtype eq "buffer") {
+ print $fh <<EOF;
+
+ ok = psasim_deserialise_return_buffer(
+ &rpos, &rremain,
+ $argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ } else {
+ if ($argname =~ /^\*/) {
+ $argname =~ s/^\*//; # since it's already a pointer
+ } else {
+ die("$0: $argname: HOW TO OUTPUT?\n");
+ }
+
+ print $fh <<EOF;
+
+ ok = psasim_deserialise_${argtype}(
+ &rpos, &rremain,
+ $argname);
+ if (!ok) {
+ goto fail;
+ }
+EOF
+ }
+ }
+ print $fh <<EOF;
+
+fail:
+ free(ser_params);
+ free(ser_result);
+EOF
+
+ print $fh <<EOF if $ret_type ne "void";
+
+ return $ret_name;
+EOF
+
+ print $fh <<EOF;
+}
+EOF
+}
+
+sub output_declaration
+{
+ my ($f, $name) = @_;
+
+ output_signature($f, $name, "declaration");
+}
+
+sub output_definition_begin
+{
+ my ($fh, $f, $name) = @_;
+
+ output_signature($fh, $f, $name, "definition");
+}
+
+sub output_call
+{
+ my ($fh, $f, $name, $is_server) = @_;
+
+ my $ret_type = $f->{return}->{type};
+ my $ret_name = $f->{return}->{name};
+ my $args = $f->{args};
+
+ if ($ret_type eq "void") {
+ print $fh "\n $name(\n";
+ } else {
+ print $fh "\n $ret_name = $name(\n";
+ }
+
+ print $fh " );\n" if $#$args < 0; # If no arguments, empty arg list
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $argname = $arg->{name};
+
+ if ($argtype =~ /^(const )?buffer$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh " $n1, $n2";
+ } elsif ($argtype =~ /^(const )?psa_key_production_parameters_t$/) {
+ my ($n1, $n2) = split(/,\s*/, $argname);
+ print $fh " $n1, $n2";
+ } else {
+ $argname =~ s/^\*/\&/; # Replace leading * with &
+ if ($is_server && $argtype =~ /^psa_\w+_operation_t/) {
+ $argname =~ s/^\&//; # Actually, for psa_XXX_operation_t, don't do this on the server side
+ }
+ print $fh " $argname";
+ }
+ my $sep = ($i == $#$args) ? "\n );" : ",";
+ print $fh "$sep\n";
+ }
+}
+
+sub output_signature
+{
+ my ($fh, $f, $name, $what) = @_;
+
+ my $ret_type = $f->{return}->{type};
+ my $args = $f->{args};
+
+ my $final_sep = ($what eq "declaration") ? "\n);" : "\n )";
+
+ print $fh "\n$ret_type $name(\n";
+
+ print $fh " void\n )\n" if $#$args < 0; # No arguments
+
+ for my $i (0 .. $#$args) {
+ my $arg = $args->[$i];
+ my $argtype = $arg->{type}; # e.g. int, psa_algorithm_t, or "buffer"
+ my $ctypename = $arg->{ctypename}; # e.g. "int ", "char *"; empty for buffer
+ my $argname = $arg->{name};
+
+ if ($argtype =~ /^(const )?buffer$/) {
+ my $const = length($1) ? "const " : "";
+ my ($n1, $n2) = split(/,/, $argname);
+ print $fh " ${const}uint8_t *$n1, size_t $n2";
+ } elsif ($argtype =~ /^(const )?psa_key_production_parameters_t$/) {
+ my $const = length($1) ? "const " : "";
+ my ($n1, $n2) = split(/,/, $argname);
+ print $fh " ${const}psa_key_production_parameters_t *$n1, size_t $n2";
+ } else {
+ print $fh " $ctypename$argname";
+ }
+ my $sep = ($i == $#$args) ? $final_sep : ",";
+ print $fh "$sep\n";
+ }
+}
+
+sub get_functions
+{
+ my $src = "";
+ while (<DATA>) {
+ chomp;
+ s/\/\/.*//;
+ s/\s+^//;
+ s/\s+/ /g;
+ $_ .= "\n";
+ $src .= $_;
+ }
+
+ $src =~ s/\/\*.*?\*\///gs;
+
+ my @src = split(/\n+/, $src);
+
+ my @rebuild = ();
+ my %funcs = ();
+ for (my $i = 0; $i <= $#src; $i++) {
+ my $line = $src[$i];
+ if ($line =~ /^(psa_status_t|uint32_t|void) (psa_\w*)\(/) { # begin function definition
+ #print "have one $line\n";
+ while ($line !~ /;/) {
+ $line .= $src[$i + 1];
+ $i++;
+ }
+ $line =~ s/\s+/ /g;
+ if ($line =~ /(\w+)\s+\b(\w+)\s*\(\s*(.*\S)\s*\)\s*[;{]/s) {
+ my ($ret_type, $func, $args) = ($1, $2, $3);
+ my $copy = $line;
+ $copy =~ s/{$//;
+ my $f = {
+ "orig" => $copy,
+ };
+
+ my @args = split(/\s*,\s*/, $args);
+
+ my $ret_name = "";
+ $ret_name = "status" if $ret_type eq "psa_status_t";
+ $ret_name = "value" if $ret_type eq "uint32_t";
+ $ret_name = "(void)" if $ret_type eq "void";
+ die("ret_name for $ret_type?") unless length($ret_name);
+ my $ret_default = "";
+ $ret_default = "PSA_ERROR_CORRUPTION_DETECTED" if $ret_type eq "psa_status_t";
+ $ret_default = "0" if $ret_type eq "uint32_t";
+ $ret_default = "(void)" if $ret_type eq "void";
+ die("ret_default for $ret_type?") unless length($ret_default);
+
+ #print "FUNC $func RET_NAME $ret_name RET_TYPE $ret_type ARGS (", join("; ", @args), ")\n";
+
+ $f->{return} = {
+ "type" => $ret_type,
+ "default" => $ret_default,
+ "name" => $ret_name,
+ };
+ $f->{args} = [];
+ # psa_algorithm_t alg; const uint8_t *input; size_t input_length; uint8_t *hash; size_t hash_size; size_t *hash_length
+ for (my $i = 0; $i <= $#args; $i++) {
+ my $arg = $args[$i];
+ # "type" => "psa_algorithm_t",
+ # "ctypename" => "psa_algorithm_t ",
+ # "name" => "alg",
+ # "is_output" => 0,
+ my ($type, $ctype, $name, $is_output);
+ if ($arg =~ /^(\w+)\s+(\w+)$/) { # e.g. psa_algorithm_t alg
+ ($type, $name) = ($1, $2);
+ $ctype = $type . " ";
+ $is_output = 0;
+ } elsif ($arg =~ /^((const)\s+)?uint8_t\s*\*\s*(\w+)$/) {
+ $type = "buffer";
+ $is_output = (length($1) == 0) ? 1 : 0;
+ $type = "const buffer" if !$is_output;
+ $ctype = "";
+ $name = $3;
+ #print("$arg: $name: might be a buffer?\n");
+ die("$arg: not a buffer 1!\n") if $i == $#args;
+ my $next = $args[$i + 1];
+ if ($func eq "psa_key_derivation_verify_bytes" &&
+ $arg eq "const uint8_t *expected_output" &&
+ $next eq "size_t output_length") {
+ $next = "size_t expected_output_length"; # doesn't follow naming convention, so override
+ }
+ die("$arg: not a buffer 2!\n") if $next !~ /^size_t\s+(${name}_\w+)$/;
+ $i++; # We're using the next param here
+ my $nname = $1;
+ $name .= ", " . $nname;
+ } elsif ($arg =~ /^((const)\s+)?psa_key_production_parameters_t\s*\*\s*(\w+)$/) {
+ $type = "psa_key_production_parameters_t";
+ $is_output = (length($1) == 0) ? 1 : 0;
+ $type = "const psa_key_production_parameters_t" if !$is_output;
+ $ctype = "";
+ $name = $3;
+ #print("$arg: $name: might be a psa_key_production_parameters_t?\n");
+ die("$arg: not a psa_key_production_parameters_t 1!\n") if $i == $#args;
+ my $next = $args[$i + 1];
+ die("$arg: $func: $name: $next: not a psa_key_production_parameters_t 2!\n") if $next !~ /^size_t\s+(${name}_\w+)$/;
+ $i++; # We're using the next param here
+ my $nname = $1;
+ $name .= ", " . $nname;
+ } elsif ($arg =~ /^((const)\s+)?(\w+)\s*\*(\w+)$/) {
+ ($type, $name) = ($3, "*" . $4);
+ $ctype = $1 . $type . " ";
+ $is_output = (length($1) == 0) ? 1 : 0;
+ } elsif ($arg eq "void") {
+ # we'll just ignore this one
+ } else {
+ die("ARG HELP $arg\n");
+ }
+ #print "$arg => <$type><$ctype><$name><$is_output>\n";
+ if ($arg ne "void") {
+ push(@{$f->{args}}, {
+ "type" => $type,
+ "ctypename" => $ctype,
+ "name" => $name,
+ "is_output" => $is_output,
+ });
+ }
+ }
+ $funcs{$func} = $f;
+ } else {
+ die("FAILED");
+ }
+ push(@rebuild, $line);
+ } elsif ($line =~ /^static psa_\w+_t (psa_\w*)\(/) { # begin function definition
+ # IGNORE static functions
+ } else {
+ if ($line =~ /psa_/) {
+ print "NOT PARSED: $line\n";
+ }
+ push(@rebuild, $line);
+ }
+ }
+
+ #print ::Dumper(\%funcs);
+ #exit;
+
+ return %funcs;
+}
+
+sub put_crypto_init_first
+{
+ my ($functions) = @_;
+
+ my $want_first = "psa_crypto_init";
+
+ my $idx = undef;
+ for my $i (0 .. $#$functions) {
+ if ($functions->[$i] eq $want_first) {
+ $idx = $i;
+ last;
+ }
+ }
+
+ if (defined($idx) && $idx != 0) { # Do nothing if already first
+ splice(@$functions, $idx, 1);
+ unshift(@$functions, $want_first);
+ }
+}
+
+__END__
+/**
+ * \brief Library initialization.
+ *
+ * Applications must call this function before calling any other
+ * function in this module.
+ *
+ * Applications may call this function more than once. Once a call
+ * succeeds, subsequent calls are guaranteed to succeed.
+ *
+ * If the application calls other functions before calling psa_crypto_init(),
+ * the behavior is undefined. Implementations are encouraged to either perform
+ * the operation as if the library had been initialized or to return
+ * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
+ * implementations should not return a success status if the lack of
+ * initialization may have security implications, for example due to improper
+ * seeding of the random number generator.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_crypto_init(void);
+
+/** Calculate the hash (digest) of a message.
+ *
+ * \note To verify the hash of a message against an
+ * expected value, use psa_hash_compare() instead.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\p alg).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p hash_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/* XXX We put this next one in place to check we ignore static functions
+ * when we eventually read all this from a real header file
+ */
+
+/** Return an initial value for a hash operation object.
+ */
+static psa_hash_operation_t psa_hash_operation_init(void);
+
+/* XXX Back to normal function declarations */
+
+/** Set up a multipart hash operation.
+ *
+ * The sequence of operations to calculate a hash (message digest)
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
+ * -# Call psa_hash_setup() to specify the algorithm.
+ * -# Call psa_hash_update() zero, one or more times, passing a fragment
+ * of the message each time. The hash that is calculated is the hash
+ * of the concatenation of these messages in order.
+ * -# To calculate the hash, call psa_hash_finish().
+ * To compare the hash with an expected value, call psa_hash_verify().
+ *
+ * If an error occurs at any step after a call to psa_hash_setup(), the
+ * operation will need to be reset by a call to psa_hash_abort(). The
+ * application may call psa_hash_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_hash_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_hash_finish() or psa_hash_verify().
+ * - A call to psa_hash_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_hash_operation_t and not yet in use.
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a hash algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart hash operation.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] input Buffer containing the message fragment to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_update(psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the hash of a message.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_hash_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \warning Applications should not call this function if they expect
+ * a specific value for the hash. Call psa_hash_verify() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * hash values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the hashed data which could allow an attacker to guess
+ * a valid hash and thereby bypass security controls.
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\c alg) where \c alg is the
+ * hash algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p hash buffer is too small. You can determine a
+ * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
+ * where \c alg is the hash algorithm that is calculated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Finish the calculation of the hash of a message and compare it with
+ * an expected value.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_hash_update(). It then
+ * compares the calculated hash with the expected hash passed as a
+ * parameter to this function.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual hash and the expected hash is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] hash Buffer containing the expected hash value.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected hash is identical to the actual hash of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The hash of the message was calculated successfully, but it
+ * differs from the expected hash.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+ const uint8_t *hash,
+ size_t hash_length);
+
+/** Abort a hash operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_hash_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_hash_operation_t.
+ *
+ * In particular, calling psa_hash_abort() after the operation has been
+ * terminated by a call to psa_hash_abort(), psa_hash_finish() or
+ * psa_hash_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized hash operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
+
+/** Clone a hash operation.
+ *
+ * This function copies the state of an ongoing hash operation to
+ * a new operation object. In other words, this function is equivalent
+ * to calling psa_hash_setup() on \p target_operation with the same
+ * algorithm that \p source_operation was set up for, then
+ * psa_hash_update() on \p target_operation with the same input that
+ * that was passed to \p source_operation. After this function returns, the
+ * two objects are independent, i.e. subsequent calls involving one of
+ * the objects do not affect the other object.
+ *
+ * \param[in] source_operation The active hash operation to clone.
+ * \param[in,out] target_operation The operation object to set up.
+ * It must be initialized but not active.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p source_operation state is not valid (it must be active), or
+ * the \p target_operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation);
+
+/** Calculate the hash (digest) of a message and compare it with a
+ * reference value.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] hash Buffer containing the expected hash value.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected hash is identical to the actual hash of the input.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The hash of the message was calculated successfully, but it
+ * differs from the expected hash.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p input_length or \p hash_length do not match the hash size for \p alg
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *hash,
+ size_t hash_length);
+
+/** Process an authenticated encryption operation.
+ *
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the \p nonce buffer in bytes.
+ * \param[in] additional_data Additional data that will be authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of \p additional_data in bytes.
+ * \param[in] plaintext Data that will be authenticated and
+ * encrypted.
+ * \param plaintext_length Size of \p plaintext in bytes.
+ * \param[out] ciphertext Output buffer for the authenticated and
+ * encrypted data. The additional data is not
+ * part of this output. For algorithms where the
+ * encrypted data and the authentication tag
+ * are defined as separate outputs, the
+ * authentication tag is appended to the
+ * encrypted data.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
+ * \p alg, \p plaintext_length) where
+ * \c key_type is the type of \p key.
+ * - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
+ * plaintext_length) evaluates to the maximum
+ * ciphertext size of any supported AEAD
+ * encryption.
+ * \param[out] ciphertext_length On success, the size of the output
+ * in the \p ciphertext buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p ciphertext_size is too small.
+ * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
+ * \p plaintext_length) or
+ * #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
+ * determine the required buffer size.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce,
+ size_t nonce_length,
+ const uint8_t *additional_data,
+ size_t additional_data_length,
+ const uint8_t *plaintext,
+ size_t plaintext_length,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length);
+
+/** Process an authenticated decryption operation.
+ *
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the \p nonce buffer in bytes.
+ * \param[in] additional_data Additional data that has been authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of \p additional_data in bytes.
+ * \param[in] ciphertext Data that has been authenticated and
+ * encrypted. For algorithms where the
+ * encrypted data and the authentication tag
+ * are defined as separate inputs, the buffer
+ * must contain the encrypted data followed
+ * by the authentication tag.
+ * \param ciphertext_length Size of \p ciphertext in bytes.
+ * \param[out] plaintext Output buffer for the decrypted data.
+ * \param plaintext_size Size of the \p plaintext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
+ * \p alg, \p ciphertext_length) where
+ * \c key_type is the type of \p key.
+ * - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
+ * ciphertext_length) evaluates to the maximum
+ * plaintext size of any supported AEAD
+ * decryption.
+ * \param[out] plaintext_length On success, the size of the output
+ * in the \p plaintext buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The ciphertext is not authentic.
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p plaintext_size is too small.
+ * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
+ * \p ciphertext_length) or
+ * #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
+ * to determine the required buffer size.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce,
+ size_t nonce_length,
+ const uint8_t *additional_data,
+ size_t additional_data_length,
+ const uint8_t *ciphertext,
+ size_t ciphertext_length,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length);
+
+/** The type of the state data structure for multipart AEAD operations.
+ *
+ * Before calling any function on an AEAD operation object, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_aead_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_aead_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_aead_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_aead_operation_t operation;
+ * operation = psa_aead_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_aead_operation_s psa_aead_operation_t;
+
+/** \def PSA_AEAD_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for an AEAD operation object of
+ * type #psa_aead_operation_t.
+ */
+
+/** Return an initial value for an AEAD operation object.
+ */
+static psa_aead_operation_t psa_aead_operation_init(void);
+
+/** Set the key for a multipart authenticated encryption operation.
+ *
+ * The sequence of operations to encrypt a message with authentication
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_aead_operation_t, e.g.
+ * #PSA_AEAD_OPERATION_INIT.
+ * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
+ * -# If needed, call psa_aead_set_lengths() to specify the length of the
+ * inputs to the subsequent calls to psa_aead_update_ad() and
+ * psa_aead_update(). See the documentation of psa_aead_set_lengths()
+ * for details.
+ * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
+ * generate or set the nonce. You should use
+ * psa_aead_generate_nonce() unless the protocol you are implementing
+ * requires a specific nonce value.
+ * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
+ * of the non-encrypted additional authenticated data each time.
+ * -# Call psa_aead_update() zero, one or more times, passing a fragment
+ * of the message to encrypt each time.
+ * -# Call psa_aead_finish().
+ *
+ * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
+ * the operation will need to be reset by a call to psa_aead_abort(). The
+ * application may call psa_aead_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_aead_encrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_aead_finish().
+ * - A call to psa_aead_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_aead_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart authenticated decryption operation.
+ *
+ * The sequence of operations to decrypt a message with authentication
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_aead_operation_t, e.g.
+ * #PSA_AEAD_OPERATION_INIT.
+ * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
+ * -# If needed, call psa_aead_set_lengths() to specify the length of the
+ * inputs to the subsequent calls to psa_aead_update_ad() and
+ * psa_aead_update(). See the documentation of psa_aead_set_lengths()
+ * for details.
+ * -# Call psa_aead_set_nonce() with the nonce for the decryption.
+ * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
+ * of the non-encrypted additional authenticated data each time.
+ * -# Call psa_aead_update() zero, one or more times, passing a fragment
+ * of the ciphertext to decrypt each time.
+ * -# Call psa_aead_verify().
+ *
+ * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
+ * the operation will need to be reset by a call to psa_aead_abort(). The
+ * application may call psa_aead_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_aead_decrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_aead_verify().
+ * - A call to psa_aead_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_aead_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Generate a random nonce for an authenticated encryption operation.
+ *
+ * This function generates a random nonce for the authenticated encryption
+ * operation with an appropriate size for the chosen algorithm, key type
+ * and key size.
+ *
+ * The application must call psa_aead_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] nonce Buffer where the generated nonce is to be
+ * written.
+ * \param nonce_size Size of the \p nonce buffer in bytes.
+ * \param[out] nonce_length On success, the number of bytes of the
+ * generated nonce.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p nonce buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active aead encrypt
+ * operation, with no nonce set), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
+ uint8_t *nonce,
+ size_t nonce_size,
+ size_t *nonce_length);
+
+/** Set the nonce for an authenticated encryption or decryption operation.
+ *
+ * This function sets the nonce for the authenticated
+ * encryption or decryption operation.
+ *
+ * The application must call psa_aead_encrypt_setup() or
+ * psa_aead_decrypt_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \note When encrypting, applications should use psa_aead_generate_nonce()
+ * instead of this function, unless implementing a protocol that requires
+ * a non-random IV.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] nonce Buffer containing the nonce to use.
+ * \param nonce_length Size of the nonce in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p nonce is not acceptable for the chosen algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with no nonce
+ * set), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length);
+
+/** Declare the lengths of the message and additional data for AEAD.
+ *
+ * The application must call this function before calling
+ * psa_aead_update_ad() or psa_aead_update() if the algorithm for
+ * the operation requires it. If the algorithm does not require it,
+ * calling this function is optional, but if this function is called
+ * then the implementation must enforce the lengths.
+ *
+ * You may call this function before or after setting the nonce with
+ * psa_aead_set_nonce() or psa_aead_generate_nonce().
+ *
+ * - For #PSA_ALG_CCM, calling this function is required.
+ * - For the other AEAD algorithms defined in this specification, calling
+ * this function is not required.
+ * - For vendor-defined algorithm, refer to the vendor documentation.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param ad_length Size of the non-encrypted additional
+ * authenticated data in bytes.
+ * \param plaintext_length Size of the plaintext to encrypt in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * At least one of the lengths is not acceptable for the chosen
+ * algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and
+ * psa_aead_update_ad() and psa_aead_update() must not have been
+ * called yet), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length);
+
+/** Pass additional data to an active AEAD operation.
+ *
+ * Additional data is authenticated, but not encrypted.
+ *
+ * You may call this function multiple times to pass successive fragments
+ * of the additional data. You may not call this function after passing
+ * data to encrypt or decrypt with psa_aead_update().
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
+ * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
+ * there is no guarantee that the input is valid. Therefore, until
+ * you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
+ * treat the input as untrusted and prepare to undo any action that
+ * depends on the input if psa_aead_verify() returns an error status.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the fragment of
+ * additional data.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input length overflows the additional data length that
+ * was previously specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, have a nonce
+ * set, have lengths set if required by the algorithm, and
+ * psa_aead_update() must not have been called yet), or the library
+ * has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Encrypt or decrypt a message fragment in an active AEAD operation.
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
+ * The choice of setup function determines whether this function
+ * encrypts or decrypts its input.
+ * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
+ * 3. Call psa_aead_update_ad() to pass all the additional data.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
+ * there is no guarantee that the input is valid. Therefore, until
+ * you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
+ * - Do not use the output in any way other than storing it in a
+ * confidential location. If you take any action that depends
+ * on the tentative decrypted data, this action will need to be
+ * undone if the input turns out not to be valid. Furthermore,
+ * if an adversary can observe that this action took place
+ * (for example through timing), they may be able to use this
+ * fact as an oracle to decrypt any message encrypted with the
+ * same key.
+ * - In particular, do not copy the output anywhere but to a
+ * memory or storage space that you have exclusive access to.
+ *
+ * This function does not require the input to be aligned to any
+ * particular block boundary. If the implementation can only process
+ * a whole block at a time, it must consume all the input provided, but
+ * it may delay the end of the corresponding output until a subsequent
+ * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
+ * provides sufficient input. The amount of data that can be delayed
+ * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
+ * \c alg, \p input_length) where
+ * \c key_type is the type of key and \c alg is
+ * the algorithm that were used to set up the
+ * operation.
+ * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
+ * input_length) evaluates to the maximum
+ * output size of any supported AEAD
+ * algorithm.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
+ * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
+ * determine the required buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total input length overflows the plaintext length that
+ * was previously specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, have a nonce
+ * set, and have lengths set if required by the algorithm), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting a message in an AEAD operation.
+ *
+ * The operation must have been set up with psa_aead_encrypt_setup().
+ *
+ * This function finishes the authentication of the additional data
+ * formed by concatenating the inputs passed to preceding calls to
+ * psa_aead_update_ad() with the plaintext formed by concatenating the
+ * inputs passed to preceding calls to psa_aead_update().
+ *
+ * This function has two output buffers:
+ * - \p ciphertext contains trailing ciphertext that was buffered from
+ * preceding calls to psa_aead_update().
+ * - \p tag contains the authentication tag.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] ciphertext Buffer where the last part of the ciphertext
+ * is to be written.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] ciphertext_length On success, the number of bytes of
+ * returned ciphertext.
+ * \param[out] tag Buffer where the authentication tag is
+ * to be written.
+ * \param tag_size Size of the \p tag buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
+ * key_type, \c key_bits, \c alg) where
+ * \c key_type and \c key_bits are the type and
+ * bit-size of the key, and \c alg is the
+ * algorithm that were used in the call to
+ * psa_aead_encrypt_setup().
+ * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
+ * maximum tag size of any supported AEAD
+ * algorithm.
+ * \param[out] tag_length On success, the number of bytes
+ * that make up the returned tag.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p ciphertext or \p tag buffer is too small.
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
+ * #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
+ * required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
+ * \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
+ * determine the required \p tag buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total length of input to psa_aead_update() so far is
+ * less than the plaintext length that was previously
+ * specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active encryption
+ * operation with a nonce set), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length);
+
+/** Finish authenticating and decrypting a message in an AEAD operation.
+ *
+ * The operation must have been set up with psa_aead_decrypt_setup().
+ *
+ * This function finishes the authenticated decryption of the message
+ * components:
+ *
+ * - The additional data consisting of the concatenation of the inputs
+ * passed to preceding calls to psa_aead_update_ad().
+ * - The ciphertext consisting of the concatenation of the inputs passed to
+ * preceding calls to psa_aead_update().
+ * - The tag passed to this function call.
+ *
+ * If the authentication tag is correct, this function outputs any remaining
+ * plaintext and reports success. If the authentication tag is not correct,
+ * this function returns #PSA_ERROR_INVALID_SIGNATURE.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual tag and the expected tag is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] plaintext Buffer where the last part of the plaintext
+ * is to be written. This is the remaining data
+ * from previous calls to psa_aead_update()
+ * that could not be processed until the end
+ * of the input.
+ * \param plaintext_size Size of the \p plaintext buffer in bytes.
+ * This must be appropriate for the selected algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] plaintext_length On success, the number of bytes of
+ * returned plaintext.
+ * \param[in] tag Buffer containing the authentication tag.
+ * \param tag_length Size of the \p tag buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculations were successful, but the authentication tag is
+ * not correct.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p plaintext buffer is too small.
+ * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
+ * #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
+ * required buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total length of input to psa_aead_update() so far is
+ * less than the plaintext length that was previously
+ * specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active decryption
+ * operation with a nonce set), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag,
+ size_t tag_length);
+
+/** Abort an AEAD operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized as described in #psa_aead_operation_t.
+ *
+ * In particular, calling psa_aead_abort() after the operation has been
+ * terminated by a call to psa_aead_abort(), psa_aead_finish() or
+ * psa_aead_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized AEAD operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
+
+/**
+ * \brief Import a key in binary format.
+ *
+ * This function supports any output from psa_export_key(). Refer to the
+ * documentation of psa_export_public_key() for the format of public keys
+ * and to the documentation of psa_export_key() for the format for
+ * other key types.
+ *
+ * The key data determines the key size. The attributes may optionally
+ * specify a key size; in this case it must match the size determined
+ * from the key data. A key size of 0 in \p attributes indicates that
+ * the key size is solely determined by the key data.
+ *
+ * Implementations must reject an attempt to import a key of size 0.
+ *
+ * This specification supports a single format for each key type.
+ * Implementations may support other formats as long as the standard
+ * format is supported. Implementations that support other formats
+ * should ensure that the formats are clearly unambiguous so as to
+ * minimize the risk that an invalid input is accidentally interpreted
+ * according to a different format.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * The key size is always determined from the
+ * \p data buffer.
+ * If the key size in \p attributes is nonzero,
+ * it must be equal to the size from \p data.
+ * \param[out] key On success, an identifier to the newly created key.
+ * For persistent keys, this is the key identifier
+ * defined in \p attributes.
+ * \c 0 on failure.
+ * \param[in] data Buffer containing the key data. The content of this
+ * buffer is interpreted according to the type declared
+ * in \p attributes.
+ * All implementations must support at least the format
+ * described in the documentation
+ * of psa_export_key() or psa_export_public_key() for
+ * the chosen type. Implementations may allow other
+ * formats, but should be conservative: implementations
+ * should err on the side of rejecting content if it
+ * may be erroneous (e.g. wrong type or truncated data).
+ * \param data_length Size of the \p data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular persistent location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key attributes, as a whole, are invalid, or
+ * the key data is not correctly formatted, or
+ * the size in \p attributes is nonzero and does not match the size
+ * of the key data.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_svc_key_id_t *key);
+
+/** Retrieve the attributes of a key.
+ *
+ * This function first resets the attribute structure as with
+ * psa_reset_key_attributes(). It then copies the attributes of
+ * the given key into the given attribute structure.
+ *
+ * \note This function may allocate memory or other resources.
+ * Once you have called this function on an attribute structure,
+ * you must call psa_reset_key_attributes() to free these resources.
+ *
+ * \param[in] key Identifier of the key to query.
+ * \param[in,out] attributes On success, the attributes of the key.
+ * On failure, equivalent to a
+ * freshly-initialized structure.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes);
+
+/**
+ * \brief Destroy a key.
+ *
+ * This function destroys a key from both volatile
+ * memory and, if applicable, non-volatile storage. Implementations shall
+ * make a best effort to ensure that the key material cannot be recovered.
+ *
+ * This function also erases any metadata such as policies and frees
+ * resources associated with the key.
+ *
+ * If a key is currently in use in a multipart operation, then destroying the
+ * key will cause the multipart operation to fail.
+ *
+ * \warning We can only guarantee that the the key material will
+ * eventually be wiped from memory. With threading enabled
+ * and during concurrent execution, copies of the key material may
+ * still exist until all threads have finished using the key.
+ *
+ * \param key Identifier of the key to erase. If this is \c 0, do nothing and
+ * return #PSA_SUCCESS.
+ *
+ * \retval #PSA_SUCCESS
+ * \p key was a valid identifier and the key material that it
+ * referred to has been erased. Alternatively, \p key is \c 0.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key cannot be erased because it is
+ * read-only, either due to a policy or due to physical restrictions.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid identifier nor \c 0.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * There was a failure in communication with the cryptoprocessor.
+ * The key material may still be present in the cryptoprocessor.
+ * \retval #PSA_ERROR_DATA_INVALID
+ * This error is typically a result of either storage corruption on a
+ * cleartext storage backend, or an attempt to read data that was
+ * written by an incompatible version of the library.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The storage is corrupted. Implementations shall make a best effort
+ * to erase key material even in this stage, however applications
+ * should be aware that it may be impossible to guarantee that the
+ * key material is not recoverable in such cases.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * An unexpected condition which is not a storage corruption or
+ * a communication failure occurred. The cryptoprocessor may have
+ * been compromised.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Generate random bytes.
+ *
+ * \warning This function **can** fail! Callers MUST check the return status
+ * and MUST NOT use the content of the output buffer if the return
+ * status is not #PSA_SUCCESS.
+ *
+ * \note To generate a key, use psa_generate_key() instead.
+ *
+ * \param[out] output Output buffer for the generated data.
+ * \param output_size Number of bytes to generate and output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_random(uint8_t *output,
+ size_t output_size);
+
+/** Calculate the MAC (message authentication code) of a message.
+ *
+ * \note To verify the MAC of a message against an
+ * expected value, use psa_mac_verify() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * MAC values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the MAC value which could allow an attacker to guess
+ * a valid MAC and thereby bypass security controls.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p mac_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Calculate the MAC of a message and compare it with a reference value.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Size of the \p mac buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the input.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected value.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** The type of the state data structure for multipart MAC operations.
+ *
+ * Before calling any function on a MAC operation object, the application must
+ * initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_mac_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_mac_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_mac_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_mac_operation_t operation;
+ * operation = psa_mac_operation_init();
+ * \endcode
+ *
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_mac_operation_s psa_mac_operation_t;
+
+/** \def PSA_MAC_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a MAC operation object of type
+ * #psa_mac_operation_t.
+ */
+
+/** Return an initial value for a MAC operation object.
+ */
+static psa_mac_operation_t psa_mac_operation_init(void);
+
+/** Set up a multipart MAC calculation operation.
+ *
+ * This function sets up the calculation of the MAC
+ * (message authentication code) of a byte string.
+ * To verify the MAC of a message against an
+ * expected value, use psa_mac_verify_setup() instead.
+ *
+ * The sequence of operations to calculate a MAC is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
+ * -# Call psa_mac_sign_setup() to specify the algorithm and key.
+ * -# Call psa_mac_update() zero, one or more times, passing a fragment
+ * of the message each time. The MAC that is calculated is the MAC
+ * of the concatenation of these messages in order.
+ * -# At the end of the message, call psa_mac_sign_finish() to finish
+ * calculating the MAC value and retrieve it.
+ *
+ * If an error occurs at any step after a call to psa_mac_sign_setup(), the
+ * operation will need to be reset by a call to psa_mac_abort(). The
+ * application may call psa_mac_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_mac_sign_setup(), the application must
+ * eventually terminate the operation through one of the following methods:
+ * - A successful call to psa_mac_sign_finish().
+ * - A call to psa_mac_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_mac_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set up a multipart MAC verification operation.
+ *
+ * This function sets up the verification of the MAC
+ * (message authentication code) of a byte string against an expected value.
+ *
+ * The sequence of operations to verify a MAC is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
+ * -# Call psa_mac_verify_setup() to specify the algorithm and key.
+ * -# Call psa_mac_update() zero, one or more times, passing a fragment
+ * of the message each time. The MAC that is calculated is the MAC
+ * of the concatenation of these messages in order.
+ * -# At the end of the message, call psa_mac_verify_finish() to finish
+ * calculating the actual MAC of the message and verify it against
+ * the expected value.
+ *
+ * If an error occurs at any step after a call to psa_mac_verify_setup(), the
+ * operation will need to be reset by a call to psa_mac_abort(). The
+ * application may call psa_mac_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_mac_verify_setup(), the application must
+ * eventually terminate the operation through one of the following methods:
+ * - A successful call to psa_mac_verify_finish().
+ * - A call to psa_mac_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_mac_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage
+ * PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c key is not compatible with \c alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart MAC operation.
+ *
+ * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
+ * before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] input Buffer containing the message fragment to add to
+ * the MAC calculation.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_update(psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the MAC of a message.
+ *
+ * The application must call psa_mac_sign_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_mac_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \warning Applications should not call this function if they expect
+ * a specific value for the MAC. Call psa_mac_verify_finish() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * MAC values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the MAC value which could allow an attacker to guess
+ * a valid MAC and thereby bypass security controls.
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value. This is always
+ * #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg)
+ * where \c key_type and \c key_bits are the type and
+ * bit-size respectively of the key and \c alg is the
+ * MAC algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p mac buffer is too small. You can determine a
+ * sufficient buffer size by calling PSA_MAC_LENGTH().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac sign
+ * operation), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Finish the calculation of the MAC of a message and compare it with
+ * an expected value.
+ *
+ * The application must call psa_mac_verify_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_mac_update(). It then
+ * compares the calculated MAC with the expected MAC passed as a
+ * parameter to this function.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual MAC and the expected MAC is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Size of the \p mac buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected MAC.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac verify
+ * operation), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** Abort a MAC operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_mac_sign_setup() or psa_mac_verify_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_mac_operation_t.
+ *
+ * In particular, calling psa_mac_abort() after the operation has been
+ * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
+ * psa_mac_verify_finish() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized MAC operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
+
+/** Encrypt a message using a symmetric cipher.
+ *
+ * This function encrypts a message with a random IV (initialization
+ * vector). Use the multipart operation interface with a
+ * #psa_cipher_operation_t object to provide other forms of IV.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the message to encrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * The output contains the IV followed by
+ * the ciphertext proper.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Decrypt a message using a symmetric cipher.
+ *
+ * This function decrypts a message encrypted with a symmetric cipher.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the message to decrypt.
+ * This consists of the IV followed by the
+ * ciphertext proper.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the plaintext is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** The type of the state data structure for multipart cipher operations.
+ *
+ * Before calling any function on a cipher operation object, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_cipher_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_cipher_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_cipher_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_cipher_operation_t operation;
+ * operation = psa_cipher_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_cipher_operation_s psa_cipher_operation_t;
+
+/** \def PSA_CIPHER_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a cipher operation object of
+ * type #psa_cipher_operation_t.
+ */
+
+/** Return an initial value for a cipher operation object.
+ */
+static psa_cipher_operation_t psa_cipher_operation_init(void);
+
+/** Set the key for a multipart symmetric encryption operation.
+ *
+ * The sequence of operations to encrypt a message with a symmetric cipher
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_cipher_operation_t, e.g.
+ * #PSA_CIPHER_OPERATION_INIT.
+ * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
+ * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
+ * generate or set the IV (initialization vector). You should use
+ * psa_cipher_generate_iv() unless the protocol you are implementing
+ * requires a specific IV value.
+ * -# Call psa_cipher_update() zero, one or more times, passing a fragment
+ * of the message each time.
+ * -# Call psa_cipher_finish().
+ *
+ * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
+ * the operation will need to be reset by a call to psa_cipher_abort(). The
+ * application may call psa_cipher_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_cipher_encrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_cipher_finish().
+ * - A call to psa_cipher_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart symmetric decryption operation.
+ *
+ * The sequence of operations to decrypt a message with a symmetric cipher
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_cipher_operation_t, e.g.
+ * #PSA_CIPHER_OPERATION_INIT.
+ * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
+ * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
+ * decryption. If the IV is prepended to the ciphertext, you can call
+ * psa_cipher_update() on a buffer containing the IV followed by the
+ * beginning of the message.
+ * -# Call psa_cipher_update() zero, one or more times, passing a fragment
+ * of the message each time.
+ * -# Call psa_cipher_finish().
+ *
+ * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
+ * the operation will need to be reset by a call to psa_cipher_abort(). The
+ * application may call psa_cipher_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_cipher_decrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_cipher_finish().
+ * - A call to psa_cipher_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Generate an IV for a symmetric encryption operation.
+ *
+ * This function generates a random IV (initialization vector), nonce
+ * or initial counter value for the encryption operation as appropriate
+ * for the chosen algorithm, key type and key size.
+ *
+ * The application must call psa_cipher_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] iv Buffer where the generated IV is to be written.
+ * \param iv_size Size of the \p iv buffer in bytes.
+ * \param[out] iv_length On success, the number of bytes of the
+ * generated IV.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p iv buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with no IV set),
+ * or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+ uint8_t *iv,
+ size_t iv_size,
+ size_t *iv_length);
+
+/** Set the IV for a symmetric encryption or decryption operation.
+ *
+ * This function sets the IV (initialization vector), nonce
+ * or initial counter value for the encryption or decryption operation.
+ *
+ * The application must call psa_cipher_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \note When encrypting, applications should use psa_cipher_generate_iv()
+ * instead of this function, unless implementing a protocol that requires
+ * a non-random IV.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] iv Buffer containing the IV to use.
+ * \param iv_length Size of the IV in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active cipher
+ * encrypt operation, with no IV set), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
+ const uint8_t *iv,
+ size_t iv_length);
+
+/** Encrypt or decrypt a message fragment in an active cipher operation.
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
+ * The choice of setup function determines whether this function
+ * encrypts or decrypts its input.
+ * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
+ * (recommended when encrypting) or psa_cipher_set_iv().
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with an IV set
+ * if required for the algorithm), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting or decrypting a message in a cipher operation.
+ *
+ * The application must call psa_cipher_encrypt_setup() or
+ * psa_cipher_decrypt_setup() before calling this function. The choice
+ * of setup function determines whether this function encrypts or
+ * decrypts its input.
+ *
+ * This function finishes the encryption or decryption of the message
+ * formed by concatenating the inputs passed to preceding calls to
+ * psa_cipher_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with an IV set
+ * if required for the algorithm), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Abort a cipher operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized as described in #psa_cipher_operation_t.
+ *
+ * In particular, calling psa_cipher_abort() after the operation has been
+ * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
+ * is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized cipher operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
+
+/** \defgroup key_derivation Key derivation and pseudorandom generation
+ * @{
+ */
+
+/** The type of the state data structure for key derivation operations.
+ *
+ * Before calling any function on a key derivation operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_key_derivation_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_key_derivation_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_key_derivation_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_key_derivation_operation_t operation;
+ * operation = psa_key_derivation_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice.
+ */
+typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
+
+/** \def PSA_KEY_DERIVATION_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a key derivation operation
+ * object of type #psa_key_derivation_operation_t.
+ */
+
+/** Return an initial value for a key derivation operation object.
+ */
+static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
+
+/** Set up a key derivation operation.
+ *
+ * A key derivation algorithm takes some inputs and uses them to generate
+ * a byte stream in a deterministic way.
+ * This byte stream can be used to produce keys and other
+ * cryptographic material.
+ *
+ * To derive a key:
+ * -# Start with an initialized object of type #psa_key_derivation_operation_t.
+ * -# Call psa_key_derivation_setup() to select the algorithm.
+ * -# Provide the inputs for the key derivation by calling
+ * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
+ * as appropriate. Which inputs are needed, in what order, and whether
+ * they may be keys and if so of what type depends on the algorithm.
+ * -# Optionally set the operation's maximum capacity with
+ * psa_key_derivation_set_capacity(). You may do this before, in the middle
+ * of or after providing inputs. For some algorithms, this step is mandatory
+ * because the output depends on the maximum capacity.
+ * -# To derive a key, call psa_key_derivation_output_key() or
+ * psa_key_derivation_output_key_ext().
+ * To derive a byte string for a different purpose, call
+ * psa_key_derivation_output_bytes().
+ * Successive calls to these functions use successive output bytes
+ * calculated by the key derivation algorithm.
+ * -# Clean up the key derivation operation object with
+ * psa_key_derivation_abort().
+ *
+ * If this function returns an error, the key derivation operation object is
+ * not changed.
+ *
+ * If an error occurs at any step after a call to psa_key_derivation_setup(),
+ * the operation will need to be reset by a call to psa_key_derivation_abort().
+ *
+ * Implementations must reject an attempt to derive a key of size 0.
+ *
+ * \param[in,out] operation The key derivation operation object
+ * to set up. It must
+ * have been initialized but not set up yet.
+ * \param alg The key derivation algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c alg is not a key derivation algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a key derivation algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_setup(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Retrieve the current capacity of a key derivation operation.
+ *
+ * The capacity of a key derivation is the maximum number of bytes that it can
+ * return. When you get *N* bytes of output from a key derivation operation,
+ * this reduces its capacity by *N*.
+ *
+ * \param[in] operation The operation to query.
+ * \param[out] capacity On success, the capacity of the operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *operation,
+ size_t *capacity);
+
+/** Set the maximum capacity of a key derivation operation.
+ *
+ * The capacity of a key derivation operation is the maximum number of bytes
+ * that the key derivation operation can return from this point onwards.
+ *
+ * \param[in,out] operation The key derivation operation object to modify.
+ * \param capacity The new capacity of the operation.
+ * It must be less or equal to the operation's
+ * current capacity.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p capacity is larger than the operation's current capacity.
+ * In this case, the operation object remains valid and its capacity
+ * remains unchanged.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *operation,
+ size_t capacity);
+
+/** Use the maximum possible capacity for a key derivation operation.
+ *
+ * Use this value as the capacity argument when setting up a key derivation
+ * to indicate that the operation should have the maximum possible capacity.
+ * The value of the maximum possible capacity depends on the key derivation
+ * algorithm.
+ */
+#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t) (-1))
+
+/** Provide an input for key derivation or key agreement.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function passes direct inputs, which is usually correct for
+ * non-secret inputs. To pass a secret input, which should be in a key
+ * object, call psa_key_derivation_input_key() instead of this function.
+ * Refer to the documentation of individual step types
+ * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
+ * for more information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param[in] data Input data to use.
+ * \param data_length Size of the \p data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow direct inputs.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length);
+
+/** Provide a numeric input for key derivation or key agreement.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * However, when an algorithm requires a particular order, numeric inputs
+ * usually come first as they tend to be configuration parameters.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function is used for inputs which are fixed-size non-negative
+ * integers.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param[in] value The value of the numeric input.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow numeric inputs.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value);
+
+/** Provide an input for key derivation in the form of a key.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function obtains input from a key object, which is usually correct for
+ * secret inputs or for non-secret personalization strings kept in the key
+ * store. To pass a non-secret parameter which is not in the key store,
+ * call psa_key_derivation_input_bytes() instead of this function.
+ * Refer to the documentation of individual step types
+ * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
+ * for more information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param key Identifier of the key. It must have an
+ * appropriate type for step and must allow the
+ * usage #PSA_KEY_USAGE_DERIVE or
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
+ * and the algorithm used by the operation.
+ *
+ * \note Once all inputs steps are completed, the operations will allow:
+ * - psa_key_derivation_output_bytes() if each input was either a direct input
+ * or a key with #PSA_KEY_USAGE_DERIVE set;
+ * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext()
+ * if the input for step
+ * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
+ * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
+ * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set;
+ * - psa_key_derivation_verify_bytes() if each input was either a direct input
+ * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
+ * - psa_key_derivation_verify_key() under the same conditions as
+ * psa_key_derivation_verify_bytes().
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key allows neither #PSA_KEY_USAGE_DERIVE nor
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
+ * algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow key inputs of the given type
+ * or does not allow key inputs at all.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t key);
+
+/** Perform a key agreement and use the shared secret as input to a key
+ * derivation.
+ *
+ * A key agreement algorithm takes two inputs: a private key \p private_key
+ * a public key \p peer_key.
+ * The result of this function is passed as input to a key derivation.
+ * The output of this key derivation can be extracted by reading from the
+ * resulting operation to produce keys and other cryptographic material.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() with a
+ * key agreement and derivation algorithm
+ * \c alg (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
+ * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
+ * is false).
+ * The operation must be ready for an
+ * input of the type given by \p step.
+ * \param step Which step the input data is for.
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
+ * \param[in] peer_key Public key of the peer. The peer key must be in the
+ * same format that psa_import_key() accepts for the
+ * public key type corresponding to the type of
+ * private_key. That is, this function performs the
+ * equivalent of
+ * #psa_import_key(...,
+ * `peer_key`, `peer_key_length`) where
+ * with key attributes indicating the public key
+ * type corresponding to the type of `private_key`.
+ * For example, for EC keys, this means that peer_key
+ * is interpreted as a point on the curve that the
+ * private key is on. The standard formats for public
+ * keys are documented in the documentation of
+ * psa_export_public_key().
+ * \param peer_key_length Size of \p peer_key in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c private_key is not compatible with \c alg,
+ * or \p peer_key is not valid for \c alg or not compatible with
+ * \c private_key, or \c step does not allow an input resulting
+ * from a key agreement.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a key derivation algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this key agreement \p step,
+ * or the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length);
+
+/** Read some data from a key derivation operation.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * return those bytes.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the requested number of bytes from the
+ * stream.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[out] output Buffer where the output will be written.
+ * \param output_length Number of bytes to output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * One of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * \p output_length bytes. Note that in this case,
+ * no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output,
+ size_t output_length);
+
+/** Derive a key from an ongoing key derivation operation.
+ *
+ * This function calculates output bytes from a key derivation algorithm
+ * and uses those bytes to generate a key deterministically.
+ * The key's location, usage policy, type and size are taken from
+ * \p attributes.
+ *
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads as many bytes as required from the
+ * stream.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * How much output is produced and consumed from the operation, and how
+ * the key is derived, depends on the key type and on the key size
+ * (denoted \c bits below):
+ *
+ * - For key types for which the key is an arbitrary sequence of bytes
+ * of a given size, this function is functionally equivalent to
+ * calling #psa_key_derivation_output_bytes
+ * and passing the resulting output to #psa_import_key.
+ * However, this function has a security benefit:
+ * if the implementation provides an isolation boundary then
+ * the key material is not exposed outside the isolation boundary.
+ * As a consequence, for these key types, this function always consumes
+ * exactly (\c bits / 8) bytes from the operation.
+ * The following key types defined in this specification follow this scheme:
+ *
+ * - #PSA_KEY_TYPE_AES;
+ * - #PSA_KEY_TYPE_ARIA;
+ * - #PSA_KEY_TYPE_CAMELLIA;
+ * - #PSA_KEY_TYPE_DERIVE;
+ * - #PSA_KEY_TYPE_HMAC;
+ * - #PSA_KEY_TYPE_PASSWORD_HASH.
+ *
+ * - For ECC keys on a Montgomery elliptic curve
+ * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
+ * Montgomery curve), this function always draws a byte string whose
+ * length is determined by the curve, and sets the mandatory bits
+ * accordingly. That is:
+ *
+ * - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
+ * string and process it as specified in RFC 7748 &sect;5.
+ * - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
+ * string and process it as specified in RFC 7748 &sect;5.
+ *
+ * - For key types for which the key is represented by a single sequence of
+ * \c bits bits with constraints as to which bit sequences are acceptable,
+ * this function draws a byte string of length (\c bits / 8) bytes rounded
+ * up to the nearest whole number of bytes. If the resulting byte string
+ * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
+ * This process is repeated until an acceptable byte string is drawn.
+ * The byte string drawn from the operation is interpreted as specified
+ * for the output produced by psa_export_key().
+ * The following key types defined in this specification follow this scheme:
+ *
+ * - #PSA_KEY_TYPE_DES.
+ * Force-set the parity bits, but discard forbidden weak keys.
+ * For 2-key and 3-key triple-DES, the three keys are generated
+ * successively (for example, for 3-key triple-DES,
+ * if the first 8 bytes specify a weak key and the next 8 bytes do not,
+ * discard the first 8 bytes, use the next 8 bytes as the first key,
+ * and continue reading output from the operation to derive the other
+ * two keys).
+ * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
+ * where \c group designates any Diffie-Hellman group) and
+ * ECC keys on a Weierstrass elliptic curve
+ * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
+ * Weierstrass curve).
+ * For these key types, interpret the byte string as integer
+ * in big-endian order. Discard it if it is not in the range
+ * [0, *N* - 2] where *N* is the boundary of the private key domain
+ * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
+ * or the order of the curve's base point for ECC).
+ * Add 1 to the resulting integer and use this as the private key *x*.
+ * This method allows compliance to NIST standards, specifically
+ * the methods titled "key-pair generation by testing candidates"
+ * in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
+ * in FIPS 186-4 &sect;B.1.2 for DSA, and
+ * in NIST SP 800-56A &sect;5.6.1.2.2 or
+ * FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
+ *
+ * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
+ * the way in which the operation output is consumed is
+ * implementation-defined.
+ *
+ * In all cases, the data that is read is discarded from the operation.
+ * The operation's capacity is decreased by the number of bytes read.
+ *
+ * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
+ * the input to that step must be provided with psa_key_derivation_input_key().
+ * Future versions of this specification may include additional restrictions
+ * on the derived key based on the attributes and strength of the secret key.
+ *
+ * \note This function is equivalent to calling
+ * psa_key_derivation_output_key_ext()
+ * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * and `params_data_length == 0` (i.e. `params->data` is empty).
+ *
+ * \param[in] attributes The attributes for the new key.
+ * If the key type to be created is
+ * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
+ * the policy must be the same as in the current
+ * operation.
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * There was not enough data to create the desired key.
+ * Note that in this case, no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus subsequent calls to
+ * this function will not succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The provided key attributes are not valid for the operation.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
+ * key; or one of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ mbedtls_svc_key_id_t *key);
+
+/** Derive a key from an ongoing key derivation operation with custom
+ * production parameters.
+ *
+ * See the description of psa_key_derivation_out_key() for the operation of
+ * this function with the default production parameters.
+ * Mbed TLS currently does not currently support any non-default production
+ * parameters.
+ *
+ * \note This function is experimental and may change in future minor
+ * versions of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * If the key type to be created is
+ * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
+ * the policy must be the same as in the current
+ * operation.
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] params Customization parameters for the key derivation.
+ * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * with \p params_data_length = 0,
+ * this function is equivalent to
+ * psa_key_derivation_output_key().
+ * Mbed TLS currently only supports the default
+ * production parameters, i.e.
+ * #PSA_KEY_PRODUCTION_PARAMETERS_INIT,
+ * for all key types.
+ * \param params_data_length
+ * Length of `params->data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * There was not enough data to create the desired key.
+ * Note that in this case, no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus subsequent calls to
+ * this function will not succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The provided key attributes are not valid for the operation.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
+ * key; or one of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key);
+
+/** Compare output data from a key derivation operation to an expected value.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * compares those bytes to an expected value in constant time.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the expected number of bytes from the
+ * stream before comparing them.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * This is functionally equivalent to the following code:
+ * \code
+ * psa_key_derivation_output_bytes(operation, tmp, output_length);
+ * if (memcmp(output, tmp, output_length) != 0)
+ * return PSA_ERROR_INVALID_SIGNATURE;
+ * \endcode
+ * except (1) it works even if the key's policy does not allow outputting the
+ * bytes, and (2) the comparison will be done in constant time.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
+ * the operation enters an error state and must be aborted by calling
+ * psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] expected_output Buffer containing the expected derivation output.
+ * \param output_length Length of the expected output; this is also the
+ * number of bytes that will be read.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The output was read successfully, but it differs from the expected
+ * output.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * One of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * \p output_length bytes. Note that in this case,
+ * the operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller expected output.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_verify_bytes(
+ psa_key_derivation_operation_t *operation,
+ const uint8_t *expected_output,
+ size_t output_length);
+
+/** Compare output data from a key derivation operation to an expected value
+ * stored in a key object.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * compares those bytes to an expected value, provided as key of type
+ * #PSA_KEY_TYPE_PASSWORD_HASH.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the number of bytes corresponding to the
+ * length of the expected value from the stream before comparing them.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * This is functionally equivalent to exporting the key and calling
+ * psa_key_derivation_verify_bytes() on the result, except that it
+ * works even if the key cannot be exported.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
+ * the operation enters an error state and must be aborted by calling
+ * psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH
+ * containing the expected output. Its policy must
+ * include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
+ * and the permitted algorithm must match the
+ * operation. The value of this key was likely
+ * computed by a previous call to
+ * psa_key_derivation_output_key() or
+ * psa_key_derivation_output_key_ext().
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The output was read successfully, but if differs from the expected
+ * output.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * The key passed as the expected value does not exist.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key passed as the expected value has an invalid type.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key passed as the expected value does not allow this usage or
+ * this algorithm; or one of the inputs was a key whose policy didn't
+ * allow #PSA_KEY_USAGE_VERIFY_DERIVATION.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * the length of the expected value. In this case,
+ * the operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller expected output.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_verify_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_id_t expected);
+
+/** Abort a key derivation operation.
+ *
+ * Aborting an operation frees all associated resources except for the \c
+ * operation structure itself. Once aborted, the operation object can be reused
+ * for another operation by calling psa_key_derivation_setup() again.
+ *
+ * This function may be called at any time after the operation
+ * object has been initialized as described in #psa_key_derivation_operation_t.
+ *
+ * In particular, it is valid to call psa_key_derivation_abort() twice, or to
+ * call psa_key_derivation_abort() on an operation that has not been set up.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_abort(
+ psa_key_derivation_operation_t *operation);
+
+/** Perform a key agreement and return the raw shared secret.
+ *
+ * \warning The raw result of a key agreement algorithm such as finite-field
+ * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
+ * not be used directly as key material. It should instead be passed as
+ * input to a key derivation algorithm. To chain a key agreement with
+ * a key derivation, use psa_key_derivation_key_agreement() and other
+ * functions from the key derivation interface.
+ *
+ * \param alg The key agreement algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
+ * is true).
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
+ * \param[in] peer_key Public key of the peer. It must be
+ * in the same format that psa_import_key()
+ * accepts. The standard formats for public
+ * keys are documented in the documentation
+ * of psa_export_public_key().
+ * \param peer_key_length Size of \p peer_key in bytes.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p output_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief Generate a key or key pair.
+ *
+ * The key is generated randomly.
+ * Its location, usage policy, type and size are taken from \p attributes.
+ *
+ * Implementations must reject an attempt to generate a key of size 0.
+ *
+ * The following type-specific considerations apply:
+ * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
+ * the public exponent is 65537.
+ * The modulus is a product of two probabilistic primes
+ * between 2^{n-1} and 2^n where n is the bit size specified in the
+ * attributes.
+ *
+ * \note This function is equivalent to calling psa_generate_key_ext()
+ * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * and `params_data_length == 0` (i.e. `params->data` is empty).
+ *
+ * \param[in] attributes The attributes for the new key.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key);
+
+/**
+ * \brief Generate a key or key pair using custom production parameters.
+ *
+ * See the description of psa_generate_key() for the operation of this
+ * function with the default production parameters. In addition, this function
+ * supports the following production customizations, described in more detail
+ * in the documentation of ::psa_key_production_parameters_t:
+ *
+ * - RSA keys: generation with a custom public exponent.
+ *
+ * \note This function is experimental and may change in future minor
+ * versions of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * \param[in] params Customization parameters for the key generation.
+ * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * with \p params_data_length = 0,
+ * this function is equivalent to
+ * psa_generate_key().
+ * \param params_data_length
+ * Length of `params->data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key);
+
+/**
+ * \brief Sign a message with a private key. For hash-and-sign algorithms,
+ * this includes the hashing step.
+ *
+ * \note To perform a multi-part hash-and-sign signature algorithm, first use
+ * a multi-part hash operation and then pass the resulting hash to
+ * psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
+ * hash algorithm to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The input message to sign.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and
+ * bit-size respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/** \brief Verify the signature of a message with a public key, using
+ * a hash-and-sign verification algorithm.
+ *
+ * \note To perform a multi-part hash-and-sign signature verification
+ * algorithm, first use a multi-part hash operation to hash the message
+ * and then pass the resulting hash to psa_verify_hash().
+ * PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
+ * to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The message whose signature is to be verified.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed signature
+ * is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+/**
+ * \brief Sign a hash or short message with a private key.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
+ * Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Verify the signature of a hash or short message using a public key.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
+ * Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must be a public key or an asymmetric key pair. The
+ * key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+/**
+ * \brief Encrypt a short message with a public key.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg An asymmetric encryption algorithm that is
+ * compatible with the type of \p key.
+ * \param[in] input The message to encrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the encrypted message is to
+ * be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief Decrypt a short message with a private key.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. It must
+ * allow the usage #PSA_KEY_USAGE_DECRYPT.
+ * \param alg An asymmetric encryption algorithm that is
+ * compatible with the type of \p key.
+ * \param[in] input The message to decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Remove non-essential copies of key material from memory.
+ *
+ * If the key identifier designates a volatile key, this functions does not do
+ * anything and returns successfully.
+ *
+ * If the key identifier designates a persistent key, then this function will
+ * free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and the key can still be used.
+ *
+ * \param key Identifier of the key to purge.
+ *
+ * \retval #PSA_SUCCESS
+ * The key material will have been removed from memory if it is not
+ * currently required.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_purge_key(mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Export a key in binary format.
+ *
+ * The output of this function can be passed to psa_import_key() to
+ * create an equivalent object.
+ *
+ * If the implementation of psa_import_key() supports other formats
+ * beyond the format specified here, the output from psa_export_key()
+ * must use the representation specified here, not the original
+ * representation.
+ *
+ * For standard key types, the output format is as follows:
+ *
+ * - For symmetric keys (including MAC keys), the format is the
+ * raw bytes of the key.
+ * - For DES, the key data consists of 8 bytes. The parity bits must be
+ * correct.
+ * - For Triple-DES, the format is the concatenation of the
+ * two or three DES keys.
+ * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
+ * is the non-encrypted DER encoding of the representation defined by
+ * PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
+ * ```
+ * RSAPrivateKey ::= SEQUENCE {
+ * version INTEGER, -- must be 0
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER, -- e
+ * privateExponent INTEGER, -- d
+ * prime1 INTEGER, -- p
+ * prime2 INTEGER, -- q
+ * exponent1 INTEGER, -- d mod (p-1)
+ * exponent2 INTEGER, -- d mod (q-1)
+ * coefficient INTEGER, -- (inverse of q) mod p
+ * }
+ * ```
+ * - For elliptic curve key pairs (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
+ * a representation of the private value as a `ceiling(m/8)`-byte string
+ * where `m` is the bit size associated with the curve, i.e. the bit size
+ * of the order of the curve's coordinate field. This byte string is
+ * in little-endian order for Montgomery curves (curve types
+ * `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
+ * curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
+ * and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
+ * For Weierstrass curves, this is the content of the `privateKey` field of
+ * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
+ * the format is defined by RFC 7748, and output is masked according to §5.
+ * For twisted Edwards curves, the private key is as defined by RFC 8032
+ * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
+ * - For Diffie-Hellman key exchange key pairs (key types for which
+ * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
+ * format is the representation of the private key `x` as a big-endian byte
+ * string. The length of the byte string is the private key size in bytes
+ * (leading zeroes are not stripped).
+ * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
+ * true), the format is the same as for psa_export_public_key().
+ *
+ * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
+ *
+ * \param key Identifier of the key to export. It must allow the
+ * usage #PSA_KEY_USAGE_EXPORT, unless it is a public
+ * key.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes
+ * that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_EXPORT flag.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p data buffer is too small. You can determine a
+ * sufficient buffer size by calling
+ * #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
+ * where \c type is the key type
+ * and \c bits is the key size in bits.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Export a public key or the public part of a key pair in binary format.
+ *
+ * The output of this function can be passed to psa_import_key() to
+ * create an object that is equivalent to the public key.
+ *
+ * This specification supports a single format for each key type.
+ * Implementations may support other formats as long as the standard
+ * format is supported. Implementations that support other formats
+ * should ensure that the formats are clearly unambiguous so as to
+ * minimize the risk that an invalid input is accidentally interpreted
+ * according to a different format.
+ *
+ * For standard key types, the output format is as follows:
+ * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
+ * the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
+ * ```
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER } -- e
+ * ```
+ * - For elliptic curve keys on a twisted Edwards curve (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY
+ * returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined
+ * by RFC 8032
+ * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
+ * - For other elliptic curve public keys (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
+ * representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
+ * Let `m` be the bit size associated with the curve, i.e. the bit size of
+ * `q` for a curve over `F_q`. The representation consists of:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
+ * - For Diffie-Hellman key exchange public keys (key types for which
+ * #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
+ * the format is the representation of the public key `y = g^x mod p` as a
+ * big-endian byte string. The length of the byte string is the length of the
+ * base prime `p` in bytes.
+ *
+ * Exporting a public key object or the public part of a key pair is
+ * always permitted, regardless of the key's usage flags.
+ *
+ * \param key Identifier of the key to export.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes
+ * that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key is neither a public key nor a key pair.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p data buffer is too small. You can determine a
+ * sufficient buffer size by calling
+ * #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
+ * where \c type is the key type
+ * and \c bits is the key size in bits.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Set the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note The time taken to execute a single op is
+ * implementation specific and depends on
+ * software, hardware, the algorithm, key type and
+ * curve chosen. Even within a single operation,
+ * successive ops can take differing amounts of
+ * time. The only guarantee is that lower values
+ * for \p max_ops means functions will block for a
+ * lesser maximum amount of time. The functions
+ * \c psa_sign_interruptible_get_num_ops() and
+ * \c psa_verify_interruptible_get_num_ops() are
+ * provided to help with tuning this value.
+ *
+ * \note This value defaults to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
+ * means the whole operation will be done in one
+ * go, regardless of the number of ops required.
+ *
+ * \note If more ops are needed to complete a
+ * computation, #PSA_OPERATION_INCOMPLETE will be
+ * returned by the function performing the
+ * computation. It is then the caller's
+ * responsibility to either call again with the
+ * same operation context until it returns 0 or an
+ * error code; or to call the relevant abort
+ * function if the answer is no longer required.
+ *
+ * \note The interpretation of \p max_ops is also
+ * implementation defined. On a hard real time
+ * system, this can indicate a hard deadline, as a
+ * real-time system needs a guarantee of not
+ * spending more than X time, however care must be
+ * taken in such an implementation to avoid the
+ * situation whereby calls just return, not being
+ * able to do any actual work within the allotted
+ * time. On a non-real-time system, the
+ * implementation can be more relaxed, but again
+ * whether this number should be interpreted as as
+ * hard or soft limit or even whether a less than
+ * or equals as regards to ops executed in a
+ * single call is implementation defined.
+ *
+ * \note For keys in local storage when no accelerator
+ * driver applies, please see also the
+ * documentation for \c mbedtls_ecp_set_max_ops(),
+ * which is the internal implementation in these
+ * cases.
+ *
+ * \warning With implementations that interpret this number
+ * as a hard limit, setting this number too small
+ * may result in an infinite loop, whereby each
+ * call results in immediate return with no ops
+ * done (as there is not enough time to execute
+ * any), and thus no result will ever be achieved.
+ *
+ * \note This only applies to functions whose
+ * documentation mentions they may return
+ * #PSA_OPERATION_INCOMPLETE.
+ *
+ * \param max_ops The maximum number of ops to be executed in a
+ * single call. This can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is the least amount of work done per call.
+ */
+void psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call. This will return the last
+ * value set by
+ * \c psa_interruptible_set_max_ops() or
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
+ * that function has never been called.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \return Maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ */
+uint32_t psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling
+ * \c psa_sign_hash_interruptible_abort() on
+ * the operation, a value of 0 will be returned.
+ *
+ * \note This interface is guaranteed re-entrant and
+ * thus may be called from driver code.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling \c
+ * psa_verify_hash_interruptible_abort() on the
+ * operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c
+ * psa_verify_hash_interruptible_operation_t to
+ * use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a
+ * private key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_complete() is equivalent to
+ * \c psa_sign_hash() but
+ * \c psa_sign_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call \c psa_sign_hash_complete()
+ * repeatedly on the same context after a
+ * successful call to this function until \c
+ * psa_sign_hash_complete() either returns 0 or an
+ * error. \c psa_sign_hash_complete() will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
+ * not permit the requested algorithm.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation has previously been started on this context, and is
+ * still in progress.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * signing a hash or short message with a private
+ * key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_start() is equivalent to
+ * \c psa_sign_hash() but this function can return
+ * early and resume according to the limit set with
+ * \c psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_sign_hash_start() called with it
+ * first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
+ * key_bits, \c alg) where \c key_type and \c
+ * key_bits are the type and bit-size
+ * respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \c key.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_sign_hash_start().
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_sign_hash_start() with this operation object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function is the only function that clears
+ * the number of ops completed as part of the
+ * operation. Please ensure you copy this value via
+ * \c psa_sign_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the \p operation structure
+ * itself. Once aborted, the operation object can
+ * be reused for another operation by calling \c
+ * psa_sign_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized. In
+ * particular, calling \c psa_sign_hash_abort()
+ * after the operation has already been terminated
+ * by a call to \c psa_sign_hash_abort() or
+ * psa_sign_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized sign hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short
+ * message, in an interruptible manner.
+ *
+ * \see \c psa_verify_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_complete() is equivalent to
+ * \c psa_verify_hash() but \c
+ * psa_verify_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function.
+ *
+ * \note Users should call \c psa_verify_hash_complete()
+ * repeatedly on the same operation object after a
+ * successful call to this function until \c
+ * psa_verify_hash_complete() either returns 0 or
+ * an error. \c psa_verify_hash_complete() will
+ * return #PSA_OPERATION_INCOMPLETE if there is
+ * more work to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - please call \c
+ * psa_verify_hash_complete() with the same context to complete the
+ * operation.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * Another operation has already been started on this context, and is
+ * still in progress.
+ *
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
+ * not permit the requested algorithm.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * reading and verifying a hash or short message
+ * signed with a private key, in an interruptible
+ * manner.
+ *
+ * \see \c psa_verify_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_start() is equivalent to
+ * \c psa_verify_hash() but this function can
+ * return early and resume according to the limit
+ * set with \c psa_interruptible_set_max_ops() to
+ * reduce the maximum time spent in a function
+ * call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_verify_hash_start() called with it
+ * first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_verify_hash_start().
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_verify_hash_start() on this object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at
+ * any point. It is not bound by the usual interface
+ * stability promises.
+ *
+ * \note This function is the only function that clears the
+ * number of ops completed as part of the operation.
+ * Please ensure you copy this value via
+ * \c psa_verify_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the operation structure
+ * itself. Once aborted, the operation object can be
+ * reused for another operation by calling \c
+ * psa_verify_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized.
+ * In particular, calling \c psa_verify_hash_abort()
+ * after the operation has already been terminated by
+ * a call to \c psa_verify_hash_abort() or
+ * psa_verify_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized verify hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/** Make a copy of a key.
+ *
+ * Copy key material from one location to another.
+ *
+ * This function is primarily useful to copy a key from one location
+ * to another, since it populates a key using the material from
+ * another key which may have a different lifetime.
+ *
+ * This function may be used to share a key with a different party,
+ * subject to implementation-defined restrictions on key sharing.
+ *
+ * The policy on the source key must have the usage flag
+ * #PSA_KEY_USAGE_COPY set.
+ * This flag is sufficient to permit the copy if the key has the lifetime
+ * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
+ * Some secure elements do not provide a way to copy a key without
+ * making it extractable from the secure element. If a key is located
+ * in such a secure element, then the key must have both usage flags
+ * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
+ * a copy of the key outside the secure element.
+ *
+ * The resulting key may only be used in a way that conforms to
+ * both the policy of the original key and the policy specified in
+ * the \p attributes parameter:
+ * - The usage flags on the resulting key are the bitwise-and of the
+ * usage flags on the source policy and the usage flags in \p attributes.
+ * - If both allow the same algorithm or wildcard-based
+ * algorithm policy, the resulting key has the same algorithm policy.
+ * - If either of the policies allows an algorithm and the other policy
+ * allows a wildcard-based algorithm policy that includes this algorithm,
+ * the resulting key allows the same algorithm.
+ * - If the policies do not allow any algorithm in common, this function
+ * fails with the status #PSA_ERROR_INVALID_ARGUMENT.
+ *
+ * The effect of this function on implementation-defined attributes is
+ * implementation-defined.
+ *
+ * \param source_key The key to copy. It must allow the usage
+ * #PSA_KEY_USAGE_COPY. If a private or secret key is
+ * being copied outside of a secure element it must
+ * also allow #PSA_KEY_USAGE_EXPORT.
+ * \param[in] attributes The attributes for the new key.
+ * They are used as follows:
+ * - The key type and size may be 0. If either is
+ * nonzero, it must match the corresponding
+ * attribute of the source key.
+ * - The key location (the lifetime and, for
+ * persistent keys, the key identifier) is
+ * used directly.
+ * - The policy constraints (usage flags and
+ * algorithm policy) are combined from
+ * the source key and \p attributes so that
+ * both sets of restrictions apply, as
+ * described in the documentation of this function.
+ * \param[out] target_key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p source_key is invalid.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The lifetime or identifier in \p attributes are invalid, or
+ * the policy constraints on the source and specified in
+ * \p attributes are incompatible, or
+ * \p attributes specifies a key type or key size
+ * which does not match the attributes of the source key.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
+ * the source key is not exportable and its lifetime does not
+ * allow copying it to the target's lifetime.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *target_key);
+
+/** Reset a key attribute structure to a freshly initialized state.
+ *
+ * You must initialize the attribute structure as described in the
+ * documentation of the type #psa_key_attributes_t before calling this
+ * function. Once the structure has been initialized, you may call this
+ * function at any time.
+ *
+ * This function frees any auxiliary resources that the structure
+ * may contain.
+ *
+ * \param[in,out] attributes The attribute structure to reset.
+ */
+void psa_reset_key_attributes(psa_key_attributes_t *attributes);
diff --git a/tests/psa-client-server/psasim/src/psa_sim_serialise.c b/tests/psa-client-server/psasim/src/psa_sim_serialise.c
new file mode 100644
index 0000000..92ecdd2
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_serialise.c
@@ -0,0 +1,1715 @@
+/**
+ * \file psa_sim_serialise.c
+ *
+ * \brief Rough-and-ready serialisation and deserialisation for the PSA Crypto simulator
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa_sim_serialise.h"
+#include "util.h"
+#include <stdlib.h>
+#include <string.h>
+
+/* Basic idea:
+ *
+ * All arguments to a function will be serialised into a single buffer to
+ * be sent to the server with the PSA crypto function to be called.
+ *
+ * All returned data (the function's return value and any values returned
+ * via `out` parameters) will similarly be serialised into a buffer to be
+ * sent back to the client from the server.
+ *
+ * For each data type foo (e.g. int, size_t, psa_algorithm_t, but also "buffer"
+ * where "buffer" is a (uint8_t *, size_t) pair, we have a pair of functions,
+ * psasim_serialise_foo() and psasim_deserialise_foo().
+ *
+ * We also have psasim_serialise_foo_needs() functions, which return a
+ * size_t giving the number of bytes that serialising that instance of that
+ * type will need. This allows callers to size buffers for serialisation.
+ *
+ * Each serialised buffer starts with a version byte, bytes that indicate
+ * the size of basic C types, and four bytes that indicate the endianness
+ * (to avoid incompatibilities if we ever run this over a network - we are
+ * not aiming for universality, just for correctness and simplicity).
+ *
+ * Most types are serialised as a fixed-size (per type) octet string, with
+ * no type indication. This is acceptable as (a) this is for the test PSA crypto
+ * simulator only, not production, and (b) these functions are called by
+ * code that itself is written by script.
+ *
+ * We also want to keep serialised data reasonably compact as communication
+ * between client and server goes in messages of less than 200 bytes each.
+ *
+ * Many serialisation functions can be created by a script; an exemplar Perl
+ * script is included. It is not hooked into the build and so must be run
+ * manually, but is expected to be replaced by a Python script in due course.
+ * Types that can have their functions created by script include plain old C
+ * data types (e.g. int), types typedef'd to those, and even structures that
+ * don't contain pointers.
+ */
+
+/* include/psa/crypto_platform.h:typedef uint32_t mbedtls_psa_client_handle_t;
+ * but we don't get it on server builds, so redefine it here with a unique type name
+ */
+typedef uint32_t psasim_client_handle_t;
+
+typedef struct psasim_operation_s {
+ psasim_client_handle_t handle;
+} psasim_operation_t;
+
+#define MAX_LIVE_HANDLES_PER_CLASS 100 /* this many slots */
+
+static psa_hash_operation_t hash_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t hash_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_hash_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_hash_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_hash_operation_handle++;
+ if (next_hash_operation_handle == 0) { /* wrapped around */
+ FATAL("Hash operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (hash_operation_handles[i] == 0) {
+ hash_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_hash_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (hash_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_aead_operation_t aead_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t aead_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_aead_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_aead_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_aead_operation_handle++;
+ if (next_aead_operation_handle == 0) { /* wrapped around */
+ FATAL("Aead operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (aead_operation_handles[i] == 0) {
+ aead_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_aead_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (aead_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_mac_operation_t mac_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t mac_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_mac_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_mac_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_mac_operation_handle++;
+ if (next_mac_operation_handle == 0) { /* wrapped around */
+ FATAL("Mac operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (mac_operation_handles[i] == 0) {
+ mac_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_mac_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (mac_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_cipher_operation_t cipher_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t cipher_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_cipher_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_cipher_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_cipher_operation_handle++;
+ if (next_cipher_operation_handle == 0) { /* wrapped around */
+ FATAL("Cipher operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (cipher_operation_handles[i] == 0) {
+ cipher_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_cipher_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (cipher_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_key_derivation_operation_t key_derivation_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t key_derivation_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_key_derivation_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_key_derivation_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_key_derivation_operation_handle++;
+ if (next_key_derivation_operation_handle == 0) { /* wrapped around */
+ FATAL("Key_derivation operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (key_derivation_operation_handles[i] == 0) {
+ key_derivation_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_key_derivation_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (key_derivation_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_sign_hash_interruptible_operation_t sign_hash_interruptible_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t sign_hash_interruptible_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_sign_hash_interruptible_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_sign_hash_interruptible_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_sign_hash_interruptible_operation_handle++;
+ if (next_sign_hash_interruptible_operation_handle == 0) { /* wrapped around */
+ FATAL("Sign_hash_interruptible operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (sign_hash_interruptible_operation_handles[i] == 0) {
+ sign_hash_interruptible_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_sign_hash_interruptible_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (sign_hash_interruptible_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+static psa_verify_hash_interruptible_operation_t verify_hash_interruptible_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t verify_hash_interruptible_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_verify_hash_interruptible_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_verify_hash_interruptible_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_verify_hash_interruptible_operation_handle++;
+ if (next_verify_hash_interruptible_operation_handle == 0) { /* wrapped around */
+ FATAL("Verify_hash_interruptible operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (verify_hash_interruptible_operation_handles[i] == 0) {
+ verify_hash_interruptible_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_verify_hash_interruptible_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (verify_hash_interruptible_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+
+size_t psasim_serialise_begin_needs(void)
+{
+ /* The serialisation buffer will
+ * start with a byte of 0 to indicate version 0,
+ * then have 1 byte each for length of int, long, void *,
+ * then have 4 bytes to indicate endianness. */
+ return 4 + sizeof(uint32_t);
+}
+
+int psasim_serialise_begin(uint8_t **pos, size_t *remaining)
+{
+ uint32_t endian = 0x1234;
+
+ if (*remaining < 4 + sizeof(endian)) {
+ return 0;
+ }
+
+ *(*pos)++ = 0; /* version */
+ *(*pos)++ = (uint8_t) sizeof(int);
+ *(*pos)++ = (uint8_t) sizeof(long);
+ *(*pos)++ = (uint8_t) sizeof(void *);
+
+ memcpy(*pos, &endian, sizeof(endian));
+
+ *pos += sizeof(endian);
+
+ return 1;
+}
+
+int psasim_deserialise_begin(uint8_t **pos, size_t *remaining)
+{
+ uint8_t version = 255;
+ uint8_t int_size = 0;
+ uint8_t long_size = 0;
+ uint8_t ptr_size = 0;
+ uint32_t endian;
+
+ if (*remaining < 4 + sizeof(endian)) {
+ return 0;
+ }
+
+ memcpy(&version, (*pos)++, sizeof(version));
+ if (version != 0) {
+ return 0;
+ }
+
+ memcpy(&int_size, (*pos)++, sizeof(int_size));
+ if (int_size != sizeof(int)) {
+ return 0;
+ }
+
+ memcpy(&long_size, (*pos)++, sizeof(long_size));
+ if (long_size != sizeof(long)) {
+ return 0;
+ }
+
+ memcpy(&ptr_size, (*pos)++, sizeof(ptr_size));
+ if (ptr_size != sizeof(void *)) {
+ return 0;
+ }
+
+ *remaining -= 4;
+
+ memcpy(&endian, *pos, sizeof(endian));
+ if (endian != 0x1234) {
+ return 0;
+ }
+
+ *pos += sizeof(endian);
+ *remaining -= sizeof(endian);
+
+ return 1;
+}
+
+size_t psasim_serialise_unsigned_int_needs(
+ unsigned int value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_unsigned_int(uint8_t **pos,
+ size_t *remaining,
+ unsigned int value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_unsigned_int(uint8_t **pos,
+ size_t *remaining,
+ unsigned int *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_int_needs(
+ int value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_int(uint8_t **pos,
+ size_t *remaining,
+ int value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_int(uint8_t **pos,
+ size_t *remaining,
+ int *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_size_t_needs(
+ size_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_size_t(uint8_t **pos,
+ size_t *remaining,
+ size_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_size_t(uint8_t **pos,
+ size_t *remaining,
+ size_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_uint16_t_needs(
+ uint16_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_uint16_t(uint8_t **pos,
+ size_t *remaining,
+ uint16_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_uint16_t(uint8_t **pos,
+ size_t *remaining,
+ uint16_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_uint32_t_needs(
+ uint32_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_uint32_t(uint8_t **pos,
+ size_t *remaining,
+ uint32_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_uint32_t(uint8_t **pos,
+ size_t *remaining,
+ uint32_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_uint64_t_needs(
+ uint64_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_uint64_t(uint8_t **pos,
+ size_t *remaining,
+ uint64_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_uint64_t(uint8_t **pos,
+ size_t *remaining,
+ uint64_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_buffer_needs(const uint8_t *buffer, size_t buffer_size)
+{
+ (void) buffer;
+ return sizeof(buffer_size) + buffer_size;
+}
+
+int psasim_serialise_buffer(uint8_t **pos,
+ size_t *remaining,
+ const uint8_t *buffer,
+ size_t buffer_length)
+{
+ if (*remaining < sizeof(buffer_length) + buffer_length) {
+ return 0;
+ }
+
+ memcpy(*pos, &buffer_length, sizeof(buffer_length));
+ *pos += sizeof(buffer_length);
+
+ if (buffer_length > 0) { // To be able to serialise (NULL, 0)
+ memcpy(*pos, buffer, buffer_length);
+ *pos += buffer_length;
+ }
+
+ return 1;
+}
+
+int psasim_deserialise_buffer(uint8_t **pos,
+ size_t *remaining,
+ uint8_t **buffer,
+ size_t *buffer_length)
+{
+ if (*remaining < sizeof(*buffer_length)) {
+ return 0;
+ }
+
+ memcpy(buffer_length, *pos, sizeof(*buffer_length));
+
+ *pos += sizeof(buffer_length);
+ *remaining -= sizeof(buffer_length);
+
+ if (*buffer_length == 0) { // Deserialise (NULL, 0)
+ *buffer = NULL;
+ return 1;
+ }
+
+ if (*remaining < *buffer_length) {
+ return 0;
+ }
+
+ uint8_t *data = malloc(*buffer_length);
+ if (data == NULL) {
+ return 0;
+ }
+
+ memcpy(data, *pos, *buffer_length);
+ *pos += *buffer_length;
+ *remaining -= *buffer_length;
+
+ *buffer = data;
+
+ return 1;
+}
+
+/* When the client is deserialising a buffer returned from the server, it needs
+ * to use this function to deserialised the returned buffer. It should use the
+ * usual \c psasim_serialise_buffer() function to serialise the outbound
+ * buffer. */
+int psasim_deserialise_return_buffer(uint8_t **pos,
+ size_t *remaining,
+ uint8_t *buffer,
+ size_t buffer_length)
+{
+ if (*remaining < sizeof(buffer_length)) {
+ return 0;
+ }
+
+ size_t length_check;
+
+ memcpy(&length_check, *pos, sizeof(buffer_length));
+
+ *pos += sizeof(buffer_length);
+ *remaining -= sizeof(buffer_length);
+
+ if (buffer_length != length_check) { // Make sure we're sent back the same we sent to the server
+ return 0;
+ }
+
+ if (length_check == 0) { // Deserialise (NULL, 0)
+ return 1;
+ }
+
+ if (*remaining < buffer_length) {
+ return 0;
+ }
+
+ memcpy(buffer, *pos, buffer_length);
+ *pos += buffer_length;
+ *remaining -= buffer_length;
+
+ return 1;
+}
+
+#define SER_TAG_SIZE 4
+
+size_t psasim_serialise_psa_key_production_parameters_t_needs(
+ const psa_key_production_parameters_t *params,
+ size_t data_length)
+{
+ /* We will serialise with 4-byte tag = "PKPP" + 4-byte overall length at the beginning,
+ * followed by size_t data_length, then the actual data from the structure.
+ */
+ return SER_TAG_SIZE + sizeof(uint32_t) + sizeof(data_length) + sizeof(*params) + data_length;
+}
+
+int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ const psa_key_production_parameters_t *params,
+ size_t data_length)
+{
+ if (data_length > UINT32_MAX / 2) { /* arbitrary limit */
+ return 0; /* too big to serialise */
+ }
+
+ /* We use 32-bit lengths, which should be enough for any reasonable usage :) */
+ /* (the UINT32_MAX / 2 above is an even more conservative check to avoid overflow here) */
+ uint32_t len = (uint32_t) (sizeof(data_length) + sizeof(*params) + data_length);
+ if (*remaining < SER_TAG_SIZE + sizeof(uint32_t) + len) {
+ return 0;
+ }
+
+ char tag[SER_TAG_SIZE] = "PKPP";
+
+ memcpy(*pos, tag, sizeof(tag));
+ memcpy(*pos + sizeof(tag), &len, sizeof(len));
+ *pos += sizeof(tag) + sizeof(len);
+ *remaining -= sizeof(tag) + sizeof(len);
+
+ memcpy(*pos, &data_length, sizeof(data_length));
+ memcpy(*pos + sizeof(data_length), params, sizeof(*params) + data_length);
+ *pos += sizeof(data_length) + sizeof(*params) + data_length;
+ *remaining -= sizeof(data_length) + sizeof(*params) + data_length;
+
+ return 1;
+}
+
+int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_production_parameters_t **params,
+ size_t *data_length)
+{
+ if (*remaining < SER_TAG_SIZE + sizeof(uint32_t)) {
+ return 0; /* can't even be an empty serialisation */
+ }
+
+ char tag[SER_TAG_SIZE] = "PKPP"; /* expected */
+ uint32_t len;
+
+ memcpy(&len, *pos + sizeof(tag), sizeof(len));
+
+ if (memcmp(*pos, tag, sizeof(tag)) != 0) {
+ return 0; /* wrong tag */
+ }
+
+ *pos += sizeof(tag) + sizeof(len);
+ *remaining -= sizeof(tag) + sizeof(len);
+
+ if (*remaining < sizeof(*data_length)) {
+ return 0; /* missing data_length */
+ }
+ memcpy(data_length, *pos, sizeof(*data_length));
+
+ if ((size_t) len != (sizeof(data_length) + sizeof(**params) + *data_length)) {
+ return 0; /* wrong length */
+ }
+
+ if (*remaining < sizeof(*data_length) + sizeof(**params) + *data_length) {
+ return 0; /* not enough data provided */
+ }
+
+ *pos += sizeof(data_length);
+ *remaining -= sizeof(data_length);
+
+ psa_key_production_parameters_t *out = malloc(sizeof(**params) + *data_length);
+ if (out == NULL) {
+ return 0; /* allocation failure */
+ }
+
+ memcpy(out, *pos, sizeof(*out) + *data_length);
+ *pos += sizeof(*out) + *data_length;
+ *remaining -= sizeof(*out) + *data_length;
+
+ *params = out;
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_status_t_needs(
+ psa_status_t value)
+{
+ return psasim_serialise_int_needs(value);
+}
+
+int psasim_serialise_psa_status_t(uint8_t **pos,
+ size_t *remaining,
+ psa_status_t value)
+{
+ return psasim_serialise_int(pos, remaining, value);
+}
+
+int psasim_deserialise_psa_status_t(uint8_t **pos,
+ size_t *remaining,
+ psa_status_t *value)
+{
+ return psasim_deserialise_int(pos, remaining, value);
+}
+
+size_t psasim_serialise_psa_algorithm_t_needs(
+ psa_algorithm_t value)
+{
+ return psasim_serialise_unsigned_int_needs(value);
+}
+
+int psasim_serialise_psa_algorithm_t(uint8_t **pos,
+ size_t *remaining,
+ psa_algorithm_t value)
+{
+ return psasim_serialise_unsigned_int(pos, remaining, value);
+}
+
+int psasim_deserialise_psa_algorithm_t(uint8_t **pos,
+ size_t *remaining,
+ psa_algorithm_t *value)
+{
+ return psasim_deserialise_unsigned_int(pos, remaining, value);
+}
+
+size_t psasim_serialise_psa_key_derivation_step_t_needs(
+ psa_key_derivation_step_t value)
+{
+ return psasim_serialise_uint16_t_needs(value);
+}
+
+int psasim_serialise_psa_key_derivation_step_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_step_t value)
+{
+ return psasim_serialise_uint16_t(pos, remaining, value);
+}
+
+int psasim_deserialise_psa_key_derivation_step_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_step_t *value)
+{
+ return psasim_deserialise_uint16_t(pos, remaining, value);
+}
+
+size_t psasim_serialise_psa_hash_operation_t_needs(
+ psa_hash_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_hash_operation_t_needs(
+ psa_hash_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - hash_operations;
+
+ if (completed) {
+ memset(&hash_operations[slot],
+ 0,
+ sizeof(psa_hash_operation_t));
+ hash_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = hash_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_hash_operation_slot();
+ } else {
+ slot = find_hash_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &hash_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_aead_operation_t_needs(
+ psa_aead_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_aead_operation_t_needs(
+ psa_aead_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - aead_operations;
+
+ if (completed) {
+ memset(&aead_operations[slot],
+ 0,
+ sizeof(psa_aead_operation_t));
+ aead_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = aead_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_aead_operation_slot();
+ } else {
+ slot = find_aead_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &aead_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_key_attributes_t_needs(
+ psa_key_attributes_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_key_attributes_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_attributes_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_key_attributes_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_attributes_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_mac_operation_t_needs(
+ psa_mac_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_mac_operation_t_needs(
+ psa_mac_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - mac_operations;
+
+ if (completed) {
+ memset(&mac_operations[slot],
+ 0,
+ sizeof(psa_mac_operation_t));
+ mac_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = mac_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_mac_operation_slot();
+ } else {
+ slot = find_mac_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &mac_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_cipher_operation_t_needs(
+ psa_cipher_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_cipher_operation_t_needs(
+ psa_cipher_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - cipher_operations;
+
+ if (completed) {
+ memset(&cipher_operations[slot],
+ 0,
+ sizeof(psa_cipher_operation_t));
+ cipher_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = cipher_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_cipher_operation_slot();
+ } else {
+ slot = find_cipher_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &cipher_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_key_derivation_operation_t_needs(
+ psa_key_derivation_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_key_derivation_operation_t_needs(
+ psa_key_derivation_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - key_derivation_operations;
+
+ if (completed) {
+ memset(&key_derivation_operations[slot],
+ 0,
+ sizeof(psa_key_derivation_operation_t));
+ key_derivation_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = key_derivation_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_key_derivation_operation_slot();
+ } else {
+ slot = find_key_derivation_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &key_derivation_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(
+ psa_sign_hash_interruptible_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_sign_hash_interruptible_operation_t_needs(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - sign_hash_interruptible_operations;
+
+ if (completed) {
+ memset(&sign_hash_interruptible_operations[slot],
+ 0,
+ sizeof(psa_sign_hash_interruptible_operation_t));
+ sign_hash_interruptible_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = sign_hash_interruptible_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_sign_hash_interruptible_operation_slot();
+ } else {
+ slot = find_sign_hash_interruptible_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &sign_hash_interruptible_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(
+ psa_verify_hash_interruptible_operation_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+size_t psasim_server_serialise_psa_verify_hash_interruptible_operation_t_needs(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+
+int psasim_server_serialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - verify_hash_interruptible_operations;
+
+ if (completed) {
+ memset(&verify_hash_interruptible_operations[slot],
+ 0,
+ sizeof(psa_verify_hash_interruptible_operation_t));
+ verify_hash_interruptible_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = verify_hash_interruptible_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+
+int psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_verify_hash_interruptible_operation_slot();
+ } else {
+ slot = find_verify_hash_interruptible_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &verify_hash_interruptible_operations[slot];
+
+ return 1;
+}
+
+size_t psasim_serialise_mbedtls_svc_key_id_t_needs(
+ mbedtls_svc_key_id_t value)
+{
+ return sizeof(value);
+}
+
+int psasim_serialise_mbedtls_svc_key_id_t(uint8_t **pos,
+ size_t *remaining,
+ mbedtls_svc_key_id_t value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+
+int psasim_deserialise_mbedtls_svc_key_id_t(uint8_t **pos,
+ size_t *remaining,
+ mbedtls_svc_key_id_t *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+
+void psa_sim_serialize_reset(void)
+{
+ memset(hash_operation_handles, 0,
+ sizeof(hash_operation_handles));
+ memset(hash_operations, 0,
+ sizeof(hash_operations));
+ memset(aead_operation_handles, 0,
+ sizeof(aead_operation_handles));
+ memset(aead_operations, 0,
+ sizeof(aead_operations));
+ memset(mac_operation_handles, 0,
+ sizeof(mac_operation_handles));
+ memset(mac_operations, 0,
+ sizeof(mac_operations));
+ memset(cipher_operation_handles, 0,
+ sizeof(cipher_operation_handles));
+ memset(cipher_operations, 0,
+ sizeof(cipher_operations));
+ memset(key_derivation_operation_handles, 0,
+ sizeof(key_derivation_operation_handles));
+ memset(key_derivation_operations, 0,
+ sizeof(key_derivation_operations));
+ memset(sign_hash_interruptible_operation_handles, 0,
+ sizeof(sign_hash_interruptible_operation_handles));
+ memset(sign_hash_interruptible_operations, 0,
+ sizeof(sign_hash_interruptible_operations));
+ memset(verify_hash_interruptible_operation_handles, 0,
+ sizeof(verify_hash_interruptible_operation_handles));
+ memset(verify_hash_interruptible_operations, 0,
+ sizeof(verify_hash_interruptible_operations));
+}
diff --git a/tests/psa-client-server/psasim/src/psa_sim_serialise.h b/tests/psa-client-server/psasim/src/psa_sim_serialise.h
new file mode 100644
index 0000000..f60e371
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_serialise.h
@@ -0,0 +1,1310 @@
+/**
+ * \file psa_sim_serialise.h
+ *
+ * \brief Rough-and-ready serialisation and deserialisation for the PSA Crypto simulator
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "psa/crypto.h"
+#include "psa/crypto_types.h"
+#include "psa/crypto_values.h"
+
+/* Basic idea:
+ *
+ * All arguments to a function will be serialised into a single buffer to
+ * be sent to the server with the PSA crypto function to be called.
+ *
+ * All returned data (the function's return value and any values returned
+ * via `out` parameters) will similarly be serialised into a buffer to be
+ * sent back to the client from the server.
+ *
+ * For each data type foo (e.g. int, size_t, psa_algorithm_t, but also "buffer"
+ * where "buffer" is a (uint8_t *, size_t) pair, we have a pair of functions,
+ * psasim_serialise_foo() and psasim_deserialise_foo().
+ *
+ * We also have psasim_serialise_foo_needs() functions, which return a
+ * size_t giving the number of bytes that serialising that instance of that
+ * type will need. This allows callers to size buffers for serialisation.
+ *
+ * Each serialised buffer starts with a version byte, bytes that indicate
+ * the size of basic C types, and four bytes that indicate the endianness
+ * (to avoid incompatibilities if we ever run this over a network - we are
+ * not aiming for universality, just for correctness and simplicity).
+ *
+ * Most types are serialised as a fixed-size (per type) octet string, with
+ * no type indication. This is acceptable as (a) this is for the test PSA crypto
+ * simulator only, not production, and (b) these functions are called by
+ * code that itself is written by script.
+ *
+ * We also want to keep serialised data reasonably compact as communication
+ * between client and server goes in messages of less than 200 bytes each.
+ *
+ * Many serialisation functions can be created by a script; an exemplar Perl
+ * script is included. It is not hooked into the build and so must be run
+ * manually, but is expected to be replaced by a Python script in due course.
+ * Types that can have their functions created by script include plain old C
+ * data types (e.g. int), types typedef'd to those, and even structures that
+ * don't contain pointers.
+ */
+
+/** Reset all operation slots.
+ *
+ * Should be called when all clients have disconnected.
+ */
+void psa_sim_serialize_reset(void);
+
+/** Return how much buffer space is needed by \c psasim_serialise_begin().
+ *
+ * \return The number of bytes needed in the buffer for
+ * \c psasim_serialise_begin()'s output.
+ */
+size_t psasim_serialise_begin_needs(void);
+
+/** Begin serialisation into a buffer.
+ *
+ * This must be the first serialisation API called
+ * on a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error (likely
+ * no space).
+ */
+int psasim_serialise_begin(uint8_t **pos, size_t *remaining);
+
+/** Begin deserialisation of a buffer.
+ *
+ * This must be the first deserialisation API called
+ * on a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_begin(uint8_t **pos, size_t *remaining);
+
+/** Return how much buffer space is needed by \c psasim_serialise_unsigned_int()
+ * to serialise an `unsigned int`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_unsigned_int() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_unsigned_int_needs(
+ unsigned int value);
+
+/** Serialise an `unsigned int` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_unsigned_int(uint8_t **pos,
+ size_t *remaining,
+ unsigned int value);
+
+/** Deserialise an `unsigned int` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to an `unsigned int` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_unsigned_int(uint8_t **pos,
+ size_t *remaining,
+ unsigned int *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_int()
+ * to serialise an `int`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_int() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_int_needs(
+ int value);
+
+/** Serialise an `int` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_int(uint8_t **pos,
+ size_t *remaining,
+ int value);
+
+/** Deserialise an `int` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to an `int` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_int(uint8_t **pos,
+ size_t *remaining,
+ int *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_size_t()
+ * to serialise a `size_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_size_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_size_t_needs(
+ size_t value);
+
+/** Serialise a `size_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_size_t(uint8_t **pos,
+ size_t *remaining,
+ size_t value);
+
+/** Deserialise a `size_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `size_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_size_t(uint8_t **pos,
+ size_t *remaining,
+ size_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_uint16_t()
+ * to serialise an `uint16_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_uint16_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_uint16_t_needs(
+ uint16_t value);
+
+/** Serialise an `uint16_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_uint16_t(uint8_t **pos,
+ size_t *remaining,
+ uint16_t value);
+
+/** Deserialise an `uint16_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to an `uint16_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_uint16_t(uint8_t **pos,
+ size_t *remaining,
+ uint16_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_uint32_t()
+ * to serialise an `uint32_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_uint32_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_uint32_t_needs(
+ uint32_t value);
+
+/** Serialise an `uint32_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_uint32_t(uint8_t **pos,
+ size_t *remaining,
+ uint32_t value);
+
+/** Deserialise an `uint32_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to an `uint32_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_uint32_t(uint8_t **pos,
+ size_t *remaining,
+ uint32_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_uint64_t()
+ * to serialise an `uint64_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_uint64_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_uint64_t_needs(
+ uint64_t value);
+
+/** Serialise an `uint64_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_uint64_t(uint8_t **pos,
+ size_t *remaining,
+ uint64_t value);
+
+/** Deserialise an `uint64_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to an `uint64_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_uint64_t(uint8_t **pos,
+ size_t *remaining,
+ uint64_t *value);
+
+/** Return how much space is needed by \c psasim_serialise_buffer()
+ * to serialise a buffer: a (`uint8_t *`, `size_t`) pair.
+ *
+ * \param buffer Pointer to the buffer to be serialised
+ * (needed in case some serialisations are value-
+ * dependent).
+ * \param buffer_size Number of bytes in the buffer to be serialised.
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_buffer() to serialise
+ * the specified buffer.
+ */
+size_t psasim_serialise_buffer_needs(const uint8_t *buffer, size_t buffer_size);
+
+/** Serialise a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param buffer Pointer to the buffer to be serialised.
+ * \param buffer_length Number of bytes in the buffer to be serialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_buffer(uint8_t **pos, size_t *remaining,
+ const uint8_t *buffer, size_t buffer_length);
+
+/** Deserialise a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param buffer Pointer to a `uint8_t *` to receive the address
+ * of a newly-allocated buffer, which the caller
+ * must `free()`.
+ * \param buffer_length Pointer to a `size_t` to receive the number of
+ * bytes in the deserialised buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_buffer(uint8_t **pos, size_t *remaining,
+ uint8_t **buffer, size_t *buffer_length);
+
+/** Deserialise a buffer returned from the server.
+ *
+ * When the client is deserialising a buffer returned from the server, it needs
+ * to use this function to deserialised the returned buffer. It should use the
+ * usual \c psasim_serialise_buffer() function to serialise the outbound
+ * buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param buffer Pointer to a `uint8_t *` to receive the address
+ * of a newly-allocated buffer, which the caller
+ * must `free()`.
+ * \param buffer_length Pointer to a `size_t` to receive the number of
+ * bytes in the deserialised buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_return_buffer(uint8_t **pos, size_t *remaining,
+ uint8_t *buffer, size_t buffer_length);
+
+/** Return how much space is needed by \c psasim_serialise_psa_key_production_parameters_t()
+ * to serialise a psa_key_production_parameters_t (a structure with a flexible array member).
+ *
+ * \param params Pointer to the struct to be serialised
+ * (needed in case some serialisations are value-
+ * dependent).
+ * \param data_length Number of bytes in the data[] of the struct to be serialised.
+ *
+ * \return The number of bytes needed in the serialisation buffer by
+ * \c psasim_serialise_psa_key_production_parameters_t() to serialise
+ * the specified structure.
+ */
+size_t psasim_serialise_psa_key_production_parameters_t_needs(
+ const psa_key_production_parameters_t *params,
+ size_t buffer_size);
+
+/** Serialise a psa_key_production_parameters_t.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param params Pointer to the structure to be serialised.
+ * \param data_length Number of bytes in the data[] of the struct to be serialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ const psa_key_production_parameters_t *params,
+ size_t data_length);
+
+/** Deserialise a psa_key_production_parameters_t.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param params Pointer to a `psa_key_production_parameters_t *` to
+ * receive the address of a newly-allocated structure,
+ * which the caller must `free()`.
+ * \param data_length Pointer to a `size_t` to receive the number of
+ * bytes in the data[] member of the structure deserialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, size_t *remaining,
+ psa_key_production_parameters_t **params,
+ size_t *buffer_length);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_status_t()
+ * to serialise a `psa_status_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_status_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_status_t_needs(
+ psa_status_t value);
+
+/** Serialise a `psa_status_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_status_t(uint8_t **pos,
+ size_t *remaining,
+ psa_status_t value);
+
+/** Deserialise a `psa_status_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_status_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_status_t(uint8_t **pos,
+ size_t *remaining,
+ psa_status_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_algorithm_t()
+ * to serialise a `psa_algorithm_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_algorithm_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_algorithm_t_needs(
+ psa_algorithm_t value);
+
+/** Serialise a `psa_algorithm_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_algorithm_t(uint8_t **pos,
+ size_t *remaining,
+ psa_algorithm_t value);
+
+/** Deserialise a `psa_algorithm_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_algorithm_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_algorithm_t(uint8_t **pos,
+ size_t *remaining,
+ psa_algorithm_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_key_derivation_step_t()
+ * to serialise a `psa_key_derivation_step_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_key_derivation_step_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_key_derivation_step_t_needs(
+ psa_key_derivation_step_t value);
+
+/** Serialise a `psa_key_derivation_step_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_key_derivation_step_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_step_t value);
+
+/** Deserialise a `psa_key_derivation_step_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_key_derivation_step_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_key_derivation_step_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_step_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_hash_operation_t()
+ * to serialise a `psa_hash_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_hash_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_hash_operation_t_needs(
+ psa_hash_operation_t value);
+
+/** Serialise a `psa_hash_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t value);
+
+/** Deserialise a `psa_hash_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_hash_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_hash_operation_t()
+ * to serialise a `psa_hash_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_hash_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_hash_operation_t_needs(
+ psa_hash_operation_t *value);
+
+/** Serialise a `psa_hash_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_hash_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_hash_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_hash_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_hash_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_aead_operation_t()
+ * to serialise a `psa_aead_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_aead_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_aead_operation_t_needs(
+ psa_aead_operation_t value);
+
+/** Serialise a `psa_aead_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t value);
+
+/** Deserialise a `psa_aead_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_aead_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_aead_operation_t()
+ * to serialise a `psa_aead_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_aead_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_aead_operation_t_needs(
+ psa_aead_operation_t *value);
+
+/** Serialise a `psa_aead_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_aead_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_aead_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_aead_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_aead_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_key_attributes_t()
+ * to serialise a `psa_key_attributes_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_key_attributes_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_key_attributes_t_needs(
+ psa_key_attributes_t value);
+
+/** Serialise a `psa_key_attributes_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_key_attributes_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_attributes_t value);
+
+/** Deserialise a `psa_key_attributes_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_key_attributes_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_key_attributes_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_attributes_t *value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_mac_operation_t()
+ * to serialise a `psa_mac_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_mac_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_mac_operation_t_needs(
+ psa_mac_operation_t value);
+
+/** Serialise a `psa_mac_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t value);
+
+/** Deserialise a `psa_mac_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_mac_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_mac_operation_t()
+ * to serialise a `psa_mac_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_mac_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_mac_operation_t_needs(
+ psa_mac_operation_t *value);
+
+/** Serialise a `psa_mac_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_mac_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_mac_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_mac_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_mac_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_cipher_operation_t()
+ * to serialise a `psa_cipher_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_cipher_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_cipher_operation_t_needs(
+ psa_cipher_operation_t value);
+
+/** Serialise a `psa_cipher_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t value);
+
+/** Deserialise a `psa_cipher_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_cipher_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_cipher_operation_t()
+ * to serialise a `psa_cipher_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_cipher_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_cipher_operation_t_needs(
+ psa_cipher_operation_t *value);
+
+/** Serialise a `psa_cipher_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_cipher_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_cipher_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_cipher_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_cipher_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_key_derivation_operation_t()
+ * to serialise a `psa_key_derivation_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_key_derivation_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_key_derivation_operation_t_needs(
+ psa_key_derivation_operation_t value);
+
+/** Serialise a `psa_key_derivation_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t value);
+
+/** Deserialise a `psa_key_derivation_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_key_derivation_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_key_derivation_operation_t()
+ * to serialise a `psa_key_derivation_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_key_derivation_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_key_derivation_operation_t_needs(
+ psa_key_derivation_operation_t *value);
+
+/** Serialise a `psa_key_derivation_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_key_derivation_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_key_derivation_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_key_derivation_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_derivation_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_sign_hash_interruptible_operation_t()
+ * to serialise a `psa_sign_hash_interruptible_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_sign_hash_interruptible_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_sign_hash_interruptible_operation_t_needs(
+ psa_sign_hash_interruptible_operation_t value);
+
+/** Serialise a `psa_sign_hash_interruptible_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t value);
+
+/** Deserialise a `psa_sign_hash_interruptible_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_sign_hash_interruptible_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_sign_hash_interruptible_operation_t()
+ * to serialise a `psa_sign_hash_interruptible_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_sign_hash_interruptible_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_sign_hash_interruptible_operation_t_needs(
+ psa_sign_hash_interruptible_operation_t *value);
+
+/** Serialise a `psa_sign_hash_interruptible_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_sign_hash_interruptible_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_sign_hash_interruptible_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_sign_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_sign_hash_interruptible_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_psa_verify_hash_interruptible_operation_t()
+ * to serialise a `psa_verify_hash_interruptible_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_verify_hash_interruptible_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_psa_verify_hash_interruptible_operation_t_needs(
+ psa_verify_hash_interruptible_operation_t value);
+
+/** Serialise a `psa_verify_hash_interruptible_operation_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t value);
+
+/** Deserialise a `psa_verify_hash_interruptible_operation_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_verify_hash_interruptible_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t *value);
+
+/** Return how much buffer space is needed by \c psasim_server_serialise_psa_verify_hash_interruptible_operation_t()
+ * to serialise a `psa_verify_hash_interruptible_operation_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_psa_verify_hash_interruptible_operation_t() to serialise
+ * the given value.
+ */
+size_t psasim_server_serialise_psa_verify_hash_interruptible_operation_t_needs(
+ psa_verify_hash_interruptible_operation_t *value);
+
+/** Serialise a `psa_verify_hash_interruptible_operation_t` into a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ * \param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_serialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t *value,
+ int completed);
+
+/** Deserialise a `psa_verify_hash_interruptible_operation_t` from a buffer on the server side.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `psa_verify_hash_interruptible_operation_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_server_deserialise_psa_verify_hash_interruptible_operation_t(uint8_t **pos,
+ size_t *remaining,
+ psa_verify_hash_interruptible_operation_t **value);
+
+/** Return how much buffer space is needed by \c psasim_serialise_mbedtls_svc_key_id_t()
+ * to serialise a `mbedtls_svc_key_id_t`.
+ *
+ * \param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_mbedtls_svc_key_id_t() to serialise
+ * the given value.
+ */
+size_t psasim_serialise_mbedtls_svc_key_id_t_needs(
+ mbedtls_svc_key_id_t value);
+
+/** Serialise a `mbedtls_svc_key_id_t` into a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value The value to serialise into the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_mbedtls_svc_key_id_t(uint8_t **pos,
+ size_t *remaining,
+ mbedtls_svc_key_id_t value);
+
+/** Deserialise a `mbedtls_svc_key_id_t` from a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param value Pointer to a `mbedtls_svc_key_id_t` to receive the value
+ * deserialised from the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_mbedtls_svc_key_id_t(uint8_t **pos,
+ size_t *remaining,
+ mbedtls_svc_key_id_t *value);
diff --git a/tests/psa-client-server/psasim/src/psa_sim_serialise.pl b/tests/psa-client-server/psasim/src/psa_sim_serialise.pl
new file mode 100755
index 0000000..75e6cd0
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_sim_serialise.pl
@@ -0,0 +1,1204 @@
+#!/usr/bin/env perl
+#
+# psa_sim_serialise.pl - Sample Perl script to show how many serialisation
+# functions can be created by templated scripting.
+#
+# This is an example only, and is expected to be replaced by a Python script
+# for production use. It is not hooked into the build: it needs to be run
+# manually:
+#
+# perl psa_sim_serialise.pl h > psa_sim_serialise.h
+# perl psa_sim_serialise.pl c > psa_sim_serialise.c
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+use strict;
+
+my $usage = "$0: usage: $0 c|h\n";
+my $which = lc(shift) || die($usage);
+die($usage) unless $which eq "c" || $which eq "h";
+
+# Most types are serialised as a fixed-size (per type) octet string, with
+# no type indication. This is acceptable as (a) this is for the test PSA crypto
+# simulator only, not production, and (b) these functions are called by
+# code that itself is written by script.
+#
+# We also want to keep serialised data reasonably compact as communication
+# between client and server goes in messages of less than 200 bytes each.
+#
+# This script is able to create serialisation functions for plain old C data
+# types (e.g. unsigned int), types typedef'd to those, and even structures
+# that don't contain pointers.
+#
+# Structures that contain pointers will need to have their serialisation and
+# deserialisation functions written manually (like those for the "buffer" type
+# are).
+#
+my @types = qw(unsigned-int int size_t
+ uint16_t uint32_t uint64_t
+ buffer
+ psa_key_production_parameters_t
+ psa_status_t psa_algorithm_t psa_key_derivation_step_t
+ psa_hash_operation_t
+ psa_aead_operation_t
+ psa_key_attributes_t
+ psa_mac_operation_t
+ psa_cipher_operation_t
+ psa_key_derivation_operation_t
+ psa_sign_hash_interruptible_operation_t
+ psa_verify_hash_interruptible_operation_t
+ mbedtls_svc_key_id_t);
+
+grep(s/-/ /g, @types);
+
+# IS-A: Some data types are typedef'd; we serialise them as the other type
+my %isa = (
+ "psa_status_t" => "int",
+ "psa_algorithm_t" => "unsigned int",
+ "psa_key_derivation_step_t" => "uint16_t",
+);
+
+if ($which eq "h") {
+
+ print h_header();
+
+ for my $type (@types) {
+ if ($type eq "buffer") {
+ print declare_buffer_functions();
+ } elsif ($type eq "psa_key_production_parameters_t") {
+ print declare_psa_key_production_parameters_t_functions();
+ } else {
+ print declare_needs($type, "");
+ print declare_serialise($type, "");
+ print declare_deserialise($type, "");
+
+ if ($type =~ /^psa_\w+_operation_t$/) {
+ print declare_needs($type, "server_");
+ print declare_serialise($type, "server_");
+ print declare_deserialise($type, "server_");
+ }
+ }
+ }
+
+} elsif ($which eq "c") {
+
+ my $have_operation_types = (grep(/psa_\w+_operation_t/, @types)) ? 1 : 0;
+
+ print c_header();
+ print c_define_types_for_operation_types() if $have_operation_types;
+
+ for my $type (@types) {
+ next unless $type =~ /^psa_(\w+)_operation_t$/;
+ print define_operation_type_data_and_functions($1);
+ }
+
+ print c_define_begins();
+
+ for my $type (@types) {
+ if ($type eq "buffer") {
+ print define_buffer_functions();
+ } elsif ($type eq "psa_key_production_parameters_t") {
+ print define_psa_key_production_parameters_t_functions();
+ } elsif (exists($isa{$type})) {
+ print define_needs_isa($type, $isa{$type});
+ print define_serialise_isa($type, $isa{$type});
+ print define_deserialise_isa($type, $isa{$type});
+ } else {
+ print define_needs($type);
+ print define_serialise($type);
+ print define_deserialise($type);
+
+ if ($type =~ /^psa_\w+_operation_t$/) {
+ print define_server_needs($type);
+ print define_server_serialise($type);
+ print define_server_deserialise($type);
+ }
+ }
+ }
+
+ print define_server_serialize_reset(@types);
+} else {
+ die("internal error - shouldn't happen");
+}
+
+sub declare_needs
+{
+ my ($type, $server) = @_;
+
+ my $an = ($type =~ /^[ui]/) ? "an" : "a";
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ my $ptr = (length($server)) ? "*" : "";
+
+ return <<EOF;
+
+/** Return how much buffer space is needed by \\c psasim_${server}serialise_$type_d()
+ * to serialise $an `$type`.
+ *
+ * \\param value The value that will be serialised into the buffer
+ * (needed in case some serialisations are value-
+ * dependent).
+ *
+ * \\return The number of bytes needed in the buffer by
+ * \\c psasim_serialise_$type_d() to serialise
+ * the given value.
+ */
+size_t psasim_${server}serialise_${type_d}_needs(
+ $type ${ptr}value);
+EOF
+}
+
+sub declare_serialise
+{
+ my ($type, $server) = @_;
+
+ my $an = ($type =~ /^[ui]/) ? "an" : "a";
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ if (length($server) && $type !~ /^psa_(\w+)_operation_t$/) {
+ die("$0: declare_server_serialise: $type: not supported\n");
+ }
+
+ my $server_side = (length($server)) ? " on the server side" : "";
+
+ my $ptr = (length($server)) ? "*" : "";
+
+ my $code = <<EOF;
+
+/** Serialise $an `$type` into a buffer${server_side}.
+ *
+ * \\param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \\param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \\param value The value to serialise into the buffer.
+EOF
+
+ $code .= <<EOF if length($server);
+ * \\param completed Non-zero if the operation is now completed (set by
+ * finish and abort calls).
+EOF
+
+ my $value_sep = (length($server)) ? "," : ");";
+
+ $code .= <<EOF;
+ *
+ * \\return \\c 1 on success ("okay"), \\c 0 on error.
+ */
+int psasim_${server}serialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type ${ptr}value$value_sep
+EOF
+
+ $code .= <<EOF if length($server);
+ int completed);
+EOF
+
+ return align_declaration($code);
+}
+
+sub declare_deserialise
+{
+ my ($type, $server) = @_;
+
+ my $an = ($type =~ /^[ui]/) ? "an" : "a";
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ my $server_side = (length($server)) ? " on the server side" : "";
+
+ my $ptr = (length($server)) ? "*" : "";
+
+ return align_declaration(<<EOF);
+
+/** Deserialise $an `$type` from a buffer${server_side}.
+ *
+ * \\param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \\param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \\param value Pointer to $an `$type` to receive the value
+ * deserialised from the buffer.
+ *
+ * \\return \\c 1 on success ("okay"), \\c 0 on error.
+ */
+int psasim_${server}deserialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type ${ptr}*value);
+EOF
+}
+
+sub declare_buffer_functions
+{
+ return <<'EOF';
+
+/** Return how much space is needed by \c psasim_serialise_buffer()
+ * to serialise a buffer: a (`uint8_t *`, `size_t`) pair.
+ *
+ * \param buffer Pointer to the buffer to be serialised
+ * (needed in case some serialisations are value-
+ * dependent).
+ * \param buffer_size Number of bytes in the buffer to be serialised.
+ *
+ * \return The number of bytes needed in the buffer by
+ * \c psasim_serialise_buffer() to serialise
+ * the specified buffer.
+ */
+size_t psasim_serialise_buffer_needs(const uint8_t *buffer, size_t buffer_size);
+
+/** Serialise a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param buffer Pointer to the buffer to be serialised.
+ * \param buffer_length Number of bytes in the buffer to be serialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_buffer(uint8_t **pos, size_t *remaining,
+ const uint8_t *buffer, size_t buffer_length);
+
+/** Deserialise a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param buffer Pointer to a `uint8_t *` to receive the address
+ * of a newly-allocated buffer, which the caller
+ * must `free()`.
+ * \param buffer_length Pointer to a `size_t` to receive the number of
+ * bytes in the deserialised buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_buffer(uint8_t **pos, size_t *remaining,
+ uint8_t **buffer, size_t *buffer_length);
+
+/** Deserialise a buffer returned from the server.
+ *
+ * When the client is deserialising a buffer returned from the server, it needs
+ * to use this function to deserialised the returned buffer. It should use the
+ * usual \c psasim_serialise_buffer() function to serialise the outbound
+ * buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param buffer Pointer to a `uint8_t *` to receive the address
+ * of a newly-allocated buffer, which the caller
+ * must `free()`.
+ * \param buffer_length Pointer to a `size_t` to receive the number of
+ * bytes in the deserialised buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_return_buffer(uint8_t **pos, size_t *remaining,
+ uint8_t *buffer, size_t buffer_length);
+EOF
+}
+
+sub declare_psa_key_production_parameters_t_functions
+{
+ return <<'EOF';
+
+/** Return how much space is needed by \c psasim_serialise_psa_key_production_parameters_t()
+ * to serialise a psa_key_production_parameters_t (a structure with a flexible array member).
+ *
+ * \param params Pointer to the struct to be serialised
+ * (needed in case some serialisations are value-
+ * dependent).
+ * \param data_length Number of bytes in the data[] of the struct to be serialised.
+ *
+ * \return The number of bytes needed in the serialisation buffer by
+ * \c psasim_serialise_psa_key_production_parameters_t() to serialise
+ * the specified structure.
+ */
+size_t psasim_serialise_psa_key_production_parameters_t_needs(
+ const psa_key_production_parameters_t *params,
+ size_t buffer_size);
+
+/** Serialise a psa_key_production_parameters_t.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ * \param params Pointer to the structure to be serialised.
+ * \param data_length Number of bytes in the data[] of the struct to be serialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ const psa_key_production_parameters_t *params,
+ size_t data_length);
+
+/** Deserialise a psa_key_production_parameters_t.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the serialisation buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the serialisation buffer.
+ * \param params Pointer to a `psa_key_production_parameters_t *` to
+ * receive the address of a newly-allocated structure,
+ * which the caller must `free()`.
+ * \param data_length Pointer to a `size_t` to receive the number of
+ * bytes in the data[] member of the structure deserialised.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, size_t *remaining,
+ psa_key_production_parameters_t **params,
+ size_t *buffer_length);
+EOF
+}
+
+sub h_header
+{
+ return <<'EOF';
+/**
+ * \file psa_sim_serialise.h
+ *
+ * \brief Rough-and-ready serialisation and deserialisation for the PSA Crypto simulator
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "psa/crypto.h"
+#include "psa/crypto_types.h"
+#include "psa/crypto_values.h"
+
+/* Basic idea:
+ *
+ * All arguments to a function will be serialised into a single buffer to
+ * be sent to the server with the PSA crypto function to be called.
+ *
+ * All returned data (the function's return value and any values returned
+ * via `out` parameters) will similarly be serialised into a buffer to be
+ * sent back to the client from the server.
+ *
+ * For each data type foo (e.g. int, size_t, psa_algorithm_t, but also "buffer"
+ * where "buffer" is a (uint8_t *, size_t) pair, we have a pair of functions,
+ * psasim_serialise_foo() and psasim_deserialise_foo().
+ *
+ * We also have psasim_serialise_foo_needs() functions, which return a
+ * size_t giving the number of bytes that serialising that instance of that
+ * type will need. This allows callers to size buffers for serialisation.
+ *
+ * Each serialised buffer starts with a version byte, bytes that indicate
+ * the size of basic C types, and four bytes that indicate the endianness
+ * (to avoid incompatibilities if we ever run this over a network - we are
+ * not aiming for universality, just for correctness and simplicity).
+ *
+ * Most types are serialised as a fixed-size (per type) octet string, with
+ * no type indication. This is acceptable as (a) this is for the test PSA crypto
+ * simulator only, not production, and (b) these functions are called by
+ * code that itself is written by script.
+ *
+ * We also want to keep serialised data reasonably compact as communication
+ * between client and server goes in messages of less than 200 bytes each.
+ *
+ * Many serialisation functions can be created by a script; an exemplar Perl
+ * script is included. It is not hooked into the build and so must be run
+ * manually, but is expected to be replaced by a Python script in due course.
+ * Types that can have their functions created by script include plain old C
+ * data types (e.g. int), types typedef'd to those, and even structures that
+ * don't contain pointers.
+ */
+
+/** Reset all operation slots.
+ *
+ * Should be called when all clients have disconnected.
+ */
+void psa_sim_serialize_reset(void);
+
+/** Return how much buffer space is needed by \c psasim_serialise_begin().
+ *
+ * \return The number of bytes needed in the buffer for
+ * \c psasim_serialise_begin()'s output.
+ */
+size_t psasim_serialise_begin_needs(void);
+
+/** Begin serialisation into a buffer.
+ *
+ * This must be the first serialisation API called
+ * on a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error (likely
+ * no space).
+ */
+int psasim_serialise_begin(uint8_t **pos, size_t *remaining);
+
+/** Begin deserialisation of a buffer.
+ *
+ * This must be the first deserialisation API called
+ * on a buffer.
+ *
+ * \param pos[in,out] Pointer to a `uint8_t *` holding current position
+ * in the buffer.
+ * \param remaining[in,out] Pointer to a `size_t` holding number of bytes
+ * remaining in the buffer.
+ *
+ * \return \c 1 on success ("okay"), \c 0 on error.
+ */
+int psasim_deserialise_begin(uint8_t **pos, size_t *remaining);
+EOF
+}
+
+sub define_needs
+{
+ my ($type) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return <<EOF;
+
+size_t psasim_serialise_${type_d}_needs(
+ $type value)
+{
+ return sizeof(value);
+}
+EOF
+}
+
+sub define_server_needs
+{
+ my ($type) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return <<EOF;
+
+size_t psasim_server_serialise_${type_d}_needs(
+ $type *operation)
+{
+ (void) operation;
+
+ /* We will actually return a handle */
+ return sizeof(psasim_operation_t);
+}
+EOF
+}
+
+sub define_needs_isa
+{
+ my ($type, $isa) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ my $isa_d = $isa;
+ $isa_d =~ s/ /_/g;
+
+ return <<EOF;
+
+size_t psasim_serialise_${type_d}_needs(
+ $type value)
+{
+ return psasim_serialise_${isa_d}_needs(value);
+}
+EOF
+}
+
+sub define_serialise
+{
+ my ($type) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_serialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type value)
+{
+ if (*remaining < sizeof(value)) {
+ return 0;
+ }
+
+ memcpy(*pos, &value, sizeof(value));
+ *pos += sizeof(value);
+
+ return 1;
+}
+EOF
+}
+
+sub define_server_serialise
+{
+ my ($type) = @_;
+
+ my $t;
+ if ($type =~ /^psa_(\w+)_operation_t$/) {
+ $t = $1;
+ } else {
+ die("$0: define_server_serialise: $type: not supported\n");
+ }
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_server_serialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type *operation,
+ int completed)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(client_operation)) {
+ return 0;
+ }
+
+ ssize_t slot = operation - ${t}_operations;
+
+ if (completed) {
+ memset(&${t}_operations[slot],
+ 0,
+ sizeof($type_d));
+ ${t}_operation_handles[slot] = 0;
+ }
+
+ client_operation.handle = ${t}_operation_handles[slot];
+
+ memcpy(*pos, &client_operation, sizeof(client_operation));
+ *pos += sizeof(client_operation);
+
+ return 1;
+}
+EOF
+}
+
+sub define_serialise_isa
+{
+ my ($type, $isa) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ my $isa_d = $isa;
+ $isa_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_serialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type value)
+{
+ return psasim_serialise_$isa_d(pos, remaining, value);
+}
+EOF
+}
+
+sub define_deserialise
+{
+ my ($type) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_deserialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type *value)
+{
+ if (*remaining < sizeof(*value)) {
+ return 0;
+ }
+
+ memcpy(value, *pos, sizeof(*value));
+
+ *pos += sizeof(*value);
+ *remaining -= sizeof(*value);
+
+ return 1;
+}
+EOF
+}
+
+sub define_server_deserialise
+{
+ my ($type) = @_;
+
+ my $t;
+ if ($type =~ /^psa_(\w+)_operation_t$/) {
+ $t = $1;
+ } else {
+ die("$0: define_server_deserialise: $type: not supported\n");
+ }
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_server_deserialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type **operation)
+{
+ psasim_operation_t client_operation;
+
+ if (*remaining < sizeof(psasim_operation_t)) {
+ return 0;
+ }
+
+ memcpy(&client_operation, *pos, sizeof(psasim_operation_t));
+ *pos += sizeof(psasim_operation_t);
+ *remaining -= sizeof(psasim_operation_t);
+
+ ssize_t slot;
+ if (client_operation.handle == 0) { /* We need a new handle */
+ slot = allocate_${t}_operation_slot();
+ } else {
+ slot = find_${t}_slot_by_handle(client_operation.handle);
+ }
+
+ if (slot < 0) {
+ return 0;
+ }
+
+ *operation = &${t}_operations[slot];
+
+ return 1;
+}
+EOF
+}
+
+sub define_deserialise_isa
+{
+ my ($type, $isa) = @_;
+
+ my $type_d = $type;
+ $type_d =~ s/ /_/g;
+
+ my $isa_d = $isa;
+ $isa_d =~ s/ /_/g;
+
+ return align_signature(<<EOF);
+
+int psasim_deserialise_$type_d(uint8_t **pos,
+ size_t *remaining,
+ $type *value)
+{
+ return psasim_deserialise_$isa_d(pos, remaining, value);
+}
+EOF
+}
+
+sub define_buffer_functions
+{
+ return <<'EOF';
+
+size_t psasim_serialise_buffer_needs(const uint8_t *buffer, size_t buffer_size)
+{
+ (void) buffer;
+ return sizeof(buffer_size) + buffer_size;
+}
+
+int psasim_serialise_buffer(uint8_t **pos,
+ size_t *remaining,
+ const uint8_t *buffer,
+ size_t buffer_length)
+{
+ if (*remaining < sizeof(buffer_length) + buffer_length) {
+ return 0;
+ }
+
+ memcpy(*pos, &buffer_length, sizeof(buffer_length));
+ *pos += sizeof(buffer_length);
+
+ if (buffer_length > 0) { // To be able to serialise (NULL, 0)
+ memcpy(*pos, buffer, buffer_length);
+ *pos += buffer_length;
+ }
+
+ return 1;
+}
+
+int psasim_deserialise_buffer(uint8_t **pos,
+ size_t *remaining,
+ uint8_t **buffer,
+ size_t *buffer_length)
+{
+ if (*remaining < sizeof(*buffer_length)) {
+ return 0;
+ }
+
+ memcpy(buffer_length, *pos, sizeof(*buffer_length));
+
+ *pos += sizeof(buffer_length);
+ *remaining -= sizeof(buffer_length);
+
+ if (*buffer_length == 0) { // Deserialise (NULL, 0)
+ *buffer = NULL;
+ return 1;
+ }
+
+ if (*remaining < *buffer_length) {
+ return 0;
+ }
+
+ uint8_t *data = malloc(*buffer_length);
+ if (data == NULL) {
+ return 0;
+ }
+
+ memcpy(data, *pos, *buffer_length);
+ *pos += *buffer_length;
+ *remaining -= *buffer_length;
+
+ *buffer = data;
+
+ return 1;
+}
+
+/* When the client is deserialising a buffer returned from the server, it needs
+ * to use this function to deserialised the returned buffer. It should use the
+ * usual \c psasim_serialise_buffer() function to serialise the outbound
+ * buffer. */
+int psasim_deserialise_return_buffer(uint8_t **pos,
+ size_t *remaining,
+ uint8_t *buffer,
+ size_t buffer_length)
+{
+ if (*remaining < sizeof(buffer_length)) {
+ return 0;
+ }
+
+ size_t length_check;
+
+ memcpy(&length_check, *pos, sizeof(buffer_length));
+
+ *pos += sizeof(buffer_length);
+ *remaining -= sizeof(buffer_length);
+
+ if (buffer_length != length_check) { // Make sure we're sent back the same we sent to the server
+ return 0;
+ }
+
+ if (length_check == 0) { // Deserialise (NULL, 0)
+ return 1;
+ }
+
+ if (*remaining < buffer_length) {
+ return 0;
+ }
+
+ memcpy(buffer, *pos, buffer_length);
+ *pos += buffer_length;
+ *remaining -= buffer_length;
+
+ return 1;
+}
+EOF
+}
+
+sub define_psa_key_production_parameters_t_functions
+{
+ return <<'EOF';
+
+#define SER_TAG_SIZE 4
+
+size_t psasim_serialise_psa_key_production_parameters_t_needs(
+ const psa_key_production_parameters_t *params,
+ size_t data_length)
+{
+ /* We will serialise with 4-byte tag = "PKPP" + 4-byte overall length at the beginning,
+ * followed by size_t data_length, then the actual data from the structure.
+ */
+ return SER_TAG_SIZE + sizeof(uint32_t) + sizeof(data_length) + sizeof(*params) + data_length;
+}
+
+int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ const psa_key_production_parameters_t *params,
+ size_t data_length)
+{
+ if (data_length > UINT32_MAX / 2) { /* arbitrary limit */
+ return 0; /* too big to serialise */
+ }
+
+ /* We use 32-bit lengths, which should be enough for any reasonable usage :) */
+ /* (the UINT32_MAX / 2 above is an even more conservative check to avoid overflow here) */
+ uint32_t len = (uint32_t) (sizeof(data_length) + sizeof(*params) + data_length);
+ if (*remaining < SER_TAG_SIZE + sizeof(uint32_t) + len) {
+ return 0;
+ }
+
+ char tag[SER_TAG_SIZE] = "PKPP";
+
+ memcpy(*pos, tag, sizeof(tag));
+ memcpy(*pos + sizeof(tag), &len, sizeof(len));
+ *pos += sizeof(tag) + sizeof(len);
+ *remaining -= sizeof(tag) + sizeof(len);
+
+ memcpy(*pos, &data_length, sizeof(data_length));
+ memcpy(*pos + sizeof(data_length), params, sizeof(*params) + data_length);
+ *pos += sizeof(data_length) + sizeof(*params) + data_length;
+ *remaining -= sizeof(data_length) + sizeof(*params) + data_length;
+
+ return 1;
+}
+
+int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos,
+ size_t *remaining,
+ psa_key_production_parameters_t **params,
+ size_t *data_length)
+{
+ if (*remaining < SER_TAG_SIZE + sizeof(uint32_t)) {
+ return 0; /* can't even be an empty serialisation */
+ }
+
+ char tag[SER_TAG_SIZE] = "PKPP"; /* expected */
+ uint32_t len;
+
+ memcpy(&len, *pos + sizeof(tag), sizeof(len));
+
+ if (memcmp(*pos, tag, sizeof(tag)) != 0) {
+ return 0; /* wrong tag */
+ }
+
+ *pos += sizeof(tag) + sizeof(len);
+ *remaining -= sizeof(tag) + sizeof(len);
+
+ if (*remaining < sizeof(*data_length)) {
+ return 0; /* missing data_length */
+ }
+ memcpy(data_length, *pos, sizeof(*data_length));
+
+ if ((size_t) len != (sizeof(data_length) + sizeof(**params) + *data_length)) {
+ return 0; /* wrong length */
+ }
+
+ if (*remaining < sizeof(*data_length) + sizeof(**params) + *data_length) {
+ return 0; /* not enough data provided */
+ }
+
+ *pos += sizeof(data_length);
+ *remaining -= sizeof(data_length);
+
+ psa_key_production_parameters_t *out = malloc(sizeof(**params) + *data_length);
+ if (out == NULL) {
+ return 0; /* allocation failure */
+ }
+
+ memcpy(out, *pos, sizeof(*out) + *data_length);
+ *pos += sizeof(*out) + *data_length;
+ *remaining -= sizeof(*out) + *data_length;
+
+ *params = out;
+
+ return 1;
+}
+EOF
+}
+
+sub c_header
+{
+ return <<'EOF';
+/**
+ * \file psa_sim_serialise.c
+ *
+ * \brief Rough-and-ready serialisation and deserialisation for the PSA Crypto simulator
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "psa_sim_serialise.h"
+#include "util.h"
+#include <stdlib.h>
+#include <string.h>
+
+/* Basic idea:
+ *
+ * All arguments to a function will be serialised into a single buffer to
+ * be sent to the server with the PSA crypto function to be called.
+ *
+ * All returned data (the function's return value and any values returned
+ * via `out` parameters) will similarly be serialised into a buffer to be
+ * sent back to the client from the server.
+ *
+ * For each data type foo (e.g. int, size_t, psa_algorithm_t, but also "buffer"
+ * where "buffer" is a (uint8_t *, size_t) pair, we have a pair of functions,
+ * psasim_serialise_foo() and psasim_deserialise_foo().
+ *
+ * We also have psasim_serialise_foo_needs() functions, which return a
+ * size_t giving the number of bytes that serialising that instance of that
+ * type will need. This allows callers to size buffers for serialisation.
+ *
+ * Each serialised buffer starts with a version byte, bytes that indicate
+ * the size of basic C types, and four bytes that indicate the endianness
+ * (to avoid incompatibilities if we ever run this over a network - we are
+ * not aiming for universality, just for correctness and simplicity).
+ *
+ * Most types are serialised as a fixed-size (per type) octet string, with
+ * no type indication. This is acceptable as (a) this is for the test PSA crypto
+ * simulator only, not production, and (b) these functions are called by
+ * code that itself is written by script.
+ *
+ * We also want to keep serialised data reasonably compact as communication
+ * between client and server goes in messages of less than 200 bytes each.
+ *
+ * Many serialisation functions can be created by a script; an exemplar Perl
+ * script is included. It is not hooked into the build and so must be run
+ * manually, but is expected to be replaced by a Python script in due course.
+ * Types that can have their functions created by script include plain old C
+ * data types (e.g. int), types typedef'd to those, and even structures that
+ * don't contain pointers.
+ */
+EOF
+}
+
+sub c_define_types_for_operation_types
+{
+ return <<'EOF';
+
+/* include/psa/crypto_platform.h:typedef uint32_t mbedtls_psa_client_handle_t;
+ * but we don't get it on server builds, so redefine it here with a unique type name
+ */
+typedef uint32_t psasim_client_handle_t;
+
+typedef struct psasim_operation_s {
+ psasim_client_handle_t handle;
+} psasim_operation_t;
+
+#define MAX_LIVE_HANDLES_PER_CLASS 100 /* this many slots */
+EOF
+}
+
+sub define_operation_type_data_and_functions
+{
+ my ($type) = @_; # e.g. 'hash' rather than 'psa_hash_operation_t'
+
+ my $utype = ucfirst($type);
+
+ return <<EOF;
+
+static psa_${type}_operation_t ${type}_operations[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t ${type}_operation_handles[
+ MAX_LIVE_HANDLES_PER_CLASS];
+static psasim_client_handle_t next_${type}_operation_handle = 1;
+
+/* Get a free slot */
+static ssize_t allocate_${type}_operation_slot(void)
+{
+ psasim_client_handle_t handle = next_${type}_operation_handle++;
+ if (next_${type}_operation_handle == 0) { /* wrapped around */
+ FATAL("$utype operation handle wrapped");
+ }
+
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (${type}_operation_handles[i] == 0) {
+ ${type}_operation_handles[i] = handle;
+ return i;
+ }
+ }
+
+ ERROR("All slots are currently used. Unable to allocate a new one.");
+
+ return -1; /* all in use */
+}
+
+/* Find the slot given the handle */
+static ssize_t find_${type}_slot_by_handle(psasim_client_handle_t handle)
+{
+ for (ssize_t i = 0; i < MAX_LIVE_HANDLES_PER_CLASS; i++) {
+ if (${type}_operation_handles[i] == handle) {
+ return i;
+ }
+ }
+
+ ERROR("Unable to find slot by handle %u", handle);
+
+ return -1; /* not found */
+}
+EOF
+}
+
+sub c_define_begins
+{
+ return <<'EOF';
+
+size_t psasim_serialise_begin_needs(void)
+{
+ /* The serialisation buffer will
+ * start with a byte of 0 to indicate version 0,
+ * then have 1 byte each for length of int, long, void *,
+ * then have 4 bytes to indicate endianness. */
+ return 4 + sizeof(uint32_t);
+}
+
+int psasim_serialise_begin(uint8_t **pos, size_t *remaining)
+{
+ uint32_t endian = 0x1234;
+
+ if (*remaining < 4 + sizeof(endian)) {
+ return 0;
+ }
+
+ *(*pos)++ = 0; /* version */
+ *(*pos)++ = (uint8_t) sizeof(int);
+ *(*pos)++ = (uint8_t) sizeof(long);
+ *(*pos)++ = (uint8_t) sizeof(void *);
+
+ memcpy(*pos, &endian, sizeof(endian));
+
+ *pos += sizeof(endian);
+
+ return 1;
+}
+
+int psasim_deserialise_begin(uint8_t **pos, size_t *remaining)
+{
+ uint8_t version = 255;
+ uint8_t int_size = 0;
+ uint8_t long_size = 0;
+ uint8_t ptr_size = 0;
+ uint32_t endian;
+
+ if (*remaining < 4 + sizeof(endian)) {
+ return 0;
+ }
+
+ memcpy(&version, (*pos)++, sizeof(version));
+ if (version != 0) {
+ return 0;
+ }
+
+ memcpy(&int_size, (*pos)++, sizeof(int_size));
+ if (int_size != sizeof(int)) {
+ return 0;
+ }
+
+ memcpy(&long_size, (*pos)++, sizeof(long_size));
+ if (long_size != sizeof(long)) {
+ return 0;
+ }
+
+ memcpy(&ptr_size, (*pos)++, sizeof(ptr_size));
+ if (ptr_size != sizeof(void *)) {
+ return 0;
+ }
+
+ *remaining -= 4;
+
+ memcpy(&endian, *pos, sizeof(endian));
+ if (endian != 0x1234) {
+ return 0;
+ }
+
+ *pos += sizeof(endian);
+ *remaining -= sizeof(endian);
+
+ return 1;
+}
+EOF
+}
+
+# Return the code for psa_sim_serialize_reset()
+sub define_server_serialize_reset
+{
+ my @types = @_;
+
+ my $code = <<EOF;
+
+void psa_sim_serialize_reset(void)
+{
+EOF
+
+ for my $type (@types) {
+ next unless $type =~ /^psa_(\w+_operation)_t$/;
+
+ my $what = $1; # e.g. "hash_operation"
+
+ $code .= <<EOF;
+ memset(${what}_handles, 0,
+ sizeof(${what}_handles));
+ memset(${what}s, 0,
+ sizeof(${what}s));
+EOF
+ }
+
+ $code .= <<EOF;
+}
+EOF
+}
+
+# Horrible way to align first few lines of function signature to appease
+# uncrustify (these are usually the 2nd-4th lines of code, indices 1, 2 and 3)
+#
+sub align_signature
+{
+ my ($code) = @_;
+
+ my @code = split(/\n/, $code);
+
+ my $i = 1;
+ # Find where the ( is
+ my $idx = index($code[$i], "(");
+ die("can't find (") if $idx < 0;
+
+ my $indent = " " x ($idx + 1);
+
+ do {
+ # Indent each line up until the one that ends with )
+ $code[++$i] =~ s/^\s+/$indent/;
+ } while $code[$i] !~ /\)$/;
+
+ return join("\n", @code) . "\n";
+}
+
+# Horrible way to align the function declaration to appease uncrustify
+#
+sub align_declaration
+{
+ my ($code) = @_;
+
+ my @code = split(/\n/, $code);
+
+ # Find out which lines we need to massage
+ my $i;
+ for ($i = 0; $i <= $#code; $i++) {
+ last if $code[$i] =~ /^int psasim_/;
+ }
+ die("can't find int psasim_") if $i > $#code;
+
+ # Find where the ( is
+ my $idx = index($code[$i], "(");
+ die("can't find (") if $idx < 0;
+
+ my $indent = " " x ($idx + 1);
+ do {
+ # Indent each line up until the one with the ; on it
+ $code[++$i] =~ s/^\s+/$indent/;
+ } while ($code[$i] !~ /;/);
+
+ return join("\n", @code) . "\n";
+}
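Review bot: In the `define_psa_key_production_parameters_t_functions` heredoc, `psasim_deserialise_psa_key_production_parameters_t()` copies `*data_length` straight out of the message and then adds it to `sizeof` terms in the `len` comparison, the `*remaining` check and the `malloc()` size, with no upper bound on the value. Those `size_t` sums can wrap for a value near `SIZE_MAX`, so the checks would compare against a small number and the caller would get back a `*data_length` that no longer matches the allocation. The serialise side already caps the length, so mirror that right after `memcpy(data_length, *pos, sizeof(*data_length));` with `if (*data_length > UINT32_MAX / 2) { return 0; }`. The same function and `psasim_deserialise_buffer()` also apply `sizeof` to the pointer parameter (`sizeof(data_length)`, `sizeof(buffer_length)`) where `sizeof(*data_length)` and `sizeof(*buffer_length)` are meant, which is only correct where a pointer and `size_t` have the same size.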
diff --git a/tests/psa-client-server/psasim/src/server.c b/tests/psa-client-server/psasim/src/server.c
new file mode 100644
index 0000000..10ab5a2
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/server.c
@@ -0,0 +1,116 @@
+/* psasim test server */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+
+/* Includes from psasim */
+#include "service.h"
+#include "error_ext.h"
+#include "util.h"
+#include "psa_manifest/manifest.h"
+#include "psa_functions_codes.h"
+
+/* Includes from mbedtls */
+#include "mbedtls/version.h"
+#include "psa/crypto.h"
+
+#ifdef DEBUG
+#define SERVER_PRINT(fmt, ...) \
+ PRINT("Server: " fmt, ##__VA_ARGS__)
+#else
+#define SERVER_PRINT(...)
+#endif
+
+#define BUF_SIZE 25
+
+static int kill_on_disconnect = 0; /* Kill the server on client disconnection. */
+
+void parse_input_args(int argc, char *argv[])
+{
+ int opt;
+
+ while ((opt = getopt(argc, argv, "k")) != -1) {
+ switch (opt) {
+ case 'k':
+ kill_on_disconnect = 1;
+ break;
+ default:
+ fprintf(stderr, "Usage: %s [-k]\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ }
+}
+
+int psa_server_main(int argc, char *argv[])
+{
+ psa_status_t ret = PSA_ERROR_PROGRAMMER_ERROR;
+ psa_msg_t msg = { -1 };
+ const int magic_num = 66;
+ int client_disconnected = 0;
+ char mbedtls_version[18];
+ extern psa_status_t psa_crypto_call(psa_msg_t msg);
+ extern psa_status_t psa_crypto_close(void);
+
+ mbedtls_version_get_string_full(mbedtls_version);
+ SERVER_PRINT("%s", mbedtls_version);
+
+ parse_input_args(argc, argv);
+ SERVER_PRINT("Starting");
+
+ while (!(kill_on_disconnect && client_disconnected)) {
+ psa_signal_t signals = psa_wait(PSA_WAIT_ANY, PSA_BLOCK);
+
+ if (signals > 0) {
+ SERVER_PRINT("Signals: 0x%08x", signals);
+ }
+
+ if (signals & PSA_CRYPTO_SIGNAL) {
+ if (PSA_SUCCESS == psa_get(PSA_CRYPTO_SIGNAL, &msg)) {
+ SERVER_PRINT("handle: %d - rhandle: %p", msg.handle, (int *) msg.rhandle);
+ switch (msg.type) {
+ case PSA_IPC_CONNECT:
+ SERVER_PRINT("Got a connection message");
+ psa_set_rhandle(msg.handle, (void *) &magic_num);
+ ret = PSA_SUCCESS;
+ break;
+ case PSA_IPC_DISCONNECT:
+ SERVER_PRINT("Got a disconnection message");
+ ret = PSA_SUCCESS;
+ client_disconnected = 1;
+ psa_crypto_close();
+ break;
+ default:
+ SERVER_PRINT("Got an IPC call of type %d", msg.type);
+ ret = psa_crypto_call(msg);
+ SERVER_PRINT("Internal function call returned %d", ret);
+
+ if (msg.client_id > 0) {
+ psa_notify(msg.client_id);
+ } else {
+ SERVER_PRINT("Client is non-secure, so won't notify");
+ }
+ }
+
+ psa_reply(msg.handle, ret);
+ } else {
+ SERVER_PRINT("Failed to retrieve message");
+ }
+ } else if (SIGSTP_SIG & signals) {
+ SERVER_PRINT("Recieved SIGSTP signal. Gonna EOI it.");
+ psa_eoi(SIGSTP_SIG);
+ } else if (SIGINT_SIG & signals) {
+ SERVER_PRINT("Handling interrupt!");
+ SERVER_PRINT("Gracefully quitting");
+ psa_panic();
+ } else {
+ SERVER_PRINT("No signal asserted");
+ }
+ }
+
+ return 0;
+}
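Review bot: The block-scope declarations `extern psa_status_t psa_crypto_call(psa_msg_t msg);` and `extern psa_status_t psa_crypto_close(void);` in `psa_server_main` are never checked against the real definitions, so a later signature change would still compile and then misbehave at run time. They belong in a psasim header that both this file and the defining file include. `parse_input_args` calls `exit(EXIT_FAILURE)` although the file directly includes only `<unistd.h>` and `<stdio.h>`, so add `#include <stdlib.h>` unless one of the psasim headers is meant to supply it. `BUF_SIZE` is defined but unused in this file, and `parse_input_args` can be `static`.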
diff --git a/tests/psa-client-server/psasim/test/kill_server.sh b/tests/psa-client-server/psasim/test/kill_server.sh
new file mode 100755
index 0000000..7aba5a3
--- /dev/null
+++ b/tests/psa-client-server/psasim/test/kill_server.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+set -e
+
+pkill psa_server || true
+
+# Remove temporary files and logs
+rm -f psa_notify_*
+rm -f psa_service_*
+rm -f psa_server.log
+
+# Remove all IPCs
+ipcs -q | awk '{ printf " -q " $2 }' | xargs ipcrm > /dev/null 2>&1 || true
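Review bot: The last line removes every System V message queue that `ipcs -q` lists and the caller is allowed to delete, not only the queues psasim created, and `pkill psa_server` matches by pattern rather than exact name. On a shared build host that can disturb unrelated jobs, and run_test.sh carries a similar `ipcs ... | xargs ipcrm` line. Narrow both to the current user and the exact process name, e.g. `pkill -x -u "$(id -u)" psa_server || true`, and filter the `ipcs` rows on the owner column before passing ids to `ipcrm`. The `awk` program also splices `$2` into the `printf` format string; `printf " -q %s", $2` keeps the field as data. The `rm -f psa_notify_*` lines act on whatever the current directory is, since this script never sets it.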
diff --git a/tests/psa-client-server/psasim/test/run_test.sh b/tests/psa-client-server/psasim/test/run_test.sh
new file mode 100755
index 0000000..ac9c4c8
--- /dev/null
+++ b/tests/psa-client-server/psasim/test/run_test.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+# This is a simple bash script that tests psa_client/psa_server interaction.
+# This script is automatically executed when "make run" is launched by the
+# "psasim" root folder. The script can also be launched manually once
+# binary files are built (i.e. after "make test" is executed from the "psasim"
+# root folder).
+
+set -e
+
+cd "$(dirname "$0")"
+
+CLIENT_BIN=$1
+shift
+
+ipcs | grep q | awk '{ printf " -q " $2 }' | xargs ipcrm > /dev/null 2>&1 || true
+
+./start_server.sh
+./$CLIENT_BIN "$@"
+
+# Kill server once client exited
+pkill psa_server
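Review bot: Because `set -e` is active, a failing `./$CLIENT_BIN "$@"` ends the script before the final `pkill psa_server`, so the server process and its queues outlive every failed test run. Registering the cleanup before the server is started covers both outcomes: `trap 'pkill psa_server || true' EXIT` placed ahead of `./start_server.sh`. `CLIENT_BIN` should also be quoted at its use, `"./$CLIENT_BIN" "$@"`, and checked for being non-empty before `shift`.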
diff --git a/tests/psa-client-server/psasim/test/start_server.sh b/tests/psa-client-server/psasim/test/start_server.sh
new file mode 100755
index 0000000..fcc8a97
--- /dev/null
+++ b/tests/psa-client-server/psasim/test/start_server.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+set -e
+
+# The server creates some local files when it starts up so we can wait for this
+# event as signal that the server is ready so that we can start client(s).
+function wait_for_server_startup() {
+ while [ $(find . -name "psa_notify_*" | wc -l) -eq 0 ]; do
+ sleep 0.1
+ done
+}
+
+$(dirname "$0")/kill_server.sh
+
+$(dirname "$0")/psa_server &
+wait_for_server_startup
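Review bot: `wait_for_server_startup` polls without any bound, so if `psa_server` exits during start-up or writes its `psa_notify_*` file somewhere other than the current directory, the loop never ends and the CI job hangs until an outer timeout. The wait should take the background PID, stop as soon as that process is gone, and give up after a fixed number of tries. The two `$(dirname "$0")` expansions should be quoted so a checkout path containing spaces still works. The retry count in the sketch below is a constructed value.

```shell
function wait_for_server_startup() {
    local server_pid=$1
    local tries=100   # constructed value: 100 polls of 0.1 s
    while [ "$(find . -name "psa_notify_*" | wc -l)" -eq 0 ]; do
        # Stop waiting if the server already died
        kill -0 "$server_pid" 2>/dev/null || return 1
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep 0.1
    done
}

# … unchanged: kill_server.sh invocation …

"$(dirname "$0")/psa_server" &
wait_for_server_startup $!
```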
diff --git a/tests/psa-client-server/psasim/tools/psa_autogen.py b/tests/psa-client-server/psasim/tools/psa_autogen.py
new file mode 100755
index 0000000..fbc9806
--- /dev/null
+++ b/tests/psa-client-server/psasim/tools/psa_autogen.py
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""This hacky script generates a partition from a manifest file"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import json
+import os
+import sys
+from os import listdir
+
+if len(sys.argv) != 2:
+ print("Usage: psa_autogen <manifest_file>")
+ sys.exit(1)
+
+FILENAME = str(sys.argv[1])
+
+SCRIPT_PATH = os.path.dirname(__file__)
+GENERATED_H_PATH = os.path.join(SCRIPT_PATH, "..", "include", "psa_manifest")
+GENERATED_C_PATH = os.path.join(SCRIPT_PATH, "..", "src")
+
+MANIFEST_FILE = os.path.join(GENERATED_H_PATH, "manifest.h")
+PID_FILE = os.path.join(GENERATED_H_PATH, "pid.h")
+SID_FILE = os.path.join(GENERATED_H_PATH, "sid.h")
+
+with open(str(FILENAME), "r") as read_file:
+ data = json.load(read_file)
+ FILENAME = os.path.basename(FILENAME)
+ FILENAME = FILENAME.split('.')[0]
+ print("Base filename is " + str(FILENAME))
+
+ if str(data['psa_framework_version'] == "1.0"):
+ entry_point = str(data['entry_point'])
+ partition_name = str(data['name'])
+ services = data['services']
+ try:
+ irqs = data['irqs']
+ except KeyError:
+ irqs = []
+
+ try:
+ os.mkdir(GENERATED_H_PATH)
+ print("Generating psa_manifest directory")
+ except OSError:
+ print("PSA manifest directory already exists")
+
+ manifest_content = []
+ pids_content = []
+ sids_content = []
+
+ if len(services) > 28:
+ print ("Unsupported number of services")
+
+ count = 4 # For creating SID array
+ nsacl = "const int ns_allowed[32] = { "
+ policy = "const int strict_policy[32] = { "
+ qcode = "const char *psa_queues[] = { "
+ versions = "const uint32_t versions[32] = { "
+ queue_path = "psa_service_"
+ start = False
+
+ for x in range(0, count):
+ qcode = qcode + "\"\", "
+ nsacl = nsacl + "0, "
+ policy = policy + "0, "
+ versions = versions + "0, "
+
+ # Go through all the services to make sid.h and pid.h
+ for svc in services:
+ manifest_content.append("#define {}_SIGNAL 0x{:08x}".format(svc['signal'], 2**count))
+ sids_content.append("#define {}_SID {}".format(svc['name'], svc['sid']))
+ qcode = qcode + "\"" + queue_path + str(int(svc['sid'], 16)) + "\","
+ ns_clients = svc['non_secure_clients']
+ print(str(svc))
+ if ns_clients == "true":
+ nsacl = nsacl + "1, "
+ else:
+ nsacl = nsacl + "0, "
+ try:
+ versions = versions + str(svc['minor_version']) + ", "
+ except KeyError:
+ versions = versions + "1, "
+
+ strict = 0
+ try:
+ if str(svc['minor_policy']).lower() == "strict":
+ strict = 1
+ policy = policy + "1, "
+ else:
+ policy = policy + "0, "
+ except KeyError:
+ strict = 0
+ policy = policy + "0, "
+
+ count = count+1
+
+ sigcode = ""
+ handlercode = "void __sig_handler(int signo) {\n"
+ irqcount = count
+ for irq in irqs:
+ manifest_content.append("#define {} 0x{:08x}".format(irq['signal'], 2**irqcount))
+ sigcode = sigcode + " signal({}, __sig_handler);\n".format(irq['source'])
+ handlercode = handlercode + \
+ " if (signo == {}) {{ raise_signal(0x{:08x}); }};\n".format(irq['source'], 2**irqcount)
+ irqcount = irqcount+1
+
+ handlercode = handlercode + "}\n"
+
+ while (count < 32):
+ qcode = qcode + "\"\", "
+ nsacl = nsacl + "0, "
+ versions = versions + "0, "
+ policy = policy + "0, "
+ count = count + 1
+
+ qcode = qcode + "};\n"
+ nsacl = nsacl + "};\n"
+ versions = versions + "};\n"
+ policy = policy + "};\n"
+
+ with open(MANIFEST_FILE, "wt") as output:
+ output.write("\n".join(manifest_content))
+ with open(SID_FILE, "wt") as output:
+ output.write("\n".join(sids_content))
+ with open(PID_FILE, "wt") as output:
+ output.write("\n".join(pids_content))
+
+ symbols = []
+
+ # Go through source files and look for the entrypoint
+ for root, directories, filenames in os.walk(GENERATED_C_PATH):
+ for filename in filenames:
+ if "psa_ff_bootstrap" in filename or filename == "psa_manifest":
+ continue
+ try:
+ fullpath = os.path.join(root,filename)
+ with open(fullpath, encoding='utf-8') as currentFile:
+ text = currentFile.read()
+ if str(entry_point + "(") in text:
+ symbols.append(filename)
+ except IOError:
+ print("Couldn't open " + filename)
+ except UnicodeDecodeError:
+ pass
+
+ print(str("Number of entrypoints detected: " + str(len(symbols))))
+ if len(symbols) < 1:
+ print("Couldn't find function " + entry_point)
+ sys.exit(1)
+ elif len(symbols) > 1:
+ print("Duplicate entrypoint symbol detected: " + str(symbols))
+ sys.exit(2)
+ else:
+ C_FILENAME = os.path.join(GENERATED_C_PATH, "psa_ff_bootstrap_" + partition_name + ".c")
+ c_content = []
+ c_content.append("#include <init.h>")
+ c_content.append("#include \"" + symbols[0] + "\"")
+ c_content.append("#include <signal.h>")
+ c_content.append(qcode)
+ c_content.append(nsacl)
+ c_content.append(policy)
+ c_content.append(versions)
+ c_content.append(handlercode)
+ c_content.append("int main(int argc, char *argv[]) {")
+ c_content.append(" (void) argc;")
+ c_content.append(sigcode)
+ c_content.append(" __init_psasim(psa_queues, 32, ns_allowed, versions,"
+ "strict_policy);")
+ c_content.append(" " + entry_point + "(argc, argv);")
+ c_content.append("}")
+ with open(C_FILENAME, "wt") as output:
+ output.write("\n".join(c_content))
+
+ print("Success")
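Review bot: The framework-version check `if str(data['psa_framework_version'] == "1.0"):` wraps the whole comparison in `str()`, which yields the non-empty string "True" or "False", so the branch is taken for every manifest. It should read `if str(data['psa_framework_version']) == "1.0":`. In the same block, `len(services) > 28` only prints a message and carries on even though the generated arrays are fixed at 32 entries; it should end with `sys.exit(1)`. Manifest fields such as `svc['signal']`, `irq['source']` and `entry_point` are pasted into the generated C and header files unchecked, so validating them as C identifiers before writing would keep a malformed manifest from producing unexpected source.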
diff --git a/tests/scripts/all-in-docker.sh b/tests/scripts/all-in-docker.sh
index 7c03d91..b2a31c2 100755
--- a/tests/scripts/all-in-docker.sh
+++ b/tests/scripts/all-in-docker.sh
@@ -17,19 +17,7 @@
# See also all.sh for notes about invocation of that script.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
source tests/scripts/docker_env.sh
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 9290aa6..b2f6bf2 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -3,19 +3,7 @@
# all.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
@@ -56,7 +44,7 @@
# * GNUTLS_{CLI,SERV} = 3.4.10
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
-# * OPENSSL_NEXT = 1.1.1a
+# * OPENSSL_NEXT = 3.1.2
# See the invocation of check_tools below for details.
#
# This script must be invoked from the toplevel directory of a git
@@ -86,6 +74,7 @@
# * component_check_XXX: quick tests that aren't worth parallelizing.
# * component_build_XXX: build things but don't run them.
# * component_test_XXX: build and test.
+# * component_release_XXX: tests that the CI should skip during PR testing.
# * support_XXX: if support_XXX exists and returns false then
# component_XXX is not run by default.
# * post_XXX: things to do after running the tests.
@@ -144,10 +133,19 @@ pre_check_environment () {
pre_initialize_variables () {
if in_mbedtls_repo; then
CONFIG_H='include/mbedtls/mbedtls_config.h'
+ if [ -d tf-psa-crypto ]; then
+ CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h'
+ PSA_CORE_PATH='tf-psa-crypto/core'
+ BUILTIN_SRC_PATH='tf-psa-crypto/drivers/builtin/src'
+ else
+ CRYPTO_CONFIG_H='include/psa/crypto_config.h'
+ fi
else
CONFIG_H='drivers/builtin/include/mbedtls/mbedtls_config.h'
+ CRYPTO_CONFIG_H='include/psa/crypto_config.h'
+ PSA_CORE_PATH='core'
+ BUILTIN_SRC_PATH='drivers/builtin/src'
fi
- CRYPTO_CONFIG_H='include/psa/crypto_config.h'
CONFIG_TEST_DRIVER_H='tests/include/test/drivers/config_test_driver.h'
# Files that are clobbered by some jobs will be backed up. Use a different
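Review bot: In the `in_mbedtls_repo` branch without a `tf-psa-crypto` directory only `CRYPTO_CONFIG_H` is assigned, so `PSA_CORE_PATH` and `BUILTIN_SRC_PATH` stay unset on that path. The later hunk for `component_check_recursion` expands them unguarded as `${PSA_CORE_PATH}/*.c`, which turns into `/*.c`, or aborts the script if it runs with nounset (not visible here). Either assign both variables in every branch or guard each use, e.g. `if [ -n "${PSA_CORE_PATH:-}" ]; then tests/scripts/recursion.pl "$PSA_CORE_PATH"/*.c; fi`. `pre_initialize_variables` starts and ends outside this hunk.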
@@ -175,6 +173,9 @@ pre_initialize_variables () {
# basic-build-test.sh as well.
RELEASE_SEED=1
+ # Specify character collation for regular expressions and sorting with C locale
+ export LC_COLLATE=C
+
: ${MBEDTLS_TEST_OUTCOME_FILE=}
: ${MBEDTLS_TEST_PLATFORM="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
export MBEDTLS_TEST_OUTCOME_FILE
@@ -198,6 +199,14 @@ pre_initialize_variables () {
if [ -z "${MAKEFLAGS+set}" ]; then
export MAKEFLAGS="-j$(all_sh_nproc)"
fi
+ # if CC is not set, use clang by default (if present) to improve build times
+ if [ -z "${CC+set}" ] && (type clang > /dev/null 2>&1); then
+ export CC="clang"
+ fi
+
+ if [ -n "${OPENSSL_3+set}" ]; then
+ export OPENSSL_NEXT="$OPENSSL_3"
+ fi
# Include more verbose output for failing tests run by CMake or make
export CTEST_OUTPUT_ON_FAILURE=1
@@ -205,6 +214,8 @@ pre_initialize_variables () {
# CFLAGS and LDFLAGS for Asan builds that don't use CMake
# default to -O2, use -Ox _after_ this if you want another level
ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all'
+ # Normally, tests should use this compiler for ASAN testing
+ ASAN_CC=clang
# Platform tests have an allocation that returns null
export ASAN_OPTIONS="allocator_may_return_null=1"
@@ -214,15 +225,21 @@ pre_initialize_variables () {
# defined in this script whose name starts with "component_".
ALL_COMPONENTS=$(compgen -A function component_ | sed 's/component_//')
- # Exclude components that are not supported on this platform.
- SUPPORTED_COMPONENTS=
- for component in $ALL_COMPONENTS; do
- case $(type "support_$component" 2>&1) in
- *' function'*)
- if ! support_$component; then continue; fi;;
- esac
- SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
- done
+ PSASIM_PATH='tests/psa-client-server/psasim/'
+
+ # Delay determining SUPPORTED_COMPONENTS until the command line options have a chance to override
+ # the commands set by the environment
+}
+
+setup_quiet_wrappers()
+{
+ # Pick up "quiet" wrappers for make and cmake, which don't output very much
+ # unless there is an error. This reduces logging overhead in the CI.
+ #
+ # Note that the cmake wrapper breaks unless we use an absolute path here.
+ if [[ -e ${PWD}/tests/scripts/quiet ]]; then
+ export PATH=${PWD}/tests/scripts/quiet:$PATH
+ fi
}
# Test whether the component $1 is included in the command line patterns.
@@ -321,8 +338,15 @@ cleanup()
-iname CTestTestfile.cmake -o \
-iname CMakeCache.txt -o \
-path './cmake/*.cmake' \) -exec rm -f {} \+
- # Recover files overwritten by in-tree CMake builds
- rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile
+ # Remove Makefiles generated by in-tree CMake builds
+ rm -f pkgconfig/Makefile framework/Makefile
+ rm -f include/Makefile programs/!(fuzz)/Makefile
+ rm -f tf-psa-crypto/Makefile tf-psa-crypto/include/Makefile
+ rm -f tf-psa-crypto/core/Makefile tf-psa-crypto/drivers/Makefile
+ rm -f tf-psa-crypto/drivers/everest/Makefile
+ rm -f tf-psa-crypto/drivers/p256-m/Makefile
+ rm -f tf-psa-crypto/drivers/builtin/Makefile
+ rm -f tf-psa-crypto/drivers/builtin/src/Makefile
# Remove any artifacts from the component_test_cmake_as_subdirectory test.
rm -rf programs/test/cmake_subproject/build
@@ -347,6 +371,24 @@ cleanup()
done
}
+# This is a helper function to be used in psasim builds. It is meant to clean
+# up the library's workspace after the server build and before the client
+# build. Built libraries (mbedcrypto, mbedx509 and mbedtls) are supposed to be
+# already copied to psasim folder at this point.
+helper_psasim_cleanup_before_client() {
+ # Clean up library files
+ make -C library clean
+ # Clean up intermediate files that were used to build the server
+ make -C $PSASIM_PATH clean_server_intermediate_files
+ # Restore files that were backup before building library files. This
+ # includes $CONFIG_H and $CRYPTO_CONFIG_H.
+ for x in $files_to_back_up; do
+ if [[ -e "$x$backup_suffix" ]]; then
+ cp -p "$x$backup_suffix" "$x"
+ fi
+ done
+}
+
# Final cleanup when this script exits (except when exiting on a failure
# in non-keep-going mode).
final_cleanup () {
@@ -409,13 +451,18 @@ armc6_build_test()
FLAGS="$1"
msg "build: ARM Compiler 6 ($FLAGS)"
+ make clean
ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
WARNING_CFLAGS='-Werror -xc -std=c99' make lib
msg "size: ARM Compiler 6 ($FLAGS)"
"$ARMC6_FROMELF" -z library/*.o
-
- make clean
+ if [ -n ${PSA_CORE_PATH} ]; then
+ "$ARMC6_FROMELF" -z ${PSA_CORE_PATH}/*.o
+ fi
+ if [ -n ${BUILTIN_SRC_PATH} ]; then
+ "$ARMC6_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
+ fi
}
err_msg()
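Review bot: The guards `if [ -n ${PSA_CORE_PATH} ]` and `if [ -n ${BUILTIN_SRC_PATH} ]` are unquoted, so an empty value collapses the test to `[ -n ]`, which is true, and `"$ARMC6_FROMELF" -z /*.o` runs anyway. Quote the expansion and give it a default so the guard does what it says: `if [ -n "${PSA_CORE_PATH:-}" ]; then` and likewise for `BUILTIN_SRC_PATH`, with the glob written as `"$PSA_CORE_PATH"/*.o`. `armc6_build_test` begins before this hunk.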
@@ -433,22 +480,11 @@ check_tools()
done
}
-pre_parse_command_line_for_dirs () {
- # Make an early pass through the options given, so we can set directories
- # for Arm compilers, before SUPPORTED_COMPONENTS is determined.
- while [ $# -gt 0 ]; do
- case "$1" in
- --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
- --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
- esac
- shift
- done
-}
-
pre_parse_command_line () {
COMMAND_LINE_COMPONENTS=
all_except=0
error_test=0
+ list_components=0
restore_first=0
no_armcc=
@@ -461,8 +497,8 @@ pre_parse_command_line () {
--arm-none-eabi-gcc-prefix) shift; ARM_NONE_EABI_GCC_PREFIX="$1";;
--arm-linux-gnueabi-gcc-prefix) shift; ARM_LINUX_GNUEABI_GCC_PREFIX="$1";;
--armcc) no_armcc=;;
- --armc5-bin-dir) shift; ;; # assignment to ARMC5_BIN_DIR done in pre_parse_command_line_for_dirs
- --armc6-bin-dir) shift; ;; # assignment to ARMC6_BIN_DIR done in pre_parse_command_line_for_dirs
+ --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
+ --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
--clang-earliest) shift; CLANG_EARLIEST="$1";;
--clang-latest) shift; CLANG_LATEST="$1";;
--error-test) error_test=$((error_test + 1));;
@@ -477,7 +513,7 @@ pre_parse_command_line () {
--help|-h) usage; exit;;
--keep-going|-k) KEEP_GOING=1;;
--list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;;
- --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;;
+ --list-components) list_components=1;;
--memory|-m) MEMORY=1;;
--no-append-outcome) append_outcome=0;;
--no-armcc) no_armcc=1;;
@@ -504,6 +540,21 @@ pre_parse_command_line () {
shift
done
+ # Exclude components that are not supported on this platform.
+ SUPPORTED_COMPONENTS=
+ for component in $ALL_COMPONENTS; do
+ case $(type "support_$component" 2>&1) in
+ *' function'*)
+ if ! support_$component; then continue; fi;;
+ esac
+ SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
+ done
+
+ if [ $list_components -eq 1 ]; then
+ printf '%s\n' $SUPPORTED_COMPONENTS
+ exit
+ fi
+
# With no list of components, run everything.
if [ -z "$COMMAND_LINE_COMPONENTS" ] && [ $restore_first -eq 0 ]; then
all_except=1
@@ -634,6 +685,7 @@ pre_setup_keep_going () {
case "$1" in
"msg "*) false;;
"cd "*) false;;
+ "diff "*) true;;
*make*[\ /]tests*) false;; # make tests, make CFLAGS=-I../tests, ...
*test*) true;; # make test, tests/stuff, env V=v tests/stuff, ...
*make*check*) true;;
@@ -756,7 +808,7 @@ pre_check_tools () {
# Require OpenSSL and GnuTLS if running any tests (as opposed to
# only doing builds). Not all tests run OpenSSL and GnuTLS, but this
# is a good enough approximation in practice.
- *" test_"*)
+ *" test_"* | *" release_test_"*)
# To avoid setting OpenSSL and GnuTLS for each call to compat.sh
# and ssl-opt.sh, we just export the variables they require.
export OPENSSL="$OPENSSL"
@@ -826,6 +878,14 @@ pre_generate_files() {
fi
}
+clang_version() {
+ if command -v clang > /dev/null ; then
+ clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#'
+ else
+ echo 0 # report version 0 for "no clang"
+ fi
+}
+
################################################################
#### Helpers for components using libtestdriver1
################################################################
@@ -864,7 +924,7 @@ pre_generate_files() {
# Example:
# loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512"
# helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
-# 4b. Call helper_libtestdriver1_make_main "$loc_accel_list". Any
+# 3b. Call helper_libtestdriver1_make_main "$loc_accel_list". Any
# additional arguments will be passed to make: this can be useful if
# you don't want to build everything when iterating during development.
# Example:
@@ -883,16 +943,101 @@ helper_libtestdriver1_adjust_config() {
# Enable PSA-based config (necessary to use drivers)
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
- # partial support for cipher operations in the driver test library.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
-
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+
+ # If threading is enabled on the normal build, then we need to enable it in the drivers as well,
+ # otherwise we will end up running multithreaded tests without mutexes to protect them.
+ if scripts/config.py get MBEDTLS_THREADING_C; then
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_C
+ fi
+
+ if scripts/config.py get MBEDTLS_THREADING_PTHREAD; then
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_PTHREAD
+ fi
+}
+
+# Build the drivers library libtestdriver1.a (with ASan).
+#
+# Parameters:
+# 1. a space-separated list of things to accelerate;
+# 2. optional: a space-separate list of things to also support.
+# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
+helper_libtestdriver1_make_drivers() {
+ loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
+ make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
+}
+
+# Build the main libraries, programs and tests,
+# linking to the drivers library (with ASan).
+#
+# Parameters:
+# 1. a space-separated list of things to accelerate;
+# *. remaining arguments if any are passed directly to make
+# (examples: lib, -C tests test_suite_xxx, etc.)
+# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
+helper_libtestdriver1_make_main() {
+ loc_accel_list=$1
+ shift
+
+ # we need flags both with and without the LIBTESTDRIVER1_ prefix
+ loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
+ loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@"
}
+# Set some default values $CONFIG_H in order to build server or client sides
+# in PSASIM. There is only 1 mandatory parameter:
+# - $1: target which can be "client" or "server"
+helper_psasim_config() {
+ TARGET=$1
+
+ if [ "$TARGET" == "client" ]; then
+ scripts/config.py full
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
+ # Dynamic secure element support is a deprecated feature and it is not
+ # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled.
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+ # Disable potentially problematic features
+ scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ else
+ scripts/config.py crypto_full
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ # We need to match the client with MBEDTLS_PSA_CRYPTO_SE_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+ # Also ensure MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER not set (to match client)
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ fi
+}
+
+# Helper to build the libraries for client/server in PSASIM. If the server is
+# being built, then it builds also the final executable.
+# There is only 1 mandatory parameter:
+# - $1: target which can be "client" or "server"
+helper_psasim_build() {
+ TARGET=$1
+ shift
+ TARGET_LIB=${TARGET}_libs
+
+ make -C $PSASIM_PATH CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $TARGET_LIB "$@"
+
+ # Build also the server application after its libraries have been built.
+ if [ "$TARGET" == "server" ]; then
+ make -C $PSASIM_PATH CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_server
+ fi
+}
+
+################################################################
+#### Configuration helpers
+################################################################
+
# When called with no parameter this function disables all builtin curves.
# The function optionally accepts 1 parameter: a space-separated list of the
# curves that should be kept enabled.
@@ -917,6 +1062,18 @@ helper_get_psa_curve_list () {
echo "$loc_list"
}
+# Helper returning the list of supported DH groups from CRYPTO_CONFIG_H,
+# without the "PSA_WANT_" prefix. This becomes handy for accelerating DH groups
+# in the following helpers.
+helper_get_psa_dh_group_list () {
+ loc_list=""
+ for item in $(sed -n 's/^#define PSA_WANT_\(DH_RFC7919_[0-9]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
+ loc_list="$loc_list $item"
+ done
+
+ echo "$loc_list"
+}
+
# Get the list of uncommented PSA_WANT_KEY_TYPE_xxx_ from CRYPTO_CONFIG_H. This
# is useful to easily get a list of key type symbols to accelerate.
# The function accepts a single argument which is the key type: ECC, DH, RSA.
@@ -934,33 +1091,22 @@ helper_get_psa_key_type_list() {
echo "$loc_list"
}
-# Build the drivers library libtestdriver1.a (with ASan).
-#
-# Parameters:
-# 1. a space-separated list of things to accelerate;
-# 2. optional: a space-separate list of things to also support.
-# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
-helper_libtestdriver1_make_drivers() {
- loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
- make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# Build the main libraries, programs and tests,
-# linking to the drivers library (with ASan).
-#
-# Parameters:
-# 1. a space-separated list of things to accelerate;
-# *. remaining arguments if any are passed directly to make
-# (examples: lib, -C tests test_suite_xxx, etc.)
-# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
-helper_libtestdriver1_make_main() {
- loc_accel_list=$1
- shift
-
- # we need flags both with and without the LIBTESTDRIVER1_ prefix
- loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
- loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
- make CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@"
+# Helper function for controlling (start & stop) the psasim server.
+helper_psasim_server() {
+ OPERATION=$1
+ if [ "$OPERATION" == "start" ]; then
+ (
+ cd tests
+ msg "start server"
+ psa-client-server/psasim/test/start_server.sh
+ )
+ else
+ (
+ cd tests
+ msg "terminate server and cleanup"
+ psa-client-server/psasim//test/kill_server.sh
+ )
+ fi
}
################################################################
@@ -981,6 +1127,8 @@ helper_libtestdriver1_make_main() {
component_check_recursion () {
msg "Check: recursion.pl" # < 1s
tests/scripts/recursion.pl library/*.c
+ tests/scripts/recursion.pl ${PSA_CORE_PATH}/*.c
+ tests/scripts/recursion.pl ${BUILTIN_SRC_PATH}/*.c
}
component_check_generated_files () {
@@ -1041,6 +1189,61 @@ component_check_test_cases () {
unset opt
}
+component_check_test_dependencies () {
+ msg "Check: test case dependencies: legacy vs PSA" # < 1s
+ # The purpose of this component is to catch unjustified dependencies on
+ # legacy feature macros (MBEDTLS_xxx) in PSA tests. Generally speaking,
+ # PSA test should use PSA feature macros (PSA_WANT_xxx, more rarely
+ # MBEDTLS_PSA_xxx).
+ #
+ # Most of the time, use of legacy MBEDTLS_xxx macros are mistakes, which
+ # this component is meant to catch. However a few of them are justified,
+ # mostly by the absence of a PSA equivalent, so this component includes a
+ # list of expected exceptions.
+
+ found="check-test-deps-found-$$"
+ expected="check-test-deps-expected-$$"
+
+ # Find legacy dependencies in PSA tests
+ grep 'depends_on' \
+ tests/suites/test_suite_psa*.data tests/suites/test_suite_psa*.function |
+ grep -Eo '!?MBEDTLS_[^: ]*' |
+ grep -v -e MBEDTLS_PSA_ -e MBEDTLS_TEST_ |
+ sort -u > $found
+
+ # Expected ones with justification - keep in sorted order by ASCII table!
+ rm -f $expected
+ # No PSA equivalent - WANT_KEY_TYPE_AES means all sizes
+ echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected
+ # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES
+ echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected
+ # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto
+ # in order to build a fake RSA key of the wanted size based on
+ # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by
+ # the test code and that's probably the most convenient way of achieving
+ # the test's goal.
+ echo "MBEDTLS_ASN1_WRITE_C" >> $expected
+ # No PSA equivalent - we should probably have one in the future.
+ echo "MBEDTLS_ECP_RESTARTABLE" >> $expected
+ # No PSA equivalent - needed by some init tests
+ echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected
+ # No PSA equivalent - required to run threaded tests.
+ echo "MBEDTLS_THREADING_PTHREAD" >> $expected
+
+ # Compare reality with expectation.
+ # We want an exact match, to ensure the above list remains up-to-date.
+ #
+ # The output should be empty. When it's not:
+ # - Each '+' line is a macro that was found but not expected. You want to
+ # find where that macro occurs, and either replace it with PSA macros, or
+ # add it to the exceptions list above with a justification.
+ # - Each '-' line is a macro that was expected but not found; it means the
+ # exceptions list above should be updated by removing that macro.
+ diff -U0 $expected $found
+
+ rm $found $expected
+}
+
component_check_doxygen_warnings () {
msg "Check: doxygen warnings (builds the documentation)" # ~ 3s
tests/scripts/doxygen.sh
@@ -1082,6 +1285,9 @@ component_test_default_cmake_gcc_asan () {
msg "test: selftest (ASan build)" # ~ 10s
programs/test/selftest
+ msg "test: metatests (GCC, ASan build)"
+ tests/scripts/run-metatests.sh any asan poison
+
msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
tests/ssl-opt.sh
@@ -1123,14 +1329,19 @@ component_test_full_cmake_gcc_asan () {
msg "test: main suites (inc. selftests) (full config, ASan build)"
make test
- msg "test: selftest (ASan build)" # ~ 10s
+ msg "test: selftest (full config, ASan build)" # ~ 10s
programs/test/selftest
msg "test: ssl-opt.sh (full config, ASan build)"
tests/ssl-opt.sh
- msg "test: compat.sh (full config, ASan build)"
- tests/compat.sh
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full config, ASan build)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
+
+ msg "test: compat.sh: next: ARIA, Chacha (full config, ASan build)"
+ env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
tests/context-info.sh
@@ -1144,19 +1355,24 @@ component_test_full_cmake_gcc_asan_new_bignum () {
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: main suites (inc. selftests) (full config, ASan build)"
+ msg "test: main suites (inc. selftests) (full config, new bignum, ASan)"
make test
- msg "test: selftest (ASan build)" # ~ 10s
+ msg "test: selftest (full config, new bignum, ASan)" # ~ 10s
programs/test/selftest
- msg "test: ssl-opt.sh (full config, ASan build)"
+ msg "test: ssl-opt.sh (full config, new bignum, ASan)"
tests/ssl-opt.sh
- msg "test: compat.sh (full config, ASan build)"
- tests/compat.sh
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full config, new bignum, ASan)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
- msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
+ msg "test: compat.sh: next: ARIA, Chacha (full config, new bignum, ASan)"
+ env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+
+ msg "test: context-info.sh (full config, new bignum, ASan)" # ~ 15 sec
tests/context-info.sh
}
@@ -1171,6 +1387,17 @@ component_test_psa_crypto_key_id_encodes_owner () {
make test
}
+component_test_psa_assume_exclusive_buffers () {
+ msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
+
+ msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan"
+ make test
+}
+
# check_renamed_symbols HEADER LIB
# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
# name is LIB.
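Review bot: component_test_psa_assume_exclusive_buffers carries no comment saying what the option takes away, so a reader cannot tell why this configuration needs its own ASan run. As the option name suggests, the PSA core then assumes caller buffers are not shared with another party and skips its defensive input/output copies. A short comment above the first `msg` would record that, for example `# MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS turns off the PSA core's copying of caller buffers; run the suites under ASan with that protection removed.` The component runs only `make test`; whether any suite exercises the no-copy path specifically is not visible from this hunk.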
@@ -1196,25 +1423,14 @@ component_build_psa_crypto_spm () {
check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
}
-component_test_psa_crypto_client () {
- msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- make
-
- msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
- make test
-}
-
-component_test_psa_crypto_rsa_no_genprime() {
- msg "build: default config minus MBEDTLS_GENPRIME"
+component_test_no_rsa_key_pair_generation() {
+ msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py unset MBEDTLS_GENPRIME
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
- msg "test: default config minus MBEDTLS_GENPRIME"
+ msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
make test
}
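Review bot: `$CRYPTO_CONFIG_H` is expanded unquoted in `scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE`, while components added elsewhere in the same commit (component_test_full_no_ccm, component_test_psa_crypto_config_ffdh_2048_only) write `-f "$CRYPTO_CONFIG_H"`. The unquoted form recurs in component_test_crypto_full_md_light_only, component_test_full_no_cipher, the three tls1_2 cipher-only components and component_test_everest_curve25519_only. Use the quoted form throughout so that a path with whitespace, or an empty variable, fails visibly instead of shifting the arguments. The same applies to `make CC=$ASAN_CC ...` in later hunks: unlike the `CC=$ASAN_CC cmake` prefix assignments, that value is a command argument and is word-split, so `make CC="$ASAN_CC"` is the safer spelling.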
@@ -1229,14 +1445,14 @@ component_test_ref_configs () {
# whether they're on or off. So, disable cmake's (over-sensitive here)
# dependency resolution for generated files and just rely on them being
# present (thanks to pre_generate_files) by turning GEN_FILES off.
- CC=gcc cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
tests/scripts/test-ref-configs.pl
}
component_test_no_renegotiation () {
msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
@@ -1252,7 +1468,7 @@ component_test_no_pem_no_fs () {
scripts/config.py unset MBEDTLS_FS_IO
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
@@ -1265,7 +1481,7 @@ component_test_no_pem_no_fs () {
component_test_rsa_no_crt () {
msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
scripts/config.py set MBEDTLS_RSA_NO_CRT
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
@@ -1288,7 +1504,7 @@ component_test_no_ctr_drbg_classic () {
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: Full minus CTR_DRBG, classic crypto - main suites"
@@ -1310,7 +1526,7 @@ component_test_no_ctr_drbg_use_psa () {
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites"
@@ -1334,7 +1550,7 @@ component_test_no_hmac_drbg_classic () {
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
@@ -1361,7 +1577,7 @@ component_test_no_hmac_drbg_use_psa () {
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites"
@@ -1396,7 +1612,7 @@ component_test_psa_external_rng_no_drbg_classic () {
# When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
# the SSL test programs don't have an RNG and can't work. Explicitly
# make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
- make CFLAGS="$ASAN_CFLAGS -O2 -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
make test
@@ -1415,7 +1631,7 @@ component_test_psa_external_rng_no_drbg_use_psa () {
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
- make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
make test
@@ -1430,7 +1646,7 @@ component_test_psa_external_rng_use_psa_crypto () {
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_CTR_DRBG_C
- make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
make test
@@ -1448,7 +1664,7 @@ component_test_psa_inject_entropy () {
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
- make CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
make test
@@ -1465,10 +1681,27 @@ component_test_sw_inet_pton () {
make test
}
+component_full_no_pkparse_pkwrite() {
+ msg "build: full without pkparse and pkwrite"
+
+ scripts/config.py crypto_full
+ scripts/config.py unset MBEDTLS_PK_PARSE_C
+ scripts/config.py unset MBEDTLS_PK_WRITE_C
+
+ make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
+
+ # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
+ not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o
+ not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o
+
+ msg "test: full without pkparse and pkwrite"
+ make test
+}
+
component_test_crypto_full_md_light_only () {
msg "build: crypto_full with only the light subset of MD"
scripts/config.py crypto_full
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG
+
# Disable MD
scripts/config.py unset MBEDTLS_MD_C
# Disable direct dependencies of MD_C
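Review bot: component_full_no_pkparse_pkwrite builds with `make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"` and no `CC=`, although this commit otherwise moves the ASan make invocations to `make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" ...`. The definitions of ASAN_CC and ASAN_CFLAGS are outside this chunk. If the flags are tuned for that compiler, this component compiles them with whatever `cc` the host defaults to, and may run under a different sanitizer runtime than its neighbours. The make line in component_test_psa_crypto_config_ffdh_2048_only, added in a later hunk, has the same omission. Suggested: `make CC="$ASAN_CC" CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"`.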
@@ -1477,144 +1710,131 @@ component_test_crypto_full_md_light_only () {
scripts/config.py unset MBEDTLS_PKCS7_C
# Disable indirect dependencies of MD_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
# Disable things that would auto-enable MD_C
scripts/config.py unset MBEDTLS_PKCS5_C
# Note: MD-light is auto-enabled in build_info.h by modules that need it,
# which we haven't disabled, so no need to explicitly enable it.
- make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
# Make sure we don't have the HMAC functions, but the hashing functions
- not grep mbedtls_md_hmac library/md.o
- grep mbedtls_md library/md.o
+ not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
+ grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o
msg "test: crypto_full with only the light subset of MD"
make test
}
component_test_full_no_cipher () {
- msg "build: full minus CIPHER"
+ msg "build: full no CIPHER"
+
scripts/config.py full
scripts/config.py unset MBEDTLS_CIPHER_C
- # Don't pull in cipher via PSA mechanisms
- # (currently ignored anyway because we completely disable PSA)
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG
- # Direct dependencies
- scripts/config.py unset MBEDTLS_CCM_C
+
+ # The built-in implementation of the following algs/key-types depends
+ # on CIPHER_C so we disable them.
+ # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
+ # so we keep them enabled.
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
+
+ # The following modules directly depends on CIPHER_C
scripts/config.py unset MBEDTLS_CMAC_C
- scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_NIST_KW_C
- scripts/config.py unset MBEDTLS_PKCS12_C
- scripts/config.py unset MBEDTLS_PKCS5_C
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
- scripts/config.py unset MBEDTLS_SSL_TLS_C
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
- # Indirect dependencies
- scripts/config.py unset MBEDTLS_SSL_CLI_C
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
- scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
- scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID
- scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py unset MBEDTLS_SSL_SRV_C
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
+
make
- msg "test: full minus CIPHER"
+ # Ensure that CIPHER_C was not re-enabled
+ not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o
+
+ msg "test: full no CIPHER"
make test
}
-component_test_full_no_bignum () {
- msg "build: full minus bignum"
+component_test_full_no_ccm() {
+ msg "build: full no PSA_WANT_ALG_CCM"
+
+ # Full config enables:
+ # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
+ # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
scripts/config.py full
- scripts/config.py unset MBEDTLS_BIGNUM_C
- # Direct dependencies of bignum
- scripts/config.py unset MBEDTLS_ECP_C
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_DHM_C
- # Direct dependencies of ECP
- scripts/config.py unset MBEDTLS_ECDH_C
- scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_ECJPAKE_C
- scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
- # Disable what auto-enables ECP_LIGHT
- scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
- scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
- # Indirect dependencies of ECP
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
- scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
- # Direct dependencies of DHM
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
- # Direct dependencies of RSA
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
- # PK and its dependencies
- scripts/config.py unset MBEDTLS_PK_C
- scripts/config.py unset MBEDTLS_PK_PARSE_C
- scripts/config.py unset MBEDTLS_PK_WRITE_C
- scripts/config.py unset MBEDTLS_X509_USE_C
- scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
- scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C
- scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C
- scripts/config.py unset MBEDTLS_X509_CREATE_C
- scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C
- scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C
- scripts/config.py unset MBEDTLS_PKCS7_C
- scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
- scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE
- scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+
+ # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still
+ # enabled, but not used from TLS since USE_PSA is set.
+ # This is helpful to ensure that TLS tests below have proper dependencies.
+ #
+ # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
+ # PSA_WANT_ALG_CCM to be re-enabled.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
make
- msg "test: full minus bignum"
+ msg "test: full no PSA_WANT_ALG_CCM"
make test
}
-component_test_tls1_2_default_stream_cipher_only () {
- msg "build: default with only stream cipher"
+component_test_full_no_ccm_star_no_tag() {
+ msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
+ # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
+ scripts/config.py full
+
+ # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all
+ # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol.
+ # This basically disables all unauthenticated ciphers on the PSA side, while
+ # keeping AEADs enabled.
+ #
+ # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
+ # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
make
- msg "test: default with only stream cipher"
- make test
+ # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
+ not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o
- # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
+ msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
+ make test
}
-component_test_tls1_2_default_stream_cipher_only_use_psa () {
+component_test_tls1_2_default_stream_cipher_only () {
msg "build: default with only stream cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ #Disable TLS 1.3 (as no AEAD)
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ # Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
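Review bot: The guard `not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o` in component_test_full_no_cipher also succeeds when the object file does not exist. The same holds for `not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o` in component_test_full_no_ccm_star_no_tag and for the two `not grep` lines in component_full_no_pkparse_pkwrite in the previous hunk. If `not` simply inverts the exit status (its definition is outside this chunk), grep's "no such file" error is indistinguishable from "symbol absent". A wrong or empty `BUILTIN_SRC_PATH` or `PSA_CORE_PATH`, or a moved source file, would then leave the "was not re-enabled" check passing without having inspected anything. component_test_crypto_full_md_light_only avoids this because its positive `grep mbedtls_md` on the same file fails if the file is missing. The other components could assert existence first, e.g. `test -f "${BUILTIN_SRC_PATH}/cipher.o"` on the line before the `not grep`.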
@@ -1633,41 +1853,23 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
}
component_test_tls1_2_default_cbc_legacy_cipher_only () {
- msg "build: default with only CBC-legacy cipher"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy cipher"
- make test
-
- msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
msg "build: default with only CBC-legacy cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ #Disable TLS 1.3 (as no AEAD)
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
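Review bot: The retained comment `# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher ...)` no longer matches the line under it, which is now `scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING`. The `# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)` comment has the same mismatch: it now heads four `PSA_WANT_ALG_*` unsets before the legacy ones. Since these components decide which TLS 1.2 cipher families are actually exercised, the comments should name the symbol that does the work, e.g. `# Enable CBC-legacy (PSA_WANT_ALG_CBC_NO_PADDING plus at least one block cipher key type)`. The same stale pair appears in component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only in the next hunk. The component body continues past the end of this hunk.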
@@ -1686,41 +1888,23 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
}
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
- msg "build: default with only CBC-legacy and CBC-EtM ciphers"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers"
- make test
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ #Disable TLS 1.3 (as no AEAD)
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -1780,6 +1964,9 @@ component_test_everest () {
msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
make test
+ msg "test: metatests (clang, ASan)"
+ tests/scripts/run-metatests.sh any asan poison
+
msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s
tests/ssl-opt.sh -f ECDH
@@ -1790,16 +1977,23 @@ component_test_everest () {
component_test_everest_curve25519_only () {
msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
scripts/config.py unset MBEDTLS_ECDSA_C
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_ECJPAKE_C
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+
# Disable all curves
scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
- scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
- make CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: Everest ECDH context, only Curve25519" # ~ 50s
make test
@@ -1809,7 +2003,7 @@ component_test_small_ssl_out_content_len () {
msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
@@ -1820,7 +2014,7 @@ component_test_small_ssl_in_content_len () {
msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096
scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
@@ -1830,7 +2024,7 @@ component_test_small_ssl_in_content_len () {
component_test_small_ssl_dtls_max_buffering () {
msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
@@ -1840,7 +2034,7 @@ component_test_small_ssl_dtls_max_buffering () {
component_test_small_mbedtls_ssl_dtls_max_buffering () {
msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
@@ -1868,6 +2062,9 @@ component_test_full_cmake_clang () {
msg "test: cpp_dummy_build (full config, clang)" # ~ 1s
programs/test/cpp_dummy_build
+ msg "test: metatests (clang)"
+ tests/scripts/run-metatests.sh any pthread
+
msg "program demos (full config, clang)" # ~10s
tests/scripts/run_demos.py
@@ -1876,12 +2073,6 @@ component_test_full_cmake_clang () {
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
-
- msg "test: compat.sh NULL (full config)" # ~ 2 min
- tests/compat.sh -e '^$' -f 'NULL'
-
- msg "test: compat.sh ARIA + ChachaPoly"
- env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
skip_suites_without_constant_flow () {
@@ -1942,7 +2133,7 @@ component_test_memsan_constant_flow_psa () {
make test
}
-component_test_valgrind_constant_flow () {
+component_release_test_valgrind_constant_flow () {
# This tests both (1) everything that valgrind's memcheck usually checks
# (heap buffer overflows, use of uninitialized memory, use-after-free,
# etc.) and (2) branches or memory access depending on secret values,
@@ -1976,7 +2167,7 @@ component_test_valgrind_constant_flow () {
make memcheck
}
-component_test_valgrind_constant_flow_psa () {
+component_release_test_valgrind_constant_flow_psa () {
# This tests both (1) everything that valgrind's memcheck usually checks
# (heap buffer overflows, use of uninitialized memory, use-after-free,
# etc.) and (2) branches or memory access depending on secret values,
@@ -1999,12 +2190,30 @@ component_test_valgrind_constant_flow_psa () {
make memcheck
}
+component_test_tsan () {
+ msg "build: TSan (clang)"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_THREADING_C
+ scripts/config.py set MBEDTLS_THREADING_PTHREAD
+ # Self-tests do not currently use multiple threads.
+ scripts/config.py unset MBEDTLS_SELF_TEST
+
+ # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe.
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+
+ CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan .
+ make
+
+ msg "test: main suites (TSan)"
+ make test
+}
+
component_test_default_no_deprecated () {
# Test that removing the deprecated features from the default
# configuration leaves something consistent.
msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+ make CFLAGS='-O -Werror -Wall -Wextra'
msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
make test
@@ -2013,7 +2222,7 @@ component_test_default_no_deprecated () {
component_test_full_no_deprecated () {
msg "build: make, full_no_deprecated config" # ~ 30s
scripts/config.py full_no_deprecated
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+ make CFLAGS='-O -Werror -Wall -Wextra'
msg "test: make, full_no_deprecated config" # ~ 5s
make test
@@ -2030,7 +2239,7 @@ component_test_full_no_deprecated_deprecated_warning () {
scripts/config.py full_no_deprecated
scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
scripts/config.py set MBEDTLS_DEPRECATED_WARNING
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+ make CFLAGS='-O -Werror -Wall -Wextra'
msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
make test
@@ -2043,6 +2252,8 @@ component_test_full_deprecated_warning () {
scripts/config.py full
scripts/config.py set MBEDTLS_DEPRECATED_WARNING
# Expect warnings from '#warning' directives in check_config.h.
+ # Note that gcc is required to allow the use of -Wno-error=cpp, which allows us to
+ # display #warning messages without them being treated as errors.
make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs
msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
@@ -2204,6 +2415,26 @@ component_test_depends_py_pkalgs_psa () {
tests/scripts/depends.py pkalgs
}
+component_test_psa_crypto_config_ffdh_2048_only () {
+ msg "build: full config - only DH 2048"
+
+ scripts/config.py full
+
+ # Disable all DH groups other than 2048.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192
+
+ make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full config - only DH 2048"
+ make test
+
+ msg "ssl-opt: full config - only DH 2048"
+ tests/ssl-opt.sh -f "ffdh"
+}
+
component_build_no_pk_rsa_alt_support () {
msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s
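Review bot: The ASan build in component_test_psa_crypto_config_ffdh_2048_only passes `$ASAN_CFLAGS` but leaves the compiler to the environment, while the other ASan builds touched by this commit pair those flags with `CC=$ASAN_CC` (build_and_test_psa_want_key_pair_partial, component_test_tfm_config_p256m_driver_accel_ec). If `ASAN_CFLAGS` is tuned for `ASAN_CC`, this component may be built with a different compiler from the rest of the sanitizer runs. Consider `make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"`.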
@@ -2213,7 +2444,7 @@ component_build_no_pk_rsa_alt_support () {
scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
# Only compile - this is primarily to test for compile issues
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
+ make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
}
component_build_module_alt () {
@@ -2221,9 +2452,8 @@ component_build_module_alt () {
scripts/config.py full
# Disable options that are incompatible with some ALT implementations:
- # aesni.c and padlock.c reference mbedtls_aes_context fields directly.
+ # aesni.c references mbedtls_aes_context fields directly.
scripts/config.py unset MBEDTLS_AESNI_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESCE_C
# MBEDTLS_ECP_RESTARTABLE is documented as incompatible.
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
@@ -2232,9 +2462,9 @@ component_build_module_alt () {
# The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields
# directly and assumes the implementation works with partial groups.
scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
- # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+ # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
# MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
@@ -2242,29 +2472,18 @@ component_build_module_alt () {
# Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable
# MBEDTLS_XXX_YYY_ALT which are for single functions.
scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT'
- scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C
# We can only compile, not link, since we don't have any implementations
# suitable for testing with the dummy alt headers.
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
-}
-
-component_build_dhm_alt () {
- msg "build: MBEDTLS_DHM_ALT" # ~30s
- scripts/config.py full
- scripts/config.py set MBEDTLS_DHM_ALT
- # debug.c currently references mbedtls_dhm_context fields directly.
- scripts/config.py unset MBEDTLS_DEBUG_C
- # We can only compile, not link, since we don't have any implementations
- # suitable for testing with the dummy alt headers.
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
+ make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib
}
-component_test_no_use_psa_crypto_full_cmake_asan() {
- # full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
- msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"
+component_test_no_psa_crypto_full_cmake_asan() {
+ # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh
+ msg "build: cmake, full config minus PSA crypto, ASan"
scripts/config.py full
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
@@ -2272,25 +2491,24 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: main suites (full minus PSA crypto)"
make test
# Note: ssl-opt.sh has some test cases that depend on
# MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
# This is the only component where those tests are not skipped.
- msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: ssl-opt.sh (full minus PSA crypto)"
tests/ssl-opt.sh
- msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
- tests/compat.sh
-
- msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
- tests/compat.sh -f 'NULL'
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full minus PSA crypto)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
- msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
+ msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
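Review bot: The new comment says the two compat.sh invocations cover all test cases, but not how the NULL ciphersuites are still reached now that the explicit `tests/compat.sh -f 'NULL'` run is removed. Presumably overriding the exclude list with `-e 'ARIA\|CHACHA'` re-includes them; if so, say it in the comment, for example `# -e replaces the default exclude list, so the NULL suites run here too` (confirm against compat.sh). Without that, a later edit to the `-e` pattern could drop NULL-suite coverage unnoticed.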
@@ -2299,19 +2517,14 @@ component_test_psa_crypto_config_accel_ecdsa () {
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
- $(helper_get_psa_key_type_list "ECC")"
-
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
# Start from default config (no USE_PSA) + TLS 1.3
helper_libtestdriver1_adjust_config "default"
- scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
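Review bot: The context comment `# Start from default config (no USE_PSA) + TLS 1.3` is left stale by this hunk, which removes the `scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3` line it described. The sibling comment in component_test_psa_crypto_config_accel_ecdh is reworded to `# Start from default config (no USE_PSA)` in this same commit, and the same wording should be used here. The function starts before and continues after the hunk.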
@@ -2329,10 +2542,10 @@ component_test_psa_crypto_config_accel_ecdsa () {
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecdsa_ library/ecdsa.o
+ not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
# Run the tests
# -------------
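Review bot: The check `not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o` can pass vacuously when the object file is not where the variable says it is. `not` is defined outside this hunk, but if it simply negates the exit status, a grep that fails with status 2 (empty or wrong `BUILTIN_SRC_PATH`, object moved) counts as "symbol absent", and the guard against the built-in implementation being re-enabled stops guarding. Quote the expansion and assert the file first, e.g. `[ -f "${BUILTIN_SRC_PATH}/ecdsa.o" ]` followed by `not grep mbedtls_ecdsa_ "${BUILTIN_SRC_PATH}/ecdsa.o"`. The same applies to every `not grep … ${BUILTIN_SRC_PATH}/…` line in the later hunks of this file and to `not grep p256_ecdsa_ library/libmbedcrypto.a` in component_test_tfm_config. The enclosing function starts and ends outside the hunk.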
@@ -2346,17 +2559,13 @@ component_test_psa_crypto_config_accel_ecdh () {
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH \
- $(helper_get_psa_key_type_list "ECC")"
-
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
- # Start from default config (no TLS 1.3, no USE_PSA)
+ # Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the module that's accelerated
@@ -2374,10 +2583,10 @@ component_test_psa_crypto_config_accel_ecdh () {
helper_libtestdriver1_make_drivers "$loc_accel_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecdh_ library/ecdh.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
# Run the tests
# -------------
@@ -2391,7 +2600,8 @@ component_test_psa_crypto_config_accel_ffdh () {
# Algorithms and key types to accelerate
loc_accel_list="ALG_FFDH \
- $(helper_get_psa_key_type_list "DH")"
+ $(helper_get_psa_key_type_list "DH") \
+ $(helper_get_psa_dh_group_list)"
# Configure
# ---------
@@ -2414,7 +2624,7 @@ component_test_psa_crypto_config_accel_ffdh () {
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_dhm_ library/dhm.o
+ not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
# Run the tests
# -------------
@@ -2448,12 +2658,8 @@ component_test_psa_crypto_config_accel_pake() {
msg "build: full with accelerated PAKE"
loc_accel_list="ALG_JPAKE \
- $(helper_get_psa_key_type_list "ECC")"
-
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
@@ -2469,10 +2675,10 @@ component_test_psa_crypto_config_accel_pake() {
helper_libtestdriver1_make_drivers "$loc_accel_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ecjpake_init library/ecjpake.o
+ not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o
# Run the tests
# -------------
@@ -2492,12 +2698,8 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
KEY_TYPE_ECC_PUBLIC_KEY \
KEY_TYPE_ECC_KEY_PAIR_BASIC \
KEY_TYPE_ECC_KEY_PAIR_IMPORT \
- KEY_TYPE_ECC_KEY_PAIR_EXPORT"
-
- # Note: Curves are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ KEY_TYPE_ECC_KEY_PAIR_EXPORT \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
@@ -2530,13 +2732,13 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# ECP should be re-enabled but not the others
- not grep mbedtls_ecdh_ library/ecdh.o
- not grep mbedtls_ecdsa library/ecdsa.o
- not grep mbedtls_ecjpake library/ecjpake.o
- grep mbedtls_ecp library/ecp.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
+ not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
+ grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o
# Run the tests
# -------------
@@ -2559,12 +2761,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
- # Algorithms and key types to accelerate
- loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
- ALG_ECDH \
- ALG_JPAKE \
- $(helper_get_psa_key_type_list "ECC")"
-
# Note: Curves are handled in a special way by the libtestdriver machinery,
# so we only want to include them in the accel list when building the main
# libraries, hence the use of a separate variable.
@@ -2588,6 +2784,13 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
loc_curve_list=$loc_non_weierstrass_list
fi
+ # Algorithms and key types to accelerate
+ loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
+ ALG_ECDH \
+ ALG_JPAKE \
+ $(helper_get_psa_key_type_list "ECC") \
+ $loc_curve_list"
+
# Configure
# ---------
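Review bot: The comment kept above the curve selection, `# Note: Curves are handled in a special way by the libtestdriver machinery, … hence the use of a separate variable` (context of the preceding hunk), no longer matches the code. This hunk folds `$loc_curve_list` into `loc_accel_list`, and a later hunk passes only `"$loc_accel_list"` to `helper_libtestdriver1_make_main`. The commit deletes the equivalent comment in the other accel components; here it should be reworded to say what the variable is still for, e.g. `# Curves to accelerate; selected below and appended to loc_accel_list`. The function body extends beyond the hunk on both sides.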
@@ -2597,12 +2800,6 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
scripts/config.py unset MBEDTLS_PK_C
scripts/config.py unset MBEDTLS_PK_PARSE_C
scripts/config.py unset MBEDTLS_PK_WRITE_C
- # We need to disable RSA too or PK will be re-enabled.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
# Disable modules that are accelerated - some will be re-enabled
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -2629,30 +2826,30 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# We expect ECDH to be re-enabled for the missing curves
- grep mbedtls_ecdh_ library/ecdh.o
+ grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
# We expect ECP to be re-enabled, however the parts specific to the
# families of curves that are accelerated should be ommited.
# - functions with mxz in the name are specific to Montgomery curves
# - ecp_muladd is specific to Weierstrass curves
- ##nm library/ecp.o | tee ecp.syms
+ ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms
if [ $weierstrass -eq 1 ]; then
- not grep mbedtls_ecp_muladd library/ecp.o
- grep mxz library/ecp.o
+ not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
+ grep mxz ${BUILTIN_SRC_PATH}/ecp.o
else
- grep mbedtls_ecp_muladd library/ecp.o
- not grep mxz library/ecp.o
+ grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
+ not grep mxz ${BUILTIN_SRC_PATH}/ecp.o
fi
# We expect ECDSA and ECJPAKE to be re-enabled only when
# Weierstrass curves are not accelerated
if [ $weierstrass -eq 1 ]; then
- not grep mbedtls_ecdsa library/ecdsa.o
- not grep mbedtls_ecjpake library/ecjpake.o
+ not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
else
- grep mbedtls_ecdsa library/ecdsa.o
- grep mbedtls_ecjpake library/ecjpake.o
+ grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
+ grep mbedtls_ecjpake ${BUILTIN_SRC_PATH}/ecjpake.o
fi
# Run the tests
@@ -2707,12 +2904,8 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
- $(helper_get_psa_key_type_list "ECC")"
-
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
@@ -2732,13 +2925,13 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure any built-in EC alg was not re-enabled by accident (additive config)
- not grep mbedtls_ecdsa_ library/ecdsa.o
- not grep mbedtls_ecdh_ library/ecdh.o
- not grep mbedtls_ecjpake_ library/ecjpake.o
- not grep mbedtls_ecp_mul library/ecp.o
+ not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
+ not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
+ not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o
# Run the tests
# -------------
@@ -2815,12 +3008,8 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
- $(helper_get_psa_key_type_list "ECC")"
-
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Configure
# ---------
@@ -2840,14 +3029,14 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure any built-in EC alg was not re-enabled by accident (additive config)
- not grep mbedtls_ecdsa_ library/ecdsa.o
- not grep mbedtls_ecdh_ library/ecdh.o
- not grep mbedtls_ecjpake_ library/ecjpake.o
+ not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
+ not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
# Also ensure that ECP module was not re-enabled
- not grep mbedtls_ecp_ library/ecp.o
+ not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
# Run the tests
# -------------
@@ -2936,8 +3125,9 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
if [ "$test_target" = "ECC" ]; then
# When testing ECC only, we disable FFDH support, both from builtin and
# PSA sides, and also disable the key exchanges that depend on DHM.
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
scripts/config.py unset MBEDTLS_DHM_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -2986,19 +3176,16 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
- $(helper_get_psa_key_type_list "ECC")"
+ $(helper_get_psa_key_type_list "ECC") \
+ $(helper_get_psa_curve_list)"
# Optionally we can also add DH to the list of accelerated items
if [ "$test_target" = "ECC_DH" ]; then
loc_accel_list="$loc_accel_list \
ALG_FFDH \
- $(helper_get_psa_key_type_list "DH")"
+ $(helper_get_psa_key_type_list "DH") \
+ $(helper_get_psa_dh_group_list)"
fi
- # Note: Those are handled in a special way by the libtestdriver machinery,
- # so we only want to include them in the accel list when building the main
- # libraries, hence the use of a separate variable.
- loc_curve_list="$(helper_get_psa_curve_list)"
-
# Configure
# ---------
@@ -3017,17 +3204,17 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
- helper_libtestdriver1_make_main "$loc_accel_list $loc_curve_list"
+ helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure any built-in EC alg was not re-enabled by accident (additive config)
- not grep mbedtls_ecdsa_ library/ecdsa.o
- not grep mbedtls_ecdh_ library/ecdh.o
- not grep mbedtls_ecjpake_ library/ecjpake.o
+ not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
+ not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
# Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled
- not grep mbedtls_ecp_ library/ecp.o
- not grep mbedtls_rsa_ library/rsa.o
- not grep mbedtls_mpi_ library/bignum.o
- not grep mbedtls_dhm_ library/dhm.o
+ not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
+ not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
+ not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
+ not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
# Run the tests
# -------------
@@ -3095,49 +3282,21 @@ component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
# - component_test_tfm_config()
common_tfm_config () {
# Enable TF-M config
- cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H"
- cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
+ cp configs/config-tfm.h "$CONFIG_H"
+ echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
+ cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
- # Adjust for the fact that we're building outside the TF-M environment.
- #
- # TF-M has separation, our build doesn't
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_SPM
- scripts/config.py unset MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
- # TF-M provdes its own (dummy) implemenation, from their tree
- scripts/config.py unset MBEDTLS_AES_DECRYPT_ALT
- scripts/config.py unset MBEDTLS_AES_SETKEY_DEC_ALT
- # We have an OS that provides entropy, use it
- scripts/config.py unset MBEDTLS_NO_PLATFORM_ENTROPY
-
- # Other config adjustments to make the tests pass.
- # Those should probably be adopted upstream.
+ # Other config adjustment to make the tests pass.
+ # This should probably be adopted upstream.
#
# - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS
echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H"
- # pkparse.c and pkwrite.c fail to link without this
- echo "#define MBEDTLS_OID_C" >> "$CONFIG_H"
- # - ASN1_[PARSE/WRITE]_C found by check_config.h for pkparse/pkwrite
- echo "#define MBEDTLS_ASN1_PARSE_C" >> "$CONFIG_H"
- echo "#define MBEDTLS_ASN1_WRITE_C" >> "$CONFIG_H"
- # - MD_C for HKDF_C
- echo "#define MBEDTLS_MD_C" >> "$CONFIG_H"
-
- # Config adjustments for better test coverage in our environment.
- # These are not needed just to build and pass tests.
+
+ # Config adjustment for better test coverage in our environment.
+ # This is not needed just to build and pass tests.
#
# Enable filesystem I/O for the benefit of PK parse/write tests.
echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H"
- # Disable this for maximal ASan efficiency
- scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-
- # Config adjustments for features that are not supported
- # when using only drivers / by p256-m
- #
- # Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
- # Disable deterministic ECDSA as p256-m only does randomized
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
-
}
# Keep this in sync with component_test_tfm_config() as they are both meant
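Review bot: The appended `#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE` has no comment explaining why it is needed, unlike the other two `echo … >> "$CONFIG_H"` lines in common_tfm_config. Presumably config-tfm.h defines that macro to name the TF-M profile, and the undef makes the build read the copy in `$CRYPTO_CONFIG_H`, which config.py edits. A comment such as `# Use the crypto config copied to $CRYPTO_CONFIG_H, not the file named by config-tfm.h (confirm)` would record that. The hunk also drops the `unset MBEDTLS_NO_PLATFORM_ENTROPY` adjustment, so it is worth confirming that config-tfm.h leaves platform entropy enabled for this host build.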
@@ -3147,18 +3306,24 @@ component_test_tfm_config_p256m_driver_accel_ec () {
common_tfm_config
- # Build crypto library specifying we want to use P256M code for EC operations
- make CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_P256M_DRIVER_ENABLED -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
+ # Build crypto library
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
# Make sure any built-in EC alg was not re-enabled by accident (additive config)
- not grep mbedtls_ecdsa_ library/ecdsa.o
- not grep mbedtls_ecdh_ library/ecdh.o
- not grep mbedtls_ecjpake_ library/ecjpake.o
+ not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
+ not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
+ not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
# Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled
- not grep mbedtls_ecp_ library/ecp.o
- not grep mbedtls_rsa_ library/rsa.o
- not grep mbedtls_dhm_ library/dhm.o
- not grep mbedtls_mpi_ library/bignum.o
+ not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
+ not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
+ not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
+ not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
+ # Check that p256m was built
+ grep -q p256_ecdsa_ library/libmbedcrypto.a
+
+ # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
+ # files, so we want to ensure that it has not be re-enabled accidentally.
+ not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
# Run the tests
msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
@@ -3171,9 +3336,20 @@ component_test_tfm_config_p256m_driver_accel_ec () {
component_test_tfm_config() {
common_tfm_config
+ # Disable P256M driver, which is on by default, so that analyze_outcomes
+ # can compare this test with test_tfm_config_p256m_driver_accel_ec
+ echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H"
+
msg "build: TF-M config"
make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests
+ # Check that p256m was not built
+ not grep p256_ecdsa_ library/libmbedcrypto.a
+
+ # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
+ # files, so we want to ensure that it has not be re-enabled accidentally.
+ not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
+
msg "test: TF-M config"
make test
}
@@ -3234,7 +3410,7 @@ build_and_test_psa_want_key_pair_partial() {
# crypto_config.h so we just disable the one we don't want.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
- make CC=gcc CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
make test
@@ -3248,77 +3424,75 @@ component_test_psa_ecc_key_pair_no_generate() {
build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
}
-component_test_psa_crypto_config_accel_rsa_signature () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
-
- loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY"
+config_psa_crypto_accel_rsa () {
+ driver_only=$1
- # Configure
- # ---------
+ # Start from crypto_full config (no X.509, no TLS)
+ helper_libtestdriver1_adjust_config "crypto_full"
- # Start from default config (no TLS 1.3, no USE_PSA)
- helper_libtestdriver1_adjust_config "default"
+ if [ "$driver_only" -eq 1 ]; then
+ # Remove RSA support and its dependencies
+ scripts/config.py unset MBEDTLS_RSA_C
+ scripts/config.py unset MBEDTLS_PKCS1_V15
+ scripts/config.py unset MBEDTLS_PKCS1_V21
+
+ # We need PEM parsing in the test library as well to support the import
+ # of PEM encoded RSA keys.
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
+ fi
+}
- # It seems it is not possible to remove only the support for RSA signature
- # in the library. Thus we have to remove all RSA support (signature and
- # encryption/decryption). AS there is no driver support for asymmetric
- # encryption/decryption so far remove RSA encryption/decryption from the
- # application algorithm list.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+component_test_psa_crypto_config_accel_rsa_crypto () {
+ msg "build: crypto_full with accelerated RSA"
- # Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
- scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \
+ ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \
+ KEY_TYPE_RSA_PUBLIC_KEY \
+ KEY_TYPE_RSA_KEY_PAIR_BASIC \
+ KEY_TYPE_RSA_KEY_PAIR_GENERATE \
+ KEY_TYPE_RSA_KEY_PAIR_IMPORT \
+ KEY_TYPE_RSA_KEY_PAIR_EXPORT"
- # Make sure both the library and the test library support the SHA hash
- # algorithms and only those ones (SHA256 is included by default). That way:
- # - the test library can compute the RSA signatures even in the case of a
- # composite RSA signature algorithm based on a SHA hash (no other hash
- # used in the unit tests).
- # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is
- # fulfilled as the hash SHA algorithm is supported by the library, and
- # thus the tests are run, not skipped.
- # - when testing a signature key with an algorithm wildcard built from
- # PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash
- # algorithm based on the hashes supported by the library is also
- # supported by the test library.
- # Disable unwanted hashes here, we'll enable hashes we want in loc_extra_list.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160_C
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
+ # Configure
+ # ---------
- # We need PEM parsing in the test library as well to support the import
- # of PEM encoded RSA keys.
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
+ config_psa_crypto_accel_rsa 1
# Build
# -----
- # These hashes are needed for some RSA-PSS signature tests.
+ # These hashes are needed for unit tests.
loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
- ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
+ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
- not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
+ not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o
# Run the tests
# -------------
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
+ msg "test: crypto_full with accelerated RSA"
+ make test
+}
+
+component_test_psa_crypto_config_reference_rsa_crypto () {
+ msg "build: crypto_full with non-accelerated RSA"
+
+ # Configure
+ # ---------
+ config_psa_crypto_accel_rsa 0
+
+ # Build
+ # -----
+ make
+
+ # Run the tests
+ # -------------
+ msg "test: crypto_full with non-accelerated RSA"
make test
}
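Review bot: config_psa_crypto_accel_rsa reads its argument as `driver_only=$1` and then tests `[ "$driver_only" -eq 1 ]`, so a call with the argument missing does not fail. The `[` error sits in an `if` condition and is treated as false, so the helper silently produces the reference configuration with built-in RSA still enabled, and an "accelerated" component would then be testing the wrong code path. Match the sibling helper config_psa_crypto_hash_use_psa, which quotes the argument, and reject a missing one: `driver_only="${1:?driver_only (0 or 1) required}"`.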
@@ -3384,7 +3558,7 @@ component_test_psa_crypto_config_accel_hash () {
# Configure
# ---------
- # Start from default config (no TLS 1.3, no USE_PSA)
+ # Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the things that are being accelerated
@@ -3406,11 +3580,11 @@ component_test_psa_crypto_config_accel_hash () {
# There's a risk of something getting re-enabled via config_psa.h;
# make sure it did not happen. Note: it's OK for MD_C to be enabled.
- not grep mbedtls_md5 library/md5.o
- not grep mbedtls_sha1 library/sha1.o
- not grep mbedtls_sha256 library/sha256.o
- not grep mbedtls_sha512 library/sha512.o
- not grep mbedtls_ripemd160 library/ripemd160.o
+ not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
+ not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
+ not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
+ not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
+ not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
# Run the tests
# -------------
@@ -3419,26 +3593,6 @@ component_test_psa_crypto_config_accel_hash () {
make test
}
-component_test_psa_crypto_config_accel_hash_keep_builtins () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash"
- # This component ensures that all the test cases for
- # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run.
-
- loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
- ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
- ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
-
- # Start from default config (no TLS 1.3, no USE_PSA)
- helper_libtestdriver1_adjust_config "default"
-
- helper_libtestdriver1_make_drivers "$loc_accel_list"
-
- helper_libtestdriver1_make_main "$loc_accel_list"
-
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash"
- make test
-}
-
# Auxiliary function to build config for hashes with and without drivers
config_psa_crypto_hash_use_psa () {
driver_only="$1"
@@ -3451,7 +3605,7 @@ config_psa_crypto_hash_use_psa () {
scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
@@ -3483,11 +3637,11 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
# There's a risk of something getting re-enabled via config_psa.h;
# make sure it did not happen. Note: it's OK for MD_C to be enabled.
- not grep mbedtls_md5 library/md5.o
- not grep mbedtls_sha1 library/sha1.o
- not grep mbedtls_sha256 library/sha256.o
- not grep mbedtls_sha512 library/sha512.o
- not grep mbedtls_ripemd160 library/ripemd160.o
+ not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
+ not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
+ not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
+ not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
+ not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
# Run the tests
# -------------
@@ -3525,10 +3679,88 @@ component_test_psa_crypto_config_reference_hash_use_psa() {
tests/ssl-opt.sh
}
-component_test_psa_crypto_config_accel_cipher () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher"
+# Auxiliary function to build config for hashes with and without drivers
+config_psa_crypto_hmac_use_psa () {
+ driver_only="$1"
+ # start with config full for maximum coverage (also enables USE_PSA)
+ helper_libtestdriver1_adjust_config "full"
+
+ if [ "$driver_only" -eq 1 ]; then
+ # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
+ # is still enabled though (for ENTROPY_C among others).
+ scripts/config.py unset MBEDTLS_MD_C
+ # Disable also the builtin hashes since they are supported by the driver
+ # and MD module is able to perform PSA dispathing.
+ scripts/config.py unset-all MBEDTLS_SHA
+ scripts/config.py unset MBEDTLS_MD5_C
+ scripts/config.py unset MBEDTLS_RIPEMD160_C
+ fi
+
+ # Direct dependencies of MD_C. We disable them also in the reference
+ # component to work with the same set of features.
+ scripts/config.py unset MBEDTLS_PKCS7_C
+ scripts/config.py unset MBEDTLS_PKCS5_C
+ scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+ scripts/config.py unset MBEDTLS_HKDF_C
+ # Dependencies of HMAC_DRBG
+ scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+}
+
+component_test_psa_crypto_config_accel_hmac() {
+ msg "test: full with accelerated hmac"
+
+ loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \
+ ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \
+ ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
+ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
+
+ # Configure
+ # ---------
+
+ config_psa_crypto_hmac_use_psa 1
+
+ # Build
+ # -----
+
+ helper_libtestdriver1_make_drivers "$loc_accel_list"
+
+ helper_libtestdriver1_make_main "$loc_accel_list"
+
+ # Ensure that built-in support for HMAC is disabled.
+ not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
+
+ # Run the tests
+ # -------------
+
+ msg "test: full with accelerated hmac"
+ make test
+}
+
+component_test_psa_crypto_config_reference_hmac() {
+ msg "test: full without accelerated hmac"
+
+ config_psa_crypto_hmac_use_psa 0
+
+ make
+
+ msg "test: full without accelerated hmac"
+ make test
+}
+
+component_test_psa_crypto_config_accel_des () {
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
+
+ # Albeit this components aims at accelerating DES which should only support
+ # CBC and ECB modes, we need to accelerate more than that otherwise DES_C
+ # would automatically be re-enabled by "config_adjust_legacy_from_psa.c"
+ loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \
+ ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \
+ KEY_TYPE_DES"
- loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS KEY_TYPE_DES"
+ # Note: we cannot accelerate all ciphers' key types otherwise we would also
+ # have to either disable CCM/GCM or accelerate them, but that's out of scope
+ # of this component. This limitation will be addressed by #8598.
# Configure
# ---------
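Review bot: The header comment on `config_psa_crypto_hmac_use_psa` is a verbatim copy of the one on the hash helper and still says "hashes". It should describe this function, e.g. `# Auxiliary function to build config for HMAC with and without drivers ($1: 1 = driver-only, 0 = reference)`. In the same function "dispathing" should read "dispatching". The comment in `component_test_psa_crypto_config_accel_des` names `config_adjust_legacy_from_psa.c`, while a later hunk refers to `config_adjust_legacy_from_psa.h`, so one of the two is presumably wrong. The body of `component_test_psa_crypto_config_accel_des` continues past the end of this hunk.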
@@ -3536,14 +3768,6 @@ component_test_psa_crypto_config_accel_cipher () {
# Start from the full config
helper_libtestdriver1_adjust_config "full"
- # There is no intended accelerator support for ALG CMAC. Therefore, asking
- # for it in the build implies the inclusion of the Mbed TLS cipher
- # operations. As we want to test here with cipher operations solely
- # supported by accelerators, disabled this PSA configuration option.
- # (Note: the same applies to STREAM_CIPHER and ECB_NO_PADDING, which are
- # already disabled by helper_libtestdriver1_adjust_config above.)
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
-
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
@@ -3552,6 +3776,7 @@ component_test_psa_crypto_config_accel_cipher () {
scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_DES_C
+ scripts/config.py unset MBEDTLS_CMAC_C
# Build
# -----
@@ -3561,12 +3786,12 @@ component_test_psa_crypto_config_accel_cipher () {
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_des* library/des.o
+ not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
# Run the tests
# -------------
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher"
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES"
make test
}
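Review bot: The pattern `mbedtls_des*` on the new `not grep` line is unquoted, so the shell may expand it as a glob before grep sees it. As a regular expression, `s*` means "zero or more s", so it also matches `mbedtls_de…`. The component added further down uses plain `mbedtls_des`, and the same form fits here: `not grep mbedtls_des "${BUILTIN_SRC_PATH}/des.o"`. The start of this function is outside the hunk.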
@@ -3587,6 +3812,9 @@ component_test_psa_crypto_config_accel_aead () {
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+
# Build
# -----
@@ -3595,9 +3823,9 @@ component_test_psa_crypto_config_accel_aead () {
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_ccm library/ccm.o
- not grep mbedtls_gcm library/gcm.o
- not grep mbedtls_chachapoly library/chachapoly.o
+ not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
+ not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
+ not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
# Run the tests
# -------------
@@ -3606,310 +3834,238 @@ component_test_psa_crypto_config_accel_aead () {
make test
}
-component_test_aead_chachapoly_disabled() {
- msg "build: full minus CHACHAPOLY"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
- make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+# This is a common configuration function used in:
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
+common_psa_crypto_config_accel_cipher_aead_cmac() {
+ # Start from the full config
+ helper_libtestdriver1_adjust_config "full"
- msg "test: full minus CHACHAPOLY"
- make test
+ scripts/config.py unset MBEDTLS_NIST_KW_C
}
-component_test_aead_only_ccm() {
- msg "build: full minus CHACHAPOLY and GCM"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+# The 2 following test components, i.e.
+# - component_test_psa_crypto_config_accel_cipher_aead_cmac
+# - component_test_psa_crypto_config_reference_cipher_aead_cmac
+# are meant to be used together in analyze_outcomes.py script in order to test
+# driver's coverage for ciphers and AEADs.
+component_test_psa_crypto_config_accel_cipher_aead_cmac () {
+ msg "build: full config with accelerated cipher inc. AEAD and CMAC"
+
+ loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
+ ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
+ ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
+ KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
+
+ # Configure
+ # ---------
+
+ common_psa_crypto_config_accel_cipher_aead_cmac
+
+ # Disable the things that are being accelerated
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
- make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_CCM_C
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ scripts/config.py unset MBEDTLS_CMAC_C
+ scripts/config.py unset MBEDTLS_DES_C
+ scripts/config.py unset MBEDTLS_AES_C
+ scripts/config.py unset MBEDTLS_ARIA_C
+ scripts/config.py unset MBEDTLS_CHACHA20_C
+ scripts/config.py unset MBEDTLS_CAMELLIA_C
- msg "test: full minus CHACHAPOLY and GCM"
- make test
-}
+ # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
+ # does not depend on it.
+ scripts/config.py unset MBEDTLS_CIPHER_C
-component_test_ccm_aes_sha256() {
- msg "build: CCM + AES + SHA256 configuration"
+ # Build
+ # -----
- cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
- cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
+ helper_libtestdriver1_make_drivers "$loc_accel_list"
- make CC=gcc
+ helper_libtestdriver1_make_main "$loc_accel_list"
- msg "test: CCM + AES + SHA256 configuration"
+ # Make sure this was not re-enabled by accident (additive config)
+ not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
+ not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
+ not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
+ not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
+ not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
+ not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
+ not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
+ not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
+ not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o
+
+ # Run the tests
+ # -------------
+
+ msg "test: full config with accelerated cipher inc. AEAD and CMAC"
make test
-}
-# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test.
-component_build_psa_accel_alg_ecdh() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py unset MBEDTLS_ECDH_C
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+ msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC"
+ tests/ssl-opt.sh
-# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
-component_build_psa_accel_alg_hmac() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+ msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC"
+ tests/compat.sh -V NO -p mbedTLS
}
-# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
-component_build_psa_accel_alg_hkdf() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py unset MBEDTLS_HKDF_C
- # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it.
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+component_test_psa_crypto_config_reference_cipher_aead_cmac () {
+ msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
+ common_psa_crypto_config_accel_cipher_aead_cmac
-# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test.
-component_build_psa_accel_alg_md5() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+ make
-# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test.
-component_build_psa_accel_alg_ripemd160() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+ msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
+ make test
-# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test.
-component_build_psa_accel_alg_sha1() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+ msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC"
+ tests/ssl-opt.sh
-# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test.
-component_build_psa_accel_alg_sha224() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test.
-component_build_psa_accel_alg_sha256() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test.
-component_build_psa_accel_alg_sha384() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+ msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC"
+ tests/compat.sh -V NO -p mbedTLS
}
-# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test.
-component_build_psa_accel_alg_sha512() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
- scripts/config.py unset MBEDTLS_LMS_C
- scripts/config.py unset MBEDTLS_LMS_PRIVATE
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
+common_block_cipher_dispatch() {
+ TEST_WITH_DRIVER="$1"
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_alg_rsa_pkcs1v15_crypt() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+ # Start from the full config
+ helper_libtestdriver1_adjust_config "full"
+
+ if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
+ # Disable key types that are accelerated (there is no legacy equivalent
+ # symbol for ECB)
+ scripts/config.py unset MBEDTLS_AES_C
+ scripts/config.py unset MBEDTLS_ARIA_C
+ scripts/config.py unset MBEDTLS_CAMELLIA_C
+ fi
+
+ # Disable cipher's modes that, when not accelerated, cause
+ # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
+ # Keep this also in the reference component in order to skip the same tests
+ # that were skipped in the accelerated one.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+
+ # Disable direct dependency on AES_C
+ scripts/config.py unset MBEDTLS_NIST_KW_C
+
+ # Prevent the cipher module from using deprecated PSA path. The reason is
+ # that otherwise there will be tests relying on "aes_info" (defined in
+ # "cipher_wrap.c") whose functions are not available when AES_C is
+ # not defined. ARIA and Camellia are not a problem in this case because
+ # the PSA path is not tested for these key types.
+ scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
}
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_alg_rsa_pkcs1v15_sign() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+component_test_full_block_cipher_psa_dispatch () {
+ msg "build: full + PSA dispatch in block_cipher"
+
+ loc_accel_list="ALG_ECB_NO_PADDING \
+ KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
+
+ # Configure
+ # ---------
+
+ common_block_cipher_dispatch 1
+
+ # Build
+ # -----
+
+ helper_libtestdriver1_make_drivers "$loc_accel_list"
+
+ helper_libtestdriver1_make_main "$loc_accel_list"
+
+ # Make sure disabled components were not re-enabled by accident (additive
+ # config)
+ not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o
+ not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o
+ not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o
+
+ # Run the tests
+ # -------------
+
+ msg "test: full + PSA dispatch in block_cipher"
+ make test
}
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_alg_rsa_oaep() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+# This is the reference component of component_test_full_block_cipher_psa_dispatch
+component_test_full_block_cipher_legacy_dispatch () {
+ msg "build: full + legacy dispatch in block_cipher"
+
+ common_block_cipher_dispatch 0
+
+ make
+
+ msg "test: full + legacy dispatch in block_cipher"
+ make test
}
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_alg_rsa_pss() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
+component_test_aead_chachapoly_disabled() {
+ msg "build: full minus CHACHAPOLY"
scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full minus CHACHAPOLY"
+ make test
}
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_key_type_rsa_key_pair() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
-component_build_psa_accel_key_type_rsa_public_key() {
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS"
+component_test_aead_only_ccm() {
+ msg "build: full minus CHACHAPOLY and GCM"
scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1
- scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
+ make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full minus CHACHAPOLY and GCM"
+ make test
}
+component_test_ccm_aes_sha256() {
+ msg "build: CCM + AES + SHA256 configuration"
+
+ cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H"
+ cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H"
+
+ make
+
+ msg "test: CCM + AES + SHA256 configuration"
+ make test
+}
support_build_tfm_armcc () {
- armc6_cc="$ARMC6_BIN_DIR/armclang"
- (check_tools "$armc6_cc" > /dev/null 2>&1)
+ support_build_armcc
}
component_build_tfm_armcc() {
# test the TF-M configuration can build cleanly with various warning flags enabled
- cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H"
- cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
+ cp configs/config-tfm.h "$CONFIG_H"
msg "build: TF-M config, armclang armv7-m thumb2"
- make clean
armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
}
component_build_tfm() {
- # test the TF-M configuration can build cleanly with various warning flags enabled
- cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H"
- cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
+ # Check that the TF-M configuration can build cleanly with various
+ # warning flags enabled. We don't build or run tests, since the
+ # TF-M configuration needs a TF-M platform. A tweaked version of
+ # the configuration that works on mainstream platforms is in
+ # configs/config-tfm.h, tested via test-ref-configs.pl.
+ cp configs/config-tfm.h "$CONFIG_H"
msg "build: TF-M config, clang, armv7-m thumb2"
make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe"
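Review bot: `CC=$ASAN_CC` in `component_test_aead_chachapoly_disabled` and `component_test_aead_only_ccm` is unquoted while `CFLAGS` and `LDFLAGS` on the same line are quoted. A value containing a space would be split into a separate make argument. Write `make CC="$ASAN_CC" CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"`. These lines also drop the explicit `-O2`, so the optimisation level of the sanitizer build now depends on what `ASAN_CFLAGS` contains, which this hunk does not show. Separately, `common_block_cipher_dispatch` assigns `TEST_WITH_DRIVER` without `local`, so the value stays set for whatever runs afterwards in the same shell.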
@@ -3939,9 +4095,8 @@ build_test_config_combos() {
./scripts/config.py unset ${opt}
done
- # enter the directory containing the target file & strip the dir from the filename
- cd $(dirname ${file})
- file=$(basename ${file})
+ # enter the library directory
+ cd library
# The most common issue is unused variables/functions, so ensure -Wunused is set.
warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused"
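Review bot: The contract for the first argument of `build_test_config_combos` is now implicit. This hunk hard-codes `cd library`, and the following hunk prefixes `source_file` with `../`, so the object path has to be given relative to the repository root. I would say so next to the `cd`, for example `# $1 is an object path relative to the repository root; we build from library/, hence the ../ prefix on source_file below`. `${file%.o}` is also expanded unquoted in the next hunk, which is harmless for the visible callers but would split on a path containing spaces. The function starts and ends outside this hunk.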
@@ -3956,7 +4111,7 @@ build_test_config_combos() {
deps=""
len=${#options[@]}
- source_file=${file%.o}.c
+ source_file=../${file%.o}.c
targets=0
echo 'include Makefile' >${makefile}
@@ -3996,9 +4151,6 @@ build_test_config_combos() {
validate_aes_config_variations() {
if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then
- if [[ "$1" == *"MBEDTLS_PADLOCK_C"* ]]; then
- return 1
- fi
if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \
("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then
return 1
@@ -4013,12 +4165,30 @@ component_build_aes_variations() {
# aes.o has many #if defined(...) guards that intersect in complex ways.
# Test that all the combinations build cleanly.
+ MBEDTLS_ROOT_DIR="$PWD"
msg "build: aes.o for all combinations of relevant config options"
- build_test_config_combos library/aes.o validate_aes_config_variations \
+ build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
+ "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
+ "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
+ "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
+ "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
+
+ cd "$MBEDTLS_ROOT_DIR"
+ msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT"
+
+ # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
+ # manually set or unset those configurations to check
+ # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
+ scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
+ scripts/config.py unset MBEDTLS_DES_C
+ scripts/config.py unset MBEDTLS_NIST_KW_C
+ build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
"MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
"MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
- "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
+ "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
"MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"
}
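Review bot: In `component_build_aes_variations`, `MBEDTLS_ROOT_DIR="$PWD"` is assigned without `local`, so it becomes a script-wide variable and would overwrite any variable of that name used elsewhere in the script (none is visible in this hunk). The component also relies on an undocumented side effect: `build_test_config_combos` leaves the shell in `library/`, which is why `cd "$MBEDTLS_ROOT_DIR"` is needed between the two calls. I would write `local root_dir="$PWD"` and add a comment such as `# build_test_config_combos changes into library/; return to the root before touching the config again`. The second call leaves the working directory in `library/` too; whether the caller restores it is not visible here.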
@@ -4027,23 +4197,14 @@ component_test_no_platform () {
# This should catch missing mbedtls_printf definitions, and by disabling file
# IO, it should catch missing '#include <stdio.h>'
msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
- scripts/config.py full
+ scripts/config.py full_no_platform
scripts/config.py unset MBEDTLS_PLATFORM_C
scripts/config.py unset MBEDTLS_NET_C
- scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
- scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_VSNPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_SETBUF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
- scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_FS_IO
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
+ scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
@@ -4091,7 +4252,7 @@ component_test_memory_buffer_allocator_backtrace () {
scripts/config.py set MBEDTLS_PLATFORM_MEMORY
scripts/config.py set MBEDTLS_MEMORY_BACKTRACE
scripts/config.py set MBEDTLS_MEMORY_DEBUG
- CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
+ cmake -DCMAKE_BUILD_TYPE:String=Release .
make
msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE"
@@ -4102,7 +4263,7 @@ component_test_memory_buffer_allocator () {
msg "build: default config with memory buffer allocator"
scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_PLATFORM_MEMORY
- CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
+ cmake -DCMAKE_BUILD_TYPE:String=Release .
make
msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C"
@@ -4117,7 +4278,7 @@ component_test_no_max_fragment_length () {
# Run max fragment length tests with MFL disabled
msg "build: default config except MFL extension (ASan build)" # ~ 30s
scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: ssl-opt.sh, MFL-related tests"
@@ -4127,7 +4288,8 @@ component_test_no_max_fragment_length () {
component_test_asan_remove_peer_certificate () {
msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
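Review bot: The added `scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3` in `component_test_asan_remove_peer_certificate` has no comment, and neither `msg` line mentions it, so the log still reads as a default configuration with a single option removed. Silently dropping a protocol version from a test component narrows coverage in a way a later reader cannot see. Presumably TLS 1.3 cannot be built without `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`; if so, say it: `# TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so it has to be disabled too`. The build `msg` could also become `"build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE and TLS 1.3 disabled (ASan build)"`. The component body continues outside this hunk.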
@@ -4148,7 +4310,7 @@ component_test_no_max_fragment_length_small_ssl_out_content_len () {
scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MFL tests (disabled MFL extension case) & large packet tests"
@@ -4161,7 +4323,7 @@ component_test_no_max_fragment_length_small_ssl_out_content_len () {
component_test_variable_ssl_in_out_buffer_len () {
msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
@@ -4178,7 +4340,7 @@ component_test_dtls_cid_legacy () {
msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
@@ -4198,7 +4360,7 @@ component_test_ssl_alloc_buffer_and_mfl () {
scripts/config.py set MBEDTLS_MEMORY_DEBUG
scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
- CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release .
+ cmake -DCMAKE_BUILD_TYPE:String=Release .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
@@ -4210,22 +4372,29 @@ component_test_ssl_alloc_buffer_and_mfl () {
component_test_when_no_ciphersuites_have_mac () {
msg "build: when no ciphersuites have MAC"
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CMAC_C
+
make
- msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
+ msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
make test
- msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
+ msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
}
component_test_no_date_time () {
msg "build: default config without MBEDTLS_HAVE_TIME_DATE"
scripts/config.py unset MBEDTLS_HAVE_TIME_DATE
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
+ cmake -D CMAKE_BUILD_TYPE:String=Check .
make
msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites"
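Review bot: The four `PSA_WANT_*` unsets added at the top of `component_test_when_no_ciphersuites_have_mac` are not explained. They appear to be the PSA-side counterparts of the legacy `MBEDTLS_CIPHER_MODE_CBC` and `MBEDTLS_CMAC_C` unsets that follow, and the two groups must stay in sync for the build to be consistent. `PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128` in particular looks unrelated to ciphersuite MACs unless the reader knows it depends on CMAC. I would add above the first group `# PSA counterparts of the legacy options unset below; PBKDF2_AES_CMAC_PRF_128 goes because it depends on CMAC`.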
@@ -4237,7 +4406,7 @@ component_test_platform_calloc_macro () {
scripts/config.py set MBEDTLS_PLATFORM_MEMORY
scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
@@ -4247,7 +4416,7 @@ component_test_platform_calloc_macro () {
component_test_malloc_0_null () {
msg "build: malloc(0) returns NULL (ASan+UBSan build)"
scripts/config.py full
- make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: malloc(0) returns NULL (ASan+UBSan build)"
make test
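Review bot: `make CC=$ASAN_CC ...` passes the variable unquoted as a command argument, so a value containing a space (a compiler wrapper plus compiler, for instance) would be split into two arguments and `make` would take the second as a target. The `CC=$ASAN_CC cmake ...` lines in the neighbouring hunks are assignment prefixes and are not word-split, so only the `make` form is affected. I would write `make CC="$ASAN_CC" CFLAGS=...` here and likewise in the `component_test_psa_crypto_drivers` hunk further down, which has the same `make CC=$ASAN_CC` argument. Where `ASAN_CC` is defined is not visible in this part of the diff.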
@@ -4331,10 +4500,28 @@ component_test_aesni () { # ~ 60s
not grep -q "AES note: built-in implementation." ./programs/test/selftest
}
+component_test_sha3_variations() {
+ msg "sha3 loop unroll variations"
+
+ # define minimal config sufficient to test SHA3
+ cat > include/mbedtls/mbedtls_config.h << END
+ #define MBEDTLS_SELF_TEST
+ #define MBEDTLS_SHA3_C
+END
+
+ msg "all loops unrolled"
+ make clean
+ make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1"
+ ./tests/test_suite_shax
+ msg "all loops rolled up"
+ make clean
+ make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0"
+ ./tests/test_suite_shax
+}
support_test_aesni_m32() {
- support_test_m32_o0 && (lscpu | grep -qw aes)
+ support_test_m32_no_asm && (lscpu | grep -qw aes)
}
component_test_aesni_m32 () { # ~ 60s
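Review bot: `component_test_sha3_variations` overwrites the configuration through the literal path `include/mbedtls/mbedtls_config.h`, while the other components in this diff write to `"$CONFIG_H"` (for example `cp configs/config-tfm.h "$CONFIG_H"`). If the two ever differ, or if the script's backup and restore logic keys on `$CONFIG_H`, this component would edit a file the framework does not track. I would use `cat > "$CONFIG_H" << END`, assuming `$CONFIG_H` names the same header. The component also prints no `msg "build: ..."` line before the first `make`, unlike its neighbours, which makes its log section harder to find.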
@@ -4344,23 +4531,20 @@ component_test_aesni_m32 () { # ~ 60s
msg "build: default config with different AES implementations"
scripts/config.py set MBEDTLS_AESNI_C
- scripts/config.py set MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
scripts/config.py set MBEDTLS_HAVE_ASM
- # test the intrinsics implementation
- msg "AES tests, test intrinsics"
+ # test the intrinsics implementation with gcc
+ msg "AES tests, test intrinsics (gcc)"
make clean
- make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32'
+ make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
# check that we built intrinsics - this should be used by default when supported by the compiler
./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
grep -q "AES note: using AESNI" ./programs/test/selftest
grep -q "AES note: built-in implementation." ./programs/test/selftest
- grep -q "AES note: using VIA Padlock" ./programs/test/selftest
grep -q mbedtls_aesni_has_support ./programs/test/selftest
scripts/config.py set MBEDTLS_AESNI_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
msg "AES tests, test AESNI only"
make clean
@@ -4369,10 +4553,31 @@ component_test_aesni_m32 () { # ~ 60s
./programs/test/selftest aes | not grep -q "AES note: built-in implementation."
grep -q "AES note: using AESNI" ./programs/test/selftest
not grep -q "AES note: built-in implementation." ./programs/test/selftest
- not grep -q "AES note: using VIA Padlock" ./programs/test/selftest
not grep -q mbedtls_aesni_has_support ./programs/test/selftest
}
+support_test_aesni_m32_clang() {
+ # clang >= 4 is required to build with target attributes
+ support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]]
+}
+
+component_test_aesni_m32_clang() {
+
+ scripts/config.py set MBEDTLS_AESNI_C
+ scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
+ scripts/config.py set MBEDTLS_HAVE_ASM
+
+ # test the intrinsics implementation with clang
+ msg "AES tests, test intrinsics (clang)"
+ make clean
+ make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32'
+ # check that we built intrinsics - this should be used by default when supported by the compiler
+ ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics"
+ grep -q "AES note: using AESNI" ./programs/test/selftest
+ grep -q "AES note: built-in implementation." ./programs/test/selftest
+ grep -q mbedtls_aesni_has_support ./programs/test/selftest
+}
+
# For timebeing, no aarch64 gcc available in CI and no arm64 CI node.
component_build_aes_aesce_armcc () {
msg "Build: AESCE test on arm64 platform without plain C."
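Review bot: `component_test_aesni_m32_clang` copies only the first half of `component_test_aesni_m32`. It checks the intrinsics build with the built-in fallback present but never sets `MBEDTLS_AES_USE_HARDWARE_ONLY`, so as far as these hunks show the AESNI-only configuration is exercised with gcc alone. If that is intended, a comment in the new component would record it: `# The AESNI-only build (MBEDTLS_AES_USE_HARDWARE_ONLY) is covered with gcc in component_test_aesni_m32`. Otherwise the second block should be repeated with `CC=clang`. The duplicated block could also be one helper taking the compiler as an argument, so the gcc and clang checks cannot drift apart.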
@@ -4387,7 +4592,7 @@ component_build_aes_aesce_armcc () {
# unavailable, and the user is notified via a #warning. So enabling
# this feature would prevent us from building with -Werror on
# armclang. Tracked in #7198.
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
scripts/config.py set MBEDTLS_HAVE_ASM
msg "AESCE, build with default configuration."
@@ -4401,22 +4606,131 @@ component_build_aes_aesce_armcc () {
armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto"
}
-# For timebeing, no VIA Padlock platform available.
-component_build_aes_via_padlock () {
+support_build_aes_armce() {
+ # clang >= 11 is required to build with AES extensions
+ [[ $(clang_version) -ge 11 ]]
+}
+
+component_build_aes_armce () {
+ # Test variations of AES with Armv8 crypto extensions
+ scripts/config.py set MBEDTLS_AESCE_C
+ scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
+
+ msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+
+ msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+
+ msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
- msg "AES:VIA PadLock, build with default configuration."
- scripts/config.py unset MBEDTLS_AESNI_C
- scripts/config.py set MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
- make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS"
- grep -q mbedtls_padlock_has_support ./programs/test/selftest
+ msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+
+ msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+
+ msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+
+ # test for presence of AES instructions
+ scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
+ msg "clang, test A32 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ msg "clang, test T32 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ msg "clang, test aarch64 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+ grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+
+ # test for absence of AES instructions
+ scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
+ scripts/config.py unset MBEDTLS_AESCE_C
+ msg "clang, test A32 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+ not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ msg "clang, test T32 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+ not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ msg "clang, test aarch64 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+ not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+}
+
+support_build_sha_armce() {
+ # clang >= 4 is required to build with SHA extensions
+ [[ $(clang_version) -ge 4 ]]
}
-support_build_aes_via_padlock_only () {
- ( [ "$MBEDTLS_TEST_PLATFORM" == "Linux-x86_64" ] || \
- [ "$MBEDTLS_TEST_PLATFORM" == "Linux-amd64" ] ) && \
- [ "`dpkg --print-foreign-architectures`" == "i386" ]
+component_build_sha_armce () {
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+
+
+ # Test variations of SHA256 Armv8 crypto extensions
+ scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+
+
+ # test the deprecated form of the config option
+ scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+ msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
+
+ scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+
+
+ # test the deprecated form of the config option
+ scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
+ msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+
+
+ # examine the disassembly for presence of SHA instructions
+ for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do
+ scripts/config.py set ${opt}
+ msg "${opt} clang, test A32 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+ grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+
+ msg "${opt} clang, test T32 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+ grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+
+ msg "${opt} clang, test aarch64 crypto instructions built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+ grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+ scripts/config.py unset ${opt}
+ done
+
+
+ # examine the disassembly for absence of SHA instructions
+ msg "clang, test A32 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+ not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+
+ msg "clang, test T32 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+ not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+
+ msg "clang, test aarch64 crypto instructions not built"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+ not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
}
support_build_aes_aesce_armcc () {
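Review bot: The instruction checks in `component_build_aes_armce` and `component_build_sha_armce` depend on an undocumented trick. They grep `aesce.o` and `sha256.o` as text, which works only because `-S` in `CFLAGS` makes the compiler write assembly into the `.o` target. The comments call this "the disassembly", and nothing warns that dropping `-S` would leave the greps reading a binary. I would add `# -S makes the compiler emit assembly text into the .o target, which is what the greps below inspect`. In the A32/T32 patterns the `.` in `aes[0-9a-z]+.[0-9]` and `sha256[a-z0-9]+.32` is unescaped and matches any character; `\.` would make the presence checks as strict as intended. Adding `-q` would keep matched lines out of the log.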
@@ -4426,9 +4740,8 @@ support_build_aes_aesce_armcc () {
component_test_aes_only_128_bit_keys () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
- scripts/config.py unset MBEDTLS_PADLOCK_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH"
make test
@@ -4438,7 +4751,6 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
scripts/config.py unset MBEDTLS_CTR_DRBG_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
make CC=clang CFLAGS='-Werror -Wall -Wextra'
@@ -4449,11 +4761,10 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () {
component_test_aes_only_128_bit_keys_have_builtins () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESNI_C
scripts/config.py unset MBEDTLS_AESCE_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
make test
@@ -4462,10 +4773,22 @@ component_test_aes_only_128_bit_keys_have_builtins () {
programs/test/selftest
}
+component_test_gcm_largetable () {
+ msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C"
+ scripts/config.py set MBEDTLS_GCM_LARGE_TABLE
+ scripts/config.py unset MBEDTLS_AESNI_C
+ scripts/config.py unset MBEDTLS_AESCE_C
+
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
+
+ msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C"
+ make test
+}
+
component_test_aes_fewer_tables () {
msg "build: default config with AES_FEWER_TABLES enabled"
scripts/config.py set MBEDTLS_AES_FEWER_TABLES
- make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: AES_FEWER_TABLES"
make test
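Review bot: In `component_test_gcm_largetable` the two `msg` lines disagree. The build message says `+ GCM_LARGE_TABLE`, but the test message says `- GCM_LARGE_TABLE`, although the option is set with `scripts/config.py set MBEDTLS_GCM_LARGE_TABLE`. The test log then reads as if the large table were disabled. The second line should be `msg "test: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C"`.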
@@ -4474,7 +4797,7 @@ component_test_aes_fewer_tables () {
component_test_aes_rom_tables () {
msg "build: default config with AES_ROM_TABLES enabled"
scripts/config.py set MBEDTLS_AES_ROM_TABLES
- make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: AES_ROM_TABLES"
make test
@@ -4484,18 +4807,174 @@ component_test_aes_fewer_tables_and_rom_tables () {
msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
scripts/config.py set MBEDTLS_AES_FEWER_TABLES
scripts/config.py set MBEDTLS_AES_ROM_TABLES
- make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+ make CFLAGS='-O2 -Werror -Wall -Wextra'
msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
make test
}
+# helper for common_block_cipher_no_decrypt() which:
+# - enable/disable the list of config options passed from -s/-u respectively.
+# - build
+# - test for tests_suite_xxx
+# - selftest
+#
+# Usage: helper_block_cipher_no_decrypt_build_test
+# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]]
+# Options: -s set_opts the list of config options to enable
+# -u unset_opts the list of config options to disable
+# -c cflags the list of options passed to CFLAGS
+# -l ldflags the list of options passed to LDFLAGS
+helper_block_cipher_no_decrypt_build_test () {
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ -s)
+ shift; local set_opts="$1";;
+ -u)
+ shift; local unset_opts="$1";;
+ -c)
+ shift; local cflags="-Werror -Wall -Wextra $1";;
+ -l)
+ shift; local ldflags="$1";;
+ esac
+ shift
+ done
+ set_opts="${set_opts:-}"
+ unset_opts="${unset_opts:-}"
+ cflags="${cflags:-}"
+ ldflags="${ldflags:-}"
+
+ [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts
+ [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts
+
+ msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
+ make clean
+ make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags"
+
+ # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
+ not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
+ not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
+ not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
+ # Make sure we don't have mbedtls_internal_aes_decrypt in AES
+ not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
+ # Make sure we don't have mbedtls_aesni_inverse_key in AESNI
+ not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o
+
+ msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
+ make test
+
+ msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
+ programs/test/selftest
+}
+
+# This is a common configuration function used in:
+# - component_test_block_cipher_no_decrypt_aesni_legacy()
+# - component_test_block_cipher_no_decrypt_aesni_use_psa()
+# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics,
+# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics
+# on x86.
+common_block_cipher_no_decrypt () {
+ # test AESNI intrinsics
+ helper_block_cipher_no_decrypt_build_test \
+ -s "MBEDTLS_AESNI_C" \
+ -c "-mpclmul -msse2 -maes"
+
+ # test AESNI assembly
+ helper_block_cipher_no_decrypt_build_test \
+ -s "MBEDTLS_AESNI_C" \
+ -c "-mno-pclmul -mno-sse2 -mno-aes"
+
+ # test AES C implementation
+ helper_block_cipher_no_decrypt_build_test \
+ -u "MBEDTLS_AESNI_C"
+
+ # test AESNI intrinsics for i386 target
+ helper_block_cipher_no_decrypt_build_test \
+ -s "MBEDTLS_AESNI_C" \
+ -c "-m32 -mpclmul -msse2 -maes" \
+ -l "-m32"
+}
+
+# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
+# usage: 0: no PSA crypto configuration
+# 1: use PSA crypto configuration
+config_block_cipher_no_decrypt () {
+ use_psa=$1
+
+ scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
+ scripts/config.py unset MBEDTLS_DES_C
+ scripts/config.py unset MBEDTLS_NIST_KW_C
+
+ if [ "$use_psa" -eq 1 ]; then
+ # Enable support for cryptographic mechanisms through the PSA API.
+ # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
+ fi
+}
+
+component_test_block_cipher_no_decrypt_aesni () {
+ # This consistently causes an llvm crash on clang 3.8, so use gcc
+ export CC=gcc
+ config_block_cipher_no_decrypt 0
+ common_block_cipher_no_decrypt
+}
+
+component_test_block_cipher_no_decrypt_aesni_use_psa () {
+ # This consistently causes an llvm crash on clang 3.8, so use gcc
+ export CC=gcc
+ config_block_cipher_no_decrypt 1
+ common_block_cipher_no_decrypt
+}
+
+support_test_block_cipher_no_decrypt_aesce_armcc () {
+ support_build_armcc
+}
+
+component_test_block_cipher_no_decrypt_aesce_armcc () {
+ scripts/config.py baremetal
+
+ # armc[56] don't support SHA-512 intrinsics
+ scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+
+ # Stop armclang warning about feature detection for A64_CRYPTO.
+ # With this enabled, the library does build correctly under armclang,
+ # but in baremetal builds (as tested here), feature detection is
+ # unavailable, and the user is notified via a #warning. So enabling
+ # this feature would prevent us from building with -Werror on
+ # armclang. Tracked in #7198.
+ scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ scripts/config.py set MBEDTLS_HAVE_ASM
+
+ config_block_cipher_no_decrypt 1
+
+ # test AESCE baremetal build
+ scripts/config.py set MBEDTLS_AESCE_C
+ msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE"
+ armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra"
+
+ # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
+ not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
+ not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
+ not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
+ # Make sure we don't have mbedtls_internal_aes_decrypt in AES
+ not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
+ # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE
+ not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o
+ not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
+}
+
component_test_ctr_drbg_aes_256_sha_256 () {
msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
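Review bot: The new `component_test_block_cipher_no_decrypt_aesce_armcc` unsets `MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT`, the name this same diff replaces with `MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT` in `component_build_aes_aesce_armcc` and calls "the deprecated form" in `component_build_sha_armce`. If `scripts/config.py unset` matches option names literally, which cannot be confirmed from this page, the new spelling stays enabled in the baremetal configuration. The `#warning` described in the comment above that line would then break the `-Werror` armclang build. I would change the line to `scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT`, matching the other component. The comment block and the `not grep` symbol checks are copied from neighbouring components and could be shared through a helper.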
@@ -4507,7 +4986,7 @@ component_test_ctr_drbg_aes_128_sha_512 () {
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
@@ -4520,7 +4999,7 @@ component_test_ctr_drbg_aes_128_sha_256 () {
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
@@ -4544,7 +5023,7 @@ component_test_psa_crypto_drivers () {
loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
loc_cflags="${loc_cflags} -I../tests/include -O2"
- make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
+ make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + test drivers dispatching to builtins"
make test
@@ -4652,9 +5131,11 @@ component_build_psa_config_file () {
make clean
msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
- # In the user config, disable one feature, which will reflect on the
- # mbedtls configuration so we can query it with query_compile_time_config.
+ # In the user config, disable one feature and its dependencies, which will
+ # reflect on the mbedtls configuration so we can query it with
+ # query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
+ echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
scripts/config.py unset MBEDTLS_CMAC_C
make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config MBEDTLS_CMAC_C
@@ -4683,18 +5164,22 @@ component_build_psa_alt_headers () {
programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H
}
-component_test_m32_o0 () {
- # Build without optimization, so as to use portable C code (in a 32-bit
+component_test_m32_no_asm () {
+ # Build without assembly, so as to use portable C code (in a 32-bit
# build) and not the i386-specific inline assembly.
- msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
+ #
+ # Note that we require gcc, because clang Asan builds fail to link for
+ # this target (cannot find libclang_rt.lsan-i386.a - this is a known clang issue).
+ msg "build: i386, make, gcc, no asm (ASan build)" # ~ 30s
scripts/config.py full
- scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers
- make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_HAVE_ASM
+ scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
- msg "test: i386, make, gcc -O0 (ASan build)"
+ msg "test: i386, make, gcc, no asm (ASan build)"
make test
}
-support_test_m32_o0 () {
+support_test_m32_no_asm () {
case $(uname -m) in
amd64|x86_64) true;;
*) false;;
@@ -4706,8 +5191,8 @@ component_test_m32_o2 () {
# and go faster for tests.
msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
scripts/config.py full
- scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers
- make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
msg "test: i386, make, gcc -O2 (ASan build)"
make test
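Review bot: The build and test messages in component_test_m32_o2 still say `gcc -O2`, but the new `make` line no longer passes `-O2`, so the optimisation level now depends entirely on what `$ASAN_CFLAGS` contains, which is defined outside this hunk. If `$ASAN_CFLAGS` does carry `-O2`, a short comment such as `# -O2 is supplied by $ASAN_CFLAGS` above the `make` line would keep the component name and the command in agreement. If it does not, this component silently stops covering the optimised 32-bit build. The function body starts before and continues past this hunk.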
@@ -4716,14 +5201,14 @@ component_test_m32_o2 () {
tests/ssl-opt.sh
}
support_test_m32_o2 () {
- support_test_m32_o0 "$@"
+ support_test_m32_no_asm "$@"
}
component_test_m32_everest () {
msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min
scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
- scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers
- make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS"
+ scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s
make test
@@ -4736,13 +5221,13 @@ component_test_m32_everest () {
tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA'
}
support_test_m32_everest () {
- support_test_m32_o0 "$@"
+ support_test_m32_no_asm "$@"
}
component_test_mx32 () {
msg "build: 64-bit ILP32, make, gcc" # ~ 30s
scripts/config.py full
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
+ make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
msg "test: 64-bit ILP32, make, gcc"
make test
@@ -4757,7 +5242,7 @@ support_test_mx32 () {
component_test_min_mpi_window_size () {
msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
@@ -4768,9 +5253,8 @@ component_test_have_int32 () {
msg "build: gcc, force 32-bit bignum limbs"
scripts/config.py unset MBEDTLS_HAVE_ASM
scripts/config.py unset MBEDTLS_AESNI_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESCE_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
+ make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
msg "test: gcc, force 32-bit bignum limbs"
make test
@@ -4780,9 +5264,8 @@ component_test_have_int64 () {
msg "build: gcc, force 64-bit bignum limbs"
scripts/config.py unset MBEDTLS_HAVE_ASM
scripts/config.py unset MBEDTLS_AESNI_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESCE_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+ make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
msg "test: gcc, force 64-bit bignum limbs"
make test
@@ -4792,7 +5275,6 @@ component_test_have_int32_cmake_new_bignum () {
msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)"
scripts/config.py unset MBEDTLS_HAVE_ASM
scripts/config.py unset MBEDTLS_AESNI_C
- scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESCE_C
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT
@@ -4857,6 +5339,8 @@ component_build_arm_none_eabi_gcc () {
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
}
component_build_arm_linux_gnueabi_gcc_arm5vte () {
@@ -4871,6 +5355,8 @@ component_build_arm_linux_gnueabi_gcc_arm5vte () {
msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o
+ ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
+ ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
}
support_build_arm_linux_gnueabi_gcc_arm5vte () {
type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
@@ -4886,6 +5372,8 @@ component_build_arm_none_eabi_gcc_arm5vte () {
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
}
component_build_arm_none_eabi_gcc_m0plus () {
@@ -4895,6 +5383,8 @@ component_build_arm_none_eabi_gcc_m0plus () {
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
for lib in library/*.a; do
echo "$lib:"
${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS
@@ -4908,6 +5398,8 @@ component_build_arm_none_eabi_gcc_no_udbl_division () {
make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
echo "Checking that software 64-bit division is not required"
not grep __aeabi_uldiv library/*.o
+ not grep __aeabi_uldiv ${PSA_CORE_PATH}/*.o
+ not grep __aeabi_uldiv ${BUILTIN_SRC_PATH}/*.o
}
component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
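Review bot: The added `not grep __aeabi_uldiv ${PSA_CORE_PATH}/*.o` and `not grep __aeabi_uldiv ${BUILTIN_SRC_PATH}/*.o` checks pass vacuously when the glob matches nothing. With an unset or wrong path variable grep exits with an error status, and `not` (defined outside this hunk, presumably a plain negation) would report that as success. Because these checks exist to prove a symbol is absent, it is worth asserting that the object files exist first, for example `ls ${PSA_CORE_PATH}/*.o ${BUILTIN_SRC_PATH}/*.o >/dev/null` before the greps. The same applies to the `__aeabi_lmul` checks added in the following hunk.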
@@ -4917,6 +5409,8 @@ component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
echo "Checking that software 64-bit multiplication is not required"
not grep __aeabi_lmul library/*.o
+ not grep __aeabi_lmul ${PSA_CORE_PATH}/*.o
+ not grep __aeabi_lmul ${BUILTIN_SRC_PATH}/*.o
}
component_build_arm_clang_thumb () {
@@ -4944,13 +5438,16 @@ component_build_armcc () {
# armc[56] don't support SHA-512 intrinsics
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+ # older versions of armcc/armclang don't support AESCE_C on 32-bit Arm
+ scripts/config.py unset MBEDTLS_AESCE_C
+
# Stop armclang warning about feature detection for A64_CRYPTO.
# With this enabled, the library does build correctly under armclang,
# but in baremetal builds (as tested here), feature detection is
# unavailable, and the user is notified via a #warning. So enabling
# this feature would prevent us from building with -Werror on
# armclang. Tracked in #7198.
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
scripts/config.py set MBEDTLS_HAVE_ASM
@@ -4958,8 +5455,8 @@ component_build_armcc () {
msg "size: ARM Compiler 5"
"$ARMC5_FROMELF" -z library/*.o
-
- make clean
+ "$ARMC5_FROMELF" -z ${PSA_CORE_PATH}/*.o
+ "$ARMC5_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
# Compile mostly with -O1 since some Arm inline assembly is disabled for -O0.
@@ -4978,14 +5475,18 @@ component_build_armcc () {
# ARM Compiler 6 - Target ARMv8-M
armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main"
- # ARM Compiler 6 - Target ARMv8.2-A - AArch64
- armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
-
# ARM Compiler 6 - Target Cortex-M0 - no optimisation
armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0"
# ARM Compiler 6 - Target Cortex-M0
armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0"
+
+ # ARM Compiler 6 - Target ARMv8.2-A - AArch64
+ #
+ # Re-enable MBEDTLS_AESCE_C as this should be supported by the version of armclang
+ # that we have in our CI
+ scripts/config.py set MBEDTLS_AESCE_C
+ armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
}
support_build_armcc () {
@@ -4994,9 +5495,26 @@ support_build_armcc () {
(check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
}
+component_test_tls12_only () {
+ msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan"
+ scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
+
+ msg "test: main suites (inc. selftests) (ASan build)"
+ make test
+
+ msg "test: ssl-opt.sh (ASan build)"
+ tests/ssl-opt.sh
+
+ msg "test: compat.sh (ASan build)"
+ tests/compat.sh
+}
+
component_test_tls13_only () {
- msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
+ msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2"
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
+ scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test: TLS 1.3 only, all key exchange modes enabled"
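Review bot: The new component_test_tls12_only hard-codes `CC=gcc` for its ASan cmake build, while other hunks of this same commit replace exactly that invocation with `CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .`. Unless gcc is required here, using `$ASAN_CC` keeps the sanitizer components on one compiler setting. If gcc is required, a one-line comment saying why (as component_test_m32_no_asm does) would help. component_test_full_minus_session_tickets in the next hunk has the same inconsistency.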
@@ -5131,61 +5649,59 @@ component_test_tls13_only_ephemeral_all () {
tests/ssl-opt.sh
}
-component_test_tls13 () {
- msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
- scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+component_test_tls13_no_padding () {
+ msg "build: default config plus early data minus padding"
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
+ msg "test: default config plus early data minus padding"
make test
- msg "ssl-opt.sh (TLS 1.3)"
+ msg "ssl-opt.sh (TLS 1.3 no padding)"
tests/ssl-opt.sh
}
component_test_tls13_no_compatibility_mode () {
- msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
- scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
+ msg "build: default config plus early data minus middlebox compatibility mode"
scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
- scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
+ msg "test: default config plus early data minus middlebox compatibility mode"
make test
msg "ssl-opt.sh (TLS 1.3 no compatibility mode)"
tests/ssl-opt.sh
}
-component_test_tls13_only_record_size_limit () {
- msg "build: TLS 1.3 only from default, record size limit extension enabled"
- scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
- make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
-
- msg "test_suite_ssl: TLS 1.3 only, record size limit extension enabled"
- cd tests; ./test_suite_ssl; cd ..
-
- msg "ssl-opt.sh: (TLS 1.3 only, record size limit extension tests only)"
- # Both the server and the client will currently abort the handshake when they encounter the
- # record size limit extension. There is no way to prevent gnutls-cli from sending the extension
- # which makes all G_NEXT_CLI + P_SRV tests fail. Thus, run only the tests for the this extension.
- tests/ssl-opt.sh -f "Record Size Limit"
+component_test_full_minus_session_tickets() {
+ msg "build: full config without session tickets"
+ scripts/config.py full
+ scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS
+ scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
+ msg "test: full config without session tickets"
+ make test
+ msg "ssl-opt.sh (full config without session tickets)"
+ tests/ssl-opt.sh
}
component_build_mingw () {
msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
- scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
# note Make tests only builds the tests, but doesn't run them
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests
make WINDOWS_BUILD=1 clean
msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests
+ make WINDOWS_BUILD=1 clean
+
+ msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s
+ ./scripts/config.py unset MBEDTLS_AESNI_C #
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib
make WINDOWS_BUILD=1 clean
}
support_build_mingw() {
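Review bot: The added `make` lines in component_build_mingw carry over the misspelled linker name `LD=i686-w64-minggw32-ld` (double g), so `LD` never names the real cross linker. The builds presumably pass only because linking goes through `CC`. Either correct it to `LD=i686-w64-mingw32-ld` on all five added lines or drop the `LD=` argument. The new `./scripts/config.py unset MBEDTLS_AESNI_C #` line also ends in an empty comment that can be removed.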
@@ -5204,6 +5720,9 @@ component_test_memsan () {
msg "test: main suites (MSan)" # ~ 10s
make test
+ msg "test: metatests (MSan)"
+ tests/scripts/run-metatests.sh any msan
+
msg "program demos (MSan)" # ~20s
tests/scripts/run_demos.py
@@ -5218,7 +5737,7 @@ component_test_memsan () {
fi
}
-component_test_valgrind () {
+component_release_test_valgrind () {
msg "build: Release (clang)"
# default config, in particular without MBEDTLS_USE_PSA_CRYPTO
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
@@ -5246,7 +5765,7 @@ component_test_valgrind () {
fi
}
-component_test_valgrind_psa () {
+component_release_test_valgrind_psa () {
msg "build: Release, full (clang)"
# full config, in particular with MBEDTLS_USE_PSA_CRYPTO
scripts/config.py full
@@ -5425,6 +5944,15 @@ support_build_cmake_custom_config_file () {
support_test_cmake_out_of_source
}
+component_build_cmake_programs_no_testing () {
+ # Verify that the type of builds performed by oss-fuzz don't get accidentally broken
+ msg "build: cmake with -DENABLE_PROGRAMS=ON and -DENABLE_TESTING=OFF"
+ cmake -DENABLE_PROGRAMS=ON -DENABLE_TESTING=OFF .
+ make
+}
+support_build_cmake_programs_no_testing () {
+ support_test_cmake_out_of_source
+}
component_build_zeroize_checks () {
msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()"
@@ -5432,7 +5960,7 @@ component_build_zeroize_checks () {
scripts/config.py full
# Only compile - we're looking for sizeof-pointer-memaccess warnings
- make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
+ make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
}
@@ -5465,11 +5993,12 @@ component_test_zeroize () {
}
component_test_psa_compliance () {
+ # The arch tests build with gcc, so require use of gcc here to link properly
msg "build: make, default config (out-of-box), libmbedcrypto.a only"
- make -C library libmbedcrypto.a
+ CC=gcc make -C library libmbedcrypto.a
msg "unit test: test_psa_compliance.py"
- ./tests/scripts/test_psa_compliance.py
+ CC=gcc ./tests/scripts/test_psa_compliance.py
}
support_test_psa_compliance () {
@@ -5506,12 +6035,68 @@ component_check_test_helpers () {
# unittest writes out mundane stuff like number or tests run on stderr.
# Our convention is to reserve stderr for actual errors, and write
# harmless info on stdout so it can be suppress with --quiet.
- ./tests/scripts/test_generate_test_code.py 2>&1
+ ./framework/scripts/test_generate_test_code.py 2>&1
msg "unit test: translate_ciphers.py"
python3 -m unittest tests/scripts/translate_ciphers.py 2>&1
}
+component_test_psasim() {
+ msg "build server library and application"
+ scripts/config.py crypto
+ helper_psasim_config server
+ helper_psasim_build server
+
+ helper_psasim_cleanup_before_client
+
+ msg "build library for client"
+ helper_psasim_config client
+ helper_psasim_build client
+
+ msg "build basic psasim client"
+ make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_base
+ msg "test basic psasim client"
+ tests/psa-client-server/psasim/test/run_test.sh psa_client_base
+
+ msg "build full psasim client"
+ make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test/psa_client_full
+ msg "test full psasim client"
+ tests/psa-client-server/psasim/test/run_test.sh psa_client_full
+
+ make -C tests/psa-client-server/psasim clean
+}
+
+component_test_suite_with_psasim()
+{
+ msg "build server library and application"
+ helper_psasim_config server
+ # Modify server's library configuration here (if needed)
+ helper_psasim_build server
+
+ helper_psasim_cleanup_before_client
+
+ msg "build client library"
+ helper_psasim_config client
+ # PAKE functions are still unsupported from PSASIM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ helper_psasim_build client
+
+ msg "build test suites"
+ make PSASIM=1 CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" tests
+
+ helper_psasim_server start
+
+ # psasim takes an extremely long execution time on some test suites so we
+ # exclude them from the list.
+ SKIP_TEST_SUITES="constant_time_hmac,lmots,lms"
+ export SKIP_TEST_SUITES
+
+ msg "run test suites"
+ make PSASIM=1 test
+
+ helper_psasim_server kill
+}
################################################################
#### Termination
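Review bot: In component_test_suite_with_psasim the server started by `helper_psasim_server start` is stopped only on the success path. If `make PSASIM=1 test` fails and the component aborts (the error handling is outside this hunk), `helper_psasim_server kill` is never reached, and the server process may be left running while later components execute. Capturing the status and stopping the server unconditionally avoids that, e.g. `make PSASIM=1 test || rc=$?`, then `helper_psasim_server kill`, then `return ${rc:-0}`, adapted to however all.sh reports component failures.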
@@ -5603,10 +6188,10 @@ run_component () {
# Preliminary setup
pre_check_environment
-pre_parse_command_line_for_dirs "$@"
pre_initialize_variables
pre_parse_command_line "$@"
+setup_quiet_wrappers
pre_check_git
pre_restore_files
pre_back_up
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 1f20734..f8147d1 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -12,9 +12,36 @@ import traceback
import re
import subprocess
import os
+import typing
import check_test_cases
+
+# `ComponentOutcomes` is a named tuple which is defined as:
+# ComponentOutcomes(
+# successes = {
+# "<suite_case>",
+# ...
+# },
+# failures = {
+# "<suite_case>",
+# ...
+# }
+# )
+# suite_case = "<suite>;<case>"
+ComponentOutcomes = typing.NamedTuple('ComponentOutcomes',
+ [('successes', typing.Set[str]),
+ ('failures', typing.Set[str])])
+
+# `Outcomes` is a representation of the outcomes file,
+# which defined as:
+# Outcomes = {
+# "<component>": ComponentOutcomes,
+# ...
+# }
+Outcomes = typing.Dict[str, ComponentOutcomes]
+
+
class Results:
"""Process analysis results."""
@@ -22,164 +49,170 @@ class Results:
self.error_count = 0
self.warning_count = 0
- @staticmethod
- def log(fmt, *args, **kwargs):
- sys.stderr.write((fmt + '\n').format(*args, **kwargs))
+ def new_section(self, fmt, *args, **kwargs):
+ self._print_line('\n*** ' + fmt + ' ***\n', *args, **kwargs)
+
+ def info(self, fmt, *args, **kwargs):
+ self._print_line('Info: ' + fmt, *args, **kwargs)
def error(self, fmt, *args, **kwargs):
- self.log('Error: ' + fmt, *args, **kwargs)
self.error_count += 1
+ self._print_line('Error: ' + fmt, *args, **kwargs)
def warning(self, fmt, *args, **kwargs):
- self.log('Warning: ' + fmt, *args, **kwargs)
self.warning_count += 1
+ self._print_line('Warning: ' + fmt, *args, **kwargs)
-class TestCaseOutcomes:
- """The outcomes of one test case across many configurations."""
- # pylint: disable=too-few-public-methods
-
- def __init__(self):
- # Collect a list of witnesses of the test case succeeding or failing.
- # Currently we don't do anything with witnesses except count them.
- # The format of a witness is determined by the read_outcome_file
- # function; it's the platform and configuration joined by ';'.
- self.successes = []
- self.failures = []
-
- def hits(self):
- """Return the number of times a test case has been run.
-
- This includes passes and failures, but not skips.
- """
- return len(self.successes) + len(self.failures)
+ @staticmethod
+ def _print_line(fmt, *args, **kwargs):
+ sys.stderr.write((fmt + '\n').format(*args, **kwargs))
-def execute_reference_driver_tests(ref_component, driver_component, outcome_file):
+def execute_reference_driver_tests(results: Results, ref_component: str, driver_component: str, \
+ outcome_file: str) -> None:
"""Run the tests specified in ref_component and driver_component. Results
are stored in the output_file and they will be used for the following
coverage analysis"""
- # If the outcome file already exists, we assume that the user wants to
- # perform the comparison analysis again without repeating the tests.
- if os.path.exists(outcome_file):
- Results.log("Outcome file (" + outcome_file + ") already exists. " + \
- "Tests will be skipped.")
- return
+ results.new_section("Test {} and {}", ref_component, driver_component)
shell_command = "tests/scripts/all.sh --outcome-file " + outcome_file + \
" " + ref_component + " " + driver_component
- Results.log("Running: " + shell_command)
+ results.info("Running: {}", shell_command)
ret_val = subprocess.run(shell_command.split(), check=False).returncode
if ret_val != 0:
- Results.log("Error: failed to run reference/driver components")
- sys.exit(ret_val)
+ results.error("failed to run reference/driver components")
-def analyze_coverage(results, outcomes, allow_list, full_coverage):
+def analyze_coverage(results: Results, outcomes: Outcomes,
+ allow_list: typing.List[str], full_coverage: bool) -> None:
"""Check that all available test cases are executed at least once."""
+ # Make sure that the generated data files are present (and up-to-date).
+ # This allows analyze_outcomes.py to run correctly on a fresh Git
+ # checkout.
+ cp = subprocess.run(['make', 'generated_files'],
+ cwd='tests',
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
+ check=False)
+ if cp.returncode != 0:
+ sys.stderr.write(cp.stdout.decode('utf-8'))
+ results.error("Failed \"make generated_files\" in tests. "
+ "Coverage analysis may be incorrect.")
available = check_test_cases.collect_available_test_cases()
- for key in available:
- hits = outcomes[key].hits() if key in outcomes else 0
- if hits == 0 and key not in allow_list:
+ for suite_case in available:
+ hit = any(suite_case in comp_outcomes.successes or
+ suite_case in comp_outcomes.failures
+ for comp_outcomes in outcomes.values())
+
+ if not hit and suite_case not in allow_list:
if full_coverage:
- results.error('Test case not executed: {}', key)
+ results.error('Test case not executed: {}', suite_case)
else:
- results.warning('Test case not executed: {}', key)
- elif hits != 0 and key in allow_list:
+ results.warning('Test case not executed: {}', suite_case)
+ elif hit and suite_case in allow_list:
# Test Case should be removed from the allow list.
if full_coverage:
- results.error('Allow listed test case was executed: {}', key)
+ results.error('Allow listed test case was executed: {}', suite_case)
else:
- results.warning('Allow listed test case was executed: {}', key)
+ results.warning('Allow listed test case was executed: {}', suite_case)
-def analyze_driver_vs_reference(outcomes, component_ref, component_driver,
- ignored_suites, ignored_test=None):
- """Check that all tests executed in the reference component are also
- executed in the corresponding driver component.
+def name_matches_pattern(name: str, str_or_re) -> bool:
+ """Check if name matches a pattern, that may be a string or regex.
+ - If the pattern is a string, name must be equal to match.
+ - If the pattern is a regex, name must fully match.
+ """
+ # The CI's python is too old for re.Pattern
+ #if isinstance(str_or_re, re.Pattern):
+ if not isinstance(str_or_re, str):
+ return str_or_re.fullmatch(name) is not None
+ else:
+ return str_or_re == name
+
+def analyze_driver_vs_reference(results: Results, outcomes: Outcomes,
+ component_ref: str, component_driver: str,
+ ignored_suites: typing.List[str], ignored_tests=None) -> None:
+ """Check that all tests passing in the reference component are also
+ passing in the corresponding driver component.
Skip:
- full test suites provided in ignored_suites list
- only some specific test inside a test suite, for which the corresponding
output string is provided
"""
- available = check_test_cases.collect_available_test_cases()
- result = True
+ ref_outcomes = outcomes.get("component_" + component_ref)
+ driver_outcomes = outcomes.get("component_" + component_driver)
- for key in available:
- # Continue if test was not executed by any component
- hits = outcomes[key].hits() if key in outcomes else 0
- if hits == 0:
- continue
- # Skip ignored test suites
- full_test_suite = key.split(';')[0] # retrieve full test suite name
- test_string = key.split(';')[1] # retrieve the text string of this test
+ if ref_outcomes is None or driver_outcomes is None:
+ results.error("required components are missing: bad outcome file?")
+ return
+
+ if not ref_outcomes.successes:
+ results.error("no passing test in reference component: bad outcome file?")
+ return
+
+ for suite_case in ref_outcomes.successes:
+ # suite_case is like "test_suite_foo.bar;Description of test case"
+ (full_test_suite, test_string) = suite_case.split(';')
test_suite = full_test_suite.split('.')[0] # retrieve main part of test suite name
+
+ # Immediately skip fully-ignored test suites
if test_suite in ignored_suites or full_test_suite in ignored_suites:
continue
- if ((full_test_suite in ignored_test) and
- (test_string in ignored_test[full_test_suite])):
- continue
- # Search for tests that run in reference component and not in driver component
- driver_test_passed = False
- reference_test_passed = False
- for entry in outcomes[key].successes:
- if component_driver in entry:
- driver_test_passed = True
- if component_ref in entry:
- reference_test_passed = True
- if(reference_test_passed and not driver_test_passed):
- Results.log(key)
- result = False
- return result
-
-def analyze_outcomes(outcomes, args):
+
+ # For ignored test cases inside test suites, just remember and:
+ # don't issue an error if they're skipped with drivers,
+ # but issue an error if they're not (means we have a bad entry).
+ ignored = False
+ for str_or_re in (ignored_tests.get(full_test_suite, []) +
+ ignored_tests.get(test_suite, [])):
+ if name_matches_pattern(test_string, str_or_re):
+ ignored = True
+
+ if not ignored and not suite_case in driver_outcomes.successes:
+ results.error("PASS -> SKIP/FAIL: {}", suite_case)
+ if ignored and suite_case in driver_outcomes.successes:
+ results.error("uselessly ignored: {}", suite_case)
+
+def analyze_outcomes(results: Results, outcomes: Outcomes, args) -> None:
"""Run all analyses on the given outcome collection."""
- results = Results()
analyze_coverage(results, outcomes, args['allow_list'],
args['full_coverage'])
- return results
-def read_outcome_file(outcome_file):
+def read_outcome_file(outcome_file: str) -> Outcomes:
"""Parse an outcome file and return an outcome collection.
-
-An outcome collection is a dictionary mapping keys to TestCaseOutcomes objects.
-The keys are the test suite name and the test case description, separated
-by a semicolon.
-"""
+ """
outcomes = {}
with open(outcome_file, 'r', encoding='utf-8') as input_file:
for line in input_file:
- (platform, config, suite, case, result, _cause) = line.split(';')
- key = ';'.join([suite, case])
- setup = ';'.join([platform, config])
- if key not in outcomes:
- outcomes[key] = TestCaseOutcomes()
+ (_platform, component, suite, case, result, _cause) = line.split(';')
+ # Note that `component` is not unique. If a test case passes on Linux
+ # and fails on FreeBSD, it'll end up in both the successes set and
+ # the failures set.
+ suite_case = ';'.join([suite, case])
+ if component not in outcomes:
+ outcomes[component] = ComponentOutcomes(set(), set())
if result == 'PASS':
- outcomes[key].successes.append(setup)
+ outcomes[component].successes.add(suite_case)
elif result == 'FAIL':
- outcomes[key].failures.append(setup)
+ outcomes[component].failures.add(suite_case)
+
return outcomes
-def do_analyze_coverage(outcome_file, args):
+def do_analyze_coverage(results: Results, outcomes: Outcomes, args) -> None:
"""Perform coverage analysis."""
- outcomes = read_outcome_file(outcome_file)
- Results.log("\n*** Analyze coverage ***\n")
- results = analyze_outcomes(outcomes, args)
- return results.error_count == 0
+ results.new_section("Analyze coverage")
+ analyze_outcomes(results, outcomes, args)
-def do_analyze_driver_vs_reference(outcome_file, args):
+def do_analyze_driver_vs_reference(results: Results, outcomes: Outcomes, args) -> None:
"""Perform driver vs reference analyze."""
- execute_reference_driver_tests(args['component_ref'], \
- args['component_driver'], outcome_file)
+ results.new_section("Analyze driver {} vs reference {}",
+ args['component_driver'], args['component_ref'])
ignored_suites = ['test_suite_' + x for x in args['ignored_suites']]
- outcomes = read_outcome_file(outcome_file)
- Results.log("\n*** Analyze driver {} vs reference {} ***\n".format(
- args['component_driver'], args['component_ref']))
- return analyze_driver_vs_reference(outcomes, args['component_ref'],
- args['component_driver'], ignored_suites,
- args['ignored_tests'])
+ analyze_driver_vs_reference(results, outcomes,
+ args['component_ref'], args['component_driver'],
+ ignored_suites, args['ignored_tests'])
# List of tasks with a function that can handle this task and additional arguments if required
-TASKS = {
+KNOWN_TASKS = {
'analyze_coverage': {
'test_function': do_analyze_coverage,
'args': {
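Review bot: analyze_driver_vs_reference keeps the default `ignored_tests=None`, but the new loop calls `ignored_tests.get(full_test_suite, [])` unconditionally, so a caller that omits the argument gets an AttributeError instead of an analysis result. Normalising at the top of the function with `ignored_tests = ignored_tests or {}`, or making the parameter required, fixes it. As a smaller style point in the same function, `not suite_case in driver_outcomes.successes` reads better as `suite_case not in driver_outcomes.successes`.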
@@ -209,6 +242,121 @@ TASKS = {
'psa_crypto_low_hash.generated', # testing the builtins
],
'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(MD5|RIPEMD160|SHA[0-9]+)_.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ }
+ }
+ },
+ 'analyze_driver_vs_reference_hmac': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_psa_crypto_config_reference_hmac',
+ 'component_driver': 'test_psa_crypto_config_accel_hmac',
+ 'ignored_suites': [
+ # These suites require legacy hash support, which is disabled
+ # in the accelerated component.
+ 'shax', 'mdx',
+ # This suite tests builtins directly, but these are missing
+ # in the accelerated case.
+ 'psa_crypto_low_hash.generated',
+ ],
+ 'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(MD5|RIPEMD160|SHA[0-9]+)_.*'),
+ re.compile(r'.*\bMBEDTLS_MD_C\b')
+ ],
+ 'test_suite_md': [
+ # Builtin HMAC is not supported in the accelerate component.
+ re.compile('.*HMAC.*'),
+ # Following tests make use of functions which are not available
+ # when MD_C is disabled, as it happens in the accelerated
+ # test component.
+ re.compile('generic .* Hash file .*'),
+ 'MD list',
+ ],
+ 'test_suite_md.psa': [
+ # "legacy only" tests require hash algorithms to be NOT
+ # accelerated, but this of course false for the accelerated
+ # test component.
+ re.compile('PSA dispatch .* legacy only'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ }
+ }
+ },
+ 'analyze_driver_vs_reference_cipher_aead_cmac': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_psa_crypto_config_reference_cipher_aead_cmac',
+ 'component_driver': 'test_psa_crypto_config_accel_cipher_aead_cmac',
+ # Modules replaced by drivers.
+ 'ignored_suites': [
+ # low-level (block/stream) cipher modules
+ 'aes', 'aria', 'camellia', 'des', 'chacha20',
+ # AEAD modes and CMAC
+ 'ccm', 'chachapoly', 'cmac', 'gcm',
+ # The Cipher abstraction layer
+ 'cipher',
+ ],
+ 'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA|CHACHA20|DES)_.*'),
+ re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM)_.*'),
+ re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_CIPHER_.*'),
+ ],
+ # PEM decryption is not supported so far.
+ # The rest of PEM (write, unencrypted read) works though.
+ 'test_suite_pem': [
+ re.compile(r'PEM read .*(AES|DES|\bencrypt).*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # Following tests depend on AES_C/DES_C but are not about
+ # them really, just need to know some error code is there.
+ 'test_suite_error': [
+ 'Low and high error',
+ 'Single low error'
+ ],
+ # Similar to test_suite_error above.
+ 'test_suite_version': [
+ 'Check for MBEDTLS_AES_C when already present',
+ ],
+ # The en/decryption part of PKCS#12 is not supported so far.
+ # The rest of PKCS#12 (key derivation) works though.
+ 'test_suite_pkcs12': [
+ re.compile(r'PBE Encrypt, .*'),
+ re.compile(r'PBE Decrypt, .*'),
+ ],
+ # The en/decryption part of PKCS#5 is not supported so far.
+ # The rest of PKCS#5 (PBKDF2) works though.
+ 'test_suite_pkcs5': [
+ re.compile(r'PBES2 Encrypt, .*'),
+ re.compile(r'PBES2 Decrypt .*'),
+ ],
+ # Encrypted keys are not supported so far.
+ # pylint: disable=line-too-long
+ 'test_suite_pkparse': [
+ 'Key ASN1 (Encrypted key PKCS12, trailing garbage data)',
+ 'Key ASN1 (Encrypted key PKCS5, trailing garbage data)',
+ re.compile(r'Parse (RSA|EC) Key .*\(.* ([Ee]ncrypted|password).*\)'),
+ ],
}
}
},
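Review bot: The `'test_suite_platform'` entry, with its three-line sanitizer comment and `'Check mbedtls_calloc overallocation'`, is pasted into all three tasks touched by this hunk and again in the later hunks for the ECC, FFDH, TF-M, RSA and block-cipher tasks. A single module-level list would keep the rationale in one place: define `SANITIZER_SENSITIVE_PLATFORM_TESTS = ['Check mbedtls_calloc overallocation']` once with the comment, then write `'test_suite_platform': SANITIZER_SENSITIVE_PLATFORM_TESTS,` in each task. Whether the consumer mutates these lists is not visible here; if it does, share a tuple or copy per task instead. The `KNOWN_TASKS` dictionary opens before this hunk and continues after it.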
@@ -218,11 +366,22 @@ TASKS = {
'component_ref': 'test_psa_crypto_config_reference_ecc_ecp_light_only',
'component_driver': 'test_psa_crypto_config_accel_ecc_ecp_light_only',
'ignored_suites': [
- 'ecdsa',
- 'ecdh',
- 'ecjpake',
+ # Modules replaced by drivers
+ 'ecdsa', 'ecdh', 'ecjpake',
],
'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # This test wants a legacy function that takes f_rng, p_rng
+ # arguments, and uses legacy ECDSA for that. The test is
+ # really about the wrapper around the PSA RNG, not ECDSA.
'test_suite_random': [
'PSA classic wrapper: ECDSA signature (SECP256R1)',
],
@@ -230,49 +389,15 @@ TASKS = {
# so we must ignore disparities in the tests for which ECP_C
# is required.
'test_suite_ecp': [
- 'ECP check public-private #1 (OK)',
- 'ECP check public-private #2 (group none)',
- 'ECP check public-private #3 (group mismatch)',
- 'ECP check public-private #4 (Qx mismatch)',
- 'ECP check public-private #5 (Qy mismatch)',
- 'ECP check public-private #6 (wrong Qx)',
- 'ECP check public-private #7 (wrong Qy)',
- 'ECP gen keypair [#1]',
- 'ECP gen keypair [#2]',
- 'ECP gen keypair [#3]',
- 'ECP gen keypair wrapper',
- 'ECP point muladd secp256r1 #1',
- 'ECP point muladd secp256r1 #2',
- 'ECP point multiplication Curve25519 (element of order 2: origin) #3',
- 'ECP point multiplication Curve25519 (element of order 4: 1) #4',
- 'ECP point multiplication Curve25519 (element of order 8) #5',
- 'ECP point multiplication Curve25519 (normalized) #1',
- 'ECP point multiplication Curve25519 (not normalized) #2',
- 'ECP point multiplication rng fail Curve25519',
- 'ECP point multiplication rng fail secp256r1',
- 'ECP test vectors Curve25519',
- 'ECP test vectors Curve448 (RFC 7748 6.2, after decodeUCoordinate)',
- 'ECP test vectors brainpoolP256r1 rfc 7027',
- 'ECP test vectors brainpoolP384r1 rfc 7027',
- 'ECP test vectors brainpoolP512r1 rfc 7027',
- 'ECP test vectors secp192k1',
- 'ECP test vectors secp192r1 rfc 5114',
- 'ECP test vectors secp224k1',
- 'ECP test vectors secp224r1 rfc 5114',
- 'ECP test vectors secp256k1',
- 'ECP test vectors secp256r1 rfc 5114',
- 'ECP test vectors secp384r1 rfc 5114',
- 'ECP test vectors secp521r1 rfc 5114',
- ],
- 'test_suite_psa_crypto': [
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1',
+ re.compile(r'ECP check public-private .*'),
+ re.compile(r'ECP calculate public: .*'),
+ re.compile(r'ECP gen keypair .*'),
+ re.compile(r'ECP point muladd .*'),
+ re.compile(r'ECP point multiplication .*'),
+ re.compile(r'ECP test vectors .*'),
],
'test_suite_ssl': [
+ # This deprecated function is only present when ECP_C is On.
'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()',
],
}
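Review bot: The six prefix patterns added to `'test_suite_ecp'` (for example `re.compile(r'ECP test vectors .*')`) ignore every present and future test whose description starts with that prefix, whereas the removed list named each test. The context comment above the list says the disparities to ignore are those in tests that require ECP_C; whether every test under these prefixes requires it cannot be seen from the hunk. A test added later under the same prefix that should run in both components would then drop out of the driver-versus-reference comparison unnoticed. I would record the assumption next to the patterns, e.g. `# Prefix patterns: every test with these names requires ECP_C; narrow them if an ECP_LIGHT test is added under the same prefix.` The enclosing task entry starts before this hunk.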
@@ -284,32 +409,24 @@ TASKS = {
'component_ref': 'test_psa_crypto_config_reference_ecc_no_ecp_at_all',
'component_driver': 'test_psa_crypto_config_accel_ecc_no_ecp_at_all',
'ignored_suites': [
- # Ignore test suites for the modules that are disabled in the
- # accelerated test case.
- 'ecp',
- 'ecdsa',
- 'ecdh',
- 'ecjpake',
+ # Modules replaced by drivers
+ 'ecp', 'ecdsa', 'ecdh', 'ecjpake',
],
'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'),
+ re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # See ecp_light_only
'test_suite_random': [
'PSA classic wrapper: ECDSA signature (SECP256R1)',
],
- 'test_suite_psa_crypto': [
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1',
- 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)',
- ],
'test_suite_pkparse': [
# When PK_PARSE_C and ECP_C are defined then PK_PARSE_EC_COMPRESSED
# is automatically enabled in build_info.h (backward compatibility)
@@ -317,23 +434,10 @@ TASKS = {
# consequence compressed points are supported in the reference
# component but not in the accelerated one, so they should be skipped
# while checking driver's coverage.
- 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)',
- 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)',
- 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)',
- 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)',
- 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)',
- 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)',
- 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)',
- 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)',
- 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)',
- 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)',
- 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)',
- 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)',
- 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)',
- 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)',
- 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)',
- 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)',
+ re.compile(r'Parse EC Key .*compressed\)'),
+ re.compile(r'Parse Public EC Key .*compressed\)'),
],
+ # See ecp_light_only
'test_suite_ssl': [
'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()',
],
@@ -346,90 +450,42 @@ TASKS = {
'component_ref': 'test_psa_crypto_config_reference_ecc_no_bignum',
'component_driver': 'test_psa_crypto_config_accel_ecc_no_bignum',
'ignored_suites': [
- # Ignore test suites for the modules that are disabled in the
- # accelerated test case.
- 'ecp',
- 'ecdsa',
- 'ecdh',
- 'ecjpake',
- 'bignum_core',
- 'bignum_random',
- 'bignum_mod',
- 'bignum_mod_raw',
- 'bignum.generated',
- 'bignum.misc',
+ # Modules replaced by drivers
+ 'ecp', 'ecdsa', 'ecdh', 'ecjpake',
+ 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
+ 'bignum.generated', 'bignum.misc',
],
'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'),
+ re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # See ecp_light_only
'test_suite_random': [
'PSA classic wrapper: ECDSA signature (SECP256R1)',
],
- 'test_suite_psa_crypto': [
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1',
- 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)',
- ],
+ # See no_ecp_at_all
'test_suite_pkparse': [
- # See the description provided above in the
- # analyze_driver_vs_reference_no_ecp_at_all component.
- 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)',
- 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)',
- 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)',
- 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)',
- 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)',
- 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)',
- 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)',
- 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)',
- 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)',
- 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)',
- 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)',
- 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)',
- 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)',
- 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)',
- 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)',
- 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)',
+ re.compile(r'Parse EC Key .*compressed\)'),
+ re.compile(r'Parse Public EC Key .*compressed\)'),
],
'test_suite_asn1parse': [
- # This test depends on BIGNUM_C
'INTEGER too large for mpi',
],
'test_suite_asn1write': [
- # Following tests depends on BIGNUM_C
- 'ASN.1 Write mpi 0 (1 limb)',
- 'ASN.1 Write mpi 0 (null)',
- 'ASN.1 Write mpi 0x100',
- 'ASN.1 Write mpi 0x7f',
- 'ASN.1 Write mpi 0x7f with leading 0 limb',
- 'ASN.1 Write mpi 0x80',
- 'ASN.1 Write mpi 0x80 with leading 0 limb',
- 'ASN.1 Write mpi 0xff',
- 'ASN.1 Write mpi 1',
- 'ASN.1 Write mpi, 127*8 bits',
- 'ASN.1 Write mpi, 127*8+1 bits',
- 'ASN.1 Write mpi, 127*8-1 bits',
- 'ASN.1 Write mpi, 255*8 bits',
- 'ASN.1 Write mpi, 255*8-1 bits',
- 'ASN.1 Write mpi, 256*8-1 bits',
+ re.compile(r'ASN.1 Write mpi.*'),
],
'test_suite_debug': [
- # Following tests depends on BIGNUM_C
- 'Debug print mbedtls_mpi #2: 3 bits',
- 'Debug print mbedtls_mpi: 0 (empty representation)',
- 'Debug print mbedtls_mpi: 0 (non-empty representation)',
- 'Debug print mbedtls_mpi: 49 bits',
- 'Debug print mbedtls_mpi: 759 bits',
- 'Debug print mbedtls_mpi: 764 bits #1',
- 'Debug print mbedtls_mpi: 764 bits #2',
+ re.compile(r'Debug print mbedtls_mpi.*'),
],
+ # See ecp_light_only
'test_suite_ssl': [
'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()',
],
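Review bot: In `re.compile(r'ASN.1 Write mpi.*')` the dot in `ASN.1` is unescaped and matches any character in that position; `re.compile(r'ASN\.1 Write mpi.*'),` would cover only the descriptions it replaces. The hunk also drops the `# This test depends on BIGNUM_C` and `# Following tests depends on BIGNUM_C` comments from `test_suite_asn1parse`, `test_suite_asn1write` and `test_suite_debug`. Those three ignore entries are left without a stated reason while the neighbouring entries gained one, so a one-line `# Depends on BIGNUM_C` above each would keep the rationale. Both remarks apply equally to the `ecc_ffdh_no_bignum` task in the next hunk.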
@@ -442,91 +498,50 @@ TASKS = {
'component_ref': 'test_psa_crypto_config_reference_ecc_ffdh_no_bignum',
'component_driver': 'test_psa_crypto_config_accel_ecc_ffdh_no_bignum',
'ignored_suites': [
- # Ignore test suites for the modules that are disabled in the
- # accelerated test case.
- 'ecp',
- 'ecdsa',
- 'ecdh',
- 'ecjpake',
- 'bignum_core',
- 'bignum_random',
- 'bignum_mod',
- 'bignum_mod_raw',
- 'bignum.generated',
- 'bignum.misc',
- 'dhm',
+ # Modules replaced by drivers
+ 'ecp', 'ecdsa', 'ecdh', 'ecjpake', 'dhm',
+ 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
+ 'bignum.generated', 'bignum.misc',
],
'ignored_tests': {
+ 'ssl-opt': [
+ # DHE support in TLS 1.2 requires built-in MBEDTLS_DHM_C
+ # (because it needs custom groups, which PSA does not
+ # provide), even with MBEDTLS_USE_PSA_CRYPTO.
+ re.compile(r'PSK callback:.*\bdhe-psk\b.*'),
+ ],
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_DHM_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'),
+ re.compile(r'.*\bMBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED\b.*'),
+ re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # See ecp_light_only
'test_suite_random': [
'PSA classic wrapper: ECDSA signature (SECP256R1)',
],
- 'test_suite_psa_crypto': [
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1',
- 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)',
- ],
+ # See no_ecp_at_all
'test_suite_pkparse': [
- # See the description provided above in the
- # analyze_driver_vs_reference_no_ecp_at_all component.
- 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)',
- 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)',
- 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)',
- 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)',
- 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)',
- 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)',
- 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)',
- 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)',
- 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)',
- 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)',
- 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)',
- 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)',
- 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)',
- 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)',
- 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)',
- 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)',
+ re.compile(r'Parse EC Key .*compressed\)'),
+ re.compile(r'Parse Public EC Key .*compressed\)'),
],
'test_suite_asn1parse': [
- # This test depends on BIGNUM_C
'INTEGER too large for mpi',
],
'test_suite_asn1write': [
- # Following tests depends on BIGNUM_C
- 'ASN.1 Write mpi 0 (1 limb)',
- 'ASN.1 Write mpi 0 (null)',
- 'ASN.1 Write mpi 0x100',
- 'ASN.1 Write mpi 0x7f',
- 'ASN.1 Write mpi 0x7f with leading 0 limb',
- 'ASN.1 Write mpi 0x80',
- 'ASN.1 Write mpi 0x80 with leading 0 limb',
- 'ASN.1 Write mpi 0xff',
- 'ASN.1 Write mpi 1',
- 'ASN.1 Write mpi, 127*8 bits',
- 'ASN.1 Write mpi, 127*8+1 bits',
- 'ASN.1 Write mpi, 127*8-1 bits',
- 'ASN.1 Write mpi, 255*8 bits',
- 'ASN.1 Write mpi, 255*8-1 bits',
- 'ASN.1 Write mpi, 256*8-1 bits',
+ re.compile(r'ASN.1 Write mpi.*'),
],
'test_suite_debug': [
- # Following tests depends on BIGNUM_C
- 'Debug print mbedtls_mpi #2: 3 bits',
- 'Debug print mbedtls_mpi: 0 (empty representation)',
- 'Debug print mbedtls_mpi: 0 (non-empty representation)',
- 'Debug print mbedtls_mpi: 49 bits',
- 'Debug print mbedtls_mpi: 759 bits',
- 'Debug print mbedtls_mpi: 764 bits #1',
- 'Debug print mbedtls_mpi: 764 bits #2',
+ re.compile(r'Debug print mbedtls_mpi.*'),
],
+ # See ecp_light_only
'test_suite_ssl': [
'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()',
],
@@ -539,7 +554,17 @@ TASKS = {
'component_ref': 'test_psa_crypto_config_reference_ffdh',
'component_driver': 'test_psa_crypto_config_accel_ffdh',
'ignored_suites': ['dhm'],
- 'ignored_tests': {}
+ 'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_DHM_C\b.*'),
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ }
}
},
'analyze_driver_vs_reference_tfm_config': {
@@ -548,92 +573,139 @@ TASKS = {
'component_ref': 'test_tfm_config',
'component_driver': 'test_tfm_config_p256m_driver_accel_ec',
'ignored_suites': [
- # Ignore test suites for the modules that are disabled in the
- # accelerated test case.
- 'ecp',
- 'ecdsa',
- 'ecdh',
- 'ecjpake',
- 'bignum_core',
- 'bignum_random',
- 'bignum_mod',
- 'bignum_mod_raw',
- 'bignum.generated',
- 'bignum.misc',
+ # Modules replaced by drivers
+ 'asn1parse', 'asn1write',
+ 'ecp', 'ecdsa', 'ecdh', 'ecjpake',
+ 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
+ 'bignum.generated', 'bignum.misc',
],
'ignored_tests': {
- # Ignore all tests that require DERIVE support which is disabled
- # in the driver version
- 'test_suite_psa_crypto': [
- 'PSA key agreement setup: ECDH + HKDF-SHA-256: good',
- ('PSA key agreement setup: ECDH + HKDF-SHA-256: good, key algorithm broader '
- 'than required'),
- 'PSA key agreement setup: ECDH + HKDF-SHA-256: public key not on curve',
- 'PSA key agreement setup: KDF instead of a key agreement algorithm',
- 'PSA key agreement setup: bad key agreement algorithm',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 0+32',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 1+31',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 31+1',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 32+0',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 32+32',
- 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 64+0',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, info first',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, key output',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, missing info',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, omitted salt',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, raw output',
- 'PSA key derivation: ECDH on P256 with HKDF-SHA256, salt after secret',
- 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, good case',
- 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, missing label',
- 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, missing label and secret',
- 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, no inputs',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)',
- 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 0+48, ka',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 24+24, ka',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 48+0, ka',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #1, ka',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #3, ka',
- 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #4, ka',
- 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC MONTGOMERY (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)',
- 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)',
- 'PSA raw key agreement: ECDH SECP256R1 (RFC 5903)',
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_(ASN1\w+)_C\b.*'),
+ re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECP)_.*'),
+ re.compile(r'.*\bMBEDTLS_PSA_P256M_DRIVER_ENABLED\b.*')
],
+ 'test_suite_config.crypto_combinations': [
+ 'Config: ECC: Weierstrass curves only',
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # See ecp_light_only
'test_suite_random': [
'PSA classic wrapper: ECDSA signature (SECP256R1)',
],
- 'test_suite_psa_crypto_pake': [
- 'PSA PAKE: ecjpake size macros',
+ }
+ }
+ },
+ 'analyze_driver_vs_reference_rsa': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_psa_crypto_config_reference_rsa_crypto',
+ 'component_driver': 'test_psa_crypto_config_accel_rsa_crypto',
+ 'ignored_suites': [
+ # Modules replaced by drivers.
+ 'rsa', 'pkcs1_v15', 'pkcs1_v21',
+ # We temporarily don't care about PK stuff.
+ 'pk', 'pkwrite', 'pkparse'
+ ],
+ 'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(PKCS1|RSA)_.*'),
+ re.compile(r'.*\bMBEDTLS_GENPRIME\b.*')
],
- 'test_suite_asn1parse': [
- # This test depends on BIGNUM_C
- 'INTEGER too large for mpi',
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
],
- 'test_suite_asn1write': [
- # Following tests depends on BIGNUM_C
- 'ASN.1 Write mpi 0 (1 limb)',
- 'ASN.1 Write mpi 0 (null)',
- 'ASN.1 Write mpi 0x100',
- 'ASN.1 Write mpi 0x7f',
- 'ASN.1 Write mpi 0x7f with leading 0 limb',
- 'ASN.1 Write mpi 0x80',
- 'ASN.1 Write mpi 0x80 with leading 0 limb',
- 'ASN.1 Write mpi 0xff',
- 'ASN.1 Write mpi 1',
- 'ASN.1 Write mpi, 127*8 bits',
- 'ASN.1 Write mpi, 127*8+1 bits',
- 'ASN.1 Write mpi, 127*8-1 bits',
- 'ASN.1 Write mpi, 255*8 bits',
- 'ASN.1 Write mpi, 255*8-1 bits',
- 'ASN.1 Write mpi, 256*8-1 bits',
+ # Following tests depend on RSA_C but are not about
+ # them really, just need to know some error code is there.
+ 'test_suite_error': [
+ 'Low and high error',
+ 'Single high error'
+ ],
+ # Constant time operations only used for PKCS1_V15
+ 'test_suite_constant_time': [
+ re.compile(r'mbedtls_ct_zeroize_if .*'),
+ re.compile(r'mbedtls_ct_memmove_left .*')
+ ],
+ 'test_suite_psa_crypto': [
+ # We don't support generate_key_ext entry points
+ # in drivers yet.
+ re.compile(r'PSA generate key ext: RSA, e=.*'),
+ ],
+ }
+ }
+ },
+ 'analyze_block_cipher_dispatch': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_full_block_cipher_legacy_dispatch',
+ 'component_driver': 'test_full_block_cipher_psa_dispatch',
+ 'ignored_suites': [
+ # Skipped in the accelerated component
+ 'aes', 'aria', 'camellia',
+ # These require AES_C, ARIA_C or CAMELLIA_C to be enabled in
+ # order for the cipher module (actually cipher_wrapper) to work
+ # properly. However these symbols are disabled in the accelerated
+ # component so we ignore them.
+ 'cipher.ccm', 'cipher.gcm', 'cipher.aes', 'cipher.aria',
+ 'cipher.camellia',
+ ],
+ 'ignored_tests': {
+ 'test_suite_config': [
+ re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA)_.*'),
+ re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'),
+ ],
+ 'test_suite_cmac': [
+ # Following tests require AES_C/ARIA_C/CAMELLIA_C to be enabled,
+ # but these are not available in the accelerated component.
+ 'CMAC null arguments',
+ re.compile('CMAC.* (AES|ARIA|Camellia).*'),
+ ],
+ 'test_suite_cipher.padding': [
+ # Following tests require AES_C/CAMELLIA_C to be enabled,
+ # but these are not available in the accelerated component.
+ re.compile('Set( non-existent)? padding with (AES|CAMELLIA).*'),
+ ],
+ 'test_suite_pkcs5': [
+ # The AES part of PKCS#5 PBES2 is not yet supported.
+ # The rest of PKCS#5 (PBKDF2) works, though.
+ re.compile(r'PBES2 .* AES-.*')
+ ],
+ 'test_suite_pkparse': [
+ # PEM (called by pkparse) requires AES_C in order to decrypt
+ # the key, but this is not available in the accelerated
+ # component.
+ re.compile('Parse RSA Key.*(password|AES-).*'),
+ ],
+ 'test_suite_pem': [
+ # Following tests require AES_C, but this is diabled in the
+ # accelerated component.
+ re.compile('PEM read .*AES.*'),
+ 'PEM read (unknown encryption algorithm)',
+ ],
+ 'test_suite_error': [
+ # Following tests depend on AES_C but are not about them
+ # really, just need to know some error code is there.
+ 'Single low error',
+ 'Low and high error',
+ ],
+ 'test_suite_version': [
+ # Similar to test_suite_error above.
+ 'Check for MBEDTLS_AES_C when already present',
+ ],
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
],
}
}
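Review bot: The new `analyze_driver_vs_reference_rsa` task lists `'pk', 'pkwrite', 'pkparse'` in `ignored_suites` under `# We temporarily don't care about PK stuff.`, which takes the key parsing and writing suites out of the driver-versus-reference comparison with no stated condition for restoring them. I would replace the comment with one that gives the reason and a tracking reference, e.g. `# TODO(<issue-id>): PK suites excluded until <reason>; remove from this list afterwards.` In the TF-M task of the same hunk, `# Modules replaced by drivers` now also heads `'asn1parse', 'asn1write'`, which probably wants its own comment since the ASN.1 modules do not look like driver replacements. The `test_suite_pem` comment has `diabled` for `disabled`.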
@@ -641,11 +713,13 @@ TASKS = {
}
def main():
+ main_results = Results()
+
try:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
help='Outcome file to analyze')
- parser.add_argument('task', default='all', nargs='?',
+ parser.add_argument('specified_tasks', default='all', nargs='?',
help='Analysis to be done. By default, run all tasks. '
'With one or more TASK, run only those. '
'TASK can be the name of a single task or '
@@ -660,33 +734,52 @@ def main():
options = parser.parse_args()
if options.list:
- for task in TASKS:
- Results.log(task)
+ for task in KNOWN_TASKS:
+ print(task)
sys.exit(0)
- result = True
-
- if options.task == 'all':
- tasks = TASKS.keys()
+ if options.specified_tasks == 'all':
+ tasks_list = KNOWN_TASKS.keys()
else:
- tasks = re.split(r'[, ]+', options.task)
+ tasks_list = re.split(r'[, ]+', options.specified_tasks)
+ for task in tasks_list:
+ if task not in KNOWN_TASKS:
+ sys.stderr.write('invalid task: {}\n'.format(task))
+ sys.exit(2)
+
+ KNOWN_TASKS['analyze_coverage']['args']['full_coverage'] = options.full_coverage
+
+ # If the outcome file exists, parse it once and share the result
+ # among tasks to improve performance.
+ # Otherwise, it will be generated by execute_reference_driver_tests.
+ if not os.path.exists(options.outcomes):
+ if len(tasks_list) > 1:
+ sys.stderr.write("mutiple tasks found, please provide a valid outcomes file.\n")
+ sys.exit(2)
+
+ task_name = tasks_list[0]
+ task = KNOWN_TASKS[task_name]
+ if task['test_function'] != do_analyze_driver_vs_reference: # pylint: disable=comparison-with-callable
+ sys.stderr.write("please provide valid outcomes file for {}.\n".format(task_name))
+ sys.exit(2)
+
+ execute_reference_driver_tests(main_results,
+ task['args']['component_ref'],
+ task['args']['component_driver'],
+ options.outcomes)
+
+ outcomes = read_outcome_file(options.outcomes)
- for task in tasks:
- if task not in TASKS:
- Results.log('Error: invalid task: {}'.format(task))
- sys.exit(1)
+ for task in tasks_list:
+ test_function = KNOWN_TASKS[task]['test_function']
+ test_args = KNOWN_TASKS[task]['args']
+ test_function(main_results, outcomes, test_args)
- TASKS['analyze_coverage']['args']['full_coverage'] = \
- options.full_coverage
+ main_results.info("Overall results: {} warnings and {} errors",
+ main_results.warning_count, main_results.error_count)
- for task in TASKS:
- if task in tasks:
- if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']):
- result = False
+ sys.exit(0 if (main_results.error_count == 0) else 1)
- if result is False:
- sys.exit(1)
- Results.log("SUCCESS :-)")
except Exception: # pylint: disable=broad-except
# Print the backtrace and exit explicitly with our chosen status.
traceback.print_exc()
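Review bot: `tasks_list = KNOWN_TASKS.keys()` is a dict view, so `task_name = tasks_list[0]` in the missing-outcomes branch would raise `TypeError` if it were ever reached with the default `all`. That path is cut off today only because `len(tasks_list) > 1` exits first while `KNOWN_TASKS` has more than one entry. Making both branches produce a list removes that dependency: `tasks_list = list(KNOWN_TASKS.keys())`. The error text `"mutiple tasks found, ..."` should read `multiple`. `main()` starts before this hunk and its `except` block continues after it.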
diff --git a/tests/scripts/audit-validity-dates.py b/tests/scripts/audit-validity-dates.py
index 5128dc7..3d09246 100755
--- a/tests/scripts/audit-validity-dates.py
+++ b/tests/scripts/audit-validity-dates.py
@@ -1,26 +1,14 @@
#!/usr/bin/env python3
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""Audit validity date of X509 crt/crl/csr.
This script is used to audit the validity date of crt/crl/csr used for testing.
It prints the information about X.509 objects excluding the objects that
are valid throughout the desired validity period. The data are collected
-from tests/data_files/ and tests/suites/*.data files by default.
+from framework/data_files/ and tests/suites/*.data files by default.
"""
import os
@@ -41,8 +29,8 @@ from cryptography import x509
from generate_test_code import FileWrapper
import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import build_tree
-from mbedtls_dev import logging_util
+from mbedtls_framework import build_tree
+from mbedtls_framework import logging_util
def check_cryptography_version():
match = re.match(r'^[0-9]+', cryptography.__version__)
@@ -281,12 +269,12 @@ class Auditor:
class TestDataAuditor(Auditor):
- """Class for auditing files in `tests/data_files/`"""
+ """Class for auditing files in `framework/data_files/`"""
def collect_default_files(self):
- """Collect all files in `tests/data_files/`"""
- test_dir = self.find_test_dir()
- test_data_glob = os.path.join(test_dir, 'data_files/**')
+ """Collect all files in `framework/data_files/`"""
+ test_data_glob = os.path.join(build_tree.guess_mbedtls_root(),
+ 'framework', 'data_files/**')
data_files = [f for f in glob.glob(test_data_glob, recursive=True)
if os.path.isfile(f)]
return data_files
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 72923f6..d2e955f 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -3,19 +3,7 @@
# basic-build-test.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -115,11 +103,7 @@ echo
echo '################ compat.sh ################'
{
echo '#### compat.sh: Default versions'
- sh compat.sh
- echo
-
- echo '#### compat.sh: null cipher'
- sh compat.sh -e '^$' -f 'NULL'
+ sh compat.sh -e 'ARIA\|CHACHA'
echo
echo '#### compat.sh: next (ARIA, ChaCha)'
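Review bot: The heading printed just above the changed call still reads `Default versions`, although the call now filters out ARIA and ChaCha with `-e 'ARIA\|CHACHA'`. The dedicated null-cipher run is also removed, and nothing in the hunk says where NULL ciphersuites are exercised afterwards. If compat.sh's default filter now covers them, that is not visible here, so a reader of this script cannot tell whether NULL-suite coverage was kept or dropped. I would add a comment above the call, for example `# ARIA/ChaCha run in the "next" block below; NULL suites: see compat.sh default filter`, with the second half confirmed against compat.sh.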
diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh
index 02cafb0..3aca3a1 100755
--- a/tests/scripts/basic-in-docker.sh
+++ b/tests/scripts/basic-in-docker.sh
@@ -18,19 +18,7 @@
# See docker_env.sh for prerequisites and other information.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
source tests/scripts/docker_env.sh
diff --git a/tests/scripts/check-doxy-blocks.pl b/tests/scripts/check-doxy-blocks.pl
index dd95530..3199c2a 100755
--- a/tests/scripts/check-doxy-blocks.pl
+++ b/tests/scripts/check-doxy-blocks.pl
@@ -9,19 +9,7 @@
# items that are documented, but not marked as such by mistake.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use warnings;
use strict;
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index d03e5cf..56d4884 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -1,19 +1,7 @@
#! /usr/bin/env sh
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -34,8 +22,27 @@ EOF
exit
fi
-if [ -d library -a -d include -a -d tests ]; then :; else
- echo "Must be run from Mbed TLS root" >&2
+in_mbedtls_repo () {
+ test -d include -a -d library -a -d programs -a -d tests
+}
+
+in_tf_psa_crypto_repo () {
+ test -d include -a -d core -a -d drivers -a -d programs -a -d tests
+}
+
+if in_mbedtls_repo; then
+ if [ -d tf-psa-crypto ]; then
+ crypto_core_dir='tf-psa-crypto/core'
+ builtin_drivers_dir='tf-psa-crypto/drivers/builtin/src'
+ else
+ crypto_core_dir='library'
+ builtin_drivers_dir='library'
+ fi
+elif in_tf_psa_crypto_repo; then
+ crypto_core_dir='core'
+ builtin_drivers_dir='drivers/builtin/src/'
+else
+ echo "Must be run from Mbed TLS root or TF-PSA-Crypto root" >&2
exit 1
fi
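Review bot: In the TF-PSA-Crypto branch, `builtin_drivers_dir='drivers/builtin/src/'` carries a trailing slash while the other two assignments of the same variable do not. Any later join of the form `${builtin_drivers_dir}/error.c` then produces a double slash. The path still resolves, but keeping all branches in one form avoids surprises if the value is ever compared or echoed: `builtin_drivers_dir='drivers/builtin/src'`.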
@@ -126,16 +133,30 @@ check()
# - **/CMakeLists.txt (to (re)build them with cmake)
# - scripts/make_generated_files.bat (to generate them under Windows)
-check scripts/generate_errors.pl library/error.c
-check scripts/generate_query_config.pl programs/test/query_config.c
-check scripts/generate_driver_wrappers.py library/psa_crypto_driver_wrappers.h library/psa_crypto_driver_wrappers_no_static.c
-check scripts/generate_features.pl library/version_features.c
-check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
-# generate_visualc_files enumerates source files (library/*.c). It doesn't
-# care about their content, but the files must exist. So it must run after
-# the step that creates or updates these files.
-check scripts/generate_visualc_files.pl visualc/VS2013
+# These checks are common to Mbed TLS and TF-PSA-Crypto
check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
-check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list)
-check tests/scripts/generate_ecp_tests.py $(tests/scripts/generate_ecp_tests.py --list)
-check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list)
+check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list)
+check framework/scripts/generate_config_tests.py $(framework/scripts/generate_config_tests.py --list)
+check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
+check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
+check framework/scripts/generate_test_keys.py tests/src/test_keys.h
+check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
+ ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
+
+# Additional checks for Mbed TLS only
+if in_mbedtls_repo; then
+ check scripts/generate_errors.pl ${builtin_drivers_dir}/error.c
+ check scripts/generate_query_config.pl programs/test/query_config.c
+ check scripts/generate_features.pl ${builtin_drivers_dir}/version_features.c
+ check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
+ check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h
+ # generate_visualc_files enumerates source files (library/*.c). It doesn't
+ # care about their content, but the files must exist. So it must run after
+ # the step that creates or updates these files.
+ check scripts/generate_visualc_files.pl visualc/VS2017
+fi
+
+# Generated files that are present in the repository even in the development
+# branch. (This is intended to be temporary, until the generator scripts are
+# fully reviewed and the build scripts support a generated header file.)
+check framework/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c
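Review bot: The four `check framework/scripts/generate_*_tests.py $(… --list)` lines take their file list from a command substitution whose exit status is discarded. If `--list` fails, for instance because the `framework` directory is not populated, `check` is called with the script name and no files. The body of `check` is outside this hunk, so I cannot tell whether it rejects an empty list; if it does not, the freshness check passes without comparing anything. Capturing the list first makes the failure explicit, e.g. `files=$(framework/scripts/generate_config_tests.py --list) || exit 1` followed by `check framework/scripts/generate_config_tests.py $files`, and likewise for the bignum, ecp and psa lines.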
diff --git a/tests/scripts/check-python-files.sh b/tests/scripts/check-python-files.sh
index 35319d3..77102ba 100755
--- a/tests/scripts/check-python-files.sh
+++ b/tests/scripts/check-python-files.sh
@@ -1,19 +1,7 @@
#! /usr/bin/env sh
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
# Purpose: check Python files for potential programming errors or maintenance
# hurdles. Run pylint to detect some potential mistakes and enforce PEP8
@@ -43,14 +31,14 @@ EOF
can_pylint () {
# Pylint 1.5.2 from Ubuntu 16.04 is too old:
- # E: 34, 0: Unable to import 'mbedtls_dev' (import-error)
+ # E: 34, 0: Unable to import 'mbedtls_framework' (import-error)
# Pylint 1.8.3 from Ubuntu 18.04 passed on the first commit containing this line.
check_version pylint 1.8.3
}
can_mypy () {
# mypy 0.770 is too old:
- # tests/scripts/test_psa_constant_names.py:34: error: Cannot find implementation or library stub for module named 'mbedtls_dev'
+ # tests/scripts/test_psa_constant_names.py:34: error: Cannot find implementation or library stub for module named 'mbedtls_framework'
# mypy 0.780 from pip passed on the first commit containing this line.
check_version mypy.version 0.780
}
@@ -67,14 +55,14 @@ elif [ "$1" = "--can-mypy" ]; then
fi
echo 'Running pylint ...'
-$PYTHON -m pylint scripts/mbedtls_dev/*.py scripts/*.py tests/scripts/*.py || {
+$PYTHON -m pylint framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py || {
echo >&2 "pylint reported errors"
ret=1
}
echo
echo 'Running mypy ...'
-$PYTHON -m mypy scripts/*.py tests/scripts/*.py ||
+$PYTHON -m mypy framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py ||
ret=1
exit $ret
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index 238a83f..e937202 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -1,19 +1,7 @@
#!/usr/bin/env python3
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
This script checks the current state of the source code for minor issues,
@@ -22,10 +10,11 @@ trailing whitespace, and presence of UTF-8 BOM.
Note: requires python 3, must be run from Mbed TLS root.
"""
-import os
import argparse
-import logging
import codecs
+import inspect
+import logging
+import os
import re
import subprocess
import sys
@@ -35,7 +24,7 @@ except ImportError:
pass
import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import build_tree
+from mbedtls_framework import build_tree
class FileIssueTracker:
@@ -116,13 +105,14 @@ class FileIssueTracker:
BINARY_FILE_PATH_RE_LIST = [
r'docs/.*\.pdf\Z',
+ r'docs/.*\.png\Z',
r'programs/fuzz/corpuses/[^.]+\Z',
- r'tests/data_files/[^.]+\Z',
- r'tests/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
- r'tests/data_files/.*\.req\.[^/]+\Z',
- r'tests/data_files/.*malformed[^/]+\Z',
- r'tests/data_files/format_pkcs12\.fmt\Z',
- r'tests/data_files/.*\.bin\Z',
+ r'framework/data_files/[^.]+\Z',
+ r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
+ r'framework/data_files/.*\.req\.[^/]+\Z',
+ r'framework/data_files/.*malformed[^/]+\Z',
+ r'framework/data_files/format_pkcs12\.fmt\Z',
+ r'framework/data_files/.*\.bin\Z',
]
BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST))
@@ -183,6 +173,8 @@ class ShebangIssueTracker(FileIssueTracker):
b'sh': 'sh',
}
+ path_exemptions = re.compile(r'tests/scripts/quiet/.*')
+
def is_valid_shebang(self, first_line, filepath):
m = re.match(self._shebang_re, first_line)
if not m:
@@ -328,8 +320,10 @@ class TabIssueTracker(LineIssueTracker):
heading = "Tabs present:"
suffix_exemptions = frozenset([
+ ".make",
".pem", # some openssl dumps have tabs
".sln",
+ "/.gitmodules",
"/Makefile",
"/Makefile.inc",
"/generate_visualc_files.pl",
@@ -357,6 +351,101 @@ class MergeArtifactIssueTracker(LineIssueTracker):
return False
+def this_location():
+ frame = inspect.currentframe()
+ assert frame is not None
+ info = inspect.getframeinfo(frame)
+ return os.path.basename(info.filename), info.lineno
+THIS_FILE_BASE_NAME, LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER = this_location()
+
+class LicenseIssueTracker(LineIssueTracker):
+ """Check copyright statements and license indications.
+
+ This class only checks that statements are correct if present. It does
+ not enforce the presence of statements in each file.
+ """
+
+ heading = "License issue:"
+
+ LICENSE_EXEMPTION_RE_LIST = [
+ # Exempt third-party drivers which may be under a different license
+ r'tf-psa-crypto/drivers/(?=(everest)/.*)',
+ # Documentation explaining the license may have accidental
+ # false positives.
+ r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
+ # Files imported from TF-M, and not used except in test builds,
+ # may be under a different license.
+ r'configs/ext/crypto_config_profile_medium\.h\Z',
+ r'configs/ext/tfm_mbedcrypto_config_profile_medium\.h\Z',
+ r'configs/ext/README\.md\Z',
+ # Third-party file.
+ r'dco\.txt\Z',
+ r'framework\/dco\.txt\Z',
+ ]
+ path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST +
+ LICENSE_EXEMPTION_RE_LIST))
+
+ COPYRIGHT_HOLDER = rb'The Mbed TLS Contributors'
+ # Catch "Copyright foo", "Copyright (C) foo", "Copyright © foo", etc.
+ COPYRIGHT_RE = re.compile(rb'.*\bcopyright\s+((?:\w|\s|[()]|[^ -~])*\w)', re.I)
+
+ SPDX_HEADER_KEY = b'SPDX-License-Identifier'
+ LICENSE_IDENTIFIER = b'Apache-2.0 OR GPL-2.0-or-later'
+ SPDX_RE = re.compile(br'.*?(' +
+ re.escape(SPDX_HEADER_KEY) +
+ br')(:\s*(.*?)\W*\Z|.*)', re.I)
+
+ LICENSE_MENTION_RE = re.compile(rb'.*(?:' + rb'|'.join([
+ rb'Apache License',
+ rb'General Public License',
+ ]) + rb')', re.I)
+
+ def __init__(self):
+ super().__init__()
+ # Record what problem was caused. We can't easily report it due to
+ # the structure of the script. To be fixed after
+ # https://github.com/Mbed-TLS/mbedtls/pull/2506
+ self.problem = None
+
+ def issue_with_line(self, line, filepath, line_number):
+ #pylint: disable=too-many-return-statements
+
+ # Use endswith() rather than the more correct os.path.basename()
+ # because experimentally, it makes a significant difference to
+ # the running time.
+ if filepath.endswith(THIS_FILE_BASE_NAME) and \
+ line_number > LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER:
+ # Avoid false positives from the code in this class.
+ # Also skip the rest of this file, which is highly unlikely to
+ # contain any problematic statements since we put those near the
+ # top of files.
+ return False
+
+ m = self.COPYRIGHT_RE.match(line)
+ if m and m.group(1) != self.COPYRIGHT_HOLDER:
+ self.problem = 'Invalid copyright line'
+ return True
+
+ m = self.SPDX_RE.match(line)
+ if m:
+ if m.group(1) != self.SPDX_HEADER_KEY:
+ self.problem = 'Misspelled ' + self.SPDX_HEADER_KEY.decode()
+ return True
+ if not m.group(3):
+ self.problem = 'Improperly formatted SPDX license identifier'
+ return True
+ if m.group(3) != self.LICENSE_IDENTIFIER:
+ self.problem = 'Wrong SPDX license identifier'
+ return True
+
+ m = self.LICENSE_MENTION_RE.match(line)
+ if m:
+ self.problem = 'Suspicious license mention'
+ return True
+
+ return False
+
+
class IntegrityChecker:
"""Sanity-check files under the current directory."""
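Review bot: The self-exemption at the top of `issue_with_line` uses `filepath.endswith(THIS_FILE_BASE_NAME)`, which matches any tracked path whose name merely ends in this script's base name, not only this file. Such a file would have every line past `LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER` skipped by the license check. `collect_files` prepends `./` to top-level paths, so every path contains a slash and the test can be tightened at no cost: `if filepath.endswith('/' + THIS_FILE_BASE_NAME) and \`. A file with the same base name in another directory, such as one under `framework/`, would still be exempted, which deserves a word in the comment. `this_location()` also lacks a docstring saying that the returned line number marks where the exemption begins.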
@@ -377,9 +466,11 @@ class IntegrityChecker:
TrailingWhitespaceIssueTracker(),
TabIssueTracker(),
MergeArtifactIssueTracker(),
+ LicenseIssueTracker(),
]
def setup_logger(self, log_file, level=logging.INFO):
+ """Log to log_file if provided, or to stderr if None."""
self.logger = logging.getLogger()
self.logger.setLevel(level)
if log_file:
@@ -391,9 +482,27 @@ class IntegrityChecker:
@staticmethod
def collect_files():
+ """Return the list of files to check.
+
+ These are the regular files commited into Git.
+ """
+ bytes_output = subprocess.check_output(['git', '-C', 'framework',
+ 'ls-files', '-z'])
+ bytes_framework_filepaths = bytes_output.split(b'\0')[:-1]
+ bytes_framework_filepaths = ["framework/".encode() + filepath
+ for filepath in bytes_framework_filepaths]
+
bytes_output = subprocess.check_output(['git', 'ls-files', '-z'])
- bytes_filepaths = bytes_output.split(b'\0')[:-1]
+ bytes_filepaths = bytes_output.split(b'\0')[:-1] + \
+ bytes_framework_filepaths
ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths)
+
+ # Filter out directories. Normally Git doesn't list directories
+ # (it only knows about the files inside them), but there is
+ # at least one case where 'git ls-files' includes a directory:
+ # submodules. Just skip submodules (and any other directories).
+ ascii_filepaths = [fp for fp in ascii_filepaths
+ if os.path.isfile(fp)]
# Prepend './' to files in the top-level directory so that
# something like `'/Makefile' in fp` matches in the top-level
# directory as well as in subdirectories.
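Review bot: The new `os.path.isfile(fp)` filter in `collect_files` drops more than the submodule entries its comment describes. It also silently removes any tracked path that is missing from the working tree, and any symlink whose target is absent or is a directory. Those files then pass every issue tracker unchecked, with no log line. I would either narrow the filter to directories, `if not os.path.isdir(fp)`, so that a missing file still surfaces as an error when it is opened, or extend the comment to state that missing paths are skipped on purpose. The function's return statement lies outside this hunk.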
@@ -401,12 +510,17 @@ class IntegrityChecker:
for fp in ascii_filepaths]
def check_files(self):
+ """Check all files for all issues."""
for issue_to_check in self.issues_to_check:
for filepath in self.collect_files():
if issue_to_check.should_check_file(filepath):
issue_to_check.check_file_for_issue(filepath)
def output_issues(self):
+ """Log the issues found and their locations.
+
+ Return 1 if there were issues, 0 otherwise.
+ """
integrity_return_code = 0
for issue_to_check in self.issues_to_check:
if issue_to_check.files_with_issues:
diff --git a/tests/scripts/check_names.py b/tests/scripts/check_names.py
index 86a7c09..4f503e4 100755
--- a/tests/scripts/check_names.py
+++ b/tests/scripts/check_names.py
@@ -1,19 +1,7 @@
#!/usr/bin/env python3
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
This script confirms that the naming of all symbols and identifiers in Mbed TLS
@@ -57,7 +45,7 @@ import subprocess
import logging
import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import build_tree
+from mbedtls_framework import build_tree
# Naming patterns to check against. These are defined outside the NameCheck
@@ -250,41 +238,63 @@ class CodeParser():
all_macros["public"] = self.parse_macros([
"include/mbedtls/*.h",
"include/psa/*.h",
- "3rdparty/everest/include/everest/everest.h",
- "3rdparty/everest/include/everest/x25519.h"
+ "tf-psa-crypto/include/psa/*.h",
+ "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
+ "tf-psa-crypto/drivers/everest/include/everest/everest.h",
+ "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
])
all_macros["internal"] = self.parse_macros([
"library/*.h",
+ "tf-psa-crypto/core/*.h",
+ "tf-psa-crypto/drivers/builtin/src/*.h",
"tests/include/test/drivers/*.h",
])
all_macros["private"] = self.parse_macros([
"library/*.c",
+ "tf-psa-crypto/core/*.c",
+ "tf-psa-crypto/drivers/builtin/src/*.c",
])
enum_consts = self.parse_enum_consts([
"include/mbedtls/*.h",
"include/psa/*.h",
+ "tf-psa-crypto/include/psa/*.h",
+ "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
"library/*.h",
+ "tf-psa-crypto/core/*.h",
+ "tf-psa-crypto/drivers/builtin/src/*.h",
"library/*.c",
- "3rdparty/everest/include/everest/everest.h",
- "3rdparty/everest/include/everest/x25519.h"
+ "tf-psa-crypto/core/*.c",
+ "tf-psa-crypto/drivers/builtin/src/*.c",
+ "tf-psa-crypto/drivers/everest/include/everest/everest.h",
+ "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
])
identifiers, excluded_identifiers = self.parse_identifiers([
"include/mbedtls/*.h",
"include/psa/*.h",
+ "tf-psa-crypto/include/psa/*.h",
+ "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
"library/*.h",
- "3rdparty/everest/include/everest/everest.h",
- "3rdparty/everest/include/everest/x25519.h"
- ], ["3rdparty/p256-m/p256-m/p256-m.h"])
+ "tf-psa-crypto/core/*.h",
+ "tf-psa-crypto/drivers/builtin/src/*.h",
+ "tf-psa-crypto/drivers/everest/include/everest/everest.h",
+ "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
+ ], ["tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h"])
mbed_psa_words = self.parse_mbed_psa_words([
"include/mbedtls/*.h",
"include/psa/*.h",
+ "tf-psa-crypto/include/psa/*.h",
+ "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
"library/*.h",
- "3rdparty/everest/include/everest/everest.h",
- "3rdparty/everest/include/everest/x25519.h",
+ "tf-psa-crypto/core/*.h",
+ "tf-psa-crypto/drivers/builtin/src/*.h",
+ "tf-psa-crypto/drivers/everest/include/everest/everest.h",
+ "tf-psa-crypto/drivers/everest/include/everest/x25519.h",
"library/*.c",
- "3rdparty/everest/library/everest.c",
- "3rdparty/everest/library/x25519.c"
- ], ["library/psa_crypto_driver_wrappers.h"])
+ "tf-psa-crypto/core/*.c",
+ "tf-psa-crypto/drivers/builtin/src/*.c",
+ "tf-psa-crypto/drivers/everest/library/everest.c",
+ "tf-psa-crypto/drivers/everest/library/x25519.c"
+ ], ["tf-psa-crypto/core/psa_crypto_driver_wrappers.h"])
symbols = self.parse_symbols()
# Remove identifier macros like mbedtls_printf or mbedtls_calloc
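Review bot: The same groups of glob patterns are now written out in full in each of the `parse_macros`, `parse_enum_consts`, `parse_identifiers` and `parse_mbed_psa_words` calls. These are the public headers, the internal headers under `library/`, `tf-psa-crypto/core/` and `tf-psa-crypto/drivers/builtin/src/`, and the two Everest headers. With the `tf-psa-crypto/` entries added, each list is long enough that a directory could be dropped from one of them without anyone noticing, and that part of the tree would then go unchecked. Naming the groups once and concatenating them per call would keep the lists in step, e.g. `public_headers = ["include/mbedtls/*.h", "include/psa/*.h", "tf-psa-crypto/include/psa/*.h", "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h"]`. The enclosing method starts and ends outside the hunk.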
diff --git a/tests/scripts/check_test_cases.py b/tests/scripts/check_test_cases.py
index 1395d4d..d67e678 100755
--- a/tests/scripts/check_test_cases.py
+++ b/tests/scripts/check_test_cases.py
@@ -7,19 +7,7 @@ independently of the checks.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import glob
@@ -28,6 +16,24 @@ import re
import subprocess
import sys
+class ScriptOutputError(ValueError):
+ """A kind of ValueError that indicates we found
+ the script doesn't list test cases in an expected
+ pattern.
+ """
+
+ @property
+ def script_name(self):
+ return super().args[0]
+
+ @property
+ def idx(self):
+ return super().args[1]
+
+ @property
+ def line(self):
+ return super().args[2]
+
class Results:
"""Store file and line information about errors or warnings in test suites."""
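Review bot: The three properties of `ScriptOutputError` read their value through `super().args[n]`, where plain `self.args[n]` does the same thing and is the usual spelling. The class docstring also does not say that the constructor expects exactly `(script_name, idx, line)`, so a caller raising it with fewer arguments gets an `IndexError` from the property rather than a useful message. I would write `return self.args[0]` and so on, and add one docstring line: `Raise as ScriptOutputError(script_name, idx, line).`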
@@ -97,33 +103,29 @@ state may override this method.
data_file_name, line_number, line)
in_paragraph = True
- def walk_ssl_opt_sh(self, file_name):
- """Iterate over the test cases in ssl-opt.sh or a file with a similar format."""
+ def collect_from_script(self, script_name):
+ """Collect the test cases in a script by calling its listing test cases
+option"""
descriptions = self.new_per_file_state() # pylint: disable=assignment-from-none
- with open(file_name, 'rb') as file_contents:
- for line_number, line in enumerate(file_contents, 1):
- # Assume that all run_test calls have the same simple form
- # with the test description entirely on the same line as the
- # function name.
- m = re.match(br'\s*run_test\s+"((?:[^\\"]|\\.)*)"', line)
- if not m:
- continue
- description = m.group(1)
- self.process_test_case(descriptions,
- file_name, line_number, description)
-
- def walk_compat_sh(self, file_name):
- """Iterate over the test cases compat.sh with a similar format."""
- descriptions = self.new_per_file_state() # pylint: disable=assignment-from-none
- compat_cmd = ['sh', file_name, '--list-test-case']
- compat_output = subprocess.check_output(compat_cmd)
- # Assume compat.sh is responsible for printing identical format of
- # test case description between --list-test-case and its OUTCOME.CSV
- description = compat_output.strip().split(b'\n')
+ listed = subprocess.check_output(['sh', script_name, '--list-test-cases'])
+ # Assume test file is responsible for printing identical format of
+ # test case description between --list-test-cases and its OUTCOME.CSV
+ #
# idx indicates the number of test case since there is no line number
- # in `compat.sh` for each test case.
- for idx, descrip in enumerate(description):
- self.process_test_case(descriptions, file_name, idx, descrip)
+ # in the script for each test case.
+ for idx, line in enumerate(listed.splitlines()):
+ # We are expecting the script to list the test cases in
+ # `<suite_name>;<description>` pattern.
+ script_outputs = line.split(b';', 1)
+ if len(script_outputs) == 2:
+ suite_name, description = script_outputs
+ else:
+ raise ScriptOutputError(script_name, idx, line.decode("utf-8"))
+
+ self.process_test_case(descriptions,
+ suite_name.decode('utf-8'),
+ idx,
+ description.rstrip())
@staticmethod
def collect_test_directories():
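Review bot: In `collect_from_script`, both `line.decode("utf-8")` on the error path and `suite_name.decode('utf-8')` on the normal path raise `UnicodeDecodeError` if the script prints a byte sequence that is not valid UTF-8. That replaces the intended `ScriptOutputError` report with an uncaught traceback. For the error path, `raise ScriptOutputError(script_name, idx, line.decode("utf-8", errors="replace"))` keeps the diagnostic usable. The description is also passed on as bytes via `description.rstrip()` while the suite name is passed as `str`, a mix that deserves a short comment. The docstring's second line, `option"""`, is broken off at column 0 and should be rejoined with the first.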
@@ -144,15 +146,10 @@ state may override this method.
for data_file_name in glob.glob(os.path.join(directory, 'suites',
'*.data')):
self.walk_test_suite(data_file_name)
- ssl_opt_sh = os.path.join(directory, 'ssl-opt.sh')
- if os.path.exists(ssl_opt_sh):
- self.walk_ssl_opt_sh(ssl_opt_sh)
- for ssl_opt_file_name in glob.glob(os.path.join(directory, 'opt-testcases',
- '*.sh')):
- self.walk_ssl_opt_sh(ssl_opt_file_name)
- compat_sh = os.path.join(directory, 'compat.sh')
- if os.path.exists(compat_sh):
- self.walk_compat_sh(compat_sh)
+
+ for sh_file in ['ssl-opt.sh', 'compat.sh']:
+ sh_file = os.path.join(directory, sh_file)
+ self.collect_from_script(sh_file)
class TestDescriptions(TestDescriptionExplorer):
"""Collect the available test cases."""
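Review bot: The new loop over `['ssl-opt.sh', 'compat.sh']` calls `collect_from_script` for every directory without the `os.path.exists` guard that the removed code had. A directory lacking one of the scripts now makes `sh` exit non-zero, so `subprocess.check_output` raises `CalledProcessError`. The `try` added in `main` catches only `ScriptOutputError`, so that exception would end the run with a traceback instead of a reported result. If every directory returned by `collect_test_directories` is expected to hold both scripts, a comment should say so; otherwise restore the guard with `if os.path.exists(sh_file):` before the call. The loop also reuses `sh_file` for both the bare name and the joined path, which a second variable would make clearer. The enclosing method starts outside the hunk.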
@@ -229,7 +226,12 @@ def main():
return
results = Results(options)
checker = DescriptionChecker(results)
- checker.walk_all()
+ try:
+ checker.walk_all()
+ except ScriptOutputError as e:
+ results.error(e.script_name, e.idx,
+ '"{}" should be listed as "<suite_name>;<description>"',
+ e.line)
if (results.warnings or results.errors) and not options.quiet:
sys.stderr.write('{}: {} errors, {} warnings\n'
.format(sys.argv[0], results.errors, results.warnings))
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index e925641..fa17e13 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -1,21 +1,7 @@
#!/usr/bin/env python3
-# Copyright (c) 2022, Arm Limited, All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# This file is part of Mbed TLS (https://tls.mbed.org)
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
Test Mbed TLS with a subset of algorithms.
@@ -213,7 +199,10 @@ and subsequent commands are tests that cannot run if the build failed).'''
success = True
for command in self.commands:
log_command(command)
- ret = subprocess.call(command)
+ env = os.environ.copy()
+ if 'MBEDTLS_TEST_CONFIGURATION' in env:
+ env['MBEDTLS_TEST_CONFIGURATION'] += '-' + self.name
+ ret = subprocess.call(command, env=env)
if ret != 0:
if command[0] not in ['make', options.make_command]:
log_line('*** [{}] Error {}'.format(' '.join(command), ret))
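Review bot: `env` is rebuilt with `os.environ.copy()` on every pass of the `for command in self.commands` loop, although its content depends only on `self.name` and not on the command. Building it once before the loop says the same thing more directly. A one-line comment would also help, e.g. `# Tag outcome-file entries with this job's name so results from different configurations stay distinguishable`, to be confirmed against how `MBEDTLS_TEST_CONFIGURATION` is consumed. The enclosing method starts and ends outside the hunk.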
@@ -262,16 +251,16 @@ REVERSE_DEPENDENCIES = {
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
- 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_LMS_C',
'MBEDTLS_LMS_PRIVATE'],
'MBEDTLS_SHA512_C': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'],
'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
- 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'],
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
'MBEDTLS_X509_RSASSA_PSS_SUPPORT': []
}
@@ -380,7 +369,11 @@ class CipherInfo: # pylint: disable=too-few-public-methods
"""Collect data about cipher.h."""
def __init__(self):
self.base_symbols = set()
- with open('include/mbedtls/cipher.h', encoding="utf-8") as fh:
+ if os.path.isdir('tf-psa-crypto'):
+ cipher_h_path = 'tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h'
+ else:
+ cipher_h_path = 'include/mbedtls/cipher.h'
+ with open(cipher_h_path, encoding="utf-8") as fh:
for line in fh:
m = re.match(r' *MBEDTLS_CIPHER_ID_(\w+),', line)
if m and m.group(1) not in ['NONE', 'NULL', '3DES']:
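Review bot: The new branch in `CipherInfo.__init__` chooses the header path from `os.path.isdir('tf-psa-crypto')`, which only shows that the directory exists. If the directory is present but not populated (for example an uninitialised submodule checkout, if that is how it is provided), `open()` fails on the new path even though `include/mbedtls/cipher.h` may still be there. Probing for the file itself avoids that: set `cipher_h_path = 'tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h'`, then `if not os.path.isfile(cipher_h_path): cipher_h_path = 'include/mbedtls/cipher.h'`. Both paths remain relative to the current working directory, as in the old code. The loop body continues outside the hunk.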
@@ -395,7 +388,7 @@ class DomainData:
def __init__(self, options, conf):
"""Gather data about the library and establish a list of domains to test."""
- build_command = [options.make_command, 'CFLAGS=-Werror']
+ build_command = [options.make_command, 'CFLAGS=-Werror -O2']
build_and_test = [build_command, [options.make_command, 'test']]
self.all_config_symbols = set(conf.settings.keys())
# Find hash modules by name.
diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh
index 3dbc41d..cfc98df 100755
--- a/tests/scripts/docker_env.sh
+++ b/tests/scripts/docker_env.sh
@@ -27,19 +27,7 @@
# the Docker image.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
# default values, can be overridden by the environment
diff --git a/tests/scripts/doxygen.sh b/tests/scripts/doxygen.sh
index cb87829..b6a1d45 100755
--- a/tests/scripts/doxygen.sh
+++ b/tests/scripts/doxygen.sh
@@ -3,19 +3,7 @@
# Make sure the doxygen documentation builds without warnings
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
# Abort on errors (and uninitialised variables)
set -eu
diff --git a/tests/scripts/gen_ctr_drbg.pl b/tests/scripts/gen_ctr_drbg.pl
index 2345b9e..ec5e5d8 100755
--- a/tests/scripts/gen_ctr_drbg.pl
+++ b/tests/scripts/gen_ctr_drbg.pl
@@ -5,19 +5,7 @@
# and concats nonce and personalization for initialization.
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
diff --git a/tests/scripts/gen_gcm_decrypt.pl b/tests/scripts/gen_gcm_decrypt.pl
index 354e351..30d45c3 100755
--- a/tests/scripts/gen_gcm_decrypt.pl
+++ b/tests/scripts/gen_gcm_decrypt.pl
@@ -4,19 +4,7 @@
# Only first 3 of every set used for compile time saving
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
diff --git a/tests/scripts/gen_gcm_encrypt.pl b/tests/scripts/gen_gcm_encrypt.pl
index 101456f..b4f0849 100755
--- a/tests/scripts/gen_gcm_encrypt.pl
+++ b/tests/scripts/gen_gcm_encrypt.pl
@@ -4,19 +4,7 @@
# Only first 3 of every set used for compile time saving
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
diff --git a/tests/scripts/gen_pkcs1_v21_sign_verify.pl b/tests/scripts/gen_pkcs1_v21_sign_verify.pl
index 609e558..fe2d3f5 100755
--- a/tests/scripts/gen_pkcs1_v21_sign_verify.pl
+++ b/tests/scripts/gen_pkcs1_v21_sign_verify.pl
@@ -1,19 +1,7 @@
#!/usr/bin/env perl
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use strict;
diff --git a/tests/scripts/generate-afl-tests.sh b/tests/scripts/generate-afl-tests.sh
index a51fbc9..d4ef0f3 100755
--- a/tests/scripts/generate-afl-tests.sh
+++ b/tests/scripts/generate-afl-tests.sh
@@ -9,19 +9,7 @@
# such as 'test_suite_rsa.data'
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
# Abort on errors
set -e
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
deleted file mode 100755
index 6ee6ab3..0000000
--- a/tests/scripts/generate_bignum_tests.py
+++ /dev/null
@@ -1,199 +0,0 @@
-#!/usr/bin/env python3
-"""Generate test data for bignum functions.
-
-With no arguments, generate all test data. With non-option arguments,
-generate only the specified files.
-
-Class structure:
-
-Child classes of test_data_generation.BaseTarget (file targets) represent an output
-file. These indicate where test cases will be written to, for all subclasses of
-this target. Multiple file targets should not reuse a `target_basename`.
-
-Each subclass derived from a file target can either be:
- - A concrete class, representing a test function, which generates test cases.
- - An abstract class containing shared methods and attributes, not associated
- with a test function. An example is BignumOperation, which provides
- common features used for bignum binary operations.
-
-Both concrete and abstract subclasses can be derived from, to implement
-additional test cases (see BignumCmp and BignumCmpAbs for examples of deriving
-from abstract and concrete classes).
-
-
-Adding test case generation for a function:
-
-A subclass representing the test function should be added, deriving from a
-file target such as BignumTarget. This test class must set/implement the
-following:
- - test_function: the function name from the associated .function file.
- - test_name: a descriptive name or brief summary to refer to the test
- function.
- - arguments(): a method to generate the list of arguments required for the
- test_function.
- - generate_function_tests(): a method to generate TestCases for the function.
- This should create instances of the class with required input data, and
- call `.create_test_case()` to yield the TestCase.
-
-Additional details and other attributes/methods are given in the documentation
-of BaseTarget in test_data_generation.py.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import sys
-
-from abc import ABCMeta
-from typing import List
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import test_data_generation
-from mbedtls_dev import bignum_common
-# Import modules containing additional test classes
-# Test function classes in these modules will be registered by
-# the framework
-from mbedtls_dev import bignum_core, bignum_mod_raw, bignum_mod # pylint: disable=unused-import
-
-class BignumTarget(test_data_generation.BaseTarget):
- #pylint: disable=too-few-public-methods
- """Target for bignum (legacy) test case generation."""
- target_basename = 'test_suite_bignum.generated'
-
-
-class BignumOperation(bignum_common.OperationCommon, BignumTarget,
- metaclass=ABCMeta):
- #pylint: disable=abstract-method
- """Common features for bignum operations in legacy tests."""
- unique_combinations_only = True
- input_values = [
- "", "0", "-", "-0",
- "7b", "-7b",
- "0000000000000000123", "-0000000000000000123",
- "1230000000000000000", "-1230000000000000000"
- ]
-
- def description_suffix(self) -> str:
- #pylint: disable=no-self-use # derived classes need self
- """Text to add at the end of the test case description."""
- return ""
-
- def description(self) -> str:
- """Generate a description for the test case.
-
- If not set, case_description uses the form A `symbol` B, where symbol
- is used to represent the operation. Descriptions of each value are
- generated to provide some context to the test case.
- """
- if not self.case_description:
- self.case_description = "{} {} {}".format(
- self.value_description(self.arg_a),
- self.symbol,
- self.value_description(self.arg_b)
- )
- description_suffix = self.description_suffix()
- if description_suffix:
- self.case_description += " " + description_suffix
- return super().description()
-
- @staticmethod
- def value_description(val) -> str:
- """Generate a description of the argument val.
-
- This produces a simple description of the value, which is used in test
- case naming to add context.
- """
- if val == "":
- return "0 (null)"
- if val == "-":
- return "negative 0 (null)"
- if val == "0":
- return "0 (1 limb)"
-
- if val[0] == "-":
- tmp = "negative"
- val = val[1:]
- else:
- tmp = "positive"
- if val[0] == "0":
- tmp += " with leading zero limb"
- elif len(val) > 10:
- tmp = "large " + tmp
- return tmp
-
-
-class BignumCmp(BignumOperation):
- """Test cases for bignum value comparison."""
- count = 0
- test_function = "mpi_cmp_mpi"
- test_name = "MPI compare"
- input_cases = [
- ("-2", "-3"),
- ("-2", "-2"),
- ("2b4", "2b5"),
- ("2b5", "2b6")
- ]
-
- def __init__(self, val_a, val_b) -> None:
- super().__init__(val_a, val_b)
- self._result = int(self.int_a > self.int_b) - int(self.int_a < self.int_b)
- self.symbol = ["<", "==", ">"][self._result + 1]
-
- def result(self) -> List[str]:
- return [str(self._result)]
-
-
-class BignumCmpAbs(BignumCmp):
- """Test cases for absolute bignum value comparison."""
- count = 0
- test_function = "mpi_cmp_abs"
- test_name = "MPI compare (abs)"
-
- def __init__(self, val_a, val_b) -> None:
- super().__init__(val_a.strip("-"), val_b.strip("-"))
-
-
-class BignumAdd(BignumOperation):
- """Test cases for bignum value addition."""
- count = 0
- symbol = "+"
- test_function = "mpi_add_mpi"
- test_name = "MPI add"
- input_cases = bignum_common.combination_pairs(
- [
- "1c67967269c6", "9cde3",
- "-1c67967269c6", "-9cde3",
- ]
- )
-
- def __init__(self, val_a: str, val_b: str) -> None:
- super().__init__(val_a, val_b)
- self._result = self.int_a + self.int_b
-
- def description_suffix(self) -> str:
- if (self.int_a >= 0 and self.int_b >= 0):
- return "" # obviously positive result or 0
- if (self.int_a <= 0 and self.int_b <= 0):
- return "" # obviously negative result or 0
- # The sign of the result is not obvious, so indicate it
- return ", result{}0".format('>' if self._result > 0 else
- '<' if self._result < 0 else '=')
-
- def result(self) -> List[str]:
- return [bignum_common.quote_str("{:x}".format(self._result))]
-
-if __name__ == '__main__':
- # Use the section of the docstring relevant to the CLI as description
- test_data_generation.main(sys.argv[1:], "\n".join(__doc__.splitlines()[:4]))
diff --git a/tests/scripts/generate_ecp_tests.py b/tests/scripts/generate_ecp_tests.py
deleted file mode 100755
index abbfda5..0000000
--- a/tests/scripts/generate_ecp_tests.py
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env python3
-"""Generate test data for ecp functions.
-
-The command line usage, class structure and available methods are the same
-as in generate_bignum_tests.py.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import sys
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import test_data_generation
-# Import modules containing additional test classes
-# Test function classes in these modules will be registered by
-# the framework
-from mbedtls_dev import ecp # pylint: disable=unused-import
-
-if __name__ == '__main__':
- # Use the section of the docstring relevant to the CLI as description
- test_data_generation.main(sys.argv[1:], "\n".join(__doc__.splitlines()[:4]))
diff --git a/tests/scripts/generate_pkcs7_tests.py b/tests/scripts/generate_pkcs7_tests.py
deleted file mode 100755
index 0e73850..0000000
--- a/tests/scripts/generate_pkcs7_tests.py
+++ /dev/null
@@ -1,195 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-"""
-Make fuzz like testing for pkcs7 tests
-Given a valid DER pkcs7 file add tests to the test_suite_pkcs7.data file
- - It is expected that the pkcs7_asn1_fail( data_t *pkcs7_buf )
- function is defined in test_suite_pkcs7.function
- - This is not meant to be portable code, if anything it is meant to serve as
- documentation for showing how those ugly tests in test_suite_pkcs7.data were created
-"""
-
-
-import sys
-from os.path import exists
-
-PKCS7_TEST_FILE = "../suites/test_suite_pkcs7.data"
-
-class Test: # pylint: disable=too-few-public-methods
- """
- A instance of a test in test_suite_pkcs7.data
- """
- def __init__(self, name, depends, func_call):
- self.name = name
- self.depends = depends
- self.func_call = func_call
-
- # pylint: disable=no-self-use
- def to_string(self):
- return "\n" + self.name + "\n" + self.depends + "\n" + self.func_call + "\n"
-
-class TestData:
- """
- Take in test_suite_pkcs7.data file.
- Allow for new tests to be added.
- """
- mandatory_dep = "MBEDTLS_MD_CAN_SHA256"
- test_name = "PKCS7 Parse Failure Invalid ASN1"
- test_function = "pkcs7_asn1_fail:"
- def __init__(self, file_name):
- self.file_name = file_name
- self.last_test_num, self.old_tests = self.read_test_file(file_name)
- self.new_tests = []
-
- # pylint: disable=no-self-use
- def read_test_file(self, file):
- """
- Parse the test_suite_pkcs7.data file.
- """
- tests = []
- if not exists(file):
- print(file + " Does not exist")
- sys.exit()
- with open(file, "r", encoding='UTF-8') as fp:
- data = fp.read()
- lines = [line.strip() for line in data.split('\n') if len(line.strip()) > 1]
- i = 0
- while i < len(lines):
- if "depends" in lines[i+1]:
- tests.append(Test(lines[i], lines[i+1], lines[i+2]))
- i += 3
- else:
- tests.append(Test(lines[i], None, lines[i+1]))
- i += 2
- latest_test_num = float(tests[-1].name.split('#')[1])
- return latest_test_num, tests
-
- def add(self, name, func_call):
- self.last_test_num += 1
- self.new_tests.append(Test(self.test_name + ": " + name + " #" + \
- str(self.last_test_num), "depends_on:" + self.mandatory_dep, \
- self.test_function + '"' + func_call + '"'))
-
- def write_changes(self):
- with open(self.file_name, 'a', encoding='UTF-8') as fw:
- fw.write("\n")
- for t in self.new_tests:
- fw.write(t.to_string())
-
-
-def asn1_mutate(data):
- """
- We have been given an asn1 structure representing a pkcs7.
- We want to return an array of slightly modified versions of this data
- they should be modified in a way which makes the structure invalid
-
- We know that asn1 structures are:
- |---1 byte showing data type---|----byte(s) for length of data---|---data content--|
- We know that some data types can contain other data types.
- Return a dictionary of reasons and mutated data types.
- """
-
- # off the bat just add bytes to start and end of the buffer
- mutations = []
- reasons = []
- mutations.append(["00"] + data)
- reasons.append("Add null byte to start")
- mutations.append(data + ["00"])
- reasons.append("Add null byte to end")
- # for every asn1 entry we should attempt to:
- # - change the data type tag
- # - make the length longer than actual
- # - make the length shorter than actual
- i = 0
- while i < len(data):
- tag_i = i
- leng_i = tag_i + 1
- data_i = leng_i + 1 + (int(data[leng_i][1], 16) if data[leng_i][0] == '8' else 0)
- if data[leng_i][0] == '8':
- length = int(''.join(data[leng_i + 1: data_i]), 16)
- else:
- length = int(data[leng_i], 16)
-
- tag = data[tag_i]
- print("Looking at ans1: offset " + str(i) + " tag = " + tag + \
- ", length = " + str(length)+ ":")
- print(''.join(data[data_i:data_i+length]))
- # change tag to something else
- if tag == "02":
- # turn integers into octet strings
- new_tag = "04"
- else:
- # turn everything else into an integer
- new_tag = "02"
- mutations.append(data[:tag_i] + [new_tag] + data[leng_i:])
- reasons.append("Change tag " + tag + " to " + new_tag)
-
- # change lengths to too big
- # skip any edge cases which would cause carry over
- if int(data[data_i - 1], 16) < 255:
- new_length = str(hex(int(data[data_i - 1], 16) + 1))[2:]
- if len(new_length) == 1:
- new_length = "0"+new_length
- mutations.append(data[:data_i -1] + [new_length] + data[data_i:])
- reasons.append("Change length from " + str(length) + " to " \
- + str(length + 1))
- # we can add another test here for tags that contain other tags \
- # where they have more data than there containing tags account for
- if tag in ["30", "a0", "31"]:
- mutations.append(data[:data_i -1] + [new_length] + \
- data[data_i:data_i + length] + ["00"] + \
- data[data_i + length:])
- reasons.append("Change contents of tag " + tag + " to contain \
- one unaccounted extra byte")
- # change lengths to too small
- if int(data[data_i - 1], 16) > 0:
- new_length = str(hex(int(data[data_i - 1], 16) - 1))[2:]
- if len(new_length) == 1:
- new_length = "0"+new_length
- mutations.append(data[:data_i -1] + [new_length] + data[data_i:])
- reasons.append("Change length from " + str(length) + " to " + str(length - 1))
-
- # some tag types contain other tag types so we should iterate into the data
- if tag in ["30", "a0", "31"]:
- i = data_i
- else:
- i = data_i + length
-
- return list(zip(reasons, mutations))
-
-if __name__ == "__main__":
- if len(sys.argv) < 2:
- print("USAGE: " + sys.argv[0] + " <pkcs7_der_file>")
- sys.exit()
-
- DATA_FILE = sys.argv[1]
- TEST_DATA = TestData(PKCS7_TEST_FILE)
- with open(DATA_FILE, 'rb') as f:
- DATA_STR = f.read().hex()
- # make data an array of byte strings eg ['de','ad','be','ef']
- HEX_DATA = list(map(''.join, [[DATA_STR[i], DATA_STR[i+1]] for i in range(0, len(DATA_STR), \
- 2)]))
- # returns tuples of test_names and modified data buffers
- MUT_ARR = asn1_mutate(HEX_DATA)
-
- print("made " + str(len(MUT_ARR)) + " new tests")
- for new_test in MUT_ARR:
- TEST_DATA.add(new_test[0], ''.join(new_test[1]))
-
- TEST_DATA.write_changes()
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
deleted file mode 100755
index b6f83c1..0000000
--- a/tests/scripts/generate_psa_tests.py
+++ /dev/null
@@ -1,862 +0,0 @@
-#!/usr/bin/env python3
-"""Generate test data for PSA cryptographic mechanisms.
-
-With no arguments, generate all test data. With non-option arguments,
-generate only the specified files.
-"""
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import enum
-import re
-import sys
-from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import crypto_data_tests
-from mbedtls_dev import crypto_knowledge
-from mbedtls_dev import macro_collector #pylint: disable=unused-import
-from mbedtls_dev import psa_information
-from mbedtls_dev import psa_storage
-from mbedtls_dev import test_case
-from mbedtls_dev import test_data_generation
-
-
-
-def test_case_for_key_type_not_supported(
- verb: str, key_type: str, bits: int,
- dependencies: List[str],
- *args: str,
- param_descr: str = ''
-) -> test_case.TestCase:
- """Return one test case exercising a key creation method
- for an unsupported key type or size.
- """
- psa_information.hack_dependencies_not_implemented(dependencies)
- tc = test_case.TestCase()
- short_key_type = crypto_knowledge.short_expression(key_type)
- adverb = 'not' if dependencies else 'never'
- if param_descr:
- adverb = param_descr + ' ' + adverb
- tc.set_description('PSA {} {} {}-bit {} supported'
- .format(verb, short_key_type, bits, adverb))
- tc.set_dependencies(dependencies)
- tc.set_function(verb + '_not_supported')
- tc.set_arguments([key_type] + list(args))
- return tc
-
-class KeyTypeNotSupported:
- """Generate test cases for when a key type is not supported."""
-
- def __init__(self, info: psa_information.Information) -> None:
- self.constructors = info.constructors
-
- ALWAYS_SUPPORTED = frozenset([
- 'PSA_KEY_TYPE_DERIVE',
- 'PSA_KEY_TYPE_PASSWORD',
- 'PSA_KEY_TYPE_PASSWORD_HASH',
- 'PSA_KEY_TYPE_RAW_DATA',
- 'PSA_KEY_TYPE_HMAC'
- ])
- def test_cases_for_key_type_not_supported(
- self,
- kt: crypto_knowledge.KeyType,
- param: Optional[int] = None,
- param_descr: str = '',
- ) -> Iterator[test_case.TestCase]:
- """Return test cases exercising key creation when the given type is unsupported.
-
- If param is present and not None, emit test cases conditioned on this
- parameter not being supported. If it is absent or None, emit test cases
- conditioned on the base type not being supported.
- """
- if kt.name in self.ALWAYS_SUPPORTED:
- # Don't generate test cases for key types that are always supported.
- # They would be skipped in all configurations, which is noise.
- return
- import_dependencies = [('!' if param is None else '') +
- psa_information.psa_want_symbol(kt.name)]
- if kt.params is not None:
- import_dependencies += [('!' if param == i else '') +
- psa_information.psa_want_symbol(sym)
- for i, sym in enumerate(kt.params)]
- if kt.name.endswith('_PUBLIC_KEY'):
- generate_dependencies = []
- else:
- generate_dependencies = \
- psa_information.fix_key_pair_dependencies(import_dependencies, 'GENERATE')
- import_dependencies = \
- psa_information.fix_key_pair_dependencies(import_dependencies, 'BASIC')
- for bits in kt.sizes_to_test():
- yield test_case_for_key_type_not_supported(
- 'import', kt.expression, bits,
- psa_information.finish_family_dependencies(import_dependencies, bits),
- test_case.hex_string(kt.key_material(bits)),
- param_descr=param_descr,
- )
- if not generate_dependencies and param is not None:
- # If generation is impossible for this key type, rather than
- # supported or not depending on implementation capabilities,
- # only generate the test case once.
- continue
- # For public key we expect that key generation fails with
- # INVALID_ARGUMENT. It is handled by KeyGenerate class.
- if not kt.is_public():
- yield test_case_for_key_type_not_supported(
- 'generate', kt.expression, bits,
- psa_information.finish_family_dependencies(generate_dependencies, bits),
- str(bits),
- param_descr=param_descr,
- )
- # To be added: derive
-
- ECC_KEY_TYPES = ('PSA_KEY_TYPE_ECC_KEY_PAIR',
- 'PSA_KEY_TYPE_ECC_PUBLIC_KEY')
- DH_KEY_TYPES = ('PSA_KEY_TYPE_DH_KEY_PAIR',
- 'PSA_KEY_TYPE_DH_PUBLIC_KEY')
-
- def test_cases_for_not_supported(self) -> Iterator[test_case.TestCase]:
- """Generate test cases that exercise the creation of keys of unsupported types."""
- for key_type in sorted(self.constructors.key_types):
- if key_type in self.ECC_KEY_TYPES:
- continue
- if key_type in self.DH_KEY_TYPES:
- continue
- kt = crypto_knowledge.KeyType(key_type)
- yield from self.test_cases_for_key_type_not_supported(kt)
- for curve_family in sorted(self.constructors.ecc_curves):
- for constr in self.ECC_KEY_TYPES:
- kt = crypto_knowledge.KeyType(constr, [curve_family])
- yield from self.test_cases_for_key_type_not_supported(
- kt, param_descr='type')
- yield from self.test_cases_for_key_type_not_supported(
- kt, 0, param_descr='curve')
- for dh_family in sorted(self.constructors.dh_groups):
- for constr in self.DH_KEY_TYPES:
- kt = crypto_knowledge.KeyType(constr, [dh_family])
- yield from self.test_cases_for_key_type_not_supported(
- kt, param_descr='type')
- yield from self.test_cases_for_key_type_not_supported(
- kt, 0, param_descr='group')
-
-def test_case_for_key_generation(
- key_type: str, bits: int,
- dependencies: List[str],
- *args: str,
- result: str = ''
-) -> test_case.TestCase:
- """Return one test case exercising a key generation.
- """
- psa_information.hack_dependencies_not_implemented(dependencies)
- tc = test_case.TestCase()
- short_key_type = crypto_knowledge.short_expression(key_type)
- tc.set_description('PSA {} {}-bit'
- .format(short_key_type, bits))
- tc.set_dependencies(dependencies)
- tc.set_function('generate_key')
- tc.set_arguments([key_type] + list(args) + [result])
-
- return tc
-
-class KeyGenerate:
- """Generate positive and negative (invalid argument) test cases for key generation."""
-
- def __init__(self, info: psa_information.Information) -> None:
- self.constructors = info.constructors
-
- ECC_KEY_TYPES = ('PSA_KEY_TYPE_ECC_KEY_PAIR',
- 'PSA_KEY_TYPE_ECC_PUBLIC_KEY')
- DH_KEY_TYPES = ('PSA_KEY_TYPE_DH_KEY_PAIR',
- 'PSA_KEY_TYPE_DH_PUBLIC_KEY')
-
- @staticmethod
- def test_cases_for_key_type_key_generation(
- kt: crypto_knowledge.KeyType
- ) -> Iterator[test_case.TestCase]:
- """Return test cases exercising key generation.
-
- All key types can be generated except for public keys. For public key
- PSA_ERROR_INVALID_ARGUMENT status is expected.
- """
- result = 'PSA_SUCCESS'
-
- import_dependencies = [psa_information.psa_want_symbol(kt.name)]
- if kt.params is not None:
- import_dependencies += [psa_information.psa_want_symbol(sym)
- for i, sym in enumerate(kt.params)]
- if kt.name.endswith('_PUBLIC_KEY'):
- # The library checks whether the key type is a public key generically,
- # before it reaches a point where it needs support for the specific key
- # type, so it returns INVALID_ARGUMENT for unsupported public key types.
- generate_dependencies = []
- result = 'PSA_ERROR_INVALID_ARGUMENT'
- else:
- generate_dependencies = \
- psa_information.fix_key_pair_dependencies(import_dependencies, 'GENERATE')
- for bits in kt.sizes_to_test():
- if kt.name == 'PSA_KEY_TYPE_RSA_KEY_PAIR':
- size_dependency = "PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= " + str(bits)
- test_dependencies = generate_dependencies + [size_dependency]
- else:
- test_dependencies = generate_dependencies
- yield test_case_for_key_generation(
- kt.expression, bits,
- psa_information.finish_family_dependencies(test_dependencies, bits),
- str(bits),
- result
- )
-
- def test_cases_for_key_generation(self) -> Iterator[test_case.TestCase]:
- """Generate test cases that exercise the generation of keys."""
- for key_type in sorted(self.constructors.key_types):
- if key_type in self.ECC_KEY_TYPES:
- continue
- if key_type in self.DH_KEY_TYPES:
- continue
- kt = crypto_knowledge.KeyType(key_type)
- yield from self.test_cases_for_key_type_key_generation(kt)
- for curve_family in sorted(self.constructors.ecc_curves):
- for constr in self.ECC_KEY_TYPES:
- kt = crypto_knowledge.KeyType(constr, [curve_family])
- yield from self.test_cases_for_key_type_key_generation(kt)
- for dh_family in sorted(self.constructors.dh_groups):
- for constr in self.DH_KEY_TYPES:
- kt = crypto_knowledge.KeyType(constr, [dh_family])
- yield from self.test_cases_for_key_type_key_generation(kt)
-
-class OpFail:
- """Generate test cases for operations that must fail."""
- #pylint: disable=too-few-public-methods
-
- class Reason(enum.Enum):
- NOT_SUPPORTED = 0
- INVALID = 1
- INCOMPATIBLE = 2
- PUBLIC = 3
-
- def __init__(self, info: psa_information.Information) -> None:
- self.constructors = info.constructors
- key_type_expressions = self.constructors.generate_expressions(
- sorted(self.constructors.key_types)
- )
- self.key_types = [crypto_knowledge.KeyType(kt_expr)
- for kt_expr in key_type_expressions]
-
- def make_test_case(
- self,
- alg: crypto_knowledge.Algorithm,
- category: crypto_knowledge.AlgorithmCategory,
- reason: 'Reason',
- kt: Optional[crypto_knowledge.KeyType] = None,
- not_deps: FrozenSet[str] = frozenset(),
- ) -> test_case.TestCase:
- """Construct a failure test case for a one-key or keyless operation."""
- #pylint: disable=too-many-arguments,too-many-locals
- tc = test_case.TestCase()
- pretty_alg = alg.short_expression()
- if reason == self.Reason.NOT_SUPPORTED:
- short_deps = [re.sub(r'PSA_WANT_ALG_', r'', dep)
- for dep in not_deps]
- pretty_reason = '!' + '&'.join(sorted(short_deps))
- else:
- pretty_reason = reason.name.lower()
- if kt:
- key_type = kt.expression
- pretty_type = kt.short_expression()
- else:
- key_type = ''
- pretty_type = ''
- tc.set_description('PSA {} {}: {}{}'
- .format(category.name.lower(),
- pretty_alg,
- pretty_reason,
- ' with ' + pretty_type if pretty_type else ''))
- dependencies = psa_information.automatic_dependencies(alg.base_expression, key_type)
- dependencies = psa_information.fix_key_pair_dependencies(dependencies, 'BASIC')
- for i, dep in enumerate(dependencies):
- if dep in not_deps:
- dependencies[i] = '!' + dep
- tc.set_dependencies(dependencies)
- tc.set_function(category.name.lower() + '_fail')
- arguments = [] # type: List[str]
- if kt:
- key_material = kt.key_material(kt.sizes_to_test()[0])
- arguments += [key_type, test_case.hex_string(key_material)]
- arguments.append(alg.expression)
- if category.is_asymmetric():
- arguments.append('1' if reason == self.Reason.PUBLIC else '0')
- error = ('NOT_SUPPORTED' if reason == self.Reason.NOT_SUPPORTED else
- 'INVALID_ARGUMENT')
- arguments.append('PSA_ERROR_' + error)
- tc.set_arguments(arguments)
- return tc
-
- def no_key_test_cases(
- self,
- alg: crypto_knowledge.Algorithm,
- category: crypto_knowledge.AlgorithmCategory,
- ) -> Iterator[test_case.TestCase]:
- """Generate failure test cases for keyless operations with the specified algorithm."""
- if alg.can_do(category):
- # Compatible operation, unsupported algorithm
- for dep in psa_information.automatic_dependencies(alg.base_expression):
- yield self.make_test_case(alg, category,
- self.Reason.NOT_SUPPORTED,
- not_deps=frozenset([dep]))
- else:
- # Incompatible operation, supported algorithm
- yield self.make_test_case(alg, category, self.Reason.INVALID)
-
- def one_key_test_cases(
- self,
- alg: crypto_knowledge.Algorithm,
- category: crypto_knowledge.AlgorithmCategory,
- ) -> Iterator[test_case.TestCase]:
- """Generate failure test cases for one-key operations with the specified algorithm."""
- for kt in self.key_types:
- key_is_compatible = kt.can_do(alg)
- if key_is_compatible and alg.can_do(category):
- # Compatible key and operation, unsupported algorithm
- for dep in psa_information.automatic_dependencies(alg.base_expression):
- yield self.make_test_case(alg, category,
- self.Reason.NOT_SUPPORTED,
- kt=kt, not_deps=frozenset([dep]))
- # Public key for a private-key operation
- if category.is_asymmetric() and kt.is_public():
- yield self.make_test_case(alg, category,
- self.Reason.PUBLIC,
- kt=kt)
- elif key_is_compatible:
- # Compatible key, incompatible operation, supported algorithm
- yield self.make_test_case(alg, category,
- self.Reason.INVALID,
- kt=kt)
- elif alg.can_do(category):
- # Incompatible key, compatible operation, supported algorithm
- yield self.make_test_case(alg, category,
- self.Reason.INCOMPATIBLE,
- kt=kt)
- else:
- # Incompatible key and operation. Don't test cases where
- # multiple things are wrong, to keep the number of test
- # cases reasonable.
- pass
-
- def test_cases_for_algorithm(
- self,
- alg: crypto_knowledge.Algorithm,
- ) -> Iterator[test_case.TestCase]:
- """Generate operation failure test cases for the specified algorithm."""
- for category in crypto_knowledge.AlgorithmCategory:
- if category == crypto_knowledge.AlgorithmCategory.PAKE:
- # PAKE operations are not implemented yet
- pass
- elif category.requires_key():
- yield from self.one_key_test_cases(alg, category)
- else:
- yield from self.no_key_test_cases(alg, category)
-
- def all_test_cases(self) -> Iterator[test_case.TestCase]:
- """Generate all test cases for operations that must fail."""
- algorithms = sorted(self.constructors.algorithms)
- for expr in self.constructors.generate_expressions(algorithms):
- alg = crypto_knowledge.Algorithm(expr)
- yield from self.test_cases_for_algorithm(alg)
-
-
-class StorageKey(psa_storage.Key):
- """Representation of a key for storage format testing."""
-
- IMPLICIT_USAGE_FLAGS = {
- 'PSA_KEY_USAGE_SIGN_HASH': 'PSA_KEY_USAGE_SIGN_MESSAGE',
- 'PSA_KEY_USAGE_VERIFY_HASH': 'PSA_KEY_USAGE_VERIFY_MESSAGE'
- } #type: Dict[str, str]
- """Mapping of usage flags to the flags that they imply."""
-
- def __init__(
- self,
- usage: Iterable[str],
- without_implicit_usage: Optional[bool] = False,
- **kwargs
- ) -> None:
- """Prepare to generate a key.
-
- * `usage` : The usage flags used for the key.
- * `without_implicit_usage`: Flag to define to apply the usage extension
- """
- usage_flags = set(usage)
- if not without_implicit_usage:
- for flag in sorted(usage_flags):
- if flag in self.IMPLICIT_USAGE_FLAGS:
- usage_flags.add(self.IMPLICIT_USAGE_FLAGS[flag])
- if usage_flags:
- usage_expression = ' | '.join(sorted(usage_flags))
- else:
- usage_expression = '0'
- super().__init__(usage=usage_expression, **kwargs)
-
-class StorageTestData(StorageKey):
- """Representation of test case data for storage format testing."""
-
- def __init__(
- self,
- description: str,
- expected_usage: Optional[List[str]] = None,
- **kwargs
- ) -> None:
- """Prepare to generate test data
-
- * `description` : used for the test case names
- * `expected_usage`: the usage flags generated as the expected usage flags
- in the test cases. CAn differ from the usage flags
- stored in the keys because of the usage flags extension.
- """
- super().__init__(**kwargs)
- self.description = description #type: str
- if expected_usage is None:
- self.expected_usage = self.usage #type: psa_storage.Expr
- elif expected_usage:
- self.expected_usage = psa_storage.Expr(' | '.join(expected_usage))
- else:
- self.expected_usage = psa_storage.Expr(0)
-
-class StorageFormat:
- """Storage format stability test cases."""
-
- def __init__(self, info: psa_information.Information, version: int, forward: bool) -> None:
- """Prepare to generate test cases for storage format stability.
-
- * `info`: information about the API. See the `Information` class.
- * `version`: the storage format version to generate test cases for.
- * `forward`: if true, generate forward compatibility test cases which
- save a key and check that its representation is as intended. Otherwise
- generate backward compatibility test cases which inject a key
- representation and check that it can be read and used.
- """
- self.constructors = info.constructors #type: macro_collector.PSAMacroEnumerator
- self.version = version #type: int
- self.forward = forward #type: bool
-
- RSA_OAEP_RE = re.compile(r'PSA_ALG_RSA_OAEP\((.*)\)\Z')
- BRAINPOOL_RE = re.compile(r'PSA_KEY_TYPE_\w+\(PSA_ECC_FAMILY_BRAINPOOL_\w+\)\Z')
- @classmethod
- def exercise_key_with_algorithm(
- cls,
- key_type: psa_storage.Expr, bits: int,
- alg: psa_storage.Expr
- ) -> bool:
- """Whether to exercise the given key with the given algorithm.
-
- Normally only the type and algorithm matter for compatibility, and
- this is handled in crypto_knowledge.KeyType.can_do(). This function
- exists to detect exceptional cases. Exceptional cases detected here
- are not tested in OpFail and should therefore have manually written
- test cases.
- """
- # Some test keys have the RAW_DATA type and attributes that don't
- # necessarily make sense. We do this to validate numerical
- # encodings of the attributes.
- # Raw data keys have no useful exercise anyway so there is no
- # loss of test coverage.
- if key_type.string == 'PSA_KEY_TYPE_RAW_DATA':
- return False
- # OAEP requires room for two hashes plus wrapping
- m = cls.RSA_OAEP_RE.match(alg.string)
- if m:
- hash_alg = m.group(1)
- hash_length = crypto_knowledge.Algorithm.hash_length(hash_alg)
- key_length = (bits + 7) // 8
- # Leave enough room for at least one byte of plaintext
- return key_length > 2 * hash_length + 2
- # There's nothing wrong with ECC keys on Brainpool curves,
- # but operations with them are very slow. So we only exercise them
- # with a single algorithm, not with all possible hashes. We do
- # exercise other curves with all algorithms so test coverage is
- # perfectly adequate like this.
- m = cls.BRAINPOOL_RE.match(key_type.string)
- if m and alg.string != 'PSA_ALG_ECDSA_ANY':
- return False
- return True
-
- def make_test_case(self, key: StorageTestData) -> test_case.TestCase:
- """Construct a storage format test case for the given key.
-
- If ``forward`` is true, generate a forward compatibility test case:
- create a key and validate that it has the expected representation.
- Otherwise generate a backward compatibility test case: inject the
- key representation into storage and validate that it can be read
- correctly.
- """
- verb = 'save' if self.forward else 'read'
- tc = test_case.TestCase()
- tc.set_description(verb + ' ' + key.description)
- dependencies = psa_information.automatic_dependencies(
- key.lifetime.string, key.type.string,
- key.alg.string, key.alg2.string,
- )
- dependencies = psa_information.finish_family_dependencies(dependencies, key.bits)
- dependencies += psa_information.generate_key_dependencies(key.description)
- dependencies = psa_information.fix_key_pair_dependencies(dependencies, 'BASIC')
- tc.set_dependencies(dependencies)
- tc.set_function('key_storage_' + verb)
- if self.forward:
- extra_arguments = []
- else:
- flags = []
- if self.exercise_key_with_algorithm(key.type, key.bits, key.alg):
- flags.append('TEST_FLAG_EXERCISE')
- if 'READ_ONLY' in key.lifetime.string:
- flags.append('TEST_FLAG_READ_ONLY')
- extra_arguments = [' | '.join(flags) if flags else '0']
- tc.set_arguments([key.lifetime.string,
- key.type.string, str(key.bits),
- key.expected_usage.string,
- key.alg.string, key.alg2.string,
- '"' + key.material.hex() + '"',
- '"' + key.hex() + '"',
- *extra_arguments])
- return tc
-
- def key_for_lifetime(
- self,
- lifetime: str,
- ) -> StorageTestData:
- """Construct a test key for the given lifetime."""
- short = lifetime
- short = re.sub(r'PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION',
- r'', short)
- short = crypto_knowledge.short_expression(short)
- description = 'lifetime: ' + short
- key = StorageTestData(version=self.version,
- id=1, lifetime=lifetime,
- type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- usage=['PSA_KEY_USAGE_EXPORT'], alg=0, alg2=0,
- material=b'L',
- description=description)
- return key
-
- def all_keys_for_lifetimes(self) -> Iterator[StorageTestData]:
- """Generate test keys covering lifetimes."""
- lifetimes = sorted(self.constructors.lifetimes)
- expressions = self.constructors.generate_expressions(lifetimes)
- for lifetime in expressions:
- # Don't attempt to create or load a volatile key in storage
- if 'VOLATILE' in lifetime:
- continue
- # Don't attempt to create a read-only key in storage,
- # but do attempt to load one.
- if 'READ_ONLY' in lifetime and self.forward:
- continue
- yield self.key_for_lifetime(lifetime)
-
- def key_for_usage_flags(
- self,
- usage_flags: List[str],
- short: Optional[str] = None,
- test_implicit_usage: Optional[bool] = True
- ) -> StorageTestData:
- """Construct a test key for the given key usage."""
- extra_desc = ' without implication' if test_implicit_usage else ''
- description = 'usage' + extra_desc + ': '
- key1 = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- expected_usage=usage_flags,
- without_implicit_usage=not test_implicit_usage,
- usage=usage_flags, alg=0, alg2=0,
- material=b'K',
- description=description)
- if short is None:
- usage_expr = key1.expected_usage.string
- key1.description += crypto_knowledge.short_expression(usage_expr)
- else:
- key1.description += short
- return key1
-
- def generate_keys_for_usage_flags(self, **kwargs) -> Iterator[StorageTestData]:
- """Generate test keys covering usage flags."""
- known_flags = sorted(self.constructors.key_usage_flags)
- yield self.key_for_usage_flags(['0'], **kwargs)
- for usage_flag in known_flags:
- yield self.key_for_usage_flags([usage_flag], **kwargs)
- for flag1, flag2 in zip(known_flags,
- known_flags[1:] + [known_flags[0]]):
- yield self.key_for_usage_flags([flag1, flag2], **kwargs)
-
- def generate_key_for_all_usage_flags(self) -> Iterator[StorageTestData]:
- known_flags = sorted(self.constructors.key_usage_flags)
- yield self.key_for_usage_flags(known_flags, short='all known')
-
- def all_keys_for_usage_flags(self) -> Iterator[StorageTestData]:
- yield from self.generate_keys_for_usage_flags()
- yield from self.generate_key_for_all_usage_flags()
-
- def key_for_type_and_alg(
- self,
- kt: crypto_knowledge.KeyType,
- bits: int,
- alg: Optional[crypto_knowledge.Algorithm] = None,
- ) -> StorageTestData:
- """Construct a test key of the given type.
-
- If alg is not None, this key allows it.
- """
- usage_flags = ['PSA_KEY_USAGE_EXPORT']
- alg1 = 0 #type: psa_storage.Exprable
- alg2 = 0
- if alg is not None:
- alg1 = alg.expression
- usage_flags += alg.usage_flags(public=kt.is_public())
- key_material = kt.key_material(bits)
- description = 'type: {} {}-bit'.format(kt.short_expression(1), bits)
- if alg is not None:
- description += ', ' + alg.short_expression(1)
- key = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type=kt.expression, bits=bits,
- usage=usage_flags, alg=alg1, alg2=alg2,
- material=key_material,
- description=description)
- return key
-
- def keys_for_type(
- self,
- key_type: str,
- all_algorithms: List[crypto_knowledge.Algorithm],
- ) -> Iterator[StorageTestData]:
- """Generate test keys for the given key type."""
- kt = crypto_knowledge.KeyType(key_type)
- for bits in kt.sizes_to_test():
- # Test a non-exercisable key, as well as exercisable keys for
- # each compatible algorithm.
- # To do: test reading a key from storage with an incompatible
- # or unsupported algorithm.
- yield self.key_for_type_and_alg(kt, bits)
- compatible_algorithms = [alg for alg in all_algorithms
- if kt.can_do(alg)]
- for alg in compatible_algorithms:
- yield self.key_for_type_and_alg(kt, bits, alg)
-
- def all_keys_for_types(self) -> Iterator[StorageTestData]:
- """Generate test keys covering key types and their representations."""
- key_types = sorted(self.constructors.key_types)
- all_algorithms = [crypto_knowledge.Algorithm(alg)
- for alg in self.constructors.generate_expressions(
- sorted(self.constructors.algorithms)
- )]
- for key_type in self.constructors.generate_expressions(key_types):
- yield from self.keys_for_type(key_type, all_algorithms)
-
- def keys_for_algorithm(self, alg: str) -> Iterator[StorageTestData]:
- """Generate test keys for the encoding of the specified algorithm."""
- # These test cases only validate the encoding of algorithms, not
- # whether the key read from storage is suitable for an operation.
- # `keys_for_types` generate read tests with an algorithm and a
- # compatible key.
- descr = crypto_knowledge.short_expression(alg, 1)
- usage = ['PSA_KEY_USAGE_EXPORT']
- key1 = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- usage=usage, alg=alg, alg2=0,
- material=b'K',
- description='alg: ' + descr)
- yield key1
- key2 = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type='PSA_KEY_TYPE_RAW_DATA', bits=8,
- usage=usage, alg=0, alg2=alg,
- material=b'L',
- description='alg2: ' + descr)
- yield key2
-
- def all_keys_for_algorithms(self) -> Iterator[StorageTestData]:
- """Generate test keys covering algorithm encodings."""
- algorithms = sorted(self.constructors.algorithms)
- for alg in self.constructors.generate_expressions(algorithms):
- yield from self.keys_for_algorithm(alg)
-
- def generate_all_keys(self) -> Iterator[StorageTestData]:
- """Generate all keys for the test cases."""
- yield from self.all_keys_for_lifetimes()
- yield from self.all_keys_for_usage_flags()
- yield from self.all_keys_for_types()
- yield from self.all_keys_for_algorithms()
-
- def all_test_cases(self) -> Iterator[test_case.TestCase]:
- """Generate all storage format test cases."""
- # First build a list of all keys, then construct all the corresponding
- # test cases. This allows all required information to be obtained in
- # one go, which is a significant performance gain as the information
- # includes numerical values obtained by compiling a C program.
- all_keys = list(self.generate_all_keys())
- for key in all_keys:
- if key.location_value() != 0:
- # Skip keys with a non-default location, because they
- # require a driver and we currently have no mechanism to
- # determine whether a driver is available.
- continue
- yield self.make_test_case(key)
-
-class StorageFormatForward(StorageFormat):
- """Storage format stability test cases for forward compatibility."""
-
- def __init__(self, info: psa_information.Information, version: int) -> None:
- super().__init__(info, version, True)
-
-class StorageFormatV0(StorageFormat):
- """Storage format stability test cases for version 0 compatibility."""
-
- def __init__(self, info: psa_information.Information) -> None:
- super().__init__(info, 0, False)
-
- def all_keys_for_usage_flags(self) -> Iterator[StorageTestData]:
- """Generate test keys covering usage flags."""
- yield from super().all_keys_for_usage_flags()
- yield from self.generate_keys_for_usage_flags(test_implicit_usage=False)
-
- def keys_for_implicit_usage(
- self,
- implyer_usage: str,
- alg: str,
- key_type: crypto_knowledge.KeyType
- ) -> StorageTestData:
- # pylint: disable=too-many-locals
- """Generate test keys for the specified implicit usage flag,
- algorithm and key type combination.
- """
- bits = key_type.sizes_to_test()[0]
- implicit_usage = StorageKey.IMPLICIT_USAGE_FLAGS[implyer_usage]
- usage_flags = ['PSA_KEY_USAGE_EXPORT']
- material_usage_flags = usage_flags + [implyer_usage]
- expected_usage_flags = material_usage_flags + [implicit_usage]
- alg2 = 0
- key_material = key_type.key_material(bits)
- usage_expression = crypto_knowledge.short_expression(implyer_usage, 1)
- alg_expression = crypto_knowledge.short_expression(alg, 1)
- key_type_expression = key_type.short_expression(1)
- description = 'implied by {}: {} {} {}-bit'.format(
- usage_expression, alg_expression, key_type_expression, bits)
- key = StorageTestData(version=self.version,
- id=1, lifetime=0x00000001,
- type=key_type.expression, bits=bits,
- usage=material_usage_flags,
- expected_usage=expected_usage_flags,
- without_implicit_usage=True,
- alg=alg, alg2=alg2,
- material=key_material,
- description=description)
- return key
-
- def gather_key_types_for_sign_alg(self) -> Dict[str, List[str]]:
- # pylint: disable=too-many-locals
- """Match possible key types for sign algorithms."""
- # To create a valid combination both the algorithms and key types
- # must be filtered. Pair them with keywords created from its names.
- incompatible_alg_keyword = frozenset(['RAW', 'ANY', 'PURE'])
- incompatible_key_type_keywords = frozenset(['MONTGOMERY'])
- keyword_translation = {
- 'ECDSA': 'ECC',
- 'ED[0-9]*.*' : 'EDWARDS'
- }
- exclusive_keywords = {
- 'EDWARDS': 'ECC'
- }
- key_types = set(self.constructors.generate_expressions(self.constructors.key_types))
- algorithms = set(self.constructors.generate_expressions(self.constructors.sign_algorithms))
- alg_with_keys = {} #type: Dict[str, List[str]]
- translation_table = str.maketrans('(', '_', ')')
- for alg in algorithms:
- # Generate keywords from the name of the algorithm
- alg_keywords = set(alg.partition('(')[0].split(sep='_')[2:])
- # Translate keywords for better matching with the key types
- for keyword in alg_keywords.copy():
- for pattern, replace in keyword_translation.items():
- if re.match(pattern, keyword):
- alg_keywords.remove(keyword)
- alg_keywords.add(replace)
- # Filter out incompatible algorithms
- if not alg_keywords.isdisjoint(incompatible_alg_keyword):
- continue
-
- for key_type in key_types:
- # Generate keywords from the of the key type
- key_type_keywords = set(key_type.translate(translation_table).split(sep='_')[3:])
-
- # Remove ambiguous keywords
- for keyword1, keyword2 in exclusive_keywords.items():
- if keyword1 in key_type_keywords:
- key_type_keywords.remove(keyword2)
-
- if key_type_keywords.isdisjoint(incompatible_key_type_keywords) and\
- not key_type_keywords.isdisjoint(alg_keywords):
- if alg in alg_with_keys:
- alg_with_keys[alg].append(key_type)
- else:
- alg_with_keys[alg] = [key_type]
- return alg_with_keys
-
- def all_keys_for_implicit_usage(self) -> Iterator[StorageTestData]:
- """Generate test keys for usage flag extensions."""
- # Generate a key type and algorithm pair for each extendable usage
- # flag to generate a valid key for exercising. The key is generated
- # without usage extension to check the extension compatibility.
- alg_with_keys = self.gather_key_types_for_sign_alg()
-
- for usage in sorted(StorageKey.IMPLICIT_USAGE_FLAGS, key=str):
- for alg in sorted(alg_with_keys):
- for key_type in sorted(alg_with_keys[alg]):
- # The key types must be filtered to fit the specific usage flag.
- kt = crypto_knowledge.KeyType(key_type)
- if kt.is_public() and '_SIGN_' in usage:
- # Can't sign with a public key
- continue
- yield self.keys_for_implicit_usage(usage, alg, kt)
-
- def generate_all_keys(self) -> Iterator[StorageTestData]:
- yield from super().generate_all_keys()
- yield from self.all_keys_for_implicit_usage()
-
-
-class PSATestGenerator(test_data_generation.TestGenerator):
- """Test generator subclass including PSA targets and info."""
- # Note that targets whose names contain 'test_format' have their content
- # validated by `abi_check.py`.
- targets = {
- 'test_suite_psa_crypto_generate_key.generated':
- lambda info: KeyGenerate(info).test_cases_for_key_generation(),
- 'test_suite_psa_crypto_not_supported.generated':
- lambda info: KeyTypeNotSupported(info).test_cases_for_not_supported(),
- 'test_suite_psa_crypto_low_hash.generated':
- lambda info: crypto_data_tests.HashPSALowLevel(info).all_test_cases(),
- 'test_suite_psa_crypto_op_fail.generated':
- lambda info: OpFail(info).all_test_cases(),
- 'test_suite_psa_crypto_storage_format.current':
- lambda info: StorageFormatForward(info, 0).all_test_cases(),
- 'test_suite_psa_crypto_storage_format.v0':
- lambda info: StorageFormatV0(info).all_test_cases(),
- } #type: Dict[str, Callable[[psa_information.Information], Iterable[test_case.TestCase]]]
-
- def __init__(self, options):
- super().__init__(options)
- self.info = psa_information.Information()
-
- def generate_target(self, name: str, *target_args) -> None:
- super().generate_target(name, self.info)
-
-
-if __name__ == '__main__':
- test_data_generation.main(sys.argv[1:], __doc__, PSATestGenerator)
diff --git a/tests/scripts/generate_server9_bad_saltlen.py b/tests/scripts/generate_server9_bad_saltlen.py
new file mode 100755
index 0000000..9af4dd3
--- /dev/null
+++ b/tests/scripts/generate_server9_bad_saltlen.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+"""Generate server9-bad-saltlen.crt
+
+Generate a certificate signed with RSA-PSS, with an incorrect salt length.
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import subprocess
+import argparse
+from asn1crypto import pem, x509, core #type: ignore #pylint: disable=import-error
+
+OPENSSL_RSA_PSS_CERT_COMMAND = r'''
+openssl x509 -req -CA {ca_name}.crt -CAkey {ca_name}.key -set_serial 24 {ca_password} \
+ {openssl_extfile} -days 3650 -outform DER -in {csr} \
+ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{anounce_saltlen} \
+ -sigopt rsa_mgf1_md:sha256
+'''
+SIG_OPT = \
+ r'-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{saltlen} -sigopt rsa_mgf1_md:sha256'
+OPENSSL_RSA_PSS_DGST_COMMAND = r'''openssl dgst -sign {ca_name}.key {ca_password} \
+ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{actual_saltlen} \
+ -sigopt rsa_mgf1_md:sha256'''
+
+
+def auto_int(x):
+ return int(x, 0)
+
+
+def build_argparser(parser):
+ """Build argument parser"""
+ parser.description = __doc__
+ parser.add_argument('--ca-name', type=str, required=True,
+ help='Basename of CA files')
+ parser.add_argument('--ca-password', type=str,
+ required=True, help='CA key file password')
+ parser.add_argument('--csr', type=str, required=True,
+ help='CSR file for generating certificate')
+ parser.add_argument('--openssl-extfile', type=str,
+ required=True, help='X905 v3 extension config file')
+ parser.add_argument('--anounce_saltlen', type=auto_int,
+ required=True, help='Announced salt length')
+ parser.add_argument('--actual_saltlen', type=auto_int,
+ required=True, help='Actual salt length')
+ parser.add_argument('--output', type=str, required=True)
+
+
+def main():
+ parser = argparse.ArgumentParser()
+ build_argparser(parser)
+ args = parser.parse_args()
+
+ return generate(**vars(args))
+
+def generate(**kwargs):
+ """Generate different salt length certificate file."""
+ ca_password = kwargs.get('ca_password', '')
+ if ca_password:
+ kwargs['ca_password'] = r'-passin "pass:{ca_password}"'.format(
+ **kwargs)
+ else:
+ kwargs['ca_password'] = ''
+ extfile = kwargs.get('openssl_extfile', '')
+ if extfile:
+ kwargs['openssl_extfile'] = '-extfile {openssl_extfile}'.format(
+ **kwargs)
+ else:
+ kwargs['openssl_extfile'] = ''
+
+ cmd = OPENSSL_RSA_PSS_CERT_COMMAND.format(**kwargs)
+ der_bytes = subprocess.check_output(cmd, shell=True)
+ target_certificate = x509.Certificate.load(der_bytes)
+
+ cmd = OPENSSL_RSA_PSS_DGST_COMMAND.format(**kwargs)
+ #pylint: disable=unexpected-keyword-arg
+ der_bytes = subprocess.check_output(cmd,
+ input=target_certificate['tbs_certificate'].dump(),
+ shell=True)
+
+ with open(kwargs.get('output'), 'wb') as f:
+ target_certificate['signature_value'] = core.OctetBitString(der_bytes)
+ f.write(pem.armor('CERTIFICATE', target_certificate.dump()))
+
+
+if __name__ == '__main__':
+ main()
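Review bot: Both `subprocess.check_output(cmd, shell=True)` calls in `generate()` run a command line built with `str.format` from `--ca-name`, `--ca-password`, `--csr` and `--openssl-extfile`. A value containing a space, a double quote or a shell metacharacter is therefore re-parsed by the shell instead of reaching openssl as one argument. The password is the most exposed case, because it is spliced into `-passin "pass:{ca_password}"` with no quoting of its own. Passing argument lists with the default `shell=False` removes the shell from the path and keeps the openssl options the same, as sketched below. Separately, `SIG_OPT` is defined but never used in this file and could be dropped.

```python
def generate(**kwargs):
    """Generate different salt length certificate file."""
    # Argument vectors rather than a formatted shell string, so no value
    # taken from the command line is re-parsed by a shell.
    passin = []
    if kwargs.get('ca_password'):
        passin = ['-passin', 'pass:' + kwargs['ca_password']]
    extfile = []
    if kwargs.get('openssl_extfile'):
        extfile = ['-extfile', kwargs['openssl_extfile']]
    ca_key = kwargs['ca_name'] + '.key'

    cert_cmd = ['openssl', 'x509', '-req',
                '-CA', kwargs['ca_name'] + '.crt', '-CAkey', ca_key,
                '-set_serial', '24', *passin, *extfile,
                '-days', '3650', '-outform', 'DER', '-in', kwargs['csr'],
                '-sigopt', 'rsa_padding_mode:pss',
                '-sigopt', 'rsa_pss_saltlen:{}'.format(kwargs['anounce_saltlen']),
                '-sigopt', 'rsa_mgf1_md:sha256']
    der_bytes = subprocess.check_output(cert_cmd)
    # … unchanged: target_certificate = x509.Certificate.load(der_bytes) …

    dgst_cmd = ['openssl', 'dgst', '-sign', ca_key, *passin,
                '-sigopt', 'rsa_padding_mode:pss',
                '-sigopt', 'rsa_pss_saltlen:{}'.format(kwargs['actual_saltlen']),
                '-sigopt', 'rsa_mgf1_md:sha256']
    der_bytes = subprocess.check_output(
        dgst_cmd, input=target_certificate['tbs_certificate'].dump())
    # … unchanged: replace signature_value and write the PEM to kwargs['output'] …
```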
diff --git a/tests/scripts/generate_test_cert_macros.py b/tests/scripts/generate_test_cert_macros.py
deleted file mode 100755
index 4494917..0000000
--- a/tests/scripts/generate_test_cert_macros.py
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/env python3
-
-"""
-Generate `tests/src/test_certs.h` which includes certficaties/keys/certificate list for testing.
-"""
-
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-import os
-import sys
-import argparse
-import jinja2
-
-class MacroDefineAction(argparse.Action):
- #pylint: disable=signature-differs, too-few-public-methods
- def __call__(self, parser, namespace, values, option_string):
- if not hasattr(namespace, 'values'):
- setattr(namespace, 'values', [])
- macro_name, filename = values
- if self.dest in ('string', 'binary') and not os.path.exists(filename):
- raise argparse.ArgumentError(
- None, '`{}`: Input file does not exist.'.format(filename))
- namespace.values.append((self.dest, macro_name, filename))
-
-
-def macro_define_type(value):
- ret = value.split('=', 1)
- if len(ret) != 2:
- raise argparse.ArgumentTypeError(
- '`{}` is not MACRO=value format'.format(value))
- return ret
-
-
-def build_argparser(parser):
- parser.description = __doc__
- parser.add_argument('--string', type=macro_define_type, action=MacroDefineAction,
- metavar='MACRO_NAME=path/to/file', help='PEM to C string. ')
- parser.add_argument('--binary', type=macro_define_type, action=MacroDefineAction,
- metavar='MACRO_NAME=path/to/file',
- help='DER to C arrary.')
- parser.add_argument('--password', type=macro_define_type, action=MacroDefineAction,
- metavar='MACRO_NAME=password', help='Password to C string.')
- parser.add_argument('--output', type=str, required=True)
-
-
-def main():
- parser = argparse.ArgumentParser()
- build_argparser(parser)
- args = parser.parse_args()
- return generate(**vars(args))
-
-#pylint: disable=dangerous-default-value, unused-argument
-def generate(values=[], output=None, **kwargs):
- """Generate C header file.
- """
- this_dir = os.path.dirname(os.path.abspath(__file__))
- template_loader = jinja2.FileSystemLoader(
- searchpath=os.path.join(this_dir, '..', 'data_files'))
- template_env = jinja2.Environment(
- loader=template_loader, lstrip_blocks=True, trim_blocks=True)
-
- def read_as_c_array(filename):
- with open(filename, 'rb') as f:
- data = f.read(12)
- while data:
- yield ', '.join(['{:#04x}'.format(b) for b in data])
- data = f.read(12)
-
- def read_lines(filename):
- with open(filename) as f:
- try:
- for line in f:
- yield line.strip()
- except:
- print(filename)
- raise
-
- def put_to_column(value, position=0):
- return ' '*position + value
-
- template_env.filters['read_as_c_array'] = read_as_c_array
- template_env.filters['read_lines'] = read_lines
- template_env.filters['put_to_column'] = put_to_column
-
- template = template_env.get_template('test_certs.h.jinja2')
-
- with open(output, 'w') as f:
- f.write(template.render(macros=values))
-
-
-if __name__ == '__main__':
- sys.exit(main())
diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py
deleted file mode 100755
index 76806de..0000000
--- a/tests/scripts/generate_test_code.py
+++ /dev/null
@@ -1,1289 +0,0 @@
-#!/usr/bin/env python3
-# Test suites code generator.
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-This script is a key part of Mbed TLS test suites framework. For
-understanding the script it is important to understand the
-framework. This doc string contains a summary of the framework
-and explains the function of this script.
-
-Mbed TLS test suites:
-=====================
-Scope:
-------
-The test suites focus on unit testing the crypto primitives and also
-include x509 parser tests. Tests can be added to test any Mbed TLS
-module. However, the framework is not capable of testing SSL
-protocol, since that requires full stack execution and that is best
-tested as part of the system test.
-
-Test case definition:
----------------------
-Tests are defined in a test_suite_<module>[.<optional sub module>].data
-file. A test definition contains:
- test name
- optional build macro dependencies
- test function
- test parameters
-
-Test dependencies are build macros that can be specified to indicate
-the build config in which the test is valid. For example if a test
-depends on a feature that is only enabled by defining a macro. Then
-that macro should be specified as a dependency of the test.
-
-Test function is the function that implements the test steps. This
-function is specified for different tests that perform same steps
-with different parameters.
-
-Test parameters are specified in string form separated by ':'.
-Parameters can be of type string, binary data specified as hex
-string and integer constants specified as integer, macro or
-as an expression. Following is an example test definition:
-
- AES 128 GCM Encrypt and decrypt 8 bytes
- depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
- enc_dec_buf:MBEDTLS_CIPHER_AES_128_GCM:"AES-128-GCM":128:8:-1
-
-Test functions:
----------------
-Test functions are coded in C in test_suite_<module>.function files.
-Functions file is itself not compilable and contains special
-format patterns to specify test suite dependencies, start and end
-of functions and function dependencies. Check any existing functions
-file for example.
-
-Execution:
-----------
-Tests are executed in 3 steps:
-- Generating test_suite_<module>[.<optional sub module>].c file
- for each corresponding .data file.
-- Building each source file into executables.
-- Running each executable and printing report.
-
-Generating C test source requires more than just the test functions.
-Following extras are required:
-- Process main()
-- Reading .data file and dispatching test cases.
-- Platform specific test case execution
-- Dependency checking
-- Integer expression evaluation
-- Test function dispatch
-
-Build dependencies and integer expressions (in the test parameters)
-are specified as strings in the .data file. Their run time value is
-not known at the generation stage. Hence, they need to be translated
-into run time evaluations. This script generates the run time checks
-for dependencies and integer expressions.
-
-Similarly, function names have to be translated into function calls.
-This script also generates code for function dispatch.
-
-The extra code mentioned here is either generated by this script
-or it comes from the input files: helpers file, platform file and
-the template file.
-
-Helper file:
-------------
-Helpers file contains common helper/utility functions and data.
-
-Platform file:
---------------
-Platform file contains platform specific setup code and test case
-dispatch code. For example, host_test.function reads test data
-file from host's file system and dispatches tests.
-
-Template file:
----------
-Template file for example main_test.function is a template C file in
-which generated code and code from input files is substituted to
-generate a compilable C file. It also contains skeleton functions for
-dependency checks, expression evaluation and function dispatch. These
-functions are populated with checks and return codes by this script.
-
-Template file contains "replacement" fields that are formatted
-strings processed by Python string.Template.substitute() method.
-
-This script:
-============
-Core function of this script is to fill the template file with
-code that is generated or read from helpers and platform files.
-
-This script replaces following fields in the template and generates
-the test source file:
-
-__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS
- All common code from helpers.function
- is substituted here.
-__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE
- Test functions are substituted here
- from the input test_suit_xyz.function
- file. C preprocessor checks are generated
- for the build dependencies specified
- in the input file. This script also
- generates wrappers for the test
- functions with code to expand the
- string parameters read from the data
- file.
-__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE
- This script enumerates the
- expressions in the .data file and
- generates code to handle enumerated
- expression Ids and return the values.
-__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE
- This script enumerates all
- build dependencies and generate
- code to handle enumerated build
- dependency Id and return status: if
- the dependency is defined or not.
-__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE
- This script enumerates the functions
- specified in the input test data file
- and generates the initializer for the
- function table in the template
- file.
-__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE
- Platform specific setup and test
- dispatch code.
-
-"""
-
-
-import os
-import re
-import sys
-import string
-import argparse
-
-
-# Types recognized as signed integer arguments in test functions.
-SIGNED_INTEGER_TYPES = frozenset([
- 'char',
- 'short',
- 'short int',
- 'int',
- 'int8_t',
- 'int16_t',
- 'int32_t',
- 'int64_t',
- 'intmax_t',
- 'long',
- 'long int',
- 'long long int',
- 'mbedtls_mpi_sint',
- 'psa_status_t',
-])
-# Types recognized as string arguments in test functions.
-STRING_TYPES = frozenset(['char*', 'const char*', 'char const*'])
-# Types recognized as hex data arguments in test functions.
-DATA_TYPES = frozenset(['data_t*', 'const data_t*', 'data_t const*'])
-
-BEGIN_HEADER_REGEX = r'/\*\s*BEGIN_HEADER\s*\*/'
-END_HEADER_REGEX = r'/\*\s*END_HEADER\s*\*/'
-
-BEGIN_SUITE_HELPERS_REGEX = r'/\*\s*BEGIN_SUITE_HELPERS\s*\*/'
-END_SUITE_HELPERS_REGEX = r'/\*\s*END_SUITE_HELPERS\s*\*/'
-
-BEGIN_DEP_REGEX = r'BEGIN_DEPENDENCIES'
-END_DEP_REGEX = r'END_DEPENDENCIES'
-
-BEGIN_CASE_REGEX = r'/\*\s*BEGIN_CASE\s*(?P<depends_on>.*?)\s*\*/'
-END_CASE_REGEX = r'/\*\s*END_CASE\s*\*/'
-
-DEPENDENCY_REGEX = r'depends_on:(?P<dependencies>.*)'
-C_IDENTIFIER_REGEX = r'!?[a-z_][a-z0-9_]*'
-CONDITION_OPERATOR_REGEX = r'[!=]=|[<>]=?'
-# forbid 0ddd which might be accidentally octal or accidentally decimal
-CONDITION_VALUE_REGEX = r'[-+]?(0x[0-9a-f]+|0|[1-9][0-9]*)'
-CONDITION_REGEX = r'({})(?:\s*({})\s*({}))?$'.format(C_IDENTIFIER_REGEX,
- CONDITION_OPERATOR_REGEX,
- CONDITION_VALUE_REGEX)
-TEST_FUNCTION_VALIDATION_REGEX = r'\s*void\s+(?P<func_name>\w+)\s*\('
-FUNCTION_ARG_LIST_END_REGEX = r'.*\)'
-EXIT_LABEL_REGEX = r'^exit:'
-
-
-class GeneratorInputError(Exception):
- """
- Exception to indicate error in the input files to this script.
- This includes missing patterns, test function names and other
- parsing errors.
- """
- pass
-
-
-class FileWrapper:
- """
- This class extends the file object with attribute line_no,
- that indicates line number for the line that is read.
- """
-
- def __init__(self, file_name) -> None:
- """
- Instantiate the file object and initialize the line number to 0.
-
- :param file_name: File path to open.
- """
- # private mix-in file object
- self._f = open(file_name, 'rb')
- self._line_no = 0
-
- def __iter__(self):
- return self
-
- def __next__(self):
- """
- This method makes FileWrapper iterable.
- It counts the line numbers as each line is read.
-
- :return: Line read from file.
- """
- line = self._f.__next__()
- self._line_no += 1
- # Convert byte array to string with correct encoding and
- # strip any whitespaces added in the decoding process.
- return line.decode(sys.getdefaultencoding()).rstrip()+ '\n'
-
- def __enter__(self):
- return self
-
- def __exit__(self, exc_type, exc_val, exc_tb):
- self._f.__exit__(exc_type, exc_val, exc_tb)
-
- @property
- def line_no(self):
- """
- Property that indicates line number for the line that is read.
- """
- return self._line_no
-
- @property
- def name(self):
- """
- Property that indicates name of the file that is read.
- """
- return self._f.name
-
-
-def split_dep(dep):
- """
- Split NOT character '!' from dependency. Used by gen_dependencies()
-
- :param dep: Dependency list
- :return: string tuple. Ex: ('!', MACRO) for !MACRO and ('', MACRO) for
- MACRO.
- """
- return ('!', dep[1:]) if dep[0] == '!' else ('', dep)
-
-
-def gen_dependencies(dependencies):
- """
- Test suite data and functions specifies compile time dependencies.
- This function generates C preprocessor code from the input
- dependency list. Caller uses the generated preprocessor code to
- wrap dependent code.
- A dependency in the input list can have a leading '!' character
- to negate a condition. '!' is separated from the dependency using
- function split_dep() and proper preprocessor check is generated
- accordingly.
-
- :param dependencies: List of dependencies.
- :return: if defined and endif code with macro annotations for
- readability.
- """
- dep_start = ''.join(['#if %sdefined(%s)\n' % (x, y) for x, y in
- map(split_dep, dependencies)])
- dep_end = ''.join(['#endif /* %s */\n' %
- x for x in reversed(dependencies)])
-
- return dep_start, dep_end
-
-
-def gen_dependencies_one_line(dependencies):
- """
- Similar to gen_dependencies() but generates dependency checks in one line.
- Useful for generating code with #else block.
-
- :param dependencies: List of dependencies.
- :return: Preprocessor check code
- """
- defines = '#if ' if dependencies else ''
- defines += ' && '.join(['%sdefined(%s)' % (x, y) for x, y in map(
- split_dep, dependencies)])
- return defines
-
-
-def gen_function_wrapper(name, local_vars, args_dispatch):
- """
- Creates test function wrapper code. A wrapper has the code to
- unpack parameters from parameters[] array.
-
- :param name: Test function name
- :param local_vars: Local variables declaration code
- :param args_dispatch: List of dispatch arguments.
- Ex: ['(char *) params[0]', '*((int *) params[1])']
- :return: Test function wrapper.
- """
- # Then create the wrapper
- wrapper = '''
-void {name}_wrapper( void ** params )
-{{
-{unused_params}{locals}
- {name}( {args} );
-}}
-'''.format(name=name,
- unused_params='' if args_dispatch else ' (void)params;\n',
- args=', '.join(args_dispatch),
- locals=local_vars)
- return wrapper
-
-
-def gen_dispatch(name, dependencies):
- """
- Test suite code template main_test.function defines a C function
- array to contain test case functions. This function generates an
- initializer entry for a function in that array. The entry is
- composed of a compile time check for the test function
- dependencies. At compile time the test function is assigned when
- dependencies are met, else NULL is assigned.
-
- :param name: Test function name
- :param dependencies: List of dependencies
- :return: Dispatch code.
- """
- if dependencies:
- preprocessor_check = gen_dependencies_one_line(dependencies)
- dispatch_code = '''
-{preprocessor_check}
- {name}_wrapper,
-#else
- NULL,
-#endif
-'''.format(preprocessor_check=preprocessor_check, name=name)
- else:
- dispatch_code = '''
- {name}_wrapper,
-'''.format(name=name)
-
- return dispatch_code
-
-
-def parse_until_pattern(funcs_f, end_regex):
- """
- Matches pattern end_regex to the lines read from the file object.
- Returns the lines read until end pattern is matched.
-
- :param funcs_f: file object for .function file
- :param end_regex: Pattern to stop parsing
- :return: Lines read before the end pattern
- """
- headers = '#line %d "%s"\n' % (funcs_f.line_no + 1, funcs_f.name)
- for line in funcs_f:
- if re.search(end_regex, line):
- break
- headers += line
- else:
- raise GeneratorInputError("file: %s - end pattern [%s] not found!" %
- (funcs_f.name, end_regex))
-
- return headers
-
-
-def validate_dependency(dependency):
- """
- Validates a C macro and raises GeneratorInputError on invalid input.
- :param dependency: Input macro dependency
- :return: input dependency stripped of leading & trailing white spaces.
- """
- dependency = dependency.strip()
- if not re.match(CONDITION_REGEX, dependency, re.I):
- raise GeneratorInputError('Invalid dependency %s' % dependency)
- return dependency
-
-
-def parse_dependencies(inp_str):
- """
- Parses dependencies out of inp_str, validates them and returns a
- list of macros.
-
- :param inp_str: Input string with macros delimited by ':'.
- :return: list of dependencies
- """
- dependencies = list(map(validate_dependency, inp_str.split(':')))
- return dependencies
-
-
-def parse_suite_dependencies(funcs_f):
- """
- Parses test suite dependencies specified at the top of a
- .function file, that starts with pattern BEGIN_DEPENDENCIES
- and end with END_DEPENDENCIES. Dependencies are specified
- after pattern 'depends_on:' and are delimited by ':'.
-
- :param funcs_f: file object for .function file
- :return: List of test suite dependencies.
- """
- dependencies = []
- for line in funcs_f:
- match = re.search(DEPENDENCY_REGEX, line.strip())
- if match:
- try:
- dependencies = parse_dependencies(match.group('dependencies'))
- except GeneratorInputError as error:
- raise GeneratorInputError(
- str(error) + " - %s:%d" % (funcs_f.name, funcs_f.line_no))
- if re.search(END_DEP_REGEX, line):
- break
- else:
- raise GeneratorInputError("file: %s - end dependency pattern [%s]"
- " not found!" % (funcs_f.name,
- END_DEP_REGEX))
-
- return dependencies
-
-
-def parse_function_dependencies(line):
- """
- Parses function dependencies, that are in the same line as
- comment BEGIN_CASE. Dependencies are specified after pattern
- 'depends_on:' and are delimited by ':'.
-
- :param line: Line from .function file that has dependencies.
- :return: List of dependencies.
- """
- dependencies = []
- match = re.search(BEGIN_CASE_REGEX, line)
- dep_str = match.group('depends_on')
- if dep_str:
- match = re.search(DEPENDENCY_REGEX, dep_str)
- if match:
- dependencies += parse_dependencies(match.group('dependencies'))
-
- return dependencies
-
-
-ARGUMENT_DECLARATION_REGEX = re.compile(r'(.+?) ?(?:\bconst\b)? ?(\w+)\Z', re.S)
-def parse_function_argument(arg, arg_idx, args, local_vars, args_dispatch):
- """
- Parses one test function's argument declaration.
-
- :param arg: argument declaration.
- :param arg_idx: current wrapper argument index.
- :param args: accumulator of arguments' internal types.
- :param local_vars: accumulator of internal variable declarations.
- :param args_dispatch: accumulator of argument usage expressions.
- :return: the number of new wrapper arguments,
- or None if the argument declaration is invalid.
- """
- # Normalize whitespace
- arg = arg.strip()
- arg = re.sub(r'\s*\*\s*', r'*', arg)
- arg = re.sub(r'\s+', r' ', arg)
- # Extract name and type
- m = ARGUMENT_DECLARATION_REGEX.search(arg)
- if not m:
- # E.g. "int x[42]"
- return None
- typ, _ = m.groups()
- if typ in SIGNED_INTEGER_TYPES:
- args.append('int')
- args_dispatch.append('((mbedtls_test_argument_t *) params[%d])->sint' % arg_idx)
- return 1
- if typ in STRING_TYPES:
- args.append('char*')
- args_dispatch.append('(char *) params[%d]' % arg_idx)
- return 1
- if typ in DATA_TYPES:
- args.append('hex')
- # create a structure
- pointer_initializer = '(uint8_t *) params[%d]' % arg_idx
- len_initializer = '((mbedtls_test_argument_t *) params[%d])->len' % (arg_idx+1)
- local_vars.append(' data_t data%d = {%s, %s};\n' %
- (arg_idx, pointer_initializer, len_initializer))
- args_dispatch.append('&data%d' % arg_idx)
- return 2
- return None
-
-ARGUMENT_LIST_REGEX = re.compile(r'\((.*?)\)', re.S)
-def parse_function_arguments(line):
- """
- Parses test function signature for validation and generates
- a dispatch wrapper function that translates input test vectors
- read from the data file into test function arguments.
-
- :param line: Line from .function file that has a function
- signature.
- :return: argument list, local variables for
- wrapper function and argument dispatch code.
- """
- # Process arguments, ex: <type> arg1, <type> arg2 )
- # This script assumes that the argument list is terminated by ')'
- # i.e. the test functions will not have a function pointer
- # argument.
- m = ARGUMENT_LIST_REGEX.search(line)
- arg_list = m.group(1).strip()
- if arg_list in ['', 'void']:
- return [], '', []
- args = []
- local_vars = []
- args_dispatch = []
- arg_idx = 0
- for arg in arg_list.split(','):
- indexes = parse_function_argument(arg, arg_idx,
- args, local_vars, args_dispatch)
- if indexes is None:
- raise ValueError("Test function arguments can only be 'int', "
- "'char *' or 'data_t'\n%s" % line)
- arg_idx += indexes
-
- return args, ''.join(local_vars), args_dispatch
-
-
-def generate_function_code(name, code, local_vars, args_dispatch,
- dependencies):
- """
- Generate function code with preprocessor checks and parameter dispatch
- wrapper.
-
- :param name: Function name
- :param code: Function code
- :param local_vars: Local variables for function wrapper
- :param args_dispatch: Argument dispatch code
- :param dependencies: Preprocessor dependencies list
- :return: Final function code
- """
- # Add exit label if not present
- if code.find('exit:') == -1:
- split_code = code.rsplit('}', 1)
- if len(split_code) == 2:
- code = """exit:
- ;
-}""".join(split_code)
-
- code += gen_function_wrapper(name, local_vars, args_dispatch)
- preprocessor_check_start, preprocessor_check_end = \
- gen_dependencies(dependencies)
- return preprocessor_check_start + code + preprocessor_check_end
-
-COMMENT_START_REGEX = re.compile(r'/[*/]')
-
-def skip_comments(line, stream):
- """Remove comments in line.
-
- If the line contains an unfinished comment, read more lines from stream
- until the line that contains the comment.
-
- :return: The original line with inner comments replaced by spaces.
- Trailing comments and whitespace may be removed completely.
- """
- pos = 0
- while True:
- opening = COMMENT_START_REGEX.search(line, pos)
- if not opening:
- break
- if line[opening.start(0) + 1] == '/': # //...
- continuation = line
- # Count the number of line breaks, to keep line numbers aligned
- # in the output.
- line_count = 1
- while continuation.endswith('\\\n'):
- # This errors out if the file ends with an unfinished line
- # comment. That's acceptable to not complicate the code further.
- continuation = next(stream)
- line_count += 1
- return line[:opening.start(0)].rstrip() + '\n' * line_count
- # Parsing /*...*/, looking for the end
- closing = line.find('*/', opening.end(0))
- while closing == -1:
- # This errors out if the file ends with an unfinished block
- # comment. That's acceptable to not complicate the code further.
- line += next(stream)
- closing = line.find('*/', opening.end(0))
- pos = closing + 2
- # Replace inner comment by spaces. There needs to be at least one space
- # for things like 'int/*ihatespaces*/foo'. Go further and preserve the
- # width of the comment and line breaks, this way positions in error
- # messages remain correct.
- line = (line[:opening.start(0)] +
- re.sub(r'.', r' ', line[opening.start(0):pos]) +
- line[pos:])
- # Strip whitespace at the end of lines (it's irrelevant to error messages).
- return re.sub(r' +(\n|\Z)', r'\1', line)
-
-def parse_function_code(funcs_f, dependencies, suite_dependencies):
- """
- Parses out a function from function file object and generates
- function and dispatch code.
-
- :param funcs_f: file object of the functions file.
- :param dependencies: List of dependencies
- :param suite_dependencies: List of test suite dependencies
- :return: Function name, arguments, function code and dispatch code.
- """
- line_directive = '#line %d "%s"\n' % (funcs_f.line_no + 1, funcs_f.name)
- code = ''
- has_exit_label = False
- for line in funcs_f:
- # Check function signature. Function signature may be split
- # across multiple lines. Here we try to find the start of
- # arguments list, then remove '\n's and apply the regex to
- # detect function start.
- line = skip_comments(line, funcs_f)
- up_to_arg_list_start = code + line[:line.find('(') + 1]
- match = re.match(TEST_FUNCTION_VALIDATION_REGEX,
- up_to_arg_list_start.replace('\n', ' '), re.I)
- if match:
- # check if we have full signature i.e. split in more lines
- name = match.group('func_name')
- if not re.match(FUNCTION_ARG_LIST_END_REGEX, line):
- for lin in funcs_f:
- line += skip_comments(lin, funcs_f)
- if re.search(FUNCTION_ARG_LIST_END_REGEX, line):
- break
- args, local_vars, args_dispatch = parse_function_arguments(
- line)
- code += line
- break
- code += line
- else:
- raise GeneratorInputError("file: %s - Test functions not found!" %
- funcs_f.name)
-
- # Prefix test function name with 'test_'
- code = code.replace(name, 'test_' + name, 1)
- name = 'test_' + name
-
- # If a test function has no arguments then add 'void' argument to
- # avoid "-Wstrict-prototypes" warnings from clang
- if len(args) == 0:
- code = code.replace('()', '(void)', 1)
-
- for line in funcs_f:
- if re.search(END_CASE_REGEX, line):
- break
- if not has_exit_label:
- has_exit_label = \
- re.search(EXIT_LABEL_REGEX, line.strip()) is not None
- code += line
- else:
- raise GeneratorInputError("file: %s - end case pattern [%s] not "
- "found!" % (funcs_f.name, END_CASE_REGEX))
-
- code = line_directive + code
- code = generate_function_code(name, code, local_vars, args_dispatch,
- dependencies)
- dispatch_code = gen_dispatch(name, suite_dependencies + dependencies)
- return (name, args, code, dispatch_code)
-
-
-def parse_functions(funcs_f):
- """
- Parses a test_suite_xxx.function file and returns information
- for generating a C source file for the test suite.
-
- :param funcs_f: file object of the functions file.
- :return: List of test suite dependencies, test function dispatch
- code, function code and a dict with function identifiers
- and arguments info.
- """
- suite_helpers = ''
- suite_dependencies = []
- suite_functions = ''
- func_info = {}
- function_idx = 0
- dispatch_code = ''
- for line in funcs_f:
- if re.search(BEGIN_HEADER_REGEX, line):
- suite_helpers += parse_until_pattern(funcs_f, END_HEADER_REGEX)
- elif re.search(BEGIN_SUITE_HELPERS_REGEX, line):
- suite_helpers += parse_until_pattern(funcs_f,
- END_SUITE_HELPERS_REGEX)
- elif re.search(BEGIN_DEP_REGEX, line):
- suite_dependencies += parse_suite_dependencies(funcs_f)
- elif re.search(BEGIN_CASE_REGEX, line):
- try:
- dependencies = parse_function_dependencies(line)
- except GeneratorInputError as error:
- raise GeneratorInputError(
- "%s:%d: %s" % (funcs_f.name, funcs_f.line_no,
- str(error)))
- func_name, args, func_code, func_dispatch =\
- parse_function_code(funcs_f, dependencies, suite_dependencies)
- suite_functions += func_code
- # Generate dispatch code and enumeration info
- if func_name in func_info:
- raise GeneratorInputError(
- "file: %s - function %s re-declared at line %d" %
- (funcs_f.name, func_name, funcs_f.line_no))
- func_info[func_name] = (function_idx, args)
- dispatch_code += '/* Function Id: %d */\n' % function_idx
- dispatch_code += func_dispatch
- function_idx += 1
-
- func_code = (suite_helpers +
- suite_functions).join(gen_dependencies(suite_dependencies))
- return suite_dependencies, dispatch_code, func_code, func_info
-
-
-def escaped_split(inp_str, split_char):
- """
- Split inp_str on character split_char but ignore if escaped.
- Since, return value is used to write back to the intermediate
- data file, any escape characters in the input are retained in the
- output.
-
- :param inp_str: String to split
- :param split_char: Split character
- :return: List of splits
- """
- if len(split_char) > 1:
- raise ValueError('Expected split character. Found string!')
- out = re.sub(r'(\\.)|' + split_char,
- lambda m: m.group(1) or '\n', inp_str,
- len(inp_str)).split('\n')
- out = [x for x in out if x]
- return out
-
-
-def parse_test_data(data_f):
- """
- Parses .data file for each test case name, test function name,
- test dependencies and test arguments. This information is
- correlated with the test functions file for generating an
- intermediate data file replacing the strings for test function
- names, dependencies and integer constant expressions with
- identifiers. Mainly for optimising space for on-target
- execution.
-
- :param data_f: file object of the data file.
- :return: Generator that yields line number, test name, function name,
- dependency list and function argument list.
- """
- __state_read_name = 0
- __state_read_args = 1
- state = __state_read_name
- dependencies = []
- name = ''
- for line in data_f:
- line = line.strip()
- # Skip comments
- if line.startswith('#'):
- continue
-
- # Blank line indicates end of test
- if not line:
- if state == __state_read_args:
- raise GeneratorInputError("[%s:%d] Newline before arguments. "
- "Test function and arguments "
- "missing for %s" %
- (data_f.name, data_f.line_no, name))
- continue
-
- if state == __state_read_name:
- # Read test name
- name = line
- state = __state_read_args
- elif state == __state_read_args:
- # Check dependencies
- match = re.search(DEPENDENCY_REGEX, line)
- if match:
- try:
- dependencies = parse_dependencies(
- match.group('dependencies'))
- except GeneratorInputError as error:
- raise GeneratorInputError(
- str(error) + " - %s:%d" %
- (data_f.name, data_f.line_no))
- else:
- # Read test vectors
- parts = escaped_split(line, ':')
- test_function = parts[0]
- args = parts[1:]
- yield data_f.line_no, name, test_function, dependencies, args
- dependencies = []
- state = __state_read_name
- if state == __state_read_args:
- raise GeneratorInputError("[%s:%d] Newline before arguments. "
- "Test function and arguments missing for "
- "%s" % (data_f.name, data_f.line_no, name))
-
-
-def gen_dep_check(dep_id, dep):
- """
- Generate code for checking dependency with the associated
- identifier.
-
- :param dep_id: Dependency identifier
- :param dep: Dependency macro
- :return: Dependency check code
- """
- if dep_id < 0:
- raise GeneratorInputError("Dependency Id should be a positive "
- "integer.")
- _not, dep = ('!', dep[1:]) if dep[0] == '!' else ('', dep)
- if not dep:
- raise GeneratorInputError("Dependency should not be an empty string.")
-
- dependency = re.match(CONDITION_REGEX, dep, re.I)
- if not dependency:
- raise GeneratorInputError('Invalid dependency %s' % dep)
-
- _defined = '' if dependency.group(2) else 'defined'
- _cond = dependency.group(2) if dependency.group(2) else ''
- _value = dependency.group(3) if dependency.group(3) else ''
-
- dep_check = '''
- case {id}:
- {{
-#if {_not}{_defined}({macro}{_cond}{_value})
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }}
- break;'''.format(_not=_not, _defined=_defined,
- macro=dependency.group(1), id=dep_id,
- _cond=_cond, _value=_value)
- return dep_check
-
-
-def gen_expression_check(exp_id, exp):
- """
- Generates code for evaluating an integer expression using
- associated expression Id.
-
- :param exp_id: Expression Identifier
- :param exp: Expression/Macro
- :return: Expression check code
- """
- if exp_id < 0:
- raise GeneratorInputError("Expression Id should be a positive "
- "integer.")
- if not exp:
- raise GeneratorInputError("Expression should not be an empty string.")
- exp_code = '''
- case {exp_id}:
- {{
- *out_value = {expression};
- }}
- break;'''.format(exp_id=exp_id, expression=exp)
- return exp_code
-
-
-def write_dependencies(out_data_f, test_dependencies, unique_dependencies):
- """
- Write dependencies to intermediate test data file, replacing
- the string form with identifiers. Also, generates dependency
- check code.
-
- :param out_data_f: Output intermediate data file
- :param test_dependencies: Dependencies
- :param unique_dependencies: Mutable list to track unique dependencies
- that are global to this re-entrant function.
- :return: returns dependency check code.
- """
- dep_check_code = ''
- if test_dependencies:
- out_data_f.write('depends_on')
- for dep in test_dependencies:
- if dep not in unique_dependencies:
- unique_dependencies.append(dep)
- dep_id = unique_dependencies.index(dep)
- dep_check_code += gen_dep_check(dep_id, dep)
- else:
- dep_id = unique_dependencies.index(dep)
- out_data_f.write(':' + str(dep_id))
- out_data_f.write('\n')
- return dep_check_code
-
-
-INT_VAL_REGEX = re.compile(r'-?(\d+|0x[0-9a-f]+)$', re.I)
-def val_is_int(val: str) -> bool:
- """Whether val is suitable as an 'int' parameter in the .datax file."""
- if not INT_VAL_REGEX.match(val):
- return False
- # Limit the range to what is guaranteed to get through strtol()
- return abs(int(val, 0)) <= 0x7fffffff
-
-def write_parameters(out_data_f, test_args, func_args, unique_expressions):
- """
- Writes test parameters to the intermediate data file, replacing
- the string form with identifiers. Also, generates expression
- check code.
-
- :param out_data_f: Output intermediate data file
- :param test_args: Test parameters
- :param func_args: Function arguments
- :param unique_expressions: Mutable list to track unique
- expressions that are global to this re-entrant function.
- :return: Returns expression check code.
- """
- expression_code = ''
- for i, _ in enumerate(test_args):
- typ = func_args[i]
- val = test_args[i]
-
- # Pass small integer constants literally. This reduces the size of
- # the C code. Register anything else as an expression.
- if typ == 'int' and not val_is_int(val):
- typ = 'exp'
- if val not in unique_expressions:
- unique_expressions.append(val)
- # exp_id can be derived from len(). But for
- # readability and consistency with case of existing
- # let's use index().
- exp_id = unique_expressions.index(val)
- expression_code += gen_expression_check(exp_id, val)
- val = exp_id
- else:
- val = unique_expressions.index(val)
- out_data_f.write(':' + typ + ':' + str(val))
- out_data_f.write('\n')
- return expression_code
-
-
-def gen_suite_dep_checks(suite_dependencies, dep_check_code, expression_code):
- """
- Generates preprocessor checks for test suite dependencies.
-
- :param suite_dependencies: Test suite dependencies read from the
- .function file.
- :param dep_check_code: Dependency check code
- :param expression_code: Expression check code
- :return: Dependency and expression code guarded by test suite
- dependencies.
- """
- if suite_dependencies:
- preprocessor_check = gen_dependencies_one_line(suite_dependencies)
- dep_check_code = '''
-{preprocessor_check}
-{code}
-#endif
-'''.format(preprocessor_check=preprocessor_check, code=dep_check_code)
- expression_code = '''
-{preprocessor_check}
-{code}
-#endif
-'''.format(preprocessor_check=preprocessor_check, code=expression_code)
- return dep_check_code, expression_code
-
-
-def get_function_info(func_info, function_name, line_no):
- """Look up information about a test function by name.
-
- Raise an informative expression if function_name is not found.
-
- :param func_info: dictionary mapping function names to their information.
- :param function_name: the function name as written in the .function and
- .data files.
- :param line_no: line number for error messages.
- :return Function information (id, args).
- """
- test_function_name = 'test_' + function_name
- if test_function_name not in func_info:
- raise GeneratorInputError("%d: Function %s not found!" %
- (line_no, test_function_name))
- return func_info[test_function_name]
-
-
-def gen_from_test_data(data_f, out_data_f, func_info, suite_dependencies):
- """
- This function reads test case name, dependencies and test vectors
- from the .data file. This information is correlated with the test
- functions file for generating an intermediate data file replacing
- the strings for test function names, dependencies and integer
- constant expressions with identifiers. Mainly for optimising
- space for on-target execution.
- It also generates test case dependency check code and expression
- evaluation code.
-
- :param data_f: Data file object
- :param out_data_f: Output intermediate data file
- :param func_info: Dict keyed by function and with function id
- and arguments info
- :param suite_dependencies: Test suite dependencies
- :return: Returns dependency and expression check code
- """
- unique_dependencies = []
- unique_expressions = []
- dep_check_code = ''
- expression_code = ''
- for line_no, test_name, function_name, test_dependencies, test_args in \
- parse_test_data(data_f):
- out_data_f.write(test_name + '\n')
-
- # Write dependencies
- dep_check_code += write_dependencies(out_data_f, test_dependencies,
- unique_dependencies)
-
- # Write test function name
- func_id, func_args = \
- get_function_info(func_info, function_name, line_no)
- out_data_f.write(str(func_id))
-
- # Write parameters
- if len(test_args) != len(func_args):
- raise GeneratorInputError("%d: Invalid number of arguments in test "
- "%s. See function %s signature." %
- (line_no, test_name, function_name))
- expression_code += write_parameters(out_data_f, test_args, func_args,
- unique_expressions)
-
- # Write a newline as test case separator
- out_data_f.write('\n')
-
- dep_check_code, expression_code = gen_suite_dep_checks(
- suite_dependencies, dep_check_code, expression_code)
- return dep_check_code, expression_code
-
-
-def add_input_info(funcs_file, data_file, template_file,
- c_file, snippets):
- """
- Add generator input info in snippets.
-
- :param funcs_file: Functions file object
- :param data_file: Data file object
- :param template_file: Template file object
- :param c_file: Output C file object
- :param snippets: Dictionary to contain code pieces to be
- substituted in the template.
- :return:
- """
- snippets['test_file'] = c_file
- snippets['test_main_file'] = template_file
- snippets['test_case_file'] = funcs_file
- snippets['test_case_data_file'] = data_file
-
-
-def read_code_from_input_files(platform_file, helpers_file,
- out_data_file, snippets):
- """
- Read code from input files and create substitutions for replacement
- strings in the template file.
-
- :param platform_file: Platform file object
- :param helpers_file: Helper functions file object
- :param out_data_file: Output intermediate data file object
- :param snippets: Dictionary to contain code pieces to be
- substituted in the template.
- :return:
- """
- # Read helpers
- with open(helpers_file, 'r') as help_f, open(platform_file, 'r') as \
- platform_f:
- snippets['test_common_helper_file'] = helpers_file
- snippets['test_common_helpers'] = help_f.read()
- snippets['test_platform_file'] = platform_file
- snippets['platform_code'] = platform_f.read().replace(
- 'DATA_FILE', out_data_file.replace('\\', '\\\\')) # escape '\'
-
-
-def write_test_source_file(template_file, c_file, snippets):
- """
- Write output source file with generated source code.
-
- :param template_file: Template file name
- :param c_file: Output source file
- :param snippets: Generated and code snippets
- :return:
- """
-
- # Create a placeholder pattern with the correct named capture groups
- # to override the default provided with Template.
- # Match nothing (no way of escaping placeholders).
- escaped = "(?P<escaped>(?!))"
- # Match the "__MBEDTLS_TEST_TEMPLATE__PLACEHOLDER_NAME" pattern.
- named = "__MBEDTLS_TEST_TEMPLATE__(?P<named>[A-Z][_A-Z0-9]*)"
- # Match nothing (no braced placeholder syntax).
- braced = "(?P<braced>(?!))"
- # If not already matched, a "__MBEDTLS_TEST_TEMPLATE__" prefix is invalid.
- invalid = "(?P<invalid>__MBEDTLS_TEST_TEMPLATE__)"
- placeholder_pattern = re.compile("|".join([escaped, named, braced, invalid]))
-
- with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f:
- for line_no, line in enumerate(template_f.readlines(), 1):
- # Update line number. +1 as #line directive sets next line number
- snippets['line_no'] = line_no + 1
- template = string.Template(line)
- template.pattern = placeholder_pattern
- snippets = {k.upper():v for (k, v) in snippets.items()}
- code = template.substitute(**snippets)
- c_f.write(code)
-
-
-def parse_function_file(funcs_file, snippets):
- """
- Parse function file and generate function dispatch code.
-
- :param funcs_file: Functions file name
- :param snippets: Dictionary to contain code pieces to be
- substituted in the template.
- :return:
- """
- with FileWrapper(funcs_file) as funcs_f:
- suite_dependencies, dispatch_code, func_code, func_info = \
- parse_functions(funcs_f)
- snippets['functions_code'] = func_code
- snippets['dispatch_code'] = dispatch_code
- return suite_dependencies, func_info
-
-
-def generate_intermediate_data_file(data_file, out_data_file,
- suite_dependencies, func_info, snippets):
- """
- Generates intermediate data file from input data file and
- information read from functions file.
-
- :param data_file: Data file name
- :param out_data_file: Output/Intermediate data file
- :param suite_dependencies: List of suite dependencies.
- :param func_info: Function info parsed from functions file.
- :param snippets: Dictionary to contain code pieces to be
- substituted in the template.
- :return:
- """
- with FileWrapper(data_file) as data_f, \
- open(out_data_file, 'w') as out_data_f:
- dep_check_code, expression_code = gen_from_test_data(
- data_f, out_data_f, func_info, suite_dependencies)
- snippets['dep_check_code'] = dep_check_code
- snippets['expression_code'] = expression_code
-
-
-def generate_code(**input_info):
- """
- Generates C source code from test suite file, data file, common
- helpers file and platform file.
-
- input_info expands to following parameters:
- funcs_file: Functions file object
- data_file: Data file object
- template_file: Template file object
- platform_file: Platform file object
- helpers_file: Helper functions file object
- suites_dir: Test suites dir
- c_file: Output C file object
- out_data_file: Output intermediate data file object
- :return:
- """
- funcs_file = input_info['funcs_file']
- data_file = input_info['data_file']
- template_file = input_info['template_file']
- platform_file = input_info['platform_file']
- helpers_file = input_info['helpers_file']
- suites_dir = input_info['suites_dir']
- c_file = input_info['c_file']
- out_data_file = input_info['out_data_file']
- for name, path in [('Functions file', funcs_file),
- ('Data file', data_file),
- ('Template file', template_file),
- ('Platform file', platform_file),
- ('Helpers code file', helpers_file),
- ('Suites dir', suites_dir)]:
- if not os.path.exists(path):
- raise IOError("ERROR: %s [%s] not found!" % (name, path))
-
- snippets = {'generator_script': os.path.basename(__file__)}
- read_code_from_input_files(platform_file, helpers_file,
- out_data_file, snippets)
- add_input_info(funcs_file, data_file, template_file,
- c_file, snippets)
- suite_dependencies, func_info = parse_function_file(funcs_file, snippets)
- generate_intermediate_data_file(data_file, out_data_file,
- suite_dependencies, func_info, snippets)
- write_test_source_file(template_file, c_file, snippets)
-
-
-def main():
- """
- Command line parser.
-
- :return:
- """
- parser = argparse.ArgumentParser(
- description='Dynamically generate test suite code.')
-
- parser.add_argument("-f", "--functions-file",
- dest="funcs_file",
- help="Functions file",
- metavar="FUNCTIONS_FILE",
- required=True)
-
- parser.add_argument("-d", "--data-file",
- dest="data_file",
- help="Data file",
- metavar="DATA_FILE",
- required=True)
-
- parser.add_argument("-t", "--template-file",
- dest="template_file",
- help="Template file",
- metavar="TEMPLATE_FILE",
- required=True)
-
- parser.add_argument("-s", "--suites-dir",
- dest="suites_dir",
- help="Suites dir",
- metavar="SUITES_DIR",
- required=True)
-
- parser.add_argument("--helpers-file",
- dest="helpers_file",
- help="Helpers file",
- metavar="HELPERS_FILE",
- required=True)
-
- parser.add_argument("-p", "--platform-file",
- dest="platform_file",
- help="Platform code file",
- metavar="PLATFORM_FILE",
- required=True)
-
- parser.add_argument("-o", "--out-dir",
- dest="out_dir",
- help="Dir where generated code and scripts are copied",
- metavar="OUT_DIR",
- required=True)
-
- args = parser.parse_args()
-
- data_file_name = os.path.basename(args.data_file)
- data_name = os.path.splitext(data_file_name)[0]
-
- out_c_file = os.path.join(args.out_dir, data_name + '.c')
- out_data_file = os.path.join(args.out_dir, data_name + '.datax')
-
- out_c_file_dir = os.path.dirname(out_c_file)
- out_data_file_dir = os.path.dirname(out_data_file)
- for directory in [out_c_file_dir, out_data_file_dir]:
- if not os.path.exists(directory):
- os.makedirs(directory)
-
- generate_code(funcs_file=args.funcs_file, data_file=args.data_file,
- template_file=args.template_file,
- platform_file=args.platform_file,
- helpers_file=args.helpers_file, suites_dir=args.suites_dir,
- c_file=out_c_file, out_data_file=out_data_file)
-
-
-if __name__ == "__main__":
- try:
- main()
- except GeneratorInputError as err:
- sys.exit("%s: input error: %s" %
- (os.path.basename(sys.argv[0]), str(err)))
diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py
index 05d80a5..dde37b7 100755
--- a/tests/scripts/generate_tls13_compat_tests.py
+++ b/tests/scripts/generate_tls13_compat_tests.py
@@ -3,19 +3,7 @@
# generate_tls13_compat_tests.py
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
Generate TLSv1.3 Compat test cases
@@ -32,18 +20,18 @@ from collections import namedtuple
Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile'])
# define the certificate parameters for signature algorithms
CERTIFICATES = {
- 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt',
- 'data_files/ecdsa_secp256r1.crt',
- 'data_files/ecdsa_secp256r1.key'),
- 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt',
- 'data_files/ecdsa_secp384r1.crt',
- 'data_files/ecdsa_secp384r1.key'),
- 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt',
- 'data_files/ecdsa_secp521r1.crt',
- 'data_files/ecdsa_secp521r1.key'),
- 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt',
- 'data_files/server2-sha256.crt', 'data_files/server2.key'
- )
+ 'ecdsa_secp256r1_sha256': Certificate('$DATA_FILES_PATH/test-ca2.crt',
+ '$DATA_FILES_PATH/ecdsa_secp256r1.crt',
+ '$DATA_FILES_PATH/ecdsa_secp256r1.key'),
+ 'ecdsa_secp384r1_sha384': Certificate('$DATA_FILES_PATH/test-ca2.crt',
+ '$DATA_FILES_PATH/ecdsa_secp384r1.crt',
+ '$DATA_FILES_PATH/ecdsa_secp384r1.key'),
+ 'ecdsa_secp521r1_sha512': Certificate('$DATA_FILES_PATH/test-ca2.crt',
+ '$DATA_FILES_PATH/ecdsa_secp521r1.crt',
+ '$DATA_FILES_PATH/ecdsa_secp521r1.key'),
+ 'rsa_pss_rsae_sha256': Certificate('$DATA_FILES_PATH/test-ca_cat12.crt',
+ '$DATA_FILES_PATH/server2-sha256.crt',
+ '$DATA_FILES_PATH/server2.key')
}
CIPHER_SUITE_IANA_VALUE = {
@@ -365,6 +353,19 @@ class MbedTLSBase(TLSProgram):
ret += ["groups={named_groups}".format(named_groups=named_groups)]
return ret
+ #pylint: disable=missing-function-docstring
+ def add_ffdh_group_requirements(self, requirement_list):
+ if 'ffdhe2048' in self._named_groups:
+ requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
+ if 'ffdhe3072' in self._named_groups:
+ requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
+ if 'ffdhe4096' in self._named_groups:
+ requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
+ if 'ffdhe6144' in self._named_groups:
+ requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
+ if 'ffdhe8192' in self._named_groups:
+ requirement_list.append('requires_config_enabled PSA_WANT_DH_RFC7919_2048')
+
def pre_checks(self):
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
'requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED']
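Review bot: Every branch of `add_ffdh_group_requirements` appends `requires_config_enabled PSA_WANT_DH_RFC7919_2048`, so the generated cases for ffdhe3072, ffdhe4096, ffdhe6144 and ffdhe8192 are gated on the 2048-bit group instead of their own. A build that enables only the 2048-bit group would try to run the larger-group cases, and a build that disables it would skip them all, so coverage of the larger FFDH groups is not tied to the configuration under test. Each group should map to its own `PSA_WANT_DH_RFC7919_<bits>` symbol; a loop over the sizes removes the copy-paste and leaves room for a docstring in place of the pylint suppression. The `pre_checks` hunk that follows calls this helper and inherits the problem.

```python
def add_ffdh_group_requirements(self, requirement_list):
    """Require the PSA_WANT_DH_RFC7919_<bits> option of each FFDH group in use."""
    for bits in ('2048', '3072', '4096', '6144', '8192'):
        if 'ffdhe' + bits in self._named_groups:
            requirement_list.append(
                'requires_config_enabled PSA_WANT_DH_RFC7919_' + bits)
```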
@@ -377,13 +378,14 @@ class MbedTLSBase(TLSProgram):
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
ec_groups = ['secp256r1', 'secp384r1', 'secp521r1', 'x25519', 'x448']
- ffdh_groups = ['ffdhe2048']
+ ffdh_groups = ['ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192']
if any(x in ec_groups for x in self._named_groups):
ret.append('requires_config_enabled PSA_WANT_ALG_ECDH')
if any(x in ffdh_groups for x in self._named_groups):
ret.append('requires_config_enabled PSA_WANT_ALG_FFDH')
+ self.add_ffdh_group_requirements(ret)
return ret
@@ -536,19 +538,7 @@ SSL_OUTPUT_HEADER = '''#!/bin/sh
# {filename}
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -559,6 +549,9 @@ SSL_OUTPUT_HEADER = '''#!/bin/sh
# AND REGENERATE THIS FILE.
#
'''
+DATA_FILES_PATH_VAR = '''
+DATA_FILES_PATH=../framework/data_files
+'''
def main():
"""
@@ -638,6 +631,7 @@ def main():
with open(args.output, 'w', encoding="utf-8") as f:
f.write(SSL_OUTPUT_HEADER.format(
filename=os.path.basename(args.output), cmd=' '.join(sys.argv)))
+ f.write(DATA_FILES_PATH_VAR)
f.write('\n\n'.join(get_all_test_cases()))
f.write('\n')
else:
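Review bot: The `f.write(DATA_FILES_PATH_VAR)` added here puts an unconditional, relative `DATA_FILES_PATH=../framework/data_files` into the generated script, and neither this call nor the constant defined in the preceding hunk says which directory the path is relative to. Every certificate and key path in `CERTIFICATES` now depends on that variable, so the generated file only works when it is run or sourced from a directory where the relative path resolves. A comment above the constant, such as `# Relative to the directory the generated script is run from (presumably tests/).`, would record the assumption. `main()` starts and ends outside this hunk.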
diff --git a/tests/scripts/list-identifiers.sh b/tests/scripts/list-identifiers.sh
index 9b93080..4ccac23 100755
--- a/tests/scripts/list-identifiers.sh
+++ b/tests/scripts/list-identifiers.sh
@@ -10,19 +10,7 @@
# Usage: list-identifiers.sh [ -i | --internal ]
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
set -eu
diff --git a/tests/scripts/list_internal_identifiers.py b/tests/scripts/list_internal_identifiers.py
index 6b41607..052feca 100755
--- a/tests/scripts/list_internal_identifiers.py
+++ b/tests/scripts/list_internal_identifiers.py
@@ -1,19 +1,7 @@
#!/usr/bin/env python3
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
This script generates a file called identifiers that contains all Mbed TLS
@@ -45,7 +33,9 @@ def main():
name_check = CodeParser(logging.getLogger())
result = name_check.parse_identifiers([
"include/mbedtls/*_internal.h",
- "library/*.h"
+ "library/*.h",
+ "tf-psa-crypto/core/*.h",
+ "tf-psa-crypto/drivers/builtin/src/*.h"
])[0]
result.sort(key=lambda x: x.name)
diff --git a/tests/scripts/psa_collect_statuses.py b/tests/scripts/psa_collect_statuses.py
index f685bab..11bbebc 100755
--- a/tests/scripts/psa_collect_statuses.py
+++ b/tests/scripts/psa_collect_statuses.py
@@ -13,19 +13,7 @@ only supported with make (as opposed to CMake or other build methods).
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import os
diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake
new file mode 100755
index 0000000..a34365b
--- /dev/null
+++ b/tests/scripts/quiet/cmake
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+
+# export VERBOSE_LOGS=1
+
+# don't silence invocations containing these arguments
+NO_SILENCE=" --version "
+
+TOOL="cmake"
+
+. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make
new file mode 100755
index 0000000..920e5b8
--- /dev/null
+++ b/tests/scripts/quiet/make
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+
+# export VERBOSE_LOGS=1
+
+# don't silence invocations containing these arguments
+NO_SILENCE=" --version | test "
+
+TOOL="make"
+
+. "$(dirname "$0")/quiet.sh"
diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh
new file mode 100644
index 0000000..0f26184
--- /dev/null
+++ b/tests/scripts/quiet/quiet.sh
@@ -0,0 +1,79 @@
+# -*-mode: sh; sh-shell: bash -*-
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+#
+# VERBOSE_LOGS=1
+#
+# This script provides most of the functionality for the adjacent make and cmake
+# wrappers.
+#
+# It requires two variables to be set:
+#
+# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make"
+#
+# NO_SILENCE - a regex that describes the commandline arguments for which output will not
+# be silenced, e.g. " --version | test ". In this example, "make lib test" will
+# not be silent, but "make lib" will be.
+
+# Identify path to original tool. There is an edge-case here where the quiet wrapper is on the path via
+# a symlink or relative path, but "type -ap" yields the wrapper with it's normalised path. We use
+# the -ef operator to compare paths, to avoid picking the wrapper in this case (to avoid infinitely
+# recursing).
+while IFS= read -r ORIGINAL_TOOL; do
+ if ! [[ $ORIGINAL_TOOL -ef "$0" ]]; then break; fi
+done < <(type -ap -- "$TOOL")
+
+print_quoted_args() {
+ # similar to printf '%q' "$@"
+ # but produce more human-readable results for common/simple cases like "a b"
+ for a in "$@"; do
+ # Get bash to quote the string
+ printf -v q '%q' "$a"
+ simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$"
+ if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then
+ # a requires some quoting (a != q), but has no single quotes, so we can
+ # simplify the quoted form - e.g.:
+ # a b -> 'a b'
+ # CFLAGS=a b -> CFLAGS='a b'
+ q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'"
+ fi
+ printf " %s" "$q"
+ done
+}
+
+if [[ ! " $* " =~ " --version " ]]; then
+ # Display the command being invoked - if it succeeds, this is all that will
+ # be displayed. Don't do this for invocations with --version, because
+ # this output is often parsed by scripts, so we don't want to modify it.
+ printf %s "${TOOL}" 1>&2
+ print_quoted_args "$@" 1>&2
+ echo 1>&2
+fi
+
+if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then
+ # Run original command with no output supression
+ exec "${ORIGINAL_TOOL}" "$@"
+else
+ # Run original command and capture output & exit status
+ TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX")
+ "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1
+ EXIT_STATUS=$?
+
+ if [[ $EXIT_STATUS -ne 0 ]]; then
+ # On error, display the full output
+ cat "${TMPFILE}"
+ fi
+
+ # Remove tmpfile
+ rm "${TMPFILE}"
+
+ # Propagate the exit status
+ exit $EXIT_STATUS
+fi
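Review bot: The capture branch at the end of quiet.sh neither checks that `mktemp` succeeded nor cleans up on interruption. A build killed mid-run leaves `quiet-<tool>.XXXXXX` files in the working directory, and a failed `mktemp` surfaces as a confusing redirect error. I would write `TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX") || exit 1` and follow it with `trap 'rm -f "${TMPFILE}"' EXIT`. Separately, if the lookup loop near the top finds no candidate other than the wrapper itself, `ORIGINAL_TOOL` ends up empty and the later `exec` fails without naming the missing tool; an explicit check with an error message would make that case diagnosable.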
diff --git a/tests/scripts/recursion.pl b/tests/scripts/recursion.pl
index 2a7dba5..3cdeff7 100755
--- a/tests/scripts/recursion.pl
+++ b/tests/scripts/recursion.pl
@@ -9,19 +9,7 @@
# Typical usage: scripts/recursion.pl library/*.c
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use warnings;
use strict;
diff --git a/tests/scripts/run-metatests.sh b/tests/scripts/run-metatests.sh
new file mode 100755
index 0000000..22a302c
--- /dev/null
+++ b/tests/scripts/run-metatests.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+help () {
+ cat <<EOF
+Usage: $0 [OPTION] [PLATFORM]...
+Run all the metatests whose platform matches any of the given PLATFORM.
+A PLATFORM can contain shell wildcards.
+
+Expected output: a lot of scary-looking error messages, since each
+metatest is expected to report a failure. The final line should be
+"Ran N metatests, all good."
+
+If something goes wrong: the final line should be
+"Ran N metatests, X unexpected successes". Look for "Unexpected success"
+in the logs above.
+
+ -l List the available metatests, don't run them.
+EOF
+}
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+set -e -u
+
+if [ -d programs ]; then
+ METATEST_PROGRAM=programs/test/metatest
+elif [ -d ../programs ]; then
+ METATEST_PROGRAM=../programs/test/metatest
+elif [ -d ../../programs ]; then
+ METATEST_PROGRAM=../../programs/test/metatest
+else
+ echo >&2 "$0: FATAL: programs/test/metatest not found"
+ exit 120
+fi
+
+LIST_ONLY=
+while getopts hl OPTLET; do
+ case $OPTLET in
+ h) help; exit;;
+ l) LIST_ONLY=1;;
+ \?) help >&2; exit 120;;
+ esac
+done
+shift $((OPTIND - 1))
+
+list_matches () {
+ while read name platform junk; do
+ for pattern in "$@"; do
+ case $platform in
+ $pattern) echo "$name"; break;;
+ esac
+ done
+ done
+}
+
+count=0
+errors=0
+run_metatest () {
+ ret=0
+ "$METATEST_PROGRAM" "$1" || ret=$?
+ if [ $ret -eq 0 ]; then
+ echo >&2 "$0: Unexpected success: $1"
+ errors=$((errors + 1))
+ fi
+ count=$((count + 1))
+}
+
+# Don't pipe the output of metatest so that if it fails, this script exits
+# immediately with a failure status.
+full_list=$("$METATEST_PROGRAM" list)
+matching_list=$(printf '%s\n' "$full_list" | list_matches "$@")
+
+if [ -n "$LIST_ONLY" ]; then
+ printf '%s\n' $matching_list
+ exit
+fi
+
+for name in $matching_list; do
+ run_metatest "$name"
+done
+
+if [ $errors -eq 0 ]; then
+ echo "Ran $count metatests, all good."
+ exit 0
+else
+ echo "Ran $count metatests, $errors unexpected successes."
+ exit 1
+fi
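Review bot: With no PLATFORM argument the `for pattern in "$@"` loop in `list_matches` never runs, so `matching_list` is empty and the script prints "Ran 0 metatests, all good." and exits 0. A CI job that calls it without arguments, or with a pattern that matches nothing, therefore passes without running a single metatest. If that is not intended, fail when nothing ran, for example `if [ $count -eq 0 ]; then echo >&2 "$0: no metatests matched"; exit 120; fi` before the final summary. `run_metatest` also counts any non-zero status as the expected failure, so a metatest that fails for an unrelated reason is reported as good; that deserves a comment if it is deliberate.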
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index cedc0bf..e0ee3f5 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -3,19 +3,7 @@
# run-test-suites.pl
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
=head1 SYNOPSIS
diff --git a/tests/scripts/scripts_path.py b/tests/scripts/scripts_path.py
index 10bf6f8..ce2afcf 100644
--- a/tests/scripts/scripts_path.py
+++ b/tests/scripts/scripts_path.py
@@ -6,19 +6,8 @@ Usage:
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
import os
import sys
@@ -26,3 +15,6 @@ import sys
sys.path.append(os.path.join(os.path.dirname(__file__),
os.path.pardir, os.path.pardir,
'scripts'))
+sys.path.append(os.path.join(os.path.dirname(__file__),
+ os.path.pardir, os.path.pardir,
+ 'framework', 'scripts'))
diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py
index 7f4ebeb..f68dfcb 100755
--- a/tests/scripts/set_psa_test_dependencies.py
+++ b/tests/scripts/set_psa_test_dependencies.py
@@ -4,19 +4,7 @@
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import os
import re
diff --git a/tests/scripts/tcp_client.pl b/tests/scripts/tcp_client.pl
index 17f824e..9aff22d 100755
--- a/tests/scripts/tcp_client.pl
+++ b/tests/scripts/tcp_client.pl
@@ -6,19 +6,7 @@
# RESPONSE: regexp that must match the server's response
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
use warnings;
use strict;
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 15209b4..9198293 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -3,19 +3,7 @@
# test-ref-configs.pl
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -29,29 +17,24 @@ use strict;
my %configs = (
'config-ccm-psk-tls1_2.h' => {
- 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
- 'test_again_with_use_psa' => 1
+ 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
},
'config-ccm-psk-dtls1_2.h' => {
- 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+ 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
'opt' => ' ',
'opt_needs_debug' => 1,
- 'test_again_with_use_psa' => 1
- },
- 'config-no-entropy.h' => {
},
'config-suite-b.h' => {
- 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
- 'test_again_with_use_psa' => 1,
+ 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS",
'opt' => ' ',
'opt_needs_debug' => 1,
},
'config-symmetric-only.h' => {
- 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
+ },
+ 'config-tfm.h' => {
},
'config-thread.h' => {
'opt' => '-f ECJPAKE.*nolog',
- 'test_again_with_use_psa' => 1,
},
);
@@ -157,7 +140,10 @@ sub perform_test {
}
foreach my $conf ( @configs_to_test ) {
- my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'};
+ system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null");
+ die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100;
+ my $test_with_psa = $? == 0;
+
if ( $test_with_psa )
{
perform_test( $conf, $configs{$conf}, $test_with_psa );
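Review bot: The PSA re-run in this `foreach` loop is now decided by `grep` finding the exact commented-out text `//#define MBEDTLS_USE_PSA_CRYPTO`, so a config that spells it `// #define ...` or drops the line silently loses its second pass. A comment above the `system` call should state that convention, e.g. `# A config opts in to the USE_PSA re-run by carrying this commented-out line exactly as grepped.` The command is also a shell string with `$conf` interpolated; if `@configs_to_test` can be filled from the command line (not visible in this hunk), the list form keeps the name away from the shell: `system('grep', '-q', '--', '//#define MBEDTLS_USE_PSA_CRYPTO', "configs/$conf");`. When grep itself exits with an error, `$!` does not describe it, so the status belongs in the message: `die "grep ... configs/$conf: status $?" if $? != 0 && $? != 0x100;`. The loop body continues outside the hunk.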
diff --git a/tests/scripts/test_config_script.py b/tests/scripts/test_config_script.py
index e230e3c..e500b33 100755
--- a/tests/scripts/test_config_script.py
+++ b/tests/scripts/test_config_script.py
@@ -14,19 +14,8 @@ Sample usage:
"""
## Copyright The Mbed TLS Contributors
-## SPDX-License-Identifier: Apache-2.0
+## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
##
-## Licensed under the Apache License, Version 2.0 (the "License"); you may
-## not use this file except in compliance with the License.
-## You may obtain a copy of the License at
-##
-## http://www.apache.org/licenses/LICENSE-2.0
-##
-## Unless required by applicable law or agreed to in writing, software
-## distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-## WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-## See the License for the specific language governing permissions and
-## limitations under the License.
import argparse
import glob
diff --git a/tests/scripts/test_generate_test_code.py b/tests/scripts/test_generate_test_code.py
deleted file mode 100755
index b32d184..0000000
--- a/tests/scripts/test_generate_test_code.py
+++ /dev/null
@@ -1,1927 +0,0 @@
-#!/usr/bin/env python3
-# Unit test for generate_test_code.py
-#
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Unit tests for generate_test_code.py
-"""
-
-from io import StringIO
-from unittest import TestCase, main as unittest_main
-from unittest.mock import patch
-
-from generate_test_code import gen_dependencies, gen_dependencies_one_line
-from generate_test_code import gen_function_wrapper, gen_dispatch
-from generate_test_code import parse_until_pattern, GeneratorInputError
-from generate_test_code import parse_suite_dependencies
-from generate_test_code import parse_function_dependencies
-from generate_test_code import parse_function_arguments, parse_function_code
-from generate_test_code import parse_functions, END_HEADER_REGEX
-from generate_test_code import END_SUITE_HELPERS_REGEX, escaped_split
-from generate_test_code import parse_test_data, gen_dep_check
-from generate_test_code import gen_expression_check, write_dependencies
-from generate_test_code import write_parameters, gen_suite_dep_checks
-from generate_test_code import gen_from_test_data
-
-
-class GenDep(TestCase):
- """
- Test suite for function gen_dep()
- """
-
- def test_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['DEP1', 'DEP2']
- dep_start, dep_end = gen_dependencies(dependencies)
- preprocessor1, preprocessor2 = dep_start.splitlines()
- endif1, endif2 = dep_end.splitlines()
- self.assertEqual(preprocessor1, '#if defined(DEP1)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(preprocessor2, '#if defined(DEP2)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif1, '#endif /* DEP2 */',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif2, '#endif /* DEP1 */',
- 'Preprocessor generated incorrectly')
-
- def test_disabled_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['!DEP1', '!DEP2']
- dep_start, dep_end = gen_dependencies(dependencies)
- preprocessor1, preprocessor2 = dep_start.splitlines()
- endif1, endif2 = dep_end.splitlines()
- self.assertEqual(preprocessor1, '#if !defined(DEP1)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(preprocessor2, '#if !defined(DEP2)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif1, '#endif /* !DEP2 */',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif2, '#endif /* !DEP1 */',
- 'Preprocessor generated incorrectly')
-
- def test_mixed_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['!DEP1', 'DEP2']
- dep_start, dep_end = gen_dependencies(dependencies)
- preprocessor1, preprocessor2 = dep_start.splitlines()
- endif1, endif2 = dep_end.splitlines()
- self.assertEqual(preprocessor1, '#if !defined(DEP1)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(preprocessor2, '#if defined(DEP2)',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif1, '#endif /* DEP2 */',
- 'Preprocessor generated incorrectly')
- self.assertEqual(endif2, '#endif /* !DEP1 */',
- 'Preprocessor generated incorrectly')
-
- def test_empty_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = []
- dep_start, dep_end = gen_dependencies(dependencies)
- self.assertEqual(dep_start, '', 'Preprocessor generated incorrectly')
- self.assertEqual(dep_end, '', 'Preprocessor generated incorrectly')
-
- def test_large_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = []
- count = 10
- for i in range(count):
- dependencies.append('DEP%d' % i)
- dep_start, dep_end = gen_dependencies(dependencies)
- self.assertEqual(len(dep_start.splitlines()), count,
- 'Preprocessor generated incorrectly')
- self.assertEqual(len(dep_end.splitlines()), count,
- 'Preprocessor generated incorrectly')
-
-
-class GenDepOneLine(TestCase):
- """
- Test Suite for testing gen_dependencies_one_line()
- """
-
- def test_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['DEP1', 'DEP2']
- dep_str = gen_dependencies_one_line(dependencies)
- self.assertEqual(dep_str, '#if defined(DEP1) && defined(DEP2)',
- 'Preprocessor generated incorrectly')
-
- def test_disabled_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['!DEP1', '!DEP2']
- dep_str = gen_dependencies_one_line(dependencies)
- self.assertEqual(dep_str, '#if !defined(DEP1) && !defined(DEP2)',
- 'Preprocessor generated incorrectly')
-
- def test_mixed_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = ['!DEP1', 'DEP2']
- dep_str = gen_dependencies_one_line(dependencies)
- self.assertEqual(dep_str, '#if !defined(DEP1) && defined(DEP2)',
- 'Preprocessor generated incorrectly')
-
- def test_empty_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = []
- dep_str = gen_dependencies_one_line(dependencies)
- self.assertEqual(dep_str, '', 'Preprocessor generated incorrectly')
-
- def test_large_dependencies_list(self):
- """
- Test that gen_dep() correctly creates dependencies for given
- dependency list.
- :return:
- """
- dependencies = []
- count = 10
- for i in range(count):
- dependencies.append('DEP%d' % i)
- dep_str = gen_dependencies_one_line(dependencies)
- expected = '#if ' + ' && '.join(['defined(%s)' %
- x for x in dependencies])
- self.assertEqual(dep_str, expected,
- 'Preprocessor generated incorrectly')
-
-
-class GenFunctionWrapper(TestCase):
- """
- Test Suite for testing gen_function_wrapper()
- """
-
- def test_params_unpack(self):
- """
- Test that params are properly unpacked in the function call.
-
- :return:
- """
- code = gen_function_wrapper('test_a', '', ('a', 'b', 'c', 'd'))
- expected = '''
-void test_a_wrapper( void ** params )
-{
-
- test_a( a, b, c, d );
-}
-'''
- self.assertEqual(code, expected)
-
- def test_local(self):
- """
- Test that params are properly unpacked in the function call.
-
- :return:
- """
- code = gen_function_wrapper('test_a',
- 'int x = 1;', ('x', 'b', 'c', 'd'))
- expected = '''
-void test_a_wrapper( void ** params )
-{
-int x = 1;
- test_a( x, b, c, d );
-}
-'''
- self.assertEqual(code, expected)
-
- def test_empty_params(self):
- """
- Test that params are properly unpacked in the function call.
-
- :return:
- """
- code = gen_function_wrapper('test_a', '', ())
- expected = '''
-void test_a_wrapper( void ** params )
-{
- (void)params;
-
- test_a( );
-}
-'''
- self.assertEqual(code, expected)
-
-
-class GenDispatch(TestCase):
- """
- Test suite for testing gen_dispatch()
- """
-
- def test_dispatch(self):
- """
- Test that dispatch table entry is generated correctly.
- :return:
- """
- code = gen_dispatch('test_a', ['DEP1', 'DEP2'])
- expected = '''
-#if defined(DEP1) && defined(DEP2)
- test_a_wrapper,
-#else
- NULL,
-#endif
-'''
- self.assertEqual(code, expected)
-
- def test_empty_dependencies(self):
- """
- Test empty dependency list.
- :return:
- """
- code = gen_dispatch('test_a', [])
- expected = '''
- test_a_wrapper,
-'''
- self.assertEqual(code, expected)
-
-
-class StringIOWrapper(StringIO):
- """
- file like class to mock file object in tests.
- """
- def __init__(self, file_name, data, line_no=0):
- """
- Init file handle.
-
- :param file_name:
- :param data:
- :param line_no:
- """
- super(StringIOWrapper, self).__init__(data)
- self.line_no = line_no
- self.name = file_name
-
- def next(self):
- """
- Iterator method. This method overrides base class's
- next method and extends the next method to count the line
- numbers as each line is read.
-
- :return: Line read from file.
- """
- parent = super(StringIOWrapper, self)
- line = parent.__next__()
- return line
-
- def readline(self, _length=0):
- """
- Wrap the base class readline.
-
- :param length:
- :return:
- """
- line = super(StringIOWrapper, self).readline()
- if line is not None:
- self.line_no += 1
- return line
-
-
-class ParseUntilPattern(TestCase):
- """
- Test Suite for testing parse_until_pattern().
- """
-
- def test_suite_headers(self):
- """
- Test that suite headers are parsed correctly.
-
- :return:
- """
- data = '''#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-/* END_HEADER */
-'''
- expected = '''#line 1 "test_suite_ut.function"
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-'''
- stream = StringIOWrapper('test_suite_ut.function', data, line_no=0)
- headers = parse_until_pattern(stream, END_HEADER_REGEX)
- self.assertEqual(headers, expected)
-
- def test_line_no(self):
- """
- Test that #line is set to correct line no. in source .function file.
-
- :return:
- """
- data = '''#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-/* END_HEADER */
-'''
- offset_line_no = 5
- expected = '''#line %d "test_suite_ut.function"
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-''' % (offset_line_no + 1)
- stream = StringIOWrapper('test_suite_ut.function', data,
- offset_line_no)
- headers = parse_until_pattern(stream, END_HEADER_REGEX)
- self.assertEqual(headers, expected)
-
- def test_no_end_header_comment(self):
- """
- Test that InvalidFileFormat is raised when end header comment is
- missing.
- :return:
- """
- data = '''#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(GeneratorInputError, parse_until_pattern, stream,
- END_HEADER_REGEX)
-
-
-class ParseSuiteDependencies(TestCase):
- """
- Test Suite for testing parse_suite_dependencies().
- """
-
- def test_suite_dependencies(self):
- """
-
- :return:
- """
- data = '''
- * depends_on:MBEDTLS_ECP_C
- * END_DEPENDENCIES
- */
-'''
- expected = ['MBEDTLS_ECP_C']
- stream = StringIOWrapper('test_suite_ut.function', data)
- dependencies = parse_suite_dependencies(stream)
- self.assertEqual(dependencies, expected)
-
- def test_no_end_dep_comment(self):
- """
- Test that InvalidFileFormat is raised when end dep comment is missing.
- :return:
- """
- data = '''
-* depends_on:MBEDTLS_ECP_C
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(GeneratorInputError, parse_suite_dependencies,
- stream)
-
- def test_dependencies_split(self):
- """
- Test that InvalidFileFormat is raised when end dep comment is missing.
- :return:
- """
- data = '''
- * depends_on:MBEDTLS_ECP_C:A:B: C : D :F : G: !H
- * END_DEPENDENCIES
- */
-'''
- expected = ['MBEDTLS_ECP_C', 'A', 'B', 'C', 'D', 'F', 'G', '!H']
- stream = StringIOWrapper('test_suite_ut.function', data)
- dependencies = parse_suite_dependencies(stream)
- self.assertEqual(dependencies, expected)
-
-
-class ParseFuncDependencies(TestCase):
- """
- Test Suite for testing parse_function_dependencies()
- """
-
- def test_function_dependencies(self):
- """
- Test that parse_function_dependencies() correctly parses function
- dependencies.
- :return:
- """
- line = '/* BEGIN_CASE ' \
- 'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */'
- expected = ['MBEDTLS_ENTROPY_NV_SEED', 'MBEDTLS_FS_IO']
- dependencies = parse_function_dependencies(line)
- self.assertEqual(dependencies, expected)
-
- def test_no_dependencies(self):
- """
- Test that parse_function_dependencies() correctly parses function
- dependencies.
- :return:
- """
- line = '/* BEGIN_CASE */'
- dependencies = parse_function_dependencies(line)
- self.assertEqual(dependencies, [])
-
- def test_tolerance(self):
- """
- Test that parse_function_dependencies() correctly parses function
- dependencies.
- :return:
- """
- line = '/* BEGIN_CASE depends_on:MBEDTLS_FS_IO: A : !B:C : F*/'
- dependencies = parse_function_dependencies(line)
- self.assertEqual(dependencies, ['MBEDTLS_FS_IO', 'A', '!B', 'C', 'F'])
-
-
-class ParseFuncSignature(TestCase):
- """
- Test Suite for parse_function_arguments().
- """
-
- def test_int_and_char_params(self):
- """
- Test int and char parameters parsing
- :return:
- """
- line = 'void entropy_threshold( char * a, int b, int result )'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, ['char*', 'int', 'int'])
- self.assertEqual(local, '')
- self.assertEqual(arg_dispatch,
- ['(char *) params[0]',
- '((mbedtls_test_argument_t *) params[1])->sint',
- '((mbedtls_test_argument_t *) params[2])->sint'])
-
- def test_hex_params(self):
- """
- Test hex parameters parsing
- :return:
- """
- line = 'void entropy_threshold( char * a, data_t * h, int result )'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, ['char*', 'hex', 'int'])
- self.assertEqual(local,
- ' data_t data1 = {(uint8_t *) params[1], '
- '((mbedtls_test_argument_t *) params[2])->len};\n')
- self.assertEqual(arg_dispatch, ['(char *) params[0]',
- '&data1',
- '((mbedtls_test_argument_t *) params[3])->sint'])
-
- def test_unsupported_arg(self):
- """
- Test unsupported argument type
- :return:
- """
- line = 'void entropy_threshold( char * a, data_t * h, unknown_t result )'
- self.assertRaises(ValueError, parse_function_arguments, line)
-
- def test_empty_params(self):
- """
- Test no parameters (nothing between parentheses).
- :return:
- """
- line = 'void entropy_threshold()'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, [])
- self.assertEqual(local, '')
- self.assertEqual(arg_dispatch, [])
-
- def test_blank_params(self):
- """
- Test no parameters (space between parentheses).
- :return:
- """
- line = 'void entropy_threshold( )'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, [])
- self.assertEqual(local, '')
- self.assertEqual(arg_dispatch, [])
-
- def test_void_params(self):
- """
- Test no parameters (void keyword).
- :return:
- """
- line = 'void entropy_threshold(void)'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, [])
- self.assertEqual(local, '')
- self.assertEqual(arg_dispatch, [])
-
- def test_void_space_params(self):
- """
- Test no parameters (void with spaces).
- :return:
- """
- line = 'void entropy_threshold( void )'
- args, local, arg_dispatch = parse_function_arguments(line)
- self.assertEqual(args, [])
- self.assertEqual(local, '')
- self.assertEqual(arg_dispatch, [])
-
-
-class ParseFunctionCode(TestCase):
- """
- Test suite for testing parse_function_code()
- """
-
- def test_no_function(self):
- """
- Test no test function found.
- :return:
- """
- data = '''
-No
-test
-function
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- err_msg = 'file: test_suite_ut.function - Test functions not found!'
- self.assertRaisesRegex(GeneratorInputError, err_msg,
- parse_function_code, stream, [], [])
-
- def test_no_end_case_comment(self):
- """
- Test missing end case.
- :return:
- """
- data = '''
-void test_func()
-{
-}
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- err_msg = r'file: test_suite_ut.function - '\
- 'end case pattern .*? not found!'
- self.assertRaisesRegex(GeneratorInputError, err_msg,
- parse_function_code, stream, [], [])
-
- @patch("generate_test_code.parse_function_arguments")
- def test_function_called(self,
- parse_function_arguments_mock):
- """
- Test parse_function_code()
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- data = '''
-void test_func()
-{
-}
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(GeneratorInputError, parse_function_code,
- stream, [], [])
- self.assertTrue(parse_function_arguments_mock.called)
- parse_function_arguments_mock.assert_called_with('void test_func()\n')
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_return(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test generated code.
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-void func()
-{
- ba ba black sheep
- have you any wool
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- name, arg, code, dispatch_code = parse_function_code(stream, [], [])
-
- self.assertTrue(parse_function_arguments_mock.called)
- parse_function_arguments_mock.assert_called_with('void func()\n')
- gen_function_wrapper_mock.assert_called_with('test_func', '', [])
- self.assertEqual(name, 'test_func')
- self.assertEqual(arg, [])
- expected = '''#line 1 "test_suite_ut.function"
-
-void test_func(void)
-{
- ba ba black sheep
- have you any wool
-exit:
- ;
-}
-'''
- self.assertEqual(code, expected)
- self.assertEqual(dispatch_code, "\n test_func_wrapper,\n")
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_with_exit_label(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test when exit label is present.
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-void func()
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-void test_func(void)
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
- def test_non_void_function(self):
- """
- Test invalid signature (non void).
- :return:
- """
- data = 'int entropy_threshold( char * a, data_t * h, int result )'
- err_msg = 'file: test_suite_ut.function - Test functions not found!'
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaisesRegex(GeneratorInputError, err_msg,
- parse_function_code, stream, [], [])
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_function_name_on_newline(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test with line break before the function name.
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-void
-
-
-func()
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-void
-
-
-test_func(void)
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_case_starting_with_comment(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test with comments before the function signature
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''/* comment */
-/* more
- * comment */
-// this is\\
-still \\
-a comment
-void func()
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-
-
-
-
-
-void test_func(void)
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_comment_in_prototype(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test with comments in the function prototype
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-void func( int x, // (line \\
- comment)
- int y /* lone closing parenthesis) */ )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-void test_func( int x,
-
- int y )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_line_comment_in_block_comment(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test with line comment in block comment.
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-void func( int x /* // */ )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-void test_func( int x )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
- @patch("generate_test_code.gen_dispatch")
- @patch("generate_test_code.gen_dependencies")
- @patch("generate_test_code.gen_function_wrapper")
- @patch("generate_test_code.parse_function_arguments")
- def test_block_comment_in_line_comment(self, parse_function_arguments_mock,
- gen_function_wrapper_mock,
- gen_dependencies_mock,
- gen_dispatch_mock):
- """
- Test with block comment in line comment.
- :return:
- """
- parse_function_arguments_mock.return_value = ([], '', [])
- gen_function_wrapper_mock.return_value = ''
- gen_dependencies_mock.side_effect = gen_dependencies
- gen_dispatch_mock.side_effect = gen_dispatch
- data = '''
-// /*
-void func( int x )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- _, _, code, _ = parse_function_code(stream, [], [])
-
- expected = '''#line 1 "test_suite_ut.function"
-
-
-void test_func( int x )
-{
- ba ba black sheep
- have you any wool
-exit:
- yes sir yes sir
- 3 bags full
-}
-'''
- self.assertEqual(code, expected)
-
-
-class ParseFunction(TestCase):
- """
- Test Suite for testing parse_functions()
- """
-
- @patch("generate_test_code.parse_until_pattern")
- def test_begin_header(self, parse_until_pattern_mock):
- """
- Test that begin header is checked and parse_until_pattern() is called.
- :return:
- """
- def stop(*_unused):
- """Stop when parse_until_pattern is called."""
- raise Exception
- parse_until_pattern_mock.side_effect = stop
- data = '''/* BEGIN_HEADER */
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-/* END_HEADER */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(Exception, parse_functions, stream)
- parse_until_pattern_mock.assert_called_with(stream, END_HEADER_REGEX)
- self.assertEqual(stream.line_no, 1)
-
- @patch("generate_test_code.parse_until_pattern")
- def test_begin_helper(self, parse_until_pattern_mock):
- """
- Test that begin helper is checked and parse_until_pattern() is called.
- :return:
- """
- def stop(*_unused):
- """Stop when parse_until_pattern is called."""
- raise Exception
- parse_until_pattern_mock.side_effect = stop
- data = '''/* BEGIN_SUITE_HELPERS */
-void print_hello_world()
-{
- printf("Hello World!\n");
-}
-/* END_SUITE_HELPERS */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(Exception, parse_functions, stream)
- parse_until_pattern_mock.assert_called_with(stream,
- END_SUITE_HELPERS_REGEX)
- self.assertEqual(stream.line_no, 1)
-
- @patch("generate_test_code.parse_suite_dependencies")
- def test_begin_dep(self, parse_suite_dependencies_mock):
- """
- Test that begin dep is checked and parse_suite_dependencies() is
- called.
- :return:
- """
- def stop(*_unused):
- """Stop when parse_until_pattern is called."""
- raise Exception
- parse_suite_dependencies_mock.side_effect = stop
- data = '''/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_ECP_C
- * END_DEPENDENCIES
- */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(Exception, parse_functions, stream)
- parse_suite_dependencies_mock.assert_called_with(stream)
- self.assertEqual(stream.line_no, 1)
-
- @patch("generate_test_code.parse_function_dependencies")
- def test_begin_function_dep(self, func_mock):
- """
- Test that begin dep is checked and parse_function_dependencies() is
- called.
- :return:
- """
- def stop(*_unused):
- """Stop when parse_until_pattern is called."""
- raise Exception
- func_mock.side_effect = stop
-
- dependencies_str = '/* BEGIN_CASE ' \
- 'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n'
- data = '''%svoid test_func()
-{
-}
-''' % dependencies_str
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(Exception, parse_functions, stream)
- func_mock.assert_called_with(dependencies_str)
- self.assertEqual(stream.line_no, 1)
-
- @patch("generate_test_code.parse_function_code")
- @patch("generate_test_code.parse_function_dependencies")
- def test_return(self, func_mock1, func_mock2):
- """
- Test that begin case is checked and parse_function_code() is called.
- :return:
- """
- func_mock1.return_value = []
- in_func_code = '''void test_func()
-{
-}
-'''
- func_dispatch = '''
- test_func_wrapper,
-'''
- func_mock2.return_value = 'test_func', [],\
- in_func_code, func_dispatch
- dependencies_str = '/* BEGIN_CASE ' \
- 'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n'
- data = '''%svoid test_func()
-{
-}
-''' % dependencies_str
- stream = StringIOWrapper('test_suite_ut.function', data)
- suite_dependencies, dispatch_code, func_code, func_info = \
- parse_functions(stream)
- func_mock1.assert_called_with(dependencies_str)
- func_mock2.assert_called_with(stream, [], [])
- self.assertEqual(stream.line_no, 5)
- self.assertEqual(suite_dependencies, [])
- expected_dispatch_code = '''/* Function Id: 0 */
-
- test_func_wrapper,
-'''
- self.assertEqual(dispatch_code, expected_dispatch_code)
- self.assertEqual(func_code, in_func_code)
- self.assertEqual(func_info, {'test_func': (0, [])})
-
- def test_parsing(self):
- """
- Test case parsing.
- :return:
- """
- data = '''/* BEGIN_HEADER */
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-/* END_HEADER */
-
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_ECP_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void func1()
-{
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void func2()
-{
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- suite_dependencies, dispatch_code, func_code, func_info = \
- parse_functions(stream)
- self.assertEqual(stream.line_no, 23)
- self.assertEqual(suite_dependencies, ['MBEDTLS_ECP_C'])
-
- expected_dispatch_code = '''/* Function Id: 0 */
-
-#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_FS_IO)
- test_func1_wrapper,
-#else
- NULL,
-#endif
-/* Function Id: 1 */
-
-#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_FS_IO)
- test_func2_wrapper,
-#else
- NULL,
-#endif
-'''
- self.assertEqual(dispatch_code, expected_dispatch_code)
- expected_func_code = '''#if defined(MBEDTLS_ECP_C)
-#line 2 "test_suite_ut.function"
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-#if defined(MBEDTLS_FS_IO)
-#line 13 "test_suite_ut.function"
-void test_func1(void)
-{
-exit:
- ;
-}
-
-void test_func1_wrapper( void ** params )
-{
- (void)params;
-
- test_func1( );
-}
-#endif /* MBEDTLS_FS_IO */
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-#if defined(MBEDTLS_ENTROPY_NV_SEED)
-#if defined(MBEDTLS_FS_IO)
-#line 19 "test_suite_ut.function"
-void test_func2(void)
-{
-exit:
- ;
-}
-
-void test_func2_wrapper( void ** params )
-{
- (void)params;
-
- test_func2( );
-}
-#endif /* MBEDTLS_FS_IO */
-#endif /* MBEDTLS_ENTROPY_NV_SEED */
-#endif /* MBEDTLS_ECP_C */
-'''
- self.assertEqual(func_code, expected_func_code)
- self.assertEqual(func_info, {'test_func1': (0, []),
- 'test_func2': (1, [])})
-
- def test_same_function_name(self):
- """
- Test name conflict.
- :return:
- """
- data = '''/* BEGIN_HEADER */
-#include "mbedtls/ecp.h"
-
-#define ECP_PF_UNKNOWN -1
-/* END_HEADER */
-
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_ECP_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void func()
-{
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void func()
-{
-}
-/* END_CASE */
-'''
- stream = StringIOWrapper('test_suite_ut.function', data)
- self.assertRaises(GeneratorInputError, parse_functions, stream)
-
-
-class EscapedSplit(TestCase):
- """
- Test suite for testing escaped_split().
- Note: Since escaped_split() output is used to write back to the
- intermediate data file. Any escape characters in the input are
- retained in the output.
- """
-
- def test_invalid_input(self):
- """
- Test when input split character is not a character.
- :return:
- """
- self.assertRaises(ValueError, escaped_split, '', 'string')
-
- def test_empty_string(self):
- """
- Test empty string input.
- :return:
- """
- splits = escaped_split('', ':')
- self.assertEqual(splits, [])
-
- def test_no_escape(self):
- """
- Test with no escape character. The behaviour should be same as
- str.split()
- :return:
- """
- test_str = 'yahoo:google'
- splits = escaped_split(test_str, ':')
- self.assertEqual(splits, test_str.split(':'))
-
- def test_escaped_input(self):
- """
- Test input that has escaped delimiter.
- :return:
- """
- test_str = r'yahoo\:google:facebook'
- splits = escaped_split(test_str, ':')
- self.assertEqual(splits, [r'yahoo\:google', 'facebook'])
-
- def test_escaped_escape(self):
- """
- Test input that has escaped delimiter.
- :return:
- """
- test_str = r'yahoo\\:google:facebook'
- splits = escaped_split(test_str, ':')
- self.assertEqual(splits, [r'yahoo\\', 'google', 'facebook'])
-
- def test_all_at_once(self):
- """
- Test input that has escaped delimiter.
- :return:
- """
- test_str = r'yahoo\\:google:facebook\:instagram\\:bbc\\:wikipedia'
- splits = escaped_split(test_str, ':')
- self.assertEqual(splits, [r'yahoo\\', r'google',
- r'facebook\:instagram\\',
- r'bbc\\', r'wikipedia'])
-
-
-class ParseTestData(TestCase):
- """
- Test suite for parse test data.
- """
-
- def test_parser(self):
- """
- Test that tests are parsed correctly from data file.
- :return:
- """
- data = """
-Diffie-Hellman full exchange #1
-dhm_do_dhm:10:"23":10:"5"
-
-Diffie-Hellman full exchange #2
-dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
-
-Diffie-Hellman full exchange #3
-dhm_do_dhm:10:"9345098382739712938719287391879381271":10:"9345098792137312973297123912791271"
-
-Diffie-Hellman selftest
-dhm_selftest:
-"""
- stream = StringIOWrapper('test_suite_ut.function', data)
- # List of (name, function_name, dependencies, args)
- tests = list(parse_test_data(stream))
- test1, test2, test3, test4 = tests
- self.assertEqual(test1[0], 3)
- self.assertEqual(test1[1], 'Diffie-Hellman full exchange #1')
- self.assertEqual(test1[2], 'dhm_do_dhm')
- self.assertEqual(test1[3], [])
- self.assertEqual(test1[4], ['10', '"23"', '10', '"5"'])
-
- self.assertEqual(test2[0], 6)
- self.assertEqual(test2[1], 'Diffie-Hellman full exchange #2')
- self.assertEqual(test2[2], 'dhm_do_dhm')
- self.assertEqual(test2[3], [])
- self.assertEqual(test2[4], ['10', '"93450983094850938450983409623"',
- '10', '"9345098304850938450983409622"'])
-
- self.assertEqual(test3[0], 9)
- self.assertEqual(test3[1], 'Diffie-Hellman full exchange #3')
- self.assertEqual(test3[2], 'dhm_do_dhm')
- self.assertEqual(test3[3], [])
- self.assertEqual(test3[4], ['10',
- '"9345098382739712938719287391879381271"',
- '10',
- '"9345098792137312973297123912791271"'])
-
- self.assertEqual(test4[0], 12)
- self.assertEqual(test4[1], 'Diffie-Hellman selftest')
- self.assertEqual(test4[2], 'dhm_selftest')
- self.assertEqual(test4[3], [])
- self.assertEqual(test4[4], [])
-
- def test_with_dependencies(self):
- """
- Test that tests with dependencies are parsed.
- :return:
- """
- data = """
-Diffie-Hellman full exchange #1
-depends_on:YAHOO
-dhm_do_dhm:10:"23":10:"5"
-
-Diffie-Hellman full exchange #2
-dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
-
-"""
- stream = StringIOWrapper('test_suite_ut.function', data)
- # List of (name, function_name, dependencies, args)
- tests = list(parse_test_data(stream))
- test1, test2 = tests
- self.assertEqual(test1[0], 4)
- self.assertEqual(test1[1], 'Diffie-Hellman full exchange #1')
- self.assertEqual(test1[2], 'dhm_do_dhm')
- self.assertEqual(test1[3], ['YAHOO'])
- self.assertEqual(test1[4], ['10', '"23"', '10', '"5"'])
-
- self.assertEqual(test2[0], 7)
- self.assertEqual(test2[1], 'Diffie-Hellman full exchange #2')
- self.assertEqual(test2[2], 'dhm_do_dhm')
- self.assertEqual(test2[3], [])
- self.assertEqual(test2[4], ['10', '"93450983094850938450983409623"',
- '10', '"9345098304850938450983409622"'])
-
- def test_no_args(self):
- """
- Test GeneratorInputError is raised when test function name and
- args line is missing.
- :return:
- """
- data = """
-Diffie-Hellman full exchange #1
-depends_on:YAHOO
-
-
-Diffie-Hellman full exchange #2
-dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
-
-"""
- stream = StringIOWrapper('test_suite_ut.function', data)
- err = None
- try:
- for _, _, _, _, _ in parse_test_data(stream):
- pass
- except GeneratorInputError as err:
- self.assertEqual(type(err), GeneratorInputError)
-
- def test_incomplete_data(self):
- """
- Test GeneratorInputError is raised when test function name
- and args line is missing.
- :return:
- """
- data = """
-Diffie-Hellman full exchange #1
-depends_on:YAHOO
-"""
- stream = StringIOWrapper('test_suite_ut.function', data)
- err = None
- try:
- for _, _, _, _, _ in parse_test_data(stream):
- pass
- except GeneratorInputError as err:
- self.assertEqual(type(err), GeneratorInputError)
-
-
-class GenDepCheck(TestCase):
- """
- Test suite for gen_dep_check(). It is assumed this function is
- called with valid inputs.
- """
-
- def test_gen_dep_check(self):
- """
- Test that dependency check code generated correctly.
- :return:
- """
- expected = """
- case 5:
- {
-#if defined(YAHOO)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;"""
- out = gen_dep_check(5, 'YAHOO')
- self.assertEqual(out, expected)
-
- def test_not_defined_dependency(self):
- """
- Test dependency with !.
- :return:
- """
- expected = """
- case 5:
- {
-#if !defined(YAHOO)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;"""
- out = gen_dep_check(5, '!YAHOO')
- self.assertEqual(out, expected)
-
- def test_empty_dependency(self):
- """
- Test invalid dependency input.
- :return:
- """
- self.assertRaises(GeneratorInputError, gen_dep_check, 5, '!')
-
- def test_negative_dep_id(self):
- """
- Test invalid dependency input.
- :return:
- """
- self.assertRaises(GeneratorInputError, gen_dep_check, -1, 'YAHOO')
-
-
-class GenExpCheck(TestCase):
- """
- Test suite for gen_expression_check(). It is assumed this function
- is called with valid inputs.
- """
-
- def test_gen_exp_check(self):
- """
- Test that expression check code generated correctly.
- :return:
- """
- expected = """
- case 5:
- {
- *out_value = YAHOO;
- }
- break;"""
- out = gen_expression_check(5, 'YAHOO')
- self.assertEqual(out, expected)
-
- def test_invalid_expression(self):
- """
- Test invalid expression input.
- :return:
- """
- self.assertRaises(GeneratorInputError, gen_expression_check, 5, '')
-
- def test_negative_exp_id(self):
- """
- Test invalid expression id.
- :return:
- """
- self.assertRaises(GeneratorInputError, gen_expression_check,
- -1, 'YAHOO')
-
-
-class WriteDependencies(TestCase):
- """
- Test suite for testing write_dependencies.
- """
-
- def test_no_test_dependencies(self):
- """
- Test when test dependencies input is empty.
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_dependencies = []
- dep_check_code = write_dependencies(stream, [], unique_dependencies)
- self.assertEqual(dep_check_code, '')
- self.assertEqual(len(unique_dependencies), 0)
- self.assertEqual(stream.getvalue(), '')
-
- def test_unique_dep_ids(self):
- """
-
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_dependencies = []
- dep_check_code = write_dependencies(stream, ['DEP3', 'DEP2', 'DEP1'],
- unique_dependencies)
- expect_dep_check_code = '''
- case 0:
- {
-#if defined(DEP3)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;
- case 1:
- {
-#if defined(DEP2)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;
- case 2:
- {
-#if defined(DEP1)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;'''
- self.assertEqual(dep_check_code, expect_dep_check_code)
- self.assertEqual(len(unique_dependencies), 3)
- self.assertEqual(stream.getvalue(), 'depends_on:0:1:2\n')
-
- def test_dep_id_repeat(self):
- """
-
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_dependencies = []
- dep_check_code = ''
- dep_check_code += write_dependencies(stream, ['DEP3', 'DEP2'],
- unique_dependencies)
- dep_check_code += write_dependencies(stream, ['DEP2', 'DEP1'],
- unique_dependencies)
- dep_check_code += write_dependencies(stream, ['DEP1', 'DEP3'],
- unique_dependencies)
- expect_dep_check_code = '''
- case 0:
- {
-#if defined(DEP3)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;
- case 1:
- {
-#if defined(DEP2)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;
- case 2:
- {
-#if defined(DEP1)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;'''
- self.assertEqual(dep_check_code, expect_dep_check_code)
- self.assertEqual(len(unique_dependencies), 3)
- self.assertEqual(stream.getvalue(),
- 'depends_on:0:1\ndepends_on:1:2\ndepends_on:2:0\n')
-
-
-class WriteParams(TestCase):
- """
- Test Suite for testing write_parameters().
- """
-
- def test_no_params(self):
- """
- Test with empty test_args
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_expressions = []
- expression_code = write_parameters(stream, [], [], unique_expressions)
- self.assertEqual(len(unique_expressions), 0)
- self.assertEqual(expression_code, '')
- self.assertEqual(stream.getvalue(), '\n')
-
- def test_no_exp_param(self):
- """
- Test when there is no macro or expression in the params.
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_expressions = []
- expression_code = write_parameters(stream, ['"Yahoo"', '"abcdef00"',
- '0'],
- ['char*', 'hex', 'int'],
- unique_expressions)
- self.assertEqual(len(unique_expressions), 0)
- self.assertEqual(expression_code, '')
- self.assertEqual(stream.getvalue(),
- ':char*:"Yahoo":hex:"abcdef00":int:0\n')
-
- def test_hex_format_int_param(self):
- """
- Test int parameter in hex format.
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_expressions = []
- expression_code = write_parameters(stream,
- ['"Yahoo"', '"abcdef00"', '0xAA'],
- ['char*', 'hex', 'int'],
- unique_expressions)
- self.assertEqual(len(unique_expressions), 0)
- self.assertEqual(expression_code, '')
- self.assertEqual(stream.getvalue(),
- ':char*:"Yahoo":hex:"abcdef00":int:0xAA\n')
-
- def test_with_exp_param(self):
- """
- Test when there is macro or expression in the params.
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_expressions = []
- expression_code = write_parameters(stream,
- ['"Yahoo"', '"abcdef00"', '0',
- 'MACRO1', 'MACRO2', 'MACRO3'],
- ['char*', 'hex', 'int',
- 'int', 'int', 'int'],
- unique_expressions)
- self.assertEqual(len(unique_expressions), 3)
- self.assertEqual(unique_expressions, ['MACRO1', 'MACRO2', 'MACRO3'])
- expected_expression_code = '''
- case 0:
- {
- *out_value = MACRO1;
- }
- break;
- case 1:
- {
- *out_value = MACRO2;
- }
- break;
- case 2:
- {
- *out_value = MACRO3;
- }
- break;'''
- self.assertEqual(expression_code, expected_expression_code)
- self.assertEqual(stream.getvalue(),
- ':char*:"Yahoo":hex:"abcdef00":int:0:exp:0:exp:1'
- ':exp:2\n')
-
- def test_with_repeat_calls(self):
- """
- Test when write_parameter() is called with same macro or expression.
- :return:
- """
- stream = StringIOWrapper('test_suite_ut.data', '')
- unique_expressions = []
- expression_code = ''
- expression_code += write_parameters(stream,
- ['"Yahoo"', 'MACRO1', 'MACRO2'],
- ['char*', 'int', 'int'],
- unique_expressions)
- expression_code += write_parameters(stream,
- ['"abcdef00"', 'MACRO2', 'MACRO3'],
- ['hex', 'int', 'int'],
- unique_expressions)
- expression_code += write_parameters(stream,
- ['0', 'MACRO3', 'MACRO1'],
- ['int', 'int', 'int'],
- unique_expressions)
- self.assertEqual(len(unique_expressions), 3)
- self.assertEqual(unique_expressions, ['MACRO1', 'MACRO2', 'MACRO3'])
- expected_expression_code = '''
- case 0:
- {
- *out_value = MACRO1;
- }
- break;
- case 1:
- {
- *out_value = MACRO2;
- }
- break;
- case 2:
- {
- *out_value = MACRO3;
- }
- break;'''
- self.assertEqual(expression_code, expected_expression_code)
- expected_data_file = ''':char*:"Yahoo":exp:0:exp:1
-:hex:"abcdef00":exp:1:exp:2
-:int:0:exp:2:exp:0
-'''
- self.assertEqual(stream.getvalue(), expected_data_file)
-
-
-class GenTestSuiteDependenciesChecks(TestCase):
- """
- Test suite for testing gen_suite_dep_checks()
- """
- def test_empty_suite_dependencies(self):
- """
- Test with empty suite_dependencies list.
-
- :return:
- """
- dep_check_code, expression_code = \
- gen_suite_dep_checks([], 'DEP_CHECK_CODE', 'EXPRESSION_CODE')
- self.assertEqual(dep_check_code, 'DEP_CHECK_CODE')
- self.assertEqual(expression_code, 'EXPRESSION_CODE')
-
- def test_suite_dependencies(self):
- """
- Test with suite_dependencies list.
-
- :return:
- """
- dep_check_code, expression_code = \
- gen_suite_dep_checks(['SUITE_DEP'], 'DEP_CHECK_CODE',
- 'EXPRESSION_CODE')
- expected_dep_check_code = '''
-#if defined(SUITE_DEP)
-DEP_CHECK_CODE
-#endif
-'''
- expected_expression_code = '''
-#if defined(SUITE_DEP)
-EXPRESSION_CODE
-#endif
-'''
- self.assertEqual(dep_check_code, expected_dep_check_code)
- self.assertEqual(expression_code, expected_expression_code)
-
- def test_no_dep_no_exp(self):
- """
- Test when there are no dependency and expression code.
- :return:
- """
- dep_check_code, expression_code = gen_suite_dep_checks([], '', '')
- self.assertEqual(dep_check_code, '')
- self.assertEqual(expression_code, '')
-
-
-class GenFromTestData(TestCase):
- """
- Test suite for gen_from_test_data()
- """
-
- @staticmethod
- @patch("generate_test_code.write_dependencies")
- @patch("generate_test_code.write_parameters")
- @patch("generate_test_code.gen_suite_dep_checks")
- def test_intermediate_data_file(func_mock1,
- write_parameters_mock,
- write_dependencies_mock):
- """
- Test that intermediate data file is written with expected data.
- :return:
- """
- data = '''
-My test
-depends_on:DEP1
-func1:0
-'''
- data_f = StringIOWrapper('test_suite_ut.data', data)
- out_data_f = StringIOWrapper('test_suite_ut.datax', '')
- func_info = {'test_func1': (1, ('int',))}
- suite_dependencies = []
- write_parameters_mock.side_effect = write_parameters
- write_dependencies_mock.side_effect = write_dependencies
- func_mock1.side_effect = gen_suite_dep_checks
- gen_from_test_data(data_f, out_data_f, func_info, suite_dependencies)
- write_dependencies_mock.assert_called_with(out_data_f,
- ['DEP1'], ['DEP1'])
- write_parameters_mock.assert_called_with(out_data_f, ['0'],
- ('int',), [])
- expected_dep_check_code = '''
- case 0:
- {
-#if defined(DEP1)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;'''
- func_mock1.assert_called_with(
- suite_dependencies, expected_dep_check_code, '')
-
- def test_function_not_found(self):
- """
- Test that AssertError is raised when function info in not found.
- :return:
- """
- data = '''
-My test
-depends_on:DEP1
-func1:0
-'''
- data_f = StringIOWrapper('test_suite_ut.data', data)
- out_data_f = StringIOWrapper('test_suite_ut.datax', '')
- func_info = {'test_func2': (1, ('int',))}
- suite_dependencies = []
- self.assertRaises(GeneratorInputError, gen_from_test_data,
- data_f, out_data_f, func_info, suite_dependencies)
-
- def test_different_func_args(self):
- """
- Test that AssertError is raised when no. of parameters and
- function args differ.
- :return:
- """
- data = '''
-My test
-depends_on:DEP1
-func1:0
-'''
- data_f = StringIOWrapper('test_suite_ut.data', data)
- out_data_f = StringIOWrapper('test_suite_ut.datax', '')
- func_info = {'test_func2': (1, ('int', 'hex'))}
- suite_dependencies = []
- self.assertRaises(GeneratorInputError, gen_from_test_data, data_f,
- out_data_f, func_info, suite_dependencies)
-
- def test_output(self):
- """
- Test that intermediate data file is written with expected data.
- :return:
- """
- data = '''
-My test 1
-depends_on:DEP1
-func1:0:0xfa:MACRO1:MACRO2
-
-My test 2
-depends_on:DEP1:DEP2
-func2:"yahoo":88:MACRO1
-'''
- data_f = StringIOWrapper('test_suite_ut.data', data)
- out_data_f = StringIOWrapper('test_suite_ut.datax', '')
- func_info = {'test_func1': (0, ('int', 'int', 'int', 'int')),
- 'test_func2': (1, ('char*', 'int', 'int'))}
- suite_dependencies = []
- dep_check_code, expression_code = \
- gen_from_test_data(data_f, out_data_f, func_info,
- suite_dependencies)
- expected_dep_check_code = '''
- case 0:
- {
-#if defined(DEP1)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;
- case 1:
- {
-#if defined(DEP2)
- ret = DEPENDENCY_SUPPORTED;
-#else
- ret = DEPENDENCY_NOT_SUPPORTED;
-#endif
- }
- break;'''
- expected_data = '''My test 1
-depends_on:0
-0:int:0:int:0xfa:exp:0:exp:1
-
-My test 2
-depends_on:0:1
-1:char*:"yahoo":int:88:exp:0
-
-'''
- expected_expression_code = '''
- case 0:
- {
- *out_value = MACRO1;
- }
- break;
- case 1:
- {
- *out_value = MACRO2;
- }
- break;'''
- self.assertEqual(dep_check_code, expected_dep_check_code)
- self.assertEqual(out_data_f.getvalue(), expected_data)
- self.assertEqual(expression_code, expected_expression_code)
-
-
-if __name__ == '__main__':
- unittest_main()
diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py
index 9cd220f..7c09afc 100755
--- a/tests/scripts/test_psa_compliance.py
+++ b/tests/scripts/test_psa_compliance.py
@@ -8,19 +8,7 @@ keep the list of known defects as up to date as possible.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
import os
@@ -32,29 +20,17 @@ from typing import List
#pylint: disable=unused-import
import scripts_path
-from mbedtls_dev import build_tree
+from mbedtls_framework import build_tree
# PSA Compliance tests we expect to fail due to known defects in Mbed TLS /
# TF-PSA-Crypto (or the test suite).
# The test numbers correspond to the numbers used by the console output of the test suite.
# Test number 2xx corresponds to the files in the folder
# psa-arch-tests/api-tests/dev_apis/crypto/test_c0xx
-EXPECTED_FAILURES = {
- # psa_hash_suspend() and psa_hash_resume() are not supported.
- # - Tracked in issue #3274
- 262, 263
-}
-
-# We currently use a fork of ARM-software/psa-arch-tests, with a couple of downstream patches
-# that allow it to build with Mbed TLS 3, and fixes a couple of issues in the compliance test suite.
-# These fixes allow the tests numbered 216, 248 and 249 to complete successfully.
-#
-# Once all the fixes are upstreamed, this fork should be replaced with an upstream commit/tag.
-# - Tracked in issue #5145
-#
-# Web URL: https://github.com/bensze01/psa-arch-tests/tree/fixes-for-mbedtls-3
-PSA_ARCH_TESTS_REPO = 'https://github.com/bensze01/psa-arch-tests.git'
-PSA_ARCH_TESTS_REF = 'fix-pr-5736'
+EXPECTED_FAILURES = {} # type: dict
+
+PSA_ARCH_TESTS_REPO = 'https://github.com/ARM-software/psa-arch-tests.git'
+PSA_ARCH_TESTS_REF = 'v23.06_API1.5_ADAC_EAC'
#pylint: disable=too-many-branches,too-many-statements,too-many-locals
def main(library_build_dir: str):
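Review bot: `PSA_ARCH_TESTS_REF` is now a tag name, and a git tag can be moved upstream, so this file alone does not fix which code the script fetches and builds. Pinning to the full commit hash that the tag currently resolves to, with the tag kept as a comment, e.g. `PSA_ARCH_TESTS_REF = '<full-commit-sha>'  # v23.06_API1.5_ADAC_EAC`, would make the CI input reproducible. The fetch step is outside this hunk, so confirm that it accepts a hash. Separately, `EXPECTED_FAILURES = {}  # type: dict` replaces what was a set literal with an empty dict; `set()  # type: set` would keep the type the removed lines had.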
@@ -62,11 +38,14 @@ def main(library_build_dir: str):
in_tf_psa_crypto_repo = build_tree.looks_like_tf_psa_crypto_root(root_dir)
+ crypto_name = build_tree.crypto_library_filename(root_dir)
+
+ # Temporary, while the crypto library is still located in the library
+ # directory. This will not be the case anymore when it will be built by
+ # the TF-PSA-Crypto build system.
if in_tf_psa_crypto_repo:
- crypto_name = 'tfpsacrypto'
- library_subdir = 'core'
+ library_subdir = build_tree.crypto_core_directory(root_dir, relative=True)
else:
- crypto_name = 'mbedcrypto'
library_subdir = 'library'
crypto_lib_filename = (library_build_dir + '/' +
@@ -101,8 +80,14 @@ def main(library_build_dir: str):
os.mkdir(build_dir)
os.chdir(build_dir)
- extra_includes = (';{}/drivers/builtin/include'.format(root_dir)
- if in_tf_psa_crypto_repo else '')
+ # Temporary while the PSA compliance test suite is still run as part
+ # of Mbed TLS testing. When it is not the case anymore, the second case
+ # can be removed.
+ if in_tf_psa_crypto_repo:
+ extra_includes = ';{}/drivers/builtin/include'.format(root_dir)
+ elif os.path.isdir(os.path.join(root_dir, 'tf-psa-crypto')):
+ extra_includes = ';{}/tf-psa-crypto/include'.format(root_dir) + \
+ (';{}/tf-psa-crypto/drivers/builtin/include'.format(root_dir))
#pylint: disable=bad-continuation
subprocess.check_call([
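Review bot: `extra_includes` is assigned only in the `if` and `elif` branches, so it is left unbound when the tree is neither a TF-PSA-Crypto root nor contains a `tf-psa-crypto` directory; the removed code fell back to `''` in that case. Any later use of the name would then raise `UnboundLocalError`; that use is presumably in the `subprocess.check_call` that opens at the end of this hunk and continues outside it. Adding `else:` followed by `extra_includes = ''` after the `elif` restores the old default.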
diff --git a/tests/scripts/test_psa_constant_names.py b/tests/scripts/test_psa_constant_names.py
index e43a0ba..f35351c 100755
--- a/tests/scripts/test_psa_constant_names.py
+++ b/tests/scripts/test_psa_constant_names.py
@@ -8,19 +8,7 @@ or 1 (with a Python backtrace) if there was an operational error.
"""
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import argparse
from collections import namedtuple
@@ -31,9 +19,9 @@ import sys
from typing import Iterable, List, Optional, Tuple
import scripts_path # pylint: disable=unused-import
-from mbedtls_dev import c_build_helper
-from mbedtls_dev.macro_collector import InputsForTest, PSAMacroEnumerator
-from mbedtls_dev import typing_util
+from mbedtls_framework import c_build_helper
+from mbedtls_framework.macro_collector import InputsForTest, PSAMacroEnumerator
+from mbedtls_framework import typing_util
def gather_inputs(headers: Iterable[str],
test_suites: Iterable[str],
@@ -173,7 +161,9 @@ TEST_SUITES = ['tests/suites/test_suite_psa_crypto_metadata.data']
def main():
parser = argparse.ArgumentParser(description=globals()['__doc__'])
parser.add_argument('--include', '-I',
- action='append', default=['include'],
+ action='append', default=['tf-psa-crypto/include',
+ 'tf-psa-crypto/drivers/builtin/include',
+ 'include'],
help='Directory for header files')
parser.add_argument('--keep-c',
action='store_true', dest='keep_c', default=False,
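Review bot: With `action='append'`, argparse appends command-line values to a non-empty `default` list instead of replacing it, so the three default directories always stay in the list, ahead of any `-I` the caller passes. The help text should say so, for example `help='Additional directory for header files (added to the built-in defaults)'`. The defaults are relative paths, so they presumably only resolve when the script is run from the repository root. The code that consumes `--include` is outside this hunk.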
diff --git a/tests/scripts/test_zeroize.gdb b/tests/scripts/test_zeroize.gdb
index 66c6304..57f771f 100644
--- a/tests/scripts/test_zeroize.gdb
+++ b/tests/scripts/test_zeroize.gdb
@@ -1,19 +1,7 @@
# test_zeroize.gdb
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/tests/scripts/translate_ciphers.py b/tests/scripts/translate_ciphers.py
index a8db4bb..90514fc 100755
--- a/tests/scripts/translate_ciphers.py
+++ b/tests/scripts/translate_ciphers.py
@@ -3,19 +3,7 @@
# translate_ciphers.py
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
"""
Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
diff --git a/tests/scripts/travis-log-failure.sh b/tests/scripts/travis-log-failure.sh
index 249b3f8..3daecf3 100755
--- a/tests/scripts/travis-log-failure.sh
+++ b/tests/scripts/travis-log-failure.sh
@@ -3,19 +3,7 @@
# travis-log-failure.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
diff --git a/tests/src/asn1_helpers.c b/tests/src/asn1_helpers.c
index aaf7587..c8df199 100644
--- a/tests/src/asn1_helpers.c
+++ b/tests/src/asn1_helpers.c
@@ -5,19 +5,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
diff --git a/tests/src/bignum_helpers.c b/tests/src/bignum_helpers.c
index 214530d..913f5e3 100644
--- a/tests/src/bignum_helpers.c
+++ b/tests/src/bignum_helpers.c
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
@@ -147,7 +135,7 @@ int mbedtls_test_read_mpi(mbedtls_mpi *X, const char *s)
}
if (negative) {
if (mbedtls_mpi_cmp_int(X, 0) == 0) {
- ++mbedtls_test_case_uses_negative_0;
+ mbedtls_test_increment_case_uses_negative_0();
}
X->s = -1;
}
diff --git a/tests/src/certs.c b/tests/src/certs.c
index b834e4a..879f088 100644
--- a/tests/src/certs.c
+++ b/tests/src/certs.c
@@ -2,19 +2,7 @@
* X.509 test certificates
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c
index 8fb1982..2416ba8 100644
--- a/tests/src/drivers/hash.c
+++ b/tests/src/drivers/hash.c
@@ -2,19 +2,7 @@
* Test driver for hash entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -25,7 +13,7 @@
#include "test/drivers/hash.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_hash.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_hash.h"
#endif
mbedtls_test_driver_hash_hooks_t
diff --git a/tests/src/drivers/platform_builtin_keys.c b/tests/src/drivers/platform_builtin_keys.c
index 6334a43..01fc050 100644
--- a/tests/src/drivers/platform_builtin_keys.c
+++ b/tests/src/drivers/platform_builtin_keys.c
@@ -5,19 +5,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c
index 6dadf52..080b4db 100644
--- a/tests/src/drivers/test_driver_aead.c
+++ b/tests/src/drivers/test_driver_aead.c
@@ -2,19 +2,7 @@
* Test driver for AEAD entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -28,7 +16,7 @@
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_aead.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_aead.h"
#endif
mbedtls_test_driver_aead_hooks_t
diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c
index cf0e90c..55e09b2 100644
--- a/tests/src/drivers/test_driver_asymmetric_encryption.c
+++ b/tests/src/drivers/test_driver_asymmetric_encryption.c
@@ -2,19 +2,7 @@
* Test driver for asymmetric encryption.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -25,11 +13,15 @@
#include "psa_crypto_rsa.h"
#include "string.h"
#include "test/drivers/asymmetric_encryption.h"
+#include "test/drivers/key_management.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
#endif
+#define PSA_RSA_KEY_PAIR_MAX_SIZE \
+ PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
+
mbedtls_test_driver_asymmetric_encryption_hooks_t mbedtls_test_driver_asymmetric_encryption_hooks =
MBEDTLS_TEST_DRIVER_ASYMMETRIC_ENCRYPTION_INIT;
@@ -58,8 +50,7 @@ psa_status_t mbedtls_test_transparent_asymmetric_encrypt(
return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status;
}
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
return libtestdriver1_mbedtls_psa_asymmetric_encrypt(
(const libtestdriver1_psa_key_attributes_t *) attributes,
key_buffer, key_buffer_size,
@@ -100,8 +91,7 @@ psa_status_t mbedtls_test_transparent_asymmetric_decrypt(
return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status;
}
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
return libtestdriver1_mbedtls_psa_asymmetric_decrypt(
(const libtestdriver1_psa_key_attributes_t *) attributes,
key_buffer, key_buffer_size,
@@ -118,7 +108,7 @@ psa_status_t mbedtls_test_transparent_asymmetric_decrypt(
}
/*
- * opaque versions - TODO
+ * opaque versions
*/
psa_status_t mbedtls_test_opaque_asymmetric_encrypt(
const psa_key_attributes_t *attributes, const uint8_t *key,
@@ -126,17 +116,31 @@ psa_status_t mbedtls_test_opaque_asymmetric_encrypt(
size_t input_length, const uint8_t *salt, size_t salt_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
- (void) attributes;
- (void) key;
- (void) key_length;
- (void) alg;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
+ unsigned char unwrapped_key[PSA_RSA_KEY_PAIR_MAX_SIZE];
+ size_t unwrapped_key_length;
+ psa_status_t status;
+
+ status = mbedtls_test_opaque_unwrap_key(key, key_length,
+ unwrapped_key, sizeof(unwrapped_key),
+ &unwrapped_key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT))
+ return libtestdriver1_mbedtls_psa_asymmetric_encrypt(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#else
+ return mbedtls_psa_asymmetric_encrypt(
+ attributes, unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#endif
+
return PSA_ERROR_NOT_SUPPORTED;
}
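Review bot: The clear key that mbedtls_test_opaque_unwrap_key() writes into `unwrapped_key` is never wiped before mbedtls_test_opaque_asymmetric_encrypt() returns, so it stays on the stack. Both preprocessor branches return directly, which also makes the trailing `return PSA_ERROR_NOT_SUPPORTED;` unreachable. Storing the result in `status`, wiping the buffer with mbedtls_platform_zeroize() (assuming mbedtls/platform_util.h is reachable from this file) and returning once addresses both points. The same applies to the decrypt hunk that follows, where the buffer holds the private key. The function's signature begins outside this hunk.

```c
    status = libtestdriver1_mbedtls_psa_asymmetric_encrypt(
        /* … unchanged: argument list … */);
#else
    status = mbedtls_psa_asymmetric_encrypt(
        /* … unchanged: argument list … */);
#endif
    /* Do not leave the clear key on the stack. */
    mbedtls_platform_zeroize(unwrapped_key, sizeof(unwrapped_key));
    return status;
```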
@@ -146,17 +150,31 @@ psa_status_t mbedtls_test_opaque_asymmetric_decrypt(
size_t input_length, const uint8_t *salt, size_t salt_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
- (void) attributes;
- (void) key;
- (void) key_length;
- (void) alg;
- (void) input;
- (void) input_length;
- (void) salt;
- (void) salt_length;
- (void) output;
- (void) output_size;
- (void) output_length;
+ unsigned char unwrapped_key[PSA_RSA_KEY_PAIR_MAX_SIZE];
+ size_t unwrapped_key_length;
+ psa_status_t status;
+
+ status = mbedtls_test_opaque_unwrap_key(key, key_length,
+ unwrapped_key, sizeof(unwrapped_key),
+ &unwrapped_key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT))
+ return libtestdriver1_mbedtls_psa_asymmetric_decrypt(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#else
+ return mbedtls_psa_asymmetric_decrypt(
+ attributes, unwrapped_key, unwrapped_key_length,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+#endif
+
return PSA_ERROR_NOT_SUPPORTED;
}
diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c
index 42e79c4..ace0ed3 100644
--- a/tests/src/drivers/test_driver_cipher.c
+++ b/tests/src/drivers/test_driver_cipher.c
@@ -3,19 +3,7 @@
* Currently only supports multi-part operations using AES-CTR.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -31,7 +19,7 @@
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_cipher.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_cipher.h"
#endif
#include <string.h>
@@ -53,6 +41,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt(
size_t *output_length)
{
mbedtls_test_driver_cipher_hooks.hits++;
+ mbedtls_test_driver_cipher_hooks.hits_encrypt++;
if (mbedtls_test_driver_cipher_hooks.forced_output != NULL) {
if (output_size < mbedtls_test_driver_cipher_hooks.forced_output_length) {
@@ -70,6 +59,9 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt(
if (mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_cipher_hooks.forced_status;
}
+ if (mbedtls_test_driver_cipher_hooks.forced_status_encrypt != PSA_SUCCESS) {
+ return mbedtls_test_driver_cipher_hooks.forced_status_encrypt;
+ }
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
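Review bot: The precedence between the two forced-status hooks is not documented: `forced_status` is tested first, so a test that sets both never observes `forced_status_encrypt`. A one-line comment above the new check would make this explicit, e.g. `/* Per-entry-point override; only consulted when forced_status is PSA_SUCCESS. */`. The same comment is missing for `forced_status_set_iv` in the set_iv hunk below. The enclosing function starts and ends outside this hunk.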
@@ -220,10 +212,14 @@ psa_status_t mbedtls_test_transparent_cipher_set_iv(
size_t iv_length)
{
mbedtls_test_driver_cipher_hooks.hits++;
+ mbedtls_test_driver_cipher_hooks.hits_set_iv++;
if (mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_cipher_hooks.forced_status;
}
+ if (mbedtls_test_driver_cipher_hooks.forced_status_set_iv != PSA_SUCCESS) {
+ return mbedtls_test_driver_cipher_hooks.forced_status_set_iv;
+ }
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c
index 9cf82a3..8a8e3a8 100644
--- a/tests/src/drivers/test_driver_key_agreement.c
+++ b/tests/src/drivers/test_driver_key_agreement.c
@@ -2,19 +2,7 @@
* Test driver for key agreement functions.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -32,9 +20,9 @@
#include <string.h>
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/include/psa/crypto.h"
-#include "libtestdriver1/library/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#include "libtestdriver1/tf-psa-crypto/include/psa/crypto.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ffdh.h"
#endif
mbedtls_test_driver_key_agreement_hooks_t
diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c
index 19da47a..c0869f1 100644
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@@ -3,19 +3,7 @@
* Currently only supports generating and verifying ECC keys.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -35,9 +23,9 @@
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_rsa.h"
-#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ffdh.h"
#endif
#include <string.h>
@@ -171,7 +159,7 @@ static psa_status_t mbedtls_test_opaque_wrap_key(
* The argument key_buffer_length is filled with the unwrapped(clear)
* key_size on success.
* */
-static psa_status_t mbedtls_test_opaque_unwrap_key(
+psa_status_t mbedtls_test_opaque_unwrap_key(
const uint8_t *wrapped_key,
size_t wrapped_key_length,
uint8_t *key_buffer,
@@ -205,6 +193,7 @@ psa_status_t mbedtls_test_transparent_generate_key(
uint8_t *key, size_t key_size, size_t *key_length)
{
++mbedtls_test_driver_key_management_hooks.hits;
+ ++mbedtls_test_driver_key_management_hooks.hits_generate_key;
if (mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_key_management_hooks.forced_status;
@@ -237,10 +226,13 @@ psa_status_t mbedtls_test_transparent_generate_key(
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
return libtestdriver1_mbedtls_psa_rsa_generate_key(
(const libtestdriver1_psa_key_attributes_t *) attributes,
+ NULL, 0, /* We don't support custom e in the test driver yet */
key, key_size, key_length);
#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
return mbedtls_psa_rsa_generate_key(
- attributes, key, key_size, key_length);
+ attributes,
+ NULL, 0, /* We don't support custom e in the test driver yet */
+ key, key_size, key_length);
#endif
} else if (PSA_KEY_TYPE_IS_DH(psa_get_key_type(attributes))
&& PSA_KEY_TYPE_IS_KEY_PAIR(psa_get_key_type(attributes))) {
@@ -541,6 +533,7 @@ psa_status_t mbedtls_test_transparent_export_public_key(
uint8_t *data, size_t data_size, size_t *data_length)
{
++mbedtls_test_driver_key_management_hooks.hits;
+ ++mbedtls_test_driver_key_management_hooks.hits_export_public_key;
if (mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_key_management_hooks.forced_status;
diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c
index 96c1685..de43e49 100644
--- a/tests/src/drivers/test_driver_mac.c
+++ b/tests/src/drivers/test_driver_mac.c
@@ -2,19 +2,7 @@
* Test driver for MAC entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -25,7 +13,7 @@
#include "test/drivers/mac.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_mac.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_mac.h"
#endif
mbedtls_test_driver_mac_hooks_t mbedtls_test_driver_mac_hooks =
diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c
index 69bd4ff..9631101 100644
--- a/tests/src/drivers/test_driver_pake.c
+++ b/tests/src/drivers/test_driver_pake.c
@@ -1,20 +1,8 @@
/*
- * Test driver for MAC entry points.
+ * Test driver for PAKE entry points.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -26,7 +14,7 @@
#include "string.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_pake.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_pake.h"
#endif
mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks =
diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c
index c312477..02c6298 100644
--- a/tests/src/drivers/test_driver_signature.c
+++ b/tests/src/drivers/test_driver_signature.c
@@ -4,19 +4,7 @@
* only deterministic ECDSA on curves secp256r1, secp384r1 and secp521r1.
*/
/* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -33,15 +21,14 @@
#include "test/drivers/signature.h"
#include "test/drivers/hash.h"
-#include "mbedtls/md.h"
#include "mbedtls/ecdsa.h"
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_hash.h"
-#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_hash.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
#endif
#include <string.h>
@@ -62,7 +49,7 @@ psa_status_t sign_hash(
size_t signature_size,
size_t *signature_length)
{
- if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
PSA_ALG_IS_RSA_PSS(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
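Review bot: The new code still reads the key type through the struct field (`attributes->type`), which is the kind of layout dependence that forced this edit when `core` was removed. The key-management driver in this same commit uses the accessor, so the condition could be `if (psa_get_key_type(attributes) == PSA_KEY_TYPE_RSA_KEY_PAIR) {`, provided `attributes` is a `psa_key_attributes_t` pointer here (its declaration is outside the hunk). The same applies to the other three hunks in this file, in the ECC branch of sign_hash and both branches of verify_hash.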
@@ -84,7 +71,7 @@ psa_status_t sign_hash(
} else {
return PSA_ERROR_INVALID_ARGUMENT;
}
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
if (PSA_ALG_IS_ECDSA(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
(defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
@@ -129,7 +116,7 @@ psa_status_t verify_hash(
const uint8_t *signature,
size_t signature_length)
{
- if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) {
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
PSA_ALG_IS_RSA_PSS(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
@@ -151,7 +138,7 @@ psa_status_t verify_hash(
} else {
return PSA_ERROR_INVALID_ARGUMENT;
}
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
if (PSA_ALG_IS_ECDSA(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
(defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/tests/src/fake_external_rng_for_test.c b/tests/src/fake_external_rng_for_test.c
index 89af7d3..c0bfde5 100644
--- a/tests/src/fake_external_rng_for_test.c
+++ b/tests/src/fake_external_rng_for_test.c
@@ -5,19 +5,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/fake_external_rng_for_test.h>
diff --git a/tests/src/helpers.c b/tests/src/helpers.c
index 7cac6e0..065d17d 100644
--- a/tests/src/helpers.c
+++ b/tests/src/helpers.c
@@ -1,18 +1,6 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/constant_flow.h>
@@ -25,6 +13,13 @@
#include <test/psa_crypto_helpers.h>
#endif
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C)
+#include <test/psa_memory_poisoning_wrappers.h>
+#endif
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
/*----------------------------------------------------------------------------*/
/* Static global variables */
@@ -32,7 +27,288 @@
static mbedtls_platform_context platform_ctx;
#endif
-mbedtls_test_info_t mbedtls_test_info;
+static mbedtls_test_info_t mbedtls_test_info;
+
+#ifdef MBEDTLS_THREADING_C
+mbedtls_threading_mutex_t mbedtls_test_info_mutex;
+#endif /* MBEDTLS_THREADING_C */
+
+/*----------------------------------------------------------------------------*/
+/* Mbedtls Test Info accessors
+ *
+ * NOTE - there are two types of accessors here: public accessors and internal
+ * accessors. The public accessors have prototypes in helpers.h and lock
+ * mbedtls_test_info_mutex (if mutexes are enabled). The _internal accessors,
+ * which are expected to be used from this module *only*, do not lock the mutex.
+ * These are designed to be called from within public functions which already
+ * hold the mutex. The main reason for this difference is the need to set
+ * multiple test data values atomically (without releasing the mutex) to prevent
+ * race conditions. */
+
+mbedtls_test_result_t mbedtls_test_get_result(void)
+{
+ mbedtls_test_result_t result;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ result = mbedtls_test_info.result;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return result;
+}
+
+static void mbedtls_test_set_result_internal(mbedtls_test_result_t result, const char *test,
+ int line_no, const char *filename)
+{
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ mbedtls_test_info.result = result;
+ mbedtls_test_info.test = test;
+ mbedtls_test_info.line_no = line_no;
+ mbedtls_test_info.filename = filename;
+}
+
+const char *mbedtls_test_get_test(void)
+{
+ const char *test;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ test = mbedtls_test_info.test;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return test;
+}
+const char *mbedtls_get_test_filename(void)
+{
+ const char *filename;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ /* It should be ok just to pass back the pointer here, as it is going to
+ * be a pointer into non changing data. */
+ filename = mbedtls_test_info.filename;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return filename;
+}
+
+int mbedtls_test_get_line_no(void)
+{
+ int line_no;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ line_no = mbedtls_test_info.line_no;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return line_no;
+}
+
+void mbedtls_test_increment_step(void)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ ++mbedtls_test_info.step;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+
+unsigned long mbedtls_test_get_step(void)
+{
+ unsigned long step;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ step = mbedtls_test_info.step;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return step;
+}
+
+static void mbedtls_test_reset_step_internal(void)
+{
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ mbedtls_test_info.step = (unsigned long) (-1);
+}
+
+void mbedtls_test_set_step(unsigned long step)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ mbedtls_test_info.step = step;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+
+void mbedtls_test_get_line1(char *line)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ memcpy(line, mbedtls_test_info.line1, MBEDTLS_TEST_LINE_LENGTH);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+
+static void mbedtls_test_set_line1_internal(const char *line)
+{
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ if (line == NULL) {
+ memset(mbedtls_test_info.line1, 0, MBEDTLS_TEST_LINE_LENGTH);
+ } else {
+ memcpy(mbedtls_test_info.line1, line, MBEDTLS_TEST_LINE_LENGTH);
+ }
+}
+
+void mbedtls_test_get_line2(char *line)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ memcpy(line, mbedtls_test_info.line2, MBEDTLS_TEST_LINE_LENGTH);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+
+static void mbedtls_test_set_line2_internal(const char *line)
+{
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ if (line == NULL) {
+ memset(mbedtls_test_info.line2, 0, MBEDTLS_TEST_LINE_LENGTH);
+ } else {
+ memcpy(mbedtls_test_info.line2, line, MBEDTLS_TEST_LINE_LENGTH);
+ }
+}
+
+
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+const char *mbedtls_test_get_mutex_usage_error(void)
+{
+ const char *usage_error;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ usage_error = mbedtls_test_info.mutex_usage_error;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return usage_error;
+}
+
+void mbedtls_test_set_mutex_usage_error(const char *msg)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ if (mbedtls_test_info.mutex_usage_error == NULL || msg == NULL) {
+ mbedtls_test_info.mutex_usage_error = msg;
+ }
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+#endif // #if defined(MBEDTLS_TEST_MUTEX_USAGE)
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+unsigned mbedtls_test_get_case_uses_negative_0(void)
+{
+ unsigned test_case_uses_negative_0 = 0;
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+ test_case_uses_negative_0 = mbedtls_test_info.case_uses_negative_0;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ return test_case_uses_negative_0;
+}
+
+static void mbedtls_test_set_case_uses_negative_0_internal(unsigned uses)
+{
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ mbedtls_test_info.case_uses_negative_0 = uses;
+}
+
+void mbedtls_test_increment_case_uses_negative_0(void)
+{
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ ++mbedtls_test_info.case_uses_negative_0;
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
+
+#endif /* MBEDTLS_BIGNUM_C */
+
+#ifdef MBEDTLS_TEST_MUTEX_USAGE
+mbedtls_threading_mutex_t *mbedtls_test_get_info_mutex(void)
+{
+ return &mbedtls_test_info_mutex;
+}
+
+#endif /* MBEDTLS_TEST_MUTEX_USAGE */
/*----------------------------------------------------------------------------*/
/* Helper Functions */
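Review bot: mbedtls_test_get_line1() and mbedtls_test_get_line2() copy MBEDTLS_TEST_LINE_LENGTH bytes into `line` without taking a size, and the `_internal` setters read the same fixed length from their argument; nothing in the hunk states that contract. Callers are outside this hunk, so it cannot be checked here that every buffer is that large; a shorter source string passed to a setter would be over-read. Each of these functions should carry a comment such as `/* line must point to a buffer of at least MBEDTLS_TEST_LINE_LENGTH bytes */`. Separately, `mbedtls_get_test_filename` breaks the `mbedtls_test_get_*` naming used by its siblings.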
@@ -41,6 +317,12 @@ int mbedtls_test_platform_setup(void)
{
int ret = 0;
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) \
+ && !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) \
+ && defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+ mbedtls_poison_test_hooks_setup();
+#endif
+
#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
/* Make sure that injected entropy is present. Otherwise
* psa_crypto_init() will fail. This is not necessary for test suites
@@ -56,11 +338,24 @@ int mbedtls_test_platform_setup(void)
ret = mbedtls_platform_setup(&platform_ctx);
#endif /* MBEDTLS_PLATFORM_C */
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_init(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
return ret;
}
void mbedtls_test_platform_teardown(void)
{
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) \
+ && !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) \
+ && defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+ mbedtls_poison_test_hooks_teardown();
+#endif
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_free(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
#if defined(MBEDTLS_PLATFORM_C)
mbedtls_platform_teardown(&platform_ctx);
#endif /* MBEDTLS_PLATFORM_C */
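Review bot: `mbedtls_mutex_init(&mbedtls_test_info_mutex);` is the last step of mbedtls_test_platform_setup(), and the teardown frees the mutex before calling mbedtls_platform_teardown(). A locking accessor such as mbedtls_test_fail() reached earlier in setup or later in teardown would operate on an uninitialised or freed mutex; whether such a path exists is not visible from here. Initialising the mutex first in setup and freeing it last in teardown would remove that ordering dependency. Both function bodies extend beyond this hunk.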
@@ -81,48 +376,63 @@ int mbedtls_test_ascii2uc(const char c, unsigned char *uc)
return 0;
}
-void mbedtls_test_fail(const char *test, int line_no, const char *filename)
+static void mbedtls_test_fail_internal(const char *test, int line_no, const char *filename)
{
- if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) {
- /* We've already recorded the test as having failed. Don't
+ /* Internal function only - mbedtls_test_info_mutex should be held prior
+ * to calling this function. */
+
+ /* Don't use accessor, we already hold mutex. */
+ if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) {
+ /* If we have already recorded the test as having failed then don't
* overwrite any previous information about the failure. */
- return;
+ mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_FAILED, test, line_no, filename);
}
- mbedtls_test_info.result = MBEDTLS_TEST_RESULT_FAILED;
- mbedtls_test_info.test = test;
- mbedtls_test_info.line_no = line_no;
- mbedtls_test_info.filename = filename;
}
-void mbedtls_test_skip(const char *test, int line_no, const char *filename)
+void mbedtls_test_fail(const char *test, int line_no, const char *filename)
{
- mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SKIPPED;
- mbedtls_test_info.test = test;
- mbedtls_test_info.line_no = line_no;
- mbedtls_test_info.filename = filename;
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ mbedtls_test_fail_internal(test, line_no, filename);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
}
-void mbedtls_test_set_step(unsigned long step)
+void mbedtls_test_skip(const char *test, int line_no, const char *filename)
{
- mbedtls_test_info.step = step;
-}
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
-#if defined(MBEDTLS_BIGNUM_C)
-unsigned mbedtls_test_case_uses_negative_0 = 0;
-#endif
+ mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_SKIPPED, test, line_no, filename);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+}
void mbedtls_test_info_reset(void)
{
- mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS;
- mbedtls_test_info.step = (unsigned long) (-1);
- mbedtls_test_info.test = 0;
- mbedtls_test_info.line_no = 0;
- mbedtls_test_info.filename = 0;
- memset(mbedtls_test_info.line1, 0, sizeof(mbedtls_test_info.line1));
- memset(mbedtls_test_info.line2, 0, sizeof(mbedtls_test_info.line2));
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ mbedtls_test_set_result_internal(MBEDTLS_TEST_RESULT_SUCCESS, 0, 0, 0);
+ mbedtls_test_reset_step_internal();
+ mbedtls_test_set_line1_internal(NULL);
+ mbedtls_test_set_line2_internal(NULL);
+
#if defined(MBEDTLS_BIGNUM_C)
- mbedtls_test_case_uses_negative_0 = 0;
+ mbedtls_test_set_case_uses_negative_0_internal(0);
#endif
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
}
int mbedtls_test_equal(const char *test, int line_no, const char *filename,
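Review bot: The comment inside `mbedtls_test_fail_internal` now reads backwards: "If we have already recorded the test as having failed then don't overwrite…" sits inside the `!= MBEDTLS_TEST_RESULT_FAILED` branch, which is the branch that does record the failure. Moving it above the `if` and rewording it, e.g. `/* Only record the first failure; later ones must not overwrite it. */`, keeps the intent clear. The same misplaced comment is repeated in the `mbedtls_test_equal`, `mbedtls_test_le_u` and `mbedtls_test_le_s` hunks below. Separately, `mbedtls_test_info_reset` passes `0, 0, 0` for the pointer arguments while the next two calls pass `NULL`; using `NULL` throughout would be consistent.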
@@ -135,20 +445,31 @@ int mbedtls_test_equal(const char *test, int line_no, const char *filename,
return 1;
}
- if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) {
- /* We've already recorded the test as having failed. Don't
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ /* Don't use accessor, as we already hold mutex. */
+ if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) {
+ /* If we've already recorded the test as having failed then don't
* overwrite any previous information about the failure. */
- return 0;
+
+ char buf[MBEDTLS_TEST_LINE_LENGTH];
+ mbedtls_test_fail_internal(test, line_no, filename);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "lhs = 0x%016llx = %lld",
+ value1, (long long) value1);
+ mbedtls_test_set_line1_internal(buf);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "rhs = 0x%016llx = %lld",
+ value2, (long long) value2);
+ mbedtls_test_set_line2_internal(buf);
}
- mbedtls_test_fail(test, line_no, filename);
- (void) mbedtls_snprintf(mbedtls_test_info.line1,
- sizeof(mbedtls_test_info.line1),
- "lhs = 0x%016llx = %lld",
- value1, (long long) value1);
- (void) mbedtls_snprintf(mbedtls_test_info.line2,
- sizeof(mbedtls_test_info.line2),
- "rhs = 0x%016llx = %lld",
- value2, (long long) value2);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
return 0;
}
@@ -162,20 +483,31 @@ int mbedtls_test_le_u(const char *test, int line_no, const char *filename,
return 1;
}
- if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) {
- /* We've already recorded the test as having failed. Don't
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ /* Don't use accessor, we already hold mutex. */
+ if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) {
+ /* If we've already recorded the test as having failed then don't
* overwrite any previous information about the failure. */
- return 0;
+
+ char buf[MBEDTLS_TEST_LINE_LENGTH];
+ mbedtls_test_fail_internal(test, line_no, filename);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "lhs = 0x%016llx = %llu",
+ value1, value1);
+ mbedtls_test_set_line1_internal(buf);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "rhs = 0x%016llx = %llu",
+ value2, value2);
+ mbedtls_test_set_line2_internal(buf);
}
- mbedtls_test_fail(test, line_no, filename);
- (void) mbedtls_snprintf(mbedtls_test_info.line1,
- sizeof(mbedtls_test_info.line1),
- "lhs = 0x%016llx = %llu",
- value1, value1);
- (void) mbedtls_snprintf(mbedtls_test_info.line2,
- sizeof(mbedtls_test_info.line2),
- "rhs = 0x%016llx = %llu",
- value2, value2);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
return 0;
}
@@ -189,20 +521,31 @@ int mbedtls_test_le_s(const char *test, int line_no, const char *filename,
return 1;
}
- if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED) {
- /* We've already recorded the test as having failed. Don't
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_lock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
+ /* Don't use accessor, we already hold mutex. */
+ if (mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) {
+ /* If we've already recorded the test as having failed then don't
* overwrite any previous information about the failure. */
- return 0;
+
+ char buf[MBEDTLS_TEST_LINE_LENGTH];
+ mbedtls_test_fail_internal(test, line_no, filename);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "lhs = 0x%016llx = %lld",
+ (unsigned long long) value1, value1);
+ mbedtls_test_set_line1_internal(buf);
+ (void) mbedtls_snprintf(buf, sizeof(buf),
+ "rhs = 0x%016llx = %lld",
+ (unsigned long long) value2, value2);
+ mbedtls_test_set_line2_internal(buf);
}
- mbedtls_test_fail(test, line_no, filename);
- (void) mbedtls_snprintf(mbedtls_test_info.line1,
- sizeof(mbedtls_test_info.line1),
- "lhs = 0x%016llx = %lld",
- (unsigned long long) value1, value1);
- (void) mbedtls_snprintf(mbedtls_test_info.line2,
- sizeof(mbedtls_test_info.line2),
- "rhs = 0x%016llx = %lld",
- (unsigned long long) value2, value2);
+
+#ifdef MBEDTLS_THREADING_C
+ mbedtls_mutex_unlock(&mbedtls_test_info_mutex);
+#endif /* MBEDTLS_THREADING_C */
+
return 0;
}
diff --git a/tests/src/psa_crypto_helpers.c b/tests/src/psa_crypto_helpers.c
index 52ff031..e1ea2b5 100644
--- a/tests/src/psa_crypto_helpers.c
+++ b/tests/src/psa_crypto_helpers.c
@@ -5,19 +5,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
@@ -82,9 +70,20 @@ const char *mbedtls_test_helper_is_psa_leaking(void)
mbedtls_psa_get_stats(&stats);
+#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) && \
+ !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ /* When AES_C is not defined and PSA does not have an external RNG,
+ * then CTR_DRBG uses PSA to perform AES-ECB. In this scenario 1 key
+ * slot is used internally from PSA to hold the AES key and it should
+ * not be taken into account when evaluating remaining open slots. */
+ if (stats.volatile_slots > 1) {
+ return "A volatile slot has not been closed properly.";
+ }
+#else
if (stats.volatile_slots != 0) {
return "A volatile slot has not been closed properly.";
}
+#endif
if (stats.persistent_slots != 0) {
return "A persistent slot has not been closed properly.";
}
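Review bot: The relaxed check `stats.volatile_slots > 1` accepts both 0 and 1 open slots, so in this configuration one genuinely leaked volatile slot goes unreported whenever the CTR_DRBG key slot is not occupied at the time of the check. Whether that state is reachable (for instance before the DRBG is seeded or after it is freed) is not visible here. If the DRBG slot is always present at this point, `stats.volatile_slots != 1` would keep the check exact. Otherwise the comment should say so, e.g. `/* NOTE: a single leaked slot cannot be told apart from the DRBG's own slot in this configuration. */`. The function starts and ends outside this hunk.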
diff --git a/tests/src/psa_crypto_stubs.c b/tests/src/psa_crypto_stubs.c
new file mode 100644
index 0000000..81d7f4b
--- /dev/null
+++ b/tests/src/psa_crypto_stubs.c
@@ -0,0 +1,75 @@
+/** \file psa_crypto_stubs.c
+ *
+ * \brief Stub functions when MBEDTLS_PSA_CRYPTO_CLIENT is enabled but
+ * MBEDTLS_PSA_CRYPTO_C is disabled.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <psa/crypto.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+
+psa_status_t psa_generate_random(uint8_t *output,
+ size_t output_size)
+{
+ (void) output;
+ (void) output_size;
+
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ (void) key;
+ (void) data;
+ (void) data_size;
+ (void) data_length;
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ (void) key;
+ (void) data;
+ (void) data_size;
+ (void) data_length;
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes)
+{
+ (void) key;
+ (void) attributes;
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
+{
+ (void) operation;
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ (void) attributes;
+ (void) data;
+ (void) data_length;
+ (void) key;
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
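Review bot: The stubs leave their output parameters untouched: `psa_export_key` and `psa_export_public_key` never write `*data_length`, and `psa_import_key` never writes `*key`. A caller that reads them after a failed call would then see an indeterminate value. Replacing `(void) data_length;` with `*data_length = 0;` in the two export stubs makes such misuse deterministic, assuming callers always pass a non-NULL pointer. The import stub could set `*key` to a known-invalid identifier in the same way. The file header would also benefit from one sentence on why exactly these six functions are stubbed and why `PSA_ERROR_COMMUNICATION_FAILURE` was chosen, since neither is evident from the code.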
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index c4488b5..b223276 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -4,26 +4,14 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
#include <test/macros.h>
#include <test/psa_exercise_key.h>
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include <mbedtls/asn1.h>
#include <psa/crypto.h>
@@ -32,6 +20,16 @@
#include <psa_crypto_slot_management.h>
#include <test/psa_crypto_helpers.h>
+#if defined(MBEDTLS_PK_C)
+#include <pk_internal.h>
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include <mbedtls/ecp.h>
+#endif
+#if defined(MBEDTLS_RSA_C)
+#include <rsa_internal.h>
+#endif
+
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
static int lifetime_is_dynamic_secure_element(psa_key_lifetime_t lifetime)
{
@@ -40,7 +38,8 @@ static int lifetime_is_dynamic_secure_element(psa_key_lifetime_t lifetime)
}
#endif
-static int check_key_attributes_sanity(mbedtls_svc_key_id_t key)
+static int check_key_attributes_sanity(mbedtls_svc_key_id_t key,
+ int key_destroyable)
{
int ok = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -48,8 +47,13 @@ static int check_key_attributes_sanity(mbedtls_svc_key_id_t key)
mbedtls_svc_key_id_t id;
psa_key_type_t type;
size_t bits;
-
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ psa_reset_key_attributes(&attributes);
+ return 1;
+ }
+ PSA_ASSERT(status);
lifetime = psa_get_key_lifetime(&attributes);
id = psa_get_key_id(&attributes);
type = psa_get_key_type(&attributes);
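Review bot: With `key_destroyable` set, every `PSA_ERROR_INVALID_HANDLE` from `psa_get_key_attributes` is reported as success. A caller that passes a wrong or never-created key identifier therefore passes this check exactly like one whose key was destroyed while the test ran. The same acceptance pattern is repeated in the `exercise_*` helpers and the key-agreement helpers later in this file's diff. The new parameter is undocumented; a comment on the function such as `/* key_destroyable: nonzero if the key may be destroyed (presumably by another thread) during the call; PSA_ERROR_INVALID_HANDLE is then treated as success. */` would make the weakened check explicit. The function body continues outside this hunk.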
@@ -68,17 +72,20 @@ static int check_key_attributes_sanity(mbedtls_svc_key_id_t key)
(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(id) <= PSA_KEY_ID_USER_MAX));
}
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- /* randomly-generated 64-bit constant, should never appear in test data */
- psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
- psa_status_t status = psa_get_key_slot_number(&attributes, &slot_number);
- if (lifetime_is_dynamic_secure_element(lifetime)) {
- /* Mbed TLS currently always exposes the slot number to
- * applications. This is not mandated by the PSA specification
- * and may change in future versions. */
- TEST_EQUAL(status, 0);
- TEST_ASSERT(slot_number != 0xec94d4a5058a1a21);
- } else {
- TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
+ /* MBEDTLS_PSA_CRYPTO_SE_C does not support thread safety. */
+ if (key_destroyable == 0) {
+ /* randomly-generated 64-bit constant, should never appear in test data */
+ psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
+ status = psa_get_key_slot_number(&attributes, &slot_number);
+ if (lifetime_is_dynamic_secure_element(lifetime)) {
+ /* Mbed TLS currently always exposes the slot number to
+ * applications. This is not mandated by the PSA specification
+ * and may change in future versions. */
+ TEST_EQUAL(status, 0);
+ TEST_ASSERT(slot_number != 0xec94d4a5058a1a21);
+ } else {
+ TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
+ }
}
#endif
@@ -112,20 +119,27 @@ exit:
static int exercise_mac_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
const unsigned char input[] = "foo";
unsigned char mac[PSA_MAC_MAX_SIZE] = { 0 };
size_t mac_length = sizeof(mac);
-
+ psa_status_t status = PSA_SUCCESS;
/* Convert wildcard algorithm to exercisable algorithm */
if (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) {
alg = PSA_ALG_TRUNCATED_MAC(alg, PSA_MAC_TRUNCATED_LENGTH(alg));
}
if (usage & PSA_KEY_USAGE_SIGN_HASH) {
- PSA_ASSERT(psa_mac_sign_setup(&operation, key, alg));
+ status = psa_mac_sign_setup(&operation, key, alg);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ PSA_ASSERT(psa_mac_abort(&operation));
+ return 1;
+ }
+ PSA_ASSERT(status);
PSA_ASSERT(psa_mac_update(&operation,
input, sizeof(input)));
PSA_ASSERT(psa_mac_sign_finish(&operation,
@@ -138,7 +152,13 @@ static int exercise_mac_key(mbedtls_svc_key_id_t key,
(usage & PSA_KEY_USAGE_SIGN_HASH ?
PSA_SUCCESS :
PSA_ERROR_INVALID_SIGNATURE);
- PSA_ASSERT(psa_mac_verify_setup(&operation, key, alg));
+ status = psa_mac_verify_setup(&operation, key, alg);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ PSA_ASSERT(psa_mac_abort(&operation));
+ return 1;
+ }
+ PSA_ASSERT(status);
PSA_ASSERT(psa_mac_update(&operation,
input, sizeof(input)));
TEST_EQUAL(psa_mac_verify_finish(&operation, mac, mac_length),
@@ -154,7 +174,8 @@ exit:
static int exercise_cipher_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
unsigned char iv[PSA_CIPHER_IV_MAX_SIZE] = { 0 };
@@ -166,13 +187,20 @@ static int exercise_cipher_key(mbedtls_svc_key_id_t key,
size_t ciphertext_length = sizeof(ciphertext);
unsigned char decrypted[sizeof(ciphertext)];
size_t part_length;
+ psa_status_t status = PSA_SUCCESS;
PSA_ASSERT(psa_get_key_attributes(key, &attributes));
key_type = psa_get_key_type(&attributes);
iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg);
if (usage & PSA_KEY_USAGE_ENCRYPT) {
- PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
+ status = psa_cipher_encrypt_setup(&operation, key, alg);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ PSA_ASSERT(psa_cipher_abort(&operation));
+ return 1;
+ }
+ PSA_ASSERT(status);
if (iv_length != 0) {
PSA_ASSERT(psa_cipher_generate_iv(&operation,
iv, sizeof(iv),
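Review bot: `PSA_ASSERT(psa_get_key_attributes(key, &attributes));` at the top of `exercise_cipher_key` is left strict, so a key destroyed before that call still fails the test even when `key_destroyable` is set. `check_key_attributes_sanity` in this same diff tolerates that case. The call should store its result in `status` and apply the same `key_destroyable && status == PSA_ERROR_INVALID_HANDLE` check before asserting. The new early `return 1` paths also skip the `exit:` label, so it is worth confirming that no attribute reset is bypassed there. That label and the rest of the function are outside this hunk, as is the start of `exercise_aead_key`, which may need the same treatment.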
@@ -190,12 +218,17 @@ static int exercise_cipher_key(mbedtls_svc_key_id_t key,
}
if (usage & PSA_KEY_USAGE_DECRYPT) {
- psa_status_t status;
int maybe_invalid_padding = 0;
if (!(usage & PSA_KEY_USAGE_ENCRYPT)) {
maybe_invalid_padding = !PSA_ALG_IS_STREAM_CIPHER(alg);
}
- PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
+ status = psa_cipher_decrypt_setup(&operation, key, alg);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ PSA_ASSERT(psa_cipher_abort(&operation));
+ return 1;
+ }
+ PSA_ASSERT(status);
if (iv_length != 0) {
PSA_ASSERT(psa_cipher_set_iv(&operation,
iv, iv_length));
@@ -229,7 +262,8 @@ exit:
static int exercise_aead_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
unsigned char nonce[PSA_AEAD_NONCE_MAX_SIZE] = { 0 };
size_t nonce_length;
@@ -239,6 +273,7 @@ static int exercise_aead_key(mbedtls_svc_key_id_t key,
unsigned char ciphertext[48] = "(wabblewebblewibblewobblewubble)";
size_t ciphertext_length = sizeof(ciphertext);
size_t plaintext_length = sizeof(ciphertext);
+ psa_status_t status = PSA_SUCCESS;
/* Convert wildcard algorithm to exercisable algorithm */
if (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) {
@@ -250,12 +285,17 @@ static int exercise_aead_key(mbedtls_svc_key_id_t key,
nonce_length = PSA_AEAD_NONCE_LENGTH(key_type, alg);
if (usage & PSA_KEY_USAGE_ENCRYPT) {
- PSA_ASSERT(psa_aead_encrypt(key, alg,
- nonce, nonce_length,
- NULL, 0,
- plaintext, sizeof(plaintext),
- ciphertext, sizeof(ciphertext),
- &ciphertext_length));
+ status = psa_aead_encrypt(key, alg,
+ nonce, nonce_length,
+ NULL, 0,
+ plaintext, sizeof(plaintext),
+ ciphertext, sizeof(ciphertext),
+ &ciphertext_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
}
if (usage & PSA_KEY_USAGE_DECRYPT) {
@@ -263,13 +303,17 @@ static int exercise_aead_key(mbedtls_svc_key_id_t key,
(usage & PSA_KEY_USAGE_ENCRYPT ?
PSA_SUCCESS :
PSA_ERROR_INVALID_SIGNATURE);
- TEST_EQUAL(psa_aead_decrypt(key, alg,
- nonce, nonce_length,
- NULL, 0,
- ciphertext, ciphertext_length,
- plaintext, sizeof(plaintext),
- &plaintext_length),
- verify_status);
+ status = psa_aead_decrypt(key, alg,
+ nonce, nonce_length,
+ NULL, 0,
+ ciphertext, ciphertext_length,
+ plaintext, sizeof(plaintext),
+ &plaintext_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ TEST_ASSERT(status == verify_status);
}
return 1;
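Review bot: Replacing `TEST_EQUAL(..., verify_status)` with `TEST_ASSERT(status == verify_status)` drops the lhs/rhs values that `TEST_EQUAL` records on failure, so a mismatch no longer shows which status was returned. Since `status` is now a plain variable, `TEST_EQUAL(status, verify_status);` keeps the diagnostic and still fits after the `key_destroyable` check. The same substitution appears in the `psa_verify_hash` and `psa_verify_message` hunks of `exercise_signature_key` further down.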
@@ -293,25 +337,29 @@ static int can_sign_or_verify_message(psa_key_usage_t usage,
static int exercise_signature_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
+ /* If the policy allows signing with any hash, just pick one. */
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ if (PSA_ALG_IS_SIGN_HASH(alg) && hash_alg == PSA_ALG_ANY_HASH &&
+ usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE)) {
+#if defined(KNOWN_SUPPORTED_HASH_ALG)
+ hash_alg = KNOWN_SUPPORTED_HASH_ALG;
+ alg ^= PSA_ALG_ANY_HASH ^ hash_alg;
+#else
+ TEST_FAIL("No hash algorithm for hash-and-sign testing");
+#endif
+ }
+ psa_status_t status = PSA_SUCCESS;
+
if (usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH) &&
PSA_ALG_IS_SIGN_HASH(alg)) {
unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 };
size_t payload_length = 16;
unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
size_t signature_length = sizeof(signature);
- psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
-
- /* If the policy allows signing with any hash, just pick one. */
- if (PSA_ALG_IS_SIGN_HASH(alg) && hash_alg == PSA_ALG_ANY_HASH) {
- #if defined(KNOWN_SUPPORTED_HASH_ALG)
- hash_alg = KNOWN_SUPPORTED_HASH_ALG;
- alg ^= PSA_ALG_ANY_HASH ^ hash_alg;
- #else
- TEST_FAIL("No hash algorithm for hash-and-sign testing");
- #endif
- }
/* Some algorithms require the payload to have the size of
* the hash encoded in the algorithm. Use this input size
@@ -321,10 +369,15 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key,
}
if (usage & PSA_KEY_USAGE_SIGN_HASH) {
- PSA_ASSERT(psa_sign_hash(key, alg,
- payload, payload_length,
- signature, sizeof(signature),
- &signature_length));
+ status = psa_sign_hash(key, alg,
+ payload, payload_length,
+ signature, sizeof(signature),
+ &signature_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
}
if (usage & PSA_KEY_USAGE_VERIFY_HASH) {
@@ -332,10 +385,14 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key,
(usage & PSA_KEY_USAGE_SIGN_HASH ?
PSA_SUCCESS :
PSA_ERROR_INVALID_SIGNATURE);
- TEST_EQUAL(psa_verify_hash(key, alg,
- payload, payload_length,
- signature, signature_length),
- verify_status);
+ status = psa_verify_hash(key, alg,
+ payload, payload_length,
+ signature, signature_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ TEST_ASSERT(status == verify_status);
}
}
@@ -346,10 +403,15 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key,
size_t signature_length = sizeof(signature);
if (usage & PSA_KEY_USAGE_SIGN_MESSAGE) {
- PSA_ASSERT(psa_sign_message(key, alg,
- message, message_length,
- signature, sizeof(signature),
- &signature_length));
+ status = psa_sign_message(key, alg,
+ message, message_length,
+ signature, sizeof(signature),
+ &signature_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
}
if (usage & PSA_KEY_USAGE_VERIFY_MESSAGE) {
@@ -357,10 +419,14 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key,
(usage & PSA_KEY_USAGE_SIGN_MESSAGE ?
PSA_SUCCESS :
PSA_ERROR_INVALID_SIGNATURE);
- TEST_EQUAL(psa_verify_message(key, alg,
- message, message_length,
- signature, signature_length),
- verify_status);
+ status = psa_verify_message(key, alg,
+ message, message_length,
+ signature, signature_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ TEST_ASSERT(status == verify_status);
}
}
@@ -372,28 +438,39 @@ exit:
static int exercise_asymmetric_encryption_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
- unsigned char plaintext[256] = "Hello, world...";
- unsigned char ciphertext[256] = "(wabblewebblewibblewobblewubble)";
+ unsigned char plaintext[PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE] =
+ "Hello, world...";
+ unsigned char ciphertext[PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE] =
+ "(wabblewebblewibblewobblewubble)";
size_t ciphertext_length = sizeof(ciphertext);
size_t plaintext_length = 16;
-
+ psa_status_t status = PSA_SUCCESS;
if (usage & PSA_KEY_USAGE_ENCRYPT) {
- PSA_ASSERT(psa_asymmetric_encrypt(key, alg,
- plaintext, plaintext_length,
- NULL, 0,
- ciphertext, sizeof(ciphertext),
- &ciphertext_length));
+ status = psa_asymmetric_encrypt(key, alg,
+ plaintext, plaintext_length,
+ NULL, 0,
+ ciphertext, sizeof(ciphertext),
+ &ciphertext_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
}
if (usage & PSA_KEY_USAGE_DECRYPT) {
- psa_status_t status =
- psa_asymmetric_decrypt(key, alg,
- ciphertext, ciphertext_length,
- NULL, 0,
- plaintext, sizeof(plaintext),
- &plaintext_length);
+ status = psa_asymmetric_decrypt(key, alg,
+ ciphertext, ciphertext_length,
+ NULL, 0,
+ plaintext, sizeof(plaintext),
+ &plaintext_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
TEST_ASSERT(status == PSA_SUCCESS ||
((usage & PSA_KEY_USAGE_ENCRYPT) == 0 &&
(status == PSA_ERROR_INVALID_ARGUMENT ||
@@ -412,16 +489,47 @@ int mbedtls_test_psa_setup_key_derivation_wrap(
psa_algorithm_t alg,
const unsigned char *input1, size_t input1_length,
const unsigned char *input2, size_t input2_length,
- size_t capacity)
+ size_t capacity, int key_destroyable)
{
PSA_ASSERT(psa_key_derivation_setup(operation, alg));
+ psa_status_t status = PSA_SUCCESS;
if (PSA_ALG_IS_HKDF(alg)) {
PSA_ASSERT(psa_key_derivation_input_bytes(operation,
PSA_KEY_DERIVATION_INPUT_SALT,
input1, input1_length));
- PSA_ASSERT(psa_key_derivation_input_key(operation,
- PSA_KEY_DERIVATION_INPUT_SECRET,
- key));
+ status = psa_key_derivation_input_key(operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ key);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
+ PSA_ASSERT(psa_key_derivation_input_bytes(operation,
+ PSA_KEY_DERIVATION_INPUT_INFO,
+ input2,
+ input2_length));
+ } else if (PSA_ALG_IS_HKDF_EXTRACT(alg)) {
+ PSA_ASSERT(psa_key_derivation_input_bytes(operation,
+ PSA_KEY_DERIVATION_INPUT_SALT,
+ input1, input1_length));
+ status = psa_key_derivation_input_key(operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ key);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
+ } else if (PSA_ALG_IS_HKDF_EXPAND(alg)) {
+ status = psa_key_derivation_input_key(operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ key);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
PSA_ASSERT(psa_key_derivation_input_bytes(operation,
PSA_KEY_DERIVATION_INPUT_INFO,
input2,
@@ -431,9 +539,14 @@ int mbedtls_test_psa_setup_key_derivation_wrap(
PSA_ASSERT(psa_key_derivation_input_bytes(operation,
PSA_KEY_DERIVATION_INPUT_SEED,
input1, input1_length));
- PSA_ASSERT(psa_key_derivation_input_key(operation,
- PSA_KEY_DERIVATION_INPUT_SECRET,
- key));
+ status = psa_key_derivation_input_key(operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ key);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
PSA_ASSERT(psa_key_derivation_input_bytes(operation,
PSA_KEY_DERIVATION_INPUT_LABEL,
input2, input2_length));
@@ -445,9 +558,18 @@ int mbedtls_test_psa_setup_key_derivation_wrap(
PSA_KEY_DERIVATION_INPUT_SALT,
input2,
input2_length));
- PSA_ASSERT(psa_key_derivation_input_key(operation,
- PSA_KEY_DERIVATION_INPUT_PASSWORD,
- key));
+ status = psa_key_derivation_input_key(operation,
+ PSA_KEY_DERIVATION_INPUT_PASSWORD,
+ key);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ return 1;
+ }
+ PSA_ASSERT(status);
+ } else if (alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ PSA_ASSERT(psa_key_derivation_input_bytes(operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ input1, input1_length));
} else {
TEST_FAIL("Key derivation algorithm not supported");
}
@@ -465,7 +587,8 @@ exit:
static int exercise_key_derivation_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char input1[] = "Input 1";
@@ -479,14 +602,20 @@ static int exercise_key_derivation_key(mbedtls_svc_key_id_t key,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
input1, input1_length,
input2, input2_length,
- capacity)) {
+ capacity, key_destroyable)) {
goto exit;
}
- PSA_ASSERT(psa_key_derivation_output_bytes(&operation,
- output,
- capacity));
- PSA_ASSERT(psa_key_derivation_abort(&operation));
+ psa_status_t status = psa_key_derivation_output_bytes(&operation,
+ output,
+ capacity);
+ if (key_destroyable && status == PSA_ERROR_BAD_STATE) {
+ /* The key has been destroyed. */
+ PSA_ASSERT(psa_key_derivation_abort(&operation));
+ } else {
+ PSA_ASSERT(status);
+ PSA_ASSERT(psa_key_derivation_abort(&operation));
+ }
}
return 1;
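Review bot: Accepting `PSA_ERROR_BAD_STATE` from `psa_key_derivation_output_bytes` whenever `key_destroyable` is set also hides a genuine state error in the derivation, and the comment "The key has been destroyed." does not explain why this status is expected rather than `PSA_ERROR_INVALID_HANDLE`. It appears to follow from `mbedtls_test_psa_setup_key_derivation_wrap` returning 1 after a destroyed key without finishing the operation's inputs (see the hunks above). A comment such as `/* Setup returned early because the key was destroyed, so the operation never received its secret input. */` would record that. Both branches also end with the same `PSA_ASSERT(psa_key_derivation_abort(&operation));`, which can be hoisted below an `if (!(key_destroyable && status == PSA_ERROR_BAD_STATE)) { PSA_ASSERT(status); }`.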
@@ -499,31 +628,45 @@ exit:
* private key against its own public key. */
psa_status_t mbedtls_test_psa_key_agreement_with_self(
psa_key_derivation_operation_t *operation,
- mbedtls_svc_key_id_t key)
+ mbedtls_svc_key_id_t key, int key_destroyable)
{
psa_key_type_t private_key_type;
psa_key_type_t public_key_type;
size_t key_bits;
uint8_t *public_key = NULL;
size_t public_key_length;
- /* Return GENERIC_ERROR if something other than the final call to
- * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
- * but it's good enough: callers will report it as a failed test anyway. */
- psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ psa_reset_key_attributes(&attributes);
+ return PSA_SUCCESS;
+ }
+ PSA_ASSERT(status);
+
private_key_type = psa_get_key_type(&attributes);
key_bits = psa_get_key_bits(&attributes);
public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(private_key_type);
public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_key_type, key_bits);
TEST_CALLOC(public_key, public_key_length);
- PSA_ASSERT(psa_export_public_key(key, public_key, public_key_length,
- &public_key_length));
+ status = psa_export_public_key(key, public_key, public_key_length,
+ &public_key_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+ PSA_ASSERT(status);
status = psa_key_derivation_key_agreement(
operation, PSA_KEY_DERIVATION_INPUT_SECRET, key,
public_key, public_key_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ status = PSA_SUCCESS;
+ goto exit;
+ }
exit:
/*
* Key attributes may have been returned by psa_get_key_attributes()
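Review bot: Dropping the `PSA_ERROR_GENERIC_ERROR` initialiser means `status` is `PSA_SUCCESS` once `psa_get_key_attributes` has succeeded. If `TEST_CALLOC` fails and jumps to `exit` (as the removed comment implies it can), the function presumably returns success for a run that never performed the key agreement. Adding `status = PSA_ERROR_GENERIC_ERROR;` right after the first `PSA_ASSERT(status);` restores the previous contract for failures that do not come from a PSA call. The same applies to `mbedtls_test_psa_raw_key_agreement_with_self` in the hunk below. The `return` statement is outside this hunk.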
@@ -539,7 +682,8 @@ exit:
* private key against its own public key. */
psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
psa_algorithm_t alg,
- mbedtls_svc_key_id_t key)
+ mbedtls_svc_key_id_t key,
+ int key_destroyable)
{
psa_key_type_t private_key_type;
psa_key_type_t public_key_type;
@@ -548,25 +692,39 @@ psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
size_t public_key_length;
uint8_t output[1024];
size_t output_length;
- /* Return GENERIC_ERROR if something other than the final call to
- * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
- * but it's good enough: callers will report it as a failed test anyway. */
- psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ psa_reset_key_attributes(&attributes);
+ return PSA_SUCCESS;
+ }
+ PSA_ASSERT(status);
+
private_key_type = psa_get_key_type(&attributes);
key_bits = psa_get_key_bits(&attributes);
public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(private_key_type);
public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(public_key_type, key_bits);
TEST_CALLOC(public_key, public_key_length);
- PSA_ASSERT(psa_export_public_key(key,
- public_key, public_key_length,
- &public_key_length));
+ status = psa_export_public_key(key,
+ public_key, public_key_length,
+ &public_key_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+ PSA_ASSERT(status);
status = psa_raw_key_agreement(alg, key,
public_key, public_key_length,
output, sizeof(output), &output_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ status = PSA_SUCCESS;
+ goto exit;
+ }
if (status == PSA_SUCCESS) {
TEST_ASSERT(output_length <=
PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(private_key_type,
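Review bot: With `status` no longer initialised to `PSA_ERROR_GENERIC_ERROR`, a `TEST_CALLOC` failure jumps to `exit` while `status` still holds the `PSA_SUCCESS` from `psa_get_key_attributes`, so the function would return success after an internal failure (assuming the exit path, which is outside this hunk, returns `status`). The test macro presumably marks the test as failed already, but a caller that looks only at the return value is misled. Setting `status = PSA_ERROR_GENERIC_ERROR;` right after the first `PSA_ASSERT(status);` keeps the old guarantee without touching the destroyed-key paths. The key-derivation variant in the preceding hunk has the same sequence.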
@@ -588,14 +746,16 @@ exit:
static int exercise_raw_key_agreement_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
int ok = 0;
if (usage & PSA_KEY_USAGE_DERIVE) {
/* We need two keys to exercise key agreement. Exercise the
* private key against its own public key. */
- PSA_ASSERT(mbedtls_test_psa_raw_key_agreement_with_self(alg, key));
+ PSA_ASSERT(mbedtls_test_psa_raw_key_agreement_with_self(alg, key,
+ key_destroyable));
}
ok = 1;
@@ -605,7 +765,8 @@ exit:
static int exercise_key_agreement_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char input[1] = { 0 };
@@ -636,7 +797,12 @@ static int exercise_key_agreement_key(mbedtls_svc_key_id_t key,
hash length. Otherwise test should fail with INVALID_ARGUMENT. */
if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ ok = 1;
+ }
+ PSA_ASSERT(status);
size_t key_bits = psa_get_key_bits(&attributes);
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
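Review bot: In the `PSA_ALG_IS_HKDF_EXPAND` branch the destroyed-key case sets `ok = 1` but then falls through to `PSA_ASSERT(status)`, which still sees `PSA_ERROR_INVALID_HANDLE` and fails the test. Every other `key_destroyable` check in this commit leaves the function immediately after recording success, so this one appears to be missing its exit. Adding `psa_reset_key_attributes(&attributes);` and `goto exit;` after `ok = 1;` would match the other sites. The `exit:` label and the rest of `exercise_key_agreement_key` are outside this hunk, so confirm that reaching it with `ok == 1` performs the intended cleanup of `operation`.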
@@ -645,7 +811,8 @@ static int exercise_key_agreement_key(mbedtls_svc_key_id_t key,
}
}
- TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(&operation, key),
+ TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(&operation, key,
+ key_destroyable),
expected_key_agreement_status);
if (expected_key_agreement_status != PSA_SUCCESS) {
@@ -836,7 +1003,8 @@ exit:
}
static int exercise_export_key(mbedtls_svc_key_id_t key,
- psa_key_usage_t usage)
+ psa_key_usage_t usage,
+ int key_destroyable)
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
uint8_t *exported = NULL;
@@ -844,25 +1012,31 @@ static int exercise_export_key(mbedtls_svc_key_id_t key,
size_t exported_length = 0;
int ok = 0;
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ psa_reset_key_attributes(&attributes);
+ return 1;
+ }
+ PSA_ASSERT(status);
exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
psa_get_key_type(&attributes),
psa_get_key_bits(&attributes));
TEST_CALLOC(exported, exported_size);
- if ((usage & PSA_KEY_USAGE_EXPORT) == 0 &&
- !PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_get_key_type(&attributes))) {
- TEST_EQUAL(psa_export_key(key, exported,
- exported_size, &exported_length),
- PSA_ERROR_NOT_PERMITTED);
+ status = psa_export_key(key, exported, exported_size, &exported_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ ok = 1;
+ goto exit;
+ } else if ((usage & PSA_KEY_USAGE_EXPORT) == 0 &&
+ !PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_get_key_type(&attributes))) {
+ TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
ok = 1;
goto exit;
}
-
- PSA_ASSERT(psa_export_key(key,
- exported, exported_size,
- &exported_length));
+ PSA_ASSERT(status);
ok = mbedtls_test_psa_exported_key_sanity_check(
psa_get_key_type(&attributes), psa_get_key_bits(&attributes),
exported, exported_length);
@@ -878,7 +1052,8 @@ exit:
return ok;
}
-static int exercise_export_public_key(mbedtls_svc_key_id_t key)
+static int exercise_export_public_key(mbedtls_svc_key_id_t key,
+ int key_destroyable)
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t public_type;
@@ -887,16 +1062,27 @@ static int exercise_export_public_key(mbedtls_svc_key_id_t key)
size_t exported_length = 0;
int ok = 0;
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ psa_status_t status = psa_get_key_attributes(key, &attributes);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ psa_reset_key_attributes(&attributes);
+ return 1;
+ }
+ PSA_ASSERT(status);
if (!PSA_KEY_TYPE_IS_ASYMMETRIC(psa_get_key_type(&attributes))) {
exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
psa_get_key_type(&attributes),
psa_get_key_bits(&attributes));
TEST_CALLOC(exported, exported_size);
- TEST_EQUAL(psa_export_public_key(key, exported,
- exported_size, &exported_length),
- PSA_ERROR_INVALID_ARGUMENT);
+ status = psa_export_public_key(key, exported,
+ exported_size, &exported_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ ok = 1;
+ goto exit;
+ }
+ TEST_EQUAL(status, PSA_ERROR_INVALID_ARGUMENT);
ok = 1;
goto exit;
}
@@ -907,9 +1093,14 @@ static int exercise_export_public_key(mbedtls_svc_key_id_t key)
psa_get_key_bits(&attributes));
TEST_CALLOC(exported, exported_size);
- PSA_ASSERT(psa_export_public_key(key,
- exported, exported_size,
- &exported_length));
+ status = psa_export_public_key(key, exported,
+ exported_size, &exported_length);
+ if (key_destroyable && status == PSA_ERROR_INVALID_HANDLE) {
+ /* The key has been destroyed. */
+ ok = 1;
+ goto exit;
+ }
+ PSA_ASSERT(status);
ok = mbedtls_test_psa_exported_key_sanity_check(
public_type, psa_get_key_bits(&attributes),
exported, exported_length);
@@ -927,38 +1118,43 @@ exit:
int mbedtls_test_psa_exercise_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
- psa_algorithm_t alg)
+ psa_algorithm_t alg,
+ int key_destroyable)
{
int ok = 0;
- if (!check_key_attributes_sanity(key)) {
+ if (!check_key_attributes_sanity(key, key_destroyable)) {
return 0;
}
if (alg == 0) {
ok = 1; /* If no algorithm, do nothing (used for raw data "keys"). */
} else if (PSA_ALG_IS_MAC(alg)) {
- ok = exercise_mac_key(key, usage, alg);
+ ok = exercise_mac_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_CIPHER(alg)) {
- ok = exercise_cipher_key(key, usage, alg);
+ ok = exercise_cipher_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_AEAD(alg)) {
- ok = exercise_aead_key(key, usage, alg);
+ ok = exercise_aead_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_SIGN(alg)) {
- ok = exercise_signature_key(key, usage, alg);
+ ok = exercise_signature_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg)) {
- ok = exercise_asymmetric_encryption_key(key, usage, alg);
+ ok = exercise_asymmetric_encryption_key(key, usage, alg,
+ key_destroyable);
} else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
- ok = exercise_key_derivation_key(key, usage, alg);
+ ok = exercise_key_derivation_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
- ok = exercise_raw_key_agreement_key(key, usage, alg);
+ ok = exercise_raw_key_agreement_key(key, usage, alg, key_destroyable);
} else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
- ok = exercise_key_agreement_key(key, usage, alg);
+ ok = exercise_key_agreement_key(key, usage, alg, key_destroyable);
} else {
TEST_FAIL("No code to exercise this category of algorithm");
}
- ok = ok && exercise_export_key(key, usage);
- ok = ok && exercise_export_public_key(key);
+ ok = ok && exercise_export_key(key,
+ usage,
+ key_destroyable);
+ ok = ok && exercise_export_public_key(key,
+ key_destroyable);
exit:
return ok;
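Review bot: The new `key_destroyable` parameter changes what a passing result means, and nothing in this hunk documents it. When it is nonzero, the helpers visible in this diff accept `PSA_ERROR_INVALID_HANDLE` as success, so a handle that was never valid is indistinguishable from a key destroyed during the test. A comment above the definition (or on the prototype, if that is where this API is documented) would make this explicit, e.g. `/* key_destroyable: nonzero if the key may be destroyed while it is exercised; PSA_ERROR_INVALID_HANDLE is then accepted as success. */`. The function's closing brace is outside the hunk.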
@@ -998,4 +1194,142 @@ psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type,
}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg)
+{
+ /* Reject algorithms that we know are not supported. Default to
+ * attempting exercise, so that if an algorithm is missing from this
+ * function, the result will be a test failure and not silently
+ * omitting exercise. */
+#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT)
+ if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_ECDSA)
+ if (PSA_ALG_IS_ECDSA(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+ if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_ECDH)
+ if (PSA_ALG_IS_ECDH(alg)) {
+ return 0;
+ }
+#endif
+ (void) alg;
+ return 1;
+}
+
+#if defined(MBEDTLS_PK_C)
+int mbedtls_test_key_consistency_psa_pk(mbedtls_svc_key_id_t psa_key,
+ const mbedtls_pk_context *pk)
+{
+ psa_key_attributes_t psa_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t pk_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ int ok = 0;
+
+ PSA_ASSERT(psa_get_key_attributes(psa_key, &psa_attributes));
+ psa_key_type_t psa_type = psa_get_key_type(&psa_attributes);
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+ TEST_ASSERT(PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_type) ||
+ PSA_KEY_TYPE_IS_KEY_PAIR(psa_type));
+ TEST_EQUAL(psa_get_key_bits(&psa_attributes), mbedtls_pk_get_bitlen(pk));
+
+ uint8_t pk_public_buffer[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ const uint8_t *pk_public = NULL;
+ size_t pk_public_length = 0;
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ TEST_ASSERT(PSA_KEY_TYPE_IS_RSA(psa_type));
+ const mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ uint8_t *const end = pk_public_buffer + sizeof(pk_public_buffer);
+ uint8_t *cursor = end;
+ TEST_LE_U(1, mbedtls_rsa_write_pubkey(rsa,
+ pk_public_buffer, &cursor));
+ pk_public = cursor;
+ pk_public_length = end - pk_public;
+ break;
+#endif
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(psa_type));
+ TEST_EQUAL(PSA_KEY_TYPE_ECC_GET_FAMILY(psa_type), pk->ec_family);
+ pk_public = pk->pub_raw;
+ pk_public_length = pk->pub_raw_len;
+ break;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(psa_get_key_type(&psa_attributes)));
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ TEST_EQUAL(mbedtls_ecp_write_public_key(
+ ec, MBEDTLS_ECP_PF_UNCOMPRESSED, &pk_public_length,
+ pk_public_buffer, sizeof(pk_public_buffer)), 0);
+ pk_public = pk_public_buffer;
+ break;
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ PSA_ASSERT(psa_get_key_attributes(pk->priv_id, &pk_attributes));
+ psa_key_type_t pk_psa_type = psa_get_key_type(&pk_attributes);
+ TEST_EQUAL(PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(psa_type),
+ PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(pk_psa_type));
+ PSA_ASSERT(psa_export_public_key(psa_key,
+ pk_public_buffer,
+ sizeof(pk_public_buffer),
+ &pk_public_length));
+ pk_public = pk_public_buffer;
+ break;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ TEST_FAIL("pk type not supported");
+ }
+
+ uint8_t psa_public[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ size_t psa_public_length = 0;
+ PSA_ASSERT(psa_export_public_key(psa_key,
+ psa_public, sizeof(psa_public),
+ &psa_public_length));
+ TEST_MEMORY_COMPARE(pk_public, pk_public_length,
+ psa_public, psa_public_length);
+
+ ok = 1;
+
+exit:
+ psa_reset_key_attributes(&psa_attributes);
+ psa_reset_key_attributes(&pk_attributes);
+ return ok;
+}
+#endif /* MBEDTLS_PK_C */
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
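Review bot: In the `MBEDTLS_PK_OPAQUE` case of `mbedtls_test_key_consistency_psa_pk` the reference key is exported from `psa_key` rather than from `pk->priv_id`, so the final `TEST_MEMORY_COMPARE` compares `psa_key`'s public key with itself and cannot detect a mismatch; the call should read `psa_export_public_key(pk->priv_id, pk_public_buffer, sizeof(pk_public_buffer), &pk_public_length)`. In the RSA case, `TEST_LE_U(1, mbedtls_rsa_write_pubkey(...))` compares as unsigned, so if that function reports errors as negative values (its declaration is not on this page) a failure would convert to a large unsigned number and pass; `TEST_LE_S` would be the safer check, assuming the signed variant is available in this tree. The declarations that directly follow statements under `case` labels (`rsa`, `end`, `cursor`, `ec`, `pk_psa_type`) would also read better inside a braced block per case.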
diff --git a/tests/src/psa_memory_poisoning_wrappers.c b/tests/src/psa_memory_poisoning_wrappers.c
new file mode 100644
index 0000000..05cba18
--- /dev/null
+++ b/tests/src/psa_memory_poisoning_wrappers.c
@@ -0,0 +1,31 @@
+/** Helper functions for memory poisoning in tests.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "test/memory.h"
+
+#include "psa_crypto_invasive.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C) \
+ && defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+
+void mbedtls_poison_test_hooks_setup(void)
+{
+ psa_input_pre_copy_hook = mbedtls_test_memory_unpoison;
+ psa_input_post_copy_hook = mbedtls_test_memory_poison;
+ psa_output_pre_copy_hook = mbedtls_test_memory_unpoison;
+ psa_output_post_copy_hook = mbedtls_test_memory_poison;
+}
+
+void mbedtls_poison_test_hooks_teardown(void)
+{
+ psa_input_pre_copy_hook = NULL;
+ psa_input_post_copy_hook = NULL;
+ psa_output_pre_copy_hook = NULL;
+ psa_output_post_copy_hook = NULL;
+}
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C &&
+ MBEDTLS_TEST_MEMORY_CAN_POISON */
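Review bot: Neither `mbedtls_poison_test_hooks_setup` nor `mbedtls_poison_test_hooks_teardown` says why the pre-copy hooks unpoison and the post-copy hooks poison, which is the whole point of the file. Going by the hook names, the intent appears to be that a caller buffer is accessible only while the library copies it, so any other direct access is reported by the sanitizer. A comment on the setup function would record that, e.g. `/* Unpoison a caller buffer only for the duration of the library's copy; it is re-poisoned afterwards so any other access is caught. */`. It would also help to note on the teardown function that the four hook pointers are plain globals, so setup and teardown must not run while another thread is inside a PSA call, if that is indeed a constraint here.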
diff --git a/tests/src/psa_test_wrappers.c b/tests/src/psa_test_wrappers.c
new file mode 100644
index 0000000..24e05c8
--- /dev/null
+++ b/tests/src/psa_test_wrappers.c
@@ -0,0 +1,1353 @@
+/* Automatically generated by generate_psa_wrappers.py, do not edit! */
+
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <mbedtls/build_info.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_TEST_HOOKS) && \
+ !defined(RECORD_PSA_STATUS_COVERAGE_LOG)
+
+#include <psa/crypto.h>
+
+#include <test/memory.h>
+#include <test/psa_crypto_helpers.h>
+#include <test/psa_test_wrappers.h>
+
+/* Wrapper for mbedtls_psa_inject_entropy */
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_inject_entropy(
+ const uint8_t *arg0_seed,
+ size_t arg1_seed_size)
+{
+ psa_status_t status = (mbedtls_psa_inject_entropy)(arg0_seed, arg1_seed_size);
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_INJECT_ENTROPY) */
+
+/* Wrapper for mbedtls_psa_platform_get_builtin_key */
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_platform_get_builtin_key(
+ mbedtls_svc_key_id_t arg0_key_id,
+ psa_key_lifetime_t *arg1_lifetime,
+ psa_drv_slot_number_t *arg2_slot_number)
+{
+ psa_status_t status = (mbedtls_psa_platform_get_builtin_key)(arg0_key_id, arg1_lifetime, arg2_slot_number);
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) */
+
+/* Wrapper for mbedtls_psa_register_se_key */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_test_wrap_mbedtls_psa_register_se_key(
+ const psa_key_attributes_t *arg0_attributes)
+{
+ psa_status_t status = (mbedtls_psa_register_se_key)(arg0_attributes);
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_CRYPTO_SE_C) */
+
+/* Wrapper for psa_aead_abort */
+psa_status_t mbedtls_test_wrap_psa_aead_abort(
+ psa_aead_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_aead_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_aead_decrypt */
+psa_status_t mbedtls_test_wrap_psa_aead_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_nonce,
+ size_t arg3_nonce_length,
+ const uint8_t *arg4_additional_data,
+ size_t arg5_additional_data_length,
+ const uint8_t *arg6_ciphertext,
+ size_t arg7_ciphertext_length,
+ uint8_t *arg8_plaintext,
+ size_t arg9_plaintext_size,
+ size_t *arg10_plaintext_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_nonce, arg3_nonce_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_additional_data, arg5_additional_data_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg6_ciphertext, arg7_ciphertext_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg8_plaintext, arg9_plaintext_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_decrypt)(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_ciphertext, arg7_ciphertext_length, arg8_plaintext, arg9_plaintext_size, arg10_plaintext_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_nonce, arg3_nonce_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_additional_data, arg5_additional_data_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg6_ciphertext, arg7_ciphertext_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg8_plaintext, arg9_plaintext_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_decrypt_setup */
+psa_status_t mbedtls_test_wrap_psa_aead_decrypt_setup(
+ psa_aead_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_aead_decrypt_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_aead_encrypt */
+psa_status_t mbedtls_test_wrap_psa_aead_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_nonce,
+ size_t arg3_nonce_length,
+ const uint8_t *arg4_additional_data,
+ size_t arg5_additional_data_length,
+ const uint8_t *arg6_plaintext,
+ size_t arg7_plaintext_length,
+ uint8_t *arg8_ciphertext,
+ size_t arg9_ciphertext_size,
+ size_t *arg10_ciphertext_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_nonce, arg3_nonce_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_additional_data, arg5_additional_data_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg6_plaintext, arg7_plaintext_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg8_ciphertext, arg9_ciphertext_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_encrypt)(arg0_key, arg1_alg, arg2_nonce, arg3_nonce_length, arg4_additional_data, arg5_additional_data_length, arg6_plaintext, arg7_plaintext_length, arg8_ciphertext, arg9_ciphertext_size, arg10_ciphertext_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_nonce, arg3_nonce_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_additional_data, arg5_additional_data_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg6_plaintext, arg7_plaintext_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg8_ciphertext, arg9_ciphertext_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_encrypt_setup */
+psa_status_t mbedtls_test_wrap_psa_aead_encrypt_setup(
+ psa_aead_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_aead_encrypt_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_aead_finish */
+psa_status_t mbedtls_test_wrap_psa_aead_finish(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_ciphertext,
+ size_t arg2_ciphertext_size,
+ size_t *arg3_ciphertext_length,
+ uint8_t *arg4_tag,
+ size_t arg5_tag_size,
+ size_t *arg6_tag_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_ciphertext, arg2_ciphertext_size);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_tag, arg5_tag_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_finish)(arg0_operation, arg1_ciphertext, arg2_ciphertext_size, arg3_ciphertext_length, arg4_tag, arg5_tag_size, arg6_tag_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_ciphertext, arg2_ciphertext_size);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_tag, arg5_tag_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_generate_nonce */
+psa_status_t mbedtls_test_wrap_psa_aead_generate_nonce(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_nonce,
+ size_t arg2_nonce_size,
+ size_t *arg3_nonce_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_nonce, arg2_nonce_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_generate_nonce)(arg0_operation, arg1_nonce, arg2_nonce_size, arg3_nonce_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_nonce, arg2_nonce_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_set_lengths */
+psa_status_t mbedtls_test_wrap_psa_aead_set_lengths(
+ psa_aead_operation_t *arg0_operation,
+ size_t arg1_ad_length,
+ size_t arg2_plaintext_length)
+{
+ psa_status_t status = (psa_aead_set_lengths)(arg0_operation, arg1_ad_length, arg2_plaintext_length);
+ return status;
+}
+
+/* Wrapper for psa_aead_set_nonce */
+psa_status_t mbedtls_test_wrap_psa_aead_set_nonce(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_nonce,
+ size_t arg2_nonce_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_nonce, arg2_nonce_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_set_nonce)(arg0_operation, arg1_nonce, arg2_nonce_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_nonce, arg2_nonce_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_update */
+psa_status_t mbedtls_test_wrap_psa_aead_update(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_output,
+ size_t arg4_output_size,
+ size_t *arg5_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg3_output, arg4_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_update)(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_output, arg4_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_update_ad */
+psa_status_t mbedtls_test_wrap_psa_aead_update_ad(
+ psa_aead_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_update_ad)(arg0_operation, arg1_input, arg2_input_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_aead_verify */
+psa_status_t mbedtls_test_wrap_psa_aead_verify(
+ psa_aead_operation_t *arg0_operation,
+ uint8_t *arg1_plaintext,
+ size_t arg2_plaintext_size,
+ size_t *arg3_plaintext_length,
+ const uint8_t *arg4_tag,
+ size_t arg5_tag_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_plaintext, arg2_plaintext_size);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_tag, arg5_tag_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_aead_verify)(arg0_operation, arg1_plaintext, arg2_plaintext_size, arg3_plaintext_length, arg4_tag, arg5_tag_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_plaintext, arg2_plaintext_size);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_tag, arg5_tag_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_asymmetric_decrypt */
+psa_status_t mbedtls_test_wrap_psa_asymmetric_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_salt,
+ size_t arg5_salt_length,
+ uint8_t *arg6_output,
+ size_t arg7_output_size,
+ size_t *arg8_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_salt, arg5_salt_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg6_output, arg7_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_asymmetric_decrypt)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_salt, arg5_salt_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg6_output, arg7_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_asymmetric_encrypt */
+psa_status_t mbedtls_test_wrap_psa_asymmetric_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_salt,
+ size_t arg5_salt_length,
+ uint8_t *arg6_output,
+ size_t arg7_output_size,
+ size_t *arg8_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_salt, arg5_salt_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg6_output, arg7_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_asymmetric_encrypt)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_salt, arg5_salt_length, arg6_output, arg7_output_size, arg8_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_salt, arg5_salt_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg6_output, arg7_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_abort */
+psa_status_t mbedtls_test_wrap_psa_cipher_abort(
+ psa_cipher_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_cipher_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_cipher_decrypt */
+psa_status_t mbedtls_test_wrap_psa_cipher_decrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_decrypt)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_decrypt_setup */
+psa_status_t mbedtls_test_wrap_psa_cipher_decrypt_setup(
+ psa_cipher_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_cipher_decrypt_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_cipher_encrypt */
+psa_status_t mbedtls_test_wrap_psa_cipher_encrypt(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_encrypt)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_output, arg5_output_size, arg6_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_encrypt_setup */
+psa_status_t mbedtls_test_wrap_psa_cipher_encrypt_setup(
+ psa_cipher_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_cipher_encrypt_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_cipher_finish */
+psa_status_t mbedtls_test_wrap_psa_cipher_finish(
+ psa_cipher_operation_t *arg0_operation,
+ uint8_t *arg1_output,
+ size_t arg2_output_size,
+ size_t *arg3_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_output, arg2_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_finish)(arg0_operation, arg1_output, arg2_output_size, arg3_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_output, arg2_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_generate_iv */
+psa_status_t mbedtls_test_wrap_psa_cipher_generate_iv(
+ psa_cipher_operation_t *arg0_operation,
+ uint8_t *arg1_iv,
+ size_t arg2_iv_size,
+ size_t *arg3_iv_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_iv, arg2_iv_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_generate_iv)(arg0_operation, arg1_iv, arg2_iv_size, arg3_iv_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_iv, arg2_iv_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_set_iv */
+psa_status_t mbedtls_test_wrap_psa_cipher_set_iv(
+ psa_cipher_operation_t *arg0_operation,
+ const uint8_t *arg1_iv,
+ size_t arg2_iv_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_iv, arg2_iv_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_set_iv)(arg0_operation, arg1_iv, arg2_iv_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_iv, arg2_iv_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_cipher_update */
+psa_status_t mbedtls_test_wrap_psa_cipher_update(
+ psa_cipher_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_output,
+ size_t arg4_output_size,
+ size_t *arg5_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg3_output, arg4_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_cipher_update)(arg0_operation, arg1_input, arg2_input_length, arg3_output, arg4_output_size, arg5_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_output, arg4_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_copy_key */
+psa_status_t mbedtls_test_wrap_psa_copy_key(
+ mbedtls_svc_key_id_t arg0_source_key,
+ const psa_key_attributes_t *arg1_attributes,
+ mbedtls_svc_key_id_t *arg2_target_key)
+{
+ psa_status_t status = (psa_copy_key)(arg0_source_key, arg1_attributes, arg2_target_key);
+ return status;
+}
+
+/* Wrapper for psa_crypto_driver_pake_get_cipher_suite */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ psa_pake_cipher_suite_t *arg1_cipher_suite)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_cipher_suite)(arg0_inputs, arg1_cipher_suite);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_password */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_buffer,
+ size_t arg2_buffer_size,
+ size_t *arg3_buffer_length)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_password)(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_password_len */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_password_len)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_password_len)(arg0_inputs, arg1_password_len);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_peer */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_peer_id,
+ size_t arg2_peer_id_size,
+ size_t *arg3_peer_id_length)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_peer)(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_peer_len */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_peer_len)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_peer_len)(arg0_inputs, arg1_peer_len);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_user */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ uint8_t *arg1_user_id,
+ size_t arg2_user_id_size,
+ size_t *arg3_user_id_len)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_user)(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_driver_pake_get_user_len */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len(
+ const psa_crypto_driver_pake_inputs_t *arg0_inputs,
+ size_t *arg1_user_len)
+{
+ psa_status_t status = (psa_crypto_driver_pake_get_user_len)(arg0_inputs, arg1_user_len);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_crypto_init */
+psa_status_t mbedtls_test_wrap_psa_crypto_init(void)
+{
+ psa_status_t status = (psa_crypto_init)();
+ return status;
+}
+
+/* Wrapper for psa_destroy_key */
+psa_status_t mbedtls_test_wrap_psa_destroy_key(
+ mbedtls_svc_key_id_t arg0_key)
+{
+ psa_status_t status = (psa_destroy_key)(arg0_key);
+ return status;
+}
+
+/* Wrapper for psa_export_key */
+psa_status_t mbedtls_test_wrap_psa_export_key(
+ mbedtls_svc_key_id_t arg0_key,
+ uint8_t *arg1_data,
+ size_t arg2_data_size,
+ size_t *arg3_data_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_data, arg2_data_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_export_key)(arg0_key, arg1_data, arg2_data_size, arg3_data_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_data, arg2_data_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_export_public_key */
+psa_status_t mbedtls_test_wrap_psa_export_public_key(
+ mbedtls_svc_key_id_t arg0_key,
+ uint8_t *arg1_data,
+ size_t arg2_data_size,
+ size_t *arg3_data_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_data, arg2_data_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_export_public_key)(arg0_key, arg1_data, arg2_data_size, arg3_data_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_data, arg2_data_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_generate_key */
+psa_status_t mbedtls_test_wrap_psa_generate_key(
+ const psa_key_attributes_t *arg0_attributes,
+ mbedtls_svc_key_id_t *arg1_key)
+{
+ psa_status_t status = (psa_generate_key)(arg0_attributes, arg1_key);
+ return status;
+}
+
+/* Wrapper for psa_generate_key_ext */
+psa_status_t mbedtls_test_wrap_psa_generate_key_ext(
+ const psa_key_attributes_t *arg0_attributes,
+ const psa_key_production_parameters_t *arg1_params,
+ size_t arg2_params_data_length,
+ mbedtls_svc_key_id_t *arg3_key)
+{
+ psa_status_t status = (psa_generate_key_ext)(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key);
+ return status;
+}
+
+/* Wrapper for psa_generate_random */
+psa_status_t mbedtls_test_wrap_psa_generate_random(
+ uint8_t *arg0_output,
+ size_t arg1_output_size)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg0_output, arg1_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_generate_random)(arg0_output, arg1_output_size);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg0_output, arg1_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_get_key_attributes */
+psa_status_t mbedtls_test_wrap_psa_get_key_attributes(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_key_attributes_t *arg1_attributes)
+{
+ psa_status_t status = (psa_get_key_attributes)(arg0_key, arg1_attributes);
+ return status;
+}
+
+/* Wrapper for psa_hash_abort */
+psa_status_t mbedtls_test_wrap_psa_hash_abort(
+ psa_hash_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_hash_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_hash_clone */
+psa_status_t mbedtls_test_wrap_psa_hash_clone(
+ const psa_hash_operation_t *arg0_source_operation,
+ psa_hash_operation_t *arg1_target_operation)
+{
+ psa_status_t status = (psa_hash_clone)(arg0_source_operation, arg1_target_operation);
+ return status;
+}
+
+/* Wrapper for psa_hash_compare */
+psa_status_t mbedtls_test_wrap_psa_hash_compare(
+ psa_algorithm_t arg0_alg,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg3_hash, arg4_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_hash_compare)(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_hash, arg4_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_hash_compute */
+psa_status_t mbedtls_test_wrap_psa_hash_compute(
+ psa_algorithm_t arg0_alg,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length,
+ uint8_t *arg3_hash,
+ size_t arg4_hash_size,
+ size_t *arg5_hash_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg3_hash, arg4_hash_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_hash_compute)(arg0_alg, arg1_input, arg2_input_length, arg3_hash, arg4_hash_size, arg5_hash_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_hash, arg4_hash_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_hash_finish */
+psa_status_t mbedtls_test_wrap_psa_hash_finish(
+ psa_hash_operation_t *arg0_operation,
+ uint8_t *arg1_hash,
+ size_t arg2_hash_size,
+ size_t *arg3_hash_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_hash, arg2_hash_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_hash_finish)(arg0_operation, arg1_hash, arg2_hash_size, arg3_hash_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_hash, arg2_hash_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_hash_setup */
+psa_status_t mbedtls_test_wrap_psa_hash_setup(
+ psa_hash_operation_t *arg0_operation,
+ psa_algorithm_t arg1_alg)
+{
+ psa_status_t status = (psa_hash_setup)(arg0_operation, arg1_alg);
+ return status;
+}
+
+/* Wrapper for psa_hash_update */
+psa_status_t mbedtls_test_wrap_psa_hash_update(
+ psa_hash_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_hash_update)(arg0_operation, arg1_input, arg2_input_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_hash_verify */
+psa_status_t mbedtls_test_wrap_psa_hash_verify(
+ psa_hash_operation_t *arg0_operation,
+ const uint8_t *arg1_hash,
+ size_t arg2_hash_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_hash, arg2_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_hash_verify)(arg0_operation, arg1_hash, arg2_hash_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_hash, arg2_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_import_key */
+psa_status_t mbedtls_test_wrap_psa_import_key(
+ const psa_key_attributes_t *arg0_attributes,
+ const uint8_t *arg1_data,
+ size_t arg2_data_length,
+ mbedtls_svc_key_id_t *arg3_key)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_data, arg2_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_import_key)(arg0_attributes, arg1_data, arg2_data_length, arg3_key);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_data, arg2_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_abort */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_abort(
+ psa_key_derivation_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_key_derivation_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_get_capacity */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *arg0_operation,
+ size_t *arg1_capacity)
+{
+ psa_status_t status = (psa_key_derivation_get_capacity)(arg0_operation, arg1_capacity);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_input_bytes */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ const uint8_t *arg2_data,
+ size_t arg3_data_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_data, arg3_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_key_derivation_input_bytes)(arg0_operation, arg1_step, arg2_data, arg3_data_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_data, arg3_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_input_integer */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ uint64_t arg2_value)
+{
+ psa_status_t status = (psa_key_derivation_input_integer)(arg0_operation, arg1_step, arg2_value);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_input_key */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ mbedtls_svc_key_id_t arg2_key)
+{
+ psa_status_t status = (psa_key_derivation_input_key)(arg0_operation, arg1_step, arg2_key);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_key_agreement */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_key_derivation_step_t arg1_step,
+ mbedtls_svc_key_id_t arg2_private_key,
+ const uint8_t *arg3_peer_key,
+ size_t arg4_peer_key_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg3_peer_key, arg4_peer_key_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_key_derivation_key_agreement)(arg0_operation, arg1_step, arg2_private_key, arg3_peer_key, arg4_peer_key_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_peer_key, arg4_peer_key_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_output_bytes */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *arg0_operation,
+ uint8_t *arg1_output,
+ size_t arg2_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_output, arg2_output_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_key_derivation_output_bytes)(arg0_operation, arg1_output, arg2_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_output, arg2_output_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_output_key */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ mbedtls_svc_key_id_t *arg2_key)
+{
+ psa_status_t status = (psa_key_derivation_output_key)(arg0_attributes, arg1_operation, arg2_key);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_output_key_ext */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ const psa_key_production_parameters_t *arg2_params,
+ size_t arg3_params_data_length,
+ mbedtls_svc_key_id_t *arg4_key)
+{
+ psa_status_t status = (psa_key_derivation_output_key_ext)(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_set_capacity */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *arg0_operation,
+ size_t arg1_capacity)
+{
+ psa_status_t status = (psa_key_derivation_set_capacity)(arg0_operation, arg1_capacity);
+ return status;
+}
+
+/* Wrapper for psa_key_derivation_setup */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_setup(
+ psa_key_derivation_operation_t *arg0_operation,
+ psa_algorithm_t arg1_alg)
+{
+ psa_status_t status = (psa_key_derivation_setup)(arg0_operation, arg1_alg);
+ return status;
+}
+
+/* Wrapper for psa_mac_abort */
+psa_status_t mbedtls_test_wrap_psa_mac_abort(
+ psa_mac_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_mac_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_mac_compute */
+psa_status_t mbedtls_test_wrap_psa_mac_compute(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_mac,
+ size_t arg5_mac_size,
+ size_t *arg6_mac_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_mac, arg5_mac_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_mac_compute)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_size, arg6_mac_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_mac, arg5_mac_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_mac_sign_finish */
+psa_status_t mbedtls_test_wrap_psa_mac_sign_finish(
+ psa_mac_operation_t *arg0_operation,
+ uint8_t *arg1_mac,
+ size_t arg2_mac_size,
+ size_t *arg3_mac_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_mac, arg2_mac_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_mac_sign_finish)(arg0_operation, arg1_mac, arg2_mac_size, arg3_mac_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_mac, arg2_mac_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_mac_sign_setup */
+psa_status_t mbedtls_test_wrap_psa_mac_sign_setup(
+ psa_mac_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_mac_sign_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_mac_update */
+psa_status_t mbedtls_test_wrap_psa_mac_update(
+ psa_mac_operation_t *arg0_operation,
+ const uint8_t *arg1_input,
+ size_t arg2_input_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_mac_update)(arg0_operation, arg1_input, arg2_input_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_input, arg2_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_mac_verify */
+psa_status_t mbedtls_test_wrap_psa_mac_verify(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_mac,
+ size_t arg5_mac_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_mac, arg5_mac_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_mac_verify)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_mac, arg5_mac_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_mac, arg5_mac_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_mac_verify_finish */
+psa_status_t mbedtls_test_wrap_psa_mac_verify_finish(
+ psa_mac_operation_t *arg0_operation,
+ const uint8_t *arg1_mac,
+ size_t arg2_mac_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_mac, arg2_mac_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_mac_verify_finish)(arg0_operation, arg1_mac, arg2_mac_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_mac, arg2_mac_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_mac_verify_setup */
+psa_status_t mbedtls_test_wrap_psa_mac_verify_setup(
+ psa_mac_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg)
+{
+ psa_status_t status = (psa_mac_verify_setup)(arg0_operation, arg1_key, arg2_alg);
+ return status;
+}
+
+/* Wrapper for psa_pake_abort */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_abort(
+ psa_pake_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_pake_abort)(arg0_operation);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_get_implicit_key */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_get_implicit_key(
+ psa_pake_operation_t *arg0_operation,
+ psa_key_derivation_operation_t *arg1_output)
+{
+ psa_status_t status = (psa_pake_get_implicit_key)(arg0_operation, arg1_output);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_input */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_input(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_step_t arg1_step,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_pake_input)(arg0_operation, arg1_step, arg2_input, arg3_input_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_output */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_output(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_step_t arg1_step,
+ uint8_t *arg2_output,
+ size_t arg3_output_size,
+ size_t *arg4_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_output, arg3_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_pake_output)(arg0_operation, arg1_step, arg2_output, arg3_output_size, arg4_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_output, arg3_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_set_password_key */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_password_key(
+ psa_pake_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_password)
+{
+ psa_status_t status = (psa_pake_set_password_key)(arg0_operation, arg1_password);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_set_peer */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_peer(
+ psa_pake_operation_t *arg0_operation,
+ const uint8_t *arg1_peer_id,
+ size_t arg2_peer_id_len)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_peer_id, arg2_peer_id_len);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_pake_set_peer)(arg0_operation, arg1_peer_id, arg2_peer_id_len);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_peer_id, arg2_peer_id_len);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_set_role */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_role(
+ psa_pake_operation_t *arg0_operation,
+ psa_pake_role_t arg1_role)
+{
+ psa_status_t status = (psa_pake_set_role)(arg0_operation, arg1_role);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_set_user */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_set_user(
+ psa_pake_operation_t *arg0_operation,
+ const uint8_t *arg1_user_id,
+ size_t arg2_user_id_len)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_user_id, arg2_user_id_len);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_pake_set_user)(arg0_operation, arg1_user_id, arg2_user_id_len);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_user_id, arg2_user_id_len);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_pake_setup */
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t mbedtls_test_wrap_psa_pake_setup(
+ psa_pake_operation_t *arg0_operation,
+ const psa_pake_cipher_suite_t *arg1_cipher_suite)
+{
+ psa_status_t status = (psa_pake_setup)(arg0_operation, arg1_cipher_suite);
+ return status;
+}
+#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */
+
+/* Wrapper for psa_purge_key */
+psa_status_t mbedtls_test_wrap_psa_purge_key(
+ mbedtls_svc_key_id_t arg0_key)
+{
+ psa_status_t status = (psa_purge_key)(arg0_key);
+ return status;
+}
+
+/* Wrapper for psa_raw_key_agreement */
+psa_status_t mbedtls_test_wrap_psa_raw_key_agreement(
+ psa_algorithm_t arg0_alg,
+ mbedtls_svc_key_id_t arg1_private_key,
+ const uint8_t *arg2_peer_key,
+ size_t arg3_peer_key_length,
+ uint8_t *arg4_output,
+ size_t arg5_output_size,
+ size_t *arg6_output_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_peer_key, arg3_peer_key_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_raw_key_agreement)(arg0_alg, arg1_private_key, arg2_peer_key, arg3_peer_key_length, arg4_output, arg5_output_size, arg6_output_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_peer_key, arg3_peer_key_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_output, arg5_output_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_sign_hash */
+psa_status_t mbedtls_test_wrap_psa_sign_hash(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_hash,
+ size_t arg3_hash_length,
+ uint8_t *arg4_signature,
+ size_t arg5_signature_size,
+ size_t *arg6_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_hash, arg3_hash_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_signature, arg5_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_sign_hash)(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_size, arg6_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_hash, arg3_hash_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_signature, arg5_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_sign_hash_abort */
+psa_status_t mbedtls_test_wrap_psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_sign_hash_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_sign_hash_complete */
+psa_status_t mbedtls_test_wrap_psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *arg0_operation,
+ uint8_t *arg1_signature,
+ size_t arg2_signature_size,
+ size_t *arg3_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg1_signature, arg2_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_sign_hash_complete)(arg0_operation, arg1_signature, arg2_signature_size, arg3_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg1_signature, arg2_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_sign_hash_start */
+psa_status_t mbedtls_test_wrap_psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg3_hash, arg4_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_sign_hash_start)(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_hash, arg4_hash_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_sign_message */
+psa_status_t mbedtls_test_wrap_psa_sign_message(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ uint8_t *arg4_signature,
+ size_t arg5_signature_size,
+ size_t *arg6_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_signature, arg5_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_sign_message)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_size, arg6_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_signature, arg5_signature_size);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_verify_hash */
+psa_status_t mbedtls_test_wrap_psa_verify_hash(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_hash,
+ size_t arg3_hash_length,
+ const uint8_t *arg4_signature,
+ size_t arg5_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_hash, arg3_hash_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_signature, arg5_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_verify_hash)(arg0_key, arg1_alg, arg2_hash, arg3_hash_length, arg4_signature, arg5_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_hash, arg3_hash_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_signature, arg5_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_verify_hash_abort */
+psa_status_t mbedtls_test_wrap_psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_verify_hash_abort)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_verify_hash_complete */
+psa_status_t mbedtls_test_wrap_psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *arg0_operation)
+{
+ psa_status_t status = (psa_verify_hash_complete)(arg0_operation);
+ return status;
+}
+
+/* Wrapper for psa_verify_hash_start */
+psa_status_t mbedtls_test_wrap_psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *arg0_operation,
+ mbedtls_svc_key_id_t arg1_key,
+ psa_algorithm_t arg2_alg,
+ const uint8_t *arg3_hash,
+ size_t arg4_hash_length,
+ const uint8_t *arg5_signature,
+ size_t arg6_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg3_hash, arg4_hash_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg5_signature, arg6_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_verify_hash_start)(arg0_operation, arg1_key, arg2_alg, arg3_hash, arg4_hash_length, arg5_signature, arg6_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_hash, arg4_hash_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg5_signature, arg6_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+/* Wrapper for psa_verify_message */
+psa_status_t mbedtls_test_wrap_psa_verify_message(
+ mbedtls_svc_key_id_t arg0_key,
+ psa_algorithm_t arg1_alg,
+ const uint8_t *arg2_input,
+ size_t arg3_input_length,
+ const uint8_t *arg4_signature,
+ size_t arg5_signature_length)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_POISON(arg4_signature, arg5_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_verify_message)(arg0_key, arg1_alg, arg2_input, arg3_input_length, arg4_signature, arg5_signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_input, arg3_input_length);
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg4_signature, arg5_signature_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
+#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_TEST_HOOKS) && \
+ !defined(RECORD_PSA_STATUS_COVERAGE_LOG) */
+
+/* End of automatically generated file. */
diff --git a/tests/src/random.c b/tests/src/random.c
index d20103c..d041f36 100644
--- a/tests/src/random.c
+++ b/tests/src/random.c
@@ -7,19 +7,7 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
diff --git a/tests/src/test_certs.h b/tests/src/test_certs.h
deleted file mode 100644
index 866d1e0..0000000
--- a/tests/src/test_certs.h
+++ /dev/null
@@ -1,1238 +0,0 @@
-/*
- * X.509 test certificates
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/* THIS FILE is generated by `tests/scripts/generate_test_cert_macros.py` */
-/* *INDENT-OFF* */
-
-/* This is taken from test-ca2.crt. */
-/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM test-ca2.crt */
-#define TEST_CA_CRT_EC_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
- "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
- "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
- "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
- "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
- "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
- "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD\r\n" \
- "AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd\r\n" \
- "bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq\r\n" \
- "6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29\r\n" \
- "N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from test-ca2.crt.der. */
-/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER test-ca2.crt.der */
-#define TEST_CA_CRT_EC_DER { \
- 0x30, 0x82, 0x02, 0x07, 0x30, 0x82, 0x01, 0x8b, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, \
- 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, \
- 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
- 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
- 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
- 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
- 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, \
- 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17, \
- 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, \
- 0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
- 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
- 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
- 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
- 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, \
- 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, \
- 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, \
- 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, \
- 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, \
- 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, \
- 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, \
- 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, \
- 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, \
- 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, \
- 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x0f, \
- 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, \
- 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, \
- 0x04, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, \
- 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, \
- 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, \
- 0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, \
- 0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, \
- 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, \
- 0x30, 0x65, 0x02, 0x31, 0x00, 0xe9, 0x35, 0x67, 0xc1, 0x22, 0x5c, 0xea, \
- 0xeb, 0x15, 0x76, 0x53, 0x04, 0x03, 0xff, 0x56, 0x06, 0xcf, 0xd7, 0xd0, \
- 0x50, 0xce, 0xc0, 0x7c, 0xd2, 0xb3, 0x55, 0xad, 0x8f, 0x54, 0x1a, 0x5f, \
- 0xfd, 0x00, 0xf5, 0x4c, 0x0c, 0xa5, 0x4d, 0x84, 0xc5, 0xe0, 0x62, 0x3a, \
- 0xaa, 0x56, 0xfa, 0x10, 0xf6, 0x02, 0x30, 0x5f, 0xd8, 0x55, 0xad, 0xbd, \
- 0x37, 0x9c, 0x82, 0xd6, 0x61, 0x40, 0x8a, 0xbd, 0x7d, 0x8d, 0xbf, 0x4f, \
- 0x97, 0xd8, 0xa2, 0x22, 0x44, 0x66, 0xd7, 0xb7, 0x4c, 0xe3, 0x2e, 0xa6, \
- 0xe5, 0x52, 0x0c, 0x7a, 0x91, 0x0f, 0x9b, 0xf5, 0x65, 0x58, 0x06, 0xbc, \
- 0x1f, 0x9a, 0x75, 0xf8, 0x13, 0xdb, 0x1b \
-}
-/* END FILE */
-
-/* This is taken from test-ca2.key.enc. */
-/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM test-ca2.key.enc */
-#define TEST_CA_KEY_EC_PEM \
- "-----BEGIN EC PRIVATE KEY-----\r\n" \
- "Proc-Type: 4,ENCRYPTED\r\n" \
- "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n" \
- "\r\n" \
- "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" \
- "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" \
- "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" \
- "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n" \
- "-----END EC PRIVATE KEY-----\r\n"
-/* END FILE */
-
-#define TEST_CA_PWD_EC_PEM "PolarSSLTest"
-
-/* This is generated from test-ca2.key.der. */
-/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER test-ca2.key.der */
-#define TEST_CA_KEY_EC_DER { \
- 0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e, \
- 0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6, \
- 0x11, 0x5d, 0x6d, 0xb4, 0x03, 0xe1, 0x29, 0x76, 0x45, 0xd7, 0x87, 0x6f, \
- 0x23, 0xab, 0x44, 0x20, 0xea, 0x64, 0x7b, 0x85, 0xb1, 0x76, 0xe7, 0x85, \
- 0x95, 0xaa, 0x74, 0xd6, 0xd1, 0xa4, 0x5e, 0xea, 0xa0, 0x07, 0x06, 0x05, \
- 0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xc3, \
- 0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, \
- 0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, \
- 0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, \
- 0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, \
- 0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, \
- 0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, \
- 0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, \
- 0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e \
-}
-/* END FILE */
-
-/* This is taken from test-ca-sha256.crt. */
-/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM test-ca-sha256.crt */
-#define TEST_CA_CRT_RSA_SHA256_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
- "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
- "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
- "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
- "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
- "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
- "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
- "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
- "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
- "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
- "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA\r\n" \
- "A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl\r\n" \
- "oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW\r\n" \
- "5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb\r\n" \
- "+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL\r\n" \
- "yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4\r\n" \
- "/anT1dVxr/BtwJfiESoK3/4CeXR1\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from test-ca-sha256.crt.der. */
-/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER test-ca-sha256.crt.der */
-#define TEST_CA_CRT_RSA_SHA256_DER { \
- 0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \
- 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, \
- 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, \
- 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, \
- 0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, \
- 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, \
- 0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65, \
- 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, \
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, \
- 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, \
- 0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, \
- 0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, \
- 0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, \
- 0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, \
- 0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, \
- 0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, \
- 0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, \
- 0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, \
- 0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, \
- 0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, \
- 0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, \
- 0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, \
- 0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, \
- 0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, \
- 0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, \
- 0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, \
- 0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, \
- 0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, \
- 0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, \
- 0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, \
- 0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, \
- 0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, \
- 0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, \
- 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, \
- 0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, \
- 0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, \
- 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, \
- 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, \
- 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, \
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, \
- 0x03, 0x82, 0x01, 0x01, 0x00, 0x38, 0xa8, 0x54, 0x82, 0xb6, 0x1d, 0xaa, \
- 0xdb, 0x6b, 0x89, 0x21, 0xd1, 0x38, 0x28, 0x61, 0xc9, 0xb0, 0x98, 0xd5, \
- 0x11, 0xfc, 0x36, 0xff, 0x19, 0xfe, 0x32, 0x44, 0xef, 0x08, 0xc7, 0xf1, \
- 0x56, 0xbb, 0xe6, 0x46, 0xfa, 0x82, 0xb6, 0x31, 0x38, 0xb4, 0xa0, 0xe5, \
- 0xa0, 0xae, 0x0c, 0xc4, 0x53, 0x9e, 0x93, 0x4e, 0xe8, 0x0d, 0x9c, 0x2f, \
- 0xb4, 0x04, 0xfd, 0x8a, 0x39, 0xf5, 0x84, 0x77, 0xed, 0x4c, 0xd4, 0xbb, \
- 0x44, 0x7f, 0x73, 0x77, 0xf7, 0xf1, 0x36, 0x97, 0xdc, 0x1e, 0x73, 0x19, \
- 0x5d, 0x50, 0xb8, 0xc3, 0x80, 0xcd, 0x03, 0x57, 0xd2, 0x00, 0xdb, 0x56, \
- 0xe6, 0xc6, 0x35, 0x24, 0x1e, 0x49, 0x7b, 0xd8, 0xd2, 0x72, 0xbb, 0x0b, \
- 0x49, 0x2f, 0xa6, 0x02, 0x3c, 0xaf, 0xd0, 0xec, 0x37, 0x1d, 0xbd, 0x81, \
- 0x8b, 0x1f, 0x30, 0xbb, 0xbc, 0x4d, 0x36, 0xb5, 0x79, 0x7c, 0x87, 0xfb, \
- 0x51, 0xb9, 0xbe, 0xc2, 0xde, 0x92, 0xa8, 0x40, 0x71, 0xbb, 0x72, 0x9b, \
- 0xf8, 0x47, 0xce, 0x6c, 0x04, 0xf8, 0x86, 0xe7, 0xf7, 0x73, 0x3c, 0xe7, \
- 0x84, 0x7d, 0xc2, 0xd7, 0xb7, 0x9d, 0xe8, 0xd4, 0x9b, 0x5f, 0x0a, 0x17, \
- 0x7d, 0xbc, 0xbb, 0xb2, 0xd5, 0x94, 0x0d, 0xe4, 0x49, 0xbf, 0x4f, 0x11, \
- 0x68, 0x53, 0xb2, 0x91, 0xff, 0xc0, 0x69, 0xee, 0xdb, 0x63, 0x93, 0xcb, \
- 0xc9, 0x35, 0x6b, 0x90, 0x09, 0xe2, 0x90, 0xc9, 0xed, 0x27, 0xd6, 0x08, \
- 0xfa, 0x13, 0x4d, 0x62, 0xdd, 0xe2, 0x9e, 0xaa, 0xb5, 0xd4, 0x0e, 0x5c, \
- 0x37, 0x4f, 0xab, 0x55, 0x3b, 0x2d, 0xf1, 0x42, 0x82, 0xc7, 0x34, 0x38, \
- 0x1a, 0x9b, 0xeb, 0xa1, 0x2c, 0x0f, 0x29, 0x31, 0x64, 0x6c, 0xcc, 0x38, \
- 0xfd, 0xa9, 0xd3, 0xd5, 0xd5, 0x71, 0xaf, 0xf0, 0x6d, 0xc0, 0x97, 0xe2, \
- 0x11, 0x2a, 0x0a, 0xdf, 0xfe, 0x02, 0x79, 0x74, 0x75 \
-}
-/* END FILE */
-
-/* This is taken from test-ca-sha1.crt. */
-/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM test-ca-sha1.crt */
-#define TEST_CA_CRT_RSA_SHA1_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
- "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
- "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
- "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
- "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
- "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
- "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
- "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
- "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
- "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
- "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA\r\n" \
- "A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL\r\n" \
- "hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm\r\n" \
- "8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD\r\n" \
- "zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ\r\n" \
- "0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/\r\n" \
- "mtxyUALj2pQxRitopORFQdn7AOY5\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from test-ca-sha1.crt.der. */
-/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER test-ca-sha1.crt.der */
-#define TEST_CA_CRT_RSA_SHA1_DER { \
- 0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \
- 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, \
- 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, \
- 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, \
- 0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, \
- 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, \
- 0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65, \
- 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, \
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, \
- 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, \
- 0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, \
- 0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, \
- 0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, \
- 0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, \
- 0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, \
- 0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, \
- 0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, \
- 0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, \
- 0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, \
- 0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, \
- 0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, \
- 0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, \
- 0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, \
- 0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, \
- 0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, \
- 0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, \
- 0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, \
- 0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, \
- 0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, \
- 0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, \
- 0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, \
- 0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, \
- 0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, \
- 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, \
- 0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, \
- 0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, \
- 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, \
- 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, \
- 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, \
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, \
- 0x03, 0x82, 0x01, 0x01, 0x00, 0x74, 0x66, 0x23, 0x51, 0x15, 0xd8, 0x9a, \
- 0xea, 0x4b, 0x24, 0x68, 0xf9, 0xe1, 0xae, 0xa7, 0xa3, 0x21, 0x1a, 0xbc, \
- 0x60, 0xc1, 0x06, 0x01, 0xfd, 0xa8, 0x20, 0xf9, 0xf2, 0x67, 0xbf, 0x31, \
- 0xa3, 0x21, 0x11, 0x81, 0xcd, 0xf9, 0x94, 0x71, 0xb2, 0x32, 0xdb, 0x0b, \
- 0x85, 0x68, 0x9c, 0x36, 0x33, 0xf8, 0x77, 0xf8, 0x52, 0xf4, 0x0b, 0x38, \
- 0x8f, 0x92, 0x80, 0xda, 0x07, 0x4d, 0x1a, 0x2e, 0x44, 0x4c, 0x0d, 0x57, \
- 0xed, 0x2a, 0x30, 0x58, 0xe1, 0xac, 0xaf, 0x28, 0xaf, 0x4a, 0x93, 0x12, \
- 0x1d, 0x5c, 0xb5, 0xf8, 0x77, 0x5f, 0x5a, 0x5b, 0x18, 0x40, 0xec, 0xe6, \
- 0xf2, 0x8f, 0x9f, 0x69, 0x03, 0x54, 0x9b, 0xc5, 0xf3, 0x3d, 0x59, 0xad, \
- 0xb5, 0xf0, 0x15, 0xb2, 0x9c, 0x5e, 0x1d, 0x2c, 0x49, 0x67, 0x7e, 0x8e, \
- 0xa3, 0xe4, 0x16, 0x67, 0x9c, 0x19, 0x94, 0x22, 0x04, 0xca, 0x31, 0x1d, \
- 0x2d, 0x42, 0x1d, 0xf9, 0x39, 0xb8, 0x07, 0x3d, 0xc1, 0xe6, 0x34, 0x43, \
- 0xcd, 0x96, 0xbf, 0x49, 0xaa, 0x83, 0xa2, 0x4a, 0xba, 0xe8, 0xdd, 0xb3, \
- 0xa5, 0xb8, 0x0a, 0x28, 0x09, 0x77, 0x19, 0x4d, 0x8e, 0xfb, 0xe7, 0xc1, \
- 0xa8, 0xfd, 0x9d, 0x4a, 0x47, 0x50, 0xca, 0x49, 0x93, 0xc6, 0x12, 0xcb, \
- 0x59, 0x13, 0x7c, 0x14, 0x9a, 0xa1, 0x60, 0x04, 0xf2, 0x42, 0x7b, 0x59, \
- 0xd1, 0x04, 0xa2, 0xdd, 0x6f, 0x47, 0x7d, 0x26, 0x4f, 0x9c, 0x54, 0xdc, \
- 0x3c, 0x85, 0xde, 0xa2, 0x23, 0xdd, 0xda, 0x92, 0xe5, 0xc6, 0xdd, 0x61, \
- 0x66, 0xef, 0x1d, 0xc2, 0xcd, 0x8b, 0x4d, 0x71, 0x3a, 0xde, 0xe3, 0xfa, \
- 0x30, 0xce, 0x0b, 0x1e, 0xf5, 0xb1, 0x8a, 0xe2, 0x5a, 0x5a, 0x43, 0xff, \
- 0x9a, 0xdc, 0x72, 0x50, 0x02, 0xe3, 0xda, 0x94, 0x31, 0x46, 0x2b, 0x68, \
- 0xa4, 0xe4, 0x45, 0x41, 0xd9, 0xfb, 0x00, 0xe6, 0x39 \
-}
-/* END FILE */
-
-/* This is taken from test-ca.key. */
-/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM test-ca.key */
-#define TEST_CA_KEY_RSA_PEM \
- "-----BEGIN RSA PRIVATE KEY-----\r\n" \
- "Proc-Type: 4,ENCRYPTED\r\n" \
- "DEK-Info: AES-128-CBC,781840E6B804AE83D2AF71127C4CE314\r\n" \
- "\r\n" \
- "etQ3xgGLbuYF9vR1km03TH5fwfly1hOlix0PtfQ+t9HG065vTtSEHYc/OyHwdy79\r\n" \
- "NCLX5RUrPh06E/XlKzMNVHAXqkwFnIwNzRLsOozeP1L7iZEZb9QMeiN5Org+btCO\r\n" \
- "bylXPB4YirfuE7GSJalWY/pq3FQtD33zTIKmNhXfVj3sbwGI/8D9XjaKUb8PODOB\r\n" \
- "skOalmx6RvYRvg0lmRxB3+T3wejIsrrDPweYqte9B6dVHIVG1ZmvoA6/wnKZZZeV\r\n" \
- "sjj8OpL3OwUBrjuGSknE9Rs6kCuSCbHOYVK8VzcZmCYpie0TFnb3Sk8M6vjfW+45\r\n" \
- "U7WUMlSAPxKH6lJDzWdwHqLvsVJwuNnaAaBXg9/8U/rzQEWuq8Ar3s8fw2Jg3F1G\r\n" \
- "L6N5ZAEfCz3Sa0N9WKafR/RSQj+rq8Z3w4POAafhbzk249uo5K8B1Z3cQwLxeXIl\r\n" \
- "UbRQz1TZy4oNTfQzCahYruPNyvwgTkfwAFFvbLAdaiJd2ZtLBoqYE64TYakYnvcC\r\n" \
- "itim1bmySIKoxlMfBGFmMuF03epT0pSx701jlGzGi0l0m16NEjoVxDwo5j93SmiM\r\n" \
- "sQdjC1lOGk2iCLkphIQqHFjFJYWjvh1UUIqWZf+ZWOOxlf4x9a1pUVj6FvtECxNB\r\n" \
- "/mA/m4Iq4LAuVXHE1MpHeq067lJ6wWlrsb2WVmiNGfQ2AC7fMtpcPuunBVT9NV1m\r\n" \
- "1rbDzIgLIWAzqz/cy3N8Q8vfxnrFtmNUyM191Zyq+YF14hIKWX9J1qR4LXwWAzVV\r\n" \
- "UrC8IL4pA2mtRkW4qFsB0EmHAxO/cedDTPjVFty5WSzhNuvYZxX45HAkGIfK6d21\r\n" \
- "7WHPhHG+zaaUTWMUVixB0IcKp6RecjYPFzBHS0YeX88Ue2cyT/90jMiQ9ssOgRrG\r\n" \
- "ZJRJvZAc3TSCnY9sNPYoGrJPiZuCnlUj3ENNurYVy12ai0WFxwnNUZjRUhDS6hjm\r\n" \
- "cDHD5TlI9MZ6M+Mb/Bw4Ig8HuTHOtQBYD9vhtXsG+B7H/j6cS+1umaKjrnG/kK4W\r\n" \
- "R6YXwM2faAi+DwgjjoMXSzRqSTF8PdTIWbAXo3bc2qsXPTMBA8PEp4nb5scHZ4Ts\r\n" \
- "EcBNp2jv0j4gBkRmGIab17cWMrlagjFy89DhqZUFwKdeZs+yJ92A5xstWxOUfpEP\r\n" \
- "90T/bsp1G5d7WW5fl2TRJvYJNDM+djkKIh0zCkduiZ36oVM6nDdbjmXqjQXopeSD\r\n" \
- "gtOourBRF8g99W0fW8QT+yPhP0Pkyz6EG8eQO6Zwh439xdoVwu9jUzQAPmZ0uNeR\r\n" \
- "xTXXihYyv72z27rInjLiIPXL25K9eDVLlcSR3RyG7YYgjdQAL2VJDLcBz5jox1uQ\r\n" \
- "0guoD5wmfu2FWLqYE7HeTYntdY53lCflwq0GHRMjrrsVpx+5VDQ6Yi47Ny9SWLcp\r\n" \
- "fPI3iBkXuGRWupzs6N4pQdSO0dU28KfpMM5QvFoLIn67brCHEQij4dgFrCTYEyBX\r\n" \
- "9+jiNImUFYUhAFuxvUbfZt4O/ABLIElvHLfJs1oYCmI/nWpvLFqXB5rnzPNfEi0H\r\n" \
- "PGGe1Hj/t+CJIp/6ios3yNy2QtXO754TZH2UVu51Ykyig5PFjZVoUkbRvHQYcWfU\r\n" \
- "-----END RSA PRIVATE KEY-----\r\n"
-/* END FILE */
-
-#define TEST_CA_PWD_RSA_PEM "PolarSSLTest"
-
-/* This is generated from test-ca.key.der. */
-/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER test-ca.key.der */
-#define TEST_CA_KEY_RSA_DER { \
- 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \
- 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde, \
- 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, 0x99, 0xd4, \
- 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, 0x9b, 0xc5, \
- 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, 0xc0, 0x8d, \
- 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, 0x93, 0xe8, \
- 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, 0xe7, 0x40, \
- 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, 0xf9, 0x3e, \
- 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, 0x29, 0x00, \
- 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, 0xbd, 0x83, \
- 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, 0x60, 0xc3, \
- 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, 0x32, 0xbe, \
- 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, 0xfb, 0xf5, \
- 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, 0xee, 0xe2, \
- 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, 0x47, 0xb1, \
- 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, 0xf1, 0x79, \
- 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, 0x6f, 0x27, \
- 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, 0xa1, 0x30, \
- 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, 0x28, 0xd1, \
- 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, 0x09, 0xea, \
- 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, 0xc9, 0xab, \
- 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, 0x9e, 0x99, \
- 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, \
- 0x00, 0x3f, 0xf7, 0x07, 0xd3, 0x34, 0x6f, 0xdb, 0xc9, 0x37, 0xb7, 0x84, \
- 0xdc, 0x37, 0x45, 0xe1, 0x63, 0xad, 0xb8, 0xb6, 0x75, 0xb1, 0xc7, 0x35, \
- 0xb4, 0x77, 0x2a, 0x5b, 0x77, 0xf9, 0x7e, 0xe0, 0xc1, 0xa3, 0xd1, 0xb7, \
- 0xcb, 0xa9, 0x5a, 0xc1, 0x87, 0xda, 0x5a, 0xfa, 0x17, 0xe4, 0xd5, 0x38, \
- 0x03, 0xde, 0x68, 0x98, 0x81, 0xec, 0xb5, 0xf2, 0x2a, 0x8d, 0xe9, 0x2c, \
- 0xf3, 0xa6, 0xe5, 0x32, 0x17, 0x7f, 0x33, 0x81, 0xe8, 0x38, 0x72, 0xd5, \
- 0x9c, 0xfa, 0x4e, 0xfb, 0x26, 0xf5, 0x15, 0x0b, 0xaf, 0x84, 0x66, 0xab, \
- 0x02, 0xe0, 0x18, 0xd5, 0x91, 0x7c, 0xd6, 0x8f, 0xc9, 0x4b, 0x76, 0x08, \
- 0x2b, 0x1d, 0x81, 0x68, 0x30, 0xe1, 0xfa, 0x70, 0x6c, 0x13, 0x4e, 0x10, \
- 0x03, 0x35, 0x3e, 0xc5, 0xca, 0x58, 0x20, 0x8a, 0x21, 0x18, 0x38, 0xa0, \
- 0x0f, 0xed, 0xc4, 0xbb, 0x45, 0x6f, 0xf5, 0x84, 0x5b, 0xb0, 0xcf, 0x4e, \
- 0x9d, 0x58, 0x13, 0x6b, 0x35, 0x35, 0x69, 0xa1, 0xd2, 0xc4, 0xf2, 0xc1, \
- 0x48, 0x04, 0x20, 0x51, 0xb9, 0x6b, 0xa4, 0x5d, 0xa5, 0x4b, 0x84, 0x88, \
- 0x43, 0x48, 0x99, 0x2c, 0xbb, 0xa4, 0x97, 0xd6, 0xd6, 0x18, 0xf6, 0xec, \
- 0x5c, 0xd1, 0x31, 0x49, 0xc9, 0xf2, 0x8f, 0x0b, 0x4d, 0xef, 0x09, 0x02, \
- 0xfe, 0x7d, 0xfd, 0xbb, 0xaf, 0x2b, 0x83, 0x94, 0x22, 0xc4, 0xa7, 0x3e, \
- 0x66, 0xf5, 0xe0, 0x57, 0xdc, 0xf2, 0xed, 0x2c, 0x3e, 0x81, 0x74, 0x76, \
- 0x1e, 0x96, 0x6f, 0x74, 0x1e, 0x32, 0x0e, 0x14, 0x31, 0xd0, 0x74, 0xf0, \
- 0xf4, 0x07, 0xbd, 0xc3, 0xd1, 0x22, 0xc2, 0xa8, 0x95, 0x92, 0x06, 0x7f, \
- 0x43, 0x02, 0x91, 0xbc, 0xdd, 0x23, 0x01, 0x89, 0x94, 0x20, 0x44, 0x64, \
- 0xf5, 0x1d, 0x67, 0xd2, 0x8f, 0xe8, 0x69, 0xa5, 0x29, 0x25, 0xe6, 0x50, \
- 0x9c, 0xe3, 0xe9, 0xcb, 0x75, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x29, 0x3e, \
- 0xaa, 0x6b, 0xd5, 0x59, 0x1e, 0x9c, 0xe6, 0x47, 0xd5, 0xb6, 0xd7, 0xe3, \
- 0xf1, 0x8e, 0x9e, 0xe9, 0x83, 0x5f, 0x10, 0x9f, 0x63, 0xec, 0x04, 0x44, \
- 0xcc, 0x3f, 0xf8, 0xd9, 0x3a, 0x17, 0xe0, 0x4f, 0xfe, 0xd8, 0x4d, 0xcd, \
- 0x46, 0x54, 0x74, 0xbf, 0x0a, 0xc4, 0x67, 0x9c, 0xa7, 0xd8, 0x89, 0x65, \
- 0x4c, 0xfd, 0x58, 0x2a, 0x47, 0x0f, 0xf4, 0x37, 0xb6, 0x55, 0xb0, 0x1d, \
- 0xed, 0xa7, 0x39, 0xfc, 0x4f, 0xa3, 0xc4, 0x75, 0x3a, 0xa3, 0x98, 0xa7, \
- 0x45, 0xf5, 0x66, 0xcb, 0x7c, 0x65, 0xfb, 0x80, 0x23, 0xe6, 0xff, 0xfd, \
- 0x99, 0x1f, 0x8e, 0x6b, 0xff, 0x5e, 0x93, 0x66, 0xdf, 0x6c, 0x6f, 0xc3, \
- 0xf6, 0x38, 0x2e, 0xff, 0x69, 0xb5, 0xac, 0xae, 0xbb, 0xc6, 0x71, 0x16, \
- 0x6b, 0xd0, 0xf8, 0x22, 0xd9, 0xf8, 0xa2, 0x72, 0x20, 0xd2, 0xe2, 0x3a, \
- 0x70, 0x4b, 0xde, 0xab, 0x2f, 0x02, 0x81, 0x81, 0x00, 0xda, 0x51, 0x9b, \
- 0xb8, 0xb2, 0x2a, 0x14, 0x75, 0x58, 0x40, 0x8d, 0x27, 0x70, 0xfa, 0x31, \
- 0x48, 0xb0, 0x20, 0x21, 0x34, 0xfa, 0x4c, 0x57, 0xa8, 0x11, 0x88, 0xf3, \
- 0xa7, 0xae, 0x21, 0xe9, 0xb6, 0x2b, 0xd1, 0xcd, 0xa7, 0xf8, 0xd8, 0x0c, \
- 0x8a, 0x76, 0x22, 0x35, 0x44, 0xce, 0x3f, 0x25, 0x29, 0x83, 0x7d, 0x79, \
- 0xa7, 0x31, 0xd6, 0xec, 0xb2, 0xbf, 0xda, 0x34, 0xb6, 0xf6, 0xb2, 0x3b, \
- 0xf3, 0x78, 0x5a, 0x04, 0x83, 0x33, 0x3e, 0xa2, 0xe2, 0x81, 0x82, 0x13, \
- 0xd4, 0x35, 0x17, 0x63, 0x9b, 0x9e, 0xc4, 0x8d, 0x91, 0x4c, 0x03, 0x77, \
- 0xc7, 0x71, 0x5b, 0xee, 0x83, 0x6d, 0xd5, 0x78, 0x88, 0xf6, 0x2c, 0x79, \
- 0xc2, 0x4a, 0xb4, 0x79, 0x90, 0x70, 0xbf, 0xdf, 0x34, 0x56, 0x96, 0x71, \
- 0xe3, 0x0e, 0x68, 0x91, 0xbc, 0xea, 0xcb, 0x33, 0xc0, 0xbe, 0x45, 0xd7, \
- 0xfc, 0x30, 0xfd, 0x01, 0x3b, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x9f, 0x2a, \
- 0xb7, 0x38, 0x19, 0xc7, 0x17, 0x95, 0x73, 0x78, 0xae, 0xf5, 0xcb, 0x75, \
- 0x83, 0x7f, 0x19, 0x4b, 0xcb, 0x86, 0xfb, 0x4a, 0x15, 0x9a, 0xb6, 0x17, \
- 0x04, 0x49, 0x07, 0x8d, 0xf6, 0x66, 0x4a, 0x06, 0xf6, 0x05, 0xa7, 0xdf, \
- 0x66, 0x82, 0x3c, 0xff, 0xb6, 0x1d, 0x57, 0x89, 0x33, 0x5f, 0x9c, 0x05, \
- 0x75, 0x7f, 0xf3, 0x5d, 0xdc, 0x34, 0x65, 0x72, 0x85, 0x22, 0xa4, 0x14, \
- 0x1b, 0x41, 0xc3, 0xe4, 0xd0, 0x9e, 0x69, 0xd5, 0xeb, 0x38, 0x74, 0x70, \
- 0x43, 0xdc, 0xd9, 0x50, 0xe4, 0x97, 0x6d, 0x73, 0xd6, 0xfb, 0xc8, 0xa7, \
- 0xfa, 0xb4, 0xc2, 0xc4, 0x9d, 0x5d, 0x0c, 0xd5, 0x9f, 0x79, 0xb3, 0x54, \
- 0xc2, 0xb7, 0x6c, 0x3d, 0x7d, 0xcb, 0x2d, 0xf8, 0xc4, 0xf3, 0x78, 0x5a, \
- 0x33, 0x2a, 0xb8, 0x0c, 0x6d, 0x06, 0xfa, 0xf2, 0x62, 0xd3, 0x42, 0xd0, \
- 0xbd, 0xc8, 0x4a, 0xa5, 0x0d, 0x02, 0x81, 0x81, 0x00, 0xd4, 0xa9, 0x90, \
- 0x15, 0xde, 0xbf, 0x2c, 0xc4, 0x8d, 0x9d, 0xfb, 0xa1, 0xc2, 0xe4, 0x83, \
- 0xe3, 0x79, 0x65, 0x22, 0xd3, 0xb7, 0x49, 0x6c, 0x4d, 0x94, 0x1f, 0x22, \
- 0xb1, 0x60, 0xe7, 0x3a, 0x00, 0xb1, 0x38, 0xa2, 0xab, 0x0f, 0xb4, 0x6c, \
- 0xaa, 0xe7, 0x9e, 0x34, 0xe3, 0x7c, 0x40, 0x78, 0x53, 0xb2, 0xf9, 0x23, \
- 0xea, 0xa0, 0x9a, 0xea, 0x60, 0xc8, 0x8f, 0xa6, 0xaf, 0xdf, 0x29, 0x09, \
- 0x4b, 0x06, 0x1e, 0x31, 0xad, 0x17, 0xda, 0xd8, 0xd1, 0xe9, 0x33, 0xab, \
- 0x5b, 0x18, 0x08, 0x5b, 0x87, 0xf8, 0xa5, 0x1f, 0xfd, 0xbb, 0xdc, 0xd8, \
- 0xed, 0x97, 0x57, 0xe4, 0xc3, 0x73, 0xd6, 0xf0, 0x9e, 0x01, 0xa6, 0x9b, \
- 0x48, 0x8e, 0x7a, 0xb4, 0xbb, 0xe5, 0x88, 0x91, 0xc5, 0x2a, 0xdf, 0x4b, \
- 0xba, 0xd0, 0x8b, 0x3e, 0x03, 0x97, 0x77, 0x2f, 0x47, 0x7e, 0x51, 0x0c, \
- 0xae, 0x65, 0x8d, 0xde, 0x87, 0x02, 0x81, 0x80, 0x20, 0x24, 0x0f, 0xd2, \
- 0xaf, 0xc2, 0x28, 0x3b, 0x97, 0x20, 0xb2, 0x92, 0x49, 0xeb, 0x09, 0x68, \
- 0x40, 0xb2, 0xbe, 0xd1, 0xc3, 0x83, 0x94, 0x34, 0x38, 0xd6, 0xc9, 0xec, \
- 0x34, 0x09, 0xf9, 0x41, 0x6d, 0x5c, 0x42, 0x94, 0xf7, 0x04, 0xfc, 0x32, \
- 0x39, 0x69, 0xbc, 0x1c, 0xfb, 0x3e, 0x61, 0x98, 0xc0, 0x80, 0xd8, 0x36, \
- 0x47, 0xc3, 0x6d, 0xc2, 0x2e, 0xe7, 0x81, 0x2a, 0x17, 0x34, 0x64, 0x30, \
- 0x4e, 0x96, 0xbb, 0x26, 0x16, 0xb9, 0x41, 0x36, 0xfe, 0x8a, 0xd6, 0x53, \
- 0x7c, 0xaa, 0xec, 0x39, 0x42, 0x50, 0xef, 0xe3, 0xb3, 0x01, 0x28, 0x32, \
- 0xca, 0x6d, 0xf5, 0x9a, 0x1e, 0x9f, 0x37, 0xbe, 0xfe, 0x38, 0x20, 0x22, \
- 0x91, 0x8c, 0xcd, 0x95, 0x02, 0xf2, 0x4d, 0x6f, 0x1a, 0xb4, 0x43, 0xf0, \
- 0x19, 0xdf, 0x65, 0xc0, 0x92, 0xe7, 0x9d, 0x2f, 0x09, 0xe7, 0xec, 0x69, \
- 0xa8, 0xc2, 0x8f, 0x0d \
-}
-/* END FILE */
-
-/* This is taken from server5.crt. */
-/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM server5.crt */
-#define TEST_SRV_CRT_EC_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
- "MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
- "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
- "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
- "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
- "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh\r\n" \
- "clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
- "CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ\r\n" \
- "qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN\r\n" \
- "06jC+BLgOH1KQV9ArqEh3AhOhEg=\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from server5.crt.der. */
-/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER server5.crt.der */
-#define TEST_SRV_CRT_EC_DER { \
- 0x30, 0x82, 0x02, 0x20, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \
- 0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, \
- 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x32, 0x33, 0x30, 0x35, 0x31, 0x37, 0x30, 0x37, 0x31, 0x30, 0x33, 0x36, \
- 0x5a, 0x17, 0x0d, 0x33, 0x33, 0x30, 0x35, 0x31, 0x34, 0x30, 0x37, 0x31, \
- 0x30, 0x33, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59, \
- 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, \
- 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, \
- 0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, \
- 0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, \
- 0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, \
- 0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, \
- 0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, \
- 0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, \
- 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5, \
- 0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c, \
- 0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23, \
- 0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01, \
- 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb, \
- 0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, \
- 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, \
- 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, \
- 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, \
- 0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, \
- 0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09, \
- 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06, \
- 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x69, 0x00, \
- 0x30, 0x66, 0x02, 0x31, 0x00, 0xe0, 0xea, 0x9e, 0xcf, 0x3d, 0xfa, 0xf6, \
- 0xfa, 0x7e, 0xe7, 0x1a, 0xfc, 0x9a, 0xde, 0x95, 0x38, 0xba, 0xcb, 0x77, \
- 0x93, 0xb3, 0x9b, 0x93, 0x8f, 0xed, 0x65, 0x7f, 0xae, 0x1c, 0x74, 0x50, \
- 0xa9, 0xa7, 0x1c, 0xb3, 0x25, 0x0b, 0x78, 0x53, 0x73, 0x93, 0x24, 0x6f, \
- 0x58, 0x71, 0x5e, 0x4f, 0x9b, 0x02, 0x31, 0x00, 0xb3, 0x0c, 0x95, 0xfb, \
- 0xf4, 0x88, 0xbb, 0x84, 0x82, 0xd8, 0xcd, 0xaf, 0xe2, 0x5d, 0x62, 0x5e, \
- 0xfc, 0x18, 0xc9, 0x10, 0x4f, 0x0c, 0xb5, 0xe0, 0x91, 0x19, 0x70, 0xcd, \
- 0xd3, 0xa8, 0xc2, 0xf8, 0x12, 0xe0, 0x38, 0x7d, 0x4a, 0x41, 0x5f, 0x40, \
- 0xae, 0xa1, 0x21, 0xdc, 0x08, 0x4e, 0x84, 0x48 \
-}
-/* END FILE */
-
-/* This is taken from server5.key. */
-/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM server5.key */
-#define TEST_SRV_KEY_EC_PEM \
- "-----BEGIN EC PRIVATE KEY-----\r\n" \
- "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \
- "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" \
- "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n" \
- "-----END EC PRIVATE KEY-----\r\n"
-/* END FILE */
-
-/* This is generated from server5.key.der. */
-/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER server5.key.der */
-#define TEST_SRV_KEY_EC_DER { \
- 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76, \
- 0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a, \
- 0x5d, 0x86, 0xc8, 0xa2, 0x04, 0xf2, 0xc3, 0x0c, 0xa9, 0xeb, 0xf5, 0x1f, \
- 0x0f, 0x0e, 0xa7, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \
- 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x37, 0xcc, 0x56, \
- 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, 0x59, 0x2d, 0xff, 0x20, \
- 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, 0xad, 0x14, 0xb5, 0xf7, \
- 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, 0xd8, 0x23, 0x11, 0xff, \
- 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, 0x8a, 0x88, 0xc2, 0x6b, \
- 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, 0x01, 0xc8, 0xb4, 0xed, \
- 0xff \
-}
-/* END FILE */
-
-/* This is taken from server2-sha256.crt. */
-/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM server2-sha256.crt */
-#define TEST_SRV_CRT_RSA_SHA256_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
- "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
- "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
- "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
- "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
- "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
- "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
- "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
- "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
- "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
- "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh\r\n" \
- "Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U\r\n" \
- "HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9\r\n" \
- "1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv\r\n" \
- "a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0\r\n" \
- "e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo\r\n" \
- "pMZqLmbBm/7WPLc=\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from server2-sha256.crt.der. */
-/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER server2-sha256.crt.der */
-#define TEST_SRV_CRT_RSA_SHA256_DER { \
- 0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \
- 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, \
- 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, \
- 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, \
- 0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36, \
- 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, \
- 0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82, \
- 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, \
- 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, \
- 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7, \
- 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78, \
- 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd, \
- 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90, \
- 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24, \
- 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda, \
- 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3, \
- 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4, \
- 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d, \
- 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49, \
- 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c, \
- 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b, \
- 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08, \
- 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa, \
- 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f, \
- 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7, \
- 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5, \
- 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde, \
- 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a, \
- 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96, \
- 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0, \
- 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02, \
- 0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, \
- 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc, \
- 0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b, \
- 0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, \
- 0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, \
- 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, \
- 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, \
- 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2e, 0x3a, 0xe4, 0x52, 0x61, \
- 0x3e, 0xa7, 0xa5, 0xef, 0x32, 0x67, 0x80, 0x72, 0x07, 0x26, 0xba, 0xa3, \
- 0xff, 0x05, 0x40, 0xc4, 0x60, 0x05, 0x39, 0x31, 0x77, 0xf7, 0xa5, 0xca, \
- 0x01, 0x31, 0x80, 0xa7, 0xe1, 0xd1, 0x0a, 0xa2, 0x7c, 0xd5, 0x1c, 0xba, \
- 0xd0, 0x23, 0x4a, 0xd6, 0x30, 0xf3, 0x93, 0xc7, 0x6f, 0xe8, 0xce, 0x94, \
- 0x1e, 0x84, 0xbb, 0x44, 0x81, 0x62, 0x33, 0xff, 0x6b, 0x5d, 0x00, 0x9b, \
- 0x25, 0xf8, 0x8f, 0x0f, 0x9c, 0x4c, 0x4d, 0xe8, 0xd9, 0xa7, 0x99, 0xf9, \
- 0x51, 0x81, 0xc0, 0x9b, 0x1b, 0x31, 0x0d, 0xa6, 0xb3, 0x7c, 0x0e, 0x45, \
- 0xb8, 0x18, 0x64, 0x7e, 0x89, 0x0a, 0x2b, 0xa8, 0xc3, 0xe0, 0x4a, 0xbd, \
- 0xd4, 0x2f, 0x78, 0xc4, 0x62, 0x9b, 0xe9, 0x7e, 0x3f, 0x56, 0x46, 0x8f, \
- 0x17, 0xb7, 0x2a, 0xa0, 0x10, 0x70, 0xfd, 0xb1, 0xf1, 0x6b, 0x05, 0xdc, \
- 0xd1, 0x41, 0x0f, 0x8e, 0xa6, 0xb2, 0x88, 0x1a, 0x42, 0x61, 0x4f, 0xeb, \
- 0x26, 0x85, 0x59, 0x80, 0xba, 0x85, 0x54, 0xfe, 0xcf, 0xc7, 0x7b, 0x2f, \
- 0x6b, 0x59, 0xce, 0xac, 0xdc, 0x7c, 0xac, 0xf3, 0xc8, 0xd6, 0x12, 0x7e, \
- 0x64, 0xe8, 0x3c, 0x99, 0xa8, 0x8f, 0x4f, 0x11, 0xd9, 0x9c, 0x15, 0x4b, \
- 0x6a, 0x44, 0x92, 0x2d, 0x0c, 0xbf, 0xb1, 0x67, 0x96, 0xc9, 0xac, 0xce, \
- 0xd5, 0x19, 0xeb, 0x6f, 0x18, 0xeb, 0x6e, 0x04, 0x2d, 0x60, 0xac, 0xf4, \
- 0x7b, 0x79, 0xf0, 0x1a, 0x9b, 0xb5, 0xc3, 0x5d, 0xef, 0x7d, 0xc9, 0x05, \
- 0x99, 0x44, 0x81, 0x84, 0x75, 0xc7, 0xec, 0x00, 0x12, 0xfc, 0x7a, 0x4a, \
- 0x0b, 0x82, 0x07, 0xec, 0x6d, 0x86, 0x02, 0x4d, 0xfe, 0x9f, 0xc8, 0x92, \
- 0x48, 0xde, 0xf5, 0xb1, 0x9c, 0xe9, 0xc6, 0x89, 0xd0, 0xc1, 0x56, 0xe8, \
- 0xa4, 0xc6, 0x6a, 0x2e, 0x66, 0xc1, 0x9b, 0xfe, 0xd6, 0x3c, 0xb7 \
-}
-/* END FILE */
-
-/* This is taken from server2.crt. */
-/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM server2.crt */
-#define TEST_SRV_CRT_RSA_SHA1_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
- "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
- "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
- "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
- "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
- "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
- "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
- "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
- "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
- "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
- "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4\r\n" \
- "cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A\r\n" \
- "O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc\r\n" \
- "KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE\r\n" \
- "iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp\r\n" \
- "HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap\r\n" \
- "Awgk0+4m0T25cNs=\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from server2.crt.der. */
-/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER server2.crt.der */
-#define TEST_SRV_CRT_RSA_SHA1_DER { \
- 0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \
- 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, \
- 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, \
- 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, \
- 0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36, \
- 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, \
- 0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82, \
- 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, \
- 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, \
- 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7, \
- 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78, \
- 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd, \
- 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90, \
- 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24, \
- 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda, \
- 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3, \
- 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4, \
- 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d, \
- 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49, \
- 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c, \
- 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b, \
- 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08, \
- 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa, \
- 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f, \
- 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7, \
- 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5, \
- 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde, \
- 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a, \
- 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96, \
- 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0, \
- 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02, \
- 0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, \
- 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc, \
- 0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b, \
- 0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, \
- 0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, \
- 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, \
- 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, \
- 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x99, 0x25, 0x83, 0x74, 0x38, \
- 0x70, 0x1e, 0xef, 0xec, 0x1c, 0xec, 0xc4, 0xcf, 0xef, 0x2f, 0x22, 0x9c, \
- 0x70, 0xee, 0xa8, 0xa7, 0x4f, 0xe0, 0x67, 0x33, 0x38, 0x82, 0x1b, 0x8b, \
- 0xab, 0x66, 0x37, 0xda, 0x49, 0x74, 0xb0, 0xce, 0xa4, 0x48, 0xd5, 0x14, \
- 0x99, 0xdb, 0xae, 0xab, 0x7b, 0xbf, 0xf8, 0x69, 0x94, 0x64, 0xdd, 0x80, \
- 0x3b, 0xfe, 0xdc, 0xf8, 0x7c, 0x3b, 0x84, 0x31, 0x44, 0x22, 0xf6, 0x64, \
- 0xf7, 0xc6, 0x81, 0x1a, 0x30, 0x8b, 0xaa, 0x7d, 0xc3, 0x9a, 0x01, 0xc8, \
- 0xbf, 0xc4, 0xe8, 0x43, 0xae, 0xe7, 0x7a, 0x59, 0x50, 0xc7, 0x1d, 0x94, \
- 0x8f, 0x7d, 0x3d, 0x3d, 0xd8, 0x23, 0x36, 0x2f, 0xeb, 0xf4, 0x73, 0x9c, \
- 0x28, 0xd0, 0x18, 0x3d, 0xb0, 0x5c, 0x83, 0xa3, 0x09, 0x19, 0x65, 0xa3, \
- 0xd9, 0x32, 0x3a, 0xbc, 0xd6, 0x9c, 0x7a, 0x2a, 0x2c, 0xfc, 0x38, 0x4e, \
- 0x63, 0x1e, 0x55, 0xd2, 0x3e, 0x67, 0x7e, 0xa4, 0x89, 0xfe, 0x99, 0xd4, \
- 0xd2, 0x0f, 0x48, 0x82, 0x7d, 0x8b, 0x02, 0x18, 0x18, 0xa4, 0x62, 0x44, \
- 0x88, 0x43, 0x3d, 0xc1, 0x6e, 0xe1, 0x10, 0xc9, 0x30, 0x9a, 0x4d, 0x21, \
- 0xfe, 0xca, 0x99, 0xb2, 0xb2, 0x6c, 0x18, 0x7e, 0x58, 0xb0, 0x5f, 0xd5, \
- 0x4e, 0x14, 0xaa, 0xfc, 0x95, 0x4e, 0xd5, 0xed, 0xa6, 0x64, 0x7d, 0xaf, \
- 0xae, 0xec, 0x99, 0x28, 0x95, 0x41, 0xab, 0xef, 0x2d, 0x0c, 0xd6, 0x29, \
- 0x1e, 0x42, 0xba, 0xb5, 0x2c, 0x95, 0x61, 0x08, 0x73, 0x22, 0xdd, 0xd2, \
- 0xb4, 0xc2, 0x56, 0x28, 0xc9, 0x7f, 0xa3, 0x99, 0x36, 0x01, 0x8c, 0xfa, \
- 0xb5, 0x20, 0xb5, 0xeb, 0x8f, 0xb5, 0xa0, 0x6f, 0x8c, 0x2f, 0x72, 0xd6, \
- 0x83, 0xc5, 0xeb, 0x18, 0xa6, 0xbd, 0xd4, 0x7e, 0x14, 0x38, 0xa6, 0xa9, \
- 0x03, 0x08, 0x24, 0xd3, 0xee, 0x26, 0xd1, 0x3d, 0xb9, 0x70, 0xdb \
-}
-/* END FILE */
-
-/* This is taken from server2.key. */
-/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM server2.key */
-#define TEST_SRV_KEY_RSA_PEM \
- "-----BEGIN RSA PRIVATE KEY-----\r\n" \
- "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \
- "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" \
- "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" \
- "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" \
- "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" \
- "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" \
- "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" \
- "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" \
- "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" \
- "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" \
- "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" \
- "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" \
- "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" \
- "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" \
- "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" \
- "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" \
- "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" \
- "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" \
- "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" \
- "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" \
- "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" \
- "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" \
- "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" \
- "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" \
- "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n" \
- "-----END RSA PRIVATE KEY-----\r\n"
-/* END FILE */
-
-/* This is generated from server2.key.der. */
-/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER server2.key.der */
-#define TEST_SRV_KEY_RSA_DER { \
- 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \
- 0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, \
- 0xb8, 0x99, 0xac, 0x0e, 0x78, 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, \
- 0x16, 0xd0, 0x5a, 0xe4, 0xcd, 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, \
- 0x96, 0xa7, 0x52, 0xb4, 0x90, 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, \
- 0xfc, 0xb6, 0x34, 0xac, 0x24, 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, \
- 0xb0, 0x28, 0x7d, 0xa1, 0xda, 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, \
- 0xfe, 0xc1, 0x04, 0x52, 0xb3, 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, \
- 0xd8, 0x90, 0xc1, 0x61, 0xb4, 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, \
- 0xab, 0x74, 0x5e, 0x07, 0x7d, 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, \
- 0xd9, 0x0d, 0x1c, 0x2d, 0x49, 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, \
- 0x0b, 0x8a, 0x4f, 0x69, 0x0c, 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, \
- 0x66, 0x7d, 0xae, 0x54, 0x2b, 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, \
- 0xc3, 0xcd, 0x40, 0x49, 0x08, 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, \
- 0x46, 0xbf, 0xd0, 0xb8, 0xaa, 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, \
- 0x1e, 0x44, 0x18, 0x0f, 0x0f, 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, \
- 0x18, 0xc6, 0x62, 0x2f, 0xc7, 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, \
- 0x27, 0x89, 0x29, 0x01, 0xc5, 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, \
- 0x4a, 0x0e, 0xef, 0xd6, 0xde, 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, \
- 0x7a, 0xc4, 0x02, 0x3c, 0x9a, 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, \
- 0xcb, 0x73, 0x4b, 0x52, 0x96, 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, \
- 0x39, 0x5a, 0xd3, 0x0f, 0xb0, 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, \
- 0x12, 0x01, 0x30, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, \
- 0x01, 0x00, 0x97, 0x47, 0x44, 0xbc, 0x10, 0x81, 0xc5, 0x18, 0xe4, 0x59, \
- 0xfb, 0xe0, 0x2d, 0x3a, 0x0e, 0x9e, 0x10, 0xdc, 0x43, 0xfb, 0x15, 0x6c, \
- 0xd1, 0xfd, 0x48, 0x78, 0x6c, 0xf9, 0xed, 0x38, 0xe8, 0xdd, 0x09, 0xd7, \
- 0x5f, 0xb5, 0x41, 0x64, 0xd7, 0x63, 0xfa, 0x9d, 0x44, 0x0a, 0xf8, 0x42, \
- 0x13, 0xf1, 0xbb, 0x5e, 0x79, 0x20, 0x53, 0x98, 0x4b, 0x65, 0x7f, 0x86, \
- 0x67, 0x48, 0xe4, 0xcf, 0xfb, 0x6a, 0x24, 0xe2, 0x34, 0xbd, 0x14, 0x9d, \
- 0x2c, 0x16, 0xe2, 0xa4, 0x79, 0xd6, 0xa2, 0xec, 0x81, 0x43, 0x87, 0xbf, \
- 0x03, 0x5c, 0x88, 0x25, 0xd9, 0x41, 0xb6, 0xa5, 0xf1, 0x27, 0x52, 0x84, \
- 0xfe, 0x2b, 0x6e, 0x1d, 0x16, 0xcd, 0x73, 0x88, 0xf8, 0x90, 0xbf, 0x19, \
- 0xfe, 0xbe, 0xa9, 0xbf, 0x09, 0xd3, 0x23, 0x43, 0xd2, 0xc7, 0x61, 0x2a, \
- 0xb3, 0x4e, 0x3c, 0x61, 0xd4, 0xbd, 0xd8, 0xb4, 0xfa, 0xa8, 0x0b, 0xf8, \
- 0x7e, 0x56, 0xcd, 0x0f, 0x13, 0x27, 0xda, 0xe6, 0x3b, 0xb3, 0x8c, 0x9c, \
- 0x4b, 0x84, 0x3c, 0xc3, 0x52, 0x57, 0x9c, 0x27, 0x9a, 0x02, 0x76, 0x26, \
- 0x59, 0x82, 0x39, 0xc3, 0x13, 0xbe, 0x6e, 0xf4, 0x44, 0x2d, 0x1d, 0x8c, \
- 0x73, 0x3e, 0x43, 0x99, 0x59, 0xcb, 0xf2, 0x34, 0x72, 0x9a, 0x5e, 0xa5, \
- 0xeb, 0x9f, 0x36, 0x6d, 0x2b, 0xf9, 0xa2, 0xe7, 0xd1, 0x78, 0x52, 0x1b, \
- 0xc8, 0xf6, 0x5b, 0x41, 0x69, 0x57, 0x81, 0x89, 0xe9, 0xbb, 0xa1, 0xde, \
- 0x19, 0x37, 0x3b, 0x13, 0x5c, 0xca, 0x61, 0x01, 0x86, 0xff, 0xdf, 0x83, \
- 0x41, 0x49, 0x7f, 0xd6, 0xf4, 0x2e, 0x08, 0xfa, 0x90, 0xc2, 0x7c, 0xb4, \
- 0xb5, 0x0a, 0x17, 0xdb, 0x0e, 0x6d, 0x75, 0x8a, 0x5d, 0x31, 0xd5, 0x66, \
- 0xfb, 0x39, 0x0b, 0xb5, 0xb6, 0xa3, 0xcd, 0xd4, 0xef, 0x88, 0x92, 0x5a, \
- 0x4d, 0x6c, 0xcb, 0xea, 0x5b, 0x79, 0x02, 0x81, 0x81, 0x00, 0xdf, 0x3a, \
- 0xf9, 0x25, 0x5e, 0x24, 0x37, 0x26, 0x40, 0x97, 0x2f, 0xe0, 0x4a, 0xba, \
- 0x52, 0x1b, 0x51, 0xaf, 0x84, 0x06, 0x32, 0x24, 0x0c, 0xcf, 0x44, 0xa8, \
- 0x77, 0xa7, 0xad, 0xb5, 0x8c, 0x58, 0xcc, 0xc8, 0x31, 0xb7, 0x0d, 0xbc, \
- 0x08, 0x8a, 0xe0, 0xa6, 0x8c, 0xc2, 0x73, 0xe5, 0x1a, 0x64, 0x92, 0xe8, \
- 0xed, 0x4c, 0x6f, 0x0b, 0xa6, 0xa7, 0xf3, 0x9a, 0xf5, 0x6f, 0x69, 0xca, \
- 0x3c, 0x22, 0xd0, 0x15, 0xa8, 0x20, 0x27, 0x41, 0xf8, 0x43, 0x42, 0x7f, \
- 0xb1, 0x93, 0xa1, 0x04, 0x85, 0xda, 0xa0, 0x1c, 0xd6, 0xc6, 0xf7, 0x8a, \
- 0x9e, 0xea, 0x5c, 0x78, 0xa7, 0x55, 0xc4, 0x6b, 0x05, 0x8b, 0xc0, 0x83, \
- 0xcb, 0xce, 0x83, 0x05, 0xf8, 0xb2, 0x16, 0x2b, 0xdf, 0x06, 0x3f, 0xb8, \
- 0xec, 0x16, 0xda, 0x43, 0x33, 0xc1, 0x8f, 0xb0, 0xb8, 0xac, 0xae, 0xd4, \
- 0x94, 0xb8, 0xda, 0x6f, 0x6a, 0xc3, 0x02, 0x81, 0x81, 0x00, 0xdd, 0xae, \
- 0x00, 0xcd, 0xa0, 0x72, 0x1a, 0x05, 0x8a, 0xee, 0x2f, 0xd4, 0x71, 0x4b, \
- 0xf0, 0x3e, 0xe5, 0xc1, 0xe1, 0x29, 0x8b, 0xa6, 0x67, 0x30, 0x98, 0xe7, \
- 0x12, 0xef, 0xdd, 0x12, 0x01, 0x90, 0x24, 0x58, 0xf0, 0x76, 0x92, 0xe7, \
- 0x3d, 0xbb, 0x23, 0xe1, 0xce, 0xf9, 0xa1, 0xd4, 0x38, 0x1b, 0x3f, 0x20, \
- 0xb3, 0x0f, 0x65, 0x6a, 0x8f, 0x55, 0x57, 0x36, 0xee, 0xb2, 0x84, 0x44, \
- 0xfc, 0x91, 0x88, 0xe1, 0xa4, 0xdd, 0x3b, 0x4a, 0x40, 0x4d, 0x7c, 0x86, \
- 0xed, 0xe1, 0xb5, 0x42, 0xef, 0xb9, 0x61, 0xcd, 0x58, 0x19, 0x77, 0x02, \
- 0xae, 0x58, 0x80, 0xdb, 0x13, 0x3d, 0xc7, 0x1f, 0x9d, 0xed, 0xff, 0xac, \
- 0x98, 0xfc, 0xcd, 0xf9, 0x62, 0x04, 0x83, 0x91, 0x89, 0x0d, 0x86, 0x43, \
- 0x8c, 0x0c, 0xc7, 0x1b, 0x90, 0x4d, 0xbe, 0x2f, 0xc5, 0x7c, 0xcd, 0x42, \
- 0xf5, 0xd3, 0xad, 0x8e, 0xfd, 0x9d, 0x02, 0x81, 0x80, 0x17, 0x4b, 0x79, \
- 0x2a, 0x6c, 0x1b, 0x8d, 0x61, 0xc1, 0x85, 0xc5, 0x6a, 0x3b, 0x82, 0x1c, \
- 0x05, 0x5b, 0xcd, 0xdc, 0x12, 0x25, 0x73, 0x5b, 0x9e, 0xd9, 0x84, 0x57, \
- 0x10, 0x39, 0x71, 0x63, 0x96, 0xf4, 0xaf, 0xc3, 0x78, 0x5d, 0xc7, 0x8c, \
- 0x80, 0xa9, 0x96, 0xd7, 0xc3, 0x87, 0x02, 0x96, 0x71, 0x7e, 0x5f, 0x2e, \
- 0x3c, 0x36, 0xae, 0x59, 0x92, 0xd7, 0x3a, 0x09, 0x78, 0xb9, 0xea, 0x6f, \
- 0xc2, 0x16, 0x42, 0xdc, 0x4b, 0x96, 0xad, 0x2c, 0xb2, 0x20, 0x23, 0x61, \
- 0x2d, 0x8d, 0xb5, 0x02, 0x1e, 0xe1, 0x6c, 0x81, 0x01, 0x3c, 0x5d, 0xcb, \
- 0xdd, 0x9b, 0x0e, 0xc0, 0x2f, 0x94, 0x12, 0xb2, 0xfe, 0x75, 0x75, 0x8b, \
- 0x74, 0x1e, 0x7a, 0x26, 0x0c, 0xb7, 0x81, 0x96, 0x81, 0x79, 0x6e, 0xdb, \
- 0xbc, 0x3a, 0xc4, 0x9e, 0x87, 0x09, 0x6e, 0xa0, 0xa6, 0xec, 0x8b, 0xa4, \
- 0x85, 0x71, 0xce, 0x04, 0xaf, 0x02, 0x81, 0x81, 0x00, 0xc2, 0xa7, 0x47, \
- 0x07, 0x48, 0x6a, 0xc8, 0xd4, 0xb3, 0x20, 0xe1, 0x98, 0xee, 0xff, 0x5a, \
- 0x6f, 0x30, 0x7a, 0xa5, 0x47, 0x40, 0xdc, 0x16, 0x62, 0x42, 0xf1, 0x2c, \
- 0xdc, 0xb8, 0xc7, 0x55, 0xde, 0x07, 0x3c, 0x9d, 0xb1, 0xd0, 0xdf, 0x02, \
- 0x82, 0xb0, 0x48, 0x58, 0xe1, 0x34, 0xab, 0xcf, 0xb4, 0x85, 0x23, 0x26, \
- 0x78, 0x4f, 0x7a, 0x59, 0x6f, 0xfb, 0x8c, 0x3d, 0xdf, 0x3d, 0x6c, 0x02, \
- 0x47, 0x9c, 0xe5, 0x5e, 0x49, 0xf1, 0x05, 0x0b, 0x1f, 0xbf, 0x48, 0x0f, \
- 0xdc, 0x10, 0xb9, 0x3d, 0x1d, 0x10, 0x77, 0x2a, 0x73, 0xf9, 0xdf, 0xbd, \
- 0xcd, 0xf3, 0x1f, 0xeb, 0x6e, 0x64, 0xca, 0x2b, 0x78, 0x4f, 0xf8, 0x73, \
- 0xc2, 0x10, 0xef, 0x79, 0x95, 0x33, 0x1e, 0x79, 0x35, 0x09, 0xff, 0x88, \
- 0x1b, 0xb4, 0x3e, 0x4c, 0xe1, 0x27, 0x2e, 0x75, 0x80, 0x58, 0x11, 0x03, \
- 0x21, 0x23, 0x96, 0x9a, 0xb5, 0x02, 0x81, 0x80, 0x05, 0x12, 0x64, 0x71, \
- 0x83, 0x00, 0x1c, 0xfe, 0xef, 0x83, 0xea, 0xdd, 0x2c, 0xc8, 0x2c, 0x00, \
- 0x62, 0x1e, 0x8f, 0x3a, 0xdb, 0x1c, 0xab, 0xd6, 0x34, 0x8b, 0xd1, 0xb2, \
- 0x5a, 0x4f, 0x3d, 0x37, 0x38, 0x02, 0xe0, 0xd7, 0x70, 0xc1, 0xb0, 0x47, \
- 0xe0, 0x08, 0x1a, 0x84, 0xec, 0x48, 0xc5, 0x7c, 0x76, 0x83, 0x12, 0x67, \
- 0xab, 0x7c, 0x9f, 0x90, 0x97, 0xc8, 0x8f, 0x07, 0xf4, 0xb3, 0x60, 0xf2, \
- 0x3f, 0x49, 0x18, 0xdb, 0x2e, 0x94, 0x6b, 0x53, 0x9e, 0xa2, 0x63, 0xde, \
- 0x63, 0xd9, 0xab, 0x21, 0x2e, 0x2d, 0x0a, 0xe0, 0xd0, 0xe8, 0xba, 0xc4, \
- 0x4c, 0x1e, 0xa5, 0xf5, 0x51, 0xa8, 0xc4, 0x92, 0xf8, 0x7f, 0x21, 0xe7, \
- 0x65, 0xbf, 0x0b, 0xe6, 0x01, 0xaf, 0x9c, 0x1d, 0x5b, 0x6c, 0x3f, 0x1c, \
- 0x2f, 0xa6, 0x0f, 0x68, 0x38, 0x8e, 0x85, 0xc4, 0x6c, 0x78, 0x2f, 0x6f, \
- 0x06, 0x21, 0x2e, 0x56 \
-}
-/* END FILE */
-
-/* This is taken from cli2.crt. */
-/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM cli2.crt */
-#define TEST_CLI_CRT_EC_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw\r\n" \
- "DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJTU0wgVGVzdCBFQyBDQTAe\r\n" \
- "Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMEExCzAJBgNVBAYTAk5MMREw\r\n" \
- "DwYDVQQKDAhQb2xhclNTTDEfMB0GA1UEAwwWUG9sYXJTU0wgVGVzdCBDbGllbnQg\r\n" \
- "MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFflrrFz39Osu5O4gf8Sru7mU6zO\r\n" \
- "VVP2NA7MLuNjJQvfmOLzXGA2lsDVGBRw5X+f1UtFGOWwbNVc+JaPh3Cj5MejTTBL\r\n" \
- "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMB8GA1Ud\r\n" \
- "IwQYMBaAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAwGCCqGSM49BAMCBQADaAAwZQIx\r\n" \
- "AMqme4DKMldUlplDET9Q6Eptre7uUWKhsLOF+zPkKDlfzpIkJYEFgcloDHGYw80u\r\n" \
- "IgIwNftyPXsabTqMM7iEHgVpX/GRozKklY9yQI/5eoA6gGW7Y+imuGR/oao5ySOb\r\n" \
- "a9Vk\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from cli2.crt.der. */
-/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER cli2.crt.der */
-#define TEST_CLI_CRT_EC_DER { \
- 0x30, 0x82, 0x01, 0xdf, 0x30, 0x82, 0x01, 0x63, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x0d, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \
- 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, \
- 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, \
- 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, \
- 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, \
- 0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, \
- 0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, \
- 0x17, 0x0d, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, \
- 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, \
- 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x30, 0x41, 0x31, 0x0b, 0x30, 0x09, \
- 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, \
- 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, \
- 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, \
- 0x03, 0x0c, 0x16, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, \
- 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, \
- 0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, \
- 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, \
- 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae, 0xb1, 0x73, 0xdf, 0xd3, 0xac, \
- 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae, 0xee, 0xe6, 0x53, 0xac, 0xce, \
- 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e, 0xe3, 0x63, 0x25, 0x0b, 0xdf, \
- 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96, 0xc0, 0xd5, 0x18, 0x14, 0x70, \
- 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18, 0xe5, 0xb0, 0x6c, 0xd5, 0x5c, \
- 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4, 0xc7, 0xa3, 0x4d, 0x30, 0x4b, \
- 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, \
- 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7a, 0x00, \
- 0x5f, 0x86, 0x64, 0xfc, 0xe0, 0x5d, 0xe5, 0x11, 0x10, 0x3b, 0xb2, 0xe6, \
- 0x3b, 0xc4, 0x26, 0x3f, 0xcf, 0xe2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, \
- 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, \
- 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, \
- 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \
- 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x31, \
- 0x00, 0xca, 0xa6, 0x7b, 0x80, 0xca, 0x32, 0x57, 0x54, 0x96, 0x99, 0x43, \
- 0x11, 0x3f, 0x50, 0xe8, 0x4a, 0x6d, 0xad, 0xee, 0xee, 0x51, 0x62, 0xa1, \
- 0xb0, 0xb3, 0x85, 0xfb, 0x33, 0xe4, 0x28, 0x39, 0x5f, 0xce, 0x92, 0x24, \
- 0x25, 0x81, 0x05, 0x81, 0xc9, 0x68, 0x0c, 0x71, 0x98, 0xc3, 0xcd, 0x2e, \
- 0x22, 0x02, 0x30, 0x35, 0xfb, 0x72, 0x3d, 0x7b, 0x1a, 0x6d, 0x3a, 0x8c, \
- 0x33, 0xb8, 0x84, 0x1e, 0x05, 0x69, 0x5f, 0xf1, 0x91, 0xa3, 0x32, 0xa4, \
- 0x95, 0x8f, 0x72, 0x40, 0x8f, 0xf9, 0x7a, 0x80, 0x3a, 0x80, 0x65, 0xbb, \
- 0x63, 0xe8, 0xa6, 0xb8, 0x64, 0x7f, 0xa1, 0xaa, 0x39, 0xc9, 0x23, 0x9b, \
- 0x6b, 0xd5, 0x64 \
-}
-/* END FILE */
-
-/* This is taken from cli2.key. */
-/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM cli2.key */
-#define TEST_CLI_KEY_EC_PEM \
- "-----BEGIN EC PRIVATE KEY-----\r\n" \
- "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
- "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
- "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" \
- "-----END EC PRIVATE KEY-----\r\n"
-/* END FILE */
-
-/* This is generated from cli2.key.der. */
-/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER cli2.key.der */
-#define TEST_CLI_KEY_EC_DER { \
- 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1, \
- 0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0, \
- 0x05, 0xff, 0x96, 0x22, 0x8a, 0x7a, 0x84, 0x38, 0x64, 0x17, 0x32, 0x61, \
- 0x98, 0xb7, 0x2a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \
- 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae, \
- 0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae, \
- 0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e, \
- 0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96, \
- 0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18, \
- 0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4, \
- 0xc7 \
-}
-/* END FILE */
-
-/* This is taken from cli-rsa-sha256.crt. */
-/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM cli-rsa-sha256.crt */
-#define TEST_CLI_CRT_RSA_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
- "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
- "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n" \
- "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n" \
- "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n" \
- "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n" \
- "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n" \
- "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n" \
- "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n" \
- "o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n" \
- "BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
- "AQEAXidv1d4pLlBiKWED95rMycBdgDcgyNqJxakFkRfRyA2y1mlyTn7uBXRkNLY5\r\n" \
- "ZFzK82GCjk2Q2OD4RZSCPAJJqLpHHU34t71ciffvy2KK81YvrxczRhMAE64i+qna\r\n" \
- "yP3Td2XuWJR05PVPoSemsNELs9gWttdnYy3ce+EY2Y0n7Rsi7982EeLIAA7H6ca4\r\n" \
- "2Es/NUH//JZJT32OP0doMxeDRA+vplkKqTLLWf7dX26LIriBkBaRCgR5Yv9LBPFc\r\n" \
- "NOtpzu/LbrY7QFXKJMI+JXDudCsOn8KCmiA4d6Emisqfh3V3485l7HEQNcvLTxlD\r\n" \
- "6zDQyi0/ykYUYZkwQTK1N2Nvlw==\r\n" \
- "-----END CERTIFICATE-----\r\n"
-/* END FILE */
-
-/* This is generated from cli-rsa-sha256.crt.der. */
-/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER cli-rsa-sha256.crt.der */
-#define TEST_CLI_CRT_RSA_DER { \
- 0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \
- 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, \
- 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, \
- 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, \
- 0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36, \
- 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, \
- 0x34, 0x30, 0x36, 0x5a, 0x30, 0x3c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
- 0x11, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x6c, \
- 0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, \
- 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, \
- 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, \
- 0x01, 0x01, 0x00, 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, \
- 0x45, 0xd9, 0x14, 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, \
- 0x33, 0xad, 0x0d, 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, \
- 0xcc, 0x66, 0x85, 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, \
- 0x9e, 0x0a, 0x6e, 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, \
- 0x93, 0x86, 0x49, 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, \
- 0xd4, 0x2f, 0x77, 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, \
- 0x48, 0x70, 0xf5, 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, \
- 0xe6, 0x43, 0xea, 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, \
- 0x57, 0x4e, 0xa9, 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, \
- 0x32, 0x30, 0xd5, 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, \
- 0x5f, 0xf9, 0x3d, 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, \
- 0xfb, 0xe5, 0x0c, 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, \
- 0x7f, 0xca, 0xad, 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, \
- 0xe0, 0x9b, 0xf8, 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, \
- 0x04, 0x66, 0xc7, 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, \
- 0x06, 0x67, 0xf4, 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, \
- 0x3c, 0x8b, 0x35, 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, \
- 0xfc, 0x36, 0x6b, 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, \
- 0x00, 0xcf, 0xaf, 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, \
- 0xe7, 0x50, 0x71, 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, \
- 0xe4, 0xc4, 0xfd, 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, \
- 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, \
- 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, \
- 0x04, 0x14, 0x71, 0xa1, 0x00, 0x73, 0x72, 0x40, 0x2f, 0x54, 0x76, 0x5e, \
- 0x33, 0xfc, 0x52, 0x8f, 0xbc, 0xf1, 0xdd, 0x6b, 0x46, 0x21, 0x30, 0x1f, \
- 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb4, \
- 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, 0xa6, 0x95, \
- 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, \
- 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, \
- 0x01, 0x01, 0x00, 0x5e, 0x27, 0x6f, 0xd5, 0xde, 0x29, 0x2e, 0x50, 0x62, \
- 0x29, 0x61, 0x03, 0xf7, 0x9a, 0xcc, 0xc9, 0xc0, 0x5d, 0x80, 0x37, 0x20, \
- 0xc8, 0xda, 0x89, 0xc5, 0xa9, 0x05, 0x91, 0x17, 0xd1, 0xc8, 0x0d, 0xb2, \
- 0xd6, 0x69, 0x72, 0x4e, 0x7e, 0xee, 0x05, 0x74, 0x64, 0x34, 0xb6, 0x39, \
- 0x64, 0x5c, 0xca, 0xf3, 0x61, 0x82, 0x8e, 0x4d, 0x90, 0xd8, 0xe0, 0xf8, \
- 0x45, 0x94, 0x82, 0x3c, 0x02, 0x49, 0xa8, 0xba, 0x47, 0x1d, 0x4d, 0xf8, \
- 0xb7, 0xbd, 0x5c, 0x89, 0xf7, 0xef, 0xcb, 0x62, 0x8a, 0xf3, 0x56, 0x2f, \
- 0xaf, 0x17, 0x33, 0x46, 0x13, 0x00, 0x13, 0xae, 0x22, 0xfa, 0xa9, 0xda, \
- 0xc8, 0xfd, 0xd3, 0x77, 0x65, 0xee, 0x58, 0x94, 0x74, 0xe4, 0xf5, 0x4f, \
- 0xa1, 0x27, 0xa6, 0xb0, 0xd1, 0x0b, 0xb3, 0xd8, 0x16, 0xb6, 0xd7, 0x67, \
- 0x63, 0x2d, 0xdc, 0x7b, 0xe1, 0x18, 0xd9, 0x8d, 0x27, 0xed, 0x1b, 0x22, \
- 0xef, 0xdf, 0x36, 0x11, 0xe2, 0xc8, 0x00, 0x0e, 0xc7, 0xe9, 0xc6, 0xb8, \
- 0xd8, 0x4b, 0x3f, 0x35, 0x41, 0xff, 0xfc, 0x96, 0x49, 0x4f, 0x7d, 0x8e, \
- 0x3f, 0x47, 0x68, 0x33, 0x17, 0x83, 0x44, 0x0f, 0xaf, 0xa6, 0x59, 0x0a, \
- 0xa9, 0x32, 0xcb, 0x59, 0xfe, 0xdd, 0x5f, 0x6e, 0x8b, 0x22, 0xb8, 0x81, \
- 0x90, 0x16, 0x91, 0x0a, 0x04, 0x79, 0x62, 0xff, 0x4b, 0x04, 0xf1, 0x5c, \
- 0x34, 0xeb, 0x69, 0xce, 0xef, 0xcb, 0x6e, 0xb6, 0x3b, 0x40, 0x55, 0xca, \
- 0x24, 0xc2, 0x3e, 0x25, 0x70, 0xee, 0x74, 0x2b, 0x0e, 0x9f, 0xc2, 0x82, \
- 0x9a, 0x20, 0x38, 0x77, 0xa1, 0x26, 0x8a, 0xca, 0x9f, 0x87, 0x75, 0x77, \
- 0xe3, 0xce, 0x65, 0xec, 0x71, 0x10, 0x35, 0xcb, 0xcb, 0x4f, 0x19, 0x43, \
- 0xeb, 0x30, 0xd0, 0xca, 0x2d, 0x3f, 0xca, 0x46, 0x14, 0x61, 0x99, 0x30, \
- 0x41, 0x32, 0xb5, 0x37, 0x63, 0x6f, 0x97 \
-}
-/* END FILE */
-
-/* This is taken from cli-rsa.key. */
-/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM cli-rsa.key */
-#define TEST_CLI_KEY_RSA_PEM \
- "-----BEGIN RSA PRIVATE KEY-----\r\n" \
- "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \
- "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" \
- "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n" \
- "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n" \
- "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n" \
- "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n" \
- "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n" \
- "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n" \
- "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n" \
- "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n" \
- "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n" \
- "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n" \
- "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n" \
- "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n" \
- "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n" \
- "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n" \
- "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n" \
- "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n" \
- "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n" \
- "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n" \
- "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n" \
- "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n" \
- "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n" \
- "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" \
- "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n" \
- "-----END RSA PRIVATE KEY-----\r\n"
-/* END FILE */
-
-/* This is generated from cli-rsa.key.der. */
-/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER cli-rsa.key.der */
-#define TEST_CLI_KEY_RSA_DER { \
- 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \
- 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14, \
- 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, 0x33, 0xad, 0x0d, \
- 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, 0xcc, 0x66, 0x85, \
- 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, 0x9e, 0x0a, 0x6e, \
- 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, 0x93, 0x86, 0x49, \
- 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, 0xd4, 0x2f, 0x77, \
- 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, 0x48, 0x70, 0xf5, \
- 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, 0xe6, 0x43, 0xea, \
- 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, 0x57, 0x4e, 0xa9, \
- 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, 0x32, 0x30, 0xd5, \
- 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, 0x5f, 0xf9, 0x3d, \
- 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, 0xfb, 0xe5, 0x0c, \
- 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, 0x7f, 0xca, 0xad, \
- 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, 0xe0, 0x9b, 0xf8, \
- 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, 0x04, 0x66, 0xc7, \
- 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, 0x06, 0x67, 0xf4, \
- 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, 0x3c, 0x8b, 0x35, \
- 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, 0xfc, 0x36, 0x6b, \
- 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, 0x00, 0xcf, 0xaf, \
- 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, 0xe7, 0x50, 0x71, \
- 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, 0xe4, 0xc4, 0xfd, \
- 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, \
- 0x00, 0x67, 0x4d, 0xb5, 0xf6, 0x03, 0x89, 0xaa, 0x7a, 0x6f, 0x3b, 0x2d, \
- 0xca, 0x10, 0xa2, 0x23, 0xc9, 0xbd, 0x4e, 0xda, 0xe1, 0x67, 0x0e, 0x0c, \
- 0x8a, 0xc6, 0x84, 0x68, 0xdf, 0xe5, 0x97, 0x75, 0xd2, 0x8d, 0xa3, 0x86, \
- 0xd9, 0xdb, 0xd5, 0xeb, 0x13, 0x19, 0x08, 0xc5, 0x7e, 0xe5, 0x37, 0x97, \
- 0x0c, 0x73, 0x80, 0x66, 0x76, 0x35, 0xf1, 0x88, 0xb5, 0xf2, 0xfc, 0xf3, \
- 0xe1, 0x4b, 0x76, 0x4e, 0x73, 0x45, 0xce, 0x2c, 0xc2, 0x10, 0x26, 0x0d, \
- 0x68, 0x0d, 0x9f, 0x49, 0x3d, 0xd6, 0x80, 0x89, 0xe7, 0xc5, 0x49, 0x15, \
- 0xdd, 0x85, 0xc0, 0xc8, 0xfe, 0x82, 0x37, 0x12, 0x5a, 0x0a, 0x6b, 0xf6, \
- 0x68, 0x0d, 0x32, 0x16, 0xbd, 0xa4, 0x15, 0x54, 0x9e, 0x68, 0xa1, 0xad, \
- 0xca, 0x6b, 0xe5, 0x8c, 0xda, 0x76, 0x35, 0x59, 0x2f, 0x9b, 0xb4, 0xe1, \
- 0xf1, 0xf0, 0x50, 0x04, 0xee, 0xc8, 0xec, 0x05, 0xe1, 0xcf, 0x8d, 0xe4, \
- 0xd2, 0x64, 0x7b, 0x5e, 0x63, 0xe0, 0x7b, 0x07, 0xbc, 0x02, 0x96, 0x4e, \
- 0x1b, 0x78, 0x6c, 0xb6, 0x43, 0x9a, 0x32, 0xf6, 0xd6, 0x02, 0xf5, 0x80, \
- 0xcc, 0x26, 0x6e, 0xa5, 0xd0, 0xe3, 0x65, 0x88, 0xce, 0x26, 0xa9, 0x40, \
- 0xe1, 0xe1, 0x00, 0xe0, 0x7f, 0x3f, 0xc3, 0xb1, 0x7c, 0xde, 0xbe, 0x42, \
- 0xba, 0x07, 0x81, 0x13, 0xc2, 0xe0, 0x11, 0x11, 0x23, 0x2c, 0xf8, 0xb2, \
- 0x7a, 0x3a, 0xd4, 0xe4, 0x7d, 0x5f, 0xb9, 0xb1, 0x18, 0xfa, 0x1d, 0x1d, \
- 0x97, 0x91, 0xd9, 0x04, 0x9e, 0xbc, 0xc9, 0xb4, 0xd7, 0x7d, 0x0e, 0x54, \
- 0xf6, 0x8f, 0xd0, 0x28, 0x0d, 0xdd, 0x77, 0x4b, 0x68, 0x04, 0x48, 0x61, \
- 0x75, 0x15, 0x03, 0x1b, 0x35, 0xad, 0x8e, 0xfc, 0x24, 0x11, 0x07, 0xea, \
- 0x17, 0x5a, 0xde, 0x19, 0x68, 0xff, 0xb6, 0x87, 0x7f, 0x80, 0x2a, 0x5f, \
- 0x0c, 0x58, 0xba, 0x5f, 0x41, 0x02, 0x81, 0x81, 0x00, 0xe3, 0x03, 0xaf, \
- 0xfe, 0x98, 0xd2, 0x0b, 0x7b, 0x72, 0xe9, 0x3b, 0x8e, 0xbc, 0xa5, 0xf6, \
- 0xac, 0xe5, 0x22, 0x06, 0xb2, 0xd7, 0x5e, 0xfd, 0x89, 0x4b, 0x16, 0x67, \
- 0x32, 0x83, 0x22, 0x58, 0x8e, 0x62, 0xa4, 0xb4, 0x2d, 0xf9, 0x16, 0x13, \
- 0x54, 0xf6, 0x9f, 0x2f, 0xf9, 0xbb, 0x0e, 0x7e, 0x8c, 0x6f, 0x08, 0xda, \
- 0xc8, 0xe9, 0x1c, 0x66, 0x10, 0x70, 0x93, 0x90, 0x8d, 0xcf, 0x90, 0x3a, \
- 0x43, 0x89, 0x49, 0xeb, 0x83, 0x2a, 0xfe, 0x5a, 0x87, 0xce, 0x74, 0x42, \
- 0x41, 0x0d, 0x8c, 0x73, 0x51, 0xbc, 0x7b, 0x20, 0xc5, 0xfd, 0xf6, 0x0b, \
- 0x65, 0xed, 0xa9, 0x2e, 0xfc, 0x0f, 0xf5, 0x50, 0xf9, 0x8d, 0x37, 0x36, \
- 0x9a, 0x20, 0xdf, 0xc3, 0xe3, 0x27, 0xbc, 0x98, 0x72, 0xc1, 0x14, 0x4b, \
- 0x71, 0xe9, 0x83, 0x14, 0xff, 0x24, 0xe2, 0x14, 0x15, 0xb6, 0x6f, 0x0f, \
- 0x32, 0x9d, 0xd9, 0x98, 0xd1, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x0c, 0xfb, \
- 0xc3, 0x33, 0x9b, 0x47, 0x88, 0x27, 0xf2, 0x26, 0xde, 0xeb, 0x5e, 0xee, \
- 0x40, 0xf6, 0x63, 0x5b, 0x35, 0x23, 0xf5, 0xd5, 0x07, 0x61, 0xdf, 0xa2, \
- 0x9f, 0x58, 0x30, 0x04, 0x22, 0x2b, 0xb4, 0xd9, 0xda, 0x46, 0x7f, 0x48, \
- 0xf5, 0x4f, 0xd0, 0xea, 0xd7, 0xa0, 0x45, 0x8a, 0x62, 0x8b, 0x8c, 0xac, \
- 0x73, 0x5e, 0xfa, 0x36, 0x65, 0x3e, 0xba, 0x6c, 0xba, 0x5e, 0x6b, 0x92, \
- 0x29, 0x5e, 0x6a, 0x0f, 0xd6, 0xd2, 0xa5, 0x95, 0x86, 0xda, 0x72, 0xc5, \
- 0x9e, 0xc9, 0x6b, 0x37, 0x5e, 0x4b, 0x9b, 0x77, 0xe1, 0x67, 0x1a, 0x1e, \
- 0x30, 0xd8, 0x41, 0x68, 0x40, 0xd3, 0x9c, 0xb4, 0xf6, 0xeb, 0x2a, 0x22, \
- 0xdf, 0x78, 0x29, 0xd2, 0x64, 0x92, 0x5b, 0x2f, 0x78, 0x64, 0x4a, 0xa2, \
- 0xa6, 0x6b, 0x3e, 0x50, 0xb1, 0x7a, 0xb1, 0x8d, 0x59, 0xb4, 0x55, 0xba, \
- 0xb6, 0x91, 0x85, 0xa3, 0x2f, 0x02, 0x81, 0x80, 0x10, 0x1e, 0x19, 0xe7, \
- 0xbc, 0x97, 0xe5, 0x22, 0xcd, 0xa4, 0xcb, 0x8a, 0xb5, 0xd0, 0x1e, 0xb4, \
- 0x65, 0xcc, 0x45, 0xa7, 0x7a, 0xed, 0x0e, 0x99, 0x29, 0xd0, 0x9c, 0x61, \
- 0x14, 0xb8, 0x62, 0x8b, 0x31, 0x6b, 0xba, 0x33, 0x2d, 0x65, 0x28, 0xd8, \
- 0x36, 0x6e, 0x54, 0xec, 0xa9, 0x20, 0x3d, 0x51, 0xe1, 0x2c, 0x42, 0xc4, \
- 0x52, 0xf0, 0xa6, 0x3a, 0x72, 0x93, 0xb7, 0x86, 0xa9, 0xfe, 0xf6, 0x74, \
- 0x07, 0x12, 0x4d, 0x7b, 0x51, 0x99, 0x1f, 0x7a, 0x56, 0xe9, 0x20, 0x2f, \
- 0x18, 0x34, 0x29, 0x97, 0xdb, 0x06, 0xee, 0xeb, 0xbf, 0xbd, 0x31, 0x4f, \
- 0xfa, 0x50, 0xb1, 0xba, 0x49, 0xb3, 0xc4, 0x1d, 0x03, 0xae, 0xb0, 0xdc, \
- 0xbe, 0x8a, 0xc4, 0x90, 0xa3, 0x28, 0x9b, 0xb6, 0x42, 0x09, 0x1b, 0xd6, \
- 0x29, 0x9b, 0x19, 0xe9, 0x87, 0x87, 0xd9, 0x9f, 0x35, 0x05, 0xab, 0x91, \
- 0x8f, 0x6d, 0x7c, 0x91, 0x02, 0x81, 0x81, 0x00, 0x94, 0x57, 0xf0, 0xe0, \
- 0x28, 0xfd, 0xbd, 0xf3, 0x9c, 0x43, 0x4d, 0x3e, 0xfd, 0x37, 0x4f, 0x23, \
- 0x52, 0x8d, 0xe1, 0x4c, 0xfe, 0x4c, 0x55, 0x80, 0x82, 0xba, 0x3f, 0xfe, \
- 0x51, 0xe1, 0x30, 0xd5, 0x3b, 0xd9, 0x73, 0x1d, 0xcb, 0x25, 0xbc, 0xbb, \
- 0x3f, 0xa5, 0xda, 0x77, 0xa6, 0xb5, 0xfc, 0x1a, 0xaf, 0x79, 0xa1, 0xb2, \
- 0x14, 0xa2, 0x1f, 0x10, 0x52, 0x1a, 0x05, 0x40, 0x48, 0xb6, 0x4f, 0x34, \
- 0xd6, 0xc0, 0xc3, 0xa4, 0x36, 0x98, 0x73, 0x88, 0x0b, 0xd3, 0x45, 0xdc, \
- 0xee, 0x51, 0x6e, 0x04, 0x73, 0x99, 0x93, 0x12, 0x58, 0x96, 0xcb, 0x39, \
- 0x42, 0xb1, 0xa9, 0xb8, 0xe1, 0x25, 0xf5, 0x9c, 0x14, 0xb7, 0x92, 0x2b, \
- 0x14, 0xb0, 0x5d, 0x61, 0xa2, 0xaa, 0x34, 0x7c, 0xcd, 0x54, 0x2d, 0x69, \
- 0x08, 0xf7, 0xdb, 0xfc, 0x9c, 0x87, 0xe8, 0x3a, 0xf6, 0x1d, 0x4c, 0x6a, \
- 0x83, 0x15, 0x30, 0x01, 0x02, 0x81, 0x81, 0x00, 0x9c, 0x53, 0xa1, 0xb6, \
- 0x2f, 0xc0, 0x06, 0xf5, 0xdf, 0x5c, 0xd1, 0x4a, 0x4e, 0xc8, 0xbd, 0x6d, \
- 0x32, 0xf1, 0x5e, 0xe5, 0x3b, 0x70, 0xd0, 0xa8, 0xe5, 0x41, 0x57, 0x6c, \
- 0x87, 0x53, 0x0f, 0xeb, 0x28, 0xa0, 0x62, 0x8f, 0x43, 0x62, 0xec, 0x2e, \
- 0x6c, 0x71, 0x55, 0x5b, 0x6a, 0xf4, 0x74, 0x14, 0xea, 0x7a, 0x03, 0xf6, \
- 0xfc, 0xa4, 0xce, 0xc4, 0xac, 0xda, 0x1d, 0xf0, 0xb5, 0xa9, 0xfd, 0x11, \
- 0x18, 0x3b, 0x14, 0xa0, 0x90, 0x8d, 0x26, 0xb7, 0x75, 0x73, 0x0a, 0x02, \
- 0x2c, 0x6f, 0x0f, 0xd8, 0x41, 0x78, 0xc3, 0x73, 0x81, 0xac, 0xaa, 0xaf, \
- 0xf2, 0xee, 0x32, 0xb5, 0x8d, 0x05, 0xf9, 0x59, 0x5a, 0x9e, 0x3e, 0x65, \
- 0x9b, 0x74, 0xda, 0xa0, 0x74, 0x95, 0x17, 0x5f, 0x8d, 0x58, 0xfc, 0x8e, \
- 0x4e, 0x2c, 0x1e, 0xbc, 0x81, 0x02, 0x18, 0xac, 0x12, 0xc6, 0xf9, 0x64, \
- 0x8b, 0x87, 0xc3, 0x00 \
-}
-/* END FILE */
-
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 5c305cb..255849f 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -5,28 +5,14 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/ssl_helpers.h>
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS_C)
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-static int rng_seed = 0xBEEF;
-static int rng_get(void *p_rng, unsigned char *output, size_t output_len)
+int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
(void) p_rng;
for (size_t i = 0; i < output_len; i++) {
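Review bot: `mbedtls_test_random` loses `static` and its `MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED` guard here, but gets no comment saying what kind of generator it is. The only seeding visible in this patch is `srand(rng_seed)` with the fixed start value `0xBEEF` in `mbedtls_test_init_handshake_options`, and that call stays behind the guard, so the output is presumably reproducible by design and unseeded in builds without the guard. I would add above the definition `/* Deterministic, non-cryptographic RNG callback for tests only; never use it for real keys or nonces. */` and repeat it wherever the prototype is declared. The loop body lies outside the hunk, so the source of the bytes could not be checked here.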
@@ -35,7 +21,6 @@ static int rng_get(void *p_rng, unsigned char *output, size_t output_len)
return 0;
}
-#endif
void mbedtls_test_ssl_log_analyzer(void *ctx, int level,
const char *file, int line,
@@ -58,39 +43,32 @@ void mbedtls_test_init_handshake_options(
mbedtls_test_handshake_test_options *opts)
{
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ static int rng_seed = 0xBEEF;
+
srand(rng_seed);
rng_seed += 0xD0;
#endif
+
+ memset(opts, 0, sizeof(*opts));
+
opts->cipher = "";
opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->server_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3;
- opts->expected_handshake_result = 0;
- opts->expected_ciphersuite = 0;
opts->pk_alg = MBEDTLS_PK_RSA;
- opts->opaque_alg = 0;
- opts->opaque_alg2 = 0;
- opts->opaque_usage = 0;
- opts->psk_str = NULL;
- opts->dtls = 0;
opts->srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE;
- opts->serialize = 0;
opts->mfl = MBEDTLS_SSL_MAX_FRAG_LEN_NONE;
opts->cli_msg_len = 100;
opts->srv_msg_len = 100;
opts->expected_cli_fragments = 1;
opts->expected_srv_fragments = 1;
- opts->renegotiate = 0;
opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
- opts->srv_log_obj = NULL;
- opts->srv_log_obj = NULL;
- opts->srv_log_fun = NULL;
- opts->cli_log_fun = NULL;
opts->resize_buffers = 1;
+ opts->early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ opts->max_early_data_size = -1;
#if defined(MBEDTLS_SSL_CACHE_C)
- opts->cache = NULL;
TEST_CALLOC(opts->cache, 1);
mbedtls_ssl_cache_init(opts->cache);
#if defined(MBEDTLS_HAVE_TIME)
@@ -707,9 +685,20 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot,
- opaque_alg, opaque_usage,
- opaque_alg2), 0);
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ /* Use a fake key usage to get a successful initial guess for the PSA attributes. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_SIGN_HASH,
+ &key_attr), 0);
+ /* Then manually usage, alg and alg2 as requested by the test. */
+ psa_set_key_usage_flags(&key_attr, opaque_usage);
+ psa_set_key_algorithm(&key_attr, opaque_alg);
+ if (opaque_alg2 != PSA_ALG_NONE) {
+ psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2);
+ }
+ TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0);
+ mbedtls_pk_free(cert->pkey);
+ mbedtls_pk_init(cert->pkey);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
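Review bot: The comment `/* Then manually usage, alg and alg2 as requested by the test. */` is missing its verb, and the free/init/setup sequence after the import has no comment at all. Suggested wording is `/* Then manually set usage, alg and alg2 as requested by the test. */`, plus `/* Drop the transparent key and turn the PK context into an opaque wrapper around key_slot. */` before `mbedtls_pk_free(cert->pkey)`. If the `TEST_EQUAL` on `mbedtls_pk_setup_opaque` fails, `key_slot` already holds an imported key. The cleanup path is outside this hunk, so it is worth confirming that it destroys the slot in that case.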
@@ -745,8 +734,7 @@ int mbedtls_test_ssl_endpoint_init(
mbedtls_test_handshake_test_options *options,
mbedtls_test_message_socket_context *dtls_context,
mbedtls_test_ssl_message_queue *input_queue,
- mbedtls_test_ssl_message_queue *output_queue,
- uint16_t *group_list)
+ mbedtls_test_ssl_message_queue *output_queue)
{
int ret = -1;
uintptr_t user_data_n;
@@ -767,7 +755,7 @@ int mbedtls_test_ssl_endpoint_init(
mbedtls_ssl_init(&(ep->ssl));
mbedtls_ssl_config_init(&(ep->conf));
- mbedtls_ssl_conf_rng(&(ep->conf), rng_get, NULL);
+ mbedtls_ssl_conf_rng(&(ep->conf), mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&ep->conf) == NULL);
TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), 0);
@@ -830,12 +818,29 @@ int mbedtls_test_ssl_endpoint_init(
}
}
- if (group_list != NULL) {
- mbedtls_ssl_conf_groups(&(ep->conf), group_list);
+ if (options->group_list != NULL) {
+ mbedtls_ssl_conf_groups(&(ep->conf), options->group_list);
}
mbedtls_ssl_conf_authmode(&(ep->conf), MBEDTLS_SSL_VERIFY_REQUIRED);
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_conf_early_data(&(ep->conf), options->early_data);
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_SERVER &&
+ (options->max_early_data_size >= 0)) {
+ mbedtls_ssl_conf_max_early_data_size(&(ep->conf),
+ options->max_early_data_size);
+ }
+#endif
+#if defined(MBEDTLS_SSL_ALPN)
+ /* check that alpn_list contains at least one valid entry */
+ if (options->alpn_list[0] != NULL) {
+ mbedtls_ssl_conf_alpn_protocols(&(ep->conf), options->alpn_list);
+ }
+#endif
+#endif
+
#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL) {
mbedtls_ssl_conf_session_cache(&(ep->conf), options->cache,
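Review bot: The result of `mbedtls_ssl_conf_alpn_protocols` is discarded, so a rejected `alpn_list` would go unnoticed and the test would carry on without ALPN configured. `TEST_EQUAL(mbedtls_ssl_conf_alpn_protocols(&(ep->conf), options->alpn_list), 0);` matches how this function reports other failures. The `MBEDTLS_SSL_ALPN` block also sits inside `#if defined(MBEDTLS_SSL_EARLY_DATA)`, so the ALPN list from the options is ignored in builds without early data. If that is intended a comment should say so; otherwise the block belongs after the outer `#endif`, which would be easier to follow labelled as `#endif /* MBEDTLS_SSL_EARLY_DATA */`. The body of `mbedtls_test_ssl_endpoint_init` starts and ends outside this hunk.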
@@ -853,6 +858,23 @@ int mbedtls_test_ssl_endpoint_init(
}
#endif
+#if defined(MBEDTLS_DEBUG_C)
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_SERVER &&
+ options->srv_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->srv_log_fun,
+ options->srv_log_obj);
+ }
+#endif
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_CLIENT &&
+ options->cli_log_fun != NULL) {
+ mbedtls_ssl_conf_dbg(&(ep->conf), options->cli_log_fun,
+ options->cli_log_obj);
+ }
+#endif
+#endif /* MBEDTLS_DEBUG_C */
+
ret = mbedtls_test_ssl_endpoint_certificate_init(ep, options->pk_alg,
options->opaque_alg,
options->opaque_alg2,
@@ -1057,7 +1079,7 @@ static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_AES_C)
+ defined(MBEDTLS_SSL_HAVE_CBC) && defined(MBEDTLS_SSL_HAVE_AES)
int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
const unsigned char *iv,
size_t iv_len,
@@ -1105,8 +1127,125 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
iv, iv_len, input, ilen, output, olen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_CIPHER_MODE_CBC &&
- MBEDTLS_AES_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_HAVE_CBC &&
+ MBEDTLS_SSL_HAVE_AES */
+
+static void mbedtls_test_ssl_cipher_info_from_type(mbedtls_cipher_type_t cipher_type,
+ mbedtls_cipher_mode_t *cipher_mode,
+ size_t *key_bits, size_t *iv_len)
+{
+ switch (cipher_type) {
+ case MBEDTLS_CIPHER_AES_128_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 128;
+ *iv_len = 16;
+ break;
+ case MBEDTLS_CIPHER_AES_256_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 256;
+ *iv_len = 16;
+ break;
+ case MBEDTLS_CIPHER_ARIA_128_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 128;
+ *iv_len = 16;
+ break;
+ case MBEDTLS_CIPHER_ARIA_256_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 256;
+ *iv_len = 16;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 128;
+ *iv_len = 16;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
+ *cipher_mode = MBEDTLS_MODE_CBC;
+ *key_bits = 256;
+ *iv_len = 16;
+ break;
+
+ case MBEDTLS_CIPHER_AES_128_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 128;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_AES_192_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 192;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_AES_256_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 256;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 128;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 192;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
+ *cipher_mode = MBEDTLS_MODE_CCM;
+ *key_bits = 256;
+ *iv_len = 12;
+ break;
+
+ case MBEDTLS_CIPHER_AES_128_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 128;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_AES_192_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 192;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_AES_256_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 256;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 128;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 192;
+ *iv_len = 12;
+ break;
+ case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
+ *cipher_mode = MBEDTLS_MODE_GCM;
+ *key_bits = 256;
+ *iv_len = 12;
+ break;
+
+ case MBEDTLS_CIPHER_CHACHA20_POLY1305:
+ *cipher_mode = MBEDTLS_MODE_CHACHAPOLY;
+ *key_bits = 256;
+ *iv_len = 12;
+ break;
+
+ case MBEDTLS_CIPHER_NULL:
+ *cipher_mode = MBEDTLS_MODE_STREAM;
+ *key_bits = 0;
+ *iv_len = 0;
+ break;
+
+ default:
+ *cipher_mode = MBEDTLS_MODE_NONE;
+ *key_bits = 0;
+ *iv_len = 0;
+ }
+}
int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
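Review bot: `mbedtls_test_ssl_cipher_info_from_type` has no header comment, and its `default` branch quietly reports `MBEDTLS_MODE_NONE` with zero sizes for every cipher type that is not listed. A short comment would make that contract explicit, e.g. `/* Test-only lookup of mode, key size in bits and IV length for the cipher types used by the record tests; unlisted types give MBEDTLS_MODE_NONE, 0, 0. */`. The `default` case also ends without a `break;`, unlike every other case in the switch.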
@@ -1116,18 +1255,20 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
size_t cid0_len,
size_t cid1_len)
{
- mbedtls_cipher_info_t const *cipher_info;
+ mbedtls_cipher_mode_t cipher_mode = MBEDTLS_MODE_NONE;
+ size_t key_bits = 0;
int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
- size_t key_bits;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#else
+ mbedtls_cipher_info_t const *cipher_info;
#endif
- size_t keylen, maclen, ivlen;
+ size_t keylen, maclen, ivlen = 0;
unsigned char *key0 = NULL, *key1 = NULL;
unsigned char *md0 = NULL, *md1 = NULL;
unsigned char iv_enc[16], iv_dec[16];
@@ -1144,15 +1285,11 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
maclen = 0;
-
- /* Pick cipher */
- cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type);
- CHK(cipher_info != NULL);
- CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16);
- CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0);
+ mbedtls_test_ssl_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type,
+ &cipher_mode, &key_bits, &ivlen);
/* Pick keys */
- keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+ keylen = key_bits / 8;
/* Allocate `keylen + 1` bytes to ensure that we get
* a non-NULL pointers from `mbedtls_calloc` even if
* `keylen == 0` in the case of the NULL cipher. */
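Review bot: With `MBEDTLS_USE_PSA_CRYPTO` defined, nothing visible rejects an unsupported `cipher_type` any more. The removed `CHK(cipher_info != NULL)` comes back only under `!MBEDTLS_USE_PSA_CRYPTO` in the `@@ -1162` hunk, and the new helper returns `MBEDTLS_MODE_NONE` with `key_bits == 0` for unknown types. The function then continues with `keylen == 0`, exactly as if the NULL cipher had been requested. Adding `CHK(cipher_mode != MBEDTLS_MODE_NONE);` right after the helper call restores the early failure in both configurations. Later PSA calls outside this hunk may still reject the type, but that is not visible here.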
@@ -1162,6 +1299,12 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(key1, 0x2, keylen);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ /* Pick cipher */
+ cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type);
+ CHK(cipher_info != NULL);
+ CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16);
+ CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0);
+
/* Setup cipher contexts */
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_enc, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_dec, cipher_info) == 0);
@@ -1169,7 +1312,7 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_dec, cipher_info) == 0);
#if defined(MBEDTLS_CIPHER_MODE_CBC)
- if (cipher_info->mode == MBEDTLS_MODE_CBC) {
+ if (cipher_mode == MBEDTLS_MODE_CBC) {
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_enc,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_dec,
@@ -1197,12 +1340,12 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_DECRYPT)
== 0);
-#endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/* Setup MAC contexts */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (cipher_info->mode == MBEDTLS_MODE_CBC ||
- cipher_info->mode == MBEDTLS_MODE_STREAM) {
+ if (cipher_mode == MBEDTLS_MODE_CBC ||
+ cipher_mode == MBEDTLS_MODE_STREAM) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) hash_id);
CHK(md_info != NULL);
@@ -1240,7 +1383,7 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
md1, maclen,
&t_out->psa_mac_enc) == PSA_SUCCESS);
- if (cipher_info->mode == MBEDTLS_MODE_STREAM ||
+ if (cipher_mode == MBEDTLS_MODE_STREAM ||
etm == MBEDTLS_SSL_ETM_DISABLED) {
/* mbedtls_ct_hmac() requires the key to be exportable */
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
@@ -1279,7 +1422,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
/* Pick IV's (regardless of whether they
* are being used by the transform). */
- ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
memset(iv_enc, 0x3, sizeof(iv_enc));
memset(iv_dec, 0x4, sizeof(iv_dec));
@@ -1300,7 +1442,7 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
t_out->ivlen = ivlen;
t_in->ivlen = ivlen;
- switch (cipher_info->mode) {
+ switch (cipher_mode) {
case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM:
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -1525,14 +1667,23 @@ exit:
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
int ticket_len,
+ int endpoint_type,
const char *crt_file)
{
+ (void) ticket_len;
+
#if defined(MBEDTLS_HAVE_TIME)
session->start = mbedtls_time(NULL) - 42;
#endif
session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+
+ TEST_ASSERT(endpoint_type == MBEDTLS_SSL_IS_CLIENT ||
+ endpoint_type == MBEDTLS_SSL_IS_SERVER);
+
+ session->endpoint = endpoint_type;
session->ciphersuite = 0xabcd;
session->id_len = sizeof(session->id);
memset(session->id, 66, session->id_len);
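Review bot: A failed `TEST_ASSERT(endpoint_type == ...)` jumps to the `exit:` label that the last hunk of this function adds (`@@ -1619,8 +1776,10 @@`), and that label is followed by an unconditional `return 0;`, so the function reports success for an invalid `endpoint_type`. A caller that checks only the return value then goes on with a session whose `endpoint`, `ciphersuite` and `id` were never set. I would declare `int ret = -1;` at the top, set `ret = 0;` just before `exit:`, and end with `return ret;`. The function body continues outside this hunk.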
@@ -1598,7 +1749,8 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */
session->verify_result = 0xdeadbeef;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
if (ticket_len != 0) {
session->ticket = mbedtls_calloc(1, ticket_len);
if (session->ticket == NULL) {
@@ -1608,9 +1760,14 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
}
session->ticket_len = ticket_len;
session->ticket_lifetime = 86401;
-#else
- (void) ticket_len;
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_HAVE_TIME)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ session->ticket_creation_time = mbedtls_ms_time() - 42;
+ }
#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
session->mfl_code = 1;
@@ -1619,8 +1776,10 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
session->encrypt_then_mac = 1;
#endif
+exit:
return 0;
}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
@@ -1632,22 +1791,35 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER;
session->ciphersuite = 0xabcd;
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
session->ticket_age_add = 0x87654321;
session->ticket_flags = 0x7;
-
session->resumption_key_len = 32;
memset(session->resumption_key, 0x99, sizeof(session->resumption_key));
+#endif
-#if defined(MBEDTLS_HAVE_TIME)
+#if defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
- session->start = mbedtls_time(NULL) - 42;
- }
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample");
+ if (ret != 0) {
+ return -1;
+ }
#endif
+#if defined(MBEDTLS_HAVE_TIME)
+ session->ticket_creation_time = mbedtls_ms_time() - 42;
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_HAVE_TIME)
- session->ticket_received = mbedtls_time(NULL) - 40;
+ session->ticket_reception_time = mbedtls_ms_time() - 40;
#endif
session->ticket_lifetime = 0xfedcba98;
@@ -1659,9 +1831,26 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
}
memset(session->ticket, 33, ticket_len);
}
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ char hostname[] = "hostname example";
+ session->hostname = mbedtls_calloc(1, sizeof(hostname));
+ if (session->hostname == NULL) {
+ return -1;
+ }
+ memcpy(session->hostname, hostname, sizeof(hostname));
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
}
#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ session->max_early_data_size = 0x87654321;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ session->record_size_limit = 2048;
+#endif
+
return 0;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@@ -1859,13 +2048,19 @@ void mbedtls_test_ssl_perform_handshake(
mbedtls_test_message_socket_init(&server_context);
mbedtls_test_message_socket_init(&client_context);
+#if defined(MBEDTLS_DEBUG_C)
+ if (options->cli_log_fun || options->srv_log_fun) {
+ mbedtls_debug_set_threshold(4);
+ }
+#endif
+
/* Client side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client,
MBEDTLS_SSL_IS_CLIENT,
options, &client_context,
&client_queue,
- &server_queue, NULL) == 0);
+ &server_queue) == 0);
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb(&client.ssl, &timer_client,
mbedtls_timing_set_delay,
@@ -1875,28 +2070,20 @@ void mbedtls_test_ssl_perform_handshake(
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client,
MBEDTLS_SSL_IS_CLIENT,
options, NULL, NULL,
- NULL, NULL) == 0);
+ NULL) == 0);
}
if (strlen(options->cipher) > 0) {
set_ciphersuite(&client.conf, options->cipher, forced_ciphersuite);
}
-#if defined(MBEDTLS_DEBUG_C)
- if (options->cli_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&client.conf, options->cli_log_fun,
- options->cli_log_obj);
- }
-#endif
-
/* Server side */
if (options->dtls != 0) {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server,
MBEDTLS_SSL_IS_SERVER,
options, &server_context,
&server_queue,
- &client_queue, NULL) == 0);
+ &client_queue) == 0);
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb(&server.ssl, &timer_server,
mbedtls_timing_set_delay,
@@ -1905,7 +2092,7 @@ void mbedtls_test_ssl_perform_handshake(
} else {
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server,
MBEDTLS_SSL_IS_SERVER,
- options, NULL, NULL, NULL,
+ options, NULL, NULL,
NULL) == 0);
}
@@ -1954,14 +2141,6 @@ void mbedtls_test_ssl_perform_handshake(
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
-#if defined(MBEDTLS_DEBUG_C)
- if (options->srv_log_fun) {
- mbedtls_debug_set_threshold(4);
- mbedtls_ssl_conf_dbg(&server.conf, options->srv_log_fun,
- options->srv_log_obj);
- }
-#endif
-
TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket),
&(server.socket),
BUFFSIZE) == 0);
@@ -2301,4 +2480,96 @@ int mbedtls_test_tweak_tls13_certificate_msg_vector_len(
return 0;
}
#endif /* MBEDTLS_TEST_HOOKS */
+
+/*
+ * Functions for tests based on tickets. Implementations of the
+ * write/parse ticket interfaces as defined by mbedtls_ssl_ticket_write/parse_t.
+ * Basically same implementations as in ticket.c without the encryption. That
+ * way we can tweak easily tickets characteristics to simulate misbehaving
+ * peers.
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_test_ticket_write(
+ void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *lifetime)
+{
+ int ret;
+ ((void) p_ticket);
+
+ if ((ret = mbedtls_ssl_session_save(session, start, end - start,
+ tlen)) != 0) {
+ return ret;
+ }
+
+ /* Maximum ticket lifetime as defined in RFC 8446 */
+ *lifetime = 7 * 24 * 3600;
+
+ return 0;
+}
+
+int mbedtls_test_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len)
+{
+ ((void) p_ticket);
+
+ return mbedtls_ssl_session_load(session, buf, len);
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+int mbedtls_test_get_tls13_ticket(
+ mbedtls_test_handshake_test_options *client_options,
+ mbedtls_test_handshake_test_options *server_options,
+ mbedtls_ssl_session *session)
+{
+ int ret = -1;
+ unsigned char buf[64];
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 0);
+
+ do {
+ ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+ } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+ ret = mbedtls_ssl_get_session(&(client_ep.ssl), session);
+ TEST_EQUAL(ret, 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SRV_C &&
+ MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
#endif /* MBEDTLS_SSL_TLS_C */
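Review bot: The `do { ... } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);` loop in `mbedtls_test_get_tls13_ticket()` never terminates if `mbedtls_ssl_read()` keeps returning anything else, including a fatal error, so one misbehaving handshake hangs the test run instead of failing it. Separately, the `TEST_EQUAL(...)` checks that do not assign `ret` (the `mbedtls_test_move_handshake_to_state()` call and the `new_session_tickets_count` check) jump to `exit:` with `ret` still 0 from the socket connect, so the helper returns success without a ticket in `session`. The sketch below retries only while the transport asks for it and keeps `ret` meaningful on those two paths; a read that returns 0 would still need mapping to an error.

```c
    ret = mbedtls_test_move_handshake_to_state(
        &(server_ep.ssl), &(client_ep.ssl),
        MBEDTLS_SSL_HANDSHAKE_OVER);
    TEST_EQUAL(ret, 0);

    /* Report failure if the next check jumps to exit. */
    ret = -1;
    TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 0);

    /* Retry only on WANT_READ/WANT_WRITE; any other value ends the loop
     * and is checked right after it. */
    do {
        ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
    } while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
             ret == MBEDTLS_ERR_SSL_WANT_WRITE);
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);

    /* ... unchanged: mbedtls_ssl_get_session() and exit: cleanup ... */
```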
diff --git a/tests/src/test_memory.c b/tests/src/test_memory.c
new file mode 100644
index 0000000..ac9dde6
--- /dev/null
+++ b/tests/src/test_memory.c
@@ -0,0 +1,60 @@
+/**
+ * \file memory.c
+ *
+ * \brief Helper functions related to testing memory management.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <test/helpers.h>
+#include <test/macros.h>
+#include <test/memory.h>
+
+#if defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+#include <sanitizer/asan_interface.h>
+#include <stdint.h>
+#endif
+
+#if defined(MBEDTLS_TEST_MEMORY_CAN_POISON)
+
+_Thread_local unsigned int mbedtls_test_memory_poisoning_count = 0;
+
+static void align_for_asan(const unsigned char **p_ptr, size_t *p_size)
+{
+ uintptr_t start = (uintptr_t) *p_ptr;
+ uintptr_t end = start + (uintptr_t) *p_size;
+ /* ASan can only poison regions with 8-byte alignment, and only poisons a
+ * region if it's fully within the requested range. We want to poison the
+ * whole requested region and don't mind a few extra bytes. Therefore,
+ * align start down to an 8-byte boundary, and end up to an 8-byte
+ * boundary. */
+ start = start & ~(uintptr_t) 7;
+ end = (end + 7) & ~(uintptr_t) 7;
+ *p_ptr = (const unsigned char *) start;
+ *p_size = end - start;
+}
+
+void mbedtls_test_memory_poison(const unsigned char *ptr, size_t size)
+{
+ if (mbedtls_test_memory_poisoning_count == 0) {
+ return;
+ }
+ if (size == 0) {
+ return;
+ }
+ align_for_asan(&ptr, &size);
+ __asan_poison_memory_region(ptr, size);
+}
+
+void mbedtls_test_memory_unpoison(const unsigned char *ptr, size_t size)
+{
+ if (size == 0) {
+ return;
+ }
+ align_for_asan(&ptr, &size);
+ __asan_unpoison_memory_region(ptr, size);
+}
+#endif /* Memory poisoning */
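Review bot: `mbedtls_test_memory_unpoison()` widens its range with the same `align_for_asan()` that poisoning uses, so up to 7 bytes before and after the caller's buffer are marked addressable as well. The comment in `align_for_asan()` justifies the outward rounding only for poisoning ("don't mind a few extra bytes"); on the unpoison side those bytes may belong to a neighbouring object or an ASan redzone, in which case a small overrun next to the buffer would presumably go unreported afterwards. I would document that in the helper, for example `/* Also used by unpoison: the widened range can make up to 7 bytes around the buffer addressable. */`. Minor: the header says `\file memory.c` while the file is `tests/src/test_memory.c`.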
diff --git a/tests/src/threading_helpers.c b/tests/src/threading_helpers.c
index ae6e590..c1686c2 100644
--- a/tests/src/threading_helpers.c
+++ b/tests/src/threading_helpers.c
@@ -2,24 +2,78 @@
/*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <test/helpers.h>
+#include <test/threading_helpers.h>
#include <test/macros.h>
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_THREADING_C)
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+
+static int threading_thread_create_pthread(mbedtls_test_thread_t *thread, void *(*thread_func)(
+ void *), void *thread_data)
+{
+ if (thread == NULL || thread_func == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_create(&thread->thread, NULL, thread_func, thread_data)) {
+ return MBEDTLS_ERR_THREADING_THREAD_ERROR;
+ }
+
+ return 0;
+}
+
+static int threading_thread_join_pthread(mbedtls_test_thread_t *thread)
+{
+ if (thread == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_join(thread->thread, NULL) != 0) {
+ return MBEDTLS_ERR_THREADING_THREAD_ERROR;
+ }
+
+ return 0;
+}
+
+int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, void *(*thread_func)(void *),
+ void *thread_data) = threading_thread_create_pthread;
+int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread) = threading_thread_join_pthread;
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+
+static int threading_thread_create_fail(mbedtls_test_thread_t *thread,
+ void *(*thread_func)(void *),
+ void *thread_data)
+{
+ (void) thread;
+ (void) thread_func;
+ (void) thread_data;
+
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+}
+
+static int threading_thread_join_fail(mbedtls_test_thread_t *thread)
+{
+ (void) thread;
+
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+}
+
+int (*mbedtls_test_thread_create)(mbedtls_test_thread_t *thread, void *(*thread_func)(void *),
+ void *thread_data) = threading_thread_create_fail;
+int (*mbedtls_test_thread_join)(mbedtls_test_thread_t *thread) = threading_thread_join_fail;
+
+#endif /* MBEDTLS_THREADING_ALT */
+
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
#include "mbedtls/threading.h"
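Review bot: `threading_thread_create_fail()` and `threading_thread_join_fail()` return `MBEDTLS_ERR_THREADING_BAD_INPUT_DATA` unconditionally, and nothing says that this is a deliberate placeholder for MBEDTLS_THREADING_ALT builds; someone debugging a failed thread test will look for bad arguments that are not there. A one-line comment above the two stubs, such as `/* No thread support in the test helpers with MBEDTLS_THREADING_ALT: always fail. */`, would make the intent explicit (the intent is inferred from the `_fail` names). Also, `pthread_create(...)` is tested for truthiness while `pthread_join(...) != 0` is compared explicitly; using `!= 0` in both keeps the two wrappers parallel.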
@@ -70,15 +124,15 @@
* indicate the exact location of the problematic call. To locate the error,
* use a debugger and set a breakpoint on mbedtls_test_mutex_usage_error().
*/
-enum value_of_mutex_is_valid_field {
- /* Potential values for the is_valid field of mbedtls_threading_mutex_t.
+enum value_of_mutex_state_field {
+ /* Potential values for the state field of mbedtls_threading_mutex_t.
* Note that MUTEX_FREED must be 0 and MUTEX_IDLE must be 1 for
* compatibility with threading_mutex_init_pthread() and
* threading_mutex_free_pthread(). MUTEX_LOCKED could be any nonzero
* value. */
- MUTEX_FREED = 0, //!< Set by threading_mutex_free_pthread
- MUTEX_IDLE = 1, //!< Set by threading_mutex_init_pthread and by our unlock
- MUTEX_LOCKED = 2, //!< Set by our lock
+ MUTEX_FREED = 0, //! < Set by mbedtls_test_wrap_mutex_free
+ MUTEX_IDLE = 1, //! < Set by mbedtls_test_wrap_mutex_init and by mbedtls_test_wrap_mutex_unlock
+ MUTEX_LOCKED = 2, //! < Set by mbedtls_test_wrap_mutex_lock
};
typedef struct {
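Review bot: The trailing member comments changed from `//!<` to `//! <`, and Doxygen expects the marker to be contiguous to attach the text to the preceding enumerator; keep it as in `MUTEX_FREED = 0, //!< Set by mbedtls_test_wrap_mutex_free`. The block comment above still says MUTEX_FREED must be 0 and MUTEX_IDLE must be 1 "for compatibility with threading_mutex_init_pthread() and threading_mutex_free_pthread()", while the new member comments say the values are set by the test wrappers. If the library functions no longer write this field (not visible in this hunk), that sentence is stale and should be updated or dropped.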
@@ -89,10 +143,30 @@ typedef struct {
} mutex_functions_t;
static mutex_functions_t mutex_functions;
-/** The total number of calls to mbedtls_mutex_init(), minus the total number
- * of calls to mbedtls_mutex_free().
+/**
+ * The mutex used to guard live_mutexes below and access to the status variable
+ * in every mbedtls_threading_mutex_t.
+ * Note that we are not reporting any errors when locking and unlocking this
+ * mutex. This is for a couple of reasons:
+ *
+ * 1. We have no real way of reporting any errors with this mutex - we cannot
+ * report it back to the caller, as the failure was not that of the mutex
+ * passed in. We could fail the test, but again this would indicate a problem
+ * with the test code that did not exist.
+ *
+ * 2. Any failure to lock is unlikely to be intermittent, and will thus not
+ * give false test results - the overall result would be to turn off the
+ * testing. This is not a situation that is likely to happen with normal
+ * testing and we still have TSan to fall back on should this happen.
+ */
+mbedtls_threading_mutex_t mbedtls_test_mutex_mutex;
+
+/**
+ * The total number of calls to mbedtls_mutex_init(), minus the total number
+ * of calls to mbedtls_mutex_free().
*
- * Reset to 0 after each test case.
+ * Do not read or write without holding mbedtls_test_mutex_mutex (above). Reset
+ * to 0 after each test case.
*/
static int live_mutexes;
@@ -100,9 +174,8 @@ static void mbedtls_test_mutex_usage_error(mbedtls_threading_mutex_t *mutex,
const char *msg)
{
(void) mutex;
- if (mbedtls_test_info.mutex_usage_error == NULL) {
- mbedtls_test_info.mutex_usage_error = msg;
- }
+
+ mbedtls_test_set_mutex_usage_error(msg);
mbedtls_fprintf(stdout, "[mutex: %s] ", msg);
/* Don't mark the test as failed yet. This way, if the test fails later
* for a functional reason, the test framework will report the message
@@ -110,79 +183,122 @@ static void mbedtls_test_mutex_usage_error(mbedtls_threading_mutex_t *mutex,
* mbedtls_test_mutex_usage_check() will mark it as failed. */
}
+static int mbedtls_test_mutex_can_test(mbedtls_threading_mutex_t *mutex)
+{
+ /* If we attempt to run tests on this mutex then we are going to run into a
+ * couple of problems:
+ * 1. If any test on this mutex fails, we are going to deadlock when
+ * reporting that failure, as we already hold the mutex at that point.
+ * 2. Given the 'global' position of the initialization and free of this
+ * mutex, it will be shown as leaked on the first test run. */
+ if (mutex == mbedtls_test_get_info_mutex()) {
+ return 0;
+ }
+
+ return 1;
+}
+
static void mbedtls_test_wrap_mutex_init(mbedtls_threading_mutex_t *mutex)
{
mutex_functions.init(mutex);
- if (mutex->is_valid) {
- ++live_mutexes;
+
+ if (mbedtls_test_mutex_can_test(mutex)) {
+ if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) {
+ mutex->state = MUTEX_IDLE;
+ ++live_mutexes;
+
+ mutex_functions.unlock(&mbedtls_test_mutex_mutex);
+ }
}
}
static void mbedtls_test_wrap_mutex_free(mbedtls_threading_mutex_t *mutex)
{
- switch (mutex->is_valid) {
- case MUTEX_FREED:
- mbedtls_test_mutex_usage_error(mutex, "free without init or double free");
- break;
- case MUTEX_IDLE:
- /* Do nothing. The underlying free function will reset is_valid
- * to 0. */
- break;
- case MUTEX_LOCKED:
- mbedtls_test_mutex_usage_error(mutex, "free without unlock");
- break;
- default:
- mbedtls_test_mutex_usage_error(mutex, "corrupted state");
- break;
- }
- if (mutex->is_valid) {
- --live_mutexes;
+ if (mbedtls_test_mutex_can_test(mutex)) {
+ if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) {
+
+ switch (mutex->state) {
+ case MUTEX_FREED:
+ mbedtls_test_mutex_usage_error(mutex, "free without init or double free");
+ break;
+ case MUTEX_IDLE:
+ mutex->state = MUTEX_FREED;
+ --live_mutexes;
+ break;
+ case MUTEX_LOCKED:
+ mbedtls_test_mutex_usage_error(mutex, "free without unlock");
+ break;
+ default:
+ mbedtls_test_mutex_usage_error(mutex, "corrupted state");
+ break;
+ }
+
+ mutex_functions.unlock(&mbedtls_test_mutex_mutex);
+ }
}
+
mutex_functions.free(mutex);
}
static int mbedtls_test_wrap_mutex_lock(mbedtls_threading_mutex_t *mutex)
{
+ /* Lock the passed in mutex first, so that the only way to change the state
+ * is to hold the passed in and internal mutex - otherwise we create a race
+ * condition. */
int ret = mutex_functions.lock(mutex);
- switch (mutex->is_valid) {
- case MUTEX_FREED:
- mbedtls_test_mutex_usage_error(mutex, "lock without init");
- break;
- case MUTEX_IDLE:
- if (ret == 0) {
- mutex->is_valid = 2;
+
+ if (mbedtls_test_mutex_can_test(mutex)) {
+ if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) {
+ switch (mutex->state) {
+ case MUTEX_FREED:
+ mbedtls_test_mutex_usage_error(mutex, "lock without init");
+ break;
+ case MUTEX_IDLE:
+ if (ret == 0) {
+ mutex->state = MUTEX_LOCKED;
+ }
+ break;
+ case MUTEX_LOCKED:
+ mbedtls_test_mutex_usage_error(mutex, "double lock");
+ break;
+ default:
+ mbedtls_test_mutex_usage_error(mutex, "corrupted state");
+ break;
}
- break;
- case MUTEX_LOCKED:
- mbedtls_test_mutex_usage_error(mutex, "double lock");
- break;
- default:
- mbedtls_test_mutex_usage_error(mutex, "corrupted state");
- break;
+
+ mutex_functions.unlock(&mbedtls_test_mutex_mutex);
+ }
}
+
return ret;
}
static int mbedtls_test_wrap_mutex_unlock(mbedtls_threading_mutex_t *mutex)
{
- int ret = mutex_functions.unlock(mutex);
- switch (mutex->is_valid) {
- case MUTEX_FREED:
- mbedtls_test_mutex_usage_error(mutex, "unlock without init");
- break;
- case MUTEX_IDLE:
- mbedtls_test_mutex_usage_error(mutex, "unlock without lock");
- break;
- case MUTEX_LOCKED:
- if (ret == 0) {
- mutex->is_valid = MUTEX_IDLE;
+ /* Lock the internal mutex first and change state, so that the only way to
+ * change the state is to hold the passed in and internal mutex - otherwise
+ * we create a race condition. */
+ if (mbedtls_test_mutex_can_test(mutex)) {
+ if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) {
+ switch (mutex->state) {
+ case MUTEX_FREED:
+ mbedtls_test_mutex_usage_error(mutex, "unlock without init");
+ break;
+ case MUTEX_IDLE:
+ mbedtls_test_mutex_usage_error(mutex, "unlock without lock");
+ break;
+ case MUTEX_LOCKED:
+ mutex->state = MUTEX_IDLE;
+ break;
+ default:
+ mbedtls_test_mutex_usage_error(mutex, "corrupted state");
+ break;
}
- break;
- default:
- mbedtls_test_mutex_usage_error(mutex, "corrupted state");
- break;
+ mutex_functions.unlock(&mbedtls_test_mutex_mutex);
+ }
}
- return ret;
+
+ return mutex_functions.unlock(mutex);
}
void mbedtls_test_mutex_usage_init(void)
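Review bot: `mbedtls_test_wrap_mutex_unlock()` now sets `mutex->state = MUTEX_IDLE` before calling `mutex_functions.unlock(mutex)` and never looks at that call's result, whereas the old code changed the state only `if (ret == 0)`. If the underlying unlock fails, the tracker says IDLE while the mutex is still held, and every later check on that mutex starts from the wrong state. The ordering follows from the race comment at the top of the function, so I would keep it and state the cost there: `/* State is updated before the real unlock; a failed unlock leaves it out of sync. */`. Similarly, `mbedtls_test_wrap_mutex_init()` used to count a mutex only `if (mutex->is_valid)` and now marks it `MUTEX_IDLE` unconditionally, so a failed init is no longer distinguishable by these checks.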
@@ -195,28 +311,44 @@ void mbedtls_test_mutex_usage_init(void)
mbedtls_mutex_free = &mbedtls_test_wrap_mutex_free;
mbedtls_mutex_lock = &mbedtls_test_wrap_mutex_lock;
mbedtls_mutex_unlock = &mbedtls_test_wrap_mutex_unlock;
+
+ mutex_functions.init(&mbedtls_test_mutex_mutex);
}
void mbedtls_test_mutex_usage_check(void)
{
- if (live_mutexes != 0) {
- /* A positive number (more init than free) means that a mutex resource
- * is leaking (on platforms where a mutex consumes more than the
- * mbedtls_threading_mutex_t object itself). The rare case of a
- * negative number means a missing init somewhere. */
- mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes);
- live_mutexes = 0;
- if (mbedtls_test_info.mutex_usage_error == NULL) {
- mbedtls_test_info.mutex_usage_error = "missing free";
+ if (mutex_functions.lock(&mbedtls_test_mutex_mutex) == 0) {
+ if (live_mutexes != 0) {
+ /* A positive number (more init than free) means that a mutex resource
+ * is leaking (on platforms where a mutex consumes more than the
+ * mbedtls_threading_mutex_t object itself). The (hopefully) rare
+ * case of a negative number means a missing init somewhere. */
+ mbedtls_fprintf(stdout, "[mutex: %d leaked] ", live_mutexes);
+ live_mutexes = 0;
+ mbedtls_test_set_mutex_usage_error("missing free");
}
+ if (mbedtls_test_get_mutex_usage_error() != NULL &&
+ mbedtls_test_get_result() != MBEDTLS_TEST_RESULT_FAILED) {
+ /* Functionally, the test passed. But there was a mutex usage error,
+ * so mark the test as failed after all. */
+ mbedtls_test_fail("Mutex usage error", __LINE__, __FILE__);
+ }
+ mbedtls_test_set_mutex_usage_error(NULL);
+
+ mutex_functions.unlock(&mbedtls_test_mutex_mutex);
}
- if (mbedtls_test_info.mutex_usage_error != NULL &&
- mbedtls_test_info.result != MBEDTLS_TEST_RESULT_FAILED) {
- /* Functionally, the test passed. But there was a mutex usage error,
- * so mark the test as failed after all. */
- mbedtls_test_fail("Mutex usage error", __LINE__, __FILE__);
- }
- mbedtls_test_info.mutex_usage_error = NULL;
+}
+
+void mbedtls_test_mutex_usage_end(void)
+{
+ mbedtls_mutex_init = mutex_functions.init;
+ mbedtls_mutex_free = mutex_functions.free;
+ mbedtls_mutex_lock = mutex_functions.lock;
+ mbedtls_mutex_unlock = mutex_functions.unlock;
+
+ mutex_functions.free(&mbedtls_test_mutex_mutex);
}
#endif /* MBEDTLS_TEST_MUTEX_USAGE */
+
+#endif /* MBEDTLS_THREADING_C */
diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh
index 159be4c..c0c85fc 100755
--- a/tests/ssl-opt-in-docker.sh
+++ b/tests/ssl-opt-in-docker.sh
@@ -22,19 +22,7 @@
# - ssl-opt.sh for notes about invocation of that script.
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
source tests/scripts/docker_env.sh
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0dcff67..1cc1115 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -3,19 +3,7 @@
# ssl-opt.sh
#
# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# Purpose
#
@@ -41,6 +29,8 @@ if ! cd "$(dirname "$0")"; then
exit 125
fi
+DATA_FILES_PATH=../framework/data_files
+
# default values, can be overridden by the environment
: ${P_SRV:=../programs/ssl/ssl_server2}
: ${P_CLI:=../programs/ssl/ssl_client2}
@@ -72,20 +62,47 @@ guess_config_name() {
: ${MBEDTLS_TEST_OUTCOME_FILE=}
: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
+: ${EARLY_DATA_INPUT:="$DATA_FILES_PATH/tls13_early_data.txt"}
-O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+O_SRV="$OPENSSL s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
-G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
-G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
+G_SRV="$GNUTLS_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
+G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"
# alternative versions of OpenSSL and GnuTLS (no default path)
+# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well.
+if [ -z "${OPENSSL_NEXT:-}" ]; then
+ case $($OPENSSL version) in
+ OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;;
+ OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;;
+ esac
+fi
+
+# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well.
+if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then
+ case $($GNUTLS_CLI --version) in
+ gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ esac
+fi
+
+# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well.
+if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then
+ case $($GNUTLS_SERV --version) in
+ gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ esac
+fi
+
if [ -n "${OPENSSL_NEXT:-}" ]; then
- O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
- O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
+ O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
+ O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
- O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
+ O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt"
O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
else
O_NEXT_SRV=false
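Review bot: The `GNUTLS_NEXT_SERV` auto-detection matches the output of `$GNUTLS_SERV --version` against `gnutls-cli\ ...` patterns, apparently copied from the `GNUTLS_NEXT_CLI` block above; `gnutls-serv --version` identifies itself as `gnutls-serv`, so none of the three cases can match and `GNUTLS_NEXT_SERV` stays unset. The patterns should read `gnutls-serv\ 3.[1-9][0-9]*)`, `gnutls-serv\ 3.[7-9].*)` and `gnutls-serv\ [4-9]*)`. With the variable unset, `G_NEXT_SRV` falls back to `false` in the block further down, so tests that need the newer server are presumably skipped rather than failed, which makes the gap easy to miss.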
@@ -96,7 +113,7 @@ else
fi
if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
- G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+ G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
G_NEXT_SRV_NO_CERT="$GNUTLS_NEXT_SERV"
else
G_NEXT_SRV=false
@@ -104,7 +121,7 @@ else
fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
- G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
+ G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
G_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI"
else
G_NEXT_CLI=false
@@ -122,8 +139,11 @@ FILTER='.*'
EXCLUDE='^$'
SHOW_TEST_NUMBER=0
+LIST_TESTS=0
RUN_TEST_NUMBER=''
+RUN_TEST_SUITE=''
+MIN_TESTS=1
PRESERVE_LOGS=0
# Pick a "unique" server port in the range 10000-19999, and a proxy
@@ -141,11 +161,15 @@ print_usage() {
printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
printf " -s|--show-numbers\tShow test numbers in front of test names\n"
printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
+ printf " --list-test-cases\tList all potential test cases (No Execution)\n"
+ printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
printf " --seed \tInteger seed value to use for this test run\n"
+ printf " --test-suite\tOnly matching test suites are executed\n"
+ printf " \t(comma-separated, e.g. 'ssl-opt,tls13-compat')\n\n"
}
get_options() {
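Review bot: The usage text documents `--list-test-cases` without its short form, while the option parser in the next hunk accepts `-l|--list-test-cases`. The neighbouring entries are written as `-n|--number` and `-s|--show-numbers`. Suggest `printf " -l|--list-test-cases\tList all potential test cases (No Execution)\n"` so the help output matches what is parsed.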
@@ -166,9 +190,15 @@ get_options() {
-s|--show-numbers)
SHOW_TEST_NUMBER=1
;;
+ -l|--list-test-cases)
+ LIST_TESTS=1
+ ;;
-p|--preserve-logs)
PRESERVE_LOGS=1
;;
+ --min)
+ shift; MIN_TESTS=$1
+ ;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
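Review bot: `--min` stores `$1` in `MIN_TESTS` without checking that it is a number. Where `MIN_TESTS` is consumed is not visible here, but if it reaches a numeric `[ ... -lt ... ]` comparison, a typo would surface as a confusing `test` error far from the command line. A guard right after the assignment would reject it early: `case $MIN_TESTS in ''|*[!0-9]*) echo "--min requires a non-negative integer" >&2; exit 1;; esac`. `get_options` starts and ends outside this hunk.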
@@ -181,6 +211,9 @@ get_options() {
--seed)
shift; SEED="$1"
;;
+ --test-suite)
+ shift; RUN_TEST_SUITE="$1"
+ ;;
-h|--help)
print_usage
exit 0
@@ -195,11 +228,18 @@ get_options() {
done
}
+get_options "$@"
+
# Read boolean configuration options from mbedtls_config.h for easy and quick
# testing. Skip non-boolean options (with something other than spaces
# and a comment after "#define SYMBOL"). The variable contains a
# space-separated list of symbols.
-CONFIGS_ENABLED=" $(echo `$P_QUERY -l` )"
+if [ "$LIST_TESTS" -eq 0 ];then
+ CONFIGS_ENABLED=" $(echo `$P_QUERY -l` )"
+else
+ P_QUERY=":"
+ CONFIGS_ENABLED=""
+fi
# Skip next test; use this macro to skip tests which are legitimate
# in theory and expected to be re-introduced at some point, but
# aren't expected to succeed at the moment due to problems outside
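Review bot: The list-mode branch replaces `P_QUERY` with `:` without saying why, and the comment above the `if` still describes only the non-list branch. A short comment would help, e.g. `# Listing only: do not run the query program; ":" makes every config query succeed`. With this stub, `requires_all_configs_disabled` and `requires_any_configs_disabled` (next hunk) take their `SKIP_NEXT="YES"` path, which is harmless only if list mode never consults `SKIP_NEXT`. The `echo "1"` stub added to `get_config_value_or_default` further down deserves the same kind of comment, since the text above it still says an undefined option yields an empty string.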
@@ -233,28 +273,28 @@ requires_config_disabled() {
}
requires_all_configs_enabled() {
- if ! $P_QUERY -all $*
+ if ! $P_QUERY -all $* 2>&1 > /dev/null
then
SKIP_NEXT="YES"
fi
}
requires_all_configs_disabled() {
- if $P_QUERY -any $*
+ if $P_QUERY -any $* 2>&1 > /dev/null
then
SKIP_NEXT="YES"
fi
}
requires_any_configs_enabled() {
- if ! $P_QUERY -any $*
+ if ! $P_QUERY -any $* 2>&1 > /dev/null
then
SKIP_NEXT="YES"
fi
}
requires_any_configs_disabled() {
- if $P_QUERY -all $*
+ if $P_QUERY -all $* 2>&1 > /dev/null
then
SKIP_NEXT="YES"
fi
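Review bot: `2>&1 > /dev/null` discards only stdout, because redirections are applied left to right: stderr is first pointed at the original stdout and so stays visible. If the intent is to silence the query program entirely, the order should be reversed, `if ! $P_QUERY -all $* > /dev/null 2>&1`. If stderr is meant to stay visible, plain `> /dev/null` says so more clearly. This applies to all four `requires_*_configs_*` functions in this hunk; the last one's closing brace is outside the hunk.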
@@ -295,7 +335,12 @@ get_config_value_or_default() {
#
# Note that if the configuration is not defined or is defined to nothing,
# the output of this function will be an empty string.
- ${P_SRV} "query_config=${1}"
+ if [ "$LIST_TESTS" -eq 0 ];then
+ ${P_SRV} "query_config=${1}"
+ else
+ echo "1"
+ fi
+
}
requires_config_value_at_least() {
@@ -346,9 +391,18 @@ requires_protocol_version() {
# Space-separated list of ciphersuites supported by this build of
# Mbed TLS.
-P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
- grep 'TLS-\|TLS1-3' |
- tr -s ' \n' ' ')"
+P_CIPHERSUITES=""
+if [ "$LIST_TESTS" -eq 0 ]; then
+ P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null |
+ grep 'TLS-\|TLS1-3' |
+ tr -s ' \n' ' ')"
+
+ if [ -z "${P_CIPHERSUITES# }" ]; then
+ echo >&2 "$0: fatal error: no cipher suites found!"
+ exit 125
+ fi
+fi
+
requires_ciphersuite_enabled() {
case $P_CIPHERSUITES in
*" $1 "*) :;;
@@ -356,6 +410,34 @@ requires_ciphersuite_enabled() {
esac
}
+requires_cipher_enabled() {
+ KEY_TYPE=$1
+ MODE=${2:-}
+ if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
+ case "$KEY_TYPE" in
+ CHACHA20)
+ requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
+ requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20
+ ;;
+ *)
+ requires_config_enabled PSA_WANT_ALG_${MODE}
+ requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE}
+ ;;
+ esac
+ else
+ case "$KEY_TYPE" in
+ CHACHA20)
+ requires_config_enabled MBEDTLS_CHACHA20_C
+ requires_config_enabled MBEDTLS_CHACHAPOLY_C
+ ;;
+ *)
+ requires_config_enabled MBEDTLS_${MODE}_C
+ requires_config_enabled MBEDTLS_${KEY_TYPE}_C
+ ;;
+ esac
+ fi
+}
+
# Automatically detect required features based on command line parameters.
# Parameters are:
# - $1 = command line (call to a TLS client or server program)
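Review bot: `requires_cipher_enabled` has no header comment, and `MODE` silently defaults to empty. For any key type other than CHACHA20, a call without `$2` ends up requiring `PSA_WANT_ALG_` or `MBEDTLS__C`, which are presumably not real options, so the test would be skipped without any hint. A comment such as `# $1 = key type (AES, CHACHA20, ...), $2 = mode (GCM, CCM, ...); $2 is mandatory unless $1 is CHACHA20`, plus a guard on an empty `$MODE`, would make misuse visible. In the non-PSA branch the name is built as `MBEDTLS_${MODE}_C`, which would not match a mode such as CBC, whose option appears elsewhere in this diff as `MBEDTLS_CIPHER_MODE_CBC`. `KEY_TYPE` and `MODE` also remain set as globals after the call.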
@@ -394,9 +476,9 @@ detect_required_features() {
esac
case "$CMD_LINE" in
- *server5*|\
- *server7*|\
- *dir-maxpath*)
+ */server5*|\
+ */server7*|\
+ */dir-maxpath*)
if [ "$TLS_VERSION" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA"
@@ -428,9 +510,15 @@ detect_required_features() {
esac
case "$CMD_LINE" in
- *server2*|\
- *server7*)
- # server2 and server7 certificates use RSA encryption
+ */server1*|\
+ */server2*|\
+ */server7*)
+ # Certificates with an RSA key. The algorithm requirement is
+ # some subset of {PKCS#1v1.5 encryption, PKCS#1v1.5 signature,
+ # PSS signature}. We can't easily tell which subset works, and
+ # we aren't currently running ssl-opt.sh in configurations
+ # where partial RSA support is a problem, so generically, we
+ # just require RSA and it works out for our tests so far.
requires_config_enabled "MBEDTLS_RSA_C"
esac
@@ -445,9 +533,10 @@ requires_certificate_authentication () {
adapt_cmd_for_psk () {
case "$2" in
- *openssl*) s='-psk abc123 -nocert';;
- *gnutls-*) s='--pskkey=abc123';;
- *) s='psk=abc123';;
+ *openssl*s_server*) s='-psk 73776f726466697368 -nocert';;
+ *openssl*) s='-psk 73776f726466697368';;
+ *gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';;
+ *) s='psk=73776f726466697368';;
esac
eval $1='"$2 $s"'
unset s
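Review bot: The new PSK value `73776f726466697368` is repeated in four branches here, and again in the RSA-PSK test further down, with nothing saying what it is. It is the hex encoding of the ASCII string "swordfish"; a comment such as `# Test-only PSK: hex encoding of "swordfish"` would help, and holding the value in one variable would keep the branches and the tests in step. The order of the first two patterns matters, since `*openssl*` would also match an `s_server` command line, so that is worth a word in the same comment.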
@@ -806,19 +895,20 @@ requires_not_i686() {
fi
}
-# Calculate the input & output maximum content lengths set in the config
MAX_CONTENT_LEN=16384
MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" )
MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" )
+if [ "$LIST_TESTS" -eq 0 ];then
+ # Calculate the input & output maximum content lengths set in the config
-# Calculate the maximum content length that fits both
-if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
- MAX_CONTENT_LEN="$MAX_IN_LEN"
-fi
-if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
- MAX_CONTENT_LEN="$MAX_OUT_LEN"
+ # Calculate the maximum content length that fits both
+ if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+ MAX_CONTENT_LEN="$MAX_IN_LEN"
+ fi
+ if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+ MAX_CONTENT_LEN="$MAX_OUT_LEN"
+ fi
fi
-
# skip the next test if the SSL output buffer is less than 16KB
requires_full_size_output_buffer() {
if [ "$MAX_OUT_LEN" -ne 16384 ]; then
@@ -860,6 +950,7 @@ print_name() {
fi
LINE="$LINE$1"
+
printf "%s " "$LINE"
LEN=$(( 72 - `echo "$LINE" | wc -c` ))
for i in `seq 1 $LEN`; do printf '.'; done
@@ -1505,7 +1596,7 @@ do_run_test_once() {
# $1 and $2 contain the server and client command lines, respectively.
#
# Note: this function only provides some guess about TLS version by simply
-# looking at the server/client command lines. Even thought this works
+# looking at the server/client command lines. Even though this works
# for the sake of tests' filtering (especially in conjunction with the
# detect_required_features() function), it does NOT guarantee that the
# result is accurate. It does not check other conditions, such as:
@@ -1577,6 +1668,18 @@ run_test() {
return
fi
+ if [ "$LIST_TESTS" -gt 0 ]; then
+ printf "%s\n" "${TEST_SUITE_NAME:-ssl-opt};$NAME"
+ return
+ fi
+
+ # Use ssl-opt as default test suite name. Also see record_outcome function
+ if is_excluded_test_suite "${TEST_SUITE_NAME:-ssl-opt}"; then
+ # Do not skip next test and skip current test.
+ SKIP_NEXT="NO"
+ return
+ fi
+
print_name "$NAME"
# Do we only run numbered tests?
@@ -1603,7 +1706,7 @@ run_test() {
# Check if test uses files
case "$SRV_CMD $CLI_CMD" in
- *data_files/*)
+ *$DATA_FILES_PATH/*)
requires_config_enabled MBEDTLS_FS_IO;;
esac
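Review bot: `$DATA_FILES_PATH` is unquoted inside the `case` pattern, so any `*`, `?` or `[` in the directory name is treated as a glob character rather than matched literally. Quoting the expansion keeps the match literal: `*"$DATA_FILES_PATH"/*)`. A test that still spells the path as `data_files/` would also stop triggering the `MBEDTLS_FS_IO` requirement whenever the variable holds something else. `run_test` starts and ends outside this hunk.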
@@ -1613,7 +1716,7 @@ run_test() {
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
fi
- # Check if we are trying to use an external tool wich does not support ECDH
+ # Check if we are trying to use an external tool which does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
# Guess the TLS version which is going to be used
@@ -1722,7 +1825,7 @@ run_test_memory_after_hanshake_with_mfl()
run_test "Handshake memory usage (MFL $1)" \
"$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
"$P_CLI debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
0 \
-F "handshake_memory_check $MEMORY_USAGE_LIMIT"
@@ -1741,7 +1844,7 @@ run_tests_memory_after_hanshake()
run_test "Handshake memory usage initial (MFL 16384 - default)" \
"$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
"$P_CLI debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
0 \
-F "handshake_memory_get MEMORY_USAGE_MFL_16K"
@@ -1774,8 +1877,6 @@ cleanup() {
# MAIN
#
-get_options "$@"
-
# Make the outcome file path relative to the original directory, not
# to .../tests
case "$MBEDTLS_TEST_OUTCOME_FILE" in
@@ -1826,109 +1927,127 @@ else
}
fi
-# sanity checks, avoid an avalanche of errors
-P_SRV_BIN="${P_SRV%%[ ]*}"
-P_CLI_BIN="${P_CLI%%[ ]*}"
-P_PXY_BIN="${P_PXY%%[ ]*}"
-if [ ! -x "$P_SRV_BIN" ]; then
- echo "Command '$P_SRV_BIN' is not an executable file"
- exit 1
-fi
-if [ ! -x "$P_CLI_BIN" ]; then
- echo "Command '$P_CLI_BIN' is not an executable file"
- exit 1
-fi
-if [ ! -x "$P_PXY_BIN" ]; then
- echo "Command '$P_PXY_BIN' is not an executable file"
- exit 1
-fi
-if [ "$MEMCHECK" -gt 0 ]; then
- if which valgrind >/dev/null 2>&1; then :; else
- echo "Memcheck not possible. Valgrind not found"
+# Filter tests according to TEST_SUITE_NAME
+is_excluded_test_suite () {
+ if [ -n "$RUN_TEST_SUITE" ]
+ then
+ case ",$RUN_TEST_SUITE," in
+ *",$1,"*) false;;
+ *) true;;
+ esac
+ else
+ false
+ fi
+
+}
+
+
+if [ "$LIST_TESTS" -eq 0 ];then
+
+ # sanity checks, avoid an avalanche of errors
+ P_SRV_BIN="${P_SRV%%[ ]*}"
+ P_CLI_BIN="${P_CLI%%[ ]*}"
+ P_PXY_BIN="${P_PXY%%[ ]*}"
+ if [ ! -x "$P_SRV_BIN" ]; then
+ echo "Command '$P_SRV_BIN' is not an executable file"
+ exit 1
+ fi
+ if [ ! -x "$P_CLI_BIN" ]; then
+ echo "Command '$P_CLI_BIN' is not an executable file"
+ exit 1
+ fi
+ if [ ! -x "$P_PXY_BIN" ]; then
+ echo "Command '$P_PXY_BIN' is not an executable file"
+ exit 1
+ fi
+ if [ "$MEMCHECK" -gt 0 ]; then
+ if which valgrind >/dev/null 2>&1; then :; else
+ echo "Memcheck not possible. Valgrind not found"
+ exit 1
+ fi
+ fi
+ if which $OPENSSL >/dev/null 2>&1; then :; else
+ echo "Command '$OPENSSL' not found"
exit 1
fi
-fi
-if which $OPENSSL >/dev/null 2>&1; then :; else
- echo "Command '$OPENSSL' not found"
- exit 1
-fi
-# used by watchdog
-MAIN_PID="$$"
+ # used by watchdog
+ MAIN_PID="$$"
-# We use somewhat arbitrary delays for tests:
-# - how long do we wait for the server to start (when lsof not available)?
-# - how long do we allow for the client to finish?
-# (not to check performance, just to avoid waiting indefinitely)
-# Things are slower with valgrind, so give extra time here.
-#
-# Note: without lsof, there is a trade-off between the running time of this
-# script and the risk of spurious errors because we didn't wait long enough.
-# The watchdog delay on the other hand doesn't affect normal running time of
-# the script, only the case where a client or server gets stuck.
-if [ "$MEMCHECK" -gt 0 ]; then
- START_DELAY=6
- DOG_DELAY=60
-else
- START_DELAY=2
- DOG_DELAY=20
-fi
+ # We use somewhat arbitrary delays for tests:
+ # - how long do we wait for the server to start (when lsof not available)?
+ # - how long do we allow for the client to finish?
+ # (not to check performance, just to avoid waiting indefinitely)
+ # Things are slower with valgrind, so give extra time here.
+ #
+ # Note: without lsof, there is a trade-off between the running time of this
+ # script and the risk of spurious errors because we didn't wait long enough.
+ # The watchdog delay on the other hand doesn't affect normal running time of
+ # the script, only the case where a client or server gets stuck.
+ if [ "$MEMCHECK" -gt 0 ]; then
+ START_DELAY=6
+ DOG_DELAY=60
+ else
+ START_DELAY=2
+ DOG_DELAY=20
+ fi
-# some particular tests need more time:
-# - for the client, we multiply the usual watchdog limit by a factor
-# - for the server, we sleep for a number of seconds after the client exits
-# see client_need_more_time() and server_needs_more_time()
-CLI_DELAY_FACTOR=1
-SRV_DELAY_SECONDS=0
-
-# fix commands to use this port, force IPv4 while at it
-# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
-# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
-# machines that will resolve to ::1, and we don't want ipv6 here.
-P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
-P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
-P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
-O_SRV="$O_SRV -accept $SRV_PORT"
-O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
-G_SRV="$G_SRV -p $SRV_PORT"
-G_CLI="$G_CLI -p +SRV_PORT"
-
-# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
-# low-security ones. This covers not just cipher suites but also protocol
-# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
-# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
-# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
-# a way to discover it from -help, so check the openssl version.
-case $($OPENSSL version) in
- "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
- *)
- O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
- O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
- ;;
-esac
+ # some particular tests need more time:
+ # - for the client, we multiply the usual watchdog limit by a factor
+ # - for the server, we sleep for a number of seconds after the client exits
+ # see client_need_more_time() and server_needs_more_time()
+ CLI_DELAY_FACTOR=1
+ SRV_DELAY_SECONDS=0
-if [ -n "${OPENSSL_NEXT:-}" ]; then
- O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
- O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
- O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT"
- O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
- O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
-fi
+ # fix commands to use this port, force IPv4 while at it
+ # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
+ # Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
+ # machines that will resolve to ::1, and we don't want ipv6 here.
+ P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
+ P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
+ P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
+ O_SRV="$O_SRV -accept $SRV_PORT"
+ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
+ G_SRV="$G_SRV -p $SRV_PORT"
+ G_CLI="$G_CLI -p +SRV_PORT"
+
+ # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
+ # low-security ones. This covers not just cipher suites but also protocol
+ # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
+ # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
+ # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
+ # a way to discover it from -help, so check the openssl version.
+ case $($OPENSSL version) in
+ "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
+ *)
+ O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
+ O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
+ ;;
+ esac
-if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
- G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
- G_NEXT_SRV_NO_CERT="$G_NEXT_SRV_NO_CERT -p $SRV_PORT"
-fi
+ if [ -n "${OPENSSL_NEXT:-}" ]; then
+ O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
+ O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
+ O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT"
+ O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
+ O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
+ fi
-if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
- G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
- G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
-fi
+ if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
+ G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
+ G_NEXT_SRV_NO_CERT="$G_NEXT_SRV_NO_CERT -p $SRV_PORT"
+ fi
+
+ if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
+ G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
+ G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
+ fi
-# Allow SHA-1, because many of our test certificates use it
-P_SRV="$P_SRV allow_sha1=1"
-P_CLI="$P_CLI allow_sha1=1"
+ # Allow SHA-1, because many of our test certificates use it
+ P_SRV="$P_SRV allow_sha1=1"
+ P_CLI="$P_CLI allow_sha1=1"
+fi
# Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
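Review bot: `is_excluded_test_suite` is documented only as "Filter tests according to TEST_SUITE_NAME", but what it tests is `$1` against the comma-separated `RUN_TEST_SUITE`, and it succeeds when the suite is NOT in that list. A header such as `# is_excluded_test_suite SUITE: succeed if --test-suite was given and SUITE is not in its comma-separated list` would spell out that contract. Names are matched exactly, so a misspelt `--test-suite` value silently excludes every test; whether `MIN_TESTS` catches that is not visible here. The stray blank line before the closing brace can go.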
@@ -1968,64 +2087,6 @@ run_test "Default, DTLS" \
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
-# GnuTLS can be setup to send a ClientHello containing a supported versions
-# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
-# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and
-# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS
-# client then detects the downgrade indication and aborts the handshake even
-# if TLS 1.2 was its preferred version. Keeping the test even if the
-# handshake fails eventually as it exercices parts of the Mbed TLS
-# implementation that are otherwise not exercised.
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Server selecting TLS 1.2 over TLS 1.3" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
- 1 \
- -c "Detected downgrade to TLS 1.2 from TLS 1.3"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Server selecting TLS 1.2" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
- 0 \
- -s "Protocol is TLSv1.2" \
- -c "HTTP/1.0 200 OK"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \
- 0 \
- -s "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 OK"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \
- 0 \
- -s "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 OK"
-
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "TLS client auth: required" \
"$P_SRV auth_mode=required" \
@@ -2048,26 +2109,41 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
-c "Key size is 128"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_MD_CAN_MD5
+# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
+# module does not support PSA dispatching so we need builtin support.
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_AES_C
requires_hash_alg SHA_256
run_test "TLS: password protected client key" \
"$P_SRV force_version=tls12 auth_mode=required" \
- "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \
0
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
+requires_config_enabled MBEDTLS_MD_CAN_MD5
+# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
+# module does not support PSA dispatching so we need builtin support.
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_AES_C
requires_hash_alg SHA_256
run_test "TLS: password protected server key" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \
"$P_CLI force_version=tls12" \
0
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_MD_CAN_MD5
+# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
+# module does not support PSA dispatching so we need builtin support.
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_AES_C
requires_hash_alg SHA_256
run_test "TLS: password protected server key, two certificates" \
"$P_SRV force_version=tls12\
- key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key.enc key_pwd2=PolarSSLTest crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key.enc key_pwd2=PolarSSLTest crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI" \
0
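Review bot: The comment added before the three password-protected-key tests explains the `MBEDTLS_CIPHER_MODE_CBC` and `MBEDTLS_AES_C` requirements but not the new `MBEDTLS_MD_CAN_MD5` one, and it sits after that line. The third test also loads `server2.key.enc`, which the comment does not mention. Suggest moving the comment above all three requirements and extending it, e.g. `# The encrypted PEM keys need built-in AES-CBC and MD5 (presumably for the PEM key derivation; confirm)`. As the same five-line block now appears three times, a small `requires_*` helper would keep the copies in step.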
@@ -2085,8 +2161,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "CA callback on server" \
"$P_SRV force_version=tls12 auth_mode=required" \
- "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
0 \
-c "use CA callback for X.509 CRT verification" \
-s "Verifying peer X.509 certificate... ok" \
@@ -2099,10 +2175,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: ECDHE-ECDSA" \
- "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server5.crt \
- key_file=data_files/server5.key" \
- "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
+ "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-ECDSA" \
@@ -2118,10 +2194,10 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: ECDHE-RSA" \
- "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
- "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key" \
+ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-RSA" \
@@ -2135,10 +2211,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: DHE-RSA" \
- "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key" \
- "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+ "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key" \
+ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
@@ -2154,8 +2230,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDHE-ECDSA" \
- "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
"$P_CLI force_version=tls12" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2170,8 +2246,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDH-" \
"$P_SRV auth_mode=required key_opaque=1\
- crt_file=data_files/server5.ku-ka.crt\
- key_file=data_files/server5.key key_opaque_algs=ecdh,none" \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \
"$P_CLI force_version=tls12" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2186,8 +2262,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \
- "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
@@ -2203,8 +2279,8 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \
- "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=ecdh,none \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
@@ -2218,8 +2294,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \
- "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
@@ -2234,8 +2310,8 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \
- "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=ecdh,none \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
@@ -2247,10 +2323,9 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
-requires_config_enabled MBEDTLS_CCM_C
run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
- "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdh,none \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
1 \
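Review bot: This test still forces `TLS-ECDHE-ECDSA-WITH-AES-256-CCM`, but the explicit `requires_config_enabled MBEDTLS_CCM_C` is dropped with no replacement in the hunk. Unless `run_test` derives the requirement from `force_ciphersuite` (not visible here), a build without CCM would no longer skip this test. If that detection does not exist, the helper this commit adds expresses the requirement for both PSA and legacy builds: `requires_cipher_enabled "AES" "CCM"`. The same removal is made in the "EC + RSA, force ECDHE-ECDSA" hunk further down.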
@@ -2265,9 +2340,9 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \
- "$P_SRV force_version=tls12 key_opaque=1 crt_file=data_files/server7.crt \
- key_file=data_files/server7.key key_opaque_algs=ecdh,none \
- crt_file2=data_files/server5.crt key_file2=data_files/server5.key \
+ "$P_SRV force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \
+ key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdh,none \
+ crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \
key_opaque_algs2=ecdsa-sign,none" \
"$P_CLI force_version=tls12" \
0 \
@@ -2284,9 +2359,9 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \
- "$P_SRV key_opaque=1 crt_file=data_files/server7.crt \
- key_file=data_files/server7.key key_opaque_algs=ecdsa-sign,none \
- crt_file2=data_files/server5.crt key_file2=data_files/server5.key \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \
+ key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \
key_opaque_algs2=ecdh,none debug_level=3" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \
0 \
@@ -2301,13 +2376,12 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
-requires_config_enabled MBEDTLS_CCM_C
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" \
- "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \
- crt_file2=data_files/server2-sha256.crt \
- key_file2=data_files/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file2=$DATA_FILES_PATH/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2382,8 +2456,8 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDHE-RSA" \
- "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI force_version=tls12" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2398,8 +2472,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: DHE-RSA" \
- "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2415,9 +2489,9 @@ requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: RSA-PSK" \
"$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \
- psk=abc123 psk_identity=foo" \
+ psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- psk=abc123 psk_identity=foo" \
+ psk=73776f726466697368 psk_identity=foo" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-RSA-PSK-" \
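Review bot: The new PSK value `73776f726466697368` is an unexplained hex literal written out separately on the server and the client line of "Opaque key for server authentication: RSA-PSK", so the two copies can drift apart and a reader cannot tell what the bytes are. A comment above the test, for example `# psk= takes hex; 73776f726466697368 is ASCII "swordfish"`, would document it. Keeping the value in one shell variable used on both lines would remove the duplication. The run_test call continues past the end of the hunk.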
@@ -2446,10 +2520,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
- "$P_CLI crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
@@ -2463,10 +2537,10 @@ requires_hash_alg SHA_256
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
run_test "Opaque keys for server authentication: RSA keys with different algs" \
- "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none \
- crt_file2=data_files/server4.crt \
- key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none \
+ crt_file2=$DATA_FILES_PATH/server4.crt \
+ key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
"$P_CLI force_version=tls12" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2481,13 +2555,12 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_384
-requires_config_enabled MBEDTLS_GCM_C
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \
- crt_file2=data_files/server4.crt \
- key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \
+ crt_file2=$DATA_FILES_PATH/server4.crt \
+ key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@@ -2504,10 +2577,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
- "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
- "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
+ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
+ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@@ -2525,10 +2598,10 @@ requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
run_test "Opaque key for client/server authentication: ECDHE-RSA" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
- "$P_CLI force_version=tls12 key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_CLI force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@@ -2544,10 +2617,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
run_test "Opaque key for client/server authentication: DHE-RSA" \
- "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
- "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
+ "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
+ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "key type: Opaque" \
@@ -2572,32 +2645,32 @@ run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
-requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_R1_521
run_test_psa_force_curve "secp521r1"
-requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_512
run_test_psa_force_curve "brainpoolP512r1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_R1_384
run_test_psa_force_curve "secp384r1"
-requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_384
run_test_psa_force_curve "brainpoolP384r1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_R1_256
run_test_psa_force_curve "secp256r1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_K1_256
run_test_psa_force_curve "secp256k1"
-requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
run_test_psa_force_curve "brainpoolP256r1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_R1_224
run_test_psa_force_curve "secp224r1"
## SECP224K1 is buggy via the PSA API
## (https://github.com/Mbed-TLS/mbedtls/issues/3541),
## so it is disabled in PSA even when it's enabled in Mbed TLS.
## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
-#requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#requires_config_enabled PSA_WANT_ECC_SECP_K1_224
#run_test_psa_force_curve "secp224k1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_R1_192
run_test_psa_force_curve "secp192r1"
-requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED
+requires_config_enabled PSA_WANT_ECC_SECP_K1_192
run_test_psa_force_curve "secp192k1"
# Test current time in ServerHello
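Review bot: The comment kept above the disabled secp224k1 case still says "dependencies on PSA symbols in ssl-opt.sh are not implemented yet", yet every guard in this hunk now passes a `PSA_WANT_ECC_*` symbol to `requires_config_enabled`, including the commented-out line directly below it. The last two comment lines should be reworded, for example `## The dependency is PSA_WANT_ECC_SECP_K1_224; kept commented out until the issue above is resolved.` It is also worth confirming that `requires_config_enabled` really resolves `PSA_WANT_*` names. If an unknown symbol is treated as disabled, these curve tests would be skipped silently rather than fail.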
@@ -2639,8 +2712,8 @@ requires_any_configs_enabled "MBEDTLS_ECP_DP_SECP256R1_ENABLED \
requires_hash_alg SHA_256
run_test "Single supported algorithm sending: openssl client" \
"$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
- "$O_CLI -cert data_files/server6.crt \
- -key data_files/server6.key" \
+ "$O_CLI -cert $DATA_FILES_PATH/server6.crt \
+ -key $DATA_FILES_PATH/server6.key" \
0
# Tests for certificate verification callback
@@ -2665,36 +2738,44 @@ run_test "Context-specific CRT verification callback" \
-C "error"
# Tests for SHA-1 support
+requires_hash_alg SHA_1
run_test "SHA-1 forbidden by default in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \
"$P_CLI debug_level=2 force_version=tls12 allow_sha1=0" \
1 \
-c "The certificate is signed with an unacceptable hash"
+requires_hash_alg SHA_1
run_test "SHA-1 explicitly allowed in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_version=tls12 allow_sha1=1" \
0
run_test "SHA-256 allowed by default in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2-sha256.crt" \
"$P_CLI force_version=tls12 allow_sha1=0" \
0
+requires_hash_alg SHA_1
+requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
+ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \
1 \
-s "The certificate is signed with an unacceptable hash"
+requires_hash_alg SHA_1
+requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 explicitly allowed in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
+ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \
0
+requires_config_enabled MBEDTLS_RSA_C
+requires_hash_alg SHA_256
run_test "SHA-256 allowed by default in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
+ "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha256.crt" \
0
# Tests for datagram packing
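Review bot: The new guards are applied unevenly across the six SHA-1/SHA-256 certificate tests. The three client-certificate cases get `requires_config_enabled MBEDTLS_RSA_C`, but the three server-certificate cases load `server2.key`, which other tests on this page treat as an RSA key, and get no RSA guard. "SHA-256 allowed by default in server certificate" also gets no `requires_hash_alg SHA_256`, unlike its client counterpart. Unless these requirements are derived elsewhere, the server cases should carry `requires_config_enabled MBEDTLS_RSA_C` too, and the SHA-256 server case `requires_hash_alg SHA_256`, so that reduced builds skip them instead of failing.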
@@ -3698,6 +3779,7 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \
# Tests for Session Tickets
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: basic" \
"$P_SRV debug_level=3 tickets=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3712,6 +3794,7 @@ run_test "Session resume using tickets: basic" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: manual rotation" \
"$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3726,6 +3809,7 @@ run_test "Session resume using tickets: manual rotation" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: cache disabled" \
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3740,6 +3824,7 @@ run_test "Session resume using tickets: cache disabled" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: timeout" \
"$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_delay=2000" \
@@ -3754,6 +3839,7 @@ run_test "Session resume using tickets: timeout" \
-S "a session has been resumed" \
-C "a session has been resumed"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: session copy" \
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
@@ -3769,6 +3855,7 @@ run_test "Session resume using tickets: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: openssl server" \
"$O_SRV -tls1_2" \
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
@@ -3779,8 +3866,9 @@ run_test "Session resume using tickets: openssl server" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: openssl client" \
- "$P_SRV debug_level=3 tickets=1" \
+ "$P_SRV force_version=tls12 debug_level=3 tickets=1" \
"( $O_CLI -sess_out $SESSION; \
$O_CLI -sess_in $SESSION; \
rm -f $SESSION )" \
@@ -3791,6 +3879,8 @@ run_test "Session resume using tickets: openssl client" \
-s "session successfully restored from ticket" \
-s "a session has been resumed"
+requires_cipher_enabled "AES" "GCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-128-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3805,6 +3895,8 @@ run_test "Session resume using tickets: AES-128-GCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "AES" "GCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-192-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3819,6 +3911,8 @@ run_test "Session resume using tickets: AES-192-GCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "AES" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3833,6 +3927,8 @@ run_test "Session resume using tickets: AES-128-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "AES" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3847,6 +3943,8 @@ run_test "Session resume using tickets: AES-192-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "AES" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3861,6 +3959,8 @@ run_test "Session resume using tickets: AES-256-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "CAMELLIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3875,6 +3975,8 @@ run_test "Session resume using tickets: CAMELLIA-128-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "CAMELLIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3889,6 +3991,8 @@ run_test "Session resume using tickets: CAMELLIA-192-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "CAMELLIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3903,6 +4007,8 @@ run_test "Session resume using tickets: CAMELLIA-256-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "GCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-128-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3917,6 +4023,8 @@ run_test "Session resume using tickets: ARIA-128-GCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "GCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-192-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3931,6 +4039,8 @@ run_test "Session resume using tickets: ARIA-192-GCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "GCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-256-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3945,6 +4055,8 @@ run_test "Session resume using tickets: ARIA-256-GCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3959,6 +4071,8 @@ run_test "Session resume using tickets: ARIA-128-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3973,6 +4087,8 @@ run_test "Session resume using tickets: ARIA-192-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "ARIA" "CCM"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -3987,6 +4103,8 @@ run_test "Session resume using tickets: ARIA-256-CCM" \
-s "a session has been resumed" \
-c "a session has been resumed"
+requires_cipher_enabled "CHACHA20"
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CHACHA20-POLY1305" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -4004,6 +4122,7 @@ run_test "Session resume using tickets: CHACHA20-POLY1305" \
# Tests for Session Tickets with DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: basic" \
"$P_SRV debug_level=3 dtls=1 tickets=1" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
@@ -4019,6 +4138,7 @@ run_test "Session resume using tickets, DTLS: basic" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: cache disabled" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
@@ -4034,6 +4154,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: timeout" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2000" \
@@ -4049,6 +4170,7 @@ run_test "Session resume using tickets, DTLS: timeout" \
-C "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: session copy" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \
@@ -4064,6 +4186,7 @@ run_test "Session resume using tickets, DTLS: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: openssl server" \
"$O_SRV -dtls" \
"$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
@@ -4077,6 +4200,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \
# probability with OpenSSL 1.0.2g on the CI, see #5012.
requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=1" \
"( $O_NEXT_CLI -dtls -sess_out $SESSION; \
@@ -4092,6 +4216,7 @@ run_test "Session resume using tickets, DTLS: openssl client" \
# Tests for Session Resume based on session-ID and cache
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: tickets enabled on client" \
"$P_SRV debug_level=3 tickets=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@@ -4107,6 +4232,7 @@ run_test "Session resume using cache: tickets enabled on client" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: tickets enabled on server" \
"$P_SRV debug_level=3 tickets=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
@@ -4198,6 +4324,7 @@ run_test "Session resume using cache: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: openssl client" \
"$P_SRV force_version=tls12 debug_level=3 tickets=0" \
"( $O_CLI -sess_out $SESSION; \
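Review bot: "Session resume using cache: openssl client" runs the server with `tickets=0`, so it exercises cache-based resumption only, yet it now requires `MBEDTLS_SSL_SESSION_TICKETS` and will be skipped in builds without tickets. The same applies to "Session resume using cache, DTLS: openssl client" in a later hunk. If the guard exists only because the test program rejects the `tickets=` option when tickets are compiled out, a comment such as `# tickets=0 is only parsed when session tickets are built in` would record that. Otherwise the guard could be dropped so that cache resumption stays covered in ticket-less configurations. The run_test call continues past the end of the hunk.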
@@ -4247,6 +4374,7 @@ run_test "Session resume and connection ID" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: tickets enabled on client" \
"$P_SRV dtls=1 debug_level=3 tickets=0" \
"$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
@@ -4263,6 +4391,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: tickets enabled on server" \
"$P_SRV dtls=1 debug_level=3 tickets=1" \
"$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
@@ -4348,6 +4477,7 @@ run_test "Session resume using cache, DTLS: session copy" \
requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=0" \
"( $O_NEXT_CLI -dtls -sess_out $SESSION; \
@@ -4375,7 +4505,7 @@ run_test "Session resume using cache, DTLS: openssl server" \
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: enabled, default" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3" \
0 \
-c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4390,7 +4520,7 @@ run_test "Max fragment length: enabled, default" \
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: enabled, default, larger message" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
-c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
@@ -4428,7 +4558,7 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length: disabled, larger message" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 force_version=tls12" \
"$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
-C "Maximum incoming record payload length is 16384" \
@@ -4442,7 +4572,7 @@ run_test "Max fragment length: disabled, larger message" \
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Max fragment length, DTLS: disabled, larger message" \
- "$P_SRV debug_level=3 dtls=1" \
+ "$P_SRV debug_level=3 dtls=1 force_version=tls12" \
"$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
1 \
-C "Maximum incoming record payload length is 16384" \
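Review bot: In "Max fragment length, DTLS: disabled, larger message" the server gains `force_version=tls12` next to `dtls=1`, which reads like a TLS-only setting on a datagram test. The other DTLS tests visible in this diff pass `dtls=1` without forcing a version. If the test program offers a DTLS-specific value, `force_version=dtls12` would state the intent. Otherwise a short comment such as `# force_version=tls12 pins protocol 1.2; dtls=1 selects the transport` would remove the ambiguity. The run_test call continues past the end of the hunk.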
@@ -4730,38 +4860,373 @@ run_test "Max fragment length: DTLS client, larger message" \
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Server-side parsing, debug output and fatal alert" \
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
"$P_SRV debug_level=3 force_version=tls13" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
- 1 \
- -c "Preparing extension (Record Size Limit/28) for 'client hello'" \
- -c "Sending extension Record Size Limit/28 (2 bytes)" \
- -s "ClientHello: record_size_limit(28) extension received."\
- -s "found record_size_limit extension" \
+ 0 \
-s "RecordSizeLimit: 16385 Bytes" \
- -c "Received alert \[110]: An unsupported extension was sent"
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 16383" \
+ -s "bytes written in 1 fragments"
requires_gnutls_tls1_3
requires_gnutls_record_size_limit
-requires_gnutls_next_disable_tls13_compat
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
-run_test "Record Size Limit: TLS 1.3: Client-side parsing, debug output and fatal alert" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert -d 4" \
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert -d 4" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
- -s "Preparing extension (Record Size Limit/28) for 'encrypted extensions'"
-# The P_CLI can not yet send the Record Size Limit extension. Thus, the G_NEXT_SRV does not send
-# a response in its EncryptedExtensions record.
-# -s "Parsing extension 'Record Size Limit/28 (2 bytes)" \
-# -s "Sending extension Record Size Limit/28 (2 bytes)" \
-# -c "EncryptedExtensions: record_size_limit(28) extension received."\
-# -c "found record_size_limit extension" \
-# -c "RecordSizeLimit: 16385 Bytes" \
-# -s "Received alert \[110]: An unsupported extension was sent"
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "EncryptedExtensions: record_size_limit(28) extension received." \
+ -c "RecordSizeLimit: 16385 Bytes" \
+
+# In the following tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
+# maximum record size using gnutls_record_set_max_size()
+# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size).
+# There is currently a lower limit of 512, caused by gnutls_record_set_max_size()
+# not respecting the "%ALLOW_SMALL_RECORDS" priority string and not using the
+# more recent function gnutls_record_set_max_recv_size()
+# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size).
+# There is currently an upper limit of 4096, caused by the cli arg parser:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
+# Thus, these tests are currently limited to the value range 512-4096.
+# Also, the value sent in the extension will be one larger than the value
+# set at the command line:
+# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
+
+# Currently test certificates being used do not fit in 513 record size limit
+# so for 513 record size limit tests we use preshared key to avoid sending
+# the certificate.
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=256" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=768" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
+ psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
+ response_size=1280" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
+ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
+ 0 \
+ -s "RecordSizeLimit: 513 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 511" \
+ -s "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
+ 0 \
+ -s "RecordSizeLimit: 1024 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 1023" \
+ -s "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
+ "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
+ 0 \
+ -s "RecordSizeLimit: 4096 Bytes" \
+ -s "ClientHello: record_size_limit(28) extension exists." \
+ -s "Sent RecordSizeLimit: 16384 Bytes" \
+ -s "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -s "Maximum outgoing record payload length is 4095" \
+ -s "10240 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=256" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "256 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=768" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "768 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=1280" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 513 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 511" \
+ -c "1280 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=512" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "512 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=1536" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "1536 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=2560" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 1024 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 1023" \
+ -c "2560 bytes written in 3 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 1 fragment" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=2048" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "2048 bytes written in 1 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 2 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=6144" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "6144 bytes written in 2 fragments"
+
+requires_gnutls_tls1_3
+requires_gnutls_record_size_limit
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 3 fragments" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
+ "$P_CLI debug_level=4 force_version=tls13 request_size=10240" \
+ 0 \
+ -c "Sent RecordSizeLimit: 16384 Bytes" \
+ -c "ClientHello: record_size_limit(28) extension exists." \
+ -c "RecordSizeLimit: 4096 Bytes" \
+ -c "EncryptedExtensions: record_size_limit(28) extension exists." \
+ -c "Maximum outgoing record payload length is 4095" \
+ -c "10240 bytes written in 3 fragments"
+
+# TODO: For time being, we send fixed value of RecordSizeLimit defined by
+# MBEDTLS_SSL_IN_CONTENT_LEN. Once we support variable buffer length of
+# RecordSizeLimit, we need to modify value of RecordSizeLimit in below test.
+requires_config_value_equals "MBEDTLS_SSL_IN_CONTENT_LEN" 16384
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Record Size Limit: TLS 1.3 m->m: both peer comply with record size limit (default)" \
+ "$P_SRV debug_level=4 force_version=tls13" \
+ "$P_CLI debug_level=4" \
+ 0 \
+ -c "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -c "RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
+ -s "Maximum outgoing record payload length is 16383" \
+ -s "Maximum incoming record payload length is 16384"
+
+# End of Record size limit tests
# Tests for renegotiation
+# G_NEXT_SRV is used in renegotiation tests becuase of the increased
+# extensions limit since we exceed the limit in G_SRV when we send
+# TLS 1.3 extensions in the initial handshake.
+
# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
run_test "Renegotiation: none, for reference" \
"$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
@@ -5092,7 +5557,7 @@ requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server strict, client-initiated" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
0 \
-c "client hello, adding renegotiation extension" \
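Review bot: The server command is now `$G_NEXT_SRV`, but the guard shown in the hunk header is still `requires_gnutls`. Both definitions are outside this diff chunk; if `requires_gnutls` only checks the legacy GnuTLS binaries, a host without the newer build would run this test and fail instead of skipping it. If so, use `requires_gnutls_next` here. The same applies to the other `$G_SRV` to `$G_NEXT_SRV` replacements in the hunks that follow, through "Renego ext: gnutls server unsafe, client break legacy".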
@@ -5106,7 +5571,7 @@ requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1 \
-c "client hello, adding renegotiation extension" \
@@ -5120,7 +5585,7 @@ requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=0" \
1 \
@@ -5135,7 +5600,7 @@ requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=1" \
0 \
@@ -5196,7 +5661,7 @@ requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
- "$G_SRV -u --mtu 4096" \
+ "$G_NEXT_SRV -u --mtu 4096" \
"$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
0 \
-c "client hello, adding renegotiation extension" \
@@ -5209,9 +5674,10 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
# Test for the "secure renegotiation" extension only (no actual renegotiation)
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server strict, client default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-c "found renegotiation extension" \
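Review bot: The added `requires_config_enabled MBEDTLS_SSL_RENEGOTIATION` makes "Renego ext: gnutls server strict, client default" skip in builds without renegotiation, although the section comment says these cases test the secure renegotiation extension only, with no actual renegotiation. If the extension is still negotiated in such builds (not visible in this chunk), a regression in how legacy or unsafe peers are handled would go untested in exactly that configuration. Either drop the guard or add a one-line comment above it giving the reason the extension checks depend on `MBEDTLS_SSL_RENEGOTIATION`. The same line is added in the following "Renego ext" hunks, including the three gnutls client cases.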
@@ -5219,9 +5685,10 @@ run_test "Renego ext: gnutls server strict, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client default" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-C "found renegotiation extension" \
@@ -5229,9 +5696,10 @@ run_test "Renego ext: gnutls server unsafe, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client break legacy" \
- "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 allow_legacy=-1" \
1 \
-C "found renegotiation extension" \
@@ -5239,28 +5707,31 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \
-C "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION localhost" \
0 \
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-s "server hello, secure renegotiation extension"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
1 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
@@ -5270,8 +5741,8 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: no trailing bytes" \
- "$P_SRV crt_file=data_files/server5-der0.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der0.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
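Review bot: `$DATA_FILES_PATH` is expanded inside the command string with no quoting of its own (`crt_file=$DATA_FILES_PATH/server5-der0.crt`), so a path containing whitespace would split the `crt_file=` and `key_file=` arguments if `run_test` word-splits or evals the string. How the command is run and how the variable is set are outside this chunk. If the path can be absolute, document next to its definition that it must not contain whitespace or shell metacharacters, or define it relative to the test directory. The same substitution is repeated in the remaining "DER format" and "Authentication" hunks below.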
@@ -5279,8 +5750,8 @@ run_test "DER format: no trailing bytes" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with a trailing zero byte" \
- "$P_SRV crt_file=data_files/server5-der1a.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1a.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5288,8 +5759,8 @@ run_test "DER format: with a trailing zero byte" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with a trailing random byte" \
- "$P_SRV crt_file=data_files/server5-der1b.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1b.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5297,8 +5768,8 @@ run_test "DER format: with a trailing random byte" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with 2 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der2.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der2.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5306,8 +5777,8 @@ run_test "DER format: with 2 trailing random bytes" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with 4 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der4.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der4.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5315,8 +5786,8 @@ run_test "DER format: with 4 trailing random bytes" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with 8 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der8.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der8.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5324,8 +5795,8 @@ run_test "DER format: with 8 trailing random bytes" \
requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DER format: with 9 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der9.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-der9.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@@ -5335,8 +5806,8 @@ run_test "DER format: with 9 trailing random bytes" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server badcert, client required" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI debug_level=1 auth_mode=required" \
1 \
-c "x509_verify_cert() returned" \
@@ -5345,8 +5816,8 @@ run_test "Authentication: server badcert, client required" \
-c "X509 - Certificate verification failed"
run_test "Authentication: server badcert, client optional" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 debug_level=1 auth_mode=optional" \
0 \
-c "x509_verify_cert() returned" \
@@ -5385,8 +5856,8 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \
# different means to have the server ignoring the client's supported curve list.
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
+ "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \
1 \
-c "bad certificate (EC key curve)"\
@@ -5394,8 +5865,8 @@ run_test "Authentication: server ECDH p256v1, client required, p256v1 unsuppo
-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
+ "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \
1 \
-c "bad certificate (EC key curve)"\
@@ -5403,8 +5874,8 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
run_test "Authentication: server badcert, client none" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 debug_level=1 auth_mode=none" \
0 \
-C "x509_verify_cert() returned" \
@@ -5415,8 +5886,8 @@ run_test "Authentication: server badcert, client none" \
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client SHA256, server required" \
"$P_SRV auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-c "Supported Signature Algorithm found: 04 " \
@@ -5425,8 +5896,8 @@ run_test "Authentication: client SHA256, server required" \
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client SHA384, server required" \
"$P_SRV auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
0 \
-c "Supported Signature Algorithm found: 04 " \
@@ -5436,7 +5907,7 @@ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client has no cert, server required (TLS)" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=none \
- key_file=data_files/server5.key" \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5451,8 +5922,8 @@ run_test "Authentication: client has no cert, server required (TLS)" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5471,9 +5942,9 @@ run_test "Authentication: client badcert, server required" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client cert self-signed and trusted, server required" \
- "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/server5-selfsigned.crt" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV debug_level=3 auth_mode=required ca_file=$DATA_FILES_PATH/server5-selfsigned.crt" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5488,8 +5959,8 @@ run_test "Authentication: client cert self-signed and trusted, server require
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5505,8 +5976,8 @@ run_test "Authentication: client cert not trusted, server required" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5523,8 +5994,8 @@ run_test "Authentication: client badcert, server optional" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client badcert, server none" \
"$P_SRV debug_level=3 auth_mode=none" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
0 \
-s "skip write certificate request" \
-C "skip parse certificate request" \
@@ -5602,27 +6073,27 @@ MAX_IM_CA='8'
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: server max_int chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
- "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
+ "$P_CLI server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
0 \
-C "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
+ "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
1 \
-c "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client optional" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
+ "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=optional" \
1 \
-c "X509 - A fatal error occurred"
@@ -5630,9 +6101,9 @@ run_test "Authentication: server max_int+1 chain, client optional" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client none" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
+ "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=none" \
0 \
-C "X509 - A fatal error occurred"
@@ -5640,36 +6111,36 @@ run_test "Authentication: server max_int+1 chain, client none" \
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server default" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
+ "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
0 \
-S "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server optional" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
+ "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
-s "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server required" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
+ "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
-s "X509 - A fatal error occurred"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
run_test "Authentication: client max_int chain, server required" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
+ "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
0 \
-S "X509 - A fatal error occurred"
@@ -5678,23 +6149,23 @@ run_test "Authentication: client max_int chain, server required" \
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send CA list in CertificateRequest (default)" \
"$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI force_version=tls12 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
+ "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key" \
0 \
-s "requested DN"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: do not send CA list in CertificateRequest" \
"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
- "$P_CLI force_version=tls12 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
+ "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key" \
0 \
-S "requested DN"
run_test "Authentication: send CA list in CertificateRequest, client self signed" \
"$P_SRV force_version=tls12 debug_level=3 auth_mode=required cert_req_ca_list=0" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-S "requested DN" \
-s "x509_verify_cert() returned" \
@@ -5706,33 +6177,33 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send alt conf DN hints in CertificateRequest" \
"$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
- crt_file2=data_files/server1.crt \
- key_file2=data_files/server1.key" \
+ crt_file2=$DATA_FILES_PATH/server1.crt \
+ key_file2=$DATA_FILES_PATH/server1.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
- crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key" \
0 \
-c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send alt conf DN hints in CertificateRequest (2)" \
"$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
- crt_file2=data_files/server2.crt \
- key_file2=data_files/server2.key" \
+ crt_file2=$DATA_FILES_PATH/server2.crt \
+ key_file2=$DATA_FILES_PATH/server2.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
- crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key" \
0 \
-c "DN hint: C=NL, O=PolarSSL, CN=localhost"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send alt hs DN hints in CertificateRequest" \
"$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=3 \
- crt_file2=data_files/server1.crt \
- key_file2=data_files/server1.key" \
+ crt_file2=$DATA_FILES_PATH/server1.crt \
+ key_file2=$DATA_FILES_PATH/server1.key" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
- crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key" \
0 \
-c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
@@ -5741,8 +6212,8 @@ run_test "Authentication: send alt hs DN hints in CertificateRequest" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server badcert, client required" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -5753,8 +6224,8 @@ run_test "Authentication, CA callback: server badcert, client required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server badcert, client optional" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
0 \
-c "use CA callback for X.509 CRT verification" \
@@ -5772,8 +6243,8 @@ run_test "Authentication, CA callback: server badcert, client optional" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
+ "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -5783,8 +6254,8 @@ run_test "Authentication, CA callback: server ECDH p256v1, client required, p
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
+ "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -5796,8 +6267,8 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client SHA256, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-s "use CA callback for X.509 CRT verification" \
@@ -5808,8 +6279,8 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client SHA384, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
+ key_file=$DATA_FILES_PATH/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
0 \
-s "use CA callback for X.509 CRT verification" \
@@ -5819,8 +6290,8 @@ run_test "Authentication, CA callback: client SHA384, server required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server required" \
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-s "use CA callback for X.509 CRT verification" \
-S "skip write certificate request" \
@@ -5842,8 +6313,8 @@ run_test "Authentication, CA callback: client badcert, server required" \
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client cert not trusted, server required" \
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
1 \
-s "use CA callback for X.509 CRT verification" \
-S "skip write certificate request" \
@@ -5861,8 +6332,8 @@ run_test "Authentication, CA callback: client cert not trusted, server requir
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server optional" \
"$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
0 \
-s "use CA callback for X.509 CRT verification" \
-S "skip write certificate request" \
@@ -5881,9 +6352,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
+ "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
0 \
-c "use CA callback for X.509 CRT verification" \
-C "X509 - A fatal error occurred"
@@ -5892,9 +6363,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
+ "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "X509 - A fatal error occurred"
@@ -5903,9 +6374,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
+ "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
+ "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
debug_level=3 auth_mode=optional" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -5915,9 +6386,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
+ "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
-s "use CA callback for X.509 CRT verification" \
-s "X509 - A fatal error occurred"
@@ -5926,9 +6397,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
+ "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
-s "use CA callback for X.509 CRT verification" \
-s "X509 - A fatal error occurred"
@@ -5937,9 +6408,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
+ "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
+ key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
0 \
-s "use CA callback for X.509 CRT verification" \
-S "X509 - A fatal error occurred"
@@ -5948,10 +6419,10 @@ run_test "Authentication, CA callback: client max_int chain, server required"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
- "$P_SRV force_version=tls12 crt_file=data_files/server5.crt \
- key_file=data_files/server5.key \
- crt_file2=data_files/server5-sha1.crt \
- key_file2=data_files/server5.key" \
+ "$P_SRV force_version=tls12 crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key \
+ crt_file2=$DATA_FILES_PATH/server5-sha1.crt \
+ key_file2=$DATA_FILES_PATH/server5.key" \
"$P_CLI" \
0 \
-c "signed using.*ECDSA with SHA256" \
@@ -5963,7 +6434,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI server_name=localhost" \
0 \
-c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
@@ -5973,8 +6444,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=localhost" \
0 \
-s "parse ServerName extension" \
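Review bot: The added `sni=` line in "SNI: matching cert 1" expands `$DATA_FILES_PATH` inside a comma-separated list, so a data directory path containing a comma would shift the certificate, key, CA and CRL fields. A path containing whitespace would presumably also split the server command line, though how run_test handles the string is not visible here. The same applies to the other `sni=` hunks below ("SNI: matching cert 2", "SNI: no matching cert", the client auth and CA override tests, and the DTLS variants). Where the variable is set, which is outside this hunk, I would add a guard such as `case "$DATA_FILES_PATH" in *" "*|*,*) echo "DATA_FILES_PATH must not contain spaces or commas" >&2; exit 1;; esac`. This run_test invocation continues past the hunk's last line.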
@@ -5985,8 +6456,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example" \
0 \
-s "parse ServerName extension" \
@@ -5997,8 +6468,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=nonesuch.example" \
1 \
-s "parse ServerName extension" \
@@ -6010,8 +6481,8 @@ run_test "SNI: no matching cert" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-S "skip write certificate request" \
@@ -6024,8 +6495,8 @@ run_test "SNI: client auth no override: optional" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-S "skip write certificate request" \
@@ -6038,8 +6509,8 @@ run_test "SNI: client auth override: none -> optional" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \
"$P_CLI debug_level=3 server_name=localhost" \
0 \
-s "skip write certificate request" \
@@ -6050,11 +6521,11 @@ run_test "SNI: client auth override: optional -> none" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \
"$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6069,11 +6540,11 @@ run_test "SNI: CA no override" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \
"$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6088,11 +6559,11 @@ run_test "SNI: CA override" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \
"$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6110,7 +6581,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, no SNI callback" \
"$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI server_name=localhost dtls=1" \
0 \
-c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
@@ -6120,8 +6591,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, matching cert 1" \
"$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=localhost dtls=1" \
0 \
-s "parse ServerName extension" \
@@ -6132,8 +6603,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, matching cert 2" \
"$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example dtls=1" \
0 \
-s "parse ServerName extension" \
@@ -6143,8 +6614,8 @@ run_test "SNI: DTLS, matching cert 2" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, no matching cert" \
"$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=nonesuch.example dtls=1" \
1 \
-s "parse ServerName extension" \
@@ -6156,8 +6627,8 @@ run_test "SNI: DTLS, no matching cert" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, client auth no override: optional" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \
"$P_CLI debug_level=3 server_name=localhost dtls=1" \
0 \
-S "skip write certificate request" \
@@ -6170,8 +6641,8 @@ run_test "SNI: DTLS, client auth no override: optional" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \
"$P_CLI debug_level=3 server_name=localhost dtls=1" \
0 \
-S "skip write certificate request" \
@@ -6184,8 +6655,8 @@ run_test "SNI: DTLS, client auth override: none -> optional" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \
"$P_CLI debug_level=3 server_name=localhost dtls=1" \
0 \
-s "skip write certificate request" \
@@ -6198,11 +6669,11 @@ run_test "SNI: DTLS, client auth override: optional -> none" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, CA no override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \
"$P_CLI debug_level=3 server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6217,11 +6688,11 @@ run_test "SNI: DTLS, CA no override" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, CA override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \
"$P_CLI debug_level=3 server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
0 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6236,11 +6707,11 @@ run_test "SNI: DTLS, CA override" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: DTLS, CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key dtls=1 \
+ ca_file=$DATA_FILES_PATH/test-ca.crt \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \
"$P_CLI debug_level=3 server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
1 \
-S "skip write certificate request" \
-C "skip parse certificate request" \
@@ -6273,6 +6744,7 @@ run_test "Non-blocking I/O: client auth" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: ticket" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI nbio=2 tickets=1" \
@@ -6282,6 +6754,7 @@ run_test "Non-blocking I/O: ticket" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: ticket + client auth" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI nbio=2 tickets=1" \
@@ -6291,6 +6764,7 @@ run_test "Non-blocking I/O: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
@@ -6302,6 +6776,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI nbio=2 tickets=1 reconnect=1" \
@@ -6311,6 +6786,7 @@ run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
@@ -6322,6 +6798,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.3 + ticket + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI nbio=2 tickets=1 reconnect=1" \
@@ -6360,6 +6837,7 @@ run_test "Event-driven I/O: client auth" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: ticket" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI event=1 tickets=1" \
@@ -6369,6 +6847,7 @@ run_test "Event-driven I/O: ticket" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: ticket + client auth" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI event=1 tickets=1" \
@@ -6378,6 +6857,7 @@ run_test "Event-driven I/O: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
@@ -6389,6 +6869,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI event=1 tickets=1 reconnect=1" \
@@ -6398,6 +6879,7 @@ run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
@@ -6409,6 +6891,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.3 + ticket + resume" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI event=1 tickets=1 reconnect=1" \
@@ -6441,6 +6924,7 @@ run_test "Event-driven I/O, DTLS: client auth" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
"$P_CLI dtls=1 event=1 tickets=1" \
@@ -6448,6 +6932,7 @@ run_test "Event-driven I/O, DTLS: ticket" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + client auth" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
"$P_CLI dtls=1 event=1 tickets=1" \
@@ -6455,6 +6940,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
"$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
@@ -6462,6 +6948,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + resume" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
"$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
@@ -6488,39 +6975,470 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
0 \
-c "Read from server: .* bytes read"
-# Tests for version negotiation
+# Tests for version negotiation. Some information to ease the understanding
+# of the version negotiation test titles below:
+# . 1.2/1.3 means that only TLS 1.2/TLS 1.3 is enabled.
+# . 1.2+1.3 means that both TLS 1.2 and TLS 1.3 are enabled.
+# . 1.2+(1.3)/(1.2)+1.3 means that TLS 1.2/1.3 is enabled and that
+# TLS 1.3/1.2 may be enabled or not.
+# . max=1.2 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
+# TLS 1.3 is disabled at runtime (maximum negotiable version is TLS 1.2).
+# . min=1.3 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
+# TLS 1.2 is disabled at runtime (minimum negotiable version is TLS 1.3).
+
+# Tests for version negotiation, MbedTLS client and server
-run_test "Version check: all -> 1.2" \
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Version nego m->m: cli 1.2, srv 1.2 -> 1.2" \
"$P_SRV" \
- "$P_CLI force_version=tls12" \
+ "$P_CLI" \
0 \
-S "mbedtls_ssl_handshake returned" \
-C "mbedtls_ssl_handshake returned" \
-s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: cli TLS 1.0" \
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Version nego m->m: cli max=1.2, srv max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$P_CLI max_version=tls12" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2" \
+ -c "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Version nego m->m: cli 1.3, srv 1.3 -> 1.3" \
+ "$P_SRV" \
+ "$P_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Version nego m->m: cli min=1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$P_CLI min_version=tls13" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Version nego m->m: cli 1.2+1.3, srv 1.2+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$P_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Version nego m->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$P_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Version nego m->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$P_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2" \
+ -c "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Version nego m->m: cli max=1.2, srv 1.2+1.3 -> 1.2" \
+ "$P_SRV" \
+ "$P_CLI max_version=tls12" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2" \
+ -c "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Version nego m->m: cli min=1.3, srv 1.2+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$P_CLI min_version=tls13" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -C "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3" \
+ -c "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version m->m: cli max=1.2, srv min=1.3" \
+ "$P_SRV min_version=tls13" \
+ "$P_CLI max_version=tls12" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.2" \
+ -C "Protocol is TLSv1.2" \
+ -S "Protocol is TLSv1.3" \
+ -C "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version m->m: cli min=1.3, srv max=1.2" \
+ "$P_SRV max_version=tls12" \
+ "$P_CLI min_version=tls13" \
+ 1 \
+ -s "The handshake negotiation failed" \
+ -S "Protocol is TLSv1.2" \
+ -C "Protocol is TLSv1.2" \
+ -S "Protocol is TLSv1.3" \
+ -C "Protocol is TLSv1.3"
+
+# Tests of version negotiation on server side against GnuTLS client
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego G->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
+ "$P_SRV" \
+ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego G->m: cli 1.2, srv max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego G->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego G->m: cli 1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego G->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_gnutls_next_disable_tls13_compat
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Server version nego G->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+# GnuTLS can be setup to send a ClientHello containing a supported versions
+# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
+# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and
+# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS
+# client then detects the downgrade indication and aborts the handshake even
+# if TLS 1.2 was its preferred version. Keeping the test even if the
+# handshake fails eventually as it exercices parts of the Mbed TLS
+# implementation that are otherwise not exercised.
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego G->m: cli 1.2+1.3 (1.2 preferred!), srv 1.2+1.3 -> 1.2" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
+ 1 \
+ -c "Detected downgrade to TLS 1.2 from TLS 1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego G->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego G->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego G->m: cli 1.2+1.3, max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version G->m: cli 1.0, (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \
1 \
-s "Handshake protocol not within min/max boundaries" \
- -c "Error in protocol version" \
- -S "Protocol is TLSv1.0" \
- -C "Handshake was completed"
+ -S "Protocol is TLSv1.0"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: cli TLS 1.1" \
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version G->m: cli 1.1, (1.2)+(1.3)" \
"$P_SRV" \
"$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \
1 \
-s "Handshake protocol not within min/max boundaries" \
- -c "Error in protocol version" \
- -S "Protocol is TLSv1.1" \
- -C "Handshake was completed"
+ -S "Protocol is TLSv1.1"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Not supported version G->m: cli 1.2, srv 1.3" \
+ "$P_SRV" \
+ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.2"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version G->m: cli 1.3, srv 1.2" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
+ 1 \
+ -S "Handshake protocol not within min/max boundaries" \
+ -s "The handshake negotiation failed" \
+ -S "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version G->m: cli 1.2, srv min=1.3" \
+ "$P_SRV min_version=tls13" \
+ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version G->m: cli 1.3, srv max=1.2" \
+ "$P_SRV max_version=tls12" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
+ 1 \
+ -S "Handshake protocol not within min/max boundaries" \
+ -s "The handshake negotiation failed" \
+ -S "Protocol is TLSv1.3"
+
+# Tests of version negotiation on server side against OpenSSL client
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego O->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
+ "$P_SRV" \
+ "$O_NEXT_CLI -tls1_2" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego O->m: cli 1.2, srv max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$O_NEXT_CLI -tls1_2" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego O->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$O_NEXT_CLI -tls1_3" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego O->m: cli 1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$O_NEXT_CLI -tls1_3" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego O->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$O_NEXT_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Server version nego O->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$O_NEXT_CLI -no_middlebox" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego O->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
+ "$P_SRV min_version=tls13" \
+ "$O_NEXT_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego O->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
+ "$P_SRV" \
+ "$O_NEXT_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego O->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
+ "$P_SRV max_version=tls12" \
+ "$O_NEXT_CLI" \
+ 0 \
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version O->m: cli 1.0, srv (1.2)+(1.3)" \
+ "$P_SRV" \
+ "$O_CLI -tls1" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.0"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version O->m: cli 1.1, srv (1.2)+(1.3)" \
+ "$P_SRV" \
+ "$O_CLI -tls1_1" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.1"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Not supported version O->m: cli 1.2, srv 1.3" \
+ "$P_SRV" \
+ "$O_NEXT_CLI -tls1_2" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.2"
+
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version O->m: cli 1.3, srv 1.2" \
+ "$P_SRV" \
+ "$O_NEXT_CLI -tls1_3" \
+ 1 \
+ -S "Handshake protocol not within min/max boundaries" \
+ -s "The handshake negotiation failed" \
+ -S "Protocol is TLSv1.3"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version O->m: cli 1.2, srv min=1.3" \
+ "$P_SRV min_version=tls13" \
+ "$O_NEXT_CLI -tls1_2" \
+ 1 \
+ -s "Handshake protocol not within min/max boundaries" \
+ -S "Protocol is TLSv1.2"
+
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
+run_test "Not supported version O->m: cli 1.3, srv max=1.2" \
+ "$P_SRV max_version=tls12" \
+ "$O_NEXT_CLI -tls1_3" \
+ 1 \
+ -S "Handshake protocol not within min/max boundaries" \
+ -s "The handshake negotiation failed" \
+ -S "Protocol is TLSv1.3"
+
+# Tests of version negotiation on client side against GnuTLS and OpenSSL server
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: srv max TLS 1.0" \
+run_test "Not supported version: srv max TLS 1.0" \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \
"$P_CLI" \
1 \
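Review bot: Three of the new GnuTLS-client titles drop the `srv` label that their OpenSSL counterparts keep: `cli 1.2+1.3, max=1.2 -> 1.2`, `cli 1.0, (1.2)+(1.3)` and `cli 1.1, (1.2)+(1.3)`. If test titles are used to select subsets, the G->m and O->m version-rejection cases will not match the same pattern. I would rename them to `"Server version nego G->m: cli 1.2+1.3, srv max=1.2 -> 1.2"`, `"Not supported version G->m: cli 1.0, srv (1.2)+(1.3)"` and `"Not supported version G->m: cli 1.1, srv (1.2)+(1.3)"`. The `(1.2 preferred!)` case is titled `-> 1.2` but expects exit code 1; the comment above it explains why, though a suffix such as `-> 1.2, cli aborts` would make the title self-describing. In that same comment, `exercices` should read `exercises`.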
@@ -6530,7 +7448,7 @@ run_test "Not supported version check: srv max TLS 1.0" \
-C "Protocol is TLSv1.0"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: srv max TLS 1.1" \
+run_test "Not supported version: srv max TLS 1.1" \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \
"$P_CLI" \
1 \
@@ -6539,6 +7457,88 @@ run_test "Not supported version check: srv max TLS 1.1" \
-S "Version: TLS1.1" \
-C "Protocol is TLSv1.1"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_gnutls_tls1_3
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.0" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
+ "$P_CLI debug_level=4" \
+ 1 \
+ -s "Client's version: 3.3" \
+ -S "Version: TLS1.0" \
+ -C "Protocol is TLSv1.0"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_gnutls_tls1_3
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.1" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
+ "$P_CLI debug_level=4" \
+ 1 \
+ -s "Client's version: 3.3" \
+ -S "Version: TLS1.1" \
+ -C "Protocol is TLSv1.1"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_gnutls_tls1_3
+run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.2" \
+ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
+ "$P_CLI force_version=tls13 debug_level=4" \
+ 1 \
+ -s "Client's version: 3.3" \
+ -c "is a fatal alert message (msg 40)" \
+ -S "Version: TLS1.2" \
+ -C "Protocol is TLSv1.2"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_openssl_next
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.0" \
+ "$O_NEXT_SRV -msg -tls1" \
+ "$P_CLI debug_level=4" \
+ 1 \
+ -s "fatal protocol_version" \
+ -c "is a fatal alert message (msg 70)" \
+ -S "Version: TLS1.0" \
+ -C "Protocol : TLSv1.0"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_openssl_next
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.1" \
+ "$O_NEXT_SRV -msg -tls1_1" \
+ "$P_CLI debug_level=4" \
+ 1 \
+ -s "fatal protocol_version" \
+ -c "is a fatal alert message (msg 70)" \
+ -S "Version: TLS1.1" \
+ -C "Protocol : TLSv1.1"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+skip_handshake_stage_check
+requires_openssl_next
+run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.2" \
+ "$O_NEXT_SRV -msg -tls1_2" \
+ "$P_CLI force_version=tls13 debug_level=4" \
+ 1 \
+ -s "fatal protocol_version" \
+ -c "is a fatal alert message (msg 70)" \
+ -S "Version: TLS1.2" \
+ -C "Protocol : TLSv1.2"
+
# Tests for ALPN extension
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
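Review bot: The two negative checks in the three `Not supported version:openssl` tests look as if they can never match, so they do not guard against a silent downgrade. `-C "Protocol : TLSv1.0"` is matched against the `$P_CLI` log, yet the GnuTLS tests just above check the same client with `-C "Protocol is TLSv1.0"`; likewise `-S "Version: TLS1.0"` appears to be copied from the GnuTLS server checks and is applied to `$O_NEXT_SRV` output, which probably does not use that format. Suggest `-C "Protocol is TLSv1.0"` here (and `TLSv1.1` / `TLSv1.2` in the other two tests), plus a server-side pattern taken from real `s_server -msg` output. The exit code and the `msg 70` alert check still carry these tests, so this only concerns making the negative assertions meaningful.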
@@ -6637,45 +7637,45 @@ run_test "ALPN: both, no common" \
# server-side certificate/suite selection
run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
- "$P_SRV force_version=tls12 key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ds.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
+ crt_file=$DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
- "$P_SRV force_version=tls12 key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ke.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
+ crt_file=$DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-RSA-WITH-"
run_test "keyUsage srv: RSA, keyAgreement -> fail" \
- "$P_SRV force_version=tls12 key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ka.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
+ crt_file=$DATA_FILES_PATH/server2.ku-ka.crt" \
"$P_CLI" \
1 \
-C "Ciphersuite is "
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
- "$P_SRV force_version=tls12 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ds.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ds.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
- "$P_SRV force_version=tls12 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-ECDH-"
run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
- "$P_SRV force_version=tls12 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ke.crt" \
+ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \
"$P_CLI" \
1 \
-C "Ciphersuite is "
@@ -6684,8 +7684,8 @@ run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
# client-side checking of server cert
run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ds_ke.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6694,8 +7694,8 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
-c "Ciphersuite is TLS-"
run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ds_ke.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6704,8 +7704,8 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
-c "Ciphersuite is TLS-"
run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6714,8 +7714,8 @@ run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
-c "Ciphersuite is TLS-"
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
@@ -6724,8 +7724,8 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
-C "Ciphersuite is TLS-"
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=1 auth_mode=optional \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6735,8 +7735,8 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
-c "! Usage does not match the keyUsage extension"
run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6745,8 +7745,8 @@ run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
-c "Ciphersuite is TLS-"
run_test "keyUsage cli: DigitalSignature, RSA: fail" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI debug_level=1 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1 \
@@ -6755,8 +7755,8 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \
-C "Ciphersuite is TLS-"
run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
- "$O_SRV -tls1_2 -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI debug_level=1 auth_mode=optional \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
@@ -6769,8 +7769,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
- -cert data_files/server2.ku-ds_ke.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \
"$P_CLI debug_level=3" \
0 \
-C "bad certificate (usage extensions)" \
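Review bot: The certificate changes from `server2.ku-ds_ke.crt` to `server2-sha256.ku-ds_ke.crt` here, not only the directory prefix, and nothing in the hunk records why. Presumably the TLS 1.3 tests need an RSA certificate signed with SHA-256 so that it is judged on its keyUsage rather than rejected on its signature hash, but that is inferred. A comment above the first of these tests, e.g. `# TLS 1.3 keyUsage tests use the server2-sha256.* variants of the RSA test certificates`, would keep a later edit from switching back. The same substitution is made in the next two hunks (KeyEncipherment, KeyAgreement) and in the two `keyUsage cli-auth 1.3: RSA` hunks, while the ECDSA `server5` tests keep their files. The `run_test` call continues past the end of this hunk.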
@@ -6781,8 +7781,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -6793,8 +7793,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \
- -cert data_files/server2.ku-ka.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ka.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -6805,8 +7805,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.ku-ds.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
"$P_CLI debug_level=3" \
0 \
-C "bad certificate (usage extensions)" \
@@ -6817,8 +7817,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.ku-ke.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ke.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -6829,8 +7829,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.ku-ka.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -6843,8 +7843,8 @@ run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
@@ -6853,17 +7853,17 @@ run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
- "$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$P_SRV debug_level=1 force_version=tls12 auth_mode=required" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
1 \
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
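Review bot: `force_version=tls12` is added to `$P_SRV` only in `keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)`; the `fail (soft)` test in this same hunk, and the other `cli-auth` tests in this file section, pin the version only on the client with `-tls1_2`. `extKeyUsage cli-auth: codeSign -> fail (hard)` further down still uses `"$P_SRV debug_level=1 auth_mode=required"` without it. If the server-side pin is needed for the hard-failure case, it deserves a short comment and should also be applied there; if it is not needed, dropping it keeps the TLS 1.2 `cli-auth` tests uniform.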
@@ -6871,8 +7871,8 @@ run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.ku-ds.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
@@ -6881,8 +7881,8 @@ run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.ku-ka.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6892,8 +7892,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
@@ -6904,8 +7904,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6915,8 +7915,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.ku-ds.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
-S "bad certificate (usage extensions)" \
@@ -6927,8 +7927,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.ku-ka.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -6937,29 +7937,29 @@ run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "extKeyUsage srv: serverAuth -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-srv.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \
"$P_CLI" \
0
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-srv.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \
"$P_CLI" \
0
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-cs_any.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.eku-cs_any.crt" \
"$P_CLI" \
0
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "extKeyUsage srv: codeSign -> fail" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-cli.crt" \
+ "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.eku-cli.crt" \
"$P_CLI" \
1
@@ -6967,8 +7967,8 @@ run_test "extKeyUsage srv: codeSign -> fail" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli: serverAuth -> OK" \
- "$O_SRV -tls1_2 -key data_files/server5.key \
- -cert data_files/server5.eku-srv.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -6977,8 +7977,8 @@ run_test "extKeyUsage cli: serverAuth -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
- "$O_SRV -tls1_2 -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -6987,8 +7987,8 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
- "$O_SRV -tls1_2 -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -6997,8 +7997,8 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli: codeSign -> fail" \
- "$O_SRV -tls1_2 -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -7009,8 +8009,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli 1.3: serverAuth -> OK" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.eku-srv.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -7021,8 +8021,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -7033,8 +8033,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
"$P_CLI debug_level=1" \
0 \
-C "bad certificate (usage extensions)" \
@@ -7045,8 +8045,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli 1.3: codeSign -> fail" \
- "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
"$P_CLI debug_level=1" \
1 \
-c "bad certificate (usage extensions)" \
@@ -7058,8 +8058,8 @@ run_test "extKeyUsage cli 1.3: codeSign -> fail" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cli.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7067,8 +8067,8 @@ run_test "extKeyUsage cli-auth: clientAuth -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7076,8 +8076,8 @@ run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7085,8 +8085,8 @@ run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7094,8 +8094,8 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
"$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
1 \
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
@@ -7105,8 +8105,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli-auth 1.3: clientAuth -> OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.eku-cli.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7116,8 +8116,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7127,8 +8127,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7138,8 +8138,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
- "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
@@ -7155,7 +8155,7 @@ run_test "DHM parameters: reference" \
-c "value of 'DHM: G ' (2 bits)"
run_test "DHM parameters: other parameters" \
- "$P_SRV dhm_file=data_files/dhparams.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=3" \
0 \
@@ -7179,49 +8179,49 @@ run_test "DHM size: server default, client 2048, OK" \
-C "DHM prime too short:"
run_test "DHM size: server 1024, client default, OK" \
- "$P_SRV dhm_file=data_files/dhparams.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 999, client 999, OK" \
- "$P_SRV dhm_file=data_files/dh.999.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=999" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 1000, client 1000, OK" \
- "$P_SRV dhm_file=data_files/dh.1000.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1000" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 1000, client default, rejected" \
- "$P_SRV dhm_file=data_files/dh.1000.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 1000, client 1001, rejected" \
- "$P_SRV dhm_file=data_files/dh.1000.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1001" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 999, client 1000, rejected" \
- "$P_SRV dhm_file=data_files/dh.999.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1000" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 998, client 999, rejected" \
- "$P_SRV dhm_file=data_files/dh.998.pem" \
+ "$P_SRV dhm_file=$DATA_FILES_PATH/dh.998.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=999" \
1 \
@@ -7237,9 +8237,9 @@ run_test "DHM size: server default, client 2049, rejected" \
# Tests for PSK callback
run_test "PSK callback: psk, no callback" \
- "$P_SRV psk=abc123 psk_identity=foo" \
+ "$P_SRV psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-S "SSL - The handshake negotiation failed" \
-S "SSL - Unknown identity received" \
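Review bot: The new key `73776f726466697368` is spelled out literally on both the server and the client command line, here and in each of the following `PSK callback: opaque ...` hunks. Nothing records that it is a hex string, or why the shorter `abc123` was replaced. A comment above the first PSK test, e.g. `# psk= is hex; 73776f726466697368 is a 9-byte test-only key and must be identical on both sides`, would make the intent visible. Presumably the longer value is there to satisfy a key-length expectation somewhere, which is worth stating if so. The `run_test` call continues past the end of this hunk.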
@@ -7247,9 +8247,9 @@ run_test "PSK callback: psk, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7259,9 +8259,9 @@ run_test "PSK callback: opaque psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7271,9 +8271,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7283,9 +8283,9 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7295,9 +8295,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7307,9 +8307,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7319,9 +8319,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7331,9 +8331,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7343,9 +8343,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS"
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7355,9 +8355,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7367,9 +8367,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7379,9 +8379,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7391,9 +8391,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7403,9 +8403,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7415,9 +8415,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7427,9 +8427,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7439,9 +8439,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS"
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7451,9 +8451,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7463,10 +8463,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7476,10 +8476,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7489,9 +8489,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7501,9 +8501,9 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7513,10 +8513,10 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7526,10 +8526,10 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7539,9 +8539,9 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7551,9 +8551,9 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7563,10 +8563,10 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7576,10 +8576,10 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7589,9 +8589,9 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7601,9 +8601,9 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -7613,10 +8613,10 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7626,10 +8626,10 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -7839,7 +8839,7 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -7851,7 +8851,7 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -7863,7 +8863,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -7875,7 +8875,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -7887,7 +8887,7 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
1 \
@@ -7896,16 +8896,16 @@ run_test "PSK callback: raw psk on client, matching opaque PSK on server, wro
run_test "PSK callback: no psk, no callback" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
1 \
-s "SSL - The handshake negotiation failed" \
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
run_test "PSK callback: callback overrides other settings" \
- "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
+ "$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
1 \
-S "SSL - The handshake negotiation failed" \
-s "SSL - Unknown identity received" \
@@ -8123,11 +9123,25 @@ run_test "ECJPAKE: working, DTLS, nolog" \
# Test for ClientHello without extensions
+# Without extensions, ECC is impossible (no curve negotiation).
+requires_config_enabled MBEDTLS_RSA_C
requires_gnutls
-run_test "ClientHello without extensions" \
+run_test "ClientHello without extensions: RSA" \
"$P_SRV force_version=tls12 debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
+ -s "Ciphersuite is .*-RSA-WITH-.*" \
+ -S "Ciphersuite is .*-EC.*" \
+ -s "dumping 'client hello extensions' (0 bytes)"
+
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+requires_gnutls
+run_test "ClientHello without extensions: PSK" \
+ "$P_SRV force_version=tls12 debug_level=3 psk=73776f726466697368" \
+ "$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \
+ 0 \
+ -s "Ciphersuite is .*-PSK-.*" \
+ -S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
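Review bot: In the added "ClientHello without extensions: PSK" test the server is started with `psk=73776f726466697368` but no `psk_identity`, while the GnuTLS client sends `--pskusername=Client_identity`. The handshake therefore presumably succeeds only because that string is the server program's built-in default identity, which is not visible in this hunk. Writing it out, `"$P_SRV force_version=tls12 debug_level=3 psk=73776f726466697368 psk_identity=Client_identity" \`, keeps the test from depending on that default. A one-line comment on why `-RSA:-DHE-RSA` is removed from the priority string would also help the next reader.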
@@ -8157,7 +9171,7 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data (*2)" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \
- "$P_SRV buffer_size=100" \
+ "$P_SRV buffer_size=100 force_version=tls12" \
"$P_CLI request_size=$MAX_CONTENT_LEN" \
0 \
-s "Read from client: $MAX_CONTENT_LEN bytes read (100 + $((MAX_CONTENT_LEN - 100)))"
@@ -8346,20 +9360,20 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large client packet TLS 1.3 AEAD" \
"$P_SRV" \
- "$P_CLI request_size=16384 \
+ "$P_CLI request_size=16383 \
force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
+ -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+ -s "Read from client: 16383 bytes read"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large client packet TLS 1.3 AEAD shorter tag" \
"$P_SRV" \
- "$P_CLI request_size=16384 \
+ "$P_CLI request_size=16383 \
force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
+ -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
+ -s "Read from client: 16383 bytes read"
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
run_test "Large server packet TLS 1.2 BlockCipher" \
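Review bot: The server-side check in both TLS 1.3 client-packet tests changes from `$MAX_CONTENT_LEN bytes read` to a hard-coded `16383 bytes read`, which matches only when the whole request arrives in a single read. The client-side check still adapts through `fragments_for_write 16383`, so with a smaller configured content length the two expectations would presumably disagree. Any size guard for the first test would sit above the hunk, but the second test shows only the key-exchange-mode requirement, so a `requires_max_content_len 16383` line on each test looks worth adding if that helper is not already applied. The value 16383 is also unexplained: a short comment above the two tests saying why the TLS 1.3 size is one byte under 16384 would record the reason, and the same applies to the `response_size=16383` changes in the next hunk.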
@@ -8402,17 +9416,17 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large server packet TLS 1.3 AEAD" \
- "$P_SRV response_size=16384" \
+ "$P_SRV response_size=16383" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
0 \
- -c "Read from server: 16384 bytes read"
+ -c "Read from server: 16383 bytes read"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Large server packet TLS 1.3 AEAD shorter tag" \
- "$P_SRV response_size=16384" \
+ "$P_SRV response_size=16383" \
"$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
0 \
- -c "Read from server: 16384 bytes read"
+ -c "Read from server: 16383 bytes read"
# Tests for restartable ECC
@@ -8423,7 +9437,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, default" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8436,7 +9450,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=0" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=0" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8449,7 +9463,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=65535" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=65535" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8464,7 +9478,7 @@ requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8480,7 +9494,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8494,10 +9508,10 @@ requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, badsign" \
"$P_SRV groups=secp256r1 auth_mode=required \
- crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
1 \
-c "x509_verify_cert.*4b00" \
@@ -8514,10 +9528,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
- crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8535,10 +9549,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
- crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8555,10 +9569,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
- crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=none" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8576,10 +9590,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
- crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
+ crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=none" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8597,7 +9611,7 @@ requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
dtls=1 debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8613,7 +9627,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
dtls=1 debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
@@ -8660,7 +9674,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-C "x509_verify_cert.*4b00" \
@@ -8706,8 +9720,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "SSL async private: sign, SNI" \
"$P_SRV force_version=tls12 debug_level=3 \
async_operations=s async_private_delay1=0 async_private_delay2=0 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
"$P_CLI server_name=polarssl.example" \
0 \
-s "Async sign callback: using key slot " \
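Review bot: `$DATA_FILES_PATH` is now spliced unquoted into the comma-separated `sni=` list and into the space-separated option strings, so a value containing a comma or whitespace would be parsed as extra fields or extra arguments rather than as one path. The later client commands containing `[ \$? -eq 1 ] &&` suggest these strings are evaluated by a shell, in which case shell metacharacters in the path would be interpreted too; that evaluation code is outside the visible hunks. Where the variable is set (not shown here), I would document the constraint, e.g. `# DATA_FILES_PATH must not contain whitespace, commas or shell metacharacters`, or reject such values up front. The same applies to every other hunk in this file that introduces `$DATA_FILES_PATH`.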
@@ -8737,9 +9751,9 @@ run_test "SSL async private: decrypt, delay=1" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=0" \
- "$P_SRV psk=abc123 \
+ "$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=0 async_private_delay2=0" \
- "$P_CLI psk=abc123 \
+ "$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
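Review bot: The PSK literal `73776f726466697368` is typed out separately for server and client here, and again in the `delay=1` hunk and the DTLS wrong-PSK hunk, so a one-digit typo on either side turns a passing test into a MAC failure that is hard to spot by eye. Defining the value once and using it on both sides would remove that risk, for example `psk=$PSK_HEX`, where `PSK_HEX` is a name constructed for this suggestion. Failing that, a comment above the test such as `# psk= takes hex; server and client values must match` would help the next reader.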
@@ -8747,9 +9761,9 @@ run_test "SSL async private: decrypt RSA-PSK, delay=0" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=1" \
- "$P_SRV psk=abc123 \
+ "$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=1 async_private_delay2=1" \
- "$P_CLI psk=abc123 \
+ "$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@@ -8787,8 +9801,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: slot 0 used with key1" \
"$P_SRV \
async_operations=s async_private_delay1=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async sign callback: using key slot 0," \
@@ -8800,8 +9814,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: slot 0 used with key2" \
"$P_SRV \
async_operations=s async_private_delay2=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async sign callback: using key slot 0," \
@@ -8813,8 +9827,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: slot 1 used with key2" \
"$P_SRV \
async_operations=s async_private_delay1=1 async_private_delay2=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async sign callback: using key slot 1," \
@@ -8826,8 +9840,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: fall back to transparent key" \
"$P_SRV \
async_operations=s async_private_delay1=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt " \
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async sign callback: no key matches this certificate."
@@ -8934,8 +9948,8 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "SSL async private: cancel after start then fall back to transparent key" \
"$P_SRV \
async_operations=s async_private_delay1=1 async_private_error=-2 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
[ \$? -eq 1 ] &&
$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
@@ -8956,8 +9970,8 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "SSL async private: sign, error in resume then fall back to transparent key" \
"$P_SRV \
async_operations=s async_private_delay1=1 async_private_error=-3 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
+ key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
[ \$? -eq 1 ] &&
$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
@@ -9015,8 +10029,6 @@ run_test "SSL async private: renegotiation: server-initiated, decrypt" \
# Tests for ECC extensions (rfc 4492)
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the client side" \
@@ -9028,8 +10040,6 @@ run_test "Force a non ECC ciphersuite in the client side" \
-S "found supported elliptic curves extension" \
-S "found supported point formats extension"
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the server side" \
@@ -9039,8 +10049,6 @@ run_test "Force a non ECC ciphersuite in the server side" \
-C "found supported_point_formats extension" \
-S "server hello, supported_point_formats extension"
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
run_test "Force an ECC ciphersuite in the client side" \
"$P_SRV debug_level=3" \
@@ -9051,8 +10059,6 @@ run_test "Force an ECC ciphersuite in the client side" \
-s "found supported elliptic curves extension" \
-s "found supported point formats extension"
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_hash_alg SHA_256
run_test "Force an ECC ciphersuite in the server side" \
"$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
@@ -9207,8 +10213,8 @@ run_test "DTLS client auth: none, client has no cert" \
-s "! Certificate verification was skipped"
run_test "DTLS wrong PSK: badmac alert" \
- "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
- "$P_CLI dtls=1 psk=abc124" \
+ "$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
+ "$P_CLI dtls=1 psk=73776f726466697374" \
1 \
-s "SSL - Verification of the message MAC failed" \
-c "SSL - A fatal alert message was received from our peer"
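Review bot: The server and client PSKs (`...68` and `...74`) now differ only in the last two hex digits of an 18-digit string, which reads like a typo rather than the deliberate mismatch this negative test depends on. A comment above `run_test` would make the intent explicit, e.g. `# client PSK deliberately differs from the server's in the final byte`.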
@@ -9332,13 +10338,13 @@ requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: none (for reference)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=4096" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=4096" \
0 \
@@ -9353,13 +10359,13 @@ requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: server only (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=2048" \
0 \
@@ -9378,13 +10384,13 @@ requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=4096" \
0 \
@@ -9399,13 +10405,13 @@ requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=1024" \
0 \
@@ -9428,13 +10434,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
-p "$P_PXY mtu=1110" \
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=1024" \
0 \
@@ -9449,13 +10455,13 @@ requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=1024" \
0 \
@@ -9478,13 +10484,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
-p "$P_PXY mtu=1110" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
max_frag_len=2048" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
max_frag_len=1024" \
0 \
@@ -9498,13 +10504,13 @@ requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: none (for reference) (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
mtu=4096" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
mtu=4096" \
0 \
@@ -9518,13 +10524,13 @@ requires_max_content_len 4096
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: client (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=3500-60000 \
mtu=4096" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=3500-60000 \
mtu=1024" \
0 \
@@ -9538,13 +10544,13 @@ requires_max_content_len 2048
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: server (MTU)" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
mtu=2048" \
0 \
@@ -9559,13 +10565,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: both (MTU=1024)" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=2500-60000 \
mtu=1024" \
0 \
@@ -9577,19 +10583,17 @@ run_test "DTLS fragmenting: both (MTU=1024)" \
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: both (MTU=512)" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=2500-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=2500-60000 \
mtu=512" \
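Review bot: With `requires_config_enabled MBEDTLS_AES_C` and `MBEDTLS_GCM_C` removed, nothing visible in this hunk skips the test in a build without AES-GCM, although the client still forces `TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256`. Presumably the harness now derives that requirement from `force_ciphersuite=`. That logic is outside the diff shown, so it is worth confirming that the test is reported as skipped rather than failed in such a build. The same question applies to the later DTLS fragmenting hunks that drop the AES/GCM/CCM/CBC guards and to the ECC-extension hunks above. The `run_test` call continues past the end of this hunk.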
@@ -9607,18 +10611,16 @@ run_test "DTLS fragmenting: both (MTU=512)" \
not_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
-p "$P_PXY mtu=508" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=400-3200" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=400-3200" \
0 \
@@ -9630,18 +10632,16 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
only_with_valgrind
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \
-p "$P_PXY mtu=508" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=250-10000" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000" \
0 \
@@ -9660,13 +10660,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=10000-60000 \
mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=10000-60000 \
mtu=1024" \
0 \
@@ -9682,19 +10682,17 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=10000-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=10000-60000 \
mtu=512" \
@@ -9712,13 +10710,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=10000-60000 \
mtu=1024 nbio=2" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=10000-60000 \
mtu=1024 nbio=2" \
0 \
@@ -9731,19 +10729,17 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=10000-60000 \
mtu=512 nbio=2" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=10000-60000 \
mtu=512 nbio=2" \
@@ -9766,19 +10762,17 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
not_with_valgrind # spurious autoreduction due to timeout
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
-p "$P_PXY mtu=1450" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=10000-60000 \
mtu=1450" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=10000-60000 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1000" \
@@ -9795,21 +10789,20 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_CHACHAPOLY_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
exchanges=2 renegotiation=1 \
hs_timeout=10000-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
hs_timeout=10000-60000 \
mtu=512" \
0 \
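Review bot: The forced suite now matches the test title, but the lines shown do not check which suite was actually negotiated, which is presumably how the AES-GCM value went unnoticed under a "ChachaPoly" name. If the checks after `0 \` (outside this hunk) do not already cover it, add a client-side pattern such as `-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"`. Note also that `requires_config_enabled MBEDTLS_CHACHAPOLY_C` is dropped in the same hunk that first makes the test depend on ChaCha20-Poly1305, so the skip condition has to come from elsewhere.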
@@ -9825,20 +10818,18 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
-p "$P_PXY mtu=512" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
exchanges=2 renegotiation=1 \
hs_timeout=10000-60000 \
mtu=512" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=10000-60000 \
@@ -9856,21 +10847,19 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CCM_C
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
hs_timeout=10000-60000 \
mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
hs_timeout=10000-60000 \
mtu=1024" \
@@ -9887,22 +10876,20 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
hs_timeout=10000-60000 \
mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
hs_timeout=10000-60000 \
mtu=1024" \
@@ -9919,21 +10906,19 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
-p "$P_PXY mtu=1024" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
exchanges=2 renegotiation=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
hs_timeout=10000-60000 \
mtu=1024" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
exchanges=2 renegotiation=1 renegotiate=1 \
hs_timeout=10000-60000 \
mtu=1024" \
@@ -9946,19 +10931,17 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU + 3d" \
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
"$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=250-10000 mtu=512" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000 mtu=512" \
0 \
@@ -9969,19 +10952,17 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
client_needs_more_time 2
requires_max_content_len 2048
run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=250-10000 mtu=512 nbio=2" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
hs_timeout=250-10000 mtu=512 nbio=2" \
0 \
@@ -10000,8 +10981,8 @@ requires_max_content_len 2048
run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
"$G_SRV -u" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
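Review bot: `$DATA_FILES_PATH` is expanded inside the double-quoted command string, so an unset or empty value silently turns `crt_file=$DATA_FILES_PATH/server8_int-ca2.crt` into a path under `/`. A value containing whitespace would also split the argument if run_test later word-splits the command, which is not visible here. The variable's definition is outside this part of the diff; where it is set, a guard such as `: "${DATA_FILES_PATH:?DATA_FILES_PATH must be set}"` and a comment that the path must not contain spaces would make the failure explicit. Because the files loaded through it include private keys, the same comment should say whether the variable may be overridden from the environment. The substitution recurs in every hunk of this file that touches `crt_file=` or `key_file=`.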
@@ -10021,8 +11002,8 @@ requires_not_i686
requires_max_content_len 2048
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
mtu=512 force_version=dtls12" \
"$G_CLI -u --insecure 127.0.0.1" \
0 \
@@ -10034,8 +11015,8 @@ requires_max_content_len 2048
run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
"$O_SRV -dtls1_2 -verify 10" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
@@ -10046,8 +11027,8 @@ requires_config_enabled MBEDTLS_RSA_C
requires_max_content_len 2048
run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
mtu=512 force_version=dtls12" \
"$O_CLI -dtls1_2" \
0 \
@@ -10066,8 +11047,8 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$G_NEXT_SRV -u" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
@@ -10081,8 +11062,8 @@ requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
"$G_NEXT_CLI -u --insecure 127.0.0.1" \
0 \
@@ -10099,8 +11080,8 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$O_NEXT_SRV -dtls1_2 -verify 10" \
"$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
+ crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
+ key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
@@ -10116,8 +11097,8 @@ requires_max_content_len 2048
run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
+ crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
+ key_file=$DATA_FILES_PATH/server7.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
"$O_CLI -dtls1_2" \
0 \
@@ -10934,6 +11915,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
requires_certificate_authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
-p "$P_PXY delay_srv=NewSessionTicket" \
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
@@ -11000,8 +11982,8 @@ requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
-p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
- "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
+ "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
0 \
-s "Buffer record from epoch 1" \
-s "Found buffered record from current epoch - load" \
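Review bot: The new key `73776f726466697368` is an unexplained literal that must stay identical on the `$P_SRV` and `$P_CLI` lines, here and in the PSK hunks that follow (the "short" PSK handshake, resumption and renego tests). It is the hex encoding of the ASCII string "swordfish", so a comment such as `# psk is hex for ASCII "swordfish" (test-only key)` at the first use would document it. Holding the value in one shell variable would keep the two sides from drifting apart. The part of the diff visible here does not say why `abc123` was replaced; if there is a reason such as a minimum key length, it belongs in that comment.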
@@ -11015,8 +11997,8 @@ client_needs_more_time 2
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
-s "Extra-header:" \
@@ -11054,6 +12036,7 @@ run_test "DTLS proxy: 3d, FS, client auth" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, FS, ticket" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
@@ -11064,6 +12047,7 @@ run_test "DTLS proxy: 3d, FS, ticket" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
@@ -11074,6 +12058,7 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, max handshake, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
@@ -11088,8 +12073,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 debug_level=3" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 debug_level=3" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -11103,8 +12088,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 debug_level=3 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 debug_level=3 nbio=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
0 \
@@ -11118,8 +12103,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 renegotiation=1 debug_level=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -11133,8 +12118,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 renegotiation=1 debug_level=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -11148,9 +12133,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
+ psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -11164,9 +12149,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
+ psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -11284,7 +12269,7 @@ requires_ciphersuite_enabled TLS1-3-CHACHA20-POLY1305-SHA256
requires_any_configs_enabled "PSA_WANT_ECC_MONTGOMERY_255"
requires_any_configs_enabled "PSA_WANT_ECC_SECP_R1_256"
run_test "TLS 1.3: Default" \
- "$P_SRV allow_sha1=0 debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \
+ "$P_SRV allow_sha1=0 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key force_version=tls13" \
"$P_CLI allow_sha1=0" \
0 \
-s "Protocol is TLSv1.3" \
@@ -11292,6 +12277,30 @@ run_test "TLS 1.3: Default" \
-s "ECDH/FFDH group: " \
-s "selected signature algorithm ecdsa_secp256r1_sha256"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Establish TLS 1.2 then TLS 1.3 session" \
+ "$P_SRV" \
+ "( $P_CLI force_version=tls12; \
+ $P_CLI force_version=tls13 )" \
+ 0 \
+ -s "Protocol is TLSv1.2" \
+ -s "Protocol is TLSv1.3" \
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Establish TLS 1.3 then TLS 1.2 session" \
+ "$P_SRV" \
+ "( $P_CLI force_version=tls13; \
+ $P_CLI force_version=tls12 )" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "Protocol is TLSv1.2" \
+
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
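Review bot: The client command `( $P_CLI force_version=tls12; $P_CLI force_version=tls13 )` reports only the exit status of the second client, so the expected `0` does not cover a failing first connection. Joining the two with `&&`, as in `"( $P_CLI force_version=tls12 && \`, would cover it; the reversed test below has the same issue. Both tests also end their last pattern line with a continuation backslash (`-s "Protocol is TLSv1.2" \`), which only works because a blank line follows. Dropping that trailing `\` keeps the next `requires_...` line from being swallowed as an argument if the blank line is ever removed. If the `-s` checks are unordered log matches (not visible here), the two tests assert the same patterns and do not verify which version was negotiated first.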
@@ -11434,7 +12443,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_ALPN
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: server alpn - openssl" \
- "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key alpn=h2" \
+ "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \
"$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \
0 \
-s "found alpn extension" \
@@ -11449,7 +12458,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_ALPN
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: server alpn - gnutls" \
- "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key alpn=h2" \
+ "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \
0 \
-s "found alpn extension" \
@@ -11458,88 +12467,6 @@ run_test "TLS 1.3: server alpn - gnutls" \
-s "HTTP/1.0 200 OK" \
-s "Application Layer Protocol is h2"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
- "$P_CLI debug_level=4" \
- 1 \
- -s "Client's version: 3.3" \
- -S "Version: TLS1.0" \
- -C "Protocol is TLSv1.0"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
- "$P_CLI debug_level=4" \
- 1 \
- -s "Client's version: 3.3" \
- -S "Version: TLS1.1" \
- -C "Protocol is TLSv1.1"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_gnutls_tls1_3
-run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \
- "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
- "$P_CLI force_version=tls13 debug_level=4" \
- 1 \
- -s "Client's version: 3.3" \
- -c "is a fatal alert message (msg 40)" \
- -S "Version: TLS1.2" \
- -C "Protocol is TLSv1.2"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \
- "$O_NEXT_SRV -msg -tls1" \
- "$P_CLI debug_level=4" \
- 1 \
- -s "fatal protocol_version" \
- -c "is a fatal alert message (msg 70)" \
- -S "Version: TLS1.0" \
- -C "Protocol : TLSv1.0"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \
- "$O_NEXT_SRV -msg -tls1_1" \
- "$P_CLI debug_level=4" \
- 1 \
- -s "fatal protocol_version" \
- -c "is a fatal alert message (msg 70)" \
- -S "Version: TLS1.1" \
- -C "Protocol : TLSv1.1"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-skip_handshake_stage_check
-requires_openssl_next
-run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \
- "$O_NEXT_SRV -msg -tls1_2" \
- "$P_CLI force_version=tls13 debug_level=4" \
- 1 \
- -s "fatal protocol_version" \
- -c "is a fatal alert message (msg 70)" \
- -S "Version: TLS1.2" \
- -C "Protocol : TLSv1.2"
-
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -11578,7 +12505,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, no server middlebox compat - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
- "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11592,8 +12519,8 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, no server middlebox compat - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
- "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \
- key_file=data_files/cli2.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \
+ key_file=$DATA_FILES_PATH/cli2.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11607,8 +12534,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \
- key_file=data_files/ecdsa_secp256r1.key" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11623,8 +12550,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \
- key_file=data_files/ecdsa_secp256r1.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11638,8 +12565,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \
- key_file=data_files/ecdsa_secp384r1.key" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11654,8 +12581,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \
- key_file=data_files/ecdsa_secp384r1.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11669,8 +12596,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11685,8 +12612,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11701,8 +12628,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11718,8 +12645,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11734,8 +12661,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11751,8 +12678,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11767,8 +12694,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11784,8 +12711,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11801,8 +12728,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
run_test "TLS 1.3: Client authentication, client alg not in server list - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
-sigalgs ecdsa_secp256r1_sha256" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
1 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11818,8 +12745,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication, client alg not in server list - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
1 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11834,7 +12761,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
- "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11849,8 +12776,8 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
- "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \
- key_file=data_files/cli2.key key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \
+ key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11865,8 +12792,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \
- key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11882,8 +12809,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \
- key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11898,8 +12825,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \
- key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11915,8 +12842,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \
- key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11931,8 +12858,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11948,8 +12875,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11965,8 +12892,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -11983,8 +12910,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12000,8 +12927,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12018,8 +12945,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12035,8 +12962,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
- "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \
- key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
+ key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12053,8 +12980,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \
- key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
+ key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
0 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12071,8 +12998,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
-sigalgs ecdsa_secp256r1_sha256" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
1 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12089,8 +13016,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
- "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \
- key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
+ "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
+ key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
1 \
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
@@ -12166,7 +13093,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - openssl" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
@@ -12183,8 +13110,8 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - openssl with client authentication" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
- "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
+ "$O_NEXT_CLI -msg -debug -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3 -no_middlebox" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
@@ -12203,7 +13130,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - gnutls" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
@@ -12222,8 +13149,8 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - gnutls with client authentication" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
- "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
+ "$G_NEXT_CLI localhost -d 4 --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
@@ -12241,7 +13168,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - mbedtls" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$P_CLI debug_level=4" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
@@ -12260,8 +13187,8 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
- "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
@@ -12277,7 +13204,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$P_CLI debug_level=4 crt_file=none key_file=none" \
1 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
@@ -12295,7 +13222,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \
- "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 auth_mode=optional crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$P_CLI debug_level=4 crt_file=none key_file=none" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
@@ -12342,9 +13269,9 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - openssl with sni" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \
- sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
+ sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
+ "$O_NEXT_CLI -msg -debug -servername localhost -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3" \
0 \
-s "parse ServerName extension" \
-s "HTTP/1.0 200 OK"
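Review bot: The `sni=` value on the added `$P_SRV` line is a comma-separated list, and `$DATA_FILES_PATH` is now interpolated into several of its fields. Assuming the server program splits this option on commas (its parser is not shown here), a comma in the path would shift every following field and load the wrong certificate, key or CA file for a name. The "gnutls with sni" and "mbedtls with sni" hunks that follow have the same line. A short comment above these tests would document the assumption, e.g. `# sni= is comma-separated; DATA_FILES_PATH must not contain ','`.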
@@ -12355,9 +13282,9 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - gnutls with sni" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \
- sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
+ sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
+ "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
0 \
-s "parse ServerName extension" \
-s "HTTP/1.0 200 OK"
@@ -12368,9 +13295,9 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Server side check - mbedtls with sni" \
- "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+ "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
+ sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
+ "$P_CLI debug_level=4 server_name=localhost crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
0 \
-s "parse ServerName extension" \
-s "HTTP/1.0 200 OK"
@@ -12494,7 +13421,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m both peers do not support middlebox compatibility" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$O_NEXT_CLI -msg -debug -no_middlebox" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12507,7 +13434,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m server with middlebox compat support, not client" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$O_NEXT_CLI -msg -debug -no_middlebox" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12519,7 +13446,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m both with middlebox compat support" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$O_NEXT_CLI -msg -debug" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12534,7 +13461,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m both peers do not support middlebox compatibility" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$G_NEXT_CLI localhost --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12549,7 +13476,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m server with middlebox compat support, not client" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12565,7 +13492,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m both with middlebox compat support" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
"$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12690,7 +13617,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m HRR both peers do not support middlebox compatibility" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12703,7 +13630,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12715,7 +13642,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 O->m HRR both with middlebox compat support" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$O_NEXT_CLI -msg -debug -groups P-256:P-384" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12730,7 +13657,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m HRR both peers do not support middlebox compatibility" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$G_NEXT_CLI localhost --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12746,7 +13673,7 @@ requires_config_enabled PSA_WANT_ALG_ECDH
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12763,7 +13690,7 @@ requires_config_enabled PSA_WANT_ALG_ECDH
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3 G->m HRR both with middlebox compat support" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \
+ "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
"$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Protocol is TLSv1.3" \
@@ -12776,10 +13703,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check signature algorithm order, m->O" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
-Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
- "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
@@ -12792,10 +13719,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check signature algorithm order, m->G" \
- "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
-d 4
--priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
- "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
@@ -12809,10 +13736,10 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check signature algorithm order, m->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
- "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
@@ -12828,11 +13755,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check signature algorithm order, O->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
- "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
- -cert data_files/server2-sha256.crt -key data_files/server2.key \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
+ -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \
-sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
0 \
-c "TLSv1.3" \
@@ -12846,11 +13773,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check signature algorithm order, G->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
- "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
- --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
+ --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \
--priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \
0 \
-c "Negotiated version: 3.4" \
@@ -12865,11 +13792,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
- "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
- --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
+ --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \
--priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \
1 \
-S "ssl_tls13_pick_key_cert:check signature algorithm"
@@ -12881,11 +13808,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \
- "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
- -cert data_files/server2-sha256.crt -key data_files/server2.key \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
+ -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \
-sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \
1 \
-S "ssl_tls13_pick_key_cert:check signature algorithm"
@@ -12897,10 +13824,10 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
- "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
+ "$P_CLI allow_sha1=0 debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \
1 \
-S "ssl_tls13_pick_key_cert:check signature algorithm"
@@ -12912,9 +13839,9 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable certificate, G->m" \
"$P_SRV debug_level=4
- crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
- "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \
+ "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
--priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \
1 \
-s "ssl_tls13_pick_key_cert:no suitable certificate found"
@@ -12926,9 +13853,9 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable certificate, O->m" \
"$P_SRV debug_level=4
- crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
- "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \
+ "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
-sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \
1 \
-s "ssl_tls13_pick_key_cert:no suitable certificate found"
@@ -12940,7 +13867,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check server no suitable certificate, m->m" \
"$P_SRV debug_level=4
- crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
"$P_CLI allow_sha1=0 debug_level=4 \
sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256" \
@@ -12953,10 +13880,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check client no signature algorithm, m->O" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
-Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \
- "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
-c "no suitable signature algorithm"
@@ -12967,10 +13894,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check client no signature algorithm, m->G" \
- "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
-d 4
--priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
- "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
-c "no suitable signature algorithm"
@@ -12982,142 +13909,23 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Check client no signature algorithm, m->m" \
"$P_SRV debug_level=4 auth_mode=required
- crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
- crt_file=data_files/server5.crt key_file=data_files/server5.key
+ crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
+ crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \
- "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
-c "no suitable signature algorithm"
requires_openssl_tls1_3_with_compatible_ephemeral
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: Basic check, m->O" \
- "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 4" \
- "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
- 0 \
- -c "Protocol is TLSv1.3" \
- -c "got new session ticket." \
- -c "Saving session for reuse... ok" \
- -c "Reconnecting with saved session" \
- -c "HTTP/1.0 200 ok"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \
- "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
- "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \
- 0 \
- -c "Protocol is TLSv1.3" \
- -c "got new session ticket." \
- -c "Saving session for reuse... ok" \
- -c "Reconnecting with saved session" \
- -c "HTTP/1.0 200 OK" \
- -s "This is a resumed session"
-
-requires_openssl_tls1_3_with_compatible_ephemeral
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-# https://github.com/openssl/openssl/issues/10714
-# Until now, OpenSSL client does not support reconnect.
-skip_next_test
-run_test "TLS 1.3: NewSessionTicket: Basic check, O->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=4" \
- "$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \
- 0 \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=4" \
- "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
- 0 \
- -c "Connecting again- trying to resume previous session" \
- -c "NEW SESSION TICKET (4) was received" \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
- -s "key exchange mode: ephemeral" \
- -s "key exchange mode: psk_ephemeral" \
- -s "found pre_shared_key extension"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-# Test the session resumption when the cipher suite for the original session is
-# TLS1-3-AES-256-GCM-SHA384. In that case, the PSK is 384 bits long and not
-# 256 bits long as with all the other TLS 1.3 cipher suites.
-requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
-run_test "TLS 1.3: NewSessionTicket: Basic check with AES-256-GCM only, G->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
- "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM -V -r" \
- 0 \
- -c "Connecting again- trying to resume previous session" \
- -c "NEW SESSION TICKET (4) was received" \
- -s "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
- -s "key exchange mode: ephemeral" \
- -s "key exchange mode: psk_ephemeral" \
- -s "found pre_shared_key extension"
-
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=4" \
- "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
- 0 \
- -c "Protocol is TLSv1.3" \
- -c "got new session ticket ( 3 )" \
- -c "Saving session for reuse... ok" \
- -c "Reconnecting with saved session" \
- -c "HTTP/1.0 200 OK" \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
- -s "key exchange mode: ephemeral" \
- -s "key exchange mode: psk_ephemeral" \
- -s "found pre_shared_key extension"
-
-requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
- "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
-msg -tls1_2
-Verify 10 " \
- "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
min_version=tls12 max_version=tls13 " \
0 \
@@ -13130,73 +13938,29 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
- "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
-d 4
--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
- "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
min_version=tls12 max_version=tls13 " \
0 \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=4 \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI debug_level=4 server_name=localhost reco_mode=1 reconnect=1" \
- 0 \
- -c "Protocol is TLSv1.3" \
- -c "got new session ticket." \
- -c "Saving session for reuse... ok" \
- -c "Reconnecting with saved session" \
- -c "HTTP/1.0 200 OK" \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \
- -s "key exchange mode: ephemeral" \
- -s "key exchange mode: psk_ephemeral" \
- -s "found pre_shared_key extension"
-
-requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
- "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=4 \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI debug_level=4 server_name=localhost reco_server_name=remote reco_mode=1 reconnect=1" \
- 1 \
- -c "Protocol is TLSv1.3" \
- -c "got new session ticket." \
- -c "Saving session for reuse... ok" \
- -c "Reconnecting with saved session" \
- -c "Hostname mismatch the session ticket, disable session resumption." \
- -s "=> write NewSessionTicket msg" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \
- -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH"
-
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_3072
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -13215,9 +13979,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_3072
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13233,12 +13998,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_4096
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -13257,9 +14023,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_4096
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13275,12 +14042,13 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_6144
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -13298,9 +14066,10 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_6144
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13316,13 +14085,14 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_8192
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
client_needs_more_time 4
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
- "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
- "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
+ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
0 \
-s "Protocol is TLSv1.3" \
-s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
@@ -13340,10 +14110,11 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled PSA_WANT_DH_RFC7919_8192
client_needs_more_time 4
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
- "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
- "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192" \
+ "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
+ "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192" \
0 \
-c "HTTP/1.0 200 OK" \
-c "Protocol is TLSv1.3" \
@@ -13359,8 +14130,8 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: no HRR in case of PSK key exchange mode" \
- "$P_SRV nbio=2 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \
- "$P_CLI nbio=2 debug_level=3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
+ "$P_SRV nbio=2 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \
+ "$P_CLI nbio=2 debug_level=3 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=all" \
0 \
-C "received HelloRetryRequest message" \
-c "Selected key exchange mode: psk$" \
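Review bot: The PSK literal changes from `010203` to `73776f726466697368` on both the `$P_SRV` and `$P_CLI` lines with no comment saying what the new value is or why the 3-byte key was dropped. The hex decodes to the ASCII string "swordfish", so a line above `run_test` such as `# psk is hex("swordfish"): test-only key, longer than the former 3-byte 010203` would save the next reader the decoding. If the change exists because short PSKs are now rejected, which this hunk does not show, the comment should say so. The `run_test` invocation continues past the end of this hunk.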
@@ -13374,17 +14145,30 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 16384
run_tests_memory_after_hanshake
-# Final report
+if [ "$LIST_TESTS" -eq 0 ]; then
-echo "------------------------------------------------------------------------"
+ # Final report
-if [ $FAILS = 0 ]; then
- printf "PASSED"
-else
- printf "FAILED"
+ echo "------------------------------------------------------------------------"
+
+ if [ $FAILS = 0 ]; then
+ printf "PASSED"
+ else
+ printf "FAILED"
+ fi
+ PASSES=$(( $TESTS - $FAILS ))
+ echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
+
+ if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]; then
+ cat <<EOF
+Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPS)).
+Maybe a bad filter ('$FILTER') or a bad configuration?
+EOF
+ if [ $FAILS -eq 0 ]; then
+ FAILS=1
+ fi
+ fi
fi
-PASSES=$(( $TESTS - $FAILS ))
-echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
if [ $FAILS -gt 255 ]; then
# Clamp at 255 as caller gets exit code & 0xFF
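Review bot: The minimum-test guard `if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]` fails open: when `MIN_TESTS` is empty or not a number, `[` reports an error and returns non-zero, so the `if` takes the false branch, `FAILS` stays 0, and a run that executed nothing can still exit with status 0. `MIN_TESTS` is set outside this hunk, so it may already be validated where the option is parsed. If it is not, reject bad values before the comparison, e.g. `case "$MIN_TESTS" in ''|*[!0-9]*) echo "Error: MIN_TESTS must be a non-negative integer" >&2; exit 1;; esac`. The "Expected to run at least ..." message is an error and would be better on stderr (`cat >&2 <<EOF`).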
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 86ff5b4..b5f5796 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -8,6 +8,7 @@
#include <test/random.h>
#include <test/bignum_helpers.h>
#include <test/psa_crypto_helpers.h>
+#include <test/threading_helpers.h>
#include <errno.h>
#include <limits.h>
diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index 06f391f..eb42a07 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -371,14 +371,12 @@ static void write_outcome_entry(FILE *outcome_file,
* \param missing_unmet_dependencies Non-zero if there was a problem tracking
* all unmet dependencies, 0 otherwise.
* \param ret The test dispatch status (DISPATCH_xxx).
- * \param info A pointer to the test info structure.
*/
static void write_outcome_result(FILE *outcome_file,
size_t unmet_dep_count,
int unmet_dependencies[],
int missing_unmet_dependencies,
- int ret,
- const mbedtls_test_info_t *info)
+ int ret)
{
if (outcome_file == NULL) {
return;
@@ -401,7 +399,7 @@ static void write_outcome_result(FILE *outcome_file,
}
break;
}
- switch (info->result) {
+ switch (mbedtls_test_get_result()) {
case MBEDTLS_TEST_RESULT_SUCCESS:
mbedtls_fprintf(outcome_file, "PASS;");
break;
@@ -410,8 +408,9 @@ static void write_outcome_result(FILE *outcome_file,
break;
default:
mbedtls_fprintf(outcome_file, "FAIL;%s:%d:%s",
- info->filename, info->line_no,
- info->test);
+ mbedtls_get_test_filename(),
+ mbedtls_test_get_line_no(),
+ mbedtls_test_get_test());
break;
}
break;
@@ -432,6 +431,50 @@ static void write_outcome_result(FILE *outcome_file,
fflush(outcome_file);
}
+#if defined(__unix__) || \
+ (defined(__APPLE__) && defined(__MACH__))
+#define MBEDTLS_HAVE_CHDIR
+#endif
+
+#if defined(MBEDTLS_HAVE_CHDIR)
+/** Try chdir to the directory containing argv0.
+ *
+ * Failures are silent.
+ */
+static void try_chdir_if_supported(const char *argv0)
+{
+ /* We might want to allow backslash as well, for Windows. But then we also
+ * need to consider chdir() vs _chdir(), and different conventions
+ * regarding paths in argv[0] (naively enabling this code with
+ * backslash support on Windows leads to chdir into the wrong directory
+ * on the CI). */
+ const char *slash = strrchr(argv0, '/');
+ if (slash == NULL) {
+ return;
+ }
+ size_t path_size = slash - argv0 + 1;
+ char *path = mbedtls_calloc(1, path_size);
+ if (path == NULL) {
+ return;
+ }
+ memcpy(path, argv0, path_size - 1);
+ path[path_size - 1] = 0;
+ int ret = chdir(path);
+ if (ret != 0) {
+ mbedtls_fprintf(stderr, "%s: note: chdir(\"%s\") failed.\n",
+ __func__, path);
+ }
+ mbedtls_free(path);
+}
+#else /* MBEDTLS_HAVE_CHDIR */
+/* No chdir() or no support for parsing argv[0] on this platform. */
+static void try_chdir_if_supported(const char *argv0)
+{
+ (void) argv0;
+ return;
+}
+#endif /* MBEDTLS_HAVE_CHDIR */
+
/**
* \brief Desktop implementation of execute_tests().
* Parses command line and executes tests from
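Review bot: The doc comment on `try_chdir_if_supported` says "Failures are silent", but the body prints a note to stderr when `chdir()` fails; only the no-slash and allocation-failure paths return silently. I would reword it to `Failures are not fatal: a failed chdir() is reported on stderr and the run continues in the original directory.` The function calls `chdir()`, yet this hunk adds no `#include <unistd.h>`. It is presumably included elsewhere in the file, but that is worth confirming under the same condition as `MBEDTLS_HAVE_CHDIR`, since the new guard also covers `__APPLE__`.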
@@ -570,7 +613,7 @@ int execute_tests(int argc, const char **argv)
break;
}
mbedtls_fprintf(stdout, "%s%.66s",
- mbedtls_test_info.result == MBEDTLS_TEST_RESULT_FAILED ?
+ mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_FAILED ?
"\n" : "", buf);
mbedtls_fprintf(stdout, " ");
for (i = strlen(buf) + 1; i < 67; i++) {
@@ -646,7 +689,7 @@ int execute_tests(int argc, const char **argv)
write_outcome_result(outcome_file,
unmet_dep_count, unmet_dependencies,
missing_unmet_dependencies,
- ret, &mbedtls_test_info);
+ ret);
if (unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE) {
total_skipped++;
mbedtls_fprintf(stdout, "----");
@@ -671,30 +714,33 @@ int execute_tests(int argc, const char **argv)
unmet_dep_count = 0;
missing_unmet_dependencies = 0;
} else if (ret == DISPATCH_TEST_SUCCESS) {
- if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_SUCCESS) {
+ if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_SUCCESS) {
mbedtls_fprintf(stdout, "PASS\n");
- } else if (mbedtls_test_info.result == MBEDTLS_TEST_RESULT_SKIPPED) {
+ } else if (mbedtls_test_get_result() == MBEDTLS_TEST_RESULT_SKIPPED) {
mbedtls_fprintf(stdout, "----\n");
total_skipped++;
} else {
+ char line_buffer[MBEDTLS_TEST_LINE_LENGTH];
+
total_errors++;
mbedtls_fprintf(stdout, "FAILED\n");
mbedtls_fprintf(stdout, " %s\n at ",
- mbedtls_test_info.test);
- if (mbedtls_test_info.step != (unsigned long) (-1)) {
+ mbedtls_test_get_test());
+ if (mbedtls_test_get_step() != (unsigned long) (-1)) {
mbedtls_fprintf(stdout, "step %lu, ",
- mbedtls_test_info.step);
+ mbedtls_test_get_step());
}
mbedtls_fprintf(stdout, "line %d, %s",
- mbedtls_test_info.line_no,
- mbedtls_test_info.filename);
- if (mbedtls_test_info.line1[0] != 0) {
- mbedtls_fprintf(stdout, "\n %s",
- mbedtls_test_info.line1);
+ mbedtls_test_get_line_no(),
+ mbedtls_get_test_filename());
+
+ mbedtls_test_get_line1(line_buffer);
+ if (line_buffer[0] != 0) {
+ mbedtls_fprintf(stdout, "\n %s", line_buffer);
}
- if (mbedtls_test_info.line2[0] != 0) {
- mbedtls_fprintf(stdout, "\n %s",
- mbedtls_test_info.line2);
+ mbedtls_test_get_line2(line_buffer);
+ if (line_buffer[0] != 0) {
+ mbedtls_fprintf(stdout, "\n %s", line_buffer);
}
}
fflush(stdout);
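Review bot: In the failure branch, `mbedtls_test_get_step()` is read once for the comparison with `(unsigned long) (-1)` and again for the `%lu` argument, and `mbedtls_test_get_result()` is called separately for each arm of the `if`/`else if`. If these getters exist because the test state can now be updated from another thread (inferred from the new threading helpers, not shown here), the two reads can disagree. Reading once into a local, e.g. `unsigned long step = mbedtls_test_get_step();`, keeps the printed value consistent with the check. `mbedtls_test_get_line1(line_buffer)` takes no length, so a comment beside `char line_buffer[MBEDTLS_TEST_LINE_LENGTH];` should state that the getter writes at most that many bytes including the terminator, which is what the `%s` print relies on. The enclosing `execute_tests` starts and ends outside this hunk.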
@@ -728,6 +774,10 @@ int execute_tests(int argc, const char **argv)
mbedtls_fprintf(stdout, " (%u / %u tests (%u skipped))\n",
total_tests - total_errors, total_tests, total_skipped);
+#if defined(MBEDTLS_TEST_MUTEX_USAGE)
+ mbedtls_test_mutex_usage_end();
+#endif
+
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
!defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
#if defined(MBEDTLS_MEMORY_DEBUG)
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 6c8d98e..f327a03 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -237,6 +237,21 @@ int main(int argc, const char *argv[])
#endif
#endif
+ /* Try changing to the directory containing the executable, if
+ * using the default data file. This allows running the executable
+ * from another directory (e.g. the project root) and still access
+ * the .datax file as well as data files used by test cases
+ * (typically from framework/data_files).
+ *
+ * Note that we do this before the platform setup (which may access
+ * files such as a random seed). We also do this before accessing
+ * test-specific files such as the outcome file, which is arguably
+ * not desirable and should be fixed later.
+ */
+ if (argc == 1) {
+ try_chdir_if_supported(argv[0]);
+ }
+
int ret = mbedtls_test_platform_setup();
if (ret != 0) {
mbedtls_fprintf(stderr,
diff --git a/tests/suites/test_suite_aes.ctr.data b/tests/suites/test_suite_aes.ctr.data
new file mode 100644
index 0000000..a148236
--- /dev/null
+++ b/tests/suites/test_suite_aes.ctr.data
@@ -0,0 +1,137 @@
+# Test vectors from NIST Special Publication 800-38A 2001 Edition
+# Recommendation for Block Edition Cipher Modes of Operation
+
+# as below, but corrupt the key to check the test catches it
+AES-CTR NIST 128 bad
+aes_ctr:"00000000000000000000000000000000":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee":1
+
+AES-CTR NIST 128
+aes_ctr:"2b7e151628aed2a6abf7158809cf4f3c":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee":0
+
+AES-CTR NIST 192
+depends_on:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+aes_ctr:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e941e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050":0
+
+AES-CTR NIST 256
+depends_on:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+aes_ctr:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c52b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6":0
+
+AES-CTR aes_encrypt_ctr_multipart 1 1
+aes_encrypt_ctr_multipart:1:1
+
+AES-CTR aes_encrypt_ctr_multipart 2 1
+aes_encrypt_ctr_multipart:2:1
+
+AES-CTR aes_encrypt_ctr_multipart 2 2
+aes_encrypt_ctr_multipart:2:2
+
+AES-CTR aes_encrypt_ctr_multipart 4 1
+aes_encrypt_ctr_multipart:4:1
+
+AES-CTR aes_encrypt_ctr_multipart 4 2
+aes_encrypt_ctr_multipart:4:2
+
+AES-CTR aes_encrypt_ctr_multipart 15 1
+aes_encrypt_ctr_multipart:15:1
+
+AES-CTR aes_encrypt_ctr_multipart 15 2
+aes_encrypt_ctr_multipart:15:2
+
+AES-CTR aes_encrypt_ctr_multipart 15 8
+aes_encrypt_ctr_multipart:15:8
+
+AES-CTR aes_encrypt_ctr_multipart 15 15
+aes_encrypt_ctr_multipart:15:15
+
+AES-CTR aes_encrypt_ctr_multipart 16 1
+aes_encrypt_ctr_multipart:16:1
+
+AES-CTR aes_encrypt_ctr_multipart 16 2
+aes_encrypt_ctr_multipart:16:2
+
+AES-CTR aes_encrypt_ctr_multipart 16 8
+aes_encrypt_ctr_multipart:16:8
+
+AES-CTR aes_encrypt_ctr_multipart 16 15
+aes_encrypt_ctr_multipart:16:15
+
+AES-CTR aes_encrypt_ctr_multipart 16 16
+aes_encrypt_ctr_multipart:16:16
+
+AES-CTR aes_encrypt_ctr_multipart 17 1
+aes_encrypt_ctr_multipart:17:1
+
+AES-CTR aes_encrypt_ctr_multipart 17 2
+aes_encrypt_ctr_multipart:17:2
+
+AES-CTR aes_encrypt_ctr_multipart 17 8
+aes_encrypt_ctr_multipart:17:8
+
+AES-CTR aes_encrypt_ctr_multipart 17 15
+aes_encrypt_ctr_multipart:17:15
+
+AES-CTR aes_encrypt_ctr_multipart 17 16
+aes_encrypt_ctr_multipart:17:16
+
+AES-CTR aes_encrypt_ctr_multipart 63 1
+aes_encrypt_ctr_multipart:63:1
+
+AES-CTR aes_encrypt_ctr_multipart 63 2
+aes_encrypt_ctr_multipart:63:2
+
+AES-CTR aes_encrypt_ctr_multipart 63 8
+aes_encrypt_ctr_multipart:63:8
+
+AES-CTR aes_encrypt_ctr_multipart 63 15
+aes_encrypt_ctr_multipart:63:15
+
+AES-CTR aes_encrypt_ctr_multipart 63 16
+aes_encrypt_ctr_multipart:63:16
+
+AES-CTR aes_encrypt_ctr_multipart 63 17
+aes_encrypt_ctr_multipart:63:17
+
+AES-CTR aes_encrypt_ctr_multipart 64 1
+aes_encrypt_ctr_multipart:64:1
+
+AES-CTR aes_encrypt_ctr_multipart 64 2
+aes_encrypt_ctr_multipart:64:2
+
+AES-CTR aes_encrypt_ctr_multipart 64 8
+aes_encrypt_ctr_multipart:64:8
+
+AES-CTR aes_encrypt_ctr_multipart 64 15
+aes_encrypt_ctr_multipart:64:15
+
+AES-CTR aes_encrypt_ctr_multipart 64 16
+aes_encrypt_ctr_multipart:64:16
+
+AES-CTR aes_encrypt_ctr_multipart 64 17
+aes_encrypt_ctr_multipart:64:17
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1
+aes_encrypt_ctr_multipart:1024:1
+
+AES-CTR aes_encrypt_ctr_multipart 1024 10
+aes_encrypt_ctr_multipart:1024:10
+
+AES-CTR aes_encrypt_ctr_multipart 1024 15
+aes_encrypt_ctr_multipart:1024:15
+
+AES-CTR aes_encrypt_ctr_multipart 1024 16
+aes_encrypt_ctr_multipart:1024:16
+
+AES-CTR aes_encrypt_ctr_multipart 1024 63
+aes_encrypt_ctr_multipart:1024:63
+
+AES-CTR aes_encrypt_ctr_multipart 1024 64
+aes_encrypt_ctr_multipart:1024:64
+
+AES-CTR aes_encrypt_ctr_multipart 1024 65
+aes_encrypt_ctr_multipart:1024:65
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1023
+aes_encrypt_ctr_multipart:1024:1023
+
+AES-CTR aes_encrypt_ctr_multipart 1024 1024
+aes_encrypt_ctr_multipart:1024:1024
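Review bot: The header comment misquotes the source title as "Recommendation for Block Edition Cipher Modes of Operation"; the stray "Edition" should go, giving `# Recommendation for Block Cipher Modes of Operation`. The multipart cases have no comment explaining their two numeric arguments. Going by the test function added in the same commit, a line such as `# aes_encrypt_ctr_multipart:<total length>:<initial step size, doubled after each call>` above the first of them would make the matrix easier to extend.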
diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index d495b49..9118a98 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -6,6 +6,7 @@
* master, enc and dec must be AES context objects. They don't need to
* be initialized, and are left freed.
*/
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
static int test_copy(const data_t *key,
mbedtls_aes_context *master,
mbedtls_aes_context *enc,
@@ -55,6 +56,7 @@ exit:
* with alternative implementations. */
return 0;
}
+#endif
/* END_HEADER */
@@ -86,7 +88,125 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aes_ctr(data_t *key, data_t *ictr, data_t *pt, data_t *ct, int expected)
+{
+ unsigned char *output = NULL;
+ unsigned char ctr[16];
+ unsigned char stream_block[16];
+ mbedtls_aes_context ctx;
+
+ // sanity checks on test input
+ TEST_ASSERT(pt->len == ct->len);
+ TEST_ASSERT(key->len == 16 || key->len == 24 || key->len == 32);
+
+ TEST_CALLOC(output, pt->len);
+
+ // expected result is always success on zero-length input, so skip len == 0 if expecting failure
+ for (size_t len = (expected == 0 ? 0 : 1); len <= pt->len; len++) {
+ for (int i = 0; i < 2; i++) {
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key->x, key->len * 8) == 0);
+
+ memcpy(ctr, ictr->x, 16);
+ memset(stream_block, 0, 16);
+ memset(output, 0, pt->len);
+
+ size_t nc_off = 0;
+
+ if (i == 0) {
+ // encrypt
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, len, &nc_off, ctr,
+ stream_block, pt->x, output), 0);
+ TEST_ASSERT(!!memcmp(output, ct->x, len) == expected);
+ } else {
+ // decrypt
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, len, &nc_off, ctr,
+ stream_block, ct->x, output), 0);
+ TEST_ASSERT(!!memcmp(output, pt->x, len) == expected);
+ }
+ }
+ }
+
+exit:
+ mbedtls_free(output);
+ mbedtls_aes_free(&ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aes_encrypt_ctr_multipart(int length, int step_size)
+{
+ unsigned char key[16];
+ unsigned char ctr_a[16];
+ unsigned char ctr_b[16];
+ unsigned char stream_block_a[16];
+ unsigned char stream_block_b[16];
+ unsigned char *input = NULL;
+ unsigned char *output_a = NULL;
+ unsigned char *output_b = NULL;
+ mbedtls_aes_context ctx;
+ size_t nc_off_a, nc_off_b;
+
+ TEST_ASSERT(length >= 0);
+ TEST_ASSERT(step_size > 0);
+
+ TEST_CALLOC(input, length);
+ TEST_CALLOC(output_a, length);
+ TEST_CALLOC(output_b, length);
+
+ // set up a random key
+ mbedtls_test_rnd_std_rand(NULL, key, sizeof(key));
+
+ // random input
+ mbedtls_test_rnd_std_rand(NULL, input, length);
+
+
+ // complete encryption in one call
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key, sizeof(key) * 8) == 0);
+ memset(ctr_a, 0, sizeof(ctr_a));
+ memset(stream_block_a, 0, sizeof(stream_block_a));
+ nc_off_a = 0;
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, length, &nc_off_a, ctr_a,
+ stream_block_a, input, output_a), 0);
+ mbedtls_aes_free(&ctx);
+
+
+ // encrypt in multiple steps of varying size
+ mbedtls_aes_init(&ctx);
+ TEST_ASSERT(mbedtls_aes_setkey_enc(&ctx, key, sizeof(key) * 8) == 0);
+ memset(ctr_b, 0, sizeof(ctr_b));
+ memset(stream_block_b, 0, sizeof(stream_block_b));
+ nc_off_b = 0;
+ size_t remaining = length;
+ unsigned char *ip = input, *op = output_b;
+ while (remaining != 0) {
+ size_t l = MIN(remaining, (size_t) step_size);
+ step_size *= 2;
+ remaining -= l;
+ TEST_EQUAL(mbedtls_aes_crypt_ctr(&ctx, l, &nc_off_b, ctr_b, stream_block_b, ip, op), 0);
+ ip += l;
+ op += l;
+ }
+
+ // finally, validate that multiple steps produced same result as single-pass
+ TEST_MEMORY_COMPARE(output_a, length, output_b, length);
+ TEST_MEMORY_COMPARE(ctr_a, sizeof(ctr_a), ctr_b, sizeof(ctr_b));
+ TEST_MEMORY_COMPARE(stream_block_a, sizeof(stream_block_a),
+ stream_block_b, sizeof(stream_block_b));
+ TEST_EQUAL(nc_off_a, nc_off_b);
+
+exit:
+ mbedtls_free(input);
+ mbedtls_free(output_a);
+ mbedtls_free(output_b);
+
+ mbedtls_aes_free(&ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
void aes_decrypt_ecb(data_t *key_str, data_t *src_str,
data_t *dst, int setkey_result)
{
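Review bot: In both new test functions `ctx` is still uninitialised when the first `TEST_ASSERT`/`TEST_CALLOC` can jump to `exit:`, where `mbedtls_aes_free(&ctx)` is then called on it. Moving `mbedtls_aes_init(&ctx);` above the input sanity checks in `aes_ctr`, and above `TEST_ASSERT(length >= 0);` in `aes_encrypt_ctr_multipart`, makes the cleanup path well-defined. In `aes_ctr` the context is also re-initialised on every inner-loop iteration with no free in between. Ending the inner loop body with `mbedtls_aes_free(&ctx);` keeps init and free paired, which matters if an alternative AES implementation keeps resources in the context (not visible here). The trailing `aes_decrypt_ecb` body continues outside the hunk.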
@@ -523,7 +643,7 @@ void aes_misc_params()
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
void aes_ecb_copy_context(data_t *key)
{
/* We test context copying multiple times, with different alignments
diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function
index 579dddf..a454eba 100644
--- a/tests/suites/test_suite_aria.function
+++ b/tests/suites/test_suite_aria.function
@@ -16,7 +16,7 @@
* END_DEPENDENCIES
*/
-/* BEGIN_CASE depends_on:NOT_DEFINED */
+/* BEGIN_CASE */
void aria_invalid_param()
{
mbedtls_aria_context ctx;
@@ -52,8 +52,10 @@ void aria_invalid_param()
output));
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
exit:
return;
+#endif
}
/* END_CASE */
@@ -86,7 +88,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
void aria_decrypt_ecb(data_t *key_str, data_t *src_str,
data_t *expected_output, int setkey_result)
{
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index c90f1bb..f3a64e1 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -24,7 +24,7 @@ static int sign_is_valid(const mbedtls_mpi *X)
* we sometimes test the robustness of library functions when given
* a negative zero input. If a test case has a negative zero as input,
* we don't mind if the function has a negative zero output. */
- if (!mbedtls_test_case_uses_negative_0 &&
+ if (!mbedtls_test_get_case_uses_negative_0() &&
mbedtls_mpi_bitlen(X) == 0 && X->s != 1) {
return 0;
}
@@ -144,6 +144,26 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
+void mpi_zero_length_buffer_is_null()
+{
+ mbedtls_mpi X;
+ size_t olen;
+
+ mbedtls_mpi_init(&X);
+
+ /* Simply test that the following functions do not crash when a NULL buffer
+ * pointer and 0 length is passed. We don't care much about the return value. */
+ TEST_EQUAL(mbedtls_mpi_read_binary(&X, NULL, 0), 0);
+ TEST_EQUAL(mbedtls_mpi_read_binary_le(&X, NULL, 0), 0);
+ TEST_EQUAL(mbedtls_mpi_write_string(&X, 16, NULL, 0, &olen), MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL);
+ TEST_EQUAL(mbedtls_mpi_write_binary(&X, NULL, 0), 0);
+
+exit:
+ mbedtls_mpi_free(&X);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mpi_read_binary(data_t *buf, char *input_A)
{
mbedtls_mpi X;
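Review bot: The comment in `mpi_zero_length_buffer_is_null` says the return value does not matter much, yet every call is wrapped in `TEST_EQUAL` with a specific code (`0`, or `MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL` for `mbedtls_mpi_write_string`), so the test does pin the results. I would reword it to `/* A NULL buffer with length 0 must be accepted without crashing; the expected return codes are pinned below. */`. `olen` is passed to `mbedtls_mpi_write_string` but never checked afterwards; a short comment saying that is deliberate would help the next reader. The following `mpi_read_binary` body continues outside the hunk.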
@@ -946,6 +966,45 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
+void mpi_exp_mod_min_RR(char *input_A, char *input_E,
+ char *input_N, char *input_X,
+ int exp_result)
+{
+ mbedtls_mpi A, E, N, RR, Z, X;
+ int res;
+ mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&RR); mbedtls_mpi_init(&Z); mbedtls_mpi_init(&X);
+
+ TEST_EQUAL(mbedtls_test_read_mpi(&A, input_A), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&E, input_E), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
+
+ TEST_EQUAL(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N), 0);
+ TEST_EQUAL(mbedtls_mpi_shrink(&RR, 0), 0);
+ /* The objective of this test is to check that exp_mod defends
+ * against a smaller RR. */
+ TEST_LE_U(RR.n, N.n - 1);
+
+ res = mbedtls_mpi_exp_mod(&Z, &A, &E, &N, &RR);
+ /* We know that exp_mod internally needs RR to be as large as N.
+ * Validate that it is the case now, otherwise there was probably
+ * a buffer overread. */
+ TEST_EQUAL(RR.n, N.n);
+
+ TEST_EQUAL(res, exp_result);
+ if (res == 0) {
+ TEST_EQUAL(sign_is_valid(&Z), 1);
+ TEST_EQUAL(mbedtls_mpi_cmp_mpi(&Z, &X), 0);
+ }
+
+exit:
+ mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&RR); mbedtls_mpi_free(&Z); mbedtls_mpi_free(&X);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mpi_exp_mod(char *input_A, char *input_E,
char *input_N, char *input_X,
int exp_result)
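Review bot: `TEST_LE_U(RR.n, N.n - 1)` in `mpi_exp_mod_min_RR` subtracts from `N.n` without first establishing that it is non-zero, so a vector with a zero-limb `N` would make the precondition pass vacuously once the value is compared as unsigned. `TEST_ASSERT(RR.n < N.n);` states the same requirement without the subtraction. `TEST_EQUAL(RR.n, N.n)` also runs before `res` is compared with `exp_result`. A vector expecting an error would therefore be reported as a limb-count mismatch if `mbedtls_mpi_exp_mod` returned before resizing `RR` (not visible here), so a one-line comment that this case is meant for success vectors would make that explicit. The following `mpi_exp_mod` body continues outside the hunk.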
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 9d068f1..c16c689 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -82,6 +82,9 @@ mpi_read_write_string:16:"":2:"0":4:0:0
Test mpi_write_string #10 (Negative hex with odd number of digits)
mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+Provide NULL buffer with 0 length
+mpi_zero_length_buffer_is_null
+
Base test mbedtls_mpi_read_binary #1
mpi_read_binary:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"0941379D00FED1491FE15DF284DFDE4A142F68AA8D412023195CEE66883E6290FFE703F4EA5963BF212713CEE46B107C09182B5EDCD955ADAC418BF4918E2889AF48E1099D513830CEC85C26AC1E158B52620E33BA8692F893EFBB2F958B4424"
@@ -107,19 +110,19 @@ Test mbedtls_mpi_write_binary_le #2 (Buffer too small)
mpi_write_binary_le:"123123123123123123123123123":"23311223311223311223311223":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
Base test mbedtls_mpi_read_file #1
-mpi_read_file:"data_files/mpi_16":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0
+mpi_read_file:"../framework/data_files/mpi_16":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0
Test mbedtls_mpi_read_file #1 (Empty file)
-mpi_read_file:"data_files/hash_file_4":"":MBEDTLS_ERR_MPI_FILE_IO_ERROR
+mpi_read_file:"../framework/data_files/hash_file_4":"":MBEDTLS_ERR_MPI_FILE_IO_ERROR
Test mbedtls_mpi_read_file #2 (Illegal input)
-mpi_read_file:"data_files/hash_file_2":"":0
+mpi_read_file:"../framework/data_files/hash_file_2":"":0
Test mbedtls_mpi_read_file #3 (Input too big)
-mpi_read_file:"data_files/mpi_too_big":"":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+mpi_read_file:"../framework/data_files/mpi_too_big":"":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
Base test mbedtls_mpi_write_file #1
-mpi_write_file:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"data_files/mpi_write"
+mpi_write_file:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"../framework/data_files/mpi_write"
Test mbedtls_mpi_lsb: 0 (null)
mpi_lsb:"":0
@@ -1359,6 +1362,9 @@ mpi_exp_mod:"04":"00":"09":"1":0
Test mbedtls_mpi_exp_mod: 10 ^ 0 (1 limb) mod 9
mpi_exp_mod:"0a":"00":"09":"1":0
+Test mbedtls_mpi_exp_mod: -3 ^ 3 mod 27
+mpi_exp_mod:"-3":"3":"1b":"1b":0
+
Test mbedtls_mpi_exp_mod: MAX_SIZE exponent
mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:10:"":0
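Review bot: The new vector `mpi_exp_mod:"-3":"3":"1b":"1b":0` expects `1b` (27) as the result for modulus `1b`, a value equal to N rather than the reduced residue 0 that (-3)^3 = -27 has modulo 27. If this deliberately pins how `mbedtls_mpi_exp_mod` corrects for a negative base (inferred; the library code is not in this hunk), a comment line above the case would stop a later reader from "fixing" the vector, for example `# Result is N, not 0: pins current behaviour for a negative base with zero residue`. If a canonical result in [0, N) is the intended contract, the expected value should be `0` instead.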
@@ -1388,6 +1394,14 @@ Test mbedtls_mpi_exp_mod (Negative base) [#2]
depends_on:MPI_MAX_BITS_LARGER_THAN_792
mpi_exp_mod:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0
+Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 32 bit)
+depends_on:MBEDTLS_HAVE_INT32
+mpi_exp_mod_min_RR:"10":"2":"10000000100000001":"100":0
+
+Test mbedtls_mpi_exp_mod (N.n=3, RR.n=1 on 64 bit)
+depends_on:MBEDTLS_HAVE_INT64
+mpi_exp_mod_min_RR:"10":"2":"100000000000000010000000000000001":"100":0
+
Base test GCD #1
mpi_gcd:"2b5":"261":"15"
diff --git a/tests/suites/test_suite_block_cipher.data b/tests/suites/test_suite_block_cipher.data
new file mode 100644
index 0000000..097b567
--- /dev/null
+++ b/tests/suites/test_suite_block_cipher.data
@@ -0,0 +1,255 @@
+Invalid input
+invalid:
+
+AES-128-ECB Encrypt NIST KAT #1
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e"
+
+AES-128-ECB Encrypt NIST KAT #2
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"9798c4640bad75c7c3227db910174e72":"a9a1631bf4996954ebc093957b234589"
+
+AES-128-ECB Encrypt NIST KAT #3
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"96ab5c2ff612d9dfaae8c31f30c42168":"ff4f8391a6a40ca5b25d23bedd44a597"
+
+AES-128-ECB Encrypt NIST KAT #4
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"e0000000000000000000000000000000":"00000000000000000000000000000000":"72a1da770f5d7ac4c9ef94d822affd97"
+
+AES-128-ECB Encrypt NIST KAT #5
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"f0000000000000000000000000000000":"00000000000000000000000000000000":"970014d634e2b7650777e8e84d03ccd8"
+
+AES-128-ECB Encrypt NIST KAT #6
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"f8000000000000000000000000000000":"00000000000000000000000000000000":"f17e79aed0db7e279e955b5f493875a7"
+
+AES-128-ECB Encrypt NIST KAT #7
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffff0000000000000000000":"00000000000000000000000000000000":"7b90785125505fad59b13c186dd66ce3"
+
+AES-128-ECB Encrypt NIST KAT #8
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffff8000000000000000000":"00000000000000000000000000000000":"8b527a6aebdaec9eaef8eda2cb7783e5"
+
+AES-128-ECB Encrypt NIST KAT #9
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffffc000000000000000000":"00000000000000000000000000000000":"43fdaf53ebbc9880c228617d6a9b548b"
+
+AES-128-ECB Encrypt NIST KAT #10
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"ffffffffffffffffffffffffffffc000":"00000000000000000000000000000000":"70c46bb30692be657f7eaa93ebad9897"
+
+AES-128-ECB Encrypt NIST KAT #11
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"ffffffffffffffffffffffffffffe000":"00000000000000000000000000000000":"323994cfb9da285a5d9642e1759b224a"
+
+AES-128-ECB Encrypt NIST KAT #12
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffffffffffffffffffff000":"00000000000000000000000000000000":"1dbf57877b7b17385c85d0b54851e371"
+
+AES-128-ECB Encrypt NIST KAT #13
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"ffffffffffffffc00000000000000000":"3a4d354f02bb5a5e47d39666867f246a"
+
+AES-128-ECB Encrypt NIST KAT #14
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"ffffffffffffffe00000000000000000":"d451b8d6e1e1a0ebb155fbbf6e7b7dc3"
+
+AES-128-ECB Encrypt NIST KAT #15
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"fffffffffffffff00000000000000000":"6898d4f42fa7ba6a10ac05e87b9f2080"
+
+AES-128-ECB Encrypt NIST KAT #16
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"ffffffffffffffffffffffffe0000000":"082eb8be35f442fb52668e16a591d1d6"
+
+AES-128-ECB Encrypt NIST KAT #17
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"fffffffffffffffffffffffff0000000":"e656f9ecf5fe27ec3e4a73d00c282fb3"
+
+AES-128-ECB Encrypt NIST KAT #18
+depends_on:MBEDTLS_AES_C
+test_vec:MBEDTLS_CIPHER_ID_AES:"00000000000000000000000000000000":"fffffffffffffffffffffffff8000000":"2ca8209d63274cd9a29bb74bcd77683a"
+
+AES-192-ECB Encrypt NIST KAT #1
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"fffffffffffffffffffff80000000000":"156f07767a85a4312321f63968338a01"
+
+AES-192-ECB Encrypt NIST KAT #2
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"fffffffffffffffffffffc0000000000":"15eec9ebf42b9ca76897d2cd6c5a12e2"
+
+AES-192-ECB Encrypt NIST KAT #3
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"fffffffffffffffffffffe0000000000":"db0d3a6fdcc13f915e2b302ceeb70fd8"
+
+AES-192-ECB Encrypt NIST KAT #4
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"51719783d3185a535bd75adc65071ce1":"4f354592ff7c8847d2d0870ca9481b7c"
+
+AES-192-ECB Encrypt NIST KAT #5
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"26aa49dcfe7629a8901a69a9914e6dfd":"d5e08bf9a182e857cf40b3a36ee248cc"
+
+AES-192-ECB Encrypt NIST KAT #6
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"000000000000000000000000000000000000000000000000":"941a4773058224e1ef66d10e0a6ee782":"067cd9d3749207791841562507fa9626"
+
+AES-192-ECB Encrypt NIST KAT #7
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"d2926527e0aa9f37b45e2ec2ade5853ef807576104c7ace3":"00000000000000000000000000000000":"dd619e1cf204446112e0af2b9afa8f8c"
+
+AES-192-ECB Encrypt NIST KAT #8
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"982215f4e173dfa0fcffe5d3da41c4812c7bcc8ed3540f93":"00000000000000000000000000000000":"d4f0aae13c8fe9339fbf9e69ed0ad74d"
+
+AES-192-ECB Encrypt NIST KAT #9
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"98c6b8e01e379fbd14e61af6af891596583565f2a27d59e9":"00000000000000000000000000000000":"19c80ec4a6deb7e5ed1033dda933498f"
+
+AES-192-ECB Encrypt NIST KAT #10
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffffffffffffffffff800000000000000000000":"00000000000000000000000000000000":"8dd274bd0f1b58ae345d9e7233f9b8f3"
+
+AES-192-ECB Encrypt NIST KAT #11
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffffffffffffffffffc00000000000000000000":"00000000000000000000000000000000":"9d6bdc8f4ce5feb0f3bed2e4b9a9bb0b"
+
+AES-192-ECB Encrypt NIST KAT #12
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"fffffffffffffffffffffffffffe00000000000000000000":"00000000000000000000000000000000":"fd5548bcf3f42565f7efa94562528d46"
+
+AES-256-ECB Encrypt NIST KAT #1
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"c1cc358b449909a19436cfbb3f852ef8bcb5ed12ac7058325f56e6099aab1a1c":"00000000000000000000000000000000":"352065272169abf9856843927d0674fd"
+
+AES-256-ECB Encrypt NIST KAT #2
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"984ca75f4ee8d706f46c2d98c0bf4a45f5b00d791c2dfeb191b5ed8e420fd627":"00000000000000000000000000000000":"4307456a9e67813b452e15fa8fffe398"
+
+AES-256-ECB Encrypt NIST KAT #3
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"b43d08a447ac8609baadae4ff12918b9f68fc1653f1269222f123981ded7a92f":"00000000000000000000000000000000":"4663446607354989477a5c6f0f007ef4"
+
+AES-256-ECB Encrypt NIST KAT #4
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"0b24af36193ce4665f2825d7b4749c98":"a9ff75bd7cf6613d3731c77c3b6d0c04"
+
+AES-256-ECB Encrypt NIST KAT #5
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"761c1fe41a18acf20d241650611d90f1":"623a52fcea5d443e48d9181ab32c7421"
+
+AES-256-ECB Encrypt NIST KAT #6
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"8a560769d605868ad80d819bdba03771":"38f2c7ae10612415d27ca190d27da8b4"
+
+AES-256-ECB Encrypt NIST KAT #7
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"ffffff80000000000000000000000000":"36aff0ef7bf3280772cf4cac80a0d2b2"
+
+AES-256-ECB Encrypt NIST KAT #8
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"ffffffc0000000000000000000000000":"1f8eedea0f62a1406d58cfc3ecea72cf"
+
+AES-256-ECB Encrypt NIST KAT #9
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"0000000000000000000000000000000000000000000000000000000000000000":"ffffffe0000000000000000000000000":"abf4154a3375a1d3e6b1d454438f95a6"
+
+AES-256-ECB Encrypt NIST KAT #10
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"ffffffffffffffffffffffffffffffffffff8000000000000000000000000000":"00000000000000000000000000000000":"45d089c36d5c5a4efc689e3b0de10dd5"
+
+AES-256-ECB Encrypt NIST KAT #11
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"ffffffffffffffffffffffffffffffffffffc000000000000000000000000000":"00000000000000000000000000000000":"b4da5df4becb5462e03a0ed00d295629"
+
+AES-256-ECB Encrypt NIST KAT #12
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+test_vec:MBEDTLS_CIPHER_ID_AES:"ffffffffffffffffffffffffffffffffffffe000000000000000000000000000":"00000000000000000000000000000000":"dcf4e129136c1a4b7a0f38935cc34b2b"
+
+ARIA-128-ECB Encrypt - RFC 5794
+depends_on:MBEDTLS_ARIA_C
+test_vec:MBEDTLS_CIPHER_ID_ARIA:"000102030405060708090a0b0c0d0e0f":"00112233445566778899aabbccddeeff":"d718fbd6ab644c739da95f3be6451778"
+
+ARIA-192-ECB Encrypt - RFC 5794
+depends_on:MBEDTLS_ARIA_C
+test_vec:MBEDTLS_CIPHER_ID_ARIA:"000102030405060708090a0b0c0d0e0f1011121314151617":"00112233445566778899aabbccddeeff":"26449c1805dbe7aa25a468ce263a9e79"
+
+ARIA-256-ECB Encrypt - RFC 5794
+depends_on:MBEDTLS_ARIA_C
+test_vec:MBEDTLS_CIPHER_ID_ARIA:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"00112233445566778899aabbccddeeff":"f92bd7c79fb72e2f2b8f80c1972d24fc"
+
+Camellia-128-ECB Encrypt RFC3713 #1
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba9876543210":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43"
+
+Camellia-192-ECB Encrypt RFC3713 #1
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba98765432100011223344556677":"0123456789abcdeffedcba9876543210":"b4993401b3e996f84ee5cee7d79b09b9"
+
+Camellia-256-ECB Encrypt RFC3713 #1
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff":"0123456789abcdeffedcba9876543210":"9acc237dff16d76c20ef7c919e3a7509"
+
+Camellia-128-ECB Encrypt Perl EVP #1 [#1]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F":"00112233445566778899AABBCCDDEEFF":"77CF412067AF8270613529149919546F"
+
+Camellia-192-ECB Encrypt Perl EVP #1 [#1]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F1011121314151617":"00112233445566778899AABBCCDDEEFF":"B22F3C36B72D31329EEE8ADDC2906C68"
+
+Camellia-256-ECB Encrypt Perl EVP #1 [#1]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00112233445566778899AABBCCDDEEFF":"2EDF1F3418D53B88841FC8985FB1ECF2"
+
+Camellia-128-ECB Encrypt Perl EVP #1 [#2]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"6BC1BEE22E409F96E93D7E117393172A":"432FC5DCD628115B7C388D770B270C96"
+
+Camellia-128-ECB Encrypt Perl EVP #2
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"0BE1F14023782A22E8384C5ABB7FAB2B"
+
+Camellia-128-ECB Encrypt Perl EVP #3
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"30C81C46A35CE411E5FBC1191A0A52EF":"A0A1ABCD1893AB6FE0FE5B65DF5F8636"
+
+Camellia-128-ECB Encrypt Perl EVP #4
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"F69F2445DF4F9B17AD2B417BE66C3710":"E61925E0D5DFAA9BB29F815B3076E51A"
+
+Camellia-192-ECB Encrypt Perl EVP #1 [#2]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"6BC1BEE22E409F96E93D7E117393172A":"CCCC6C4E138B45848514D48D0D3439D3"
+
+Camellia-192-ECB Encrypt Perl EVP #2
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"5713C62C14B2EC0F8393B6AFD6F5785A"
+
+Camellia-192-ECB Encrypt Perl EVP #3
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"30C81C46A35CE411E5FBC1191A0A52EF":"B40ED2B60EB54D09D030CF511FEEF366"
+
+Camellia-192-ECB Encrypt Perl EVP #4
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"F69F2445DF4F9B17AD2B417BE66C3710":"909DBD95799096748CB27357E73E1D26"
+
+Camellia-256-ECB Encrypt Perl EVP #1 [#2]
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"6BC1BEE22E409F96E93D7E117393172A":"BEFD219B112FA00098919CD101C9CCFA"
+
+Camellia-256-ECB Encrypt Perl EVP #2
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"C91D3A8F1AEA08A9386CF4B66C0169EA"
+
+Camellia-256-ECB Encrypt Perl EVP #3
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"30C81C46A35CE411E5FBC1191A0A52EF":"A623D711DC5F25A51BB8A80D56397D28"
+
+Camellia-256-ECB Encrypt Perl EVP #4
+depends_on:MBEDTLS_CAMELLIA_C
+test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"F69F2445DF4F9B17AD2B417BE66C3710":"7960109FB6DC42947FCFE59EA3C5EB6B"
+
diff --git a/tests/suites/test_suite_block_cipher.function b/tests/suites/test_suite_block_cipher.function
new file mode 100644
index 0000000..3350b0f
--- /dev/null
+++ b/tests/suites/test_suite_block_cipher.function
@@ -0,0 +1,129 @@
+/* BEGIN_HEADER */
+#include "block_cipher_internal.h"
+
+#define BLOCK_SIZE 16
+
+#if defined(MBEDTLS_AES_C)
+#define VALID_CIPHER_ID MBEDTLS_CIPHER_ID_AES
+#define BADKEY_ERROR MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+#elif defined(MBEDTLS_ARIA_C)
+#define VALID_CIPHER_ID MBEDTLS_CIPHER_ID_ARIA
+#define BADKEY_ERROR MBEDTLS_ERR_ARIA_BAD_INPUT_DATA
+#elif defined(MBEDTLS_CAMELLIA_C)
+#define VALID_CIPHER_ID MBEDTLS_CIPHER_ID_CAMELLIA
+#define BADKEY_ERROR MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA
+#else
+#undef VALID_CIPHER_ID
+#endif
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_BLOCK_CIPHER_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:VALID_CIPHER_ID */
+void invalid()
+{
+ /* That size is valid for a key or an input/output block. */
+ unsigned char buf[16] = { 0 };
+
+ mbedtls_block_cipher_context_t ctx;
+
+ mbedtls_block_cipher_init(&ctx);
+
+ /* Bad parameters to setup */
+ TEST_EQUAL(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+ mbedtls_block_cipher_setup(&ctx, MBEDTLS_CIPHER_ID_NONE));
+ TEST_EQUAL(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+ mbedtls_block_cipher_setup(&ctx, MBEDTLS_CIPHER_ID_DES));
+
+ /* setkey() before successful setup() */
+ TEST_EQUAL(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT,
+ mbedtls_block_cipher_setkey(&ctx, buf, 128));
+
+ /* encrypt() before successful setup() */
+ TEST_EQUAL(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT,
+ mbedtls_block_cipher_encrypt(&ctx, buf, buf));
+
+ /* free() before successful setup()
+ * No return value to check, but shouldn't cause memory errors. */
+ mbedtls_block_cipher_free(&ctx);
+
+ /* Now properly setup the context */
+ mbedtls_block_cipher_init(&ctx);
+ TEST_EQUAL(0, mbedtls_block_cipher_setup(&ctx, VALID_CIPHER_ID));
+
+ /* Bad parameters to setkey() */
+ TEST_EQUAL(BADKEY_ERROR,
+ mbedtls_block_cipher_setkey(&ctx, buf, 42));
+
+exit:
+ mbedtls_block_cipher_free(&ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_vec(int cipher_id_arg, data_t *key, data_t *input, data_t *outref)
+{
+ mbedtls_block_cipher_context_t ctx;
+ mbedtls_cipher_id_t cipher_id = cipher_id_arg;
+ unsigned char output[BLOCK_SIZE];
+
+ mbedtls_block_cipher_init(&ctx);
+
+ memset(output, 0x00, sizeof(output));
+
+ TEST_EQUAL(0, mbedtls_block_cipher_setup(&ctx, cipher_id));
+ TEST_EQUAL(0, mbedtls_block_cipher_setkey(&ctx, key->x, 8 * key->len));
+
+ /* Encrypt with input != output */
+ TEST_EQUAL(0, mbedtls_block_cipher_encrypt(&ctx, input->x, output));
+ ASSERT_COMPARE(output, BLOCK_SIZE, outref->x, outref->len);
+
+ /* Encrypt with input == output.
+ * (Also, encrypting again ensures the previous call to encrypt()
+ * did not change the state of the context.) */
+ memcpy(output, input->x, BLOCK_SIZE);
+ TEST_EQUAL(0, mbedtls_block_cipher_encrypt(&ctx, output, output));
+ ASSERT_COMPARE(output, BLOCK_SIZE, outref->x, outref->len);
+
+exit:
+ mbedtls_block_cipher_free(&ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void block_cipher_psa_dynamic_dispatch(int cipher_type, int pre_psa_ret, int post_psa_engine)
+{
+ mbedtls_block_cipher_context_t ctx;
+ (void) post_psa_engine;
+
+ /* Intentionally no PSA init here! (Will be done later.) */
+
+ mbedtls_block_cipher_init(&ctx);
+
+ /* Before PSA crypto init */
+ TEST_EQUAL(pre_psa_ret, mbedtls_block_cipher_setup(&ctx, cipher_type));
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ TEST_EQUAL(ctx.engine, MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY);
+#endif
+
+ mbedtls_block_cipher_free(&ctx);
+
+ /* Now initilize PSA Crypto */
+ BLOCK_CIPHER_PSA_INIT();
+
+ mbedtls_block_cipher_init(&ctx);
+ /* After PSA Crypto init */
+ TEST_EQUAL(0, mbedtls_block_cipher_setup(&ctx, cipher_type));
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ TEST_EQUAL(ctx.engine, post_psa_engine);
+#endif
+
+exit:
+ mbedtls_block_cipher_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+}
+/* END_CASE */
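Review bot: In `test_vec`, `input->x` is passed to `mbedtls_block_cipher_encrypt()` and then copied with `memcpy(output, input->x, BLOCK_SIZE)` without checking that the vector supplies `BLOCK_SIZE` bytes. A truncated plaintext in a `.data` file would therefore be read past its end (presumably a buffer sized to the hex string) instead of failing cleanly. Only `outref->len` is validated, indirectly, by `ASSERT_COMPARE`. I would add `TEST_EQUAL(input->len, BLOCK_SIZE);` right after `mbedtls_block_cipher_init(&ctx);`, so a malformed vector is reported as a test failure rather than as a sanitizer error or a comparison against stray memory. Separately, the comment `/* Now initilize PSA Crypto */` in `block_cipher_psa_dynamic_dispatch` should read `initialize`.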
diff --git a/tests/suites/test_suite_block_cipher.psa.data b/tests/suites/test_suite_block_cipher.psa.data
new file mode 100644
index 0000000..eb0c278
--- /dev/null
+++ b/tests/suites/test_suite_block_cipher.psa.data
@@ -0,0 +1,35 @@
+AES - legacy only
+depends_on:MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY:!MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_AES:0:MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY
+
+AES - driver only
+depends_on:!MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_AES:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
+
+AES - legacy + driver
+depends_on:MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_AES:0:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
+
+ARIA - legacy only
+depends_on:MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY:!MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_ARIA:0:MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY
+
+ARIA - driver only
+depends_on:!MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_ARIA:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
+
+ARIA - legacy + driver
+depends_on:MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_ARIA:0:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
+
+Camellia - legacy only
+depends_on:MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY:!MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_CAMELLIA:0:MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY
+
+Camellia - driver only
+depends_on:!MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_CAMELLIA:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
+
+Camellia - legacy + driver
+depends_on:MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY:MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
+block_cipher_psa_dynamic_dispatch:MBEDTLS_CIPHER_ID_CAMELLIA:0:MBEDTLS_BLOCK_CIPHER_ENGINE_PSA
diff --git a/tests/suites/test_suite_camellia.function b/tests/suites/test_suite_camellia.function
index 1cef97a..6930679 100644
--- a/tests/suites/test_suite_camellia.function
+++ b/tests/suites/test_suite_camellia.function
@@ -67,7 +67,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
void camellia_decrypt_ecb(data_t *key_str, data_t *src_str,
data_t *dst, int setkey_result)
{
diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data
index caf9a74..22150f7 100644
--- a/tests/suites/test_suite_ccm.data
+++ b/tests/suites/test_suite_ccm.data
@@ -2,15 +2,15 @@ CCM self test
mbedtls_ccm_self_test:
CCM init #1 AES-128: OK
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_setkey:MBEDTLS_CIPHER_ID_AES:128:0
CCM init #2 CAMELLIA-256: OK
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:256:0
CCM init #3 AES-224: bad key size
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_setkey:MBEDTLS_CIPHER_ID_AES:224:MBEDTLS_ERR_CCM_BAD_INPUT
CCM init #4 DES: bad block size
@@ -55,1709 +55,1709 @@ CCM* fixed tag lengths #2 all OK - tag length 0
ccm_star_lengths:5:10:5:0:0
CCM* encrypt and tag #1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"223BC1EC841AB553":0
CCM* encrypt and tag #2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"61626364":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"D43E022B":0
CCM* encrypt and tag #3
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"CE":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"D84FDE529061F9C6F1":0
CCM* auth decrypt tag #1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"223BC1EC841AB553":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"":0
CCM* auth decrypt tag #2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D43E022B":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"61626364":0
CCM* auth decrypt tag #3
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D84FDE529061F9C6F1":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"CE":0
CCM encrypt and tag RFC 3610 #1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000003020100A0A1A2A3A4A5":"0001020304050607":"588C979A61C663D2F066D0C2C0F989806D5F6B61DAC38417E8D12CFDF926E0"
CCM encrypt and tag RFC 3610 #2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00000004030201A0A1A2A3A4A5":"0001020304050607":"72C91A36E135F8CF291CA894085C87E3CC15C439C9E43A3BA091D56E10400916"
CCM encrypt and tag RFC 3610 #3
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20":"00000005040302A0A1A2A3A4A5":"0001020304050607":"51B1E5F44A197D1DA46B0F8E2D282AE871E838BB64DA8596574ADAA76FBD9FB0C5"
CCM encrypt and tag RFC 3610 #4
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E":"00000006050403A0A1A2A3A4A5":"000102030405060708090A0B":"A28C6865939A9A79FAAA5C4C2A9D4A91CDAC8C96C861B9C9E61EF1"
CCM encrypt and tag RFC 3610 #5
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F":"00000007060504A0A1A2A3A4A5":"000102030405060708090A0B":"DCF1FB7B5D9E23FB9D4E131253658AD86EBDCA3E51E83F077D9C2D93"
CCM encrypt and tag RFC 3610 #6
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F20":"00000008070605A0A1A2A3A4A5":"000102030405060708090A0B":"6FC1B011F006568B5171A42D953D469B2570A4BD87405A0443AC91CB94"
CCM encrypt and tag RFC 3610 #7
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000009080706A0A1A2A3A4A5":"0001020304050607":"0135D1B2C95F41D5D1D4FEC185D166B8094E999DFED96C048C56602C97ACBB7490"
CCM encrypt and tag RFC 3610 #8
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"0000000A090807A0A1A2A3A4A5":"0001020304050607":"7B75399AC0831DD2F0BBD75879A2FD8F6CAE6B6CD9B7DB24C17B4433F434963F34B4"
CCM encrypt and tag RFC 3610 #9
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20":"0000000B0A0908A0A1A2A3A4A5":"0001020304050607":"82531A60CC24945A4B8279181AB5C84DF21CE7F9B73F42E197EA9C07E56B5EB17E5F4E"
CCM encrypt and tag RFC 3610 #10
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E":"0000000C0B0A09A0A1A2A3A4A5":"000102030405060708090A0B":"07342594157785152B074098330ABB141B947B566AA9406B4D999988DD"
CCM encrypt and tag RFC 3610 #11
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F":"0000000D0C0B0AA0A1A2A3A4A5":"000102030405060708090A0B":"676BB20380B0E301E8AB79590A396DA78B834934F53AA2E9107A8B6C022C"
CCM encrypt and tag RFC 3610 #12
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F20":"0000000E0D0C0BA0A1A2A3A4A5":"000102030405060708090A0B":"C0FFA0D6F05BDB67F24D43A4338D2AA4BED7B20E43CD1AA31662E7AD65D6DB"
CCM encrypt and tag RFC 3610 #13
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8E78CF7CB0CDDD7B3"
CCM encrypt and tag RFC 3610 #14
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"9020EA6F91BDD85AFA0039BA4BAFF9BFB79C7028949CD0EC":"0033568EF7B2633C9696766CFA":"63018F76DC8A1BCB":"4CCB1E7CA981BEFAA0726C55D378061298C85C92814ABC33C52EE81D7D77C08A"
CCM encrypt and tag RFC 3610 #15
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"B916E0EACC1C00D7DCEC68EC0B3BBB1A02DE8A2D1AA346132E":"00103FE41336713C9696766CFA":"AA6CFA36CAE86B40":"B1D23A2220DDC0AC900D9AA03C61FCF4A559A4417767089708A776796EDB723506"
CCM encrypt and tag RFC 3610 #16
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"12DAAC5630EFA5396F770CE1A66B21F7B2101C":"00764C63B8058E3C9696766CFA":"D0D0735C531E1BECF049C244":"14D253C3967B70609B7CBB7C499160283245269A6F49975BCADEAF"
CCM encrypt and tag RFC 3610 #17
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"E88B6A46C78D63E52EB8C546EFB5DE6F75E9CC0D":"00F8B678094E3B3C9696766CFA":"77B60F011C03E1525899BCAE":"5545FF1A085EE2EFBF52B2E04BEE1E2336C73E3F762C0C7744FE7E3C"
CCM encrypt and tag RFC 3610 #18
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"6435ACBAFB11A82E2F071D7CA4A5EBD93A803BA87F":"00D560912D3F703C9696766CFA":"CD9044D2B71FDB8120EA60C0":"009769ECABDF48625594C59251E6035722675E04C847099E5AE0704551"
CCM encrypt and tag RFC 3610 #19
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"8A19B950BCF71A018E5E6701C91787659809D67DBEDD18":"0042FFF8F1951C3C9696766CFA":"D85BC7E69F944FB8":"BC218DAA947427B6DB386A99AC1AEF23ADE0B52939CB6A637CF9BEC2408897C6BA"
CCM encrypt and tag RFC 3610 #20
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"1761433C37C5A35FC1F39F406302EB907C6163BE38C98437":"00920F40E56CDC3C9696766CFA":"74A0EBC9069F5B37":"5810E6FD25874022E80361A478E3E9CF484AB04F447EFFF6F0A477CC2FC9BF548944"
CCM encrypt and tag RFC 3610 #21
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"A434A8E58500C6E41530538862D686EA9E81301B5AE4226BFA":"0027CA0C7120BC3C9696766CFA":"44A3AA3AAE6475CA":"F2BEED7BC5098E83FEB5B31608F8E29C38819A89C8E776F1544D4151A4ED3A8B87B9CE"
CCM encrypt and tag RFC 3610 #22
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"B96B49E21D621741632875DB7F6C9243D2D7C2":"005B8CCBCD9AF83C9696766CFA":"EC46BB63B02520C33C49FD70":"31D750A09DA3ED7FDDD49A2032AABF17EC8EBF7D22C8088C666BE5C197"
CCM encrypt and tag RFC 3610 #23
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"E2FCFBB880442C731BF95167C8FFD7895E337076":"003EBE94044B9A3C9696766CFA":"47A65AC78B3D594227E85E71":"E882F1DBD38CE3EDA7C23F04DD65071EB41342ACDF7E00DCCEC7AE52987D"
CCM encrypt and tag RFC 3610 #24
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"ABF21C0B02FEB88F856DF4A37381BCE3CC128517D4":"008D493B30AE8B3C9696766CFA":"6E37A6EF546D955D34AB6059":"F32905B88A641B04B9C9FFB58CC390900F3DA12AB16DCE9E82EFA16DA62059"
CCM encrypt and tag AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt and tag NIST VTT AES-128 #1 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"43b1a6bc8d0d22d6d1ca95c18593cca5":"a2b381c7d1545c408fe29817a21dc435a154c87256346b05":"9882578e750b9682c6ca7f8f86":"2084f3861c9ad0ccee7c63a7e05aece5db8b34bd8724cc06b4ca99a7f9c4914f":"cc69ed76985e0ed4c8365a72775e5a19bfccc71aeb116c85a8c74677"
CCM encrypt and tag NIST VTT AES-128 #2 (P=24, N=13, A=32, T=6)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"44e89189b815b4649c4e9b38c4275a5a":"8db6ae1eb959963931d1c5224f29ef50019d2b0db7f5f76f":"374c83e94384061ac01963f88d":"cd149d17dba7ec50000b8c5390d114697fafb61025301f4e3eaa9f4535718a08":"df952dce0f843374d33da94c969eff07b7bc2418ca9ee01e32bc2ffa8600"
CCM encrypt and tag NIST VTT AES-128 #3 (P=24, N=13, A=32, T=8)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"368f35a1f80eaaacd6bb136609389727":"1cccd55825316a94c5979e049310d1d717cdfb7624289dac":"842a8445847502ea77363a16b6":"34396dfcfa6f742aea7040976bd596497a7a6fa4fb85ee8e4ca394d02095b7bf":"1a58094f0e8c6035a5584bfa8d1009c5f78fd2ca487ff222f6d1d897d6051618"
CCM encrypt and tag NIST VTT AES-128 #4 (P=24, N=13, A=32, T=10)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"996a09a652fa6c82eae8be7886d7e75e":"84cdd7380f47524b86168ed95386faa402831f22045183d0":"a8b3eb68f205a46d8f632c3367":"c71620d0477c8137b77ec5c72ced4df3a1e987fd9af6b5b10853f0526d876cd5":"a7fbf9dd1b099ed3acf6bcbd0b6f7cae57bee99f9d084f826d86e69c07f053d1a607"
CCM encrypt and tag NIST VTT AES-128 #5 (P=24, N=13, A=32, T=12)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3ee186594f110fb788a8bf8aa8be5d4a":"d71864877f2578db092daba2d6a1f9f4698a9c356c7830a1":"44f705d52acf27b7f17196aa9b":"2c16724296ff85e079627be3053ea95adf35722c21886baba343bd6c79b5cb57":"b4dd74e7a0cc51aea45dfb401a41d5822c96901a83247ea0d6965f5aa6e31302a9cc2b36"
CCM encrypt and tag NIST VTT AES-128 #6 (P=24, N=13, A=32, T=14)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7b2d52a5186d912cf6b83ace7740ceda":"ea384b081f60bb450808e0c20dc2914ae14a320612c3e1e8":"f47be3a2b019d1beededf5b80c":"76cf3522aff97a44b4edd0eef3b81e3ab3cd1ccc93a767a133afd508315f05ed":"79070f33114a980dfd48215051e224dfd01471ac293242afddb36e37da1ee8a88a77d7f12cc6"
CCM encrypt and tag NIST VTT AES-128 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4189351b5caea375a0299e81c621bf43":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9"
CCM encrypt and tag NIST VTT AES-192 #1 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"11fd45743d946e6d37341fec49947e8c70482494a8f07fcc":"ee7e6075ba52846de5d6254959a18affc4faf59c8ef63489":"c6aeebcb146cfafaae66f78aab":"7dc8c52144a7cb65b3e5a846e8fd7eae37bf6996c299b56e49144ebf43a1770f":"137d9da59baf5cbfd46620c5f298fc766de10ac68e774edf1f2c5bad"
CCM encrypt and tag NIST VTT AES-192 #2 (P=24, N=13, A=32, T=6)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"146a163bbf10746e7c1201546ba46de769be23f9d7cc2c80":"473b6600559aefb67f7976f0a5cc744fb456efd86f615648":"f5827e51707d8d64bb522985bb":"599b12ebd3347a5ad098772c44c49eed954ec27c3ba6206d899ddaabca23a762":"26d2be30e171439d54a0fec291c6024d1de09d61b44f53258ba1360406f9"
CCM encrypt and tag NIST VTT AES-192 #3 (P=24, N=13, A=32, T=8)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bdf277af2226f03ec1a0ba7a8532ade6aea9b3d519fe2d38":"0ff89eff92a530b66684cd75a39481e7e069a7d05e89b692":"cc3c596be884e7caed503315c0":"4d6546167b3ed55f01c62bd384e02e1039c0d67ef7abe33291fecb136272f73b":"6ef66a52c866bd5df20ec5096de92167ad83cab0e095ad0c778a299f1224f10c"
CCM encrypt and tag NIST VTT AES-192 #4 (P=24, N=13, A=32, T=10)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"62f8eba1c2c5f66215493a6fa6ae007aae5be92f7880336a":"f5522e3405d9b77cbf3257db2b9675e618e8744a0ee03f0f":"15769753f503aa324f4b0e8ee0":"1bc05440ee3e34d0f25e90ca1ecbb555d0fb92b311621d171be6f2b719923d23":"b9103942dbbb93e15086751c9bb0a3d33112b55f95b7d4f32ff0bb90a8879812683f"
CCM encrypt and tag NIST VTT AES-192 #5 (P=24, N=13, A=32, T=12)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5a5667197f46b8027980d0a3166c0a419713d4df0629a860":"d0e4024d6e33daafc011fe463545ed20f172872f6f33cefa":"6236b01079d180fce156fbaab4":"29bdf65b29394d363d5243d4249bad087520f8d733a763daa1356be458d487e5":"479f3d408bfa00d1cd1c8bf11a167ce7ae4bcdb011f04e38733013b8ebe5e92b1917640c"
CCM encrypt and tag NIST VTT AES-192 #6 (P=24, N=13, A=32, T=14)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d2d4482ea8e98c1cf309671895a16610152ce283434bca38":"78168e5cc3cddf4b90d5bc11613465030903e0196f1fe443":"6ee177d48f59bd37045ec03731":"9ef2d0d556d05cf9d1ee9dab9b322a389c75cd4e9dee2c0d08eea961efce8690":"e2324a6d5643dfc8aea8c08cbbc245494a3dcbcb800c797c3abcdb0563978785bf7fd71c6c1f"
CCM encrypt and tag NIST VTT AES-192 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a7177fd129674c6c91c1c89f4408139afe187026b8114893":"2cea0f7304860a4f40a28c8b890db60f3891b9982478495e":"31bb28f0e1e63c36ca3959dd18":"2529a834668187213f5342a1f3deea0dc2765478c7d71c9c21b9eb1351a5f6cb":"5bb7aa6ab9c02a5712d62343fbe61f774e598d6b87545612380ea23dcffc9574f672bca92e306411"
CCM encrypt and tag NIST VTT AES-256 #1 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9074b1ae4ca3342fe5bf6f14bcf2f27904f0b15179d95a654f61e699692e6f71":"239029f150bccbd67edbb67f8ae456b4ea066a4beee065f9":"2e1e0132468500d4bd47862563":"3c5f5404370abdcb1edde99de60d0682c600b034e063b7d3237723da70ab7552":"9c8d5dd227fd9f81237601830afee4f0115636c8e5d5fd743cb9afed"
CCM encrypt and tag NIST VTT AES-256 #2 (P=24, N=13, A=32, T=6)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8596a69890b0e47d43aeeca54b52029331da06fae63aa3249faaca94e2605feb":"f0b065da6ecb9ddcab855152d3b4155037adfa758ba96070":"20442e1c3f3c88919c39978b78":"4e0d3aa502bd03fe1761b167c4e0df1d228301d3ebaa4a0281becd813266e255":"d6a0f377f7c1b14dcdba729cae5271b027e71cc7850173ec265867a29eb3"
CCM encrypt and tag NIST VTT AES-256 #3 (P=24, N=13, A=32, T=8)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bae73483de27b581a7c13f178a6d7bda168c1b4a1cb9180512a13e3ab914eb61":"28ef408d57930086011b167ac04b866e5b58fe6690a0b9c3":"daf54faef6e4fc7867624b76f2":"7022eaa52c9da821da72d2edd98f6b91dfe474999b75b34699aeb38465f70c1c":"356367c6cee4453658418d9517f7c6faddcd7c65aef460138cf050f48c505151"
CCM encrypt and tag NIST VTT AES-256 #4 (P=24, N=13, A=32, T=10)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d5b321b0ac2fedce0933d57d12195c7b9941f4caa95529125ed21c41fac43374":"6aa6ea668df60b0db85592d0a819c9df9e1099916272aafb":"b35fb2262edfa14938a0fba03e":"ba762bbda601d711e2dfc9dbe3003d39df1043ca845612b8e9dc9ff5c5d06ec4":"97027de5effd82c58f8dbfb909d7696fbe2d54916262912001a4d765bc1c95c90a95"
CCM encrypt and tag NIST VTT AES-256 #5 (P=24, N=13, A=32, T=12)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7f4af6765cad1d511db07e33aaafd57646ec279db629048aa6770af24849aa0d":"7ebef26bf4ecf6f0ebb2eb860edbf900f27b75b4a6340fdb":"dde2a362ce81b2b6913abc3095":"404f5df97ece7431987bc098cce994fc3c063b519ffa47b0365226a0015ef695":"353022db9c568bd7183a13c40b1ba30fcc768c54264aa2cd2927a053c9244d3217a7ad05"
CCM encrypt and tag NIST VTT AES-256 #6 (P=24, N=13, A=32, T=14)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5c8b59d3e7986c277d5ad51e4a2233251076809ebf59463f47cd10b4aa951f8c":"138ee53b1914d3322c2dd0a4e02faab2236555131d5eea08":"21ff892b743d661189e205c7f3":"f1e0af185180d2eb63e50e37ba692647cac2c6a149d70c81dbd34685ed78feaa":"5b2f3026f30fdd50accc40ddd093b7997f23d7c6d3c8bc425f82c828413643b8794494cb5236"
CCM encrypt and tag NIST VTT AES-256 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"60823b64e0b2da3a7eb772bd5941c534e6ff94ea96b564e2b38f82c78bb54522":"a8be794613835c4366e75817d228438f011a2ec8a86f9797":"48526f1bffc97dd65e42906983":"fab62b3e5deda7a9c1128663cc81c44b74ab1bfe70bc1c9dec7c7fd08173b80a":"cc3efe04d84a4ec5cb6a6c28dc2c2d386a359d9550dbdec963ddd56464aed6d0613159d1aa181dcb"
CCM encrypt and tag NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ebf60f0969013a54a3dedb19d20f6c8":"":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880"
CCM encrypt and tag NIST VPT AES-128 #2 (P=1, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6ae7a8e907b8720f4b0d5507c1d0dc41":"0e":"7f18ad442e536a0159e7aa8c0f":"9c9b0f11e020c6512a63dfa1a5ec8df8bd8e2ad83cf87b80b38635621c5dc0d7":"4c201784bdab19e255787fecd02000c49d"
CCM encrypt and tag NIST VPT AES-128 #3 (P=2, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3d746ae6cac5cefd01f021c0bbf4bc3c":"4360":"597b3614ff9cd567afd1aad4e5":"90446190e1ff5e48e8a09d692b217de3ad0ab4a670e7f1b437f9c07a902cad60":"e38fdb77c1f8bbac2903a2ec7bc0f9c5654d"
CCM encrypt and tag NIST VPT AES-128 #4 (P=3, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3e4fa1c6f8b00f1296956735ee86e310":"3a6734":"c6a170936568651020edfe15df":"00d57896da2435a4271afb9c98f61a650e63a4955357c47d073c5165dd4ea318":"384be657bfc5f385b179be7333eb3f57df546b"
CCM encrypt and tag NIST VPT AES-128 #5 (P=4, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7ccbb8557f6e08f436d0957d4bbe7fdf":"4cabeb02":"bb8e2ef2ed9484f9021cda7073":"fba1d18a74a3bb38671ab2842ffaa434cd572a0b45320e4145930b3008d8d350":"32501f4235c4dd96e83d5ab4c3c31c523453c317"
CCM encrypt and tag NIST VPT AES-128 #6 (P=5, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3725c7905bfaca415908c617b78f8dee":"f5499a7082":"c98ec4473e051a4d4ac56fd082":"11bc87f1c2d2076ba47c5cb530dd6c2a224f7a0f7f554e23d7d29077c7787680":"e378b776242066751af249d521c6eaebdff40b2642"
CCM encrypt and tag NIST VPT AES-128 #7 (P=6, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"80bead98a05d1bb173cd4fca463b8fa3":"e479990bf082":"8a14a6d255aa4032ebff37a3d7":"bb4e706e73d21df66f64173859d47e247527cd9832e20dccff8548ed5f554108":"89c9246238878427f36b1f6c633e4542f32b50ca8edb"
CCM encrypt and tag NIST VPT AES-128 #8 (P=7, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dc8ec91184ba18eae31ac2d3b252673f":"2a5775986551c8":"0da4c988f521f5648259f2bec2":"6d5573c9279897d7d1602d8a95c04bb5ca3fad2dbe89a024b3651eb227e73bb5":"4f259f2a718faea852a7c4358dfa9f5467357638acac90"
CCM encrypt and tag NIST VPT AES-128 #9 (P=8, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"19f97ef5318b8005fc7133fa31dd1236":"6d972a673fbe1ca1":"01ce9814c6329dbee1d02b1321":"85853f120981f33cf1d50fde6b8bc865fe988a9f12579acdb336f9f992b08b89":"2f12a7e7acecae5d2563309efc19368cdee8266538ca89d3"
CCM encrypt and tag NIST VPT AES-128 #10 (P=9, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c17944bfaeeb808eed66ae7242ab545f":"7caae2640e734539d3":"910b3db64df3728ca98219e01b":"edf64f98b3ab593cbcf68ab37a8c9472e49cb849d4a744deae925a5a43faf262":"0dae8b3ccf0b439f6ff8ee4a233dfb7753f6bfe321b3e26959"
CCM encrypt and tag NIST VPT AES-128 #11 (P=10, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0fb9df6f638847f5de371f003dd938f4":"e10cc36bc1c5d3c646ab":"c9ddf61c052f3502ad6b229819":"4f9938d5bc3dcbe47f6b256d5e99723d0891e50c6175aba41b011e4686113c49":"7f797367de50be6dc04e4cf0d8c24189affd35060cb7ca3dd136"
CCM encrypt and tag NIST VPT AES-128 #12 (P=11, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"006ff7d3153caf906ec7929f5aef9276":"31be1b241cae79c54c2446":"57db1541a185bd9cdc34d62025":"7d9681cac38e778fba11f4464f69ed9ebfea31b7ffcaf2925b3381c65d975974":"9dd8a4244fbdb30b624578a625c43233476bbb959acd9edebe2883"
CCM encrypt and tag NIST VPT AES-128 #13 (P=12, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"026331e98aba9e8c23a9e8a91d0b0c97":"a82200ef3a08c390dec5cbf9":"bccfe69bba168b81cbdf7d018a":"26e011143a686a7224ddb8c5b1e5d31713fa22c386785e2c34f498ae56d07ed5":"adf4fc6f9be113066c09248fcb56a9c1a1c3bb16fbb9fbaedacdb12b"
CCM encrypt and tag NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa":"89f15b1cb665a8851da03b874ca6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt and tag NIST VPT AES-128 #15 (P=14, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7301c907b9d2aaac355c5416ff25c59b":"484300aa3a506afcd313b49ead8d":"7304b65b6dab466273862c88b9":"2c5d114eff62c527cc2e03c33c595a80fe609bfc0fe13ce3380efe05d85cceac":"928ca58b0d373dc50c52afac787ce8eeb5d5b493661259a9d91ea31a5f7e"
CCM encrypt and tag NIST VPT AES-128 #16 (P=15, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"38be46d271bf868c198052391f8a2147":"61bd1385be92097e866550a55278f0":"6758f67db9bfea5f0e0972e08b":"c6de3be97f11d0e2ab85c9353b783f25b37366a78a2012cecf5b7a87138b3c86":"7c9fa8d99b38f825315ece6a2613f55e902f296dcce870263ae50cda4fadae"
CCM encrypt and tag NIST VPT AES-128 #17 (P=16, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"70010ed90e6186ecad41f0d3c7c42ff8":"be322f58efa7f8c68a635e0b9cce77f2":"a5f4f4986e98472965f5abcc4b":"3fec0e5cc24d67139437cbc8112414fc8daccd1a94b49a4c76e2d39303547317":"8e4425ae573974f0f0693a188b525812eef08e3fb15f4227e0d989a4d587a8cf"
CCM encrypt and tag NIST VPT AES-128 #18 (P=17, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"79eae5baddc5887bdf3031fd1d65085b":"001343e6191f5f1738e7d19d4eec2b9592":"9da59614535d1fad35f2ece00f":"46603500af9e4e7a2f9545411a58b21a6efd21f2b5f315d02d964c09270145b3":"2162e27bfbf1d00f2404754a254665fd9270f0edb415993588b2535e2e0e4fd086"
CCM encrypt and tag NIST VPT AES-128 #19 (P=18, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c14eda0f958465246fe6ab541e5dfd75":"617868ae91f705c6b583b5fd7e1e4086a1bb":"32b63ca7e269223f80a56baaaa":"733f8e7670de3446016916510dfe722ce671570121d91331a64feb3d03f210e6":"b2dc1e548b3d3f225a34082f4391980a0788b4cc36852fd64a423fb8e872252b248e"
CCM encrypt and tag NIST VPT AES-128 #20 (P=19, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c5e7147f56ba4530b8799ababeb82772":"2f3bf0b566440912a1e47a0c07f1cfd39cb440":"bdd38e173fb20b981659c597d6":"3a069a2bfda44abbb0a82a97e5e9047258c803da2c66190d77149e0f010b3af9":"bd6265dcba9e14c59e515e395dc60bd053345fa6d7568c738e3a7fdf142d8f2d1562c0"
CCM encrypt and tag NIST VPT AES-128 #21 (P=20, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"78c46e3249ca28e1ef0531d80fd37c12":"4802422c9b3b4459ba26e7863ad87b0c172cfe4b":"5de41a86ce3f3fb1b685b3ca4d":"e98a77f2a941b36232589486b05f4278275588665a06d98aec98915cc5607e06":"daea2234ea433533bf0716abe1aa3844b6d3c51e9d5ca3d8ec5065630d2de0717cdeb7d5"
CCM encrypt and tag NIST VPT AES-128 #22 (P=21, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8883002bf13b3a94b2467225970df938":"d516bbff452e7706c91c7ace3e9baa76d65ff7050f":"818a702d5c8ee973b34e9acda1":"545aeac737c0ca2a3d5e1fd966840c3a0d71e0301abbe99c7af18d24cc7e9633":"b85242fdc06344f2bd9a97b408902ebcd22aece3d42f2da4dd4d817c9fa2d44bc02163a0a9"
CCM encrypt and tag NIST VPT AES-128 #23 (P=22, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5cea00ee44cfb9cfbb598d3812e380ef":"33bfd0713f30fcac8f7f95920ac6d9b803ddd5480dd8":"948788a9c8188cb988430a7ebd":"50422c5e6a0fb8231b3bb6e2f89607019be6ad92a4dae8e0fe3f9e486476004b":"b168747dea3ae0fbede4402af9a3dc3185d6d162f859d828101682de32923788c70262b84814"
CCM encrypt and tag NIST VPT AES-128 #24 (P=23, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cb83f77751e72711401cbbf4f61aa0ed":"eede01b08f9a303cdf14c99d7a45732972c6eff2a1db06":"c0b461b2e15b8b116ef9281704":"2bd112231f903fa0dff085db48a2e2a96ec0199249b005d5ab4c2eab753f9ad0":"feb114b7bd3b43497b62454a675a632c3546d2802462c6af57647efda119c59862cd5dd3904efc"
CCM encrypt and tag NIST VPT AES-128 #25 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"43c1142877d9f450e12d7b6db47a85ba":"b506a6ba900c1147c806775324b36eb376aa01d4c3eef6f5":"76becd9d27ca8a026215f32712":"6a59aacadd416e465264c15e1a1e9bfa084687492710f9bda832e2571e468224":"14b14fe5b317411392861638ec383ae40ba95fefe34255dc2ec067887114bc370281de6f00836ce4"
CCM encrypt and tag NIST VPT AES-192 #1 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"086e2967cde99e90faaea8a94e168bf0e066c503a849a9f3":"":"929542cd690f1babcf1696cb03":"58f70bab24e0a6137e5cd3eb18656f2b5ccddc3f538a0000c65190e4a3668e71":"3bf9d93af6ffac9ac84cd3202d4e0cc8"
CCM encrypt and tag NIST VPT AES-192 #2 (P=1, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"992d38768b11a236945bd4b327c3728fac24c091238b6553":"1c":"b248a90b84b0122a5ad8e12760":"27cabc40da0e1eda0ea5f8abbb7c179e30776250a7b30d711b0e106c5ee9d84a":"1a96f58c3f38c44d1a345f3e2da6679f20"
CCM encrypt and tag NIST VPT AES-192 #3 (P=2, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5012db40ff6ae23c1e1ce43768c5936c4400b0e79ae77f30":"0c6c":"b67e500b35d60ad7264240027c":"40affd355416200191ba64edec8d7d27ead235a7b2e01a12662273deb36379b8":"c996ef3d6ef9f981557506ecc8797bbaaaa7"
CCM encrypt and tag NIST VPT AES-192 #4 (P=3, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fa15cc7f0de294d7341b1fd79326c8be78e67822343c1992":"bcb898":"e5257aed2bda0495aa44591db4":"31a0338c3839931fa1dd5131cb796c4c6cfde9fb336d8a80ac35dec463be7a94":"68f08298d9a2147776dca9c1a42382bce323b2"
CCM encrypt and tag NIST VPT AES-192 #5 (P=4, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b5330a8447d74a7987fb718cfae246b5c7e057991064eeaf":"b46b343e":"2ef29d62b40d8643848797cde8":"1225b036e6044df52314016760e92750de0936120395de750a2c54a7fa0cea82":"c2c39d6f9344e2de064f269d065a2a6108605916"
CCM encrypt and tag NIST VPT AES-192 #6 (P=5, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"30419145ae966591b408c29e5fd14d9112542909be5363f7":"8ceaeb89fd":"27e6b2a482bbc6f13702005708":"e04e81e860daf9696098c723085d8023c240ebe7a643131e35359ab04bd650fe":"ec9d5ed36243ddf77b33d8cf2963ba76fd4e19f3c5"
CCM encrypt and tag NIST VPT AES-192 #7 (P=6, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"748ad503388a34041a7bdae6361d57894357c333bacf02ca":"24d6880aed7e":"518b79d194579b19f2d8845b70":"691dd98f61fd213b0840ec5a6f06ef9a1420be0d59bde5e43546347a2a865a94":"270120f9634ec15536e21d961c675070ec4cff9037bc"
CCM encrypt and tag NIST VPT AES-192 #8 (P=7, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b930cca30a3fd230c237c8f3cc6792d0c4084dff5c18d775":"2a755e362373ef":"7574802fd82fe96c05431acd40":"1cf83928b6a9e525fe578c5c0f40c322be71b3092239bff954dd6883738d6d71":"f06238b0450fd1f4b6cab1383adb420c4724aa7bdfefb7"
CCM encrypt and tag NIST VPT AES-192 #9 (P=8, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"314c136999e41d137bd7ba17201a9fa406025868334e39b3":"4d54d8b06b204445":"65f7a0f4c0f5bba9d26f7e0ddb":"5c7ce4819b30b975ae6ce58dcc1bfa29a8b6dda8f4b76c7e23516487745e829c":"2baf90c490b11f9607482362ab3f157c42d0e9c6c5cffcf0"
CCM encrypt and tag NIST VPT AES-192 #10 (P=9, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a19f6be062ec0aaf33046bd52734f3336c85d8368bef86ab":"13511ae5ff6c6860a1":"7f2d07f8169c5672b4df7f6cac":"d68d5f763db6111c5d6324d694cb0236beab877daae8115ecb75d60530777b58":"b3859b757802ebd048467fd8e139eb9ee8fcdca45ed87dc1c8"
CCM encrypt and tag NIST VPT AES-192 #11 (P=10, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"de1c8263345081d2dfa9afdf37675971135e178df554a4d8":"f777aba1fa70f94e6de9":"a301bb82f91a582db01355c388":"9ad52c041390d0d4aaf65a4667c3239c95e7eae6178acc23fb4e70a852d483c6":"9d8bff6d2dcde77104ac6aba025abc01416a7ca9f096ab2529cb"
CCM encrypt and tag NIST VPT AES-192 #12 (P=11, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"248d36bd15f58e47fcf1c948272355821f8492e6e69f3661":"33709d9c7906e2f82dd9e2":"9e8d492c304cf6ad59102bca0e":"9ec08c7ed6b70823d819e9ab019e9929249f966fdb2069311a0ddc680ac468f5":"9114d36b79b1918b2720f40cddce66df9b4802f737bea4bd8f5378"
CCM encrypt and tag NIST VPT AES-192 #13 (P=12, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"77a67fb504b961028633321111aac2c30eb6d71a8cf72056":"10554c062d269ff6dcd98493":"acadc0330194906f8c75ac287f":"8c18486d52571f70f2ba6a747aaa3d4b3ebc2e481ee1b70907dddb94bdfa0ca6":"7f8b0cad79b545e5addf0b04ff4b0f2b2a5067283210aba8630d0306"
CCM encrypt and tag NIST VPT AES-192 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0d423519e4110c06063061323f8c7c95387776b6ee4e4b6e":"4021ff104ff1dbd91e46db249f":"39abe53826d9b8e300fe747533":"cdd9bf1b4f865e922c678ec4947ea0cb02e78bd5c1538f33aeb818ad3f47e519":"7953d3cd66d093785d123f65ba37f16761dd6aedbfc789ad96edf1490d"
CCM encrypt and tag NIST VPT AES-192 #15 (P=14, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a60cf7ceb62bf3118532bc61daa25ce946991047f951b536":"d64f9426febce6a84c954dd5ded5":"7499494faa44a7576f9ed5580d":"baa482c64eefd09118549a8968f44cfea7a436913a428e30aa4ab44802a4ba35":"f7580f17266d68237747bf57c7ed8242ac1a1979c5a9e7bc67d7698c7efa"
CCM encrypt and tag NIST VPT AES-192 #16 (P=15, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"82d4bc9aac298b09112073277205e1bf42176d1e6339b76c":"25a53fd3e476dc0860eeeea25fcb0c":"70325ef19e581b743095cd5eb1":"6d14bb2635c5d0ae83687f1824279cf141173527e1b32d1baf8a27f7fe34a542":"4a1cfd0023557a184b929965b0a445cb3993ca35acf354cb2b4254ff672e7f"
CCM encrypt and tag NIST VPT AES-192 #17 (P=16, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6873f1c6c30975aff6f08470264321130a6e5984ade324e9":"5051a0b0b6766cd6ea29a672769d40fe":"7c4d2f7cec04361f187f0726d5":"77743b5d83a00d2c8d5f7e10781531b496e09f3bc9295d7ae9799e64668ef8c5":"0ce5ac8d6b256fb7580bf6acc76426af40bce58fd4cd6548df90a0337c842004"
CCM encrypt and tag NIST VPT AES-192 #18 (P=17, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3cf8da27d5be1af024158985f725fd7a6242cbe0041f2c17":"f6dd2c64bf597e63263ccae1c54e0805fe":"07f77f114d7264a122a7e9db4f":"30457e99616f0247f1339b101974ea231904d0ef7bd0d5ee9b57c6c16761a282":"ce3031c3a70600e9340b2ddfe56aa72cffdc5e53e68c51ee55b276eb3f85d2cf63"
CCM encrypt and tag NIST VPT AES-192 #19 (P=18, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b46a3a24c66eb846ca6413c001153dc6998970c12e7acd5a":"56d18d3e2e496440d0a5c9e1bcb464faf5bc":"b79c33c96a0a90030694163e2a":"ea9405d6a46cac9783a7b48ac2e25cc9a3a519c4658b2a8770a37240d41587fb":"01baba2e0d5b49d600d03a7ed84ee878926c0ca478f40a6fbde01f584d938a1c91bf"
CCM encrypt and tag NIST VPT AES-192 #20 (P=19, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7b71045ccef735bd0c5bea3cf3b7e16e58d9c62061a204e0":"890d05420d57e3b3d8dbef117fe60c3fa6a095":"2b9ecfd179242c295fe6c6fa55":"b89166f97deb9cc7fdeb63639eeafb145895b307749ec1a293b27115f3aa8232":"f842ff6662684de8785af275fa2d82d587de0687ebe35e883cbd53b82f2a4624c03894"
CCM encrypt and tag NIST VPT AES-192 #21 (P=20, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dc7c67715f2709e150cceff020aaacf88a1e7568191acbcf":"f383bd3e6270876b74abbb5d35e7d4f11d83412c":"da56ea046990c70fa216e5e6c4":"f799818d91be7bab555a2e39f1f45810a94d07179f94fe1151d95ab963c47611":"377b5df263c5c74f63603692cbb61ea37b6d686c743f71e15490ca41d245768988719ede"
CCM encrypt and tag NIST VPT AES-192 #22 (P=21, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f41e369a1599627e76983e9a4fc2e963dab4960b09ebe390":"81ad3f386bedcbf656ff535c63580d1f87e3c72326":"68ef8285b90f28bcd3cb1bacea":"dbe3e82e49624d968f5463ceb8af189fb3ad8b3b4122142b110d848a286dae71":"9f6028153e06d14d30b862a99a35413413c04a49dc6f68a03a11cf00d58f062a7b36465d13"
CCM encrypt and tag NIST VPT AES-192 #23 (P=22, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3289e59e3a7b29bf4a309afc253030bba4b9bdd64f0722f9":"53911a67b65738f87fc7c20d6db8044bde1af95838d1":"30259ce106e9bd7a8bacbaf212":"2870bd9a26c510e9a256920899bbc77a4eb9b53f927045a943d5ed6b13638cf3":"70cf37d4b6f7e707376b1574ce17c040b5143da47abb2fe9afafc2fccd98ccf63b0fdec30eac"
CCM encrypt and tag NIST VPT AES-192 #24 (P=23, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"40f1aff2e44d05f12126097a0f07ac0359ba1a609356a4e6":"8d98c580fb366f330dbfda20f91d99a0878b47efd14c6d":"0df3fc6396f851785fca9aa5ff":"e9699b20b0574fce8b5cbc4ef792eb96e2c1cce36b1b1f06ea2a95fe300633cc":"579cdf9da62a2df471e03450516adb4ce99ae0f70b1776a39c3b429a1f922fac0b59e29a122e43"
CCM encrypt and tag NIST VPT AES-192 #25 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"91f9d636a071c3aad1743137e0644a73de9e47bd76acd919":"4eaf9384cad976f65f98042d561d760b5a787330dc658f6c":"1bf491ac320d660eb2dd45c6c3":"3bdfd7f18d2b6d0804d779f0679aaa2d7d32978c2df8015ae4b758d337be81dd":"635530cab14e3d0a135bb6eebb5829412676e6dd4995f99cb7e17f235bd660e7e17b2c65320e9fd4"
CCM encrypt and tag NIST VPT AES-256 #1 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c6c14c655e52c8a4c7e8d54e974d698e1f21ee3ba717a0adfa6136d02668c476":"":"291e91b19de518cd7806de44f6":"b4f8326944a45d95f91887c2a6ac36b60eea5edef84c1c358146a666b6878335":"ca482c674b599046cc7d7ee0d00eec1e"
CCM encrypt and tag NIST VPT AES-256 #2 (P=1, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cc49d4a397887cb57bc92c8a8c26a7aac205c653ef4011c1f48390ad35f5df14":"1a":"6df8c5c28d1728975a0b766cd7":"080f82469505118842e5fa70df5323de175a37609904ee5e76288f94ca84b3c5":"a5f24e87a11a95374d4c190945bf08ef2f"
CCM encrypt and tag NIST VPT AES-256 #3 (P=2, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"36b0175379e7ae19c277fe656a2252a82796309be0f0d4e1c07fdde88aca4510":"be80":"021bd8b551947be4c18cf1a455":"b5c6e8313b9c68e6bb84bffd65fa4108d243f580eab99bb80563ed1050c8266b":"ecacc3152e43d9efea26e16c1d1793e2a8c4"
CCM encrypt and tag NIST VPT AES-256 #4 (P=3, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ddb739acda6c56ec9aefc4f4cbc258587f443da4e76ddfa85dbe0813a8784944":"db457c":"0bddf342121b82f906368b0d7b":"887486fff7922768186363ef17eb78e5cf2fab8f47a4eb327de8b16d63b02acb":"54473c3f65d6be431e79700378049ac06f2599"
CCM encrypt and tag NIST VPT AES-256 #5 (P=4, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"62b82637e567ad27c3066d533ed76e314522ac5c53851a8c958ce6c64b82ffd0":"87294078":"5bc2896d8b81999546f88232ab":"fffb40b0d18cb23018aac109bf62d849adca42629d8a9ad1299b83fe274f9a63":"2bc22735ab21dfdcfe95bd83592fb6b4168d9a23"
CCM encrypt and tag NIST VPT AES-256 #6 (P=5, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bc29a16e19cfbe32bf4948e8e4484159bc819b7eec504e4441a1a98ca210e576":"3e8c6d1b12":"4f18bcc8ee0bbb80de30a9e086":"574931ae4b24bdf7e9217eca6ce2a07287999e529f6e106e3721c42dacf00f5d":"45f3795fcf9c66e1a43103d9a18f5fba5fab83f994"
CCM encrypt and tag NIST VPT AES-256 #7 (P=6, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5f4b4f97b6aa48adb3336c451aac377fde4adf47897fd9ccdf139f33be76b18c":"1b62ad19dcac":"7a76eac44486afdb112fc4aab9":"a66c980f6621e03ff93b55d5a148615c4ad36d6cbdd0b22b173b4b1479fb8ff7":"4ad1fcf57c12b14e0e659a6305b4aeffae82f8a66c94"
CCM encrypt and tag NIST VPT AES-256 #8 (P=7, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f7aaeff3a1dc0cc5ecf220c67ad9f6dda060b4f1be3cc609cb4f18b2342a88a2":"d48daa2919348d":"d0d6871b9adc8623ac63faf00f":"e97175c23c5b47da8ce67811c6d60a7499b3b7e1347ad860519285b67201fe38":"eb32ab153a8e092fa325bafc176a07c31e6cc0a852d288"
CCM encrypt and tag NIST VPT AES-256 #9 (P=8, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"493e14623cd250058a7fc66a3fee0c24b6e363b966c2314aff53b276b6c2ea7b":"e5653e512d8b0b70":"fe2d8ae8da94a6df563f89ce00":"579a637e37a0974cd2fc3b735d9ed088e8e488ffe210f043e0f9d2079a015ad6":"75d31f8d47bee5c4e2ba537355ae8ab25cc9ed3511ff5053"
CCM encrypt and tag NIST VPT AES-256 #10 (P=9, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b23255372455c69244a0210e6a9e13b155a5ec9d6d0900e54a8f4d9f7a255e3a":"615d724ae94a5daf8d":"274846196d78f0af2df5860231":"69adcae8a1e9a3f2fe9e62591f7b4c5b19d3b50e769521f67e7ea8d7b58d9fc8":"f019ae51063239287d896e7127f17d13f98013b420219eb877"
CCM encrypt and tag NIST VPT AES-256 #11 (P=10, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dbf06366f766e2811ecd5d4384d6d08336adc37e0824d620cf0d9e7fd1e7afa9":"2e3cf0af8c96c7b22719":"b3503ed4e277ed9769b20c10c0":"9ae5a04baa9d02c8854e609899c6240851cbc83f81f752bc04c71affa4eed385":"e317df43ab46eb31be7e76f2730d771d56099a0c8d2703d7a24e"
CCM encrypt and tag NIST VPT AES-256 #12 (P=11, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4dd555bd3a5253a90b68b5d4d46bd050340ee07ddad3a72048c657b5d76bb207":"8015c0f07a7acd4b1cbdd2":"bdb1b82ba864893c2ee8f7426c":"9bcc5848e928ba0068f7a867e79e83a6f93593354a8bfcfc306aeeb9821c1da1":"8e9f80c726980b3d42e43a6512a0481255b729a10f9edb5f07c60c"
CCM encrypt and tag NIST VPT AES-256 #13 (P=12, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3ad8cda9a0d91a205c4c05665728bb255d50a83403c9ab9243fcbbe95ae7906":"a203aeb635e195bc33fd42fa":"0b5f69697eb1af24e8e6fcb605":"ea26ea68facdac3c75ba0cdf7b1ad703c9474af83b3fbfc58e548d776b2529b9":"62666297a809c982b50722bd56bc555899345e0404b2938edf33168e"
CCM encrypt and tag NIST VPT AES-256 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e300fc7a5b96806382c35af5b2c2e8e26382751b59010d4b1cfc90a4a9cb06df":"8714eb9ecf8bdb13e919de40f9":"55b59eb434dd1ba3723ee0dc72":"9b1d85384cb6f47c0b13514a303d4e1d95af4c6442691f314a401135f07829ec":"ba6063824d314aa3cbab14b8c54c6520dac0f073856d9b9010b7857736"
CCM encrypt and tag NIST VPT AES-256 #15 (P=14, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3ae5be5904bae62609ac525e2d1cad90133447573d7b608975a6a2b16cb2efc0":"959403e0771c21a416bd03f38983":"61bf06b9fa5a450d094f3ddcb5":"0245484bcd987787fe97fda6c8ffb6e7058d7b8f7064f27514afaac4048767fd":"37a346bc4909965c5497838251826385a52c68914e9d1f63fd297ee6e7ed"
CCM encrypt and tag NIST VPT AES-256 #16 (P=15, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fab62b3e5deda7a9c1128663cc81c44b74ab1bfe70bc1c9dec7c7fd08173b80a":"54be71705e453177b53c92bbf2ab13":"a5c1b146c82c34b2e6ebeceb58":"5e60b02b26e2d5f752eb55ea5f50bb354a6f01b800cea5c815ff0030b8c7d475":"788db949697b8cd9abbc74ed9aa40cd6852dc829469368491149d6bb140071"
CCM encrypt and tag NIST VPT AES-256 #17 (P=16, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ee8ce187169779d13e443d6428e38b38b55dfb90f0228a8a4e62f8f535806e62":"d15f98f2c6d670f55c78a06648332bc9":"121642c4218b391c98e6269c8a":"718d13e47522ac4cdf3f828063980b6d452fcdcd6e1a1904bf87f548a5fd5a05":"cc17bf8794c843457d899391898ed22a6f9d28fcb64234e1cd793c4144f1da50"
CCM encrypt and tag NIST VPT AES-256 #18 (P=17, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7da6ef35ad594a09cb74daf27e50a6b30d6b4160cf0de41ee32bbf2a208b911d":"b0053d1f490809794250d856062d0aaa92":"98a32d7fe606583e2906420297":"217d130408a738e6a833931e69f8696960c817407301560bbe5fbd92361488b4":"a6341ee3d60eb34a8a8bc2806d50dd57a3f628ee49a8c2005c7d07d354bf80994d"
CCM encrypt and tag NIST VPT AES-256 #19 (P=18, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0786706f680c27b792d054faa63f499a8e6b5ddb90502946235bf74c022d772c":"6a26677836d65bd0d35a027d278b2534e7df":"f61ef1c8c10a863efeb4a1de86":"67874c808600a27fcab34d6f69cc5c730831ad4589075dd82479823cb9b41dc3":"d1c1f3c60603359c7d6a707f05ecb2296f8e52f2210b7a798ad5c778ee7cfd7fe6e0"
CCM encrypt and tag NIST VPT AES-256 #20 (P=19, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bac55f9847d93325bf5071c220c0a3dfeb38f214292d47b4acb7b0a597fe056f":"c1a994dc198f5676ea85801cd27cc8f47267ec":"05b50c458adbba16c55fcc454d":"89ad6ae1e550975eaa916a62615e6b6a66366a17a7e06380a95ea5cdcc1d3302":"7c9b138177590edaafec4728c4663e77458ffbe3243faec177de4a2e4a293952073e43"
CCM encrypt and tag NIST VPT AES-256 #21 (P=20, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8beedeb85d42c2a7fa6f7237b05acb197dd8e1672471ac878064fe5319eab876":"7b125c3b9612a8b554913d0384f4795c90cd387c":"8479bdfad28ebe781e9c01a3f6":"7aebdfd955d6e8a19a701d387447a4bdd59a9382156ab0c0dcd37b89419d6eff":"6cc611d816b18c6847b348e46a4119465104254a04e2dfeeeac9c3255f6227704848d5b2"
CCM encrypt and tag NIST VPT AES-256 #22 (P=21, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c3a0c126cad581012151c25cf85a44472c23f83b6095b6004f4f32cd60ec2db2":"73b09d18554471309141aa33b687f9248b50fe3154":"94ab51ce75db8b046d6ab92830":"2a243246bfe5b5ab05f51bf5f401af52d5bbaa2549cf57a18e197597fe15dd8c":"b7e8264ca70fd2a4fb76f20a8ad5da3c37f5893fb12abeeaef1187f815ca481ed8ddd3dd37"
CCM encrypt and tag NIST VPT AES-256 #23 (P=22, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9cdebaeee8690b68751070691f49593668a6de12d3a948b38ddbd3f75218b2d4":"3cbb08f133270e4454bcaaa0f20f6d63c38b6572e766":"af1a97d43151f5ea9c48ad36a3":"f5353fb6bfc8f09d556158132d6cbb97d9045eacdc71f782bcef62d258b1950a":"3966930a2ae8fdd8f40e7007f3fde0bd6eb48a46e6d26eef83da9f6384b1a2bda10790dadb3f"
CCM encrypt and tag NIST VPT AES-256 #24 (P=23, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d34264a12c35cdd67ac105e2826b071e46f8131d1e325f8e0ae80a6447375135":"79ac1a6a9eca5e07ce635bfd666ef72b16f3f2e140d56c":"3891e308b9f44c5b5a8b59004a":"0cda000ed754456a844c9ed61843deea9dadf5e723ea1448057712996d660f8c":"1abcc9b1649deaa0bfa7dcd23508282d9c50ca7fee72486950608d7bcb39dcf03a2cab01587f61"
CCM encrypt and tag NIST VPT AES-256 #25 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4ad98dbef0fb2a188b6c49a859c920967214b998435a00b93d931b5acecaf976":"9cea3b061e5c402d48497ea4948d75b8af7746d4e570c848":"00d772b07788536b688ff2b84a":"5f8b1400920891e8057639618183c9c847821c1aae79f2a90d75f114db21e975":"f28ec535c2d834963c85814ec4173c0b8983dff8dc4a2d4e0f73bfb28ad42aa8f75f549a93594dd4"
CCM encrypt and tag NIST VNT AES-128 #1 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c0425ed20cd28fda67a2bcc0ab342a49":"4f065a23eeca6b18d118e1de4d7e5ca1a7c0e556d786d407":"37667f334dce90":"0b3e8d9785c74c8f41ea257d4d87495ffbbb335542b12e0d62bb177ec7a164d9":"768fccdf4898bca099e33c3d40565497dec22dd6e33dcf4384d71be8565c21a455db45816da8158c"
CCM encrypt and tag NIST VNT AES-128 #2 (P=24, N=8, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0b6256bd328a4cda2510d527c0f73ed4":"78a292662b8e05abc2d44fbefd0840795e7493028015d9f2":"21fd9011d6d9484a":"66ff35c4f86ad7755b149e14e299034763023e7384f4af8c35277d2c7e1a7de2":"5a0be834c57b59d47a4590d8d19a1206d3c06e937a9b57f74034d9fdb43c3f48932aa72177b23bf6"
CCM encrypt and tag NIST VNT AES-128 #3 (P=24, N=9, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"afdccc84f257cb768b7ad735edbd1990":"56d0942490e546798f30d3c60ad4e3e110fc04f5b1c1fa83":"b7776aa998f4d1189b":"9f9ac464de508b98e789243fdb32db458538f8a291ed93ddf8aeaacfbfc371aa":"96f124c74fd737819008ddef440320f4a3733d0062c83c893e259aecf12ba08f2a2e966a3341d6d4"
CCM encrypt and tag NIST VNT AES-128 #4 (P=24, N=10, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6ccb68d3838d4ddf660b9cd904cad40f":"5ea35c082e2b190e9d98e6b2daad8672f587b4f2968072fc":"c4fb7519a19f13d9d1fc":"092e64fef08b5655a86cdb8de63ffaa7772e8730844e9016141af8bad2216246":"cda5fe3d15d00150b99120c7f206b88a4c2c4a39ca9143425603ab284a73a38cc916f8b653c92ab4"
CCM encrypt and tag NIST VNT AES-128 #5 (P=24, N=11, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e6ab9e70a4fb51b01c2e262233e64c0d":"ba15916733550d7aa82b2f6b117cd3f54c83ddc16cd0288a":"74e689eb5af9441dd690a6":"42f6518ee0fbe42f28e13b4bb2eb60517b37c9744394d9143393a879c3e107c7":"dcc151443288f35d39ed8fae6f0ce1d1eb656f4f7fd65c0b16f322ce85d7c54e71ac560fd4da9651"
CCM encrypt and tag NIST VNT AES-128 #6 (P=24, N=12, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"005e8f4d8e0cbf4e1ceeb5d87a275848":"b6f345204526439daf84998f380dcfb4b4167c959c04ff65":"0ec3ac452b547b9062aac8fa":"2f1821aa57e5278ffd33c17d46615b77363149dbc98470413f6543a6b749f2ca":"9575e16f35da3c88a19c26a7b762044f4d7bbbafeff05d754829e2a7752fa3a14890972884b511d8"
CCM encrypt and tag NIST VNT AES-128 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ac87fef3b76e725d66d905625a387e82":"959403e0771c21a416bd03f3898390e90d0a0899f69f9552":"61bf06b9fa5a450d094f3ddcb5":"0245484bcd987787fe97fda6c8ffb6e7058d7b8f7064f27514afaac4048767fd":"cabf8aa613d5357aa3e70173d43f1f202b628a61d18e8b572eb66bb8213a515aa61e5f0945cd57f4"
CCM encrypt and tag NIST VNT AES-192 #1 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ceb009aea4454451feadf0e6b36f45555dd04723baa448e8":"c8d275f919e17d7fe69c2a1f58939dfe4d403791b5df1310":"764043c49460b7":"6e80dd7f1badf3a1c9ab25c75f10bde78c23fa0eb8f9aaa53adefbf4cbf78fe4":"8a0f3d8229e48e7487fd95a28ad392c80b3681d4fbc7bbfd2dd6ef1c45d4ccb723dc074414db506d"
CCM encrypt and tag NIST VNT AES-192 #2 (P=24, N=8, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1dd56442fa09a42890b1b4274b950770ea8beea2e048193d":"bd92d6744cde446fc8621625658fc4bc00dcb97f06195ad7":"ad749d596d88a4b4":"c67219909828adef64422286008e1e306867a1c0b3da95444507a68b45c953e4":"076cffd0ca978fe2bad411ced45a090abafb22a99896f6a75a1969276aa2b0cdb37ccaf2845dbf6e"
CCM encrypt and tag NIST VNT AES-192 #3 (P=24, N=9, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8cc622645065c72d0d2aca75802cf1bbbd81096721627c08":"597b3614ff9cd567afd1aad4e5f52cc3fa4ca32b9b213c55":"cd84acbe9abb6a990a":"447b6f36acdad2d1cfd6e9a92f4055ad90142e61f4a19927caea9dbe634d3208":"2d7fb83e6621eed9073e0386d032c6941bef37b2cf36a4c6c5e36222d17c6fb0631c3f560a3ce4a4"
CCM encrypt and tag NIST VNT AES-192 #4 (P=24, N=10, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ab72eef2aba30205c986e2052d6e2c67881d24ae5fceaa8f":"2a794b84fc9e4a7e6d70a82b5141fd132177a86b4e8fc13a":"d7a46e726ed43f1580eb":"baa86f14271b2be7dbb37ddc7c95ce4857e57aa94624d594d7bd6ceeaada8d5f":"2d7f76464417613bb61d3657481346b74fc9d6abc6a3babd39365dce86859cd82395d11bfc8cf188"
CCM encrypt and tag NIST VNT AES-192 #5 (P=24, N=11, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"af84c6f302c59aeee6d5728ed5da2e3c64a5a781c52c4d1b":"6db41aeb5f7c24df8929dbc30483b3c7934b3bd1cdce5bb9":"df990c42a268950677c433":"a6ab5d78427f297a4b7e21f1091ff3a5b20caa3fe1cbcb09459d9df596a6c8e1":"8c9328258bf71970d33e23a3ff81cc1c9cbe196a1294264bfd6a7255e4801963bb30a63de3fc5b82"
CCM encrypt and tag NIST VNT AES-192 #6 (P=24, N=12, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d49b255aed8be1c02eb6d8ae2bac6dcd7901f1f61df3bbf5":"062eafb0cd09d26e65108c0f56fcc7a305f31c34e0f3a24c":"1af29e721c98e81fb6286370":"64f8a0eee5487a4958a489ed35f1327e2096542c1bdb2134fb942ca91804c274":"721344e2fd05d2ee50713531052d75e4071103ab0436f65f0af2a663da51bac626c9f4128ba5ec0b"
CCM encrypt and tag NIST VNT AES-192 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"36ad1e3fb630d1b1fbccfd685f44edd8984427b78deae7a9":"8b9db1c8f9b4892a5654c85467bcffa2e15e28392c938952":"3af625df8be9d7685a842f260e":"308443033ecd4a814475672b814b7c6d813d0ec2a0caeecbcaba18a2840cdb6c":"6bc6890fee299c712fb8d9df9c141f24ee1572b8f15112c2f8c99ccf2d82788cf613a61d60dae458"
CCM encrypt and tag NIST VNT AES-256 #1 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"553521a765ab0c3fd203654e9916330e189bdf951feee9b44b10da208fee7acf":"644eb34b9a126e437b5e015eea141ca1a88020f2d5d6cc2c":"aaa23f101647d8":"a355d4c611812e5f9258d7188b3df8851477094ffc2af2cf0c8670db903fbbe0":"27ed90668174ebf8241a3c74b35e1246b6617e4123578f153bdb67062a13ef4e986f5bb3d0bb4307"
CCM encrypt and tag NIST VNT AES-256 #2 (P=24, N=8, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"472bf7946bce1d3c6f168f4475e5bb3a67d5df2fa01e64bce8bb6e43a6c8b177":"59eb45bbbeb054b0b97334d53580ce03f699ac2a7e490143":"790134a8db83f2da":"a7a86a4407b7ecebc89434baa65ef173e88bd2dad9899b717ca578867c2d916f":"db4961070f528ccd1a5a0681ee4d0ce3515fb890bccedc2dbc00b1d8b2bc393a8d09e87af7811f55"
CCM encrypt and tag NIST VNT AES-256 #3 (P=24, N=9, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"58ae7965a508e8dd2eda69b5d888a28a1cb3783bad55d59d5b0da87137b72e93":"e61bad17640ecff926d0b0238271ee4c9f8e801dd7243e9e":"caa3d928d2bf2b7f2c":"304678b3ffd3200e33a8912bcb556b3cfec53ca17f70ecba00d359f9f51d3e3b":"7bb1137c14cb4d324a4a8f1115c619ebf74927f0bed60a8d5a9140ff50dc4da375c7d2de80de097f"
CCM encrypt and tag NIST VNT AES-256 #4 (P=24, N=10, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aecc5e18088bf9fd7b17f089bdd5607b69903b04b726361f8a81e221b1c91891":"d4291c99901345afe29f58912a414a7498f37b44362bdf3c":"c527d309ab29ee91c5fc":"8f9a73e7bc1c11e2919020ba3a404cbddf861e9e78477218e3be2cd4337b278d":"392784a9e0b14bcd37639ec5409d6ead3e75f855e5a92c33ffc040ef3977e0035ce6ea6d157c18d3"
CCM encrypt and tag NIST VNT AES-256 #5 (P=24, N=11, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"97bc7482a87ba005475dfa3448f59d4b3f9c4c969d08b39b1b21ef965c0f5125":"b99bf4dc781795fc4d3a8467b06e1665d4e543657f23129f":"0bcf78103ec52d6df28887":"049c10f0cb37ae08eae2d0766563b7c5a8454f841c2061a4f71a0a2158ae6ce5":"0d3891fa0caac1f7ebe41b480920ffd34d4155064c24f3b17a483163dd8f228d1f20cd4f86cf38fd"
CCM encrypt and tag NIST VNT AES-256 #6 (P=24, N=12, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d6ff67379a2ead2ca87aa4f29536258f9fb9fc2e91b0ed18e7b9f5df332dd1dc":"98626ffc6c44f13c964e7fcb7d16e988990d6d063d012d33":"2f1d0717a822e20c7cd28f0a":"d50741d34c8564d92f396b97be782923ff3c855ea9757bde419f632c83997630":"50e22db70ac2bab6d6af7059c90d00fbf0fb52eee5eb650e08aca7dec636170f481dcb9fefb85c05"
CCM encrypt and tag NIST VNT AES-256 #7 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4a75ff2f66dae2935403cce27e829ad8be98185c73f8bc61d3ce950a83007e11":"205f2a664a8512e18321a91c13ec13b9e6b633228c57cc1e":"46eb390b175e75da6193d7edb6":"282f05f734f249c0535ee396282218b7c4913c39b59ad2a03ffaf5b0e9b0f780":"58f1584f761983bef4d0060746b5d5ee610ecfda31101a7f5460e9b7856d60a5ad9803c0762f8176"
CCM encrypt and tag NIST VADT AES-128 #1 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab1123301219c70599b7c373ad4b3ad67b"
CCM encrypt and tag NIST VADT AES-128 #2 (P=24, N=13, A=1, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"08b0da255d2083808a1b4d367090bacc":"1b156d7e2bf7c9a25ad91cff7b0b02161cb78ff9162286b0":"777828b13679a9e2ca89568233":"dd":"e8b80af4960d5417c15726406e345c5c46831192b03432eed16b6282283e16602331bcca9d51ce76"
CCM encrypt and tag NIST VADT AES-128 #3 (P=24, N=13, A=2, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1538cc03b60880bf3e7d388e29f27739":"e7b819a853ffe79baaa72097ff0d04f02640ae62bcfd3da5":"9e734de325026b5d7128193973":"c93c":"1d8f42f9730424fa27240bd6277f4882604f440324b11b003ca01d874439b4e1f79a26d8c6dc433a"
CCM encrypt and tag NIST VADT AES-128 #4 (P=24, N=13, A=3, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f149e41d848f59276cfddd743bafa9a9":"9759e6f21f5a588010f57e6d6eae178d8b20ab59cda66f42":"14b756d66fc51134e203d1c6f9":"f5827e":"f634bf00f1f9f1f93f41049d7f3797b05e805f0b14850f4e78e2a23411147a6187da6818506232ee"
CCM encrypt and tag NIST VADT AES-128 #5 (P=24, N=13, A=4, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9a57a22c7f26feff8ca6cceff214e4c2":"035c516776c706a7dd5f181fa6aa891b04dd423042ea0667":"88f30fd2b04fb8ddbce8fc26e6":"a95bdff6":"b92f7ec2ebecebdbd2977b3874e61bf496a382153b2529fc9b6443a35f329b2068916fb6ab8227eb"
CCM encrypt and tag NIST VADT AES-128 #6 (P=24, N=13, A=5, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"54caf96ef6d448734700aadab50faf7a":"c69f7c5a50f3e72123371bbfd6bdf532b99ef78500508dfe":"a3803e752ae849c910d8da36af":"5f476348dd":"20c43ad83610880249f1632dd418ec9a5ed333b50e996d1a4e5a32fbe7961b832b722bc07a18595b"
CCM encrypt and tag NIST VADT AES-128 #7 (P=24, N=13, A=6, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cc0c084d7de011e2f031616a302e7a31":"15b369889699b6de1fa3ee73e5fe19814e46f129074c965b":"f0b4522847f6f8336fe534a4e7":"da853a27aee2":"f39755d160a64611368a8eccf6fcbc45ef7f1f56240eb19a2e3ca4ec3c776ab58843f617d605fd72"
CCM encrypt and tag NIST VADT AES-128 #8 (P=24, N=13, A=7, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d7572ed0e37261efa02f8c83e695efdc":"1edef80c57d17f969f8bde10ab38a1a8811a124de72c526e":"f4f96d7b4384a3930b3d830f82":"922340ec94861f":"de14558cc686e1836f1f121ea1b941a9ebd4f0fb916dc870fd541b988a801cb5751c7faaf5b0c164"
CCM encrypt and tag NIST VADT AES-128 #9 (P=24, N=13, A=8, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"98a42d7a0c5917deaf3b4de3f0cbe0a1":"9aa9c8358117564371366beeec923051ef433252197aaad5":"03d33ab0c2df7bfce88b5ee4c4":"2d5438b728b950d9":"9ff942baa60f440c17a78e9581216b9a947a67f04d54911feecfff971fdfaa856310b014aa59c978"
CCM encrypt and tag NIST VADT AES-128 #10 (P=24, N=13, A=9, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2a68e3fe746f593c1b97cb637079c3e5":"13b4a874888db0e5d8fd814b5e7e04f7fdfbc1601ccc02bc":"cd62d0f27b7f4864dc7c343acd":"abe4f1d3812bfe3ccf":"032835a3dbf688d09cf2a32a92b101959d33ff47500f92f4fd49840440f866d1a22b0854996111d8"
CCM encrypt and tag NIST VADT AES-128 #11 (P=24, N=13, A=10, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"46b067cf9b1a28cf187002e90b14e130":"cc0915194218d4536e467433cd6d79ff1d9eb9ff160ab684":"bad8c03292bf01cfd8d34f860c":"8d65880eddb9fd96d276":"bd56edc015692c6ab9bec493a9893863598414a3d11a6a0f27ecdcb257d0d30491e5bf1aa8f90958"
CCM encrypt and tag NIST VADT AES-128 #12 (P=24, N=13, A=11, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e94dac9c90984790a7c0c867536615ff":"4d64461c55eb16bf7b9120f22be349598f2f394da8460dc6":"c19f06f91e645d4199365f18c0":"537038b5357e358a930bd6":"e9fc5004c2359724e1e4411ae6f834ef6bea046d549753c88790c1648f461a31c84e62ea8592a074"
CCM encrypt and tag NIST VADT AES-128 #13 (P=24, N=13, A=12, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f6bb5d59b0fa9de0828b115303bf94aa":"011fc50329bfd63a85ebd4f7693363602f1a4147371270b7":"05358f33e1fc6a53ab5a5c98ce":"040b25771239cc2a39446e3c":"4432d7eb42980734d34f19c50cf8abf71ac1b19ed75a727854e5d050a405f755047d09cb0f49546a"
CCM encrypt and tag NIST VADT AES-128 #14 (P=24, N=13, A=13, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d1da2e961e78063af8de41865b226873":"8e5fa1a6662a8378cda15697e926841594f2f394fa5a34ab":"03739f5474857006340cce554d":"e3afd091d2b588465872a6300f":"ca0d95e3ff186ad6b88d45fc4079e6b7b4a615e7e8dd5f4742d522cc9dc19c47a4fa0b1528069cf8"
CCM encrypt and tag NIST VADT AES-128 #15 (P=24, N=13, A=14, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1eee667267ef10b03624cf9c341e3f75":"798e31cce0a83702a95171fb1162a17b9ce00ec3592ce262":"0630a3eae27e505c61c56e6560":"d24651ef0561282d3e20e834960c":"f3c3e52f1a1ff528a8d3783ee4e75f114e3e6416334815d2d9236d5c5c9319092078411b72c51ba8"
CCM encrypt and tag NIST VADT AES-128 #16 (P=24, N=13, A=15, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dbbd26f5d9e970e4e384b2273961be5a":"553714e17a208a2eceb847a4a2d95088388b1ac8d8ca43e0":"0b1eabe504ef4822542e397fec":"477937301c83ba02d50760b603e0ea":"1c80213268bad5402c4dc9b5d836ab7499810d0d8a974716df9a0e986ab2890736423bb3772cec3e"
CCM encrypt and tag NIST VADT AES-128 #17 (P=24, N=13, A=16, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"10a7720f2e18f739c26924925af6b670":"e59782a9aea45f467b90e51a0fdf166baba05663def2d8b6":"8c4e7813ab9bce9dafee01c628":"a209941fab710fda38d11c68b13d930f":"e357b1ccdaca6f3506dc45279c2e4c59f5307a5fd6a99cd72341ea8c0785569973f90ee9ee645acc"
CCM encrypt and tag NIST VADT AES-128 #18 (P=24, N=13, A=17, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6bffab1f4f4c1ff66b4a669b515b2f8d":"d91b12e8655dd92b1332fc1d71c391c96a17111562d90ba3":"ddb34d5e0140fb96d690e1a2b7":"5cbba9ea778e01af00afb2a934f28c7211":"d302e5b2d5d90433186b804cd7717e2db2f22cdc34fb2942ab30780a2c4f12af8f35350d65284c59"
CCM encrypt and tag NIST VADT AES-128 #19 (P=24, N=13, A=18, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ae6136df9ab43631ef143515dacedbe7":"6a493c5ef3769ccc4101dbb2eb36e1e5bbc577a057ce0731":"c5c445792208a50c8e93d64aa3":"e04006b68c83a5dd4ceac3cde238e48895ae":"c7584c0203c2535c5702c6ae93b7cbfb066f4a055c627a180d6d676d11fce907b5c93fa1ed7bff2b"
CCM encrypt and tag NIST VADT AES-128 #20 (P=24, N=13, A=19, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f1908328edf2996ebfc9655472ca5ad0":"eede01b08f9a303cdf14c99d7a45732972c6eff2a1db06eb":"4c693364546930b6c5250e2699":"4a3634e5028df97fbe00eb016e8ea4f1918faa":"90c850790b0b380f5aeb2488fdf43c9d5ef1759861e86f6e52570e769629dcc2e568737ba53a1195"
CCM encrypt and tag NIST VADT AES-128 #21 (P=24, N=13, A=20, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"61cb8eb792e95d099a1455fb789d8d16":"6ad541695a37c32d73ff6d5f870abd5b0f362a8968c4fce0":"1f37b3e59137f2a60dc09d16ac":"09db3efac9473f713da630ae92c2c8604c61c51e":"e65fcc975865c1499b088b58ba163283085d8ca68dc3b235d89756e5d78753ef22c012ae34b39a20"
CCM encrypt and tag NIST VADT AES-128 #22 (P=24, N=13, A=21, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"be1ed49e2cb0caf6b6a0940c58453b93":"a9eec383f63892521e4616fcbadc5485942ffaf4669c43a7":"b78ad129457681fa7346435b97":"161d92c7df1ebb0924719e066e08b95eb4914a5eda":"949be340720c4fdc4adc05cb777dd81a2549628d33fba07e62d2b338a7b34ebd9d85c244c952d681"
CCM encrypt and tag NIST VADT AES-128 #23 (P=24, N=13, A=22, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"34ab6fd7f54a2e0276fcb7cf1e203aba":"8d164f598ea141082b1069776fccd87baf6a2563cbdbc9d1":"6091afb62c1a8eed4da5624dd7":"1ab5cc3d7b01dc74e6cf838bb565fea3187d33d552a2":"0d30ab07153b5153637969e6bd3539448c541e42b3d432fd7ef14622a9b621d1721b944c60f7fd67"
CCM encrypt and tag NIST VADT AES-128 #24 (P=24, N=13, A=23, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ea96f90fbae12a857f5c97e0cba57943":"49db80f22bc267a70e5636dfbc8a21c83d9691fe4b9c3051":"21cc46d9ced1539b0ad946e600":"105258d2f25f62675aee975cfdb668aff833f05b61eb2a":"d2fcc8b7809b5fc07e44083e437d8180157f1782a9ce9f65c7fa9ee2e7cdc1b755258f2212a8a8f4"
CCM encrypt and tag NIST VADT AES-128 #25 (P=24, N=13, A=24, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"35b403a15212097085d6e2b77ec3d4f2":"7dd7396db6613eb80909a3b8c0029b624912aabedda0659b":"daa423bf9256c3fcc347a293aa":"d3c0ed74e5f25e4c1e479e1a51182bb018698ec267269149":"5b00cf8a66baa7fe22502ed6f4861af71fa64b550d643f95eee82c19ecba34280604b58d92dacd3f"
CCM encrypt and tag NIST VADT AES-128 #26 (P=24, N=13, A=25, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7a459aadb48f1a528edae71fcf698b84":"0b3d947de8632dc8ff752f619ba7c84716fac7a23e101641":"fa4616b715ea898772b0e89dd4":"0c0b4a45df5c3919c1e1669c5af5d398d9545e44307d95c481":"7db9f3f7dc26fc2adf58d4525d26d5601e977de5a7c33911a1138cff7b624f9908b5b4d7e90a824a"
CCM encrypt and tag NIST VADT AES-128 #27 (P=24, N=13, A=26, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ca748225057f735f712ecc64791367f0":"e92cd0cb97afe4fb00c4f12e9b9abe1d08db98f49a27f461":"1341a6998eb1f50d4b710a13ac":"5fb96b045f494808c02014f06074bd45b8a8ad12b4cb448ec162":"82b666694232e86e82295beae66ae67d56aceb5d6b1484ceb4a6843ec16078038c10afedc41f5362"
CCM encrypt and tag NIST VADT AES-128 #28 (P=24, N=13, A=27, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fdf2b2c7fcb3789b4e90abe607dca2af":"d7aa4efa5d75195a400018bd38f7d8cd53fdffe88df1837f":"a69ddc66e63a3415f21009d53a":"c76846da496ed87b9c0f65c6266c9a822224acde9775efb186a4a5":"150d9a8b78d9c04239d66207a1f95021bbb1b7c70d7c354825d05e5a2e76a90f6fe489fd74cab2a3"
CCM encrypt and tag NIST VADT AES-128 #29 (P=24, N=13, A=28, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7d870d7e52d3053c65eefad47764cfeb":"109317556c21c969eda65a94176d7a11462c9ae18a865b6d":"37d888f4aa452d7bf217f5a529":"9610949f6d23d5b1f3989b2f4e524fab4f297a5bec8ddad4f16cb616":"4e6b967b1571c6d7b9e118b112b7ac949a4a175650316a242dd579cb0d201d22c86bbc7fbe47bd0d"
CCM encrypt and tag NIST VADT AES-128 #30 (P=24, N=13, A=29, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8fcac40527c0e7ca8eaff265ca12c053":"78d1e96af8cebdcc7e7e2a4ddcfa34f6cf9a24fb85672ad7":"ae9f012fd9af60a400e20b1690":"9ce65598cd1f86afc9aaaf172809570cc306333c25523f863c6d0e0154":"9adb9a95a9379ad795d8d3ffd4e37a045160d6d727f974a6cb3b5151f327e65447e52c7525562c91"
CCM encrypt and tag NIST VADT AES-128 #31 (P=24, N=13, A=30, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ddf9f150cc3f1c15e8e773663c5b061c":"79d8841ab83279724ce35e1a8abd4e158168dcf388ab4c3d":"98c5036b7d54da9a1177105600":"20c5ab290e6d97f53c74121951f39ba865b3acc465fa3f0fb8a591622277":"d00d29396ffa9e691290d746527777bf96a851f306d4da0b1816df1e0e82bb7bc8105930ad6a2232"
CCM encrypt and tag NIST VADT AES-128 #32 (P=24, N=13, A=31, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b1dc81d116d94f5eced526b37c004b95":"54390715b6e7c7bd51a234db059a51ba030cf22ee00b7277":"97c8f69fb91b17299461fd8d63":"f8b08aa83bed09ca342249b2cf9e2b45a89dcfb8711a120395e455921af481":"cb629994c3418a662a8cde1b5f4d99aa7df66e24c53dc6df11297930fd44c63675b7cca70671ef4d"
CCM encrypt and tag NIST VADT AES-128 #33 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5a33980e71e7d67fd6cf171454dc96e5":"a34dfa24847c365291ce1b54bcf8d9a75d861e5133cc3a74":"33ae68ebb8010c6b3da6b9cb29":"eca622a37570df619e10ebb18bebadb2f2b49c4d2b2ff715873bb672e30fc0ff":"7a60fa7ee8859e283cce378fb6b95522ab8b70efcdb0265f7c4b4fa597666b86dd1353e400f28864"
CCM encrypt and tag NIST VADT AES-192 #1 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"39f08a2af1d8da6212550639b91fb2573e39a8eb5d801de8":"15b369889699b6de1fa3ee73e5":"":"6342b8700edec97a960eb16e7cb1eb4412fb4e263ddd2206b090155d34a76c8324e5550c3ef426ed"
CCM encrypt and tag NIST VADT AES-192 #2 (P=24, N=13, A=1, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9748798c0f3cc766795c8ce0e4c979c1930dfe7faefea84a":"100fa71462277d76ca81f2cfdb3d39d3894b0ca28074a0f0":"cdf4ba655acfe8e2134fa0542f":"67":"36e2415b4f888a6072f260d7e786d803be16f8b9cbee112d7ff74e3b05b7d7c13284573bd3e7e481"
CCM encrypt and tag NIST VADT AES-192 #3 (P=24, N=13, A=2, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"393dcac5a28d77297946d7ab471ae03bd303ba3499e2ce26":"262f4ac988812500cb437f52f0c182148e85a0bec67a2736":"fe7329f343f6e726a90b11ae37":"1c8b":"e6d43f822ad168aa9c2e29c07f4592d7bbeb0203f418f3020ecdbc200be353112faf20e2be711908"
CCM encrypt and tag NIST VADT AES-192 #4 (P=24, N=13, A=3, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a74abc4347e4be0acb0a73bb8f7d25c35bae13b77f80233a":"6372824bf416cd072a7ad0ae5f9f596c6127520c1b688ab4":"6a850e94940da8781159ba97ef":"a4490e":"b14a07bdc119d87611342c4c6935c5786ff1f9ae2eb49e6191c88a3cb4fbafcb8a4a157d587d7e39"
CCM encrypt and tag NIST VADT AES-192 #5 (P=24, N=13, A=4, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"df052e95aea3769a433ce4e4e800b8418649bbe8c6297eb0":"e8c1a89228d8212f75c136bab7923a89f9fea18e781cb836":"ba356d392c3f700f4f2706a4ca":"8ffc0e3d":"66b5d782323925e1bd0a8413a9a5a881356453d5df2cbeb199b2e1e803550dcdde55fd66ecb45edd"
CCM encrypt and tag NIST VADT AES-192 #6 (P=24, N=13, A=5, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"16d345606a315ad2406abbcb43cd8cabe948107ba6d17a72":"d3bef460223c81e4579c9d1d463ac5e0881685de1420a411":"d4ef3e9e04f1b7f20ffc5a022e":"a468f08d07":"abb85db49a9b1c8724ecbc734cc8373bd20083cfa4007b1cfe4d3a3bb25f89f692884be230c6035c"
CCM encrypt and tag NIST VADT AES-192 #7 (P=24, N=13, A=6, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1c476cfd7dd300d961fd3f24a6fe0e80742b00851676ca63":"6f3938932b5c1280311e892280d8a822a828a0be7fdb1bcd":"e300fc7a5b96806382c35af5b2":"28130f938c45":"df48662fe134e75a85abc2cece2c3b6236c88a70fa792e9beadc9601adf9fbdf4e3e94b395b0a332"
CCM encrypt and tag NIST VADT AES-192 #8 (P=24, N=13, A=7, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"79d1e38a70df1cf239be168833dcd0570bc8f37b3aa26c37":"83c24f3a77b83b4ef45277ba90225f3ba1722312f52b1a07":"8229d6d7e9e21fdc789bff5dcf":"076887d2abe900":"19d880f1d959a68f162de243d4a45747ace704613359b27218d1531a066de60a95d2924a6910e990"
CCM encrypt and tag NIST VADT AES-192 #9 (P=24, N=13, A=8, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"72e6cebdaf88205c4e74428664bc0d7eb4687a272217b7ca":"54bc7e3c227df4e83252a5848fea12dfdb2d14b9e67c1629":"3820db475c7cb04a0f74d8e449":"f427c47e10c45bb3":"91e7baff2b42af63e26c87ce6991af22422c1f82906858b1721961de5c768f4d19bd3034f44f08d2"
CCM encrypt and tag NIST VADT AES-192 #10 (P=24, N=13, A=9, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"39c03a0c8634047b1635348f284d3dc1e752ab40548eb337":"0662e63c88e963d3e0cf2c4653515ae4474a2c78ab0394c0":"9e2ea8eb7f56087ee506925648":"28d157f09a71da80dd":"01dcd4dd3b8c1369518136ce45e8bb9df565b0ad231a887b02ada34addf0aa2f4744ed2e07995491"
CCM encrypt and tag NIST VADT AES-192 #11 (P=24, N=13, A=10, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e2a92ffbb0b5eb68cb82687f12449fae5167d375131b0b10":"048c9ba4597c3bb595bfd5048e5e9a1296f30e5c0118b177":"441ad5e1382e083a95224f395d":"2352648299b0413cb2ce":"25247a258e4ac0a988d8def60cc174a9d4578cd5346fb5150c96e8ab8774baa421f39c64a386c418"
CCM encrypt and tag NIST VADT AES-192 #12 (P=24, N=13, A=11, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ef1ad3eb0bde7d4728389da2255d1f8a66ecb72e6f2f1ac4":"9f580cc6c62a05ce125c6bec109a48ca527ee26a64b14b68":"8e7d8a44244daa7df2b340993e":"521583c25eb4a3b2e46120":"ff0ff95bcb0bccd5e4aadd77ac6770f5013654eb3c6386fded2c87135861b43a99f258b6938f66e3"
CCM encrypt and tag NIST VADT AES-192 #13 (P=24, N=13, A=12, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"44cba20b7204ed85327c9c71c6fea00b47ce7bdde9dea490":"6333bde218b784ccd8370492f7c8c722f8ef143af66d71d7":"f3329154d8908f4e4a5b079992":"f1e0af185180d2eb63e50e37":"b9401a4927b34dc15e9193db00212f85f0c319781ec90e3b4484d93cb422cb564acc63d3d18e169c"
CCM encrypt and tag NIST VADT AES-192 #14 (P=24, N=13, A=13, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b5f43f3ae38a6165f0f990abe9ee50cd9ad7e847a0a51731":"3726c1aaf85ee8099a7ebd3268700e07d4b3f292c65bba34":"13501aebda19a9bf1b5ffaa42a":"ead4c45ff9db54f9902a6de181":"fd80e88f07dad09eed5569a4f9bb65c42ef426dda40450119503d811701642143013f28ce384d912"
CCM encrypt and tag NIST VADT AES-192 #15 (P=24, N=13, A=14, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"13f179aa2a23bc90a85660306394940e9bb226ce3885ec01":"d3b36c6289ad6ae7c5d885fe83d62a76270689ce05fa3b48":"aaa52c63ca1f74a203d08c2078":"5cc924222692979a8e28ab1e0018":"bc4fcef401c2e1d1c335734ff23ea52c3474d2e6f31648a7f58649400ac9e825b038d67f0c2a6f1c"
CCM encrypt and tag NIST VADT AES-192 #16 (P=24, N=13, A=15, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c1dfc48273d406a3a7b9176f80b2dc4e9a7f68134bab66d2":"67d9728a88f1fac3af43ed6d634ba902896bd226858697d9":"1ac53ba965cdaeeef7326a37e4":"39ba54a410a58a5d11615a2163cc3b":"360f0fc714994e3b59448b50cdd61d511b4f09e0e5fb5ac826a51fe5b9b598a17eb3da10f936813b"
CCM encrypt and tag NIST VADT AES-192 #17 (P=24, N=13, A=16, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d8a662ab8449bd037da0346a24565683a3bbbbd1800e3c1c":"61fdd10938557080191d13dd6c3002dd445d9af988029199":"166fb8d0e110124c09013e0568":"1c1c082eeb5b8548283d50cc2ace1c35":"23c05927502a4ee6e61e4e10552d49b020643eab476eeacc867601fe79a122a7817819655183283e"
CCM encrypt and tag NIST VADT AES-192 #18 (P=24, N=13, A=17, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"116f4855121d6aa53e8b8b43a2e23d468c8568c744f49de5":"1bd3b5db392402790be16e8d0a715453928f17f3384c13a7":"924322a3ef0c64412f460a91b2":"03c2d22a3bb08bbb96b2811ce4b1110a83":"ad736402626df0f9393fe4491eb812725ad39d6facf20b5b2f9340b0d48a17ae1cc71d7515e61ee9"
CCM encrypt and tag NIST VADT AES-192 #19 (P=24, N=13, A=18, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e67f3ba11282d61fe36e38cab7b559c2fd9cbe8bf7eb5863":"d7a954dae563b93385c02c82e0143b6c17ce3067d8b54120":"a727ed373886dd872859b92ccd":"68d199e8fced02b7aeba31aa94068a25d27a":"c6cfaa1f54d041089bd81f89197e57a53b2880cefc3f9d877e30b2bcc3f1ea9ec2b8f28bf0af4ecf"
CCM encrypt and tag NIST VADT AES-192 #20 (P=24, N=13, A=19, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e0a29a2c7840cf9b41de49780b9ee92d646a4bfc5b9da74a":"344dc8b6bd66a1fbbe330a95af5dd2a8783dc264d6a9267d":"fc9fd876b1edded09f70b18824":"36e15baafa0002efbb4bb26503b7e3b79f6c68":"43b3b96aa5a54378f3bb573ffda3e154aa7f425fc3008175b60a77b9d38740356b544b1c0f259086"
CCM encrypt and tag NIST VADT AES-192 #21 (P=24, N=13, A=20, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26d0a3a8509d97f81379d21981fe1a02c579121ab7356ca0":"37ab2a0b7b69942278e21032fc83eba6cdc34f5285a8b711":"8015c0f07a7acd4b1cbdd21b54":"093ed26ada5628cfb8cfc1391526b3bcc4af97d9":"a3a60b422eb070b499cf6da0a404b13a05cedda549c6b93e6ca0e07e04674f21a46df2659a5905fb"
CCM encrypt and tag NIST VADT AES-192 #22 (P=24, N=13, A=21, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aac60835c309d837aacc635931af95702a4784c214283ebb":"e8610756528f75607b83926597ef515f4b32a8386437e6d4":"0e20602d4dc38baa1ebf94ded5":"796e55fbe7bed46d025599c258964a99574c523f6a":"e0a3d5f43e688ce104f4ae1a4fcd85500aa6b8fdbcd1b8d3003c0c3b7369e79339433e1754c0937f"
CCM encrypt and tag NIST VADT AES-192 #23 (P=24, N=13, A=22, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"671544bf2988056f7f9ccd526861391a27233793a23f811f":"576b069ae2713f53d2924c1fd68f786cb2eec68892f9e1be":"0a259148a1d081e0df381ecd0c":"61dafc237cb52f83ab773ba8a885462b6f77d4924611":"ce06b3d09b02921f290544032a081a7766612940048867281bb089af0245792c16e6320cf5ffa19e"
CCM encrypt and tag NIST VADT AES-192 #24 (P=24, N=13, A=23, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"90e2c63b6e5394b1aeec03f95a9d13a01a7d4e9d58610786":"44dd098b1f869d670a8a841900c4bef023a1946a0c278354":"dada5465eb9b7229807a39e557":"f5629ca0eea589f6cf963d875a7d2efb656983f2dd2231":"6b38ca85450e05e7b9362ed7e6e291a130ff233b5a561cdef7ec84dd992fdf98514f845dac8f656e"
CCM encrypt and tag NIST VADT AES-192 #25 (P=24, N=13, A=24, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"13cdaaa4f5721c6d7e709cc048063cfb8b9d92e6425903e6":"d7c837971b973f5f651102bf8d032e7dcd10e306739a0d6c":"f97b532259babac5322e9d9a79":"ad6622279832502839a82348486d42e9b38626e8f06317c4":"4709600418f2839841e6d126359f6982bdb53acc7ff209635623d15b24184481eadc63bb8c878fc4"
CCM encrypt and tag NIST VADT AES-192 #26 (P=24, N=13, A=25, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"90851933d4d3257137984cdb9cba2ca737322dac4dbd64bc":"ba1785a149cb8b69a4e011c11a3ff06f6d7218f525ac81b5":"be02df3a840322df8d448c600c":"69a9dd9ac8be489c3a3f7f070bdaca10699171f66ab3da9351":"89ab2efefa8406336d9e2245199fbc9454f0ef650b9ed0f446c7246bd3130803bf8d703ef5bdf15c"
CCM encrypt and tag NIST VADT AES-192 #27 (P=24, N=13, A=26, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5c5d02c93faa74a848e5046fc52f236049e28cd8096dcac6":"b4da43ebfe9396b68f4689fba8837c68d0064841c6ddd4a7":"54cbf2889437673b8875a0f567":"09fc21ac4a1f43de29621cacf3ad84e055c6b220721af7ce33bb":"d40725397229021a18f3481e3a85f70445557bb2a85e4ae8101a34c777e918e16186fda05a386572"
CCM encrypt and tag NIST VADT AES-192 #28 (P=24, N=13, A=27, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0234dae5bd7ae66c67ff0c1a3f1a191a0d7bceb451bc2b7d":"0f960a89a7e806f8709047cb7a2e7c4211ad724692c88a05":"16d345606a315ad2406abbcb43":"c37fdf7449fd7e943595d75e977089c623be0a3926e63fdbbfdf4a":"3907880d25f910eab12dd14e704d1b33ea7c453634d54da2a461f44dac1112ae3f9c65671a931d3e"
CCM encrypt and tag NIST VADT AES-192 #29 (P=24, N=13, A=28, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6351a67fd6daabd2fd49ee944dd41dd37301f958dd17fcc3":"0c0663dd69ccbffbbd0c8c2e9473d0354451ae7a20fa3695":"b8d517b033754058128d13d11a":"511c6924fa96db716f6b053b7a48aebdc1504145a56cd02d6be2590d":"19f2745df5007619c79c84d174e4521b942776478a0601d982c560fede4741e2fd3b54b3a48f3e38"
CCM encrypt and tag NIST VADT AES-192 #30 (P=24, N=13, A=29, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9a5a9560baed3b8e0e90b92655d4e5f33889e5d7253d9f6c":"5bbe9c1fb2563e3e82999fe097b28da4dc6ff2e020f3b4f3":"c0049382cdd8646756d4e6bff5":"c95a86d52088a8b0107cc5b437a8938b2c9e74e46e2e03bb9bceecdbe3":"6d5401db42b5c48b79203b6ad82806d7460ac4c82ad0809b811020480e834f6fe55900a162a4e61a"
CCM encrypt and tag NIST VADT AES-192 #31 (P=24, N=13, A=30, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3e61094c80df0053e86d43fccf4e1d3ee2cdb862d3237b0a":"1fada8f4c7daea0d1c370184c169485b80a278708ed41451":"63f00b2488809fdc49ca5f05d5":"a08763ca936abdeece06467bef8c3c47c3a473636a039d4db540c867d3e3":"680dd22f16a1290bde42c9792dfa997aed24d5bd2265b6e095aa6b99d3f894d3790c2aa2dae1ba2c"
CCM encrypt and tag NIST VADT AES-192 #32 (P=24, N=13, A=31, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b5664dd6ed435df006052f6ded74bb7ce9482ca9229886f7":"0b6de49b530703affc94010c2b793ddc6de0c44d48037ff2":"7a1649896f3e030c18f0205599":"c5f1a26351e53e6509c8bbbed03c42c23ad81c65fccec7ffa1cb494c7f1fc4":"56b02fea595cc24e798691ae905be3d466ca68ca744005dba260b5ea3b047020b73b5bafa17e5084"
CCM encrypt and tag NIST VADT AES-192 #33 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"50925853a84a33ff392154e4e737efc18dcfc98f4d5235a9":"718f061e8b972a3adcf465d66c5b28e8661f080127f6722f":"809343e986f6ff47f54d4cac22":"d70aef3532bdc5293a3ebb11589ac1f801c9f93ea0d656e1d04068facf9f768b":"bad3b0e6772e9c4c9c631c095e259d99692292932efb72b8966e91a19617bb748f3495aa433585bb"
CCM encrypt and tag NIST VADT AES-256 #1 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886df3ba3e6da3a1389":"30d56ff2a25b83fee791110fcaea48e41db7c7f098a81000":"72a60f345a1978fb40f28a2fa4":"":"55f068c0bbba8b598013dd1841fd740fda2902322148ab5e935753e601b79db4ae730b6ae3500731"
CCM encrypt and tag NIST VADT AES-256 #2 (P=24, N=13, A=1, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a4490ed6ab51dbfccd6f3702a857575dad44da3a27eaf31178abc97da60d1e4b":"1b5cc6b1651dec4bbbf5130343852e971c7ff1774100d9be":"26ceaf6e3b28190a17c4f0c378":"9e":"789bce069a725a96c484e64a9e54dcb7a7c268c85df47815a462ff2dd8ba44a381e1f6edab12b5a9"
CCM encrypt and tag NIST VADT AES-256 #3 (P=24, N=13, A=2, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"df594db94ef8eca56a417afe946085eaed444c7cc648d07d58132e6cb5bc2bc3":"f4d7978fad36223623ccb5bb18a7373cba8a6e3b1c921259":"c1ad812bf2bbb2cdaee4636ee7":"c0c3":"bea778540a90033b2c0d087e3cc447711ea25f7eea96855506ec97f23bd6ea97834f92f7263c3195"
CCM encrypt and tag NIST VADT AES-256 #4 (P=24, N=13, A=3, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d98193ab2a465e3fcd85651aaeca18b8e91489b73b7c7e93b518c4b5b81fc6ac":"edba7d6312144e90ec9eaace7576045a46e553dcb8ee5a98":"2247dc7e2674e9e0a63fe70613":"4dc2f4":"44b9ea727c847336fd739ad11f4b906b292edb810462f06ef59626ad5cdac2e4d4cb07b538a1fd8f"
CCM encrypt and tag NIST VADT AES-256 #5 (P=24, N=13, A=4, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"45c8afd7373cb0f6b092af3a633d9fd97c4ca378e19d75f9b74d089429726c29":"0b92adbb251dc29a67f0bb97f8e7160862b6c4e843d07fd9":"fdb1fa230ae0b172ff98fc7496":"270981af":"274e2faea3271ea6fa0494c1951f115b5491a893056c3ee4c76fc350e585277e373e9119bf9595cb"
CCM encrypt and tag NIST VADT AES-256 #6 (P=24, N=13, A=5, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a2e6bf39efd1ceddc92b4333ed92d65efeea6c031ca345adb93a7770a8039bcd":"d822f84b023f12ea9e3ce16b904278e4aaab5e11c2c23f3f":"693cbb46bc8366086ec7cd7776":"3ba11282d6":"9f91fd2f6472e33b02b1eabb9d6655729d44c44dad6b3883fe0667bcc5806b225224b04ade8b21c1"
CCM encrypt and tag NIST VADT AES-256 #7 (P=24, N=13, A=6, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c5a850167a5bfdf56636ce9e56e2952855504e35cc4f5d24ee5e168853be82d8":"e758796d7db73bccb1697c42df691ac57974b40ca9186a43":"c45b165477e8bfa9ca3a1cd3ca":"4759557e9bab":"93ad58bd5f4f77ac4f92b0ae16c62489e4074c7f152e2ed8a88179e0d32f4928eff13b4ce2873338"
CCM encrypt and tag NIST VADT AES-256 #8 (P=24, N=13, A=7, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ae8f93c3efe38e2af07e256961dd33028faa0716e5320a7ab319a10d2f4c5548":"bc9ca92a9c9919e39095d3e53fb148694620ae61227e0069":"6333bde218b784ccd8370492f7":"0b1fabdf2a4107":"45811b0c8f754bf03950e520cd4afc81c2e3eb8a11f4fd386d5a6e4b1fbee15d35939c721004502e"
CCM encrypt and tag NIST VADT AES-256 #9 (P=24, N=13, A=8, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"548c2d1eb7d91e003633d4d9ff199e4a8447180edd89ac7867d25a1db288b5ce":"49fd5cbe4aff89dc3b8718f9ce545d612cbbebb289ecbf42":"23b205bd6ff8ed0bab0c98999c":"a6601111cd92c943":"3cfc6211e359ae322802fc9566f377b0dfe17d1dfe0878ebf2a9047e37cc0be1fab0006af8db8dc4"
CCM encrypt and tag NIST VADT AES-256 #10 (P=24, N=13, A=9, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aab793e377a12484dbdd74c9b3a85c74c286e1cc498663fbd7c718b5633bb91a":"7c0889854658d3408c5d8043aad2f4ae4a89449a36f8a3b8":"10022cddb323e88b3c08f95a0f":"82b8c736037ce2f2e8":"1044250f58857c69f72b5d3454d43949e5c02b3822970b280de1a3f7fc5d06cc30f06075f5504ed7"
CCM encrypt and tag NIST VADT AES-256 #11 (P=24, N=13, A=10, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"06ac39896073a44283611a66ccab067e2dd2faa8da82ff9a45bb29e54d2e6e77":"3216dce3b8b1ce0e79e40fffcac728ab191aaaf319d971d3":"6c7942c9819cf69b817bfcdb0a":"215e2a6c24325340fdec":"c5b3b50ed8a7b7b96b02ba9464b6a2ff80e90548605699a63d70e6dffb31a376a1eb7f94526dca48"
CCM encrypt and tag NIST VADT AES-256 #12 (P=24, N=13, A=11, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"50412c6444bcf9829506ab019e98234af1541061557412740bc120b456052763":"6cdbd63f6d591f59776f828533b28e2453a214d1d0dd8a39":"85684f94c3702c5d870310166d":"f706a3e09df95d3e21d2e0":"8c8b4ae854a5d5c265b25e3b54bded9444cc454b3e0e6a24d6c05eaf406a5ebd578e19edd5227380"
CCM encrypt and tag NIST VADT AES-256 #13 (P=24, N=13, A=12, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8a56588fe5e125237b6cdc30f940b8d88b2863ec501a0cb00b1abade1b5ce0ed":"c825952293e434ea866db558aaf486ef09a92bf366988f71":"d80210b9f9776ea36dc0e0a787":"e4296d1c8cf4ffc4b2635135":"b8b3b15fdf6a4a0b5abc313afc769e4e8413bd887552583ede3ed995d1b70561c8e28a7b1a7e3dc8"
CCM encrypt and tag NIST VADT AES-256 #14 (P=24, N=13, A=13, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a4cc7e1c90f8684e6a5f95e6898ab4e3c194cb46e196d8228062b9f3fa744930":"10d4cff95ef490923c9e0906880729d4d05412e7675cce76":"cdc2712e51c7f333d6bad78eee":"569c56b27268d3db54e728aac0":"be3ce3e9dc72499839a98ae52abb17415e8547687e8a3c7b8aaaac20d4c9276f2851cbba2b04d185"
CCM encrypt and tag NIST VADT AES-256 #15 (P=24, N=13, A=14, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"347e12eec56e95aafcc7d25bf10fc756b4e42bc2e43da7f97df24331f27f1f5c":"ca88dddfc876a12f45f19562bc9ca250f43267ab251a7f34":"b8d517b033754058128d13d11a":"511c6924fa96db716f6b053b7a48":"eeedcfa8f5b5b48c1d7e277526eecb7294213b9f5785167ae949b93003dfe63c95c1d49edfb4de3f"
CCM encrypt and tag NIST VADT AES-256 #16 (P=24, N=13, A=15, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"520902aa27c16dee112812b2e685aa203aeb8b8633bd1bfc99728a482d96c1fe":"533fee7d2c7740db55770e48cb1b541d990ea3f8f08ed1a6":"ddf50502f414c1bf24888f1328":"22b4f8f1aac02a9b2ef785d0ff6f93":"fc867b319e0e4ab45ec518a1b5dcec4f29982173f3abfd4d8a8f8d14d2bdac84c3737cfbd75b7c0b"
CCM encrypt and tag NIST VADT AES-256 #17 (P=24, N=13, A=16, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"57da1c2704219ed59abfdf04743a9a93c87a63d471818de0f1564b2db6421562":"ddc3c1aa73fb6de92bb4db138e26f3c2e0543ab4f5924871":"4b60a47b7e90f622fa0bf803e1":"0ae8c012ff39753510df3ee80707e4e2":"daa8256d4753fdf9cfef876295badaba89b45cc497f54d220ec2c6fb687753bca4580adc6aa2f296"
CCM encrypt and tag NIST VADT AES-256 #18 (P=24, N=13, A=17, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9267ebc99ccf648b146cba3c251187e24a9947d806ceb0ced6894211641a1e0d":"967daf12f16f166b7b5038f83a1cf0b980f5abf4c7746f2a":"9b7298950280e8762ecdc9bbe4":"5824689453bc406bf891b85e4576e38fe8":"7cfe2a7a54306eb8d8a63d3d1ae86794f9a2c22198b2cb4f10ca926f1a430c08c12e23db3d913e93"
CCM encrypt and tag NIST VADT AES-256 #19 (P=24, N=13, A=18, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7a855e1690ee638de01db43b37401dcd569c1ae03dc73dd0a917d0cadb5abc29":"33ae68ebb8010c6b3da6b9cb29fe9f8bd09b59ec39f4ce4b":"8f160a873a1166c8b32bccbba7":"72674aca7eba2fc0eeafbd143c2c4d8aa6c8":"b22afdf4f12c43ec23e01ac1215a3f5286059211207e957057e9a9203da74387a9468f8af5e27547"
CCM encrypt and tag NIST VADT AES-256 #20 (P=24, N=13, A=19, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0ebdc6ddb4c502725dd6ee8da95d56a0d1044b4694d6ba8475a4434f23a8474f":"c7360282c85484a5a33ab1c68dd70873ab4e74ffd4a62cd5":"fb717a8c82114477253acc14f6":"41e9d65632f74f449a6842d5e6c4a86ef83791":"2e961b3a2fa1609a4e6fd04bff6ac5e306ae2638706f997b42be2e2ba05c54b619850db5c9d684fe"
CCM encrypt and tag NIST VADT AES-256 #21 (P=24, N=13, A=20, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ff64bbec197a63315c2f328dcb4837d0cdc21a5d6f89ff1d97cb51195330cd8":"4a17522da707b4b2587a0ae367a2cd2831bb593a18ef442a":"a235f8ee3de9896b71910ac02c":"2b411bea57b51d10a4d2fb17ef0f204aa53cf112":"1bf122798bd8ee8e73391d589bd046a294d1615794e69cb9e6f3ba30143acbc3a1c1c6ec74333107"
CCM encrypt and tag NIST VADT AES-256 #22 (P=24, N=13, A=21, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"24e9f08a9a007f9976919e10dc432002e2e078a339677f00105c72ed35633a3f":"d3416a81b4246eb0bf8119a72a886bbc0ac9449c69f71d2f":"15977424eeec0ec7f647e6c798":"2d838eb51a4bc69a001a18adf2084a680f02a3c5fc":"e001a8fae390dc5d672cdd18f86a1f728158ec83a002050def9af5679edbcbb7db20ab6af30698db"
CCM encrypt and tag NIST VADT AES-256 #23 (P=24, N=13, A=22, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0ec1b22b8df05dc92135d2dfbefed8ea81458f5ea1b801e8a218faf6cbdf1a79":"2f59d94d4ab8eeb84c2a6fefb7fb0a3ac059c1e1a65ae34a":"97ebcb8575bb58260208d5c227":"a2f6337f86dd00d1a58448851e95d8c9bace4a5c8710":"7ca0b1dbe34b0391e524b868b0af08b3e096917664d6aa2cabc1f9d0132394149c9062b74b82f04b"
CCM encrypt and tag NIST VADT AES-256 #24 (P=24, N=13, A=23, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0875020959ed969cfb38636d1d5aabce9658b00171a7614ea9e5395331c7659c":"065ef9eeafbe077c1c7049f43eb0d8999708e8609f214d5c":"451101250ec6f26652249d59dc":"7cc9c51b69f98a06391ab32742fb6365e15106c811fe8a":"990065322a438e136860f7b019807e9feff52a642bf3d44a9163fa7a867f04cab6f52dc250070f31"
CCM encrypt and tag NIST VADT AES-256 #25 (P=24, N=13, A=24, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ef4c1d2314e671f666cc6667660f1438a293208c7cc29b412d81277f0a635c91":"c99c3e79125b6fd95e737326a842424eb6c6ecea4c0475c4":"50b23b052922366c25dd40e348":"cd0522ebe1fed82465277d1c10ae9316a98b4469be63b180":"76df4be4ec8373864399acda11294b220b9f7c3a7d2b3660b25764e40ac6a171e7e6bab4fdee4288"
CCM encrypt and tag NIST VADT AES-256 #26 (P=24, N=13, A=25, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8544808e8fbf8c3a5e1d4ca751d4b603af9fe119eabc6923205815e0e748b7e7":"617d54fc6a23601c79e3984f93bfc2d151fde420863206b3":"b44a58724596b4d8dea827c1a0":"f5b2c88f5232c37273b1e66aa31cfa7201e33c21d60054d025":"57b3414db48982c6567265e1e0173bf38fdfaffe4461fbebc1411af83237c0f9eb0bfe8ed914da66"
CCM encrypt and tag NIST VADT AES-256 #27 (P=24, N=13, A=26, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e19eaddd9f1574447e7e6525f7fd67e3b42807e44fbb60e75d8c3e98abc18361":"b3b0de10b7c0996662f1b064e04e528b7d85ca1166985d33":"a8c459ce0223358826fb1ec0f0":"ef88f4393d6c1e7b7be55a12144209ee051bb779e440432721ef":"d63e6082c95c6c5ff2bc0771321a4f883ef61cff7b99e0ea8a20a1abe7c842ebc08c8c81a2743c81"
CCM encrypt and tag NIST VADT AES-256 #28 (P=24, N=13, A=27, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9498f02e50487cfbda1ce6459e241233bd4c4cb10281dcb51915dbc7fb6545c0":"0d16cc69caa9f19b88b05e151b3d26accd018ca4a5786a80":"e3bd4bc3a60cddd26c20aa8636":"70cfcb828d483216b46c3cd22e2f9ee879e9e3059b566179b6e16c":"f1c4bedb8d6f91676881daa37656a7e6402f472735b04a0f1f8332f4236437737438e7aa1b5100c7"
CCM encrypt and tag NIST VADT AES-256 #29 (P=24, N=13, A=28, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3ac7d5bc4698c021e49a685cd71057e09821633957d1d59c3c30cbc3f2d1dbf8":"89198d3acc39b950f0d411119c478c60b2422ffe7e26e00b":"54c8ff5459702aac058bb3be04":"ecbd7091732e49c0f4bda2e63235ea43bbf8c8730f955f9c049dd1ec":"7717b8e4447afcea1eeebf3e39ffdab2f52828e7931ef27e475acd27900478f09fec1f479ab3a7c8"
CCM encrypt and tag NIST VADT AES-256 #30 (P=24, N=13, A=29, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"948882c3667caa81c9b900996e3d591e6fcb3d08333eeb29911e9c6338710c17":"8b9130b0c3c15366831bbb19f377e3209a8dbf7619cd09bd":"43b0aca2f0a9030f90559fa6d3":"a516ca8405e5c8854e667921b5c5e1968bdd052915b55ac9984b7eefb3":"4646b2acdeb11174171da23999cd54e297daa32bbc13d30512e57c576b315f48c11877178389aaa0"
CCM encrypt and tag NIST VADT AES-256 #31 (P=24, N=13, A=30, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3bf52cc5ee86b9a0190f390a5c0366a560b557000dbe5115fd9ee11630a62769":"094b538110495e938b08cf748a6bcf3e0c80ff9c66570237":"f9fbd02f28ecc929d369182752":"ebf0b3e3199a5c3773c761c725c7600add5f9d8321c9f8e5e5fd1c7a5d2f":"4d8b53016fc8bc9677184c0fa15bbd3d671b9366d82ecb67f8562eadcdcbcdbad1299bea1523f5d2"
CCM encrypt and tag NIST VADT AES-256 #32 (P=24, N=13, A=31, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e45bb1730d0d539aab3805350ac986540de9f0f6c239ee70395c291397b70309":"bc8b3bc48c7a88c9fafde258b6ccaa9d4f0d018703d63871":"d5c7824af715bb7822b6b340fe":"860f4a09ad8b3d345c2aa18ffb803f0bc3b734a4d047a1437701a5e3d95288":"95f083ad6bbaee6ab540fe023858f8baf25e333fd3e89c00e678a392d228b210dc5c991905dacf3f"
CCM encrypt and tag NIST VADT AES-256 #33 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e6e34070caf1b8820ed39edfa83459abe1c15a1827f1c39f7ac316c4c27910f":"771a7baa9cf83aa253349f6475d5e74dba4525307b022ba7":"c49ccef869bb86d21932cb443b":"d37e35d7cdccd9824a1ae4c787819735e4af798a3beb49d4705336d6496853ad":"eebac2475004970071dfa2cfb855c4e78b1add8dcbccfc0bd6b14027324b657a56263df148665393"
CCM auth decrypt tag NIST DVPT AES-128 #1 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"02209f55":"5a8aa485c316e9":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-128 #2 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"9a04c241":"3796cf51b87266":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #3 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"75d582db43ce9b13ab4b6f7f14341330":"5a8aa485c316e9":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-128 #4 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"3a65e03af37b81d05acc7ec1bc39deb0":"3796cf51b87266":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #5 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"90156f3f":"5a8aa485c316e9403aff859fbb":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-128 #6 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"88909016":"a16a2e741f1cd9717285b6d882":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #7 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"fb04dc5a44c6bb000f2440f5154364b4":"5a8aa485c316e9403aff859fbb":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-128 #8 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5447075bf42a59b91f08064738b015ab":"a16a2e741f1cd9717285b6d882":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #9 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"a90e8ea44085ced791b2fdb7fd44b5cf0bd7d27718029bb703e1fa6b":"5a8aa485c316e9":"":4:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
CCM auth decrypt tag NIST DVPT AES-128 #10 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"50aafe0578c115c4a8e126ff7b3ccb64dce8ccaa8ceda69f23e5d81c":"31f8fa25827d48":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #11 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"24ab9eeb0e5508cae80074f1070ee188a637171860881f1f2d9a3fbc210595b7b8b1b41523111a8e":"5a8aa485c316e9":"":16:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
CCM auth decrypt tag NIST DVPT AES-128 #12 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"7ebfda6fa5da1dbffd82dc29b875798fbcef8ba0084fbd2463af747cc88a001fa94e060290f209c4":"31f8fa25827d48":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #13 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134a3e138b9":"5a8aa485c316e9403aff859fbb":"":4:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
CCM auth decrypt tag NIST DVPT AES-128 #14 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"118ec53dd1bfbe52d5b9fe5dfebecf2ee674ec983eada654091a5ae9":"49004912fdd7269279b1f06a89":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #15 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb6a9a970b9beb2ac1bd4fd62168f8378a":"5a8aa485c316e9403aff859fbb":"":16:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
CCM auth decrypt tag NIST DVPT AES-128 #16 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"0c56a503aa2c12e87450d45a7b714db980fd348f327c0065a65666144994bad0c8195bcb4ade1337":"49004912fdd7269279b1f06a89":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #17 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"782e4318":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:""
CCM auth decrypt tag NIST DVPT AES-128 #18 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"a04f270a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #19 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"41b476013f45e4a781f253a6f3b1e530":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:""
CCM auth decrypt tag NIST DVPT AES-128 #20 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"f9f018fcd125822616083fffebc4c8e6":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #21 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"9f69f24f":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:""
CCM auth decrypt tag NIST DVPT AES-128 #22 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"e17afaa4":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #23 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"1859ac36a40a6b28b34266253627797a":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:""
CCM auth decrypt tag NIST DVPT AES-128 #24 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"edf8b46eb69ac0044116019dec183072":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #25 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"6be31860ca271ef448de8f8d8b39346daf4b81d7e92d65b338f125fa":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
CCM auth decrypt tag NIST DVPT AES-128 #26 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"4cc57a9927a6bc401441870d3193bf89ebd163f5c01501c728a66b69":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #27 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"b351ab96b2e45515254558d5212673ee6c776d42dbca3b512cf3a20b7fd7c49e6e79bef475c2906f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
CCM auth decrypt tag NIST DVPT AES-128 #28 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"df1a5285caa41b4bb47f6e5ceceba4e82721828d68427a3081d18ca149d6766bfaccec88f194eb5b":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #29 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"934f893824e880f743d196b22d1f340a52608155087bd28ac25e5329":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
CCM auth decrypt tag NIST DVPT AES-128 #30 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"f43ba9d834ad85dfab3f1c0c27c3441fe4e411a38a261a6559b3b3ee":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-128 #31 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"50038b5fdd364ee747b70d00bd36840ece4ea19998123375c0a458bfcafa3b2609afe0f825cbf503":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
CCM auth decrypt tag NIST DVPT AES-128 #32 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"78ed8ff6b5a1255d0fbd0a719a9c27b059ff5f83d0c4962c390042ba8bb5f6798dab01c5afad7306":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #1 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"9d4b7f3b":"5a8aa485c316e9":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-192 #2 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"80745de9":"3796cf51b87266":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #3 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"17223038fa99d53681ca1beabe78d1b4":"5a8aa485c316e9":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-192 #4 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"d0e1eeef4d2a264536bb1c2c1bde7c35":"3796cf51b87266":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #5 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"fe69ed84":"5a8aa485c316e9403aff859fbb":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-192 #6 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"db7ffc82":"a16a2e741f1cd9717285b6d882":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #7 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"0c66a8e547ed4f8c2c9a9a1eb5d455b9":"5a8aa485c316e9403aff859fbb":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-192 #8 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"38757b3a61a4dc97ca3ab88bf1240695":"a16a2e741f1cd9717285b6d882":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #9 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138cddc93a54":"5a8aa485c316e9":"":4:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
CCM auth decrypt tag NIST DVPT AES-192 #10 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"32b649ab56162e55d4148a1292d6a225a988eb1308298273b6889036":"31f8fa25827d48":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #11 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"cba4b4aeb85f0492fd8d905c4a6d8233139833373ef188a8c5a5ebecf7ac8607fe412189e83d9d20":"5a8aa485c316e9":"":16:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
CCM auth decrypt tag NIST DVPT AES-192 #12 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"ca62713728b5c9d652504b0ae8fd4fee5d297ee6a8d19cb6e699f15f14d34dcaf9ba8ed4b877c97d":"31f8fa25827d48":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #13 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"042653c674ef2a90f7fb11d30848e530ae59478f1051633a34fad277":"5a8aa485c316e9403aff859fbb":"":4:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
CCM auth decrypt tag NIST DVPT AES-192 #14 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"1902d9769a7ba3d3268e1257395c8c2e5f98eef295dcbfa5a35df775":"49004912fdd7269279b1f06a89":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #15 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671ea7ade30a07d185692ab0ebdf4c78cf7a":"5a8aa485c316e9403aff859fbb":"":16:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
CCM auth decrypt tag NIST DVPT AES-192 #16 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"9a98617fb97a0dfe466be692272dcdaec1c5443a3b51312ef042c86363cc05afb98c66e16be8a445":"49004912fdd7269279b1f06a89":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #17 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"1d089a5f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:""
CCM auth decrypt tag NIST DVPT AES-192 #18 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"2f46022a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #19 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5280a2137fee3deefcfe9b63a1199fb3":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:""
CCM auth decrypt tag NIST DVPT AES-192 #20 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"d40a7318c5f2d82f838c0beeefe0d598":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #21 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5e0eaebd":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:""
CCM auth decrypt tag NIST DVPT AES-192 #22 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"71b7fc33":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #23 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"d07ccf9fdc3d33aa94cda3d230da707c":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:""
CCM auth decrypt tag NIST DVPT AES-192 #24 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"65fe32b649dc328c9f531584897e85b3":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #25 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"9f6ca4af9b159148c889a6584d1183ea26e2614874b0504575dea8d1":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
CCM auth decrypt tag NIST DVPT AES-192 #26 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"84d8212e9cfc2121252baa3b065b1edcf50497b9594db1ebd7965825":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #27 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"6aab64c4787599d8f213446beadb16e08dba60e97f56dbd14d1d980d6fe0fb44b421992662b97975":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
CCM auth decrypt tag NIST DVPT AES-192 #28 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"4980b2ee49b1aaf393175f5ab9bae95ec7904557dfa206603c51d36c826f01384100886198a7f6a3":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #29 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"16e543d0e20615ff0df15acd9927ddfe40668a54bb854cccc25e9fce":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
CCM auth decrypt tag NIST DVPT AES-192 #30 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"df35b109caf690656ae278bbd8f8bba687a2ce11b105dae98ecedb3e":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-192 #31 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"c5b0b2ef17498c5570eb335df4588032958ba3d69bf6f3178464a6f7fa2b76744e8e8d95691cecb8":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
CCM auth decrypt tag NIST DVPT AES-192 #32 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"d1f0518929f4ae2f0543de2a7dfe4bb0110bb3057e524a1c06bd6dc2e6bcc3436cffb969ae900388":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #1 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"469c90bb":"a544218dadd3c1":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-256 #2 (P=0, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"46a908ed":"d3d5424e20fbec":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #3 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8207eb14d33855a52acceed17dbcbf6e":"a544218dadd3c1":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-256 #4 (P=0, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"60f8e127cb4d30db6df0622158cd931d":"d3d5424e20fbec":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #5 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8a19a133":"a544218dadd3c10583db49cf39":"":4:0:""
CCM auth decrypt tag NIST DVPT AES-256 #6 (P=0, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"2e317f1b":"3c0e2815d37d844f7ac240ba9d":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #7 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"97e1a8dd4259ccd2e431e057b0397fcf":"a544218dadd3c10583db49cf39":"":16:0:""
CCM auth decrypt tag NIST DVPT AES-256 #8 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"5a9596c511ea6a8671adefc4f2157d8b":"3c0e2815d37d844f7ac240ba9d":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #9 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"64a1341679972dc5869fcf69b19d5c5ea50aa0b5e985f5b722aa8d59":"a544218dadd3c1":"":4:0:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
CCM auth decrypt tag NIST DVPT AES-256 #10 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"c5b7f802bffc498c1626e3774f1d9f94045dfd8e1a10a20277d00a75":"bfcda8b5a2d0d2":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #11 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bc51c3925a960e7732533e4ef3a4f69ee6826de952bcb0fd374f3bb6db8377ebfc79674858c4f305":"a544218dadd3c1":"":16:0:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
CCM auth decrypt tag NIST DVPT AES-256 #12 (P=24, N=7, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"afa1fa8e8a70e26b02161150556d604101fdf423f332c3363275f2a4907d51b734fe7238cebbd48f":"bfcda8b5a2d0d2":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #13 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f4123d14fb3f":"a544218dadd3c10583db49cf39":"":4:0:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
CCM auth decrypt tag NIST DVPT AES-256 #14 (P=24, N=13, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bb5425b3869b76856ec58e39886fb6f6f2ac13fe44cb132d8d0c0099":"894dcaa61008eb8fb052c60d41":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #15 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"f0050ad16392021a3f40207bed3521fb1e9f808f49830c423a578d179902f912f9ea1afbce1120b3":"a544218dadd3c10583db49cf39":"":16:0:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
CCM auth decrypt tag NIST DVPT AES-256 #16 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"c408190d0fbf5034f83b24a8ed9657331a7ce141de4fae769084607b83bd06e6442eac8dacf583cc":"894dcaa61008eb8fb052c60d41":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #17 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"92d00fbe":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:0:""
CCM auth decrypt tag NIST DVPT AES-256 #18 (P=0, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"9143e5c4":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #19 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"93af11a08379eb37a16aa2837f09d69d":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:0:""
CCM auth decrypt tag NIST DVPT AES-256 #20 (P=0, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"d19b0c14ec686a7961ca7c386d125a65":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #21 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"866d4227":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:0:""
CCM auth decrypt tag NIST DVPT AES-256 #22 (P=0, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"94cb1127":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"867b0d87cf6e0f718200a97b4f6d5ad5":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:0:""
CCM auth decrypt tag NIST DVPT AES-256 #24 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"677a040d46ee3f2b7838273bdad14f16":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #25 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"c2fe12658139f5d0dd22cadf2e901695b579302a72fc56083ebc7720":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:0:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
CCM auth decrypt tag NIST DVPT AES-256 #26 (P=24, N=7, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"94748ba81229e53c38583a8564b23ebbafc6f6efdf4c2a81c44db2c9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #27 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"3341168eb8c48468c414347fb08f71d2086f7c2d1bd581ce1ac68bd42f5ec7fa7e068cc0ecd79c2a":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:0:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
CCM auth decrypt tag NIST DVPT AES-256 #28 (P=24, N=7, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"d543acda712b898cbb27b8f598b2e4438ce587a836e2785147c3338a2400809e739b63ba8227d2f9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #29 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"c0ea400b599561e7905b99262b4565d5c3dc49fad84d7c69ef891339":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:0:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
CCM auth decrypt tag NIST DVPT AES-256 #30 (P=24, N=13, A=32, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"60871e03ea0eb968536c99f926ea24ef43d41272ad9fb7f63d488623":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM auth decrypt tag NIST DVPT AES-256 #31 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"8d34cdca37ce77be68f65baf3382e31efa693e63f914a781367f30f2eaad8c063ca50795acd90203":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:0:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
CCM auth decrypt tag NIST DVPT AES-256 #32 (P=24, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"516c0095cc3d85fd55e48da17c592e0c7014b9daafb82bdc4b41096dfdbe9cc1ab610f8f3e038d16":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
CCM-Camellia encrypt and tag RFC 5528 #1
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000003020100A0A1A2A3A4A5":"0001020304050607":"BA737185E719310492F38A5F1251DA55FAFBC949848A0DFCAECE746B3DB9AD"
CCM-Camellia encrypt and tag RFC 5528 #2
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00000004030201A0A1A2A3A4A5":"0001020304050607":"5D2564BF8EAFE1D99526EC016D1BF0424CFBD2CD62848F3360B2295DF24283E8"
CCM-Camellia encrypt and tag RFC 5528 #3
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20":"00000005040302A0A1A2A3A4A5":"0001020304050607":"81F663D6C7787817F9203608B982AD15DC2BBD87D756F79204F551D6682F23AA46"
CCM-Camellia encrypt and tag RFC 5528 #4
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E":"00000006050403A0A1A2A3A4A5":"000102030405060708090A0B":"CAEF1E827211B08F7BD90F08C77288C070A4A08B3A933A63E497A0"
CCM-Camellia encrypt and tag RFC 5528 #5
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F":"00000007060504A0A1A2A3A4A5":"000102030405060708090A0B":"2AD3BAD94FC52E92BE438E827C1023B96A8A77258FA17BA7F331DB09"
CCM-Camellia encrypt and tag RFC 5528 #6
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F20":"00000008070605A0A1A2A3A4A5":"000102030405060708090A0B":"FEA5480BA53FA8D3C34422AACE4DE67FFA3BB73BABAB36A1EE4FE0FE28"
CCM-Camellia encrypt and tag RFC 5528 #7
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000009080706A0A1A2A3A4A5":"0001020304050607":"54532026E54C119A8D36D9EC6E1ED97416C8708C4B5C2CACAFA3BCCF7A4EBF9573"
CCM-Camellia encrypt and tag RFC 5528 #8
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"0000000A090807A0A1A2A3A4A5":"0001020304050607":"8AD19B001A87D148F4D92BEF34525CCCE3A63C6512A6F5757388E4913EF14701F441"
CCM-Camellia encrypt and tag RFC 5528 #9
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20":"0000000B0A0908A0A1A2A3A4A5":"0001020304050607":"5DB08D62407E6E31D60F9CA2C60474219AC0BE50C0D4A5778794D6E230CD25C9FEBF87"
CCM-Camellia encrypt and tag RFC 5528 #10
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E":"0000000C0B0A09A0A1A2A3A4A5":"000102030405060708090A0B":"DB118CCEC1B8761C877CD8963A67D6F3BBBC5CD09299EB11F312F23237"
CCM-Camellia encrypt and tag RFC 5528 #11
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F":"0000000D0C0B0AA0A1A2A3A4A5":"000102030405060708090A0B":"7CC83D8DC49103525B483DC5CA7EA9AB812B7056079DAFFADA16CCCF2C4E"
CCM-Camellia encrypt and tag RFC 5528 #12
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0C0D0E0F101112131415161718191A1B1C1D1E1F20":"0000000E0D0C0BA0A1A2A3A4A5":"000102030405060708090A0B":"2CD35B8820D23E7AA351B0E92FC79367238B2CC748CBB94C2947793D64AF75"
CCM-Camellia encrypt and tag RFC 5528 #13
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"C6B5F3E6CA2311AEF7472B203E735EA561ADB17D56C5A3":"00A970110E1927B160B6A31C1C":"6B7F464507FAE496":"A435D727348DDD22907F7EB8F5FDBB4D939DA6524DB4F64558C02D25B127EE"
CCM-Camellia encrypt and tag RFC 5528 #14
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"01F6CE6764C574483BB02E6BBF1E0ABD26A22572B4D80EE7":"0083CD8CE0CB42B160B6A31C1C":"986605B43DF15DE7":"8AE052508FBECA932E346F05E0DC0DFBCF939EAFFA3E587C867D6E1C48703806"
CCM-Camellia encrypt and tag RFC 5528 #15
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"CDF1D8406FC2E9014953897005FBFB8BA57276F92404608E08":"005F54950B18F2B160B6A31C1C":"48F2E7E1A7671A51":"08B67EE21C8BF26E473E408599E9C0836D6AF0BB18DF55466CA80878A790476DE5"
CCM-Camellia encrypt and tag RFC 5528 #16
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"B005DCFA0B59181426A961685A993D8C43185B":"00EC600863319AB160B6A31C1C":"DE97DF3B8CBD6D8E5030DA4C":"63B78B4967B19EDBB733CD1114F64EB226089368C354828D950CC5"
CCM-Camellia encrypt and tag RFC 5528 #17
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"2E20211298105F129D5ED95B93F72D30B2FACCD7":"0060CFF1A31EA1B160B6A31C1C":"A5EE93E457DF05466E782DCF":"0BC6BBE2A8B909F4629EE6DC148DA44410E18AF43147383276F66A9F"
CCM-Camellia encrypt and tag RFC 5528 #18
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"2645941E75632D3491AF0FC0C9876C3BE4AA7468C9":"000F85CD995C97B160B6A31C1C":"24AA1BF9A5CD876182A25074":"222AD632FA31D6AF970C345F7E77CA3BD0DC25B340A1A3D31F8D4B44B7"
CCM-Camellia encrypt and tag RFC 5528 #19
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"070135A6437C9DB120CD61D8F6C39C3EA125FD95A0D23D":"00C29B2CAAC4CDB160B6A31C1C":"691946B9CA07BE87":"05B8E1B9C49CFD56CF130AA6251DC2ECC06CCC508FE697A0066D57C84BEC182768"
CCM-Camellia encrypt and tag RFC 5528 #20
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"C8C0880E6C636E20093DD6594217D2E18877DB264E71A5CC":"002C6B7595EE62B160B6A31C1C":"D0C54ECB84627DC4":"54CEB968DEE23611575EC003DFAA1CD48849BDF5AE2EDB6B7FA775B150ED4383C5A9"
CCM-Camellia encrypt and tag RFC 5528 #21
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"F75DAA0710C4E64297794DC2B7D2A20757B1AA4E448002FFAB":"00C53CD4C2AA24B160B6A31C1C":"E285E0E4808CDA3D":"B1404546BF667210CA28E309B39BD6CA7E9FC8285FE698D43CD20A02E0BDCAED2010D3"
CCM-Camellia encrypt and tag RFC 5528 #22
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"C238822FAC5F98FF929405B0AD127A4E41854E":"00BEE9267FBADCB160B6A31C1C":"6CAEF9941141570D7C813405":"94C8959C11569A297831A721005857AB61B87A2DEA0936B6EB5F625F5D"
CCM-Camellia encrypt and tag RFC 5528 #23
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"4DBF3E774AD245E5D5891F9D1C32A0AE022C85D7":"00DFA8B1245007B160B6A31C1C":"36A52CF16B19A2037AB7011E":"5869E3AAD2447C74E0FC05F9A4EA74577F4DE8CA8924764296AD04119CE7"
CCM-Camellia encrypt and tag RFC 5528 #24
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966945F1FCEA7E11BEE6A2F"
CCM encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b"
CCM* encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b"
CCM decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54"
CCM* decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54"
CCM encrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM decrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* encrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* decrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880"
CCM* encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880"
CCM decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5"
CCM* decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5"
CCM encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16))
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16))
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM* encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM* decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM* encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM* decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM pass unexpected auth data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_unexpected_ad::MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, unexpected ciphertext/plaintext data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_unexpected_text:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, no auth NIST VADT AES-256 #1 (P=24, N=13)
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_ccm_star_no_tag:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886df3ba3e6da3a1389":"30d56ff2a25b83fee791110fcaea48e41db7c7f098a81000":"72a60f345a1978fb40f28a2fa4":"55f068c0bbba8b598013dd1841fd740fda2902322148ab5e"
CCM* decrypt, no auth NIST DVPT AES-128 #15 (P=24, N=13)
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
mbedtls_ccm_star_no_tag:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"90929a4b0ac65b350ad1591611fe4829":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function
index 5aaaaa2..dbb313b 100644
--- a/tests/suites/test_suite_ccm.function
+++ b/tests/suites/test_suite_ccm.function
@@ -66,10 +66,12 @@ exit:
* END_DEPENDENCIES
*/
-/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */
void mbedtls_ccm_self_test()
{
+ BLOCK_CIPHER_PSA_INIT();
TEST_ASSERT(mbedtls_ccm_self_test(1) == 0);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
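Review bot: In `mbedtls_ccm_self_test` the added `BLOCK_CIPHER_PSA_DONE();` is reached only when the assertion passes. If `TEST_ASSERT` jumps to the function's exit path on failure, which the `exit:` labels in the other cases of this file suggest, the state set up by `BLOCK_CIPHER_PSA_INIT()` stays live into the next test case. Every other case touched in this file puts the teardown under an `exit:` label; doing the same here means adding `exit:` on the line before `BLOCK_CIPHER_PSA_DONE();`.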
@@ -80,6 +82,7 @@ void mbedtls_ccm_setkey(int cipher_id, int key_size, int result)
unsigned char key[32];
int ret;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
memset(key, 0x2A, sizeof(key));
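Review bot: `BLOCK_CIPHER_PSA_INIT();` is placed before `mbedtls_ccm_init(&ctx);` in `mbedtls_ccm_setkey`. If the PSA initialisation can fail and jump to `exit` (the macro's definition is not shown in this file's diff), `mbedtls_ccm_free(&ctx)` in the cleanup path would run on a context that was never initialised. Swapping the two lines, `mbedtls_ccm_init(&ctx);` then `BLOCK_CIPHER_PSA_INIT();`, keeps the exit path safe either way. The same order appears in every later hunk of this file that adds `BLOCK_CIPHER_PSA_INIT()`. The function body starts and ends outside this hunk.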
@@ -90,10 +93,11 @@ void mbedtls_ccm_setkey(int cipher_id, int key_size, int result)
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+/* BEGIN_CASE depends_on:MBEDTLS_CCM_GCM_CAN_AES */
void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res)
{
mbedtls_ccm_context ctx;
@@ -105,6 +109,7 @@ void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res)
unsigned char tag[18];
int decrypt_ret;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_CALLOC_OR_SKIP(add, add_len);
@@ -132,10 +137,11 @@ void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res)
exit:
mbedtls_free(add);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+/* BEGIN_CASE depends_on:MBEDTLS_CCM_GCM_CAN_AES */
void ccm_star_lengths(int msg_len, int iv_len, int add_len, int tag_len,
int res)
{
@@ -148,6 +154,7 @@ void ccm_star_lengths(int msg_len, int iv_len, int add_len, int tag_len,
unsigned char tag[18];
int decrypt_ret;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
memset(key, 0, sizeof(key));
@@ -174,6 +181,7 @@ void ccm_star_lengths(int msg_len, int iv_len, int add_len, int tag_len,
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -198,6 +206,7 @@ void mbedtls_ccm_encrypt_and_tag(int cipher_id, data_t *key,
/* Prepare tag buffer */
TEST_CALLOC(tag_buf, expected_tag_len);
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
/* Test with input == output */
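Review bot: `TEST_CALLOC(tag_buf, expected_tag_len);` runs before both `BLOCK_CIPHER_PSA_INIT();` and `mbedtls_ccm_init(&ctx);` in `mbedtls_ccm_encrypt_and_tag`. If the allocation fails and jumps to `exit`, and the `exit:` block in the following hunk belongs to this function, then `mbedtls_ccm_free(&ctx)` and `BLOCK_CIPHER_PSA_DONE()` run with neither initialised. Moving `mbedtls_ccm_init(&ctx);` and `BLOCK_CIPHER_PSA_INIT();` above the first statement that can fail would close that path. `mbedtls_ccm_skip_ad` has the same shape, with `TEST_EQUAL(msg->len, result->len);` ahead of both init calls. The function starts before this hunk, so earlier allocations may be affected as well.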
@@ -230,6 +239,7 @@ exit:
mbedtls_ccm_free(&ctx);
mbedtls_free(io_msg_buf);
mbedtls_free(tag_buf);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -241,6 +251,7 @@ void mbedtls_ccm_star_no_tag(int cipher_id, int mode, data_t *key,
uint8_t *output = NULL;
size_t olen;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -255,6 +266,7 @@ void mbedtls_ccm_star_no_tag(int cipher_id, int mode, data_t *key,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -277,6 +289,7 @@ void mbedtls_ccm_auth_decrypt(int cipher_id, data_t *key,
memcpy(io_msg_buf, msg->x, expected_msg_len);
}
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
/* Test with input == output */
@@ -317,6 +330,7 @@ void mbedtls_ccm_auth_decrypt(int cipher_id, data_t *key,
exit:
mbedtls_free(io_msg_buf);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -364,6 +378,7 @@ void mbedtls_ccm_star_encrypt_and_tag(int cipher_id,
iv[source_address->len + frame_counter->len] = sec_level;
iv_len = sizeof(iv);
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id,
key->x, key->len * 8), 0);
@@ -402,6 +417,7 @@ exit:
mbedtls_ccm_free(&ctx);
mbedtls_free(io_msg_buf);
mbedtls_free(tag_buf);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -443,6 +459,7 @@ void mbedtls_ccm_star_auth_decrypt(int cipher_id,
iv[source_address->len + frame_counter->len] = sec_level;
iv_len = sizeof(iv);
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_ASSERT(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8) == 0);
/* Test with input == output */
@@ -479,6 +496,7 @@ void mbedtls_ccm_star_auth_decrypt(int cipher_id,
exit:
mbedtls_ccm_free(&ctx);
mbedtls_free(io_msg_buf);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -495,6 +513,7 @@ void mbedtls_ccm_skip_ad(int cipher_id, int mode,
/* Sanity checks on the test data */
TEST_EQUAL(msg->len, result->len);
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -517,6 +536,7 @@ void mbedtls_ccm_skip_ad(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -529,6 +549,7 @@ void mbedtls_ccm_skip_update(int cipher_id, int mode,
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -545,6 +566,7 @@ void mbedtls_ccm_skip_update(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -556,6 +578,7 @@ void mbedtls_ccm_overflow_ad(int cipher_id, int mode,
{
mbedtls_ccm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -566,6 +589,7 @@ void mbedtls_ccm_overflow_ad(int cipher_id, int mode,
TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len));
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -577,6 +601,7 @@ void mbedtls_ccm_unexpected_ad(int cipher_id, int mode,
{
mbedtls_ccm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -586,6 +611,7 @@ void mbedtls_ccm_unexpected_ad(int cipher_id, int mode,
TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, add->len));
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -599,6 +625,7 @@ void mbedtls_ccm_unexpected_text(int cipher_id, int mode,
uint8_t *output = NULL;
size_t olen;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -614,6 +641,7 @@ void mbedtls_ccm_unexpected_text(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -625,6 +653,7 @@ void mbedtls_ccm_incomplete_ad(int cipher_id, int mode,
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -639,6 +668,7 @@ void mbedtls_ccm_incomplete_ad(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -651,6 +681,7 @@ void mbedtls_ccm_full_ad_and_overflow(int cipher_id, int mode,
{
mbedtls_ccm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -663,6 +694,7 @@ void mbedtls_ccm_full_ad_and_overflow(int cipher_id, int mode,
TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add->x, 1));
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -679,6 +711,7 @@ void mbedtls_ccm_incomplete_ad_and_overflow(int cipher_id, int mode,
add_second_buffer[0] = add->x[add->len - 1];
add_second_buffer[1] = 0xAB; // some magic value
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -691,6 +724,7 @@ void mbedtls_ccm_incomplete_ad_and_overflow(int cipher_id, int mode,
TEST_EQUAL(MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad(&ctx, add_second_buffer, 2));
exit:
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -704,6 +738,7 @@ void mbedtls_ccm_overflow_update(int cipher_id, int mode,
uint8_t *output = NULL;
size_t olen;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -719,6 +754,7 @@ void mbedtls_ccm_overflow_update(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -732,6 +768,7 @@ void mbedtls_ccm_incomplete_update(int cipher_id, int mode,
uint8_t *output = NULL;
size_t olen;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -752,6 +789,7 @@ void mbedtls_ccm_incomplete_update(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -766,6 +804,7 @@ void mbedtls_ccm_full_update_and_overflow(int cipher_id, int mode,
uint8_t *output = NULL;
size_t olen;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -783,6 +822,7 @@ void mbedtls_ccm_full_update_and_overflow(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -801,6 +841,7 @@ void mbedtls_ccm_incomplete_update_overflow(int cipher_id, int mode,
msg_second_buffer[0] = msg->x[msg->len - 1];
msg_second_buffer[1] = 0xAB; // some magic value
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -818,6 +859,7 @@ void mbedtls_ccm_incomplete_update_overflow(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -829,6 +871,7 @@ void mbedtls_ccm_instant_finish(int cipher_id, int mode,
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
@@ -842,5 +885,6 @@ void mbedtls_ccm_instant_finish(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_ccm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_cipher.aes.data b/tests/suites/test_suite_cipher.aes.data
index 92e9cdd..99a662b 100644
--- a/tests/suites/test_suite_cipher.aes.data
+++ b/tests/suites/test_suite_cipher.aes.data
@@ -1595,47 +1595,47 @@ depends_on:MBEDTLS_AES_C
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"fffffffffffffffffffffffff8000000":"2ca8209d63274cd9a29bb74bcd77683a":0
AES-128-ECB Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"db4f1aa530967d6732ce4715eb0ee24b":"ff000000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"a81738252621dd180a34f3455b4baa2f":"ff800000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"77e2b508db7fd89234caf7939ee5621a":"ffc00000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #4
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"dc43be40be0e53712f7e2bf5ca707209":"6a118a874519e64e9963798a503f1d35":0
AES-128-ECB Decrypt NIST KAT #5
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"92beedab1895a94faa69b632e5cc47ce":"cb9fceec81286ca3e989bd979b0cb284":0
AES-128-ECB Decrypt NIST KAT #6
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"459264f4798f6a78bacb89c15ed3d601":"b26aeb1874e47ca8358ff22378f09144":0
AES-128-ECB Decrypt NIST KAT #7
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"b69418a85332240dc82492353956ae0c":"a303d940ded8f0baff6f75414cac5243":"00000000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #8
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"71b5c08a1993e1362e4d0ce9b22b78d5":"c2dabd117f8a3ecabfbb11d12194d9d0":"00000000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #9
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"e234cdca2606b81f29408d5f6da21206":"fff60a4740086b3b9c56195b98d91a7b":"00000000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #10
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"ffffffffffffffff0000000000000000":"84be19e053635f09f2665e7bae85b42d":"00000000000000000000000000000000":0
AES-128-ECB Decrypt NIST KAT #11
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"ffffffffffffffff8000000000000000":"32cd652842926aea4aa6137bb2be2b5e":"00000000000000000000000000000000":0
AES-192-ECB Encrypt NIST KAT #1
@@ -1687,51 +1687,51 @@ depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_ENCRYPT:"fffffffffffffffffffffffffffe00000000000000000000":"00000000000000000000000000000000":"fd5548bcf3f42565f7efa94562528d46":0
AES-192-ECB Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffff000000000000000":"bb2852c891c5947d2ed44032c421b85f":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffff800000000000000":"1b9f5fbd5e8a4264c0a85b80409afa5e":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffffc00000000000000":"30dab809f85a917fe924733f424ac589":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #4
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"61257134a518a0d57d9d244d45f6498cbc32f2bafc522d79":"cfe4d74002696ccf7d87b14a2f9cafc9":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #5
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"b0ab0a6a818baef2d11fa33eac947284fb7d748cfb75e570":"d2eafd86f63b109b91f5dbb3a3fb7e13":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #6
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"ee053aa011c8b428cdcc3636313c54d6a03cac01c71579d6":"9b9fdd1c5975655f539998b306a324af":"00000000000000000000000000000000":0
AES-192-ECB Decrypt NIST KAT #7
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"275cfc0413d8ccb70513c3859b1d0f72":"1b077a6af4b7f98229de786d7516b639":0
AES-192-ECB Decrypt NIST KAT #8
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"c9b8135ff1b5adc413dfd053b21bd96d":"9c2d8842e5f48f57648205d39a239af1":0
AES-192-ECB Decrypt NIST KAT #9
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"4a3650c3371ce2eb35e389a171427440":"bff52510095f518ecca60af4205444bb":0
AES-192-ECB Decrypt NIST KAT #10
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"b2099795e88cc158fd75ea133d7e7fbe":"ffffffffffffffffffffc00000000000":0
AES-192-ECB Decrypt NIST KAT #11
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"a6cae46fb6fadfe7a2c302a34242817b":"ffffffffffffffffffffe00000000000":0
AES-192-ECB Decrypt NIST KAT #12
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"026a7024d6a902e0b3ffccbaa910cc3f":"fffffffffffffffffffff00000000000":0
AES-256-ECB Encrypt NIST KAT #1
@@ -1783,51 +1783,51 @@ depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_ENCRYPT:"ffffffffffffffffffffffffffffffffffffe000000000000000000000000000":"00000000000000000000000000000000":"dcf4e129136c1a4b7a0f38935cc34b2b":0
AES-256-ECB Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffffffffffffffffff00000000000000000":"edf61ae362e882ddc0167474a7a77f3a":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffffffffffffffffff80000000000000000":"6168b00ba7859e0970ecfd757efecf7c":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffffffffffffffffffc0000000000000000":"d1415447866230d28bb1ea18a4cdfd02":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #4
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"f8be9ba615c5a952cabbca24f68f8593039624d524c816acda2c9183bd917cb9":"a3944b95ca0b52043584ef02151926a8":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #5
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"797f8b3d176dac5b7e34a2d539c4ef367a16f8635f6264737591c5c07bf57a3e":"a74289fe73a4c123ca189ea1e1b49ad5":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #6
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"6838d40caf927749c13f0329d331f448e202c73ef52c5f73a37ca635d4c47707":"b91d4ea4488644b56cf0812fa7fcf5fc":"00000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #7
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"623a52fcea5d443e48d9181ab32c7421":"761c1fe41a18acf20d241650611d90f1":0
AES-256-ECB Decrypt NIST KAT #8
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"38f2c7ae10612415d27ca190d27da8b4":"8a560769d605868ad80d819bdba03771":0
AES-256-ECB Decrypt NIST KAT #9
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"1bc704f1bce135ceb810341b216d7abe":"91fbef2d15a97816060bee1feaa49afe":0
AES-256-ECB Decrypt NIST KAT #10
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"ddc6bf790c15760d8d9aeb6f9a75fd4e":"80000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #11
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"0a6bdc6d4c1e6280301fd8e97ddbe601":"c0000000000000000000000000000000":0
AES-256-ECB Decrypt NIST KAT #12
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_ecb:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"9b80eefb7ebe2d2b16247aa0efc72f5d":"e0000000000000000000000000000000":0
AES-128-ECB crypt Encrypt NIST KAT #1
@@ -1843,15 +1843,15 @@ depends_on:MBEDTLS_AES_C
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"":"ffffffffffffffc00000000000000000":"3a4d354f02bb5a5e47d39666867f246a":0:0
AES-128-ECB crypt Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"":"db4f1aa530967d6732ce4715eb0ee24b":"ff000000000000000000000000000000":0:0
AES-128-ECB crypt Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"b69418a85332240dc82492353956ae0c":"":"a303d940ded8f0baff6f75414cac5243":"00000000000000000000000000000000":0:0
AES-128-ECB crypt Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_AES_C:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"ffffffffffffffff8000000000000000":"":"32cd652842926aea4aa6137bb2be2b5e":"00000000000000000000000000000000":0:0
AES-192-ECB crypt Encrypt NIST KAT #1
@@ -1871,19 +1871,19 @@ depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_ENCRYPT:"fffffffffffffffffffffffffff800000000000000000000":"":"00000000000000000000000000000000":"8dd274bd0f1b58ae345d9e7233f9b8f3":0:0
AES-192-ECB crypt Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffff000000000000000":"":"bb2852c891c5947d2ed44032c421b85f":"00000000000000000000000000000000":0:0
AES-192-ECB crypt Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"61257134a518a0d57d9d244d45f6498cbc32f2bafc522d79":"":"cfe4d74002696ccf7d87b14a2f9cafc9":"00000000000000000000000000000000":0:0
AES-192-ECB crypt Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"":"275cfc0413d8ccb70513c3859b1d0f72":"1b077a6af4b7f98229de786d7516b639":0:0
AES-192-ECB crypt Decrypt NIST KAT #4
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"":"b2099795e88cc158fd75ea133d7e7fbe":"ffffffffffffffffffffc00000000000":0:0
AES-256-ECB crypt Encrypt NIST KAT #1
@@ -1903,19 +1903,19 @@ depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_ENCRYPT:"ffffffffffffffffffffffffffffffffffff8000000000000000000000000000":"":"00000000000000000000000000000000":"45d089c36d5c5a4efc689e3b0de10dd5":0:0
AES-256-ECB crypt Decrypt NIST KAT #1
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"fffffffffffffffffffffffffffffffffffffffffffffff00000000000000000":"":"edf61ae362e882ddc0167474a7a77f3a":"00000000000000000000000000000000":0:0
AES-256-ECB crypt Decrypt NIST KAT #2
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"f8be9ba615c5a952cabbca24f68f8593039624d524c816acda2c9183bd917cb9":"":"a3944b95ca0b52043584ef02151926a8":"00000000000000000000000000000000":0:0
AES-256-ECB crypt Decrypt NIST KAT #3
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"623a52fcea5d443e48d9181ab32c7421":"761c1fe41a18acf20d241650611d90f1":0:0
AES-256-ECB crypt Decrypt NIST KAT #4
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"ddc6bf790c15760d8d9aeb6f9a75fd4e":"80000000000000000000000000000000":0:0
AES-128-CBC crypt Encrypt NIST KAT #1
@@ -2127,19 +2127,19 @@ depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e":0:1
AES-128-ECB crypt Decrypt NIST KAT #1 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"":"3ad78e726c1ec02b7ebfe92b23d9ec34":"80000000000000000000000000000000":0:1
AES-128-ECB crypt Decrypt NIST KAT #2 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"ffffc000000000000000000000000000":"":"df556a33438db87bc41b1752c55e5e49":"00000000000000000000000000000000":0:1
AES-128-ECB crypt Decrypt NIST KAT #3 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"10a58869d74be5a374cf867cfb473859":"":"6d251e6944b051e04eaa6fb4dbf78465":"00000000000000000000000000000000":0:1
AES-128-ECB crypt Decrypt NIST KAT #4 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_DECRYPT:"00000000000000000000000000000000":"":"0336763e966d92595a567cc9ce537f5e":"f34481ec3cc627bacd5dc3fb08f273e6":0:1
AES-192-ECB crypt Encrypt NIST KAT #1 PSA
@@ -2159,19 +2159,19 @@ depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_ENCRYPT:"000000000000000000000000000000000000000000000000":"":"1b077a6af4b7f98229de786d7516b639":"275cfc0413d8ccb70513c3859b1d0f72":0:1
AES-192-ECB crypt Decrypt NIST KAT #1 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"":"6cd02513e8d4dc986b4afe087a60bd0c":"80000000000000000000000000000000":0:1
AES-192-ECB crypt Decrypt NIST KAT #2 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"ffe000000000000000000000000000000000000000000000":"":"7ababc4b3f516c9aafb35f4140b548f9":"00000000000000000000000000000000":0:1
AES-192-ECB crypt Decrypt NIST KAT #3 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"e9f065d7c13573587f7875357dfbb16c53489f6a4bd0f7cd":"":"0956259c9cd5cfd0181cca53380cde06":"00000000000000000000000000000000":0:1
AES-192-ECB crypt Decrypt NIST KAT #4 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_192_ECB:MBEDTLS_DECRYPT:"000000000000000000000000000000000000000000000000":"":"275cfc0413d8ccb70513c3859b1d0f72":"1b077a6af4b7f98229de786d7516b639":0:1
AES-256-ECB crypt Encrypt NIST KAT #1 PSA
@@ -2191,19 +2191,19 @@ depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_ENCRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"014730f80ac625fe84f026c60bfd547d":"5c9d844ed46f9885085e5d6a4f94c7d7":0:1
AES-256-ECB crypt Decrypt NIST KAT #1 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"ddc6bf790c15760d8d9aeb6f9a75fd4e":"80000000000000000000000000000000":0:1
AES-256-ECB crypt Decrypt NIST KAT #2 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"ffe0000000000000000000000000000000000000000000000000000000000000":"":"d1ccb9b1337002cbac42c520b5d67722":"00000000000000000000000000000000":0:1
AES-256-ECB crypt Decrypt NIST KAT #3 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"c47b0294dbbbee0fec4757f22ffeee3587ca4730c3d33b691df38bab076bc558":"":"46f2fb342d6f0ab477476fc501242c5f":"00000000000000000000000000000000":0:1
AES-256-ECB crypt Decrypt NIST KAT #4 PSA
-depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_DEPRECATED:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_ECB_NO_PADDING:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"5c9d844ed46f9885085e5d6a4f94c7d7":"014730f80ac625fe84f026c60bfd547d":0:1
AES-128-CCM*-NO-TAG crypt Encrypt NIST VPT AES-128 #15
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index e697012..8e49d2d 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -173,8 +173,8 @@ void cipher_invalid_param_unconditional()
unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
int valid_size = sizeof(valid_buffer);
int valid_bitlen = valid_size * 8;
- const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type(
- *(mbedtls_cipher_list()));
+ const int *cipher_list = mbedtls_cipher_list();
+ const mbedtls_cipher_info_t *valid_info;
size_t size_t_var;
(void) valid_mode; /* In some configurations this is unused */
@@ -182,6 +182,10 @@ void cipher_invalid_param_unconditional()
mbedtls_cipher_init(&valid_ctx);
mbedtls_cipher_init(&invalid_ctx);
+ /* Ensure that there is at least 1 supported cipher, otherwise exit gracefully */
+ TEST_ASSUME(*cipher_list != 0);
+ valid_info = mbedtls_cipher_info_from_type(*cipher_list);
+
TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, valid_info) == 0);
/* mbedtls_cipher_setup() */
@@ -545,6 +549,10 @@ void enc_fail(int cipher_id, int pad_mode, int key_len, int length_val,
/* encode length number of bytes from inbuf */
TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, inbuf, length, encbuf, &outlen));
TEST_ASSERT(ret == mbedtls_cipher_finish(&ctx, encbuf + outlen, &outlen));
+ if (0 != ret) {
+ /* Check output parameter is set to the least-harmful value on error */
+ TEST_ASSERT(0 == outlen);
+ }
/* done */
exit:
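Review bot: The added `TEST_ASSERT(0 == outlen)` in enc_fail can pass without `mbedtls_cipher_finish()` ever writing its output length. `outlen` is the same variable the preceding `mbedtls_cipher_update()` call just filled, and that call may already have left it at 0 (likely whenever the input is shorter than one block). Giving finish its own length variable, preset to a non-zero sentinel, makes the check meaningful: `size_t finish_len = SIZE_MAX;` passed as `&finish_len`, then `TEST_ASSERT(0 == finish_len);`. The identical check added to decrypt_test_vec in the next hunk has the same weakness; there `total_len += outlen` would add the new variable instead. Both function bodies start and end outside their hunks.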
@@ -822,6 +830,10 @@ void decrypt_test_vec(int cipher_id, int pad_mode, data_t *key,
total_len += outlen;
TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen,
&outlen));
+ if (0 != finish_result) {
+ /* Check output parameter is set to the least-harmful value on error */
+ TEST_ASSERT(0 == outlen);
+ }
total_len += outlen;
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM ||
@@ -1218,6 +1230,8 @@ void check_set_padding(int cipher_id)
const mbedtls_cipher_info_t *cipher_info;
size_t keylen = 0;
+ mbedtls_cipher_init(&ctx);
+
cipher_info = mbedtls_cipher_info_from_type(cipher_id);
if (cipher_info->mode != MBEDTLS_MODE_CBC) {
@@ -1228,8 +1242,6 @@ void check_set_padding(int cipher_id)
TEST_CALLOC(key, keylen/8);
memset(key, 0, keylen/8);
- mbedtls_cipher_init(&ctx);
-
TEST_EQUAL(0, mbedtls_cipher_setup(&ctx, cipher_info));
TEST_EQUAL(0, mbedtls_cipher_setkey(&ctx, key, keylen,
diff --git a/tests/suites/test_suite_cmac.data b/tests/suites/test_suite_cmac.data
index 03c799f..14eb797 100644
--- a/tests/suites/test_suite_cmac.data
+++ b/tests/suites/test_suite_cmac.data
@@ -53,43 +53,43 @@ CMAC init #8 ARIA-256: wrong cipher
depends_on:MBEDTLS_ARIA_C
mbedtls_cmac_setkey:MBEDTLS_CIPHER_ARIA_256_ECB:256:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
-CMAC Single Blocks #1 - Empty block, no updates
+CMAC Single Blocks #1 AES-128 - Empty block, no updates
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":-1:"":-1:"":-1:"":-1:"bb1d6929e95937287fa37d129b756746"
-CMAC Single Blocks #2 - Single 16 byte block
+CMAC Single Blocks #2 AES-128 - Single 16 byte block
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172a":16:"":-1:"":-1:"":-1:"070a16b46b4d4144f79bdd9dd04a287c"
-CMAC Single Blocks #3 - Single 64 byte block
+CMAC Single Blocks #3 AES-128 - Single 64 byte block
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":64:"":-1:"":-1:"":-1:"51f0bebf7e3b9d92fc49741779363cfe"
-CMAC Multiple Blocks #1 - Multiple 8 byte blocks
+CMAC Multiple Blocks #1 AES-128 - Multiple 8 byte blocks
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96":8:"e93d7e117393172a":8:"":-1:"":-1:"070a16b46b4d4144f79bdd9dd04a287c"
-CMAC Multiple Blocks #2 - Multiple 16 byte blocks
+CMAC Multiple Blocks #2 AES-128 - Multiple 16 byte blocks
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172a":16:"ae2d8a571e03ac9c9eb76fac45af8e51":16:"30c81c46a35ce411e5fbc1191a0a52ef":16:"f69f2445df4f9b17ad2b417be66c3710":16:"51f0bebf7e3b9d92fc49741779363cfe"
-CMAC Multiple Blocks #3 - Multiple variable sized blocks
+CMAC Multiple Blocks #3 AES-128 - Multiple variable sized blocks
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96":8:"e93d7e117393172aae2d8a571e03ac9c":16:"9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52ef":24:"f69f2445df4f9b17ad2b417be66c3710":16:"51f0bebf7e3b9d92fc49741779363cfe"
-CMAC Multiple Blocks #4 - Multiple 8 byte blocks with gaps
+CMAC Multiple Blocks #4 AES-128 - Multiple 8 byte blocks with gaps
depends_on:MBEDTLS_AES_C
mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":0:"6bc1bee22e409f96":8:"":0:"e93d7e117393172a":8:"070a16b46b4d4144f79bdd9dd04a287c"
-CMAC Multiple Operations, same key #1 - Empty, empty
+CMAC Multiple Operations, same key #1 AES-192 - Empty, empty
depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367":"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367"
-CMAC Multiple Operations, same key #2 - Empty, 64 byte block
+CMAC Multiple Operations, same key #2 AES-192 - Empty, 64 byte block
depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":64:"":-1:"":-1:"a1d5df0eed790f794d77589659f39a11"
-CMAC Multiple Operations, same key #3 - variable byte blocks
+CMAC Multiple Operations, same key #3 AES-192 - variable byte blocks
depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51":32:"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":32:"":-1:"a1d5df0eed790f794d77589659f39a11":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51":32:"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":32:"":-1:"a1d5df0eed790f794d77589659f39a11"
diff --git a/tests/suites/test_suite_config.crypto_combinations.data b/tests/suites/test_suite_config.crypto_combinations.data
new file mode 100644
index 0000000..d3287d2
--- /dev/null
+++ b/tests/suites/test_suite_config.crypto_combinations.data
@@ -0,0 +1,9 @@
+# Interesting combinations of low-level crypto options
+
+Config: ECC: Weierstrass curves only
+depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:!MBEDTLS_ECP_MONTGOMERY_ENABLED
+pass:
+
+Config: ECC: Montgomery curves only
+depends_on:!MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:MBEDTLS_ECP_MONTGOMERY_ENABLED
+pass:
diff --git a/tests/suites/test_suite_config.function b/tests/suites/test_suite_config.function
new file mode 100644
index 0000000..9e9dd01
--- /dev/null
+++ b/tests/suites/test_suite_config.function
@@ -0,0 +1,14 @@
+/* BEGIN_HEADER */
+
+/* END_HEADER */
+
+/* BEGIN_CASE */
+/* This test case always passes. It is intended solely for configuration
+ * reporting in the outcome file. Write test cases using this function
+ * with dependencies to record in which configurations the dependencies
+ * are met. */
+void pass()
+{
+ goto exit;
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_config.psa_combinations.data b/tests/suites/test_suite_config.psa_combinations.data
new file mode 100644
index 0000000..1035af2
--- /dev/null
+++ b/tests/suites/test_suite_config.psa_combinations.data
@@ -0,0 +1,9 @@
+# Interesting combinations of PSA options
+
+Config: PSA_WANT_ALG_ECDSA without PSA_WANT_ALG_DETERMINISTIC_ECDSA
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA
+pass:
+
+Config: PSA_WANT_ALG_DETERMINSTIC_ECDSA without PSA_WANT_ALG_ECDSA
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA
+pass:
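Review bot: The description of the second case spells the option `PSA_WANT_ALG_DETERMINSTIC_ECDSA` (an "I" is missing), while its `depends_on` line uses `PSA_WANT_ALG_DETERMINISTIC_ECDSA`. These cases exist only so that their descriptions show up in the outcome file, so a search of that file for the option name will miss this entry. The line should read `Config: PSA_WANT_ALG_DETERMINISTIC_ECDSA without PSA_WANT_ALG_ECDSA`.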
diff --git a/tests/suites/test_suite_config.tls_combinations.data b/tests/suites/test_suite_config.tls_combinations.data
new file mode 100644
index 0000000..cbc57d6
--- /dev/null
+++ b/tests/suites/test_suite_config.tls_combinations.data
@@ -0,0 +1,9 @@
+# Interesting combinations of TLS options
+
+Config: TLS 1.2 without TLS 1.3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:!MBEDTLS_SSL_PROTO_TLS1_3
+pass:
+
+Config: TLS 1.3 without TLS 1.2
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2
+pass:
diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function
index 3127365..ba84397 100644
--- a/tests/suites/test_suite_constant_time.function
+++ b/tests/suites/test_suite_constant_time.function
@@ -171,7 +171,7 @@ void mbedtls_ct_if(char *c_str, char *t_str, char *f_str)
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:!MBEDTLS_RSA_ALT */
+/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
void mbedtls_ct_zeroize_if(char *c_str, int len)
{
uint8_t *buf = NULL;
@@ -431,7 +431,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:!MBEDTLS_RSA_ALT */
+/* BEGIN_CASE depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
void mbedtls_ct_memmove_left(int len, int offset)
{
size_t l = (size_t) len;
diff --git a/tests/suites/test_suite_constant_time_hmac.data b/tests/suites/test_suite_constant_time_hmac.data
index 6a118b8..4adddfc 100644
--- a/tests/suites/test_suite_constant_time_hmac.data
+++ b/tests/suites/test_suite_constant_time_hmac.data
@@ -11,5 +11,5 @@ depends_on:MBEDTLS_MD_CAN_SHA256
ssl_cf_hmac:MBEDTLS_MD_SHA256
Constant-flow HMAC: SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
ssl_cf_hmac:MBEDTLS_MD_SHA384
diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function
index 435e4b9..0e870d8 100644
--- a/tests/suites/test_suite_constant_time_hmac.function
+++ b/tests/suites/test_suite_constant_time_hmac.function
@@ -3,7 +3,8 @@
#include <mbedtls/constant_time.h>
#include <mbedtls/md.h>
#include <constant_time_internal.h>
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
+#include <ssl_misc.h>
#include <test/constant_flow.h>
/* END_HEADER */
diff --git a/tests/suites/test_suite_ctr_drbg.data b/tests/suites/test_suite_ctr_drbg.data
index a72d8af..10e9bd0 100644
--- a/tests/suites/test_suite_ctr_drbg.data
+++ b/tests/suites/test_suite_ctr_drbg.data
@@ -1088,7 +1088,7 @@ depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
ctr_drbg_entropy_strength:256
CTR_DRBG write/update seed file [#1]
-ctr_drbg_seed_file:"data_files/ctr_drbg_seed":0
+ctr_drbg_seed_file:"../framework/data_files/ctr_drbg_seed":0
CTR_DRBG write/update seed file [#2]
ctr_drbg_seed_file:"no_such_dir/file":MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
@@ -1096,5 +1096,57 @@ ctr_drbg_seed_file:"no_such_dir/file":MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
CTR_DRBG Special Behaviours
ctr_drbg_special_behaviours:
+CTR_DRBG Threads: no reseed
+ctr_drbg_threads:"1fafa98bc83d95e10f2d5ed339a553e1":0:5
+
+CTR_DRBG Threads: reseed
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+ctr_drbg_threads:"B10A961F2EA39927B4C48AEDDD299026":1:5
+
CTR_DRBG self test
ctr_drbg_selftest:
+
+Increment counter rollover
+ctr_increment_rollover
+
+Increment counter 00
+ctr_increment:"00"
+
+Increment counter ff00
+ctr_increment:"ff00"
+
+Increment counter ff0000
+ctr_increment:"ff0000"
+
+Increment counter ff000000
+ctr_increment:"ff000000"
+
+Increment counter ff00000000
+ctr_increment:"ff00000000"
+
+Increment counter ff0000000000
+ctr_increment:"ff0000000000"
+
+Increment counter ff000000000000
+ctr_increment:"ff000000000000"
+
+Increment counter 01
+ctr_increment:"01"
+
+Increment counter ff01
+ctr_increment:"ff01"
+
+Increment counter ff0001
+ctr_increment:"ff0001"
+
+Increment counter ff000001
+ctr_increment:"ff000001"
+
+Increment counter ff00000001
+ctr_increment:"ff00000001"
+
+Increment counter ff0000000001
+ctr_increment:"ff0000000001"
+
+Increment counter ff000000000001
+ctr_increment:"ff000000000001"
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index 7d81608..720eb3e 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@@ -2,6 +2,11 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "string.h"
+#include "ctr.h"
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include "mbedtls/threading.h"
+#endif
/* Modes for ctr_drbg_validate */
enum reseed_mode {
@@ -31,15 +36,13 @@ static void ctr_drbg_validate_internal(int reseed_mode, data_t *nonce,
data_t *result)
{
mbedtls_ctr_drbg_context ctx;
+ mbedtls_ctr_drbg_init(&ctx);
unsigned char buf[64];
size_t entropy_chunk_len = (size_t) entropy_len_arg;
-
TEST_ASSERT(entropy_chunk_len <= sizeof(buf));
test_offset_idx = 0;
- mbedtls_ctr_drbg_init(&ctx);
-
test_max_idx = entropy->len;
/* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
@@ -92,6 +95,19 @@ exit:
mbedtls_ctr_drbg_free(&ctx);
}
+static const int thread_random_reps = 10;
+void *thread_random_function(void *ctx)
+{
+ unsigned char out[16];
+ memset(out, 0, sizeof(out));
+
+ for (int i = 0; i < thread_random_reps; i++) {
+ TEST_EQUAL(mbedtls_ctr_drbg_random((mbedtls_ctr_drbg_context *) ctx, out, sizeof(out)), 0);
+ }
+
+exit:
+ return NULL;
+}
/* END_HEADER */
/* BEGIN_DEPENDENCIES
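Review bot: `thread_random_function` is defined with external linkage and outside any `MBEDTLS_THREADING_PTHREAD` guard, although its only visible caller, ctr_drbg_threads, is compiled only when that option is set. Making it `static` and wrapping it, together with `thread_random_reps`, in `#if defined(MBEDTLS_THREADING_PTHREAD)` … `#endif` would avoid a missing-prototype or unused-function warning in other configurations, assuming the suite is built with those warnings enabled. A short comment would also help the reader: `/* Thread body: draw thread_random_reps outputs from the shared, already seeded DRBG context passed in ctx. */`.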
@@ -139,10 +155,12 @@ void ctr_drbg_validate_no_reseed(data_t *add_init, data_t *entropy,
data_t *result_string)
{
data_t empty = { 0, 0 };
+ AES_PSA_INIT();
ctr_drbg_validate_internal(RESEED_NEVER, add_init,
entropy->len, entropy,
&empty, add1, add2,
result_string);
+ AES_PSA_DONE();
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
@@ -153,10 +171,12 @@ void ctr_drbg_validate_pr(data_t *add_init, data_t *entropy,
data_t *result_string)
{
data_t empty = { 0, 0 };
+ AES_PSA_INIT();
ctr_drbg_validate_internal(RESEED_ALWAYS, add_init,
entropy->len / 3, entropy,
&empty, add1, add2,
result_string);
+ AES_PSA_DONE();
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
@@ -166,10 +186,12 @@ void ctr_drbg_validate_reseed_between(data_t *add_init, data_t *entropy,
data_t *add1, data_t *add_reseed,
data_t *add2, data_t *result_string)
{
+ AES_PSA_INIT();
ctr_drbg_validate_internal(RESEED_SECOND, add_init,
entropy->len / 2, entropy,
add_reseed, add1, add2,
result_string);
+ AES_PSA_DONE();
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
@@ -179,10 +201,12 @@ void ctr_drbg_validate_reseed_first(data_t *add_init, data_t *entropy,
data_t *add1, data_t *add_reseed,
data_t *add2, data_t *result_string)
{
+ AES_PSA_INIT();
ctr_drbg_validate_internal(RESEED_FIRST, add_init,
entropy->len / 2, entropy,
add_reseed, add1, add2,
result_string);
+ AES_PSA_DONE();
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
@@ -198,6 +222,8 @@ void ctr_drbg_entropy_strength(int expected_bit_strength)
size_t byte_strength = expected_bit_strength / 8;
mbedtls_ctr_drbg_init(&ctx);
+
+ AES_PSA_INIT();
test_offset_idx = 0;
test_max_idx = sizeof(entropy);
memset(entropy, 0, sizeof(entropy));
@@ -216,6 +242,7 @@ void ctr_drbg_entropy_strength(int expected_bit_strength)
exit:
mbedtls_ctr_drbg_free(&ctx);
+ AES_PSA_DONE();
}
/* END_CASE */
@@ -230,6 +257,9 @@ void ctr_drbg_entropy_usage(int entropy_nonce_len)
size_t expected_idx = 0;
mbedtls_ctr_drbg_init(&ctx);
+
+ AES_PSA_INIT();
+
test_offset_idx = 0;
test_max_idx = sizeof(entropy);
memset(entropy, 0, sizeof(entropy));
@@ -309,6 +339,85 @@ void ctr_drbg_entropy_usage(int entropy_nonce_len)
exit:
mbedtls_ctr_drbg_free(&ctx);
+ AES_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count)
+{
+ size_t thread_count = (size_t) arg_thread_count;
+ mbedtls_test_thread_t *threads = NULL;
+
+ unsigned char out[16];
+ unsigned char *entropy = NULL;
+
+ const size_t n_random_calls = thread_count * thread_random_reps + 1;
+
+ /* This is a known-answer test, and although tests use a mock entropy
+ * function the input entropy length will still affect the output.
+ * We therefore need to pick a fixed entropy length, rather than using the
+ * default entropy length (MBEDTLS_CTR_DRBG_ENTROPY_LEN). We've chosen to
+ * use the default value of MBEDTLS_CTR_DRBG_ENTROPY_LEN for SHA-512,
+ * as this was the value used when the expected answers were calculated. */
+ const size_t entropy_len = 48;
+
+ AES_PSA_INIT();
+
+ TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
+ memset(out, 0, sizeof(out));
+
+ mbedtls_ctr_drbg_context ctx;
+ mbedtls_ctr_drbg_init(&ctx);
+
+ test_offset_idx = 0;
+
+ /* Need to set a non-default fixed entropy len, to ensure same output across
+ * all configs - see above for details. */
+ mbedtls_ctr_drbg_set_entropy_len(&ctx, entropy_len);
+
+ if (reseed == 0) {
+ mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_OFF);
+ mbedtls_ctr_drbg_set_reseed_interval(&ctx, n_random_calls + 1);
+
+ TEST_CALLOC(entropy, entropy_len + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN);
+ test_max_idx = entropy_len + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
+ } else {
+ const size_t entropy_size = ((n_random_calls + 1) * entropy_len)
+ + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
+
+ mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
+
+ TEST_CALLOC(entropy, entropy_size);
+ test_max_idx = entropy_size;
+ }
+
+ TEST_EQUAL(
+ mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0),
+ 0);
+
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i],
+ thread_random_function, (void *) &ctx),
+ 0);
+ }
+
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+
+ /* Take a last output for comparing and thus verifying the DRBG state */
+ TEST_EQUAL(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)), 0);
+
+ TEST_MEMORY_COMPARE(out, sizeof(out), expected_result->x, expected_result->len);
+
+exit:
+ mbedtls_ctr_drbg_free(&ctx);
+ mbedtls_free(entropy);
+ mbedtls_free(threads);
+
+ AES_PSA_DONE();
}
/* END_CASE */
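Review bot: In ctr_drbg_threads, `AES_PSA_INIT()` and `TEST_CALLOC(threads, ...)` both run before `mbedtls_ctr_drbg_init(&ctx)`. If either jumps to `exit` on failure (as the test macros appear to do), `mbedtls_ctr_drbg_free(&ctx)` is called on an uninitialised context. Moving `mbedtls_ctr_drbg_context ctx;` and `mbedtls_ctr_drbg_init(&ctx);` to the top of the function, ahead of `AES_PSA_INIT();`, matches the ordering this commit applies in ctr_drbg_entropy_strength and check_set_padding. Separately, a failed `mbedtls_test_thread_create` also reaches `exit` and frees `ctx` while threads started earlier may still be drawing from it; joining those threads before cleanup would close that gap.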
@@ -319,6 +428,8 @@ void ctr_drbg_seed_file(char *path, int ret)
mbedtls_ctr_drbg_init(&ctx);
+ AES_PSA_INIT();
+
TEST_ASSERT(mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_rnd_std_rand,
NULL, NULL, 0) == 0);
TEST_ASSERT(mbedtls_ctr_drbg_write_seed_file(&ctx, path) == ret);
@@ -326,12 +437,87 @@ void ctr_drbg_seed_file(char *path, int ret)
exit:
mbedtls_ctr_drbg_free(&ctx);
+ AES_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void ctr_drbg_selftest()
{
+ AES_PSA_INIT();
TEST_ASSERT(mbedtls_ctr_drbg_self_test(1) == 0);
+ AES_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ctr_increment_rollover()
+{
+ uint8_t c[16];
+ uint8_t r[16];
+
+ // test all increments from 2^n - 1 to 2^n (i.e. where we roll over into the next bit)
+ for (int n = 0; n <= 128; n++) {
+ memset(c, 0, 16);
+ memset(r, 0, 16);
+
+ // set least significant (highest address) n bits to 1, i.e. generate (2^n - 1)
+ for (int i = 0; i < n; i++) {
+ int bit = i % 8;
+ int byte = (i / 8);
+ c[15 - byte] |= 1 << bit;
+ }
+ // increment to get 2^n
+ mbedtls_ctr_increment_counter(c);
+
+ // now generate a reference result equal to 2^n - i.e. set only bit (n + 1)
+ // if n == 127, this will not set any bits (i.e. wraps to 0).
+ int bit = n % 8;
+ int byte = n / 8;
+ if (byte < 16) {
+ r[15 - byte] = 1 << bit;
+ }
+
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
+ }
+
+ uint64_t lsb = 10, msb = 20;
+ MBEDTLS_PUT_UINT64_BE(msb, c, 0);
+ MBEDTLS_PUT_UINT64_BE(lsb, c, 8);
+ memcpy(r, c, 16);
+ mbedtls_ctr_increment_counter(c);
+ for (int i = 15; i >= 0; i--) {
+ r[i] += 1;
+ if (r[i] != 0) {
+ break;
+ }
+ }
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ctr_increment(data_t *x)
+{
+ uint8_t c[16];
+ uint8_t r[16];
+
+ // initialise c and r from test argument
+ memset(c, 0, 16);
+ memcpy(c, x->x, x->len);
+ memcpy(r, c, 16);
+
+ // increment c
+ mbedtls_ctr_increment_counter(c);
+ // increment reference
+ for (int i = 15; i >= 0; i--) {
+ r[i] += 1;
+ if (r[i] != 0) {
+ break;
+ }
+ }
+
+ // test that mbedtls_ctr_increment_counter behaviour matches reference
+ TEST_MEMORY_COMPARE(c, 16, r, 16);
}
/* END_CASE */
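Review bot: ctr_increment copies `x->len` bytes into the 16-byte array `c` with `memcpy(c, x->x, x->len)` and no bound, so a test vector longer than 16 bytes would overflow the stack buffer. Adding `TEST_LE_U(x->len, sizeof(c));` before the copy turns that into a clean test failure. The copy is also left-aligned, so for every vector added to the data file the low-order bytes of `c` stay zero and the increment never carries; if carry propagation was the intent, the vectors need to be 16 bytes long or be copied to the end of `c`. In ctr_increment_rollover the comment `if n == 127, this will not set any bits` looks off by one, since the `byte < 16` guard only skips the write when n is 128.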
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
index 512a04a..8b17eb8 100644
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@@ -60,8 +60,8 @@ mbedtls_debug_print_mpi:"0000000000000000000000000000000000000000000000000000000
Debug print certificate #1 (RSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n"
+mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n"
Debug print certificate #2 (EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
+mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index b961040..5cd02b9 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -1,7 +1,8 @@
/* BEGIN_HEADER */
-#include "mbedtls/debug.h"
+#include "debug_internal.h"
#include "string.h"
#include "mbedtls/pk.h"
+#include <test/ssl_helpers.h>
struct buffer_data {
char buf[2000];
@@ -58,18 +59,18 @@ void debug_print_msg_threshold(int threshold, int level, char *file,
mbedtls_ssl_config conf;
struct buffer_data buffer;
- MD_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
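Review bot: The `mbedtls_ssl_setup` check on the context line right after the new calls still uses `TEST_ASSERT(... == 0)`, while the `mbedtls_ssl_config_defaults` call just above it was converted to `TEST_EQUAL(..., 0)`. Writing it as `TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);` would keep the two setup checks uniform and, presumably, put the returned error code in the failure report. The same pairing appears in the hunks for mbedtls_debug_print_ret, mbedtls_debug_print_buf, mbedtls_debug_print_crt and mbedtls_debug_print_mpi. The new `mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);` line would also benefit from a short comment saying why a debug-output test configures an RNG. The function body starts and ends outside this hunk.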
@@ -84,7 +85,7 @@ void debug_print_msg_threshold(int threshold, int level, char *file,
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
- MD_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -96,18 +97,18 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value,
mbedtls_ssl_config conf;
struct buffer_data buffer;
- MD_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -119,7 +120,7 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value,
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
- MD_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -131,18 +132,18 @@ void mbedtls_debug_print_buf(char *file, int line, char *text,
mbedtls_ssl_config conf;
struct buffer_data buffer;
- MD_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
+ MD_OR_USE_PSA_INIT();
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -154,7 +155,7 @@ void mbedtls_debug_print_buf(char *file, int line, char *text,
exit:
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
- MD_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -175,11 +176,12 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -206,19 +208,19 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line,
struct buffer_data buffer;
mbedtls_mpi val;
- MD_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_mpi_init(&val);
+ MD_OR_USE_PSA_INIT();
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -233,6 +235,6 @@ exit:
mbedtls_mpi_free(&val);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
- MD_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data
index 2ab5c43..4e6b23b 100644
--- a/tests/suites/test_suite_dhm.data
+++ b/tests/suites/test_suite_dhm.data
@@ -111,14 +111,14 @@ dhm_make_public:MBEDTLS_MPI_MAX_SIZE + 1:"5":MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED+
DH load parameters from PEM file (1024-bit, g=2)
depends_on:MBEDTLS_PEM_PARSE_C
-dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128
+dhm_file:"../framework/data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128
DH load parameters from PEM file (2048-bit, large g, privateValueLength)
depends_on:MBEDTLS_PEM_PARSE_C
-dhm_file:"data_files/dh.optlen.pem":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"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":256
+dhm_file:"../framework/data_files/dh.optlen.pem":"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":"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":256
DH load parameters from DER file (2048-bit, large g, privateValueLength)
-dhm_file:"data_files/dh.optlen.der":"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":"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":256
+dhm_file:"../framework/data_files/dh.optlen.der":"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":"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":256
Diffie-Hellman selftest
dhm_selftest:
diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function
index e6f75de..2090594 100644
--- a/tests/suites/test_suite_dhm.function
+++ b/tests/suites/test_suite_dhm.function
@@ -31,7 +31,7 @@ static int check_dhm_param_output(const mbedtls_mpi *expected,
int ok = 0;
mbedtls_mpi_init(&actual);
- ++mbedtls_test_info.step;
+ mbedtls_test_increment_step();
TEST_ASSERT(size >= *offset + 2);
n = (buffer[*offset] << 8) | buffer[*offset + 1];
diff --git a/tests/suites/test_suite_ecdh.data b/tests/suites/test_suite_ecdh.data
index cc58432..8d06067 100644
--- a/tests/suites/test_suite_ecdh.data
+++ b/tests/suites/test_suite_ecdh.data
@@ -100,3 +100,19 @@ ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"12345678123456781234567812
ECDH get_params with mismatched groups: their SECP256R1, our BP256R1
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_BP256R1_ENABLED
ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"1234567812345678123456781234567812345678123456781234567812345678":MBEDTLS_ECP_DP_SECP256R1:"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+Context get ECP Group #1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_context_grp:MBEDTLS_ECP_DP_SECP256R1
+
+Context get ECP Group #2
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_SECP384R1
+
+Context get ECP Group #3
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_SECP521R1
+
+Context get ECP Group #4
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_CURVE448
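Review bot: The cases titled "Context get ECP Group #2", "#3" and "#4" invoke `ecdh_primitive_random`, not `ecdh_context_grp`, so the new group-id getter test runs only for SECP256R1 in case #1. If the titles state the intent, the three data lines should read `ecdh_context_grp:MBEDTLS_ECP_DP_SECP384R1`, `ecdh_context_grp:MBEDTLS_ECP_DP_SECP521R1` and `ecdh_context_grp:MBEDTLS_ECP_DP_CURVE448`. As written, a getter that returned the wrong id for those groups would not be caught by this suite.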
diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function
index cc193da..300916f 100644
--- a/tests/suites/test_suite_ecdh.function
+++ b/tests/suites/test_suite_ecdh.function
@@ -464,3 +464,20 @@ exit:
mbedtls_ecp_keypair_free(&their_key);
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdh_context_grp(int id)
+{
+ mbedtls_ecdh_context srv;
+
+ mbedtls_ecdh_init(&srv);
+ TEST_ASSERT(mbedtls_ecdh_setup(&srv, id) == 0);
+
+ /* Test the retrieved group id matches/*/
+ TEST_ASSERT((int) mbedtls_ecdh_get_grp_id(&srv) == id);
+
+exit:
+ mbedtls_ecdh_free(&srv);
+
+}
+/* END_CASE */
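Review bot: The comment in `ecdh_context_grp` ends in `matches/*/`, which puts a `/*` sequence inside an open comment and is likely to trigger a comment warning under strict warning flags; it should read `/* Test the retrieved group id matches */`. The two checks would also report more on failure as `TEST_EQUAL(mbedtls_ecdh_setup(&srv, id), 0);` and `TEST_EQUAL((int) mbedtls_ecdh_get_grp_id(&srv), id);`, since `TEST_ASSERT` presumably records only that the expression was false. The blank line before the closing brace after `mbedtls_ecdh_free(&srv);` can be dropped.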
diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data
index c852c66..8b6410b 100644
--- a/tests/suites/test_suite_ecdsa.data
+++ b/tests/suites/test_suite_ecdsa.data
@@ -95,7 +95,7 @@ depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA1:"8151325DCDBAE9E0FF95F9F9658432DBEDFDB209":"98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF":"57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64"
ECDSA deterministic test vector rfc 6979 p192 sha224 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA224:"9003E374BC726550C2C289447FD0533160F875709386DFA377BFD41C":"A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5":"E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A"
ECDSA deterministic test vector rfc 6979 p192 sha256 [#1]
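Review bot: After this change the file mixes two dependency vocabularies: the SHA-224 and SHA-384 vectors depend on `PSA_WANT_ALG_SHA_224` / `PSA_WANT_ALG_SHA_384`, while the hunk headers show the neighbouring SHA-1 and SHA-256 vectors still on `MBEDTLS_MD_CAN_SHA1` / `MBEDTLS_MD_CAN_SHA256`. A dependency symbol that is undefined in a given configuration skips the vector silently, so it is worth confirming that each PSA symbol is set in every build where the legacy one was. If the split is a staged migration, a `#` comment at the top of the deterministic-vector block saying so would help the next reader. The same applies to the remaining hunks of this file.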
@@ -103,7 +103,7 @@ depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA256:"AF2BDBE1AA9B6EC1E2ADE1D694F41FC71A831D0268E9891562113D8A62ADD1BF":"4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55":"CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85"
ECDSA deterministic test vector rfc 6979 p192 sha384 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA384:"9A9083505BC92276AEC4BE312696EF7BF3BF603F4BBD381196A029F340585312313BCA4A9B5B890EFEE42C77B1EE25FE":"DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5":"C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E"
ECDSA deterministic test vector rfc 6979 p192 sha512 [#1]
@@ -115,7 +115,7 @@ depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA1:"A94A8FE5CCB19BA61C4C0873D391E987982FBBD3":"0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D":"EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7"
ECDSA deterministic test vector rfc 6979 p192 sha224 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA224:"90A3ED9E32B2AAF4C61C410EB925426119E1A9DC53D4286ADE99A809":"6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34":"B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293"
ECDSA deterministic test vector rfc 6979 p192 sha256 [#2]
@@ -123,7 +123,7 @@ depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA256:"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08":"3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE":"5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F"
ECDSA deterministic test vector rfc 6979 p192 sha384 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA384:"768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9":"B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367":"7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A"
ECDSA deterministic test vector rfc 6979 p192 sha512 [#2]
@@ -135,7 +135,7 @@ depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA1:"8151325DCDBAE9E0FF95F9F9658432DBEDFDB209":"22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC":"66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69"
ECDSA deterministic test vector rfc 6979 p224 sha224 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA224:"9003E374BC726550C2C289447FD0533160F875709386DFA377BFD41C":"1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E":"A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC"
ECDSA deterministic test vector rfc 6979 p224 sha256 [#1]
@@ -143,7 +143,7 @@ depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA256:"AF2BDBE1AA9B6EC1E2ADE1D694F41FC71A831D0268E9891562113D8A62ADD1BF":"61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA":"BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101"
ECDSA deterministic test vector rfc 6979 p224 sha384 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA384:"9A9083505BC92276AEC4BE312696EF7BF3BF603F4BBD381196A029F340585312313BCA4A9B5B890EFEE42C77B1EE25FE":"0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953":"830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D"
ECDSA deterministic test vector rfc 6979 p224 sha512 [#1]
@@ -155,7 +155,7 @@ depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA1:"A94A8FE5CCB19BA61C4C0873D391E987982FBBD3":"DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C":"95987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2"
ECDSA deterministic test vector rfc 6979 p224 sha224 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA224:"90A3ED9E32B2AAF4C61C410EB925426119E1A9DC53D4286ADE99A809":"C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019":"902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4"
ECDSA deterministic test vector rfc 6979 p224 sha256 [#2]
@@ -163,7 +163,7 @@ depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA256:"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08":"AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6":"178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD"
ECDSA deterministic test vector rfc 6979 p224 sha384 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA384:"768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9":"389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4":"414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB"
ECDSA deterministic test vector rfc 6979 p224 sha512 [#2]
@@ -175,7 +175,7 @@ depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA1:"8151325DCDBAE9E0FF95F9F9658432DBEDFDB209":"61340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D32":"6D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB"
ECDSA deterministic test vector rfc 6979 p256 sha224 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA224:"9003E374BC726550C2C289447FD0533160F875709386DFA377BFD41C":"53B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F":"B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C"
ECDSA deterministic test vector rfc 6979 p256 sha256 [#1]
@@ -183,7 +183,7 @@ depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"AF2BDBE1AA9B6EC1E2ADE1D694F41FC71A831D0268E9891562113D8A62ADD1BF":"EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716":"F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8"
ECDSA deterministic test vector rfc 6979 p256 sha384 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA384:"9A9083505BC92276AEC4BE312696EF7BF3BF603F4BBD381196A029F340585312313BCA4A9B5B890EFEE42C77B1EE25FE":"0EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF7719":"4861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954"
ECDSA deterministic test vector rfc 6979 p256 sha512 [#1]
@@ -195,7 +195,7 @@ depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA1:"A94A8FE5CCB19BA61C4C0873D391E987982FBBD3":"0CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89":"01B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1"
ECDSA deterministic test vector rfc 6979 p256 sha224 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA224:"90A3ED9E32B2AAF4C61C410EB925426119E1A9DC53D4286ADE99A809":"C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692":"C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D"
ECDSA deterministic test vector rfc 6979 p256 sha256 [#2]
@@ -203,7 +203,7 @@ depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08":"F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D38367":"019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083"
ECDSA deterministic test vector rfc 6979 p256 sha384 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA384:"768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9":"83910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB6":"8DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C"
ECDSA deterministic test vector rfc 6979 p256 sha512 [#2]
@@ -215,7 +215,7 @@ depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA1:"8151325DCDBAE9E0FF95F9F9658432DBEDFDB209":"EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2":"A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443"
ECDSA deterministic test vector rfc 6979 p384 sha224 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA224:"9003E374BC726550C2C289447FD0533160F875709386DFA377BFD41C":"42356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE060122":"9DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D"
ECDSA deterministic test vector rfc 6979 p384 sha256 [#1]
@@ -223,7 +223,7 @@ depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA256:"AF2BDBE1AA9B6EC1E2ADE1D694F41FC71A831D0268E9891562113D8A62ADD1BF":"21B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD":"F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0"
ECDSA deterministic test vector rfc 6979 p384 sha384 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA384:"9A9083505BC92276AEC4BE312696EF7BF3BF603F4BBD381196A029F340585312313BCA4A9B5B890EFEE42C77B1EE25FE":"94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE46":"99EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8"
ECDSA deterministic test vector rfc 6979 p384 sha512 [#1]
@@ -235,7 +235,7 @@ depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA1:"A94A8FE5CCB19BA61C4C0873D391E987982FBBD3":"4BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7":"D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282"
ECDSA deterministic test vector rfc 6979 p384 sha224 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA224:"90A3ED9E32B2AAF4C61C410EB925426119E1A9DC53D4286ADE99A809":"E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72":"07041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66"
ECDSA deterministic test vector rfc 6979 p384 sha256 [#2]
@@ -243,7 +243,7 @@ depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA256:"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08":"6D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B":"2D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265"
ECDSA deterministic test vector rfc 6979 p384 sha384 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA384:"768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9":"8203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB":"DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5"
ECDSA deterministic test vector rfc 6979 p384 sha512 [#2]
@@ -255,7 +255,7 @@ depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA1:"8151325DCDBAE9E0FF95F9F9658432DBEDFDB209":"0343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D":"0E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16"
ECDSA deterministic test vector rfc 6979 p521 sha224 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA224:"9003E374BC726550C2C289447FD0533160F875709386DFA377BFD41C":"1776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E":"050CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F"
ECDSA deterministic test vector rfc 6979 p521 sha256 [#1]
@@ -263,7 +263,7 @@ depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA256:"AF2BDBE1AA9B6EC1E2ADE1D694F41FC71A831D0268E9891562113D8A62ADD1BF":"1511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A7":"04A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC"
ECDSA deterministic test vector rfc 6979 p521 sha384 [#1]
-depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA384:"9A9083505BC92276AEC4BE312696EF7BF3BF603F4BBD381196A029F340585312313BCA4A9B5B890EFEE42C77B1EE25FE":"1EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451":"1F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61"
ECDSA deterministic test vector rfc 6979 p521 sha512 [#1]
@@ -275,7 +275,7 @@ depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA1
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA1:"A94A8FE5CCB19BA61C4C0873D391E987982FBBD3":"13BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367":"1E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF"
ECDSA deterministic test vector rfc 6979 p521 sha224 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:PSA_WANT_ALG_SHA_224
ecdsa_det_test_vectors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
ECDSA deterministic test vector rfc 6979 p521 sha256 [#2]
@@ -283,7 +283,7 @@ depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA256
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA256:"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08":"00E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8":"0CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86"
ECDSA deterministic test vector rfc 6979 p521 sha384 [#2]
-depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:PSA_WANT_ALG_SHA_384
ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA384:"768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9":"14BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C":"133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979"
ECDSA deterministic test vector rfc 6979 p521 sha512 [#2]
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 1002991..fd63657 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -529,6 +529,24 @@ ECP check public-private #7 (wrong Qy)
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
mbedtls_ecp_check_pub_priv:MBEDTLS_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":MBEDTLS_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+ECP calculate public: secp256r1, good
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:"0437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff"
+
+ECP calculate public: secp256r1, private value out of range
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_SECP256R1:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ERR_ECP_INVALID_KEY:""
+
+# Alice's private key from rfc 7748, masked and adjusted for endianness
+# because the test function wants the little-endian representation.
+ECP calculate public: Curve25519, good
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_CURVE25519:"6a2cb91da5fb77b12a99c0eb872f4cdf4566b25172c1163c7da518730a6d0770":0:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP calculate public: Curve25519, private value not masked
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_calc_public:MBEDTLS_ECP_DP_CURVE25519:"2a2cb91da5fb77b12a99c0eb872f4cdf4566b25172c1163c7da518730a6d0770":MBEDTLS_ERR_ECP_INVALID_KEY:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
ECP gen keypair [#1]
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
mbedtls_ecp_gen_keypair:MBEDTLS_ECP_DP_SECP192R1
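Review bot: The comment above "ECP calculate public: Curve25519, good" says the test function wants the little-endian representation, but `ecp_calc_public` (added to tests/suites/test_suite_ecp.function in this same commit) loads the private value with `mbedtls_mpi_read_binary()`, which parses a big-endian integer. The hex string appears to be the RFC 7748 byte string reversed, so the data itself looks right and only the wording is inverted. I would reword the second comment line to `# because the test function reads the private value as a big-endian integer.`.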
@@ -581,6 +599,48 @@ genkey_mx_known_answer:447:"ffffffffffffffffffffffffffffffffffffffffffffffffffff
ECP generate Montgomery key: Curve448, not enough entropy
genkey_mx_known_answer:447:"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536":""
+ECP set public key: invalid group (0)
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_NONE:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: valid group (secp256r1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_SECP256R1:0
+
+ECP set public key: group not supported (secp256r1)
+depends_on:!MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: bad group (not in enum)
+ecp_set_public_key_group_check:MBEDTLS_ECP_DP_MAX:MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
+ECP set public key: good, secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_good:MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key: good, Curve25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_set_public_key_good:MBEDTLS_ECP_DP_CURVE25519:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP set public key after private: good, secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key after private: good, Curve25519
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_CURVE25519:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":MBEDTLS_ECP_DP_CURVE25519:"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
+
+ECP set public key after private: secp256r1 then secp256k1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256K1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
+ECP set public key after private: secp256r1 then secp384r1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP256R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP384R1:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaae1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+
+ECP set public key after private: secp384r1 then secp256r1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_set_public_key_after_private:MBEDTLS_ECP_DP_SECP384R1:"70726976617465206b6579":MBEDTLS_ECP_DP_SECP256R1:"04e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e0e1ff20e1ffe120e1e1e173287170a761308491683e345cacaebb500c96e1a7bbd37772968b2c951f0579"
+
ECP read key #1 (short weierstrass, too small)
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
mbedtls_ecp_read_key:MBEDTLS_ECP_DP_SECP192R1:"00":MBEDTLS_ERR_ECP_INVALID_KEY:0
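Review bot: The "secp256r1 then secp256k1" and "secp256r1 then secp384r1" cases use public-key bytes that look constructed rather than real points on the second curve; the secp384r1 value is the secp256r1 bytes padded with `aa…` and `bb…`. They therefore presumably rely on `mbedtls_ecp_point_read_binary` accepting the bytes without a curve-membership check, which the data file does not say. A short comment would keep readers from taking these values as valid keys, or from assuming the set-public-key path validates points: `# The public values in the mismatch cases are not meant to be valid points on the target curve; they only exercise the group-id check.`.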
@@ -676,6 +736,261 @@ ECP read key #24 (Curve25519 RFC, OK)
depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
mbedtls_ecp_read_key:MBEDTLS_ECP_DP_CURVE25519:"70076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c6a":0:1
+ECP write key: secp256r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":32:0
+
+ECP write key: secp256r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":33:0
+
+ECP write key: secp256r1, output longer by 32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":64:0
+
+ECP write key: secp256r1, output longer by 33
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":65:0
+
+ECP write key: secp256r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":31:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp256r1, output_size=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":1:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp256r1, output_size=0
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp256r1, top byte = 0, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":32:0
+
+ECP write key: secp256r1, top byte = 0, output_size=31 (fits)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":31:0
+
+ECP write key: secp256r1, top byte = 0, output_size=30 (too small)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":30:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp256r1, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":32:0
+
+ECP write key: secp256r1, mostly-0 key, output_size=31 (fits)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":31:0
+
+ECP write key: secp256r1, mostly-0 key, output_size=1 (fits)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":1:0
+
+ECP write key: secp384r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0
+
+ECP write key: secp384r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":49:0
+
+ECP write key: secp384r1, output longer by 48
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":96:0
+
+ECP write key: secp384r1, output longer by 49
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":97:0
+
+ECP write key: secp384r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":47:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp384r1, output_size=1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":1:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: secp384r1, output_size=0
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+ECP write key: Curve25519, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0
+
+ECP write key: Curve25519, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":33:0
+
+ECP write key: Curve25519, output longer by 32
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":64:0
+
+ECP write key: Curve25519, output longer by 33
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":65:0
+
+ECP write key: Curve25519, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve25519, output_size=1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve25519, output_size=0
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve25519, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":32:0
+
+ECP write key: Curve25519, mostly-0 key, output_size=31
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve448, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0
+
+ECP write key: Curve448, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":57:0
+
+ECP write key: Curve448, output longer by 32
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":112:0
+
+ECP write key: Curve448, output longer by 33
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":113:0
+
+ECP write key: Curve448, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve448, output_size=1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve448, output_size=0
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key: Curve448, mostly-0 key, output_size=56
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":56:0
+
+ECP write key: Curve448, mostly-0 key, output_size=55
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":32:0
+
+ECP write key ext: secp256r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":33:0
+
+ECP write key ext: secp256r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, output_size=0
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, top byte = 0, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":32:0
+
+ECP write key ext: secp256r1, top byte = 0, output_size=31
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, top byte = 0, output_size=30
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":30:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":32:0
+
+ECP write key ext: secp256r1, mostly-0 key, output_size=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, private key not set
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ECP write key ext: secp384r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0
+
+ECP write key ext: secp384r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":49:0
+
+ECP write key ext: secp384r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":47:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0
+
+ECP write key ext: Curve25519, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":33:0
+
+ECP write key ext: Curve25519, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, output_size=0
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":32:0
+
+ECP write key ext: Curve25519, mostly-0 key, output_size=31
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, private key not set
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ECP write key ext: Curve448, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0
+
+ECP write key ext: Curve448, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":57:0
+
+ECP write key ext: Curve448, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve448, mostly-0 key, output_size=56
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":56:0
+
+ECP write key ext: Curve448, mostly-0 key, output_size=55
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: group not set
+ecp_write_key_ext:MBEDTLS_ECP_DP_NONE:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits)
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_NIST_OPTIM
ecp_fast_mod:MBEDTLS_ECP_DP_SECP192R1:"0100000000000103010000000000010201000000000001010100000000000100"
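Review bot: The titles "ECP write key: Curve448, output longer by 32" and "... output longer by 33" do not match their data: the output sizes are 112 and 113, which are 56 and 57 bytes more than the 56-byte nominal case. The secp384r1 block names its equivalents "longer by 48" and "longer by 49", so these look like titles copied from the Curve25519 block. I would rename them to `ECP write key: Curve448, output longer by 56` and `ECP write key: Curve448, output longer by 57`. Separately, the `ecp_write_key` rows expect `MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL` on the Weierstrass curves while every `ecp_write_key_ext` row expects `MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL`; if that difference is deliberate, a one-line `#` comment before the first `ecp_write_key` case would say so.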
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 5751624..9b5c86f 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -590,29 +590,41 @@ void ecp_write_binary(int id, char *x, char *y, char *z, int format,
{
mbedtls_ecp_group grp;
mbedtls_ecp_point P;
+ mbedtls_ecp_keypair key;
unsigned char buf[256];
size_t olen;
memset(buf, 0, sizeof(buf));
mbedtls_ecp_group_init(&grp); mbedtls_ecp_point_init(&P);
+ mbedtls_ecp_keypair_init(&key);
- TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, id), 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.X, x) == 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.Y, y) == 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&P.Z, z) == 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.X, x), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.Y, y), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&P.Z, z), 0);
- TEST_ASSERT(mbedtls_ecp_point_write_binary(&grp, &P, format,
- &olen, buf, blen) == ret);
+ TEST_EQUAL(mbedtls_ecp_point_write_binary(&grp, &P, format,
+ &olen, buf, blen), ret);
+ if (ret == 0) {
+ TEST_LE_U(olen, MBEDTLS_ECP_MAX_PT_LEN);
+ ASSERT_COMPARE(buf, olen,
+ out->x, out->len);
+ }
+ memset(buf, 0, blen);
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp.id, &key, &P), 0);
+ TEST_EQUAL(mbedtls_ecp_write_public_key(&key, format,
+ &olen, buf, blen), ret);
if (ret == 0) {
- TEST_ASSERT(olen <= MBEDTLS_ECP_MAX_PT_LEN);
- TEST_ASSERT(mbedtls_test_hexcmp(buf, out->x, olen, out->len) == 0);
+ ASSERT_COMPARE(buf, olen,
+ out->x, out->len);
}
exit:
mbedtls_ecp_group_free(&grp); mbedtls_ecp_point_free(&P);
+ mbedtls_ecp_keypair_free(&key);
}
/* END_CASE */
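Review bot: The added `memset(buf, 0, blen);` clears a test-supplied length rather than the size of the 256-byte `buf`, unlike the existing `memset(buf, 0, sizeof(buf));` a few lines above it. A data row with `blen` larger than 256 would make the test itself write past the array, so I would use `memset(buf, 0, sizeof(buf));` here as well. The second `if (ret == 0)` block, which checks `mbedtls_ecp_write_public_key`, also drops the `TEST_LE_U(olen, MBEDTLS_ECP_MAX_PT_LEN);` bound that the first block keeps. The hunk uses `ASSERT_COMPARE` while the other functions touched in this file use `TEST_MEMORY_COMPARE`. The function's signature starts outside the hunk, so the declared type of `blen` is not visible here.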
@@ -989,6 +1001,41 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_C */
+void ecp_calc_public(int grp_id, data_t *private_data,
+ int expected_ret, data_t *expected_public)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&key.grp, grp_id), 0);
+ TEST_EQUAL(mbedtls_mpi_read_binary(&key.d,
+ private_data->x, private_data->len), 0);
+
+ TEST_EQUAL(mbedtls_ecp_keypair_calc_public(&key,
+ &mbedtls_test_rnd_pseudo_rand, &rnd_info),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(mbedtls_ecp_check_pub_priv(&key, &key,
+ &mbedtls_test_rnd_pseudo_rand, &rnd_info),
+ 0);
+ unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+ size_t length;
+ TEST_EQUAL(mbedtls_ecp_point_write_binary(&key.grp, &key.Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &length, buf, sizeof(buf)),
+ 0);
+ ASSERT_COMPARE(expected_public->x, expected_public->len, buf, length);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_C */
void mbedtls_ecp_gen_keypair(int id)
{
mbedtls_ecp_group grp;
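Review bot: In `ecp_calc_public`, `expected_public` is only compared inside `if (expected_ret == 0)`, so for failing cases the argument is silently ignored. The "Curve25519, private value not masked" row in test_suite_ecp.data passes a full public key that is never checked, while the secp256r1 failure row passes `""`. I would document this on the function with `/* expected_public is only compared when expected_ret == 0. */` and make the Curve25519 failure row pass `""` as well. The failure path also asserts nothing about `key.Q`; if the API is meant to leave the public part unset when the private value is rejected, a check for that would be a useful addition.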
@@ -1030,6 +1077,7 @@ void mbedtls_ecp_gen_key(int id)
&mbedtls_test_rnd_pseudo_rand,
&rnd_info) == 0);
+ TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(&key), id);
TEST_ASSERT(mbedtls_ecp_check_pubkey(&key.grp, &key.Q) == 0);
TEST_ASSERT(mbedtls_ecp_check_privkey(&key.grp, &key.d) == 0);
@@ -1039,45 +1087,163 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
+void ecp_set_public_key_group_check(int grp_id, int expected_ret)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q),
+ expected_ret);
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_point_free(&Q);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_set_public_key_good(int grp_id, data_t *public_data)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, grp_id), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &Q,
+ public_data->x, public_data->len),
+ 0);
+
+ /* Freshly initialized key */
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q), 0);
+ TEST_EQUAL(key.grp.id, grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+
+ /* Key with a public key already set to a different value */
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.X, &key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.Y, &key.Q.Y, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_add_int(&key.Q.Z, &key.Q.Z, 1), 0);
+ TEST_EQUAL(mbedtls_ecp_set_public_key(grp_id, &key, &Q), 0);
+ TEST_EQUAL(key.grp.id, grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&Q);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_set_public_key_after_private(int private_grp_id, data_t *private_data,
+ int public_grp_id, data_t *public_data)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_point_init(&Q);
+ mbedtls_mpi d;
+ mbedtls_mpi_init(&d);
+
+ TEST_EQUAL(mbedtls_ecp_group_load(&grp, public_grp_id), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&grp, &Q,
+ public_data->x, public_data->len),
+ 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(private_grp_id, &key,
+ private_data->x, private_data->len),
+ 0);
+ TEST_EQUAL(mbedtls_mpi_copy(&d, &key.d), 0);
+
+ int ret = mbedtls_ecp_set_public_key(public_grp_id, &key, &Q);
+
+ if (private_grp_id == public_grp_id) {
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(key.grp.id, public_grp_id);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &Q), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_mpi(&d, &key.d), 0);
+ } else {
+ TEST_EQUAL(ret, MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&Q);
+ mbedtls_mpi_free(&d);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void mbedtls_ecp_read_key(int grp_id, data_t *in_key, int expected, int canonical)
{
int ret = 0;
mbedtls_ecp_keypair key;
- mbedtls_ecp_keypair key2;
-
mbedtls_ecp_keypair_init(&key);
+ mbedtls_ecp_keypair key2;
mbedtls_ecp_keypair_init(&key2);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.Y, 2), 0);
+ TEST_EQUAL(mbedtls_mpi_lset(&key.Q.Z, 3), 0);
+
ret = mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len);
TEST_ASSERT(ret == expected);
if (expected == 0) {
+ TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(&key), grp_id);
ret = mbedtls_ecp_check_privkey(&key.grp, &key.d);
TEST_ASSERT(ret == 0);
- if (canonical) {
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.X, 1), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Y, 2), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Z, 3), 0);
+
+ if (canonical && in_key->len == (key.grp.nbits + 7) / 8) {
unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
+ size_t length = 0xdeadbeef;
- ret = mbedtls_ecp_write_key(&key, buf, in_key->len);
- TEST_ASSERT(ret == 0);
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key,
+ &length, buf, in_key->len), 0);
+ TEST_MEMORY_COMPARE(in_key->x, in_key->len,
+ buf, length);
+#if defined(MBEDTLS_TEST_DEPRECATED)
+ memset(buf, 0, sizeof(buf));
+ TEST_EQUAL(mbedtls_ecp_write_key(&key, buf, in_key->len), 0);
TEST_MEMORY_COMPARE(in_key->x, in_key->len,
buf, in_key->len);
+#endif /* MBEDTLS_TEST_DEPRECATED */
} else {
unsigned char export1[MBEDTLS_ECP_MAX_BYTES];
unsigned char export2[MBEDTLS_ECP_MAX_BYTES];
- ret = mbedtls_ecp_write_key(&key, export1, in_key->len);
- TEST_ASSERT(ret == 0);
-
- ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len);
- TEST_ASSERT(ret == expected);
-
- ret = mbedtls_ecp_write_key(&key2, export2, in_key->len);
- TEST_ASSERT(ret == 0);
-
+ size_t length1 = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &length1,
+ export1, sizeof(export1)), 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, length1),
+ expected);
+ size_t length2 = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key2, &length2,
+ export2, sizeof(export2)), 0);
+ TEST_MEMORY_COMPARE(export1, length1,
+ export2, length2);
+
+#if defined(MBEDTLS_TEST_DEPRECATED)
+ memset(export1, 0, sizeof(export1));
+ memset(export2, 0, sizeof(export2));
+ TEST_EQUAL(mbedtls_ecp_write_key(&key, export1, in_key->len), 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len),
+ expected);
+ TEST_EQUAL(mbedtls_ecp_write_key(&key2, export2, in_key->len), 0);
TEST_MEMORY_COMPARE(export1, in_key->len,
export2, in_key->len);
+#endif /* MBEDTLS_TEST_DEPRECATED */
}
}
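Review bot: In `ecp_set_public_key_after_private`, the group-mismatch branch checks only the return code, so the copy of the private value saved in `d` is never used there. A failed call that still overwrote `key.grp` or `key.d` would pass the test. Since the check exists to avoid a key pair whose private and public halves belong to different curves, I would also assert that the key is unchanged after `MBEDTLS_ERR_ECP_BAD_INPUT_DATA`: `TEST_EQUAL(key.grp.id, private_grp_id);` and `TEST_EQUAL(mbedtls_mpi_cmp_mpi(&d, &key.d), 0);`. Whether the API promises this is not visible in the hunk, so it may need stating in the function's documentation too.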
@@ -1087,6 +1253,102 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_DEPRECATED */
+void ecp_write_key(int grp_id, data_t *in_key,
+ int exported_size, int expected_ret)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ unsigned char *exported = NULL;
+
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len), 0);
+
+ TEST_CALLOC(exported, exported_size);
+ TEST_EQUAL(mbedtls_ecp_write_key(&key, exported, exported_size),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ size_t length = (key.grp.nbits + 7) / 8;
+ const unsigned char *key_start = NULL;
+ const unsigned char *zeros_start = NULL;
+ switch (mbedtls_ecp_get_type(&key.grp)) {
+ case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS:
+ if ((size_t) exported_size < length) {
+ length = exported_size;
+ }
+ key_start = exported + exported_size - length;
+ zeros_start = exported;
+ break;
+ case MBEDTLS_ECP_TYPE_MONTGOMERY:
+ TEST_LE_U(length, exported_size);
+ key_start = exported;
+ zeros_start = exported + length;
+ break;
+ default:
+ TEST_FAIL("Unknown ECP curve type");
+ break;
+ }
+
+ if (length < in_key->len) {
+ /* Shorter output (only possible with Weierstrass keys) */
+ for (size_t i = 0; i < in_key->len - length; i++) {
+ mbedtls_test_set_step(i);
+ TEST_EQUAL(in_key->x[i], 0);
+ }
+ TEST_MEMORY_COMPARE(in_key->x + in_key->len - length, length,
+ key_start, length);
+ } else {
+ TEST_MEMORY_COMPARE(in_key->x, in_key->len,
+ key_start, length);
+ for (size_t i = 0; i < exported_size - length; i++) {
+ mbedtls_test_set_step(i);
+ TEST_EQUAL(zeros_start[i], 0);
+ }
+ }
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_free(exported);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecp_write_key_ext(int grp_id, data_t *in_key,
+ int exported_size, int expected_ret)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ unsigned char *exported = NULL;
+
+ if (in_key->len != 0) {
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len), 0);
+ } else if (grp_id != MBEDTLS_ECP_DP_NONE) {
+ TEST_EQUAL(mbedtls_ecp_group_load(&key.grp, grp_id), 0);
+ }
+
+ TEST_CALLOC(exported, exported_size);
+ size_t olen = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &olen, exported, exported_size),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(olen, (key.grp.nbits + 7) / 8);
+ TEST_LE_U(olen, MBEDTLS_ECP_MAX_BYTES);
+ TEST_MEMORY_COMPARE(in_key->x, in_key->len,
+ exported, olen);
+ } else {
+ /* Robustness check: even in the error case, insist that olen is less
+ * than the buffer size. */
+ TEST_LE_U(olen, exported_size);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_free(exported);
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBEDTLS_ECP_LIGHT */
void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected)
{
@@ -1233,6 +1495,28 @@ void ecp_export(int id, char *Qx, char *Qy, char *d, int expected_ret, int inval
TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
+
+ /* Check consistency with the group id */
+ TEST_EQUAL(export_grp.id,
+ mbedtls_ecp_keypair_get_group_id(&key));
+
+ /* Test null arguments: grp only */
+ mbedtls_ecp_group_free(&export_grp);
+ mbedtls_ecp_group_init(&export_grp);
+ TEST_EQUAL(mbedtls_ecp_export(&key, &export_grp, NULL, NULL), 0);
+ TEST_EQUAL(mbedtls_ecp_group_cmp(&key.grp, &export_grp), 0);
+
+ /* Test null arguments: d only */
+ mbedtls_mpi_free(&export_d);
+ mbedtls_mpi_init(&export_d);
+ TEST_EQUAL(mbedtls_ecp_export(&key, NULL, &export_d, NULL), 0);
+ TEST_EQUAL(mbedtls_mpi_cmp_mpi(&key.d, &export_d), 0);
+
+ /* Test null arguments: Q only */
+ mbedtls_ecp_point_free(&export_Q);
+ mbedtls_ecp_point_init(&export_Q);
+ TEST_EQUAL(mbedtls_ecp_export(&key, NULL, NULL, &export_Q), 0);
+ TEST_EQUAL(mbedtls_ecp_point_cmp(&key.Q, &export_Q), 0);
}
exit:
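Review bot: The three null-argument checks only prove anything because each output is freed and re-initialised before the partial call; otherwise the value left by the earlier full export would satisfy the comparison even if `mbedtls_ecp_export` wrote nothing. That reasoning is not stated at `mbedtls_ecp_group_free(&export_grp)` or at the two later resets, so a future cleanup could remove them as redundant. I would add one comment above the first reset, e.g. `/* Reset the output first: a stale value from the full export must not satisfy the check below */`. The enclosing `ecp_export` body starts outside this hunk.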
diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data
index 0b30bb8..514fced 100644
--- a/tests/suites/test_suite_entropy.data
+++ b/tests/suites/test_suite_entropy.data
@@ -8,7 +8,7 @@ Create NV seed_file
nv_seed_file_create:
Entropy write/update seed file: good
-entropy_seed_file:"data_files/entropy_seed":0
+entropy_seed_file:"../framework/data_files/entropy_seed":0
Entropy write/update seed file: nonexistent
entropy_seed_file:"no_such_dir/file":MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
@@ -38,7 +38,7 @@ Entropy output length: 65 > BLOCK_SIZE
entropy_func_len:65:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Entropy failing source
-entropy_source_fail:"data_files/entropy_seed"
+entropy_source_fail:"../framework/data_files/entropy_seed"
Entropy threshold: 16=2*8
entropy_threshold:16:2:8
diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function
index 0e013b7..5ac65fc 100644
--- a/tests/suites/test_suite_entropy.function
+++ b/tests/suites/test_suite_entropy.function
@@ -102,6 +102,7 @@ static int write_nv_seed(unsigned char *buf, size_t buf_len)
if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) !=
MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ fclose(f);
return -1;
}
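Review bot: The added `fclose(f)` fixes the handle leak on a short `fwrite`, but a successful `fwrite` on a buffered stream does not yet mean the seed reached the file; a write error can surface only when the stream is flushed at close. The success path of `write_nv_seed` lies below this hunk, so this is inferred: if it discards the result of `fclose`, a truncated seed file would be reported as written. Returning the close status there, e.g. `return fclose(f) == 0 ? 0 : -1;`, would close that gap. The same does not apply to the `fread` hunk in `read_nv_seed`, where only the leak matters.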
@@ -124,6 +125,7 @@ int read_nv_seed(unsigned char *buf, size_t buf_len)
if (fread(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) !=
MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ fclose(f);
return -1;
}
@@ -445,7 +447,7 @@ void entropy_nv_seed_std_io()
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_MD_C:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PLATFORM_NV_SEED_ALT */
+/* BEGIN_CASE depends_on:MBEDTLS_MD_LIGHT:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PLATFORM_NV_SEED_ALT */
void entropy_nv_seed(data_t *read_seed)
{
#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data
index ede6f24..a6d5e57 100644
--- a/tests/suites/test_suite_gcm.aes128_de.data
+++ b/tests/suites/test_suite_gcm.aes128_de.data
@@ -1,735 +1,735 @@
AES-GCM NIST Validation (AES-128,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d785dafea3e966731ef6fc6202262584":"":"d91a46205ee94058b3b8403997592dd2":"":128:"3b92a17c1b9c3578a68cffea5a5b6245":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aec963833b9098de1ababc853ab74d96":"":"4e0ffd93beffd732c6f7d6ad606a2d24":"":128:"e9fcedc176dfe587dc61b2011010cdf1":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4fb9e3393681da9cec5ec96f87c5c31":"":"845e910bc055d895879f62101d08b4c7":"":128:"99fb783c497416e4b6e2a5de7c782057":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a930f2e09beceacd9919cb76f2ac8d3":"":"340d9af44f6370eff534c653033a785a":"":120:"0c1e5e9c8fe5edfd11f114f3503d63":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe71177e02073b1c407b5724e2263a5e":"":"83c23d20d2a9d4b8f92da96587c96b18":"":120:"43b2ca795420f35f6cb39f5dfa47a2":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b02392fd7f228888c281e59d1eaa15fb":"":"2726344ba8912c737e195424e1e6679e":"":120:"a10b601ca8053536a2af2cc255d2b6":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"21895cbafc16b7b8bf5867e88e0853d4":"":"f987ce1005d9bbd31d2452fb80957753":"":112:"952a7e265830d58a6778d68b9450":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb9742bf47f68caf64963d7c10a97b0":"":"34a85669de64e1cd44731905fddbcbc5":"":112:"e9b6be928aa77b2de28b480ae74c":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e9708e4b37e2e1b5feaf4f5ab54e2a6":"":"1c53a9fdd23919b036d99560619a9939":"":112:"6611b50d6fbca83047f9f5fe1768":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"82fede79db25f00be96eb050a22cea87":"":"e9c50b517ab26c89b83c1f0cac50162c":"":104:"d0c0ce9db60b77b0e31d05e048":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1d98566fca5201abb12914311a8bd532":"":"590aef4b46a9023405d075edab7e6849":"":104:"a1cfd1a27b341f49eda2ca8305":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3038771820c2e1319f02a74b8a7a0c08":"":"e556d9f07fb69d7e9a644261c80fac92":"":104:"4d2f005d662b6a8787f231c5e1":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0fb7eef50de598d7d8b508d019a30d5a":"":"a2a2617040116c2c7e4236d2d8278213":"":96:"68413c58df7bb5f067197ca0":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cc58b609204215c8ab4908286e56e5c":"":"fb83ea637279332677b5f68081173e99":"":96:"a2a9160d82739a55d8cd419f":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81a5fd184742a478432963f6477e8f92":"":"da297cbb53b11d7c379e0566299b4d5a":"":96:"200bee49466fdda2f21f0062":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f604ac66d626959e595cbb7b4128e096":"":"269d2a49d533c6bb38008711f38e0b39":"":64:"468200fa4683e8be":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2e308ba7903e925f768c1d00ff3eb623":"":"335acd2aa48a47a37cfe21e491f1b141":"":64:"4872bfd5e2ff55f6":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1304e2a5a3520454a5109df61a67da7a":"":"dbe8b452acf4fa1444c3668e9ee72d26":"":64:"83a0d3440200ca95":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ecf1ec2c9a8f2e9cc799f9b9fddb3232":"":"ddf0b695aef5df2b594fcaae72b7e41c":"":32:"2819aedf":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9ab5c8ca905b5fe50461f4a68941144b":"":"96dd3927a96e16123f2e9d6b367d303f":"":32:"6e0c53ef":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fc7af605721a9cfe61c1ee6a4b3e22":"":"6b757d4055823d1035d01077666037d6":"":32:"e8c09ddd":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03c0b4a6e508a8490db0d086a82c9db7":"":"ac52f6c1a05030321fa39f87e89fdb5e":"33316ca79d10a79f4fd038593e8eef09625089dc4e0ffe4bc1f2871554fa6666ab3e7fe7885edef694b410456f3ec0e513bb25f1b48d95e4820c5972c1aabb25c84c08566002dadc36df334c1ce86847964a122016d389ac873bca8c335a7a99bcef91e1b985ae5d488a2d7f78b4bf14e0c2dc715e814f4e24276057cf668172":128:"756292d8b4653887edef51679b161812":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b228d3d15219ea9ad5651fce02c8374d":"":"5c7eafaead029c3fe3cf3835fe758d0e":"8c35dd805c08686b9b4d460f81b4dcb8c46c6d57842dc3e72ba90952e2bebf17fe7184445b02f801800a944486d662a127d01d3b7f42679052cdc73ce533129af8d13957415c5495142157d6ce8a68aa977e56f562fed98e468e42522767656ce50369471060381bb752dd5e77c79677a4cadffa39e518e30a789e793b07ea21":128:"a4dde1ab93c84937c3bbc3ad5237818d":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"776afcbabedd5577fe660a60f920b536":"":"5bbb7f1b14084e520408dd87b97705e9":"44631fc9d4a07416b0dfb4e2b42071e3e2be45502c9ddf72b3e61810eeda31a7d685ebb2ee43a2c06af374569f439ee1668c550067de2dece9ec46ee72b260858d6033f814e85275c5ae669b60803a8c516de32804fa34d3a213ccfaf6689046e25eeb30b9e1608e689f4d31cc664b83a468a51165f5625f12f098a6bf7ddab2":128:"a5347d41d93b587240651bcd5230264f":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20abeafa25fc4ea7d0592cb3e9b4d5fe":"":"3aba79a58c5aa664856b41d552c7a8d3":"98cfecaae9eb9a7c3b17e6bc5f80d8a4bf7a9f4fa5e01b74cae15ee6af14633205aafe3b28fb7b7918e12322ea27352056a603746d728a61361134a561619400ff2bf679045bac2e0fbc2c1d41f8faba4b27c7827bceda4e9bf505df4185515dd3a5e26f7639c8ad5a38bc5906a44be062f02cc53862678ae36fa3de3c02c982":120:"2a67ad1471a520fe09a304f0975f31":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bc73fba942ff105823b5dccf6befb1c":"":"902c3e3b69b1ef8395d7281ff74cce38":"4adec0b4ac00325a860044d9f9519daa4f7c163229a75819b0fd7d8e23319f030e61dfa8eadabff42ea27bc36bdb6cad249e801ca631b656836448b7172c11126bad2781e6a1aa4f62c4eda53409408b008c057e0b81215cc13ddabbb8f1915f4bbab854f8b00763a530ad5055d265778cd3080d0bd35b76a329bdd5b5a2d268":120:"ebdd7c8e87fe733138a433543542d1":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"356a4c245868243d61756cabe86da887":"":"b442f2ec6d45a17144c258fd59fe5b3b":"12cccc3c60474b0a1579c5006c2134850724fa6c9da3a7022d4f65fd238b052bdf34ea34aa7dbadad64996065acee588ab6bd29726d07ed24ffae2d33aadf3e66ebb87f57e689fd85128be1c9e3d8362fad1f8096ee391f75b576fb213d394cef6f091fc5488d9aa152be69475b9167abd6dd4fd93bbbc7b8ca316c952eb19c6":120:"ed26080dcb670590613d97d7c47cf4":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfa7e93aff73600fc552324253066e2c":"":"c20001e93f1cd05253c277a9445d61e4":"a64d1e20058a1f7e698622a02f7ff8dc11886717ede17bbdc3c4645a66a71d8b04346fb389a251ffb0a7f445a25faf642bb7e4697d2cacf925e78c4be98457996afb25b0516b50f179441d1923312364947f8f1e0f5715b43bd537727bf943d7b4679b0b0b28b94e56e7bbf554d9cf79fcee4387f32bb6f91efdd23620035be6":112:"6ba5e4dace9a54b50b901d9b73ad":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2ecea80b48d2ecd194a7699aa7d8ccfc":"":"8b4db08bafc23b65ae50a2d20661d270":"efc2ca1a3b41b90f8ddf74291d68f072a6e025d0c91c3ce2b133525943c73ebadc71f150be20afeb097442fa51be31a641df65d90ebd81dcbaf32711ed31f5e0271421377ffe14ddafea3ca60a600588d484856a98de73f56a766ae60bae384a4ae01a1a06821cf0c7a6b4ee4c8f413748457b3777283d3310218fb55c107293":112:"246a9d37553088b6411ebb62aa16":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d38fee3fd3d6d08224c3c83529a25d08":"":"a942ccb11cf9468186fabfc18c899801":"1c92a4ce0a1dae27e720d6f9b1e460276538de437f3812ab1177cf0273b05908f296f33ba0f4c790abe2ce958b1d92b930a0d81243e6ad09ef86ee8e3270243095096537cb1054fcfcf537d828b65af9b6cf7c50f5b8470f7908f314d0859107eed772ee1732c78e8a2e35b2493f3e8c1e601b08aeab8d9729e0294dca168c62":112:"803a08700ec86fdeb88f7a388921":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1899b0cbae41d705c6eed3226afb5bc0":"":"82d0910aa53e300a487d880d018d0dea":"6bf5583cc1007d74f3529db63b8d4e085400ccf3725eab8e19cb145f3910c61465a21486740a26f74691866a9f632af9fae81f5f0bffedf0c28a6ce0fd520bb4db04a3cd1a7d29d8801e05e4b9c9374fd89bcb539489c2f7f1f801c253a1cc737408669bcd133b62da357f7399a52179125aa59fae6707d340846886d730a835":104:"c5d58870fee9ce157f5ec1fa8f":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b95323d86d02754f4c2874b42ec6eb0":"":"4f76084acbdef9999c71dcc794238d7c":"ebc75788377c0b264818a6f97c19cf92c29f1c7cdeb6b5f0a92d238fa4614bc35d0cfe4ec9d045cd628ff6262c460679ac15b0c6366d9289bbd217e5012279e0af0fb2cfcbdf51fe16935968cbb727f725fe5bcd4428905849746c8493600ce8b2cfc1b61b04c8b752b915fed611d6b54ef73ec4e3950d6db1807b1ce7ed1dcc":104:"c4724ff1d2c57295eb733e9cad":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30da555559eb11cf7e0eff9d99e9607d":"":"7799275bf12335f281ec94a870f90a0b":"e735d556e15aec78d9736016c8c99db753ed14d4e4adaaa1dd7eaad702ea5dc337433f8c2b45afdf2f385fdf6c55574425571e079ca759b6235f877ed11618ff212bafd865a22b80b76b3b5cf1acfd24d92fd41607bbb7382f26cd703757088d497b16b32de80e1256c734a9b83356b6fced207177de75458481eaef59a431d7":104:"3c82272130e17c4a0a007a908e":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ed2ac74af896c5190c271cfa6af02fd2":"":"e0226e2d8da47badad1fb78b9a797f27":"8f11353ae476ff923013e6e736ffc9d23101a1c471ccc07ad372a8430d6559c376075efce2e318cdf4c9443dbf132e7e6da5524045028c97e904633b44c4d189a4b64237ac7692dd03c0e751ce9f04d0fdbd8a96074cd7dfa2fd441a52328b4ac3974b4902db45663f7b6f24947dba618f8b9769e927faf84c9f49ad8239b9fb":96:"db8af7a0d548fc54d9457c73":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0225b73fe5fbbe52f838d873173959d8":"":"02a048764f48d9aed1147ee922395bbf":"9b46a57b06e156c877e94c089814493ead879397dab3dfcab2db349ef387efcd0cc339a7e79131a2c580188fc7429044a465b8329d74cd8f47272a4ed32582b1c5c7e3d32341ae902ea4923dc33df8062bc24bb51a11d2ecc82f464f615041387f9c82bd2135d4e240fe56fa8a68e6a9a417e6702430a434b14d70cf02db3181":96:"e2c2ce4022c49a95c9ac9026":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"89ca3771a0ef3287568b4ac036120198":"":"7e83d2ffa8af8c554cfd71a0db56ef5b":"1bd7a9d6262882bd12c62bd50942965b3cdcadf5e0fab2dc4d0daf0ee4b16e92c6e2464c0caa423cdce88e4d843490609716ec5e44c41672c656ac0e444d3622557ea8420c94deae3ad190ddaf859f6f8c23e4e2e32a46d28df23de4f99bd6c34f69e06eddfdfa5f263dbe8baf9d4296b2c543e4c4847271e7590374edf46234":96:"06b2bf62591dc7ec1b814705":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a41a297bd96e224942998fe2192934a1":"":"6827f2c5a0b7ecd6bbc696abb0adf556":"f32041abd8543415cbac423d945dda5378a16a7e94d9ab5dbd2d32eb1c5048cc7c8e4df3ca84ec725f18c34cfdeaa7595392aabfd66d9e2f37c1165369cd806cd9d2110def6f5fad4345e5a6e2326c9300199438fcc078cd9fcf4d76872cac77fc9a0a8ac7e4d63995078a9addecf798460ff5910861b76c71bccfb6b629d722":64:"49a4917eef61f78e":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9372c058f42e0a1d019bdb528313919":"":"8d03f423230c8f00a5b6b712d426a2af":"cfef4e70fcc1821eeccf7c7b5eb3c0c3b5f72dc762426e0bd26242f8aa68c5b716ab97eded5e5720caccc1965da603d556d8214d5828f2cf276d95bf552d47313876796221f62ccb818a6d801088755d58cfb751bfed0d5a19718d4e0f94b850e0279b3a69295d1837cba958a6cc56e7594080b9e5b954a199fdc9e54ddc8583":64:"b82cd11cd3575c8d":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6302b7338f8fa84195ad9abbacd89b4e":"":"e1bed5c53547cbc85f3411fbb43bb08b":"bcd329c076e8da2797d50dcdcf271cecf3ce12f3c136ed746edc722f907be6133276ee099038fdc5d73eec812739c7489d4bcc275f95451b44890416e3ffe5a1b6fa3986b84eee3adad774c6feaecb1f785053eeda2cfc18953b8547866d98918dbe0a6abc168ac7d77467a367f11c284924d9d186ef64ef0fd54eacd75156d2":64:"5222d092e9e8bd6c":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78b5c28d62e4b2097873a1180bd5a3a5":"":"c93902c2819ee494f0fc4b259ee65dd8":"e6b1192674a02083a6cf36d4ba93ba40a5331fadf63fd1eb2efa2ee9c0d8818472aaaf2b4705746011753f30f447c8f58dd34d29606daf57eadc172529837058cb78a378b19da8d63c321f550dfa256b5fd9f30e93d8f377443bfcd125f86a079a1765d2010be73d060f24eebae8d05e644688b2149bc39e18bd527bc066f2ba":32:"eae48137":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d84130578070e036c9e3df5b5509473":"":"3b9b4950523a19c6866fd2b0cde541fd":"a764931e1b21a140c54a8619aacdb4358834987fb6e263cec525f888f9e9764c165aaa7db74f2c42273f912daeae6d72b232a872ac2c652d7cd3af3a5753f58331c11b6c866475697876dbc4c6ca0e52a00ba015ee3c3b7fb444c6e50a4b4b9bbe135fc0632d32a3f79f333d8f487771ed12522e664b9cf90e66da267f47a74d":32:"79987692":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08428605ab4742a3e8a55354d4764620":"":"128f5f4a817e4af04113847a223adeb0":"464b484ed79d93a48e0f804e04df69d7ca10ad04ba7188d69e6549ab50503baaec67e0acba5537d1163c868fd3e350e9d0ae9123046bc76815c201a947aa4a7e4ed239ce889d4ff9c8d043877de06df5fc27cf67442b729b02e9c30287c0821ef9fa15d4cccbc53a95fa9ec3ed432ca960ebbf5a169ccada95a5bf4c7c968830":32:"3eb3e3a2":"":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd358bc3f992f26e81e3a2f3aa2d517":"87cc4fd75788c9d5cc83bae5d764dd249d178ab23224049795d4288b5ed9ea3f317068a39a7574b300c8544226e87b08e008fbe241d094545c211d56ac44437d41491a438272738968c8d371aa7787b5f606c8549a9d868d8a71380e9657d3c0337979feb01de5991fc1470dfc59eb02511efbbff3fcb479a862ba3844a25aaa":"d8c750bb443ee1a169dfe97cfe4d855b":"":128:"a81d13973baa22a751833d7d3f94b3b1":"":"77949b29f085bb3abb71a5386003811233056d3296eb093370f7777dadd306d93d59dcb9754d3857cf2758091ba661f845ef0582f6ae0e134328106f0d5d16b541cd74fdc756dc7b53f4f8a194daeea9369ebb1630c01ccb307b848e9527da20a39898d748fd59206f0b79d0ed946a8958033a45bd9ae673518b32606748eb65":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"43b5f18227e5c74288dbeff03801acd6":"f58d630f10cfca61d4644d4f6505bab629e8e8faf1673e64417f9b79e622966a7011cfb3ff74db5cebf09ad3f41643d4437d213204a6c8397e7d59b8a5b1970aed2b6bb5ea1933c72c351f6ba96c0b0b98188f6e373f5db6c5ebece911ec7a1848abd3ae335515c774e0027dab7d1c07d047d3b8825ff94222dbaf6f9ab597ee":"08ee12246cf7edb81da3d610f3ebd167":"":128:"82d83b2f7da218d1d1441a5b37bcb065":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a433c612d7e1bdff881e4d63ba8b141":"ce10758332f423228b5e4ae31efda7677586934a1d8f05d9b7a0dc4e2010ec3eaacb71a527a5fff8e787d75ebd24ad163394c891b33477ed9e2a2d853c364cb1c5d0bc317fcaf4010817dbe5f1fd1037c701b291b3a66b164bc818bf5c00a4c210a1671faa574d74c7f3543f6c09aaf117e12e2eb3dae55edb1cc5b4086b617d":"8b670cf31f470f79a6c0b79e73863ca1":"":128:"8526fd25daf890e79946a205b698f287":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e9d75c781d63b29f1816859f7a0e0a0":"a9f1883f58e4ef78377992101ab86da0dafcefa827904dd94dff6f6704b1e45517165a34c5555a55b04c6992fb6d0840a71bd262fe59815e5c7b80fe803b47d5ba44982a3f72cb42f591d8b62df38c9f56a5868af8f68242e3a15f97be8ef2399dbace1273f509623b6f9e4d27a97436aebf2d044e75f1c62694db77ceac05de":"748a3b486b62a164cedcf1bab9325add":"":120:"131e0e4ce46d768674a7bcacdcef9c":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe6b8553002c69396d9976bb48d30779":"786f4801b16de7a4931ab143b269c7acc68f1ed9b17a95e8929ccec7d53413059fd4267bedbf079d9d69e90314c1345bc9cb9132f1af69323157ddf7533ced42b4b7bd39004f14d326f5b03bc19084d231d93bcab328312d99b426c1e86e8e049d380bb492e2e32ad690af4cf86838d89a0dfdcbc30e8c9e9039e423a234e113":"595b17d0d76b83780235f5e0c92bd21f":"":120:"8879de07815a88877b0623de9be411":"":"b15dc7cd44adcb0783f30f592e5e03ccd47851725af9fe45bfc5b01ae35779b9a8b3f26fec468b188ec3cad40785c608d6bfd867b0ccf07a836ec20d2d9b8451636df153a32b637e7dcdbd606603d9e53f6e4c4cc8396286ce64b0ea638c10e5a567c0bc8e808080b71be51381e051336e60bf1663f6d2d7640a575e0752553b":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14898c56009b459172fef9c17993b54f":"e7ba6ef722273238b975d551f95d3e77e9b75b24c547b86eafb457d409803bdf6e1443839d8604ee497020e1a3dbd687a819b17fdde0fcf240ce2129792792a58bfcd825773001ee959bf9ec8d228e27ce1cd93d7fb86769a3793361b6f82bf7daf284afc1ece657a1ee6346ea9294880755b9b623563ad2657ba2286488a2ef":"0862f8f87289988711a877d3231d44eb":"":120:"36938974301ae733760f83439437c4":"":"3fd56897a62743e0ab4a465bcc9777d5fd21ad2c9a59d7e4e1a60feccdc722b9820ec65cb47e1d1160d12ff2ea93abe11bc101b82514ead7d542007fee7b4e2dd6822849cd3e82d761ff7cf5ce4f40ad9fec54050a632a401451b426812cf03c2b16a8667a88bb3f7497e3308a91de6fd646d6a3562c92c24272411229a90802":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5253d4b071793b081ebc122cc2a5f8":"b57a0bd7714ae95e77fa9452e11a7ed4a2bec60f81ad6ddb956d4b1cb5dfc277dcb4034d501801b26733b5e08c710c3cfdccc1b208dc7a92cd7ebe166320582bcaff64cc943c36fbe7008f004e5db70c40de05fa68b0c9d4c16c8f976130f20702b99674cd2f4c93aeaeb3abca4b1114dbc3a4b33e1226ad801aa0e21f7cc49b":"49e82d86804e196421ec19ddc8541066":"":112:"e8b8ae34f842277fe92729e891e3":"":"c4a31c7ec820469f895d57579f987733337ec6547d78d17c44a18fab91f0322cfe05f23f9afaf019cf9531dec2d420f3591d334f40d78643fd957b91ab588a7e392447bd702652017ede7fb0d61d444a3b3cc4136e1d4df13d9532eb71bcf3ff0ae65e847e1c572a2f90632362bc424da2249b36a84be2c2bb216ae7708f745c":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3502d6f0d172246e16503cdf5793296":"09268b8046f1558794e35cdc4945b94227a176dd8cb77f92f883542b1c4be698c379541fd1d557c2a07c7206afdd49506d6a1559123de1783c7a60006df06d87f9119fb105e9b278eb93f81fd316b6fdc38ef702a2b9feaa878a0d1ea999db4c593438f32e0f849f3adabf277a161afb5c1c3460039156eec78944d5666c2563":"6ce994689ff72f9df62f386a187c1a13":"":112:"21cdf44ff4993eb54b55d58e5a8f":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5fb33dd73db309b9dfd3aee605cd94bf":"f4e011f8c99038c46854b427475f23488077ebf051c4b705a1adfdd493a0a10af7a7e9453965b94f52f61ae62ce9243a82a2dbf9c5a285db3fe34ed34ed08b5926f34c48171195f7062d02a6e6e795322a0475017371cb8f645cdcac94afc66dc43e7583bdf1c25790f4235076a53de6c64f3bc5004e5a9ce4783fbf639fad97":"3f6486f9e9e645292e0e425bac232268":"":112:"7ee5e0e2082b18d09abf141f902e":"":"0503cb531f1c967dae24f16dd651d544988a732020134896a0f109222e8639bf29ff69877c6ef4ac3df1b260842f909384e3d4409b99a47112681c4b17430041ca447a903a6c1b138f0efbb3b850d8290fceac9723a32edbf8e2d6e8143b1cbc7bf2d28d1b6c7f341a69918758cc82bbab5d898fa0f572d4ceaa11234cb511ec":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a958fe3b520081b638d9e4c7d5da7ac7":"dfa9487378c7d8af9c8dbd9e533cd81503d9e4e7dab43133bad11fd3050a53a833df9cc3208af1a86110567d311d5fc54b0d627de433c381b10e113898203ac5225140f951cdb64c6494592b6453f9b6f952ec5ece732fb46c09a324f26b27cdad63588006bb5c6c00b9aa10d5d3b2f9eaab69beeddd6f93966654f964260018":"c396109e96afde6f685d3c38aa3c2fae":"":104:"06ca91004be43cf46ed4599e23":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec319fb143eac8215b51541daec268f2":"d298d988e74927736237eb8ab09d7a86b854fa2fd1f7f3be83b417ac10aa9291f4af5b3fbaf75a296ac32369ad57ded3984b84711953e477de3035ba430a30ffb84c941936e6c8d2cae8d80159876f87dd682747f2dccc36d7c32ab227032b8ac70b313fa4202ea236e3ec4d9e4d8b48cf3b90b378edc5b1dbeec929549344f8":"8a4684f42a1775b03806574f401cff78":"":104:"e91acb1bfda191630b560debc9":"":"27ce4a622959930f4059f247d29d1438257093cc973bf1bae4e0515da88b9a7e21ec59c7e4d062035cdf88b91254d856b11c8c1944865fa12922227ded3eecccaa36341ecf5405c708e9ea173f1e6cdf090499d3bb079910771080814607a1efe62ec6835dc0333d19dd39dd9ea9f31cd3632128536149a122050bb9365b521d":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14a3e69f351ac39b4297749a90c1365c":"051224f7b208549dcfda5f9d56ce5f0a072ef1f23f3810c693516c92622be6ed4d7a9e0f9450980ba490b2e9e3468ea7eef10bc9ebd673d91f32b748c1bf2c50cc4ebb59fc409c6d780bba00700d563ce1dc9927a6c860095a42ed053f3d640debfbfa7a4e6d5de234af19755000d95e7f414f1f78285ee165410c020038286b":"eb1c6c04437aa5a32bcc208bb3c01724":"":104:"e418815960559aefee8e0c3831":"":"797310a6ed9ce47cdc25f7f88f5dbbf6f8f4837701704d7afced250585922744598d6f95ba2eecf86e030cc5ee71b328fc1c4f2d4df945d1b91a2803d6ae8eba6881be5fe0f298dd0c0279e12720ede60b9e857ccca5abe9b4d7ee7f25108beebbfe33f05c0d9903bf613c2e7ed6a87b71b5e386d81b3ae53efd01055bbcccc2":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c34827771fc3918d1cee09ba9401b832":"ce79701b661066e53191c9acdaf677ad41622314898d7216e3f113e2e6e215d26d8bd139827f06ab3ea5c4105694e87db1dd6cec10e1f86a8744d4c541f08e40319e22ab42fc1a6c89edfd486b6f142c6bbbf84a73912e0b2e55b79db306ccabf839855afdd889e52ae981520c89e7dc29bb2adb1906cca8c93fcb21290a095b":"2379bbd39a1c22bc93b9b9cc45f3840b":"":96:"26e1f6cf0d9e0f36dfd669eb":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b1f9bd2006ec550b7b9913d383200b5d":"6d9fc8f586d50d6e0128172ae147844e80136905d3a297497a9566ca7c7445029028f14c9950acee92a5c12a9150f5e024e01c7505dd83937542b0b1288de9c292ae8ad918a09b2edf8493540b74c73d2794f2eb6eed18eba520ddea9567462c83330f33d7892fcde0b10c73a4e26ab1bef037cec7e0190b95188e9a752fee6f":"ca28fa6b64bb3b32ef7d211f1c8be759":"":96:"c87aac7ad0e85dbb103c0733":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b2cef1a92aa0af2b00fb2a99855d5bc":"fd09525ef3c65ab5823e1b6c36b4a9449a3975c5d3a9e7e33c61fb32edcbb8e8c915b6202e3fbce87d73cc3b66d83d9ea7e1e353cc7468f08626932cf0235563e2a28953ee5a0afadb1c3cb513b1f1fc9a8a6cf326174b877448672f7731dd6430a51619da1a169ab302da5af5b38802f8bbf5890b5d9b45deda799679501dc4":"08d87b7acee87d884667f6b1e32e34d0":"":96:"3bd7685318010b0c5fe3308b":"":"583e64631c218549923e8ad33b728d07f23b0f19d2aff1ad7e20d564c591db0e117caa8f21e3f3345e3d84f0ccbb27274cddf9274410fc342cb2a5d4aea4e925d0dd5350389ee0dea23a842ff3f5c1198374a96f41e055f999cfbc2f47ceaa883da8eb6ff729f583eff1f91bd3f3254d4e81e60d9993b3455e67f405708e4422":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"175c306f8644b0c4b894ae3d0971505e":"fbe7ced7048f83e3a075661c4924eb77da1b4d6019d504afb942d728b31fd3b17557bd101c08453540a5e28d3505aeb8801a448afac2d9f68d20c0a31c7ef22bd95438851789eef1bebe8d96ac29607025b7e1366fecd3690ba90c315528dc435d9a786d36a16808d4b3e2c7c5175a1279792f1daccf51b2f91ac839465bb89a":"9860268ca2e10974f3726a0e5b9b310f":"":64:"f809105e5fc5b13c":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08c0edcfe342a676ccdc04bdf854b4b0":"1fc8ef8480c32d908b4bcbfa7074a38e915c20ed7a1c608422087e89442d7c5af6fe9c9a716c55793248062d8e6c6e8e904e2804da3a43701e4c78ecdb67e0b25308afc6d9b463356439cd095cff1bdf0fd91ab301c79fd257046cba79a5d5cd99f2502ad968420e4d499110106072dc687f434db0955c756a174a9024373c48":"4a7b70753930fe659f8cc38e5833f0c7":"":64:"9ab1e2f3c4606376":"":"983458c3f198bc685d98cea2b23cf71f0eb126e90937cab3492a46d9dc85d76bbb8035c6e209c34b2a7187df007faabe9f3064dc63f1cb15bf5a10655e39b94732e0c6583d56327e9701344e048887a81b256181cdfa9ec42ebc990875e4852240ddcb3cbc4ea4e6307075fd314f7190f3553267bd68b19e954e310ec3f8dbab":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"241067a0301edf0f825d793e03383ea1":"6984bb9830843529fad7f5e7760db89c778d62c764fcd2136ffb35d7d869f62f61d7fef64f65b7136398c1b5a792844528a18a13fba40b186ae08d1153b538007fc460684e2add8a9ed8dd82acbb8d357240daaa0c4deb979e54715545db03fe22e6d3906e89bdc81d535dae53075a58f65099434bfeed943dbc6024a92aa06a":"a30994261f48a66bb6c1fc3d69659228":"":64:"36c3b4a732ba75ae":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03cccb5357bd2848332d1696f2ff90cb":"5e2f18cbc1e773df9f28be08abb3d0b64d545c870c5778ac8bb396bef857d2ac1342ae1afb3bf5d64e667bf837458415d48396204fe560e3b635eb10e560e437f2d0396952998fd36e116cd047c1d7f6fc9901094454d24165c557a8816e0d0a8e0ce41e040ba6f26ca567c74fc47d9738b8cd8dae5dfc831c65bc1ba9603a07":"e0754022dfb1f813ccaf321558790806":"":32:"c75f0246":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e5e53c84a05d5a5348bac7b2611cf62":"489c00c05dec06f282924c680f621ab99ac87f7d33ebbb4ca0eee187ec177d30d2b4afb4ee9f0dc019cf1a4da16d84b7f5f5c7fce72a32461db115b5a5a433024fd5ed3d47161836bb057a0189ed768f95e45fa967d0cc512fc91b555808c4033c945e8f2f7d36428dcb61f697e791b74e5c79b2bcb9cb81bec70d8119cd8d76":"47e40543b7d16bc9122c40b106d31d43":"":32:"81eec75d":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c94008bf377f90b7a1c0d2ea38f730c":"7b3d619d115de9970b2df4e1f25194940b3f3da04c653231e8e6946de9dc08ae5ba37e2a93c232e1f9445f31c01333045f22bd832e3b5f9833f37070fafb0ef1c44cc5637058ab64d9e07bb81b32852d4cf749a3ddbfdb494f8de8bb4e31f46033f8a16bc22e2595d023845505ea5db74dd69ab4ca940078b09efb4ff19bdb66":"abfe92931a8411a39986b74560a38211":"":32:"47d42e78":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"69eedf3777e594c30e94e9c5e2bce467":"5114e9983c96fecec3f7304ca42f52aa16cb7c6aadfb62ad537c93a3188835ca0703dad34c73cf96435b668b68a7a1d056931959316e8d3ab956bf64c4e07479c7767f9d488b0c0c351333ccf400b7e0be19a0fd173e3f2a1ae313f27e516952260fd2da9ab9daca478ebb93cd07d0b7503b32364d8e308d904d966c58f226bb":"a3330638a809ba358d6c098e4342b81e":"df4e3f2b47cf0e8590228fcf9913fb8a5eb9751bba318fd2d57be68c7e788e04fabf303699b99f26313d1c4956105cd2817aad21b91c28f3b9251e9c0b354490fa5abfcea0065aa3cc9b96772eb8af06a1a9054bf12d3ae698dfb01a13f989f8b8a4bb61686cf3adf58f05873a24d403a62a092290c2481e4159588fea6b9a09":128:"5de3068e1e20eed469265000077b1db9":"":"208e6321238bf5c6e2ef55a4b8f531cbbfb0d77374fe32df6dd663486cf79beeed39bb6910c3c78dd0cc30707a0a12b226b2d06024db25dcd8a4e620f009cafa5242121e864c7f3f4360aaf1e9d4e548d99615156f156008418c1c41ff2bbc007cecf8f209c73203e6df89b32871de637b3d6af2e277d146ae03f3404d387b77":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45cc35311eedf0ba093bf901931a7036":"5dc8d7525eaad035c19714ae1b1e538cb66a4089027245351e0ad9297410fb3a0c1155407c10a8bb95a9ca624a9c9925dac003ee78926c6e90ff4ccdba10e8a78bda1c4478162a0e302de5ff05fb0f94c89c3c7429fb94828bdcd97d21333c2ee72963ee6f056ce272b8bab007e653a42b01d1d2041ba627f169c8c0d32e6dae":"fed5084de3c348f5a0adf4c2fd4e848a":"6e210914e4aed188d576f5ad7fc7e4cf7dd8d82f34ea3bcbdb7267cfd9045f806978dbff3460c4e8ff8c4edb6ad2edba405a8d915729d89aab2116b36a70b54f5920a97f5a571977e0329eda6c696749be940eabfc6d8b0bbd6fbdb87657b3a7695da9f5d3a7384257f20e0becd8512d3705cc246ee6ca1e610921cf92603d79":128:"266a895fc21da5176b44b446d7d1921d":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9edb5231ca4a136b4df4ae22b8588f9f":"493df801c57f8bb591955712d92d3fc34518f0599fec8533b2b4473364e1df4f560c12444cf50eeb584676b7e955c742189de6b50b8e012dfa6642f3679fb02bc6d8e08d1db88c8ae955a7946263e06494e17f8df246b672942661e5563302252208f2e00a0d77068a020e26082c291a75a06f63c41e2830292a418b2b5fd9dd":"c342e9bdabe7be922b2695f5894e032c":"a45c7f8032ac5144deef8d5380f033aea2786b0592720a867f4831eaccc6b85d3fd568aedc6e472e017455b0b5b30cf7a08ea43ca587f35e1646ecd9b4dc774d11e350c82c65692be1e9541cbd72a283bdcf93dc7115545f373747b4f8d5915ed0c42fbeefd3e9bd86003d65efc2361fde5b874ddabcf8265e6b884615102eff":128:"5ed3ea75c8172fa0e8755fef7b4c90f1":"":"56696e501fac1e8d5b83ef911ed11337d5d51ff5342a82993dd5340bb9632e6606eef68ec5fe8cec6b34ebbc596c279e6cbc9221c4cde933f6d93ae014e3c4ca49593f35eaa638606d059519bac3a3373519e6184e7227d2aa62170c36479fe239cb698bfca863925a4c9fb1338685a55a6dfd3bd9c52d8ae12be8551fce6e1a":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5fdcb8f5225090e63fae9b68f92c7cb":"d39b9cba95e3a3aab9bc1d03ff475c04faeb5b7f0510777f39e5a05756606eb7ddd154aac035d9ddaf3535629821dd8f014dedd52cd184f52fc706e3c89a3a271398c9125d9a624dafb297a56022ca2ea331ea7359ab5e65f8e14814788e64e0a886a9b1a0144bf268fdcf9d94c3d10a0452f40111da9df108252e9039eacea3":"581c818282a0905df5ffff652e5604e9":"f1ae6cd7b07f261105f555cf812a1d5bf8dd9aac07666318acffa11abb77d0238156663acbf7543825b45c6e9cddb481a40995ecd78bb5f4cba5df7c7efb00fc19c7f45e94d37697aca8ef368b99165393b6107f900194c797cd3289cb097eb5915f2abfd6aa52dd1effffdde448e30075a1c053246db54b0ec16eadca1c0071":120:"827e66b5b70dce56215cfb86c9a642":"":"cec11a12e47fd443f878e8e9fe23c65f29dd2d53cec59b799bcb0928de8e2f92fe85c27cec5c842ef30967b919accafe0c0d731b57f0bb5685d90a3061cb473e50e8aeca1346d1f47f7db06941f83f21ba5976d97c28cab547d8c1f38387a04b8a0b212da55b75fbaf9562eeeabd78eadcbab66457f0cd4e0d28133a64cb063f":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036198cd3a3ab9319684d0f811cf2992":"6b95b9e82a695fb7b466ce3adb536f525d8314f95eada39efb49baf121093ce7d5439f0d8223e03530b85accd388a70650ca9f7e63eb32afecb7b1916ed9b762128cc641caf3e08e027c3d88481d653b6b15172e977dfb9b3f88465911aee162501cbf8501ce2b66ee151bbfdc23225f638f18750c239d62471663e5ee2a5856":"47dffc6b3b80ffef4b943bde87b9cf3c":"ec4de476cd337f564a3facb544d0ff31cd89af4c3d9a28543e45156189f8eff8f804494dda83a1fb2c30ce858884a01ec63db59268452b1eea0f0d48280bb7340eaacc84509469dd94d303774d053d7ab4fb5f6c26581efeb19165f8cb09d58ec314d09ab8356731e87fd081f661e7b2d1a7c3aa4af5448a12b742e7b210b0b0":120:"6cf68a374bea08a977ec8a04b92e8b":"":"5c2f7c408167be3d266ff634e1993fe291aef7efae245fa0b6b5bde886a810c866ae6a078286684d1b66116e636e285f03646e09f3c4ed7b184e7c171ba84f3bfd9500c6f35964a404892b4cdcdd3f697fc5b01934a86019810987a9fea7efca016049873f1072f62df3c17f57ea1d88ccd8757f7e3c5d96e8a18d5366a39ea9":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c9fbbff8f25f951ba874dfc5ff38584e":"ca401071396da00376add467490abc6e6a7d8a85852026979f7013a09cf689113c8d833560cd6c5b8fdaa8fdd818e773ac13954839a0a2c91efeaf4e0e14de43308419a8b86fa2ae600a88a6bd39dfaabc16a3c7c1b77a5c2aab7f7caceb2f8595324125efbb7c96ba16c47d0bd10568b24bf445d72d683268466e68e46df500":"1c1fc752673be6d4ff4cc749fc11e0fe":"abfde0b60acfe265b62ed68ebebc1f5f725f155c4b8a8aeec8d704701c51ff7817060c1b0ce6b80d6efc9836c9ea2bc022ec67db4cd34e945e3a1b153fd2e0f7ac84bb4b07e04cbb529ee24014b16067f9f082b940c9d5e54024d3e5e910310457478560721587da7b5343d89eec5a8fce389c01185db15e7faa9a3fa32e8ab9":120:"ff0b2c384e03b50e7e829c7a9f95aa":"":"239637fac6e180e71b2c9fa63ce8805f453d81499623ec2deba9b033350250662897867bffaf0c314244baf9e1fe3e1bb7c626d616bfbf3e0ac09a32aaf718b432337c9dc57c2d6fc4a0a09bdc05b9184d1b90c7193b7869f91e2caa8b3b35c10c6621ffae4c609bdf4e4e3f06e930541c381451ef58f4f30a559d2b79b0e6b6":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a314ec178da96311e42334a616fb38b":"518b3f5384ab54f80497d55be7a5d6902bc7718386212c2ec7537db331514b3838f104bf9054e03039a4cfb73f41e5d0a9648e569ed738cea8d33917430dff6afa8f07a75e324b9262fa196a4439dcd66b0535ee5bea0d292600227c2a79ed03be0671740e5cb7b306d855612bd3abcbf02cf7e7cecbb6cdbb33d57b4e3234a2":"d7ea27c819e3eb2666611bb1c7fc068d":"db8dcc31a5681f13d56abd51bd2dcb0d2b171628186e215a68bf16167b4acd00c3441973c3fa62fa2698ee5c6749fc20e542364d63c40756d8bcff780269e5201bafdced3cdc97931d8203873431882c84522c151b775285d0a3c5d7667254c74724ff0ea9d417aa6c62835865dfded34edd331c0c235a089427672c5a9211c9":112:"1e774647b1ca406e0ed7141a8e1e":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e818372a63b7e2c23b524e29ba752bdb":"c1bf1b702a95ceaa6b48a1cdd888ae51f58a9fc3232bd6c784529a83301c6d0cdda6e605ad9a2563f54a8d59f624ae7c589e48b85041a010dcb6fb8739d43e79a456fc0e8574af086df78680460c3cdc4e00dc3b9d4e76b0de26e9aec546705249fa7e7466c01001c2667eaf2813be1f0f116916f34843a06b201d653aa1b27e":"36e617e787cb25e154f73af1da68cb06":"71801d69796c2ce36b043c157aec9fd2e06fd1ec596126d10c26b6d44e3dc36c4fa30a030d65c382b6ddfd958e71fe9c16732e595137a3d6764c15480fc3358e9a113ba492b31274663f5842df5d1cc6bad70e83b34675a4411e2e70755aede0ff5035601be130562e27a20283d6f144ff1bdb5276dec05fad80d51b28d50688":112:"3744262bc76f283964c1c15dc069":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a04f16882ff45816739d1b6697ce8b7":"6a4f3dbb3371f64258fd1f831349e745a4e19a33aad794b1de3788729618beed619586092120e9e5dc3ac6e0d52f991f7be61afbfaa4399ac716ad79a2734827254b1627791dc92a128a6f43426b8085dee94242e83176a3d762658f18ecc1e37e3e1531648c9caed212ea2cf3b3843cb92cb07730f30fe2dca3925470fadd06":"66f504d9a9128ad7fb7f1430d37c4784":"f641c53c83c4fb1ff8044bfa97cdf63fe75d8159d65b3e5ad585b89c083a53cf4a2f7a58eaeaf45fa71f2c07bc5725a6b03307d7f32884a133a4c803700bf1e12564b98b71f63b434ddf13ad2c467dda25ffa6effcafa72452b20c34cfae71e47096f8745b487e9f1945f5bec83f7ec2709a13b504d92315b1b727a78902be84":112:"fbb37084396394fecd9581741f3c":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38cf029a4b20607030586cd2d82146e6":"f4c9f4476561c9ebdac71b282ae6e2f9f03547da98e66d4d857720db2fcc9ed1f363858db34c9dcaca0109d7c81db24150493115f2bb6985efa8686e3d2ab719d33b230aa4c5c70696bf42f225fb3c6704711c054a882d89b320884a78cb59cd2100496edf4010487597fb9135d8ca79693a43843e9626fd6c64a8722b3a27dc":"6330084319e2bf32cd5240f4826944bc":"80746cfb0127c592f8164d751b0e14a5b379056a884cece7ee4e9b80538d7ff6be56a3b19c135786722aaf315123b47672b0251e87ea45f0fd3601cf93f9efa6cbd9ad537f54d57f1e187f821faac24096ecec19d137c9f4cf145c278af4cd8de01c7758784fda06f1cc62d92ae1977786f3d0645714ab4ab6f48c8794b12f73":104:"7b021de5cda915ba58f90ceef4":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cf4d81fc5997c744a572bed71f4ae609":"f3d65d70326e641fbe7fd945fe9cf66c74f17d0d1020ae8ac488f39b7285c99d8632bc2201960f3d77daccfecc04428abe0853aa8d82b90a93127c72b2d2af53f7f1bd0afb99d50f0b3b24e934ec98eddb278b2c65866442cebf10208c7ce1b7ecf764858480b2a269b106fa6d2428d5ad17612e53e62ccc7ad1184663aeb9a7":"bc4e20c56931c967ce8e3b8f5f1c392f":"b6b8294abf7da5703f864721f7904d3821f5568bf4b269e44edef4f1c95ddc172d83a06c0ad9f7f1fd2e292c17a876392bc5bb705d370b2f16ff721bef7648f423346fd3a4d762676e6fcf2d690553a47224af29afed0f452d263be90eb8150a13d720f1db6f1abc1c2ec18cfbf93b8ed3c5aa7cfc1dcb514d69f90409687a4d":104:"0a86142a0af81c8df64ba689f4":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d88ad40b42ead744f1b7a36685658be1":"e99d2566fe6bcb2a04d167605db7c0f1e5567ff2d8d3292c15bbccc5d1e872bcb15a30b3bb8b1eb45e02fba15946e6bca310583a6740845a0f74f4ebfd5c59ced46875823e369e0447cc3e5d03dae530adf3c9846362c94e7f9d17207bf92d4d59981d8fd904eb8b96a0a23eb0f8d7e7a87e8e8892a2451524da6841ce575c27":"52c3158f5bd65a0a7ce1c5b57b9b295e":"dde2663335c40e5550ae192b843fa9fb4ef357b5c09d9f39dafda3296a4d14031817ee4dc1a201d677597d81e37050cd3dc86c25adbd551e947a080b6c47ec7be8a927ef7920bd1bb81f2c59801a2b9d745d33344cbe4838bcf2eb8dce53ab82c75c9bbab8e406597f6908aaa81fbbdef25aa69116c8f7a8cdc9958435aa32ac":104:"7643b3534eb5cb38331ed2e572":"":"6f87f6be2f4e7421aa26fe321045d1e23066a02158634bef35890581c92367d0bc232940de30974c70a66c60137a9f3924d12db1e5bc1b0e7131ea3620a25eb805b7d670263b82c8bbfcd6839305025390fc17d42d82daebe1b24f73ff9aa4617e3866785dded88f8b55ef89b2798ea2641a592a46428d9020f9bf853c194576":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3ce86a212a30e724b4c624057db4e79":"3582ef7a9565c9a8e4496750ee5ca3e3a80df6238f7b7608e3394ec56d1360777921da039ede34abcedd01081babd496ba4de74a7de501181d6bb2022a6cc7f79d89a4c6a97676fb0f2b42f70e2d0bc1eaac364c3646df4f611c1d6b09737451b81b5a4da73c05fb58391c74e44498b80b26f1c29562d23c39b5d3f086b280cb":"9e03f0dd4cb2b3d830a6925e4400ed89":"92c48a39d93ea3308f55f6650d33fdf17a902076d582a94a82ac99496de9f62312292b844bbca5a683ef0f0710bbc1c7f89cbcca8f9c0299f154590d32059bd99fca5d78c450ede0d11d55075947caf2151218ce7a06c1e81985a7781a3444054170b457fd7ba816026310112abb47c8eddfd3ab7f679a0f60efc6c6dd3b759e":96:"3230fe94b6ccd63e605f87d0":"":"052347a4273cddba65b2a0b961477f07edee440a9117ab204359d2dd45ad2a6dad3b60ead891e7da6d79f3017ac90f95725a0089f04d25ce537bf53b7ea8e1ea58692d34c221db141e2a9fd7211adcee03ef8b5bf3c5d36311d20bb3d81f70f7e7272d0e2b6d12293b1a2c31b70f140a8f08d98c6231a3c429c3d0a10b2e1c1c":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0155360b84420b5bf4fb410ea02f31e":"ecdb51522fc440f7471ea6a31f7c1ef1ec2153e5bcf6303297dbf8ddb3830b45ed9866157375ce4bdeb5e32fcbc6607984fccd7e6552628736608ab13072856d432ceccd3e90d1bb52ca9ada9cee90eb89ac10e887a1978fd0fb3d7bb20caaf35539e150be8044b725b8427c4c4a910f79980865d36344a8784bcc3d58460acb":"46f0386be7363887e7e357376305eab5":"611bc290f91798ad84f0a5ecb5a7cb8fa35e9ab6a5a51c9869a68a076e96f92c9c117595f92cbac5d33343fa2accd2541473907cbc54792c5e215ae857424c921b04ca4b81376bbedbfcc0e565c118f2aced08f247698eed5e2d202c48245161cabeac9fa195219f9799fa253e339561e13012167f1d02b4012b7791b7c863ba":96:"ac5addcc10cae6c1345520f1":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"694f621f594d96b16c32254ff06f3f9c":"e61476b8b7f101ca6005f25af2b9bee795d62720bbbf59357057ca7cd473e00f0d465255fce8d6164657603323549fb4e3d33fa51054b1a70cc7e492916dea85453e9107fe781bfeb4a622c5b2306a8dddef99386dc50745003aa7220cd7f32fb0a060fa7682576769a48f9169c7d11fe0a8a61b95f5d6dfcf216f7d0c652a84":"542db4e107485a3cd24c7ad337a4f1b5":"27b7bfa5eb34ba376e515e58ab8b6556c396820d0074a1fe3b984945dcf5251ca450456ccb4bb66ec739b03fdc5f72d24553e843255adc012d1f1c95aa3cdac5d12926465354217203052cbd4869a8b5be2e01d0fe66b5a6a8da0a2ce351557e2991ce77baa812b9c67b8e1c5a1fc348710e1a73a0fd49acfd538b7db6bef8b3":96:"0bdef4d771a1740381e7db97":"":"8b27a338fd2153d304f04655e09bd9bdf4468890ecce1e3b51de2c9a25a8d9336a9acd753ce270b1fe8d50196feac68145e0fd59c9cb3aa7c1e8af03494bc4279c6e287c849f3c775ada584ae173100946ae6921ef7c96bbc6f216093548702cf1867bb1bf1f4c9e90a34230a2b2aeb584622dd615023a43a406e64428bd9170":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78826a5215a1d5e1b39cad5a06861f8f":"0fe2c798d7015d3e2f8725648d95729c45d357dc0c89fc63b9df5a68d3e65419540f663e9190793a29c58c495d5c6a731782acf119e2df8a96fb180ad772c301d098dbc5e3560ac45b6631a01cef7eed6db51f223775d601d2e11b9baa55e2f0651344777e5a03f6738a2013626a891b5f134f07b16598b8cbe3aeaefa1c2a26":"feb9d740fd1e221e328b5ef5ed19eff5":"ca9411b368d8295210d7a04da05a351d287f2f67d978ef1bb936de9f8065473f6fa11495da2eab13a1002231c86411d5409bbc718e2042ee99e013b1df1ef786e9fc1f2d43293c854128184efb9317c4ef82a002eac8b28fcd91d8a714a3aa25fc3c0ae4af9f4bcf5ad19a30cd8ec4b1785df70aa92074da419abe433dd4c435":64:"a724bbb295a02883":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d450f5253251121606e56687952bf2f1":"479b4f421bd8ac7f615c4a507da187cb5d4b1f1e2c6113d1f9678c1ba92dc5e17c5b525d7f3208733223eb82af0820b8476e9b08ca714ce044417b24d2238720cb8ffdc69db558cbaff52e3651b400e16c9d5ac8ed8949a19c35516f80394a04bd1cfdced7b204f779d792086e00b2ebca2f55a1140e85f5ee9ac7cfc5a31747":"fe7ff90b020fc77d7fcd90bc583850ac":"a3bca9ff25a60006eb18f993dcdc99681e414e27605264dfd25652195d7fe1489550afd07fc7346b88d93b59eb6642913646e93bf50ee1db5dd30106cf181124d8ad01c72ed99038c9798620abdf5c78c419b08c97f982b34d9e9105d9aa4538afcd37f62e2412f14f7a248fcd60abaf2b66cd4554767f99030f1a495d56a5ae":64:"6446398aff73ed23":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90a59f6b0abf932311f0b65623c17740":"be5a948a771a8df12adaf74d702f064a75f6483c03203365fbde7d184844fe6dee0b84cf344be05b1d163817ba1516fcb87b9167ed81f884ada73b0058e2b38cba515bbbe462f4c21f8de1d41bca2cf4340aa659f9f07886c2bb620d9c3295318c07fa3c17fe8242409359c08bcb337e5cf268880839b6a20f4ee4b3f04e7024":"20778bea82a6717038e7064f48a31981":"4022d04f1454a72d2efe57533bd32757595220b20f3a37d166cec0412fb1eb2588f939ecd906c805f4827338669888e9f730905001eb1b136b95e306edf70d9ba1e5cd0aa13a25a1f28ab55cff36f9cd7036c735e3b285d26002ad2ed1074b566e252ea3ec8a9ce10882375dc3f1d9676e301dcb179eaae991120b796cc35648":64:"dc77c1d7e0902d48":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be4ef629f0b38194c74f7b66418922d":"b67ea20a320f4ec0e4185c62a4ad79a3c97a8189a5e4d1deff9d3edff0f9a9323532853c1a2a2c1e62e4d1afebfcdf1d8461921ea601750380e63b912d8b7389198f976851d88a19f1aa32c97143668ad00838d98da1c4f2be0e6e2dc964d170d7f7ad2e2997982e5ca110e744b6e10c24ca18eadff6b129b1f290c8a7e0a593":"fb77a4b9b246271abfc656433f87628c":"e5d5227725a19a3050fbf2a97a6e854bc1218b94a4a3403b721ace3447daff68fff5553a26edd41219e68fb61fb9e964d0a3c29796251ae4eb942187cdc55d13a09dfb487e93d9e2072d7271456a77c6ccb81154443eea176314d6e3a08619b52cd880f1c28ae5214ac0090a3855dbd74f87389fe8afebd464330fb683dff81a":32:"3d8fc6fb":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c50e37244931e8debc12b3d561c83ba2":"b9abf0796f2d2f774735546cf809030f65ed0c7f6bd469ef2fe0ef32aa0225b57fbce07c36017bbc1806a81ff1a429278160a07643f864485b4e0e35d57553dc1a131e32aa10f1f91d663b10f0a418f472ed7b4bca54fd7ffdbb22c4d7764d94a7ffd04730614459431eb64335b9b65363de292c04275d40a7b968c0f5c486e9":"6c0b1fd7ab424a6883c36457d1b5521f":"516dc25f6452ae169ce293c5cee440de47353ca5ba770dca0f04175950e87a2d4c3f84fbc6eeacaac436853492929680066f959e74de4b736ab924d8367b90aaa6e9492561ad4b5aa78b6737d562e960edc3b983e2e01a186e9f22896f48d8dfcfb6a42cfe2c6006c687a27772820a1e8875bdf09e8104248ce4db883376bc04":32:"7d4393f0":"":"962509e494f10269b70ebad02b0cd799d1d41191a734863ef502aff3d3ba48dc2acf9da9a3fc3f40be4d210dc5e128bc00499aec57aa0a4669863165428687b88d46fad41e36af8ea6605586eaa5c0736d0d53b9d523e0cb5a0b285048e060a73cbf4b587d2cd787debdb2b4c8cda731a61a15b19fe8b561fbdd3a7373853ae1":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8531ddb03977383405baf2ee9ca7d64b":"d90c9e26509bdba9b1dea8d2b94f2b1881d22c2bd756ad23cd61944710a1c1f2807170ed47a6870ae654e44757fcb3822ef28b37946cafc07284f8a0c22ae3552954f0d87b8d8c825bd546935b494cacb4262d9e2a88f254f200ad31367d8b3715afbabea5f34214ffedb14d7c84806022aba2dc8f88a314ffbb24017d1a9b9f":"baf623867d6a25fd85d1f08e599c0566":"18f92cdd37dcd7f99b06838f3f68748aba367baabaebd0da9ee787d70e752fa07dea553a43b643b8d8f460175c0746675205e20a7a98acfcac864d7c4cf5ab4c41c031738c76882acda003c5af47b1c4df8894a827a317935d970d4afaee17715c9cfd1883e8c345f19d1f89e229b8edba6b4f53b86d8da1c0f159afb83b6b33":32:"2fc9de46":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"862dd5b362cfa556ca37e73cff7f4a0e":"":"81530a243655a60d22d9ab40d2520447":"":128:"3b9b2af54e610ed0b3dda96961dd8783":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3452b7bc100c334292e08343f139b9d0":"":"8f92739a30fe4ba24079f5d42753d6ac":"":128:"0eeca69f8b95e1a902cc3ab1aaa8e2af":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"31a0cbaf21b943f8badc939e94eac7eb":"":"d5bb2c4eaec47088230972ae34fcda9c":"":128:"580e728512c8e44fbb3fe2c498e05323":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e8fca537746e7cbff97f1dcd40a3392":"":"43e9f2bf186b2af8cc022e7c7412d641":"":120:"4465a3f9d9751789bcef5c7c58cbc5":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"35b5854ca83792ad691dbda1a66790fb":"":"cff61cf9b32ea30cf7e3692aa6e74bed":"":120:"726793199df533dd9055b0ac7c939d":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"07259267c1c6a015437a5d8cfa92f9e6":"":"18b9cf2ad7ace6ec1c8366b72878cf20":"":120:"4340f6263f0ba2d82c2eb79cb0cc7e":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa1df8955aa3ef191900b06e7c1b7d46":"":"6928c138c98a4350c318fbdccd3f44ba":"":112:"7c89d9e77515d271b6ed54c9c4e3":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c04200ce41ce77d772babb206315ec7d":"":"a885d58f0f38f9ff26d906fa1bfb12f4":"":112:"9ee0d025421f2bf18caf563953fb":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"650df049461be341c3099bd1613dcead":"":"8a4ff6327b49d297248ce2d5bd38afa8":"":112:"13f067ef0d7b448d56e70d282fed":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee61b5bf5060fcc637dc833926898508":"":"b2dcf21f9ffa4a883044d29f087f9b85":"":104:"9ab1d66666d4dea3cbb5982238":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"01cc56ca7e64db7fbef66236a5c49493":"":"8ea5b63004189792cc040ef18b37e550":"":104:"d685aeb54aa129a21bed17766e":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"134dd72ac8e28ab46720c2f42284a303":"":"c6368e4c0ba0ec90fa7488af9997a4c7":"":104:"4ad9cdf19ff7d7fd7e273efced":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"180c04b2bde6901edcda66085f73ecd9":"":"9193b206beade4cb036f01a9db187cb8":"":96:"530f5e9ed0879ccef3a7b360":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaac85742a55ffa07e98106d6d6b1004":"":"630cd8ab849253c4da95ac80324ecc28":"":96:"37911820c810e3700c3a9321":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ab663c4f8f2fdc7d5eabf6ef26169b4e":"":"86e6100669929e329a1d258cd3552dc9":"":96:"958d6141f7fb2b2dc7d851a6":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd756d49fd25380c4026ea03cafc2da":"":"6a6f7e39b0d730ea1670e13d16c12c28":"":64:"872ef05a28da5ea1":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bd8a834b288bdc7578b6c6ab36f5d068":"":"aa77de0af5fa4dd1ed2ada5cb94813a0":"":64:"c5c094e83755f2b6":"":"":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"020d280dbd06939bbb5e6edc6f6d39c6":"":"09aea6f0e57598452719d6f63b6fe5a0":"":64:"05d6c56ba601e85b":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e47f41a27a2722df293c1431badc0f90":"":"227c036fca03171a890806b9fa0c250d":"":32:"86c22189":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9d3e112114b94e26e93d3855d4be26bd":"":"99b98525160c4bb2029da5553ff82b59":"":32:"33bee715":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b4b7688588125349fbb66004a30d5d4":"":"b4ae363edb529d8b927c051cf21a2d9d":"":32:"6a920617":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4b6c5b8e21c32f36b0ae4ef3b75d5cd":"":"3d1036bf0000e6f1b77a799f2ef32dec":"1cf2b6cbe86a87b4b5bb3cc50024aeb27c48143658d47b41f2f20b87ed67bd6fc3b85a3a803f66d3576608f5d6ce6cad11e02fe12de5390722dccb8242e1dd140051bef51aa9716c860d45d45bca6effbb1a4797e6e7406a04db5d823766c0f011ebc28e9a8cd4446ec8a75ea8bdc1b2fdbb5cc364fa9877886e30404593df34":128:"a49725014c214ef7cc2d28b9b2b53da7":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":128:"c53d01e53ee4a6ea106ea4a66538265e":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c88b191ce6e8e4a3941f7960b7eae5":"":"e2a899961c332c815685c553351fa519":"308bf10570af48d632911f3641dea60d78046211c01a63bb8e4e5cbddfff8841d2f2b11e18ccb2170805ef4cacf7804d64e0feef40731a1704907f33b77788c18ccf35b224ec3046a67664ac9a3481d2385b6ddeec6da4f32423f94ea9663a5c51cc388cef33744a8159b4fb654dfdb5092718bf926c824be31197f07f276b5f":128:"92604d37407aff33f8b677326cbb94fc":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c818dfa0885a09f65ef78712f5ce6609":"":"ca279284723530fdd68ae880e0ce775c":"2a562abdbb483ca5f355f9cc1c5e607bdd624a078a76b717ce0f8f35d0d4c54b629f372f15d20c848d01420c6af5a7040d42063704a17b46259dcc53723caf2d4bf556143ff9117c752fa4f22c9c155c99b7bf5949d089cdafd562165b9cbf53ff51cec21f49128c8a599718bbcdb4a5d705d20509c44c8945e2a133164b9942":120:"20e9a3a98d71d460743e1efaab13c6":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2354c6b6afaa883e7ce91faca4981f8b":"":"604f2730c756c8c39a0527093bc2feb5":"959b4b0b9ce2e9120b327d2d090117553999ee10bdd384a546fc6de0957ef4b447daf07b3d07ef7dbc811f36b0fc09a175d26e4d1263cb5e21eda5ecab85d763807bb20b3cb6ac3f31d548dff00aae058d434ebcf6f7e3a37f11324134f453dd0ea7f51094863486426ff1706129a5a93c53d8c5ccb56cafa5881981fe233cb0":120:"3588c9aa769897dfa328549fbbd10a":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0af48e6aebbb6ff5b7c92bd140b085f":"":"d210d6502a5221ac1274a9c7f5a81725":"d725311ca10eb4b4aa24e6dd19c5e72dc34fc1ff53feb25d924a9b7d8d72205790ca4b1275bd93ad60c27a5587a45659bca07c111e9748fb683a03465153ffd735b7d134b479674ab8596f0596496fe2090f623fd1e4dd730c5283d8b172db8a25df42d9b34f388ed32676a56b8ba03347e47379702654508ccd0a21ff03516e":120:"e6222f068a1e18f09ba6c771eabd86":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a05fe482fe164b2eca7f6c3e377b39d8":"":"145327bcc10335fccb93afbf4b17e6e7":"ea6f2e93b5e1bf127d40440b8d6397405246b1b48eebe16964f18928f6b4b8ee2c36322d7126905c1a5b816996e340404b586edc2d77afac11a6c1266511f9eff1a320b035442d4078f8e42ca63cf26d12a971a7adf4645d1bd9a8e4d0a20722f7c2d529beaecc4033f7738075e1cdc6d8a929da5582540678935b82e7b7ba68":112:"3900bde9fa9ae2cbeee54d04f224":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dacbadf819eb16a63f6f091d13ed04d4":"":"b9ebce724b0dcb0989ac2d8e7ff8aaec":"7dc6e2189d8a96f3507e352e05e8fd1b4bab988c2f1c706115887119f63b78084f015d85f6b460901a02880103e4d36e8f6527dfd74e4a3acd3f578c0cc726b528875f701ff8b66e5c11b4689c346a098e123bebfa253362cb86829be73c2b85a6881fa976aa730fabb76775027feec7fd920a6c8965a4a509ea812d7c413a95":112:"8988fca83c8cfb1f8feefac46f04":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"969244c7444f3f3bf193b28f8e8e96dc":"":"49b2845a1a1c87fa66eb8f78c05ac029":"1414a07e86d8b61d1eff43e1ff4ab42c1c95e159058b74c731e3007d21a5eb78bc17b7e920363a3974aeb8608813dc9a4655199b6703ed337450702d8ab16a89776831b2c7c811fec3acc23598a0aa01680a7bf42a4e258145beb08c9f0eacf2bb5f56d26bea3ad11e1a956a630b80f3d22bf35592b4704f7c464b08b06dd7f8":112:"a291c7527385f037f62e60fd8a96":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"525abe490c8434802b69439c590a5290":"":"141f79f0501316e66451c41c7af0f0cd":"be440db66d3f81be467605a7b2805ec1df5e71e1b1b04bd7a4d05e912f5aa1912ba08de72df18613b32b7edf78963c48c80c25178b3b19262b85bb829f5377e0b368b500d6d3b442f54172d4ca4500eb5b4d478b602e5dc11d090539455087ce1e5b9ea74355fc06e9b60cbf25a9804d3f8c623fff130abc48bc2d8d116b8366":104:"038c7e95f790e6ca5ce73f9551":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51644e025659de983f5c8156516b812e":"":"614837c743d0974e9cca497f13038c02":"60c5d062ade2c5c2dec68b734dd3e58ec474a586d1c4797fdfa2337800510134cb27a10d501927632af3c1febc275010c0d2e5abee630cd2bc792963fa82a42286ab047b934a261927311b40f5f953bfd661427921147cac7613d95ee86e16326ef67c1ed097e8fb87a78753d785de34e03a182232786079cb6be00182e41c9e":104:"77e3deba2c7f9386f85bc4a801":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08566ca7310302dfb84d76ea0525ba20":"":"5f20ec9c35c08aa7f1c0e8a20fdbd2b3":"5d84e32768b8d1e7e3c426b3118d48e35491bf1bb454b359c8429220216efd8826be94fe1919409a128ccd8125a594f1691c9421fc3dbbb3f757bf2355bb0d074ceec165eb70e26eb53fa2cb5d84dfae06babb557805ef7b8c61c1bc76137571bcc5e84bf5987dc49013831d78bd497ccc49cde7dca2cb75e7ab967da8c6ce81":104:"873f037fc05252a44dc76f8155":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfb54db96383fa911bf5b4fa1218ef9a":"":"7e849e24983f63f1194b396bbd2d55e0":"d3fb689c5818810dd104693f3306a10b27178444af26798a194f7c2ab31ff3a172904b951942b1a26c8ae5b5b1ee2d86dc78bb72a335fde350766d7d9aef6f549871dd46b04b2cc319fcdd47be437d431ad18cab82d51ca9fa57f4108a8de622a92f87d28c0349fab27757fd773413f559a8c00d30e258c1f6cd96f9759bd957":96:"dada7fc7fed58db462854ef6":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"389cf888474e9403e5f4d0e22ffec439":"":"ef57794cf6fac9f9cea3e8499b53b1d6":"7ea7f7f4763ad208eb6199285b6b2819756c4e3caf2d0ac6f5076ae6785fecdcc4b138a51860ff8b87aaac3a18c2df778a4818308d458dba28f5017513e1454f60be20dae68736ea6d48b1f9deadb517df63140acbd329fbfbc9b82f3ca1862c9e998f0faff1d3ae60b005bf66829f5cf0c5fa03efbdd92d39351e3954be0257":96:"92726d90ad26130e65f2beb4":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e55abb2ca36c822bf2a030ac703cb8b4":"":"d86f7177e8ec90f9e9edf10175d5012d":"777a9d93091de56324c10712243f5541722e0b27e1f303fef6faa387a8666161ab354dbea6c43c82a24e8623bfec39aab13164add6be0dfd55d23204c0975b4ba6fbda51363befde482a9ccc1eb9f151e6ad59c77a1e24dd268389e4686f198a936dd603044a3fb653d63cff80597f5a2913c8a2ec1b7d9dce5728dd56c78c2c":96:"65025250343ed8c09b3fceed":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"586114f3b1dc087e1b2739b28c592dfe":"":"ae5a38ddd455505284434a4bcfe81ef2":"531ff8c285e532d961f49bd210a5523cd9b19a697a3a3fb26db940a496f253862405b1e825daeda7eb0445c98022b8342c8f8ea20301618483f8ab04b6ebccd7e7fc57878fb544a5bf78fa896f50ac30126ff8afca8a86388666b64c643d16812729bfd7e5c03ba52f7e6ea4c6a685404f7bcbd956964417fa0ea9a6d7290c41":64:"467a815610faeb82":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbfe806bddb7f06b3826b097550c68f5":"":"04c1b6c9fd2ab76fc2adfe15d3421bbb":"cfa86d02599652cb4ffff027b9c6ef2336dc9fe946f64fa5ce83f624e144563d4738381bc5371c3cb55cf41ceda07e62cb635ff37246bfa428785229c6e869d5df69d7949a8577889a29e3d05b788ddd43608d9c14e3f1b51ce2085b9a976fe843e3396a74922babe6797d5f01c37ead623b5b582505bcd29edf8a6ea36b0fc7":64:"0697ac372a9acafd":"":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"96ce3a095a91effdd91d616f1f02ddcd":"":"579d6633ec6687afa24ef874899b58e0":"3ff3c0038148ed391b6a10aad623a82fe9209c5ba74482f11506d597b5fc7af977235d8ee9e28cf2160346ddd0e33a5bd1fb67b87dad7167fdd4b2b4000d8460ef7b3e1b59b9d61d06cfbe7945379ed6b650de86f396a38cc70d47b8a349f067d00144c903c276b323be6a929a7d7dd8ae7d254d640cdc1176f98e01a1d8c82f":64:"55a0f61032e048f3":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24ece168c2971cf2b404ea206dc9e29d":"":"e9db62a42491664a6c46cbb0b2bafc92":"3579f6c0cb3d2a5d0c4548855c7c052d36b6a8dfc60f4ca1b4bbe28ed87306119e71982dd84c4205ceba918d675472753df1b5192d3693dbf6a061c6056e312135ffc5ff426895a7e30f7f675d2cb21de06eea5e3761b94deef7537b985d324864c9ff6ab6e230a1006720f98c958912b604a6d03e3979887c07be3ceaafc78f":32:"d2b15a23":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d3c3cf993f6740a019e61ce13c29955c":"":"af900ac348082ff32d2e0ab886079516":"2ddd0e8c99661f0757f04aa79a1ffa24ad48fbe5da68b9e71f7a0cf1b4f2ca9b757695900b7549d48847ae49950dc9b270b1569d29dcbef412216737bd83509c17ae41c34ccda318939cb37a0a380762993a7568c0b07794e78746173dd5c0d921cd50de4b548c1589e142c3dadbad42161aaeda2310f3c6d5c722d9ac69e96d":32:"f2d3a6ff":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f1e5bd45ee8bb207ebbd730510ff218":"":"8846424a194f5de858556e6be5b65d7f":"e968947fc0e49136e730b97f6b16e393d5e4fdf3e4803a23af79211ef59f29167c60ead72fd489da32d2ffa43b2bca2074f9d1b4f5396ca65004b0806cb7c6dfa751fb6afbee3e443f3c9b0e3df6722e0d1320441400c5ca508afb657c2b7f1669b0de21761dccab9a40fc513768bd1f552692626ce35078a2e0e12f5d930647":32:"0d6c15da":"":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3997050377cfbb802cc438d973661688":"b02f0dd373e42c65e8e1db2dd76a432e0b2bf6e630c8aaf0d48af51b3709b175de9a19b3245ae75818274c771c06fae225c4f8b002236712336e805ab006449eb29cc5e29abd82b06c32d4c36ee99acb9a6d7d9eae6ec6ec263c002a22c4a898c74f6abd6d92112367ca7ffe82787c5b39e7012ba22825d3612af3d41e8008a8":"c95c84c263bdfd5f1de66e7e616cf3fb":"":128:"b35b3cf6ed59ccb69dbc9b47a3f284ae":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"cee448b48d3506ff3ecc227a87987846":"":128:"361fc2896d7ee986ecef7cbe665bc60c":"":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc2bde877e881aea512068105694968":"1a6369a45e8ef2846c42d54f92d0d140a94f9633432782dcbf094f1444a1d006acd07ef6076cd0faee226f9ff14adc1fb23e3c63ed818c9a743efbe16624981663e5a64f03f411dcd326e0c259bcadca3b3dd7660ed985c1b77f13a3b232a5934f8b54e46f8368c6e6eb75f933196fa973e7413e4b1442b9dee5e265b44255ed":"05f0c34ab2e8e8026b0a23719344b71f":"":128:"46bab9fc2dbe87b8f6ca0ed4d73e5368":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e14f45ba5d1eb52e0412240da5d7b5f9":"9a85fda19ce923f093a0c25b0c52f5d9534828af7c7687d22307004ae2d10c4592242c0f2704070307ab55b137780d1e2013a19396ab43ff6a295b63fdcf323456d149758f9a2bb37f1418d62ea6368b24d5067b9c63d2968e06d6586c7e3275faffa005f7c7bfef51303e4c2b2ed4564acd17d50efac9f5e3e7f16ce589c39b":"d7f8ef12f66f8b7c60aea02ef6ff688f":"":120:"beede05e4928c808bc660f3de95634":"":"4ad5b9ace0c0c7c07df2900faf37a902899471e7aa4a0a1ad5387f8f56d73f78f619be79a4e253f95b15d52895a05bae9ecffa916d35efacd8baf1c704d2aa4a38c234efc4dcfb191ec0fa0b522328fa5b5dff55e8c443fee660ebe3d8ad85de157a889aefc823720030a4cd6ba94a6309dd61806f0abb27772432018bc61701":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a64579f3601b0022d357b601cd876ab":"88be1f4bc8c81b8a9d7abc073cb2751e209ab6b912c15dc094002f95a57a660b9f08b1b34f5947223205b579e704d70a9ecb54520ce3491e52965be643f729516f5cb018beeedc68a7d66c0d40a3f392ec7729c566ce1e9f964c4c0bd61b291ccb96e3d1fac18a401a302f3775697c71edb8ff5a8275a815eba9dd3b912e3759":"515efc6d036f95db7df56b1bbec0aff2":"":120:"13ea92ba35fced366d1e47c97ca5c9":"":"7fc8565760c168d640f24896c69758355b17310dbc359f38b73fc7b57fe3f4b6ecad3f298be931c96a639df3c5744f7e932b32d222f5534efb8eb5d5b98d218dce3efef5c8c7ce65738bf63412d0a8ed209071218a6fa2f7be79b38d0b2f5b571ec73f1a91721bd409b1722b313683e97d53df19ded95fd471124fa5f294a4bb":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bda4acfd10ab635f357935bb0ab7020":"c9ac8d4ef7d83848fdc03664957c28b9b76710797d5db1c21e713e85eb0898892223e52be1644fc7362c95026ebb9c9ca74d7d3739eff10cab1eda00c36628dae0b98d119a14635800e37cd340faa6fbba9c3d41d52722cc3969612b1a8c5ca9a68773f5ee654506cb88ea65fb1eddf5ab6312d0170dc03324e483342448b854":"48b77c587616ffaa449533a91230b449":"":120:"8325e4394c91719691145e68e56439":"":"1287ad3719508a9be70c19e3b134a2eaa4415d736c55922e9abcfd7f621ea07ffb9b78d8a9668c74bbd548b5e6519ea12609d2d6197c8bd3da9c13c46628f218e7ff81884ff7eb34664ab00f86e09cd623bec248d8898ef054fce8f718a0e0978e8b5d037709c524114ec37809ac3fd1604e223e08f594e7aa12097f7dc1850b":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d21cf24bc5bd176b4b0fd4c8477bb70d":"2e7108fd25c88b799263791940594ec80b26ccd53455c837b2e6cf4e27fcf9707af3f0fe311355e1b03ac3b5ee0af09fb6fb9f0311f8545d40a658119e6a87ba8ba72cc5fdb1386bc455c8fec51a7c0fec957bed4d6441180741197962d51b17c393b57553e53602f2a343a0871ea2dc4b1506663b2768ce271b89c4ed99eec6":"208cb9dced20b18edddb91596e902124":"":112:"7edfb9daf8ca2babcc02537463e9":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d02e2b02170986944487cba8448f998":"bc1d7553f4a28754cf59ed6f7a901901f04ce62a449db2b45ad60329d0341bb9ba421c783c28a9200b41da8ab6328d826293134a7d0c9a5775dd2735e7767efda4ad183566e0847d6d978abd1a8ab13b16b8323acef05ced3b571631e1e24ad44d65e6ffa64e03c9970e94bacb9f721aba06cda6a08806a3be63dddd8029301d":"6336077bb83eff1c9ea715de99b372cd":"":112:"0466bb2957281f64b59eafed3509":"":"5f395958f2f7acafb1bca6d3a6ec48b717f2ceeac1b77e1b0edc09a09e4a299d2ec722cc7daf34c8f4121a93c80b2adb20a2fc95afd09320f91085c93c8b082dd703814c9777501d23bf9b328f07f04652592dc5a3f4321626a695b8db8e65c8617c809eb2978d8c9a882ffa82a4bb707c1a8f9a965bdacce5c041bafc94a1c6":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd1ad1de0521d41645d13c97a18f4a20":"588c2617517329f3e1e7ba6206a183dc9232e6a4fa8c8b89532d46235af1e542acaa7eae4d034f139b00449076ba2ef9a692cae422998878dabdac60993dce9880d280bec1419803ba937366e5285c4a7f31a5f232f8d3ef73efe7267b3ef82a02f97d320ebc9db6219fbdf1c7f611e8e5164e9ecf25b32f9c07dfa12aa705af":"413873a0b063ad039da5513896233286":"":112:"d4dbe9cae116553b0cbe1984d176":"":"bd519b7e6921e6026784cd7b836c89bc1fa98e4013b41d2bf091ef0d602e44a70df89816c068d37f0c6377af46c8bfa73ec0d5bc0b61966f23e55a15a83cea49f37cc02213b4996f9353ee2b73a798b626e524b9c15937ecf98a4eded83fb62e6deea1de31e0a7f1d210f6d964bc3e69b269da834720fd33487874489b8932a8":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cb120e9cd718b5119b4a58af0644eff":"4c8e8fb8c87ff6b994ae71bfbf0fa4529f03bad86edf9d27cf899ea93a32972640697e00546136c1dbc7e63662200951b6479c58ae26b1bd8c3b4f507c0d945d615183196868ec4f4865d1d00bb919a00184e9663f6cb9a7a0ddfc73ee2901f7a56ef2074d554f48cef254be558fca35651be405f91c39e0367762b4715d05fa":"5a7087989bfe2f6eddcb56fde4d72529":"":104:"95d8bd12af8a5ab677309df0fb":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"315b206778c28ed0bfdd6e66088a5c39":"6186f57a85b65f54efbf9974a193012b1396fc0ca887227e1865f1c915ac2af9bbd55969f7de57ce9fb87604cf11c7bc822b542f745be8a101877a810ed72bf4544d0acb91f0f9d3c30b6a18c48b82557433d0db930e03bcecc6fb53530bfd99ee89f9e154aa1a3e2a2c2a7a9e08c9aed1deab7fae8ea5a31158b50bca2f5e79":"7ec6f47ec56dda5b52bbdaa6ad2eb6da":"":104:"930750c53effc7b84aa10b2276":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e886de1c907c97e7db8ec80a79df90f8":"c64cc9596d7c738746ab800f688eec190a4c802c55b2528931d74d294496892b81f53d3073d48f9bef1d58ce3be26547474cdda2868abeab71aff566fff613b4e5bfed1be1d2fff35d8ffa33302d3da1c82e421aa3a23848f31e26d90c0cb2ac2ae136ada73404ed3e0e1d3e7cb355a11cd2a4f9393b4d5eac988104fe1cf959":"612cacbf33266353d0a29a24532f3c0c":"":104:"76634e58d8f3a48f15875ac1d6":"":"7001d7395efb432e2804cc65c0ba5d4719ce84177ce46292c4fd62a5596bd2bab1d5c44217ac43235bd94489c43d01618a11f047d2e247062c3b88d6e59adaa1f46514fb33b7843483920bee60a41f3cb312322c305d25251b4704fb66da58637c95a9d539731434f60ef44fe3cd6d37e2c8e7089880a563938dcc98b43f08fd":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b936e09a6477f3bd52030a29df5001d":"65cf11d1afad19b34f282f98f140315992392f5d4eed4265085b29e1e5553f4783fec681ba2d368486ba6a54c00e71c82c08ca3d097904f021ce4b0acba2d2a7005e28e5f8750ea3d18a4f78363c37583e85104234498942c639a0564b0d80055c21cb7735dd44348298291ab602f345b1d74d624750c0177fbd5cca6f99223b":"f93105be83fa5e315d73acfdcf578de7":"":96:"91b55bb5e3f3f1abcf335db5":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc9e2095de7b1b48481b56bf6a3604cd":"ed61ff94a3f84c72147faefa615e2df00324fb01790cf9764c72c1b8ba47f17866a1fd64ee5c2f53865d1bc24ec93165a6774466a59603199ee476c1f2da7d932c8943d126aa172d532d8475a484d42bb45fcf92766feafd7f3e2e3d42d22f6f84a90e7e688232f799d80cd2cc152ddd21ecfb137701ecafcb2b65abe2e4e6f4":"9e5268db19a1b51c0496a160ca76f8f7":"":96:"0fa9588536fca71bb44260f7":"":"ef562e301fcf923ff1a1acd3aff9b1c963058228655fe8a66cab01396547dbd2aa1f79a22eefc62944b86d1a31ebe2d17130175b8c003d6755b0eb8b79895b0f7f8046c5ae888a067ba17bc8e11a8f6e5023a9cd42f6461966c28e505b371c0f72a2606bff430a58016e99713d25ce11f10391fb4a922e27989422c6a64f9107":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3f93901fd7cc88db3ba76a158d658c7b":"16402fded879fcbfe9405902aa63ca2a520889e0045f687455469b7bb867829a01208b8dc5dcc852d8ee478993c30e6d9ec6408773b367821310a0ae171d38d71e06981ff6e845acffbc794142b87c748e12484c0636419d79be3d798cde59e9dae0a4a4a4346596427e6b235ad52e6a1b02d6f4df0c7de35fc390cae36aef14":"7e98de461e6d96c0ce6c8d8b3854cf49":"":96:"86c9a70e4bab304ae46e6542":"":"1b4c09569b42c469b3ab6b39312c214502ec09f5fe2fed1d1933d13cdc6a7b77a5d135123fa69d9207d6844b0357b26b7a2f53b33a5cd218dacda87b78b09cf259e48e74076812c432e2d0833fb269721f9347c96e158500f9b2283342a35c8de0a022edce711118d72d8fbaa354bfb0ffee465844ef2d37e24ec2cea8556648":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"42289f3d3cd5838e250ef54b128e60d1":"3edae1d554b67d2036f5fdbdb2945cc112f100adc1b47009c2e23f6a2eaee78d1f39ce8a98f715853cc29fc793fb6981ec3036834188dea7d668185ccc8642071b15de1332f6a59c8a9b4399733eb4b3d8f224af57ba6b4a8e64494bb6630b9d28e7ec3349064350febcef6a3ad1d6cca1b1da74f3d2921c2b28a2dd399c3416":"e557389a216ad724aafdab0180e1892e":"":64:"6f78bc809f31393e":"":"25c476659cc7b343a69088baf868a811ba37daca85c4093105bf98235a90aeca015ab034da008af0982f9b2e80df804c186a9b2e97f74cffd70ebb7771d874fcaf12f6d01c44a8b0ec2898cf4493cf09a16a88a65cd77909bbf0430c9603869bd5f20d56cb51d8a3f0a032fc30d925c96599d296b1ec41c2912bda426adea4fb":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d772eabb7f19475665ca2a7e693bcfc":"e9fc4d86f5b857fa6057b73f967351e06f87288c40a95b9e378c84f1a4c0f4b80ed0a0b44ff90a8973be4199c0c4006fc4f5ea19d5f1fe8b9c8c01f4675ab85afab0592bb3daba36bb4fc7ed9eea867e9d8cc50c19fb62a5a57956e9efacebac5e9f849649d35a329bd68de97bb6e5ff7bef477a86765c2c9ec15e24cbba5c6e":"0747cbb486a013453fde1ca6abb11dbe":"":64:"8e761ffaea68f967":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fb7fd753ee6eaaf283a42a121dab4e43":"fd5cecb2c0287cb8229e97d9cc4b9885f428710528884ce663ed1728cd44cb2df93e56ef17ace0678d1e341366c652f4ba7ee45797d39be4a05c1151e5cde499e13e5d45549b5d95a174d03616d06ef96e9d7b2b6bb0d79a726b253dd64223a5f09611671b234ccf9b383952f8888814b2c167e774cfbf54e9c6b99a753f4fa9":"8164929fb54485377ecccc9b9621af5e":"":64:"40a2fa7f4370afb2":"":"6208d068be60f7b04b80fc611062e6caaef9a5cf59f850d174b7446c78c039ea9aefe4885e19c2b33911d32ce1fe3c48ddffa4b03e450fd35da03f40c4e7c5bb3b1c3f3049dbfad3ac81ca1b79cafbaa172f4900e3829d38edea3b64000f93924a801259bc4b2523445c64bc23bfee190b952468507fa4baf6dc2bec66fcf0d8":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30d757fd73a0fd5fa49159ad0653296d":"17d485b258f80d8924e35291118cfdcffd86c47851b65f0b06a7c1f5202de82f3f460fc61b1aa38fdba7c8ded375c92cf005afe63e59d362c0960044af39241b81ca24e85c5faa43903229355b7313fee21b992ef3931d9d2407b32b3cf72dd7acbc7948395eb513cb2fd428b215ba2bd1e29c62f45d0ce231884f62480c6d8f":"b35b8df0aebd0608517f2830e0e70cd0":"":32:"954c0e99":"":"022618d2598f79104e918a09c937a82b3db59243b5e13de731fcb912e4366105797ce47f6dce7f08073f2f41e5c15fd6b1ec4b5861469a4880c3b0bd769b78c696ff29c28c9349d5a46a6e5ad9211bd4b708a8c0b6928ebbb0dac1c0a5f5ce6b05de6a50073128566a23f09cc1b826aa5803f9f750aa4debf59f24ae9f98c9b5":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9d3cfd5900de5d5e2109e7721cfeef6":"e4243cc37cc32dfcedf9bb76890e706af6ab1e06b290b8ccfe2a55e5dabe68cb390f7636dc9676b431d4dc8ad3f6d989e510194294ab7ab0556789046743cf374d8b6462f5f95a17f3f44337d6c69ee47b0e1ad7e5ce6f9b224c54099a104e70d2d06af869b921ea47febe08f90c591ed49c1f12003afceabd2c7bba458a0111":"b4b9dfb013de6f7c44779e5a9daaf5e5":"":32:"2b81e8ce":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"68dc138f19354d73eaa1cf0e79231d74":"ce345567a76bc30d8b4fd2239788221cfa75e1a310aeeeb8c355f8eea57d80967f3047fbd4e6173fac5caeb22151fa607065953c4c35e0537b9e3788cc80de9eedf2a340698bde99a6a1bdc81265319da3e52f7a53883b7f21749237fcfd3cd4f149bb2be7a4ddd9ef0544cfe0789040d1dc951b6447304942f03ab0beae8866":"e7147749560f491420a2d893c075bb76":"":32:"70a83f6f":"":"64b021612c78b3e192e8349d48b77d02927e7fd70c7160d37cb8ef472f6bcd9df9d93431627c1c80875e208724ae05f94fdd2e005e9707b78a1bf3bbca7beec4b03ddd4d9de6235ffd6d84a8b9a1842e104c1e22df4566f6c4d3d4e3d96a56b9b8a5cdce9da70aa236109b289266036f285564060b204dfd7ac915eea0dd0b1e":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7362c86344e0aefb0cf0d04768f9c05d":"8baffc7836004deb87c0111d47c182512bf861874021ddfcd559acf2c4a51cf5bc4bfdee2d039b9c005b6af95a2607643dcf4d9cd9d62412f709334556db22fc91d7b40438505d6806ccb2f2c21ae731bc1f1c825d28a71ab27095a39985e96ccd07cfb2e75243ccafd474494a2338c324ef533ca5f17d2ac1b1883140342ced":"7e8d12c2f0dcf4f792247134234ac94b":"86d2b5debc3b10495da353d6821f6cad380776d805bd8660b08dcdb1acd87026e4f344b547a4db47b5f44cded314bec4ce9a417ce40a2acd5a21460c42dfcd27483abf3f38dd8cc5fa523b6768a26513df5896435baa97781cff1966e2e3d6ec6d0a9cdc013de5a50e4d46831667055bad04f784024a82f9cd087ae4cd37dd64":128:"9594da428fd8c1b13ecb23afa2c1af2e":"":"e2c424f42aedd56f0e17a39d43ad19c8e2731efc7a25f077aef51d55280b10e667e338bd981b82a975ef62bf53bc52496b6995d33c90c7ae14767c126826e3f32bd23f444ddcfd7a0dd323b0ae2c22defad04ce63892b45c176bd0b86f5fa057a3dc371359744cb80bbfb4a195755136a0ea90b4044a45bc1b069f3cb3695c04":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"58748bb204ccb7bdafdbf739b6c19a3e":"b72902c9ebb72a86be539b19a52fd9af00aa4de081d90c0d8ad580ebb5900177a036f40a1e9b43e3a07d715466526d6d7544e5a5551805b62463f956cd519fc99182c2d54bd62fc7ffc6e5ebf1503859b706da11a1b6c707a67a70789dbfc10ef726bd360f9f2347326e068e757c8443ddc9308a171e682359ae1bfe87194ab5":"93ac298c73c88e127a4d9dd81bf24e3d":"8f168fc4d1da13bdbefae3f9d6ac1d8cb19fcec1f43f727951af0a466d8826649a46c3cb50c045ea83849fce0eedbc042a1a435e6d9d59017997a2d5459b940078b8a7f3b6b0ff279ff8c560248296a17240ff1b0643d1f436b6e3f2079363fc49fb45f410debbdde083b92057916368cb807d603cb82e2c0dc01658bff7f1ab":128:"efba4589d4a03555766bbc3b421dd60f":"":"d5c97a659f016904ff76286f810e8e92da6f8db2c63d8a42e617760780637e32105503440cdf04d1fe67813312f1479fda8d746c8b0b080591eba83850382f600e9d8680516c6579669f0b3d0a30323510f9de1c92512790b8347751994d022156cae64da0808a649d163a0e99e869fdf224b7c1a6a8fbc613d5917eca8ee08c":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6cc13cbd62428bb8658dd3954fe9181f":"2c9ec982d1cfb644ddbc53c0759b10493206d5186affc6882fbb2ba3aa430f9bae1209db2d78dcc125f3c909a54dd84fdff96c71e678216a58390ef4308bdd90f94f7109c4edefa76a74fda64b201b7a435bbabc27298f3eaa4c2d1393bd584f811fff52638f6ad2f6d86a8c3c9c030d9d4264c8c079592a36178d25991cff09":"86740da7ce4efbed70af55e1d6c10fdf":"be561ac15e3cfda624b422af97c26719c140bb50e4a993d636efe9c7f1963fb9047a0762169b571a698ff310bc417e34d4039b7562a95af710ccc1b197964a376c986fd2ed8ac4b0c7b4e843c37a41366f2f483c821a1823f317416c7e4f32eed9b9dc2ae1a2f3ed32c4b3187358a2329aa42191b7c2fe87b6e27ff20303cb29":128:"76b990a1e010e5f088f6ae90bec40b32":"":"0b9a5f5d2e6852b75b9cf26c1b310b2200e56dafcf3c941478862cdf9737ac8e2cb9b38d41bd4a1872ea1b4cfd51a1a0b9b743aca439eefa10de8459a0a7a221c5429b3dee393f17031ca6c399df8e05657c3db55be9c9dd29e690042a4ed8db732efce7c58d6b20a2a0f7c79e42e5ada43b87ab00f481c20cac1b35514dcdc9":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"286d3f5080cfe88538571188fbeb2dd5":"55135928997711360622eda1820c815aa22115204b1e9bb567e231ac6ea2594b4d652627b6816bdc6c40a4411fd6b12fab9a1f169d81c476dbf77151bff13f98ca0d1dc0a68ea681652be089fadbc66c604284eebfc8ce4cf10f4ca6bda0e0f6634023db6e3f0f1de626c3249a28a642ecc9ec5ff401e941fa8a3c691566c0ae":"da6140bd4dc6456ddab19069e86efb35":"5d350a04562a605e9082ebd8faec6c27e561425849e7f0f05f5049859c2c1bd2c4682ebf9773fab6177d2601fd5a086cefc3adef5a2f8f6b5dc9e649e98dd0a3d1a2524419f01305bd0fcfff52d84a20d1b14dea2138dcc54eea2bf263c6fe27c3e7255f1f359d0d00fb1b350d7a04965af30027632520197e85eb41de6bb286":120:"d90d34094d740214dd3de685010ce3":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"726ae113a096769b657f973ea6d2d5dd":"90636012ba8c51d16f8f6df3d3bcabc3f09aeffbe2a762f62e677913188045b861b2e7d9a7bd93dcee46e9e4832e497a6f79db52b4e45c8dab20fa568ff9c4ace55be3216f514a3284768a25d86b1c7da5377622f3e90ed4c7bd4571715af4d0a2ab5181d0475f699202e4406bb9cfdbd4fa7f22d0dd744d36b3223134658496":"2f9900226c97585d200dd20a279c154a":"761663c3fcbf1db12bc25546b2425b8229b3153e75f79fa63958819caee3febff74603d99264b5a82ef5980439bef89301ae3206a1d01a3bbd7a6c99d27d1e934cc725daeb483f826c2c9d788fd1f67a627864cf8b5f94df777bb59ef90cb6781a2000e6f0baa4f1ea4754b47bb7cbd2699f83634e4d8ab16b325b2c49f13499":120:"d095bfb8990d4fd64752ee24f3de1e":"":"9f7759c6d24fd9aa0df02a7c0cc5f17e61622c63195f85dfafa5d820d3ad218c7288ec017821100f1fade10f9bb447a4a01e3698b045548c7619a08f2304e2818a9bf55e70b40f8b994b7dcf0cb243848cf3f6fdfec3ebbb147d01df84a3ec62cd8fa5d78ad9f2f28cd288a35eb49a5172339e9872e8e7e3350b0d69f59acd07":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73a9eeda721c6f292e6b399e2647f8a6":"215fc7e52abe4c751ca2f7f9a5cbde9ab8b44b8d4054bb62dcea6df5b936145ca6ec83a2b78b070638fd6e5ea3bad5d0caf1b8f755f391c3e0962a92337e3eba575585eb83680075fc818860388c587746af78d5fc75ccd0a63f1612abb1ba0f04a2228ca27fbddba4878f9b2683683f516b6d6fe4f6622e603bd3c5ad45e332":"c1e80eb723960049cc4448b66433f1cf":"fb2a0b1f817404e74aee0a6ec8f2cd86f0c9114ed367b2690c44ad80f9d3377d7fd5066beaf1daa739d27ed3fba98379188016b1fe901204a174f9ffca370c181aece5e5d40939a0d460913b40b895e78a3b80ddf3d613c05e4e27bfd161ea2ef42271a2679f2cdca5b728ffb2319781c946a4f3ecacf486b754b30bb04ea60b":120:"e08161262234d0d5be22f09e5646bf":"":"b5e286183f16dd9403bec6786bd4836cc6add47947ef111fb1d5503c18c333c8fe60959502f58390d0e0f69fbe5fee13c72aed65fe6e32f6ea45877fe44f8a556aa5157b112e572197c1c350b7943c6cf2e9146018599524d27599f09c86027f2c5927e4a20c63833870e8369baa36ecc07cdb3ced520b5ae46869ff357ca089":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90dbda7397d8fc46215a1218a6ffd0d8":"4f82a1eca6c9184240f50f7e0cfec07ec772cad5276d93043c462d8364addd9a652eed385ccc6b0faa6ca679ab3a4c3d0be6a759425fd38316ee6a1b1b0c52c1bb3b57a9bd7c8a3be95c82f37800c2e3b42dde031851937398811f8f8dc2a15bfd2d6be99a572d56f536e62bc5b041d3944da666081cd755ec347f464214bf33":"7be477d14df5dc15877ae537b62e1a56":"7358ddf1310a58871a2f76705f1cf64223c015c4d1574104d2e38783bb866205042f05c86e76c47a2516ce284911f1d2cbee079982dd77167e328b8324eec47c9244cc5668cf908c679bb586d4dd32c6c99ed99a6b571cf18b00689463e7a88cea6ea32d288301a10a9139ed6092ffe298e25b8cfb6b4be8217f16076dcd0a90":112:"776d871944159c51b2f5ec1980a6":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c85174d428fc1c7c89ca5d1b8aaba25":"3735cbfb8000260021d1938d2a18e7737f378ecddb11a46ce387bf04e20bbfcc902457637fd152ab87017185601f32a7f906057123b6c2da31a1069c93e3cacc59a359aebd3e31b302e1a1f7d5d8f1b2917a8fe79181fa633b925ce03a1198dac48f4c959076b55bc6b3d50188af2c6aa33d83698aa8db22649f39825ba54775":"b3c9dfa4c55388a128fbf62aa5927361":"3f552d45b61cf05ae2aa92668e89f3338a15ec7c5b7113b6571cfcd9e4c4a962043ccd9323f828dd645e8a91b007ce2112b7f978ad22ee9821698a4f2559d987ae4421452ad2e8d180953297156426d4540aff2104d8637b56b034a3a1823cf962bffbc465fe6148097975a8821ca7487e6e6c7ff4ee4de899fe67345676bb1c":112:"1e7dec83830183d56f443a16471d":"":"3d98cabca4afb7c1f6b8eeed521f4666ae252ac12d17ebf4a710b9a22d839b69458387ba4bbec2f6400e0cff80fbe4682c24efcd3b8c594d9b515ca7842c9d5988c42b59b6526c29a99256451e2927f5b956ef262f97c733dfa8bff73644473b9a8562bdfca748f4733ddce94a60024dfbfcde62fb3cbd7c3d955012d5338b91":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d89f06eb07744d43d44734faf9751d07":"36cc3b2f563305208a03378f7dc036119f7de3fee77cefac06515853d36609a622382ed026c59783fbc0d9910767874c516e10c7bf3e3d104f73b3463c8d93a63418c76cb0d05e62e9c8642cb4f32caced2620912cb6c79e5110a27d5fba1ef3b4d0578077858526c5e4254365f2b2ab47a45df4af08980b3b7a9b66dff5b38c":"185f8d033713ee629e93561cf8d5acb8":"743bcb671d0aa1c547b5448d64d7c6b290777625ba28f25ca0fbf1fc66495a2fde0648a8db51039b0e7340d993aef8afb48269e660cb599837d1e46f72727762d887ee84c073d6136d1b0bc7d4c78f5673a4a6b73375937e8d54a47304845f38ca6b4f51cf14136a0826016535dc5ed003e38c3ac362b9d58ba8b555a05a1412":112:"fcad48076eb03ebe85c6d64f6357":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6150f14dc53f391e815acfabed9f9e20":"fd8f337017e1b60d6618e6e4ad37c1f230cdeb78891579c2c63d4e6a4f7d2cb7252e99de333c73db45958808c08e91359c885a7385ab6f9ed98a27927a5b83c3a456ce2e01869712675e527155ba1e339ac14a3ccd7a4b87360902f2b8381308fe5a4eac5c90d0b84da4bf5b907de6ff3139cffd23b49a78750006100183032a":"7e92dd558bd2662c3a539dfe21a352cf":"9b4624e9118e6aa5dc65b69856638f77fd3f9f562046f50ba92a64e988258637932af7979f000505b84a71ff5dd7b60bad62586b1a8837a61c15a1a1ba7f06668272c28169915d7f06297b6c2a96c8c44203a422bfd25500c82e11274ffe07706365bfd3da34af4c4dd8ad7b620de7284a5af729bea9c4ed2631bdcba2ebdb7d":104:"922a7b48ad5bf61e6d70751cfe":"":"f272a3ee9b981f97785cc6fad350e516d72d402dae0d8a531c064ec64598b2a5760f9b279c10aa1ff71bec07300ab0373187138e7a103fc4130105afa6b6346f3d368b40d6f542375de97878ad4d976d64c5c4968a17be2b1757a17c03100231c34721250cd37cc596678764083ade89ae3b1a2151ff9151edcd7ba0eb8a4649":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e8216072ed6fcde0fe0f636b27ed718":"3b50f2a8dca9f70178503d861d9e37f5edfafc80ee023bfed390a477372986e4794175ec22ac038c3461aba50c9b2379cab48512946efdfe2cb9c12a858b373a5309324f410e6a05e88ba892759dbee6e486dc9665f66cb5950ea7e71317fa94abbebd67a3948746a998173fbbb4f14f9effbdf66d3b6e346053496a4b1934ce":"23a122cf363c3117b8c663388c760ee4":"28ce0b4a44fa83323e060f3ff6436b8829d4f842090296bdc952b6d4a6b1b1a66be06168c63c4643e6ac186f7ffd8d144f603b2d4bc0d65be48121676f9fa1f359029c512bebfd75075ff357bc55f20fc76d9f2477c9930f16408f9f09c5ae86efa2529d2f1449ceeb635b83ca13662860ef9ac04a3d8ab4605eccd2d9ae5a71":104:"531a65cc5dfeca671cc64078d1":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1af434b73a1210b08595ffa686079832":"13f6c1c2d4edcf1438a7b4e85bcd1c84a989831a64d205e7854fce8817ddfceab67d10506ccf6ed9ce50080ef809e28e46cba7b0c96be6a811f59cd09cb3b7b3fe5073ee6763f40aee61e3e65356093f97deef5a8721d995e71db27a51f60a50e34ac3348852c445188cfc64337455f317f87535d465c6f96006f4079396eba3":"ae318f3cb881d1680f6afbf6713a9a2f":"3763c9241be0d9d9a9e46e64b12e107d16cca267ff87844c2325af910cc9a485c7015d95bbe62398864d079fb2b577ba0cfad923c24fa30691ad7d767d651eed4a33d0be8f06fed43f58b2e0bb04959f10b9e8e73bd80d3a6a8c8ce637bfbdb9d02c2b0a3dd8317c4997822031a35d34b3b61819b425c10c64e839b29874ddfb":104:"2ae7350dd3d1909a73f8d64255":"":"3cd2a770300ce4c85740666640936a0fe48888788702fc37e7a8296adb40b862ec799f257a16821adaa7315bd31e8dec60e4a8faeb8ba2ee606340f0219a6440e9c1d3168425e58fac02e8a88865f30649913d988353ab81f42a5ad43f960055f0877acda20f493208c2c40754fbf4ccee040975aa358ea3fe62cbd028c1611a":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04036d2f5273c6ff5b8364aa595359c9":"acf79b6099490af938fb5fd8913255b3daa22786b03356cdf3e0ffaf570f9f866047b8e15c9953f893d97e7098265297396868ebc383be8547e8ec9d974b6a65b5dc5147cdadef2e2ad96696e84e44f364c2ba18c8aabe21f99489957b2b5484bf3fb4fecaf5ddaa1d373e910059c978918a3d01b955de2adb475914bf2c2067":"edc433c381140dff929d9df9f62f4cb6":"404acfeeea342aeea8c8b7449af9e20ddf5b85dc7770d2144a4dd05959613d04d0cfece5a21cbb1a9175ddc9443ffacd2085332eb4c337a12a7bb294c95960e7c0bde4b8ab30a91e50267bbd0b8d2a4ed381409ea2e4c84f9a2070a793ce3c90ea8a4b140651b452674f85d5b76d0055df115608bf3a3c60996108023ebabe65":96:"71f818f1a2b789fabbda8ec1":"":"4729cb642304de928b9dca32bb3d7b7836dd3973bbccf3f013c8ff4b59eca56f5d34d1b8f030a7b581b2f8fdc1e22b76a4cbc10095559876736d318d6c96c5c64cbd9fbd1d8eb4df38a2d56640d67d490d03acc1cd32d3f377eb1907bbd600f21d740b578080ba9c6ddc7dc6c50cdcee41fec51499cb944713c0961fc64f5a70":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59fe44c6e28d025b2ad05e6e867051ab":"20e66bae1215de9a87a0b878d39015d17e0d4542a1aaba2000cefbd5f892c26a410f55f0d7dc2f6b66690f2997032985e5516e068bfc6ec8a3669f566e280b0cefded519023b735ee3bcbfc5b6ce8203b727933a750f9bd515ec448c1f3a030aa0f40e607727a3239ebbe655d46b38a3d867e481ccf0fadbf0d59b665d2ed6b5":"eb0c30320029433f66d29b3fd5c6563b":"49b7418b87374b462d25309b1c06e3132a3c8f4a4fcf29fed58e0902509426be712639db21c076df7b83dcfcc2c2c8fcc88576f4622a4366eb42f84ebf760e3eb22b14f8b5ff83f06a6f04a924eaab05b912e126e80da22461abf7f1925fd72ebdf2aea335a044726e7c2ebbb2b8aeebab4f7de5e186b50f275b700794d895d8":96:"296c4cdaeb94beb2847dc53d":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c314264cee0e6db30ebe9b2f6d4991b2":"d436ff9abfb044a332c4e009b591719a67b12a5366da0a66edf19605c34daa37588e15dd3da0d1a097215e469439de79cca74e04cd4904e5b4a6cb4e0ea54e6ba4e624ed6bd48be32d1ef68ffea1639a14e91a5914c2346ea526df95cbd4ad1b8ee842da210b35b6315c3075ecc267d51643c4b39202d0ad793cbb0045ebdc19":"4cd4431bb6dea8eb18ae74e4c35a6698":"0eeafbfd04f9a0ea18e5bdc688c7df27183f346187e9574b61222006f2b3e12e8d9d9bf1f0f15949ee1a7ee8e5c80ee903b8ba2860e15ccb999929f280200b159c2adca481748d0632a7b40601c45055f8cb5126148e6cbab2c76f543537ab54eb276188343cea3c4ab0d7b65b8754e55cfe3f6a5c41b6ea3c08b81fcecc968a":96:"fda18d2f795d900f057fe872":"":"cb9e0fb0ac13ca730b79e34745584b362d0716c344e4de90d8352b21117471ba12c97f193150b33774baee5e4a0f11b10428eaf0106c958e16aa46c5f6f3d99eed93d1b9ba3957bed05a8b9cc8c5511cf813a66dc7d773cb735b0523d8d6b0b80639b031ddc375f714c6dd50055320cd7ed44a471c8d5645c938a9005d0b5050":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"26072018bd0bda524b5beb66a622c63e":"91c524b359dae3bc49117eebfa610672af1e7754054607317d4c417e7b1a68453f72d355468f825aeb7fde044b20049aed196ec6646cce1eeeccf06cb394286272b573220cdb846613ebc4683442dccc7a19ec86ef1ec971c115726584ae1f4008f94e47d1290d8b6b7a932cfe07165fd2b94e8f96d15f73bf72939c73f4bd11":"c783d6d3b8392160e3b68038b43cf1f4":"8ae7c809a9dc40a6732a7384e3c64abb359c1b09dcb752e5a6b584873e3890230c6fc572b9ad24d849766f849c73f060fc48f664c1af9e6707e223691b77e170966ed164e0cc25ede3fbc3541c480f75b71e7be88fe730d8b361ea2733c6f37e6a59621de6004e020894b51dfb525973d641efe8d5fd9077a0bbc9dc7933a5de":64:"edffe55c60235556":"FAIL":"":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"201751d3da98bd39ff4e5990a56cfea7":"2965af0bde3565a00e61cebbfe0b51b5b5ee98dbbfff7b1b5bf61da5ba537e6f4cf5fa07d2b20e518232c4961e6bc3ae247b797429da5d7eee2fc675b07066ac2e670261c6e9a91d920c7076101d86d5ef422b58e74bdc1e0b1d58298d3ee0f510ee3a3f63a3bbc24a55be556e465c20525dd100e33815c2a128ac89574884c1":"6172468634bf4e5dda96f67d433062d7":"ae2d770f40706e1eaa36e087b0093ec11ed58afbde4695794745e7523be0a1e4e54daade393f68ba770956d1cfb267b083431851d713249ffe4b61227f1784769ce8c9127f54271526d54181513aca69dc013b2dfb4a5277f4798b1ff674bca79b3dec4a7a27fcf2905ae0ce03f727c315662cd906e57aa557d1023cce2acd84":64:"66c247e5ad4e1d6a":"":"efd064d4b4ef4c37b48ddf2fa6f5facc5e9cc4c3255b23a1e3765fabb5a339fa0eda754a5381b72989fc1323ff9a6bbaecd904eb4835e5a511b922927574673061ed8de23299ea1456054e7ebb62869878c34fb95e48c8385b5ebceecb962654cf1586b3f54e7887ce31850363e9a22be9e6fbc22e694db81aa055490495dbf2":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bc0dcb5261a641a08e6cb00d23e4deb":"d533ad89a1a578db330c01b4e04d08238b020e36aebe87cf2b0bf0b01f1ce4197be8b0596e475a95946918152e8b334ba89f60486c31f0bd8773ca4ff1319fe92197088b131e728d64405441c4fb5466641f0b8682e6cb371f8a8936140b16677f6def8b3dd9cbf47a73f553f1dca4320ad76f387e92f910f9434543f0df0626":"16fa19f69fceed9e97173207158755a5":"92ddd3b98f08fc8538f6106f6434a1efa0a7441cc7f6fd0841103c2e4dd181ea0c9a4811b3cb1bad1986a44d8addabc02dd6980daf7d60405b38dadc836bb1d0620ceab84e0134aca7c30f9f9490436b27acfd7052f9d7f0379b8e7116571017add46b9976f4b41431d47bae6f5f34dc42410793bc26c84bfe84fb53ae138c85":64:"f5289e1204ace3b2":"":"be0c30deeffbe51706247928132002b24d29272eee6b9d618483868e67280236632fa1ae06f3ef793f67bd01b1b01f70a827367c1cd28f778910457c7cbd977dfefff1f84a522247e19b2fd01fa22ce67cef9503d45c80a5084741f04108f2462b7cdd06a8f1f044fea2b05e920bcc061fbc6910175d732f45102a63c76ae48c":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"239c15492d6deec979e79236baca4635":"d64886ce5f5b4adb7fe8f95904bc1461749c931655b02819ffdd0ae31bad4175125aa68962f8e36ec834a7d53a191a74c937e81ec93ad9ce0d3b286d3c11ff1733c0b7780130768c120b1833933561cf07399ca49b912370ae34f0e49b9c8cb9920eddc6816ab2ae261c6d7f70058a9b83a494026f249e58c4c613eefafe6974":"916b8b5417578fa83d2e9e9b8e2e7f6b":"b39eb732bc296c555cc9f00cf4caaf37d012329f344a6b74a873baf0d8dde9631f5e57b45b957d6aec0f7978e573dd78b43d459b77756037cd64d10d49966eb3a2a08d0f4d5e4f5dcb8713f4e4756acdf9925c5fc6120c477f6dffc59b0b47a3d5efd32b8c9052b321bb9b5129e5c6a095d8de563601b34608456f58d7221f2d":32:"fc08cbbe":"":"95c169721ea007c3f292e4ec7562a426d9baa7d374fd82e1e48d1eaca93d891d5ffa9acf5e3bd82e713ac627141e26a8b654920baffab948401cc3c390d6eea9d7b78c4fcb080b0aa9222e4d51bf201ccfd9328995831435e065d92ad37ee41c7c4366cc1efe15c07fc0470608866aeea96997772ecf926934c5d02efe05f250":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db68a96e216b0dd9945f14b878487e03":"5634196a32d4cbfa7a2f874a1e0f86287d2942090e0cc6a82bd5caf40136a27ddf524a17713ce4af04ca6cb640a7205cce4ac9cb2d0ab380d533e1e968089ea5740c0fcbfa51f2424008e0b89dc7b3396b224cfaed53b3ac0604879983d3e6e6d36053de4866f52976890f72b8f4b9505e4ebdd04c0497048c3ce19336133ea4":"8a1a72e7bb740ec37ea4619c3007f8ae":"1b4f37190a59a4fff41d348798d1829031204fd7ac2a1be7b5ea385567e95e2ace25bf9e324488dd3ab8ce7f29d4c9a4f4b1a8a97f774871ee825e2c17700128d3c55908d3b684a1f550fdb8b38149ff759c21debdd54e49d64d3e8aac803dfd81600464ed484749bb993f89d4224b3d7d55c756b454466ff9fd609019ed5e83":32:"9251d3e3":"":"0c6bb3ee5de5cbb4b39d85d509bcacb3dda63fa50897936531339882962e8dc54c285c8944768d12096d4a3c2b42ffa92603cee2da9b435ec52908fca6d38ed74f898fe0ffa761f96038ff7dfeccc65bb841c3457b8de1e97d9bee82e2911602ee2dc555b33a227424dea86d610d37c447776295b412b412903ad2cede5170b6":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":"":0
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":0
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":1
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 128 bytes, ciphertext updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":"c53d01e53ee4a6ea106ea4a66538265e":2
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":0
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":1
AES-GCM NIST CAVS 14.0 - empty ciphertext, AD length: 90 bytes, ciphertext updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_cipher:MBEDTLS_CIPHER_ID_AES:"42c6e06f7f07c793864f6033f9022a41":"bd1258f14570dc663f81c31916bcb45490a7df15c95d827fd9e36aaf12f8fc51b8c0bc823faf1cccf9e6d6d3b132e874993325a1a2b1b61f9dacbb4a458de8d25dbf0ba4282d64a06686ddd0f099300b98e91362ffbeb44ebd22ad3c92ee06b230e234f85363642f57d0154aee09ff08d0e560b5728a5db8a18b26438177c45f":"ef675d5e33198af58e72d7f379dd35bd7234aa7a52ae28531ee2e77d6bf30f05c507b8cc72361f11e70017b30c0e374dd283d29c324c67d43d92868485b0ac2cc4e0dfef362df74c927f935d630611fa26c5be9bea49291d3875":"6640b62190bb4a11d4c7b37039bba6fb":2
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":1
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 128 bytes, AD updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"cee448b48d3506ff3ecc227a87987846":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":2
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":0
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":1
AES-GCM NIST CAVS 14.0 - empty AD, ciphertext length: 51 bytes, AD updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_empty_ad:MBEDTLS_CIPHER_ID_AES:"24168b48b45759c8d4f9b061f0cbc16a":"b8e5ede75254cc4542191c7e7b0319ad81651451b639caf81c81c98301a4a0af70e291a4e35b448917be1e400fc64a22edf32913162558c2591ee3e80f397d73dfbc68b82da49bda9bcbb6aaf26919e21c1773cf51f6c5b71784f47978cc0d593b4be0259ab22b0b48de733a884c50a8c148c495973a8f5f84f2e93755666bf5":"be19c7e3d3e63f73d833c967d8d62f388ab9617a2adebe5abd99b5ec64599c46bc28bc62770e08995b0bbf27089e3e17b80424":"4aec633d4daed9ce76d697c11f66f34e":"cb7f10bda7da8a2569ed1f3b667127a1e0fb197283aa16ab8cddd43186bd126b118e671cab3e325877fe0e79f1863f89122c8f":2
AES-GCM NIST - empty AD, empty ciphertext
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_decrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"cf063a34d4a9a76c2c86787d3f96db71":"113b9785971864c83b01c787":"72ac8493e3a5228b5d130a69d2510e42"
AES-GCM Bad IV (AES-128,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM, output buffer too small, NIST Validation (AES-128,128,1024,0,128) #0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_update_output_buffer_too_small:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"0dd358bc3f992f26e81e3a2f3aa2d517":"87cc4fd75788c9d5cc83bae5d764dd249d178ab23224049795d4288b5ed9ea3f317068a39a7574b300c8544226e87b08e008fbe241d094545c211d56ac44437d41491a438272738968c8d371aa7787b5f606c8549a9d868d8a71380e9657d3c0337979feb01de5991fc1470dfc59eb02511efbbff3fcb479a862ba3844a25aaa":"d8c750bb443ee1a169dfe97cfe4d855b"
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data
index a87fb18..be3b067 100644
--- a/tests/suites/test_suite_gcm.aes128_en.data
+++ b/tests/suites/test_suite_gcm.aes128_en.data
@@ -1,735 +1,735 @@
AES-GCM NIST Validation (AES-128,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1014f74310d1718d1cc8f65f033aaf83":"":"6bb54c9fd83c12f5ba76cc83f7650d2c":"":"":128:"0b6b57db309eff920c8133b8691e0cac":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d874a25f2269e352ccdd83cc2d4e45b7":"":"9717abb9ed114f2760a067279c3821e3":"":"":128:"0e09e53e5fe8d818c5397c51173eda97":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7dab77e23b901c926454f29677eb62d4":"":"8aaec11c4a0f053d7f40badd31a63e27":"":"":128:"cec2e3230d8b762acee527e184e4c0db":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2397f163a0cb50b0e8c85f909b96adc1":"":"97a631f5f6fc928ffce32ee2c92f5e50":"":"":120:"3b74cca7bcdc07c8f8d4818de714f2":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a7adc0d3aacef42397bbca79dd65dbdf":"":"c6d3114c1429e37314683081d484c87c":"":"":120:"d88141d27fe1748919845cfa5934bc":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"10171805d7f7a6d87b64bda57474d7fc":"":"fad65b50c1007c4b0c83c7a6720cacb8":"":"":120:"c3d3f240d3f3da317eae42a238bcc1":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8aaa0c85d214c6c9e9e260e62f695827":"":"84e25c916f38dd6fdb732c0d6d8f86bb":"":"":112:"a774815a2a8432ca891ef4003125":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"def8b6a58b8e582e57700bab4f2a4109":"":"3615439e9fb777439eb814256c894fb2":"":"":112:"537be9c88d3a46845e6cf5f91e11":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5894231d743f79638687c070b60beee1":"":"e34cd13b897d1c9b8011a0e63950c099":"":"":112:"d582c4bc083a8cf1af4d5c2c9b11":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6b25f9cbdc3bcd27fd245a1c411594bc":"":"a6526f8c803b69dd5f59feca1cff78e2":"":"":104:"c7e19e08a09a9c1fa698202890":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b3235422897b6459798a97ddd709db3d":"":"96679e9362f919217d5e64068969d958":"":"":104:"44ed41bda0eb0958d407b7b787":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f65bc795434efba3c5399ed3c99ff045":"":"2e727c19a89cba6f9c04d990245fceed":"":"":104:"64830ed7f772e898800fc9ae2a":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c6c66d50f2f76c4e911b3b17fcdcba1d":"":"77b42158a4ef5dc33039d33631bb0161":"":"":96:"1bce3ba33f73e750ab284d78":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"13558db9b7441c585d381ffc16b32517":"":"addf5dbe0975c5ad321e14dd4bdc2ad2":"":"":96:"f413c3bf125ce5317cd1c6bd":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"74638628b1361c2954ce0ac5456a1155":"":"c5861507c879e6864d7cb1f77cc55cc6":"":"":96:"8a514fdc7835711e4f458199":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7815d22c5c081df9ac2114aaa2c0cbf9":"":"822f83cd9f249dfc204b5957f0b0deab":"":"":64:"aa1f69f5d3bb79e5":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1a847a47823cb9c298e4107c6aaff95c":"":"39348f80c6bc489f9315be7a6fcbb96f":"":"":64:"c3b3f31e56cf4895":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"16e67ea248ea6db08af1d810cb10574e":"":"50386e2075eb15ca3f3e6db6bff01969":"":"":64:"3d4f3b8526a376ae":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26a8301636ba93e7f56309143f184241":"":"c7e32b1d312971bdc344aefaf45461bc":"":"":32:"25f1b41c":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"130a07c467067148da2790f90d73ff32":"":"800b81c9d2ff3a8e15690ffb4117e211":"":"":32:"abcc8d71":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ccfaae59c3196b8c403716424ea601f5":"":"f9b059de0efa4e3f364763d63d098410":"":"":32:"8933444f":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b5beefbdd23360f2dd1e6e3c1ddbfebf":"":"81a8494f85be635d71e5663789162494":"f9ebf242b616a42e2057ede3b56b4c27349fed148817a710654de75d1cfc5f6304709b46ef1e2ccb42f877c50f484f8a8c6b0a25cff61d9537c3fd0c69bbc6ef21cbec8986cbc9b6e87963b8d9db91b7134afe69d3d9dec3a76b6c645f9c5528968f27396cc9e989d589369c90bbfefb249e3fa416451bc3d6592cc5feefbd76":"":128:"159a642185e0756d46f1db57af975fa3":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c465aa8fe5d534c912e654f5aaed5857":"":"5c155f7194b0d0a17b9a0c234d609443":"a3f8d705b233b574399f72350b256cb4893e130688913ce3def8e44687688c0352ff987aea35dc53bc95cdb9cdcc6e6eb280265d9a1af38d526392ab63c9b043c1b1b43e18321e84eb7e08884f2463c32b55eb5859fb10918595a724a61cfdf935e4f96d0721612720d46a946487b525779f6ce0abf04fc5608351119b7427d2":"":128:"9595a6d879cd7a949fa08e95d2b76c69":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"744b9e1692d8974d7dec349ebd7fe1e8":"":"62ad4b09fd554e0d6b3937839e693e5b":"6f9978f7078f0030c45caf49128ff72943a208a2398d08d132239f3ab5c184708e4222ec9ccde69dc86d1700c2fe0af939454bbb3962327158557860b6fa492ab8201df262a6209705c7e3129419bce8b827320893c1579ca05b32c81b3963b849428f71fe7528e710557a272117199163a35ebfbaba78f7676f7e566b16311a":"":128:"634f6fe9625be8b1af9f46bcc0fa3162":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"097c059535037c6b358dbb5a68b5f2b1":"":"00caedfa078c27e3d9551e3fb8d98d77":"6c4bde11129a959fcd6a482cb19f5f1c582c042b314f7997b0450242f9e669dc1cbb0a3b7a185bf8b035267e6f03206268008e2b97864d44d6a9c6b1b4b067d623c4b4e9c608042ea9120aed3bee80886352683891496d8980e40b8480c98c2fe08f945aa1ef6007c65220319dd8678184ab54e81083b746ec6441e87a568e0c":"":120:"5075ef45c6326726264703f72badde":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d25db5eca46c16490294423ca0c35660":"":"6f37f15d6c7ea816278ab977c29fa45e":"bd76fd431cea72a288e5d7289c651c93b5f429a54f85249021d6b595eb9ce26e18914a381a6b0299acc3725431b352670f206b731be718a598ec123dce0a2c5ac0aa4641b092e704da9f967b909ca55c2722298365a50dcb5b5ec03a1d0cbb67b8de1e8b06e724af91137e0d98e7dc1e8253887da453cdcbd2eca03deacaabb8":"":120:"00510851e9682213d4124d5517ebaf":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b3c6258a726aff94a7bcc41646c68157":"":"7f5b3315afe5167a7e9061ab8b005588":"0ef3384862c7e00c2912e7fde91345dc3134b5448e6838f41135ba9199c03a7f208887e467563b39a6c1316540c1401e8ff148386c50fcf15724a65d3210b17832d63cdce76bd2b458348332b0b542122a57e381475a59440f280db6e1f4b8d0babfd47e3db11a9ef89cba5f334f0e8e72be30afb2b1ef2df8eb7f8d3da033c4":"":120:"180489039ccf4a86c5f6349fc2235b":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"73cd0a1e2b6e12fbaa7cbace77d5119c":"":"d897681764bcc3b62c26b4aaf407cefa":"8c773e14a906c7deae362d1bf3d7e54c6be4c74c691b7f2d248693b2619219fba6eb5bc45f77af1cf7c05d3dd463158f884fe82290d145135889fd851b86ee282aa20bbdf6af78c7f9db6128b8b99e7f9b270fd222efa18f7aca6932a1024efb72113e812b3f9d2d4ccc7c85f5898ddacccbf1b441cd74097740dd922b57bade":"":112:"d8811a8990191f1e5bd15be84995":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c1dfddafe076d0ceebb0f37bb25bc0b1":"":"29c56db10cea802c19fb6230227ab2bf":"287b73cdc62ce058cdceff8e9af7afc321716f69da9eef60c2de93630ba7d0ed0a9d303cd15521a2647159b8478593f3dd3f5b7c52081e5154e55ccbff371d7e5dfc2d05e14d666a01ec2cc6028aacadfd78dfc73bf639fc4dfa0a0c46415902bbda2443620fa5e0ce4fccf1b8591e3a548f95755102a8438300753ea5f61b9f":"":112:"309fedad1f3b81e51d69e4162e6f":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2c4087ccd28ceda147d2fcfc18579b1e":"":"9cbdd67c79ab46bcbcfa96fa2c3d7e87":"35088d18dff0a9d3929ce087668aae1d364b37a97102f3f43e11950e6ec8296d0c99b00cd1c5dff53d3a38475e7da7b9ee4ce0c6388a95d3f8b036414e4b79cd02b5468cbb277f930e7c92432a609db1effe65f60f1174b58f713e199491f9e0c29ba1f2e43306775d18c1136274af61488a2f932e95eceadfe3fe4b854fe899":"":112:"b7e83207eb313b3ceb2360bc8d4f":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bb66584c8b18f44c11f3bd7180b9b11d":"":"39c82aee03ce0862ff99f8812cdbdcf0":"45ec858e0a5c6d81144ba893e0002818a70e9a19002a5471993077241b3fcfb4fd984f2450803293882d1c7ecb654e611578fe7d258f9a2ca3b5f0c0f0d0ec4828bdeb9299914ff2ac4cc997cf54fa908afdb3eae9f91d67c4637e1f9eb1eae2b3f482ddd5467668bc368b96bbbfc33b9ae2658e4ca43fcf4b66ba2a079d65f1":"":104:"24332fd35a83b1dfb75969819b":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7b2a230c8978d4e38fa5096ddc19d6f5":"":"cd25e744a78af858e825e1fd070324ee":"628baac336862573cee158cd3935c34df3055dadc9c1695e9ea18724f6457f0d1833aab30b85a99e0793e56000de5d6d5cb2327a4cc8bec40cd198459e7b93617713e63bbd15381a066bc44a69c9ad3dfb1984f8b33a9429eda3068d3ac5fbbaaee2b952a486e58d674ffca641d9ec1d102600af11641fd5fff725204e6c34a8":"":104:"68d49d495ff092ca8e5a2c16cb":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"73aa576e1dfad2c993afcc088bd8d62b":"":"712e665a0a83e8ecad97e92afeb35706":"314e5fee776e9d5d2a1fb64ceb78e2c9a560a34724e30da860b5588fe63d50838cb480ff8ac61d7958b470b1bfd4c84799af6cb74c4a331b198204a251e731f7d785b966da595b745d01769623492c18b9dd8bd3c75249effd2032658c715906a71dbbed847027ea75d647f9803296a41906e0915250854597a163035a8d3f45":"":104:"a41f5c9c7de2694c75856460d4":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"83f7631c4d4c466c9246cbc48e2dde6f":"":"f5d6c8c252cb687a931c38f58f74943c":"1f35e94a35d0f424bf690a15038126a41502593612efe6333cf94ea0565ca6acdefae8d74dae62df95e9261c6596c3397220e044c5b08cf39cccb27315d9b795da321204910274a93436bc0573fdba04ae6bb14c6ca955cf8b9e193a12e05796d7f4b397507614dabc457f1cd3ce19e439b6e62703f2189372938b29b7a542b9":"":96:"bb85dbd858ab7b752da7e53c":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"784e023b2d4c978151d05ee71533c56c":"":"f16d041b9f0f454db9985c8558ef8a61":"91f6e108c294640c7bc65d102d3d25a7bfbbe114acec9b495636689afd65fff794837946602ef04de7d4304a81809e0f7ddc45c476c29fd5286fcf4dd1ba76ed3ce88abdb51cd21e7aaeecb13238ac031da87ab96b2a13157278bf669d0efae28852ec3585d520d54502881322f7977d03954e17e7c0c0d8f762e34f59ca141e":"":96:"59699c639d67be6a6d7c9789":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3a2ec66e4a72cb3540e87f4e67c7e58":"":"07a9cf9f44b07e3067d60e276322e9fb":"d7e722b82e8607a64fbfeefc7887009298f06a637fe937277e3a76e8addaeeb460ba0743912c07b500b4b51e9fec2b7eddf691d155baf689f75968160c19a8330e254220142ae843bf0687aabeb74ab607227b0a7539ec3cfea72a5c35f236623af78beffaee6e7b1adc2895732ffedb3f8520710f04eb9c2ce9b2cae215ed5c":"":96:"f29aec72368bfcfa9ae815fd":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"83f382a90146544ef4871bde891aed22":"":"c6f664f5ccfd1aaefb60f7fa3b642302":"656a2f221a1339d8f5c26393a08fa31859f626eec9a68afb6ee30e5b6859d1cbb5ed7dea6cbc4a5d537d70227d0608185df71a0252fa313be4d804567c162b743814f8b8306155931fdecf13822a524868b99a27fd2ff8f98c16edccd64520e2dce1ad645fd5255c7c436d9b876f592ef468397b00857ba948edf21215d63d99":"":64:"09df79dd8b476f69":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"64334f10a62c26fef79d9024d4ba7c5f":"":"7b85251554d4f0ff89980cf3568c5caa":"dab2892262a1832a473cd3481acbd3d1820f14361c275514ec693b40f2170ea5ff82c4f7e95a7c783ea52c43a0a399c37b31319a122fd1a722e6631efa33f8bfb6dc193986580f0344d28842a3a4a5ca6880552557f3915a65501f6ee0c1b68a4c9040f0fac381cbccb6a6e9bca23b99f2ef1abbca71c69aa27af2db176bf37d":"":64:"3e8406900a4c28bc":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1c98ca4971c3a6333c18b88addf13368":"":"7f617f08e826a3c61882c3e00c203d4b":"ab1531fce0f279d21091c3334bd20afa55c7155bfc275330ed45f91cfc953771cbde2582f4be279918ac8b9ae07cb3b2efd14292e094891d4841be329678ad58d714fc8ce4bffe51f539f4240c14ba883b95cdc32cf4a9fd6ba4ffeafa0d6718989c46483c96cfca3fe91000f9f923d7f96725e966de068b5da65546fe38f70e":"":64:"58cc756d3bf9b6f9":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"247d3abeb807bde959e68b40a3750045":"":"3f5390cd7921fcb42c59f0db05a8a62f":"81abf375da7157a1a56068d0918037fecb7296d9b1771c54ae6030abda4b9d76feff818de81747980b2c1b005e36b3be36afbf1092edef6fd875d2903d73612addf206a6ae65886421059c70990a6ee33197f92bed649901fed62fdd20c30d81baf6090f50d9f59290528e58a0b7412ace0a293369f2b4c8d72c2fb0e1c432f5":"":32:"37bb4857":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"622be8cd3c757de00fbb7ab4563ce14f":"":"16c53a843b1549716d7c06b141861862":"a15d101580d549f2401bf0f36be0f83724875205c9109d2d69d2609cbf67504b918f0859303192b4075f952454f3e7152f898f997b36afc0356712fc08db3343054b20e88ad1274e019bf8fcc3c921d3bc8f9c1d1d24adc61f6033a83ef46a84762304f1903553748b13b1647c96eb8702ebb41ccea4d9cfebcb177c453277f2":"":32:"35778596":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8a660aa0191f9816261387d5aeb262f6":"":"c720cb31e841480da5ba656e9b93f066":"d979affe395bd048db26d26908a1c2a435905299086cc55bb65ef782f5aed99c41743c3ae252ea087f5453bdc605abd784b337b60960946358da2218b076826659a1fafa59124a00a3424fce0d00c38eea85cfb3d1e01bcb09d9870d5b3fe728f394e0e512f5aa849d0550d45a7cc384f1e4c6b2e138efbc8f586b5b5ed09212":"":32:"cf7944b1":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"ad4c3627a494fc628316dc03faf81db8":"":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":128:"5f6a3620e59fe8977286f502d0da7517":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"81371acd5553fdadc6af96fdeee4c64d":"940806fd5ddcab9937b4ba875e46bb4b7e9688d616d17fd24646f1ef1457819f55887f53bd70039bb83b4d346aabe805288ab7a5756874bdc2b3d4894217d3a036da5e9e162fa2d9819ceb561ecf817efc9493b9a60796f6dc5e717ac99bc4ba298eee4f3cd56bbc07dde970d4f07bbfa1f5fe18c29a3927abe11369091df28f":"3262501ed230bc4f5a190ab050e1bcee":"":"ffeb1907bdbfea877890a6e972a533ae661a903a257b3b912c7c768cc988e05afd71a9e6117d90d1e1b54f55de9b10cbce7a109452567483cc8d6a68b9e56da10802630591fdd8d55f9e172f0f58a7e0c56a73a1ae3c3062f0997b364eb0885d48e039b2ba1bd14dbb9c74a41cbd4b52564e470d1a8038d15207a7650bd3f1d6":128:"227d422f8797b58aa6a189658b770da9":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ef5295e9ae74729e222df6dab251158d":"59372848432f86f5740500391d2e5d5fbe1f80ea876a0ecb9a5b298d9ea7cdc28620aeb2fda015345ae476f265351b2c6b6fcd66bc8aae4dc8a95c1350cda204da3d2d2fc5e6e142dc448296d5df0cc349d1eba2fa98d2f468662616274a147fbe07927440afa3967ac09a03a8de0b03f3036bde5e272e3c4c5ff169dd730238":"194d08fcc3c08ab96fa724c381274d3f":"":"fdceeffdc8390bde6b910544db61db2f345eba0664f78f65d94b90e3e2a5251be374b3c5d881460cfff3549a01f84eb9d54087306a20f5156cd555e46bd2173386c90ea47983320fcbf24e09a05f2ec4b2577287d05e050b55b3002b753de49abef895ee97015810c06d09212b0c09e4910c64ac3981795a1e360197740360fd":128:"e94603dbd8af99ab1e14c602a38a0328":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26db035f2ddd9f5672c6f6af156838d7":"92c315936847649756b0b1bb4a3453e6e6da866f8088d96da44412d9f47a22dda0cd817287ba42163be59a69f73963059139fb3ba44bc5ebfd95b6742546dfb4fe95608dca71911d1347be68179d99c9ebf7ee1d56b17195f8794f3a658d7cad2317ed1d4bc246cd4530e17147e9ecdf41091a411a98bb6047eee8b4f1e4a9ef":"3686d49bb8c7bd15546d453fdf30e1f3":"":"1ac98e9ccfe63a2f12a011e514f446c4c0e22dd93613b1b9b8f56d148be8a24e3682dfc1cde2b69e72d200b516a99e7466dae8cc678c6117dc14b2364cd2b952aed59722056d7dae4cfdb7d9c4f716aef2aa91a4f161d01c98d92d974247bb972de0557e175177ce34361be40c30ab9ac46240016e5ad350c3b7232c5920e051":120:"b744316880b0df3d4f90c3ffa44144":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d5c63757197a132cbb33351fd2d81a46":"e970b62ce5f06b15f8448aa2a095c2b3c8adf535e110e7f374411ed51fa19f9c4926045f796b7cd8a942b6a19811b7aae59fce37e50d6ca5a4a57bfb041a5b51c1ee82b54d03be22d9dc2bb9a2e708503b85e2479b0425a033ae825b4f232ca373e280e3cc97cf0d79397a81fb30d3b41cdaa3e788470cde86734e10a58b1e3a":"a669a4d2f841f9a0b9ede1fb61fee911":"":"522ba7220d0d4bea7ab9ca74ad8fa96ba337f7aa749cd26186499081ba325df6d6b90a81bd1c7adda0cd1ca065894f14a074ec13eff117b2a00042038aea55850056a63adf04f58fcd7269085f5ad1ef17ce7b6c40804127f14747a2ad93ec31fada83663af025a3b90c20a4ae415b1c960094e5fd57db0d93a81edcce64f72d":120:"7bfce3c8e513a89a5ee1480db9441f":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f380d3bf0d55a1cd56b7e78359eb6c66":"c0e977e91c1c50ee78d4a56c527b2d31a1a14f261aa77e52d910f8f230de4908b5cc6943e28b8c6e7ac61eebe270dcfde48d140ec13792371932e545b6ef4b52d1dfdf54c60ff892b74095a3f4a2b9000acd2cac04666a2305343b8c09f89dcc0c25bbe2a39b14624118df025962edec3dfc58d36fcac531b291ec45b5159e22":"ba3300f3a01e07dde1708343f01304d4":"":"752f09b518616a91a802cf181532c7ec65b54c59c1bab3860f0ad19971a9e5bc8843524c5ffac827067b462ebb328e2eff4dd931728de882055129997204e78717becd66e1f6c9e8a273c4251896343604ac289eb1880207a8ea012626e18e69ad7573ef73071b8e2fb22c75c7fc7bf22382d55a5d709c15e4e8ff14e2bf81e4":120:"fbf8818aee5c71ebfd19b0bcd96a7a":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"47c807cd1cf181040a4e3b1d94659db8":"c4a52c1f1f0d32c21fb85fba21d1b358b332efa066c7893c566b2e859efdde99fc67bb6167cdb0485a8ed53dd1068d90bc990f360b044039791be6048ba0ee4ce1090c9fce602af59d69069f5bff8b6219aaaed5a9b1bfc8c5b7250c5a6cfe86586fa8064124d551da38d429a17696eb1a7a0341c363f010eafd26683eecdf82":"9963a3fb156beacd6dd88c15e83929df":"":"e784ab006de8a52de1d04bc2c680d847c5decdd777cb2475ad4ab1dc529882d9e51cff5451b14ea5ff9a9bab5c5474e8a331d79564acdb2ac8159e0f46e9019bf80650c481fdaf1680cadcb8c5de9f924760b376ce5736cc4970cb8715b5999f577436283a4c21469306840af36d1e069616157d1b9ce75de3adb13d201cdf1b":112:"51e8ce23f415a39be5991a7a925b":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a0b033d14fe902aa0892b0e87f966c41":"1cc751d890cd102486d81c618c23fa335067ac324ef11f7eddc937853db6e16d0f73727725a5a5bd580705416ecd97e368464ed0aea923ffb71c23c37f9cf9c8bd81cdbdc3d0ac34a875db3167ec1d519004d4fa4bba041af67af1ed3d4e09c32b3e8e10abd91f46836cec74b1f9c5b06c05f3b18caa78e7ff185db212b52ce0":"ad4dee18e6c19433ad52021164f8afb7":"":"a30044582dacf57332b04402e993831df0a4c1364a83c9bce7353979fb444cd1b3fe747e2c933457ff21f39e943a38a85457bfe99dc09af886734d6e4218fc65138055ad8eb5d3044f4eed658e312b6165199e682ffa226558dc4b516f8d519f149bb5a40d2bb7d59ece9e5fd05358c89e635792ad20c73c174719f9b28c7358":112:"6a18a4f880ce9e6796e1086ed05b":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c4030ca84f132bfabaf660e036f56377":"a8fe98e2b4880d12c99c9d5193b3537b3fbc5165cc1327395174d989be5741f867332271cdc52ddb295ddbeba33698073054c6d2416fafaeb0a76aad870a6fb6097a29fba99f858d49418572c8e4dc0d074ca8af7727c773c8617495b1195d6b2687a2e37fad116dd721b60bcb5471d548c6dafe3ecdcf0c962e4659a61f4df3":"975df9c932a46d54d677af8a6c9c9cc3":"":"86b20fecebc4cf88a6a382d693117cd2a3c9eab747bf5df5f1d35e341d204d8fea6694b92552e347da676bc8d3353984e96472a509f5208ce100a2a9232478417947f85f10993c9d6939c8138bd6151aef8e2038536e8ba1ba84442e27586c1b642f9505455c738e9fd2c1b2527d1ecd3a2f6ed6e3869000ef68417ec99ff7a2":112:"3516909124c0c1f9c30453c90052":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6e210de363f170a7ccb1b9cec8d34737":"89853fa002985a45651f2a7db2b45b7e7a7d33ce6c438ec4533c7fa257e1a384130369a68184a807fd0d92a70d91d7ddc56e5c5172c872257230d7aeb9293d785b1b8835dcde753798caff4abcd8bbc5378cd505dcf904aa69902e4f38699be972099adffc8778bd844a9a03e6b58a721a73324d956f20f2ffd00d3491f72f42":"39fe20b051ba21319a745349d908c4bf":"":"ac9d74f8f405fd482287a4a7fa359caca095c0f1b46744f19c3c11e13b0c605b9857c8cc5a1754b95bcc658416f463bf8764f373205941885948259916eaabd964f2d6c2d784f928dc5eefe331f6c04b4862d4c8e966530de6bf533a10818de852de3af7f521b167cb4eb7141ba8ae8a17be1eb714fd26a474bbbbe870a659dc":104:"7a2dfc88ad34d889f5e344ee0e":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6bbfeda23ea644fb37666b05dc47f590":"a85ec4c2c160deda7e3de0ae449eea6ed1d24e2c8f3d5151f2ac0fd869f5a763981733b68f46c5197d76c26cce7ddc8afc6cdf4536d771cf3e9cef0098e270c5e1ff72cb0ad7f84abf44b726e0eae052d0c1553afc67c7289a43851a4d04c2856cc46b4039380436465a3b19deb56e41b859aecaf22b90578a23288d5f7d9b0e":"9d154f3cc2c5b0bdd77e86e351220960":"":"dbe575ea04b58429e68c733d99d7fb3a57e5604d6fc3baf17e0c6f981d78c070144702861316f892023515f20b697a8f3a40d821162dc9255d4775e7578285acf2cca67e902c060f80eaae29b9c011b6c110371409d914782e1e4115dc59439a2823507330852f10436b121538f22a3b619075610f1da87b6035138d78c75a79":104:"8698763c121bf3c2262ba87a40":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce1407f666f2aa142ed4ef50eb2a4f64":"585fc1e86809247826f87424741f6ce2ce7c7228fb960803be643acd28332b2036715e2b639fe3f8de7e43e88bd8e65a6e2259391360aaf534ae7566cbd2b3961c874d08636fca117d4123b3063931d7a161d00220014339ae9f447f31b8a2d7d5466fb1ff2508397b5fa71f9b4cd278c541442a052ae4367889deaed4095127":"1225a2662d6652e3d4e9c5556bc54af4":"":"8bc13cc1cb52fbd15390cb5663ce3111c3fb943f8ed3c4f07b7aeb723649fccb90895999ec5dbdb69712d8e34ae3f325fefa49ecc7c074de8bb2ea01fa0554d7adbf49498f2f6e78aa0cd24620bab0f11bf9b2c73ad0eff780eb6c03ee9c4538952af754c566aba7c717d1ee6ac2f5ffe21dab9afd649cd65313ee686596fef0":104:"9a1f1137f9ed217815551657bf":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5ecea1da76d6df90fd0d4077ef631b17":"d87e9a0c6a9796d60ed78924f7a8c408d5b9fab03fc76790e74029f13358fcae0035bd971a400845f508c2c2cdc3949be498193afcca6d75f8d21521ac673bd41a936a133fb5ed61098f3cb89df5234c5ca5ad3dbbe488243d282412844df0d816c430de3280ab0680a2a5629dce53f94e8eb60b790f438a70fafb8a3ed78a1b":"7d7ae2ed1cfc972f60122dec79ff06fc":"":"1eb19da71857854420c0b171f1f0714972fe7090db125d509aff6d92e5192353187f0906e3e8187f73709d1a60e074af01e83d1306d582a82edbdbebc797a733d72e2d4208675ef98ea4eaaddae2292e336fcd3fa85cdc577f4b8d3f324f0c5cf3919701208d6978f83466a02ae6cc368f57e18b9ee16e04cf6024b0c7fbad33":96:"f74b3635ec3d755dc6defbd2":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6d6de51c30692d7863482cbbaa5ccbc3":"9f242c230ae44ad91cb0f4fe259684883968f3ca4f57a3e0cc4b03ab063a4eacdf63f9e7900a98073e345d1b497b985887e1ffb5fe7d88cefa57dd41076f2da55ce7ab0899bdc5799b23773f8f7a4dfbf1861cf4de377281fae9763dd4ea8dc7c0d632b874c86ac8e4c90339ec3f14cc51bf9241660ab828605cc602984a0f10":"c6c0fa3da95255af5f15706274fa54ee":"":"55e75daa3df3b13a33f784d5adacb2ff6861cacb297d5eaa61693985b6a0f82e9e0b3a28d10648191c6e62d6260d8a8bb471e6b37aca00dafdb2fb17454660f90c2849a9ad1733d7bc227d962b3cd86ab32d5b031eb2e717e4551cb23d448e06bac7b2a4cadb0886fde472d45de39eca2df474ba79eb58504318207325c81813":96:"8eb9086a53c41c6a67bad490":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"76b7f2307e9cf9221c8f3ff7105327f9":"bc076bfd1ff7a9fb043a371e5af7112bb0c9c442be44ca648567937bcc091c127f02ab70b81ce51b2f7a38954dca3d94b3716c6114f0ba349d6f87f5efd84506ed289dfe8a1277a5d1821c56f9f297cb647cdf36d308e6ad41c55d68a5baaa520d11d18f5ddea061c4b1b1ec162b2d5bcf7c7716235dd31eda3dc3094cb15b26":"3cdaf7932a953999a6ce5c3cbd0df7e8":"":"88c70d3cf5817f9fa669aadf731c0eb03c3d8e552f2dc763001ac94837353ab75b0c6553bb8ba2f83ef0556f73dae78f76bc22de9a9167d7be8e31da6e68b0f0bdf5566059901726b6f2890ac8745ed14f8898a937e7d3e4454246185124f65cebd278f8c11fb0de22da7248f33ef6bb82cb1c08259970714de39ea4114f85af":96:"6006fe48f74f30bc467c7c50":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bac83044f9d8fefcd24766644317c533":"a72daba9de96bc03b5cd7449c2e97c858385475127b9614e37c197225d5789535b69f9123993c89a4815c1b4393bfe23754ddc6c01fc44cd2009b5f886988dc70a8cebb12664fa4a692db89acb91de6a9eda48542b04459149f59537e703e3e89f6d683ebb797fce3874c819d08676d926bf2da2f83a22449b89e204b5ece58a":"1307cd0e6f9ba5570e9781fca9a4f577":"":"479cdb5f65b9baff52a96c75790e3b7e239125f94525068cd1d73a1b8475080f33451ec83789d7189f5ad6a9130e7aa4df10d71ecabb5ccd980d84d0fbfb342506edcf7298ccb310c0e297dd443ded77cf1d96fc49055534439f1af583217a5de36e4df036a3b640d0212658399b629193080d38aff0d4e8aecd6c8d8f48b44f":64:"ca192f8153aa5fb7":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"627776b20ce9bb070a88f1a13d484550":"1da4a24fb12538a724f62b277410d50e918bd6224d4a61df6fb7734300643198debea71686e018bcd8455c2041265d11f7f5dcec08c31fc94784404423bcf1dc8e615227d2b0840be123a1efb8201aaa15254a14a2d76a6ddf536701cb3379d3c6b1b0d689e5896186c88d4a2c53a70bb422ecc8e0a5c3b9f3d89ce40676e4f9":"57f3f9388ea1e2c1c73f60b7d711f6ea":"":"f8a06eea528dad12b11ead51763aa68ca062f9f6c1c1f740fb910974f7ad9d2ac87c16fb74d07c3bd3b45f2e26af417e00416bdfee7ed0b69274ead70a52201c1fc05937438855f5564ec3e824daa0c59da1aa6f6cb8a44ab5f73d661b219766b80656cd3ff1e2d6909c6ce91fb14931af8580e859e9d7642678c1c35d9435d4":64:"05b432826dd9b044":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8954e2c0a7ea80fe3c8e75246f75bdbd":"d77e11a837eff95c77dd56e9cd97f0ffcee0adcca4a2203d23ce74c804a75cef1bdd69b16228472a2395118dfce636b8916372d6a24106f9a168055c6d4b44264674ce3905b3b30f5108ebf939f3fa8f55c12e001b457b73669acd23c1dcabea05aaba34e2d0f66a4d1c9162764228ebc4d3974fdb38b1a61a207788c5deb878":"2b5f9420b3c583403d92d76a2dd681c3":"":"35b8a04d6557426def9915eb798312a7572e040a65990ce15a8a6e5acd6b419c3fa26828b6efd2f1f50f91f672fed0feaa09a6ca6b4844fac5d3db571db8bbce250086b8c89aa6fa07bdca8dd0e1fe76e0f5a821145bafa11f3a9b0b003ad09de73ad71849ac58f7fd50851aa0fbbed17d222a0a5607f9f75dd3b0d3fa45a135":64:"96511adc097838e6":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7d0f9109dd846c47527a429b98d53301":"506efc29c0f02910cc9f5b2e677bb811e366b9e4910c00b36e48e5d5b42718f3b6d1a08a2de9c6d4ce44fce00fb7e10cf89396a88bdb38dcb0dba69449195e19b72ff989666b366f03166dd47cf4c7bf72dba3048fa34329ba86bbbf32934a0992d72c463fffee94653379d23b8bb4dff03fd86cfc971a2f7cdb90589bbbcb28":"f58a5bb77f4488ee60dd85ca66fad59a":"":"2e2760c649f17c1b4ba92b1fc9b78d149a9fc831f0d0fe4125cbfc70d52047f32a7f25c716533d199af77ed05e259cc31d551187dbc2e7d9e853d5f65ab8a48840f22391072cbe29e8529cd11740f27d11513c68ad41f4acc6fb363428930fe3d7c0e698387594156e6cc789d432817c788480f3b31326fa5f034e51d2af8c44":32:"6ced7aac":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"034c805b5e83b59ad9d6a65ade3940a9":"efbec09f8189404f3dbe569d3bab9b8bfabde419fc80abb3b21a07a5fe42326d23d022406981abd558e94f4debf38f2c34c3c315cb1ae1d5f2d48eae1335b50af9dd05b60aee724edb7d4e12703d5ec8873c55e3a3d6d8d5e4daddd5240fa3ec2d1f32442ce32cde66dfac77ed213207dc4838ca9782beb9a98d6dc52838831b":"b0c19448b9f2a818fd21ba6489c34fb0":"":"a45ba5836011fc65882ba8b1d6bf7b08b17f26b9cd971eece86fbb6aac5cdfd42790a7c7390099b10dee98cb8e4bd8b3ccb3ca5d0b9d02f759431de640ad7f5dffb919a8aaa74695f94df8eff4c7cb242d643c55d6f9c8323006f3be595aa8cdbfb0d9260ad2473b244ca65a5df53d2edd69f47df608e22a68b05623150b5665":32:"43e20e94":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f3bad89e79691ae72f53964b928a09f3":"01913e4ef10226d80c5026ba9243fa41edaf5f5c232d17c034db4c0c8369f48d89a1d58b3b2dda496506c30457365bdd76710173a97022d647276a4a8ac73f0e9e211cfd7d64849409ef61cce618675eaffe88b3f14496e5eb013c0f8a122dbf16f2c675edf7f813abe9c56101e570e208e651fd956e710dc09f13ebd22b81ab":"aabf77116a75046e7ecc51a468aa21fe":"":"f7453670604ff6287ebdaa35705cf7553410452fdb1129a7fcae92565a4217b0d2927da21f3d1b2bd5ae9b7d4dcc1698fb97fc8b6622ddc04299fdebaba7f7090917776b86b2af4031fe04fa1b62987fa9ec78fbbc2badc3a31449be3a858ac7f277d331b77c0e9b12240bd98488a131dbd275b6a0ce9830ff7301d51921ba85":32:"15852690":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"839664bb6c352e64714254e4d590fb28":"752c7e877663d10f90e5c96cce2686f4aa846a12272a0aba399e860f2838827c7c718365e704084fbe1e68adb27ad18e993c800da2e05bcaf44b651944bde766e7b3ac22f068b525dd0b80b490b3498d7b7199f60faf69fee338087f7a752fb52147034de8922a3ed73b512d9c741f7bac1206e9b0871a970271f50688038ab7":"5482db71d85039076a541aaba287e7f7":"4d75a10ff29414c74d945da046ed45dc02783da28c1ee58b59cbc6f953dd09788b6d513f7366be523e6c2d877c36795942690ce9543050f7ab6f6f647d262360994f7f892e9f59941a8d440619fda8aa20350be14c13d7924c0451c1489da9a0cafd759c3798776245170ad88dbceb3cacde6ba122b656601ccb726e99d54115":"c7ee1c32f8bc0181b53ce57f116e863481db6f21666ba3fa19bd99ce83eee2d573388a0459dfede92e701982a9cc93d697f313062dbea9866526f1d720a128ab97452a35f458637116f7d9294ffc76079539061dfeff9642a049db53d89f2480a6d74a05ff25d46d7048cc16d43f7888b5aff9957b5dc828973afccff63bd42a":128:"63c8aa731a60076725cd5f9973eeadb5":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5f2af1b14ca9598c341785189ac6e085":"790bc975865f44e3a1534e978e90b064530321a2280a9172dc7f3451773b01d4a56c1857ad0474350b945e4f34cd677c22ca89445a564b47a8526d31d18160c35d2be1e89428c3593b53877cea0d88d85b2a7ed0552e39a0e96e35ae0384a5d7868243045dcbfc245a3eb3ff99f4dd86c0a314f68d1971e773caf9c168b0aa0b":"bbf23307ad2718398b2791c16f69cc45":"26b160695de2ba40afca6bd93f1c2895f92ca9108847a8ab71ad35cac9f9c9f537ef196c5d41b10e3777c9a02ad3c73cd299a85f60e5d02794c3be2643c3e63f105b94d32cb4e3eb131d3f487fa5d1de1a4ad80cad742704ed5c19a7cf4e55531fa0f4e40a4e3808fb4875b4b5feaf576c46a03013625f04331806149e0f6057":"52c373a15e1bf86edfb4242049f186029b458e156da500ce7a8fc7a5fd8a526191ac33e6b4b79b36fda160570e2b67d0402a09b03f46c9b17317a04a4b9fbe2ddcfc128bd0e01b0be3fe23e51b69c28bcf8725b8e4208aefb1cf34fe91a2bb6d5bef7b936bec624a8f38c9cd4ac51a0187635138d55da1fb1791adfbf8459d3f":128:"db3bbdf556c9c1be9b750a208fe55c37":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"02980dff205bfa5b18037486618e1fbd":"f037ae281e45c50c9fa875f0ec9eb43251d3ae1b6acde27cb5edda7a4e384f50301a68bb6f4caf426adb31457c5eeaa789edc84fd902cb82e00dccbebe272d90cf690ca82ee748885f02daf377970e985d55994fa668fc5e3e06763e6829059fe0c3eb67033b3f5223cd4bb654484c57370d2b856d7117e32ead3d179064315b":"27354e68a004b255a380d8480dc9b19e":"37eed8620136842938ee3c3c08311d1298d3fd3f0456c056e0851a75d844fe6c61aeb2191c024ffce38686c09ab456f0ec26bd76f935d747002af9b47648502713301d5632c2e0d599b95d5543ac1206170ee6c7b365729c4d04ea042f04363857f9b8ea34e54df89e98fef0df3e67eaf241ed7ebbc7d02931934c14bb7a71ad":"f8090d0a96fc99acb8f82bbbe58343fe227d3f43fceece5492036b51ac2fa6db4bf8c98bf28b40132b1ab46517d488b147e12ceb5e6b269bb476a648d8a1133d5e97d4f4fbdfa3866a04948851cfb664f3432de223f3333248a1affa671096708ce6e2c9b4f8e79d44c504ff3cd74e8dffd4ddff490bcba3abffbade0a4e209d":128:"b5762b41241cbee4557f4be6d14d55d4":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1fc9bcc5aee350f1ef160346b642cc20":"e0fb08cf7dc901bf698385a38e1a81acd4118f083e52aa52e1ded16ab1e840cc49fa1ead3292ce21096cc75c89dc3701102b0982fd3a6bfa55a7799e579aa7336edf365574a904bad924ec080b093a604994db4dcd8323d7d39c3c35750b0741b170481539d22551871d6a0e2ea17e4bebe8ce19ec3bc3bf4f6edae9cd7ab123":"910a81a5211ce0f542f1183c08ba96a7":"2dcf7492c4539d6abc3d259ba5970033ebc2e7ddfa1af8be11f81b459d7477f310be2171290bec2f2ae2cc51266f46e98c878dd2444afefdbdb73a417518f5fd4c116547bf442fa9a8cb2300c5ff563117b2641dcd65018081e62a7ce5c4d822563824e5eafea90cbceee788ed44e6c4f23fe8926603a15adfdb556f11a0be9a":"514d27f8413d7ed59d96c14e7e74b9f3d4518486876c469b369f8c5734145f4aa52506c8f832d4811e5f981caadedcf09875033c5b28a00f35605d773c7f9e1af7f0c795e3df1fa9b5a524f1f753836c1e2dc9edf1602d37ac120f3d8a5c093a5285dbe93957643a65f22995a2782bb455d23318f01bd18ae0d0813b01d233e5":120:"feb7a25a68b5f68000cf6245056a1f":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9cf329dc10bcebb484424c77eb785aa2":"92728a696b07704fb1deb648c5036a1c8602b4006fb2fd2d401c4b6692e252c7f66918078542cc0b1a97486964276d6e6c77bbb88a9fff0285aef70783d9f2be3b7b22f8a8c02771492150122fe022722bf64263f5d2406884108d8d608273bc02a9127fe4dbcb321ac44a7d2090cff7017d59d73ecf927b8b05968675a63ca0":"a430b979168f5df5ba21962d1bd6dd15":"4d94b7650297c66b43210c84e6e7b09385117ed8fb91adf643b2339f39a5d8dd0b0d75a793e2a669e42c5ddb0873714e01cb65da9eb73fd976a49ae9a4762bcbc06be5052f750d110a407764280b510da5fd0fdce969f86ea6bf52ad4fd9e2d81ec5cb84af0a1d406504a34c51c751daebb4421fe1994bf6db642e64bd471d9a":"c13dbfc60b34d75f8a84db1f6aa946dbfc19479d63900450389756cd1ada8f6d2d0776607f7053db6bfa6752c4b8456f0ace314ff3fd4890d6093a4a5d47dd8fbf902e3e3000f5e02ba93a00985f29ad651cb697cc061d8f3cc74e6d8d0743a1988947c9dc2305e2b7c5a78b29400d736acc238131700af38e72d8c98ba007eb":120:"82f1dd58425eb9821fcf67a6b35206":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cf43ff6a1ef35c37862ae3b87171a173":"a1e670b3fd62039cf29edb61b26555bcd0f9184be4593bf6b20ceab263bdc76cdef34992fe0ce4d43bd93bd979b78bb252c120fbaafe4947fc0ec05cce4358a5089a841c7476b0ebfca6476e690cb9ee0b73c6700aa82aa8f4050f2c98500052a2d3274b30b0be67549d756efd163c4369b6df0236d608bfbecd784467db2488":"6c56540b3a9595f3c43f5595ace926bc":"5c0bc6e44362299642f3756acf09878bb05549eb6cd6c4942d39fe586ceac228d2aa9c92f8393e5017e73ee41002e60aa8b993c48a7638ce2ae0ae0eaa536bd749b07a8672fc620a5110af61232b6a3d527b36c86637cc1fa92c84008465fd861920884d8a784e194ec52fcbb767a68ca6fabb64ab0a0d680963140d5cfd9421":"8ad36522e4ad47d4a54c5eae0a8b9ff4911aa5b9b13b88b00488a7b678f63cf85945b8d4998d1007e27529b56f50b9e3b373bb6fd861a990514743b9707d535b40d1bdbc3f58a63b8ca30dd7934ee98ec3325d80afaa37e38b4e82d8851166589027d91347727b314e02ed08a7846e29fcd0c764834d12429d9f568b312081f3":120:"f5bf21d5eadeebdef3104d39362b85":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a0ec7b0052541d9e9c091fb7fc481409":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":112:"4365847fe0b7b7fbed325953df34":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f9ba053776afb01d15915e7f82a04f21":"fb59858421ffbf43d09415a77320cc9250df861e4414817e7b78cab918fa890ea0400d4237f7ebf522d97318ea79f9979a73970296827a1a9690a039e6c605a0a3efc0077156e1b15f14d88685833e09f6cd6f783d0f50579de7a30907b9d8efc4c650ec57dbf7b425ffaf9a900ec91087d470409da4d67cae7328c15a5db1fb":"df26b109244f5a808f3ea7137f2f49fa":"b21c8101ac96c41bad2925b9b6c863f54888f36e4995820ebd51f53e323e46f528d91f4318183be0282312ccde8da075fc2e82041cb41a79e9933012a4cb6e9f89717444bc734da3b7e40e903e58dd0f38bcb115684227ec533c09a93c89c2c2584bbac83a4648f82b4c9207f43b61e5ec470602076ed4731756c87d4e0e24af":"2c306fc60bff58308f2b9f08d52369e87119d7f6de2279fcdea0c46c901c8dc5b4f83578b17a00786014a17d3e380e1af4b9f32fa58b9ac763bdf86ff0c6084afe413a5dcb7617f94d76e59e370eae4829e69bcb70f10545b04ed5fd137e1159f3961b2c01089ebbe2f16a91c782d4f383fbd4d61b66138319b63d79ce9fdec3":112:"d6db5aa539a6e2e70885508d637d":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fbbc406a669b94374c7970f2ac10c91c":"a9f334d1ae7d2960f39da4f1df85830d27c0f13fa0bd23d607ace4cf58b359584120e7c90d3062b1b23b1a9e85a740c9063ff80423b5846257e4426c174e8cd77a3dbcfe12970ebddaaa00a8ffb554b2a80decc81f9917f5a1369e8bf7288ed868457993f480d8aff0b92b3db2fda233e32fabec1a4514715364d4f70f98d62c":"46152f5a68c03dbe2f28e69f5b52e2fc":"1052f8b2d3e11da53ba9efe02ce985098d171dff9b98cbc2f6755fd88214ddb8660225a63a1c8bcaf43ff3930e239824ae8e122068b89d7fe73c658ce030cb51dae9836aafb68fad77b1cb5bff8d7d9c920ec449181e10ea643cc73abb9620dbdfa32e06c29cfbd8c7cb8b1103763616ae6f9b19c4a6e1eed88c3971c4778c2b":"7b16424c508da3fed14bb53462d1805f0f9d09f803d4e166fdadbac76f9fc566665554317431642f6e527123ea6c1c0ddcf45005213b0f2747321fa112d7b893cdcf4c1a59e8bd1c48b7d77881c6d79de3d850bce449969305797196d187196d0d81dc3423295f552d3c27d6d70e42c9a1a744a039181e733450c9985c94ae94":112:"b51dca8e00988af0987860a663ad":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe96eab10ff48c7942025422583d0377":"194c8bbbfae4a671386b8cd38f390f46f9df6b8661b470c310921a1c858a938045834bb10380037fbf5f5e00688554537be0fcafe8270b9b59068fa056ab1268fc166c2d729243a06650a171c929c7845c85330c04568d62977eedf3b1ba9dca13bdb8f9522817c8cb99e635e37465ec1c9f6f148d51437aa9f994a62e1bd013":"97ce3f848276783599c6875de324361e":"127628b6dcbce6fc8a8ef60798eb67b2088415635119697d20bb878c24d9c6f9c29e148521cb5e0feff892c7855d4f1c0bfb32ad33420976714dce87a0bbc18e4378bd1ef35197d0ca73051148f1199010f63caf122df5f71ad8d9c71df3eb2fbe3b2529d0ba657570358d3776f687bdb9c96d5e0e9e00c4b42d5d7a268d6a08":"12495120056ca3cac70d583603a476821bac6c57c9733b81cfb83538dc9e850f8bdf46065069591c23ebcbc6d1e2523375fb7efc80c09507fa25477ed07cee54fc4eb90168b3ef988f651fc40652474a644b1b311decf899660aef2347bb081af48950f06ebf799911e37120de94c55c20e5f0a77119be06e2b6e557f872fa0f":104:"6bac793bdc2190a195122c9854":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f2956384a65f9627dccf5126141c7bca":"89dfd185bc33adbea0c69b55d37087de3fa7fd69a9fa76aa1568ac363c5f212ae92d202b9338ef397266dd8bd1ef36cab6d1368feafec69a4e3e11e1bf1beba35d96e040d91e9d3a838966bae62a15b18d621f33efd9ec511de4bd287c722cd39b4ba43e7a6f8c8ab672d69eac6b21a8d3544ab1d64f9de31956b93b1104431e":"2f61f76bcf074a3d02f51816c0411052":"bde1508823be7984d5921db4cab1ed3017c0d73cb9bff9874f39a6f5bc449719c1c43d8fb4e76f6813b0985d4b124517f9e4e2d3c552b2f75876563c93a44c18fb6523ee732ea5b6d13417db45120653df3820a32ebdb42d544768461b1d0b55b46b09f688e47240880930fca7097ddfae35f854891e21891dbad13f661a2534":"023a9c3ab3ed0181ec8926e4bfbc0fa63e38ec8980eabd2ed75e29b681b3ec04cc8b27fad3a7ce6dc1efd680479a78f02de7ba92f45dc03de02852a2e67b35bb1dd154568df7acf59081dfc05aca02c0aa9f3f7b4fd4dbdb671b1b973a48af0c325a23467ba5cb59183540f6edf4c00376be39a3a672feb9e795d1bda96f0017":104:"613eeca3decbe09e977e0beeda":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e9bb30ea25f50b3e7711fac05f9d44a":"17a52f4faa608dc9853d4511feb3dd9d2fb92d7a3deb3f8a7a6df3fa2a909b7db30babef12d9da71aadfad16bfd2bcb5706ef2addc58eeb8d8d13f31326f7ab1d0aabfe5525014f05cd8fb80e1ecb0654e62078440157df66f618f078cdf2b322b0f8878bcd924609c33e42059aa69fe0ddca659aea42ab907b483aa55aacc63":"9668e8b1ce9623ad52468431dfbed632":"f776c6e892e373ec86ccf706704d47cd89fa45c2abdeb0f9f6f32cde88c22f001150cc66f0fd83e9b75b97bceb98913cf143cd8a68bf06e1125031e3e7f09dfefbcaef4f04d7bf28aca1992a7e4228fd4017a5b32fc48101c8f5a609eaee9489d02200e8a13efeda60b57df53ccf2fe26309a1c1e1d40db6eb8431dbfe8d43ea":"407171db1dfb7ff20d5c97407375574220534ef75ba18dc616400e5e967e72db23783a6eb9506b611d0c67a83f5c423380ceae66d5dcdffc31e31239357b91794018e9c4c36c286f7b17ee911136d9cacf564baf5f9b9831779375e63aaade8734a91bd4000e53e5e412b3f92f8b68e0b7ad3bf6f274744e2c5a635894bf918e":104:"2741ebc33a4d4c156c21385a23":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aa705ee70297e9212f70585d92f42aa4":"5e4b47d986d55f49708cb3e4d27072a7e850936b27b24723856acec7b2e03caccd98c2a002a2dd1d3f4dad8827a5910b42986cb00be7bff47eb401be5f324cd2cd3ea2fa41f4ef61f9771a4c0184d85d6023f37f3f54bb9d7cd621fe36ce11a82678a0754a33049106be597c53f287692ac5a42e59f09a2a117fad6c034a91b9":"89822c9db69229d1e4880afd19965908":"fdd655584a92e29a14a368f28a73f9dc608e5c2ffd308d4aeff7326bbef5ea58f84620c9ad43c0b598c271527ae60dae6db4ffd3f590e503ae7057d8c48e9b1bd8f8a8832629bbfc1391b954a4fcee77d40096eb5dcec5e0439375ed455378d716ee8f8b04ccde3291e580068dd7dbef4ba3685b51940471f24859f8e93b659b":"0f34bb4e2a4016ba41eb23e7688edd455f2d46a5097236d9a124ae0bd47349876319976aa4c3aa41680a63cea85f433e3a1b4376f79d004710d486a3fb5afbb7db2c41aca400e04f75ba91660bb68354029defeaae1853447f8fa0d470b25371da73c9e8ee841ba95fc273f88c2e4604ff29a131a7d73e60a00340e886df5359":96:"a247e88acbd4e354d7c8a80d":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ddeec78a0c23e8c5c32d3d4f9830f927":"134fd6be1a934053a539398aeaf5d3aceda3ef722a6b3568af6958a4b1207f7e9b9e835cfd46a7f3d4faed829ad23554fc7c0d1a9b32bad9477d9dd397a259cfb0bea30268aba7b8cf4a35dbf99a6b2ca968649847f717749bc5f41374e1574ad6c357f7b60b0cffcb822bd3924208d0472a973ae97550b921338792ca88fde6":"ae428ebb974ccfbbdbcf6203105724f1":"e3d5ce768c688e881e72f036341b2d91947e02b7327eb53240c85b0b93a40eb0f3346817e2c9e126209b31b57633c4384f7af46846d9bbe6fd0d6babc57b84d0f5be2a8a7b146b38914a4cea70273d5461126cfd7527ab397510176e790300a06066655907d499bded79f5bb39f6fdb03f85a415c2cc2ad1f25078f0da7df215":"865d6148c9820b67c08c17c9214de612ada6e24ed67933d13c3b3ec43637fa305673d8d52d15a195b27a6b2563682a9f98912908668e3335192b1daabf26e1e73d7d34764af006b0c14a0ffad3b6a0def59964b11eb52e829ad790069997931d09be88b8d60aef90e39dfcb0df4fd54b71597b8ac64670e703e7cb83efa3f2cb":96:"64b2458a6eaa6f12937a8643":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"829008339e983918b8d142091f84ee28":"6f30604d8c2fae216b1ed3d67485631eaada68fe89a7020d6e29f42b937e7640fc1f23c00ba48bf239740f6468289ed211ba81e809cda55fe067bdfa198bf0461daf86d4a7969de9a629513809b358630ce7eb50a783b8c98ec1bd5e56cb47032ee8fc64a939dfc4a870ea9419b16178109f1966ab964da34debcf00cc49f57e":"dc62cf12b6d0439578b457e516d8205e":"e700cd917923b16c968712b2fdbf08be1b5c3b5d9e42cc45465549898daa07c44b4cd321ba16a38aeb6720e217a58428e3a4cc125920cb3fc92f039b66716543bab71b64ebedbb1e5e3e8fbbecff3385ab0ab16b7f6554b7fbb3b4c92307c654361f984d5a6cb69b8708684d90bb1fdfabc0cb59f42c2b3707b3755a8c7abf34":"adf60c4affb2ac76cce20cf9f302b909bfda1bedc60be21b53f65d0b81bff08f7e90ecaaf12ee1f9d921926b75e244b7e8357c1cfc26013a6d1c874ed2e5cd0cce012bbfff0dff85b372d92c18dce887c1651b6467f173a67ac8cea194a6c41e77842675f60cacfbc9c81597a08959d19af632d3c191bf69505620e4290bb040":96:"6209c09dd1b7ea85d02eb9fb":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4aec55c7e4bb36c32cb543b57cfba3fc":"4cf1443a5448fd09e09e91b7cc5f8e00f53f0b75a6b17db5ab9a721167de5f7bc5de1fb711accdafb7f3f1bf6b98393e5f09e9091e26d1340122edc91f7e60f62caa218f1927c8f0032be0752520aa650f6f1ddf40412c96d49dcc2287ee17834504f1dda3f4a723e2fce064f0b8dae0789ec455922a14488623e3ac10b6e312":"6669c3022e0820634a95efa2b5578e93":"f6ae9b1aaba18acb741c9fc64cfba3841f5127b1cda5cbcd48af5987428daa5782d2676bc3e2ef23936ec29a80d6b5310282b39b77181dc680799ac9c8125fc48afd185cba2ca8900bd9a0039787b4f3a6846f3edf5f7b921dec2608fd3df67600ae0aba9378da0015bd57d66d2999bf751806d1b89214332bac50f721ca9474":"720c32b0d454f086af36a32cc7274e2f2fe08db9cf1cefecc14b42b3e5c573aefa7e9e1ee0042eee21104dc3e4d19b012099280c5a53e40a0bf662d8295dde743143a28be7305729767a37cbdf08fb3c87667939a8ffe44c96ad272e30b75aafada2963bb9636f189c37d976ed1c458295fe85ed19662c463d7c8155e9f04115":64:"4b3343b627095f60":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8629e8064b3ba2b95bc20dd075f8e931":"85896de4b6454acf8568ccf95ab68a632330ce71ca8b4e7bfe26ad8d7e2e6b63f2032e2cd365999ffd24ece0df16904d749d06e829a291f3d07fccee27d9c6f3ff3a139d9e33f0660803de8fe79dc6ad291fad47c93543522a1c38e40697426a9855255e3e0abcb84d474ead15341c6b235ccd755e58fe6e87898d216d65abac":"dc4bcefe284cfc606f39b057b7df411b":"abfd0cb6fee8588aa68606b7e487bb9c0d2bd11205611a6f30a78d9ccf28e827cef4e966fa245e4b7b39533a4bd00176ce3c97858b0c8abdff4c548c835bf1962a6115c4ce7c05b1ce5aa29b412e816abc925b8cb998eb4b69c43a7dda1b3cf0d728072d42cb5a489db521698c5daffc3013537bbf622ef76a2e96089b7d4b96":"b295ca0d7707892fb08537f42d28a844f5877177f136b4620f69b05c83f43bf2e61323e80076c88660f5385060228bdb91d866686e691cc7e96fdaff41f2ca5f5b5d93ecec7bba82515a6e0bd604c99ef93d3ea013d899464558bc822bd765eb1ca2b8b8a7d961a6a316bf135c22d2ee552e62d8bbc5b60ca31bb53cde82fb5f":64:"d26cba11f68a5e1a":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4d901e59a491c86bf538f7b38247bb21":"4c370a9f316d25702195409d8e73bbfa40aa15c2b0ea55db9257a9ae4e8dccad14589718741a78e5a74c26a801857e388c9f141ef7df08bc01384b2b2338c38abce51d547056f4bbaf7484f9edc96df122e71f132b7bcb6484228c3ae2f741a2c8b9b208b6f49b07081334b93c501938808cdbd2e40cf95ae4f27a29e1121480":"39e2788c9697e82cae0e222a9e413d8f":"48d7d20e424df3c3efced29e860771647ae01312a96e68d33f982c540e74160a7fbdb623d4b19abb1871d74c6dadc56038954b154389b752bebc40cf4ee1505ec8d844e1a04dcae430befdb081cc84252e0840f5f5146ffe5b9594f856afc2edb33b3c6f9041c9631c5e3d812959c5504938635f72c6fe29a25bbf66a4ecd211":"262718671dd0e2c9a40b9d7297c7f6a26cd5fe4f301999a32059812719896d3a2f5350f6ec20d999fc80b8d7af5a421545b325de9180f14505f0c72250658a5014768fed63ab553de0fb01ab1368356043f6d1a6c9950c80e3d9d4637bbeea44c9d58a4148bb10974d507c62b67cc4e37eaebd7eb8e67077856cc5d1702f8e2d":64:"bd814b4584941681":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2f54229167862034ef6c5ff4a1246697":"af2c89d3600329779abfbcf5be8bb83c357d4d2435fc8f4c413b956b898d22a8a889db9e2ff5e7229d7495576989695a0b52d796f9a23e9570b7caec6b46059749c29a293d31a6224baaf73711bc0e4a587abe9d0379adec6de04ce444676dfd8672e6660cfc79d7ee2e7625ce57dd4681bad66aa29bea2baf936122c3db17e7":"8168ef8ef278c832fc0ec846bc9f62e9":"abb9ed24137915265bddbd4b63f1d02efa2a99c8c373f19077c7e1c389feae36a7af42c661b0adc5dc8e4b5520d334e8e0e112d42c2977fa23485c0a85aef83f1e52d6749bd29cbebe14aea6ee1c1098aa96c6360b0192894bb2001c7c0fed7f00bb84953c23bfdda00818d1568fb94c1bd971982d6c01c12a35ef7af34f947f":"cd6dede25433fd3da6137001219b57aa54bdf6039a5a8d66138171b006194fe3e13d484e5cf57a1acdaa8e76f001df7bf41cbed2c5561a37a32113fa116d0918167c29dd9e7d46f7c18d9db33d7f1bc33ac21d159ddec57a2e158f0c0993c16dbf50582371100a8d7c55cd47c03473c5770ad562240f754c99d95ec593dca284":32:"4ab63349":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b7b52fe74c5c3266edf731578d28a72e":"01a4b7da57c0f7d9aea51283004b23f899669dccd6dbaec9cd6e747c7adb52432c7c29d1411ec1df4e5e33311ad84218075dabe17f73c95511ce7950f08b618feff56bd452b33455a1a03caa8371dc7fb9aebedb3cb652d94e06bd00a98bb06d30b506d41cb516c759f6d7f793472e6d6dc9ae50cf3dc8b1ad3d0517c4f555a3":"a005750e9f8c68ae238668f0a8f015ba":"805cf3635f9d84c7608c242ee23a4837dd3f260de9afd6166b08164a0256200be9b52e5259a4a54186ec067ddfad90f5c4f92afd1c7e4f2d8443312ba3c4818b664439a02644e55467045071aa2cc7939a940e89cc52c8a53623bc6473bf843a4e0f00149b2ce1543a6540aa0d9c2c5b68ba2bd5791078deed1de3b5f48257c5":"d6124da0896d99fc7f2c3688fbca164f8fecd75b6260162c4dc2d2773ce75cf41a8c7a57998e0a7e49cc71e5ad6a04c7415f8d4fd11f1035d3a02ed744345d74ebc9c4f202f65bfa88d55c747fe777225e218f2149da22b53e6584823dbda42cc2dda56fc72b753f3923c443eb5c656515dd824d8c08cc78152226ed8c1808db":32:"60d86287":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7a3501d9fbb86ab80f5faeaf8876b7c1":"4f0dfbd2aeab70c80814a1f261a1fe442eacff5d267fd0c0f93757919810f6610113f1b442270afcc47f2fa01ab01797683ec9267691a0dec45033c57f5cbdfcafdf154fc99e6140176eea92503b3f6fee5dfa5aad05f802e08a08f10e49a8b32a50c028f2bc7aa451be3747d10b96b3a1105c67c5167eccdc18b4a9b0612d03":"6d59be1833e75ce7f54ddc91ad6f5187":"3e556b1b33c42f1ad6cca67dabc6ff79d6cb667527335858e26cb4f6a3d8503ec415968ba97d2d79a3f80c1a10d75174eb5294cce8b89224eba7dfb258fb17cb5c5db7a914ace06e94cd2f2cafe3febc8adc4c2264afa2db2c6356e4c3e8667393a77a0afc36be678d5c0a4b63ae82d9922bbbc60559f331ece9947b67469469":"615ea4535f1e579d7aa45c011018f272c2e234c3ea9e2d102cfaa4a437c41e64bdef7a211ea4d858bdb656215e600911435ef9c8da68e8239e4782ced7e7add063f33f5bc62b85d9ae44ed1b139580118c5fc054ead08257b0a97632e8c503c6219294af423f0deb36758e05857ebb05c6835972488306ebfedd2ca4ce3b2c48":32:"74c6bf0e":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"195ddad2b0da195ea54a9dad0f86c161":"":"265ab1995fac4fca7c2b26c84e4a2dbc":"":"":128:"930f719034b76c232619ef2792fe6e65":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"12be48e90c849063637b1c2ab0f2b467":"":"0020c3dff2f6f3acaaae982ce38f63c3":"":"":128:"c8891f32b8015024ca42536d633b1863":0
AES-GCM NIST Validation (AES-128,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8e792fc91675d5efd4d80d5a06378d24":"":"15ad63b969f8e313eac3c717ff9a994d":"":"":128:"de9a04b030954b0141dd78ffc67323d6":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a668cfd45b6ef8b766a4bb187d0824d1":"":"a111e94a6426ad9b4362132052eadf4a":"":"":120:"3a3331e6a41cada2cca8e856135549":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f36e07f2689832b914e0b817010c528c":"":"654104f9d16348231e6ba6fd30c1f02c":"":"":120:"be897583bae073f42138d64e622c35":0
AES-GCM NIST Validation (AES-128,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"25d839a709d98ef9c0c9e78ece961eba":"":"b64537609040790ff648d51406710b9a":"":"":120:"4d5854c69cc973be8de41d5584407c":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"957dd619f9f19445c374ceda9e9ac082":"":"34887be03b4d4ca8ea2261b600ab0b0e":"":"":112:"60e2d50adff707d8b279bdedb277":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a5c9a2dcaf576e67828e806082d8e780":"":"f93732aac9448c4a427e634089d7edcc":"":"":112:"f67ed1c98bd2c5f3a738e75f15ac":0
AES-GCM NIST Validation (AES-128,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0a30a816e8d4d85d40c8e4d7c93b777e":"":"bf1f332aa19682d05cf95f2b03d26af9":"":"":112:"acfb2f7884bc496f3089e50dbf42":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b45a16bba5fba362704149dc56ba8a13":"":"64cca850412091bf4e120ccd612df353":"":"":104:"7b1adc23af9be185e5ae0b0f0e":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0cbcbc1c72aa90e3ea7e2fe328d79723":"":"2fc5fd964b45082546636ae1e208a937":"":"":104:"fe091a768c731e54e2237bfdc4":0
AES-GCM NIST Validation (AES-128,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"94297a1ad3f0c333cd9b087b1efd43c0":"":"52ec9dc82131d7b1c69c01fed6aada10":"":"":104:"5c927dda855b76ab8fc077203b":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1e8cf32008bdf867f0ff76e7d7ec21bd":"":"3854b7412de72fefcc4b0c2155f6910e":"":"":96:"cc8e7eccc056b06cffc307e0":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ce1a9bd93fdde2adfd8c2c16a395b95":"":"64072313ed36eef8209f079fa622d7f0":"":"":96:"cd9e8ffc1423270015bf8e8b":0
AES-GCM NIST Validation (AES-128,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b15354ad3d874fe472719ebccd45f123":"":"1b2013153290edef60a6a438bd7517de":"":"":96:"f65a841ed510becf52b1eae7":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"14ef129784776647eb3fb8897915ab9e":"":"f7bbe9f699156549935f2b92c1dda163":"":"":64:"dd10fa64fd51231d":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5d4470053c46a577bba7000075e9bf2c":"":"854b768fdd7492c21618ca716bc8790d":"":"":64:"1f3c73722006023a":0
AES-GCM NIST Validation (AES-128,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ea87d675a0d406c57f78a2531bfc0c9a":"":"0907503fcb06ee384526f7206180a080":"":"":64:"65d5466392b63bf6":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3e8e27568e6e17ff807cc207e5d4eea":"":"18e51cdfb4a3a5ebc7b0d7b17727aa95":"":"":32:"a7e3f637":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"596a602164b1a0bb50ef91bce3a98796":"":"2025e72bd6a511980a8ddce34565d16a":"":"":32:"f84f92de":0
AES-GCM NIST Validation (AES-128,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"32ea8970a8cb70d6ffb3972a146c6984":"":"":32:"eef4b97a":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"869ce65e5e5e12c620076365f149784f":"":"317bf07e83c2e9717880b7d080957fe1":"ee185d738260de67f1792a7d548ea73267fbbb6543bc081fac43e00e6cca92d7d646f27054894664ffdcbe635e34cfa800912b59fdaa624b36c44c9ff4f193d3be2f97a7820a6d4ceabe967091ef672098baf82dd3b671cac4fd4f4b14e4ee388fbdaafb4dab2385df4fca23a78d31f11bca15eedd7cac778484258778106a07":"":128:"add6c89153c4c0eead03df44487742a0":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0a05baee927bf23dd2f4b57b90fb6434":"":"8147e99dc9e462efea9c1d7f30bdf45c":"6424ca7fbf24c6c3b0b5eb9d769b26a9792c96a8585dc596208ae6cfc0b265bd8d26af31027f278bb92a9e3b365beae8d964ec7a4096513f84fa73f8739fa7e11d54d678bed19546d2b71b3d0166b25b47ad7cfa69d74057d889258a796a65f2bf8d3bb151f4e721d398e74594a186e6182c16fe4c8813dfec67215b3c4a94c0":"":128:"05fac5520a99ad7fb407c48995a2c331":0
AES-GCM NIST Validation (AES-128,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"":128:"2ce6d74cda466354a736636bf18acfc0":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2b2bec16c7d326a35a8e4c0b8c2e3674":"":"4573eb54491ed91bfa2185b762115bc8":"7a4a6b3114dabc50b201472c5cb13a79430f78eedb2ba8492c01ce10a74d08565b9bf9874bb8fb72f694a23babdd08684cb68d7e09e65813728aaa5c41f9c2b10d921f8271e200e0c519c7c46f572bc9fe3f27e13d1e6d7bda4bd66c1c4b0fec8c68a1b0ed7b0659009dc894ad55e0712ddd0837315734f2bc3b757241af35ba":"":120:"5f5d4695795b8580b0bc414a81b002":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"886fb12554b075dd9663efd076acbe56":"":"7e7a73542868fc27a01865c3aa635ad5":"cb25c2f029c7a877a0aa565c7f7347b317ad534821edeeea838996dfc42b13787e5bb237525ac926ca8a6c5078210f4a27863e8114c728d09653fa93ae990e99f0c856bc8097c2cd33cdca1a407897e2f495d2e75356aabd891702f25ff20e6b6c8a785d74b78a734e311fd236f9e970202674004ee4151879d59340b20aa23b":"":120:"8255116ee1e3cf936633017c4dec3a":0
AES-GCM NIST Validation (AES-128,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"920fdf4b39c63947d57a07eabbf3f2f5":"":"77431ebaad53e42ca7eead0d45e5bd18":"11f82f9ef7c2161ba73cf7da82c5397da5e8278da180a976f43222402e983b057171f793641a8343d6366d6cc9260dfe8becb8396b5bcfa0f46908bd809bdab61126cbb8d63f601965fb9e4b3afd66c594dfd394d4cf06f79f361771a85dcead6f45dc7df10fa434736eb109a76fe6cda32c5773d4db6449494f2a3f6c884bfe":"":120:"1291cbea1a9f8b166c7306ff9eb281":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"114060534f526895f30dfb4007356ea7":"":"5ed7fb59618ec3d081e60d8259a3f184":"a56566a98d9d4fdcebc932adc405e0b8190d537f931983168283d0431e7589333d42f2a3d6e41f268e7b566cf48694cdcfe01fbb9198804ad39e7d387039575c5de787610a23ec265505a448c3a64ddac1b0d8c567eefe5c3c2dc1bb15af45b4bd8fc2e1506ddeb2e39e04f72fd24a64cbbbc929800e0687b53eb89b3049f271":"":112:"62f770b3985388ac37e14e8d4696":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"697ca4e9de580b525d7149e8b69e8093":"":"e844153734eaebd86983aa3bf50068df":"cedcd5ffeb7988837c38a0be4234ab1b03f14367a1a3854b6dc9f33eb9a87c411326e5cb7d12dc730cb6f363da2ba68affdfb651fe497942e0dd59668f56c23dae80b7bbf905d36b501ff037fcdffa472efa4bcc1c975b67e5d7f348db73e0ce648b44ecc5b5bbbdf3101bf32ea99e3c8e8991c94fa609c93d4b375a4389023b":"":112:"95becb04cd39c868c9dbd1d4e59b":0
AES-GCM NIST Validation (AES-128,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2fa92cc97ef469efeb2c25838193435a":"":"07e6492f2377c04a85045d24940fbe8f":"0f021fb787c6de2be054bdb2741aef82ce35d951de2986c86c3dac77ee0804dfbd010d33a5dcc109769d4b8ff1471eb98fe917c7b0b374e80539f2f4432f92aa55d8398a71510c2acf85c54975fb09ff5638b936283efa3c1d3b054865f97685d6bfa0dfcffde3a20525b5324573b69dde230ea87c685e4f6b5c3c4c55828a86":"":112:"397b2b0dad7f1926bfc25a3ba0ca":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a61f8a5777ec3da0c3e257d421286696":"":"14894cc4ff71e249f0053bbc1680331f":"9df46dde257054160854248e70625183bf957ecec36fa4f5a79a1650e04b500f7f2fab4bb873f0e813f0d6b17610bde0de95427a8e2d1293dcdde053f5b1a5a81af25d553289e89e77e4ad7d0a1190151724730149050bd021ec61a08ce2271390161c752df8b5f61c33ee39366de4c1db41d085ab9dd88e170e8c41c571e2cf":"":104:"e062ab7984221ed226be353731":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aa2d04f4f5258c6363b1210c91aff7d1":"":"6b24c03273dcfd508cead2df0c65ef2d":"81a1b326f8f22bfecdf1f386bf8fe678a427e3886801b823a37860b9a832356724b1d352d6250cf8e8f89d0bf2314fd11464c3b4871478f0bc290ee1096c8f6cb5484176d70762289b44309d6a88e4750185abf30901bcf8d952da9abaaf9807c0c0ee8be2b247dbbfd182b83f9bfa67ca3bf448c3f5a3de3c31b058c3f944a9":"":104:"80dee09fed5183d6405beeb268":0
AES-GCM NIST Validation (AES-128,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cf221e6cade9f6cf509afa6979cc1fb9":"":"d35433be41a259dfaf58aac1d82af462":"b31c477490e5624c4aac8e590725bfa8b3efca618e2369e9b980d6a463a014d55aa8317a9e70ce6de7c574cd15242cf4eb3eb078cd2f49fd82d1a56c6c4241342e62a2e9d94f0aaa024055cb441d650f0a6ecabfe9ef563d6bd87d4cb1bed348aee42487c13b73e52fb70f0ca6ed81924fd519806e04babfd08df1a00191caa1":"":104:"f1776b1ee7a3c49f99f34f582d":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c98eb634c7caf52d3f3d9f344e141988":"":"a0e58176826910a69c2d68ae1c6a05c0":"6e559278bc469cc670c4d9105c3c2f8fa308e11b4a60f75664a9bfaff4f0176175ddd3c6c17ff91a208dbbc7c49efff099fa873f60849ffaa3a3003419cadaa06b92a678b80bf6c952bbbe596dd0a2eed35507c55c48a9e6131bcbda0621cff87e02be5d082944f2c8e27211527717272839601b0e26cb5aa2301afd05ae1b35":"":96:"3d8617b2db536ba7d367013c":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c5018f4a8e2a850979b006d0498dd0fe":"":"75e4bebdd170159cff59f895ebdeb118":"25ed2831fef205690381c73e925ef7ba20d5f2e3a4b5d7beabd749fafa08a6941acb1385aed977ea824322d378649f646a812e6c87ded6ae437c68ffdd4fae937a8498ae825d7523746730af84d56380be8f575c60e7f836a862343916e98cc2aa5a27cd63cd92df63b8bb47c81fa6a53740a125bb9cbb247c916363e60f5f65":"":96:"0aa5aced93e0237bea9a0015":0
AES-GCM NIST Validation (AES-128,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cefd40aeac28fbea6e3343a125fe1c9a":"":"324b9722166edc3831bd19c1db5bfbf2":"72b7a4289bf7f5a752665839adde8f79644424839db059ce40de326414c09691d5c7071e43722104a94e430e263bc974b98f167c50b97490bcd4286b502f607ddcec5387695463154bd9598ce8ffb6104d1f7010bc196ea2dcbfbf452d6257b1da00271fe1e6fb56c43656d5570b965e0369502443536cc46d4c05b1e863ed8f":"":96:"0c6b28de22e02fe6a4595d5f":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"58cb7cb58518ff3fecea4b44ad9fdef1":"":"fe619efb1c9502c03cb8a70792f9e046":"1a7c444a84267f52c36f3c09f8c4a88b6ffe3309b8edaad93a08d3961af28b7c2baba5165f0a9efe13fa6a0ac595da156741dc7f728c11edbd8ab02f03e45716be504778a75374ee882af488bfbc6cdd58fd81d3ac5f369f85ba42c6fd7f9df4b25fdd2fd32607ea800047e06058388c4f71a5eb4d825e8578106041c84c25a1":"":64:"8243f32002d33cdd":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"15cc4cb979a343f4adfb821d6f6e9c66":"":"68464e7eb64360c7c0a8540ac3473513":"d69f4a9595a48a50ec33ac1848df3d994eff838b28ea7c8b2c42876dadd60a3f9769bd4f61d8007c9dd4fde55edcec8f5ac3bf23b1a958fa714dd88cd5261edb69b7b086ef0f442179943f0871a6253aae99d31fdca448bc3efef353b5cc55cfc576e4a7fb73a5ab6b5af58dbd381bf7f9d69a5c2bfc902901fd485967b23bd9":"":64:"c0f4302d8276c3d3":0
AES-GCM NIST Validation (AES-128,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6398de910ff8f3acdc2217811a1da2a1":"":"fc69b21ec18195901ffa62260fa20454":"021f225240cc9a68c4886824d373f3a70fa32b3a926c78164642450287d269d39dbd49c8c71ce7b914f83e8b53bc61c6773f98318557b45f0cc2ef2539939df7a1e6765117f75631dc5640291d20e6402d22cd2e231f9c2c67cb24ab5d8a69933c49b89c9fb2ea57136a6bf1bffe8e04d8d6c813040215f051c654d93224edfc":"":64:"314d1a332d3c590b":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"382d86868ccd08d417d94f3b73729e09":"":"069069c377958235171437b34e0fce76":"049af372e34ef7a92d0d49cf2dd03052dabacf2982eae6a817e6146ad799971be239ef5810ec3f6cc6990e9641a7b696392ad3faee38bb50746c1e93913c02dbbcbc6bf54f0d062f176779b7c0dd5d7ec7752601c9812fa80508a78bbd26922bed4f64b1ff2a8340ce1c01e317e3526cd8218ac24af87b07f8792849f6479b8e":"":32:"ffa59fa2":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"21052b2fc7bc7a662aa9dc4b6a04f25d":"":"d7e5432def6a24d486a608e5c5c919a8":"1970ed40003bccabf7f3c57bbe5ba27e4254c1511413ed421cef3a6ffb9f0192987de83ae965478c3e9979637f8b3fa5d10d69b916f03fdc92ace7736f171660156d880114aefdcc164adb6f8c03940d9b43ce8881441b41cafee3351a56fcb632aa4b09ea81adea26fb0d8c6e1ae380df922a429ae1f5b82b38d9bda4323c51":"":32:"ff342f4b":0
AES-GCM NIST Validation (AES-128,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b6c53aa91a115db64653016375bd747e":"":"8163a4fd9c2c7010bc85c86177b194ab":"93cddd318b999262c7cde2838cb5c4d78f3eb1e78d305e5f808fa5613526d724e84a0188ff42a2c34bdf3b5fff70e82b3c30346e179fb3faf378bc4e207e335a44da53a5ae33770104b95397fb5acb746e6418d0dfc7368b035af53b470fc66bd0c210b68ce1b276820b621e919f044e5cff5ced7e07dbb8825bca6b4ddd8ee2":"":32:"50b8acce":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2251815f5bdfe1111c7f9ca246662f93":"2247e781763edb1349db2cda53e5853b726c697b34497761373c3b6a1c44939207e570e14ea94bd5f9bf9b79de9cafedeabc9241e9147453648071f2240e10488c6e3d7077750a6f7ede235d44c5a96392778ec51f8aeb1a17fabe9b6c95fbc479fff954a676813ad3d2f71c76b9d096a0527f2e1b151aa8972147582c0fd2bf":"58973280c2a7122ddfcb25eb33e7270c":"":"b202eb243338849600e2feba7f25a05fe98323bd7cb721ac49d5a8136422564391462439fd92caad95fc8cdcaa9a797e1df3ef6ba7af6c761ceaf8922436dd5c8b1b257f801c40914c1331deb274c58eed102fd5fa63161c697e63dc9dfe60bd83cea885d241983a7e5f0d6a8fd02762084d52bf88ec35f156934e53dffc0395":128:"c3701ce3284d08145ad8c6d48e4ced8c":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3199b70e7115c74e3aa3745c18fce8d1":"4fa0b090652d5a8dcd9b5f2ceaaa2dc87a40b30e2d59bdff09e1f204d1b90371de70935c385cf5b4d7e0c4e88661f418705370b901b97bf199b366e669bc727882d4aedf8171a8c39431f11af830358cd0d9e110da1a0cc6ef70efb255efdac1dc61e722a2d8b7fb4cd752c6350d558ae1ccd1c89f8ba44ab697df96681ee301":"808a019f7fb761e9701c0c4f1a1690e4":"":"8d5ed4146fb491db9456e92f753aa4f688a9bc276e6aebb782a0cdf7fe578d74ca3946fa7b7893eff6345e64251cb1b146442acb64041324e2847481fd4388b17f83206948e67c1e66b894d5d40ecac0bbe4db0c6f58b65a1f19f29429a9e76f78ef5dba0c94d88dfc06e6222a506f004d24cdb3fe26d6eb6e08e4fdf6289651":128:"908806d668451d849ba0268523eb0e4a":0
AES-GCM NIST Validation (AES-128,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"63805cef84ca7fcf281b226c3ae37230":"543fd64d1454ef6c007ee96b3ff5d2e4b7f5d15c23e7548dfd1dfad4da7774b8795e817fab3be7fbf8e4d0d351a743ea793d9d01385a552f78ede054be079aebd1511013de2096456e9fc1b83457fa1240cd39c17440d4b55c4e390119a759055ac851a02ea481eb83e294922d35f687a56d801eed638d289350e141116ffba8":"1aa9e75d7854509a85d995ee482b8eca":"":"98db9e8e3ff23f09e585e5326f525e4f8350a1f233a0aebd60d5951583eaf5220f1690ee3607ba98cf8cc99a90efb7197835957f2bda918a32e528f55d548e3c83d65910b956634224cd5415ff0332c165d1241f7a93976649ebed2cc7e62addb76231bb738ee8a291b62365965392aeb72acc5f0fbd2f88f5613fcf44a1b074":128:"9b1baa0b318e1f6e953a9f90b21cd914":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ec9245e8f567e1cc8795bbf72f2999b":"f266d0060d290339def5f6d8dbf7d120a4c645aa90470e168b4f35342a00b8c7b7230003657d377d8568d252765df142e97a9dbfb9711d9ccf396f3d51bd91673f129d58efd80ab83a0678303e29a0dbeb1fa9fdb7fbde586a17ace65e894374ec8da1ccd3e21851ab998534de46cb43b38e241edc04b5c571dfc0aa0074d4fa":"413628d9ff3e4067d840b0abc2cda0eb":"":"145d83092a269c8afea604e9192b8bb550b9bea85f842fcc4997c2b00c6f3ca46100e814e82389f27a69a12d29340c5827e607657a00fc72c4de30079e23760769e800ee4ce46957f82d61935d07d1c70dca836c19969dfd0fe0ea740a52e2d09b1c9aa137b5e8527756fb2c2298f8400949ba24a8351c1093626723a68a79f5":120:"ad174d1edc713c187a5859a390fff8":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b08df4acd253f9dd4abc52c4be488015":"82f665910d853fd2b775bf66a1707935443574c90483fc33ba02d6479fafd99c5f816bc58a1393a44fb32711fbeb0d6936efeb3580f147c3019e9f2e2ef48b202bdd369c277791bce524f3b22ceb74c664143c4b1da819b229a5b480aa954be110ca006615d9cff5a158342a47cb6d04fbb817ae4ddff6d4f86b74205799c9c0":"e1c27d35520ea527f9a2cd9b0f717841":"":"f5b0fcd812061be999901595b3547e70f7144cc9e0b0098262be4c440e8637af782f536f571534a658ad1fb44360d9c454d1000d6957f261401e09c0f19f5146ee5433e378423f9c94a90af2185d38cbe2940a459d8409d987d04a1f3e686c2b91d4fae1f3e3bdc5a30569838201b7d30c7320d7cbd787bfd6cd40e7e2d071a1":120:"fa31e58fa32d1208dd8a67fed44033":0
AES-GCM NIST Validation (AES-128,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9c08d6efb167beb035f71554f64c12cd":"704f59d5202108b949170532ac1e78edb0e06fa323c1c69202d7d22dea4d7342199cebe949e980a21ff0fac282b868cc31ff4f6674c393c0f2cae2374664314afaf7791974b6bd6af26ade7fc266a6cd2de4f3c1f479f895ff597998cc8b929c1f05db13d9b9a4d98c9bc606eee32915bbdaeec6576e1fa6e8b22e0bb1098074":"608d56f6dea2fdf175eae189d42a85fb":"":"2c7d2618808adcf8edf5a54119471b930e07488d5fac3dcb53f4ade43674d162881bee1f27dea6d158b254d4b432e17f211515bf595a9874d89f8cf748ddaf2324078029c6463312ad32eb0aa5ebefc31c7fbfd04b37ba6b766375952c211d160b943e9d3c5e144b581157bff9071d31cfc082b55c4a0fced386ef2fc75e1a7b":120:"7a1ae03e2838294e286dca4fbbd9f1":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"192dbfdf86e48bf18710e706dc90e356":"1d7c45c8ef6f9f073c7f186e4c876c2b8fbf22feeecdc111a19071f276e838ab0572c9a68e9ad464fa88ba8d8a162e9f5ee1c4983395a890990357673467988c057eb8a0342c41867baab41456edc3932531d1c4aa0b42ce2b388d2be579dfe332f40a9b864c5e33e2b3cfd73b68d65c4db9ec46d3ba1587a56cb7887dcb3c5e":"1a511f85e0e138f4241882c20689f881":"":"3e50e821fbf83433155de7b4eb3c9a2c148b08d9d3998a3486f517fb5d0a1338faabbf95e85fa9186385bcb9e26aaa5e473d3cc7af869872e4fb36ad16c5468d994e9c71a09dd2868977f3f9064664f6ffcbac1bd313a7803c304273d69ad20369bad36adeb38480563bc6db9aa0d11a0e03d09731171c1229a756037b2c285c":112:"9393edf0934796eb97a8c513bbfc":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"daf9455bad8bee905c6cd464677b803f":"af04226cc6eb84f8167a68c2cfde33a1521dcbe781e7b97a3fae732bcd8c0616a588200328902faa5a65a27e769a720d7ea23333cc1c66c4d4e4c53facca5d6af06aea7fb49b12b04cd6ae38fe28d71cd66f769d640beeb07f508a0e3f856902cbfde6919077de378cf0486cf177f897cd0a56b69db3a31b448ebbf8fdf63736":"6cfe8490e892f5ddba8bbd1cd522ba0b":"":"e5622ca7360272a33e30f7fbeaa00956e8af0d871c433c070c8854d818eab9717293e845106770ec07da372c75266239a225ad74465e255520218c6736e51070477d70976aa7d449c32a5c85bbd6931c76e9e4355f9697bad2ea3bcc0be005da15c62db219b074b71fe4a5512157143df2c1f70bb17c6d3740d8d20eef88535f":112:"25fe6c9b2303b40ed31d1beea39a":0
AES-GCM NIST Validation (AES-128,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"82d166dddcbf4f7f66aa5ac6b12516bc":"7883f4f96c0ef7f6d9fd7c2eaad25995943078559eb24a3e6650126ddaa32301b04f737dc27b648d6115ce08feac862cb888073b22aa648c752934bb7f9c566209a97499236f782758d6f6f9a012a2fb6885ca91858f9779cc93950baa731f1874629351e6186935475a20593f66cddefff89be0fc0f9b57695b147d9acd8157":"540c2a07689bf314bc8ede71df3f4358":"":"44806e76a40bbbc2de860cd36e93d64c9f4c11994f754db6a279d6eaecfdf19966512de5223d8332a407381114d50fadb03e33e347a5f4d87c3fbf35f2d5967ba295003a2c6c12fba8394aa5b7a31365791c630734a6b2ef84eed0738cb4bc229e93c4e8529aaeadecff7ab93887b9fad5f05a88a5ba9fb449053ce4c6375d1f":112:"756d65c1b8a04485c3944e2a3cbc":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"81c1fca371968513a68ac09a7459042d":"182cb89c94171b685016bad76c445cc4561aff8e3170dd251f62efbd44910ddf8eba8a67dd1a237f2f7336f436edcfbdf9928e94c3488189110d672488c6c4e0dc4a1fb6e67dee9a1bfc3f49d2f934f305f139e98f0ba9c1ab56b5ce9ddce4ab54b6970bf6499e5e825abbb23f9e320ee05aaf0d712c09b0134839c5609e178a":"7c962a92b8daa294b4962cc3020dcd0b":"":"f91e36c79db6789a3acec9e82ec777efc1958e7e5634d30a60239eb7cae1b48f40557965e8a6f6993db3f4ae443ba167753c89f52f610ab69159ff60233310c1bb2baccb936433270f8839758bc85c53604e771e3ab0df6d6bb02e860d0eb27f425c7d30fb7566aff982d289228da5ce5a45842e10ffbe9016c9e926d7f69863":104:"0114c2de8f733fc18f203150a0":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"09ce73e733e880c6d7be92be3144db40":"a283e20adb6efedc5530f4efd71840d5fe61c902a7511cdaa939f5030880f3675959ee96e39abe082a66eba2a5a93214b22c249d7167b7a0fda360d02df855d508c7ebae7016137e54290904909b2d41a59942abec76612b17ea76ffd1ee715aa2b05b1314c0ab28631f3934d0e9efe2aef0c711e75a5c62701b3358a414958d":"f72a2fc910fdeeefe8743f57290e80af":"":"fe9a7f59abc3720706c33fa40e106663d26c0f8da0d25deb90ada8130b6f95aaec07f4a7db342b678d102b2c81464e4ca9458732783cdc3a9d504232f44e2878b0aaeec0f88efa5d7e5fb146911dcdb4569de7f114e1854ad7a95894561bd0fc4d9a5b58b5164872833283ed88fdb4900b2a596db4e8379eed4e3a5c08d5fadf":104:"9de97bfec1325936bd171c996a":0
AES-GCM NIST Validation (AES-128,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e61d415db78d9f2695344350e0a8291e":"730c3fa9e07eea73a734b17fcbc5a969dc2c04f448f44c7f6276e32ae3504e9b15fb664908f530e83a74e25a4525f74d315ab85d7b85005401370dc50fdb86e97baf3e7acb403e476193527a1a5d642ffad6cf2555d16d28cf4c4127189056389368b76aea806906b0a38b808cb02378eea48edc005cf2c21e6547502e31d2cb":"e09dee93466a3f35605b647d16b48452":"":"ae87e754c1af1175b474b0718e3560240f55194d946d101e7c0bc7af18d90a50fa41d68516e45dc2a4dba48d457ebff18a657a873e15620ed7cf6ed3a26195b9d354ea279b24ec7802e4e95d3f3765188a64d7b8d4b7c215e7d67385efc6288724a33a1a7994f21e0dc2970076af7cf31e9ad1098537543052a2b0f62e4e8a87":104:"5de3c5716735d7d1b859debb6e":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"19bf00b228ddb6e8f1fa4ba85f866475":"10742aeda590024bac2696af8402580d2ec6ba3f51cc6f79b6cfbb3057634ced6033fa43dbaec9af8ce7e9706ca699ede88d89caed89ea023d14761bec49da724538b4f9672163a5bb5dbf92f5278fc0014eafce402cb408a1eaad6bc17ec0e835d6b80f4701f946661757b9b2d54d1b137841519dd38d72835893ea6d52a27f":"760c5b929ac3d33bee4dae0088a894f9":"":"b03d27bc7f4c9d48d555a38091347f371d0522ad4c347b4a23194c234c7877cd3621ce5a7c2fc26b38c7e6f1c2bf228ccec491f5bc352556c08e4e19ddc4e4b2c036f45a42aa425a5ff9a2e9c9e5580b538ee56fa804a86d9b1b59b6fb0d00216a96936755462979dc14990935919026fb51cdfef05b8dad03320a8112b7ada5":96:"2f1cc79408c85a9867214061":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"65bd9e7d9009dd6110dca657ccfe603e":"c1b539324a001901c2461b9747f605a2f4043b9b0f54d1357049fd1819de06df6e29880d62ef7d91f9cdd1108f3cce323f6c32cec16f7bd434e539fd00ada476ef41efe7c6907ad1cb726717ab56d6e2d32042ee2df3f90d15e1515f0a15a5f06703e06e14229d18328116148b3cc39683918e42927f62aec49ee9bcc19be38d":"3fddf7e943326e431be540c49bb917c6":"":"2813d6eef070cbdee9d5d71caa8a88c631f0b71c41813c6219a765e4fb3e6eff9afe8f8f4394fbd5646fe80bab78806eddf7549d6ca3d0d16d47ef63db93cb5620e3814efd86be151b338ee6e2c681bd37be4039b2ea4a190feccd7d65cbd56ebda81f4b66ce12cc3e2cece731c37d4237a9dd0a2c1a7697bae42176a673d62a":96:"96200bd3e64d5eea746693ba":0
AES-GCM NIST Validation (AES-128,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b9b8ac9215289aa003cecd53a90e0407":"8a6fbd067144b6d50ea73a2a7abba3ee9677bbf00312c70d808fd124541ab936229d59842c8846569a063fecb8bd1945882abd987a936991d5cdbec087937f91c4f5513feffa1984a6b8d04a7b69eb4e93e90b6825778cd2ce9a0ce54d4a468c93884619f851d2294be0bbbeef5fc0c05d2384126289283d5ddaaccd89711d73":"27d367f3f0c60acf921f8d8b228a0b2f":"":"42d98ecfb4f707ec233c7f990b0cad8f39546b861b11d8cb9d939b29ff5ab315229d946ff55927dbde82c03aa73fd7857b2ad38fa55a827dda54d2726bcee66347ce42c9cfd13ba1507d209ff2388c0ea2474e17e31d8056593b722d3c2a302a716a288592b0a36547c7fd47f7595fee9d30f5bc09a9555d7f3169e26a924db1":96:"d66974c95917ae1bf79b6685":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ccbcc39512425bc32350587f0fc3e8fd":"57d6ccda317b7ea150b18d9558b39fd78d9cb52509aa5c095c5b46da89b79918c85d469ffac7226caddd670ac8f5add47fc382df1f32b4de9cc1b2ca7c2acfbdcaa08429b97e77eedea55c8ddc7814fe4c3cc1e21f95d94301ab77b4df7572d0b8778cb2befc0f4c4a5e93429ad52d6c2a75481f38d92edb1dac563154bf90b2":"0862ebfeb40ff24bfc65d3cc600f2897":"":"e6a77e90750cf0e4c276c50c3880b3f6fa357179cbd84e22f5b43cd10abcbe04b43f191ed3fabf83eaca886f4a7f48490fb1fd92ebdacb68c5158e9f81243f7cadc7a8ba39721df68dbf2406fcb5dab823202ceea7112e5d25952de1b922beda271e7677421fde25f8cde450c40667387e5abf8da42dfe891c52bdd9f5060dba":64:"927d13cb90ee5f44":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"396b53a694b28b717c104111c4752074":"bbc3b818f4ff10b6822ea41f63ca53c27578a8126f5163a5014c60e1bc8c1a9bba67a3808c8aeee09ba9e584a3584e9b86895a3f0db2e64e71bb18b843b12f4ebbfaa1dff3734196f70c5a6d970277ab5337e8b940ae7c957646f8e96c6b5d84e9e97b620a926e655850d09bc2d94678704aa45d1788e7c23ecf37e2904a0786":"0981a151c6f6867d3830c1f9ef99c433":"":"72a5587076a1050b2b514f047ccdf7176c118db9236c0f72091513da39d7416734ac50e0a35b2905420214be8426a36e86863c9957693292bfc5bfc2e93d234a09e80f517edb7cf8e5d21d5ae6c2362b779a9b62b4c66202894d369d219ef0e4b52a342b71f248c18ffc345dc7eb0b47b3bc83ffdef921eb42b6d51abd889ef4":64:"af99f8797495dd16":0
AES-GCM NIST Validation (AES-128,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"af090618cb454324a82a75a91944dd6f":"3ebca6ff138c527b851b27b9e3917bb9a07282197868351dd599b74b332610bd634422911393171305caa4fe3f6e89ab6c033ca759e118c2d8684b903966999125c748e04312ecd2c1ac3135c3be2df9c8c67be4d8303ac7aa6c21ca7b7c20b1108f5622d8e6079f41e4be4abda99f782ad35a085b7db83482dc71b8e5d8e71c":"3380a6f20875b7d561c4a137519cccd3":"":"6be8eebe7af78c062812513785e9803f302c771e8215e4c606fc5eddc3efd8b12c96e029b4287da55d8626583e58ce0e50c4ac5a39a1b0f309d5803386738397376c0ae155087f36fd86fdda4b5c8dd079011fa9a134ca8a76de570ef165b20d7d803544cd2f3a0ffede9b35ca1c982978bf95ac100af755553fdac38d988fe9":64:"3e869dcac087aa6c":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"041cae51d9e631ef70115be58f8818ef":"f6748f4a261d876e37fe44a419cfe965888aa5ee195ae12237322f6e7ac4bfaaf16e8e29be507e2978339a1855ab918485011fd52f834bf0876ba8d89dfc01927e0930d03c0ac7dc7ba1554a879a2051011bcb34a5e4c7cea4d4fb5ed53b41ec8d17bd52b2e1b9dd417a84ac5913ce3f9fb04daf4d14be65f49d0767b9431b47":"c32f227659e0566faa09eb72d99f89c2":"":"f30fe6c8765c8c0af579c95bc2d182ccc346e587a57aa226eafb692675377a85e9ee08339a047b9cb674dabf5a25301d2c8c264bc06573e36e55ceaee39239e367b8f1a3d781a2020e548001f9f98850994c3aa79b13dfc93c1d7291befd91e044b2f5d2583d1a9f868fab4afecd46fec7d315b0cbf8a7331ef8f588d75f97e2":32:"5629e1a4":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f0577d9a7dbf7b4ada5b9758eec4c847":"5b559738634825921b5cb620b5b9f637f8b7ce33998cce1ed1a23ff01f84e58255d852a02e59e4394752405ecc15248f7616a33e64936f726de6fc6d10c3fce9ac0b3fcffbd755f16bff8462b3be24f7cf342c8d0bf1ca79b1cb4ea88d690644998a8ac3cafc8c18c8cb737e38a681026d46966b89c7d6c7a4ce7a1e1faecdd5":"b432473ae67205bc7a99f5ab2a2721e6":"":"ddfe664e28c5face3761deda1ab2dac6e36cfed538e3faf9d79c54e3c85b4baea9eedcef7f8f28c2feedec72ab2cc6aaae101b99512ef18e759b7828364e4daf9a572f8c6ad88eb82f7304989345aa4985e498dfebc58cbc45aa31c18c0dda5b1991fd998901c65807c8cff6058b1d5dfd583297da8451cef13f246547ad11df":32:"ce55ac00":0
AES-GCM NIST Validation (AES-128,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6ca1d6ae9b5ddd6e3d68656c508df318":"d160740aed955e30c1f946088b5bc5bbaf5c84f282c32f65d099509993628ba5a51b411c6ebf57d58e9176b490ab90fa8db8a3cdc67a5f8322d06d719d91f00ca07aa2a3977dd0838487f2e9d4dd285067a1f72bb8a6c9dfca107acf1f404995bb68ed9d7e12423efe570f144e0533fa34b8d0b7156112b85c94a8fa33d7a6d9":"68a494c9002dadf4f0303dd0ebd600c0":"":"276e362cb73b405b10a98731333f6accf0d19cb96c21419d6d56b30dcf73f7208906b0e3eb103b721cdbb7eb1d4ff29ec3b7e9d433205bd9ec48c59d0075a1507ddf09275426c0ce9a58b973e06d6fceee7054ba92b1df771011ac73e39e451d9ac3375c595631090a2296d423e3ef806ac20770abf78ad04114f65661804fae":32:"8ff9a26e":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5a3e577743b4581519b84b7538fb32e7":"172a0a14820448e5ffd017c18ee02219906f721c915c4f0ff13b7b7889812c0edb89f28be0c22deff76bc975d1ef8ef3fc40b10cce0d78933aa22e6adf2d4b7ee4ed6ef487eaddb666afd8671427f7525eb99af54a55d98159fc5d651266c65ccd915cbba60fb6e2c408ef177d682253c0b5410d77d08be1d8f175ca360becd0":"1e155ada52e250cee145d69b4a307bc0":"b9be2145b842d2f5c3d15ac032010400bffe31856441cb484d5c93e6710194b13e14077e132cfe03985d4b936bda9383c22c392968c748f7265213a8eac584aaa11eea35589e3536e39b3e4418248927fa9fcc027c5516e402445068ef793d349eb778b77fb0b37f51bfcc3c21df9999ca9985cc5bec6502445b068c2d061f41":"b5bd224140d6b826062e55754299a43a87cbe861360334897e82b7a6023ab0041736479c9aaca7c73f27e239a63e7433e048a8d2c2d26f0b18476aca7ac20837affacdffb57c618ce5982ba61fe1792c8a3a856970c095b0c4695dce961a354135075e0a786192d5875d16793a3ad0e3572a81efa24099f5ed9c92df55c15dd1":128:"74df58fd4a2a68657ce35a3ef11a9c0b":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"deb0ab6e8b0f392af6b89d253e923f1a":"14a86c431bde5c0861e6bd2cb748a13b9bfb2a4a67a0bcf067960b3a9c7a75fc7ea321863c83693c70076462ec3179f4d82ed4a1155a4b5004842fb47482bd6a83804a05af2504f6f535eb9bdc95a9a2eb80c7dcd7dff54e3c00437e4da9c433c88f6d248e4754656acdf8ea7d68106b04ebb2f1cdb247fddb0bca1f8e9ed6a5":"c1bc587c3440f1f5dea5b0a4b5ee8dfd":"602cfb09e8bf250c3a2c248c4e91234629a4fe9a18c5f8b59df215e97dd873a7c1204bd0695796908daa28b77353e0e5b37877a7441d35633119c0aee9aa82c3c18a7f577d09293fafce1895dafea42f97222a33b001907b978f11471cc0adc46243e8f7fce94803d4d0595bc9fccb9b9396b52deb943280eac2c4eda54841bc":"a72d27136d0b4efc0aa2126a246ae4946e2c62cf5055f7bde263e7516ace2b7e12179980f8dcff18dc4fcd662f38d3b9dc7f8a057827ebf27e5dab85264d9325e0eea3b12f8e9e39ad686263df75b0758cc8af0be89882bb159c95b8de392b3e295c039a520d2e56b50a6370afa57adc967f7e4ff670dab471a57fb6c81401eb":128:"eb26cdf879e0cb1320d786a642c4dfc0":0
AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"adf6006fb1cfea0f9641a4c35b864101":"d21777e1fab632bffd82a58cb732794f112cd88bdda5a7a8d19c68ace343fd786e5e512013887105c21299f2d6ae23cae4f03047c68f019d98e76d2aa1b3a204f13f4cba13f5a8957b9aa3ebb44b8024b26cb6139a3bca3ada0520a68b8571ae89501b212a1f8ede5753d557ad2f38d9465dbb09b555300b13194bf7817321f7":"a349d97fc677d8ba6f72e8cc7191ab78":"5717bee8b31640f3999efda463d4b604c1cef62fc0dcc856efb4c50a8c6b902019c663279e1bf66fb52d82f8570b9a314647f4b1ed86eb89f4be8981225f94d4285f5ca9167434a1569b520b071ee4448d08cb8623b4cda6d1f7ad28e51a2df980b5a999025e9ba646707075a6cb2464c2a0d5fc804c98a79946fae0b4fa61fd":"345af0d804490586c9ffbada0404176f4cb1331fc77705175619f27d107512d3e6068323b276743284feb938c5718a5b013305fb42282a89e270d24585236fa18265dc7e8ddd2b3efe93a2ea05ab359323c75211f2133aa97022c9a937a467af37c92a795c682a30f2ba1c4ab2dc45e63c56cd3b29b0efac2caa3150e6a72aa3":128:"ae7d2827c4f1422b728a9fd31d8d1918":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"97c83d4628b65d94341984bbc266dc7a":"e998cc0b7677fa2e504994e99cf7bbd84ba7e356d7da178f8ff40dddc046c70554ddec1d28aa23f9c4e6fcb9effeb8e28a883ad05bd0a6041b8a24d0fceff200a4e33996e279cbf029b11d58185adeb5e5e797a74d0d8b17adcf06dfbe3ee11d8e6bc3b6a8434de6e0ddfa0fd08c913f9fb911cefca72bc3f616b4ac9821f53c":"671dcc5001c2146bf8a4e522ad702bd8":"9eb12a42d2ca06a7da37fbc23d213f5e3f5e15580f01b0ea80eb4b6bd283e307dec965745ea3b3509d3269cf25808fc6a923e97d87d0c1a30b447a5a27a06d0c88a96cd90d990bf208f1abc4934f6a0ae34a694750a74ffb27f4bb66bc799d43570b01897b98b00e6a01b95b356b11d33e852b2010da5785a691246d0be2bcfb":"5a6d8930e473e292e67425748e8618569b7a478f1e183ba4e4a64385ac4b75d3d42b1afc34cc6daff341f10c1ad8f03d77179f52a7239ab3261f5fcd5a0b4282d26fa4d08bf0c8a5c96782c073ad63ad233dfe3aa0290a03d73de14d445b9ce4ea0e3b10a4aef71c5919969b7086353c942c479a1c052a749afde2325ef46f7f":120:"b81cb7bfd0aaf22b7233bcfe363b95":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2dcd5c974c5d78cde0d3a677d0b1acdc":"21b61035ca3c149d66608d77edd9770411e0ef73a97d4be9dcde95ed7997ba97117ae6c1979195a5d916ff7a1d43ddced5287004fb60a2c81c82b5f7c8a336a603c3eb7cb160bbf21b454f810681450d65deb64e7cd229333fc5e85dc29040d7da48511b6b2524f02eaeab422b5ca817796c47b9f2d7d498abc619b2ce2912bf":"7455fea1bbbfe9479830d403e33c9d1c":"d684d38f2b12111197ca512c54c8e29ef1c3b9b089a6923cdb327c763f0ac8c2ec0900c716e211e7cba1d7c13a60fe87f5d78e5d5215d92e57a0645d9b2eab4b11870b5f7bfa9f2c9e4b9fcf7596e7719b7d0c0e6cc16efe71d8bc92e16a83d4782f08e9b97dc85a18c435b51c940189a3c2608379a21a8c46633020b9b6cd10":"eb039d8cf0bf217e3f2aa529ba872c385f2770ede6ca4ed32fd22cd3fcbfddfb92d681f00df6fbf170a5dad71c9988d556cd74bc99e18a68683e0ea7b6ef90b21ff42cef8c4627e4051bff0da00054390e10036f430dbe217e5bd939295d9c9f64c2614d42ba62efe78763cc427027edbd0b7f72eceaa8b4776ba633f2c3d500":120:"18e7b50fcec11c98fe5438a40a4164":0
AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e5b132bb7aca3e01105848f9b37ff516":"3b6d1a432b7fdb4022fc35d6b79ea03b6aa14d4ddf60a160e976909ca069242fb2e7d414d4e34ffdf9416823c4b3f4e018ac8ca689446647eda6a12029f886bcc9d18be150b451d78fa72b9c4dc13314077a5b04cffeb167005c7e8379940e6b998316bef9bf8b5a742e337663c0ed91d88d09d0c3ebec37aecaeb8277b13661":"24c1ba77d37f99253576f4963779fd59":"dedf78f05957bde906639bd35eacd8fba8582d288c9f14a25eb851a0a34c82fd91f2b78614ff46ca17fe7781d155cc30f3a62764b0614d57c89fddfdd46af4fa5fc540b9ee9076805d4d121aa0dad2449d228f1fc3c07d466c051c06db6846b9012e8d268c6e1e336121d272ca70d965389a5382fbfec0a439e979f16fab0283":"9976d2f3e16485b6b3699a541b6df386562b5ea4f6f9ff41d265b16e2d7d3c5f131bb5874cdffa87e704ae3cc24f1dccb62bababdcdedf8bac277a7277ca53a4d38fd31f9fc83f86a105663f045b70dabd553137b6d6222abb334b7be7689a4afa28103619f11b8b61aa92a63136ad5639f11bae64b25f09f1e2db701938fa5e":120:"29d1b8a68472f2da27aa84be714108":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"63628519a0f010620cbae37f8ad34570":"6db2919208b09a8abe5e95dcfe0f957dce1ae0e5b29f06bf321dc815ceca094f38c5c812f591aedbc9fc28cc0317bd1d89d4a3ba14f7b3e5fb2e03778990a6006e0ec2ceb47c923f3b17473f99521491a4cb2f9bd435e3133dc90e129ded9d15d78e75bfb3492458ce0964d5614508ef2a38ea02ec8664ba901891a7cc86a62b":"ce0ad75b94ab2d3918abf255c854ecf6":"c29384bd7cd013fa02487867595d739d99886a3bbed7fd5acd689f3a74f240f14c8fffd0bdea1f83bfef7b58ce512849e3a986f37afa54ddc11719169a49bd7e7138a745053417ff80cab1a32ae9be476ccb61ae055b319fdee5dcab629bb237aeb7d998ce36dd9c6908451c3bca9d3582f7fd60e69f6298d43a3b958341b611":"6205d37d720cbb628dbd5069f38ded8e566030eadb7fbdf2ed827d5f5a0117a21c75ade89782b3dc4e7307d9a7ae406ead0145aea1b6cce286103a55ce195999214b84bc25281bd7fe511868a69944d483e05ea6b39b11558ab46a33d227734eb3a386e30d58c3029ef0cb4046c0856078d57a6df194aa8c0e10f9b6ed8fb40b":112:"423fd542498825cc54501cb42b2c":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7c0e1c6bde79315f79f22ebc77107228":"9cd56b16aa4e130c3dbf30e701e8784ff39f866031e778e9ab72b858c3e333e9589b4b6cd89d6546e52a478d92bd59d0e4756d6b5037ab1873d88242ef31be643745d26395385b71034f6f0c0c84816f0c6755965fc8a7718f891d618f226684bcc77f87fe168e178b330d4b4c0eb4791028017fe6c42e68b0e195654a5d65e5":"9011dee57c3b8e112efa4d2b816cf189":"57bfcccc6f00c0abbc5f30589dbb47597838fdd50dd622eeedee33824e63ba78753c05d2543687f60dde501757b6fb74c17fe34b3e9c455eb38cf078c8c77eff68d3e3b8c244cde70ddf61703664d34159a11785cc6626eb1cad70ab94405616fff52c0f781ee6b43ef2a449924a76b762035ff479cd6006c21a62a56a14650f":"2c1ef998747163104e5a7d2a440a1a1cc2c20446a9d0cf5f138f85c1f5afd90fdc3fa4932845c150518f40bfd56569a5479126c49061ef350b4fae895170b4eb94dad7b456890a822e1bcb57f9bde5bea747d17be3d18ea201cd99bc46fee21132c6918ffb0117744f6ba3f25bc8a50f9719854314b934c3a3230f4757a49113":112:"4ef9aebb721dabe2d09101037a63":0
AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"93f3fa85dbdb2784fb078a34b1116eb1":"e7a0fafda0b90cada671f5e2adfd2e2a5f14e4613ea76aad57e79e2cb532f655210614e2036d7ac005ed5e516814d8667ed71e0f29b9c7b470f4722327407cd6ce6dbd298cee37bff33c35e34cdfebbbf33934673469d6b98becd6d26868977e69e06deee99c118fd4da3530d367d20d15107c03efe0d7e7b38710231e0dcdf0":"f5a7b0b26d1e86f4fc69f81c9eeff2cd":"3d2a1dadccc597b5e7b6ce48760150dee01c8550b525c587abcce8c2c7fb6291683a58c2e42e7b7ba6a3c2a117ddb7e67ea058a78989d67946fd9551e30fcb52618dcb9fae079ca56b74572d7b6a7b6a5c60e906e9639eac5ee1a5a2db864721119da2c4c5110c2b8d487e792cf6929600f1587cb2d48efe6864019afc32af6e":"60da3f4b3a263bc0178379646bce391bf552f60d2833261962375d2960c629dedac681d86f7915ea3cffdad0f37e409668f923d7c860525b994b325396531994a2fbb2d4e909d0b1dce322e078b4b8cd99820a39ffd7b468bd3e73b418b9a2cd5757b7d45f0363574c925bc22d66645abd95a6b29ea6366d8c2252d1c5710d45":112:"833d2c55f5ee493060540d6b5349":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"163c05f69cdc4e518ff6445911d1ede0":"84d8a1855423293de37ebfd9715a9b46b175bc6d44e94ac8a3e7d409e8a227a57a6b85144a8ee23564fadc28742b69e89c0d4aadf0a786f9a5d5f9198923643ffc0bfd0f96e43b08f1435d4afc0e49c0e2241d938780975bc7a31cdf38f30380753bdd66be72b4dff260a35dc10b9ba35059ba61b0beab16e35068721bd950e3":"4b16188249096682b88aa5e4a13f62c1":"a238d1111efb7811f6838c3cb6f3bf3e0ecee6d8efb26845391f8adb51e497e840ea40318bf8e3cf0681c3b69951c4f03d5a4b5edf7119a150eafe6dc16b68f3d2b91e1454637135148f4fec132bfd96ca088169a35961d4c663535b9852f12a00ec4c08082553a09ea046379ce747c717036154d063d876a2b95cd7bdb42daa":"3bf751cf63bc1b433be6075303986ac1d0592dee400774d0bb7a9e72224417639e1e83e69f34226b873365f41fdac925628f32ed4b572b374310edfd892c5e0c3197e59efbc22ee11f0d4a66bd73a6f5b0de7c1cbb0612a63a262af51d418577a9bae0a8577e547382878f13047a92f51a867f8b7d283d2099c34c236918f718":104:"0d778299c4dc0415ca789dd5b2":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a2ff7cb9fe33b04a087d9ee6db58ec0e":"ed7c22218009ceb5b322045fecc1fd748f27655397a09c2c29813eba9a5cbeebe88d4a35dfd741ef0ac1d11c4adbc6bfae824af88e3ce09f68d8ca7671de91ec9e2bd5f790d1cb1748e34b3560c9b10726ea4b85b127731d8a7fdfd0ddbed11aaf181799f71a68e542b43ed9889237d2fffe370f41064b810c2e14d1ab661517":"6c58eb8f1f561b180f07ede0d3ae3358":"00cb63fa0cf526c6db37e33cf092f3f421fd258d28446c9a7c687b941c7eb5e1c5be267db992d0d93ede0b09030f979d451ecbdbbbb386cf1d74b23d55b74f5f4d520c000c9a41922f54567ca7dfcd84c68883a23c7acc3db3cd8d340217ee7c5ea39b41cf2c0e58c270a19ee9e146d2dbfdaf8ba3e24fda7f2c5e4ba6563ef4":"f0f119bddf5ddf147fe06da9d4510d97369d8e345519df2188b8d2dbaf8b7d3e01f3c26475141aae224e5ce1b131c8096f0e2a17c4c2df62f76f009cfc8aa20ddcd75a6a4281cfa2225485ca22aabcb60ff11265acb92a19ed66797fc2b418ae4b8c70fbecf0fd63f6c22ad62bfd6f40d8d0e2abeb620b7b4f5d8b3e041a53e6":104:"7885ca22c4afd7dc6cb440ea35":0
AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e739a485b6293b43535379e3b309fe8":"699b9a5668042c48c63ffb323c0fab18446546417b2f33a69addce6178f9d5b7dfa891ff2004eb57a98ca012c2668e0614276d89b21b7bfa436b2aa1582daaa81a6a7722186e99dd16a5786fd0e8b09b194746232fd413984484524793a379112e297d733dce063408fe59367f5929c5086bc2191a8fdd60a346052c0d109d57":"c4deca3eeea80352624c93523f35e0ae":"704aa36a82d02c56f4992469bb7e8a3f7dda1326068bf6017e4a0c810352b476aea129c1ba1d4974bc0d0503dcf816b89c0dc8e6d066774ce97cea65b5fb5c7b5a7f93e5e2c7126dd3b241b958e47d8150b422bb91c4afc47d53cfc2d20176c2ea0c85b376dc46a86bbaa53c584aa561f6662d11de4e39e50f1a095b8555137b":"30b8fa2e52577a7e5cdc12a7c619615b134ad4b41893ba9120651cd35c6f2d48ec6b8b9fa99366c4d60e643a8ccb2cbb3568f7647f4ad1a12d14deb8aac00dc4ef780133ee8df8f494675deb7f678fed54e70d6bf43476854eb0286a49cd322cc18daa238d4580ee665fbc759295a3e12567beff3e823811093cf0f02d00820b":104:"ff89ee52fa4eaeb748c8676490":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6bbb12361c95953a8d757bcbb92568eb":"c3fccc5693abe53a13e5209f80611fad1e81e7ce19a4612666d954b4b6d2062bee764181716d5fe0fe1de485bb739d6e8625d5b6cedcaaf6e4e5ec350bc2168c24d7764e75b0cf079d7ad1b5fc24dbed14c5ae4714734f424b3611de0f70a0a8d752fb143e1b7e51ebc965a06021de3718af30b067dde270d804fb5b87ffb29f":"48ca821e5e43fd58668380491d58cdfb":"e97280fd78eb8bd695227fc79420971081de8f24bc95d9a1794ed2bebf5b68d8b43ae8288eb5ce72db0740334ff9bc9b4e660418d3cff8c344e50c7962c367c26247806d0b5c2ae0420a724203dcf4fdefd6513f8263d995afa4780a9c4e92c25496106fec370d0450d907225190ecccfae634f11f8f74f6422a652b2b9af9e5":"61cfc5a6ab6847bf0127b35ce0712cbfa9cd28dfb3f0b4cac2624c52cf55f311e55e9abff2d4514c6feff801ea8739f874ded2efce4a440f2acd95eba6c75e09bcd91b898c98563a26b3df415658c4d04a6aaf547a90b03d1789bdf7ab8f09f6d9f222f567461380372a976240b7b180c3fa7b4507e53815af3f6b4a46973806":96:"f86d5374d1ad269cc3f36756":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1a0a9b2dd1ae31b3e47b6df979dd2fbf":"353786f96620ae7dfa7aee163c7bb30384bb324b516cad13872f48e7251f6f4c5906748bf2a2f6167bc14453b2b2f513804308ba92d69639beac2f25274bd5477744281b7ef7d0661b3672cd45abd5bd30d98deac4ad0a565308c0224dff59e3190c86df6a5c52055f8e0f73fa024f99162219837c999a9c0a12c806f01227af":"b39c8615fa062412fd9b6ac3a7e626f6":"dea75b17cd13dd33b5016de549c44fa9c88baf424ac80c4835e868acb58082ffc4255c655878a1c627a44160d5e5054a0a04f65fdfb542cd342be2aa2e000117bf8cd67b02f3a3700755508f9af8379c226aded404117a5ca3fa70968495eab287064ee584b4ce596612f2c465d997518c6995518e3bb881967ab6b99d7f62d7":"8430b8735f0b002e098d513eec7b3a8431a3fdac2b7faf256a7bcf08f3dcd6fa549f029240acae4dbd4ad54752ba358c14893aaa67a003261c252020d14b521906b23c37dd80af703c2964ce13773dd72fa56c389768c6efbd485953900b56f6bbaa837f1668f478677621a297d4b5a2c1a86f689d8644caec51435b0dd66c77":96:"f000f2d398df18534428f382":0
AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4da736fba2b7202ea2ba60793da3344d":"4f004852edd5dcde13507252ed8c2b20a093ac9081ce2a8133c48d2807e5f968c04a20dd52c070d6c43c704b8650da7f94e5450e0d34cfc2b2d2ba7cb5343e6b4281633c6c065dae27fab18ca71bea018eba94d20e78c5e3223c70f50cb77399c1a89436f1e7213673ae825d4fc5523645031696df10f9b5238c03f733b4dfcf":"8572af442c9af9652a192d893c18b8c3":"429915c3309fba2a42b8e89f42a9376a2f329805a4d6daae11e9a20c2f982671ef8a7539a9657777d03cbf755ef93be0d8e426ed00899a59e8b963fd44269d64692ed07b231cde93e85397cf125a75032ca3726ea1ff1b05d79f2040c1135012b90597186c1db2e16cd128d45a7b9d934ec01341d9030e9721c62f62003059b8":"ff4e46c4236304b8d52ba2d6db269f95d2cd5fe4318ce930d407051469c7e36e44bbcc909c4966276f5a2ec70021982fecbeae34df235a3e9e0370afa5a269ca8847a84b8477f7ddd6055d0f800ff4d413f63db517c96d15dbe78655748edd820f2ee79df5eca31711870022f1f5394b84f05bfef97f99cbd6205f8e522b3d5e":96:"624b0b5b6374c5153835b8e5":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5bcc874114b9d78c3eb748a783d1448c":"7d57418bcea007247f5e18c17a2e4601c3eb8c89f61ed365d5aebee7593cdd63871d964a25fc9d723f291d39e0c4f75012471faf8e06db60c4ad8a26cf434bd82a29a8b653fdda1b86a7e4800c1d70cb5d8b8a1d1af52894082bb282ffdde8f0128a4abb68aedcfcb59160f6b5aaf452812f4d00472d2862a8b22480e71231b3":"5f4fde440faa9537d62e62994ab20fb5":"b5dfe0d971f2920ba4c029d4c346a49788b499faacdb18b8f905f1457a8b9fa48709893516a7b48bc601710bfd73c12da094c29df5776d491c9978f8ab237f605785b0304488f1c20bf5a767ba6d5e1e2961957aa107bdba2358b81ef1e06576db985b3ef8194725b75d49de1de3a57f161dede508e37ad3356134fa0a1aa48e":"6bc0dec98bece6c4e245fe978f6db113deca75e1b475bc31f1da0c7457a85ee7aac8be5f2121c0610b99a2c64519fc2514b643c379b4f53c5432b9729aea9fcecb88a2e2d0a6e74be04859a66f55fb2af1598bcb039108ef7fcfd99d94e79287ec1f62bd1bf5ff9dd51ab12fae4f6e21b95ca50032f9a65bd85f9a1aa0524950":64:"354fb8bcd38f2a26":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"427c89146eb7d76578dc173bd9e15cda":"1d39249130404d60ed40241cf3354458e06f1474b3723569d88235f03098053fc99010f39435620acc710a4e386b2ecbf9b327a8dcfbeddc084353fff029d24787ce81e74a5e1ac1ef096e0a2ae882a669ca168275806bb7f462e66c941fffc6ed44b9628450e03a5032676c1ee4aedfcb1767150d56c7d73a8a47f6d19854fa":"0092e76cd8882e5f77f4c8514491705d":"0ac4631358bb9375e07756692bde59d27012e921f054fdfea0ddb242c43421f4c7241cb210cb5c172d053de2763efd565f1138fbe7f9cd998d825ab800df900843474ebf857b3371c555b89670e86354fe430f715ebbd0ecad974fea34e3bbae43d3ca3ca178f3361f0a11fd75f60e9140f44364b02a073dcce8339fa28cb5ad":"2b385e9df4ed41cdca53a4ac8cb3e0af75eddd518b6727380712950d96c34bc6a0a6ac02184c1987548932b116ec9ae7abf01157a50e422b3e6aa62deb0cb2d81bf7fe0c25041a355ccaaeb049abb0393acfe90d869e9edfdfb646971bbb1ba9e5983cd0e2739158fab31be26cfdf9286d347b58b00f75d9f48ece1353308a91":64:"905cdf228a68bebb":0
AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e09660909a9aa0a50958016c3e07895":"d7b2ceb182d4a8ed57572c4237ba99bbdd589093db0f71732f9e67559d3054fa1af195aa4864fde413549d27468ffe7c5c23e242cab4ae4bb9e2657422dc3fc78fbdcde892ed202be1e47f095b09cfc53cfe86cb16e2e95444492ad5d0eef053178d6b0485731be7a5193563bf56f63cc0687fc01679254d74e9ed788645004c":"c4f865be8b5062e488b1725749a87945":"26f50acdefde4d585fc6de6c6234c9ead40684349a2bfd022df93d9774c9f5b8f50474032a417bdcc21a74da72c0297437a0cef8f527c9205797f77b4227c272e08ad0b120a2a31ef13e372cad2387ccc1bcefc88dd58899821d68f3be6a4b2cd08697d1897efcd6ed3a0d7849f6cbb50e46800627cfd26964e2cfe9f36624d9":"321f6d79a6658c7c2b67fe3c932237593a6ec7e6fd8198abc6b0b6ba5d4dac9e0695f0c64dde1c94c0383839ee37f8bbfcc516f24871fd79a9b9135ceef841e4c8ddf6b57962c0e8ad7aaf210e97a43489097270756404fddde637de461b8644fef244142820e1af12b90f16748b0915a6b773dfbbdf6b16f1beaccb4cd5edba":64:"b294db7ed69912dc":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5e45d57981f65a6b170efa758cf4553d":"bc8d4c418442743f2fdbaf95b8f87b7c15a3176085e34addf4cf0fb3c2df15587526691b07e6407ba16999b72382635a2aebb62d05c1547a7d074c857a23107c7577864e7f7bcdb5b6d1fb50136391f89c42d3f02754b0e4ed0fcb0c03576b986af5c12cf9bf5e0c585d6aaf49d0c6fb2ec30eae97b2b850a35474bfb9a2c069":"b43403b627fe9e0135192d1a048c6faa":"7a27ea26c7607e4e7e627f3161bdf15f21f3d62dc33df14951971712f960d3b2082d75395c5008e5ea00d282d350f86dac8c61f5c0f90e7797a5b61ee96f7e332ec5de51cb1377e47c641f326d1e58817c8c95feb5b2923758e33b279191d0a9ffd09b7619b0318a70775e36abf5f7ab59422ff68914e7b478c448a7b141c4bf":"90d8a6218da063c38e0f06d548a3d5685fd3e0fbaf609c77bdd573bb9c63f30590eaf8b181a2feb81c8b3f5f34a94dc94b905036a6c69b97263302b8674d9e09325065588e97c0b5b33116981f1f362a7c5bb1e996c126c31fbd63791772f4d594632f408fdf011b3f2cc750b060452c181e8e09697c8662c00c8d4f29d875a7":32:"611abef7":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"00d4bf20509a61bc76430ffa5f013589":"036a191a388cf3c57c9e6f0e2f5c8bc3d5c25ee8e2fedfadb7b7433155c7e79304f0905ab2a17e1f04f2f2dacd4a41521d6ce213961df9dc9101d41df4e44246488fbedb75a01256fbc7784769eb8f99d44d5eabf93cf667ebae2437ccedc79efa58c075183d46a5c20bf4c81e0f9754ad35af65f7c8aafe7daa3460c6892b1a":"25b1026a009470a5ca8caeeb67200792":"fd75acfd5aa25fb8bccb53672e5d6a8080081506cf03df2bab0746a353510996e0237d6354ee0210a41f20f88ec6569f2b200b28c6a31464a0533a6bc45afef3ae381425a3606de2866dba694124d96da9d0a2b061b787524ee6e5d3b1ef5c4bcf168810aa177660b7e1379ac8a480ce43d73dfcc696873cea2df419f372651e":"cab80615b666c47fcabf0d9805842ab2805150abad4de0ae8b12306bed504d4a7f91f52379df65cb9587577e59dafcd4203d2ed2743d35472285e9522db0ce3dd027a01c79ac64caee29ef3752a077254b0dca269f6f206f6cc575e8fedb0ba525dcf6252fa6f7b688556933f1dee84b2ad36a266695ce8672229cedd82f20a1":32:"3287478c":0
AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"246e1f2babab8da98b17cc928bd49504d7d87ea2cc174f9ffb7dbafe5969ff824a0bcb52f35441d22f3edcd10fab0ec04c0bde5abd3624ca25cbb4541b5d62a3deb52c00b75d68aaf0504d51f95b8dcbebdd8433f4966c584ac7f8c19407ca927a79fa4ead2688c4a7baafb4c31ef83c05e8848ec2b4f657aab84c109c91c277":"1a2c18c6bf13b3b2785610c71ccd98ca":"b0ab3cb5256575774b8242b89badfbe0dfdfd04f5dd75a8e5f218b28d3f6bc085a013defa5f5b15dfb46132db58ed7a9ddb812d28ee2f962796ad988561a381c02d1cf37dca5fd33e081d61cc7b3ab0b477947524a4ca4cb48c36f48b302c440be6f5777518a60585a8a16cea510dbfc5580b0daac49a2b1242ff55e91a8eae8":"5587620bbb77f70afdf3cdb7ae390edd0473286d86d3f862ad70902d90ff1d315947c959f016257a8fe1f52cc22a54f21de8cb60b74808ac7b22ea7a15945371e18b77c9571aad631aa080c60c1e472019fa85625fc80ed32a51d05e397a8987c8fece197a566689d24d05361b6f3a75616c89db6123bf5902960b21a18bc03a":32:"bd4265a8":0
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":0
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":1
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 128 bytes, ciphertext updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"e28c435211743a7872e4a0bd7602336a":"2ddbee94fcbfacea080ded468f67180c":"63190ef542656cc2b69a9b0daf8dbd2d38cd75f17b92d6d891c17b0337ad4fe4539d9154722fa430782a1d79620e974661918166e39c453c5a98759a13d2766138c7750e6cbdc7b6d7cbe44f3f4de7bb562d9bce6e6e2e815444842b89ba8b73454218c483e574ca886a84e8c9aa6f56dd1541a7e35a4a5b8f6a05ad5bb013e9":"2ce6d74cda466354a736636bf18acfc0":2
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":0
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":1
AES-GCM NIST CAVS 14.0 - empty plaintext, AD length: 90 bytes, ciphertext updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_cipher:MBEDTLS_CIPHER_ID_AES:"20b5b6b854e187b058a84d57bc1538b6":"94c1935afc061cbf254b936f":"ca418e71dbf810038174eaa3719b3fcb80531c7110ad9192d105eeaafa15b819ac005668752b344ed1b22faf77048baf03dbddb3b47d6b00e95c4f005e0cc9b7627ccafd3f21b3312aa8d91d3fa0893fe5bff7d44ca46f23afe0":"b37286ebaf4a54e0ffc2a1deafc9f6db":2
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":0
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":1
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 128 bytes, AD updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"ce0f8cfe9d64c4f4c045d11b97c2d918":"ad4c3627a494fc628316dc03faf81db8":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"0de73d9702d9357c9e8619b7944e40732ac2f4dd3f1b42d8d7f36acb1f1497990d0ec3d626082cdb1384ec72a4c1d98955ba2a3aae6d81b24e9ce533eb5ede7210ae4a06d43f750138b8914d754d43bce416fee799cc4dd03949acedc34def7d6bde6ba41a4cf03d209689a3ad181f1b6dcf76ca25c87eb1c7459cc9f95ddc57":"5f6a3620e59fe8977286f502d0da7517":2
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":0
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 1
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":1
AES-GCM NIST CAVS 14.0 - empty AD, plaintext length: 51 bytes, AD updates: 2
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_tag_empty_ad:MBEDTLS_CIPHER_ID_AES:"594157ec4693202b030f33798b07176d":"49b12054082660803a1df3df":"3feef98a976a1bd634f364ac428bb59cd51fb159ec1789946918dbd50ea6c9d594a3a31a5269b0da6936c29d063a5fa2cc8a1c":"c1b7a46a335f23d65b8db4008a49796906e225474f4fe7d39e55bf2efd97fd82d4167de082ae30fa01e465a601235d8d68bc69":"ba92d3661ce8b04687e8788d55417dc2":2
AES-GCM NIST - empty AD, empty plaintext
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_encrypt_and_verify_no_ad_no_cipher:MBEDTLS_CIPHER_ID_AES:"11754cd72aec309bf52f7687212e8957":"3c819d9a9bed087615030b65":"250327c674aaf477aef2675748cf6971"
AES-GCM Bad IV (AES-128,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM, output buffer too small, NIST Validation (AES-128,128,1024,0,128) #0
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_update_output_buffer_too_small:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"ce0f8cfe9d64c4f4c045d11b97c2d918":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"ad4c3627a494fc628316dc03faf81db8"
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes192_de.data b/tests/suites/test_suite_gcm.aes192_de.data
index 5cf4e3b..90f665f 100644
--- a/tests/suites/test_suite_gcm.aes192_de.data
+++ b/tests/suites/test_suite_gcm.aes192_de.data
@@ -1,679 +1,679 @@
AES-GCM NIST Validation (AES-192,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"806766a4d2b6507cc4113bc0e46eebe120eacd948c24dc7f":"":"4f801c772395c4519ec830980c8ca5a4":"":128:"8fa16452b132bebc6aa521e92cb3b0ea":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c2abdcd2e4ae4137509761a38e6ca436b99c21b141f28f5":"":"335ca01a07081fea4e605eb5f23a778e":"":128:"d7f475dfcb92a75bc8521c12bb2e8b86":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"eef490a0c2ecb32472e1654184340cc7433c34da981c062d":"":"d9172c3344d37ff93d2dcb2170ea5d01":"":128:"017fef05260a496654896d4703db3888":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe0c3490f1f0dba23cf5c64e6e1740d06f85e0afec6772f3":"":"f47e915163fa3df7f6c15b9d69f53907":"":120:"14e1a057a2e7ffbd2208e9c25dbba1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4356b3b1f308df3573509945afe5268984f9d953f01096de":"":"a35b397b34a14a8e24d05a37be4d1822":"":120:"e045ecba220d22c80826b77a21b013":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2898937cc575c8bb7444413884deafe8eaf326be8849e42":"":"169a449ccb3eb29805b15304d603b132":"":120:"3a807251f3d6242849a69972b14f6d":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75683c7df0442e10b5368fcd6bb481f0bff8d95aae90487e":"":"538641f7d1cc5c68715971cee607da73":"":112:"07d68fffe417adc3397706d73b95":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0724ee1f317997ce77bb659446fcb5a557490f40597341c7":"":"0d8eb78032d83c676820b2ef5ccc2cc8":"":112:"7da181563b26c7aefeb29e71cc69":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be2f0f4ae4ab851b258ec5602628df261b6a69e309ff9043":"":"646a91d83ae72b9b9e9fce64135cbf73":"":112:"169e717e2bae42e3eb61d0a1a29b":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"583c328daecd18c2ac5c83a0c263de194a4c73aa4700fe76":"":"55e10d5e9b438b02505d30f211b16fea":"":104:"95c0a4ea9e80f91a4acce500f7":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b40857e7e6f26050f1e9a6cbe05e15a0ba07c2055634ad47":"":"e25ef162a4295d7d24de75a673172346":"":104:"89ea4d1f34edb716b322ea7f6f":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"627008956e31fea497fb120b438a2a043c23b1b38dc6bc10":"":"08ea464baac54469b0498419d83820e6":"":104:"ab064a8d380fe2cda38e61f9e1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c386d67d7c2bfd46b8571d8685b35741e87a3ed4a46c9db":"":"766996fb67ace9e6a22d7f802455d4ef":"":96:"9a641be173dc3557ea015372":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"711bc5aa6b94fa3287fad0167ac1a9ef5e8e01c16a79e95a":"":"75cdb8b83017f3dc5ac8733016ab47c7":"":96:"81e3a5580234d8e0b2204bc3":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c74620828402e0bdf3f7a5353668505dc1550a31debce59a":"":"cfbefe265583ab3a2285e8080141ba48":"":96:"355a43bcebbe7f72b6cd27ea":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1eb53aa548b41bfdc85c657ebdebdae0c7e525a6432bc012":"":"37ffc64d4b2d9c82dd17d1ad3076d82b":"":64:"34b8e037084b3f2d":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"50d077575f6db91024a8e564db83324539e9b7add7bb98e4":"":"118d0283294d4084127cce4b0cd5b5fa":"":64:"507a361d8ac59882":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9ddca0807305025d61919ed7893d7d5c5a3c9f012f4842f":"":"b78d518b6c41a9e031a00b10fb178327":"":64:"f401d546c8b739ff":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ed8d8afde4dc3872cbc274d7c47b719205518496dd7951d":"":"14eb280288740d464e3b8f296c642daa":"":32:"39e64d7a":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"80aace5ab74f261bc09ac6f66898f69e7f348f805d52404d":"":"f54bf4aac8fb631c8b6ff5e96465fae6":"":32:"1ec1c1a1":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23b76efd0dbc8d501885ab7d43a7dacde91edd9cde1e1048":"":"75532d15e582e6c477b411e727d4171e":"":32:"76a0e017":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94c50453dd3ef7f7ea763ae13fa34debb9c1198abbf32326":"":"1afe962bc46e36099165552ddb329ac6":"b2920dd9b0325a87e8edda8db560bfe287e44df79cf61edba3b2c95e34629638ecb86584f05a303603065e63323523f6ccc5b605679d1722cde5561f89d268d5f8db8e6bdffda4839c4a04982e8314da78e89f8f8ad9c0fee86332906bf78d2f20afcaabdc282008c6d09df2bfe9be2c9027bb49268b8be8936be39fa8b1ae03":128:"51e1f19a7dea5cfe9b9ca9d09096c3e7":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c6a98102af3d875bcdebe594661d3a6b376970c02b11d019":"":"bea8cd85a28a2c05bf7406b8eef1efcc":"f2f80e2c042092cc7240b598ab30fad055bce85408aa0f8cefaf8a7204f0e2acb87c78f46a5867b1f1c19461cbf5ed5d2ca21c96a63fb1f42f10f394952e63520795c56df77d6a04cb5ad006ee865a47dc2349a814a630b3d4c4e0fd149f51e8fa846656ea569fd29a1ebafc061446eb80ec182f833f1f6d9083545abf52fa4c":128:"04b80f25ae9d07f5fd8220263ac3f2f7":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec3cc45a22fdc7cc79ed658d9e9dbc138dcc7d6e795cba1a":"":"b10d9c70205e142704f9d1f74caee0f6":"714994017c169c574aaff2f8bad15f8fa6a385117f5405f74846eca873ca4a8f4876adf704f2fcaff2dfa75c17afefd08a4707292debc6d9fafda6244ca509bc52b0c6b70f09b14c0d7c667583c091d4064e241ba1f82dd43dc3ea4b8922be65faf5583f6b21ff5b22d3632eb4a426675648250e4b3e37c688d6129b954ef6a8":128:"d22407fd3ae1921d1b380461d2e60210":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a32ebc7a2338038ced36d2b85cbc6c45cca9845a7c5aa99":"":"9afe0882e418c9af205eeb90e131d212":"61ff8a8bc22803f17e8e9f01aff865bc7d3083ff413ce392a989e46ebed5114894de906f7d36439024d8f2e69cc815ac043fff2f75169f6c9aa9761ff32d10a1353213ac756cb84bd3613f8261ef390e1d00c3a8fb82764b0cda4e0049219e87d2e92c38f78ffac242391f838a248f608bb2b56b31bbb453d1098e99d079ea1b":120:"fcbb932ddb0128df78a71971c52838":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bf22885e7f13bcc63bb0a2ca90c20e5c86001f05edf85d8":"":"99dec21f4781284722b5074ea567c171":"9f4176dacf26e27aa0e669cd4d44bca41f83468c70b54c745a601408a214bf876941ae2ae4d26929113f5de2e7d15a7bb656541292137bf2129fdc31f06f070e3cfaf0a7b30d93d8d3c76a981d75cd0ffa0bcacb34597d5be1a055c35eefeddc07ee098603e48ad88eb7a2ec19c1aefc5c7be9a237797397aa27590d5261f67a":120:"18fd1feec5e3bbf0985312dd6100d1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cfd75a9d3788d965895553ab5fb7a8ff0aa383b7594850a6":"":"a6df69e5f77f4d99d5318c45c87451b2":"041aeb2fa0f7df027cd7709a992e041179d499f5dbccd389035bf7e514a38b5f8368379d2d7b5015d4fa6fadfd7c75abd2d855f5ea4220315fad2c2d435d910253bf76f252a21c57fe74f7247dac32f4276d793d30d48dd61d0e14a4b7f07a56c94d3799d04324dfb2b27a22a5077e280422d4f014f253d138e74c9ac3428a7b":120:"fd78b9956e4e4522605db410f97e84":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0b21ae138485591c6bef7b3d5a0aa0e9762c30a50e4bba2":"":"56dc980e1cba1bc2e3b4a0733d7897ca":"a38458e5cc71f22f6f5880dc018c5777c0e6c8a1301e7d0300c02c976423c2b65f522db4a90401035346d855c892cbf27092c81b969e99cb2b6198e450a95c547bb0145652c9720aaf72a975e4cb5124b483a42f84b5cd022367802c5f167a7dfc885c1f983bb4525a88c8257df3067b6d36d2dbf6323df80c3eaeffc2d176a5":112:"b11f5c0e8cb6fea1a170c9342437":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8775665aba345b1c3e626128b5afa3d0da8f4d36b8cf1ca6":"":"cd17f761670e1f104f8ea4fb0cec7166":"2ee08a51ceaca1dbbb3ee09b72f57427fd34bd95da5b4c0933cbb0fc2f7270cffd3476aa05deeb892a7e6a8a3407e61f8631d1a00e47d46efb918393ee5099df7d65c12ab8c9640bfcb3a6cce00c3243d0b3f316f0822cfeae05ee67b419393cc81846b60c42aeb5c53f0ede1280dc36aa8ef59addd10668dd61557ce760c544":112:"6cdf60e62c91a6a944fa80da1854":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc9922299b47725952f06272168b728218d2443028d81597":"":"9b2f1a40717afcdbb6a95d6e335c9e4d":"bcfca8420bc7b9df0290d8c1bcf4e3e66d3a4be1c947af82dd541336e44e2c4fa7c6b456980b174948de30b694232b03f8eb990f849b5f57762886b449671e4f0b5e7a173f12910393bdf5c162163584c774ad3bba39794767a4cc45f4a582d307503960454631cdf551e528a863f2e014b1fca4955a78bd545dec831e4d71c7":112:"dd515e5a8b41ecc441443a749b31":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a27d718f21c5cbdc52a745b931bc77bd1afa8b1231f8815":"":"59661051912fba45023aef4e6f9380a5":"2b7ce5cea81300ed23501493310f1316581ef8a50e37eaadd4bb5f527add6deb09e7dcc67652e44ac889b48726d8c0ae80e2b3a89dd34232eb1da32f7f4fcd5bf8e920d286db8604f23ab06eab3e6f99beb55fe3725107e9d67a491cdada1580717bbf64c28799c9ab67922da9194747f32fd84197070a86838d1c9ebae379b7":104:"f33e8f42b58f45a0456f83a13e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b83e933cf54ac58f8c7e5ed18e4ed2213059158ed9cb2c30":"":"8710af55dd79da45a4b24f6e972bc60a":"b7a428bc68696cee06f2f8b43f63b47914e29f04a4a40c0eec6193a9a24bbe012d68bea5573382dd579beeb0565b0e0334cce6724997138b198fce8325f07069d6890ac4c052e127aa6e70a6248e6536d1d3c6ac60d8cd14d9a45200f6540305f882df5fca2cac48278f94fe502b5abe2992fa2719b0ce98b7ef1b5582e0151c":104:"380128ad7f35be87a17c9590fa":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d2f85f92092385f15da43a086cff64c7448b4ee5a83ed72e":"":"9026dfd09e4553cd51c4c13ce70830de":"3c8de64c14df73c1b470a9d8aa693af96e487d548d03a92ce59c0baec8576129945c722586a66f03deb5029cbda029fb22d355952c3dadfdede20b63f4221f27c8e5d710e2b335c2d9a9b7ca899597a03c41ee6508e40a6d74814441ac3acb64a20f48a61e8a18f4bbcbd3e7e59bb3cd2be405afd6ac80d47ce6496c4b9b294c":104:"e9e5beea7d39c9250347a2a33d":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"de7df44ce007c99f7baad6a6955195f14e60999ed9818707":"":"4d209e414965fe99636c1c6493bba3a3":"da3bc6bdd414a1e07e00981cf9199371192a1fb2eaae20f7091e5fe5368e26d61b981f7f1d29f1a9085ad2789d101155a980de98d961c093941502268adb70537ad9783e6c7d5157c939f59b8ad474c3d7fc1fcc91165cdf8dd9d6ec70d6400086d564b68ebead0d03ebd3aa66ded555692b8de0baf43bc0ddef42e3a9eb34ab":96:"24483a57c20826a709b7d10a":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1dfa5ff20046c775b5e768c2bd9775066ae766345b7befc3":"":"2d49409b869b8b9fc5b67767979ca8cd":"e35d34478b228bc903ea2423697e603cc077967d7cfb062e95bc11d89fbe0a1f1d4569f89b2a7047300c1f5131d91564ec9bce014d18ba605a1c1e4e15e3e5c18413b8b59cbb25ab8f088885225de1235c16c7d9a8d06a23cb0b38fd1d5c6c19617fe08fd6bf01c965ed593149a1c6295435e98463e4f03a511d1a7e82c11f01":96:"23012503febbf26dc2d872dc":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2df3ee3a6484c48fdd0d37bab443228c7d873c984529dfb4":"":"dc6aeb41415c115d66443fbd7acdfc8f":"eafc6007fafb461d3b151bdff459e56dd09b7b48b93ea730c85e5424f762b4a9080de44497a7c56dd7855628ffc61c7b4faeb7d6f413d464fe5ec6401f3028427ae3e62db3ff39cd0f5333a664d3505ff42caa8899b96a92ec01934d4b59556feb9055e8dfb81f55e60135345bfce3e4199bfcdb3ce42523e7d24be2a04cdb67":96:"e8e80bf6e5c4a55e7964f455":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce0787f65e6c24a1c444c35dcd38195197530aa20f1f6f3b":"":"55300431b1eaac0375681d7821e1eb7a":"84a699a34a1e597061ef95e8ec3c21b592e9236ddb98c68d7e05f1e709937b48ec34a4b88d99708d133a2cc33f5cf6819d5e7b82888e49faa5d54147d36c9e486630aa68fef88d55537119db1d57df0402f56e219f7ece7b4bb5f996dbe1c664a75174c880a00b0f2a56e35d17b69c550921961505afabf4bfd66cf04dc596d1":64:"74264163131d16ac":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a15541b5857a668dc9899b2e198d2416e83bac13282ca46":"":"89bf8ab0cea6f59616eeb9b314d7c333":"4d2843f34f9ea13a1ac521479457005178bcf8b2ebeaeb09097ea4471da9f6cc60a532bcda1c18cab822af541de3b87de606999e994ace3951f58a02de0d6620c9ae04549326da449a3e90364a17b90b6b17debc0f454bb0e7e98aef56a1caccf8c91614d1616db30fc8223dbcd8e77bf55d8253efe034fd66f7191e0303c52f":64:"8f4877806daff10e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b61cdfd19c136ee2acbe09b7993a4683a713427518f8e559":"":"4066118061c904ed1e866d4f31d11234":"153c075ecdd184fd8a0fca25cae8f720201361ef84f3c638b148ca32c51d091a0e394236d0b51c1d2ee601914120c56dfea1289af470dbc9ef462ec5f974e455e6a83e215a2c8e27c0c5b5b45b662b7f58635a29866e8f76ab41ee628c12a24ab4d5f7954665c3e4a3a346739f20393fc5700ec79d2e3c2722c3fb3c77305337":64:"4eff7227b42f9a7d":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce175a7df7e429fcc233540e6b8524323e91f40f592ba144":"":"c34484b4857b93e309df8e1a0e1ec9a3":"ce8d8775f047b543a6cc0d9ef9bc0db5ac5d610dc3ff6e12e0ad7cd3a399ebb762331e3c1101a189b3433a7ff4cd880a0639d2581b71e398dd982f55a11bf0f4e6ee95bacd897e8ec34649e1c256ee6ccecb33e36c76927cc5124bc2962713ad44cbd435ae3c1143796d3037fa1d659e5dad7ebf3c8cbdb5b619113d7ce8c483":32:"ff355f10":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f659ed236ba60494e9bf1ee2cb40edcf3f25a2bac2e5bc5":"":"ad49f12f202320255406c2f40e55b034":"6da62892f436dfe9790e72d26f4858ca156d1d655c9cc4336fcf282b0f3f0b201e47f799c3019109af89ef5fd48a4811980930e82cd95f86b1995d977c847bbb06ecdcc98b1aae100b23c9c2f0dcf317a1fb36f14e90e396e6c0c594bcc0dc5f3ebf86ce7ecd4b06d1c43202734d53f55751a6e6bbda982104102af240def4eb":32:"cb4d8c1d":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a73f318b1e298ba4ac0ab2aed74f73543b1017cccbd1b240":"":"abe33b7e8d88bd30deb96d1e90c4e951":"6de616b000047b14b6759015183dd753c61499c0e665d06a89e4fb0cd0dd3064ff8651582e901ef5d0cdf3344c29c70c3aabc2aaf83cb3f284c6fe4104906d389b027e7d9ca60d010f06ef8cd9e55db2483d06552ddbe3fc43b24c55085cd998eae3edec36673445bf626e933c15b6af08ea21cbace4720b0b68fe1a374877d5":32:"4a28ec97":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73d5be74615bc5b627eedfb95746fb5f17cbf25b500a597f":"fc40993eb8559e6b127315c03103ce31b70fc0e07a766d9eecf2e4e8d973faa4afd3053c9ebef0282c9e3d2289d21b6c339748273fa1edf6d6ef5c8f1e1e9301b250297092d9ac4f4843125ea7299d5370f7f49c258eac2a58cc9df14c162604ba0801728994dc82cb625981130c3ca8cdb3391658d4e034691e62ece0a6e407":"eb16ed8de81efde2915a901f557fba95":"":128:"804056dca9f102c4a13a930c81d77eca":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a249135c9f2f5a8b1af66442a4d4e101771a918ef8acee05":"c62b39b937edbdc9b644321d5d284e62eaa4154010c7a3208c1ef4706fba90223da04b2f686a28b975eff17386598ba77e212855692f384782c1f3c00be011e466e145f6f8b65c458e41409e01a019b290773992e19334ffaca544e28fc9044a5e86bcd2fa5ad2e76f2be3f014d8c387456a8fcfded3ae4d1194d0e3e53a2031":"80b6e48fe4a3b08d40c1636b25dfd2c4":"":128:"951c1c89b6d95661630d739dd9120a73":"":"b865f8dd64a6f51a500bcfc8cadbc9e9f5d54d2d27d815ecfe3d5731e1b230c587b46958c6187e41b52ff187a14d26aa41c5f9909a3b77859429232e5bd6c6dc22cf5590402476d033a32682e8ab8dc7ed0b089c5ab20ab9a8c5d6a3be9ea7aa56c9d3ab08de4a4a019abb447db448062f16a533d416951a8ff6f13ed5608f77":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa832a4b37dcb3c0879a771bb8ae734f0d88b9be497797a8":"0f1105f9ec24121232b60b6ef3c3e8ca9eec1a3d7625004b857d1d77f292b6ec065d92f5bb97e0dc2fdfdf823a5db275109a9472690caea04730e4bd732c33548718e9f7658bbf3e30b8d07790cd540c5754486ed8e4d6920cefaeb1c182c4d67ebed0d205ba0bd9441a599d55e45094b380f3478bcfca9646a0d7aa18d08e52":"70835abab9f945c84ef4e97cdcf2a694":"":128:"a459be0b349f6e8392c2a86edd8a9da5":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dda216287910d1f5c0a312f63c243612388bc510cb76c5ba":"d6617d583344d4fe472099d2a688297857215a3e31b47d1bf355ccfe9cf2398a3eba362c670c88f8c7162903275dfd4761d095900bd97eba72200d4045d72bd239bda156829c36b38b1ff5e4230125e5695f623e129829721e889da235bb7d4b9da07cce8c3ceb96964fd2f9dd1ff0997e1a3e253a688ceb1bfec76a7c567266":"7f770140df5b8678bc9c4b962b8c9034":"":120:"9823e3242b3f890c6a456f1837e039":"":"b4910277224025f58a5d0f37385b03fcd488dfef7580eb5c270c10bd7a6f6d9c7ddc2d1368d68d4e04f90e3df029ed028432a09f710be1610b2a75bd05f31bae83920573929573affd0eb03c63e0cec7a027deab792f43ee6307fd3c5078d43d5b1407ac023824d41c9437d66eeec172488f28d700aa4b54931aad7cd458456f":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5afa1e61d4594b1c2fa637f64f18dd557e4df3255b47f24":"5c772cdf19571cd51d71fc166d33a0b892fbca4eae36ab0ac94e6164d51acb2d4e60d4f3a19c3757a93960e7fd90b9a6cdf98bdf259b370ed6c7ef8cb96dba7e3a875e6e7fe6abc76aabad30c8743b3e47c8de5d604c748eeb16806c2e75180a96af7741904eca61769d39e943eb4c4c25f2afd68e9472043de2bb03e9edae20":"151fd3ba32f5bde72adce6291bcf63ea":"":120:"f0626cc07f2ed1a7570386a4110fc1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"febd4ff0fedd9f16bccb62380d59cd41b8eff1834347d8fa":"dc971c8f65ece2ea4130afd4db38fc657c085ea19c76fef50f5bd0f8dd364cc22471c2fa36be8cde78529f58a78888e9de10961760a01af005e42fc5b03e6f64962e6b18eaedea979d33d1b06e2038b1aad8993e5b20cae6cc93f3f7cf2ad658fbba633d74f21a2003dded5f5dda3b46ed7424845c11bab439fbb987f0be09f8":"743699d3759781e82a3d21c7cd7991c8":"":120:"1da347f9b6341049e63140395ad445":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d280d079110c1c826cc77f490d807dd8d508eb579a160c49":"a286d19610a990d64f3accd329fc005d468465a98cfa2f3606c6d0fbeb9732879bad3ca8094322a334a43155baed02d8e13a2fbf259d80066c6f418a1a74b23e0f6238f505b2b3dc906ffcb4910ce6c878b595bb4e5f8f3e2ede912b38dbafdf4659a93b056a1a67cb0ec1dbf00d93223f3b20b3f64a157105c5445b61628abf":"85b241d516b94759c9ef975f557bccea":"":112:"bbf289df539f78c3a912b141da3a":"":"b9286ab91645c20de040a805020fed53c612d493a8ce9c71649ae16bd50eab6fb7f3a9180e1651d5413aa542608d7ecbf9fc7378c0bef4d439bc35434b6cf803976b8783aecc83a91e95cea72c2a26a883b710252e0c2a6baa115739a0692c85f6d34ff06234fbdc79b8c4a8ea0a7056fb48c18f73aaf5084868abb0dfaa287d":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e80f87fa2156c62df7be2ad16c4890de5ee5868a684fcf9":"c829073efd5c5150d2b7e2cdaeff979830d1aa983c747724ade6472c647a6e8e5033046e0359ea62fc26b4c95bccb3ac416fdf54e95815c35bf86d3fdd7856abbb618fe8fcd35a9295114926a0c9df92317d44ba1885a0c67c10b9ba24b8b2f3a464308c5578932247bf9c79d939aa3576376d2d6b4f14a378ab775531fe8abf":"9769f71c76b5b6c60462a845d2c123ad":"":112:"394b6c631a69be3ed8c90770f3d4":"":"f886bd92ca9d73a52e626b0c63a3daa138faaacf7809086d04f5c0c899362aa22e25d8659653b59c3103668461d9785bb425c6c1026ad9c924271cec9f27a9b341f708ca86f1d82a77aae88b25da9061b78b97276f3216720352629bd1a27ebf890da6f42d8c63d68342a93c382442d49dd4b62219504785cee89dffdc36f868":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d8a7b99e53f5e5b197364d4516cace4b928de50e571315e3":"d0db0ac5e14bf03729125f3137d4854b4d8ce2d264f8646da17402bdad7034c0d84d7a80f107eb202aeadbfdf063904ae9793c6ae91ee8bcc0fc0674d8111f6aea6607633f92e4be3cfbb64418101db8b0a9225c83e60ffcf7a7f71f77149a13f8c5227cd92855241e11ee363062a893a76ac282fb47b523b306cd8235cd81c2":"4b12c6701534098e23e1b4659f684d6f":"":112:"729b31c65d8699c93d741caac8e3":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c874b427b7181b0c90b887147c36f242827149324fd5c945":"bdd90190d587a564af022f06c8bd1a68735b6f18f04113fdcec24c6027aaf0271b183336fb713d247a173d9e095dae6e9badb0ab069712302875406f14320151fd43b90a3d6f35cc856636b1a6f98afc797cb5259567e2e9b7ce62d7b3370b5ee852722faf740edf815b3af460cdd7de90ca6ab6cd173844216c064b16ea3696":"4b8dda046a5b7c46abeeca2f2f9bcaf8":"":104:"fe1e427bcb15ce026413a0da87":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"56543cd6e2ebb1e3dc136a826bfc37eddb12f7a26430a1b4":"d541dd3acec2da042e6ea26fb90ff9a3861191926423b6dc99c5110b3bf150b362017159d0b85ffea397106a0d8299ec22791cb06103cd44036eed0d6d9f953724fb003068b3c3d97da129c28d97f09e6300cbea06ba66f410ca61c3311ce334c55f077c37acb3b7129c481748f79c958bc3bbeb2d3ff445ad361ed4bbc79f0a":"927ce8a596ed28c85d9cb8e688a829e6":"":104:"3a98f471112a8a646460e8efd0":"":"a602d61e7a35cbe0e463119bb66fd4bb6c75d1fe0b211b9d6a0a6e9e84b0794282318f0d33ec053f2cfba1623e865681affeaf29f3da3113995e87d51a5ab4872bb05b5be8ef2b14dfc3df5a48cbc9b10853a708ee4886a7390e8e4d286740a0dd41c025c8d72eda3f73f3cec5c33d5e50b643afd7691213cccccc2c41b9bd7a":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"caaf81cd380f3af7885ef0d6196a1688c9372c5850dc5b0b":"6f269929b92c6281e00672eaec183f187b2ddecc11c9045319521d245b595ab154dd50f045a660c4d53ae07d1b7a7fd6b21da10976eb5ffcddda08c1e9075a3b4d785faa003b4dd243f379e0654740b466704d9173bc43292ae0e279a903a955ce33b299bf2842b3461f7c9a2bd311f3e87254b5413d372ec543d6efa237b95a":"508c55f1726896f5b9f0a7024fe2fad0":"":104:"3b8026268caf599ee677ecfd70":"":"c4a96fb08d7c2eebd17046172b98569bc2441929fc0d6876aa1f389b80c05e2ede74dc6f8c3896a2ccf518e1b375ee75e4967f7cca21fa81ee176f8fb8753381ce03b2df873897131adc62a0cbebf718c8e0bb8eeed3104535f17a9c706d178d95a1b232e9dac31f2d1bdb3a1b098f3056f0e3d18be36bd746675779c0f80a10":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2fc9d9ac8469cfc718add2b03a4d8c8dcc2eeca08e5ff7bc":"bc84d8a962a9cfd179d242788473d980d177abd0af9edccb14c6dc41535439a1768978158eeed99466574ea820dbedea68c819ffd9f9915ca8392c2e03049d7198baeca1d3491fe2345e64c1012aff03985b86c831ad516d4f5eb538109fff25383c7b0fa6b940ae19b0987d8c3e4a37ccbbd2034633c1eb0df1e9ddf3a8239e":"b2a7c0d52fc60bacc3d1a94f33087095":"":96:"0a7a36ec128d0deb60869893":"":"fc3cd6486dfe944f7cb035787573a554f4fe010c15bd08d6b09f73066f6f272ff84474f3845337b6e429c947d419c511c2945ffb181492c5465940cef85077e8a6a272a07e310a2f3808f11be03d96162913c613d9c3f25c3893c2bd2a58a619a9757fd16cc20c1308f2140557330379f07dbfd8979b26b075977805f1885acc":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81ff729efa4a9aa2eccc37c5f846235b53d3b93c79c709c8":"3992ad29eeb97d17bd5c0f04d8589903ee23ccb2b1adc2992a48a2eb62c2644c0df53b4afe4ace60dc5ec249c0c083473ebac3323539a575c14fa74c8381d1ac90cb501240f96d1779b287f7d8ba8775281d453aae37c803185f2711d21f5c00eb45cad37587ed196d1633f1eb0b33abef337447d03ec09c0e3f7fd32e8c69f0":"1bd17f04d1dc2e447b41665952ad9031":"":96:"01b0a815dc6da3e32851e1fb":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"068500e8d4f8d4af9035cdaa8e005a648352e8f28bdafc8a":"98e32428d9d21c4b60e690a2ce1cf70bee90df31302d1819b7d27fd577dd990f7ffe6ba5ef117caac718cc1880b4ca98f72db281c9609e189307302dc2866f20be3a545a565521368a6881e2642cba63b3cf4c8b5e5a8eabeb3e8b004618b8f77667c111e5402c5d7c66afd297c575ce5092e898d5831031d225cee668c186a1":"5ea9198b860679759357befdbb106b62":"":96:"d58752f66b2cb9bb2bc388eb":"":"2ef3a17fcdb154f60d5e80263b7301a8526d2de451ea49adb441aa2541986b868dab24027178f48759dbe874ae7aa7b27fb19461c6678a0ba84bbcd8567ba2412a55179e15e7c1a1392730ac392b59c51d48f8366d45b933880095800e1f36ff1ac00753f6363b0e854f494552f1f2efe028d969e6b1a8080149dd853aa6751e":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7474d9b07739001b25baf6867254994e06e54c578508232f":"1cbab2b6e4274caa80987072914f667b887198f7aaf4574608b91b5274f5afc3eb05a457554ff5d346d460f92c068bc626fd301d0bb15cb3726504b3d88ecd46a15077728ddc2b698a2e8c5ea5885fc534ac227b8f103d193f1977badf4f853a0931398da01f8019a9b1ff271b3a783ff0fae6f54db425af6e3a345ba7512cbf":"3ade6c92fe2dc575c136e3fbbba5c484":"":64:"67c25240b8e39b63":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d50d4c7d442d8a92d0489a96e897d50dda6fbe47ca7713ee":"b36b4caf1d47b0d10652824bd57b603ec1c16f4720ce7d43edde8af1b9737f61b68b882566e04da50136f27d9af4c4c57fff4c8465c8a85f0aeadc17e02709cc9ba818d9a272709e5fb65dd5612a5c5d700da399b3668a00041a51c23de616ea3f72093d85ecbfd9dd0b5d02b541fb605dcffe81e9f45a5c0c191cc0b92ac56d":"41b37c04ab8a80f5a8d9d82a3a444772":"":64:"4ee54d280829e6ef":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38f3ec3ec775dac76ae484d5b6ca61c695c7beafba4606ca":"49726b8cefc842a02f2d7bef099871f38257cc8ea096c9ac50baced6d940acb4e8baf932bec379a973a2c3a3bc49f60f7e9eef45eafdd15bda1dd1557f068e81226af503934eb96564d14c03f0f351974c8a54fb104fb07417fe79272e4b0c0072b9f89b770326562e4e1b14cad784a2cd1b4ae1dc43623ec451a1cae55f6f84":"9af53cf6891a749ab286f5c34238088a":"":64:"6f6f344dd43b0d20":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6db4ef061513ef6690d57aef50d8011e0dd7eb4432d82374":"b7f9206995bc97311855ee832e2b40c41ab2d1a40d9263683c95b14dcc51c74d2de7b6198f9d4766c659e7619fe2693a5b188fac464ccbd5e632c5fd248cedba4028a92de12ed91415077e94cfe7a60f117052dea8916dfe0a51d92c1c03927e93012dbacd29bbbc50ce537a8173348ca904ac86df55940e9394c2895a9fe563":"623df5a0922d1e8c883debb2e0e5e0b1":"":32:"14f690d7":"":"a6414daa9be693e7ebb32480a783c54292e57feef4abbb3636bebbc3074bfc608ad55896fe9bd5ab875e52a43f715b98f52c07fc9fa6194ea0cd8ed78404f251639069c5a313ccfc6b94fb1657153ff48f16f6e22b3c4a0b7f88e188c90176447fe27fa7ddc2bac3d2b7edecad5f7605093ac4280b38ae6a4c040d2d4d491b42":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8901bec4d3c64071d8c30c720c093221e05efed71da280bf":"7c447e700db7367260dffa42050e612eff062eb0c8a6b4fe34858800bcb8ec2f622cb5213767b5771433783e9b0fa617c9ffb7fde09845dafc16dfc0df61215c0ca1191eabf43293db6603d5285859de7ef3329f5e71201586fb0188f0840ed5b877043ca06039768c77ff8687c5cfc2fd013a0b8da48344c568fce6b39e2b19":"9265abe966cb83838d7fd9302938f49d":"":32:"6f6c38bc":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c57eb763f886154d3846cc333fc8ae8b3c7c9c3705f9872":"9fe7d210221773ba4a163850bab290ba9b7bf5e825760ac940c290a1b40cd6dd5b9fb6385ae1a79d35ee7b355b34275857d5b847bef4ac7a58f6f0e9de68687807009f5dc26244935d7bcafc7aed18316ce6c375192d2a7bf0bee8a632fe4f412440292e39339b94b28281622842f88048be4640486f2b21a119658c294ce32e":"9b3781165e7ff113ecd1d83d1df2366d":"":32:"62f32d4e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"307d31a594e54f673bea2f977835670aca4f3d45c9c376cc":"d7385a7bd0cb76e1e242fa547c474370bcc7cc7cf3e3fa37b00fe08a56383ca31d023d8c493f6d42e482b0f32e4f244dd100ea08eee6535e5bb8d27f76dbb7eead6ba8e031ccd0eaeb649edee92aeaf0f027d59efd4e39b1f34b15ceb8b592ee0f171b1773b308c0e747790b0e6ace90fc661caa5f942bdc197067f28fbe87d1":"0bdaa353c4904d32432926f27534c73c":"aa39f04559ccc2cae3d563dda831fb238b2582cb2c2bb28cff20cc20200724c8771b9805ef7464b8fc06c7b8060c6920fd2779fbc807c2292c8c1f88f8088755609a1732ff8c0b06606452b970c79997b985889404fd907c4668a0bcc11ba617175f4525523494a244da60b238468c863055f04db20ea489adf545d56c0a71d8":128:"2ddda790aae2ca427f5fb032c29673e6":"":"0b92262759897f4bd5624a891187eba6040d79322a2a5a60fb75c6c6a5badd117abe40c6d963931bbc72dca1a1bf1f5388030fe323b3b24bd408334b95908177fb59af57c5cc6b31825bc7097eec7fec19f9cdb41c0264fd22f71893bcf881c1510feb8057e64880f1ea2df8dc60bb300fd06b0a582f7be534e522caadc4a2c7":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23c201968def551817f20e49b09dbb5aae0033305bef68a0":"77bc8af42d1b64ee39012df5fc33c554af32bfef6d9182804dcfe370dfc4b9d059bdbc55f6ba4eacb8e3a491d96a65360d790864ba60acf1a605f6b28a6591513ea3cfd768ff47aee242a8e9bdfac399b452231bfd59d81c9b91f8dc589ad751d8f9fdad01dd00631f0cb51cb0248332f24194b577e5571ceb5c037a6d0bcfe8":"bd2952d215aed5e915d863e7f7696b3e":"23f35fac583897519b94998084ad6d77666e13595109e874625bc6ccc6d0c7816a62d64b02e670fa664e3bb52c276b1bafbeb44e5f9cc3ae028daf1d787344482f31fce5d2800020732b381a8b11c6837f428204b7ed2f4c4810067f2d4da99987b66e6525fc6b9217a8f6933f1681b7cfa857e102f616a7c84adc2f676e3a8f":128:"bb9ba3a9ac7d63e67bd78d71dc3133b3":"":"17d93c921009c6b0b3ecf243d08b701422983f2dcaec9c8d7604a2d5565ed96ce5cddcb183cd5882f8d61d3202c9015d207fed16a4c1195ba712428c727601135315fc504e80c253c3a2e4a5593fc6c4a206edce1fd7104e8a888385bbb396d3cdf1eb2b2aa4d0c9e45451e99550d9cfa05aafe6e7b5319c73c33fd6f98db3c5":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6baec0669add30acb8f678ce477a2b171f89d1f41935c491":"5712b84c4c97d75f84edd50561bc1d3f1ba451cc3b358b2403b5e528290954348cf7a235b4dc11a72ddbc503191204e98a9744d85419508c8ca76438c13305f716f1e239a6d9f6423c27217a0057aa75f6d7e2fb356e7194f271459ab5482589ea311b33e3d3845952ff4067dd2b9bcc2e8f83630b0a219e904040abd643d839":"b1472f92f552ca0d62496b8fa622c569":"5ae64edf11b4dbc7294d3d01bc9faf310dc08a92b28e664e0a7525f938d32ef033033f1de8931f39a58df0eabc8784423f0a6355efcff008cae62c1d8e5b7baefd360a5a2aa1b7068522faf8e437e6419be305ada05715bf21d73bd227531fea4bc31a6ce1662aec49f1961ee28e33ae00eb20013fd84b51cfe0d5adbdaff592":128:"29a2d607b2d2d9c96d093000b401a94f":"":"beb687f062ae7f5159d07609dd58d7b81c478d180bc0b4c07ae799626ff1da2be2e0d78b2a2a1f563257f161491a5ac500cd719da6379e30d0f6d0a7a33203381e058f487fc60989923afbee76e703c03abc73bb01bd262ff6f0ac931f771e9b4f2980e7d8c0a9e939fa6e1094796894f2c78f453e4abe64cb285016435ef0e8":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b882a2df81fdb9275fb05d120f32417e8ffedd07457e938":"0aae7213da279b34d6dcf2a691b2d0333112ea22de0c3c68d47cf9f9f4ed8ad4e03d4a60ec18c3a04ac9c2abb73e1023051029b5e8705bb69c4c50afc84deb0379db5077be1f663652f8bd8958271af2c1ac4a87e08cb526bab8a030652f2a29af8055d0f31e35475caee27f84c156ef8642e5bfef89192f5bde3c54279ffe06":"5c064d3418b89388fb21c61d8c74d2c5":"5bfa7113d34e00f34713cf07c386d055e889bb42d7f6c8631ffce5668e98cb19bed8820b90ecb2b35df7134f975700347e5514287cfef7ffa2b0ff48b1de0769b03dca6610995d67cb80052cb2e5914eb4ed43ef5861f4b9364314fde6ad2b82fbba7fd849dfa6e46ecc12edc8cabfff28d9bd23c2bcc8ab3661c9ba4d5fee06":120:"0943abb85adee47741540900cc833f":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51d94d21482c00bb5bc7e7e03aa017ba58f5a23494b72c2a":"3a9c69c1ed2340bfde1495658dbf4f54731a19b3922a1d535df8d0b2582f5e803b5891e8ad1aa256c923956dcda2430d0c0696bce63295fb61183e040566e459338f908d23ae51f64020c1ef3d192428f23312b285fc4111d50d1add58f4a49008a22c90d3365230e9158cd56f9d84f079bdd673555d4dc76c74b02fa9920e7d":"fb21cd763e6f25540f8ad455deaccdf0":"019d1db5569eeff83306f65d653b01064854c1be8446cd2516336667c6557e7844fc349adea64a12dc19ac7e8e40b0520a48fac64571a93d669045607085ac9fa78fed99bbf644908d7763fe5f7f503947a9fe8661b7c6aef8da101acca0aed758ca1580eeb2f26ae3bf2de06ce8827a91a694179991a993cdf814efbcc61ca5":120:"a93bd682b57e1d1bf4af97e93b8927":"":"7093f44703f2cbb3d12d9872b07a8cd44deb62dae48bc573b11a1ee1c9f3105223423fac3181c312a8a61757a432d92719f486c21e311b840aa63cf530710c873df27fecda0956075923f1ecc39bffb862706f48bde2de15612930fc8630d2036e9e4cfc1c69779171bd23d9e1d5de50a9e0a0de4bd82ed3efc45299980bb4cc":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6756470937f5d9af76f2abe6df2d0bc15ff8e39b5154071":"afae92bd56c426c095d76633701aa9bea5ce05490482c6c64ac24468c3e1af6e6030a6bb6649745b011c6729bde985b9242e22105322fbb8853dcabbd00165d0b07d7b499e0238b6513bf6351eb40635a798f7e6e2d31125dda45ffe8964596fdbff55df22d4e9025bd4f39e7c9b90e74b3ee58d6901f113900ee47a4df5afd7":"4500193711a5d817a9f48deafda39772":"92fa22dba0eee6b1de1ddd24713b1be44c7105df90e6e7a54dcbf19025e560eb4986ee080cf613898a1a69d5ab460a3b8aa2723a95ac4a4af48224b011b55fb7582ae18f6746591eab2bd33d82a8dbbae3f7877e28afef9857a623530b31d8198b2df43f903d6e48ddae0848741f9eaae7b5504c67ad13791818f3c55c9b3d1e":120:"7d9f97c97c3424c79966f5b45af090":"":"62258d60f0138c0405df4b2ec1e308b374603a9eace45932fdc2999e9e2261de8b1099473d1fc741c46c334023aa5d9359f7ef966240aaf7e310d874b5956fd180fb1124cbeb91cf86020c78a1a0335f5f029bd34677dd2d5076482f3b3e85808f54998f4bac8b8fa968febceec3458fb882fc0530271f144fb3e2ab8c1a6289":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30db73d46b518669c45b81bc67b93bed3d0864f7e9e8e789":"750bc1d2f91d786bb1e621192a376f552538ba8c07d50d9e10b9345f31b3e5f9d8ad7c719c03d8548a3b184b741cd06c49d7fb6fe80258d60c01c2987c337c823211cee7c1cf82077266889bc7767475e0eeabb2ef6b5a1de2089aaef77565d40a1c2c470a880c911e77a186eacca173b25970574f05c0bdcd5428b39b52af7f":"5069e2d2f82b36de8c2eb171f301135d":"ef781dce556b84188adee2b6e1d64dac2751dd8592abc6c72af7b998dfae40cbe692a4cae0b4aa2c95910e270600550fca1e83640c64efb1eb0e0a90a6fc475ae1db863a64ce9cc272f00abac8a63d48dd9f1c0a5f4586224befed05be4afae5bd92249833d565cc6b65fd8955cb8a7d7bd9f4b6a229e3881212871a52c15d1c":112:"a5100c5e9a16aedf0e1bd8604335":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"209f0478f1a62cb54c551181cbd4d24b796e95f3a06b6cb9":"66db7cc97b4a8266c0a2228e8028e38d8986e79fcbcc3caff3050fdd2de87b7ff7a6895b988b0bdb7fcc4d6e2d538dcfaad43ce2f98b6d32500f5a6e6183d84cb19157a699cdde1266d6d75a251ee1a2eb97bfe6405d50be2b17a58ba6eafaee0a023a28d568fd1c914f06041a49c79b9df9efe63d56883cbbbeaba809273d2e":"7be1768f6ffb31599eb6def7d1daa41c":"9cb49357536ebe087e1475a5387907a9e51ad1550697f13c6cc04384ec8a67dea13376bdd5e26b815c84a78f921b506b9e2086de50f849185f05ba7c3041e49e42c0673df856da109a78b8e0ce918c25836f7e781e6b16168e4e5976d27ebc83f20b7bf4beadecb9b4f17a7a0d3a3db27fc65288a754b5031a2f5a1394801e6e":112:"4d2ac05bfd4b59b15a6f70ea7cd0":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bfa30b315e7b908263330140fa2d66ed57104784a43cc70":"8eeee9865e23fa51dbbf197fa41776b7edbdb9381a22c935299cd959a46190788ae82f4e645b0362df89bfc00241964784bc7ef70f6f97e81687d52e552a33af20ae34a3005e0a7b85d094368d707c3c4cd3ef31c0daf3ccaa1676609ed199327f4139d0c120977e6babceed28896d2cb3129630f3ee135572dc39433057e26a":"b7081a3010b524218390ba6dd460a1ec":"8c1f42b5931d69ae351fcde7d2b4136d4898a4fa8ba62d55cef721dadf19beaabf9d1900bdf2e58ee568b808684eecbf7aa3c890f65c54b967b94484be082193b2d8393007389abaa9debbb49d727a2ac16b4dab2c8f276840e9c65a47974d9b04f2e63adf38b6aad763f0d7cdb2c3d58691adde6e51e0a85093a4c4944f5bf2":112:"4da85b8ec861dd8be54787bb83f1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc47156a693e59a1dea0618c41441fe669fc65dcfb7d0726":"3e4f0a586bad532a08c8863ebba01fd25014baa907e6032ee43d4a7dfc7c3171916dcdf9faee0531f27527872ae4e127b6b9aaee93f5e74d0ab23f3874aa0e291564bc97f17085dd7d5eb9a85d9f44574e5952929eda08863b64c85dd395c91b01fe5bef66e3fa8f9ee5bf62c25d80dc84fbe002ecfd218430b26f3549f734a1":"ea1935ed014883cc427983d7962d9992":"0d85b8513becfe8c91d0f6ffb65ec31f2cf406c51c0da88893c43d1327fd8ad1f4bab2d7b5e27438d643397034a72f8666bf641b6781bc90f764db387eae6720b5723d510194570ccd773e1b3bebfc333cc099d078583e8dac60d174d332925a24a45110c8d2abe8924ea677ac74db66ea789e2838efc96c78bceaa6236c0a67":104:"8781b045a509c4239b9f44624e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fcd780a03ba80341081ef96b440c0e4348afde4d60c1d5":"6316f3beb32f6f3bf8f2ff6a2c160b432bafd3036d3eefa1e4ec204f24892e37dc4d75c7ce9a24b5c49fb4df901f35ef9d5955f7dc289c56cb74753f4d6b2982267d5269d12237e21202a65061849c65e90e6702dda03a35ace3a3a098d16b4bfbb85b7232404baee37776a9b51af6b3059a5f170f4ebe4ecf11061ca3c1f1f3":"ad20cce056e74ec5d0a76d6280998f15":"28f8fcf23b9c1ba40c19ffc1092632e35f234c1e8b82bcd5309d37bf849a2ce401413d1f242cf255ed597f9a93a1d6e50676997f95aa612e580d88234a86ddc404292746f0b2f5cf15abebcea6659f998ec6a1cb5a9914fee5aa1aa5d04b3c20914e45095e4141ce9c173653dd91c3ebe4ed4a9a28f3915d7b2edba34c2a58d8":104:"2ad4520ddc3b907414d934cc1d":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4382507dddccf1385fc831da8924147563416d0656e168ec":"e5c5430b960aa35dc8540215c2772d66811270859e33dd4477904759e7e5eb2986a52a4ccc9f592e614147b5ea2ead6636a15c6426336b2995d9a31ab36d76578c3540bc6693842a4bc0491c7963ee9cda2317951cf93244bd30bcdfec69a4767004636fe7d1be7300c35e80627bab9236a075a803e9e1080b9159060c643a78":"a37687c9cd4bdc1ead4e6b8f78bee7f5":"fa9ae30509cbb6fe104c21480ae7b8ec9f12f1afb17320d77b77cdf32ce8c5a3f7f927e501118c7ccd6975b79225059cef530a4fcb0a9719f5e2d3bebe7bb6ec0855e495a31e5075eb50aa6c1227e48b03e3fdf780084ac4912eb3a5674cca9dd6ac037366b230ae631a8580d2d117942dee5d5ddbbb2233afeca53289cc4f68":104:"4221818d4be45306e205813789":"":"b5b36719bc4d13a5fbf37188ea814cdf3c97a430784330540325c899570e15482300bc82c5b8163074e0544c5132e3ce93bba68bd7a8d2db81d1431b424b697c1158c4d70625666d5ff99145ca34856815c905b5a0fd95806df56b9cd5b384bda3e394b409048eb1037144cc071539c02397e931da28a43cc354d584643afd4f":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7a66db3450dac9a1e63d2639f34c5c6a3fbfb3c8e8230199":"6463a7eb2496379bc8a5635541525926a6f9fa718e338221952118ae4cf03a85f2074b4ebaf108b9c725809be1e6309c3a444b66f12286f6ea9d80c3413706b234b26372e8f00783819314a994c9e3ecf6abdd255cbfe01b3865e1390a35dcd2853a3d99ed992e82ec67ba245f088cb090adade74bdbc8a1bad0f06cbea766a6":"21f8341529b210ade7f2c6055e13007a":"1699bc8c198ab03e22d9bc4f3682aad335c6e35f3f616bb69769a9d5a202511797e770ae0d8d8528ef7b2bb25b4294d47427b43f0580fa71d93fdef667f4f4196f84e41c0b1978796d0de74a94420fb8571bff39137fa231c572b31be9ae72338288bef5f8c992121dc918538551f346e279a9047df14ec9fc0fd399cd3bd8d8":96:"4af02b81b26104d1d31e295a":"":"53fe6a34d280f2c96d1ae2b2e8baf6abd67cedf7d214312f75dd4a1bec28a641dda3e71aa398726b2b0b1f515e1f4259ee97acaf17f122db9ec7814c2de6a88d36c3ac106396ad03d337c2cd2d2b9b4b7170e23a5848ca7ea129838f967dfdfe83b45ff2a9be699bfb2346115465d59f074f09e24d8fcbd9ece0018c92776c43":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f5c818f24d201f9fb23fcca211b0545eee5c5c9b440810d":"9a7566817a06f792e96a6a2ba8e0a01f8837e2de06796e68b0782cc54ed0b04fc5e24a1ad37d5ffb035548b882d88150e89915b89f57cde2bf3c43ab9dae356927daef6bd61cc9edd5e1b7a4abea2f71313677f1b2fdf3d8d4a7e9814ea820fbc3e5c83947db961839a985a57ced7f5e4a1efffcfd17a2c806d4cdc1e79162da":"3a163067bdd90fce0406d1c198a88771":"a5e94e233d04fe0c4b6c4684b386902fe05096702237dfbe76f73befa69b6f30394cf9fe3358997942df65842748fb4f075a3dc06e147bd8d67fc4371113a4d75c70219257c650a6f38a136659e20a1cf3a119397835c304e0fb2a33aa3c3019175c86463043d5edc6992874f61e81cd0d26af8b62cf8c8626901d4f16d84236":96:"b124eea927e2a62a875494a1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a301f7edf83da63bcf37216a3a33d7613331c3210281dd7":"e09cc8543db7804870004706a26e94b457c125bd648b581a196f962f2ae8fa55d9bc66530ba5020e22d282080b4720dc9a2096a11c0fcc3d9a67cd1cf95cd7cd2417ba308c761e64be24347a14c9423447094a5c72a0043c288b35e753ba0aa748f208381249fb1c8d195a472192404b6c8172663ee4b4d4ecfa426e1fb003f2":"d73a546b0fa307633ac89506fa86138b":"f57fe548cf4a551a216ffb24a1dcf1b79c95f9abf06443fd58af042d287c2165db373c82a94172db517840f22e45e966e3ead91ce1ddad132bcb844e406e84b76a0b5b0ee23064b66a229f32a2d3b9c71103f020c4ba57fc0f0608b7114914cf2ada0c5a9bc4afbfa9ce5da320f34beb2211d569a142f53bfd262f6d149c4350":96:"f536a3b8c333b1aa520d6440":"":"124a327a8c22b7652886dac2c84b8997ca8a6f61c9ba9c094b5aea41eaa050a6df6cbf280259e5466071bcfa53b4ebc76c3cc4afc8c0385189a5382933aa57c89aab78dca84331e0fe8f0aab3a7857d3e13f08dcd90ec5f0684f82088ef8eb7fd67e75de43b67afc3a0beb458f5ebd61b2c779e6c539d795c667bb7dcc2b762e":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd40e8226fd13cb95ba50b7cdf0f07f7ab7037cf8705ca50":"75aa7df5c3c443d48ee998064b6fd112c20d2d90c98e00d025ef08d1ad3595385be99de47fa627549b827c48bc79eb1dcaf2f1be95a45f7e55755b952aee5ae0748e68bee1b014a628f3f7dc88e0ebac1d1d00e268355f5101838ce125c57003aebc02a1c9d6ae2cd6e2592f52c0be38cef21a680ae35c909cab99dce9837aef":"3406e70cbe16b047fedaa537eb892279":"390b18d22d5ecc0b5a524ae9afac6fd948ac72d1360775a88b385aa862cce8a27f3e4b420e539bec6e8958f8c1b5416c313fa0a16f921149a2bfeae29ad2348949b29a73970e5be925ec0c35218b82a020cf21bb68c6931f86b29e01b85500a73f3ee7eb78da60078f42550da83b2e301d151d69b273a050f89e57dfc4787cbf":64:"69e06c72ead69501":"":"6e8d661cd320b1b39f8494836fcf738b0ab82873d3903c9ee34d74f618aea36099926b54c1589225ec9a9d48ca53657f10d9289c31f199c37c48fb9cbe1cda1e790aaeedf73871f66a3761625cca3c4f642bc4f254868f6b903e80ceeeb015569ace23376567d3712ad16d1289dc504f15d9b2751b23e7722b9e6d8e0827859f":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a85ab87563b809b01725764d64ba4cc6a143e2e0362f0c52":"ef43629721b50bd3656b7ae31b6e4b4ba1cf2c72ed0460ee7d9fb416631ddc597e5f9aebbcf4442b95cc46e28476a464dd87caf9c1c1d6c99d3e3e059dc23f8d2fe155ff5e59c50d640bc052c62adee3aa1295b38732e3458f379e98a8dbdfed04c22a5761792e87fa67ecbcbf3b90eb1bcd1d3f49e60132452f28afece83e90":"9f991ff16a3e3eb164a4f819c9f1821a":"df289511f78d8fa2505afc4c71ab1d7c31a8d15d1e5fcbb29d70f0e56f89c4d7b30f1b3b4745b5d2cc7af34fb4c95461372bf516ec192b400dc8fdb0ca9fe1f30f5320d0fadf20155cfcddcf09233c6f591c1c89917e38a003f56b94a1e2429d1f2b6297db790d7dce84d9fa13d2d86a0e4d100e154050b07178bee4cdf18126":64:"dc4c97fe8cc53350":"":"ff0e531c7344f0425d62d5fbedf4bc8d3d5cc80647e67b852c1a58ad1516d376d954cb8dda739f6a4df3cf1507e59696610bcb6b34340d6313028e00d7197845d392e73331aaf168b474a67364d8f9dab740509fabf92af75045f0afabc1b5829264d138820952bbc484d1100d058a4de32b4ece82746b2b4a85fb2993d4add8":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f4f1e03abb927ffd0b081b9dce83a56a6dd419a6313ac34f":"0e70421499bc4bcb3851afa34cdf5be374722815abdd9bcee5f332dbe890bdc1c0210ab10667e5bb924bf3c1120e25a0c074da620076f143940989e222086d1b34a1200d09aea1f810ef6de7d8520c65eef9539fde5a6422606c588fce6264e5f91f934ede6397c4b307d2d7e07a518fce577a427fa92923cbba637ae495afad":"d1e29bb51a3c4e871d15bb0cd86257e2":"ae2911cdaaad1194c5d7868b6d8f30287105df132eb0cecca14b6e23ec7ac39cc01da1c567a0219cca7b902cc2e825e30f9524a473eb6e1d4d1beff5ab4f29103b2c7522a33dd33182fa955c4f09a75196b1072a6f0340fc55a802d29c7067f05219c21857ebff89ada11f648c1f28dfbfdaab56028f05509de17e2381457ebc":64:"44f760787f7bc3c0":"":"2199fa5051461b67581429ab19de2ccb50b8b02e12c0e1d81a8a14929f84e09d9715b7d198e77e632de4af1c08c5041276204a7ed76646385e288e96e1a4b0b0f2b1a9df7f0892beaea3cb58d9632720158f6daa4cbbfc0ebdc56ff6a5175768ff2abd24cb7669bc3fe40f8aba7869d2dd7dac86b6ebc4e4ce261edbec88db17":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"33efe20433c6a1ad261a1fed494961749e5bf9d35809b59d":"cfbeb61be50def25f513346498f75984bfe797a8ad56be34f2461e2d673f6ce14e7479a59777267b75dadc6b9522599ebe5d7b079495a58ca187ec47796f6ee8c322278ad7451b038c938928adcff6105a8ea3780aedc45b6a3323d3ae6fbce5da4fb59ca5ec0a16a70494c3c4859672348532505e44f915e0b9b8a296ef5225":"dc94673b0c49c6d3b4611e278212c748":"919f7397a6d03836423b7cac53177fcfbe457d4aa4348646f646aae1bc5a15568cdb8c96fabef278ace248aca531110a4f4f9e8ab0c32525ad816ae3facf03175232dc84addcd6065f9cc1f513966b63fd27e91a09f1921b95d6bd8f08f1dbce073bcf827847f774514b478b9d7fb5426847dd4dee6f39b5768c1fb729b32d03":32:"c5098340":"":"c5e47d8c60b04df1974b68a14095d9bc8429a413d21960b15bae4fd7356bf7872e0da0a1a385ca2982d3aa3182e63ea4bb8ca01410cd4e71ddad34aa1f12c1387902b3d56634f89c619a2e6756648ab3bf90e9bc945afc9140eb935b633bae96bb067e9ee421697bcf80b14b1b88dbf13e010b472a7ca5411db36848b9c7a37f":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ed5dadefa0f6d14fedd1a3cdbab109f6660896a952ac5ab":"aef617f69724e020309ec39d9587520efda68a8e303686c3a41ef700cba05b7c6e43e95aadb1a566f61650c87845835e789eb2366941e3bfef6d9846af0e0dbc43249117ad6f299bbc40669ac383cdf79289ada6ccd8ccfe329a0dc6a38eea1a99550457102d10f641cda50c21f533b1f981663f74a0a7c657c04d9fc6696ff4":"553a14f1e1619f9d7bd07cd823961f25":"eb8ea81d3e328a1113942cd5efd0f2b5e7f088791c8fc05690a34584101c4d493628ee7d0099a2865ac194b9124c3fb924de0c4428d0a1c26ea3ad9a0bc89187a16673e3b6f7e370dfb2dc26e8a56a9cf91f9c2088c020a766efe0d0c91689743a603f2cd1e300a6a84828b3b515a4b9a06e6bb20457bf124cd6ce4ac8b83d51":32:"dc413c4c":"":"bc1f34991a48aabb0fea513f790f0d223e9feac4c99fa1e8427f01ab8b4b2827cfaf239342de36051a846af0306a3f82e7aed98dd0416fb078bc7f3b617b00ceb2cea4ddafc22dd022efa8303e9804510e0e888065d8427345156d823f796f74130c06db9f9934435552b4fefd051953e20ecba3a4514ac121d7d2097d597439":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6d97e8bff3923a778504fb917dbc1428a1328587047697d9":"dc1a81efd51e967767f5bdd7e2e425732c1d28451f2bf5bdf3f5a6492279330594d360dd8a193e5dbde1be49bf143a35c38bcd059f762ada65c5119e097f0976891347f4d829b087bd72daa3494b344cbd3370c4459ca243bd57aeda4cb86cdd0bf274f07830cdbf5e5be4eb9b742ddffef8aa35626d2b9ea0a29d3c3d058b28":"0c28dc4cd53725091c2fb68a476c2e40":"f3932f5e82d75a1e3eba1591c17769e1a45819ccf057c31e76fa810b93678766d25905e859775c244e96bcafbc75c4a2d95e7d02868ccb2f65e49276f0b645ac8cf6e3758402304a3c25ce2de0a49f401b1acadaff8b57589b45cc79130ddc8387f41cc383e33ef38eec019152051c756198d6f782ccf56297b9fe944269a65a":32:"e6d6df7a":"":"39327836e9d8cfb59397adcf045a85644c52c3563290795811f26350c8bce8f55ca779cbcd15479efd8144b8a39ef611153955c70bf3a7da9d4d944c2407a0d735784fcb68de1083eebf6940ebc9cf92f9f139c01404b503ff64e61126a94e881351473507884357040fd32714b872c254349071069644e2bd642905521b944e":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c78e29971e90a01bb65973f81260b9344fa835751f5f142":"":"f1a23ce6e2bc9088a62c887abecd30ae":"":128:"d4d5c22f993c8c610145fcbe4e021687":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c582d5b6a40ef0e4048ec20f0263572d7cc82704e380851":"":"ef221a1c66fda17906190b7c99ab60b8":"":128:"6327dcb46ffb3d0fd8fbf3d2848a8f01":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a58abadd29e946e23ca9eb09af059913d5394971bda6a4f":"":"7c29b3196d44df78fa514a1967fcd3a6":"":128:"fc123944bbea6c5075a5f987aed9cf99":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04bdde4c35c385783715d8a883640851b860ce0e8436ec19":"":"783f9a3c36b6d0c9fd57c15105316535":"":120:"23e21a803cac5237777014686564f2":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4ba5fba0c22fbe10c2d1690c5d99938522de9c5186721bac":"":"2acc2073089a34d4651eee39a262e8ae":"":120:"7ac742c859a02a543b50464c66dcf5":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f12890b0a8819faa5a8e0e487f7f064af42fa6d5519d009f":"":"c937615675738f4b3227c799833d1e61":"":120:"88300bd65b12dcb341f1f6d8a15584":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51878f3630298a81297f4a21514fea637faa3815d4f26fae":"":"1f939226feab012dabfc2193637d15b1":"":112:"eed5fcb7607c038b354746d91c5b":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ae596e74840a600556a06f97b13b89e38f67c152f1a1b930":"":"e2076e1050070d468659885ea77e88d0":"":112:"b4586bdbd4b6b899648f2333eee0":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd33b7a0efae34339ca987b5eb8075385fd1276e63cc8530":"":"2d07bb8616fc0bbb71755a1bd256e7fb":"":112:"6b60d645220cfde42d88296ac193":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5685b12a6617d554c36b62af5b8ff2239cb3ffb1d2c40e14":"":"6c31194df99d08881fa5b1dd33b45a92":"":104:"69431593c376c9f8052bf10747":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036ae037410dae9f0741608516d03b855c9c1851df8c54a4":"":"73599275f8237f14c4a52b283c07275d":"":104:"6f7249d25c9f273434c4720275":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ac144f39ebd6124bad85c9c7fb4f75bff389ece2e8085d83":"":"d0871bfc3693245be478e6a257c79efb":"":104:"5a99d59631d0e12f58b7b95ccd":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a8a541ff11a1b8548e832d9e015edeccc94b87dadc156065":"":"c72bb300b624c27cded863eba56e7587":"":96:"ea2528e7439be2ed0a0d6b2a":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30dd8f400335e9c688e13cc0b1007bd21736a6d395d152e2":"":"28899601fa95f532b030f11bbeb87011":"":96:"35625638589bb7f6ccdb0222":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb8f672b04d706d7d4125d6830fff5d2ec069569bea050ce":"":"375d4134e8649367f4db9bdb07aa8594":"":96:"70610bf329683e15ecf8c79f":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bf71e5b1cd6eb363ecd89a4958675a1166c10749e1ff1f44":"":"9f502fb5ac90ff5f5616dd1fa837387d":"":64:"a4b5138122e1209d":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b9d1dfb2303b66848e363793bdca0e5ada8599cb2c09e24":"":"2ee96384dd29f8a4c4a6102549a026ab":"":64:"3b33a10189338c3b":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a35ae271f70ebacb28173b37b921f5abcad1712a1cf5d5db":"":"8d97f354564d8185b57f7727626850a0":"":64:"813d2f98a760130c":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bdd0cb826d5d28c2ab9777d5a0c1558e7c8227c53ed4c4f":"":"daf13501a47ee73c0197d8b774eec399":"":32:"a6d108c0":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81b4d5ee4e1cbee1d8966fb3946409e6e64319a4b83231f5":"":"bc2f9320d6b62eea29ebc9cf7fc9f04a":"":32:"a47cdadd":"":"":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5813627d26d568dfe5a0f8184cf561fe455eb98b98841fe0":"":"817199254a912880405c9729d75ed391":"":32:"d81d9b41":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94f160e2325da2330fbe4e15910d33c2014f01ace58e5b24":"":"80a1b99750980bf2be84a17032fc2721":"066fdd980cf043a732403ee5f65c82ca81e3fc858ad3cfa343014a8426fd3806770f127e2041efb42e31506ce83390ac5d76de2fe1806df24ce6e4bb894972a107ef99e51e4acfb0e325ab053f9824514b5941ab1ec598fbb57a5d18ed34d72992a19215d914e34ad1a22326e493d1ff2da7bc271c96ad3ab66d0c32bd711293":128:"dd153cfd7aa946280660c445f586fa28":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4785846f7c0524e78f3eb137fd433e1808af64549af69183":"":"5334476a5fa3fa50dcc4b12f8ac00b51":"e70f82d1e3361ac5a5c9a087e47984d5533ba296f9b7e4a192a4ab28a833cdbbd5cece3415cf6fbb2f8055560b5c31c98d83d139954e1c03a464739f1eb5ad982c4371cf20b8984bbd97d5f40b336f5e96df3d272b95f7547be15c3bc05b3caac7d08c5eb5de8bdd246e74f6caa6bff76ea0417730ce72b911867f88fdcf73a0":128:"c59231ddaae98e0e8db6b3fe8f4d3427":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"49b085fe1a8e1ae769ed09fc585d29eb24d589689992e6c5":"":"899878b0684fb865d30190821817b88c":"f789eafe3d02826b619ca4fbca7bb1919e5c6f7c33824a2f7f815dc50e329979705f7ef61e9adf7899d34f1b8840384ff62ef6d29eea38c45d12be9249aca69a02222cd744d81958c6816304ff0d81d6714a2023b3dd9d940db5c50afd89c52774d28d6afde2b6c68425b6acbe34682531a2e57e2b9a7729b3e8d96a729b15cc":128:"2c84bf7a8947ab93b10ae408243b4993":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75847588760ecb6ca548747b743914c89fea367a5ccb81b6":"":"7d8a9fd254e2061c01e39eb574951924":"b03c57dfd49152401a225357f1d6e533f3a423e5cfce07b8ae7ca9daf68645e5bd67b3ca2421eac447530b27c6dc6bd9c7f1b22441b8cc8c4ac26cec2c9c0d665a35b66d779a3772d714f802d6b6272984808d0740344b6abdb63e626ef4e1ab0469da521c7908b2c95a0fd07437c0e9d4d2451ae189ad61ff19f4efb405127c":120:"e8aac14b53cdbc2028d330fc8d92a7":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e3a18a96d2e45d2f60780dc39cee7160e28cb810bf09858c":"":"26a4d659665ded39b7a1583de756d0ad":"83f8d9c58169b4c68032321197077ff5c8ee4ebb732b040748e1b55dcf53375ae86fb9646a672b5c5bc805a92c475cbb6d0ed689a58abdf2230250a7d3fbd8cfab07835fa85e738a7f74bc3e93616d844b1ec61b79f23dfea62e1815f295d43f61d7b5956103b31ca88afb0b3d37eb42cf77232dbf2258065232971c397dcbcb":120:"dc034564d4be7de243ff059b5f9160":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7be3909170ea7a2ff76f9f28241d8cc48ddeafa8517c6f8c":"":"8dee7e29350c60c5bcfec89da6617d2e":"f6e9e7a7f9716760eb43060d5c80236a0f118b0f750ebd5df01fd2dba95c556ecd2e54a3f337767321abf569c8137a8e48c5b44037ba62951e9f9f709e6e4540a36d769f3945d01a20a2ed1891c415a16d95cab7ddf9bcebf18842c830067509a2a5d49a9684324c433d53824d2f8fd326b149af17f40e5bf5e49185738fba60":120:"942b52277e9dc0a30d737d00f5e597":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1fe413bafc4753e1511b580c830449bee56e0e5b9acb852c":"":"e30829f64f3eda13bfb2ac572aceb3de":"6c772d08b4d7507e35804572fa697c646c77301954cc5c160941e49e230697ed8c23338b9f30c3ead69b1c1a2329ff025dcd3c0d0a9cc83fee4979448aa71ddb9d569bedc8c497a2a4ac3b60d087d7872f0a110bf90493ae7da03b0953734223156cd2d6c562e4a978a6dd5cdb229dd58dd4d0f50ac015f2f5e89dac4aa29a19":112:"87737873b82586bb29b406946cae":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4bc4378d423931f9b320bb57df584c641406c1daa7448ad":"":"eca70e10c0358838a3f4a45c4b016ccd":"68d1c045c1604e3c3dd4f7c7543240aca8dbc5266dc18c5a8071e8b09e3700b7cf819044b2722d8db92021f42a0afb295d7b16ecf4e4704a50a527a2e72d7f53617c358e3b7be3d7fecda612ce6842fcfaa68f2d1b8a59d8b8391779f2fab99f820862c94029f444abe62367c5de0a4becc359660e4a5366f7d482bdc362b866":112:"06f95ca69c222a8985887925b15e":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cd4414ffd24e830e2dc49727efa592e430a6a75391cf111":"":"a08e32ad7d63f975de314ad2c0fa13fc":"20a271f1f4c6bea8f1584ab39a7179ec448650e2ff67a7338d1bc9fab7f73b2ce5222cd07ded947d135d9d0670dc368f0a4b50ece85cbf641877f9fe0ac6a7e6afb32fdb1b3cd35360bb80cfffc34cfb94dbcbee9ca5be98a0ca846394a135860fba57c6f0125dcb9fb8b61be681ada31a997638ee172525c03dd13171534a91":112:"c68842cafc50070799f7c8acd62a":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e0ef9ed5e6f00a721a9893e1f0d9079c5aa667a4cdd2a52":"":"5f015fd556e87ff0d0df586fb452306d":"b82986135e49e03f6f8f3ce4048ded2e63ee0c31ddc84929e022ee8561159179b3bb4403ebdafdf6beae51ac5bf4abed4dbc251433417ece3228b260eca5134e5390cba49a0b6fcbbbabb085378374e4e671d9ba265298e9864bfce256884247c36f9bddceb79b6a3e700cb3dd40088ba7bb6ab6aa11b6be261a7e5348f4a7d1":104:"ec9a79a88a164e1a6253d8312e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bc8f15d98e089d60d4db00808700053f78b33c31652c3e4":"":"5cc0ff9bb7d5b9b2aa06f6ecf669d5bb":"24ac95a6ed2f78853f9ab20f53de47e7f662f72aea454141e2131aace7ed2daeb395bbccdbf004e23ce04ad85909f30151b6526c1ce7934726f99997bbab27055b379e5e43b80ad546e2d1655d1adad4cbe51282643bb4df086deb1b48c1bd3ac3b53c4a406be2687174028ecf7e7976e5c7a11c9a3827813ade32baef9f15ec":104:"9779b7c3ece6c23d5813e243ec":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"19afc43a4481f796d77561f80b5b2e1514c96c5d1d86e64c":"":"d4c06595fefd4a81bbbd4b40c2e1989d":"98fcca51352998d0126b5539e3fb9a238ac31c05954fc206d381909aee70983b6ab99d3f3efe8530a1c3cfe3b62756321b1d0771a5940055eba1e71fa64f29291aa5e5b0af0fcc8e6f5a02688d9e93417225eded791a35217822ffb346d3fa2809b65abe729448316be30cf661137d3c0e49846cb0df598d90eda545afb64a5e":104:"ca82448429106009094c21d70b":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4fc31dcfef6203fdb296cc928c13b7df56bfe6f32583057":"":"6308a78dc8f3c90442dc52196649c38e":"2567d80c253b080c0158102558551445d8ce4d5ddee2014a2be5cbad62e1717a0fd4d2059447c3151192951eb11a4a7b19a952f6ba261c87f10f4c9032028de3cc5a2a573a4e993a690fc8954daa3ec92743e7343e75b646c4fa9cbc3fceb4f5d59bb439c23754c4d9666fbc16c90c0cac91679b6ad1bfe5dcf6bd1a8a67c6b5":96:"9d1603799e2485a03e7b05a0":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c2d9412486c381440213e1588b6bb58b0da53300b9d3089":"":"727ed8846daab874d5a9918b47d016f4":"656430f0c1423018b5e2efbb1e32a5385c1a9a1779c4dbd585dea91edc39ea8752ebfc2d8064251a8a5ae71e1845f24a7e42c6371c2ecb31e2229d5f4923bffc21d4804575a84836f3cf90ec6047bb360b558a41a975ece111b5284dfa2441705a6df54fc66ca6cc1af9163ecc46902fac337d5f67f563fde8e8e7e64b8588b7":96:"05ee6ce13711535864674a5b":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"abf7a97569427225a4bd5143c716a22e62f84c145bb51511":"":"e255088cdfe8ae5c9fea86d74d2f1b7d":"b850993300f54d078f83ceb9aef7345bbf758f92365b6625c210f61dad4f2a2319f51d883a383a706392d3dfca1706eba585a6fac8bd4294c0bb2cb3f6b454d5c97819e8e5c926754840261b07ec4ef1f87cf281d75c187839689944230306e1903047915e086043990745864819ad713d34a244aa4e9d755fdb137105d7eed8":96:"0c9c17388d0610f99d0a093f":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45a6df655e88bc880acff41520aafd0cc8aa8aeb8952fd06":"":"1125e1de94970c9e7be70e58e7626ef4":"fe9838a445b8edef19b3e9f33c8c0c265b3a12c97b8ec57ceb94f65ae5227177de38f1e338dccb2b24e5bd0f0eb8127f83eba0f1ddfa55198789df0cdd1d977fcb985ad9c7d51b96e749d2cf3cc7a1ec4dfcbc641a1a022d55def328e081af890a7e699f2dbafdf506389e045aa1219239d5868ba675a3925602b6fb6f6e6d37":64:"1c3bd1e0d4918e36":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"279f4f2ab4b70778fdb9ca7800cd20e323601d7aa2c75366":"":"0f7b402560735cf03d5da58de5b6c685":"7dd9a8c848bbcf5127161c8a419a436a0dad559f7c1613cdf41594e177016acb1ccf44be852185c42e7120902a42efe83855995ab52cf5c190d499fcfd698c671fd72949dc3ea7ddb874e586a3aa455a021cec7b5f8608462ca66f926aba76e60a5846d4eb204155cd3c1328da51ba35c3007b8bb394f34e3a8b81ddd2ea1115":64:"dab612351f75e2cb":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6716ab937755684af7403e6fba5452c1b11568a9047bb50f":"":"2fd5a446dd564619ef75b6e00905ffe0":"20d261d3192996c21da69e979c26f5f937e6ea4cb7b05c6ef556ce4d86ca0fe85ec2425d274c43b5212fe9d27bb48b04e887461a9f45f524059b87eaea2e287a8d4537f338b0212012a9d4b6610e8c97dd554e0b3c3133e05c14d0ddab3524c93fd527e223b1996b4cff0a4a7438f1d54890bf573cd803941b69e5fc6212c5d2":64:"f1d743b7e1b73af5":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dc94b5bbd6315ad8d2b67f0c683d10cf456f822a3ebb024":"":"6f3eedeb57dcf12bfb3cd80849893c90":"ee1ff367f4b23c156e3dccff84ae4bf2b8ecec1fb5ffd25ccaa93b6c6834389bd79655bd4bac75238eb0f65d3603ecc57c8774798309e85b6677e78ed2077b712cf28795d0dc8fee994f97373a82338ef67c62378136a79a990ecbcd6367445e805efa98f9168826e57cb8dd7e7b1d5c89ad98358646fa56dd2a71c40e0275a1":32:"4dc74971":"":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bbe223e253bf272599e28af6861013ecd0c88710947ed41":"":"4fbf09ffaffb600f0de38fb12315cab5":"5388146f6479f7b3b280f45655a95b847ee27c734fb2fd91f6c009b1ab1810c772c7435d3221069f9490d251b76e740147906ac1db1c209c175b21aa10881c44fb307d4d2900aa3b1d56fb0edb9f2a58505653a17fee350e12755b9656bc65c78c1593d5cb7178e29f82209caf53e60fddf725f6957cc9718bf410c4a0229ed4":32:"fb845ab7":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"461877813acfe6e9979eab729b52e3d192b3236758bb6563":"":"6985cf77b75a47a3978dd6412d59200b":"385551854a89ab37063ba0ed911501b3d632153c5c2992e154c0a334bc36620476f11495437b842409e0954f7352cbf288d158bdbbaf72621ea2ce75b708bc276f796c5aa7fd0071e522c5f175a9e7787deef79f6362101aa3607b4588f2e1df7127f617c6073593a1c792b959e201e4a7a43ea8b1c3af026376439ef629266c":32:"c840d994":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09770f9114120a2c1c3cc416fe0eb8699e07141158a5bdff":"875e2e5b5c02e0a33e71b678aa29c15ce18ec259cf4b41874893ed3112daa56ff2a7475681b8b3d9028ef184d30658e881c908f3588f69899962074db4ddfc0597f8debb66c8388a1bccf0ffe2cf9f078dc1c93f8191f920754442ad4a325985c62de1a57a25de4e9ed5c2fd0f2c8af33f3b140bac12bf60fdb33e0ec557955b":"cff291d2364fc06a3a89e867b0e67e56":"":128:"81f1eb568d0af29680518df7378ba3e8":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4fbf1c785c087ad06b43d4163cf9b9396deffd3712856379":"96a690e5319c94d94923988025307e543f16fd970aec24524cf9808dc62b093359287251503f4231bf52cd1a16a80bfa82d8f585d96855dc1932f4919a92da2618d6448fc18a234f9acb386ab4ab4a9e38ea341e7c54faceff38c162d74e7fabbca13aadb71e9c8ae6072e7bef4073cf08aa7faaa6d639f98d15bad4ed183ced":"1c8f41424acaf009996ceaa815b24ad4":"":128:"9f3c0349c5a4a740a82d6d63bf00fb17":"":"6100b091e52366fb422251d9b68974b6c666a62a8bb77a1ffd7c7d1ae586a6ee763b84dc11aace02a25af91d194b70b3265ec46872fded54275b7ddb26ee1f20c857328f46a694fb1dce68bcaecbd587ece5b505d658d57d50333e30b639eea1f6537b37c175f62497c6c84e3cfddae214285d2d68d90dd5cd8ce2273d25c8ca":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e0ce4fb4fe4bb2fdf97b23084ff5671b9b899624184acef":"df89974b1534f0ba262bbea5efe39d8b72820cc8a720cc99520fedbf667515c3f6d8c3e25c72c48c1cff042171df58421741aacb2a49f23167257be7d7004d56b14901b2075eaca85946e9fbf1bbf4ae98227efc62bf255a25dd0402d37c67ba553531c699dd89ff797e7a5b5b9a9aa51e73ca2dacfda0f814152aa8ed8c79f9":"a950ab0dd84115e3829ab0ad3bbb1193":"":128:"25cfde73e7a29115828dfe1617f8b53e":"":"847b54e176ccc83081cb966efc4b4a3bf7809ce0b4885009f620f61fafcaa78feee91a835ae6c1a942571811108b1e81b4c4ddac46aaff599c14988c9a1fb9f387ab7f1357b581568b7b34e167ac2c8c2b2b8a4df3fd7ad8947a363c1c0cb782ec54b1901e928821cf319669dd77eb37b15c67f13ad787ff74312812731ca3e6":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be3c66b20e5e66ababbfba1b38e5a716eafce23a1767b69":"de1cd978354a499415176f260021abe0a8c5bc34d166f53d20e02e413e1377ce4ef5d7f58337c62251a3b4ddea0dea23c40e5de037fd5dd8a558eb53bffa4e8ce94899afa8284afab503c1a485999a154d23777f9d8a031b7ad5c6d23d6abbe3b775c77876ad50f6bed14ac0b2b88fb19c438e4b7eb03f7d4d3fcca90dd01260":"3a2acf69bba19f5d1d1947af2cfda781":"":120:"f826d212f7c1212fb8a8bf23996826":"":"fd1f7b56e5664cf4c91e58f7c50f6c5e98e42ca2e4adcc00348cee6f662b382ad4022da54a47d8faeb9b76a24dfc4f493c27fc0bc421a4648fad7b14b0df95d8752013feb033b1fd971daa2c9a5df898bece6a3b8fa078dd130071df20a68cd0f394be25dcbb3e85bdfa0df4797fa6f01f5f0da7a6e86320207ddb5b3be53ae0":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d16abb9f5b38d7f5abba9dc36995ce6ce928ed822a07b7c4":"e72f29b1fc1dbfc2d93a0f3b79ea4b9806ce9b2c4d490ac5c0c3c793df9dc7df5471e834b84d18afa5a7516f9a6a813a9b65ae2f083a854730547e28a1f60fe97d8dba1d2d433e11847b9bffd8873ec634e64365530c905dd6f274e45c9795ac127a6f356f63cc6c116c5dd8c628e7e17e1fadc58f8452bf21f53c4133198118":"3cd95429c6de1d327b9eb3c45424a87c":"":120:"13521236f190f78e75c0897c5fb237":"":"cd8bb97c28df092b6783ef653fd26f2bdc27c442bab0a4c7bee2789f389dcd1b280c0231672721bfbbc939a0449557678ec61ba0afb2e5817e6f7d94387f84ecafbfa1216d65e7f5025f47b0d2905cff7c99adf8306a3d9850c5908be05f87cb1d36a4837dba428aac97d7fbc18e3778f8d81a319259504c87fc94bd0766ed93":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc344b1a4078807e5f53a6e7e1e36fa83108473ae2fb4c2":"8bd73f94c71e3765bc7d17fdc90a9ba6aff9648b46300e4048985fbbd7c60c39c3766f7c524780bfc2296dc11e1132134921760a373104edc376eab6e91e9a60a5c4a5972935df12eadae074722bdc0147c3caf6a62fd449ef37d76b65f6d210283c94ac524cf13186e444d80a70b01e4373cc0462546f1caee6b49e738a742c":"bd505fcba464e6e2c58fdf29f5695fb9":"":120:"8510fff71bb879f56ea2fe43f6ff50":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8097398fc21f93eea6a95aa93a3231096817b65520bc549":"80b0abbaebbd537a0810ed75cd172d29d50f5982e4d01f8664ddb2dfda8f57fa0ed87e64a779a1d7f5e568b6acfdc739572a7176752307b430fb1fa1c3c2c346477cebe7d01b16745ca6c8929a7f446c03ad9a9e8a5a935de78ca6c701e8c1c5e6d2550c42949cf5342fb5ef4c6ab9bb02ace8388b16edf72a1237e5d1d0e820":"776248381941e16908f52d19207881f5":"":112:"7fc4388b2f8eab0f0c2d6a08527e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"76d4bb5694faaf344db83bc6d6c47d56bb6ab52700826f2d":"9e31fda6a171f0d4a5f2af2c4f827b1312d9dda5d78fa329b8f1b6373b9b29be358601e5bb0d0c615aef4b9e441c811219f1f2ff2d0ab23e0cd829a88b5b615ee72e5e3ea604fa26cc6438ec4c30e90f7348e9116adf8e8efb7498320d2da16679fa546b1aa9afc7720b074c4e48e06862d41428c9e71a4772c2e195a6f36978":"603977845d82faccb401817ecce6e2fe":"":112:"c955a3bc316841be07e406d289c8":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a3e5020695587984074d78d9c98b8e1a5719e5f88372740e":"c0bfe3b2dc4dad17ec5a7662d86847fb67e582cc0baf469bc9baa7a075d48a8b97521a1072c2798bfbdae5ca3752eda1cb96fe5cf24af989eb77a2948aae3d8b70d83d93f84c49347f788480f34051621c358c03cf8159a70fc72cb8bc02876234ffe76b181da8b22b8796c87b0904da1af46de519c20d8d1b1dc7cc24e39ba5":"4cd56de54e5140a587be7dfd02d3a39e":"":112:"1a29527a41330259f918d99d7509":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"afe986ead799727063958e2ce13ca846f76c51605439f839":"7c1b354a5bb214bd95147e32d81e658705089c38035d0ea423eb1a5c82f97443c6903d2cf1ba7a007eec7c8ff98b8f82b073d9636a79bd47c7f2f639a8eb4e92076f9ed615766f43ac3a4f1687301ed7d507766605e0e332880ae740ab72e861a2cb6dce1df1ff8be1873d25845ee7c665e712c5bbe029a1788634bce122836c":"f85a95ed10b69623162ab68d1098de94":"":104:"3cf1cdb4a4fdc48da78a8b4e81":"":"a7f252ad7983e7083260598051bffd83f40f4d4a8b580cc2388d720a0979dde71549ddcb86b0a62c4964fca591d0982f3a203f2f8884ff4991f17e20f759ea7125ba2bb4d993722f23938994eb2709c850f33ed9889e5a3966f9d7b76add46aedf230e8f417425f9db79ccd46b5660361de7c5d87f71a9d82c491c0c3daaf56c":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2cfaa215841826a977ae6adfdd993346210c49dd04d5d493":"e8eb3b6edd0ca4201b49a6a83036445aba1a1db040f3e74511363bce769760a9914e05a067f555ca15a57c6e02e66fbe4e04dd8c8db8d6d14ebc01cc7d84a20ff0aacb69bb3679d6b7d9d2e07deda7c2d4fe4c584fe1166e78d21dc56b9cdad93709c03b9145b887f87b4f605f24f989d5e0534fc71a58e8a8619ee99f69e5f5":"537a4ee307af3072e745570aaaadce34":"":104:"df01cffbd3978850e07328e6b8":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"128ddc83d2170c403a517615056dceec0d19d6fd7632e738":"cfe9f7797ee37bfc4f564419bf2268c964479efa7435970874154432930f3b2736438da4dc9c76200009651340e23044bc9d200a32acfd4df2e1b98b0bae3e9ff9d6e8181d926d2d03f89768edc35b963d341931ac57d2739b270ce254f042b64ceac4b75223b233602c9a4bdc925967b051440c28805d816abe76fc9d593f5a":"5124b410c43d875eca6ce298c45994a7":"":104:"56ad9c1653f11a41fd649cccd8":"":"cf91f087fd7faf362caacf4a68cff51ec57b3075563e4ad0955df20b366e92bd75c3762cf4a6f0eb859872667a5c55aa5d94f5ac9479b1b9c9345b50f82379d551506a2ab02b0441b14b28b78a12b38500d703a8c19888fe612d4710eec7cd18c16d6a4b55d3c69760e2bed99efc8b551dbe2ac9b9b64715f87180b8e14d1795":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"98581c28983c4da321ce0c419cc0d476d539e77da513c894":"bdef5b65b5111b29e781a6b71a0160179c52b5bccb1ac5c0377b26cf3f61432f3ccd67633a836357c24b5099db0510a7f8110f59e8227cacd11f17ea1798b5d4d68902ca6c6eccd319fef14545edd135078b38d43b61c9af269fc72f7a209ba7897e4c6dbd21bb71d7e93d2d2426ffa1557cae28e74059d3baf06ba419a47b39":"ff10234524433b871202c2cca6acb194":"":96:"984943355a7aef15c4fb8033":"":"808e28bfd441cb8890416a757d252c986daa8d607ac9cadd2f4fd29eddbcf3b859ba298e14a4ccefe2c2752b123f87b98d6708fde48faca4bc7dd818a7ea76cfa4357932e59cb6be0e9283bdfb49454b86b9fd04aa8cdef503c65d13fcff42e9cd8f142f8c06cf7daa6d8ef8b9c9d69c39e8afd980048fecf731fd674b2a814b":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"167b8b6df8014c8f3de912b77f5a0c113580aa42d785298f":"4f787de12ba907a589edf74c8e7a6cdaaabebddd465a86e170e1efc289240298b516fddc43c7fd9bb1c51720a4455db4dd630b59aebaa82bd578eb3cb19f8b23ee6897c1fefaef820430efa6eb7d6ff04de4d8b079605fb520b0d33e96c28f0cd71983c4ce76c0ea62fd7209d21ec7b416881d545824a73d1f9f8d3323fdb90c":"49da91e926091a448d57d521cc90f3c0":"":96:"99198f55f9fa763651bba58e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"71f5f8505fba62f08fa0557dd5407fc83a852c6007ccecc8":"3e19ec02365e450e946123a3362f9859352eb52902a6bcb8a782285dfac9d2b282f56302b60d6e9f53fddd16bbf04976cf4eb84ef3b6583e9dc2f805276a7b7340dec7abde4916fb94b0ed9c9af6d4917b27e44d25f3952d0444cd32a4a574e165a23fa8c93229ceb48345171a4f20d610b5be7d9e40dcf7209128f029fed6bf":"b5efb9feae3de41b5ce9aa75583b8d21":"":96:"9604d031fa43dcd0853e641c":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4cdb38f8185a4186fc983e58a776a6454b92ecf0bffefe98":"1ca72c50a093076e9a9dfa09888b9c89eb36a942072fc536a81713f05a2669b39fdb2871b82ca47dcaf18393ca81dcb499aafcc4ed57ea79f8d4f9bd63540610215b2c65481b294638cec41264a7fdca4230df5fe1e7e3d8d26dcd0c435fec8e9bf778f9e6f13482157a9722761601e08425f6160d3bb626ae39ee1117b0353c":"aef257dd44d14d0bc75f9311ef24e85a":"":64:"d951becb0d55f9fb":"":"2eaa7e922dbd8963e2078aae216636276f3f7cb5d7f35fa759e91bddb6e247a93c388241ba1d0d37040c0b9e447c67d35b4991c1acce97914f3bc22ee50171bc5922299983ee70af79303265bc1ae1e7334202460618b4a8891d1a7eaaac5cac1e4dce024ce662d14849993f89e771fb873644b552120fd346250df39aaaa403":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee8d3aced3aa3cb2166aa66c4a252c12dc0978830d0bc75b":"ee69b2421d43a9f383d99f9802ba4d6cf1c537b42041c86cce681049bb475e5098d4181f1902b0a49c202bf34ef70ea7b787fa685ab8f824fcc27282146d8158925bfef47ccba89aa81c0565eacb087b46b8706c9f886b7edf863701003051d6fb57e45e61d33412591ec818d016eec7dee4254636615a43dacb4f1e6ec35702":"c15c9c0b0b70c7321df044bfde2b15fb":"":64:"c5c9851a6bf686d0":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a8538d609444e3197ab740cd33b66db1cf53600096b94e0":"8c2b8fb775d1b21c41a3dcf48ad6d68ab05be3879f9b94b305a6ce4d799e3a992c1c3a65a3e4eab563edb57424927c90c76e49386e29dd5e7de2800fcc0eefbc8b4f977f71be3754c006ee93dc09b1cfa59c424b6b3987aeb56feefc21004c63e8284b6845e395bc8843cca0917267fb4a8f2db1f7daafe7a9da95083a44de70":"0bd64d222532dae8ab63dc299355bf2a":"":64:"3477cad1fd4098b2":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"447f0f065771b6129952e52206a64fe0844658ed685e39cd":"fea5d227869e527882c63a68a6623f4a699df82b3dc715c7260a5554336df8376744c05ae89ec27d40da02d9f1c5e9e29405579fd4132143cb21cdbe3edfaaab62128ecc28018725c8dd309d2376223d2e2edfea9765699b2630ff5d9fe9bec416c0ca6418b938d195d31a08e4034c49d79e3a249edd65f985230b33c444dd02":"37e3a300542d9caf3975c6429cb8a2e8":"":32:"06bfca29":"":"e1bdd1c212b159b87e41a5f64dcba6b27aa0f5c8871fabfb588df0e06bd7730ec1beb0e3388f96c992a573ff69b34870f83c53fb65b420c1c6f92e2aa6f03917e8203d77c7f5ee08baf9fab12f9d38fc0ffb83807ba781c3dd7b62edca2121f68ef230b42b8adbd4cea072209d02713789ed559b83739a54cfde69e68bdc4128":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f465e95f6fc19fe6968b98319b547104d0c01c17105f8fc0":"2426f108368a00d2a49670a3b64b4f0569c6da9660163e7b209ec3f8d058ee11f7818a8c5030c5f4ce6e1e5a93faa3e5ae3d0bd5d712fbc891cfeb20845707edcf5e29719a5246a3b024fb12d37bd1b81df3812fd50b1dfb3e948ce546dd165cc77f903c07fe32bc7da7fbc25036679017317ce94cd8a00c1bce7379774f1714":"6cba4efc8d4840aa044a92d03d6b4d69":"":32:"92750ac9":"":"2e59b104c1a6f6d651000396adbfa009bf4cf8cbf714da8e4d3b4a62bd7f522d614decf090c7552a4b9e8d7ee457ba642d5100c0c81c14cbba8c8ff49b12827f6ebd41504ccb6dfc97cdf8532d1f7f7e603c609efa72d2ae0dce036ec4ab36849a0c06f8737d9710075a1daaed3867ca0a7e22111c0e7afae91f553b6fd66c6e":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f08e3e9f7b3a20ccdc4d98b56f2b567399a28a6b3908deab":"a986e816f1eafb532c716a555cca1839a1b0523410134ea0426ab309520b339fc1fdeb40478ae76823cee4e03b8d3450e6be92d5ff17b2f78400f0176e6d6a3930bd076a7a3c87c3397dcc0520c6b7b4ff9059ea21e71c91912a74aac2ca70eec422b507cc5c60860bb8baca01eec2a3003970ba84011efe576804b2820e306c":"4f4636d1b283bfa72c82809eb4f12519":"":32:"16c80a62":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87b5372571fb244648053c99405999130f87a7c178052297":"ae078d1554fc6a14447a28c3dd753e790f7ef9b53e35c3e0fe63a7b1b326bc56034847f8a31c2d6358049aae990bfe7575b439db370aa515e225e0ec730488c700a7b0a96a7b8e4e8e4c6afec20decd16fe3c0f3f8d7a6cf7a8711d170829d14c706cceb00e133b8c65c8e08cd984b884662eddd2258ce629abf6b9dd28688c9":"a1cc81b87bd36affe3af50546e361c9e":"684ce23f59632308d7db14f7f6eddaf4d83271fb0c27401b09518a775b36252540f14305f0dae13ff6c0dc565c9e570759e070c8ac73dfb97abd3285689a7cdcfc941f6271be3b418740b42ba4a114421065a785be3dfa944c86af56da8209779e8736e62529c418b507c6d8ae002cbc0431747722afd64521734f99273de455":128:"98177b3428e64bc98631375905c0100f":"":"8be7df33a86b1162464af738de582a357d0ce8e213bba1b7913c0d13ad759d62c3bf4366f5130b3af2b255b7ad530b4977627f9e76b07e360c079d0f763dabbd22e976b98cd5495c6182f95bc963aad4b719446f49d3a448d11cac5bfcba4b675b8e4d88a389e2580e8f383f95bf85c72e698680d2a2bc993c9ee1ce0d1f1ac3":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2d069b826455d5e79e65db4f1d2b6a29ae9f401bc623917":"acd6225dc5b9109d56ea565ab38dd4db432a7ec08f0db04f1c6b691c96d2eaaa6be62da7cc7fd75f931716c7f39705ea7cf828f1a5a325955e9b2c77e7fb2d562be6a89b3351b1b3d1355b43b73ed425049430314c16bf0836ed580e9390a3b8e2a652fddbfa939ca4c3c99765b09db7f30bf2ef88e1aa030e68958722cb0da3":"6d40a0c7813bc0410ff73f19bb5d89c9":"9960376b1898618d98c327c1761959d045488cc6198238bbe72662f276d47b41e8aebc06dbce63da5adcb302a61ade140c72b9cf9f6dfad6ecedd7401c9509fae349d3c7debe35117776227ba167f2b75921d7321d79f4ebca13d20af1638a1567043365f179f4162795fe4fd80b5d832e4ca70e7bf9830bc272b82182f70d2e":128:"010195091d4e1684029e58439039d91e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3252351fe8e7c628c418c1a49709bf1f8e20add82539948":"7e8d2816d280c91d232bad43b6610e2d0532a9f670f221a3a975fb16472c2e83b168115e87a487bcd14b37f075e1faa59c42515c353cdefc728ac617b7d273fa96778e3fb5f7a1132f8e2add4a57015b15d1984338b7862356243d1c5aa628406f4a507498eda12d2f652c55e8e58113ed828783b82505790654f036b610f89a":"eacd2b1c3cf01bf4ea7582d8ee2675d5":"141cb39a2fb8e735e0c97207f1b618a4b98f6b9bf8c44a1c8e9ea575a7759cc2a02301274553e7744408b2c577b4c8c2a00e18f8717fd8a6d2f46a44eeb05d685fbef7edeb4229e7ea9b8e419ffcb504d33583b3ae421c84caeca9f9789047dd7b1810318d3765307233567bc40e003401c9f4e1b07a2a7162889e1a092aedc1":128:"63a310b4f43b421a863fb00fafd7eac4":"":"699c146927ae29025e5b20088b20af27bc75449e4725ee6b7d5dc60b44ba8a06f7d265330c16060fbd6def244630d056c82676be2dc85d891c63d005804085c93ce88f3f57c2d2c0371c31027d0a4a0031e3f473cb373db63d4ff8f65be9ebe74045de813a4e6c688110d000f6b12406881c08085c9348e1f0315038907e33f7":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e462957f2c500bf2d6bfa9af97938fdd8930e360ea4175e7":"82a7a6dd82a5ea3d9a8e9541d854978487eda298b483df02b45c76b8b38bac98ffd969dd160a2765595b19d4ea3e64351ce95764a903f595dd673d13facf5a5594e01be1d60a0c6d28b866a1f93a63a74fecb6d73ac6fb26b20c008b93db53e9dc1d3e3902359fd47734fe22a5c6958f97e9001cc4e8b6484d9542dbbdfcfcdc":"b380584a3f4e0e59add4753c282f2cf7":"682b0af6592eef173e559407e7f56574c069251b92092570cbb7f5a2f05e88bed0af48dcda45b2930b1ee7d5da78dc43ec3598a38593df7c548058eda3c9275c1304489aff95f33a6cd79e724e8d12ca0ae92b20273eb3736efcd50dc49e803ad631dcbf64376a45a687eb4e417aef08a3f5f8230d3f0b266ea732c21ed2eed7":120:"28a43253d8b37795433140641e9ffd":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a62ddd87f41c6df756e8da0985dcd8c91e73ba395b3d79b":"37a83ee6dbdece212446739ea353cb957b9aa409c88bee042bbc3a6e5199aeb28f2b4b00ff433c0c68d6db5a197566019db8a4c7a792e2839a19a302ee02bee046adce04c1fbbd5b0c457d7cbe277992ce2c153d132269e2d1f12b084cf3026a202b4664bc9d11832e9b99c7cc5035dcfde5991dd41aeb4fbf8bec5126a9f524":"1d1843e2118772d76a0244a2c33c60bd":"028b92727b75b14cb8dfeb7a86a7fec50cd5de46aa4a34645754918b8606819d4bf8a2e7531a05ae5505492ca6cbc8c0e6d6ab2dea23bff1fdf581bb780b4a3312aa39639383fd10bcf92489801954733f16b021c2e84809345216f8f28a99773341e40c4a64305a2098eaa39f26a93bd556c97f02090e1a6c181a4e13e17d3a":120:"ab738073228bdf1e8fd4430b5c7d79":"":"e702f1bb9a1f395c74fca0ce9cdf29e7332c14acaca45200cd432a5767be38929ef8de43d0e1a5e7300c1eb669ac1ab997b31cb1403af8451e77e63505920af0f8c3abf5a9450ea47371039ba1cf2d65a14fa5f013b7ce1d175859404dcf6461a36e8bc260e7abf739d8951ddf1a3754e2d65e0aa31320a5ffca822023bc0906":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc46976d38a581a7042a94ea4b5bfe3587ddc65d1162d71e":"4b9e858fc8f01903e426112192d4ae4686b1ae4d683b75afb2b8c63590275943d0d6d6a23b6d35796a2f101203acba107474ca6f4ff6dd87d6b77785ad1d160ef2755d84092dc70c86db5e639b689943b15efa646aff44b3f51f5d3f4cf6c8f7fc5adfe7bf2d72f75b93b8ee94ef3fa69ea0fc0bb77b3983901fdcd30bcd36f5":"b5e92563dd0339df00b7ffa2239d21bc":"7b6f6e104acbcd7188161477d8e425ff99add22df4d22de7f28d0a0075ca4ef848f68d07ed22d3165c08e40890ce04d1bd05b1a6ccb2fec8193d5f7dffc93d97a0c036b3748f708b011b68247a0249b9e1a60b652164e5c2fd7210377de804ac010c8aa08a11f40af97e8370a59f936cd14c22ea7a236d904145adc04a241fc0":120:"d4356cb417953b01f7b1110c8aa3eb":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"403e49feadd4db763652ed5c4b1e12680cfe0abc30f4696d":"221c61d769febce3913bfead9a201a805f11005ddcac185cbae00ce749de9c4362889b1b0d9546e91598e0ddedb88b673a90acca65d7e71a85636be052f361839a646dc8b834c02f3e2261d370e6bac9636b7536225b5ea77881200c8a3450d21bfd1e11afb3a470e178ecfe944a25a7cd0254e04a42b67723aac8afffd56fee":"1a60258a56e15f92814b4d372255a80d":"a4ffa9e3c612103224c86515dad4343cbca7a7daf277f5828670834f4d9af67b9a935c71b2130dfbc929c4409bffb7974ffa87523b58890770439c33342880b33319c626bf776c1c0aeb9c2a348a7681572f4ff711d94c192f3450e8b1275f9d02c742a2c9f1da316e9918bf787f22699172986cb9b10fc56d5f6b8392ff92b8":112:"62646fc8bfe38b3ba6d62f9011e3":"":"5c76c90dea7d659804ad873960906259fbdda3614277ec575d9eec730e747a2e7b9df6716b4c38d3451e319eeecee74d1f4918266fc9239de87080f1ad437b47c6904ed2d5514161ad25e3e237655e00e53fe18d452576580e89b2f1f0f6aa7e40a337fd8c48d690fe013a67264a80e9b5dfd009a9152d559aa02a68f401a09b":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3471259512d1f03ce44c1ddac186e9a56c1434a6ac567c6":"dd5b98b3b3cf03fb92be579068a885afd984630692eb5f155fa6b49f2b1690b803d34b90e8de3cc39c2e61650ffffb51e7ef36d35ad17dc4d91f336363b0734996b162b509c9954cab3dd959bde7e437e9100d84c44104c61e29dbe12492a0272ce6eea2906d390de7808d337e8c650b3301af04a9ed52ab9ea208f3c7439d6c":"50164c63d466148ab371376d5c2b6b72":"11d1f523888bea1fbc680d34bc9b66957d651efa59e788db3d3f6f50e72184b9d14e9ff9bc05fb687520cf423d681812e007025eedf0e78e7e8191e6b62404e8eb400cf837d762a31aa248553367263d6de091fcf7abedc3e69fc118b7efb0594c89b96c387b7c28ed9a7b75db60b6b5133949b891ff81eca5790a265f12a58c":112:"6c5f38232e8a43871ab72a3419ad":"":"50438ee712720abf2089331e4c058b30c30c3d17834c507c0010ac3f974a256d01b14a45e9ce5193c5cede41330cf31e1a07a1f5e3ceca515cc971bfda0fbe0b823450efc30563e8ed941b0350f146ec75cd31a2c7e1e469c2dd860c0fd5b286219018d4fbacda164a40d2980aa3a27aa95f8b8e2cd8e2f5f20d79a22c3ff028":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec326a1e0fe6a99421398df4fc7d8fea67b67e5f5fcd50ad":"6d5016c434a0f4b4a5d9e0b6b8e2d848a94f132f055d2d847e54601a4c9cfc5966a654d696f8a3529a48a90b491ea0d31c08eae8ef364f71f8ec7ae7f7e39bb9c331137b2578362ff165628099944ba8deb0d99ac660d5ed2215b9a7626ff1fa6173cd8dd676c988d16c9cf750a0d793f584c3c8f5fd5d167bc278f4d77a629c":"c94aa4baa840a044dbd5942787a0c951":"f8401c578f20d9c250ea86eb945184e007a0190462c7abddf238ce1ceddcc230756aa222386d8ba66ebbba13de008ced140896ac55bc47c231cc81370ca9feadc225e017d59890e6291cc4cca27db3078c0cd6cbb51afb62210226a76837c5454728cb5ce3afe7352e7fe75421f94986e6b7b26321bbca15c75ac7c13dc15f50":112:"3269922affb9d767f5abe041cc8e":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a7ef81652f604e88a72416924c53979dc73cadd3575eda1c":"9ecd19a8eba9fba843486e1bbfb8d9053c5e04b24e30174d4aa89d8307439d653f8630edddafd51719c744bcb4bce3e444847567bd2cdde2995870d0634cc0ba2bde4b6bc2bc583062fb83874a1c25b50aeb945bd109a151772c077438c4d1caaeb5b0c56390ac23c6d117f3a00fd616306fc2ffc4c1e76f934b30fbbc52eec2":"0cc9ae54c9a85f3e9325c5f3658ab3b2":"d0195b744351aa25a57a99df9573dfa3cebe9850139149b64f7e4af37756a430dda8af98e4ed480e913aa82821c01c1f75b187e105a8f39621757d522c083a8d81d7d8bfe6cf15c439d0692b6affd655a11bcd2457046fae996a1075c66029867b88cd23c503ae04037dd41f27bafd5000d1f516002f9fcc0f2500e8c1b27de0":104:"22c2efeddfd5d9cb528861c4eb":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"605271a41e263c92dc14fe9df5203e79d58cc2d1289dc361":"2bda3448a283ecba31e0299c0a9e44628cb2b41fa7b1a41107e107cabc381083bdbe048f2804568fdd5fe016f4d607f694042a459ba03a2deda4cccc8cbe4612d8ed0d4575e48bc9f59843369dbe2af6d048e65ff4250e1eef61d7b1b378fe2f3305b133ddc7e37d95ca6de89a971730fc80da943a767ff137707a8d8a24329c":"7f128092a777fc503adc7f6b85eb2006":"aef9f984fb645e08d5f0aa07a31c114d2f8e9eca047e4a8d5471378cfc2ced1159dc093d174788e58447a854be58942ed9a3fd45f3f4a1af7351e087369a267797c525f134e79709097e733b9003b9be0c569fc70ee3462b815b6410e19954ce2efac121300c06fd9e00542a9c6a5a682fe1010c145acbbb8b82333bdb5ddfd9":104:"673afea592b2ce16bd058469f1":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa076f36cb678e2275561e9553ebdf397360e5a5e44791c4":"513305e86c0cb046c5d3720b25a406392766bd1fb7de2758de370ff2e68281e211922890c61f3659460f22c45a57895b424441262a3ba0606df4e2701f38281fd3436a4d0e0f8efecd231808a9ea063dfb725015a91f27cadfe7909a0ee109eac391ac807afed1767ae0515b9c1b51ae9a48b38fe7fec7fe0ddee562c945e5ae":"1ecd53d94fe287047ff184e8b9b71a26":"5ff25f7bac5f76f533f9edffdfd2b2991d7fc4cd5a0452a1031da6094cd498297fb2a05ae8db71cb3451e4ac33a01172619035a9621d2d54f812ef5343e14b9dedc93838e4cf30e223d215b4d2476ea961a17ac7295069f25b2a12d6e2efe76d91f45632c6d4e61ff19a95d5ae36af960d95050ce98b5791df0b7e322411c884":104:"079e8db9c3e6eddb0335b1cf64":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce9dafa0e7e53a8766fc0bc38fba807d04e14e5ed61bc234":"b585b8bf634757dac015f2f69f2ae674372a664f2115ad2d03bd3e0c335306b02d0947d3cda5991f5c0c25f12ead2c3cc2d65d575fd67091c70bc93ddb4b1e21f7b0fc6e6ae652dea93a6564ff13489f927942e64dd94bf8f821c7ffdef16df58bd8306a957821ac256da6f19c9d96e48eee87f88acb83bae05d693b70b9337b":"fd0751af49814ee98b2b0cdf730adaa6":"1cba488a0fc8a012f9a336cc7b01cbcc504178eeb08237dbedbc6c7ac68fdf3a6742751a207e43d43068abf6ef4e12a5e3c17e5a2f9398fc04ced67377cbb858fd6020fad675a880adb249e4aba94b96efa515d1cdf5c0c3071a27a3245968867ea94b2bfc2028a67be34c84c3f475944497aa8ca1ab009f8e4b11c8308c1996":96:"e5dc92f4ad4000e9b62fb637":"":"95f4324b0656bef19eca5570548fc6a7a9923f4e2a7e42066891bc132fd73bc1c9089755d996756de0072824e69c43f2db8ba2bf6f90d3c4eafc0721ceaccce1af896f9fb15fb19c4746979b6d945f593fad61d550f81d12b5945ed728c02931d7f8d917285c22a3af748d75a6bf163fddd84b941d8564c1a63192c816ad6d6d":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a328554fed68dc4838fbc89fd162c99ec105b36651abbc9":"75986f56972c045c850ed68aeb229f203b228fdfc36cad6b16d9bd12037c48700d20d8062a983ffeca76b8d36a67ef51bc8853706e83a34e4e23ff4f4a4eb943f19dbe85e454043d7906be6587a85079f9ccd27962d2905117d2dbeaf725d6ffe87bef52b2138da153ef29b18065b3342b3f9d07837d57b8bc5f2597de06c54f":"e4f7c69a1d026eeebfc45e77bd7b3538":"e349dcedb0bfcc771c820f0d510b80cef32ae3326484e25aa183015941e7844bc46f617d5e61fd64fa71759e90fcb72ae220bcd507f0fb389b689dd3fa29b3b937eded85f26ada9e0f3f5109f82fef47c7eba7313049750ad17969e7550c0d4093ed18ee27843d082bcee8bf3fc7833d569b7723998595a5a1d871089fd238da":96:"8e8320912fff628f47e92430":"":"a1ed65cfc7e1aeccd0531bce1dc749c7aa84451ec0f29856f12f22c4105888c7d62e2e2fc8ad7a62748610b16e57490f061ad063c88800037d7244ee59e109d445205280473390336d7b6089f3a78218447b1b2398c4d0b3aac8b57a35891ad60dc1b69ad75e2e86248ceac7bb4cf3caade4a896e5ee8c76893ef990f6f65266":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e7f6feb4022312de5c804ed1d7a37580d74499107f8cc8b":"4f5bbdf575ab8f778549f749f2265e17dc7225713e73ee6d7be163ff7071557dcc2240b0705c079008605f81396414ac64f06b1b637876e04c3fca8d0fa576cef4dd3dc553fd6808eaf120f837f9bb1d9dbbd5cf67ed497167fc7db89d3a84151b81aeab0e921057f121583df5ed7f976b206ece17a913f23485385f64c462a8":"6ce13485ffbc80567b02dd542344d7ef":"c6804a2bd8c34de14fe485c8b7caa2564adaf9fcbb754bd2cc1d88ba9183f13d110c762a3c5d2afc0fbc80aedcb91e45efe43d9320075420ee85ab22505f20e77fa4624b0387346c1bd944e9cd54055b5135c7fc92e85390ecf45a7091136b47e3d68d9076594cfad36c36047538e652178c375a2fe59a246a79784577860189":96:"974bd0c4a8cac1563a0e0ce0":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"46d6e982feff0e7d04a84384c56739b69626dde500e4b7fb":"a5160fb2d397b55a7eba02df33a042404188f02f4492d46f4edc03fc67723d64f5f7fed3a60728438703c60454a30f473ac918ffc8f98be5c5e9779ee984415e415ce3c71f9acc3f808d215be58535d3144cebe7982b9b527edbe41446161094d6fc74dec2e0a1c644bbc2cf5779a22bd4117a7edb11d13e35e95feeb418d3f0":"71a6d1e022a6bdff6460c674fb0cf048":"67a8455c7d3fbfdba3c5ec5f40e0be935fbb9417e805771832ffad06ba38a61b8377997af1f586dc0fa1e3da0b39facd520db1f0ec2bdf1904a3a897f0b507c901fab30a85de51effa9f7d4703ceeb2ca72abe0bd146ba0bd3ffdee11628310db7d65ea1343b018084ea2414995f86fefb45ba91a9dc2236d92078b4305671b5":64:"84f1efd34ff84e83":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"991dcaa2e8fdad2b4e6e462a3c06c96067ef5e9fb133496a":"9cd0c27f0c2011c1ab947400d28516c7f46d22a409a18fd35c1babf693b8030dfd7822d9ba03bb8fd56a00f9c7149c056640dde690889d2f23978eeeb28ccc26e2fc251220a3682c963f5580c654c1a6736cccb1b8ed104ec7390021d244bd9f92abde89e39a4b83eff8211c8a6259bd6ac2af1da7dfb8cf1355238056c60381":"978913d2c822ba7cc758041d5ee46759":"5a94dc81af011a8af263318b60215b9752292b194b89f6fc013b0fe8e29133de631d981862f2c131ee34905bd93caffc3b8f91aeb0264b27a509e5c6a41ae781209f8c5895d0d35b3c5e1ae34a1a92a2b979e0e62132051394940ea4d9bfffb8d89ba1e8331b15bdf05c41db83a57745a4a651a757cc8648acdcf850a2f25367":64:"15d456da7645abf2":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f29cff00781f5916930f125489c87d21f6593324d1506f65":"a3e8595747b7147d471ac4fe38014bf4a409931e3f419ff88ae249ba7a7f51bd0ede371bf153bab4b28020b7a82a8ca30b75f1e3bcfee3c13db813cbc85138ef05874dedb14a6e5b6d06d7589a83bd5e052dc64433a8e24c1188b9470ddb2536d13b4b7bff0c5afcfaa9aa0157c3aae3b1774df2df14f965d6dee4332edba67e":"50db7ee25a9f815c784236f908bfd7f2":"ec1482e18692bcd6894a364c4a6abb9c3b9818bb17e5e1fc9ec0b41702c423f3a60907e94c888fad8e78f51e1f724b39969ba7b11d31b503504b304d5c4b4cbd42634f4ec5080a9fe51c82e121ae191270dd2c307af84c82d892d982413a50ccce33698054f761a3fa93da9a1fca321296b378a50d458ba78e57a70da4676150":64:"a1e19ef2f0d4b9f1":"":"eea18261a4de31d8619e77005ebbb3998c5dcfac2bc120ae465e29d6b4c46de7e6c044c8b148ffe4eda7629c243df8af4e7ceb512d5751a3ee58defb0690b6f26b51086dedfde38748f6f0bbe6b495f4304373188e5d2dc93461bd51bf720149a7d3aa543623b122b9af0123b2cdc9020136b041a49498ec4aa696c2d3c46d06":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2087e14092dad6df8996715cb1cfca90094f030328080ffd":"6d039513061980fb195bdf2f7c7079ca4b7e0fdd50d948cbfab5ba10b99e3aea27f08abd000c428851de82cacb0d64c146cd9567e9d55b89819876d6a635bd68bcaf47ffa41e02d9ee97f5a2363bfe6131ae7a21ea5130ae953a64d57d6cbfd45260c5f1946388d445ce97d23ab7ba31a5069a4896bc940a71de32bde02bc18d":"d30504afb6f8b6ac444b4a76115d79d1":"d95845d268c8d8f9135d310c39e30f55f83ef7ffee69e6ba1f80d08e92ed473b5ac12cc8f7a872bfc8b325e6b8e374609c90beaf52d975f71caeef5ee4c13de08dce80d358ee1cd091faea209a24e3392adcfe01aeb2b2e1738bc75d4a9b7cd31df7f878141cf278d150f6faa83fb3a2fd1225542a39c900606c602f15c06a4f":32:"5412f25c":"":"1e81a4c10a3440d0002ddc1bfa42ebb08e504fcc8f0497915c51b6f5f75fee3f0cd3e9c5a81ff6528e0fecd68a36192114f17fa1a4cfe21918dac46e3ba1383c2678c7a6889a980024ee2a21bcf737f7723b5735e1ebe78996f7c7eace2802ebb8284216867d73b53a370a57d5b587d070a96db34b5b4f5afe7f39830498c112":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3fc76d627c775de2f789279dc7b67979a9f1cc23c8dcabc9":"92a60d38fc687b92d44635aafee416a142d11a025680e5aa42e9ba5aa010462991ad3dd7328ca4a693673410f9bba37f05a551b949ab0d43fc61ef3b8996dd3fc1b325e66eec6cc61ea667500f82a83e699756a139d14be6ca9747ed38cd9b1d9da032ece311331bdcd698666ddc970b8be2b746ec55fe60e65d7ae47c6f853c":"8f6fd53eb97e12dcd4d40f2843e25365":"e56995df73e52606a11de9df6c7bfb0ef93b86bf6766e319aea59372060294b0e1b13c6288c2310a4bef725a2dddb174f3e1228649861757903c4497a0eec9c141454fc75f101439a2150e368857c4f0f6e5161c42c77f632bf1c229a52595cbf16e9018de9a8f6a1e6b8b18bd244f93f001eb2eb315405d223c0d27ece9d4d9":32:"613ba486":"FAIL":"":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"e3dc64e3c02731fe6e6ec0e899183018da347bf8bd476aa7746d7a7729d83a95f64bb732ba987468d0cede154e28169f7bafa36559200795037ee38279e0e4ca40f9cfa85aa0c8035df9649345c8fdffd1c31528b485dfe443c1923180cc8fae5196d16f822be4ad07e3f1234e1d218e7c8fb37a0e4480dc6717c9c09ff5c45f":"ca362e615024a1fe11286668646cc1de":"237d95d86a5ad46035870f576a1757eded636c7234d5ed0f8039f6f59f1333cc31cb893170d1baa98bd4e79576de920120ead0fdecfb343edbc2fcc556540a91607388a05d43bdb8b55f1327552feed3b620614dfcccb2b342083896cbc81dc9670b761add998913ca813163708a45974e6d7b56dfd0511a72eb879f239d6a6d":32:"28d730ea":"":"dafde27aa8b3076bfa16ab1d89207d339c4997f8a756cc3eb62c0b023976de808ab640ba4467f2b2ea83d238861229c73387594cd43770386512ea595a70888b4c38863472279e06b923e7cf32438199b3e054ac4bc21baa8df39ddaa207ebb17fa4cad6e83ea58c3a92ec74e6e01b0a8979af145dd31d5df29750bb91b42d45":0
AES-GCM Bad IV (AES-192,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes192_en.data b/tests/suites/test_suite_gcm.aes192_en.data
index a3ebd1f..87bb611 100644
--- a/tests/suites/test_suite_gcm.aes192_en.data
+++ b/tests/suites/test_suite_gcm.aes192_en.data
@@ -1,679 +1,679 @@
AES-GCM NIST Validation (AES-192,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f8022b8988383d5cfd7d9e0e208146e7868d3d714fe85744":"":"5fccd8cb551cfc9c20998da4cb981d49":"":"":128:"1b5c6c9a28f5edfa4cf99176b0f14077":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a7d4456b8e16b82283b677bd8c4b1f56dc7f153b5cfa746f":"":"081de4a3f71f5d6fdf7801ff6c667f7d":"":"":128:"90c2729c5ba04f8f5c73726c910640aa":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5779b60b536b096c9348cd8dafb3451280791e319b7198c2":"":"62f8e195bc79957ca8ce99a88ded1a02":"":"":128:"699d71bb63c668b533c357662f861513":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"966cfb078f695c8ad84ede2fb96fb89488fa271dd3b50346":"":"4a7b709d45745d94c5433b01fc9d57fb":"":"":120:"4a9bd213420629a5f6e471650060e0":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cc69ed684af2c2bd2b3e2d2f9faf98acf8071a686c31e8e3":"":"0bd4197e5ab294ab7ab1e6ec75db2ac0":"":"":120:"6632b618b4cab963dd671fd53d2075":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"99deafc5ec6155043b53a86d466c2b652d59b7274bb844ef":"":"09d18e85e5ed38f51e04a724faf33a0e":"":"":120:"90bfade2f07f38b2192e24689b61cb":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5c0c706a1fd48005e0fd0ed91b4d9f0028c500dccb28ca73":"":"595716e15498454577d3581e94f5c77e":"":"":112:"8b10eacb1f127f4c58cbb8c3516c":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ae8e125507ea16d5282fe8bac42d3cb4908b717f345e6a38":"":"0a7f64edb8cd8052fcd5b92e20c0bc2d":"":"":112:"467a2c0ba1d24c414f758200b8a4":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"02176a5a5d8cb8f5ccee3f66a22181765ce730751c135198":"":"c19ed1f52f5ebbcf89ab1907b9ebc7f7":"":"":112:"6525beb5856d6f29105777e31457":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4434d6bce3a33551733d7afe8cd477a79be8eeac19bc0a05":"":"b0eafdf326886eaacb750dcf2c104abe":"":"":104:"ab9f7923a3b9228cb9ecd7f907":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"39994c2520a6196cc3f3e8c6e4833286ce37399e0379563b":"":"dbf9c40266d95191d70739e932cd8572":"":"":104:"b29acaf5addd6b379315535375":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1f27d054114a264b37ee1821a077773750cc79d28594f506":"":"6739d43092620f44b57e65035ce14565":"":"":104:"25e0434a3660704eee4bb82962":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0e97d15f4992a6354e43944fd346da65ac1f0f1229189442":"":"32a64e826b500d7e85f4c42a784f7c19":"":"":96:"da8f3e0a6f156ec260aa34fd":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"27504fc47a9e9a85eaded3782cb5b088359ea1c0abbf2730":"":"c55c8dc3d6d2970c81659f2f87bf849d":"":"":96:"113e637538de291e2463abcf":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d5fc67f73de736768e5c64c37459c5eec3d27f7e337c346c":"":"2691432d3935d4ea8cb8f7c17bef3558":"":"":96:"c0af76d6f62430106ca54928":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f28292ee2c54119511a67db0d2317433abaeccabfdd5d1f1":"":"cf9331a1bb3851b2fc3aeed2d1a33eb8":"":"":64:"8e14b869a95eb12e":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2042f9244079736291ba7fe1f030cba99672a97ce361dc14":"":"aadfa619bafb21b5c738b65d632bb8b2":"":"":64:"ad6f52f25aea1c55":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d9b4eb00ac03fabb5304ac38414f7782cb0186436a4b9036":"":"809939260117b759d8dac1a69c27c12a":"":"":64:"1f7d0b3104aae50b":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b5128f4cf91d53b3a50e9b76b0b27da33cbd4b9349d89413":"":"644909f5fbcd61d850e43fbef1fb454f":"":"":32:"2ddbf709":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3ac7ab2ade7a8e397d66be6dc7671f19cd39ad65490f1712":"":"d152359d765f41dd9cabf5c8f37cfd8a":"":"":32:"a6e4e30d":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f9c2de7e3c74b7e318413a32892d4fd070de9882158bbc82":"":"63410c83fa363a63fa78303b9994b6c6":"":"":32:"49c514ac":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"66ebdc2332276784a69b6bb137161210bac9f1d6a36d6a4c":"":"647f41b60c6a579086ba8854d043495c":"da26eebd04c27bbe7fa7b54b87d3b7227f056dd9c085fabfcb59ec665a257c6de68fd2c1c51aad5e6188e02a56f70aac49ba489802247ca327de57ea3cfa87e72cae7dd82b50341a2133b03cd0027216fcd94cf43ec8a48e1c04145b597924b37f7977db3ff23b8edc913357037d0fe02afe2bba6b91e27554edbfb77f51cc41":"":128:"420b320c2d616a0b11a7605a84f88e26":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"26b04d8427582b04318fefebac2a2298ec3ce61146f39a35":"":"99f3449c8538414e7ab595b92a7e6e10":"edfc2aa8ed91cfc0e117fc9e2d1bfe843c7cf365a2b6cabd4259686cd7aede9c7453623967a30ffbd52b30fc205208bb346ffc70584478f5f39a79d4971ed71cc3dd0200a89aef6aecda0a1f3a4bf2929b7b9e141be0ddd3671f727e5e793ef085f52ecb77a266b9a02a2c700b63d8c43da0b569510285e98b530abcdbf7739d":"":128:"091cfc38b248460eafb181ab58634a39":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"82c8197e6641d0832639e2b1d7691fbac79618b2f5db45bf":"":"69e1a3e5eed54bedc941646e3ad25a6c":"d0fcb4f4d764efc0fb52c8108e61b67a1386f1a13c1761941cc9a28c6ad15e78474cd2a65ae9475d70d9c845f14bf4d2bd2bc46c29e507a347391829e0f24495b026f681c387b3e6aec8acfa5ecaf4c3cfe796c22469478ee6744cf04a22e6aec82489f53109551f58cc6602933d1780b8b45b933f76a94ef652a8ce8bac2cc6":"":128:"8e74343ae8cf1cdda4969c1a94aab5cc":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1a349ba960b2c8f49b7e5314911ba8de358f2e74ceddf126":"":"f5998a62ec507c5fe5b280f9c57ac626":"78445eceecf2e6d2ecf2589fd24e854bed3aecc63aef934aec9aea93dca95d58629002a4ba91e9bf6d12e13f0a844977b3c2700645281db5de381adbccd34a84346a99f34889bd46c75b1956e21aa9f87684af55d7fd0de6da07e856d9b791c0a45e9e37881092f6040a9ae9d87757142d3c9c7fc6f25db0e5b5d377865ec4da":"":120:"4d7eab0a3719fa53e552b9e5a85bdd":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"019af03d23342f7916e329b6843161e566aa859402cb07ff":"":"c5fd96765fcf6d51e23ac6d206744af0":"f9808af3403051a52b6652df03b6b37d90a471bc242c436cab6ba699139eaad16847665093798731b9969709287199233c5e77351c5e42b15453b4171237a6d16aee63773c8c0d736b3a8bf38ccf922e561c456682fbc2c7161da3b89526d9de222351bbd04ecd4e8680f26d70fe57d577ea287b199be1bbb8b76328ddee3d33":"":120:"fd36fafe4f5571fafb6ece59b77381":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fab39ad2946b2a343d76b1ccc1939cce7ae3cd7b6ea187bc":"":"247bc71446489dd3495c4dee8a071c76":"cb2c06fa5aa54ad079741afc56dbed79061a02045b6c099d0ae2d7883b78c5fe09636cc8a5dbba0c0c76ebfdb81217526afbbe04fa4b2b78f3357025930b0f9488369bf3aa088a2107bfb6c4ba714f1c26d0380d647ada5852d2c539300a4779295412b202c3cb977a7b94c24c4dd2a891a2035f388257b84e5b31bdc895f062":"":120:"65e1aad214f49881a067d8b372ab6d":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"57b52697f72ae2df6354410a69dc3c5f28b31e6617bd78c1":"":"0d96720526491d196eca66457e3c9e71":"cbdfdb3cc73aed4297ff9aba76dd8ca4d8efe11b0f521fd7170f07461c7885252874b2ff8fd05a3943ecdc824ffcef0396980ebbddc0a53c6c99086c14fc806d90d35347d45e556e9a55ecc3a9fd74c8e5dbd19ed8b452eaeb673818ddc0695f56ddf3b139a3df378fcfe5b6ccfa358f5a5bcd1550f1d9d5f325f15f9dcd007f":"":112:"f0c49960e60fb63edbb50bfebd98":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7bf69ed06271107e11fdf016edc4aafb0e2d2ac05bdbc46f":"":"50e65aa338cfe856c80cbe1331b46abd":"a7cab4e1e56f4b9fccca08d3791560e4b6c7ceb40a10adec0536861c5c46fc3fd06c0a8eb32c9f18c40463b0f06cd0053e615dfd7caeb2b353b08ad6da1f8a23ebddf16524d2eaed70d4d7e565412dcc9598df7e107beb464b103cd8de9301cafe8b0420f0c156025d72b73d6e015ed2312535d35899aed73aa54374674d7f02":"":112:"d7fb9d78fede77981948eb013ea1":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"caa781bbed41d7a1c56d47673f74d4310a3bf8b1275031d6":"":"7795dc04261d9433367f51c3b87bf18d":"f44d77bd541e02a737c693ff3ea0adc091fff1966a593524e68954a2d7d66a48199366a5a600331cf392965b5ebedbf949203975fa9db53b72586615975e8a7b84e0633c6cf69caf482dd72b26b0a5687ec71667e7f6e5abea89c3d69d2dc42a242ef959e4039ba5b2d22a3e48424a431a77e816604769d13b7f892e2b33fcd2":"":112:"386930ced9a46097c0d1f6e65c62":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1b268de4ff644cfa4361f8014656d5d4decbcf9cede8605c":"":"4009bb00afad026cbad117c6047f4ed8":"140c5a93293598fab85b3948b53e0ba15438a0b948e91041a13104f0ad263c8a10613e20e87ef261999a54d469ba6f1abe56ec3979623df8520a0476801987c15410ec24f5a9be72acfca71e8c5904e2ea5f8b22b8cf404b9fd533aa37e33b3d4cf91599cbb3b85ecda4aebaa27ac0365df8312c399ba1767c47fe0923f2c53e":"":104:"af36bcee7561cd7d0861085d55":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c2843bd689ccbba60ce961b7dd50619a59234dad97567e39":"":"55a68cbaa5755d8c67bf26f03c5863c6":"d7980ab86ceb9b66ab265b68e078deddf7ba084b8967c3227839e8f31cdcfbbffa004953f3582ea9274dcf46e3ad7e7744a576dec37e0cb36fced2b2c2fcf4328f506302f5741e696ce25c49492e33c6a0c8aed5af03cdc1a266352623c6a52a555ce906f684bfd597b5e37f60b5175a981088b9d8b8b5493e4fc1bfeca64f95":"":104:"66cccb7d28d3fa70bce2900a84":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f451c5edf9849a390486dfecad437cb809c33d31f6898ba0":"":"9e2dd52c04651ceea88caf4adfb2e8ee":"87b804d4a81dc203d67a92b4fdeab959c2056dcedb28d29f216f9172817bcfb3d2256bc1c8aac23feb22b71f1fd02ea28cdf91785931750ba4865d672345b5001b1aade4f6acc7edb03758d2540e6472aff50ab3ea61a0b9ff37ff7a87b91013b14867c3e43cb097a923e6d8ddb1f52e4bd940b60d500a4e35bfa91935065f26":"":104:"e192a49f5f2b22fa39dcfa54c8":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bd02ff8cb540ba572af3431597bdf3f23e61665f96a19b4f":"":"7198af3f594a4f0597f45fb592edef50":"ef06de48bd34f362fdb425c6e35e37d0dfa1ea874df7d201b6a1c25b736c96e3cc8ed0915807fb7ed759482ca701d28c08cbf955be244bf887df37394d1ca4d2e7eace0dc61c807b714f3161f9d7f554c9f87ad674849c136108cfd8f777997656489d3e993aad4a51b68616083876832b3085a5f8f154b83ea44702c70f2980":"":96:"43298281cd27a36e5cbac4b9":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9ecab4a4a9dda43477c993d6388387443c66ac253071c504":"":"9523b2722b927dc3afcc5f7dab2bf033":"fb84e38a84225c8ebb307df88325d020a5853bb05ac7a75ee38552c40c302d263181081b05918775cf9cd6905b9982b2ae9ef7993f28fd8714e878c9a4a8101c08e9f13581dcf4f16dabfcb9d3c471c0056805f51e67e9b75572639c3d6ce62d2f8abd64e1e66ffb292360c20155e4d528374a5a22d845340d6f1ac68d33040e":"":96:"696bb674e43cdc7d69346555":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"733df8c42cc2e70ac195615d4911ffbecbe2712230c5c292":"":"f76135eab5d42e82aedff3090a1ba606":"0c8aea747cacf2f0fdfaf368cf32b12dc49f5da9a29bee380d2d64035b73efb56fef13aa20c0b612d9615cefb94f26978fa0b371a47dd20051a1605b9f5e133b52dc514577c53319c9e2bd4ac7cdf37d56a9e715e27860a09d86cc21d0b9f0f302f6acf06f2ff00cc6c878dacb8bde51082f701314de7efd36a246f80f8a8fb6":"":96:"82e6d0c076c7d8ac0839fe18":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ba33c24c41bf9836607b6dd05e66a3d16298c897dd1d70ae":"":"4b30423df6de76dd684274afbea089d8":"71f5f6ee7bbd774fa691a3d7e0f694a6c8dfe8aaf9cd720e163ef6d5cd949c798f9e9c993adb6d64e7220aa0f17331bfa9a43b659be101726a80e5529e827c3e4b05cfb4d78db9952e58eebe64dfbc0d1baf20e7e48902215277a49ee953108526a70ee150eda85e6a0e49955f8c6323766ae10e13ecfdbe4815f4bb4ba43786":"":64:"73e80018235ded70":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1711553980e3fc5c14c98611ddbdf426463f82c66df83a70":"":"3396bd96b83ba611ed22e12e8a5ec911":"9506f34c90611acd6ecea385a782a5739f88b4fd13b77570c4d7e0617283e7b21568e32c42ada1cf6aca1a2e2ba184d4101306ff21c9d03e0ffda4854773c26a88a5173d52960286c18753df17361bb7046d2884ee600f58775304f49cf4e782ac70cb00b3d9c345cfcb38e3880743034640bbcae83112543cd1622ebaedb221":"":64:"5d51a0868a2161a5":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5d69dbec7ebe80f2b5b8f61fdff1f4413f5f6624010fb795":"":"a2eb3ba50dd93fa375cf682db7b2bc7b":"a0f9c0de86b54d3c176ece3305463237e1f70be3c52e2ab1c773a9d27d6fc5dadf61ce7a3d10dba8730d12c306fca8952403983bf242fc1b6efaaa153ca446a07d16a70af4cb1aa4d4c0c93d646dc3a5630f5a610aa9e6eeb873f9a06d3234642bc86b03c596235ec03019e762458abe17d37409a18ca5b7e0e0088391dd3acb":"":64:"1a827855ee98d679":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7aa732879f290aa442217212156920c69457b8ec41eab153":"":"cb593221c59846dc82fc0d0cd04af3f0":"15d7ebf94985c34b72b6675d7346f0b05bdb8fd3a278555939d2999028e4179e69352d398a5dd0e5b370bdd9cbd24d576b89709c98b6142f71f5b1ba224222afb67599fc58fe043d1a91d7ea95b56dbd086db8e3a061b1bfc6e82dc9ac728174fd3669d65db62a06380a5f72c3d091b7a1b6998041d5501e9fba8bf91a7d278c":"":32:"55b86d22":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"961a3e78f6a75944455f9d9d0345e08f4669972f3d5c202c":"":"ce43a19ac648e62ddc49d243fb34e29f":"393736558133078a0367b8248bc18c8352f92a9212e90318a5b63ad3c422ccda7c181c565629acf4fc73b2de85bc9cf38310fe703a877b3e7d3b2d416aeb962f1027077232cfa39c5e5284a1b323264175546ddfb250ce693e2dc78a0479bd89a7ab44b63e504866d2ec6b5153cfd51f29a91cd4fa2b8e09878747ae53981875":"":32:"ac701373":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c4d492904becde4e46c2557ac833265c715bb57f18cd040d":"":"df41b22b92d43a96a7504514b92e644f":"c4dd46ce3e486d89903482de247c1e7df05809a247302db3ca8457b93d6886c0a3d1be40a90f6502ec58d0ddd715896cee37322d48ec3f0c3ad716f1bb679afdcc0e4c79e5e2e346702d349ec7b391ef7eafde618bbadce5d14d22123de611c065780a4d05e928e87d12b749888d6004224c3e457aca0190bf1a7fba2453680b":"":32:"7a259bda":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"316660f013ced78a16701b35479ffb1f7c8c4e964c1b52b8":"d262c15d08aea46f614c7f8f6a54631289e54ca97d698777388e137f431bb783601e7999e7af98775d7b87ce061d9ba56570ed8c58b6bbac5f12f751fc376ab0f14b36b40b2b5533727be3bbc9a51183405d5fd0121201ff592817d06613b504a3440b0e1a57e9ed1771766a9a5b789054f7032d20b23c5c37d77f293c677fd8":"919ceb172d2cb460bdb3b3e58debe889":"":"5f5128f7f948f0cc9fb248a24b07c54247e40080a992acddb2615d90ef9328a17bd5e9a698b00103855738aea55c4944cde4a9148bfa8db12233231861c455e52c9889119ca402eabc8f41b27000156dd29b901024336cb2b7088eb5fd534ba58f23caf140a8b2549486074e4edbfc262ed9c7c7ccaae24be8de873ad43cd13e":128:"ae22ec4c19e7616a5b877f168febd202":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1bdb707c328304809bf0608874c9db373df3c7104a5a7049":"ca243caa145124997f5e2e6bb25d021a38d58d0ab1bbf06d086c2416c08e3512aa887cc215fdb34d0f2d78f6a45885767f15fc00b68a4df1130587de777efb9cfd59cafa077477e97edabf2bf04c9a6ce029c230385ca5f9928bca7fe5503b18774849199d2a39a378a2d3144aef4416c1718319ff1bed8021dd77a07f61eaa6":"b7e7fc0d5adaed1632c5f7d1f56458f1":"":"91c7954bdd6a49360fdce11c1bc710512bf5a57bcef241fb63e5ceabcdc9699d0c0ddb025c75195ec25e631507f13e18799e6be9798e5639ad8401f6244c5b0ace3905ae0de08e2d0fcd19d193de83943fe449af4b503a454c248e677d2f51100fd9b8b7e5388d5091089369a7c2ff38bd353e9757ef873a87f15f30232bafb4":128:"72337bdb2bfdd1f1ebe0dba6f9b7b649":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a6dd0d7e9d6ad1ad7c7394d53e9e081c436d34c8158bbc95":"2d95d64ed3be857a5c79c7af20aee00f142557e10d780383fef2d45f16c7e2823ffee495b220c87971610e5650f7c3e8d296b3f03fc883c00351df48d97717427101aa0c08a23c408b24511621b640c210b316cf17e3dfd714f0c9aa9ddd974692d1c2ae27b9bb0fbb428e7a9da3b3cf9bd869e730ccaa3aa4bd08f01f84039a":"60b4b9c77d01232c5d3d4af81becb0dc":"":"4494460ee73d3513814e1f779bfe3a229b49348d7641e9ed4dd959b582960097ef08b91292bb9db87b4e728d01b92683f4cdc81151a69bed2096bf6fb2e45d0148404420ea16b631b421e6f4c6665fe33c2d11e7b22b6aa82b610b83214ae4d17e681972e3a1f77306d3c54d96c47d8be1fb2c8cae8300ac9db99013f25a65a1":128:"d40a246c18518ea9f8d733b42181123c":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e9ed78cb5c10df05ad00c6f1fb35b4d28e6ddfcc16456807":"e465e57cbac0dcd1e8ccda22042abecd9d89c4ac91b0e82a41fd51107a792099e63f7cf23a889d8c04edae2c2b3a9e51dbee6c3b71ace3de08ab354a295888bb99ae0fe428dd69bc013d49a70511ef60524282347787a542fe9501b6452b5faad2f129a9795c2c4cc0881ec4af8f0e0d2d4a7a628cb051055fe831b51e250608":"3a8ad989c621ae1e82b8d255a3c95028":"":"6855e4702f1ea593bfe30ee65b3fab832778d6b11a0ad902dd37361b8d85ab76d1f2ccf7927d695eb3129286c26737b9573e26bf64b31de26f97525f84345f73bda2888a1f53c9b405ad627bbe5dea123c9fb0a4b7f193cd8fbc8fa4a5e5f64e9c083f5c048d61fd1d347b49afdc69e0ca6a82e3b064c49d5bffa2800b5cfcdf":120:"9661f5c3b0d99d4f762bdcabd48df2":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"76a5bc9a8d7c6e2822456156cea7d493702d61e7d504e3c3":"0a7fbca875fd620c3d8de788e5c27534160f68d60d70fa4167adf0c18ea25fa1f2cc551fdf447aa16678d3f82193cf421a6fa953532a3765bcb54183bf0e96527ae5e695ed3bba5d9911f36c1aa73132cd43b2698996eb43ff84420e315a06d7db02aee815461892c7ab9026953c4bc25f47153d5cb7b966b71b24dad69fa565":"09b681de6683751300c2ada84a214d02":"":"dd66e08fc500426feb497c39c5853b26376272dfabb82ab5978167faa91adb025a6ca0e8fe3d04a0d97062eee8ca6530c3788bebe4436ecdd3d9eab96d38a0cf9b8cc6a584a0facaea33ec2f4a6e61f780c3dad524df902f421e3204cec7c9a4bb3f0860e017eddeb939cdfbe6f924e1eebfbbf8ec63c55b62137d9f8845f38f":120:"4acc40a4882d7733d8f526365f2560":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f5cb564cdd6974219e87f93a030fdcad35313d4adf9d7a97":"210a799d480b4933e16fcbed632579beb6b00aec74c205dbaf64e2cb152c12f9b6969122f296efcfe328f54202446514066594848f42a3031425020b56d065d6eaf2caf507d5f51df493c11514400b889f33d0b996e721eb613569396df0528aa14eaed117dbb7c01d9c3ac39507e42a158413dab80aa687772475105eabcbbf":"90f91da5239640a70eec60d849d9ae70":"":"69a3dcf5b94a507a53fa5e62cfca269453623ccd3a537d971130a21bee884cf271b9833dec19862ab0dfe7052e7dc07b20f34aac42bc39bf1d495360c1d701ea53a9bba64b02962b4ef64fb1c90a1a2f3a6f81a6ba781d5f28b786efc365ec6a35c826544aab94b53b96613fddb65660dd336acc34a217960f6c22b9fe60dde1":120:"b67495a863fffcc773021dc7865304":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dc2c5a020d3ea731362c29d559cb14aa4f8e3f6a554a5fee":"8cf098cb6ad79e0f0eb4ca888da004dfe6431b5982bf1490c5f2d1486c288b5d50ea0a5a63cf9d097a71348632391b4bf962bf464419c2c971e76c03eedd09d069a070c86837e16a2c39a2cb8de3e2d3f274e03998a874fa98de0933b0856e076e7f575f351d7ecd024753781f51ef600405b304e37f326846b84692448d3f2f":"bd4d45d970085e0b2bfc9477f5cd0244":"":"d44a4fd303e657670632da8dddb6a117f3e35d8afce245e7e6576711c663f36806b813ba6421ef9788681d9717a36d3eff4ae1789c242f686d8cf4ae81165191220e338bf204744c9fc70560683ec07c212846d257d924d5fc43a3d4297ac54428a32c8bb9d5137e0f4aaa42df8dec37793f3965ca658f22c866e259c80bcc59":112:"9c1d6c70e1457a8d67f81cb3dc8e":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"167cb184ab6ad15be36536f505ea5447fd996b1d9a092ef3":"0b6ec08685b5a9d32346a5fa25d208136433204f3b86182bd1d9578f0634dcbb5b59937fb87df0679334d7f41eb8bec60ae1b87994ed2cfddcb56e95a6fb4e3ab7845b0294e4afa5ad46eb5a431cbd7ad0eb0473c42c06f3f62de03d10ddda449d41137c8010af5c7c0eac7a5fde5a39b5437a2382639fe3388ce029a7d4465c":"b5cc89a1c10329bb417e6b519091cee4":"":"7ebe4a9547fb115b39b09880d6f36f8cd402bb798c6d9db036b1ebd8b87a8e9d56fc23b7ae4e8cac3500bf2f73952c37a068f1e472369b62319a8b1bc085a51fbe47e1c321dd1ba2a40692ecd68762a63467d5ecad66a3d720a8a81e02dac0ebe8df867e2f7afa367aa2688ca73565e55cf2b0072fa3681750d61e8e60275aad":112:"30454dae78f14b9616b57fdc81ba":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9bc7aad4f4bd73acf756311ff1b72b41631344b9b57cf447":"7cdf07e17f667227edc986827d55bb803c6e51f93e72d98a1cbd161b58155a1c14ca54d52254e5f88f2a08614df68cc37f6e9fac88895b53090f69544b18aee4cc03763d35e7dd94ed82d1435316e7e02367b1c43506b3ccd31e248dce81fe62fdaea3a0bfba03477d5c151b0f76f09799048d8b23699d000a9da11281efffc1":"ffa8e719f29139d12f741f0228e11dfe":"":"6ab304cb9d1ed675383ff95f7f61ffc2aa73ab1b9a691bb84777b14c7014e986ffb91da6847d3abc0349a7aa09ed1d86f2dabc09e0e25a05800bd5d616c1a665bdb119ef71bae065ed019aed20ad3b13262a902f24ccb4819dc71419994a8b4774a3b9f4f672d31aaec997cfe340d2abdc3958c41373d0315076d22189eb5065":112:"260cce7d5ed6a8666c9feaad7058":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5bd47bea08eab8694defc2b66e60da1be40fc1e398224f9b":"083ad3fe9273b8063e144a03f88fb179b18327aba37259d7f8532303306ac9d18cfcb746cab3f9385b5bb685fbc4a252dda268044642f5dbe33ea6e1634445311e440c5507fa6beaed343c83aeb0ffc4f1cba21b39f0ff6edfff961aed3ae1796f8bfeebcd3392d92e26dd26a19a7b7c2e5910f22557fad600f8cca8aba988d4":"e45a52c5e5ecc87b4320864b38683777":"":"8fa3cd91fb93a346e1f9595088c5503a840c7d7c33aa1be147e484e2aef2a8bda77275348ca59810abef6e179888f6781862990ba8e6d96af70febd2f671a3a8d6dce9be46c1cc6dbfaae35c35a7073205411cc8ab4ddd266b31b64edab4ffea076b29803149850cca41c857b05c10148182f8e7252e67069e7517da5fc08ee1":104:"9fa3372199a2484f82c330093f":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"850a811ca18044dee4487729e619cca71f05a5b164dd1250":"6ee76712d0b1fc00e43c2312743a881ed95a0b06276c5a4d93e3d56732af6b12c7c0d1aa6ffaec562229b6443e576caecffeadd9a65b91efa1bfe48ab1ecc63c381d00fe8dc7f11365f2b28945e844e7c6ca60972f733a96f29cc12e259c7cf29e2c7bbf8f572e158782a46093c5754656d0f2e1e1ea2a0b315b5fa02dadf408":"6f79e0f62236790c89156c14bd9540a9":"":"eb1ebd78d7ac88e6f927e09fecf7feb1aa64d7435aae76cc917edd9e0624a96e945df67648c187e397954da7b0888005f7a0d05d09de424c1a0648b56707b90da4021d5a36175500337e7341d1a474fbaa94e56d7ea52155829eb6bb9d95457c138875f0738034924d59681e7c2dfffb7dc0959697468ea2b65a884c897208ab":104:"91c74a30e5bff5b2585ac7699e":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"91469828dafd30de415067236d5f49ea14e813637f1ee0c3":"e3aac00bd05ce3c9b87720db82104364c8ef6ef25d6f3c8bcf5f73f1a26f8619e831bf7bb28c4dcbac7013dc6282d07cc225bd969c582a26accd7cfffe878a3159a5ad3cb6c8b89131aada61e2960cc5431f4ef94394634e4c8b2938409bcd2e7668986c7c5cd2ed5f2c525fa0212996960ab842a43869ed430d3291799a2a1e":"cb5409aad9d227a3cf0e2c5f1031873e":"":"4aa82b1c81a911cbe84231ce7afb95188f2177b539fb77de68f3d4801a2bd09f5ee2f7e59b5d9e79be5f7a23f0612ae39d59259dabc8b1bf7dbd4adc0db520bf7e71b988fa96d6b4dfc76afdc22ea31f64c64388dd93b27518b3263b0a19007405fc08645350a69e863a97dd952c8d886b5e0f444a6e77a9ef7c7de54f405a04":104:"2a6b14c78bcb6e2718d8a28e42":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7b6907853b7d4c4a19468111d96c5de048200b5441b9411d":"3622ba252c067ce7d6cae1d1f5068e457a0cf93be01fdce6dc8652a53135d5ed445388679e3f388ee6a81220b19356b275878fbcc2a6751bee7e2a50adb7c430e4c8cae03e88465f97bcaeb151d4f0007bee6bb9864b33020717adc42d6f8a283a20f6b62ec79fb8060e3e5ecc1e91a2eaef57e9dabd3b3634236f12d4bff475":"a66ee64c15094be079084c89cb1739c1":"":"2b8c1490e13881ab3bac875cbdb86baabe7fa30445bcb39315d057171e80d02aa8471355e80ba891b26d80b375508ba2756162cc688578be313a50096d7cd6253a8094970898fb99cd2967e78a57d12b8b3e3c10502634bead5bfe2c9dad332fcbda0c1bca16fd5cac78ebcbc7f15aad8b28abf3ed74a245a8e7a85cfaa712ab":96:"e52af33988855d1a31158c78":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe63e247e8de838a197a9e937e34c0f5a0b282533d445015":"17c5d748b8596901e97df660ca94fc970f7ebb769aff88f60acc425f50ebfb6744c6d8778c226c5d63653d9388d3fa0d4d630f94d668f3478c89e2708501edb12307a9b2189576cbc79388d291354cb9a5d1eace4ca1d9f734fc78e55ecbf86338a31ebe583cace752e8bafd0a820384136963eb2d2f4eea7b2f69597737a1ca":"8e018305675c287f802f28fe56ae5c4b":"":"c3d34e2cf1c3ad629490d70a0fec1a63c88d025ffed46ff8f5d8c0879c166ad716b702682cd0a437bdaa03a9b2e69a32fb7259b0fa930ca7a344aea37886cc9850e44de0aa049b8bc300caee82e26b2a1e5ab45c4c7cc6a15f5f595199999a0cacaa59da1b2be2a204fe13005b92ce722a000228545ae8a61b2c667a386f431b":96:"d7a6a917a286d8edf1289183":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c739dae83a5e64bd98ffaf68b5bcbcd0155d8109e9ff2518":"56dafc06b354e84ce3ce31b7f88193124ca7e7049272beb93fbedcb3ede8e017bdb9ee5d314ec5168443fe01258d9abc4c4c27580f6299b20082b4ca87eb2589bedc459f132dfaefafffdd13f82e153a2165dcab9a9b6c10f1d0d13b127312a6f5f3d65a73b8fd057f1d88038c5137254111f7aedf21af07a35e34cf4d2166d9":"d80ac4dacb0f1441839e2068013dde3f":"":"9ae5107f4394c9050f8ca8ae6d1eb66099ccd0166f38e45c1cbc17b30e218fcf6015ac92dd7ab48bbb095a0523904c72710a86e50518d6aade269c82bc5ecdfa729802441e09aeb939abb43f5960542ad87961e2141f967d12f7190b07de99811b264dc62cb8f067872f84d21b661558ceeae4922900ffd76084e450650de79b":96:"6a180ed4f3a9d5739e559d00":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4c23ed64375d42c3a402fdadd143336d2f6babf4d4ebc176":"5541a219108ce3ce593cca8c6aa6504c84983a98851bf8610d71f79a38bdc21d5219266ad56e10ccba4898ea969815ed0d6df75312d657631e1e22e46f727a499696399a0955d94942a641383cadebc5328da2ac75bf0db709000ba3277581e1318cb5825ba112df3ea9c453ad04d03eb29d1715412cc03dbce6c8e380b36167":"daa6f68b3ce298310bcc2a7e0b2f9fec":"":"2a4e04101d4c822eba024dcea27d67eca7ba7f0ea6d5290ced9376049ae085ccae3ecb624c03eb5b2808982c88f0a5c4363a7271610b674317bbdf1538776f1fa2454c249a1b0d6c3e64bd4a356ac2aa2fd601a83d4fa76291f3ef1a9bfc858cc0aea10cff34ab9eb55411efec2a82a90af3fc80f3d8e2b56181630230890acc":64:"d408209fabf82a35":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"695dfde34f0af192faa50244ab95a6059e2e637e237eb60d":"33ca2c61a04467ad2bbd2ba8144573f0c2504a4e9945fbae250385406ed1757adb70534bd6ed854f227d93eee57c73a314f5955208e1ba5af8cc1e8b5bb07cb63030e3ae5f0ad287536f49b576418bb1d2dec40562f6bdda59c373d6668aaa9b791285716325fccbda2180e33955c8be19d05e389820ed69258c9b93e3c82e96":"a6a57792b5a738286fb575b84eea2aaa":"":"b2ce449fc806dfb93cd7c97c018c2ba7d702216ae29a530a8f22d07279c7570c6288fc01fa9915b42a6be7a7d9569f71b8fc2411dd9747b5c9c7b5c0a592bcd7e8f4530ebaee37e9c7d48d7a56be7e2df1d91cecfd11bec09bbca7ce7106942989594e791e00e23557c843acf5164f3863d90f606ad8328696f4ca51fd29346c":64:"050bd720de1b1350":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1a89a516204837bc780ad9b26717e51ccf42591bf58c75c1":"c72a1b8707522442b992cb21a7526dfd341e27a11e761f594abbfacc2ac26ea48523d0113e38adbfc06d4af8809cb606454467fd253ca442241e8921b906d6c007dd09e139e568194666d5da0b33c7ca67876856cf504e8dfab4a5b0a77cfb1883d532ef7c70b35b0838882f144991c25a2331863eaaaa2059401f61378750e5":"a9b1ef7744075cd6cc024f8c7b3b0b6e":"":"0ec50150590bb419df0d6c410edfc2f8805a602ff247e3b50881ad3efb598ed053d8dd1deff86460db0081c0eb3effe9ea94564f74000166f08db24da6cfcba91a9ee1e98b8671db99edbe8fde11d0e898bb130e1b27358fc42be03fb3348af7de9376af495c0ec71aed56d680632195539b2d1d5bf804328d0928a44c9731ce":64:"6c9f55e67533828c":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4107d51f7d6e24aa605959d5d46b4c7e1743b7d5e3ae07b6":"e5074ffbaf5e771e12f9e7cc8e7701b970aa7897928681383ea0f91bce8200ec6782dc9618e065e142c4ef2f7019791e74edfe2040b08bdf328d7d9658e7473beab65359d35ed168a2bb39f3c3f59890353405a82f48e16d388eb8f2145ed9bff016e725791cabca913813e7485f387223711c1ad098ffa0f72f74a048ec17ea":"94a88f6872995b26da39efb5e3f93334":"":"bf32a717c945e1e2fe91fd38f3c7084210a7966cb83235d28f701ebcae6b2042226e932e4601eb3ed4728ca32bf7065fcdc98017dabcac23f0f80c65e92518db6c78bf4cd91f817b69f3c3a8891786d433f6c3c1a025c1d37bd1c587ba6004085571245591d615906f5c18994f09a03f3eef180d7af34f00ecfe153d5ab73933":32:"8d43426d":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0fa6270a44c8d14937cc3ff4cc2d2c997254a42ca8a09eaf":"2252d1c4706cc46ad3e4f8c49a92cdc7d1af24deaf7b08ab7304ef804cfe261acc3a202bec0d8df42cc36a5a3ace9ed7a9465cdec3513d31de9ae7821f9444226439c8f98a9a7d99b36b91b1b00eac71080d7eb550209af5fb7b3f28d09f5060070da73a40456d60c0470773af95d16c0b33d0b5327d44188619b950590ea862":"b5f3fde841156bc408ec3de9ef3438fc":"":"4fcfc56fa722af32e804dee0f4b67f5fea542b381bc47c41451844c82e5427f6cd90c37e088dbaff722d8700a11d5dfb4282e565f32e055324e5069931c86b62feb2cdf82ca1f62aee02a70e4e274b2b957650a5cc772be86c1b1cfc41b01d20d9be8b05b9e3ff65413520789ca0f198fe00d83483a1d85aeb13094c9a827e7d":32:"1ae8f9c3":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"104c18bd2a0641fd46c2d7590d60d6d8eea74a2758ed0f4d":"4434cf5d12d07614227cfc12716a8adfc651ffe5c6476cf4489afaa698d9d19947016bdbcb5b625773252745dfeaf9b10021a5b38f742ea8a0fc5f926c80cef6568ab8639cddcf8fee9678d45ad4937d6e6b054b65512f929e897ed5f965cd14cad939732c53a847bb2758d818d5d131977649db5b59a0c5ebac37db961f9d69":"2902faec60f754f0fbb1981aeba277ff":"":"1789524845a1e36322c44dd1e938ee5d0fe6df244b751f3023d5d64d40a72598d352d9d2faba68be4e035c258b68782273925a94527fcdb977a41c1e0a96f53119b5909b23b0327c820e8f6da049a5d144a98019c4953aafd481190117573869109c265012a42f76bb4c3353f6613ccbc40a4af2f9e148bf0a0324bb43337fb7":32:"d36d2d06":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"263451f187b6dcab9d8dc4364217a483dd80c1d75f24fcea":"5e236c282eb4646fbd16a95eff2b27873f625a7e919237d75989a8a112ea80ce8db0b4aeaf5da59c3b22649dabb584284ab9673ba7edef59043eb8e99763643941a4788e7cf11bad63e13c9ef08644044b76beef68928dac22975481da4afc723b3ab3b498189542cbdffbc3f467d190cd02e9b36b6981122aa80cfa3aa3561f":"6c4552b3a03152aa464e88fd5b14356d":"435453a304fcd3c4bd6ab90d6ed8c54e6d21f75b9e56c9d48030499b04f6754cff628c4c9216f7d8a0abed5b8b7ca128c099a7deab74ecfe2c4a494b30d74833f837d254aa00d75aa963ce9c041f1916eb63d673a4af3f88817c65d4c86f5a3c28a67de2aaf75f08d1b628af333e518a7e99d980571db608407d3f447563f2df":"12dea5ea9b54957c689c7c9c6a711e2880645109a4057fafe3b32727a60ee1e24f8450310d6b8402c26b307bb0bf3cb7c6407270d95590efb938e6d77359666b11a7a3833a7122697e959645d8e9d835e0bd39bdc30397115b4c348ea825c850c1e54a60a2522a6321e4b99fa2ad9215205628c595b07c6ffed939c779d23ab2":128:"585677e0f37ae13d886c38202c3860b7":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dbcf735d7c8701f537090d3dcf914c741ed783c24bd8265b":"18eb70dff73341298ce33ff4049fa631f2c72c158fcdea55d1231c46c95ba4013012b713bc95ba25a2114d0380c297acd05c323696db466874083e18bf544dabffbc70be4649cfe7e8bf449aeb9789d6fa412a1adf57ce732702ab962561f9e1fa850733c97b8a4158786e8ccf32af0fc2b04907124e731ffaf3fa7eacaa64b2":"09ecced8460af635e46bc82450352be5":"cc5b8f82fce3797009fbd38dfad7055a5e2ac241363f6773191d0e534e2b4592a6805c191daad377245c414df8edc4d3d9ecd191a50cf9747dde65187484802e15797d7c7e1db49ea4e423e94d9ad3b99aea6bf2928ce6addfc00848550b4d2e466e85a282cc022c7c4469d2cb16151e81bf63df378e0c676036197d9470f42a":"8298f796428faffa6085e458f149675d6c6e2cdfbc7994ee6f19af40fe8926c28904fd5ac0b9bdbd2de3f1614500a3eab1f980f82ac23cae80f3e6ba71539d1723e9f3412df345536f7517d847aae79a83ee9ad5fe38d60c6618d870cb1f203a3e1847d14d8de5295209c0e05aa196fec0eab8389e4eb66bdf3dd49d0800ffad":128:"e53ca266dd93def5bee5daf70c953dd2":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5f8d84908a8b7f5e118482bb867102a244bcbf48b7229115":"9cd2a4e2acbeea6a73b5bffc1191d8045f63f3a14aa762eb776f35518f72bde4f9c8decd61a9319e3dfca82e682910a43de2719451e1a32839b29b27c3eb1c8f6118512d6a19cf189e2d04cf4e22459397936d60f7551244387294a7994320546f070e54f166cd7c243d13f3017b786f7df6a7fa4ece05a2fe49fc39e2225b92":"5ba986f5115d40c2cfe404007a1e2403":"06f98d4807efecfc863309f3bc64b0f04e4c16c32675ff97a3295d5657d4443f6c8b0a394d3f942705bdc19c22b8ff58e9b7c209b528b745fa0424d5898ef0e42e0909aa5ad0b01f8549e3674102ddaf4784f0ff8908cf9f9a25e7e4dd9af4da7bd13ae0cd87b6aaa6b132dc518f4a95af403e612edce63e1424dacf8e349372":"2f168fd1c819b159739a7cc783ecdb0ef9639b7965918e343e2a55f196daf584f7f14bb6e42d37b504bfc2cc08c218c5b841b2d2abce05bbf15315f471e56f04f7d54d6f1dc7b7a68b8bc7026a1441105015bcee2c39d83be35d25f0d514bd1ffe75411b32867ebf2d532a766f9bfce9e55ea3e0240d2a3713ddc2ba790bad21":128:"7f121ea36b36449e1db85e8a91ab16f3":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f6c3037a59e98a9a81094d65ca52752ad92f93bcfa671821":"26647f8f4092f80fc19f81f029c354c582b582516e8e27e97d50866e8ff755f50a8ae6422f4e996f0cf50826a68c007a5b16fd59002d368ed3285bbd04f8f9a5a524243cb8d5b3ffa184ba7384771bfc508f2e93abd2a1e7170d694d35cc0ff7f247e84ca8889efc820c3f6d9cd40afd56c5799972d7556c91cde50ac808652c":"43b4f15bbe525913a31a9adf23d1971e":"60826c97f0a99b88e7aeab774a3f2278f9d35b6c1a5fce49d9389a421543c99f68797224535dca4d7040313340da73982220040a063b045843a14f5d38763f95bdd26ef818f6e5171c8d5b47f183589afd6acd36e59b9946c1edf038ae285f500171e9850603cda36043c29860e75bfe03c21e0ef11a9aecc5d5c51bb2201d29":"e58df99cce5b2548cf39684df6a26b8f9b7969168ff21c410bc40b763842ab3b30cbb3c82e0b420c8100da61c9037a9f112db9563a3d069cdf2997e7f4dbb0b5d79b56f0e985cd8cb70355366f7afd211bd9909c48b142c6556326062d27f7f82d76b83c433f00f1716ebc95038cb57c550b5810b77788c8bf1e686a8a14b610":120:"ba6aa6d68a560642c266bf4469eaac":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8fd9b08232a1d3fbe319d0897c74098f75b3e801d10e183a":"a677a13ae26b7a05cecfd153aaaea02ccb50db601221a3df545164bb5fe638f6ed276d4bd172b9e740a82a690aec4f18f4f3a0afb80c9a32188958e1cb3651064f55ca1211647903f63013e46b46c7f4f95589012eb4ccd2451d8e8dacc3cd066281f1f0c71f69f1c49f3f94136a522fff0d02427e4bccab056e615ff6fde1d6":"304c759800b8e275dfcfd3e5e3c61a7e":"5d2dffb00a25788548ff1b2c94745e5bfcc05eeb11e63501007335d4bd06bfb3223d4682e7e83eca0e163d1a8f2a76096ab2839ad14b45eb59ea9b29feb76f40b0d8dac55247c65e5dbe6bb2d5155ddcf2b2f924c48e1c16c990b69ac48ef2350873c1ed524ce1b8ef6c92a11c8e461303f7c32b5d65b57154197e45f1c6b792":"0779e5050dd17837d40fe3427322e717f074312f160c1951e5560797c13e4fbe47f320dc8053a39d2def4d3cc20e215978647d917ddf93fdf9eee5e54a974060dbac2a478afe5f5acbf65af4dccbd3942d130dddfd90cfc969da0c7f4b4050e34ce2e049c3bb004782abf4744c9a3ca2713ebfc5dfa16d011bc0b33d0368c108":120:"54c8a1dddfaa1cafbcc1883587b4cd":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"19d38467c1024611433a0b2780980538d88f3e8907a86e42":"2623cd0eb46a7366877149ce0204d7dc08a5e64a1adb3b6759178c4eab26ca1806fc25fc0fc99dfc77d1811e61ac1e04ee82eb69ef7527962df1707734e4aca970b8a499eb70c2b0386942906945abcd9234b92e7bec33009e70786c39bd241da3905d961473e50367cb7726df8da2662fb32101d13b75032838f01ad7946670":"8d56a9e4bed67a7eb0f7b8c5e6bbf04e":"1c7d2744a56f5185b9cdf14eb9776ffd315214540daffc69c217dd64c7d0fb4a9f7b1ccc4c1e325fc046eec4feb8df35d32f492a28d35858ad1e9bfaf95211f111473c2ff799a124b308fba996b08f185103607605922bad319c6b7fd211f97c861565bea34948bfd751e4ce2591ae777ab1df8dc9e820cdad13066ed74303c6":"edfdfa35b41c5642e5b4dd1769b635811a48ecf21915cbef3c9e2f8230953f2ed4fda8903ec7634f10d55aa58c975a6c6133a173c2aeb83d6d7fc6534ea1781dfc62408e7a17d255a983bd1c33d2f423c364893db8128a599cd037b2db318f86f1fbd895a64a9fb209490b7e9a30db8cdf42e348cfcfa7984e15c17db810ec19":120:"17dff78f61d21de4c0744e57174f70":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d69bdc9d35589e33ea9c2b956780cd9618e0df79d1083e69":"d8a75de22fd3e2d50127c6fdeabc09fab1178875998319e1ea83c9745a1d5833c6ba9df08177c349dfa412e13e1927bbd4cdfb54a21c86c149be1feb4d9de99ffd590850875a3d9c8d9306971a9802ad4ca48f73d0517322525ac8463e3d59ae9895c9b363b6f0728d7585de78cbb49757bd1919ba2f2d6ba042d0781e7a79d7":"abd4b94362501b8f307fca076fccc60d":"1ad9aa99a4c8158ec08d21ebfb62604a043fc0c248fe08daa15a89f4a7855916af8aeb681ac6600c0268ade231f918fe508f48c9cfa998effc350fa117e2772f04839f8fa1a53bca00693ecd28db27c6507750404bd89af07451d66fb7dfa47065e9d3fe24a910eb27911591e4f4e4746b35359afada4356676b3c7331c610ab":"52e88b54b410dbfb4d88092df52688ba9502b906752b4802aca5428437d795de0d3539945bebdf2bab070df4a7e630469b92fe2dde0998d44094cae7f21f84ea7806637fa5c73b138e87d04005ef1206ddf30a21f46c0aa718665e809ffc0b42b5250143604b20225ec460defaf554a8bfb5f69ef4244e02e9563c374a44f0a9":112:"1024f8e9997f5fa4684930d17431":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6960be8fe82061e9cd783cd1c03f63a00d60ce9fc47ea496":"e0f574ddbb04831b5a86f40182f5f10d8667fe13c7065b471df157f67230c41b8c069c0218ceab93d63964be8ee853c567add2c3eab1670b03a51f9175e8e763be778ec43833cd716e1c8fe5cfb1d663149b21e06df772a3973fe1297d65188201cdb0c3533f5e9d40bb0664a97db60fc99d7e48eedebf264024006ca36361ac":"672f4378862c82738055273c72555b39":"e3a4dbce87edac519ce86349eed2dba0d371cef0d8f20b4dda3e1cd9f5799c9fd0b7494daec5bc995a6936c501212eb957ccc9ddd4c9b8a205cac122ba87b5c5a0eeba6b2af2cbc2326d953d61d089b6334ce03257203072f8e06b8c6f37692748a13e681082900fd32f0df6a3072f3a8b9bbeb3ea558e97a43d6656093d7c75":"2a3c4b79bbcfa4af04baa8413f6f1d18c9c579060ecd0cc359fcdcfc0566697ff834f7dffec84b2292e8583ecb59c9e5e5d87913a6ccaacebf371f1fff67f0be749d4ea5f5c6f4c959e9d932414a54a8e25bf2f485ecce9e70990bbc4e621ce2c8fcc3caa66b0730c6639de1bfa0124afe351912279bc3ca363f4e6013496cf1":112:"dbdd6af194f2578a0d0832d0cba1":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2b7d0115612c56a1f28c6b3cb3d51c2b4bbd4cd36ccf3dda":"3a88efa524a90b31873cba177a7e6e050dc59f42c934923db1e75fec924908370ad0c9c3b0b3c05adf12c6ef2627d8d16f832071c055aef5f581a39a8e7d9bed2629e26d5e3ecaed24048d744fba08d8d12132def62059f1a549044c1db121f47f10b3dc4a02849150aef53bd259d6814162761cbc9e1a8731d82101696e32d4":"317a60c3c29440b8ba04daf980994c46":"80d816bf4008ae51b9dd9a25c30cd7482f2289f5616c41d99881aa8f78b5efff84efe307a822174f3a5c08b381bc99b169b92057627f21dddc367723eaca2545ce3a4fba2b4633fd99459fb03e85d6d11ed041b63185f3b94f6004bdce556e2a0aaf811faf0153b3974d0bae3eabadccfc95474c940ecad5b4d5ea88f88b8c4a":"f193303bb781164e42b3d4d25569a446c86646bc0fbc93059603c0b46ec737ddfcd55df8c90e6d806bd9fef90f2b122a1758bef5c75fcdff95ce44217d9b6b0e75e77656cc7f8a8cc47729c74faf43cbf08202e9ad16c7ef8c832ce5f97f51153e178ccc3c168928f3c328cd5b4c341bb0482f6a292cfa2fa85e03d95bcd4cb1":112:"42308ffc76cb6ab3c770e06f78ba":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"75737e01a95c2ad9c860e72a57da646e01c2286a14dfec75":"fa749799afcf2242a6000c4fe1e0628db53933dde99d672e3c7b24b0cd6533b8002bb7aa8633322f4ee2e343db3a0067ad44edaa398cd90ebdb50c732e8bf95aceb4aaa4dfd1eaca617c30c30c1a18761a6d24c2de0790f54f73e0802eb82ffc0124517ddafe8336f4ec6197219346deef4ce930e8ae20117e6ebe49a2582346":"1060d78543be384e7a9dc32a06bcd524":"528a6c34c3cb3aba402b856dd7c9677d0d88821686edd86287e7484b72248f949bbdfb640df27e3d1d6b6dc1293ea6c84be72c85e5ff497f5da74d796a21f2513385a177f29f2154b2362d5ac83c3897f368d06513333f2995b701fb3e5aabac559f6018fffd02cd6b65eba9cdc629067f15d1ae431d6a22811508cd913009f8":"7e8774cb73468ad9647f6946aea30e9468fac3850b5ff173c7b346891ecda32a78b58df8d835328615f36a12c18370f3abcf021ed723830b08627767272f769a2105e4786451db0512027ce0e3f770fbb0ee0e1850a5fc479df4ad5ceff4fa3b2b9124c330c2e79d770e6f5e89acdc8d0ca9c758980dfefaaac41aaf6d472f8a":104:"6bc6632bb5b3296ede9e1c5fcd":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a326226b24222b3389d793b61b723e9ac7059495a1b597f5":"1cc26e453a54c94c1cf902fe12307cce2fba4d5f0fc3bb63cdbac0dd0b5ba31d08dae2b4f054c86f3a3ee920d8b9f7ad8ae8b4eca090c8783cf35db5de3b95889a84f09ff3f70263c61681f00a454b0813813f0fe3ec38a6d30cc3c6a93c91a422743e7a72340cb012718b8a4a3b66a75f13e0165aa51ee4b00046cba12e966d":"327972d0c2ebc20ed5bdedc8a3a7aee5":"2edb1455bf4573a54ab921d31b7fc9e534bce0870eb6e973afccc3b1f93dd2c1a476dd88e705919caeb5d4f4a8516a718cff8858eb443ca7785579036cc7273570e7bf2489ce71a52ad623bf7223ce31232d8c9b18e52a2dd4519bb08d87301f3ae69dcc36c6dcb3b03d8fc39b6621f6b4471092e941ef090c9821a05df8575a":"5a219a0d997e879ffeb548d43de8e4f32a9ad196dc425c83f766134735ad2c9ff5d9665bd54ac3efdc50bb4a7a04ba59825f31a0f3e530aef45bba00cd6479efaa19c85edb4734f91fdad6686e50f9cc531fcabce9e8397381b4d691da4a27b7c487e93de3e3a9e769e831c69b07697e4bab470ebff628e710efa17e4c184e0f":104:"2b9ac273c059865fab46f05ae3":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cf5f2d843042ab94fc4519d57d9229ea7e8172acf515fab7":"0e20f5a2afffa4a5f9219320716c8a26e35a19c525dddd528e5f5f06f0da082f43272361f07cfdf57423f67ad3cfdda9cf1747c602a93747cc571adfabcc9d1ec1a8128908df45fe0ede0e14ff40169dd1ecbff7f4062ee7be0a1afb370c9d5103132c1fbee9262309cb05ea150fa862d6303af71677d2de9cafdb4ecdab8d5b":"95b06c3ce1a3de73cf51e781b941097a":"765c3fae74b6fa4b6ed4ca7ab9b829d76a7759c50874a38d2ecfddaca2365f7a143c9584e255608be829950393e5f94131caf4caa04aeeeb9d595e39ef3f9830246d6066995b2d40438f7eb0944bd452ab493b422e93a3e0dc3c0fc2a4b83711ac6693f07f035fd9d031242b6ea45beb259dc0203f497a77106392e4da93c285":"f43628a227dc852e0ad931e23548fedfd57020a26638ceb95dc5601827a0691c44209d14113da56e6a1e44c72845e42ebbc7ffbbc1cf18c1d33ca459bf94b1393a4725682f911f933e3fb21f2f8cd1ac48bc5afb6cb853a09e109dadcb740a98e5e7ec875cea90be16bcdfec5f7de176eeeb07a3768b84b091c661f65e2b905e":104:"77964b5ce53209ee5307065d49":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"11cf18bbbc1d8778faf40391c30ca417739ff8e2a521926c":"a2e11ac093ab648118759183cd52ca7d5728ca87fe2f31eca28cfb13325e3e6e95974456857866dda78359023e2c998d2c93c6dfe8f72c6d4ac39ca0585a53fc074bf1124c3ada92e78462a445da23e650bf52e26b782ff50312ee2beb7410e93c8435f7b88dfb0ed63d9a3823992d796bf3ab147c33593c5e6193ef32f7a620":"bdd9a2b70e4ee0cc501feca2a5209c3b":"051c68fe0cd81b52fede137d0105e69c74771b770ea9b573ad92ecae86f420953f459755597f68c29f6fca39a27239faa940ce6c949ccd44c9f12a0160cf74a575753310f52ec5c5bb9c4474b85266494e63b6810ddf7a6abd1cf8244cebbf69d3198c4a09e8dccbc9429f81791f5c02628e9477b988e2bd10f9bd5d6731ad01":"ca899a00654730d68219ca2ed9b23058a5f40150c237143b24245de1e440329e513690f00c0c52bbd0de8074fe5d7a50fe420470249227f967340efeeb64c424881c7f3a20c405d58ea81f2309c7f74ae572b30313e2d4b419fbf5f2cf90c6706a1ae1a800a883e8b00fbbc9dc28bf5aa4a329246bbe94df5c2d4524f57370d9":96:"dd45503cc20493ec61f54f01":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"812481f8982b42b2fb86297c4b7c739652908dc498171c69":"32b27127582ceac21f968f5418e24ec8b84617f4daab0eb007f02d45812e81d486dc50909d79221c438def535b8a55946f50297963139a6b21e139e810d19bc1566b374d080a387a646bb582dc738c44156eb6c8dad613586662418edcbb18fe688d271108318de71734cb571d442e4d9537b0fcb2f5c763b3fbcac010f5c4e1":"0dad658c73c9c88dd927a502d7b14e8b":"af44f747d77a83ef0944f3bac8e835d752bb55772a7fbd3c6af27ca0eaadd122c9af1e2a9f37c2ba42779ed8cde2199125378fc88c7d6d58edc01c65491c5efc6bee58e7e8bf72f1a69d3dba47b38a50077130cbd71accd3dd4f193a53c6f2d1df694476767f79f8b71fd42745ee5bd41e90a7dd50a1597445251b32de303169":"003ae4798f6a0b97990d41373623e528618f9299cebdb0d23e3799f62bb063e5530eef7fc40c06af16965ff6895f675ffb81c004d826cbd36b5eec9bd3d90d785af03b64d12d311b6f90bcd75a40497d0fad5e54f829a097b25f7a9604f6fad475c9239a0f8d5589b8a76c6f7bc852a3b820734b426f59ee845ec3f09dd7d3d1":96:"b80bbc002cbebfb4ec5d48c0":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a6657a7a9ddc6b4595df94d7c6bee9d13ad231cdc46ae5b4":"36857eccb5b3c220265a40980e8949135e840ef270602940d3394f3f679aed55217c1de175f6b48a16f7b394ad7d288bc425762f971b752d1372b369fb1c3a64970c8d18ad6de2e1a9a561a749e3cf9a8524e239f3121e8643bebee471e55fb5d54a3453c51b1747defac98ead8b25854ed1cae7ac44fd28cf4b1ed8988875c1":"68621ea7c6aaf1e86a3b841df9c43aa8":"bc25c38d3a200fc17f620444e404f3b3999f51ed5b860c04186750f55cc53c6423c44d0eee02a83af27d16b9652a7cb3d34a5cb19694e5399a272dacd56c4b17872fd23fdca129a4299b9c87baf209dd1cd1f355088e3f938e6d5053a847b5913f0b9135d6f290e365508bed73c61160a11a2c23aaed7551b32882c79a807230":"de8bb8e69f9ff1322f0a6c30cba5a6fccd7d17a2173a86cff5478ac8ea4ad6f4e99ddd4149e6a9b24865cc8fd6394066e24a556f3f6d48c599592c56f06a946c6b3414e2fb47e14d1f128ef26b385912367f35082099c1f3d4ea86687f19f059c56dac21923e9a151567299416eb311f5bbf9a28968b080b0b200044668f0919":96:"065f6c2b86891c719ea76984":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"20cf8c2c47cd583286157b45b575d4d69c793b4250274fe4":"a64c2131c94fa827c3a510b23b20fb6d04579bc292d2ec33efc9eb31459115da143f73fba9bd8b03b67e591497d108f900a7279542b480bd3a13ea588a29efe66688b52c3fd58598c66d8595888e87b27734e6c5b2796cc60ab2aa3dd06a29c577de5bdbf0b6c69c7034f0181050f286b9300d214f549165a0b5b56ba8e40641":"ab58d2e18eb83c20df94cd6b569c65fe":"93ff6057eaaa9559d87e3276d4d900888cb1f56434ce2677ee1486a0aa8f4e8d02c47d06e6841f3fbe5bd72dd37fa9d81bbef807dca6961910844eb9611419936310d717e1843e7b278f48ae44a57c1f227a75fa8cbc7fd57c8cc3b101e036c8ef3043642c81f381561b61da7c9d79b6da9ec46f7cf093c29c1930b27c14f991":"a3f621261af17ec4756245414280017fd36133f2f9ff89eb8979d4417b8f93892bbf7b08bab785341bf0c7b5e3643f0e33f036633e5ebeae7a750ffdfcfbab690291731e92238ba6b45859b309629224fa7efc72298d3cf1ae3b6a9e94797552afc4e3a46205f9bab7eb64e4a41aee0e45289704a97221b7118d209e0b267a68":64:"ae53564271d5de5d":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8a311bf356cb1d1f58eab411b45b8d78b88052f3c8ab821d":"3e915e92f186fde05ad55a2597ceab81495abbaa0be107dbf6a375525d1157a322b1f65460dce0c3aa2bc08fa89f777dac4d2fc3e5f7f20a0d5e33373c7f1c3551369737124c702928726bd9db96a33bacb56f1d645fa02ca1d88629c547c0eaf9585ee23b530ea971bf439c67e3b752af882668ebe0c739b26c837887b9d2be":"0569d05f3825d16aaa89e86812f80628":"28494a12026eb89b46b6139573dcda0836a617e00e25e2daa92f9372d86c3c162cfec34d634ea48294c784825615f41e06e555cf916983931e3d6a7ccbb4448670139616e3bbf7109387a852703b0b9d12c1fbd966f72bf49a7e1461ca714872ccdc59dc775c24a85e9864461123710fd8dcc26815894ee8cf2ca48a4ec73b3b":"9ba776653e8d9d240d9c1ec355027a18731c500928925e7c50ef83c6f36957073a8386ecbfaf430634cd557b1da1bf122f37456fea3e9b58a6e99413d9d16a2f1b40dff843fe16a2fa0219ad5dd8ae4611de53d7aabbef7a87ce402e62276addc7f44e09ae9e62c5cce4ddce5695db987084385ae9a98884ec97e67b549ad440":64:"c669ca821b6ef584":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"82fc47638cfb361ecf7924c03925d6006cb99459ef5691e8":"d14a550d419b8e03762429a7abda3b17ad7a1305e5fc639e71538285cd70d78fa30e0c048e2c32d2a7fd7f82c874d63ae922db5a77111b46caefbfe4feef4df19786e5fec6a4df84f76df412b1f06bea149f1996b41b117d00d422bba5566d3af5289ca9377f325ca1e72f7d6a32df6607bde194cf4ac52c28e8aa1e8f1c9a67":"2a8e1cadd2f264f2ad7be9e7bdfa24a2":"8088358d7c3ca8951d7e8cd6cae15844edabccc8d0fcf8f169a48cf434d4814f1d7d9ae410e5581d414f952f52b852eb10fcf0f2a67bea826ea2e28331f0597152e624e148462d5952f10fa363666d57ebfe036695e1e68f79161b991e20c8ae6095232e63fde073c79603135849c62f8d98a1d80608fc081171114db41883f6":"e54cc95e845f4d1b28885e9b90d1d9d3cc51fd9d8fec9bce57de8781a28b4e5b7ab446074e84471d7a9a23748b689c354e402be77f9890a9c52a2eb9022a6a415e01285db1c6eb66d5e15f4216a4f3f45782677b6ccbf20ac7b35bd153f52a599712d09712ef1454ccf72ee48cca967f4917f1aeaeaa6eaaf8493ec7ff2dc1d4":64:"093343e49b70c938":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3180703e1ec93b20d1ac4d64e85d5461d75f783bcd2f4fa":"b7b350db6fc0796e9fd0cb239f561bf7e27b2aa26b8e3e76d8b737caa1c1c5ad624a32f5709e4b751f8c21172d4d0f4ba38ca4d1d0e2570c084cabdd0e8880b35140c84f775c3c301a9b260825e1fd75f9835777d6c0e23d359af1a5f7caef934b91bee521531582b639be2cca87c2991f5525f4a2f64c30a1453013d73c16cf":"916d72d515d3247ba48828d4113bda3b":"1002513035cb1d7e8b2710ff8c93cec55e2e2c2b56000d4c1182b5286736acd2d6f2fc9b82f71156dba6f77463805627e4bc38c96e091ecd945df7e996e7fc3bbfdae3d85ef1337fbce960fd1d60d06962a1669e9e8d20be151f6323cb38ef68ab5e838f02a0f379567f518f15d81b192cb25a42356807c1b9c02bef8309ff44":"d590f2afcd64c574ece12c675f509efdffc01e1404cbafbc923c4b44390eff66dd839e6d800df67bc06f49f76911df3cec36a3a1521762d6d4a8ee602ebefde0178863443f918668fcde8a531f3b5ee0e4c379ecf3e75e7c59f753e41f4e39811bd3e7dd3d6bbaa1e81fdbf8bd976384a6c4505f7e4270321c7329bba7f15506":32:"22e50ed0":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"02bc0a8ab5468123009b2c69aaffd0a20a1fb082b55a7ecb":"8bf32af1632a7903f00e801ee6e5c690147c021be6886cf2462b2172786ab296e0feb96648e4a602ae6dc45e2aa60e6610356cde26b1dde3aa114c5449216a467fcde18332a6d482d24a1ee952379340d036a48b63efa092db4c30a95f402d57b9c837183e900b47805f170cfe9e69baea2b939799e983f7470bb1297f937bbf":"bcfc15308e891f32506a50c4ed41bff6":"01bff5e606a536e951213b23672db9074fa8bbf947e815d32cbfe30adc1e736517f86139840a4aa0a671b4e9bbd6a59d292db34cc87742c0dfd2d658ef157734c5fdebb3e5772d4990ad1b2675c23ddf1472e892dafe7bf140d614c50cf937923491662299ab957606f4ca5eed2facdc5c657784bac871fab04d6cd3ccb18332":"b8dff03141832970c925e7ff0038394a0df7f35add3046cc56f73e3eff59e18932aac697456107b6da7da3249049c3be5c098dd730cd4bf68cdf798c3a932b2c51f18d29e4386cbf1b7998a81b603372337784307b0beb59235eba4d3e4810899f6d71a994ba9742aea1875878ccef1bf674ee655a0720bd37e44b33cafe5742":32:"bd0be868":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7c07d5ccaadb9e3ba5b5ddf380a7a2a175522b98e31e1d34":"04d3e6bcd5ebf696fe84a702ffd5f76dcbe9679c909b36d41ce6362f229304aeb19896c6376cb3c25081f709af57d36f39f421ecdb70bed9f829558bec6e78823275fc11f9a2d5f773d27136d903ff08e5926338dfdcbc182825794e5f739efc1f0ecda8e53751edbe0d08963471fb5099f2ff31f76b479677bd6d186a409525":"e4db5c6403a03daa703516763052bce0":"b747d97f263d0ff6119df1b5332640d2e4568813adc12ed76175fdfffafd087456748abb267195688d2db41caef301117979dfd2db9714b352398594005bebb449ea20415fcfb2671253f69bf6467ce7f5bce350a834c4586eb03e766c1930e7e6ccf01283ea31b8c73d7967cde0f2a53cc46b1b50c48649044d6f753f1d54b5":"f5faf7bdd99c62ec87f93da2ca3ce31e694df0a0fd04d61914f9a7a4235de20e0a406e297ba1099fff8c14e8fd37a9d6cbe2c5c572c988cb1ff87ffe7825e1947ea3da73b8b3633721fb4e08deb3f8fcae2407d73bd4c07f32b4f9ad0b1364003b11f84037a28239e96c3996874ba8e4ec7270bf0441d648f52f3730d30e3536":32:"e0820c4d":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dd01d48789ef7f07f80a7385e4d1b1734903bc6ec768c9f2":"":"944ed7743be9ce370cba7b7c9b7dece2":"":"":128:"dfa0ab389c3a780f598af80200c84da8":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0383849ed0db3e52743aa82fe8cd9173b457755be8bbd46c":"":"c6b8518346ec52c001697b7bd38dc795":"":"":128:"48a1992549b627c8621e8fbaadacb16c":0
AES-GCM NIST Validation (AES-192,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"936388053ee0116b3f783ae34f000d5fe2c5d712842d46f9":"":"c5426b20c014e472c7b85be2ed0f64c8":"":"":128:"4cf0f6a45f3544e3d391375c8fe176b1":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"40dfcb3151a8dab1cb79a6a1e6a24fb55024d0e256bd4b07":"":"b8495cc54653e7ad74206153ea64c3cb":"":"":120:"1d3786412e0ceb383de3898ef2cffe":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"83ca41d8b33c6134a14d8b30b0c36d5b799574dd925f3b8b":"":"fb9aca5b4932035c65b571d170fdf524":"":"":120:"9787f7d68d2648963cb49fd7459121":0
AES-GCM NIST Validation (AES-192,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"886e646688d573c2dcc8ca229a11b394b3400408dd801503":"":"c0744685722cb87717c76fd09a721dac":"":"":120:"794fe4df0084c21ffeaf959e5b0382":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0b845dc2c4e9e5a94bd3e8969300b16b45d3ad5eadb2e80a":"":"0900b3fa3cc9833d702655d285f904ed":"":"":112:"dc670518e150d326921bd5f43e80":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ac9fac2e32ab44a0774949d53a62c1cda04b132a3b07a211":"":"8cf6a81bfa21633ad95ffc690c737511":"":"":112:"4cd7a6e4f3ec3d41d086e6abf14c":0
AES-GCM NIST Validation (AES-192,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9f9721ef784980d03140490f760313cc8a56424affb01672":"":"c104bd8482e3fe7359c85e0e94fd4070":"":"":112:"3f682fc71989804ba74bdad04a97":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f7c935f56970678ab89f6d97315a33efae76148263e95f1e":"":"1a91965c5458f4a1fde309cd42a3f277":"":"":104:"ce266c6f0447623a3ef1f6f57c":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"30ecea6cac70a9de4f4f7f441d6b9b5608cca39d07c0ded5":"":"361e5cd21c670de39b5f0b2b89437f99":"":"":104:"48a9621522a98bc6c0acf03429":0
AES-GCM NIST Validation (AES-192,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4fb80c4fd026c3f68ab8fcb8e28e144fdb3ba00d70295ebf":"":"ee552fb94a527d18d285d6c195ca7b2f":"":"":104:"5ec97630ce593e9d560136774c":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c0261023ee9f682789ce9ae970fb7601f07551259ef91945":"":"bffe4af76db75bc4a3d42b57c73c51b6":"":"":96:"bf827b4526da77ab2e21908c":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4fb4ab2071bff4ec239ac05c04800806df2c256a4845b13a":"":"3ee0e2e72eea437e46a873bd659b1c4a":"":"":96:"572d3ec2650ad57eec84fe00":0
AES-GCM NIST Validation (AES-192,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"193d5ebeb466d3fe68754bba413c65112ae29c5ca5e450c4":"":"04e9d31b3b1205cae37c435d5a5579df":"":"":96:"71004356f266688374437aef":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9a455ea1d9a78425a41d43e293e88de40dd6ad9ab2a63ef0":"":"c108c56a1b3261042adc89046ad1ecf8":"":"":64:"213d77ed0534cc20":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d6fff8797db2f1884b7d71e3ef3e5983234a837dbd0c2cd6":"":"6be4417d7c00fe9c731e0932a7037a71":"":"":64:"68b6c28786a017e7":0
AES-GCM NIST Validation (AES-192,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"86e6c451ea0ecaec9e365bc4831e7a6c092b65ee9bcf1b86":"":"6258168da407ce43cc18d6931497c1f3":"":"":64:"cbf20172e75a6316":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9295cc6458d907da5e7c356a7de51eb8e8d3031f72a05fb7":"":"c7eaad3389fc24a4ef96a711ffbfff9e":"":"":32:"12508e37":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"308b6ee958f81a7fbf3bc386e167459206df9c1cb999d904":"":"2c61b991ce478d9aac818d7aa75ada36":"":"":32:"32ead170":0
AES-GCM NIST Validation (AES-192,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"873d033773218387690c2871448578d8440ef36553583928":"":"02072ec745c856c6e86873a0523d603a":"":"":32:"e6a5726b":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cfd9c1375dfd19e64b5e4b75022fabaa049627d5238cba3a":"":"0a745c6910b23c78b1b44c02f1ce11b2":"0cc6724b9f3675619fbc70117bfcfb5871e903b0f01382e404793c1dfaff5a5b4131a7fc3041014941dc2c53871bee3ff18c08e9abbb13a8ea220cb89cf65bea1581eb8ac43d148203532dad8854616210ed7f1f9467e6b22071ccc8bb7e3bd89a0ed02a7058401aa4f2b5d0ce050092b650591282e66ee789bbf032dc105503":"":128:"8ec41e9c76e96c031c18621b00c33a13":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6c9f16c5dff4bd8d1855995dcad1c4253759b6e2a833995b":"":"3f25e3210d6d9caa8725eb55c6813cef":"7c6a66d930c95ce1028310cfa3670b77ffeb5e9b627a667859665c1dee8e69930c287fb1f1a3706ed1a0d35eb6d1becb236352a226a5b686bc27e1e1dce4ac6d5974d88b9812b39ba289b2490821319b5fd677da23fab3adbae4fb3630e2571ac887ed951a49051b0cc551e7ebe924c0cbb1c516f71db60e24773430dc34f47b":"":128:"5e000478b55ecb080c1b685f24f255a9":0
AES-GCM NIST Validation (AES-192,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a8e393e00714cd94de0347351b924ebd555003f3a297493f":"":"9c7eaf730fa8074acd372fdc53b726c0":"ce4cb46e67d85c5e68afe61ddecb1a36da4de42774d45250d0d52b328834385ce1ceba96f703daab81d7a981cd80c469855e14d834df41e4c0c98873f3dbb777fc0562f284c466b701a530f27fc4e6838cecbd162db34b8e8a23131d60d1f9dac6c14d32a2141173f59f057f38af51a89a9c783afd3410de3f2bbd07b90a4eb2":"":128:"66bb46adf7b981f7c7e39cfffc53390f":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bd356a8acd12b06de9f63825e93664cab1beae7f4112cc70":"":"72eaf459b8af0f787e91d117931e3cdd":"9295b227be3e1faf4e969be6c7f20d507431cf5da9e2a577c9b31538058472683bd52f0ad3f2fa9f68159c1df88e7dde40d6612f8abb0f11a0078419b34b558d9144ea6596a09e5d5548b275620e5a3096dceb2768d2f77a0b79e0b963387d3016ecc2f155d9182e3209d97c76329b830bb62df195cb2be11223565f496e751a":"":120:"2ff4aecc90e2de9a7d3d15eb314cc8":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"80ecc9587bc2cec1ba87ab431c7ed03926169c01eba19729":"":"5a65f279f453572e169db33807d9b52d":"29520d9020efa1ecf514e39a286f398c7225b945608d4b57ec873ae8bfbdd40e4cbd75b9b535c9f171cd7913ed4b21e09d6bb030eaa27ca58b08131817113c852b6cbdf550d94dddfde8595e689470cf92f9c20960b936ac0692171158e54041155482f29e4acae41565d87f5641d1aac96b8cb763b7f1267ccdbce234d067d4":"":120:"83dec0fb36463b86270656681455a0":0
AES-GCM NIST Validation (AES-192,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"94345293fb7733fea9c8b94be2f4fc26f8c3655f583e2b0e":"":"8bad4f3f289b9f4063ba39622ba2b7ee":"7e2b6520d7a554e612d01f462606c0e6d0181bafece1daf54f4316d707483a5dcd4275a08caecc1c20f3e32872fe3e57fa62d598949f5e49ef0efd53e918617e0a140338c007025493f2e0f8dbe5fca4a57d1db6333551bbca79243a73ae8a68dafb3089998359159df916ee6ba4f928a6a173390f15f2ee6045d578dd757bb1":"":120:"da305181a12517420c6f0d71fd3ee1":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a3915523031c3caa58ce02c2b1e6ee2eb42cdaf31332432c":"":"d5416986beb3131afd6b7967836d243b":"ba4e883147c8f07afc08735e6e439798bec60e00ed3f5982f66d6b82a9af7580934112a9858f83abbd71193190298f0683453d3f8388c475fbbc8f9b6a3d2c77046b73986a54cc4559c57cbb86330267e04bcf5fd583c6d2968a7971da64c99d98623676154b0ee413ba531ebf12fce5e06b4ee0617e43bdaeb408b54d1b4445":"":112:"f273fe664e5190a506da28ea8307":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"799d3ff266644128f330ceb8c028297991b2a5593e4afa3b":"":"9d27061dd9d50817b3086f453f1f401a":"d3b5c420ac597daaac7503cd17f580e94ad779fae0d4199ada2c7da7c4a611228752375647a03241f29f810d3a6a74a140ef9651e4a6099259f7d41ec4e51a02917e8cc35edf7f60ffc473805f56f0ad51fcc767670157c050c3214d36f831a54bfeb7ab2039cb10f7919b89b0f623a572aaed313983b105fdff495d979b8a84":"":112:"e690c9afdecea2494b6cf5a576bd":0
AES-GCM NIST Validation (AES-192,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7480905cee8be7f42b9490936041a19b060331712882da55":"":"27500a09506e0133c88f65e77721b547":"52832d4118fddf182b21513db25d54a19220335f8676ea35c0941d2a38a3aa536b8c9cbf093de83c6b24da3372baba2826289bb3cac415795b9bd3ea62bb9b48450978e79b936cd70cd551e580a6de3418a2be0f4c1f062954aed6adc94d805e59ff703d239fc2318b80cee45c57f916977b319a9ce884d7e02726fdb71c3287":"":112:"52a5721e98ba1a553d8e550f137c":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"042db3f8af95ad68966bce9ca0297ed41b608683a37457f5":"":"32d3e97edd3f393da5abc3827cae1e67":"4d7c2ee6e024e95a6e684ded9898f5c7fae7da8658bdb40560dac6495e46a691e97c047e66046b55e8cf9b02d31d3caeebe3a9f8aeed756d6b0da1ac5d4ba2c5e7b54add22f681ab1d5a2ac1463e8447e08592e0c2f32605bd02f2f03c925a2159e5bdd880323f4ce18a826a00962ce418dbbd5c276e3ff30f1cbaa4795d1ce5":"":104:"e2afbb95a4944353ed21851f10":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7f5ea90f99fc76594f0f06448321bd4bb5e494a5e351e41b":"":"002a5da3c543ca56dd7e5b013b094f70":"b8150b50e36de85158a96d2096678f31f179c8765ae6ba5723ca655e890528eae96d438f9d9365575dadea3cebb4d7df3a9d5323f93696c40781a6661dd4849531e672f5cee7cdfc529416c9c3faa889d0f66ee4049c949c3c8459680f490bbb0a25e50af54de57d9e3241e0dff72604af55827b9c4d61b7d1a89f551cea2956":"":104:"db9fd90a0be35a29f805989410":0
AES-GCM NIST Validation (AES-192,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"da287d34379d56f542edb02ea673bac097150f87648a57b9":"":"6696034b1b362927b89ae1b7ab5297d7":"45818b7b69b05a121fe5c573c9903cb11477873b24a544ba919baec78d1565f4ad0766da58bfabfaa17ac3c628238a4d38b5c0b14b52e397bcac991408dd7b322ff614bd697ce2b5b94ca155a4442ddd9e502c4a5f81210c32dff33481f4211897db38f619b308f3708d554bdb6c7b8a4d2a80ccdfd5f70501c83502a312ca8a":"":104:"8e65d86edc071446454a1bef34":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1782ac334cbffc92769a170c3cd43915f735b4423ebb4dc3":"":"736f2f24cd04e26d38e69c55b38cca7a":"5827d391efec2f8f102e5f053ac496e2910248a0eb72e8a0b3bf377c6349df02ab0410a3d28bc27abc7cbe582a03000db57843565e4fb06c4078de75c3f1a21130d55befb7ecb919ad789a4de2816c3a42d4e9b32e38d980c06045987d03739cbe7710d839c42f04f5088072c1a1044c3b89809b780e74e54ec135fbe4129ee0":"":96:"c6dc3c4ae52f3948503d84a4":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"20529c374f21c97b0a8f96f7bd5bdeb3fcd2b12db30b3ee4":"":"e6e45b7c28f7fbcae658acb533614e48":"b41290031906709ec8048f450a940eff0422a6ebc7b44666c05f17aec9debc1bfecce62d896d5df4618517fb57ce7b04ef1579ebb2636da0eead063bc74ec184b0a69ca3eba675fc7107bb52a49f93783608677565205ada7bf5a731441e44cede781120a026cc93cfe06a06fb3104a521c6987f1070823e5a880cbb3a8ecc88":"":96:"e9ec5ad57892ce18babfde73":0
AES-GCM NIST Validation (AES-192,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5634789b29e373760ecb9952f4b94ca76f40dda57ba363dd":"":"7cd1d2d6beef44a6d6155181dfca3dc6":"0130a67935e2df082a95d0bc6dab17093fb08746a809cc82da7893c97c5efc0065388bb85c9c2986a481cc4bbdeb6e0f62d6cd22b7785a1662c70ca92a796341e90a538fe6e072976d41f2f59787d5a23c24d95a4ca73ce92a1048f0b1c79e454fb446d16587737f7cc335124b0a8fb32205e66b93bc135ad310b35eea0f670e":"":96:"4006685e2d317a1c74ef5024":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f0072110572321ad9804efb5bcbc2ae7b271b1cbb0f4897b":"":"604ed8056666b17fd27b111afd419375":"97f68c00513b2247bc88a331a3ffa1208038736d6761b3b080884a8dd46e0596f2c00c1a93bceeeee814210e57d7f1cbdb4e0c2ea6a0834baf716945af9aa98e2826ae0eb5717b241ede2b9e873f94c1db9eb5e1b25f75827c25849a2c7b92098b54845ed81f52871a2b0d12d317846cec34defaaafc3bd3cc53a6ab812bd250":"":64:"64881eaf78aeaa7d":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e91e8c2d6928bbaf870e141ee34d3a56d00dacc8c7e50514":"":"6f3d661a3e321844d1fc12d5ec2becf6":"fc8e5b45ad1647f9dbdbb6b437abecf0a8ac66065d0e250aa2ae75525455ee13adce8c59d643b96de9002d780db64f1eb9d823c6b9a4238171db26bf5d05153d1e3c839b93495084363b845fed75671ace0c009800454596674217b19832751252f051f3995776a89209c1636b4f4b28a364bccdedb78ad36876745c1a438406":"":64:"1f4f495adfed6c1e":0
AES-GCM NIST Validation (AES-192,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"138ff9c8c556ffe7637f7602cae428d7e20dff882d44ddc3":"":"38d7005fadee55b5a0434d924d971491":"3facceb047e486998c945839ee5eddd67054bbb28308365b2909dabaed29fd5b7b34644043fa443165e07b20214710cd652fecd816d9273c700d6828d216db8f3ceaa9eed0e251585f4ee5ba4beb3c0582b8128a3ecc01f4b29cab099ba2a8931e56120802fdf6004a6c02e6dd00257a83adc95b3acb270e8000fd2126b8eb83":"":64:"fa8aed1987868388":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1187a34ccb75fc06dafeca0235186c64ba929adac6cf6e49":"":"9dd515d3481f21efbe43198f623b34f7":"8a1b00ea5d1f4e451cea71b3d2fc9bb03b9790a8ae8ae262b3e97ebf34911f9d865c8810b9fe779fff701c72f3639654e60898d1f57eb93381749f0e2cecb4ee342f5f34473215d5c46818338ff688637217fdfa8b7ee552db01973fdb6084c3c20b530863eeb1ce798046890994f5625df2a56042d62742097cc10d512a543a":"":32:"83f45529":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4c1052610d05fb77543b6b517eb64b487ed902f9969a420f":"":"90f4c93301371158271a8f46df1c86c9":"83d009a1238f8aa40e36cbddf08a5f3d96403a03f7d079359cd6d3d0c719bf79c908654882919dbc6c27db34007b6732cb344a0f4babd26b1209ce6b134a8d2318f9a38af034b265562097b63794d7efee306e97c6ac0a991b3764ecd936c87000fa58e6689e302f12c2851b1ffc950dad7a553c8c67e01a2270e1e5e9caf30a":"":32:"30b3fd85":0
AES-GCM NIST Validation (AES-192,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3dc62e54957bdd1968be71b7d205fedaa291349d69f2854f":"":"b8bce0f9263688ca41c4cefb26e79453":"22b6d92d8908bbdbcd0ff35299eddaf0cfb039befa2d2d83c896f373b92091d145f1771c58d60f94d3548d0cbbeabeb796d7632b5da3c66ef75cb41a35e7d1b032ccfbddbb9423e0ee054bd56b6288bdf1b616492c85393e4134ff9c066b23f3f626eac63a5fe191ce61810379c698de62922d3bdbe30697a3e3e78190756c3d":"":32:"67887aeb":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f170a6a761090355592968d67fb3514b8bfdb41cbf121341":"a050f858c87d56dfcba3ac1ccf5ba60628b3ab1b89845682a95b7f291c80f6eb1cbced4fa21e3584e21528746231e7311ec319a0fcecc329e1a7aaed0a8548e613e51db78c86c8d0cefa15e30b745b952809f87d8a4a7bbefc76a8eb824827d4334201bda7743dc497ef5fffa2812e67f2a04e5c10bf464179c6178db932ecd3":"e02ef73aee414041b137dd3cae8f2765":"":"c08c9bccf298c8a352cd72e9174f57dc9bf64d65191a9e97b43ce70afacfe76feb5b2695d72ea4635fa94144de02a54333a77c7d4adcde17c166b303f1d664e6edb081a85433a7496f91ce640f113935cdd4e7ad14c95247506ddc6620913b5c67422f599ca00b95d62a9371e44c5af5295bf96743d0f1228c96e95af3b4d366":128:"d64d9ac91548dc1bad618509633e0c25":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ce5a40618b8bb2d9fc1d87a3333a9cd4945cfa838c8e0c6":"4ad4d103da3fb2ef8adcd1e0e823f4a857f1d6fa6273bb66574033c18ba2f760951ee0fdbe06c5cd3a0a30bd11142450f2d7e71af2fa7b9556b663fc30766508aa24e1fb2219f30ec23a6cd48b58944541d1f3e3fbf596e2ef263bddf789e7a666a68638081f0ec1a6cb3cb7feb0fddbe323b307675324ebceb25cba6d9002d4":"0c4b6c940d091efee98bf27fad79b04e":"":"ad611dd6ebaeb5a634d4bfba9f965948ea79d16294b976b7c8bb57240c5d13e10a9fe7a5b5d39143000b4f24fc331cc4988685c8d6401593a420c12e6cbd7cded06504d6a1034f70153f7b5019084a66ce818761841cab52d5bcb2a579a4acd9df50caf582bc6da2b94d4b3b78922850993ccec560795417016e55cfab651473":128:"317596eefdc011081f1dda6dae748a53":0
AES-GCM NIST Validation (AES-192,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f71d789a63213bbe17aa14f2956e9da2496a1efd1a63f6a5":"f5bf20dc6a11ce5142ff34d6c4771dbee4e74790c4ccd3cb5af408a5c7bd706bac550d7ed56805f550efc7648ab501fbbc63a1070402626c5788f076ae40e6bef2b9aab9a4bd8550fe38f7cdb0fcca2657ca26f1f729074326f45ae932182905d849b1534d3effe20dbfc3fc26dc6453d6544d481e58891405dbf876d0f254e8":"17327996f18c7096fc5b8e375ed86f47":"":"fed961a497502b2e49043ff29b9426a1e864a7fe0a88281a1572fbe62203f071710ea1d77873906369b195919a7bd5b44cbabab6eee23c3692cb8b9e4db7ee595b8d4b063d209b11d64150c45545b7eda984144e1d336a3bd3f187834bbc6950b3e7cd84895a3a5e27f8394a9aa9b657fba77181c9040b741c12fc40e849ba4b":128:"9dba8faf9d12905970ba0e29bc7e9dc4":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"83182ba753ac16554e873281599113b7620bdb042704bce8":"6915d46189fcb0f9ab9b838da2124ce06398d638fec9c1c53f07a43fa0ea09feb2bf868fd1dd521f301f9f38e2e76716038f34cc0d18ab9bf27ac282dc349002427ca774e211027baacb9f6bfad6fd7885a665e508f654bb018f0323215153cd3a5b3e7b83482c08cf07ee5ef91d64a671b3ef22801ff21cfae95d6843ccdc16":"805c6b736d62f69a4c2cd4aa3745a615":"":"76dcefca6305ded697be4488513cc3fd3d9f08f06a7c1a9133b9b3fb0f44badf5c7544881b5babcb873cab912cc8a00337fc36100e6a5ad998eac5d8568795b41166377c5114757044b9b73206d19fc34b6378a06d55b5d5e9498c7693e818dd962af9b9da2345f4ebf152f33fe85f3398a65ad7dec823a1b1155c38cf67df84":120:"746c9972aa8481253d0d54db77398a":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b176e7a68da4c74aeb91760448c0257b1e17101299e1405c":"691c436811f82e747468571f80fa8502ef5f25936fca58a8fb6b619a7a95f4938da558a3b26a2f09c8fc1f5bd347c7724d9fa377d0a52094bfaac88f3fa9b3dacc2f56d880e825809533da5980a63e01d6199fbea07f3d070e29c5d50e1013224f0ea86e7c008e3a2e63df394ef6ad93ea97d73fd4429feee495b144ef3a0d6c":"42e2e70b0096ebd489bfcf4d6ac0f2a4":"":"81f9c34c5b0668fd58ec8822c6ba75bd7eb0d1741260fad6ad5e637903aa29d5f5facaccb4b885f62e10b7371f9b6b43e3aeb69bc5093bcccd49f3ee744e49f87cd2a2c36c808c47e4687194cbfd4faec4da66b99e3d4ced9cb8ac6ffb94d7fef3ae2b92b9f613f2bda3ca6c8efa9c6df8bec998e455f6eb48519e8f8ce4e526":120:"26d0921dbb7987ef4eb428c04a583d":0
AES-GCM NIST Validation (AES-192,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8bab5bf1cd8f259129ce358cc56ace2bbbbaefa79727f66e":"57385955b9909a0856bf54ad25d00779cd7d3dea78e1ae8965c4b7a568934d15ba1a7b2ab899f69fb1b864bd4d529319b51bf85a9b63de9cd51997ee4b2f015307cc42be9257e1b0a84e1c9e55a370476bff0a5325b21850f5b686a3bd4f1599f36d0772c406047b8ef29245c42ade862cb9d25b1e108db4f33a42dccf45c985":"ca5beea7dac2d9d24d548463977d5956":"":"67deff1accc4f279ec2eb4c2a515c17886371bc4847bdaff4aa70e170775b64855a6fb0d347baf39bb53d7239b7a63ce451effc69e8d8c3e544b77c75170a68cbc45dc96ad238aabeb5ebec159f38089b08dfbbe94e1d3934a95bd70f0b799fd84a8f563d629a5bfbb4eb3d4886b04e7dba5137d9255268dac36cbb5b5c8d35a":120:"f212eaad0e2616a02c1ec475c039e0":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bd0e0d0c7907bdb4b4e60510f73d8ab2a30700349206ce22":"e6835a650047033a4940f72029857fae6fff2773f2aa0e4f7cb0a4abe86b6e8cb0c3e468637057f7eb20d1d30723e3c3107d0f579e31a4c3e6fa8133e1b1b51fd21a8aa80ec657c4f674c032bc4a2d3e1389cb877883317c4451ab90692337bd8aa6e9312388a0acddb508fa477cc30eb33a886e8fbced97492c9d3733cf3fc2":"1f183eea676c7ed2ead9a31928f4df5c":"":"9f1a3017d16024dbfea4ba9df5154a6a2c794f00da070043c17f0204f06f637c8fffc760424187dce4fef044faccadefa1b1bd818522915e389d307caa481af0f1f767c38216fa048f621d46880afca5c8fc582853dec95d19d19cc943e9a1861597c99041c59e8bf8e7245f9e30b1f6607843a978d0ae7a4e0f716dabc9d9f6":112:"4ceea20bf9616eb73cac15fe7e2f":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d59c476dcef60a45be253d5cfbb24742de9e3879bdfe6949":"144696d85126c682f8446fcc2724fabe4b8840d46f3de6ae2ceacb2f06a1a80fed430e3a0242f4f7c308611c802c8b8e9c992b78a5cf401fe7a4671bf081f97520919f02b66e8bffd4fe3f4a69cf3d16667e7724890cc4b66c6ae487d2d987bfacec424fdc9865af4474b04cce03fffc828b2df66d99087e63f35eca52abe864":"9bca808f02295477f2aa7f6ac1a7bfe5":"":"9d23989edd8dd9911a3f5a80de051ec7812c6ce018e683751380ff990a079f3502ec0fabfcdacf6c1fb2503094124c39ec531b5d29ee8e4e46c324fc10dbe0f31e9aa56522bcc7085ccf768425227cbab6db4127671a4cab7bc65dc1d3d9d81469493329e29a9a1cb7e5e088e84eb243493cdf1a49b16fc8d4ea2f142aa9ad23":112:"d8b20d72d95a44dfb899bc6aea25":0
AES-GCM NIST Validation (AES-192,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2f1594e840375405a682dbc1836344be8c6b3f3199ee7fd6":"9bc6b715c65347a383f77000b3efb33b16019d01605159e09c116ded52d20721bcdde3796b6f4dc33cb29ce1c48438e95d4db6102465440cecaa50ca33ebce470d8986663652e069079f9d92ff167b3f7ae568218fc62ff5a7be50b3b987dab4fc7979e5967bb0574de4bc51e774ba05f9780a49ac7b3ea46fdf35804e740812":"7f1f4a80210bcc243877fccd3e7cd42e":"":"773d6901ea64d6840ded9a05a7351c0c74737ad27e7c3dbd38dedcdede94722ae67e88851ee471aefc1f80b29a7312fa2a6f178ef2c9dde729717977e85783e2e49a1fa2e847d830fac181e95fe30077b338b9ac5d2cfa22ff9348a0771054322bc717343b9a686dafda02d6354cf9b53c932da1712b9bb352b2380de3208530":112:"fc3e0ca7de8fb79eb6851b7bca16":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"88a6d441c1b7472aecf92c294f56f3c1da1702d174eff431":"eecc12fbd00c636a7ff897c244593239d2dbca9d1f370660c9bf9759cc41dc6e95075516f8d7fc06fa91ff68701777725171c2dc0767a1953fac13008d77065cce8ee329283d3f64adb8a298aa100c42e75d62e47fbf5134a21b826fcc89ebb18707c0f4d54f6e93220484706a23a737341c601b56f6a28cc8659da56b6b51b1":"058a37eaee052daf7d1cd0e618f69a6c":"":"0f5e889deff370810ed2911f349481dfb34e8a9623abd657a9a2dc14df43dc8917451ddeee5f967af832296b148d6a5d267be4443e54cef2e21c06da74f9a614cf29ead3ca4f267068716a9fd208aefa6a9f4a8a40deee8c9fa7da76a70fcb4e6db8abc566ccdf97688aaad1a889ac505792b5ede95c57422dfec785c5e471b0":104:"5fa75148886e255a4833850d7f":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"abb4c4f8d3c44f07d5a57acba6ccf7852030daa84d09e13a":"24d82903e5074beb9a769f24a99b18c7b53c160a3c3ae4065335bec1c4170aa4c656bd7c87a8a13c0ffc6653c045445bf8a135d25a13b2d44a32c219adc6ea2695fb9e8c65f3c454dc0e2772f4a4ce51ff62ad34064b31b0f664f635de0c46530c966b54e8a081042309afb8cf1f337625fa27c0cc9e628c4ae402cbf57b813a":"c9489a51152eec2f8f1699f733dc98f5":"":"3e5528ab16aed5be8d016fe07f2ff7ac4d393439c4fe0d55437a68967d685815e359fdb8f77d68241940ce7b1947c5a98f515216254ac29977cc2a591fc8e580241442d08facbdbee9a9ff7cfbde7004346772b4607dafb91c8f66f712abee557d3da675bb3130e978a1e692fa75236676b9205341ead5277cc306f05e4eaea0":104:"fecca951ba45f5a7829be8421e":0
AES-GCM NIST Validation (AES-192,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cbce5e6d0fdcd3ab08ccd86115149b5569584dfadf40256d":"3974339a1b90b19fd3857d812a0e59dcf43f9b0f360839940b99834ddedead79785396ab8fd0fc0e523c06f0555371fd5bc857a95c3ead26536e6deb1faabdc776ac7cfec4b60d9c24b0856ecf381efd98f941d5b2a38108922d9cf1113d1e484354b55f9c0f09d95a77fd30ec9cc04d19199931e187c56fd231f96fce5e1eb4":"ae3a25be73876b6e9dc88573d617653a":"":"4f57be0de00ca2c7c52c54b931c235fecb4ee1e5a30e29bf68f57248bafad87e484cc68465d9f64bbf502cefd2c84e5596c3c8e58a9fb51a8c8b132579a94bc32e92f7c7247dc5f69fda98727c423de5430f01b37d77e3ae6bcd06eaf5625e5c7c9c228b9dca5aad8f571369fe0964731bf1f143f2f709c7ed51641ecfc88ebc":104:"33375e21fd8df9f0196198b4b1":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"96779eaa8699469e2a3bfae8a03fd4bff7abc62d427ff985":"a343fd32fc513e0e9772acbf99feafe9de4b54e404807999b02e921e0914b2d64d0d402ef06f31e1db852899fb6db231ad4465af015b0c16407fa3666ef5c2a6d52d5b4f60b0f7fbcb13574b2aa5183393f3a91b455a85b3ed99d619bc9c5c2dbcc4f0a61a7b03e5ab98a99cee086be408ce394203f02d6d23a1e75df44a4a20":"cd7dca2969872581d51b24af40f22c6f":"":"74422abbde6e4ab674025735874d95d9fe3015620a8f748dbed63ef0e2271063b6c0d65e00d41bcf4ea86ac8b922b4d475f904c0724f0adebc2eef4a3abd0f9efd75408cc054cbd400436e0545e09e6b0bc83a9c7d1c1717589d180c7b1d4fe4ca18bde4d9b6bc98481b7971c7eb81c391ac4dd79cdefeabb5bbc210d914d30c":96:"b0e425435fd2c8a911808ba5":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"39bfb4cf533d71c02932e1cd7b800dca9ce9bca843886962":"de76f63ecf9c8d4643599f4dc3f9ed837924915ce4216759013cdb46daa0a508e06bcdb77437b0a58c40a0bd30a05ca41433218c6869f1ecd26318aff27999a2ebbb651de8e03061b8ffe3e14060720eb35a8e4dfd8c870aa4562291e3758cc1ea6c4b0fafcf210e10b31f8521bb0f6b29e8450b0cd6f8c8196ca2f7acb807a3":"d2b937bb5d2ea7d54d2b96826433f297":"":"0b0b4c92f06b17103ed581fb32d46e874fea2a2171d32aac331daa4d6c863f844fbbad72e455cd5a3ef941d8cf667fed5855da6df0ccd0c61d99b2e40a0d697368138be510a2bf2e08a7648850d2410e4a179a6d0193e49a135524092ab1f842ed4057611daaeb93e7aa46e5618b354a1091a9e77fb92a8c3c0e8e017f72deb3":96:"a188107e506c91484e632229":0
AES-GCM NIST Validation (AES-192,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"41b7d80ae487ac35aa498e5939a0f27baeedf48a494c8e91":"c26d4b918a0c967141fb5712a28698d16640d200b2934187b81ec58486b706ea1caaeb654e5fbbc0d078215aceed7d66939e0fb54d6131d8948cf58ec9571646ca75a051c2b5c98fe16f7733d42e5897b0263272015042f3134143ea3b08bc65292d8d31f30f2ed9830ccbfca2d33d290c28f4dad07c7137a4ca05f432a457c2":"626e1d936b38cf9c4c3a44ee669936ed":"":"8998e799985890d0f7e8b0fc12a8a9c63171e456ef5cb211f836a2dc7c9e3f4d1cd6280f9b0c469b703c55876b57cd1d8cef70dc745e3af8438d878cb2fe9fb1c5b2d9a2d90edf3bc5702ef3630d316574c07b5629f0db1510460af8e537dcf28d9c5b5cec6996eaa3dcde3354e39f60d5d896d8bb92718a758adb5cb9cc17d5":96:"69901cbafe637de5963e7331":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2ecce8fb50a28a085af744b44bc0ea59d6bc2c8ff1f2ff8e":"54300bfd55b227b4758cf64d8a3f56cb49b436adb4b927afa8c4b70d2584a6cba425af4fbc3840dd6f2e313f793cbc7aca8219f171c809cf1eb9b4ae8a9d0cf1a7aa203d38d67cf7719ce2248d751e8605548118e5bb9ce364349944a2205e1b77137270b83555d5d804edba2f74400f26d2d0d28eb29d7beb91e80ad66b60be":"b7e43d859697efe6681e8d0c66096d50":"":"45dac078c05e6a2c480543d406c23f3dda63f2b616007d08fbfb075a90eefab8dfbc26d334266f5d72fbc52800cf457f2bbc8062a895f75e86df7b8d87112386c9bad85573431ccfcef6a5e96d717fc37b08673bf4a5eecedf1a8215a8538e1ddb11d31a24cb1497c7b5ba380576acb9d641d71412a675f29d7abd750d84dfd1":64:"2dfe162c577dc410":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6773e627f6c49a1687a3a75d2ee6754ebfc2628bdfceba28":"eb0a64ad510968c68a816550d9fe2eccab3bd8409ab5a685a8638f81b4b50a9a96318bff4e86f7f6e9076960be8eef60e72cee4ea81f3ba269d8ab4c9581a54638421520a6411a83e9dc83b6981a9dcdd9e4a367d57f156d131cf385c01a736b327218e6b6468d317ff78a01f1588c359a3a9b188bbe5d3ffad6b57483a976d0":"ad85becb03a05caa4533b88940ca141a":"":"959658fdff5fd802fca5c5a79d59536ba8ef1359ac7bfff81264c7827bd31b8f02ecb54f309b442a54a5a57c588ace4b49463f030b325880e7e334b43ab6a2fce469907055e548caffa2fe4679edbe291377c16c7096a48aef5659ad37702aed774188cb4426c3b727878755d683ed8c163a98a05f069a0a3c22085600759170":64:"4c0f4621b04b5667":0
AES-GCM NIST Validation (AES-192,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1c086f7404c14160f33d6efde231eda610f92fa55ac147b4":"fc8e5cd81755e489de7e3ddd2b587149ee013bffa2ce198c514641b0e1659261edd60bdbfd873e30e399869748bfe56ba543ceb9bf5fd0e7ba2b4dc175c52f28a8a02b4816f2056648e90faf654368c64f54fd50b41ea7ca199d766728980e2ebd11246c28cfc9a0a1e11cf0df7765819af23c70f920c3efb5e2663949aaa301":"71f154f1dc19bae34b58f3d160bb432a":"":"6d60da2fd060d2aec35faf989d8df33f2413ba14842b0406e38a6a847e191eac9f4570cea647c3988faaa5505ea20f99132df2a8799cf0543e204962da1fd4f60523d7149e0dee77c16590d7e114ac5d8f88fa371dcdd254eccaa8316ee922ba23a0a07b289739413ddffc2c709c391afee9289252ddf3ddb62a4532a5515e35":64:"f47bae6488f038fe":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"bae1b3eef91ba79032117c60fb847d46f18175565d0ed10c":"9b71eeccdc91cb5f7a567a9189774f4c30d96477b88ac553df66b78a56e5c9e0986a17d80c811116d31985acfbf9d7a9bed291aa2fb6329457a836b3f8f11c16416f0a3b86dd9c717c8a050c6ceb5c27d8e2ee0dbe63f3e1e4f0aff4809e1f6f6ed64d31d494b7399cfa0dd9446321bd4256a49d0793a10a670e3f086408428e":"cec8b66a657e4bdf693f48ac52e60770":"":"015a318acb6198189ce908ab1af28578a37a48beeed772c6ed4dceb0a3bcb092df85f653234c56a25c075c8e028d4a8d90d974fb0477834ae2de8d5df53d0d03a979450b6e7a66fdc9b11f879ea9072699837f2de7192156f8e5d9411fd83d97d31fe63ece4e4326ff50a24fc75004a5ba2bd4845b29e0794696943dff1e5d6e":32:"9cf6f90a":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7c1582240ad301f831902c66334546dd681c12308add0870":"d4b716b49858a23aad478581cbb6dfd015ae550d76497229b5b1776e83f2ded8542675c63ca6a007a204b497ed2ef71ca125d91f386be9b4213cd352a797a5d78a1373f00916bb993de14e1a0af67524acfcc9fd71daa32e5def9a3f2dab5b3bba4d2f9f2cfc5f52768b41157fe79d95229d0611944e8308ec76425a966b21ec":"b6f4f3959914df413b849d559dd43055":"":"79964f8775c78009bca1b218c03056b659e5382e25e43759c8adfa78aec48d70b32ffd56b230fc1ce8c21636a80a8c150e5dbb2bd3f51607d97ed097617963dc6e7653126fe40cb36a7f71051d77e4f3b768a85ee707c45d33cc67473f94c31da3e8b4c21859002331b5f7350e3e8f9806209255ceac7089176e9d6b70abd484":32:"79e5a00b":0
AES-GCM NIST Validation (AES-192,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fd55a356943824d20630b1539627ad1a9dcd8ee2cb4dbf49":"b8d8d6dd0631f9183ca858033a31dd583d3ee3b9510fcc69d8cd412016bf854b9edcf65c2831e63d72f4cb61a99f6f4e6dab0c2ce9c5a8cdbc179ae93aaca2c8a5b848a15309be9b34e5226aa9a5908f543fdda983fec02e4073edcc3985da5222b53f8c84b9c54c78dd8b2712b59209463595c7552e28f2a45f51cb882c0354":"aa89a122c68e997d0326984fa5bef805":"":"107a9ed561e6c45c375d31dea321c7b4a4b7641024d2c9eef6a103a750ba15e1acacbcae121510b4f56f19d29e6fb3e6fc06950b1daa521528f42284130a40e5a6c1b58b3b28003673511abcf59a4b9df1548a00f769d8681978b632f75e5da2cf21b499a24fbdd4f7efe053d4a1b20b240856d3ae27948e35098aa617def5bd":32:"7f9c886a":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4cddc8f525640fc0a0875c65b788ea75c673f84f4aacaed4":"55e3ccb855c1fd6d33e28d308485fd85abbd8ade1299936996851d44dde063ddc37962f9f67e95df02eaf3d877516240771c469be2abf2ef6c8dcbb79eb1976f825b109f752079957a7c981faa2fcea599cc52e262b84f4c2031821619f0be6fa3c38d660e9eb3e0d5de2da6b83de9866eb3efbc6a2dff27e52587c6f79e1c26":"1b883a89413f62dd6d507cd70c048855":"eeaf21bc317660b0e2afb9cd5bd450ff0bfa6cfa7e49edad600f71b971347e93b9712a6e895540c665a1d8338f61b51da9e0a4a9122409824287ba4bc06bdbba10290a40b31b5eae9dfeb6471f4a0a0c15c52a2c677c4d472630d4078ecf36dc6008faa0235a688ebbe2662e46a49b1dd58cbee82f285f3cdebda1dc54673195":"18d11513661296035f6f42d264e0b4cc7ec47f43b758c6dac95e5e3b3834362eb64447d923e107a60cd66ac359cf3a203f9070eab9fe61ae64a86606c9b50a97a19e12f731de28719fe178c9713edbb4525b221f656a340c867405c41bed3bbcb9c6da5cc6a4d37acd7a55f251a50fa15ea8f9b8955606eaa645c759ef2481e8":128:"dec3edc19fd39f29e67c9e78211c71ce":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3b8c31830b1139a60425f6a34387f5ca2be6f5a5074adf13":"95f4ea90729de0f0b890fdf697948053f656bddf57e3d461e7ee1770161904bb2cbc8c2f801481bb54145af760e91c8b30cb22faa87efcc6f01e3f798af0bd460475754726514d53f419af2f2c373c76f05bf57d3fc1b763f72ba0fd2682d9d1d76f6ce8d55b56fc7ba883fad94f59d502244804bb87bd06f1217a4a6c5055b5":"ab5bf317ad1d6bec9cac8bc520a37b1d":"5a47d7474be6c48fa4bdbb090f4b6da494f153a4c9c8561cae4fe883000b81769b46cd65f4ce34abc3e5c6880a21d12c186974b0c933a16ba33d511e79b5f994c38e383b93eea1259d38f9fb955480792206461dd29d6d3b8ff239ea6788c8e09c15be99f094d2d5980c6c1a8efe0f97f58f7725a972111daeb87d862a90a7d0":"1d0211d7d7bc891e4fba1ba7d47ac5a4f3b7ba49df69fcfde64bf8689b0eab379d2f5567fcff691836601b96c0a3b0ec14c03bc00e9682ef0043071507988cf1453603d2aa3dc9fa490cdb0dd263b12733adb4d68a098e1ccd27c92fe1bb82fa4a94f8a1cc045a975ac368e3224ba8f57800455cc4047901bba6bf67d6e41f94":128:"23681228c722295c480397fc04c848a1":0
AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9c2386b948f59ce651888451021772287f14a92d807d88a8":"44f00c8a7c84e8207ec15a7be0b79c88fa347e2c3d5e8d07234536d86513bc39bebfff02efb9ff27280eb37f7e8a60a426538bc1e3830bca0e76faa33b30719fab51578d15df77893bce8740f50c491b8b9f1739a695c78406b5ee4d56f80d8d564b586b0f22ffa86eca46a9d8134a9507c5b9ad82757ec51b18741abc61f23b":"7a1f7d0be4c7f8869432cb8b13527670":"f76ea9d6e976616689709700a9638204e616f4c1c3a54a27fb0dc852990d81dfd6787aa5a83b9be5087d3f7dfcd522044911fa4186511de1957b80338025c6c4aa72058aa3160047cf42166aa0089e2ec1ac8ea6d9f5f2c057f9f838a72319dbd7bb4948da3bc87fc2036a0e7b5e8cee7f045463152ff80a1711ef1096e75463":"666c4d6d3f1bec49ba936eea90d864e8ecbe0ccc7b23872a4ad7596afaec628a8165a70397289a10c67d62942e1c158f1489a9de44443ac4181e74ebf2562995c9182b57bc960f4b5d3e33fb7cf7a0c32a59c716de23639de9bc430712524d74a087647e27ff1af87a2aa0cf0b58978ad8ed616b566225d3aef2ef460be7393d":128:"53d926af7bbf7fba9798f895d182b09e":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5852b4bbfa623e5e2f83b888f5eb6cbe06b57299e29a518c":"8cc85e520b45a85c69cd80072642ef1500b1e0a409c435d685544a6b96d3224cc40e5fe8a21c4959b2891d4a53bbff03db9939c655e6e92222c6b44c95204827bd800c74666db64907894bc4e3043fab318aa55a011ab9397592ced73f07a06282c22d9a57dd7a37eadb02f59b879b030d0a5005226c461281ce3061bf26de56":"b96f4bda25857c28fdfa42bfe598f11a":"0bfdc1b16eeae85d550a97a20211216a66b496c8c19030a263f896958e4d1decc310b955523e314647edcbe3f69970cda8e07f8b81f9074434fd86b8ec5b3fa8b155377ad28050b50523d3d185e5869bc9651d97c56ec6b8047c20d671f6dc657f4cdf73fd7d3caf4b872f3fb6376eda11b80d99cf0e85c4957607a767642da6":"b148312074ecfc8f118e3800dbd17226d55fc2c91bcbceeae2a7ca3b376f6d568dd7fcb5c0d09ce424868f1544097a0f966d354455e129096ec803a9435bbbf8f16432d30991384b88d14bcad1191b82273157d646f7a98507dc0c95c33d22e0b721c046f1c13545f4ed2df631fd2b8fc4940e10e3e66c0a4af089941a8ad94a":120:"e3f548e24a189dbbfd6ae6b9ee44c2":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2bd897e969ccee405ba9becf24787a1e1be17a571442c6da":"50b8ade5e6547c350c3f43a35a3cb641459c5ef902afc706ce2fb980b275fda62e8974d1577ef65ce9fd854d88caa10295d1045ed7563e9391d60700b5d2a4a7ba5f3de7a7d1541780b95a08eb3f0996d96aac7ee838b67ee869447617684c08566647a4991e31829907ebe4b32cfa46c0433a64f864b8b9316cb0ec2578ccee":"fef6a08d92b5b9bdae4c368fcd0cf9e8":"fb3144ec6d93704d625aa9e95be96351c6e25bccf1eaaaf9a1d405e679efe0f2da07510ab07533295a52cdc1f5a15ef5bec9e72b199625730e1baf5c1482f362f485d74233fbf764d0b6363075cebd676920a0b315d680e899733d6da05d78765db159c4f942a31d115d53f1d89cd948bc99c03adad1eee8adcef7543f9dea39":"e65ed5b6d0f51f8876f483f3d8ab8fed78ab6c2e1cf50693c8511e1cc9823e1030740ac33f05a5aa0d88205bb3071a087655f28eee7d0a07945d25e3dc00221a1dade4170cab9084c47b82376d5d439bed99150811843b176543f7944b1dd9684fa9a52117c2335dda750d9de0d9b3ef718123b6534cb012080f6ef8eda8d4d6":120:"468546d4199b9d923a607a78fa4b40":0
AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"12141d5834b8ca48b57e0892b6027c997669dac12fe60411":"cf475b50672fd8cc4ba84d17ab1b733fee2073a584d5427155f144ddd945d4901d5a9d76e3d6ae55ab3f9514861c83bca7d53868f35bdc8606a167ac83591be30ddb954ee173ee172e8d7742a71c0fee04ccd16fb5d54a45820640405209e20f8494f08d791a2a15f5cb848df689296a04e4b01e2c19bd8d9ca8b4525853549a":"b6dcb39939a31df176dcec87eb8db90f":"daf4e0cd0b29343defb65562594b2b6fd3f005e6255500330f77a0550c1cfbade5f5973e836ce7046bc2b2ab8bb7983830ce6ce148d0998116183d1aed320d28adef9ffab48e0f6d6451c98eb83fafc75fb054991d123965dbddcf74a2c01c746bbbc8276b77f6732cf364d8a4a5dbf5aedbbe16793e8c406ba609c90f0e7669":"4c2d979b9c2dc9cbbd6d4ed04094285a44df92e7ebcdee7feccf04c66c45137a7df12110b8af805f5cae9b4a225c3f8dcfd8f401e05c6ce937cbfc5620acdf3a4917c5b857bff76f3d728cf6a82a5b356fb95d144125d53e568b313cef11c11585d310ca0f7f1234090b1b62536885e9e39b969060ad3893e476e88941fe2cdd":120:"99cec94a68d3e2d21e30cb25d03cd2":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"14b9197b7980d95b71ce1a1de6577ce769d6af4cb45f7c8f":"03b37942f12435f1c19dbcff496738207dc92edf1ab6935b564e693da1865da67fb51e8a838559ae1640da441f22ee79787f1e909cf3c32187b41a48fbc595df1c097fb37881b329fd7b30dd1e05d6052fe81edf2e10786acc8aeeb4fac636aac9432c3be3dafb55c76ec85cc13881735609773350b95eedbdb695b2de071a03":"cad0cfa7924e1e5cff90d749cfadf9f8":"283c8a38c7fc9dce071d4ff9ed79002a6862f9718678b435534e43657a94178353b9ec7e5bb877db5e4f62a2ca6bd557562989363c6fdedbd7f0f3eeec5445c41a2a8bc98117a1443ad4d5dd63a07806622cca8ea6f9f6019bd511634db28651b916e2399bbd84b03f8ec696ed5846f30320adef22ae6d164aed09edcfa25027":"83940097301e9867623c107d4447b250bf6db7d06f9e07b8d8bc6b72b079b725ea1f4b5f79bb80c518bc69a2bd73cf3aa7b88162773ac5b27a2dcccecce66e158ec0875937910e0b6f396cc7d7cac5d53b0fddf3cd70b570a647245a5264927be1b2d9c46fbc6a630b21fead46c4f35af1d163268e49a16083590893e6df4671":112:"3e3f677e68208208e5315b681b73":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"80e2eaa70362203b7561b135db581cf32e9cd816464f0b2e":"62cc2db32584a8d90f348be32224bfdcefd1fd25c5cb05c7e74becb4b40ea09d6495f73adc1fd23d148c11849bd825efdf15e144587f785770d2aef2788b748c338373a0ea43882141bc9f7c693a291c512cdcdea6d5defb2efa2324736df7fc4b434d7f4d423fb1b8853ec3fdf2c1c2881610a8d81da5de5e761f814ed38e35":"3d7e99ddea0baa45e2f9f2289d2182a3":"71663fab717ec4d9da34d4851437f4504dbd71b65b0d04eccc513282c351925c23892958b4c9dc023c5a34944ef507e0b40857d8b508ab7104d13c2fbfce2d086d466291aaa449ad36977837216a496ff375959afe4dd50dc2620a062c926b939ffdb144a656bc04bcca8d1d4fa0a9cb0a5d713721accef2d2c9688a77bb42bc":"1c56b492f50fc362c5bf70622f817e1814ae0b69db7e3055fc9e690d2adb940f9a78cfd7e08044671913baec663d9f9af6dede42fe16d200e8421d22066009535704b05b3775ac41359d7c2697e2f4bec40df69b242392eb30e2d8a664d84cf95ec21797f1ccddb72926cfdff22848d14e373f5e6c3dd349196464c98dc38365":112:"e0c1b140cd7bc4ded916aab8780e":0
AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4b7aa649cb1488a658b4387451bf59852e845ec7d2273c69":"245251595d10d719d8d00610d391735fad377b60d7430c7db488488c1ec25c12ee0dee3aac3d7dc19aa602924a1f27a2cfa8f6354315db93b5e4d2b6e8402c4254921e683ca681dfb3c7f433a97f119e01f2acb20988dced8494e086395351f2af356b11832472cbcb109c13ff92f10a4c8fe69bd264c8933cded19a980bdbd2":"07b50b1aacdadeb03e7488458db03aaf":"2a7970ee97d612b63d2a0c29e5045ddfc6621c237bc270b3147fc0191de199b6923947e3bd3750de5155e1df29caf96ac702f948c38619e218138945595156cc5f1dcfde0d1d6a5aec48ff37c9ff2b2209a904c59593779820ea68ad95898c7ca0d0d81583c44feb0fec30665cc56620a8c9408e4275e60f5284ed7c0e58285d":"6bd53e4415765f387239c6664f837371b39f6d7ff22453211e91de5dd14272784fffb4f6b2c0bb8c6b7d1cafc55133aa0d54d410ae383008fdd87645655062322fbaa06df0a2d7ccf4cc170d1f98ec6a7ad524a3e5b07761f8ae53c9c8297faa5b5621c3854643e0085410daf5bf6c7e1f92bbbfc3691eeff1c5241d2307bbc2":112:"78d37215234f9a32571d0d8b1e51":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"512bbb490d062fe5ecc8e5ad95920a9e9b78bec6a7694dc2":"862f2724ad82a53e0574c0a2a0515bd86c5ed0b5ae92278a78ea1a90c03059d08a91d1a46678aef862b56d0320e970b7f941b784841b4d8a38d056f2bd352d48c0028086a36426bbc1436da9e021dcac705b6e03649b426cebd7a235f6d060ab6302d777fc9316db4a85e8c1387648a8f5ce2398a247413cb9374124449e498d":"2d14fb3e058f97b7c9e9edd1d97cac7e":"290078e63c81abfe99010b8344ff1a03dac095e2473d7a31888102e838768892e8216439dc3355aedd073892f4449d9d4d3ea6c25a9152c329d24cc73eaa0004832691740e60f17581201c8f7f4023d8e55faa3942ad725d21dade4c03c790b5370d4cad3923527c20ca925a2ce534a652ed7e032cb1c7906aebbdc24e6b39a4":"44e78cf3a2ce4a5e498315cb8d5e841f926408921f3665d533caebe0a7fa6c164b3d2c0b21ff3a608a7194e3194fda165ada8d5fc2e924316aa4ce201531b857877c5519f875eb49e5908d8d81b69472d03d08c785ee374c5fe91b16aee173761af7ff244571fd40aadabb360f38d301463e9da8cf8dc44d20848688ab3be47b":104:"6037cb18f8478630bc9d8090e2":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3964ee03ec5e500f2f8c05313b78615420183fe2950be32":"b9424e4a79a08a7937da1da15061c1eb9a873748691ec9c1fc76aaa164bd34873d07437d203c92c0e89c0c5befedfbb17f721f576473253617547206fb2b340945536cd7a049864d099419cf3f7a9154c0ac8d676b0e9ec02947caa4057560af347ddb46002703f3531f27b2197790ba135e3d3c0709c86f4781890deb50f3ba":"d3d4e5fdf6e36ac75b4d51c47ce5b8f9":"6146a97a2a1c709458bef5049088fdf339e4fe29cbdf519c93d525b71c9fb501c4b58bef49d43cc7699b18fc89cee1a4a45834f517214a77fb3b91d741977308e1585c474245802118d0e2c7003057c4a19752a143195ec2a57102cb2a127d2dbefe1168492e072e74c5f6ee102a0c371b1fe2ddfd8ecbc04c6f42befecd7d46":"a2ae334bac969072e754c0e37765ca6253744941a35587bb4feda54233a7a59f037e971d254c67948b16e4c35f306c0984f00465399405ce701ba554419a736cdff5a1b4ae5ab05e625c91651f74aa64c96ab628243d31021ad56f535eae33a885b45730268f900b6df0aff18a433e2823ddb0628a7026b86b3835160e5121b0":104:"817be7dcf7adef064161b6c42d":0
AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7a8049f521fe9a00f7bf566369e540a48ab59d83305e2829":"67243a336a10b82a0a8638b35dc147c14ac63b20977922a13de459ae2cfbdb262a79004c3a656dfbc073ec8878595e24998dc44b9435439af117c9635c479676f6edb8f522cf01571be5aa5b5bc7d1cc3264436566f8d3c684973d1e88d46282b53836a1ab5a698560e5bf7629ec12cb141867f684b369546a1d8bf48315b6c7":"e4d81f71e1de8cf4689bfe66a4647f15":"4cf6733482c218af832e99970d0717ac942ebace0fed4ce4dfa1f710b9e131a21cc03dd3ced25b78bccd1991a30bb53b463c1440b6543b19af91e31c18866c2acebb78c2a340b930518e61a63ff8d6a6e8e7960523de40a178614dad4ce5ab253e1090a097f8ec00dfeecb46aa0e8f772f01c4e706de7e824386a13944600542":"cfa8ba247ada9e6b3e5ab7dd0a7108574cc811c2986cad951168559ff697b77684880ec266f0b7d87a2ff559e368a85846becee312bb2991692d928a7c191cfdb7f1468f8b84be4bb592ea640743443bd4941a8b856c57be21eb22fcb3f6c0a80728ddc9dc5fab1c77dfceb91699009054c5a4eb0714a10b74cf0e09fa630299":104:"1dcee251cda10b2ea8f2bfe6a0":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"657567a56e585c84e4033268f08f712aa280015b77cd657f":"96d889651c4f3f5120bee233f6395fa0bbba1f6548b109be568ff96f11d24e34d67beb6c20268feba89240674b0b4552d0a6455d43e8edf943da3d8d785a5221df8ddb3a98d2fc611ac7362aef71f8f004eb455a16d1dcac488ee83d4f11c4a00c29d9990c5a2a97b897d67e51faa40999b1e510ac62fa4859123cdb37d202ae":"94dc757b6bdbfe925b762923cd0a08ed":"a2c54e8da7dca49c73550bd1f5e68449295f062d5dfe5aa4201bdf353a2a1ac9c3c61f2b5482184cef481fa378a1ea990ce203c2c7d76993c62b415ece06b9b7caacec0c4147c0cbf292e528d97c1a176fcb1ca6147cfa4bcce92cbdfe617738a92273282c7a65fcb997bceb867ce01ec74541582d3961dddf3a2af21cad3ce6":"55a5d07a77fc37090c4206f19483aa3cc03815194ded71c2b2806ad9563edfebfcf962806ba829373947e3e93f4f39794514ad7b6dbc626e29fbc35f90f573da33ab6afb5c94383fd0fdd1ee074d650d192f6d08fbd1e24a6966a81a2ffd83fab644ee914952de77e9427262314ac47c11a44bf7d2890f9b9980499bb6a1f692":96:"41c72043f6116ee6f7c11986":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"61159242d48c2ca0c30377ec2ad701135adb62d113c9f9ba":"8ae40603f6cdae4b63ac7b18b4bcbb83c65867c2ae270102efb6f00aa8af5d0400dc95085910a50a16cbcf71f06c3f3eab71345d59c6054aaac02971111c7146add8c072158e0b374d481bb540036a136ccb91523f96f24ea237940ab011ad38f2a3095c0785df91604be1fe7734cc4119b27aa784875d0a251c678900334a0b":"4fda7236bd6ebe0b316feeea31cb5ebc":"ed28e9954634ec2c9e2df493062abf3ea3e199299053a15ce8d6fe051d1076287e4e7c0b2bab0a599b763a29d0aab680626f280c4f5ad94b7792d9af532681f6e4eb2672781f2342304daff902d03b396853eaf585af4d3bf5078d064e9eea6e94e667722f15c004f4cf52253a5c65b75319b07ba539558d8a2b552390a21577":"dba251e35422f60f902f594bb58dce37131e8ae06b5f40ad23c4a70a5e25fe24c76982c9bc11a7f4e3cc62d8c1326170432633eba1634972a9bcd093b08e1c63ece07c4be79cadc888b0408e40c09636e1cf1e5e9a6f2ea44eea5409a2ffe9c3ac9a18ad7aa9041f08eb109c01ed90732a8afe0694319ef98a0269685b4d16b1":96:"b0feebfc8324fd1e9e40f7f0":0
AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5b4c37150f8bf0e14e0bfd37ac14e606dd273577007f24b4":"48c6486b2691b86f5f107e8fe0122a821248206d2dd3ce898a2bb3772202ffe97292852bc61513529ad95faf6383b5f6c5a7c16c4cbe33cb02e5e50f32db95ee2962aae1c9c0f5470b3baa216cc19be5ab86b53316beef14397effb8afba5b5159074e26bf5dd3b700f4ea5abd43e93ca18494e1779b8c48fcd51f46664dd262":"664f553a14dcd4dcba42f06e10b186aa":"4386e28ebd16d8276c6e84e1d7a3d9f1283e12cb177478ab46acb256b71df5a2da868134ed72ef43f73e8226df1f34e350b7f936bd43caff84a317b1e5b2e9a2b92ccab1e3e817f93222dd1e2cf870d45a8458e57948a649360c6e2439bbcc682383b50bcd3d8b000592c3ca599e598a03b9953af485f1ecc22501dcacb7110e":"05fdbb5ad403d64011e15d27cd6f5a2247e018e479e58ad3fee1e0e8ddd9e114c0e82f2c947ff9af525ce752f4aea959463899542b85c9b413d065ea175103c3b3c35f56eea52af2c54ec08a1d5b7cd5ee4f59de8be86512b770e42ab176b6b70ccbcd264d6d5cfdd2e52e618dc24251ac339ea38cdc446c778d2db3c7c3e93d":96:"77f32401db21adb775e7f1d0":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"531a380b109098eafd997bd25bfde4868d2a1ca781795e9a":"466237db78d4c770a658b9693420a2e087c978fcc434c9ac82f3e2447b2fa08be32d2ce6da25846555ffe5764234b07b35dd1d1bcb710e8a49f918f2c873681f32765b092a836e9418faba61dc59a254c923159be16f585e526616fedd3acfe2748ce19ee03868ea9836bee2c6acb1b821e231eb2d30d300387c93390d51e3a5":"ad079d0b958f09732aaa2158f6215573":"09e002c2c48beaf1122411e8624522a9e90cc3f2a040c52ffcb91136519277c39fd6a79292b8835e0fbcaef2279218106aaf75036590f8a46f6b6912053a3b391849f7e204f096288d6141d5f80c7f91dd2f2b6ebc1ced6af8216e0a594814b56bd592df800299b29e26ed7461ba3f6f3cf151b9c10ad634a01d9c5e578aa372":"d1f49f94e6fbef7e21abad23e16c06fcdfa75a8c342be67baea8e0e57dbcd2971276e993faa124ac81e6be18f68af303518efd926513cee9dbcc5ef6cf5e9c068a1210e53fdd56776148d51597e359dbaa0570b4fe15476ccc9aa79f7c765755b6f694af4269b9e18fc62a0d47708bca67dcf080e200718c22bac256f641e7a2":64:"01ec395c99a17db6":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fbd7a92120ff973ec69b6a8189c6ea827ca20743a8781518":"1583c1578a8c8d272a970f05d875f199e497c55f03f10f7bc934fee21c30379dad3c580b3f99304a5747b61fd43428506439ede2c57f5229e13da9cb7cd6174cccbb397e98fb90455ccf3ea3b1304f432a070a2eb5205ed863326b3b86d4eb7f54ee2ffcd50ed6ef01b3ee216c53f4f2659a88fb6343396b2ded0b389c6266c5":"57658c71b2c45f6ae2d1b6775a9731cf":"45ca8a168ecca7a42847b779ef152766b902192db621d2770b56c7d592207afaf52d19a6059feb76e96b90628995bd6517af3f114e97af8d602a493b77405e93095fee6761877dc292fab696a4303102dece60951cca20cacb171abdcfd0ef6da6c90b44edba63b9b6087d876b3fff24dea909899ebd0d0371c424f51a9a84b8":"58a290cf0e774293d1b55f5ef8a305f68605c0c81668b8a1ba95fceeaa65229404e18fa54dd811a6af085c98b8854d0f956adc2aaad742cafa9ed53d7cb445451ee7a4dc1e8399ec7e5b4d004ecd22496565bf444b2e3d82ddf6a6d5e6256c5095a699d7ff3f8cf2addec73e21013ee6f3dfc0a3abf316ea5ee1d6943bc394e1":64:"af737ec3512da2b4":0
AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"54bfc8379e0a8180b931c5188c95ab3ed3461d6e9004d182":"93327664eb576bbb64e4ff061874346b4e80a779cdeb1fbe630bf5e4307d4f2c5d5ecc94aa8bdea755c1af165fc8925bfcdf128c1ee6571e9f8344b22dfc90ed893316031661a9438b305396f3a80452c9b11924163b7fc4422b00dc58ee0e674710239975a2cf3253bf2601cd155e09547a5f3be1adda84a4b29631a8e13161":"9d15df8de4150f44d342f2031de3611c":"63331936d2972abd44c1c9f62e42bfa932dff8cc75d9f555f5a7847d08558e76f5393e08909760edbef8d2922a7ca8e1c0c505ca627c02af73253791bb35ff080b4db7dddf4c8b304999ff645227cd79f13ac87f9c963b93a79a0e946e5781cdbf1b4b1967a75314f19c7219e3b69dc2c24ba09fbbdf7184278f82818bdd0958":"18ff87dccbc24c396190c7b37c4a77f86e609db7fb2b326802714d0f196b00b84af887f1b3bd30ee0b0b192d0801ac4e59ac40e5c652b3da32aa024da3acf648da0253674c391d260c0674853c7821861059772c9a7f2775a7ef77d1d31a6ec1c51c5f3089bb516f8cf52d5a15724281086abd92a74d255b7cc84b5051be4e5b":64:"bf0f7f8084e79da5":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"21b775ef8c40a5387d6c8eda4e90d0a00c795681a2887dfc":"6346f84301d6d83e1c5bad44fa7e0821f35723713ee8d4a9e2bf15abf953425b09bd77b2360f4e62e82bf9e14e2b56be51d032aa8a96e894f19f3e84630f9eae831b329f7638b09de7210cd29778059ef1d0bc039c1e10405f3ae5e4ca33216adcfc21869d9f825344d62b50bab03f7aa7b92fdb94951a68acd01f1dee75e428":"9763e6187d4b96b1801d1f6efe7e80a5":"3bd523c16a0022b780ae8318a28f001502120bb26e2f65f4fe94019686f9d1df330e70cef1b2ba4b6ce1f7ef37750f47e602843cbc5f13ff2ceadc5091eb3601604b70bd4acad3d61950b9dd2cbfd83a391223c8e09fddd4020c0f8a8a7057139fd92f3bbe034f03cc48afdde064c8b13ea942ec0d621db959ec9d5fa95afe45":"f25408848bc27ab087b3ea053762837a534c3702dd8be01d79f075f61d76ac1d6557d392e1fab475cc7d13a5f6be6f0718bad71c3c85b5996bd3c0159e264930988e3ed506bcc94fabecfb58caaf56e2e4315bb50817cba765636d1faa91147b3880815eeb90d0934180e49132833abfa6279247d9dd4048dff851e9a551ee1c":32:"d1fb9aed":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8a7d8197d9ceebd8e3f6b3bfb74877ccf649ac91d7057af5":"37b01df357561f5aa43b5b4b0081148213f7b74babc80f4b3c6dd78ad17687f11443cd4a57f8d7a74ca3080e2a229f78d8e6db276c1142d5f4ee764eaf09cfd70c596d7a2cad5360c2de20d5e17ec6e06a9b049bb10f8742a30a94270cc6d7709b2f09f3cb8347e41117b7ddb99e4a939f3094c016330a8f170ccccb9d3651fb":"db5144951a9f1721397b7321713a723e":"ad72fa5a05adc40fb38245da019cbf50958ccfe26abf67dfdd49f4c4af6bda8bfc99d557913b2634c5c65d33ca909360adf598b703db1dbcc29481b17ca42fce3315ea1454693b5843e751fafd78158fc040c1cbe607063ba9c0ac02ae4b88989e3cc63adda8427032c70560349e1a8ec847906a9a7b0422a694a1f9eb2b3b72":"6985ec525cfe869e1709751eb6f1ff0aabcb39ae3aa708adc452ce1a8cad8ab4f1739f660b2841566f1f5c9e15e846de7f86ca1dc085188fcaa4a3f839ab2a5f0cfd36e36965ae519fe14f98899ccb07a3ca15ec705e3160df6dbc37ab89c882012eefe51e4da8d6d6b84b3144ca87a90864ff5390abfb92992e44c46807b3c8":32:"c51604f5":0
AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"713358e746dd84ab27b8adb3b17ea59cd75fa6cb0c13d1a8":"35b8b655efdf2d09f5ed0233c9eeb0b6f85e513834848cd594dba3c6e64f78e7af4a7a6d53bba7b43764334d6373360ae3b73b1e765978dffa7dbd805fda7825b8e317e8d3f1314aa97f877be815439c5da845028d1686283735aefac79cdb9e02ec3590091cb507089b9174cd9a6111f446feead91f19b80fd222fc6299fd1c":"26ed909f5851961dd57fa950b437e17c":"c9469ad408764cb7d417f800d3d84f03080cee9bbd53f652763accde5fba13a53a12d990094d587345da2cdc99357b9afd63945ca07b760a2c2d4948dbadb1312670ccde87655a6a68edb5982d2fcf733bb4101d38cdb1a4942a5d410f4c45f5ddf00889bc1fe5ec69b40ae8aaee60ee97bea096eeef0ea71736efdb0d8a5ec9":"cc3f9983e1d673ec2c86ae4c1e1b04e30f9f395f67c36838e15ce825b05d37e9cd40041470224da345aa2da5dfb3e0c561dd05ba7984a1332541d58e8f9160e7e8457e717bab203de3161a72b7aedfa53616b16ca77fd28d566fbf7431be559caa1a129b2f29b9c5bbf3eaba594d6650c62907eb28e176f27c3be7a3aa24cef6":32:"5be7611b":0
AES-GCM Bad IV (AES-192,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes256_de.data b/tests/suites/test_suite_gcm.aes256_de.data
index 2777a27..8361c60 100644
--- a/tests/suites/test_suite_gcm.aes256_de.data
+++ b/tests/suites/test_suite_gcm.aes256_de.data
@@ -1,679 +1,679 @@
AES-GCM NIST Validation (AES-256,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c186654406b2b92c9639a7189d4ab5ab0b9bb87c43005027f3fa832fd3507b1":"":"3a0324d63a70400490c92e7604a3ba97":"":128:"4c61cd2e28a13d78a4e87ea7374dd01a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"747d01d82d7382b4263e7cbf25bd198a8a92faabf8d7367584c7e2fa506e9c5f":"":"7156358b203a44ef173706fdc81900f8":"":128:"9687fb231c4742a74d6bf78c62b8ac53":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cbe30216136b7eaf223e6a7b46c06625176d9a08182fa806a63d8b143aa768b":"":"4fe6ace582c4e26ce71ee7f756fb7a88":"":128:"d5bdf8ec2896acafb7022708d74646c7":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f31194c83bb8da979a1eabb3337ceb3d38a663790da74380d8f94142ab8b8797":"":"404efd26b665c97ea75437892cf676b6":"":120:"e491075851eec28c723159cc1b2c76":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"daeed52ae4bf5cbe1ad58ae4ccb3da81fb9c0b6f7619ca21979313ad9d3e83c1":"":"4037eadb11249884b6b38b5525ba2df4":"":120:"360c6ef41cbd9cd4a4e649712d2930":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ad81c34389406a965c60edb3214663ac4a6bd5cfd154ae8d9dc86dae93def64":"":"cebbce06a88852d3bb2978dbe2b5995a":"":120:"bd7ca9f6bd1099cde87c0f0d7cc887":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c152ba30aefa5b2a08b0b4d9bf3f16fc208bb0bc4c4eca9411dc262d9276bad":"":"008d040fbd7342464209f330cf56722c":"":112:"c87107585751e666bedae2b1b7e8":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9aed4ae6b1d857fdcbe5aec6db38440613dcc49f24aa31fba1f300b2585723f1":"":"947c5f0432723f2d7b560eca90842df1":"":112:"7d331fedcea0fd1e9e6a84385467":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc80bc031676eff5f34dd076388a5130e985f9e06df4b4bf8490ff9ff20aae73":"":"51f639467083377795111d44f7d16592":"":112:"02d31f29e15f60ae3bee1ad7ea65":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db7a40213b5b4b07e9900dc28f599403b0579cbce13fcd44dff090062f952686":"":"aea6f8690f865bca9f77a5ff843d2365":"":104:"7f2280776d6cd6802b3c85083c":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"299b874eaa8b7baf769f81f4988a41e2708ae928e69a5ba7b893e8e6b2db5c3b":"":"2aa04d85d2c0dc6f5294cb71c0d89ac1":"":104:"ea01723a22838ed65ceb80b1cf":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6c7b4c8175db4cf23d0593ed8ea949043880fc02e2725f0ab90ae638f9dcfce":"":"ae07f8c7ac82c4f4c086e04a20db12bc":"":104:"1132e4fff06db51ff135ed9ced":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b98e1bf76828b65a81005449971fdc8b11be546d31de6616cd73c5813050c326":"":"929b006eb30d69b49a7f52392d7d3f11":"":96:"33940d330f7c019a57b74f2d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09ccef64ae761a70fe16772cba462b058a69477c91595de26a5f1bd637c3816f":"":"e34b19381f05693f7606ce043626664d":"":96:"2adc2c45947bfa7faa5c464a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"654cf46598e5ad3e243472a459bcd80f1e026a65429352dbd56e73fcc5895d1c":"":"a56f27709e670b85e5917d5c1d5b0cc2":"":96:"177b9a5e6d9731419dd33c5c":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84bca1b2768b9202bf194f2d5e5a0a5f51fd8bb725f2bab8a3fccbdb64a4ea70":"":"c45b2708c5bdf65ec6cc66b6dfb3623b":"":64:"fe82300adffd8c17":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8ae011795c9a60ad7660a31fe354fa6f7e9c2724d7a126436291680cd95c007":"":"1bd9ea6186450f9cd253ccfed2812b1c":"":64:"35214bbc510430e3":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df2f0a8a3849f497d12bda44e12ce30a6957f3febcd5ec9bc134171326ca66d3":"":"728cb9608b67a489a382aa677b1f4f5b":"":64:"e2ef5d9cc5791c01":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78e8a8ad1ecd17446cf9cd9c56facfd4e10faf5762da0fd0da177f6a9b9c3a71":"":"f169ce6f3ccc58f6434ae2b8ad1a63a1":"":32:"0fe57572":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"02ca6d8a862e25db9d68e4404abc107e700135df4157cfb135ce98eaa33151c9":"":"7b722fdd43cff20832812f9baf2d6791":"":32:"72dea6cc":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a2b709dbcc3a4fb15b3ad541fb008c381b7e985b57df52f07ca7cd26ab1ecc4":"":"729baa4c0ef75ed8aae746376b39fe3c":"":32:"2a0d607c":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"449d39f863e4909984b37f2e5c09ea4d4b3e9fac67bd57c299e4e1d1f084aaa3":"":"d8e9118f331bb5a359f0aa8882861b72":"4ddcae0bc24d622e12bdeaac73e8d1ab7957af051d27dfaafce53aeed4cdd3f989ea25989a2f41cfb3c38dbd841c5560b0b5ab1861b1fbcd236865d13da55b50219462e021f8a21848a64a85326031fcec8fe47a6ef4a435dd2b2fff637644ffcf3914ef2dfa5dd556421bfd297be150b31db039f0f2cc422b282e659e70cceb":128:"c595b9d99414891228c9fa5edb5fcce3":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e70e66813fc48f984dcda4d1c9c24f1d5d1b71ecfc8bb9581782e7cca5a5cc6":"":"d804f1051e72c9b7117002b862eb45ff":"0b1ab2b7a87cebac668c7a532fa8fa56a22cabf0c41fc1e6744ffe07c857c6865d623f508351f98f3f0c577d1eb94300a30a445472218c8ac626b0bee7d4c122d33f8130436a89add341e8ef7e00694afb4ad80d314d87ad3f921c7105eed05431b8151df7cff2c8e3790efd4acd3f60332dc7f34fdd90beef70f9093361d65b":128:"c09c2e3fdfefa222f7345ae4efb978fc":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e534041090b45b80f287dc5fa20ebda017ad81b0530e680f62c6280fd8881af":"":"ead675b019ef5c6bbf4985f2a382d6c1":"b1db220052c4bebcef27eed6db0dc91be481179d71160c5a2ddb2fe497a05484840b04cce48980057d770fbbd0d5f3d5c633b55470617ad2cab5767188283310337825c4b0eafe13b5b11293dec230dad43b220885105767938c7ec4600fe063f98aa14bc6afb886fc874c10546749da295f571e696305bd9165486e29f43f52":128:"9aa0cdad5686ca515cd58aed94938ef4":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2de18874470c09db683cf45cd752bdfa8bf33e7967220b1a69f41f2a02da1d80":"":"af30eb2d0a0c2a50ea413f3285aa88d4":"22889b868d8ccc9f488406813caed199b23091ddd796c8632f564e7cf5a39dfb725266a931fec958659b6fc5b6b9343b8217edb0acb010afc9416601155262b57bd398d62f555953f0e15958e19ae004fbc9cb25e0269a9eaa38a4635a27bfa719fb249fa49337796bcf5f416bba87fbf3b19f0d8c11290c25ca50bbdc822f01":120:"646bbc9b14681af65b0d1c4c9f1d0d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1a1bb9122e762ecd7ff861a1d65e52607d98e7ae5bd1c3a944e443710f3b0599":"":"32f99ea4cbf52c2701c2252e5e6c863d":"91b7a70c3a06c1f7f2ea584acb5dd76177ba07323c94f2e8f7cbe93fc0bb7c389c3c88e16aa53174f0fc373bc778a6ccf91bf61b6e92c2969d3441eb17a0a835d30dcf882472a6d3cb036533b04d79f05ebfaadf221ae1c14af3f02fa41867acfdfa35f81e8a9d11d42b9a63288c759063c0c3040c3e6ee69cf7c75f9c33fea1":120:"a8e29e08623a3efdbbe8b111de30a4":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bfad1e8f9850577f9ba3f290e9a5e91b494c2d99534220362e171a7543177ac":"":"8410886b70c57d7ded8596443bd1b157":"ca801c83596795515ea931edba00e06e332bf84246b7036e10b317e2d09a51b2981fcb664ee3bf4180bb0b12ed1cda221abc6790b27c26914f5ef9cea9536e2453cd5b247cb054e295c2687b725a97cbc484b8eb86c6ceee03bd07a54a9301a3ac0ddb23aecb825a238252e7575329058b40e75575a7f16439edf5be163ce5f5":120:"e3645db0c600dba52044efcecfc331":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"65debdf2f2191a6cd8de8ad4d5d4d0d8f731f67744e2545df6b2a7cba89c1ee0":"":"fdab2ee547dd8b6f5a4ea2dd19697b3e":"d2b0a0438ee0f145aec9a7ca452b788ecb473152b78fb75f6ace721afc7b0ae1942049b790f3a5b6221a8760295659756d35347cc04029be03459f3e23a71209b4e0bbe13a253a888c83db23376d3a6d9a539f7c9fa4a12dc64297e7c93dfa0ab53ef76b6e1d95bf6f3d5e6ee8f08662fc03ec9d40eff0a43f23ac313671bfd9":112:"c25fc157c3f2474885e2eea48aea":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"496ae810380460d40cd2fdae8c0739f16b87205cc7f57db0a71a473eb361d570":"":"77233de96f5e1744337778212b411bd5":"85f5b54b4c4af5c808120bd28d98e44e96f4126623e57684957e9fc4fd1a2d0583940b8fc8314a249325476e8d05247831b04709580ae714e8187cd38f9559419e14c9fc4f8c454ec191b8ef2a3610988fe3339d0dc6b72f5978f9eff9d596dfabf27056e3a908c6497267461386e860f6b9d65526294bcb92908b5661b06b5a":112:"4ed91af6340e70b0c2b94ab6f82e":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aca188183b46139cc7cffc82a6aaaeb2fd73cecad14e75c663bd62daf1ec711d":"":"7bbf7fb55eb70cce94cc6a2b67de55ba":"015cfba90f069545fed60f31992ff3d3c3592eb91e7a53df5978ded64291954cb99a57de82d5398ce782b68d14ac04a8b425395bd076ead59eb445721bdb2f45e19fa089117800cbbac7b8313fb165ccb1122acb654e1242dc7fe6885ea1cbb7281b1270cfa1549cdfe9b47caf47b4ac3807e562e48c066566f5e606b5023b47":112:"3bcb5c2a4261d75bfa106fb25ee1":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cd6815f6ec15f03b7a53f159e877a5981e0ab7f6e6c261ddde4b47cbb2f2366":"":"c431c07d9adf5f61204a017259cddd75":"4e1a835402bde4f5227e64b46a1f8d0f23a9434e189377fcdf1b9621ba1987eb86a7f3b97ed0babfd674e74c5604a03dd016d71000a72bbbd00a7f7fe56ad0fcb36a3e24dd0fdb63bd66d4db415f35012416ed599796ca3f678df7eb5a1b17f75abb348ddd3b366369a7b362c9488aedab836b61f9a158f0b129c8ca0a53a81e":104:"0e463806ff34e206f703dd96b3":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8f0a72abcda104aa7fae501f9a3b686d00d3f6fe984731db8a2865bfec587073":"":"ab8acd063775d1b1314f14e90fddd1be":"02c6d426e7f20b725d8cde0a6382e49b029b52126889013ef45251f27b2fadb95ca4a9a3b16ad06999eeca4a473e813045db4942e9b9ff2e5a5e429d9bac298372344d1b781d5facabf6d779643f31ada6124eb50aad599044b54279ec9b25714ac8a3b9ad2487cec7f4b1ee245d7be3d496d6af1d4cbee1c8201312541f3064":104:"3f0ccc134091e0c0425887b1b9":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"417135cad74280e6f8597dc791431c95cb8fa63bbf7197e3ab37c4b1d6d9438a":"":"0fe22d9ba1d0e32656e3a9f07a517a27":"a0b2712e81d329d5b076a4be2ad6823cee6dbd17d9a592d065bdebb92b1ff37a56bf2f5e5341f39c574246ccda19e5f35fede49c9ba958f3920cc5440fb404fab7846884ca0c2a3af5b51f4fe97a1395571319cc5b40f8aac986d77de280db82343983982638326ef003e0c013af19c34672975dc99ccc0853a1acf7c617d965":104:"888b836c9111073924a9b43069":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"304824914e32ea0efd61be6972586093349bd2cc2cf0cff44be943682b2dbff5":"":"b6d927a71929029f6766be42746f7cb1":"7281c81c7514f4b17cb125c4649006ef8959a400a1e4d609d277e363e433725fa32346a10bcbd826b6afc8222158920d0a2db1e6fc915e81231c34c3941ecf3c6f94ffe2136190cae3dc39a4277acbc247f36291b5614a8433b1a0780434a6c50521b72ec25145bbd3b192647155d5dd9df9e66762d39592602ea99bf9bfff49":96:"b6044c4d7f59491f68b2c61e":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a10e9abe9389738e12a4bb6f553ae81e8bd320e0dfbc05fbae2128c1fde7a23":"":"6da44354e198e3beb54792718becbcc1":"199d754630135b669bf2ec581d3027a569412ab39a78dd9d482e87b778ec65c6473656260c27827e00e566f1e3728fd7bc1853a39d00e43752c6f62c6f9b542a302eea4fd314473674f6926a878ec1e4b475d889126ce6317115aea7660b86ab7f7595695787f6954903f72361c917523615a86d6ce724bd4a20c9257984c0c6":96:"5c5683e587baf2bd32de3df5":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d164ffde5dd684becaf73e9667e3e6acb316682c41aea247899e104a54dd7a7f":"":"1d388e19e9d7a9750e2fc1187d4b075a":"f166a5b6f91261cda56f1a537f42ffb8aed10af5e0248f8910034b92dbc58d25953f1497f571d31fbf5ec30d92234b440161703851f0e43530418147ce6270fbcb5db33ab819ba8973051908704b6bea8aaca0718947e6aa82498a6e26a813981783ed9bf9d02eb1ea60927530c4700ff21f00179002b27903dd4103bbc5c645":96:"52e10495105799ead991547b":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2854188c28b15af4b8e528ab25c0950fc1384976f242716c91bddeec06f2fdea":"":"075af9c31f5252b8920092cbd999e7a0":"e9452f71093843a025bb5f655eb6a4e8316ab5946484b11818f22b62f4df75d5891fa3397537093a261dc9a7648b7477ea1f5fc761716e302763364bcab7992595edd0fc1c7f7ac719c879e6616e2007948eb8530065a6cccf73d0fe4a0598819b471b0856e6d90ea0fc0e5d36a30ee925b6b8e5dbf40e77f01efe782c0bb4f7":64:"6ff8fd87e5a31eb6":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bfc445ac0365ae6c3c3815fd18bbd0c60ea224f6620d9b6ac442a500221f104":"":"43c5f3367a9955aaee1a0c4d4a330059":"db0bae8ce7c66a8ba2fedec22f236212e9a7ad72b371de285c7dc6d2f6c22df0ce4920e0f03f91eb1653c4490050b9f18a2a047115796f0adc41707d1ffcbf148aed5c82013f557e6c28f49434fc4eb20112f43566f212c48cec9894ac40772fcd9b611ee9444df7b73e35b8a38428ccb064c9c50491d2535e0b539f424db83e":64:"49aaa806cb2eeadd":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b828f99aaf751bf22d993ed682e488595617a607ed74aaacbb6b60457453080":"":"d48dac1d8d77e245420feb2598812418":"f50f785f4e7c848a55a616ecf4b6b1e1ca85e16de7100c7e4273d411bd95c1380ee157ba501ba9616980195f34e39f43e335f33253342feb8ed64443483c721b85241a0320b3cac83104de2db47188c61a373fba592ea16feeefdee1f2bb43927396f58151418672ebb74afff5c029503a0d0be81430e81ed443e08b74c03183":64:"a5b71ecf845b25d0":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b6da11d69fca3e4c907628d3eb63d95c7e502fc901372fd097e064e70831432":"":"6fe2148f250ea178d4c8ca8423ead87d":"a8097bb74ded776f578eb7588f5ef8915db9bfa7262af700c8e76ee114e07557b6786dd5a60a66b2703e7c9de5d6b42aca92568aec5d1ecc298dbd0edb150b8cc13c9a78698f7674caa94da6cacd1f3ef4ca4238c59830ea725ab3a6284e28966c8c32d9bccfb0cfd6583a5ca309debe86549a6f317d15c5f928cbc7f473310c":32:"e9cdbc52":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5ae9328be49e761064080fc213e53e373fd86359a09d0355e2d438d9b8e68f1":"":"a7e3f8660ff925d5c88c5aceffbd7026":"2ddddba7a56cc808aec4602f09ae9bd78887827bf0315d8dbe16821606ef9d117746dd138bf1f23565d1ab8f4cee36d53fe3730632c5df9f12109b16edbeae285bb49dfdd155f5dc97b319a85362d53cc86817b7c1c31e5e87c9f37422f133d00dd0776bd92ab05ce6860573cd911645cfe3fbe515e85f744899a447fe443653":32:"e35dbac8":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e4f8ca13ba86c658cc7f42d4f029422209efbd101bc10a1df81a42cfb3a0f79f":"":"1a362fa0e4054ba11e4b06d59c8bc9cf":"e7ad5c75aa13659f8ce4b1650c46382645ec67418199b84ea445b8ceef619ef3fbde59ed3d313c459e36fcf87d26ef2b453409b32f1086934c3072c1ef0aac83762d28b1193b9afff2c083ce4300b768b0ae23ff9d3dcf65bc1693f1350da65180620aab205aceacfc683c8be53a332e2d0337a7518d2a5204f9c8d7325a4799":32:"e7a37f15":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"00050a21ca1e72cd0924be31b943c60854be6744577de3dd9d1f4fada4a19ea6":"693ffd3d92294857a99c702a0799eeca28ab066dd90917b9ea5ef8f6547f1d90b106cbec8ef2c22af9f8efa6c652f2f97c2baf33af14fe9def230d49524bd65909c3df1490f637f99e788dcc042b40e00bd524c91e2427ef991bf77e7b2f770cda6e90076c5dac4cac7ee3958b53ff8ce846c3a96281f53c2c52f5f3e523536f":"2fc1afc1395d8409919248709f468496":"":128:"e39b6a7fd5ac67a2a1cc24d5eb9d9c74":"":"cfcd6b9ff7641829cbadeaa2e56f1f150a099eccf3e378fa4da59794dcc4490aa4f9c5db0ab245bec36a7d4557a572008e42f03bc1baff3c946f23f54a4dc9828f106cf4264e4ab40165839d1085e7795b1ae0950f0ee4a08e46ada501b6b51dee0e518129c9426e5bd44c66674a9f99cfe676f002cfd344c5bbd22d3d91e600":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f10965a66255f0c3515af497ccbb257a09f22ec2d57c5edae322a3e6d2d188ef":"91598690edf2de8b27f9bc7461a84e80811cee544f0542923898328cf157590251f0342cb81d359b5dccc5391a12320d1444c26f24178977dd6705c2b365dc1ece0152c42e2f0ee3162cf886ef5529f4f16a77f3bdd2aeccd405b59addf098521d0d38cc25f1991e11be7ecf24caedb48a2a286d2e560a38fa9001c5a228c4d1":"c571ce0e911de5d883dc4a0787483235":"":128:"6d9d3a5dbc8dce385f092fff14bfffda":"":"2867996e389e09ec0da94d42e77b1e436b50065b09ca4adf1cd03240444ee699dbb7b3fc081a1869ca607d77d5ff9754fc3c997ff0a4ee17543a2ba77886b88a7128bcc51d3450df58ff3a26671b02c1d213df6adb6f7e853080eb46b504517cbaea162710a9bbc2da8b552eb6b0e0cb98e44fcab0a157312be67974678d143e":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4437ee7d16d8c3ca1aa01e20b66749efa901614d4bb4bee786ad5a5f1bfde2e6":"ff80727a3485cdbc7fab4ee9fadfdc621c538e2055706629046078f1aa3fb687fc728d3a7ffa52ae457b7b5649613eab7bafa464bb435314c49e5900750f7ad39ca9b75df6b2eaa755439e101f67b7ae4cd80dc4a9dea0027048253f2d0a6014056ca69b8c85605b00cf75fa7634a0ddf464270a8c79ce1a1324c4a4c513b24b":"275393276745bc43bae4af1e5d43a31e":"":128:"a82ff1e87d26e4d6e417b60fb2d3ce23":"":"88f994d276ed20be3932d16f551c4b7e2ed80411f2e72ce098fa0b70c22157a59edab30649fec447dd63f0c87dceca7238ef0d9561b58489ba7bd86f2892743099f40af63c432f78ac0ad0b5c2be47b9e3045e7237b096ee400f430af63a6f309de785caf190f3f4aabbe79f727a741590de542bd343df68d13db55a5f8bab41":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe4ec037ce563dadee435cfcb2bf090f1f7ccc7d1b5b4fab2f1b738348f8ed2f":"64eb8a4bda9804c09b04cfcd89094928c21480908b81ee19d6c29c2a3631b1a5bdc8e7f8ea56f7b8b8e14a5208296026785cac3a6afa54be8af4d5faedcd12b6621bde0f8ec5a2635fe72a89468ca7704c73aa40cd2ba97aef08886b27a694d339b00e7d12a31308672f87c06a7388a1432f869eb4cc1da864140b1b33931925":"47f5264f7a5b65b671892a05fa556f63":"":120:"660462b4088f6628a630f2e4170b21":"":"4a310e035361f98b8c54fb4cef70b1a9c910552ece056ca8fdab54c52308ec0ad7fe9dd1dae92badab5010577de522088768fa6466fbccce22e14c51ca7986c4063d0f06bf578dab16a91856713198a7138395c49c78b6314b57ab72fd079028c8dc351952d90b04a7cd2b245df0c0522447cdb7d3329fd9425fe5cb40a8e7c9":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6e1ada628ca76eb9832cc6b5efc5c9d2686bb587366a6de2d734233fa95279e":"a0ac738e0fb35246b84a6fbe319f827039515df25d0c0fc6de7c048253ae63d3c561e44a12672ffeae1cb925610b482aa422bbee0e1784fc69baac3a97d69f51e6d2a17957b44b318624ea7ec680a559f4d3f2761d09bee66efb3a312ae6b3ecb673e756b2a0f654671e82500e7ace91f2be2a74bc3bc1ec1a4b6877a53c27c8":"5a100b451e3a63a3e6d4b8a9e59c6bce":"":120:"88df9a1ea54e5bd2ef24da6880b79d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd5c1e90d78213155c51767c52c290b3d657db8414ee0a7604a2ec7b48105667":"8e987693da0fb77b6d1282eebd3a03e05d9955ff81929b1a2c721574862a067ddee392c7ece52ca1451f3e6e321d7208882d97b4149af6d78d65c054e1bfcdfa62bd2202de32dea8363f8d7f041891ce281840f3cd906ab46ca748e5b3b11890b4014bf0271c9427c874097782d1c13dbb40e78fc8276fc134f3c29923a43a01":"4e022d8d86efbd347e8cbab7e979771f":"":120:"e7df79af0aef011299c3b882e3a45b":"":"3b20473d9b5018d089e7f74d3fef22ec2805948a9e07689831973c704a6d8db4d090af88d696ab8c3aae9740a2bbd7f03e0b18b2b591e59c335c1043a2578a89b1a9f20fd0dd53f12e00e9bfdb27de8caac772bbfc4de9e4a255a5d1b04e59625a87b8279babe613def58d890d5502abf2f709aab625dcc20c58772832c7bbab":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e3dfc07003bb6a2d82bd5263b2832f47db4e73279266c7a9ea21f4f18eddf83":"a960da222af9d4da5797e6957d59b00f6d3893599c70e95c0984b56eb3329b191703c2532f3288b15ebf655b9b5ee4617484e5ac9c39bb06731d03ebe4fef9495d003b0ed694cf540b4dc759d32629e55512680badd81234bd71ffd55fcb5e6a85031c1dc31ee1ed198939582d8336c905717cc87101dcfcf9d833fac815c8ea":"7c0f49fb54f5e68c84e81add009284e6":"":112:"b2ec0f3da02a9eb3132fb4ebe3b8":"":"a40b6f70f0572fe0bc70d83368e7c154f7dbd501f52501630a2e523d18e216e07368521f6040d806299397722b99bcf7f85d36b8bed934b49aa1fa76d38783e6a2e392d6d0786d467f7bc894a739ecf94f0fe884a9c391154f8326bf31ea5242a18aa263d04da4b63b11de23b42d3e10a2d5460cb32700cdf50a0d89165ba22a":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4103b1ddff87a508a219c808a04ad4750668688f4c2ee75b92d28d70b98a2c94":"a00a196193ff07006b7df524824bd0971d63f447a3a7bb1b75c1e2d11789482c115cff677b54948d36dc4de34200bce97be0101d88cee39b177857dd5da3cb0d2f9d6e1150f72a3bd655e0bace1d25a657ba9a7f8dff082b4460432075afb20173da22b49beeb6a030d72ba07869ff4389fc1c28d87018d7c1a9829c21932197":"5cea906737518c2cb901016e30206276":"":112:"3a3a771dd5f31c977e154ef5c73a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd8c2f0c330d5db316dae7a16b57d681ca058864f7bd60f3d0de174442283f77":"e2a5ad295d35031535bf13c2993bd0b292e8a9465b9dab738e59ba03670248a1ecc92b38a55bae34729162271cc1572c35fcccb27417b48dfcbff852a7a8845cc829a4461061b558ac8b5930a5c6491ffba04a9d0dff220b3cd5e4fc2e0f3db3b2ddd90328f2cad819573a7856299620b02f5ee0267f3b56981afbf1b7d9e3e1":"387ee8c1e7f047e94d06d0322eec02fc":"":112:"62356850d12b54e39872357cfa03":"":"17b7f6bdfc1993c56dd9bd674cc276a55a46fdd9fd5fe435b9e4b7ebc7052a9dc76a99e4e43aba7d486603189c90d10a21ad3722c86bf5bc856a0f930ff5bca65be708b76bb8a29105da67f31eebcec81f28aaf526d2f8f0feac393a24959dcd612e2b93b4463f61957d2b3046bcdf855e346601e4c7760c0ca618ee7bf55381":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7e19e400872eed721d560202cd757d3eb99729496b6e3a6d38dd8afe1066045a":"3fb9abc7aba654dfb174e8899c17db222ffbb387b7260fc6f015b54f1cd74284c516e21aae3b72338e5e8dc643cfafca0678f5bda3a7539f1612dddb04366031b5a3eda55f3232c1b176cc9be7cc07e0ebca674a272224929c401a2530efc6d4eed0087b544b12d172a01bc8340d9c2a2ebcb5af8b07d96073a879fda140c196":"d2b277f78e98f1fa16f977ce72ee22a7":"":104:"4c81c044101f458fdfac9ca3b9":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0653934a16fd36c27d54488a1829302b931bed6e26ca26047242b85b50bfb61":"c02347e1add9178d830d8baaad9aeee37e958bedf2cc846e2561fe8c83481d0a8a85911e7f1f6e444b28f30bd96c13c390e80f616feb6844ee6fa486543a2e3f38c138f45b4405e3fb331b64648219aaf1d574be948ccfca6afc18d12488db19c35b05601e47c0af5d49a93a5dd4420f38585c1eb033e173376fa390d3f948df":"94886a1845aebba5ed6b86f580be47f9":"":104:"4be34ff42085ef4443c8b6042d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0f0ccb88c7cec9496f26a59ddc67dc59ebe49ae3dd89ef3be008598727e214c":"7845e155f4f28021291e7c814a1ace8f42b239990831aa82758fc1e376cace0b6f668f7f2f224dede1ef5b1df7ae74b2c01483701044acbbb72a9216eec6b7ef0190f114b3c73c6985c4653f11601c774d10b7f9df1f1e1f3ff4fafa20d6525edb37d9e5acfafe6d3468ee068d407fdb56dc718c98425926831253978d727854":"e5ca84b907ac761a5e68a9080da0a88a":"":104:"c8f78e4139dd3eaf2baef8aafb":"":"0cc3ede50b0d3fb9ada11300a3239a383c98f968ad65266d57a195bb18d3e568fe6cabba258da4bee9e923c7c838e06dc887a6c49cc1453ea6a227c6a83e651a8742e0316cad5efc93739393e3603446b5c920a206db1434adbb8ebde4d1a7a8699c7f6c61b2d57c9709b564338423b4f526d6c157647a6c45da9dd521061f05":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e35dcea17cbf391491ae5ba6056d0dd13b348183474dd4b614742751bdebfc32":"5213542beb044910d7fdeec8bb89de93f350760e493286eaef1140485380d429f74a4279c1842a5c64f3ca3381cb5dbb0621de48821bded650cb59703e0ca88f4e9c3d15875f9dc87d85ba7e4bae9986ef8c203fce6f0ce52c28e3a93befb4cc4ba3d963d2283cd30f9bf6ab99d92f2f4f3aff0b022f1751b89d43ea10bbb28a":"fa549b33b5a43d85f012929a4816297a":"":96:"afa61e843cee615c97de42a7":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"844c50ddc0ac1d9364b21003287d6ae6360d12bbb17a85351362420ee4ca588e":"3a3bf4ccaf05f7c02f5e158dd2c5cb08c6aed4b1ba404a6d8ef9a0737fe2f350b3e22188fc330ea63e35df82f996e3cf94d331c4246cdb25bb2c409762e05ddc21f337edee51b64f1766ad18f520b3f34735b24278d9d647c533a743e0c1e9c81e9dee975cdc47e8582113fd250ef59353605b64acb7c025a97854c1a5c03237":"2f8512bb7e214db774a217a4615139e1":"":96:"f1da1cebe00d80eb4e025feb":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2aae1aa047a20ed2d6d8336d923864cee9404f924031ae327fbfe2d293e1d93c":"8e5b6b9e4e7d01de9a919dd33c0c1eb94dcfebf28847c754c62c1c00642d9e96f15b5d28ad103ff6969be750aadfd02fc146935562c83ec459a932a2fd5fda32eb851e6cff33335abd5c2434ae4f5524d6bc74a38094ced360f4606a1a17096ff06604952c8ca94a9a6dc4a251e13b0e0c54bd8a6dff5f397a1eb1cf186fa518":"3da9af3567d70553ca3a9636f0b26470":"":96:"e1026b3d15d261b2fb47632e":"":"58c52ea9f3b162511160eed1a68b6f52b3c4f5834af728de97a3d9e4ba337b29aad12636003cf5be9ffbeae0f383f7cf32f645a8f6fc5cdc1cde91c625c69a92bc434ed671e52a0044a48f3fce55cae49a7d065c2a72603a7efe58b5a7b18ac500d1a51420e820357e7a439b1c02198ebe3d4e62d5573a3aa5f40900a21e3b41":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3d69208cb0d27474e9a231cd46eac7c1574fff950c48bbd1ba03fad16f563df":"0d1f06eef5e8f2c81d1a73bb1dca93c22cfb6e40e9948bc75b0d84830fb9216330424f580b89050c3fb3f620eca8f9fd09fb86d2e8b3a0869c6022d8a705fc280d66fd16d3aba7395d6be4bed44145d51d42d56285f3675726d62d94c081364a6d440511de83a613c598b03078e2ec7648c6302defbbea66aafd33e1a4b1686c":"b957f05921d21f2192f587768dc12b4f":"":64:"322374fbb192abbc":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb2cdeb17fa6bcb006c7fc60858a12a411804464458db351957e8caf42f1ee6c":"296504131354b2c1928982f12d408ba2377f2d4bbe87e4c69f92a15bf6003910a43bda6c8929df66b3ab1d202a5258cad199f32f36cc30d2dc06199c2a52f7ccadad1fce50123c5f8434dec57cc60cc780263d7aace8f59cc8a6c54bddbaded3adb12ae2ee0bacf6a8da635ff85b51a4e8a1b3dc404863b90059de4ad0f158dd":"31bd7c971a6d330b566567ab19590545":"":64:"efc5a1acf433aaa3":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f94170790fadab3240df568197f9d6f6855afaed8d07eceeaa2380121872529f":"ed231b78db082f652bc6310c396993b52de804a82464fa3fac602a1286535f59c67fc2b1b420c7321eb42b971edde24cd4cb9e75c843f2ac6fb8ecdad612d2e5049cf39327aa7a8d43ec821161c385f3fdc92284a764a5d1cbae886f07f93017f83a105bb7c3cc4fc51e2781516a2471b65c940ddae6b550ad37b35f53d7cc64":"2f9c0647a4af7f61ced45f28d45c43f1":"":64:"ab74877a0b223e1c":"":"1cb5ed0c10cee98ff8ecfa5a1b6592391bbd9f9b1dc1ff351e0af23920d546b5e27d62b94daabd32f7f96a2632dc9fd7c19bf55f3b9b7cd492e76f4d6b0f5b437c155c14a75e65bfc4120bef186da05e06a2fd3696f210292ee422ddbce6e63d99ee766b68363139438733c5e567177f72e52ef2df6a7dd33fc0376d12ec3005":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"797c0091ff8787fe7cd0427c02922620e7f6fb71c52ddcc03a9f25c89ba33490":"2d3efc8900315c3691a8e3c9de3319d4deaf538fcf41aa0e295b861d0ac85baf56d149a6437747dd6976f44016e012b88de542fb8e5b9e4ad10c19deec4b7c0b69bc1b2e33d44a981ded66127dea354b072010b8dc24b85ed2ffeea3b9c0e931619dbbf22677691f0d54fc03eaa162e0ab0d760ad41021f67057c0d6ac19ca8f":"69d81c73008a6827a692fa636fbab8bb":"":32:"be2dda5c":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90ce1afb5500489b9edbad987f4009509c847b3e55cdf0c764ef2fb085e3d033":"98482b54edce2bac1cd64d44917dcf117ebfbfe26ad17a9b263447028304f1cf5a69559c05b5d833420f4fddb6e308277d01eb4b3235f1c4b47d33d3899325b55e7be19d43187a5b1b1354ce02a529b3df1c13b4883902ae9fc565079dee825e705f3e580371e4fd86c3b0d31bae98adb529901f346ca07127314152b4370edd":"e119e166471ecf44bc3a070639619931":"":32:"b2f54b3a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29264a90f114a800c0fc3247b3bda00981a12a8f85cf3a19ea4c7ffdd005f4bb":"587c8e53ab5ae8c31e16160b4a41d88798e27f4ad61c573c023c62d4dbb3952eef5026ad7b453fa9e0694347ab8fe50a6cf20da566202b81e325cee9c07ab2d4d53ed45b3ec2d2135936515f8a24f2a8116807dce9df3c44edf64c32647145152ff241d9e018e4101e400af070192dc3b498b5a213d265b4cfc8c8d4d7deccb5":"cf296aa43cb7b328e09c8975e067404e":"":32:"56015c1e":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84ff9a8772815b929d55f6052c0354cf3e02bcc8336fcfe5794952b4c45d5d96":"a87de56d49725a1625baf12fd15931fe1a6783dce5d1e744eba108f45e0c105d8141dc027d0e33ad7efb6752b43729715e2f3e2c42ebdab4d5f72f886bd821c4372244699ddded99a63dbe7763a5a3bc21cbfc253cdc2514eba2a4f54e24dca7c207cb3f6ae80153d77fe0641f357d5a073dcd425c38deb77c45f27427345516":"5c044a66e488b853baf479f7dee2aadb":"00304e3d40cbc6d2bee0778462884f4ec047a8c74bb3dd7e100f2b9d0e529fd24730063986117b56ca876b208a3691425ac63afc3d504ccb499c76622eade09717023fcb7d956b01ce24a3e53cb5da472be3fcf5b278b5d9e377de22fab75bc74afa9670f5fe9691aa0ed77e43f6abc67a61ec409ec39fd66ac0307bf195f36f":128:"72ddd9966ede9b684bc981cbb2113313":"":"aadb8537309940422f67ca393aa6182d67fe7c52092538a15e98a4254f0a9087c7f10903d5e78078c2e55de914dec8b6b35cb720e3e55963c0ac9901e44b83a0e7c5b2d3f002aec0a4a08354febe47b2abb955f2a21107626ef0b8e1e099650812a6fecf36908fce2d078c2735cf7c2b970a309e5c6d6ff29c26a05720c57105":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5ca3991d0160b1729ae1a622dcf4b03b1f4ba86150bd66bf35cbbee9258af10":"62aad5854a238f096bdde0711ac6f5763e7fea29db068ea8c911f17ba91e6d7807883e6fc5ba7db17af33da2b00973008a3425e65cc786ce1b97360019ee2cef74563d54752be436b905705b507c3d62689df4edf0356d26b693eb43d8a2a927a9f3866b7e0e19e84a90447bd6f47e31070fa7c2a71e3f78229ee19fa47e848f":"f8402184d1cc36df07b68ecb1ab42047":"d378cfd29758bcbd21e26a324239c42c992941b3ad68d9f2b3d2def3a051fd172ee882562970ef59798ff8d9eb5f724ff17626156f4cf5d93e41ffef6e525919af6194ea9bbb58c67563d3ffd90e5a6e2a3a33bd1fa3d55eff5dba7cd439d571f7e08014c4780e3d10904ef22b660897e78258da20b2600e88d71c35ecb6329a":128:"9e8b59b4971130557aa84ec3ac7e4133":"":"556dd32edc0af3c64186fe8c000ddad1516cd14721c93c228e379d4f87e32c79e734539cec930322048f34a2b34931c585d44f09966caf187ec4b9244c991a8a5f263e9da1d08d6086e52535afdb36c7662307521cbceb9ecb470a76970243723fbc1613b6ebbcae261ac2f1936e66ce29ec7350b2e6b2f73a910ade645154f7":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df867d1dd8a287821a54479cab6f88636d2aca30e1bf01a5dffc735e17590356":"6517272cac85d7f38902bcb4b96a0c59c4bdc46bfefa6ebacd7f2fb1629b87ca91de2ffefc42ce3cfd34dcbf01b3f7cadcea3f99e6addf35d36c51f2ceb1f85c1f56a04ec9c9fff60cd7fc238674992183ea3de72ef778561b906202b7b83fe6562a0bca9c1e0a18638e8685b998b4192f5120435809ad6e93a0422d00725262":"35019826c51dd1ef07ff915d9ac4ea96":"0375ed93f287eefe414ab2968844bd10148860c528dbf571a77aa74f98cc669a7fc317adc9f7cf2d80dda29b19db635b30a044399f3665b6176ed669146d28f5ada03b3d32d53fe46575a8afcd37f20386d9e36f7e090b4fefadfab7f008e02f1b5022c0eeb81d03443a276eae48c038ed173631687d2450b913b02c97243edb":128:"e49beb083a9b008ae97a17e3825692f0":"":"723be39bc13adbc48c861b07753f64fac1ae28fc8933acba888b6538721df0a8b91c040a26522fe0dbb7335d8f63d209e89f7cde23afa9ca3c584b336d63a91e07fdd8808b14c3214c96a202e665bbaaa34248ff30348f3d79c9f16e66ad6c5903305acd887a89b6244eb7c2d96e18b13a686de935bf3821444ee20f48678be5":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e8e9ce6294b7fbc534a96bdd060120976a6e08315d2ea73ac61d085cd462a44":"9855f186b51358f0e2111c06bfaaeaec9bf95c55e246375c614fad9883d86c82a20c86538dc5f42a0ea69677d59a20c5112d15d2a8396f12096242ad5d7b838d16ee0679fc4017af75bc15e8ad2f77b0e802c864031cbfb0bacd95c828d1db4b7bab0713619e9e5e8fe6902aac7a9e6c42eb05f5b156f7e663ee43e6fdb62480":"4edc6be20f904b4789e5bee0a80a3fc8":"db28ce076b360816cd1e04b7729f8ab080e0a07f35204350f3bd056945aab8638c0e8311ab056f3e5debdbfbb03fae700770264faf73e0f3a05a5812aee84ab613c82f4a76da276250675f6a663f85e2c26d4f4a8666a7f4cedaffc1a7218dec11ca4e72b8b5d5b620d1efbd3d3b94a5ae0d118b9860dfd543b04c78d13a94c3":120:"03cfe6c36c3f54b3188a6ef3866b84":"":"e10142f852a0d680c983aad2b4609ccbd35ff61bb3eb66442aee6e01d4cc1cd70f45210acbd506395d6ca0cfebc195a196c94b94fc2afb9ffa3b1714653e07e048804746955e2070e1e96bff58f9bc56f3862aaa5fe23a6a57b5e764666ddec9e3e5a6af063f2c150889268619d0128b3b5562d27070e58e41aadd471d92d07e":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"886c77b80f5f3a21c01932685a540b23629f6d41d5574fc527227ed0bdf2e21b":"53a17d7b69f607f08676d6f6dd4e8db08e01333a8355d8c87616e84cdf10ef5b041fc6ddc3f6a245c0f534c2b167064af82f45e4702a5e8dede59579fdecf6713353392433950c9b97c38d9ee515ac97d0970ccf03981954540088567a30941bb2cca08cbed680500f8342faa7aebbc6c143e2ea57ba6b4ac1fd975dcc5d0871":"5ec506edb1890a5a63b464490450d419":"05b8d820c9f439d7aeae5c7da0ee25fb0dad47cc3e6f3a47e8b984e856201546975f8214531fc3c2e504d2ac10fa49cb948596b9a8fab01b95c49d6f04d1589f93b77b899e803dd20e1f00a51c0b5953e85be639109b14b100e35ca26d84ea629964b0db8260dfa5a150a66261bf37e79de2ec49e9f1b082a7c58ecd3d39b6c9":120:"ffdf56e1c1a7252b88422787536484":"":"79ee27adfa9698a97d217c5010ec807806feda37db811e398c3b82abf698aece08561fffc6c601d2691738e279eeb57e5804e1405a9913830e3ba0d7b979213ef40d733a19497d4bb1b8b2c609a8f904e29771fa230c39a48ebb8c3376f07c8013fff6e34f10fe53988a6ec87a9296c0a7cfba769adefe599ec6671012965973":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5231ca6d772edd9ea2d251e22d7d455928c22474b4b44130dad57e6511fed6ee":"2767c808410ee132291585ea74a48ad3102f883f07d060c91c5f10abd37fe0996d2210dc490260238ae15f5d74c7be2a1e15d80db09079c520047f88488a7802857a3fc3b81d85a96949997430a880177880a31d4d0c9c9045247804f057a4f2756d6e40375a4a3187c4376d6bf573ce334cda1ed88d8a50db499e7cdb89d8db":"048698a4a0feabc1f336112e2794795a":"3a81b6b0b722899ff931cb73c39222d555b83ae3f8880b982593cbc1ab8be90d1ee32fd7dfe697cf24c95b7309d82c3fed3aa6b3d5740cc86a28174ac8f17d860ebb251ac0d71751c2ff47b48bfb0b3beb4f51494464cda34feaecddb1dbbe5fa36c681ada0787d6ed728afc4008b95929a1905787917adc95f1034fedcd817a":120:"ba61edeb7b8966188854fc7926aad2":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a3f516a7898e04e5da4efd6c7c5989b77552d195464620c2b35b9a4fda29cce":"5cc28b61ae97557774bdcd7ff653f4aa349df68d53c7e5a65263883ef1fe224ad40e86bffc2d38f28a2ed9ae1fc08563e2a1e46246106546eb8e6064c06baa0046fa137421734b7f0f94656a4f459d9d981717557d843700d116b6e5e2dd3af5f67c34edf31b40b71fd3c6f2475f9310feb70bcb973be52d41e86792c49d54c0":"9310af6974890c0a0364231f9cc8103d":"2103af8356bcb9dfc2a4f1d4ed09cbcd8e1990d23865605e19f87feb50bf8d10d0257740e5557a9297f0499c01e29a1a513ca18e6f43f7406c865cbe3951a7771128f3110c8da3bd696368901944549552842a1f6fd96cc681b45da098f3c1acb3d237d2363285f520d0b6714b698790b7660c52ac84a42c9721ac7e9d38a2ef":112:"993fc8e7176557ee9eb8dd944691":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59c9258554363d8a885fc0f5d112fee08eadfc7ce52a0e7e73e3d0d41d9a0290":"79c491411402ea7878e480519fd984dde44bce6459303bb76d4eaf97d4e345d1aafaa68ceb0590b41cfed0f411b675d9344c7e888cccfc9eb6fe6b229d198f94ba516ee850ee7f078a4f5f32a23f92f72264e3a76a31ebd042564315ac4f2ec0bb49ba6d08cfd2d3a6308688e39f28e3ecd669c588368cee8210edf5dbefb925":"77e51e89dc47bbcac79cca21e81a61de":"25a6f8800a9b914c0ebf9a45d72355c03ee72a138eb81b2980f332645ce1d7aa4659805821866aee2b276e2c032776b4eaf36f93b5f9a72b791be24e31eff105ca6d0700e3069ee327983dd7fe1c7465d6c6d77837aff69055149988e7199847fad98605c377d997dbd40f3e2ff1a4f978a493684e401249e69540fbde96323c":112:"ee6d85d3f3703b45adb4f9b2f155":"":"44ca68deed5478074adfddc97f06f44c08bf7bca4dee8707d621fc7396fe2efcdad0a167d1708a9ff59ce4cddb86920bf1dbdf41b2109a1815ffc4e596787319114cad8adab46cf7f080c9ef20bcf67a8441ba55eac449f979280319524c74cf247818a8c5478ea6f6770996026a43781285dd89c36212050afc88faa56135fb":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e9eae594cb54c8089330e4404ff79abb1c0841b0be5347a14633ad1e1ff44fa":"32abc1eb6077555a85a0a6fd1c78cccca6c8b375842e2eb8eee45ee6c38dc0837443d16c647252e8124639dd01c808ac5e857a25d927c2a75e2fa8955cad5beb5c206fc050cd933fc4621f5718936f01f39dd700ae1aee7537cc595df8789c5d1a6e1e87b1c7a60e3ce5d57c80dd65dee3801798e1481b1963bcc78cc69f8c50":"0917b486da754f48bb43ecc8766a7ce3":"2aa1ef2f91aeba5da10b48a882dbd4574df4e9157a18abf8cecd03e4176712ba171b6ecb0e745841ff84e35063e47b08101afc44cfd9cededb913a82f00b9d4bac922f23a22f200642270399896405d00fa5271718eefb4cd5fe7e5f32097766ebff36ff1898a1c8a1a01cc18e6121e470805c37ff298fc65ef2fb1b336d09fd":112:"92282b022e393924ab9c65b258c2":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaf03c3055a35362212b9b059931e7a24fc71e32bc9a533428c9dc31077f2ebc":"c0e12cdd8233878505e025d52427536be7b6bf1887d2dd20eac7092db80b22417a3a4ca83cdf5bc5e36161be1ff9b73f7ceb297c6d07c9cb2a75035a5dc079e48283daea60596f4b356ca28c243e628cbe459f069709fe193394c9b1a31d8ccc5a3a4eba30056c415e68571a2c34bb5c32efff12e9aa483c4a68be5e76aba4cd":"7dfccd077b29e6ed5720244bb76bde9f":"21edd1c6056f51fd5f314e5c26728182edcd9df92877f30498949098dcde8089eed84e76d774ef8874d77125669a302d268b99dcd66b349d0271dde6f8cc94dc4f2df3787887b1173cad94d067e346846befb108005387102854d9387d2c0fbc9636cdf73a10d145f4b612c201b46e1ff4465f6a7654ce3da5792daf9a27fb35":104:"6154c6799ad7cdc2d89801943a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"60c775971a9eac7950ed2bdd85bd60fe948ba04c419f6743fb67f37557e46c6e":"8abb2e66a4d08074916056bb8e925551372f737f0e1b597c5d08ee102989743a273b29d7281013f8b3aee2934399cb427370d70370ee86eb41584b653660c633506a53cae747826bb7d93909f069d5aacf058b7f2bbdc58ea08653db857bda83a979fc22a4f126dfef7aac45177f4cdb802fab0c812fb35d12a8176ec21336d7":"9b92ad7079b0de09c94091386577338b":"1f6a84b0df75bd99a2a64849e9686957c6a60932ebe898d033128be9b757e9890225925d856bfdc33ff514c63145f357730bb0435c65342bc5e025267b410af6fd388a5eca01b7efc87fd3b1b791df791bd47dfab736350d7b7f368b4100e04c939d5af957bab95ed502dac904e969876674602a0f0790da2d7351b686e46590":104:"1d6cd4ab3914e109f22668867f":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b426e449337a14bc0663246ab61b671b523c9a3130c21ed59c93fa6a5aa5ae3":"291bd5a00d71eb7d547b7c94e7030ba4a947418eaeb378a3bacd304b08c6f92f6958eaba968ac6aa23e0512a2a8ad7c1ca2f8fcf623bfc1281f5b7b598c08d2aebcd447668b23238c5e338b4c2ac7f8fd381714c596ea3e0c17aca4317a08563e58f0f52a8af08e078dc242ae54ee0fe3869f8c9687b004a4ded0aa27d8f4c5d":"e6efc96acd105fe4a48d1ac931eea096":"0902cf7a0685444126369712ac47962bc2f7a3a5837f1b6190d9ab1adb4cd35e7f0892eee628b8e07fcf2b598cebe1ec07d8c4823172ae66a135bb51cc71590707b691a66b56af1ffe38772911d11685da355728eaddd83752d21c119d7b59f4c17c2403629fa55cd70cd331aed7b0de673c85f25c2e9e0267f53f0b7480c8ca":104:"ca4bfeedcd19d301d3f08cb729":"":"bcef3f2fd101b828d36cb38530cf9a0a7a285ac1c55ee1069cc78466327e85887534c98a8891d579effd832c0f7d6e7e822fb1eea85a39317a547591def4aeed6660872859fc9d1df9725d3c40e9ccaa900e0f1426a55d20ac4f2e8e07bd3bbc687f8e059ab93e7604c97e75ac94be1c8c24f4c4da0080a4d77953fb090cbb62":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ceaf204ff504ea8e7fade1a2097f2b527a44766860447322fa5ad346cd810217":"1c8e4cf6018211518494d46c2e0607fa42e236abc28d58f8175c530f84b1f030572f5f6a74cb5517e1fb999a637d352afcbeadea9121e695675859b66b499a3a351ecba5226e58ebbb59fe12e359e4c89cd51c8703d4643c49921ae495801c73627df404b91e828e1d0e03ae09a39defb5aa5f2c8106953772ba0713d3261329":"cfdb8183251f4b61c64e73243594fdc6":"a60f3969fd1b14793dd1425aa0b1f742a4861e0b50eaffd1525cd209ba6d1252176763bb5bee59aaa55f92341cdc0705899aba44cf0ec05cbf80274ebef65cd9507fd4224b25cac19610968d6a37e2daf9ddf046ef158ef512401f8fd0e4f95662eebdee09dd4a7894cc8c409be086d41280bd78d6bc04c35a4e8cd3a2e83be3":96:"9e45029f4f13a4767ee05cec":"":"5cdc66b587ed5eebb04f42b83a6ab7017093514881c598cce332d74fa3fab927493ac15bff26835296e080b5b45ef907c0529fc2f4ed2fc09db179ef598e5d193ea60c301d3f8d823404814e3e74de0e1d2417c963e9246c353201c7a42659d447376e7d05c579dd4c3ae51c2436407b8eff16ec31f592f04b8013efcfd0f367":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"15652abe38cd09777bba21d0db04637f5737d3cb3922181b9f2d07bfdafd327a":"1d6c153dec3b4738a09c9fbdfe31a093eb7ea79b8fa49f83e5e1f46893590f074fb171fb66e30ef887767014e3a10a3aa05da2bd50dd7b7936e1d7f6f31af9030e31e76bdf147f4396464db0f6a72511c4885c6c2305d339906e3c761a3249d7ebea3bf463e8b79c3706e684575550e964b8047979f7aed6ea05056c4b5840b1":"3a5e0d223ae981efb405566264e3e776":"cd755437cb61b539908e0cfaaa36c0123f8f17d1e6539783cb61d4b56cac3bc1e971c1ea558b12669b025cb6b9ad55991c6e2f8ee8b0b7901790193e226a0fbbfff7ff0bee6a554660b9f32e061b6c04bf048484ff9ebd492f7e50e744edd72d02c8fd32f87f9421bf18a5a20ebb4d9dbe39a13c34b7296232470e8be587ba09":96:"01a573d8e99c884563310954":"":"162430c23f7adcf98575a2d9249b4b5cec42efae33776360ebfa6a19c8eee4bd6b07cbd274deadc3292b7cdbb7803e99d9f67ccc5077f3ad5808f339a05b3213dbfd11377673d4f9b486a67a72a9ac8ea9ba699861dce0de7e2fd83d3ba2a2ec7fabf18b95a2bbe2184ff7bddd63111b560b3afe7f2c76807614ba36c1b011fb":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a43f6d07042a15cd49f6f52a2a3a67c6c2ff420d95bb94b9fe03b287c3abcaf8":"b67e58c8b608724fd20aa097ee483bc4c804490cc79de635170944af75c87ae0ad8261365c1dc80d852553bcba18da9fbc3fbe61d27550a03003ef0c60202054626655509a9e1ab54677e537a4e761df011d6c6dd041c795446b384161ae9eab441afd24d19b58eb4fe5116cd7b11b751ebbd0a2adba7afc380d9d775177099a":"3b6fad21f0034bba8b1f7a344edf7a3c":"2e01c0523c8293fc51388281dccdb8d0a2d215d729289deb327b8142d716c2bb849e9476545b82f3882ba7961b70c5da2a925ba18b6b121e9215d52ac479c9129c9cd28f81584ff84509d5f9dcb7eaae66911b303cc388efa5020ac26a9cd9ea953f61992a306eb4b35bcd8447eea63cef37bb0c95c1e37811115cf26c53e8c5":96:"43470bc3d7c573cb3a5230f5":"":"e1720d451fa7ab9db4988567187244b15b6fe795dd4fef579fb72e41b21aaa436d2e5d8735a4abd232a3fb9188c75c247f6034cdebb07fd7f260f8e54efefa4f2981cafa510dd5c482a27753a7c015b3cae1c18c7c99a6d6daa4781b80f18bbe6620bfc1518a32531017a1a52aadb96a7794887c11ad6bdd68187ba14f72a4b5":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f0f0191e18db07c0501dbab4ed952c5603a4cd249d2d8d17e62e10b96ae713f":"aad40e7866c26e486b6f6e8eb14a130d5f88891bf0d09aa8fe32f447ab8dea7bee5d3eda4499c0103a010483f2b64fdf1155499d31decf528c77dd7627884f9995c213cf7402143dbb7561d69c86886734260ac94ffac7eb33598d25714228ef43f744ec1af2a87e789f1e5d6fff0fbd5082dcc49328f194e8f8a14a5bfc962d":"ab8be16b4db809c81be4684b726c05ab":"a5a6e828352a44bd438ad58de80011be0408d410f6e762e3145f8b264a70c593476b41bb87875746c97de7d5fab120bd2f716b37c343608ee48d197a46c7546fafcdbe3e7688b7e9d2f5b6319c91d3881d804546b5f3dbe480996968dd046f406c11f0dc671be0421cbc8b4ea6811dd504281518bb96148dddf9f0dc4e2e2436":64:"d8bd7d8773893519":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6cf7d83137f57f2310ee6bf31e8883952bb07ccdc12f516233ed533ea967e5d":"83ab20698fd7573fd121976a72b45a7f03aad84702fc8ac73d6926eabd8a546895aeffe4ba81d117507e2cd37d58eeff71cc3afa8a4449be85f228ea52f6dc6395bb43c1c9f795343720841682d9b2f00602eafa4d4cbe297bfc62467e526b9d823cc8eeecd9e5f8dbc2f65610663c6f37b3d896651b254bd60215629ade3b2a":"f17e37e73a28c682366bfe619cc673bb":"0f4dd201b18e20230b6233e0d7add6f96537dd4e82d3d0704c047fab41af5faf6bd52bd14fa9a072f81d92a2ce04352f0b66f088c67102d2d127a9850b09ff6087f194a6e8ccaba24091feb303eebb65f1203b2d22af44e7be4de71f03e6f6cbadf28e15af58f58eb62e5bddfae06df773cc3f0942520de20078dda752e3270f":64:"74110471ccd75912":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c85ac6b3887639838ddca94c5c69f38115aa00122322c8114642d12ea1b8fe":"0210fce418e7e2199cb8f899c81b9be74a630d00269755f882fc4db27632e99685cc12c426a7503473646df1288d0ede28408be9add5713628700f8e2b2e27d7522520ed00ac47239084651eb99e7d03e1520aae137b768f3144232c16b72158fd5da4a26a2525b9b27791bf06d1eb2e671c54daf64fddc1420bc2a30a324ba5":"14f68e533ecf02bceb9a504d452e78c7":"796a46236fd0ff6572b1d6257c874038f870aa71cbb06b39046d0fb6489d6ae8622b5154292ae5c4e1d5ff706daedb2e812533ae3a635d339a7fbe53780e3e8204924a5deb4b6856618f4c7465d125a3edffe1ab8f88b31d49537791c0f3171f08dbb5ed1d9ed863dafbae4ecb46824a4922862fe0954ee2caa09ab0e77ed8fc":64:"6fb0b5c83b5212bf":"":"5e6c362f7587936bcb306673713a6f1fb080783a20e9bbb906456973e529cfa0298206184509c30e1d3793eaaa5d564edd4488f04311821eb652e0a1f4adaf6971505ca014788c8ce085ceb3523d70284ed2bb0aebeba7af83d484df69c87f55a93b3d87baa43bd301c4e55eb8c45dcf3e4612535ea1bd5fdb4c3b9056d0cae9":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e61b1a6b40e2ab1245ff65dcfb9948318ac4fe55e9ed600cec301dae32ae0e93":"8d67fa9fcf078e421cb63abeb25dba739ab0e09a091dd06b0c616e1e888f350edb2d73a42f57f115266ea20c7f8fc143ac746649612df06a5e29b4a15934dc049be1ab49d018ab86c4f37d8c3d9c714f038029e74d8ee3dbe61d81adc63712ea413b37f7604da12107aa1695d9b0981e5a92cdfaa5fbda0e31b22c6fd6f3b499":"c356244b3034d288e4d4fe901b8e27c1":"bdcfeb09d5b97bab05a7acd9849e7de2c5beb7a4dc573c7e1c1d0c0409245a6584023114fdcc6413c800ca16847bde750b27c4d590248e2ce457c19b0f614f6aff4d78d4a19b3251531e5e852fbb05d09412cc1ff8988d1955ca6f5fe2d820f20a7642e3ae69e8122b06ba0918e806400b9b615e1abe6fdd4f56a7d02d649083":32:"86acc02f":"":"7c73182eca97d9617abb478a6ce62e3491a7e9951981c89c3071b161a4c80440614c3f24d0155073e28dcccee96bc8303dab4901ef77318df522d16d9da47770ef022395d6104cd623d93d67090a27507fc8ca04157e7939e639c62cd0e7d8a472314833c0eaa9ba2fd54a25b02854e3bff25cccd638885c082374ae520ed392":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4f5a02e9843d28c8c226ed70d44b8fced8fb757ab6ece4d4f06e3c3cec79e44f":"3ec13950d329f24074714c583bdc35686b811f775b76b0a8fcfa66fc56426c9d022f8ab0af38f8d2f71a068548330cdbe891670181ed7491bf40c739ef4dd93689fd35929b225089d2b151f83d9b3cd767300611144586767354c0491112c205409f3168092d27f9b9f433afb79820a2811984d48e70c1fb2a13bbb3ddbc53fb":"099e5d9aae89fb6391a18adf844a758e":"ad93e8662c3196e48cfdb5aa3bc923cd204151aa980cbec78f0d592b701f779c1c49f9e8686d7e2385a4146b21a643a59c18c8b82214f42560bcd686fad7c7c8e8c1944ce6b20ec9537dd14b6cf2592740ca112f4cd582250d69f240d3e957040e1f7e19c60b3c8f2bd00cb666604c38946eb9b2f17336d281b4794f71e538a2":32:"30298885":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cdb218e0bd0e02156e5b48182990f778889793ef6018a8928e61164ac047c8e":"4d039618a0eb640329f90fe97de18bc928fc3fc7a0db42c97774bec2e882e872fc1097c8319f7837a16516bf387b1bae321c565e8fc1cb8480f051158e4685f0adba310d2c6253bc1300403cbd3f7ddcb2796a69f8bf9e73d47aada9a02673c1a3d5ecdac838abf22b385906236529a1b7dd5b8af2611a04cf4f83b15ba41cfc":"d2ffbb176f86bee958e08e5c7c6357c7":"bc580c4223f34e4f867d97febf9b03629d1c00c73df94436852cafd1408c945c5474c554cb0faf2bae35d3160c823d339a64ebd607cf765fa91f416fc6db042bc2bd7445c129b4a0e04b6f92a7b7b669eb70be9f9b2569e774db7cb7ae83943e3a12d29221356e08e5bf1b09e65f193d00d9fe89f82b84b3b8b062e649163dc8":32:"1997daa9":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc1a145c18bdbca760f35eea0d4a5992de04a0615964ec8b419c8288ab1470f0":"":"7f8368254955e1b6d55b5c64458f3e66":"":128:"8ddaa2c3ed09d53731834fa932d9d3af":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b4766d3a6615ee58b390daa228ae7a541c46ce80a1efe227cc43cb777df3232":"":"274367f31ec16601fe87a8e35b7a22dd":"":128:"5f3a757b596e06e9b246ed9bac9397f9":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d19b04055bf6e7ff82e89daef66c9d8319ab25f9197e559444c5729b92c4f338":"":"796efaff4f172bef78453d36a237cd36":"":128:"3b445f38bf4db94f1a9ec771173a29e8":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7ca68e300534a90a7a87ca9906e4ac614a6aa51f769b6e6129753a4f83d10317":"":"45e6b23f8b3feefd4b0ea06880b2c324":"":120:"6c0a1c9c2cf5a40407bfa1d5958612":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2b7cd693239bbc93599d3d12c9876e7303b227b8ae718e2c62e689e1fd62903":"":"548c9c8fcc16416a9d2b35c29f0dacb3":"":120:"3aa21f221266e7773eeba4440d1d01":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"156b854beb0c276a5e724f5da72f0d1ca4ae7cbd5f93a2257d95c2e5bfd78ad4":"":"a5129e2530f47bcad42fc5774ee09fe7":"":120:"6bb09ed183527c5d5ed46f568af35f":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d824330c60141264e1f709d63227a9a731bcc42b4adec1d8f0161b10b4fdb2ab":"":"c5afaa45312c64ab3c3cf9d6c4e0cc47":"":112:"55952a01eee29d8a1734bbdf3f8f":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5517589948d8aea778df6fd66c17a170d327f69e504f0a4bd504c4286a9f578":"":"6404b111c6289eefa0d88ed6117bb730":"":112:"637f82e592831531a8e877adfc2c":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f6137b2bcbd327fbcc7f313efa10f6ffaed30e4782e222e1225c87103fcae905":"":"3b87b08337a82272b192bd067e3245ec":"":112:"1f2dda372f20ffddd9dd4810e05f":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5e70d1b78e931abf44bba3f937dbc344858516a8a8afe605818dc67d0c3e4c4":"":"58e70095c6f3a0cda2cdc7775e2f383d":"":104:"1763573f7dab8b46bc177e6147":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90de0c047d1dd01d521f2dedec7eb81bc0ace7a5a693a7869eaafbb6e725ad7b":"":"d565c9cdfb5d0a25c4083b51729626bd":"":104:"78738d3e9f5e00b49635ac9a2d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c43e8dbeafb079692483a9fcbab964b76fccca6ca99e1388a1aa9bf78dfd2f02":"":"f2bd4fe0d30c0e8d429cac90c8a7b1c8":"":104:"ea7b52490943380ccc902ca5ae":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13540919fdb95559e37b535a427efeee334309e34c4608459e204d931b8087e7":"":"c993c1802df0f075ce92963eb9bff9bd":"":96:"edfab013213591beb53e6419":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a7b2e07c148ff0f627ae28c241a395876bbed0c20f3fd637330e986db025714":"":"8f7e1621c2227839da4ea60548290ffa":"":96:"f9da62f59c080160ec30b43d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3e7837a75b38ae6d4299a1ae4af3c2460dfca558708de0874d6b1a5689b8360":"":"05d363b2452beff4b47afb052ac3c973":"":96:"6b4a16d1ea1c21b22bdcb235":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9df3ccd95f7570f6ecf5e5329dcb79bcd46cbcf083fe03aa8f5bd0f645c6a607":"":"774f4e70a7577b5101c0c3d019655d3e":"":64:"98ff89a8e28c03fd":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c7123e2e8d3774c8f1bdbb2272f19129e04f29b4351ae19c3b9d24e6ea1fe87":"":"99f25cebd6cfa7f41390b42df6a65f48":"":64:"8e14a0a4853a156a":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"490090323e9257517e2453469caa3414045cacb4d05d5cebc6b9c06fa6d19291":"":"c1beff1ff6cdd62339aa21149c4da1e6":"":64:"f998d7c08d609b3a":"":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"360e48dd38d9e7f5bf29a2994ab5b3c9c70247102d94049ae791850807a4c845":"":"88126c350dfc079c569210ee44a0e31a":"":32:"f2ebe5e4":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1562b32e4dd843edaf4474b62cadd8f46d50461f5b22c9f1a8eae7367d35d71b":"":"af29fdb96f726c76f76c473c873b9e08":"":32:"13fd6dfd":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5160d0c98ffcb1c26aad755f67589000e2bb25fa940e6b1d81d780f421353d9":"":"1552604763453b48a57cea1aed8113f4":"":32:"660c5175":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3a3ea3a097c0c2b3a4cb78462d87fd5a8f348687c4150e9d3354b388ab13d17":"":"f77945979241fb3a454d8e3da193e169":"a69bac31241a2c07d3f7e331b77f662b1e67ccb81c07f52578b01f5785de9437f02eb7627ca7b9af09c1cb428fe93d6deb31f4d6dd2f0729f87480bdeb92d985de1aaad4bcebc6fbad83bede9a5dd1ca6a15bf5d8a96d4edb5bee1f7d195e9b2e5fb2221a596d69f257c18a143eda870e22d3f2ed20c9b3b0d8c8a229c462fff":128:"6b4b1a84f49befe3897d59ce85598a9f":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e1626327d987342cba5c8c63b75b4ed65463a2b9c831f4f9f80325fa867d1d73":"":"4e25800deab7ecec2a2311f8fb44eb7d":"ebaffd558f24dae03117c69ac4b2b4aaeaffe7e0e7599eaba678bfce23a9914dc9f80b69f4a1c837a5544cba08064a8f924064cba4d783623600d8b61837a08b4e0d4eb9218c29bc3edb8dd0e78c1534ab52331f949b09b25fbf73bece7054179817bc15b4e869c5df1af569c2b19cb6d060855be9a15f2cf497c168c4e683f2":128:"8faa0ffb91311a1a2827b86fec01788d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"938da64b837275b0c80c442bdf2301aa75e387fe65a775d10a8ec840f62ff429":"":"dec6adeb60216cbb8a6c3afba49fa201":"4ac144bd95f405649444f01ab67ef3e4c0a54fdbd933b6ba00518c79db45c22c90030c45aadcfdb53ec8199be0cbb22dbb9ab938a871f4b3b0c98ed32590a051abb946c42726b3e9701f183b2092985e3457943a6350fbcaece2e6b111b179ea3fd10ac080a577a1481785111d5f294bc28519c470ff94392a51a2c40a42d8b5":128:"2211ca91a809adb8cf55f001745c0563":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2436484ea1f454d6451ad8dbd1574b208d7a3ab4fa34869299b85c24348b43d":"":"97040d2ec094fe1c64fa35b35b7451a7":"bc198677513ce0e66697dfe52b22315fa5d8f92042f34cc9f373a01f94607df1a599132f60af010ed9b5e52162dd7b162912b68b11700e08f5fdafd84d10f760fc05ec97c05b83e55155194f399594015b90a19c04fb992e228940fe1b54ba59c4bb8318b33cc0df1cb1d71c389473dfb3eefabfe269ca95db59a7bc0201c253":120:"2e080ba16011e22a779da1922345c2":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7fb3fc72eb8a3aa5b102f90039f852cc3fd64f46915f5e49f1d9e02fe9cc13b1":"":"f6120fea313362524917c53d90bafb4f":"60c2be7fbd15faf895fd19a9ce775fe2b183b45cffafe4fcbf50d421bea97347e41a9418cfa129b2dda63b889a70063010215dbe38c37feae18bc31b34f31b726f22177f2b4b9d648dd4aa80edfd12dafaee10baa83224354432d1cb62ccabe38bb8448d162cd0d30e988d2e1a2458ffdafaacbdff928756390f66dc60d7ea45":120:"83de3f521fcfdaff902386f359e683":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"697c96d80d0a3fa9af35b86f31fb71a17aed30ce841c79896bbc8863b3b3ee04":"":"3a5163ec7e007061838d755ac219855e":"de50c12da63232768d5eb9920d49683b5b7114cb77448fa10b9d63552ec5d9c2eac94b375d11f944959f903bb20c696639b6e7f108ec1e873870098c631ddacb2c25268cfc26d2a4cacfb7dda7383374c5456bcf4daa887a887f4293f8caa14419472a8bf7ffd214dfb2743091238b6d1142b116c2b9f4360c6fe0015cd7de81":120:"cd4542b26094a1c8e058648874f06f":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"66c1d9ce3feb0e966c33e3fd542ec11cc32f18c2514b953103d32abcdc72633a":"":"46fdb88fdde9b7d74e893802a0303256":"55d2f263d2e3cf0b390fce1dd1ebd5f666086f26e1ce2f08002bedbb810ada3922c6bfcf6a6adaa556e9e326c9766f02b3eb6e278da2fa3baa7dbdb6373be3c6ecfbe646b1a39e27c5a449db9b559e7ea3496366b8cdbca00ee7a3dea7fdfbea1665bbf58bd69bb961c33a0fd7d37b580b6a82804f394f9d5d4366772cee3115":112:"96ca402b16b0f2cd0cdff77935d3":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d7c949420dc9497232cd5810f316d11f9e85d36c430b5943ba79836d88c1eb92":"":"7ef9788ff09cbeedd9569d49083a4097":"ca1de5cc3fcde2638eb72210e551e9c0e0a3f5570d5be83a9a4406b545d854bf17e75b9cd0f4c45722fbd71319a317b72a8798485e9316a1c8102432b83bc95af42f6d50700ba68f6f2e19b6af609b73ad643dfa43da94be32cc09b024e087c120e4d2c20f96f8e9ddfe7eae186a540a22131cedfe556d1ebd9306684e345fd1":112:"8233588fca3ad1698d07b25fa3c4":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe7c70815aa12326cdcbb2d2d3e088bbaaef98b730f87fe8510b33d30e12afe":"":"e0253bd1f19e99a7f8848206fb8ac4a4":"397897eca4856f90d14c3cdfe1ad3cba47e23174ae2dab7d2a6320898584e03bffa3ffd526f416d7b3c579b0f3628744e36eebb5df519240c81d8bbbf5c5966519c5da083ab30a7aa42deae6180e517cdd764b7f77d19cc1a84141817758887a8d7265e7e62279b9d33cd2f1ba10fd54c6c96d4b8a5dbe2318fef629c8e2af0f":112:"477b0a884d788d1905646bd66084":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbeefb3817cb02d617f385cf2371d52c8bcbc29e5e7a55cd2da131ca184c6e89":"":"f74156d6400ae46b612531848bffe18f":"1abe2ab05ceccf2391273126fe4a4426b94d2c3b97a7f1cd2ee6bb952bf4a546e972b5a1701d5ddb0e5bb7a248fcb47107a9fc77e4b9806b68a11850119aa239fa8be1370e3a2e1a8b168f7323afdfc4b8917d92570167848a56132d68876abc386c258a9233dc8a9eb73443b052e842c3d63e8b5369acdd038404e4e9a4b038":104:"0cb67cec1820339fa0552702dd":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6f5f65ce2fc8ec3f602f5df90eb7d506dd771337913680ac16bdcd15c56583d":"":"9212a548c597677d1747e98ce6fb18a4":"55ca486c0183d0134925880d2e21dde0af51c4c77c6038a5a9c0497884e0aa4715bdb5b4bb864acc708ac00b511a24fa08496df6a0ca83259110e97a011b876e748a1d0eae2951ce7c22661a3e2ecf50633c50e3d26fa33c2319c139b288825b7aa5efbd133a5ce7483feecb11167099565e3131d5f0cb360f2174f46cb6b37c":104:"08d7cc52d1637db2a43c399310":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e9a0391435acb57eae2e6217e0941c79a3ff938ec6a19b8a7db2ea972e49f54":"":"27cd1d7af7e491e30c8110cc01392529":"79140d32bb32dace0779e2d37a0f744d6d973e99a279962b43a6c0af63772e8a0a21d5d9dd3c33d4b218cb2f6f24dd8d93bb4e1e6a788cb93135321ecfed455e747fa919b85b63b9e98b4980a8ccb3b19d50d735742cb5853720c2ad37fa5b0e655149583585830f8d799c0d2e67c0dc24fc9273d9730f3bb367c487a5f89a25":104:"fbb477dd4b9898a9abc5a45c63":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55a12eeca637654252e3e40b371667e3f308b00f2fd2af696223e4cd89e3fd4e":"":"8a3793b6441258360f7f4801b03d0b26":"f5810dc5f25e49bd6d94bc63c2494aa7a579a4056a25f1dd9b2734d0b8731ee52523edd54ff475651d45c213e1bf254327fb0e2c41a7d85345b02bcc9d27b08915d332e1659671991a4bb74055967bebbba6ecceb182f57977130623d5a7b2175fa5a84b334868661c1f450b95562928b4791759796a177d59ed18bbf141e2ad":96:"99230019630647aedebbb24b":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d353f870a9c088de5674efd97646b9c5420b2bcdfcffefcadd81682847e5331":"":"f267fa982af5c85359b6447f9b7715ea":"7cf55630867af5dff747c8dd25bcc531d94a7730a20b6c03d46059ea93fcaa00d07ee17dad0e0dff814b02dfef0cbe00b37fd2f5f95ead7c72be60016f2934d7683fc1e47185c7211c49cb03e209b088edb14e533dbcb792ab7033728904f7ff12381a236dba97894ec1fafcf853ab15fff343f9265d0283acef10168ffd1271":96:"9553b583d4f9a1a8946fe053":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d227c9ff5d17a984983056fb96f3991932ae8132377529c29238cf7db94a359d":"":"b8f6536f376a7efe0e684acf350bae70":"1cc25da31f90de7fa47ebce92754d3faa99f88d4e25ccab45645c1acdf850d55d7f02f61a0bfdc3125f29259d7da8abef532fe0966c63d3486753c8a2cb63a39349a0641b2f2b9526a03b97d58ca60fbb054c6c164ff2836688b0cad54df2b165bc082eeae660e768dde5130e30f8edc863446661c74da69b9e56de8ae388da0":96:"44b95a37fab232c2efb11231":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b2a57ef85ffcf0548c3d087012b336c46f6574cf1d97ca087bfad042ee83eec2":"":"3d580402d2a8dc4d7466e5dcb456be7a":"c2b9e95c16e55028794a63ef82d11fb83a2a75dc34a81f238e472c33264534bdd54cd07d02a0ecf9019ad1a6d6c779f339dd479e37940486950f183bade24fca2f24f06d4037b3555b09fc80279ea311769473eb0630b694a29823324cdf780d7d1a50d89f7a23b05f7a8c3ad04b7949aa9e6a55978ba48d8078b5a2fd3c1bbb":64:"072d4118e70cd5ab":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63889ed5bf2c27d518a696b71c0f85592e3337aae95b5bf07289e4c5dfdc088d":"":"1ad534280a0fac7dce31f2ae4fb73f5a":"be1b9dabea33bb9443e27f674b27931c0fba699a33dc86fab29e50b76a9441030444b465317bbf2949faf908bc1b501d11a5ea2042e4b460a85f3be5836729e523d99b56ef39231d5c6d8ae2c2ab36ef44e2aa02a1f2c559c6e333216c7f9ed5f9b880a88e920219204c99a3ae8f90afd1396563bc59a691a93e0070b0b5fd90":64:"1bcea0ac2c1a0c73":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94e3e2c17cfb6f52d4fdba3ba6d18bba891b6662e85df14d7e61f04adb69e0e5":"":"8a80efb3bfe220526997543409fddb4d":"05da1b0f7ac6eef488d3f087ecae7f35abe3ef36d339709dc3fcb5b471979268ee894c3b6c7f984300d70bc5ea5fba923bfb41d88652bdaecc710964c51f3e2ae2c280b7d6c8e3b9a8a8991d19d92d46c8a158123187f19397ad1ad9080b4ffd04b82b5d68d89dacd3e76439013728c1395263e722b28e45dabf1ef46b8e70b5":64:"faa5c13d899f17ea":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5e479ad0d79dbf717a1f51f5250d467819e444b79cb3def1e0033c80ddadd8":"":"47ce838083fd070d8544c0ad5337cdc6":"98476bf05a18c4ff1b6024dd779c1ac06d838705a0a83fe42bee5fc6ebf3b2a1a5049b67f4aabc8239cd6ff56504bcbad1e2498c159bbec2a6635933945f6ea49e5bc763dcf94f4b3643d3888f16105abb0965e24f51cb4949406124145e9ae31cc76535b4178492f38b311099df2751f674363ae7a58f6f93019653b7e6a6f0":32:"a3958500":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"27d4dedb71a8f68ca5ce2b9e56da772bf5a09b7981d41cd29f485bd2d1adb8d4":"":"7e6f0343c54539717a97b6c8b9f7dec4":"d386db78043f719b7e137cbf79a7f53dda2fe3baccbebb57d499f6eb168e5151f10081d76b72ae0f30165efbdda469e826f9246e59dbcad5c0b27691c00d6c192c24073e99c19cf8c142087c0b83c4ce2fc7ba1e696394e5620ab2d117d5dcd2ac2298997407fd5de07d008de8f9941a4a5f8074736a59404118afac0700be6c":32:"50fd1798":"":"":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a7aa836a469d28542d0d24d3232fad266da8fc889c6b6038b726d3da25f7b20":"":"9faf7cd805803e143ec8f3f13475efd2":"1006c707f608728b2bf64734062b12a5625062bcdcb80a3ce2058352a2922d5e6fbe19681b4f0d79ad3c837f81e72f2fbf8df669894e802a39072b26c286f4b05188c708f7c6edd5f5bb90b87ffa95b86d84d6c1c4591b11d22c772a8ad7f2fe6bd8b46be0e93672df2e8bff8ba80629e1846cfd4603e75f2d98874665c1a089":32:"07764143":"":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9444fd176acbe061d0221fde3ddfcc4ff74e995d981a831297c4cbda51c22a1":"c146ff5a988496cad7eced7a2ea471e0117d5d6bd2562c23ce9db4bf36d83ba3fc22e90486ec288a627d208e0b2fd3b65f8301cf7fc41d97959981a95cd1cf37effc46db99b94b21c941c3613c26a10b1a6b7793f467d58ff5134612230f1c49d7e1fcf664fe52fc6eca46273982f6fe729b009d90eb8d8e4a0b0dbe907b76da":"5714732145470da1c42452e10cd274b5":"":128:"db85b830a03357f408587410ebafd10d":"":"a3cad9a57fa28e6f6aaa37150a803bf8b77e765f0702e492c4e5ebb31ae6b12d791149153e469a92bb625784a699fd7ca517500ee3f2851840ba67063b28b481e24ba441314e8b7128f5aaccaf4c4e2c92258eb27310bf031422b7fc2f220f621d4c64837c9377222aced2411628018a409a744902c9e95c14b77d5bb7f5846b":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"686d3bd071e3f46f180611bc4ec8d7726fe72b6c617e7d42b3339f53918c9e36":"21983ad66449c557263aef299da6eef8f31d576fc17ed2dac3e836f7c2ceaff3094b2695452680e188df10c174810efd1fbaa6c832baedce0b92e4c7121447f6461ac909b4302cdf658095b1de532b536faa4fb38cfdf4192eb5c3fe090d979a343492f841b1edc6eb24b24bdcb90bbbe36d5f8409ce7d27194a7bb995ecc387":"a714e51e43aecfe2fda8f824ea1dc4b7":"":128:"cd30c3618c10d57e9a4477b4a44c5c36":"":"9610908a0eb2ee885981c9e512e1a55075a212d311073bbb2fb9248cce07af16ee4c58bdc8dbe806d28480f9065838146f3e1eb3ae97012cfe53863a13d487f061a49a6c78ca22a321fa25157dbe68c47d78f2359540cc9031ee42d78855ed90e6b8ea3d67725bfffcb6db3d438c982b5f88d9b660f7d82cb300c1fa1edebb6b":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe81f15a02e2ecf46e61199c057102d160e6b5d447d4a275972323fff908c3e":"0b4ee0385e6665da8fd2ae47f2d0cf1c5bd395a3bb447047ab5a3ae0b95355bf83d0381119a8d4c01acbe60cd7885da650502f73498a682fdc94f7b14f4c753226064fa15e3a90a6083e053f52f404b0d22394e243b187f913ee2c6bb16c3033f79d794852071970523a67467ce63c35390c163775de2be68b505a63f60245e8":"91d55cfdcdcd7d735d48100ff82227c3":"":128:"cd7da82e890b6d7480c7186b2ea7e6f1":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c2095e1379389dc3810e8819314f5a2f87d1494213c5b1de1a402f7f4f746c4":"26ec8ebac0560538a948afbc18fb730e9a91f21392bde24b88b200f96114b229a5b57fa9d02cf10e6592d4dfb28bf0f00740c61157ce28784e9066ea3afd44ecf3a494723610cb593c0feffc6897e3435c6f448697ad3e241685c4e133eff53bdd0fe44dd8a033cfb1e1ea37a493934eb5303ae6ef47ce6478f767ef9e3301ab":"19788b2e0bd757947596676436e22df1":"":120:"f26a20bea561004267a0bfbf01674e":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be5351efc0277afc9759ec2464a22cb4401f7a17efd1a205e7af023c7ed30ee1":"1eca91406f338fc09c2988b1d7dc8c409d719300c03840a497d7b680cdd5e09b144903477f7116a934e1d931cf368af1fc2a0a0e7caa95475a3cd7bf585a16fda31eb3f8201db0216b37a1635c1c030836b3dd05ca5b0194388fa198e717822131d5d4318690ef82d35ac80b27fff19aec8f020dc6c6ce28f0813bbbf8230ad9":"c6b26117d9dbd80c1c242ad41abe2acc":"":120:"61051d6c0801b4a6b6ca0124c019f3":"":"95447aded336d6c20d483a6f062d533efed0261ad321d37bf8b7321b98f55c0f0082ce7f3d341b18fea29a72fc909d30cd8c84a1640227227287674a9b2f16a81b191ecf3b6232d656c32d7b38bea82a1b27d5897694a2be56d7e39aa1e725f326b91bad20455f58a94a545170cb43d13d4b91e1cee82abb6a6e0d95d4de0567":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"814c2cdfdeecf39d43bb141fbfc62dac44f7552c5e5dac2d4913303fc860119b":"0d3013a1d7132f685d001420daa6c7b643bc36b887511acc4588237d3b412c79e4ebba29c08248ad46c7239e8daa232b7483c9c4e3d1c0bbebc696401efe21f7fd6fc0525a4ab81bd9a893d5f7ab23b70ed07c00f33649b8a996a006de6c94f7793f72848793f4d5b31311c68aae1e715b37409fbe506dac038a0950f05fe82b":"0db3ade15cb0dea98a47d1377e034d63":"":120:"e62f910b6046ba4e934d3cfc6e024c":"":"374d03cfe4dacf668df5e703902cc784f011f418b43887702972dcc3f021bcb9bdd61ed5425f2975b6da7052c4859501eb2f295eb95d10ba6b2d74e7decc1acacebf8568e93a70a7f40be41ac38db6f751518c2f44a69c01c44745c51ad9a333eda9c89d001aa644f1e4063a8eb2a3592e21c6abc515b5aacaec8c32bcf1d3c4":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1ae4541110f2bc4f83cd720b5c40c8315413d896e034b75007f172baa13d29ec":"5ea811e7fbfc0e00bf2a6abfac50cad9efd90041c5f7fb8f046a0fecbd193b70a2de8a774d01dd3cd54f848cb3e9f5152ee1b052ba698bebfba1fbbdae44a260447d6e6482640ae4d01c9cac3d37d4ffe9a0de0b6001de504a33ef7620efe3ce48ecd6f5b1b3a89185c86d4d662a843ff730e040e3668d6170be4cced8a18a1c":"83f98eec51ee4cae4cb7fe28b64d1355":"":112:"df47eef69ba2faab887aa8f48e4b":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20c9b662ec4bd13bf58d64cb0a7159b0e7fee4703af66292bf75c8bd6e42e8dc":"45b64f2ed5ac707890c0c1726adf338770ce6a728fe86bb372c4c49409a32705f881bc4d31a27c455c7c7df9dd2c541743523e7d32f88930d988857847f011be5f5f31a31e8812745147cbff5c1294d0fd4a7285db4833f22bf1975250da99c4d0dd2c9688d7f8001bb6ef2bc898ce4d42c5b78e74645b56ce992338f49d4183":"2bc0847d46f3d1064bbf8fe8567f54a2":"":112:"5a1bf25aa8d5c3fe5cf1be8e54a1":"":"9079d6275db076625e8474c2914fe483d413d5339202f98f06c3b0ef063d8f3d31029deaf7f9349bfec57e5cf11f46f02d5a6520c7992efc951adbbea6d08e53faeb10dfe8b67ee4685da9ea4fe932551a65821147d06d4c462338e6ddda52017c2bc187fd6d02b7d5193f77da809d4e59a9061efad2f9cadbc4cd9b29728d32":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0a1554db37f2e275732a77e521cbd8170729d8677a85db73feacf3c66a89d689":"5421d93b7e6e0091978c673df4f3a406aef5f13eb5e6f95da19b0783308cbe26d4fd6c669cc4a9f069d7e62e4c6fad14b80e918fe91556a9a941a28b3dbf776a68ac7c42df7059b5ed713e78120aec84e7b68e96226c2b5e11a994864ed61b122e7e42ef6cfdae278fadbae1b3ea3362f4e6dc68eef6a70477b8a3ffcfba0df9":"b9194a4d42b139f04c29178467955f1d":"":112:"05949d591793ca52e679bfdf64f3":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ab1d9bb571c4bdc9f3ef340914bddcfe0c8e7718d4a2530334372cec86e5fcb":"80bcea307e009745724d5f15d21f3b61a5d5a8401530346b34a2adfa13e3e8c9c9327d6fad914b081e554fbe6c1c6fe070b566620e559555c702c0ab5becf61ea1d9de64351ce43b2276ef4e20b5af7ce43db6d21286af4e740ef00c6d790705afcf0ee4850fffc12c662f2bd8212feb21db31065ab8f717a7509c213352b869":"6a5335901284dd3b64dc4a7f810bab96":"":104:"04b8e5423aee8c06539f435edd":"":"36b9602eee20b8f18dce0783cd1e01a799f81ae0a1ce6d293a26c62f47e7dad85c8446697cc09c81d3d9ead6f9e55c4147211660c8aea9536cc5516e9883c7d6854be580af8cd47ba38fa8451f0dad9c904e0e7f9997eff7e29bf880cd7cedd79493a0e299efe644046e4a46bf6645dfb2397b3a482a346b215deb778c9b7636":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dddbd5657e22750bfe6baa70a1f4ac46c1ef8bee573a57cfcef50b66f85e593":"2bf5aba83a8161b9d21ff29251fb0efa697b1ea9c1b3de8481d5fd4d6b57afda0b098decdc8278cc855f25da4116ed558fc4e665a49a8fff3aef11115757a99c10b5a73b1f794f9502186c13dc79442f9226bbf4df19a6440281f76184933aeae438a25f85dbd0781e020a9f7e29fb8e517f597719e639cbd6061ea3b4b67fb0":"fcb962c39e4850efc8ffd43d9cd960a6":"":104:"1d8cdadcf1872fb2b697e82ef6":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6916b93b2712421f1f4582de7ec4237c4e42e2b32c7dced2f8bb5bd2e0598312":"3739cca20279a36ddb857ac22beae901a49529b3182463ab81a7c46e437eb0b0571e8c16f7b626ecd9f2ca0cd83debe3f83e5d58ed3738899f4b616755eb57fb965208f261736bdf7648b1f8595c6b6a779768115e3077dfee7a42d44b555a51675fb1ce9961d0e21b2b9b477c0541184350e70decf7c14a4c24b8a6cd5fed8e":"b4d9248bb500e40de99ca2a13e743f1c":"":104:"090d03446d65adcc0a42387e8e":"":"0255be7ac7ac6feb3a21f572f6a593cc8a97f17af7064c80e478f4a6c469cf94d604bc014b003bf284d216161a9c8a493af43c6a0d8caf813a9e6f83c7ed56dd57543876b11f76aa2be80dcd79d19ac61f00fa423ac2f52fae7a8327cd91494ca4116feb735980ad0a4b1445cb7f38cc712b8aee72179e65b97fca38694e3670":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b751c8b724165009a8bd97a9d2a0e22cae5a95c4743c55eeeef0a6fe7d946bec":"e8546a5af1e38114822e60e75563a9399c88796f303c99c69d1f3c50379da81e1cd5b5a4a721e23c59da58ea4361b7ff58408e506a27fea24f9a235c6af7f7a5bd93fa31e90edfc322821c08d6324134830b7fe160b4a3e6d27866a10e6e60762a31618ef92f5c67ccb1deb1f1b188f0e687165e7c366c7418920df4f4fcdcae":"160c50c0621c03fd1572df6ba49f0d1e":"":96:"9fef9becf21901496772996f":"":"175fa6b7cd781ec057ff78ba410f2897a920739b5fc4f04bc9b998fbc7cc18e327ad44d59b167e4627256aaecd97dc3e4a7c9baaf51d177787a7f4a0a2d207a855753c4754d41348982d9418b6b24b590632d5115dc186b0ba3bec16b41fa47c0077c5d091ec705e554475024814c5167121dd224c544686398df3f33c210e82":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0faf32c22c2a4ee38fe4b5ce08f98fdf6f83b5038dcba5ec8332b3eeb5c710c7":"8a556cc30075753c6e94c2f669bca2058ff6abcbffffc82da7cfca0a45af82dfb4cf487ceb4ede72be87ee4c8b72db1e96459de1dc96721464c544c001d785f2188b9fccaec4b1a37970d38b326f30163d2fdfdf8a2ce74aec55abcd823772b54f8081d086a2e7b17b4086d6c4a5ea67828ef0b593ea1387b2c61f5dfe8f2bb0":"04885a5846f5f75a760193de7f07853c":"":96:"0c13506ed9f082dd08434342":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dddc3d2f82bdcdbc37648a6b9b416af28753740f8e998cd1a52a0b665369f1c":"07bf84b15b21951fd22049be6991a672503ae243b8d285fb1e515e1d2c36bfd5b0d0bcce85791f2cea8f616aed68a7d9cf4eaf76418e8b1ec27751de67cbfd9d9f7905b2667904f10d598503f04c04ea00a681ff89a9c446d5763898430bd7a9dfebfe544e3ed3e639b362683a651e087626ffa63c0c2b3e0dd088b81b07f75e":"0a93b883cbd42998ae2e39aab342cb28":"":96:"5c37918edb7aa65b246fd5a6":"":"ff7b7b2f88b8c6f9f9bad7152874e995eea0ff1ce1ecd9b8d563642a37a31499f14d70f0dd835b7adf80928497f845fd8c2786cd53af25f8c9fe1bba24e3c3860162635bbed58f06cf6c9966bb9b570987a48329279bb84afb9e464bb4ad19ae6600175086e28929569027c5285d2ed97615e5a7dada40ba03c440861f524475":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0b1a62e46e7712277fc711e19d0c0c865ee77b42ac964b7202dbcaf428086c2":"7dd7c0787fdbea4aacf929341659dcf4b75cbca8f92001e8b62a4d7b40272c5755fa9c445857db05328dc11ce5221f044f4b3dafbf0e2d72a1ad0d3e4c804148db578218690ccc620d8b97b4450ff83400a6caaa959617611446a6627138a4067be9ea410d4b0581022ab621928205b4a4480560fc4c2c3b39a2805684006f35":"e20957a49a27e247d00379850f934d6c":"":64:"c99751516620bf89":"":"9307620479f076c39f53965c87d20c2aff11c736c040dba74cd690d275591a5defc57a02f6806de82eb7051548589484364f6c9b91f233a87258ede1ee276cb2c93b4fc76f4d7e60cbd29ba2c54cb479c178fa462c1c2fb6eeb3f1df0edfb894c9222b994c4931dedf7c6e8ddecbde385ddf4481807f52322a47bf5ff7272991":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ffcc1c88fba1723b3ab57b458d9bffb98b878c967fb43b9db2ae0753d32a3bb1":"19b6dec86d93c466307de3a36c0791ed1010b1b9cf8d30347ae46e0f9283c9fda43da8cb491dd17cc4298b1f0b876d6a0f4bcbc9667fe34564bc08f8f7b67045057d19f4bf027bc839e590822fa09a5cef1af18e64a0116aa2a01a3f246c2b5272c18c9aa23efe674ba53d533ae8f0695cb78c1155cdc7a9d7fae2c4567dc07c":"d533c2170c5dc203512c81c34eff4077":"":64:"167ec8675e7f9e12":"":"0539287ac546fe5342e4c3c0ec07127dcd22899abfe8cdd6e89d08f1374d76e877bec4844d06e0a9f32d181c8d945ba16a54ce3725fae21d8245c070a4da0c646203d6b91325b665ab98c30295851c59265b4ab567b968b6e98536b7850738d92e9627b4c9c6f5d9ae2520944783d8f788a1aa11f3f5245660d41f388e26e0a1":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55e94b339c3bafe068ef9cc30787cc6705850114976843777c92b4b331801650":"147cc7bc4008dadf1956520b5998d961499bdf3d8b168591adbfd99411ad7b34eb4b2a5c1bb0522b810fec12dd7c775784d7ecdc741e6dec8191361e6abf473b219221801951b4d5ffe955ab50eef9cffdfee65ba29ddfa943fb52d722825338c307870a48a35f51db340aa946c71904d03174b1e4a498238b9d631a6982c68d":"2e2b31214d61276a54daf2ccb98baa36":"":64:"5266e9c67c252164":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13c9572bdef62510d84f2d415cc481cd1e71b9c1132b43e63b21ba4e16de9b39":"7c78e634dec811173ff3c4a9a48ae3ae794fbd2aefd4b31701777ff6fcb670744c592a1d298d319717870dca364b2a3562a4ffa422bf7173c4f7ea9b0edf675e948f8370ffd0fd0d5703a9d33e8f9f375b8b641a1b1eecd1692ad1d461a68d97f91f9087f213aff23db1246ee16f403969c238f99eed894658277da23ced11ee":"a8339ba505a14786ad05edfe8cebb8d0":"":32:"df3cab08":"":"91f9780daefd2c1010c458054ac6e35baa885cdd2c95e28e13f84451064e31e0739f27bf259cb376ab951e1c7048e1252f0849ccb5453fc97b319666ebbfbc7ef3055212a61582d1b69158f3b1629950a41bc756bded20498492ebc49a1535d1bd915e59c49b87ffebea2f4ad4516ecdd63fa5afda9cce9dc730d6ab2757384a":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30a14ca53913acbb215b4e4159083106db3fff83cbedd1e5425f65af1e94f5dd":"8c5f73ee1544553b712ad7a14f31379c8d54a4e432fb6c5112436988d83c4e94954b0249b470538fb977b756fbee70b811d4dc047a869e207bb0b495f1e271d0034e912000e97594033e0dedde0591b297f8a84bafcc93a46268a5bba117b558f1c73513e971c80a7083e1718fc12d0cc0d996a8e09603d564f0b8e81eea28bc":"4f23f04904de76d6decd4bd380ff56b1":"":32:"18e92b96":"":"bb4b3f8061edd6fa418dd71fe22eb0528547050b3bfbaa1c74e82148470d557499ce856de3e988384c0a73671bf370e560d8fda96dabe4728b5f72a6f9efd5023b07a96a631cafdf2c878b2567104c466f82b89f429915cf3331845febcff008558f836b4c12d53e94d363eae43a50fc6cb36f4ca183be92ca5f299704e2c8cf":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e69f419140289ac25fb0e2ef9cc4f7e06777ac20f7d631918d1af0c8883b7d6a":"ff8dfa4e70490ea9c84cb894dc5d7e1b935ebcdea80a39c4161d4db42cbb269cc86abd381af15ec9a4a42ed18c1eed540decec19722df46f22aa06883297cb393fb23e4bb31a817e88357aa923c7ecbcf24c28a09f622dd21fa70c0a02193024fdcefeaa96cc1b50f81a65dfa9e1bb5126f0c9766a861eed096ec15fb07b0f81":"531248afdaaf1b86cf34d2394900afd9":"":32:"c6885cdd":"":"f75299e0ead3834fc7ebd4b2051541b598ad57cc908fdcd4324cf4ccf7dcf7b3f0737ad6c026399a8b1b6d3d50011b3c48ea2c89833b4b44c437677f230b75d36848781d4af14546894eecd873a2b1c3d2fcdd676b10bd55112038c0fdaa7b5598fe4db273a1b6744cba47189b7e2a973651bfc2aaa9e9abea4494047b957a80":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"404a5d1ac9e32f9caabffbfa485ce9c27edc9e5cde0f2aab4f32ce3121449b88":"b63ec4d28854b7fe2d4d13973f5bcb16f78494ce25cc2820de9d0dc1d8d91db1f19bc9e01cee8418c9e88a69b2f30cdbb0dbdbb50be71e1e666c111c126f2b7197c02f69a1b2ec5e1bf4062b2d0b22fb0fa1585b4e6286b29f6ac98d1b1319dd99851fa6921607077d2947140fdeeea145b56ea7b6af276c9f65393bc43ede33":"b6e6c078e6869df156faa9ac32f057c3":"6ebc75fc9304f2b139abc7d3f68b253228009c503a08b7be77852da9e1afbe72c9ab374740b0dc391fa4d7e17de6a0aa08c69e6f5c5f05411e71e70c69dfbcf693df84c30f7a8e6c7949ea1e734297c0ea3df9b7e905faa6bbdcaf1ff2625a39363308331d74892cf531cb3f6d7db31bbe9a039fca87100367747024f68c5b77":128:"94c1b9b70f9c48e7efd40ecab320c2d3":"":"56a0ac94f3ec7be2608154f779c434ee96db5ed4f5a6e1acfb32361ce04e16e1337be5978df06d7c4f6012385fb9d45bb397dc00f165883714b4a5b2f72f69c018ffa6d4420ad1b772e94575f035ad203be3d34b5b789a99389f295b43f004de3daaef7fa918712d3a23ca44329595e08da190e3678bc6ad9b500b9f885abe23":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b56f0c980acf7875cf7f27d53ad4a276adc126d0b93a5774ac4277eecad4309e":"2c94299e36b7c4a825ecbc5a7809061e0a6761764a5a655ffdb0c20e5c3fcb10f4e93c68aa0a38c2acc5d06f2b7c4ff4fcf814b551bfefa248dbe06a09a0f153213538a31fa7cf7d646b5b53908d8978f514c9c4d6d66f2b3738024b5f9c3fd86b6da0c818203183f4205f186ea44a54edb911b1a17c424c95852c8d271b2e93":"b004c049decfb43d6f3ec13c56f839ef":"b2045b97fbb52a5fc6ff03d74e59dd696f3f442c0b555add8e6d111f835df420f45e970c4b32a84f0c45ba3710b5cd574001862b073efa5c9c4bd50127b2ce72d2c736c5e2723956da5a0acb82041a609386d07b50551c1d1fa4678886bac54b0bd080cc5ef607dca2a0d6a1e71f0e3833678bf8560bc059dae370ec94d43af6":128:"fce7234f7f76b5d502fd2b96fc9b1ce7":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c5027c36e6caa1b3e5e45fead32b5e3126ac41f106c491b0b3a7c16502f4fe6":"58f0ceaa31c0025d2e6bb58720cce4b64f5f6c657c847ae42936eb1e343fea397c8a8cf2f5ef02ffaec25f431900dcb0910cf32cea9eca3b78aed1c451c7af51066489f87b2a5f8cf28d6fdb6ce49d898b6167b590a3907be7618be11fb0922a3cfd18e73efef19e5cdc250fa33f61e3940c6482ae35f339e8c0a85a17379a4e":"3ee660f03858669e557e3effdd7df6bd":"93e803c79de6ad652def62cf3cd34f9addc9dd1774967a0f69e1d28361eb2cacc177c63c07657389ce23bbe65d73e0460946d31be495424655c7724eac044cafafe1540fcbd4218921367054e43e3d21e0fa6a0da9f8b20c5cdbd019c944a2d2ee6aa6760ee1131e58fec9da30790f5a873e792098a82ddf18c3813611d9242a":128:"ac33f5ffca9df4efc09271ff7a4f58e2":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"34c3019810d72b5e584f0758f2f5888a42729a33610aafa9824badade4136bbd":"22deef66cbb7db240c399b6c83407f090d6999ba25e560b2087fed0467904bb5c40cbaa05b8bf0ff5a77c53fa229478d8e0736414daf9c420417c391c9a523fd85954533f1304d81359bdcc2c4ac90d9f5f8a67a517d7f05ba0409b718159baf11cd9154e815d5745179beb59954a45a8676a375d5af7fae4d0da05c4ea91a13":"f315ea36c17fc57dab3a2737d687cd4f":"f33c5a3a9e546ad5b35e4febf2ae557ca767b55d93bb3c1cf62d862d112dbd26f8fe2a3f54d347c1bc30029e55118bab2662b99b984b8b8e2d76831f94e48587de2709e32f16c26695f07e654b703eba6428f30070e23ed40b61d04dd1430e33c629117d945d9c0e4d36c79a8b8ab555d85083a898e7e7fbeb64a45cc3511d99":120:"0bae9403888efb4d8ec97df604cd5d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29397d98fc5a7f04b5c8b6aa3a1dd975b6e4678457ae7f0691eee40b5397503a":"0bbf1079cb5569c32257bc7e52371db46f3961b457402b816588243b4523543430d5ca56b52de6632724c51e6c3af310b28822c749a12bdd58dee58bbc3266631562a998ec3acdc8a2567a9f07f7f9759c3f50b1d1dcdd529256b80c0d227fc1fe8b58c62d1c643f1ac2996809fd061afcf4a9af184c14db9e63ec885c49de61":"885543a45fd1163e34ef9276145b0f8c":"d88beaa0664bcef178cbdbfab17ff526b5c0f8ad9543c6a312d93c336707fbf87c0448b07a550580953279f552f368225cc6971f1eecc718d6aad1729c8d8873081357752bd09d77075fa680cb2dc4139171e4a0aaa50b28c262c14fd10b8d799ca1c6641bb7dfdfdf3dea69aa2b9e4e4726dc18b0784afa4228e5ccb1eb2422":120:"7b334d7af54b916821f6136e977a1f":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7555dfcf354da07fd70f951d94ec1d86a635edfdb7929460207b2a39cc0cf4a3":"a1351cfffd1b0cbf80c3318cc432d3238cb647e996b7b53c527783594683f535950cd08788687c77226b2d3f095955884adc2e475ca1e1eab04e37d5e901ae8934a9d3a0cb37b80612ca25d989856dfa7607b03039b64d7dcd468204f03e0f2c55cb41c5367c56ca6c561425992b40e2d4f380b3d8419f681e88ebe2d4bdad36":"e1b30b6a47e8c21228e41a21b1a004f0":"bf986d3842378440f8924bb7f117d1a86888a666915a93ba65d486d14c580501e736d3418cebee572439318b21b6e4e504a7b075b8c2300c014e87e04fa842b6a2a3ebd9e6134b9ddd78e0a696223b1dc775f3288a6a9569c64b4d8fc5e04f2047c70115f692d2c2cefe7488de42ff862d7c0f542e58d69f0f8c9bf67ef48aea":120:"d8ef5438b7cf5dc11209a635ce1095":"":"95e8db7c8ecab8a60ceb49726153a7c5553cf571bc40515944d833485e19bf33cb954e2555943778040165a6cfffecef79eb7d82fef5a2f136f004bb5e7c35ae827fac3da292a185b5b8fc262012c05caeda5453ede3303cfeb0c890db1facadaa2895bdbb33265ada0bb46030607b6cf94f86961178e2e2deeb53c63900f1ec":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bbeafe86c72ab0354b733b69b09e4d3462feb1658fe404004d81503f3a6e132f":"a033c2051e425d01d97d563572e42c5113860e5dedcd24c76e3e357559ba3250f1fc5d4a931a9d0900ac025400f0158621f0b1215b2907467bfc874bcabbb28e28de81fe1ee5b79985261c512afec2327c8c5957df90c9eb77950de4a4860b57a9e6e145ea15eb52da63f217f94a5c8e5fcb5d361b86e0e67637a450cdbcb06f":"ee1caba93cb549054ca29715a536393e":"e44b0e0d275ae7c38a7dc2f768e899c1c11a4c4cb5b5bd25cd2132e3ecbaa5a63654312603e1c5b393c0ce6253c55986ee45bb1daac78a26749d88928f9b9908690fc148a656b78e3595319432763efbcf6957c9b2150ccabfd4833d0dcee01758c5efb47321a948b379a2ec0abcd6b6cbf41a8883f0f5d5bf7b240cb35f0777":112:"a4809e072f93deb7b77c52427095":"":"e62adf9bbd92dd03cc5250251691f724c6ece1cb89d8c4daf31cc732a5420f6bedab71aab0238ba23bd7165ed1f692561ef457fd1d47413949405b6fc8e17922b17026d89d5830b383546ea516a56f3a1c45ec1251583ae880fa8985bd3dcc1d6a57b746971937bf370e76482238cc08c2c3b13258151e0a6475cc017f8a3d0e":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ad06c88dd4f3becf35eed95bb859be2406a1803a66e4332a74c5f75c09b9a01":"2219c11672884b93d0290b6a7140feafe416461f1cdaf0b3aa64693d7db2eb10feae46aac7af549fa1b0abc78c11f8df7ee803ef70310fc3e67769f8b4bc64f81143a6ebf8bee9d386a8ede5d2cc0ed17985a3b7bb95191ef55e684690ccdc5ca504bc6eb28442b353861a034a43532c025f666e80be967a6b05b9dd3a91ff58":"07d8b4a6e77aef9018828b61e0fdf2a4":"cca1fd0278045dda80b847f0975b6cbf31e1910d2c99b4eb78c360d89133a1c52e66c5c3801824afc1f079d2b2b1c827199e83f680e59b9a7de9b15fa7b6848b5bf4e16a12ac1af4cf2b4d7bb45673c5e1241e9996440860a9204fc27cae46a991607bc5e7120d6c115ddcbdd02c022b262602139081e61eee4aba7193f13992":112:"e3ede170386e76321a575c095966":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87bbf7c15689e8c99a5a32a8ba0dfebcfe1989159807428cdd1f382c3ea95178":"b77d3bf3b30b3e6e5c86cbfb7e5455f6480f423cc76834b4663d28d9f1eb5c40212634e3347668427f7848352ab789886f96682a568260bdaeb7de0aae2af36f5ae04f06c332b158d923706c1c6255c673feeadb6d30bfc901e60b92acd9ddd83ef98686c4d492f4a60e97af2541d470a6a6b21903441020ea7619cf28a06986":"2f19aa1f3a82a7398706953f01739da7":"590dbd230854aa2b5ac19fc3dc9453e5bb9637e47d97b92486a599bdafdfb27c3852e3d06a91429bb820eb12a5318ed8861ffe87d659c462ef167be22604facfa3afb601b2167989b9e3b2e5b59e7d07fda27ffccd450869d528410b0aff468f70cc10ef6723a74af6eebc1572c123a9b5a9aab748a31fa764716d3293ff5de7":112:"5c43fc4dc959fabeebb188dbf3a5":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24095a66b6eb0320ca75e2ab78e8496a45f4b000fc43436904c3e386fb852ed2":"4690edc843e23d9d9b9a4dab8fa8193f8bf03897d3d29759e9dc9e0f8a970c0f5d4399b9f60461fe5cf439f9b0d54bbc075695e4d76b76298cc2b75bb3e0b516ee9ada93f77c4c002ba9fd163a1e4b377befb76c1e5ab8b3901f214c0a4c48bd2aa2f33560d46e2721a060d4671dc97633ff9bcd703bb0fbed9a4a2c259b53f3":"0955c1f0e271edca279e016074886f60":"f5160c75c449e6bb971e73b7d04ab9b9a85879f6eb2d67354af94a4f0ca339c0a03a5b9ede87a4ff6823b698113a38ae5327e6878c3ccc0e36d74fe07aa51c027c3b334812862bc660178f5d0f3e764c0b828a5e3f2e7d7a1185b7e79828304a7ad3ddcd724305484177e66f4f81e66afdc5bbee0ec174bff5eb3719482bd2d8":104:"75a31347598f09fceeea6736fe":"":"0dd2dca260325967267667ff3ccdc6d6b35648821a42090abba46282869bac4bdc20a8bee024bea18a07396c38dbb45d9481fedcc423a3928cfa78a2f0ae8eedb062add810bdbee77ddc26c29e4f9fda1ab336d04ef42947b05fbdb9bc4df79e37af951d19d6bf5e5cb34eef898f23642a9c4a9111ed0b7a08abeeefbbd45c23":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"086b77b5731f971f0bf5b8227361b216746daf8b08c583ad38f114a64aa7877b":"629317212ff8bd8a7676e4c00b81a9577de6397c832f99ac974fa2bbbccb6e3b8aa776db6922eed0b014bf3923799da7d9d0854c8817470e1e2f7fc7a572f9d0316ee60cde7ef025d59b897d29a6fee721aeb2f7bb44f9afb471e8a7b0b43a39b5497a3b4d6beb4b511f0cefa12ce5e6d843609d3e06999acfbee50a22ca1eee":"164058e5e425f9da40d22c9098a16204":"6633eae08a1df85f2d36e162f2d7ddd92b0c56b7477f3c6cdb9919d0e4b1e54ea7635c202dcf52d1c688afbbb15552adda32b4cd30aa462b367f02ded02e0d64eeee2a6b95462b191784143c25607fd08a23a2fbc75cf6bee294daf2042587fdd8fe3d22c3a242c624cf0a51a7c14db4f0f766ec437de4c83b64f23706a24437":104:"2eb6eb6d516ed4cf1778b4e378":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0f9e806b0d937268561c0eafbbdd14ec715b7e9cef4118d6eb28abbb91266745":"2ae4baef22ace26f464a9b0c75802303f2d7c0f9a1ed1d0180135189765bdd347fea0cc2b73ee7fbbf95ea1fda22597b8aad826f63e744069a9c349488b2cc1cf9372f423cc650302082125724730ae5a4d878e07385ddc99034c6b6b46748f02c80b179fe6406b1d33581950cb9bcd1d1ea1ec7b5becfd6c1f5b279412c433a":"8657996634e74d4689f292645f103a2e":"2ca253355e893e58cb1a900fbb62d61595de5c4186dc8a9129da3657a92b4a631bbdc3d5f86395385a9aa8557b67f886e3bb807620e558c93aea8e65826eadeb21544418ee40f5420c2d2b8270491be6fc2dcbfd12847fa350910dd615e9a1881bc2ced3b0ac3bde445b735e43c0c84f9d120ca5edd655779fc13c6f88b484f7":104:"83155ebb1a42112dd1c474f37b":"":"87d69fc3cbc757b2b57b180c6ba34db4e20dde19976bfb3d274d32e7cea13f0c7d9e840d59ce857718c985763b7639e448516ddbbda559457cd8cb364fa99addd5ba44ef45c11060d9be82b4ebe1f0711ac95433074649b6c08eeab539fdfc99c77498b420427e4d70e316111845793de1f67fb0d04e3389a8862f46f4582dc8":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c24c17911f6db4b3e37c46bcc6fa35efc1a55f7754f0bb99f2eea93398116447":"0bd92cb106867e25ad427ff6e5f384d2d0f432fc389852187fcc7b0bf9f6d11a102a872b99ed1ad9a05dab0f79fa634745535efed804ff42b0af8dad20ba44709391fb263f245e5a2c52d9ce904179633282f57a1229b0a9c4557a5c0aeda29bbc5a7a871fa8b62d58100c3722c21e51e3b3e913185235526e7a5a91c559717d":"5098cc52a69ee044197e2c000c2d4ab8":"9ad4dee311d854925fc7f10eca4f5dd4e6990cb2d4325da2ef25a9a23690f5c5590be285d33aaeba76506c59edec64b8c3ff8e62716d1c385fbce2a42bc7bd5d8e8584de1944543ab6f340c20911f8b7b3be1a1db18a4bb94119333339de95815cae09365b016edc184e11f3c5b851f1fa92b1b63cfa3872a127109c1294b677":96:"f7930e3fab74a91cb6543e72":"":"6124ede608d416baa5e653a898ca76e9f47f08403c1984feec112e670ded2226e0073f8881ab2161cfda541dccae19691285f7391a729f07aba18f340bb452c1da39cbe83cf476cfc105b64187e0d2227dd283dcba8b6a350f9956b18861fa131d3f00c034443e8f60e0fdfcfaabbed93381ae374a8bf66523d33646183e1379":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d267a8379260036ff3d1ec07a7b086ff75706bad12d37d9656f04776f3d8b85c":"80c68a330ef50e3e516681f1e535868b03466e7edbb86cb385d01db487da3dd3edad940fdc98d918b7db9b59f8d61369eee2928c88557306c4a13e366af0708d94cb90a15f1c3bc45544bdb05ff964da5e06c5ae965f20adb504620aed7bce2e82f4e408d00219c15ef85fae1ff13fea53deb78afa5f2a50edbd622446e4a894":"674dc34e8c74c51fa42aacd625a1bd5b":"6a9a8af732ae96d0b5a9730ad792e296150d59770a20a3fdbbc2a3a035a88ac445d64f37d684e22003c214b771c1995719da72f3ed24a96618284dd414f0cac364640b23c680dc80492a435c8ec10add53b0d9e3374f1cf5bfc663e3528fa2f6209846421ea6f481b7ecf57714f7bc2527edc4e0466b13e750dd4d4c0cc0cdfc":96:"bea660e963b08fc657741bc8":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c86cb637753010f639fa3aa3bff7c28b74f012ad6090f2a31b0801d086f183ad":"6b7858557e0fd0f957842fb30e8d54dedbc127eb4bbf9de319f731fa28a606df2c046a0bce8ecda4e75d3596e4e988efd6bc279aa005bc52fad92ba07f5b1dfda4cc417029f9778c88d6fe5341a0fd48893dcb7c68d0df310a060f2a5235aee422d380f7209bc0909b2aa7e876044056f0b915dab0bc13cbea5a3b86d40ca802":"87ff6e0bb313502fedf3d2696bff99b5":"2816f1132724f42e40deabab25e325b282f8c615a79e0c98c00d488ee56237537240234966565e46bfb0c50f2b10366d1589620e6e78bd90ade24d38a272f3fff53c09466aa2d3ef793d7f814a064b713821850a6e6a058f5139a1088347a9fa0f54e38abd51ddfc7ef040bf41d188f3f86c973551ced019812c1fc668649621":96:"7859f047f32b51833333accf":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c31ca0cac3efe467168198f06beacf39565a6f57f82e1048a5c06a231315882":"65261d6e29b2369b1828a7cef2df9873d6e6057c499301afedd6cb65b5036ddb95f9e353fbf38e54c4f46f88164325b33620ce183beb2e411fbb89a0e0002e542fc161cad32a61ee6f1e1717e0b4dcd0340b116f795bc1009dbbc65bc31c9b549bf03c40bc204cd0d02ec884be907777ebeed8b527ec3af7cbb508193c0745de":"95cae6e85f33f3043182460589be3639":"67523751a9b1b643d00de4511b55e4268cb2d18e79e01a55fc7b677d529bd6400940fb25ea6ae135c1a816e61b69e90b966981aeda685934b107066e1467db78973492ad791e20aef430db3a047447141def8be6e6a9a15089607c3af9368cdb11b7b5fbf90691505d0c33664766945d387904e7089b915a3c28886ba1763bb5":64:"21309d0351cac45e":"":"1d5f2cb921f54aeb552b4304142facd49497837deb1f00d26fbeddbab922fd80b00dba782961f8fce84f1f7973e81eed6ee168b1760c575c891f40a1dae0fa1a08738025d13ef6e0b30be4f054d874f1b8a2427a19ebb071d98365c32316a88a68c2b40daf1ea831a64519ac3679acb4e04986ecc614ec673c498c6fee459e40":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca9fa36ca2159dff9723f6cfdb13280446eb6bc3688043c7e2e2504184791596":"ac04c4293554cd832aa400c811cb202d815d6178aa1343b4628592b7f3ae45dc5f12ea47be4b43e1865f40b06ab67b3a9fb3644248a9b3efe131a8addb7447978bb51ccf749e75574fea60e8781677200af023b2f8c415f4e6d8c575a9e374916d9ec3a612b16e37beb589444b588e0b770d9f8e818ad83f83aa4ecf386d17a7":"d13ca73365e57114fc698ee60ba0ad84":"2aa510b7f1620bfce90080e0e25f5468dbc5314b50914e793b5278369c51ac017eace9fd15127fca5a726ad9e67bdee5af298988d9a57ec4bbc43d4eb849535eb10521ac7cd7ed647479a42876af2ebc9e2108b539febdaa9127c49bda1bda800f6034050b8576e944311dfbca59d64d259571b6d2ed5b2fc07127239b03f4b7":64:"2111d55d96a4d84d":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2f802e838250064c15fdee28d7bd4872850355870847701ad9742b2d6eb4b0c0":"e2ca8c8d172ff90232879f510d1225af91bc323bdf636363c2903fcd1790692c8bcb03a1cccb18814678852c6b3a441552e541b843ee5e4f86a152fa73d05aea659fe08aa6428bb257eaa2a7b579fdc4022c1dec359a854253c1aefc983c5ede8c97517ea69fc4606e25f13ffb0f5f49160691454fbb74e704326738353525f7":"2dd550cfd97f8e1d8d31ba5537ae4710":"72b9630dda40306e785b961934c56e20948f8eac0e981f49787eb3dbd6e4607f7d08d10ca643746bf1efa7e5066993683d527a90f2d45ec9cf73113f1f17bb67958be669acd4e2927f1dacfde902cd3048056d7f6dfdd8630ff054efce4526db7c9321d6d2be2236f4d60e27b89d8ec94f65a06dc0953c8c4533a51b6a29bd2c":64:"bd6c8823c9005c85":"":"f6dd0b5f3d1a393a1837112962dba175a13c2d1e525ef95734caf34949d8b2d63b4fe5603226b5f632f2d7f927361ba639dc0e3c63414f45462342695916d5792133b4a24c7c4cbe2b97c712bf27ab62d3d68b3875d58ffe4b7c30a8171bff1a9e2f3995768faacda2ea9213ff35798b9e4513f6a87bd3f5a9d93e847e768359":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84dd53ce0146cb71c32776033bb243098d78a22ac17f52a62a122f5653fb4e33":"68222bffa782dcfe4f328fc20eb520e75a9a5fedbe13ec7fcf0e82fba08bb87a8a8e02902638e32fe0e2294344b380797f8028426ffcc0531c739c884892394c48ff0779c5f5edf0a36a3fb8aa91213347774ec4bf0fe1049bd53746b13beef3c637169826c367056cb1aa0a3868e23f886a9c7b8015c26af9e40794662f6b21":"f0c90a1bca52f30fab3670df0d3beab0":"a3ea8032f36a5ca3d7a1088fd08ac50ae6bdc06ad3a534b773ac3e3d4a3d524499e56274a0062c58c3b0685cc850f4725e5c221af8f51c6df2bbd5fbcff4a93ba4c1054f7f9c67fd9285511a08d328d76a642f067227d378f95a1e67587b90251f9103ed3cacdb6bf69e0794e366d8b92d8de37b4e028de0778841f356ac044d":32:"b1ece9fb":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb36fe25e966a075ae2c3bb43b5877679ebc379d5123c8eda3fa0e30b95cae0":"fb3a4be643c10343251c6f0745aaa54349463f622ca04a792e9b4780866844b30aeef3269fc60cac0ea031c5f3780b535e15154f7c76eb4a371b8ae368550f3fa2ce693c34511ec96b839cac567f1b0de0e7e3116d729b45d1b16e453703a43db73f5d0c3e430f16b142420b5f0d26d72ac3dba543d7d813603b0bfdca3dd63e":"59869df4ef5754b406478a2fb608ee99":"ecd125682e8a8e26757c888b0c8b95dec5e7ed7ac991768f93e8af5bcf6f21ed4d4d38699ee7984ed13635fff72f938150157c9a27fcda121ffced7b492d2b18dad299cb6495ed5f68441aefc8219d2cf717d15d5cd2dbce4606fcf90fe45f3601127cf6acee210bd7df97309f773974a35bef1d33df984101c2fc9d4b55259e":32:"cb3f5338":"FAIL":"":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"8d03cf6fac31182ad3e6f32e4c823e3b421aef786d5651afafbf70ef14c00524ab814bc421b1d4181b4d3d82d6ae4e8032e43a6c4e0691184425b37320798f865c88b9b306466311d79e3e42076837474c37c9f6336ed777f05f70b0c7d72bd4348a4cd754d0f0c3e4587f9a18313ea2d2bace502a24ea417d3041b709a0471f":"4763a4e37b806a5f4510f69fd8c63571":"07daeba37a66ebe15f3d6451d1176f3a7107a302da6966680c425377e621fd71610d1fc9c95122da5bf85f83b24c4b783b1dcd6b508d41e22c09b5c43693d072869601fc7e3f5a51dbd3bc6508e8d095b9130fb6a7f2a043f3a432e7ce68b7de06c1379e6bab5a1a48823b76762051b4e707ddc3201eb36456e3862425cb011a":32:"3105dddb":"FAIL":"":0
AES-GCM Bad IV (AES-256,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes256_en.data b/tests/suites/test_suite_gcm.aes256_en.data
index e2d34ab..c0f33cb 100644
--- a/tests/suites/test_suite_gcm.aes256_en.data
+++ b/tests/suites/test_suite_gcm.aes256_en.data
@@ -1,679 +1,679 @@
AES-GCM NIST Validation (AES-256,128,0,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fb8094dd2eddb3d8004bb79134023ca2be4de9b668a9e4608abdf2130e8becb8":"":"491a14e13b591cf2f39da96b6882b5e5":"":"":128:"80883f2c925434a5edfcefd5b123d520":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"725313f4cb3f6a0d29cefc174b7e4f43cef11b761ef75e1995cb64c1306795f1":"":"27d1ed08aba23d79fc49ad8d92a2a0ea":"":"":128:"d5d6637ba35ef2ad88e9725f938d3d2d":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4e766584ce0e885e1bba1327e5335796de0831a40f74a5cec178081dd15bfd10":"":"cece0dea024ff47851af0500d146cbfe":"":"":128:"1abe16eeab56bd0fb1ab909b8d528771":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce7f2207f83a952451e714ba3807ddb3ed67c2739a628980411aa68366b1f2f5":"":"652fd951ace288db397020687135a5d1":"":"":120:"985227b14de16722987a3d34976442":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"855f8fa4ec6a1206173509d504d0b29dfbfbfa9aa528254b189cd72e6ebc1c1f":"":"1ad1507e6463e4e2e1a63155ac0e638f":"":"":120:"693146a8b833f324c1d4cbeeb8c146":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ef8dd1294a85dd39e366f65e1076d53e046188c06c96b2c9e84ebc81f5c9f550":"":"9698a07447552d1a4ecd2b4c47858f06":"":"":120:"b00590cac6e398eeb3dcb98abe1912":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"25896e587570ff1823639e1e51e9c89192d551b573dd747e7c0c1c10916ece4c":"":"f0516457c09c372c358064eb6b470146":"":"":112:"5a7cadec600a180e696d946425b0":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"02fc9cfffbe72e7954182993088e09d24ea8cad91a8ca9a336d9f1fe4156486d":"":"0e189e162e097eb2060b30c46d9afa70":"":"":112:"7d3d5cc55e6182ec5413ef622d4f":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f24e3d631d8961d3d4b9912d4fa7a317db837a7b81cd52f90c703a4835c632e2":"":"510740bfa2562ce99ca3839229145a46":"":"":112:"1402ddc1854e5adb33664be85ad1":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"720ab5aceb80ff1f864379add9b0d63607227f7c3f58425dd6ec3d4cea3fe2ea":"":"58f2317afb64d894243c192ef5191300":"":"":104:"e8e772402cc6bfd96a140b24c1":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f57dd16fa92a8f8c09d8f13cb5b6633a43b8762e90c670232f55949cdfdf700c":"":"3b7c14ee357b3c6b0dc09e3209ab69f2":"":"":104:"43e609664e48ad1f5478087f24":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"87c17ab919a4bc0d50343c0bb282a969283c2ada25f9a96d2858c7f89bc5139a":"":"02813d3faf30d3e186d119e89fe36574":"":"":104:"d1a1f82a8462c783b15c92b57e":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dd8d5b6c5c938c905c17eab9f5ab7cd68d27f3f09d75177119010d070b91e646":"":"1df1c3ad363c973bffe29975574ffdf6":"":"":96:"749ac7ffda825fc973475b83":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4d60a14cb789099c77b8991e7b0b40f787d3458f448501e8108e4d76110f94ef":"":"ca6b3485eb5dcd9dbfa7cffcdb22daa5":"":"":96:"3f868b6510d64098adc1d640":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"405b690717de993ad945d80159c2800848060de0b7d2b277efd0350a99ba609a":"":"63730acb957869f0c091f22d964cc6a3":"":"":96:"739688362337d61dab2591f0":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ab5563a387e72d7d10468c99df590e1de25ec10363aa90d1448a9ffcd1de6867":"":"c511406701bad20a2fa29b1e76924d2f":"":"":64:"390291ed142ba760":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"abef7c24daaa21f308a5af03df936ba3f70aa525190af0d959d6e50d836f4624":"":"e9f15950130b9524e2b09f77be39109a":"":"":64:"db2fb2b004bc8dc4":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6ca630b0b6779a8de7a19e5279eac94bf29f76f8b0cf8ecf8f11c4f8eb04aa0d":"":"7373befc2c8007f42eef47be1086842f":"":"":64:"e2b8620bcc7472a8":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"acea7818a71df2c9840aef1c10ecbe2bac7e92216388416a2f36119a0745d883":"":"6d46aa39fb5a6117e9adf7ee72bc50ff":"":"":32:"fd5ff17b":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b301036d4b2b28b8a4502925986861eba2b67c24cb0c79c63fd62195d9b67506":"":"bb6f398e5aed51590e3df02f5419e44d":"":"":32:"47f3a906":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"89576d2aac554c8982c7df0053be9ab19f4bd80ba9f3dd433c1c054d68e68795":"":"aedbd482a401a7c12d4755077c8dd26e":"":"":32:"506fa18d":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"43c9e209da3c1971d986a45b92f2fa0d2d155183730d21d71ed8e2284ec308e3":"":"78bef655dfd8990b04d2a25678d7086d":"9d8c6734546797c581b9b1d0d4f05b27fe0539bd01655d2d1a8a1489cdf804228753d77272bf6ded19d47a6abd6281ea9591d4bcc1be222305fdf689c5faa4c11331cffbf42215469b81f61b40415d81cc37161e5c0258a67642b9b8ac627d6e39f43e485e1ff522ac742a07defa3569aeb59990cb44c4f3d952f8119ff1111d":"":128:"f15ddf938bbf52c2977adabaf4120de8":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fbe2d52b7f50bf23a16ff8cd864215034fdfbf4d1506ca3c1ffb015653efe33a":"":"b155f8ab1a8c0327789cfb8310051f19":"ed8d14adf1c362bbaf0d569c8083278e8225f883d75d237a4abcd775a49780603e50c00a1b5b5946c085e57a749b4946f6aca96eda04ac9944a7d3d47adc88326ed30a34d879dd02fb88182f9e2deefaeee1c306b897539fa9075bda03ba07b4ffff71ce732ef3c4befac0f18c85a0652d34524ccb1a4747ab8f72ed1c24d8fc":"":128:"c5fe27ca90e5c8b321cc391ee7f1f796":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8e888721514fd01fb67513cb56bfd29af67a9ce525e3e697af47450f02053161":"":"9f6bd4a93e4f3f2f5f4a7c2c5b4790bf":"867d50923967535ce6f00395930083523c22f373cfb6c8817764f5623cd60b555572404e54f2fe7083ef32b9a4593a1f70a736d6e8fe61b77def51f3b1d8f679d3a8d50d0aad49e51ec1eb4d4a25f13d14f3e5253555c73eac759e484c6131cc868b46c18b26acd040c3e1cb27afecba7b7fc3f5ff4883f4eafc26c7f3084751":"":128:"ea269094330b6926627889fcdb06aab4":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d8f82b07e7319ca607c9aa0352070ca883dd7b32af370a774f63b0270f44835a":"":"e89e4484497cb728f86585d8918b7fae":"42340d96e1852de3ed5e30eb4a05e1fb222480b450e2bf4e2cf0fb2a525eb6602ef43a896adc5c52ea5381c642b2175691c014e7a6dae91fa6ff5b95c18a2dd2e8838d3abd46ace0b305f3f22d30a0bd82a81bbf6753362b54b0624c76c0d753e30eb636365f0df7e1bf8bf130cf36062ec23f58a3f7ed0ae7bfbbd68460cd76":"":120:"b234b28917372374e7f304f1462b49":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b49b04a54a08d28b077ea54c18bfa53e916723e91453b47f88e399046b9b4dcc":"":"6276c577c530f91b434ce5719e1c59de":"6b73f996c49e368fc4d21816153aefb081509f9dc0916dbe4fdf77f39867a2bd617b8a75f39f515b1bc1454009d5247efcd90ba0d4a6743c6f12a929b666584f3b55254c32e2bab2321f94fa843dc5124c341dd509788a158191ee141eb0bc4e1b96f6987bafe664a0f9ac6d85c59cee9564a27bcc37dffae80c57fbf7e748ce":"":120:"69dd5bdeb15fdbc3a70c44b150f70e":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"398bb37bb991898c7dad7bf5930dbad20d121f68d5ec6c56ffe66f23c0c37f8e":"":"0c3bd55b54c1221b0cf25d88ea4dfe24":"4c48b929f31180e697ea6199cd96c47cecc95c9ed4c442d6a23ca3a23d4b4833601ac4bbcdbc333cd1b3a0cd90338e1c88ef8561fed7ad0f4f54120b76281958995c95e4c9daabff75d71e2d5770420211c341c6b062b6c8b31b8fe8990588fbad1e651a49b0badd9a8d8042206337a1f2aa980b3ba3b5ee8e3396a2b9150a34":"":120:"8528950bd5371681a78176ae1ea5dc":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8e8f7c317b22dea8eabe7eaa87413a98ff56570720985b6743a5f9af56387cca":"":"3a9a5a839045723afdfb2d5df968bfcb":"a87d95f8f47e45a1c7c5c58d16055b52b3256c52713fd092bcd6cbc44e2c84669f23ca2a19e34163ee297f592f6054dbc88863a896c2217e93a660d55a6cd9588a7275d05649940d96815c7ddfa5fc4394c75349f05f1bcaff804095783726c0eceb79833a48cefd346b223f4e5401789684e5caeda187a323962a1f32f63f02":"":112:"faad6a9731430e148ace27214e68":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"67c95e57197f0e0bbaaa866d337fcc37f3a10dc55a059f5ea498de204d2fff61":"":"5f171d203c653a316cac43df99f4033a":"84f281b388ca18bc97323657a723a56260731234720b02b6dde00ea134bd84a1893bec38af80214c4da01b93958ab00f3b648c975371e565d5b6bf2a8f63c0f3cfcd557c9f63574390b6ae533085aca51fa9d46cd2478b7648b6dcbbac7e61197a425778debe351ac2110ba510a17e2c351ba75d5a755ef547cf9acc54650222":"":112:"9ea9c716e06a274d15a3595a0c41":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9143f00e31c72bd9fced31585d047f67f1004e6244c3d9c10c8ae005feeabc84":"":"e49cd6af9a2f0da2a7198317da92ab2f":"ab9193a155140d265aabfe2dd5efca7d3fa6129498532bccd77f09fa1a480702620b3ab53df91b01262122f1a6fc387b5fc55dadfcdb99ada83d4a5b0666c8526de309f41eb54d69b52595c43550a6bf7b4b8f0e0c48311b521762eaa567744c4c4704dd977f84068b59db98a67e33cc65302ba59360d600a22138c5ad3317f3":"":112:"8293e361fe0308a067f89aea393f":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d0ba180075c373116bb037907b512add00ba9a4693a8ecc14ca0d79adada90e3":"":"5c1501b19cce5404dccc9217ac8253b7":"3a161605ec0055c479dd48cdaeed5981b8b60fb7b7781cc4e580218c7014c3060a9f706e6e16cf4021e4d38deb512534b484ff23b701975bdf901146ccaece9c3ffbbeeb172cfb64a915ae0dbe7a082b9077776a387b58559a881b9b79b90aa28ad1ac0f2bece314169a2f79ea4c08389f7f7dd10ee2d9a844fee79e7bf38bcf":"":104:"0541262fddfd5d01ff0f3c2fb4":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c975c7e59133c231d1b84c696761c413ba20aff7fb7d854c6947e65db3cc57b4":"":"d8fedda4cccaf6b0818edcfa7b1f03fa":"cb4cc9171367d6422abfaf2b4452da267eb9ccf1c4c97d21a0a125de486997832d16c7e412cb109eb9ac90c81dfe1a1dd9f79af7a14e91669b47f94e07d4e9bd645d9daa703b493179ca05ddd45433def98cf499ff11849cc88b58befbdd388728632469d8b28df4451fc671f4a3d69526a80c2e53e4fdee6300d27d97baf5f4":"":104:"77ac205d959ec10ae8cee13eed":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a86ec688222c50c07274ed2d2c8ae6f883e25f8f95d404a7538fd83224199327":"":"99c73fdb8f97f225f7a17cf79c011112":"cf5f707de0357262c0997fa3ebfe6e07192df8db5f029e418989e85e6b71e186b00c612ecedbfe3c847e58081847f39697337ae7c815d2cd0263986d06bf3a5d2db4e986dbe69071fd4b80a580f5a2cf734fc56c6d70202ea3494f67539797252d87cd7646296932959c99797a0446532f264d3089dd5f4bcceaaa7289a54380":"":104:"c2093ad4705e613b09eee74057":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d3981f0aa1ed8cb369d9b0d7b0e529ec6089ff2d226c542885b1bff55276e891":"":"7331f91bd1a67c21c9dd336a2a922839":"406d9cf45fc8618d564154241dc9c006ecdcd847406e5a6e7127ac96e7bb93f4c339ff612c514b6f66df95a0845035d7535212a2aaeeb0ee512d1f4375c9a527e4e499389c2d7f7f7439c913ea91580e7303767b989c4d619df7888baf789efd489b08eda223f27da5e177cd704c638f5fc8bf1fecfcd1cab4f4adfbc9d1d8ba":"":96:"dbb7ec852c692c9a0e1a5acd":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8436967f97c59ca73b760b73c6e088d1da4e76b712188ab4781d8d849505ae47":"":"9401dd0998914645668d06d518bfe7d7":"a5f40906177417097c19a0a21dbb457a694e173141837f695b09c8eb58ac2ce28aace4e59275b6266da9369a9905b389e968aefc64d78c7e1d2f034ef413d3458edcb955f5cd7971c28cd67dc9901ef3a2abc6121704bb5ecd87a6568d0506abbc87a2f10205dc8eb0cd1b5109158d0e743c2c3a342d60b8d55bbcb8d8507ed1":"":96:"dd6d988d352decc4e70375d8":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce6b846bcedc6ae747e66e72cd9f7664e6cad9627ba5f1f1923f3d3a6ed590d1":"":"ac865ff8a6255e501b347a6650510d05":"1658b9f8469af1dfa60458cf8107db1edd1e4bba70a0bd23e13e1bba0d397abf51af8348f983fcdfcc8315ef1ffc9a26371377c62ddba08363bd2bf0ff7d0c3b603fad10be24ecee97b36d2255a8b2efc63f037123cef4bb4fe384aa0c58548b2f317c36ef3ef204b24769de6ba3e9d89e159e2bf1f9d79aeb3eb80c42eb255e":"":96:"7ee87acd138c558455fff063":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0038ecf1407bbf0d73afa5e010769b71e8649c4249345dcf923ef9da0254c6af":"":"74c6b98fc6ced3a59bd9c42d31d71095":"467f483c71c3404fe7f09d6f6b6b64c3b7613a0dd32470cf24bc590d3994a48f3e8cd5dc19ea8ca7d5366ad7c5ad31cc9612dafedaea109dde2aedfe5fc2a0db2c903dd1dc1a13949720a10babf37fba5a0ed7cb5f3dc9eb5a4d8331f218e98763e7794b3e63705d414ef332160b0b1799f1ff5cbe129a75e5c4e0a4ed35e382":"":64:"62fe088d9129450b":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"19fc4c22151ee8515036c38bc5926c0e0bbd93db5d0fc522b2a6bf6298fed391":"":"9547f056c6fb9ef72b908f527cb500c1":"511b15c25b2a324159e71c3b8e47f52d3e71e5bc35e774c39067250f4494c9c4eb184ecbe8638de9418672d9ae2c6a0e7f54c017879ffb2a371de1639693d654a43cb86e94a7350508490191790d1265b99e7b3253838b302aae33590949a8761a3bb2aeb1ba798cddeb00a53daad05a33389d4a19269d65116a84f12dba5830":"":64:"04623912bb70810e":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3b5d3b1920b5a105b148153ae1f1027c6d48bc99640ea853f5955fed4eb3d625":"":"9a4091c2eb7e88759bd9169fee303485":"aa680d07143ba49a9099d555105fc3cfcb898cec11ade96776dc9778cc50fe972e1e83c52c837b71e27f81d1577f9bd09afe2260dfd9a5d9dfbd3b8b09a346a2ab48647f5dd2ff43700aecce7fa6f4aeea6ea01b2463c4e82ec116e4d92b309c5879fb4e2ca820d0183a2057ae4ad96f38a7d50643a835511aedd0442b290be3":"":64:"033bfee6b228d59b":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f6c4ad8e27764157789252f4bc4a04145cb9721955330a2f6a2a3b65cacf22bc":"":"3de136cbd75061c888226efab136849d":"0f6951c127d6bc8970e2ad2799e26c7fb9ca31d223155f88374984b5660626c83276ffa6c160f75e0e1bcfa96616188f3945b15fc1b82a4e0ee44000a684b3c3840465aebe051208379ef3afe9f569ee94973d15f0a40c6f564fa4ba11d6e33cf8ae17854a9e12360a2b8495e2cceec463f5e3705c74069ba37ba6d725f458c0":"":32:"f658c689":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"30cd99fed9706c409e366d47fefc191f79bcc47a28be78f9890fd90d4864eb85":"":"8c7ce34691503bf14c776f8809f24e61":"4b6b10c2e2905ab356769b6453dd160a08e8623b0878fcc1c1d64822f0aea1f4f5b4698ded5d23ebafa11bc1e4ce9e5cd7d7c7b13de02d11a945ba8361b102ba49cdcfd6a416e3db774cd7bda024fccd1ad3087560dc15bbfe9b1a5c6c71fae17a329f104f6c2cba7eb6a7459535ca328146d0ccc0a9bd28a3d1c961947a3876":"":32:"7777c224":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9472f2452933dcfac4bb22831ce83c6a1ddf25ef8d2d3ba59d72b0d173a986e8":"":"18fb2c34b0955d712960009617d300ef":"d283dd75cd4689c266c8e0b4b6586278aa2583c7c41bf12bd1cfdef21d349acbbabc0a2204dc4130f922949206c4fbdce3786ab8614e32908838a13b6990453abf14b84f5812e6093644accdd35f7ad611ea15aefae28b3cf1fc5da410bcea4f0a50d377fdcceffe488805bc5a71fab019b12fa8725d6e7c91e6faf12fbaf493":"":32:"c53b16a1":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e06d5319210f4107ea7267fa2e8183fcbf74fd3b0579b856577177d9cb307d42":"2b9179d21cb884581b0e4f462455167f1f7899717245d4aed3d8db5983daccccebfc2130a20c284563bea5997cc0438c83d8fa7bb9e3588efed285a0fcc31456dc9a3122b97bb22f7edc36973475925828c323565e417ec95190db63b21881016b5332f2e400bb4724c86a8ee0247149370ee5412f743dc6bf7ca5bcc31afa0f":"f2b0564705430bc672964b049115e122":"":"3fa342a76cb5d501e6a6fade14aab54a76620e4ea2287147d4ca2b9d62d2a643591e5df570ef474ee88ad22401c1059e3130a904e9bf359c4a6151ff2f3e4f78ef27a67d527da8e448b0ef5cdcfec85f3525e35f8d024540387e4cdcb1018c281a1af7d4a3688a0fec4d9f473c816f7d4c4c369f70d7dfe8f1b7fa4f581098a1":128:"18f186ed1ee1f4f8b29db495587d0ab0":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0dfa834e98b6c51ee925dd9edc9be72c209ddcd9099ded57b533f2236895a229":"7f4e4f11091bf51976c0fc71ecbcd0985cdad2135549c818c09567801d8a9a42c719aab7dc2cb58a10b5067d14c52cabe6bb9b939e7b9cd395eaf10ba6a53fd2e6446e1e501440134e04e662ef7ebb1c9c78bbd3fd7cb9de8b985418be1b43ebb5d7902ccb4c299c325c8a7cc1de9174f544bc60828c1eebad49287caa4108a0":"a101b13b238cfac6964fd6a43daea5a7":"":"bc60d2047fd8712144e95cb8de1ffd9f13de7fda995f845b1a4246a4403f61ca896bd635a1570d2eb5b8740d365225c3310bf8cea3f5597826c65876b0cbcfa0e2181575be8e4dd222d236d8a8064a10a56262056906c1ac3c4e7100a92f3f00dab5a9ba139c72519b136d387da71fefe2564d9f1aa85b206a205267b4cfa538":128:"c4cc1dbd1b7ff2e36f9f9f64e2385b9e":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce59144b114ac5587a7a8079dc0e26f1b203338bb3e4b1d1d987bddc24150a82":"bc7aa1b735a5f465cffeccd8dd4b0a33a571e9f006dc63b2a6f4df272a673bb2cc00e603248ab6be5627eebc10934fe4d1dc5cd120a475936eefa2c7bddea9f36c6c794d2c6bd2594094e56cac12d8f03e38f222a7ee4fc6c2adffe71c9c13003e301c31ff3a0405dde89bb213044d41782c4bb4eb3c262595d1c0e00522047c":"fdc5a40677110737febae4465b1a76cc":"":"084c31c8aef8c089867f6e0ce6e0aadafa3016c33c00ca520f28d45aac8f4d02a519b8ebafd13b9606ab9db4f2572f396091bc5a1d9910119ca662d476c2d875a4ab62d31ff5f875678f25a4775fa7fc85b1a3d442fb2c5047a3d349d56d85f85f172965e6477439045849a0b58014d9d442e2cae74709ed8594f0ec119d1d39":128:"4c39e0d17030a5f06ecd5f4c26e79b31":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e7a6b459a5370ceec4d429bba9472a49db07697dc66dbc2f294d3e62ffc8aac1":"cb959e5611a636317feb5265d33b315c2f5af64159029f0032e338babbdb0a525ba6b92cb3be7db9f0077561e6cffe1247bad32dea8918f562dc3cd83225cdbcaed652b87c62fea8eff153638a3a14ef9f9a88bcc8c9a6b65fa9dcc53f63d1b14fb9bb0baf17e7bfb95690c25cca2c3097497e41f7e2299a8518d5d1c5f6264e":"92468d42ad377affa7e808d95d8c673a":"":"599dbc47e2f2e3b06b641c510b238417b01869f0e7d08619752f6d9f4b08585731deaeb439ff26e02d7e51b45ca5e3d4a779fe4cfc9572d1d6407f98de69a8fca60bf01d1a769130bb38a67933a2be3aa3ea1470d8f32a34dc863dc800feb7ef71588edd9489bd59a23685ff5358f9b562fc0bbad9e11db7a6fedbd79225539d":120:"e853262ed43e4d40fea6f3835d4381":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9818904a99e3d80c95dc71a16483ade1b9b8e7df638ce6a4c1d709a24416cbe9":"2c073cdc11a8d58fb55e1dadbbc0372dde86c387fa99c9249bd04cb2f2d239de01bec8c8771a9fb33664ee06ea81c37a824525664054173b63a2894d8d7ffc60b9e93052802478a189be5835d979a28ce7025b219add0622f97c9bcf3ecf629b56408ed002a141061320400409345e94a7a7e3906611305f96f2abc9d62cc435":"96a301ab6bc0309be9735bd21cc9e10d":"":"4876e449b0cac09a37bb7e4b8da238f4c699af9714ec4fcf21a07c5aee8783311a13149d837a949c594a472dda01e8b6c064755b6328e3ef8d6063f8d8f19cfda3147b563b0f5fb8556ace49cb0f872822a63b06f261b6970f7c18be19372a852beadf02288c0b4079587c0f8eab1858eeec11c6ba8d64448282068fddd8a63d":120:"e1e8b62ce427e5192348b1f09183c9":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9b34f137e3f37addad8a6573b8b6dac9a29e97db53c0a7610f37c72a0efaebfa":"c1e09c432c68a2c119aeb3b19c21180e3c8e428e12033f416a92862036f5e8a39a8893b10fe5476e388d079143ee0b79b183a3400db779cfbf1467d69887306b124a8578c173cd5308d4448eefcf1d57f117eb12bc28bd1d0ff5c3702139655197d7305bda70181c85376e1a90fb2c5b036d9ea5d318d3219132ea6c5edf7b7d":"50dddb2ebe4f8763509a63d07322277e":"":"793e1b06e1593b8c0ba13a38ff23afaa6007482262bc2d0de9fb910f349eff88d3dd05d56eb9a089eed801eae851676b7a401991b72bf45ac005c89e906a37ed7231df4aeeeb1fcf206ca1311117e7e7348faf1d58acc69c5702f802287083d3ed9e16cf87adcdfa1bb0c21c40c2102fd0def91985f92285e6ea1cdd550e7f50":120:"b3c6ae17274faaca657dcb172dc1fb":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"66b40e2e671bdf244b45644d1a5adc63011b32156ba9f5e03dffacc1a9165061":"985546ee12ba89d95988ad8a4153c4f9d3c91c0e3633a95b4f9b588bba0032006c93210514357c91d574b436da13dc9f68194a981e7b65eb79e56be9cf1dabfdf531407727c034a3c7743bb22aa02b26f159c2eff3c7ed52027de2e8b8b2fefb72c04fbf20a1ffe10d6dda790a9812cdbe9f2ed6706d7a2639e851a42870efb8":"4e090871e889b4be36db5e1df1ea283d":"":"f93eebffeddfd16b4618b893d57b459b704b894b38a5eaf6cce54026c80090be8328e12261e1b10e81c73ac8261c2982bb25603c12f5ffff5c70b2199515c17200db2d950a3f2064d7b362607adbf3686f27420ec15e18467e86faa1efa946a73c8888b8fdc825742b8fbec6e48cdabbb45f3cd2b6b6e536b6fbf3429aebe934":112:"ed88c856c41cac49f4767909ac79":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"18c5105a9651144ce965b4270398b982120b885850114571ef8e2cbc5d2f5e04":"00c5ea3d91248bfe30c5a6d26dbdf0609f977afcfa842b603c1061b2a473c9a79b421b2509550309e4be9c5015c51c6def9ee68c242f6e206b3027ce8e58b7ab96aaa50ced1d78c2dfcbc2589575bec2ce3b6a5066276fe7dca4f1118808d1e5cac062667053c15350289da03cd073377c2d66c01e3098ed01b75788c7e1f9e7":"a3a5f82748acc887e33328fd7f4ce1fd":"":"d91ed6886a269dc1eb0745dc4b97fc54cbea5e6857d10a303a3caf828b4e0e20bb742bca17021b7852d09a6d7d3a56ad82298c15a2082fed0e0e326bb16dd677ee262ead93a24147de3c07eb8a95b108abf17357155f1de79171689407b6545c9fdf8ab4486576490430c0e043e21e7c40ce88e752cb006cb3c59479a7e56cf7":112:"add4e086d612a119c6aae46ba9e5":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4667cabeb3a644e371cbbe9195413daab025cc6efc12298bfaea0dd9bc028f9f":"9772ec47f3cd26f091bf117e085f2394db258c2c460dc3b1402edcb60a8f70517f82aa669607b78c2ad79c662c3b376cee1b9f34c4ec5d15319c33de78a440e7f2a4108c3c9da51604adde2025ff1dc336c49279c13a7153931df675df0e78f17a4d72973311af74fe755c85c7869baf3896bb738925942dc67f1b6e690c9d48":"7e8927c69951d901494539ab95ac5906":"":"5d62fa69cfbfdec30193408dad15cf983ad707ee921068b817676eca9f70f9ca4623a8c113df5fba86131415f4ec546c7f1a94ff9d02cb8ddcf421c7cc85ed87ce712fcd8d5f45460749ced0d900fe0368c59b1c082bd5811c1a648a51768d5e4bfbc23cada3791f289d8b61fd494398be1ad9ee9ff471abb547000ac2c1a5d1":112:"0ae6bd5e8c25d1585e4d4c266048":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3d58cd514de36ca7848aad1bf4d314b3b3415cae1ce9a169021ae84a67d4ab69":"e1c2e79e3f64c5c64f853ac9ba1a853fbf1bfd3001d48f7e73e0e97aa1b8ed1f1a7066178e75df688c5edb1c42e270ea38ab0e246c6a47fde4c3141436fe4b34beb9033ba7eebfc53cf1f6c8ae1794e9bb536152d196e1b96803316a05f1dcb9016c8b35bf4da06cd18da6243acc3a3dc641d3a1332b1915932ca89937cb0327":"4a1c2e7a3f9788c3c2fdd0dcc0cfe84b":"":"50d63c660a2b4f8e87276c5f58556cdf15d0fbb2c8ea5e3266d28c515643109aa7fc950d6d48f504dad52457e16576b581d37574574cd8b7ac12b7d59b819992c941a27e23ef9f257ed0c4ea4eda6c1f3b28b44decb63a92fae84c3556dcb9d6458e729dad6a7db9f7411690fce971b3b240f8f9979ed992f87d76e227fd7384":104:"ac842579bdd1ac77c84dffac2d":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b7e4cd80f03a7ed092c776b243dfad7776d9caf3e679939038e33ac94d8931de":"102e2d2c0d01dbc69733d2451d1ac1817d60418685d4ae8aa44e1ede1c1e08d2f71f0aef41a72bd9f052ea4a9a057330c95d964f8c3679b80fc9c0952b46f38e2ef055cb33703d686757400210fa5a39bc7e3bb9b8b9cc20c95d5607e2f10bb5501507680ef3aaad96553333b1d27bf2f7ac102c983eede2262a5c6237c1d754":"af160a983d674b7d19294f89c3c9307d":"":"6bdfae299d796ef36850327b091ba7bb02e29b643ca4c8bc199eb91ecbaf88426412cfd5570e0042cab735cc46ec648b0877955b3f9a5707d56c478aa77ae5510749beb1e44dbbb37791f18477123436a985e5e9f79fda0a057504847e4ecae841f24e1b53076d3efc6bdea2ebb336ee0e4b5e6ea973e3e50a27b5c2e6fee3e2":104:"fdf21e2ac356e507745a07fc96":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3a0c46eacfe85cbc0c5f527b87cd075bdeb386d0ca6de816a87cfddcb8a87ae8":"6d1203dc8395e35a35e234203625ea9d37d1c009db2ac8b1d5b29021997b5421f1d172f4c9a7eb7dbb67f0002720fc412f5b1550c739a2d7ba4387a1f978bd548fe6169d9473893782b10fab99198cb8b4553dfe27583c017136fd8c95070d8d7f9a602d15248d38d728157a0b26404e662f9a5554d3e1582bc0e12f0054792f":"b1cde63ad2ad4b8a7bfb36ab78385c3d":"":"9de3a45c976d32ed2af5074ef13b1f86f35b1689b1c698b2e427d5dd62556eb14439f77cd8fcbe686a9a08a922e3f54a78e86fd284de493a740586360b63da09bc1d001777582969c679db54a0ddb8d7dfdb46750edc882804a1c00e417912b72b4cad54dffa1897eba6188b3e61ebf0c3dfab292c2686dcb9db3012e0788c7f":104:"641896daab917ea3c82524c194":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4d540e0ba27103667eb4511ce9d243592bccb8515ab59896c9922cb5f1b47a02":"d79f9b1c74e3141f188704c8d5bdaaf6083642be50d00f20c97b56646863895250d131e00db0ecf4f035d42f08cfe20f401c2d3062a38daa0b9e7c19fa7c5d344680aff48d506daa181451f6b34ed9099b9a5b39c0166e93ac4463c9ad51f48e3063b1c16793615336f55d516d079f6c510c2891b97aaa95e5f621e3b5202620":"a2ed37daa797522a39b01dd206d06514":"":"6a891bd289ec05990424a2775287f4725aecefe1ab21fa0ca643f37829cae9fcbbf805b883f807102ff12f1a85964df818057daedd41c7349ef32b24642186c45d2858c3260d5b90594969e26b691963ac7fbd2eb4eef466ae690ca274d9194dfc4df1c3baec02abc38fbfc0e2c7c4fcafed227d4f6607329f57ee439435c714":96:"9074ecf66bbd582318495158":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"151d7e4db9e21c87bef65c2ac6aab5b6b045b7dadaf6424644a91e04ba810585":"0984c5d3f68beba1db4e6ade429cb8954cccaba9fcf4d852897ef69f8483428932c8f18a891f54b68f7d49a03c57f7144d802eb996d233cec930d5eb19f43d0faf9c94a2d7aaca40c8066a2882481f521bb5f6ba15b213810da373817eab3d52b5dd143a1521239482fbf4a07fe68c3d35c90c6ce27b55e40abcf432a261dc58":"49e0e0d089e3574fa5a33c963b403ccd":"":"6938d8a7625d1291f249ef1e086bb030ccdc844a9271fee16db60e7acfe4aedd720de76345109d5e6849fd1576c0fe0c34e73dca4011f8565cffccef427198c927f19f63b821f43844d008ceee0566f0d8062d7860e92ebdf21dcde80039a04504cd8ee94874b2eeb038962a74ac9902d9d7ce09afdac7aa706bf3892de19531":96:"48d3a8116213f92bfbe86bfe":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3e9615515ca45109316cc02bbf3a23406eeeab2092dc6614db76e4e047a3b023":"46c4c6bad0f21172094ae07a47fd76477b69ca75cc08970e8dbf7b8644d4bcdce96f9d15dd3fba5fba3f851af145652ad004ee525d180d2f3e03bc0ec1c0e8ffebc1474c342732b7247f657ba87ffcef9333857123f29c4976b048c89c24107529dc5dd69004fd176eb0ca6ddae1df7be7d28b3b9da976413588f20c1fff488a":"c1facf73da64e16e4acee3fdc3cc6b10":"":"4415dc96d3daf703d392ba1318254143a58870e691570ca6b1be6074dd9c1feae12c72f9314fc3d19b6affb59b642ade6c4e64b7c99f850bff781de193cc0a321a29356addcb0918a282e53801541b5b01383fa7624c36d1f67423f02d2b54f58deca582b7031d192a4d32bc154ae1149cb3c5b48538c803a8d01fa7cfc1683f":96:"322d8d1b475a7fd3d0c45609":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"52c1a14b4ed57cbfa317fe0db87528f4c5551deb9ffc88932589e3255b1d3477":"eb9081e19b63c94b5f3a696c5fc2c0b7f434e1574394d0b41dd67dfac28a73d4ba26c86b3728b2802fb9d0930c89586b09602900d33eddc5a00a4e98881b5acd5597aae9b80b1569ede74042948f2cd66c3eeae227ae10241df001c85dfe8a5fda0aa21142ecade76290dfdd4a27b6ff3a932dacc0b5f461501239ae8d6d5f41":"36d02604b5b24f49b08bb01053a23425":"":"12fbea9e2830ba28551b681c3c0b04ac242dbbde318f79e1cb52dba6bdde58f28f75f2fb378b89f53cef2534a72870a1f526b41619c4b9f811333e8ee639be1250a5c7e47ecbee215b6927ecffaf7d714327b2c4e8b362b1a4f018ff96f67557ca25799adfac04dd980e8e33f993051f975f14e05be8b7342578d0c9d45b237a":64:"01e6af272386cf1a":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4d08a07b3e94025523a4a6415029c8f9e11fbbfd72564964c53b8f56f865af0d":"4ac7c27b07a4aebe5caf1de0538d13a56e8c11bc73713bf78c7abbad3b9f6d690e00487267da108e2f2ae67c24b4657e77bb83e2d5e4b244cf34e924cf7bdb443f87ac8cdb374147449f8d06eb517a25dc86f03a389f34190aed5a7faace03ebf646fec2b173b2c15fd5cbe7c5affb6c3ee6d1cace8b00dd8f668a2336da5bfc":"98b745c7f231ba3515eddf68f7dc80f4":"":"337693c5c746d8fcdf7cd44d8f76a4db899402b891176e85b4c549c366ad709322874e986d6b939a350d2a0e3b77924d6d15454d882d1d3c94469d749a20d8f0116504cb31888a1e81d3abf25dbb7a7f9e7def26b9151ee649c059da1955f1716423c734dcd26a548844abb6b64c44383ec698e59361b6582c6883b77c338342":64:"7a9266c4e5ae48f1":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b9d9fc42b58deafe9bc9734f4129dcad34a2e55ee5ad8abcc3f7bc42dd2c0e05":"11dbcd6cd53d2af766a1b6e4af2bc8bac2811ef818da2d1f81c140ab6e0298e958fef033736bc6e0dccd660b9a3e4222bdf3f89a95b206785d22852201e6dd00b44232ef3c03393893813dccf1960410b50cf50602ead8bd246fad88e66c88b50821578004779b6c45c13d8211df1cfc0fb2d7a342f58e4f2f3623fd31b12c30":"67931493096f4550633c322622bc1376":"":"66ab6e7a547705d8ae8ac3cb9bc5fbbc18cd220f89aec7dfbf4f72e7bc59b483c50c9471523c3772efc5deee3a9c34c96b098842cc42f9b7d7c0d2530f45900eeb9502e4dd15363b0543c91765121fd82fcc9db88fe6a531b718c1fe94b96a27856d07707fced3021cca9cf4740833d47091797cc87f57f5388b48e2296ff352":64:"0de60d4126733404":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"97e736a63870546ec9c2325a8e367c8ea17a7ffa71f6cadd6909a5bb9eb12814":"608280a9dcbd6dd66100a9fdd00e6dac2183e32c945b2b4d255c048243bfea15aad1a10ff3eec0ba79c531239b489a5dc155dc2775519f8d3d2ed82fa7ac653fb7c77e0dfad1c175b6c69963f5c12ff9840f18e0202502e9d1e3b170965cd86ae411af20e6d69a608c99ca8dae3cb3bcce666841132a99429bcde490d9f0b6b5":"d35192b4d233507b70c6d32f8e224577":"":"568a0d584fc66c876b7beb9ef8709954a2c426fb8c1936b9024181ca2cd3a7684c412715c11eab80a181be0238e32a2b689e9db36a2ac87db651058080531e7b1110938dcb09615e385d7b224b11222469145f6fb5f4c0e87b08bb3006bc5b6d2ce0a15be7fc29b27c10c645afd9d8253c094fc0f775086bdf2adac265b474d7":32:"af18c065":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6d05193cc0885f7b74057ead3a0738b74eb3118b1a7e74c5c941ce0011197122":"c58f51bad815a43a5705c311de4a846ea2a70cbdd2c30d709a2ae0ddf82b7c889dc599fb6e0328fad21555a99530be6deeeb5b1beb333322c2b747288e52fad008513f8040a4735cab3c8cf32c4e18bd57339c85cf5dd71e382067bee7e9ccaf68e767d77fb005a3b73a51acf942fc3b2c5c9eec6189d01a26c6ffb070165874":"5160b65bf7a2ccf77fa2e3e0b3866f26":"":"64dc5834a63be414c3714f1b34feddbacd568c6466cbd06f665aa269187a160db79306a53b629fedc1247bd892998fe3208b3105f6273676bbdbff6e254de332d02bc8842ef98d6b79994792eeb5be3a807452b14ae5b5027db81421cc22936ccaa7ae1b77a145462634e424ccf2dfaf001ed4477b804e204120a1416b449b8c":32:"364ef0b5":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6e8006983712ddfedfebf95e6cc3b0aadc23077055e500ae49fae7705787f2e3":"e3ba14c4e39ebad925997649872b8331f1700c8f98f80e58d92c85a84f2a427094d9d771b276a0d35b17c0c030734399070a57345d4dcf082b96c7eb580618f7af8bdf036296e20379e74e29f905b52a0c46fe7d46201a075e7de7e1a523a0492c1f228102fdb89f019bcd4571e041c5d37159dc487ec139fa37d33142fc8082":"e36e39d787394f1401fc4b173e247db0":"":"4d5db4b65a1ca31f3d980cc30037b5d79d28280a31cc5d0274be77dad70dcd37f652f2ca999c9aecf08fd2a02d382457a277002a1a286ab66f9e437adee00c3bab04f831dd52147005a989606171b6017d28970c8986899fb58900e23d1bc6a9ac0bd4d8b5d6e3fcaebc9903923e68adae7d61cf929388e0e357c7223523d1ff":32:"d21637c0":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cd8ec237009eab590dbd9b31e76513dfa3501701b1a706982944441d996e1839":"9eef7c9a0fa3e9a7fcc4b2f9d210a97d6653ded7913f2fb2de825a0dfd78ae1cca68c040f2328009fffe62937d630ee9d6e0e67bc12c38c0b3d035697d4c2311371aacf41cce0d523016ee436a47d93af0df77011131856d072c718c310f0995b71530d70a3da881481f46f21dda62e3e4c898bb9f819b22f816b7c4e2fb6729":"a3cae7aa59edb5f91ee21231002db8e2":"45fa52a0e8321d82caea95bd9506f7331923e2aa95e9238908f3ff30e17a96389dfea75e225e34e1605354eaaf999a950f469c6e2e8722da5ad9daded6722baca00e5d1b8e63266ad1b42cae161b9c089f4ffdfbbaa2f1fb0245d1a4c306d46e215e8c6c6ae37652a8f6016f92adb7695d40bde8c202ab9c2d70a96220b4b01b":"833d58f0bbd735c6164ecaa295e95ad1143c564d24817d5f6dded5d2d9b2bed2dc05da4a8a16e20fdf90f839370832f9ddc94e4e564db3ae647068537669b168cc418ea7d0e55b2bb8fd861f9f893a3fdba6aace498bc6afe400fea6b2a8c58924c71ce5db98cfce835161a5cf6187870aa32f522d406c52f91c30543ea6aa16":128:"c1df4ee60b10f79173032e9baaf04d3f":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5f0b24f054f7455f5821fdc6e9ca728d680e8004fe59b131bb9c7cddb0effa51":"d406138587fbcb498e8ec37f0f3d7f6b2faa02e6880424e74cdba67ae3468b6823d37fd917a7fede6b34a2f0fc47c520e4088766ba82a989f0d8051a3a80cc8b1e3e1e2b1c6620b90e99b27e65951aeb3936263fc2f76c1c8effa742f53987f8a38c731a411fa53b9f6c81340e0d7ce395c4190b364d9188dc5923f3126546c3":"f52f7a2051047f45ec6183b7c66e8b98":"756cf485b6a8e672d90d930a653c69fdbf260d3ea18cd3d0c02175d3966a88b70ab8235d998b745a0eb6a5c92899f41e8c0b7aa4ec132c8cbb1bac97a45766a03923c9b93c2a055abd0127a83f81e6df603a375ca8cc1a2ee0a8b7fd226226b0b19bd2e81f73c34dfafa4fcea08dd93dd4ab7e4b437408af91bff566068a5f34":"e58a03f664003d0ef5bdb28931afd16e7747cff62dcc85bf4eed6e573ea973cf615e4ebee40f35d44e18e391b391e98dca5669a5b0abbfa67834836b122d1909b53acd50e053d5ca836894414bb865b1fb811d8af68b88b4a302fdedf27fdd27456e9aaf34a8d53c9c8587e75843e09776392dbb0501ef41359c01e8980e5221":128:"258492b9f549d1b90555eafbe5292806":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6f50efb3946f6a6dfe63f12780f764bb6ebcf2127d3804610e11f0bd9b68ce0f":"bfc89d5049a5b4015c9eb64fdaf9fe9f4be7229e67c713a7b368f0550b3a5e12ba3a4399c64f60b7157e1b289b154a494deadecff0d0686ab44fae2a34ae4cb120a7f00268ab551f41c16a05f8999157be1103464127a8a9bccf736c32db045124178c90472e664d8e67a2ade0efe9a3b048c453d2fb5292dd8d29e62d52c5b5":"63c1192ab7fc75c17e7812fd960f296e":"335cc5c8fb5920b09e0263133eb481fd97f8d9f29db8689fb63034bc40959a176ccdca6725e1f94f822e4d871138fc39776fbe062f07bf80e5c8891c2e1007efeb77c158ced8d6c002b04442ed35c40a2187a59c02339c05762942208e3be964736a431017f472dfd5fdaf8fb8c645cdb684f9632057b9eb755253b4b75e3688":"ca974942ae0f4955ca0736218e4e356145c1ef42135b1142b55ccb3fc5caeec630eb50e69b5a6f97c11d4b604189b27496623bb0365ae69f4150e201e72bad8e7b883185588d0a31c44273bae87194b1610114a83ec47ba68a02e29891de43204977fcd0d551778335fc77fcfdf3fd63e9e5e0c02930a0321ffb093c521cd0ed":128:"2f11a01cb0ef8dcefad9233bec44d6f0":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ec566324ad9d4cd015821e2cd4ed4d3d507bdb3c65bd50acc85f690ef06740fa":"348d35768d7192415cbb92c5625f10edd79f24c56d4b821aaf80d7dc83e901ede6be94d1efe11a3acd16ac00aea8d0d4875c47522332fed11cdf0816b26978de431c89d2fe6d122b2d4980f1d53a97edc15e490a44e73cba9394ca4bbb871675c729c39de80d6678c71b1bd220e4647bfd20a7ddbefe2b7eec7276b87c92ba77":"95c8a544c4b94e9fbfd76e66f40bb975":"fa6f38f8e562a54bb2281dc9a7cbe0b981292fb00dc0053185550a300661852179d0f2beb4e7759b81316fbfead5c858e6fce73f3cd2c2462925dbb199a4e6c121d051b1b5ebf60e16d1e30f6973b19cf31830da30588fdfff6115a4a1f6d977a72583379a56055724581be5232b0d1b0ae88bab5d4a031b058bc8d03078dcd5":"8b4da79f3ae1ea35a80af2f52fc640055e6a3b92617ddfa79fe5d8a49f28ddf36a82a17ca0b3cdf1726700f7ffc09ae5b412d064fd52a90a76bacc74a0b89e38dc474e880a2b768ffa91fef34c47759a7b8fd7faa32a4fcb258349495e4438c7b2055a8f462729fa4e7223aa9b47087695e3aabf43afb32e272d536b257b748a":120:"b1faec277697add8f756391dd9c7f4":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dd6aa4ff63efad53772e07e0fa7d6eda5e73be167620fd7c9f3997cf46cd25a9":"592b3a6f09841483770b767bed73498c286896d2ad3d8bd91f83f92f489b1e83b0456a54e067a79e1bf59eefc1d3bd35cecfba940811d06a06e9b8f774bfeff557bd7e3f0864cb6bd3f867efbe3f040d2384ae8e1a0e20ed38caa668159d3e33c4669478d00963a1152305aa2037a5e06cac52d84021234a7f5d46ab060bd03a":"6386e03bcb6ac98140ee0706b54c8492":"0ccdaa4f54cfea1026a4d26338b1e6d50a70b00c46147fe906c95f0a2fb5d92456ca3aa28a257c079eceb852b819e46646997df87b873bc567f69a2fae471df03b0e5b94511189eaeedd238a991b326963c46d53080f420ec9fd1a74145a0b155cbcc0b5e47fa69450c7eb447080e34868d640f923923b91a9e13a05c73550ca":"c1be540448f1e3f432a10b3cc1a913cc4046595f5a57bf57c9d856cdf381832e914088d3388199018ff26327e3001678ab363da9457ba2084f5aa81320f1a0343491e0b44424018765861c5db917ce14e91a77f7e805d7a97a17a288ee66567c5c01ee61dc46a9aa8b281438ed377b792e9539e311676f81c567339cf92b8e1e":120:"ce7e361713630ecaff81866c20fce6":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ad3990cd57ce4e95342cdca4f07d7e35d575eb19f224a7c821b1f5a8c54d4bc3":"732809c29b5eeda974039b122b875aec2823e082ef637294658cc54f9bca88eb7eea87a366234f89919975d0e7dd2f8ea83198d5a6e349149a016a4b177ba43df2f3ca28e27b8566591d225ac25dfd9ea431cf1fb3ea530d65dac93aad47764a6aef8ec6903b6d145ea9a2663034d2a320690b92afd8032084b754be97604382":"fd4ed75d861da2cc14fd1054976c8566":"ab44689839fdf47e887b70fc1b0422dbbe5c1b50f4e704f9a435967ba8b70cf1e144a025d37292f628f9f7dd9d05557b65340090503201e8cf2cea2d6a73ea4850bd0931b90fd4a4306ba84b8aec99fed47ca1b16daee6c95c97e4ba0dd1fb130cd13f5ef77c5af96f61fa05305a3aca3775e927f72f08fc34bc994e69abaad8":"f48721b08101b35cde1c4ce08a8ba0049185b9dd48b66ab9971fd67dee24f89b456e9ca19ac8a9b5b3b088cbd53898a8c2ac1129752fb7fc55a0c3e2e7266ff40f7a9d63ebc4ab65f47422fc17cbe07fcfda582fd1b8f50e840ae89837e84add8be17d4cac3d2be26bef4aa8438daec9d2b139e442f99c32f2789378c8029ad9":120:"da6da2af0fc14b591a86359b552e20":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"30823396ac90db573b6587676564d09fa680906bd6eaa6b8597e2e7549c9d848":"c55be5a0b8559e02de4667ba5656f7e46f5627af13fd34d327f6fbfc4f3a9273036fce2fb21232f8e2ed115b39b0ecb9a119c8fc17070bbe4e34d3544d7117ffda5e1ef05e063b5a8fceb23158d7824d6a1eb4d90a1d0360c6bd78fb24fdd4cfa35924beb4e090891d06f53fc52cdcaa6b8bba6772d549eb95b64ebf3756ae45":"496ac734afadcd54f1a4372ceb5645fc":"2d582131f7071e80cde1b11106b7d79bb208743de759d40b897efdab018f4eff1f91d2fe67e27af25a13f201bbe4446f20ac6b942ff7b32cf10ad1cea36945b67ac08b114fc616175a87437ee05f3a8b6566e9edfbc1beec0ed8696b5d5c41a25ac43bf3ce2920dd262233ab3405d46f523894dcbfb6c90b6e911ceb93bb7fa6":"c9da3df66111dcbabf731c6891eb698ac3283780f526e81383e201244efe4eca7a1c84a3bfa9ba5616afb15c1f1af0f3af2e071df6c1d34a343c3e3440f1a3e1b6620243d9e7d9a4dbda5981c3e876fd07f392d44bf3e0a4edbd884462ec2f71d36bde4a1b5792629da09a1fb01bfdbd532fbac71887a05a7077fc119a4638d4":112:"cec973a27c42e31b779a6a91aa34":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"815f2b2f0b1621aa198eef2761380f10ac9872a5adbdf6286bdf3386e56aae4e":"d16930c570414bb620e0eaa2e9b5d96e4424127e16461aaa5885c616a02ae974fb2890e73bade9ffa5066eb88a46ac7fcf258d55733d315951b1b71c5e3c13d78d60344ce921966297a0f6361cfeab03b346a7fa4f83a7a0eaf37576fa33a496102446f9f31b06ed91b51672c879cb18d4e38fa86e156d5b1dbff27925922470":"0843984bbaa565ca24f148e57a7d9c57":"1514b99c0ad3493c36fe1216d1a887a69ea0340101aebb03f60d7ed26893119e81e8b8c3f0bb4af5e10a3bf4edcf257473be9dcebb44a9d912f04d97a556ecf020c0bed7ccef2bfd5580f1fc74b706fea45f8c63d8de6f8deccc47a02dc86d3f0624e52f6f1dcd09de8000f2d98a4cc0896da6a564b92263673adf390ed909fa":"7506175acd64224b39f890e498ee5013bb46fc571dc2b125ed5891b8ce8bcf42342f015fd2df5f4b9cc220aab52386bf2247d4163951e86467633f96c28bdda166d778855a7f60465dd2983232c9e53d5f89432407807b0402a10f155f80055c339451a106ac54438ae4a945e60d5320eab0adad9a1e66d59b9d3cc53887811d":112:"28d9d780052b36dbe80a25d41d5b":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d1325ecedb8fc0fe449de558fbc11ddebef660e47aabb84edfe69837a6a9066c":"f9a4f7029feae5cf5bdb8385d6ad7d7da6a243c5026818e5a794c6cffb8dad3227964501c5a049b5a94a7ea2e24434e086800094118444c5a971bbe575324fb6b51c5939f81e78bb11d85d324742b462ce8d13584b3882617d0c94776f328a554f9d532b6515ade9fbbd2de1c12ab53671b7f7edaa7e20223f4c371c1f229568":"8aff702c40a8c974cf24bf3c645169a5":"9ec2e851dee3834d4843aafa740f3aac4cfb1e4d3a7e3e77349113f5200768c3e9dc37481d6292ebeebd2372db02ef8ac7180830c7187995c815d1d1520c3e2f8cf2a94993b18c828b53485073c8a845066772615b26d7a3d7d3e7d81ad1725797153f7ba5e313bdec582c5482adf76b31c871cd42a313018f40d7e23f1a7f33":"3a93663aab93c6cd236cba4db2c03942d9ebc669633936370c2834357e76f6555c34d40dfaab1e78a105da9092acdba8be89e2dbf72e89518d55e09eb2fa1ea7da505484ad4531dba3eb853d1ae1a477355ea9448067b0adbc782d64ec342c7cb781d9dd8dc2b14dc1c9ab5542b679782b8bb9b45ff6a4e36c513df169c8eddc":112:"7e682b0ddbe6c55091838616c352":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4b92242268e598ddcf3a5a0de26d74356693c4dbca354e44be401f3d6804ea1e":"72dc75bc4c8f5bbbd9c639fbdb34afbb84706404c9e67eaee1959aa4b51eac0db4f975cb3ed8d8ca27f72f61c8562ec953a7b8745826121a7016e60e877dcdb046f236af3826c1ddf5b929c5bd9a92b0d5c23cf8983bf2459ced6595882b3dd0cd25da7eba981bba122623dae22dbdce05cf4e5d82d2cc54eb4f68e9e8eff02b":"3c292bbcc16c94b0a263f4d22f328915":"167dfab08aac8350574693b31210138f6b99cfb61ba7ade2e2abffe2255837a913c9afe332e8fc4b2463310df46492e7d982dcb70fdda2a8b03911e6be9a5c5621d0ae8ecd1cb390910b6702aad33394c25d1160b86687e25bb6cdc4811e3158bb85ba75548329dacc19287d9c004a0473029b77ca290fc47c1f96d9583bcd67":"c2dd42ab9bf3fda78032f73cbf7d28dd8e32c582a3b7ee79795551f133234d62ea6571a466b8e1af0b3d354b71a6582c9c8013d5f8a2c34eb3e848360adac1d5005cede58eae7784f32a31c40eec5a3f03cc1e7263d8515b36225b3515ebcf8dca2a77172c797d347ed3921ca0bc73e8ae56347134a6a2a06ae084f1ebb7b0fe":104:"02fb002d8e4a1d11bb0f0b64d7":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c5c50059a61692a8f1ffae1c616158c67d276dcd4a029ce197ed48567e5ff889":"ab7e13923e66d0f600accd2462af74192c3de6c718a27052ef7c1302239c7fb2413df7c662657ca18228575ed138bc54f31663df548618e98d64402feab529d5bf6a678431c714df1fe24ea80017f455a8312bb5b710df8dd3571970404a806ec493dcb1f3f1ac980663f0b9c9823e0d0304ed90689f70d4a24da7d8504c5b0b":"920d82c6b97a7bea121f64f83b75dc65":"a9bd57db2bbe83177287e5f614dab977071abfe0b538067f7d0c5acd59bfba95dfb725b8e1af4573ff10ce135148a3bab044552348378d5ff0c4f8be1aef7ed60bb9a374a6c7b8097d7c1804fdf078f212e63e9f11d7404ad0d1a9cb28d5ba199aec3a6c41b9e523b541ad38cea763159836ede6371357ab1aeaedaaf4481c29":"8f7e87e3ff4f7ccd1cedc1df125199cfb588339119a5ea5f9bdb918f89ca35f9dc16c6465fb25ea250eaaa8e7f00aca2199f92a2c244642bd15cbc9b62caa58115ef01d0b4a9e02527e035744b20892f79b07aa47b6c6db1332f82434764c43124b27148f2f611766781df8e4cc0b5ba99b858c13c233646dcb2b8749a194f08":104:"65da88676d2ab3f9c6d590eb80":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4c7cc3588436ad9e877de72578d30026d32746817ca7a8fb7df9870650aa48d8":"00c2845fc495b89f870bce714f8604a7e7a96ede92c4b9bdcf044c9a176f66a28761089c083d5e2d613c746711238477c0efdf475e18af99e88cf76d04d4e40495ea16c462801443cd7f69c5d36ac9f337e828c308f1d1938b1fac732274459827cf9806c1661a247167948a93eb6e998a4cea76bb825baa27e4180e52633bb3":"5e82285a3b332c693e427f9410564489":"9971b8e234fc3e1e9644545e383eb065e1866e2faa6513278d3972add5ec0e71b1558329fe1ee038a27919e43bfdac8cf08141ab540528f74f9d5bc8c400bb6ee7867e4dbc2aa081d9126ac374dc62b10004d0e233dc93376b93c0da415e7d3e09851f2084a99feeb25939e21893056870cefe7cdfaf49f728a91ea0eef605af":"ab7bac4ddede796576e1fc265c3c598055827be74dc7ed8ef172d00a648da56727767d68fcbe6c44e7272dc8cb15f03a26dc439178849b0e9ad6c7410dd4cca3f9ef40ec7c280042bbc199155c7341e88d35e5e8d0b42856e618c6c30e43d49506ccc3518585c951a3898409315e8b3b4d0adccdb561ddcf1b9d3b2cf3de9750":104:"2474c830c6ebe9c6dcb393a32d":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9d73aec506e022c0692892f6dbc3b4d41e86b97fb377c1956ee27b9c9ab3b32a":"f02bf60f10ed876a803a96e75f3fe17b4e355246135a0cd5497baad2a40a523c27e27bf848f0cb5d0c6428d08bec9590b17fca5e697990d2a6f7d21080ab614f378a07461e7a6207229e0a087e285841ef2f119cac7d8a2d3abbb1e7272a0d7dd493c8c4f797e160c36e086227ceae4923658365b2d3a3fbea11aa2fab3499cb":"bbacc081a6107364dcdac83abceddbfb":"77e1da090e4d3a892baf1afbc12a56201a4362d8f09cda5e9bdb23411e6908915301d66403acb3524898c1c51d6970a71878accd0048cb6cfbd4bf941c174ee05eca2c4a29f1c24e936d3a63cb6cfa710617af1bbb41d755b2f79e135db914a7dd00c590cf741078eb72c3ab559787213202dcc0a4734bdd612b917e372f0e61":"d78fa4024b8d073899ac09b8151c29b10a37793b76f04921bdc7dd3d2ef530a831e53cf6a7ddeec0e033ceeabb525bf5ef57bf9b3661ffb57d3bd4024252fa11dd569102c787c2d8489a1ad1290dca2e8edf82fbe6b5f83bcc0e888045b895e20c8556ee80430cc8640fc070491d2bb81a1209428938cd8e7a27e0e858029421":96:"2235d00a47d57cfbd383b69d":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"73198dfd92d26283637e451af6e26ff56e3b7d355ed7ab8b2059c1022e0ea904":"2471b3c4cc1d6884d333d1c998c7c441808ca884cb88173a225569e1689ef39e266e9ad381926adeafc2daccbdd3c9457ea1bdc3bb05168ef1eead1504d1d44dde34f96e1a7f2a5d3fb33cf5292d52fa9412800419570db0eb24fb74d55de202f5df74073c5a2eb9eb726393996eaeb32072bebb00593de41b97ecbab2554186":"e36403ce1acc63bf50b47387250ef533":"cad023cfb73d08e5b082c3061f3a6502a1c1d53038cfb19074d0ec26c9b272db93094147ef0ab2bdce440a2b3233bb0429add47601f011df679698264c0f81444aba14576a1a565e5c169f967c7571bfb32a2a4d7fcae897863d78964c5b1a040cc845494c0ad8ff4353317b28ca3798e6252d5015b58e99354ce6dfbe8b7a95":"32afd6d6fdab2019ce40771b5298aaadf753d1c4cb221f01e4dfc8b1968f898188fa4d448d8364510a7e68c7393168efb4b4ead1db1c254c5cea568a84a997a76dbc925a6c19a9092002629f1d9c52737005232e5c7620b95ed64741598a65a9ec95f2c97b6b78bd85380811c11386074b1e1e63b9a7e99d1cb2807bfaa17f0e":96:"e22deb1276a73e05feb1c6a0":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1dcbd278480434135fb838ffcdc8e7716e95ea99a1cc36d544096dff9e9aeba0":"da3b8c9e4aa8443535b321c3e9bde3c6742cd9f228c971257430b27293ebeb635917d6cba976c81934c3077902911169e8c6197b2d56a046b7ff03b482c38172accac98aacc90076370df28bc8a2044c393c7541b7b69b0fb852746dcf3140ace4e76861975814d2b5966f7714fb6cfe3e4299d79182fc63a345067a0aa54d8b":"b737bcdee4ef83aa83f124cf7208a671":"49a544aae76b04e62211428a2cc3719e4451f3dbf9a23b6ac824fc472e95e38386d267415c1472a8b0707b0573b9eb2a39a5d5a13464947cc3a7a7dd3b7196f11e87ab5233944f7cea3f4d62b088febf8b82a44d4ca6148be1ba24905432b7ac2bb4ebaf22d3bce97ac2bd34158b6011fbac77ee1fa96ca0c9c9e0207044fbbd":"061b491b73f9250798a0fb1fdcd72a70eddc9cb48c1f10119387d45c50d5fbb8b85592a7977487e45342fddeb8d481eef3b99463972f66acb38fe04953c223c5f3e02611c8f33cb9ad7466860895fae585d40bc78ec14d1cf17b4c5b75e4d8c6341f1eaf80da4a78aaaa30d3bc8bff15f234aacbee4067a947e42275b12e0bdb":96:"b897da3061c77aab5eb54622":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e00467f18536ea6b4d582b2480ebee883e4f56bd91af3ad7a47ceea3ece9acc":"d5334398318ade59e6bda5cfce8e11b25c9ccefa2f651eb16f66c03d84dcc900dc7c85e6d2b778b155ae4591af0698df7f3b8b9f64d4442ecc82035f7d8e71a5f61c515a963f2fba077f3cb8276e91b31b3f8aa193988a16a86ccaec4a688ad68b5146925ec21d55ded407709d34d140f37e1f87d955619453c3704e83918088":"aa6716e6b7107876a3321d807a810e11":"5606a0b77cc9020955c7efda33b7080e9c0e9fd374c4201b4324b3e6523b0407171141e8246d01292a34dc69331f7177d6b7238e16e0303e85741f9cea5698e42fc79217d9e141474068d6c192713c04b1ba3573e93480f69e4cbf72090d46d62d5b52e4a7613af8fcf0010d0024ea11c19cb04571c6d7045a1157cf81df18d1":"249119ace4e292ffdfebb433d5b57fa1518af3389eb832146c3adc2dc62fcc9121d7f6461a53ee107ce7edf362b365d8bc18e50cf9c328cb7c7aa7b4e8bfa07c34dc81c38fe0982bbc3b543485ea4b0ce5a76c988cdfcd241911cd66f5a5f9e0c97332bb0f3926117c0437470717c63957aeba1c55d96b1ff0f4d6045f908cd4":64:"70e986fced03ae67":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a18240f6135e7b6eac071546ee58bb52394bc34ad4e91ee678b72e4514fddcf7":"02f288eea5588e7a011f4d91eca232af70f60ae3d9302cae5a8a58798c1b4e973e3b1d07695934ae871201682554ef6a5b94976c6a1aa73d354f1d65e3f025bb2a3f1e93009e822a87590dbfd1965904223049c5ac0da8596955199ff767b92df10d1f9c05c40bd8204846c719c5594000cabd87342f0447e4e466c3788723f8":"149da8186ca73941582532ede16edf3d":"4d46e1e87322ca84d5bb92d58670f644083db06bdffd99fab0055a62b64a30b5a5673a108f0b9f114d379d3fe63a1f63407881c5b5cb03142109c158af42a00eb24d3b1873edd2284a94a06b79d672bc8f13358f324af2622e9aa0da2b11e33567927e81aea24f3605168e602b532fa2cf9bde5f8cc0b51329e0930cf22e3752":"36cddac99e2673588ba783d3c085b9935626687a2dbac9ad10deb4867c577d6f80453266b2400afd773e4edeb743c32562e85f7f8f43dfd87b10a2dd79eddf6e580aeb4cea92ac21cf49ca97398cc23c02b0ca59257643fb2bc6462b9cf04658352d53c2ee50d87cc5ca2ecb722d950f0daecfa0b7c33aaa2c91dd8b093916cb":64:"73cbe40df3927e80":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4b64bded6c658090a85b5d889679c6a00579498aa82be1e3a628a1cd001e52a6":"182cd59dc1934199d2d2a2712157438c347e286f66b5a2b8b5149aa41ff7ba82adc3751be379741124dfcf05c531416a64f25f0d28abb6f7bf98c80762f0fa363da679437621dcf61bce43ef4d63178779d1a3ebffb82044d427ef522cbd2643cf1f5617a0f23103cd2a164a59f182b151f47b303c4eb7387ee5cb97cabdf985":"99aa6f359534da409a18540d82fb3026":"f55fd6255d8a188ce9a4a2727699ce16c8bc5c6adba88d94106038b74deb79c9d43bfaa47375148d843a5ce248d70193c8017196941b2d9e2dfd4375a3390c19d2f833b0b265dab30f26adee07ab0aeeb930dc3a9fbcf719a707fac724deb28dee2a6788b17fa3505290c2797c6dbf930b41eca1f6d54d75b820e62ec7023e93":"5a1211218174e60690334856483a3066e2e8d996fe8ab86d0f8fef09aba9ef0acff9d3e1e5cc27efb5464bc23bea9c778fc74206ae3a16e5fdbf99694ab7096f23c4b395d7a7b8d6675e56b5505ff62f52bf183bcc4433298296e41662d6519d9c1f0a5fb3140376c8890547eae72afe75c338ba97fad9f0184dd311bbdaf3cc":64:"8dbdc0746074b486":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"cadef353122cec1fdbc236c0ab195fc4d732655cef444c00b6cba5c61e01c614":"a3d5e55fa3110a268cf1414a483adab6d58ec8762a6e6be81269c0369e8840333503bc3688c7be001cdb84d163fa1dfb05f3b01ffff31151f1af780c796822e3d564f785964a546bcc2a320d81a2bc61058652a8594ae9b9b0917400e08d4a99fa161376ac53cba54c92889fd3497e233aff4e12cd85d57375c7c89e92cdf5f5":"d765b5954e5b486885dc78ce6801516e":"ba0405745971eaec5d337fd22e0ad287551e7084f1c9c38231d675719e3980356e183a99a3c760ecf7a8ede5e0dac8d2bc13e135570ff6e91a854ea3b457263b0e77896fdf7bdf0b53c8276cfd1ea3e8e22450ff2665eacd24e5fb2be89373349fc9e2967763d43cbd7adc9a376b1b4ab956ddf8b1a56d9385fb7e861bc34df7":"9b99f984ae26f9cad5b3c8058757a0a5caef0fb86b8ecef0c1bca6b99bc72b0d5345a00ae75e37d4e651008bb733105d2172edaaf5bda4ad950a49de55a514e882a470dca7c7bbfddde40d38fef4e1f3864fd7e212bbc0383d0bc29ab2303c8935d49c35d7d73df2fba0daeb5f37f9ab0d541766da71b33da1018a3f287ba312":32:"c374cd77":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0cfc42773fe2d16a59da52234af5015271332344448c214a2b4a0bb53b07a0a0":"dfbf9eaa46c368b28ef50227db97f29b5d9ed599760bb83f5d52f92ef5522815d6952ebb0d9b4efe8844216d37510746caf8c775d2c862bad8d67effe109a0cbcdd14ba8e31fa420a475e55ac6b02908346ad1b064d5b6b869503e08d057ae65e9dc2a2a26345917b18d1b715a2372e8e114a071eced0c29cc9966d7205ae010":"45afb3ba2db9287f06cf48405764a955":"16d3ad553cc0fde3f32112bdb478450c65c854927b198914649a2820a9e3d01131b693765d40bd2bb74a50eb4cd7bc8dd8dbac9c6a61acaf5e4cf81570814b30a6a11877a8f9c5df342f70008cbf0576bd27a50bfaf6e22a40bd77435da16b666a06d172aa981bdcae0d25b8ab002c6c1994a356d3c3b7e4dd7b99892b0784f6":"e29db2c4bccef2dda828ce652791d424a86cd5790e6ece67bc029ba9520bd8f35a214a73d8b86564df0eccdb60eafee4170da2694eb563e5a854b25d7ba0a4c53465fdc15c6e267be2e54263f97aa3edbe2358f3d9b8d28997388a57aa427a239a74534393593196253de1c2946b7a437a00480ecb2eb08dbe55ca2b3641c36f":32:"39e01fa0":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2 [#1]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2a840df4be22c70786c873058d2a6e16dd9895cbfb55b9c9e98f958cfe62e65d":"313eddc53f3986927a261f498283b6dc4a39d26f98c7428127237d79a11c5e626e2e9cdb68f72aa3168ab23dfa2f5e03bc65a68d781f23fb9e295909cd9f0f3e5648cf82f3f6b3b509b0a333cb7d9f2b6e444c351a318f8f200a921ccb409def21b87bc55ec211a76a518350e6ee21d7379edd004b3bfd1ce9086b9c66d80ec1":"ebf155f7cf55e6aabdc1171c95c45293":"8abb8843de1766cfb8d6474496acda2f7a14e78a5e4c787ac89e6bc06cfd42173c35b3a75ddff644f4a58aa7502fedada38a7156457365b4c3c07bc12a8f9061331139b9a2b8d840829b876beb84f27d5a64093c270fe6c310ca3afe987bbc5ec4dc06358d5bf77c7b4e4fe4078c6d3ec28e9a281318da88949c478094c0065b":"769869a55754eb5d6d42e22a2b5271b38533fc0c79642e250347d34566eeca732e0565f80672054bd10cbd3067730dbc567039c730d8bc32a2bdaad09885651533a4f03174d4e6510547c1e1dd51be6070ab0ca0cceeaccf64a46d0ef87c0311bd09973f3b588a4dfb39c85086ea5d67dc531c287b83c161dcb25e07b671343f":32:"c364c089":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"461566cac74f9220df97c1ab2f8bb74189a634bc752f7f04526923d30506949c":"":"546d821e437371061cf3207f3d866c15":"":"":128:"44193072791c435d6e8ea7756a0bd7bf":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7736dbb38f1fe351a7fa101d91da62124c22ac02ee06b9413f56691067572f73":"":"5f01779e5e4471cd95a591f08445eb5b":"":"":128:"1a1f08c8f40b93e7b5a63008dff54777":0
AES-GCM NIST Validation (AES-256,128,0,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"eedcae924105c86190032650e2d66cf6927dd314de96a339db48e2081d19ad4a":"":"a39d400ee763a22d2a97c1983a8a06a6":"":"":128:"3b4294d34352743c4b48c40794047bea":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"714df4b69dc00067c4ab550f37ff72358b0a905dea2c01f00be28cec130313c2":"":"c46d63d6fead2cee03bd033fbc2e6478":"":"":120:"2a0271b0666889d2d0b34e82bf17d8":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"454021ece9a87a9543a1626820d39edd1eff3dca38a287d8fb68bd315a7a2677":"":"51de54b633a7c9f3b7b2c1e4b47d26a4":"":"":120:"114708102a434e3a30088b5944c272":0
AES-GCM NIST Validation (AES-256,128,0,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d7e90b539c99e8c2187ed72823258c1149890a69a9c0081ff8c66e1cdea9f2f6":"":"6dba3273560f30f118a2e0251f7b7d76":"":"":120:"5f45e00181cd2d7feb4723e0cdca24":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2948233eec9bf8adf7250b20d62df9219d30e314c5932383203805ff9f3dc5cf":"":"d6b8e723272e26922b78756d66e03432":"":"":112:"14c9a9a217a33d4c0b8e627641fe":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c73fb5e732ebc1dc7c91ac25de0d01d427de12baf05ff251c04d3290d77c34d1":"":"c31220835b11d61920ae2c91e335907e":"":"":112:"9eb18097d3e6b6b7d5e161ae4e96":0
AES-GCM NIST Validation (AES-256,128,0,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a46aff2121825814c603b258f71d47bd9c9d3db4c6fe0f900e0e99d36c8f8d66":"":"7cb5550a20d958490739be8a5c72440f":"":"":112:"8c76eebda0f1fd57f05a62c5f93d":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"61a612c76de551f794a146962d913f60fbd4431365b711217aaa4beaa115f726":"":"2d25462c90ad9a21073729e5efc99957":"":"":104:"e4d3b277dc9a107c0392ca1e5b":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4b233480239fabd2035a7c9207a8e1ab2da45a90a472b30848fe4b4757c628db":"":"50d45096afd0571e171e1ab1ffb3720f":"":"":104:"5393bc06b8c5ecef1264fd6084":0
AES-GCM NIST Validation (AES-256,128,0,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dc051ac63e6b051594158399291ed101a3efbb1701b98819c4835a4863734371":"":"1f304d4d7f84ab560366215649b0a064":"":"":104:"1081dda9e0a793916dc82f7848":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"75f76df772af8e3019a4c1588a7d59925f80ce0d5647030f29548374e7bcc9e8":"":"d407264e09fbc853b131c8a9f808f1de":"":"":96:"d515522db52bb872a4d3f9d1":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"608d7592c094322b31d4583a430986bdf6aa639cc4b4a0b3903e588b45c38d38":"":"6a631952e4990ae6bdd51052eb407168":"":"":96:"eb8851cfdd4fc841173c4985":0
AES-GCM NIST Validation (AES-256,128,0,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"86a90631e5341e67dfa55e68b07522507b437fbab7f3e2e26cfc6e89ef9d2410":"":"67763ee1890e4bb430ac3c0dbc2af997":"":"":96:"c6d11901b53cf6b13ac03cc5":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b8d12783ba2548b499ea56e77491d2794057e05fd7af7da597241d91d832b33a":"":"0365436099fe57b4c027c7e58182e0b9":"":"":64:"41fc42d8c9999d8c":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"eb17c1bbcd356070ca58fc3899bb3751eea5b9f3663c8e51d32c1fc3060b7ac2":"":"aca76b23575d4ec1a52a3d7214a4da2f":"":"":64:"fbcfd13a2126b2af":0
AES-GCM NIST Validation (AES-256,128,0,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"916aea7c3283aadb60908ec747bcf82364c1827ec29bedcbadacbb9b935221c1":"":"e4aefe6f81872729ff5a3acf164922aa":"":"":64:"2035a7ce818b1eb4":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"47b4b7feb91582a2f6121d12fd465967352e58d9f3d1bf27478da39514510055":"":"137bc31639a8a5d6b3c410151078c662":"":"":32:"822955ba":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8955cddce65978bd64ef5228308317a1ba6a9fbb5a80cf5905f3aed03058b797":"":"1370e72b56d97b9b9531ec02e2a5a937":"":"":32:"b2f779e8":0
AES-GCM NIST Validation (AES-256,128,0,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"7795d631f7e988bf53020d2b4607c04d1fab338a58b09484fe6659c500fd846b":"":"f3f5cc7c1ec0b7b113442269e478ed81":"":"":32:"e4e6dfcc":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f9aab5d2ea01b9dc35c728ae24e07c54e6d1452e49d9644776f65878199bc5e4":"":"96ec2252e51ebfb731b680729be73297":"983a102a67359f4eecac465b0d65908a487c98c593be89494a39b721728edc991726e1fba49607eed1f8ba75ae9ab82a1a95b65ebdf48d7ee3c4a2b56832f21a483d48c8400dea71537f4c459d1cfcf9d2cc97b32eb7c5146cbf44d7e5ac779e9be0ae758eafff2138d4c5370b8cb62d70ebb713dfd2fd7772fa250590609844":"":128:"766b6dcf491a5836ef90f47ac6ab91ec":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d713b33af57762f933d6abfecbac7fb0dc1e545dd7c01638b0e1510af719769a":"":"5da52833b6fc73c0e4b1403e1c3c10a2":"374dd4ebdfe74450abe26d9e53556092abe36f47bbb574e8184b4e0f64d16d99eaf0666fa3d9b0723c868cf6f77e641c47ac60f0ee13dd0c1046ef202e652b652f4b5de611989223b0acf1ead9b3537bba17ccf865a4a0fda1a20b00e3c828b9726bbd0b0e92fa8ed970eed50c885e6d69604278375af7b9ae47fbce4fed7d03":"":128:"6151956162348eb397e2b1077b61ee25":0
AES-GCM NIST Validation (AES-256,128,0,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"77a1e4ddfbe77a0ca3513fc654e7c41609cb974a306234add2fc77770a4a9e16":"":"30d6ec88433a6bdd7786dc4d3693bde8":"69beef4dbdcdf4e8eeb9bf8ae6caff8433949afc2ffef777e2b71a99fde974797dfed2254b959430ecc48db72cee16c7ef41fa4165ce4a0636ad4e40875d193a3c6c56a6bca5a55bce3a057a2d3ac223eba76e30e7415f00e6a7643fda9a1bf4d4b96ce597ffe30c3f780dd767cb5681bb7a3fd11668380e272bdd70e66f18b6":"":128:"d4a3c91e02a94fd183cb0c9de241c7d1":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"303930b8ba50f65a50c33eccd879990d5d87b569e46f1a59db54371fcbda7fd6":"":"2b2b28d8a5c94b6f7ee50e130268a078":"c2ff20441d96bae4d2d760dcbae636ca7e01d263c28db5faed201bdb39bcacc82ebdc943968aa0accd920d258709c270df65d46d3f09910d2ea701c018ec9a68af7fb3d76a9b360de266b2ac05e95c538417fec59cec1f07d47c03511751978baebd2e0e4f7483f7351b5e61c2a60138c97b751f6a8c8323970f6be05357aeb2":"":120:"b597491dfe599eaa414b71c54063ed":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1e3b94f5883239c45ed4df6930c453c9ffd70b1c6cee845bbcfe6f29a762713b":"":"61155f27c629dcb6cf49b192b0b505d6":"5b7482e9b638cb23dba327cc08309bdb40d38100a407c36091457971bad3ab263efa8f36d8d04fdc4dea38369efe7ae5e8b9c190dad2688bda857e48dfd400748a359cfe1b2a3f3d5be7ae0f64a3f44738a7c7cf840a2e6b90ec43f8c9322c60dd91e4f27fa12197fab7ed092990879e964ce014f6be2a1ef70bfefe880a75d5":"":120:"7003f04d6b6d9dc794be27b9c5d5e5":0
AES-GCM NIST Validation (AES-256,128,0,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9080effb27994ef831689da10600e7a219db93d690647457702c217b08057eb3":"":"f45514696ff5ee1e6e5797f7bcff05c0":"5251f800f7c7106c008c0122971f0070d6325b7343a82fc35f3853d25c878215e7a929bf63cc8996f0ffb817174a351b71d691f23021f58777f962fd1d45ff849e4612e3304ae3303ace7b8ca1a43f54e662071c183a1695873f5567397587283433d1e76cec1103ee76f8e0472814424b8981caea1f624131fb7353afcd2cd2":"":120:"cfb6d9bccf0378fabae08fd230edc1":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8c291f0ad78908377039f59591d0e305bdc915a3e5bfb0b4364e1af9946339c0":"":"a9830d5663418add5f3c0b1140967b06":"e43c04e1f7304c1d83235120e24429af8dc29dc94399474d06047fd09d61ddc682684776c81ef08d97f06db6e4cfb02daea728ec6ac637e1ecfdb5d48f0440d8d8ffee43146f58a396e5151701b0d61d5f713b2816d3f56d6ee19f038ccc36493d9ad1809a49aa5798e181679d82cba22b0b4e064f56af5ec05c012b132bda87":"":112:"275480889efe55c4b9a08cef720b":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"96c77c11a3336a41b61ffdc1724a80735bbe91dd4c741fdbcc36e21c53335852":"":"655502d70119326405d8cc0a2c7a572c":"c01034fc6b7708128fbf4d6ffa4b4b280a1493b9e1dd07079f509479b365f55ae9290689f1c4bdfa439344e3abb17f3fd3d5e2f8b317517747714a82f0a9ace04938591d3ade6d6095491a440322d347e8634008cc4fd8add7c1c4764afdb2b098b3f5604e449e8049a46b6192647d19cf88fa5ed1abab7f313b4285560cba44":"":112:"b4d581464c4bb23433699c418ddc":0
AES-GCM NIST Validation (AES-256,128,0,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"e2a3957393669278f052ff2df4e658e17f2fe32811e32b3f62a31a3938930764":"":"a6f5a1f1f1ac77a1cb010d2dd4325cbe":"ce9c268429ca9c35c958ca3e81935ec60166aea0be15975baf69103251efafd54cbcc0bed76a8b44a5b947199cd3c2dee6878dd14a5a491a4a3d45788405d0129354e59c047b5367f1158bcf4e066a276951d2586bafc3c11f8a982ca7c3ba4677a938498bd51171552ea032fe1bd85cfeaeb87e87168f7a28e979b08358f841":"":112:"cd5986df8e9761d52cb578e96b1b":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2b17652f7f04073afe9d9eb8b2615c7550968b9776b139fcc4f9b0300912cbdb":"":"9a8ac23ea74b292b7386138666a0fb60":"2732107241e6136f1dd28d233373079d75d6ac13828ae7afc751b6f9c57e77268c52ae91f4ab3016af2764597994573cd6b41f72e21b60ffbb3aafc9487ac19d0ffe8db2ae2c7505ae5963b032d1ee1bffb4c5bd88bb0c9a350ba26ee3eb8dc0a157955333e4f28c5ec7349c39229dff9f440da72909f2870aea873a76545ee8":"":104:"f7b94229439088142619a1a6bc":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"16fe502e20d6473ed9a27569b63a768ecd428738904cf0b337df510775804619":"":"431a8d78b91414737e7c6188328a6d37":"934bcacbac10ea4ff6ee94b17bd7379b88489fbf123bf496c78c9b6b02ee97dd62eedd05b8f44f4912764920129e711701628991a0009ebc7017a1a19b177ec9bc3b0f280eeefadfa310708dfe214428a184147b4523e66f2d62630d4a12fd3e366d27c3b7d1566553c9b434ed193db083160da1f241de190bcbd36f435e30f4":"":104:"1dd3e6d610f359cc4e98d36244":0
AES-GCM NIST Validation (AES-256,128,0,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ccc545fd330cf17e27d75582db28807ec972b897f812d6ed4726d2a18daac76a":"":"caf2f56584a59c42a51fdbfe4ad78f3c":"e85ae6b27778893f36f130694af0b40f62a05aa386b30fc415e292761cab36fdc39bf5687a513e25ed149414f059e706d8a719b7165044fcbd48c773eae546380b8e667b56824e23685173ad9015a9449bc1cd0b767981efe09da43a07bf1aeee08ba05d387b8a00199e18c874fb3a91f77ba448c3bff971593f94747fce9cbd":"":104:"5cf5c7ca6fbfee63854f3bcd15":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8340d604770c778ee83d0fdd5703b1fb304c3bffeb6f4c65e2dd0e12c19bddcc":"":"c0a580465b1b2e8344f795a6578a5151":"799f228962ef87865dfcfa0addde7366de2e4aa78029dbc8d57d7e50fa7c74343458df3465103556a3bfc5ce217fbbb5b2835c9f76b70240b40fd605bcfa6b790d5985a8ba54354e0625263c628e8746c451504fc58a179f90f77f2b293d8dbf5582b031082025c806e60143da9ebb6133ac8367376d0572b32569ee799540ae":"":96:"318f56bd0f3832d043ef700a":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"74de45262fe09e12c9ee7100030352112a6532d1874cc6792b4da6950677eb2a":"":"9f7fc7367f9afdb67fd1afffac058e2a":"289ac6f5beecbbcbde5cb3b0fdf4a27ba237fca33719f774ed33a5fd35d7e49f76d3e88c53fd35561655c35469f3eefb5b2f776ff2799aab346522d3f003154e53f4ef075f016aaa500c76870e6659a5f9af197c9a8f5b9e0416ed894e868463cc4386a7442bb0c089a9ab84981313c01fec4fc0ba35829b3cf49c6447f56a4b":"":96:"bc1b8b94ff478d9e197551cd":0
AES-GCM NIST Validation (AES-256,128,0,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"441ec8afce630805d0ce98b200e59f5656a5ce19e5ef58241e6ef16cac7646b9":"":"a1cbeffaf55708c375dcfeb496b21f4e":"5a6ba5d3f5a7a4b317c6c716564c648f0e6bc6b0f9a4c27affca6d5af04b7b13d989b7a2cb42ce8eedd710be70c04c0e40977ca1c2f536aa70677038e737064fb0e23d3dd48bc00ebdd7f988f57141e164e3c18db81e9565a62e28c73770666ff3bfd725eebd98946fed02f31d500b0b7ab4dafeb14e8cc85731a87f50d95fae":"":96:"aa4bb3d555dabaaeb4d81fcd":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"d643111c973ffb7f56bfbf394eedac54be2c556963b181cf661ba144f7893a62":"":"4575b00b9af2195a0cc75855d396e4e8":"b2c53efe59c84c651979bcc1bc76b0bbf5e52b5c3115849abdbc469a063e2b1699bd292e5fcb3476e849c9edbe6ea14c2ab948ed7d21a21f69406621d3d412b043eaf813be722d92739a33a361ed8081c0eb00400c3c7d4e329f5ba4f7b75d534500f42f178048cf2e95b768ffed79c350f2ff72cb355abdb30af0a1363c0b4a":"":64:"9d1d182630d7aeee":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"91301ee0ca694ae6971ee705f53c7ec467f4c88257d6466f6f8159a8970384b9":"":"345fb57e88124a414828730a85f57871":"c13623824a204385f352388098f5e2db23426f00a73c60c1bf1047ce2c7cdf7f7cc8475781fe7075d1226ad18871e12f0156f35e6ce7032efe3bade1c807f9eedc720fff7a27a2f4690f904be9c99b54a65509eab60e97c4283596eeefa2b2517e95de7620382e3f780efa1dbf5d3908373adfe784a4faf298681e171bade4b3":"":64:"325d08c5b96068c1":0
AES-GCM NIST Validation (AES-256,128,0,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b6ba5c11daed7f868da9bfd7754d555a147a1ffd98c940c1cd5d136680e05c10":"":"b0c92b79d78547496d770678e1ce1552":"5b1ac8ff687f6fd2429dc90a8913f5826d143a16a372cca787845cea86d9b4778708bc0aa538f98e1031850f7c1d97fb64fe29adce6e1d51ca7f5203fc0358fe0bc54347e777dddfe04e3d7a66a1d1e2bdb8b8929e2100daf073845db5dc0b243819754c4c08f4fc3631d1cbd79ac7604746d677ff035930fcd6bd652e7864db":"":64:"b1819b6f2d788616":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"5fcae1759209e784dae5a8278b267c414a03ce7c803df1db7815b2910d10ce19":"":"24c5c349b3effebfd076c88a591b8301":"ca2778e39fffce7fbe8f912e69d55931848dd5ab0d1bd32e7b94af453251a47f5408ebacd7b50ddd1103fab1c72acc0a02f404c5661d8450746d781e2c0861b6974ade9ee2515da88b470f16d5f06007f35ce97cfc17fd015e438af39ca6127db240babe9c42ed5717715f14e72f0ef6ff4ce512de95a179e60d6393e73f216a":"":32:"8e59f30b":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8d71a70fd58125b0da8dddf8d23ddbe0bc44743753bdf259448d58aae54775a6":"":"d15b02572dec98398ba9e68e1a463738":"81313be1eda9f27e01b30877ca90e825f55ef60b15548c45c786c44b024e7198f333be7ddd2c3f593a9b77b68e6a7ac4cfc015aeec66f4823d9be7152f02a533f375554309a4db0fea8e76255144458e488fd19106d9a9614e828ae306fe82af89e7981369b2259c49bae77f8ec2b1f169ef0449ad083d11907234b72ed2e464":"":32:"99df1b8d":0
AES-GCM NIST Validation (AES-256,128,0,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b52398c7c75e1b146cc9998eb203159925cf6fc0b1c993ba46528e2f8e8087f0":"":"afc9a60ab8448b77fb05e8410d0a26e8":"770b3782f0e3a19d7d6bb98fa3eb0b916928a2970701c0f4a372a0ecd63499444ae02fd269ddb7d92e11a9e11d0e0b8bc60096a4be79a1e063174b710c5d739d8d05ab5c8ba119ff40843cf8c5dc4e1bd6fcad8389de3b606284c902422108d85eb3589524776641b175946c9ade1465e0d1064c5ae073be90e3261878a9af98":"":32:"32d6b756":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"6793869513ac886ed66e5897bcfa263877d8465fc762b1ed929ba3d08615fdd5":"cda45e29f487f21b820e1af2c8e6d34a8bdf3f72d564a4625a6e06f9bae1c2eac3bbd5c5958fd75cf389a1a31391211745029dcd4cb2575f40ab04710a909b88c2d430cdee279f54cf7c0ff6638d1e0e631f526ee198cfd6e5cdf73d1a11b69de01d640f385fd829616cd2c0e78f09b5f64012e42dee9eb0245b72aba1404e0c":"a43de15dae25c606da1e7a4152f0df71":"":"385834c853772af70675b6be2d5087df84f88b6a303ea594a170e6dd0398ae270fcec61661ca373f4653d8dcc9e71767568c0fb03023b163bdc9ae8a08ea858cbb03b8182b4674147cb35ffda14a2f50ed9eb48d5351f00eb2fa433fdfed6f94833bcf656a7e350eb978a0aaf7a91674145f28f64693197a116b21328e273dca":128:"159ffdb05615941e11f0db46ac8f23de":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9f77c141b234907b38fb45f1b3602f3c29de1ed839bb7ba51f6192aa8baaa287":"96dcb74a78e99676a71673e3c9f94c34b34dad2748a6e42cc70ea50e41ef8b86b5992295d2cbc8d621fefce09e8948de7e696b9788377d598796afd002a82b628d9890db78359e1edc075cbc0d3f11d544bfdf5c8a838390cb856735942dff260189c00accfabf720e5fef1d9b7131a6b2b769f67374602d1a7ed9b899b2c398":"1b49005788148665cef20d8dcde41889":"":"b4ca59caaa94749317789b92257f2ef1dd3d9b1f4ee9540927a6ae7bf5bb0b348fcf25ba8ddda79a89d3174ac1713421291910c8926cfbb4ec1e59be7dd50e816ff586f165c605371ee6077ba4ac0ce10499f9a2a44866ce6319fce22652226164cc0a813c3147c4461dd0410e3701d4647d5a003090082e367cb9249cf1be47":128:"8048ae0c35a656fcaa2f4c1b6be250e2":0
AES-GCM NIST Validation (AES-256,128,1024,0,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2419fd9dbe58655122ac1022956a023446b7f4756163769fc1b99eaf8fba1474":"93bc33dc647c7321152b12303f38937bd191ab3ce3b3a43a29f6853b33e415667d97192fcab2d1baa017042b301d03bae2f657505cc58e3aa4bd849d1ce85ede0e192a373a3894c41c54edbae29a209e16c87c81445d43968595297b50b55659f8b92d7282a2b3ca85e4b5d4ac4ff5062635103f2c7806fcc7378d5c2013be72":"94ef13dbfe9f362da35209f6d62b38a4":"":"3db23c161cf352ba267dab6a55f611eb5fff78a75288779a167cd0e4db6e75d21f11f4ff2928abcb1b46d82c2a0b1f647c60da61f9a72565f629b06a7b3fe96e4141a6886436859f610724bbe43fb99fac9b78b1e0138e2d57ce5fcfac1599bdba5701cb424535fad9ac482ab381eadca074e7376101b4b436f9c43ed760a0a6":128:"ecd4a7370096dc781c3eb3f7e5985ef1":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"08e11a8b4b24e63060c5002713725bb5b4a412f1d76eac13989738ce94e19642":"d5598f4e37274f3b617aa4f9cf6b8547b4eb1e0eac79f6eedd6cd5364f8891f66b8d0cb09f54777d461bbf92d6fd74b3fac412b77f2c48e1024cf09b83c1e71bb86f0a20f82d296883ffee62a4a192b184bc6d7ba0448c1519310c83b18c00e71153137afad14f096b43d454f205ba6b6c2ec162aa992cebf50735dd9bb37c7c":"c6f1e6a39cabda1089048b536e39cf67":"":"1fdaf0156456b6b2a68d66091bf2260792748acf3e7bbb7906af8e0df3b569a7c03ee3a48bdfdff7ccd52433d0bbe8c5fe30d93633bb9d591dfad7d81bf8efd4d4a3c5c0bf2ac9832f0a8687f16be640fcf9b19169c251f46b97167d95115acdee3d4443df416275f5597a52c17a4b8c4b723d4b35a7fd0b380fdebd44df8bd5":120:"cb9f4d4610c67acfe612af5508bb8c":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"da2dae0107c284ec2aaf6e7306959df1e92d3932b88954f119ab677c6b9dcdb5":"277675044caf1713109d4d3abf50c6fb67dc67f7fa584fb1a41c833feead03177cf4b42edac139807ede16eb1d9bed27db741f9542d437781405608de18418c9f7269ab3fd88f6a922a31eab5a3b8b2aa75ee4315fcea80c4954ea6613b1360b1c7c6b6da815e3f6e50f72b7e69c3b6cb3d154855e3f83cbd1947eb54018155a":"2005f79d55b12e6dfbab7fedecc50e2d":"":"c2aaab524d1738b5244af642bbd16b32ba954e69ae51acc804a6b0f89f6cb77ba2db2b0e109cda6036786f9cec5587b01e306ee8b3d588748c61ad7fce1266165729d0153ee189746b107ce15ced667279a484294725e120dc1803d2c751784436ab8ff1d5a537628ee35742d1917dc51f8cb46c2d6b983bdec502e99b85e5b5":120:"52b4d7f2cc44f0725ee903551f681d":0
AES-GCM NIST Validation (AES-256,128,1024,0,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"637807b3e472e2287b09d5a3ee62f791a416419ba35e11c49b24dbadc209f0ba":"e91a0a7320329dabb0d0fd7f099a4d313724aeeebcffe6fcea5b00af27d258cf9774845d29aaf5dad634c6f087c3311b1c92775fda8df8820c91186da30dc79747be6ec6230f2c261063143f4fc89d94c7efc145e68bfdbd58fb14e856578ed57ee5b3cba2cc67dd6497f05d1570efa496b46f5bcbf82ff9c6a414f76fcf3f5c":"46909d8dba6c82b86c7a2aca3c9e71e0":"":"13b4ad9c51063a7f697f3fc68030144aee0aeef0b5a52c9d4920a7185b0452159cf13e64ca216ff16637d0946a75fb5da283fcd263dd7ef2c8f14cf75537742d1f0e48846fcdbf03bc343203f7c31cf61b36374033462a7b813f4dbe9386e57874591fde606fbc150d4916c339f1950b09b1911b1b9119c3ff4053e05910ffb2":120:"6a5c83f807401d1a9a3a2688289f61":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"33613dc6e029df0f3ab9ca66fa96cdeaa84c1261dd586723b1ce873545565f7a":"775862b39c2a509afd3470a56891fbb79bdb7dacfdb9ac72ba4730cb936d364e1aed3c92c01a018cfcd7953f751003934c15bdfdf2826e9947ea8e521f55fd2a04c75156e4910f38932c9732eb3e60423e849d34c55e3fd00b48d83028e3b4f35686016126ff16c942ec859d3c3aa2ee6d322a92dc9fa9b0247423416f5a4b47":"59484fbc27cdbd917bb55f815f9faab6":"":"069f80826dbee03e6a3437e7c6d16eb6022bd14827b8e45bd440d9b1a8ddae09999388ba0b1be0a6bafdb96f26dad523a3592fa610d5091f68380f4c1c3fa9ef7a0796ab183e8a82c2bf1f76300f98ce983eab7a93ddb18f1c10534fdb61ace83cae37e225930ab870a46285e733788e907255ca391945d409d2e53dd8a28390":112:"9f31f8f8459eb03dc3654caba5c2":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"75d8132f70ef3f2d8946d296c83014683eb2a4a58b555c0f48e4bfa5774d6672":"a5be88fd43dc761838f3a9c7d62923c38414fa61b3678313cbc8fa9c2e5effb6cad7d5be5f39a71a28ff327b68a69f7e6a6bcb90eccacaf3a8659aeb905dd3e38efe57f2bd0d19daacae238baa01a7051084da6598fc5a3783a18decefc8efc8d46c7b1887f87d6d70c909df49340bcc680832faac3dd23cab5bcd80553dd485":"5ff41f3e75c25cedda1b08a41b89c4b4":"":"959396b86913337f2b1fb19767b787c18f00661c5d601bc65e884e15ac8043081459e889453e906ee267cb5d04fbaf250144a56c820eca34469967c73daf50796184ecf74f3c054bfa63bdd0c32425a8e10546ac342bb8e38a186e42a403cb80110aefd5f2d0bcdd353daa4430b8e7ec2134925c454745e2f708cd0b90d9d672":112:"ca0889a0eb12995079cf9ba77019":0
AES-GCM NIST Validation (AES-256,128,1024,0,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"8d44344d2ff9a02b1c75785bc84f16e4d23614bf43b2b9a87798b418e905c532":"e5689cef9f8258a748a615070fcbf40ed0b24c077e2f9a362cb536737ffbc5383bcafed278d4c5e0f3c83fdd5cde79483c2c178f6fef05ab50f2b8db680027a175bc6d702d249efcd6cbc425b736f1905307c9303a4bd8aca620b57e3bb4b68f2a515259b06cf5365b675edff3457e2e915d7da1e0802f7300b3d56c4644f4ad":"256a983cd6d6eb4e80b5c1d1cd2a9f21":"":"13eeadbecc4c9991e2aa0b1ca819572ef28517528320db970739a16994f82cd8b5bb53d889f298f65c63dcc07089dbf7e9d00612d2cc8220b5630ca0262a698836d906256896eea446f6de4506e558b4f20950528c8c397b6b5b04890204b77a163e46c80c96b3e268fd2754e0380e7330782d606c771d6085b34200a80335f0":112:"b33ab1e4029998e2566583dd550d":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3999a6a394943be3d6e5732af5faf26caf483a3fd42c13b7f4f02132e93a990d":"8907e8832553264d7e92afa1595842ac661ddfec3f4294567faa0af61b3d0fdf76a922a2f3affb36b3b3b97f18d5172aec0b8f6f01239bb750c0fdd5da1e1244473cdfade83797037ca46d83123e6105c5c54071971f190da0c59821b0bf87242502bd19d19c7f463145bab0e687a18ffb2216c4a2ad2caf9488801c33c78c03":"76e2a5141d094b3a77765ba328f33576":"":"995189a396486b451db0167cf6990557287074def46eef872e6cfe1a297e256bdff2b71668ff0184eedf00ff1a3ec91358874718f0af88acf2bdb191e97332dc544d940412363840d4c03c7b2231852393c62d625093011ef314e4f755b1d0ee37690b4dfb55194a1465714cc3cbcdf93af39e666be0407508b8764f7ee95d3c":104:"87c8f61f459fd4a09d9ee8b331":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4359a62d54c43770c3a0d51da25cc32fd985d9b41c282887299d2e348aa25a36":"f020c9cafba399009bd920c3ffc165d4db47a9ee15ca8c1f51c65e306ccccd3f1d694071a3c765b5255eba6ef6a280f6095f8c195ebdfbee6968b57366e62e16d05b1768825ab7fe66300941270aa121b4fc02ab970ca6e32170cdbccb46fc548620fa1777049343b1600bfb1bdecec6682f0aa7244a0852adbc7aacedfba446":"5fefa85c958417b6bc8a61b5496fea93":"":"3b8f829aa1cc1532a434bfbbd25f42480311657215946b9216846704fd5da5e886ca9d130df466c3b58f5259102ea6b9ad756e9f484a38dd0ed289fea083ab99fefbc2747100071744f10e362351d4ffac6c7c1f5a49ef3c78e2dc667f6b3bfd0fec454c4e3139443da71e514540d7a228db193a4c35d639ec13c1198ee7f81e":104:"591db861b9060869edb228a324":0
AES-GCM NIST Validation (AES-256,128,1024,0,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"0d798a357de5a686d06c329e451d7384bfbd462063fb8ea7d77a13dfa1f2aac2":"d920785bd7d7b1a2c9c20139380a6ac5f27a11b614ae110da14203146c2615d81e97649e95edb0eda71a0fa1589244ed42fd9449962a92942e38001ac64b212c7e06c113129712a01556577ae02325a26eb92581c0a690a894225e83ff1e36776f22b600508d6d96a0d1c55316b518df8d09769df5e8340cbeabaa0bf7752870":"50a003c0cb50ae8a3183cd640ea4c6f6":"":"9af6a5341cde4b7e1b88346ec481024b40ad95a51533cdd8e09e4809a20684f18eaf243e1df56f02ace9667264cc1c6af6b0914f154b332234f6468cc471ecb2078a9f81c17f4ade83d326b670795458d110e4c4b4cd7fe7f9f5f4d4fb23a038969e4ff4f74839b1edc270fc81fcdc8a0b15b9c2f0561567c471b783b4322ebf":104:"6c2f01264f9dbf29962122daff":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"29b01b6d15f6e68fc2e7079429dde5363888a6410191d603941bed272daef7ed":"123b6da306978f745d1dd86d7df32d9421523a7f329dd29ad98d2c309145844010295ef443a18d37ffe093080682fb96ba9c2c92105d35d77897b589e2abc7269aba8752c2a48c843bebad2c0fa281015ba85f5f709f6aee9b1d49236d5695f7f7d01554b193c89adcd1a91749138952cb3f0ec8b5f046328b3113aaa0715ef4":"cb4ac8373bcbf1b14cf2a6a6a16a422a":"":"caf71e09395d596d5a7b091c9e87ba6d522e974451e41f33f3e7ded554f24daa9da719e87793424eca9a3eb3972983354041091ba4b16c5c8c14913e1f6cbda09779188e9b5512917a0adf4b4344f119736ba6328897726a317989cddc66f16bab64707564bb0064fe6ab7b2b5cce143e94d4b6d739f58c47b6d4850697f8101":96:"f635ff3d8bfbfb49694e05ec":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f96d8cdcc21884e050f762c049930d78360b56cef5b99ae232c9a8c6e8fa89f7":"9cf05e5065531d2539d92ae76a43da1fa3614ffa4b1c73ddc2358f8d71345c01260060239edf629efc3650e0d13174af4294b6da0f39cc7fbecfa324afff89dd7d203416bd144c5e03df60a287fd4a8d54ef9b4b44b3d6de1d9de07418b8a34ec5c28cec3c5b2fb861583178a68ea0af89f2dfbfbd86f7cf1e572e1c8d4b0675":"5a7eb964b6bc9e75450b721b4d1f8f92":"":"566abaa23b8d464d6f107699453740e9e189254145c5132fe46989a6654de297398913daacb4083b29f7b31832079616e9a43c9c2878df1df451e49f1e629c8b9de2fb0e4ae9df48e3e8880f3f1ff5ace8842d2695e702dd1b7bfa7c25b0539b8c80d31ac91856796beced082c213e8be56efd646dae932f5bf503af46f491d8":96:"c049cce29c401d3d198773b6":0
AES-GCM NIST Validation (AES-256,128,1024,0,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"253234c3dc9cb3d50a80598c5cde0e37b6b13bf834f3595a9458dee698a6d19b":"686ad2740bdad507ebe97aa5bdbef25b8b030c4cdcaccb0d3b675ca91279db3ea75aa222c0ae98f86c24b10038cbb4fe9f897e1145b2f58cd3e9120f9a5620f38aa1e1f63906f557ff4a4c3223f5bb13dca34f8a1c6419e24ea57d114c62fec6fb9eee58a16b9e6a6bd930aa6fedcfc591311250e7167d43cca5916d5beead27":"9d156414acb63d11cb34870b937c837d":"":"96abd56d2f8aefe6c687f035df46c3f952a9933b8a51698e47d973b7d47c65ca3ba2474cb419c84a4c3cefb49e78cee1443a8fbbdaaecf73e9059ef34ac5a0df3fc152ecde2286da8840ad4617fd6ebc1e126314204bdc0a17b958430eb9f727498ff1db17aabbdaf43acca0945342d2ba9346da5373b2372b3081605e895c99":96:"3d998e5be9df433da001a686":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1054d48d52693d2797c80d3f10509d1c808f36a4d65e8fd968e5d56239f856bc":"a708e9d2d27ed4228e5b23d358561a77d684d855db9827be2bc102f2278f1961d3f056fb76f76204b2c96b916eb5e407f98e58edfed06de2388521832d97211d851d3e29658df738e3a15593b9db016d9e46fe9df98ce972d59f7058d484886ffaec7b9fd973c55644831241c1ce85bb478e83ccefd26b9718bfe910ac311ecc":"87611b936873b63abeaea990d6637a22":"":"94473e84659bc18eddcebe3112f55426f48ca4d670291fdedd42cc15a7415aa6795fb75b39434884eb266677e1fa7f530c6f3aaa733c0d9c06291bd7dff4c4e5857b2ee9e9f1f61a85571ad32dc9a3259017abe9eb5111e56df2913535669f3b2d722bd35fcdbd6541918885d9677cccaa902b9d3599cd4f0df1f35f4d11b8cf":64:"9bd7cfe1023448ac":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"a95dc5127b9cb1c82d558d5b24ae049e24447fd676a49350089951afe01dc797":"45f81fa4780a256c40a0efec9547310406904d8991bcf964aa35ec9af457e2a642c1343827839f1f4b42f2b226da351731f416a4b4151f07927c278b371404f027bb2058e1765b367f5433a43fa4153883351041db3f066ef284a3eabd584d1d0b1d594b4ce7b5bca1708fbc661d95a9ac0d77dc29547f022eedc582fc7158c3":"0b177d01993ec726fff082ec88c64a31":"":"16c77b7f541d2dc4e8d31da23e04f18f4254aa283e8cee5b776f3d9a27584f459d0747955efff8945f807209ddaa6421846647d4198534b244498fe13a9073d372171d1b2fc38af66204f3de04000c093ebe659173b8d78dcfb8ca9003d2cd44ed168e6aaf55a06f29e83ceb32b98bafb59f109599f88b5c0f0557bd2b28f03f":64:"19eb5f808d65989d":0
AES-GCM NIST Validation (AES-256,128,1024,0,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"53d6393dd7ecc40f2d52460ecdb0607133ad843ef53f380cd3a2755bfa567abe":"72199c54dd5efb28c104e3b7210855506f6577d15c4eccdaa6a621a572e15f5845d648cf71b9fafef3411f6c1a664c7974fe71126a5cbab907e2caa342d8d7a05bc68a72c824896ec40e520e90b704dea441d22c5918f98803a88293384f64f92f11650c2cf4d3b062d30e14d149160742f59a473faf8fe00f4bdab9128c3281":"db7e93da21f0c9840c54c56e9c6ceba3":"":"5e83f559fa54926b731334f815783914530bbcc472d4bbd5e65908fb1c421442cb4c57329f2e4ba3d146a6499f34d8f1ec6d43e0cf98bdba923f404b914700edb235b08b0330097ea4162fd0baa1b7177ef0b29d5a6689bc56b8f975d6b6067ade4b8baf1d47a2eeb5b2ed28ebeded381d55d280cb2fb65ce4d82b69cce0594d":64:"4e65dde857a0f5c7":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aa4a53c7764a254b06e1d8003810300b70f5729306effba9fb6210f97648a499":"19f3a8c298478d6868bf3b31785eb62e844c37200672e6ef1ecc05c616d981e02c333dbc3f86dbb7ab9ba40e9e57e133e6d1d595fcc6d8e9886a84517212669d5d7ce0f1383cb58681b92dc180c06caa1a7ac1ec974dcd7f2bca7ad2ab2789c9a3a487d64c484319bffa56d854a6d40c62b02d0c7898f641f106ff50d22a12e7":"c32288f97af9b6e31aa7e40d9ef8d016":"":"1fa6aec7a28767c8961363dc4264e6ab97014264f6fe1dda7e9db8646ce9a5463f69e91aad2fce696f9b641d75635bfb0f97ed2d7beaca944cf8bd9dbfffe77b5ae9fd032575e5333c7ce27538c609922843de87b960ebca7c2a2ef9702dd0c32f787b4d7df248fdf526d594a90bad0d6a8dffe212246c36db71e2d348326624":32:"1699444e":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f420b6ef96d9bfe46dcf18246ee230790a6fc854e730f1dd2d1ffd0e8b5c4776":"658a954d6c61d0d6f0e81a3c1cc65684483fdc95f280b6d4c964358596c25ca41c389932d74a1a3a17d041e89b7110ea315fadb3128c2c469c350bf9b4723aa9c8abd9065ebbd12c317bfb7090f09633f8c1184f0c4fbe10f5486dbfb847536c886f7d144ed07272a7e62fb523a04111e5ea9e1ab415fd17e72143006db14e9e":"4982f502a37eea8bcf316ced466c9fb1":"":"8630aa78aabe35d9360a44bb2094209b6f70d46d71e3949803cf54e33dafd54c6e49eda9e26dc5c0c1e34908f5281c8cb2a1aeee81186cf45d3eb22f486320c7ee0fb7bf3c211b232a8426e7e82f3e05881bf7d9454cddec7f28e5358cd0e9ea2e9cff938be044c1b21911d50b2ae23ab1aef377511ea657adcb560c34209f8b":32:"3aa91b73":0
AES-GCM NIST Validation (AES-256,128,1024,0,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"50f3b822dfc70382d8695811e6b0a2896ea2bcd4d5268778cd484053c8a19288":"15bfb3a562ced63c92561a78374af40c88a08ce02392419e03d7543365c5b6525951ef2dec5927474a0ef85f519e5ef795881db3eafa765ec38e6be7b565a878c13d90c02889dc50cbe87081d9225a515504c7be15bf97f5d72a4d81f218a148a46fbd42983ab002fce0a54719bfe301bb761753cb330dc25be517b87d0428d9":"980810c11abd3aff43408ec9a69abcb3":"":"12632296f27eb2439009f6032a3f648370303dcebaac311b684de2496f399b271347b19e045c1060802f3f742b6c780d20b9d589cc082d7d0d580dfb7231171cfb612227fcdee7feae4f8defd34c89fb0d68570e782192a7bdd9a5464f35dc6a4282cf9cc3fdfac988d129eddf8e0795ccc24a113f872ada88834c974df8bc69":32:"32c1c4c5":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"29072ab5bad2c1425ca8dd0ae56f27e93f8d26b320b08f77b8bd3fa9d03edc6c":"3c7afc5cfc5a1e141587e93fef8427d4f21d892b983b7c9b6e9de3ee168837a1533847c8a2e2ab0706ac1474e9aa54ab57e7860bca9ebb83bd6d3ae26ca5387abdb9a60c4a9928484742a91294b13ab8f51eb4f599a30e9cb1894aca32a62a4c2793ee6793df473f43234c9eafb44d585a7d92a50aebef80c73c86ef67f5b5a4":"0201edf80475d2f969a90848f639528c":"4c8ff3edeaa68e47bbc8724b37822216d42e2669ca127da14b7b488fde31a49c7d357fb9aecc1991b3c6f63a4ce43959a22de70545e6aee8674d812ecaaef93ad03b5d4c99bdef6d52f21fc7fdbeb1c5629a76df59620aaefda81a8e73cebe4c646beffd7f4a98a5283cc7bc5e78b2a70f43e0cab0b7772e03a5f048ec75081a":"f3755aae6813e4e4b84a089ca1496564676655ba3c94e59c5f682adbbfed21e76aed0db78390258cf5fbf15f06c6b6468414cb6493c8b9b953b4954ecaf07ecaf8586ae001710d4069da6d21810bcdcbb831f7041cdbb984b7c55878598a6658883178dcc0fa03394519b8b9c3bed0e5c073429f5dd071a9184b015cbbbc62e1":128:"0549dd9f2a123bd6d58e5cd16c0624a1":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aa9999af53720d0c1288fd3fe307a471160635287eebf41dd77c82d1f9cc9d61":"6ce6f2dc202750219e15a24e1ff0678ffdde55b27cdcab6da188bd5235a3bdc677f72f106579d02c2970d4542e4e2372886e1a6d74c596ce735f51f2ee6aff4d62bd24112ec7cd1adc7c660561f163170cdf047c241c53b8a5b2e03fde48c249a319bb90c2693c468c9dd136e94e05f067cd1d68244ce50be318ae0464b79acd":"6299d651a032bdf3a7e6b25ace660e30":"afab0a3d1960ac973ee2f4461dacd10d189412b37e572cad7888bb4d2453f1eefbd6725aadd5f982393dfa59c3cf1ee342dd91e1fbfab10a802e3a0eda226fde2686e7db1015405a3d33c921e5aa857bfda53ca3aed3ff0e18c289406740a7c5d9f86ce43db40c9032e98ab126c7c0364e2efc008312b7641d36503d183fa5a5":"a8059fe6ff711616afb591b5e5de497b3b7813f9de658c7b47cc3e7b07d0805c1ba05856d98341869b8394f3b5df2876ae19837edb3931eebeb0f26eb6c4a2ea78003d82a98111305208ccaceaf77e5d71996cca4f9a5eb712dd916b71455f741ec2dde51f56828667b7a2da015e1886fba71e496a542d94a38efbcb5353fb89":128:"2ff4d8d00400ad63a6ae7842eefb16eb":0
AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"31721e5e3a748a7f7369f3dffc1cbb570ceac868ef9d1f29b944b7e86a26d273":"6afc1d22233a60c3e6851447de89152a0dbadcd87e35fc947ca4bc886f1f87549ea106b097e2655136833d06dfb879a85732298860c149c5e5ff03bb2a95d9cd3deeb8ffdf951ea5f97e32c1ed75271d2ea58d158ae6d568bf197d69130977e330ebfef33f222bfd5b56bc6b0382dc99c4f0e42b0aa7a117b43f96d43f6e02dd":"523247d56cc67c752b20eab7a28f85fe":"11eb41aeae3611f0de77bfa1221ef5b7d254faf893dbdaead926a61605f8a86f20f1fb84e0c5acd195143bc5a4f297bf729129f898a2013175b3db7004115a6120134d8e354afe36699a6c6618d739c805b5b91739df67de7667729f1d6eae1a0609897999d474be4d8b826df901c6f39d522570d38d2d1aa828382932a177b1":"39e7f32bb3e8436d97a1d86a22750768001fe3a805516d3f800352323afd221991105d12da69ce7430402fa7923958ad5ed85506b968c4dd89516d6e3d02e722db3954ce098ec3299ef4f2ed4a89f383408dceca9dabc6f8eefe5a1f80093961c29a94b222d1a04d2c1e453d2e02977f3dd77a4659e2bde2fdbba8e2829db4f1":128:"506883db674fa0417e0832efc040227c":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"100bd2bf9c8b24cc2e8d57697cd131c846b55ad6ff0b214c0de14104b465b58b":"81c3370da989f774c1962f60c57299747481bea0e6b91df846e6ef93cada977bc742ee33ce085ae33eb9f7393a0943b647205a7e1ffb2a6a803a1ce7a88902456d66612362962b97c7152b57f1d54de94a39f07c1a8098da4ea5e498d426b7036c642fbeebefda50b8c421a7a33b1a8499dc35011d80a51d34285824d6f01722":"363e8af6f38307ec126e466e7056cc45":"471f7e9a0b505b12996747ec9e32731f11911ee95d70795bbd1bba34cf782d4100ce30a85b23f9f817f30e8f314e1a23e101201c920ce12ce732cc3fe01c74a9ee8d3e1599aa22f2398c3265d4dbda626a8ff4262889009e087fbef6babe33d7300e5cfc4c0056f3562a913d2594fee8e44959cf728599a9d3e7ee4a9ecd6694":"9494d01966ac887b8295bde61f0e7d006ea7b5c984a29cf5d849194f35d7b0f6ddb3bbd9646d7b9b961c515179901d2b04cb7cf7b6c8736d1d472ae8bb9a6dc9194b03b3f5373551a5ae0c0f023967669c873f0acfb02c0ae3a384e70f7a7ca05861f257f36a2ad5fbb591473dfc3ae1264dca0e889e0ddbf93dadf75db2059b":120:"5c78d914cac78c514e275a244d0ea4":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"614dd1762deb5c726eadf0e6587f9f38fa63d16bca1926955404f1b9f83e241a":"1ae828a1693d3c24651ab8ba59fb1185d08e6cc4a964f30dac59cd81ff4bdfce8023ab1b6dffb594a4250d25f611763efb4152cd35b937ca11373d237f1f8b3c0e21b942beb1f4ffe5014198c9ff59896ddfbb55e69963e3ef6b03d3fa134977870cd6f3ac10bbf59bdcc9f103cc2d58f294ef5f007a9f903c7bada08cb454e6":"10d079a86894b0c17bfcc8ffc4ecf7bc":"c4035f80b6d2ea288afd4ddaec1eb232b78be5a86583fa85f791d546102c97ace9716c2702483d762c8e4eda12f3dd10a9a49a2d72cd4694fa794477b54b4367be6b548675aee4c351e3f66c7e113aecfbcc57b8bbab4a039f28488237c75313e62612847b915ef9b582e146b2bfabbfce576a984f5ce4be0e6bff5480584fc3":"bf5fb0445aab46aba504801d5356455f28c98f300670a731bdd0c901a1d5564aa31f5d467e5f80dadbfeca61d2bf72b570f3935ba04c45a2ff7994bac6cabf84db2a42cd5db2a4f160c97c76817cc5cb62d4006d895fcdb218c1464b5caaadbd1f61779938e9a84440615eae050cd6f1713cfbd695d78818b2af78157339e9d9":120:"6d815ee12813875ce74e3aed3c7b73":0
AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"12e97fafff7d397ea34efc0a8528afcd51c1b2ccda680ae9049edc8359b78ec0":"9fbf0141cd50bd1b3ccaf137b808b698570642ab20c32120901622b34173d7ad119abca3c61bbf1e6dd5cb182a079f3e01b0e5263d984c6186f01792125dd6c47c30033008ca2e0377f990285094f652c55a348242dfaa59f76989fcf86033c8d9c0b2a526bf46cca207e055e1dbc7cf3d0b7a840c8fb5f85784c9e4563f71de":"8eb11abfe350c0d5a6b02477b44867e9":"0a830029d450e20aaef484d4abee9dadeabbd6feaf800b3a693b4746db059efb7d110405b45e45a9e5acf90957c154674dfb2c1cd787af371e01bafc4e8475d0268b969d25756a1121a519afa61f3d6ecded4e0640f0ddd471f5b8e82029fd2887df4e65af9580390b6924022e39acfede7530e5f0e54f0285ba565ff49af542":"067cd6ff8461ac80217ef70a91dcf6edb2fbdd31856815cf356fffa63ba3f5cb293d7f1ed32ae40248693617f27839a34e871fdde635c04d1e66743f730a06e2be25cafe1d67d804879fe38e009268ec50a0294da445c795742ff1e924170e4c2e0e9ef3bdc26c251f5537218d295d93d57baccc4dee6185c235d7ec5c9926a6":120:"931f44f10993c836e534a59c1aeb98":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c732da000262de558bd3ea65e66e20e11605170c90b67708bda43f40abed74fe":"7d6c981c30ef87a46f53aecb4c97124fb94b45057635d5bf1d4f3a3bdb534e9ab62b4a425de9dc52537575ed9ff406cfbf75403d3d9cdbd9fcd520d62065f81483427fa27964642cc1a07822da0f6234a689eb30e8425d7709abfd18666c76c963eecef20503ee77c96802c120abea1428cc64a08fc20860527854fecc571a6c":"523dd34ea263c31c2215053986626d02":"f170556ac5d38f0661bae33e0826356c8488218903eba1bfa49b16882537ef78283fd9351f37f44a7687049a608c3ddcc82817d4ba96a40d05807a38ee3f2d5cb8b1121db61318fe22bfd3afb319e84c4e2f94570a92433db29bd2193485449c719a2c6030696f53ac729df90678eb018783b25740d806d1ef6980e10d396595":"3470d4544f7bfa3ac0627a56e66c56fa062188440834b9238bd20e89dfc701fe6cfe0bf4ea2387014bd83c63ab7c912e1c0dce7c2d92eaea155f886b574bc94a8f4f275dffe2d84173a05b99d8029c36dd3c35c12709d33f55c3bcd96e9a815f77a4fe8e50639d8f195a526486f1209d7bf7e86ac3dfc4a1d2cbddb6d330e5db":112:"5924f3ceff0207fc8ba8179a9925":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2684bccf2b845314a0c4b8b5a780f91aa7ed1177539122dc8717c14bb50e2dff":"1a4174d4e18ae0b6434f35dcd9c86cf158c42ce00ceb12f4356ec118d659820518c326a1b2ab92279d949f74c45219c660cb84fb6b10b14d56a501173fd3b129ac89db0de22874d92bec724e94751f91a817a42a28e8e15672172c0b0db4ead46b14d4bc21ad8f5ba1f9e7e0fcc867700681349b8102a208d76ae4ef7df5b56e":"8433b59b41fe0cdc5b30e4e87c5028ec":"280026eeebf05e26e84955e4a36352d4f97f3193dce0795d526d05645bf5d2eec4b92ee8dce54d78fd3fc3e36bc79d5bf9ee3b2699310a75dbc5007bdacb4dc88d06515995f8f5b1aa90cb8fc036b763a5e819db70c091802fb7f24b9c2a68ff194032fffc4ef798936aabccbb43f22a2bbd7e1ab9d0434d443dac4929b84193":"cc155e04472c0872d5ccf8910d34496f380954da7653a1e1d3c460fbbc791c9b82e35176e938b7e21eb4690ed9fca74ba45a03dac4abc4f625ffdfad02e1acccf18b5a1878f911fb6f6e09ce0d4c6a0bb87226e914879a1b3085c30e8328aa6e0d1c49c21b760b82e469981b40ea102f3998c81dd9799f484ab89b19396ab7e1":112:"5a80008e6da40c71b316b84ae284":0
AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"484a33ba0b97c2887a86a1476f274e236eb37a72e05f9e74348248877ea99e98":"4d81cec14b398257a31ad1e3581c00d05e12b37b71260bdd95bc0b6981b614598ffbbb3ec4bb7deb5673a1020139877122f88504c9c53265706fe76623a9b488a3dfdd4cbc1b7b46c7fce9d7378e164964c0a377337a5c172e5e4de6206375164cd7beb0305d7a90f5c73e12f445326e1bc9ac5acd1bd4bcbe4662524891a2e9":"c3a5cc19aef6d64b656d66fad697b829":"30f276f96a50e17b452dcb5e1b4ab666dc7c4c72d0d9ab2abaf77eae2e3bab7dbe5ac005d7eac5480e1bae13646b59155528abdc148b3b71f06d017c4b12d64aa3990cc96941eaac14b60eb347e0be873de2b6fe2b86e2c2fc063b29511b70144ecd315b9491001b122701b9c8cc1d85427b6c60663ccd9d1fa84e1c2f609f36":"579fd8fb50d795b5b208c2d5b0a8b1804f754a30a1003025301655aebcda2d2ff30d29a16d0fb17a28401127750fc87c9e3aa08540817228b049c387253ea2359035b8063ab4bf54504ca5ad93b54b8ac5bd0c1ef3c6769fb1ed239bb76f3e0bc51d356aa91b494d22749c8e4cdb1629e93f7c6e46ff9145916c1275669ae5ba":112:"1c39aac1d5ffe7916a08ab2ce279":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"4a5f5321b515cfcde493148ee4c44c693b1979b3a3ba522a2a80e5d27c93fd1b":"962b8504feb57ae73e93c2e8962c9562f409c908e51f9904df1623eaa0c6b998db6ee8919d805b6ffcc37da51300c1ae16bca21f8f6f63af989a813ae8fe28c3fb012f003dab7e71b08d757799208806062d62b4ac937712409f9fafff3e3579a4d92d4437a6f0b263e1da7e4651e0a521be5f6f49ff5a0778f07bd5d3dac696":"c2cb0166046bad0cf0a107af83921d7a":"e48abfb657ab33f58eeda8c58a20e7e299bc3e7481f704c326529408580f9a5130cf6f7368502d20b03ba6c3b8f6f28c076a3ef7b8e987750dc972be953e712483e6f328da57e4b5c501fa7c720593eb89ff9644fbdc45478f80ee89f096694dcb44a9b3a6aca0904d4aa4e475b4b24771df9fd6ef9557f4f5c842ac241b212f":"11bd55d969603ff3d46355cb19c69557b99825a4c23eeafc8eed8422dab537c0fa9753191c49a6fd9e0d6760ed816a49e7f5704b5936a498544e2bbba7875c513c031f11527ca1b9b579960be6964fba9119dcece8205c174be07ebffada83375678de76fc012b0ee179787b4aa9fb6e2b459575260eb01f23786dc24d1d45ef":104:"36853a029b5163ca76c72d4fec":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"c8f7b7e6295fc8e33740bf2807caeaf4b90817cc3ef3d9f38f704d9f6164e41d":"4c26e489069b487ce9dc0e295d5e89760401185374041b0efca5bbf758e7d010ccbfe5999e2a817776aa8f49c1e5d43bcdade2989fe5be635dab54cb0e390a21b832b30f688857b9e09c346bcc5397e51cf71acbe1bfcaa1ecd7e87fe5dfde180d951922e60dd8203ff210c995eb54bb981f7e931f0b1f52dce0cf1b2eba503f":"903b2eeb9d0b3794acb7439d341cfe0d":"83e99497bfbe9393b065b0b18c13f99b67f1fdd724fd5d70cdccd2b8dd658499cb9f57e1a1fe39634ab0869182de085722a79eaabf057aac7b3f3230f51a2f9b48b49d592f02246dacbe915ff9d9a53f7e5332f7a9d89649050b075c07e5e74f281ca1a0dbe632c0aecf3b1911cd6ec4f8facc2777d0d14784bf5951a1c62c33":"63e2941bf4a13374627be66bdd4e57119149f81f4c1a8a321d27a4a79e7d61e2dcec9d7b13fcccf12f5b059cc209f8414ae81966462a266e92b4b3c25198ee240e0bc6f6197df1e24e8d4379fcae89e6240a7f9c7bab886e79990b846e98e4bacb8b3b17422249943e9973de42da5e38e4eb52830b1facce766b3389a5312476":104:"6e31c5db3146ae45ef5d50485e":0
AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"dec062efc1bd2556b87a81143d025abbaa532c586d5ebb065859a2071f8f07e4":"02191bcb060e61827dbddac6c2961dbab8812cdc2ac77bf0275628e8e36bae18ad4deb77b2682ade0aef76afd4592173ba29dae4d0735963c803856eaa6f60a6c21785358e87f3c4a91e321c59e04c150297de873679194ba5ca857f7d91ffc358e73810d555ebd4dbd1fe4fbc4ffa4ff38e4b41db9af0a84fe9828708631469":"19abd0361443c3ac2a46f2606eeb1a69":"c3785e7c0095726fd1f3ca842057b0ea2baf9c3fe1119c2147609158a2039f26cedf8a44e046955ba7e7cad9f48cb49274fc53b109d7897e080af252e7dc64807c276bcf668d2cd505c9ce8e584609d293ebd2a4515bfbaf78c413d6e29dc90974db38b564ffe9a40d3955dba9f19b6f39bf942669cf80e4676d6c10df566ca1":"91a16c7fe029e3fddacf0809dde7d041c438977b89192e6fed7605d0133f3d9e810355d186432f6529bd2c4cb9dadb4fedf5128cb45e25a3a46bf74ed93f31349f64a69dbe86592d76e437947f1c1d7270d1cffe80afe10ae8523541961eacee1838c168a2ab76703ea4674a68a96b8a298a672ffc140e98e452d501fd57f000":104:"5b4071a4be0543aaa59b56de35":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9b7b700d978e33ae9311b206347f488e2832fad5ce7e6026ad5e24fb47104fcb":"37aef6e4200c6abc3d161daaf9dd6ede002ce8c63d9ed54e8ac56bdc8d36906bea663d2857d8d543166ba150827735ec78e37f92e682275e268d377b1880970df232162e55c9311882f889e7d183e5cf4972691c85f81c47e1224b9c97ee3963d75c6a032270ad6d713c999913f0b58a2d4f42b85a3b0b40541a31398cdfb4b0":"d0bbc284af767af9a31b863d66cb6138":"dfb87a65ab2d99d7d753042aa47448ad830e546d298d6ad52b85207bbb0cbe8cf3cdb12b3544f1fc228fdae04a241abf9e71de8ae14f2de2c261469c383c682e13582e07cddb1ed9bff1fd2aa0be7978096a914676dfbe7bec6edd927362f656ce1de86229bc511cfec4cda77a1e761e7ab8664e4df08cb820ebdb604c2cdbb0":"dcd5575d94fffc647d4c081e3ce03928651419a32ada2af02de2f58d68fa98eb1fd5ef671875719a9c65b9ecc69513408a79a0a5d57cabd04f8e651f5b8fc1ff42ce58d8a212ac2bcb83c5c53c542c282553a62b4e3d7d4f049ab13172739a0f46e0a2fd9aec54eb0c84141c6b341783754372df69d39e48cc24eb3d9ddb21a9":96:"4a7ac79db94b27469b92343a":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"ce15e61edd9320ceacbf3984d87c707159caa738e7e76285be00b5a95954b523":"8af4a7d92441ce931815fa4e24d69f66256fec7e62f79a029b684b5db304a46b2a3d3a7ee8d6b7ae38caa7de526d5c0f28dc65a0913a383b7ee1640cbe24997ba95b9b12fa1e9ce9f9100d883c16b6286dce17e381af15113f56197c97fe6b45be00a3df05045f476829d7b303211ac97cf989a18c16e27fbf23570d9d18f04b":"b1269c8495ea1469ff41d8154ae6765e":"0ad26a08a5cc2ec825347d7ffd5aac795eb68aa7e22970d991c863fa6d1fa720137aa5cde4e382625a0038e6ed72da3b5003c1b2a953c2b2138e0cf870cca4afb595c0451aa793fb0a2bc43834a0aca1e760590cca765ad672ead975993f82ae6765c5afbddc6062d7c4babebf650ab097db1a1d9a2a99e8fd2e0eb8a7b916f6":"ad0ab4e77257866e4a57cf44fa4049428e56a6e8b8fd47b4cd00bfce84fa8f5a43f1df2061b0a37311b4a1436bad0d61d52ced5e262ed41a7eb125d61cec2e3fbaa95e533b43f318048096ebc8466f0cd609bb5e7c3fc6e5701aace546618a170f88c0b7ed76b63759ca4e4b931a86ac379dd12ad2cba7d47a19a3ae7c242fb0":96:"fb1e988f9c97358a17e35e6f":0
AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"aef24b8205d4085d978505f04724293c2819ef9f3f03a6c758078690fc4bf7c8":"db26453170db2f984312e0cf961d1a7df1154f0525c31f166be5c9f516736501f9f2dd8096a69b6441888ce27aaceacb0b365a38e4e01e2e34027c023206e814f22d46fd2fa69f87509ddced4b8852a76b2532b92f069b8c922ac13b2b7f19cb7c524657a4ee6e989cf2598bef674aa31576776853fb7f9a2704d6b3ee7fbcbb":"81456baa337c3dfd162d9c5f72a2e216":"484a5f4772643cf74ccdced0e5d80862f9300f26ae3139968649d3d7bb761b313f2ba63798b2040d397c3d1569285fee8498fd9254851c15b98af5bd351fa72e7d574c62ede0d728e1279e8b4e4784fd63ea7851e99d1d2356bcbf868528f8d0a90fc3b884ece631648d916ec97abadca1b0dd7670e6ad42245021570582ec7c":"da95c61cd2bb88fea78c059c254d2b949d4fc291c73ac178ace44c1e6a339f64931c857d3a7cb276a04993620adb6918dfd3f9083edad384a8e6c1d4799d526a1c969d8deb0e2667d6d06f559baf914b49fc463244528aa6522d19699065438d939521d7d7bb149835298f2054bcaae6d786f6dde133b640697a3d37c697579a":96:"bc1c1cbcad2e1a66ace079a2":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9685aea9aaebbd691e679779034729306d5887bee4c1f90f6ee3a397a0ff3ece":"ae3b2fa1e209f72c167eb16bc15b7669b87d4ab516e428157810b87a83e90d56e267bd4996522b5b22c2a349d3765ca27ea27057dd71f7c18ddd053033bd780b6cb689f48c383e9c717b9b265cb9e32c70c4a7d8fb933e986d996b5ad914cd645b74c47ac3a0de952ee3fc73ada83d896da7ca0b2a0b10e4f701fa13cba9ec50":"b1bc140531ae8c69e2ffc784e0988038":"294ff858fa6efc82ca3be4d05332bbb951a71a7ddfa4b78472e1582b445312eec11793d8d6e1e858d9cb078b5fc9083ac8a3e3bd82964cb07c08450567922299f68fd47663c7a77c29f2b5347f229301433d5a75263158a0d80095859e7e45476b99b23412046bfbe4eafff9f7820ba49919d2c987cf00c286c784e7669d8fe8":"6575128b576e68f7b3709e325b3d616783b42ff7f7631eb62b90cb0c8a86bd324756f43af53c33cbdaf9cf64ea94cf1b7fab5003f00c1d07f3fc8eb1931d759f9c43477ba22311a111488092c42b7786facf42b861a824cd1bcdc603a77d11253f15206a929a3e16e8737d080b8e5f0da8896226989a9964d72e491187250472":64:"f78c4dd37c06b197":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"3adf0da24394a98c7beae01d28f261a9cbd887aeeecc0c29e84540264d5a6bad":"8cf023d717b0f82f2b81750b53fb665c1c90f4740af4a3534b36b847df33ba5eec19eb24ead70a4b613a82572878216181d59b0c4c4df99be08d021cf182724d8ff5ec4e85884d0f69c16238fbbdbc5529ffcc4e418405e4e95139f79d3115a1ac56820cd39fc413ab72f7d447f947cb0541fc2be261f1246c0a786199013b22":"ad41288817577316df2d881ac93fcdef":"ad33ce922372fbe3531c0dece69f85f18eb1bbfb09a178403832308de0e54b1010db2636c4b7d9caa478138f61db5149c9fd7f3b45b7a1876729fe67622a37f0b322ef9cf6043b301a5d4c81e6f347d22bd3e40722059d3be945845c6b0629fbcfcaf885c7f393aa81f242c48c61a439574761ef6b671972cac664403250750e":"9d465e9c4228323946b1261892243d8455edb9eb8633d026d4033fa3965d20730979ba6952c0f6f2c5768f03c19256b64bc759d2e7b92424bbc668308504ba34384c2bb37baaf91a3a4f0952a050a3d69853141b49e86eda3bf0c4db4ebcd1c41e7f13eca20bf574a47ec45b8c98def17c0741805bf8f37923ba2b5221428578":64:"507618cec6d03964":0
AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"9ef64b4132db54668568e2ae66ab61f62a820c7002a67a7e42006280a373feba":"4b96dce753273188c4cca3386a7415d5d9263757376e1f32797df47992e92e1bc0ab0833363b3acffde22602d4e47307bc8f252944414a15e1398693fd3b8bf4d8101cdcf70ce2c9de8cb7f5bb17cd83f09b1bc78ba07c34b9214e250c5940e9794199cb392309027d5ab4f32b51c533db6732024bd412f2cb0c5178d5296aa5":"07a86dbe2cce040eccdad79b3d211ecc":"af7a75748ee293015b600ca82ccc7718f4ecc20c3a2357ee02fb726330a0d79ca8bb97979bc0c89f4c60d7154f8bd29ba6ec5f2f4be286ea8a258cf6bd39b4f42d6db8e70c99ec3af26bb4d8003dc6fd0fdfbbc620d511d4d5f09ddf975a1663ac2979ae0978b0bc1e7bfcd660ae4ac7f1a8f6d8ee35752ed59a604f07dfda53":"e3e862146b6fb48b01ababc462dd560298eea7bfe5f3248e28a908d1de08c7e91fcf63922c394e7a51b64f4382225093e78598c050e588ff4ad38f3e83dc07b77ce569c6ab8f8a9cb0056b3155aa1503cebeb64c86d6d9cdbb178ea9a01a8ba33a1c48beb92ee4cf60e7dedf986019e19089cd186c98c229b0ff42c9e1aca571":64:"8614c216055c0660":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"f14ac79f35bc5a685433eea5bb7fd69fc959aabda24cbd8b7795fb2e41f90ab0":"8a20da14819079960b77ed5e548d0aa0bdcffb752817c1abe4195e612cfbb58c8e5a8af69f75bad10ee8afdf0b0d5c46c4dc11c32bff16d5e7e82e77fd80e475c6a5a0be36718af232697ab22314306b8ee32484b3461da657710c06170e80a6a8844f898c2be29366c8430f2392d100ffd419603cbce406dc7315577e6e9ee2":"353e1d08edce44c966430513cb7a0383":"cb1dde4ff5a6867038c170192fc2d292f5bb349d5b9a903cf3d88c09ce78fb1f4a776ff7588a25abb5e5f6a44791d7296afef3f32ed31db1def37dd25be0570a204955121f9c65b79a3ea88fc452dbcb82719243c11bc27e3408adf802b6e8b4e701ee4e9dfd140cb3277bf605bd5fb757d2325f7805fc6f0d1ea5a6207fac5f":"49b5e4ea0421034c074cde67dd39a0310c3f31e8138672ba2ecc0777be542f1c6529836d5206b79dac83d96aab56787a35c584b31228f007f11630328c3f40a57be37487689ee5babb576e7d14ff0f1f1ba6e4be11637352a4336327681058b99df2e44f9772de4e0e456d2e34dec5eeb335b238e862841d166e0612cc0f18f3":32:"88aed643":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"b55ac909e73989e310ae37d13c54bbd5a126f419a3b01a2ad8961d89bd247f81":"8a663e8b21a027c4a9545d145d42d9c67b4fcd5d0e39aa68822aedbd609e2c681f60e6315035321de739858b2b082bc05551fe9b8456c2e89c6151282c6068b915eae5762e4d6d765d667de58a315e061b3d60035ada50f59258eb6e2a1cd6b52eea7eb9d404fd96e71f19feff65b74a4b4f07061adf7c1b0e54e2ece7a2cd49":"9328abab0d3f63c75ddafd8559d96b4f":"cbae20aa1996abb62471aac91cd78080953fbe3b165d4c9435832ef1106e7e3424db8850f44a431c289ab4f2bbbea9e5c0c7aaf2e8de69c0ced176283662cadd280d8fda0c859551f0f90893ca57695c95803a1546826922ac78703d7ccae285b7ccd4bbab551756cccc6869dcf34b6af8d8b80c25c6fb1d2caa7f28161fb854":"457e13ff4eeaaae75d14bbf1bff91706c3168b9b146aed29dbe31b12ad90c1c158833be95701229ac6e4a13997e0a2d961d4a0021c4d8920ec54a9a935e5ea73b17e8fa60559df76bd07d966dfa7d86d1a77a313228b2ae7f66b5b696726c02af2c808bf75e0b9591a220e762f57c680ca68f20b2b5413b07731bbd49de039bf":32:"5de0434a":0
AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2 [#2]
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1477e189fb3546efac5cc144f25e132ffd0081be76e912e25cbce7ad63f1c2c4":"7bd3ea956f4b938ebe83ef9a75ddbda16717e924dd4e45202560bf5f0cffbffcdd23be3ae08ff30503d698ed08568ff6b3f6b9fdc9ea79c8e53a838cc8566a8b52ce7c21b2b067e778925a066c970a6c37b8a6cfc53145f24bf698c352078a7f0409b53196e00c619237454c190b970842bb6629c0def7f166d19565127cbce0":"c109f35893aff139db8ed51c85fee237":"8f7f9f71a4b2bb0aaf55fced4eb43c57415526162070919b5f8c08904942181820d5847dfd54d9ba707c5e893a888d5a38d0130f7f52c1f638b0119cf7bc5f2b68f51ff5168802e561dff2cf9c5310011c809eba002b2fa348718e8a5cb732056273cc7d01cce5f5837ab0b09b6c4c5321a7f30a3a3cd21f29da79fce3f3728b":"7841e3d78746f07e5614233df7175931e3c257e09ebd7b78545fae484d835ffe3db3825d3aa1e5cc1541fe6cac90769dc5aaeded0c148b5b4f397990eb34b39ee7881804e5a66ccc8d4afe907948780c4e646cc26479e1da874394cb3537a8f303e0aa13bd3cc36f6cc40438bcd41ef8b6a1cdee425175dcd17ee62611d09b02":32:"cb13ce59":0
AES-GCM Bad IV (AES-256,128,0,0,32) #0
-depends_on:MBEDTLS_AES_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_CCM_GCM_CAN_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
AES-GCM Selftest
-depends_on:MBEDTLS_AES_C
+depends_on:MBEDTLS_CCM_GCM_CAN_AES
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.camellia.data b/tests/suites/test_suite_gcm.camellia.data
index 9b71d7c..0297806 100644
--- a/tests/suites/test_suite_gcm.camellia.data
+++ b/tests/suites/test_suite_gcm.camellia.data
@@ -1,215 +1,215 @@
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #1 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":"":128:"f5574acc3148dfcb9015200631024df9":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #2 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"00000000000000000000000000000000":"000000000000000000000000":"":"defe3e0b5c54c94b4f2a0f5a46f6210d":128:"f672b94d192266c7c8c8dbb427cc989a":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #3 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":"cafebabefacedbaddecaf888":"":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":128:"86e318012dd8329dc9dae6a170f61b24":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #4 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":128:"9f458869431576ea6a095456ec6b8101":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #5 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":128:"e86f8f2e730c49d536f00fb5225d28b1":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #6 (128-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":128:"ceae5569b2af8641572622731aed3e53":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #7 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":"":128:"ba9ae89fddce4b51131e17c4d65ce587":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #8 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"000000000000000000000000":"":"8f9c0aa2549714c88bb2665e8af86d41":128:"783cff5c5aca7197320658a74279ab37":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #9 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":"cafebabefacedbaddecaf888":"":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":128:"8d645a0b0e48d3c3b60a014157cb49b4":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #10 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":128:"01b15bb5ab6fac0c422014e91eacbf2b":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #11 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":128:"f876143d933214a5035ff0bb96ff650b":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #12 (192-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":128:"4b72e520b2521e63d240ed5c903216fa":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #13 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":"":128:"9cdb269b5d293bc5db9c55b057d9b591":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #14 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"000000000000000000000000":"":"3d4b2cde666761ba5dfb305178e667fb":128:"284b63bb143c40ce100fb4dea6bb617b":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #15 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":"cafebabefacedbaddecaf888":"":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":128:"c912686270a2b9966415fca3be75c468":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #16 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":128:"4e4b178d8fe26fdc95e2e7246dd94bec":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #17 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":128:"e6472b8ebd331bfcc7c0fa63ce094461":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #18 (256-en)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":128:"5791883f822013f8bd136fc36fb9946b":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #1 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df9":"":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #2 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f6210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"":"00000000000000000000000000000000":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #3 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf888":"":128:"86e318012dd8329dc9dae6a170f61b24":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #4 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8101":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #5 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #6 (128-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #7 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce587":"":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #8 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d41":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"":"00000000000000000000000000000000":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #9 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #10 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"01b15bb5ab6fac0c422014e91eacbf2b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #11 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"f876143d933214a5035ff0bb96ff650b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #12 (192-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #13 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #14 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000000":"":128:"284b63bb143c40ce100fb4dea6bb617b":"":"00000000000000000000000000000000":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #15 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #16 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #17 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094461":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #18 (256-de)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #1 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df8":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #2 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f7210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #3 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf889":"":128:"86e318012dd8329dc9dae6a170f61b24":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #4 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8100":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #5 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfadedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #6 (128-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c83f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #7 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce586":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #8 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d42":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #9 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"ffffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #10 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"11b15bb5ab6fac0c422014e91eacbf2b":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #11 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad3":128:"f876143d933214a5035ff0bb96ff650b":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #12 (192-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a328a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #13 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000001":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #14 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000001":"":128:"284b63bb143c40ce100fb4dea6bb617b":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #15 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4949d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #16 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"ffedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #17 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094462":"FAIL":"":0
Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #18 (256-bad)
-depends_on:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_CCM_GCM_CAN_CAMELLIA
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a9f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"FAIL":"":0
diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function
index 747914f..8bb7b8b 100644
--- a/tests/suites/test_suite_gcm.function
+++ b/tests/suites/test_suite_gcm.function
@@ -153,6 +153,21 @@ exit:
mbedtls_free(output);
}
+static void gcm_reset_ctx(mbedtls_gcm_context *ctx, const uint8_t *key,
+ size_t key_bits, const uint8_t *iv, size_t iv_len,
+ int starts_ret)
+{
+ int mode = MBEDTLS_GCM_ENCRYPT;
+ mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
+
+ mbedtls_gcm_init(ctx);
+ TEST_EQUAL(mbedtls_gcm_setkey(ctx, valid_cipher, key, key_bits), 0);
+ TEST_EQUAL(starts_ret, mbedtls_gcm_starts(ctx, mode, iv, iv_len));
+exit:
+ /* empty */
+ return;
+}
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
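Review bot: gcm_reset_ctx has no comment stating its contract, and because it returns void a caller cannot tell that `mbedtls_gcm_setkey` or `mbedtls_gcm_starts` did not return what was expected. If TEST_EQUAL jumps to the local `exit:` label on a mismatch (the otherwise empty label suggests it does), the helper just returns and the calling test carries on with a context that may have no key set. I would add a header comment such as `/* (Re)initialise ctx with an AES key and call mbedtls_gcm_starts(), which is expected to return starts_ret; the caller must free ctx. */` and consider returning an int so callers can `goto exit` on failure. The helper also hard-codes `MBEDTLS_CIPHER_ID_AES`, so the test cases built on it presumably need an AES dependency in the .data file, which this hunk does not show.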
@@ -171,6 +186,7 @@ void gcm_bad_parameters(int cipher_id, int direction,
mbedtls_gcm_context ctx;
size_t tag_len = tag_len_bits / 8;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
memset(output, 0x00, sizeof(output));
@@ -183,6 +199,7 @@ void gcm_bad_parameters(int cipher_id, int direction,
exit:
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -200,6 +217,7 @@ void gcm_encrypt_and_tag(int cipher_id, data_t *key_str,
size_t n1;
size_t n1_add;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
memset(output, 0x00, 128);
@@ -230,6 +248,7 @@ void gcm_encrypt_and_tag(int cipher_id, data_t *key_str,
exit:
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -247,6 +266,7 @@ void gcm_decrypt_and_verify(int cipher_id, data_t *key_str,
size_t n1;
size_t n1_add;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
memset(output, 0x00, 128);
@@ -287,6 +307,7 @@ void gcm_decrypt_and_verify(int cipher_id, data_t *key_str,
exit:
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -300,6 +321,7 @@ void gcm_decrypt_and_verify_empty_cipher(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -308,6 +330,7 @@ void gcm_decrypt_and_verify_empty_cipher(int cipher_id,
cipher_update_calls);
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
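Review bot: The added `BLOCK_CIPHER_PSA_DONE();` sits in straight-line code after `mbedtls_gcm_free(&ctx);` with no `exit:` label in the visible context, unlike gcm_bad_parameters and gcm_encrypt_and_tag, where the cleanup follows `exit:`. If the `TEST_ASSERT` on `mbedtls_gcm_setkey` earlier in gcm_decrypt_and_verify_empty_cipher jumps to an exit label on failure, both the free and the new PSA teardown would be skipped, presumably leaving PSA state initialised for the next test case. The same shape appears in the cleanup hunks of gcm_decrypt_and_verify_empty_ad, gcm_decrypt_and_verify_no_ad_no_cipher and gcm_encrypt_and_verify_no_ad_no_cipher. I would put `exit:` on the line before `mbedtls_gcm_free(&ctx);` in each of them. The function bodies start outside these hunks, so check first that no label already exists above the visible context.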
@@ -322,6 +345,7 @@ void gcm_decrypt_and_verify_empty_ad(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -330,6 +354,7 @@ void gcm_decrypt_and_verify_empty_ad(int cipher_id,
ad_update_calls);
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -341,6 +366,7 @@ void gcm_decrypt_and_verify_no_ad_no_cipher(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -348,6 +374,7 @@ void gcm_decrypt_and_verify_no_ad_no_cipher(int cipher_id,
iv_str, tag_str);
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -361,6 +388,7 @@ void gcm_encrypt_and_tag_empty_cipher(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -370,6 +398,7 @@ void gcm_encrypt_and_tag_empty_cipher(int cipher_id,
exit:
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -384,6 +413,7 @@ void gcm_encrypt_and_tag_empty_ad(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -393,6 +423,7 @@ void gcm_encrypt_and_tag_empty_ad(int cipher_id,
exit:
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -404,6 +435,7 @@ void gcm_encrypt_and_verify_no_ad_no_cipher(int cipher_id,
{
mbedtls_gcm_context ctx;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_ASSERT(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8) == 0);
@@ -411,6 +443,7 @@ void gcm_encrypt_and_verify_no_ad_no_cipher(int cipher_id,
iv_str, tag_str);
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
@@ -444,6 +477,7 @@ void gcm_update_output_buffer_too_small(int cipher_id, int mode,
size_t olen = 0;
size_t output_len = input->len - 1;
+ BLOCK_CIPHER_PSA_INIT();
mbedtls_gcm_init(&ctx);
TEST_EQUAL(mbedtls_gcm_setkey(&ctx, cipher_id, key_str->x, key_str->len * 8), 0);
TEST_EQUAL(0, mbedtls_gcm_starts(&ctx, mode, iv->x, iv->len));
@@ -455,12 +489,127 @@ void gcm_update_output_buffer_too_small(int cipher_id, int mode,
exit:
mbedtls_free(output);
mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+/* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of IV should
+ * satisfy 1 <= bit_len(IV) <= 2^64 - 1. */
+void gcm_invalid_iv_len(void)
+{
+ mbedtls_gcm_context ctx;
+ mbedtls_gcm_init(&ctx);
+ uint8_t b16[16] = { 0 };
+
+ BLOCK_CIPHER_PSA_INIT();
+
+ // Invalid IV length 0
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 0, MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ // Only testable on platforms where sizeof(size_t) >= 8.
+#if SIZE_MAX >= UINT64_MAX
+ // Invalid IV length 2^61
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, 1ULL << 61, MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+#endif
+
+ goto exit; /* To suppress error that exit is defined but not used */
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void gcm_add_len_too_long(void)
+{
+ // Only testable on platforms where sizeof(size_t) >= 8.
+#if SIZE_MAX >= UINT64_MAX
+ mbedtls_gcm_context ctx;
+ mbedtls_gcm_init(&ctx);
+ uint8_t b16[16] = { 0 };
+ BLOCK_CIPHER_PSA_INIT();
+
+ /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of AD should
+ * be <= 2^64 - 1, ie < 2^64. This is the minimum invalid length in bytes. */
+ uint64_t len_max = 1ULL << 61;
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed AD that just exceeds the length limit
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed AD that just exceeds the length limit in two calls
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, len_max - 1),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Test if potential total AD length overflow is handled properly
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, 1), 0);
+ TEST_EQUAL(mbedtls_gcm_update_ad(&ctx, b16, UINT64_MAX), MBEDTLS_ERR_GCM_BAD_INPUT);
+
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+#endif
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void gcm_input_len_too_long(void)
+{
+ // Only testable on platforms where sizeof(size_t) >= 8
+#if SIZE_MAX >= UINT64_MAX
+ mbedtls_gcm_context ctx;
+ uint8_t b16[16] = { 0 };
+ uint8_t out[1];
+ size_t out_len;
+ mbedtls_gcm_init(&ctx);
+ BLOCK_CIPHER_PSA_INIT();
+
+ /* NISP SP 800-38D, Section 5.2.1.1 requires that bit length of input should
+ * be <= 2^39 - 256. This is the maximum valid length in bytes. */
+ uint64_t len_max = (1ULL << 36) - 32;
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed input that just exceeds the length limit
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max + 1, out, len_max + 1,
+ &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Feed input that just exceeds the length limit in two calls
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, len_max, out, len_max, &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+ mbedtls_gcm_free(&ctx);
+
+ gcm_reset_ctx(&ctx, b16, sizeof(b16) * 8, b16, sizeof(b16), 0);
+ // Test if potential total input length overflow is handled properly
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, 1, out, 1, &out_len), 0);
+ TEST_EQUAL(mbedtls_gcm_update(&ctx, b16, UINT64_MAX, out, UINT64_MAX,
+ &out_len),
+ MBEDTLS_ERR_GCM_BAD_INPUT);
+
+exit:
+ mbedtls_gcm_free(&ctx);
+ BLOCK_CIPHER_PSA_DONE();
+#endif
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_CCM_GCM_CAN_AES */
void gcm_selftest()
{
+ BLOCK_CIPHER_PSA_INIT();
TEST_ASSERT(mbedtls_gcm_self_test(1) == 0);
+ BLOCK_CIPHER_PSA_DONE();
}
/* END_CASE */
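Review bot: In gcm_add_len_too_long and gcm_input_len_too_long the lengths passed to mbedtls_gcm_update_ad() and mbedtls_gcm_update() are far larger than the 16-byte `b16` and 1-byte `out` buffers behind them, so these tests are memory-safe only while the library rejects the length before touching either buffer. If that check regresses, the run ends in an out-of-bounds access instead of a clean TEST_EQUAL failure. That is worth stating next to the buffers, e.g. `/* Buffers are deliberately undersized: the call must fail on the length check before any access. */`, and it makes a sanitizer build the right place to run these cases. The spec comments say `NISP SP 800-38D` where `NIST SP 800-38D` is meant. `len_max` in gcm_add_len_too_long holds the minimum invalid length, while the same name in gcm_input_len_too_long holds the maximum valid one; a name such as `len_min_invalid` would avoid the mismatch.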
diff --git a/tests/suites/test_suite_gcm.misc.data b/tests/suites/test_suite_gcm.misc.data
index f22b7a3..108630e 100644
--- a/tests/suites/test_suite_gcm.misc.data
+++ b/tests/suites/test_suite_gcm.misc.data
@@ -1,2 +1,14 @@
GCM - Invalid parameters
gcm_invalid_param:
+
+GCM - Invalid IV length
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_invalid_iv_len:
+
+GCM - Additional data length too long
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_add_len_too_long:
+
+GCM - Input length too long
+depends_on:MBEDTLS_GCM_C:MBEDTLS_CCM_GCM_CAN_AES
+gcm_input_len_too_long:
diff --git a/tests/suites/test_suite_hmac_drbg.misc.data b/tests/suites/test_suite_hmac_drbg.misc.data
index 68866d7..d0650a9 100644
--- a/tests/suites/test_suite_hmac_drbg.misc.data
+++ b/tests/suites/test_suite_hmac_drbg.misc.data
@@ -3,7 +3,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA1
HMAC_DRBG entropy usage SHA-224
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA224
HMAC_DRBG entropy usage SHA-256
@@ -11,7 +11,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA256
HMAC_DRBG entropy usage SHA-384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA384
HMAC_DRBG entropy usage SHA-512
@@ -23,7 +23,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA3_224
HMAC_DRBG entropy usage SHA3-256
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA3_256
HMAC_DRBG entropy usage SHA3-384
@@ -31,44 +31,44 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA3_384
HMAC_DRBG entropy usage SHA3-512
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
hmac_drbg_entropy_usage:MBEDTLS_MD_SHA3_512
HMAC_DRBG write/update seed file SHA-1 [#1]
depends_on:MBEDTLS_MD_CAN_SHA1
-hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"data_files/hmac_drbg_seed":0
+hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA-1 [#2]
depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA-224 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA224
-hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"data_files/hmac_drbg_seed":0
+depends_on:PSA_WANT_ALG_SHA_224
+hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA-224 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA-256 [#1]
depends_on:MBEDTLS_MD_CAN_SHA256
-hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"data_files/hmac_drbg_seed":0
+hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA-256 [#2]
depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA-384 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA384
-hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"data_files/hmac_drbg_seed":0
+depends_on:PSA_WANT_ALG_SHA_384
+hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA-384 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA-512 [#1]
depends_on:MBEDTLS_MD_CAN_SHA512
-hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"data_files/hmac_drbg_seed":0
+hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA-512 [#2]
depends_on:MBEDTLS_MD_CAN_SHA512
@@ -76,34 +76,34 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_F
HMAC_DRBG write/update seed file SHA3-224 [#1]
depends_on:MBEDTLS_MD_CAN_SHA3_224
-hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"data_files/hmac_drbg_seed":0
+hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA3-224 [#2]
depends_on:MBEDTLS_MD_CAN_SHA3_224
hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA3-256 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA3_256
-hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"data_files/hmac_drbg_seed":0
+depends_on:PSA_WANT_ALG_SHA3_256
+hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA3-256 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA3-384 [#1]
depends_on:MBEDTLS_MD_CAN_SHA3_384
-hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"data_files/hmac_drbg_seed":0
+hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA3-384 [#2]
depends_on:MBEDTLS_MD_CAN_SHA3_384
hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG write/update seed file SHA3-512 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA3_512
-hmac_drbg_seed_file:MBEDTLS_MD_SHA3_512:"data_files/hmac_drbg_seed":0
+depends_on:PSA_WANT_ALG_SHA3_512
+hmac_drbg_seed_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hmac_drbg_seed":0
HMAC_DRBG write/update seed file SHA3-512 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
hmac_drbg_seed_file:MBEDTLS_MD_SHA3_512:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
HMAC_DRBG from buffer SHA-1
@@ -111,7 +111,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_buf:MBEDTLS_MD_SHA1
HMAC_DRBG from buffer SHA-224
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_buf:MBEDTLS_MD_SHA224
HMAC_DRBG from buffer SHA-256
@@ -119,7 +119,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_buf:MBEDTLS_MD_SHA256
HMAC_DRBG from buffer SHA-384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_buf:MBEDTLS_MD_SHA384
HMAC_DRBG from buffer SHA-512
@@ -131,7 +131,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
hmac_drbg_buf:MBEDTLS_MD_SHA3_224
HMAC_DRBG from buffer SHA3-256
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
hmac_drbg_buf:MBEDTLS_MD_SHA3_256
HMAC_DRBG from buffer SHA3-384
@@ -139,7 +139,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
hmac_drbg_buf:MBEDTLS_MD_SHA3_384
HMAC_DRBG from buffer SHA3-512
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
hmac_drbg_buf:MBEDTLS_MD_SHA3_512
HMAC_DRBG self test
diff --git a/tests/suites/test_suite_hmac_drbg.no_reseed.data b/tests/suites/test_suite_hmac_drbg.no_reseed.data
index a6f50ad..5bc406c 100644
--- a/tests/suites/test_suite_hmac_drbg.no_reseed.data
+++ b/tests/suites/test_suite_hmac_drbg.no_reseed.data
@@ -239,243 +239,243 @@ depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_no_reseed:MBEDTLS_MD_SHA1:"3e325daab3301856044f416f250b6161e447e63d85ca084f":"a9d2a53dbd7ef4b9150dd0ed4d002e56":"4de6c923346d7adc16bbe89b9a184a79":"9e9e3412635aec6fcfb9d00da0c49fb3":"48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"a76e77a969ab92645181f0157802523746c34bf321867641051ed6ba39368033adc93d4e":"":"":"":"8925987db5566e60520f09bdddab488292bed92cd385e5b6fc223e1919640b4e34e34575033e56c0a8f608be21d3d221c67d39abec98d81312f3a2653d55ffbf44c337c82bed314c211be23ec394399ba351c4687dce649e7c2a1ba7b0b5dab125671b1bcf9008da65cad612d95ddc92"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"65cdaa5ab147d0c79fdd02b24fc94d0e427f59ef9a31f447458c6befe0c2cde5a58c6b7d":"":"":"":"0d164682b5bb552a53a2a942373639d98576450ca632faebc15060691a4219467c5aa106034cd19a214a0a4f31d402e68c4c565f49b33b680d522ef25f541e8202be779730376fdcf5b7b58fd6ac959204a88f91008651d2c02ada82505f914d4d9b9aea7967784e5320e185e1248270"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"650996f1477112af7604386be5ace78232904315d99d87d72a06709d331a6f930b447cf5":"":"":"":"d3341d7767cfd95640a107b3abaed7b4e1855b348e3ae5bcc53a0b0d49d4b4976837ec8f376f38327135578eca7ee583215bd5c79ebf499816f79afcc402ff1e9ffc4ad0f896761c9cff75050bf84baa194c355763b16b5d2648d480a2b48f22662685de39c7cee90aa0b6edf8062e42"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"898640ce467201a53e7731bdfb572977f7eb3e49050bc1e367ca74bf0a27376d339d09f4":"":"":"":"4f5eea927023b4abab5d4d9944e84ca001ee081cbc21d4080e1534ee6d1d8a6f60361029ffa983bcc79b5d65d4aaaaaf98983de13ddde39a739f9d95878fb31f57f96184e5f2f3adf654a468c616237fcbc6b2c194e247178cb90294f631c449a01f1fe09c02587c460305be9fc71b5a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"fe405dd73956bf6ec875515eebd8c5ecd60553643da750914c83dfc93611d57390af7324":"":"":"":"d8ae0eb81913a190c439f8ffa56c06155a73f84b20608b2b2e9eab3061202cebad18ab8b3eba81672152c1c02ef573cd6e8623c392facb6a857425c6795cd7999c1e7f56f3fa9accca018076e0bfc106d075df98f5fb66f28933215e9276777dfc479e71a8d506a66197918d9b0f7a8f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"b06892f6f455afddc8eb60aae35b35a64f63b2aa85a2dae4ef489266f7bc354f72d68b71":"":"":"":"fc10c03fc37d3bd5fba6591a97f6354a9ed8ba2b6806744432851f43a3ce6418e39ccb417b8539e349acea588e2abe5da06147c9825c6e50a31f8589a57ca3bfb10f0da9c8e89fe2e372b5af1cf96e0fbeec5d99228770c41a76e587da7d8764d5f235f5d1d6188d84ae61c52c2164fb"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"9174e174e9e031f62b2e19ae5c0bef22eed7d5598e6e73504759a2c15b05c2473a721d26":"":"":"":"1962f2d473b31a2576dbd78022f4eeb974641fa2e9cb582f03ab741929f51f0f4663129e68ddc242e1c2ceafacec3dccb97e09527aff46b948f0abcea1451699dc3ae4d3fb5e04c84337e17b504af2fb5f1aa6ec0033ddf138a188ee162c497526563a67da8015275d89f0e1e902b2ef"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"eb1d45ba0d8951b7b1d7ce922b7d1f6e94da8b821940126c9da5b0b4382425930743a051":"":"":"":"306b1f733e6f69b6f26b7baa5441af4967a5cad8faad18029440aa989aef6024dbf3ba02dfc2c694dad6496ff760d72ae6914a4dcd5e3a443f4bcb14bf2b64986f35c32449f15e3084d46fadfa2ae213da6b26f787cef89b6a23084a929608a9f6acd8315808c29f8ae435a40202a012"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"78cdc1567caf2ff529ef8e3475c0fbb09a48b687a544f7399f503948621f29686fb15216":"":"":"":"2367067d8ec189b0819eda34602768a0698b4b545c7d5214fad58c9787b89809b97f3af5f9349907d2954f8c0dccbdbe63cc019bde3a6fae10497ae57f33e91ed55b6fc4a83fe8a2463552796d5120da8066f7285a8388958817b1218e006d7fc617f453ad0f9217966a0731ba99f093"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"25f9ee24ee25ad3d29a974f8f552b178cb292b847a6be80694213a6c0b33e25e29fd3ecc":"":"":"":"32fe251a619d164c217365b12a313a942b6a9c3df007751a5fa9f356412d1142c785c292e3dc9d0b1d77e080892e5d39b91c58fd142458c71182061920a0721db453a32fe7ffc8b2c20bf11894fa37d8f0e9463edd43a97f65362295119be03d5e06f617fdff6accaab8c4da72ac8f81"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"0b644221788c266aae00a3b63a87f32ca96a6c32b116cd37caa4f75ff5d7e56be3b4e20f":"":"":"":"dc9245da77502cadd1a8ac4d1cf6a199c8e529deda10c87ab6c69ceea6fdef36d45f4d036021b93fe5b342c52fe1e71d81e617bebc58804af3109bab93dbb2e5c546e108bd0891710128b5e8e4a4f01df2003d038fec8cef426fad7f72dd5e091b4850e9bf4932d60deacb6e9ea3c5e6"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"a6677badff70966a3cd2febaad7de7aa5849ba763789b20d0a39b6c569261b826cdb15e8":"":"":"":"e04838c970f5d7208a2a7310da893d65391666a5dc62d9ede71fc30816cfc3e8064ac59cc9aaf30283356078c812676ca20beb044a6d78db6c5ef9718a88559607f225002452c01459944433013cfffea84d6fe404fbbbc2d66bb50a2fa01d8a5d6e4ea9b402dc5256752461bf6fcb7f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"2301d8c053312db04882f4284cf8b47966c1c9b8c49de847d0c11f14c5f70ce19346562b":"":"":"":"b46246526b28f3ad7f6d8732ca3bfc40f005d97a519640a4ce728486d8bf830d661be5a97b11113e89096d9bf15cbef73ec28ac13e3fbeadc9bca500918bbe92ea23e131cc622dbffe2272db16ec5d4ca30e9bd986d1709ae22d10180514bcd11bd6218ea1fbaba101444945a17a4c4b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"78644ea1b0c4c55c4addeb476fc34471ea2c4393697aa4f170726010c443b8e1c4a6b3ea":"":"":"":"ef1b41bd03ee8460d55759db65a4c97758f48e3a09127be04c7ed08bbee5fa5cf119929df42c187e2a347a8df99c502b693a7ae41946f4918d84686880ae29d6d8fbbc4fccc9e295876a249cfa59effd331994e84717b4c76637df36beb960761880daab3d43376341439af2ce8e33cc"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bcf49cb642b3d915cf03b90e65":"":"":"":"144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"c5c89c26ac4ca8b1106ba90a8ef4d6d687dfd88743caa5fbafa4745d9c1f8371120b10c8":"":"d3483ae5f9ed97efd3f852e4a6f20f25c947a03f39a4b75c":"2cd523c5958cdf403caa61abe5c4739cdb9d40152f0e769a":"1fef4e6abc2778d1c3e3ce00fdb5eae1ebebdd5cff0a7087644c8565d1e8b876b2c05264ca81498468851fc7b9e5a2163a06f377d2ed754c095adc59dc015a77edd69e4eecbe48d9dc127eedfff5cc73ae38127ae3a518fe7fa5abd1a9c53eeaf144420873341e2efa3d81493c69b04e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"6860e44bf582db9818ffbe4c699d4218965c29f463d7a02fe1f36c8442b0a5d103def7a2":"":"e9f598357109e2a532dc980388b8a5991256166d67c3bc01":"58ebbf7402be041724701e5c0132abe604c11a62a9de1d2f":"52fad34b27113c146595a6740f505bc2d3edf6618975cb9c4a5155788eaf08b96d232610d9b4ee06264fd92f319df5a52b8f9e31b016a6c21d27d31d9d42bbb7588a7142f26ece3ddf211c8cf4530947adee302aa71c0d7fe9060c1b25f1c1f2e053598a7fb72c4db55fb1b02352d60a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"27b9f78ae07821f2b5625c8fc3a03ceec4fc8062be860c2db20403dd88a8751dcad56158":"":"1b6c848fce706abd73612dd3fd421c1c7ce9f4c2d0ecc670":"14a43645c1b6ae394f795af6ca2e9084e7e707f3f2cedd7a":"33c592017af545b3a9cf3419ce1c604e9c7c687ebf6418fbef47ec96e61f1951068eec9b60005d24574313f04ffc16c30872ec83e41e248e3d5c6951930d6a88b8931d5502d1142ce50676b3adf48453d1a008189658db8511d19a06ac97b4d5cfac19b54e8e6b899d501715f401ef85"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"8d7cf5c2e360ef755c1e9f5b7a44a1e29f09cee7ca44e15925ffe9a47b2d55fd7750b356":"":"0e691c9a435939c615f0686eae88e090ba5c4b3f5e6e00c0":"1e3a452295617e5a9e6f78256d2781feeb3812753b4aad9a":"a307569d8adf3f7e6ee4567a5b2bd338badb9234e7b27c92429ffa75e4c56c0529fdc6c15df5d47c46e3d2eeadcf1b9e93a5dd6cde99a82f04b0d97f7a3bfd05c0e1d8370987222310ab18c980ce48b2679361c3d9011dd355a9b06337c054ee37913d5f4dd30d1fc942cd733a0fa5f8"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"1a0d2c734918c539c1b306a464eb6b54f92e958e8636032aec23ba8ae817bec48384461f":"":"b8ad9e613a891fd0db89571fddda77827382e406cd3cdf7e":"1e172a708aa4ffa3618ff0d7b1f9ba341f4811507851dfb4":"674df1f3095d6c87bc54dd9b2aaa2c786bd50e4ddc02493745d820dad8552131fb3e389e99b0709478b65d4268f2a3b468a8447dc572a6ee024be6be9be9d428c12cc92894d15dd1c959d6222dc9ec30478c7a0b57f5bd8bd53868b98d7674738b54cf74100ae215693babb6db3b3890"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"95a30a0ca779a4038ea920cccfa4cdd814ca17d560d53a75cf170f4712994f9bcb2efb74":"":"1da6c8726bbfa3c8bee6dcff6f76f2d55d60527c4f0db26b":"595ebd903a596a1f12175080185bd94c2336eb8dd29a387d":"317c19cf4a45b8cf3f645da084ada54d1b1f81379152424fddad22a6dc9bd22841e0c4c5a36bfb7879eafbd1a939121905a938ae034c7fc01afb56607e35f895f46f13e91ce4e8e75b6a87a1e5544e18eb194fd6754b06885ac05e332a05ed436e889965e405e0f2069b04b40ea0f635"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"8af8930562510231a592a72587fa6ad7c234e133046965907642fbc785c0b86cba844f0f":"":"9ee7b221064966582dc836437b82386f5204a302a4179079":"473d917f5b66f0f6e3fb4670ba08c2cbd2ea765b46b10838":"5c2fc9cc7148dbe40a692b3636778eb80188949d198bba3e8355386b78b54bfb963f5f2d9202988da20ccbf336a7c737a66c90149b9e8e306477151c4d912f7c61e872de0d0e47701cbe765864de536d599946b8bd65e4d89d4e61deb53de9974fbbe634501800feea100fea573e2e50"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"2b9554ecf94c7d647a4e117f43326cab54466eba56a09a52741b2445057c491935c067d2":"":"0144be6978dba85aa645d793c1881dc2deb1bd210811ec9e":"1cd265f3812568274b643954c70923a76dfcc9f123360111":"f7459b0c23966dc1a53e0c6406c9e78ebe728e3484224cd88b6b2ea554522e75eb4a1c8a3fdc66561426464f50b8d0ff95b266677d91776b344a820eb4fd7d554678300558011a7cd85d22e92dc8ec2c2fa15c6330ba157c3e71728304447c1ad4d64f3da4fbf26d92e1e7c58a1b289c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"335ede8603fcde78ea9869da2dbcab4a6e72f1b53439f3085d06b856e627411a9ce1c297":"":"ededc73fe268935c10832c463549f8204a29cf0fe00a4d87":"ef1b8a80dd49d2c263999ddc0d5a1d9205c1b1c66239fd80":"05bfe97c398b1e33ee1c547c0edb5b654b7060b76604195440d06dd2f614a398c6c43f1803893c4c8888bedecdf998367cf992301a25f24c263f5d36bbfc6fe8b839cad293b3617c1d2c60a814bda0359e3f717fa80fc7324af8827d438c88642754b39b10d18cf5bf42f11177a0bc6b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"9b0275d861117553ecd3c4d7cfe762f88df22c4c4190dac8e0be5872818e2dd765261d58":"":"cfc0b07082d514425b17ce3cb334ec62bc1b3be0be58ca4b":"d3c70ab5ff7a364a9e6dc75132ac67e0d373fa2df301afb5":"09fb41bcceb016e754795e1cce582f0cae91d7bb50245975eb75274819e1e4dcdfbc5e2f13fd26b9a9f9e945cd807ffec4e275681ea7bd33eae13efd8a01edbe02562e77b44b6312f416c3dd0be64f2bae0ba4b9bb36fc3a44841d21d8b3571c0ef644d88cf3cc3c851b256a15f4d716"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"1981c3f9ca58fd10e8377a8d0eb3cf02102aab6f7a033af3135533d9fd850e29ecb8dc9b":"":"f9978ba41df22894ad5f3849c1bdf21f7bbc0128c782e79b":"b4d57de5e18d393273ee9f3ef9736599c6d639f437239219":"fee23db2fcc71624fb39f573e33a1490efc7230c27e9278188251634f9c045bcb26e79ece6a173491475ae44a957c4269570f5469234ca8b6873cc973c8d97178c58cec658a352bad0d4c6001cae5664258db59ad76eb6304d166267eafb46f4dd536a914fa6d1ac58317e7c557d4653"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"c10d4e521350f7cd1853576d03c4bece3e58c8c740859e4e16979499ec1365fc073736a3":"":"78b245520153baacc66846e7a83a2a925f892d4c2ee63c0f":"c8ca7a33de5991d44d7ef7da2d3368cc2cdb93895c394d41":"f92c15f5833800b28dba2d134d4dcfc41abf72f5a700469551e8ccb83bdb0772d14d6b26ba6978169e3ddbe5f214d57930dfcad719bf10d306749246d2624bedd4a18d327b8ae6bee67cf0bfb5f649824bbd0440f042146b95a83e5845ced69a55ba055d5dfc7183c3bb28d61312d274"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"7608b5617785995a1f7144ee5229e4f9c138e418bcc3b5e061a422e8cf875f58650e996d":"":"961c2d33039e60a2871e1f5b82097f6b1cb03836dba5f440":"b18cb52d3858ac5bf59f216a28c0ad49f3dc88c67b5870e0":"4b0313ae873ce5ebf08aec160416492e4c4c797a5017061ea42aefa0685ab19b74a7af11f019b9fb63072b797f7ea3354efd32c4abd1e866405a319ed2fa13fc81019d61326e70e503141b9c77b4879a45e9f36f101dbfff4359147282ef814888fee81640def25f551cee41d12609aa"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"fef7a43fea2ff1a0f624086985e535778d7a73dbc47bc23e9da92edd5d2f273cdbbc0251":"":"836731a57497a69e31f8db4f729774ad65f31d968dbc55a8":"bcca96d808ba98bb50e90afe58fc88e95dc14c3e90c56004":"4f2c64ecd146689064fbf4fcffce2a2ab3910e72ec4faec277f7b9e9ed510381312b01f21650e175ebe9c45c11e977276f13be015243a0cd16a191abbac6462ba96e4e4a1120b28083da933419e8c8f03099906eb1ee012ae291104c6530f51b5e32e6631cab8ef5aad68c0045255ba9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"00197c70b2f0d3e98e4b387ec42a65c4106a1689ab5de61101ee76f4b5e530e7efeaf964":"":"03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1":"5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6":"72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"c5c89c26ac4ca8b1106ba90a8ef4d6d687dfd88743caa5fbafa4745d9c1f8371120b10c8":"":"d3483ae5f9ed97efd3f852e4a6f20f25c947a03f39a4b75c":"2cd523c5958cdf403caa61abe5c4739cdb9d40152f0e769a":"1fef4e6abc2778d1c3e3ce00fdb5eae1ebebdd5cff0a7087644c8565d1e8b876b2c05264ca81498468851fc7b9e5a2163a06f377d2ed754c095adc59dc015a77edd69e4eecbe48d9dc127eedfff5cc73ae38127ae3a518fe7fa5abd1a9c53eeaf144420873341e2efa3d81493c69b04e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"6860e44bf582db9818ffbe4c699d4218965c29f463d7a02fe1f36c8442b0a5d103def7a2":"":"e9f598357109e2a532dc980388b8a5991256166d67c3bc01":"58ebbf7402be041724701e5c0132abe604c11a62a9de1d2f":"52fad34b27113c146595a6740f505bc2d3edf6618975cb9c4a5155788eaf08b96d232610d9b4ee06264fd92f319df5a52b8f9e31b016a6c21d27d31d9d42bbb7588a7142f26ece3ddf211c8cf4530947adee302aa71c0d7fe9060c1b25f1c1f2e053598a7fb72c4db55fb1b02352d60a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"27b9f78ae07821f2b5625c8fc3a03ceec4fc8062be860c2db20403dd88a8751dcad56158":"":"1b6c848fce706abd73612dd3fd421c1c7ce9f4c2d0ecc670":"14a43645c1b6ae394f795af6ca2e9084e7e707f3f2cedd7a":"33c592017af545b3a9cf3419ce1c604e9c7c687ebf6418fbef47ec96e61f1951068eec9b60005d24574313f04ffc16c30872ec83e41e248e3d5c6951930d6a88b8931d5502d1142ce50676b3adf48453d1a008189658db8511d19a06ac97b4d5cfac19b54e8e6b899d501715f401ef85"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"8d7cf5c2e360ef755c1e9f5b7a44a1e29f09cee7ca44e15925ffe9a47b2d55fd7750b356":"":"0e691c9a435939c615f0686eae88e090ba5c4b3f5e6e00c0":"1e3a452295617e5a9e6f78256d2781feeb3812753b4aad9a":"a307569d8adf3f7e6ee4567a5b2bd338badb9234e7b27c92429ffa75e4c56c0529fdc6c15df5d47c46e3d2eeadcf1b9e93a5dd6cde99a82f04b0d97f7a3bfd05c0e1d8370987222310ab18c980ce48b2679361c3d9011dd355a9b06337c054ee37913d5f4dd30d1fc942cd733a0fa5f8"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"1a0d2c734918c539c1b306a464eb6b54f92e958e8636032aec23ba8ae817bec48384461f":"":"b8ad9e613a891fd0db89571fddda77827382e406cd3cdf7e":"1e172a708aa4ffa3618ff0d7b1f9ba341f4811507851dfb4":"674df1f3095d6c87bc54dd9b2aaa2c786bd50e4ddc02493745d820dad8552131fb3e389e99b0709478b65d4268f2a3b468a8447dc572a6ee024be6be9be9d428c12cc92894d15dd1c959d6222dc9ec30478c7a0b57f5bd8bd53868b98d7674738b54cf74100ae215693babb6db3b3890"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"95a30a0ca779a4038ea920cccfa4cdd814ca17d560d53a75cf170f4712994f9bcb2efb74":"":"1da6c8726bbfa3c8bee6dcff6f76f2d55d60527c4f0db26b":"595ebd903a596a1f12175080185bd94c2336eb8dd29a387d":"317c19cf4a45b8cf3f645da084ada54d1b1f81379152424fddad22a6dc9bd22841e0c4c5a36bfb7879eafbd1a939121905a938ae034c7fc01afb56607e35f895f46f13e91ce4e8e75b6a87a1e5544e18eb194fd6754b06885ac05e332a05ed436e889965e405e0f2069b04b40ea0f635"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"8af8930562510231a592a72587fa6ad7c234e133046965907642fbc785c0b86cba844f0f":"":"9ee7b221064966582dc836437b82386f5204a302a4179079":"473d917f5b66f0f6e3fb4670ba08c2cbd2ea765b46b10838":"5c2fc9cc7148dbe40a692b3636778eb80188949d198bba3e8355386b78b54bfb963f5f2d9202988da20ccbf336a7c737a66c90149b9e8e306477151c4d912f7c61e872de0d0e47701cbe765864de536d599946b8bd65e4d89d4e61deb53de9974fbbe634501800feea100fea573e2e50"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"2b9554ecf94c7d647a4e117f43326cab54466eba56a09a52741b2445057c491935c067d2":"":"0144be6978dba85aa645d793c1881dc2deb1bd210811ec9e":"1cd265f3812568274b643954c70923a76dfcc9f123360111":"f7459b0c23966dc1a53e0c6406c9e78ebe728e3484224cd88b6b2ea554522e75eb4a1c8a3fdc66561426464f50b8d0ff95b266677d91776b344a820eb4fd7d554678300558011a7cd85d22e92dc8ec2c2fa15c6330ba157c3e71728304447c1ad4d64f3da4fbf26d92e1e7c58a1b289c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"335ede8603fcde78ea9869da2dbcab4a6e72f1b53439f3085d06b856e627411a9ce1c297":"":"ededc73fe268935c10832c463549f8204a29cf0fe00a4d87":"ef1b8a80dd49d2c263999ddc0d5a1d9205c1b1c66239fd80":"05bfe97c398b1e33ee1c547c0edb5b654b7060b76604195440d06dd2f614a398c6c43f1803893c4c8888bedecdf998367cf992301a25f24c263f5d36bbfc6fe8b839cad293b3617c1d2c60a814bda0359e3f717fa80fc7324af8827d438c88642754b39b10d18cf5bf42f11177a0bc6b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"9b0275d861117553ecd3c4d7cfe762f88df22c4c4190dac8e0be5872818e2dd765261d58":"":"cfc0b07082d514425b17ce3cb334ec62bc1b3be0be58ca4b":"d3c70ab5ff7a364a9e6dc75132ac67e0d373fa2df301afb5":"09fb41bcceb016e754795e1cce582f0cae91d7bb50245975eb75274819e1e4dcdfbc5e2f13fd26b9a9f9e945cd807ffec4e275681ea7bd33eae13efd8a01edbe02562e77b44b6312f416c3dd0be64f2bae0ba4b9bb36fc3a44841d21d8b3571c0ef644d88cf3cc3c851b256a15f4d716"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"1981c3f9ca58fd10e8377a8d0eb3cf02102aab6f7a033af3135533d9fd850e29ecb8dc9b":"":"f9978ba41df22894ad5f3849c1bdf21f7bbc0128c782e79b":"b4d57de5e18d393273ee9f3ef9736599c6d639f437239219":"fee23db2fcc71624fb39f573e33a1490efc7230c27e9278188251634f9c045bcb26e79ece6a173491475ae44a957c4269570f5469234ca8b6873cc973c8d97178c58cec658a352bad0d4c6001cae5664258db59ad76eb6304d166267eafb46f4dd536a914fa6d1ac58317e7c557d4653"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"c10d4e521350f7cd1853576d03c4bece3e58c8c740859e4e16979499ec1365fc073736a3":"":"78b245520153baacc66846e7a83a2a925f892d4c2ee63c0f":"c8ca7a33de5991d44d7ef7da2d3368cc2cdb93895c394d41":"f92c15f5833800b28dba2d134d4dcfc41abf72f5a700469551e8ccb83bdb0772d14d6b26ba6978169e3ddbe5f214d57930dfcad719bf10d306749246d2624bedd4a18d327b8ae6bee67cf0bfb5f649824bbd0440f042146b95a83e5845ced69a55ba055d5dfc7183c3bb28d61312d274"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"7608b5617785995a1f7144ee5229e4f9c138e418bcc3b5e061a422e8cf875f58650e996d":"":"961c2d33039e60a2871e1f5b82097f6b1cb03836dba5f440":"b18cb52d3858ac5bf59f216a28c0ad49f3dc88c67b5870e0":"4b0313ae873ce5ebf08aec160416492e4c4c797a5017061ea42aefa0685ab19b74a7af11f019b9fb63072b797f7ea3354efd32c4abd1e866405a319ed2fa13fc81019d61326e70e503141b9c77b4879a45e9f36f101dbfff4359147282ef814888fee81640def25f551cee41d12609aa"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"fef7a43fea2ff1a0f624086985e535778d7a73dbc47bc23e9da92edd5d2f273cdbbc0251":"":"836731a57497a69e31f8db4f729774ad65f31d968dbc55a8":"bcca96d808ba98bb50e90afe58fc88e95dc14c3e90c56004":"4f2c64ecd146689064fbf4fcffce2a2ab3910e72ec4faec277f7b9e9ed510381312b01f21650e175ebe9c45c11e977276f13be015243a0cd16a191abbac6462ba96e4e4a1120b28083da933419e8c8f03099906eb1ee012ae291104c6530f51b5e32e6631cab8ef5aad68c0045255ba9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,0,192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"00197c70b2f0d3e98e4b387ec42a65c4106a1689ab5de61101ee76f4b5e530e7efeaf964":"":"03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1":"5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6":"72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"e4547261c9dda6bafe9fddf435a80ebc96354c7c2c8847c5d26c6e73a967bfc4ebaf8613":"42849dc8eec611eaa49252067fa60d7d7267d711dc35b576":"815f50fc233f157f96ad0627c355bce407b269dca91af661":"775a1c9da6f58d4eb95b27935ecc01dde31ff17ce2e4e65d":"25adb777523a80a6dbb6ac1fd08e02bfc4b4686cec5efe3ae9aa2d4469eae8c9c3693fdc8e0fc107720b7789ef7331e23fe3799412ec86857ffbba515a5af4d91013b2f17669421c822005b4747942790a11a24c4974f27d54de69727b0ed507b6a48a9d6c53f93e2f3d33df73dd643f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"06d677001d9b3c97fda4d09778aee3de131b4123696b109f81bb6b0d7fbcab3c5842bb83":"f99638d2d4365b662cd83ab4e6a7bbb624e6c72b7b38e81b":"20b7d56f6222bafeeeee59dbca1933d8086218891f3a9bfe":"9de4f2847fe239cb1a3df4b8ff64c25d7b0870f3c9ebe3a3":"e18ff19837ce21e68944659321311b8584dd515ed8a6a1f2b0ac06e69009c3d0cf0489af876201efad962cfd1ba54f540b94131d788d3fea797c4bc079593bc7932baa70abb145a355741a98c584f0fa3298b8310b01e1a6debf5359d7d02b1a6c663100acb56975450bec20e91b736b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"abd38c0465cdfe018f36ffbb7a0ee51d67675ab4f0f1d1e93418bb4cdf6499a371af4d3a":"9a07d5571d841e3c1a9eb3fb48cde3b3e080e1c2e0db6a6d":"a392f79022aebbec0c82b981293627d139dfb5232eb490b4":"f5ce1f6b1e6715c49bea42ff439fdecd9b3b7f2e578133cc":"885c54ad25992fc38260498d6f4d8c73d6159af5f7efef06174da03afcd8384cb28690fd9ded1d26e2dff74aee4dd0c47a0d99c6fc1ec8d8faccbdcf6fdb12a528564ad0d8131bcf5222d7e6c69c52da1acba01b721c98ac5a33725111f12f6d8100009d7cc9efb7ad8d7d95ea4e620d"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"b52620e58e0b52b8eed0d6a6c5f4ff6c1483c61fc41dacf72bf475b37d068d061d1edcea":"ef0d233de00d24622b7d4ff4215aa720787fe80aaeb65d7a":"81b735acd3dcb13e65231c2d980fb40ca850370581f230d2":"b2302d024d92cdaed4b12f79b0aeb20c98b2321710fefab2":"ae94204670196baf740768f97b3a095134b384afea667fd90a77a16c8ae390a732ff49a3073a27db0f7a2c8ad5d7cb527d334a37abf0472f292a20f2a28e667d7c9e9f7b8fbdd177f36bf92d66223aee3f712b6c9b064e07ab96f6a77613ea55008fb4f8fbcb2f1ccbb0da75316c1faa"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"2592a5ed86ff64b9b4c1fbb81222d1bfbc53f3a639571ecc356084058b8855237da15c50":"a626c51ec99e72431485d2ba027ed9cabcae7b86116abe4f":"c430876552d28776570923c6b74e42c3210f01104006bf11":"fe2ebc239690a4eb18a0b5e75d08831cc2eb07c982c63973":"005045ade7cc15467b5ea784649d9804540a842ffba4db8d44df4f44c69480bd4fe965b645aed09d62190daeb2693a2192aec3d71453a8218e4700201ab922ac35d241d95150b47cc7a051897be4d958f2da5c2ebbfceb1c550cb67b32ff83ce4fd845fd826a0d2469b506f5158765fa"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"376785f5ff8a82ceb0aaeb010533cc1089059ec583c302b14bc47e2cb8c2711839ce7f68":"6d345e248339e893f75696c039ac47e5678696fd489a393c":"b0f3fa1131c3fdd5c7fd2de93931e45a66fa030422ac65db":"c66341e3f9fb82e3ba85f229fcb7d34457e4a6ba8396b548":"b92d17e1be94b0385a8cc3e16189811fef7b284a1b0b6b2520fde79af7826c745e746486a70cd8dd9930b163da75f7eea7c216e758d9ed6c745dcd7bde19bb9382c1f7c37cd15b703b884d7d452c255b25048a836844c5ff28aaacf733a52c28904b36e1b51729d7aed81d601c0872dd"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"2cc2557582c5a90cd2ad0c4a5578eb0bbc9bde41b126e46d8e9c3563341ba238414eb628":"9d2fbb9153e3ffefae0770c79de10db069a5ff9f50e31787":"2e54e32539e27ef76ac1eeae2e30c2385647652e20903b39":"1f4e01255908c3c8049521f8972c01ede7dc76c425c59640":"7d6ccdfab33f322898c470be02d8257e0e952dd10f407b3a8eaeeba47c541d968d79eca29e15541c1505fe4f19a41797c9ca2280c06261fe9d0c58bab65d16f5794b57566b8795c38c7b43d4761c8fd107beb95147a0fe61ae8dc31e25eb2957e44c0463ca7c1b589ea587f0cae1428c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"e670f896326b76034e43cd85f6f6f11fe6582d3471a8eb88d37a2302de010aac0e556860":"5e218091abee1960ef81f4d5a80415e388bd0cc79bed70cf":"7cf84b9ff30dbd0f608fb21646d7c5b542fba50adb38d5df":"c1c4aabe7616a4c97a4dbdadb08a9b63c6e10cef8d463fd8":"d8fbd557fccf31829b5ee11b05d0353e725bff15fdaac94d21ce95d40eff55edd852b264b515ec6384e2d28d014e47a2df0d4f56a4ec79309b06affc62915e231d62d02bfc60220c72b7ca7ba5671f882839b791ef534e707a04e5274c1011f7941fe1075a5d06a47af9fb2f65c1f211"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"0576bb2d4c663b781193509251e2f76b0a8bb792e79449600c2c154feb70cf33ca942508":"ad15e4fce9f4dea43c12ff9f9d50c963b335a01332541154":"3c8a4d6ab96cebf9d02b5663dcb0e0db23699623455cd4b5":"43d2d3a8d023fa1785ce4781a15eb20ad787685a47da08f0":"a68e648cb07da2eb795a8c898c8631e565f33c2fe9c35e686d6f85fef145446cb79bb6d17bdc8224bfe437468a9630ed03c517caf1226c278ae510c869d67d50b6bf1cb378a34035041f290d8dbc123650ab4fbe5cf6074ed0ba90e45d9a8ae08566ea3d3a00ee3741c8ec8f56dcc78c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"f597ce05b9a5b1cf3847bbd4171e5085384cc256f77ac61573b435726cbd538b93de9f55":"573cf859f8fea05f16c6d03cb4e524b91e917f39eeeb1d68":"2a842454870c3f7936f8036b453d219557ca341f261d2519":"7afd8cc269899acd88f5c55af29fb0c4ce678a0d8ebf924f":"8162c16c1ce3d5c6b7c96f0281f4220569a882277935752b86e7d3f54646b276cb77ed96da73799911fca3d19d34c1f0b21068a472afcb77410412eff2abd03c753a009ce02b0e995477546366020294eff0ef0da66f31a413313e2774ca04f09a4d5076e0e85ca97d5bb6faac4c0c27"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"d5b5374fe143035c4fea41667bc8bc7d46000998cc82ab32a0040c705e01f9b354e8f16e":"ed8bb219e67515874c5b9e3f6ae6e4dfa9c42d1e69204e8b":"70f03fe6e78cc34ec1678b2708fcd8ae3300183ea15ccfc7":"9c641d7e73d1a2b819e113747d74a979b74c444ed36b7391":"d50df8e3e17c0f5e19673ba2097d1d0c4cf7a9def7465a5b91ac8d49ae1b6a821fe9efde841ec9064555c0e2d6cdfa41f1089f22a5c27090c5a136660d1af586a1e131a853f19bc3c8f4c79aa09e39c2f22b4456c667ec907e2a4124218665e7cce50399ae1e19ba9c2399f470444839"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"74d7c8c9b170e59e4f128c8df1955838df5c8071a5e85439d71e785c68b37e10efb39c9a":"be3d54203a1078d051519137774d5d851e81be026155eb78":"23f7b6758d79de580ed3eb995fc173da74939837aa8d9eb4":"6f0d5a333ddea0d38362df0dc3ebaa2be2fe5825ddb0ce84":"4462fc32110b25b3797c5cafaad830e8a4346d9270fed98b30f1345a7a8dde19bf5365d6f3788e7f715feb2762af263839c8c8188908c61120743d977d71c51f6324d887bbda380fc07eff09a31c2332e7b1aa1692c59c3379db95fc21cf711c004c4d385fe14f48f2f2a31bcce6aaec"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"eaf27c3f69279fd523c0c3a1da5fc4f01ed64c27ffcfe3c1c596482f5baae1434e8c687c":"b038829fc95dcba8645ce40a306491c893f48139ae30a071":"fbbf7abb8cc2612eeea6d9463efd55c47245e01713332bd6":"ccd7e81f529de1ff4e65fc63d34c262ffde7ee49e6707197":"96dfb7445057633b2f0deb69135d10d0a2dc53faa9cded55ddfb8edc63f5424f8fec7627597a30328177dde7963f76f9e5412b5b440256c6a3f0c7c7fa02ca49e19ea176abac013696e9d529f65e51d4a7348e42dd254bbf19d9632d6c875b8ecd7a4139f1bf020a159d2a30af8d645f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"319cbf2b11b37c831c654b6cec2570dc6d7abeeab185272a518eaef30faa5acf5c8b254d":"9effa141f7466b659eaa50c32c8e683c2640f54027ab6aa5":"63b3acc237588cdf41c0d4bef16c4890cf3d458fcf1de8ea":"573d6a7960aeccc3280a8aee4d72e587e9d196b7b270e329":"8a568086fdd9f01206a5aaee34d253bbc9339112d3170699b9a1392e97062d5d0f16240114dc1789269217c5b4b2974895b20903890f7dacfef46fa4a4d02891c70425ab3b42f53d72f852faf3713ac7b8207dc453279f4df345091b8bfeb54983095c2d190358293ba507bdfdc39b24"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-224,192+96,192,192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_no_reseed:MBEDTLS_MD_SHA224:"56f3f5b08da10ead0c986dd2ae5553e4b2eeeb47ad5d22197b12b89b4a871c51c0d85554":"96c8630a1f4187fb0794601cf51e7e333e71756a0421ff43":"875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe":"4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595":"90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-256,256+128,0,0) #0
@@ -719,243 +719,243 @@ depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_no_reseed:MBEDTLS_MD_SHA256:"3d99f9b7ac3a2fbe9cf15d960bf41f5588fc4db1e0d2a5c9c0fe9059f03593fb411f504bb63a9b3afa7ffa1357bb48be":"0bb5ebd55981a25ba69164da49fa92f2871fd3fc65eb30d0f0d0b8d798a4f8f2":"288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecaed80f30":"d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb":"ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"a1dc2dfeda4f3a1124e0e75ebfbe5f98cac11018221dda3fdcf8f9125d68447abae5ea27166540515268a493a96b5187":"":"":"":"228293e59b1e4545a4ff9f232616fc5108a1128debd0f7c20ace837ca105cbf24c0dac1f9847dafd0d0500721ffad3c684a992d110a549a264d14a8911c50be8cd6a7e8fac783ad95b24f64fd8cc4c8b649eac2b15b363e30df79541a6b8a1caac238949b46643694c85e1d5fcbcd9aaae6260acee660b8a79bea48e079ceb6a5eaf4993a82c3f1b758d7c53e3094eeac63dc255be6dcdcc2b51e5ca45d2b20684a5a8fa5806b96f8461ebf51bc515a7dd8c5475c0e70f2fd0faf7869a99ab6c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"067fa0e25d71ea392671c24f38ef782ab3587a7b3c77ea756f7bd496b445b7a3ce6acc722768ca0e03784b2217bc60e4":"":"":"":"16eaa49510ffad8cc21ec32858640a0d6f34cb03e8649022aa5c3f566b44e8ace7c3b056cf2a44b242de09ae21dba4275418933611875841b4f0944a8272848c5dc1aad685935e12511d5ee27e9162d4bb968afab53c4b338269c1c77da9d78617911ed4390cb20e88bf30b74fda66fe05df5537a759061d3ffd9231d811e8b34213f22ab0b0ddafff7749a40243a901c310776e09d2e529806d4d6f0655178953c16707519c3c19b9aaa0d09fb676a9d23525c8bc388053bfccfbc368e3eb04"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"9f76503e84727297bc7056c7af917a1c98baa725295457db4fcf54ed09af7f15f39c46142b85a67b4b323594b7e97bde":"":"":"":"7d6a8bc5a7f057ceed6109bfac2486f80f81373b6b31d062aa1fad6d9eda5874867b9ef007ba5a92ba8f3fca624bfd9f7ee5770bbeb0391394fef783c16a7f003c06e5469bab03445bb28a2111def415d162e40472d3e5ae628c5c63170bb19f741c79a5331c883c12bca429f518bf71b14683a071b6c6e1e55d8c7a0f3942bc12a103556c49ca173e498b3b4a15027145cdaeb195bc8a7e1aa82ebdf6ecd516481a4d21f400d0d71b5894545888fee8beed80d3251647947f5abc4735b47fd0"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"e242e5b3b49d87289fe02840dc742a2a6cd9490fe2cce581833dddb1edc0d103f987f5de5c68cd345c81b032ea55f36d":"":"":"":"3a858345dfaf00defdf6c83114b760ef53b131fbf14bcc4052cd948820eee78a11cbbd8f4baa308e1d187fced74cbf019c1080d9efffd93fda07df051433876d9900c1f9ad36ea1cb04989bb0c55fd6d01e46923f3bc8887ac00ebd4710212114165355361e240b04232df55a81add3fb363f0d4c9c5e3d313bc7caac7d49dca8517cedacf571fde9686ae93d901fb9b17097a638bb9899cfab0ebc9d1f8a43c2eed7c9f326a711d0f5b9cfc5166c9b561824cbd7775ec601ca712b3ddaaa05b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"42cc17365f5ea5fd22bdc4ade715e293064d6794d82bed5b77c4c107a73de1f76d759e4b191ba01e0ed5dea788ab018d":"":"":"":"de06dee8c8fe453aa03ac2546c39f5cda12412864d52ed5cbd0d4905dd226746d50d1af9fd3e1d90de0f16295cb7f6f4d3271ef00564709df4b05eb9f8adc0f8e8522b05b9f32c37d8526813898b9f71db57fc8328e3b79144482e8aa55c83934d6e097e43ec6d0bc32edaf8c0e6ca449b2e8388b32b286e2d4f85266b0605fb99d1a647565c95ff7857bcab73662b7218719189d792514edca2b1d0cdcd9b6347e132ef4c323da24ad5afd5ed6f96d27b0f879288e962fa0baca3d5b72b5c70"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"d57024a230b825b241c206f7b55e2114461ecc9b75353f12ac1d9ad7e7871481fe401c320f74afdb07f566ea500b0628":"":"":"":"e8930bd55a0a5a6d83a9b3b2cde7085c2ae467ea4a2e65ca303697d492ca878bcb801769eb1b7ec564586ec8b36d350e192c4fbf03a98be0ddecf56d465914ba353ed7734d19a680fc4593d9234c4ac8c23b7dfa1e26b013f590cca43b9fef126121b4842496b11dea3ef5e981cb357341f03f92a546a62609236ded6f7d814456acc0596d555cbdc02cbd47dae2caa1897831ea464225922c6600a8bb92e711653067f83b21e1df054309858948c11a1399736fc8391c5b0fc35629abfa5650"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"059ded79125b2d56d9d52bcc950bf608d1a2373515dafcc81efb6588005a5722d8f5f4181f9f2a316c93fdfbadf50e75":"":"":"":"db65d2000632c3d7009c227e99c210e5897f4d7edae608a242b5a4f17708613f8c19a4dd65d6bc3ca57737c9bfdcca068288eea49440af768d1fc977c32b065bb71aa3d8c4d77c9e8e8a6166f332a247978a6c41ed253a1b68ad934a3416b40344a681de28638f00b0a0ffb75514c3f62253372f809906043de35e4805b8e962e5eb957f04212835f802b2c0b3e76c7cf239c89adf31909cd6224d542d929f9b20a10ab99a7c631e4e6188fe2ba8f552c9c88fdadb528679fe950431641b8f37"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"4630406b475b1263b6078e93e5d4282205958d94eb97d1e66b429fb69ec9fccd0dd9982c338df935e929c42fab66adaf":"":"":"":"5d80ec072f550981bcaac6787c0488cc470406249ec80f4bf11050630227f8b5ac6b3b369db237d7c24a0980dffe8d3abd9b64fd4efa492349bd4eb6902edb94553546110227d7de5a864ddae8b9fed8de9f0df9c596e39de903fda323ee6f788831452eb9e49c5eef3e058b5bf84f61f735a93e042bb9e458df6b25f42a6eb8fb03d437cfab757fab4990c721a757eaa5e9048208abbcce6e52f177b20dcf52f1fa551a92b68bcdb01680855b8f79131266378cd1f0c2a4141c9675f01d1e48"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"6ea9c6f784f12a9707ceac8a7162ee5381dc893ee139f8f4b4d93db266829db4ae92bc52ff860d8ecdc9fc16bd070130":"":"":"":"234366f1591cfe244956f9496cdf446e0d390ba64beaa066945b1b4c5337dded2619dd2bd0133a5d612bab7c251ab79e3951cb134894c422553fc8cc7b3ccb29c20adbf52dda35af779142d7efc735342db2ee067649fda25f3e8a74f8e4f6620cf5a17cb943602609cafb85bdf482873efa4c74928cc0d69444b72aa6bc72694a3a21c6a721aa4e0fccab0a98aef375a37a3e8a15dccad13b6d70b3483581004642d879804aa00cba207b51affca43490bb98f67953265574366ec3829e67aa"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"5c13056be92a7f71236fcfef460298acc8595dd474310727f5ccb9a7acb2254ac7226f86349e20e2aca737068ab0f2ce":"":"":"":"16d415eddefa4dc295a64adcbbcb8c6fe8c8f123c6b09dc08a56d723cff5978cc120fd0a68a2f4c202c220db372d3128ef52385d5786c12dfc6e60ecfc3461a09fa80453e2b1b6365eaeb4df602d192aacb25ab6b4a59689d4bf8d1c4c42a32779f62b06baca6461f154cf40901f5787c1aa2bf67cbfe7546ef5b2bdff20790d8c72d077d48c59c92d1af90a90ccfcdf643dd9d6cee0b1faf5f2f35cfd01d2077ced5e2d013ec1e09336dfab9d9e51ba9a3a2837306213bca2d79abf8dc3282c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"38f08a099fc2d405c32d1e0f867e5450d5ee0d53783c31de9ddeae46d962999da01f13a43320c715612cedb920cf12eb":"":"":"":"079ce7a5b540cae96c2883e95acde3039048a6c45a2d259cc648639e7205392d91fa3ee080e615f1e0741a0e536c9e05844651b93461bfc547fb452fec61f853e1bd6e08eabd0cf1c5f84f85eca9d42b53d1e5bae51be5fd35189e4f1c02b843c6361fccf4ca6648bf30a23ccb8ebc16fcf158746eb39cd96f19d46707c001e11c4e0e8ccbc89fec66c69fc92843b6bb2ee1cc7595b65ba89ccaccd6130a8417faf705e8e203e90ee64ae970c409389b5cd0ca80a4e40b642689741691b20621"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"0863c868c32442a1a64095a71ab6ae2f9e61c119b58dfa4f34efd26593bbbf68bc407904c43300452dd4e61df47fa98f":"":"":"":"585334828cf531828fc7127fee0c926f85b8e71e8522ea921296dc62b83a09a00397cd45e0664d0f26fa24edd3e3d8ecef8fdd77ab22431d4066f0efaf3882c97f179a7060efe9e8cba5d8145bebd502c0e09ee791231d539983c08860d7783edb58440d193ed82bc77c27723381a0da45bb1fc2a609f8b73b90446e39869a5af5038aff603b44db9771113927a5297fdc3450eaa228e313afe43c31b0a95b476c5ca312b4f589f809749481722cea9990c02b647976aa6c6f02ce1e5e6ea6df"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"a41ad223e41e2bb9c131ec945ca310600ab00c51f6e4fcddd803bd9ab9be8af5483373838894d32745a81ba9d6967751":"":"":"":"95ca31a7eeebdd2348cf1d43411d2c35faffdbcaed4052d50cf92f0e9d2e757686b72d631a56ca98b68215e7014cfed943abc1e13441c1d660f13adf2188d0975154e1b42a592a62a43b57f82cc21a428873a92fda83abe420efb5233140e4d6c7852cf81e85961fa5c606c5f33e06077f414b0f814cbbe50cc606bffbd474364e608825fdaaf5e74d862795539be8697e2ce05d71446881e3f65bb54ed95e941586988f6e0c34e1beef426696e9dbd9a214013d826a8c99a2a686d8402c583f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"62a26c1327c0ebf8b40691fb4c8f812e81f5474b0c7db70aa9424110fee3a05e41c0cf2e87210e34d0c6bffc269bf2ba":"":"":"":"6e20a00df1af37e6cc55e580ba21335111eb375395343618df7d630b9dc234496e3964cd45c5de34bda46a28964f6148704c30925feeaecae0574038434cd33c1dd943207a8dbdcd72dc9ecb76a25728b3c2a8ac13c1de3a126d7d43a46e12e0d0ca8991469e582b78ef6aa691b5a0e3e85cba7d7aea3c1e8e031674e85f5af36546eb2a0a28d4ffbaa316a9a6c944fce291cc0c235e8499882eb62b22b548ae07cf9430329e009f4443cb94f7a14e8661166b0d681dcec867205abed48145e9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad98591f9c02a1d205cdbcdf4d93054fde5f5":"":"":"":"f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"5e919d353357671566d2c6ab6e1acd46f47d0c878fe36114d7fea9fecb88a3a27efca9e3d1e1b09d7f16832f3af75141":"":"442f17cb3cb1482a19729bfd58f46f6ef16285554892c01b0718968d6e011082":"f9557c93eb841bfd7b5d4b71da928efcbe3f55e1870493ef90d16eb238380d65":"36902134f1989cfe7eb518a56c06aada98997d9bacd04aee21f879a57b515ca3b5e0c2d5fed05ca1a8b054e8c46b389d9d9186feb0abe8e2e60b3a267281cc5b4b7341116ced35a0e07bc2b0330bbfd8b07f07248fa6d8fc5c9df13445324162bdfa22a91ba71453ab123c92f91c70b8bd540b3b180b11ab45ae2c59e57c7c43dab7576594959a96eb502d182267c86576b1846ccee1a694cabdfb42e0c8214192efb502926fa3c27eed020b7cc8866a5af9d838a57e78bf7acd230e1f4d8361"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"7a5d1efc9b7043060cabd67de7fe22740bcd6a8ceb355d69f118829a2b3c92006a5633e613f8769c1114b1822ffb5408":"":"f2ad962d992434468681c644587639901ff74e2bbdd8761961ec34edc4a0c36d":"75aae0d1bca9484c89fc4de3d1b34275ef0656775f3f8c96f2bbc50401aaa718":"5ca21af4b399db38f8b74a406aace69f994691f2765bb9c47b240000152739e059b163cd007de5f28bba17e485fcf9ff6f41f76e93998510e302282cbdbde09fe8b1a96187e57c9a3df94e2e748f20026476ca682dfa890b478f7a21f4927f74f99aedd9ae782ba10fcda1dc34c31b4f784722e01cc4679737276f56df23c5bd8c6985797b83c0ccde2b4c7a65c652745de7fc8a235ad7ed0f456f1e7568b2dad475f0bc46f02a7f35c05cfef9d0e2c773ff895e291a2cfc2424b106096d8864"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"611586ee40cb3ca4a9238ce112a237449bba5422ac9b18ea53480875334d8fa026da9d96c4e87f94b2f9a7c261be3edb":"":"2f835c336a3aa0019b0bf940c24643bc8fca58c9cfa6509aa9241de9e0e1a046":"1911a59c5f2568860ae71e803688889dc44d14ffb0d93e324c39f32d95c1c3ea":"27bf42f50476d8a2cc23f455e9ef477cb8e9c90f2e97c8a483093ebf55b2aee02e0356cff919e2ec9811b42c73498a6c2b96aa5b761ef7e715cbf66ad2e3ff8a6c92419dbf2e653ce70a87b51e26d9f607eb25b45b91f947d0026a38977143c8bbd94076e663b9cee35505b48e453e7cca83e540975ae8a53f26390aa63aaf1e2669410cc83427eea09428776a2d520eebd170602c52dd491c98042018a0372a0b39cb565cbe5e474f927f91515a6a7444fdbe1d89d8ae2c2482a0deb8ff236d"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"85b1e5da599efd4a20ffcefd4737fa3ea1d2b14be33861c2a4ac3ac2a49d3947b14cf18f4ff426cb6345f1a7653e9630":"":"cf5bbf98d8577077b0b84475dee0f0e9aa95eedd1d916507b5233b688bcc856c":"b333ec111e1e7d78c9ac916e420704832539d2db46aca3bdc4732e8ce72b5e80":"4773d32a9fba37acc6900f3ac70f6978ff1e40039d6e3286c264fb7fc59f1bfe0188c7979380c8922bdd0e363c8e09a49faef59ea85a9f0e400b94c74a8a50687e4e51e25266eabb86276f22628d0d2e19c5696cd221a9b80f94045d001ca4c20dc916ca0ff22c93a41fc822912dd7e247927fd45982e94d3d1fde77cbe78beecba830b753079326ae33274f13fb7cd875e85fb5e9e703e61cbd41bc4ad47d7b4d14afc873a39dd810ad8eed95adff8dce3adb7659b7c1d4e3f62403767940b4"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"50f986f6efb413fba3e8e0beb84d4948c2db0661ab8e064d9fee8b3c2f0a910fc35d37512f88bdfcfde797a21a006e01":"":"37c7b08222ba63f2136bb28f5ec09b9a899b56371615be41bef49a0b640590e4":"4a1e34a5d60ca08e3e6c0f1b86547ba2d12fa293275e7d75f83a0b846daa48df":"e27738c6fae66125fcaf4e725a0881d5a450fb5b02a55057d6cb7babd91d502c4f4a8431a83352f47ea8e5fd7e815f5080d144318a1dcbc755e0b935785cd5397955da22e3ff633b34a64ac72b2e6b7c51e78ff553731e6e8da911d147a6e05b36b74898cac6d3171bc8650e445ffd19ede2aa8218be17671321c186465d852dd80d73290546b88ef7a978b41c4c549e9c7fc6ef86e47084778fb5aed5d41e794ee0e700b77c0314a307b10df69daba605f3fdbe2dec708ba0b20d6b650befbd"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"641dbcbf99b61437c2bf65a13dc3e0324eb940335da123870d9429636dfc82979d0cc913c73e8a6321fc3eb9e973c0aa":"":"72580c11a87ce6b4207908aaf5bcaaa1bd217fce3e8bc0726568c64639b70767":"cf9f4527e074b72be735558dcaa1fc82f26ae286bf944b49649f769bf6faf49f":"345395723d048c2270c0eac990498689bcb862a4996e82995b4e7169e671eb03bb2242c4669c874c1aeaffec58aa653c7d7431abd1650f0cbce8cf5db8316693f3ed501fd9b48c1a44b34f7878aa386d65afc31f94f908a322b03d06c2a1074a03bd2b579cafb0f7cee6d6934588ae1ce9e4ed37b03737c553ca19af4b46b5e43767cee2e459ab91407df6cfd13a6f186abdb148b85a5f49bf92ac6674fb055c7fe123e9355a0d33de281c03a56f91891dd496dabfd6eaa6fff6c9cfb4e67c44"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"b9c305ada943a64a2b00494e869f9a640173eb1c2518dd9be93abc3c93c7e6b5bd0627a199d15f77b188824df00d5997":"":"ffc6760f9af02d35666275c074eda03f53dbcb5690580bb25768a6566b328dfb":"f26f436a820ef71597b75134b8d9dca6e9a6afd9b429222a4c9c878f3b92716e":"e5413a234859511cd837312bb31aac4d31962c5f7f27aec47417f367ca99b8400a4287e60412fc356cb40d96ddf5cb801285ebca42b2f6fe4a711451c1574174c58dccb2cd3342b7092a196ac7d2881a08e7f5de939ccc8f4eedc8f867c81aa88655d96ae50f618279d5009ba2ac4b1df4e63030cc0ec3541b6a94bd9a2ae5d1fcf4d847114a783c997a7c6b9d549010bf7b649abef692cdea3aa8ada14574e0f78b7fcbe17b587ac14980e40264d6de030e429586593d5ce3ae571f95454dcf"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"9875dbf59b760eab9998bf3341847910526d10071dc179f96081dd793a6001936881e7f39075cd382293a1aaa8c845d2":"":"1196583a99afe1d377b344585c8252a0690704b8f7a2b7582387ec91a60fd7e4":"20147a88e0f9f1e8caa8cb14488c9b5c38e5520a36ae913b4703d15af27218dd":"c808f6f296683d26208359a766fe61bc70ee8b6ed9ffb94ce269578fb5568fe2358d603638324b63b29bb36ae71a542e38ee69a2b93ad7e4a887a27a2852cdcd541a5fa6d0c8b087aa1185bd5788256e7d95c2aa2d5c11407b7bf762f416b01d8e747c45298f875200a2e67679d6d5ff7a7c0e50a010690b1920df1baf0afcfaee7ab0862004e23b5aa1ff47b8273d503bd74a54e7b39ac7e6d6fb0a594d30531cab8a67b22783470a65f24faba1c231b3ba45efae9f0be04e2338529cfec008"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"ac92a6c791aba0406d6ea8255c3c0901eb711a424501c2c2c847076d78bdcfc3266b7c3bc578c7501daac6dda8366d4f":"":"13379a77d84a0c4cec95e62ac4c8a98ceede0d89b8bd317352a95300963415ed":"04d47ec89a3e1b7f22580167331225a00ff258da72446241a6c09c517ee4d48c":"c2e6528584c6dbec436ffec4075fd3aebe953fdc0b46b4b225a3c2886e60d21879e6ccce3746d881f6d80e33876afad439ab9f68fcc458492de12811fbd57ac49d868754da19279b4c0a38979201a588884def5677392dec97cafc94bccf8914d9f78575711bb6f2adf4116db91c8b54e36e9ac2f5e01caebd300acd7bd45eada69d20f1b4139013a8a614069315a1c99137a6f23e38f91c210e0c156c6fb498056e823dc41a05348ab43c2f6f4ce188d4e05a13d38f8025731ac1670949a040"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"63954ac7a0f989a458d2b4a6b7013dd66683624584b545060bd03a57b92822ef422764bbbc35fa5d40d34145afe44bec":"":"7b25d875dfb03333cc27b9d4286d00a85ea5921f4b8a4717b957349eb3509053":"8b70d28c5c80086c0cbbd01337ad45297af271d4bafc764b0fc5705700cd419d":"297752e61c4ebc4e1c68391335e2cdb49b0f19dafe359e451f8158fb7958d32a98455a852002d8f05169f438816ae6fccba1eae4d1fdd7a1176b04831d7ce892f711ec825062ea1c6b12144bbd3a0aca7f92520ebb87ac6045d2ac3a4a74fa559926f0daceb59d44fdb39f5fc3b877f34241531e863c153286f3f1b2ba2db4e2c8e2344be40c2a7a8cd01daf168696ce19f83ddb64d50e2313e78c5dfcf077f25e5b4d6f687279119ce856d4131a63ad133cedd020881939bf70f82eabfe46db"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"d0944e0a3f3604a588271c8eb65913ad9b07ee2b29620f8106ca70ec10aeb896bc9b2b519c77fec5fc419e953ceb0be5":"":"d58593f2488f0a292ab552dac006c94b20ff500dd57af32be808921a5ee251c1":"ea9e579c9dca67f07ffd67d2483ec1fac3d2ec22fefff73c7ac9f125888d7a4b":"ae736da6632a7d8bdcc9e279cb7d3f9101a8f7dddeff253277d1d99b45c76a1a5c193334e912c3dfdff1bc389b209c3b29359a4ca53765a1e40cb900c6055d8a285cf63ebec79b46019efe95d5199f215f11961f3319d225bf3d60734fbfbf3593ab105cec2a17e308af469b3220ef7f055675396d289e6f4f8009881c8a2b4e9de88d53ad13e8bed8b38be6d8988f615b4590fde3d91caf50a86eac3fbf29924743145803978d261132b5975a9f108499250314e098e57c56e2f9327307cff8"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"1ef53464bc7a441227a27ea7b5c558dbb3f509aaf880213cdef7e8f6a1d287c173cd5b3148d46c48c83c5cad3ccc1f50":"":"b052a66992fd8a8cb02c593edfe4766fcbcd3505af29d698e1f4db398acf717d":"37333448311c2c6edee19aadb8f1036cb60cff2a945c1a0ea087713bff31e915":"4ea7054659cae1cc178ef431aebb64c2c8dda3a965ea940a84c00d9790e2e3a33521395cc4d49038994aa4c7dcaf0b52b44375d93b625ac2281991a85a5acebf3de552355e17b3528faf39d392fed981400f28540f5ca64a4d2eeb952c88856c8f7388a49611810941b46b1000ee4a8aaaadcd39944c4abca9110fd6580093f9303f86a6e129d56b5aeff5422c2261af33523cc6a174e0782e13a026c003c17430b8371bbfc3d51c3e06fbdc30769a278b109238bbe383cd5523053fe589b72e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"14148d69d583d4c1758c307e0eb0b762511165823fc54096f9da5513e87df53b96a7be8d31b8a38f24a82d846b0e13ef":"":"e05f81f6402c52dff5c221a2f191155bb56abe160ce7dc8a6bedfa029195a612":"214777e3faee7d953b5c796675e106d50cdc12836b3114d14447ae91cea3c1db":"eb0497b32af8a91ed3959c31b079b8cc5c39db3100913332fffbb6b1d5ebbcdc97d6e67c934f3336197c9b730d80995a7d7445e36cf3047cab22895f244cac803eabd001eb1ff5d5645a803c41ea6dde6c972b47de0372ce901667d03e2e02aa0a5aea809e0bdc7430440365908418ce6066c24191ace05d6a797ef9b94409989cacbb9d9ec31f3cf0112b72e1420b47e0c184a8aacc214d55a0d5e0869d09303e4014de0430c07380006ea75984e6c32b06067d7d7b931e2b74666b4b569f71"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"27d47020acc3a80a55149fa0ef43f684843ba89fda4bff1c29d20baa2b21956780569b7fa0c4078d9ff71a3790f1be3f":"":"c03ea0b88e2f9b53f902b22746bf4dde09439c190a7a638e3cb990d86739dbed":"3ef05e71487cdbc209b5ab6e808e55f0a93bcc02df766b01c1c1ae5875b1023e":"3ee49e2a58d800d922cfb66284da84bbb5944c85f194d95f1156b673392132a430e47ae74f1ed7c1d0e632d8cb604c88777437d8f37e7d0428b834555a96800540bf5bce6f430328fd328baf4b22b7f8e663c1d8583bc0119248588840510e11203cf47dfc4f6cdf8344170a341fbb7d93999ba86be3fb94d9c03922fd3d75e3fd5b42365aa62606e352676b2a0c51fb030d8d5605e8ac6bac2b4f8417d8e060148e3d4ba67b31e5e704d866bc87741ba877d12b10e8a9b37f3feca908fe1fc4"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,0,256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"88b6550d49182ca7321d8015f780121223a93343dabaf21978ee2818e7bce6591d32b48eb4642069adcaa5986224e6d3":"":"809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56e70a04":"3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7":"4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"2cd968bacda2bc314d2fb41fe43354fb761134eb19eec60431e2f36755b85126e3dedf2af9382a1e652143e952212d39":"59fa8235108821accbd3c14eaf76856d6a07f43383db4cc6038040b18810d53c":"":"":"06051ce6b2f1c34378e08caf8fe836201ff7ec2db8fc5a2519add2524d90470194b247af3a34a673298e57070b256f59fd098632768e2d55137d6c17b1a53fe45d6ed0e31d49e64820db145014e2f038b69b7220e042a8efc98985706ab9635451230a128aee801d4e3718ff59511c3f3ff1b20f109774a8ddc1fadf41afcc13d40096d997948857a894d0ef8b3235c3213ba85c50c2f3d61b0d104eccfcf36c35fe5e49e7602cb1533de12f0bec613a0ed9633821957e5b7cb32f60b7c02fa4"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"023f5673dac29f62245510d0a866629c43c64bf35a0bad30f1270050876cfb1ce80b615a5a47ecb51217a46079e11fd3":"a6f797b155d6da01f5d155cb7291442e1b82d4190e93e279fe5b4aaa7d04ecc0":"":"":"507b824443af5db28f746229e03ab00c73cc3ee4956aa14b33eda00dd2b9b645c132dab7dcdbc659c8ba0e1a3575fe7dbc7cf9691f9b714acb1b33bef96943003c992f661e04fe9e8b9f648f4af9a58a45b08b8fa7fa3704e6bdc289abbe14a8c7e1747a52ac916c31ed079de0b900672e658a201279824d0d75ae35dbdd43aeab915653765d83e46f347fcb4fe3321fc28abd2d0d26a662661582ce21b6dc4ea6d1b236e9692a83c8ba0fb299157b80623ad4f448d25d57f537b10e5e30f80b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"96b5bc16ce0d101b90d54da6c4b3d85a70ee19d54cf4cde3d048afb5f758a6b52ea2c10c16feb71cedfab9bfa9e462f8":"2ff415e2432d2e6c4279910a5e56c0f5354a5af0099132d891943b4a8901ca6c":"":"":"ecebe717afe6dc08dbff3ed626bb06de0f9784283b70e378dec19d4fbb50e61b7be48ceb69851b2bb94641aec5027d53d314a96500a9bbb38a87c9aa42ebeb96a23cf29a0fbd5e48b399daa1b24dbdc85223f24b7d77332bb1a137ec709d27c008c709696cbe44bb2fc19fb10a2fad4ffd8a9d89492a939f2268d1557f44b6a64e2a57887830fd8bca1b6306aaedbd7f3f476b827995a1ed121388497edc7e639c87d092f6591a45b5647c6c091c15ed39f594b7fc4ae92331f96dd8e17be970"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"364a833a283a3e0b8a5b681daa50df96d806d4b54828f2b016de5d88597e6287d98cba8fda464d21aa1cfb7b26b9b226":"35b0e7534014dc2d7eb0f20ff78a69d5548d0a64122d4936a6ed177fb3ec66a6":"":"":"df4c799cae37173a81c545d019ffa336ef2c039a5865af425e5b60bc3d7202f4bc1aac5a84022bf4088061abd5c39d0fb047ba80163eb5dc8b9dd515948f16915832c6f76b45acc25b9c01e7f70955c0eb51bf50f00b24bb8e7ff53bd7c051b53d8b1a837a17a00355d7eb21e43b2b5b249dadced37d06e7047c2fd12012705a59d051afd26245ce3a59acb4b996b718c7dc1ae964bf12b1db02fd6c06ac2fec6ee5deb02c2c830110e9bbbd3c778a136b646ce2a0738563555a89409c56b81e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"bb4d38c775acdeed663256abb747ec25182bc16efd0de02cb4b05e4ad4749c92be6f1e856e423a8f3bfb0c0f27ad8210":"21591e796b7e68e7913fefbef4872af9c062f21c8023c0dbf47e040c3aed3733":"":"":"12575776e1b9f54b0fbc39e85a77b6912160bace4f1e9f049e3a1c5bcb452cf9be42ea10c028c3cc249401ac236dd3baa53ff327735435f4869d3289bc9465ccf15f826e4e4fff099986bdde0d09bd12e3caddcf452eed6ca1206ae4561b84770a9cc6e962567304ef79d8d3608529a3b5e4067fa83c8c35a06f1855da5f5ea7eb106e4c60181d12ba00cfbf7eac60bda00571d95c45c9d75c43b42e27a238aa5e0f02bbd96cde59a2e572934a99d05c399ffdf15c65f173748734c51999a29e"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"f9d041d24158f480600c3747cbfd868c3f7e9ac7f74b3760eae5320839e4f5130f8477d88b1d914c0d8b375d089a4c83":"b148049f4093f0032c7f105dae219aa9e3f70487ce3a6b6ecd99429f66be5406":"":"":"84c58bf473061da92fa8d56aab3a75598428f18dca504191a51746eb5fcad8f784eafac5ea81d636d579e330baf7db95c8d706432e9f585e84da090c0eb40dcd819bf10e0d5b8600150d186f732af50b431c596c920eca742e6555129fdf5df96b44005083d7a33087b150d63529bee4b6e1ed4189ae2d93cee8dc671d47c0e74ba04218dfe273484a4bb59a57743ea56843d516ff2c72ef9841996d31b0d6c5beef367a6b44cc84cf4d403a06b40406e4c9f47da401e3cf31412694e6164dcb"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"c18f511ffc3479a59357c17c2fb3d1e0e6f0edda4c8b567f2413323c2037f2fd140fb0cf33eb59526d8c0dbd216939b5":"7387aa3b0b3d92afb29761d3d5ea16e32a68297b9ea6751e1d54c8612f6351c1":"":"":"949bf03868563c7d1498c69c327686682656374b2efdef6342e69a388229c580ca2217a9332d3ae77c2d1223f5dedf4b34ec50b79d5baa7283168ed7cbe71c6c3c9193bbe01b76e011c39d2d462017c2c74b7e698fa2140e16886a9ec0fc6c36decbae37537638ccf17777f1cfa49d2c2c7ba3aadd0a1565d61942de94aa6fa16ecafc2dafabc9082f23e75a0e2f8f79d1c0a15ce57fef7655f1a4fc6fc4d4a694bf6ca9e333959f35ad354524f614905c6a52ef8f524cdf01c5fadadf207772"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"6b09295110384eb56726f61474bdc532fdace31ceadb5fc23d587356cfac74338ab6f9d89394b907edb646650865a3fc":"7cafcb4db31ab411c396015b8bbbc990607e08bd1cef3337dfa0e295ae024f9e":"":"":"e51bc5b3a6bb2a2667f5d62c2ff9902dd07b566870b4c14242627da7581449ec985739cdc2bb5ef036033fa798112ce20df06d46d61aad7121b8282fe7556bdd363cdabbf47184e55edd85ee0b7b0be17b9a7f822f4d8906465b525c16385d0899b6c27728ff2a600870aef65f58f9d3777e8987d86e59fdb69cd232e7289fc75cf2174304137f988a17b60c57af84cd8e556aaad458f511fc0b3009516435c0c60098f35fb6a4a90d90bc6071d38000703ef57cbc19d6b78a0f797f3ba044c9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"ec6d0f68240f5c47e822d9088364c6cd03ca53808162b4f06f5956da65290946f4d26653d079e50604f836c1d798243d":"b40b5737cc76c5f6d1df0f13bfbac7e26f92aa933125705b6197d9bedb11f2e1":"":"":"207833cf65599e1406ddaf3452f060c872099cbf7483f1f7f14033490f7258ca5fd7f5339f914498b6e61fa426cb872c880a9fda9b8ba590cd8006b990af7ad412f60c8b2ad969c2f9cb0e9d005943d4dd2dd7af9699046ce89d6405597716d43b9ad54641c2278b04b2bcc5b8ecbcd5e2044e4e6ec5a628605fcbd67249e813bb769d7df01b60404d030e69e9672b4fdeddf82a22042b83ca036578b69f9a0ad9702bcf95fe846705b49b0a0795dfbc4f671e0158ded6242bd8f8fbc2410c46"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"df59ac224e4ba1b6dff348f17bcf9c5a94a3235a54f2799a6cae29d8654b79d18b09b444a28a7d537e1a2bc89e95abd8":"14a0a91e0cfd63ef5fcbe2e8c7a44bcf5769c9f95b6c50bbe9d3b48b82a09053":"":"":"656438e7738d441b9ac116361e9f26adc0e303da7889cf559841b3e44127318edd356051bd0b3ecea78feb2b928227921a0c183c9f56bfd11ef31b28da6c78f3891d8ae1804bc158fa56e8b7a1a46be4954de493ef65a7f9beb46949a323a04e944034db30b19cebd8b70bfc155882ddfaca1bd5acb981c2c1b3e0862c6234d13093ddbcdff15129d586fc24ea2fd20946fe45b467bbbc77a6b6973eb6ea02994607c657eec29e4c4b3915cb730db056babf1779127047b401e25f97f606063b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"8da1ad6810c1d6b7ead210e48f51c370d4520547a330a4d591e61a9847aa043463f69d1b237999fda9b5697f1e7aaa07":"291c536dac72409e31e71cafb1b5f55c14421b2c7a44d792cfdc663dc8f62692":"":"":"c2bff571554c26bbd4442fbb3b0f8eb4db09840337658a7425613e0fd4f96e60da39b250c3a77379a53325a56ec02248c4d67fb9154e3b0eb8972a3109aed531eccc027705b267d2b9c037da79860d76e5e980b5b30b7ea588fa221d24d973f6d4c625de65123e91613a1528cdee59993aa827f319a759412f20aad6c50fa79a3debeb346ad92809470daf228cf344e09f03c839a28d580a2b3d7050685ef51e95649aba7228a2f0c82a2dfd89cae6ce549e8b27fd46f02feb473645765018ef"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"5e8d6571f514519de6c4c0a7cc5b85df616735b8dd09c3bed2377499aaabb296a9b2c94642da10e8fa737cdfb3129334":"6ae29c71b76fc48f14a3d731a0f6f276f73e7672eff631dbb1d22b06463bb236":"":"":"5cadc1264314fb4bc7ed7fa74bfa16aefa624bf2fd60c992d0cba10429c56e0028ebb430b1a1c6662a9b3c7f6de244ca000ae63db9570f1aa3e7ffb1e97a9d848021d8e632fedc037712a29abec4063b9d57c60738f0af0b1aab3844b03f7aacc65d38bec91a11b7c3bf8d970f01e00fed9dbbe9e2e499a21c72a7c5a22864125133ecb073a4c9f6d9fd46024f5c1ee7fa447209afa6ccef1f97ae77ca67fca5959dde209d2597f87af6e154408579cec42c69fa9b7cc075ee3e37ee3d91ad9f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"5c9481b2642855fac8931eccd1bd6c5a05b560a55f96d37e865f057a95812d81fe65c84c96a990eb7a302b58de723cb4":"b6a61b9a31207363d62c0b88f1632290f4f18feb41a6dedb85b7450ff9157016":"":"":"9cc77b68e1ac23fdd2e2a6ff697053f816bb48b39b1162f7aa3fdd2dd1867f68b13980c9e5989d4631b7983248501731326bd7bf6e967b3dee7d2d5625d3cc2e198623af9f77f86103491ebb4aefda5c333b51557b8f643e6d6c593fd7e27e4bccca13140f6129cbd024de076e4688567fd7e41dc7b2bd0bd9b3e966d5d3c461502221b52b001a4d2102894da04172efb900171a0eabab1fd134217580cfc33a0a94edc0bc132af91d048c6f5ea4e34ebc9686a99f81d19118ba4da63ae3df7a"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"c43f883d0adc2b56984d4a497a8ad76813a01df5a0ba22b53144763b65c7bf3f6f722e4ceac59966a6e44ed898e6109b":"769bace2c263edb87101743673724ef67a935e1ae9cace87202b6015d20fd9ca":"":"":"ce61480953190453247d091838dd80117f7f85a7e9a1237c92edf10cfa26b423735788b1e89f33625480d9faae57112ee62c8e4840475a6a738018ad3fd4a77efdd8f15ffb621c429419b6adb20431fd35f9d62fb33d500b87beac4856aa4971eb89710576b609ecfe758f3682dd316e7ee9d6560b444c2446656c8941dca7d6eaa70fdf8a70f18386ee5d4c86738bc261c0e8e5f509dabffd0425a86858ea3c71de5be98570dabd80a37b4f7f954002727c0b712e58693603c23130a45e98df"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"d083f7f8c65374627ddb51582b3a39e2bf074508d5f28ecce25787f386058de8afafaf2ad7e6449308e176be01edbc59":"ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad":"":"":"b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"c2feb900032f2cca98d3f60536f563d8ac9af5fb2e90dba36c371c0a1c58cf5e4a60f2be0fa13b8266b715be8aad128c":"8e6f9be0c692648072d19c750804b10e2ec313c8013abd363de7a467787859f2":"72f54ba3f8e71ad69a040bb8493283acfc8815f17dbcea220ecd68372a2dffae":"adce8157ef60482841dd2ac5ac512bf7649120c1dba81ea75f2a70b7512bb6f3":"e76e4326ac69ddbc6b2408c529b05a96425c65cc65671601191238e9434d2a0147f3a25ce9b6818774f5263c92459bca421d2b492f9a9c2971359baaa1426d6e2c36d8924f39d02ee2fb5502c4e0b206dbe9aeeacd508abe6c055d547b5f9f35de4fdc9c05a2c63ad699a3a7e265598b8f40a8a295d7376b88c49af9edc790b8a5ee221e19877616678e2a5135d7b3756109200439d9ec8bfe0cc5f3c334ca9c022ab9192d5d554dc7ae76af1dc06d814427f46a7cfa2dcc62f4777d07ebde7d"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"ad500edbe28b9a4338b55451b81c652797eb48fba753c186ce0aa9ad02a84ea2c995b7ade6de0fb4ec97bcbd61b711d5":"5770c41832a4cdc4039a8c332a4b45e7a7b2dabb678ccd2e56452aabeab14925":"d8d5516d158b41cb9d66566b88064900af78183f765f2f72a19548fb797377b2":"60a3a01a72e6b3f33a0c236db08237e7d656bdf4bab1db57ae23b7305569dea5":"c5ac3df66bc664e8bf84c758c7926992f0e8a03cd3f3f5fb8277c85b4da526601e8131f9d205f35594e101a86fb83ccf4c1e98c8e609062256701ff2132e337cb7287f0ee2e8fe3ef11ae703d7efe52e63cf89119ced05950c55aae6c822b6b0a8e1b91b537e5bb2de165a4b5b43a1c41fbfd65fff9bc5329d303caca84f5d1fc6acacee622623ed5dde36aeda0816749557c924d6ed26cd80e456fd0ae2146477ccb63a203fe16ac1d0eb2d12b6a2cabb21d412422e95f2df8ccdc23b4ef0dc"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"51a29bac53961792077e88ed3603d33bd1f51b3fdb2b5cd1ea131c6f643af65de81eb2e260396d2a69b4184c4eb98a15":"72e5285b92c4ea4458e8a2159687cd46e7df9c1f4513d8b72cc88be41c2e1522":"16a69f7aee34c567595f3d362ccbdbb7b9e9372c4b1729fbb80d9a089eee31a4":"825197262a43f6523182f0a91005d70b17d81c2bb692edfd02ab988130c7d5b9":"f63f531c242a295d7796c3b4844fc74821af5a53e0e7ae822cd8a7f9de91e6164164f3448fd7d18feafb97c9500e0625d501dcb3927e6fb39ef65dd9586d157076436452bd3066cb30d1f47dc0a3ffa5f2e9ab4e183018b40a82b39b0d170aa21b05600eefea906838b95456e04cf046808030a56951d2502c5eb6271228905ed08549bb171d6c0408d88250785f42e349ce1d9e74a6cd0360a008ec804e7ecdcb4d1fe24aa5a18cbb65f4de1619a29c6062b409a386ea6f43e60adb9ea3dd28"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"b30ff9c6e5b6bd258f1cea0fd5ef9adb81fbec233ff2fab01e79b7422878b2e950604e10ab80ddceb9d2b968d0d37ba9":"e8acd4b380aace0b27572057eaa947e10e6b49516140139c74a1d4f472221dac":"1d2ded0003521e2ba6a4a3e732e0949c1d858fdf0925fedd9cfd7f603e0e692a":"688ac5e7b4400d962c106fd2ce712a1cda6a0b8ac5196ad727f9b882329a3d5a":"c5208fec1d67517311a42bec07782ceb247e9c818e4f5f3bd160c9e53d462b61884feb278cdc8f64e22f59d27dfa98d3a90da8c7c5ba28ca40bd0d18934595a376553d1a8a19de07a83e2e9db42748c982cbcbf4a975c20084ea9cc6c6a41b571faf66b364e4b7e4d32efc80c30b219da1c02a1ea02f6922adbc31a057f999605a2d827f10907835c2bdde4157d7bf2906a0ad27bb72f113c6ec4f23631a2b8517bbce91b560d90d73fbf0699bab21da23e27cfec513bb5e375f50108197d664"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"56715dcbaa4f5bdbd157bdd950d1c1b46c1f4f8d7818ab321d72c0ff3c0a928064b0439f7bf021dcdc7febf2126e5432":"cd5547991b525f7795e075a59af1701375175bd760db99d316b91463f87f7f3c":"b2e4f02f1c14866f538eddab402356ff3b405abbb9154e88b98483a83be70f7c":"b8db321ab30285eee7f9e377ad62def6caada447d00a4ec882081daafe2ec009":"7ed8c2be58e3553eb65508377d63d7f24518d1a7235dd4c740bd987dd8bc1c1e3ca97a69a37dc9a270ad88989e4868e6cf8e4cf01703c0b1eb6aed8c3f8af431d819e68b6947ae134d360d87e33668cdef0e45e11f5cd79329ff95ed00e4a6952750f1574f489394b5fde3c6f07311a1e5d9c4e070a0943ef9d4a130a9e4b0a80c256e96ca5042961766874898ea0f772b78d1a33e866351a4eb425b822b5ad596cf249bce8ccd6dafb334b71a503fce2c8fa3fbac9943910ce5ff02ebbedde8"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"1c60a31760019e6a571e2987e57e19adbc1accf3edd44e501061cbec331b197eb68d0fa8fa5e3071d6f8b7c9c0a3c35d":"d4d84dc7311096791dd9c9d7f2cd291071f877afd86b9644427482d09ac9df64":"6473f4430398d7e5a2d218bd05e6aedac1e317269df3e4705d56c22d6e7abb0f":"379649b56a46399b9ab5f3880e1a73993a58cf52821d3cac87890aa0e6322a94":"d34152fa12fa341d0326a525aa838558630013857747f02634d24e9deec2da12f52fb405e7f1b973dc2d982d26eb2ddb4b49c35a9308b06809171dc990a4248e6da0c329a259f495247b9fa8c73af06604db7b629168e34081696a043977dd29a3c0362d5895f9aac24bcba58dd74078ef6f8d33eac864f2e6cdc479da3d224bad8099d011e914b6ccc3631a7369586e18c71a4087de0d47a7c29a09c12438c7de2d4b47768f47685b742c25b860e716c31e2afe4ce6d92bc2fb9f34400602f9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"eeccce7f7edc52f0e2559250be36526cd1839151a77c59d527f66fa24ea4d86b3fb298c8d72b6a0a8e191b60259d1fc1":"26d35895723ba3d431991a0e6fb2154ae5bff7e58609c926ee3269afc5cd631f":"227b9a71a6c17ecbf627161fc627f8f6f1a28ce39772b7a3d36064e2cc6dc4d5":"eb59f780c5a955e1355dfe15cc4a4e90a6ec75584e63bd0de734399f47b95070":"78ac77657dc56b23e617a9b38168da945c1cf52b6062c2b10f1d7a3814d9b9efa5545da050b0db5a65a2d2d2e02fa12e97eb970fa8e83c524bc809d675e0db35c9762323f327f1edb9b534ce16d02519750b41ebe51f747e9da43fd1afc60e46c7aba72e15cc7a22fad19ed55189f287a14737483eb6b32d966c3e3969d8198f01f2ed841f20d7d2e156d6285a29e07f6d7fff42bd575806c4092522b03e0d1b8df0cc88f5b82d24a7fd0feff6ada03a60ef2541a4ab041a49aa973c7163bf94"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"86f8104a081c9565dea5652f20145a068dadff125debf818262d8931cec6ba937fd5b51affcebee952fb67f29f197267":"c7ba5ff828855e6e78fa1732d63aac1f49701ff7ac1f3506e97941f998b4e9d2":"6917bca15db53a5359e5c4d30ab4d37fc6a1bc660faaf2e74864cb4aa52e0e02":"eea8db0cfc04f8de14d6053442b5b4f8733f822df4be5966a0de8b0f7d2036f6":"562b8b2fa3bb15cfc3f7e57f309e31b13c790c928ad6b32a005f5431c28576c5706c4ac0dc2c7a4435bebfa06571278f485932bd94382efcf727b300b230da9b9e9f377d2659ac75dd8247351d5ed8185effa0f255a2a2136e63717e0265d561a34c75ecee1c774c25e33fd938696825686acf9a419c1da3fa1ce8f695e231087aa0927dde6ab487dc61291ad4700c5c608fab1a418f6b30ff97b8b8f01ef8164287849a77b21be5d11d82d0c19056e07d59a30f6c576705c6cedcb9f22d3a8f"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"0db6f73ab6d31ddf8f78d76961310d68f081c9e6d5985e1883978c2dec48d9f58875ab658b3a8b795bf464af9470a90c":"d886936ad36549a10b5dc5d6e21203abd75ad63f826794b4adaad45a70424c5f":"76993d3bcc32546430efa30e3b30acc34c7672b6e18c7e2e9a1f1cc26f7f7a22":"54c72cf3457e6f5f6b35dc14167fee9383c44c867f233ec9d81f187bce438c0f":"c3523894d273c85d605d39f5b89e3388afad8c20787897b903d8db7e3de7590340174be3abd7598daba7806ab934e0feca02bbe66282d469ec01476bad5ccba59fc14cd9549bf4af49641f4326b1052b179c89194d21bec0501c97ef2c24aaf045fd348b765910fe92c0039612e37baad2445b57d9db6c1e550adf6688a79b117f6b7a37e0209d89f194a1bfe1ff2e3b28f0454b383af8872f32322bd5313a3c9ca48d33eab7c3807bb98f8f402c43b99b2176f0b33be08c7e84c86b26e971ab"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"3b1ffbfae6ec54a175a80a33c8768fb60f2af9ee2b8620c4e800a17fb9241ae47f77da414f67b5d7b24dd100355d2afb":"0d50cf61e2020a909ba6e36ba4d0a394579d3e4377cd4bf0068967e8d0fe7a78":"5d4efb3f6e6503c5d85a1c43398d0441ce8aefafaabe2f6d86988a24e033f502":"cfb6156a1b139abf21c73001240997ee1a8cad91a4bd777c0372c1e8fcfd3fac":"d3ef776c8d77fcc5e947bf53e0be11777e69c7dce138f24c1a3212d1b6b932580371479b7619fc82f029d92969628f810b54a8fdab8eba799e750945f3545f6a96226bc760ad736101516efff5d8581f5864b38c29885d39843a4adca17046e1e388c890542988797b576da64804eb4101638328d3f8bfa398ffaf83cb7290a2cfd39ead13290ae773a8958b33914ca02c8ff6a069aa25ac8b36f6f0f1dcd8f1c5fc838083a64ae7ae11b85be3a9fa80ed83949b622002e91776273fa32d6cfd"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"19767ce1f18aea366539642fad400a03a675b2f3c0b1cfd49925e535b2c2779043c5a1c57ef550acae733729516aa62e":"6bfa882c1e895eeffbb85578182653c022a4703091529780c075cd482809b990":"11236df1dca3de6e3e3a57d2741d1b77f15f45b05beb47cc500100b31188a42d":"98708a88fafae56c4f6fa780c6c0e33ca8f2592983b5ae607146cd6e92204416":"b6514a3779dcef2c9ea0ed7ddfa808d045c5907314c358302ca32b2055987a38ef601637cdcf77b1b8f7eac479f8f18972013c2e1a6dfe612e8a586dc529ece486505534c0ff3dc0b2049a0e46d7ac504a1fdfaa9b08d9fa017c5803415fa391ba7eeb576fd6ddba4404feb46e7cde56e090dd280be5edba7d6df9c5ba7d3454bcbd4d443b08fb51a117c1d5916f225dcd6c1c3fe2b2880f4d42962befe3ab76bdc086e29381dd985206e3e00ce722c9c040af5ff4cd4a8183b446d91b310845"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"f63292bab50668eb14b83975422a0c853fe55714a9edf9d8a817ba0b2f26ec40063a86ee3c79c694273342a02f68ecd0":"3c525956838e26b77b8cfc37f024ec398ed825076dbb749cf49a7d868c201e6d":"d9a41b47c3bf8743099dc8fd228f77dff01ae304761eaf57d751e11cf094bef1":"b790c37dbda20fbeafe9d1339a1151144253bdfbffe17ba87240eae49c606bf3":"3586b63315020b3ba1121314a0fa6c66d57de0ec44abeef7b7325e960832b7944cb0a81a747ee5c5d3163001536d3e5ad2ec869b0e5ceb14aee2e6915073619528c1421b59b80254dfc3cab0584898b0bca72c76ae25f52b7405b9dad38cb2b841e1d6a34fc5b277129db49928b2f6c0dd22900ee786ec128164ed12eb324b502499f1c5c89be2101901476b39c56034cc293e320e63a3e019186d4eaf9a098136e8c0ce7f6326f84ec95992dde2585ad3945a9534aa2954b8c15a48e3324d76"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"3df74683f298ba48648714e384989145c1b84246736dc275636809d64c75ff603056e703c435eacf21c0bb152d9fc2a0":"371217ca2337db03c4d06714624fa11f90d5dc575bdbe12a457c610be066dc2b":"f26b9cac8df57a33e4b5868c36f2b9322994a98269dcbd7956b93d147dd0aa27":"0a6db86c3abdc39878045b8fc2d5f0f77a8e298efdacb4cb9f74762fc23b96fc":"ff5252b7a39460a73094b9d668b53d1932243caa885c0ecd850612fdbe7e46cb275d079bb75a6b050191282ccb11ef255d52cb763618c4b624560d79bb9a5bc99319783de43c152e7aa7c4cd879a75869285320a9b749c897bf07220cc1bef1edc494bffa6ab93dcf839dc15f6f2e508b9e216e2a1786b75abfb01bb7bdeda722b47af895f551670f9562d9f9b78e98ee7ea5c5ca4f836af5bf153925b2aec055eee8164edf3f7b72e24b1203cfae1834705f74cac8c6043a3c2abf6bdf28fc9"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"53d70692f0f4dbda23d78660f0f08c7e70ca94441f1440348f76108874d13ea14652725abd1a94d315364416c90e662a":"6deee916ad660811cf05b5652f32df4e97f544ebb57762617359159cc9a425c2":"acda427eea1c8c6791be6e4d2b60be30302abc84d5c5a13be7d510004b8710c9":"d27d7f598a14205c45788665cd062135b6b65547d3188959e38ab675401d2b62":"f77f9de60e95da3f1d0d67b5dde29b31df59ce980ebdbad7b5e0a0051fee39e1d6fc4311f21efa016039bb05f3b009b223be6f2c007b468388a8a19bb468c7b82cc93dab3e160b2b72fda1240fcceea01c2638e9c8bd2d1ed9ff9b55bf69fba4b6ae8e694c150896ac6233b75567993f9a9adf25ca0f0835b9991ff4b8d3f4f1a3e4c5f9866d98b7a75196804f996492a61dbab5bf72f87658e2300a1b0777ef7f43ffe8962f6b6708d2d91dcdf6b430cfaacb3289f74cb0f67370bcc9af249c"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-384,256+128,256,256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_no_reseed:MBEDTLS_MD_SHA384:"85186650694f742c3f5f228f943788f05602d4827518908fd09a1fb445d8333db2d65f376d48c66eb9e0498999e1ff49":"499928c41841324749143be9cc769899c38d6f6e6933e56898896fabcd802931":"9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544ea01c96":"c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4":"b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc"
HMAC_DRBG NIST CAVS 14.3 No Reseed (SHA-512,256+128,0,0) #0
diff --git a/tests/suites/test_suite_hmac_drbg.nopr.data b/tests/suites/test_suite_hmac_drbg.nopr.data
index 07fb24b..f7f5ae7 100644
--- a/tests/suites/test_suite_hmac_drbg.nopr.data
+++ b/tests/suites/test_suite_hmac_drbg.nopr.data
@@ -239,243 +239,243 @@ depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_nopr:MBEDTLS_MD_SHA1:"4e8227e8422d674cdb79e52cc30b7b84f81cc05b03339704dba3e731fc81949e679a4257c5fd68a7":"2d6e4af02acaf230bf746157ec624ba7":"deebb368a79c1788528b589056b1194b":"1dbbc7a131e98344fd748edc6fec11a0":"0266e8a066dcabaf6991c7a91e1c6e56":"e51fc833a60b099e56996a66820368f5332822c8f9dffe8459c80d2512d451e1669ecf6e562a1c295fa6981fa651fdd3d8d936c18f88d5844393a2a371aaac8f485cfe92926f1a54980500edc43a0a6c"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"09effa3906a5e93d05530edc71e62b39c5e4da020537176c23823da52dbdbae8307656cdaf8f861471dba14533c880505874098917e338f20ef8d8a1":"":"":"":"":"d5de8a3388b11e45085f6d9a009462947631c4e74523080ccd03a0196aa56b63a93a2939f490e9456e9fce3e9000e58190991b9aed6d145ac18f65cf2b1c17eb021acc5256eb6a7e9023f62aed87d15ea4e4b328f265cc34adbc062d54524365cc9c5073a8371f35dc2f459e1d027515"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"29a7071e686936e60c392061f71b68500dd6f11c563732fca9dec3b2f859e06a857fd94e3ca1817872d94c2b7c2f283a0d2d12a6443e95f7e700a910":"":"":"":"":"72c0f3cb7792bfebbc1ee6f65d40d118a6a1c4e04e589c8f70273b4c7b718c9df383658572b894838a311fc0aa2aa6258758b33783e192b0c3c1d322809375dc925a05605fed8c7e8fb878fb63c84ce639fd277d9955f91602a9f4777b7c3b15404c4e761ec8d466674e32136c7b8bdb"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"abd3dafc85b23025792bcdaf9f410829d3201c1e8ca450e217e13ec2e3b744e8c54107174a6e69ad05f643ee5cec49cd47ea88c80b96a0944154b458":"":"":"":"":"152333e16b04283dfb8c43dbb3be43b5db2ec49a399facb65cebdf7ca3ed267792ba308cdb0649b0c19cb1126b144d5766b5afeca98036a1f85cd2cfe3b8071011b69b2aec382f8562d9dd4331a554f3a3ee632cff308488b30a7416be8bbdee7e250cd12f371d069a097e9eac43031a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"caa286c160d22af10922ee6088c269d0c963034e5fd2a85d2fc171d0c4ba0833b630a64ab09965f132a744656631bf2dd27430c7c2d1e59cdcf43a97":"":"":"":"":"4d6132b9ce70470dd36f551584ada639e74b85fb9bd3c3e350011d99f2dc0371f874e6b9d92eba3fceafe34e574c1441d0d476c475b704755a28733e31637962cae67e849bed18d77501383cdbc27ab6f60d5d8d26634ef39e2c60fcbb04a9bdda8bcfb9b2d3aeec12a21279ed553343"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"f79156a2321ba930e15109501ead80a3b26c1747b7a9aeb922d1a9d474df64a1fc3483f10e88a7fcdde91dc06940c58bf4d747b5a9cd8cad2c2e9870":"":"":"":"":"1b3aeaff973b2e20cee947ff283277991842a22f45cce9d22c1705daa51a56ab43aaae1b51bad7a7363edc7b548a0cec6b376b925a6e35bc7dc3b4a33a7f3b57d66b1b35256908bd2d8f0495caf2539ba4475d766c21c2c2e4acff87fefb07c662eb344d9c99ed407165f8a09a22816a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"2dfeb70fc433426e23378d048b836f899cbff52d4a92c6d7d218e3aa54c06793339a752f86f03b7fcf89bef725339f16ab1cd28ec85c20594bbdf3be":"":"":"":"":"d403dd8a6f3a914933253db9cd043421e54243a34043f5ee11a3b6a627e25d944434eac22a00172caa607ebf7de55b4c4305c2b93428d5fb4cf0a649451ec7fc5da65c4894cf4d2f3d52e90993544237e5c58745441c9cb2e047513ff81d9cf980d8b12769c21cc8c06f6d583b8be3dd"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"2c6ba987bb61c4131138bb8acd877763c2c7e1f86289a81b6b54d1d8b399b5a5ac7171c0c9c0b5943bd7f54bf72b20307834e971bb637b351a756823":"":"":"":"":"7ff01def84626825fc22a62cfe28f5f95403bb2618eff22529b6531aaf1032100944d5f9703496d165c5756c0aac55b1812a72940aa5317fb6a2944d124e7f65766f231b6bda06100c5ad0d1b37c488e0e9f11a6d8f7e4cf7337e04d094ea9de2db1bbecf40e0cc8d1fc1cf5a01cd081"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"ba08acc3a00b9b40d2bad8cca4909d3bbec5471f78d0bf89a805d839b8b29fb753c9e5d3674365a7055a187a238ea1cd04f482d24d856b67eb54d71a":"":"":"":"":"9ec6ad840270051313c5825295a6f7527a8b1b9b3e7c867e5642a984b11911be60614e5737d3a0d109eea4223f0d2ee63cb19be702291a771b2e2c277f2d4559176fc5adccea52492e3d3ba7d17bad5b5f487d783639467997d7668ce2173ef777f9e31dbecb6ee716b5cedc8bc5098a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"95413345228eadb85b67674b9981af34bd6a4ae04866229921be928c06e6a6a6fde8d31a6a88f24d6a1114ccbe08ded9d7c50c3360bcb8908a615381":"":"":"":"":"d4dc08e36f94e88f8bfb1919c13186139591edc681affb61c421d32dfda69e507d59495bcadd39b73c4036ef440dc598e339473caba60e0770ac4729264b1dbfdaf32ca6d136ef6810a6660fa5cbac91940a28053c0fa405c7b6ca5e3f147b5e0096f36b67da9fce64247cfdaad70fc0"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"9b6bb9589f41e8ed6969dbf1a3b3d242dd5e133711f72549334c74190e4efb1d0452016ed4fffca9561aaf219e6793bfb6fd3dd9500bd61e6a62db66":"":"":"":"":"cee02e4fe0980afe6ccbb1b0d80041ba9841461397494f0fae5188228fbe9822e3ffc5397b7caa29950d95536e7000e1249e5bb93a593e659a49689add16d2f5e02ff251c76716dc426010c2961a176bd63c29397f6e36cd4de2f2b11e1260b9f9a00bd49b4b6617fb056b82c92c471d"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"f276ba0da08274a082f3b8ad989a713908873b742f96bbbf8c81b4e1a7e4857bc99aeceabe534c45105306b14860883cd56f2438a7812b43f0d911f7":"":"":"":"":"24dd3eea9a8e1f9929ebbbc2a68379caec77fb42531a97f7f3a75d16ad053799ffc25cace4f4553c271ae360eca1f5131ef87bf0390b26785880db0d92bb351e6e22409d600f6dab5cbb2278b8784e67a40be4d8ea6d994115c67b7224d721d1b3c7fc5b24e15f97eb3bbe33798d1bb8"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"fa5ed9189f21d7e94764bddeff23050112868cfe35220b863e8112f691c57e6d6c4a91c752c5f0b37b97d5f3e383480054877f319a568b064e6562a4":"":"":"":"":"55eb5ef1248b5a34c741f2076ea5d568da630ce4720b7e2c86a9dd535b48faece2229866a36024fd4114249be4730e554b772d557ce3f8b9d4d86d91202582213a676a076b87f941351c7606a452816db5d0f8194825d402d2fe7ebb2815532091b3830a9616918bb0e3298faf037bf6"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"d0c5003a6168163f707b25191b51211dc1ae361df1e069d0f284f66967aca4199809dc89368164213ae17285674e5574851582372fcae8cd2733bf4a":"":"":"":"":"24910e1a9304471d053af458bc3fdef527e8796e33133f5af005106b203e8fdefb274f1c0e8ff44e92c63bef3082c6e5607a7981a6076f1a1d15368f4330c7012509d5f61b4349224a87960bce9873725145f187aa931394c449f502d12b60655a0ab2a221134a51786c3683f9ffa2b2"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"bf5b5d1c891f7a6f2dd3f4d486d693fbf67f49584b7f053aa96ddacd9fc0cdea0fab8209d8f4335820ce68bfa04899b63cda15242e9cd3f7acb1f103":"":"":"":"":"710c8b33ab034b50a29de657b93f3c71df4727a5219a474350c88b4e3974ffd0d3452e8c4d26f579e348f39cfe0d20045a70a866c5e16a0c22aa0d69b739f74cbe8b046bc14cf82b86498460bfb26af0771371c2750f7c59320c6f6fe1d04cfb40c048686b6c1b69dc641b8957c2c341"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"525615164dce0dac5397b357546aad049dbe5982da2c215a233557553460f8505a3e7c8224af561190099ee21a06d62f9f00e282b32b486e8d0e338f":"":"":"":"":"3fe96c9b10c4c8e43cf3cd76ced4ad85ae576f32ea6671ef284f7c97491b72152a18a1060145e4f5e7c0c373c396cb4c8c0b6d625c1f0d2ae95b0691cb1c80a3dd5eaa21632a82aaa28e09a2bbdeff7fd8812fae46deae14bbb16da24d06878fc417b3554fb47b0ef9fe18d1b9d4f4ca"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"ca81953d50430bfb09537a318a1a7b90a9200077abb721e55d9ac28946fbf75d9cebc81f11cf6d4db712a3b91d479e00ba30d736a763cbfe40b91448":"":"e50aa8bec96339cf2608bb82cf038d5fd6bf93e65271cb72":"5c5eed0d98c7fc7eb30acddfee002d5b99c965949d4e2095":"a1a7cbc79bfaf4571cd8020da094118d241b3f018ec823ba":"c8b7d9c15624ae018a8612edf6444354c45c6a788272281c16526c689a3dac36679e44d89c4acd7eb58ff40a577c3d1a9f4d0175feef9ac5674c115d5e4cd17f2369e0135e33b018bdc99e4099713ace986a145ef55e868f74846feb3592d44ca3ebba6044a928e9284b5ea75063ae81"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"b96ca1202fa959ef55a683a9021068e14c75376e15d1f0394b1c091a8b6dd6b98b6f63747dae58c29186179b4155b868f5a81ca206a5086a5759b025":"":"a35096086c1fdeb1fb60dd84fa730eccedd53e5b127eecf9":"a3269fa749e55850d4aa9e466bced0beab2edf86b926c2ae":"29f6799f7c78fdfa2d0dbdde8381aec5af249556903f6313":"c63ea73e1ddc9d55bd64a63cf73f730136ab4f6d688a9cd56b945f9875ef4ff48cdbdd8b78b898486a685d8af8cccbc2a834a9804e566ee7138c7dbf488d263fbd387041f835ea46ad27cbd66721428ed5795f6ed044cdb17c8e7e3ecbf61dd68239e8fd644ae85776050afbaa06caf7"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"59af1213cfcaeea29e31400ab6b30f108d4a9a77d3b370972d29032cdc612b7c360c41f16b0c9d794219300fe0551e0e66d634a4eec396c50ec9604c":"":"66ed9352bed73224d35508754aab68fcea10aac06d60e888":"198a3526a67a0ce31ad0348bbdfecede4f82d4203d1d5ca1":"03faa2f4c34577cd8b2ed53e10c68c83c1ebc8d877379178":"5e24f1a9083f13274ed1020ab6935222cca644d0920839c2b142e2780983204453d2e6c58518cb351188bc3e5e3b64015882130d745511f004cfb6b64831139e01ae5bba64b74f1a1ede7e220a6d29b1067d7c68ba3543f4dda2fc97a3dd23590c2c18b85662618462ba2c05231534b6"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"e6cc94c72f37999f28b5fe350bff622b433ae19111786c747d954adaecba47abacfea8cdf5eab05e2f750c0a679cfb9c2c2c071461178a054af40967":"":"3032528703dd66e42c7b6b5881483eca41e9eea503852eda":"ce8c03b0a05982ceadb516b1fe513da2403a9e6dcd7a39f0":"3f7ccb55376f23dfac1dc13be617894931f9c13d15fd3dcb":"558656cad7da2ad87a7a29ec5e612addcca96d72ac7b224cde80ce386c6efda12113fe9aa8e511714a42edab53ea0289c75d34b42f2313ac366f51f5dd3f6968bbd4c09ebf840dfd03852dedc1e3b6209d932889cb04062c644482106cf8b7a237d2937840f0c4d752d52725b5590d15"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"cd4dcc8fb50672611f19e0cc8adcf9285f9d76e7e28bcac34e931163f8057b9f86424e5d514a13c0a25bbb49ee485501ec5e21061e006ad1569d2610":"":"24480094a44067b86ef47db38ec3e62914351196358bd9d7":"c6ac3b879adb6c150a8ee44428c333574ed9b0d6806848d8":"92bdc1514d87daaa321655d56c6302878c2bde37700163e8":"21c51a1568aafb56af1fd424f6fa146113d14d6d63e1a24e3168130ebc10dd84925bc4077c41897aa8b3c73aeb5bcf392d496dedcb6487379bfb3e12bc07fcf5c196d59fcc1fa730e55c00edaa2bca7b1e32a40ba06500ed3dd7fcab361995319979a0fa9cdc406a4d20650814e8bfac"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"fdca0039e8485a06e6a9afbde5b07a1bbe49e13659a2164034289639d23dcf3f9874b8fb1a1af8495b6b2129b88475cc529c96271bc1bbb5c7c2ea03":"":"841f765ed5f00be838a270730ce5926659cd7cd9d5b93ca5":"825fa13ed554973768aab55917cc880183c3ebb33a532305":"736e9de931198dd1c5f18a7da3887f685fbfa22b1d6ab638":"dd8596a62847a77da81818dbbeaf0393bd5e135069ba169f8987f01dc756689342cba61d87a79d4bce2311790069d10709c3a53df974c7d6793ae1298253f13ecdbb5680928579b73d73afdcd24a703dc9b391f303d8835ba1129c3d46237ede5e44732a74f8f23b60a3a45ce42f042a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"e246e3f95d89c166768aac69fc95fb49eec49aa633adb938ce1705b68987aeb0fae7f57b7e99e4f3e3e1b1db2d1fedf443bd2618e95193cefd905e1d":"":"130701f88cc1e7545980e6c6f6cc76b0336f089bb66cc347":"95533f4cc247c887d6a7cc0ca753009bf034ba95b7b1d3b2":"464fd16f011eb2986d9982879d79349a3ce4f5905bbfe832":"0d4e6b03af7a648337abec2efa585908af40e88d1f104b3e8c352aa29ac79fe8e448f36b0dfd701a1fc0f1d86dcab7e8a8ecada6ba218d9aaea1c40aa442ca51f3116ced3c9b8ba7546688ed4f3a1378f76b8a29ec763784fc82906dc0f688c5e60d59e6d5284fcd96f361bc5b285465"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"cb0405e58270cecb34a9951adeb694c5513c499cf310f6a99985d4fb3973463e907705740e01aed4ca221d4b03ef30e69fd8dbfb4ea919a913800a1a":"":"0b57e688472e9a05baa3920417a2e8f9a9c12555fd0abc00":"cac05f79d9837c97bb39f751792624983c397fd288dd1d95":"344d2aa2b3bad1485429b66606bf215acb0a65bf2a318f6d":"b2a13d75ad389514149763199d711092a9b0e4f1e50809355cfefc1884a94f4d4a50ac5c5da0b4e9bd7537e413bb451fdd2fa77f1f894444cb5c81e4c43978ebfd96900a2c8986c885d0faf89a2ad5c6ef922dfba1b5219b0f3c4ac2095340c3b8bf0db037171b6545741c76217b2aa5"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"e38ea7584fea31e48ab085c44f46b4cf68ff24b4a6b0b25867463e4a46ddc9a4de23f7272af1e9c4e0391aa9491ce7cdb5f96292e0d65cb9a9a4a3cc":"":"afe267e1491de3934054b8419b88b16731217eb4ee74c854":"bd0f3c43229a0ffc9e143e16738111e16d6a06ebf3eaa5b0":"23bd14ef8cf797cff7ff787df8ed8b87684fe7a9a33bf695":"c27a6ee5bab8f8e93783840e72894f3b024c7d3206a4a1869ce6fa8b5674bcbd24d4aab30f9866d797d850423c57684b7697913b9ef7bc0be933d0e21535bd50fea0feeb293985261fb9d4eb1ef97ab5ec6b691a08db4c8171e63745d14fb4c3a03c41f906daaa2877b7622b254f0449"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"71dc625242dcb94e6ba2bd013beb2112cfca576774e102830503b7aeda24c2c9d862f5212975ccc019ad2ea0442595f74d1d37dbcba0719d8ea32ba1":"":"0fef9f0934bb4485bfab2431f8811d963ec7fa7953ffc213":"a6a7501c4a5a93c396ef8cc969ebd93cac1c30b4783a0617":"c58ea233f35a22fd9b01592c6026aa17922070b3604c7118":"a1452d85799b54370cff65fd6dd74b575199606cc8fa64880b26972c913c372010b4c3f4ce9b7b565a8f5305072404c7b9d70f7aef6e2709c1694eefae66ffa80f16eb4b91f8041f4487427e69daa437e183e83d3b9718ba6a23fb90365884899e0d2f0bef56b27249f65e1c00c5411a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"36c1e048d16f9d6035c6b62515afb929633f356fed6a654282663e2284fd4132116d21eef66d29629bc712965d960f18cf3f7dcbf8a3ccd61b5b5fb5":"":"93bb372b7ae1035de6f13b2a36c3ae5682b9a3ea8f444383":"9715b72e4755993762e11a93857f1d50a051e70d094339a5":"2f1e73945863b237f49d6d20d0999a0203f295b9a046dca2":"ca135891b47f27c26ac891df49c80d085f90c13d236a60f1372eefd81eafc5819f4ae5aee5b32d46681be01629b078ae965f67b81a5268ef0b303d09e048f4449f5aaa11af51f80151b4697b13700930167cdcb3b6e8260eeb8bec7f6a67a2050a6ea569c825d61d4858a1cd15f70fb3"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"582425e13356e7a840cae9fa435b220af6a96fb53ac91e7ee22023cf6a0eef3923907883ae540be816e0631c894520b86e8c6adb8152e55cb6aed5ad":"":"227762e137f9eec6d2b3c63476b404dc5b0c68613a93034a":"fba72c01a9e51c93ac00c1232c717d32fd4d4c791556e716":"f5258bf318457769a93ef5b3ba95fa2753ad1c5c1b81a785":"c753a84ba7f41af2ab757ac1e4c9c450d2112767ff55a9af8f58edc05c2adcaef7b5bf696e5c64f71d5685593f254a87625065ee0df51ab4f7bba38faf5799c567d783fa047957f3f965571a7b4cb477566d1c434d6b2e22ae16fdf473a6c03057d934a7e25f0ea3537be97238d74bc4"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"836f5d7521f26d884dc34af2ca56ab4a752ea18b909085a87cb6d07dba32b654390a25b68ea7ba8fb790271c712f387145052ca46cb40534355c1666":"":"99d9aec334666d7c399e453455ef6ae884c2173e12e31cf2":"d74d20dc22c55c35f0b66a464dfbe8f349616916fc726298":"407b0951404079fb3b54559c0286143d9cb18957bed7fb1d":"809f372d1af60ff972049193fe9f173684a2fc9828b60b32164c1b6738e1ba6aa12cf739287a74c6ad528a3ec00095b590b44705b4975236a0b7ea02c1213f0e830f275f53bb79efd98679c4766cad27738e6fb777e98cdd606b971fa60745289d5ef72a99e1919686a53a241fe36cf0"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"e555ed6c7ab344fea68d73c6432e4e6da2e67d8b33ab79e5719a2def258a852d17d93212840583fe23900949c301a29fc92095f4716018144e64583b":"":"5262cccd138256fa8424801435d118f39b9aa1db4d11ca9f":"9b55d76b743bd7fc5700fde8ffca956c0ed6091df1a22aed":"f8c99af8029110c41a6a01fd2d3d12b7103aa39cbeea90c8":"d1ec06e38af7c6e0a70b73ac62bc3556183f99a47bfea0f0c4a59e7ba4b0718df5438e369ba14be84db40d5ffe8a1a5952edfb83f61ee4d984e3d2fa67f557aacc58291cc688fa29be530e66c228e68607e25c013473b4ffbcfeda721ee35f5dfc8809528eaddad8969ce719a411216f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 0, 192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"12f2cabd3b6f640daaf27ed6cf6bd7d06e2ac372733c6971739e36afe2ba1ebf4e7e5e9f5591480e3fae752fa59bb99a1949bdeccf0c100f6afe886d":"":"7766c36e6583cc8e3c26a8058fa0923bfeb3ee22033f46c0":"63e60d1bba9aa29adc3f3b8a5db53f3b703c7ae69bcbc2f7":"f416f36717ba5f0a78125ca52ccd004b2f4f2dcdd401f595":"6196b2b4adff14a26d64f440b6c160210266d7f5b77d5e292e94b8c67bd9cc774274741e7c0c9a7ab21c31f1194ef4218ddcbbe94059042d22ef44ecfecef214a73db64505d46d5493d7475d0684fc0e431c5265c12b35310d4404b3c4db6029facbaec88b0c0ae9799e5af0aa49e842"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"2c50da90a1f7987d5216950ea22689584b237647d96c1239f9251942f4d13d16f418b0cf7265b91c4ad97a7acbbda065a48bc1bc5c7a9ee1523c50e3":"a74c108fe870b91a2defa971fa1efcb7a209f293d29bb5ea":"":"":"":"8853eb47c4ada94a3d58a1b517784bccc8f831d02dd5239c740fd7caa3869c5ff7bbf522a78be2d510c49c496a6657a09f0ede00daee9fd77061b0f04e7342518dc6ec1f4a7ff99dd7c783882b58f5e8bc467516c6b85985fab65c6761d4fe756ffc27fd62cfb92778391a258d3b0b0e"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"4606e3e19a8a53e8aba05d9d1fda1ddf15e7709aa2bae8b54efc4a14e734b45a5cbbad00a749d2bde540258de74ff8fe886d05570300af2086d0b9a2":"23ef5fbde4b270c084a745e0e299a5eba228a37074fd4f07":"":"":"":"8caf86df25de5cbc3749fee4b64fe041cf4ef2859e20704bb01abe126a90ead8cffc427c2f98aac400aab97184846125a2a66888dea9c8aa108e96e03b05bbd30e566fb90c661dc1990ebfe75f73f5b0de7be419c225bfcba3713805455dffbe5d6fcc98141743b59c2cbd70e78f5977"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"08e2e2175fb34e4111179fc2580c05afa16d224440cc7eff24082beb16133a992fc4f4e2762634fbf68177dc3f11c4d057b71661ade56e7768ab9e6b":"0a4af33e2501ba409b132459ba97603888e727aca0a0cee0":"":"":"":"39c60b6d9f85cb69b2128bde86aca2b055e21ffd7716d789f834ecacc69a043893b09459991793571d3d8070f03382a11bd1c1bf38e86fae13a932c6dc82c540fab8c8eff478e598d3295663ab75ee8a56376c0d607fe43b74ac39479b8f694a3a13826b1b96344ec67b9eb0a5858eec"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"b436ebeda1119de3fb2b2e532f7ebf59fac632a4d784d904f844bb73f2cade5a88d4790c8c1d5973fc73f6b7f929303b62d30b6818a25ddf705bdb9e":"07de5589726c49dc5a764de9b41bce74675e4ca3c71769a6":"":"":"":"2099fc754ecd19a19de8afd21d2ae2ce456c32d6ce7772a98e37ed47f54001f44fad8e9b591a70d3bb28f19bca22940321ba17c33193613b7b5be1ec54efa470b70cbd6be2931193c35cc73d80c139bb4e670e1a2cb74d3bedd3610e9d0f9d154372a70b608fef824c346fb16241b301"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"4d3e993c296c66983b9c751d2c0aa2d519f801a764ac9f1fd8d86b57eb226bdd9f69efd9ad29bf16af483e7dc170f8af65c16426c2ab7c0fa9df0175":"52ae4cfe985348408d3678d60259a78369aac02953911e74":"":"":"":"bead2cfc29315133e6f5ba2e85bd7778dcf9908081032ee634f90b0124ed9371c9009419b9e2a409fe4abd6295cad57cddcb6042986cc98f2fafdff99f7cc1185f3ba0d5f1e5f5452ee5f9df03c0e8a4f8426ca246afafe81079c2f0d165b87056e7c8528e8cccac5f49d0bb5ccfbefc"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"c7c4e18c56e9191ba43c967cebe48e55bf9aff4d6449c3e6a1f9846bfd7f92d535bb7386c0155cdc5aa2beec888de0d432f695ec79b1c78841ad941e":"c36a381b1b36e6ab00ea80557b5e7451ec9771101dc22580":"":"":"":"da74b23d309fc7cf7670d7feb6cb6ff4da1b763ae2e8616edeec12c71511f5a24b9c466532283f4151a902ffa5ae211d7c1efa84477b93fc393ac95522f3673f97aa9e379e48d198d5929684875150633fcf8a0918d2050551d8daa91887f3d2685737b6456d0c61c0a117413f193346"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"78426f865483ffbcc6330db2ccd65bf8f247706cedf68d4cbcc289bacb1ef32e5caf05f28a21146a9b18e77b3a7ed0d24a0803c9af7264fe4e23d692":"e5026090f9806ff6f158c4a834588f6a39e9b4a44ef2dfa6":"":"":"":"111cd64a9950cc6f20a1b38811fce4a08929ca2654bed66c0cdebab0b81552826c06ef12ce463fc9c91c81a35d2ca0553905922b9a4975fa8fee2c7f9ffa9f2ed8cb2609f4b7d32a44927c7b5baa8f43dda137aba9b49a2b0394f7f67d37b7f71a5e4f4c151db6b96e8e4dd9cd0bd84d"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"43ca11d53ad0198e4db5e136de8136bc461851a30ce59521f931ad0596d13365bd8297a68dd42b7dab7f40808b3ce6c12f14d4de741ce451b6637a10":"532b05891fe406ce72421013aceb434581be8a3a13549dfa":"":"":"":"4c42f791dc8322d779f9a1ed9a28b0cf352601a4ef6d74e4e822ee5d9eef06e700314acb7a47dcbb62805babdcfdd236e3022374defd44bbf747764f72fbfccae10893b54b29966aba448435987c22ace4c931d01dc945091860cae7744365bd9b619059b8b646b229878966049cf83f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"ddcb3024b681e30e16e05026d8e23977497fd0b2c0ac24017de2744edcb097d3a104d4e3c6b8adcb554746f9a43671f0692c01a8f89fa98ec3a54ac7":"bd9e41974f6627ac5bbb21ec690eece459e1dcedefb327f9":"":"":"":"741b2a8e82aa3ca9f3a609d05a6e2d570be463ef957f235344cdf9e0f89b3610951aa1ef0b9406785b75e59c2de8349d435e4db82fc2a4a8b94e366f4eb13c432fcf8fac08f0c7fdbe67a44e81706b53b460f78befb8cb6dd2a0ffd13c87df84f8a5197ed47158cee171e5323593df4e"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"f81c4ba8605dc14072e2bda2d2ef64e71ad856061056b8d8374fff5a6fd9a54a814fd725bda8944037197492c52c62b97ea02df33325b35b91726839":"217137084f4519d046ec896144cf2c301baf911e1440852e":"":"":"":"14efd71fa13dfbd498bbe13ffa24e646d04ee0ef32c99c11004c3e9d8f748ac2f956f9899a72c8d97ae988d06275855f77a92bc30f1b957dbcfc93fffec3852715c239c5313e765affbed257d302b6d1b74977b8012522b69902adb86efc1ad768d99d657a5375dff720b4cad886877a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"8181fd2cc5f7ae2d4ed2c96b9511aeeef33e50ecf164afc4eddebaf76a96d97bfb40377959e1edc44d24df041749ec6239ff226e40d5a5feccdbeda6":"7d6ca5ab652a37cd79367d84299f1ff2c5a3c2331c77b98e":"":"":"":"5a2cac8110a24e1d8c5f8bff3e82857ec8cfcd469c316fa18b0f65a0d30866e49fed2a228121f50901dbbba561732c4fe82a98f341bbc0a397fd257a5f8a4a9122c991648b1a6507c82f866d26f9b22e0ee7c9a51c4d8e5104f0b4570043c9257bb9dd6f3730f1daf94f80baf8907acb"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"a0ad012a978bed2268d05086b823f5d0dc9bb98ee03980d755bce968f9ac81db886a2a05b59df40d8346334a0276b73f528db03a118545acb7f2d70e":"1a8aca3c118f2bc0c2196df81ef22c267d20ed7c607cdae0":"":"":"":"b9dc0eb1e4aeb482dea1b4a5e6f6ef9636366face696811db2d912e9430b303f23ac95d65682694ef9513ac5b3e56a053b2e1a2ffbcb901c375cd122cab47d31fca5a0606daf8cc2e5e6e99b90fc8ab4fa67794caad91985cc92b2187dd2965be0980240d9be2fb1c4bf06e60f58f547"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"f28b143468ab87794230cef4361d047236444180d0cfda58cbb9494cd1ad21be96297ff799011042013789a928f18831ffb0169126dd046c774a4fce":"ea7fc50e1eea3d84bffcbf83b240e921348b532e7b33f094":"":"":"":"5c22e92f25acaf98f55ff06e1bd80d382da754d1d33cffb6fca933583ba758200357551640c439770f77f843e9ce1e9a054f69588d76acb9cb92b7a2fa2903bc51391bd7001ccc1da67a4cce9e5dd08c2d489295c36de2c148ce27311d0789310de1cab2641e92f859b036383a8058a4"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"b628cb448e477cb439a2de687861a992e738db6b2b25cc6c27aadfc3a0a640b3411de49c920407303e80abd7a1d4f45c4749980fe1550bff69518210":"d5f4f8266da9b7f17ac97734201544104a5c0acb53c6bf22":"":"":"":"34a834dbb7da0b6a2e2353bd9795bef369cdde4d172b3feae7b1d9fdfb0446454cfb1adeff423d0a143c33c0e0d8e7905bd1720889e8b1121f1ef82cf15443c2f9c8999c5573e7df60b52ef395ca1d1b60e7eb721c012c344d06b336d519fa2b7b6dfbed8383456504bd0b4893bf2ba2"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"5c7c9690a1926a4580c691c2e5327e736d5c3aec0ce8f5d32d4946bc4b607f712a8759428b010ba1b268b0de64fc5eb32d3f7fa9b8d4f20fab45c72d":"0310b2d8b5655cbb0fc2041ad15a248a7b1f2ac78845e29b":"":"":"":"6f8b6df55d9d8acf87dc2af20b7f4512f9425987495f512975de8059135e7ebb8698cb0301a8816e7299e76053cb66051c8b35bd2b00b4695cff4847f168d2d60697495cd9007ab7dd74ee7f61ee90b7827543f624b7c1412bba3d6df1242e6ffd90534ed393341429fc00bd97d9bcb7"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"96ae702af50c50c7c38818a5133938bd7ce51197fc78e21815b6c5a7ff9c0395d764159f707d5813e5bf47c1b8232b44a007bf7decfef499d758ed53":"e96554644097e9932585b7f4bb14d101f24c8b0376f38c05":"3f698a5f6f4fe67ef2ddf23bd5a67c1a2df4f3b19425fb85":"fe1f6a90fc0ed396bca21c0d40a1bb583eb63df78c98adac":"5942b56148f27dd5388f00caa47ffd4925e854237fe14454":"150b9260ce9aa419fe1860332ae7c9f42d9ada1649679b53f46bc9d20de3431186a54afb5df7b6269cdc05540a93fdd50a2cd3a862372d862841768df02846b057993dd6aa32f874b7220a5a1fd9cb573d720a54af5715cedfc16f0d9a467735e253b2b1a6e97421fcee1f2d670dec1a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"4834717f669d9b599f0ee526129057b5a7c5680724ae0459ceb0e0d4eda21e5fe92e63fd23f08f8a0b094a85f3f377fdf1018ada0c461b5a05c334e8":"870b7857dae97cd361a005c3005013e4dd55ca76e46b62bd":"522534ba1a09cf9abf29bde66ce1dacd0e273e8954eccafb":"45f54169665f59d92211f266892009958ee515f14d09581a":"4633819c2ae83c71059ec8ae41ed2c68cadf9b2085a5b8bb":"7afd6cfafd9a7bad155b59a8bb2094f76b915b93764e92858821d5c32ff4a29493788d3dc1627ffe7980950394349eba88b9c2f6869ac5086296366b6f4ee37e8529d291c9d962e30662423faf375b7820e0b650db03e3c99791d8042da790cce1a1997ea21441dba4b936bd8b393300"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"f5d1d27eb344b63e907d82a2e57494b25dabcae440ac88738512d9602ac8bca243018f2495599e618dde0261e43ea38d45e7c09ccdc4bf3dd8e5c100":"12ff844e5c5bb3fd871feb37ab796002846ffaca5a741c54":"f642c19602754584afa3083f567d80fdcd1e5c29202ac3ad":"cb6dbad8ce1a5677b4825cca934336b936ccf841ff98d894":"c11fcc157c643a943e54274f1d942d998fd1ea0333e21588":"6f25ae8bf8c26d5f0b9d2a81acaf221790a09241b6e83c9e527c7784881d1f7398c2d7771174f92aab45134b4633ad96430df30b130ae34af52de90b425405959ba24a41685a04d2411e2f0e8564bf5bf3280cb6d75d0b910d06c73a625cd56646eebff14fcff81411c055921cdfb4c0"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"49a10569d87a790d34bcc3c8fd77d075a1cef9eff337e8929b51bdb8d6c5df3ad31045684fd1dabb1fe6f052fc9886384fe43c0a7abc7adca043d35e":"34d6ad434a436a690e7644f0dc2207131148192ceb2e91b6":"8707328fc5a1721e4d72b23c2b8ca3c30ddd95664ac478aa":"82c8d83a9f5d5639a6a1ce26d244bd30dceb1cc978627e19":"2a53b0b80b29c7d071983b65ba835e4eda66bcfe7b3d90b5":"08e24ccaae3b44b7248b2d735af985dcadb84f74d202bca726de1cd663bb5ea1bb67c669126ac97218a9ca45491df90beb387615474249bba1afd4534be7a74c61fef308f13661ddfcce40f24b410cffb1cc3cbba2c6d20a5e4c4814d44bef07bb697cfcf1e9932e43349376dc04865d"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"9a4232a59cc579867f8330c288a9218251030c00ebe50c9cd97d6cff6e49ad079df509644ec2ebe3ad4e515654af383da265d7b348dd4b89ddd49cbd":"b4498a32f664d4b489c2b47e67845d2d2bed5096e88f86de":"b8471ee87531817d81ee32578d27fa3a190df33561da7a2d":"2e74194aa62ef911599b37a51fa742817e3a4e6c254ec179":"afc7f13ae55e738cceb976ebdd01698de4d103db797f799b":"340c28cb7cf4c3e143dac3e133de864b1f458c76e3d47f3cbb6845f940be174b8819fc539f42005f4485fddc657f064c34873094e25a9bf7ec341a98cb97014a1d694b1694170ca5a8976e86f6e4e41232f526ec8536facd02394f492fbcc7c298ef0eddb3c5a148399ded7677366cf3"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"b89744009793d2c118365b1d2f343d6b6c59374b41dbd805e793f27882467c5342015cf968b080a88a15fd6a7be3757b05313528525ab1e2cbd08ffd":"f3c02be0a880e194013c21b09b6703a61a7ccf7a73e8a541":"bca27f10060bb8d16d499b3f6ca05ed8462b51b0b43a1fd7":"eb6fcf75884be9112219d359013f45fcb1959ea971bd0bc8":"50a03bc3652f50cb9ed1167ea70ec1e74f896f81a8090216":"d2a529722365e7ff3e660964eeb27040a0e92a4d19bbe94592cfebad71047414676ca6ca72234f5127f313cb7f5be613b44d989fe141c9a0ec1f0b4d83c36e744cfb1c72c32a02b68c21d28832da008c57664046255ef18488ed750ec5e73b18eead939f932d2809f12939670c3c1033"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"6d2918c15be7871cad99dc9e06f73253ef905d9705c4e4ec38664043b04f9a150fe5953bfa7aebd926be162b7edd72fdc14ff97e67dae6257ad654f4":"489243eaac215f76a573b92f0709d116bd3c817eb95c2c39":"0a84cad7a1cd21a5afe6557d7d2875d9c62183cbbf49a123":"0c14578ac9504902cb9aa654086246d113039f926a87b325":"1aaab1e3a29e144cec825d29c3f42dc945cf2772ed30cb5b":"33438ba4edd0c38db99f2b6a50b35dd89aecb3491990ec4e60460bb32eb0186ff9fdc973b1b0df23ae65da31b8af5a37a69f81ab3e577a4c2c31e51cfcc4e844b044fb597e937524f59a0019ad5120c460329c982fc93e8e7a4b4e1de5619103b23a7a579633fc925d147d8fb856a277"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"1330c4aef54ff84387e0372f7c8d273cecf0af2ceb32ef6edb6a4f1ace802f3b95fa69cf578e2cda1d6060ec2554eb3152507387f325d8e26009bd80":"89d7bf8f5754cedc2e1a249f693e29276170f62c29c5edae":"a6b58f33d57570f4df05bbfb792a00087d331e17417e09ef":"f57fc701e4f8f5cc2181b5357824f932f6e07679ec0d3cc7":"586c4e8c5769156cbb54c025fb01aad0b61aa6238c231656":"0bcb6ad4f2acefb549c46271d5a4ed41d7decc095137e2044b60273388c6c6d79cb89016abcad1d6a138621720b71fc11ef82fae04026e08926e94042694a0c008f99281e03da580fbb6543aca2b4596d39699b97f1fe65ec60a70b88770eb825b716a10ce41383f31db596079a9d54e"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"3f0564b9ceee32c8944c8f2bc4b4d2179b38acc880bdb91eed466b881e2cc21df77bc3901ab5ce5ecf029a066784503f80d1857979b09c4563944433":"5d54fc715556c20f5b2d01d6b0992f1c596e5ad77f81da75":"35cb6d07862fbab4f50038097cb463aadf14e519c8834651":"abb21e501e85ad1edc66108e3b88380fddf810b10b883317":"3c690cdd997dfa9c5677bee976fa93cac21f5bbf382f7f53":"bae872c9d221b1531f85c15f466b7a3af3fa9c9c6b72bb8f5dad77f3d12df52d10347ba5d6504cd0a285c3be578bb67f0a9f0137463dc01cdcb847e7853c5db4cbb6a115ebff7b80db0406baccb0e3e68a4a4a95364c2da29466e160fece7b8ddb65dfab000c66cc8109380a601d5ed9"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"115c973d6df41ead464e22572dbe0761dcdb9aad930b2e55a5558075fb7c51c94efc5f8fe5dfe24d30175a89f1bbcf146037a07b324f572d0d4c27e4":"d3079ee3a3c9b2d69ee0fd316a6448bc7d8e3b730948c46d":"2348ee87bd5a3bb45d51a7b6a109043a9b6ee3db011dda28":"937fe1a7a790754bff99ad51782e8ef5b4928d0057b0c380":"3e89899f4aad241a9189ffa127c87c15b5e3bcfd80bc316d":"0ffc883aa19b3cbdeb39039fd3760160a93cd663b8b358e9fbb6300df164689303ee5f2489ab4ab2d522f6a33c93350eab553a2499b15f8ca198303ff45e946a06d8a40959f33a759c5381b3a59da22e68032abf3da3da6aadb410cb41f54b3146ce57f9bb5d28bc823e3e03c0294794"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"c28541425a7cf33e29adaa91f326f216de89976031977f104f44fcbcdcf4579337434613801fe4661642392db29f15f0924566e72b596b23ff7b18d5":"44650a29972aa8521d6fb9dffeb15c00903a283f20ea9914":"43cf4de0276483be1382f3cecc6a803551a40602584cd84b":"03eaa10612895db8f66d50a2210d73d1f563c3ca929d9f54":"8d2b20abc4e8890c772bcaa05cb7b3eb5025ac4cacb5f7ce":"aed27ff8eb54a7d2787e73ed2a51877c1250c0d4eaf10aaddb30409624289a9b7742cdebba54218c7c448b57f209182e214014cd180916a8c125ad438af2e5f5ca5b00f9cf063f0c307560ed4378382b4572b97088f8d24e0bdf0fc3489f64074f1155fbb1163b54c93098b841257c30"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"dfa52082afb4dd137cb5209f6771f04eda25794280983ba1d8cd2f3d7f9dee556ac26d8a5a368d29096ed643089b65e9ab17b5f58ec816570499fbff":"16ccfd20408082829aaf8a818885164581c9a1bd09e9fc12":"abe13d12a9f0133bdebe14785dfef5f08a133a6cb5c26a92":"485dad7804de594356cf3c571d5f22263c0b7cbd4dca1f1b":"5961f8177b6015ae0119d22e0a45a4aa1bcdc580f7e7f975":"ee48e57f1b5bd72c99c911d3353952c2c143689c3cd9b474a46e4ada83811efc67f2557d323723526809825aa338a80e833c95297d6b16490db633ac1f1648071c3ad4cdcea056c41b4eb157ffc83c3454b0cf001f1e01c31e48a61587381e293e6cff97270c1f157b069df3e591c2f9"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"95f3a1aeacd07218a2ccee44c807f790e568e0032a42fdc7c8dc9a71f76bd725aa909ddbdf5457f1dc4e69746426a9c56fbec603867633ee36a7fe62":"658b7326cf6adbf7208d37cd69547805bc3f58fdd874e143":"d44350c7a668e64873ff97c31d79cb23b0f1620aed7c9d23":"dfefff80f10c3143b82de3392c395ab94ac8a2f4c0a30048":"a6d21a762aaaddcdbae9b9ecefbcb3149d514c94fe83eb21":"4f5e544491b72b84a0d0532d7f9ce01ec2de6a05ab5056fc75d8f73bbcac5ffc38e20745d0e8aa1eacdefea6dcbb92475b5cf9ce0a617e5603b7b9fe34f4f4cb04ade2db35cce1fd315140e3e4ab8472216c7cfdaf004181351f210b397c3147dcd279f6fc2ebd96050e996f77ad6ba1"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"29a1897d6ea5de66e551f8c106f601e421ddd940812530df00f634682f249aebdaf86938c895c11f9fcb0bd1fcdb183b4f8cf86b3429a5372caafe1d":"d655a179edaf4b8381a9f6a332ed5b754dbf34f650d19867":"31c87be686b6f90f3d1b0ea90c541e16f3430292a5c4755f":"ed49403700cebec30d1057503be7baacbeb45bcdfd9a43a2":"952763380af3243c6c327f23cb74f8368919e0b6b9c25934":"fb29067bdb23c0f0153932523edf32d0e3c18e46616e07f39a4b78091eca90349f636ffcf26b68a4cd0902431f2ada91bcc86dc223db4aa7a42e7cb57a852095704a27f9f07962880a50d2ce16c125be1e8d4f54a0cc5eaf63150c32408db6f39b22fc93b853caaba9e49581f13a8815"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-224, 192, 192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_nopr:MBEDTLS_MD_SHA224:"387e31bcfffa51323a92d90713b438a1f4ded69707be3aa517e1e72d448abbdf0a17989b3de7c43c621e904f52db52ad823daabff9c10b3fca93acfa":"e08fff320a493d70ea4cc85a4cc604664a0deec8f6c7666d":"969cafc33e99964833c4d0f88f906f5429b5daa552f53bf0":"8d6e6f05301ef5cefba752f3d0ef58a25775d6b69f6c15a4":"72292aaa69fbef6f010fa4d5bb63d6d7a595395d79a8c110":"77ead908484044482da529f9a6f4ca6e6d8d49954d2e2d5c7dc455e03bebf484021673727bbc40adc8812600201b8c2de8e658191422b80d23502329c84c0ca061b212952fdb2ecf3106dd20e6455f1f231e1dad1cfbf2fa019dfe9c162a670ae20b252ae2e5a4ca0eaae1c679a7fd3b"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-256, 0, 0) #0
@@ -719,243 +719,243 @@ depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_nopr:MBEDTLS_MD_SHA256:"1353f3543eb1134980e061fc4382394975dbc74f1f1ea5ecc02780a813ac5ee6cf584db2447afbe2c8fa0c15575ee391ba60219332a67b95d90ec9de6b8453d4c8af991ae9277461ff3af1b92fc985d3":"345b0cc016f2765a8c33fc24f1dcfa182cbe29d7eacbcdc9bcda988521458fc2":"6964b9b9842aec9c7ec2aad926d701f30eec76fe699265ae2a7765d716958069":"6a03c28a9365c558c33d3fdc7e5ebf0b4d32caac70df71403fd70ced09757528":"a58546c72a0b4d47c9bd6c19e7cf4ab73b2d7ba36c6c6dc08606f608795ebd29":"5b029ef68b6799868b04dc28dbea26bc2fa9fcc8c2b2795aafeed0127b7297fa19a4ef2ba60c42ff8259d5a759f92bd90fdfb27145e82d798bb3ab7fd60bfaefb7aefb116ca2a4fa8b01d96a03c47c8d987fdd33c460e560b138891278313bb619d0c3c6f9d7c5a37e88fce83e94943705c6ff68e00484e74ad4097b0c9e5f10"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"096349506f3a7653d54db7ec1d09e93413edd175b6ddbeb00e56752a520ac8fffc7983b918acadaa71a67e1624f1b5024260a0495fdaba58aae41df82505012d480c8e4f751fd7ebc39f9becd694b2a3":"":"":"":"":"f4c7bec0c26cf3892d214549ac6f3d82f34c6966d4295099ee56166e879a70ecae130251facda351e903d877b6c5eab5153ce87ba6c7cf8bcc61cbd14cfbe34cf1ed43678aee69cd87b60e6bcb6ff48ebd44ce9e31982d8fe20aec34fa51d625f845f61056575969bf785c2ffab4dcc754f13de63423e94bad8d5e166d96a62a602d3ee4045df162028b89cac45e6207d9097f2b3ac0ab17729251985f276f1287f5c56cc9ba1a79fbdbb291f3a945fbfdbd63cf13b82ec91f7b1085b33279e3"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"aece2087b713992ff49d3bf404dcda18403e015632ac03735fed29102cfea6ec1b574952687c9bad0e9aedcfc1da568be632162a83c802ab94f32bbd87f6cf4af1f2703f4a02af7d60e22383a770b9ac":"":"":"":"":"c0344807d5e3ea29fef73afb2b83dfe0aae186047fab6b603d8608df49476be18bf1f0f4707198fefa18804404887ea3c598d887e938440e1fbb8ed0a1a330cff84d952cc6405b12e7bf51b0c67d5e4896006dedb44637e393a97925890fd5176252f69d43920043844a91d0840844d89b8715052cec31e257c121d3fc0ee807b84afabee59624a00703f464b0079f12884a6e888ae4959c5423604f8ae2e6b57f4428e10b680cb74cf20417380dd5378449a24ef95d9438b0fee386badee962"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c39e77d579755aacd454ab7ca6528596c397f28bcd5467cc7e0fb47f398e875da83892a840381c1bc03b7a223e92904a714dff45759124fa33464a97d7f0d7fd2d1c6c21663d31fe80abdad59458c228":"":"":"":"":"10f8ec63a550c31ecdaf2fb1b373f71f18d146ea033dd65cec2ec0b73b55bb6f3fbb7136dd045e09c4073247f093493cf26b6683bc9ebc98025f75fa405fb8deecbffeb0236a33f0ed6c7600d992ce5a268c86085adadf68047178ed89d93d739351f892723d8d6e4f428946e4e6dad1d640a9c11de23ce9b793324e31dfacfd367d86855a28cc544f88b8a91506753fa061cefcb9d77bccc15a23a84dba644089ee03db8374fee91dc23af6672159b0d2db219ffd07390b69879910b5c336a5"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"d2e8a25249ac850fd3b01f62cd1eae3dd94d38e724f8e2644b7bb510c37f203890242b11be773beb202e9ee93899b60a00ebf08db1648c8750b14d7b784cdf0a6d4e7cdc816469cbdc3a08d6d32503b7":"":"":"":"":"019f74eeef674ef100ba4a1835bddeb925fe6fffa97113dc00d7d8c0ed486a73e831561ae44c5bd90e189fbe2bb1bfb84f3e82ec8809699ee8c2fad80b464b6b344999c364868300c1edb065ae86109dc29516f2bdfe2a046ebc8725044c382d93990f1cba185f61f71fd22fbd076d727de32a6c1d2f430bed491c9d09eb6ee669a1dc4f8048c7be199c7cbb5aa4f14d1423c8a54763869f5dee947f776ef2543ebb88d3004739089efd86b7b22327ae952747068b35d4b3d86cac1debce3e41"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"cffc6c44279e641856c39f14ed35440ea2f149c77459106f960caf910af21c109067c0f9445320adfc0aaf0c86120a38584747b4049588e5d93569fcecd358c51507bed59f96145bb8db6bfb4ade3a2e":"":"":"":"":"928d6d9f9128b0af64028d5d2e94414af9f8dddd353e4155f42a5d08f3e530930e01ec0dddf25d65de7f49de702791372c71fcaf5f20bdb24eb999752bfdfca28525b16308d46cefb0bc3b260490115778161db2faebbd687b940ba098e3d5be640565b81ed9d434b6861fbb4cf034ba77380562119aa3164dc53653d4e82ec84cf351c35b1b668343faf17f172eb4c0cc3999d7d24aaba58dedf11225336b5bd747825d2ae9100cf6da3276f26cec198e52edf9194162483aa4a45fa348d0cb"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"3a1f0474c279548c086de9e12ed754c49a0322e6631f7f441c8024fea654bb6ce245c357b13ae94064d1b41c23e5e0496199e8ac9d535f8d95fcf85fdbd31eb33c20793f35075c412ba7213194a873fb":"":"":"":"":"954b58042d028abd00f7ce3d39fdb61e0cff6c40391ef8629e87101915771b8d0c7e24292751aab1219645743c6f54306866775e28b54818c759a6bf807c4982eddd4be5e22fe35a303cd503d122cc3fc5cffe50b03117457e2efc1fd91a9768964552116811b0e65856e8f8256681c722ea2652deaa2498025e84262a3fdd78bd33bc36c057e198327a33232ecd36501a0acf997d0149b4a833153b710b90c8722b232a574d22e7026a89a4d9cc3506cc9942705a162b34db9f49301a087dfe"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"e5f4fa500982bdf8b023788f9a5532482b29b12e8ae776111adaa617a958ce8977873caee6e82c5098ae77287bde1d8295b8aa125923dd7f8e05df78adc29898836be76df7c5aafba6493b211cbf8b94":"":"":"":"":"5b3fc1a7ea418debe79994bc0a8c86f487ed2f320c34293db950a1a026c239b8da6226d1dea509a0fe76f5a811c9391a622343324c293a0090587c10193a2961e358d1e71c269827e0d44e93d87984f47acf5b4751c8c066156da1c44662af4826cdfb5f7cf98b1f0200d3a0d7b99fea7f1b17dee7acfa5baee8f95ae4e0bc050bee2eeea7c09baa729e6e02ed19476ba3f8f5a8c1660de0353df8723efcd98f5fcaa56f6eda77f2d15c76d26989aa998c4afdc53ffcde47dafba8fe5818e8ee"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"b9444339a8738df6cfe95b6dc28980d02799b2ec5c8dba9ca98fa8075621a04172b0c9e414ea33c8bc4b3beeb536161cdb9a2a516f3e87bcc9f92ebbf4ac1a900559756903b72c4c1b5f9082d8b341f5":"":"":"":"":"09465004f009ed378f440c10fb122a265f464d373e7f1a1719c713f6bf38d28fb5447c269c127a0c10081533a847c0e19f4b640be0b1edf84d95025d56679e5880922f29c942e7284296a9309b4fab1b5bd9957d470db28d3d36a3585fd37573e8e3355d03690241d6f7211d8c6b054a813ba25f9cda76202d3270bf12f66d2e5ba5a946c7d28dd22d55d34a30a040aa9782d1e494603143d436cbb0212fa0df6d1bbf4f19818b99a68d9cb062aaee8fa05636fc60a072ec6e5ef24566c6b96a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"2aa822efa22d4cd65359107c46309033984b8e9c3ecb1b77078a09ad9ec746ef4f64b287bcc3064867b678f81ab209db3ee132a11f8c9246ce0a3d6deb3345f9b15e4cd048289991c64a21afc46ac98e":"":"":"":"":"7b79baf0126782bebf1794fb48633dc69ba88d63504d27a206d974854d446737da4ca1fc5bbc54368966b583dc441b105bb30b3be19f2778ed31564acf333b7c4cb1727480aa985afd80396866e10f6da31287cce07358d6308e56e3bbce8613bbf472aeaecb27e66305e34af593c8631508cf7d2c512df7c9b3ab04a4ede436b9d2e6919c03a525dceba10afbf6e8a641591d09e8a90543f1905b08537b8868337c774c20ed47df32d115a7f3306d808bb82d06bcbdc81042d0a16a3fc8d0b6"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"a32ac0aaaee05d57cb3a626fd26854ef08a3ad42a3c688ec6a9f9b67bbff02f86df150db0de2e3612cf106d9f158fb570901e1efb12252666e7a680513cf22bc0172c4f8c0d8b2eecfa1d471c10c9ef8":"":"":"":"":"8271bd7aaa795b58d8f741bc207332335a68feb66ac9c3bfd5dac72f20807029f555c3bcac629d228c3a77d596d99c5d545a8dcdd0a2fb2a5eed5c3492618dab4f763ecd7c6580817c6a7acca42d81831bfc13f38ed56ed42055877c7f31dfad35a73eb2052f6f9183dfc89b5926680dc2aa85995d42a0c073c881f1ed332794a784553493bfd842225030e0056d76e52810236b17f6f067d1272372395ffe9c2df3145cc65ed2c6f2f121dfc6c1eb8fa6132b44ee0373c7c027af80383d4a7f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c586e0f5999f107281dd5c7ca1ff88d4617b4fd1bb61313895dd4bede875c27b5b0e6c5ba15e8725eba8fa009406aa3d8b8b66f13e07c8918c0f3f55262debfbedfc641329e1fcd6442c245626cfd206":"":"":"":"":"9d4f4f688406d8e57d96369553ee39267a9df9020d7fa78b39e1f246675b70a8080cac5aa6967e78c55071241e20a9446a82507a215a6c5faa3a2ea3c05c12905558d98a8eef90c8abffe6cf8b874c5ef057e365fdf179438de6a78b4dcc075b41aace875a5dd35a44f2d2b17d6ef6aa91f79354931c4d487142f7ac2120fd78caa6c7ff5298729de16c0e8285d73a3c6a95ada99f329dc9aa0924b0059a6585853296789b7e1129432baef4bbd2240a8ef7b19046fba104a85d43aee0ebf021"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"bcac6c2160455e7db38a9c94ebd329c1ac043b6ff607a9c76a86156974d30251b4f4b14e6cf01d407cb426ad61608d1599a6b7ba9402756bea2709cf3b162cbf040d0f5f38fc4584cb9cf4e6a7bb3984":"":"":"":"":"37d76ebbab0d4c8354086a5c5edd5aa6314a4770749d468b9e5d3454f2dbc9b25432f2d5d9f4b88bea7f9835edb22f8a7b09bd604703870abee1160369d0575bdd3847ee5fa93a9fe9aaaac0d436022f94d1b96655ab00feba1f40202425e51b084e372249fbc37f49410fc9d4d16173a9bc29181b62e342a8835f818d2647c45b6ce6c5b6f29add13d57e80513f767339575671bccdccdc9d093dbd72c91ba07d81c58ab5256b6744a94f0e75482e3848de891dabf384322d1419814cfe1590"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"4b667d35a481779ad919956ca06e07366a974738c09a5685fa23b3fcc1a54260cd39d725a7f2661ea86a2d57cfcd2a91e08419476bdc5534df58c6c3b077d3acd27ace0472f91854c164de7f76a9b1ac":"":"":"":"":"c82e5e2fb08171c233670e9e5403b07c600be4e91ff5b57ae284c4d733139b56ece720e82d3f9ac185e37d0f44d5281224cb5f9d230dbdfcaf1756389fe752575a2764f6ae775d0a82f2eb1d901ab04b59b54b5fadb2acc9b9af3e829ef19571dc416752b1bb0935ea2f3ad69dc452285c2f08412b11794134ba3bda0a10425576e88ea7b069b74b436aca93fe9dd1dafc78da1227b13d70157f60c9bee644451f8765e4c8badddad6c779d6b42d4e8b5ba65269186b04c38db348ab5f7a4146"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c0db9453f84c2aa74bf93ef21b9e7802bb8995f6fa5e634cd4064ca2a0075319a969bad1345bb5432df63412807a646d2008394d83989cb4a506990f59f8da80e6b3a1df3fb8d726639d59cbaed1562f":"":"":"":"":"120bc268ca0d3f55d5aff5b360ca4d29a4b8ec5cb624f9674ef0a67b90bb70c238b94b2bf804fe74ca18f8364ff8b1e50b2315f8aa0c3fea663e93c80544284136de1d162e9078e9a074a50b493bcc7e0c83a0047199164a2d32133db57abb05b751a357abd3ad5298773be21c534f98645e94f0935afa53729462acbe55993b7d801bd6b0cbc8eeb5a1c5f0c0d690702f8de0a1a78dcca8862538201fafbefee55cd5be62afa8e5111c89f1f68d0f1760cecc86bf6675cb09b20e097bace037"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"31836d292cb46aad594171e76237a3422844f62fb14d0cdf63ba587e73501051c7cbb280d4b46412e10927c9523bed1beeb5163737db7f910e444e5d5221c5469655fda4ab7218e63e1451f461b4fc70":"":"":"":"":"1cf3b49f28b791e7c81706fb1a870f1af134a0fb0d2aacfcd6e446caf0a91c04dc160f080ebd5503fb7c16ad9229bf0a7bffcaad07329d5bde4576870758a4bffebb6b5c309114688db8e59a55413b4b37689df38d72bc5358291bbcc0b05af487a33934ce626efde918d0ed5f2deb75a17bd8912a31dccd783354477fa850520c3b97b56c6d2b9e4a05d49bc36e6683271f2322c9a546fca88c502187a5f4a2035bf5c527aa312f16c357c37162d722510b52ff8357490a096692572cfd8b0f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"a0c341ddf73d9404177a5fde32cbe21319c318f35cc9afca9ad41a3b06e13491e843cc6afdf2bcd00ce77ff06ce3d8a54772c46baf142e569ecd9131d6185af3575bb62a41cb646bdcae8a7a9fe60cc5":"":"b83491ec1bd89f3fc84acf1aad6fbeb8ef6ab949f41adc6d0dedc53722c171fe":"b76cec3d6300ecc4a02e810296c7e70bd9b4e7121fc5e971cbb94337980fddbd":"2a25cb0ecf913749ad46b585c76097739a14ca7b59f1f3ce4f79bc8a4afd1378":"98c01d4527fd131cc327e9632104d9eee10407cd73ab607228d37b9b72ca2c987aa794804d505d072561ccd5016bd4189ac9e3db9187822877dd533347b5d2071818bb7683312e1e8806e9b73b021777f7f878bb7d304ec58ce92e5e36d3d05a7383dc77f3fe6eb84b615f3f290bf8a43c34ef5478a30a6ad616157c9d7dd046aa66b522bcef61c9d19382c32425d38ed3fc049e73035af1e8b97388de22c4dcba0bdc09fd36ab7eb3f67659cbd92b8d7f6d74b56fc8daf17068c65fb016e29f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"7817fe880c0a4224eaed0da5f3962727e4b3be567021d37d3b6d4cd779274378f1cdab91c4e7c1433dcdcd0afbe4b43c32a2b5ffc520ac3721bfd5352fed023d04439c176288521319b5e315b6e5e85a":"":"c7708c25003e6587fc8c8116c500d37299f5d5ffcad3405349351d4fed623874":"45f88f2df43c4b9c3d829b7cfe61904ddf658c16043271f01c5f06ad3ec7bc32":"883cfd717ad8466035e6d3f3c04813e21657ad62eeaca449785aeb0836ac94f8":"6e0633c532099ebf0b10d4ad35d78a48b82fbce37913e655484ae40e29772a25630a7ab37f1d0ecdce27773a2ce88521b171432c07c02269df1822d2b6cde0d9f768375d9c60e688f497fb7ae262cdd5f7e8b84b84411d619c36529b41576ac456a240ed94d750fa722db874098ef7200c74c3234a3e5f21fcbc2cb5d50c4297d1e70901b8936964ccd242098002f4c8ed7dbf49de8c2a924c737f248d46ac1469f676377ca52cba12f28d9b534504d6e8423b5404b7e14de954b4225bb53551"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"f2bb6edec000982bfdb301d1d88a23ce840e496a4f595a662e4127571264f1d7e9e283c567f11e7e266459fa781c6fd95339015836ebd69aa42857010f44e8a72b81f501c96931fb491dc1192f6f6a27":"":"ecd5ea33146cb74a707eedb8df881eddb1797cbb7b16c16f8d741d23795774fc":"d410d6e2e848f2241ee45c9870064ac0217d97f59a8e80f6b5107ff0e4240bd0":"8a8c58fde3b8c9711757cb17e46587d0c5187f758d64478e9968604af0367136":"990b1f68152b3607f3011f8d04ea33a3e8fc479c8a6eaeb589133569048fe1284ab44d51bdcf4f0cd4c8d64f4c6337cdbe5f4f497ea90ee4204845bebca2ffde7831cf49892829322644c4e20a45a9885ff619bdf5e79ee53c26f47072e20a46d2b108d180d6ba5859a696f472bfaa80b2fcc7eda374a3f91ac0b06c9f13afac1af244a389cab4489d0ee04a0598f9c5168f39b40e7127dad9f20d69ede6cae7683b25ded1cf9d903541fb4b0a804d7c163ab068d22949f28a8f4e853e691e51"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"6968f5b87019b4cdafcc9f3a89321f25ef5d8d70fd0781c9e3bb01b3ada18c8b61d9142b639aa75f5f9d798ca538475d09b121048e8a0cc4b2286efa12fa8b4b959938261a1ec8e607526b7a27931191":"":"fbe6b8af6685422eeeafc32327a99104b45ca5602513aed0a5c6235328e8a7a5":"04f137391e27caffecd4413c775117feda27cad839aa900ff2af47c700034b08":"f185925cc180e556a0703a5956ab6d846121f9d9cff97f65bbed3bc44904cb5f":"c8bbe16192bda74ef89d9859b248ac658896bd40b5491c90e923cab6815ec3d2126c62410370f5f44e01fbf1d1653064aed835604d5fd0633c8b71cdde6c831cd91d69e420db83e6d5d82c26c47a11f2ede616a2885a884835cf2142a6ae4cabe989700125df12902374bcce04f3fd78f034e50398d9bcf463dde6796627820c75a7efee82fe4e16375af57ad3154973042e0a92110ef745f468377f6cbec5fa1a1470eac80408f8e96d37248b100ef8476c2a85cccdfca5696ffefeeecda9e0"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"e8e99ffcf08aad8e50386f5d079d79d3db783a74165c6126b42b3140f744a7c723541930c8c772adb62981dbef8d054ecdcf1c30228904bd7ba31798bfbbd64757aa251ac9a1ae8c20a050670feac59b":"":"546e04247d6cb5212a57b62f99e1cca767a5768cf79296f45f0db24732ba6368":"fd45f66c8dede41387373c38674605f3e075c9b7cfc66123a5478b8f8e3ab276":"39911a79c6edbbc805a50d2aa018742094177a8e216d647c64428c00169ab2d6":"871577ddf34b29e5caf132aa82e1d2f1586b76e39aab62acd02f6d4440908a772ac5f6fd48c5f55f1ebe0e76221ac46b834a8a4f5dd9958721ee053ba3aef1574ebd980a5da6a94693662717ee548af0f921421d1afb814e4d1799d351889d2a1bdd57570a913e428e6613b16e158c1cfed038f6578920d60db73dc10a40da9bc363a0206b4e7e49670eccea866efd9a05bc237042cf052f2a4140f9377e3c6792b88ea06323fcebb99c643fc1c3653758d6866cdb148837fb0fdf77de1564cf"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c7774e199b5a8c0b306ca236163249044ec2153dc89bd1c1459cfd40cc6069fd1921837aaa80f4dff34a97b4dd7e94c0143efa24f34924fa52abb4275a63cae7048a7fbb8b76300fa8d109f9561f1699":"":"1f437f758512071bd23d091c2b1ad8d51b99acc663e1d037fc5421092cbb1a45":"c622ac1071b50e4f899e4760cfed476adc013b6ff95c9b7be671f79cd2487ba5":"f973f45f75fb0d68e0bc5a723a72e722e6c8f3fea08d785141c78786da5101c6":"9475c697af430e94ed396c707bb7d5ee5bff18405131a0e898ed38065abc28ebdc1dc33d767c4dab69c846e3350bb414ef2d43798710958a6ff3e6b55de93c2ac31793a1dd4b07379e364ce72553323b9bcaa8839cbbbd347b4a82010b78967219b84c6fe9f9285ff741a0036aba6bfa7dd0d5a4ffc1936341b0e2a31082123b6d2af6740cb3ff43bb4a87ee74ef7eb06030745453d2ec225c8f31d214f1dead0f29af01ebfe90d2f8a8bf5e031242ebfcbd136b3e3db1f63a46f69a26d6159f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"898963d0237c58e4b7b6e894ab271555407d3ae8c1c4599f5f5490ad5701984a6e5ddd58d311b547f6fd2d4d67addb4ca6b86839b83978baef72b8cfbdd0cf180518af0e32e52ad4a73db460af05e187":"":"cbe5f14445cd310aecc97113232a0121ed2082f2c4152b4be68448f36c91b1f4":"efe0ef028e4179ae10b378bcda3d96056ff21d94404bfe022b563cb6690ad563":"98cf6a771c05f904b53ff9b12709d20bc3f1821385cf27ace7a4a584e73866c2":"5682b6bd667b45dcf16527a817852b52a7f5d0fa8c962f3dd3af63e7e71990da92b75e9fcf5de59b1565f525a734e978ba74dd80fe89a2e527960ce4207b9ca514d933676ad93e6dff5d57314a45889637a623eb7832854c3897faa511ed6dd246d2b8280e7d0524647d4bf7715b5546e0a9a1dec246b1680adea2eecdc354fb3122654102cd0bf94ac9333caef3fdc369e7649653352739783d048e08e8d231b332fa1558745e2ce89dd76d1dc442a71dc3d5eb7d3481558941e261f989b097"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"426bfdd4ead656611ce49bfd9f213843c194bb6863534ebc258415148f457e6e685fcf539922aade348a2af678038610af676246632dd70920d661518d4dc5221381b2fbf1c2f3bfed01cbb930398095":"":"971785b18e244d03e25b9a80c2c2204f5bab6dcbcaec986342450eb9b376bb5e":"5de582cba43a610866578604c9f2a542831f41c277d50b324f4edf1e2e5d498b":"46e4c325d2c45e00a3c17ab35115b5370abbae61337eb2da4e6aa91f951f55e9":"f2e8be2e994b74a4945fedabb167778523865ed27826f9c26ca2b49bf32af1626ae62bfeaab13e9bc52a081f365062a5cdbed0872f6479cfec5a5e79171d97ea898e8d10ed71203882d1d7b7d28c5d59b8872985abc628e73622f616c4c0904ecb1e4518be8b4398662dff8806c3f43750cc9be95aaac2a4730f40323d63af157d13555d043c4d0d7cb53f202df282fdfc5544a234f71121e893814f4bfa926351c5e9427e90f1117a3bce7a16f0e08cd06c3d7c458f9d07ca3269e015733aa1"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"ddfb3d1d93e977aecd08efbd71dd48168e67658d93596b742670ed7c8804bd3e730d34a80ca1fb4ad2471ee22461bbda670337d675a17721ac63c3793153830a26b1871b316a3e10e49c555f44719577":"":"390c53a5ec1db52996eb042f9a76e45f0bca76ef6ea31b4642f00658342e601d":"b5436e880c15f03c3bb846d90f3ee5fc5bf5393865a112a4317d724738f5dd25":"d193f932af858698ab086bda36d04dfdbfaf487fae4298b38fef97bccdf63f38":"bdf9e1ba1fbafdb8f4628098aefae4810ee7fd565d0d285ddc3840f8e24a9985c2de57edf5a511079ba6c952c95c626e296fd62f3579ad03db536238fe69158317c9c26d373816343505c60a48e07a00edff8fbfef0ce69ed176e5484d056af02a270bb6fce7bae0b223bfd98ad359d53b159f3295be3fd630a568d2363121c7021ec23b14693be48f5b55e06be3d729c2a80948194b1266da96317bc592362809409a7666d5c168125b99de26da741f17ca52d63685ee8d8260d45764fc78ea"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"457e49a71da81a2a08bb19b97ba8e62ae4b5ad4ae64daf758a83a75506f9251149b2bd7180f69b9217346f8165b7cd8f100e0b1066e2877f5e5da21b037c2bbf178611dae627d9beaee64a9d0186462a":"":"c3181f694695c21405588f600ac33871b519e2b8e3b876424b32753da483d6ec":"68e717410f99ae13712175e402b51058b7625b7da27224414b472f9622d163d5":"f2cf13d05e853a13ed47c5d0eeb9c0416688050342f0d345ac1bb21d5ae675fe":"fc23aad02870885394ca831b72201d76cf736f08f6132b12178e8e3b016fef8d3bbb849e5d935ab732054ca701154e7d3e87d1b51b7392ccfaa19c4ad28638c67bd149ff67a93c09ee1fa5c2ef7bf9d40844baae79169e52e9990c93f099e036b63b000fb8ea67a13167b045c8f9163045beabe0575fef00b89fd90390b0124961698f4ad8884a1e1faf576de7a179c03221402279b31c93136b9436f9a07b5a67b1c199e7c6cbd0b5f53ee5bd0ef845243077c6eda0e021ac9219f6db5ad503"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"79e96cc8e77d8fe72cd6c66becb52753cea28bf71680fa541f345b83be79973db4081201bf23c94d1828e9ca1e825ac18aedc5ceb87a4c1b0c333c88d97e0f12d61b338e5ace5e15f71283d31a1ea90f":"":"4304ccb2666b227c92e2b00659ce0b34dbb53451591e32914a60d6e6cbbbfdd6":"d6e74777c02252b0613357b9a582f4d8cd7e436daf1674a663561b62d8ee7143":"0de123897d5f090b52db88e4c0f9fe736ccf27c134b0f5eac61b200d15e07986":"55a369d136e2d903c179472eebfc45ae236994669c46cd318401bc662f38a1f714f78ac9f15c819d2bd876a7af51e6caecff3c650a3e661e5d137a354cb16aed5b1554545bde08c10baaa5bce22284083b43a6dd9941a37f1a18929ced61181c137e9e38c79d107465a5a12f2a2f37788c8e398ac48b2be944d6dd3562c05922c25569c26a1203fdd244920e6c268028dbcf6807c05bbf1559969981467a479d7117a91f210118c1159749a1dbce4d8a0d5f2f8232c5152cbaa6441865ac3a88"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"b37180874dd4a7e08b1256966ed5845001b0773b5136956dca7194cd12a9d9e1f1dd35534f579307de11c1e64875e9377081de3095d83ced0ea3df2ee8d5be4daee545b431dc908bc10efc04db16ab4e":"":"d3c8aa88cc8d5b59af3685177cf3826cd675854deddcb9b501c40c4288cd9cdf":"6783f5bd86fe178e6a4d303342374ed32853925f143a5ad083c04a9c298feb99":"4774e5d062eda04b680d717f652d87bf5cf635f597287b76fc35e2d5ce593d08":"e478d45fd3eb6f4c398a0ec84f93ea6861f00666753c143506c5e417100077e2c4c9ece450d98c9372d68aeffe9e57ef9176d4084f9c6d02479b516942dd4792a90ffe1e4e49a8156bdd872f1f05facc06e71e581f919cd94fb97208515ba284fcd255ea6f1d1ebb7d351e1ceea1cdee631072d3fc3f4ef9d5fc57a9ca98c88b81003d858cb5be0a3520c34e52d3beeadf91388ec9a495b1fc7ff7a6799ab0af211abf52c15467274c04bd104df14033df000d8624acd253a6c954c0d89b7238"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"2779f20c02d086d30d53dbd6e7396a35e677214650e39f2ae83077fad70c068005faef347e7f73efb53a92f0629e012c7e1246d07b4e1bea7008dd8ecc7546e3f0a6e0e950e083373fde3fd994e114a4":"":"55edb840b85b391d4f1940be52a3e3824119349c780811c570d2c88dbefcea16":"e83ef56f09f82af4dd91a0b887d3f182dccd973435b74b7b3c432b39a61fe720":"eb9f30f2886d0486c5240f43104e426b36aae0006c4b9c64dab1bb713bcef7e3":"68c3feda06172a191184e0bb77a8f3c9096048bf71ed95b20cba1b1726660900d7d9f97b7ac648c76b50b921c28eee3d401ba81c8a46fabf82301fda8ffe9d76bd93cb275638f7c2088cfde88620661eb844cf953cc141b31e946338a0203c8ae67c2af1330a53251818aebef893010f16a519fcf22060a9aa9c597f3409465cf3c9ccf753db8c0bd3b465b028adfc447e37b5129c17ae9e8bd01f762662c466491fe57384825c163ab8a26d67efdda01b053c19d3bc6545c3661f2ad1df1e33"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"71c9fb2eb8cca98860f955a8bb3669c70b6f5374256da23fcbc4ffc2e90bc0a043b8ecbf1cb0c7b65a2cb7a47211541f2675512138964d0db8074727158bfb4f0d3c093f1e2c2bf697a48c2ebd27153b":"":"13b1d552e2c8c84f66961ac8c919166a248bc62fb896cff0b8b001cd7e147bd7":"27d626121ef579d9969809762c77068e4573af44b6e947a2892337a11404c133":"456ea206c38662750af39aed5fe0a39760f4dac85b83d7ccbc335f53a160a0c9":"464aee8af42ae68ee776780113805cade246b83a698c34bf4c92e5d81f28829ecdb808884bc7d784397f2b2f8c76a2e3517b53bcdc7257f44ec9357d014af4e8ddb44df98da72775567356f363fb85885f8f22505e5b5a80c824b4a0bc48029e3419d3d2f161b1469cead730cb123ca8387a2c8276635a91d0dcb2220797ae2702468587ac3a70b927625f3a6e2980d6fae6fddf4b380ca0d91eb4aee37b98644bdeac345f49523a241ca392972da02d70364f9401c21fcf39eeaf414a09fdfe"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 0, 256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c9e54bcebbbdf44051e80b91cd10c87dc24267923350b6770406551a5069ea2255201f3f15bc3a2e4caaf0b45510f19db299a41db8d56ce993ade44323c455fb1a3f504124c35a9e907d9765e810c939":"":"2819b3ee279d57145ea1020ebc77c46031d69524a843158192e081f2ac91512b":"269ac853ccd332fef61330af7e80a33791ec44b6cbb83006e5ca0670597b35b1":"fdf031b1e0a8016bdf6a6ebb533dddaae1a3a5b14b9cf52a1a8028cc720b10c4":"a1c4c1d6e72dae5e4714bddf4a1cb8d01cff8a3973b12022011270c0de7ceb85ffb6a6aedfa54d0521ff33d748fdef8f29c52c7c414e692a30dfd0013776b58f58421605369c83d4d891a19c782a2d036f9638aba9e24b0eacdee87d4a8011699b638c287f0a12f11ede86a946be9c00d21a31584a2a0da536dcbf86e2df63be9a7b771999c9c7a6b748de713b7da757de2d731a8d980b75136b0fdc75ca7aef47cd36bb9370c5ca0ef81b9a04fdc78698720f68e5d54e1a777e557a1dfb4c22"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"4d95f31b9606a5f6d04dff1d89b50becfd0882e6cf51c1c5d24ad843bc12d977eba4582c39d793a63eadb63f292568c7fc4270e6c9aec83186a20819a7d35e7f1155ea108794302d593c53ce9d25422b":"43bf6f32b3b5f580b54179e4102d063536e7c47681d6de3cfe88fd8ec66e4873":"":"":"":"e991d000b24ebdf838ba11f9849591b0029feff33604bc4d71acd94301f8d045eeb1f81f3a101a297403a35859113c099939638680d481c86067f54762892f82146f61cce7bc2c85d395348f3ea2aba6bb3e59dbcf8e41a81918b6cab304d44ea1e32573cd6936f38cdc11d3c2f96290cc27b0dfa3bbbafa9394acdf2f4435170b428563427c4b02ed25924226edf8d5a5eca4eec4aecf98ef2e6f75caa70bdd84877df2e637b7fad621c6170ca5bd86e21d0bb01cc90fe2e76353a9d5687bea"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"1378443dfec3c03d36b16bacc480edfcb1a4a509c17cf4b35787dae3bc91ade6c113a1e0df927a4449ff9e2f4f1cd9a27b07f57ccd6777f6d6bbfc9655f0676d7b4f91712efd43315be7c7f30e51da89":"f67cd35afbc96756499c68a5ea19991cd1ad4880fdc13afaa817608a141e9646":"":"":"":"b32d9838b3f45e3c4b3ede1181bf0aadab96d22790d8536f5913fe95c3ec0179dd1c7ae69430bc8c68f4f30105199b785a11adf7abec007d18abcee2e65df5a211adfda35fed8b9389a61d2fad33fe020119e72c782a316f17f8a588239567315bda461f5f4518a1aece4d0ae028c153d67a8d4ce620e571faa0403c56bcaa864822e4d8ae6d14feafefccbe879ce4baeca70d436218e0eb3a62bf15c018fd4cf66a50e3d9d7cc9e4744e29e9c945eabf03a6a2c4ca57e582b60914417da57f6"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"69e9396c58ed867eb52fcd046504922e2e9a9b059234cdd3f0a09eee9fdfd45dedf5d3860b25115f8a3d0e2f3f543890a23a5aa278f836577956944a098d18f05900d1b076d30ea745be745b9efc0dcc":"1b6e1bb613d199a5e6f1b5c2ed041cf6f6633e2ef4d50ecad89b28102bf70554":"":"":"":"ee09f7b24cdc6b51a8212ca00613633c1a5f044fa921bec31baf679f5ba66bfd723721a03e0f260a44ad5cc4c580080667a781427a34c3d2fdfaceb4b040ee675491c4dd0c0d13abbe81336384806e37f2729e7fd080fd57011b54b664d58534c831c90d182d4d955676938d484087b0086d2bf2737a912afb66101575ca2bc5acf845f4970bb1ce4441eb667d5096319d6282714a8a9708ef9964cadf596ac3e7b1ba18fdec7e2e22f5e6352e825e965a494cb880aae78477aa3bcba9428107"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"d2f390fde0b50ea4afe6baf29a75e698fb0275c04c481df03910d238f4e72c6f63a6231df89123c2dbecfe0cb0313db34288f4143694ce2df2484d20884dbca097e35c3fd8ddee5273b53c1149bf5070":"2bc38d852d1ddee2e89b7174032d96c0b97f955e16bc61716c5c64248eb6232f":"":"":"":"e62346c72ef393a2904e982158992df4ccab03142c41d8d29c1454794926c48570eef34bd021d44cc9106401e9cbce6ddbb6c92257e89a787499d7f7a2dd527833307e02f44645ddbcb1303f1da95382c89805c76a2f12eb13d2b0205b7ec0ef21f596c98af608a2f2a2c5e3534e01a23ba25bd5fcba0481482e1ec8138fb1c86840060919d7620cb7b879d1096f64aecae1ea085a793a9f4dd665449ce73cb3036dd5f2a49138ce88c461a0a9e2f0c1fb8338f5eea53ab0a0ca8a8df9c315c4"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"0cf86ffa1456c453b53305353ce43ad3ba44ebf4c6943cde8613cdc417ee9f6e759c0bf4676f1ebd05c519eb84dfcd3e379ce61016e48cccde24753878f7d8fd5da72518253b2f836f32e5b594d54ad6":"088c917f84679641f491aaf105eea0f02d0a8ae0b7add69645d1ef304c74b417":"":"":"":"79e71d9a974cb88d9022d35997032bb5fbf8f0daff411467217837a836aa44c493f868a333d1ebf66689895b53c9e01d58019dd1da2354fb966c88d2d6adbe66ac0b8901595a24dddba609478ec36e497f6fb6b4bcaa88b1e9a9c87088f66611446e8c2873e89ee1006b6d92d2eac54714fc6481e7782b38ed4b18d5f9714ae6a544110cb6063c8a9964c52a7026f52af448783c3427092e0339efd7d1a8522848a2faa8aa19c21363a537766c05505cb979269c73ee90679feaef8df13b6506"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"7179c434bffa377d9b6821da9571667c8b962196f7d8aad062e75b6091a34a454e8f4d14a60fb5253ae373cf50edca93b8d2eb2075076ec8c7a42b7adbe7723a6ba8b51a55fadb16fc3a6fe9da020482":"bc1c39e646afc1bb62685b746007148494209a419b733e938c1a5d02e2350860":"":"":"":"3093a2e1f502d44d8be4f35b386774162f0e10870f9cd34e3b9d4e77c7ec7cd10cdfa0bf8228be96cb5741f069440a6b6f9ec155d88ba66b7fa84959c53d3574bf1cf9f1561006c776223b881dd396e9e9830af2c1b5f7457fc45e823b411c5c2ba3b11219aefe5508f75cbdb5e40edf6b1f61453541ac98dad9ed502bf1a8afa79604261c7a89e78cf2941d520e0c10bed18820da6c23a5ed1c0dffbb04cdcc9c3284d400644e9365c995d8c99eebf444f2cb051bb62f231301d31ea815c338"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"b063333128a6ab4f433f151ae8aec4283ab6d1cbf4a69447850fa1a25930ec0f4204da52752a9bdc788c5cee6d8b92e1b8530dbe0c81b1d34037ee53f20758d5750d9863ed60c762ae2a8b4c973acc22":"067708b24df7a34811993d5c65d5348eea73e6c6680293afab5804b4328e7a96":"":"":"":"5f74a1d199f30fa22f2020baf036fc61b1cc2acaa80b48ddff1cf85fe5dd200a9afbd8bc51dd1829636fa335660f36d5d2a516e4c38e8ef0c3cad979e79e7e226b820634ef1d76ae81bc3e3807913eb0731b2e959c43afa83feb1d8da31dcdcb3dc3a4cf8f454c4ec41bbc822e58023f0d797c844bd8f20034b31d99579bff142cf53d2651d7a31b212d2b9d5705b048860d6c4e3f45ef1bf2d5e46433fec593b9f68be8b1e928ea04ddc4ce2fcecb737bb8f9d054c2ba5060fae5e5fc21a650"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"e23fa0c86c8a7b99ba0d3ec3ca47349a57798c07587b666cc4ae1c9eff83b8cbffb49d1910bf05db3c7d0db7e27285ae9f6b4411d84364b27a66398f5b0a897ee2085526d3ac4f65e70800067d57a51e":"7ffdef21683a75484f6ac304801c213dc8cb7e3cf0f94c358a2e1ccc9969e834":"":"":"":"f952956cb8c528efe2c831c67b69e8aa7e79c013161497b9c55415fd40c7fae778a6fa82109a40dd72fb2f4d92e1cbc47f52d055485c99d893fbea1cf28dab35be1f162494cb79ea45c44a63a1685217cd3733dcfa88bb6de65c68f2390e479c0fcc6b398dc5498ac93002e7e7f360535d082c8e46386611075665060845c4f8bdee38c23d2f90d2b1d78217e865ecfb6df02498db837fe581c43382cd1d3a508b6dc052ef7c4d20349679db8d8bf8dedd763da8e5df775d133970be062a9ced"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"4889013333cd1e2b3b8c4365bde690b66e06bcccbea25f04132a0962f13a7d458e823f5ec0ea091a07065593ca44fe49611602d165a35aacb352206844acdf41dc2c88b63b36912ae81875bfd3e098e3":"b4761d82a93e17d8a0a461ec8205932edf218157459a25a7f26ceddb59992192":"":"":"":"72aa3601986e6c970b8c2253118b8381264577e391e48bddff0cceeb5101975391a2c731f5611316b255c2a6c0554ed6cbf8acbbcd8609e3f99c3cec38aa060eedb863563442b7beb78f35221736c608a933aeb0d4a7cc050fbcca351cf780d42c5380284a6163520a80896ee7f71d2961d7629d673791f8fac10bd01d32d95e8efbd65381424c378bbf54b532a70c285d98bdbb559c9f37d6eae889b82d5006fba2892ae16acab103aff1b247711ef92dbc6e516c92e388fda4243808f95170"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"cc32ef3ea3b0db89c69312cad56b1ddea73ba4c302b85ff3c6605d1899a96f49909c6a54d98baf096ea5bd46abc2535309676d9d6bb9917271bf8c86c8852e29bf3ff5b2fe56ac094fa35dcc51547f62":"cb80942bfbcd8f112ed601cb12a5ca52cc0f280522db11da92ac6c76be3932fd":"":"":"":"2c972cfe1537bae42ecc46b1b41a691350f6e63c202245347e91602b93a4cbd5c8829e5a4f63f7ee0e29adb69386e8b659dca2e6000aa03beab132db6dada8dc35ab68433671cf621fe4593018b1eafd3a2191507fe015e2a5694fdfe2c3182fada71d18c5fdeed065089862249c5508f055ebeceb9fcfe5d16e4479dc17e2b59b5a0aa31cf21fc6b5925569b0ca63d1a5cd268a4d409f1039d902556236fb06e61c1c054ed3798cbe4d8c2a7b2d18206212591174cec9da519fb876c583a20f"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"142bff9332c48103221359040cda6632baa92cfbd1ae7f8b3d0e33d6a8193939d9d20d17fdf6edd1b3ca9ff600fe965746b0ba1b61e9aa5141edb77ade0f191b87f0b33c0f3620801a755dca02698883":"8dbbcf0c190783122aa6da6e05ec9d82ee29f8e74e59f8fe6eb9492fe410df6a":"":"":"":"2537a8638d5759201cbc225e844208c1d08443b055fafe23329aed5eb2d814703b0fdbd0a89c2d62f8f4ea7746905b9bd90706b734060c96e4e406675576bae84317bf36d8523babab72236b71fc6087dfcfcbe765de13cd1ed316f495e3bd08d780cd6a58849c929ef24b41e9561868158046ffe8d2a89d169ba31331611f0872c6d075b9938e5170a3b8612f9ecff4743c0db5ae365fdc2678ec262eed3b7c337e65dd1ff24a867574ee460bec7c374fc6b3fe9b0eb7bd9f5507ec5988d313"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"821ed44bd793a4af223aebf52413ba5e0e231b2029b3d71475ac028d8c10f86d2382eb9c62bab540be847e22344704d339b798248d0bf2990c0621316e3c98ec07f05bba8887783adaebe8fcecc48fed":"8d2c8cdb2ddd6934271941f071ea47dfab869a5671dff9d424b916c1ccabb02d":"":"":"":"a5fcf13e4a6b9829ac30171920478a7878aeda658803f2e314f9ef8cf42c9c1933cbd8dfe5053abd30df644ca062070662f4b7e7851d28ff801cc4b878523b4610891abb29c095a70665de1199182fa193439665cb19cbdb00aaf3fd0fefaa2278194e79ebf652713a28c36f2cdb83f96c8eb1e85c9969381b52bc3444e8ad5d82c94964544b3e6649ae3f532d25a2e370e9fc8c77753239f130091c43720ffcd2bbcdb70a75223cfd9346091e8c056227f66648941552efaa5a0a369291e9ee"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"977bad4c5d1d16a2439863af8bb6fdbc206ad0bf20c4036c044645962c36e2e853f0d702a54b70421a509c25de124f27e330eba581fc82efca522e43956187c9ee4f58f971e4b91ed51cc8aeea26fdc3":"51cb91cb7ff1b39e18aacc0baad20443522bf869f26d9d7182005b5cb1d018de":"":"":"":"df4acafbe4f28ee47acc5134ef665a50deb68de9b3c7e075b26d5731049f13ffd00cda05f612f20fd901ff127277f269c069607442ed9f7b41892711a72b83ac592048bfb28ab2c64c6b9f5eb4427450f4475b1c04dd4665998b638d06fe8f463e2f07ff46073003132b66a5d4d19a65bd08230d1db0234fbd09a98864f8ca824e7a0ca9f1d1662027a60c7e95382122674d88224fb192cfc129952ed6515912aded9c72a49a39a00f9f9a16abbd361b20a12b5f3c4de54012aeb1b42f6fa3bc"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"3116ef07685eafff1c77f185fa840bb5627fb9a5d79f72f8007cdcdfbfefc56bb1769991d78e9e48fca4c97b01d720d1d3ea6fa6ffbe2569da94b6bb36cd34d72c37d0218b3d02c391e0653e286b24b8":"f138ca3ec867cb7ed7d5fdb0868d7470de5f802fdb941dc400ad524d9032e23a":"":"":"":"59f01ec06c97a49cc5de469cc2b39c28db7612029e0e24e3c2b24f92c0af2383bfb9a0dccbeefdaec4bbd2607dc582ee7eaae6a4ffab251404e3c59c95e5460ccc8d8dea4db73e924ccd7528708e1b6a9d62d485c93764686f93df6fb8a9ae86bbda1e038697b5485e27e0bac9a18126bff1e7b104401306cc424e783f55ebe9940176d7123ef58c9460e5fb8311f745fdccd39ce552547adccdcd853bfba87aeb87dfe8ae72080fb7b3e5c4718e743c9f576d7752e3db1fdb29f160bde115f3"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"f5ba27c487a40dfe342fe18e7f9c72bebc1ea229c7634cce87defd7aa11448e3f584d1769f3e76a017430e6e9bae6bb6c79170925e1156275311d86d4a03cfe3dfbf85f80bbd70ea98af76220833a0be":"34fd124aad5a10b852b2fe8481cd0ec46dc2d02ed9583f6e282a4c908e319024":"":"":"":"977fa5b70f4ca3c04b6f495de3bfdb4b8aef93bd14c82653e30a00a4678c602aa889766ab7caa434d9c15bd68bd14e66cdc609289a691dbcb391611be66c2056f8e675de5db9b2e2f15e5a330d00a8886eb8b8eed4076306d443ca292d783fb056186aa86e1dc9f18a113e015e535dffea954319cd26e5572f4173766207ed7d9b8b2c42a741340c1850a07139c0b358cab942bec51b159e50f5aa9d8fbe7ca9d1d2127a98fbf0f8c3094bea4e3039f7f7ab083fc9d050e29e7d4cc2d3d44caf"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"c4868db5c46fde0a10008838b5be62c349209fded42fab461b01e11723c8242a618faba54acba1e0afd4b27cbd731ed9d30016b5827dc2bfe4034c6654d69775fe98432b19e3da373213d939d391f54a":"135132cf2b8a57554bdc13c68e90dc434353e4f65a4d5ca07c3e0a13c62e7265":"a0bbd02f6aa71a06d1642ca2cc7cdc5e8857e431b176bcf1ecd20f041467bd2d":"93ee30a9e7a0e244aa91da62f2215c7233bdfc415740d2770780cbbad61b9ba2":"36d922cacca00ae89db8f0c1cae5a47d2de8e61ae09357ca431c28a07907fce1":"2aac4cebed080c68ef0dcff348506eca568180f7370c020deda1a4c9050ce94d4db90fd827165846d6dd6cb2031eec1634b0e7f3e0e89504e34d248e23a8fb31cd32ff39a486946b2940f54c968f96cfc508cd871c84e68458ca7dccabc6dcfb1e9fbef9a47caae14c5239c28686e0fc0942b0c847c9d8d987970c1c5f5f06eaa8385575dacb1e925c0ed85e13edbb9922083f9bbbb79405411ff5dfe70615685df1f1e49867d0b6ed69afe8ac5e76ffab6ff3d71b4dae998faf8c7d5bc6ae4d"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"46c82cb81de474ae02cccfac1555d06e5dc44b6ef526e0e28356ffc8bc6c0fd0628d4d942834b94fc977609c8ec0a6392c0693130c6215d55e37da43d67def719051e99871db68128e245217d2aa3230":"5de51e3f49951bab36460724a63f046e75f6f610be7405f55016c93a59f1890a":"5dbb13f5b4eb275cb757513e6b8af6fefd7c9c9e0f5304fdd9b4c0968458f22b":"3ebceff3232e75c6beb79d97c78e93244a257f0772f82e234518c50e322630eb":"dc64e5a1fc7b32f0294db138dc131946e5602266f4cdf00037ffe513a44ff83c":"e3480544036a3684a88e23ff41a4bbd810f827021ca45e800aaaa36ed0b9bffcbbcc99a1ef1f1528b4bfe39514c7a390ba132d1681138c4b1b9f1a0fa1758837dde35d0f6c38683ba47a904937dc5ee3d3b75f909e5fb6311c6cda5e1121edc774e66092aa1dbde83e4680ff95c0bbc2946aa4d46770f247caa7b71bdefac9641ee99700fbd1e560f9f7fbd462ede64e009ced90c44c6ff03b890e16c79c7b8c959a27defa6f062168891977c637ec22ecfe20601d499443f1fb0ecc7d9505b7"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"df8053def0260ae71f67e197ae8b547a228e9b67ba7909fc1cb3adca51058b15f6d5951f0b60c972d139b75dc44a3680127a84799fd7672e429f20876c175d135e5f894edc7a4da334eb8b73a334be61":"26890036a9b17d8e805c38568630e1c196091faad546ba8eb976f3aa031a8905":"40ea6bebb0cb94b7e527787e17ef9f7d3efb889fc1e47e49893ac5c4bba988c2":"090271c307b43b951c20ad3f081d2838df0936a4bbdc5eb6f2e16b1db482b1ac":"c203cc1a3af668e45653bab6b1aa39ba0669491a06d00cd39c97b777a8bfd4d7":"0d68d903c85c0172419dc9f782c5d67a0b3367d13cb2f734fed95c7fc082291edbf4fa83354c6588227e40bbff082be2dd276c264823a8f31ba18b00955d7a1fd612a2f37d824bc82cdec972d3f8384dfc78b51dca61e815766c877ef3d2113704c805a250aee7b55b849af048feb3536fe73ec4f0bee97006881d5eed8ea38ba1b8d16a3bcd91fda749b77d688997bff09f104a2d8cd8e133ea4aa764b237787358dadae1c25092cfe09f79efeb8eb6e20c39cafdceed90e602f221fe6b1d69"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"b1a1b468e1d59716a23fb028e295588f17be6a79e589027237681fe9ce354860b1cc33918a64c8be171e595ee6a3b1ef46c2ef21df2815528482ab4c7a32449b97ac75a51dfa1c7e67a763f17e97bcd6":"77e5a3eb6ab38419f84b57997627c6bea79703c95bc1cd24ea73eba2edbed540":"52aa0be951816d21a2ede89f53913f6d5d70cc580a1cda8a49f8e49a6befa909":"5bd8e4ac61bdfe752b5a66cf2e048e812a8aeae8e20c3c8c43f31180e4b18303":"af5eab21e4dd9443b1b16f40413faebdb0e086991dd3c53c8a51bc434348311b":"d477404bcaf0ed53788354705f0fa9f46c4e2bef2cd94932b614b3c34e0b0c7c28d7483075c9745bfbd4e31e587fb1db77d557fcdfd3fea47da3f01e42635ed3fd87cf6c98a2f20aa833a1bb74a15b158e47841cebe53e4d5d8c85cae78ade156e025a7737aa9197b122e73a29ce0a881c7adc8ec228f4c14e56c722acb0165b1595f010266151801812c031efcee4a7739876777816af8baf4d29496912a012f1f33c07107b2db5ebd681722dfd76f3a58e9d7426e7fa75e326eaa416c5d820"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"098b8c107fbf943bcdd2199dfd15f130a20d518e95dc81988748e1f0ecc5c45f74622ca2940807df86fb05f0aab4727525f19d1d3bda1f70825f3e1fcb18d29e8e410616c105fda9324f4617af39f021":"220bbf23394c3cef156f683d05739b76f37538a0d360600bd52f0076425b5f5f":"af88f076ab39db1dd0e7002bae187965cd144382a3d1ca7b1ecd65d346f7c090":"bab9d09dce5073d11fcdf9539501dc998b6fffa8a0716edcf583a7d7385ff41c":"caf8d4e10513e5ceacad6f9f145a6f79e5c245aed4965ae85e2e7c5914f97510":"f556494b3849d78b06ae75571f0b9c8c108885fcb041dbd7892bf639d8ff6c82e19e8ce2d5aeb58e8b964ce4f75976a0a9c7f3ec8373b83150b88d6c58ff9b810124d4ac62d955aa64d194afef2f77de6994642ec86cee40aa7a5591e99a63edbd8bbdb22fc3c2506beee6d507fe34fdb4d4f525dcbe30b5747ff920a13f9e230899ffffbc5615e994ee96a1bfd8890cf607379be1a39d173662d0967c9dfea33b14d78cc8818c2a1956197f85e92bc11133ac4f7657f2db20eceecae8ca636a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"f54e9df92752d30eec01c3756d569bdb39abcdedab80b0aacac76ab406723f480bb359a5fc6c7aeebb6719ab44114a75afd340af202be3ca30e4de794b826237105202dcff5d1291cdaf266673275825":"b69f77d5a08850a13f8e6d06847c4bec181ac0f6b720be3c06c0b67d44843c6e":"40f14c3340e7092b898758ea3c36750943acac7fbb6a83f0df3392f7936749cb":"5bcfb0786c447675032d2a32b304f25737de59cd07c84d3875c45475b15797d4":"656ab204e2c1834f346d89c37a30164db414827d83ca732c71ec71efa8182c28":"6eb8f276a8ff516f789d94d997f33c2e40b227776fae0681c83fde659462b72d37cd48c95899530ca072bf2470986ef29dfb193be7ee9ab3f8cde2317c9bf02a5f901ccb62bb665bc3a109eab7e3910888a522c765eb49b11d1ad0fbcc45abe3841e9bb4fc0e73188497cffba54f3ff82260767d0f70ea1668f45192e6719102e75aa5cc43084c50bdbd1ba491bb61ee9e5175092c1f50d56bfb68977a567e41c1e05d2d1523c198ded737079131fb12dcf847219d71fbedb5659411d7aff2bc"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"2cc330b34c976c859936c21e2ad88bb60ff153e41131567f58ad34bff5c9cb418939fed56356af7fe215986a5d0ed8e9a078dcb1d3fcee6b99714eea3bfcefb37a344a69d414965539ddce9df239be2f":"bf531083f35066ebfaeabd67b82d392ef6b121e7d9603a5407c5bc74cd596023":"51f223dc461ac2df1c4877f65ca876d635d50939fa9dd586c176d8ab73c6d605":"ff9d6807d71ded1305d9e2cdc811dac2d73746b001b53ec8a5509c4ce0a07efa":"f5222c8966659974dd8a7244d2cee588b6c9a2700f338683fff9ccc45b6d3807":"981abda0e405c976435ec7f938570d911e5bbb32add52a8b94e528486e9dafae139eb15cc2b56fedfb9e4b2d10dbcaa5e6ab985be16c62b9b75a037684986843a7a0e3baabc34859253df2a053dcb0352a0554fd2d4530de0251b1b852d1d3b6e08548e215902ec8dc46ee89f3fc262c7a35aef8216b3def65bd56f0482a18a329f96863afd951307740fd8653d333f932940e2a87523afbc162c5c1d2bbe16f33a4b0ee0ec75bcfa6aee6d8348265938738be638f78506ab731d3e9ab345551"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"b4e5aad9bf4fb03ded64e4bf40ecc6fe2214049bd5889a5aeea0bf47be8670d329e6ed04538dd6d207767c367406d482ba7ad29231fd944f00b8d9b762935b93819ec62e0ccfd48f619ac40c9c208304":"67826d2bf9651404d5df4db84ea64dcab10697ecb90c68041f421452109af3c3":"67d6983465facf33369eebe0be12dc65fe736969e8f41478e44ec25d461e4435":"65f97c99140c8c9ba2ce37710b06f822cc0eaa03589157a3b575bc9c423afc3f":"19c37886d613d24b0592ea0b3a465ec8f8a9229abde3fb5e0122032e1ac8dfc5":"05777487bc152260a852e1b31a091f8e929ed22d8a652a77e4391abce7efcf0570df3d466d56dc51ef14bbc55309c6831655ba97c6050e563083fd1f2fe65b43d0cf8762ef6598d967b473b68c4143287f70d096a6ea120e3c07f2a95b80b393ffeafac2d0309d349bff017a49b9ea547a5776b5c38b9e981ed0a4825853cafcdf0f17269b9df6189fabc30388a383e3c28949625ef3d59a2c371ef416ace8658adc0e0b0104f1acd4b349b91b660d64412168d3c9e29680a5e324e4d0ab9258"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"27ae2120824f3d416bbea1f987440c507a4f01fed08a1be27e6ec16390c92c4f8dab04203543caa3981373fb991d855340c29baf439f23bfb599a5eeb95ec2059af24dd86c0825957ea8392ce3d980f1":"cd646b0d1971f249f4c4d1eaa17e60c311d813057e0b71819a503aa41e5c6b21":"90ee2d0bf06cb94190e6505a75d12dd77c266497dc99c5f89bde60be6789099e":"7d82b50cdfaab9b5d23fb6618b59dd28cf1a83c77ff2993d9f1edb87ed7bc388":"f7f728d8ef6af8c5e77cef1e837030a6aa5c12bc81423b0ecb07a2db95a32a28":"4b25aaf436eb600a103d3fae8e301d2755132b3de3c8b4c442129a88ebb3ab20c4d3a54078ecc4197994ff04bf0e460919978d47e45c7d10d76a1e63ae34624e2f64125ae1bef304efb1af688f20d8e212f6df4e11243a49177e4b6456010d784d0e4a94e75371a75c4050b27e48359549f8268dd2a2290ebde22282d96b2f38e3f06103dafae5f54f0019bfb013df39a76482ec7f878d26ef0e34c9c21e67fbcc3412aa0739e875da0e9ea1340592144eb232385fc7e605ecd10fee45524718"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"dbd5f508e8226acb957bbc4914ab13810b9b5b2b51a1b55cd4ac60f6b6d4c370963448fd323968c27d97e005b1a079c9e3ba151887006c56593eca7809b23cb768f5b3701b456bdc85fb5672a81db2d9":"0cda5d501072cf482d3c56c49a3c929b423f6e15a3e835888b3a9873647ffddc":"d3f38ca5c0bbcef46976c6a5965a8493f714aa2c8a2c817576cbc0bd6652beb0":"20014421f9af259892f017dd5392cc973f103d4736f3866e66329e5e7704e0f8":"686aba6c9c6c221b2b4a7de766963e4d9880676e7e6ac8e644dd273fcee519bc":"b720c7c56e10c9e436036fa8e1f1d1c0c0b7246c28bd36e5f3e88f988684b95a01127bc64cbcf12b9689f718baa52042b0837fea791391ee2ae42e54acc571239e5b654486a025ac25f46f10280ecdc65ed098e65e07dc3870b17af8bfd58edba026dc12b4ff04830ef132d07dcd7c62f67172caf2620a204869a81e39809db7befa25c5ed8a74b6d306c21cfd3778180d444bd99314a430ff4ef6b7061832df9b82603d6a0f646b398e7dcd8bb33a7926bdfa085a450d3de68c1e8cb2ee4524"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"7093224d6bcf0915eb75360ab4bb789c15834a371baa24deeceb33f86e8bfb46f4e34325ddcbee671f9e45f7887c1481238993ec4a309e10d3f8e3952c840d564644062534f985a6b4e38688d2c800a3":"e7cf1f32ba369cf5545ee672cd6746ea9a336de7039ecbb25419259eabdfa44c":"bb186a460387baae27c11aa8c65d6ee003577eac47b259254a933f82ac683250":"d823535ed974b7ff9f19dc38b9494aa99f88143e3383b5a183ec00c925bdfedf":"56548af797f4a07ec42273f895822d877a311bf1f8dd5c96fd8449732a13a921":"159c6923fb71f9670db4eef12dadd143ee701bec9b0f76b56e9b1b8c473eecc3e38cf06c8f3b0c3d49580e49caeac0fd48da5f53d0d3e9c829c253fac4e4f09730177a63e0e759f043169e91459c9cf959d2230c7b94be168cf4fa02588d78aefbc855d55e444d671a69d274c66ad1851c56c0d880416bcbad08523cefa2fb384dd0f9f188e8a601ce0a92d42faaed0a299d6a9c86958854712427b35e73a0817193b50f3557e66d64ad80fa9ff87427b7de5b7e6312d1d9988ba77be90d4cca"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"ea96f8787458e505f5858e31bb85b6e335206f6d6d04bd9d333029193bd2a04e5f85ad152675ecc090119aff7720739bdbe34551ebbef10e822cd29e9ade1488c21fd9e798369d585d6f58168d509d94":"ba45df1a14e23361201a467d2cfb7a3dce3128069a8a59a9a388b8e31c48efb4":"d551272e5a60aa1232fcb4765e853de2ccec08941acc75188eca37120fa49aac":"c1b34347691ae9f1bf6be396e8b49aaedb38307526627399fc10c48748c3a7bc":"722c0efa445262f5800abf75e43d9daa44e3dcee7a7528f7313ee52fca9f1803":"e2f873758c4e71704d8545dd1eab51206ac11dfdb00dfd1ec9e53bdc7f6b57f5209727049d4d781059b0bc4b6091c9bdee947127b8c8f03f1ee5f3665720a4f6c6777682ef1937719052254aeb97e3a17b6b552bcbc9154551a7ed41d837a27b6c37b426508409b75236cc156dad89d896f25c54467fd45f9698a11c7ce01bfb1fe171e4d33faf73a30c8992c51a838e9c0537354371bf79146a79a6d42d4e987b9773377fbf384979690b2c04c332f22567fb0921c3e33088d3b011921fca6a"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"92ac19b133398b7d8ddfba3c6046421b3618923241097b8f68b6c7430b6d232ae9ad8f864f358afa7cac72bbc4fd90f16ebc9c15913c11094bf7aaa510e6241face016a99ca08de6525a570bd1741dc7":"0517ea7410bde64edcc70df48f3c87f578b38b8c7087def16031e52760037df0":"439c97f62d6b7aadac64057c0003a41a44ee549f60afa92797ee7c9aebfc8164":"669d42f9901e029bce7584bbd22a13a74e6f6ba50441a2633773bf5ac745122a":"8bf3c1a08b2d8459df96d6abfa90725f1a735809da78bf99f7fded0230771804":"3b832a7f1df591bba571bf7662914b0e5a3b34d38228e377e4e7dcb4b9cb396ac268d71fbfd2e1a5cff4429feba36f55c7e45cdac49a5fc8a787292011c61f4f102bb9a5d9c8fe1cf047956f21c74987d80968d2e4cfa29bd92a35cb96dd372d9baaed8d31ba3462b42084dc1841a4042311abfe4b3358f56c9e0c69e233638d3be56d0d269cf110d5200759eceb63fdf3b0ad25937857d129b68f038fc73a842046cc7c45292d6ec3766aafbc22f1491774624751f2c50fee830e24a34a27b5"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"7a346bd6d853803d07844ca348f3c4837fce3e3a727f712223da248cd82db6ed4a9710cd8b9f2e7b593cca42da7b1a1285a78d0c764b24c3e4b21d25919c5400b4adaf0684c787326c19010728bc6f94":"3e8de39ab206ed166b203c97103059e6a9317d47f7a76bf4511829cc2e27a4cc":"327976aef239b20833d36b7f352e8e6570f8f325b568975a661b54b8ada49128":"9419cdf1c59abc03013d7d443c734aff57a6d97c870a03762c50b459d38f5e09":"f2c9c49c76bd683d42dd9de9d45a97b78710f39f2ee482e877e3b0844647f9e1":"24a83991f9455a0410213cc138696cf4eece7b2caca0a627c6ce023b7f912c115768ab8aad0fb10e35591d370e0372fe020823365b5bbe713417bc2f050cbf86fd626caf91323271eeebd5f2aae36fd0aced63779565604ef2653a0770fe4e42649eceb6089bb7662ca3d744fe178f5ac5bc20ce7a90325497f55ffd9b25c59a6b82f07553c080f0c45fed23ce47d972605a2f603b72d09d608548a04031dd2bbae9ff898201e4460479548d70b176e917ff3e3683e49f3330cfa77a25cc48fe"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-384, 256, 256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_nopr:MBEDTLS_MD_SHA384:"2d8fb8796d8a1764f8c824c55b880c53d2205559afbdf1cecda3dc2d05bf001e6252076dac013c7094ae72ca80cafce2cab30a160ce49dbd646710bc429c163231d73fe0e121f8cef8c02f70598fa853":"feea8ae0b299d5f79315383d938bcf9b536d11e036b28056bcbbc7fcede21cfc":"1a0fc47fa95cdafd2036eb5314e0f56266e58abb0f03b5e679638945b1fbcd58":"30707f376333df203eafba7fc52b40d8f1d97521a71d579c8b8457ac1328cacc":"f179c19e45c4a4f3cad8b545d116ca29e45f322580b7fc9715313be53f047658":"eaf7523b910b653a305f9122363d96e17fd22ccb9b6158cc42aceea40c34eac73e496827dd5fe4312f102ba6aa7aee934d1f41609bf3e14c29aa3aca210e3cabe70744a09f4c180f3d1ddf8be0b530403c5238761226f2c2c7ae29b24439afd65d6d5a0aa8daa11abce36df02ce61d352ab08965122e16708731d72a9fb5de071c20c6cb039273498ff1588c901d997151edbbd41870031ee337b38233edfd78aab389fae2bd280e4bc85d1bd6655269c3359753b17fdac502c3a2e871149fbf"
HMAC_DRBG NIST CAVS 14.3 PR False (SHA-512, 0, 0) #0
diff --git a/tests/suites/test_suite_hmac_drbg.pr.data b/tests/suites/test_suite_hmac_drbg.pr.data
index 72bddfb..6792cd6 100644
--- a/tests/suites/test_suite_hmac_drbg.pr.data
+++ b/tests/suites/test_suite_hmac_drbg.pr.data
@@ -239,243 +239,243 @@ depends_on:MBEDTLS_MD_CAN_SHA1
hmac_drbg_pr:MBEDTLS_MD_SHA1:"567d3f4c0de396ed67569c070d87f2b535ec874e881418983ec42ceb295b7d312e715e46b96f9da5998f9cde45b1dc22db6d2d7bfd4f3930":"43c16ab49ca5174f907d7899ebd242e9":"6c0b479d9e847dfbeae230bd4601d0db":"0d5a2183c9f9ca6941f6a617892f5e47":"934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"f3a709bb47a36838cb998fb6986ff074c57932a669670570ff6cd1b202ee1da014a011f43fc02c51ffcb4048cc060763f2c58de2edd494275da14118c9cb7fd50475c66cc7e792406213a7d00cf7623d931a5947":"":"":"":"bbe3daefa61fe302bdaa6d4d379680acfd0d456b5d35f137c145b72626f2fcf39fdf7f3708d9e88c1710408a3d7ece3b0261ff538846fd5452149960215c0c22beafe6cd24a7c392d5845774b87528912c322119a2adf4d35a0ba61dd36ffc8a7e7475afec58ad4a8cf343afb677f087"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"0f508c6330b9673e94861ae2057e200ae8f2b330b74634d79fe8a4c698211080db07e58b762a2387379f0c0e2d01b2ca40ef82fec35eb81a5493ccef709dbaa0b0e4494e460530062c8db7446bc6af2d852fd875":"":"":"":"583367bde003eb2061cdb6f51db9c6827cbcefbff0497ba823e112edbf7f2066fcffa3e92d1e8c531007783554e6aa8a633bc925690ca6d579fbedbf9cc4d6cb08133d0cf8d4c25fcd3b6fed95f00b1bb17477cf67b97a557e7da933bdc121481755f628fdf0f0b1189a097c7147169e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"9082871e73b098bbc58f324f12f6a83c321360c9f5b400d00a9bb865ef5265083d9309657c40ac94b579995902df0e2084eb4a6410cac605e482ea4abe5c8eb73bc63f68baaeaa56d47f7d74974d940555fd3861":"":"":"":"67c2fd4397af79297782af9baad2a26b993efa48c689a74531417ae102d4ea1d6a82cb0321aee3dc2572ad27299e81a7a77f1cf837119e746988f2ec60bb01eb2ac3d110a948c1c33e86833757e2670cc3947658f3b2d32ac59242f152e889d03d03056f0a265ee759d3a4488b55c63a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"4701f34326930cf93deaeb3a9c196e307a890c8ccf44a55f84593b3388a196238fdd97d201998ec734821998e7d6bef7b31fa2a81343918056c01d65f519c8576e4120a3d6b9ce28ccf57eeabd012d2c14e47045":"":"":"":"b499b86b0a25a0fc84a9a1b902972e2bb5aaf9b84f13804d6180491285b9316218cde0e73eacf722b5c664f4e618625ed35c5facbfca153cc184309754ecaad9c3678ce51ade96dfe3290e125d661e2afbdadfa73240c24939bc31d171712c7c987bfb434f1db6ed44b321bcd237f149"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"a912b6755cd2d677d63268a5203739b0785d7d956738a596e269128a583921aacbba1adb7c6d1714c164143c8f44e76711965514651680235068476ab137d5962e5e5872f3b899d0e9ca5ae8fe71bdcfaef1d241":"":"":"":"0f410304b6d88e52c8d6039ca674a06c49a5fa1094cf341c4034e39990236d9e5bb8ebb6e59849e7df82e2d02981d8df21e4ba3381e606b99c16de62860a470109c0123c69ebaf970603f451f9e6acf83e1c5951c3cb87170ef319d9a791110aea0c0dae5623c287d4c454ec93227654"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"54fb376707de02a1c385a3da78523485111a0a099066206f210ad848f29d3c270d2fd2f668cdd3a57cabed71f9d784c209259d1e4a3eee2046846a55a46965e495eb29725a86bd630dc43cd60ddb4fc93c59980d":"":"":"":"a2e3ab5390b5b79786ec7b434de48e45f590b85513106008479d8a3b7b236c884b0f871d8dee539c712509bd70de351f3881cd87c9cf77c1a9d8879986ff0f6678549c5c6acd15aeb6bbe653a9bc76829df2f194c5f6e8c7dd3058971ce15273a2d559c1ac60a0014e5e32352d6be2a1"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"3a0c24b5a6106d28c02957538e76e96b3ececfa80ba4c7d01fe642a88fc822884cc36ac2703e8952ee635948715f78c542e6e3270f2757f1652474df4706490b18e649ffd95dc518a8b4259da193600af5d5bde1":"":"":"":"55dc24206aa59d34ea990ac6b31250f15ac056c8ecd52e159f3464c38e1f28840eec4c6423b0fd9971d11c5ab99225eda5d173c08f9439bb56eb1cc487fdaea934fa816f9c9e0d628f111cbe60a647e03892084f80775248d41cb587617671d99b508644476b66c1c96979e5061e025a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"ae7ff70bb69c964f05c99c0e7868210d567bcb5eb02db7708de162e6bbfd91fa17f30656420dad1ca69d356cbab80456cef922a9206f07d32c3f198c1a68e673c5583674bb1df1f2a69c554fdd3411c81a90c83f":"":"":"":"f1f3f79b1d7f988d4caf7308416f3d02371cc029a28eb4f0247c8625c4680a2dcbe9f3d56d92de6ee4d4031a254bda8a657bc147fb90c2f7783a8e3749b60633e5a921d015b846b3cb38830bc7554308af08ee8219e5acd1b699f1ac538930d257da4ef567ca570a7951bfb236d4d36b"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"86704ad0286f88dbc60baebc2ed0571de7b5ab64bc8554ba8645557fa10159ec03cc9f6f299c1c3011c73b2563e571fc24f5b5b50b4bee514d7c808873ca804b147201ba7ed43430d89b066c04b00b0a17694523":"":"":"":"6b1a26d7d21308d217bc8988067ef3e21f5bc10d34e89937f2a89f8da256acef50b6ea7d9ea877bc1d15002b1766e9bc7fea3d681b147e42359ce29d6d4f8c73e7c29b9ec14277fce2f6a0c518d24aeada44990f7f92b0d1184ff96b20c76d506f6f9d963391abec5bc247a2ac6b24c7"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"d0b30341b4fd48281f76a83d7de5769d05d5cb9e565b213c8e2bc8d4adcbae90107fc12fc1ed2a19f20beb563de8f05bc5c437637148154a12b1606bff071dbb366458b74a07a1c14114fab487772d436d4ce159":"":"":"":"fe2a7ced1965f013d475724eaa7d31b62740be411d899afa79f9fa6e73f18ebe0907f2f21388b6498cd365798f27f882a2c5c2744a9b25e8d351e77b9fa4471ceb1dd6c72fdef75977e4e4a246e24f56a615189e1b2a8d6782e8c5062b744a65ebe1f7c5fbcab333fdc155bfee300503"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"4a1a697e41537f28b381e05f11ebc905bd66c2c1d905d8c0b78c10c26cdf547a1b6f85ff58f48298a11bba41e3ec015d41a24d9e335e6e13b06b84b9f56b3e803bac569dae2d74c444bb58b3a6344bfbb9eee765":"":"":"":"15060b2bc827dbeefa2170ade633b0f0075a4b9b03fc24f73522174be4e4b08b93b421fa98c7c5a445c3aafed47a2eeeed63f19ef4f67e7726d8ff84bd94daa3338e397d52abea4c7d1191e30f3e8a11864f10ff56b2dbefd860655d34cf63ea22bbb54dfd0c5f64284c303a2ba2f49e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"e80b8c8896557d596e192c3226347c336dae455b50bf32a78c61b9a98c949096be51538e293d338a464eae0eb18f1ab21f9903d07a8b98ea2ad7f41fe7ffdc4b4bd0fd06138a84dc5217cc8fe39b92f9558aa619":"":"":"":"55574491d07db3aff94dcb71f519cffe2f96ef57219262860c3c03f9a5b8a1eb88869e69587f8bc0693c9919bb277dc84fa55187c0dbb20101f0c4e301dcd2fe21664e5a2f0dda3eb4f11df3878c5becddbfc3ca032a17f740d424b99be0a9bedfd99907229ecccbf459f5495533560e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"5c25f02bef1f1319cb6868d836c9cbc182fd8d86ecd87bc5cba41c163710074e80d1a30ddfd0f5d88c6682292cd50c68966d15e6ff95e117d342d974ff074ee872719d15745da624f8503a6141b0ac4b887ead5f":"":"":"":"9c5204d5471c25203f1d9786d38f71081a872f1c56604dc7570caa5439f17cddb7feff01cadaac8e0f35e7a5433cbbcd2dd4f11cc7dd14f6af629fd72a3145db6924d2bdefc262662367b7258cff36172263460f4dd52dd08faed3460bbffe18eb10ff5b3c6a97faddf65b3e21ecc98c"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"68b4e1ddfd16a1c1ecb0f4221306e77ad02b07993457eace086f66566afc5f12489633c605d11d53916eee96ed778d6d6518c5681f0fa9b0160da1c71740a94ab33310bc20a18710015af25d3d667c40dc619f34":"":"":"":"5c4c9b3276d546d3b6277a3a2089d4969146d833e0ace3e1ddbd9f79fa2158531f8bb26a28b08dc64bb1e610f13eb14c9fb23559dc2f38326e145ab509b9f69259a0d1a32f471d5abf154a2585288063845f99306f9bb875ccb0d32e9d49b42900257ebaa532e8ec223aea60abc9714d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"d5ee5e2e629ea17487e593914012575daa8baf2d0e9671e1b8aad16524dbdf7d04c11130cdc10e50c630ccb235579a72b6eb4502fe146aabdab62a085c820ea46bb9091054d75a892a83c3850da0a31c15e0d021":"":"":"":"e32c0798b2040620fbc5d2a44ec7fa8038444c1910fd4a24312c8c8eadb57a78606449cf05ac51a3bc4d58ce78742c1be3a0fab6e3f5ebc92b82b5d5d64ce29e8c2787ace0f4e718a7f6cb669a0a43ba1aee0d9aef55cb7c6f5dff57c8acfe883ffd8a496d44afe06803e4c9ff62df04"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"6e531842b9b7fe2c0ee66899a1255135f784a2d5259c93ab3d63a5cb708e2e6cba955897d9b66c7fab274aa388a5db69713c86faa4a19709e9aab04638c670ffaa83806abf79a43e613e62cccafc637e1a1c0c14":"":"e628db057250fbc6fc5aba01b6c8b47062ec5632a8566730":"bd12e61e3d5218efb0c103dc49402800cfb863ec8925e76a":"037650ddf66ed42ea38cf44aaa94884effc5f831c593fb35886b5d601a58f74f868d89f2dba450b9c160e28f69fd24e30fb7a44189810e29afd0d11762d3ef07b4527f4134d6c53bdc9b024cebb6b40fbacd68b6acd4bb4d011d6705ce22f90d910ac4017d2426db7a48db3242161aa8"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"3fadabd2d8879bd2298f53c54b573db2584655e08a83289cb58a4ff5170fdc30d71bb24efbb5a50def315dc69146111462e204289a64ce72767499f299c74c934f0007ddb34bf5183bc1e5afd8c15eebdebba882":"":"742f7022892c2123e62379e9367787302fd18dc3835de0bd":"b60325136fde7c858054983a977262b6390a48419725febe":"3bfa419f9bad259b871703681284c5396fa94a323d646ddbf5339398c4d8314a999c230894ac60bf231762acada672f58154a86f80a8c4e3bbc67132e22ef50c0377193cb0d13c7e2c97cb24ce5bb69c73be2e5cd3a07ca2b000b2d7eea940053156bf55d846181e3748a91c342e191f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"0784a499424dd1c2c13f765e9ed88d752fefa83cec61154f82b3fd645f642ff103db9c8d1c10b5979c56a22d58324669d4ace3994927222fa87fd049558a48adcbd6ad5a2380d2d927be57fffaae037bf8a34384":"":"9f853db57c3da0421914d2f71f9317817580c1de4ca43d50":"27071ad475b8541c1a80234bb2d110637fcf4b4e20e06a7a":"2c879a03bd719595211b526101fe85702161711c67a81184cc42c1f9da5761e853ff4b8d19deb95a2f3323d1cd58a2e066c66e7a30059732eba43a4bf3b22fffa5bea5161fd775160dc53d7cbb4c892bc122e4e0139f8f550219cf6fbccf55d16d8a4d8d7776aa143c00d9e7bd1c847a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"addb36bc9ad134c7b8fa54881db1b18e040de4f253be28efbd36b12bfcf4721b08c5833eb0a97c668c7adbc7f04a9e0299549126172e25b9e624282c8e63eccf358c0ef1a71f8fd0a8fc49451db7757eae344e48":"":"e32540418ef68c3dcca1e7a0546e5dc7d4c5e92019b8cb0f":"327e31a0619305c93e9b5eef87102d447d21e21e2d8c1cc2":"178bee4059af0282854c833e11e7bba923a1e2f1126fe8cd7e1694602c180802d67b845a88ff786147f22a74e6ffb0f8b86d352cec2714ff8f308b1f9705603faf5b04bea3c75c87c91d5e6cf7583b5c45eb5f5a74d2bac490c8415d2fe07726bc334c88e3fb7284058b006f82e89ae7"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"412431badcf06f87551ec63c3860baf4b59667cb4753363d0f82fe7c968ea6f8bc5d015418adeae206005725dd9693af6f7060a2d5ba53f66dd49dc148de581737b67acd4bb70ff2f4cf20abc001ae1eb50cb75f":"":"d67f94a953e7e4e4bc0cbd517f963e599d68851cc333644a":"385281961ecf2d8175c0a718347d2132f059964c55f39f57":"357876e78a69cd4bc4e06b2c52ad28434520d54a4a310ee0eb026b87993514ba1442e25eb1ae22a3ce98529625d8db9b0e5b680d7e027523b0ba0184d3f2e4b9cdee027960ac1612295bcdbf570912ed05108541b97e3bb30ae0a122d74cb536e5db34b7d5ee5a042897d5d29fa3c126"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"ae914c3d74acb6e2d9b8487927db7992b838ede73dc918b60bcc94f0f456f454a6d100c90e119342154bc3ddb059f48db3a8d7b7288eb42d0ceb07532a2a357d20506ead28d9bd4a127d437a657a61f5d30b04cf":"":"2afb537c13fee9c4103cc6abb11225046d94df2e9838f73f":"6a9f670cb49cd9ad98a17cc19d00d4766344108f0c86804b":"2ed0c4140420c6e3798a13f917cd998b2ce6f98bac27f0fdb09e2538f573caff16904edb371f98f50964b7de552e997007fcd267b36abed12cd95d9a08852a4ca862872edd32c707e7a60e11fe0a7db4c0d34f4c70ff16e5c75e6f5d7ffaec3be383b8790ef0ff3a0d9f79850c9749c0"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"38a93c3ede148c91eb7f0cd327cbe8b27ff0e569bc5262aaf30b86d31be35f83b4ff50b84b5dfd649908d0c55cd5be7ad36d4f5f7f22cce066d3b589adef804bfaf52253a0e4c6bb03e000d649541e523ae52f1d":"":"e12c05f2bf463d24da9abe89301d2acefb7957dc1bab9ef8":"d70065fa713e2d691bf554a00d063222755e7204a3e53968":"3e5ad7e96c8cee899889640d8268cbea296aee96fca7bb60308bcdc08eed36bdc8a5b3126ed8be900577e60ec0f8b3d3014deec41ac650480e08dd3a425843b37fa5d1d621b5053ba4b2fc1804d407849a84e9eb5bfcf94f27c2a535e2756b8202ede1f18e81f65e3f7f51a064b401a4"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"384d6f43e7d77a381bc6bfbfbfe1a17aa35525bef01be8aaf6c488c46517d9b94380c73d3fb45a4f1b4d70375021c7df78eadb61df5d9efc6e08fe2d81ffa65df33667c23e3cc5c89893988f04be1d3634ced443":"":"a0271fd2552e037568cc857a60a550db050680fc03904fce":"ec095cc9e3bc301071a901d0289b54aefc796bffad6fda8e":"aca2571a9cf6bcd10429e146e6e94d1ae43a00db28bee2b60eb6a1bc1cde3d452dd6e04617aae7a3f813feaddc0f8fd25890004607f45ec995df970e1a3abb17b416bdbf62b6ba5625a80cb100e2b87260a73ffe15d9e6f24abfe9e6f9ba66bdfbfe71380d832418e2a4b460dd7415f4"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"98c8df867d234553e504fcdf807fb8bba51d23ac65dd8b160943bd45181764cf6df0049cad23e6aca490db57d12dc6c631604c943f153927d6d04af042e1da1b225eb8bdf4ee99dd405e3586acf8e44bb0184d68":"":"3338baea79c06f0d48ec2d47004e61c1c1e5056bf8bbecd3":"79007bfce109a682b746df074e87c845eebd665532867fa2":"ba7040193e38c4495971827fb1ddb747ea80cd0bb1fd6aaabf85ec1959c29eba8f818ef55aadadc8c34b6a7c00f210a899092b9704f2e03abf3e5e8fe6d127cac0436441d0a6f1b02a00e5fe948539c66a8c78e70f35cfeb600e1cc68c06553f47ca053b64a0534a028a73d0890034fe"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"6150b7280b3105b86b66c2a39a1f0461cfbce17e746791afb241b298741454e174650ab1e7f08500bd7eb096e40d8114e5a60668636b6ff66d2622154b7d239eaefc9ab2aa3351eda2af4fe51de36e22e70235fb":"":"6ece8aa447d2cf51d8497e303c1a202e39e06bd723c847b7":"21d890666d2c8ce4440bb453f4284c3928650f8cf38576d7":"7554b8cc8e79330ae55575f9157cd10d8eeb58af30eeebe9daa021f4b55ce365fbdf3629be7547a89c78bb9df79d35179e5d2924aa032e60d5a00281f19ee2255c17a69345ed86bf36ecfd694be0405c8b6c077b43a8c8bbea603ddc632a1aea6771a6bc117dbdc365e2714bdaa8b377"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"cb25eef7230ac2da249fe30ea94d3a3332147022bb2207aab4a50822b1564c24a047ebb46d57f45f6680f909629b43129876c75381e3b7c6d06887f68083fc423f06ecba159a90edd394cc0ca9473e9cd0f23c89":"":"2f30b005ea5d5965439bf15220b1c010e6c79306e700e6fe":"9937bf3edb3603cbbe190f3616b021fad652011854e6f6d0":"040a30b82981f71e4607c20c1f2d6e6854824c90b127517f65b6c7da99fd33dee32dc52bd0dbe902509c50492a88e5963b2b6e27d046334b356e5909f85763af2de70e93a89d6a00e2ef81ddd74f4a33d3f8406d05b383fda569a5a574fb5e3c0c86a5096e94174b79b2a4eadebccc2c"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"1d7dbe4e83913bad3fa918262ab0f45cdb9e4e61667694f361ddecace06bf352b18dfab4c32bff9a013d3b92a2da8ed698168155ddc492f8ad5d65cda8eed212793cd9aec8acde7e00f952bb5d00c53c5c181e89":"":"f9c51ff8f264cae722734502f6799e4fc5bee773d31e3e31":"6a171a0a8801017a1d924f80fc5d9d6592b8b28a342f30de":"425024bd1d1a66d4527a3e8a8307b3206923bc1d693f5b7f9017f0d5527cd6591016758794ac89e2f682cb2d66f8d28f9a2f5ae2974a75f4d0de17dcd02e93bf29c69175fceba262378bafbe3eb7e3dabe974889306d0a2ebd0ad9d934c37b1ad89ac1fc28493e6b1f6f24620e40eaf7"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"a6887fe41ed5a615eb030b31b86315d32d13dd5ad506566ea23ea3b162b8dd621129736c8dde31708a7fa4a4c606dc212b3440617111e94a5c6722c3a729d84d2e5858c23ba8bb249456a11d63dba9d4260a7213":"":"a52036daa8172111e89c8991ca818bdd711095a1602f2f15":"cba427a2b7bb64002e1da3159d643e002516bed279e0d442":"cf0f5881032606c21a8ea20adba6a72e176e968f10b08ab6d08f997b24fc2a24f2c5d44d1b99deb7db4f388dc8ac268f966a34c857cc5f43efc601674bc548ffeaee1c13415df6d0240835832cb75840b60711cb636f509dd9b87b698615959688e9afeffa50671ada05faa564c87ad5"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"a563459889ca29b711086adfbf18f284fdd18601ff69916af1ce47510d33f205d4dcd0080f9dfedb2bc1e2e60fa0b9cae094102bc7a705cc223279e0fc3b0020b4facafc2b31b9bca92382f3810d5a4e3ef626a9":"":"5fc83f1f6dc0ad454bbacf2df366c803cc1d2fd46bf78d32":"1a9654667cfd6ad0aad9383be04ec1480a494262b3fee823":"cb45ce96a973728bdade51f91004ac09e155173769063b3fb4712493d8877f088127a3492588e99fef648a101cf1c238fdefd798dd4928b5bb3a851eed693f37d67360a28a2b27c4406e9ddefdffba662529b91a980bbe4eb381cf9734b336e2b64e7482e0328c2e2bf81e39edc30d97"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 0, 192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"886d098731abf3140d512e0d348a384d25372667fe7e4f0ce713b1d2eca7b2ad939b25af03f78edad75bf0ab95b4110710d0e12e714e03f7df35db59fc4ef2906cf36c6c8897b802200a83e60d16f7fb064abd2a":"":"a4f42d83a492db3fc053d1275c6f264706fa932955c3da62":"4505c0664e59bb4388020470838bb098c4ae1338c268adf2":"4f9c3c60ee32042735cc539b9a23d04c2bc6bcd68db04a58240305f165bccebbb98e0f4796b283a0d78bdaccfcc8daf19f21a72945be07996bbb0b606643c7753f76ee6371292d3e681468b714e16bc32db14ad6d777677137ebd3731186ea72b840b8c4ae79ecb2c61352ea056d2d6a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"a26af93571ba84b58e14e921a6bada73083ec17f21580a152703e1741392fc9ce6046f77d6eda5000f3225ef28425e30cec138a16b0ebd885fef074c6da2a7b126fcd1f056e3a5fd5627368c63681cc10fbf750b":"0627d10b1e5b4f0fff96d0c7e684deb9fb6a4e48959dbc29":"":"":"98d6bc7ec7cd72da4c750d9173518a9a17120fe9af10cd1a7d872fac505d9276c551b821a868cb8b4d8b10eb3b05845827717d2975814b5080a2f4aa50c5b112bd01b8652f2d1b56a88c6c891db5f3f40d1d1f0648d84e6ce2138c2c879884eb4847856198579eac759a065a5d384c46"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"5fd08930ba404d13a7275227660869e7eff10e103548e6ea15f0816ea93b649f6aba408ac710c49eaddea0b4d1e219577e6f6ba4f193386228f6fdf9cdcc50d5bdcf6d1f249e9cae0a097bb341e2ba3581a3f2ca":"7a463958302109d5fb9fef1a232b5aea13ba58a60b70911c":"":"":"a1a5c9d90f9340c807efa2068c6a0b872a4ad51a7cf90e14b4797dd894361712fc9507bd61d8ba984ecf1345fa3cbcf3031e2bc4302354cdf3f615c3a1bf43f60a464698e250726c37a7a9a23e1ff7e8d96df03957e3a0b5e6c4c4fdbdcff487e467b12dbc21e07eb8a7c4cd7f779912"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"625d6a509ec43c55bbec45b4244fa0bce24c74cc270851f2d32e4bb4f1961476af40088b5ea81f7a86efba78abdfb50be09e1a68851899e0e9acd95f77f16e8b0aea5a9bf29bc1a18d32158cf69c794f3f47fe61":"bcfa259c919f6e56c77914a272959cda6d2cafeaff87d91b":"":"":"b5bc1f03099547ce1a359bede1f9f3b76b38e8b9cc781fb3909899144f4d0a4ba93272552bfb0ddcda51165d0ca3eae47d10961a62692bd9edf2a9339c8ad14469f1834eee3c3fc1074cb1493054f84273e4adc73e5eec6cba284c5b7fd8005f10cb67b0fe16ae0b4ff30d50ca245c5d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"bc0c83de31217ff6b22c719de8c6653fcbd8aff7925f04624c76f586ed3bab324b64fa8a1ec14efa8d8d0b41eb6735d517f6c647ef8bedf3036a6ca90fa1d2c528722de33f76f7375711b6b4127b86fe096e72cd":"d7ef6b5dd09c08437313871078ac730c2f85a5abae6d6e24":"":"":"6d415afc0151c3cb426eb3b90c209feb726c01e28785678bb0b8d9143d4b7f31ae07e384816072e2df31350b133a8f4e3ee18f04b154d194513d9b072a695e52bf03eeb4c9a1df85dd6ef98d2453dc39390bc3a17f3ce499d9b182c89d0591dc3dbdb7aecb626b07f0ad2737bf8200b2"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"caca2b8631502fbd8bec33e89066e77b97a57b09d21a92dcc7b65897e50d7a312f287932c529f6a6fd8be6fad5c467f6c15f9bc0f39653a6e4963c0d4c4baa9d6ad39f4ad2a1d6587377ec3898e63e02cc0c454f":"33691da7461d3355659c4ca927b4d3e3bbfd8e775b535538":"":"":"89abe8e656667299705c4c8b208f0fc400897397d15aa3574cf86c0a6415dd30ac5d7d8bc629d8ba52e6e5af63818475874266e98a43ab5d3085d2856950e8d487ea22e01f9ab7fe1862be1fdb9a97cc24eb9ad05beebb202716607e8b164cf63cacb92504e80e68e641af71ad6ee47d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"5d97de97d6f81a858ad6ae0262e58169b27c25adfc2bff506854e6bfd37f3a4d8c4b46cd78d0a76b0dc67e0d3f90fb04c2131bc31239defc8eabe9be0fc589a554a4b77fa79c64c03bbf87a32031530d99bbe397":"a0d8be30a0972002f21ce2d7cf3c8e84907c638e0093354d":"":"":"67536d7352a49a1a49110a1dc1b77dd1924be34123e027aea0ba6064ae0aa051d4470ccbf923e0c96c86f2d440f17f45b67c4c7785a6f5006bf0cadc13269540b2c59bb75f642e9668feb601fc60c18b94d65ebea0dfe5fb284e003a58837f9e9e120481ec2ba972c755c6a9134af683"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"9ca7149b0c5ccb7a0f7ec5399c644dba98c418373460c59978d91db57ff714897ee71caf459c1dc164655140810992fa6cbbb708ba2e61053d5866ba6a1bbdbc639fd21be4383beb4a4d370e86d0e9739ef849ae":"2ade2ffc19de7fc94767193223aa1fb3461cb29d970c8f05":"":"":"b39d6db529fbb3c6a90d6b7057759c26a9fa26024d2b65e3bf459881ff0f88a5b93b87e0779635022cea81db313329b61613742cc82b52fff1a2e6e24ae0eebc0917d5e4573466e4aee3f0ee0053445566eaa080c3e701bc35d40ce5105b4b6572baa7b4c84a16e4aab501e6ef670164"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"cc751171d828dba023f430b3f5a7134f733f4cc1ec76495e98a6dc2a627d97924716d7e6b043cf15c62ce8da1dda2a930c88d6d4d12ca992a501f773dff5d38e42f150f1c55ee358aba1e73cbebf465baf9fd0a6":"4ba50a75424970526022c7351831c58ee75f1e3aa0c47749":"":"":"8b387e55b9c10d0cc336f5445755c0b6dbe971bf69a04682b21c9303a66e093b7dccf33fc685765c6d2bcfa3020892ed09ce6ea3e3355b3bc16741f34d40b5c96bb085c1574801d14b4f71c97cf64e75dcc330fafa1d1e626822609a9af62c894dbdd56307ccf1ebbb7ec09d500096aa"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"1f2ccd29bc38e8364a4beb0e89984b88d61dcd31d48e310ae691c0e146f495b9d8cf443ed12f3ad2da7c59c2a2f6b8df4e0202414791e106c1f879879b7a46ac207f45b5fed69c38309adf15dfd0dd75742c0df0":"e0c49aee71c4c060aac1bab1f438f9e2b0c96d710ebfef77":"":"":"593677f65ca4339c0dd8b1ae9278cc49adaef1cf889760b4631a379d82bc25123dfd2e1436d0b6b890d4155e3236fc1e2cef67d8bc0454099051e220d6925b37c47408fdacdfd54cab7be70f8b3b3dfc5a86f181dd559ff7182f225f7de87dd8bd69143be270ce76d2562c6e01ba4c4e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"f1bee9caecfd0397a6cd76f356ecacf1053981c64d315db4a51a244fe3b22ef997392f65dc13cf30f5b8f5edb7f8f55863a30156722536d02440e5f06e503795d2401775a560685f2ad3c98aaaa22726cd6ec45a":"9d42670ea4113ae02302cdcc660b497f3ffb19b9aca8babf":"":"":"78f31a24cda43acfbc4db7f17c57805a4b53353d668596247358b47e8f8deeaca312a7f9ce78832bc1da2d6b3727fcb847ca4feb1695a2edfd2ab24c486da125be1c1af4f78b749afdb57f97b4a8b892fd87228f116ba10fa739059581256de4fb865d1115c58284cb9850a24e5b7615"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"17b3146ea3ac1afdca446275f3b7539a517766b90e2da2c4c85db4802943efcd8009a9ffdd054440da16edb641a050fce3f3cab3d5f03d550111daeaa8841a9c814def76eec9c4e910788c710562428a39cd0987":"f3831c1bc859fad452a76ce513575a23e8b790c90de4575c":"":"":"c6c85936cd52b5271a6e70410e0b9d960d76f3236b548cfd4fea26504ca8a78e58ee914c6cf248f30d7ee3547eedd3a4d9869b15e326c911aaecb7f0c221f8eb9208a9b355e4b1cc7926380d25bb776f3e89904943b3fdf306012fc95d06b3b7c44ef55c9eee675150b332e2181f2a32"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"fabe526177dcd476be9950233ec56f9122a9b083e589c9264add302d4768c06020cf53e7708bc728582360cbf06a18de38e3da2642dd6751aa686dbf11734bd75a422571c9f2420915d7d79d9efea870e72d262d":"ba5858340e6a82b2ecfe1190215bd8da995ee8ef572eed8b":"":"":"10260dfc2f2322f530192e96a2396694dead62f9b206137108666cd199939184503da75598f54a89dff885a9856140b56687347c2c066a1593bfe02b8bd2cd93e939c424b33683a13678ba5f34df3f2f5f50b2a708d1d5a04683db00a607e2f80e5feb20086e3d64294e9732b0776c51"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"b7c9a1d221fe10552bb0b799e18d12cffd1f76d6a1e6dc79a36584ac7e13c355b9323d0ef2f97fc2d8a26e6c37209a485963788aeab084e923a3794c63713c2ee288ba3a99f2d407adfc1b87ba64fcc5a7f98e4e":"e563f8c8318862c7117af8946823e8570ebc64b3de1b293e":"":"":"100c460c12e5ab12a72bd4351f7b608f5578060b262f21d735fe79d13c942035a76f001adfd39fe93caa22b6274bec282e640469d3f454d108991a1b73d8acb3d392732fc24cafb15fbe248441462bb2c1278883610ba28486ef82ec2ff3d20eb9601866c7dc4eaf44cdd73e5b5ac14f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"78e5d4818964d748282fa8dd386ea9c920c4fc5ddb9d2204a3f6285082b8065dd3944ce193722e973f8300783e37991e6c4a6286a1a0fe3703dd78ae951c88a0ce47b1a23d91e0926358221713670a78732d5470":"fa058586d35f0d74d2c473e005e7f8ddc33a1f6d5bc79d75":"":"":"6b603b098ca74b7fcf3c8f9b42dde5b3b51e84cab4f67f4d87bc6575ad4fa3f1e0ee27085f88e2a5ecf4f57f9ba92638e52941535806d2cd1b5aeb5b7c81b3d44d41cf5b8073b646a9cc1b0a9f7e183b082e9f2270acd928623e8a46b46257e1b827e8b88b55c88a3a3a067cfcb9b2b0"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"50241739e3f08c910baea7f9ba481511b6ee5d69bb1a2dd34f3987a231cc25f39a1a966390e391a33dc21281372589e2a667cdbbe4267710d5244fd342c959b7272b39e5cdf67701d47665b61782541e94aa224f":"6a7d2f2dcfcae8a284802c97d77917e87c6cf8417c2b16bd":"":"":"4402afee12048c1c6a44624d2df026798930ec732884899ffd20d17f1c8d7c221cf5edac8679a21ee11b177ecfd61927d4ccbb175ee6b49cc6f371450904c2666aaf2e6cb36cd55cae3af772beb80955cf67b4e8be1fce11250a39693ecb7f8ac05aa23b949ac74bc9a67060cd60cc77"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #0
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"c3005cdc5c5b7b25ed78c9684f3faf6278f9a9c5a9fb202014a29882e50b21e56ec8b7947fe871daec2626f32372123f44a8721ff4339e0a20f978ea27609eb495c2342e9ba719bbd2b44ff503db2322ada1c982":"c4506109937e0f9352fc881b0396b0a103626a15addfe525":"6ee49c76d138eaa3fc10cf411e0b8ad5488d77f74faacf13":"8825122b506dd6f3a58811fe6c9a7e9271a6e68dcdd590e2":"e818887ca1c84717e277baf00913d65ed58a8f90b8728080a03043bb2ab53f55fa605ba0cfab29b4cb694f6aae6594dedcbe6f74e1f7573c2944f3703b89a52789b0170077ea8e66d8299ba5cc139943ab96254065a27abca2098a85162fb01d294d8671b00206b7f784319384e01b3d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"9bf2ab19aa7e9ffc3461522f3cf85b3292b54bd3e1099a42dd6f5349d169d59a152b2dce675874b665fcff802260ea84b358f6fcf8011b511834e8447a73c1f675b7598d836dc9fbf40f1dd0f481f47f95f3ef4d":"38d7a2109c6fad9205abc22b9ff705b7f671c4bde5b662d4":"b46e928cb59eac0cbed65645767e96fd824fa95cb96a1cd7":"532c8d3748205cfaa826fba7f240e9926cd3811da8fd1a5a":"bc367839d1510316ac3ba17fb7bf633a6eb4b61dc0b03cf1cca564db8248ced0b47ccb36e730c0237b0812af30361b5dce662636b23f87d6ace82cd3e34d45a1133b35ff9b8bde8fb29fe82298820c0c87f0e30887ddb15c9644bfb12578f0878a710771ad22fe16935c66681378f5f8"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"a3bfbed559c396b807ffa80409fc4e2c23ba952f64a41c07d3af5e5b78d8ef88171bd5022d3e02efefa644f4fddbe207e59397605a0408b0201f6a882def64d973c0714555d2c7e0a6fddf49558fd1328074ca79":"4c63bef79f71fa82168928619cd09b003aeb2ba2b04150d2":"c85bb368a82d57c70cd5ad6327187c8550f7c10380b2f030":"5d467e9c06ee058ca066dadd6f6ec6b0da59ecbaa4ddd12e":"1ce311c919c67e151b51ce3060384ca95c071a295f01e54349abaa2da8ef497ea1364454133d20f57da28985bfc6d1d2f58f84d144c85dbe3c9fd5e8958ce06f2f5ad5af7e16bf90ddb4a1e2947f78008467fcc38b5a082eb1612d68e36e3c0abfbfb3a321eef3754ac16c41f96bd635"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"1b2c2419e85386716135b3c142d749f1f5bc23edbf8c0a1c53b72f474484c545761b21aeff05cdd35621d104ee393e791737c48c5a6e6b25b58c5c5be28ecf17c410c9c9c3c3aa2b6385f66759f31b61f9fe0286":"b69011f446e50880a15bb0dd00229f765bf77b2a40040109":"67eb63a168aad8712a0e7e0f162af7ac7893e902f1aa72cd":"23bb752e6232144630e3d3a6daaa1e58a5ca315f21fe1d8b":"cd8e6c6b8a1f7f98f5d796023fdd4f1da2d72eedb96a8e85cac661da24dd0a7810fa04be0491c69db7617712582b43ec4bf112d9e2932288f25b64fb7a2a09ac8747b8f71ce75e3c80b854336a0457b8013ec6dc1268b4c7e8f7d3422a4a5d432f8d9705d6a273a09b9f9273f4928c4f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"62d059e3ecb695167e93b3cfd77f96e681985ab5d68f15473a89f9cbc4012e1c090a5a9e65f738be938f44fd6cb157fd9b737d9389e4e56b6903d4d015f9d80d96336730fdf57787296d447ea91de7e686c7a81e":"d8f121b2bbdb8530c6315c63e0a52e383c163c033d3b0854":"830e2cab11331b761aed55db61681fffad3a61a1a06adfec":"c7783d7357ff30e88cfdbc90569daf03d3fec8caf89619ff":"e44c9b35d3b847a928748094ba6754d1c5de3cbe3d90d4e2bd0c0f19dc5aed7228c541044b2b14d7e67dcc148ab04abff7c22a8f1fdbec4d68ad24a7c4b0f0e507bd7f2b4845593363da484b481906fb7207844597238b9d40c14237004e275572aac6a6d84d151fa58abc0987e54e18"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"fcf3887b4505f7a1273ad5b32e064ff51682bca23ed974ca981871a5b7f63e5ceee58131f9a01fa7c37ab14150c9323a03f694e463496c4159eb8e5d3ebc62f41264beb93098a42a3dd406b983e1fb040d108f93":"9b3e97eed077155cf181829233868d27eb773c398575dfb2":"75a75a15c622e69eba698a064b0b41c8bc80ef803df0f29e":"7b6a20a222a81dfa6fd164def816c2b6708bd4c761b2bb8f":"0b3d501f728d2f1d8b0d7dffda0160157b30d0d97932315f77022d1a6fb30d9a0ee4383f2f63377ac6e57b16b0c7480a6f5dd12ed3ec0bc6f104a26c86592daa3f68a499570703306e2c2448e784b67cd6efdb4ae64a2e8ffa5929e74c95b663c9b7fe891633f07d7b50f5f16e9fe567"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"7a6a0774f2cb5ddce6b5242782fd3d7b5c7c7e31cb5fe95367c06f29a5488fa37feb34d689c646cdb162e258ad636a030ff74f6a7ff876417fb08f5c5decdcc98692538bebf9958c627ad8287633f98c587cdaec":"fb16aea72967c43b8803bcdd3e794911f6d53f2cb7946cee":"67d89947396322ca243e2c591a3adc8fd9f1ef448414fca8":"a0d568f4fce862e5e1b22acca29e60d7bc6cdcf6cc277794":"758b4685b0db1093eebde07ba11085a9dcab64c8d5adacda070fd2b292bec49240f25e158fc96cb1d0ecc9ebcccc360b981d140e3cdba54fc697313014450a9af29d9d55dcbc5bb9a38e4f10c6a3e41874d5c6688f22d0c5714301083cbbd0014880af0f7d088dabeb4e84a64f26d2b9"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"19bbbbfcb755cd9dc000abfc03343ef64193141c3d3f43120f55674616e3d96b6086adf47c906981923c98ef7dd0fbb2f7af0ecbbd2de848f2b25cba8651b7e3aeaa0c59b605e6d4710a01406565ea30d0c4f68d":"e77cce9d26d283bb5d6e8300ad0f69df723324d23928c6f7":"0586c76051462d0483071213804385d01a07bcb27db05e06":"1c9363d0b3e9f42b6c722b8d62f9c633066587577fe766e3":"6d458079264d5f3940d098aae092690b7d04cd46d6d5dde753063b7194118ab67d3848459156b8f0216d85b5c583a1bfc000e68111be459743175fd114253cc24db72ecc978ff8620301ecbf18f42fc4697d91150649a8254a9850d5c28f9c4e187e409e496e2a659b2e79c06074c5c9"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #8
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"c2b577bfd802b8f599ca14bdd5fe5003ee28ae69ca5c246df4f62d9e21a7793281c48f73ffea15f3c3d444ba48367fde04cdf6d62498b8afb24966a8662461015135cb55034a63571a032d3cd2c1e6cf4a6855ef":"f0de29d4530b4af75b8defe9b3b24dcb7ce0add4aed6f72d":"90ac05703a8e0c6057dd2d8b1a6f16f0059e7c70679919df":"16935f700de9fe529a2bbe811dccad430e27dbc60549c3e5":"56988f9328a91314e4b3ae027bc6f43a01fe471615f3a319afd9bb63f55b13e681ac0ae830d4d3057882fe247ca4decbb26af811282f59ee89ea38642e4ffad9bdfae44bcdbc3a289bf431e0bfc68148c12ced1853e698e74f74e24aa434937390fd41cb4e78f823a262900f2f44c1fa"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #9
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"b5c4acc63ae5c68ca404bded2d36a391e8b2e9ef3b32eb598aa94fd6b5ede6c3d9c33ec77a195abb6f8cbcafb6c492a1d78f04439bdc442168d1eccc783d53a92e16b90ccbdb0284b383cb96af04e81728d1cda0":"b3e6df5e9ae10c63da4269de170550b92dde7c6e33af228e":"c9787b641b5c881dae53a69e2b3514ce2ea81e5879765bd1":"e4abedcfc4cc69da45467bf2bfb03d823abc19a746e3c582":"e14f46dcab0ba39965f170f01a07308090b051127685ada6601112aa236093f7a760530f856617d9e027c8279ef33d9fbc4b624ae26a277b9e6077ac71e2d2f101b84ebed007ddeddb4286aa4729cb3b28798387b757d8e99a7b6d2631601fe7ab4caad7983dede59b94f4c920ef1b29"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #10
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"7302ea40e214308136b8427e601ad61132d195f870f2a861c7b8ce1f686bf325a155d0aae1211401bb844893dba2909060c76cf9cda757d9e2cb24f5602fedf6a7412f49497c82866a8c9b56e2bbaf912f760255":"58efaa77c9bf446ce8d3f3ce73b7d1f014bdeffea2a2fdde":"68f9eab1893186d7e5cf3a8c37bf1c229344abdceecd9de5":"a0d3bf1de632fb19ca5326d936f79aafe59a0e809b13f10c":"f2c6a717ab10a9cc89f6d3a07bf6077fa33c2e5d67475ebcdd1b895fd0067941ed3fd8f251352403c2680df2319a882f39a91f8ccb7df2c06a13037f057962e23b8ea0654ef9bfc19b6ec982e539ea6afcd1145cee582d27b708691354b4c397a51d004c61687c1c9c948576009002ee"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #11
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"48ce334fcdeae603c54fc228461e7173681a8e8387e0c048c2acfdd6a78c955deb7dc25bea4e9924c4a2ae22d9fb6b227452addd0b6eda7769f9ceaaf2ca34568b3c198ebdcf5f6ed11f863097bd56f42d648862":"6bf4c173d264dce03e475fb3bde9fca2474877627bfb0c5d":"2a728f461ce1067dd38896002724b4967c1a9cfececd3437":"2b862cd7a94c1776b26022c27c0e4f2d199ccb782caae6dd":"07f80326ea781bd95efe729867d6c39465213bb698b5e486e6c5f27d3fac4fda3cfb7c831fe6291062d4db2aff59781efb4f4cf428236aad6a55111b969885a6b851d5462278d0863909a07796e5e0e8448fc0d674a4408cd9e91e98e3adcec2064ad37dcc566faa80149519f5ea261c"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #12
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"b23c748a9c9d206ed4ce6b8bacb6f7e17cacf5649ea8d1e1144a96e977a4cb22c0f37139c3eedbcc8b9024c6f21412f1600fcde1488f95744446df7b6e21a858224b9294a75829a014697cc4b363c3ad0e152ca6":"325bdbd8c14b766d4a7ff0e14128585b21af76de7ca30ff1":"2e002a406bb8090eae6c950944a4d6768c89d43cc0d8bd17":"4828622ff56d0867bbad03bac51b8c939a5dfa33a362b129":"58cebdf4676a21ded5eba4dd19452f5dec909c589751879ea4249a4c9fef834d85dcfc95ada82f7fba1476451774036246d7a496d4d427f37647ebc10fc2e1125b0b71da1fa5f1479c5681e9d7acc9b88b527390734d943bff6a76c4b22bb4f6ac331f7710b95f6806fa35a29a2fa35f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #13
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"606f388e8ae35faf979434656144370991e89b7457ca5b55d5bf2b48fe8cb64f549f48a812edbbb4cff895efb21c90eb26c1db239ed72da43504a1e09c56fe144f2d09242f2670dbe2561456d938352125b19131":"5e039f38d6f9a9c4ecc67158f40d3c8de61808fd7476fbf7":"21c7d976da71bcde51a3b4bc1b9a79cc6c4ca51ec992e479":"bac1c5904816c3040eb532622f127ac3e28cd78ba68404a9":"5f951dd774bc1a0818b249ffc51348bf1f36aa4b9d6a3348d36df84b5d3e824adcdf8b87ffecfec13fe36ca354625ae8db8a69722254c3f6e7027b866c529f9bed25360e0cee7ce41f996d50d224a08e965e0e5dd67a77142e2a3de0d559b9dae8919ad0387ba5fdef699e42016d7291"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-224, 192, 192) #14
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
hmac_drbg_pr:MBEDTLS_MD_SHA224:"be16ca52551a6a0656c40539e3155eebbc416cbfe212101f8edc2f7118472907ae9b2b9574abe81257533115472610ab401d1ce1f8998884af43fa5776a59ae38c88631a066fa85d24dfc9b2547caae598cd0fa7":"ed000ad2e479513861014e8ff45a481a494af312d2dd5563":"feb295c74975f1e1c738988fc70b9d2603c7da93832154a1":"764705681b7781573af811fa7751dbc27d667af7a1e59dce":"ba4a0583d8d6c5b4216a0875cfad594485858dc7f9ef265d4ed0c0f0fbfcaaf5ae318df2d7fc530301813d9f49826030625f7ea02d0630b3573c486b1fa0ef4269cbfb6fb86675c11fb7c0570cf7ff4fc7affdb00625ac453c23c229a4ea5f540c66f031ab3462f7d12659eec990501f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-256, 0, 0) #0
@@ -719,243 +719,243 @@ depends_on:MBEDTLS_MD_CAN_SHA256
hmac_drbg_pr:MBEDTLS_MD_SHA256:"ef9292f4a7a67ac4d4eba48936391bb45f8810c2ab02ba424cc8e4add53d1c514611e3233cd8cc8f6d69494dc336cbe1cbc67c17520af442933a235c6aa6b8f98128c66fcdd77843ae32e06b7a31689c9a6a3c540a19081bcbe850278d50adfac3638ec8cf85148a0547d28d0a7025db":"f4a8721a2a873f8fe94e4b3e137e866c79212f9c14f89be156c47a5fbb9aaecb":"b38a6628647a02c0de5b7acb939d0d1896c9c730106c8667d810bd4866ebaee4":"366370899b2a0d6f049e7d820061599a675cba5d3bc82ad747fa731bead8efb3":"1947d468ae4fa4da7f45cfaf32d62a4369796e532f1b03b1495587e6bb95d8330f5b7c962a9b0a2b715d9def79194741870e5c47d15a7308843e10616b891fc9e5cab7db901e0f1efbe1217dd627c71b54c98cec0fe1b25a84caa56f0bde247a9d9183587742a38825234b6b6cc808afde36ef5e17bcdb2c72c7645949289369"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"51ec4987ddacbcf6348e4a891fa571c6e3aec02879eb0181a121a4846344a687cdff9798761875320256e5a59bc94663faab8864cc0bb1e64343c0b978fcc0d6e84d0d17c1c1f4093fac3b4c01837c6b37d189d7608f0c335eb38fe1f43573e0c525093f60ef618bab297b8a4d9d8c16":"":"":"":"ade04730059471b1829bec8dfbb0ec708be7b4e77d688ce7cfba9ddde059a52f969407291440aa79492f827fe1a2f6568989fd36b4fd84e6699152536bff15388af319fb306f07de4309eb92ba3da5f7007948335993698d398bac42029912bec6ba39226c2bf238733b5081aa0a2ca392a719385184be619d9ca56771d8e3716a46cfb339f93ff48abe406ef788db2ada45ab5fcb7f689bd801a5ccad855b52cd4bf1d6e338f2c3eac94ce9fdd0dd06632d01ded3753e87957e8569a67eccad"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"f8dfa70524d46f3545db3c687fe85a8ea35e32eda470b4e14b8b12f4e9c6bbf6c08efa9ae1df90ae6f14b895c342ae07b5e8d563199a141c34e709c6e743260b573f88186f40f800c4c0ec9f9fbeba49f103bfa2d62d7ed8fc9ff88cb1ddc5d4ca4d074e0053c069393d70a5b3f1df3e":"":"":"":"05f4e609b085d28958f5702eb7b99f2e0c7a80f095907abd5b7329628aa6dce2e2f8bdb7a2992261ea414e6434dc98162d02c51936542218a31c6072ed55c9ed83c79698de7ffd3835d5e4d0f3a0c2a70bef2b6c602d1e0cc814c71b2fb1a001fb83a0e2befdec7e4749629693629ea2397b299cdf491415dda446817dd7d28da431f95162de83d917f9e9325774e2f7ef02fe8067cf4bac47e2f61ba235b532af3aa95a6517e9f1286e065ccf9b3eefa6cab4c940c83ee9a11da55ee21c8d06"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"7ab7da47ff7a95ebf2367de0a25c7885d80931447d2f5cc73ae7f66844910e481e05f53ca993b0266b7cde89960d681a3d3c568d9a6e35347cf52d2e0ff7ad1142983fd7d2c848674315ed3e009adb7154fde1f2d90019cac210dbfc06279d48fc7c2e900652b5cb638c1260acd896ea":"":"":"":"f00714df243103f54b4c0c516a7a631431dbefdecc30c09e8e834f09882100c1d0276273568cc6352c3028c156371389078236afe57d00edaa226262f1a7f6e0011ba48d4b8f089cd257b6b7cfe80ca2bbeee99635c277254546d4adbf046935791be21c48a7882ef6cb81f7bccdfcf9bc430d21cef1d788d4f4df6bd6ef5bcbf48e35f116d482d880f597bcbcfbbf68bc77f591bd7346d7a1085fbc1c2707c17bb288ce6bfb0a78a54731421762f18142975b8b3b79dec0d852dca80f1638b3"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"40e83cb1fbbefb44426350916b0995fb6a1c5394f2fd625774459548cfab27f2f92e2e889d3deeb33dfd6c40f610b71b70387af8d70768c52b36bb2a59f3ad9a16be98c726c2d65af457b2f7d81c75fae82523c977cbdf6138b1cbe5a9b3ad402ba197a3009dba459d3f534ea143e5dc":"":"":"":"52cfd4a4741b6575578a1b7aab91a366341cfd483799ca08b851bb0dc2f2bf640e90c1406fd09fbf9166bd55d46aaaef38e0449b7187d019e68a3b98a7dd9cdac63ae9c966db4d901d37cc147835d017915902621216bc1835d70dc2101ae50e0541f796bd6bca2e53260ba3353e6aa4eee56f80aa329173e347d83d050ddeb465d8e1aa5450e6e7eb515a92fbcdfd8530f04fae3d1a41b13151a4827f0634d6e80424c1e934ce0e2077f5f31fd177e9a42acfcaa67d4043fd31a8ec72a39e6b"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"39927d4fd0c3eba2044002e65b60d3994c3aad0c705bce2e9e41aca30a7c2f03e7b4968d8e729e868f5fd57b49a4b862b0bd169a4e2d77bd59745e778ca6fd762901ae3c0fcc48a0d6ee22bc8520ec450630055b3b66bdd2dde9f5215d241fa266d24342b50d42e2db5436a478c7ebaf":"":"":"":"96194dd1b6ac5efb3d4787bd1fb4c9cc32c29b67ee34369a7aad9a56f64f53526e9207c1d4c541c6e0df4960c54e10168284891841fe554adaa5012f325b3aea79fa4db8c36e67a0f914d9ab361d8ba0b3d6ca4904103f14a30a90dd6fd7c3f679c272dee7f01110f7229f4f5b6ed152a0149dc5a7185bf637d10899bca417cba8f919a2800d8a72d5575f0c174f98f77a1afad850334204e66156eff4572a6703aab50b850a8df498d1d96b1e2bc1ac34aa4399f3b13e97b4989539ca78e97a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"ad10dbbedf980a0c33576f7606e14785b2a903788b9b7cb4c29cf74a8bbec877999ca28c36c835b60680bab9005d8e4f341b97213fdb6a52e783d19850906cb643bcf48c291cd186ebcbf0a287e459d1795e29ffb0c7c84b0f6dfbe219b4f85d9fb893c0cf9134263a9e6a36c76d02a9":"":"":"":"5db269714c4ab774c2eb14eb95e9b60c6ccaa6e90f9f879e295cc007069dd231894cd8fe0c09bf748e26940160cd0cad75dd2e305ed1f2527ba857c42c3d0662d25cbbcfe342910498ced309cda1894a1186ab935fb614646d299ca56f86defdd0a0f52baee1b9b9be05df85a05c225475a7ce1cc58ebc488a4f57fd1f983881754dcfe3bd78cac529e9945c89383e331f0177e721644b3a8d82deef548d161e085cff59645a345cf7af3f3582bed5b81c7de7a6a216403bb88804f7d16ceec9"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"e9506dd05bac4750f5d5b43e0663ecba6444455ab6f662802897a493ca11ff05f76045b621004f4a88fc6b1ba859ae795e4846f17c3b1c127a8ef16d32381e27eeca77ec062a8a8f811f5dd7f90737147f5fca2b7cc89009b0350292b88d1de5de94e1e82bd5f7bf2e06882a925977ce":"":"":"":"abc3d68bb9b0d29655ee2057a60e59fb84afbaf9c75ac5d146a9856384022e4873a6abb963d8795ded5ce33f8df9275f8ae4c3da0037973487348645415ed51458529bd7c4996128c943ddfa21484521fc645723802318ffd5191e957ec453a8e922d48b1e83681c1463a03c34175a5d610f8f3709b3044f45084f901704547e301f9807a7d92036e08a3eef791f67659816fcb28922b9b52e2a4a2e81cb848f9ae579cba346b0507e91f26b70d199acb6da5d3544b8caea762f6f30178636d8"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"f1f00ebb7cb4bbb3b0a083a290d4d3cc4db53aa9eb3f2feb1d428cf6d8104bdc56b2a30e75782693d7565c5d1ad6edd6cc22967eeb5f159989c2ed7fdb62103c055456f5e1a3163bfa034c502ccbd9aa75385d4777d03a82606a890c89a207494d082becc22efad8fe69c367fa9e3350":"":"":"":"6b75aa14c129d011191b9016b089af15b806a494e8e763a7fe902479155704e1a92eab48ce29fd0f1e9d5a2014757c3cda6e021defdb91c796cbad709658edad6c8f7ab6aebe978d507459198e0719eec49b1926a7c4e33e34e8e366966e0e4e7f3ce0aed6e51d7804d803aab57257ff1250ae8b76bfc48a505d4600bccdd992d564b39c3519db0c7dd26f5dbabdf3c098735688aad1af8525e8a6a343835bed094708b78faa300c08600e638e6f24f4b2b78df0d747ffbb9521cc6786b9c89d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"1f3bade86f64dc0770dafd6a4900f61baf003c6dccec496856b7b08cb99db8f371f1c9606602ad397e0c757f56ec6176c04e832302fd6fbac3519af6d2cb9da5a85ee70efc19c7350145e904a7fa9d3199e1f6213999ee3bbdbcd1200b4dd4e7a8f112f3a37865e494bf8549349e9e78":"":"":"":"1a420c51052534d5d77347ed5751e44817824ed75467791c9717875dadcbceff2ffe024952958d4718b2b4028af83ecf363d57349a36476c0203fcdf4952794aa66b3692e7b0810ce060601817ad0794574b1ce12d6a7b6ec1d0b1e0acb2a6c453be81bf2d17e1fca7dc1c9ac5fe4a64069285a8cb9408051ba5ae4dc0c8897b4a216109b22ec56aace995a453f28dd7d2c38c7d44739b9f09ca0e52d62f204e7f4a09c3e231c8cdaf54f941e8d5565b25155be21cb316417a4c005f7e834d0e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"1b288c94a8aa7499850d7bf82177024f20e8ccd502b7b0f529c47185aad4eb82ca1efc0104f93cc35885e9894671b9d74fa8237f5d740fec09e90b88bc75124e564f1f198081d51c950dbef6a6ebb2b5e1aec008d8a5a4c692f6467c740f5026807bafc0710dc8e9197aee4372b429cf":"":"":"":"3daf72d94056e6c7138787004f40a4a0c81a244c8aa14c332675e977330b63315916d8fe6ba8f0aea5a22def342d4136d1d6c787b3a6c6c05a44ee1cf9b2d8911974974cbf7a14ed5b83fceb8dd8d3ed59194d3fb6cce579a97244091731a4c1ca1d6e4c9d2623a41de665ee3c8236e0da8710208cee948f248329781f40f6f4b4010508c219755b6df752b9523ed0c9644b17250bbc88b4338c688e97e952a924da894fc986f7e807fca4477be94dec993cd6910709d8032fd3a5b97612cd65"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"1e1837b46486b6e65713327240bfac6c618e817787c277b995c92dbe03b9b01de8e100b303ce5bf5048dccfce4d240878ffd5ddcb6754292291d1a79ee1e62b6da6b23d7a83d0fe9e84757dcfa51d05709d54142b42dc876506876b136b6df34b485c0c129581972bcbc674b893ad61b":"":"":"":"23c258b93d4e9943783e88b244a52cde6747d8d7ff28b77e2ddfaa2edcbb29eaf41dc75cdc2c5b581b3a59fe20e705223bdd90e786f6c6498330ec9bd7ca7303e53c0b21abef1497210f8222850ca7f01e0af4fefd36d82e711fb17f581b951e949876a5ef0a212fb73af4d32f6bf9fe8c9e60849fd2311f3b5cb8a4abe856b3dd629fbac41e6dfb502d1894088fc52832cefff807555457c03ba7b7daaf02830d9ff8c9e8ed09ddbb68d6530af0cc5ae9383acd34c89ec189f5a97abbf3ed5d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"67b2a6e09bf31ecee8fe9c719491baf3c6efc0e27519155f99c94667d727420265254ee6d34c6b9c03414452d68929812f1d23aca44adfaf6b02f519dfc3f034bc32c1b763a129a97c7258e5e77ba69d6eb459be2cc96fd6150b6040babcc406143bdc2c1862c7bf6607b4be95f3151f":"":"":"":"d0f71e56e975e443bd7364eaffa9dbfb60a82bd0ea6405de0b1301911449ae6ac0dc8792acd2b0ca3e68c2abb982362eb2a7a8f95d2960579f9932070c9cd7abd57a36759b2c6f12e20dbda8a16a17c29b70f5bb8db0efa9451d9a349b9917b7bc39af6c6be8217e0a6fb52e6a4c46dfe41e6a9cfba84335d0254cad07557fd7aa3fea185c8c88a921ea665e410067395791785ebdf1793038ceef6c590e64af00ac4ce69ac3d0b497feb93b4fee7d55cf0fa40dd49ea748b33f038b5097578c"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"379d0a38c8897a6524d6a59df4f09ba975c146be7a398c3cbde8c222fcf998102e98223b81dfca7fb5bc92b164afbaf50f58b8df04889dbd69acd59f7d5ac08f81984910ee20a4d58c51512a3ed893d7b736da894a0b52f75c5208d14f858dfd42290f4181b7aa249097b93fb2bceab8":"":"":"":"166f643609dcb8951161ca15b3660759b69da616b45761b8cfec01a8a7f51a0bb1cf256c9fabe69b29552f8e861cbb3160b905d24845d368a17ebf911a839384c3b3aa6c8dedf1fde12384ec9535ab9d008728978ca58ad88780cdc3d272d1dcf2059b9bdc0d2311812fb1b559e31f8e5a89efcb2b33c705555ee0efb23d2c4d312fe02b998eb78af85e3839963afd98c1c644ed4493c3f1af0cb210e660748cadcfc9ef85fa3b5fafe345756ca34e7b7f88d3aff8783e92da00dbead5d51f89"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"96041c211e97d480d149e75c876886a78fee171e0f395a952a0e873af4dc22b46cdb68a60dd1d5753027e544643c5764cd65e202eb821804300ea618e8ff9785f3bf2fbf1b1048cd4450399e2f642af38bce41df8fde3208055e34d356b1aa1b0180673e8507af2035f75e9fe629f979":"":"":"":"51475ffba32991781b17e38ea58b08bde40f03b64824187b9506153f41c233f34dbdc52b63cfc71b120b4fe6c2866d11e9aaf44f82deddaf998caa56a4dd58a6ea2e8f5e3c4ec7fef73e5620cb6a77313a4bc0b135c57d18085010a4a026059c2abd4b6d2048393c5400341928f5ee6c5a063d679e185eb9be2834a1009d03d298b9abb09f993a8ede54bdc4d9a95c2af5552aed9fb02cf598a18b5cfe6c811d1ca4ed764d0756fdfcb5d03aac1ed80fc86595539c105da6b66a00a91caf44fd"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"423cf6fb44605cf03e3063bceb92c156e38c5badfaac35593139df46d325242c84908baef2f824bf3ea66e74bb4127a0c5650c33f68b5d33502b1f55e06fe2c1169fb34688a09291d1e12e5390a73da125be4cf15692e3e6ad0ab6ffb22cf3f77b00333517ecb2239c9b81e59a72d087":"":"":"":"41f335cf727ffec9ebfe7cb348d11cdb4e5e49a9a047d8342a6656e5d235219a5d80715166698cc1f16e34f743811b820e6ea55c2bdd0db1b97ea2269fbf60c739feed818282f447bfe2bd0b9a7c479144f0016703aff450abbd87a50e5e5af0d2d9469175542737bd116de2a73acbb74d9f0077a227704f271fe0696f071914dcb9c0f0191fee35eb66248eb17991b538649457d5d5f9d4bb9cd81c33a14d2becce003c143c9cfe39ccac51048ef169f6a22143eca721d04f6e147749a44a75"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"0b2307c32f34d3f3c3d6887fb17ff68b01f158ef07438a41cde27d2d6725277f33f60888aa32b9b7406f78f47bd877a1795496f759d693f3f8bbd65cb5b2562c4a8d4a717b6bb8eeabc4d8f56118a97d3787d3065f1e20e6d71a1dee563fdb2d56561128fa83d8602fe0da3e89b019e1":"":"16815bf5482abc969179152f79aa34a04c28d483e6ac81aae14f7e0e051a5662":"938c363df2740ba9ccd39168f9bbcd7d421566955f141e13ed039c4d86195392":"959517e0b27d461d678ba2dd528bfb7e844f7bf14a15fb176efabb3a5200ff2b373c7c0683f095798951dc7ffd62b172ed814954c44087fc7a6695a5a275bc8aecd3a2ca8ed631a9ebf5e1d1c515542c67f31e16fd3ebc7e2333c7dffcf385f0d6ebe16b9ed42994be9f83d0cc1e2b3b5773cd2963639ac74ce64a311ac0726014bcd213818cecf5d562cd1c5e97be4028f64400cff31fcd587a004cf60f03c6f3222e4dabae5c4bdef8819670f77f9227eaf55eba5238f90c4bea4f03588b66"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"062f2aa7b48c983c1c6d00d06aa523a67d4e86e5bd266451bb286dcc5888f0f4940c3b022cc76d68e1706d62fea84d052a019b921335f69ed5dcd902632116759b68e09b531de276c9238faf3a9802806750454a5260bd808b796cb12116354b9a7ab9ce33f8dbd40ae7e74a07cfca02":"":"4a217bf136c3894ff7a3ca07eafafa286fafc8a827328b105b3a8aff28e49d14":"e433460e9414b21fc3d5e2705c08a21a36acde4458e24b78dcc51199b97c7a9a":"5c980247a1fa16ea086d54084281c5fd114777ed21478beee9edb175be7c4066b197065da5f4c15750783039eb4b5e2cd4ccdc2a45c49ce535f03a36657f218fc616b3e8ef0c84b78b0cd1c57477242bbddbbde098be573e20d6ddc76649d706e7f6c7ca3f44c845c2c9c9d316ac8b7389f7264c6f8cd6c56ca5503e5b37f52d19e8d47cc85a04a0196b9387433bca3c18dc30b47030fd297705101826840991eaf5b856a5ab75d2bbb70cb13e0dd1876802fc2bd776a518b9dcb9484c499644"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"0fc79576bdba77a815108bc9cd2d168ee30f9ab76db70600ac95fc40c1f6b724068c12b99cb4928247e64b2ea8e75c728ccb3de18adfebe24ef99e14ad54bc1b3a486891b00b1c55172d16adb00ae58c9d8ae0fa9809245a56c9118048199767d35c026e6664773562af011c2ca7025d":"":"b0c200b6f8548643529fd414c693054d4fe04d8f76c3fb8ccc6992ffc25e6b19":"b91bf188cbaf4b01350d726585c6f3601a26b3654db2e2690a14f1989f83ad85":"7c64e503eea5b3df44dc0eb986188c312a0f5fe1f113239984608a69ccadce8a7c7f3136169e075b0c61812b1e74dfe6ab2e7d6f247f73859da5a1068c92ef8e6aedd94c3904b973ab887ca3c38de70b8b312e32a702710829ddf962f0e08779ed9770975536557e3f912ef0d5c4969202af50252117eca8182c30389c9b84fda95118f8c748f0b1752c1e58b8e0af530376aa34cd874cf49628bebbd7353ab4a5f64bbc8e3537762fd5556c680290b2c523153432a2e0df1658f2a5507a30a6"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"ffde7e2726e89cce816ab3e22572fe31434f3181d0578d51161cc77305e2562b755008c7e4ccc8ec62806bdfbcd8508ae418fcb0b57a4d1007469ee3d959a07e949094b0a3e5af69aea3a90a222630978af9139027a656151225a2183b92e980fff9ba9876824bafcf18d63c916fe7ae":"":"bda1741b0b39d9248dd062870334e33cecde5c5f63a07a3030f98b021c6849fa":"1b5336fcbb0ed183e0f80cd31ede4f324997ffb842a83957f41d291612c55e8a":"61d542e4794e9bd4acefef4b325d954c8ec6a29138476ab1bb037507cf52c17edbd511579be5c232a67269ef42364cfb4e2aaefb31d9e8e260a04e51d95c2ed6c5e0f095efd92fbd36edcae4393659af6bb98b0b71b281e91e1df37c353987a6a9e259f2735fd16b8c1277df651b26ac3d9f292c9252be7fe09ab7851f515325a078cd69a7573a4810ab460c4c9e7604e54242ab956fe471e90f86613ece7372f1aa934a50dbd0457033843b887c279f14ad6b4960f401b7fb777253ca5e295f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"7946fe7ada4b545090d7647c99f71594fa094593115c23888146b27a7ccbfd77ce305c1ae4fddbb75a65dba4f0ea18897bb7e9aff3138ba030005a7d1c5802838ebb20848f8e81e7e8018cd0d0dd921243c094aa710f6b0b2ea004bd684799e3caed8c3c8944d5da995b88fa071d7526":"":"b29a506c7bc8b2282570223230664193216dd47f7d20ccdd35943a88c58c0503":"3a4c00cd2f278f0e82498d33fb6ae9e020f4d3793e832afc9864c0b7b6cda43c":"8c0667d913b13866c7eab98471109d966901fdc66fa4dff8996ce81ec5185ce374b118da34e07bd82833f20fa4e44ef159f9b0c47c046307a484b3f52822a596bcfb49b555ec8d481fb30e13dc9898f093d34cbb4d696d70161315c48def73bb1c8b4947c8ddab101d4918f5cc00b890b7450e4e10c17c46ea7f5e0a1df65a1fe74ad2577e592e7bddeadb246fa62cfa5bb8620220b18fff296a19a5a3ae6b833321ca779b7cb5b55658931610d8b7776087c41ee4d077400753681c7da5c5aa"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"5459500d5a709b88bf067b4c390837eef5ae2e5f109c110a84cf32f561d26ddc567c5f4cf0f418cbc2a56d4325b2727f875cb1ceed3167136f0d93940417f616a3843b686ab4f5dd3d808801054c510fca5ea8fa0465f9d1afd8e0c68affa10f5af61e594e66b2bdb2372caa0712bff1":"":"eaec7b75ee03cdf0508c0ca171b005077954e2cec7230b0aedfe32a15cb1c855":"cdafe409b871625ab1b06a93c4d5a1f8196777370df18643f97050d7756adecd":"486aa4063b3840f0417034c65676d20da22c510d281bbf407855cb58a87ac9b33511d692315d88d27bd5d1ad5c35ec8b99018b5ca64897aff48544a5e578124ddc00f785deb60b0a60dc4873fa9a148da4dfa1557baa3aafa22680a40f650e4992d21e35fab3be5458dae13eb2caeddd8704d662b221bda01ac6329e2c451e865af9701a7ccb69c0ed0baeb226e6fbd2b871b99420949570bf5fc61c673aacb58feabdb304f870939d705426aae55cb3a2f3206c33abd453e077c4565c603a18"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"7e74b0a5413ee2ad8de814ea1f556ca5c54c6f11159f1fbc78faa86a74c4871a11658e917fed348e779aae510d383290bc6c4f13391709f8aa9bd79f38f310e2ffbe7fb1be3e6e3aac9d879f1e5fb3eb1fe81675cbdd098cd287f66fb9b28d50e12a64b9e08f28a40ed446fc3a12585c":"":"d152b0aa1946cf177aafc7d47322f8c756831550ec79adb40f34681fd6b3840f":"152229388caf5dc50454c2514d9ff1a4b70e3d1d9b8b29a228d59ce67e8bc586":"a1e2046729e849482bd693e21779e18370a542e2fc7baedbed054476f35447e069bfda33fa2723ad425717c027e8b30d57dd2fca8cf268849358354478cd8bb42e8f9a737c2e3d5490991e4902a52e86d1bafc1751f5908a36afca2b6b4663ccc9f1aa46e857e2ee61e4dc19d154029da48d59519dde64410b1d7daeb5b7b93213cba1bb059637023f928f16e5944e0ed2ca07be3674fed6e0da72313b3cb80b7a2d6533fc8785587366ca1b6769db803d6d840c5d1b6c4589272a3fe9371b0f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"70b5cab63391c5777e4e60516b7095dea3cf26d72b27c19f5a08de6634306d992de4c3f70bf2849a4c3dbeafb163f5d50dcbbcc8e6f4bd973636da95d71d39d6ffc9e67332088bf906921b9c48a7e3de158740a9c0f29a7b69d5545e390030965e305ac1653958360d01607bcbc39fb9":"":"ab042d23accf9a9473b43e82683e30f436fa492ba4a8911e4ed2622d481e0cd1":"b707e2d5a5020d37656009713bb100c55819a98e220fbdfd921c6c0724ba7238":"f3f82b7aa0639bcabecefc7b07b3eecc9962884250fad11b9351226f138e06e3e953e052792d0127618a28aaaa1bf5374a06393c18a326f8d3471010f9840dd16ec997f53fb981aa2b689bf1cdbf265b4ab698f9e8e9c054255147e04654b8fb1d0fd3a0b64d3880ee6e9fa87e0184f6ba307f4d3fea651556e0baeeb75f308fa32925f8c55ae0f355f8db8495ec6c46003763ad4ef36590ec40239b5e8530aadaac931feefc8e392c550ad4d89f5b314a53a0633c7a93bc05b588273e6d1d56"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"c17914dd6b73d65e5af112536f52b046d4963f9c9098c77d9dfe35ca7ee6366d4c0fed576ba4cd14caa3d0c406fffad2f0748362166975f5bcb9a395d568b8dbde3383c5654bd24f26890b21ee1f1cb10f3c93cf2df64cd764187c840590a54babc9c281de88ad1a1dbc2677fa8687f9":"":"4a61ee9349d53f8b3c1af36fe0a9303ef89705fd87e06e5f34b61e1350111279":"a9ad1cad4ca7a5af4bfb83680d4b914c23a6cd551e8b002c50f30be0d8693edf":"9ab30e3729dd8b2af987dcb793d7a3e1fc4ebcfe0a4ac976d91bd3897777effb210c8076e9fd135991e54abb4bb8c7b183a80ef37077692e519d38df4a04304fd83fe1d67d32147fe0a249a6c8bc603d99878039b873588c3781a193437f098094fd8c12945ef99036442c80cd1f544725040df980c548f0a675afaf62a1b7c225c9cdf0703e613c7a5d72c8b00d8ba199b8ecb48b6e0b0d103a3b0f57ff1a4b9189a20dedeac6eb26b1f66ea0c34ddded10af2b0133f4b5b95ac2239dd94919"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"2aa5423270d0859a6e3aa3069a88f3ac4c30eda7f6e52aa891e4f995244a80d73d73f789561b00ceddf721ea59a7eda3157090ec192c578fc53d232c36453c5e8bc3c9c22f3aedb6a93f7aa63975d9bd3369cd518e570f6af0ab162e4c938d17dcd4f3ae46d7cd502ef73b2d40f50e2a":"":"32cae3ff757b79f2305a8b5f5fff5a77afb581faf5a3796c5ed7054d7c048017":"632eb6f1c827cf299f3403bf80af721fe5ff8245331f1ccfbb8f4e61ef5edadf":"1a85c36131a8c271d6c805233098bb29f9104e6254e0680c6e264a76f79ec17c7ac65c8a97610a0a7e5304b37d1ebdbe02cf9daa9e45b81d75d8c613afb974eb38dc49041eafa7462b4c272fdd3d7fd4b05b1e6142305ffd6fa634ddde90e273b51b02c0b68b823c77ddf3e93a2ab9436d0f4801f08a113eefeefefb9592683981423f83235f8e563ecdb4e44daa9afa5e1728204dde1bd254c7985e6d56897c570b0c6307fd49ae4dce18ea55eae846af2a5acaae17a71f8369b64f47b0e54d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"c69c61689d1f7763d43b22b6bc2262c377c62db60835114442fd5bd65c665705b5563b3b6e9e793d0f4128696eefc5ac603b3edb35b705ae39845cefdf8fde23f5479ae4f033442aa958e979c89bc41dde68d92f05b28c3644133d19788624bc970019a10f6b3c6c5b8dd22b0cee3e26":"":"15cd6984fab6ae7db72a4c099a064cdfbd141dce361fab0021872c91b1bb65ff":"86c295fcc7f9c2ec9fad377e0e4d0119334080f59fa68c21c19d7a1212dce03b":"97b971ec13db049ccd72bc597ebc2e33fe4da647d0f74855f242884d35dcf92d0349fdb3527c87c5431c10fa85569285096d3369bd1917c8c7c8650024acb88e5b17c42b50a75419e29757a9e1ae09053cf0b51dac437883cf3f5b1abb40a71f40d279bc9d596d0f59f4c70f81087b4446c402279f4486198ee3294d0a5f72eba7ba52cd552906371aeeedb47122bffb0d5ed27c3cbb86a6fc2d83ab4db7b6e1ee467dd1ec20dc15bcee168f2e200179714cfc04eac651a495a718e1ed985bfb"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"4dcc7427dff46b7db7e2d3273e0605ce85c460cfd4269fce9ca3b10399b99e178b12f28786b9e3df457ac0015004844d6f6bef29ea562856ee82246d24982393f770d0b65d0ffc660d9d8359f10904fd8cbb76e648df60ec43237ff7dc46bc34920bba637a2c1643a53e8a88bb7bb97b":"":"4c0ab67b952186f2f85a0dbd4b2c1b0dd009dd794260ee7f321b2d2b3d994e09":"f5be66009b79f51f6aa0cd1a5a24a72c6a6c4263263cbcf80e8e0d514a2bbb1e":"211ca57a321cae2c6d1ad755ac924c92dd09bb1c6334ecc543ba78a18608479457bebda63f707fc28190b2d56e4cfd96d8c49fd146ace867236c57761ea28326e3d241d1dc35d7ca971df9d292f2563d33c5f32abe86367cf5f2f06628376752b353f72b501ffa94a50f146b8174cb7946ab8c8be382237334f37594418850a233c536d72763f10b06f728e3e60d3b4f0377d51b0de11d110a28b6fcb7c42b77e5f6b771c8e5d713a0f6c4d82ab2311cadf16b7cb441a417b2f595f32ea822ea"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"b72f34bf8209a28168ae7692e4c7d6f19feab9346971b85fb9f377f6e4a77dfb370a10addae744ac03f2f277c85423945f486830cd410f26e22c23a136d41800850113339242e1a0550bef81a239a289a8d020c14298854f0b17abb0bc461ed6d39ab2d9cfb03b835916c2a8e93710a0":"":"e919d983beae4b687bb393d90ad4104146e86564845800ecf82085d5b269f1dc":"abc8b519db05c1de8794248c5741627cc00ee35a972ecdec045a0cc557a2d967":"9777504473adadade14eefc0279f8347bb178a36dbb5fb028f0315b4309fad4ef554bf34b04146ba4bc260a89cf78195ad1c23c6e473a14385c66ba2a1c005cdfe336999245f00ffeaa41dfa3d9e68294e5d676f01f213c6d2d8a69b43e36f2a568999c0a8c07e96d7daf90f3e2e668eb9fc8e5c812a49a39507d193eb7c95b947aafe658a1065efe9370cf81014e4ffd54efffe5f863e6e4b7d875565617d8b72854ecf09263c55d1c3f1a4f4862214fafe7f03da5572095a7befcfd8e6ee63"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"35d5a6cae5aefdbc62f1efb638c15dda387a8f651810bf068a8d92601fd37e0efffd95196c09c668ddb05eef3de339222a0bd0d3b721a27e2f29be84a846c3964eb9a84cf69b214f612df3b414729df499da4d3ad8bf3613bdad3a70c73cae80556c16f8ab83adf0f2bc9391094bfd98":"":"cd603812a8444925993f2c1a0691bb4459faedd872f43852f9970675f579a1eb":"1441b6d4876b050fa4d969f1845d3f119cf5d8720c35da9c489000e6b7165db4":"259828d05b8e735fad69527cd2322f94e8e7ac2791607ccf2a74d070bf7d5574ffd8d6e447cb4e02bb15a87aa88d8f1667edc0905455b116ef7f08ce727d8f266965242e0042810f946e52acca6348d70e012d998322a18a2f3b4c4c6d6b66cfe65385312344e3eed14c6e7277eac9a4d09ddc5dcf8fcce6f79a23d34c80cb78aaaf1347ecce8c13efd450d59506513e62f527179b95b9b5d9df821c32538f8e1ccb17e911826e944ec44943ad8e726d54fa98ebc4d012d34a23771ba497ca2e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 0, 256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"66abf17d907a134232faaff93bfe361223b5b773980cc261fd19caaca022fd0a081c11efee01fb1f7abd0145b32a51b3237d6ace877ca6392bcae2fd2aa5b865aabfb1d1d1da33f42319a088c8dbed1124a71d39e627d5efaa1e8f3e5f70114bb03b71ce54e4f8d34e838106b2467cca":"":"1e51f2b67538f84440912c6fa20fbf009100fc3008b5b8e1308d95e7ca53b460":"301f91c659f73b618cb46a4343772f1eee9fb4949ec6328109823749bd8b0b11":"34c532082926e6d530b3a58282eb4666ac7374e8befaa4999dfc9f409e40ff966652295d2940db97061800583bc7d47b053553ad29c89ee61803c1089d30592270d2927031353592d4aa71f59a4bf3f2147cb406322367544c38fa5a3c8ccb534bd884355b06145db62161260162091c795874a2e99e01292a2e39e107738818a211750f858edbe0c2ea4734ad14f1c45bcc9f733f027616926558587f7332be55044dfd6fcdb628ff7d7d581820a217bc64aa092e450722686e0cb291eca45b"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"37dc21c72dc7c82d5e13c51ecaf5a8ae06402500d92caf96c0555a95069f4f0144a961ead5d6d9bc317afc8206202bddd57fc02a2a500df1fb5c4d9d8837b52a5220fdf068fe2b8b4bcc63fbc9bfc94c8e21d987e8b6cb0f4cd37b144c668f18b7a36ed4e9758ee7b96029aa0ab2196a":"41e3b89347bd035bde510ab8ff83d5fdcc9d5f2de648bdb468a714f2c1083c52":"":"":"a929ee23c5832e5ab93ccaa40bf775593d7d04a1a8411dfa07b4c8a2da2dc91b1bcb9c27a0ba5a7152ce5ded5f76cf6b83c04c0f8a4f6b43383ae3e7d497280c0f944be91b0bca6a56df2d00641bfc1ec549b538898e559407b076164278c0eb7afb6d6f4495a50d4da178c04b259d21bb745692d3bd186edf5bb3da6f66b4418fc3d9b085b0a6c1a5e54696272c305c4b8887595b391dd6ed8da03dc9fdb2728d8c40a2defd8af05ef1c443a72323f2e0b0d268109fb7e7ee70192fa06bc6c2"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"0dcbeb660cff703e059913eebff4f639a24b611a078bae8f01320ea4af5e8e0ed93b8dc4e84d224036b5da645c147359c6123c54cc2367262a7594bc9a7dc69f76549ab803af66de8f253d338d48ab827b2b1918d636d6ec92bfd9123f1f5fb59b6c37eadca0ca7792e2b7932e1ddc33":"1debeed9ba5790437a6c56dd3c9e2f6df0912aa0ce2e57fa8eec9652e2eccfc1":"":"":"5bd815b3c3bb73a45dba72c68457ccc17212af905607d827e8b5ddbffa34a058ec360abbeb6c8ba16c770ae4826135ac7e4faf208da8b5fe3b26c16fa7c7ef4000c3dfe1b8b707dde64b415c671c4615d56e2648908e047ac978a389e346cebe9228daa7bcdf5e341f72c3c7ff74672edd60c7c6341726450ffbf9e3e7a16580e7e602f9ddd3f3556129052de05991907d81a87467ff5842c6e5dcff4543e24ee48149f16e9107a9aa40cbce367d4b76042d77ef1790b0a7701b2f04873d245f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"d9bd99128fe2771918afc6db6b2514eea0b617d9bd4599a238d9d99a7ce18995e8d85542f3f9dd89920b0f79b94d7f551fef4a330e9de24eb197bc75677bc13d8361104997af99ea2c6da03f4e71c89e03191bc5e320f057afee98e98facb99d15142c61ddd71666cdc38146fbc3ea4d":"eb701a9d119cc6dc0d735254067dfe161b1052ba3f93ab0d6bcc19cc0387027a":"":"":"67b86213a84778a9a38eb9913b9db8508b53ac0a81ff85dc78c966d638255f8f7c63ce06d4a66f5d9213ec2b32f7e63ce5dcf01b59d3b30433f0cf4c06c171d839953de913093ec845670b38ecacd81162dd73501b2e4c2d9dc69b97d49bd6d9f6250070ef6b360305fcc5ff392d1adad98d6bfda67d10b725c7cc8ef6b4fc206fde1871712b96dcbc2df4f08d79f1adf7fbb01bfd8f20e76956ed4b9dd1d7e5fb4f922ad2a529bd871490e741843d839e876c4b475e2fa140f28ac8d347a07b"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"0de3fed3b363d20ec5018d4aeafb25c8e0e6aa42ee8b56843043f8d9c40b9bdc8ed427d29c469d8976a5b785d050f3d2e5eb287a064c54311bab32dcd5f240682babef59c6ffa602669f3ce4590b054e2550444f249b56666b7b2fbec29b33d1b29ee653e388f9fb54b00635ff526dd9":"82b6a44b0f35f946fa0fd4628738e61a0bdd421a8de73f3d2efa25216c789080":"":"":"1f7b951d147ddbf21fef9d4849044c44b757309da8f0244f71e4d8301e1fd50c5e46407f5bcbed83eaefdf8983c330dd0a67568e866b20b48c2bc97dc63a7c0d3eb60f2488b1eefdfaa7b8dd43132511b4a2ca80bc9e82851584ec4ae463444aadd3c8e6db2d4469ad9750e18a31337613975b3fa0629b9a22bccb235d20157a4427acd619324e881e68f5615c65e59a566a73e4ce9d484fc5b0b29137c4f339be84781cad67d17de03099b1d03ac45106c1f2eb5b380ec84392b7ba5c91df4c"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"abdc2ac24ba7d92ed9f518d9576510969f8d22074bed9b7639299d2137532c50faa49b5e843f417693a2eebd0ffd3f27c0ad2d8bbfdb912ed4d1ec85165d4ae577a92b1affab63070e25dca8bb1b035c8bbc5d3a07b4fe094690e4a45b99f9e5bb6b0bfe823f3c2a148732fd43db5e5d":"8c7b18ce389664fb72e777e70b533ced4c04b0c290fdd45b86b6b95708d74187":"":"":"c3d1420055f71a43264ab8da92829fa1b8937346375349d2e256705d933a21352ddb4eeceb36cdeab38cae58da81bcbe6deafeca5d7f018a0514bbc285f436b574ffac2547d26a3f9aef21b66c1e70b45d372e4dc2281182ae94667e442f39e1b9b2fc2aee06ab306095a904614613b513cf1af5a9df12b996cbe88cc3b25401790034ad0622df43af4cdbf9cb681538c79189a8260cf9c35378955f2ea859faa78773854883cd94bde4c0f50d4c998c278e47787e3f74f3dbb98f710366d315"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"d20353e175f4ebd0ef5fe77f7f6fbf5340ba07934828dd296c041a63de841002db0d21ecbfd5eda2bce80bed6f73c23d3f18900bcc02791ba9cae668fc33fc60ba84c6eb40afbbfff18be5c4960ce57ad67dfc8c1eabe61a299881c0f326f7093c1a232c80467772e707dbe75b5558d4":"f38f23461c471181a4179323aed247299df11ce145fbab9834b85b3cb42a10f5":"":"":"76a4994edba3d0d9ffee9ccb7e12a75e79c5ec1213f45ca4c50ad629ac533e5e6dbf58f8fac193755e74f9e7a75eedf89472e91d394e32eaed86efa4fb2f9e7fe4bec1d9c7a30fe9bd17c2cda73d136e752a9b818cee6f1262028031bc09cb81b89156138b571f03afa69dd388a807a8cbe9c4de66cad764114f9a4a6419ea70ccbbbff9dd774aea8a2d6b1d20d0a577c59953661f0a87b4d795c2626a025d733f43bb5cd1df37f5cf542c7c8b6bda061cf4693e0384060e63090415d7470cb0"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"a58ca5154659ba58fc1b468c909c667e1b5087884c01ab15f86fb5a431e982c1c041be0aa014fb310019fff65f40ff13d4469b123223ae44f4f4ac0fb6877a7890f969d39047e39ab23882cd7838e16e64bc361fe18136471dea2e71a86ef2d9f8f7e1d24643d7df292409ff8cba0f13":"dc05980e40f07a02fdb150af580a7d195ba26f4fa72a1fe513ccc2cf6e4f699f":"":"":"6ad4543c218cb6aafe65e6a50c4f9ee9d5c7a3b9a0112bce262f49f5b0d20dab7225fd0acffa25165729d8fbba038eb65f7e72f136e5bb82e8d94698dd9b763c38f3041ccece3b04189aaabed79e4d4213e24218c5fccf5f9a0c3902875564431f4d670e6e60e1dbabcc4642c3ef895c115e28702927cb98d509f9341ac7ae2c6ef6c2dc4537e909c81a9804057b6e24fa63ec5edce835e624969a969e2c47c6dcb7e9bcb2bb8f344d2b9855a43e26c0606466887b28b67ffd7f99d374812d11"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"9d6e99a11d63cab5aabb1462abef66bef31a2886cd172651bbf30f65b16fb8f3b93b5042a908510d8518330538a06253959da557d2b390c6fe0b7ac6b18591e5791d275c7e3d558690719d5967d026a80604a389946e2a55486b5c49c2984990a2e14824aa2922e6a59892c5e6d969fb":"af631e7990394889b84d851920ce8877934e706b780908a07211d45b247584a6":"":"":"9f33ba9083c7f4088c9505622cd5b4937b7189b0cbcdcf352c54ef72057594b8568cd4b13a4bfeb61261d27f5febbf2cbbf902a8d55f6bdf669238ae84b8abc58826841f7f62a0c5bd9f74125cecbf8e3b4c1ec88663114e7c248c41cce92e73b05eb3f826100c1b2683cbba985d2ab694b5de1ed8624628917ec9bb97733f337298c0459f198c7a138f1670dfac0d58f287b8244f0605f97406ef528099aa2ef290db202baa7fb221a8523344ad836c9a2bb25e1ff3fb4dc20f69ebc9f0fdd9"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"df7c57519ae3914c75174b3107b7ddab95df936c5cd7c296b1cb1ea06249915cda22bac19ccf2d522137989d5a42549809277ba155d04b3353520f4b5c2f18120bb4b8442130db58e9d46a1a41f5627c40a6b65a4f9075460b7053202a6e5b12b9e07ae6ee9b4945d4235d0b736e88f2":"10a198b05830cff2fb4f5b0317c258129396edb943769292753095b58bc8fece":"":"":"17b9fc6419c17534ee16aacf32550cbf58ea1f073b8e72fb9ae6e94094e797f216703da428394a1da8236f725b191cbec11531a1f87946c70fb1440a55be7d7d18c9b5085d626dd0cd9b3bd63a9014e5d14eef636beb694dfa7f781e83f3c1b4fe5519ab1a505d1be5b812514f3a39814601db104afe5726086f6bacb61c00ab8210239b2891938e97fc53de069f18a6469999727a904403bc53c6c73c7b3a5f9f37f380563f1281cdaa1b4bb4a636f849717c307848748172ae0191997abda8"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"2e403c307a03d766b61001842f85caf91a5eec97a49934547b2ce63411916495f3e102d333269e04381bbf140a28a2d61fa6a5f2286079619f4f4fafeb5c520c602d0ac3190fd500a3402e7c0647ac76c901e7c58e012cd6b9e83d2a969f0d0ae4e08ed5cb601fc72596a72b4854f246":"ff1d9eed8cf59f5708e41924cf13fd5d30ccb7dedce3062dfbb2c4bb4d36b65b":"":"":"e5e20f2cb063c1587583a381536aecbf0b0cb4400c99a74bbb6aa15f338b3e67187316865cf90e691d99466e34bd6612985575122c6c79848d4e2f26801d98e49c002f4063019394f4b3eee908f2d6b56749c260e56ece4e0431650a8bd9735879ee6c9bfaa5d44c07e7ff6978883c36597c31126386dafbbe035579819068bb060348629f74420bd411f2dc858d46dff0bb4f79946af96046da2c2cb32e0aaded4eb1ebc8748f277317f9ffb9aadac1bf5e6654ae7131d5ee0c765ff3d49d9e"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"4b1240cedb84ee3f395317e177efcf03b0fb57be1e01e3c206170877a06ec2cc077e9751b4eec964a4422d010ef1487456fc16b3e6e7ccb8a06230144535274215f00afe175d394cb04518b630ba7255ada0c6676885801a8f503c55c38850de6f7904b40cf03fa195cd16ea2999347c":"9043ef3c775f32dce1902b9efdc481f61f29220eca53bb904155f2aacc3b3706":"":"":"4facd2fff1828b9f4a63f639503cf6533a4d242f316ef7168fba44b52b876056bb0fd040d5e331d2746169cdc88ccef74dcf6c642c1d1a0db4130f8be9ff88555de4c2a7a5824f005cccdfa6074df3385672eca57a45679d69dfec232cc8b1bca87f6f9c6cac2f630498d52449a5d1b328a6d2ac1a9054a0658be589bc277b7750ab5d647a73a15a059d72608f9d299d11f9fb417a37ddc1b52c8b8859c2949e5ebae650b9cf8b4fd771288e582dee38178b154e681eaf74d4d3f35daf00a309"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"c2027d8c084e2c6fc5d535726312bc6362372872cd37bf07cc1c3870f3b59a970c62b84a10d1498b2e02027d854fd84dd615e29e7c204579968569386b6f08393322c4fb36da4398ec4881ca9c17905b7b2fa28722c98d404e93fbaadb165411d41256a0dfc806a19df0f526571c80f0":"8c5c93583dbba016531aecc1da7b010b9559785b2e8cf660ce17022f8d86be78":"":"":"54074cf184040f57716e9eef80ed0e006cd029b99ca568fd7639c4c1b0f7431933516830f5f87b157fdbbb2af7ab57f6faa26323f096c8e86136e49d833665a6cb3a22f7d5d38290c2e9a23c62dea6c51b958460b263566c5c0e4be9adcb1c123b55879f405f11b3c34c24852d33c64d6563ee46cad14ce08d5919ddbffdfaad0bef8d8ed9974f1d95917e2b108d9519b13c4f6929429d2dc44ecace7799839ffcae035904b576e71e92b0a89f39e3b3444b75ee0705419c3b3533c793605eb6"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"02ef640b9f087fa48457918d7bd6e910d7379bdd89e1549118ec67880dc3c4be3ad95397b8fc88bfced5aa76941716bf4c26696e9540d759c8c6b8603d5c40df267056c79bd8a3497b77052e498953493eb853b56c41f3286c09f1ec88637f95a1cb7e6e0efd3acb8a8fa4de63d10727":"38e664b930fb072112e6d47bfc5538b0d48672a12769f3eb860243bbc1c5db75":"":"":"c399e8c39ab174fa8cabb7e73845d8d434dcebc21062edc69d02928b0de4471517496365bbd59062a43408215f5b0f35971f4c48077623860206e0e6af8de751e6fe45eb6648a66e8ac5e603043c5365be3015af858fa2709c6c7b1cd22701dbbf4ef27fa45e6d7f9df4e8a558517a38e26bdd82960db9a92a0deee98657ab514913f134cb9362756a78ae4afed3a6c89e86341a8fb20b5cdfcd56933363f83e8c55c69adbf8e8d7199bc4f93b72ae1c4d0939b564d98e7f052c66e1e0988ca5"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"2f280ffe3306764839899faa89213139a40462039f4d9c55feaef6728c24cc636819357f6ea65badc8e493b99d5af1d995d14d81e39802711977d0a1c5783bfe3c290bc469bb9af520b0faa06f230fe6c4ba3804e39e3226f0731f09579e105d726b089d1c37c72e3faeb33768d3f20e":"e3d99860e8b1e9297c60b17904be8525be831d71dbd3f454f085d1758ebe7160":"":"":"45400ec700a4cf8309fbea94aa4fcbdd22c859e0f7defa746085a2f4ddb9db16efbb0c2fff798c99ff4e9e11986f4c330f3658e34a146f8d9071467228e3b0ea486cfbc81da3e739a301fe51b620d7d27fe9da0e4b875efe3c2bd0fde31f608015ad71cac9c95bce33e516c62fc45a9fc85a78c142416d7fbff3a83602dcce3add6301ca6b9be565e3cf06ad6f22855d57d9c184ed7214adc1bb014a1b6dafb86989283fa3a4be10c410442d761c98d2d3f94bb0d97ba1d5c8966eb47b0fe6ec"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 0) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"8f3ddc4230f8320bd18cf078c04c62e248fcc326980301174617a9e54351c667ba4c31a4c0e7dbd7336c27c0b8a034f6fd947b0a21e580e6c2dbfbd44d01f5fb4a51dcd2199df9f1803f24c5e774f048815302e016aad33254d308c5457f368965c15b6204e191c2a252e4fe88dfb978":"9bfe9bc055b3215560cd285553372c47cca422fca574c0d22d7ce5f2dd40b084":"":"":"34f550231d31c1b3a3db331d341ada3b987120d94e431831eea67e8d208f9cf1800549d445fc7befbdcc2488cc7f4340560d574fcd2396e9ecc9a232f1015cfb26db451623fe47ec8bacee1756573e74e519adc62b23ce86fc191ea5e13da9c7a14496426c6c53dfa7c7ccdb67d6164dbe88cbbe7f48d4971993003ab24f3eff18bd52c2661992e8f8da93bfdd28f01fc32edb439ad130352463084041e9871c431ba26c676ecd7812991833113cbbe687651e93aeb22a6a44cffc7a3fb214b2"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"8b285ce6b4da70c83fd72aab1b4be62101bf9b29e168726ea2f670aab0deaefc5da3404c494c6019ea33679e37cec308dab13e0cb060f66c1c83fc6fba46477d1a3c802edd7594db0b297dedb9ccbc800c817f05658fb9b4c99938ae2140160c4a16d548634a353bc285cb38d0e93243":"723c0f287db4af285c195cebb1104a106f22e8b243fdcd0566228ab5f227a9e3":"881a1874c800db068b5913d195058d0726458de3782ff530af1a761f9628547f":"0c27cf271bd7931d187ec6f56038519674468fa2e7e6f994904c9f1afa346939":"51e042dd56a193908c9018c25f1c1a8b5e2734b055c3b7fde6a8ba9ec2b959349df29295abb0a24b4715f98d31de0a369e6262c2b2cd49c5462b7ae284e921f5ad2ec013edc1611343c228683f4170f34a75854b1b656d226e294172d488c10a415f09dee70984b9c49e8d36863192301d1762145e0d9e94e99bd30ce8490438ed050f418cf4ba0b07fe90a82d1ccf38578d99edf0518c4a758a199db4d3533c4dbc55b1da19840b8f365a574aa01647819032dc0ad641388c2093ebd4ab5d99"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"5b5c670d3e0e97a21cfd5bc3d038f0c3d2578cf3147f5545e5118a04c4eac727b50734939e2fd0aba704932ccaac42af316525e3fc5f1dd224131d65f8d44ff8420891c0af7c78f9cf766097fbf0f8bfdd131db1801275c28081e6063c0c4d6242f96e40fc513608289f378bc4f18518":"4cb0e590a1d575b6a2df9cb0243895263c894a990b6798424bea9ef199761d08":"feabcecf0648665b08a7c690add6ff75744de3916d5573145c35517808605beb":"fe81cf8978798311ee6d1c5d6145b3832d9ad1a1266fdac0f4fa230c631e9ba0":"62aa5e9b8a07bed2a5d3eef0c73bbc841bb8cbf544d32a2889806ba501c6768aca98c19b83fd4fb2cabf120c05716b9eac9b77d561ffdd69682308f80fcf1c78409f3b21749bf71abdb209660716a39c2562e8ae1b3478828bf35ec9d3f9712d95f49a36b9eaddaf1b249f023c36d09ff1b6f3df6d10e4e336763edef9501827d5171c507eec405bae52d56fd62f90f5c58a2f1a7310530df15ca6b7841a2871a37cae583e6b388978c118b9600840f5540af529bce0a24da8f906f601fc270f"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"64cf47e52f758df802c2b37a4841c73a3228738d14b439a7d02b13fa3024715c744721e49f25a0e73e821f69786fe2d91ec1cce1d1cbf2dcbe5bdd2371c0a5df050841b6f07b1a2c0d064bc5e06ecf2ff9904928febe0bfaf3626df5bfb79fee1474cc8dfc3ae268570df2811bc3ba3b":"c3f0b0471d5273f40e74ccd71712071fa411b72b0f5a98c9eea9a5f7f176967e":"4df90039bbb54d8753b19ccb6250ffceb7279c05f6d69b5c47801c6fdeb1ddf8":"181d12bb126ea840bbf9e6ff5e68f8ef53f69071d223bff593a63e4e0c65ee1b":"8cec490ebe0b4837f040663de29e2c6dc801d7953cb2416d245ef66173e5d7baafbb77fd2c5ce69b4b8995bfe51f5f33cfffd9e9b1284fb8657bb7a3c26f5aac500cc7d3737fc81418c94d3db1a63f4922ca49803c04fdbc9488e21d9c4bc381c48bd9f7e5cd1ed6c6fa9e889e463dfc3a313812245a66be220266707a5358e25807ccb11f24780e5ef82c84a8803f72dbd21f55d96362d7cd8abbfd9d21f4e3dfac33326a4e538476508afd87e030d92328a91c91ffb16b054740dc3d0a2130"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"690a8be904c75e41342c8e2548abde2e465612a632710179ccb9c1dab76c4615bdaeda1587772638a61747738b96cfc94879325d2cf1cc0269d877eab8aa233ba8d7f1ff44e9118a128bcd8cc687eef58940343d27ba1d800aed9e2e911a8c83b8460f9d72c7b92852cc178d3d0baf6a":"5dd031fb2df56c510b3cc3c02fdcf6cf3ffa4a881e7475a8631073b3ed5e3c62":"a0a861238b2b9ea03582eb4703bc33921b5376c27004710d416ff921d6e6fc60":"3cef66f75aa682ad5430bdf0f01dd1f2c3492fcacc6f80ab351cfacc1c6b6ce0":"92b337a3364059acfcaef789ac1ae09c9ed05fdf69f5d5da7a1c9b6962d3a3c71a4041dc234f7be58fdbb728f8f5fb10404558f21d9b4c818fcadf5d6bac8bcb044e5b2fbd26ee08398dc8904c271e8d3d184bbf61f77c62fd3c8f1cc1ee2f8c4620c513f3abf5e312b431e8608b29cdf528d892ff03bc0a9cbd202b9da1d052ae2bc2dd8723198a1b3017ade2803c3dc8733ac33ddbdcef7a9948d64f72da0716b32dc6eea224bd49a7349a1c32e8e325ac11e5fad8353cf85d9eb4b72b1954"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"0eba7b06309f0dc4e2bfabea57e1d01a5a3e711398320925647008abf19cae194efbff93968c0a7d1c7623ee1e3987cd95c3dbd1b2ba94d0b2d416fe2f2f6faeab46646a378e931bb5daac049333129ce7e20e53117a0f68baf4c86a3ee5e787b02b53b1e0140430e77ca86f242d7f90":"69adc69e03cd113c34ae6b89c7c2fcfbe987e426da865f7c8e052da4bade343a":"729489cc7ba4f3f96f77ff365fd5380cd83cc7b17b150d327c5b7632f1cb0460":"59892fcf99ce719819774539ed4f10edb7cd35cd66969137a88ebe6336da90f9":"565e3e392a9f364df0b575d9444aac262f58ce12312d5ac9832ae6351b6aae0398e0bedd3074f57bd4e9f0e89a50d627ecfe11fe9aea09fce563eb34efd27610a3255f81f953bb3f222b15c019b9d812150f7a1f19126994c505d9ce5c948882a1f6c5cdbc7050461ccdbbb7aae597dab53a12ea6bfaa4d4710188d690fb0a0a34df7fb6bba949fd6a8565fded8e4832ff7f6b08a653a72b8b88782b8d77c1f217e8487163fdbddcc88a83d8bdad479ca75fdbcaf02250db39528456942119f1"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"9dea5f271193aef61bd72c76a581d65eadc8002b258a4d548c7ad1cb587a5f681e9709eab5e146833b01a79a34c352aa642a7a376595347c0203a8a0456af4e9859aea62c887166b3483e0c7acdd5b99a1b1a466dc0709cc6ba133abe29ecf3f3150d664d04baef8854fd86a5d8cab19":"895e5039eeb3ea1d197614a683c84d7780ac8724192bd6c35fe81137bc23e4bd":"9e8669a67bf80c695889a7e875a9ad1954b91e4bddd0848313b4efb4b00b14fc":"2e93a8b96ae1966e2a052db0d5c2d5b76cd7cd23494bb1170a33a9ddf39b21ce":"71a0ea8b9884e979f4ed546cee3688ebc399b41be38578f15b99d9621de0da3e671182f6da612334edb8d3a6d5e34c2872e277942854350526c3e000834bbe18cd5f2f336bcfabb42c4aaeb19b8cefa3f7066a89593960fabba244812d15c5fa7a7281067c789745127ee2b63b14237136c54864bf86ab7c377414a7933b829fc3052e8c26c698459a83b1990c093305372aa608c967bfda719e98c4c177764b72d184586f7b63a8e75f78c9e5e1dc045c3eb5b30c7147c69100c2cf910d4f3a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"2b4c85aac528f5cf44e9018795a1e8f810220ce318aa174bed9db372602c00f68ac33625739f299241d1a8381372537bac392411a1d6849aa6610a177743afdf45cc524838fadf1b5feaaa9983ca79a4508b5e4a275514ef4c04c233c3dbbca32a00d0a1628323b91dacbe499c1ba928":"799a4b3c9f62c2f6aa9e91604e742dd06ff9f77b15d3799684e1dfcf029d807b":"1d15f59cb3e102d5ff47ad4c0aae13631ec4d300de4247137aec5b43e5aa4f79":"f43801851946f97208909f1ad0f79d6577eeda70067886b270f55d626d966fbe":"f05e50192528ba1185cb964324141c1d195f6e26c42164052a7b7244797c3084d48bc5e6e1a27e64562cf2fa36b4de30132a082de2f927059731d084e2042eb7720932ae8e1741f05f4c75079586924cc43a6cf3f5525e037b089674121c2741f836372f219a33bfcd910884abb166eeeed1840672663e0455b18bc7c9fcf20967b25dd77eb37e00d8fc40b0788c08280b0bd8878c504d982db4d3d2476f5fe6785b1959d1bfa2762c00efe436cd217b6d01adbf7da08d23254f1be1991d200a"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"a716af9e058eedbe937ef79ee21cbaf4ac1ed0e2f4863eef4ca1e3e972f33326eb6ecfa7bc9bacd3d90215a3db843b24343edf7ada9e440a206df7f38f8cbd1d38159b8511f2a93d1f0b5ace8a89c0d823fe001656c3dde659874df88dd60056ced293cc49d64a71ee6b23199c9b20e6":"648aa30cb2687d857d309f702f6dae1f30edc824493d6e83a9e26d94f28948a2":"39c5a6514f3d399ac41b2640fd619312332fe053abf1b2a19472a58c28345347":"c912a1bb84f7aeeef79d73347097e09f6b8fb7ec593176cebbbb56af866bc309":"5387674cec52da2a9743b2556fa9874c0866e579079954cb357f17fc069c2e345c1ca80081040d620fba150c22eb1b8b2c7df082f637855c396ad6417fd383f8e93b7bd91693408e951b7572269c0ae65be8bcc9844f9fd8401e68f6fafdce195162154b34fdd5db8559dc11cfd3cbd3d391a45065761372f60c5182fe4cc162304061f86e666326c3332010fd388626cfa9ce1252982cae7b6eb1b8208c79b7b689aae9084fd180d00962fa4eea79f612ab7ec5fb51394f6f498528ad5860e7"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"af405b42f8a67c349bc10d4d0b97f56cce433e1d34cebcc75c2850010d20cf74f61b23e1d2f964ad6c9a8d65c9f87749da279902d5c30fb67207d72be55451337f34aaa8e598b9ef55fd36224ebee4b5524a93f1513fc21fa984f0a76c2bcc98ddf39823d0a87d501b3515e3ee9fd4d6":"1cbd963d49b2553a9711687bc50743d820588049cf097c100739f857b3928fc0":"e0d336ea552a6dbc132f194ac9ab80a34a54f4d331a55a070dde6601d6d9084e":"91e882daaa304874fb0c063718984ac53e1f0716ca8c9210bdcdddc142c84082":"0acb19f2a65bf0e1d9f9561d8731fe0f0c178443f00faf427973ad45f2df4f4d21a4fdecdf96c34be28e389d8caed96b515ecb215ca915b38c715015e1b07949263fb65517ea4bcae361d76c418cd2c58d29010ea79b9420d1cedf937d3aaae7e29c2170ba88c8328664d884ace90e88c66200033d19ffd52f668b00b0df088b7942377c1aec37b3c304521c394ec749efbb252669e0c0415b8b04b995fc224903b0843fbaf0be1ce804c9f14a5e97afa70d0fca9cb708ad20388730aa9de020"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #9
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"e9ecd00efafeba4fa9cbab22b1b5288c98a36ff1d6856592a288325968c31d7d88fd2be5c82d79413b33c1dbe972859822ca2c8a92e7812479c14fa292a627a8909c3a953a2758d42f22a18682ffa219aa9908e06f521be8fb59ad58e5651aa9d6b95983e23e54cd57dfc82b2077bf96":"adf1f50a295d88f68e8c07a180897d8e7b49f7cc6cb78a3b25ee10b0583a0f0b":"82de6a73568ade5e5b0d8ae37c40ff25e858a7055346020c5e47feddfef75680":"cd0e15d764d2355ac9f1cbd5ea519ed1756a3bfaa55e3783b738c03bdb42e371":"1e592e5003fc0f3f81a7aef2272527980cc5a9ac7286a621513b9c7ce2ea94fbfa255ef2654d673bb8cd13f3a033a7701304acbbe8d19b82a61d2e77e7251f98b0e28e1a694f9cba2c86c7c8cb20d9c2986e52052f701596e3c837af95b166cd227f2fc00edd3ea62b57f60262712b2f71479569c119cbce9d771f8a2cfdf832aa8d70e0a912978fb2bb33b27a185fb3a4caa3a18913aeab095ac088d14381802117af0cc1d97c06fe9730bebbff0adf2ffac5995d299e4defb0722bd93f0799"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #10
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"898a6c47a5cff500ea0f5b18b5f0b4bcf7e75d6d7c92025f9920c666dbc1c5ffc48972e1d519428f8d61dfb5e300b48f2660ff53e1ffaa3950cffc50e17a874182236fbb555d35ced33302ef87b84c0ad31e87441ae365350452a39470567bc009871a3c9785bda4569af33d03d46f08":"9e16568a225b80e9011571f3b55102cf6362e26b8a60fd33680d4e6625738e5f":"b1c65d6e51ba043f63b4251ed58e9a8eebfc289f6285705f8ef44c202c9b4a22":"245ee741a2041eda22ce7053f8576c0a43eae868fd95ad7d58bb921c155b1b53":"b076210688b06ab6b57edf68126dcdfce82b6f9285ddec102ed60730aa7530863076186a3f7affbdd4ef081b7f5a32fb461bc5755ab4f860012631b74ae357fbc3cbd64f0eef8789c6c9dca894a41a005d272b4a57e761f91d221636d0ec7a49f10bb1b4264938604ff4dc7bc97eb799cea9e3e1d7a9b4bd66d88d244e22120bb311f502e66e60c5c9e42731ad320b23d6b06ae92a132b093ad924a1a7e08b5dccdc50e257bfdb63bf5705350588f61e93e4fc5042a2cad1bd6d9fbc82e875cf"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #11
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"8e92836dc5e4bbf9598803efb0d3871e5418cf18f379479bbcbd9262558af6cb6d97e73decb8781c30f69b61c1f5c91a5ea1f10fb1eef74b480e583710d9a6a2e57f8cfc9d0215fa73d1ce9c1562f3cc34be187940cd317b69139ab9aa58d064b6bca59ee6460c3db4e8b57fab0186f1":"6d9afc769985218745235e5af280eb45cec81a2e920c284ed5c77105489e8f4b":"711672f2ca12e7d8f32445a87163bc00f5d0f52c2f6799ba513b68c07c350de5":"426aeab2cfa56cd3146c0eb9facfbc048a504eec3273256b5e4db3d66c89560f":"56325373099fc1dd194555c3a1e69358fc7f80fe6610412cb31c14cdc70c73a74d040746c6cf388fb9718e7446888c6162de73ac097c32f8b4b00dd7f115fed1821d3786baaa1f64885cb93c75531e99171f98d3c3576337c1c41c5bfe83f94cef2adebc88c0790398d4c071488699edd599797c1f8f394b3e00e66bc4b68a7cacd209695961713c3bf2c9a5c8589d935e171f775f366217e2634ddf0db5f01ab31760ebd9ed9724292bec89db06d0145fb824a76292a35f39b01a06c43510a6"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #12
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"a4f1fd83e53a406163862260fb9e2ec64d4af74f5fa41ff56c07c791b6bb6abbdb203670b1849afbf0931206ad6393798ff06fba8dca3318c29d9161c0ec18ec5d7d66847b1a618bb0e4f69fa1331fd1db5d5fffdeec5a2e045c588dc95a5d5eac6d35502ebe2e6a57318f15af53e001":"39dd79397f91a97432e5124e7b9b85928f62c598ecd19626070a81a5a8ed564a":"985724541d44c8b865672759c8d36ded75c2189c2281731888a741b305eb4161":"e2dae75950e417c18f1c3e5fbd66b1cc9fa617aa695c9d03d8768b9e197fea80":"703ab1f6a5332f01fa788cf73922a9f6cf856319772eeab07b4795702562cde350a8cf9395976fd227b08134feb469ca34f675c9b6f176ad684a5b0d02b4c135a7174bf0604a1546e7d8d978ecfd8cb6ae5efce3b228dc95cb413b010732c3e7f9ef8e547a93540e5e4aaaa3b0e5a8f45b83bb11209a03883c54f41e494fcbc66c2d57c01002137567ea2f99f7a1ed6c4c6080bdaa299d18f57bb3b386278a78b2ef23a03043e850bd9fd742527c45308e5b910fc586f9f21de7022d02b1493b"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #13
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"f331ebcdbc0d2dfbf54758680dd49dd0bd666d0505ef6ba1c4bbfb7dee62edc34ea9063632c8e6719bbe140c3c840aabd66e7702c384700921dc1838c6c5a832c650a474e74270c378abff021d60d1a1884939bbdc51c547c72c929c0c73ca7f78668d33fba197642be8ac2d41cefde4":"ec299e456cd1985a3f1022d5c05f0ef9040cc8b8297ba5e404d92a6d36c3578f":"954f464877f7258f99acbfb9adfe4eedc89da71ca82e3581fb5bad127b2069e7":"515f9e746c7407196610bbae963b9bc15b1658972a30e62be6f78caee1287e88":"5aa30a796d46e789c498352ade179f0cd3336418fbeafae0d10fbf7798917672288b3b2a12267fc0435d88b4e99809c1e3067f0d65c910b12a330334b6a23d6d30910d301438c2c999353e1f78019ba7b20eaf68b499ff1e88db0431312a66f35305c4f3c3a2750c95bbc07ccbdf1e4d123eec378b9be8894b597bcc029c664e59e2b3c23fd72841af0ddc9374ecef21885a0b54d13186dc0a66ed3c3caca9e41753813ae61015a952142bd4d7ebbaa3193598be1267be937745fb0de09aa70d"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-384, 256, 256) #14
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
hmac_drbg_pr:MBEDTLS_MD_SHA384:"d99ddbd82ce9937cda083e30b3da47a6e6ca08b8f59f2fc934bb3f78e748bb28cfabddb375efc5f2025a53fd073a89b0fbec391290863ad862aa56fe6d945044e879ca05c3c019313f810dd559fa0e682d6b77ff7e612c7c40cd5231eece4018c5b3c0d8181ab44703f7a04c0a1c7c5e":"ebc2193d4a97b97d298f1305b2f7a54dab466f7c4e444831651cac29a6c5bd88":"6826aad41f8ac29e272884cb6d21300c7b0b3ca37205e1720afaf9f716f337ec":"5a7434648de82a3552e12aff800093776ca3e86565b29c0b3ad6c0bc3180623f":"cfc79a89a0a55dc9c6c6eccdfab5a9935335e806b73bab7f5eff5f9fea6aa3f47bf31f06d987a94e2bc2a4a6144ebe94d6f5aa8fcaabbf86a37c8d412207864322d3057b89fef358740c5962cf9e7c37072847fcaa6db693a5238ef270e8414e2b29448bbcc37dceaa75479c2ac5fee2d6fe9ed68516f6dbd90135ddcae8a12d1c1595e0edc34ea2bf00bee7ae773c240c2bc1ed828b7ff91a676891173eec1dabeecb2184df9186c3bd833e349351481655bda91bc0f4e419fb78e426de6b39"
HMAC_DRBG NIST CAVS 14.3 PR True (SHA-512, 0, 0) #0
diff --git a/tests/suites/test_suite_lmots.data b/tests/suites/test_suite_lmots.data
index 2737272..73a6f2f 100644
--- a/tests/suites/test_suite_lmots.data
+++ b/tests/suites/test_suite_lmots.data
@@ -17,7 +17,7 @@ LMOTS hsslms interop test #1
# This test uses data from https://github.com/pmvr/python-hsslms due to the
# limited amount of available test vectors for LMOTS, and few implementations
# providing direct access to the underlying OTS signature scheme. The private
-# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
# This test uses the same OTS key as the LMS hsslms interop test 1 (leaf 0 of
# the LMS key), and the same message.
#
@@ -28,7 +28,7 @@ LMOTS hsslms interop test #1
# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
# import pickle
#
-# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
# private_key = pickle.load(private_key_file)
#
# ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 0, private_key.SEED)
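Review bot: The regeneration recipe in this hunk feeds the re-pointed path straight into `pickle.load(private_key_file)`, and unpickling runs whatever code the file encodes, so the move to `framework/data_files/` deserves a line saying which copy is trusted. A comment such as `# NOTE: pickle.load executes code from the file; use only the copy from a verified checkout of this tree.` above the `with open(...)` line would cover it. The prose path in the preceding hunk is written relative to `tests/` (`../framework/data_files/...`) while the recipe path appears to be relative to the repository root, which is worth stating in the comment as well. The same recipe recurs in the hunks for interop test #2 and the NULL-message test.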
@@ -42,7 +42,7 @@ LMOTS hsslms interop test #2
# This test uses data from https://github.com/pmvr/python-hsslms due to the
# limited amount of available test vectors for LMOTS, and few implementations
# providing direct access to the underlying OTS signature scheme. The private
-# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
# This test uses the same OTS key as the LMS hsslms interop test 2 (leaf 1 of
# the LMS key), and the same message.
#
@@ -53,7 +53,7 @@ LMOTS hsslms interop test #2
# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
# import pickle
#
-# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
# private_key = pickle.load(private_key_file)
#
#ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 1, private_key.SEED)
@@ -67,7 +67,7 @@ LMOTS hsslms interop NULL-message test
# This test uses data from https://github.com/pmvr/python-hsslms due to the
# limited amount of available test vectors for LMOTS, and few implementations
# providing direct access to the underlying OTS signature scheme. The private
-# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
+# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv.
#
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
@@ -76,7 +76,7 @@ LMOTS hsslms interop NULL-message test
# from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
# import pickle
#
-# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
# private_key = pickle.load(private_key_file)
#
#ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 3, private_key.SEED)
diff --git a/tests/suites/test_suite_lmots.function b/tests/suites/test_suite_lmots.function
index 293287a..c81501c 100644
--- a/tests/suites/test_suite_lmots.function
+++ b/tests/suites/test_suite_lmots.function
@@ -37,6 +37,7 @@ void lmots_sign_verify_test(data_t *msg, data_t *key_id, int leaf_id,
mbedtls_lmots_public_init(&pub_ctx);
mbedtls_lmots_private_init(&priv_ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
key_id->x, leaf_id, seed->x, seed->len), 0);
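Review bot: The added `USE_PSA_INIT();` and the matching `USE_PSA_DONE();` under `exit:` carry no comment saying why an LMOTS test needs PSA, and the macro name points at the USE_PSA option rather than at LMOTS itself. If LMOTS hashes through PSA directly, which the switch to `PSA_WANT_ALG_*` dependencies elsewhere in this commit suggests but these hunks do not show, `PSA_INIT();` / `PSA_DONE();` would state that dependency without relying on how the USE_PSA variant is defined on this branch. Otherwise a one-line comment such as `/* LMOTS hashing goes through PSA, so PSA must be initialised before any LMOTS call */` would do. The same applies to the other hunks in this file (lmots_sign_verify_null_msg_test, lmots_verify_test, lmots_import_export_test, lmots_reuse_test, lmots_signature_leak_test); only lmots_import_export_test adds a blank line after the init call, which is worth making uniform. The function bodies start and end outside the hunks.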
@@ -48,6 +49,7 @@ void lmots_sign_verify_test(data_t *msg, data_t *key_id, int leaf_id,
exit:
mbedtls_lmots_public_free(&pub_ctx);
mbedtls_lmots_private_free(&priv_ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -60,6 +62,7 @@ void lmots_sign_verify_null_msg_test(data_t *key_id, int leaf_id, data_t *seed)
mbedtls_lmots_public_init(&pub_ctx);
mbedtls_lmots_private_init(&priv_ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lmots_generate_private_key(&priv_ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
key_id->x, leaf_id, seed->x, seed->len), 0);
@@ -71,6 +74,7 @@ void lmots_sign_verify_null_msg_test(data_t *key_id, int leaf_id, data_t *seed)
exit:
mbedtls_lmots_public_free(&pub_ctx);
mbedtls_lmots_private_free(&priv_ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -83,6 +87,7 @@ void lmots_verify_test(data_t *msg, data_t *sig, data_t *pub_key,
unsigned char *tmp_sig = NULL;
mbedtls_lmots_public_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lmots_import_public_key(&ctx, pub_key->x, pub_key->len), 0);
@@ -137,6 +142,7 @@ void lmots_verify_test(data_t *msg, data_t *sig, data_t *pub_key,
exit:
mbedtls_free(tmp_sig);
mbedtls_lmots_public_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -149,6 +155,8 @@ void lmots_import_export_test(data_t *pub_key, int expected_import_rc)
size_t exported_pub_key_size;
mbedtls_lmots_public_init(&ctx);
+ USE_PSA_INIT();
+
TEST_EQUAL(mbedtls_lmots_import_public_key(&ctx, pub_key->x, pub_key->len),
expected_import_rc);
@@ -192,6 +200,7 @@ void lmots_import_export_test(data_t *pub_key, int expected_import_rc)
exit:
mbedtls_lmots_public_free(&ctx);
mbedtls_free(exported_pub_key);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -202,6 +211,7 @@ void lmots_reuse_test(data_t *msg, data_t *key_id, int leaf_id, data_t *seed)
unsigned char sig[MBEDTLS_LMOTS_SIG_LEN(MBEDTLS_LMOTS_SHA256_N32_W8)];
mbedtls_lmots_private_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
key_id->x, leaf_id, seed->x,
seed->len), 0);
@@ -217,6 +227,7 @@ void lmots_reuse_test(data_t *msg, data_t *key_id, int leaf_id, data_t *seed)
exit:
mbedtls_lmots_private_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -233,6 +244,7 @@ void lmots_signature_leak_test(data_t *msg, data_t *key_id, int leaf_id,
memset(sig, 0x7E, sizeof(sig));
mbedtls_lmots_private_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lmots_generate_private_key(&ctx, MBEDTLS_LMOTS_SHA256_N32_W8,
key_id->x, leaf_id, seed->x,
seed->len), 0);
@@ -242,5 +254,6 @@ void lmots_signature_leak_test(data_t *msg, data_t *key_id, int leaf_id,
exit:
mbedtls_lmots_private_free(&ctx);
mbedtls_lmots_sign_private_key_invalidated_hook = NULL;
+ USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_lms.data b/tests/suites/test_suite_lms.data
index 7802a70..16ebd1d 100644
--- a/tests/suites/test_suite_lms.data
+++ b/tests/suites/test_suite_lms.data
@@ -11,7 +11,7 @@ lms_sign_verify_null_msg_test:"923a3c8e38c9b72e067996bfdaa36856"
LMS pyhsslms interop test #1
# This test uses data from https://github.com/russhousley/pyhsslms due to the
# limited amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
+# ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
# uses leaf key 0, so must be the first signature generated by the key if the
# signature is to be reproduced. Message data is random. Note that pyhsslms
# stores public keys and signatures in HSS form, which appends a 4-byte "levels"
@@ -21,8 +21,8 @@ LMS pyhsslms interop test #1
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
# * pip3 install --user pyhsslms
-# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
-# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
#
# import pyhsslms
#
@@ -51,7 +51,7 @@ lms_verify_test:"92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a
LMS pyhsslms interop NULL-message test
# This test uses data from https://github.com/russhousley/pyhsslms due to the limited
# amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
+# ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature
# uses leaf key 2, so must be the third signature generated by the key if the
# signature is to be reproduced. Message data is random. Note that hash-sigs
# stores public keys and signatures in HSS form, which appends a 4-byte
@@ -61,7 +61,7 @@ LMS pyhsslms interop NULL-message test
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
# * pip3 install --user pyhsslms
-# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
# * touch message.bin (create empty message file)
# * hsslms sign tmp/lms.prv message.bin (incorrect signature using leaf node 0)
# * rm message.bin.sig
@@ -75,15 +75,15 @@ LMS pyhsslms interop NULL-message test
# * touch message.bin (create empty message file)
# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
# HSS levels)
-# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub
+# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub
# * hsslms verify tmp/lms message.bin
lms_verify_test:"":"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":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":0
LMS hash-sigs interop test #1
# This test uses data from https://github.com/cisco/hash-sigs due to the
# limited amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
-# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
+# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
+# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
# signature uses leaf key 0, so must be the first signature generated by the key
# if the signature is to be reproduced. Message data is random. Note that
# hash-sigs stores public keys and signatures in HSS form, which appends a
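Review bot: The verify step of the NULL-message recipe still copies a file named `..._w8` with no `_pub` suffix into `tmp/lms.pub`, on the line `# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub`. The interop test #1 recipe copies the `_w8_pub` file for the same purpose, so this looks like a missing suffix carried over by the path rewrite. Since the line is being touched anyway it could read `# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub`. Whether a file of that name exists in the data directory is not visible from this diff, so confirm before changing it.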
@@ -93,8 +93,8 @@ LMS hash-sigs interop test #1
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
# * <download and build hash-sigs>
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
# * <Save message in binary format>
# * <hash-sigs>/demo sign tmp/lms message.bin
# * cat message.bin.sig | xxd
@@ -103,15 +103,15 @@ LMS hash-sigs interop test #1
# * Save message and signature in binary format
# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
# HSS levels)
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
# * <hash-sigs/demo> verify tmp/lms message.bin
lms_verify_test:"6b7439e31ef128c54f1536f745ff1246":"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":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0
LMS hash-sigs interop test #2
# This test uses data from https://github.com/cisco/hash-sigs due to the
# limited amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
-# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
+# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and
+# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this
# signature uses leaf key 1, so must be the second signature generated by the key
# if the signature is to be reproduced. Message data is random. Note that
# hash-sigs stores public keys and signatures in HSS form, which appends a
@@ -121,8 +121,8 @@ LMS hash-sigs interop test #2
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
# * <download and build hash-sigs>
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux
# * <Save message in binary format>
# * <hash-sigs>/demo sign tmp/lms message.bin (incorrect signature using leaf node 0)
# * rm message.bin.sig
@@ -133,14 +133,14 @@ LMS hash-sigs interop test #2
# * Save message and signature in binary format
# * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the
# HSS levels)
-# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
+# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub
# * <hash-sigs/demo> verify tmp/lms message.bin
lms_verify_test:"0705ba8297c7b9fa5f08e37825ad24a0":"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":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0
LMS hsslms interop test #1
# This test uses data from https://github.com/pmvr/python-hsslms due to the
# limited amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+# ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
#
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
@@ -149,7 +149,7 @@ LMS hsslms interop test #1
# from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
# import pickle
#
-# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
# private_key = pickle.load(private_key_file)
#
# public_key = private_key.gen_pub()
@@ -163,7 +163,7 @@ lms_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"00000000000000041394a893e40b
LMS hsslms interop test #2
# This test uses data from https://github.com/pmvr/python-hsslms due to the
# limited amount of available test vectors for LMS. The private key is stored in
-# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
+# ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv
#
# To produce another signature with this message and key (note that the actual
# signature bytes will differ due to randomization):
@@ -172,7 +172,7 @@ LMS hsslms interop test #2
# from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE
# import pickle
#
-# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
+# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file:
# private_key = pickle.load(private_key_file)
#
# public_key = private_key.gen_pub()
diff --git a/tests/suites/test_suite_lms.function b/tests/suites/test_suite_lms.function
index 7116f61..377efcd 100644
--- a/tests/suites/test_suite_lms.function
+++ b/tests/suites/test_suite_lms.function
@@ -17,6 +17,7 @@ void lms_sign_verify_test(data_t *msg, data_t *seed)
mbedtls_lms_public_init(&pub_ctx);
mbedtls_lms_private_init(&priv_ctx);
+ USE_PSA_INIT();
/* Allocation failure isn't a test failure, since it likely just means
* there's not enough memory to run the test.
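Review bot: `USE_PSA_INIT()` is, by its name, the initialiser tied to the USE_PSA configuration, so if the LMS code hashes through PSA in every build (not visible in this hunk), the unconditional pair `PSA_INIT();` / `PSA_DONE();` would state the requirement more directly; confirm this against the helper's definition. The placement after `mbedtls_lms_public_init()` / `mbedtls_lms_private_init()` looks right, because an init failure that jumps to `exit:` then frees only initialised contexts. A short comment such as `/* LMS hashes through PSA; keep this after the context inits because a failure jumps to exit */` would keep that ordering from being changed later. The same applies to the matching hunks in lms_sign_verify_null_msg_test, lms_verify_test and lms_import_export_test; all four function bodies continue outside their hunks.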
@@ -38,6 +39,7 @@ void lms_sign_verify_test(data_t *msg, data_t *seed)
exit:
mbedtls_lms_public_free(&pub_ctx);
mbedtls_lms_private_free(&priv_ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -50,6 +52,7 @@ void lms_sign_verify_null_msg_test(data_t *seed)
mbedtls_lms_public_init(&pub_ctx);
mbedtls_lms_private_init(&priv_ctx);
+ USE_PSA_INIT();
/* Allocation failure isn't a test failure, since it likely just means
* there's not enough memory to run the test.
@@ -71,6 +74,7 @@ void lms_sign_verify_null_msg_test(data_t *seed)
exit:
mbedtls_lms_public_free(&pub_ctx);
mbedtls_lms_private_free(&priv_ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -83,6 +87,7 @@ void lms_verify_test(data_t *msg, data_t *sig, data_t *pub_key,
unsigned char *tmp_sig = NULL;
mbedtls_lms_public_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lms_import_public_key(&ctx, pub_key->x, pub_key->len), 0);
@@ -139,6 +144,7 @@ void lms_verify_test(data_t *msg, data_t *sig, data_t *pub_key,
exit:
mbedtls_free(tmp_sig);
mbedtls_lms_public_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
@@ -151,6 +157,7 @@ void lms_import_export_test(data_t *pub_key, int expected_import_rc)
unsigned char *exported_pub_key = NULL;
mbedtls_lms_public_init(&ctx);
+ USE_PSA_INIT();
TEST_EQUAL(mbedtls_lms_import_public_key(&ctx, pub_key->x, pub_key->len),
expected_import_rc);
@@ -194,5 +201,6 @@ void lms_import_export_test(data_t *pub_key, int expected_import_rc)
exit:
mbedtls_free(exported_pub_key);
mbedtls_lms_public_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_md.data b/tests/suites/test_suite_md.data
index fb9b5ef..164fe4d 100644
--- a/tests/suites/test_suite_md.data
+++ b/tests/suites/test_suite_md.data
@@ -13,7 +13,7 @@ depends_on:MBEDTLS_MD_CAN_MD5
md_info:MBEDTLS_MD_MD5:"MD5":16
Information on RIPEMD160
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_info:MBEDTLS_MD_RIPEMD160:"RIPEMD160":20
Information on SHA1
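Review bot: After this change the file mixes two dependency families: the RIPEMD160, SHA-224, SHA-384, SHA3-256 and SHA3-512 cases now use `PSA_WANT_ALG_*`, while the unchanged context lines for MD5, SHA1, SHA256, SHA3-224 and SHA3-384 still read `depends_on:MBEDTLS_MD_CAN_*`. If this is a staged migration, the commit message should say so; otherwise convert the remaining cases in the same change, e.g. `depends_on:PSA_WANT_ALG_SHA_256`. The two families are presumably not equivalent in every configuration (one says the algorithm is requested through PSA, the other that the md layer can compute it). A mismatch would show up only as hash or HMAC vectors that are silently skipped, which is easy to miss in a crypto test suite. The later hunks of this file repeat the same pattern.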
@@ -21,7 +21,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1
md_info:MBEDTLS_MD_SHA1:"SHA1":20
Information on SHA224
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_info:MBEDTLS_MD_SHA224:"SHA224":28
Information on SHA256
@@ -29,7 +29,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
md_info:MBEDTLS_MD_SHA256:"SHA256":32
Information on SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_info:MBEDTLS_MD_SHA384:"SHA384":48
Information on SHA512
@@ -41,7 +41,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
md_info:MBEDTLS_MD_SHA3_224:"SHA3-224":28
Information on SHA3-256
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_info:MBEDTLS_MD_SHA3_256:"SHA3-256":32
Information on SHA3-384
@@ -49,7 +49,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
md_info:MBEDTLS_MD_SHA3_384:"SHA3-384":48
Information on SHA3-512
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_info:MBEDTLS_MD_SHA3_512:"SHA3-512":64
generic mbedtls_md5 Test vector RFC1321 #1
@@ -81,35 +81,35 @@ depends_on:MBEDTLS_MD_CAN_MD5
md_text:MBEDTLS_MD_MD5:"12345678901234567890123456789012345678901234567890123456789012345678901234567890":"57edf4a22be3c955ac49da2e2107b67a"
generic mbedtls_ripemd160 Test vector from paper #1
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"":"9c1185a5c5e9fc54612808977ee8f548b2258d31"
generic mbedtls_ripemd160 Test vector from paper #2
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"a":"0bdc9d2d256b3ee9daae347be6f4dc835a467ffe"
generic mbedtls_ripemd160 Test vector from paper #3
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"abc":"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"
generic mbedtls_ripemd160 Test vector from paper #4
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"message digest":"5d0689ef49d2fae572b881b123a85ffa21595f36"
generic mbedtls_ripemd160 Test vector from paper #5
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"abcdefghijklmnopqrstuvwxyz":"f71c27109c692c1b56bbdceb5b9d2865b3708dbc"
generic mbedtls_ripemd160 Test vector from paper #6
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":"12a053384a9c0c88e405a06c27dcf49ada62eb2b"
generic mbedtls_ripemd160 Test vector from paper #7
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789":"b0e20b6e3116640286ed3a87a5713079b21f5189"
generic mbedtls_ripemd160 Test vector from paper #8
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text:MBEDTLS_MD_RIPEMD160:"12345678901234567890123456789012345678901234567890123456789012345678901234567890":"9b752e45573d4b39f4dbd3323cab82bf63326bfb"
generic mbedtls_sha3 SHA3-224 Test vector from CAVS 19.0 with Len = 8
@@ -117,7 +117,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
md_hex:MBEDTLS_MD_SHA3_224:"01":"488286d9d32716e5881ea1ee51f36d3660d70f0db03b3f612ce9eda4"
generic mbedtls_sha3 SHA3-256 Test vector from CAVS 19.0 with Len = 8
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hex:MBEDTLS_MD_SHA3_256:"e9":"f0d04dd1e6cfc29a4460d521796852f25d9ef8d28b44ee91ff5b759d72c1e6d6"
generic mbedtls_sha3 SHA3-384 Test vector from CAVS 19.0 with Len = 8
@@ -125,7 +125,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
md_hex:MBEDTLS_MD_SHA3_384:"80":"7541384852e10ff10d5fb6a7213a4a6c15ccc86d8bc1068ac04f69277142944f4ee50d91fdc56553db06b2f5039c8ab7"
generic mbedtls_sha3 SHA3-512 Test vector from CAVS 19.0 with Len = 8
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hex:MBEDTLS_MD_SHA3_512:"e5":"150240baf95fb36f8ccb87a19a41767e7aed95125075a2b2dbba6e565e1ce8575f2b042b62e29a04e9440314a821c6224182964d8b557b16a492b3806f4c39c1"
generic HMAC-MD5 Hash File OpenSSL test #1
@@ -173,31 +173,31 @@ depends_on:MBEDTLS_MD_CAN_MD5
mbedtls_md_hmac:MBEDTLS_MD_MD5:16:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461":"6f630fad67cda0ee1fb1f562db3aa53e"
generic HMAC-RIPEMD160 Test vector RFC 2286 #1
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"4869205468657265":"24cb4bd67d20fc1a5d2ed7732dcc39377f0a5668"
generic HMAC-RIPEMD160 Test vector RFC 2286 #2
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"4a656665":"7768617420646f2079612077616e7420666f72206e6f7468696e673f":"dda6c0213a485a9e24f4742064a7f033b43c4069"
generic HMAC-RIPEMD160 Test vector RFC 2286 #3
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd":"b0b105360de759960ab4f35298e116e295d8e7c1"
generic HMAC-RIPEMD160 Test vector RFC 2286 #4
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"0102030405060708090a0b0c0d0e0f10111213141516171819":"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd":"d5ca862f4d21d5e610e18b4cf1beb97a4365ecf4"
generic HMAC-RIPEMD160 Test vector RFC 2286 #5
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"546573742057697468205472756e636174696f6e":"7619693978f91d90539ae786500ff3d8e0518e39"
generic HMAC-RIPEMD160 Test vector RFC 2286 #6
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374":"6466ca07ac5eac29e1bd523e5ada7605b791fd8b"
generic HMAC-RIPEMD160 Test vector RFC 2286 #7
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_md_hmac:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461":"69ea60798d71616cce5fd0871e23754cd75d5a0a"
generic multi step mbedtls_md5 Test vector RFC1321 #1
@@ -229,35 +229,35 @@ depends_on:MBEDTLS_MD_CAN_MD5
md_text_multi:MBEDTLS_MD_MD5:"12345678901234567890123456789012345678901234567890123456789012345678901234567890":"57edf4a22be3c955ac49da2e2107b67a"
generic multi step mbedtls_ripemd160 Test vector from paper #1
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"":"9c1185a5c5e9fc54612808977ee8f548b2258d31"
generic multi step mbedtls_ripemd160 Test vector from paper #2
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"a":"0bdc9d2d256b3ee9daae347be6f4dc835a467ffe"
generic multi step mbedtls_ripemd160 Test vector from paper #3
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"abc":"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"
generic multi step mbedtls_ripemd160 Test vector from paper #4
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"message digest":"5d0689ef49d2fae572b881b123a85ffa21595f36"
generic multi step mbedtls_ripemd160 Test vector from paper #5
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"abcdefghijklmnopqrstuvwxyz":"f71c27109c692c1b56bbdceb5b9d2865b3708dbc"
generic multi step mbedtls_ripemd160 Test vector from paper #6
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":"12a053384a9c0c88e405a06c27dcf49ada62eb2b"
generic multi step mbedtls_ripemd160 Test vector from paper #7
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789":"b0e20b6e3116640286ed3a87a5713079b21f5189"
generic multi step mbedtls_ripemd160 Test vector from paper #8
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_text_multi:MBEDTLS_MD_RIPEMD160:"12345678901234567890123456789012345678901234567890123456789012345678901234567890":"9b752e45573d4b39f4dbd3323cab82bf63326bfb"
generic multi step mbedtls_sha3 SHA3-224 Test vector from CAVS 19.0 with Len = 48
@@ -265,7 +265,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
md_hex_multi:MBEDTLS_MD_SHA3_224:"e7183e4d89c9":"650618f3b945c07de85b8478d69609647d5e2a432c6b15fbb3db91e4"
generic multi step mbedtls_sha3 SHA3-256 Test vector from CAVS 19.0 with Len = 48
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hex_multi:MBEDTLS_MD_SHA3_256:"e6fd42037f80":"2294f8d3834f24aa9037c431f8c233a66a57b23fa3de10530bbb6911f6e1850f"
generic multi step mbedtls_sha3 SHA3-384 Test vector from CAVS 19.0 with Len = 48
@@ -273,7 +273,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
md_hex_multi:MBEDTLS_MD_SHA3_384:"5a6659e9f0e7":"21b1f3f63b907f968821185a7fe30b16d47e1d6ee5b9c80be68947854de7a8ef4a03a6b2e4ec96abdd4fa29ab9796f28"
generic multi step mbedtls_sha3 SHA3-512 Test vector from CAVS 19.0 with Len = 48
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hex_multi:MBEDTLS_MD_SHA3_512:"71a986d2f662":"def6aac2b08c98d56a0501a8cb93f5b47d6322daf99e03255457c303326395f765576930f8571d89c01e727cc79c2d4497f85c45691b554e20da810c2bc865ef"
generic multi step HMAC-MD5 Hash File OpenSSL test #1
@@ -317,68 +317,68 @@ depends_on:MBEDTLS_MD_CAN_MD5
md_hmac_multi:MBEDTLS_MD_MD5:16:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461":"6f630fad67cda0ee1fb1f562db3aa53e"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #1
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"4869205468657265":"24cb4bd67d20fc1a5d2ed7732dcc39377f0a5668"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #2
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"4a656665":"7768617420646f2079612077616e7420666f72206e6f7468696e673f":"dda6c0213a485a9e24f4742064a7f033b43c4069"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #3
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd":"b0b105360de759960ab4f35298e116e295d8e7c1"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #4
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"0102030405060708090a0b0c0d0e0f10111213141516171819":"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd":"d5ca862f4d21d5e610e18b4cf1beb97a4365ecf4"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #5
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"546573742057697468205472756e636174696f6e":"7619693978f91d90539ae786500ff3d8e0518e39"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #6
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374":"6466ca07ac5eac29e1bd523e5ada7605b791fd8b"
generic multi step HMAC-RIPEMD160 Test vector RFC 2286 #7
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461":"69ea60798d71616cce5fd0871e23754cd75d5a0a"
generic MD5 Hash file #1
depends_on:MBEDTLS_MD_CAN_MD5
-mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_1":"52bcdc983c9ed64fc148a759b3c7a415"
+mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_1":"52bcdc983c9ed64fc148a759b3c7a415"
generic MD5 Hash file #2
depends_on:MBEDTLS_MD_CAN_MD5
-mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_2":"d17d466f15891df10542207ae78277f0"
+mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_2":"d17d466f15891df10542207ae78277f0"
generic MD5 Hash file #3
depends_on:MBEDTLS_MD_CAN_MD5
-mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_3":"d945bcc6200ea95d061a2a818167d920"
+mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_3":"d945bcc6200ea95d061a2a818167d920"
generic MD5 Hash file #4
depends_on:MBEDTLS_MD_CAN_MD5
-mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_4":"d41d8cd98f00b204e9800998ecf8427e"
+mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_4":"d41d8cd98f00b204e9800998ecf8427e"
generic RIPEMD160 Hash file #0 (from paper)
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
-mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_5":"52783243c1697bdbe16d37f97f68f08325dc1528"
+depends_on:PSA_WANT_ALG_RIPEMD160
+mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_5":"52783243c1697bdbe16d37f97f68f08325dc1528"
generic RIPEMD160 Hash file #1
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
-mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_1":"82f1d072f0ec0c2b353703a7b575a04c113af1a6"
+depends_on:PSA_WANT_ALG_RIPEMD160
+mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_1":"82f1d072f0ec0c2b353703a7b575a04c113af1a6"
generic RIPEMD160 Hash file #2
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
-mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_2":"996fbc8b79206ba7393ebcd246584069b1c08f0f"
+depends_on:PSA_WANT_ALG_RIPEMD160
+mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_2":"996fbc8b79206ba7393ebcd246584069b1c08f0f"
generic RIPEMD160 Hash file #3
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
-mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_3":"8653b46d65998fa8c8846efa17937e742533ae48"
+depends_on:PSA_WANT_ALG_RIPEMD160
+mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_3":"8653b46d65998fa8c8846efa17937e742533ae48"
generic RIPEMD160 Hash file #4
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
-mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_4":"9c1185a5c5e9fc54612808977ee8f548b2258d31"
+depends_on:PSA_WANT_ALG_RIPEMD160
+mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_4":"9c1185a5c5e9fc54612808977ee8f548b2258d31"
generic HMAC-SHA-1 Test Vector FIPS-198a #1
depends_on:MBEDTLS_MD_CAN_SHA1
@@ -425,31 +425,31 @@ depends_on:MBEDTLS_MD_CAN_SHA1
mbedtls_md_hmac:MBEDTLS_MD_SHA1:10:"1287e1565a57b547":"390ffdccc6171c11568d85b8f913e019bf4cd982ca9cd21ea730d41bdf3fcc0bc88ff48ba13a8f23deb2d96ec1033e7b2a58ca72b0c1e17bf03330db25d1e360fa6918009c4294bd1215b5ccd159a8f58bc3dc3d490eb7c3b9f887e8c98dbbb274a75373dcb695a59abd0219529d88518a96f92abc0bbcbda985c388f1fbbcc9":"d78ddf08077c7d9e2ba6"
generic HMAC-SHA-224 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:14:"e055eb756697ee573fd3214811a9f7fa":"3875847012ee42fe54a0027bdf38cca7021b83a2ed0503af69ef6c37c637bc1114fba40096c5947d736e19b7af3c68d95a4e3b8b073adbbb80f47e9db8f2d4f0018ddd847fabfdf9dd9b52c93e40458977725f6b7ba15f0816bb895cdf50401268f5d702b7e6a5f9faef57b8768c8a3fc14f9a4b3182b41d940e337d219b29ff":"40a453133361cc48da11baf616ee"
generic HMAC-SHA-224 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:14:"88e5258b55b1623385eb9632fa7c57d6":"ada76bb604be14326551701cf30e48a65eee80b44f0b9d4a07b1844543b7844a621097fdc99de57387458ae9354899b620d0617eabcaefa9eef3d413a33628054335ce656c26fa2986e0f111a6351096b283101ec7868871d770b370973c7405983f9756b3005a3eab492cfd0e7eb42e5c2e15fa6be8718c0a50acc4e5717230":"81c783af538015cef3c60095df53"
generic HMAC-SHA-224 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:14:"85d402d822114d31abf75526e2538705":"8020d8d98cc2e2298b32879c51c751e1dd5558fe2eabb8f158604297d6d072ce2261a1d6830b7cfe2617b57c7126f99c9476211d6161acd75d266da217ec8174b80484c9dc6f0448a0a036a3fc82e8bf54bdb71549368258d5d41f57978a4c266b92e8783ef66350215573d99be4089144b383ad8f3222bae8f3bf80ffb1bb2b":"2aa0340ac9deafe3be38129daca0"
generic HMAC-SHA-224 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:14:"545c6eecc5ee46fa17c59f91a94f81ae":"8fb7f3565593170152ddb2021874784e951977cfdd22f8b72a72a61320a8f2a35697b5e913f717805559b1af1861ee3ed42fb788481e4fd276b17bdbefcae7b4501dc5d20de5b7626dd5efdcd65294db4bdf682c33d9a9255c6435383fa5f1c886326a3acbc6bd50a33ab5b2dbb034ce0112d4e226bbcd57e3731a519aa1d784":"3eb566eac54c4a3a9ef092469f24"
generic HMAC-SHA-224 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:14:"4466ab4dc438841a9750c7f173dff02e":"2534c11c78c99cffaec8f722f04adc7045c7324d58ce98e37cfa94b6ed21ed7f58ce55379ef24b72d6d640ee9154f96c614734be9c408e225d7ba4cecc1179cc9f6e1808e1067aa8f244a99bd0c3267594c1887a40d167f8b7cf78db0d19f97b01fc50b8c86def490dfa7a5135002c33e71d77a8cce8ea0f93e0580439a33733":"59f44a9bbed4875b892d22d6b5ab"
generic HMAC-SHA-224 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:28:"0e3dd9bb5e4cf0f09a4c11600af56d8d":"f4589fa76c328ea25cf8bae582026ba40a59d45a546ff31cf80eb826088f69bb954c452c74586836416dee90a5255bc5d56d3b405b3705a5197045688b32fa984c3a3dfbdc9c2460a0b5e6312a624048bb6f170306535e9b371a3ab134a2642a230ad03d2c688cca80baeaee9a20e1d4c548b1cede29c6a45bf4df2c8c476f1a":"12175b93e3da4c58217145e4dc0a1cf142fab9319bb501e037b350ba"
generic HMAC-SHA-224 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_md_hmac:MBEDTLS_MD_SHA224:28:"cda5187b0c5dcb0f8e5a8beed2306584":"9011ae29b44c49b347487ce972965f16ade3c15be0856ce9c853a9739dba07e4f20d594ddc1dfe21560a65a4e458cfa17745575b915a30c7a9412ff8d1d689db9680dd2428c27588bb0dc92d2cd9445fe8f44b840a197c52c3c4333fff45533945134398df6436513cfab06c924046b8c795a5bd92e8d5f2de85bf306f2eed67":"4aaba92b40e2a600feab176eb9b292d814864195c03342aad6f67f08"
generic HMAC-SHA-256 Test Vector NIST CAVS #1
@@ -477,27 +477,27 @@ depends_on:MBEDTLS_MD_CAN_SHA256
mbedtls_md_hmac:MBEDTLS_MD_SHA256:24:"63cec6246aeb1b61":"c178db908a405fa88aa255b8cad22b4057016585f139ee930388b083d86062fa0b3ea1f23f8a43bd11bee8464bcbd19b5ab9f6a8038d5245516f8274d20c8ee3033a07b908da528fa00343bb595deed500cab9745c4cb6391c23300f0d3584b090b3326c4cfa342620b78f9f5b4f27f7307ed770643ec1764aeae3dcf1a3ec69":"64f3dd861b7c7d29fce9ae0ce9ed954b5d7141806ee9eec7"
generic HMAC-SHA-384 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:32:"91a7401817386948ca952f9a20ee55dc":"2fea5b91035d6d501f3a834fa178bff4e64b99a8450432dafd32e4466b0e1e7781166f8a73f7e036b3b0870920f559f47bd1400a1a906e85e0dcf00a6c26862e9148b23806680f285f1fe4f93cdaf924c181a965465739c14f2268c8be8b471847c74b222577a1310bcdc1a85ef1468aa1a3fd4031213c97324b7509c9050a3d":"6d7be9490058cf413cc09fd043c224c2ec4fa7859b13783000a9a593c9f75838"
generic HMAC-SHA-384 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:32:"d6cac19657061aa90a6da11cd2e9ea47":"9f482e4655173135dfaa22a11bbbe6af263db48716406c5aec162ba3c4b41cad4f5a91558377521191c7343118beee65982929802913d67b6de5c4bdc3d27299bd722219d5ad2efa5bdb9ff7b229fc4bbc3f60719320cf2e7a51cad1133d21bad2d80919b1836ef825308b7c51c6b7677ac782e2bc30007afba065681cbdd215":"f3d5f3c008175321aa7b2ea379eaa4f8b9dcc60f895ec8940b8162f80a7dfe9f"
generic HMAC-SHA-384 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:32:"e06366ad149b8442cd4c1abdddd0afde":"2d140a194c02a5598f69174834679b8371234a0d505491f1bd03e128dd91a8bca2fb812e9d5da71613b5b00952ea78bf450d5b7547dea79135925085c7d3e6f52009c51ca3d88c6c09e9d074b0ee110736e0ec9b478b93efb34d7bf1c41b54decec43eab077a3aa4998ede53f67b4ea36c266745f9643d5360bdc8337c70dabf":"c19c67eda6fe29f3667bee1c897c333ce7683094ae77e84b4c16378d290895a1"
generic HMAC-SHA-384 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:48:"01ac59f42f8bb91d1bd10fe6990d7a87":"3caf18c476edd5615f343ac7b7d3a9da9efade755672d5ba4b8ae8a7505539ea2c124ff755ec0457fbe49e43480b3c71e7f4742ec3693aad115d039f90222b030fdc9440313691716d5302005808c07627483b916fdf61983063c2eb1268f2deeef42fc790334456bc6bad256e31fc9066de7cc7e43d1321b1866db45e905622":"1985fa2163a5943fc5d92f1fe8831215e7e91f0bff5332bc713a072bdb3a8f9e5c5157463a3bfeb36231416e65973e64"
generic HMAC-SHA-384 Test Vector NIST CAVS #5 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:48:"fd74b9d9e102a3a80df1baf0cb35bace":"1a068917584813d1689ccbd0370c2114d537cdc8cc52bf6db16d5535f8f7d1ad0c850a9fa0cf62373ffbf7642b1f1e8164010d350721d798d9f99e9724830399c2fce26377e83d38845675457865c03d4a07d741a505ef028343eb29fd46d0f761f3792886998c1e5c32ac3bc7e6f08faed194b34f06eff4d5d4a5b42c481e0e":"a981eaf5de3d78b20ebd4414a4edd0657e3667cd808a0dbc430cf7252f73a5b24efa136039207bd59806897457d74e0c"
generic HMAC-SHA-384 Test Vector NIST CAVS #5 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_md_hmac:MBEDTLS_MD_SHA384:48:"9fe794f0e26b669fa5f6883149377c6c":"6010c9745e8f1d44cfdc99e7e0fd79bc4271944c2d1d84dba589073dfc4ca5eb98c59356f60cd87bef28aeb83a832bde339b2087daf942aa1f67876c5d5ed33924bed4143bc12a2be532ccaf64daa7e2bc3c8872b9823b0533b6f5159135effe8c61545536975d7c3a61ba7365ec35f165bc92b4d19eb9156ade17dfa1bb4161":"915ae61f8754698c2b6ef9629e93441f8541bd4258a5e05372d19136cfaefc0473b48d96119291b38eb1a3cb1982a986"
generic HMAC-SHA-512 Test Vector NIST CAVS #1
@@ -541,19 +541,19 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
mbedtls_md_hmac:MBEDTLS_MD_SHA3_224:14:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"8569c54cbb00a9b78ff1b391b0e5"
HMAC-SHA3-256: NIST example #1: keylen<blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_md_hmac:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e":"4fe8e202c4f058e8dddc23d8c34e467343e23555e24fc2f025d598f558f67205"
HMAC-SHA3-256: NIST example #2: keylen=blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_md_hmac:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687":"53616d706c65206d65737361676520666f72206b65796c656e3d626c6f636b6c656e":"68b94e2e538a9be4103bebb5aa016d47961d4d1aa906061313b557f8af2c3faa"
HMAC-SHA3-256: NIST example #3: keylen>blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_md_hmac:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7":"53616d706c65206d65737361676520666f72206b65796c656e3e626c6f636b6c656e":"9bcf2c238e235c3ce88404e813bd2f3a97185ac6f238c63d6229a00b07974258"
HMAC-SHA3-256: NIST example #4: keylen<blocklen, with truncated tag
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_md_hmac:MBEDTLS_MD_SHA3_256:16:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"c8dc7148d8c1423aa549105dafdf9cad"
HMAC-SHA3-384: NIST example #1: keylen<blocklen
@@ -573,19 +573,19 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
mbedtls_md_hmac:MBEDTLS_MD_SHA3_384:24:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"25f4bf53606e91af79d24a4bb1fd6aecd44414a30c8ebb0a"
HMAC-SHA3-512: NIST example #1: keylen<blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_md_hmac:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e":"4efd629d6c71bf86162658f29943b1c308ce27cdfa6db0d9c3ce81763f9cbce5f7ebe9868031db1a8f8eb7b6b95e5c5e3f657a8996c86a2f6527e307f0213196"
HMAC-SHA3-512: NIST example #2: keylen=blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_md_hmac:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f4041424344454647":"53616d706c65206d65737361676520666f72206b65796c656e3d626c6f636b6c656e":"544e257ea2a3e5ea19a590e6a24b724ce6327757723fe2751b75bf007d80f6b360744bf1b7a88ea585f9765b47911976d3191cf83c039f5ffab0d29cc9d9b6da"
HMAC-SHA3-512: NIST example #3: keylen>blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_md_hmac:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687":"53616d706c65206d65737361676520666f72206b65796c656e3e626c6f636b6c656e":"5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915"
HMAC-SHA3-512: NIST example #4: keylen<blocklen, with truncated tag
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_md_hmac:MBEDTLS_MD_SHA3_512:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"7bb06d859257b25ce73ca700df34c5cbef5c898bac91029e0b27975d4e526a08"
generic multi step HMAC-SHA-1 Test Vector FIPS-198a #1
@@ -633,31 +633,31 @@ depends_on:MBEDTLS_MD_CAN_SHA1
md_hmac_multi:MBEDTLS_MD_SHA1:10:"1287e1565a57b547":"390ffdccc6171c11568d85b8f913e019bf4cd982ca9cd21ea730d41bdf3fcc0bc88ff48ba13a8f23deb2d96ec1033e7b2a58ca72b0c1e17bf03330db25d1e360fa6918009c4294bd1215b5ccd159a8f58bc3dc3d490eb7c3b9f887e8c98dbbb274a75373dcb695a59abd0219529d88518a96f92abc0bbcbda985c388f1fbbcc9":"d78ddf08077c7d9e2ba6"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:14:"e055eb756697ee573fd3214811a9f7fa":"3875847012ee42fe54a0027bdf38cca7021b83a2ed0503af69ef6c37c637bc1114fba40096c5947d736e19b7af3c68d95a4e3b8b073adbbb80f47e9db8f2d4f0018ddd847fabfdf9dd9b52c93e40458977725f6b7ba15f0816bb895cdf50401268f5d702b7e6a5f9faef57b8768c8a3fc14f9a4b3182b41d940e337d219b29ff":"40a453133361cc48da11baf616ee"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:14:"88e5258b55b1623385eb9632fa7c57d6":"ada76bb604be14326551701cf30e48a65eee80b44f0b9d4a07b1844543b7844a621097fdc99de57387458ae9354899b620d0617eabcaefa9eef3d413a33628054335ce656c26fa2986e0f111a6351096b283101ec7868871d770b370973c7405983f9756b3005a3eab492cfd0e7eb42e5c2e15fa6be8718c0a50acc4e5717230":"81c783af538015cef3c60095df53"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:14:"85d402d822114d31abf75526e2538705":"8020d8d98cc2e2298b32879c51c751e1dd5558fe2eabb8f158604297d6d072ce2261a1d6830b7cfe2617b57c7126f99c9476211d6161acd75d266da217ec8174b80484c9dc6f0448a0a036a3fc82e8bf54bdb71549368258d5d41f57978a4c266b92e8783ef66350215573d99be4089144b383ad8f3222bae8f3bf80ffb1bb2b":"2aa0340ac9deafe3be38129daca0"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:14:"545c6eecc5ee46fa17c59f91a94f81ae":"8fb7f3565593170152ddb2021874784e951977cfdd22f8b72a72a61320a8f2a35697b5e913f717805559b1af1861ee3ed42fb788481e4fd276b17bdbefcae7b4501dc5d20de5b7626dd5efdcd65294db4bdf682c33d9a9255c6435383fa5f1c886326a3acbc6bd50a33ab5b2dbb034ce0112d4e226bbcd57e3731a519aa1d784":"3eb566eac54c4a3a9ef092469f24"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:14:"4466ab4dc438841a9750c7f173dff02e":"2534c11c78c99cffaec8f722f04adc7045c7324d58ce98e37cfa94b6ed21ed7f58ce55379ef24b72d6d640ee9154f96c614734be9c408e225d7ba4cecc1179cc9f6e1808e1067aa8f244a99bd0c3267594c1887a40d167f8b7cf78db0d19f97b01fc50b8c86def490dfa7a5135002c33e71d77a8cce8ea0f93e0580439a33733":"59f44a9bbed4875b892d22d6b5ab"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:28:"0e3dd9bb5e4cf0f09a4c11600af56d8d":"f4589fa76c328ea25cf8bae582026ba40a59d45a546ff31cf80eb826088f69bb954c452c74586836416dee90a5255bc5d56d3b405b3705a5197045688b32fa984c3a3dfbdc9c2460a0b5e6312a624048bb6f170306535e9b371a3ab134a2642a230ad03d2c688cca80baeaee9a20e1d4c548b1cede29c6a45bf4df2c8c476f1a":"12175b93e3da4c58217145e4dc0a1cf142fab9319bb501e037b350ba"
generic multi step HMAC-SHA-224 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hmac_multi:MBEDTLS_MD_SHA224:28:"cda5187b0c5dcb0f8e5a8beed2306584":"9011ae29b44c49b347487ce972965f16ade3c15be0856ce9c853a9739dba07e4f20d594ddc1dfe21560a65a4e458cfa17745575b915a30c7a9412ff8d1d689db9680dd2428c27588bb0dc92d2cd9445fe8f44b840a197c52c3c4333fff45533945134398df6436513cfab06c924046b8c795a5bd92e8d5f2de85bf306f2eed67":"4aaba92b40e2a600feab176eb9b292d814864195c03342aad6f67f08"
generic multi step HMAC-SHA-256 Test Vector NIST CAVS #1
@@ -685,27 +685,27 @@ depends_on:MBEDTLS_MD_CAN_SHA256
md_hmac_multi:MBEDTLS_MD_SHA256:24:"63cec6246aeb1b61":"c178db908a405fa88aa255b8cad22b4057016585f139ee930388b083d86062fa0b3ea1f23f8a43bd11bee8464bcbd19b5ab9f6a8038d5245516f8274d20c8ee3033a07b908da528fa00343bb595deed500cab9745c4cb6391c23300f0d3584b090b3326c4cfa342620b78f9f5b4f27f7307ed770643ec1764aeae3dcf1a3ec69":"64f3dd861b7c7d29fce9ae0ce9ed954b5d7141806ee9eec7"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:32:"91a7401817386948ca952f9a20ee55dc":"2fea5b91035d6d501f3a834fa178bff4e64b99a8450432dafd32e4466b0e1e7781166f8a73f7e036b3b0870920f559f47bd1400a1a906e85e0dcf00a6c26862e9148b23806680f285f1fe4f93cdaf924c181a965465739c14f2268c8be8b471847c74b222577a1310bcdc1a85ef1468aa1a3fd4031213c97324b7509c9050a3d":"6d7be9490058cf413cc09fd043c224c2ec4fa7859b13783000a9a593c9f75838"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:32:"d6cac19657061aa90a6da11cd2e9ea47":"9f482e4655173135dfaa22a11bbbe6af263db48716406c5aec162ba3c4b41cad4f5a91558377521191c7343118beee65982929802913d67b6de5c4bdc3d27299bd722219d5ad2efa5bdb9ff7b229fc4bbc3f60719320cf2e7a51cad1133d21bad2d80919b1836ef825308b7c51c6b7677ac782e2bc30007afba065681cbdd215":"f3d5f3c008175321aa7b2ea379eaa4f8b9dcc60f895ec8940b8162f80a7dfe9f"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:32:"e06366ad149b8442cd4c1abdddd0afde":"2d140a194c02a5598f69174834679b8371234a0d505491f1bd03e128dd91a8bca2fb812e9d5da71613b5b00952ea78bf450d5b7547dea79135925085c7d3e6f52009c51ca3d88c6c09e9d074b0ee110736e0ec9b478b93efb34d7bf1c41b54decec43eab077a3aa4998ede53f67b4ea36c266745f9643d5360bdc8337c70dabf":"c19c67eda6fe29f3667bee1c897c333ce7683094ae77e84b4c16378d290895a1"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:48:"01ac59f42f8bb91d1bd10fe6990d7a87":"3caf18c476edd5615f343ac7b7d3a9da9efade755672d5ba4b8ae8a7505539ea2c124ff755ec0457fbe49e43480b3c71e7f4742ec3693aad115d039f90222b030fdc9440313691716d5302005808c07627483b916fdf61983063c2eb1268f2deeef42fc790334456bc6bad256e31fc9066de7cc7e43d1321b1866db45e905622":"1985fa2163a5943fc5d92f1fe8831215e7e91f0bff5332bc713a072bdb3a8f9e5c5157463a3bfeb36231416e65973e64"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #5 [#1]
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:48:"fd74b9d9e102a3a80df1baf0cb35bace":"1a068917584813d1689ccbd0370c2114d537cdc8cc52bf6db16d5535f8f7d1ad0c850a9fa0cf62373ffbf7642b1f1e8164010d350721d798d9f99e9724830399c2fce26377e83d38845675457865c03d4a07d741a505ef028343eb29fd46d0f761f3792886998c1e5c32ac3bc7e6f08faed194b34f06eff4d5d4a5b42c481e0e":"a981eaf5de3d78b20ebd4414a4edd0657e3667cd808a0dbc430cf7252f73a5b24efa136039207bd59806897457d74e0c"
generic multi step HMAC-SHA-384 Test Vector NIST CAVS #5 [#2]
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hmac_multi:MBEDTLS_MD_SHA384:48:"9fe794f0e26b669fa5f6883149377c6c":"6010c9745e8f1d44cfdc99e7e0fd79bc4271944c2d1d84dba589073dfc4ca5eb98c59356f60cd87bef28aeb83a832bde339b2087daf942aa1f67876c5d5ed33924bed4143bc12a2be532ccaf64daa7e2bc3c8872b9823b0533b6f5159135effe8c61545536975d7c3a61ba7365ec35f165bc92b4d19eb9156ade17dfa1bb4161":"915ae61f8754698c2b6ef9629e93441f8541bd4258a5e05372d19136cfaefc0473b48d96119291b38eb1a3cb1982a986"
generic multi step HMAC-SHA-512 Test Vector NIST CAVS #1
@@ -749,19 +749,19 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
md_hmac_multi:MBEDTLS_MD_SHA3_224:14:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"8569c54cbb00a9b78ff1b391b0e5"
HMAC-SHA3-256 multi-step: NIST example #1: keylen<blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hmac_multi:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e":"4fe8e202c4f058e8dddc23d8c34e467343e23555e24fc2f025d598f558f67205"
HMAC-SHA3-256 multi-step: NIST example #2: keylen=blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hmac_multi:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687":"53616d706c65206d65737361676520666f72206b65796c656e3d626c6f636b6c656e":"68b94e2e538a9be4103bebb5aa016d47961d4d1aa906061313b557f8af2c3faa"
HMAC-SHA3-256 multi-step: NIST example #3: keylen>blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hmac_multi:MBEDTLS_MD_SHA3_256:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7":"53616d706c65206d65737361676520666f72206b65796c656e3e626c6f636b6c656e":"9bcf2c238e235c3ce88404e813bd2f3a97185ac6f238c63d6229a00b07974258"
HMAC-SHA3-256 multi-step: NIST example #4: keylen<blocklen, with truncated tag
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
md_hmac_multi:MBEDTLS_MD_SHA3_256:16:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"c8dc7148d8c1423aa549105dafdf9cad"
HMAC-SHA3-384 multi-step: NIST example #1: keylen<blocklen
@@ -781,19 +781,19 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
md_hmac_multi:MBEDTLS_MD_SHA3_384:24:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"25f4bf53606e91af79d24a4bb1fd6aecd44414a30c8ebb0a"
HMAC-SHA3-512 multi-step: NIST example #1: keylen<blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hmac_multi:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e":"4efd629d6c71bf86162658f29943b1c308ce27cdfa6db0d9c3ce81763f9cbce5f7ebe9868031db1a8f8eb7b6b95e5c5e3f657a8996c86a2f6527e307f0213196"
HMAC-SHA3-512 multi-step: NIST example #2: keylen=blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hmac_multi:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f4041424344454647":"53616d706c65206d65737361676520666f72206b65796c656e3d626c6f636b6c656e":"544e257ea2a3e5ea19a590e6a24b724ce6327757723fe2751b75bf007d80f6b360744bf1b7a88ea585f9765b47911976d3191cf83c039f5ffab0d29cc9d9b6da"
HMAC-SHA3-512 multi-step: NIST example #3: keylen>blocklen
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hmac_multi:MBEDTLS_MD_SHA3_512:64:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f8081828384858687":"53616d706c65206d65737361676520666f72206b65796c656e3e626c6f636b6c656e":"5f464f5e5b7848e3885e49b2c385f0694985d0e38966242dc4a5fe3fea4b37d46b65ceced5dcf59438dd840bab22269f0ba7febdb9fcf74602a35666b2a32915"
HMAC-SHA3-512 multi-step: NIST example #4: keylen<blocklen, with truncated tag
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
md_hmac_multi:MBEDTLS_MD_SHA3_512:32:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f":"53616d706c65206d65737361676520666f72206b65796c656e3c626c6f636b6c656e2c2077697468207472756e636174656420746167":"7bb06d859257b25ce73ca700df34c5cbef5c898bac91029e0b27975d4e526a08"
generic SHA-1 Test Vector NIST CAVS #1
@@ -837,31 +837,31 @@ depends_on:MBEDTLS_MD_CAN_SHA1
md_hex:MBEDTLS_MD_SHA1:"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":"11863b483809ef88413ca9b0084ac4a5390640af"
generic SHA-224 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
generic SHA-224 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"ff":"e33f9d75e6ae1369dbabf81b96b4591ae46bba30b591a6b6c62542b5"
generic SHA-224 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"984c":"2fa9df9157d9e027cfbc4c6a9df32e1adc0cbe2328ec2a63c5ae934e"
generic SHA-224 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"50efd0":"b5a9820413c2bf8211fbbf5df1337043b32fa4eafaf61a0c8e9ccede"
generic SHA-224 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"e5e09924":"fd19e74690d291467ce59f077df311638f1c3a46e510d0e49a67062d"
generic SHA-224 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"21ebecb914":"78f4a71c21c694499ce1c7866611b14ace70d905012c356323c7c713"
generic SHA-224 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex:MBEDTLS_MD_SHA224:"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":"1302149d1e197c41813b054c942329d420e366530f5517b470e964fe"
generic SHA-256 Test Vector NIST CAVS #1
@@ -893,35 +893,35 @@ depends_on:MBEDTLS_MD_CAN_SHA256
md_hex:MBEDTLS_MD_SHA256:"8390cf0be07661cc7669aac54ce09a37733a629d45f5d983ef201f9b2d13800e555d9b1097fec3b783d7a50dcb5e2b644b96a1e9463f177cf34906bf388f366db5c2deee04a30e283f764a97c3b377a034fefc22c259214faa99babaff160ab0aaa7e2ccb0ce09c6b32fe08cbc474694375aba703fadbfa31cf685b30a11c57f3cf4edd321e57d3ae6ebb1133c8260e75b9224fa47a2bb205249add2e2e62f817491482ae152322be0900355cdcc8d42a98f82e961a0dc6f537b7b410eff105f59673bfb787bf042aa071f7af68d944d27371c64160fe9382772372516c230c1f45c0d6b6cca7f274b394da9402d3eafdf733994ec58ab22d71829a98399574d4b5908a447a5a681cb0dd50a31145311d92c22a16de1ead66a5499f2dceb4cae694772ce90762ef8336afec653aa9b1a1c4820b221136dfce80dce2ba920d88a530c9410d0a4e0358a3a11052e58dd73b0b179ef8f56fe3b5a2d117a73a0c38a1392b6938e9782e0d86456ee4884e3c39d4d75813f13633bc79baa07c0d2d555afbf207f52b7dca126d015aa2b9873b3eb065e90b9b065a5373fe1fb1b20d594327d19fba56cb81e7b6696605ffa56eba3c27a438697cc21b201fd7e09f18deea1b3ea2f0d1edc02df0e20396a145412cd6b13c32d2e605641c948b714aec30c0649dc44143511f35ab0fd5dd64c34d06fe86f3836dfe9edeb7f08cfc3bd40956826356242191f99f53473f32b0cc0cf9321d6c92a112e8db90b86ee9e87cc32d0343db01e32ce9eb782cb24efbbbeb440fe929e8f2bf8dfb1550a3a2e742e8b455a3e5730e9e6a7a9824d17acc0f72a7f67eae0f0970f8bde46dcdefaed3047cf807e7f00a42e5fd11d40f5e98533d7574425b7d2bc3b3845c443008b58980e768e464e17cc6f6b3939eee52f713963d07d8c4abf02448ef0b889c9671e2f8a436ddeeffcca7176e9bf9d1005ecd377f2fa67c23ed1f137e60bf46018a8bd613d038e883704fc26e798969df35ec7bbc6a4fe46d8910bd82fa3cded265d0a3b6d399e4251e4d8233daa21b5812fded6536198ff13aa5a1cd46a5b9a17a4ddc1d9f85544d1d1cc16f3df858038c8e071a11a7e157a85a6a8dc47e88d75e7009a8b26fdb73f33a2a70f1e0c259f8f9533b9b8f9af9288b7274f21baeec78d396f8bacdcc22471207d9b4efccd3fedc5c5a2214ff5e51c553f35e21ae696fe51e8df733a8e06f50f419e599e9f9e4b37ce643fc810faaa47989771509d69a110ac916261427026369a21263ac4460fb4f708f8ae28599856db7cb6a43ac8e03d64a9609807e76c5f312b9d1863bfa304e8953647648b4f4ab0ed995e":"4109cdbec3240ad74cc6c37f39300f70fede16e21efc77f7865998714aad0
b5e"
generic SHA-384 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
generic SHA-384 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"ab":"fb94d5be118865f6fcbc978b825da82cff188faec2f66cb84b2537d74b4938469854b0ca89e66fa2e182834736629f3d"
generic SHA-384 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"7c27":"3d80be467df86d63abb9ea1d3f9cb39cd19890e7f2c53a6200bedc5006842b35e820dc4e0ca90ca9b97ab23ef07080fc"
generic SHA-384 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"31f5ca":"78d54b943421fdf7ba90a7fb9637c2073aa480454bd841d39ff72f4511fc21fb67797b652c0c823229342873d3bef955"
generic SHA-384 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"7bdee3f8":"8bdafba0777ee446c3431c2d7b1fbb631089f71d2ca417abc1d230e1aba64ec2f1c187474a6f4077d372c14ad407f99a"
generic SHA-384 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"8f05604915":"504e414bf1db1060f14c8c799e25b1e0c4dcf1504ebbd129998f0ae283e6de86e0d3c7e879c73ec3b1836c3ee89c2649"
generic SHA-384 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"665da6eda214":"4c022f112010908848312f8b8f1072625fd5c105399d562ea1d56130619a7eac8dfc3748fd05ee37e4b690be9daa9980"
generic SHA-384 Test Vector NIST CAVS #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex:MBEDTLS_MD_SHA384:"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":"cba9e3eb12a6f83db11e8a6ff40d1049854ee094416bc527fea931d8585428a8ed6242ce81f6769b36e2123a5c23483e"
generic SHA-512 Test Vector NIST CAVS #1
@@ -930,67 +930,67 @@ md_hex:MBEDTLS_MD_SHA512:"":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f
generic SHA3-224 Hash file #1
depends_on:MBEDTLS_MD_CAN_SHA3_224
-mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_1":"320f1a9257d442178d90fda8987743a5e7bb5ed0b18bc7d66ee3633e"
+mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_1":"320f1a9257d442178d90fda8987743a5e7bb5ed0b18bc7d66ee3633e"
generic SHA3-224 Hash file #2
depends_on:MBEDTLS_MD_CAN_SHA3_224
-mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_2":"db06a96306b43677f0e3592a0fe1d276141fa7458b7be93197550442"
+mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_2":"db06a96306b43677f0e3592a0fe1d276141fa7458b7be93197550442"
generic SHA3-224 Hash file #3
depends_on:MBEDTLS_MD_CAN_SHA3_224
-mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_3":"0d125fdd48b0e322ca845402fbecb827053c9f324c58933be2e474a0"
+mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_3":"0d125fdd48b0e322ca845402fbecb827053c9f324c58933be2e474a0"
generic SHA3-224 Hash file #4
depends_on:MBEDTLS_MD_CAN_SHA3_224
-mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_4":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7"
+mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_4":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7"
generic SHA3-256 Hash file #1
-depends_on:MBEDTLS_MD_CAN_SHA3_256
-mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_1":"f429826659dd9f313e6226ced5c841fe1b0e9dd16554392b694fa3000f1ae1e2"
+depends_on:PSA_WANT_ALG_SHA3_256
+mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_1":"f429826659dd9f313e6226ced5c841fe1b0e9dd16554392b694fa3000f1ae1e2"
generic SHA3-256 Hash file #2
-depends_on:MBEDTLS_MD_CAN_SHA3_256
-mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_2":"3aed2fda8604dbec5a67710b4d4c89a90745e10ee633649e53e75c7e25d30152"
+depends_on:PSA_WANT_ALG_SHA3_256
+mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_2":"3aed2fda8604dbec5a67710b4d4c89a90745e10ee633649e53e75c7e25d30152"
generic SHA3-256 Hash file #3
-depends_on:MBEDTLS_MD_CAN_SHA3_256
-mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_3":"c4b6492fd1c475c5e560545a2573b0efcd02d54ef4f63c9d8158dd87bed99d85"
+depends_on:PSA_WANT_ALG_SHA3_256
+mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_3":"c4b6492fd1c475c5e560545a2573b0efcd02d54ef4f63c9d8158dd87bed99d85"
generic SHA3-256 Hash file #4
-depends_on:MBEDTLS_MD_CAN_SHA3_256
-mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_4":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"
+depends_on:PSA_WANT_ALG_SHA3_256
+mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_4":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"
generic SHA3-384 Hash file #1
depends_on:MBEDTLS_MD_CAN_SHA3_384
-mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_1":"06ab3677496658d3faad937f3f7887b3e925b480190544c612e76b88c5d21b4ca12691f27b8ef569d601925915cdf2a6"
+mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_1":"06ab3677496658d3faad937f3f7887b3e925b480190544c612e76b88c5d21b4ca12691f27b8ef569d601925915cdf2a6"
generic SHA3-384 Hash file #2
depends_on:MBEDTLS_MD_CAN_SHA3_384
-mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_2":"b5efc40db7af544bf3fb8c782f2db478dbb81aa83d2ef0e8bbdcf06371de7cc984aac5539c4c9244c1e6ebbb85e23983"
+mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_2":"b5efc40db7af544bf3fb8c782f2db478dbb81aa83d2ef0e8bbdcf06371de7cc984aac5539c4c9244c1e6ebbb85e23983"
generic SHA3-384 Hash file #3
depends_on:MBEDTLS_MD_CAN_SHA3_384
-mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_3":"0f08dc09cb39240e09b01e7f3ee3ce6b893bf393f52d2ac87083cef7d3a469fa99763e58b25306b0a2381d9bbdaa802f"
+mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_3":"0f08dc09cb39240e09b01e7f3ee3ce6b893bf393f52d2ac87083cef7d3a469fa99763e58b25306b0a2381d9bbdaa802f"
generic SHA3-384 Hash file #4
depends_on:MBEDTLS_MD_CAN_SHA3_384
-mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_4":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004"
+mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_4":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004"
generic SHA3-512 Hash file #1
-depends_on:MBEDTLS_MD_CAN_SHA3_512
-mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_1":"7d43cbb75218110d7fcc227b6977e6f3b855184c646b679055897cba0cd445ec968430231866801c4f0993f8735cf46bc4858868423d31ca283a6f1ecf25c580"
+depends_on:PSA_WANT_ALG_SHA3_512
+mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_1":"7d43cbb75218110d7fcc227b6977e6f3b855184c646b679055897cba0cd445ec968430231866801c4f0993f8735cf46bc4858868423d31ca283a6f1ecf25c580"
generic SHA3-512 Hash file #2
-depends_on:MBEDTLS_MD_CAN_SHA3_512
-mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_2":"212bd00cfc7f3a5b73b5b4772dd83562826207eba30ab00be2c886aef3841ef66eb25097091bfacb6d45dd4557489f91836c04c4f0d96e32ae96fb006d4b2ad6"
+depends_on:PSA_WANT_ALG_SHA3_512
+mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_2":"212bd00cfc7f3a5b73b5b4772dd83562826207eba30ab00be2c886aef3841ef66eb25097091bfacb6d45dd4557489f91836c04c4f0d96e32ae96fb006d4b2ad6"
generic SHA3-512 Hash file #3
-depends_on:MBEDTLS_MD_CAN_SHA3_512
-mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_3":"a78a0266820e36f6fb26a0c8deb0b24108e209cc217852ed073904bc44ec586c5704c0a56de57f9906b8ced380fee6ac2bd432a93de7f39b23ed0aabdd7ae813"
+depends_on:PSA_WANT_ALG_SHA3_512
+mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_3":"a78a0266820e36f6fb26a0c8deb0b24108e209cc217852ed073904bc44ec586c5704c0a56de57f9906b8ced380fee6ac2bd432a93de7f39b23ed0aabdd7ae813"
generic SHA3-512 Hash file #4
-depends_on:MBEDTLS_MD_CAN_SHA3_512
-mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_4":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26"
+depends_on:PSA_WANT_ALG_SHA3_512
+mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_4":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26"
generic SHA-512 Test Vector NIST CAVS #2
depends_on:MBEDTLS_MD_CAN_SHA512
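Review bot: The SHA3-224 and SHA3-384 hash-file cases in this hunk keep `depends_on:MBEDTLS_MD_CAN_SHA3_224` and `depends_on:MBEDTLS_MD_CAN_SHA3_384`, while the neighbouring SHA3-256 and SHA3-512 cases move to `PSA_WANT_ALG_SHA3_256` and `PSA_WANT_ALG_SHA3_512`, so known-answer tests in one file are now gated on two different macro families. If the legacy `MBEDTLS_MD_CAN_*` symbols are later removed or stop being derived from the PSA configuration, the cases left behind would presumably be reported as skipped for an unmet dependency rather than fail, which silently drops digest coverage. Unless the split is a deliberate staging step, convert them in the same change with `depends_on:PSA_WANT_ALG_SHA3_224` and `depends_on:PSA_WANT_ALG_SHA3_384`. The same leftover legacy guards show in the hunk headers at -573, -749 and -781 (SHA3-224/384) and at -633, -685, -837, -893, -1061 and -1117 (SHA1/SHA256), plus the trailing `MBEDTLS_MD_CAN_SHA512` context line here. It is also worth confirming from the test run output that the migrated cases are executed, not skipped, in at least one CI configuration.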
@@ -1061,31 +1061,31 @@ depends_on:MBEDTLS_MD_CAN_SHA1
md_hex_multi:MBEDTLS_MD_SHA1:"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":"11863b483809ef88413ca9b0084ac4a5390640af"
generic multi step SHA-224 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
generic multi step SHA-224 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"ff":"e33f9d75e6ae1369dbabf81b96b4591ae46bba30b591a6b6c62542b5"
generic multi step SHA-224 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"984c":"2fa9df9157d9e027cfbc4c6a9df32e1adc0cbe2328ec2a63c5ae934e"
generic multi step SHA-224 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"50efd0":"b5a9820413c2bf8211fbbf5df1337043b32fa4eafaf61a0c8e9ccede"
generic multi step SHA-224 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"e5e09924":"fd19e74690d291467ce59f077df311638f1c3a46e510d0e49a67062d"
generic multi step SHA-224 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"21ebecb914":"78f4a71c21c694499ce1c7866611b14ace70d905012c356323c7c713"
generic multi step SHA-224 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
md_hex_multi:MBEDTLS_MD_SHA224:"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":"1302149d1e197c41813b054c942329d420e366530f5517b470e964fe"
generic multi step SHA-256 Test Vector NIST CAVS #1
@@ -1117,35 +1117,35 @@ depends_on:MBEDTLS_MD_CAN_SHA256
md_hex_multi:MBEDTLS_MD_SHA256:"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":"4109cdbec3240ad74cc6c37f39300f70fede16e21efc77f7865998714aad0b5e"
generic multi step SHA-384 Test Vector NIST CAVS #1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
generic multi step SHA-384 Test Vector NIST CAVS #2
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"ab":"fb94d5be118865f6fcbc978b825da82cff188faec2f66cb84b2537d74b4938469854b0ca89e66fa2e182834736629f3d"
generic multi step SHA-384 Test Vector NIST CAVS #3
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"7c27":"3d80be467df86d63abb9ea1d3f9cb39cd19890e7f2c53a6200bedc5006842b35e820dc4e0ca90ca9b97ab23ef07080fc"
generic multi step SHA-384 Test Vector NIST CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"31f5ca":"78d54b943421fdf7ba90a7fb9637c2073aa480454bd841d39ff72f4511fc21fb67797b652c0c823229342873d3bef955"
generic multi step SHA-384 Test Vector NIST CAVS #5
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"7bdee3f8":"8bdafba0777ee446c3431c2d7b1fbb631089f71d2ca417abc1d230e1aba64ec2f1c187474a6f4077d372c14ad407f99a"
generic multi step SHA-384 Test Vector NIST CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"8f05604915":"504e414bf1db1060f14c8c799e25b1e0c4dcf1504ebbd129998f0ae283e6de86e0d3c7e879c73ec3b1836c3ee89c2649"
generic multi step SHA-384 Test Vector NIST CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"665da6eda214":"4c022f112010908848312f8b8f1072625fd5c105399d562ea1d56130619a7eac8dfc3748fd05ee37e4b690be9daa9980"
generic multi step SHA-384 Test Vector NIST CAVS #8
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
md_hex_multi:MBEDTLS_MD_SHA384:"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":"cba9e3eb12a6f83db11e8a6ff40d1049854ee094416bc527fea931d8585428a8ed6242ce81f6769b36e2123a5c23483e"
generic multi step SHA-512 Test Vector NIST CAVS #1
@@ -1182,80 +1182,80 @@ md_hex_multi:MBEDTLS_MD_SHA512:"990d1ae71a62d7bda9bfdaa1762a68d296eee72a4cd946f2
generic SHA1 Hash file #1
depends_on:MBEDTLS_MD_CAN_SHA1
-mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_1":"d21c965b1e768bd7a6aa6869f5f821901d255f9f"
+mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_1":"d21c965b1e768bd7a6aa6869f5f821901d255f9f"
generic SHA1 Hash file #2
depends_on:MBEDTLS_MD_CAN_SHA1
-mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_2":"353f34271f2aef49d23a8913d4a6bd82b2cecdc6"
+mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_2":"353f34271f2aef49d23a8913d4a6bd82b2cecdc6"
generic SHA1 Hash file #3
depends_on:MBEDTLS_MD_CAN_SHA1
-mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_3":"93640ed592076328096270c756db2fba9c486b35"
+mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_3":"93640ed592076328096270c756db2fba9c486b35"
generic SHA1 Hash file #4
depends_on:MBEDTLS_MD_CAN_SHA1
-mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_4":"da39a3ee5e6b4b0d3255bfef95601890afd80709"
+mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_4":"da39a3ee5e6b4b0d3255bfef95601890afd80709"
generic SHA-224 Hash file #1
-depends_on:MBEDTLS_MD_CAN_SHA224
-mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_1":"8606da018870f0c16834a21bc3385704cb1683b9dbab04c5ddb90a48"
+depends_on:PSA_WANT_ALG_SHA_224
+mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_1":"8606da018870f0c16834a21bc3385704cb1683b9dbab04c5ddb90a48"
generic SHA-224 Hash file #2
-depends_on:MBEDTLS_MD_CAN_SHA224
-mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_2":"733b2ab97b6f63f2e29b9a2089756d81e14c93fe4cc9615c0d5e8a03"
+depends_on:PSA_WANT_ALG_SHA_224
+mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_2":"733b2ab97b6f63f2e29b9a2089756d81e14c93fe4cc9615c0d5e8a03"
generic SHA-224 Hash file #3
-depends_on:MBEDTLS_MD_CAN_SHA224
-mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_3":"e1df95867580e2cc2100e9565bf9c2e42c24fe5250c19efe33d1c4fe"
+depends_on:PSA_WANT_ALG_SHA_224
+mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_3":"e1df95867580e2cc2100e9565bf9c2e42c24fe5250c19efe33d1c4fe"
generic SHA-224 Hash file #4
-depends_on:MBEDTLS_MD_CAN_SHA224
-mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_4":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
+depends_on:PSA_WANT_ALG_SHA_224
+mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_4":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
generic SHA-256 Hash file #1
depends_on:MBEDTLS_MD_CAN_SHA256
-mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_1":"975d0c620d3936886f8a3665e585a3e84aa0501f4225bf53029710242823e391"
+mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_1":"975d0c620d3936886f8a3665e585a3e84aa0501f4225bf53029710242823e391"
generic SHA-256 Hash file #2
depends_on:MBEDTLS_MD_CAN_SHA256
-mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_2":"11fcbf1baa36ca45745f10cc5467aee86f066f80ba2c46806d876bf783022ad2"
+mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_2":"11fcbf1baa36ca45745f10cc5467aee86f066f80ba2c46806d876bf783022ad2"
generic SHA-256 Hash file #3
depends_on:MBEDTLS_MD_CAN_SHA256
-mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_3":"9ae4b369f9f4f03b86505b46a5469542e00aaff7cf7417a71af6d6d0aba3b70c"
+mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_3":"9ae4b369f9f4f03b86505b46a5469542e00aaff7cf7417a71af6d6d0aba3b70c"
generic SHA-256 Hash file #4
depends_on:MBEDTLS_MD_CAN_SHA256
-mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_4":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_4":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
generic SHA-384 Hash file #1
-depends_on:MBEDTLS_MD_CAN_SHA384
-mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_1":"e0a3e6259d6378001b54ef82f5dd087009c5fad86d8db226a9fe1d14ecbe33a6fc916e3a4b16f5f286424de15d5a8e0e"
+depends_on:PSA_WANT_ALG_SHA_384
+mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_1":"e0a3e6259d6378001b54ef82f5dd087009c5fad86d8db226a9fe1d14ecbe33a6fc916e3a4b16f5f286424de15d5a8e0e"
generic SHA-384 Hash file #2
-depends_on:MBEDTLS_MD_CAN_SHA384
-mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_2":"eff727afc8495c92e2f370f97a317f93c3350324b0646b0f0e264708b3c97d3d332d3c5390e1e47130f5c92f1ef4b9cf"
+depends_on:PSA_WANT_ALG_SHA_384
+mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_2":"eff727afc8495c92e2f370f97a317f93c3350324b0646b0f0e264708b3c97d3d332d3c5390e1e47130f5c92f1ef4b9cf"
generic SHA-384 Hash file #3
-depends_on:MBEDTLS_MD_CAN_SHA384
-mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_3":"6fc10ebda96a1ccf61777cac72f6034f92533d42052a4bf9f9d929c672973c71e5aeb1213268043c21527ac0f7f349c4"
+depends_on:PSA_WANT_ALG_SHA_384
+mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_3":"6fc10ebda96a1ccf61777cac72f6034f92533d42052a4bf9f9d929c672973c71e5aeb1213268043c21527ac0f7f349c4"
generic SHA-384 Hash file #4
-depends_on:MBEDTLS_MD_CAN_SHA384
-mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_4":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
+depends_on:PSA_WANT_ALG_SHA_384
+mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_4":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
generic SHA-512 Hash file #1
depends_on:MBEDTLS_MD_CAN_SHA512
-mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_1":"d8207a2e1ff2b424f2c4163fe1b723c9bd42e464061eb411e8df730bcd24a7ab3956a6f3ff044a52eb2d262f9e4ca6b524092b544ab78f14d6f9c4cc8ddf335a"
+mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_1":"d8207a2e1ff2b424f2c4163fe1b723c9bd42e464061eb411e8df730bcd24a7ab3956a6f3ff044a52eb2d262f9e4ca6b524092b544ab78f14d6f9c4cc8ddf335a"
generic SHA-512 Hash file #2
depends_on:MBEDTLS_MD_CAN_SHA512
-mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_2":"ecbb7f0ed8a702b49f16ad3088bcc06ea93451912a7187db15f64d93517b09630b039293aed418d4a00695777b758b1f381548c2fd7b92ce5ed996b32c8734e7"
+mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_2":"ecbb7f0ed8a702b49f16ad3088bcc06ea93451912a7187db15f64d93517b09630b039293aed418d4a00695777b758b1f381548c2fd7b92ce5ed996b32c8734e7"
generic SHA-512 Hash file #3
depends_on:MBEDTLS_MD_CAN_SHA512
-mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_3":"7ccc9b2da71ffde9966c3ce44d7f20945fccf33b1fade4da152b021f1afcc7293382944aa6c09eac67af25f22026758e2bf6bed86ae2a43592677ee50f8eea41"
+mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_3":"7ccc9b2da71ffde9966c3ce44d7f20945fccf33b1fade4da152b021f1afcc7293382944aa6c09eac67af25f22026758e2bf6bed86ae2a43592677ee50f8eea41"
generic SHA-512 Hash file #4
depends_on:MBEDTLS_MD_CAN_SHA512
-mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_4":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
+mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_4":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function
index 866ff58..2a885e2 100644
--- a/tests/suites/test_suite_md.function
+++ b/tests/suites/test_suite_md.function
@@ -1,6 +1,6 @@
/* BEGIN_HEADER */
#include "mbedtls/md.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#include "mbedtls/oid.h"
#include "mbedtls/asn1.h"
diff --git a/tests/suites/test_suite_mps.function b/tests/suites/test_suite_mps.function
index 0b8434b..6751136 100644
--- a/tests/suites/test_suite_mps.function
+++ b/tests/suites/test_suite_mps.function
@@ -65,6 +65,8 @@ void mbedtls_mps_reader_no_pausing_single_step_single_round(int with_acc)
/* Wrapup (lower layer) */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, &paused) == 0);
TEST_ASSERT(paused == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -119,6 +121,8 @@ void mbedtls_mps_reader_no_pausing_single_step_multiple_rounds(int with_acc)
TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0);
/* Wrapup (lower layer) */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -170,6 +174,8 @@ void mbedtls_mps_reader_no_pausing_multiple_steps_single_round(int with_acc)
TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0);
/* Wrapup (lower layer) */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -217,6 +223,8 @@ void mbedtls_mps_reader_no_pausing_multiple_steps_multiple_rounds(int with_acc)
TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0);
/* Wrapup */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -250,6 +258,8 @@ void mbedtls_mps_reader_pausing_needed_disabled()
/* Wrapup (lower layer) */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) ==
MBEDTLS_ERR_MPS_READER_NEED_ACCUMULATOR);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -297,6 +307,7 @@ void mbedtls_mps_reader_pausing_needed_buffer_too_small()
TEST_ASSERT(mbedtls_mps_reader_get(&rd, 50, &tmp, &tmp_len) == 0);
TEST_MEMORY_COMPARE(tmp, tmp_len, buf + 50, 50);
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -333,6 +344,7 @@ void mbedtls_mps_reader_reclaim_overflow()
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) ==
MBEDTLS_ERR_MPS_READER_ACCUMULATOR_TOO_SMALL);
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -458,6 +470,8 @@ void mbedtls_mps_reader_pausing(int option)
/* Wrapup */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -562,6 +576,8 @@ void mbedtls_mps_reader_pausing_multiple_feeds(int option)
/* Wrapup */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -623,6 +639,8 @@ void mbedtls_mps_reader_reclaim_data_left(int option)
/* Wrapup */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) ==
MBEDTLS_ERR_MPS_READER_DATA_LEFT);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -795,6 +813,7 @@ void mbedtls_mps_reader_multiple_pausing(int option)
break;
}
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
@@ -951,6 +970,7 @@ void mbedtls_mps_reader_random_usage(int num_out_chunks,
}
}
+exit:
/* Cleanup */
mbedtls_mps_reader_free(&rd);
mbedtls_free(incoming);
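Review bot: With the new `exit:` label in `mbedtls_mps_reader_random_usage`, a failing assertion now jumps straight into the cleanup, so `mbedtls_mps_reader_free(&rd)` and `mbedtls_free(incoming)` can run before the objects they release were ever set up. The declarations and the rest of the cleanup are outside this hunk, so confirm that every pointer freed after the label starts as NULL, e.g. `unsigned char *incoming = NULL;`. Also confirm that `rd` is initialised before the first statement that can jump to `exit`. The same check on `rd` applies to the other functions in this file that gain the label, and a short comment above the label saying that failed assertions land there would make the requirement visible to the next editor.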
@@ -1103,6 +1123,7 @@ void mbedtls_reader_inconsistent_usage(int option)
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
}
+exit:
/* Wrapup */
mbedtls_mps_reader_free(&rd);
}
@@ -1136,6 +1157,8 @@ void mbedtls_mps_reader_feed_empty()
/* Wrapup */
TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0);
+
+exit:
mbedtls_mps_reader_free(&rd);
}
/* END_CASE */
diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data
index f8f1d43..be71915 100644
--- a/tests/suites/test_suite_oid.data
+++ b/tests/suites/test_suite_oid.data
@@ -67,7 +67,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1
oid_get_md_alg_id:"2b0e03021a":MBEDTLS_MD_SHA1
OID hash id - id-sha224
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
oid_get_md_alg_id:"608648016503040204":MBEDTLS_MD_SHA224
OID hash id - id-sha256
@@ -75,7 +75,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
oid_get_md_alg_id:"608648016503040201":MBEDTLS_MD_SHA256
OID hash id - id-sha384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
oid_get_md_alg_id:"608648016503040202":MBEDTLS_MD_SHA384
OID hash id - id-sha512
@@ -87,7 +87,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
oid_get_md_alg_id:"608648016503040207":MBEDTLS_MD_SHA3_224
OID hash id - id-sha3-256
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
oid_get_md_alg_id:"608648016503040208":MBEDTLS_MD_SHA3_256
OID hash id - id-sha3-384
@@ -95,11 +95,11 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
oid_get_md_alg_id:"608648016503040209":MBEDTLS_MD_SHA3_384
OID hash id - id-sha3-512
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
oid_get_md_alg_id:"60864801650304020a":MBEDTLS_MD_SHA3_512
OID hash id - id-ripemd160
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
oid_get_md_alg_id:"2b24030201":MBEDTLS_MD_RIPEMD160
OID hash id - invalid oid
@@ -203,7 +203,7 @@ OID from numeric string - OID with overflowing subidentifier
oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""
mbedtls_oid_get_md_hmac - RIPEMD160
-depends_on:MBEDTLS_MD_CAN_RIPEMD160
+depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_oid_get_md_hmac:"2B06010505080104":MBEDTLS_MD_RIPEMD160
mbedtls_oid_get_md_hmac - SHA1
@@ -211,7 +211,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1
mbedtls_oid_get_md_hmac:"2A864886F70D0207":MBEDTLS_MD_SHA1
mbedtls_oid_get_md_hmac - SHA224
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
mbedtls_oid_get_md_hmac:"2A864886F70D0208":MBEDTLS_MD_SHA224
mbedtls_oid_get_md_hmac - SHA256
@@ -219,7 +219,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
mbedtls_oid_get_md_hmac:"2A864886F70D0209":MBEDTLS_MD_SHA256
mbedtls_oid_get_md_hmac - SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
mbedtls_oid_get_md_hmac:"2A864886F70D020A":MBEDTLS_MD_SHA384
mbedtls_oid_get_md_hmac - SHA512
@@ -231,7 +231,7 @@ depends_on:MBEDTLS_MD_CAN_SHA3_224
mbedtls_oid_get_md_hmac:"60864801650304020D":MBEDTLS_MD_SHA3_224
mbedtls_oid_get_md_hmac - SHA3_256
-depends_on:MBEDTLS_MD_CAN_SHA3_256
+depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_oid_get_md_hmac:"60864801650304020E":MBEDTLS_MD_SHA3_256
mbedtls_oid_get_md_hmac - SHA3_384
@@ -239,5 +239,5 @@ depends_on:MBEDTLS_MD_CAN_SHA3_384
mbedtls_oid_get_md_hmac:"60864801650304020F":MBEDTLS_MD_SHA3_384
mbedtls_oid_get_md_hmac - SHA3_512
-depends_on:MBEDTLS_MD_CAN_SHA3_512
+depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_oid_get_md_hmac:"608648016503040210":MBEDTLS_MD_SHA3_512
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index a4dff45..007ba10 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -22,6 +22,9 @@ mbedtls_pem_write_buffer_lengths
PEM read (unencrypted, valid)
mbedtls_pem_read_buffer:"^":"$":"^\nTWJlZCBUTFM=\n$":"":0:"4d62656420544c53"
+PEM read (unencrypted, empty content)
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\n\n-----END EC PRIVATE KEY-----":"":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""
+
PEM read (DES-EDE3-CBC + invalid iv)
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C
mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:""
@@ -49,3 +52,35 @@ mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KE
PEM read (malformed PEM AES-128-CBC)
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:""
+
+# The output sequence's length is not multiple of block size (16 bytes). This
+# proves that the pem_context->len value is properly updated based on the SEQUENCE
+# length read from the decoded ASN.1 data (i.e. extra padding, if any, is ignored).
+PEM read (valid EC key encoded with AES-128-CBC)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,151F851B6A7F3FBDAA5B7173117D0127\n\nLw+0OM+0Bwcl+ls/vxQbLrVshGc7bsNPvvtj2sJeMFFEq3V1mj/IO++0KK/CDhMH\nh6CZPsmgVOeM5uFpqYaq0fJbUduN2eDMWszWRm0SFkY=\n-----END EC PRIVATE KEY-----":"pwdpwd":0:"3041020101040f00d8023c809afd45e426d1a4dbe0ffa00706052b81040004a1220320000400da1ecfa53d528237625e119e2e0500d2eb671724f16deb6a63749516b7"
+
+# The text "hello world" together with some invalid padding data is encoded
+# with AES-128-CBC in order to test padding validation.
+# Since PBKDF1 isn't supported in OpenSSL, here's the steps:
+# 1. generate the key (password="password"; IV=0x3132333435363738 in hex or "12345678" as string)
+# echo -n "password12345678" | openssl md5
+# 2. encode data
+# echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x01\x02\x03\x04\x05" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad
+PEM read (AES-128-CBC, invalid padding data)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n333hxynfxEdXrSHQfIabxQ==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:""
+
+# Padding data (0x11) is larger than AES block size (16).
+# Generated with:
+# echo -n -e "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x11\x11\x11\x11\x11" | openssl aes-128-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad
+PEM read (AES-128-CBC, padding data is larger than AES block length)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,31323334353637380000000000000000\n\n5wA/XVXHuMsQAAOGFQmK0g==\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:""
+
+# Padding data (0x9) is larger than DES block size (8).
+# Generated with:
+# echo -n -e "\x68\x65\x6c\x6c\x6f\x09\x09\x09" | openssl des-cbc -e -base64 -p -K "bbb0ddff1b944b3cc68eaaeb7ac20099" -iv "3132333435363738" -nopad
+PEM read (DES-CBC, padding data is larger than DES block length)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,3132333435363738\n\n6a+B2WineBM=\n-----END EC PRIVATE KEY-----":"password":MBEDTLS_ERR_PEM_PASSWORD_MISMATCH:""
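Review bot: The "Generated with" comments for the three padding cases do not say how the openssl inputs map onto the PEM headers, which makes the vectors hard to regenerate or audit. The AES commands pass the 8-byte `-iv "3132333435363738"` while the matching `DEK-Info` line carries the 16-byte `31323334353637380000000000000000`, and the DES command passes a 16-byte `-K` to `des-cbc`. The commands therefore appear to rely on openssl zero-padding a short IV and ignoring excess key bytes, which is worth confirming against the openssl version used. I would add a line such as `# Note: the 8-byte IV is zero-padded to 16 bytes for AES; DES uses only the first 8 bytes of the MD5-derived key.` and state that the first 8 IV bytes are the salt in step 1.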
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index e697491..52a9f40 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -8,9 +8,23 @@ PK write valid parameters
depends_on:MBEDTLS_RSA_C
valid_parameters_pkwrite:"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"
-PK utils: RSA Minimum key
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
-pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_GEN_KEY_MIN_BITS:(MBEDTLS_RSA_GEN_KEY_MIN_BITS /8):"RSA"
+PK utils: RSA 1024-bit
+depends_on:MBEDTLS_RSA_C
+pk_utils:MBEDTLS_PK_RSA:1024:1024:(1024 + 7) / 8:"RSA"
+
+# In the following 3 test cases we test a few different sizes that are not a
+# multiple of 8 and for which we have test data.
+PK utils: RSA 1026-bits
+depends_on:MBEDTLS_RSA_C
+pk_utils:MBEDTLS_PK_RSA:1026:1026:(1026 + 7) / 8:"RSA"
+
+PK utils: RSA 1028-bits
+depends_on:MBEDTLS_RSA_C
+pk_utils:MBEDTLS_PK_RSA:1028:1028:(1028 + 7) / 8:"RSA"
+
+PK utils: RSA 1030-bits
+depends_on:MBEDTLS_RSA_C
+pk_utils:MBEDTLS_PK_RSA:1030:1030:(1030 + 7) / 8:"RSA"
PK utils: ECKEY SECP192R1
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
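Review bot: The new case titles are inconsistent: `PK utils: RSA 1024-bit` is followed by `RSA 1026-bits`, `RSA 1028-bits` and `RSA 1030-bits`. I would use the singular form throughout, e.g. `PK utils: RSA 1026-bit`. The replaced case followed `MBEDTLS_RSA_GEN_KEY_MIN_BITS`, whereas the new ones hard-code their sizes, so the comment above them could also say that these sizes are tied to the available test keys and not to the configured minimum.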
@@ -49,7 +63,7 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAV
pk_psa_utils:0
PK PSA utilities: RSA setup/free, info functions, unsupported operations
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_psa_utils:1
PK can do ext: ECDSA(ANY)/NONE, invalid check STREAM_CIPHER
@@ -81,11 +95,11 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE/ECDSA(ANY_HASH), check ECDSA(SHA256)
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE/ECDSA(SHA256), check ECDSA(SHA256)
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_ECDSA(PSA_ALG_SHA_256):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: ECDSA(SHA256)/NONE, invalid check ECDSA(ANY)
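Review bot: The added `MBEDTLS_PSA_CRYPTO_C` dependency has no explanation, and its use in the next hunk of this file does not follow one visible rule. Judging by the titles, it is added to cases where the algorithm being checked is the second one listed. However, "RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PKCS1V15_CRYPT" also gets it although it checks the first algorithm, while "RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PKCS1V15_SIGN(SHA256)" does not. If the intent is that matching on the second algorithm needs the full PSA implementation, a comment such as `# Matching on the second algorithm requires MBEDTLS_PSA_CRYPTO_C` before the first such case would document it, and the CRYPT case should be rechecked so its coverage is not narrowed needlessly.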
@@ -133,159 +147,159 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+DERIVE|SIGN
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+SIGN
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+DERIVE
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE:1
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check not allowed COPY usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_COPY:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check STREAM_CIPHER
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check ECDSA(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check ECDH
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check RSA_PKCS1V15_CRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check non-present usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE:0
PK can do ext: RSA_PKCS1V15_SIGN(SHA256)/NONE, check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE, RSA_PKCS1V15_SIGN(ANY), check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE, RSA_PKCS1V15_SIGN(SHA256), check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PKCS1V15_SIGN(SHA256)/NONE, invalid check RSA_PKCS1V15_SIGN(ANY)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN(SHA1)/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_1):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(ANY)/NONE, invalid check STREAM_CIPHER
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(ANY)/NONE, invalid check ECDSA(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(ANY)/NONE, invalid check RSA_PKCS1V15_CRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(ANY)/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(ANY)/NONE, check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PSS(SHA256)/NONE, check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE, RSA_PSS(ANY), check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: NONE, RSA_PSS(SHA256), check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PSS(SHA256)/NONE, invalid check RSA_PSS(ANY)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PSS(SHA1)/NONE, invalid check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_1):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_SIGN_RAW/NONE, check RSA_PKCS1V15_SIGN_RAW
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PKCS1V15_SIGN_RAW/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check STREAM_CIPHER
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check ECDSA(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check ECDH
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_ECDH:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0
PK can do ext: RSA_PKCS1V15_CRYPT/NONE, check RSA_PKCS1V15_CRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1
PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PKCS1V15_CRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1
PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_DECRYPT:1
PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check non allowed ENCRYPT usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT:0
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: MBEDTLS_PK_ECKEY, check ECDSA(SHA256)
@@ -297,28 +311,48 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1
pk_can_do_ext:0:MBEDTLS_PK_ECKEY:0:0:0:MBEDTLS_ECP_DP_SECP256R1:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:1
PK can do ext: MBEDTLS_PK_RSA, check RSA_PKCS1V15_SIGN(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
PK can do ext: MBEDTLS_PK_RSA, check PSA_ALG_RSA_PKCS1V15_CRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1
PK can do ext: MBEDTLS_PK_RSA, check invalid PSA_KEY_USAGE_ENCRYPT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0
PK can do ext: MBEDTLS_PK_RSA, check RSA_PSS(SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
+depends_on:MBEDTLS_RSA_C
pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1
-RSA verify test vector #1 (good)
+RSA verify test vector: PKCS1v1.5 (explicit), SHA1, good
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
-pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0
+pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0
-RSA verify test vector #2 (bad)
+RSA verify test vector: PKCS1v1.5 (default), SHA1, good
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
-pk_rsa_verify_test_vec:"9f294f0c7b32da6221a3ef83654322038e8968fa":MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"3203b7647fb7e345aa457681e5131777f1adc371f2fba8534928c4e52ef6206a856425d6269352ecbf64db2f6ad82397768cafdd8cd272e512d617ad67992226da6bc291c31404c17fd4b7e2beb20eff284a44f4d7af47fd6629e2c95809fa7f2241a04f70ac70d3271bb13258af1ed5c5988c95df7fa26603515791075feccd":MBEDTLS_ERR_RSA_VERIFY_FAILED
+pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":-1:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0
+
+RSA verify test vector: PKCS1v1.5, SHA1, wrong signature
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
+pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b8":MBEDTLS_ERR_RSA_VERIFY_FAILED
+
+RSA verify test vector: PSS, SHA1, good
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21
+pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0
+
+RSA verify test vector: PSS, SHA1, wrong signature
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21
+pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747f":MBEDTLS_ERR_RSA_VERIFY_FAILED
+
+RSA verify test vector: PSS, SHA1, signature is PKCS1v1.5
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V21
+pk_rsa_verify_test_vec:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":MBEDTLS_ERR_RSA_VERIFY_FAILED
+
+RSA verify test vector: PKCS1v1.5, SHA1, signature is PSS
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
+pk_rsa_verify_test_vec:"37b66ae0445843353d47ecb0b4fd14c110e62d6a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":"010001":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":MBEDTLS_ERR_RSA_VERIFY_FAILED
ECDSA verify test vector #1 (good)
depends_on:MBEDTLS_ECP_HAVE_SECP192R1
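Review bot: None of the new RSA verify negatives pairs a well-formed signature with a different digest. The `wrong signature` cases only alter the last signature byte and the cross-padding cases swap the mode, while the removed `RSA verify test vector #2 (bad)` was the only case that used another hash value (`9f294f…`). Rejecting a genuine signature presented with a different digest is the property callers rely on a verifier for. I would add a `wrong hash` case per padding mode that reuses the good vector with one digest byte changed and expects `MBEDTLS_ERR_RSA_VERIFY_FAILED`. A `#` comment above the `PKCS1v1.5 (default)` case should also say what `-1` means as the padding argument; presumably the test leaves the context's padding mode untouched, but the test function is outside this hunk, so that needs confirming.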
@@ -370,59 +404,95 @@ pk_ec_test_vec:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"0437cc56d976091e5a723e
ECDSA sign-verify: SECP192R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP192R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:0:0:0:0
ECDSA sign-verify: SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:0:0:0:0
ECDSA sign-verify: SECP384R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:0:0:0:0
ECDSA sign-verify: SECP521R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP521R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:0:0:0:0
ECDSA sign-verify: BP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_BP256R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP256R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP256R1:0:0:0:0
ECDSA sign-verify: BP512R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_BP512R1
-pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP512R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_BP512R1:0:0:0:0
EC(DSA) sign-verify: SECP192R1
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP192R1
-pk_sign_verify:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP192R1:0:0
+pk_sign_verify:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP192R1:0:0:0:0
EC_DH (no) sign-verify: SECP192R1
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
-pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ERR_PK_TYPE_MISMATCH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:0:0:MBEDTLS_ERR_PK_TYPE_MISMATCH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+RSA sign-verify, PKCS1v1.5, SHA1
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
+pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:0:0
+
+RSA sign-verify, PKCS1v2.1, SHA1
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:0:0
-RSA sign-verify
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512
-pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:0
+RSA sign-verify, PKCS1v1.5, SHA256
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256
+pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:0:0
-RSA encrypt-decrypt test
+RSA sign-verify, PKCS1v2.1, SHA256
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA256:0:0
+
+RSA encrypt-decrypt test PKCS1 v1.5
depends_on:MBEDTLS_PKCS1_V15
-pk_rsa_encrypt_decrypt_test:"4E636AF98E40F3ADCFCCB698F4E80B9F":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":0
+pk_rsa_encrypt_decrypt_test:"4E636AF98E40F3ADCFCCB698F4E80B9F":2048:MBEDTLS_RSA_PKCS_V15:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":0
+
+RSA encrypt-decrypt test PKCS1 v2.1
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_rsa_encrypt_decrypt_test:"4E636AF98E40F3ADCFCCB698F4E80B9F":2048:MBEDTLS_RSA_PKCS_V21:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":0
-RSA decrypt test vector #1
+RSA decrypt test vector - PKCS1v1.5
depends_on:MBEDTLS_PKCS1_V15
-pk_rsa_decrypt_test_vec:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":0
+pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0
-RSA decrypt test vector #2
+RSA decrypt test vector - PKCS1v1.5, corrupted encrypted data
depends_on:MBEDTLS_PKCS1_V15
-pk_rsa_decrypt_test_vec:"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":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_INVALID_PADDING
+pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43d":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING
+
+RSA decrypt test vector - PKCS1v2.1
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":0
+
+RSA decrypt test vector - PKCS1v2.1, corrupted encrypted data
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0956":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING
-RSA Opaque decrypt test vector #1
+RSA decrypt test vector - PKCS1v1.5, but data is PKCS1v2.1 encrypted
depends_on:MBEDTLS_PKCS1_V15
-pk_wrap_rsa_decrypt_test_vec:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":0
+pk_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":1024:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_NONE:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING
-RSA Opaque decrypt test vector #2
+RSA decrypt test vector - PKCS1v2.1, but data is PKCS1v1.5 encrypted
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_rsa_decrypt_test_vec:"28818cb14236ad18f4527e7f1f7633e96cef021bc3234475d7f61e88702b6335b42a352ed3f3267ac7c3e9ba4af17e45096c63eefd8d9a7cb42dfc52fffb2f5b8afb305b46312c2eb50634123b4437a2287ac57b7509d59a583fb741989a49f32625e9267b4641a6607b7303d35c68489db53c8d387b620d0d46a852e72ea43c":1024:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":"d436e99569fd32a7c8a05bbc90d32c49":MBEDTLS_ERR_RSA_INVALID_PADDING
+
+RSA Opaque PCKS1 v1.5 - decrypt test vector #1
depends_on:MBEDTLS_PKCS1_V15
-pk_wrap_rsa_decrypt_test_vec:"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":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_INVALID_PADDING
+pk_wrap_rsa_decrypt_test_vec:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":MBEDTLS_RSA_PKCS_V15:"4E636AF98E40F3ADCFCCB698F4E80B9F":0
+
+RSA Opaque PCKS1 v2.1 - decrypt test vector #1
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1
+pk_wrap_rsa_decrypt_test_vec:"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":1024:"eecfae81b1b9b3c908810b10a1b5600199eb9f44aef4fda493b81a9e3d84f632124ef0236e5d1e3b7e28fae7aa040a2d5b252176459d1f397541ba2a58fb6599":"c97fb1f027f453f6341233eaaad1d9353f6c42d08866b1d05a0f2035028b9d869840b41666b42e92ea0da3b43204b5cfce3352524d0416a5a441e700af461503":"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":"11":MBEDTLS_RSA_PKCS_V21:"d436e99569fd32a7c8a05bbc90d32c49":0
+
+RSA Opaque PCKS1 v1.5 - decrypt test vector #2
+depends_on:MBEDTLS_PKCS1_V15
+pk_wrap_rsa_decrypt_test_vec:"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":2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":MBEDTLS_RSA_PKCS_V15:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_INVALID_PADDING
EC nocrypt
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS
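Review bot: The opaque (PSA-wrapped) decrypt path gets an OAEP vector for the success case only. `RSA Opaque PCKS1 v2.1 - decrypt test vector #1` expects 0, and the only opaque failure case, `#2`, is PKCS1 v1.5. The transparent `pk_rsa_decrypt_test_vec` cases in this hunk cover corrupted and wrong-mode ciphertext for both paddings, so I would mirror at least the corrupted-ciphertext case for `pk_wrap_rsa_decrypt_test_vec` with `MBEDTLS_RSA_PKCS_V21`. The test function is outside this hunk, so the exact error code the wrapped path returns needs confirming. The three new opaque test names also spell the scheme `PCKS1`; `PKCS1` would match the other case names when searching the data file.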
@@ -437,7 +507,7 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN
pk_ec_nocrypt:MBEDTLS_PK_ECDSA
RSA_ALT consistency
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
pk_rsa_alt:
Verify ext RSA #1 (PKCS1 v2.1, salt_len = ANY, OK)
@@ -526,23 +596,23 @@ pk_rsa_verify_ext_test_vec:"ae6e43dd387c25741e42fc3570cdfc52e4f51a2343294f3b677d
Check pair #1 (EC, OK)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0
+mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/ec_256_prv.pem":0
Check pair #2 (EC, bad)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
Check pair #3 (RSA, OK)
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server1.key":0
+mbedtls_pk_check_pair:"../framework/data_files/server1.pubkey":"../framework/data_files/server1.key":0
Check pair #4 (RSA, bad)
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server2.key":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+mbedtls_pk_check_pair:"../framework/data_files/server1.pubkey":"../framework/data_files/server2.key":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
Check pair #5 (RSA vs EC)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server1.key":MBEDTLS_ERR_PK_TYPE_MISMATCH
+mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/server1.key":MBEDTLS_ERR_PK_TYPE_MISMATCH
RSA hash_len overflow (size_t vs unsigned int)
depends_on:MBEDTLS_RSA_C:MBEDTLS_HAVE_INT64
@@ -582,101 +652,1023 @@ pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75
PSA wrapped sign: SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
-pk_psa_sign:MBEDTLS_ECP_DP_SECP256R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0
PSA wrapped sign: SECP384R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1
-pk_psa_sign:MBEDTLS_ECP_DP_SECP384R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:0
PSA wrapped sign: SECP521R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP521R1
-pk_psa_sign:MBEDTLS_ECP_DP_SECP521R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:0
PSA wrapped sign: SECP192K1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP192K1
-pk_psa_sign:MBEDTLS_ECP_DP_SECP192K1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):192
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):192:0
## Currently buggy: https://github.com/ARMmbed/mbed-crypto/issues/336
# PSA wrapped sign: SECP224K1
# depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP224K1
-# pk_psa_sign:MBEDTLS_ECP_DP_SECP224K1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):224
+# pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):224:0
PSA wrapped sign: SECP256K1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256K1
-pk_psa_sign:MBEDTLS_ECP_DP_SECP256K1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):256
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):256:0
PSA wrapped sign: BP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_BP256R1
-pk_psa_sign:MBEDTLS_ECP_DP_BP256R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):256
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):256:0
PSA wrapped sign: BP384R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_BP384R1
-pk_psa_sign:MBEDTLS_ECP_DP_BP384R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):384
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):384:0
PSA wrapped sign: BP512R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_BP512R1
-pk_psa_sign:MBEDTLS_ECP_DP_BP512R1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512
+pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512:0
PSA wrapped sign: RSA PKCS1 v1.5
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_PK_WRITE_C
-pk_psa_sign:1024:PSA_KEY_TYPE_RSA_KEY_PAIR:1024
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_psa_sign:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:MBEDTLS_RSA_PKCS_V15
+
+PSA wrapped sign: RSA PKCS1 v2.1
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_psa_sign:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:MBEDTLS_RSA_PKCS_V21
-PK Sign ext:RSA2048,PK_RSA,MD_SHA256
-depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
+PK sign ext: RSA2048, PK_RSA, MD_SHA256
+depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
-PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA256
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
+PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA256
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
-PK Sign ext:RSA2048,PK_RSA,MD_SHA384
-depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
+PK sign ext: RSA2048, PK_RSA, MD_SHA384
+depends_on:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
-PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA384
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
+PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA384
+depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
-PK Sign ext:RSA2048,PK_RSA,MD_SHA512
-depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
+PK sign ext: RSA2048, PK_RSA, MD_SHA512
+depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
-PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA512
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
-pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
+PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
+pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
-PK Sign ext:SECP256R1,PK_ECDSA,MD_SHA256
+PK sign ext: SECP256R1, PK_ECDSA, MD_SHA256
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA256
+pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA256
-PK Sign ext:SECP384R1,PK_ECDSA,MD_SHA384
-depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA384
-pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA384
+PK sign ext: SECP384R1, PK_ECDSA, MD_SHA384
+depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1:PSA_WANT_ALG_SHA_384
+pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA384
-PK Sign ext:SECP521R1,PK_ECDSA,MD_SHA512
+PK sign ext: SECP521R1, PK_ECDSA, MD_SHA512
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP521R1:MBEDTLS_MD_CAN_SHA512
-pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA512
+pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA512
-PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA256
+PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA256
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
-PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA256
+PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA256
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
-PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA384
-depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C
+PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA384
+depends_on:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
-PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA384
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C
+PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA384
+depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
-PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA512
+PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA512
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
-PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA512
+PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
+
+PSA attributes for pk: NONE (bad)
+pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA
+
+# There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt().
+
+# Bad usage due to not specifying sign/crypt/derive.
+PSA attributes for pk: RSA usage=0 (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Bad usage due to not specifying sign/crypt/derive.
+PSA attributes for pk: RSA usage=EXPORT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Bad usage due to specifying more than one of sign/crypt/derive.
+PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# This usage could make sense, but is not currently supported.
+PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+PSA attributes for pk: RSA v15 public DECRYPT (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair SIGN_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 pair->public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21
+pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 public SIGN_HASH (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 pair DERIVE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: RSA v15 public DERIVE (bad)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA pair DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public DECRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA pair ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public ENCRYPT (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair DERIVE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH
+
+PSA attributes for pk: ECKEY_DH pair DERIVE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_DERIVE:1:PSA_ALG_ECDH
+
+PSA attributes for pk: ECDSA pair DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public DERIVE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY pair SIGN_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair SIGN_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair SIGN_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair SIGN_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair->public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY pair->public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA pair->public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA public VERIFY_MESSAGE
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECDSA public VERIFY_HASH
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+PSA attributes for pk: ECKEY public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECDSA public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH pair VERIFY_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public SIGN_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public SIGN_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public VERIFY_MESSAGE (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: ECKEY_DH public VERIFY_HASH (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy)
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN|VERIFY & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT
+
+# For a PK_OPAQUE key with a key pair type output,
+# mbedtls_pk_import_into_psa() requires the key to be copyable or exportable.
+# Try all combinations of COPY/not, EXPORT/not.
+PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN|EXPORT|... & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN|COPY|... & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN|COPY|EXPORT... & SIGN_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_HASH (bad policy)
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+# For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input
+# key's algorithm policy. Just this time, test with a few different algorithms.
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [0]
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [raw]
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [v15]
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [PSS]
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque RSA pair, 0 & DECRYPT (bad policy)
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT
+
+PSA attributes for pk: opaque RSA pair, DECRYPT|... & DECRYPT
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque RSA pair, ... & DERIVE (bad)
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad)
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque RSA pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair->public, VERIFY_HASH & VERIFY_HASH
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque RSA pair->public, ENCRYPT & ENCRYPT
+depends_on:MBEDTLS_RSA_C
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE (bad policy)
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, SIGN|VERIFY & SIGN_MESSAGE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, SIGN|DECRYPT & SIGN_MESSAGE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT
+
+PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT
+
+PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE
+
+PSA attributes for pk: opaque ECC pair, ... & DERIVE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE
+
+PSA attributes for pk: opaque ECC pair, ... & DECRYPT (bad)
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad)
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0
+
+PSA attributes for pk: opaque ECC pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE
+
+PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad)
+depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS
+pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0
+
+PSA import into PSA: RSA pair to ECC (bad)
+depends_on:MBEDTLS_RSA_C
+pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: RSA public to RSA pair (bad)
+depends_on:MBEDTLS_RSA_C
+pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation
+# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably
+# be more appropriate. (Applies to all the RSA "different bits" test cases.)
+PSA import into PSA: RSA pair to different bits (bad)
+depends_on:MBEDTLS_RSA_C
+pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG
+
+PSA import into PSA: RSA public to different bits (bad)
+depends_on:MBEDTLS_RSA_C
+pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG
+
+PSA import into PSA: RSA private to public, different bits (bad)
+depends_on:MBEDTLS_RSA_C
+pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG
+
+PSA import into PSA: ECKEY pair to RSA (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH pair to RSA (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA pair to RSA (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY pair to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH pair to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA pair to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY pair to public, different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH pair to public, different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA pair to public, different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY public to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH public to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA public to different curve (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY pair to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH pair to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA pair to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY public to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH public to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA public to different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY private to public, different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH private to public, different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA private to public, different bits (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PAIR:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS):MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY public to pair (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECKEY_DH public to pair (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
+pk_import_into_psa_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: ECDSA public to pair (bad)
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PK_CAN_ECDSA_SOME
+pk_import_into_psa_fail:MBEDTLS_PK_ECDSA:FROM_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: transparent -> volatile pair
+pk_import_into_psa_lifetime:0:0:1:0:0
+
+PSA import into PSA: transparent -> persistent pair
+pk_import_into_psa_lifetime:0:0:1:0:1
+
+PSA import into PSA: transparent -> volatile public
+pk_import_into_psa_lifetime:0:0:1:1:0
+
+PSA import into PSA: transparent -> persistent public
+pk_import_into_psa_lifetime:0:0:1:1:1
+
+PSA import into PSA: opaque volatile [export] -> volatile pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:1:0:0
+
+PSA import into PSA: opaque volatile [export] -> persistent pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:1:0:1
+
+PSA import into PSA: opaque volatile [export] -> volatile public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:1:1:0
+
+PSA import into PSA: opaque volatile [export] -> persistent public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:1:1:1
+
+PSA import into PSA: opaque volatile [copy] -> volatile pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:0:0:0
+
+PSA import into PSA: opaque volatile [copy] -> persistent pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:0:0:1
+
+PSA import into PSA: opaque volatile [copy] -> volatile public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:0:1:0
+
+PSA import into PSA: opaque volatile [copy] -> persistent public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:0:0:1:1
+
+PSA import into PSA: opaque persistent [export] -> volatile pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:1:0:0
+
+PSA import into PSA: opaque persistent [export] -> persistent pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:1:0:1
+
+PSA import into PSA: opaque persistent [export] -> volatile public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:1:1:0
+
+PSA import into PSA: opaque persistent [export] -> persistent public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:1:1:1
+
+PSA import into PSA: opaque persistent [copy] -> volatile pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:0:0:0
+
+PSA import into PSA: opaque persistent [copy] -> persistent pair
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:0:0:1
+
+PSA import into PSA: opaque persistent [copy] -> volatile public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:0:1:0
+
+PSA import into PSA: opaque persistent [copy] -> persistent public
+depends_on:MBEDTLS_USE_PSA_CRYPTO
+pk_import_into_psa_lifetime:1:1:0:1:1
+
+PSA import into PSA: opaque RSA, COPY (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+PSA import into PSA: opaque RSA, EXPORT (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+PSA import into PSA: opaque RSA, no COPY/EXPORT (bad)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Detail that isn't precisely documented: since this copies the key,
+# the new key has the intersection of the usage flags.
+PSA import into PSA: opaque RSA, COPY|EXPORT, different usage (restricted)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+# Detail that isn't precisely documented: since this copies the key,
+# the new key has the intersection of the usage flags.
+PSA import into PSA: opaque RSA, COPY, different usage (restricted)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+# Detail that isn't precisely documented: since this exports the key,
+# the new key has all the requested usage flags.
+PSA import into PSA: opaque RSA, EXPORT, different usage (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+PSA import into PSA: opaque RSA, COPY|EXPORT, different algorithm (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0
+
+PSA import into PSA: opaque RSA, COPY, different algorithm (bad)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque RSA, EXPORT, different algorithm (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0
+
+PSA import into PSA: opaque RSA, implicit bits (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+PSA import into PSA: opaque RSA, different bits (bad)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque RSA, different type (bad)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque RSA to public (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+PSA import into PSA: opaque RSA to public, implicit bits (ok)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
+# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation
+# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably
+# be more appropriate.
+PSA import into PSA: opaque RSA to public, different bits (bad)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_INVALID_ALG
+
+PSA import into PSA: opaque ECC, COPY (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+PSA import into PSA: opaque ECC, EXPORT (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+PSA import into PSA: opaque ECC, no COPY/EXPORT (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+# Detail that isn't precisely documented: since this copies the key,
+# the new key has the intersection of the usage flags.
+PSA import into PSA: opaque ECC, COPY|EXPORT, different usage (restricted)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+# Detail that isn't precisely documented: since this copies the key,
+# the new key has the intersection of the usage flags.
+PSA import into PSA: opaque ECC, COPY, different usage (restricted)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+# Detail that isn't precisely documented: since this exports the key,
+# the new key has all the requested usage flags.
+PSA import into PSA: opaque ECC, EXPORT, different usage (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+PSA import into PSA: opaque ECC, COPY|EXPORT, different algorithm (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0
+
+PSA import into PSA: opaque ECC, COPY, different algorithm (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque ECC, EXPORT, different algorithm (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0
+
+PSA import into PSA: opaque ECC, implicit bits (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+PSA import into PSA: opaque ECC, different bits (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque ECC, different type (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque ECC, different family (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+PSA import into PSA: opaque ECC to public (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+PSA import into PSA: opaque ECC to public, implicit bits (ok)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0
+
+# MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation
+# of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably
+# be more appropriate.
+PSA import into PSA: opaque ECC to public, different bits (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG
+
+PSA import into PSA: opaque ECC to public, different family (bad)
+depends_on:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA
+pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
+
+Copy from PSA: use wrong parameters
+pk_copy_from_psa_fail:
+
+# The following test is only possible for RSA keys and not for EC ones:
+# - for the former it is possible to have an accelerated RSA key in PSA while
+# having RSA_C disabled. Since RSA path is guarded by RSA_C in mbedtls_pk_copy_from_psa(),
+# any attempt to copy that key will fail.
+# - for the latter instead the guard is PK_HAVE_ECC_KEYS which is enabled as soon
+# as there is any curve supported either builtin or in a driver. In a scenario
+# in which a certain EC key is only available through a driver and not as
+# builtin mbedtls_pk_copy_from_psa() uses functions that will all succeed
+# and therefore it will succeed.
+Copy from PSA: accelerated key only, not available as built-in
+pk_copy_from_psa_builtin_fail:
+
+Copy from PSA: valid EC (SECP_R1_256 + ECDSA + ANY_HASH)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)
+
+Copy from PSA: valid EC (SECP_R1_256 + ECDSA + SHA_256)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA(PSA_ALG_SHA_256)
+
+Copy from PSA: valid EC (SECP_R1_256 + ECDSA + SHA_512)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA(PSA_ALG_SHA_512)
+
+Copy from PSA: valid EC (SECP_R1_256 + DET_ECDSA + ANY_HASH)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)
+
+Copy from PSA: valid EC (SECP_R1_256 + DET_ECDSA + SHA_256)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)
+
+Copy from PSA: valid EC (SECP_R1_256 + DET_ECDSA + SHA_512)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_512)
+
+Copy from PSA: valid EC (SECP_R1_256 + ECDSA_ANY)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA_ANY
+
+Copy from PSA: valid EC (SECP_R1_521 + ECDSA + SHA_256)
+depends_on:MBEDTLS_ECP_HAVE_SECP521R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"005dbb8e12240a62932b88cdd93c31cdd8873a2c15e40cc3c9f8e695b77fae015a44fe5267ef7868cb28cfb9579282fe060de44fe6de26f74a0d94afdaa870befbc5":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA(PSA_ALG_SHA_256)
+
+Copy from PSA: valid EC (SECP_K1_256 + ECDSA + SHA_256)
+depends_on:MBEDTLS_ECP_HAVE_SECP256K1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"7154f04fcc79ac9df1652dcf99031610592b2b27f74f5985690a987357ba0428":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):PSA_ALG_ECDSA(PSA_ALG_SHA_256)
+
+# The key's algorithm only allows ECDH, but pk_copy_from_psa() ignores this information
+# when building the PK context.
+Copy from PSA: valid EC, wrong alg (SECP_R1_256 + ECDH)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDH
+
+# The key's algorithm is absolutely wrong for an EC key, but pk_copy_from_psa()
+# ignores this information when building the PK context.
+Copy from PSA: valid EC, wrong alg (SECP_R1_256 + CMAC)
+depends_on:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_CMAC
+
+Copy from PSA: valid RSA (PKCS1V15_SIGN + ANY_HASH)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"308204a40201000282010100ef24d80f6b7a0f62ab2f750a8370c1c39781abe2f7ae5cbc698ebbc51067af68c8b02e5bfafe0b296a2fdca8ee5327bf3370bd26c529d173c4356d8ad51f606ac730e3be509d8535c9c51927222d6c4e770efec4d9b0bd11410e5e2e01e093700d358aab8292297483c65870ea6d4ca9299f4347790f6223480732726a97b34bb4d53cb3f188e3c97115b029fa9a2cce4c6d935977a90737ac8b2a2c5691ad928b22681ca05ee38ddba2278c854f51281c5e4856090aca59bf719a167e63bb932580ae2b599e1a297194696e637a919bc9d2caf214e59d46ed1a12e591b608f2031744111551430d9ac39082957ae1ce03a88068896701e6ce19a83890ff5761020301000102820100706fb53a02c13fcc9749d7d09a9e002c12e6bfc715c6a00961e3defab74cd896fe8c7f2f75e1cda3aa2e58a400718e65822d0671dd0f5d4ffdb7550a8a4b974c7cdccaa72745f864a2ba0daa6d9247b2d89d6f41644c89883c3b2222a5754e3cc7a91dcaa7b84acf6249763998aeccf558016e638352ad44835006f2ee94e691d0070ce561677f2a22a12f357bd762c57f80f1f4921f0f26b3ed758478d11086c182874355ef5039e8d854291b9ce7f8b284ec81f141b7255313507f5ea159d6b1c0ee176e7743d3c65d536e1e4aaf24089c1e00c8021012b8846a4971a0695030504ace362077e8b2fcb4fbdd70bfb734a3fe7d9e1a25bdd0cb0f2fcb56ecc502818100f8fdfbac1c033911b5a184980d081f700f4d450cebf18cbdc68f160a5abd580e6f8f5800fd0b60521dbe2d549e82617afe70d2ad004c2f45405d94e4418e8c2b8da6bcaa407bbfa5477b5a6fceccfcb99f51c6c16bd17202d997bdcaec83b870e3e101acc05e0754020ec207ef5ec9934ac81cd617af72cd94b2bb400eb2078302818100f5dfe74a548c04950178f50130d5aadbe5d1f4b52527c0bfad9aa0d73731fb24219cb5ea5c4b4fa56133d5ea9225fa7d0ccc9bdcc78b77303a2e73c17e9a46b9b09020604496a849f069d0d87713e06a5d374271b2629f5ba220506b606a101828d20da9fcfa3a7e75b135987260be6d37622fc3f4bf4fd2dfd9655da5ff0c4b02818100d4d797c959f0cf59fa1f65ceec64e32ad189c5daf3ddf9e747d28c8eb15e65e5812bd19896b6a0d1d126fe6cf54a92b5a6c71ef04feed001acb1d253044f2c3716d14f396201e6a30c65bfbb0fd65ebaf61bdb80ffff7c2c3f80dcf69813491907531231700770d0392a1066e411ecd201fce9d98149b32355572b85e889faad028181009d898bc165709d52f7b18f91e6bf508d3ab08ed12df04da0c2d40b7039ce4d72b61299c082c8424cdd7dfff71f13346ec12fac42069
cc68e6108f86427012485bfaa6904258e3e5fb9a9a305bf2e3e21087eea94bcce51fabd63650397affd85ed49c1358480b3cfe90ad5234b4dcf555d220d26c9ff765ecfcc94152fd1be070281804bf77b4bae8386772de830cc75f2d1d4b8221b3f817208e08c002ac0549902677e4f0e7bce5ba1b3da74fbbe138758e6853b4a5b7bf0672bc1170c64fa502a5e24e3472db433b4e30761eab6ebb9e207235fd88b97b1b30e14f364b628219d6e17056543a4e29a4de1e41ad37927ce23d0442623744bc35a1874296960029044":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)
+
+Copy from PSA: valid RSA (PKCS1V15_SIGN + SHA_256)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256)
+
+Copy from PSA: valid RSA (PKCS1V15_SIGN + SHA_512)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512)
+
+Copy from PSA: valid RSA (PKCS1V15_CRYPT)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"308204a40201000282010100ef24d80f6b7a0f62ab2f750a8370c1c39781abe2f7ae5cbc698ebbc51067af68c8b02e5bfafe0b296a2fdca8ee5327bf3370bd26c529d173c4356d8ad51f606ac730e3be509d8535c9c51927222d6c4e770efec4d9b0bd11410e5e2e01e093700d358aab8292297483c65870ea6d4ca9299f4347790f6223480732726a97b34bb4d53cb3f188e3c97115b029fa9a2cce4c6d935977a90737ac8b2a2c5691ad928b22681ca05ee38ddba2278c854f51281c5e4856090aca59bf719a167e63bb932580ae2b599e1a297194696e637a919bc9d2caf214e59d46ed1a12e591b608f2031744111551430d9ac39082957ae1ce03a88068896701e6ce19a83890ff5761020301000102820100706fb53a02c13fcc9749d7d09a9e002c12e6bfc715c6a00961e3defab74cd896fe8c7f2f75e1cda3aa2e58a400718e65822d0671dd0f5d4ffdb7550a8a4b974c7cdccaa72745f864a2ba0daa6d9247b2d89d6f41644c89883c3b2222a5754e3cc7a91dcaa7b84acf6249763998aeccf558016e638352ad44835006f2ee94e691d0070ce561677f2a22a12f357bd762c57f80f1f4921f0f26b3ed758478d11086c182874355ef5039e8d854291b9ce7f8b284ec81f141b7255313507f5ea159d6b1c0ee176e7743d3c65d536e1e4aaf24089c1e00c8021012b8846a4971a0695030504ace362077e8b2fcb4fbdd70bfb734a3fe7d9e1a25bdd0cb0f2fcb56ecc502818100f8fdfbac1c033911b5a184980d081f700f4d450cebf18cbdc68f160a5abd580e6f8f5800fd0b60521dbe2d549e82617afe70d2ad004c2f45405d94e4418e8c2b8da6bcaa407bbfa5477b5a6fceccfcb99f51c6c16bd17202d997bdcaec83b870e3e101acc05e0754020ec207ef5ec9934ac81cd617af72cd94b2bb400eb2078302818100f5dfe74a548c04950178f50130d5aadbe5d1f4b52527c0bfad9aa0d73731fb24219cb5ea5c4b4fa56133d5ea9225fa7d0ccc9bdcc78b77303a2e73c17e9a46b9b09020604496a849f069d0d87713e06a5d374271b2629f5ba220506b606a101828d20da9fcfa3a7e75b135987260be6d37622fc3f4bf4fd2dfd9655da5ff0c4b02818100d4d797c959f0cf59fa1f65ceec64e32ad189c5daf3ddf9e747d28c8eb15e65e5812bd19896b6a0d1d126fe6cf54a92b5a6c71ef04feed001acb1d253044f2c3716d14f396201e6a30c65bfbb0fd65ebaf61bdb80ffff7c2c3f80dcf69813491907531231700770d0392a1066e411ecd201fce9d98149b32355572b85e889faad028181009d898bc165709d52f7b18f91e6bf508d3ab08ed12df04da0c2d40b7039ce4d72b61299c082c8424cdd7dfff71f13346ec12fac42069
cc68e6108f86427012485bfaa6904258e3e5fb9a9a305bf2e3e21087eea94bcce51fabd63650397affd85ed49c1358480b3cfe90ad5234b4dcf555d220d26c9ff765ecfcc94152fd1be070281804bf77b4bae8386772de830cc75f2d1d4b8221b3f817208e08c002ac0549902677e4f0e7bce5ba1b3da74fbbe138758e6853b4a5b7bf0672bc1170c64fa502a5e24e3472db433b4e30761eab6ebb9e207235fd88b97b1b30e14f364b628219d6e17056543a4e29a4de1e41ad37927ce23d0442623744bc35a1874296960029044":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_CRYPT
+
+Copy from PSA: valid RSA (OAEP + SHA_256)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+Copy from PSA: valid RSA (OAEP + SHA_512)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512)
+
+Copy from PSA: valid RSA (PSS_ANY_SALT + ANY_HASH)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)
+
+Copy from PSA: valid RSA (PSS_ANY_SALT + SHA_256)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256)
+
+Copy from PSA: valid RSA (PSS_ANY_SALT + SHA_512)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"308204a40201000282010100ef24d80f6b7a0f62ab2f750a8370c1c39781abe2f7ae5cbc698ebbc51067af68c8b02e5bfafe0b296a2fdca8ee5327bf3370bd26c529d173c4356d8ad51f606ac730e3be509d8535c9c51927222d6c4e770efec4d9b0bd11410e5e2e01e093700d358aab8292297483c65870ea6d4ca9299f4347790f6223480732726a97b34bb4d53cb3f188e3c97115b029fa9a2cce4c6d935977a90737ac8b2a2c5691ad928b22681ca05ee38ddba2278c854f51281c5e4856090aca59bf719a167e63bb932580ae2b599e1a297194696e637a919bc9d2caf214e59d46ed1a12e591b608f2031744111551430d9ac39082957ae1ce03a88068896701e6ce19a83890ff5761020301000102820100706fb53a02c13fcc9749d7d09a9e002c12e6bfc715c6a00961e3defab74cd896fe8c7f2f75e1cda3aa2e58a400718e65822d0671dd0f5d4ffdb7550a8a4b974c7cdccaa72745f864a2ba0daa6d9247b2d89d6f41644c89883c3b2222a5754e3cc7a91dcaa7b84acf6249763998aeccf558016e638352ad44835006f2ee94e691d0070ce561677f2a22a12f357bd762c57f80f1f4921f0f26b3ed758478d11086c182874355ef5039e8d854291b9ce7f8b284ec81f141b7255313507f5ea159d6b1c0ee176e7743d3c65d536e1e4aaf24089c1e00c8021012b8846a4971a0695030504ace362077e8b2fcb4fbdd70bfb734a3fe7d9e1a25bdd0cb0f2fcb56ecc502818100f8fdfbac1c033911b5a184980d081f700f4d450cebf18cbdc68f160a5abd580e6f8f5800fd0b60521dbe2d549e82617afe70d2ad004c2f45405d94e4418e8c2b8da6bcaa407bbfa5477b5a6fceccfcb99f51c6c16bd17202d997bdcaec83b870e3e101acc05e0754020ec207ef5ec9934ac81cd617af72cd94b2bb400eb2078302818100f5dfe74a548c04950178f50130d5aadbe5d1f4b52527c0bfad9aa0d73731fb24219cb5ea5c4b4fa56133d5ea9225fa7d0ccc9bdcc78b77303a2e73c17e9a46b9b09020604496a849f069d0d87713e06a5d374271b2629f5ba220506b606a101828d20da9fcfa3a7e75b135987260be6d37622fc3f4bf4fd2dfd9655da5ff0c4b02818100d4d797c959f0cf59fa1f65ceec64e32ad189c5daf3ddf9e747d28c8eb15e65e5812bd19896b6a0d1d126fe6cf54a92b5a6c71ef04feed001acb1d253044f2c3716d14f396201e6a30c65bfbb0fd65ebaf61bdb80ffff7c2c3f80dcf69813491907531231700770d0392a1066e411ecd201fce9d98149b32355572b85e889faad028181009d898bc165709d52f7b18f91e6bf508d3ab08ed12df04da0c2d40b7039ce4d72b61299c082c8424cdd7dfff71f13346ec12fac42069
cc68e6108f86427012485bfaa6904258e3e5fb9a9a305bf2e3e21087eea94bcce51fabd63650397affd85ed49c1358480b3cfe90ad5234b4dcf555d220d26c9ff765ecfcc94152fd1be070281804bf77b4bae8386772de830cc75f2d1d4b8221b3f817208e08c002ac0549902677e4f0e7bce5ba1b3da74fbbe138758e6853b4a5b7bf0672bc1170c64fa502a5e24e3472db433b4e30761eab6ebb9e207235fd88b97b1b30e14f364b628219d6e17056543a4e29a4de1e41ad37927ce23d0442623744bc35a1874296960029044":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_512)
+
+Copy from PSA: valid RSA (PSS + ANY_HASH)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH)
+
+Copy from PSA: valid RSA (PSS + SHA_256)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256)
+
+Copy from PSA: valid RSA (PSS + SHA_512)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PSS(PSA_ALG_SHA_512)
+
+Copy from PSA: valid RSA, PSA_ALG_NONE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_NONE
+
+# Key's algorithm is wrong for an RSA key, but pk_copy_from_psa() accepts
+# it anyway.
+Copy from PSA: valid RSA, wrong alg (CMAC)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_ALG_FOR_TEST
+pk_copy_from_psa_success:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_CMAC
+
+Copy from PSA: non-exportable -> public, RSA
+depends_on:MBEDTLS_RSA_C
+pk_copy_public_from_psa:"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":PSA_KEY_TYPE_RSA_KEY_PAIR
+
+Copy from PSA: non-exportable -> public, SECP_R1_256
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1
+pk_copy_public_from_psa:"587CF7C57EB7C6254CBF80CC59846521B4FBCBA8BC4B362A9B043F0DEB49CCA1":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)
+
+Copy from PSA: non-exportable -> public, Curve25519
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519
+pk_copy_public_from_psa:"a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 881429c..10cd207 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1,12 +1,15 @@
/* BEGIN_HEADER */
#include "mbedtls/pk.h"
+#include "mbedtls/psa_util.h"
#include "pk_internal.h"
/* For error codes */
#include "mbedtls/asn1.h"
#include "mbedtls/base64.h"
#include "mbedtls/ecp.h"
+#include "mbedtls/error.h"
#include "mbedtls/rsa.h"
+#include "rsa_internal.h"
#include "pk_internal.h"
#include <limits.h>
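Review bot: `#include "mbedtls/psa_util.h"` is added in this hunk directly after `mbedtls/pk.h`, and the following hunk (`@@ -16,114 +19,453 @@`) adds the same header again where `md_psa.h` used to be. That hunk also adds `#include "pkwrite.h"` twice a few lines apart, and `pk_internal.h` already appears twice in this header block as context. The repeats are presumably harmless if the headers carry include guards, but each header should be listed once so the test's dependencies on internal headers (`pk_internal.h`, `rsa_internal.h`, `pkwrite.h`) stay easy to audit. I would drop the `psa_util.h` line added here in favour of the one next to `psa/crypto.h`, and keep only the `pkwrite.h` include under the `/* Needed for the definition of MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE. */` comment.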
@@ -16,114 +19,453 @@
* but the test code generator requires test case data to be valid C code
* unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */
#include "psa/crypto.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
-/* Used for properly sizing the key buffer in pk_genkey_ec() */
-#include "psa_util_internal.h"
+#include "pkwrite.h"
-#define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS
-#define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8)
+#include <test/psa_exercise_key.h>
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
-static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
-{
- psa_status_t status;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- size_t curve_bits;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp_id, &curve_bits);
- int ret;
+/* Needed for the definition of MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE. */
+#include "pkwrite.h"
- if (curve == 0) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
+#if defined(MBEDTLS_RSA_C) || \
+ defined(MBEDTLS_PK_RSA_ALT_SUPPORT) || \
+ defined(MBEDTLS_ECDSA_C) || \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+#define PK_CAN_SIGN_SOME
+#endif
- psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
- psa_set_key_bits(&key_attr, curve_bits);
- psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT |
- PSA_KEY_USAGE_SIGN_HASH |
- PSA_KEY_USAGE_SIGN_MESSAGE);
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- psa_set_key_algorithm(&key_attr, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH));
-#else
- psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
+/* MBEDTLS_TEST_PK_PSA_SIGN is enabled when:
+ * - The build has PK_[PARSE/WRITE]_C for RSA or ECDSA signature.
+ * - The build has built-in ECC and ECDSA signature.
+ */
+#if (defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \
+ (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN))) || \
+ (defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_CAN_ECDSA_SIGN))
+#define MBEDTLS_TEST_PK_PSA_SIGN
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+/* Pick an elliptic curve that's supported by PSA. Note that the curve is
+ * not guaranteed to be supported by the ECP module.
+ *
+ * This should always find a curve if ECC is enabled in the build, except in
+ * one edge case: in a build with MBEDTLS_PSA_CRYPTO_CONFIG disabled and
+ * where the only legacy curve is secp224k1, which is not supported in PSA,
+ * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY ends up enabled but PSA does not
+ * support any curve.
+ */
+
+/* First try all the curves that can do both ECDSA and ECDH, then try
+ * the ECDH-only curves. (There are no curves that can do ECDSA but not ECDH.)
+ * This way, if ECDSA is enabled then the curve that's selected here will
+ * be ECDSA-capable, and likewise for ECDH. */
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192R1
+#elif defined(PSA_WANT_ECC_SECP_R1_256)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256R1
+#elif defined(PSA_WANT_ECC_SECP_K1_192)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1
+#elif defined(PSA_WANT_ECC_SECP_K1_256)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1
+#elif defined(PSA_WANT_ECC_SECP_R1_224)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1
+#elif defined(PSA_WANT_ECC_SECP_R1_384)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP384R1
+#elif defined(PSA_WANT_ECC_SECP_R1_521)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 521
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP521R1
+#elif defined(PSA_WANT_ECC_SECP_K1_224)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224K1
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP256R1
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP384R1
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 512
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP512R1
+#elif defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 255
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE25519
+#elif defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 448
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE448
+#endif /* curve selection */
+
+#if defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY)
+#define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE
#endif
- status = psa_generate_key(&key_attr, &pk->priv_id);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+/* Pick a second curve, for tests that need two supported curves of the
+ * same size. For simplicity, we only handle a subset of configurations,
+ * and both curves will support both ECDH and ECDSA. */
+#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_K1_192)
+/* Identical redefinition of the ONE macros, to confirm that they have
+ * the values we expect here. */
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192
+#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) && \
+ !defined(PSA_WANT_ECC_SECP_R1_192)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256
+#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES
+#endif
+
+/* Pick a second bit-size, for tests that need two supported curves of the
+ * same family. For simplicity, we only handle a subset of configurations,
+ * and both curves will support both ECDH and ECDSA. */
+#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_R1_256)
+/* Identical redefinition of the ONE macros, to confirm that they have
+ * the values we expect here. */
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 256
+#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_R1_384)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 384
+#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS
+#endif
+
+#endif /* defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+/* Always define the macros so that we can use them in test data. */
+#if !defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY)
+#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0
+#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 0
+#define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0
+#endif
+#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY)
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0
+#endif
+#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS)
+#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 0
+#endif
+
+/* Get an available MD alg to be used in sign/verify tests. */
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA1
+#elif defined(PSA_WANT_ALG_SHA_224)
+#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA224
+#elif defined(MBEDTLS_MD_CAN_SHA256)
+#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA256
+#elif defined(PSA_WANT_ALG_SHA_384)
+#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA384
+#elif defined(MBEDTLS_MD_CAN_SHA512)
+#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA512
+#endif
+
+#include <../src/test_keys.h>
+
+/* Define an RSA key size we know it's present in predefined_key[] array. */
+#define RSA_KEY_SIZE 1024
+#define RSA_KEY_LEN (RSA_KEY_SIZE/8)
+
+static int get_predefined_key_data(int is_ec, int group_id_or_keybits,
+ const unsigned char **key, size_t *key_len,
+ const unsigned char **pub_key, size_t *pub_key_len)
+{
+ size_t i;
+ struct predefined_key_element *predefined_key = NULL;
+
+ for (i = 0; i < ARRAY_LENGTH(predefined_keys); i++) {
+ if (is_ec) {
+ if (group_id_or_keybits == predefined_keys[i].group_id) {
+ predefined_key = &predefined_keys[i];
+ }
+ } else if (group_id_or_keybits == predefined_keys[i].keybits) {
+ predefined_key = &predefined_keys[i];
+ }
}
- status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
- &pk->pub_raw_len);
- if (status != PSA_SUCCESS) {
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- goto exit;
+ if (predefined_key != NULL) {
+ *key = predefined_key->priv_key;
+ *key_len = predefined_key->priv_key_len;
+ if (pub_key != NULL) {
+ *pub_key = predefined_key->pub_key;
+ *pub_key_len = predefined_key->pub_key_len;
+ }
+ return 0;
}
- pk->ec_family = curve;
- pk->ec_bits = curve_bits;
+ TEST_FAIL("Unsupported key");
+ /* "exit" label is to make the compiler happy. */
+exit:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+}
- return 0;
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len,
+ psa_key_type_t type, psa_key_usage_t usage,
+ psa_algorithm_t alg, mbedtls_svc_key_id_t *key)
+{
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Note: psa_import_key() automatically determines the key's bit length
+ * from the provided key data. That's why psa_set_key_bits() is not used below. */
+ psa_set_key_usage_flags(&attributes, usage);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, type);
+ status = psa_import_key(&attributes, key_data, key_len, key);
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/** Setup the provided PK context.
+ *
+ * Predefined keys used for the setup are taken from "test/src/test_keys.h"
+ * which is automatically generated using "framework/scripts/generate_test_keys.py".
+ *
+ * \param pk The PK object to fill. It must have been initialized
+ * (mbedtls_pk_init()), but not setup (mbedtls_pk_setup()).
+ * \param pk_type mbedtls_pk_type_t to use in the PK context.
+ * \param curve_or_keybits - For RSA keys, the key size in bits.
+ * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx).
+ *
+ * \return 0 on success or a negative value otherwise.
+ */
+static int pk_setup(mbedtls_pk_context *pk, mbedtls_pk_type_t pk_type, int curve_or_keybits)
+{
+ const unsigned char *key_data = NULL;
+ const unsigned char *pub_key_data = NULL;
+ size_t key_data_len = 0;
+ size_t pub_key_data_len = 0;
+ int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+
+ TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0);
+
+ if (pk_type == MBEDTLS_PK_RSA) {
+#if defined(MBEDTLS_RSA_C)
+ TEST_EQUAL(get_predefined_key_data(0, curve_or_keybits, &key_data, &key_data_len,
+ NULL, 0), 0);
+ TEST_EQUAL(mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), key_data, key_data_len), 0);
+#else /* MBEDTLS_RSA_C */
+ TEST_FAIL("RSA keys not supported.");
+#endif /* MBEDTLS_RSA_C */
+ } else {
+ TEST_EQUAL(get_predefined_key_data(1, curve_or_keybits, &key_data, &key_data_len,
+ &pub_key_data, &pub_key_data_len), 0);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ pk->ec_family = mbedtls_ecc_group_to_psa(curve_or_keybits, &pk->ec_bits);
+ TEST_EQUAL(pk_psa_import_key(key_data, key_data_len,
+ PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family),
+ PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_COPY |
+ PSA_KEY_USAGE_EXPORT,
+ MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH),
+ &pk->priv_id), 0);
+ memcpy(pk->pub_raw, pub_key_data, pub_key_data_len);
+ pk->pub_raw_len = pub_key_data_len;
+#elif defined(MBEDTLS_ECP_C)
+ TEST_EQUAL(mbedtls_ecp_read_key(curve_or_keybits, mbedtls_pk_ec_rw(*pk),
+ key_data, key_data_len), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_rw(*pk)->grp),
+ &(mbedtls_pk_ec_rw(*pk)->Q),
+ pub_key_data, pub_key_data_len), 0);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
+ TEST_FAIL("EC keys not supported.");
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
+ }
+ /* Override pk_info. */
+ pk->pk_info = mbedtls_pk_info_from_type(pk_type);
+ ret = 0;
exit:
- status = psa_destroy_key(pk->priv_id);
- return (ret != 0) ? ret : psa_pk_status_to_mbedtls(status);
+ return ret;
}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-/** Generate a key of the desired type.
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+/** Create a PSA key of the desired type and properties.
*
- * \param pk The PK object to fill. It must have been initialized
- * with mbedtls_pk_setup().
- * \param parameter - For RSA keys, the key size in bits.
- * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx).
+ * - For RSA and EC keys predefined key data is used (as in the pk_setup() above).
+ * - Other key types (ex: DH) are generated at runtime.
*
- * \return The status from the underlying type-specific key
- * generation function.
- * \return -1 if the key type is not recognized.
+ * \param type PSA key type.
+ * \param bits PSA key bit size.
+ * \param usage PSA key usage flags.
+ * \param alg PSA key primary algorithm.
+ * \param enrollment_alg PSA key enrollment algorithm.
+ * \param persistent_key_id PSA key ID for persistent keys. Set to PSA_KEY_ID_NULL
+ * for volatile keys.
+ * \param[out] key Identifier of the "generated" (actually imported) PSA key.
*/
-static int pk_genkey(mbedtls_pk_context *pk, int parameter)
+psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits,
+ psa_key_usage_t usage, psa_algorithm_t alg,
+ psa_algorithm_t enrollment_alg,
+ mbedtls_svc_key_id_t persistent_key_id,
+ mbedtls_svc_key_id_t *key)
{
- ((void) pk);
- (void) parameter;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ const unsigned char *key_data = NULL;
+ size_t key_data_size = 0;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_set_key_usage_flags(&attributes, usage);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_enrollment_algorithm(&attributes, enrollment_alg);
+ psa_set_key_type(&attributes, type);
+ psa_set_key_bits(&attributes, bits);
+ if (!mbedtls_svc_key_id_is_null(persistent_key_id)) {
+ psa_set_key_id(&attributes, persistent_key_id);
+ }
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
- return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk),
- mbedtls_test_rnd_std_rand, NULL,
- parameter, 3);
+ /* For EC and RSA keys we use predefined keys in order to:
+ * - speed up testing and
+ * - ease requirements/dependencies on test cases.
+ * For other keys (ex: DH) psa_generate_key() is used instead. */
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ TEST_EQUAL(get_predefined_key_data(0, bits, &key_data, &key_data_size, NULL, 0), 0);
+ } else if (PSA_KEY_TYPE_IS_ECC(type)) {
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+ mbedtls_ecp_group_id grp_id;
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type), bits);
+ TEST_EQUAL(get_predefined_key_data(1, grp_id, &key_data, &key_data_size, NULL, 0), 0);
+#else /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+ TEST_FAIL("EC keys are not supported");
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+ } else {
+ return psa_generate_key(&attributes, key);
}
-#endif
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY ||
- mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH ||
- mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) {
- int ret;
-
-#if defined(MBEDTLS_ECP_C)
- ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, parameter);
- if (ret != 0) {
- return ret;
- }
- return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp,
- &mbedtls_pk_ec_rw(*pk)->d,
- &mbedtls_pk_ec_rw(*pk)->Q,
- mbedtls_test_rnd_std_rand, NULL);
-#endif /* MBEDTLS_ECP_C */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- ret = pk_genkey_ec(pk, parameter);
- if (ret != 0) {
- return ret;
+ status = psa_import_key(&attributes, key_data, key_data_size, key);
+
+exit:
+ return status;
+}
+
+static psa_key_usage_t pk_get_psa_attributes_implied_usage(
+ psa_key_usage_t expected_usage)
+{
+ /* Usage implied universally */
+ if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) {
+ expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE;
+ }
+ if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+ /* Usage implied by mbedtls_pk_get_psa_attributes() */
+ if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_HASH;
+ }
+ if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+ if (expected_usage & PSA_KEY_USAGE_DECRYPT) {
+ expected_usage |= PSA_KEY_USAGE_ENCRYPT;
+ }
+ expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+ return expected_usage;
+}
+
+#define RSA_WRITE_PUBKEY_MAX_SIZE \
+ PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
+#define ECP_WRITE_PUBKEY_MAX_SIZE \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+static int pk_public_same(const mbedtls_pk_context *pk1,
+ const mbedtls_pk_context *pk2)
+{
+ int ok = 0;
+
+ mbedtls_pk_type_t type = mbedtls_pk_get_type(pk1);
+ TEST_EQUAL(type, mbedtls_pk_get_type(pk2));
+
+ switch (type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ const mbedtls_rsa_context *rsa1 = mbedtls_pk_rsa(*pk1);
+ const mbedtls_rsa_context *rsa2 = mbedtls_pk_rsa(*pk2);
+ TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa1),
+ mbedtls_rsa_get_padding_mode(rsa2));
+ TEST_EQUAL(mbedtls_rsa_get_md_alg(rsa1),
+ mbedtls_rsa_get_md_alg(rsa2));
+ unsigned char buf1[RSA_WRITE_PUBKEY_MAX_SIZE];
+ unsigned char *p1 = buf1 + sizeof(buf1);
+ int len1 = mbedtls_rsa_write_pubkey(rsa1, buf1, &p1);
+ TEST_LE_U(0, len1);
+ unsigned char buf2[RSA_WRITE_PUBKEY_MAX_SIZE];
+ unsigned char *p2 = buf2 + sizeof(buf2);
+ int len2 = mbedtls_rsa_write_pubkey(rsa2, buf2, &p2);
+ TEST_LE_U(0, len2);
+ TEST_MEMORY_COMPARE(p1, len1, p2, len2);
+ break;
}
+#endif /* MBEDTLS_RSA_C */
- return 0;
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ TEST_MEMORY_COMPARE(pk1->pub_raw, pk1->pub_raw_len,
+ pk2->pub_raw, pk2->pub_raw_len);
+ TEST_EQUAL(pk1->ec_family, pk2->ec_family);
+ TEST_EQUAL(pk1->ec_bits, pk2->ec_bits);
+
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ const mbedtls_ecp_keypair *ec1 = mbedtls_pk_ec_ro(*pk1);
+ const mbedtls_ecp_keypair *ec2 = mbedtls_pk_ec_ro(*pk2);
+ TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(ec1),
+ mbedtls_ecp_keypair_get_group_id(ec2));
+ unsigned char buf1[ECP_WRITE_PUBKEY_MAX_SIZE];
+ size_t len1 = 99999991;
+ TEST_EQUAL(mbedtls_ecp_write_public_key(
+ ec1, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len1, buf1, sizeof(buf1)), 0);
+ unsigned char buf2[ECP_WRITE_PUBKEY_MAX_SIZE];
+ size_t len2 = 99999992;
+ TEST_EQUAL(mbedtls_ecp_write_public_key(
+ ec2, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len2, buf2, sizeof(buf2)), 0);
+ TEST_MEMORY_COMPARE(buf1, len1, buf2, len2);
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+ break;
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ default:
+ TEST_FAIL("Unsupported pk type in pk_public_same");
}
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- return -1;
+
+ ok = 1;
+
+exit:
+ return ok;
}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
@@ -151,52 +493,150 @@ size_t mbedtls_rsa_key_len_func(void *ctx)
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+typedef enum {
+ /* The values are compatible with thinking of "from pair" as a boolean. */
+ FROM_PUBLIC = 0,
+ FROM_PAIR = 1
+} from_pair_t;
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair,
+ mbedtls_pk_context *pk, psa_key_type_t *psa_type)
+{
+ if (pk_type == MBEDTLS_PK_NONE) {
+ return 0;
+ }
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR;
+ TEST_EQUAL(pk_setup(pk, pk_type, RSA_KEY_SIZE), 0);
+ if (!want_pair) {
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ mbedtls_mpi_free(&rsa->D);
+ mbedtls_mpi_free(&rsa->P);
+ mbedtls_mpi_free(&rsa->Q);
+ }
+ break;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ mbedtls_ecp_group_id grp_id = MBEDTLS_TEST_ECP_DP_ONE_CURVE;
+ size_t bits;
+ *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits));
+ TEST_EQUAL(pk_setup(pk, pk_type, grp_id), 0);
+ if (!want_pair) {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t pub_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&pub_attributes,
+ PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type));
+ psa_set_key_usage_flags(&pub_attributes,
+ PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_COPY |
+ PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&pub_attributes, PSA_ALG_ECDSA_ANY);
+ PSA_ASSERT(psa_destroy_key(pk->priv_id));
+ pk->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ mbedtls_mpi_free(&ec->d);
+#endif
+ }
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ default:
+ TEST_FAIL("Unknown PK type in test data");
+ break;
+ }
+
+ if (!want_pair) {
+ *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type);
+ }
+ return 0;
-/*
- * Generate an ECC key using PSA and return the key identifier of that key,
- * or 0 if the key generation failed.
- * The key uses NIST P-256 and is usable for signing with SHA-256.
+exit:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+/* Create a new PSA key which will contain only the public part of the private
+ * key which is provided in input. For this new key:
+ * - Type is the public counterpart of the private key.
+ * - Usage is the copied from the original private key, but the PSA_KEY_USAGE_EXPORT
+ * flag is removed. This is to prove that mbedtls_pk_copy_from_psa() doesn't
+ * require the key to have the EXPORT flag.
+ * - Algorithm is copied from the original key pair.
*/
-mbedtls_svc_key_id_t pk_psa_genkey_ecc(void)
+static mbedtls_svc_key_id_t psa_pub_key_from_priv(mbedtls_svc_key_id_t priv_id)
{
- mbedtls_svc_key_id_t key;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- const psa_key_type_t type =
- PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
- const size_t bits = 256;
+ psa_key_type_t type;
+ psa_algorithm_t alg;
+ psa_key_usage_t usage;
+ unsigned char pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ size_t pub_key_len;
+ mbedtls_svc_key_id_t pub_key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Get attributes from the private key. */
+ PSA_ASSERT(psa_get_key_attributes(priv_id, &attributes));
+ type = psa_get_key_type(&attributes);
+ usage = psa_get_key_usage_flags(&attributes);
+ alg = psa_get_key_algorithm(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ /* Export the public key and then import it in a new slot. */
+ PSA_ASSERT(psa_export_public_key(priv_id, pub_key_buf, sizeof(pub_key_buf), &pub_key_len));
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+ /* Notes:
+ * - psa_import_key() automatically determines the key's bit length
+ * from the provided key data. That's why psa_set_key_bits() is not used
+ * below.
+ */
+ type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type);
+ usage &= ~PSA_KEY_USAGE_EXPORT;
psa_set_key_type(&attributes, type);
- psa_set_key_bits(&attributes, bits);
- PSA_ASSERT(psa_generate_key(&attributes, &key));
+ psa_set_key_usage_flags(&attributes, usage);
+ psa_set_key_algorithm(&attributes, alg);
+
+ PSA_ASSERT(psa_import_key(&attributes, pub_key_buf, pub_key_len, &pub_key));
exit:
- return key;
+ psa_reset_key_attributes(&attributes);
+ return pub_key;
}
-/*
- * Generate an RSA key using PSA and return the key identifier of that key,
- * or 0 if the key generation failed.
- */
-mbedtls_svc_key_id_t pk_psa_genkey_rsa(void)
+/* Create a copy of a PSA key with same usage and algorithm policy and destroy
+ * the original one. */
+mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id)
{
- mbedtls_svc_key_id_t key;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- const psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR;
- const size_t bits = 1024;
+ psa_key_attributes_t orig_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t new_attr = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_SIGN_RAW);
- psa_set_key_type(&attributes, type);
- psa_set_key_bits(&attributes, bits);
- PSA_ASSERT(psa_generate_key(&attributes, &key));
+ PSA_ASSERT(psa_get_key_attributes(orig_key_id, &orig_attr));
+ psa_set_key_usage_flags(&new_attr, psa_get_key_usage_flags(&orig_attr));
+ psa_set_key_algorithm(&new_attr, psa_get_key_algorithm(&orig_attr));
+
+ PSA_ASSERT(psa_copy_key(orig_key_id, &new_attr, &new_key_id));
+ psa_destroy_key(orig_key_id);
exit:
- return key;
+ psa_reset_key_attributes(&orig_attr);
+ psa_reset_key_attributes(&new_attr);
+ return new_key_id;
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
/* END_HEADER */
/* BEGIN_DEPENDENCIES
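Review bot: In psa_copy_and_destroy() the result of `psa_destroy_key(orig_key_id)` is discarded, so a failed destroy leaves the original key in the key store while the helper still returns a valid copy. `PSA_ASSERT(psa_destroy_key(orig_key_id));` would surface that, matching what pk_setup_for_type() already does for `pk->priv_id`. Separately, in pk_setup_for_type() the `pub_attributes` built in the `MBEDTLS_PK_USE_PSA_EC_DATA` branch is never passed to any call visible in this hunk. It looks like leftover code and can probably be removed.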
@@ -208,7 +648,7 @@ exit:
void pk_psa_utils(int key_is_rsa)
{
mbedtls_pk_context pk, pk2;
- mbedtls_svc_key_id_t key;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const char * const name = "Opaque";
@@ -230,11 +670,15 @@ void pk_psa_utils(int key_is_rsa)
mbedtls_pk_init(&pk);
if (key_is_rsa) {
- bitlen = 1024; /* hardcoded in genkey() */
- key = pk_psa_genkey_rsa();
+ bitlen = 1024;
+ PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_RSA_KEY_PAIR, 1024, PSA_KEY_USAGE_SIGN_HASH,
+ PSA_ALG_RSA_PKCS1V15_SIGN_RAW, PSA_ALG_NONE,
+ MBEDTLS_SVC_KEY_ID_INIT, &key));
} else {
- bitlen = 256; /* hardcoded in genkey() */
- key = pk_psa_genkey_ecc();
+ bitlen = 256;
+ PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256,
+ PSA_KEY_USAGE_SIGN_HASH, PSA_ALG_ECDSA(PSA_ALG_SHA_256),
+ PSA_ALG_NONE, MBEDTLS_SVC_KEY_ID_INIT, &key));
}
if (mbedtls_svc_key_id_is_null(key)) {
goto exit;
@@ -246,7 +690,7 @@ void pk_psa_utils(int key_is_rsa)
TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0);
TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == bitlen);
- TEST_ASSERT(mbedtls_pk_get_len(&pk) == bitlen / 8);
+ TEST_ASSERT(mbedtls_pk_get_len(&pk) == (bitlen + 7) / 8);
if (key_is_rsa) {
TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 0);
@@ -308,7 +752,7 @@ exit:
/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
- int key_alg2, int parameter, int alg_check, int usage_check,
+ int key_alg2, int curve_or_keybits, int alg_check, int usage_check,
int result)
{
mbedtls_pk_context pk;
@@ -319,16 +763,8 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
USE_PSA_INIT();
if (opaque_key == 1) {
- psa_set_key_usage_flags(&attributes, key_usage);
- psa_set_key_algorithm(&attributes, key_alg);
- if (key_alg2 != 0) {
- psa_set_key_enrollment_algorithm(&attributes, key_alg2);
- }
- psa_set_key_type(&attributes, key_type);
- psa_set_key_bits(&attributes, parameter);
-
- PSA_ASSERT(psa_generate_key(&attributes, &key));
-
+ PSA_ASSERT(pk_psa_setup(key_type, curve_or_keybits, key_usage,
+ key_alg, key_alg2, MBEDTLS_SVC_KEY_ID_INIT, &key));
if (mbedtls_svc_key_id_is_null(key)) {
goto exit;
}
@@ -337,9 +773,7 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
TEST_EQUAL(mbedtls_pk_get_type(&pk), MBEDTLS_PK_OPAQUE);
} else {
- TEST_EQUAL(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(key_type)), 0);
- TEST_EQUAL(pk_genkey(&pk, parameter), 0);
+ TEST_EQUAL(pk_setup(&pk, key_type, curve_or_keybits), 0);
TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type);
}
@@ -396,6 +830,16 @@ void pk_invalid_param()
buf, buf_size, &buf_size,
NULL, NULL,
NULL));
+ TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_NONE,
+ NULL, buf_size,
+ buf, buf_size, &buf_size,
+ NULL, NULL));
+ TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+ mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_SHA256,
+ NULL, 0,
+ buf, buf_size, &buf_size,
+ NULL, NULL));
exit:
mbedtls_pk_free(&ctx);
USE_PSA_DONE();
@@ -432,14 +876,6 @@ void valid_parameters()
NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
- TEST_ASSERT(mbedtls_pk_sign_restartable(&pk,
- MBEDTLS_MD_NONE,
- NULL, 0,
- buf, sizeof(buf), &len,
- mbedtls_test_rnd_std_rand, NULL,
- NULL) ==
- MBEDTLS_ERR_PK_BAD_INPUT_DATA);
-
TEST_ASSERT(mbedtls_pk_sign(&pk,
MBEDTLS_MD_NONE,
NULL, 0,
@@ -447,6 +883,13 @@ void valid_parameters()
mbedtls_test_rnd_std_rand, NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_ASSERT(mbedtls_pk_sign_ext(MBEDTLS_PK_NONE, &pk,
+ MBEDTLS_MD_NONE,
+ NULL, 0,
+ buf, sizeof(buf), &len,
+ mbedtls_test_rnd_std_rand, NULL) ==
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
TEST_ASSERT(mbedtls_pk_verify_restartable(&pk,
MBEDTLS_MD_NONE,
NULL, 0,
@@ -491,7 +934,7 @@ void valid_parameters()
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C:MBEDTLS_PK_PARSE_C */
void valid_parameters_pkwrite(data_t *key_data)
{
mbedtls_pk_context pk;
@@ -525,15 +968,14 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
-void pk_utils(int type, int parameter, int bitlen, int len, char *name)
+void pk_utils(int type, int curve_or_keybits, int bitlen, int len, char *name)
{
mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
USE_PSA_INIT();
- TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
- TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
+ TEST_ASSERT(pk_setup(&pk, type, curve_or_keybits) == 0);
TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type);
TEST_ASSERT(mbedtls_pk_can_do(&pk, type));
@@ -553,6 +995,8 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
mbedtls_pk_context pub, prv, alt;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ int is_ec_key = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub);
@@ -589,12 +1033,22 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
}
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
- PSA_ALG_ANY_HASH,
- PSA_KEY_USAGE_EXPORT, 0), 0);
+ is_ec_key = (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY);
+ /* Turn the prv PK context into an opaque one.*/
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH,
+ &opaque_key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&prv);
+ mbedtls_pk_init(&prv);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0);
+ /* Test check_pair() between the opaque key we just created and the public PK counterpart.
+ * Note: opaque EC keys support check_pair(), whereas RSA ones do not. */
+ if (is_ec_key) {
TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
NULL), ret);
+ } else {
+ TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
+ NULL), MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
}
#endif
@@ -610,9 +1064,9 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod,
- char *input_N, char *input_E,
- data_t *result_str, int result)
+void pk_rsa_verify_test_vec(data_t *message_str, int padding, int digest,
+ int mod, char *input_N, char *input_E,
+ data_t *result_str, int expected_result)
{
mbedtls_rsa_context *rsa;
mbedtls_pk_context pk;
@@ -627,28 +1081,54 @@ void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod,
#endif
mbedtls_pk_init(&pk);
- USE_PSA_INIT();
+ MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
- rsa->len = mod / 8;
+ rsa->len = (mod + 7) / 8;
+ if (padding >= 0) {
+ TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_NONE), 0);
+ }
+
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
- TEST_ASSERT(mbedtls_pk_verify(&pk, digest, message_str->x, 0,
- result_str->x, mbedtls_pk_get_len(&pk)) == result);
+ int actual_result;
+ actual_result = mbedtls_pk_verify(&pk, digest, message_str->x, 0,
+ result_str->x, mbedtls_pk_get_len(&pk));
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING &&
+ expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) {
+ /* Tolerate INVALID_PADDING error for an invalid signature with
+ * the legacy API (but not with PSA). */
+ } else
+#endif
+ {
+ TEST_EQUAL(actual_result, expected_result);
+ }
- TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0,
- result_str->x, mbedtls_pk_get_len(
- &pk), rs_ctx) == result);
+ actual_result = mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0,
+ result_str->x,
+ mbedtls_pk_get_len(&pk),
+ rs_ctx);
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING &&
+ expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) {
+ /* Tolerate INVALID_PADDING error for an invalid signature with
+ * the legacy API (but not with PSA). */
+ } else
+#endif
+ {
+ TEST_EQUAL(actual_result, expected_result);
+ }
exit:
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
mbedtls_pk_restart_free(rs_ctx);
#endif
mbedtls_pk_free(&pk);
- USE_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
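Review bot: The tolerance for `MBEDTLS_ERR_RSA_INVALID_PADDING` is written twice as an empty `if` body whose `else` is closed by `#endif` before the braced `TEST_EQUAL`, a shape that is easy to break when either copy is edited. Normalising the tolerated code to the expected one inside the `#if` and then calling `TEST_EQUAL` unconditionally keeps the same pass/fail behaviour with one straight-line check. The same shape applies to the `mbedtls_pk_verify_restartable()` result. A one-line comment on `if (padding >= 0)` stating that a negative value leaves the context's current padding untouched would also help readers of the test data.

```c
    /* … unchanged: mbedtls_pk_verify() call storing actual_result … */
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
    /* The legacy API may report INVALID_PADDING for an invalid signature;
     * treat it as the expected VERIFY_FAILED (not tolerated with PSA). */
    if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING &&
        expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) {
        actual_result = MBEDTLS_ERR_RSA_VERIFY_FAILED;
    }
#endif
    TEST_EQUAL(actual_result, expected_result);
    /* … unchanged: mbedtls_pk_verify_restartable() call, then the same check … */
```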
@@ -672,7 +1152,7 @@ void pk_rsa_verify_ext_test_vec(data_t *message_str, int digest,
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
- rsa->len = mod / 8;
+ rsa->len = (mod + 7) / 8;
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
@@ -836,8 +1316,9 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */
-void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret)
+/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:PK_CAN_SIGN_SOME */
+void pk_sign_verify(int type, int curve_or_keybits, int rsa_padding, int rsa_md_alg,
+ int sign_ret, int verify_ret)
{
mbedtls_pk_context pk;
size_t sig_len;
@@ -862,8 +1343,16 @@ void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret)
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
- TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
- TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
+ TEST_ASSERT(pk_setup(&pk, type, curve_or_keybits) == 0);
+
+#if defined(MBEDTLS_RSA_C)
+ if (type == MBEDTLS_PK_RSA) {
+ TEST_ASSERT(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, rsa_md_alg) == 0);
+ }
+#else
+ (void) rsa_padding;
+ (void) rsa_md_alg;
+#endif /* MBEDTLS_RSA_C */
TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256,
hash, hash_len,
@@ -926,7 +1415,7 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
+void pk_rsa_encrypt_decrypt_test(data_t *message, int mod, int padding,
char *input_P, char *input_Q,
char *input_N, char *input_E,
int ret)
@@ -941,7 +1430,7 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
mbedtls_pk_init(&pk);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
- USE_PSA_INIT();
+ MD_OR_USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
memset(output, 0, sizeof(output));
@@ -951,9 +1440,10 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
/* init pk-rsa context */
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
+ mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1);
/* load public key */
- rsa->len = mod / 8;
+ rsa->len = (mod + 7) / 8;
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
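Review bot: The return value of `mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1)` is dropped here and again in the second context set-up of this function (the `@@ -970,6 +1460,7 @@` hunk), although other tests in this commit wrap the same call in `TEST_EQUAL(..., 0)`. If the call rejects the padding value or the hash, the test carries on with whatever padding the context already had and can pass or fail for the wrong reason. Use `TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1), 0);` in both places. The function body starts and ends outside these hunks.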
@@ -970,6 +1460,7 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
rsa = mbedtls_pk_rsa(pk);
+ mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1);
/* load public key */
TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
@@ -979,9 +1470,12 @@ void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8);
TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0);
+ TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8);
+ TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
+
memset(result, 0, sizeof(result));
rlen = 0;
TEST_ASSERT(mbedtls_pk_decrypt(&pk, output, olen,
@@ -996,12 +1490,12 @@ exit:
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
mbedtls_pk_free(&pk);
- USE_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_decrypt_test_vec(data_t *cipher, int mod,
+void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, int padding, int md_alg,
char *input_P, char *input_Q,
char *input_N, char *input_E,
data_t *clear, int ret)
@@ -1016,7 +1510,7 @@ void pk_rsa_decrypt_test_vec(data_t *cipher, int mod,
mbedtls_pk_init(&pk);
mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
- USE_PSA_INIT();
+ MD_OR_USE_PSA_INIT();
memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info));
@@ -1032,9 +1526,17 @@ void pk_rsa_decrypt_test_vec(data_t *cipher, int mod,
TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8);
TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0);
+ TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
+ TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8);
+
+ /* set padding mode */
+ if (padding >= 0) {
+ TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, md_alg), 0);
+ }
+
/* decryption test */
memset(output, 0, sizeof(output));
olen = 0;
@@ -1050,7 +1552,7 @@ exit:
mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
mbedtls_pk_free(&pk);
- USE_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
@@ -1058,6 +1560,7 @@ exit:
void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
char *input_P, char *input_Q,
char *input_N, char *input_E,
+ int padding_mode,
data_t *clear, int ret)
{
unsigned char output[256];
@@ -1065,7 +1568,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
mbedtls_mpi N, P, Q, E;
mbedtls_rsa_context *rsa;
mbedtls_pk_context pk;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t olen;
mbedtls_pk_init(&pk);
@@ -1088,14 +1592,22 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
TEST_EQUAL(mbedtls_test_read_mpi(&P, input_P), 0);
TEST_EQUAL(mbedtls_test_read_mpi(&Q, input_Q), 0);
TEST_EQUAL(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E), 0);
- TEST_EQUAL(mbedtls_rsa_get_len(rsa), (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8);
TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
+ /* Set padding mode */
+ if (padding_mode == MBEDTLS_RSA_PKCS_V21) {
+ TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding_mode, MBEDTLS_MD_SHA1), 0);
+ }
+
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id,
- PSA_ALG_RSA_PKCS1V15_CRYPT,
- PSA_KEY_USAGE_DECRYPT,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
+
+ TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
/* decryption test */
memset(output, 0, sizeof(output));
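Review bot: The new `padding_mode` argument is only acted on when it equals `MBEDTLS_RSA_PKCS_V21`, and any other value is silently ignored, whereas pk_rsa_decrypt_test_vec in this commit uses `if (padding >= 0)` and takes the hash as a parameter. A mistyped padding value in the test data would run against whatever padding the freshly set-up context has, and the algorithm chosen by `mbedtls_pk_get_psa_attributes()` presumably follows that. Consider adding `else { TEST_EQUAL(padding_mode, MBEDTLS_RSA_PKCS_V15); }` and a short comment saying why `MBEDTLS_MD_SHA1` is fixed here. The function's start and its exit cleanup are outside the hunk, so whether `key_attr` is reset and `key_id` destroyed cannot be checked from here.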
@@ -1164,22 +1676,31 @@ void pk_rsa_overflow()
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
- TEST_ASSERT(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
+ TEST_EQUAL(mbedtls_pk_setup(&pk,
+ mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0);
#if defined(MBEDTLS_PKCS1_V21)
- TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
- MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len) ==
- MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_EQUAL(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
+ MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
#endif /* MBEDTLS_PKCS1_V21 */
- TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len,
- sig, sig_len) == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_EQUAL(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len,
+ sig, sig_len),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
- TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
- sig, sizeof(sig), &sig_len,
- mbedtls_test_rnd_std_rand, NULL)
- == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+#if defined(MBEDTLS_PKCS1_V21)
+ TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk,
+ MBEDTLS_MD_NONE, hash, hash_len,
+ sig, sizeof(sig), &sig_len,
+ mbedtls_test_rnd_std_rand, NULL),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+#endif /* MBEDTLS_PKCS1_V21 */
+
+ TEST_EQUAL(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
+ sig, sizeof(sig), &sig_len,
+ mbedtls_test_rnd_std_rand, NULL),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
exit:
mbedtls_pk_free(&pk);
@@ -1215,9 +1736,7 @@ void pk_rsa_alt()
memset(test, 0, sizeof(test));
/* Initialize PK RSA context with random key */
- TEST_ASSERT(mbedtls_pk_setup(&rsa,
- mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
- TEST_ASSERT(pk_genkey(&rsa, RSA_KEY_SIZE) == 0);
+ TEST_ASSERT(pk_setup(&rsa, MBEDTLS_PK_RSA, RSA_KEY_SIZE) == 0);
/* Extract key to the raw rsa context */
TEST_ASSERT(mbedtls_rsa_copy(&raw, mbedtls_pk_rsa(rsa)) == 0);
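Review bot: The context comment `/* Initialize PK RSA context with random key */` is no longer accurate. According to its doc comment in this commit, pk_setup() fills the context from the predefined keys in test_keys.h instead of generating one. Change it to `/* Initialize PK RSA context with a predefined test key */` so readers do not assume the key is fresh on each run. The body of pk_rsa_alt extends beyond this hunk.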
@@ -1234,6 +1753,17 @@ void pk_rsa_alt()
TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT);
TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0);
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&alt,
+ PSA_KEY_USAGE_ENCRYPT,
+ &attributes),
+ MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&alt, &attributes, &key_id),
+ MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
/* Test signature */
#if SIZE_MAX > UINT_MAX
TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
@@ -1274,154 +1804,163 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO */
-void pk_psa_sign(int parameter_arg,
- int psa_type_arg, int expected_bits_arg)
+/* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */
+void pk_psa_sign(int psa_type, int bits, int rsa_padding)
{
mbedtls_pk_context pk;
unsigned char hash[32];
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
- unsigned char pkey_legacy[200];
- unsigned char pkey_psa[200];
- unsigned char *pkey_legacy_start, *pkey_psa_start;
- psa_algorithm_t alg_psa;
- size_t sig_len, klen_legacy, klen_psa;
- int ret;
- mbedtls_svc_key_id_t key_id;
+ unsigned char legacy_pub_key[MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE];
+ unsigned char opaque_pub_key[MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE];
+ size_t sig_len, legacy_pub_key_len, opaque_pub_key_len;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t expected_type = psa_type_arg;
- size_t expected_bits = expected_bits_arg;
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_WRITE_C)
+ int ret;
+#endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE;
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
/*
- * This tests making signatures with a wrapped PSA key:
- * - generate a fresh ECP/RSA legacy PK context
- * - wrap it in a PK context and make a signature this way
- * - extract the public key
- * - parse it to a PK context and verify the signature this way
+ * Following checks are perfomed:
+ * - create an RSA/EC opaque context;
+ * - sign with opaque context for both EC and RSA keys;
+ * - [EC only] verify with opaque context;
+ * - verify that public keys of opaque and non-opaque contexts match;
+ * - verify with non-opaque context.
*/
mbedtls_pk_init(&pk);
USE_PSA_INIT();
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
- if (PSA_KEY_TYPE_IS_RSA(psa_type_arg)) {
- /* Create legacy RSA public/private key in PK context. */
- TEST_ASSERT(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
- TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
- mbedtls_test_rnd_std_rand, NULL,
- parameter_arg, 3) == 0);
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
- } else
-#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
+ /* Create the legacy EC/RSA PK context. */
+#if defined(MBEDTLS_RSA_C)
+ if (PSA_KEY_TYPE_IS_RSA(psa_type)) {
+ TEST_EQUAL(pk_setup(&pk, MBEDTLS_PK_RSA, bits), 0);
+ TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, MBEDTLS_MD_NONE), 0);
+ }
+#else /* MBEDTLS_RSA_C */
+ (void) rsa_padding;
+#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
- mbedtls_ecp_group_id grpid = parameter_arg;
-
- /* Create legacy EC public/private key in PK context. */
- TEST_ASSERT(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
- TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
-
- alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
- } else
-#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
- {
- (void) parameter_arg;
- TEST_ASSUME(!"Opaque PK key not supported in this configuration");
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
+ ecp_grp_id = mbedtls_ecc_group_from_psa(psa_type, bits);
+ TEST_ASSERT(pk_setup(&pk, MBEDTLS_PK_ECKEY, ecp_grp_id) == 0);
}
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
- /* Export underlying public key for re-importing in a legacy context. */
-#if defined(MBEDTLS_PK_WRITE_C)
- ret = mbedtls_pk_write_pubkey_der(&pk, pkey_legacy,
- sizeof(pkey_legacy));
+ /* Export public key from the non-opaque PK context we just created. */
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C)
+ ret = mbedtls_pk_write_pubkey_der(&pk, legacy_pub_key, sizeof(legacy_pub_key));
TEST_ASSERT(ret >= 0);
- klen_legacy = (size_t) ret;
- /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
- pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy;
-#else
- ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp),
- &(mbedtls_pk_ec_ro(pk)->Q),
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &klen_legacy, pkey_legacy,
- sizeof(pkey_legacy));
- TEST_EQUAL(ret, 0);
- pkey_legacy_start = pkey_legacy;
-#endif /* MBEDTLS_PK_WRITE_C */
+ legacy_pub_key_len = (size_t) ret;
+ /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer so we
+ * shift data back to the beginning of the buffer. */
+ memmove(legacy_pub_key,
+ legacy_pub_key + sizeof(legacy_pub_key) - legacy_pub_key_len,
+ legacy_pub_key_len);
+#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
+ TEST_EQUAL(mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp),
+ &(mbedtls_pk_ec_ro(pk)->Q),
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &legacy_pub_key_len, legacy_pub_key,
+ sizeof(legacy_pub_key)), 0);
+ }
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_RSA_C)
+ if (PSA_KEY_TYPE_IS_RSA(psa_type)) {
+ unsigned char *end = legacy_pub_key + sizeof(legacy_pub_key);
+ ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(pk), legacy_pub_key, &end);
+ legacy_pub_key_len = (size_t) ret;
+ TEST_ASSERT(legacy_pub_key_len > 0);
+ /* mbedtls_rsa_write_pubkey() writes data backward in the buffer so
+ * we shift that to the origin of the buffer instead. */
+ memmove(legacy_pub_key, end, legacy_pub_key_len);
+ }
+#endif /* MBEDTLS_RSA_C */
+#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
- /* Turn PK context into an opaque one. */
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ /* Turn the PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
- TEST_EQUAL(psa_get_key_type(&attributes), expected_type);
- TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
- TEST_EQUAL(psa_get_key_lifetime(&attributes),
- PSA_KEY_LIFETIME_VOLATILE);
+ TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes), (size_t) bits);
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE);
+ /* Sign with the opaque context. */
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
-
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256,
hash, sizeof(hash), sig, sizeof(sig), &sig_len,
NULL, NULL) == 0);
/* Only opaque EC keys support verification. */
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
hash, sizeof(hash), sig, sig_len) == 0);
}
- /* Export underlying public key for re-importing in a psa context. */
-#if defined(MBEDTLS_PK_WRITE_C)
- ret = mbedtls_pk_write_pubkey_der(&pk, pkey_psa,
- sizeof(pkey_psa));
+ /* Export public key from the opaque PK context. */
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C)
+ ret = mbedtls_pk_write_pubkey_der(&pk, opaque_pub_key, sizeof(opaque_pub_key));
TEST_ASSERT(ret >= 0);
- klen_psa = (size_t) ret;
+ opaque_pub_key_len = (size_t) ret;
/* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
- pkey_psa_start = pkey_psa + sizeof(pkey_psa) - klen_psa;
-#else
- psa_status_t status;
-
- status = psa_export_public_key(key_id, pkey_psa, sizeof(pkey_psa),
- &klen_psa);
- TEST_EQUAL(status, PSA_SUCCESS);
- pkey_psa_start = pkey_psa;
-#endif /* MBEDTLS_PK_WRITE_C */
-
- TEST_ASSERT(klen_psa == klen_legacy);
- TEST_ASSERT(memcmp(pkey_psa_start, pkey_legacy_start, klen_psa) == 0);
-
+ memmove(opaque_pub_key,
+ opaque_pub_key + sizeof(opaque_pub_key) - opaque_pub_key_len,
+ opaque_pub_key_len);
+#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
+ TEST_EQUAL(psa_export_public_key(key_id, opaque_pub_key, sizeof(opaque_pub_key),
+ &opaque_pub_key_len), PSA_SUCCESS);
+#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
+
+ /* Check that the public keys of opaque and non-opaque PK contexts match. */
+ TEST_EQUAL(opaque_pub_key_len, legacy_pub_key_len);
+ TEST_MEMORY_COMPARE(opaque_pub_key, opaque_pub_key_len, legacy_pub_key, legacy_pub_key_len);
+
+ /* Destroy the opaque PK context and the wrapped PSA key. */
mbedtls_pk_free(&pk);
TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key_id));
+ /* Create a new non-opaque PK context to verify the signature. */
mbedtls_pk_init(&pk);
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C)
+ TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, legacy_pub_key, legacy_pub_key_len), 0);
+#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
+ TEST_EQUAL(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0);
+ TEST_EQUAL(mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(pk)->grp), ecp_grp_id), 0);
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp),
+ &(mbedtls_pk_ec_rw(pk)->Q),
+ legacy_pub_key, legacy_pub_key_len), 0);
+ }
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_RSA_C)
+ if (PSA_KEY_TYPE_IS_RSA(psa_type)) {
+ TEST_EQUAL(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0);
+ TEST_EQUAL(mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(pk), legacy_pub_key,
+ legacy_pub_key_len), 0);
+ }
+#endif /* MBEDTLS_RSA_C */
+#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */
- /* If we used "pk_write" previously, then we go for a "pk_parse" here;
- * otherwise if we went for "ecp_point_write_binary" then we'll go
- * for a "ecp_point_read_binary" here. This allows to drop dependencies
- * on "PK_WRITE" and "PK_PARSE" if required */
-#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_PARSE_C)
- TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start,
- klen_legacy), 0);
-#else
- TEST_EQUAL(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0);
- TEST_EQUAL(mbedtls_ecp_group_load(
- &(mbedtls_pk_ec_rw(pk)->grp),
- (mbedtls_ecp_group_id) parameter_arg), 0);
- TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp),
- &(mbedtls_pk_ec_rw(pk)->Q),
- pkey_legacy_start, klen_legacy), 0);
-#endif
+#if defined(MBEDTLS_RSA_C)
+ if (PSA_KEY_TYPE_IS_RSA(psa_type)) {
+ TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, MBEDTLS_MD_NONE), 0);
+ }
+#endif /* MBEDTLS_RSA_C */
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
hash, sizeof(hash), sig, sig_len) == 0);
exit:
- /*
- * Key attributes may have been returned by psa_get_key_attributes()
- * thus reset them as required.
- */
psa_reset_key_attributes(&attributes);
mbedtls_pk_free(&pk);
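Review bot: In the RSA fallback branch of `pk_psa_sign` (the `#else` of `MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C`), the result of `mbedtls_rsa_write_pubkey()` is cast to `size_t` before it is checked. A negative error code then becomes a very large length that passes `TEST_ASSERT(legacy_pub_key_len > 0)` and is used as the `memmove` size on the 'legacy_pub_key' buffer. The `mbedtls_pk_write_pubkey_der()` path in the same hunk checks the signed value first, and this branch should do the same: `TEST_ASSERT(ret > 0);` followed by `legacy_pub_key_len = (size_t) ret;`. Separately, the new block comment has a typo, `perfomed`.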
@@ -1429,14 +1968,13 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_GENPRIME */
-void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
+/* BEGIN_CASE */
+void pk_sign_ext(int pk_type, int curve_or_keybits, int key_pk_type, int md_alg)
{
- /* See the description of pk_genkey() for the description of the `parameter` argument. */
mbedtls_pk_context pk;
size_t sig_len;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
- unsigned char hash[PSA_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t hash_len = mbedtls_md_get_size_from_type(md_alg);
void const *options = NULL;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
@@ -1444,16 +1982,13 @@ void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
memset(sig, 0, sizeof(sig));
mbedtls_pk_init(&pk);
- PSA_INIT();
-
- TEST_ASSERT(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(pk_type)) == 0);
+ MD_OR_USE_PSA_INIT();
- TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
+ TEST_EQUAL(pk_setup(&pk, pk_type, curve_or_keybits), 0);
- TEST_ASSERT(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
- sig, sizeof(sig), &sig_len,
- mbedtls_test_rnd_std_rand, NULL) == 0);
+ TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
+ sig, sizeof(sig), &sig_len,
+ mbedtls_test_rnd_std_rand, NULL), 0);
if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
rsassa_pss_options.mgf1_hash_id = md_alg;
@@ -1461,27 +1996,26 @@ void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
rsassa_pss_options.expected_salt_len = hash_len;
options = (const void *) &rsassa_pss_options;
}
- TEST_ASSERT(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
- hash, hash_len, sig, sig_len) == 0);
+ TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
+ hash, hash_len, sig, sig_len), 0);
exit:
mbedtls_pk_free(&pk);
- PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */
-void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
+/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_USE_PSA_CRYPTO */
+void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg)
{
- /* See the description of mbedtls_rsa_gen_key() for the description of the `parameter` argument. */
mbedtls_pk_context pk;
size_t sig_len, pkey_len;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start;
unsigned char hash[PSA_HASH_MAX_SIZE];
psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
- psa_algorithm_t psa_alg;
size_t hash_len = PSA_HASH_LENGTH(psa_md_alg);
void const *options = NULL;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
@@ -1492,45 +2026,71 @@ void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_al
/* Create legacy RSA public/private key in PK context. */
mbedtls_pk_init(&pk);
- TEST_EQUAL(mbedtls_pk_setup(&pk,
- mbedtls_pk_info_from_type(pk_type)), 0);
- TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
- mbedtls_test_rnd_std_rand, NULL,
- parameter, 3), 0);
+ TEST_EQUAL(pk_setup(&pk, pk_type, key_bits), 0);
- /* Export underlying public key for re-importing in a legacy context. */
- ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey));
+ if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
+ mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
+ }
+
+ /* Export underlying public key for re-importing in a legacy context.
+ * Note: mbedtls_rsa_write_key() writes backwards in the data buffer. */
+ pkey_start = pkey + sizeof(pkey);
+ ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(pk), pkey, &pkey_start);
TEST_ASSERT(ret >= 0);
pkey_len = (size_t) ret;
/* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
pkey_start = pkey + sizeof(pkey) - pkey_len;
- if (key_pk_type == MBEDTLS_PK_RSA) {
- psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
- } else if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
- psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
+#if defined(MBEDTLS_PKCS1_V21)
+ /* Check that trying to use the wrong pk_type in sign_ext() results in a failure.
+ * The PSA key was setup to use PKCS1 v1.5 signature algorithm, but here we try
+ * to use it for PSS (PKCS1 v2.1) and it should fail. */
+ if (key_pk_type == MBEDTLS_PK_RSA) {
+ TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk, md_alg, hash, hash_len,
+ sig, sizeof(sig), &sig_len,
+ mbedtls_test_rnd_std_rand, NULL),
+ MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+ }
+#endif /* MBEDTLS_PKCS1_V21 */
+
+ /* Perform sign_ext() with the correct pk_type. */
TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL), 0);
+ /* verify_ext() is not supported when using an opaque context. */
+ if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
+ mbedtls_pk_rsassa_pss_options pss_opts = {
+ .mgf1_hash_id = md_alg,
+ .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY,
+ };
+ TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, &pss_opts, &pk, md_alg,
+ hash, hash_len, sig, sig_len),
+ MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+ } else {
+ TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, NULL, &pk, md_alg,
+ hash, hash_len, sig, sig_len),
+ MBEDTLS_ERR_PK_TYPE_MISMATCH);
+ }
+
mbedtls_pk_free(&pk);
TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id));
mbedtls_pk_init(&pk);
- TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_start, pkey_len), 0);
+ TEST_EQUAL(mbedtls_pk_setup(&pk,
+ mbedtls_pk_info_from_type(pk_type)), 0);
+ TEST_EQUAL(mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(pk), pkey_start, pkey_len), 0);
if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
rsassa_pss_options.mgf1_hash_id = md_alg;
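Review bot: The return value of `mbedtls_rsa_set_padding()` is dropped in the `key_pk_type == MBEDTLS_PK_RSASSA_PSS` branch before the key is imported, while the other calls to it in this patch are wrapped in `TEST_EQUAL(..., 0)`. If the call failed, the key would presumably be imported with a v1.5 policy and the test would only fail later, at `mbedtls_pk_sign_ext()`, with a less direct message. I would write `TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE), 0);`. The comments around the export are also out of step with the code: one names `mbedtls_rsa_write_key()` and the other `mbedtls_pk_write_pubkey_der()`, but the call is `mbedtls_rsa_write_pubkey()`. That call already moves `pkey_start` to the start of the written data, so the recomputation `pkey_start = pkey + sizeof(pkey) - pkey_len;` looks redundant. The body of `pk_psa_wrap_sign_ext` starts and ends outside this hunk.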
@@ -1546,3 +2106,600 @@ exit:
PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT */
+void pk_get_psa_attributes(int pk_type, int from_pair,
+ int usage_arg,
+ int to_pair, int expected_alg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t usage = usage_arg;
+ mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type = 0;
+ TEST_EQUAL(pk_setup_for_type(pk_type, from_pair,
+ &pk, &expected_psa_type), 0);
+ if (!to_pair) {
+ expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type);
+ }
+
+ psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; //TODO: diversity
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; //TODO: diversity
+ psa_set_key_id(&attributes, key_id);
+ psa_set_key_lifetime(&attributes, lifetime);
+ psa_set_key_enrollment_algorithm(&attributes, 42);
+ psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ /* When the resulting algorithm is ECDSA, the compile-time configuration
+ * can cause it to be either deterministic or randomized ECDSA.
+ * Rather than have two near-identical sets of test data depending on
+ * the configuration, always use randomized in the test data and
+ * tweak the expected result here. */
+ if (expected_alg == PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)) {
+ expected_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH);
+ }
+#endif
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0);
+
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), lifetime);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ key_id));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes),
+ mbedtls_pk_get_bitlen(&pk));
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+#else /* MBEDTLS_PSA_CRYPTO_C */
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), 42);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0);
+ if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(new_key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 */
+void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair,
+ int usage_arg,
+ int to_pair, int expected_alg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_usage_t usage = usage_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type = 0;
+ TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_RSA, from_pair,
+ &pk, &expected_psa_type), 0);
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk);
+ TEST_EQUAL(mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_type), 0);
+ if (!to_pair) {
+ expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type);
+ }
+ psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0);
+
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ MBEDTLS_SVC_KEY_ID_INIT));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes),
+ mbedtls_pk_get_bitlen(&pk));
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg);
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0);
+ if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(new_key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT */
+void pk_get_psa_attributes_fail(int pk_type, int from_pair,
+ int usage_arg,
+ int expected_ret)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t usage = usage_arg;
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type;
+ TEST_EQUAL(pk_setup_for_type(pk_type, from_pair,
+ &pk, &expected_psa_type), 0);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes),
+ expected_ret);
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PSA_CRYPTO_STORAGE_C */
+void pk_import_into_psa_lifetime(int from_opaque,
+ int from_persistent, /* when from opaque */
+ int from_exportable, /* when from opaque */
+ int to_public,
+ int to_persistent)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t old_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t expected_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_lifetime_t expected_lifetime = PSA_KEY_LIFETIME_VOLATILE;
+
+ PSA_INIT();
+
+ if (from_opaque) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_type_t from_psa_type =
+ PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY);
+ psa_key_usage_t psa_key_usage =
+ (from_exportable ? PSA_KEY_USAGE_EXPORT : PSA_KEY_USAGE_COPY) |
+ PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH;
+ mbedtls_svc_key_id_t persistent_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ if (from_persistent) {
+ persistent_key_id = mbedtls_svc_key_id_make(0, 1);
+ }
+
+ PSA_ASSERT(pk_psa_setup(from_psa_type, MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS,
+ psa_key_usage, PSA_ALG_ECDH, PSA_ALG_NONE,
+ persistent_key_id, &old_key_id));
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0);
+ psa_reset_key_attributes(&attributes);
+#else
+ (void) from_persistent;
+ (void) from_exportable;
+ TEST_FAIL("Attempted to test opaque key without opaque key support");
+#endif
+ } else {
+ psa_key_type_t psa_type_according_to_setup;
+ TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_ECKEY, 1,
+ &pk, &psa_type_according_to_setup), 0);
+ }
+
+ if (to_persistent) {
+ expected_key_id = mbedtls_svc_key_id_make(42, 2);
+ psa_set_key_id(&attributes, expected_key_id);
+ /* psa_set_key_id() sets the lifetime to PERSISTENT */
+ expected_lifetime = PSA_KEY_LIFETIME_PERSISTENT;
+ }
+
+ psa_key_usage_t to_usage =
+ to_public ? PSA_KEY_USAGE_VERIFY_HASH : PSA_KEY_USAGE_SIGN_HASH;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, to_usage,
+ &attributes), 0);
+ /* mbedtls_pk_get_psa_attributes() is specified to not modify
+ * the persistence attributes. */
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), expected_lifetime);
+ TEST_EQUAL(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)),
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(expected_key_id));
+
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0);
+ if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) {
+ goto exit;
+ }
+
+ PSA_ASSERT(psa_get_key_attributes(new_key_id, &attributes));
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), expected_lifetime);
+ /* Here expected_key_id=0 for a volatile key, but we expect
+ * attributes to contain a dynamically assigned key id which we
+ * can't predict. */
+ if (to_persistent) {
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ expected_key_id));
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(old_key_id);
+ psa_destroy_key(new_key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
+void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg,
+ int from_usage_arg, int from_alg_arg,
+ int usage_arg,
+ int expected_ret,
+ int to_pair, int expected_usage_arg)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t old_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t from_type = from_type_arg;
+ size_t bits = from_bits_arg;
+ psa_key_usage_t from_usage = from_usage_arg;
+ psa_algorithm_t alg = from_alg_arg;
+ psa_key_usage_t usage = usage_arg;
+ psa_key_usage_t expected_usage = expected_usage_arg;
+ mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ PSA_INIT();
+
+ PSA_ASSERT(pk_psa_setup(from_type, bits, from_usage, alg, 42,
+ MBEDTLS_SVC_KEY_ID_INIT, &old_key_id));
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0);
+
+ psa_key_type_t expected_psa_type =
+ to_pair ? from_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(from_type);
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes),
+ MBEDTLS_SVC_KEY_ID_INIT));
+ TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type);
+ TEST_EQUAL(psa_get_key_bits(&attributes), bits);
+ TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage);
+ TEST_EQUAL(psa_get_key_algorithm(&attributes), alg);
+ TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE);
+
+ int expected_import_ret = 0;
+ if (to_pair &&
+ !(from_usage & (PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT))) {
+ expected_import_ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id),
+ expected_import_ret);
+ if (expected_import_ret == 0) {
+ if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) {
+ goto exit;
+ }
+ }
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_destroy_key(old_key_id);
+ psa_destroy_key(new_key_id);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT */
+void pk_import_into_psa_fail(int pk_type, int from_pair,
+ int type_arg, int bits_arg,
+ int expected_ret)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t type = type_arg;
+ size_t bits = bits_arg;
+ mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(0, 42);
+
+ PSA_INIT();
+
+ psa_key_type_t expected_psa_type;
+ TEST_EQUAL(pk_setup_for_type(pk_type, from_pair,
+ &pk, &expected_psa_type), 0);
+
+ psa_set_key_type(&attributes, type);
+ psa_set_key_bits(&attributes, bits);
+
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id),
+ expected_ret);
+ TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT));
+
+exit:
+ psa_destroy_key(key_id);
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
+void pk_import_into_psa_opaque(int from_type, int from_bits,
+ int from_usage, int from_alg,
+ int to_type, int to_bits,
+ int to_usage, int to_alg,
+ int expected_ret)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t from_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t from_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t to_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t to_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t actual_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ PSA_INIT();
+
+ PSA_ASSERT(pk_psa_setup(from_type, from_bits, from_usage, from_alg, PSA_ALG_NONE,
+ MBEDTLS_SVC_KEY_ID_INIT, &from_key_id));
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, from_key_id), 0);
+
+ psa_set_key_type(&to_attributes, to_type);
+ psa_set_key_bits(&to_attributes, to_bits);
+ psa_set_key_usage_flags(&to_attributes, to_usage);
+ psa_set_key_algorithm(&to_attributes, to_alg);
+
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &to_attributes, &to_key_id),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ PSA_ASSERT(psa_get_key_attributes(to_key_id, &actual_attributes));
+ TEST_EQUAL(to_type, psa_get_key_type(&actual_attributes));
+ if (to_bits != 0) {
+ TEST_EQUAL(to_bits, psa_get_key_bits(&actual_attributes));
+ }
+ TEST_EQUAL(to_alg, psa_get_key_algorithm(&actual_attributes));
+ psa_key_usage_t expected_usage = to_usage;
+ if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) {
+ expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE;
+ }
+ if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) {
+ expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+ TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&actual_attributes));
+ if (!mbedtls_test_key_consistency_psa_pk(to_key_id, &pk)) {
+ goto exit;
+ }
+ } else {
+ TEST_ASSERT(mbedtls_svc_key_id_equal(to_key_id, MBEDTLS_SVC_KEY_ID_INIT));
+ }
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_destroy_key(from_key_id);
+ psa_destroy_key(to_key_id);
+ psa_reset_key_attributes(&from_attributes);
+ psa_reset_key_attributes(&to_attributes);
+ psa_reset_key_attributes(&actual_attributes);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT*/
+void pk_copy_from_psa_fail(void)
+{
+ mbedtls_pk_context pk_ctx;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ mbedtls_pk_init(&pk_ctx);
+ PSA_INIT();
+
+ /* Null pk pointer. */
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, NULL),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, NULL),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+ /* Invalid key ID. */
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_make(0, 0), &pk_ctx),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_make(0, 0), &pk_ctx),
+ MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+ pk_psa_setup(PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919), 2048,
+ PSA_KEY_USAGE_EXPORT, PSA_ALG_NONE, PSA_ALG_NONE,
+ MBEDTLS_SVC_KEY_ID_INIT, &key_id);
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+ psa_destroy_key(key_id);
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(PSA_WANT_ECC_SECP_R1_256)
+ /* Generate an EC key which cannot be exported. */
+ PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256,
+ 0, PSA_ALG_NONE, PSA_ALG_NONE, MBEDTLS_SVC_KEY_ID_INIT, &key_id));
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_TYPE_MISMATCH);
+ psa_destroy_key(key_id);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && PSA_WANT_ECC_SECP_R1_256 */
+
+exit:
+ mbedtls_pk_free(&pk_ctx);
+ psa_destroy_key(key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT:MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC:!MBEDTLS_RSA_C */
+void pk_copy_from_psa_builtin_fail()
+{
+ mbedtls_pk_context pk_ctx;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ mbedtls_pk_init(&pk_ctx);
+ PSA_INIT();
+
+ PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_RSA_KEY_PAIR,
+ PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS,
+ PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256),
+ PSA_ALG_NONE,
+ MBEDTLS_SVC_KEY_ID_INIT, &key_id));
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA);
+exit:
+ mbedtls_pk_free(&pk_ctx);
+ psa_destroy_key(key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT */
+void pk_copy_from_psa_success(data_t *priv_key_data, int key_type_arg,
+ int key_alg_arg)
+{
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t key_alg = key_alg_arg;
+ psa_key_usage_t key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH |
+ PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+ mbedtls_pk_context pk_priv, pk_priv_copy_public, pk_pub, pk_pub_copy_public;
+ mbedtls_svc_key_id_t priv_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t pub_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ mbedtls_pk_init(&pk_priv);
+ mbedtls_pk_init(&pk_priv_copy_public);
+ mbedtls_pk_init(&pk_pub);
+ mbedtls_pk_init(&pk_pub_copy_public);
+ PSA_INIT();
+
+ if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ key_usage |= PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
+ }
+
+ /* Create both a private key and its public counterpart in PSA. */
+ PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len,
+ key_type, key_usage, key_alg, &priv_key_id));
+ pub_key_id = psa_pub_key_from_priv(priv_key_id);
+
+ /* Create 4 PK contexts starting from the PSA keys we just created. */
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(priv_key_id, &pk_priv), 0);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(priv_key_id, &pk_priv_copy_public), 0);
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(pub_key_id, &pk_pub), 0);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(pub_key_id, &pk_pub_copy_public), 0);
+
+ /* Destroy both PSA keys to prove that generated PK contexts are independent
+ * from them. */
+ priv_key_id = psa_copy_and_destroy(priv_key_id);
+ pub_key_id = psa_copy_and_destroy(pub_key_id);
+
+ /* - Check that the generated PK contexts are of the correct type.
+ * - [Only for RSA] check that the padding mode is correct.
+ */
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
+ TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_ECKEY);
+ TEST_EQUAL(mbedtls_pk_get_type(&pk_pub), MBEDTLS_PK_ECKEY);
+ } else {
+ TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_RSA);
+ TEST_EQUAL(mbedtls_pk_get_type(&pk_pub), MBEDTLS_PK_RSA);
+#if defined(MBEDTLS_RSA_C)
+ mbedtls_rsa_context *rsa_priv = mbedtls_pk_rsa(pk_priv);
+ mbedtls_rsa_context *rsa_pub = mbedtls_pk_rsa(pk_pub);
+ if (PSA_ALG_IS_RSA_OAEP(key_alg) || PSA_ALG_IS_RSA_PSS(key_alg)) {
+ TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_priv), MBEDTLS_RSA_PKCS_V21);
+ TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_pub), MBEDTLS_RSA_PKCS_V21);
+ } else {
+ TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_priv), MBEDTLS_RSA_PKCS_V15);
+ TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_pub), MBEDTLS_RSA_PKCS_V15);
+ }
+#endif /* MBEDTLS_RSA_C */
+ }
+
+ /* Check that generated private/public PK contexts form a valid private/public key pair. */
+ TEST_EQUAL(mbedtls_pk_check_pair(&pk_pub, &pk_priv, mbedtls_test_rnd_std_rand, NULL), 0);
+
+ /* Check consistency between copied PSA keys and generated PK contexts. */
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_priv), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_pub), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_priv), 1);
+ TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_pub), 1);
+
+ /* Test that the keys from mbedtls_pk_copy_public_from_psa() are identical
+ * to the public keys from mbedtls_pk_copy_from_psa(). */
+ mbedtls_test_set_step(1);
+ TEST_ASSERT(pk_public_same(&pk_pub, &pk_priv_copy_public));
+ mbedtls_test_set_step(2);
+ TEST_ASSERT(pk_public_same(&pk_pub, &pk_pub_copy_public));
+
+exit:
+ mbedtls_pk_free(&pk_priv);
+ mbedtls_pk_free(&pk_priv_copy_public);
+ mbedtls_pk_free(&pk_pub);
+ mbedtls_pk_free(&pk_pub_copy_public);
+ psa_destroy_key(priv_key_id);
+ psa_destroy_key(pub_key_id);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_CLIENT*/
+void pk_copy_public_from_psa(data_t *priv_key_data, int key_type_arg)
+{
+ psa_key_type_t key_type = key_type_arg;
+ mbedtls_pk_context pk_from_exportable;
+ mbedtls_pk_init(&pk_from_exportable);
+ mbedtls_pk_context pk_from_non_exportable;
+ mbedtls_pk_init(&pk_from_non_exportable);
+ mbedtls_pk_context pk_private;
+ mbedtls_pk_init(&pk_private);
+ mbedtls_svc_key_id_t non_exportable_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t exportable_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+ PSA_INIT();
+
+ PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len,
+ key_type,
+ PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_NONE,
+ &exportable_key_id));
+ PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len,
+ key_type,
+ 0,
+ PSA_ALG_NONE,
+ &non_exportable_key_id));
+
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(exportable_key_id,
+ &pk_from_exportable), 0);
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(non_exportable_key_id,
+ &pk_from_non_exportable), 0);
+
+ /* Check that the non-exportable key really is non-exportable */
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(non_exportable_key_id, &pk_private),
+ MBEDTLS_ERR_PK_TYPE_MISMATCH);
+
+ psa_destroy_key(exportable_key_id);
+ psa_destroy_key(non_exportable_key_id);
+
+ /* The goal of this test function is mostly to check that
+ * mbedtls_pk_copy_public_from_psa works with a non-exportable key pair.
+ * We check that the resulting key is the same as for an exportable
+ * key pair. We rely on pk_copy_from_psa_success tests to validate that
+ * the result is correct. */
+ TEST_ASSERT(pk_public_same(&pk_from_non_exportable, &pk_from_exportable));
+
+exit:
+ mbedtls_pk_free(&pk_from_non_exportable);
+ mbedtls_pk_free(&pk_from_exportable);
+ mbedtls_pk_free(&pk_private);
+ psa_destroy_key(exportable_key_id);
+ psa_destroy_key(non_exportable_key_id);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pkcs12.function b/tests/suites/test_suite_pkcs12.function
index 1d0c287..2a5a5ba 100644
--- a/tests/suites/test_suite_pkcs12.function
+++ b/tests/suites/test_suite_pkcs12.function
@@ -69,7 +69,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C:MBEDTLS_CIPHER_C */
void pkcs12_pbe_encrypt(int params_tag, int cipher, int md, data_t *params_hex, data_t *pw,
data_t *data, int outsize, int ref_ret, data_t *ref_out)
{
@@ -124,7 +124,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C:MBEDTLS_CIPHER_C */
void pkcs12_pbe_decrypt(int params_tag, int cipher, int md, data_t *params_hex, data_t *pw,
data_t *data, int outsize, int ref_ret, data_t *ref_out)
{
diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function
index 7113274..ed9f4f4 100644
--- a/tests/suites/test_suite_pkcs1_v15.function
+++ b/tests/suites/test_suite_pkcs1_v15.function
@@ -235,7 +235,6 @@ void pkcs1_v15_decode(data_t *input,
size_t i;
size_t count = 0;
-#if !defined(MBEDTLS_RSA_ALT)
/* Check that the output in invalid cases is what the default
* implementation currently does. Alternative implementations
* may produce different output, so we only perform these precise
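Review bot: The comment kept as context here still says alternative implementations may produce different output and that the precise checks are therefore limited to the default implementation. That no longer matches the code, because this hunk removes the `#if !defined(MBEDTLS_RSA_ALT)` guard and the next hunk (@@ -244,7 +243,7) removes its `#endif`, so the `final[i] == 0` loop now runs in every build. I would reword it to `/* Check that the output in invalid cases is all-zero, which is what the library implementation currently produces. */`. In the next hunk's comment I would drop the words "Even in alternative implementations," and keep its point that outputs left unchanged in the bad case indicate at least a timing vulnerability. The comment and the body of pkcs1_v15_decode continue outside this hunk, so the rest of the wording should be checked against the full file.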
@@ -244,7 +243,7 @@ void pkcs1_v15_decode(data_t *input,
for (i = 0; i < max_payload_length; i++) {
TEST_ASSERT(final[i] == 0);
}
-#endif
+
/* Even in alternative implementations, the outputs must have
* changed, otherwise it indicates at least a timing vulnerability
* because no write to the outputs is performed in the bad case. */
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
index 42450d9..dee54ab 100644
--- a/tests/suites/test_suite_pkcs1_v21.data
+++ b/tests/suites/test_suite_pkcs1_v21.data
@@ -1135,7 +1135,7 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_verify:1048:"00c75d0f9fa17d1d24b939537a434017f390c6604444c35a13360d6b1fc986baf40159b84275d37b883278df5064dd9eb0f29b0d325acc790c4b59672737dbbf3acb88f5e2f2d54c919cafd072272c494591d52e158993315e71e2ca60b1c74feff8f3d77842b415d4e71734a498206a5cd9315c87b23e583e25eb4ca97056b45c96856d":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"353cef1c3aa58b0acc2f53c3aa01bf7d77a65ed9407df668fc29155b11845a72e987e3897cb902c7a4a0267038c1f16bef5df67da50f66a4993ceb4b7234f769":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"9442a8ec48f87ebc81cc1273b03e528e7643c9e2fcc60ed85827d9341c5a36e5c76059baa8e9891df437e44c4047a266b46bcaaad3de1f1d4d3576defff080b791b013491636187fc45a930b70a533ed92abfd168f050df91b4c35d68d160a243ce589807a7d32661fc18b9547cdc0fd86d33acd349c98b34fb016ddd1bff23c58170e":0
RSASSA-PSS Signature RSA-1024, SHA-224, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:1024:"e5563b145db6ff5a16280d3e80eff02f181dbd03324ef247f596a4d4a7b8daa32b9934e3c7f4dcf6a3105462dec63839638618418b51db02693fabb4e6838725":"d2a4ec0fa2226cde82da77653b072cd098535d3e90ed4d7224dcb8cb8b9314768dc517e22d7c8fa13f253daa7465a79956098aa4cc3a6e35e8b1fcc4f97e774f":"bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda707a146b3b4e29989ddc660bd694865b932b71ca24a335cf4d339c719183e6222e4c9ea6875acd528a49ba21863fe08147c3a47e41990b51a03f77d22137f8d74c43a5a45f4e9e18a2d15db051dc89385db9cf8374b63a8cc88113710e6d8179075b7dc79ee76b":"010001":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"1698b7da13806451366b9658e44e2c7dc15dc96c588c720c4d5f454c":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"53d859c9f10abf1c00284a4b55bf2bd84d8e313b4f3c35b8dec7bc3afe39b9b8a155418ead1931895769ce2340be2091f2385bbcf10d9e92bcf5d0e2960d10e792e7d865c64e50d19ffa13e52817d7d8d8db34392c2374a2e9b69184f92a4ad9b1b8bae99ca614d204b65a438e38dbbfc8c7cc44ed5677af70ce6c4f951f0244":20:0
RSASSA-PSS Signature RSA-1024, SHA-256, Salt Length 20
@@ -1143,7 +1143,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pkcs1_rsassa_pss_sign:1024:"e5563b145db6ff5a16280d3e80eff02f181dbd03324ef247f596a4d4a7b8daa32b9934e3c7f4dcf6a3105462dec63839638618418b51db02693fabb4e6838725":"d2a4ec0fa2226cde82da77653b072cd098535d3e90ed4d7224dcb8cb8b9314768dc517e22d7c8fa13f253daa7465a79956098aa4cc3a6e35e8b1fcc4f97e774f":"bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda707a146b3b4e29989ddc660bd694865b932b71ca24a335cf4d339c719183e6222e4c9ea6875acd528a49ba21863fe08147c3a47e41990b51a03f77d22137f8d74c43a5a45f4e9e18a2d15db051dc89385db9cf8374b63a8cc88113710e6d8179075b7dc79ee76b":"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:"0c37233c694cc81c4ca1027009269b64e9e32288e3522a2cd76da6613d8c5cd7":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"7b1d37278e549898d4084e2210c4a9961edfe7b5963550cca1904248c8681513539017820f0e9bd074b9f8a067b9fefff7f1fa20bf2d0c75015ff020b2210cc7f79034fedf68e8d44a007abf4dd82c26e8b00393723aea15abfbc22941c8cf79481718c008da713fb8f54cb3fca890bde1137314334b9b0a18515bfa48e5ccd0":20:0
RSASSA-PSS Signature RSA-1024, SHA-384, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:1024:"e5563b145db6ff5a16280d3e80eff02f181dbd03324ef247f596a4d4a7b8daa32b9934e3c7f4dcf6a3105462dec63839638618418b51db02693fabb4e6838725":"d2a4ec0fa2226cde82da77653b072cd098535d3e90ed4d7224dcb8cb8b9314768dc517e22d7c8fa13f253daa7465a79956098aa4cc3a6e35e8b1fcc4f97e774f":"bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda707a146b3b4e29989ddc660bd694865b932b71ca24a335cf4d339c719183e6222e4c9ea6875acd528a49ba21863fe08147c3a47e41990b51a03f77d22137f8d74c43a5a45f4e9e18a2d15db051dc89385db9cf8374b63a8cc88113710e6d8179075b7dc79ee76b":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"8e75cb3239b2b4ebf15bf74e8017340305c99d2fc1a97384257bf91cae15d57c80d7f78a487c3e16a5d1cf894da90fcb":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"8f16c807bef3ed6f74ee7ff5c360a5428c6c2f105178b58ff7d073e566dad6e7718d3129c768cd5a9666de2b6c947177b45709dc7cd0f43b0ba6fc75578e1196acc15ca3afe4a78c144cb6885c1cc815f7f98925bc04ad2ff20fc1068b045d9450e2a1dcf5a161ceabba2b0b66c7354fdb80fa1d729e5f976387f24a697a7e56":20:0
RSASSA-PSS Signature RSA-1024, SHA-512, Salt Length 20
@@ -1151,7 +1151,7 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:1024:"e5563b145db6ff5a16280d3e80eff02f181dbd03324ef247f596a4d4a7b8daa32b9934e3c7f4dcf6a3105462dec63839638618418b51db02693fabb4e6838725":"d2a4ec0fa2226cde82da77653b072cd098535d3e90ed4d7224dcb8cb8b9314768dc517e22d7c8fa13f253daa7465a79956098aa4cc3a6e35e8b1fcc4f97e774f":"bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda707a146b3b4e29989ddc660bd694865b932b71ca24a335cf4d339c719183e6222e4c9ea6875acd528a49ba21863fe08147c3a47e41990b51a03f77d22137f8d74c43a5a45f4e9e18a2d15db051dc89385db9cf8374b63a8cc88113710e6d8179075b7dc79ee76b":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"c3366c552451274a4042e4357447786cce3a25a8dbd8cf3c2f8a8ddc02161bda332bb45062f7c61b7aa7a88ed3b5d51b6103abcf1769642b11ab95f92fa39adf":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"a833ba31634f8773e4fe6ea0c69e1a23766a939d34b32fc78b774b22e46a646c25e6e1062d234ed48b1aba0f830529ff6afc296cc8dc207bbc15391623beac5f6c3db557ca49d0e42c962de95b5ff548cff970f5c73f439cfe82d3907be60240f56b6a4259cc96dfd8fe02a0bfa26e0223f68214428fff0ae40162198cc5cbd1":20:0
RSASSA-PSS Signature RSA-1536, SHA-224, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:1536:"d3bde85f8718388de38c7e157c7200366224fd446ab590fb31dfd8135d3c561426b9966c164912bf0cd6537e877d59bb21fa3d3c5a6115ce971018db6be1033f14a4bb5849ccb070eb83838394e9d0851f3a33c43f48935a01c31c6fea72a6dd":"c342842ed13979fe948de3d31c21e5d4407db5f08524a1d04221500901e44b95274cbb84d80575ef1514332e27b0244a4154a8b561125439772a3d2fc9db73f19679cb92f9c5b5388154b0180aa339ff0bbec819da8a84d2bb617542cf097a8d":"a180ac4b5186df0b7b1cb7a95746a5af411efa16d1aed12468de15b747a0ff32c215dd08a99287b7788e91542d9059940e4b610f741cb9c7a86b4aa0b45a7b38450b6ea25070f98e70bb7833aecd1834a8e591bea207ec55d403c76213bd9f700ce25adb265ad383c443ed7a87a57d7e5c6495c32f51ae0cc8784352cfc56f2029cdd323393a153193f41f0408cdcd5b344d20942413bd97c3b0c04ab584f685b0e796ce9b5a0cf64441f00ee7586c62fe8442d522f7c6e3f314f84d557039b9":"010001":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"5c69f2cc59e63b6f9ee0c954d2b7db7e4d63b7e2347f8791f1353d31":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"1d85cec0da1a74825ab796480c6e1235808387106ac1411d68f313246c65040111d74a9a45ebae10ac7686fddf4a340c4f9d24685d708bbf7b0ab4563794f5f90e0405b5d7d56c998e996b8bde2b022ae45fecf29a21836fcf362042e77e13cbf67b8a4da3f1e378dfcab2143aa8b9a145c2ee7d593e31626baa47fe623a3c3f859bb63e9336e11c5ff398a6597623318e098230b09e553ba0a4257692a0bc0a1ce1c17b2d541b52d134627229c141d351c16f1bdfe33384a9e163ecaa13e2fa":20:0
RSASSA-PSS Signature RSA-1536, SHA-256, Salt Length 20
@@ -1159,7 +1159,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pkcs1_rsassa_pss_sign:1536:"d3bde85f8718388de38c7e157c7200366224fd446ab590fb31dfd8135d3c561426b9966c164912bf0cd6537e877d59bb21fa3d3c5a6115ce971018db6be1033f14a4bb5849ccb070eb83838394e9d0851f3a33c43f48935a01c31c6fea72a6dd":"c342842ed13979fe948de3d31c21e5d4407db5f08524a1d04221500901e44b95274cbb84d80575ef1514332e27b0244a4154a8b561125439772a3d2fc9db73f19679cb92f9c5b5388154b0180aa339ff0bbec819da8a84d2bb617542cf097a8d":"a180ac4b5186df0b7b1cb7a95746a5af411efa16d1aed12468de15b747a0ff32c215dd08a99287b7788e91542d9059940e4b610f741cb9c7a86b4aa0b45a7b38450b6ea25070f98e70bb7833aecd1834a8e591bea207ec55d403c76213bd9f700ce25adb265ad383c443ed7a87a57d7e5c6495c32f51ae0cc8784352cfc56f2029cdd323393a153193f41f0408cdcd5b344d20942413bd97c3b0c04ab584f685b0e796ce9b5a0cf64441f00ee7586c62fe8442d522f7c6e3f314f84d557039b9":"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:"f19c43966938402a6e5145088e65ea888f3792373983d359a7e864864bc25e3c":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"8eb2ba2367b8f0b36b566c938b4d9948b4a0a87dd1c8300a160ec024ad0fa37174d1bba2ae6ee8c7fdbb4d172ac9615f1428599030a33515e2925a268b87c867242ccddcce6c9c03045eccbfee5eeb6e0ce2d89a9c51f40c1732927a6c7d283627dd87eca27270b117e658a3cc9d2ca7da46a76097213a7f3e2a58d7c9d306e796eee94809042bc6768d6cca4e003a40529bffa267914a232f315ddedd2768c60877bdcb05c8f2026179713084a0daf8b494959c347fb65a4414034d21c7a750":20:0
RSASSA-PSS Signature RSA-1536, SHA-384, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:1536:"d3bde85f8718388de38c7e157c7200366224fd446ab590fb31dfd8135d3c561426b9966c164912bf0cd6537e877d59bb21fa3d3c5a6115ce971018db6be1033f14a4bb5849ccb070eb83838394e9d0851f3a33c43f48935a01c31c6fea72a6dd":"c342842ed13979fe948de3d31c21e5d4407db5f08524a1d04221500901e44b95274cbb84d80575ef1514332e27b0244a4154a8b561125439772a3d2fc9db73f19679cb92f9c5b5388154b0180aa339ff0bbec819da8a84d2bb617542cf097a8d":"a180ac4b5186df0b7b1cb7a95746a5af411efa16d1aed12468de15b747a0ff32c215dd08a99287b7788e91542d9059940e4b610f741cb9c7a86b4aa0b45a7b38450b6ea25070f98e70bb7833aecd1834a8e591bea207ec55d403c76213bd9f700ce25adb265ad383c443ed7a87a57d7e5c6495c32f51ae0cc8784352cfc56f2029cdd323393a153193f41f0408cdcd5b344d20942413bd97c3b0c04ab584f685b0e796ce9b5a0cf64441f00ee7586c62fe8442d522f7c6e3f314f84d557039b9":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"1412b9f046aeba0a7c63e744a4f30a3656d41300726e66d8825a1043f08285b7e6e250efcc9a0405c6da019d042a7e14":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"9fa4e64bab336017e19015ee7ea1e267bf426633fb2ac5f4d65bc754aba17f7a9f0f1ee2bf0a3b9f2dd354ed8eba596f5ca3e26495ef268658bd247474d3524b11a2953f591f8abb14ef4bcd44dadc36a41f9daef1bf88b7e441160278c8a39945524557b84ce5cdcb79eecbad63658e8470d8dc94b44aad1f04b05400ea04e5f959dd18f6f718311f6dfec98a7e1aaa7ba11771f61448b12d7901a2530e830dccc531fd0dbe222215b3f7b9dafa5fc20d5af15ab312b621d71b2106150a801b":20:0
RSASSA-PSS Signature RSA-1536, SHA-512, Salt Length 20
@@ -1167,7 +1167,7 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:1536:"d3bde85f8718388de38c7e157c7200366224fd446ab590fb31dfd8135d3c561426b9966c164912bf0cd6537e877d59bb21fa3d3c5a6115ce971018db6be1033f14a4bb5849ccb070eb83838394e9d0851f3a33c43f48935a01c31c6fea72a6dd":"c342842ed13979fe948de3d31c21e5d4407db5f08524a1d04221500901e44b95274cbb84d80575ef1514332e27b0244a4154a8b561125439772a3d2fc9db73f19679cb92f9c5b5388154b0180aa339ff0bbec819da8a84d2bb617542cf097a8d":"a180ac4b5186df0b7b1cb7a95746a5af411efa16d1aed12468de15b747a0ff32c215dd08a99287b7788e91542d9059940e4b610f741cb9c7a86b4aa0b45a7b38450b6ea25070f98e70bb7833aecd1834a8e591bea207ec55d403c76213bd9f700ce25adb265ad383c443ed7a87a57d7e5c6495c32f51ae0cc8784352cfc56f2029cdd323393a153193f41f0408cdcd5b344d20942413bd97c3b0c04ab584f685b0e796ce9b5a0cf64441f00ee7586c62fe8442d522f7c6e3f314f84d557039b9":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"9a89e38ce0fe8b008f58c3c07621fcf18e76ca5d304f17fbb52d82d8368425ec305e20b70b839fcad3511a194e99e907e3f0e2a801c0b9cd4497c4a0bdf1ea49":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"32e688063ea24ccb2ca998fb7091877c103ce6576b11a175bc896af454042a5731b91c1c58b4d8e38f0619f6ddc8ced6b5397545f9571a4c90767593d11c00b75eb58a0ae4932265f0ab1790be2c83dff65357a301b3b3e2ee2e3683afe0b4b35ee8b6e58a96b4009c98d8faba75f86ffb548f0501884f3528d8eabad353e28d0132c4c01fa3af5dec922f02eff22020481615e4cd35b9eccfd711cb3b0d65af95c0637d79aaa2433f2854de3560adb284248bac8cbd4717317011a5159c93ed":20:0
RSASSA-PSS Signature RSA-2048, SHA-224, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:2048:"f7b664093cabf8334b1c0ff824564db5c13f941a279733893a7e5abed536d2b51a2beac80730b5194a0c722f57354ce4b7db447ea3286b1cd1c754548ea3c91a0df1bde3ff70820b63ef3c74a0119671d14db3e2603868a0d607a81bf14f3f41f810c3a24bf52a94f9b694078a556194dd0cb36c56a91846d3569096c631b61f":"e0a1111aa114d5b1702e34d29565d65320e05c21d794f38572ad28a60b2ffe50d0dd3df3fb5a0eef048ec50e144bfe52be30ebf2eaceec9f110a600bb0c2bcacf6b4dabec09b9387c89a8fde19de5ceec780be38dca846d795f82608cf2844e9bced8d81da2d9258c3ef412154f9e590a158ea0ad9180ac6a798614ba3410937":"d95b71c9dfee453ba1b1a7de2c1f0b0a67579ee91d1d3ad97e481829b86edac750c48e12a8cdb026c82f273dafc222009f0db3b08b2db10a69c4b2dddaaeceac1b0c862682eef294e579f55aab871bc0a7eeabc923c9e80dddc22ec0a27002aee6a5ba66397f412bbaf5fb4eaf66a1a0f82eaf6827198caf49b347258b1283e8cbb10da2837f6ecc3490c728fe927f44455a6f194f3776bf79151d9ad7e2daf770b37d12627cc0c5fb62484f46258d9ce2c11b26256d09cb412f8d8f8f1fe91bb94ac27de6d26a83a8439e51b35dbee46b3b8ff991d667bb53eeee85ff1652c8981f141d47c8205791cef5b32d718ddc082ed0dd542826416b2271064ef437a9":"010001":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"b777a83dd25a4fa36a5ea663aa16403c67368e4711e8c121b01f83ac":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-2048, SHA-256, Salt Length 20
@@ -1175,7 +1175,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pkcs1_rsassa_pss_sign:2048:"f7b664093cabf8334b1c0ff824564db5c13f941a279733893a7e5abed536d2b51a2beac80730b5194a0c722f57354ce4b7db447ea3286b1cd1c754548ea3c91a0df1bde3ff70820b63ef3c74a0119671d14db3e2603868a0d607a81bf14f3f41f810c3a24bf52a94f9b694078a556194dd0cb36c56a91846d3569096c631b61f":"e0a1111aa114d5b1702e34d29565d65320e05c21d794f38572ad28a60b2ffe50d0dd3df3fb5a0eef048ec50e144bfe52be30ebf2eaceec9f110a600bb0c2bcacf6b4dabec09b9387c89a8fde19de5ceec780be38dca846d795f82608cf2844e9bced8d81da2d9258c3ef412154f9e590a158ea0ad9180ac6a798614ba3410937":"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":"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:"b416e0843040b35277be7734bc23ac9e9eb47a7f57f55e94d826285c9c00100a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-2048, SHA-384, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:2048:"f7b664093cabf8334b1c0ff824564db5c13f941a279733893a7e5abed536d2b51a2beac80730b5194a0c722f57354ce4b7db447ea3286b1cd1c754548ea3c91a0df1bde3ff70820b63ef3c74a0119671d14db3e2603868a0d607a81bf14f3f41f810c3a24bf52a94f9b694078a556194dd0cb36c56a91846d3569096c631b61f":"e0a1111aa114d5b1702e34d29565d65320e05c21d794f38572ad28a60b2ffe50d0dd3df3fb5a0eef048ec50e144bfe52be30ebf2eaceec9f110a600bb0c2bcacf6b4dabec09b9387c89a8fde19de5ceec780be38dca846d795f82608cf2844e9bced8d81da2d9258c3ef412154f9e590a158ea0ad9180ac6a798614ba3410937":"d95b71c9dfee453ba1b1a7de2c1f0b0a67579ee91d1d3ad97e481829b86edac750c48e12a8cdb026c82f273dafc222009f0db3b08b2db10a69c4b2dddaaeceac1b0c862682eef294e579f55aab871bc0a7eeabc923c9e80dddc22ec0a27002aee6a5ba66397f412bbaf5fb4eaf66a1a0f82eaf6827198caf49b347258b1283e8cbb10da2837f6ecc3490c728fe927f44455a6f194f3776bf79151d9ad7e2daf770b37d12627cc0c5fb62484f46258d9ce2c11b26256d09cb412f8d8f8f1fe91bb94ac27de6d26a83a8439e51b35dbee46b3b8ff991d667bb53eeee85ff1652c8981f141d47c8205791cef5b32d718ddc082ed0dd542826416b2271064ef437a9":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"41f2bf25c2544062c78b59886eea442c884e4b9bb87f643abcb4d5c1c661a0fb0dd592107f6173438c34f67ec9f6c97a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"b43d87deefa7df127a717f4065f831c58cd84bf78c916ba52ed32769abd541df52233b8583507c539b1d51e0437ab1a41e17fc1599b92aabdb5b040dc79027c60c9cc3ed3de36aeea28f20360635be5bf654d6c1b7fe6da77d0c45b9ea2802ad22eba182cbed95d33da7f78ac844f4891cebc0396caa2f8daaf55254fdafe98b5fe6c4dd3967d23ea99497060820e108e818cd0aa94e65770bde892c62233b96d87fe545162d6ba077f110274bddacb2a7cbf17d437bfe004b34c3ea24fb46e5ed9cce4de96b0694efd73832ec76e19e5a25c49c5843393ce6b919ea35e4d264e0a0855f518a63c008c183798ca612cd8f75688a09210413e0a23cafcf2d4158":20:0
RSASSA-PSS Signature RSA-2048, SHA-512, Salt Length 20
@@ -1183,7 +1183,7 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:2048:"f7b664093cabf8334b1c0ff824564db5c13f941a279733893a7e5abed536d2b51a2beac80730b5194a0c722f57354ce4b7db447ea3286b1cd1c754548ea3c91a0df1bde3ff70820b63ef3c74a0119671d14db3e2603868a0d607a81bf14f3f41f810c3a24bf52a94f9b694078a556194dd0cb36c56a91846d3569096c631b61f":"e0a1111aa114d5b1702e34d29565d65320e05c21d794f38572ad28a60b2ffe50d0dd3df3fb5a0eef048ec50e144bfe52be30ebf2eaceec9f110a600bb0c2bcacf6b4dabec09b9387c89a8fde19de5ceec780be38dca846d795f82608cf2844e9bced8d81da2d9258c3ef412154f9e590a158ea0ad9180ac6a798614ba3410937":"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":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"7641739d2f4fc0eba07e212218af4d77e78ae3a225ef253a7ec96215a1197e681a93fd534288cda156f216d21f02b2dc60b49c41874c26c0a2be0aca13babc53":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-3072, SHA-224, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"f145387c7a70e478968e238037e8d561b1665e0e15ac547ed4a72ea1":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-3072, SHA-256, Salt Length 20
@@ -1191,7 +1191,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:"14ea4dca3559976c7d8943a51d69c1322c7860d496f742b9c0c2d03ce629613b":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-3072, SHA-384, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"bc9fb8fc6d4c6ce8865c758063e55639f98afc15e5d71f4f1ecf89d6fbb904aecc28126bd5e6b5a7f8f31729949dbf8a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-3072, SHA-512, Salt Length 20
@@ -1199,7 +1199,7 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"c57911bf353ef106479bd0ac85a4f70b6d3298f8e5882c5d0bfb28cb6f27129ae53b4fab702ccd3d5457d5fd662d29f34b445e60fc5da3c0c943cee17b81e255":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-4096, SHA-224, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:4096:"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":"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":"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":"010001":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"bb21ead0163de468ab3580ab57c7959cc1db437d6f2f47a878dc19bc":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"3742d8a9627e2e10145c31a3548977f87f8019b1d9093c42f806c8df5ef7fad8330e2a05846c346cb64d9e8af2cd3806eb0df40cd097b3f8841525786ed53746498aa565f8945cf55e24944e8e3d86eb219f65c3385e1e7d45fe3a403773f3057bf22839d5903cd64c95a417c00b429ee068f0fe8ec17305a122979cabee8c3ad31b597da7c71fa1db3da842f7f7048f4396e1768197ccd84c5d9a0450d66f0bc88da7605cc8cdfe52bce60793704dafea504349ff14c481bea73dd761c848387d12f2d1b9227a959fec8b9eef0e9780cb6a427af946597d7e6059a07d50e878d7ae14eed8b571ac88e1c5d1a00d16c0de1c5148ec5781036676c6355e0cbca06346eebaf6c7de938cedd47a244f908ba1189bfbd97bd2667e8eba95e007a64b165dbfc4bf35878cd606732fd469f922ec141e5bc6a7d5c1875233cff612d336c28466c271764ef94e9c07e701923f1f68f39e2f003487dbe41d5505862eb4e90402e50f7b3cb918ef3eff893d0f00b203e2a511cfea4ca54c043ed0598d022c947cad5129fc47f5e79db97a0eea5afd7bb801a367a7bb8d929de1c12a54865e1e183ed926bb8da9d454c7a52b30cfcfe9ed3479799276f4a65b30f430e61fcf520e46e4eb9bea59ba064e7c9c72c9b58bf4ff633897d3ea46d989cec31ce4fc32e46e5a3d1805c35a30b387fb77afe20dba19be37252e40b252d346b69d3cf2":20:0
RSASSA-PSS Signature RSA-4096, SHA-256, Salt Length 20
@@ -1207,7 +1207,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pkcs1_rsassa_pss_sign:4096:"f00102d29990fb36bf66dcab57fa4e05745e307c031fe6acb86df4e0487bcb8fd929e227b6e1090a48befbd642f432ea1b6cff26c1aed9f18c04f68170dc1857786faa086fa00b43e0272a1042ee53566cbb48a04f109420e3501cf56222f7a9b51a7ffe2b97a8ea71e791e0bfb259514f953473130dbe41a7978fc385150f8f78748b90538c8906e24759ce2106ede4ac40eb26776cff5abf227673407d0910a9c3f6464d48569f1b8faa62d0b3b7156b059441e1f701751339fa8dfd218c343050e8a88293b6be0407ab2534815eee742c574cbb7469998b23439a23ca4104f563883f5a35ab88d789dcba4073aebf2e1855abb839908874c1a10f150d56b7":"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":"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":"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:"480aa96e4b3a710d9924a84998e46b7246e26671e7d11efa6c6ec34919eac963":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"2e512f73d198e623afe019bd4cea9192ff8b24ab555099d31bd52d705fc808229a269bf749c8061a3dc7ffae9ef7c6bdcd8c34910f92f0a0fcd6d73017ca3388ca5e99a1735e005ff5d5eade3ec0ea0c2436f0e78b197c2d999ba4351b9e37a09195504b63a42762bea22d307a0328fc9c80acdc28fc8f4050e25fbd5890233028f97ea3a2669ff4d5f4232c1e48571499af28ed6f5a92e7936de39d913e12c5cef51e25f90a1e903f3f60a6a9cddbc56564b146aca6af6236b899c2cb7223a6941f0beaa3aa787b2333e4f3e66b334b99b90825153ebd0095f27691880f44e4e77135f26df376e261adfe0d8354cfa15b49138d624d9f62a9751221ee0598097891c9864ad3651e89723bc9ec6086f571e199619ceb6720ab5a4998254cb807dce75a5a5203d38a9f5d56adee4239ff50cefe3e927eba91de7e1f8e1ae8b0505c077788372af7d8ef00735cc531fd46dbe86702ac49171f0a921f4626442ae960e972a5594ee3bcbfbf687cd96ed300aa9df1b9487607b5bae0f1abecbc1d2291fe93b9f8a091ffac8469b0f00ba561f0628f5e004ed1fd8713650e147c4b2cab7f4d69a4ad57b145c1e5e4c1412e86fbbda5a6096f66293203207e35098bf94dafff75ed094d10e6034cd22179d94655004fa4bf4de774807b6f5cd27d90255468cf01db7b6f82607df597f72d1f9c9c91d17740a14a4816ae65e63fde480d":20:0
RSASSA-PSS Signature RSA-4096, SHA-384, Salt Length 20
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:4096:"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":"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":"cfcae49f88b80dc12186d53c57162dbecba6e348094f9fb3743e39d99d5355d87e3efca9d488d39d705671e58634309cbd7cf53fccd52d9a84edb99ffdad0680e9ec826d625728370717b39321c7d4b6882785cf6884275f6c7b6d681bfa710593679e99b67d5bc28121dd603617dc8cfdb2557c2a04533893f593f0f7e59cbe6d46623d22642a7161a4c685b293c7edcc9aaec48e3810ec74a884a41108610d000b591fbf5da44b5501e63781264edf3c73706321ecf44d0e14b5932a2d69ca3d180c5cee86b4ccad850c766e0beb5f20e6b142055d551aeb453bd099eac67eb92cf13e34ef0d0e34fc599a6e5d4d14f74e08190c66c66ad3473de9ae8f53dd2c1c0c41f4b4a8d4690f4b77354c76e05ab76b7a6c7c9edf0955fee799a2bb42c86c6a06631398d38cceb71ec9aaa9a0fb83850f62342f3f781f9d453229b1a709bbce83a44c225ebffd4f518f94a7935f4669f65d02ff3defbbd1d5efd9191365808cdf9460371ede1eae735af03f21431239d5cd57cc0cc88fb3965d187eba98359409aaa944a7af8e85e20b67c43c82e78fa967fc0d629bcd7483d17dcaa25915571a15c3f0c730e81095139d71a28858dd9d83b65bf9c9273a8a40b12a2c87107a71f984818f7dc766374d31b4c3a1d284adb2a17f8ac85dbe3f58cf78b14c0fdce00a79daf348aa0557290ef5f9dd305c15fa73d40c6822b75fda13ec43":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"c6e4881e3f76394a6d8cfb1786e1757f78d66cf048ba1a8aaaa28be02430097e30d92e459257f8f571c6389d1d94b0d5":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":20:0
RSASSA-PSS Signature RSA-4096, SHA-512, Salt Length 20
@@ -1215,11 +1215,11 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:4096:"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":"dda4491b56bdad20f032c8a61bc326995ee7353c3f1b4c1e677aeb4b028e45bf6566fb20f3e82bac4169a970787b8cbafb06edd24a9bebe52704f242f7203ec96aee9a9f5ee76e270191f82e3651da663b80d51688c2d40ffa932ce2302322503664ae0260617e7b79d13e4a1dec1784647d7571c1390e86294f20937740f93e0ff1bdb0c1ff648ef152022bf5f54bfcbf24564cbca7a130fb5f56be921fcc7a3ebd51114968274ab13bcc3986137eb6949eff0d42b596f7baec56c94a67a2ec0aeff18dc044cf9500b525dc98efb9992b13f81e1b0bf4c2ac1da91e67c0847cbdaf268ced549c2febd08b661140af9bf45458d13d4717eb61de86b555856ad5":"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":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"ebbca26fb18da6226cc47dea14c57d9f3c935cb449462cc9446689577031ebc915fdd09cdb79d4703a53eb5dd447852f3bc72f974487ffb998cbe996d206c80c":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"6edfb6bfb20da2621e7ca0b8e13bfc3801d8bcb43ef3822be960b96a67d3e8afbbe2ef22e206b328ce99dd8f9758052d42a8ee93e16d8e160a50687e8ffce72d258610064ebde4c4cc2ab96c8e516ec2c1eed816c8e6ac537a0570c9eff81a38147bcd8f4747390676f9d755f613687ac59dbac14f69ca6e56a26727699fa11c200eb77339ead56fc6883acf9b92c6deb6f4d79f82ccdc493fedc6165f78c174adcf32941eeb237a4ae369dbbafb4553c98e413823f6f46da0d47d47a164b792aaf1324a8be4f01601bceb809f8c08f3458b1de2c6378cf93fb293212f6bd4a7b1fd1bfa14a1af29575a5ecc4281420179758e96b4465ec07f6cce4e5e5c2307d531e400e494725eb7dceb1d8dac1000d92f62f319534063c01aec9c6ec0c7675351f2883e462b0454db364f03700d6593c9be195fbea5800ebb81578c765409ac2c37f78fabe8783c5d324fa4dfabe4f192866e34037901615304237f08028a75f00a3904bea03219ef9dbfeb48d10ec59d481eb0429cfc9ae835cc578377e61023d5ceedfd3d0a05aceddb274c13782dda9299d6197519e14791208f8d86d63e0ab7fb42a1e14f8f37f49732e23d4b7d4f07cd0bc828649a12748e8d70f53683580bca87290992a349730370bbed6ed743e705759734872c54ff03c1a97037a7b9ee3c8c42d12c3ebe0c1bf3b42854d04a9177d1a24000bd388fa289fd77d5":20:0
RSASSA-PSS Signature RSA-2048, SHA-224, Salt Length 15
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pkcs1_rsassa_pss_sign:2048:"e28da1aa250390bc8fd27d6f601830febbdd5a309bcd5d1d3cebda111110851563d1fb4d141e8129bf25721aa144b104b7c5adbb8540f02a7402788ae72c93c9f59d6d1bcf1541c3354b5cd3dcb91e35ed100d78857cf2ab6ed04b2dc1cc81fa1307bb18c635fdacfb7f656d0b4743d9f487048a8aaf5d5ec6fd09a01b28d4b1":"dea1faf22b760cbfa9ba11a486edd9b9faee04f22f15abfff5b2c079a2c932cfa641660da16213adfbbb568ecbaac18511031f428cd3ae4e0bf01928a1db6360511c26501c7bda7bf4fc4cc792d79efb86ec15ba2fc82aa41bce08e0807859a41b57e9e3f15804c81bf8ed017dea62e53489f955949651ddcb1da5297465ac9f":"c5062b58d8539c765e1e5dbaf14cf75dd56c2e13105fecfd1a930bbb5948ff328f126abe779359ca59bca752c308d281573bc6178b6c0fef7dc445e4f826430437b9f9d790581de5749c2cb9cb26d42b2fee15b6b26f09c99670336423b86bc5bec71113157be2d944d7ff3eebffb28413143ea36755db0ae62ff5b724eecb3d316b6bac67e89cacd8171937e2ab19bd353a89acea8c36f81c89a620d5fd2effea896601c7f9daca7f033f635a3a943331d1b1b4f5288790b53af352f1121ca1bef205f40dc012c412b40bdd27585b946466d75f7ee0a7f9d549b4bece6f43ac3ee65fe7fd37123359d9f1a850ad450aaf5c94eb11dea3fc0fc6e9856b1805ef":"86c94f":MBEDTLS_MD_SHA224:MBEDTLS_MD_SHA224:"3be4397c9467ec90f5d5640834f6e9febee4ce2477aa3f385cab9435":"463729b3eaf43502d9cff129925681":"7e628bcbe6ff83a937b8961197d8bdbb322818aa8bdf30cdfb67ca6bf025ef6f09a99dba4c3ee2807d0b7c77776cfeff33b68d7e3fa859c4688626b2441897d26e5d6b559dd72a596e7dad7def9278419db375f7c67cee0740394502212ebdd4a6c8d3af6ee2fd696d8523de6908492b7cbf2254f15a348956c19840dc15a3d732ef862b62ede022290de3af11ca5e79a3392fff06f75aca8c88a2de1858b35a216d8f73fd70e9d67958ed39a6f8976fb94ec6e61f238a52f9d42241e8354f89e3ece94d6fa5bfbba1eeb70e1698bff31a685fbe799fb44efe21338ed6eea2129155aabc0943bc9f69a8e58897db6a8abcc2879d5d0c5d3e6dc5eb48cf16dac8":15:0
RSASSA-PSS Signature RSA-2048, SHA-384, Salt Length 25
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:2048:"e28da1aa250390bc8fd27d6f601830febbdd5a309bcd5d1d3cebda111110851563d1fb4d141e8129bf25721aa144b104b7c5adbb8540f02a7402788ae72c93c9f59d6d1bcf1541c3354b5cd3dcb91e35ed100d78857cf2ab6ed04b2dc1cc81fa1307bb18c635fdacfb7f656d0b4743d9f487048a8aaf5d5ec6fd09a01b28d4b1":"dea1faf22b760cbfa9ba11a486edd9b9faee04f22f15abfff5b2c079a2c932cfa641660da16213adfbbb568ecbaac18511031f428cd3ae4e0bf01928a1db6360511c26501c7bda7bf4fc4cc792d79efb86ec15ba2fc82aa41bce08e0807859a41b57e9e3f15804c81bf8ed017dea62e53489f955949651ddcb1da5297465ac9f":"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":"86c94f":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"1c389ed84b9f252bedde76a9a694986fa130906633047674c9a44e887f359e1cfc19d2d9a53a8fdfb2f826d813ca7a58":"b750587671afd76886e8ffb7865e78f706641b2e4251b48706":"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":25:0
RSASSA-PSS Signature RSA-2048, SHA-512, Salt Length 30
@@ -1267,15 +1267,15 @@ depends_on:MBEDTLS_MD_CAN_SHA512
pkcs1_rsassa_pss_sign:1024:"e5563b145db6ff5a16280d3e80eff02f181dbd03324ef247f596a4d4a7b8daa32b9934e3c7f4dcf6a3105462dec63839638618418b51db02693fabb4e6838725":"d2a4ec0fa2226cde82da77653b072cd098535d3e90ed4d7224dcb8cb8b9314768dc517e22d7c8fa13f253daa7465a79956098aa4cc3a6e35e8b1fcc4f97e774f":"bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda707a146b3b4e29989ddc660bd694865b932b71ca24a335cf4d339c719183e6222e4c9ea6875acd528a49ba21863fe08147c3a47e41990b51a03f77d22137f8d74c43a5a45f4e9e18a2d15db051dc89385db9cf8374b63a8cc88113710e6d8179075b7dc79ee76b":"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"c3366c552451274a4042e4357447786cce3a25a8dbd8cf3c2f8a8ddc02161bda332bb45062f7c61b7aa7a88ed3b5d51b6103abcf1769642b11ab95f92fa39adf":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"":63:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS Signature RSA-3072, SHA-384, Salt Length 0
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"bc9fb8fc6d4c6ce8865c758063e55639f98afc15e5d71f4f1ecf89d6fbb904aecc28126bd5e6b5a7f8f31729949dbf8a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"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":0:0
RSASSA-PSS Signature RSA-3072, SHA-384, Salt Length max
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"9c43ef522cab18022297d3d70fa491d03b975b844b76cedba35d8d885ddb2825e31fd5c101bd9e9a215520bb8cdddeb6ab2cf2dc86065179477d80f733016929d7334cdfdf818c1378a4b9428fa1ee2e525321f905d0b949d3abc9e93d3f30b077795338bd55c28a1ced134bb2d575bfa44b2fd8cf1d5c54168a12a1d6c511f62ca973cdb704c233487e1fd39e5adc8870af352ec3c6a6a64152fc82a1c16ecc43d1d5817f76a1b46a5fab9db8923311edd3cc032fed7eb6252e77db69d7bf9ee35dc4ddd0fbdb9a76afe25a82f4495aa4f072cef9b1247cb368bcc8677565a47095242702e6341281f506805e20e8c89e9af28adff21c804c70cab10ee2fe5212ec07987d13e7d4b60529611e4d33a062d724cdfb16cdc48b964ba07dfa2620d5a8805d0be93380850c66f3fada059802a5946bfe3b0b10e19a8289ec01f6514abb883bb53c49dadbba42d412ea264c8a5122fda1ea9b742289642b0ea34ceb76ae8256a97845d37594cfbff8c7a4430176223bacc3bef395ceda13fd211c71":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"bc9fb8fc6d4c6ce8865c758063e55639f98afc15e5d71f4f1ecf89d6fbb904aecc28126bd5e6b5a7f8f31729949dbf8a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b3fe26ee600cfb2d187384e529f280485cf84830af8cb015878cb7c4c74ad6ab38fd8998fa74b612e84af8123d785a8a60a2bb002f7b15a6f7cd6bbf18325a412fd3ea2a48903d30db2543089d9d82fe304dfe5fb903f6a0d1625fe994aa2ac47e04eeb6a51be770312a88cec80bbcf849ab57f2af4e9370a0e3
5a458d8509fb89e8b22ef499af25c427e48c2391747d3ccc6fdc1b035cbbe6a6f1742bfb6fb5d411d4c8bb73ee7f9bc2fbcf54603c813c9c6d479fb9f38650f4fa8ce05a32c47c078d278b7b97173e82d692e303141faf71573f2b5ab58c4fa009200a3be47633719dbeed24d61ba7acae8abfc2aa5f33f18e6f4c43eb8be3e4bbee1090544401e202ef06d90aae75a939256bd374afc5030f1146ea9d2acf4918dfe96d13eb5f16da55efd504657e3d8aea010f89c60288d74963746422bd7cf":"57a5511992b30d39e150b6a7a760a74136db0a24bc635f3a700a74f865a7c9c0ed2e2e196022a6d17ad7c2d3f12946828458015beffb0c0652de2cc9c3366aaeb7634c5d6ccbdf6c7c93b8feff21a7d2831ac3ee73fd98f9c972dcb833ac61323b77ec249db0e4fb9bf33c71aef9d2aaef40aafab2cb3870f0224c8d0c3ada2abb9d3dd601a038594d290177277a8b791ebcc211d7e5379323a633c62fe9cc2394bd7a977a604122ee9799e5368cc17e1af1795046e76899aa6e7be8f27b1a3e96daa81784d967e9a36cf1912936d7ae11f80aed79c27c53237e7fa009daf9240fb205f83e8c6f8f57d3c3520e0e60213a203432c18d92979b13555ce6eab075ddb38b6d820e378ac4e3afcb3d57e5c6d3c11f165745996fdb61e36b842c6ec81d6437073fe9fc96a4dbc3b188ca766a7f7ef786f39729cadcc5700fb0fffeca0eb0bc47243783f129917948df9bee23da83fadadfa87708e0a839a62965a5d2b9a7cd16b4675cef6afc8fbc2615d97d11ede47f4dfd83e74847dc184ccdc4fd":334:0
RSASSA-PSS Signature RSA-3072, SHA-384, Salt Length max + 1
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pkcs1_rsassa_pss_sign:3072:"ca7b50c5f65f2115fea7691f7d90c124866e774e68e9eb89306538956fc217593d46017b7dd7942d636e384a34c802a14d5fd9916798d7d6193ef1a29e2fdbefd955261496d8ac9713922d43bfc43a7a410752ccbc854cc85268f411e793f9b5279007bbcaca30fb16fd9033a6ea31566b4f2c27f0161107e2cd890bcf563a522ee0eb96a016e9007595a94172a4aeded11fadcb8ab5f03cd154f8b8e0e0666ff62b1ccda02599ea44bbfcfaea541a5ac26bf267a56a8177a50f6b87b460a54d":"c591723042d4b8737f4ef9dfeb40c6d62d439ee8688158a4be24c0ad130f851113cc53d776c63cd782b95ccfd266bdb2578b78439c121de34e8955a7fbd2c6ae1a1c37b24c12f5dce15175dd9e203a3abd5bf9e736b1fc183d10c4540c5cf2cbe26768e94c1eab2ba3008b32d6d50716699c6bfcbec5bbeb94a054dbcd16d10f74972ca5fe53256cd0ade8f502eceaed633414a9bdb623035a234f65c6662a23d792cc0eeb21a1f55ebca26ffa1c56c96fbb7d870fc3ffb181de8398238ab1b5":"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":"010001":MBEDTLS_MD_SHA384:MBEDTLS_MD_SHA384:"bc9fb8fc6d4c6ce8865c758063e55639f98afc15e5d71f4f1ecf89d6fbb904aecc28126bd5e6b5a7f8f31729949dbf8a":"6f2841166a64471d4f0b8ed0dbb7db32161da13b":"":335:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS Sign. RSA-520 SHA-512: Salt Len. 0, no possible salt size
diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data
index f3ea553..1a782a6 100644
--- a/tests/suites/test_suite_pkcs5.data
+++ b/tests/suites/test_suite_pkcs5.data
@@ -19,23 +19,23 @@ depends_on:MBEDTLS_MD_CAN_SHA1
pbkdf2_hmac:MBEDTLS_MD_SHA1:"7061737300776f7264":"7361006c74":4096:16:"56fa6aa75548099dcc37d7f03425e0c3"
PBKDF2 Python hashlib Test Vector #1 (SHA224)
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pbkdf2_hmac:MBEDTLS_MD_SHA224:"70617373776f7264":"73616c74":1:20:"3c198cbdb9464b7857966bd05b7bc92bc1cc4e6e"
PBKDF2 Python hashlib Test Vector #2 (SHA224)
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pbkdf2_hmac:MBEDTLS_MD_SHA224:"70617373776f7264":"73616c74":2:20:"93200ffa96c5776d38fa10abdf8f5bfc0054b971"
PBKDF2 Python hashlib Test Vector #3 (SHA224)
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pbkdf2_hmac:MBEDTLS_MD_SHA224:"70617373776f7264":"73616c74":4096:20:"218c453bf90635bd0a21a75d172703ff6108ef60"
PBKDF2 Python hashlib Test Vector #5 (SHA224)
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pbkdf2_hmac:MBEDTLS_MD_SHA224:"70617373776f726450415353574f524470617373776f7264":"73616c7453414c5473616c7453414c5473616c7453414c5473616c7453414c5473616c74":4096:25:"056c4ba438ded91fc14e0594e6f52b87e1f3690c0dc0fbc057"
PBKDF2 Python hashlib Test Vector #6 (SHA224)
-depends_on:MBEDTLS_MD_CAN_SHA224
+depends_on:PSA_WANT_ALG_SHA_224
pbkdf2_hmac:MBEDTLS_MD_SHA224:"7061737300776f7264":"7361006c74":4096:16:"9b4011b641f40a2a500a31d4a392d15c"
PBKDF2 RFC 7914 Sec 11 Test Vector #1 (SHA256)
@@ -67,23 +67,23 @@ depends_on:MBEDTLS_MD_CAN_SHA256
pbkdf2_hmac:MBEDTLS_MD_SHA256:"7061737300776f7264":"7361006c74":4096:16:"89b69d0516f829893c696226650a8687"
PBKDF2 Python hashlib Test Vector #1 (SHA384)
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pbkdf2_hmac:MBEDTLS_MD_SHA384:"70617373776f7264":"73616c74":1:20:"c0e14f06e49e32d73f9f52ddf1d0c5c719160923"
PBKDF2 Python hashlib Test Vector #2 (SHA384)
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pbkdf2_hmac:MBEDTLS_MD_SHA384:"70617373776f7264":"73616c74":2:20:"54f775c6d790f21930459162fc535dbf04a93918"
PBKDF2 Python hashlib Test Vector #3 (SHA384)
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pbkdf2_hmac:MBEDTLS_MD_SHA384:"70617373776f7264":"73616c74":4096:20:"559726be38db125bc85ed7895f6e3cf574c7a01c"
PBKDF2 Python hashlib Test Vector #5 (SHA384)
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pbkdf2_hmac:MBEDTLS_MD_SHA384:"70617373776f726450415353574f524470617373776f7264":"73616c7453414c5473616c7453414c5473616c7453414c5473616c7453414c5473616c74":4096:25:"819143ad66df9a552559b9e131c52ae6c5c1b0eed18f4d283b"
PBKDF2 Python hashlib Test Vector #6 (SHA384)
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
pbkdf2_hmac:MBEDTLS_MD_SHA384:"7061737300776f7264":"7361006c74":4096:16:"a3f00ac8657e095f8e0823d232fc60b3"
PBKDF2 Python hashlib Test Vector #1 (SHA512)
@@ -126,6 +126,18 @@ PBES2 Encrypt, pad=8 (PKCS7 padding disabled)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_CIPHER_PADDING_PKCS7
pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D5510101010101010101010101010101010":138:MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:""
+PBES2 Encrypt, AES-128-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e"
+
+PBES2 Encrypt, AES-192-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7
+pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94"
+
+PBES2 Encrypt, AES-256-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_CIPHER_PADDING_PKCS7
+pbes2_encrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629":96:0:"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566"
+
PBES2 Decrypt (OK)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f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
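Review bot: The new AES-128-CBC encrypt case does not say which PRF it exercises, and its plaintext points the wrong way. Its PBKDF2 parameters carry no PRF AlgorithmIdentifier, so key derivation falls back to the default HMAC-SHA1, which is what the `MBEDTLS_MD_CAN_SHA1` dependency reflects, yet the plaintext decodes to text ending in "prf (SHA256)". The AES-192 and AES-256 cases do include the hmacWithSHA256 OID and depend on `MBEDTLS_MD_CAN_SHA256`. Naming the PRF in each title would stop a reader from assuming all three vectors cover the SHA-256 path, for example `PBES2 Encrypt, AES-128-CBC, default PRF HMAC-SHA1 (OK, generated with OpenSSL)`. The AES-128 decrypt case added in the next hunk has the same mismatch.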
@@ -142,6 +154,18 @@ PBES2 Decrypt (Invalid padding & PKCS7 padding enabled)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f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
+PBES2 Decrypt AES-128-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E0408010203040506070802022710301D060960864801650304010204102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"0c953c3a9be1502f4d1df1b82df9d99a61ebd2f60ed570d16b241f70b9e61f329174747d052efe5c39bec9d0f7404f84af242914e2ecb74e6e36e8b4147bd0a092a82df789aa3351e0de9f75b285ccb742806526771c8353ffb66176188b556e":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629"
+
+PBES2 Decrypt AES-192-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302a06092A864886F70D01050C301d0408010203040506070802022710020118300a06082A864886F70D0209301D060960864801650304011604102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7c648a9df9759ba49283c261269a71bc06d45f6c24ab6431d77b2ecec1fd6d1aa751bd05b1c026fc8ff91baeb1b1838aa0f825b23be79bc09331d0607181e234dfea4ab3cbf7997747516486b6865e85de95dc9b64d45462197c891b31af6c94":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629"
+
+PBES2 Decrypt AES-256-CBC (OK, generated with OpenSSL)
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pbes2_decrypt:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"302706092A864886F70D01050C301a0408010203040506070802022710300a06082A864886F70D0209301D060960864801650304012A04102F904F75B47B48A618068D79BD9A826C":"50617373776F726450617373776F726450617373776F7264":"7077e6e8e679962c6feda69c704d58507d143cf77be284f773dfcaa4a5f5e7c1cd5527204916302d435071c01126f4aa76205ce61998d7b8fdf065a77d4a77634376b9968e4722c27f2ac85d79565ff4fca9204d3e4bc8c5bd53c1785bb6e566":96:0:"5468697320697320612066696c6520746f20626520656e6372797074656420776974682050424553322c20776974682061206b65792067656e657261746564207573696e67206120707266202853484132353629"
+
PBES2 Decrypt (bad params tag)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C
pbes2_decrypt:MBEDTLS_ASN1_SEQUENCE:"":"":"":0:MBEDTLS_ERR_PKCS5_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:""
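Review bot: The three added AES decrypt cases omit `MBEDTLS_CIPHER_PADDING_PKCS7`, although the matching encrypt cases in the previous hunk require it. Each expected plaintext is shorter than its 96-byte ciphertext, so a pass without PKCS7 support presumably relies on `pbes2_decrypt` comparing only the first `ref_out->len` bytes; that function's body is outside this diff, so please confirm. If the omission is deliberate, say so in the case titles; otherwise append `:MBEDTLS_CIPHER_PADDING_PKCS7` to the three `depends_on` lines. The AES vectors also cover only the success path, so an AES counterpart to the existing DES "Invalid padding & PKCS7 padding enabled" case would pin the wrong-password behaviour for the new ciphers.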
diff --git a/tests/suites/test_suite_pkcs5.function b/tests/suites/test_suite_pkcs5.function
index 2b0b0c1..afe9f38 100644
--- a/tests/suites/test_suite_pkcs5.function
+++ b/tests/suites/test_suite_pkcs5.function
@@ -27,7 +27,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C:MBEDTLS_CIPHER_C */
void pbes2_encrypt(int params_tag, data_t *params_hex, data_t *pw,
data_t *data, int outsize, int ref_ret,
data_t *ref_out)
@@ -75,7 +75,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C:MBEDTLS_CIPHER_C */
void pbes2_decrypt(int params_tag, data_t *params_hex, data_t *pw,
data_t *data, int outsize, int ref_ret,
data_t *ref_out)
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index d3b83cd..7c0b2ce 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -1,158 +1,158 @@
PKCS7 Signed Data Parse Pass SHA256 #1
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
PKCS7 Signed Data Parse Pass SHA1 #2
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA
PKCS7 Signed Data Parse Pass Without CERT #3
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA
+pkcs7_parse:"../framework/data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA
PKCS7 Signed Data Parse with zero signers
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA
+pkcs7_parse:"../framework/data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA
PKCS7 Signed Data Parse Fail with multiple certs #4
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+pkcs7_parse:"../framework/data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
PKCS7 Signed Data Parse Fail with corrupted cert #5.0
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
PKCS7 Signed Data Parse Fail with disabled alg #5.1
depends_on:MBEDTLS_RSA_C:!MBEDTLS_MD_CAN_SHA512
-pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG
PKCS7 Parse Fail with Inlined Content Info #5.2
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+pkcs7_parse:"../framework/data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
PKCS7 Signed Data Parse Fail with no RSA #5.3
depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
PKCS7 Signed Data Parse Fail with corrupted signer info #6
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
PKCS7 Signed Data Parse Fail with corrupted signer info[1] invalid size #6.1
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail with corrupted signer info[2] invalid size #6.2
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail with corrupted signer info[1] unexpected tag #6.3
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
PKCS7 Signed Data Parse Fail with corrupted signer info[2] unexpected tag #6.4
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
PKCS7 Signed Data Parse Fail with corrupted signer info[1] fuzz bad #6.5
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail with corrupted signer info[2] fuzz bad #6.6
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail Version other than 1 #7
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION
PKCS7 Signed Data Parse Fail Encrypted Content #8
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
PKCS7 Signed Data Verification Pass zero-len data
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_zerolendata.bin":0:0
PKCS7 Signed Data Verification Fail zero-len data
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-2.der":"../framework/data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verification Pass SHA256 #9
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verification Pass SHA256 #9.1
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
PKCS7 Signed Data Verification Pass SHA1 #10
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verification Pass SHA512 #11
depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha512.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verification Fail because of different certificate #12
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-2.der":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verification Fail because of different data hash #13
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail Corrupt signerInfos[2] (6213931373035520)
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
PKCS7 Signed Data Parse Fail Corrupt signerInfos[1].issuerAndSerialNumber.serialNumber, after multi-element .name (4541044530479104)
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_parse:"data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
+pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Only Signed Data Parse Pass #15
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
+pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA
PKCS7 Signed Data Verify with multiple(2) signers #16.0
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verify with multiple(3) signers #16.1
depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_MEMORY_BUFFER_ALLOC_C
-pkcs7_verify:"data_files/pkcs7_data_3_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt data_files/pkcs7-rsa-sha256-3.crt":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_3_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt ../framework/data_files/pkcs7-rsa-sha256-3.crt":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Hash Verify with multiple signers #17
depends_on:MBEDTLS_MD_CAN_SHA256
-pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
PKCS7 Signed Data Hash Verify Fail with multiple signers #18
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA512
-pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
+pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
PKCS7 Signed Data Verify Pass Expired Cert #19 no TIME_DATE
depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE
-pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:0
+pkcs7_verify:"../framework/data_files/pkcs7_data_rsa_expired.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verify Fail Expired Cert #19 have DATE_TIME
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID
PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME 1
depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C
-pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verify Fail Expired Cert #19 no TIME_DATE 2
depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C
-pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+pkcs7_verify:"../framework/data_files/pkcs7_data_rsa_expired.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Parse Failure Invalid ASN1: Add null byte to start #20.0
depends_on:MBEDTLS_MD_CAN_SHA256
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 65384a8..4c8bf23 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -4,6 +4,7 @@
#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
+#include "x509_internal.h"
#include "mbedtls/oid.h"
#include "sys/types.h"
#include "sys/stat.h"
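Review bot: The added `#include "x509_internal.h"` pulls a library-internal header into the test suite without saying which declaration the suite needs from it. A trailing comment naming the symbol would show that the dependency on private API is deliberate, e.g. `#include "x509_internal.h" /* for <internal declaration used by this suite> */`. The include also sits between the public `mbedtls/` headers; placing it after them would keep the public/internal boundary visible. The code that uses the header is outside this hunk.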
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
index f82dcb5..c6295b1 100644
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@@ -1,1118 +1,1160 @@
Parse RSA Key #1 (No password when required)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
-pk_parse_keyfile_rsa:"data_files/test-ca.key":"NULL":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
+pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"NULL":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #2 (Correct password)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
-pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
+pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"PolarSSLTest":0
Parse RSA Key #3 (Wrong password)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
-pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
+pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #4 (DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_des.pem":"testkey":0
Parse RSA Key #5 (3DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_3des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_3des.pem":"testkey":0
Parse RSA Key #6 (AES-128 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes128.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes128.pem":"testkey":0
Parse RSA Key #7 (AES-192 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes192.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes192.pem":"testkey":0
Parse RSA Key #8 (AES-256 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes256.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes256.pem":"testkey":0
Parse RSA Key #9 (2048-bit, DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_des.pem":"testkey":0
Parse RSA Key #10 (2048-bit, 3DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_3des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_3des.pem":"testkey":0
Parse RSA Key #11 (2048-bit, AES-128 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes128.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes128.pem":"testkey":0
Parse RSA Key #12 (2048-bit, AES-192 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes192.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes192.pem":"testkey":0
Parse RSA Key #13 (2048-bit, AES-256 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0
Parse RSA Key #14 (4096-bit, DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_des.pem":"testkey":0
Parse RSA Key #15 (4096-bit, 3DES Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_3des.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_3des.pem":"testkey":0
Parse RSA Key #16 (4096-bit, AES-128 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0
Parse RSA Key #17 (4096-bit, AES-192 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0
Parse RSA Key #18 (4096-bit, AES-256 Encrypted)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0
Parse RSA Key #19 (PKCS#8 wrapped)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C
-pk_parse_keyfile_rsa:"data_files/format_gen.key":"":0
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C
+pk_parse_keyfile_rsa:"../framework/data_files/format_gen.key":"":0
Parse RSA Key #20 (PKCS#8 encrypted SHA1-3DES)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTest":0
Parse RSA Key #20.1 (PKCS#8 encrypted SHA1-3DES, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #20.2 (PKCS#8 encrypted SHA1-3DES, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #21 (PKCS#8 encrypted SHA1-3DES, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTest":0
Parse RSA Key #21.1 (PKCS#8 encrypted SHA1-3DES, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #21.2 (PKCS#8 encrypted SHA1-3DES, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0
Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der":"PolarSSLTest":0
Parse RSA Key #24 (PKCS#8 encrypted SHA1-3DES DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0
Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0
Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSSLTest":0
Parse RSA Key #26.1 (PKCS#8 encrypted SHA1-2DES, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #26.2 (PKCS#8 encrypted SHA1-2DES, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #27 (PKCS#8 encrypted SHA1-2DES, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSSLTest":0
Parse RSA Key #27.1 (PKCS#8 encrypted SHA1-2DES, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #27.2 (PKCS#8 encrypted SHA1-2DES, 2048-bit no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0
Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der":"PolarSSLTest":0
Parse RSA Key #30 (PKCS#8 encrypted SHA1-2DES DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0
Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0
Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTest":0
Parse RSA Key #38.1 (PKCS#8 encrypted v2 PBKDF2 3DES, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #38.2 (PKCS#8 encrypted v2 PBKDF2 3DES, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #39 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTest":0
Parse RSA Key #39.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #39.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0
Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTest":0
Parse RSA Key #41.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #41.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #42 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTest":0
Parse RSA Key #42.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #42.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0
Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTest":0
Parse RSA Key #44.1 (PKCS#8 encrypted v2 PBKDF2 DES, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #44.2 (PKCS#8 encrypted v2 PBKDF2 DES, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #45 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTest":0
Parse RSA Key #45.1 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #45.2 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0
Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTest":0
Parse RSA Key #47.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #47.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #48 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTest":0
Parse RSA Key #48.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #48.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0
Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #50.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #50.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #51 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #51.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #51.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #52 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #52.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #52.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #53 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTest":0
Parse RSA Key #53.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #53.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #54 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTest":0
Parse RSA Key #54.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #54.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #55 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTest":0
Parse RSA Key #55.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #55.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #56 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #56.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #56.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #57 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #57.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #57.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #58 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #58.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #58.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #59 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTest":0
Parse RSA Key #59.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #59.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #60 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTest":0
Parse RSA Key #60.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #60.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #61 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTest":0
Parse RSA Key #61.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #61.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #62 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #62.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #62.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #63 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #63.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #63.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #64 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #64.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #64.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #65 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTest":0
Parse RSA Key #65.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #65.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #66 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTest":0
Parse RSA Key #66.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #66.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #67 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTest":0
Parse RSA Key #68.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #68.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #69 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #69.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #69.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #70 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #70.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #70.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #71 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #71.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #71.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #72 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTest":0
Parse RSA Key #72.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #72.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #73 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTest":0
Parse RSA Key #73.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #73.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #74 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTest":0
Parse RSA Key #74.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #74.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #75 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #75.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #75.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #76 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #76.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #76.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #77 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #77.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #77.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #78 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTest":0
Parse RSA Key #78.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #78.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #79 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTest":0
Parse RSA Key #79.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #79.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #80 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTest":0
Parse RSA Key #80.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #80.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #81 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #81.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #81.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #82 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #82.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #82.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #83 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #83.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #83.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #84 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTest":0
Parse RSA Key #84.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #85.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #86 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTest":0
Parse RSA Key #86.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #86.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #87 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTest":0
Parse RSA Key #87.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #87.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #88 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #88.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #88.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #89 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #89.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #89.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #90 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #90.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #90.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #91 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTest":0
Parse RSA Key #91.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #91.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #92 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTest":0
Parse RSA Key #92.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #92.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #93 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTest":0
Parse RSA Key #93.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #93.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #94 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #94.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #94.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #95 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #95.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #95.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #96 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #96.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #96.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #97 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTest":0
Parse RSA Key #97.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #97.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #98 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTest":0
Parse RSA Key #98.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #98.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #99 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTest":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTest":0
Parse RSA Key #99.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0
+
+Parse RSA Key #99.4 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0
+
+Parse RSA Key #99.5 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0
+
+Parse RSA Key #99.6 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384 DER, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der":"PolarSSLTest":0
+
+Parse RSA Key #99.7 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384 DER, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der":"PolarSSLTest":0
+
+Parse RSA Key #99.8 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384 DER, 2048-bit)
+depends_on:MBEDTLS_AES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0
+
+# Test keys with non-word-aligned sizes.
+# We use sizes that are large enough to exercise PKCS#1 v1.5 signature with
+# the largest supported hashes (SHA-512 and SHA3-512.)
+Parse RSA Key #100 (768-bit)
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_768_clear.der":"":0
+
+Parse RSA Key #100 (769-bit)
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_769_clear.der":"":0
+
+Parse RSA Key #100 (770-bit)
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_770_clear.der":"":0
+
+Parse RSA Key #100 (776-bit)
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_776_clear.der":"":0
+
+Parse RSA Key #100 (784-bit)
+pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_784_clear.der":"":0
Parse Public RSA Key #1 (PKCS#8 wrapped)
depends_on:MBEDTLS_PEM_PARSE_C
-pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.pem":0
+pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs8_2048_public.pem":0
Parse Public RSA Key #1 (PKCS#8 wrapped, DER)
-pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.der":0
+pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs8_2048_public.der":0
Parse Public RSA Key #3 (PKCS#1 wrapped)
depends_on:MBEDTLS_PEM_PARSE_C
-pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.pem":0
+pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_public.pem":0
Parse Public RSA Key #4 (PKCS#1 wrapped, DER)
-pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.der":0
+pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_public.der":0
Parse Public EC Key #1 (RFC 5480, DER)
depends_on:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_public_keyfile_ec:"data_files/ec_pub.der":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.der":0
Parse Public EC Key #2 (RFC 5480, PEM)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_public_keyfile_ec:"data_files/ec_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.pem":0
Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP192R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.comp.pem":0
Parse Public EC Key #3 (RFC 5480, secp224r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP224R1
-pk_parse_public_keyfile_ec:"data_files/ec_224_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_224_pub.pem":0
# Compressed points parsing does not support MBEDTLS_ECP_DP_SECP224R1 and
# MBEDTLS_ECP_DP_SECP224K1. Therefore a failure is expected in this case
Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP224R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
Parse Public EC Key #4 (RFC 5480, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_public_keyfile_ec:"data_files/ec_256_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_256_pub.pem":0
Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_256_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_256_pub.comp.pem":0
Parse Public EC Key #5 (RFC 5480, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP384R1
-pk_parse_public_keyfile_ec:"data_files/ec_384_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_384_pub.pem":0
Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_384_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_384_pub.comp.pem":0
Parse Public EC Key #6 (RFC 5480, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP521R1
-pk_parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_521_pub.pem":0
Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP521R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_521_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_521_pub.comp.pem":0
Parse Public EC Key #7 (RFC 5480, brainpoolP256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP256R1
-pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp256_pub.pem":0
Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP256R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp256_pub.comp.pem":0
Parse Public EC Key #8 (RFC 5480, brainpoolP384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP384R1
-pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp384_pub.pem":0
Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP384R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp384_pub.comp.pem":0
Parse Public EC Key #9 (RFC 5480, brainpoolP512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP512R1
-pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp512_pub.pem":0
Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP512R1_ENABLED
-pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.comp.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp512_pub.comp.pem":0
Parse Public EC Key #10 (RFC 8410, DER, X25519)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519
-pk_parse_public_keyfile_ec:"data_files/ec_x25519_pub.der":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_x25519_pub.der":0
Parse Public EC Key #11 (RFC 8410, DER, X448)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448
-pk_parse_public_keyfile_ec:"data_files/ec_x448_pub.der":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_x448_pub.der":0
Parse Public EC Key #12 (RFC 8410, PEM, X25519)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519
-pk_parse_public_keyfile_ec:"data_files/ec_x25519_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_x25519_pub.pem":0
Parse Public EC Key #13 (RFC 8410, PEM, X448)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448
-pk_parse_public_keyfile_ec:"data_files/ec_x448_pub.pem":0
+pk_parse_public_keyfile_ec:"../framework/data_files/ec_x448_pub.pem":0
Parse EC Key #1 (SEC1 DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.der":"NULL":0
Parse EC Key #2 (SEC1 PEM)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.pem":"NULL":0
Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP192R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_prv.sec1.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.comp.pem":"NULL":0
Parse EC Key #3 (SEC1 PEM encrypted)
-depends_on:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA
-pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pw.pem":"polar":0
+depends_on:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.pw.pem":"polar":0
Parse EC Key #4 (PKCS8 DER)
depends_on:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8.der":"NULL":0
Parse EC Key #4a (PKCS8 DER, no public key)
depends_on:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopub.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopub.der":"NULL":0
Parse EC Key #4b (PKCS8 DER, no public key, with parameters)
depends_on:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopubparam.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopubparam.der":"NULL":0
Parse EC Key #4c (PKCS8 DER, with parameters)
depends_on:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8param.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8param.der":"NULL":0
Parse EC Key #5 (PKCS8 PEM)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8.pem":"NULL":0
Parse EC Key #5a (PKCS8 PEM, no public key)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopub.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopub.pem":"NULL":0
Parse EC Key #5b (PKCS8 PEM, no public key, with parameters)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopubparam.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopubparam.pem":"NULL":0
Parse EC Key #5c (PKCS8 PEM, with parameters)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_prv.pk8param.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8param.pem":"NULL":0
Parse EC Key #8 (SEC1 PEM, secp224r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP224R1
-pk_parse_keyfile_ec:"data_files/ec_224_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_224_prv.pem":"NULL":0
Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP224R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_224_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_224_prv.comp.pem":"NULL":0
Parse EC Key #9 (SEC1 PEM, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_parse_keyfile_ec:"data_files/ec_256_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_256_prv.pem":"NULL":0
Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_256_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_256_prv.comp.pem":"NULL":0
Parse EC Key #10 (SEC1 PEM, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP384R1
-pk_parse_keyfile_ec:"data_files/ec_384_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_384_prv.pem":"NULL":0
Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_384_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_384_prv.comp.pem":"NULL":0
Parse EC Key #11 (SEC1 PEM, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP521R1
-pk_parse_keyfile_ec:"data_files/ec_521_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_521_prv.pem":"NULL":0
Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP521R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_521_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_521_prv.comp.pem":"NULL":0
Parse EC Key #12 (SEC1 PEM, bp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP256R1
-pk_parse_keyfile_ec:"data_files/ec_bp256_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp256_prv.pem":"NULL":0
Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP256R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_bp256_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp256_prv.comp.pem":"NULL":0
Parse EC Key #13 (SEC1 PEM, bp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP384R1
-pk_parse_keyfile_ec:"data_files/ec_bp384_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp384_prv.pem":"NULL":0
Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP384R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_bp384_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp384_prv.comp.pem":"NULL":0
Parse EC Key #14 (SEC1 PEM, bp512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP512R1
-pk_parse_keyfile_ec:"data_files/ec_bp512_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp512_prv.pem":"NULL":0
Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP512R1_ENABLED
-pk_parse_keyfile_ec:"data_files/ec_bp512_prv.comp.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_bp512_prv.comp.pem":"NULL":0
Parse EC Key #15 (SEC1 DER, secp256k1, SpecifiedECDomain)
depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_PK_PARSE_EC_EXTENDED
-pk_parse_keyfile_ec:"data_files/ec_prv.specdom.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_prv.specdom.der":"NULL":0
Parse EC Key #16 (RFC 8410, DER, X25519)
depends_on:MBEDTLS_ECP_HAVE_CURVE25519
-pk_parse_keyfile_ec:"data_files/ec_x25519_prv.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_x25519_prv.der":"NULL":0
Parse EC Key #17 (RFC 8410, DER, X448)
depends_on:MBEDTLS_ECP_HAVE_CURVE448
-pk_parse_keyfile_ec:"data_files/ec_x448_prv.der":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_x448_prv.der":"NULL":0
Parse EC Key #18 (RFC 8410, PEM, X25519)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519
-pk_parse_keyfile_ec:"data_files/ec_x25519_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_x25519_prv.pem":"NULL":0
Parse EC Key #19 (RFC 8410, PEM, X448)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448
-pk_parse_keyfile_ec:"data_files/ec_x448_prv.pem":"NULL":0
+pk_parse_keyfile_ec:"../framework/data_files/ec_x448_prv.pem":"NULL":0
Key ASN1 (No data)
pk_parse_key:"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
@@ -1120,78 +1162,6 @@ pk_parse_key:"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Key ASN1 (First tag not Sequence)
pk_parse_key:"020100":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-Key ASN1 (RSAPrivateKey, incorrect version tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"300100":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, version tag missing)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, invalid version)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3003020101":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct version, incorrect tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"300402010000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct format+values, minimal modulus size (128 bit))
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0
-
-Key ASN1 (RSAPrivateKey, correct format, modulus too small (127 bit))
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct format, modulus even)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct format, d == 0)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct format, d == p == q == 0)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, trailing garbage)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3064020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c00":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, n wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, e wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, d wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, p wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, q wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, dp wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, dq wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Key ASN1 (RSAPrivateKey, correct values, qp wrong tag)
-depends_on:MBEDTLS_RSA_C
-pk_parse_key:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
Key ASN1 (ECPrivateKey, empty parameters)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS
pk_parse_key:"30070201010400a000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
@@ -1220,11 +1190,11 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519
pk_parse_key:"3072020101300506032b656e04220420b06d829655543a51cba36e53522bc0acfd60af59466555fb3e1e796872ab1a59a01f301d060a2a864886f70d01090914310f0c0d437572646c65204368616972738121009bc3b0e93d8233fe6a8ba6138948cc12a91362d5c2ed81584db05ab5419c9d11":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Key ASN1 (Encrypted key PKCS5, trailing garbage data)
-depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS5_C
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519:MBEDTLS_MD_CAN_SHA1:MBEDTLS_CIPHER_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
pk_parse_key_encrypted:"307C304006092A864886F70D01050D3033301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC3949100438AD100BAC552FD0AE70BECAFA60F5E519B6180C77E8DB0B9ECC6F23FEDD30AB9BDCA2AF9F97BC470FC3A82DCA2364E22642DE0AF9275A82CB":"AAAAAAAAAAAAAAAAAA":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
Key ASN1 (Encrypted key PKCS12, trailing garbage data)
-depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519:MBEDTLS_MD_CAN_SHA1:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS12_C
+depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519:MBEDTLS_MD_CAN_SHA1:MBEDTLS_CIPHER_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
pk_parse_key_encrypted:"3058301C060A2A864886F70D010C0103300E0409CCCCCCCCCCCCCCCCCC02010A04380A8CAF39C4FA001884D0583B323C5E70942444FBE1F650B92F8ADF4AD7BD5049B4748F53A2531139EBF253FE01E8FC925C82C759C944B4D0":"AAAAAAAAAAAAAAAAAA":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
# From RFC8410 Appendix A but made into version 0
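Review bot: `MBEDTLS_CIPHER_C` is listed twice in the new `depends_on` line of "Key ASN1 (Encrypted key PKCS5, trailing garbage data)", once after `MBEDTLS_MD_CAN_SHA1` and again at the very end, and the PKCS12 case below has the same duplicate. A repeated dependency should not change which configurations run the test, but it looks like a leftover from merging two edits and makes the list harder to audit. Drop the trailing entry so the lines end in `...:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS5_C` and `...:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_PKCS12_C` respectively.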
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 64a3175..63ff092 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -6,10 +6,103 @@
#include "mbedtls/psa_util.h"
#include "pk_internal.h"
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include "test/psa_exercise_key.h"
+#endif
+
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
#define HAVE_mbedtls_pk_parse_key_pkcs8_encrypted_der
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_FS_IO)
+static int test_psa_bridge(const mbedtls_pk_context *ctx,
+ psa_key_usage_t usage_flag)
+{
+ switch (usage_flag) {
+ case PSA_KEY_USAGE_SIGN_HASH:
+ mbedtls_test_set_step(0);
+ break;
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ mbedtls_test_set_step(1);
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ mbedtls_test_set_step(2);
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ mbedtls_test_set_step(3);
+ break;
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ mbedtls_test_set_step(4);
+ break;
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ mbedtls_test_set_step(5);
+ break;
+ case PSA_KEY_USAGE_ENCRYPT:
+ mbedtls_test_set_step(6);
+ break;
+ }
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t psa_key = MBEDTLS_SVC_KEY_ID_INIT;
+ int ok = 0;
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0);
+ int ret = mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key);
+ if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_RSA &&
+ mbedtls_pk_get_bitlen(ctx) % 8 != 0 &&
+ ret == MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) {
+ /* There is a historical limitation with support for RSA keys in PSA:
+ * only byte-aligned sizes are supported.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9048
+ * For now, for such keys, treat not-supported from PSA as a success.
+ */
+ ok = 1;
+ goto exit;
+ }
+ TEST_EQUAL(ret, 0);
+ if (!mbedtls_test_key_consistency_psa_pk(psa_key, ctx)) {
+ goto exit;
+ }
+
+ psa_algorithm_t exercise_usage = psa_get_key_usage_flags(&attributes);
+ psa_algorithm_t exercise_alg = psa_get_key_algorithm(&attributes);
+ if (mbedtls_test_can_exercise_psa_algorithm(exercise_alg)) {
+ TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key,
+ exercise_usage,
+ exercise_alg, 0));
+ }
+
+ mbedtls_test_set_step((unsigned long) -1);
+ ok = 1;
+
+exit:
+ psa_destroy_key(psa_key);
+ psa_reset_key_attributes(&attributes);
+ return ok;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/* Whether a pk key can do ECDSA. Opaque keys are not supported since this
+ * test suite does not create opaque keys. */
+static int pk_can_ecdsa(const mbedtls_pk_context *ctx)
+{
+ /* Check whether we have an EC key. Unfortunately this also accepts
+ * keys on Montgomery curves, which can only do ECDH, so we'll have
+ * to dig further. */
+ if (!mbedtls_pk_can_do(ctx, MBEDTLS_PK_ECDSA)) {
+ return 0;
+ }
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ return ctx->ec_family != PSA_ECC_FAMILY_MONTGOMERY;
+#elif defined(MBEDTLS_ECDSA_C)
+ return mbedtls_ecdsa_can_do(mbedtls_pk_ec_ro(*ctx)->grp.id);
+#else
+ return 0;
+#endif
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+#endif /* MBEDTLS_PSA_CRYPTO_C && && MBEDTLS_FS_IO */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
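Review bot: In `test_psa_bridge`, `exercise_usage` is declared as `psa_algorithm_t` although it stores the result of `psa_get_key_usage_flags()`; it should read `psa_key_usage_t exercise_usage = psa_get_key_usage_flags(&attributes);`. Both are plain integer typedefs in the PSA headers, so this compiles, but the wrong type hides what is being passed to `mbedtls_test_psa_exercise_key`. The `switch (usage_flag)` has no `default`, so a usage flag not in the list leaves whatever step number was set before; a `default:` that sets a distinct step would keep failure reports attributable. The closing guard comment also has a doubled operator and should be `#endif /* MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */`.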
@@ -34,18 +127,32 @@ void pk_parse_keyfile_rsa(char *key_file, char *password, int result)
res = mbedtls_pk_parse_keyfile(&ctx, key_file, pwd,
mbedtls_test_rnd_std_rand, NULL);
- TEST_ASSERT(res == result);
+ TEST_EQUAL(res, result);
if (res == 0) {
mbedtls_rsa_context *rsa;
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA));
rsa = mbedtls_pk_rsa(ctx);
- TEST_ASSERT(mbedtls_rsa_check_privkey(rsa) == 0);
+ TEST_EQUAL(mbedtls_rsa_check_privkey(rsa), 0);
+
+ size_t bitlen = mbedtls_rsa_get_bitlen(rsa);
+ TEST_EQUAL(mbedtls_pk_get_bitlen(&ctx), bitlen);
+ TEST_EQUAL(mbedtls_pk_get_len(&ctx), (bitlen + 7) / 8);
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ PSA_INIT();
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_MESSAGE));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_DECRYPT));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_ENCRYPT));
+#endif
}
exit:
mbedtls_pk_free(&ctx);
- MD_PSA_DONE();
+ PSA_DONE();
}
/* END_CASE */
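Review bot: The added PSA block is guarded by `#if defined(MBEDTLS_PSA_CRYPTO_C)` alone, whereas `test_psa_bridge` is only defined under `MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO`. Unless the case's `depends_on` line (outside this hunk) already requires `MBEDTLS_FS_IO`, these calls would fail to compile in a PSA build without file I/O; either repeat the full condition here or note the covering dependency in a comment beside the guard. The same mismatch is present in the blocks added to `pk_parse_public_keyfile_rsa` and `pk_parse_public_keyfile_ec` in the following hunks. The `PSA_INIT()` placed inside the success branch also deserves a one-line reason, for example `/* The MD-only init above may not have started PSA; the bridge tests need it. */`, assuming that is why it is there. The function starts and ends outside this hunk.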
@@ -61,18 +168,29 @@ void pk_parse_public_keyfile_rsa(char *key_file, int result)
res = mbedtls_pk_parse_public_keyfile(&ctx, key_file);
- TEST_ASSERT(res == result);
+ TEST_EQUAL(res, result);
if (res == 0) {
mbedtls_rsa_context *rsa;
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_RSA));
rsa = mbedtls_pk_rsa(ctx);
- TEST_ASSERT(mbedtls_rsa_check_pubkey(rsa) == 0);
+ TEST_EQUAL(mbedtls_rsa_check_pubkey(rsa), 0);
+
+ size_t bitlen = mbedtls_rsa_get_bitlen(rsa);
+ TEST_EQUAL(mbedtls_pk_get_bitlen(&ctx), bitlen);
+ TEST_EQUAL(mbedtls_pk_get_len(&ctx), (bitlen + 7) / 8);
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ PSA_INIT();
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_ENCRYPT));
+#endif
}
exit:
mbedtls_pk_free(&ctx);
- MD_PSA_DONE();
+ PSA_DONE();
}
/* END_CASE */
@@ -83,11 +201,11 @@ void pk_parse_public_keyfile_ec(char *key_file, int result)
int res;
mbedtls_pk_init(&ctx);
- USE_PSA_INIT();
+ MD_OR_USE_PSA_INIT();
res = mbedtls_pk_parse_public_keyfile(&ctx, key_file);
- TEST_ASSERT(res == result);
+ TEST_EQUAL(res, result);
if (res == 0) {
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY));
@@ -98,13 +216,21 @@ void pk_parse_public_keyfile_ec(char *key_file, int result)
#else
const mbedtls_ecp_keypair *eckey;
eckey = mbedtls_pk_ec_ro(ctx);
- TEST_ASSERT(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q) == 0);
+ TEST_EQUAL(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q), 0);
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ PSA_INIT();
+ if (pk_can_ecdsa(&ctx)) {
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE));
+ }
#endif
}
exit:
mbedtls_pk_free(&ctx);
- USE_PSA_DONE();
+ PSA_DONE();
}
/* END_CASE */
@@ -115,26 +241,37 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result)
int res;
mbedtls_pk_init(&ctx);
- USE_PSA_INIT();
+ MD_OR_USE_PSA_INIT();
res = mbedtls_pk_parse_keyfile(&ctx, key_file, password,
mbedtls_test_rnd_std_rand, NULL);
- TEST_ASSERT(res == result);
+ TEST_EQUAL(res, result);
if (res == 0) {
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY));
-#if defined(MBEDTLS_ECP_C)
- const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec_ro(ctx);
- TEST_ASSERT(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d) == 0);
-#else
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/* PSA keys are already checked on import so nothing to do here. */
+#else
+ const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec_ro(ctx);
+ TEST_EQUAL(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d), 0);
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ PSA_INIT();
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_DERIVE));
+ if (pk_can_ecdsa(&ctx)) {
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_SIGN_MESSAGE));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_HASH));
+ TEST_ASSERT(test_psa_bridge(&ctx, PSA_KEY_USAGE_VERIFY_MESSAGE));
+ }
#endif
}
exit:
mbedtls_pk_free(&ctx);
- USE_PSA_DONE();
+ PSA_DONE();
}
/* END_CASE */
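Review bot: `test_psa_bridge(&ctx, PSA_KEY_USAGE_DERIVE)` runs for every parsed EC private key, while the sign and verify usages are gated on `pk_can_ecdsa(&ctx)`; nothing in the hunk gates the derive case on key agreement being available in the build. Whether `test_psa_bridge` copes with a configuration without ECDH is not visible here, so that should be confirmed. A comment stating the intent would help, e.g. `/* DERIVE is checked for every EC key pair; sign/verify only when this key can do ECDSA. */`. The start of `pk_parse_keyfile_ec` is outside the hunk.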
diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index d58226e..b1fb73b 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -1,155 +1,155 @@
Public key write check RSA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
-pk_write_pubkey_check:"data_files/server1.pubkey":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/server1.pubkey":TEST_PEM
Public key write check RSA (DER)
depends_on:MBEDTLS_RSA_C
-pk_write_pubkey_check:"data_files/server1.pubkey.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/server1.pubkey.der":TEST_DER
Public key write check RSA 4096
depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
-pk_write_pubkey_check:"data_files/rsa4096_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/rsa4096_pub.pem":TEST_PEM
Public key write check RSA 4096 (DER)
depends_on:MBEDTLS_RSA_C
-pk_write_pubkey_check:"data_files/rsa4096_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/rsa4096_pub.der":TEST_DER
Public key write check EC 192 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP192R1
-pk_write_pubkey_check:"data_files/ec_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/ec_pub.pem":TEST_PEM
Public key write check EC 192 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
-pk_write_pubkey_check:"data_files/ec_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/ec_pub.der":TEST_DER
Public key write check EC 521 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_pubkey_check:"data_files/ec_521_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/ec_521_pub.pem":TEST_PEM
Public key write check EC 521 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_pubkey_check:"data_files/ec_521_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/ec_521_pub.der":TEST_DER
Public key write check EC Brainpool 512 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1
-pk_write_pubkey_check:"data_files/ec_bp512_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.pem":TEST_PEM
Public key write check EC Brainpool 512 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1
-pk_write_pubkey_check:"data_files/ec_bp512_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.der":TEST_DER
Public key write check EC X25519
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE25519
-pk_write_pubkey_check:"data_files/ec_x25519_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/ec_x25519_pub.pem":TEST_PEM
Public key write check EC X25519 (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519
-pk_write_pubkey_check:"data_files/ec_x25519_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/ec_x25519_pub.der":TEST_DER
Public key write check EC X448
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE448
-pk_write_pubkey_check:"data_files/ec_x448_pub.pem":TEST_PEM
+pk_write_pubkey_check:"../framework/data_files/ec_x448_pub.pem":TEST_PEM
Public key write check EC X448 (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448
-pk_write_pubkey_check:"data_files/ec_x448_pub.der":TEST_DER
+pk_write_pubkey_check:"../framework/data_files/ec_x448_pub.der":TEST_DER
Private key write check RSA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
-pk_write_key_check:"data_files/server1.key":TEST_PEM
+pk_write_key_check:"../framework/data_files/server1.key":TEST_PEM
Private key write check RSA (DER)
depends_on:MBEDTLS_RSA_C
-pk_write_key_check:"data_files/server1.key.der":TEST_DER
+pk_write_key_check:"../framework/data_files/server1.key.der":TEST_DER
Private key write check RSA 4096
depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
-pk_write_key_check:"data_files/rsa4096_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/rsa4096_prv.pem":TEST_PEM
Private key write check RSA 4096 (DER)
depends_on:MBEDTLS_RSA_C
-pk_write_key_check:"data_files/rsa4096_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/rsa4096_prv.der":TEST_DER
Private key write check EC 192 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP192R1
-pk_write_key_check:"data_files/ec_prv.sec1.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_prv.sec1.pem":TEST_PEM
Private key write check EC 192 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
-pk_write_key_check:"data_files/ec_prv.sec1.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_prv.sec1.der":TEST_DER
Private key write check EC 256 bits (top bit set)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP256R1
-pk_write_key_check:"data_files/ec_256_long_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_256_long_prv.pem":TEST_PEM
Private key write check EC 256 bits (top bit set) (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1
-pk_write_key_check:"data_files/ec_256_long_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_256_long_prv.der":TEST_DER
Private key write check EC 521 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_key_check:"data_files/ec_521_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_521_prv.pem":TEST_PEM
Private key write check EC 521 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_key_check:"data_files/ec_521_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_521_prv.der":TEST_DER
Private key write check EC 521 bits (top byte is 0)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_key_check:"data_files/ec_521_short_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_521_short_prv.pem":TEST_PEM
Private key write check EC 521 bits (top byte is 0) (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_key_check:"data_files/ec_521_short_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_521_short_prv.der":TEST_DER
Private key write check EC Brainpool 512 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1
-pk_write_key_check:"data_files/ec_bp512_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_bp512_prv.pem":TEST_PEM
Private key write check EC Brainpool 512 bits (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1
-pk_write_key_check:"data_files/ec_bp512_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_bp512_prv.der":TEST_DER
Private key write check EC X25519
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE25519
-pk_write_key_check:"data_files/ec_x25519_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_x25519_prv.pem":TEST_PEM
Private key write check EC X25519 (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519
-pk_write_key_check:"data_files/ec_x25519_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_x25519_prv.der":TEST_DER
Private key write check EC X448
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE448
-pk_write_key_check:"data_files/ec_x448_prv.pem":TEST_PEM
+pk_write_key_check:"../framework/data_files/ec_x448_prv.pem":TEST_PEM
Private key write check EC X448 (DER)
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448
-pk_write_key_check:"data_files/ec_x448_prv.der":TEST_DER
+pk_write_key_check:"../framework/data_files/ec_x448_prv.der":TEST_DER
Derive public key RSA
depends_on:MBEDTLS_RSA_C
-pk_write_public_from_private:"data_files/server1.key.der":"data_files/server1.pubkey.der"
+pk_write_public_from_private:"../framework/data_files/server1.key.der":"../framework/data_files/server1.pubkey.der"
Derive public key RSA 4096
depends_on:MBEDTLS_RSA_C
-pk_write_public_from_private:"data_files/rsa4096_prv.der":"data_files/rsa4096_pub.der"
+pk_write_public_from_private:"../framework/data_files/rsa4096_prv.der":"../framework/data_files/rsa4096_pub.der"
Derive public key EC 192 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1
-pk_write_public_from_private:"data_files/ec_prv.sec1.der":"data_files/ec_pub.der"
+pk_write_public_from_private:"../framework/data_files/ec_prv.sec1.der":"../framework/data_files/ec_pub.der"
Derive public key EC 521 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1
-pk_write_public_from_private:"data_files/ec_521_prv.der":"data_files/ec_521_pub.der"
+pk_write_public_from_private:"../framework/data_files/ec_521_prv.der":"../framework/data_files/ec_521_pub.der"
Derive public key EC Brainpool 512 bits
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1
-pk_write_public_from_private:"data_files/ec_bp512_prv.der":"data_files/ec_bp512_pub.der"
+pk_write_public_from_private:"../framework/data_files/ec_bp512_prv.der":"../framework/data_files/ec_bp512_pub.der"
Derive public key EC X25519
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519
-pk_write_public_from_private:"data_files/ec_x25519_prv.der":"data_files/ec_x25519_pub.der"
+pk_write_public_from_private:"../framework/data_files/ec_x25519_prv.der":"../framework/data_files/ec_x25519_pub.der"
Derive public key EC X448
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448
-pk_write_public_from_private:"data_files/ec_x448_prv.der":"data_files/ec_x448_pub.der"
+pk_write_public_from_private:"../framework/data_files/ec_x448_prv.der":"../framework/data_files/ec_x448_pub.der"
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 730bb88..735c125 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/pk.h"
+#include "pk_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "psa/crypto_sizes.h"
@@ -68,19 +68,18 @@ static int pk_write_any_key(mbedtls_pk_context *pk, unsigned char **p,
static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
{
mbedtls_pk_context key;
+ mbedtls_pk_init(&key);
unsigned char *buf = NULL;
unsigned char *check_buf = NULL;
unsigned char *start_buf;
size_t buf_len, check_buf_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
USE_PSA_INIT();
- mbedtls_pk_init(&key);
- USE_PSA_INIT();
-
/* Note: if mbedtls_pk_load_file() successfully reads the file, then
it also allocates check_buf, which should be freed on exit */
TEST_EQUAL(mbedtls_pk_load_file(key_file, &check_buf, &check_buf_len), 0);
@@ -119,10 +118,13 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
/* Verify that pk_write works also for opaque private keys */
if (!is_public_key) {
memset(buf, 0, check_buf_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id,
- PSA_ALG_NONE,
- PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the key PK context into an opaque one.
+ * Note: set some practical usage for the key to make get_psa_attributes() happy. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0);
start_buf = buf;
buf_len = check_buf_len;
TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
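Review bot: The replacement for `mbedtls_pk_wrap_as_opaque()` no longer names `PSA_KEY_USAGE_EXPORT` anywhere, yet the `pk_write_any_key()` call that follows has to export the opaque private key. The test presumably relies on `mbedtls_pk_get_psa_attributes()` granting export permission in addition to the requested usage; the new comment does not say so and could be extended, e.g. `/* SIGN_MESSAGE is arbitrary; the write below relies on the attributes also permitting export. */`. The later hunk in `pk_write_public_from_private` repeats the same five-line conversion with `PSA_KEY_USAGE_SIGN_HASH`; one usage value in both places, or a shared static helper, would remove the duplication. `key_attr` is not reset in the visible lines and the cleanup after `exit:` is outside the hunk, so check that `psa_reset_key_attributes(&key_attr)` is called there.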
@@ -174,6 +176,7 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
size_t pub_key_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&priv_key);
@@ -196,9 +199,12 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_platform_zeroize(derived_key_raw, derived_key_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
- PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the priv_key PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&priv_key);
+ mbedtls_pk_init(&priv_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
derived_key_len), pub_key_len);
diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data
index 4d57450..653d254 100644
--- a/tests/suites/test_suite_platform.data
+++ b/tests/suites/test_suite_platform.data
@@ -6,4 +6,10 @@ Time: get seconds
time_get_seconds:
Check mbedtls_calloc overallocation
+# This test case exercises an integer overflow in calloc. Under Asan, with
+# a modern Clang, this triggers an ASan/MSan/TSan complaint. The complaint
+# can be avoided with e.g. ASAN_OPTIONS=allocator_may_return_null=1,
+# but this has to be set in the environment before the program starts,
+# and could hide other errors.
+depends_on:!MBEDTLS_TEST_HAVE_ASAN:!MBEDTLS_TEST_HAVE_MSAN:!MBEDTLS_TEST_HAVE_TSAN
check_mbedtls_calloc_overallocation:SIZE_MAX/2:SIZE_MAX/2
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 7b19748..32c7274 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -104,9 +104,9 @@ PSA import/export RSA keypair: export buffer too small
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1
-PSA import/export RSA keypair: trailing garbage ignored
+PSA import/export RSA keypair: trailing garbage rejected
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
-import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:-1:PSA_SUCCESS:0
+import_with_data:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT
PSA import/export RSA public key: good, 1024-bit, opaque
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:PSA_CRYPTO_DRIVER_TEST
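Review bot: The rewritten case keeps the `depends_on` line of the old `import_export` test, so the trailing-garbage rejection only runs when `PSA_WANT_ALG_RSA_PKCS1V15_SIGN` and `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT` are enabled, although `import_with_data` is passed neither an algorithm nor an export step. The "PSA import RSA keypair: truncated" case visible in the next hunk depends only on `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT`; using that line here would keep this strict-parsing check running in more configurations. The title still begins "PSA import/export", which no longer matches what the case does; "PSA import RSA keypair: trailing garbage rejected" would. The opaque variant in the next hunk has the same two issues.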
@@ -156,9 +156,9 @@ PSA import/export RSA keypair: export buffer too small, opaque
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1
-PSA import/export RSA keypair: trailing garbage ignored, opaque
+PSA import/export RSA keypair: trailing garbage rejected, opaque
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
-import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:-1:PSA_SUCCESS:0
+import_with_data:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ERROR_INVALID_ARGUMENT
PSA import RSA keypair: truncated
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
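Review bot: The ", opaque" case now passes only data, key type, bit size and expected status to `import_with_data`, so the `PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION )` argument is gone and nothing visible sends the import through the test driver. As written it appears to repeat the transparent case while still requiring `PSA_CRYPTO_DRIVER_TEST`. Either drop the duplicate or use an entry point that takes a lifetime, so that rejection of trailing bytes is also checked on the driver import path.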
@@ -225,19 +225,19 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:P
import_export:"3082025802010002818000cde684f1aee96917b89c8a0a72523cfce4686ed5a5fbd32abab12038fc75148e45314b7e31fe60d8258e7e78234a23df0f00cc20fd008b64cb5b0f4ced8c47aa048f767f859961adc22b3df14e63bd9e08c9707bbf4e0eba32b1cc35a020e7e815ca47e0d39601a80d683ab4a07f4d3a7acebaba6c87d25bce2d091ee115c50203010001028180009dd9c34411e769a540e7e9c03682abb4e95ad2d5c2297c6b7eb2fa5415dfa081adb42bff344ea36a31e8bb36593fa69e843f053fa916f8c6ae4c423fa4c1edbcfa7e8079bc19a738f4f861c198cf277d2c89fe3deab06db5a3a09f8d1622033a618fbfbab92b50a13f77cdb53b56d38bec4cdd8cbe65e8b30ab4e77565842102400eec9285833f973372458f354bff7d35bcb04f3b26f5b58a025887a966ca951b6667651a46034bbc99f9d688dfbcb4297a4d86824dd73abdfa7deeb232b1642902400dcbe74d51f3b93afe2a22e2be0c3c56911ef771fd8eb01f64d95d018315baf4144aeb957be95a77f17f2b8a12c2d3b87a1281f9c66d839fa603fbbe7381783d0240035398154a7c1227d580cbbb05859d532d0bdf9d3fc1e5052e20ad9c84dd02ff6884037527c5f44bc5c67a9b67c39824e6ae011d6a5c5f2b997a188a7fe22a810240076bf41ec5023e57bcd87ff1c7d89f30d65a793469f933478021ea056135f45f4ef74aaa1c8158b883422cf2d6cad5c83c6aee5ea65ecd5ab99d14f4cc000ee5024006d13905db5556627066596da3383458aea6ba5e2f94ccc5b922117a1ed3ae7a26c59e68c3885a41b366f1a5c8bff7ec8853ef8d32addb818141352b2da553dc":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1016:0:PSA_SUCCESS:1
PSA import RSA public key: 1022-bit (not supported)
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_with_data:"30818802818036e4b95f847dcd7a91b0972b7ba096e040ec04e42d59f733029fb2600b8ae9e4fd8ea76f3d7ec576288102285b612db7abc53770006046fef321172a6ad84053710d48528a8d51b6481db53c09e1524d6704b58bd30313016535eefe9bcff89eb599608daaa0a72ab7720af31486b51020421fdd3c6974cc445a78dd134450230203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_ERROR_NOT_SUPPORTED
PSA import RSA keypair: 1022-bit (not supported)
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
import_with_data:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_ERROR_NOT_SUPPORTED
PSA import RSA public key: 1023-bit (not supported)
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_with_data:"3081880281806c49704e91f3df44fc99e9b3c0fee5025cc04d09529a1dd05754f2da2751d7a9aa5a79f7070132f2c47b31963e37cd74675f9c93ee7c85a143fefe303e94d1ee0e4d30898d17ab3a229e8457ef21fd179039f748305babe7f134f6d58ce5d721a1a5da98f63503d2466c6a515e53494a41180a91e535bd5b55d4dce2c17419870203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_ERROR_NOT_SUPPORTED
PSA import RSA keypair: 1023-bit (not supported)
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
import_with_data:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_ERROR_NOT_SUPPORTED
PSA import/export EC secp224r1 key pair: good
@@ -496,178 +496,168 @@ PSA import/export RSA keypair: policy forbids export (sign), opaque
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_CRYPTO_DRIVER_TEST
import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION ):1024:0:PSA_ERROR_NOT_PERMITTED:1
-# Test PEM import. Note that this is not a PSA feature, it's an Mbed TLS
-# extension which we may drop in the future.
-PSA import/export RSA public key: import PEM
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PEM_PARSE_C
-import_export:"2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d4947664d413047435371475349623344514542415155414134474e4144434269514b4267514376425830356275685074312f6274634b7850482f6c706c53710a69714a4843315165346636777353306c7835635255784a4a34524b574b41517475376242494e46454e5354765441357548596c57377249486576456a536433750a355553447641624378686c497a514b7941756557727232553036664c2b466e43775947634d6b79344b357a545474346d4f69712f2f6b637a384865476e6f5a670a3939614454615539615137336d46397277774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a00":PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0
-
-PSA import/export RSA keypair: import PEM
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PEM_PARSE_C
-import_export:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0
-
PSA import/export FFDH RFC7919 2048 key pair: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048
import_export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
PSA import/export FFDH RFC7919 2048 public key: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048
import_export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
PSA import/export FFDH RFC7919 3072 key pair: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072
import_export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
PSA import/export FFDH RFC7919 3072 public key: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072
import_export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
PSA import/export FFDH RFC7919 4096 key pair: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096
import_export:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C65533":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1
PSA import/export FFDH RFC7919 4096 public key: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096
import_export:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1
PSA import/export FFDH RFC7919 6144 key pair: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144
import_export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
PSA import/export FFDH RFC7919 6144 public key: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144
import_export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
PSA import/export FFDH RFC7919 8192 key pair: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192
import_export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
PSA import/export FFDH RFC7919 8192 public key: good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192
import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DAB
F6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1
-PSA import/export FFDH RFC7919 2048 key pair: export not permitterd
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+PSA import/export FFDH RFC7919 2048 key pair: export not permitted
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048
import_export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
PSA import/export FFDH RFC7919 2040 key pair: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048
import_with_data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
PSA import/export FFDH RFC7919 2040 public key: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048
import_with_data:"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":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):2048:PSA_ERROR_INVALID_ARGUMENT
PSA import/export FFDH RFC7919 3064 key pair: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072
import_with_data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
PSA import/export FFDH RFC7919 3064 public key: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072
import_with_data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
PSA import/export FFDH RFC7919 4088 key pair: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096
import_with_data:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C655":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_ERROR_INVALID_ARGUMENT
PSA import/export FFDH RFC7919 4088 public key: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096
import_with_data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
PSA import/export FFDH RFC7919 6136 key pair: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144
import_with_data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
PSA import/export FFDH RFC7919 6136 public key: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144
import_with_data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
PSA import/export FFDH RFC7919 8184 key pair: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192
import_with_data:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC
160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE38788122":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_ERROR_INVALID_ARGUMENT
PSA import/export FFDH RFC7919 8184 public key: import invalid key length
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192
import_with_data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
PSA import/export FFDH RFC7919 2048 key pair: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048
import_export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
PSA import/export FFDH RFC7919 2048 public key: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048
import_export:"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":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_BUFFER_TOO_SMALL:1
PSA import/export FFDH RFC7919 3072 key pair: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072
import_export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
PSA import/export FFDH RFC7919 3072 public key: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072
import_export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
PSA import/export FFDH RFC7919 4096 key pair: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096
import_export:"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":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_ERROR_BUFFER_TOO_SMALL:1
PSA import/export FFDH RFC7919 4096 public key: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096
import_export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
PSA import/export FFDH RFC7919 6144 key pair: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144
import_export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
PSA import/export FFDH RFC7919 6144 public key: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144
import_export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
PSA import/export FFDH RFC7919 8192 key pair: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192
import_export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
PSA import/export FFDH RFC7919 8192 public key: export buffer to small
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192
import_export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
PSA import/export-public FFDH RFC7919 public key 2048 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_2048
import_export_public_key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
PSA import/export-public FFDH RFC7919 key pair 2048 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_2048
import_export_public_key:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"AA396C4E08F47E499243FF17B3E0D019415A52FB6E31FCA71B2B9F46FE84E3A611757DD414A21E1BE8A8FFD60479348245918F7D771EC4A78733F627F72CE0FE1717EE3950B4DB7982577A332CC66C3F3EEB79CD604568644FD3EDAE35A08F3C75C7A99E1A24CB8B56CF7D102984568C0D93BAB9C760F22BB2AC3BEE62E532010E6EEB5A3FB2ABE1EEE1562C1C8D9AC8F781B7283C846B435F4BD4F437EE4D60B97B6EF6ECE675F199E6A40EEFFDC8C65F2973B662782FD2069AEFC026560FA57DE67474AD1A5C8837FF0644F6D0E79161DE5AC38B4837818A5EC38D335D6ECCCC1F9FC676D3548BA30635C5DB24C02BF86977E401E47C3262B81C84C340D729"
PSA import/export-public FFDH RFC7919 public key 3072 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_3072
import_export_public_key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
PSA import/export-public FFDH RFC7919 key pair 3072 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_3072
import_export_public_key:"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":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"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"
PSA import/export-public FFDH RFC7919 public key 4096 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_4096
import_export_public_key:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B
9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B"
PSA import/export-public FFDH RFC7919 key pair 4096 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_4096
import_export_public_key:"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":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"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"
PSA import/export-public FFDH RFC7919 public key 6144 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_6144
import_export_public_key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
PSA import/export-public FFDH RFC7919 key pair 6144 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_6144
import_export_public_key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
PSA import/export-public FFDH RFC7919 public key 8192 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY:PSA_WANT_DH_RFC7919_8192
import_export_public_key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
PSA import/export-public FFDH RFC7919 key pair 8192 good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_DH_RFC7919_8192
import_export_public_key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
PSA import: reject raw data key of length 0
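Review bot: The two `import PEM` cases are removed without a replacement that pins the new behaviour, so nothing visible in this hunk checks that PEM-encoded RSA input is rejected by import, if PEM is indeed no longer accepted. A negative case would keep a later parser change from silently accepting the format again, for example `import_with_data:"<hex of the removed PEM public key>":PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_ERROR_INVALID_ARGUMENT`, with the expected status to be confirmed against the implementation. Separately, the twelve descriptions ending in `export buffer to small` keep that typo although this hunk already corrects `permitterd`; `export buffer too small` would be consistent.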
@@ -684,7 +674,7 @@ import_with_data:"":PSA_KEY_TYPE_RAW_DATA:8:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: explicit bit-size=255 for secp256r1
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
-import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: explicit bit-size=521 for secp521r1 (good)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
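Review bot: The expected status for `explicit bit-size=255 for secp256r1` changes from `PSA_ERROR_NOT_SUPPORTED` to `PSA_ERROR_INVALID_ARGUMENT` with nothing in the data file saying why, and the same switch is made in the next two hunks (`explicit bit-size=528 for secp521r1 (bad)` and `implicit bit-size, not a valid length`). Callers that branch on the import status will see a different code, so a short comment above these cases would help, for example `# A size that matches no curve of the family is an invalid argument, not an unsupported key.`, presuming that is the intended rule. The 255-bit case could also carry the `(bad)` marker that the 528-bit description already has. Whether the status change is recorded in the ChangeLog cannot be seen from this hunk.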
@@ -692,7 +682,7 @@ import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af
PSA import EC keypair: explicit bit-size=528 for secp521r1 (bad)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
-import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: explicit bit-size, DER format
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
@@ -716,7 +706,7 @@ import_with_data:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba0120
PSA import EC keypair: implicit bit-size, not a valid length
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
-import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_NOT_SUPPORTED
+import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT
PSA import EC keypair: secp256r1, all-bits-zero (bad)
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
@@ -765,11 +755,11 @@ PSA import large key: raw, 65536 bits (not supported)
import_large_key:PSA_KEY_TYPE_RAW_DATA:8192:PSA_ERROR_NOT_SUPPORTED
PSA import RSA key pair: maximum size exceeded
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
import_rsa_made_up:PSA_VENDOR_RSA_MAX_KEY_BITS+8:1:PSA_ERROR_NOT_SUPPORTED
PSA import RSA public key: maximum size exceeded
-depends_on:MBEDTLS_RSA_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_rsa_made_up:PSA_VENDOR_RSA_MAX_KEY_BITS+8:0:PSA_ERROR_NOT_SUPPORTED
PSA key policy: AES ECB
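Review bot: The key-pair case `maximum size exceeded` now depends only on `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT`, while the RSA key-pair policy cases further down this file list `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC` alongside it. Unless the build configuration already implies BASIC whenever IMPORT is set, `depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT` would match them. Because both cases expect `PSA_ERROR_NOT_SUPPORTED`, a comment such as `# Needs RSA import enabled so that NOT_SUPPORTED reflects the size limit, not a missing key type.` would record why the dependency matters. The 1022-bit and 1023-bit `(not supported)` cases earlier in the file carry the same single dependency.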
@@ -1025,35 +1015,39 @@ aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_AEAD_WITH_
PSA key policy: asymmetric encryption, encrypt | decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, wrong algorithm (v1.5/OAEP)
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, wrong algorithm (OAEP with different hash)
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_224):PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_224):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, alg=0 in policy
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, ANY_HASH in policy is not meaningful
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):0
PSA key policy: asymmetric encryption, encrypt but not decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, decrypt but not encrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:0
PSA key policy: asymmetric encryption, neither encrypt nor decrypt
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
-asymmetric_encryption_key_policy:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT
+asymmetric_encryption_key_policy:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:0
+
+PSA key policy: asymmetric encryption, opaque key, encrypt | decrypt
+depends_on:PSA_CRYPTO_DRIVER_TEST:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_CRYPT:1
PSA key policy: asymmetric signature, sign | verify hash, PKCS#1v1.5 SHA-256
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
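Review bot: The only case added with the new trailing field set to `1` is the permissive `encrypt | decrypt` policy, so none of the denial paths above (wrong algorithm, `alg=0`, encrypt-only, decrypt-only, neither usage flag) is run against what the case title calls an opaque key. If that field selects a driver-backed key, as the title and the `PSA_CRYPTO_DRIVER_TEST` dependency suggest, policy enforcement for such keys is only checked where everything is allowed. I would add at least one negative opaque case, for example `PSA key policy: asymmetric encryption, opaque key, neither encrypt nor decrypt`, reusing the data line of the existing `neither encrypt nor decrypt` case with the final field changed to `1` and `PSA_CRYPTO_DRIVER_TEST` added to its `depends_on`. A one-line `#` comment above the first case stating what the last field means would also help, since the test function is not part of this hunk.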
@@ -2205,7 +2199,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CTR:PSA_SUCCESS
PSA cipher setup: bad algorithm (unknown cipher algorithm)
-depends_on:MBEDTLS_AES_C
+depends_on:PSA_WANT_KEY_TYPE_AES
cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CATEGORY_CIPHER:PSA_ERROR_NOT_SUPPORTED
PSA cipher setup: bad algorithm (not a cipher algorithm)
@@ -2213,12 +2207,12 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES
cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_ERROR_INVALID_ARGUMENT
PSA cipher setup: invalid key type, CTR
-depends_on:MBEDTLS_CIPHER_MODE_CTR
+depends_on:PSA_WANT_ALG_CTR
# Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here
cipher_setup:PSA_KEY_TYPE_RAW_DATA:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CTR:PSA_ERROR_NOT_SUPPORTED
PSA cipher setup: incompatible key ChaCha20 for CTR
-depends_on:PSA_WANT_KEY_TYPE_CHACHA20:MBEDTLS_CIPHER_MODE_CTR
+depends_on:PSA_WANT_KEY_TYPE_CHACHA20:PSA_WANT_ALG_CTR
# Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here
cipher_setup:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f10111213141516171819202122232425":PSA_ALG_CTR:PSA_ERROR_NOT_SUPPORTED
@@ -2267,15 +2261,15 @@ depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES
cipher_encrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT
PSA symmetric encrypt: AES-ECB, 0 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":""
PSA symmetric encrypt: AES-ECB, 16 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":"3ad77bb40d7a3660a89ecaf32466ef97"
PSA symmetric encrypt: AES-ECB, 32 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a3ad77bb40d7a3660a89ecaf32466ef97":"3ad77bb40d7a3660a89ecaf32466ef972249a2638c6f1c755a84f9681a9f08c1"
PSA symmetric encrypt: 2-key 3DES-ECB, 8 bytes, good
@@ -2411,27 +2405,27 @@ depends_on:PSA_WANT_ALG_CBC_PKCS7:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_fail:PSA_ALG_CBC_PKCS7:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":PSA_ERROR_INVALID_ARGUMENT
PSA symmetric decrypt: AES-ECB, input too short (15 bytes)
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_fail:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"396ee84fb75fdbb5c2b13c7fe5a654":PSA_ERROR_INVALID_ARGUMENT
PSA symmetric decrypt: AES-CBC-nopad, input too short (5 bytes)
depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT
-PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes)
-depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:MBEDTLS_AES_C
-cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"2a2a2a2a2a2a2a2a":PSA_ERROR_INVALID_ARGUMENT
+PSA symmetric decrypt: CCM*-no-tag, input too short (12 bytes)
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
+cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"0102030405060708090a0b0c":"":PSA_ERROR_INVALID_ARGUMENT
PSA symmetric decrypt: AES-ECB, 0 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":""
PSA symmetric decrypt: AES-ECB, 16 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"396ee84fb75fdbb5c2b13c7fe5a654aa":"63cecc46a382414d5fa7d2b79387437f"
PSA symmetric decrypt: AES-ECB, 32 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"3ad77bb40d7a3660a89ecaf32466ef972249a2638c6f1c755a84f9681a9f08c1":"6bc1bee22e409f96e93d7e117393172a3ad77bb40d7a3660a89ecaf32466ef97"
PSA symmetric decrypt: AES-CBC-nopad, 16 bytes, good
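Review bot: The renamed case `CCM*-no-tag, input too short (12 bytes)` passes an empty last data field, so the 12 bytes in the title can only refer to the `0102030405060708090a0b0c` field, and the data line alone does not show why that is "too short". The other CCM*-no-tag cases visible in this file use a 13-byte IV, which suggests this case is one byte short of the required IV length, but nothing says so. I would add a comment above the data line, e.g. `# 12-byte IV field and no ciphertext: one byte short of the 13-byte CCM* IV`, after confirming in the test function how the IV and input fields are combined.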
@@ -2470,10 +2464,26 @@ PSA symmetric decrypt: 3-key 3DES-ECB, 8 bytes, good
depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES
cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"817ca7d69b80d86a":"c78e2b38139610e3"
-PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15
+PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 24 bytes
depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 23 bytes
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
+cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad6"
+
+PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 3 bytes
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
+cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e":"a16a2e"
+
+PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 2 bytes
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
+cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe":"a16a"
+
+PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 0 bytes
+depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
+cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"":""
+
PSA symmetric decrypt: ChaCha20, RFC7539 keystream
depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20
# Keystream from RFC 7539 §2.4.2, with an extra 64-byte output block prepended
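Review bot: The four added cases keep the `NIST DVPT AES-128 #15` label but use ciphertext and plaintext cut to 23, 3, 2 and 0 bytes, so they are prefixes of the 24-byte vector rather than published vectors. Anyone re-checking these against the NIST file will not find them. I would put one comment above the group, e.g. `# Derived by truncating NIST DVPT AES-128 #15 (same key and IV); exercises partial-block and empty inputs`, so the provenance and the purpose of the lengths are recorded next to the data.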
@@ -2487,15 +2497,15 @@ depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20
cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":"fb6d7b60e9e67669b607a9b94a606bdca678d44f0ebf24cbd623efd69cc2bdc0f615ac19d0366a8d00e3d6728f5ee01d61d74ab77edc17a7621f2268eea12e656e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d":"546865205246432037353339207465737420766563746f72207573657320636f756e7465723d312c2062757420505341207573657320636f756e7465723d302e4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e"
PSA symmetric decrypt multipart: AES-ECB, 0 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":0:0:0:"":PSA_SUCCESS
PSA symmetric decrypt multipart: AES-ECB, 16 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"63cecc46a382414d5fa7d2b79387437f":PSA_SUCCESS
PSA symmetric decrypt multipart: AES-ECB, 32 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"3ad77bb40d7a3660a89ecaf32466ef972249a2638c6f1c755a84f9681a9f08c1":32:32:0:"6bc1bee22e409f96e93d7e117393172a3ad77bb40d7a3660a89ecaf32466ef97":PSA_SUCCESS
PSA symmetric decrypt multipart: AES-CBC-nopad, 16 bytes, good
@@ -2519,7 +2529,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"dd3b5e5319b7591daab1e1a92687feb2":PSA_SUCCESS
PSA symmetric decrypt multipart: AES-ECB, input too short (15 bytes)
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"396ee84fb75fdbb5c2b13c7fe5a654":0:0:0:"63cecc46a382414d5fa7d2b7938743":PSA_ERROR_INVALID_ARGUMENT
PSA symmetric decrypt multipart: AES-CBC-nopad, input too short (5 bytes)
@@ -2551,7 +2561,7 @@ depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_multipart:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9403aff859fbb":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134":10:10:14:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":PSA_SUCCESS
PSA symmetric encrypt/decrypt: AES-ECB, 16 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_verify_output:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a"
PSA symmetric encrypt/decrypt: AES-CBC-nopad, 16 bytes, good
@@ -2663,15 +2673,15 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":16:16:0:"8f9408fe80a81d3e813da3c7b0b2bd32":PSA_SUCCESS
PSA symmetric decryption multipart: AES-ECB, 16+16 bytes
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"3ad77bb40d7a3660a89ecaf32466ef9755ed5e9e066820fa52c729886d18854c":16:16:16:"6bc1bee22e409f96e93d7e117393172a5434f378a597bcef1389318c7fc865ef":PSA_SUCCESS
PSA symmetric decryption multipart: AES-ECB, 11+21 bytes
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"3ad77bb40d7a3660a89ecaf32466ef9755ed5e9e066820fa52c729886d18854c":11:0:32:"6bc1bee22e409f96e93d7e117393172a5434f378a597bcef1389318c7fc865ef":PSA_SUCCESS
PSA symmetric decryption multipart: AES-ECB, 28+4 bytes
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"3ad77bb40d7a3660a89ecaf32466ef9755ed5e9e066820fa52c729886d18854c":28:16:16:"6bc1bee22e409f96e93d7e117393172a5434f378a597bcef1389318c7fc865ef":PSA_SUCCESS
PSA symmetric decryption multipart: AES-CBC-nopad, 7+9 bytes
@@ -2735,13 +2745,18 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":16:16:0:"8f9408fe80a81d3e813da3c7b0b2bd32":PSA_SUCCESS
PSA symmetric encrypt/decrypt multipart: AES-ECB, 16 bytes, good
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
cipher_verify_output_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":16
PSA symmetric encrypt/decrypt multipart: AES-CBC-nopad, 16 bytes, good
depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES
cipher_verify_output_multipart:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":16
+# Encrypt 48 bytes total, initially 16. This forces both calls to update() to output data.
+PSA symmetric encrypt/decrypt multipart: AES-CBC-nopad, 48 bytes, good
+depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES
+cipher_verify_output_multipart:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a6bc1bee22e409f96e93d7e117393172a6bc1bee22e409f96e93d7e117393172a":16
+
PSA symmetric encrypt/decrypt multipart: AES-CBC-PKCS#7, 16 bytes
depends_on:PSA_WANT_ALG_CBC_PKCS7:PSA_WANT_KEY_TYPE_AES
cipher_verify_output_multipart:PSA_ALG_CBC_PKCS7:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a":16
@@ -2805,7 +2820,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES
aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":"B96B49E21D621741632875DB7F6C9243D2D7C2":PSA_SUCCESS
PSA AEAD encrypt/decrypt: DES-CCM not supported
-depends_on:MBEDTLS_DES_C:MBEDTLS_CCM_C
+depends_on:PSA_WANT_KEY_TYPE_DES:PSA_WANT_ALG_CCM
aead_encrypt_decrypt:PSA_KEY_TYPE_DES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":"B96B49E21D621741632875DB7F6C9243D2D7C2":PSA_ERROR_NOT_SUPPORTED
PSA AEAD encrypt: AES-CCM, 23 bytes
@@ -3201,7 +3216,7 @@ depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20
aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"07000000404142434445464700":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_INVALID_ARGUMENT
PSA AEAD encrypt/decrypt: invalid algorithm (CTR)
-depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM
aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CTR:"000102030405060708090A0B0C0D0E0F":"":"":PSA_ERROR_INVALID_ARGUMENT
PSA AEAD encrypt/decrypt: invalid algorithm (ChaCha20)
@@ -4284,6 +4299,50 @@ PSA import/exercise: TLS 1.2 PRF SHA-256
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
import_and_exercise_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)
+PSA concurrently import/exercise same key: RSA keypair, PKCS#1 v1.5 raw
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+concurrently_use_same_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:100
+
+PSA concurrently import/exercise same key: RSA keypair, PSS-SHA-256
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+concurrently_use_same_persistent_key:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):100
+
+PSA concurrently import/exercise same key: RSA keypair, PSS-any-salt-SHA-256
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+concurrently_use_same_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):100
+
+PSA concurrently import/exercise same key: RSA public key, PKCS#1 v1.5 raw
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+concurrently_use_same_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:100
+
+PSA concurrently import/exercise same key: RSA public key, PSS-SHA-256
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+concurrently_use_same_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):100
+
+PSA concurrently import/exercise same key: RSA public key, PSS-any-salt-SHA-256
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+concurrently_use_same_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):100
+
+PSA concurrently import/exercise same key: ECP SECP256R1 keypair, ECDSA
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
+concurrently_use_same_persistent_key:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_ALG_ECDSA_ANY:100
+
+PSA concurrently import/exercise same key: ECP SECP256R1 keypair, deterministic ECDSA
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
+concurrently_use_same_persistent_key:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):100
+
+PSA concurrently import/exercise same key: ECP SECP256R1 keypair, ECDH
+depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
+concurrently_use_same_persistent_key:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_ALG_ECDH:100
+
+PSA concurrently import/exercise same key: HKDF SHA-256
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
+concurrently_use_same_persistent_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_HKDF(PSA_ALG_SHA_256):100
+
+PSA concurrently import/exercise same key: TLS 1.2 PRF SHA-256
+depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
+concurrently_use_same_persistent_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):100
+
PSA sign hash: RSA PKCS#1 v1.5, raw
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
sign_hash_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a"
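Review bot: The case `PSA concurrently import/exercise same key: RSA keypair, PSS-any-salt-SHA-256` passes `PSA_ALG_RSA_PSS(PSA_ALG_SHA_256)`, the same algorithm as the `PSS-SHA-256` keypair case just before it, so the any-salt variant is never exercised concurrently with a key pair. The matching public-key case does use `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256)`; the keypair data line should end `:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):100`. Separately, none of the new `concurrently_use_same_persistent_key` cases lists a threading or persistent-storage dependency. Presumably the test function declares those itself, but it is outside this hunk and worth confirming.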
@@ -4645,15 +4704,15 @@ depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash: deterministic ECDSA SECP256R1 SHA-256
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash: deterministic ECDSA SECP256R1 SHA-384
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_384
verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"dbf3b9a150a2ec12ec4b16ff7d37be2fe354a357cb267af4296ccfda3acca2d796989f63eb192e4c43a7ff0d0b7f493b1334dfb3c32375351debcdd532f41e13"
PSA verify hash: deterministic ECDSA SECP384R1 SHA-256
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"bed412df472eef873fb0839f91a6867d1c6824d4c5781d4b851faa43c7df904d99dbdd28c0d2fd3a4a006e89d34993a120aff166deb4974e96449a7ffe93c66726ad9443b14b87330c86bdde3faff5fd1cbfdc9afe46f8090376f9664cb116b4"
PSA vrfy hash int: ECDSA SECP256R1, good
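Review bot: The deterministic-ECDSA verify cases in this hunk import a `PSA_KEY_TYPE_ECC_PUBLIC_KEY`, but their `depends_on` lines still require `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC`/`_IMPORT`/`_EXPORT` and never `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY`, so they are not gated on the key type they actually use and would be skipped in a verify-only configuration. Since the line is already being edited to drop `MBEDTLS_PK_PARSE_C`, it could become `depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_256`, unless `verify_hash` has a key-pair requirement that is not visible here. The SHA-384 case also lists `PSA_WANT_ALG_SHA_384` twice. The same points apply to the `verify_hash_interruptible` cases in the next hunk (`@@ -4665,15 +4724,15 @@`).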
@@ -4665,15 +4724,15 @@ depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_
verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
PSA vrfy hash: det ECDSA SECP256R1 SHA-256
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
PSA vrfy hash: det ECDSA SECP256R1 SHA-384
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_384
verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"dbf3b9a150a2ec12ec4b16ff7d37be2fe354a357cb267af4296ccfda3acca2d796989f63eb192e4c43a7ff0d0b7f493b1334dfb3c32375351debcdd532f41e13":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
PSA vrfy hash: det ECDSA SECP384R1 SHA-256
-depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_384
verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"bed412df472eef873fb0839f91a6867d1c6824d4c5781d4b851faa43c7df904d99dbdd28c0d2fd3a4a006e89d34993a120aff166deb4974e96449a7ffe93c66726ad9443b14b87330c86bdde3faff5fd1cbfdc9afe46f8090376f9664cb116b4":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
@@ -5452,19 +5511,19 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY
derive_input:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: TLS12_ECJPAKE_TO_PMS, good input, output too short
-depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_SUCCESS:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_INVALID_ARGUMENT
PSA key derivation: TLS12_ECJPAKE_TO_PMS, input[0]=0x02
-depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"02aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too short
-depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too long
-depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: PBKDF2-HMAC-SHA256, good case, direct output
@@ -6320,6 +6379,53 @@ PSA key derivation: HKDF-Expand SHA-1, request too much capacity
depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_1
derive_set_capacity:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_1):255 * PSA_HASH_LENGTH(PSA_ALG_SHA_1) + 1:PSA_ERROR_INVALID_ARGUMENT
+# TLS 1.2 PRF does not have a maximum capacity therefore
+# derive_set_capacity negative test case is not added
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, request too much capacity
+depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):48U + 1U:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, request too much capacity
+depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_set_capacity:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):48U + 1U:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, request too much capacity
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
+derive_set_capacity:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: PBKDF2-HMAC-SHA256, request too much capacity
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_256) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: PBKDF2-HMAC-SHA512, request too much capacity
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_512) + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request too much capacity
+depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295ULL * 16 + 1:PSA_ERROR_INVALID_ARGUMENT
+
+PSA key derivation: TLS 1.2 PRF SHA-256, request maximum capacity
+depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_256
+derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):SIZE_MAX:PSA_SUCCESS
+
+PSA key derivation: TLS 1.2 PRF SHA-384, request maximum capacity
+depends_on:PSA_WANT_ALG_TLS12_PRF:PSA_WANT_ALG_SHA_384
+derive_set_capacity:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):SIZE_MAX:PSA_SUCCESS
+
+PSA key derivation: PBKDF2-HMAC-SHA256, request maximum capacity
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_256):PSA_SUCCESS
+
+PSA key derivation: PBKDF2-HMAC-SHA512, request maximum capacity
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_512:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_512):4294967295ULL * PSA_HASH_LENGTH(PSA_ALG_SHA_512):PSA_SUCCESS
+
+PSA key derivation: PBKDF2-AES-CMAC-PRF-128, request maximum capacity
+depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:SIZE_MAX>=0xffffffffffffffff
+derive_set_capacity:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:4294967295ULL * 16:PSA_SUCCESS
+
PSA key derivation: over capacity 42: output 42+1
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_output:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:"000102030405060708090a0b0c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_INFO:"f0f1f2f3f4f5f6f7f8f9":PSA_SUCCESS:0:"":PSA_SUCCESS:"":42:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865":"ff":0:1:0
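Review bot: The capacity limits in the new `derive_set_capacity` cases are bare literals (`48U + 1U`, `4294967295ULL * 16 + 1`) with no comment saying where they come from, which makes these boundary tests hard to audit against the specification. A comment before each group would do, for example `# TLS 1.2 PSK-to-MS produces a 48-byte master secret` and `# PBKDF2 output is limited to (2^32 - 1) blocks of the PRF output size`; the `47`/`48` literals in the `derive_full` cases of the next hunk have the same problem. The `SIZE_MAX>=0xffffffffffffffff` dependency also means every PBKDF2 capacity case here is skipped on targets with a 32-bit `size_t`, so it is worth confirming that the limit check is exercised some other way on those targets.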
@@ -6516,17 +6622,69 @@ PSA key derivation: HKDF SHA-256, read maximum capacity minus 1
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1
+PSA key derivation: HKDF SHA-512, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1
+
PSA key derivation: HKDF SHA-256, read maximum capacity
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256)
-PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity minus 1
-depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
-derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1
+PSA key derivation: HKDF SHA-512, read maximum capacity
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512)
-PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity
-depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF
-derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256)
+PSA key derivation: HKDF-Extract SHA-256, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1
+
+PSA key derivation: HKDF-Extract SHA-512, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1
+
+PSA key derivation: HKDF-Extract SHA-256, read maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_256
+derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256)
+
+PSA key derivation: HKDF-Extract SHA-512, read maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXTRACT:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"":PSA_HASH_LENGTH(PSA_ALG_SHA_512)
+
+PSA key derivation: HKDF-Expand SHA-256, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256) - 1
+
+PSA key derivation: HKDF-Expand SHA-512, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512) - 1
+
+PSA key derivation: HKDF-Expand SHA-256, read maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_256
+derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_256)
+
+PSA key derivation: HKDF-Expand SHA-512, read maximum capacity
+depends_on:PSA_WANT_ALG_HKDF_EXPAND:PSA_WANT_ALG_SHA_512
+derive_full:PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"f0f1f2f3f4f5f6f7f8f9":255 * PSA_HASH_LENGTH(PSA_ALG_SHA_512)
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity minus 1
+depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":47
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-256, read maximum capacity
+depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48
+
+PSA key derivation: TLS 1.2 PSK-to-MS SHA-384, read maximum capacity
+depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_ALG_TLS12_PSK_TO_MS
+derive_full:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):"01020304":"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":"6d617374657220736563726574":48
+
+PSA key derivation: TLS 1.2 ECJPAKE-to-PMS, read maximum capacity
+depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS:PSA_WANT_ALG_SHA_256
+derive_full:PSA_ALG_TLS12_ECJPAKE_TO_PMS:"deadbeef":"0409fc1accc230a205e4a208e64a8f204291f581a12756392da4b8c0cf5ef02b950000000000000000000000000000000000000000000000000000000000000000":"":PSA_HASH_LENGTH(PSA_ALG_SHA_256)
PSA key derivation: HKDF SHA-256, exercise AES128-CTR
depends_on:PSA_WANT_ALG_CTR:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
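Review bot: `TLS 1.2 ECJPAKE-to-PMS, read maximum capacity` is the only algorithm added in this hunk without a matching `read maximum capacity minus 1` case, and nothing says whether that is deliberate. If the omission is because this KDF only supports reading its output in one full-length piece (an assumption, not visible in the hunk), a line such as `# ECJPAKE-to-PMS output must be read in full, so there is no "minus 1" case` would document it; otherwise the missing case should be added. The hunk also deletes both TLS 1.2 PRF `derive_full` cases, while the reason (`TLS 1.2 PRF does not have a maximum capacity`) is only given as a comment in the `derive_set_capacity` section, so repeating that one-line comment here would help.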
@@ -6630,7 +6788,7 @@ depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_ALG_H
derive_key_exercise:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_HMAC(PSA_ALG_SHA_256)
PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA
-depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256
derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY
PSA key derivation: HKDF-SHA-256 -> ECC curve25519, exercise ECDH
@@ -6678,11 +6836,11 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:!MBEDTLS
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
PSA key derivation: HKDF-SHA-256 -> ECC secp256r1
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5c0"
PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:"46a5850b60ba10b0fd8e0feb8790e2819d46ea26fede564ff6dea94ef1945660"
PSA key derivation: HKDF-SHA-256 -> raw (same input as secp256r1+redraw)
@@ -6690,17 +6848,17 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"4869212049276d20612074657374206b65792120486f772061726520796f753f":"":"e1ab5d0000000000":PSA_KEY_TYPE_RAW_DATA:256:"ffffffff55f60cea989fe02543c81b28aff09b5b51fdc43f91fe5c2511b0b9d9"
PSA key derivation: HKDF-SHA-256 -> ECC secp384r1
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_384
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993c"
# For secp521r1, the leading byte of the representation of the private key can
# be either 0 or 1. Have one test case where it's 0 and one where it's 1.
PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_521:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_521
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"00b25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865b4b0a85a993b89b9b65683d60f0106d28fff039d0b6f3409"
PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_521:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_521
derive_key_type:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8fa":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:"01122f37d10965c8455ecbd2bc73d5da5347d0ce772e54305d528295a64ffb7c567f5042e2d7e5803b407c08d1e110adcefc35564035d706582f723a2f76a32260da"
# For Curve25519, test a few different outputs to exercise masking (last byte of input_2 variation).
@@ -6777,6 +6935,18 @@ PSA key derivation: PBKDF2-AES-CMAC-PRF-128-> AES-256
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52"
+PSA key derivation: default params -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a"
+
+PSA key derivation: params.flags=1 -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:""
+
+PSA key derivation: params.data non-empty -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:""
+
PSA key derivation: invalid type (0)
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_NOT_SUPPORTED:0
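Review bot: The three `derive_key_ext` cases give no hint which trailing column is which. Judging by the titles, the fields after the bit size are params.flags, params.data, the expected status and the expected key bytes; a comment such as `# derive_key_ext: ...:bits:params.flags:params.data:expected_status:expected_key` above the first case would make the two rejection cases easier to check. Both rejection cases use AES-128 only, so whether non-default parameters are also rejected for other key types is not covered by this hunk.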
@@ -6812,7 +6982,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
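Review bot: With `MBEDTLS_ECP_LIGHT` dropped, this case now runs in every configuration that has `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE`, yet it still pins `PSA_ERROR_INVALID_ARGUMENT` while its own comment says the spec also allows `PSA_ERROR_NOT_SUPPORTED`. It would be worth confirming that the status is still `INVALID_ARGUMENT` in builds where ECC is provided without the built-in ECP module, and recording that in the comment, e.g. `# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED; this library returns INVALID_ARGUMENT`. The `depends_on` line names no curve of the family under test, so `(ECC enabled)` in the title is looser than it reads. The same applies to the six following hunks (SECP_K1, SECP_R2, SECT_K1, SECT_R1, SECT_R2, BRAINPOOL_P_R1).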
@@ -6827,7 +6997,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -6842,7 +7012,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -6857,7 +7027,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -6872,7 +7042,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -6887,7 +7057,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -6902,7 +7072,7 @@ depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):0:PSA_ERROR_INVALID_ARGUMENT:0
PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:MBEDTLS_ECP_LIGHT
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):7:PSA_ERROR_INVALID_ARGUMENT:0
@@ -7080,35 +7250,35 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_
raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):"1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d":"9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0":"07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d"
PSA raw key agreement: FFDH 2048 bits
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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"
PSA raw key agreement: FFDH 2048 bits (shared secred with leading zeros)
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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"
PSA raw key agreement: FFDH 3072 bits
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"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"
PSA raw key agreement: FFDH 3072 bits (shared secred with leading zeros)
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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"
PSA raw key agreement: FFDH 4096 bits
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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"
PSA raw key agreement: FFDH 4096 bits (shared secred with leading zeros)
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"d39cf86d9d81011fc48d3bd489decd4cd520ba87e469b5899fae777109ff7b43c8c809814521a8d66ac33099c9bd2a8567a202c21a8b5457603ac1ce95ea9ae705efd69fb7c514295059938d818bb65b7c881d1ef9541346be2131143f51db13109e9a4fdff1ef2208839c89eb1c1d52018c77c33f5b7e73a747002997c75f4a3dcf15e7cd73938ece0cdefc9fcfa2c4b1c3416eb2fecc00ce328b0b2bead58493b3e8c25d3c0a675bf6ce2363917d1e74a7987a464709fcfcd1b512b67dc1023ade2cc027109169ffcb51625fbb0c607946a6009811be07047024bb6e517f388a99a08f2c73b7e0b779d8469797eb3153f2e5ddde2931a8f97c586e20c5e521b84d015a52f8e13d5fa34c32bc118b62d34cf157f1db40423f384a16a78c7e1569a5d754db6216f6412abfa7c440586c506d5be88d5172a311b8f16f70a06162dbab6ee09fea55c47f6538d3775d236cfa50824f5c8bafa44bcd9424aa620ef17466413f35aa6e6eb5c8d8a26a7ffd6e8bda2dc5ada4b296885635fc8a73933de059ff403fb0a322bf6daba24330a7be204c307f44260b4d34000d2142f79654360af82179f9d5e18e8f47c7d94a10fd077f011bdef578a2b57d5a382ca404f67fd3c59d95a3481f1311c7454bb45acba1e1c30acb6a9fbda70aea30a9ca76471dc46e504abae9a06eb9a8cfed83143cffef3c530b03185609a55484aaf9f677":"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":"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"
PSA raw key agreement: FFDH 6144 bits
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"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"
PSA raw key agreement: FFDH 6144 bits (shared secred with leading zeros)
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144
raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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"
PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160
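Review bot: No 8192-bit vector exists among the raw FFDH agreement cases in this hunk, which covers 2048, 3072, 4096 and 6144 only. Now that every case is gated on a `PSA_WANT_DH_RFC7919_<bits>` symbol, a build that enables only `PSA_WANT_DH_RFC7919_8192` runs none of them. The `key_agreement_output` cases in the next hunk have the same gap, while key generation is exercised for 8192 further down. Unless 8192 agreement vectors live elsewhere in the file, consider adding one `raw_key_agreement` case gated on `PSA_WANT_DH_RFC7919_8192` so that each selectable group has at least one known-answer test. Separately, the descriptions on the neighbouring context lines read `shared secred` where `shared secret` is meant.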
@@ -7140,51 +7310,51 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"3bf511eebadf44c1f7b0282a1262fe4ddd9da23bb1555cfda591ac46b088c4417883c010f6e37cd6942c63bd8a65d8648c736bf8330b539760e18db13888d992":""
PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 256+0
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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":""
PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 255+1
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"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":"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":"da"
PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 1+255
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_2048
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"8f":"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"
PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 256+0
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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":""
PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 255+1
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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":"c6"
PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 1+255
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_3072
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"d9":"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"
PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 256+0
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"01ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de87":""
PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 255+1
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"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":"87"
PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 1+255
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_4096
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"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":"01":"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"
PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 256+0
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"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":"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":""
PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 255+1
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"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":"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":"8c"
PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 1+255
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_DH_RFC7919_6144
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"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":"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":"10":"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"
PSA generate random: 0 bytes
@@ -7326,58 +7496,264 @@ PSA generate key: ECC, Curve448, good
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_448
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0
-PSA generate key: RSA, default e
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"":PSA_SUCCESS
-
-PSA generate key: RSA, e=3
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"03":PSA_SUCCESS
-
-PSA generate key: RSA, e=65537
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"010001":PSA_SUCCESS
-
-PSA generate key: RSA, e=513
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"0201":PSA_SUCCESS
-
-PSA generate key: RSA, e=1
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT
-
-PSA generate key: RSA, e=2
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT
-
PSA generate key: FFDH, 2048 bits, good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_2048
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
PSA generate key: FFDH, 3072 bits, good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_3072
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
PSA generate key: FFDH, 4096 bits, good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_4096
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
PSA generate key: FFDH, 6144 bits, good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_6144
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
PSA generate key: FFDH, 8192 bits, good
-depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_8192
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
PSA generate key: FFDH, 1024 bits, invalid bits
depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0
+PSA generate key ext: RSA, params.flags=1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key ext: RSA, empty e
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=3
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=3 with leading zeros
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS
+
+# TODO: currently errors with NOT_SUPPORTED because e is converted to an int
+# and the conversion errors out if there are too many digits without checking
+# for leading zeros. This is a very minor bug. Re-enable this test when this
+# bug is fixed.
+#PSA generate key ext: RSA, e=3 with many leading zeros
+#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+#generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=513
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=65537
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=2^31-1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS
+
+PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key ext: RSA, e=1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key ext: RSA, e=0
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key ext: RSA, e=2
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT
+
+# Check that with a driver, we reject a custom e as unsupported,
+# as opposed to silently using the default e.
+# When we add proper driver support, remove this test case and remove
+# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from
+# the positive/invalid_argument test cases.
+PSA generate key ext: RSA, e=3 with driver and no fallback (not yet supported)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key ext: ECC, flags=0
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS
+
+PSA generate key ext: ECC, flags=1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key ext: ECC, params.data non-empty
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT
+
+PSA concurrent key generation: bad type (RSA public key)
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: raw data, 0 bits: invalid argument
+depends_on:MBEDTLS_THREADING_PTHREAD
+# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:0:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: raw data, 7 bits: invalid argument
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:7:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: raw data, 8 bits
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation- raw data, 9 bits: invalid argument
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:9:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: raw data, (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: raw data, (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: raw data, 65528 bits (large key, ok if it fits)
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:65528:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:1:8:5
+
+PSA concurrent key generation: raw data, 65536 bits (not supported)
+depends_on:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:65536:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+PSA concurrent key generation: AES, 128 bits, CTR
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: AES, 128 bits, GCM
+depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_GCM:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: DES, 64 bits, CBC-nopad
+depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: DES, 128 bits, CBC-nopad
+depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: DES, 192 bits, CBC-nopad
+depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: invalid key size: AES, 64 bits
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_AES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: RSA, minimum allowed key size, good, sign (PKCS#1 v1.5)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS > 128:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, 1032 bits, good, sign (PKCS#1 v1.5)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1032:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1032:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, 1024 bits, good, sign (PSS SHA-256)
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, 1024 bits, good, sign (PSS-any-salt SHA-256)
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, minimum allowed key size, good, encrypt (PKCS#1 v1.5)
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS >= 256:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 2048:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, 1024 bits, good, encrypt (OAEP SHA-256)
+depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= 1024:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: RSA, 0 bits: invalid
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD
+# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_INVALID_ARGUMENT:0:8:5
+
+PSA concurrent key generation: RSA, size not multiple of 8: not supported
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS + 62:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+PSA concurrent key generation: RSA, size not multiple of 2: not supported
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS + 63:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+PSA concurrent key generation: RSA, maximum size exceeded
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_MAX_KEY_BITS+8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+PSA concurrent key generation: ECC, SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: ECC, SECP256R1, incorrect bit size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_THREADING_PTHREAD
+# INVALID_ARGUMENT would make more sense, but our code as currently structured
+# doesn't fully relate the curve with its size.
+concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+PSA concurrent key generation: ECC, Curve25519, good
+depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_255:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: ECC, Curve448, good
+depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_448:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 2048 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_2048:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 3072 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_3072:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 4096 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_4096:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 6144 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_6144:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 8192 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_DH_RFC7919_8192:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0:8:5
+
+PSA concurrent key generation: FFDH, 1024 bits, invalid bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD
+concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0:8:5
+
+Key production parameters initializers
+key_production_parameters_init:
+
PSA import persistent key: raw data, 8 bits
-depends_on:MBEDTLS_PK_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY
PSA import persistent key: AES, 128 bits, exportable
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PK_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_CRYPTO_STORAGE_C
persistent_key_load_key_from_storage:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:IMPORT_KEY
PSA import persistent key: AES, 128 bits, non-exportable
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PK_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_CRYPTO_STORAGE_C
persistent_key_load_key_from_storage:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR:IMPORT_KEY
PSA generate persistent key: raw data, 8 bits, exportable
@@ -7406,3 +7782,62 @@ persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY
PSA derive persistent key: HKDF SHA-256, exportable
persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY
+
+ECP group ID <-> PSA family - SECP192R1
+depends_on:PSA_WANT_ECC_SECP_R1_192
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP192R1:PSA_ECC_FAMILY_SECP_R1:192
+
+ECP group ID <-> PSA family - SECP224R1
+depends_on:PSA_WANT_ECC_SECP_R1_224
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP224R1:PSA_ECC_FAMILY_SECP_R1:224
+
+ECP group ID <-> PSA family - SECP256R1
+depends_on:PSA_WANT_ECC_SECP_R1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP256R1:PSA_ECC_FAMILY_SECP_R1:256
+
+ECP group ID <-> PSA family - SECP384R1
+depends_on:PSA_WANT_ECC_SECP_R1_384
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP384R1:PSA_ECC_FAMILY_SECP_R1:384
+
+ECP group ID <-> PSA family - SECP521R1
+depends_on:PSA_WANT_ECC_SECP_R1_521
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP521R1:PSA_ECC_FAMILY_SECP_R1:521
+
+ECP group ID <-> PSA family - BP256R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP256R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:256
+
+ECP group ID <-> PSA family - BP384R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP384R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:384
+
+ECP group ID <-> PSA family - BP512R1
+depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512
+ecc_conversion_functions:MBEDTLS_ECP_DP_BP512R1:PSA_ECC_FAMILY_BRAINPOOL_P_R1:512
+
+ECP group ID <-> PSA family - CURVE25519
+depends_on:PSA_WANT_ECC_MONTGOMERY_255
+ecc_conversion_functions:MBEDTLS_ECP_DP_CURVE25519:PSA_ECC_FAMILY_MONTGOMERY:255
+
+ECP group ID <-> PSA family - SECP192K1
+depends_on:PSA_WANT_ECC_SECP_K1_192
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP192K1:PSA_ECC_FAMILY_SECP_K1:192
+
+ECP group ID <-> PSA family - SECP224K1
+depends_on:PSA_WANT_ECC_SECP_K1_224
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP224K1:PSA_ECC_FAMILY_SECP_K1:224
+
+ECP group ID <-> PSA family - SECP256K1
+depends_on:PSA_WANT_ECC_SECP_K1_256
+ecc_conversion_functions:MBEDTLS_ECP_DP_SECP256K1:PSA_ECC_FAMILY_SECP_K1:256
+
+ECP group ID <-> PSA family - CURVE448
+depends_on:PSA_WANT_ECC_MONTGOMERY_448
+ecc_conversion_functions:MBEDTLS_ECP_DP_CURVE448:PSA_ECC_FAMILY_MONTGOMERY:448
+
+ECP group ID <-> PSA family - Null values
+ecc_conversion_functions:MBEDTLS_ECP_DP_NONE:0:0
+
+ECP group ID <-> PSA family - Wrong values
+ecc_conversion_functions_fail
+
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 2dfc7a4..0c8552b 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -6,6 +6,8 @@
#include "mbedtls/oid.h"
#include "common.h"
+#include "mbedtls/psa_util.h"
+
/* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random()
* uses mbedtls_ctr_drbg internally. */
#include "mbedtls/ctr_drbg.h"
@@ -13,7 +15,6 @@
#include "psa/crypto.h"
#include "psa_crypto_slot_management.h"
-/* For psa_can_do_hash() */
#include "psa_crypto_core.h"
#include "test/asn1_helpers.h"
@@ -26,6 +27,10 @@
#define TEST_DRIVER_LOCATION 0x7fffff
#endif
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include "mbedtls/threading.h"
+#endif
+
/* If this comes up, it's a bug in the test code or in the test data. */
#define UNUSED 0xdeadbeef
@@ -741,37 +746,37 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Server first round Output */
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g1_len));
+ buffer_length - buffer0_off, &s_g1_len));
TEST_EQUAL(s_g1_len, expected_size_key_share);
s_g1_off = buffer0_off;
buffer0_off += s_g1_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pk_len));
+ buffer_length - buffer0_off, &s_x1_pk_len));
TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
s_x1_pk_off = buffer0_off;
buffer0_off += s_x1_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pr_len));
+ buffer_length - buffer0_off, &s_x1_pr_len));
TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
s_x1_pr_off = buffer0_off;
buffer0_off += s_x1_pr_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g2_len));
+ buffer_length - buffer0_off, &s_g2_len));
TEST_EQUAL(s_g2_len, expected_size_key_share);
s_g2_off = buffer0_off;
buffer0_off += s_g2_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pk_len));
+ buffer_length - buffer0_off, &s_x2_pk_len));
TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
s_x2_pk_off = buffer0_off;
buffer0_off += s_x2_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pr_len));
+ buffer_length - buffer0_off, &s_x2_pr_len));
TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
s_x2_pr_off = buffer0_off;
buffer0_off += s_x2_pr_len;
@@ -861,37 +866,37 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Client first round Output */
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g1_len));
+ buffer_length - buffer1_off, &c_g1_len));
TEST_EQUAL(c_g1_len, expected_size_key_share);
c_g1_off = buffer1_off;
buffer1_off += c_g1_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pk_len));
+ buffer_length - buffer1_off, &c_x1_pk_len));
TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
c_x1_pk_off = buffer1_off;
buffer1_off += c_x1_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pr_len));
+ buffer_length - buffer1_off, &c_x1_pr_len));
TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
c_x1_pr_off = buffer1_off;
buffer1_off += c_x1_pr_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g2_len));
+ buffer_length - buffer1_off, &c_g2_len));
TEST_EQUAL(c_g2_len, expected_size_key_share);
c_g2_off = buffer1_off;
buffer1_off += c_g2_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pk_len));
+ buffer_length - buffer1_off, &c_x2_pk_len));
TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
c_x2_pk_off = buffer1_off;
buffer1_off += c_x2_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pr_len));
+ buffer_length - buffer1_off, &c_x2_pr_len));
TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
c_x2_pr_off = buffer1_off;
buffer1_off += c_x2_pr_len;
@@ -1039,19 +1044,19 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_a_len));
+ buffer_length - buffer0_off, &s_a_len));
TEST_EQUAL(s_a_len, expected_size_key_share);
s_a_off = buffer0_off;
buffer0_off += s_a_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pk_len));
+ buffer_length - buffer0_off, &s_x2s_pk_len));
TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
s_x2s_pk_off = buffer0_off;
buffer0_off += s_x2s_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pr_len));
+ buffer_length - buffer0_off, &s_x2s_pr_len));
TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
s_x2s_pr_off = buffer0_off;
buffer0_off += s_x2s_pr_len;
@@ -1104,19 +1109,19 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_a_len));
+ buffer_length - buffer1_off, &c_a_len));
TEST_EQUAL(c_a_len, expected_size_key_share);
c_a_off = buffer1_off;
buffer1_off += c_a_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pk_len));
+ buffer_length - buffer1_off, &c_x2s_pk_len));
TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
c_x2s_pk_off = buffer1_off;
buffer1_off += c_x2s_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pr_len));
+ buffer_length - buffer1_off, &c_x2s_pr_len));
TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
c_x2s_pr_off = buffer1_off;
buffer1_off += c_x2s_pr_len;
@@ -1253,6 +1258,264 @@ static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
}
#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+static int rsa_test_e(mbedtls_svc_key_id_t key,
+ size_t bits,
+ const data_t *e_arg)
+{
+ uint8_t *exported = NULL;
+ size_t exported_size =
+ PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits);
+ size_t exported_length = SIZE_MAX;
+ int ok = 0;
+
+ TEST_CALLOC(exported, exported_size);
+ PSA_ASSERT(psa_export_public_key(key,
+ exported, exported_size,
+ &exported_length));
+ uint8_t *p = exported;
+ uint8_t *end = exported + exported_length;
+ size_t len;
+ /* RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER } -- e
+ */
+ TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_SEQUENCE |
+ MBEDTLS_ASN1_CONSTRUCTED));
+ TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1));
+ TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_INTEGER));
+ if (len >= 1 && p[0] == 0) {
+ ++p;
+ --len;
+ }
+ if (e_arg->len == 0) {
+ TEST_EQUAL(len, 3);
+ TEST_EQUAL(p[0], 1);
+ TEST_EQUAL(p[1], 0);
+ TEST_EQUAL(p[2], 1);
+ } else {
+ const uint8_t *expected = e_arg->x;
+ size_t expected_len = e_arg->len;
+ while (expected_len > 0 && *expected == 0) {
+ ++expected;
+ --expected_len;
+ }
+ TEST_MEMORY_COMPARE(p, len, expected, expected_len);
+ }
+ ok = 1;
+
+exit:
+ mbedtls_free(exported);
+ return ok;
+}
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
+
+static int setup_key_production_parameters(
+ psa_key_production_parameters_t **params, size_t *params_data_length,
+ int flags_arg, const data_t *params_data)
+{
+ *params_data_length = params_data->len;
+ /* If there are N bytes of padding at the end of
+ * psa_key_production_parameters_t, then it's enough to allocate
+ * MIN(sizeof(psa_key_production_parameters_t),
+ * offsetof(psa_key_production_parameters_t, data) + params_data_length).
+ *
+ * For simplicity, here, we allocate up to N more bytes than necessary.
+ * In practice, the current layout of psa_key_production_parameters_t
+ * makes padding extremely unlikely, so we don't worry about testing
+ * that the library code doesn't try to access these extra N bytes.
+ */
+ *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length);
+ TEST_ASSERT(*params != NULL);
+ (*params)->flags = (uint32_t) flags_arg;
+ memcpy((*params)->data, params_data->x, params_data->len);
+ return 1;
+exit:
+ return 0;
+}
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+
+typedef struct same_key_context {
+ data_t *data;
+ mbedtls_svc_key_id_t key;
+ psa_key_attributes_t *attributes;
+ int type;
+ int bits;
+ /* The following two parameters are used to ensure that when multiple
+ * threads attempt to load/destroy the key, exactly one thread succeeds. */
+ int key_loaded;
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(key_loaded_mutex);
+}
+same_key_context;
+
+/* Attempt to import the key in ctx. This handles any valid error codes
+ * and reports an error for any invalid codes. This function also insures
+ * that once imported by some thread, all threads can use the key. */
+void *thread_import_key(void *ctx)
+{
+ mbedtls_svc_key_id_t returned_key_id;
+ same_key_context *skc = (struct same_key_context *) ctx;
+ psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ /* Import the key, exactly one thread must succeed. */
+ psa_status_t status = psa_import_key(skc->attributes, skc->data->x,
+ skc->data->len, &returned_key_id);
+ switch (status) {
+ case PSA_SUCCESS:
+ if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
+ if (skc->key_loaded) {
+ mbedtls_mutex_unlock(&skc->key_loaded_mutex);
+ /* More than one thread has succeeded, report a failure. */
+ TEST_FAIL("The same key has been loaded into the key store multiple times.");
+ }
+ skc->key_loaded = 1;
+ mbedtls_mutex_unlock(&skc->key_loaded_mutex);
+ }
+ break;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ /* If all of the key slots are reserved when a thread
+ * locks the mutex to reserve a new slot, it will return
+ * PSA_ERROR_INSUFFICIENT_MEMORY; this is correct behaviour.
+ * There is a chance for this to occur here when the number of
+ * threads running this function is larger than the number of
+ * free key slots. Each thread reserves an empty key slot,
+ * unlocks the mutex, then relocks it to finalize key creation.
+ * It is at that point where the thread sees that the key
+ * already exists, releases the reserved slot,
+ * and returns PSA_ERROR_ALREADY_EXISTS.
+ * There is no guarantee that the key is loaded upon this return
+ * code, so we can't test the key information. Just stop this
+ * thread from executing, note that this is not an error. */
+ goto exit;
+ break;
+ case PSA_ERROR_ALREADY_EXISTS:
+ /* The key has been loaded by a different thread. */
+ break;
+ default:
+ PSA_ASSERT(status);
+ }
+ /* At this point the key must exist, test the key information. */
+ status = psa_get_key_attributes(skc->key, &got_attributes);
+ if (status == PSA_ERROR_INSUFFICIENT_MEMORY) {
+ /* This is not a test failure. The following sequence of events
+ * causes this to occur:
+ * 1: This thread successfuly imports a persistent key skc->key.
+ * 2: N threads reserve an empty key slot in psa_import_key,
+ * where N is equal to the number of free key slots.
+ * 3: A final thread attempts to reserve an empty key slot, kicking
+ * skc->key (which has no registered readers) out of its slot.
+ * 4: This thread calls psa_get_key_attributes(skc->key,...):
+ * it sees that skc->key is not in a slot, attempts to load it and
+ * finds that there are no free slots.
+ * This thread returns PSA_ERROR_INSUFFICIENT_MEMORY.
+ *
+ * The PSA spec allows this behaviour, it is an unavoidable consequence
+ * of allowing persistent keys to be kicked out of the key store while
+ * they are still valid. */
+ goto exit;
+ }
+ PSA_ASSERT(status);
+ TEST_EQUAL(psa_get_key_type(&got_attributes), skc->type);
+ TEST_EQUAL(psa_get_key_bits(&got_attributes), skc->bits);
+
+exit:
+ /* Key attributes may have been returned by psa_get_key_attributes(),
+ * reset them as required. */
+ psa_reset_key_attributes(&got_attributes);
+ return NULL;
+}
+
+void *thread_use_and_destroy_key(void *ctx)
+{
+ same_key_context *skc = (struct same_key_context *) ctx;
+
+ /* Do something with the key according
+ * to its type and permitted usage. */
+ TEST_ASSERT(mbedtls_test_psa_exercise_key(skc->key,
+ skc->attributes->policy.usage,
+ skc->attributes->policy.alg, 1));
+
+ psa_status_t status = psa_destroy_key(skc->key);
+ if (status == PSA_SUCCESS) {
+ if (mbedtls_mutex_lock(&skc->key_loaded_mutex) == 0) {
+ /* Ensure that we are the only thread to succeed. */
+ if (skc->key_loaded != 1) {
+ mbedtls_mutex_unlock(&skc->key_loaded_mutex);
+ TEST_FAIL("The same key has been destroyed multiple times.");
+ }
+ skc->key_loaded = 0;
+ mbedtls_mutex_unlock(&skc->key_loaded_mutex);
+ }
+ } else {
+ TEST_EQUAL(status, PSA_ERROR_INVALID_HANDLE);
+ }
+
+exit:
+ return NULL;
+}
+
+typedef struct generate_key_context {
+ psa_key_type_t type;
+ psa_key_usage_t usage;
+ size_t bits;
+ psa_algorithm_t alg;
+ psa_status_t expected_status;
+ psa_key_attributes_t *attributes;
+ int is_large_key;
+ int reps;
+}
+generate_key_context;
+void *thread_generate_key(void *ctx)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ generate_key_context *gkc = (struct generate_key_context *) ctx;
+
+ /* If there are race conditions, it is likely the case that they do not
+ * arise every time the code runs. We repeat the code to increase the
+ * chance that any race conditions will be hit. */
+ for (int n = 0; n < gkc->reps; n++) {
+ /* Generate a key */
+ psa_status_t status = psa_generate_key(gkc->attributes, &key);
+
+ if (gkc->is_large_key > 0) {
+ TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
+ }
+
+ TEST_EQUAL(status, gkc->expected_status);
+ if (gkc->expected_status != PSA_SUCCESS) {
+ PSA_ASSERT(psa_destroy_key(key));
+ goto exit;
+ }
+
+ /* Test the key information */
+ PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
+ TEST_EQUAL(psa_get_key_type(&got_attributes), gkc->type);
+ TEST_EQUAL(psa_get_key_bits(&got_attributes), gkc->bits);
+
+ /* Do something with the key according
+ * to its type and permitted usage. */
+ if (!mbedtls_test_psa_exercise_key(key, gkc->usage, gkc->alg, 0)) {
+ psa_destroy_key(key);
+ goto exit;
+ }
+ psa_reset_key_attributes(&got_attributes);
+
+ PSA_ASSERT(psa_destroy_key(key));
+ }
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&got_attributes);
+ return NULL;
+}
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
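Review bot: In `thread_import_key` and `thread_use_and_destroy_key` the result of `mbedtls_mutex_lock(&skc->key_loaded_mutex)` is only compared with `== 0` and has no else branch, so a failed lock silently skips both the duplicate-load / duplicate-destroy check and the `key_loaded` update. These helpers exist to catch key-store races, so a lock failure should fail the test where it happens, for example `TEST_EQUAL(mbedtls_mutex_lock(&skc->key_loaded_mutex), 0);` ahead of the critical section. Separately, `thread_generate_key` destroys the key on the exercise-failure path and at the end of each iteration, but a failed `PSA_ASSERT(psa_get_key_attributes(key, &got_attributes))` or `TEST_EQUAL` on type/bits jumps to `exit` with the generated key still present. A best-effort `psa_destroy_key(key);` under `exit:` would make cleanup uniform across failure paths.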
@@ -1571,7 +1834,7 @@ void import_export(data_t *data,
* this doesn't directly validate the implementation, but it still helps
* by cross-validating the test data with the sanity check code. */
if (!psa_key_lifetime_is_external(lifetime)) {
- if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage_arg, 0, 0)) {
goto exit;
}
}
@@ -1680,6 +1943,78 @@ exit:
}
/* END_CASE */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_CRYPTO_STORAGE_C */
+void concurrently_use_same_persistent_key(data_t *data,
+ int type_arg,
+ int bits_arg,
+ int alg_arg,
+ int thread_count_arg)
+{
+ size_t thread_count = (size_t) thread_count_arg;
+ mbedtls_test_thread_t *threads = NULL;
+ mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(1, 1);
+ same_key_context skc;
+ skc.data = data;
+ skc.key = key_id;
+ skc.type = type_arg;
+ skc.bits = bits_arg;
+ skc.key_loaded = 0;
+ mbedtls_mutex_init(&skc.key_loaded_mutex);
+ psa_key_usage_t usage = mbedtls_test_psa_usage_to_exercise(skc.type, alg_arg);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_id(&attributes, key_id);
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT);
+ psa_set_key_usage_flags(&attributes, usage);
+ psa_set_key_algorithm(&attributes, alg_arg);
+ psa_set_key_type(&attributes, type_arg);
+ psa_set_key_bits(&attributes, bits_arg);
+ skc.attributes = &attributes;
+
+ TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
+
+ /* Test that when multiple threads import the same key,
+ * exactly one thread succeeds and the rest fail with valid errors.
+ * Also test that all threads can use the key as soon as it has been
+ * imported. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i], thread_import_key,
+ (void *) &skc), 0);
+ }
+
+ /* Join threads. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+
+ /* Test that when multiple threads use and destroy a key no corruption
+ * occurs, and exactly one thread succeeds when destroying the key. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i], thread_use_and_destroy_key,
+ (void *) &skc), 0);
+ }
+
+ /* Join threads. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+ /* Ensure that one thread succeeded in destroying the key. */
+ TEST_ASSERT(!skc.key_loaded);
+exit:
+ psa_reset_key_attributes(&attributes);
+ mbedtls_mutex_free(&skc.key_loaded_mutex);
+ mbedtls_free(threads);
+ PSA_DONE();
+}
+/* END_CASE */
+#endif
+
/* BEGIN_CASE */
void import_and_exercise_key(data_t *data,
int type_arg,
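Review bot: The `exit:` path of `concurrently_use_same_persistent_key` calls `mbedtls_mutex_free(&skc.key_loaded_mutex)` and `mbedtls_free(threads)` without joining threads that were already started. If a `TEST_EQUAL(mbedtls_test_thread_create(...), 0)` or a join assertion fails partway through a loop (assuming the TEST_* macros jump to `exit`, as the label suggests), earlier threads can still be dereferencing `skc` and `attributes`, which live on this function's stack. Counting the threads actually created and joining them under `exit:` before the mutex is freed would close that use-after-scope window on the failure path. Also, `TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count)` appears to pass a byte count where the macro presumably takes an element count (its definition is not visible here), so `TEST_CALLOC(threads, thread_count);` is probably what is meant.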
@@ -1709,7 +2044,7 @@ void import_and_exercise_key(data_t *data,
TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
/* Do something with the key according to its type and permitted usage. */
- if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
goto exit;
}
@@ -2107,7 +2442,8 @@ void asymmetric_encryption_key_policy(int policy_usage_arg,
int policy_alg,
int key_type,
data_t *key_data,
- int exercise_alg)
+ int exercise_alg,
+ int use_opaque_key)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -2124,6 +2460,11 @@ void asymmetric_encryption_key_policy(int policy_usage_arg,
psa_set_key_algorithm(&attributes, policy_alg);
psa_set_key_type(&attributes, key_type);
+ if (use_opaque_key) {
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+ PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION));
+ }
+
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
@@ -2340,7 +2681,7 @@ void agreement_key_policy(int policy_usage,
&key));
PSA_ASSERT(psa_key_derivation_setup(&operation, exercise_alg));
- status = mbedtls_test_psa_key_agreement_with_self(&operation, key);
+ status = mbedtls_test_psa_key_agreement_with_self(&operation, key, 0);
TEST_EQUAL(status, expected_status);
@@ -2379,10 +2720,10 @@ void key_policy_alg2(int key_type_arg, data_t *key_data,
TEST_EQUAL(psa_get_key_algorithm(&got_attributes), alg);
TEST_EQUAL(psa_get_key_enrollment_algorithm(&got_attributes), alg2);
- if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
goto exit;
}
- if (!mbedtls_test_psa_exercise_key(key, usage, alg2)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg2, 0)) {
goto exit;
}
@@ -2422,7 +2763,7 @@ void raw_agreement_key_policy(int policy_usage,
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
- status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key);
+ status = mbedtls_test_psa_raw_key_agreement_with_self(exercise_alg, key, 0);
TEST_EQUAL(status, expected_status);
@@ -2513,10 +2854,10 @@ void copy_success(int source_usage_arg,
}
if (!psa_key_lifetime_is_external(target_lifetime)) {
- if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg)) {
+ if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg, 0)) {
goto exit;
}
- if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2)) {
+ if (!mbedtls_test_psa_exercise_key(target_key, expected_usage, expected_alg2, 0)) {
goto exit;
}
}
@@ -4608,7 +4949,8 @@ void cipher_verify_output_multipart(int alg_arg,
PSA_ASSERT(psa_cipher_update(&operation1,
input->x + first_part_size,
input->len - first_part_size,
- output1, output1_buffer_size,
+ output1 + output1_length,
+ output1_buffer_size - output1_length,
&function_output_length));
TEST_LE_U(function_output_length,
PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
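Review bot: `output1_buffer_size - output1_length` is an unsigned subtraction, and the hunk shows no check that `output1_length` is still within the buffer. If a cipher implementation over-reported its output length on the first update, the remaining size would wrap and the second `psa_cipher_update` would be given a near-`SIZE_MAX` capacity. Adding `TEST_LE_U(output1_length, output1_buffer_size);` just before this call turns that into a clean test failure instead of an out-of-bounds write in the test process. The same applies to `output2_buffer_size - output2_length` in the next hunk of cipher_verify_output_multipart. The accumulation of `output1_length` happens outside the hunk, so an equivalent check may already exist there.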
@@ -4654,7 +4996,8 @@ void cipher_verify_output_multipart(int alg_arg,
PSA_ASSERT(psa_cipher_update(&operation2,
output1 + first_part_size,
output1_length - first_part_size,
- output2, output2_buffer_size,
+ output2 + output2_length,
+ output2_buffer_size - output2_length,
&function_output_length));
TEST_LE_U(function_output_length,
PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type,
@@ -5122,7 +5465,9 @@ void aead_multipart_generate_nonce(int key_type_arg, data_t *key_data,
psa_key_type_t key_type = key_type_arg;
psa_algorithm_t alg = alg_arg;
psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
- uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE];
+ /* Some tests try to get more than the maximum nonce length,
+ * so allocate double. */
+ uint8_t nonce_buffer[PSA_AEAD_NONCE_MAX_SIZE * 2];
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_status_t expected_status = expected_status_arg;
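Review bot: Doubling `nonce_buffer` to `PSA_AEAD_NONCE_MAX_SIZE * 2` moves the limit but does not tie the array size to the length the test asks for. That length appears to come from test data, although the call that consumes it is outside this hunk. A data line requesting more than twice the maximum would still let a faulty implementation write past this stack array. Either allocate the buffer from the requested length with `TEST_CALLOC`, or pin the assumption before the call with `TEST_LE_U(<requested nonce length>, sizeof(nonce_buffer));`.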
@@ -7639,8 +7984,7 @@ void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
* no reliance on external buffers. */
psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
- input_buffer = mbedtls_calloc(1, input_data->len);
- TEST_ASSERT(input_buffer != NULL);
+ TEST_CALLOC(input_buffer, input_data->len);
memcpy(input_buffer, input_data->x, input_data->len);
@@ -7657,8 +8001,7 @@ void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
- input_buffer = mbedtls_calloc(1, input_data->len);
- TEST_ASSERT(input_buffer != NULL);
+ TEST_CALLOC(input_buffer, input_data->len);
memcpy(input_buffer, input_data->x, input_data->len);
@@ -7683,6 +8026,7 @@ exit:
psa_destroy_key(key);
mbedtls_free(signature);
+ mbedtls_free(input_buffer);
PSA_DONE();
}
/* END_CASE */
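Review bot: With `mbedtls_free(input_buffer);` now in the `exit:` path, every release of `input_buffer` inside the body must be followed by `input_buffer = NULL;`. Otherwise an assertion that fails after such a release jumps to `exit:` and frees the same pointer a second time. The two `TEST_CALLOC(input_buffer, input_data->len);` calls in the preceding hunks suggest the buffer is released between them, but those lines are outside the hunks shown, so this needs confirming against the full function.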
@@ -8452,7 +8796,7 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
-void derive_set_capacity(int alg_arg, int capacity_arg,
+void derive_set_capacity(int alg_arg, int64_t capacity_arg,
int expected_status_arg)
{
psa_algorithm_t alg = alg_arg;
@@ -8532,7 +8876,7 @@ void derive_input(int alg_arg,
// When taking a private key as secret input, use key agreement
// to add the shared secret to the derivation
TEST_EQUAL(mbedtls_test_psa_key_agreement_with_self(
- &operation, keys[i]),
+ &operation, keys[i], 0),
expected_statuses[i]);
} else {
TEST_EQUAL(psa_key_derivation_input_key(&operation, steps[i],
@@ -8631,7 +8975,7 @@ void derive_over_capacity(int alg_arg)
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
input1, input1_length,
input2, input2_length,
- capacity)) {
+ capacity, 0)) {
goto exit;
}
@@ -8933,7 +9277,7 @@ void derive_full(int alg_arg,
psa_algorithm_t alg = alg_arg;
size_t requested_capacity = requested_capacity_arg;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
- unsigned char output_buffer[16];
+ unsigned char output_buffer[32];
size_t expected_capacity = requested_capacity;
size_t current_capacity;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -8950,7 +9294,7 @@ void derive_full(int alg_arg,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, key, alg,
input1->x, input1->len,
input2->x, input2->len,
- requested_capacity)) {
+ requested_capacity, 0)) {
goto exit;
}
@@ -9067,7 +9411,7 @@ void derive_key_exercise(int alg_arg,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
input1->x, input1->len,
input2->x, input2->len,
- capacity)) {
+ capacity, 0)) {
goto exit;
}
@@ -9084,7 +9428,7 @@ void derive_key_exercise(int alg_arg,
TEST_EQUAL(psa_get_key_bits(&got_attributes), derived_bits);
/* Exercise the derived key. */
- if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg)) {
+ if (!mbedtls_test_psa_exercise_key(derived_key, derived_usage, derived_alg, 0)) {
goto exit;
}
@@ -9137,7 +9481,7 @@ void derive_key_export(int alg_arg,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
input1->x, input1->len,
input2->x, input2->len,
- capacity)) {
+ capacity, 0)) {
goto exit;
}
@@ -9150,7 +9494,7 @@ void derive_key_export(int alg_arg,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
input1->x, input1->len,
input2->x, input2->len,
- capacity)) {
+ capacity, 0)) {
goto exit;
}
@@ -9221,7 +9565,7 @@ void derive_key_type(int alg_arg,
&operation, base_key, alg,
input1->x, input1->len,
input2->x, input2->len,
- PSA_KEY_DERIVATION_UNLIMITED_CAPACITY) == 0) {
+ PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
goto exit;
}
@@ -9248,6 +9592,81 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
+void derive_key_ext(int alg_arg,
+ data_t *key_data,
+ data_t *input1,
+ data_t *input2,
+ int key_type_arg, int bits_arg,
+ int flags_arg,
+ data_t *params_data,
+ psa_status_t expected_status,
+ data_t *expected_export)
+{
+ mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
+ const psa_algorithm_t alg = alg_arg;
+ const psa_key_type_t key_type = key_type_arg;
+ const size_t bits = bits_arg;
+ psa_key_production_parameters_t *params = NULL;
+ size_t params_data_length = 0;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ const size_t export_buffer_size =
+ PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
+ uint8_t *export_buffer = NULL;
+ psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t export_length;
+
+ TEST_CALLOC(export_buffer, export_buffer_size);
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&base_attributes, alg);
+ psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
+ PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
+ &base_key));
+
+ if (mbedtls_test_psa_setup_key_derivation_wrap(
+ &operation, base_key, alg,
+ input1->x, input1->len,
+ input2->x, input2->len,
+ PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
+ goto exit;
+ }
+
+ psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
+ psa_set_key_algorithm(&derived_attributes, 0);
+ psa_set_key_type(&derived_attributes, key_type);
+ psa_set_key_bits(&derived_attributes, bits);
+ if (!setup_key_production_parameters(&params, &params_data_length,
+ flags_arg, params_data)) {
+ goto exit;
+ }
+
+ TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation,
+ params, params_data_length,
+ &derived_key),
+ expected_status);
+
+ if (expected_status == PSA_SUCCESS) {
+ PSA_ASSERT(psa_export_key(derived_key,
+ export_buffer, export_buffer_size,
+ &export_length));
+ TEST_MEMORY_COMPARE(export_buffer, export_length,
+ expected_export->x, expected_export->len);
+ }
+
+exit:
+ mbedtls_free(export_buffer);
+ mbedtls_free(params);
+ psa_key_derivation_abort(&operation);
+ psa_destroy_key(base_key);
+ psa_destroy_key(derived_key);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void derive_key(int alg_arg,
data_t *key_data, data_t *input1, data_t *input2,
int type_arg, int bits_arg,
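Review bot: derive_key_ext checks only the returned status when `expected_status` is an error, and never verifies that `derived_key` was left null. An implementation that rejects the production parameters but still leaves a key behind would pass. After the `TEST_EQUAL` on `psa_key_derivation_output_key_ext`, add an else branch to the `expected_status == PSA_SUCCESS` test with `TEST_ASSERT(mbedtls_svc_key_id_is_null(derived_key));`. generate_key_ext in a later hunk has the same gap before its `goto exit` on `expected_status != PSA_SUCCESS`.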
@@ -9275,7 +9694,7 @@ void derive_key(int alg_arg,
if (!mbedtls_test_psa_setup_key_derivation_wrap(&operation, base_key, alg,
input1->x, input1->len,
input2->x, input2->len,
- SIZE_MAX)) {
+ SIZE_MAX, 0)) {
goto exit;
}
@@ -9480,6 +9899,45 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+void ecc_conversion_functions(int grp_id_arg, int psa_family_arg, int bits_arg)
+{
+ mbedtls_ecp_group_id grp_id = grp_id_arg;
+ psa_ecc_family_t ecc_family = psa_family_arg;
+ size_t bits = bits_arg;
+ size_t bits_tmp;
+
+ TEST_EQUAL(ecc_family, mbedtls_ecc_group_to_psa(grp_id, &bits_tmp));
+ TEST_EQUAL(bits, bits_tmp);
+ TEST_EQUAL(grp_id, mbedtls_ecc_group_from_psa(ecc_family, bits));
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+void ecc_conversion_functions_fail()
+{
+ size_t bits;
+
+ /* Invalid legacy curve identifiers. */
+ TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_MAX, &bits));
+ TEST_EQUAL(0, bits);
+ TEST_EQUAL(0, mbedtls_ecc_group_to_psa(MBEDTLS_ECP_DP_NONE, &bits));
+ TEST_EQUAL(0, bits);
+
+ /* Invalid PSA EC family. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(0, 192));
+ /* Invalid bit-size for a valid EC family. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE, mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_SECP_R1, 512));
+
+ /* Twisted-Edward curves are not supported yet. */
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
+ mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 255));
+ TEST_EQUAL(MBEDTLS_ECP_DP_NONE,
+ mbedtls_ecc_group_from_psa(PSA_ECC_FAMILY_TWISTED_EDWARDS, 448));
+}
+/* END_CASE */
+
+
/* BEGIN_CASE */
void key_agreement_output(int alg_arg,
int our_key_type_arg, data_t *our_key_data,
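Review bot: In ecc_conversion_functions_fail, `bits` is declared without an initialiser and then read by `TEST_EQUAL(0, bits)`. If `mbedtls_ecc_group_to_psa` does not write the output on failure, the first check reads an indeterminate value. The second check can pass purely on the 0 left behind by the first call. Initialise it to a non-zero sentinel, `size_t bits = SIZE_MAX;`, and reset it with `bits = SIZE_MAX;` before the `MBEDTLS_ECP_DP_NONE` call so that each assertion actually shows the function cleared the output.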
@@ -9584,6 +10042,59 @@ exit:
}
/* END_CASE */
+#if defined MBEDTLS_THREADING_PTHREAD
+
+/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
+void concurrently_generate_keys(int type_arg,
+ int bits_arg,
+ int usage_arg,
+ int alg_arg,
+ int expected_status_arg,
+ int is_large_key_arg,
+ int arg_thread_count,
+ int reps_arg)
+{
+ size_t thread_count = (size_t) arg_thread_count;
+ mbedtls_test_thread_t *threads = NULL;
+ generate_key_context gkc;
+ gkc.type = type_arg;
+ gkc.usage = usage_arg;
+ gkc.bits = bits_arg;
+ gkc.alg = alg_arg;
+ gkc.expected_status = expected_status_arg;
+ gkc.is_large_key = is_large_key_arg;
+ gkc.reps = reps_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, usage_arg);
+ psa_set_key_algorithm(&attributes, alg_arg);
+ psa_set_key_type(&attributes, type_arg);
+ psa_set_key_bits(&attributes, bits_arg);
+ gkc.attributes = &attributes;
+
+ TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
+
+ /* Split threads to generate key then destroy key. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i], thread_generate_key,
+ (void *) &gkc), 0);
+ }
+
+ /* Join threads. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+
+exit:
+ mbedtls_free(threads);
+ PSA_DONE();
+}
+/* END_CASE */
+#endif
+
/* BEGIN_CASE */
void generate_key(int type_arg,
int bits_arg,
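Review bot: If `mbedtls_test_thread_create` or `mbedtls_test_thread_join` fails part-way through concurrently_generate_keys, `TEST_EQUAL` presumably jumps to `exit:` while earlier threads are still running. `exit:` then frees `threads`, calls `PSA_DONE()` and returns, so those threads keep using the stack-allocated `gkc` and `attributes` after they are gone. Track how many threads were started and joined, and reap the remainder under `exit:` before any teardown. The concurrent import test whose tail opens this chunk (`thread_import_key` / `thread_use_and_destroy_key`) uses the same create/join pattern and additionally frees `skc.key_loaded_mutex` in its exit path.

```c
    size_t started = 0;     /* threads successfully created */
    size_t joined = 0;      /* threads for which a join was attempted */
    /* … unchanged: gkc and attribute setup, TEST_CALLOC(threads, …) … */

    for (; started < thread_count; started++) {
        TEST_EQUAL(
            mbedtls_test_thread_create(&threads[started], thread_generate_key,
                                       (void *) &gkc), 0);
    }

    while (joined < started) {
        int ret = mbedtls_test_thread_join(&threads[joined++]);
        TEST_EQUAL(ret, 0);
    }

exit:
    /* Reap any thread still running after an early failure, before the
     * state it shares with this function is torn down. */
    while (joined < started) {
        (void) mbedtls_test_thread_join(&threads[joined++]);
    }
    /* … unchanged: mbedtls_free(threads); PSA_DONE(); … */
```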
@@ -9625,7 +10136,7 @@ void generate_key(int type_arg,
TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
/* Do something with the key according to its type and permitted usage. */
- if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
goto exit;
}
@@ -9641,111 +10152,85 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
-void generate_key_rsa(int bits_arg,
- data_t *e_arg,
+/* BEGIN_CASE */
+void generate_key_ext(int type_arg,
+ int bits_arg,
+ int usage_arg,
+ int alg_arg,
+ int flags_arg,
+ data_t *params_data,
int expected_status_arg)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR;
+ psa_key_type_t type = type_arg;
+ psa_key_usage_t usage = usage_arg;
size_t bits = bits_arg;
- psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
- psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW;
+ psa_algorithm_t alg = alg_arg;
psa_status_t expected_status = expected_status_arg;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint8_t *exported = NULL;
- size_t exported_size =
- PSA_EXPORT_KEY_OUTPUT_SIZE(PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits);
- size_t exported_length = SIZE_MAX;
- uint8_t *e_read_buffer = NULL;
- int is_default_public_exponent = 0;
- size_t e_read_size = PSA_KEY_DOMAIN_PARAMETERS_SIZE(type, bits);
- size_t e_read_length = SIZE_MAX;
-
- if (e_arg->len == 0 ||
- (e_arg->len == 3 &&
- e_arg->x[0] == 1 && e_arg->x[1] == 0 && e_arg->x[2] == 1)) {
- is_default_public_exponent = 1;
- e_read_size = 0;
- }
- TEST_CALLOC(e_read_buffer, e_read_size);
- TEST_CALLOC(exported, exported_size);
+ psa_key_production_parameters_t *params = NULL;
+ size_t params_data_length = 0;
+ psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
PSA_ASSERT(psa_crypto_init());
psa_set_key_usage_flags(&attributes, usage);
psa_set_key_algorithm(&attributes, alg);
- PSA_ASSERT(psa_set_key_domain_parameters(&attributes, type,
- e_arg->x, e_arg->len));
+ psa_set_key_type(&attributes, type);
psa_set_key_bits(&attributes, bits);
+ if (!setup_key_production_parameters(&params, &params_data_length,
+ flags_arg, params_data)) {
+ goto exit;
+ }
+
/* Generate a key */
- TEST_EQUAL(psa_generate_key(&attributes, &key), expected_status);
+ psa_status_t status = psa_generate_key_ext(&attributes,
+ params, params_data_length,
+ &key);
+
+ TEST_EQUAL(status, expected_status);
if (expected_status != PSA_SUCCESS) {
goto exit;
}
/* Test the key information */
- PSA_ASSERT(psa_get_key_attributes(key, &attributes));
- TEST_EQUAL(psa_get_key_type(&attributes), type);
- TEST_EQUAL(psa_get_key_bits(&attributes), bits);
- PSA_ASSERT(psa_get_key_domain_parameters(&attributes,
- e_read_buffer, e_read_size,
- &e_read_length));
- if (is_default_public_exponent) {
- TEST_EQUAL(e_read_length, 0);
- } else {
- TEST_MEMORY_COMPARE(e_read_buffer, e_read_length, e_arg->x, e_arg->len);
+ PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
+ TEST_EQUAL(psa_get_key_type(&got_attributes), type);
+ TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ TEST_ASSERT(rsa_test_e(key, bits, params_data));
}
+#endif
/* Do something with the key according to its type and permitted usage. */
- if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
goto exit;
}
- /* Export the key and check the public exponent. */
- PSA_ASSERT(psa_export_public_key(key,
- exported, exported_size,
- &exported_length));
- {
- uint8_t *p = exported;
- uint8_t *end = exported + exported_length;
- size_t len;
- /* RSAPublicKey ::= SEQUENCE {
- * modulus INTEGER, -- n
- * publicExponent INTEGER } -- e
- */
- TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_SEQUENCE |
- MBEDTLS_ASN1_CONSTRUCTED));
- TEST_ASSERT(mbedtls_test_asn1_skip_integer(&p, end, bits, bits, 1));
- TEST_EQUAL(0, mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_INTEGER));
- if (len >= 1 && p[0] == 0) {
- ++p;
- --len;
- }
- if (e_arg->len == 0) {
- TEST_EQUAL(len, 3);
- TEST_EQUAL(p[0], 1);
- TEST_EQUAL(p[1], 0);
- TEST_EQUAL(p[2], 1);
- } else {
- TEST_MEMORY_COMPARE(p, len, e_arg->x, e_arg->len);
- }
- }
-
exit:
/*
- * Key attributes may have been returned by psa_get_key_attributes() or
- * set by psa_set_key_domain_parameters() thus reset them as required.
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
*/
- psa_reset_key_attributes(&attributes);
-
+ psa_reset_key_attributes(&got_attributes);
+ mbedtls_free(params);
psa_destroy_key(key);
PSA_DONE();
- mbedtls_free(e_read_buffer);
- mbedtls_free(exported);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void key_production_parameters_init()
+{
+ psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT;
+ psa_key_production_parameters_t zero;
+ memset(&zero, 0, sizeof(zero));
+
+ TEST_EQUAL(init.flags, 0);
+ TEST_EQUAL(zero.flags, 0);
}
/* END_CASE */
@@ -9872,7 +10357,7 @@ void persistent_key_load_key_from_storage(data_t *data,
}
/* Do something with the key according to its type and permitted usage. */
- if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg)) {
+ if (!mbedtls_test_psa_exercise_key(key, usage_flags, alg, 0)) {
goto exit;
}
diff --git a/tests/suites/test_suite_psa_crypto_attributes.function b/tests/suites/test_suite_psa_crypto_attributes.function
index c933cb7..bc7adb4 100644
--- a/tests/suites/test_suite_psa_crypto_attributes.function
+++ b/tests/suites/test_suite_psa_crypto_attributes.function
@@ -20,6 +20,8 @@ void attributes_set_get(int owner_id_arg, int id_arg, int lifetime_arg,
psa_key_type_t type = type_arg;
size_t bits = bits_arg;
+ USE_PSA_INIT();
+
TEST_EQUAL(
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 0);
TEST_EQUAL(
@@ -56,6 +58,8 @@ void attributes_set_get(int owner_id_arg, int id_arg, int lifetime_arg,
TEST_EQUAL(psa_get_key_algorithm(&attributes), 0);
TEST_EQUAL(psa_get_key_type(&attributes), 0);
TEST_EQUAL(psa_get_key_bits(&attributes), 0);
+
+ USE_PSA_DONE();
}
/* END_CASE */
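Review bot: `USE_PSA_DONE();` is added as the last statement of attributes_set_get with no `exit:` label in front of it. If the assertion macros jump to `exit` on failure, as the cleanup blocks elsewhere in this diff suggest, a failing `TEST_EQUAL` skips the teardown and leaves PSA initialised for the following test case. Put the label directly before the call: `exit:` followed by `USE_PSA_DONE();`. The part of the function between the two hunks is not shown, so this assumes it contains no `exit:` label of its own.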
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
index 54558f0..54e0892 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
@@ -15,35 +15,35 @@ depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
sign_hash:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"000102030405060708090A0B0C0D0E0F":1:PSA_SUCCESS
sign_hash transparent driver: in driver RSA PKCS#1 v1.5, raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":0:PSA_SUCCESS
sign_hash transparent driver: fallback RSA PKCS#1 v1.5, raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_NOT_SUPPORTED:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":0:PSA_SUCCESS
sign_hash transparent driver: error RSA PKCS#1 v1.5, raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_GENERIC_ERROR:"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":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":0:PSA_ERROR_GENERIC_ERROR
sign_hash transparent driver: fake RSA PKCS#1 v1.5, raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:"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":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":1:PSA_SUCCESS
sign_hash transparent driver: in driver RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_SUCCESS
sign_hash transparent driver: fallback RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:"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":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_SUCCESS
sign_hash transparent driver: error RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:"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":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_ERROR_GENERIC_ERROR
sign_hash transparent driver: fake RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:"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":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":1:PSA_SUCCESS
verify_hash transparent driver: in driver ECDSA SECP256R1 SHA-256
@@ -71,27 +71,27 @@ depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_KEY_TYPE_ECC_PUBLIC_KEY( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA( PSA_ALG_SHA_256 ):PSA_ERROR_GENERIC_ERROR:1:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_GENERIC_ERROR
verify_hash transparent driver: in driver Key Pair RSA PKCS#1 v1.5 raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":PSA_SUCCESS
verify_hash transparent driver: fallback Key Pair RSA PKCS#1 v1.5 raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_NOT_SUPPORTED:0:"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":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":PSA_SUCCESS
verify_hash transparent driver: error Key Pair RSA PKCS#1 v1.5 raw
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_GENERIC_ERROR:0:"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":"616263":"2c7744983f023ac7bb1c55529d83ed11a76a7898a1bb5ce191375a4aa7495a633d27879ff58eba5a57371c34feb1180e8b850d552476ebb5634df620261992f12ebee9097041dbbea85a42d45b344be5073ceb772ffc604954b9158ba81ec3dc4d9d65e3ab7aa318165f38c36f841f1c69cb1cfa494aa5cbb4d6c0efbafb043a":PSA_ERROR_GENERIC_ERROR
verify_hash transparent driver: in driver Key Pair RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:0:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_hash transparent driver: fallback Key Pair RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:0:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_hash transparent driver: error Key Pair RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:0:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_GENERIC_ERROR
verify_hash transparent driver: in driver Public Key RSA PKCS#1 v1.5 SHA-256
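Review bot: The two "fallback Key Pair" cases in this hunk still depend on `MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT`, although they exercise `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` and `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256)`. With `MBEDTLS_MD_C` removed, that encryption symbol is the only dependency left that ties them to built-in code. If the fallback path needs the built-in signature implementation, the guard would presumably be `MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN` here, and `MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS` for the PSS and PSS-any-salt fallback cases in the `@@ -99,35 +99,35 @@` hunk. The sign_message and verify_message fallback cases in the later hunks follow the same pattern. This should be confirmed against a build where signing is accelerated but built-in RSA encryption is enabled, since there the fallback cases could run with nothing to fall back to.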
@@ -99,35 +99,35 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_hash transparent driver: fallback Public Key RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_hash transparent driver: error Public Key RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_GENERIC_ERROR
verify_hash transparent driver: in driver Public Key RSA-1024 PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_SUCCESS
verify_hash transparent driver: fallback Public Key RSA-1024 PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_SUCCESS
verify_hash transparent driver: error Public Key RSA-1024 PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_ERROR_GENERIC_ERROR
verify_hash transparent driver: in driver Public Key RSA-1024 PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_SUCCESS
verify_hash transparent driver: fallback Public Key RSA-1024 PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_SUCCESS
verify_hash transparent driver: error Public Key RSA-1024 PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df":PSA_ERROR_GENERIC_ERROR
sign_message transparent driver: calculate in driver ECDSA SECP256R1 SHA-256
@@ -147,19 +147,19 @@ depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
sign_message:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"616263":"000102030405060708090A0B0C0D0E0F":1:PSA_SUCCESS
sign_message transparent driver: calculate in driver RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_SUCCESS
sign_message transparent driver: fallback RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
sign_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_SUCCESS
sign_message transparent driver: error RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":0:PSA_ERROR_GENERIC_ERROR
sign_message transparent driver: fake RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
sign_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":1:PSA_SUCCESS
verify_message transparent driver: calculate in driver ECDSA SECP256R1 SHA-256
@@ -187,61 +187,62 @@ depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_
verify_message:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":"616263":"36e5b5a7da1c9c265dc447de3a5a704fcb8c03f7a3749dde48d84c9bf736fc1ed48d8b3660e7d3cbc6b1870730b7ce2a043f69e37ccb340b98d1e65184e03548":PSA_ERROR_GENERIC_ERROR
verify_message transparent driver: calculate in driver RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:0:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_message transparent driver: fallback RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:0:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_message transparent driver: error RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:0:"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":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_GENERIC_ERROR
verify_message transparent driver: calculate in driver Public Key RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_message transparent driver: fallback Public Key RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_SUCCESS
verify_message transparent driver: error Public Key RSA PKCS#1 v1.5 SHA-256
-depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_GENERIC_ERROR
verify_message transparent driver: calculate in driver Public Key RSA PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"29b65db0936b7fe408bda672077b0bc5e176177ba9a550fb548c292f7b4af1bb6475e0a979ba43dd644780801fabe5b62a1359cf7692918f30013e90c2362235765abc2078905d13b345dd689bf15e4e94ca51535d12f0675d5f13e9f254ba7696f0096d62deb023d106e9a96a5da3162bead6a745c8b9000868d2f9a447d5c5":PSA_SUCCESS
verify_message transparent driver: fallback Public Key RSA PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"29b65db0936b7fe408bda672077b0bc5e176177ba9a550fb548c292f7b4af1bb6475e0a979ba43dd644780801fabe5b62a1359cf7692918f30013e90c2362235765abc2078905d13b345dd689bf15e4e94ca51535d12f0675d5f13e9f254ba7696f0096d62deb023d106e9a96a5da3162bead6a745c8b9000868d2f9a447d5c5":PSA_SUCCESS
verify_message transparent driver: error Public Key RSA PSS SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"29b65db0936b7fe408bda672077b0bc5e176177ba9a550fb548c292f7b4af1bb6475e0a979ba43dd644780801fabe5b62a1359cf7692918f30013e90c2362235765abc2078905d13b345dd689bf15e4e94ca51535d12f0675d5f13e9f254ba7696f0096d62deb023d106e9a96a5da3162bead6a745c8b9000868d2f9a447d5c5":PSA_ERROR_GENERIC_ERROR
verify_message transparent driver: calculate in driver Public Key RSA PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"6b65e1fdc900dce8a2b82130ae8ccfac27b6d0eb5f2c0c1085b80f34ceaaf064c8ff237e74a24a3c6fb7a842f172e5146315616281bbbeeae90febaab139a212decf1c68923f2a48e242b1fd72105e3a3f2329c30d78abe8673335ad08c5ba1aa515360bb5660050f1994bb08d3dd17e3407a379403bafa4e229b3c851283f6d":PSA_SUCCESS
verify_message transparent driver: fallback Public Key RSA PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_ERROR_NOT_SUPPORTED:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"6b65e1fdc900dce8a2b82130ae8ccfac27b6d0eb5f2c0c1085b80f34ceaaf064c8ff237e74a24a3c6fb7a842f172e5146315616281bbbeeae90febaab139a212decf1c68923f2a48e242b1fd72105e3a3f2329c30d78abe8673335ad08c5ba1aa515360bb5660050f1994bb08d3dd17e3407a379403bafa4e229b3c851283f6d":PSA_SUCCESS
verify_message transparent driver: error Public Key RSA PSS-any-salt SHA-256
-depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_MD_C
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_ERROR_GENERIC_ERROR:1:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"6b65e1fdc900dce8a2b82130ae8ccfac27b6d0eb5f2c0c1085b80f34ceaaf064c8ff237e74a24a3c6fb7a842f172e5146315616281bbbeeae90febaab139a212decf1c68923f2a48e242b1fd72105e3a3f2329c30d78abe8673335ad08c5ba1aa515360bb5660050f1994bb08d3dd17e3407a379403bafa4e229b3c851283f6d":PSA_ERROR_GENERIC_ERROR
generate_ec_key through transparent driver: fake
generate_ec_key:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_SUCCESS
generate_ec_key through transparent driver: in-driver
+depends_on:MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
generate_ec_key:PSA_SUCCESS:"":PSA_SUCCESS
generate_ec_key through transparent driver: fallback
-depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
generate_ec_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS
generate_ec_key through transparent driver: fallback not available
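Review bot: The two PKCS#1 v1.5 fallback cases for verify_message ("fallback RSA PKCS#1 v1.5 SHA-256" and "fallback Public Key RSA PKCS#1 v1.5 SHA-256") still depend on `MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT`, although the algorithm they exercise is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256)`. The PSS fallback cases in the same hunk depend on `MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS`, the built-in for the algorithm under test, so this looks like a leftover and was probably meant to be `MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN`. As written, a configuration with built-in encryption but no built-in signature would presumably run these cases with nothing to fall back to, and the opposite configuration would skip them. Since the commit already edits both lines, it is worth correcting here.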
@@ -340,11 +341,11 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":15:15:0:"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_SUCCESS:PSA_SUCCESS
PSA symmetric encrypt multipart: AES-CTR, 16 bytes, fallback
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER
+depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES
cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":16:16:0:"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS
PSA symmetric encrypt multipart: AES-CTR, 15 bytes, fallback
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER
+depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES
cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":15:15:0:"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS
PSA symmetric encrypt multipart: AES-CTR, 16 bytes, fake
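Review bot: The fallback cases in this hunk now list only `MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES`, while the RSA fallback cases in the previous hunk keep the `PSA_WANT_*` symbols next to the built-in one (for example `PSA_WANT_ALG_RSA_PSS:...:MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS`). The two forms are presumably equivalent if a built-in symbol is only defined when the matching `PSA_WANT_*` is, but the file then mixes two conventions, and the next reader cannot tell which one a new fallback case should follow. I would state the rule once in the commit message, along the lines of "fallback cases depend on the MBEDTLS_PSA_BUILTIN_* symbols of the key type and algorithm they fall back to", and bring the RSA cases in line with it. The same applies to the decrypt multipart, AEAD and MAC fallback hunks that follow.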
@@ -372,7 +373,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_SUCCESS:PSA_SUCCESS
PSA symmetric decrypt multipart: AES-CTR, 16 bytes, fallback
-depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER
+depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES
cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS
PSA symmetric decrypt multipart: AES-CTR, 16 bytes, fake
@@ -460,7 +461,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES
aead_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_SUCCESS
PSA AEAD encrypt: AES-CCM, 24 bytes, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CCM
aead_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_NOT_SUPPORTED
PSA AEAD encrypt: AES-CCM, 24 bytes, INSUFFICIENT_MEMORY
@@ -472,7 +473,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES
aead_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":PSA_SUCCESS
PSA AEAD encrypt, AES-GCM, 128 bytes #1, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM
aead_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":PSA_ERROR_NOT_SUPPORTED
PSA AEAD encrypt, AES-GCM, 128 bytes #1, INSUFFICIENT_MEMORY
@@ -484,7 +485,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES
aead_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":PSA_SUCCESS
PSA AEAD decrypt: AES-CCM, 39 bytes, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CCM
aead_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":PSA_ERROR_NOT_SUPPORTED
PSA AEAD decrypt: AES-CCM, 39 bytes, INSUFFICIENT_MEMORY
@@ -496,7 +497,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES
aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_SUCCESS
PSA AEAD decrypt, AES-GCM, 144 bytes #1, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM
aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_NOT_SUPPORTED
PSA AEAD decrypt, AES-GCM, 144 bytes #1, INSUFFICIENT_MEMORY
@@ -536,7 +537,7 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_ACCEL_ALG_CMAC
mac_sign:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_SUCCESS
PSA MAC sign, fallback: CMAC-AES-128
-depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC
mac_sign:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_ERROR_NOT_SUPPORTED
PSA MAC sign, driver reports error: CMAC-AES-128
@@ -576,7 +577,7 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_ACCEL_ALG_CMAC
mac_verify:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_SUCCESS
PSA MAC verify, fallback: CMAC-AES-128
-depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC
mac_verify:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_ERROR_NOT_SUPPORTED
PSA MAC verify, driver reports error: CMAC-AES-128
@@ -802,7 +803,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES
aead_encrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":PSA_SUCCESS:PSA_SUCCESS
PSA AEAD encrypt setup, AES-GCM, 128 bytes #1, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM
aead_encrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS
PSA AEAD encrypt setup, AES-GCM, 128 bytes #1, INSUFFICIENT_MEMORY
@@ -814,7 +815,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES
aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_SUCCESS:PSA_SUCCESS
PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, fallback
-depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM
aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS
PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, insufficient memory
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index 1d96f72..e7925dd 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -57,7 +57,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Server first round Output */
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g1_len));
+ buffer_length - buffer0_off, &s_g1_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_g1_len, expected_size_key_share);
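Review bot: Each of these calls now passes `buffer_length - buffer0_off` (or `buffer_length - buffer1_off`) as the output size, but nothing visible in the hunks checks the running offset against `buffer_length` before the subtraction. If both are unsigned, as the naming suggests, an offset that exceeded `buffer_length` would wrap and hand `psa_pake_output` a size far larger than the space left in the buffer. The TEST_EQUAL and TEST_LE_U checks after each call bound every increment, so this only matters if `buffer_length` is smaller than the sum of the expected sizes. A `TEST_LE_U(buffer0_off, buffer_length);` ahead of each call would turn that case into an explicit test failure. The declaration of `buffer_length`, the allocation of the buffers and the rest of `ecjpake_do_round` are outside the hunks shown; the same point applies to the other `ecjpake_do_round` hunks in this file.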
@@ -65,7 +65,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_g1_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pk_len));
+ buffer_length - buffer0_off, &s_x1_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
@@ -73,7 +73,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_x1_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pr_len));
+ buffer_length - buffer0_off, &s_x1_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
@@ -81,7 +81,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_x1_pr_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g2_len));
+ buffer_length - buffer0_off, &s_g2_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_g2_len, expected_size_key_share);
@@ -89,7 +89,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_g2_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pk_len));
+ buffer_length - buffer0_off, &s_x2_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
@@ -97,7 +97,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_x2_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pr_len));
+ buffer_length - buffer0_off, &s_x2_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
@@ -154,7 +154,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Client first round Output */
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g1_len));
+ buffer_length - buffer1_off, &c_g1_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_g1_len, expected_size_key_share);
@@ -162,7 +162,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_g1_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pk_len));
+ buffer_length - buffer1_off, &c_x1_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
@@ -170,7 +170,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_x1_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pr_len));
+ buffer_length - buffer1_off, &c_x1_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
@@ -178,7 +178,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_x1_pr_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g2_len));
+ buffer_length - buffer1_off, &c_g2_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_g2_len, expected_size_key_share);
@@ -186,7 +186,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_g2_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pk_len));
+ buffer_length - buffer1_off, &c_x2_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
@@ -194,7 +194,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_x2_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pr_len));
+ buffer_length - buffer1_off, &c_x2_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
@@ -290,7 +290,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_a_len));
+ buffer_length - buffer0_off, &s_a_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_a_len, expected_size_key_share);
@@ -298,7 +298,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_a_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pk_len));
+ buffer_length - buffer0_off, &s_x2s_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
@@ -306,7 +306,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer0_off += s_x2s_pk_len;
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pr_len));
+ buffer_length - buffer0_off, &s_x2s_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
@@ -341,7 +341,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_a_len));
+ buffer_length - buffer1_off, &c_a_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_a_len, expected_size_key_share);
@@ -349,7 +349,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_a_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pk_len));
+ buffer_length - buffer1_off, &c_x2s_pk_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
@@ -357,7 +357,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
buffer1_off += c_x2s_pk_len;
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pr_len));
+ buffer_length - buffer1_off, &c_x2s_pr_len));
TEST_EQUAL(mbedtls_test_driver_pake_hooks.hits.total,
pake_in_driver ? pake_expected_hit_count++ : pake_expected_hit_count);
TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
@@ -748,7 +748,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
void generate_ec_key(int force_status_arg,
data_t *fake_output,
int expected_status_arg)
@@ -782,13 +782,14 @@ void generate_ec_key(int force_status_arg,
fake_output->len;
}
+ PSA_ASSERT(psa_crypto_init());
+
mbedtls_test_driver_key_management_hooks.hits = 0;
+ mbedtls_test_driver_key_management_hooks.hits_generate_key = 0;
mbedtls_test_driver_key_management_hooks.forced_status = force_status;
- PSA_ASSERT(psa_crypto_init());
-
actual_status = psa_generate_key(&attributes, &key);
- TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1);
+ TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits_generate_key, 1);
TEST_EQUAL(actual_status, expected_status);
if (actual_status == PSA_SUCCESS) {
@@ -845,10 +846,10 @@ void validate_key(int force_status_arg,
psa_set_key_bits(&attributes, 0);
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
- mbedtls_test_driver_key_management_hooks.forced_status = force_status;
-
PSA_ASSERT(psa_crypto_init());
+ mbedtls_test_driver_key_management_hooks.hits = 0;
+ mbedtls_test_driver_key_management_hooks.forced_status = force_status;
actual_status = psa_import_key(&attributes, key_input->x, key_input->len, &key);
TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1);
TEST_EQUAL(actual_status, expected_status);
@@ -906,6 +907,7 @@ void export_key(int force_status_arg,
}
mbedtls_test_driver_key_management_hooks.hits = 0;
+ mbedtls_test_driver_key_management_hooks.hits_export_public_key = 0;
mbedtls_test_driver_key_management_hooks.forced_status = force_status;
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(output_key_type)) {
@@ -923,7 +925,7 @@ void export_key(int force_status_arg,
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(output_key_type) &&
!PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(input_key_type)) {
- TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1);
+ TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits_export_public_key, 1);
}
if (actual_status == PSA_SUCCESS) {
@@ -1059,9 +1061,11 @@ void cipher_encrypt_validation(int alg_arg,
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
+ mbedtls_test_driver_cipher_hooks.hits = 0;
+ mbedtls_test_driver_cipher_hooks.hits_encrypt = 0;
PSA_ASSERT(psa_cipher_encrypt(key, alg, input->x, input->len, output1,
output1_buffer_size, &output1_length));
- TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
+ TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits_encrypt, 1);
mbedtls_test_driver_cipher_hooks.hits = 0;
PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
@@ -1161,6 +1165,7 @@ void cipher_encrypt_multipart(int alg_arg,
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
+ mbedtls_test_driver_cipher_hooks.hits = 0;
PSA_ASSERT(psa_cipher_encrypt_setup(&operation, key, alg));
TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
mbedtls_test_driver_cipher_hooks.hits = 0;
@@ -1289,6 +1294,7 @@ void cipher_decrypt_multipart(int alg_arg,
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
+ mbedtls_test_driver_cipher_hooks.hits = 0;
PSA_ASSERT(psa_cipher_decrypt_setup(&operation, key, alg));
TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
mbedtls_test_driver_cipher_hooks.hits = 0;
@@ -1414,6 +1420,7 @@ void cipher_decrypt(int alg_arg,
mbedtls_test_driver_cipher_hooks.forced_output_length = expected_output->len;
}
+ mbedtls_test_driver_cipher_hooks.hits = 0;
status = psa_cipher_decrypt(key, alg, input, input_buffer_size, output,
output_buffer_size, &output_length);
TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
@@ -1468,32 +1475,28 @@ void cipher_entry_points(int alg_arg, int key_type_arg,
* First test that if we don't force a driver error, encryption is
* successful, then force driver error.
*/
+ mbedtls_test_driver_cipher_hooks.hits = 0;
+ mbedtls_test_driver_cipher_hooks.hits_encrypt = 0;
status = psa_cipher_encrypt(
key, alg, input->x, input->len,
output, output_buffer_size, &function_output_length);
- TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
+ TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits_encrypt, 1);
TEST_EQUAL(status, PSA_SUCCESS);
mbedtls_test_driver_cipher_hooks.hits = 0;
- mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
+ mbedtls_test_driver_cipher_hooks.forced_status_encrypt = PSA_ERROR_GENERIC_ERROR;
/* Set the output buffer in a given state. */
for (size_t i = 0; i < output_buffer_size; i++) {
output[i] = 0xa5;
}
+ mbedtls_test_driver_cipher_hooks.hits_encrypt = 0;
status = psa_cipher_encrypt(
key, alg, input->x, input->len,
output, output_buffer_size, &function_output_length);
- TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
+ TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits_encrypt, 1);
TEST_EQUAL(status, PSA_ERROR_GENERIC_ERROR);
- /*
- * Check that the output buffer is still in the same state.
- * This will fail if the output buffer is used by the core to pass the IV
- * it generated to the driver (and is not restored).
- */
- for (size_t i = 0; i < output_buffer_size; i++) {
- TEST_EQUAL(output[i], 0xa5);
- }
+
mbedtls_test_driver_cipher_hooks.hits = 0;
/* Test setup call, encrypt */
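Review bot: The `0xa5` fill loop and its comment "Set the output buffer in a given state" stay in place although the loop that verified the pattern after the forced failure is removed, so the fill no longer feeds any assertion; the same leftover appears in the `psa_cipher_generate_iv` hunk that follows. Either drop the fill, or replace the removed check with an assertion of what the caller's buffer is now expected to hold after a driver error, so the test still pins whether a failed operation writes to caller memory. Separately, `forced_status_encrypt` is set to `PSA_ERROR_GENERIC_ERROR` and not restored inside this hunk, whereas the later hunk restores `forced_status_set_iv` to `PSA_SUCCESS`. If nothing outside the hunk resets it, add `mbedtls_test_driver_cipher_hooks.forced_status_encrypt = PSA_SUCCESS;` after the status check. The body of cipher_entry_points continues outside the hunk.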
@@ -1545,25 +1548,18 @@ void cipher_entry_points(int alg_arg, int key_type_arg,
TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 1);
TEST_EQUAL(status, mbedtls_test_driver_cipher_hooks.forced_status);
mbedtls_test_driver_cipher_hooks.hits = 0;
+ mbedtls_test_driver_cipher_hooks.hits_set_iv = 0;
- mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
+ mbedtls_test_driver_cipher_hooks.forced_status_set_iv = PSA_ERROR_GENERIC_ERROR;
/* Set the output buffer in a given state. */
for (size_t i = 0; i < 16; i++) {
output[i] = 0xa5;
}
status = psa_cipher_generate_iv(&operation, output, 16, &function_output_length);
- /* When generating the IV fails, it should call abort too */
- TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 2);
- TEST_EQUAL(status, mbedtls_test_driver_cipher_hooks.forced_status);
- /*
- * Check that the output buffer is still in the same state.
- * This will fail if the output buffer is used by the core to pass the IV
- * it generated to the driver (and is not restored).
- */
- for (size_t i = 0; i < 16; i++) {
- TEST_EQUAL(output[i], 0xa5);
- }
+ TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits_set_iv, 1);
+ TEST_EQUAL(status, mbedtls_test_driver_cipher_hooks.forced_status_set_iv);
+ mbedtls_test_driver_cipher_hooks.forced_status_set_iv = PSA_SUCCESS;
/* Failure should prevent further operations from executing on the driver */
mbedtls_test_driver_cipher_hooks.hits = 0;
status = psa_cipher_update(&operation,
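Review bot: The removed `TEST_EQUAL(mbedtls_test_driver_cipher_hooks.hits, 2)` was the only assertion in this hunk showing that a failed IV generation also reaches the driver's abort entry point; the new `hits_set_iv == 1` check counts the set-IV call only. The following comment, "Failure should prevent further operations from executing on the driver", still relies on the operation having been aborted. Keep that covered, for example by also asserting on the generic `hits` counter after `psa_cipher_generate_iv` returns, or on an abort-specific counter if the hooks structure provides one (not visible here). The body of cipher_entry_points starts and ends outside the hunk.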
diff --git a/tests/suites/test_suite_psa_crypto_hash.function b/tests/suites/test_suite_psa_crypto_hash.function
index 20167fd..c7c72f4 100644
--- a/tests/suites/test_suite_psa_crypto_hash.function
+++ b/tests/suites/test_suite_psa_crypto_hash.function
@@ -6,7 +6,7 @@
/* END_HEADER */
/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_PSA_CRYPTO_C
+ * depends_on:MBEDTLS_PSA_CRYPTO_CLIENT
* END_DEPENDENCIES
*/
@@ -35,7 +35,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on: MBEDTLS_PSA_CRYPTO_C */
void hmac(int alg_arg, char *input, data_t *expected_mac)
{
psa_algorithm_t alg = PSA_ALG_HMAC(alg_arg);
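Review bot: The new `/* BEGIN_CASE depends_on: MBEDTLS_PSA_CRYPTO_C */` has a space after `depends_on:`, unlike every other dependency line in this change (for example `/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */`). Even if the test generator tolerates the whitespace, writing it as `/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */` keeps the form consistent, so that grep-based dependency audits do not miss this case. The body of hmac continues outside the hunk.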
diff --git a/tests/suites/test_suite_psa_crypto_init.data b/tests/suites/test_suite_psa_crypto_init.data
index 8c5b41d..147d03f 100644
--- a/tests/suites/test_suite_psa_crypto_init.data
+++ b/tests/suites/test_suite_psa_crypto_init.data
@@ -10,6 +10,9 @@ deinit_without_init:0
PSA deinit twice
deinit_without_init:1
+PSA threaded init checks
+psa_threaded_init:100
+
No random without init
validate_module_init_generate_random:0
diff --git a/tests/suites/test_suite_psa_crypto_init.function b/tests/suites/test_suite_psa_crypto_init.function
index 7a43432..9ff33a6 100644
--- a/tests/suites/test_suite_psa_crypto_init.function
+++ b/tests/suites/test_suite_psa_crypto_init.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include <stdint.h>
+#include "psa_crypto_core.h"
/* Some tests in this module configure entropy sources. */
#include "psa_crypto_invasive.h"
@@ -112,6 +113,59 @@ static void custom_entropy_init(mbedtls_entropy_context *ctx)
#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+#if defined MBEDTLS_THREADING_PTHREAD
+
+typedef struct {
+ int do_init;
+} thread_psa_init_ctx_t;
+
+static void *thread_psa_init_function(void *ctx)
+{
+ thread_psa_init_ctx_t *init_context = (thread_psa_init_ctx_t *) ctx;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t random[10] = { 0 };
+
+ if (init_context->do_init) {
+ PSA_ASSERT(psa_crypto_init());
+ }
+
+ /* If this is a test only thread, then we can assume PSA is being started
+ * up on another thread and thus we cannot know whether the following tests
+ * will be successful or not. These checks are still useful, however even
+ * without checking the return codes as they may show up race conditions on
+ * the flags they check under TSAN.*/
+
+ /* Test getting if drivers are initialised. */
+ int can_do = psa_can_do_hash(PSA_ALG_NONE);
+
+ if (init_context->do_init) {
+ TEST_ASSERT(can_do == 1);
+ }
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+ /* Test getting global_data.rng_state. */
+ status = mbedtls_psa_crypto_configure_entropy_sources(NULL, NULL);
+
+ if (init_context->do_init) {
+ /* Bad state due to entropy sources already being setup in
+ * psa_crypto_init() */
+ TEST_EQUAL(status, PSA_ERROR_BAD_STATE);
+ }
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+ /* Test using the PSA RNG ony if we know PSA is up and running. */
+ if (init_context->do_init) {
+ status = psa_generate_random(random, sizeof(random));
+
+ TEST_EQUAL(status, PSA_SUCCESS);
+ }
+
+exit:
+ return NULL;
+}
+#endif /* defined MBEDTLS_THREADING_PTHREAD */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
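Review bot: The explanatory comment added in thread_psa_init_function needs a wording pass, and the function itself has no header comment stating its contract. Fix `ony` to `only` in "Test using the PSA RNG ony if we know PSA is up and running", and close the long block comment as `under TSAN. */` rather than `TSAN.*/`. A short header such as `/* Thread entry point: ctx is a thread_psa_init_ctx_t; results are asserted only when do_init is set, otherwise the calls exist to expose data races. */` would tell a reader why `can_do` and `status` are deliberately left unchecked on the non-initialising path.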
@@ -154,6 +208,67 @@ void deinit_without_init(int count)
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD */
+void psa_threaded_init(int arg_thread_count)
+{
+ thread_psa_init_ctx_t init_context;
+ thread_psa_init_ctx_t init_context_2;
+
+ size_t thread_count = (size_t) arg_thread_count;
+ mbedtls_test_thread_t *threads = NULL;
+
+ TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
+
+ init_context.do_init = 1;
+
+ /* Test initialising PSA and testing certain protected globals on multiple
+ * threads. */
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i],
+ thread_psa_init_function,
+ (void *) &init_context),
+ 0);
+ }
+
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+
+ PSA_DONE();
+
+ init_context_2.do_init = 0;
+
+ /* Test initialising PSA whilst also testing flags on other threads. */
+ for (size_t i = 0; i < thread_count; i++) {
+
+ if (i & 1) {
+
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i],
+ thread_psa_init_function,
+ (void *) &init_context),
+ 0);
+ } else {
+ TEST_EQUAL(
+ mbedtls_test_thread_create(&threads[i],
+ thread_psa_init_function,
+ (void *) &init_context_2),
+ 0);
+ }
+ }
+
+ for (size_t i = 0; i < thread_count; i++) {
+ TEST_EQUAL(mbedtls_test_thread_join(&threads[i]), 0);
+ }
+exit:
+
+ PSA_DONE();
+
+ mbedtls_free(threads);
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void validate_module_init_generate_random(int count)
{
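Review bot: In psa_threaded_init, a failing `TEST_EQUAL(mbedtls_test_thread_create(...), 0)` or `mbedtls_test_thread_join` jumps to `exit` while earlier threads may still be running. The cleanup then calls `PSA_DONE()` and `mbedtls_free(threads)` and returns, although those workers still hold pointers to the stack-allocated `init_context` / `init_context_2`. Track how many threads are outstanding and join them in the `exit` path before tearing anything down, as sketched below. Also, `TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count)` looks like it passes a byte count where the macro takes an element count; if so, `TEST_CALLOC(threads, thread_count)` is what is meant.

```c
    size_t started = 0; /* threads created and not yet joined */

    // … unchanged: TEST_CALLOC(threads, …) and init_context.do_init = 1 …

    for (size_t i = 0; i < thread_count; i++) {
        TEST_EQUAL(
            mbedtls_test_thread_create(&threads[i],
                                       thread_psa_init_function,
                                       (void *) &init_context),
            0);
        started = i + 1;
    }

    while (started > 0) {
        started--;
        TEST_EQUAL(mbedtls_test_thread_join(&threads[started]), 0);
    }

    // … unchanged: PSA_DONE() and the second create loop, which also sets
    //   started = i + 1 after each successful create; the second join loop
    //   takes the same while (started > 0) form …

exit:
    /* Join anything still running so no worker outlives the stack contexts
     * or races with PSA_DONE(). */
    while (started > 0) {
        started--;
        (void) mbedtls_test_thread_join(&threads[started]);
    }

    // … unchanged: PSA_DONE() and mbedtls_free(threads) …
```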
diff --git a/tests/suites/test_suite_psa_crypto_memory.data b/tests/suites/test_suite_psa_crypto_memory.data
new file mode 100644
index 0000000..2a828f5
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_memory.data
@@ -0,0 +1,62 @@
+PSA input buffer copy: straightforward copy
+copy_input:20:20:PSA_SUCCESS
+
+PSA input buffer copy: copy buffer larger than required
+copy_input:10:20:PSA_SUCCESS
+
+PSA input buffer copy: copy buffer too small
+copy_input:20:10:PSA_ERROR_CORRUPTION_DETECTED
+
+PSA input buffer copy: zero-length source buffer
+copy_input:0:10:PSA_SUCCESS
+
+PSA input buffer copy: zero-length both buffers
+copy_input:0:0:PSA_SUCCESS
+
+PSA output buffer copy: straightforward copy
+copy_output:20:20:PSA_SUCCESS
+
+PSA output buffer copy: output buffer larger than required
+copy_output:10:20:PSA_SUCCESS
+
+PSA output buffer copy: output buffer too small
+copy_output:20:10:PSA_ERROR_BUFFER_TOO_SMALL
+
+PSA output buffer copy: zero-length source buffer
+copy_output:0:10:PSA_SUCCESS
+
+PSA output buffer copy: zero-length both buffers
+copy_output:0:0:PSA_SUCCESS
+
+PSA crypto local input alloc
+local_input_alloc:200:PSA_SUCCESS
+
+PSA crypto local input alloc, NULL buffer
+local_input_alloc:0:PSA_SUCCESS
+
+PSA crypto local input free
+local_input_free:200
+
+PSA crypto local input free, NULL buffer
+local_input_free:0
+
+PSA crypto local input round-trip
+local_input_round_trip
+
+PSA crypto local output alloc
+local_output_alloc:200:PSA_SUCCESS
+
+PSA crypto local output alloc, NULL buffer
+local_output_alloc:0:PSA_SUCCESS
+
+PSA crypto local output free
+local_output_free:200:0:PSA_SUCCESS
+
+PSA crypto local output free, NULL buffer
+local_output_free:0:0:PSA_SUCCESS
+
+PSA crypto local output free, NULL original buffer
+local_output_free:200:1:PSA_ERROR_CORRUPTION_DETECTED
+
+PSA crypto local output round-trip
+local_output_round_trip
diff --git a/tests/suites/test_suite_psa_crypto_memory.function b/tests/suites/test_suite_psa_crypto_memory.function
new file mode 100644
index 0000000..55c0092
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_memory.function
@@ -0,0 +1,258 @@
+/* BEGIN_HEADER */
+#include <stdint.h>
+
+#include "common.h"
+
+#include "psa/crypto.h"
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_invasive.h"
+
+#include "test/psa_crypto_helpers.h"
+#include "test/memory.h"
+
+/* Helper to fill a buffer with a data pattern. The pattern is not
+ * important, it just allows a basic check that the correct thing has
+ * been written, in a way that will detect an error in offset. */
+static void fill_buffer_pattern(uint8_t *buffer, size_t len)
+{
+ for (size_t i = 0; i < len; i++) {
+ buffer[i] = (uint8_t) (i % 256);
+ }
+}
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_TEST_HOOKS
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void copy_input(int src_len, int dst_len, psa_status_t exp_status)
+{
+ uint8_t *src_buffer = NULL;
+ uint8_t *dst_buffer = NULL;
+ psa_status_t status;
+
+ TEST_CALLOC(src_buffer, src_len);
+ TEST_CALLOC(dst_buffer, dst_len);
+
+ fill_buffer_pattern(src_buffer, src_len);
+
+ status = psa_crypto_copy_input(src_buffer, src_len, dst_buffer, dst_len);
+ TEST_EQUAL(status, exp_status);
+
+ if (exp_status == PSA_SUCCESS) {
+ MBEDTLS_TEST_MEMORY_UNPOISON(src_buffer, src_len);
+ /* Note: We compare the first src_len bytes of each buffer, as this is what was copied. */
+ TEST_MEMORY_COMPARE(src_buffer, src_len, dst_buffer, src_len);
+ }
+
+exit:
+ mbedtls_free(src_buffer);
+ mbedtls_free(dst_buffer);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void copy_output(int src_len, int dst_len, psa_status_t exp_status)
+{
+ uint8_t *src_buffer = NULL;
+ uint8_t *dst_buffer = NULL;
+ psa_status_t status;
+
+ TEST_CALLOC(src_buffer, src_len);
+ TEST_CALLOC(dst_buffer, dst_len);
+
+ fill_buffer_pattern(src_buffer, src_len);
+
+ status = psa_crypto_copy_output(src_buffer, src_len, dst_buffer, dst_len);
+ TEST_EQUAL(status, exp_status);
+
+ if (exp_status == PSA_SUCCESS) {
+ MBEDTLS_TEST_MEMORY_UNPOISON(dst_buffer, dst_len);
+ /* Note: We compare the first src_len bytes of each buffer, as this is what was copied. */
+ TEST_MEMORY_COMPARE(src_buffer, src_len, dst_buffer, src_len);
+ }
+
+exit:
+ mbedtls_free(src_buffer);
+ mbedtls_free(dst_buffer);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_input_alloc(int input_len, psa_status_t exp_status)
+{
+ uint8_t *input = NULL;
+ psa_crypto_local_input_t local_input;
+ psa_status_t status;
+
+ local_input.buffer = NULL;
+
+ TEST_CALLOC(input, input_len);
+ fill_buffer_pattern(input, input_len);
+
+ status = psa_crypto_local_input_alloc(input, input_len, &local_input);
+ TEST_EQUAL(status, exp_status);
+
+ if (exp_status == PSA_SUCCESS) {
+ MBEDTLS_TEST_MEMORY_UNPOISON(input, input_len);
+ if (input_len != 0) {
+ TEST_ASSERT(local_input.buffer != input);
+ }
+ TEST_MEMORY_COMPARE(input, input_len,
+ local_input.buffer, local_input.length);
+ }
+
+exit:
+ mbedtls_free(local_input.buffer);
+ mbedtls_free(input);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_input_free(int input_len)
+{
+ psa_crypto_local_input_t local_input;
+
+ local_input.buffer = NULL;
+ local_input.length = input_len;
+ TEST_CALLOC(local_input.buffer, local_input.length);
+
+ psa_crypto_local_input_free(&local_input);
+
+ TEST_ASSERT(local_input.buffer == NULL);
+ TEST_EQUAL(local_input.length, 0);
+
+exit:
+ mbedtls_free(local_input.buffer);
+ local_input.buffer = NULL;
+ local_input.length = 0;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_input_round_trip()
+{
+ psa_crypto_local_input_t local_input;
+ uint8_t input[200];
+ psa_status_t status;
+
+ fill_buffer_pattern(input, sizeof(input));
+
+ status = psa_crypto_local_input_alloc(input, sizeof(input), &local_input);
+ TEST_EQUAL(status, PSA_SUCCESS);
+
+ MBEDTLS_TEST_MEMORY_UNPOISON(input, sizeof(input));
+ TEST_MEMORY_COMPARE(local_input.buffer, local_input.length,
+ input, sizeof(input));
+ TEST_ASSERT(local_input.buffer != input);
+
+ psa_crypto_local_input_free(&local_input);
+ TEST_ASSERT(local_input.buffer == NULL);
+ TEST_EQUAL(local_input.length, 0);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_output_alloc(int output_len, psa_status_t exp_status)
+{
+ uint8_t *output = NULL;
+ psa_crypto_local_output_t local_output;
+ psa_status_t status;
+
+ local_output.buffer = NULL;
+
+ TEST_CALLOC(output, output_len);
+
+ status = psa_crypto_local_output_alloc(output, output_len, &local_output);
+ TEST_EQUAL(status, exp_status);
+
+ if (exp_status == PSA_SUCCESS) {
+ TEST_ASSERT(local_output.original == output);
+ TEST_EQUAL(local_output.length, output_len);
+ }
+
+exit:
+ mbedtls_free(local_output.buffer);
+ local_output.original = NULL;
+ local_output.buffer = NULL;
+ local_output.length = 0;
+ mbedtls_free(output);
+ output = NULL;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_output_free(int output_len, int original_is_null,
+ psa_status_t exp_status)
+{
+ uint8_t *output = NULL;
+ uint8_t *buffer_copy_for_comparison = NULL;
+ psa_crypto_local_output_t local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
+ psa_status_t status;
+
+ if (!original_is_null) {
+ TEST_CALLOC(output, output_len);
+ }
+ TEST_CALLOC(buffer_copy_for_comparison, output_len);
+ TEST_CALLOC(local_output.buffer, output_len);
+ local_output.length = output_len;
+ local_output.original = output;
+
+ if (local_output.length != 0) {
+ fill_buffer_pattern(local_output.buffer, local_output.length);
+ memcpy(buffer_copy_for_comparison, local_output.buffer, local_output.length);
+ }
+
+ status = psa_crypto_local_output_free(&local_output);
+ TEST_EQUAL(status, exp_status);
+
+ if (exp_status == PSA_SUCCESS) {
+ MBEDTLS_TEST_MEMORY_UNPOISON(output, output_len);
+ TEST_ASSERT(local_output.buffer == NULL);
+ TEST_EQUAL(local_output.length, 0);
+ TEST_MEMORY_COMPARE(buffer_copy_for_comparison, output_len,
+ output, output_len);
+ }
+
+exit:
+ mbedtls_free(output);
+ mbedtls_free(buffer_copy_for_comparison);
+ mbedtls_free(local_output.buffer);
+ local_output.length = 0;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void local_output_round_trip()
+{
+ psa_crypto_local_output_t local_output;
+ uint8_t output[200];
+ uint8_t *buffer_copy_for_comparison = NULL;
+ psa_status_t status;
+
+ status = psa_crypto_local_output_alloc(output, sizeof(output), &local_output);
+ TEST_EQUAL(status, PSA_SUCCESS);
+ TEST_ASSERT(local_output.buffer != output);
+
+ /* Simulate the function generating output */
+ fill_buffer_pattern(local_output.buffer, local_output.length);
+
+ TEST_CALLOC(buffer_copy_for_comparison, local_output.length);
+ memcpy(buffer_copy_for_comparison, local_output.buffer, local_output.length);
+
+ psa_crypto_local_output_free(&local_output);
+ TEST_ASSERT(local_output.buffer == NULL);
+ TEST_EQUAL(local_output.length, 0);
+
+ MBEDTLS_TEST_MEMORY_UNPOISON(output, sizeof(output));
+ /* Check that the buffer was correctly copied back */
+ TEST_MEMORY_COMPARE(output, sizeof(output),
+ buffer_copy_for_comparison, sizeof(output));
+
+exit:
+ mbedtls_free(buffer_copy_for_comparison);
+}
+/* END_CASE */
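Review bot: In local_output_round_trip the call `psa_crypto_local_output_free(&local_output);` discards its return value, although the local_output_free case above shows it returns a `psa_status_t` and can report `PSA_ERROR_CORRUPTION_DETECTED`. The copy-back to the caller's buffer is what this round trip is meant to verify, so assert it: `TEST_EQUAL(psa_crypto_local_output_free(&local_output), PSA_SUCCESS);`. Both round-trip cases also leave `local_input` / `local_output` uninitialised before the alloc call and never free `.buffer` on an assertion failure between alloc and free. Initialising them (`PSA_CRYPTO_LOCAL_OUTPUT_INIT` is already used in local_output_free) and adding `mbedtls_free(local_output.buffer);` under `exit:` would keep failures from leaking or freeing garbage.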
diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data
index b1672ec..4a25036 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.data
+++ b/tests/suites/test_suite_psa_crypto_metadata.data
@@ -71,19 +71,19 @@ depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_512
hmac_algorithm:PSA_ALG_HMAC( PSA_ALG_SHA_512 ):64:128
MAC: CBC_MAC-AES-128
-depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES
mac_algorithm:PSA_ALG_CBC_MAC:ALG_IS_BLOCK_CIPHER_MAC:16:PSA_KEY_TYPE_AES:128
MAC: CBC_MAC-AES-192
-depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_CIPHER_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mac_algorithm:PSA_ALG_CBC_MAC:ALG_IS_BLOCK_CIPHER_MAC:16:PSA_KEY_TYPE_AES:192
MAC: CBC_MAC-AES-256
-depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_CIPHER_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
mac_algorithm:PSA_ALG_CBC_MAC:ALG_IS_BLOCK_CIPHER_MAC:16:PSA_KEY_TYPE_AES:256
MAC: CBC_MAC-3DES
-depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_DES:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CBC_MAC:PSA_WANT_KEY_TYPE_DES
mac_algorithm:PSA_ALG_CBC_MAC:ALG_IS_BLOCK_CIPHER_MAC:8:PSA_KEY_TYPE_DES:192
MAC: CMAC-AES-128
@@ -107,31 +107,31 @@ depends_on:PSA_WANT_ALG_STREAM_CIPHER
cipher_algorithm:PSA_ALG_STREAM_CIPHER:ALG_IS_STREAM_CIPHER
Cipher: CTR
-depends_on:PSA_WANT_ALG_CTR:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CTR
cipher_algorithm:PSA_ALG_CTR:ALG_IS_STREAM_CIPHER
Cipher: CFB
-depends_on:PSA_WANT_ALG_CFB:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CFB
cipher_algorithm:PSA_ALG_CFB:ALG_IS_STREAM_CIPHER
Cipher: OFB
-depends_on:PSA_WANT_ALG_OFB:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_OFB
cipher_algorithm:PSA_ALG_OFB:ALG_IS_STREAM_CIPHER
Cipher: ECB-nopad
-depends_on:PSA_WANT_ALG_ECB_NO_PADDING:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_ECB_NO_PADDING
cipher_algorithm:PSA_ALG_ECB_NO_PADDING:0
Cipher: CBC-nopad
-depends_on:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CBC_NO_PADDING
cipher_algorithm:PSA_ALG_CBC_NO_PADDING:0
Cipher: CBC-PKCS#7
-depends_on:PSA_WANT_ALG_CBC_PKCS7:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_CBC_PKCS7
cipher_algorithm:PSA_ALG_CBC_PKCS7:0
Cipher: XTS
-depends_on:PSA_WANT_ALG_XTS:MBEDTLS_CIPHER_C
+depends_on:PSA_WANT_ALG_XTS
cipher_algorithm:PSA_ALG_XTS:0
Cipher: CCM*
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 20942bf..9878237 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -359,9 +359,9 @@ void key_agreement_fail(int key_type_arg, data_t *key_data,
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
uint8_t public_key[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE] = { 0 };
- size_t public_key_length = SIZE_MAX;
+ size_t public_key_length = 0;
uint8_t output[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
- size_t length = SIZE_MAX;
+ size_t length = 0;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
PSA_INIT();
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
index baebded..f81bb53 100644
--- a/tests/suites/test_suite_psa_crypto_pake.data
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -74,7 +74,7 @@ PSA PAKE: invalid input
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT
-PSA PAKE: unkown input step
+PSA PAKE: unknown input step
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT
@@ -94,7 +94,7 @@ PSA PAKE: invalid output
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT
-PSA PAKE: unkown output step
+PSA PAKE: unknown output step
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":0:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT
@@ -211,19 +211,19 @@ depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WA
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID:1
PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT
-depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_OUTPUT:PSA_ERROR_BAD_STATE:0
PSA PAKE: inject ERR_INJECT_EXTRA_INPUT
-depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_INPUT:PSA_ERROR_BAD_STATE:0
PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT_AT_END
-depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_OUTPUT_AT_END:PSA_ERROR_BAD_STATE:1
PSA PAKE: inject ERR_INJECT_EXTRA_INPUT_AT_END
-depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_INPUT_AT_END:PSA_ERROR_BAD_STATE:1
PSA PAKE: ecjpake size macros
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index 96c1195..1cc69a7 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -44,7 +44,7 @@ typedef enum {
ERR_INJECT_EXTRA_INPUT,
ERR_INJECT_EXTRA_OUTPUT_AT_END,
ERR_INJECT_EXTRA_INPUT_AT_END,
- /* erros issued from the .data file */
+ /* errors issued from the .data file */
ERR_IN_SETUP,
ERR_IN_SET_USER,
ERR_IN_SET_PEER,
@@ -59,9 +59,11 @@ typedef enum {
PAKE_ROUND_TWO
} pake_round_t;
+#if defined(PSA_WANT_ALG_JPAKE)
/* The only two JPAKE user/peer identifiers supported for the time being. */
static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
+#endif
/*
* Inject an error on the specified buffer ONLY it this is the correct stage.
@@ -145,7 +147,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Server first round Output */
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g1_len));
+ buffer_length - buffer0_off, &s_g1_len));
TEST_EQUAL(s_g1_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1,
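Review bot: The capacity passed to psa_pake_output(), `buffer_length - buffer0_off`, is an unsigned subtraction, so it is a valid bound only if buffer0 and buffer1 are allocated with exactly `buffer_length` bytes and the running offset never passes it. Neither the declaration of `buffer_length` nor the buffer allocation is inside these hunks, so this cannot be confirmed from here. The same expression appears in every other hunk of ecjpake_do_round in this file section, also with `buffer1_off`, `s_g2_off` and `c_a_off`. A short comment at the declaration stating that `buffer_length` is the allocated size of both buffers, or a `TEST_LE_U(buffer0_off, buffer_length);` before the first output call of each round, would make the invariant explicit. ecjpake_do_round starts and ends outside this hunk.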
@@ -154,7 +156,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pk_len));
+ buffer_length - buffer0_off, &s_x1_pk_len));
TEST_EQUAL(s_x1_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1,
@@ -163,7 +165,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x1_pr_len));
+ buffer_length - buffer0_off, &s_x1_pr_len));
TEST_LE_U(s_x1_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1,
@@ -172,7 +174,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_g2_len));
+ buffer_length - buffer0_off, &s_g2_len));
TEST_EQUAL(s_g2_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2,
@@ -181,7 +183,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pk_len));
+ buffer_length - buffer0_off, &s_x2_pk_len));
TEST_EQUAL(s_x2_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2,
@@ -190,7 +192,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2_pr_len));
+ buffer_length - buffer0_off, &s_x2_pr_len));
TEST_LE_U(s_x2_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2,
@@ -201,7 +203,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
DO_ROUND_CONDITIONAL_CHECK_FAILURE(
ERR_INJECT_EXTRA_OUTPUT,
psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
- buffer0 + s_g2_off, 512 - s_g2_off, &extra_output_len));
+ buffer0 + s_g2_off, buffer_length - s_g2_off, &extra_output_len));
(void) extra_output_len;
/*
* When injecting errors in inputs, the implementation is
@@ -258,7 +260,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
/* Client first round Output */
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g1_len));
+ buffer_length - buffer1_off, &c_g1_len));
TEST_EQUAL(c_g1_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1,
@@ -267,7 +269,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pk_len));
+ buffer_length - buffer1_off, &c_x1_pk_len));
TEST_EQUAL(c_x1_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1,
@@ -276,7 +278,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x1_pr_len));
+ buffer_length - buffer1_off, &c_x1_pr_len));
TEST_LE_U(c_x1_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1,
@@ -285,7 +287,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_g2_len));
+ buffer_length - buffer1_off, &c_g2_len));
TEST_EQUAL(c_g2_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2,
@@ -294,7 +296,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pk_len));
+ buffer_length - buffer1_off, &c_x2_pk_len));
TEST_EQUAL(c_x2_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2,
@@ -303,7 +305,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2_pr_len));
+ buffer_length - buffer1_off, &c_x2_pr_len));
TEST_LE_U(c_x2_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2,
@@ -389,7 +391,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_KEY_SHARE,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_a_len));
+ buffer_length - buffer0_off, &s_a_len));
TEST_EQUAL(s_a_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_SERVER_KEY_SHARE,
@@ -398,7 +400,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PUBLIC,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pk_len));
+ buffer_length - buffer0_off, &s_x2s_pk_len));
TEST_EQUAL(s_x2s_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC,
@@ -407,7 +409,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(server, PSA_PAKE_STEP_ZK_PROOF,
buffer0 + buffer0_off,
- 512 - buffer0_off, &s_x2s_pr_len));
+ buffer_length - buffer0_off, &s_x2s_pr_len));
TEST_LE_U(s_x2s_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_SERVER_ZK_PROOF,
@@ -443,7 +445,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_a_len));
+ buffer_length - buffer1_off, &c_a_len));
TEST_EQUAL(c_a_len, expected_size_key_share);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_CLIENT_KEY_SHARE,
@@ -452,7 +454,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PUBLIC,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pk_len));
+ buffer_length - buffer1_off, &c_x2s_pk_len));
TEST_EQUAL(c_x2s_pk_len, expected_size_zk_public);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC,
@@ -461,7 +463,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
PSA_ASSERT(psa_pake_output(client, PSA_PAKE_STEP_ZK_PROOF,
buffer1 + buffer1_off,
- 512 - buffer1_off, &c_x2s_pr_len));
+ buffer_length - buffer1_off, &c_x2s_pr_len));
TEST_LE_U(c_x2s_pr_len, max_expected_size_zk_proof);
DO_ROUND_CONDITIONAL_INJECT(
ERR_INJECT_ROUND2_CLIENT_ZK_PROOF,
@@ -473,7 +475,7 @@ static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
DO_ROUND_CONDITIONAL_CHECK_FAILURE(
ERR_INJECT_EXTRA_OUTPUT_AT_END,
psa_pake_output(client, PSA_PAKE_STEP_KEY_SHARE,
- buffer1 + c_a_off, 512 - c_a_off,
+ buffer1 + c_a_off, buffer_length - c_a_off,
&extra_output_at_end_len));
(void) extra_output_at_end_len;
}
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data
index 3a35505..133e726 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.data
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.data
@@ -42,87 +42,87 @@ Save larger than maximum-size persistent raw key
save_large_persistent_key:PSA_CRYPTO_MAX_STORAGE_SIZE + 1:PSA_ERROR_NOT_SUPPORTED
Persistent key destroy
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_destroy:2:1:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_KEY_TYPE_RAW_DATA:"deadbeef"
Persistent key destroy after restart
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_destroy:17:1:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RAW_DATA:"deadbeef"
Persistent key import (RSA)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":0:PSA_SUCCESS
Persistent key import with restart (RSA)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":1:PSA_SUCCESS
Persistent key import (RSA) invalid key id (VENDOR_MIN)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:PSA_KEY_ID_VENDOR_MIN:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":0:PSA_ERROR_INVALID_ARGUMENT
Persistent key import (RSA) invalid key id (VOLATILE_MIN)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:PSA_KEY_ID_VOLATILE_MIN:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":0:PSA_ERROR_INVALID_ARGUMENT
Persistent key import (RSA) invalid key id (VENDOR_MAX)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:PSA_KEY_ID_VENDOR_MAX:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":0:PSA_ERROR_INVALID_ARGUMENT
Persistent key import garbage data, should fail
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"11111111":0:PSA_ERROR_INVALID_ARGUMENT
import/export persistent raw key: 1 byte
import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0:0
import/export persistent key RSA public key: good, 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_export_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:0:0
import/export persistent key RSA keypair: good, 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
import_export_persistent_key:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:0:0
import/export persistent raw key file not exist: 1 byte
import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0:1
import/export persistent key RSA public key file not exist: 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_export_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:0:1
import/export persistent key RSA keypair file not exist: 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
import_export_persistent_key:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:0:1
import/export-persistent symmetric key: 16 bytes
-depends_on:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_AES
import_export_persistent_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:0:0
import/export persistent raw key with restart: 1 byte
import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:1:0
import/export persistent key RSA public key with restart: good, 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_export_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:1:0
import/export persistent key RSA keypair with restart: good, 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
import_export_persistent_key:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:1:0
import/export persistent raw key file not exist with restart: 1 byte
import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:1:1
import/export persistent key RSA public key file not exist with restart: 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
import_export_persistent_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:1:1
import/export persistent key RSA keypair file not exist with restart: 1024-bit
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
import_export_persistent_key:"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":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:1:1
import/export-persistent symmetric key with restart: 16 bytes
-depends_on:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PK_C
+depends_on:PSA_WANT_KEY_TYPE_AES
import_export_persistent_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:1:0
Destroy invalid id: 0
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
index a48114f..ea8cb6b 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.function
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -17,8 +17,6 @@
#include "psa_crypto_slot_management.h"
#include "psa_crypto_storage.h"
-#include "mbedtls/md.h"
-
#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH (sizeof(PSA_KEY_STORAGE_MAGIC_HEADER))
@@ -63,7 +61,7 @@ void format_storage_data_check(data_t *key_data,
TEST_CALLOC(file_data, file_data_length);
psa_format_key_data_for_storage(key_data->x, key_data->len,
- &attributes.core,
+ &attributes,
file_data);
TEST_MEMORY_COMPARE(expected_file_data->x, expected_file_data->len,
@@ -92,7 +90,7 @@ void parse_storage_data_check(data_t *file_data,
status = psa_parse_key_data_from_storage(file_data->x, file_data->len,
&key_data, &key_data_length,
- &attributes.core);
+ &attributes);
TEST_EQUAL(status, expected_status);
if (status != PSA_SUCCESS) {
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 9c5ef23..37a72d9 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -13,6 +13,19 @@
#include "psa/internal_trusted_storage.h"
#endif
+/* Same in library/psa_crypto.c */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+#define BUILTIN_ALG_ANY_HKDF 1
+#endif
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
+ defined(PSA_HAVE_SOFT_PBKDF2)
+#define AT_LEAST_ONE_BUILTIN_KDF
+#endif
/****************************************************************/
/* Test driver helpers */
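Review bot: The preprocessor block added here copies conditions from library/psa_crypto.c, but the comment `/* Same in library/psa_crypto.c */` does not say that the two copies must change together. If the library's list changes, this suite could keep compiling against the old set without anyone noticing. I would word it as `/* Keep in sync with the KDF feature macros in library/psa_crypto.c */`. The two helper macros are also defined inconsistently (`BUILTIN_ALG_ANY_HKDF 1` with a value, `AT_LEAST_ONE_BUILTIN_KDF` without one). No use of `AT_LEAST_ONE_BUILTIN_KDF` appears in the hunks shown for this file, so its consumer presumably sits outside them.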
@@ -720,7 +733,7 @@ static int smoke_test_key(mbedtls_svc_key_id_t key)
buffer, sizeof(buffer), NULL, 0,
buffer, sizeof(buffer), &length));
-#if defined(PSA_WANT_ALG_SHA_256)
+#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
/* Try the key in a plain key derivation. */
PSA_ASSERT(psa_key_derivation_setup(&derivation_operation,
PSA_ALG_HKDF(PSA_ALG_SHA_256)));
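Review bot: The key-derivation part of smoke_test_key is now compiled only when `MBEDTLS_PSA_BUILTIN_ALG_HKDF` is defined. A configuration where HKDF is enabled but not provided by the built-in implementation would presumably skip this check with no trace in the test output. The reason for testing the built-in macro rather than `PSA_WANT_ALG_HKDF` is not stated, and a one-line comment above the `#if` giving that reason would help the next reader. The matching `#else` in the next hunk only adds `(void) derivation_operation;`, which is fine for silencing the unused-variable warning. smoke_test_key starts and ends outside both hunks.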
@@ -753,7 +766,9 @@ static int smoke_test_key(mbedtls_svc_key_id_t key)
alg, key, buffer, length,
buffer, sizeof(buffer), &length));
}
-#endif /* PSA_WANT_ALG_SHA_256 */
+#else
+ (void) derivation_operation;
+#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_PSA_BUILTIN_ALG_HKDF */
ok = 1;
@@ -952,7 +967,7 @@ void key_creation_import_export(int lifetime_arg, int min_slot, int restart)
psa_set_key_slot_number(&attributes, min_slot);
if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
- attributes.core.id = returned_id;
+ attributes.id = returned_id;
} else {
psa_set_key_id(&attributes, returned_id);
}
@@ -1297,7 +1312,7 @@ void sign_verify(int flow,
mbedtls_svc_key_id_t returned_id;
mbedtls_svc_key_id_t sw_key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t sw_attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_attributes_t drv_attributes;
+ psa_key_attributes_t drv_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint8_t signature[PSA_SIGNATURE_MAX_SIZE];
size_t signature_length;
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index 6f28f93..b6d3a34 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -359,19 +359,19 @@ void mock_import(int mock_alloc_return_value,
if (mock_alloc_return_value == PSA_SUCCESS) {
TEST_ASSERT(mbedtls_svc_key_id_equal(
- mock_import_data.attributes.core.id, id));
+ mock_import_data.attributes.id, id));
} else {
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
- mock_import_data.attributes.core.id) == 0);
+ mock_import_data.attributes.id) == 0);
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
- mock_import_data.attributes.core.id) == 0);
+ mock_import_data.attributes.id) == 0);
}
- TEST_ASSERT(mock_import_data.attributes.core.lifetime ==
+ TEST_ASSERT(mock_import_data.attributes.lifetime ==
(mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0));
- TEST_ASSERT(mock_import_data.attributes.core.policy.usage ==
+ TEST_ASSERT(mock_import_data.attributes.policy.usage ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0));
- TEST_ASSERT(mock_import_data.attributes.core.type ==
+ TEST_ASSERT(mock_import_data.attributes.type ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0));
if (expected_result == PSA_SUCCESS) {
@@ -474,19 +474,19 @@ void mock_generate(int mock_alloc_return_value,
if (mock_alloc_return_value == PSA_SUCCESS) {
TEST_ASSERT(mbedtls_svc_key_id_equal(
- mock_generate_data.attributes.core.id, id));
+ mock_generate_data.attributes.id, id));
} else {
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
- mock_generate_data.attributes.core.id) == 0);
+ mock_generate_data.attributes.id) == 0);
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
- mock_generate_data.attributes.core.id) == 0);
+ mock_generate_data.attributes.id) == 0);
}
- TEST_ASSERT(mock_generate_data.attributes.core.lifetime ==
+ TEST_ASSERT(mock_generate_data.attributes.lifetime ==
(mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0));
- TEST_ASSERT(mock_generate_data.attributes.core.policy.usage ==
+ TEST_ASSERT(mock_generate_data.attributes.policy.usage ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0));
- TEST_ASSERT(mock_generate_data.attributes.core.type ==
+ TEST_ASSERT(mock_generate_data.attributes.type ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0));
if (expected_result == PSA_SUCCESS) {
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 5bd12eb..94f26f6 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -142,7 +142,6 @@ void transient_slot_lifecycle(int owner_id_arg,
#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
{
- psa_key_handle_t handle;
mbedtls_svc_key_id_t key_with_invalid_owner =
mbedtls_svc_key_id_make(owner_id + 1,
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key));
@@ -150,8 +149,8 @@ void transient_slot_lifecycle(int owner_id_arg,
TEST_ASSERT(mbedtls_key_owner_id_equal(
owner_id,
MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key)));
- TEST_EQUAL(psa_open_key(key_with_invalid_owner, &handle),
- PSA_ERROR_DOES_NOT_EXIST);
+ TEST_EQUAL(psa_get_key_attributes(key_with_invalid_owner, &attributes),
+ PSA_ERROR_INVALID_HANDLE);
}
#endif
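Review bot: The wrong-owner check now calls `psa_get_key_attributes(key_with_invalid_owner, &attributes)`, which takes the test's own `attributes` object as its output parameter. If anything later in transient_slot_lifecycle reads `attributes`, it should not rely on values set before this block; the rest of the function is outside the hunk, so this needs confirming. The expected status also changed from `PSA_ERROR_DOES_NOT_EXIST` to `PSA_ERROR_INVALID_HANDLE` without explanation. A comment such as `/* A key id with a different owner must not resolve to this key. */` above the TEST_EQUAL would record the isolation property this check protects.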
@@ -459,7 +458,7 @@ void create_fail(int lifetime_arg, int id_arg,
* PSA key attributes APIs thus accessing to the attributes
* directly.
*/
- attributes.core.id = id;
+ attributes.id = id;
} else {
psa_set_key_id(&attributes, id);
}
@@ -747,19 +746,12 @@ void invalid_handle(int handle_construction,
* MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) is a volatile
* key identifier as the imported key is a volatile key. Volatile
* key identifiers are in the range from PSA_KEY_ID_VOLATILE_MIN
- * to PSA_KEY_ID_VOLATILE_MAX included. Thus pick a key identifier
- * in the range from PSA_KEY_ID_VOLATILE_MIN to
- * PSA_KEY_ID_VOLATILE_MAX different from
- * MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) to build an
- * unopened and thus invalid identifier.
+ * to PSA_KEY_ID_VOLATILE_MAX included. It is very unlikely that
+ * all IDs are used up to the last one, so pick
+ * PSA_KEY_ID_VOLATILE_MAX to build an unopened and thus invalid
+ * identifier.
*/
-
- if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) ==
- PSA_KEY_ID_VOLATILE_MIN) {
- key_id = PSA_KEY_ID_VOLATILE_MIN + 1;
- } else {
- key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) - 1;
- }
+ key_id = PSA_KEY_ID_VOLATILE_MAX;
invalid_handle =
mbedtls_svc_key_id_make(0, key_id);
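Review bot: `key_id = PSA_KEY_ID_VOLATILE_MAX;` relies on the assumption stated in the comment that the valid key was not given the last volatile identifier, but nothing checks it. If that assumption ever broke, the supposedly invalid handle would name the valid key, and the negative checks that follow would fail for an unrelated reason. Adding `TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) != PSA_KEY_ID_VOLATILE_MAX);` before the assignment makes the assumption explicit. invalid_handle() starts and ends outside this hunk.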
@@ -939,11 +931,16 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
mbedtls_svc_key_id_t persistent_key2 = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t returned_key_id = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t *keys = NULL;
+ mbedtls_psa_stats_t psa_key_slots_stats;
+ size_t available_key_slots = 0;
TEST_ASSERT(MBEDTLS_PSA_KEY_SLOT_COUNT >= 1);
- TEST_CALLOC(keys, MBEDTLS_PSA_KEY_SLOT_COUNT);
PSA_ASSERT(psa_crypto_init());
+ mbedtls_psa_get_stats(&psa_key_slots_stats);
+ available_key_slots = psa_key_slots_stats.empty_slots;
+
+ TEST_CALLOC(keys, available_key_slots);
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY);
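Review bot: `available_key_slots` is taken from `psa_key_slots_stats.empty_slots` at run time, but the only lower-bound check left is `TEST_ASSERT(MBEDTLS_PSA_KEY_SLOT_COUNT >= 1)`, which no longer bounds the `keys` array. If `empty_slots` were 0, `keys[available_key_slots - 1]` and `i = available_key_slots - 1` in the later hunks of this function would wrap around and index outside the allocation. Add `TEST_ASSERT(available_key_slots >= 1);` right after the assignment. The loops and exports in the hunks at -962, -984 and -1012 depend on the same value.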
@@ -962,10 +959,10 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
TEST_ASSERT(mbedtls_svc_key_id_equal(returned_key_id, persistent_key));
/*
- * Create MBEDTLS_PSA_KEY_SLOT_COUNT volatile keys
+ * Create the maximum available number of volatile keys
*/
psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
- for (i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++) {
+ for (i = 0; i < available_key_slots; i++) {
PSA_ASSERT(psa_import_key(&attributes,
(uint8_t *) &i, sizeof(i),
&keys[i]));
@@ -984,18 +981,18 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
* Check we can export the volatile key created last and that it has the
* expected value. Then, destroy it.
*/
- PSA_ASSERT(psa_export_key(keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1],
+ PSA_ASSERT(psa_export_key(keys[available_key_slots - 1],
exported, sizeof(exported),
&exported_length));
- i = MBEDTLS_PSA_KEY_SLOT_COUNT - 1;
+ i = available_key_slots - 1;
TEST_MEMORY_COMPARE(exported, exported_length, (uint8_t *) &i, sizeof(i));
- PSA_ASSERT(psa_destroy_key(keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1]));
+ PSA_ASSERT(psa_destroy_key(keys[available_key_slots - 1]));
/*
* Check that we can now access the persistent key again.
*/
PSA_ASSERT(psa_get_key_attributes(persistent_key, &attributes));
- TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.core.id,
+ TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.id,
persistent_key));
/*
@@ -1012,7 +1009,7 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
* Check we can export the remaining volatile keys and that they have the
* expected values.
*/
- for (i = 0; i < (MBEDTLS_PSA_KEY_SLOT_COUNT - 1); i++) {
+ for (i = 0; i < (available_key_slots - 1); i++) {
PSA_ASSERT(psa_export_key(keys[i],
exported, sizeof(exported),
&exported_length));
diff --git a/tests/suites/test_suite_psa_crypto_storage_format.function b/tests/suites/test_suite_psa_crypto_storage_format.function
index 116f4cd..efaaba5 100644
--- a/tests/suites/test_suite_psa_crypto_storage_format.function
+++ b/tests/suites/test_suite_psa_crypto_storage_format.function
@@ -82,77 +82,6 @@ static int is_accelerated_rsa(psa_algorithm_t alg)
(void) alg;
return 0;
}
-
-/* Whether the algorithm is implemented as a builtin, i.e. not accelerated,
- * and calls mbedtls_md() functions that require the hash algorithm to
- * also be built-in. */
-static int is_builtin_calling_md(psa_algorithm_t alg)
-{
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
- if (PSA_ALG_IS_RSA_PSS(alg))
-#if defined(MBEDTLS_MD_C)
- { return 1; }
-#else
- { return 0; }
-#endif
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
- if (PSA_ALG_IS_RSA_OAEP(alg))
-#if defined(MBEDTLS_MD_C)
- { return 1; }
-#else
- { return 0; }
-#endif
-#endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
- if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
- return 1;
- }
-#endif
- (void) alg;
- return 0;
-}
-
-static int has_builtin_hash(psa_algorithm_t alg)
-{
-#if !defined(MBEDTLS_MD5_C)
- if (alg == PSA_ALG_MD5) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_RIPEMD160_C)
- if (alg == PSA_ALG_RIPEMD160) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_SHA1_C)
- if (alg == PSA_ALG_SHA_1) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_SHA224_C)
- if (alg == PSA_ALG_SHA_224) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_SHA256_C)
- if (alg == PSA_ALG_SHA_256) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_SHA384_C)
- if (alg == PSA_ALG_SHA_384) {
- return 0;
- }
-#endif
-#if !defined(MBEDTLS_SHA512_C)
- if (alg == PSA_ALG_SHA_512) {
- return 0;
- }
-#endif
- (void) alg;
- return 1;
-}
#endif
/* Mbed TLS doesn't support certain combinations of key type and algorithm
@@ -193,24 +122,11 @@ static int can_exercise(const psa_key_attributes_t *attributes)
return 0;
}
#endif
+
if (is_accelerated_rsa(alg) &&
(hash_alg == PSA_ALG_RIPEMD160 || hash_alg == PSA_ALG_SHA_384)) {
return 0;
}
-#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
- if (PSA_ALG_IS_RSA_OAEP(alg) &&
- (hash_alg == PSA_ALG_RIPEMD160 || hash_alg == PSA_ALG_SHA_384)) {
- return 0;
- }
-#endif
-
- /* The built-in implementation of asymmetric algorithms that use a
- * hash internally only dispatch to the internal md module, not to
- * PSA. Until this is supported, don't try to actually perform
- * operations when the operation is built-in and the hash isn't. */
- if (is_builtin_calling_md(alg) && !has_builtin_hash(hash_alg)) {
- return 0;
- }
#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 */
(void) key_type;
@@ -271,7 +187,7 @@ static int test_read_key(const psa_key_attributes_t *expected_attributes,
TEST_ASSERT(mbedtls_test_psa_exercise_key(
key_id,
psa_get_key_usage_flags(expected_attributes),
- psa_get_key_algorithm(expected_attributes)));
+ psa_get_key_algorithm(expected_attributes), 0));
}
diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data
new file mode 100644
index 0000000..807007b
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_util.data
@@ -0,0 +1,167 @@
+ECDSA Raw -> DER, 256bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA Raw -> DER, 256bit, DER buffer too small
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA Raw -> DER, 256bit, Null r
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA Raw -> DER, 256bit, Null s
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA Raw -> DER, 256bit, r with MSb set
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA Raw -> DER, 256bit, s with MSb set
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA Raw -> DER, 256bit, both r and s with MSb set
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"A111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"3046022100A111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA Raw -> DER, 256bit, r and s only 1 byte of data
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000110000000000000000000000000000000000000000000000000000000000000022":"3006020111020122":0
+
+ECDSA Raw -> DER, 256bit, r and s only 1 byte of data with MSb set
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000A2":"300802020091020200A2":0
+
+ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte shorter)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte shorter)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte longer)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte longer)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA DER -> Raw, 256bit, Raw buffer too small
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA DER -> Raw, 256bit, Wrong sequence tag
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+ECDSA DER -> Raw, 256bit, Invalid sequence length
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+ECDSA DER -> Raw, 256bit, Wrong integer tag
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte smaller than the actual size)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte larger than the actual size)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte smaller than the actual size)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+
+ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte larger than the actual size)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+ECDSA DER -> Raw, 256bit, r size 1 byte larger than allowed for output raw coordinate
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3045022111111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, r with MSb set
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA DER -> Raw, 256bit, Invalid r all zeros
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Invalid s all zeros
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0
+
+ECDSA DER -> Raw, 256bit, Invalid 0-length r
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Invalid 0-length s
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Invalid r 2 leading zeros
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3027020300000102202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Invalid s 2 leading zeros
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"3027022011111111111111111111111111111111111111111111111111111111111111110203000001":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes.
+ECDSA Raw -> DER, 512bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512
+ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0
+
+# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes.
+ECDSA DER -> Raw, 512bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512
+ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0
+
+# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes.
+ECDSA Raw -> DER, 521bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521
+ecdsa_raw_to_der:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0
+
+# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes.
+ECDSA DER -> Raw, 521bit, Success
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521
+ecdsa_der_to_raw:521:"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0
+
+ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der_incremental:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222"
+
+ECDSA Raw -> DER, 512bit, Incremental DER buffer sizes
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512
+ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818502410091111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
+
+ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521
+ecdsa_raw_to_der_incremental:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222"
+
+ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer)
+depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
+ecdsa_raw_to_der_incremental:256:"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002":"3006020101020102"
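Review bot: The two DER -> Raw cases titled "Wrong r integer length (1 byte smaller than the actual size)" and "Wrong s integer length (1 byte smaller than the actual size)" encode the length as `0219`, which is 0x19 = 25 bytes, seven short of the real 0x20 rather than one; it reads as if decimal 20 had been decremented. Either change the length byte to `021f` so the data matches the titles or retitle the cases, and re-check the expected error code of each case after the change instead of assuming it carries over. Separately, the DER -> Raw set has an "r with MSb set" success case and an "Invalid r: MSb set without leading zero" failure case but no counterpart for s; mirroring both for s would make the parser's sign handling equally covered on the second integer.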
diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function
new file mode 100644
index 0000000..2d8915e
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_util.function
@@ -0,0 +1,91 @@
+/* BEGIN_HEADER */
+#include <test/helpers.h>
+#include <mbedtls/psa_util.h>
+/* END_HEADER */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret)
+{
+ unsigned char *tmp_buf = NULL;
+ size_t tmp_buf_len = exp_result->len;
+ size_t ret_len;
+
+ TEST_CALLOC(tmp_buf, tmp_buf_len);
+
+ TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len,
+ tmp_buf, tmp_buf_len, &ret_len), exp_ret);
+
+ if (exp_ret == 0) {
+ ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len);
+ }
+
+exit:
+ mbedtls_free(tmp_buf);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_result)
+{
+ unsigned char *tmp_buf = NULL;
+ size_t ret_len;
+ size_t i;
+
+ /* Test with an output buffer smaller than required (expexted to fail). */
+ for (i = 1; i < exp_result->len; i++) {
+ TEST_CALLOC(tmp_buf, i);
+ TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len,
+ tmp_buf, i, &ret_len) != 0);
+ mbedtls_free(tmp_buf);
+ tmp_buf = NULL;
+ }
+ /* Test with an output buffer larger/equal than required (expexted to
+ * succeed). */
+ for (i = exp_result->len; i < (2 * exp_result->len); i++) {
+ TEST_CALLOC(tmp_buf, i);
+ TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len,
+ tmp_buf, i, &ret_len) == 0);
+ mbedtls_free(tmp_buf);
+ tmp_buf = NULL;
+ }
+
+exit:
+ mbedtls_free(tmp_buf);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret)
+{
+ unsigned char *in_buf = NULL;
+ size_t in_buf_len;
+ unsigned char *out_buf = NULL;
+ size_t out_buf_len = exp_result->len;
+ size_t ret_len;
+
+ TEST_CALLOC(out_buf, out_buf_len);
+
+ /* Verify that parsing of truncated input always fails. */
+ for (in_buf_len = 1; in_buf_len < input->len; in_buf_len++) {
+ /* We alloc a copy of input buffer with limited length so that sanitizers
+ * can detect overreads. */
+ TEST_CALLOC(in_buf, in_buf_len);
+ memcpy(in_buf, input->x, in_buf_len);
+ TEST_ASSERT(mbedtls_ecdsa_der_to_raw(key_bits, in_buf, in_buf_len,
+ out_buf, out_buf_len, &ret_len) != 0);
+ mbedtls_free(in_buf);
+ in_buf = NULL;
+ }
+
+ TEST_EQUAL(mbedtls_ecdsa_der_to_raw(key_bits, input->x, input->len,
+ out_buf, out_buf_len, &ret_len), exp_ret);
+
+ if (exp_ret == 0) {
+ ASSERT_COMPARE(exp_result->x, exp_result->len, out_buf, ret_len);
+ }
+
+exit:
+ mbedtls_free(in_buf);
+ mbedtls_free(out_buf);
+}
+/* END_CASE */
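Review bot: In `ecdsa_raw_to_der_incremental` the second loop only asserts that the call returns 0; the bytes written to `tmp_buf` and the reported `ret_len` are never compared with `exp_result`, which is used only for its length. A conversion that succeeds but writes a wrong encoding or reports a wrong length when the output buffer is larger than needed would pass this test, so I would add `ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len);` right after the call inside that loop. The two comments in the same function also spell "expexted" for "expected".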
diff --git a/tests/suites/test_suite_random.function b/tests/suites/test_suite_random.function
index 58cddb7..155b8e7 100644
--- a/tests/suites/test_suite_random.function
+++ b/tests/suites/test_suite_random.function
@@ -26,7 +26,12 @@ void random_twice_with_ctr_drbg()
unsigned char output1[OUTPUT_SIZE];
unsigned char output2[OUTPUT_SIZE];
+#if defined(MBEDTLS_AES_C)
MD_PSA_INIT();
+#else
+ USE_PSA_INIT();
+#endif
+
/* First round */
mbedtls_entropy_init(&entropy);
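Review bot: The new `#if defined(MBEDTLS_AES_C)` switch between `MD_PSA_INIT()` and `USE_PSA_INIT()` carries no comment saying why a build without MBEDTLS_AES_C needs the other initialiser; presumably CTR_DRBG then obtains its block cipher through PSA, but nothing in the hunk states it. I would add a short comment above the `#if`, e.g. `/* Without MBEDTLS_AES_C, CTR_DRBG presumably needs PSA initialised first; keep in sync with the *_DONE() pair at exit. */`, with the reason confirmed by the author. The same condition is repeated around `MD_PSA_DONE()`/`USE_PSA_DONE()` in the next hunk (the `exit:` path), and the two must change together or the init and teardown will no longer match. `random_twice_with_ctr_drbg` begins and ends outside both hunks.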
@@ -56,7 +61,11 @@ void random_twice_with_ctr_drbg()
exit:
mbedtls_ctr_drbg_free(&drbg);
mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_AES_C)
MD_PSA_DONE();
+#else
+ USE_PSA_DONE();
+#endif
}
/* END_CASE */
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index 0a60f31..8123f13 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -21,7 +21,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"6a8a1f225703fe39753c1017b43eec9e070a70b1":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":0
RSA PKCS1 Verify v1.5 CAVS #4
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"693c1ac1a3fc23157b4a854f886b6b8d18e28b321b8382a93dcf2426":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"3bb7b1c5f3391de4549e2e96fd33afa4d647dd90e321d9d576f3808e32213e948b697ef4fd2dd12923de6ec3ffd625078a57f86af38dc07052bb50547c616ed51fa1352b3ab66788408168d21263ef2d3388d567d2ce8cf674f45491ab2b0319d47be1266bda39e343b2a38ea2d6aaaee6c4465aee1d7bb33e93a1c40a8e3ae4":0
RSA PKCS1 Verify v1.5 CAVS #5
@@ -29,11 +29,11 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"944d593f3e31817d712038dbf88a17c1772b135c34c66b236daf9a7413c2a8af":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"7b5fba70ec5b521638f182bcab39cec30b76e7bc017bdbd1059658a9a1db0969ab482dce32f3e9865952f0a0de0978272c951e3c015328ea3758f47029a379ab4200550fba58f11d51264878406fc717d5f7b72b3582946f16a7e5314a220881fc820f7d29949710273421533d8ac0a449dc6d0fd1a21c22444edd1c0d5b44d3":0
RSA PKCS1 Verify v1.5 CAVS #6
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"5a3b396a237f5460a9c8d40628e4bc324d046d0bf3ad6417db59ff3904513a79297d51656ab6c70cc07f08b8eefd2f15":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"38fc4f6f0430bb3ea9f470a4c0f5cebdabac4dbeb3b9c99d4168e7b00f5eb294ec0ece1908eded1f3e14f1e69d10f9feb425bda0c998af945ef864298a60a675f0bb5c540a7be3f534d5faddff974eea8bffe182a44e2ee1f4f653e71967a11869ee1a850edb03cb44a340378cb7a1bc9616d3649b78002b390a05a7e54edec6":0
RSA PKCS1 Verify v1.5 CAVS #7
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
# Bad padding after performing the public key operation
mbedtls_rsa_pkcs1_verify:"900ada01bc5536ee88ee7f2b95d15e2e6353bc3de0ef9610f8e6deb736c30623b961eda17f316229c013bb4696fc7346":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"3":"d93a878c1ce86571590b0e43794b3edb23552797c4b8c9e3da4fe1cc4ac0566acd3b10541fe9a7a79f5ea4892d3069ca6903efb5c40c47eb8a9c781eb4249281d40c3d96aae16da1bb4daaece6a26eca5f41c062b4124a64fc9d340cba5ab0d1f5affff6515a87f0933774fd4322d2fa497cd6f708a429ca56dcb1fd3db623d0":MBEDTLS_ERR_RSA_VERIFY_FAILED
@@ -50,7 +50,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"f0571d8513c4ff68dc68c605dfe856f27bdfed91":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"10001":"dd82b7be791c454fbbf6f1de47cbe585a687e4e8bbae0b6e2a77f8ca4efd06d71498f9a74b931bd59c377e71daf708a624c51303f377006c676487bad57f7067b09b7bb94a6189119ab8cf7321c321b2dc7df565bfbec833a28b86625fb5fd6a035d4ed79ff0f9aee9fa78935eec65069439ee449d7f5249cdae6fdd6d8c2a63":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Verify v1.5 CAVS #11
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"16d8bbe3323f26b66f1513e1ffc0ff2cd823747a3cc1534fdb1de304":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"10001":"d8ef7bdc0f111b1249d5ad6515b6fe37f2ff327f493832f1385c10e975c07b0266497716fcb84f5039cd60f5a050614fde27f354a6c45e8a7d74f9821e2f301500ac1953feafeb9d98cf88d2c928413f337813135c66abfc3dc7a4d80655d925bf96f21872ca2b3a2684b976ca768fe37feae20a69eeec3cc8f1de0db34b3462":0
RSA PKCS1 Verify v1.5 CAVS #12
@@ -58,7 +58,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"63030cef0e2d4067573222bef3a3f83e7c98ec4c2d21780a7438673ad48bfe29":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"10001":"52111f4798da3c11b3c74394358348ab0fc797bde99080f238d33a69b04b08ac2bd767b33872473943e23af27ca32fd568a43a8c7d6cc55b4fbb380212fdfcb60487e20694d4287e233efdf7b04737c0037a592d03077801828b051998c42b9f9e2420063331d5b2349918a64d8b65b21a2011ee7318fcef48aced95b8ddf501":0
RSA PKCS1 Verify v1.5 CAVS #13
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"b6a6dcf38a14037e598508fcff07f8da0e3f00538961cb159402f60442cbaf8d8abec885c4f0017018e2c2f45f3b076d":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1024:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":"10001":"d5dcd27c74e040ea86f106b63d3275fa7b7e98d2dd701f38ec15fc7301b72df127f6d3bd5571253a0b9e0e719d7d522893896941a1aeccc697912282b5308d829b91905b5dd7b7e1b8fe27e2bd4003b09dfe7fe295f8a43c076c0cb52f2aac067e87de7ffe3a275d21a870c3dfc9b1d06d7f018667de9eb187bdf53d282e5d8b":0
RSA PKCS1 Verify v1.5 CAVS #14
@@ -70,7 +70,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"1340fc324c96aa313425ecfa971297f2cddca172":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"3":"1f7938b20a9cd8bb8ca26bad9e79ea92373174203f3ab212a06de34a9a3e14e102d19a8878c28a2fc8083a97c06b19c1ae62678289d5d071a904aed1d364655d9e2d16480a6fd18f4c8edf204844a34d573b1b988b82d495caefd9298c1635083e196a11f4a7df6a7e3cc4db7b9642e7682d22ec7038c3bad791e1365fe8836976092460e6df749dc032baf1e026684f55936beb9369845c53c3d217941c1f8d8f54a32333a4c049c3f2d527125778032f5d390040d1d4cce83dc353ce250152":0
RSA PKCS1 Verify v1.5 CAVS #16
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"64d856065bbe1590ed1cc1e2ad048641b3aedbfe13ea2f9df2270b74":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"3":"339dce3a1937669d9fb14c4f652378861fd5adc4da88eaf833b16020b55a24ddc83b7ae3395a9a49b426bb9a4170cb765b02652faa9594b457aeefdae4f802e93d8e65c687ddc723701465a5ef19249ed5d2617b5121c58557b34eb99a663bbcf4453a6e1db5d88723de449fcf58ca8ef514daf08cfdc71be155bb3d0724df0c0a6fd5aa7737433cc376640b9b8b4c7ddd09776bae0245729cddb56e36f28edad6aecaed0821ec8d843a96348e722bf0a84cf060a793a2179f054138f907d0c3":0
RSA PKCS1 Verify v1.5 CAVS #17
@@ -78,7 +78,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"7743dd578de944491852bfddfdeb0d239eb8d3d40a3315b8a028854627dd0ff7":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"3":"8117a6897e14c183737661cf5741350a84ae00495cd9ee8fb033582e559f79701ab424706660515ee5821a69a6850647ec641676a625d1a3899932aaa52161fbc0c0a825db82fde0585b3c9b9c16de43e26da6a30fe5a601dae68bded1e29ec34557b5f6962efb10b9450d6f096655f68e8499cfa16a0adeb9075e7b91851fef84243132d08273d35d01ad89c17e1e6e4deaf1cb233050b275fa9d2cae57e9e1a0e23139267040aa39b6abd8f10fa1cec38ce2183573ddc11626fc262e1a0ced":0
RSA PKCS1 Verify v1.5 CAVS #18
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"c293af20d96cc76b460fe8d4a7f02bf6e131750cadeaa898c7c2086a70ee9021986e408e896fbfdde338cbc9ab5ab94e":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"3":"6b49553ed964ae196a41ea281f4d2a250ce7d1e7434e45cf6a82f7bed17554f39c3f0241e0364702fcb87475eb0c0839ffd2180890fa05b4bbf31bbfa4bf5119dea0c9f88e1e9617fcdadabc6fa1945136cc66e039b905d78ed365c5806d38aec88b3edfb86c05ff446dbfd51d7cd75cbf8d3b85154c783765386f51637532221f52429db5612dcc034968bb8feab7dc6f5ed1f2feb557f6dd49c980296117be2c4195ec7b6101ea767df9d16a56fc9709b49308a54dab63dbc4d609f959ce17":0
RSA PKCS1 Verify v1.5 CAVS #19
@@ -94,11 +94,11 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"a827c0785f663e39a08106f8036fd669d05b345c":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"a142b0d9456f8f4772675265a08613a66c416bd1ae712975c69d9ca5fb8c1be9c24359a04fd15460bf6136a8a11f13e3ce2de2171524f10cb715f0d71e3db15281ab99eadbe86cf8c5c518162c638ef27a4f7bfb4a1a3873f3c384a5b1c3b4966c837b9d8d192ac34e03943b7ae191355aa1ff3b9cd041bb2668f1f81cf0d015b3d3608cd9ac79398212c0f132f1bd45d47768b999fcf3c05fe2069593ceecedc851a7fc465abcfef0fabba9b9460153f6ba8723a5c6e766c83a446aef3ee327":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Verify v1.5 CAVS #22
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"e5979f65ad7572ed4b0bc3a5fcad893a142a73379a1a16b45570d77d":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"0676e64daaa18f4af46e9dfbe234db389b8a527b0fe1db97eb7f404e3155226cba70d318800f83160fa1aa19916e5c09f079331079f18cb8ab1a4b884cb28501824974f683ed2b9babae9f8c15bea30802805c6b2152119764811bbf5f3994d2e97fa2fe8c5ab15a23c14d7ae56be00eaa8bc26678481ff5ba59b0acfb0e43341bff9fc638e5625480a73dbc5d8d13bd2b9e64037c6b79df0c60869980c6a22ec46f80fb859cb4ee5d2032ac1fe538cfd85c70a7f33b4af50a93395917c2cfb6":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Verify v1.5 CAVS #23
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"7af156b6b8089300a6d8cd3f32176c4c619135f4eced14dcfd633d2e":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"5e08f399258e6de075b67a0a6a822ceb21b1eb7a0342eca6a4295739f644547dee3456243cf32bd6ea6f357c88632508457130f3dae04f7806efaed43d1d501e16c961dfbd6c71a42b480e95c7027f8275063d05a9aac3eef0520867b9896ebe8ec358f7d121beb4e61ddfdc3dcd835dfe265f2ba68d300ef566ed1284f9f3d7b1af363ed47bfa2e5f0492925444df7e5fcb1e79e690c746117650b543a5e82c39553552f0f44e617b5cf773c533050f4129e893ac22af69b1eb9afb4b5ba5f5":0
RSA PKCS1 Verify v1.5 CAVS #24
@@ -106,7 +106,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"f5f493fc1dfc2221e2a5d61d8fc88480ec03b1fddec8b14d1d77c558859659db":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"a003ae9cf0704d58763b214f20446ecc4099c566f25384e28d0dd6540c58705fc8d0bfe1ceaa06096ed1e230146edb82056e39e6727abec09f25e44079b6ce1ca2c6a540dec7aa34444d7d435f41e5fca9b0bba62759ae2780638e5160e031bb60409c2e85674ac7a776b444b37b9d7f4dbaa557e88b8562a584f2dbe90729b241aede95dfcc7e05b10deef06255cb89f0e7ccff23354818756a1f8bb9f00fd18f6cd22ca1b4bfc38027562bb37562c77c7883b5d735170d75521195fd3f2bd3":0
RSA PKCS1 Verify v1.5 CAVS #25
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"d8758fac95ed9177581c1eb690c5fad797f47e798c4a92706dd57eb038af9dbfa02c0b964c301053bb50ac8fc652d564":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"2c6b301852cc55a993a933e2c080eb9dabfe19e9dc3571066caeabed1492d3501cd838de1c01784932df7a5ad5bbfb48c78f53a45f76e9812d046f23bd968495ef7e981e5add4acfc538fe33a5205de74bb37d3d9b6b87b2d174e85a73f216fd67d5738fc469dff7ea6b852e8dd08bc8df036597372d4d51185e6f47a45fbe1b9bdb06a4018783425ec95294de41f27235ad3b3263a890b8b62b17410a9bb08673393ff205a866ee2057e99c6517c6bbc84f8d87717b83d6f64de7ee215e1e8d":0
RSA PKCS1 Verify v1.5 CAVS #26
@@ -118,7 +118,7 @@ depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"46ba38d521ffa6fc01bd69512008fd557785c783":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"11":"180caf03781b391aacebe5b3f5e1d3b01c68a00df4ecfb6c4bf14217aed7cfca0adac099ec1d6e1f0b43b09b86788533fee6691d773807af0df6cc3bbdde3cf34bf5b848fa59c8bc10227cc3eba3452a85e0520fccdb2d8d32dd99672d302756a2d7f7f2693db3a48be17bd34d9d891f4ba44449c5bad1de91b788f524500a7703cccbaa77b9fe8791f5c8aa7b8f055336f28fcfc01733712e33cfb3d33fe71ddb9ced2a31931ec38007f5ad4a0d19acc428124b0e5ee6e0746fb33c1a4d90c8":0
RSA PKCS1 Verify v1.5 CAVS #28
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"807ca5785542d26b3d1615209ab0ad3ff5f58707fe25f986abc19c0a":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"11":"8c846e75e32ce5f9964bdd8f6dcf1d2996a646b233bcf1bd6394e13e856691b89bedd18290a0f9f7c90dca307271b3108e795340490513b25e6789e93722c65ec064b4c43457295a31d1f07dd605e133fd6eaafc58cda132df2939f5f693e0205af34550afaa137f3e482885e50dfb48333a15c0821e7a19642acdddc6fea3c7487c691246a2b083dac439889d5ae741b7e08c47937530b4b069f1a260cd07fe4a0ddd530ab11534fb805e9b562118ee0e97932966008aadfc83f3b8a10de8ee":0
RSA PKCS1 Verify v1.5 CAVS #29
@@ -130,11 +130,11 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"db7e6ef51ffecd9c1cb88078275c362c0e36730860a33a0802c4a9237467d48d":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"3":"a202c33eb831b9d8e818b6c3bcdb42818e1d9c22a06ddd73a17a21e49d18cda44df349a066477cae068e1a5d2b518b0885e889ef796ca9e6f42a69ac755b8a6405fbaef93fe0130d98de35d689addfee3eecd26658903f774bda481c3f40ee0e9569a3c3e2da7ad576c7de82159d933e36fa29cfef99367005e34ab5082d80f48276d37dabc88dbb023bd01585329d2ccf417f78ec508aaa29751007d31f1669296b981d44c8fa99130c5df7a071725b496859314aaf9baf0ebc780355914249":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Verify v1.5 CAVS #31
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"810b988d9966877681759634c332d6099cf905c7cd57c871b9e3399730fe4ef8cd1d3c7391ec4def78d4624b384664c4":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"10001":"402631f3cddfb02cc4d9cb58ef1ab6726bd787a50e12e98567c9702bfdf47af85904aec5a2f6c5df9a10f08f90f93728eb090ae2ac21ded9f38faecd8195f3eb3d4107521b1cee956e7a214245b038adae912fa35ec97cb3bdc41352e8aaff80173561284cb740f999a3cd6653a6c3d5a3f911a416f41e2155083982c99eb5998a0a74d77f1ae999d901ee24a7f2c424179a3f92b07dc0b3498c1884e60677bee0175e810b426c4ad008d2743cd19b00b33177bf8be3fed7f7406e1bce0c2ea3":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Verify v1.5 CAVS #32
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"cc43d91a2ae21a1a1fe7e51801f48f5a2f21ff4827d79cf6193e7610e2a5d9881f21577dcd100b2b5d087d936f867960":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:1536:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":"11":"57edd0560df9840a25c28ff6d254e432395a5cd2d92248b3b44d7eab0fc65b3c4e545a916a8e90ce89745119db9ec9799aa8890f5250fb589cfc12dac1b6e406a39bc3b3663892da5354ba453cbd5e4c89bdce82d0ffe97052a03a5c3308819c1139ebc780c13cf6dc1477faf734abcb1db3fafaed6f22885c9c0222ff5deacb8cc6d027f2e959c3075011b382e88c4b27b83b4f2e6fda022e331c3602d19f5ac7bccfe95ea1e93d736dbd918ae5b1f468cd0b5b536a2f918d5e27a0757e75b7":0
RSA PKCS1 Verify v1.5 CAVS #33
@@ -205,19 +205,19 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"8cfd7c2f07a94aea1ff222dc9b80c58a946c975470ff2d2d3fbdb45eac1efa5c":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:2048:"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":"3":"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":MBEDTLS_ERR_RSA_VERIFY_FAILED
RSA PKCS1 Sign #3 (SHA224, 2048 bits RSA)
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_sign:"32f339fe33f10a0fa152bf9659cdf7a0e4b741444ea31a85d40ed4bb":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"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":0
RSA PKCS1 Sign #3 Verify
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"32f339fe33f10a0fa152bf9659cdf7a0e4b741444ea31a85d40ed4bb":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA224:2048:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"9d768b8b31421f9d9ced890aafaf8b3468656419049ed268f6e1992066f45dc3e4cd349e8c5ed5a06e4ef5badaba064ba94907dfedf3d708becaf44ae9b27c3866d329311ba93e8ddc7fc284fba05d1bb84fb1e060a5b76b7fa515cfcd2c8144474623672703cac1e15ff4fdf8ef19d365c51ba86e60f4cbbcd07f956060625751bfbecc47945646459cadaddd900603a8149a93b31a6d432e1da1a67eb765f5b2f0bd1adb9af12d731c7b02931b42dbbfd8c7cecde76b817e96f664147a2c5091c6ce4dc562c5f57159d6f9dc9ba2daa212db56677839621bd4805dde62955fb2d0cc2c448109d10ecc6206ea81f0a02e1646471358f3ec146cd3c75f2d390b":0
RSA PKCS1 Sign #4 (SHA384, 2048 bits RSA)
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_sign:"7fccca8778575cf67d95d44e6825128e2ba5155f7cc91d968a923dbac35bc04b4d45bf6fd0009144ef9d70898948eeec":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"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":0
RSA PKCS1 Sign #4 Verify
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"7fccca8778575cf67d95d44e6825128e2ba5155f7cc91d968a923dbac35bc04b4d45bf6fd0009144ef9d70898948eeec":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA384:2048:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"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":0
RSA PKCS1 Sign #7 (MD5, 2048 bits RSA)
@@ -249,11 +249,11 @@ depends_on:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:255:2048:"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":"3":"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":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSA PKCS1 Sign #10 (RIPEMD160, 2048 bits RSA)
-depends_on:MBEDTLS_MD_CAN_RIPEMD160:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_RIPEMD160:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_sign:"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_RIPEMD160:2048:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"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":"3":"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":0
RSA PKCS1 Verify #10 (RIPEMD160, 2048 bits RSA)
-depends_on:MBEDTLS_MD_CAN_RIPEMD160:MBEDTLS_PKCS1_V15
+depends_on:PSA_WANT_ALG_RIPEMD160:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_RIPEMD160:2048:"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":"3":"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":0
RSA PKCS1 Encrypt #1
@@ -468,58 +468,160 @@ RSA Deduce Moduli, corrupted
mbedtls_rsa_deduce_primes:"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e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":1:MBEDTLS_ERR_MPI_BAD_INPUT_DATA
RSA Import (N,P,Q,D,E)
-mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
RSA Import (N,P,Q,D,E), inconsistent
-mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
RSA Import (N,P,Q,D,E), successive
-mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:0:0
RSA Import (N,P,Q,D,E), successive, inconsistent
-mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC3672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:1:1:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0
RSA Import (-,P,Q,D,E)
-mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
RSA Import (-,P,Q,D,E), successive
-mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
+mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
RSA Import (N,-,-,D,E)
-mbedtls_rsa_import:"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
+mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":2048:0:1:0:0
RSA Import (N,-,-,D,E), successive
-mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":"3":1:1:0:0
+mbedtls_rsa_import:"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
RSA Import (N,P,Q,-,E)
-mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:0
+mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:0
RSA Import (N,P,Q,-,E), successive
-mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:0
+mbedtls_rsa_import:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:0
RSA Import (-,P,Q,-,E)
-mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:0
+mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:0
RSA Import (-,P,Q,-,E), successive
-mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:0
+mbedtls_rsa_import:"":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:0
RSA Import (N,-,Q,-,E)
-mbedtls_rsa_import:"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":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":0:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+mbedtls_rsa_import:"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":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:0:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSA Import (N,-,Q,-,E), successive
-mbedtls_rsa_import:"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":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":1:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+mbedtls_rsa_import:"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":"":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":"":"3":2048:1:1:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSA Import (N,-,-,-,E), complete public key
-mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":0:0:0:0
+mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":2048:0:0:0:0
RSA Import (N,-,-,-,E), complete public key, successive
-mbedtls_rsa_import:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"":"":"":"3":1:0:0:0
+mbedtls_rsa_import:"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":"":"":"":"3":2048:1:0:0:0
RSA Import (N,-,-,-,E), complete public key, corrupted
-mbedtls_rsa_import:"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":"":"":"":"4":0:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0
+mbedtls_rsa_import:"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":"":"":"":"4":2048:0:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0
RSA Import (N,-,-,-,E), complete public key, successive, corrupted
-mbedtls_rsa_import:"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":"":"":"":"4":1:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0
+mbedtls_rsa_import:"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":"":"":"":"4":2048:1:0:MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:0
+
+RSA Import (N,P,Q,D,E) 512-bit complete pair
+mbedtls_rsa_import:"cbc23c9751d5b0dc4f7ea5f871d6e31d7fb8a414eacfa006cf9c782385ce177b2a41b52cd80ddf75c4f14ffb679c388b4d0fe828413c2b8dd651e5039b2e14b3":"fbf724e9d31cb074dd117e96c4f9ad8ff6b4fe6dc72c7b9bc5af370c0833314d":"cf057bde49ab3cc354d731c03925e4cb34d7ecc41335948bca6d3438a0e35dff":"5705d006f8a68170b66aeacb9f231dc0bd89c85a3ea70a3b9e73bf43bca3f69699bfd123ec6fc533d3163dc8645d1e45342ad38b110659e96656f4763ec318f1":"10001":512:0:1:0:0
+
+RSA Import (N,-,-,-,E) 512-bit public
+mbedtls_rsa_import:"cbc23c9751d5b0dc4f7ea5f871d6e31d7fb8a414eacfa006cf9c782385ce177b2a41b52cd80ddf75c4f14ffb679c388b4d0fe828413c2b8dd651e5039b2e14b3":"":"":"":"10001":512:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 513-bit complete pair
+mbedtls_rsa_import:"16798857c4718f9367a715b29038d042ea41686a457279db149d4da54146262305da39b02b764f2b56902e4c45425c2c3f404da82f86d8ed3b067da70899c5149":"18486f2d2df61d10ebe578caff5142047cae635909946b57c33028d35e4abac0b":"ecefea558b614138e773e1cd25380e49a910d6dd4b584457c1bfabf86922f87b":"1c3dbb460e6364b725989f7b321f3213e3a92d3bdce86c970ee05ba13cd4993758140f790489b61188c26354a6b372d32081750cecb84db563ec5724d78388ad":"10001":513:0:1:0:0
+
+RSA Import (N,-,-,-,E) 513-bit public
+mbedtls_rsa_import:"16798857c4718f9367a715b29038d042ea41686a457279db149d4da54146262305da39b02b764f2b56902e4c45425c2c3f404da82f86d8ed3b067da70899c5149":"":"":"":"10001":513:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 514-bit complete pair
+mbedtls_rsa_import:"32f54232899f45a415e7a7728fc744703f4b4466e56d7d6900f125950bb9a42082d2f0162ce1ac9949da5be37af8c20178d79d8ac1ab860d5ed55b14f49d064ab":"1d2cc9d59be8079457a5f28c3e74d1d4c7763acc1a7e725dff09198a5b99d35cf":"1bf23921dfe89a0f681bf10fd27fd2bc914f8888b8addb1d102255e586827b665":"1d9f13ebecb3f8f7790440020831fd4682846e2ea20f13678674a7340caccd0b37ccaf79b7d4005adafb7e6f84e0ff7bbe28a27fd7337cdf100fe63afe967419":"10001":514:0:1:0:0
+
+RSA Import (N,-,-,-,E) 514-bit public
+mbedtls_rsa_import:"32f54232899f45a415e7a7728fc744703f4b4466e56d7d6900f125950bb9a42082d2f0162ce1ac9949da5be37af8c20178d79d8ac1ab860d5ed55b14f49d064ab":"":"":"":"10001":514:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 515-bit complete pair
+mbedtls_rsa_import:"5f47dbe0d15f66c13ce0ff8af2edc7942ef4ff8b6b6e49ef5518ce3754efb5270204cb727c3f325b4a51dc02688eae0a6bfd7549854a7ede8b31f0e4adb835f85":"30c23bf1faf7515ed3e63abcda5b88b6387d213854da798e6662afb09441f192f":"1f4419ac839887606a8d299bc430f8e48f8984ae81982eaf03775fbe1a347bd8b":"5e8416fece5337c84acedb5007a98e4855c85d52fd2ffb91b9b590a2dcd3a8bc88e6e61573daa526a1b37ebae41401e6811d0d1e5458f1a5074178fb274a275a5":"10001":515:0:1:0:0
+
+RSA Import (N,-,-,-,E) 515-bit public
+mbedtls_rsa_import:"5f47dbe0d15f66c13ce0ff8af2edc7942ef4ff8b6b6e49ef5518ce3754efb5270204cb727c3f325b4a51dc02688eae0a6bfd7549854a7ede8b31f0e4adb835f85":"":"":"":"10001":515:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 516-bit complete pair
+mbedtls_rsa_import:"bcc54a5a10ef1a3241c60aeec9c5ec54cd63407ee2b69748ad5ec53d1a3d7fea540811ba0eed19574cad6dca28691e2711fdf0e76d2bc6eec508e7a864ee13b03":"3a83434f8995a87a977f0e15e9b39f55551968a5f3cbaf6f7e0f177215c3a69bb":"339e4b5aef4912382ee5f6dd82c2cb5255e604279477ca22ed0b02cab66a75b59":"60a460bc5b8f0dca4d0226f6b9362b17ff4ea0e6550b45c85f79f560a2de796e35d51da40d1eae356cca05626a3686cee2dbcaa5b71b76ffa0cb313fb4a412f1":"10001":516:0:1:0:0
+
+RSA Import (N,-,-,-,E) 516-bit public
+mbedtls_rsa_import:"bcc54a5a10ef1a3241c60aeec9c5ec54cd63407ee2b69748ad5ec53d1a3d7fea540811ba0eed19574cad6dca28691e2711fdf0e76d2bc6eec508e7a864ee13b03":"":"":"":"10001":516:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 517-bit complete pair
+mbedtls_rsa_import:"1a7b2e3d43f1b3e060d2f598939d0542178feac3310be308f4fd05872ec91048ea79543c0b00e5f61ec8b577ffa33c26bb74c2bc079033f006e6af59ec15cef529":"72e502be06a9fcb3ef64801055d10ecf8ec2b4a9429423813760e4258cf575373":"3b00e49f541091dce4940c9a36f203d195a81c7812111d9a89fc5971f363085f3":"19297286444925e1ce1ea5be94845ebaae28d1a926b164c8de008d8025b46704d77326956f97ceaadc3ebb74f94edbe1b7df5236693e7bb97cdd77b4569420fd01":"10001":517:0:1:0:0
+
+RSA Import (N,-,-,-,E) 517-bit public
+mbedtls_rsa_import:"1a7b2e3d43f1b3e060d2f598939d0542178feac3310be308f4fd05872ec91048ea79543c0b00e5f61ec8b577ffa33c26bb74c2bc079033f006e6af59ec15cef529":"":"":"":"10001":517:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 518-bit complete pair
+mbedtls_rsa_import:"31defca6f97dac931fea5bd182c801b6512065929b327443dad9421379e15b37e33a6d3b11e51bd6905c9df9ec15980e91f10c34607749085456e85c1aad9cae1d":"725f1a4b37008897949b12bc9ba249d60d2df673b5a5367f9b490e79cc798446d":"6fa09a0615754b14f9aa4b5613e60e6d4988437c25b97fc056cb4841931902271":"1bcd08df3439e0d86b7444173966b1bda6dffe7f89d0c88b83169605316e75615c84cf7ea7c9cb16204e67329584d56f1840d247e4b392b627622d2101a2af2781":"10001":518:0:1:0:0
+
+RSA Import (N,-,-,-,E) 518-bit public
+mbedtls_rsa_import:"31defca6f97dac931fea5bd182c801b6512065929b327443dad9421379e15b37e33a6d3b11e51bd6905c9df9ec15980e91f10c34607749085456e85c1aad9cae1d":"":"":"":"10001":518:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 519-bit complete pair
+mbedtls_rsa_import:"6de4c503dd2e6d74d6dbc95bdd85b177f3737c3da6b00860db6585d1026ae043450888773afd259ee52e7c70de86a1d805dec0d201b2cd9d91e5e1f323020b47b5":"f4c3d0904f80c3ee121aa94edda195415ddd21e4503ebbaf294993a649f896251":"72f01bc834d3eae97dea004f8af566b6030362fb3eb1063211d1dd699ece87225":"8361ce69203631864e99d5d28eb517c760b7e101941740ed0b6004ec2d07b9b6982132c9cff11ef49f715b04b6d76edd0e936b05efb4acf2cfdf6ea58f1149b41":"10001":519:0:1:0:0
+
+RSA Import (N,-,-,-,E) 519-bit public
+mbedtls_rsa_import:"6de4c503dd2e6d74d6dbc95bdd85b177f3737c3da6b00860db6585d1026ae043450888773afd259ee52e7c70de86a1d805dec0d201b2cd9d91e5e1f323020b47b5":"":"":"":"10001":519:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 520-bit complete pair
+mbedtls_rsa_import:"c27fbd5b63f60f14b6fbbda29444aa6639cef01ec2b89b607ca0e5cf64f4f8ea41131c8c2a0204099b2030c8b155553404464fb351a7b44e77138412164997de31":"feb75ab38c05618105c1d7f1459475520cb64d8b477804f6f48b2bcc44ca6c147":"c37ab0c657015601027454c1e45d4abc85f7177d0757312b2811d4dc46f1b60c7":"4b4d2365a79cd317e5042fd62aeb2ec1a72dec1f2caa4655a3cab34e893aa2c81c06e18bd79a0d247dc109ab540c7eb6bf8ef27f02de66e4d8dc511bff7ce33c15":"10001":520:0:1:0:0
+
+RSA Import (N,-,-,-,E) 520-bit public
+mbedtls_rsa_import:"c27fbd5b63f60f14b6fbbda29444aa6639cef01ec2b89b607ca0e5cf64f4f8ea41131c8c2a0204099b2030c8b155553404464fb351a7b44e77138412164997de31":"":"":"":"10001":520:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 521-bit complete pair
+mbedtls_rsa_import:"1993ce720408e69a459c96df92b90040b88b0f7234c46b96413d177ed08e562c9b7ed7c1fb351cafc4028d3d9a9792e35ddb8a3770cc5cf7011f778f78e75ff60af":"1f2d345a210b5f085447d9534abe78d77e820dddbb24b2eb334b7c6ba91634a0f9":"d205f332807775231b96e06f47e7c0cec8981f41c6b6e6a96eafdbc40773b20e7":"15ec8c594efc122ecadc9eb6a59dce89aba607676db3b044eb46e28ce15820a5b984349a7b74a9f86c17a8503f29c0cc5b3f68790653bce30d8b0a5ba7730a16b1":"10001":521:0:1:0:0
+
+RSA Import (N,-,-,-,E) 521-bit public
+mbedtls_rsa_import:"1993ce720408e69a459c96df92b90040b88b0f7234c46b96413d177ed08e562c9b7ed7c1fb351cafc4028d3d9a9792e35ddb8a3770cc5cf7011f778f78e75ff60af":"":"":"":"10001":521:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 522-bit complete pair
+mbedtls_rsa_import:"2eeccbdf4fb0385fefd27583bdc9ac8b99e57fd6acf0c71010ae65ee0531dbf45686bb737a2a64124ab2f695a73394f7d5dd2ba7a668d872684cb49e12a7d6a49ad":"1c5785f5108bb49e43ee0b3d7261eb0efe10334ac101893a59d67e79fb3f640951":"1a7da635573970c989ca4aaa051d3a51641eed09516f8200d15effb86c3082a39d":"1e2042a744c6f2fa8cc28655a5140425c010fa68fdb0bb6c51f95551619e68034d128406fa6fc7ccd5d35a493ee8ecf98b9e987fed18353ff7e0d50ae0b65f2b841":"10001":522:0:1:0:0
+
+RSA Import (N,-,-,-,E) 522-bit public
+mbedtls_rsa_import:"2eeccbdf4fb0385fefd27583bdc9ac8b99e57fd6acf0c71010ae65ee0531dbf45686bb737a2a64124ab2f695a73394f7d5dd2ba7a668d872684cb49e12a7d6a49ad":"":"":"":"10001":522:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 523-bit complete pair
+mbedtls_rsa_import:"6a8c9774b37c37d6f6c95aaf60ab27ebb426a26cd6b22fa44fe1e09f4fa47abeac2d1f84aaff436ef3f07801c617a1f990ca4ece42388d1493723ee9768730d8799":"36f10cb3d7fa6af6616991827dd988fd0687761243126e563a24977d95b3075855":"1f0771656d359a2d4907ded0e0471e27242a59f89e30a4e21fc3cffb5da3dd4635":"4cafcdde87c452e85c0d06410dc1826509ef789dff5496279bfb05d183dfed1c452fda00deb3b345fc31cd255aa1c7e2f19e50191793a7b16e6340f0723e0d5ad11":"10001":523:0:1:0:0
+
+RSA Import (N,-,-,-,E) 523-bit public
+mbedtls_rsa_import:"6a8c9774b37c37d6f6c95aaf60ab27ebb426a26cd6b22fa44fe1e09f4fa47abeac2d1f84aaff436ef3f07801c617a1f990ca4ece42388d1493723ee9768730d8799":"":"":"":"10001":523:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 524-bit complete pair
+mbedtls_rsa_import:"c04c05bc77eca9c05702402622b3855ac150a737132c66d6900dc8f512e752f32ce3c777d51da5cca9105b7f8f57da571cec42a450d49e43ea359538acb3610dacf":"3f78102778bec177c9bb4f313a29afbb9c2d0089539f57aeb2976b59d17b1de699":"3079f8628b827258bb785cd0bb40623207ecf6194e65871571bf004bf0c537f5a7":"9c161921de060fd3bbcc6bdd8895474d5f54e425e43e4a4b272ac94f844498241d41f7ee7a6b90775cf5a73b3ce3015b15620494130e9198550cb3f07bdba184ac1":"10001":524:0:1:0:0
+
+RSA Import (N,-,-,-,E) 524-bit public
+mbedtls_rsa_import:"c04c05bc77eca9c05702402622b3855ac150a737132c66d6900dc8f512e752f32ce3c777d51da5cca9105b7f8f57da571cec42a450d49e43ea359538acb3610dacf":"":"":"":"10001":524:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 525-bit complete pair
+mbedtls_rsa_import:"18197b4f054a0347a8e81576cf16fdb5d22ce9bb71b11df029c30e047b418ebb4b2d759f8c72f9b24a79b46ddeeeadb17b197911442f6e7bf3ea2106752e901c64fb":"676ee11f6bb61d7094148bb326d0267eb7a105549d72d360707001af8e03ecc6dd":"3ba5a5ba28f8adee0883947963c037e3a2c9e557b3edc5cca35b155e63ed3ae1b7":"d75e61ecbe87c0e817427d0f57874fb224a7dbe79912114ac6ecb1c8bafa146512b1b728d2d860e96fd283ae981ebb3272647841cdd254a5e1f075eb17df596e2c9":"10001":525:0:1:0:0
+
+RSA Import (N,-,-,-,E) 525-bit public
+mbedtls_rsa_import:"18197b4f054a0347a8e81576cf16fdb5d22ce9bb71b11df029c30e047b418ebb4b2d759f8c72f9b24a79b46ddeeeadb17b197911442f6e7bf3ea2106752e901c64fb":"":"":"":"10001":525:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 526-bit complete pair
+mbedtls_rsa_import:"2de74b63625125b31a3d4ae2719d74dae2a0dacb84f220c295e8fea55080b3bacad98593ef3dd710a949b84498ba59ac0353f8e6cd4355e9bfc0ddef8ef25ce41309":"766d695ac399679b33cdc68e7bf9b604d922dee04fa60a4aa2fab3263a8b323109":"633a53fef2f6b08daddd9e496625819753284b72f41290dcc8db82e55746555201":"1ff9c25614a29a344cceed5f17edaafcde69567ff6b80382089328ef57488fea49d3e660180107bb0b1770005d814216dbd493fd7aae4891fb2320226615d67e4001":"10001":526:0:1:0:0
+
+RSA Import (N,-,-,-,E) 526-bit public
+mbedtls_rsa_import:"2de74b63625125b31a3d4ae2719d74dae2a0dacb84f220c295e8fea55080b3bacad98593ef3dd710a949b84498ba59ac0353f8e6cd4355e9bfc0ddef8ef25ce41309":"":"":"":"10001":526:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 527-bit complete pair
+mbedtls_rsa_import:"54e6bb611922620e32e0e402446e3a2b8eb1be1f44a750a833ac56635a2aca00fa20cdddf6d185e60623da0ba4dd33011d5df7f7f69d95c98c4ca7fddde08ec209db":"d36b6f6e6828bc2cb35b9b5ecca60ea4d33406b11ff4fafc3b439f3fa9c521733b":"66cdc1ad01f31f5eeafff4774bf4ba95ccb58a5afae6744b560e7181f8b0a119e1":"32e1d958f7044939f33a1ecc5110b2a21a31e21cc13b793665499ab88e78687a2eb19a570263370532aac0c418867027c6275b604899b26f9913a10aaacb7895ddc1":"10001":527:0:1:0:0
+
+RSA Import (N,-,-,-,E) 527-bit public
+mbedtls_rsa_import:"54e6bb611922620e32e0e402446e3a2b8eb1be1f44a750a833ac56635a2aca00fa20cdddf6d185e60623da0ba4dd33011d5df7f7f69d95c98c4ca7fddde08ec209db":"":"":"":"10001":527:0:0:0:0
+
+RSA Import (N,P,Q,D,E) 528-bit complete pair
+mbedtls_rsa_import:"d158d6f8bf79fd0721ad50c08ada2f023bec6970a43cc709dba277046d6e2cfd65b72239c7856c7aea7d40906c4880ce828dc4906d364600cd2dd62a284c9ebfcb59":"ebdbfc4ea38f0dac4032c21663be46d045ce4bec7e6d2d773980fd92ca6aaf0f73":"e33947ec6dccc2ca956495f34923b00a490fdfef67b5332d6f084dccf58191af03":"b2e7b0373e337b1848207c5d3f8c7c15f5adf0e1f1897b33a27e7225d77b0b79b4928fd89ca267c7b334fa39949397a8870a204c9b9e98037bfd8716f0dec4802d3d":"10001":528:0:1:0:0
+
+RSA Import (N,-,-,-,E) 528-bit public
+mbedtls_rsa_import:"d158d6f8bf79fd0721ad50c08ada2f023bec6970a43cc709dba277046d6e2cfd65b72239c7856c7aea7d40906c4880ce828dc4906d364600cd2dd62a284c9ebfcb59":"":"":"":"10001":528:0:0:0:0
RSA Import Raw (N,P,Q,D,E), complete private key
mbedtls_rsa_import_raw:"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":"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e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
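Review bot: The added 512–528-bit cases check the new bit-length argument only on the simplest path: every one of them ends in `:0:1:0:0` or `:0:0:0:0`, so N is always supplied and the import is never successive. Judging by the 2048-bit case names, the field after the bit length is the "successive" flag. That leaves the non-byte-aligned sizes (513–519, 521–527) untested when N has to be derived from P and Q, or when the parameters are imported one at a time, which is where an off-by-one in the reported length would be most likely to slip through. I would add at least one odd-size case per path, reusing the 513-bit P, Q and D already in this hunk, for example `mbedtls_rsa_import:"":"<P_513>":"<Q_513>":"<D_513>":"10001":513:0:1:0:0` and a second copy with `513:1:1:0:0`. The expected result codes should be confirmed against the 2048-bit `(-,P,Q,D,E)` cases.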
@@ -615,3 +717,120 @@ rsa_pkcs1_encrypt_bad_rng:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_RSA_PKCS_V1
RSA Selftest
depends_on:MBEDTLS_SELF_TEST
rsa_selftest:
+
+RSA parse/write PKCS#1 private key - 1024 bits
+rsa_parse_write_pkcs1_key:0:"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"
+
+RSA parse/write PKCS#1 public key - 1024 bits
+rsa_parse_write_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001"
+
+RSA parse/write PKCS#1 private key - 2048 bits
+rsa_parse_write_pkcs1_key:0:"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"
+
+RSA parse/write PKCS#1 public key - 2048 bits
+rsa_parse_write_pkcs1_key:1:"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"
+
+RSA parse private key - incorrect version tag
+rsa_parse_pkcs1_key:0:"300100":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - version tag missing
+rsa_parse_pkcs1_key:0:"3000":MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+RSA parse private key - invalid version
+rsa_parse_pkcs1_key:0:"3003020101":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse private key - correct version, incorrect tag
+rsa_parse_pkcs1_key:0:"300402010000":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct format+values, minimal modulus size (128 bit)
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":0
+
+RSA parse private key - missing SEQUENCE
+rsa_parse_pkcs1_key:0:"020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct format, modulus too small (127 bit)
+rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+
+RSA parse private key - correct format, modulus even
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857002030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse private key - correct format, d == 0
+rsa_parse_pkcs1_key:0:"30630201000211007c8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse private key - correct format, d == p == q == 0
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571020301000102110000000000000000000000000000000000020900000000000000000002090000000000000000000209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse private key - correct values, extra integer inside the SEQUENCE
+rsa_parse_pkcs1_key:0:"3066020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+
+RSA parse private key - correct values, extra integer outside the SEQUENCE
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c020100":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse private key - correct values, n wrong tag
+rsa_parse_pkcs1_key:0:"3063020100FF1100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, e wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c8571FF030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, d wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c85710203010001FF11009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, p wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201FF0900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, q wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61FF0900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, dp wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a211FF09009471f14c26428401020813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, dq wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401FF0813425f060c4b72210208052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse private key - correct values, qp wrong tag
+rsa_parse_pkcs1_key:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b7221FF08052b93d01747a87c":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - missing SEQUENCE
+rsa_parse_pkcs1_key:1:"028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - wrong initial tag
+rsa_parse_pkcs1_key:1:"318189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - wrong modulus tag
+rsa_parse_pkcs1_key:1:"308189038181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - wrong public exponent tag
+rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70303010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - modulus 0
+rsa_parse_pkcs1_key:1:"3081890281810000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000203010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse public key - public exponent 0
+rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203000000":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse public key - wrong sequence length
+rsa_parse_pkcs1_key:1:"308188028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse public key - wrong modulus length
+rsa_parse_pkcs1_key:1:"308189028180009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+RSA parse public key - wrong public exponent length
+rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70202010001":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA parse public key - missing modulus
+rsa_parse_pkcs1_key:1:"30050203010001":MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+RSA parse public key - missing public exponent
+rsa_parse_pkcs1_key:1:"308184028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb7":MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+RSA parse public key - correct values, extra integer inside the SEQUENCE
+rsa_parse_pkcs1_key:1:"30818c028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+
+RSA parse public key - correct values, extra integer outside the SEQUENCE
+rsa_parse_pkcs1_key:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001020100":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSA priv key write - incremental output buffer size
+rsa_key_write_incremental:0:"3063020100021100cc8ab070369ede72920e5a51523c857102030100010211009a6318982a7231de1894c54aa4909201020900f3058fd8dc484d61020900d7770dbd8b78a2110209009471f14c26428401020813425f060c4b72210208052b93d01747a87c"
+
+RSA priv public key write - incremental output buffer size
+rsa_key_write_incremental:1:"308189028181009f091e6968b474f76f0e9c237c1d895996ae704b4f6d706acec8d2daac6209bf524aa3f658d0283adba1077f6cbe92e425dcde52290b239cade91be86c88425434986806e85734e159768f3dfea932baaa9409d25bace8ee9dce0cdde0903207299de575ae60feccf0daf82334ab83638539b0da74072f253acea8afc8e66bb70203010001"
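Review bot: The "correct format, d == 0" private-key vector carries the 127-bit modulus `007c8ab0…` from the "modulus too small" case instead of the valid `00cc8ab0…` used by the neighbouring cases. The input therefore has two defects, and the case does not isolate the zero private exponent it is named for. Replacing the `7c` byte with `cc` would make the case fail only on d; the expected code presumably stays `MBEDTLS_ERR_RSA_BAD_INPUT_DATA`, since the "d == p == q == 0" case with the valid modulus expects the same value. Separately, the last description reads "RSA priv public key write"; `RSA public key write - incremental output buffer size` would match its `rsa_key_write_incremental:1:` argument.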
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 37bed6d..e824529 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include "mbedtls/rsa.h"
#include "rsa_alt_helpers.h"
+#include "rsa_internal.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -182,7 +183,8 @@ void mbedtls_rsa_pkcs1_sign(data_t *message_str, int padding_mode,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
@@ -220,7 +222,8 @@ void mbedtls_rsa_pkcs1_verify(data_t *message_str, int padding_mode,
TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_pkcs1_verify(&ctx, digest, message_str->len, message_str->x,
@@ -261,7 +264,8 @@ void rsa_pkcs1_sign_raw(data_t *hash_result,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
@@ -304,7 +308,8 @@ void rsa_pkcs1_verify_raw(data_t *hash_result,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
@@ -340,7 +345,8 @@ void mbedtls_rsa_pkcs1_encrypt(data_t *message_str, int padding_mode,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
@@ -381,7 +387,8 @@ void rsa_pkcs1_encrypt_bad_rng(data_t *message_str, int padding_mode,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
@@ -431,7 +438,8 @@ void mbedtls_rsa_pkcs1_decrypt(data_t *message_str, int padding_mode,
TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
@@ -476,8 +484,9 @@ void mbedtls_rsa_public(data_t *message_str, int mod,
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, NULL, NULL, NULL, &E) == 0);
/* Check test data consistency */
- TEST_ASSERT(message_str->len == (size_t) (mod / 8));
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(message_str->len, (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_check_pubkey(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_public(&ctx, message_str->x, output) == result);
@@ -536,8 +545,9 @@ void mbedtls_rsa_private(data_t *message_str, int mod,
TEST_ASSERT(mbedtls_rsa_import(&ctx, &N, &P, &Q, NULL, &E) == 0);
/* Check test data consistency */
- TEST_ASSERT(message_str->len == (size_t) (mod / 8));
- TEST_ASSERT(mbedtls_rsa_get_len(&ctx) == (size_t) (mod / 8));
+ TEST_EQUAL(message_str->len, (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((mod + 7) / 8));
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) mod);
TEST_ASSERT(mbedtls_rsa_complete(&ctx) == 0);
TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == 0);
@@ -850,6 +860,7 @@ void mbedtls_rsa_import(char *input_N,
char *input_Q,
char *input_D,
char *input_E,
+ int bitlen,
int successive,
int is_priv,
int res_check,
@@ -935,6 +946,9 @@ void mbedtls_rsa_import(char *input_N,
/* On expected success, perform some public and private
* key operations to check if the key is working properly. */
if (res_complete == 0) {
+ TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), bitlen);
+ TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (bitlen + 7) / 8);
+
if (is_priv) {
TEST_ASSERT(mbedtls_rsa_check_privkey(&ctx) == res_check);
} else {
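Review bot: The two added checks compare the `size_t` results of `mbedtls_rsa_get_bitlen()` and `mbedtls_rsa_get_len()` against the plain `int` parameter `bitlen`, while every sibling hunk in this file writes the cast explicitly, as in `(size_t) ((mod + 7) / 8)` and `(size_t) mod`. For consistency, I would write `TEST_EQUAL(mbedtls_rsa_get_bitlen(&ctx), (size_t) bitlen);` and `TEST_EQUAL(mbedtls_rsa_get_len(&ctx), (size_t) ((bitlen + 7) / 8));`. The checks run only inside `if (res_complete == 0)`, so `bitlen` is ignored for cases that expect completion to fail; a short comment such as `/* bitlen is only checked when the import is expected to complete */` would make that explicit. The body of `mbedtls_rsa_import` starts and ends outside this hunk.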
@@ -1371,6 +1385,112 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE */
+void rsa_parse_pkcs1_key(int is_public, data_t *input, int exp_ret_val)
+{
+ mbedtls_rsa_context rsa_ctx;
+
+ mbedtls_rsa_init(&rsa_ctx);
+
+ if (is_public) {
+ TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), exp_ret_val);
+ } else {
+ TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), exp_ret_val);
+ }
+
+exit:
+ mbedtls_rsa_free(&rsa_ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void rsa_parse_write_pkcs1_key(int is_public, data_t *input)
+{
+ mbedtls_rsa_context rsa_ctx;
+ unsigned char *output_buf = NULL;
+ unsigned char *output_end, *output_p;
+ size_t output_len;
+
+ mbedtls_rsa_init(&rsa_ctx);
+
+ TEST_CALLOC(output_buf, input->len);
+ output_end = output_buf + input->len;
+ output_p = output_end;
+
+ /* Parse the key and write it back to output_buf. */
+ if (is_public) {
+ TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), 0);
+ TEST_EQUAL(mbedtls_rsa_write_pubkey(&rsa_ctx, output_buf, &output_p), input->len);
+ } else {
+ TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0);
+ TEST_EQUAL(mbedtls_rsa_write_key(&rsa_ctx, output_buf, &output_p), input->len);
+ }
+ output_len = output_end - output_p;
+
+ /* Check that the written key matches with the one provided in input. */
+ TEST_MEMORY_COMPARE(output_p, output_len, input->x, input->len);
+
+exit:
+ mbedtls_free(output_buf);
+ mbedtls_rsa_free(&rsa_ctx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void rsa_key_write_incremental(int is_public, data_t *input)
+{
+ mbedtls_rsa_context rsa_ctx;
+ unsigned char *buf = NULL, *end, *p;
+ size_t i, written_data;
+
+ mbedtls_rsa_init(&rsa_ctx);
+
+ /* This is supposed to succeed as the real target of this test are the
+ * write attempt below. */
+ if (is_public) {
+ TEST_EQUAL(mbedtls_rsa_parse_pubkey(&rsa_ctx, input->x, input->len), 0);
+ } else {
+ TEST_EQUAL(mbedtls_rsa_parse_key(&rsa_ctx, input->x, input->len), 0);
+ }
+
+ /* Test with an output buffer smaller than required. */
+ for (i = 1; i < input->len; i++) {
+ TEST_CALLOC(buf, i);
+ end = buf + i;
+ p = end;
+ /* We don't care much about the return value as long as it fails. */
+ if (is_public) {
+ TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) != 0);
+ } else {
+ TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &p) != 0);
+ }
+ mbedtls_free(buf);
+ buf = NULL;
+ }
+
+ /* Test with an output buffer equal or larger than what it is strictly required. */
+ for (i = input->len; i < (2 * input->len); i++) {
+ TEST_CALLOC(buf, i);
+ end = buf + i;
+ p = end;
+ /* This time all write functions must succeed. */
+ if (is_public) {
+ TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) > 0);
+ } else {
+ TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &p) > 0);
+ }
+ written_data = (end - p);
+ TEST_MEMORY_COMPARE(p, written_data, input->x, input->len);
+ mbedtls_free(buf);
+ buf = NULL;
+ }
+
+exit:
+ mbedtls_free(buf);
+ mbedtls_rsa_free(&rsa_ctx);
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void rsa_selftest()
{
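Review bot: In `rsa_key_write_incremental`, the short-buffer loop asserts `mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) != 0` and the same for `mbedtls_rsa_write_key`, but the second loop shows that these functions report success with a positive length (`> 0`). A write that wrongly succeeded into a too-small buffer would return a positive value and still pass, so the assertion does not pin the failure the comment above it asks for. I would use `TEST_ASSERT(mbedtls_rsa_write_pubkey(&rsa_ctx, buf, &p) < 0);` and `TEST_ASSERT(mbedtls_rsa_write_key(&rsa_ctx, buf, &p) < 0);`. The success loop could also pin the length with `TEST_EQUAL(..., input->len)`, as `rsa_parse_write_pkcs1_key` does, rather than only `> 0`.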
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index faf44e4..e4cdcc9 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -117,7 +117,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_SERVER_HELLO:1
TLS 1.2:Move client handshake to SERVER_CERTIFICATE
-depends_on:MBEDTLS_SSP_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_SERVER_CERTIFICATE:1
TLS 1.2:Move client handshake to SERVER_KEY_EXCHANGE
@@ -365,27 +365,27 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE
handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3
Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:0
Handshake, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:0
Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:0
Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0
Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0
Handshake, PSK-WITH-AES-128-CBC-SHA
-depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":0
DTLS Handshake, tls1_2
@@ -393,27 +393,27 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_CAN_HANDLE_RS
handshake_version:1:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2
DTLS Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SSL_PROTO_DTLS:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SSL_PROTO_DTLS:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:1
DTLS Handshake, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:1
DTLS Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:1
DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1
DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1
DTLS Handshake, PSK-WITH-AES-128-CBC-SHA
-depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":1
DTLS Handshake with serialization, tls1_2
@@ -437,143 +437,143 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE
handshake_version:0:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_TLS1_3
Handshake, select RSA-WITH-AES-256-CBC-SHA256, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"abc123":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select RSA-PSK-WITH-AES-256-CBC-SHA384, opaque, no psk
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_RSA_C:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTSL_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Sending app data via TLS, MFL=512 without fragmentation
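Review bot: The new `depends_on` line for the "select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384" case spells the added symbol `MBEDTSL_PSA_CRYPTO_C`, where the preceding PSA_ALG_ANY_HASH case has `MBEDTLS_PSA_CRYPTO_C`. A misspelled dependency is presumably never defined, so this positive opaque-key case would be skipped in every configuration instead of run; the line should end `:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C`. The sibling "missing alg" and "missing usage" cases for the same ciphersuite do not get the extra symbol at all, so either add it there too or drop it from the two positive cases so the four agree. These cases cover key-policy (algorithm and usage) enforcement for opaque keys during ciphersuite selection, so it is worth confirming in the test report that none of them shows up as skipped in a PSA-enabled build.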
@@ -710,147 +710,147 @@ DTLS legacy break handshake renegotiation with MFL=4096
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:""
DTLS no legacy renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS no legacy renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS no legacy renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS no legacy renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy allow renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy allow renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy allow renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy allow renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy break handshake renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy break handshake renegotiation with MFL=1024, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy break handshake renegotiation with MFL=2048, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS legacy break handshake renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-GCM-SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
DTLS no legacy renegotiation with MFL=512, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS no legacy renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS no legacy renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS no legacy renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy allow renegotiation with MFL=512, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy allow renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy allow renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy allow renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy break handshake renegotiation with MFL=512, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy break handshake renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy break handshake renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
DTLS legacy break handshake renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
-depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+depends_on:MBEDTLS_SSL_HAVE_CCM:MBEDTLS_SSL_HAVE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
DTLS no legacy renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS no legacy renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS no legacy renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS no legacy renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy allow renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy allow renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy allow renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy allow renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy break handshake renegotiation with MFL=512, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy break handshake renegotiation with MFL=1024, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy break handshake renegotiation with MFL=2048, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
DTLS legacy break handshake renegotiation with MFL=4096, DHE-RSA-WITH-AES-256-CBC-SHA256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
SSL DTLS replay: initial state, seqnum 0
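Review bot: The hash guard is migrated unevenly in this hunk: the ECDHE-RSA-WITH-AES-256-GCM-SHA384 cases now depend on `PSA_WANT_ALG_SHA_384`, while the twelve DHE-RSA-WITH-AES-256-CBC-SHA256 cases keep `MBEDTLS_MD_CAN_SHA256` next to the new `MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC` guards. If the intent is to key hash availability on PSA_WANT_* symbols, those lines would read `depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH`; if the split is deliberate, the commit message should say why. A depends_on symbol that is undefined in a given configuration makes the case skip rather than fail, so a wrong or missing guard loses coverage silently. It is worth confirming from the test outcome reports that all 36 renegotiation cases in this hunk still run in every configuration where they ran before the rename.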
@@ -930,859 +930,867 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2
ssl_session_serialize_version_check:0:0:0:1:0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: session serialization: Wrong major version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong minor version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong patch version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong config
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong major version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong minor version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong patch version
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong config
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
+Test Session id & Ciphersuite accessors TLS 1.2
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
+ssl_session_id_accessors_check:MBEDTLS_SSL_VERSION_TLS1_2
+
+Test Session id & Ciphersuite accessors TLS 1.3
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+ssl_session_id_accessors_check:MBEDTLS_SSL_VERSION_TLS1_3
+
Record crypt, AES-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, ARIA-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ARIA-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, ARIA-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-128-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-192-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-192-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-192-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-192-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-256-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-192-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-192-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-192-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-128-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-128-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-128-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-128-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-192-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-192-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-192-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-192-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-192-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-192-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-192-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, AES-256-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, AES-256-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, AES-256-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, AES-256-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-128-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-128-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-128-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-192-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-192-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-192-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-192-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-192-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-192-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, CAMELLIA-256-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, CAMELLIA-256-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, CAMELLIA-256-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, NULL cipher, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, NULL cipher, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, NULL cipher, 1.2, SHA-256
@@ -1810,851 +1818,851 @@ depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD
ssl_crypt_record:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ChachaPoly
-depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_2
ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, ChachaPoly, 1.3
-depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3
+depends_on:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_3
ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, ChachaPoly
-depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_2
ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ChachaPoly, 1.3
-depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3
+depends_on:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_3
ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, ChachaPoly, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_2
ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ChachaPoly, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CHACHAPOLY:MBEDTLS_SSL_PROTO_TLS1_2
ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, ARIA-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, ARIA-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, ARIA-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ARIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_ARIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-384, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-256, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA256:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, SHA-1, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA1:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_SHA1:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5, EtM
-depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5, EtM, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CBC, 1.2, MD5, EtM, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_MD5:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CBC:MBEDTLS_MD_MD5:1:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-128-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-192-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-192-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-192-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-192-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-GCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-GCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-256-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-192-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-192-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-192-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-GCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-GCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-GCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_GCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-128-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-128-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-128-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-128-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-192-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-192-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-192-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-192-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-192-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-192-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-192-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CCM, 1.2
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CCM, 1.3
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_3:0:0
Record crypt, little space, AES-256-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, AES-256-CCM, 1.2, short tag
-depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, AES-256-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, AES-256-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-128-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-128-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-128-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_128_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-192-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-192-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-192-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-192-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-192-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-192-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_192_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CCM, 1.2
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CCM, 1.2, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CCM, 1.2, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, CAMELLIA-256-CCM, 1.2, short tag
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, CAMELLIA-256-CCM, 1.2, short tag, CID 4+4
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:4
Record crypt, little space, CAMELLIA-256-CCM, 1.2, short tag, CID 4+0
-depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C
+depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HAVE_CCM
ssl_crypt_record_small:MBEDTLS_CIPHER_CAMELLIA_256_CCM:MBEDTLS_MD_MD5:0:1:MBEDTLS_SSL_VERSION_TLS1_2:4:0
Record crypt, little space, NULL cipher, 1.2, SHA-384
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384
ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, NULL cipher, 1.2, SHA-384, EtM
-depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
+depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_SHA384:1:0:MBEDTLS_SSL_VERSION_TLS1_2:0:0
Record crypt, little space, NULL cipher, 1.2, SHA-256
@@ -2923,7 +2931,7 @@ SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_SSL_PROTO_TLS1_2
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":0
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256
@@ -2931,7 +2939,7 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_SSL_PROTO_TLS1_2
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"7f9998393198a02c8d731ccc2ef90b2c":0
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA384 SHA-384 not enabled
-depends_on:!MBEDTLS_MD_CAN_SHA384
+depends_on:!PSA_WANT_ALG_SHA_384
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA384:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"a4206a36eef93f496611c2b7806625c3":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_SHA256 SHA-256 not enabled
@@ -2952,18 +2960,18 @@ ssl_serialize_session_save_load:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: no ticket, cert
depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
-ssl_serialize_session_save_load:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_load:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: small ticket, cert
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
-ssl_serialize_session_save_load:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_load:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: large ticket, cert
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
-ssl_serialize_session_save_load:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_load:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, save-load: no ticket
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3
+depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3
ssl_serialize_session_save_load:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: Session serialization, save-load: small ticket
@@ -2992,15 +3000,15 @@ ssl_serialize_session_load_save:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: no ticket, cert
depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
-ssl_serialize_session_load_save:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_save:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: small ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_load_save:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_save:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: large ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_load_save:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_save:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, load-save: no ticket
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3
@@ -3032,15 +3040,15 @@ ssl_serialize_session_save_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: no ticket, cert
depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
-ssl_serialize_session_save_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_buf_size:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: small ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_save_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_buf_size:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: large ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_save_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_save_buf_size:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, save buffer size: no ticket
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3
@@ -3072,18 +3080,18 @@ ssl_serialize_session_load_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: no ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_load_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_buf_size:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: small ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_load_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_buf_size:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: large ticket, cert
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO
-ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
+ssl_serialize_session_load_buf_size:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, load buffer size: no ticket
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: Session serialization, load buffer size: small ticket
@@ -3095,7 +3103,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_
ssl_serialize_session_load_buf_size:1023:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: Session serialization, load buffer size
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
Test configuration of groups for DHE through mbedtls_ssl_conf_curves()
@@ -3270,3 +3278,106 @@ ssl_ecjpake_set_password:1
Test Elliptic curves' info parsing
elliptic_curve_get_properties
+
+TLS 1.3 resume session with ticket
+tls13_resume_session_with_ticket
+
+TLS 1.3 read early data, early data accepted
+tls13_read_early_data:TEST_EARLY_DATA_ACCEPTED
+
+TLS 1.3 read early data, no early data indication
+tls13_read_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT
+
+TLS 1.3 read early data, server rejects early data
+tls13_read_early_data:TEST_EARLY_DATA_SERVER_REJECTS
+
+TLS 1.3 read early data, discard after HRR
+tls13_read_early_data:TEST_EARLY_DATA_HRR
+
+TLS 1.3 cli, early data, same ALPN
+depends_on:MBEDTLS_SSL_ALPN
+tls13_read_early_data:TEST_EARLY_DATA_SAME_ALPN
+
+TLS 1.3 cli, early data, different ALPN
+depends_on:MBEDTLS_SSL_ALPN
+tls13_read_early_data:TEST_EARLY_DATA_DIFF_ALPN
+
+TLS 1.3 cli, early data, no initial ALPN
+depends_on:MBEDTLS_SSL_ALPN
+tls13_read_early_data:TEST_EARLY_DATA_NO_INITIAL_ALPN
+
+TLS 1.3 cli, early data, no later ALPN
+depends_on:MBEDTLS_SSL_ALPN
+tls13_read_early_data:TEST_EARLY_DATA_NO_LATER_ALPN
+
+TLS 1.3 cli, early data state, early data accepted
+tls13_cli_early_data_state:TEST_EARLY_DATA_ACCEPTED
+
+TLS 1.3 cli, early data state, no early data indication
+tls13_cli_early_data_state:TEST_EARLY_DATA_NO_INDICATION_SENT
+
+TLS 1.3 cli, early data state, server rejects early data
+tls13_cli_early_data_state:TEST_EARLY_DATA_SERVER_REJECTS
+
+TLS 1.3 cli, early data state, hello retry request
+tls13_cli_early_data_state:TEST_EARLY_DATA_HRR
+
+TLS 1.3 write early data, early data accepted
+tls13_write_early_data:TEST_EARLY_DATA_ACCEPTED
+
+TLS 1.3 write early data, no early data indication
+tls13_write_early_data:TEST_EARLY_DATA_NO_INDICATION_SENT
+
+TLS 1.3 write early data, server rejects early data
+tls13_write_early_data:TEST_EARLY_DATA_SERVER_REJECTS
+
+TLS 1.3 write early data, hello retry request
+tls13_write_early_data:TEST_EARLY_DATA_HRR
+
+TLS 1.3 cli, maximum early data size, default size
+tls13_cli_max_early_data_size:-1
+
+TLS 1.3 cli, maximum early data size, zero
+tls13_cli_max_early_data_size:0
+
+TLS 1.3 cli, maximum early data size, very small but not 0
+tls13_cli_max_early_data_size:3
+
+TLS 1.3 cli, maximum early data size, 93
+tls13_cli_max_early_data_size:93
+
+TLS 1.3 srv, max early data size, dflt, wsz=96
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:96
+
+TLS 1.3 srv, max early data size, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:128
+
+TLS 1.3 srv, max early data size, 3, wsz=2
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:2
+
+TLS 1.3 srv, max early data size, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:3
+
+TLS 1.3 srv, max early data size, 98, wsz=23
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:23
+
+TLS 1.3 srv, max early data size, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:49
+
+TLS 1.3 srv, max early data size, server rejects, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:128
+
+TLS 1.3 srv, max early data size, server rejects, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:3
+
+TLS 1.3 srv, max early data size, server rejects, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:98:49
+
+TLS 1.3 srv, max early data size, HRR, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:128
+
+TLS 1.3 srv, max early data size, HRR, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3
+
+TLS 1.3 srv, max early data size, HRR, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
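Review bot: The last added case is titled `TLS 1.3 srv, max early data size, HRR, 98, wsz=49` but its arguments are `TEST_EARLY_DATA_HRR:97:0`, so the title and the parameters disagree. The accepted and server-rejects groups above both use `98:49` for the same title suffix. If `97:0` is deliberate (for example because the HRR path consumes part of the budget), the title should say so, e.g. `... HRR, 97, wsz=0`; otherwise the line should presumably read `tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:98:49`. As written, a failure report for this boundary case names limits that were never exercised.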
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index eb2407d..8125e58 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -12,6 +12,57 @@
#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
+/* Mnemonics for the early data test scenarios */
+#define TEST_EARLY_DATA_ACCEPTED 0
+#define TEST_EARLY_DATA_NO_INDICATION_SENT 1
+#define TEST_EARLY_DATA_SERVER_REJECTS 2
+#define TEST_EARLY_DATA_HRR 3
+#define TEST_EARLY_DATA_SAME_ALPN 4
+#define TEST_EARLY_DATA_DIFF_ALPN 5
+#define TEST_EARLY_DATA_NO_INITIAL_ALPN 6
+#define TEST_EARLY_DATA_NO_LATER_ALPN 7
+
+#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
+ defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+/*
+ * Test function to write early data for negative tests where
+ * mbedtls_ssl_write_early_data() cannot be used.
+ */
+static int write_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+
+ TEST_ASSERT(ret > 0);
+ TEST_LE_U(len, (size_t) ret);
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(ssl->out_left, 0);
+
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ ret = mbedtls_ssl_write_record(ssl, 1);
+ TEST_EQUAL(ret, 0);
+
+ ret = len;
+
+exit:
+ return ret;
+}
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
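Review bot: `write_early_data()` reuses `ret` for the payload limit, so a failed `TEST_LE_U(len, (size_t) ret)` jumps to `exit` and returns that positive limit, and a failed `TEST_EQUAL(ssl->out_left, 0)` returns 0. A caller cannot tell either of these from a successful write just by looking at the return value. Keeping the limit in its own variable, `int max_payload = mbedtls_ssl_get_max_out_record_payload(ssl);`, and setting `ret` to a negative value until the record has been written would make every failure path return an error. The final `ret = len;` also narrows `size_t` to `int` implicitly; `ret = (int) len;` makes that explicit, and it is safe because of the bound checked above. Since the helper writes `ssl->out_msg` directly and skips the state checks of `mbedtls_ssl_write_early_data()`, the header comment could also say it must stay confined to negative tests.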
@@ -24,6 +75,7 @@ void test_callback_buffer_sanity()
{
enum { MSGLEN = 10 };
mbedtls_test_ssl_buffer buf;
+ mbedtls_test_ssl_buffer_init(&buf);
unsigned char input[MSGLEN];
unsigned char output[MSGLEN];
@@ -43,8 +95,6 @@ void test_callback_buffer_sanity()
/* Make sure calling put and get on a buffer that hasn't been set up results
* in error. */
- mbedtls_test_ssl_buffer_init(&buf);
-
TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input))
== -1);
TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output))
@@ -1126,6 +1176,8 @@ void ssl_dtls_replay(data_t *prevs, data_t *new, int ret)
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT) == 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
/* Read previous record numbers */
@@ -1146,21 +1198,21 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-void ssl_set_hostname_twice(char *hostname0, char *hostname1)
+void ssl_set_hostname_twice(char *input_hostname0, char *input_hostname1)
{
- const char *hostname;
+ const char *output_hostname;
mbedtls_ssl_context ssl;
mbedtls_ssl_init(&ssl);
USE_PSA_INIT();
- TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, hostname0) == 0);
- hostname = mbedtls_ssl_get_hostname(&ssl);
- TEST_ASSERT(strcmp(hostname0, hostname) == 0);
+ TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname0) == 0);
+ output_hostname = mbedtls_ssl_get_hostname(&ssl);
+ TEST_ASSERT(strcmp(input_hostname0, output_hostname) == 0);
- TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, hostname1) == 0);
- hostname = mbedtls_ssl_get_hostname(&ssl);
- TEST_ASSERT(strcmp(hostname1, hostname) == 0);
+ TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname1) == 0);
+ output_hostname = mbedtls_ssl_get_hostname(&ssl);
+ TEST_ASSERT(strcmp(input_hostname1, output_hostname) == 0);
exit:
mbedtls_ssl_free(&ssl);
@@ -1200,7 +1252,7 @@ void ssl_crypt_record(int cipher_type, int hash_id,
TEST_ASSERT(ret == 0);
- TEST_ASSERT((buf = mbedtls_calloc(1, buflen)) != NULL);
+ TEST_CALLOC(buf, buflen);
while (num_records-- > 0) {
mbedtls_ssl_transform *t_dec, *t_enc;
@@ -1354,7 +1406,7 @@ void ssl_crypt_record_small(int cipher_type, int hash_id,
TEST_ASSERT(ret == 0);
- TEST_ASSERT((buf = mbedtls_calloc(1, buflen)) != NULL);
+ TEST_CALLOC(buf, buflen);
for (mode = 1; mode <= 3; mode++) {
seen_success = 0;
@@ -1787,7 +1839,9 @@ void ssl_tls13_record_protection(int ciphersuite,
{
mbedtls_ssl_key_set keys;
mbedtls_ssl_transform transform_send;
+ mbedtls_ssl_transform_init(&transform_send);
mbedtls_ssl_transform transform_recv;
+ mbedtls_ssl_transform_init(&transform_recv);
mbedtls_record rec;
unsigned char *buf = NULL;
size_t buf_len;
@@ -1818,8 +1872,6 @@ void ssl_tls13_record_protection(int ciphersuite,
keys.key_len = server_write_key->len;
keys.iv_len = server_write_iv->len;
- mbedtls_ssl_transform_init(&transform_recv);
- mbedtls_ssl_transform_init(&transform_send);
MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
@@ -1942,23 +1994,27 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
USE_PSA_INIT();
/* Prepare a dummy session to work on */
- ((void) endpoint_type);
((void) tls_version);
+ ((void) ticket_len);
+ ((void) crt_file);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
&original, 0, endpoint_type) == 0);
- } else
+ }
#endif
- {
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
- &original, ticket_len, crt_file) == 0);
+ &original, ticket_len, endpoint_type, crt_file) == 0);
}
+#endif
/* Serialize it */
TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len)
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
- TEST_ASSERT((buf = mbedtls_calloc(1, len)) != NULL);
+ TEST_CALLOC(buf, len);
TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len)
== 0);
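Review bot: Splitting the old `if … else` into two independently guarded `if` blocks leaves no branch for a `tls_version` that matches neither compiled-in protocol. In that case `original` is never populated, and the save/load round trip that follows runs on an empty session and can pass without testing anything. The sibling functions changed in this same commit (`ssl_serialize_session_load_save`, `..._save_buf_size`, `..._load_buf_size`, `ssl_session_serialize_version_check`) use a `switch` with a `default: TEST_ASSERT(0);`. This function should use the same form so an unsupported version fails loudly. The function starts before and continues after this hunk.

```c
    /* … unchanged: USE_PSA_INIT() and the (void) casts … */
    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &original, 0, endpoint_type) == 0);
            break;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &original, ticket_len, endpoint_type, crt_file) == 0);
            break;
#endif
        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }
    /* … unchanged: serialize, load and compare … */
```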
@@ -1969,9 +2025,16 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
* Make sure both session structures are identical
*/
#if defined(MBEDTLS_HAVE_TIME)
- TEST_ASSERT(original.start == restored.start);
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ TEST_ASSERT(original.start == restored.start);
+ }
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+ TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
#endif
+#endif /* MBEDTLS_HAVE_TIME */
+
TEST_ASSERT(original.tls_version == restored.tls_version);
+ TEST_ASSERT(original.endpoint == restored.endpoint);
TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
@@ -2030,8 +2093,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- TEST_ASSERT(original.endpoint == restored.endpoint);
- TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add);
TEST_ASSERT(original.ticket_flags == restored.ticket_flags);
TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len);
@@ -2042,15 +2104,26 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
restored.resumption_key,
original.resumption_key_len) == 0);
}
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
- TEST_ASSERT(original.start == restored.start);
- }
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ TEST_ASSERT(original.ticket_alpn != NULL);
+ TEST_ASSERT(restored.ticket_alpn != NULL);
+ TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn),
+ restored.ticket_alpn, strlen(restored.ticket_alpn));
#endif
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_HAVE_TIME)
- TEST_ASSERT(original.ticket_received == restored.ticket_received);
+ TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time);
#endif
TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime);
TEST_ASSERT(original.ticket_len == restored.ticket_len);
@@ -2061,12 +2134,27 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
restored.ticket,
original.ticket_len) == 0);
}
-
- }
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ TEST_ASSERT(original.hostname != NULL);
+ TEST_ASSERT(restored.hostname != NULL);
+ TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname),
+ restored.hostname, strlen(restored.hostname));
#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ TEST_ASSERT(
+ original.max_early_data_size == restored.max_early_data_size);
+#endif
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
+#endif
+
exit:
mbedtls_ssl_session_free(&original);
mbedtls_ssl_session_free(&restored);
@@ -2090,17 +2178,27 @@ void ssl_serialize_session_load_save(int ticket_len, char *crt_file,
USE_PSA_INIT();
/* Prepare a dummy session to work on */
- ((void) endpoint_type);
- ((void) tls_version);
+ ((void) ticket_len);
+ ((void) crt_file);
+
+ switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
- &session, 0, endpoint_type) == 0);
- } else
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
+ &session, 0, endpoint_type) == 0);
+ break;
#endif
- {
- TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
- &session, ticket_len, crt_file) == 0);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
+ &session, ticket_len, endpoint_type, crt_file) == 0);
+ break;
+#endif
+ default:
+ /* should never happen */
+ TEST_ASSERT(0);
+ break;
}
/* Get desired buffer size for serializing */
@@ -2153,18 +2251,28 @@ void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file,
USE_PSA_INIT();
/* Prepare dummy session and get serialized size */
- ((void) endpoint_type);
- ((void) tls_version);
+ ((void) ticket_len);
+ ((void) crt_file);
+
+ switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
- &session, 0, endpoint_type) == 0);
- } else
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
+ &session, 0, endpoint_type) == 0);
+ break;
#endif
- {
- TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
- &session, ticket_len, crt_file) == 0);
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
+ &session, ticket_len, endpoint_type, crt_file) == 0);
+ break;
+#endif
+ default:
+ /* should never happen */
+ TEST_ASSERT(0);
+ break;
}
+
TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
@@ -2172,7 +2280,8 @@ void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file,
for (bad_len = 1; bad_len < good_len; bad_len++) {
/* Allocate exact size so that asan/valgrind can detect any overwrite */
mbedtls_free(buf);
- TEST_ASSERT((buf = mbedtls_calloc(1, bad_len)) != NULL);
+ buf = NULL;
+ TEST_CALLOC(buf, bad_len);
TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len,
&test_len)
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
@@ -2201,21 +2310,33 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file,
USE_PSA_INIT();
/* Prepare serialized session data */
- ((void) endpoint_type);
- ((void) tls_version);
+ ((void) ticket_len);
+ ((void) crt_file);
+
+ switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
- &session, 0, endpoint_type) == 0);
- } else
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
+ &session, 0, endpoint_type) == 0);
+ break;
#endif
- {
- TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
- &session, ticket_len, crt_file) == 0);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
+ &session, ticket_len, endpoint_type, crt_file) == 0);
+ break;
+#endif
+
+ default:
+ /* should never happen */
+ TEST_ASSERT(0);
+ break;
}
+
TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
- TEST_ASSERT((good_buf = mbedtls_calloc(1, good_len)) != NULL);
+ TEST_CALLOC(good_buf, good_len);
TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len,
&good_len) == 0);
mbedtls_ssl_session_free(&session);
@@ -2224,8 +2345,8 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file,
for (bad_len = 0; bad_len < good_len; bad_len++) {
/* Allocate exact size so that asan/valgrind can detect any overread */
mbedtls_free(bad_buf);
- bad_buf = mbedtls_calloc(1, bad_len ? bad_len : 1);
- TEST_ASSERT(bad_buf != NULL);
+ bad_buf = NULL;
+ TEST_CALLOC_NONNULL(bad_buf, bad_len);
memcpy(bad_buf, good_buf, bad_len);
TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len)
@@ -2260,17 +2381,26 @@ void ssl_session_serialize_version_check(int corrupt_major,
mbedtls_ssl_session_init(&session);
USE_PSA_INIT();
- ((void) endpoint_type);
- ((void) tls_version);
+
+ switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
- &session, 0, endpoint_type) == 0);
- } else
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
+ &session, 0, endpoint_type) == 0);
+ break;
#endif
- TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
- &session, 0, NULL) == 0);
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
+ &session, 0, endpoint_type, NULL) == 0);
+ break;
+#endif
+ default:
+ /* should never happen */
+ TEST_ASSERT(0);
+ break;
+ }
/* Infer length of serialized session. */
TEST_ASSERT(mbedtls_ssl_session_save(&session,
@@ -2291,7 +2421,7 @@ void ssl_session_serialize_version_check(int corrupt_major,
* corrupt them bit-by-bit. */
for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) {
int cur_bit;
- unsigned char * const byte = &serialized_session[cur_byte];
+ unsigned char *const byte = &serialized_session[cur_byte];
if (should_corrupt_byte[cur_byte] == 0) {
continue;
@@ -2317,6 +2447,54 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE */
+void ssl_session_id_accessors_check(int tls_version)
+{
+ mbedtls_ssl_session session;
+ int ciphersuite_id;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+ mbedtls_ssl_session_init(&session);
+ USE_PSA_INIT();
+
+ switch (tls_version) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ ciphersuite_id = MBEDTLS_TLS1_3_AES_128_GCM_SHA256;
+ TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
+ &session, 0, MBEDTLS_SSL_IS_SERVER) == 0);
+ break;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ ciphersuite_id = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256;
+ TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
+ &session, 0, MBEDTLS_SSL_IS_SERVER, NULL) == 0);
+
+ break;
+#endif
+ default:
+ /* should never happen */
+ TEST_ASSERT(0);
+ break;
+ }
+ TEST_ASSERT(*mbedtls_ssl_session_get_id(&session) == session.id);
+ TEST_ASSERT(mbedtls_ssl_session_get_id_len(&session) == session.id_len);
+ /* mbedtls_test_ssl_tls1x_populate_session sets a mock suite-id of 0xabcd */
+ TEST_ASSERT(mbedtls_ssl_session_get_ciphersuite_id(&session) == 0xabcd);
+
+ /* Test setting a reference id for tls1.3 and tls1.2 */
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+ if (ciphersuite_info != NULL) {
+ TEST_ASSERT(mbedtls_ssl_ciphersuite_get_id(ciphersuite_info) == ciphersuite_id);
+ }
+
+exit:
+ mbedtls_ssl_session_free(&session);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */
void mbedtls_endpoint_sanity(int endpoint_type)
{
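Review bot: In `ssl_session_id_accessors_check` the final round-trip check sits behind `if (ciphersuite_info != NULL)`, and the `BEGIN_CASE` line has no `depends_on`. In a build where the chosen suite is not compiled in, `mbedtls_ssl_ciphersuite_get_id()` is therefore never exercised and the case still reports success. If skipping is intended, a comment on the guard would make that explicit, for example `/* Suite may be disabled in this configuration; the lookup is then skipped, not failed. */`. Otherwise replace the guard with `TEST_ASSERT(ciphersuite_info != NULL);` and add the matching dependencies. Separately, `*mbedtls_ssl_session_get_id(&session) == session.id` compares addresses, not the id bytes, which appears to be the intent for an accessor test but deserves a short comment.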
@@ -2330,7 +2508,7 @@ void mbedtls_endpoint_sanity(int endpoint_type)
MD_OR_USE_PSA_INIT();
ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options,
- NULL, NULL, NULL, NULL);
+ NULL, NULL, NULL);
TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);
ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg,
@@ -2338,7 +2516,7 @@ void mbedtls_endpoint_sanity(int endpoint_type)
TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);
ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options,
- NULL, NULL, NULL, NULL);
+ NULL, NULL, NULL);
TEST_ASSERT(ret == 0);
exit:
@@ -2382,14 +2560,14 @@ void move_handshake_to_state(int endpoint_type, int tls_version, int state, int
mbedtls_platform_zeroize(&second_ep, sizeof(second_ep));
ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options,
- NULL, NULL, NULL, NULL);
+ NULL, NULL, NULL);
TEST_ASSERT(ret == 0);
ret = mbedtls_test_ssl_endpoint_init(
&second_ep,
(endpoint_type == MBEDTLS_SSL_IS_SERVER) ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
- &options, NULL, NULL, NULL, NULL);
+ &options, NULL, NULL, NULL);
TEST_ASSERT(ret == 0);
@@ -2583,7 +2761,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_AES_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SSL_HAVE_AES:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
void handshake_fragmentation(int mfl,
int expected_srv_hs_fragmentation,
int expected_cli_hs_fragmentation)
@@ -2817,6 +2995,7 @@ void conf_version(int endpoint, int transport,
mbedtls_ssl_conf_transport(&conf, transport);
mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version);
mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result);
TEST_EQUAL(mbedtls_ssl_conf_get_endpoint(
@@ -2858,6 +3037,8 @@ void conf_curve()
mbedtls_ssl_init(&ssl);
MD_OR_USE_PSA_INIT();
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL);
@@ -2889,6 +3070,7 @@ void conf_group()
mbedtls_ssl_config conf;
mbedtls_ssl_config_init(&conf);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
@@ -2942,11 +3124,10 @@ void force_bad_session_id_len()
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
&options, NULL, NULL,
- NULL, NULL) == 0);
+ NULL) == 0);
TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
- &options, NULL, NULL, NULL,
- NULL) == 0);
+ &options, NULL, NULL, NULL) == 0);
mbedtls_debug_set_threshold(1);
mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun,
@@ -2998,6 +3179,7 @@ void cookie_parsing(data_t *cookie, int exp_ret)
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id,
@@ -3052,6 +3234,7 @@ void cid_sanity()
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)
== 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -3114,14 +3297,16 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SOME */
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SOME */
void raw_key_agreement_fail(int bad_server_ecdhe_key)
{
enum { BUFFSIZE = 17000 };
mbedtls_test_ssl_endpoint client, server;
mbedtls_psa_stats_t stats;
size_t free_slots_before = -1;
- mbedtls_test_handshake_test_options options;
+ mbedtls_test_handshake_test_options client_options, server_options;
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
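Review bot: The two `mbedtls_test_init_handshake_options()` calls now sit among the declarations of raw_key_agreement_fail, ahead of the `iana_tls_group_list` declaration, and nothing says why they moved. Presumably the aim is that the `exit:` path, which frees both option structures in a later hunk, never sees an uninitialised struct when an early assertion fails. If so, state it next to the calls: `/* Initialise before anything that can jump to exit: both structures are freed there. */`. Moving the `iana_tls_group_list` declaration above the two calls would also keep declarations and statements apart. The function body continues outside this hunk.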
@@ -3129,22 +3314,22 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key)
mbedtls_platform_zeroize(&client, sizeof(client));
mbedtls_platform_zeroize(&server, sizeof(server));
- mbedtls_test_init_handshake_options(&options);
- options.pk_alg = MBEDTLS_PK_ECDSA;
- options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
- options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
-
/* Client side, force SECP256R1 to make one key bitflip fail
* the raw key agreement. Flipping the first byte makes the
* required 0x04 identifier invalid. */
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.group_list = iana_tls_group_list;
TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
- &options, NULL, NULL,
- NULL, iana_tls_group_list), 0);
+ &client_options, NULL, NULL,
+ NULL), 0);
/* Server side */
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
- &options, NULL, NULL,
- NULL, NULL), 0);
+ &server_options, NULL, NULL,
+ NULL), 0);
TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket),
&(server.socket),
@@ -3180,7 +3365,8 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key)
exit:
mbedtls_test_ssl_endpoint_free(&client, NULL);
mbedtls_test_ssl_endpoint_free(&server, NULL);
- mbedtls_test_free_handshake_options(&options);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
MD_OR_USE_PSA_DONE();
}
@@ -3209,15 +3395,13 @@ void tls13_server_certificate_msg_invalid_vector_len()
client_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
- &client_options, NULL, NULL, NULL,
- NULL);
+ &client_options, NULL, NULL, NULL);
TEST_EQUAL(ret, 0);
mbedtls_test_init_handshake_options(&server_options);
server_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
- &server_options, NULL, NULL, NULL,
- NULL);
+ &server_options, NULL, NULL, NULL);
TEST_EQUAL(ret, 0);
ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
@@ -3309,6 +3493,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT), 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
@@ -3440,3 +3625,1413 @@ exit:
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_resume_session_with_ticket()
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Handshake with ticket.
+ *
+ * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not
+ * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks
+ * below.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);
+
+ TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
+ TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/*
+ * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is
+ * a temporary workaround to not run the test in Windows-2013 where there is
+ * an issue with mbedtls_vsnprintf().
+ */
+/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_read_early_data(int scenario)
+{
+ int ret = -1;
+ unsigned char buf[64];
+ const char *early_data = "This is early data.";
+ size_t early_data_len = strlen(early_data);
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.group_list = group_list;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.group_list = group_list;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+
+#if defined(MBEDTLS_SSL_ALPN)
+ switch (scenario) {
+ case TEST_EARLY_DATA_SAME_ALPN:
+ case TEST_EARLY_DATA_DIFF_ALPN:
+ case TEST_EARLY_DATA_NO_LATER_ALPN:
+ client_options.alpn_list[0] = "ALPNExample";
+ client_options.alpn_list[1] = NULL;
+ server_options.alpn_list[0] = "ALPNExample";
+ server_options.alpn_list[1] = NULL;
+ break;
+ }
+#endif
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: deprotect and discard app data records.";
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: Ignore application message before 2nd ClientHello";
+ server_options.group_list = group_list + 1;
+ break;
+#if defined(MBEDTLS_SSL_ALPN)
+ case TEST_EARLY_DATA_SAME_ALPN:
+ client_options.alpn_list[0] = "ALPNExample";
+ client_options.alpn_list[1] = NULL;
+ server_options.alpn_list[0] = "ALPNExample";
+ server_options.alpn_list[1] = NULL;
+ break;
+ case TEST_EARLY_DATA_DIFF_ALPN:
+ case TEST_EARLY_DATA_NO_INITIAL_ALPN:
+ client_options.alpn_list[0] = "ALPNExample2";
+ client_options.alpn_list[1] = NULL;
+ server_options.alpn_list[0] = "ALPNExample2";
+ server_options.alpn_list[1] = NULL;
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: rejected, the selected ALPN is different "
+ "from the one associated with the pre-shared key.";
+ break;
+ case TEST_EARLY_DATA_NO_LATER_ALPN:
+ client_options.alpn_list[0] = NULL;
+ server_options.alpn_list[0] = NULL;
+ mbedtls_debug_set_threshold(3);
+ server_pattern.pattern =
+ "EarlyData: rejected, the selected ALPN is different "
+ "from the one associated with the pre-shared key.";
+ break;
+#endif
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+ server_options.srv_log_obj = &server_pattern;
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Handshake with ticket and send early data.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
+ (unsigned char *) early_data,
+ early_data_len);
+
+ if (client_ep.ssl.early_data_state !=
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
+ TEST_EQUAL(ret, early_data_len);
+ } else {
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ }
+
+ ret = mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_WRAPUP);
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+#if defined(MBEDTLS_SSL_ALPN)
+ case TEST_EARLY_DATA_SAME_ALPN:
+#endif
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
+ TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf, sizeof(buf)), early_data_len);
+ TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+#if defined(MBEDTLS_SSL_ALPN)
+ case TEST_EARLY_DATA_DIFF_ALPN:
+ case TEST_EARLY_DATA_NO_INITIAL_ALPN:
+ case TEST_EARLY_DATA_NO_LATER_ALPN:
+#endif
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
+ TEST_EQUAL(server_pattern.counter, 1);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_debug_set_threshold(0);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_cli_early_data_state(int scenario)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+ uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ if (scenario == TEST_EARLY_DATA_HRR) {
+ client_options.group_list = group_list;
+ server_options.group_list = group_list;
+ }
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ server_options.group_list = group_list + 1;
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Go through the handshake sequence, state by state, checking the early
+ * data status each time.
+ */
+ do {
+ int state = client_ep.ssl.state;
+
+ /* Progress the handshake from at least one state */
+ while (client_ep.ssl.state == state) {
+ ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ if (client_ep.ssl.state != state) {
+ break;
+ }
+ ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ }
+
+ if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+ TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)),
+ MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+ }
+
+ switch (client_ep.ssl.state) {
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ if (!client_ep.ssl.handshake->hello_retry_request_flag) {
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
+ } else {
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ if (!client_ep.ssl.handshake->hello_retry_request_flag) {
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
+ memcpy(client_random,
+ client_ep.ssl.handshake->randbytes,
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ } else {
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ TEST_MEMORY_COMPARE(client_random,
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ client_ep.ssl.handshake->randbytes,
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT);
+ break;
+
+ default:
+ TEST_FAIL("Unexpected or unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+ TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR);
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ switch (scenario) {
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unexpected or unknown scenario.");
+ }
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_OVER:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unexpected state.");
+ }
+ } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER);
+
+ ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl));
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED);
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1);
+#endif
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_write_early_data(int scenario)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+ int beyond_first_hello = 0;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ if (scenario == TEST_EARLY_DATA_HRR) {
+ client_options.group_list = group_list;
+ server_options.group_list = group_list;
+ }
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_NO_INDICATION_SENT:
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest.
+ */
+ server_options.group_list = group_list + 1;
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Run handshakes going one state further in the handshake sequence at each
+ * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER
+ * state. For each reached handshake state, check the result of the call
+ * to mbedtls_ssl_write_early_data(), make sure we can complete the
+ * handshake successfully and then reset the connection to restart the
+ * handshake from scratch.
+ */
+ do {
+ int client_state = client_ep.ssl.state;
+ int previous_client_state;
+ const char *early_data_string = "This is early data.";
+ const unsigned char *early_data = (const unsigned char *) early_data_string;
+ size_t early_data_len = strlen(early_data_string);
+ int write_early_data_ret, read_early_data_ret;
+ unsigned char read_buf[64];
+
+ write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
+ early_data,
+ early_data_len);
+
+ if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) {
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, client_state);
+ goto complete_handshake;
+ }
+
+ switch (client_state) {
+ case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ if (!client_ep.ssl.handshake->hello_retry_request_flag) {
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ } else {
+ beyond_first_hello = 1;
+ TEST_EQUAL(write_early_data_ret,
+ MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO);
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ if (!client_ep.ssl.handshake->hello_retry_request_flag) {
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ } else {
+ TEST_EQUAL(write_early_data_ret,
+ MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA);
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(write_early_data_ret, early_data_len);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
+ break;
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+ TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR);
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ switch (scenario) {
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(write_early_data_ret,
+ MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state,
+ MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
+ break;
+ default:
+ TEST_FAIL("Unexpected or unknown scenario.");
+ }
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */
+ case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */
+ case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
+ case MBEDTLS_SSL_HANDSHAKE_OVER:
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.state, client_state);
+ break;
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+ break;
+
+ default:
+ TEST_FAIL("Unexpected state.");
+ }
+
+complete_handshake:
+ do {
+ ret = mbedtls_test_move_handshake_to_state(
+ &(server_ep.ssl), &(client_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER);
+
+ if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
+ read_early_data_ret = mbedtls_ssl_read_early_data(
+ &(server_ep.ssl), read_buf, sizeof(read_buf));
+
+ TEST_EQUAL(read_early_data_ret, early_data_len);
+ }
+ } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER), 0);
+
+ mbedtls_test_mock_socket_close(&(client_ep.socket));
+ mbedtls_test_mock_socket_close(&(server_ep.socket));
+
+ ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ previous_client_state = client_state;
+ if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+ break;
+ }
+
+ /* In case of HRR scenario, once we have been through it, move over
+ * the first ClientHello and ServerHello otherwise we just keep playing
+ * this first part of the handshake with HRR.
+ */
+ if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) {
+ TEST_ASSERT(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO) == 0);
+ TEST_ASSERT(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_CLIENT_HELLO) == 0);
+ }
+
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ previous_client_state), 0);
+
+ /* Progress the handshake from at least one state */
+ while (client_ep.ssl.state == previous_client_state) {
+ ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ if (client_ep.ssl.state != previous_client_state) {
+ break;
+ }
+ ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
+ TEST_ASSERT((ret == 0) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
+ (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
+ }
+ } while (1);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_cli_max_early_data_size(int max_early_data_size_arg)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ unsigned char *buf = NULL;
+ uint32_t buf_size = 64;
+ uint32_t max_early_data_size;
+ uint32_t written_early_data_size = 0;
+ uint32_t read_early_data_size = 0;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+
+ PSA_INIT();
+ TEST_CALLOC(buf, buf_size);
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.max_early_data_size = max_early_data_size_arg;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ max_early_data_size = saved_session.max_early_data_size;
+ /*
+ * (max_early_data_size + 1024) for the size of the socket buffers for the
+ * server one to be able to contain the maximum number of early data bytes
+ * plus the first flight of client messages. Needed because we cannot
+ * initiate the handshake on server side before doing all the calls to
+ * mbedtls_ssl_write_early_data() we want to test. See below for more
+ * information.
+ */
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket),
+ max_early_data_size + 1024);
+ TEST_EQUAL(ret, 0);
+
+ /* If our server is configured with max_early_data_size equal to zero, it
+ * does not set the MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA flag for
+ * the tickets it creates. To be able to test early data with a ticket
+ * allowing early data in its flags but with max_early_data_size equal to
+ * zero (case supported by our client) tweak the ticket flags here.
+ */
+ if (max_early_data_size == 0) {
+ saved_session.ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
+ }
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ while (written_early_data_size < max_early_data_size) {
+ uint32_t remaining = max_early_data_size - written_early_data_size;
+
+ for (size_t i = 0; i < buf_size; i++) {
+ buf[i] = (unsigned char) (written_early_data_size + i);
+ }
+
+ ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
+ buf,
+ buf_size);
+
+ if (buf_size <= remaining) {
+ TEST_EQUAL(ret, buf_size);
+ } else {
+ TEST_EQUAL(ret, remaining);
+ }
+ written_early_data_size += buf_size;
+ }
+ TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);
+
+ ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), buf, 1);
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
+ TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);
+ TEST_EQUAL(client_ep.ssl.early_data_state,
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
+
+ /*
+ * Now, check data on server side. It is not done in the previous loop as
+ * in the first call to mbedtls_ssl_handshake(), the server ends up sending
+ * its Finished message and then in the following call to
+ * mbedtls_ssl_write_early_data() we go past the early data writing window
+ * and we cannot test multiple calls to the API is this writing window.
+ */
+ while (read_early_data_size < max_early_data_size) {
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf,
+ buf_size);
+ TEST_ASSERT(ret > 0);
+
+ for (size_t i = 0; i < (size_t) ret; i++) {
+ TEST_EQUAL(buf[i], (unsigned char) (read_early_data_size + i));
+ }
+
+ read_early_data_size += ret;
+ }
+ TEST_EQUAL(read_early_data_size, max_early_data_size);
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+
+ TEST_ASSERT(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_HANDSHAKE_OVER)
+ == 0);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_free(buf);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/*
+ * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
+ * a temporary workaround to not run the test in Windows-2013 where there is
+ * an issue with mbedtls_vsnprintf().
+ */
+/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+ char pattern[128];
+ unsigned char *buf_write = NULL;
+ uint32_t write_size = (uint32_t) write_size_arg;
+ unsigned char *buf_read = NULL;
+ uint32_t read_size;
+ uint32_t expanded_early_data_chunk_size = 0;
+ uint32_t written_early_data_size = 0;
+ uint32_t max_early_data_size;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+ PSA_INIT();
+
+ TEST_CALLOC(buf_write, write_size);
+
+ /*
+ * Allocate a smaller buffer for early data reading to exercise the reading
+ * of data in one record in multiple calls.
+ */
+ read_size = (write_size / 2) + 1;
+ TEST_CALLOC(buf_read, read_size);
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.group_list = group_list;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.group_list = group_list;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.max_early_data_size = max_early_data_size_arg;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+ server_options.srv_log_obj = &server_pattern;
+ server_pattern.pattern = pattern;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: deprotect and discard app data records.");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest.
+ */
+ server_options.group_list = group_list + 1;
+ ret = mbedtls_snprintf(
+ pattern, sizeof(pattern),
+ "EarlyData: Ignore application message before 2nd ClientHello");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ max_early_data_size = saved_session.max_early_data_size;
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Start an handshake based on the ticket up to the point where early data
+ * can be sent from client side. Then send in a loop as much early data as
+ * possible without going over the maximum permitted size for the ticket.
+ * Finally, do a last writting to go past that maximum permitted size and
+ * check that we detect it.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ TEST_ASSERT(client_ep.ssl.early_data_state !=
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+
+ /*
+ * Write and if possible read as much as possible chunks of write_size
+ * bytes data without getting over the max_early_data_size limit.
+ */
+ do {
+ uint32_t read_early_data_size = 0;
+
+ /*
+ * The contents of the early data are not very important, write a
+ * pattern that varies byte-by-byte and is different for every chunk of
+ * early data.
+ */
+ if ((written_early_data_size + write_size) > max_early_data_size) {
+ break;
+ }
+
+ /*
+ * If the server rejected early data, base the determination of when
+ * to stop the loop on the expanded size (padding and encryption
+ * expansion) of early data on server side and the number of early data
+ * received so far by the server (multiple of the expanded size).
+ */
+ if ((expanded_early_data_chunk_size != 0) &&
+ ((server_ep.ssl.total_early_data_size +
+ expanded_early_data_chunk_size) > max_early_data_size)) {
+ break;
+ }
+
+ for (size_t i = 0; i < write_size; i++) {
+ buf_write[i] = (unsigned char) (written_early_data_size + i);
+ }
+
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+ written_early_data_size += write_size;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ while (read_early_data_size < write_size) {
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf_read, read_size);
+ TEST_ASSERT(ret > 0);
+
+ TEST_MEMORY_COMPARE(buf_read, ret,
+ buf_write + read_early_data_size, ret);
+ read_early_data_size += ret;
+
+ TEST_EQUAL(server_ep.ssl.total_early_data_size,
+ written_early_data_size);
+ }
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ /*
+ * In this write loop we try to always stay below the
+ * max_early_data_size limit but if max_early_data_size is very
+ * small we may exceed the max_early_data_size limit on the
+ * first write. In TEST_EARLY_DATA_SERVER_REJECTS/
+ * TEST_EARLY_DATA_HRR scenario, this is for sure the case if
+ * max_early_data_size is smaller than the smallest possible
+ * inner content/protected record. Take into account this
+ * possibility here but only for max_early_data_size values
+ * that are close to write_size. Below, '1' is for the inner
+ * type byte and '16' is to take into account some AEAD
+ * expansion (tag, ...).
+ */
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+ if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ } else {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 + 16 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ }
+ goto exit;
+ }
+
+ TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);
+
+ TEST_EQUAL(server_pattern.counter, 1);
+ server_pattern.counter = 0;
+ if (expanded_early_data_chunk_size == 0) {
+ expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size;
+ }
+ break;
+ }
+ TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size);
+ } while (1);
+
+ mbedtls_debug_set_threshold(3);
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: Too much early data received");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ TEST_EQUAL(server_pattern.counter, 1);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_free(buf_write);
+ mbedtls_free(buf_read);
+ mbedtls_debug_set_threshold(0);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_ssl_decrypt.function b/tests/suites/test_suite_ssl_decrypt.function
index ad94a58..35f0adb 100644
--- a/tests/suites/test_suite_ssl_decrypt.function
+++ b/tests/suites/test_suite_ssl_decrypt.function
@@ -120,7 +120,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2 */
void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac,
int length_selector)
{
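Review bot: The new function-level `depends_on` for `ssl_decrypt_non_etm_cbc` still requires `MBEDTLS_SSL_HAVE_AES`, although the function takes `cipher_type` as a parameter and the `test_suite_ssl_decrypt.misc.data` hunk in this same commit drives it with `MBEDTLS_CIPHER_ARIA_128_CBC` under `MBEDTLS_SSL_HAVE_ARIA`. If the body has no AES-specific code, a build with ARIA but without AES would skip every ARIA case, so the non-EtM CBC padding checks would not run for the only CBC cipher that build has. Each data entry now carries its own cipher and `MBEDTLS_SSL_HAVE_CBC` dependency, so the header could be reduced to `/* BEGIN_CASE depends_on:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_PROTO_TLS1_2 */`. The function body lies outside this hunk, so confirm it does not need AES before dropping the guard.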
diff --git a/tests/suites/test_suite_ssl_decrypt.misc.data b/tests/suites/test_suite_ssl_decrypt.misc.data
index f663b26..10bb56d 100644
--- a/tests/suites/test_suite_ssl_decrypt.misc.data
+++ b/tests/suites/test_suite_ssl_decrypt.misc.data
@@ -11,389 +11,389 @@ depends_on:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_null:MBEDTLS_MD_SHA256
Decrypt null cipher, SHA-384
-depends_on:MBEDTLS_MD_CAN_SHA384
+depends_on:PSA_WANT_ALG_SHA_384
ssl_decrypt_null:MBEDTLS_MD_SHA384
Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-1
Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-2
Decrypt CBC !EtM, AES MD5 !trunc, padlen=0
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0
Decrypt CBC !EtM, AES MD5 !trunc, padlen=240
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:240
Decrypt CBC !EtM, AES MD5 !trunc, padlen=1
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1
Decrypt CBC !EtM, AES MD5 !trunc, padlen=241
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:241
Decrypt CBC !EtM, AES MD5 !trunc, padlen=15
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15
Decrypt CBC !EtM, AES MD5 !trunc, padlen=255
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:255
Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-1
Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-2
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=0
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=240
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:240
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=1
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=241
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:241
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=15
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:15
Decrypt CBC !EtM, AES SHA1 !trunc, padlen=255
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:255
Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-1
Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-2
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=0
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=240
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:240
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=1
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=241
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:241
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=15
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15
Decrypt CBC !EtM, AES SHA256 !trunc, padlen=255
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:255
Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-1
Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-2
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=0
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=240
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:240
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=1
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=241
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:241
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=15
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15
Decrypt CBC !EtM, AES SHA384 !trunc, padlen=255
-depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:255
Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-1
Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-2
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=0
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=240
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:240
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=1
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=241
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:241
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=15
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15
Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=255
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:255
Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=0
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=240
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:240
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=1
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=241
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:241
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=15
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:15
Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=255
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:255
Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=0
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=240
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:240
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=1
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=241
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:241
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=15
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15
Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=255
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:255
Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=0
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=240
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:240
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=1
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=241
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:241
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=15
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15
Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=255
-depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_ARIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:255
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-1
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-2
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=0
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=240
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:240
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=1
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=241
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:241
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=15
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15
Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=255
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_MD5
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_MD5
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:255
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=0
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=240
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:240
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=1
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=241
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:241
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=15
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:15
Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=255
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA1
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA1
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:255
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=0
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=240
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:240
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=1
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=241
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:241
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=15
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15
Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=255
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA256
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:255
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, minpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, maxpad
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=0
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=240
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:240
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=1
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=241
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:241
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=15
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15
Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=255
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD_CAN_SHA384
+depends_on:MBEDTLS_SSL_HAVE_CAMELLIA:MBEDTLS_SSL_HAVE_CBC:PSA_WANT_ALG_SHA_384
ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255
diff --git a/tests/suites/test_suite_test_helpers.data b/tests/suites/test_suite_test_helpers.data
new file mode 100644
index 0000000..1d221d7
--- /dev/null
+++ b/tests/suites/test_suite_test_helpers.data
@@ -0,0 +1,23 @@
+Memory poison+unpoison: offset=0 len=42
+memory_poison_unpoison:0:42
+
+Memory poison+unpoison: offset=0 len=1
+memory_poison_unpoison:0:1
+
+Memory poison+unpoison: offset=0 len=2
+memory_poison_unpoison:0:2
+
+Memory poison+unpoison: offset=1 len=1
+memory_poison_unpoison:1:1
+
+Memory poison+unpoison: offset=1 len=2
+memory_poison_unpoison:1:2
+
+Memory poison+unpoison: offset=7 len=1
+memory_poison_unpoison:7:1
+
+Memory poison+unpoison: offset=7 len=2
+memory_poison_unpoison:7:2
+
+Memory poison+unpoison: offset=0 len=0
+memory_poison_unpoison:0:0
diff --git a/tests/suites/test_suite_test_helpers.function b/tests/suites/test_suite_test_helpers.function
new file mode 100644
index 0000000..8c5d5ad
--- /dev/null
+++ b/tests/suites/test_suite_test_helpers.function
@@ -0,0 +1,40 @@
+/* BEGIN_HEADER */
+
+/* Test some parts of the test framework. */
+
+#include <test/helpers.h>
+#include <test/memory.h>
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES */
+
+/* END_DEPENDENCIES */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_MEMORY_CAN_POISON */
+/* Test that poison+unpoison leaves the memory accessible. */
+/* We can't test that poisoning makes the memory inaccessible:
+ * there's no sane way to catch an Asan/Valgrind complaint.
+ * That negative testing is done in programs/test/metatest.c. */
+void memory_poison_unpoison(int align, int size)
+{
+ unsigned char *buf = NULL;
+ const size_t buffer_size = align + size;
+ TEST_CALLOC(buf, buffer_size);
+
+ for (size_t i = 0; i < buffer_size; i++) {
+ buf[i] = (unsigned char) (i & 0xff);
+ }
+
+ const unsigned char *start = buf == NULL ? NULL : buf + align;
+ mbedtls_test_memory_poison(start, (size_t) size);
+ mbedtls_test_memory_unpoison(start, (size_t) size);
+
+ for (size_t i = 0; i < buffer_size; i++) {
+ TEST_EQUAL(buf[i], (unsigned char) (i & 0xff));
+ }
+
+exit:
+ mbedtls_free(buf);
+}
+/* END_CASE */
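Review bot: In `memory_poison_unpoison`, `const size_t buffer_size = align + size;` adds two `int` values and only then converts to `size_t`, so a negative argument from a future .data case would wrap to a huge allocation request, and `buf + align` could point before the buffer handed to the poison helpers. The cases added in test_suite_test_helpers.data are all non-negative, so this is latent rather than a current failure. I would add `TEST_ASSERT(align >= 0 && size >= 0);` right after the `buf` declaration and compute the length as `(size_t) align + (size_t) size`. The parameter is called `align` here but `offset` in the test descriptions, so a short comment such as `/* align: offset of the poisoned region from the start of the allocation */` would remove the ambiguity.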
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 11c41b0..0edee96 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"3.5.0"
+check_compiletime_version:"3.6.0"
Check runtime library version
-check_runtime_version:"3.5.0"
+check_runtime_version:"3.6.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 4b75f17..7c7a878 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1,410 +1,410 @@
X509 CRT information #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #1 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #2
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #2 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #3
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 CRT information #3 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 CRT information MD5 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_MD5
-x509_cert_info:"data_files/parse_input/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/parse_input/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
+x509_cert_info:"../framework/data_files/parse_input/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/parse_input/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_384
+x509_cert_info:"../framework/data_files/parse_input/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/parse_input/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224
+x509_cert_info:"../framework/data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384
+x509_cert_info:"../framework/data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/parse_input/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:PSA_WANT_ALG_SHA_224
+x509_cert_info:"../framework/data_files/parse_input/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/parse_input/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:PSA_WANT_ALG_SHA_384
+x509_cert_info:"../framework/data_files/parse_input/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/parse_input/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA256 Digest, hardware module name SAN
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5-othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2023-06-20 09\:04\:43\nexpires on \: 2033-06-17 09\:04\:43\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2023-06-20 09\:04\:43\nexpires on \: 2033-06-17 09\:04\:43\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n"
X509 CRT information EC, SHA256 Digest, binary hardware module name SAN
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5-nonprintable_othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2023-06-20 09\:49\:20\nexpires on \: 2033-06-17 09\:49\:20\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-nonprintable_othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2023-06-20 09\:49\:20\nexpires on \: 2033-06-17 09\:49\:20\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n"
X509 CRT information EC, SHA256 Digest, directoryName SAN
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
X509 CRT information EC, SHA256 Digest, two directoryName SANs
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n"
X509 CRT information EC, SHA256 Digest, Wisun Fan device
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server5-fan.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2023-06-20 09\:49\:35\nexpires on \: 2033-06-17 09\:49\:35\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n"
+x509_cert_info:"../framework/data_files/parse_input/server5-fan.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2023-06-20 09\:49\:35\nexpires on \: 2033-06-17 09\:49\:35\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n"
X509 CRT information, NS Cert Type
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n"
+x509_cert_info:"../framework/data_files/parse_input/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n"
X509 CRT information, Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"../framework/data_files/parse_input/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Key Usage with decipherOnly
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n"
+x509_cert_info:"../framework/data_files/parse_input/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n"
X509 CRT information, Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CRT information, Multiple different Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n"
+x509_cert_info:"../framework/data_files/parse_input/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CRT information, Subject Alt Name + Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n iPAddress \: 192.168.1.1\n iPAddress \: 192.168.69.144\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"../framework/data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n iPAddress \: 192.168.1.1\n iPAddress \: 192.168.69.144\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Subject Alt Name with uniformResourceIdentifier
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"../framework/data_files/parse_input/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"../framework/data_files/parse_input/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, RSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, ECDSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, RSA Certificate Policy any with qualifier
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, ECDSA Certificate Policy any with qualifier
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, RSA Certificate multiple Policies
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
X509 CRT information, ECDSA Certificate multiple Policies
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
X509 CRT information, RSA Certificate unsupported policy
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
X509 CRT information, ECDSA Certificate unsupported policy
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
+x509_cert_info:"../framework/data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
X509 CRT information, Key Usage + Extended Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
+x509_cert_info:"../framework/data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
X509 CRT information RSA signed by EC
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
-x509_cert_info:"data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC signed by RSA
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-x509_cert_info:"data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"../framework/data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n"
X509 CRT information Bitstring in subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=#030B0037313031303132323535\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
+x509_cert_info:"../framework/data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=#030B0037313031303132323535\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
X509 CRT information Non-ASCII string in issuer name and subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nsubject name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"../framework/data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nsubject name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 CRT information Parsing IPv4 and IPv6 IP names
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_cert_info:"data_files/server5-tricky-ip-san.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2023-06-05 11\:30\:36\nexpires on \: 2033-06-02 11\:30\:36\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n"
+x509_cert_info:"../framework/data_files/server5-tricky-ip-san.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2023-06-05 11\:30\:36\nexpires on \: 2033-06-02 11\:30\:36\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n"
X509 SAN parsing otherName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0
+x509_parse_san:"../framework/data_files/parse_input/server5-othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0
X509 SAN parsing binary otherName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-nonprintable_othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
+x509_parse_san:"../framework/data_files/parse_input/server5-nonprintable_othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
X509 SAN parsing directoryName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0
+x509_parse_san:"../framework/data_files/parse_input/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0
X509 SAN parsing directoryName, seq malformed
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_san:"../framework/data_files/parse_input/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 SAN parsing two directoryNames, second DN OID malformed
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_san:"../framework/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 SAN parsing dNSName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
+x509_parse_san:"../framework/data_files/parse_input/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
X509 SAN parsing Multiple different types
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
+x509_parse_san:"../framework/data_files/parse_input/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
X509 SAN parsing, no subject alt name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
-x509_parse_san:"data_files/parse_input/server4.crt":"":0
+x509_parse_san:"../framework/data_files/parse_input/server4.crt":"":0
X509 SAN parsing, unsupported otherName name
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/server5-unsupported_othername.crt.der":"":0
+x509_parse_san:"../framework/data_files/parse_input/server5-unsupported_othername.crt.der":"":0
X509 SAN parsing rfc822Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0
+x509_parse_san:"../framework/data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0
X509 CRT information Parsing IP (invalid data)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_parse_san:"data_files/server5-tricky-ip-san-malformed-len.crt.der":"":MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_parse_san:"../framework/data_files/server5-tricky-ip-san-malformed-len.crt.der":"":MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRL information #1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
X509 CRL Information MD5 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n"
X509 CRL Information SHA1 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
X509 CRL Information SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_224:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n"
X509 CRL Information SHA256 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n"
X509 CRL Information SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n"
X509 CRL Information SHA512 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n"
X509 CRL information RSA-PSS, SHA1 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n"
X509 CRL information RSA-PSS, SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n"
X509 CRL information RSA-PSS, SHA256 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n"
X509 CRL information RSA-PSS, SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n"
X509 CRL information RSA-PSS, SHA512 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n"
X509 CRL Information EC, SHA1 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n"
X509 CRL Information EC, SHA224 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PK_CAN_ECDSA_SOME
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n"
X509 CRL Information EC, SHA256 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n"
X509 CRL Information EC, SHA384 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PK_CAN_ECDSA_SOME
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n"
X509 CRL Information EC, SHA512 Digest
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_SOME
+mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n"
X509 CRL Malformed Input (trailing spaces at end of file)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_VERIFY
-mbedtls_x509_crl_parse:"data_files/parse_input/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
X509 CRL Unsupported critical extension (issuingDistributionPoint)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_crl_parse:"data_files/parse_input/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL Unsupported non-critical extension (issuingDistributionPoint)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_crl_parse:"data_files/parse_input/crl-idpnc.pem":0
+mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-idpnc.pem":0
X509 CSR Information RSA with MD5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA224
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n"
-X509 CSR Information RSA with SHA-256
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+X509 CSR Information RSA with SHA256
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA384
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n"
+depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
-X509 CSR Information RSA with SHA-256, containing commas
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+X509 CSR Information RSA with SHA256, containing commas
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information EC with SHA1
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA224
-depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:PSA_WANT_ALG_SHA_224:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA256
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA384
-depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:PSA_WANT_ALG_SHA_384:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA512
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA224
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA256
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA384
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
-X509 CSR Information RSA with SHA-256 - Microsoft header
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_info:"data_files/parse_input/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+X509 CSR Information RSA with SHA256 - Microsoft header
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information v3 extensions #1 (all)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
X509 CSR Information v3 extensions #2 (nsCertType only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
X509 CSR Information v3 extensions #3 (subjectAltName only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CSR Information v3 extensions #4 (keyUsage only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
+mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
X509 Verify Information: empty
x509_verify_info:0:"":""
@@ -429,55 +429,55 @@ x509_verify_info:MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" !
X509 Get Distinguished Name #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
X509 Get Distinguished Name #2
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA"
X509 Get Distinguished Name #3
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server2.crt":"subject":"C=NL, O=PolarSSL, CN=localhost"
+mbedtls_x509_dn_gets:"../framework/data_files/server2.crt":"subject":"C=NL, O=PolarSSL, CN=localhost"
X509 Get Distinguished Name #4
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA"
+mbedtls_x509_dn_gets:"../framework/data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA"
X509 Get Distinguished Name #5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1"
X509 Get Distinguished Name #6
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.hashsymbol.crt":"subject":"C=NL, O=\\#PolarSSL, CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.hashsymbol.crt":"subject":"C=NL, O=\\#PolarSSL, CN=PolarSSL Server 1"
X509 Get Distinguished Name #7
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1"
X509 Get Distinguished Name #8
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets:"data_files/server1.asciichars.crt":"subject":"C=NL, O=\\E6\\9E\\81\\E5\\9C\\B0SSL, CN=PolarSSL Server 1"
+mbedtls_x509_dn_gets:"../framework/data_files/server1.asciichars.crt":"subject":"C=NL, O=\\E6\\9E\\81\\E5\\9C\\B0SSL, CN=PolarSSL Server 1"
X509 Get Modified DN #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0
+mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0
X509 Get Modified DN #2 Name exactly 255 bytes
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, CN=PolarSSL Server 1":0
+mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, CN=PolarSSL Server 1":0
X509 Get Modified DN #3 Name exceeds 255 bytes
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
X509 Get Modified DN #4 Name exactly 255 bytes, with comma requiring escaping
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890,1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"1234567890,1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
X509 Get Modified DN #5 Name exactly 255 bytes, ending with comma requiring escaping
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234,":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
+mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234,":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL
X509 Get Next DN #1 No Multivalue RDNs
mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, CN=PolarSSL Server 1":0:"C O CN":3:"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
@@ -533,551 +533,551 @@ mbedtls_x509_get_name:"310B3009060355040613024E4C3111300F060355040A0C08506F6C617
X509 Time Expired #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_from":1
+mbedtls_x509_time_is_past:"../framework/data_files/server1.crt":"valid_from":1
X509 Time Expired #2
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_to":0
+mbedtls_x509_time_is_past:"../framework/data_files/server1.crt":"valid_to":0
X509 Time Expired #3
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_from":1
+mbedtls_x509_time_is_past:"../framework/data_files/server2.crt":"valid_from":1
X509 Time Expired #4
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_to":0
+mbedtls_x509_time_is_past:"../framework/data_files/server2.crt":"valid_to":0
X509 Time Expired #5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_from":1
+mbedtls_x509_time_is_past:"../framework/data_files/test-ca.crt":"valid_from":1
X509 Time Expired #6
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_to":0
+mbedtls_x509_time_is_past:"../framework/data_files/test-ca.crt":"valid_to":0
X509 Time Future #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_from":0
+mbedtls_x509_time_is_future:"../framework/data_files/server5.crt":"valid_from":0
X509 Time Future #2
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_to":1
+mbedtls_x509_time_is_future:"../framework/data_files/server5.crt":"valid_to":1
X509 Time Future #3
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_from":1
+mbedtls_x509_time_is_future:"../framework/data_files/server5-future.crt":"valid_from":1
X509 Time Future #4
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_to":1
+mbedtls_x509_time_is_future:"../framework/data_files/server5-future.crt":"valid_to":1
X509 Time Future #5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_from":0
+mbedtls_x509_time_is_future:"../framework/data_files/test-ca2.crt":"valid_from":0
X509 Time Future #6
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_to":1
+mbedtls_x509_time_is_future:"../framework/data_files/test-ca2.crt":"valid_to":1
X509 CRT verification #1 (Revoked Cert, Expired CRL, no CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 CRT verification #1a (Revoked Cert, Future CRL, no CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #2 (Revoked Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 CRT verification #2a (Revoked Cert, Future CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #3 (Revoked Cert, Future CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #3a (Revoked Cert, Expired CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #4 (Valid Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 CRT verification #4a (Revoked Cert, Future CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #5 (Revoked Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #5' (Revoked Cert, differing DN string formats #1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_utf8.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_utf8.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #5'' (Revoked Cert, differing DN string formats #2)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_printable.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_printable.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #5''' (Revoked Cert, differing upper and lower case)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_uppercase.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_uppercase.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #6 (Revoked Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #7 (Revoked Cert, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #8 (Valid Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #8a (Expired Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-expired.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
X509 CRT verification #8b (Future Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-future.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
X509 CRT verification #8c (Expired Cert, longer chain)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server7-expired.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
X509 CRT verification #8d (Future Cert, longer chain)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server7-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server7-future.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
X509 CRT verification #9 (Not trusted Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #10 (Not trusted Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #13 (Valid Cert MD5 Digest, MD5 forbidden)
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_md5.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
X509 CRT verification #13 (Valid Cert MD5 Digest, MD5 allowed)
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"all":"NULL"
+x509_verify:"../framework/data_files/cert_md5.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"all":"NULL"
X509 CRT verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_sha1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL"
+x509_verify:"../framework/data_files/cert_sha1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL"
X509 CRT verification #15 (Valid Cert SHA224 Digest)
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"../framework/data_files/cert_sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #16 (Valid Cert SHA256 Digest)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #17 (Valid Cert SHA384 Digest)
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"../framework/data_files/cert_sha384.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #18 (Valid Cert SHA512 Digest)
depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #19 (Valid Cert, denying callback)
depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
+x509_verify:"../framework/data_files/cert_sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
X509 CRT verification #19 (Not trusted Cert, allowing callback)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
X509 CRT verification #21 (domain matching wildcard certificate, case insensitive)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
X509 CRT verification #22 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #23 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #24 (domain matching CN of multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #25 (domain matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.net":0:0:"compat":"NULL"
X509 CRT verification #26 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #27.1 (domain not matching multi certificate: suffix)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #27.2 (domain not matching multi certificate: head junk)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #28 (domain not matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #29 (domain matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
X509 CRT verification #30 (domain matching multi certificate without CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #31 (domain not matching multi certificate without CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #32 (Valid, EC cert, RSA CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #33 (Valid, RSA cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #34 (Valid, EC cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #35 (Revoked, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #36 (Valid, EC CA, SHA1 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-sha1.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #37 (Valid, EC CA, SHA224 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA224
-x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:PSA_WANT_ALG_SHA_224
+x509_verify:"../framework/data_files/server5-sha224.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #38 (Valid, EC CA, SHA384 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA384:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:PSA_WANT_ALG_SHA_384:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
+x509_verify:"../framework/data_files/server5-sha384.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #39 (Valid, EC CA, SHA512 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA512:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-sha512.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #40 (Valid, depth 0, RSA, CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/test-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #41 (Valid, depth 0, EC, CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/test-ca2.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #42 (Depth 0, not CA, RSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #43 (Depth 0, not CA, EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/server5.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #44 (Corrupted signature, EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #45 (Corrupted signature, RSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2-badsign.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #45b (Corrupted signature, intermediate CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server7-badsign.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #46 (Valid, depth 2, EC-RSA-EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #47 (Untrusted, depth 2, EC-RSA-EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #48 (Missing intermediate CA, EC-RSA-EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server7.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #49 (Valid, depth 2, RSA-EC-RSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server8_int-ca2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #50 (Valid, multiple CAs)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #51 (Valid, multiple CAs, reverse order)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca_cat21.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #52 (CA keyUsage valid)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt_crl.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #53 (CA keyUsage missing cRLSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #54 (CA keyUsage missing cRLSign, no CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #55 (CA keyUsage missing keyCertSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crl.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #56 (CA keyUsage plain wrong)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-ds.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #57 (Valid, RSASSA-PSS, SHA-1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #58 (Valid, RSASSA-PSS, SHA-224)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_224:MBEDTLS_MD_CAN_SHA1
+x509_verify:"../framework/data_files/server9-sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #59 (Valid, RSASSA-PSS, SHA-256)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #60 (Valid, RSASSA-PSS, SHA-384)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_384:MBEDTLS_MD_CAN_SHA1
+x509_verify:"../framework/data_files/server9-sha384.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #61 (Valid, RSASSA-PSS, SHA-512)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #62 (Revoked, RSASSA-PSS, SHA-1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #64 (Valid, RSASSA-PSS, SHA-1, not top)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-with-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #65 (RSASSA-PSS, SHA1, bad cert signature)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-badsign.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #66 (RSASSA-PSS, SHA1, no RSA CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #67 (Valid, RSASSA-PSS, all defaults)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_USE_PSA_CRYPTO
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_USE_PSA_CRYPTO
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #69 (RSASSA-PSS, wrong mgf_hash)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA224:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:PSA_WANT_ALG_SHA_224:MBEDTLS_MD_CAN_SHA1
+x509_verify:"../framework/data_files/server9-bad-mgfhash.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #70 (v1 trusted CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server1-v1.crt":"../framework/data_files/test-ca-v1.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #71 (v1 trusted CA, other)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server2-v1.crt":"../framework/data_files/server1-v1.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #72 (v1 chain)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server2-v1-chain.crt":"../framework/data_files/test-ca-v1.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #73 (selfsigned trusted without CA bit)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #74 (signed by selfsigned trusted without CA bit)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+x509_verify:"../framework/data_files/server6-ss-child.crt":"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #75 (encoding mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/enco-cert-utf8str.pem":"../framework/data_files/enco-ca-prstr.pem":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #76 (multiple CRLs, not revoked)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #77 (multiple CRLs, revoked)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #78 (multiple CRLs, revoked by second)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #79 (multiple CRLs, revoked by future)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #80 (multiple CRLs, first future, revoked by second)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #81 (multiple CRLs, none relevant)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/enco-cert-utf8str.pem":"../framework/data_files/enco-ca-prstr.pem":"../framework/data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #82 (Not yet valid CA and valid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-future-present.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #83 (valid CA and Not yet valid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-present-future.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #84 (valid CA and Not yet valid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-present-past.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #85 (Not yet valid CA and valid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-past-present.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #86 (Not yet valid CA and invalid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-future-invalid.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
X509 CRT verification #87 (Expired CA and invalid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-past-invalid.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
X509 CRT verification #88 (Spurious cert in the chain)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server7_spurious_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server7_spurious_int-ca.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #89 (Spurious cert later in the chain)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server10_int3_spurious_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server10_int3_spurious_int-ca2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #90 (EE with same name as trusted root)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server5-ss-forgeca.crt":"data_files/test-int-ca3.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"":"NULL"
+x509_verify:"../framework/data_files/server5-ss-forgeca.crt":"../framework/data_files/test-int-ca3.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"":"NULL"
X509 CRT verification #91 (same CA with good then bad key)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY
-x509_verify:"data_files/server1.crt":"data_files/test-ca-good-alt.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca-good-alt.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #91 (same CA with bad then good key)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY
-x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca-alt-good.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #92 (bad name, allowing callback)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL"
+x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL"
X509 CRT verification #94 (Suite B invalid, RSA cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_PK:"suite_b":"NULL"
+x509_verify:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_PK:"suite_b":"NULL"
X509 CRT verification #95 (Suite B Valid, EC cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"suite_b":"NULL"
+x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"suite_b":"NULL"
X509 CRT verification #96 (next profile Invalid Cert SHA224 Digest)
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCRL_BAD_MD:"next":"NULL"
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
+x509_verify:"../framework/data_files/cert_sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCRL_BAD_MD:"next":"NULL"
X509 CRT verification #97 (next profile Valid Cert SHA256 Digest)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA1
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL"
+x509_verify:"../framework/data_files/cert_sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL"
X509 CRT verification #98 (Revoked Cert, revocation date in the future, _with_ MBEDTLS_HAVE_TIME_DATE)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #99 (Revoked Cert, revocation date in the future, _without_ MBEDTLS_HAVE_TIME_DATE)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
+x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification: domain identical to IPv4 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: domain identical to IPv6 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: matching IPv4 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL"
X509 CRT verification: mismatching IPv4 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: IPv4 with trailing data in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: matching IPv6 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL"
X509 CRT verification: mismatching IPv6 in SubjectAltName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: matching URI in SubjectAltName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":0:0:"":"NULL"
+x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":0:0:"":"NULL"
X509 CRT verification: URI with trailing data in SubjectAltName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609cz":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609cz":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: URI with preceding data in SubjectAltName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"zurn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"zurn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT verification: URI with bad data in SubjectAltName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C
-x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"bad\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"bad\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
X509 CRT parse CN: IPv4 valid address
x509_crt_parse_cn_inet_pton:"10.10.10.10":"0A0A0A0A":4
@@ -1180,91 +1180,91 @@ x509_crt_parse_cn_inet_pton:"\:\:1.2.3.4\:ffff":"":0
X509 CRT verification with ca callback: failure
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-x509_verify_ca_cb_failure:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":MBEDTLS_ERR_X509_FATAL_ERROR
+x509_verify_ca_cb_failure:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"NULL":MBEDTLS_ERR_X509_FATAL_ERROR
X509 CRT verification callback: bad name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n"
+x509_verify_callback:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n"
X509 CRT verification callback: trusted EE cert
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1
-x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n"
X509 CRT verification callback: trusted EE cert, expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5-ss-expired.crt":"data_files/server5-ss-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial D8\:64\:61\:05\:E3\:A3\:CD\:78 - subject C=UK, O=mbed TLS, OU=testsuite, CN=localhost - flags 0x00000001\n"
+x509_verify_callback:"../framework/data_files/server5-ss-expired.crt":"../framework/data_files/server5-ss-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial D8\:64\:61\:05\:E3\:A3\:CD\:78 - subject C=UK, O=mbed TLS, OU=testsuite, CN=localhost - flags 0x00000001\n"
X509 CRT verification callback: simple
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
X509 CRT verification callback: simple, EE expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 1E - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n"
+x509_verify_callback:"../framework/data_files/server5-expired.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 1E - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n"
X509 CRT verification callback: simple, root expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: two trusted roots
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
X509 CRT verification callback: two trusted roots, reversed order
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
X509 CRT verification callback: root included
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server1_ca.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
X509 CRT verification callback: intermediate ca
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: intermediate ca, root included
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server7_int-ca_ca2.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: intermediate ca trusted
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-int-ca.crt":"NULL":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server7_int-ca_ca2.crt":"../framework/data_files/test-int-ca.crt":"NULL":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: intermediate ca, EE expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n"
+x509_verify_callback:"../framework/data_files/server7-expired.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n"
X509 CRT verification callback: intermediate ca, int expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server7_int-ca-exp.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000001\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server7_int-ca-exp.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000001\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: intermediate ca, root expired
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: two intermediates
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: two intermediates, root included
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: two intermediates, top int trusted
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":"NULL":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":"NULL":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: two intermediates, low int trusted
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-int-ca3.crt":"NULL":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-int-ca3.crt":"NULL":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: no intermediate, bad signature
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_callback:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
+x509_verify_callback:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
X509 CRT verification callback: one intermediate, bad signature
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256
-x509_verify_callback:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
+x509_verify_callback:"../framework/data_files/server7-badsign.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
X509 CRT ASN1 (Empty Certificate)
x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
@@ -1774,7 +1774,7 @@ x509parse_crt:"307d3068a0030201008204deadbeef300d06092a864886f70d01010b0500300c3
X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring length)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509parse_crt:"308180306ba0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
X509 CRT ASN1 (TBS, inv SubPubKeyInfo, inv internal bitstring tag)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
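Review bot: The new expectation for "TBS, inv SubPubKeyInfo, inv internal bitstring length" is only `MBEDTLS_ERR_PK_INVALID_PUBKEY`, so the case no longer pins which check rejected the malformed key. Any other rejection path in SubjectPublicKeyInfo parsing that returns the same high-level code would now satisfy it. If the low-level ASN.1 code was dropped on purpose (presumably because the PK parser no longer combines it into the return value; that change is not visible in this hunk), record it next to the case with a data-file comment such as `# PK parsing now returns MBEDTLS_ERR_PK_INVALID_PUBKEY alone; the ASN.1 length mismatch is no longer reported`. The following case ("inv internal bitstring tag") is cut off by the hunk end, so whether its expectation needs the same adjustment cannot be checked from here.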
@@ -2063,11 +2063,11 @@ x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b05003
X509 CRT ASN1 (inv extBasicConstraint, pathlen is INT_MAX)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH:0
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH:0
X509 CRT ASN1 (pathlen is INT_MAX-1)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server1_pathlen_int_max-1.crt":0:1
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server1_pathlen_int_max-1.crt":0:1
X509 CRT ASN1 (TBS, inv extBasicConstraint, pathlen inv length encoding)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
@@ -2468,35 +2468,35 @@ X509 CRL ASN1 (TBSCertList, sig_oid1 id unknown)
x509parse_crl:"30143012020100300d06092a864886f70d01010f0500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
X509 CRL ASN1 (TBSCertList, sig_oid1 correct, issuer missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30143012020100300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, issuer set missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30163014020100300d06092a864886f70d01010e05003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, correct issuer, thisUpdate missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30253023020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, correct thisUpdate, nextUpdate missing, entries length missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30343032020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030":"":MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, entries present, invalid sig_alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"304a3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c30383132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL ASN1 (TBSCertList, entries present, date in entry invalid)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"304a3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c30383132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL ASN1 (TBSCertList, sig_alg present, sig_alg does not match)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010d0500":"":MBEDTLS_ERR_X509_SIG_MISMATCH
X509 CRL ASN1 (TBSCertList, sig present, len mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
# 305c
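Review bot: These CRL cases now gate on `PSA_WANT_ALG_SHA_224`, while the cases around them in the same file still gate on `MBEDTLS_MD_CAN_SHA256` and `MBEDTLS_MD_CAN_SHA1`, so the file mixes two dependency conventions for the same kind of requirement. The same substitution is made in the following hunk (`@@ -2518,43 +2518,43 @@`). A `depends_on` symbol that is undefined in a given configuration causes the case to be skipped rather than failed, so it is worth confirming that every tested configuration that enables SHA-224 also defines `PSA_WANT_ALG_SHA_224`; otherwise these negative parsing tests would silently stop running. A short comment before the first case would make the split deliberate, e.g. `# SHA-224 dependencies use PSA_WANT_ALG_SHA_224; other hashes still use MBEDTLS_MD_CAN_xxx`.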
@@ -2518,43 +2518,43 @@ x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b060355040
# 03020001 signatureValue BIT STRING
# The subsequent TBSCertList negative tests remove or modify some elements.
X509 CRL ASN1 (TBSCertList, sig present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224:!MBEDTLS_X509_REMOVE_INFO
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0
X509 CRL ASN1 (TBSCertList, signatureValue missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, signatureAlgorithm missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30493047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, single empty entry at end)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"30373035020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030023000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, good entry then empty entry at end)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"304b3049020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301630128202abcd170c3038313233313233353935393000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, missing time in entry)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"304e3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, missing time in entry at end)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"303b3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRL ASN1 (TBSCertList, invalid tag for time in entry)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL ASN1 (TBSCertList, invalid tag for serial)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128402abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL ASN1 (TBSCertList, no entries)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_224:!MBEDTLS_X509_REMOVE_INFO
x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0
X509 CRL ASN1 (invalid version 2)
@@ -2588,146 +2588,146 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509
x509parse_crl:"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":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2018-03-14 07\:31\:48\nnext update \: 2028-03-14 07\:31\:48\nRevoked certificates\:\nsigned using \: RSA with SHA-256\n":0
X509 CRT parse file dir3/Readme
-mbedtls_x509_crt_parse_file:"data_files/dir3/Readme":MBEDTLS_ERR_X509_INVALID_FORMAT:0
+mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/Readme":MBEDTLS_ERR_X509_INVALID_FORMAT:0
X509 CRT parse file dir3/test-ca.crt
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca.crt":0:1
+mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/test-ca.crt":0:1
X509 CRT parse file dir3/test-ca2.crt
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca2.crt":0:1
+mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/test-ca2.crt":0:1
# The parse_path tests are known to fail when compiled for a 32-bit architecture
# and run via qemu-user on Linux on a 64-bit host. This is due to a known
# bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263
X509 CRT parse path #1 (one cert)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_path:"data_files/dir1":0:1
+mbedtls_x509_crt_parse_path:"../framework/data_files/dir1":0:1
X509 CRT parse path #2 (two certs)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_parse_path:"data_files/dir2":0:2
+mbedtls_x509_crt_parse_path:"../framework/data_files/dir2":0:2
X509 CRT parse path #3 (two certs, one non-cert)
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_parse_path:"data_files/dir3":1:2
+mbedtls_x509_crt_parse_path:"../framework/data_files/dir3":1:2
X509 CRT verify long chain (max intermediate CA, trusted)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0
+mbedtls_x509_crt_verify_max:"../framework/data_files/dir-maxpath/00.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0
X509 CRT verify long chain (max intermediate CA, untrusted)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED
+mbedtls_x509_crt_verify_max:"../framework/data_files/test-ca2.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED
X509 CRT verify long chain (max intermediate CA + 1)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1
+mbedtls_x509_crt_verify_max:"../framework/data_files/dir-maxpath/00.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1
X509 CRT verify chain #1 (zero pathlen intermediate)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert14.crt ../framework/data_files/dir4/cert13.crt ../framework/data_files/dir4/cert12.crt":"../framework/data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
X509 CRT verify chain #2 (zero pathlen root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert23.crt data_files/dir4/cert22.crt":"data_files/dir4/cert21.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert23.crt ../framework/data_files/dir4/cert22.crt":"../framework/data_files/dir4/cert21.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
X509 CRT verify chain #3 (nonzero pathlen root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert34.crt data_files/dir4/cert33.crt data_files/dir4/cert32.crt":"data_files/dir4/cert31.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert34.crt ../framework/data_files/dir4/cert33.crt ../framework/data_files/dir4/cert32.crt":"../framework/data_files/dir4/cert31.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
X509 CRT verify chain #4 (nonzero pathlen intermediate)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert45.crt data_files/dir4/cert44.crt data_files/dir4/cert43.crt data_files/dir4/cert42.crt":"data_files/dir4/cert41.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert45.crt ../framework/data_files/dir4/cert44.crt ../framework/data_files/dir4/cert43.crt ../framework/data_files/dir4/cert42.crt":"../framework/data_files/dir4/cert41.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
X509 CRT verify chain #5 (nonzero maxpathlen intermediate)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert54.crt data_files/dir4/cert53.crt data_files/dir4/cert52.crt":"data_files/dir4/cert51.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert54.crt ../framework/data_files/dir4/cert53.crt ../framework/data_files/dir4/cert52.crt":"../framework/data_files/dir4/cert51.crt":0:0:"":0
X509 CRT verify chain #6 (nonzero maxpathlen root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert63.crt ../framework/data_files/dir4/cert62.crt":"../framework/data_files/dir4/cert61.crt":0:0:"":0
X509 CRT verify chain #7 (maxpathlen root, self signed in path)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert74.crt data_files/dir4/cert73.crt data_files/dir4/cert72.crt":"data_files/dir4/cert71.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert74.crt ../framework/data_files/dir4/cert73.crt ../framework/data_files/dir4/cert72.crt":"../framework/data_files/dir4/cert71.crt":0:0:"":0
X509 CRT verify chain #8 (self signed maxpathlen root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert61.crt ../framework/data_files/dir4/cert63.crt ../framework/data_files/dir4/cert62.crt":"../framework/data_files/dir4/cert61.crt":0:0:"":0
X509 CRT verify chain #9 (zero pathlen first intermediate, valid)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert83.crt ../framework/data_files/dir4/cert82.crt":"../framework/data_files/dir4/cert81.crt":0:0:"":0
X509 CRT verify chain #10 (zero pathlen root, valid)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0:0:"":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":0:0:"":0
X509 CRT verify chain #11 (valid chain, missing profile)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0
X509 CRT verify chain #12 (suiteb profile, RSA root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_crt_verify_chain:"data_files/server3.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
X509 CRT verify chain #13 (RSA only profile, EC root)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server4.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
X509 CRT verify chain #13 (RSA only profile, EC trusted EE)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_chain:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
X509 CRT verify chain #14 (RSA-3072 profile, root key too small)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_crt_verify_chain:"data_files/server1.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
X509 CRT verify chain #15 (suiteb profile, rsa intermediate)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1
-mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server7.crt ../framework/data_files/test-int-ca.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
X509 CRT verify chain #16 (RSA-only profile, EC intermediate)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1
-mbedtls_x509_crt_verify_chain:"data_files/server8.crt data_files/test-int-ca2.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server8.crt ../framework/data_files/test-int-ca2.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
X509 CRT verify chain #17 (SHA-512 profile)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512":0
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server7.crt ../framework/data_files/test-int-ca.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512":0
X509 CRT verify chain #18 (len=1, vrfy fatal on depth 1)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-2:"":2
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":-1:-2:"":2
X509 CRT verify chain #19 (len=0, vrfy fatal on depth 0)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-1:"":1
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":-1:-1:"":1
X509 CRT verify chain #20 (len=1, vrfy fatal on depth 0)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca.crt":-1:-1:"":1
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca.crt":-1:-1:"":1
X509 CRT verify chain #21 (len=3, vrfy fatal on depth 3)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-4:"":8
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-4:"":8
X509 CRT verify chain #22 (len=3, vrfy fatal on depth 2)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-3:"":4
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-3:"":4
X509 CRT verify chain #23 (len=3, vrfy fatal on depth 1)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-2:"":2
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-2:"":2
X509 CRT verify chain #24 (len=3, vrfy fatal on depth 0)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-1:"":1
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-1:"":1
X509 CRT verify chain #25 (len=3, vrfy fatal on depth 3, untrusted)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca2.crt":-1:-4:"":8
+mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca2.crt":-1:-4:"":8
X509 OID description #1
x509_oid_desc:"2b06010505070301":"TLS Web Server Authentication"
@@ -2755,75 +2755,75 @@ x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_ASN1_INVALID_D
X509 CRT keyUsage #1 (no extension, expected KU)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
+x509_check_key_usage:"../framework/data_files/server1.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
X509 CRT keyUsage #2 (no extension, surprising KU)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:0
+x509_check_key_usage:"../framework/data_files/server1.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:0
X509 CRT keyUsage #3 (extension present, no KU)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":0:0
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":0:0
X509 CRT keyUsage #4 (extension present, single KU present)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE:0
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE:0
X509 CRT keyUsage #5 (extension present, single KU absent)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT keyUsage #6 (extension present, combined KU present)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
X509 CRT keyUsage #7 (extension present, combined KU both absent)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN|MBEDTLS_X509_KU_CRL_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN|MBEDTLS_X509_KU_CRL_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT keyUsage #8 (extension present, combined KU one absent)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT keyUsage #9 (extension present, decOnly allowed absent)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
+x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
X509 CRT keyUsage #10 (extension present, decOnly non-allowed present)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_key_usage:"../framework/data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT keyUsage #11 (extension present, decOnly allowed present)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
+x509_check_key_usage:"../framework/data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
X509 CRT extendedKeyUsage #1 (no extension, serverAuth)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.crt":"2b06010505070301":0
+x509_check_extended_key_usage:"../framework/data_files/server5.crt":"2b06010505070301":0
X509 CRT extendedKeyUsage #2 (single value, present)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2b06010505070301":0
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv.crt":"2b06010505070301":0
X509 CRT extendedKeyUsage #3 (single value, absent)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2b06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-cli.crt":"2b06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT extendedKeyUsage #4 (two values, first)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070301":0
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070301":0
X509 CRT extendedKeyUsage #5 (two values, second)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070302":0
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070302":0
X509 CRT extendedKeyUsage #6 (two values, other)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 CRT extendedKeyUsage #7 (any, random)
depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2b060105050703ff":0
+x509_check_extended_key_usage:"../framework/data_files/server5.eku-cs_any.crt":"2b060105050703ff":0
X509 RSASSA-PSS parameters ASN1 (good, all defaults)
x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
@@ -2940,6 +2940,26 @@ X509 CSR ASN.1 (OK)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_csr_parse:"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":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n":0
+X509 CSR ASN.1 (Unsupported critical extension, critical=true)
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_parse:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CSR ASN.1 (Unsupported non-critical extension, critical=false)
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_parse:"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":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0
+
+X509 CSR ASN.1 (Unsupported non-critical extension, critical undefined)
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_parse:"308201223081c802010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d030107034200045f94b28d133418833bf10c442d91306459d3925e7cea06ebb9220932e7de116fb671c5d2d6c0a3784a12897217aef8432e7228fcea0ab016bdb67b67ced4c612a025302306092a864886f70d01090e311630143012060b2b0601040183890c8622020403010101300a06082a8648ce3d04030203490030460221009b1e8b25775c18525e96753e1ed55875f8d62f026c5b7f70eb5037ad27dc92de022100ba1dfe14de6af6a603f763563fd046b1cd3714b54d6daf5d8a72076497f11014":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0
+
+X509 CSR ASN.1 (Unsupported critical extension accepted by callback, critical=true)
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_parse_with_ext_cb:"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":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0:1
+
+X509 CSR ASN.1 (Unsupported critical extension rejected by callback, critical=true)
+depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
+mbedtls_x509_csr_parse_with_ext_cb:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:0
+
X509 CSR ASN.1 (bad first tag)
mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
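Review bot: The two `mbedtls_x509_csr_parse_with_ext_cb` cases added here both use a CSR whose unsupported extension is marked critical=true, so nothing pins what happens when the callback rejects an extension that is non-critical or carries no critical field. The no-callback cases just above cover all three criticality variants, and the callback path should mirror them, for example a case titled `X509 CSR ASN.1 (Unsupported non-critical extension rejected by callback, critical=false)` with its expected result stated explicitly. Without it, a regression that ignores a rejecting callback, or that turns a non-critical rejection into a hard failure, would still pass the suite. The trailing `1`/`0` argument is assumed to select accept or reject; the test function that reads it is outside this hunk.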
@@ -3030,110 +3050,122 @@ X509 CSR ASN.1 (invalid version overflow)
mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
# Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes
-# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
+# Please see makefile for ../framework/data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
X509 CSR ASN.1 (attributes: invalid sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid attribute id)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: not extension request)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
X509 CSR ASN.1 (attributes: invalid extenstion request set tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: invalid len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (attributes: extension request invalid len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: extension request invalid len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension id tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid extension data len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: duplicated extension)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
X509 CSR ASN.1 (extensions: invalid extension type data)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
+mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
X509 File parse (no issues)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_int-ca.crt":0:2
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_int-ca.crt":0:2
X509 File parse (extra space in one certificate)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_pem_space.crt":1:1
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_pem_space.crt":1:1
X509 File parse (all certificates fail)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:0
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:0
X509 File parse (trailing spaces, OK)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_trailing_space.crt":0:2
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_trailing_space.crt":0:2
X509 File parse (Algorithm Params Tag mismatch)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_file:"data_files/parse_input/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH:0
+mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH:0
X509 File parse (does not conform to RFC 5480 / RFC 5758 - AlgorithmIdentifier's parameters field is present, mbedTLS generated before bugfix, OK)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509parse_crt_file:"data_files/parse_input/server5-non-compliant.crt":0
+x509parse_crt_file:"../framework/data_files/parse_input/server5-non-compliant.crt":0
X509 File parse (conforms to RFC 5480 / RFC 5758 - AlgorithmIdentifier's parameters field must be absent for ECDSA)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
-x509parse_crt_file:"data_files/parse_input/server5.crt":0
+x509parse_crt_file:"../framework/data_files/parse_input/server5.crt":0
+
+X509 File parse & read the ca_istrue field (Not Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"../framework/data_files/parse_input/server1.crt":0
+
+X509 File parse & read the ca_istrue field (Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"../framework/data_files/test-ca.crt":1
+
+X509 File parse & read the ca_istrue field (Legacy Certificate)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
+mbedtls_x509_get_ca_istrue:"../framework/data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
X509 Get time (UTC no issues)
depends_on:MBEDTLS_X509_USE_C
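Review bot: The new `mbedtls_x509_get_ca_istrue` cases cover `test-ca.crt`, `server1.crt` and a v1 certificate, but nothing here shows whether `server1.crt` carries basicConstraints with CA:FALSE or omits the extension, and those two inputs are worth pinning separately. A v3 certificate with no basicConstraints at all would show whether the accessor reports 0 or `MBEDTLS_ERR_X509_INVALID_EXTENSIONS` for it. That distinction matters to any caller that treats the return value as a CA decision.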
@@ -3249,91 +3281,91 @@ x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_I
X509 CRT verify restart: trusted EE, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1
-x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
+x509_verify_restart:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":0:0:0:0:0
X509 CRT verify restart: trusted EE, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1
-x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0
+x509_verify_restart:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":0:0:1:0:0
X509 CRT verify restart: no intermediate, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
+x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:0:0:0
X509 CRT verify restart: no intermediate, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000
+x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:1:100:10000
X509 CRT verify restart: no intermediate, max_ops=40000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0
+x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:40000:0:0
X509 CRT verify restart: no intermediate, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80
+x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:500:20:80
X509 CRT verify restart: no intermediate, badsign, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 CRT verify restart: no intermediate, badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 CRT verify restart: no intermediate, badsign, max_ops=40000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
+x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
X509 CRT verify restart: no intermediate, badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
+x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
X509 CRT verify restart: one int, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
+x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:0:0:0
X509 CRT verify restart: one int, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000
+x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:1:100:10000
X509 CRT verify restart: one int, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0
+x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:30000:0:0
X509 CRT verify restart: one int, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100
+x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:500:25:100
X509 CRT verify restart: one int, EE badsign, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 CRT verify restart: one int, EE badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 CRT verify restart: one int, EE badsign, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
+x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
X509 CRT verify restart: one int, EE badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
+x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
X509 CRT verify restart: one int, int badsign, max_ops=0 (disabled)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
X509 CRT verify restart: one int, int badsign, max_ops=1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
X509 CRT verify restart: one int, int badsign, max_ops=30000
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
+x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
X509 CRT verify restart: one int, int badsign, max_ops=500
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
+x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
X509 ext types accessor: ext type present
depends_on:MBEDTLS_X509_CRT_PARSE_C
@@ -3345,65 +3377,65 @@ x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_
X509 CRT parse Subject Key Id - Correct Subject Key ID
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":0
+x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":0
X509 CRT parse Subject Key Id - Wrong OCTET_STRING tag
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Subject Key Id - Wrong OCTET_STRING length
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT parse Authority Key Id - Correct Authority Key ID
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0
X509 CRT parse Authority Key Id - Correct Authority Key ID (no keyid)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_keyid.crt.der":"":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_keyid.crt.der":"":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0
X509 CRT parse Authority Key Id - Correct Authority Key ID (no issuer)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_issuer.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"":"":0
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_issuer.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"":"":0
X509 CRT parse Authority Key Id - no Authority Key ID
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_authorityKeyId.crt.der":"":"":"":0
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_authorityKeyId.crt.der":"":"":"":0
X509 CRT parse Authority Key Id - Wrong Length
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT parse Authority Key Id - Wrong Sequence tag
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Authority Key Id - Wrong KeyId Tag
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Authority Key Id - Wrong KeyId Tag Length
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_LENGTH
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_LENGTH
X509 CRT parse Authority Key Id - Wrong Issuer Tag
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Authority Key Id - Wrong DirectoryName tag in issuer field
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Authority Key Id - Wrong Serial Number Tag
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT parse Authority Key Id - Wrong Serial Number Tag length
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
# clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376: test for bad sequence of names in authorityCertIssuer (see issue #7576)
X509 CRT parse Authority Key Id - Wrong Issuer sequence
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C
-x509_crt_parse_authoritykeyid:"data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_crt_parse_authoritykeyid:"../framework/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 114bd52..ba71c8f 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -4,6 +4,7 @@
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/base64.h"
@@ -14,7 +15,7 @@
#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
than the current threshold 19. To test larger values, please \
- adapt the script tests/data_files/dir-max/long.sh."
+ adapt the script framework/data_files/dir-max/long.sh."
#endif
/* Test-only profile allowing all digests, PK algorithms, and curves. */
@@ -250,7 +251,8 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
ret = mbedtls_oid_get_numeric_string(p,
n,
- &san->san.other_name.value.hardware_module_name.oid);
+ &san->san.other_name.value.hardware_module_name
+ .oid);
MBEDTLS_X509_SAFE_SNPRINTF;
ret = mbedtls_snprintf(p, n, ", hardware serial number : ");
@@ -413,6 +415,35 @@ int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
}
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
+ int critical, const unsigned char *cp, const unsigned char *end)
+{
+ (void) p_ctx;
+ (void) csr;
+ (void) oid;
+ (void) critical;
+ (void) cp;
+ (void) end;
+
+ return 0;
+}
+
+int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
+ int critical, const unsigned char *cp, const unsigned char *end)
+{
+ (void) p_ctx;
+ (void) csr;
+ (void) oid;
+ (void) critical;
+ (void) cp;
+ (void) end;
+
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+}
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
/* END_HEADER */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
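Review bot: Neither `parse_csr_ext_accept_cb` nor `parse_csr_ext_reject_cb` has a comment, and both discard `critical`, so the accept variant returns 0 even for an extension flagged critical. That is fine for a test stub, but it is the opposite of what a production callback should do, and the header is a likely place for someone to copy from. I would add `/* Test-only: accepts every extension passed to it, critical or not. */` above the first. Above the second I would add `/* Test-only: rejects every extension with a fixed error code that the .data expectations must match. */`.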
@@ -729,7 +760,7 @@ void x509_verify(char *crt_file, char *ca_file, char *crl_file,
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/* CRLs aren't supported with CA callbacks, so skip the CA callback
* version of the test if CRLs are in use. */
- if (crl_file == NULL || strcmp(crl_file, "") == 0) {
+ if (strcmp(crl_file, "") == 0) {
flags = 0;
res = mbedtls_x509_crt_verify_with_ca_cb(&crt,
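Review bot: With the `crl_file == NULL ||` guard gone, `strcmp(crl_file, "")` is undefined behaviour if `crl_file` is ever NULL. The new condition relies on the test harness always passing a non-NULL string, which is not visible in this hunk. If that is the invariant, state it next to the check, for example `/* crl_file is never NULL: the test framework passes "" for an absent argument. */`. The body of `x509_verify` starts and ends outside the hunk, so the other uses of `crl_file` cannot be compared here.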
@@ -928,15 +959,17 @@ void mbedtls_x509_dn_get_next(char *name_str,
int ret = 0, i;
size_t len = 0, out_size;
mbedtls_asn1_named_data *names = NULL;
- mbedtls_x509_name parsed, *parsed_cur;
+ mbedtls_x509_name parsed;
+ memset(&parsed, 0, sizeof(parsed));
+ mbedtls_x509_name *parsed_cur;
// Size of buf is maximum required for test cases
- unsigned char buf[80], *out = NULL, *c;
+ unsigned char buf[80] = { 0 };
+ unsigned char *out = NULL;
+ unsigned char *c = buf + sizeof(buf);
const char *short_name;
USE_PSA_INIT();
- memset(&parsed, 0, sizeof(parsed));
- memset(buf, 0, sizeof(buf));
- c = buf + sizeof(buf);
+
// Additional size required for trailing space
out_size = strlen(expected_oids) + 2;
TEST_CALLOC(out, out_size);
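Review bot: `parsed_cur` is now the only local in this declaration run without an initializer, and the `memset(&parsed, ...)` statement sits between two declarations. The point of the reordering appears to be that `USE_PSA_INIT()` and `TEST_CALLOC` can jump to `exit:` early, so everything the cleanup touches should be initialised first. The cleanup code is outside the hunk, so it is not visible whether it assigns `parsed_cur` before reading it. Declaring it as `mbedtls_x509_name *parsed_cur = NULL;` closes that gap at no cost. Moving it above the `memset` would keep the declarations together.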
@@ -1050,6 +1083,21 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */
+void mbedtls_x509_get_ca_istrue(char *crt_file, int result)
+{
+ mbedtls_x509_crt crt;
+ mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
+ TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0);
+ TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result);
+exit:
+ mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
void x509parse_crt(data_t *buf, char *result_str, int result)
{
@@ -1245,6 +1293,36 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
+void mbedtls_x509_csr_parse_with_ext_cb(data_t *csr_der, char *ref_out, int ref_ret, int accept)
+{
+ mbedtls_x509_csr csr;
+ char my_out[1000];
+ int my_ret;
+
+ mbedtls_x509_csr_init(&csr);
+ USE_PSA_INIT();
+
+ memset(my_out, 0, sizeof(my_out));
+
+ my_ret = mbedtls_x509_csr_parse_der_with_ext_cb(&csr, csr_der->x, csr_der->len,
+ accept ? parse_csr_ext_accept_cb :
+ parse_csr_ext_reject_cb,
+ NULL);
+ TEST_EQUAL(my_ret, ref_ret);
+
+ if (ref_ret == 0) {
+ size_t my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);
+ TEST_EQUAL(my_out_len, strlen(ref_out));
+ TEST_EQUAL(strcmp(my_out, ref_out), 0);
+ }
+
+exit:
+ mbedtls_x509_csr_free(&csr);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
void mbedtls_x509_csr_parse_file(char *csr_file, char *ref_out, int ref_ret)
{
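Review bot: In `mbedtls_x509_csr_parse_with_ext_cb`, the result of `mbedtls_x509_csr_info()` is stored in a `size_t`, but that function returns `int` and reports failure as a negative value. A failure therefore shows up only as a huge length mismatch rather than as the error code, which makes a failing run harder to diagnose. I would use `int my_out_len = mbedtls_x509_csr_info(my_out, sizeof(my_out), "", &csr);` followed by `TEST_ASSERT(my_out_len >= 0);` and then `TEST_EQUAL((size_t) my_out_len, strlen(ref_out));`. The 1000-byte `my_out` buffer could also use a one-line comment saying it is sized for the largest expected `ref_out`.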
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 0f19028..d7867bb 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -1,170 +1,170 @@
Certificate Request check Server1 SHA1
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0
Certificate Request check Server1 SHA224
-depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0
+depends_on:PSA_WANT_ALG_SHA_224:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0
Certificate Request check Server1 SHA256
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0
Certificate Request check Server1 SHA384
-depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0
+depends_on:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0
Certificate Request check Server1 SHA512
depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0
Certificate Request check Server1 MD5
depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0
Certificate Request check Server1 key_usage
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0
Certificate Request check opaque Server1 key_usage
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check_opaque:"data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
+x509_csr_check_opaque:"../framework/data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
Certificate Request check Server1 key_usage empty
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0
Certificate Request check Server1 ns_cert_type
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
Certificate Request check Server1 ns_cert_type empty
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0
Certificate Request check Server1 key_usage + ns_cert_type
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
Certificate Request check Server5 ECDSA, key_usage
depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP256R1
-x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
+x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
Certificate Request check Server1, set_extension
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1
+x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1
Certificate Request check opaque Server5 ECDSA, key_usage
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
-x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
+x509_csr_check_opaque:"../framework/data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
Certificate write check Server1 SHA1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 1970
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not after 2050
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 1970, not after 2050
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 2050, not after 2059
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, one ext_key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"../framework/data_files/server1.key_ext_usage.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, two ext_key_usages
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"../framework/data_files/server1.key_ext_usages.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":0:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"../framework/data_files/server1.key_usage_noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"../framework/data_files/server1.cert_type_noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":1:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Full length serial
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Serial starting with 0x80
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.80serial.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, All 0xFF full length serial
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server5 ECDSA
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt":0
+x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt":0
+x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server1 SHA1, SubjectAltNames
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.allSubjectAltNames.crt":0:0:"data_files/test-ca.crt":1
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.allSubjectAltNames.crt":0:0:"../framework/data_files/test-ca.crt":1
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\\, Inc., OU=PolarSSL":"C=NL, O=Offspark\\, Inc., OU=PolarSSL":0:0
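Review bot: The `x509_crt_check` cases for Server1 now load `test-ca_unenc.key` and drop the `MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC` dependency, yet each line still passes `"PolarSSLTest"` in what looks like the issuer-password slot. If the new key file is unencrypted, as its name suggests, that argument is now dead input and these cases no longer exercise loading a password-protected CA key. Whether another suite still covers that path is not visible here. The Server5 cases keep `test-ca2.key` with the same password, so the two groups now differ without explanation. A `#` comment above the first Server1 case would help, for example `# CA key is unencrypted so these cases do not depend on AES/CBC; the password argument is ignored.`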
@@ -265,3 +265,6 @@ mbedtls_x509_string_to_names:"C=NL, 2.5.4.10.234.532=#0C084F6666737061726B, OU=P
Check max serial length
x509_set_serial_check:
+
+Check max extension length
+x509_set_extension_length_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index a7ed262..1db7e1c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -2,12 +2,13 @@
#include "mbedtls/bignum.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/rsa.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/pk.h"
-#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
@@ -283,7 +284,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
{
mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t md_alg_psa, alg_psa;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
@@ -296,24 +297,16 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
- if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ /* Turn the PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
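Review bot: The opaque key's PSA policy no longer depends on `md_type`: the removed code built `alg_psa` from `md_alg_psa`, while `mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr)` receives only the usage flag. As far as I know that helper selects a wildcard-hash signature algorithm, so these tests would no longer exercise a key restricted to the hash being signed with; please confirm that is intended. If it is, a comment such as `/* Policy algorithm is chosen by mbedtls_pk_get_psa_attributes(), not derived from md_type. */` would record it; if not, call `psa_set_key_algorithm(&key_attr, ...)` before the import. The same applies to the `if (pk_wrap == 2)` block in the later `x509_crt_check` hunk. Both function bodies continue outside their hunks, so whether `key_id` is destroyed and `key_attr` reset on the exit path cannot be checked from here.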
@@ -372,6 +365,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
@@ -450,24 +444,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* For Opaque PK contexts, wrap key as an Opaque RSA context. */
+ /* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
- psa_algorithm_t alg_psa, md_alg_psa;
-
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
- if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
+ &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&issuer_key);
+ mbedtls_pk_init(&issuer_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -665,13 +649,15 @@ void x509_set_serial_check()
mbedtls_x509write_cert ctx;
uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1];
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi serial_mpi;
+ mbedtls_mpi_init(&serial_mpi);
+#endif
+
USE_PSA_INIT();
memset(invalid_serial, 0x01, sizeof(invalid_serial));
#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
- mbedtls_mpi serial_mpi;
-
- mbedtls_mpi_init(&serial_mpi);
TEST_EQUAL(mbedtls_mpi_read_binary(&serial_mpi, invalid_serial,
sizeof(invalid_serial)), 0);
TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi),
@@ -699,16 +685,16 @@ void mbedtls_x509_string_to_names(char *name, char *parsed_name,
int ret;
size_t len = 0;
mbedtls_asn1_named_data *names = NULL;
- mbedtls_x509_name parsed, *parsed_cur, *parsed_prv;
- unsigned char buf[1024], out[1024], *c;
+ mbedtls_x509_name parsed;
+ memset(&parsed, 0, sizeof(parsed));
+ mbedtls_x509_name *parsed_cur = NULL;
+ mbedtls_x509_name *parsed_prv = NULL;
+ unsigned char buf[1024] = { 0 };
+ unsigned char out[1024] = { 0 };
+ unsigned char *c = buf + sizeof(buf);
USE_PSA_INIT();
- memset(&parsed, 0, sizeof(parsed));
- memset(out, 0, sizeof(out));
- memset(buf, 0, sizeof(buf));
- c = buf + sizeof(buf);
-
ret = mbedtls_x509_string_to_names(&names, name);
TEST_EQUAL(ret, result);
@@ -750,3 +736,24 @@ exit:
USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_WRITE_C */
+void x509_set_extension_length_check()
+{
+ int ret = 0;
+
+ mbedtls_x509write_csr ctx;
+ mbedtls_x509write_csr_init(&ctx);
+
+ unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
+ unsigned char *p = buf + sizeof(buf);
+
+ ret = mbedtls_x509_set_extension(&(ctx.MBEDTLS_PRIVATE(extensions)),
+ MBEDTLS_OID_EXTENDED_KEY_USAGE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
+ 0,
+ p,
+ SIZE_MAX);
+ TEST_ASSERT(MBEDTLS_ERR_X509_BAD_INPUT_DATA == ret);
+}
+/* END_CASE */
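Review bot: `x509_set_extension_length_check` initialises `ctx` with `mbedtls_x509write_csr_init` but never frees it, and unlike the preceding case it has no `exit:` cleanup. On the expected path the callee presumably rejects the length before allocating, but if that check regresses, the test would leak rather than fail cleanly. I would end the function with `exit:` followed by `mbedtls_x509write_csr_free(&ctx);`, and replace the assertion with `TEST_EQUAL(ret, MBEDTLS_ERR_X509_BAD_INPUT_DATA);` so a failure reports the returned code. Since `p` points one past the end of `buf` and the length is `SIZE_MAX`, a comment such as `/* val must never be read: the length is rejected first */` would make the intent explicit.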
diff --git a/3rdparty/everest/.gitignore b/tf-psa-crypto/.gitignore
index f3c7a7c..f3c7a7c 100644
--- a/3rdparty/everest/.gitignore
+++ b/tf-psa-crypto/.gitignore
diff --git a/tf-psa-crypto/CMakeLists.txt b/tf-psa-crypto/CMakeLists.txt
new file mode 100644
index 0000000..1dc9f9f
--- /dev/null
+++ b/tf-psa-crypto/CMakeLists.txt
@@ -0,0 +1,40 @@
+#
+# CMake build system design considerations:
+#
+# - Include directories:
+# + Do not define include directories globally using the include_directories
+# command but rather at the target level using the
+# target_include_directories command. That way, it is easier to guarantee
+# that targets are built using the proper list of include directories.
+# + Use the PUBLIC and PRIVATE keywords to specify the scope of include
+# directories. That way, a target linking to a library (using the
+# target_link_libraries command) inherits from the library PUBLIC include
+# directories and not from the PRIVATE ones.
+# - TF_PSA_CRYPTO_TARGET_PREFIX: CMake targets are designed to be alterable by
+# calling CMake in order to avoid target name clashes, via the use of
+# TF_PSA_CRYPTO_TARGET_PREFIX. The value of this variable is prefixed to the
+# tfpsacrypto and apidoc targets.
+#
+
+# We specify a minimum requirement of 3.10.2, but for now use 3.5.1 here
+# until our infrastructure catches up.
+cmake_minimum_required(VERSION 3.5.1)
+
+# https://cmake.org/cmake/help/latest/policy/CMP0011.html
+# Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD
+# policy setting is deprecated, and will be removed in future versions.
+cmake_policy(SET CMP0011 NEW)
+# https://cmake.org/cmake/help/latest/policy/CMP0012.html
+# Setting the CMP0012 policy to NEW is required for FindPython3 to work with CMake 3.18.2
+# (there is a bug in this particular version), otherwise, setting the CMP0012 policy is required
+# for CMake versions >= 3.18.3 otherwise a deprecated warning is generated. The OLD policy setting
+# is deprecated and will be removed in future versions.
+cmake_policy(SET CMP0012 NEW)
+
+if(LIB_INSTALL_DIR)
+ set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
+endif()
+
+add_subdirectory(include)
+add_subdirectory(core)
+add_subdirectory(drivers)
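Review bot: The header comment documents `TF_PSA_CRYPTO_TARGET_PREFIX` as prefixing the tfpsacrypto and apidoc targets, but nothing in this file sets, defaults or uses that variable, and no such targets are defined here. If the prefix is applied in the `include`, `core` or `drivers` subdirectories, the comment should say so, for example `# (applied by the subdirectories' CMakeLists.txt)`; otherwise it describes a contract this file does not implement. The comment above `cmake_minimum_required(VERSION 3.5.1)` also names 3.10.2 as the real minimum, so a reader cannot tell which version the build actually relies on.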
diff --git a/tf-psa-crypto/core/.gitignore b/tf-psa-crypto/core/.gitignore
new file mode 100644
index 0000000..70d9d04
--- /dev/null
+++ b/tf-psa-crypto/core/.gitignore
@@ -0,0 +1,4 @@
+###START_GENERATED_FILES###
+/psa_crypto_driver_wrappers.h
+/psa_crypto_driver_wrappers_no_static.c
+###END_GENERATED_FILES###
diff --git a/tests/data_files/base64/empty.txt b/tf-psa-crypto/core/CMakeLists.txt
index e69de29..e69de29 100644
--- a/tests/data_files/base64/empty.txt
+++ b/tf-psa-crypto/core/CMakeLists.txt
diff --git a/tf-psa-crypto/core/alignment.h b/tf-psa-crypto/core/alignment.h
new file mode 100644
index 0000000..a17001d
--- /dev/null
+++ b/tf-psa-crypto/core/alignment.h
@@ -0,0 +1,684 @@
+/**
+ * \file alignment.h
+ *
+ * \brief Utility code for dealing with unaligned memory accesses
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LIBRARY_ALIGNMENT_H
+#define MBEDTLS_LIBRARY_ALIGNMENT_H
+
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+/*
+ * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS for architectures where unaligned memory
+ * accesses are known to be efficient.
+ *
+ * All functions defined here will behave correctly regardless, but might be less
+ * efficient when this is not defined.
+ */
+#if defined(__ARM_FEATURE_UNALIGNED) \
+ || defined(MBEDTLS_ARCH_IS_X86) || defined(MBEDTLS_ARCH_IS_X64) \
+ || defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+/*
+ * __ARM_FEATURE_UNALIGNED is defined where appropriate by armcc, gcc 7, clang 9
+ * (and later versions) for Arm v7 and later; all x86 platforms should have
+ * efficient unaligned access.
+ *
+ * https://learn.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=msvc-170#alignment
+ * specifies that on Windows-on-Arm64, unaligned access is safe (except for uncached
+ * device memory).
+ */
+#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
+#endif
+
+#if defined(__IAR_SYSTEMS_ICC__) && \
+ (defined(MBEDTLS_ARCH_IS_ARM64) || defined(MBEDTLS_ARCH_IS_ARM32) \
+ || defined(__ICCRX__) || defined(__ICCRL78__) || defined(__ICCRISCV__))
+#pragma language=save
+#pragma language=extended
+#define MBEDTLS_POP_IAR_LANGUAGE_PRAGMA
+/* IAR recommend this technique for accessing unaligned data in
+ * https://www.iar.com/knowledge/support/technical-notes/compiler/accessing-unaligned-data
+ * This results in a single load / store instruction (if unaligned access is supported).
+ * According to that document, this is only supported on certain architectures.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __packed mbedtls_uint16_unaligned_t;
+typedef uint32_t __packed mbedtls_uint32_unaligned_t;
+typedef uint64_t __packed mbedtls_uint64_unaligned_t;
+#elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \
+ ((MBEDTLS_GCC_VERSION < 60300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)))
+/*
+ * gcc may generate a branch to memcpy for calls like `memcpy(dest, src, 4)` rather than
+ * generating some LDR or LDRB instructions (similar for stores).
+ *
+ * This is architecture dependent: x86-64 seems fine even with old gcc; 32-bit Arm
+ * is affected. To keep it simple, we enable for all architectures.
+ *
+ * For versions of gcc < 5.4.0 this issue always happens.
+ * For gcc < 6.3.0, this issue happens at -O0
+ * For all versions, this issue happens iff unaligned access is not supported.
+ *
+ * For gcc 4.x, this implementation will generate byte-by-byte loads even if unaligned access is
+ * supported, which is correct but not optimal.
+ *
+ * For performance (and code size, in some cases), we want to avoid the branch and just generate
+ * some inline load/store instructions since the access is small and constant-size.
+ *
+ * The manual states:
+ * "The packed attribute specifies that a variable or structure field should have the smallest
+ * possible alignment—one byte for a variable"
+ * https://gcc.gnu.org/onlinedocs/gcc-4.5.4/gcc/Variable-Attributes.html
+ *
+ * Previous implementations used __attribute__((__aligned__(1)), but had issues with a gcc bug:
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94662
+ *
+ * Tested with several versions of GCC from 4.5.0 up to 13.2.0
+ * We don't enable for older than 4.5.0 as this has not been tested.
+ */
+ #define UINT_UNALIGNED_STRUCT
+typedef struct {
+ uint16_t x;
+} __attribute__((packed)) mbedtls_uint16_unaligned_t;
+typedef struct {
+ uint32_t x;
+} __attribute__((packed)) mbedtls_uint32_unaligned_t;
+typedef struct {
+ uint64_t x;
+} __attribute__((packed)) mbedtls_uint64_unaligned_t;
+ #endif
+
+/*
+ * We try to force mbedtls_(get|put)_unaligned_uintXX to be always inline, because this results
+ * in code that is both smaller and faster. IAR and gcc both benefit from this when optimising
+ * for size.
+ */
+
+/**
+ * Read the unsigned 16 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 2 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
+{
+ uint16_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = *p16;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = p16->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 16 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 2 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ *p16 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ p16->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+/**
+ * Read the unsigned 32 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 4 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
+{
+ uint32_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = *p32;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = p32->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 32 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 4 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ *p32 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ p32->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+/**
+ * Read the unsigned 64 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 8 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
+{
+ uint64_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = *p64;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = p64->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 64 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 8 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ *p64 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ p64->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+#if defined(MBEDTLS_POP_IAR_LANGUAGE_PRAGMA)
+#pragma language=restore
+#endif
+
+/** Byte Reading Macros
+ *
+ * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
+ * byte from x, where byte 0 is the least significant byte.
+ */
+#define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff))
+#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
+#define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff))
+#define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff))
+#define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff))
+#define MBEDTLS_BYTE_5(x) ((uint8_t) (((x) >> 40) & 0xff))
+#define MBEDTLS_BYTE_6(x) ((uint8_t) (((x) >> 48) & 0xff))
+#define MBEDTLS_BYTE_7(x) ((uint8_t) (((x) >> 56) & 0xff))
+
+/*
+ * Detect GCC built-in byteswap routines
+ */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4, 8)
+#define MBEDTLS_BSWAP16 __builtin_bswap16
+#endif /* __GNUC_PREREQ(4,8) */
+#if __GNUC_PREREQ(4, 3)
+#define MBEDTLS_BSWAP32 __builtin_bswap32
+#define MBEDTLS_BSWAP64 __builtin_bswap64
+#endif /* __GNUC_PREREQ(4,3) */
+#endif /* defined(__GNUC__) && defined(__GNUC_PREREQ) */
+
+/*
+ * Detect Clang built-in byteswap routines
+ */
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16)
+#define MBEDTLS_BSWAP16 __builtin_bswap16
+#endif /* __has_builtin(__builtin_bswap16) */
+#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32)
+#define MBEDTLS_BSWAP32 __builtin_bswap32
+#endif /* __has_builtin(__builtin_bswap32) */
+#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64)
+#define MBEDTLS_BSWAP64 __builtin_bswap64
+#endif /* __has_builtin(__builtin_bswap64) */
+#endif /* defined(__clang__) && defined(__has_builtin) */
+
+/*
+ * Detect MSVC built-in byteswap routines
+ */
+#if defined(_MSC_VER)
+#if !defined(MBEDTLS_BSWAP16)
+#define MBEDTLS_BSWAP16 _byteswap_ushort
+#endif
+#if !defined(MBEDTLS_BSWAP32)
+#define MBEDTLS_BSWAP32 _byteswap_ulong
+#endif
+#if !defined(MBEDTLS_BSWAP64)
+#define MBEDTLS_BSWAP64 _byteswap_uint64
+#endif
+#endif /* defined(_MSC_VER) */
+
+/* Detect armcc built-in byteswap routine */
+#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
+#if defined(__ARM_ACLE) /* ARM Compiler 6 - earlier versions don't need a header */
+#include <arm_acle.h>
+#endif
+#define MBEDTLS_BSWAP32 __rev
+#endif
+
+/* Detect IAR built-in byteswap routine */
+#if defined(__IAR_SYSTEMS_ICC__)
+#if defined(__ARM_ACLE)
+#include <arm_acle.h>
+#define MBEDTLS_BSWAP16(x) ((uint16_t) __rev16((uint32_t) (x)))
+#define MBEDTLS_BSWAP32 __rev
+#define MBEDTLS_BSWAP64 __revll
+#endif
+#endif
+
+/*
+ * Where compiler built-ins are not present, fall back to C code that the
+ * compiler may be able to detect and transform into the relevant bswap or
+ * similar instruction.
+ */
+#if !defined(MBEDTLS_BSWAP16)
+static inline uint16_t mbedtls_bswap16(uint16_t x)
+{
+ return
+ (x & 0x00ff) << 8 |
+ (x & 0xff00) >> 8;
+}
+#define MBEDTLS_BSWAP16 mbedtls_bswap16
+#endif /* !defined(MBEDTLS_BSWAP16) */
+
+#if !defined(MBEDTLS_BSWAP32)
+static inline uint32_t mbedtls_bswap32(uint32_t x)
+{
+ return
+ (x & 0x000000ff) << 24 |
+ (x & 0x0000ff00) << 8 |
+ (x & 0x00ff0000) >> 8 |
+ (x & 0xff000000) >> 24;
+}
+#define MBEDTLS_BSWAP32 mbedtls_bswap32
+#endif /* !defined(MBEDTLS_BSWAP32) */
+
+#if !defined(MBEDTLS_BSWAP64)
+static inline uint64_t mbedtls_bswap64(uint64_t x)
+{
+ return
+ (x & 0x00000000000000ffULL) << 56 |
+ (x & 0x000000000000ff00ULL) << 40 |
+ (x & 0x0000000000ff0000ULL) << 24 |
+ (x & 0x00000000ff000000ULL) << 8 |
+ (x & 0x000000ff00000000ULL) >> 8 |
+ (x & 0x0000ff0000000000ULL) >> 24 |
+ (x & 0x00ff000000000000ULL) >> 40 |
+ (x & 0xff00000000000000ULL) >> 56;
+}
+#define MBEDTLS_BSWAP64 mbedtls_bswap64
+#endif /* !defined(MBEDTLS_BSWAP64) */
+
+#if !defined(__BYTE_ORDER__)
+
+#if defined(__LITTLE_ENDIAN__)
+/* IAR defines __xxx_ENDIAN__, but not __BYTE_ORDER__ */
+#define MBEDTLS_IS_BIG_ENDIAN 0
+#elif defined(__BIG_ENDIAN__)
+#define MBEDTLS_IS_BIG_ENDIAN 1
+#else
+static const uint16_t mbedtls_byte_order_detector = { 0x100 };
+#define MBEDTLS_IS_BIG_ENDIAN (*((unsigned char *) (&mbedtls_byte_order_detector)) == 0x01)
+#endif
+
+#else
+
+#if (__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__)
+#define MBEDTLS_IS_BIG_ENDIAN 1
+#else
+#define MBEDTLS_IS_BIG_ENDIAN 0
+#endif
+
+#endif /* !defined(__BYTE_ORDER__) */
+
+/**
+ * Get the unsigned 32 bits integer corresponding to four bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the four bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the four bytes to build the 32 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT32_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint32((data) + (offset)) \
+ : MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 32 bits unsigned integer in big-endian order.
+ *
+ * \param n 32 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 32
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 32 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 32 bits integer corresponding to four bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the four bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the four bytes to build the 32 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT32_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
+ : mbedtls_get_unaligned_uint32((data) + (offset)) \
+ )
+
+
+/**
+ * Put in memory a 32 bits unsigned integer in little-endian order.
+ *
+ * \param n 32 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 32
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 32 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 16 bits integer corresponding to two bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the two bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the two bytes to build the 16 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT16_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
+ : mbedtls_get_unaligned_uint16((data) + (offset)) \
+ )
+
+/**
+ * Put in memory a 16 bits unsigned integer in little-endian order.
+ *
+ * \param n 16 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 16
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 16 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
+ } \
+ }
+
+/**
+ * Get the unsigned 16 bits integer corresponding to two bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the two bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the two bytes to build the 16 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT16_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint16((data) + (offset)) \
+ : MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 16 bits unsigned integer in big-endian order.
+ *
+ * \param n 16 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 16
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 16 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 24 bits integer corresponding to three bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the three bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the three bytes to build the 24 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT24_BE(data, offset) \
+ ( \
+ ((uint32_t) (data)[(offset)] << 16) \
+ | ((uint32_t) (data)[(offset) + 1] << 8) \
+ | ((uint32_t) (data)[(offset) + 2]) \
+ )
+
+/**
+ * Put in memory a 24 bits unsigned integer in big-endian order.
+ *
+ * \param n 24 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 24
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 24 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT24_BE(n, data, offset) \
+ { \
+ (data)[(offset)] = MBEDTLS_BYTE_2(n); \
+ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
+ (data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \
+ }
+
+/**
+ * Get the unsigned 24 bits integer corresponding to three bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the three bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the three bytes to build the 24 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT24_LE(data, offset) \
+ ( \
+ ((uint32_t) (data)[(offset)]) \
+ | ((uint32_t) (data)[(offset) + 1] << 8) \
+ | ((uint32_t) (data)[(offset) + 2] << 16) \
+ )
+
+/**
+ * Put in memory a 24 bits unsigned integer in little-endian order.
+ *
+ * \param n 24 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 24
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 24 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT24_LE(n, data, offset) \
+ { \
+ (data)[(offset)] = MBEDTLS_BYTE_0(n); \
+ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
+ (data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \
+ }
+
+/**
+ * Get the unsigned 64 bits integer corresponding to eight bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the eight bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the eight bytes to build the 64 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT64_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint64((data) + (offset)) \
+ : MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 64 bits unsigned integer in big-endian order.
+ *
+ * \param n 64 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 64
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 64 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 64 bits integer corresponding to eight bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the eight bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the eight bytes to build the 64 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT64_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
+ : mbedtls_get_unaligned_uint64((data) + (offset)) \
+ )
+
+/**
+ * Put in memory a 64 bits unsigned integer in little-endian order.
+ *
+ * \param n 64 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 64
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 64 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
+ } \
+ }
+
+#endif /* MBEDTLS_LIBRARY_ALIGNMENT_H */
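Review bot: The `MBEDTLS_PUT_UINT16/24/32/64_BE/LE` macros expand to a bare `{ ... }` block, so `if (c) MBEDTLS_PUT_UINT32_BE(n, buf, 0); else ...` fails to compile, because the caller's `;` ends the `if` before the `else`. Wrapping each body as `do { ... } while (0)` makes them behave like a single statement. The 24-bit variants also evaluate `n`, `data` and `offset` three times each, so an argument with side effects misbehaves; the doc comments should say arguments must be side-effect free, or the macros could become `static inline` functions like the unaligned accessors above. The `MBEDTLS_GET_UINT24_*` macros cast `(data)[(offset)]` directly to `uint32_t`, so a plain `char` buffer on a signed-char platform would sign-extend into the upper bits. A line such as `\param data ... must point to unsigned char / uint8_t` would document that requirement.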
diff --git a/tf-psa-crypto/core/common.h b/tf-psa-crypto/core/common.h
new file mode 100644
index 0000000..3936ffd
--- /dev/null
+++ b/tf-psa-crypto/core/common.h
@@ -0,0 +1,435 @@
+/**
+ * \file common.h
+ *
+ * \brief Utility macros for internal use in the library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LIBRARY_COMMON_H
+#define MBEDTLS_LIBRARY_COMMON_H
+
+#include "mbedtls/build_info.h"
+#include "alignment.h"
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stddef.h>
+
+#if defined(__ARM_NEON)
+#include <arm_neon.h>
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#include <arm64_neon.h>
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#endif
+
+/** Helper to define a function as static except when building invasive tests.
+ *
+ * If a function is only used inside its own source file and should be
+ * declared `static` to allow the compiler to optimize for code size,
+ * but that function has unit tests, define it with
+ * ```
+ * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
+ * ```
+ * and declare it in a header in the `library/` directory with
+ * ```
+ * #if defined(MBEDTLS_TEST_HOOKS)
+ * int mbedtls_foo(...);
+ * #endif
+ * ```
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+#define MBEDTLS_STATIC_TESTABLE
+#else
+#define MBEDTLS_STATIC_TESTABLE static
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const char *file);
+#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST) \
+ do { \
+ if ((!(TEST)) && ((*mbedtls_test_hook_test_fail) != NULL)) \
+ { \
+ (*mbedtls_test_hook_test_fail)( #TEST, __LINE__, __FILE__); \
+ } \
+ } while (0)
+#else
+#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/** \def ARRAY_LENGTH
+ * Return the number of elements of a static or stack array.
+ *
+ * \param array A value of array (not pointer) type.
+ *
+ * \return The number of elements of the array.
+ */
+/* A correct implementation of ARRAY_LENGTH, but which silently gives
+ * a nonsensical result if called with a pointer rather than an array. */
+#define ARRAY_LENGTH_UNSAFE(array) \
+ (sizeof(array) / sizeof(*(array)))
+
+#if defined(__GNUC__)
+/* Test if arg and &(arg)[0] have the same type. This is true if arg is
+ * an array but not if it's a pointer. */
+#define IS_ARRAY_NOT_POINTER(arg) \
+ (!__builtin_types_compatible_p(__typeof__(arg), \
+ __typeof__(&(arg)[0])))
+/* A compile-time constant with the value 0. If `const_expr` is not a
+ * compile-time constant with a nonzero value, cause a compile-time error. */
+#define STATIC_ASSERT_EXPR(const_expr) \
+ (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
+
+/* Return the scalar value `value` (possibly promoted). This is a compile-time
+ * constant if `value` is. `condition` must be a compile-time constant.
+ * If `condition` is false, arrange to cause a compile-time error. */
+#define STATIC_ASSERT_THEN_RETURN(condition, value) \
+ (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
+
+#define ARRAY_LENGTH(array) \
+ (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
+ ARRAY_LENGTH_UNSAFE(array)))
+
+#else
+/* If we aren't sure the compiler supports our non-standard tricks,
+ * fall back to the unsafe implementation. */
+#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
+#endif
+/** Allow library to access its structs' private members.
+ *
+ * Although structs defined in header files are publicly available,
+ * their members are private and should not be accessed by the user.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+/**
+ * \brief Securely zeroize a buffer then free it.
+ *
+ * Similar to making consecutive calls to
+ * \c mbedtls_platform_zeroize() and \c mbedtls_free(), but has
+ * code size savings, and potential for optimisation in the future.
+ *
+ * Guaranteed to be a no-op if \p buf is \c NULL and \p len is 0.
+ *
+ * \param buf Buffer to be zeroized then freed.
+ * \param len Length of the buffer in bytes
+ */
+void mbedtls_zeroize_and_free(void *buf, size_t len);
+
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *mbedtls_buffer_offset(
+ unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *mbedtls_buffer_offset_const(
+ const unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+/**
+ * Perform a fast block XOR operation, such that
+ * r[i] = a[i] ^ b[i] where 0 <= i < n
+ *
+ * \param r Pointer to result (buffer of at least \p n bytes). \p r
+ * may be equal to either \p a or \p b, but behaviour when
+ * it overlaps in other ways is undefined.
+ * \param a Pointer to input (buffer of at least \p n bytes)
+ * \param b Pointer to input (buffer of at least \p n bytes)
+ * \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
+ */
+static inline void mbedtls_xor(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
+{
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_HAVE_NEON_INTRINSICS) && \
+ (!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300))
+ /* Old GCC versions generate a warning here, so disable the NEON path for these compilers */
+ for (; (i + 16) <= n; i += 16) {
+ uint8x16_t v1 = vld1q_u8(a + i);
+ uint8x16_t v2 = vld1q_u8(b + i);
+ uint8x16_t x = veorq_u8(v1, v2);
+ vst1q_u8(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 16.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 16 == 0) {
+ return;
+ }
+#endif
+#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
+ /* This codepath probably only makes sense on architectures with 64-bit registers */
+ for (; (i + 8) <= n; i += 8) {
+ uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
+ mbedtls_put_unaligned_uint64(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
+#else
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
+ mbedtls_put_unaligned_uint32(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
+#endif
+#endif
+ for (; i < n; i++) {
+ r[i] = a[i] ^ b[i];
+ }
+}
+
+/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
+ * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+/**
+ * Perform a fast block XOR operation, such that
+ * r[i] = a[i] ^ b[i] where 0 <= i < n
+ *
+ * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
+ * better in AES-CBC).
+ *
+ * \param r Pointer to result (buffer of at least \p n bytes). \p r
+ * may be equal to either \p a or \p b, but behaviour when
+ * it overlaps in other ways is undefined.
+ * \param a Pointer to input (buffer of at least \p n bytes)
+ * \param b Pointer to input (buffer of at least \p n bytes)
+ * \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
+ */
+static inline void mbedtls_xor_no_simd(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
+{
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
+ /* This codepath probably only makes sense on architectures with 64-bit registers */
+ for (; (i + 8) <= n; i += 8) {
+ uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
+ mbedtls_put_unaligned_uint64(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 8.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
+#else
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
+ mbedtls_put_unaligned_uint32(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
+#endif
+#endif
+ for (; i < n; i++) {
+ r[i] = a[i] ^ b[i];
+ }
+}
+
+/* Fix MSVC C99 compatible issue
+ * MSVC support __func__ from visual studio 2015( 1900 )
+ * Use MSVC predefine macro to avoid name check fail.
+ */
+#if (defined(_MSC_VER) && (_MSC_VER <= 1900))
+#define /*no-check-names*/ __func__ __FUNCTION__
+#endif
+
+/* Define `asm` for compilers which don't define it. */
+/* *INDENT-OFF* */
+#ifndef asm
+#if defined(__IAR_SYSTEMS_ICC__)
+#define asm __asm
+#else
+#define asm __asm__
+#endif
+#endif
+/* *INDENT-ON* */
+
+/*
+ * Define the constraint used for read-only pointer operands to aarch64 asm.
+ *
+ * This is normally the usual "r", but for aarch64_32 (aka ILP32,
+ * as found in watchos), "p" is required to avoid warnings from clang.
+ *
+ * Note that clang does not recognise '+p' or '=p', and armclang
+ * does not recognise 'p' at all. Therefore, to update a pointer from
+ * aarch64 assembly, it is necessary to use something like:
+ *
+ * uintptr_t uptr = (uintptr_t) ptr;
+ * asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
+ * ptr = (void*) uptr;
+ *
+ * Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
+ */
+#if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
+#if UINTPTR_MAX == 0xfffffffful
+/* ILP32: Specify the pointer operand slightly differently, as per #7787. */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
+#elif UINTPTR_MAX == 0xfffffffffffffffful
+/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
+#else
+#error "Unrecognised pointer size for aarch64"
+#endif
+#endif
+
+/* Always provide a static assert macro, so it can be used unconditionally.
+ * It will expand to nothing on some systems.
+ * Can be used outside functions (but don't add a trailing ';' in that case:
+ * the semicolon is included here to avoid triggering -Wextra-semi when
+ * MBEDTLS_STATIC_ASSERT() expands to nothing).
+ * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
+ * defines static_assert even with -std=c99, but then complains about it.
+ */
+#if defined(static_assert) && !defined(__FreeBSD__)
+#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg);
+#else
+#define MBEDTLS_STATIC_ASSERT(expr, msg)
+#endif
+
+#if defined(__has_builtin)
+#define MBEDTLS_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#define MBEDTLS_HAS_BUILTIN(x) 0
+#endif
+
+/* Define compiler branch hints */
+#if MBEDTLS_HAS_BUILTIN(__builtin_expect)
+#define MBEDTLS_LIKELY(x) __builtin_expect(!!(x), 1)
+#define MBEDTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
+#else
+#define MBEDTLS_LIKELY(x) x
+#define MBEDTLS_UNLIKELY(x) x
+#endif
+
+/* MBEDTLS_ASSUME may be used to provide additional information to the compiler
+ * which can result in smaller code-size. */
+#if MBEDTLS_HAS_BUILTIN(__builtin_assume)
+/* clang provides __builtin_assume */
+#define MBEDTLS_ASSUME(x) __builtin_assume(x)
+#elif MBEDTLS_HAS_BUILTIN(__builtin_unreachable)
+/* gcc and IAR can use __builtin_unreachable */
+#define MBEDTLS_ASSUME(x) do { if (!(x)) __builtin_unreachable(); } while (0)
+#elif defined(_MSC_VER)
+/* Supported by MSVC since VS 2005 */
+#define MBEDTLS_ASSUME(x) __assume(x)
+#else
+#define MBEDTLS_ASSUME(x) do { } while (0)
+#endif
+
+/* For gcc -Os, override with -O2 for a given function.
+ *
+ * This will not affect behaviour for other optimisation settings, e.g. -O0.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
+#else
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+
+/* Suppress compiler warnings for unused functions and variables. */
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__has_attribute)
+# if __has_attribute(unused)
+# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
+# endif
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__GNUC__)
+# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__)
+/* IAR does support __attribute__((unused)), but only if the -e flag (extended language support)
+ * is given; the pragma always works.
+ * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless.
+ * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't
+ * able to find documentation).
+ */
+# if (__VER__ >= 5020000)
+# define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177")
+# endif
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER)
+# define MBEDTLS_MAYBE_UNUSED __pragma(warning(suppress:4189))
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED)
+# define MBEDTLS_MAYBE_UNUSED
+#endif
+
+#endif /* MBEDTLS_LIBRARY_COMMON_H */
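Review bot: The comment above `MBEDTLS_ASSUME` does not say that a false condition is undefined behaviour: in the `__builtin_assume`, `__builtin_unreachable` and `__assume` branches the compiler may remove later checks that depend on `x`, so the macro should only restate invariants the code has already enforced, never a property of caller-supplied lengths or other untrusted data. I would extend that comment with `* If x is false at run time the behaviour is undefined; do not use on values derived from untrusted input. x must have no side effects, since only some branches evaluate it.` (the `do { } while (0)` fallback drops `x` entirely, while the `__builtin_unreachable` form evaluates it). Separately, the fallback branch hints `#define MBEDTLS_LIKELY(x) x` and `#define MBEDTLS_UNLIKELY(x) x` expand the argument unparenthesised and without the `!!` normalisation that the `__builtin_expect(!!(x), ...)` forms apply, so an expression such as `MBEDTLS_LIKELY(a || b) && c` groups differently depending on the compiler. Writing `#define MBEDTLS_LIKELY(x) (!!(x))` and the same for `MBEDTLS_UNLIKELY` keeps both configurations equivalent.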
diff --git a/tf-psa-crypto/core/psa_crypto.c b/tf-psa-crypto/core/psa_crypto.c
new file mode 100644
index 0000000..8100afc
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto.c
@@ -0,0 +1,9171 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+#include "psa_crypto_core_common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "check_crypto_config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_values.h"
+
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_invasive.h"
+#include "psa_crypto_driver_wrappers.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_ffdh.h"
+#include "psa_crypto_hash.h"
+#include "psa_crypto_mac.h"
+#include "psa_crypto_rsa.h"
+#include "psa_crypto_ecp.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+#include "psa_crypto_slot_management.h"
+/* Include internal declarations that are useful for implementing persistently
+ * stored keys. */
+#include "psa_crypto_storage.h"
+
+#include "psa_crypto_random_impl.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include "mbedtls/aes.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/constant_time.h"
+#include "mbedtls/des.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/pk.h"
+#include "pk_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/psa_util.h"
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+#define BUILTIN_ALG_ANY_HKDF 1
+#endif
+
+/****************************************************************/
+/* Global data, support functions and library management */
+/****************************************************************/
+
+static int key_type_is_raw_bytes(psa_key_type_t type)
+{
+ return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
+}
+
+/* Values for psa_global_data_t::rng_state */
+#define RNG_NOT_INITIALIZED 0
+#define RNG_INITIALIZED 1
+#define RNG_SEEDED 2
+
+/* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized
+ * variables as arguments. */
+typedef enum {
+ PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1,
+ PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS,
+ PSA_CRYPTO_SUBSYSTEM_RNG,
+ PSA_CRYPTO_SUBSYSTEM_TRANSACTION,
+} mbedtls_psa_crypto_subsystem;
+
+/* Initialization flags for global_data::initialized */
+#define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01
+#define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02
+#define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04
+
+#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \
+ PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \
+ PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \
+ PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)
+
+typedef struct {
+ uint8_t initialized;
+ uint8_t rng_state;
+ mbedtls_psa_random_context_t rng;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+static uint8_t psa_get_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = global_data.rng_state == RNG_SEEDED;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized =
+ (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+static uint8_t psa_get_drivers_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+#define GUARD_MODULE_INITIALIZED \
+ if (psa_get_initialized() == 0) \
+ return PSA_ERROR_BAD_STATE;
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+
+/* Declare a local copy of an input buffer and a variable that will be used
+ * to store a pointer to the start of the buffer.
+ *
+ * Note: This macro must be called before any operations which may jump to
+ * the exit label, so that the local input copy object is safe to be freed.
+ *
+ * Assumptions:
+ * - input is the name of a pointer to the buffer to be copied
+ * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope
+ * - input_copy_name is a name that is unused in the current scope
+ */
+#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
+ psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \
+ const uint8_t *input_copy_name = NULL;
+
+/* Allocate a copy of the buffer input and set the pointer input_copy to
+ * point to the start of the copy.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - An exit label is declared
+ * - input is the name of a pointer to the buffer to be copied
+ * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called
+ */
+#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
+ status = psa_crypto_local_input_alloc(input, length, \
+ &LOCAL_INPUT_COPY_OF_##input); \
+ if (status != PSA_SUCCESS) { \
+ goto exit; \
+ } \
+ input_copy = LOCAL_INPUT_COPY_OF_##input.buffer;
+
+/* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC()
+ *
+ * Assumptions:
+ * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC()
+ * - input is the name of the original buffer that was copied
+ */
+#define LOCAL_INPUT_FREE(input, input_copy) \
+ input_copy = NULL; \
+ psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input);
+
+/* Declare a local copy of an output buffer and a variable that will be used
+ * to store a pointer to the start of the buffer.
+ *
+ * Note: This macro must be called before any operations which may jump to
+ * the exit label, so that the local output copy object is safe to be freed.
+ *
+ * Assumptions:
+ * - output is the name of a pointer to the buffer to be copied
+ * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope
+ * - output_copy_name is a name that is unused in the current scope
+ */
+#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
+ psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \
+ uint8_t *output_copy_name = NULL;
+
+/* Allocate a copy of the buffer output and set the pointer output_copy to
+ * point to the start of the copy.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - An exit label is declared
+ * - output is the name of a pointer to the buffer to be copied
+ * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called
+ */
+#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
+ status = psa_crypto_local_output_alloc(output, length, \
+ &LOCAL_OUTPUT_COPY_OF_##output); \
+ if (status != PSA_SUCCESS) { \
+ goto exit; \
+ } \
+ output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer;
+
+/* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC()
+ * after first copying back its contents to the original buffer.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC()
+ * - output is the name of the original buffer that was copied
+ */
+#define LOCAL_OUTPUT_FREE(output, output_copy) \
+ output_copy = NULL; \
+ do { \
+ psa_status_t local_output_status; \
+ local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \
+ if (local_output_status != PSA_SUCCESS) { \
+ /* Since this error case is an internal error, it's more serious than \
+ * any existing error code and so it's fine to overwrite the existing \
+ * status. */ \
+ status = local_output_status; \
+ } \
+ } while (0)
+#else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
+#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
+ const uint8_t *input_copy_name = NULL;
+#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
+ input_copy = input;
+#define LOCAL_INPUT_FREE(input, input_copy) \
+ input_copy = NULL;
+#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
+ uint8_t *output_copy_name = NULL;
+#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
+ output_copy = output;
+#define LOCAL_OUTPUT_FREE(output, output_copy) \
+ output_copy = NULL;
+#endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
+
+
+int psa_can_do_hash(psa_algorithm_t hash_alg)
+{
+ (void) hash_alg;
+ return psa_get_drivers_initialized();
+}
+
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
+{
+ (void) key_type;
+ (void) cipher_alg;
+ return psa_get_drivers_initialized();
+}
+
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+static int psa_is_dh_key_size_valid(size_t bits)
+{
+ switch (bits) {
+#if defined(PSA_WANT_DH_RFC7919_2048)
+ case 2048:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+#if defined(PSA_WANT_DH_RFC7919_3072)
+ case 3072:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+#if defined(PSA_WANT_DH_RFC7919_4096)
+ case 4096:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+#if defined(PSA_WANT_DH_RFC7919_6144)
+ case 6144:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+#if defined(PSA_WANT_DH_RFC7919_8192)
+ case 8192:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_8192 */
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+psa_status_t mbedtls_to_psa_error(int ret)
+{
+ /* Mbed TLS error codes can combine a high-level error code and a
+ * low-level error code. The low-level error usually reflects the
+ * root cause better, so dispatch on that preferably. */
+ int low_level_ret = -(-ret & 0x007f);
+ switch (low_level_ret != 0 ? low_level_ret : ret) {
+ case 0:
+ return PSA_SUCCESS;
+
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
+ case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
+ case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
+ case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
+ case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
+ case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
+ case MBEDTLS_ERR_ASN1_INVALID_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ case MBEDTLS_ERR_CCM_BAD_INPUT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CCM_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+ case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
+ return PSA_ERROR_BAD_STATE;
+ case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+ case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
+ return PSA_ERROR_INVALID_PADDING;
+ case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+#if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
+ defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
+ /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
+ * functions are passed a CTR_DRBG instance. */
+ case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
+ case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_DES_C)
+ case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+ case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
+ case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
+ case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+
+#if defined(MBEDTLS_GCM_C)
+ case MBEDTLS_ERR_GCM_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_GCM_BAD_INPUT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
+ defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+ /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
+ * functions are passed a HMAC_DRBG instance. */
+ case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
+ case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_MD_LIGHT)
+ case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MD_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+#if defined(MBEDTLS_FS_IO)
+ case MBEDTLS_ERR_MD_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#if defined(MBEDTLS_FS_IO)
+ case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+ case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+#endif
+
+#if defined(MBEDTLS_PK_C)
+ case MBEDTLS_ERR_PK_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_PK_TYPE_MISMATCH:
+ case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
+ defined(MBEDTLS_PSA_ITS_FILE_C)
+ case MBEDTLS_ERR_PK_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+ case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
+ case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
+ case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
+ return PSA_ERROR_NOT_PERMITTED;
+ case MBEDTLS_ERR_PK_INVALID_PUBKEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_PK_INVALID_ALG:
+ case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
+ case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
+
+ case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
+ return PSA_ERROR_HARDWARE_FAILURE;
+ case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_RSA_INVALID_PADDING:
+ return PSA_ERROR_INVALID_PADDING;
+ case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
+ return PSA_ERROR_HARDWARE_FAILURE;
+ case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
+ case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ case MBEDTLS_ERR_RSA_VERIFY_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_RSA_RNG_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+ case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_INVALID_KEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
+ case MBEDTLS_ERR_ECP_VERIFY_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_ECP_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_ECP_RANDOM_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ case MBEDTLS_ERR_ECP_IN_PROGRESS:
+ return PSA_OPERATION_INCOMPLETE;
+#endif
+#endif
+
+ case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+
+/**
+ * \brief For output buffers which contain "tags"
+ * (outputs that may be checked for validity like
+ * hashes, MACs and signatures), fill the unused
+ * part of the output buffer (the whole buffer on
+ * error, the trailing part on success) with
+ * something that isn't a valid tag (barring an
+ * attack on the tag and deliberately-crafted
+ * input), in case the caller doesn't check the
+ * return status properly.
+ *
+ * \param output_buffer Pointer to buffer to wipe. May not be NULL
+ * unless \p output_buffer_size is zero.
+ * \param status Status of function called to generate
+ * output_buffer originally
+ * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
+ * could be NULL.
+ * \param output_buffer_length Length of data written to output_buffer, must be
+ * less than \p output_buffer_size
+ */
+static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
+ size_t output_buffer_size, size_t output_buffer_length)
+{
+ size_t offset = 0;
+
+ if (output_buffer_size == 0) {
+ /* If output_buffer_size is 0 then we have nothing to do. We must not
+ call memset because output_buffer may be NULL in this case */
+ return;
+ }
+
+ if (status == PSA_SUCCESS) {
+ offset = output_buffer_length;
+ }
+
+ memset(output_buffer + offset, '!', output_buffer_size - offset);
+}
+
+
+psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
+ size_t bits)
+{
+ /* Check that the bit size is acceptable for the key type */
+ switch (type) {
+ case PSA_KEY_TYPE_RAW_DATA:
+ case PSA_KEY_TYPE_HMAC:
+ case PSA_KEY_TYPE_DERIVE:
+ case PSA_KEY_TYPE_PASSWORD:
+ case PSA_KEY_TYPE_PASSWORD_HASH:
+ break;
+#if defined(PSA_WANT_KEY_TYPE_AES)
+ case PSA_KEY_TYPE_AES:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_ARIA)
+ case PSA_KEY_TYPE_ARIA:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+ case PSA_KEY_TYPE_CAMELLIA:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DES)
+ case PSA_KEY_TYPE_DES:
+ if (bits != 64 && bits != 128 && bits != 192) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+ case PSA_KEY_TYPE_CHACHA20:
+ if (bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (bits % 8 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Check whether a given key type is valid for use with a given MAC algorithm
+ *
+ * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
+ * when called with the validated \p algorithm and \p key_type is well-defined.
+ *
+ * \param[in] algorithm The specific MAC algorithm (can be wildcard).
+ * \param[in] key_type The key type of the key to be used with the
+ * \p algorithm.
+ *
+ * \retval #PSA_SUCCESS
+ * The \p key_type is valid for use with the \p algorithm
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The \p key_type is not valid for use with the \p algorithm
+ */
+MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
+ psa_algorithm_t algorithm,
+ psa_key_type_t key_type)
+{
+ if (PSA_ALG_IS_HMAC(algorithm)) {
+ if (key_type == PSA_KEY_TYPE_HMAC) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
+ /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
+ * key. */
+ if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
+ PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
+ /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
+ * the block length (larger than 1) for block ciphers. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
+ return PSA_SUCCESS;
+ }
+ }
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
+ size_t buffer_length)
+{
+ if (slot->key.data != NULL) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+
+ slot->key.data = mbedtls_calloc(1, buffer_length);
+ if (slot->key.data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ slot->key.bytes = buffer_length;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status = psa_allocate_buffer_to_slot(slot,
+ data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ memcpy(slot->key.data, data, data_length);
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_import_key_into_slot(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t type = attributes->type;
+
+ /* zero-length keys are never supported. */
+ if (data_length == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (key_type_is_raw_bytes(type)) {
+ *bits = PSA_BYTES_TO_BITS(data_length);
+
+ status = psa_validate_unstructured_key_bit_size(attributes->type,
+ *bits);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Copy the key material. */
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+ (void) key_buffer_size;
+
+ return PSA_SUCCESS;
+ } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_DH(type)) {
+ if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ return mbedtls_psa_ffdh_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_ECC(type)) {
+ return mbedtls_psa_ecp_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ return mbedtls_psa_rsa_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+/** Calculate the intersection of two algorithm usage policies.
+ *
+ * Return 0 (which allows no operation) on incompatibility.
+ */
+static psa_algorithm_t psa_key_policy_algorithm_intersection(
+ psa_key_type_t key_type,
+ psa_algorithm_t alg1,
+ psa_algorithm_t alg2)
+{
+ /* Common case: both sides actually specify the same policy. */
+ if (alg1 == alg2) {
+ return alg1;
+ }
+ /* If the policies are from the same hash-and-sign family, check
+ * if one is a wildcard. If so the other has the specific algorithm. */
+ if (PSA_ALG_IS_SIGN_HASH(alg1) &&
+ PSA_ALG_IS_SIGN_HASH(alg2) &&
+ (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
+ if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
+ return alg2;
+ }
+ if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
+ return alg1;
+ }
+ }
+ /* If the policies are from the same AEAD family, check whether
+ * one of them is a minimum-tag-length wildcard. Calculate the most
+ * restrictive tag length. */
+ if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
+ (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
+ size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
+ size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
+ size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+ /* If both are wildcards, return most restrictive wildcard */
+ if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
+ alg1, restricted_len);
+ }
+ /* If only one is a wildcard, return specific algorithm if compatible. */
+ if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ (alg1_len <= alg2_len)) {
+ return alg2;
+ }
+ if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ (alg2_len <= alg1_len)) {
+ return alg1;
+ }
+ }
+ /* If the policies are from the same MAC family, check whether one
+ * of them is a minimum-MAC-length policy. Calculate the most
+ * restrictive tag length. */
+ if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
+ (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
+ PSA_ALG_FULL_LENGTH_MAC(alg2))) {
+ /* Validate the combination of key type and algorithm. Since the base
+ * algorithm of alg1 and alg2 are the same, we only need this once. */
+ if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
+ return 0;
+ }
+
+ /* Get the (exact or at-least) output lengths for both sides of the
+ * requested intersection. None of the currently supported algorithms
+ * have an output length dependent on the actual key size, so setting it
+ * to a bogus value of 0 is currently OK.
+ *
+ * Note that for at-least-this-length wildcard algorithms, the output
+ * length is set to the shortest allowed length, which allows us to
+ * calculate the most restrictive tag length for the intersection. */
+ size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
+ size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
+ size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+ /* If both are wildcards, return most restrictive wildcard */
+ if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
+ }
+
+ /* If only one is an at-least-this-length policy, the intersection would
+ * be the other (fixed-length) policy as long as said fixed length is
+ * equal to or larger than the shortest allowed length. */
+ if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return (alg1_len <= alg2_len) ? alg2 : 0;
+ }
+ if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return (alg2_len <= alg1_len) ? alg1 : 0;
+ }
+
+ /* If none of them are wildcards, check whether they define the same tag
+ * length. This is still possible here when one is default-length and
+ * the other specific-length. Ensure to always return the
+ * specific-length version for the intersection. */
+ if (alg1_len == alg2_len) {
+ return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
+ }
+ }
+ /* If the policies are incompatible, allow nothing. */
+ return 0;
+}
+
+static int psa_key_algorithm_permits(psa_key_type_t key_type,
+ psa_algorithm_t policy_alg,
+ psa_algorithm_t requested_alg)
+{
+ /* Common case: the policy only allows requested_alg. */
+ if (requested_alg == policy_alg) {
+ return 1;
+ }
+ /* If policy_alg is a hash-and-sign with a wildcard for the hash,
+ * and requested_alg is the same hash-and-sign family with any hash,
+ * then requested_alg is compliant with policy_alg. */
+ if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
+ PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
+ return (policy_alg & ~PSA_ALG_HASH_MASK) ==
+ (requested_alg & ~PSA_ALG_HASH_MASK);
+ }
+ /* If policy_alg is a wildcard AEAD algorithm of the same base as
+ * the requested algorithm, check the requested tag length to be
+ * equal-length or longer than the wildcard-specified length. */
+ if (PSA_ALG_IS_AEAD(policy_alg) &&
+ PSA_ALG_IS_AEAD(requested_alg) &&
+ (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
+ ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
+ PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
+ }
+ /* If policy_alg is a MAC algorithm of the same base as the requested
+ * algorithm, check whether their MAC lengths are compatible. */
+ if (PSA_ALG_IS_MAC(policy_alg) &&
+ PSA_ALG_IS_MAC(requested_alg) &&
+ (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
+ PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
+ /* Validate the combination of key type and algorithm. Since the policy
+ * and requested algorithms are the same, we only need this once. */
+ if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
+ return 0;
+ }
+
+ /* Get both the requested output length for the algorithm which is to be
+ * verified, and the default output length for the base algorithm.
+ * Note that none of the currently supported algorithms have an output
+ * length dependent on actual key size, so setting it to a bogus value
+ * of 0 is currently OK. */
+ size_t requested_output_length = PSA_MAC_LENGTH(
+ key_type, 0, requested_alg);
+ size_t default_output_length = PSA_MAC_LENGTH(
+ key_type, 0,
+ PSA_ALG_FULL_LENGTH_MAC(requested_alg));
+
+ /* If the policy is default-length, only allow an algorithm with
+ * a declared exact-length matching the default. */
+ if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
+ return requested_output_length == default_output_length;
+ }
+
+ /* If the requested algorithm is default-length, allow it if the policy
+ * length exactly matches the default length. */
+ if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
+ PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
+ return 1;
+ }
+
+ /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
+ * check for the requested MAC length to be equal to or longer than the
+ * minimum allowed length. */
+ if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
+ requested_output_length;
+ }
+ }
+ /* If policy_alg is a generic key agreement operation, then using it for
+ * a key derivation with that key agreement should also be allowed. This
+ * behaviour is expected to be defined in a future specification version. */
+ if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
+ PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
+ return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
+ policy_alg;
+ }
+ /* If it isn't explicitly permitted, it's forbidden. */
+ return 0;
+}
+
+/** Test whether a policy permits an algorithm.
+ *
+ * The caller must test usage flags separately.
+ *
+ * \note This function requires providing the key type for which the policy is
+ * being validated, since some algorithm policy definitions (e.g. MAC)
+ * have different properties depending on what kind of cipher it is
+ * combined with.
+ *
+ * \retval PSA_SUCCESS When \p alg is a specific algorithm
+ * allowed by the \p policy.
+ * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm
+ * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but
+ * the \p policy does not allow it.
+ */
+static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
+ psa_key_type_t key_type,
+ psa_algorithm_t alg)
+{
+ /* '0' is not a valid algorithm */
+ if (alg == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* A requested algorithm cannot be a wildcard. */
+ if (PSA_ALG_IS_WILDCARD(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
+ psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
+ return PSA_SUCCESS;
+ } else {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+}
+
+/** Restrict a key policy based on a constraint.
+ *
+ * \note This function requires providing the key type for which the policy is
+ * being restricted, since some algorithm policy definitions (e.g. MAC)
+ * have different properties depending on what kind of cipher it is
+ * combined with.
+ *
+ * \param[in] key_type The key type for which to restrict the policy
+ * \param[in,out] policy The policy to restrict.
+ * \param[in] constraint The policy constraint to apply.
+ *
+ * \retval #PSA_SUCCESS
+ * \c *policy contains the intersection of the original value of
+ * \c *policy and \c *constraint.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c key_type, \c *policy and \c *constraint are incompatible.
+ * \c *policy is unchanged.
+ */
+static psa_status_t psa_restrict_key_policy(
+ psa_key_type_t key_type,
+ psa_key_policy_t *policy,
+ const psa_key_policy_t *constraint)
+{
+ psa_algorithm_t intersection_alg =
+ psa_key_policy_algorithm_intersection(key_type, policy->alg,
+ constraint->alg);
+ psa_algorithm_t intersection_alg2 =
+ psa_key_policy_algorithm_intersection(key_type, policy->alg2,
+ constraint->alg2);
+ if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ policy->usage &= constraint->usage;
+ policy->alg = intersection_alg;
+ policy->alg2 = intersection_alg2;
+ return PSA_SUCCESS;
+}
+
+/** Get the description of a key given its identifier and policy constraints
+ * and lock it.
+ *
+ * The key must have allow all the usage flags set in \p usage. If \p alg is
+ * nonzero, the key must allow operations with this algorithm. If \p alg is
+ * zero, the algorithm is not checked.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to then unregister
+ * once they have finished reading the contents of the slot.
+ * The caller unregisters by calling psa_unregister_read() or
+ * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
+ * if and only if the caller already holds the global key slot mutex
+ * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
+ * the unregister with mutex lock and unlock operations.
+ */
+static psa_status_t psa_get_and_lock_key_slot_with_policy(
+ mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ status = psa_get_and_lock_key_slot(key, p_slot);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ slot = *p_slot;
+
+ /* Enforce that usage policy for the key slot contains all the flags
+ * required by the usage parameter. There is one exception: public
+ * keys can always be exported, so we treat public key objects as
+ * if they had the export flag. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
+ usage &= ~PSA_KEY_USAGE_EXPORT;
+ }
+
+ if ((slot->attr.policy.usage & usage) != usage) {
+ status = PSA_ERROR_NOT_PERMITTED;
+ goto error;
+ }
+
+ /* Enforce that the usage policy permits the requested algorithm. */
+ if (alg != 0) {
+ status = psa_key_policy_permits(&slot->attr.policy,
+ slot->attr.type,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ *p_slot = NULL;
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+/** Get a key slot containing a transparent key and lock it.
+ *
+ * A transparent key is a key for which the key material is directly
+ * available, as opposed to a key in a secure element and/or to be used
+ * by a secure element.
+ *
+ * This is a temporary function that may be used instead of
+ * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
+ * for a cryptographic operation.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to then unregister
+ * once they have finished reading the contents of the slot.
+ * The caller unregisters by calling psa_unregister_read() or
+ * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
+ * if and only if the caller already holds the global key slot mutex
+ * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
+ * psa_unregister_read() with mutex lock and unlock operations.
+ */
+static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
+ mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
+ usage, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
+ psa_unregister_read_under_mutex(*p_slot);
+ *p_slot = NULL;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
+{
+ if (slot->key.data != NULL) {
+ mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
+ }
+
+ slot->key.data = NULL;
+ slot->key.bytes = 0;
+
+ return PSA_SUCCESS;
+}
+
+/** Completely wipe a slot in memory, including its policy.
+ * Persistent storage is not affected. */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = psa_remove_key_data_from_memory(slot);
+
+ /*
+ * As the return error code may not be handled in case of multiple errors,
+ * do our best to report an unexpected amount of registered readers or
+ * an unexpected state.
+ * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
+ * wiping.
+ * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
+ * function is called as part of the execution of a test suite, the
+ * execution of the test suite is stopped in error if the assertion fails.
+ */
+ switch (slot->state) {
+ case PSA_SLOT_FULL:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ case PSA_SLOT_PENDING_DELETION:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ if (slot->registered_readers != 1) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_FILLING:
+ /* In this state registered_readers must be 0. */
+ if (slot->registered_readers != 0) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_EMPTY:
+ /* The slot is already empty, it cannot be wiped. */
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ break;
+ default:
+ /* The slot's state is invalid. */
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* Multipart operations may still be using the key. This is safe
+ * because all multipart operation objects are independent from
+ * the key slot: if they need to access the key after the setup
+ * phase, they have a copy of the key. Note that this means that
+ * key material can linger until all operations are completed. */
+ /* At this point, key material and other type-specific content has
+ * been wiped. Clear remaining metadata. We can call memset and not
+ * zeroize because the metadata is not particularly sensitive.
+ * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
+ memset(slot, 0, sizeof(*slot));
+ return status;
+}
+
+psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
+{
+ psa_key_slot_t *slot;
+ psa_status_t status; /* status of the last operation */
+ psa_status_t overall_status = PSA_SUCCESS;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ psa_se_drv_table_entry_t *driver;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ if (mbedtls_svc_key_id_is_null(key)) {
+ return PSA_SUCCESS;
+ }
+
+ /*
+ * Get the description of the key in a key slot, and register to read it.
+ * In the case of a persistent key, this will load the key description
+ * from persistent memory if not done yet.
+ * We cannot avoid this loading as without it we don't know if
+ * the key is operated by an SE or not and this information is needed by
+ * the current implementation. */
+ status = psa_get_and_lock_key_slot(key, &slot);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We cannot unlock between setting the state to PENDING_DELETION
+ * and destroying the key in storage, as otherwise another thread
+ * could load the key into a new slot and the key will not be
+ * fully destroyed. */
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+
+ if (slot->state == PSA_SLOT_PENDING_DELETION) {
+ /* Another thread has destroyed the key between us locking the slot
+ * and us gaining the mutex. Unregister from the slot,
+ * and report that the key does not exist. */
+ status = psa_unregister_read(slot);
+
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+ return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status;
+ }
+#endif
+ /* Set the key slot containing the key description's state to
+ * PENDING_DELETION. This stops new operations from registering
+ * to read the slot. Current readers can safely continue to access
+ * the key within the slot; the last registered reader will
+ * automatically wipe the slot when they call psa_unregister_read().
+ * If the key is persistent, we can now delete the copy of the key
+ * from memory. If the key is opaque, we require the driver to
+ * deal with the deletion. */
+ overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL,
+ PSA_SLOT_PENDING_DELETION);
+
+ if (overall_status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
+ /* Refuse the destruction of a read-only key (which may or may not work
+ * if we attempt it, depending on whether the key is merely read-only
+ * by policy or actually physically read-only).
+ * Just do the best we can, which is to wipe the copy in memory
+ * (done in this function's cleanup code). */
+ overall_status = PSA_ERROR_NOT_PERMITTED;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ driver = psa_get_se_driver_entry(slot->attr.lifetime);
+ if (driver != NULL) {
+ /* For a key in a secure element, we need to do three things:
+ * remove the key file in internal storage, destroy the
+ * key inside the secure element, and update the driver's
+ * persistent data. Start a transaction that will encompass these
+ * three actions. */
+ psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
+ psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+ psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
+ psa_crypto_transaction.key.id = slot->attr.id;
+ status = psa_crypto_save_transaction();
+ if (status != PSA_SUCCESS) {
+ (void) psa_crypto_stop_transaction();
+ /* We should still try to destroy the key in the secure
+ * element and the key metadata in storage. This is especially
+ * important if the error is that the storage is full.
+ * But how to do it exactly without risking an inconsistent
+ * state after a reset?
+ * https://github.com/ARMmbed/mbed-crypto/issues/215
+ */
+ overall_status = status;
+ goto exit;
+ }
+
+ status = psa_destroy_se_key(driver,
+ psa_key_slot_get_slot_number(slot));
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ /* Destroy the copy of the persistent key from storage.
+ * The slot will still hold a copy of the key until the last reader
+ * unregisters. */
+ status = psa_destroy_persistent_key(slot->attr.id);
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ status = psa_save_se_persistent_data(driver);
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ status = psa_crypto_stop_transaction();
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+exit:
+ /* Unregister from reading the slot. If we are the last active reader
+ * then this will wipe the slot. */
+ status = psa_unregister_read(slot);
+ /* Prioritize CORRUPTION_DETECTED from unregistering over
+ * a storage error. */
+ if (status != PSA_SUCCESS) {
+ overall_status = status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Don't overwrite existing errors if the unlock fails. */
+ status = overall_status;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return overall_status;
+}
+
+/** Retrieve all the publicly-accessible attributes of a key.
+ */
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ psa_reset_key_attributes(attributes);
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ *attributes = slot->attr;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
+ psa_set_key_slot_number(attributes,
+ psa_key_slot_get_slot_number(slot));
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ return psa_unregister_read_under_mutex(slot);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t psa_get_key_slot_number(
+ const psa_key_attributes_t *attributes,
+ psa_key_slot_number_t *slot_number)
+{
+ if (attributes->has_slot_number) {
+ *slot_number = attributes->slot_number;
+ return PSA_SUCCESS;
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ if (key_buffer_size > data_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(data, key_buffer, key_buffer_size);
+ memset(data + key_buffer_size, 0,
+ data_size - key_buffer_size);
+ *data_length = key_buffer_size;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_export_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_key_type_t type = attributes->type;
+
+ if (key_type_is_raw_bytes(type) ||
+ PSA_KEY_TYPE_IS_RSA(type) ||
+ PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type)) {
+ return psa_export_key_buffer_internal(
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+ } else {
+ /* This shouldn't happen in the reference implementation, but
+ it is valid for a special-purpose implementation to omit
+ support for exporting certain key types. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+ uint8_t *data_external,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ LOCAL_OUTPUT_DECLARE(data_external, data);
+
+ /* Reject a zero-length output buffer now, since this can never be a
+ * valid key representation. This way we know that data must be a valid
+ * pointer and we can do things like memset(data, ..., data_size). */
+ if (data_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Export requires the EXPORT flag. There is an exception for public keys,
+ * which don't require any flag, but
+ * psa_get_and_lock_key_slot_with_policy() takes care of this.
+ */
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_EXPORT, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
+
+ status = psa_driver_wrapper_export_key(&slot->attr,
+ slot->key.data, slot->key.bytes,
+ data, data_size, data_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_OUTPUT_FREE(data_external, data);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_export_public_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_key_type_t type = attributes->type;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+ (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type))) {
+ /* Exporting public -> public */
+ return psa_export_key_buffer_internal(
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+ } else if (PSA_KEY_TYPE_IS_RSA(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ return mbedtls_psa_rsa_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
+#else
+ /* We don't know how to convert a private RSA key to public. */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+ } else if (PSA_KEY_TYPE_IS_ECC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+ return mbedtls_psa_ecp_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
+#else
+ /* We don't know how to convert a private ECC key to public */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+ } else if (PSA_KEY_TYPE_IS_DH(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ return mbedtls_psa_ffdh_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data, data_size,
+ data_length);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
+ } else {
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) data;
+ (void) data_size;
+ (void) data_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+ uint8_t *data_external,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_OUTPUT_DECLARE(data_external, data);
+
+ /* Reject a zero-length output buffer now, since this can never be a
+ * valid key representation. This way we know that data must be a valid
+ * pointer and we can do things like memset(data, ..., data_size). */
+ if (data_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Exporting a public key doesn't require a usage flag. */
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
+
+ if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_export_public_key(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ data, data_size, data_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_OUTPUT_FREE(data_external, data);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+/** Validate that a key policy is internally well-formed.
+ *
+ * This function only rejects invalid policies. It does not validate the
+ * consistency of the policy with respect to other attributes of the key
+ * such as the key type.
+ */
+static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
+{
+ if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_COPY |
+ PSA_KEY_USAGE_ENCRYPT |
+ PSA_KEY_USAGE_DECRYPT |
+ PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH |
+ PSA_KEY_USAGE_VERIFY_DERIVATION |
+ PSA_KEY_USAGE_DERIVE)) != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Validate the internal consistency of key attributes.
+ *
+ * This function only rejects invalid attribute values. If does not
+ * validate the consistency of the attributes with any key data that may
+ * be involved in the creation of the key.
+ *
+ * Call this function early in the key creation process.
+ *
+ * \param[in] attributes Key attributes for the new key.
+ * \param[out] p_drv On any return, the driver for the key, if any.
+ * NULL for a transparent key.
+ *
+ */
+static psa_status_t psa_validate_key_attributes(
+ const psa_key_attributes_t *attributes,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
+ mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
+
+ status = psa_validate_key_location(lifetime, p_drv);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_validate_key_persistence(lifetime);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+ if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else {
+ if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ status = psa_validate_key_policy(&attributes->policy);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Refuse to create overly large keys.
+ * Note that this doesn't trigger on import if the attributes don't
+ * explicitly specify a size (so psa_get_key_bits returns 0), so
+ * psa_import_key() needs its own checks. */
+ if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Prepare a key slot to receive key material.
+ *
+ * This function allocates a key slot and sets its metadata.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ *
+ * This function is intended to be used as follows:
+ * -# Call psa_start_key_creation() to allocate a key slot, prepare
+ * it with the specified attributes, and in case of a volatile key assign it
+ * a volatile key identifier.
+ * -# Populate the slot with the key material.
+ * -# Call psa_finish_key_creation() to finalize the creation of the slot.
+ * In case of failure at any step, stop the sequence and call
+ * psa_fail_key_creation().
+ *
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
+ *
+ * \param method An identification of the calling function.
+ * \param[in] attributes Key attributes for the new key.
+ * \param[out] p_slot On success, a pointer to the prepared slot.
+ * \param[out] p_drv On any return, the driver for the key, if any.
+ * NULL for a transparent key.
+ *
+ * \retval #PSA_SUCCESS
+ * The key slot is ready to receive key material.
+ * \return If this function fails, the key slot is an invalid state.
+ * You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_start_key_creation(
+ psa_key_creation_method_t method,
+ const psa_key_attributes_t *attributes,
+ psa_key_slot_t **p_slot,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ psa_status_t status;
+ psa_key_id_t volatile_key_id;
+ psa_key_slot_t *slot;
+
+ (void) method;
+ *p_drv = NULL;
+
+ status = psa_validate_key_attributes(attributes, p_drv);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ slot = *p_slot;
+
+ /* We're storing the declared bit-size of the key. It's up to each
+ * creation mechanism to verify that this information is correct.
+ * It's automatically correct for mechanisms that use the bit-size as
+ * an input (generate, device) but not for those where the bit-size
+ * is optional (import, copy). In case of a volatile key, assign it the
+ * volatile key identifier associated to the slot returned to contain its
+ * definition. */
+
+ slot->attr = *attributes;
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ slot->attr.id = volatile_key_id;
+#else
+ slot->attr.id.key_id = volatile_key_id;
+#endif
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* For a key in a secure element, we need to do three things
+ * when creating or registering a persistent key:
+ * create the key file in internal storage, create the
+ * key inside the secure element, and update the driver's
+ * persistent data. This is done by starting a transaction that will
+ * encompass these three actions.
+ * For registering a volatile key, we just need to find an appropriate
+ * slot number inside the SE. Since the key is designated volatile, creating
+ * a transaction is not required. */
+ /* The first thing to do is to find a slot number for the new key.
+ * We save the slot number in persistent storage as part of the
+ * transaction data. It will be needed to recover if the power
+ * fails during the key creation process, to clean up on the secure
+ * element side after restarting. Obtaining a slot number from the
+ * secure element driver updates its persistent state, but we do not yet
+ * save the driver's persistent state, so that if the power fails,
+ * we can roll back to a state where the key doesn't exist. */
+ if (*p_drv != NULL) {
+ psa_key_slot_number_t slot_number;
+ status = psa_find_se_slot_for_key(attributes, method, *p_drv,
+ &slot_number);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) {
+ psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
+ psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+ psa_crypto_transaction.key.slot = slot_number;
+ psa_crypto_transaction.key.id = slot->attr.id;
+ status = psa_crypto_save_transaction();
+ if (status != PSA_SUCCESS) {
+ (void) psa_crypto_stop_transaction();
+ return status;
+ }
+ }
+
+ status = psa_copy_key_material_into_slot(
+ slot, (uint8_t *) (&slot_number), sizeof(slot_number));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
+ /* Key registration only makes sense with a secure element. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ return PSA_SUCCESS;
+}
+
+/** Finalize the creation of a key once its key material has been set.
+ *
+ * This entails writing the key to persistent storage.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function.
+ *
+ * If the finalization succeeds, the function sets the key slot's state to
+ * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
+ * key creation process.
+ *
+ * \param[in,out] slot Pointer to the slot with key material.
+ * \param[in] driver The secure element driver for the key,
+ * or NULL for a transparent key.
+ * \param[out] key On success, identifier of the key. Note that the
+ * key identifier is also stored in the key slot.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully created.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ *
+ * \return If this function fails, the key slot is an invalid state.
+ * You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_finish_key_creation(
+ psa_key_slot_t *slot,
+ psa_se_drv_table_entry_t *driver,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status = PSA_SUCCESS;
+ (void) slot;
+ (void) driver;
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ psa_se_key_data_storage_t data;
+ psa_key_slot_number_t slot_number =
+ psa_key_slot_get_slot_number(slot);
+
+ MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
+ sizeof(data.slot_number),
+ "Slot number size does not match psa_se_key_data_storage_t");
+
+ memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
+ status = psa_save_persistent_key(&slot->attr,
+ (uint8_t *) &data,
+ sizeof(data));
+ } else
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ {
+ /* Key material is saved in export representation in the slot, so
+ * just pass the slot buffer for storage. */
+ status = psa_save_persistent_key(&slot->attr,
+ slot->key.data,
+ slot->key.bytes);
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Finish the transaction for a key creation. This does not
+ * happen when registering an existing key. Detect this case
+ * by checking whether a transaction is in progress (actual
+ * creation of a persistent key in a secure element requires a transaction,
+ * but registration or volatile key creation doesn't use one). */
+ if (driver != NULL &&
+ psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
+ status = psa_save_se_persistent_data(driver);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_persistent_key(slot->attr.id);
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+ status = psa_crypto_stop_transaction();
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ if (status == PSA_SUCCESS) {
+ *key = slot->attr.id;
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
+ if (status != PSA_SUCCESS) {
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+/** Abort the creation of a key.
+ *
+ * You may call this function after calling psa_start_key_creation(),
+ * or after psa_finish_key_creation() fails. In other circumstances, this
+ * function may not clean up persistent storage.
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
+ *
+ * \param[in,out] slot Pointer to the slot with key material.
+ * \param[in] driver The secure element driver for the key,
+ * or NULL for a transparent key.
+ */
+static void psa_fail_key_creation(psa_key_slot_t *slot,
+ psa_se_drv_table_entry_t *driver)
+{
+ (void) driver;
+
+ if (slot == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* If the lock operation fails we still wipe the slot.
+ * Operations will no longer work after a failed lock,
+ * but we still need to wipe the slot of confidential data. */
+ mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex);
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* TODO: If the key has already been created in the secure
+ * element, and the failure happened later (when saving metadata
+ * to internal storage), we need to destroy the key in the secure
+ * element.
+ * https://github.com/ARMmbed/mbed-crypto/issues/217
+ */
+
+ /* Abort the ongoing transaction if any (there may not be one if
+ * the creation process failed before starting one, or if the
+ * key creation is a registration of a key in a secure element).
+ * Earlier functions must already have done what it takes to undo any
+ * partial creation. All that's left is to update the transaction data
+ * itself. */
+ (void) psa_crypto_stop_transaction();
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ psa_wipe_key_slot(slot);
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex);
+#endif
+}
+
+/** Validate optional attributes during key creation.
+ *
+ * Some key attributes are optional during key creation. If they are
+ * specified in the attributes structure, check that they are consistent
+ * with the data in the slot.
+ *
+ * This function should be called near the end of key creation, after
+ * the slot in memory is fully populated but before saving persistent data.
+ */
+static psa_status_t psa_validate_optional_attributes(
+ const psa_key_slot_t *slot,
+ const psa_key_attributes_t *attributes)
+{
+ if (attributes->type != 0) {
+ if (attributes->type != slot->attr.type) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ if (attributes->bits != 0) {
+ if (attributes->bits != slot->attr.bits) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data_external,
+ size_t data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ LOCAL_INPUT_DECLARE(data_external, data);
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t bits;
+ size_t storage_size = data_length;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject zero-length symmetric keys (including raw data key objects).
+ * This also rejects any key which might be encoded as an empty string,
+ * which is never valid. */
+ if (data_length == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Ensure that the bytes-to-bits conversion cannot overflow. */
+ if (data_length > SIZE_MAX / 8) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ LOCAL_INPUT_ALLOC(data_external, data_length, data);
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* In the case of a transparent key or an opaque key stored in local
+ * storage ( thus not in the case of importing a key in a secure element
+ * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
+ * buffer to hold the imported key material. */
+ if (slot->key.data == NULL) {
+ if (psa_key_lifetime_is_external(attributes->lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
+ attributes, data, data_length, &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_allocate_buffer_to_slot(slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ bits = slot->attr.bits;
+ status = psa_driver_wrapper_import_key(attributes,
+ data, data_length,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (slot->attr.bits == 0) {
+ slot->attr.bits = (psa_key_bits_t) bits;
+ } else if (bits != slot->attr.bits) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Enforce a size limit, and in particular ensure that the bit
+ * size fits in its representation type.*/
+ if (bits > PSA_MAX_KEY_BITS) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = psa_validate_optional_attributes(slot, attributes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_finish_key_creation(slot, driver, key);
+exit:
+ LOCAL_INPUT_FREE(data_external, data);
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_psa_register_se_key(
+ const psa_key_attributes_t *attributes)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Leaving attributes unspecified is not currently supported.
+ * It could make sense to query the key type and size from the
+ * secure element, but not all secure elements support this
+ * and the driver HAL doesn't currently support it. */
+ if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_finish_key_creation(slot, driver, &key);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ /* Registration doesn't keep the key in RAM. */
+ psa_close_key(key);
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
+ const psa_key_attributes_t *specified_attributes,
+ mbedtls_svc_key_id_t *target_key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *source_slot = NULL;
+ psa_key_slot_t *target_slot = NULL;
+ psa_key_attributes_t actual_attributes = *specified_attributes;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t storage_size = 0;
+
+ *target_key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_validate_optional_attributes(source_slot,
+ specified_attributes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* The target key type and number of bits have been validated by
+ * psa_validate_optional_attributes() to be either equal to zero or
+ * equal to the ones of the source key. So it is safe to inherit
+ * them from the source key now."
+ * */
+ actual_attributes.bits = source_slot->attr.bits;
+ actual_attributes.type = source_slot->attr.type;
+
+
+ status = psa_restrict_key_policy(source_slot->attr.type,
+ &actual_attributes.policy,
+ &source_slot->attr.policy);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
+ &target_slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
+ PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
+ /*
+ * If the source and target keys are stored in different locations,
+ * the source key would need to be exported as plaintext and re-imported
+ * in the other location. This has security implications which have not
+ * been fully mapped. For now, this can be achieved through
+ * appropriate API invocations from the application, if needed.
+ * */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ /*
+ * When the source and target keys are within the same location,
+ * - For transparent keys it is a blind copy without any driver invocation,
+ * - For opaque keys this translates to an invocation of the drivers'
+ * copy_key entry point through the dispatch layer.
+ * */
+ if (psa_key_lifetime_is_external(actual_attributes.lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
+ &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_allocate_buffer_to_slot(target_slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_copy_key(&actual_attributes,
+ source_slot->key.data,
+ source_slot->key.bytes,
+ target_slot->key.data,
+ target_slot->key.bytes,
+ &target_slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ status = psa_copy_key_material_into_slot(target_slot,
+ source_slot->key.data,
+ source_slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_finish_key_creation(target_slot, driver, target_key);
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(target_slot, driver);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(source_slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+
+/****************************************************************/
+/* Message digests */
+/****************************************************************/
+
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
+{
+ /* Aborting a non-active operation is allowed */
+ if (operation->id == 0) {
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = psa_driver_wrapper_hash_abort(operation);
+ operation->id = 0;
+
+ return status;
+}
+
+psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!PSA_ALG_IS_HASH(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only
+ * directly zeroes the int-sized dummy member of the context union. */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
+ status = psa_driver_wrapper_hash_setup(operation, alg);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_hash_update(psa_hash_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Don't require hash implementations to behave correctly on a
+ * zero-length input, which may have an invalid pointer. */
+ if (input_length == 0) {
+ return PSA_SUCCESS;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_hash_update(operation, input, input_length);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ return status;
+}
+
+static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *hash_length = 0;
+ if (operation->id == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_driver_wrapper_hash_finish(
+ operation, hash, hash_size, hash_length);
+ psa_hash_abort(operation);
+
+ return status;
+}
+
+psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash_external,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_OUTPUT_DECLARE(hash_external, hash);
+
+ LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
+ status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_OUTPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+ const uint8_t *hash_external,
+ size_t hash_length)
+{
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
+ size_t actual_hash_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ status = psa_hash_finish_internal(
+ operation,
+ actual_hash, sizeof(actual_hash),
+ &actual_hash_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (actual_hash_length != hash_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+ LOCAL_INPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ const uint8_t *input_external, size_t input_length,
+ uint8_t *hash_external, size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(hash_external, hash);
+
+ *hash_length = 0;
+ if (!PSA_ALG_IS_HASH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
+ status = psa_driver_wrapper_hash_compute(alg, input, input_length,
+ hash, hash_size, hash_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ const uint8_t *input_external, size_t input_length,
+ const uint8_t *hash_external, size_t hash_length)
+{
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
+ size_t actual_hash_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ if (!PSA_ALG_IS_HASH(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_hash_compute(
+ alg, input, input_length,
+ actual_hash, sizeof(actual_hash),
+ &actual_hash_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (actual_hash_length != hash_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(hash_external, hash);
+
+ return status;
+}
+
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation)
+{
+ if (source_operation->id == 0 ||
+ target_operation->id != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
+ target_operation);
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(target_operation);
+ }
+
+ return status;
+}
+
+
+/****************************************************************/
+/* MAC */
+/****************************************************************/
+
+psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
+{
+ /* Aborting a non-active operation is allowed */
+ if (operation->id == 0) {
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = psa_driver_wrapper_mac_abort(operation);
+ operation->mac_size = 0;
+ operation->is_sign = 0;
+ operation->id = 0;
+
+ return status;
+}
+
+static psa_status_t psa_mac_finalize_alg_and_key_validation(
+ psa_algorithm_t alg,
+ const psa_key_attributes_t *attributes,
+ uint8_t *mac_size)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t key_type = psa_get_key_type(attributes);
+ size_t key_bits = psa_get_key_bits(attributes);
+
+ if (!PSA_ALG_IS_MAC(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Validate the combination of key type and algorithm */
+ status = psa_mac_key_can_do(alg, key_type);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Get the output length for the algorithm and key combination */
+ *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
+
+ if (*mac_size < 4) {
+ /* A very short MAC is too short for security since it can be
+ * brute-forced. Ancient protocols with 32-bit MACs do exist,
+ * so we make this our minimum, even though 32 bits is still
+ * too small for security. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
+ PSA_ALG_FULL_LENGTH_MAC(alg))) {
+ /* It's impossible to "truncate" to a larger length than the full length
+ * of the algorithm. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (*mac_size > PSA_MAC_MAX_SIZE) {
+ /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
+ * that is disabled in the compile-time configuration. The result can
+ * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
+ * configuration into account. In this case, force a return of
+ * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
+ * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
+ * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
+ * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
+ * systematically generated tests. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ int is_sign)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key,
+ &slot,
+ is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
+ &operation->mac_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ operation->is_sign = is_sign;
+ /* Dispatch the MAC setup call with validated input */
+ if (is_sign) {
+ status = psa_driver_wrapper_mac_sign_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_mac_verify_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_mac_abort(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, key, alg, 1);
+}
+
+psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, key, alg, 0);
+}
+
+psa_status_t psa_mac_update(psa_mac_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ return status;
+ }
+
+ /* Don't require hash implementations to behave correctly on a
+ * zero-length input, which may have an invalid pointer. */
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_mac_update(operation, input, input_length);
+
+ if (status != PSA_SUCCESS) {
+ psa_mac_abort(operation);
+ }
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+
+ return status;
+}
+
+psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
+ uint8_t *mac_external,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_OUTPUT_DECLARE(mac_external, mac);
+ LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->is_sign) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
+ * once all the error checks are done. */
+ if (operation->mac_size == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (mac_size < operation->mac_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+
+ status = psa_driver_wrapper_mac_sign_finish(operation,
+ mac, operation->mac_size,
+ mac_length);
+
+exit:
+ /* In case of success, set the potential excess room in the output buffer
+ * to an invalid value, to avoid potentially leaking a longer MAC.
+ * In case of error, set the output length and content to a safe default,
+ * such that in case the caller misses an error check, the output would be
+ * an unachievable MAC.
+ */
+ if (status != PSA_SUCCESS) {
+ *mac_length = mac_size;
+ operation->mac_size = 0;
+ }
+
+ if (mac != NULL) {
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
+ }
+
+ abort_status = psa_mac_abort(operation);
+ LOCAL_OUTPUT_FREE(mac_external, mac);
+
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
+ const uint8_t *mac_external,
+ size_t mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(mac_external, mac);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->is_sign) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->mac_size != mac_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
+ status = psa_driver_wrapper_mac_verify_finish(operation,
+ mac, mac_length);
+
+exit:
+ abort_status = psa_mac_abort(operation);
+ LOCAL_INPUT_FREE(mac_external, mac);
+
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length,
+ int is_sign)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ uint8_t operation_mac_size = 0;
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key,
+ &slot,
+ is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
+ &operation_mac_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (mac_size < operation_mac_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_mac_compute(
+ &slot->attr,
+ slot->key.data, slot->key.bytes,
+ alg,
+ input, input_length,
+ mac, operation_mac_size, mac_length);
+
+exit:
+ /* In case of success, set the potential excess room in the output buffer
+ * to an invalid value, to avoid potentially leaking a longer MAC.
+ * In case of error, set the output length and content to a safe default,
+ * such that in case the caller misses an error check, the output would be
+ * an unachievable MAC.
+ */
+ if (status != PSA_SUCCESS) {
+ *mac_length = mac_size;
+ operation_mac_size = 0;
+ }
+
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *mac_external,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(mac_external, mac);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
+ status = psa_mac_compute_internal(key, alg,
+ input, input_length,
+ mac, mac_size, mac_length, 1);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(mac_external, mac);
+
+ return status;
+}
+
+psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *mac_external,
+ size_t mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t actual_mac[PSA_MAC_MAX_SIZE];
+ size_t actual_mac_length;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(mac_external, mac);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_mac_compute_internal(key, alg,
+ input, input_length,
+ actual_mac, sizeof(actual_mac),
+ &actual_mac_length, 0);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (mac_length != actual_mac_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
+ if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(mac_external, mac);
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric cryptography */
+/****************************************************************/
+
+static psa_status_t psa_sign_verify_check_alg(int input_is_message,
+ psa_algorithm_t alg)
+{
+ if (input_is_message) {
+ if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+ } else {
+ if (!PSA_ALG_IS_SIGN_HASH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
+ int input_is_message,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ *signature_length = 0;
+
+ status = psa_sign_verify_check_alg(input_is_message, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees
+ * that signature must be a valid pointer. (On the other hand, the input
+ * buffer can in principle be empty since it doesn't actually have
+ * to be a hash.) */
+ if (signature_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot,
+ input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (input_is_message) {
+ status = psa_driver_wrapper_sign_message(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_size, signature_length);
+ } else {
+
+ status = psa_driver_wrapper_sign_hash(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_size, signature_length);
+ }
+
+
+exit:
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
+ int input_is_message,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ status = psa_sign_verify_check_alg(input_is_message, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot,
+ input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (input_is_message) {
+ status = psa_driver_wrapper_verify_message(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_length);
+ } else {
+ status = psa_driver_wrapper_verify_hash(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_length);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+
+}
+
+psa_status_t psa_sign_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ size_t hash_length;
+ uint8_t hash[PSA_HASH_MAX_SIZE];
+
+ status = psa_driver_wrapper_hash_compute(
+ PSA_ALG_SIGN_GET_HASH(alg),
+ input, input_length,
+ hash, sizeof(hash), &hash_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_driver_wrapper_sign_hash(
+ attributes, key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *signature_external,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+ status = psa_sign_internal(key, 1, alg, input, input_length, signature,
+ signature_size, signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+ return status;
+}
+
+psa_status_t psa_verify_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ size_t hash_length;
+ uint8_t hash[PSA_HASH_MAX_SIZE];
+
+ status = psa_driver_wrapper_hash_compute(
+ PSA_ALG_SIGN_GET_HASH(alg),
+ input, input_length,
+ hash, sizeof(hash), &hash_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_driver_wrapper_verify_hash(
+ attributes, key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *signature_external,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+ status = psa_verify_internal(key, 1, alg, input, input_length, signature,
+ signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ PSA_ALG_IS_RSA_PSS(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ return mbedtls_psa_rsa_sign_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ if (PSA_ALG_IS_ECDSA(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ return mbedtls_psa_ecdsa_sign_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash_external,
+ size_t hash_length,
+ uint8_t *signature_external,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+ status = psa_sign_internal(key, 0, alg, hash, hash_length, signature,
+ signature_size, signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ PSA_ALG_IS_RSA_PSS(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ return mbedtls_psa_rsa_verify_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ if (PSA_ALG_IS_ECDSA(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ return mbedtls_psa_ecdsa_verify_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash_external,
+ size_t hash_length,
+ const uint8_t *signature_external,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+ status = psa_verify_internal(key, 0, alg, hash, hash_length, signature,
+ signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *salt_external,
+ size_t salt_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(salt_external, salt);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) output;
+ (void) output_size;
+
+ *output_length = 0;
+
+ if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
+ PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_asymmetric_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(salt_external, salt);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *salt_external,
+ size_t salt_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(salt_external, salt);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) output;
+ (void) output_size;
+
+ *output_length = 0;
+
+ if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_asymmetric_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(salt_external, salt);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography */
+/****************************************************************/
+
+static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+
+void psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ psa_interruptible_max_ops = max_ops;
+}
+
+uint32_t psa_interruptible_get_max_ops(void)
+{
+ return psa_interruptible_max_ops;
+}
+
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+static psa_status_t psa_sign_hash_abort_internal(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_sign_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash_external, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr,
+ slot->key.data,
+ slot->key.bytes, alg,
+ hash, hash_length);
+exit:
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ LOCAL_INPUT_FREE(hash_external, hash);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature_external, size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ *signature_length = 0;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees that
+ * signature must be a valid pointer. */
+ if (signature_size == 0) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+
+ status = psa_driver_wrapper_sign_hash_complete(operation, signature,
+ signature_size,
+ signature_length);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
+
+exit:
+
+ if (signature != NULL) {
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
+ }
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_sign_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+static psa_status_t psa_verify_hash_abort_internal(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_verify_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash_external, size_t hash_length,
+ const uint8_t *signature_external, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg, hash, hash_length,
+ signature, signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_verify_hash_complete(operation);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
+ operation);
+
+exit:
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_verify_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography internal */
+/* implementations */
+/****************************************************************/
+
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ /* Internal implementation uses zero to indicate infinite number max ops,
+ * therefore avoid this value, and set to minimum possible. */
+ if (max_ops == 0) {
+ max_ops = 1;
+ }
+
+ mbedtls_ecp_set_max_ops(max_ops);
+#else
+ (void) max_ops;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+ #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t required_hash_length;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->coordinate_bytes = PSA_BITS_TO_BYTES(
+ operation->ctx->grp.nbits);
+
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+ operation->alg = alg;
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < operation->coordinate_bytes ?
+ hash_length : operation->coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) status;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r;
+ mbedtls_mpi s;
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ /* Ensure max_ops is set to the current value (or default). */
+ mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
+
+ if (signature_size < 2 * operation->coordinate_bytes) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ operation->md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+ }
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&r,
+ signature,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&s,
+ signature +
+ operation->coordinate_bytes,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *signature_length = operation->coordinate_bytes * 2;
+
+ status = PSA_SUCCESS;
+ }
+
+exit:
+
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ return status;
+
+ #else
+
+ (void) operation;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ return PSA_SUCCESS;
+
+#else
+
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t coordinate_bytes = 0;
+ size_t required_hash_length = 0;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+ mbedtls_mpi_init(&operation->r);
+ mbedtls_mpi_init(&operation->s);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
+
+ if (signature_length != 2 * coordinate_bytes) {
+ return PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->r,
+ signature,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->s,
+ signature +
+ coordinate_bytes,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < coordinate_bytes ? hash_length :
+ coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+ (void) status;
+ (void) coordinate_bytes;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Ensure max_ops is set to the current value (or default). */
+ mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
+ operation->hash,
+ operation->hash_length,
+ &operation->ctx->Q,
+ &operation->r,
+ &operation->s,
+ &operation->restart_ctx));
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ return status;
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ mbedtls_mpi_free(&operation->r);
+ mbedtls_mpi_free(&operation->s);
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+static psa_status_t psa_generate_random_internal(uint8_t *output,
+ size_t output_size)
+{
+ GUARD_MODULE_INITIALIZED;
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+ psa_status_t status;
+ size_t output_length = 0;
+ status = mbedtls_psa_external_get_random(&global_data.rng,
+ output, output_size,
+ &output_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ /* Breaking up a request into smaller chunks is currently not supported
+ * for the external RNG interface. */
+ if (output_length != output_size) {
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ }
+ return PSA_SUCCESS;
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+ while (output_size > 0) {
+ int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ size_t request_size =
+ (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
+ MBEDTLS_PSA_RANDOM_MAX_REQUEST :
+ output_size);
+#if defined(MBEDTLS_CTR_DRBG_C)
+ ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+ output_size -= request_size;
+ output += request_size;
+ }
+ return PSA_SUCCESS;
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+
+/****************************************************************/
+/* Symmetric cryptography */
+/****************************************************************/
+
+static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ mbedtls_operation_t cipher_operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
+ PSA_KEY_USAGE_ENCRYPT :
+ PSA_KEY_USAGE_DECRYPT);
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Initialize the operation struct members, except for id. The id member
+ * is used to indicate to psa_cipher_abort that there are resources to free,
+ * so we only set it (in the driver wrapper) after resources have been
+ * allocated/initialized. */
+ operation->iv_set = 0;
+ if (alg == PSA_ALG_ECB_NO_PADDING) {
+ operation->iv_required = 0;
+ } else {
+ operation->iv_required = 1;
+ }
+ operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
+
+ /* Try doing the operation through a driver before using software fallback. */
+ if (cipher_operation == MBEDTLS_ENCRYPT) {
+ status = psa_driver_wrapper_cipher_encrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_cipher_decrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_cipher_abort(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
+}
+
+psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
+}
+
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+ uint8_t *iv_external,
+ size_t iv_size,
+ size_t *iv_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t default_iv_length = 0;
+
+ LOCAL_OUTPUT_DECLARE(iv_external, iv);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_set || !operation->iv_required) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ default_iv_length = operation->default_iv_length;
+ if (iv_size < default_iv_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv);
+
+ status = psa_generate_random_internal(iv, default_iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_cipher_set_iv(operation,
+ iv, default_iv_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ *iv_length = default_iv_length;
+ operation->iv_set = 1;
+ } else {
+ *iv_length = 0;
+ psa_cipher_abort(operation);
+ if (iv != NULL) {
+ mbedtls_platform_zeroize(iv, default_iv_length);
+ }
+ }
+
+ LOCAL_OUTPUT_FREE(iv_external, iv);
+ return status;
+}
+
+psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
+ const uint8_t *iv_external,
+ size_t iv_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(iv_external, iv);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_set || !operation->iv_required) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(iv_external, iv_length, iv);
+
+ status = psa_driver_wrapper_cipher_set_iv(operation,
+ iv,
+ iv_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->iv_set = 1;
+ } else {
+ psa_cipher_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(iv_external, iv);
+
+ return status;
+}
+
+psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_required && !operation->iv_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_update(operation,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_cipher_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_required && !operation->iv_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_finish(operation,
+ output,
+ output_size,
+ output_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = psa_cipher_abort(operation);
+ } else {
+ *output_length = 0;
+ (void) psa_cipher_abort(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_driver_wrapper_cipher_abort(operation);
+
+ operation->id = 0;
+ operation->iv_set = 0;
+ operation->iv_required = 0;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
+ size_t default_iv_length = 0;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_ENCRYPT,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
+ if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ if (default_iv_length > 0) {
+ if (output_size < default_iv_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_generate_random_internal(local_iv, default_iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, local_iv, default_iv_length, input, input_length,
+ psa_crypto_buffer_offset(output, default_iv_length),
+ output_size - default_iv_length, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ }
+
+ if (status == PSA_SUCCESS) {
+ if (default_iv_length > 0) {
+ memcpy(output, local_iv, default_iv_length);
+ }
+ *output_length += default_iv_length;
+ } else {
+ *output_length = 0;
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_DECRYPT,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ output, output_size, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ }
+
+ if (status != PSA_SUCCESS) {
+ *output_length = 0;
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+
+/****************************************************************/
+/* AEAD */
+/****************************************************************/
+
+/* Helper function to get the base algorithm from its variants. */
+static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
+{
+ return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
+}
+
+/* Helper function to perform common nonce length checks. */
+static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
+ size_t nonce_length)
+{
+ psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
+
+ switch (base_alg) {
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_GCM:
+ /* Not checking max nonce size here as GCM spec allows almost
+ * arbitrarily large nonces. Please note that we do not generally
+ * recommend the usage of nonces of greater length than
+ * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
+ * size, which can then lead to collisions if you encrypt a very
+ * large number of messages.*/
+ if (nonce_length != 0) {
+ return PSA_SUCCESS;
+ }
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_CCM:
+ if (nonce_length >= 7 && nonce_length <= 13) {
+ return PSA_SUCCESS;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ if (nonce_length == 12) {
+ return PSA_SUCCESS;
+ } else if (nonce_length == 8) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+ default:
+ (void) nonce_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
+{
+ if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce_external,
+ size_t nonce_length,
+ const uint8_t *additional_data_external,
+ size_t additional_data_length,
+ const uint8_t *plaintext_external,
+ size_t plaintext_length,
+ uint8_t *ciphertext_external,
+ size_t ciphertext_size,
+ size_t *ciphertext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
+ LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
+ LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
+
+ *ciphertext_length = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+ LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
+ LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
+ LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
+
+ status = psa_aead_check_nonce_length(alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, ciphertext_length);
+
+ if (status != PSA_SUCCESS && ciphertext_size != 0) {
+ memset(ciphertext, 0, ciphertext_size);
+ }
+
+exit:
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+ LOCAL_INPUT_FREE(additional_data_external, additional_data);
+ LOCAL_INPUT_FREE(plaintext_external, plaintext);
+ LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
+
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce_external,
+ size_t nonce_length,
+ const uint8_t *additional_data_external,
+ size_t additional_data_length,
+ const uint8_t *ciphertext_external,
+ size_t ciphertext_length,
+ uint8_t *plaintext_external,
+ size_t plaintext_size,
+ size_t *plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
+ LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
+
+ *plaintext_length = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+ LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
+ additional_data);
+ LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
+ LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
+
+ status = psa_aead_check_nonce_length(alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, plaintext_length);
+
+ if (status != PSA_SUCCESS && plaintext_size != 0) {
+ memset(plaintext, 0, plaintext_size);
+ }
+
+exit:
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+ LOCAL_INPUT_FREE(additional_data_external, additional_data);
+ LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
+
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
+{
+ const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
+
+ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
+ if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
+ if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ /* We only support the default tag length. */
+ if (tag_len != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+
+ default:
+ (void) tag_len;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ return PSA_SUCCESS;
+}
+
+/* Set the key for a multipart authenticated operation. */
+static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
+ int is_encrypt,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_usage_t key_usage = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set || operation->lengths_set ||
+ operation->ad_started || operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (is_encrypt) {
+ key_usage = PSA_KEY_USAGE_ENCRYPT;
+ } else {
+ key_usage = PSA_KEY_USAGE_DECRYPT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (is_encrypt) {
+ status = psa_driver_wrapper_aead_encrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_aead_decrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ operation->key_type = psa_get_key_type(&slot->attr);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ operation->alg = psa_aead_get_base_algorithm(alg);
+ operation->is_encrypt = is_encrypt;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Set the key for a multipart authenticated encryption operation. */
+psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_aead_setup(operation, 1, key, alg);
+}
+
+/* Set the key for a multipart authenticated decryption operation. */
+psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_aead_setup(operation, 0, key, alg);
+}
+
+static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_aead_check_nonce_length(operation->alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
+ nonce_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->nonce_set = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Generate a random nonce / IV for multipart AEAD operation */
+psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
+ uint8_t *nonce_external,
+ size_t nonce_size,
+ size_t *nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
+ size_t required_nonce_size = 0;
+
+ LOCAL_OUTPUT_DECLARE(nonce_external, nonce);
+ LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce);
+
+ *nonce_length = 0;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set || !operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* For CCM, this size may not be correct according to the PSA
+ * specification. The PSA Crypto 1.0.1 specification states:
+ *
+ * CCM encodes the plaintext length pLen in L octets, with L the smallest
+ * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
+ *
+ * However this restriction that L has to be the smallest integer is not
+ * applied in practice, and it is not implementable here since the
+ * plaintext length may or may not be known at this time. */
+ required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
+ operation->alg);
+ if (nonce_size < required_nonce_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_generate_random_internal(local_nonce, required_nonce_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_aead_set_nonce_internal(operation, local_nonce,
+ required_nonce_size);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ memcpy(nonce, local_nonce, required_nonce_size);
+ *nonce_length = required_nonce_size;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(nonce_external, nonce);
+
+ return status;
+}
+
+/* Set the nonce for a multipart authenticated encryption or decryption
+ operation.*/
+psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
+ const uint8_t *nonce_external,
+ size_t nonce_length)
+{
+ psa_status_t status;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+
+ status = psa_aead_set_nonce_internal(operation, nonce, nonce_length);
+
+/* Exit label is only needed for buffer copying, prevent unused warnings. */
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+
+ return status;
+}
+
+/* Declare the lengths of the message and additional data for multipart AEAD. */
+psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->lengths_set || operation->ad_started ||
+ operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_GCM:
+ /* Lengths can only be too large for GCM if size_t is bigger than 32
+ * bits. Without the guard this code will generate warnings on 32bit
+ * builds. */
+#if SIZE_MAX > UINT32_MAX
+ if (((uint64_t) ad_length) >> 61 != 0 ||
+ ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+#endif
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_CCM:
+ if (ad_length > 0xFF00) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ /* No length restrictions for ChaChaPoly. */
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+ default:
+ break;
+ }
+
+ status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
+ plaintext_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->ad_remaining = ad_length;
+ operation->body_remaining = plaintext_length;
+ operation->lengths_set = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Pass additional data to an active multipart AEAD operation. */
+psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->nonce_set || operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* No input to add (zero length), nothing to do. */
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+
+ if (operation->lengths_set) {
+ if (operation->ad_remaining < input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->ad_remaining -= input_length;
+ }
+#if defined(PSA_WANT_ALG_CCM)
+ else if (operation->alg == PSA_ALG_CCM) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+#endif /* PSA_WANT_ALG_CCM */
+
+ status = psa_driver_wrapper_aead_update_ad(operation, input,
+ input_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->ad_started = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+
+ return status;
+}
+
+/* Encrypt or decrypt a message fragment in an active multipart AEAD
+ operation.*/
+psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ *output_length = 0;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->nonce_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->lengths_set) {
+ /* Additional data length was supplied, but not all the additional
+ data was supplied.*/
+ if (operation->ad_remaining != 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Too much data provided. */
+ if (operation->body_remaining < input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->body_remaining -= input_length;
+ }
+#if defined(PSA_WANT_ALG_CCM)
+ else if (operation->alg == PSA_ALG_CCM) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+#endif /* PSA_WANT_ALG_CCM */
+
+ status = psa_driver_wrapper_aead_update(operation, input, input_length,
+ output, output_size,
+ output_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->body_started = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
+{
+ if (operation->id == 0 || !operation->nonce_set) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (operation->lengths_set && (operation->ad_remaining != 0 ||
+ operation->body_remaining != 0)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/* Finish encrypting a message in a multipart AEAD operation. */
+psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
+ uint8_t *ciphertext_external,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag_external,
+ size_t tag_size,
+ size_t *tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_DECLARE(tag_external, tag);
+
+ LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
+ LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag);
+
+ *ciphertext_length = 0;
+ *tag_length = tag_size;
+
+ status = psa_aead_final_checks(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_finish(operation, ciphertext,
+ ciphertext_size,
+ ciphertext_length,
+ tag, tag_size, tag_length);
+
+exit:
+
+
+ /* In case the operation fails and the user fails to check for failure or
+ * the zero tag size, make sure the tag is set to something implausible.
+ * Even if the operation succeeds, make sure we clear the rest of the
+ * buffer to prevent potential leakage of anything previously placed in
+ * the same buffer.*/
+ psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
+
+ psa_aead_abort(operation);
+
+ LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_FREE(tag_external, tag);
+
+ return status;
+}
+
+/* Finish authenticating and decrypting a message in a multipart AEAD
+ operation.*/
+psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
+ uint8_t *plaintext_external,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag_external,
+ size_t tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
+ LOCAL_INPUT_DECLARE(tag_external, tag);
+
+ LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
+ LOCAL_INPUT_ALLOC(tag_external, tag_length, tag);
+
+ *plaintext_length = 0;
+
+ status = psa_aead_final_checks(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_verify(operation, plaintext,
+ plaintext_size,
+ plaintext_length,
+ tag, tag_length);
+
+exit:
+ psa_aead_abort(operation);
+
+ LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
+ LOCAL_INPUT_FREE(tag_external, tag);
+
+ return status;
+}
+
+/* Abort an AEAD operation. */
+psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ status = psa_driver_wrapper_aead_abort(operation);
+
+ memset(operation, 0, sizeof(*operation));
+
+ return status;
+}
+
+/****************************************************************/
+/* Generators */
+/****************************************************************/
+
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
+ defined(PSA_HAVE_SOFT_PBKDF2)
+#define AT_LEAST_ONE_BUILTIN_KDF
+#endif /* At least one builtin KDF */
+
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_key_derivation_start_hmac(
+ psa_mac_operation_t *operation,
+ psa_algorithm_t hash_alg,
+ const uint8_t *hmac_key,
+ size_t hmac_key_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+
+ operation->is_sign = 1;
+ operation->mac_size = PSA_HASH_LENGTH(hash_alg);
+
+ status = psa_driver_wrapper_mac_sign_setup(operation,
+ &attributes,
+ hmac_key, hmac_key_length,
+ PSA_ALG_HMAC(hash_alg));
+
+ psa_reset_key_attributes(&attributes);
+ return status;
+}
+#endif /* KDF algorithms reliant on HMAC */
+
+#define HKDF_STATE_INIT 0 /* no input yet */
+#define HKDF_STATE_STARTED 1 /* got salt */
+#define HKDF_STATE_KEYED 2 /* got key */
+#define HKDF_STATE_OUTPUT 3 /* output started */
+
+static psa_algorithm_t psa_key_derivation_get_kdf_alg(
+ const psa_key_derivation_operation_t *operation)
+{
+ if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
+ return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
+ } else {
+ return operation->alg;
+ }
+}
+
+psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+ if (kdf_alg == 0) {
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ } else
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ mbedtls_free(operation->ctx.hkdf.info);
+ status = psa_mac_abort(&operation->ctx.hkdf.hmac);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+ /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
+ PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ if (operation->ctx.tls12_prf.secret != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
+ operation->ctx.tls12_prf.secret_length);
+ }
+
+ if (operation->ctx.tls12_prf.seed != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
+ operation->ctx.tls12_prf.seed_length);
+ }
+
+ if (operation->ctx.tls12_prf.label != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
+ operation->ctx.tls12_prf.label_length);
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (operation->ctx.tls12_prf.other_secret != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
+ operation->ctx.tls12_prf.other_secret_length);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+ status = PSA_SUCCESS;
+
+ /* We leave the fields Ai and output_block to be erased safely by the
+ * mbedtls_platform_zeroize() in the end of this function. */
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
+ sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ if (operation->ctx.pbkdf2.salt != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
+ operation->ctx.pbkdf2.salt_length);
+ }
+
+ status = PSA_SUCCESS;
+ } else
+#endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
+ {
+ status = PSA_ERROR_BAD_STATE;
+ }
+ mbedtls_platform_zeroize(operation, sizeof(*operation));
+ return status;
+}
+
+psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
+ size_t *capacity)
+{
+ if (operation->alg == 0) {
+ /* This is a blank key derivation operation. */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *capacity = operation->capacity;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
+ size_t capacity)
+{
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ if (capacity > operation->capacity) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ operation->capacity = capacity;
+ return PSA_SUCCESS;
+}
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+/* Read some bytes from an HKDF-based operation. */
+static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
+ psa_algorithm_t kdf_alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ size_t hmac_output_length;
+ psa_status_t status;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
+#else
+ const uint8_t last_block = 0xff;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+
+ if (hkdf->state < HKDF_STATE_KEYED ||
+ (!hkdf->info_set
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ )) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ hkdf->state = HKDF_STATE_OUTPUT;
+
+ while (output_length != 0) {
+ /* Copy what remains of the current block */
+ uint8_t n = hash_length - hkdf->offset_in_block;
+ if (n > output_length) {
+ n = (uint8_t) output_length;
+ }
+ memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
+ output += n;
+ output_length -= n;
+ hkdf->offset_in_block += n;
+ if (output_length == 0) {
+ break;
+ }
+ /* We can't be wanting more output after the last block, otherwise
+ * the capacity check in psa_key_derivation_output_bytes() would have
+ * prevented this call. It could happen only if the operation
+ * object was corrupted or if this function is called directly
+ * inside the library. */
+ if (hkdf->block_number == last_block) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* We need a new block */
+ ++hkdf->block_number;
+ hkdf->offset_in_block = 0;
+
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ hkdf->prk,
+ hash_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (hkdf->block_number != 1) {
+ status = psa_mac_update(&hkdf->hmac,
+ hkdf->output_block,
+ hash_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ hkdf->info,
+ hkdf->info_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ &hkdf->block_number, 1);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_sign_finish(&hkdf->hmac,
+ hkdf->output_block,
+ sizeof(hkdf->output_block),
+ &hmac_output_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* BUILTIN_ALG_ANY_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
+ psa_tls12_prf_key_derivation_t *tls12_prf,
+ psa_algorithm_t alg)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
+ size_t hmac_output_length;
+ psa_status_t status, cleanup_status;
+
+ /* We can't be wanting more output after block 0xff, otherwise
+ * the capacity check in psa_key_derivation_output_bytes() would have
+ * prevented this call. It could happen only if the operation
+ * object was corrupted or if this function is called directly
+ * inside the library. */
+ if (tls12_prf->block_number == 0xff) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* We need a new block */
+ ++tls12_prf->block_number;
+ tls12_prf->left_in_block = hash_length;
+
+ /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
+ *
+ * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+ *
+ * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
+ * HMAC_hash(secret, A(2) + seed) +
+ * HMAC_hash(secret, A(3) + seed) + ...
+ *
+ * A(0) = seed
+ * A(i) = HMAC_hash(secret, A(i-1))
+ *
+ * The `psa_tls12_prf_key_derivation` structure saves the block
+ * `HMAC_hash(secret, A(i) + seed)` from which the output
+ * is currently extracted as `output_block` and where i is
+ * `block_number`.
+ */
+
+ status = psa_key_derivation_start_hmac(&hmac,
+ hash_alg,
+ tls12_prf->secret,
+ tls12_prf->secret_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* Calculate A(i) where i = tls12_prf->block_number. */
+ if (tls12_prf->block_number == 1) {
+ /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
+ * the variable seed and in this instance means it in the context of the
+ * P_hash function, where seed = label + seed.) */
+ status = psa_mac_update(&hmac,
+ tls12_prf->label,
+ tls12_prf->label_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac,
+ tls12_prf->seed,
+ tls12_prf->seed_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ } else {
+ /* A(i) = HMAC_hash(secret, A(i-1)) */
+ status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ }
+
+ status = psa_mac_sign_finish(&hmac,
+ tls12_prf->Ai, hash_length,
+ &hmac_output_length);
+ if (hmac_output_length != hash_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* Calculate HMAC_hash(secret, A(i) + label + seed). */
+ status = psa_key_derivation_start_hmac(&hmac,
+ hash_alg,
+ tls12_prf->secret,
+ tls12_prf->secret_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_sign_finish(&hmac,
+ tls12_prf->output_block, hash_length,
+ &hmac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+
+cleanup:
+ cleanup_status = psa_mac_abort(&hmac);
+ if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
+ status = cleanup_status;
+ }
+
+ return status;
+}
+
+static psa_status_t psa_key_derivation_tls12_prf_read(
+ psa_tls12_prf_key_derivation_t *tls12_prf,
+ psa_algorithm_t alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ psa_status_t status;
+ uint8_t offset, length;
+
+ switch (tls12_prf->state) {
+ case PSA_TLS12_PRF_STATE_LABEL_SET:
+ tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
+ break;
+ case PSA_TLS12_PRF_STATE_OUTPUT:
+ break;
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ while (output_length != 0) {
+ /* Check if we have fully processed the current block. */
+ if (tls12_prf->left_in_block == 0) {
+ status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
+ alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ continue;
+ }
+
+ if (tls12_prf->left_in_block > output_length) {
+ length = (uint8_t) output_length;
+ } else {
+ length = tls12_prf->left_in_block;
+ }
+
+ offset = hash_length - tls12_prf->left_in_block;
+ memcpy(output, tls12_prf->output_block + offset, length);
+ output += length;
+ output_length -= length;
+ tls12_prf->left_in_block -= length;
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_size = 0;
+
+ if (output_length != 32) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
+ PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
+ &output_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (output_size != output_length) {
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+
+ return PSA_SUCCESS;
+}
+#endif
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+static psa_status_t psa_key_derivation_pbkdf2_generate_block(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t prf_alg,
+ uint8_t prf_output_length,
+ psa_key_attributes_t *attributes)
+{
+ psa_status_t status;
+ psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
+ size_t mac_output_length;
+ uint8_t U_i[PSA_MAC_MAX_SIZE];
+ uint8_t *U_accumulator = pbkdf2->output_block;
+ uint64_t i;
+ uint8_t block_counter[4];
+
+ mac_operation.is_sign = 1;
+ mac_operation.mac_size = prf_output_length;
+ MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
+
+ status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
+ attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (mac_output_length != prf_output_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ goto cleanup;
+ }
+
+ memcpy(U_accumulator, U_i, prf_output_length);
+
+ for (i = 1; i < pbkdf2->input_cost; i++) {
+ /* We are passing prf_output_length as mac_size because the driver
+ * function directly sets mac_output_length as mac_size upon success.
+ * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
+ status = psa_driver_wrapper_mac_compute(attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg, U_i, prf_output_length,
+ U_i, prf_output_length,
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
+ }
+
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
+ return status;
+}
+
+static psa_status_t psa_key_derivation_pbkdf2_read(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_status_t status;
+ psa_algorithm_t prf_alg;
+ uint8_t prf_output_length;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
+ prf_output_length = PSA_HASH_LENGTH(prf_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ prf_alg = PSA_ALG_CMAC;
+ prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ switch (pbkdf2->state) {
+ case PSA_PBKDF2_STATE_PASSWORD_SET:
+ /* Initially we need a new block so bytes_used is equal to block size*/
+ pbkdf2->bytes_used = prf_output_length;
+ pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
+ break;
+ case PSA_PBKDF2_STATE_OUTPUT:
+ break;
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ while (output_length != 0) {
+ uint8_t n = prf_output_length - pbkdf2->bytes_used;
+ if (n > output_length) {
+ n = (uint8_t) output_length;
+ }
+ memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
+ output += n;
+ output_length -= n;
+ pbkdf2->bytes_used += n;
+
+ if (output_length == 0) {
+ break;
+ }
+
+ /* We need a new block */
+ pbkdf2->bytes_used = 0;
+ pbkdf2->block_number++;
+
+ status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
+ prf_output_length,
+ &attributes);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output_external,
+ size_t output_length)
+{
+ psa_status_t status;
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+ if (operation->alg == 0) {
+ /* This is a blank operation. */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (output_length == 0 && operation->capacity == 0) {
+ /* Edge case: this is a finished operation, and 0 bytes
+ * were requested. The right error in this case could
+ * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
+ * INSUFFICIENT_CAPACITY, which is right for a finished
+ * operation, for consistency with the case when
+ * output_length > 0. */
+ return PSA_ERROR_INSUFFICIENT_DATA;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
+ if (output_length > operation->capacity) {
+ operation->capacity = 0;
+ /* Go through the error path to wipe all confidential data now
+ * that the operation object is useless. */
+ status = PSA_ERROR_INSUFFICIENT_DATA;
+ goto exit;
+ }
+
+ operation->capacity -= output_length;
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
+ output, output_length);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
+ kdf_alg, output,
+ output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ status = psa_key_derivation_tls12_ecjpake_to_pms_read(
+ &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
+ output, output_length);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+ {
+ (void) kdf_alg;
+ status = PSA_ERROR_BAD_STATE;
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ /* Preserve the algorithm upon errors, but clear all sensitive state.
+ * This allows us to differentiate between exhausted operations and
+ * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
+ * operations. */
+ psa_algorithm_t alg = operation->alg;
+ psa_key_derivation_abort(operation);
+ operation->alg = alg;
+ if (output != NULL) {
+ memset(output, '!', output_length);
+ }
+ }
+
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
+{
+ if (data_size >= 8) {
+ mbedtls_des_key_set_parity(data);
+ }
+ if (data_size >= 16) {
+ mbedtls_des_key_set_parity(data + 8);
+ }
+ if (data_size >= 24) {
+ mbedtls_des_key_set_parity(data + 16);
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+
+/*
+ * ECC keys on a Weierstrass elliptic curve require the generation
+ * of a private key which is an integer
+ * in the range [1, N - 1], where N is the boundary of the private key domain:
+ * N is the prime p for Diffie-Hellman, or the order of the
+ * curve’s base point for ECC.
+ *
+ * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
+ * This function generates the private key using the following process:
+ *
+ * 1. Draw a byte string of length ceiling(m/8) bytes.
+ * 2. If m is not a multiple of 8, set the most significant
+ * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
+ * 3. Convert the string to integer k by decoding it as a big-endian byte string.
+ * 4. If k > N - 2, discard the result and return to step 1.
+ * 5. Output k + 1 as the private key.
+ *
+ * This method allows compliance to NIST standards, specifically the methods titled
+ * Key-Pair Generation by Testing Candidates in the following publications:
+ * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
+ * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
+ * Diffie-Hellman keys.
+ *
+ * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
+ * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
+ *
+ * Note: Function allocates memory for *data buffer, so given *data should be
+ * always NULL.
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
+ psa_key_slot_t *slot,
+ size_t bits,
+ psa_key_derivation_operation_t *operation,
+ uint8_t **data
+ )
+{
+ unsigned key_out_of_range = 1;
+ mbedtls_mpi k;
+ mbedtls_mpi diff_N_2;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t m;
+ size_t m_bytes;
+
+ mbedtls_mpi_init(&k);
+ mbedtls_mpi_init(&diff_N_2);
+
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+ slot->attr.type);
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_from_psa(curve, bits);
+
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto cleanup;
+ }
+
+ mbedtls_ecp_group ecp_group;
+ mbedtls_ecp_group_init(&ecp_group);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
+
+ /* N is the boundary of the private key domain (ecp_group.N). */
+ /* Let m be the bit size of N. */
+ m = ecp_group.nbits;
+
+ m_bytes = PSA_BITS_TO_BYTES(m);
+
+ /* Calculate N - 2 - it will be needed later. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
+
+ /* Note: This function is always called with *data == NULL and it
+ * allocates memory for the data buffer. */
+ *data = mbedtls_calloc(1, m_bytes);
+ if (*data == NULL) {
+ ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ while (key_out_of_range) {
+ /* 1. Draw a byte string of length ceiling(m/8) bytes. */
+ if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
+ goto cleanup;
+ }
+
+ /* 2. If m is not a multiple of 8 */
+ if (m % 8 != 0) {
+ /* Set the most significant
+ * (8 * ceiling(m/8) - m) bits of the first byte in
+ * the string to zero.
+ */
+ uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
+ (*data)[0] &= clear_bit_mask;
+ }
+
+ /* 3. Convert the string to integer k by decoding it as a
+ * big-endian byte string.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
+
+ /* 4. If k > N - 2, discard the result and return to step 1.
+ * Result of comparison is returned. When it indicates error
+ * then this function is called again.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
+ }
+
+ /* 5. Output k + 1 as the private key. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
+cleanup:
+ if (ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+ if (status != PSA_SUCCESS) {
+ mbedtls_free(*data);
+ *data = NULL;
+ }
+ mbedtls_mpi_free(&k);
+ mbedtls_mpi_free(&diff_N_2);
+ return status;
+}
+
+/* ECC keys on a Montgomery elliptic curve draws a byte string whose length
+ * is determined by the curve, and sets the mandatory bits accordingly. That is:
+ *
+ * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
+ * draw a 32-byte string and process it as specified in
+ * Elliptic Curves for Security [RFC7748] §5.
+ *
+ * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
+ * draw a 56-byte string and process it as specified in [RFC7748] §5.
+ *
+ * Note: Function allocates memory for *data buffer, so given *data should be
+ * always NULL.
+ */
+
+static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
+ size_t bits,
+ psa_key_derivation_operation_t *operation,
+ uint8_t **data
+ )
+{
+ size_t output_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ switch (bits) {
+ case 255:
+ output_length = 32;
+ break;
+ case 448:
+ output_length = 56;
+ break;
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ *data = mbedtls_calloc(1, output_length);
+
+ if (*data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_key_derivation_output_bytes(operation, *data, output_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ switch (bits) {
+ case 255:
+ (*data)[0] &= 248;
+ (*data)[31] &= 127;
+ (*data)[31] |= 64;
+ break;
+ case 448:
+ (*data)[0] &= 252;
+ (*data)[55] |= 128;
+ break;
+ default:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ break;
+ }
+
+ return status;
+}
+#else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
+ psa_key_slot_t *slot, size_t bits,
+ psa_key_derivation_operation_t *operation, uint8_t **data)
+{
+ (void) slot;
+ (void) bits;
+ (void) operation;
+ (void) data;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
+ size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
+{
+ (void) bits;
+ (void) operation;
+ (void) data;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+
+static psa_status_t psa_generate_derived_key_internal(
+ psa_key_slot_t *slot,
+ size_t bits,
+ psa_key_derivation_operation_t *operation)
+{
+ uint8_t *data = NULL;
+ size_t bytes = PSA_BITS_TO_BYTES(bits);
+ size_t storage_size = bytes;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+ if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
+ if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+ /* Weierstrass elliptic curve */
+ status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ /* Montgomery elliptic curve */
+ status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
+ if (key_type_is_raw_bytes(slot->attr.type)) {
+ if (bits % 8 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ data = mbedtls_calloc(1, bytes);
+ if (data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_key_derivation_output_bytes(operation, data, bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (slot->attr.type == PSA_KEY_TYPE_DES) {
+ psa_des_set_key_parity(data, bytes);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ slot->attr.bits = (psa_key_bits_t) bits;
+
+ if (psa_key_lifetime_is_external(slot->attr.lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size(&slot->attr,
+ &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_allocate_buffer_to_slot(slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_import_key(&slot->attr,
+ data, bytes,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits);
+ if (bits != slot->attr.bits) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+exit:
+ mbedtls_free(data);
+ return status;
+}
+
+static const psa_key_production_parameters_t default_production_parameters =
+ PSA_KEY_PRODUCTION_PARAMETERS_INIT;
+
+int psa_key_production_parameters_are_default(
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length)
+{
+ if (params->flags != 0) {
+ return 0;
+ }
+ if (params_data_length != 0) {
+ return 0;
+ }
+ return 1;
+}
+
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject any attempt to create a zero-length key so that we don't
+ * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (operation->alg == PSA_ALG_NONE) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (!operation->can_output_key) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
+ &slot, &driver);
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ /* Deriving a key in a secure element is not implemented yet. */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ if (status == PSA_SUCCESS) {
+ status = psa_generate_derived_key_internal(slot,
+ attributes->bits,
+ operation);
+ }
+ if (status == PSA_SUCCESS) {
+ status = psa_finish_key_creation(slot, driver, key);
+ }
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_key_derivation_output_key_ext(attributes, operation,
+ &default_production_parameters, 0,
+ key);
+}
+
+
+/****************************************************************/
+/* Key derivation */
+/****************************************************************/
+
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+ if (PSA_ALG_IS_HKDF(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ return 1;
+ }
+#endif
+ return 0;
+}
+
+static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
+{
+ psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = psa_hash_setup(&operation, alg);
+ psa_hash_abort(&operation);
+ return status;
+}
+
+static psa_status_t psa_key_derivation_set_maximum_capacity(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t kdf_alg)
+{
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
+ return PSA_SUCCESS;
+ }
+#endif
+#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+#if (SIZE_MAX > UINT32_MAX)
+ operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH(
+ PSA_KEY_TYPE_AES,
+ 128U,
+ PSA_ALG_CMAC);
+#else
+ operation->capacity = SIZE_MAX;
+#endif
+ return PSA_SUCCESS;
+ }
+#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+ /* After this point, if kdf_alg is not valid then value of hash_alg may be
+ * invalid or meaningless but it does not affect this function */
+ psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg);
+ size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+ if (hash_size == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Make sure that hash_alg is a supported hash algorithm. Otherwise
+ * we might fail later, which is somewhat unfriendly and potentially
+ * risk-prone. */
+ psa_status_t status = psa_hash_try_support(hash_alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(PSA_WANT_ALG_HKDF)
+ if (PSA_ALG_IS_HKDF(kdf_alg)) {
+ operation->capacity = 255 * hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ operation->capacity = hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ operation->capacity = 255 * hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) &&
+ (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
+ operation->capacity = SIZE_MAX;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) &&
+ (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
+ /* Master Secret is always 48 bytes
+ * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */
+ operation->capacity = 48U;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+#if (SIZE_MAX > UINT32_MAX)
+ operation->capacity = UINT32_MAX * hash_size;
+#else
+ operation->capacity = SIZE_MAX;
+#endif
+ } else
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+ {
+ (void) hash_size;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ return status;
+}
+
+static psa_status_t psa_key_derivation_setup_kdf(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t kdf_alg)
+{
+ /* Make sure that operation->ctx is properly zero-initialised. (Macro
+ * initialisers for this union leave some bytes unspecified.) */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
+ /* Make sure that kdf_alg is a supported key derivation algorithm. */
+ if (!is_kdf_alg_supported(kdf_alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ psa_status_t status = psa_key_derivation_set_maximum_capacity(operation,
+ kdf_alg);
+ return status;
+}
+
+static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
+{
+#if defined(PSA_WANT_ALG_ECDH)
+ if (alg == PSA_ALG_ECDH) {
+ return PSA_SUCCESS;
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (alg == PSA_ALG_FFDH) {
+ return PSA_SUCCESS;
+ }
+#endif
+ (void) alg;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static int psa_key_derivation_allows_free_form_secret_input(
+ psa_algorithm_t kdf_alg)
+{
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ return 0;
+ }
+#endif
+ (void) kdf_alg;
+ return 1;
+}
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+
+psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status;
+
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+ psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
+ psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
+ status = psa_key_agreement_try_support(ka_alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ status = psa_key_derivation_setup_kdf(operation, kdf_alg);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+ } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+ status = psa_key_derivation_setup_kdf(operation, alg);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (status == PSA_SUCCESS) {
+ operation->alg = alg;
+ }
+ return status;
+}
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
+ psa_algorithm_t kdf_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+ psa_status_t status;
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+ if (hkdf->state != HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ } else {
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ data, data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ hkdf->state = HKDF_STATE_STARTED;
+ return PSA_SUCCESS;
+ }
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ /* We shouldn't be in different state as HKDF_EXPAND only allows
+ * two inputs: SECRET (this case) and INFO which does not modify
+ * the state. It could happen only if the hkdf
+ * object was corrupted. */
+ if (hkdf->state != HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Allow only input that fits expected prk size */
+ if (data_length != PSA_HASH_LENGTH(hash_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ memcpy(hkdf->prk, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+ {
+ /* HKDF: If no salt was provided, use an empty salt.
+ * HKDF-EXTRACT: salt is mandatory. */
+ if (hkdf->state == HKDF_STATE_INIT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return PSA_ERROR_BAD_STATE;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ NULL, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ hkdf->state = HKDF_STATE_STARTED;
+ }
+ if (hkdf->state != HKDF_STATE_STARTED) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ data, data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_sign_finish(&hkdf->hmac,
+ hkdf->prk,
+ sizeof(hkdf->prk),
+ &data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ hkdf->state = HKDF_STATE_KEYED;
+ hkdf->block_number = 0;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ /* The only block of output is the PRK. */
+ memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
+ hkdf->offset_in_block = 0;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ {
+ /* Block 0 is empty, and the next block will be
+ * generated by psa_key_derivation_hkdf_read(). */
+ hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
+ }
+
+ return PSA_SUCCESS;
+ case PSA_KEY_DERIVATION_INPUT_INFO:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
+ hkdf->state == HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ if (hkdf->state == HKDF_STATE_OUTPUT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ if (hkdf->info_set) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ hkdf->info_length = data_length;
+ if (data_length != 0) {
+ hkdf->info = mbedtls_calloc(1, data_length);
+ if (hkdf->info == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ memcpy(hkdf->info, data, data_length);
+ }
+ hkdf->info_set = 1;
+ return PSA_SUCCESS;
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* BUILTIN_ALG_ANY_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->seed = mbedtls_calloc(1, data_length);
+ if (prf->seed == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->seed, data, data_length);
+ prf->seed_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
+ prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->secret = mbedtls_calloc(1, data_length);
+ if (prf->secret == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->secret, data, data_length);
+ prf->secret_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->label = mbedtls_calloc(1, data_length);
+ if (prf->label == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->label, data, data_length);
+ prf->label_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SEED:
+ return psa_tls12_prf_set_seed(prf, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ return psa_tls12_prf_set_key(prf, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_LABEL:
+ return psa_tls12_prf_set_label(prf, data, data_length);
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
+ psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
+ 4 + data_length + prf->other_secret_length :
+ 4 + 2 * data_length);
+
+ if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ uint8_t *pms = mbedtls_calloc(1, pms_len);
+ if (pms == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ uint8_t *cur = pms;
+
+ /* pure-PSK:
+ * Quoting RFC 4279, Section 2:
+ *
+ * The premaster secret is formed as follows: if the PSK is N octets
+ * long, concatenate a uint16 with the value N, N zero octets, a second
+ * uint16 with the value N, and the PSK itself.
+ *
+ * mixed-PSK:
+ * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
+ * follows: concatenate a uint16 with the length of the other secret,
+ * the other secret itself, uint16 with the length of PSK, and the
+ * PSK itself.
+ * For details please check:
+ * - RFC 4279, Section 4 for the definition of RSA-PSK,
+ * - RFC 4279, Section 3 for the definition of DHE-PSK,
+ * - RFC 5489 for the definition of ECDHE-PSK.
+ */
+
+ if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
+ *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
+ *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
+ if (prf->other_secret_length != 0) {
+ memcpy(cur, prf->other_secret, prf->other_secret_length);
+ mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
+ cur += prf->other_secret_length;
+ }
+ } else {
+ *cur++ = MBEDTLS_BYTE_1(data_length);
+ *cur++ = MBEDTLS_BYTE_0(data_length);
+ memset(cur, 0, data_length);
+ cur += data_length;
+ }
+
+ *cur++ = MBEDTLS_BYTE_1(data_length);
+ *cur++ = MBEDTLS_BYTE_0(data_length);
+ memcpy(cur, data, data_length);
+ cur += data_length;
+
+ status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms));
+
+ mbedtls_zeroize_and_free(pms, pms_len);
+ return status;
+}
+
+static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
+ psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->other_secret = mbedtls_calloc(1, data_length);
+ if (prf->other_secret == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->other_secret, data, data_length);
+ prf->other_secret_length = data_length;
+ } else {
+ prf->other_secret_length = 0;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_psk_to_ms_input(
+ psa_tls12_prf_key_derivation_t *prf,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ return psa_tls12_prf_psk_to_ms_set_key(prf,
+ data, data_length);
+ break;
+ case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
+ return psa_tls12_prf_psk_to_ms_set_other_key(prf,
+ data,
+ data_length);
+ break;
+ default:
+ return psa_tls12_prf_input(prf, step, data, data_length);
+ break;
+
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_tls12_ecjpake_to_pms_input(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
+ step != PSA_KEY_DERIVATION_INPUT_SECRET) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Check if the passed point is in an uncompressed form */
+ if (data[0] != 0x04) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
+ memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+static psa_status_t psa_pbkdf2_set_input_cost(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_key_derivation_step_t step,
+ uint64_t data)
+{
+ if (step != PSA_KEY_DERIVATION_INPUT_COST) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (data == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ pbkdf2->input_cost = data;
+ pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
+ pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
+ } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
+ /* Appending to existing salt. No state change. */
+ } else {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length == 0) {
+ /* Appending an empty string, nothing to do. */
+ } else {
+ uint8_t *next_salt;
+
+ next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
+ if (next_salt == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ if (pbkdf2->salt_length != 0) {
+ memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
+ }
+ memcpy(next_salt + pbkdf2->salt_length, data, data_length);
+ pbkdf2->salt_length += data_length;
+ mbedtls_free(pbkdf2->salt);
+ pbkdf2->salt = next_salt;
+ }
+ return PSA_SUCCESS;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
+ const uint8_t *input,
+ size_t input_len,
+ uint8_t *output,
+ size_t *output_len)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
+ return psa_hash_compute(hash_alg, input, input_len, output,
+ PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
+ } else if (input_len > 0) {
+ memcpy(output, input, input_len);
+ }
+ *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
+ size_t input_len,
+ uint8_t *output,
+ size_t *output_len)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t zeros[16] = { 0 };
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+ /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
+ * mac_size as the driver function sets mac_output_length = mac_size
+ * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
+ status = psa_driver_wrapper_mac_compute(&attributes,
+ zeros, sizeof(zeros),
+ PSA_ALG_CMAC, input, input_len,
+ output,
+ PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
+ 128U,
+ PSA_ALG_CMAC),
+ output_len);
+ } else {
+ memcpy(output, input, input_len);
+ *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
+ status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
+ pbkdf2->password,
+ &pbkdf2->password_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ status = psa_pbkdf2_cmac_set_password(data, data_length,
+ pbkdf2->password,
+ &pbkdf2->password_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
+ {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
+
+ return status;
+}
+
+static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+ return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+/** Check whether the given key type is acceptable for the given
+ * input step of a key derivation.
+ *
+ * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
+ * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
+ * Both secret and non-secret inputs can alternatively have the type
+ * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
+ * that the input was passed as a buffer rather than via a key object.
+ */
+static int psa_key_derivation_check_input_type(
+ psa_key_derivation_step_t step,
+ psa_key_type_t key_type)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_LABEL:
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+ case PSA_KEY_DERIVATION_INPUT_INFO:
+ case PSA_KEY_DERIVATION_INPUT_SEED:
+ if (key_type == PSA_KEY_TYPE_RAW_DATA) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ if (key_type == PSA_KEY_TYPE_PASSWORD) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ }
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+static psa_status_t psa_key_derivation_input_internal(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_type_t key_type,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+ status = psa_key_derivation_check_input_type(step, key_type);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
+ step, data, data_length);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
+ status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
+ step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
+ step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ status = psa_tls12_ecjpake_to_pms_input(
+ &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
+ step, data, data_length);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+ {
+ /* This can't happen unless the operation object was not initialized */
+ (void) data;
+ (void) data_length;
+ (void) kdf_alg;
+ return PSA_ERROR_BAD_STATE;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ }
+ return status;
+}
+
+static psa_status_t psa_key_derivation_input_integer_internal(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ psa_status_t status;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_pbkdf2_set_input_cost(
+ &operation->ctx.pbkdf2, step, value);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+ {
+ (void) step;
+ (void) value;
+ (void) kdf_alg;
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data_external,
+ size_t data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(data_external, data);
+
+ LOCAL_INPUT_ALLOC(data_external, data_length, data);
+
+ status = psa_key_derivation_input_internal(operation, step,
+ PSA_KEY_TYPE_NONE,
+ data, data_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(data_external, data);
+ return status;
+}
+
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ return psa_key_derivation_input_integer_internal(operation, step, value);
+}
+
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ return status;
+ }
+
+ /* Passing a key object as a SECRET or PASSWORD input unlocks the
+ * permission to output to a key object. */
+ if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
+ step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
+ operation->can_output_key = 1;
+ }
+
+ status = psa_key_derivation_input_internal(operation,
+ step, slot->attr.type,
+ slot->key.data,
+ slot->key.bytes);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+
+/****************************************************************/
+/* Key agreement */
+/****************************************************************/
+
+psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+ case PSA_ALG_ECDH:
+ return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
+ key_buffer_size, alg,
+ peer_key, peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+ case PSA_ALG_FFDH:
+ return mbedtls_psa_ffdh_key_agreement(attributes,
+ peer_key,
+ peer_key_length,
+ key_buffer,
+ key_buffer_size,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+ default:
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) peer_key;
+ (void) peer_key_length;
+ (void) shared_secret;
+ (void) shared_secret_size;
+ (void) shared_secret_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+/** Internal function for raw key agreement
+ * Calls the driver wrapper which will hand off key agreement task
+ * to the driver's implementation if a driver is present.
+ * Fallback specified in the driver wrapper is built-in raw key agreement
+ * (psa_key_agreement_raw_builtin).
+ */
+static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
+ psa_key_slot_t *private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return psa_driver_wrapper_key_agreement(&private_key->attr,
+ private_key->key.data,
+ private_key->key.bytes, alg,
+ peer_key, peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+}
+
+/* Note that if this function fails, you must call psa_key_derivation_abort()
+ * to potentially free embedded data structures and wipe confidential data.
+ */
+static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_slot_t *private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length)
+{
+ psa_status_t status;
+ uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
+ size_t shared_secret_length = 0;
+ psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
+
+ /* Step 1: run the secret agreement algorithm to generate the shared
+ * secret. */
+ status = psa_key_agreement_raw_internal(ka_alg,
+ private_key,
+ peer_key, peer_key_length,
+ shared_secret,
+ sizeof(shared_secret),
+ &shared_secret_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Step 2: set up the key derivation to generate key material from
+ * the shared secret. A shared secret is permitted wherever a key
+ * of type DERIVE is permitted. */
+ status = psa_key_derivation_input_internal(operation, step,
+ PSA_KEY_TYPE_DERIVE,
+ shared_secret,
+ shared_secret_length);
+exit:
+ mbedtls_platform_zeroize(shared_secret, shared_secret_length);
+ return status;
+}
+
+psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key_external,
+ size_t peer_key_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
+
+ if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
+ status = psa_key_agreement_internal(operation, step,
+ slot,
+ peer_key, peer_key_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ } else {
+ /* If a private key has been added as SECRET, we allow the derived
+ * key material to be used as a key in PSA Crypto. */
+ if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
+ operation->can_output_key = 1;
+ }
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ LOCAL_INPUT_FREE(peer_key_external, peer_key);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key_external,
+ size_t peer_key_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ size_t expected_length;
+ LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
+ * for the output size. The PSA specification only guarantees that this
+ * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
+ * but it might be nice to allow smaller buffers if the output fits.
+ * At the time of writing this comment, with only ECDH implemented,
+ * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
+ * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
+ * be exact for it as well. */
+ expected_length =
+ PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
+ if (output_size < expected_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
+ status = psa_key_agreement_raw_internal(alg, slot,
+ peer_key, peer_key_length,
+ output, output_size,
+ output_length);
+
+exit:
+ /* Check for successful allocation of output,
+ * with an unsuccessful status. */
+ if (output != NULL && status != PSA_SUCCESS) {
+ /* If an error happens and is not handled properly, the output
+ * may be used as a key to protect sensitive data. Arrange for such
+ * a key to be random, which is likely to result in decryption or
+ * verification errors. This is better than filling the buffer with
+ * some constant data such as zeros, which would result in the data
+ * being protected with a reproducible, easily knowable key.
+ */
+ psa_generate_random_internal(output, output_size);
+ *output_length = output_size;
+ }
+
+ if (output == NULL) {
+ /* output allocation failed. */
+ *output_length = 0;
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(peer_key_external, peer_key);
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+/****************************************************************/
+/* Random generation */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+#include "entropy_poll.h"
+#endif
+
+/** Initialize the PSA random generator.
+ *
+ * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
+ * this function if mutexes are enabled.
+ */
+static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+ /* Set default configuration if
+ * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
+ if (rng->entropy_init == NULL) {
+ rng->entropy_init = mbedtls_entropy_init;
+ }
+ if (rng->entropy_free == NULL) {
+ rng->entropy_free = mbedtls_entropy_free;
+ }
+
+ rng->entropy_init(&rng->entropy);
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
+ defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+ /* The PSA entropy injection feature depends on using NV seed as an entropy
+ * source. Add NV seed as an entropy source for PSA entropy injection. */
+ mbedtls_entropy_add_source(&rng->entropy,
+ mbedtls_nv_seed_poll, NULL,
+ MBEDTLS_ENTROPY_BLOCK_SIZE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+
+ mbedtls_psa_drbg_init(&rng->drbg);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Deinitialize the PSA random generator.
+ *
+ * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
+ * this function if mutexes are enabled.
+ */
+static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+ mbedtls_psa_drbg_free(&rng->drbg);
+ rng->entropy_free(&rng->entropy);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Seed the PSA random generator.
+ */
+static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ /* Do nothing: the external RNG seeds itself. */
+ (void) rng;
+ return PSA_SUCCESS;
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+ const unsigned char drbg_seed[] = "PSA";
+ int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
+ drbg_seed, sizeof(drbg_seed) - 1);
+ return mbedtls_to_psa_error(ret);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+psa_status_t psa_generate_random(uint8_t *output_external,
+ size_t output_size)
+{
+ psa_status_t status;
+
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_generate_random_internal(output, output_size);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
+ size_t seed_size)
+{
+ if (psa_get_initialized()) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+
+ if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
+ (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
+ (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return mbedtls_psa_storage_inject_entropy(seed, seed_size);
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+/** Validate the key type and size for key generation
+ *
+ * \param type The key type
+ * \param bits The number of bits of the key
+ *
+ * \retval #PSA_SUCCESS
+ * The key type and size are valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The type and/or the size in bits of the key or the combination of
+ * the two is not supported.
+ */
+static psa_status_t psa_validate_key_type_and_size_for_key_generation(
+ psa_key_type_t type, size_t bits)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (key_type_is_raw_bytes(type)) {
+ status = psa_validate_unstructured_key_bit_size(type, bits);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ } else
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Accept only byte-aligned keys, for the same reasons as
+ * in psa_import_rsa_key(). */
+ if (bits % 8 != 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ /* To avoid empty block, return successfully here. */
+ return PSA_SUCCESS;
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ if (psa_is_dh_key_size_valid(bits) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
+ {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_generate_key_internal(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t type = attributes->type;
+
+ /* Only used for RSA */
+ (void) params;
+ (void) params_data_length;
+
+ if (key_type_is_raw_bytes(type)) {
+ status = psa_generate_random_internal(key_buffer, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (type == PSA_KEY_TYPE_DES) {
+ psa_des_set_key_parity(key_buffer, key_buffer_size);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+ } else
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return mbedtls_psa_rsa_generate_key(attributes,
+ params, params_data_length,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ return mbedtls_psa_ecp_generate_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ return mbedtls_psa_ffdh_generate_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
+ {
+ (void) key_buffer_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t key_buffer_size;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject any attempt to create a zero-length key so that we don't
+ * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Reject any attempt to create a public key. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (params->flags != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else
+#endif
+ if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* In the case of a transparent key or an opaque key stored in local
+ * storage ( thus not in the case of generating a key in a secure element
+ * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
+ * buffer to hold the generated key material. */
+ if (slot->key.data == NULL) {
+ if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
+ PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ status = psa_validate_key_type_and_size_for_key_generation(
+ attributes->type, attributes->bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
+ attributes->type,
+ attributes->bits);
+ } else {
+ status = psa_driver_wrapper_get_key_buffer_size(
+ attributes, &key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_driver_wrapper_generate_key(attributes,
+ params, params_data_length,
+ slot->key.data, slot->key.bytes,
+ &slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ psa_remove_key_data_from_memory(slot);
+ }
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = psa_finish_key_creation(slot, driver, key);
+ }
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_generate_key_ext(attributes,
+ &default_production_parameters, 0,
+ key);
+}
+
+/****************************************************************/
+/* Module setup */
+/****************************************************************/
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+ void (* entropy_init)(mbedtls_entropy_context *ctx),
+ void (* entropy_free)(mbedtls_entropy_context *ctx))
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (global_data.rng_state != RNG_NOT_INITIALIZED) {
+ status = PSA_ERROR_BAD_STATE;
+ } else {
+ global_data.rng.entropy_init = entropy_init;
+ global_data.rng.entropy_free = entropy_free;
+ status = PSA_SUCCESS;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return status;
+}
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+void mbedtls_psa_crypto_free(void)
+{
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Nothing to do to free transaction. */
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) {
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ }
+
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) {
+ psa_wipe_all_key_slots();
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (global_data.rng_state != RNG_NOT_INITIALIZED) {
+ mbedtls_psa_random_free(&global_data.rng);
+ }
+ global_data.rng_state = RNG_NOT_INITIALIZED;
+ mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Terminate drivers */
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) {
+ psa_driver_wrapper_free();
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+}
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+/** Recover a transaction that was interrupted by a power failure.
+ *
+ * This function is called during initialization, before psa_crypto_init()
+ * returns. If this function returns a failure status, the initialization
+ * fails.
+ */
+static psa_status_t psa_crypto_recover_transaction(
+ const psa_crypto_transaction_t *transaction)
+{
+ switch (transaction->unknown.type) {
+ case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
+ case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
+ /* TODO - fall through to the failure case until this
+ * is implemented.
+ * https://github.com/ARMmbed/mbed-crypto/issues/218
+ */
+ default:
+ /* We found an unsupported transaction in the storage.
+ * We don't know what state the storage is in. Give up. */
+ return PSA_ERROR_DATA_INVALID;
+ }
+}
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t driver_wrappers_initialized = 0;
+
+ switch (subsystem) {
+ case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) {
+ /* Init drivers */
+ status = psa_driver_wrapper_init();
+
+ /* Drivers need shutdown regardless of startup errors. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
+
+
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) {
+ status = psa_initialize_key_slots();
+
+ /* Need to wipe keys even if initialization fails. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
+
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_RNG:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ driver_wrappers_initialized =
+ (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED);
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Need to use separate mutex here, as initialisation can require
+ * testing of init flags, which requires locking the global data
+ * mutex. */
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Initialize and seed the random generator. */
+ if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) {
+ mbedtls_psa_random_init(&global_data.rng);
+ global_data.rng_state = RNG_INITIALIZED;
+
+ status = mbedtls_psa_random_seed(&global_data.rng);
+ if (status == PSA_SUCCESS) {
+ global_data.rng_state = RNG_SEEDED;
+ }
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_rngdata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_TRANSACTION:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) {
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+ status = psa_crypto_load_transaction();
+ if (status == PSA_SUCCESS) {
+ status = psa_crypto_recover_transaction(&psa_crypto_transaction);
+ if (status == PSA_SUCCESS) {
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ }
+ status = psa_crypto_stop_transaction();
+ } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ /* There's no transaction to complete. It's all good. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ status = PSA_SUCCESS;
+ }
+#else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ status = PSA_SUCCESS;
+#endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ default:
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* Exit label only required when using threading macros. */
+#if defined(MBEDTLS_THREADING_C)
+exit:
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return status;
+}
+
+psa_status_t psa_crypto_init(void)
+{
+ psa_status_t status;
+
+ /* Double initialization is explicitly allowed. Early out if everything is
+ * done. */
+ if (psa_get_initialized()) {
+ return PSA_SUCCESS;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION);
+
+exit:
+
+ if (status != PSA_SUCCESS) {
+ mbedtls_psa_crypto_free();
+ }
+
+ return status;
+}
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t psa_crypto_driver_pake_get_password_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *password_len)
+{
+ if (inputs->password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *password_len = inputs->password_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_password(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
+{
+ if (inputs->password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (buffer_size < inputs->password_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(buffer, inputs->password, inputs->password_len);
+ *buffer_length = inputs->password_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_user_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *user_len)
+{
+ if (inputs->user_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *user_len = inputs->user_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_user(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
+{
+ if (inputs->user_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (user_id_size < inputs->user_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(user_id, inputs->user, inputs->user_len);
+ *user_id_len = inputs->user_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_peer_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *peer_len)
+{
+ if (inputs->peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *peer_len = inputs->peer_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_peer(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
+{
+ if (inputs->peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (peer_id_size < inputs->peer_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(peer_id, inputs->peer, inputs->peer_len);
+ *peer_id_length = inputs->peer_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_cipher_suite(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ psa_pake_cipher_suite_t *cipher_suite)
+{
+ if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *cipher_suite = inputs->cipher_suite;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_pake_setup(
+ psa_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
+ PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
+
+ operation->alg = cipher_suite->algorithm;
+ operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
+ cipher_suite->family, cipher_suite->bits);
+ operation->data.inputs.cipher_suite = *cipher_suite;
+
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+
+ memset(computation_stage, 0, sizeof(*computation_stage));
+ computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
+
+ return PSA_SUCCESS;
+exit:
+ psa_pake_abort(operation);
+ return status;
+}
+
+psa_status_t psa_pake_set_password_key(
+ psa_pake_operation_t *operation,
+ mbedtls_svc_key_id_t password)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_type_t type;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(password, &slot,
+ PSA_KEY_USAGE_DERIVE,
+ operation->alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ type = psa_get_key_type(&slot->attr);
+
+ if (type != PSA_KEY_TYPE_PASSWORD &&
+ type != PSA_KEY_TYPE_PASSWORD_HASH) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
+ if (operation->data.inputs.password == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
+ operation->data.inputs.password_len = slot->key.bytes;
+ operation->data.inputs.attributes = slot->attr;
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_pake_set_user(
+ psa_pake_operation_t *operation,
+ const uint8_t *user_id_external,
+ size_t user_id_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(user_id_external, user_id);
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (user_id_len == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (operation->data.inputs.user_len != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
+ if (operation->data.inputs.user == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id);
+
+ memcpy(operation->data.inputs.user, user_id, user_id_len);
+ operation->data.inputs.user_len = user_id_len;
+
+ status = PSA_SUCCESS;
+
+exit:
+ LOCAL_INPUT_FREE(user_id_external, user_id);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_set_peer(
+ psa_pake_operation_t *operation,
+ const uint8_t *peer_id_external,
+ size_t peer_id_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(peer_id_external, peer_id);
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (peer_id_len == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (operation->data.inputs.peer_len != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
+ if (operation->data.inputs.peer == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id);
+
+ memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
+ operation->data.inputs.peer_len = peer_id_len;
+
+ status = PSA_SUCCESS;
+
+exit:
+ LOCAL_INPUT_FREE(peer_id_external, peer_id);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_set_role(
+ psa_pake_operation_t *operation,
+ psa_pake_role_t role)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ if (role == PSA_PAKE_ROLE_NONE) {
+ return PSA_SUCCESS;
+ }
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+#endif
+ default:
+ (void) role;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+exit:
+ psa_pake_abort(operation);
+ return status;
+}
+
+/* Auxiliary function to convert core computation stage to single driver step. */
+#if defined(PSA_WANT_ALG_JPAKE)
+static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
+ psa_jpake_computation_stage_t *stage)
+{
+ psa_crypto_driver_pake_step_t key_share_step;
+ if (stage->round == PSA_JPAKE_FIRST) {
+ int is_x1;
+
+ if (stage->io_mode == PSA_JPAKE_OUTPUT) {
+ is_x1 = (stage->outputs < 1);
+ } else {
+ is_x1 = (stage->inputs < 1);
+ }
+
+ key_share_step = is_x1 ?
+ PSA_JPAKE_X1_STEP_KEY_SHARE :
+ PSA_JPAKE_X2_STEP_KEY_SHARE;
+ } else if (stage->round == PSA_JPAKE_SECOND) {
+ key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
+ PSA_JPAKE_X2S_STEP_KEY_SHARE :
+ PSA_JPAKE_X4S_STEP_KEY_SHARE;
+ } else {
+ return PSA_JPAKE_STEP_INVALID;
+ }
+ return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
+}
+#endif /* PSA_WANT_ALG_JPAKE */
+
+static psa_status_t psa_pake_complete_inputs(
+ psa_pake_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ /* Create copy of the inputs on stack as inputs share memory
+ with the driver context which will be setup by the driver. */
+ psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
+
+ if (inputs.password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (operation->alg == PSA_ALG_JPAKE) {
+ if (inputs.user_len == 0 || inputs.peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ }
+
+ /* Clear driver context */
+ mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
+
+ status = psa_driver_wrapper_pake_setup(operation, &inputs);
+
+ /* Driver is responsible for creating its own copy of the password. */
+ mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
+
+ /* User and peer are translated to role. */
+ mbedtls_free(inputs.user);
+ mbedtls_free(inputs.peer);
+
+ if (status == PSA_SUCCESS) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ }
+ return status;
+}
+
+#if defined(PSA_WANT_ALG_JPAKE)
+static psa_status_t psa_jpake_prologue(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ psa_jpake_io_mode_t io_mode)
+{
+ if (step != PSA_PAKE_STEP_KEY_SHARE &&
+ step != PSA_PAKE_STEP_ZK_PUBLIC &&
+ step != PSA_PAKE_STEP_ZK_PROOF) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+
+ if (computation_stage->round != PSA_JPAKE_FIRST &&
+ computation_stage->round != PSA_JPAKE_SECOND) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Check that the step we are given is the one we were expecting */
+ if (step != computation_stage->step) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (step == PSA_PAKE_STEP_KEY_SHARE &&
+ computation_stage->inputs == 0 &&
+ computation_stage->outputs == 0) {
+ /* Start of the round, so function decides whether we are inputting
+ * or outputting */
+ computation_stage->io_mode = io_mode;
+ } else if (computation_stage->io_mode != io_mode) {
+ /* Middle of the round so the mode we are in must match the function
+ * called by the user */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_jpake_epilogue(
+ psa_pake_operation_t *operation,
+ psa_jpake_io_mode_t io_mode)
+{
+ psa_jpake_computation_stage_t *stage =
+ &operation->computation_stage.jpake;
+
+ if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
+ /* End of an input/output */
+ if (io_mode == PSA_JPAKE_INPUT) {
+ stage->inputs++;
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_OUTPUT;
+ }
+ }
+ if (io_mode == PSA_JPAKE_OUTPUT) {
+ stage->outputs++;
+ if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_INPUT;
+ }
+ }
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
+ stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ /* End of a round, move to the next round */
+ stage->inputs = 0;
+ stage->outputs = 0;
+ stage->round++;
+ }
+ stage->step = PSA_PAKE_STEP_KEY_SHARE;
+ } else {
+ stage->step++;
+ }
+ return PSA_SUCCESS;
+}
+
+#endif /* PSA_WANT_ALG_JPAKE */
+
+psa_status_t psa_pake_output(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ *output_length = 0;
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = psa_pake_complete_inputs(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (output_size == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ driver_step = convert_jpake_computation_stage_to_driver_step(
+ &operation->computation_stage.jpake);
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ (void) step;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_pake_output(operation, driver_step,
+ output, output_size, output_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+exit:
+ LOCAL_OUTPUT_FREE(output_external, output);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_input(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
+ const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
+ operation->primitive,
+ step);
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = psa_pake_complete_inputs(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (input_length == 0 || input_length > max_input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ driver_step = convert_jpake_computation_stage_to_driver_step(
+ &operation->computation_stage.jpake);
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ (void) step;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_pake_input(operation, driver_step,
+ input, input_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+exit:
+ LOCAL_INPUT_FREE(input_external, input);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_get_implicit_key(
+ psa_pake_operation_t *operation,
+ psa_key_derivation_operation_t *output)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
+ size_t shared_key_len = 0;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+ if (computation_stage->round != PSA_JPAKE_FINISHED) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_pake_get_implicit_key(operation,
+ shared_key,
+ sizeof(shared_key),
+ &shared_key_len);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_key_derivation_input_bytes(output,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ shared_key,
+ shared_key_len);
+
+ mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
+exit:
+ abort_status = psa_pake_abort(operation);
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+psa_status_t psa_pake_abort(
+ psa_pake_operation_t *operation)
+{
+ psa_status_t status = PSA_SUCCESS;
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = psa_driver_wrapper_pake_abort(operation);
+ }
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ if (operation->data.inputs.password != NULL) {
+ mbedtls_zeroize_and_free(operation->data.inputs.password,
+ operation->data.inputs.password_len);
+ }
+ if (operation->data.inputs.user != NULL) {
+ mbedtls_free(operation->data.inputs.user);
+ }
+ if (operation->data.inputs.peer != NULL) {
+ mbedtls_free(operation->data.inputs.peer);
+ }
+ }
+ memset(operation, 0, sizeof(psa_pake_operation_t));
+
+ return status;
+}
+#endif /* PSA_WANT_ALG_SOME_PAKE */
+
+/* Memory copying test hooks. These are called before input copy, after input
+ * copy, before output copy and after output copy, respectively.
+ * They are used by memory-poisoning tests to temporarily unpoison buffers
+ * while they are copied. */
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
+void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
+void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
+void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
+#endif
+
+/** Copy from an input buffer to a local copy.
+ *
+ * \param[in] input Pointer to input buffer.
+ * \param[in] input_len Length of the input buffer.
+ * \param[out] input_copy Pointer to a local copy in which to store the input data.
+ * \param[out] input_copy_len Length of the local copy buffer.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local
+ * copy is too small to hold contents of the
+ * input buffer.
+ */
+MBEDTLS_STATIC_TESTABLE
+psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
+ uint8_t *input_copy, size_t input_copy_len)
+{
+ if (input_len > input_copy_len) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_input_pre_copy_hook != NULL) {
+ psa_input_pre_copy_hook(input, input_len);
+ }
+#endif
+
+ if (input_len > 0) {
+ memcpy(input_copy, input, input_len);
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_input_post_copy_hook != NULL) {
+ psa_input_post_copy_hook(input, input_len);
+ }
+#endif
+
+ return PSA_SUCCESS;
+}
+
+/** Copy from a local output buffer into a user-supplied one.
+ *
+ * \param[in] output_copy Pointer to a local buffer containing the output.
+ * \param[in] output_copy_len Length of the local buffer.
+ * \param[out] output Pointer to user-supplied output buffer.
+ * \param[out] output_len Length of the user-supplied output buffer.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the
+ * user-supplied output buffer is too small to
+ * hold the contents of the local buffer.
+ */
+MBEDTLS_STATIC_TESTABLE
+psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
+ uint8_t *output, size_t output_len)
+{
+ if (output_len < output_copy_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_output_pre_copy_hook != NULL) {
+ psa_output_pre_copy_hook(output, output_len);
+ }
+#endif
+
+ if (output_copy_len > 0) {
+ memcpy(output, output_copy, output_copy_len);
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_output_post_copy_hook != NULL) {
+ psa_output_post_copy_hook(output, output_len);
+ }
+#endif
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
+ psa_crypto_local_input_t *local_input)
+{
+ psa_status_t status;
+
+ *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT;
+
+ if (input_len == 0) {
+ return PSA_SUCCESS;
+ }
+
+ local_input->buffer = mbedtls_calloc(input_len, 1);
+ if (local_input->buffer == NULL) {
+ /* Since we dealt with the zero-length case above, we know that
+ * a NULL return value means a failure of allocation. */
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ /* From now on, we must free local_input->buffer on error. */
+
+ local_input->length = input_len;
+
+ status = psa_crypto_copy_input(input, input_len,
+ local_input->buffer, local_input->length);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ mbedtls_free(local_input->buffer);
+ local_input->buffer = NULL;
+ local_input->length = 0;
+ return status;
+}
+
+void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
+{
+ mbedtls_free(local_input->buffer);
+ local_input->buffer = NULL;
+ local_input->length = 0;
+}
+
+psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
+ psa_crypto_local_output_t *local_output)
+{
+ *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
+
+ if (output_len == 0) {
+ return PSA_SUCCESS;
+ }
+ local_output->buffer = mbedtls_calloc(output_len, 1);
+ if (local_output->buffer == NULL) {
+ /* Since we dealt with the zero-length case above, we know that
+ * a NULL return value means a failure of allocation. */
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ local_output->length = output_len;
+ local_output->original = output;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output)
+{
+ psa_status_t status;
+
+ if (local_output->buffer == NULL) {
+ local_output->length = 0;
+ return PSA_SUCCESS;
+ }
+ if (local_output->original == NULL) {
+ /* We have an internal copy but nothing to copy back to. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ status = psa_crypto_copy_output(local_output->buffer, local_output->length,
+ local_output->original, local_output->length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ mbedtls_free(local_output->buffer);
+ local_output->buffer = NULL;
+ local_output->length = 0;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/tf-psa-crypto/core/psa_crypto_aead.c b/tf-psa-crypto/core/psa_crypto_aead.c
new file mode 100644
index 0000000..a201985
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_aead.c
@@ -0,0 +1,649 @@
+/*
+ * PSA AEAD entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa_crypto_aead.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_cipher.h"
+
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/error.h"
+
+static psa_status_t psa_aead_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_cipher_id_t cipher_id;
+ mbedtls_cipher_mode_t mode;
+ size_t key_bits = attributes->bits;
+ (void) key_buffer_size;
+
+ status = mbedtls_cipher_values_from_psa(alg, attributes->type,
+ &key_bits, &mode, &cipher_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ operation->alg = PSA_ALG_CCM;
+ /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
+ * The call to mbedtls_ccm_encrypt_and_tag or
+ * mbedtls_ccm_auth_decrypt will validate the tag length. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_ccm_init(&operation->ctx.ccm);
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
+ key_buffer, (unsigned int) key_bits));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ operation->alg = PSA_ALG_GCM;
+ /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
+ * The call to mbedtls_gcm_crypt_and_tag or
+ * mbedtls_gcm_auth_decrypt will validate the tag length. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_gcm_init(&operation->ctx.gcm);
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
+ key_buffer, (unsigned int) key_bits));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ operation->alg = PSA_ALG_CHACHA20_POLY1305;
+ /* We only support the default tag length. */
+ if (alg != PSA_ALG_CHACHA20_POLY1305) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ mbedtls_chachapoly_init(&operation->ctx.chachapoly);
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
+ key_buffer));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+
+ default:
+ (void) status;
+ (void) key_buffer;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ operation->key_type = psa_get_key_type(attributes);
+
+ operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_aead_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
+ uint8_t *tag;
+
+ status = psa_aead_setup(&operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* For all currently supported modes, the tag is at the end of the
+ * ciphertext. */
+ if (ciphertext_size < (plaintext_length + operation.tag_length)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+ tag = ciphertext + plaintext_length;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation.alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
+ plaintext_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ plaintext, ciphertext,
+ tag, operation.tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation.alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
+ MBEDTLS_GCM_ENCRYPT,
+ plaintext_length,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, ciphertext,
+ operation.tag_length, tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (operation.tag_length != 16) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
+ plaintext_length,
+ nonce,
+ additional_data,
+ additional_data_length,
+ plaintext,
+ ciphertext,
+ tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) tag;
+ (void) nonce;
+ (void) nonce_length;
+ (void) additional_data;
+ (void) additional_data_length;
+ (void) plaintext;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *ciphertext_length = plaintext_length + operation.tag_length;
+ }
+
+exit:
+ mbedtls_psa_aead_abort(&operation);
+
+ return status;
+}
+
+/* Locate the tag in a ciphertext buffer containing the encrypted data
+ * followed by the tag. Return the length of the part preceding the tag in
+ * *plaintext_length. This is the size of the plaintext in modes where
+ * the encrypted data has the same size as the plaintext, such as
+ * CCM and GCM. */
+static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
+ const uint8_t *ciphertext,
+ size_t ciphertext_length,
+ size_t plaintext_size,
+ const uint8_t **p_tag)
+{
+ size_t payload_length;
+ if (tag_length > ciphertext_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ payload_length = ciphertext_length - tag_length;
+ if (payload_length > plaintext_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ *p_tag = ciphertext + payload_length;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_aead_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
+ const uint8_t *tag = NULL;
+
+ status = psa_aead_setup(&operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_aead_unpadded_locate_tag(operation.tag_length,
+ ciphertext, ciphertext_length,
+ plaintext_size, &tag);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation.alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
+ ciphertext_length - operation.tag_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ ciphertext, plaintext,
+ tag, operation.tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation.alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
+ ciphertext_length - operation.tag_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ tag, operation.tag_length,
+ ciphertext, plaintext));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (operation.tag_length != 16) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
+ ciphertext_length - operation.tag_length,
+ nonce,
+ additional_data,
+ additional_data_length,
+ tag,
+ ciphertext,
+ plaintext));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) nonce;
+ (void) nonce_length;
+ (void) additional_data;
+ (void) additional_data_length;
+ (void) plaintext;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *plaintext_length = ciphertext_length - operation.tag_length;
+ }
+
+exit:
+ mbedtls_psa_aead_abort(&operation);
+
+ if (status == PSA_SUCCESS) {
+ *plaintext_length = ciphertext_length - operation.tag_length;
+ }
+ return status;
+}
+
+/* Set the key and algorithm for a multipart authenticated encryption
+ * operation. */
+psa_status_t mbedtls_psa_aead_encrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_aead_setup(operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status == PSA_SUCCESS) {
+ operation->is_encrypt = 1;
+ }
+
+ return status;
+}
+
+/* Set the key and algorithm for a multipart authenticated decryption
+ * operation. */
+psa_status_t mbedtls_psa_aead_decrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_aead_setup(operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status == PSA_SUCCESS) {
+ operation->is_encrypt = 0;
+ }
+
+ return status;
+}
+
+/* Set a nonce for the multipart AEAD operation*/
+psa_status_t mbedtls_psa_aead_set_nonce(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_starts(&operation->ctx.gcm,
+ operation->is_encrypt ?
+ MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
+ nonce,
+ nonce_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_starts(&operation->ctx.ccm,
+ operation->is_encrypt ?
+ MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
+ nonce,
+ nonce_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
+ * allocate a buffer in the operation, copy the nonce to it and pad
+ * it, so for now check the nonce is 12 bytes, as
+ * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
+ * passed in buffer. */
+ if (nonce_length != 12) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_starts(&operation->ctx.chachapoly,
+ nonce,
+ operation->is_encrypt ?
+ MBEDTLS_CHACHAPOLY_ENCRYPT :
+ MBEDTLS_CHACHAPOLY_DECRYPT));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) nonce;
+ (void) nonce_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+/* Declare the lengths of the message and additional data for AEAD. */
+psa_status_t mbedtls_psa_aead_set_lengths(
+ mbedtls_psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ return mbedtls_to_psa_error(
+ mbedtls_ccm_set_lengths(&operation->ctx.ccm,
+ ad_length,
+ plaintext_length,
+ operation->tag_length));
+
+ }
+#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+ (void) operation;
+ (void) ad_length;
+ (void) plaintext_length;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+
+ return PSA_SUCCESS;
+}
+
+/* Pass additional data to an active multipart AEAD operation. */
+psa_status_t mbedtls_psa_aead_update_ad(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_update_ad(&operation->ctx.gcm, input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_update_ad(&operation->ctx.ccm, input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_update_aad(&operation->ctx.chachapoly,
+ input,
+ input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) input;
+ (void) input_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+/* Encrypt or decrypt a message fragment in an active multipart AEAD
+ * operation.*/
+psa_status_t mbedtls_psa_aead_update(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ size_t update_output_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ update_output_length = input_length;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_update(&operation->ctx.gcm,
+ input, input_length,
+ output, output_size,
+ &update_output_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ if (output_size < input_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_update(&operation->ctx.ccm,
+ input, input_length,
+ output, output_size,
+ &update_output_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (output_size < input_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_update(&operation->ctx.chachapoly,
+ input_length,
+ input,
+ output));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) input;
+ (void) output;
+ (void) output_size;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *output_length = update_output_length;
+ }
+
+ return status;
+}
+
+/* Finish encrypting a message in a multipart AEAD operation. */
+psa_status_t mbedtls_psa_aead_finish(
+ mbedtls_psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t finish_output_size = 0;
+
+ if (tag_size < operation->tag_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_finish(&operation->ctx.gcm,
+ ciphertext, ciphertext_size, ciphertext_length,
+ tag, operation->tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ /* tag must be big enough to store a tag of size passed into set
+ * lengths. */
+ if (tag_size < operation->tag_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_finish(&operation->ctx.ccm,
+ tag, operation->tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ /* Belt and braces. Although the above tag_size check should have
+ * already done this, if we later start supporting smaller tag sizes
+ * for chachapoly, then passing a tag buffer smaller than 16 into here
+ * could cause a buffer overflow, so better safe than sorry. */
+ if (tag_size < 16) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_finish(&operation->ctx.chachapoly,
+ tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) ciphertext;
+ (void) ciphertext_size;
+ (void) ciphertext_length;
+ (void) tag;
+ (void) tag_size;
+ (void) tag_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ /* This will be zero for all supported algorithms currently, but left
+ * here for future support. */
+ *ciphertext_length = finish_output_size;
+ *tag_length = operation->tag_length;
+ }
+
+ return status;
+}
+
+/* Abort an AEAD operation */
+psa_status_t mbedtls_psa_aead_abort(
+ mbedtls_psa_aead_operation_t *operation)
+{
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_CCM:
+ mbedtls_ccm_free(&operation->ctx.ccm);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_GCM:
+ mbedtls_gcm_free(&operation->ctx.gcm);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ mbedtls_chachapoly_free(&operation->ctx.chachapoly);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ }
+
+ operation->is_encrypt = 0;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/tf-psa-crypto/core/psa_crypto_aead.h b/tf-psa-crypto/core/psa_crypto_aead.h
new file mode 100644
index 0000000..a339219
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_aead.h
@@ -0,0 +1,499 @@
+/*
+ * PSA AEAD driver entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_AEAD_H
+#define PSA_CRYPTO_AEAD_H
+
+#include <psa/crypto.h>
+
+/**
+ * \brief Process an authenticated encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_encrypt entry point. This function behaves as an aead_encrypt
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The AEAD algorithm to compute.
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the nonce buffer in bytes. This must
+ * be appropriate for the selected algorithm.
+ * The default nonce size is
+ * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
+ * key_type is the type of key.
+ * \param[in] additional_data Additional data that will be authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of additional_data in bytes.
+ * \param[in] plaintext Data that will be authenticated and encrypted.
+ * \param plaintext_length Size of plaintext in bytes.
+ * \param[out] ciphertext Output buffer for the authenticated and
+ * encrypted data. The additional data is not
+ * part of this output. For algorithms where the
+ * encrypted data and the authentication tag are
+ * defined as separate outputs, the
+ * authentication tag is appended to the
+ * encrypted data.
+ * \param ciphertext_size Size of the ciphertext buffer in bytes. This
+ * must be appropriate for the selected algorithm
+ * and key:
+ * - A sufficient output size is
+ * PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
+ * plaintext_length) where key_type is the type
+ * of key.
+ * - PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(
+ * plaintext_length) evaluates to the maximum
+ * ciphertext size of any supported AEAD
+ * encryption.
+ * \param[out] ciphertext_length On success, the size of the output in the
+ * ciphertext buffer.
+ *
+ * \retval #PSA_SUCCESS Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * ciphertext_size is too small.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_aead_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length);
+
+/**
+ * \brief Process an authenticated decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_decrypt entry point. This function behaves as an aead_decrypt
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The AEAD algorithm to compute.
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the nonce buffer in bytes. This must
+ * be appropriate for the selected algorithm.
+ * The default nonce size is
+ * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
+ * key_type is the type of key.
+ * \param[in] additional_data Additional data that has been authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of additional_data in bytes.
+ * \param[in] ciphertext Data that has been authenticated and
+ * encrypted. For algorithms where the encrypted
+ * data and the authentication tag are defined
+ * as separate inputs, the buffer contains
+ * encrypted data followed by the authentication
+ * tag.
+ * \param ciphertext_length Size of ciphertext in bytes.
+ * \param[out] plaintext Output buffer for the decrypted data.
+ * \param plaintext_size Size of the plaintext buffer in bytes. This
+ * must be appropriate for the selected algorithm
+ * and key:
+ * - A sufficient output size is
+ * PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
+ * ciphertext_length) where key_type is the
+ * type of key.
+ * - PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(
+ * ciphertext_length) evaluates to the maximum
+ * plaintext size of any supported AEAD
+ * decryption.
+ * \param[out] plaintext_length On success, the size of the output in the
+ * plaintext buffer.
+ *
+ * \retval #PSA_SUCCESS Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The cipher is not authentic.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * plaintext_size is too small.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_aead_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length);
+
+/** Set the key for a multipart authenticated encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_encrypt_setup entry point. This function behaves as an
+ * aead_encrypt_setup entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * If an error occurs at any step after a call to
+ * mbedtls_psa_aead_encrypt_setup(), the operation is reset by the PSA core by a
+ * call to mbedtls_psa_aead_abort(). The PSA core may call
+ * mbedtls_psa_aead_abort() at any time after the operation has been
+ * initialized, and is required to when the operation is no longer needed.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #mbedtls_psa_aead_operation_t and not yet in
+ * use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ It must be consistent with the size in bits
+ recorded in \p attributes.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An invalid block length was supplied.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Failed to allocate memory for key material
+ */
+psa_status_t mbedtls_psa_aead_encrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart authenticated decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_decrypt_setup entry point. This function behaves as an
+ * aead_decrypt_setup entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * If an error occurs at any step after a call to
+ * mbedtls_psa_aead_decrypt_setup(), the PSA core resets the operation by a
+ * call to mbedtls_psa_aead_abort(). The PSA core may call
+ * mbedtls_psa_aead_abort() at any time after the operation has been
+ * initialized, and is required to when the operation is no longer needed.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #mbedtls_psa_aead_operation_t and not yet in
+ * use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ It must be consistent with the size in bits
+ recorded in \p attributes.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An invalid block length was supplied.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Failed to allocate memory for key material
+ */
+psa_status_t mbedtls_psa_aead_decrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the nonce for an authenticated encryption or decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver aead_set_nonce
+ * entry point. This function behaves as an aead_set_nonce entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * This function sets the nonce for the authenticated
+ * encryption or decryption operation.
+ *
+ * The PSA core calls mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup() before calling this function.
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] nonce Buffer containing the nonce to use.
+ * \param nonce_length Size of the nonce in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p nonce is not acceptable for the chosen algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_set_nonce(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length);
+
+/** Declare the lengths of the message and additional data for AEAD.
+ *
+ * \note The signature of this function is that of a PSA driver aead_set_lengths
+ * entry point. This function behaves as an aead_set_lengths entry point
+ * as defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls this function before calling mbedtls_psa_aead_update_ad()
+ * or mbedtls_psa_aead_update() if the algorithm for the operation requires it.
+ * If the algorithm does not require it, calling this function is optional, but
+ * if this function is called then the implementation must enforce the lengths.
+ *
+ * The PSA core may call this function before or after setting the nonce with
+ * mbedtls_psa_aead_set_nonce().
+ *
+ * - For #PSA_ALG_CCM, calling this function is required.
+ * - For the other AEAD algorithms defined in this specification, calling
+ * this function is not required.
+ *
+ * If this function returns an error status, the PSA core calls
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param ad_length Size of the non-encrypted additional
+ * authenticated data in bytes.
+ * \param plaintext_length Size of the plaintext to encrypt in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * At least one of the lengths is not acceptable for the chosen
+ * algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_set_lengths(
+ mbedtls_psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length);
+
+/** Pass additional data to an active AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_update_ad entry point. This function behaves as an aead_update_ad
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Additional data is authenticated, but not encrypted.
+ *
+ * The PSA core can call this function multiple times to pass successive
+ * fragments of the additional data. It will not call this function after
+ * passing data to encrypt or decrypt with mbedtls_psa_aead_update().
+ *
+ * Before calling this function, the PSA core will:
+ * 1. Call either mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup().
+ * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the fragment of
+ * additional data.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_update_ad(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Encrypt or decrypt a message fragment in an active AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_update entry point. This function behaves as an aead_update entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Before calling this function, the PSA core will:
+ * 1. Call either mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup(). The choice of setup function
+ * determines whether this function encrypts or decrypts its input.
+ * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
+ * 3. Call mbedtls_psa_aead_update_ad() to pass all the additional data.
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * This function does not require the input to be aligned to any
+ * particular block boundary. If the implementation can only process
+ * a whole block at a time, it must consume all the input provided, but
+ * it may delay the end of the corresponding output until a subsequent
+ * call to mbedtls_psa_aead_update(), mbedtls_psa_aead_finish() provides
+ * sufficient input. The amount of data that can be delayed in this way is
+ * bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
+ * \c alg, \p input_length) where
+ * \c key_type is the type of key and \c alg is
+ * the algorithm that were used to set up the
+ * operation.
+ * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
+ * input_length) evaluates to the maximum
+ * output size of any supported AEAD
+ * algorithm.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
+ * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
+ * determine the required buffer size.
+ */
+psa_status_t mbedtls_psa_aead_update(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting a message in an AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_finish entry point. This function behaves as an aead_finish entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * The operation must have been set up by the PSA core with
+ * mbedtls_psa_aead_encrypt_setup().
+ *
+ * This function finishes the authentication of the additional data
+ * formed by concatenating the inputs passed to preceding calls to
+ * mbedtls_psa_aead_update_ad() with the plaintext formed by concatenating the
+ * inputs passed to preceding calls to mbedtls_psa_aead_update().
+ *
+ * This function has two output buffers:
+ * - \p ciphertext contains trailing ciphertext that was buffered from
+ * preceding calls to mbedtls_psa_aead_update().
+ * - \p tag contains the authentication tag.
+ *
+ * Whether or not this function returns successfully, the PSA core subsequently
+ * calls mbedtls_psa_aead_abort() to deactivate the operation.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] ciphertext Buffer where the last part of the ciphertext
+ * is to be written.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] ciphertext_length On success, the number of bytes of
+ * returned ciphertext.
+ * \param[out] tag Buffer where the authentication tag is
+ * to be written.
+ * \param tag_size Size of the \p tag buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
+ * key_type, \c key_bits, \c alg) where
+ * \c key_type and \c key_bits are the type and
+ * bit-size of the key, and \c alg are the
+ * algorithm that were used in the call to
+ * mbedtls_psa_aead_encrypt_setup().
+ * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
+ * maximum tag size of any supported AEAD
+ * algorithm.
+ * \param[out] tag_length On success, the number of bytes
+ * that make up the returned tag.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p tag buffer is too small.
+ * #PSA_AEAD_TAG_LENGTH(\c key_type, key_bits, \c alg) or
+ * #PSA_AEAD_TAG_MAX_SIZE can be used to determine the required \p tag
+ * buffer size.
+ */
+psa_status_t mbedtls_psa_aead_finish(
+ mbedtls_psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length);
+
+/** Abort an AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_abort entry point. This function behaves as an aead_abort entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by the PSA core by it calling
+ * mbedtls_psa_aead_encrypt_setup() or mbedtls_psa_aead_decrypt_setup() again.
+ *
+ * The PSA core may call this function any time after the operation object has
+ * been initialized as described in #mbedtls_psa_aead_operation_t.
+ *
+ * In particular, calling mbedtls_psa_aead_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_aead_abort() or
+ * mbedtls_psa_aead_finish() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized AEAD operation.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+psa_status_t mbedtls_psa_aead_abort(
+ mbedtls_psa_aead_operation_t *operation);
+
+#endif /* PSA_CRYPTO_AEAD_H */
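Review bot: The comment on mbedtls_psa_aead_update() does not say that, for an operation set up with mbedtls_psa_aead_decrypt_setup(), the bytes written to `output` are not yet authenticated. This header documents mbedtls_psa_aead_finish() only for encryption and declares no verify entry point, so the tag check for multipart decryption presumably happens in the PSA core, which a reader of this header alone cannot tell. I would add to the update comment: `\warning When decrypting, \p output is unauthenticated until the tag has been verified; it must not be acted on before then.` In the same vein, the `#PSA_ERROR_INVALID_SIGNATURE` entry of mbedtls_psa_aead_decrypt() reads "The cipher is not authentic" and would be clearer as `The ciphertext is not authentic; the content of \p plaintext must not be used.`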
diff --git a/tf-psa-crypto/core/psa_crypto_cipher.c b/tf-psa-crypto/core/psa_crypto_cipher.c
new file mode 100644
index 0000000..3216c94
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_cipher.c
@@ -0,0 +1,724 @@
+/*
+ * PSA cipher driver entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_random_impl.h"
+
+#include "mbedtls/cipher.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+/* mbedtls_cipher_values_from_psa() below only checks if the proper build symbols
+ * are enabled, but it does not provide any compatibility check between them
+ * (i.e. if the specified key works with the specified algorithm). This helper
+ * function is meant to provide this support.
+ * mbedtls_cipher_info_from_psa() might be used for the same purpose, but it
+ * requires CIPHER_C to be enabled.
+ */
+static psa_status_t mbedtls_cipher_validate_values(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type)
+{
+ /* Reduce code size - hinting to the compiler about what it can assume allows the compiler to
+ eliminate bits of the logic below. */
+#if !defined(PSA_WANT_KEY_TYPE_AES)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_AES);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ARIA)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_ARIA);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CAMELLIA);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_CHACHA20)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CHACHA20);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_DES)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_DES);
+#endif
+#if !defined(PSA_WANT_ALG_CCM)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0));
+#endif
+#if !defined(PSA_WANT_ALG_GCM)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0));
+#endif
+#if !defined(PSA_WANT_ALG_STREAM_CIPHER)
+ MBEDTLS_ASSUME(alg != PSA_ALG_STREAM_CIPHER);
+#endif
+#if !defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0));
+#endif
+#if !defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CCM_STAR_NO_TAG);
+#endif
+#if !defined(PSA_WANT_ALG_CTR)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CTR);
+#endif
+#if !defined(PSA_WANT_ALG_CFB)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CFB);
+#endif
+#if !defined(PSA_WANT_ALG_OFB)
+ MBEDTLS_ASSUME(alg != PSA_ALG_OFB);
+#endif
+#if !defined(PSA_WANT_ALG_XTS)
+ MBEDTLS_ASSUME(alg != PSA_ALG_XTS);
+#endif
+#if !defined(PSA_WANT_ALG_ECB_NO_PADDING)
+ MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING);
+#endif
+#if !defined(PSA_WANT_ALG_CBC_NO_PADDING)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CBC_NO_PADDING);
+#endif
+#if !defined(PSA_WANT_ALG_CBC_PKCS7)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CBC_PKCS7);
+#endif
+#if !defined(PSA_WANT_ALG_CMAC)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CMAC);
+#endif
+
+ if (alg == PSA_ALG_STREAM_CIPHER ||
+ alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0)) {
+ if (key_type == PSA_KEY_TYPE_CHACHA20) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0) ||
+ alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0) ||
+ alg == PSA_ALG_CCM_STAR_NO_TAG) {
+ if (key_type == PSA_KEY_TYPE_AES ||
+ key_type == PSA_KEY_TYPE_ARIA ||
+ key_type == PSA_KEY_TYPE_CAMELLIA) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (alg == PSA_ALG_CTR ||
+ alg == PSA_ALG_CFB ||
+ alg == PSA_ALG_OFB ||
+ alg == PSA_ALG_XTS ||
+ alg == PSA_ALG_ECB_NO_PADDING ||
+ alg == PSA_ALG_CBC_NO_PADDING ||
+ alg == PSA_ALG_CBC_PKCS7 ||
+ alg == PSA_ALG_CMAC) {
+ if (key_type == PSA_KEY_TYPE_AES ||
+ key_type == PSA_KEY_TYPE_ARIA ||
+ key_type == PSA_KEY_TYPE_DES ||
+ key_type == PSA_KEY_TYPE_CAMELLIA) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_cipher_values_from_psa(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type,
+ size_t *key_bits,
+ mbedtls_cipher_mode_t *mode,
+ mbedtls_cipher_id_t *cipher_id)
+{
+ mbedtls_cipher_id_t cipher_id_tmp;
+ /* Only DES modifies key_bits */
+#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ (void) key_bits;
+#endif
+
+ if (PSA_ALG_IS_AEAD(alg)) {
+ alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);
+ }
+
+ if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) {
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
+ case PSA_ALG_STREAM_CIPHER:
+ *mode = MBEDTLS_MODE_STREAM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR)
+ case PSA_ALG_CTR:
+ *mode = MBEDTLS_MODE_CTR;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB)
+ case PSA_ALG_CFB:
+ *mode = MBEDTLS_MODE_CFB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB)
+ case PSA_ALG_OFB:
+ *mode = MBEDTLS_MODE_OFB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+ case PSA_ALG_ECB_NO_PADDING:
+ *mode = MBEDTLS_MODE_ECB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING)
+ case PSA_ALG_CBC_NO_PADDING:
+ *mode = MBEDTLS_MODE_CBC;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
+ case PSA_ALG_CBC_PKCS7:
+ *mode = MBEDTLS_MODE_CBC;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
+ case PSA_ALG_CCM_STAR_NO_TAG:
+ *mode = MBEDTLS_MODE_CCM_STAR_NO_TAG;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ *mode = MBEDTLS_MODE_CCM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ *mode = MBEDTLS_MODE_GCM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ *mode = MBEDTLS_MODE_CHACHAPOLY;
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else if (alg == PSA_ALG_CMAC) {
+ *mode = MBEDTLS_MODE_ECB;
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ switch (key_type) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES)
+ case PSA_KEY_TYPE_AES:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA)
+ case PSA_KEY_TYPE_ARIA:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ case PSA_KEY_TYPE_DES:
+ /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
+ * and 192 for three-key Triple-DES. */
+ if (*key_bits == 64) {
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
+ } else {
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
+ }
+ /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
+ * but two-key Triple-DES is functionally three-key Triple-DES
+ * with K1=K3, so that's how we present it to mbedtls. */
+ if (*key_bits == 128) {
+ *key_bits = 192;
+ }
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA)
+ case PSA_KEY_TYPE_CAMELLIA:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
+ case PSA_KEY_TYPE_CHACHA20:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (cipher_id != NULL) {
+ *cipher_id = cipher_id_tmp;
+ }
+
+ return mbedtls_cipher_validate_values(alg, key_type);
+}
+
+#if defined(MBEDTLS_CIPHER_C)
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type,
+ size_t key_bits,
+ mbedtls_cipher_id_t *cipher_id)
+{
+ mbedtls_cipher_mode_t mode;
+ psa_status_t status;
+ mbedtls_cipher_id_t cipher_id_tmp = MBEDTLS_CIPHER_ID_NONE;
+
+ status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp);
+ if (status != PSA_SUCCESS) {
+ return NULL;
+ }
+ if (cipher_id != NULL) {
+ *cipher_id = cipher_id_tmp;
+ }
+
+ return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode);
+}
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+
+static psa_status_t psa_cipher_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ mbedtls_operation_t cipher_operation)
+{
+ int ret = 0;
+ size_t key_bits;
+ const mbedtls_cipher_info_t *cipher_info = NULL;
+ psa_key_type_t key_type = attributes->type;
+
+ (void) key_buffer_size;
+
+ mbedtls_cipher_init(&operation->ctx.cipher);
+
+ operation->alg = alg;
+ key_bits = attributes->bits;
+ cipher_info = mbedtls_cipher_info_from_psa(alg, key_type,
+ key_bits, NULL);
+ if (cipher_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info);
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (key_type == PSA_KEY_TYPE_DES && key_bits == 128) {
+ /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
+ uint8_t keys[24];
+ memcpy(keys, key_buffer, 16);
+ memcpy(keys + 16, key_buffer, 8);
+ ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
+ keys,
+ 192, cipher_operation);
+ } else
+#endif
+ {
+ ret = mbedtls_cipher_setkey(&operation->ctx.cipher, key_buffer,
+ (int) key_bits, cipher_operation);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
+ switch (alg) {
+ case PSA_ALG_CBC_NO_PADDING:
+ ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+ MBEDTLS_PADDING_NONE);
+ break;
+ case PSA_ALG_CBC_PKCS7:
+ ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+ MBEDTLS_PADDING_PKCS7);
+ break;
+ default:
+ /* The algorithm doesn't involve padding. */
+ ret = 0;
+ break;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING ||
+ MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */
+
+ operation->block_length = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 :
+ PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type));
+ operation->iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg);
+
+exit:
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_cipher_encrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, attributes,
+ key_buffer, key_buffer_size,
+ alg, MBEDTLS_ENCRYPT);
+}
+
+psa_status_t mbedtls_psa_cipher_decrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, attributes,
+ key_buffer, key_buffer_size,
+ alg, MBEDTLS_DECRYPT);
+}
+
+psa_status_t mbedtls_psa_cipher_set_iv(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *iv, size_t iv_length)
+{
+ if (iv_length != operation->iv_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return mbedtls_to_psa_error(
+ mbedtls_cipher_set_iv(&operation->ctx.cipher,
+ iv, iv_length));
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+/** Process input for which the algorithm is set to ECB mode.
+ *
+ * This requires manual processing, since the PSA API is defined as being
+ * able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
+ * but the underlying mbedtls_cipher_update only takes full blocks.
+ *
+ * \param ctx The mbedtls cipher context to use. It must have been
+ * set up for ECB.
+ * \param[in] input The input plaintext or ciphertext to process.
+ * \param input_length The number of bytes to process from \p input.
+ * This does not need to be aligned to a block boundary.
+ * If there is a partial block at the end of the input,
+ * it is stored in \p ctx for future processing.
+ * \param output The buffer where the output is written. It must be
+ * at least `BS * floor((p + input_length) / BS)` bytes
+ * long, where `p` is the number of bytes in the
+ * unprocessed partial block in \p ctx (with
+ * `0 <= p <= BS - 1`) and `BS` is the block size.
+ * \param output_length On success, the number of bytes written to \p output.
+ * \c 0 on error.
+ *
+ * \return #PSA_SUCCESS or an error from a hardware accelerator
+ */
+static psa_status_t psa_cipher_update_ecb(
+ mbedtls_cipher_context_t *ctx,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ size_t internal_output_length = 0;
+ *output_length = 0;
+
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+
+ if (ctx->unprocessed_len > 0) {
+ /* Fill up to block size, and run the block if there's a full one. */
+ size_t bytes_to_copy = block_size - ctx->unprocessed_len;
+
+ if (input_length < bytes_to_copy) {
+ bytes_to_copy = input_length;
+ }
+
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+ input, bytes_to_copy);
+ input_length -= bytes_to_copy;
+ input += bytes_to_copy;
+ ctx->unprocessed_len += bytes_to_copy;
+
+ if (ctx->unprocessed_len == block_size) {
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(ctx,
+ ctx->unprocessed_data,
+ block_size,
+ output, &internal_output_length));
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ output += internal_output_length;
+ *output_length += internal_output_length;
+ ctx->unprocessed_len = 0;
+ }
+ }
+
+ while (input_length >= block_size) {
+ /* Run all full blocks we have, one by one */
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(ctx, input,
+ block_size,
+ output, &internal_output_length));
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ input_length -= block_size;
+ input += block_size;
+
+ output += internal_output_length;
+ *output_length += internal_output_length;
+ }
+
+ if (input_length > 0) {
+ /* Save unprocessed bytes for later processing */
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+ input, input_length);
+ ctx->unprocessed_len += input_length;
+ }
+
+ status = PSA_SUCCESS;
+
+exit:
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
+
+psa_status_t mbedtls_psa_cipher_update(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t expected_output_size;
+
+ if (!PSA_ALG_IS_STREAM_CIPHER(operation->alg)) {
+ /* Take the unprocessed partial block left over from previous
+ * update calls, if any, plus the input to this call. Remove
+ * the last partial block, if any. You get the data that will be
+ * output in this call. */
+ expected_output_size =
+ (operation->ctx.cipher.unprocessed_len + input_length)
+ / operation->block_length * operation->block_length;
+ } else {
+ expected_output_size = input_length;
+ }
+
+ if (output_size < expected_output_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+ if (operation->alg == PSA_ALG_ECB_NO_PADDING) {
+ /* mbedtls_cipher_update has an API inconsistency: it will only
+ * process a single block at a time in ECB mode. Abstract away that
+ * inconsistency here to match the PSA API behaviour. */
+ status = psa_cipher_update_ecb(&operation->ctx.cipher,
+ input,
+ input_length,
+ output,
+ output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
+ if (input_length == 0) {
+ /* There is no input, nothing to be done */
+ *output_length = 0;
+ status = PSA_SUCCESS;
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(&operation->ctx.cipher, input,
+ input_length, output, output_length));
+
+ if (*output_length > output_size) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_finish(
+ mbedtls_psa_cipher_operation_t *operation,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
+
+ if (operation->ctx.cipher.unprocessed_len != 0) {
+ if (operation->alg == PSA_ALG_ECB_NO_PADDING ||
+ operation->alg == PSA_ALG_CBC_NO_PADDING) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_finish(&operation->ctx.cipher,
+ temp_output_buffer,
+ output_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (*output_length == 0) {
+ ; /* Nothing to copy. Note that output may be NULL in this case. */
+ } else if (output_size >= *output_length) {
+ memcpy(output, temp_output_buffer, *output_length);
+ } else {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+exit:
+ mbedtls_platform_zeroize(temp_output_buffer,
+ sizeof(temp_output_buffer));
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_abort(
+ mbedtls_psa_cipher_operation_t *operation)
+{
+ /* Sanity check (shouldn't happen: operation->alg should
+ * always have been initialized to a valid value). */
+ if (!PSA_ALG_IS_CIPHER(operation->alg)) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ mbedtls_cipher_free(&operation->ctx.cipher);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_cipher_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
+ size_t update_output_length, finish_output_length;
+
+ status = mbedtls_psa_cipher_encrypt_setup(&operation, attributes,
+ key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (iv_length > 0) {
+ status = mbedtls_psa_cipher_set_iv(&operation, iv, iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = mbedtls_psa_cipher_update(&operation, input, input_length,
+ output, output_size,
+ &update_output_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset(output, update_output_length),
+ output_size - update_output_length, &finish_output_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *output_length = update_output_length + finish_output_length;
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_cipher_abort(&operation);
+ } else {
+ mbedtls_psa_cipher_abort(&operation);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
+ size_t olength, accumulated_length;
+
+ status = mbedtls_psa_cipher_decrypt_setup(&operation, attributes,
+ key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation.iv_length > 0) {
+ status = mbedtls_psa_cipher_set_iv(&operation,
+ input, operation.iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = mbedtls_psa_cipher_update(
+ &operation,
+ mbedtls_buffer_offset_const(input, operation.iv_length),
+ input_length - operation.iv_length,
+ output, output_size, &olength);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ accumulated_length = olength;
+
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset(output, accumulated_length),
+ output_size - accumulated_length, &olength);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *output_length = accumulated_length + olength;
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_cipher_abort(&operation);
+ } else {
+ mbedtls_psa_cipher_abort(&operation);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
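Review bot: In mbedtls_psa_cipher_decrypt(), `input_length - operation.iv_length` is computed without checking that `input_length` is at least `operation.iv_length`, and mbedtls_psa_cipher_set_iv() has by then already been given `operation.iv_length` bytes of `input` to read. If a caller passes a shorter buffer, the IV read runs past the end of the input and the size_t subtraction wraps to a very large length for mbedtls_psa_cipher_update(). The PSA core may already reject such input before dispatching here, but that is not visible in this file, so a guard right after the setup call would make the entry point safe on its own: `if (input_length < operation.iv_length) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; }`. Separately, in psa_cipher_setup() the local `keys[24]` used for two-key Triple-DES still holds key material when the function returns; adding `mbedtls_platform_zeroize(keys, sizeof(keys));` after mbedtls_cipher_setkey() would match how `temp_output_buffer` is handled in mbedtls_psa_cipher_finish().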
diff --git a/tf-psa-crypto/core/psa_crypto_cipher.h b/tf-psa-crypto/core/psa_crypto_cipher.h
new file mode 100644
index 0000000..cc56585
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_cipher.h
@@ -0,0 +1,316 @@
+/*
+ * PSA cipher driver entry points and associated auxiliary functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CIPHER_H
+#define PSA_CRYPTO_CIPHER_H
+
+#include <mbedtls/cipher.h>
+#include <psa/crypto.h>
+
+/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier
+ * as well as the PSA type and size of the key to be used with the cipher
+ * algorithm.
+ *
+ * \param[in] alg PSA cipher algorithm identifier
+ * \param[in] key_type PSA key type
+ * \param[in,out] key_bits Size of the key in bits. The value provided in input
+ * might be updated if necessary.
+ * \param[out] mode Mbed TLS cipher mode
+ * \param[out] cipher_id Mbed TLS cipher algorithm identifier
+ *
+ * \return On success \c PSA_SUCCESS is returned and key_bits, mode and cipher_id
+ * are properly updated.
+ * \c PSA_ERROR_NOT_SUPPORTED is returned if the cipher algorithm is not
+ * supported.
+ */
+
+psa_status_t mbedtls_cipher_values_from_psa(psa_algorithm_t alg, psa_key_type_t key_type,
+ size_t *key_bits, mbedtls_cipher_mode_t *mode,
+ mbedtls_cipher_id_t *cipher_id);
+
+#if defined(MBEDTLS_CIPHER_C)
+/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier
+ * as well as the PSA type and size of the key to be used with the cipher
+ * algorithm.
+ *
+ * \param alg PSA cipher algorithm identifier
+ * \param key_type PSA key type
+ * \param key_bits Size of the key in bits
+ * \param[out] cipher_id Mbed TLS cipher algorithm identifier
+ *
+ * \return The Mbed TLS cipher information of the cipher algorithm.
+ * \c NULL if the PSA cipher algorithm is not supported.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+ psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits,
+ mbedtls_cipher_id_t *cipher_id);
+#endif /* MBEDTLS_CIPHER_C */
+
+/**
+ * \brief Set the key for a multipart symmetric encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_encrypt_setup entry point. This function behaves as a
+ * cipher_encrypt_setup entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It has been
+ * initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_encrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/**
+ * \brief Set the key for a multipart symmetric decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_decrypt_setup entry point. This function behaves as a
+ * cipher_decrypt_setup entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It has been
+ * initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_decrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the IV for a symmetric encryption or decryption operation.
+ *
+ * This function sets the IV (initialization vector), nonce
+ * or initial counter value for the encryption or decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_set_iv entry point. This function behaves as a
+ * cipher_set_iv entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] iv Buffer containing the IV to use.
+ * \param[in] iv_length Size of the IV in bytes. It is guaranteed by
+ * the core to be less or equal to
+ * PSA_CIPHER_IV_MAX_SIZE.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_set_iv(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *iv, size_t iv_length);
+
+/** Encrypt or decrypt a message fragment in an active cipher operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_update entry point. This function behaves as a
+ * cipher_update entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_update(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size, size_t *output_length);
+
+/** Finish encrypting or decrypting a message in a cipher operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_finish entry point. This function behaves as a
+ * cipher_finish entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_finish(
+ mbedtls_psa_cipher_operation_t *operation,
+ uint8_t *output, size_t output_size, size_t *output_length);
+
+/** Abort a cipher operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_abort entry point. This function behaves as a
+ * cipher_abort entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Initialized cipher operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation);
+
+/** Encrypt a message using a symmetric cipher.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_encrypt entry point. This function behaves as a
+ * cipher_encrypt entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] iv Buffer containing the IV for encryption. The
+ * IV has been generated by the core.
+ * \param[in] iv_length Size of the \p iv in bytes.
+ * \param[in] input Buffer containing the message to encrypt.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in,out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes that make up
+ * the returned output. Initialized to zero
+ * by the core.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size \p iv_length is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ */
+psa_status_t mbedtls_psa_cipher_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Decrypt a message using a symmetric cipher.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_decrypt entry point. This function behaves as a
+ * cipher_decrypt entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the iv and the ciphertext.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes that make up
+ * the returned output. Initialized to zero
+ * by the core.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ */
+psa_status_t mbedtls_psa_cipher_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+#endif /* PSA_CRYPTO_CIPHER_H */
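Review bot: The documentation of mbedtls_psa_cipher_decrypt() describes #PSA_ERROR_INVALID_ARGUMENT in terms of `\p iv`, but this function has no `iv` parameter; the IV is carried at the start of `input`. The `input` entry should say so and state the length precondition the implementation depends on, for example `\param[in] input Buffer containing the IV followed by the ciphertext; \p input_length must be at least the IV length for \p alg.` The #PSA_ERROR_INVALID_PADDING entry on mbedtls_psa_cipher_encrypt() describes a decryption operation and looks carried over from the decrypt documentation, so it should be dropped or reworded. The `cipher_id` parameter of mbedtls_cipher_values_from_psa() is documented as a plain output, so it would help to add `May be \c NULL if the caller does not need it.`, which is what the definition in psa_crypto_cipher.c allows.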
diff --git a/tf-psa-crypto/core/psa_crypto_client.c b/tf-psa-crypto/core/psa_crypto_client.c
new file mode 100644
index 0000000..72f671d
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_client.c
@@ -0,0 +1,22 @@
+/*
+ * PSA crypto client code
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#include <string.h>
+#include "mbedtls/platform.h"
+
+void psa_reset_key_attributes(psa_key_attributes_t *attributes)
+{
+ memset(attributes, 0, sizeof(*attributes));
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
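Review bot: In `psa_reset_key_attributes()` the reset is a bare `memset(attributes, 0, sizeof(*attributes));`, which is a complete reset only while `psa_key_attributes_t` owns no dynamically allocated members, and nothing in this new file records that invariant. I would add a comment above the call, for example `/* Attributes own no heap allocations, so zeroing is a full reset; revisit if a pointer member is added. */`, so a later field addition does not silently become a leak or a stale pointer. The structure definition is outside this hunk, so the invariant should be confirmed there. Separately, `#include "mbedtls/platform.h"` appears unused in the 22 lines of this file and could probably be dropped.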
diff --git a/tf-psa-crypto/core/psa_crypto_core.h b/tf-psa-crypto/core/psa_crypto_core.h
new file mode 100644
index 0000000..9462d2e
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_core.h
@@ -0,0 +1,957 @@
+/*
+ * PSA crypto core internal interfaces
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CORE_H
+#define PSA_CRYPTO_CORE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/**
+ * Tell if PSA is ready for this hash.
+ *
+ * \note For now, only checks the state of the driver subsystem,
+ * not the algorithm. Might do more in the future.
+ *
+ * \param hash_alg The hash algorithm (ignored for now).
+ *
+ * \return 1 if the driver subsytem is ready, 0 otherwise.
+ */
+int psa_can_do_hash(psa_algorithm_t hash_alg);
+
+/**
+ * Tell if PSA is ready for this cipher.
+ *
+ * \note For now, only checks the state of the driver subsystem,
+ * not the algorithm. Might do more in the future.
+ *
+ * \param cipher_alg The cipher algorithm (ignored for now).
+ *
+ * \return 1 if the driver subsytem is ready, 0 otherwise.
+ */
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
+
+typedef enum {
+ PSA_SLOT_EMPTY = 0,
+ PSA_SLOT_FILLING,
+ PSA_SLOT_FULL,
+ PSA_SLOT_PENDING_DELETION,
+} psa_key_slot_state_t;
+
+/** The data structure representing a key slot, containing key material
+ * and metadata for one key.
+ */
+typedef struct {
+ psa_key_attributes_t attr;
+
+ /*
+ * The current state of the key slot, as described in
+ * docs/architecture/psa-thread-safety/psa-thread-safety.md.
+ *
+ * Library functions can modify the state of a key slot by calling
+ * psa_key_slot_state_transition.
+ *
+ * The state variable is used to help determine whether library functions
+ * which operate on the slot succeed. For example, psa_finish_key_creation,
+ * which transfers the state of a slot from PSA_SLOT_FILLING to
+ * PSA_SLOT_FULL, must fail with error code PSA_ERROR_CORRUPTION_DETECTED
+ * if the state of the slot is not PSA_SLOT_FILLING.
+ *
+ * Library functions which traverse the array of key slots only consider
+ * slots that are in a suitable state for the function.
+ * For example, psa_get_and_lock_key_slot_in_memory, which finds a slot
+ * containing a given key ID, will only check slots whose state variable is
+ * PSA_SLOT_FULL. */
+ psa_key_slot_state_t state;
+
+ /*
+ * Number of functions registered as reading the material in the key slot.
+ *
+ * Library functions must not write directly to registered_readers
+ *
+ * A function must call psa_register_read(slot) before reading the current
+ * contents of the slot for an operation.
+ * They then must call psa_unregister_read(slot) once they have finished
+ * reading the current contents of the slot. If the key slot mutex is not
+ * held (when mutexes are enabled), this call must be done via a call to
+ * psa_unregister_read_under_mutex(slot).
+ * A function must call psa_key_slot_has_readers(slot) to check if
+ * the slot is in use for reading.
+ *
+ * This counter is used to prevent resetting the key slot while the library
+ * may access it. For example, such control is needed in the following
+ * scenarios:
+ * . In case of key slot starvation, all key slots contain the description
+ * of a key, and the library asks for the description of a persistent
+ * key not present in the key slots, the key slots currently accessed by
+ * the library cannot be reclaimed to free a key slot to load the
+ * persistent key.
+ * . In case of a multi-threaded application where one thread asks to close
+ * or purge or destroy a key while it is in use by the library through
+ * another thread. */
+ size_t registered_readers;
+
+ /* Dynamically allocated key data buffer.
+ * Format as specified in psa_export_key(). */
+ struct key_data {
+ uint8_t *data;
+ size_t bytes;
+ } key;
+} psa_key_slot_t;
+
+#if defined(MBEDTLS_THREADING_C)
+
+/** Perform a mutex operation and return immediately upon failure.
+ *
+ * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails
+ * and status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_RET(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ return PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ return status; \
+ } \
+ } while (0);
+
+/** Perform a mutex operation and goto exit on failure.
+ *
+ * Sets status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * Label exit: exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_GOTO_EXIT(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ status = PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ goto exit; \
+ } \
+ } while (0);
+#endif
+
+/** Test whether a key slot has any registered readers.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot to test.
+ *
+ * \return 1 if the slot has any registered readers, 0 otherwise.
+ */
+static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot)
+{
+ return slot->registered_readers > 0;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** Get the SE slot number of a key from the key slot storing its description.
+ *
+ * \param[in] slot The key slot to query. This must be a key slot storing
+ * the description of a key of a dynamically registered
+ * secure element, otherwise the behaviour is undefined.
+ */
+static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
+ const psa_key_slot_t *slot)
+{
+ return *((psa_key_slot_number_t *) (slot->key.data));
+}
+#endif
+
+/** Completely wipe a slot in memory, including its policy.
+ *
+ * Persistent storage is not affected.
+ * Sets the slot's state to PSA_SLOT_EMPTY.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in,out] slot The key slot to wipe.
+ *
+ * \retval #PSA_SUCCESS
+ * The slot has been successfully wiped.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was PSA_SLOT_FULL or PSA_SLOT_PENDING_DELETION, and
+ * the amount of registered readers was not equal to 1. Or,
+ * the slot's state was PSA_SLOT_EMPTY. Or,
+ * the slot's state was PSA_SLOT_FILLING, and the amount
+ * of registered readers was not equal to 0.
+ */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
+
+/** Try to allocate a buffer to an empty key slot.
+ *
+ * \param[in,out] slot Key slot to attach buffer to.
+ * \param[in] buffer_length Requested size of the buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The buffer has been successfully allocated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Not enough memory was available for allocation.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * Trying to allocate a buffer to a non-empty key slot.
+ */
+psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
+ size_t buffer_length);
+
+/** Wipe key data from a slot. Preserves metadata such as the policy. */
+psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot);
+
+/** Copy key data (in export format) into an empty key slot.
+ *
+ * This function assumes that the slot does not contain
+ * any key material yet. On failure, the slot content is unchanged.
+ *
+ * \param[in,out] slot Key slot to copy the key into.
+ * \param[in] data Buffer containing the key material.
+ * \param data_length Size of the key buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key has been copied successfully.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Not enough memory was available for allocation of the
+ * copy buffer.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * There was other key material already present in the slot.
+ */
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length);
+
+/** Convert an Mbed TLS error code to a PSA error code
+ *
+ * \note This function is provided solely for the convenience of
+ * Mbed TLS and may be removed at any time without notice.
+ *
+ * \param ret An Mbed TLS-thrown error code
+ *
+ * \return The corresponding PSA error code
+ */
+psa_status_t mbedtls_to_psa_error(int ret);
+
+/** Import a key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer to contain the key data in output
+ * format upon successful return.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t psa_import_key_into_slot(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export a key in binary format
+ *
+ * \note The signature of this function is that of a PSA driver export_key
+ * entry point. This function behaves as an export_key entry point as
+ * defined in the PSA driver interface specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_export_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/** Export a public key or the public part of a key pair in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_export_public_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/** Whether a key production parameters structure is the default.
+ *
+ * Calls to a key generation driver with non-default production parameters
+ * require a driver supporting custom production parameters.
+ *
+ * \param[in] params The key production parameters to check.
+ * \param params_data_length Size of `params->data` in bytes.
+ */
+int psa_key_production_parameters_are_default(
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length);
+
+/**
+ * \brief Generate a key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to generate.
+ * \param[in] params The production parameters from
+ * psa_generate_key_ext().
+ * \param params_data_length The size of `params->data` in bytes.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key size in bits or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/** Sign a message with a private key. For hash-and-sign algorithms,
+ * this includes the hashing step.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_message entry point. This function behaves as a sign_message
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note This function will call the driver for psa_sign_hash
+ * and go through driver dispatch again.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] input The input message to sign.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t psa_sign_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *input, size_t input_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/** Verify the signature of a message with a public key, using
+ * a hash-and-sign verification algorithm.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_message entry point. This function behaves as a verify_message
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note This function will call the driver for psa_verify_hash
+ * and go through driver dispatch again.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] input The message whose signature is to be verified.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_verify_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *input, size_t input_length,
+ const uint8_t *signature, size_t signature_length);
+
+/** Sign an already-calculated hash with a private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t psa_sign_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_verify_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Validate the key bit size for unstructured keys.
+ *
+ * \note Check that the bit size is acceptable for a given key type for
+ * unstructured keys.
+ *
+ * \param[in] type The key type
+ * \param[in] bits The number of bits of the key
+ *
+ * \retval #PSA_SUCCESS
+ * The key type and size are valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The type and/or the size in bits of the key or the combination of
+ * the two is not supported.
+ */
+psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
+ size_t bits);
+
+/** Perform a key agreement and return the raw shared secret, using
+ built-in raw key agreement functions.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * key_agreement entry point. This function behaves as a key_agreement
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p shared_secret_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
+ */
+psa_status_t psa_key_agreement_raw_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/**
+ * \brief Set the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_set_max_ops entry point. This function behaves as an
+ * interruptible_set_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] max_ops The maximum number of ops to be executed in a
+ * single call, this can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is obviously the least amount of work done per
+ * call.
+ */
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_get_max_ops entry point. This function behaves as an
+ * interruptible_get_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \return Maximum number of ops allowed to be executed
+ * by an interruptible function in a single call.
+ */
+uint32_t mbedtls_psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing operation has taken for the
+ * previous call. If no call or work has taken place, this will return
+ * zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_get_num_ops entry point. This function behaves as an
+ * sign_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_sign_hash_complete().
+ */
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification operation has taken for
+ * the previous call. If no call or work has taken place, this will
+ * return zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_get_num_ops entry point. This function behaves as an
+ * verify_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_verify_hash_complete().
+ */
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a private key, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_start entry point. This function behaves as a
+ * sign_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported, incorrectly formatted or incorrect type of key was
+ * used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
+ * are currently supported, or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver sign_hash_abort
+ * entry point. This function behaves as a sign_hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short message, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_start entry point. This function behaves as a
+ * verify_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported or incorrect type of key was used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Either no internal interruptible operations are currently supported,
+ * or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory either to load the key representation,
+ * or to prepare the operation.
+ */
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify signed hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_abort entry point. This function behaves as a
+ * verify_hash_abort entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+typedef struct psa_crypto_local_input_s {
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_input_t;
+
+#define PSA_CRYPTO_LOCAL_INPUT_INIT ((psa_crypto_local_input_t) { NULL, 0 })
+
+/** Allocate a local copy of an input buffer and copy the contents into it.
+ *
+ * \param[in] input Pointer to input buffer.
+ * \param[in] input_len Length of the input buffer.
+ * \param[out] local_input Pointer to a psa_crypto_local_input_t struct
+ * containing a local input copy.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_INSUFFICIENT_MEMORY, if a copy of
+ * the buffer cannot be allocated.
+ */
+psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
+ psa_crypto_local_input_t *local_input);
+
+/** Free a local copy of an input buffer.
+ *
+ * \param[in] local_input Pointer to a psa_crypto_local_input_t struct
+ * populated by a previous call to
+ * psa_crypto_local_input_alloc().
+ */
+void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input);
+
+typedef struct psa_crypto_local_output_s {
+ uint8_t *original;
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_output_t;
+
+#define PSA_CRYPTO_LOCAL_OUTPUT_INIT ((psa_crypto_local_output_t) { NULL, NULL, 0 })
+
+/** Allocate a local copy of an output buffer.
+ *
+ * \note This does not copy any data from the original
+ * output buffer but only allocates a buffer
+ * whose contents will be copied back to the
+ * original in a future call to
+ * psa_crypto_local_output_free().
+ *
+ * \param[in] output Pointer to output buffer.
+ * \param[in] output_len Length of the output buffer.
+ * \param[out] local_output Pointer to a psa_crypto_local_output_t struct to
+ * populate with the local output copy.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_INSUFFICIENT_MEMORY, if a copy of
+ * the buffer cannot be allocated.
+ */
+psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
+ psa_crypto_local_output_t *local_output);
+
+/** Copy from a local copy of an output buffer back to the original, then
+ * free the local copy.
+ *
+ * \param[in] local_output Pointer to a psa_crypto_local_output_t struct
+ * populated by a previous call to
+ * psa_crypto_local_output_alloc().
+ * \return #PSA_SUCCESS, if the local output was
+ * successfully copied back to the original.
+ * \return #PSA_ERROR_CORRUPTION_DETECTED, if the output
+ * could not be copied back to the original.
+ */
+psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output);
+
+#endif /* PSA_CRYPTO_CORE_H */
diff --git a/tf-psa-crypto/core/psa_crypto_core_common.h b/tf-psa-crypto/core/psa_crypto_core_common.h
new file mode 100644
index 0000000..98fce2c
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_core_common.h
@@ -0,0 +1,52 @@
+/**
+ * \file psa_crypto_core_common.h
+ *
+ * \brief Utility macros for internal use in the PSA cryptography core.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CORE_COMMON_H
+#define PSA_CRYPTO_CORE_COMMON_H
+
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *psa_crypto_buffer_offset(
+ unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *psa_crypto_buffer_offset_const(
+ const unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+#endif /* PSA_CRYPTO_CORE_COMMON_H */
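Review bot: The comment on `psa_crypto_buffer_offset_const()` says "Similar to mbedtls_buffer_offset()", but the non-const helper defined just above it in this header is `psa_crypto_buffer_offset()`. If that sibling is what is meant, the line should read `Similar to psa_crypto_buffer_offset(), but for const pointers.` The header also uses `size_t` and `NULL` without including anything, so it compiles only when an earlier include provides them; adding `#include <stddef.h>` after the include guard would make it self-contained. Both helpers return NULL for a null `p` even when `n` is non-zero, and the `\return` text could state that this case is a caller error rather than a valid offset.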
diff --git a/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h b/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h
new file mode 100644
index 0000000..cd617f6
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h
@@ -0,0 +1,31 @@
+/*
+ * Function signatures for functionality that can be provided by
+ * cryptographic accelerators.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
+#define PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
+
+#include "psa/crypto.h"
+#include "psa/crypto_driver_common.h"
+
+psa_status_t psa_driver_wrapper_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t psa_driver_wrapper_get_key_buffer_size(
+ const psa_key_attributes_t *attributes,
+ size_t *key_buffer_size);
+
+psa_status_t psa_driver_wrapper_get_builtin_key(
+ psa_drv_slot_number_t slot_number,
+ psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+#endif /* PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H */
+
+/* End of automatically generated file. */
diff --git a/tf-psa-crypto/core/psa_crypto_ecp.c b/tf-psa-crypto/core/psa_crypto_ecp.c
new file mode 100644
index 0000000..95baff6
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_ecp.c
@@ -0,0 +1,596 @@
+/*
+ * PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_random_impl.h"
+#include "mbedtls/psa_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include <mbedtls/ecdsa.h>
+#include <mbedtls/ecdh.h>
+#include <mbedtls/ecp.h>
+#include <mbedtls/error.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+/* Helper function to verify if the provided EC's family and key bit size are valid.
+ *
+ * Note: "bits" parameter is used both as input and output and it might be updated
+ * in case provided input value is not multiple of 8 ("sloppy" bits).
+ */
+static int check_ecc_parameters(psa_ecc_family_t family, size_t *bits)
+{
+ switch (family) {
+ case PSA_ECC_FAMILY_SECP_R1:
+ switch (*bits) {
+ case 192:
+ case 224:
+ case 256:
+ case 384:
+ case 521:
+ return PSA_SUCCESS;
+ case 528:
+ *bits = 521;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+ switch (*bits) {
+ case 256:
+ case 384:
+ case 512:
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (*bits) {
+ case 448:
+ case 255:
+ return PSA_SUCCESS;
+ case 256:
+ *bits = 255;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_SECP_K1:
+ switch (*bits) {
+ case 192:
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+ case 256:
+ return PSA_SUCCESS;
+ }
+ break;
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+psa_status_t mbedtls_psa_ecp_load_representation(
+ psa_key_type_t type, size_t curve_bits,
+ const uint8_t *data, size_t data_length,
+ mbedtls_ecp_keypair **p_ecp)
+{
+ mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
+ psa_status_t status;
+ mbedtls_ecp_keypair *ecp = NULL;
+ size_t curve_bytes = data_length;
+ int explicit_bits = (curve_bits != 0);
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
+ /* A Weierstrass public key is represented as:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
+ * So its data length is 2m+1 where m is the curve size in bits.
+ */
+ if ((data_length & 1) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ curve_bytes = data_length / 2;
+
+ /* Montgomery public keys are represented in compressed format, meaning
+ * their curve_bytes is equal to the amount of input. */
+
+ /* Private keys are represented in uncompressed private random integer
+ * format, meaning their curve_bytes is equal to the amount of input. */
+ }
+
+ if (explicit_bits) {
+ /* With an explicit bit-size, the data must have the matching length. */
+ if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else {
+ /* We need to infer the bit-size from the data. Since the only
+ * information we have is the length in bytes, the value of curve_bits
+ * at this stage is rounded up to the nearest multiple of 8. */
+ curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
+ }
+
+ /* Allocate and initialize a key representation. */
+ ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
+ if (ecp == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ mbedtls_ecp_keypair_init(ecp);
+
+ status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), &curve_bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Load the group. */
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
+ curve_bits);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_group_load(&ecp->grp, grp_id));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Load the key material. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ /* Load the public value. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
+ data,
+ data_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Check that the point is on the curve. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ /* Load and validate the secret value. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_read_key(ecp->grp.id,
+ ecp,
+ data,
+ data_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ *p_ecp = ecp;
+exit:
+ if (status != PSA_SUCCESS) {
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+ }
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+
+psa_status_t mbedtls_psa_ecp_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status;
+ mbedtls_ecp_keypair *ecp = NULL;
+
+ /* Parse input */
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ data,
+ data_length,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type) ==
+ PSA_ECC_FAMILY_MONTGOMERY) {
+ *bits = ecp->grp.nbits + 1;
+ } else {
+ *bits = ecp->grp.nbits;
+ }
+
+ /* Re-export the data to PSA export format. There is currently no support
+ * for other input formats then the export format, so this is a 1-1
+ * copy operation. */
+ status = mbedtls_psa_ecp_export_key(attributes->type,
+ ecp,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+exit:
+ /* Always free the PK object (will also free contained ECP context) */
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+ mbedtls_ecp_keypair *ecp,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ /* Check whether the public part is loaded */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ /* Calculate the public key */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ data_length,
+ data,
+ data_size));
+ if (status != PSA_SUCCESS) {
+ memset(data, 0, data_size);
+ }
+
+ return status;
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_write_key_ext(ecp, data_length, data, data_size));
+ return status;
+ }
+}
+
+psa_status_t mbedtls_psa_ecp_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+
+ status = mbedtls_psa_ecp_load_representation(
+ attributes->type, attributes->bits,
+ key_buffer, key_buffer_size, &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_export_key(
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type)),
+ ecp, data, data_size, data_length);
+
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+psa_status_t mbedtls_psa_ecp_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+ attributes->type);
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_from_psa(curve, attributes->bits);
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(grp_id);
+ mbedtls_ecp_keypair ecp;
+
+ if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ mbedtls_ecp_keypair_init(&ecp);
+ ret = mbedtls_ecp_gen_key(grp_id, &ecp,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ mbedtls_ecp_keypair_free(&ecp);
+ return mbedtls_to_psa_error(ret);
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
+ key_buffer, key_buffer_size));
+
+ mbedtls_ecp_keypair_free(&ecp);
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+
+/****************************************************************/
+/* ECDSA sign/verify */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t curve_bytes;
+ mbedtls_mpi r, s;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_size < 2 * curve_bytes) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
+ &ecp->grp, &r, &s,
+ &ecp->d, hash,
+ hash_length, md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+#else
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ goto cleanup;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ (void) alg;
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
+ hash, hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
+ signature,
+ curve_bytes));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ if (ret == 0) {
+ *signature_length = 2 * curve_bytes;
+ }
+
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+{
+ int ret = 0;
+
+ /* Check whether the public part is loaded. If not, load it. */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
+ &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+ size_t curve_bytes;
+ mbedtls_mpi r, s;
+
+ (void) alg;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_length != 2 * curve_bytes) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
+ signature,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(ecp);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
+ hash_length, &ecp->Q,
+ &r, &s));
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+
+/****************************************************************/
+/* ECDH Key Agreement */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+psa_status_t mbedtls_psa_key_agreement_ecdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
+ uint8_t *shared_secret, size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ psa_status_t status;
+ if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type) ||
+ !PSA_ALG_IS_ECDH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ mbedtls_ecp_keypair *ecp = NULL;
+ status = mbedtls_psa_ecp_load_representation(
+ attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ mbedtls_ecp_keypair *their_key = NULL;
+ mbedtls_ecdh_context ecdh;
+ size_t bits = 0;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ecp->grp.id, &bits);
+ mbedtls_ecdh_init(&ecdh);
+
+ status = mbedtls_psa_ecp_load_representation(
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
+ bits,
+ peer_key,
+ peer_key_length,
+ &their_key);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_get_params(&ecdh, ecp, MBEDTLS_ECDH_OURS));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_calc_secret(&ecdh,
+ shared_secret_length,
+ shared_secret, shared_secret_size,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+exit:
+ if (status != PSA_SUCCESS) {
+ mbedtls_platform_zeroize(shared_secret, shared_secret_size);
+ }
+ mbedtls_ecdh_free(&ecdh);
+ mbedtls_ecp_keypair_free(their_key);
+ mbedtls_free(their_key);
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
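Review bot: In `mbedtls_psa_ecp_export_key()` the public-key branch clears `data` when the write fails, but the private-key branch returns the status of `mbedtls_ecp_write_key_ext()` without touching the buffer, so the branch that handles secret material is the one with no cleanup. Whether that call can leave partial key bytes behind on failure is not visible in this hunk, so I would clear the buffer defensively, as `mbedtls_psa_key_agreement_ecdh()` already does for its output: `if (status != PSA_SUCCESS) { mbedtls_platform_zeroize(data, data_size); }`. The same applies to `key_buffer` after the `mbedtls_ecp_write_key_ext()` call in `mbedtls_psa_ecp_generate_key()`. Separately, the comment in `mbedtls_psa_ecp_load_representation()` stating the data length is "2m+1 where m is the curve size in bits" should say `2 * ceiling(m/8) + 1` bytes, which is what the odd-length check and `data_length / 2` implement.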
diff --git a/tf-psa-crypto/core/psa_crypto_ecp.h b/tf-psa-crypto/core/psa_crypto_ecp.h
new file mode 100644
index 0000000..a9f5d59
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_ecp.h
@@ -0,0 +1,267 @@
+/*
+ * PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ECP_H
+#define PSA_CRYPTO_ECP_H
+
+#include <psa/crypto.h>
+#include <mbedtls/ecp.h>
+
+/** Load the contents of a key buffer into an internal ECP representation
+ *
+ * \param[in] type The type of key contained in \p data.
+ * \param[in] curve_bits The nominal bit-size of the curve.
+ * It must be consistent with the representation
+ * passed in \p data.
+ * This can be 0, in which case the bit-size
+ * is inferred from \p data_length (which is possible
+ * for all key types and representation formats
+ * formats that are currently supported or will
+ * be in the foreseeable future).
+ * \param[in] data The buffer from which to load the representation.
+ * \param[in] data_length The size in bytes of \p data.
+ * \param[out] p_ecp Returns a pointer to an ECP context on success.
+ * The caller is responsible for freeing both the
+ * contents of the context and the context itself
+ * when done.
+ */
+psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
+ size_t curve_bits,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_ecp_keypair **p_ecp);
+
+/** Load the public part of an internal ECP, if required.
+ *
+ * \param ecp The ECP context to load the public part for.
+ *
+ * \return PSA_SUCCESS on success, otherwise an MPI error.
+ */
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+
+/** Import an ECP key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The ECP key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ecp_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export an ECP key to export representation
+ *
+ * \param[in] type The type of key (public/private) to export
+ * \param[in] ecp The internal ECP representation from which to export
+ * \param[out] data The buffer to export to
+ * \param[in] data_size The length of the buffer to export to
+ * \param[out] data_length The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+ mbedtls_ecp_keypair *ecp,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/** Export an ECP public key or the public part of an ECP key pair in binary
+ * format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The ECP public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecp_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an ECP key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the ECP key to generate.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ecp_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with ECDSA.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the ECC key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the ECC key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg Randomized or deterministic ECDSA algorithm.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
+ * \p alg) where \c key_bits is the bit-size of the ECC key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify an ECDSA hash or short message signature.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the ECC key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the ECC key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg Randomized or deterministic ECDSA algorithm.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+
+/** Perform a key agreement and return the raw ECDH shared secret.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * key_agreement entry point. This function behaves as a key_agreement
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p shared_secret_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_key_agreement_ecdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
+ uint8_t *shared_secret, size_t shared_secret_size,
+ size_t *shared_secret_length);
+#endif /* PSA_CRYPTO_ECP_H */
diff --git a/tf-psa-crypto/core/psa_crypto_ffdh.c b/tf-psa-crypto/core/psa_crypto_ffdh.c
new file mode 100644
index 0000000..ae38f6d
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_ffdh.c
@@ -0,0 +1,321 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* This header is only needed because it defines
+ * MBEDTLS_DHM_RFC7919_FFDHEXXXX_[P|G]_BIN symbols that are used in
+ * mbedtls_psa_ffdh_set_prime_generator(). Apart from that, this module
+ * only uses bignum functions for arithmetic. */
+#include <mbedtls/dhm.h>
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_ffdh.h"
+#include "psa_crypto_random_impl.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
+ mbedtls_mpi *P,
+ mbedtls_mpi *G)
+{
+ const unsigned char *dhm_P = NULL;
+ const unsigned char *dhm_G = NULL;
+ size_t dhm_size_P = 0;
+ size_t dhm_size_G = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (P == NULL && G == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
+ static const unsigned char dhm_P_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
+ static const unsigned char dhm_G_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
+ static const unsigned char dhm_P_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
+ static const unsigned char dhm_G_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
+ static const unsigned char dhm_P_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
+ static const unsigned char dhm_G_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
+ static const unsigned char dhm_P_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
+ static const unsigned char dhm_G_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
+ static const unsigned char dhm_P_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
+ static const unsigned char dhm_G_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+
+ switch (key_size) {
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
+ case sizeof(dhm_P_2048):
+ dhm_P = dhm_P_2048;
+ dhm_G = dhm_G_2048;
+ dhm_size_P = sizeof(dhm_P_2048);
+ dhm_size_G = sizeof(dhm_G_2048);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
+ case sizeof(dhm_P_3072):
+ dhm_P = dhm_P_3072;
+ dhm_G = dhm_G_3072;
+ dhm_size_P = sizeof(dhm_P_3072);
+ dhm_size_G = sizeof(dhm_G_3072);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
+ case sizeof(dhm_P_4096):
+ dhm_P = dhm_P_4096;
+ dhm_G = dhm_G_4096;
+ dhm_size_P = sizeof(dhm_P_4096);
+ dhm_size_G = sizeof(dhm_G_4096);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
+ case sizeof(dhm_P_6144):
+ dhm_P = dhm_P_6144;
+ dhm_G = dhm_G_6144;
+ dhm_size_P = sizeof(dhm_P_6144);
+ dhm_size_G = sizeof(dhm_G_6144);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
+ case sizeof(dhm_P_8192):
+ dhm_P = dhm_P_8192;
+ dhm_G = dhm_G_8192;
+ dhm_size_P = sizeof(dhm_P_8192);
+ dhm_size_G = sizeof(dhm_G_8192);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
+ dhm_size_P));
+ }
+ if (G != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
+ dhm_size_G));
+ }
+
+cleanup:
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+psa_status_t mbedtls_psa_ffdh_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi GX, G, X, P;
+ psa_key_type_t type = attributes->type;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ if (key_buffer_size > data_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(data, key_buffer, key_buffer_size);
+ memset(data + key_buffer_size, 0,
+ data_size - key_buffer_size);
+ *data_length = key_buffer_size;
+ return PSA_SUCCESS;
+ }
+
+ mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
+
+ size_t key_len = PSA_BITS_TO_BYTES(attributes->bits);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
+
+ *data_length = key_len;
+
+ ret = 0;
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ mbedtls_mpi X, P;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
+ (void) attributes;
+
+ status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
+ secret exponent from the range [2, P-2].
+ Select random value in range [3, P-1] and decrease it by 1. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
+ *key_buffer_length = key_buffer_size;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
+ if (status == PSA_SUCCESS && ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT)
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ (void) attributes;
+
+ if (key_buffer_size < data_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+ *bits = PSA_BYTES_TO_BITS(data_length);
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+psa_status_t mbedtls_psa_ffdh_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi P, G, X, GY, K;
+ const size_t calculated_shared_secret_size = peer_key_length;
+
+ if (peer_key_length != key_buffer_size ||
+ calculated_shared_secret_size > shared_secret_size) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
+ mbedtls_mpi_init(&K);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(
+ PSA_BITS_TO_BYTES(attributes->bits), &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
+ peer_key_length));
+
+ /* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
+ calculated_shared_secret_size));
+
+ *shared_secret_length = calculated_shared_secret_size;
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
+ mbedtls_mpi_free(&K);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
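Review bot: In mbedtls_psa_ffdh_export_public_key the key-pair path never compares `data_size` with the output length: `mbedtls_mpi_write_binary(&GX, data, key_len)` writes `PSA_BITS_TO_BYTES(attributes->bits)` bytes whatever size the caller passed, and only the public-key branch checks the buffer. Unless every caller is guaranteed to size `data` from the key attributes (not visible here), a guard before the `mbedtls_mpi_init` calls would close this: `if (PSA_BITS_TO_BYTES(attributes->bits) > data_size) { return PSA_ERROR_BUFFER_TOO_SMALL; }`. Separately, mbedtls_psa_ffdh_key_agreement passes `peer_key` to `mbedtls_mpi_exp_mod` after checking only its length. RFC 7919 section 5.1 requires peers to verify 1 < Y < p - 1, so a range check of `GY` against `P` belongs here if the import path does not already enforce it.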
diff --git a/tf-psa-crypto/core/psa_crypto_ffdh.h b/tf-psa-crypto/core/psa_crypto_ffdh.h
new file mode 100644
index 0000000..79accd1
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_ffdh.h
@@ -0,0 +1,131 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_FFDH_H
+#define PSA_CRYPTO_FFDH_H
+
+#include <psa/crypto.h>
+
+/** Perform a key agreement and return the FFDH shared secret.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key_buffer_size, \p peer_key_length, \p shared_secret_size
+ * do not match
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/** Export a public key or the public part of a DH key pair in binary format.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The public key was exported successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Generate DH key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to generate.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key size in bits is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/**
+ * \brief Import DH key.
+ *
+ * \note The signature of the function is that of a PSA driver import_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+#endif /* PSA_CRYPTO_FFDH_H */
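Review bot: The \retval text for #PSA_ERROR_BUFFER_TOO_SMALL on mbedtls_psa_ffdh_export_public_key names the wrong buffer: the output buffer is `data`, so it should read `The size of \p data is too small.` The #PSA_SUCCESS text on mbedtls_psa_ffdh_import_key appears to be copied from generate_key and should read `The key was imported successfully.` The generate_key block also documents #PSA_ERROR_NOT_SUPPORTED for an invalid key size, whereas mbedtls_psa_ffdh_set_prime_generator in psa_crypto_ffdh.c returns #PSA_ERROR_INVALID_ARGUMENT for an unrecognised size. The header and the implementation should be brought into agreement so callers can rely on the documented status codes.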
diff --git a/tf-psa-crypto/core/psa_crypto_hash.c b/tf-psa-crypto/core/psa_crypto_hash.c
new file mode 100644
index 0000000..eeb7666
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_hash.c
@@ -0,0 +1,470 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_hash.h"
+
+#include <mbedtls/error.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+psa_status_t mbedtls_psa_hash_abort(
+ mbedtls_psa_hash_operation_t *operation)
+{
+ switch (operation->alg) {
+ case 0:
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ break;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_free(&operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_free(&operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_free(&operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_free(&operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_free(&operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_free(&operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_free(&operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ mbedtls_sha3_free(&operation->ctx.sha3);
+ break;
+#endif
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+ operation->alg = 0;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_hash_setup(
+ mbedtls_psa_hash_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_init(&operation->ctx.md5);
+ ret = mbedtls_md5_starts(&operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_init(&operation->ctx.ripemd160);
+ ret = mbedtls_ripemd160_starts(&operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_init(&operation->ctx.sha1);
+ ret = mbedtls_sha1_starts(&operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_init(&operation->ctx.sha256);
+ ret = mbedtls_sha256_starts(&operation->ctx.sha256, 1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_init(&operation->ctx.sha256);
+ ret = mbedtls_sha256_starts(&operation->ctx.sha256, 0);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_init(&operation->ctx.sha512);
+ ret = mbedtls_sha512_starts(&operation->ctx.sha512, 1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_init(&operation->ctx.sha512);
+ ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512);
+ break;
+#endif
+ default:
+ return PSA_ALG_IS_HASH(alg) ?
+ PSA_ERROR_NOT_SUPPORTED :
+ PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (ret == 0) {
+ operation->alg = alg;
+ } else {
+ mbedtls_psa_hash_abort(operation);
+ }
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_hash_clone(
+ const mbedtls_psa_hash_operation_t *source_operation,
+ mbedtls_psa_hash_operation_t *target_operation)
+{
+ switch (source_operation->alg) {
+ case 0:
+ return PSA_ERROR_BAD_STATE;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_clone(&target_operation->ctx.md5,
+ &source_operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_clone(&target_operation->ctx.ripemd160,
+ &source_operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_clone(&target_operation->ctx.sha1,
+ &source_operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_clone(&target_operation->ctx.sha256,
+ &source_operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_clone(&target_operation->ctx.sha256,
+ &source_operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_clone(&target_operation->ctx.sha512,
+ &source_operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_clone(&target_operation->ctx.sha512,
+ &source_operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ mbedtls_sha3_clone(&target_operation->ctx.sha3,
+ &source_operation->ctx.sha3);
+ break;
+#endif
+ default:
+ (void) source_operation;
+ (void) target_operation;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ target_operation->alg = source_operation->alg;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_hash_update(
+ mbedtls_psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ ret = mbedtls_md5_update(&operation->ctx.md5,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ ret = mbedtls_ripemd160_update(&operation->ctx.ripemd160,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ ret = mbedtls_sha1_update(&operation->ctx.sha1,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ ret = mbedtls_sha256_update(&operation->ctx.sha256,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ ret = mbedtls_sha256_update(&operation->ctx.sha256,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ ret = mbedtls_sha512_update(&operation->ctx.sha512,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ ret = mbedtls_sha512_update(&operation->ctx.sha512,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ ret = mbedtls_sha3_update(&operation->ctx.sha3,
+ input, input_length);
+ break;
+#endif
+ default:
+ (void) input;
+ (void) input_length;
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_hash_finish(
+ mbedtls_psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t actual_hash_length = PSA_HASH_LENGTH(operation->alg);
+
+ /* Fill the output buffer with something that isn't a valid hash
+ * (barring an attack on the hash and deliberately-crafted input),
+ * in case the caller doesn't check the return status properly. */
+ *hash_length = hash_size;
+ /* If hash_size is 0 then hash may be NULL and then the
+ * call to memset would have undefined behavior. */
+ if (hash_size != 0) {
+ memset(hash, '!', hash_size);
+ }
+
+ if (hash_size < actual_hash_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ ret = mbedtls_md5_finish(&operation->ctx.md5, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ ret = mbedtls_ripemd160_finish(&operation->ctx.ripemd160, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ ret = mbedtls_sha1_finish(&operation->ctx.sha1, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size);
+ break;
+#endif
+ default:
+ (void) hash;
+ return PSA_ERROR_BAD_STATE;
+ }
+ status = mbedtls_to_psa_error(ret);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ *hash_length = actual_hash_length;
+ }
+ return status;
+}
+
+psa_status_t mbedtls_psa_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ mbedtls_psa_hash_operation_t operation = MBEDTLS_PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *hash_length = hash_size;
+ status = mbedtls_psa_hash_setup(&operation, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_psa_hash_update(&operation, input, input_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_psa_hash_finish(&operation, hash, hash_size, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ abort_status = mbedtls_psa_hash_abort(&operation);
+ if (status == PSA_SUCCESS) {
+ return abort_status;
+ } else {
+ return status;
+ }
+
+}
+#endif /* MBEDTLS_PSA_BUILTIN_HASH */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
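Review bot: The failure branch of mbedtls_psa_hash_setup calls `mbedtls_psa_hash_abort(operation)` while `operation->alg` is still 0, so abort takes its `case 0` branch and the context just set up by the `*_init` call is never passed to the matching `*_free`. Setting the algorithm first makes the cleanup effective: add `operation->alg = alg;` on the line before `mbedtls_psa_hash_abort(operation);` in the `else` branch, since abort resets `alg` to 0 afterwards. The practical effect depends on what the `*_free` functions do with a context whose `*_starts` failed, which is not visible in this hunk.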
diff --git a/tf-psa-crypto/core/psa_crypto_hash.h b/tf-psa-crypto/core/psa_crypto_hash.h
new file mode 100644
index 0000000..0a7be80
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_hash.h
@@ -0,0 +1,211 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_HASH_H
+#define PSA_CRYPTO_HASH_H
+
+#include <psa/crypto.h>
+
+/** Calculate the hash (digest) of a message using Mbed TLS routines.
+ *
+ * \note The signature of this function is that of a PSA driver hash_compute
+ * entry point. This function behaves as a hash_compute entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\p alg).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p hash_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Set up a multipart hash operation using Mbed TLS routines.
+ *
+ * \note The signature of this function is that of a PSA driver hash_setup
+ * entry point. This function behaves as a hash_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * If an error occurs at any step after a call to mbedtls_psa_hash_setup(), the
+ * operation will need to be reset by a call to mbedtls_psa_hash_abort(). The
+ * core may call mbedtls_psa_hash_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to mbedtls_psa_hash_setup(), the core must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to mbedtls_psa_hash_finish() or mbedtls_psa_hash_verify().
+ * - A call to mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized to all-zero and not yet be in use.
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_setup(
+ mbedtls_psa_hash_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Clone an Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_clone
+ * entry point. This function behaves as a hash_clone entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * This function copies the state of an ongoing hash operation to
+ * a new operation object. In other words, this function is equivalent
+ * to calling mbedtls_psa_hash_setup() on \p target_operation with the same
+ * algorithm that \p source_operation was set up for, then
+ * mbedtls_psa_hash_update() on \p target_operation with the same input that
+ * that was passed to \p source_operation. After this function returns, the
+ * two objects are independent, i.e. subsequent calls involving one of
+ * the objects do not affect the other object.
+ *
+ * \param[in] source_operation The active hash operation to clone.
+ * \param[in,out] target_operation The operation object to set up.
+ * It must be initialized but not active.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p source_operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p target_operation state is not valid (it must be inactive).
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_clone(
+ const mbedtls_psa_hash_operation_t *source_operation,
+ mbedtls_psa_hash_operation_t *target_operation);
+
+/** Add a message fragment to a multipart Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_update
+ * entry point. This function behaves as a hash_update entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The application must call mbedtls_psa_hash_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] input Buffer containing the message fragment to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_update(
+ mbedtls_psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the Mbed TLS-calculated hash of a message.
+ *
+ * \note The signature of this function is that of a PSA driver hash_finish
+ * entry point. This function behaves as a hash_finish entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The application must call mbedtls_psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to mbedtls_psa_hash_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\c alg) where \c alg is the
+ * hash algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p hash buffer is too small. You can determine a
+ * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
+ * where \c alg is the hash algorithm that is calculated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_finish(
+ mbedtls_psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Abort an Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_abort
+ * entry point. This function behaves as a hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * mbedtls_psa_hash_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_hash_operation_t.
+ *
+ * In particular, calling mbedtls_psa_hash_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_hash_abort(), mbedtls_psa_hash_finish() or
+ * mbedtls_psa_hash_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized hash operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_abort(
+ mbedtls_psa_hash_operation_t *operation);
+
+#endif /* PSA_CRYPTO_HASH_H */
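Review bot: The descriptions of mbedtls_psa_hash_setup() and mbedtls_psa_hash_abort() name `mbedtls_psa_hash_verify()` as a call that terminates an operation, but this header declares no function of that name. A driver author reading these contracts cannot tell which entry point is meant, so either drop the reference or say where the comparison against an expected hash is done (presumably by the caller, on the output of mbedtls_psa_hash_finish(); not visible here). The update and finish descriptions also say "The application must call mbedtls_psa_hash_setup()" while the setup text speaks of "the core"; one term for the caller would read more clearly. In the mbedtls_psa_hash_clone() description, "the same input that that was passed" has a duplicated word.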
diff --git a/tf-psa-crypto/core/psa_crypto_invasive.h b/tf-psa-crypto/core/psa_crypto_invasive.h
new file mode 100644
index 0000000..51c90c6
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_invasive.h
@@ -0,0 +1,92 @@
+/**
+ * \file psa_crypto_invasive.h
+ *
+ * \brief PSA cryptography module: invasive interfaces for test only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They MUST NOT be made available to clients over IPC in integrations
+ * with isolation, and they SHOULD NOT be made available in library
+ * integrations except when building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_INVASIVE_H
+#define PSA_CRYPTO_INVASIVE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "common.h"
+
+#include "mbedtls/entropy.h"
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/** \brief Configure entropy sources.
+ *
+ * This function may only be called before a call to psa_crypto_init(),
+ * or after a call to mbedtls_psa_crypto_free() and before any
+ * subsequent call to psa_crypto_init().
+ *
+ * This function is only intended for test purposes. The functionality
+ * it provides is also useful for system integrators, but
+ * system integrators should configure entropy drivers instead of
+ * breaking through to the Mbed TLS API.
+ *
+ * \param entropy_init Function to initialize the entropy context
+ * and set up the desired entropy sources.
+ * It is called by psa_crypto_init().
+ * By default this is mbedtls_entropy_init().
+ * This function cannot report failures directly.
+ * To indicate a failure, set the entropy context
+ * to a state where mbedtls_entropy_func() will
+ * return an error.
+ * \param entropy_free Function to free the entropy context
+ * and associated resources.
+ * It is called by mbedtls_psa_crypto_free().
+ * By default this is mbedtls_entropy_free().
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The caller does not have the permission to configure
+ * entropy sources.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has already been initialized.
+ */
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+ void (* entropy_init)(mbedtls_entropy_context *ctx),
+ void (* entropy_free)(mbedtls_entropy_context *ctx));
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C)
+psa_status_t psa_mac_key_can_do(
+ psa_algorithm_t algorithm,
+ psa_key_type_t key_type);
+
+psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
+ uint8_t *input_copy, size_t input_copy_len);
+
+psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
+ uint8_t *output, size_t output_len);
+
+/*
+ * Test hooks to use for memory unpoisoning/poisoning in copy functions.
+ */
+extern void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len);
+extern void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len);
+extern void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len);
+extern void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len);
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */
+
+#endif /* PSA_CRYPTO_INVASIVE_H */
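Review bot: mbedtls_psa_crypto_configure_entropy_sources() is declared whenever MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is unset, whereas the copy helpers and hooks below it also require MBEDTLS_TEST_HOOKS, even though its own description says it is "only intended for test purposes". Whether the definition is likewise built into non-test configurations cannot be seen from this hunk. If the wider guard is intentional, it deserves a comment on the `#if`, for example `/* Not gated on MBEDTLS_TEST_HOOKS; integrations with isolation must not expose this to clients. */`, which restates the rule in the file header at the point where it matters. psa_mac_key_can_do(), psa_crypto_copy_input() and psa_crypto_copy_output() have no description at all; a short comment stating the meaning of the two length parameters of each copy function would help reviewers of the callers.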
diff --git a/tf-psa-crypto/core/psa_crypto_its.h b/tf-psa-crypto/core/psa_crypto_its.h
new file mode 100644
index 0000000..877063b
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_its.h
@@ -0,0 +1,131 @@
+/** \file psa_crypto_its.h
+ * \brief Interface of trusted storage that crypto is built on.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ITS_H
+#define PSA_CRYPTO_ITS_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <psa/crypto_types.h>
+#include <psa/crypto_values.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** \brief Flags used when creating a data entry
+ */
+typedef uint32_t psa_storage_create_flags_t;
+
+/** \brief A type for UIDs used for identifying data
+ */
+typedef uint64_t psa_storage_uid_t;
+
+#define PSA_STORAGE_FLAG_NONE 0 /**< No flags to pass */
+#define PSA_STORAGE_FLAG_WRITE_ONCE (1 << 0) /**< The data associated with the uid will not be able to be modified or deleted. Intended to be used to set bits in `psa_storage_create_flags_t`*/
+
+/**
+ * \brief A container for metadata associated with a specific uid
+ */
+struct psa_storage_info_t {
+ uint32_t size; /**< The size of the data associated with a uid **/
+ psa_storage_create_flags_t flags; /**< The flags set when the uid was created **/
+};
+
+/** Flag indicating that \ref psa_storage_create and \ref psa_storage_set_extended are supported */
+#define PSA_STORAGE_SUPPORT_SET_EXTENDED (1 << 0)
+
+#define PSA_ITS_API_VERSION_MAJOR 1 /**< The major version number of the PSA ITS API. It will be incremented on significant updates that may include breaking changes */
+#define PSA_ITS_API_VERSION_MINOR 1 /**< The minor version number of the PSA ITS API. It will be incremented in small updates that are unlikely to include breaking changes */
+
+/**
+ * \brief create a new or modify an existing uid/value pair
+ *
+ * \param[in] uid the identifier for the data
+ * \param[in] data_length The size in bytes of the data in `p_data`
+ * \param[in] p_data A buffer containing the data
+ * \param[in] create_flags The flags that the data will be stored with
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided `uid` value was already created with PSA_STORAGE_FLAG_WRITE_ONCE
+ * \retval #PSA_ERROR_NOT_SUPPORTED The operation failed because one or more of the flags provided in `create_flags` is not supported or is not valid
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE The operation failed because there was insufficient space on the storage medium
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`)
+ * is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+ uint32_t data_length,
+ const void *p_data,
+ psa_storage_create_flags_t create_flags);
+
+/**
+ * \brief Retrieve the value associated with a provided uid
+ *
+ * \param[in] uid The uid value
+ * \param[in] data_offset The starting offset of the data requested
+ * \param[in] data_length the amount of data requested (and the minimum allocated size of the `p_data` buffer)
+ * \param[out] p_data The buffer where the data will be placed upon successful completion
+ * \param[out] p_data_length The amount of data returned in the p_data buffer
+ *
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided `uid` value was not found in the storage
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`, `p_data_length`)
+ * is invalid. For example is `NULL` or references memory the caller cannot access.
+ * In addition, this can also happen if an invalid offset was provided.
+ */
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+ uint32_t data_offset,
+ uint32_t data_length,
+ void *p_data,
+ size_t *p_data_length);
+
+/**
+ * \brief Retrieve the metadata about the provided uid
+ *
+ * \param[in] uid The uid value
+ * \param[out] p_info A pointer to the `psa_storage_info_t` struct that will be populated with the metadata
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided uid value was not found in the storage
+ * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_info`)
+ * is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info);
+
+/**
+ * \brief Remove the provided key and its associated data from the storage
+ *
+ * \param[in] uid The uid value
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided key value was not found in the storage
+ * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided key value was created with PSA_STORAGE_FLAG_WRITE_ONCE
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ */
+psa_status_t psa_its_remove(psa_storage_uid_t uid);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_ITS_H */
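Review bot: The psa_its_get() description does not say what happens when `data_offset + data_length` extends past the end of the stored entry. The only hints are that an "invalid offset" yields PSA_ERROR_INVALID_ARGUMENT and that `p_data_length` is "the amount of data returned". A caller that assumes `data_length` bytes were written would treat leftover buffer contents as stored data, so the contract needs one explicit sentence, for example `On success, use *p_data_length, not data_length, as the number of valid bytes in p_data.`, with the exact short-read behaviour confirmed against the implementation, which is outside this hunk. The psa_its_remove() text also says "key" in three places where the parameter is `uid`.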
diff --git a/tf-psa-crypto/core/psa_crypto_mac.c b/tf-psa-crypto/core/psa_crypto_mac.c
new file mode 100644
index 0000000..8fe6218
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_mac.c
@@ -0,0 +1,496 @@
+/*
+ * PSA MAC layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_mac.h"
+#include <mbedtls/md.h>
+
+#include <mbedtls/error.h>
+#include "mbedtls/constant_time.h"
+#include <string.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static psa_status_t psa_hmac_abort_internal(
+ mbedtls_psa_hmac_operation_t *hmac)
+{
+ mbedtls_platform_zeroize(hmac->opad, sizeof(hmac->opad));
+ return psa_hash_abort(&hmac->hash_ctx);
+}
+
+static psa_status_t psa_hmac_setup_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ const uint8_t *key,
+ size_t key_length,
+ psa_algorithm_t hash_alg)
+{
+ uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+ size_t i;
+ size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+ size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ psa_status_t status;
+
+ hmac->alg = hash_alg;
+
+ /* Sanity checks on block_size, to guarantee that there won't be a buffer
+ * overflow below. This should never trigger if the hash algorithm
+ * is implemented correctly. */
+ /* The size checks against the ipad and opad buffers cannot be written
+ * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
+ * because that triggers -Wlogical-op on GCC 7.3. */
+ if (block_size > sizeof(ipad)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (block_size > sizeof(hmac->opad)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (block_size < hash_size) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (key_length > block_size) {
+ status = psa_hash_compute(hash_alg, key, key_length,
+ ipad, sizeof(ipad), &key_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ }
+ /* A 0-length key is not commonly used in HMAC when used as a MAC,
+ * but it is permitted. It is common when HMAC is used in HKDF, for
+ * example. Don't call `memcpy` in the 0-length because `key` could be
+ * an invalid pointer which would make the behavior undefined. */
+ else if (key_length != 0) {
+ memcpy(ipad, key, key_length);
+ }
+
+ /* ipad contains the key followed by garbage. Xor and fill with 0x36
+ * to create the ipad value. */
+ for (i = 0; i < key_length; i++) {
+ ipad[i] ^= 0x36;
+ }
+ memset(ipad + key_length, 0x36, block_size - key_length);
+
+ /* Copy the key material from ipad to opad, flipping the requisite bits,
+ * and filling the rest of opad with the requisite constant. */
+ for (i = 0; i < key_length; i++) {
+ hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
+ }
+ memset(hmac->opad + key_length, 0x5C, block_size - key_length);
+
+ status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, ipad, block_size);
+
+cleanup:
+ mbedtls_platform_zeroize(ipad, sizeof(ipad));
+
+ return status;
+}
+
+static psa_status_t psa_hmac_update_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ const uint8_t *data,
+ size_t data_length)
+{
+ return psa_hash_update(&hmac->hash_ctx, data, data_length);
+}
+
+static psa_status_t psa_hmac_finish_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ uint8_t *mac,
+ size_t mac_size)
+{
+ uint8_t tmp[PSA_HASH_MAX_SIZE];
+ psa_algorithm_t hash_alg = hmac->alg;
+ size_t hash_size = 0;
+ size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ psa_status_t status;
+
+ status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ /* From here on, tmp needs to be wiped. */
+
+ status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, hmac->opad, block_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, tmp, hash_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ memcpy(mac, tmp, mac_size);
+
+exit:
+ mbedtls_platform_zeroize(tmp, hash_size);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+static psa_status_t cmac_setup(mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+ /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
+ * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
+ if (psa_get_key_type(attributes) == PSA_KEY_TYPE_DES &&
+ (psa_get_key_bits(attributes) == 64 ||
+ psa_get_key_bits(attributes) == 128)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+#endif
+
+ const mbedtls_cipher_info_t *cipher_info =
+ mbedtls_cipher_info_from_psa(
+ PSA_ALG_CMAC,
+ psa_get_key_type(attributes),
+ psa_get_key_bits(attributes),
+ NULL);
+
+ if (cipher_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ ret = mbedtls_cipher_setup(&operation->ctx.cmac, cipher_info);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_starts(&operation->ctx.cmac,
+ key_buffer,
+ psa_get_key_bits(attributes));
+exit:
+ return mbedtls_to_psa_error(ret);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+
+/* Initialize this driver's MAC operation structure. Once this function has been
+ * called, mbedtls_psa_mac_abort can run and will do the right thing. */
+static psa_status_t mac_init(
+ mbedtls_psa_mac_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ operation->alg = alg;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ mbedtls_cipher_init(&operation->ctx.cmac);
+ status = PSA_SUCCESS;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ /* We'll set up the hash operation later in psa_hmac_setup_internal. */
+ operation->ctx.hmac.alg = 0;
+ status = PSA_SUCCESS;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ (void) operation;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status != PSA_SUCCESS) {
+ memset(operation, 0, sizeof(*operation));
+ }
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t *operation)
+{
+ if (operation->alg == 0) {
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ } else
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ mbedtls_cipher_free(&operation->ctx.cmac);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ psa_hmac_abort_internal(&operation->ctx.hmac);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* Sanity check (shouldn't happen: operation->alg should
+ * always have been initialized to a valid value). */
+ goto bad_state;
+ }
+
+ operation->alg = 0;
+
+ return PSA_SUCCESS;
+
+bad_state:
+ /* If abort is called on an uninitialized object, we can't trust
+ * anything. Wipe the object in case it contains confidential data.
+ * This may result in a memory leak if a pointer gets overwritten,
+ * but it's too late to do anything about this. */
+ memset(operation, 0, sizeof(*operation));
+ return PSA_ERROR_BAD_STATE;
+}
+
+static psa_status_t psa_mac_setup(mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = mac_init(operation, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(alg) == PSA_ALG_CMAC) {
+ /* Key buffer size for CMAC is dictated by the key bits set on the
+ * attributes, and previously validated by the core on key import. */
+ (void) key_buffer_size;
+ status = cmac_setup(operation, attributes, key_buffer);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(alg)) {
+ status = psa_hmac_setup_internal(&operation->ctx.hmac,
+ key_buffer,
+ key_buffer_size,
+ PSA_ALG_HMAC_GET_HASH(alg));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status != PSA_SUCCESS) {
+ mbedtls_psa_mac_abort(operation);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_sign_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, attributes,
+ key_buffer, key_buffer_size, alg);
+}
+
+psa_status_t mbedtls_psa_mac_verify_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, attributes,
+ key_buffer, key_buffer_size, alg);
+}
+
+psa_status_t mbedtls_psa_mac_update(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ return mbedtls_to_psa_error(
+ mbedtls_cipher_cmac_update(&operation->ctx.cmac,
+ input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ return psa_hmac_update_internal(&operation->ctx.hmac,
+ input, input_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* This shouldn't happen if `operation` was initialized by
+ * a setup function. */
+ (void) input;
+ (void) input_length;
+ return PSA_ERROR_BAD_STATE;
+ }
+}
+
+static psa_status_t psa_mac_finish_internal(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac, size_t mac_size)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
+ int ret = mbedtls_cipher_cmac_finish(&operation->ctx.cmac, tmp);
+ if (ret == 0) {
+ memcpy(mac, tmp, mac_size);
+ }
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return mbedtls_to_psa_error(ret);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ return psa_hmac_finish_internal(&operation->ctx.hmac,
+ mac, mac_size);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* This shouldn't happen if `operation` was initialized by
+ * a setup function. */
+ (void) operation;
+ (void) mac;
+ (void) mac_size;
+ return PSA_ERROR_BAD_STATE;
+ }
+}
+
+psa_status_t mbedtls_psa_mac_sign_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_mac_finish_internal(operation, mac, mac_size);
+ if (status == PSA_SUCCESS) {
+ *mac_length = mac_size;
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_verify_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length)
+{
+ uint8_t actual_mac[PSA_MAC_MAX_SIZE];
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Consistency check: requested MAC length fits our local buffer */
+ if (mac_length > sizeof(actual_mac)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_mac_finish_internal(operation, actual_mac, mac_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (mbedtls_ct_memcmp(mac, actual_mac, mac_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_compute(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
+
+ status = psa_mac_setup(&operation,
+ attributes, key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (input_length > 0) {
+ status = mbedtls_psa_mac_update(&operation, input, input_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_mac_finish_internal(&operation, mac, mac_size);
+ if (status == PSA_SUCCESS) {
+ *mac_length = mac_size;
+ }
+
+exit:
+ mbedtls_psa_mac_abort(&operation);
+
+ return status;
+}
+
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
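Review bot: In psa_hmac_finish_internal(), `memcpy(mac, tmp, mac_size)` copies a caller-chosen length out of the stack buffer `tmp` without comparing it with `hash_size` or `sizeof(tmp)`. mbedtls_psa_mac_verify_finish() bounds `mac_length` only by `sizeof(actual_mac)`, and mbedtls_psa_mac_sign_finish() and mbedtls_psa_mac_compute() pass `mac_size` through unchecked, so the copy is safe only if the core has already validated the length, which this file does not show. A local guard just before the copy, `if (mac_size > hash_size) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; }`, would keep uninitialised or out-of-range stack bytes from reaching the output buffer. The CMAC branch of psa_mac_finish_internal() has the same pattern with `tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE]` and would need the equivalent check against the cipher block size.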
diff --git a/tf-psa-crypto/core/psa_crypto_mac.h b/tf-psa-crypto/core/psa_crypto_mac.h
new file mode 100644
index 0000000..2f614bc
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_mac.h
@@ -0,0 +1,264 @@
+/*
+ * PSA MAC layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_MAC_H
+#define PSA_CRYPTO_MAC_H
+
+#include <psa/crypto.h>
+
+/** Calculate the MAC (message authentication code) of a message using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_compute
+ * entry point. This function behaves as a mac_compute entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p mac_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_compute(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Set up a multipart MAC calculation operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_sign_setup
+ * entry point. This function behaves as a mac_sign_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ */
+psa_status_t mbedtls_psa_mac_sign_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set up a multipart MAC verification operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_verify_setup
+ * entry point. This function behaves as a mac_verify_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ */
+psa_status_t mbedtls_psa_mac_verify_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart MAC operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_update
+ * entry point. This function behaves as a mac_update entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_sign_setup() or
+ * mbedtls_psa_mac_verify_setup() before calling this function.
+ *
+ * If this function returns an error status, the PSA core aborts the
+ * operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] input Buffer containing the message fragment to add to
+ * the MAC calculation.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_update(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the MAC of a message using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_sign_finish
+ * entry point. This function behaves as a mac_sign_finish entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_sign_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to mbedtls_psa_mac_update().
+ *
+ * Whether this function returns successfully or not, the PSA core subsequently
+ * aborts the operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Output size requested for the MAC algorithm. The PSA
+ * core guarantees this is a valid MAC length for the
+ * algorithm and key combination passed to
+ * mbedtls_psa_mac_sign_setup(). It also guarantees the
+ * \p mac buffer is large enough to contain the
+ * requested output size.
+ * \param[out] mac_length On success, the number of bytes output to buffer
+ * \p mac, which will be equal to the requested length
+ * \p mac_size.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac sign
+ * operation).
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p mac buffer is too small. A sufficient buffer size
+ * can be determined by calling PSA_MAC_LENGTH().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_sign_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Finish the calculation of the MAC of a message and compare it with
+ * an expected value using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * mac_verify_finish entry point. This function behaves as a
+ * mac_verify_finish entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_verify_setup() before calling this
+ * function. This function calculates the MAC of the message formed by
+ * concatenating the inputs passed to preceding calls to
+ * mbedtls_psa_mac_update(). It then compares the calculated MAC with the
+ * expected MAC passed as a parameter to this function.
+ *
+ * Whether this function returns successfully or not, the PSA core subsequently
+ * aborts the operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Length in bytes of the expected MAC value. The PSA
+ * core guarantees that this length is a valid MAC
+ * length for the algorithm and key combination passed
+ * to mbedtls_psa_mac_verify_setup().
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected MAC.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac verify
+ * operation).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_verify_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** Abort a MAC operation using Mbed TLS.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * mbedtls_psa_mac_sign_setup() or mbedtls_psa_mac_verify_setup() again.
+ *
+ * The PSA core may call this function any time after the operation object has
+ * been initialized by one of the methods described in
+ * #mbedtls_psa_mac_operation_t.
+ *
+ * In particular, calling mbedtls_psa_mac_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_mac_abort(),
+ * mbedtls_psa_mac_sign_finish() or mbedtls_psa_mac_verify_finish() is safe and
+ * has no effect.
+ *
+ * \param[in,out] operation Initialized MAC operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_abort(
+ mbedtls_psa_mac_operation_t *operation);
+
+#endif /* PSA_CRYPTO_MAC_H */
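Review bot: The `\retval` list for mbedtls_psa_mac_verify_finish() omits `PSA_ERROR_INVALID_ARGUMENT`, which the implementation in psa_crypto_mac.c returns when `mac_length > sizeof(actual_mac)`. The header says the core guarantees a valid MAC length, so a driver caller reading only this file cannot tell that an oversized length is rejected rather than truncated. I would add `\retval #PSA_ERROR_INVALID_ARGUMENT` with the description `\p mac_length is larger than #PSA_MAC_MAX_SIZE.` As a point of style, mbedtls_psa_mac_abort() is the only declaration here without the `\note` stating which PSA driver entry point its signature corresponds to.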
diff --git a/tf-psa-crypto/core/psa_crypto_pake.c b/tf-psa-crypto/core/psa_crypto_pake.c
new file mode 100644
index 0000000..9ac2e8c
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_pake.c
@@ -0,0 +1,571 @@
+/*
+ * PSA PAKE layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_pake.h"
+#include "psa_crypto_slot_management.h"
+
+#include <mbedtls/ecjpake.h>
+#include "psa_util_internal.h"
+
+#include <mbedtls/platform.h>
+#include <mbedtls/error.h>
+#include <string.h>
+
+/*
+ * State sequence:
+ *
+ * psa_pake_setup()
+ * |
+ * |-- In any order:
+ * | | psa_pake_set_password_key()
+ * | | psa_pake_set_user()
+ * | | psa_pake_set_peer()
+ * | | psa_pake_set_role()
+ * |
+ * |--- In any order: (First round input before or after first round output)
+ * | |
+ * | |------ In Order
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * |
+ * |--- In any order: (Second round input before or after second round output)
+ * | |
+ * | |------ In Order
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * |
+ * psa_pake_get_implicit_key()
+ * psa_pake_abort()
+ */
+
+/*
+ * Possible sequence of calls to implementation:
+ *
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * |
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
+ */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
+{
+ switch (ret) {
+ case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_INVALID_KEY:
+ case MBEDTLS_ERR_ECP_VERIFY_FAILED:
+ return PSA_ERROR_DATA_INVALID;
+ case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
+ case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_ecjpake_init(&operation->ctx.jpake);
+
+ ret = mbedtls_ecjpake_setup(&operation->ctx.jpake,
+ operation->role,
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_ECP_DP_SECP256R1,
+ operation->password,
+ operation->password_len);
+
+ mbedtls_platform_zeroize(operation->password, operation->password_len);
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+}
+#endif
+
+/* The only two JPAKE user/peer identifiers supported in built-in implementation. */
+static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
+static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
+
+psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
+ const psa_crypto_driver_pake_inputs_t *inputs)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t user_len = 0, peer_len = 0, password_len = 0;
+ uint8_t *peer = NULL, *user = NULL;
+ size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0;
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+
+ status = psa_crypto_driver_pake_get_password_len(inputs, &password_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_user_len(inputs, &user_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->password = mbedtls_calloc(1, password_len);
+ if (operation->password == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ user = mbedtls_calloc(1, user_len);
+ if (user == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ peer = mbedtls_calloc(1, peer_len);
+ if (peer == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_password(inputs, operation->password,
+ password_len, &actual_password_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_user(inputs, user,
+ user_len, &actual_user_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_peer(inputs, peer,
+ peer_len, &actual_peer_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ operation->password_len = actual_password_len;
+ operation->alg = cipher_suite.algorithm;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
+ if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
+ cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
+ cipher_suite.bits != 256 ||
+ cipher_suite.hash != PSA_ALG_SHA_256) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length
+ if (actual_user_len != user_peer_len ||
+ actual_peer_len != user_peer_len) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ if (memcmp(user, jpake_client_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_server_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_CLIENT;
+ } else
+ if (memcmp(user, jpake_server_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_client_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_SERVER;
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+
+ status = psa_pake_ecjpake_setup(operation);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ /* Role has been set, release user/peer buffers. */
+ mbedtls_free(user); mbedtls_free(peer);
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) operation;
+ (void) inputs;
+#endif
+ { status = PSA_ERROR_NOT_SUPPORTED; }
+
+error:
+ mbedtls_free(user); mbedtls_free(peer);
+ /* In case of failure of the setup of a multipart operation, the PSA driver interface
+ * specifies that the core does not call any other driver entry point thus does not
+ * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean
+ * up like freeing the memory that may have been allocated to store the password.
+ */
+ mbedtls_psa_pake_abort(operation);
+ return status;
+}
+
+static psa_status_t mbedtls_psa_pake_output_internal(
+ mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t length;
+ (void) step; // Unused parameter
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ /*
+ * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
+ * handling of output sequencing.
+ *
+ * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data
+ * at once, on the other side the PSA CRYPTO PAKE api requires
+ * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be
+ * retrieved in sequence.
+ *
+ * In order to achieve API compatibility, the whole X1+X2 or X2S steps
+ * data is stored in an intermediate buffer at first step output call,
+ * and data is sliced down by parsing the ECPoint records in order
+ * to return the right parts on each step.
+ */
+ if (operation->alg == PSA_ALG_JPAKE) {
+ /* Initialize & write round on KEY_SHARE sequences */
+ if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) {
+ ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake,
+ operation->buffer,
+ sizeof(operation->buffer),
+ &operation->buffer_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ operation->buffer_offset = 0;
+ } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) {
+ ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake,
+ operation->buffer,
+ sizeof(operation->buffer),
+ &operation->buffer_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ operation->buffer_offset = 0;
+ }
+
+ /*
+ * mbedtls_ecjpake_write_round_xxx() outputs thing in the format
+ * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is
+ * that the data for each step is prepended with a length byte, and
+ * then they're concatenated. Additionally, the server's second round
+ * output is prepended with a 3-bytes ECParameters structure.
+ *
+ * In PSA, we output each step separately, and don't prepend the
+ * output with a length byte, even less a curve identifier, as that
+ * information is already available.
+ */
+ if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE &&
+ operation->role == MBEDTLS_ECJPAKE_SERVER) {
+ /* Skip ECParameters, with is 3 bytes (RFC 8422) */
+ operation->buffer_offset += 3;
+ }
+
+ /* Read the length byte then move past it to the data */
+ length = operation->buffer[operation->buffer_offset];
+ operation->buffer_offset += 1;
+
+ if (operation->buffer_offset + length > operation->buffer_length) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+
+ if (output_size < length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(output,
+ operation->buffer + operation->buffer_offset,
+ length);
+ *output_length = length;
+
+ operation->buffer_offset += length;
+
+ /* Reset buffer after ZK_PROOF sequence */
+ if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) ||
+ (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) {
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) step;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = mbedtls_psa_pake_output_internal(
+ operation, step, output, output_size, output_length);
+
+ return status;
+}
+
+static psa_status_t mbedtls_psa_pake_input_internal(
+ mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ (void) step; // Unused parameter
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ /*
+ * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
+ * handling of input sequencing.
+ *
+ * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data
+ * at once as input, on the other side the PSA CRYPTO PAKE api requires
+ * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be
+ * given in sequence.
+ *
+ * In order to achieve API compatibility, each X1+X2 or X4S step data
+ * is stored sequentially in an intermediate buffer and given to the
+ * Mbed TLS JPAKE API on the last step.
+ *
+ * This causes any input error to be only detected on the last step.
+ */
+ if (operation->alg == PSA_ALG_JPAKE) {
+ /*
+ * Copy input to local buffer and format it as the Mbed TLS API
+ * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7.
+ * The summary is that the data for each step is prepended with a
+ * length byte, and then they're concatenated. Additionally, the
+ * server's second round output is prepended with a 3-bytes
+ * ECParameters structure - which means we have to prepend that when
+ * we're a client.
+ */
+ if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE &&
+ operation->role == MBEDTLS_ECJPAKE_CLIENT) {
+ /* We only support secp256r1. */
+ /* This is the ECParameters structure defined by RFC 8422. */
+ unsigned char ecparameters[3] = {
+ 3, /* named_curve */
+ 0, 23 /* secp256r1 */
+ };
+
+ if (operation->buffer_length + sizeof(ecparameters) >
+ sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(operation->buffer + operation->buffer_length,
+ ecparameters, sizeof(ecparameters));
+ operation->buffer_length += sizeof(ecparameters);
+ }
+
+ /*
+ * The core checks that input_length is smaller than
+ * PSA_PAKE_INPUT_MAX_SIZE.
+ * Thus no risk of integer overflow here.
+ */
+ if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Write the length byte */
+ operation->buffer[operation->buffer_length] = (uint8_t) input_length;
+ operation->buffer_length += 1;
+
+ /* Finally copy the data */
+ memcpy(operation->buffer + operation->buffer_length,
+ input, input_length);
+ operation->buffer_length += input_length;
+
+ /* Load buffer at each last round ZK_PROOF */
+ if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) {
+ ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake,
+ operation->buffer,
+ operation->buffer_length);
+
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+ } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) {
+ ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake,
+ operation->buffer,
+ operation->buffer_length);
+
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) step;
+ (void) input;
+ (void) input_length;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_status_t status = mbedtls_psa_pake_input_internal(
+ operation, step, input, input_length);
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_pake_get_implicit_key(
+ mbedtls_psa_pake_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake,
+ output,
+ output_size,
+ output_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) output;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
+{
+ mbedtls_zeroize_and_free(operation->password, operation->password_len);
+ operation->password = NULL;
+ operation->password_len = 0;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ operation->role = MBEDTLS_ECJPAKE_NONE;
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+ mbedtls_ecjpake_free(&operation->ctx.jpake);
+ }
+#endif
+
+ operation->alg = PSA_ALG_NONE;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
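Review bot: In mbedtls_psa_pake_setup(), the password copy can be freed without being wiped on the error paths between the `psa_crypto_driver_pake_get_password()` call and the later `operation->password_len = actual_password_len;`. The `error:` label calls mbedtls_psa_pake_abort(), which passes `operation->password_len` to `mbedtls_zeroize_and_free()`. If that field is still 0 from initialization (the initializer is not visible in this hunk), a failure in `psa_crypto_driver_pake_get_user()` or `psa_crypto_driver_pake_get_peer()` leaves the password bytes in freed heap memory. Recording the length as soon as the buffer exists closes the gap: add `operation->password_len = password_len;` directly after the successful `mbedtls_calloc(1, password_len)`. The existing assignment of `actual_password_len` can stay where it is.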
diff --git a/tf-psa-crypto/core/psa_crypto_pake.h b/tf-psa-crypto/core/psa_crypto_pake.h
new file mode 100644
index 0000000..3d3ee0c
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_pake.h
@@ -0,0 +1,159 @@
+/*
+ * PSA PAKE layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_PAKE_H
+#define PSA_CRYPTO_PAKE_H
+
+#include <psa/crypto.h>
+
+/** Set the session information for a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_setup entry point. This function behaves as a pake_setup
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized but not set up yet.
+ * \param[in] inputs Inputs required for PAKE operation (role, password,
+ * key lifetime, cipher suite)
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
+ * or the PAKE primitive in \p cipher_suite is not supported or not
+ * compatible with the PAKE algorithm, or the hash algorithm in
+ * \p cipher_suite is not supported or not compatible with the PAKE
+ * algorithm and primitive.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
+ const psa_crypto_driver_pake_inputs_t *inputs);
+
+
+/** Get output for a step of a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_output entry point. This function behaves as a pake_output
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step of the algorithm for which the output is
+ * requested.
+ * \param[out] output Buffer where the output is to be written in the
+ * format appropriate for this driver \p step. Refer to
+ * the documentation of psa_crypto_driver_pake_step_t for
+ * more information.
+ * \param output_size Size of the \p output buffer in bytes. This must
+ * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p
+ * primitive, \p step) where \p alg and
+ * \p primitive are the PAKE algorithm and primitive
+ * in the operation's cipher suite, and \p step is
+ * the output step.
+ *
+ * \param[out] output_length On success, the number of bytes of the returned
+ * output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Provide input for a step of a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_input entry point. This function behaves as a pake_input
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The driver step for which the input is provided.
+ * \param[in] input Buffer containing the input in the format
+ * appropriate for this \p step. Refer to the
+ * documentation of psa_crypto_driver_pake_step_t
+ * for more information.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The verification fails for a zero-knowledge input step.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * the \p input is not valid for the \p operation's algorithm, cipher suite
+ * or \p step.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * the \p input is not supported for the \p operation's algorithm, cipher
+ * suite or \p step.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Get implicitly confirmed shared secret from a PAKE.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_get_implicit_key entry point. This function behaves as a
+ * pake_get_implicit_key entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param[out] output Output buffer for implicit key.
+ * \param output_size Size of the output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes of the implicit key.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Input from a PAKE is not supported by the algorithm in the \p output
+ * key derivation operation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_get_implicit_key(
+ mbedtls_psa_pake_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length);
+
+/** Abort a PAKE operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_abort entry point. This function behaves as a pake_abort
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation);
+
+#endif /* PSA_CRYPTO_PAKE_H */
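Review bot: The `\retval` lists for mbedtls_psa_pake_input() do not match what psa_crypto_pake.c returns. A failed zero-knowledge proof is documented as `PSA_ERROR_INVALID_SIGNATURE`, but mbedtls_ecjpake_to_psa_error() maps `MBEDTLS_ERR_ECP_VERIFY_FAILED` to `PSA_ERROR_DATA_INVALID`. The input path also returns `PSA_ERROR_BUFFER_TOO_SMALL`, which is not listed. The header should also carry the caveat from the .c file that input is buffered and only validated at the ZK_PROOF step, for example `\note Invalid input for a round is only reported by the call that supplies its last ZK_PROOF step.` Separately, the mbedtls_psa_pake_setup() text refers to `\p cipher_suite`, which is not a parameter; it should say "the cipher suite in \p inputs".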
diff --git a/tf-psa-crypto/core/psa_crypto_random_impl.h b/tf-psa-crypto/core/psa_crypto_random_impl.h
new file mode 100644
index 0000000..533fb2e
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_random_impl.h
@@ -0,0 +1,135 @@
+/** \file psa_crypto_random_impl.h
+ *
+ * \brief PSA crypto random generator implementation abstraction.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_RANDOM_IMPL_H
+#define PSA_CRYPTO_RANDOM_IMPL_H
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#include "mbedtls/entropy.h"
+
+/* Choose a DRBG based on configuration and availability */
+#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+
+#include "mbedtls/hmac_drbg.h"
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#if defined(MBEDTLS_MD_CAN_SHA512) && defined(MBEDTLS_MD_CAN_SHA256)
+#include <limits.h>
+#if SIZE_MAX > 0xffffffff
+/* Looks like a 64-bit system, so prefer SHA-512. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#else
+/* Looks like a 32-bit system, so prefer SHA-256. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#endif
+#elif defined(MBEDTLS_MD_CAN_SHA512)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#elif defined(MBEDTLS_MD_CAN_SHA256)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#else
+#error "No hash algorithm available for HMAC_DBRG."
+#endif
+
+#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
+#error "No DRBG module available for the psa_crypto module."
+
+#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
+#if defined(MBEDTLS_CTR_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+typedef struct {
+ void (* entropy_init)(mbedtls_entropy_context *ctx);
+ void (* entropy_free)(mbedtls_entropy_context *ctx);
+ mbedtls_entropy_context entropy;
+ mbedtls_psa_drbg_context_t drbg;
+} mbedtls_psa_random_context_t;
+
+/** Initialize the PSA DRBG.
+ *
+ * \param p_rng Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_init(mbedtls_psa_drbg_context_t *p_rng)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ mbedtls_ctr_drbg_init(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ mbedtls_hmac_drbg_init(p_rng);
+#endif
+}
+
+/** Deinitialize the PSA DRBG.
+ *
+ * \param p_rng Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_free(mbedtls_psa_drbg_context_t *p_rng)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ mbedtls_ctr_drbg_free(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ mbedtls_hmac_drbg_free(p_rng);
+#endif
+}
+
+/** Seed the PSA DRBG.
+ *
+ * \param entropy An entropy context to read the seed from.
+ * \param custom The personalization string.
+ * This can be \c NULL, in which case the personalization
+ * string is empty regardless of the value of \p len.
+ * \param len The length of the personalization string.
+ *
+ * \return \c 0 on success.
+ * \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure.
+ */
+static inline int mbedtls_psa_drbg_seed(mbedtls_psa_drbg_context_t *drbg_ctx,
+ mbedtls_entropy_context *entropy,
+ const unsigned char *custom, size_t len)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ return mbedtls_ctr_drbg_seed(drbg_ctx, mbedtls_entropy_func, entropy, custom, len);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
+ return mbedtls_hmac_drbg_seed(drbg_ctx, md_info, mbedtls_entropy_func, entropy, custom, len);
+#endif
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#endif /* PSA_CRYPTO_RANDOM_IMPL_H */
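Review bot: The DRBG selection is inconsistent between the first `#if` chain and the ones after it: the first chain tests `MBEDTLS_PSA_HMAC_DRBG_MD_TYPE` before `MBEDTLS_CTR_DRBG_C`, but `MBEDTLS_PSA_RANDOM_MAX_REQUEST`, the `mbedtls_psa_drbg_context_t` typedef and the three inline wrappers all test `MBEDTLS_CTR_DRBG_C` first. A configuration that defines `MBEDTLS_PSA_HMAC_DRBG_MD_TYPE` while CTR_DRBG is also enabled therefore appears to get CTR_DRBG, and one that defines it with neither DRBG module enabled skips both `#error` lines and only fails later on the missing typedef. If preferring CTR_DRBG is intended, say so next to the first chain, e.g. `/* MBEDTLS_PSA_HMAC_DRBG_MD_TYPE only takes effect when MBEDTLS_CTR_DRBG_C is disabled. */`; otherwise the later chains should test the same macro first. Separately, `SIZE_MAX` is declared by `<stdint.h>`, not `<limits.h>`; if no earlier header provides it, `#if SIZE_MAX > 0xffffffff` evaluates an undefined macro as 0 and silently picks SHA-256, so `#include <stdint.h>` is the safer include there.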
diff --git a/tf-psa-crypto/core/psa_crypto_rsa.c b/tf-psa-crypto/core/psa_crypto_rsa.c
new file mode 100644
index 0000000..2f613b3
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_rsa.c
@@ -0,0 +1,706 @@
+/*
+ * PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa/crypto_values.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_random_impl.h"
+#include "psa_crypto_rsa.h"
+#include "psa_crypto_hash.h"
+#include "mbedtls/psa_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include <mbedtls/rsa.h>
+#include <mbedtls/error.h>
+#include "rsa_internal.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+
+/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
+ * that are not a multiple of 8) well. For example, there is only
+ * mbedtls_rsa_get_len(), which returns a number of bytes, and no
+ * way to return the exact bit size of a key.
+ * To keep things simple, reject non-byte-aligned key sizes. */
+static psa_status_t psa_check_rsa_key_byte_aligned(
+ const mbedtls_rsa_context *rsa)
+{
+ mbedtls_mpi n;
+ psa_status_t status;
+ mbedtls_mpi_init(&n);
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, NULL));
+ if (status == PSA_SUCCESS) {
+ if (mbedtls_mpi_bitlen(&n) % 8 != 0) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ }
+ mbedtls_mpi_free(&n);
+ return status;
+}
+
+psa_status_t mbedtls_psa_rsa_load_representation(
+ psa_key_type_t type, const uint8_t *data, size_t data_length,
+ mbedtls_rsa_context **p_rsa)
+{
+ psa_status_t status;
+ size_t bits;
+
+ *p_rsa = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
+ if (*p_rsa == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ mbedtls_rsa_init(*p_rsa);
+
+ /* Parse the data. */
+ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ status = mbedtls_to_psa_error(mbedtls_rsa_parse_key(*p_rsa, data, data_length));
+ } else {
+ status = mbedtls_to_psa_error(mbedtls_rsa_parse_pubkey(*p_rsa, data, data_length));
+ }
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
+ * supports non-byte-aligned key sizes, but not well. For example,
+ * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
+ bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(*p_rsa));
+ if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = psa_check_rsa_key_byte_aligned(*p_rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+psa_status_t mbedtls_psa_rsa_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status;
+ mbedtls_rsa_context *rsa = NULL;
+
+ /* Parse input */
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ data,
+ data_length,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(rsa));
+
+ /* Re-export the data to PSA export format, such that we can store export
+ * representation in the key slot. Export representation in case of RSA is
+ * the smallest representation that's allowed as input, so a straight-up
+ * allocation of the same size as the input buffer will be large enough. */
+ status = mbedtls_psa_rsa_export_key(attributes->type,
+ rsa,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+exit:
+ /* Always free the RSA object */
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+ mbedtls_rsa_context *rsa,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ int ret;
+ uint8_t *end = data + data_size;
+
+ /* PSA Crypto API defines the format of an RSA key as a DER-encoded
+ * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
+ * private key and of the RFC3279 RSAPublicKey for a public key. */
+ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ ret = mbedtls_rsa_write_key(rsa, data, &end);
+ } else {
+ ret = mbedtls_rsa_write_pubkey(rsa, data, &end);
+ }
+
+ if (ret < 0) {
+ /* Clean up in case pk_write failed halfway through. */
+ memset(data, 0, data_size);
+ return mbedtls_to_psa_error(ret);
+ }
+
+ /* The mbedtls_pk_xxx functions write to the end of the buffer.
+ * Move the data to the beginning and erase remaining data
+ * at the original location. */
+ if (2 * (size_t) ret <= data_size) {
+ memcpy(data, data + data_size - ret, ret);
+ memset(data + data_size - ret, 0, ret);
+ } else if ((size_t) ret < data_size) {
+ memmove(data, data + data_size - ret, ret);
+ memset(data + ret, 0, data_size - ret);
+ }
+
+ *data_length = ret;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+
+ status = mbedtls_psa_rsa_load_representation(
+ attributes->type, key_buffer, key_buffer_size, &rsa);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+ rsa,
+ data,
+ data_size,
+ data_length);
+
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+static psa_status_t psa_rsa_read_exponent(const uint8_t *e_bytes,
+ size_t e_length,
+ int *exponent)
+{
+ size_t i;
+ uint32_t acc = 0;
+
+ /* Mbed TLS encodes the public exponent as an int. For simplicity, only
+ * support values that fit in a 32-bit integer, which is larger than
+ * int on just about every platform anyway. */
+ if (e_length > sizeof(acc)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ for (i = 0; i < e_length; i++) {
+ acc = (acc << 8) | e_bytes[i];
+ }
+ if (acc > INT_MAX) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ *exponent = acc;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_generate_key(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status;
+ mbedtls_rsa_context rsa;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int exponent = 65537;
+
+ if (params_data_length != 0) {
+ status = psa_rsa_read_exponent(params->data, params_data_length,
+ &exponent);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ mbedtls_rsa_init(&rsa);
+ ret = mbedtls_rsa_gen_key(&rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ (unsigned int) attributes->bits,
+ exponent);
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ status = mbedtls_psa_rsa_export_key(attributes->type,
+ &rsa, key_buffer, key_buffer_size,
+ key_buffer_length);
+ mbedtls_rsa_free(&rsa);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+/****************************************************************/
+/* Sign/verify hashes */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+
+/* Decode the hash algorithm from alg and store the mbedtls encoding in
+ * md_alg. Verify that the hash length is acceptable. */
+static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
+ size_t hash_length,
+ mbedtls_md_type_t *md_alg)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ *md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+
+ /* The Mbed TLS RSA module uses an unsigned int for hash length
+ * parameters. Validate that it fits so that we don't risk an
+ * overflow later. */
+#if SIZE_MAX > UINT_MAX
+ if (hash_length > UINT_MAX) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif
+
+ /* For signatures using a hash, the hash length must be correct. */
+ if (alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW) {
+ if (*md_alg == MBEDTLS_MD_NONE) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (mbedtls_md_get_size_from_type(*md_alg) != hash_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (signature_size < mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+ MBEDTLS_MD_NONE);
+ if (ret == 0) {
+ ret = mbedtls_rsa_pkcs1_sign(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ md_alg,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+
+ if (ret == 0) {
+ ret = mbedtls_rsa_rsassa_pss_sign(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ MBEDTLS_MD_NONE,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (ret == 0) {
+ *signature_length = mbedtls_rsa_get_len(rsa);
+ }
+ status = mbedtls_to_psa_error(ret);
+
+exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+static int rsa_pss_expected_salt_len(psa_algorithm_t alg,
+ const mbedtls_rsa_context *rsa,
+ size_t hash_length)
+{
+ if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) {
+ return MBEDTLS_RSA_SALT_LEN_ANY;
+ }
+ /* Otherwise: standard salt length, i.e. largest possible salt length
+ * up to the hash length. */
+ int klen = (int) mbedtls_rsa_get_len(rsa); // known to fit
+ int hlen = (int) hash_length; // known to fit
+ int room = klen - 2 - hlen;
+ if (room < 0) {
+ return 0; // there is no valid signature in this case anyway
+ } else if (room > hlen) {
+ return hlen;
+ } else {
+ return room;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+
+psa_status_t mbedtls_psa_rsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (signature_length != mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+ MBEDTLS_MD_NONE);
+ if (ret == 0) {
+ ret = mbedtls_rsa_pkcs1_verify(rsa,
+ md_alg,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+ if (ret == 0) {
+ int slen = rsa_pss_expected_salt_len(alg, rsa, hash_length);
+ ret = mbedtls_rsa_rsassa_pss_verify_ext(rsa,
+ md_alg,
+ (unsigned) hash_length,
+ hash,
+ md_alg,
+ slen,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+ * the rest of the signature is invalid". This has little use in
+ * practice and PSA doesn't report this distinction. */
+ status = (ret == MBEDTLS_ERR_RSA_INVALID_PADDING) ?
+ PSA_ERROR_INVALID_SIGNATURE :
+ mbedtls_to_psa_error(ret);
+
+exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+
+/****************************************************************/
+/* Asymmetric cryptography */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+static int psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
+ mbedtls_rsa_context *rsa)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+
+ /* Just to get the error status right, as rsa_set_padding() doesn't
+ * distinguish between "bad RSA algorithm" and "unknown hash". */
+ if (mbedtls_md_info_from_type(md_alg) == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+
+psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) salt_length;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ mbedtls_rsa_context *rsa = NULL;
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ if (output_size < mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto rsa_exit;
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_pkcs1_encrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ input_length,
+ input,
+ output));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+ } else
+ if (PSA_ALG_IS_RSA_OAEP(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ status = mbedtls_to_psa_error(
+ psa_rsa_oaep_set_padding_mode(alg, rsa));
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_rsaes_oaep_encrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ salt, salt_length,
+ input_length,
+ input,
+ output));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+ } else {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+rsa_exit:
+ if (status == PSA_SUCCESS) {
+ *output_length = mbedtls_rsa_get_len(rsa);
+ }
+
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) salt_length;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+
+ *output_length = 0;
+
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ mbedtls_rsa_context *rsa = NULL;
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ if (input_length != mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto rsa_exit;
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_pkcs1_decrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ output_length,
+ input,
+ output,
+ output_size));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+ } else
+ if (PSA_ALG_IS_RSA_OAEP(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ status = mbedtls_to_psa_error(
+ psa_rsa_oaep_set_padding_mode(alg, rsa));
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_rsaes_oaep_decrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ salt, salt_length,
+ output_length,
+ input,
+ output,
+ output_size));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+ } else {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+rsa_exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
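Review bot: `mbedtls_psa_rsa_load_representation()` leaves `*p_rsa` allocated when parsing or the size checks fail (its `exit:` label only returns), and two callers in this file drop that pointer: `mbedtls_psa_rsa_export_public_key()` and `mbedtls_psa_rsa_sign_hash()` both `return status;` straight after a failed load. That leaks the context, and for a key pair whatever was parsed into it never reaches `mbedtls_rsa_free()`; `mbedtls_psa_rsa_import_key()`, `mbedtls_psa_rsa_verify_hash()` and the encrypt/decrypt functions avoid this by jumping to their cleanup label. Releasing the context inside the loader on failure fixes every caller at once, and stays compatible with the callers that still free afterwards, since they already call `mbedtls_rsa_free()` on a NULL pointer when the allocation itself fails. A smaller point in the same file: `psa_rsa_oaep_set_padding_mode()` returns `int` but yields `PSA_ERROR_NOT_SUPPORTED`, which both call sites then pass through `mbedtls_to_psa_error()`, so the intended status is probably not what the caller sees; returning `psa_status_t` and converting only the `mbedtls_rsa_set_padding()` result would keep the two error domains apart.

```c
/* … unchanged: allocation, parsing and key-size checks in
 * mbedtls_psa_rsa_load_representation() … */
exit:
    if (status != PSA_SUCCESS) {
        /* Do not hand a partially parsed context back to the caller. */
        mbedtls_rsa_free(*p_rsa);
        mbedtls_free(*p_rsa);
        *p_rsa = NULL;
    }
    return status;
```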
diff --git a/tf-psa-crypto/core/psa_crypto_rsa.h b/tf-psa-crypto/core/psa_crypto_rsa.h
new file mode 100644
index 0000000..ffeef26
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_rsa.h
@@ -0,0 +1,327 @@
+/*
+ * PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_RSA_H
+#define PSA_CRYPTO_RSA_H
+
+#include <psa/crypto.h>
+#include <mbedtls/rsa.h>
+
+/** Load the contents of a key buffer into an internal RSA representation
+ *
+ * \param[in] type The type of key contained in \p data.
+ * \param[in] data The buffer from which to load the representation.
+ * \param[in] data_length The size in bytes of \p data.
+ * \param[out] p_rsa Returns a pointer to an RSA context on success.
+ * The caller is responsible for freeing both the
+ * contents of the context and the context itself
+ * when done.
+ */
+psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_rsa_context **p_rsa);
+
+/** Import an RSA key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The RSA key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export an RSA key to export representation
+ *
+ * \param[in] type The type of key (public/private) to export
+ * \param[in] rsa The internal RSA representation from which to export
+ * \param[out] data The buffer to export to
+ * \param[in] data_size The length of the buffer to export to
+ * \param[out] data_length The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+ mbedtls_rsa_context *rsa,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/** Export a public RSA key or the public part of an RSA key pair in binary
+ * format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data.
+ *
+ * \retval #PSA_SUCCESS The RSA public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an RSA key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the RSA key to generate.
+ * \param[in] params Production parameters for the key
+ * generation. This function only uses
+ * `params->data`,
+ * which contains the public exponent.
+ * This can be a null pointer if
+ * \c params_data_length is 0.
+ * \param params_data_length Length of `params->data` in bytes.
+ * This can be 0, in which case the
+ * public exponent will be 65537.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_rsa_generate_key(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with an RSA private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the RSA key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the RSA key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * an RSA key.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
+ * \p alg) where \c key_bits is the bit-size of the RSA key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public RSA key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the RSA key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the RSA key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * an RSA key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Encrypt a short message with a public key.
+ *
+ * \param attributes The attributes for the key to import.
+ * \param key_buffer Buffer where the key data is to be written.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the encrypted message is to
+ * be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief Decrypt a short message with a private key.
+ *
+ * \param attributes The attributes for the key to import.
+ * \param key_buffer Buffer where the key data is to be written.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] input The message to decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+#endif /* PSA_CRYPTO_RSA_H */
diff --git a/tf-psa-crypto/core/psa_crypto_se.c b/tf-psa-crypto/core/psa_crypto_se.c
new file mode 100644
index 0000000..7a36a4f
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_se.c
@@ -0,0 +1,373 @@
+/*
+ * PSA crypto support for secure element drivers
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+
+#include <stdint.h>
+#include <string.h>
+
+#include "psa/crypto_se_driver.h"
+
+#include "psa_crypto_se.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+
+
+/****************************************************************/
+/* Driver lookup */
+/****************************************************************/
+
+/* This structure is identical to psa_drv_se_context_t declared in
+ * `crypto_se_driver.h`, except that some parts are writable here
+ * (non-const, or pointer to non-const). */
+typedef struct {
+ void *persistent_data;
+ size_t persistent_data_size;
+ uintptr_t transient_data;
+} psa_drv_se_internal_context_t;
+
+struct psa_se_drv_table_entry_s {
+ psa_key_location_t location;
+ const psa_drv_se_t *methods;
+ union {
+ psa_drv_se_internal_context_t internal;
+ psa_drv_se_context_t context;
+ } u;
+};
+
+static psa_se_drv_table_entry_t driver_table[PSA_MAX_SE_DRIVERS];
+
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+ psa_key_lifetime_t lifetime)
+{
+ size_t i;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
+ /* In the driver table, location=0 means an entry that isn't used.
+ * No driver has a location of 0 because it's a reserved value
+ * (which designates transparent keys). Make sure we never return
+ * a driver entry for location 0. */
+ if (location == 0) {
+ return NULL;
+ }
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].location == location) {
+ return &driver_table[i];
+ }
+ }
+ return NULL;
+}
+
+const psa_drv_se_t *psa_get_se_driver_methods(
+ const psa_se_drv_table_entry_t *driver)
+{
+ return driver->methods;
+}
+
+psa_drv_se_context_t *psa_get_se_driver_context(
+ psa_se_drv_table_entry_t *driver)
+{
+ return &driver->u.context;
+}
+
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+ const psa_drv_se_t **p_methods,
+ psa_drv_se_context_t **p_drv_context)
+{
+ psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+ if (p_methods != NULL) {
+ *p_methods = (driver ? driver->methods : NULL);
+ }
+ if (p_drv_context != NULL) {
+ *p_drv_context = (driver ? &driver->u.context : NULL);
+ }
+ return driver != NULL;
+}
+
+
+
+/****************************************************************/
+/* Persistent data management */
+/****************************************************************/
+
+static psa_status_t psa_get_se_driver_its_file_uid(
+ const psa_se_drv_table_entry_t *driver,
+ psa_storage_uid_t *uid)
+{
+ if (driver->location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* ITS file sizes are limited to 32 bits. */
+ if (driver->u.internal.persistent_data_size > UINT32_MAX) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* See the documentation of PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE. */
+ *uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + driver->location;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_load_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver)
+{
+ psa_status_t status;
+ psa_storage_uid_t uid;
+ size_t length;
+
+ status = psa_get_se_driver_its_file_uid(driver, &uid);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Read the amount of persistent data that the driver requests.
+ * If the data in storage is larger, it is truncated. If the data
+ * in storage is smaller, silently keep what is already at the end
+ * of the output buffer. */
+ /* psa_get_se_driver_its_file_uid ensures that the size_t
+ * persistent_data_size is in range, but compilers don't know that,
+ * so cast to reassure them. */
+ return psa_its_get(uid, 0,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
+ &length);
+}
+
+psa_status_t psa_save_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver)
+{
+ psa_status_t status;
+ psa_storage_uid_t uid;
+
+ status = psa_get_se_driver_its_file_uid(driver, &uid);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* psa_get_se_driver_its_file_uid ensures that the size_t
+ * persistent_data_size is in range, but compilers don't know that,
+ * so cast to reassure them. */
+ return psa_its_set(uid,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
+ 0);
+}
+
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location)
+{
+ psa_storage_uid_t uid;
+ if (location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + location;
+ return psa_its_remove(uid);
+}
+
+psa_status_t psa_find_se_slot_for_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t *slot_number)
+{
+ psa_status_t status;
+ psa_key_location_t key_location =
+ PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+
+ /* If the location is wrong, it's a bug in the library. */
+ if (driver->location != key_location) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* If the driver doesn't support key creation in any way, give up now. */
+ if (driver->methods->key_management == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (psa_get_key_slot_number(attributes, slot_number) == PSA_SUCCESS) {
+ /* The application wants to use a specific slot. Allow it if
+ * the driver supports it. On a system with isolation,
+ * the crypto service must check that the application is
+ * permitted to request this slot. */
+ psa_drv_se_validate_slot_number_t p_validate_slot_number =
+ driver->methods->key_management->p_validate_slot_number;
+ if (p_validate_slot_number == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ status = p_validate_slot_number(&driver->u.context,
+ driver->u.internal.persistent_data,
+ attributes, method,
+ *slot_number);
+ } else if (method == PSA_KEY_CREATION_REGISTER) {
+ /* The application didn't specify a slot number. This doesn't
+ * make sense when registering a slot. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else {
+ /* The application didn't tell us which slot to use. Let the driver
+ * choose. This is the normal case. */
+ psa_drv_se_allocate_key_t p_allocate =
+ driver->methods->key_management->p_allocate;
+ if (p_allocate == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ status = p_allocate(&driver->u.context,
+ driver->u.internal.persistent_data,
+ attributes, method,
+ slot_number);
+ }
+ return status;
+}
+
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t slot_number)
+{
+ psa_status_t status;
+ psa_status_t storage_status;
+ /* Normally a missing method would mean that the action is not
+ * supported. But psa_destroy_key() is not supposed to return
+ * PSA_ERROR_NOT_SUPPORTED: if you can create a key, you should
+ * be able to destroy it. The only use case for a driver that
+ * does not have a way to destroy keys at all is if the keys are
+ * locked in a read-only state: we can use the keys but not
+ * destroy them. Hence, if the driver doesn't support destroying
+ * keys, it's really a lack of permission. */
+ if (driver->methods->key_management == NULL ||
+ driver->methods->key_management->p_destroy == NULL) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+ status = driver->methods->key_management->p_destroy(
+ &driver->u.context,
+ driver->u.internal.persistent_data,
+ slot_number);
+ storage_status = psa_save_se_persistent_data(driver);
+ return status == PSA_SUCCESS ? storage_status : status;
+}
+
+psa_status_t psa_init_all_se_drivers(void)
+{
+ size_t i;
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ psa_se_drv_table_entry_t *driver = &driver_table[i];
+ if (driver->location == 0) {
+ continue; /* skipping unused entry */
+ }
+ const psa_drv_se_t *methods = psa_get_se_driver_methods(driver);
+ if (methods->p_init != NULL) {
+ psa_status_t status = methods->p_init(
+ &driver->u.context,
+ driver->u.internal.persistent_data,
+ driver->location);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_save_se_persistent_data(driver);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+ }
+ return PSA_SUCCESS;
+}
+
+
+
+/****************************************************************/
+/* Driver registration */
+/****************************************************************/
+
+psa_status_t psa_register_se_driver(
+ psa_key_location_t location,
+ const psa_drv_se_t *methods)
+{
+ size_t i;
+ psa_status_t status;
+
+ if (methods->hal_version != PSA_DRV_SE_HAL_VERSION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ /* Driver table entries are 0-initialized. 0 is not a valid driver
+ * location because it means a transparent key. */
+ MBEDTLS_STATIC_ASSERT(PSA_KEY_LOCATION_LOCAL_STORAGE == 0,
+ "Secure element support requires 0 to mean a local key");
+
+ if (location == PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].location == 0) {
+ break;
+ }
+ /* Check that location isn't already in use up to the first free
+ * entry. Since entries are created in order and never deleted,
+ * there can't be a used entry after the first free entry. */
+ if (driver_table[i].location == location) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+ }
+ if (i == PSA_MAX_SE_DRIVERS) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ driver_table[i].location = location;
+ driver_table[i].methods = methods;
+ driver_table[i].u.internal.persistent_data_size =
+ methods->persistent_data_size;
+
+ if (methods->persistent_data_size != 0) {
+ driver_table[i].u.internal.persistent_data =
+ mbedtls_calloc(1, methods->persistent_data_size);
+ if (driver_table[i].u.internal.persistent_data == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+ /* Load the driver's persistent data. On first use, the persistent
+ * data does not exist in storage, and is initialized to
+ * all-bits-zero by the calloc call just above. */
+ status = psa_load_se_persistent_data(&driver_table[i]);
+ if (status != PSA_SUCCESS && status != PSA_ERROR_DOES_NOT_EXIST) {
+ goto error;
+ }
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ memset(&driver_table[i], 0, sizeof(driver_table[i]));
+ return status;
+}
+
+void psa_unregister_all_se_drivers(void)
+{
+ size_t i;
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].u.internal.persistent_data != NULL) {
+ mbedtls_free(driver_table[i].u.internal.persistent_data);
+ }
+ }
+ memset(driver_table, 0, sizeof(driver_table));
+}
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
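Review bot: The `error:` path of psa_register_se_driver() clears the table entry with memset() without first releasing `persistent_data`, so the buffer obtained from mbedtls_calloc() is leaked whenever psa_load_se_persistent_data() fails with anything other than PSA_ERROR_DOES_NOT_EXIST. Adding `mbedtls_free(driver_table[i].u.internal.persistent_data);` immediately before the memset fixes it; when the calloc itself failed the pointer is NULL and the free is a no-op. Without it, repeated registration attempts against failing or corrupt storage consume heap that is never returned, which matters on the small targets this code is built for. Separately, psa_unregister_all_se_drivers() frees the same buffer without wiping it; if drivers can keep sensitive state there (not visible in this hunk), consider `mbedtls_platform_zeroize()` over `persistent_data_size` bytes before the free.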
diff --git a/tf-psa-crypto/core/psa_crypto_se.h b/tf-psa-crypto/core/psa_crypto_se.h
new file mode 100644
index 0000000..e0bd5ac
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_se.h
@@ -0,0 +1,192 @@
+/*
+ * PSA crypto support for secure element drivers
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_SE_H
+#define PSA_CRYPTO_SE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+/** The maximum location value that this implementation supports
+ * for a secure element.
+ *
+ * This is not a characteristic that each PSA implementation has, but a
+ * limitation of the current implementation due to the constraints imposed
+ * by storage. See #PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE.
+ *
+ * The minimum location value for a secure element is 1, like on any
+ * PSA implementation (0 means a transparent key).
+ */
+#define PSA_MAX_SE_LOCATION 255
+
+/** The base of the range of ITS file identifiers for secure element
+ * driver persistent data.
+ *
+ * We use a slice of the implementation reserved range 0xffff0000..0xffffffff,
+ * specifically the range 0xfffffe00..0xfffffeff. The length of this range
+ * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is
+ * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE
+ * which doesn't have a driver.
+ */
+#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ((psa_key_id_t) 0xfffffe00)
+
+/** The maximum number of registered secure element driver locations. */
+#define PSA_MAX_SE_DRIVERS 4
+
+/** Unregister all secure element drivers.
+ *
+ * \warning Do not call this function while the library is in the initialized
+ * state. This function is only intended to be called at the end
+ * of mbedtls_psa_crypto_free().
+ */
+void psa_unregister_all_se_drivers(void);
+
+/** Initialize all secure element drivers.
+ *
+ * Called from psa_crypto_init().
+ */
+psa_status_t psa_init_all_se_drivers(void);
+
+/** A structure that describes a registered secure element driver.
+ *
+ * A secure element driver table entry contains a pointer to the
+ * driver's method table as well as the driver context structure.
+ */
+typedef struct psa_se_drv_table_entry_s psa_se_drv_table_entry_t;
+
+/** Return the secure element driver information for a lifetime value.
+ *
+ * \param lifetime The lifetime value to query.
+ * \param[out] p_methods On output, if there is a driver,
+ * \c *methods points to its method table.
+ * Otherwise \c *methods is \c NULL.
+ * \param[out] p_drv_context On output, if there is a driver,
+ * \c *drv_context points to its context
+ * structure.
+ * Otherwise \c *drv_context is \c NULL.
+ *
+ * \retval 1
+ * \p lifetime corresponds to a registered driver.
+ * \retval 0
+ * \p lifetime does not correspond to a registered driver.
+ */
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+ const psa_drv_se_t **p_methods,
+ psa_drv_se_context_t **p_drv_context);
+
+/** Return the secure element driver table entry for a lifetime value.
+ *
+ * \param lifetime The lifetime value to query.
+ *
+ * \return The driver table entry for \p lifetime, or
+ * \p NULL if \p lifetime does not correspond to a registered driver.
+ */
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+ psa_key_lifetime_t lifetime);
+
+/** Return the method table for a secure element driver.
+ *
+ * \param[in] driver The driver table entry to access, or \c NULL.
+ *
+ * \return The driver's method table.
+ * \c NULL if \p driver is \c NULL.
+ */
+const psa_drv_se_t *psa_get_se_driver_methods(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Return the context of a secure element driver.
+ *
+ * \param[in] driver The driver table entry to access, or \c NULL.
+ *
+ * \return A pointer to the driver context.
+ * \c NULL if \p driver is \c NULL.
+ */
+psa_drv_se_context_t *psa_get_se_driver_context(
+ psa_se_drv_table_entry_t *driver);
+
+/** Find a free slot for a key that is to be created.
+ *
+ * This function calls the relevant method in the driver to find a suitable
+ * slot for a key with the given attributes.
+ *
+ * \param[in] attributes Metadata about the key that is about to be created.
+ * \param[in] driver The driver table entry to query.
+ * \param[out] slot_number On success, a slot number that is free in this
+ * secure element.
+ */
+psa_status_t psa_find_se_slot_for_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t *slot_number);
+
+/** Destroy a key in a secure element.
+ *
+ * This function calls the relevant driver method to destroy a key
+ * and updates the driver's persistent data.
+ */
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t slot_number);
+
+/** Load the persistent data of a secure element driver.
+ *
+ * \param driver The driver table entry containing the persistent
+ * data to load from storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_DOES_NOT_EXIST
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_DATA_CORRUPT
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_load_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Save the persistent data of a secure element driver.
+ *
+ * \param[in] driver The driver table entry containing the persistent
+ * data to save to storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_NOT_PERMITTED
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_save_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Destroy the persistent data of a secure element driver.
+ *
+ * This is currently only used for testing.
+ *
+ * \param[in] location The location identifier for the driver whose
+ * persistent data is to be erased.
+ */
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location);
+
+
+/** The storage representation of a key whose data is in a secure element.
+ */
+typedef struct {
+ uint8_t slot_number[sizeof(psa_key_slot_number_t)];
+} psa_se_key_data_storage_t;
+
+#endif /* PSA_CRYPTO_SE_H */
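Review bot: The documentation of psa_get_se_driver_methods() and psa_get_se_driver_context() says \p driver may be \c NULL and that \c NULL is then returned, but the definitions added to psa_crypto_se.c in this same commit dereference it unconditionally (`return driver->methods;` and `return &driver->u.context;`). A caller relying on the documented contract would hit a NULL dereference, or in the context case get back a non-NULL pointer derived from NULL. Either drop "or \c NULL" and the "\c NULL if \p driver is \c NULL" lines from both comments, or guard the definitions, e.g. `return driver == NULL ? NULL : driver->methods;`. Smaller documentation points in this header: psa_get_se_driver() refers to `*methods` and `*drv_context` although the parameters are named `p_methods` and `p_drv_context`, psa_find_se_slot_for_key() has no `\param method` entry or return values, and psa_save_se_persistent_data() lists #PSA_ERROR_NOT_SUPPORTED twice.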
diff --git a/tf-psa-crypto/core/psa_crypto_slot_management.c b/tf-psa-crypto/core/psa_crypto_slot_management.c
new file mode 100644
index 0000000..9986a44
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_slot_management.c
@@ -0,0 +1,690 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa/crypto.h"
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_slot_management.h"
+#include "psa_crypto_storage.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+typedef struct {
+ psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
+ uint8_t key_slots_initialized;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+static uint8_t psa_get_key_slots_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = global_data.key_slots_initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok)
+{
+ psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+
+ if ((PSA_KEY_ID_USER_MIN <= key_id) &&
+ (key_id <= PSA_KEY_ID_USER_MAX)) {
+ return 1;
+ }
+
+ if (vendor_ok &&
+ (PSA_KEY_ID_VENDOR_MIN <= key_id) &&
+ (key_id <= PSA_KEY_ID_VENDOR_MAX)) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/** Get the description in memory of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are
+ * stored in key slots. This function returns a pointer to the key slot
+ * containing the description of a key given its identifier.
+ *
+ * The function searches the key slots containing the description of the key
+ * with \p key identifier. The function does only read accesses to the key
+ * slots. The function does not load any persistent key thus does not access
+ * any storage.
+ *
+ * For volatile key identifiers, only one key slot is queried as a volatile
+ * key with identifier key_id can only be stored in slot of index
+ * ( key_id - #PSA_KEY_ID_VOLATILE_MIN ).
+ *
+ * On success, the function locks the key slot. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param key Key identifier to query.
+ * \param[out] p_slot On success, `*p_slot` contains a pointer to the
+ * key slot containing the description of the key
+ * identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ * The pointer to the key slot containing the description of the key
+ * identified by \p key was returned.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no key with key identifier \p key in the key slots.
+ */
+static psa_status_t psa_get_and_lock_key_slot_in_memory(
+ mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+ size_t slot_idx;
+ psa_key_slot_t *slot = NULL;
+
+ if (psa_key_id_is_volatile(key_id)) {
+ slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN];
+
+ /* Check if both the PSA key identifier key_id and the owner
+ * identifier of key match those of the key slot. */
+ if ((slot->state == PSA_SLOT_FULL) &&
+ (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
+ status = PSA_SUCCESS;
+ } else {
+ status = PSA_ERROR_DOES_NOT_EXIST;
+ }
+ } else {
+ if (!psa_is_valid_key_id(key, 1)) {
+ return PSA_ERROR_INVALID_HANDLE;
+ }
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ slot = &global_data.key_slots[slot_idx];
+ /* Only consider slots which are in a full state. */
+ if ((slot->state == PSA_SLOT_FULL) &&
+ (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
+ break;
+ }
+ }
+ status = (slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT) ?
+ PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ if (status == PSA_SUCCESS) {
+ status = psa_register_read(slot);
+ if (status == PSA_SUCCESS) {
+ *p_slot = slot;
+ }
+ }
+
+ return status;
+}
+
+psa_status_t psa_initialize_key_slots(void)
+{
+ /* Nothing to do: program startup and psa_wipe_all_key_slots() both
+ * guarantee that the key slots are initialized to all-zero, which
+ * means that all the key slots are in a valid, empty state. The global
+ * data mutex is already held when calling this function, so no need to
+ * lock it here, to set the flag. */
+ global_data.key_slots_initialized = 1;
+ return PSA_SUCCESS;
+}
+
+void psa_wipe_all_key_slots(void)
+{
+ size_t slot_idx;
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ slot->registered_readers = 1;
+ slot->state = PSA_SLOT_PENDING_DELETION;
+ (void) psa_wipe_key_slot(slot);
+ }
+ /* The global data mutex is already held when calling this function. */
+ global_data.key_slots_initialized = 0;
+}
+
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t slot_idx;
+ psa_key_slot_t *selected_slot, *unused_persistent_key_slot;
+
+ if (!psa_get_key_slots_initialized()) {
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
+ }
+
+ selected_slot = unused_persistent_key_slot = NULL;
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ if (slot->state == PSA_SLOT_EMPTY) {
+ selected_slot = slot;
+ break;
+ }
+
+ if ((unused_persistent_key_slot == NULL) &&
+ (slot->state == PSA_SLOT_FULL) &&
+ (!psa_key_slot_has_readers(slot)) &&
+ (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime))) {
+ unused_persistent_key_slot = slot;
+ }
+ }
+
+ /*
+ * If there is no unused key slot and there is at least one unlocked key
+ * slot containing the description of a persistent key, recycle the first
+ * such key slot we encountered. If we later need to operate on the
+ * persistent key we are evicting now, we will reload its description from
+ * storage.
+ */
+ if ((selected_slot == NULL) &&
+ (unused_persistent_key_slot != NULL)) {
+ selected_slot = unused_persistent_key_slot;
+ psa_register_read(selected_slot);
+ status = psa_wipe_key_slot(selected_slot);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+ }
+
+ if (selected_slot != NULL) {
+ status = psa_key_slot_state_transition(selected_slot, PSA_SLOT_EMPTY,
+ PSA_SLOT_FILLING);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
+ ((psa_key_id_t) (selected_slot - global_data.key_slots));
+ *p_slot = selected_slot;
+
+ return PSA_SUCCESS;
+ }
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+
+error:
+ *p_slot = NULL;
+ *volatile_key_id = 0;
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *key_data = NULL;
+ size_t key_data_length = 0;
+
+ status = psa_load_persistent_key(&slot->attr,
+ &key_data, &key_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Special handling is required for loading keys associated with a
+ * dynamically registered SE interface. */
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+ if (psa_get_se_driver(slot->attr.lifetime, &drv, &drv_context)) {
+ psa_se_key_data_storage_t *data;
+
+ if (key_data_length != sizeof(*data)) {
+ status = PSA_ERROR_DATA_INVALID;
+ goto exit;
+ }
+ data = (psa_se_key_data_storage_t *) key_data;
+ status = psa_copy_key_material_into_slot(
+ slot, data->slot_number, sizeof(data->slot_number));
+ goto exit;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ status = psa_copy_key_material_into_slot(slot, key_data, key_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_free_persistent_key_data(key_data, key_data_length);
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+
+static psa_status_t psa_load_builtin_key_into_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE;
+ psa_drv_slot_number_t slot_number = 0;
+ size_t key_buffer_size = 0;
+ size_t key_buffer_length = 0;
+
+ if (!psa_key_id_is_builtin(
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id))) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ /* Check the platform function to see whether this key actually exists */
+ status = mbedtls_psa_platform_get_builtin_key(
+ slot->attr.id, &lifetime, &slot_number);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Set required key attributes to ensure get_builtin_key can retrieve the
+ * full attributes. */
+ psa_set_key_id(&attributes, slot->attr.id);
+ psa_set_key_lifetime(&attributes, lifetime);
+
+ /* Get the full key attributes from the driver in order to be able to
+ * calculate the required buffer size. */
+ status = psa_driver_wrapper_get_builtin_key(
+ slot_number, &attributes,
+ NULL, 0, NULL);
+ if (status != PSA_ERROR_BUFFER_TOO_SMALL) {
+ /* Builtin keys cannot be defined by the attributes alone */
+ if (status == PSA_SUCCESS) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ return status;
+ }
+
+ /* If the key should exist according to the platform, then ask the driver
+ * what its expected size is. */
+ status = psa_driver_wrapper_get_key_buffer_size(&attributes,
+ &key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Allocate a buffer of the required size and load the builtin key directly
+ * into the (now properly sized) slot buffer. */
+ status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_driver_wrapper_get_builtin_key(
+ slot_number, &attributes,
+ slot->key.data, slot->key.bytes, &key_buffer_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Copy actual key length and core attributes into the slot on success */
+ slot->key.bytes = key_buffer_length;
+ slot->attr = attributes;
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_remove_key_data_from_memory(slot);
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *p_slot = NULL;
+ if (!psa_get_key_slots_initialized()) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ /* If the key is persistent and not loaded, we cannot unlock the mutex
+ * between checking if the key is loaded and setting the slot as FULL,
+ * as otherwise another thread may load and then destroy the key
+ * in the meantime. */
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ /*
+ * On success, the pointer to the slot is passed directly to the caller
+ * thus no need to unlock the key slot here.
+ */
+ status = psa_get_and_lock_key_slot_in_memory(key, p_slot);
+ if (status != PSA_ERROR_DOES_NOT_EXIST) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ /* Loading keys from storage requires support for such a mechanism */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
+ defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ psa_key_id_t volatile_key_id;
+
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+ if (status != PSA_SUCCESS) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ (*p_slot)->attr.id = key;
+ (*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
+
+ status = PSA_ERROR_DOES_NOT_EXIST;
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ /* Load keys in the 'builtin' range through their own interface */
+ status = psa_load_builtin_key_into_slot(*p_slot);
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = psa_load_persistent_key_into_slot(*p_slot);
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+ if (status != PSA_SUCCESS) {
+ psa_wipe_key_slot(*p_slot);
+
+ /* If the key does not exist, we need to return
+ * PSA_ERROR_INVALID_HANDLE. */
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = PSA_ERROR_INVALID_HANDLE;
+ }
+ } else {
+ /* Add implicit usage flags. */
+ psa_extend_key_usage_flags(&(*p_slot)->attr.policy.usage);
+
+ psa_key_slot_state_transition((*p_slot), PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
+ status = psa_register_read(*p_slot);
+ }
+
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+ status = PSA_ERROR_INVALID_HANDLE;
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+ if (status != PSA_SUCCESS) {
+ *p_slot = NULL;
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+psa_status_t psa_unregister_read(psa_key_slot_t *slot)
+{
+ if (slot == NULL) {
+ return PSA_SUCCESS;
+ }
+ if ((slot->state != PSA_SLOT_FULL) &&
+ (slot->state != PSA_SLOT_PENDING_DELETION)) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* If we are the last reader and the slot is marked for deletion,
+ * we must wipe the slot here. */
+ if ((slot->state == PSA_SLOT_PENDING_DELETION) &&
+ (slot->registered_readers == 1)) {
+ return psa_wipe_key_slot(slot);
+ }
+
+ if (psa_key_slot_has_readers(slot)) {
+ slot->registered_readers--;
+ return PSA_SUCCESS;
+ }
+
+ /*
+ * As the return error code may not be handled in case of multiple errors,
+ * do our best to report if there are no registered readers. Assert with
+ * MBEDTLS_TEST_HOOK_TEST_ASSERT that there are registered readers:
+ * if the MBEDTLS_TEST_HOOKS configuration option is enabled and
+ * the function is called as part of the execution of a test suite, the
+ * execution of the test suite is stopped in error if the assertion fails.
+ */
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(psa_key_slot_has_readers(slot));
+ return PSA_ERROR_CORRUPTION_DETECTED;
+}
+
+psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_unregister_read(slot);
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ if (psa_key_lifetime_is_external(lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Check whether a driver is registered against this lifetime */
+ psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+ if (driver != NULL) {
+ if (p_drv != NULL) {
+ *p_drv = driver;
+ }
+ return PSA_SUCCESS;
+ }
+#else /* MBEDTLS_PSA_CRYPTO_SE_C */
+ (void) p_drv;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ /* Key location for external keys gets checked by the wrapper */
+ return PSA_SUCCESS;
+ } else {
+ /* Local/internal keys are always valid */
+ return PSA_SUCCESS;
+ }
+}
+
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime)
+{
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+ /* Volatile keys are always supported */
+ return PSA_SUCCESS;
+ } else {
+ /* Persistent keys require storage support */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else {
+ return PSA_SUCCESS;
+ }
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
+ }
+}
+
+psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
+ defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ psa_status_t status;
+ psa_key_slot_t *slot;
+
+ status = psa_get_and_lock_key_slot(key, &slot);
+ if (status != PSA_SUCCESS) {
+ *handle = PSA_KEY_HANDLE_INIT;
+ if (status == PSA_ERROR_INVALID_HANDLE) {
+ status = PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ return status;
+ }
+
+ *handle = key;
+
+ return psa_unregister_read_under_mutex(slot);
+
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+ (void) key;
+ *handle = PSA_KEY_HANDLE_INIT;
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+}
+
+psa_status_t psa_close_key(psa_key_handle_t handle)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ if (psa_key_handle_is_null(handle)) {
+ return PSA_SUCCESS;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_get_and_lock_key_slot_in_memory(handle, &slot);
+ if (status != PSA_SUCCESS) {
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = PSA_ERROR_INVALID_HANDLE;
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ if (slot->registered_readers == 1) {
+ status = psa_wipe_key_slot(slot);
+ } else {
+ status = psa_unregister_read(slot);
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return status;
+}
+
+psa_status_t psa_purge_key(mbedtls_svc_key_id_t key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_get_and_lock_key_slot_in_memory(key, &slot);
+ if (status != PSA_SUCCESS) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
+ (slot->registered_readers == 1)) {
+ status = psa_wipe_key_slot(slot);
+ } else {
+ status = psa_unregister_read(slot);
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return status;
+}
+
+void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats)
+{
+ size_t slot_idx;
+
+ memset(stats, 0, sizeof(*stats));
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ const psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ if (psa_key_slot_has_readers(slot)) {
+ ++stats->locked_slots;
+ }
+ if (slot->state == PSA_SLOT_EMPTY) {
+ ++stats->empty_slots;
+ continue;
+ }
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ ++stats->volatile_slots;
+ } else {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->persistent_slots;
+ if (id > stats->max_open_internal_key_id) {
+ stats->max_open_internal_key_id = id;
+ }
+ }
+ if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) !=
+ PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->external_slots;
+ if (id > stats->max_open_external_key_id) {
+ stats->max_open_external_key_id = id;
+ }
+ }
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/tf-psa-crypto/core/psa_crypto_slot_management.h b/tf-psa-crypto/core/psa_crypto_slot_management.h
new file mode 100644
index 0000000..a84be7d
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_slot_management.h
@@ -0,0 +1,288 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
+#define PSA_CRYPTO_SLOT_MANAGEMENT_H
+
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_se.h"
+
+/** Range of volatile key identifiers.
+ *
+ * The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
+ * range of key identifiers are reserved for volatile key identifiers.
+ * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
+ * index of the key slot containing the volatile key definition.
+ */
+
+/** The minimum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \
+ MBEDTLS_PSA_KEY_SLOT_COUNT + 1)
+
+/** The maximum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
+
+/** Test whether a key identifier is a volatile key identifier.
+ *
+ * \param key_id Key identifier to test.
+ *
+ * \retval 1
+ * The key identifier is a volatile key identifier.
+ * \retval 0
+ * The key identifier is not a volatile key identifier.
+ */
+static inline int psa_key_id_is_volatile(psa_key_id_t key_id)
+{
+ return (key_id >= PSA_KEY_ID_VOLATILE_MIN) &&
+ (key_id <= PSA_KEY_ID_VOLATILE_MAX);
+}
+
+/** Get the description of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are stored in
+ * key slots. This function returns a pointer to the key slot containing the
+ * description of a key given its identifier.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to call psa_unregister_read(slot)
+ * when they have finished reading the contents of the slot.
+ *
+ * On failure, `*p_slot` is set to NULL. This ensures that it is always valid
+ * to call psa_unregister_read on the returned slot.
+ *
+ * \param key Key identifier to query.
+ * \param[out] p_slot On success, `*p_slot` contains a pointer to the
+ * key slot containing the description of the key
+ * identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ * \p *p_slot contains a pointer to the key slot containing the
+ * description of the key identified by \p key.
+ * The key slot counter has been incremented.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been initialized.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \p key is a persistent key identifier. The implementation does not
+ * have sufficient resources to load the persistent key. This can be
+ * due to a lack of empty key slot, or available memory.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no key with key identifier \p key.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot);
+
+/** Initialize the key slot structures.
+ *
+ * \retval #PSA_SUCCESS
+ * Currently this function always succeeds.
+ */
+psa_status_t psa_initialize_key_slots(void);
+
+/** Delete all data from key slots in memory.
+ * This function is not thread safe, it wipes every key slot regardless of
+ * state and reader count. It should only be called when no slot is in use.
+ *
+ * This does not affect persistent storage. */
+void psa_wipe_all_key_slots(void);
+
+/** Find a free key slot and reserve it to be filled with a key.
+ *
+ * This function finds a key slot that is free,
+ * sets its state to PSA_SLOT_FILLING and then returns the slot.
+ *
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[out] volatile_key_id On success, volatile key identifier
+ * associated to the returned slot.
+ * \param[out] p_slot On success, a pointer to the slot.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There were no free key slots.
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * This function attempted to operate on a key slot which was in an
+ * unexpected state.
+ */
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot);
+
+/** Change the state of a key slot.
+ *
+ * This function changes the state of the key slot from expected_state to
+ * new state. If the state of the slot was not expected_state, the state is
+ * unchanged.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot.
+ * \param[in] expected_state The current state of the slot.
+ * \param[in] new_state The new state of the slot.
+ *
+ * \retval #PSA_SUCCESS
+ The key slot's state variable is new_state.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was not expected_state.
+ */
+static inline psa_status_t psa_key_slot_state_transition(
+ psa_key_slot_t *slot, psa_key_slot_state_t expected_state,
+ psa_key_slot_state_t new_state)
+{
+ if (slot->state != expected_state) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ slot->state = new_state;
+ return PSA_SUCCESS;
+}
+
+/** Register as a reader of a key slot.
+ *
+ * This function increments the key slot registered reader counter by one.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot.
+ *
+ * \retval #PSA_SUCCESS
+ The key slot registered reader counter was incremented.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The reader counter already reached its maximum value and was not
+ * increased, or the slot's state was not PSA_SLOT_FULL.
+ */
+static inline psa_status_t psa_register_read(psa_key_slot_t *slot)
+{
+ if ((slot->state != PSA_SLOT_FULL) ||
+ (slot->registered_readers >= SIZE_MAX)) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ slot->registered_readers++;
+
+ return PSA_SUCCESS;
+}
+
+/** Unregister from reading a key slot.
+ *
+ * This function decrements the key slot registered reader counter by one.
+ * If the state of the slot is PSA_SLOT_PENDING_DELETION,
+ * and there is only one registered reader (the caller),
+ * this function will call psa_wipe_key_slot().
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \note To ease the handling of errors in retrieving a key slot
+ * a NULL input pointer is valid, and the function returns
+ * successfully without doing anything in that case.
+ *
+ * \param[in] slot The key slot.
+ * \retval #PSA_SUCCESS
+ * \p slot is NULL or the key slot reader counter has been
+ * decremented (and potentially wiped) successfully.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was neither PSA_SLOT_FULL nor
+ * PSA_SLOT_PENDING_DELETION.
+ * Or a wipe was attempted and the slot's state was not
+ * PSA_SLOT_PENDING_DELETION.
+ * Or registered_readers was equal to 0.
+ */
+psa_status_t psa_unregister_read(psa_key_slot_t *slot);
+
+/** Wrap a call to psa_unregister_read in the global key slot mutex.
+ *
+ * If threading is disabled, this simply calls psa_unregister_read.
+ *
+ * \note To ease the handling of errors in retrieving a key slot
+ * a NULL input pointer is valid, and the function returns
+ * successfully without doing anything in that case.
+ *
+ * \param[in] slot The key slot.
+ * \retval #PSA_SUCCESS
+ * \p slot is NULL or the key slot reader counter has been
+ * decremented (and potentially wiped) successfully.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was neither PSA_SLOT_FULL nor
+ * PSA_SLOT_PENDING_DELETION.
+ * Or a wipe was attempted and the slot's state was not
+ * PSA_SLOT_PENDING_DELETION.
+ * Or registered_readers was equal to 0.
+ */
+psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot);
+
+/** Test whether a lifetime designates a key in an external cryptoprocessor.
+ *
+ * \param lifetime The lifetime to test.
+ *
+ * \retval 1
+ * The lifetime designates an external key. There should be a
+ * registered driver for this lifetime, otherwise the key cannot
+ * be created or manipulated.
+ * \retval 0
+ * The lifetime designates a key that is volatile or in internal
+ * storage.
+ */
+static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime)
+{
+ return PSA_KEY_LIFETIME_GET_LOCATION(lifetime)
+ != PSA_KEY_LOCATION_LOCAL_STORAGE;
+}
+
+/** Validate a key's location.
+ *
+ * This function checks whether the key's attributes point to a location that
+ * is known to the PSA Core, and returns the driver function table if the key
+ * is to be found in an external location.
+ *
+ * \param[in] lifetime The key lifetime attribute.
+ * \param[out] p_drv On success, when a key is located in external
+ * storage, returns a pointer to the driver table
+ * associated with the key's storage location.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ */
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+ psa_se_drv_table_entry_t **p_drv);
+
+/** Validate the persistence of a key.
+ *
+ * \param[in] lifetime The key lifetime attribute.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys
+ * are not supported.
+ */
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime);
+
+/** Validate a key identifier.
+ *
+ * \param[in] key The key identifier.
+ * \param[in] vendor_ok Non-zero to indicate that key identifiers in the
+ * vendor range are allowed, volatile key identifiers
+ * excepted \c 0 otherwise.
+ *
+ * \retval <> 0 if the key identifier is valid, 0 otherwise.
+ */
+int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok);
+
+#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
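Review bot: The `\retval` lists for psa_validate_key_location() and psa_validate_key_persistence() disagree with the bodies this commit adds in psa_crypto_slot_management.c. psa_validate_key_location() documents `#PSA_ERROR_INVALID_ARGUMENT`, yet every path in its body returns PSA_SUCCESS, including an external lifetime with no registered SE driver, and `*p_drv` is left unwritten in that case. A caller could read this header as meaning the location was checked and `*p_drv` set, so I would drop that retval and add `\note An external location without a registered driver is accepted here and checked later by the driver wrapper; *p_drv is only written when a driver is found.` psa_validate_key_persistence() returns PSA_ERROR_INVALID_ARGUMENT for a read-only persistent lifetime, which needs `\retval #PSA_ERROR_INVALID_ARGUMENT The lifetime is persistent and read-only.` In the same way, psa_get_and_lock_key_slot() lists `#PSA_ERROR_DOES_NOT_EXIST`, although its visible body appears to map that status to PSA_ERROR_INVALID_HANDLE before returning.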
diff --git a/tf-psa-crypto/core/psa_crypto_storage.c b/tf-psa-crypto/core/psa_crypto_storage.c
new file mode 100644
index 0000000..7d1317b
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_storage.c
@@ -0,0 +1,481 @@
+/*
+ * PSA persistent key storage
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+
+
+/****************************************************************/
+/* Key storage */
+/****************************************************************/
+
+/* Determine a file name (ITS file identifier) for the given key identifier.
+ * The file name must be distinct from any file that is used for a purpose
+ * other than storing a key. Currently, the only such file is the random seed
+ * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
+ * 0xFFFFFF52. */
+static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ /* Encode the owner in the upper 32 bits. This means that if
+ * owner values are nonzero (as they are on a PSA platform),
+ * no key file will ever have a value less than 0x100000000, so
+ * the whole range 0..0xffffffff is available for non-key files. */
+ uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key);
+ return ((uint64_t) unsigned_owner_id << 32) |
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+#else
+ /* Use the key id directly as a file name.
+ * psa_is_key_id_valid() in psa_crypto_slot_management.c
+ * is responsible for ensuring that key identifiers do not have a
+ * value that is reserved for non-key files. */
+ return key;
+#endif
+}
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key Persistent identifier of the key to be loaded. This
+ * should be an occupied storage location.
+ * \param[out] data Buffer where the data is to be written.
+ * \param data_size Size of the \c data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ */
+static psa_status_t psa_crypto_storage_load(
+ const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+ size_t data_length = 0;
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_its_get(data_identifier, 0, (uint32_t) data_size, data, &data_length);
+ if (data_size != data_length) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ return status;
+}
+
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)
+{
+ psa_status_t ret;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+
+ if (ret == PSA_ERROR_DOES_NOT_EXIST) {
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key Persistent identifier of the key to be stored. This
+ * should be an unoccupied storage location.
+ * \param[in] data Buffer containing the data to be stored.
+ * \param data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ if (psa_is_key_present_in_storage(key) == 1) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+
+ status = psa_its_set(data_identifier, (uint32_t) data_length, data, 0);
+ if (status != PSA_SUCCESS) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (data_identifier_info.size != data_length) {
+ status = PSA_ERROR_DATA_INVALID;
+ goto exit;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ /* Remove the file in case we managed to create it but something
+ * went wrong. It's ok if the file doesn't exist. If the file exists
+ * but the removal fails, we're already reporting an error so there's
+ * nothing else we can do. */
+ (void) psa_its_remove(data_identifier);
+ }
+ return status;
+}
+
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)
+{
+ psa_status_t ret;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (ret == PSA_ERROR_DOES_NOT_EXIST) {
+ return PSA_SUCCESS;
+ }
+
+ if (psa_its_remove(data_identifier) != PSA_SUCCESS) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (ret != PSA_ERROR_DOES_NOT_EXIST) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key Persistent identifier whose stored data length
+ * is to be obtained.
+ * \param[out] data_length The number of bytes that make up the data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+static psa_status_t psa_crypto_storage_get_data_length(
+ const mbedtls_svc_key_id_t key,
+ size_t *data_length)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ *data_length = (size_t) data_identifier_info.size;
+
+ return PSA_SUCCESS;
+}
+
+/**
+ * Persistent key storage magic header.
+ */
+#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
+#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH (sizeof(PSA_KEY_STORAGE_MAGIC_HEADER))
+
+typedef struct {
+ uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
+ uint8_t version[4];
+ uint8_t lifetime[sizeof(psa_key_lifetime_t)];
+ uint8_t type[2];
+ uint8_t bits[2];
+ uint8_t policy[sizeof(psa_key_policy_t)];
+ uint8_t data_len[4];
+ uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage(const uint8_t *data,
+ const size_t data_length,
+ const psa_key_attributes_t *attr,
+ uint8_t *storage_data)
+{
+ psa_persistent_key_storage_format *storage_format =
+ (psa_persistent_key_storage_format *) storage_data;
+
+ memcpy(storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER,
+ PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH);
+ MBEDTLS_PUT_UINT32_LE(0, storage_format->version, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
+ MBEDTLS_PUT_UINT16_LE((uint16_t) attr->type, storage_format->type, 0);
+ MBEDTLS_PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
+ MBEDTLS_PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
+ MBEDTLS_PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+ memcpy(storage_format->key_data, data, data_length);
+}
+
+static psa_status_t check_magic_header(const uint8_t *data)
+{
+ if (memcmp(data, PSA_KEY_STORAGE_MAGIC_HEADER,
+ PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH) != 0) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_attributes_t *attr)
+{
+ psa_status_t status;
+ const psa_persistent_key_storage_format *storage_format =
+ (const psa_persistent_key_storage_format *) storage_data;
+ uint32_t version;
+
+ if (storage_data_length < sizeof(*storage_format)) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ status = check_magic_header(storage_data);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ version = MBEDTLS_GET_UINT32_LE(storage_format->version, 0);
+ if (version != 0) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ *key_data_length = MBEDTLS_GET_UINT32_LE(storage_format->data_len, 0);
+ if (*key_data_length > (storage_data_length - sizeof(*storage_format)) ||
+ *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ if (*key_data_length == 0) {
+ *key_data = NULL;
+ } else {
+ *key_data = mbedtls_calloc(1, *key_data_length);
+ if (*key_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ memcpy(*key_data, storage_format->key_data, *key_data_length);
+ }
+
+ attr->lifetime = MBEDTLS_GET_UINT32_LE(storage_format->lifetime, 0);
+ attr->type = MBEDTLS_GET_UINT16_LE(storage_format->type, 0);
+ attr->bits = MBEDTLS_GET_UINT16_LE(storage_format->bits, 0);
+ attr->policy.usage = MBEDTLS_GET_UINT32_LE(storage_format->policy, 0);
+ attr->policy.alg = MBEDTLS_GET_UINT32_LE(storage_format->policy, sizeof(uint32_t));
+ attr->policy.alg2 = MBEDTLS_GET_UINT32_LE(storage_format->policy, 2 * sizeof(uint32_t));
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr,
+ const uint8_t *data,
+ const size_t data_length)
+{
+ size_t storage_data_length;
+ uint8_t *storage_data;
+ psa_status_t status;
+
+ /* All keys saved to persistent storage always have a key context */
+ if (data == NULL || data_length == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
+ return PSA_ERROR_INSUFFICIENT_STORAGE;
+ }
+ storage_data_length = data_length + sizeof(psa_persistent_key_storage_format);
+
+ storage_data = mbedtls_calloc(1, storage_data_length);
+ if (storage_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ psa_format_key_data_for_storage(data, data_length, attr, storage_data);
+
+ status = psa_crypto_storage_store(attr->id,
+ storage_data, storage_data_length);
+
+ mbedtls_zeroize_and_free(storage_data, storage_data_length);
+
+ return status;
+}
+
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length)
+{
+ mbedtls_zeroize_and_free(key_data, key_data_length);
+}
+
+psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr,
+ uint8_t **data,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *loaded_data;
+ size_t storage_data_length = 0;
+ mbedtls_svc_key_id_t key = attr->id;
+
+ status = psa_crypto_storage_get_data_length(key, &storage_data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ loaded_data = mbedtls_calloc(1, storage_data_length);
+
+ if (loaded_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_crypto_storage_load(key, loaded_data, storage_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_parse_key_data_from_storage(loaded_data, storage_data_length,
+ data, data_length, attr);
+
+ /* All keys saved to persistent storage always have a key context */
+ if (status == PSA_SUCCESS &&
+ (*data == NULL || *data_length == 0)) {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ }
+
+exit:
+ mbedtls_zeroize_and_free(loaded_data, storage_data_length);
+ return status;
+}
+
+
+
+/****************************************************************/
+/* Transactions */
+/****************************************************************/
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+psa_crypto_transaction_t psa_crypto_transaction;
+
+psa_status_t psa_crypto_save_transaction(void)
+{
+ struct psa_storage_info_t p_info;
+ psa_status_t status;
+ status = psa_its_get_info(PSA_CRYPTO_ITS_TRANSACTION_UID, &p_info);
+ if (status == PSA_SUCCESS) {
+ /* This shouldn't happen: we're trying to start a transaction while
+ * there is still a transaction that hasn't been replayed. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ } else if (status != PSA_ERROR_DOES_NOT_EXIST) {
+ return status;
+ }
+ return psa_its_set(PSA_CRYPTO_ITS_TRANSACTION_UID,
+ sizeof(psa_crypto_transaction),
+ &psa_crypto_transaction,
+ 0);
+}
+
+psa_status_t psa_crypto_load_transaction(void)
+{
+ psa_status_t status;
+ size_t length;
+ status = psa_its_get(PSA_CRYPTO_ITS_TRANSACTION_UID, 0,
+ sizeof(psa_crypto_transaction),
+ &psa_crypto_transaction, &length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (length != sizeof(psa_crypto_transaction)) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_stop_transaction(void)
+{
+ psa_status_t status = psa_its_remove(PSA_CRYPTO_ITS_TRANSACTION_UID);
+ /* Whether or not updating the storage succeeded, the transaction is
+ * finished now. It's too late to go back, so zero out the in-memory
+ * data. */
+ memset(&psa_crypto_transaction, 0, sizeof(psa_crypto_transaction));
+ return status;
+}
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+
+
+/****************************************************************/
+/* Random generator state */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+ size_t seed_size)
+{
+ psa_status_t status;
+ struct psa_storage_info_t p_info;
+
+ status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info);
+
+ if (PSA_ERROR_DOES_NOT_EXIST == status) { /* No seed exists */
+ status = psa_its_set(PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0);
+ } else if (PSA_SUCCESS == status) {
+ /* You should not be here. Seed needs to be injected only once */
+ status = PSA_ERROR_NOT_PERMITTED;
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/tf-psa-crypto/core/psa_crypto_storage.h b/tf-psa-crypto/core/psa_crypto_storage.h
new file mode 100644
index 0000000..d7f5b18
--- /dev/null
+++ b/tf-psa-crypto/core/psa_crypto_storage.h
@@ -0,0 +1,385 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+#include <stdint.h>
+#include <string.h>
+
+/* Limit the maximum key size in storage. This should have no effect
+ * since the key size is limited in memory. */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS))
+/* Sanity check: a file size must fit in 32 bits. Allow a generous
+ * 64kB of metadata. */
+#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
+#error "PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000"
+#endif
+
+/** The maximum permitted persistent slot number.
+ *
+ * In Mbed Crypto 0.1.0b:
+ * - Using the file backend, all key ids are ok except 0.
+ * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
+ * (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
+ * device's random seed (if this feature is enabled).
+ * - Only key ids from 1 to #MBEDTLS_PSA_KEY_SLOT_COUNT are actually used.
+ *
+ * Since we need to preserve the random seed, avoid using that key slot.
+ * Reserve a whole range of key slots just in case something else comes up.
+ *
+ * This limitation will probably become moot when we implement client
+ * separation for key storage.
+ */
+#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER PSA_KEY_ID_VENDOR_MAX
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key Persistent identifier to check.
+ *
+ * \retval 0
+ * No persistent data present for slot number
+ * \retval 1
+ * Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ * slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after loading the key into an internal slot to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as ensuring the key data is
+ * validated.
+ *
+ * Note: This function will only succeed for key buffers which are not
+ * empty. If passed a NULL pointer or zero-length, the function will fail
+ * with #PSA_ERROR_INVALID_ARGUMENT.
+ *
+ * \param[in] attr The attributes of the key to save.
+ * The key identifier field in the attributes
+ * determines the key's location.
+ * \param[in] data Buffer containing the key data.
+ * \param data_length The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr,
+ const uint8_t *data,
+ const size_t data_length);
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. On successful return, the pointer is guaranteed to be
+ * valid and the buffer contains at least one byte of data.
+ * psa_free_persistent_key_data() must be called on the data buffer
+ * afterwards to zeroize and free this buffer.
+ *
+ * \param[in,out] attr On input, the key identifier field identifies
+ * the key to load. Other fields are ignored.
+ * On success, the attribute structure contains
+ * the key metadata that was loaded from storage.
+ * \param[out] data Pointer to an allocated key data buffer on return.
+ * \param[out] data_length The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ */
+psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr,
+ uint8_t **data,
+ size_t *data_length);
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key Persistent identifier of the key to remove
+ * from persistent storage.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully removed,
+ * or the key did not exist.
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Free the temporary buffer allocated by psa_load_persistent_key().
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length);
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data Buffer containing the key data.
+ * \param data_length Length of the key data buffer.
+ * \param[in] attr The core attributes of the key.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage(const uint8_t *data,
+ const size_t data_length,
+ const psa_key_attributes_t *attr,
+ uint8_t *storage_data);
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data Buffer for the storage data.
+ * \param storage_data_length Length of the storage data buffer
+ * \param[out] key_data On output, pointer to a newly allocated buffer
+ * containing the key data. This must be freed
+ * using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] attr On success, the attribute structure is filled
+ * with the loaded key metadata.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_attributes_t *attr);
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** This symbol is defined if transaction support is required. */
+#define PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS 1
+#endif
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+/** The type of transaction that is in progress.
+ */
+/* This is an integer type rather than an enum for two reasons: to support
+ * unknown values when loading a transaction file, and to ensure that the
+ * type has a known size.
+ */
+typedef uint16_t psa_crypto_transaction_type_t;
+
+/** No transaction is in progress.
+ *
+ * This has the value 0, so zero-initialization sets a transaction's type to
+ * this value.
+ */
+#define PSA_CRYPTO_TRANSACTION_NONE ((psa_crypto_transaction_type_t) 0x0000)
+
+/** A key creation transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are created atomically in storage
+ * (simple file creation), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_CREATE_KEY ((psa_crypto_transaction_type_t) 0x0001)
+
+/** A key destruction transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are destroyed atomically in storage
+ * (simple file deletion), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_DESTROY_KEY ((psa_crypto_transaction_type_t) 0x0002)
+
+/** Transaction data.
+ *
+ * This type is designed to be serialized by writing the memory representation
+ * and reading it back on the same device.
+ *
+ * \note The transaction mechanism is not thread-safe. There can only be one
+ * single active transaction at a time.
+ * The transaction object is #psa_crypto_transaction.
+ *
+ * \note If an API call starts a transaction, it must complete this transaction
+ * before returning to the application.
+ *
+ * The lifetime of a transaction is the following (note that only one
+ * transaction may be active at a time):
+ *
+ * -# Call psa_crypto_prepare_transaction() to initialize the transaction
+ * object in memory and declare the type of transaction that is starting.
+ * -# Fill in the type-specific fields of #psa_crypto_transaction.
+ * -# Call psa_crypto_save_transaction() to start the transaction. This
+ * saves the transaction data to internal storage.
+ * -# Perform the work of the transaction by modifying files, contacting
+ * external entities, or whatever needs doing. Note that the transaction
+ * may be interrupted by a power failure, so you need to have a way
+ * recover from interruptions either by undoing what has been done
+ * so far or by resuming where you left off.
+ * -# If there are intermediate stages in the transaction, update
+ * the fields of #psa_crypto_transaction and call
+ * psa_crypto_save_transaction() again when each stage is reached.
+ * -# When the transaction is over, call psa_crypto_stop_transaction() to
+ * remove the transaction data in storage and in memory.
+ *
+ * If the system crashes while a transaction is in progress, psa_crypto_init()
+ * calls psa_crypto_load_transaction() and takes care of completing or
+ * rewinding the transaction. This is done in psa_crypto_recover_transaction()
+ * in psa_crypto.c. If you add a new type of transaction, be
+ * sure to add code for it in psa_crypto_recover_transaction().
+ */
+typedef union {
+ /* Each element of this union must have the following properties
+ * to facilitate serialization and deserialization:
+ *
+ * - The element is a struct.
+ * - The first field of the struct is `psa_crypto_transaction_type_t type`.
+ * - Elements of the struct are arranged such a way that there is
+ * no padding.
+ */
+ struct psa_crypto_transaction_unknown_s {
+ psa_crypto_transaction_type_t type;
+ uint16_t unused1;
+ uint32_t unused2;
+ uint64_t unused3;
+ uint64_t unused4;
+ } unknown;
+ /* ::type is #PSA_CRYPTO_TRANSACTION_CREATE_KEY or
+ * #PSA_CRYPTO_TRANSACTION_DESTROY_KEY. */
+ struct psa_crypto_transaction_key_s {
+ psa_crypto_transaction_type_t type;
+ uint16_t unused1;
+ psa_key_lifetime_t lifetime;
+ psa_key_slot_number_t slot;
+ mbedtls_svc_key_id_t id;
+ } key;
+} psa_crypto_transaction_t;
+
+/** The single active transaction.
+ */
+extern psa_crypto_transaction_t psa_crypto_transaction;
+
+/** Prepare for a transaction.
+ *
+ * There must not be an ongoing transaction.
+ *
+ * \param type The type of transaction to start.
+ */
+static inline void psa_crypto_prepare_transaction(
+ psa_crypto_transaction_type_t type)
+{
+ psa_crypto_transaction.unknown.type = type;
+}
+
+/** Save the transaction data to storage.
+ *
+ * You may call this function multiple times during a transaction to
+ * atomically update the transaction state.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ */
+psa_status_t psa_crypto_save_transaction(void);
+
+/** Load the transaction data from storage, if any.
+ *
+ * This function is meant to be called from psa_crypto_init() to recover
+ * in case a transaction was interrupted by a system crash.
+ *
+ * \retval #PSA_SUCCESS
+ * The data about the ongoing transaction has been loaded to
+ * #psa_crypto_transaction.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no ongoing transaction.
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_crypto_load_transaction(void);
+
+/** Indicate that the current transaction is finished.
+ *
+ * Call this function at the very end of transaction processing.
+ * This function does not "commit" or "abort" the transaction: the storage
+ * subsystem has no concept of "commit" and "abort", just saving and
+ * removing the transaction information in storage.
+ *
+ * This function erases the transaction data in storage (if any) and
+ * resets the transaction data in memory.
+ *
+ * \retval #PSA_SUCCESS
+ * There was transaction data in storage.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There was no transaction data in storage.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * It was impossible to determine whether there was transaction data
+ * in storage, or the transaction data could not be erased.
+ */
+psa_status_t psa_crypto_stop_transaction(void);
+
+/** The ITS file identifier for the transaction data.
+ *
+ * 0xffffffNN = special file; 0x74 = 't' for transaction.
+ */
+#define PSA_CRYPTO_ITS_TRANSACTION_UID ((psa_key_id_t) 0xffffff74)
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+/** Backend side of mbedtls_psa_inject_entropy().
+ *
+ * This function stores the supplied data into the entropy seed file.
+ *
+ * \retval #PSA_SUCCESS
+ * Success
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The entropy seed file already exists.
+ */
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+ size_t seed_size);
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
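Review bot: The comment on `psa_crypto_save_transaction()` says the function may be called multiple times during a transaction, but the definition in psa_crypto_storage.c in this same commit returns `PSA_ERROR_CORRUPTION_DETECTED` as soon as `psa_its_get_info()` finds an existing transaction file, so a second save can only fail. The `\retval` list omits that status as well. If the code is the intended behaviour, drop the "multiple times" sentence and add `\retval #PSA_ERROR_CORRUPTION_DETECTED A transaction file already exists in storage.`. Step 5 of the lifetime list on `psa_crypto_transaction_t` ("call psa_crypto_save_transaction() again when each stage is reached") needs the same correction. If the documentation is the intended contract, the fix belongs in the implementation instead.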
diff --git a/tf-psa-crypto/core/psa_its_file.c b/tf-psa-crypto/core/psa_its_file.c
new file mode 100644
index 0000000..9567137
--- /dev/null
+++ b/tf-psa-crypto/core/psa_its_file.c
@@ -0,0 +1,254 @@
+/*
+ * PSA ITS simulator over stdio files.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+
+#include "mbedtls/platform.h"
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+#include "psa_crypto_its.h"
+
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#if !defined(PSA_ITS_STORAGE_PREFIX)
+#define PSA_ITS_STORAGE_PREFIX ""
+#endif
+
+#define PSA_ITS_STORAGE_FILENAME_PATTERN "%08x%08x"
+#define PSA_ITS_STORAGE_SUFFIX ".psa_its"
+#define PSA_ITS_STORAGE_FILENAME_LENGTH \
+ (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \
+ 16 + /*UID (64-bit number in hex)*/ \
+ sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \
+ 1 /*terminating null byte*/)
+#define PSA_ITS_STORAGE_TEMP \
+ PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX
+
+/* The maximum value of psa_storage_info_t.size */
+#define PSA_ITS_MAX_SIZE 0xffffffff
+
+#define PSA_ITS_MAGIC_STRING "PSA\0ITS\0"
+#define PSA_ITS_MAGIC_LENGTH 8
+
+/* As rename fails on Windows if the new filepath already exists,
+ * use MoveFileExA with the MOVEFILE_REPLACE_EXISTING flag instead.
+ * Returns 0 on success, nonzero on failure. */
+#if defined(_WIN32)
+#define rename_replace_existing(oldpath, newpath) \
+ (!MoveFileExA(oldpath, newpath, MOVEFILE_REPLACE_EXISTING))
+#else
+#define rename_replace_existing(oldpath, newpath) rename(oldpath, newpath)
+#endif
+
+typedef struct {
+ uint8_t magic[PSA_ITS_MAGIC_LENGTH];
+ uint8_t size[sizeof(uint32_t)];
+ uint8_t flags[sizeof(psa_storage_create_flags_t)];
+} psa_its_file_header_t;
+
+static void psa_its_fill_filename(psa_storage_uid_t uid, char *filename)
+{
+ /* Break up the UID into two 32-bit pieces so as not to rely on
+ * long long support in snprintf. */
+ mbedtls_snprintf(filename, PSA_ITS_STORAGE_FILENAME_LENGTH,
+ "%s" PSA_ITS_STORAGE_FILENAME_PATTERN "%s",
+ PSA_ITS_STORAGE_PREFIX,
+ (unsigned) (uid >> 32),
+ (unsigned) (uid & 0xffffffff),
+ PSA_ITS_STORAGE_SUFFIX);
+}
+
+static psa_status_t psa_its_read_file(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info,
+ FILE **p_stream)
+{
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ psa_its_file_header_t header;
+ size_t n;
+
+ *p_stream = NULL;
+ psa_its_fill_filename(uid, filename);
+ *p_stream = fopen(filename, "rb");
+ if (*p_stream == NULL) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(*p_stream, NULL);
+
+ n = fread(&header, 1, sizeof(header), *p_stream);
+ if (n != sizeof(header)) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+ if (memcmp(header.magic, PSA_ITS_MAGIC_STRING,
+ PSA_ITS_MAGIC_LENGTH) != 0) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+
+ p_info->size = MBEDTLS_GET_UINT32_LE(header.size, 0);
+ p_info->flags = MBEDTLS_GET_UINT32_LE(header.flags, 0);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info)
+{
+ psa_status_t status;
+ FILE *stream = NULL;
+ status = psa_its_read_file(uid, p_info, &stream);
+ if (stream != NULL) {
+ fclose(stream);
+ }
+ return status;
+}
+
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+ uint32_t data_offset,
+ uint32_t data_length,
+ void *p_data,
+ size_t *p_data_length)
+{
+ psa_status_t status;
+ FILE *stream = NULL;
+ size_t n;
+ struct psa_storage_info_t info;
+
+ status = psa_its_read_file(uid, &info, &stream);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ if (data_offset + data_length < data_offset) {
+ goto exit;
+ }
+#if SIZE_MAX < 0xffffffff
+ if (data_offset + data_length > SIZE_MAX) {
+ goto exit;
+ }
+#endif
+ if (data_offset + data_length > info.size) {
+ goto exit;
+ }
+
+ status = PSA_ERROR_STORAGE_FAILURE;
+#if LONG_MAX < 0xffffffff
+ while (data_offset > LONG_MAX) {
+ if (fseek(stream, LONG_MAX, SEEK_CUR) != 0) {
+ goto exit;
+ }
+ data_offset -= LONG_MAX;
+ }
+#endif
+ if (fseek(stream, data_offset, SEEK_CUR) != 0) {
+ goto exit;
+ }
+ n = fread(p_data, 1, data_length, stream);
+ if (n != data_length) {
+ goto exit;
+ }
+ status = PSA_SUCCESS;
+ if (p_data_length != NULL) {
+ *p_data_length = n;
+ }
+
+exit:
+ if (stream != NULL) {
+ fclose(stream);
+ }
+ return status;
+}
+
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+ uint32_t data_length,
+ const void *p_data,
+ psa_storage_create_flags_t create_flags)
+{
+ if (uid == 0) {
+ return PSA_ERROR_INVALID_HANDLE;
+ }
+
+ psa_status_t status = PSA_ERROR_STORAGE_FAILURE;
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ FILE *stream = NULL;
+ psa_its_file_header_t header;
+ size_t n;
+
+ memcpy(header.magic, PSA_ITS_MAGIC_STRING, PSA_ITS_MAGIC_LENGTH);
+ MBEDTLS_PUT_UINT32_LE(data_length, header.size, 0);
+ MBEDTLS_PUT_UINT32_LE(create_flags, header.flags, 0);
+
+ psa_its_fill_filename(uid, filename);
+ stream = fopen(PSA_ITS_STORAGE_TEMP, "wb");
+
+ if (stream == NULL) {
+ goto exit;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(stream, NULL);
+
+ status = PSA_ERROR_INSUFFICIENT_STORAGE;
+ n = fwrite(&header, 1, sizeof(header), stream);
+ if (n != sizeof(header)) {
+ goto exit;
+ }
+ if (data_length != 0) {
+ n = fwrite(p_data, 1, data_length, stream);
+ if (n != data_length) {
+ goto exit;
+ }
+ }
+ status = PSA_SUCCESS;
+
+exit:
+ if (stream != NULL) {
+ int ret = fclose(stream);
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = PSA_ERROR_INSUFFICIENT_STORAGE;
+ }
+ }
+ if (status == PSA_SUCCESS) {
+ if (rename_replace_existing(PSA_ITS_STORAGE_TEMP, filename) != 0) {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ }
+ }
+ /* The temporary file may still exist, but only in failure cases where
+ * we're already reporting an error. So there's nothing we can do on
+ * failure. If the function succeeded, and in some error cases, the
+ * temporary file doesn't exist and so remove() is expected to fail.
+ * Thus we just ignore the return status of remove(). */
+ (void) remove(PSA_ITS_STORAGE_TEMP);
+ return status;
+}
+
+psa_status_t psa_its_remove(psa_storage_uid_t uid)
+{
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ FILE *stream;
+ psa_its_fill_filename(uid, filename);
+ stream = fopen(filename, "rb");
+ if (stream == NULL) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+ fclose(stream);
+ if (remove(filename) != 0) {
+ return PSA_ERROR_STORAGE_FAILURE;
+ }
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
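Review bot: `psa_its_read_file()` returns `PSA_ERROR_DOES_NOT_EXIST` for every `fopen()` failure, so a permission error or descriptor exhaustion is indistinguishable from a missing entry; `psa_its_remove()` has the same pattern. Callers in this commit treat that status as the go-ahead to write: `mbedtls_psa_storage_inject_entropy()` uses it as its only "seed not yet injected" test, and `psa_crypto_save_transaction()` as "no pending transaction". Where the platform sets `errno` on `fopen()` failure (POSIX does, ISO C does not require it), the return could become `return errno == ENOENT ? PSA_ERROR_DOES_NOT_EXIST : PSA_ERROR_STORAGE_FAILURE;` with `<errno.h>` included. If the current mapping is kept, a comment above the `fopen()` call should say that all open failures are deliberately folded into "does not exist".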
diff --git a/tf-psa-crypto/core/psa_util.c b/tf-psa-crypto/core/psa_util.c
new file mode 100644
index 0000000..4ccc5b0
--- /dev/null
+++ b/tf-psa-crypto/core/psa_util.c
@@ -0,0 +1,602 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+/* This is needed for MBEDTLS_ERR_XXX macros */
+#include <mbedtls/error.h>
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+#include <mbedtls/asn1write.h>
+#include <psa/crypto_sizes.h>
+#endif
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#include <psa/crypto.h>
+
+#if defined(MBEDTLS_MD_LIGHT)
+#include <mbedtls/md.h>
+#endif
+#if defined(MBEDTLS_LMS_C)
+#include <mbedtls/lms.h>
+#endif
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
+#include <mbedtls/ssl.h>
+#endif
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#include <mbedtls/rsa.h>
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#include <mbedtls/ecp.h>
+#endif
+#if defined(MBEDTLS_PK_C)
+#include <mbedtls/pk.h>
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include <mbedtls/cipher.h>
+#endif
+#include <mbedtls/entropy.h>
+
+/* PSA_SUCCESS is kept at the top of each error table since
+ * it's the most common status when everything functions properly. */
+#if defined(MBEDTLS_MD_LIGHT)
+const mbedtls_error_pair_t psa_to_md_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED }
+};
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+const mbedtls_error_pair_t psa_to_cipher_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_CIPHER_ALLOC_FAILED }
+};
+#endif
+
+#if defined(MBEDTLS_LMS_C)
+const mbedtls_error_pair_t psa_to_lms_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA }
+};
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
+const mbedtls_error_pair_t psa_to_ssl_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
+ { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
+};
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE },
+ { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED },
+ { PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING }
+};
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL },
+ { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED }
+};
+#endif
+
+int psa_generic_status_to_mbedtls(psa_status_t status)
+{
+ switch (status) {
+ case PSA_SUCCESS:
+ return 0;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ case PSA_ERROR_CORRUPTION_DETECTED:
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ case PSA_ERROR_COMMUNICATION_FAILURE:
+ case PSA_ERROR_HARDWARE_FAILURE:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ case PSA_ERROR_NOT_PERMITTED:
+ default:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+}
+
+int psa_status_to_mbedtls(psa_status_t status,
+ const mbedtls_error_pair_t *local_translations,
+ size_t local_errors_num,
+ int (*fallback_f)(psa_status_t))
+{
+ for (size_t i = 0; i < local_errors_num; i++) {
+ if (status == local_translations[i].psa_status) {
+ return local_translations[i].mbedtls_error;
+ }
+ }
+ return fallback_f(status);
+}
+
+#if defined(MBEDTLS_PK_C)
+int psa_pk_status_to_mbedtls(psa_status_t status)
+{
+ switch (status) {
+ case PSA_ERROR_INVALID_HANDLE:
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return MBEDTLS_ERR_PK_INVALID_ALG;
+ case PSA_ERROR_NOT_PERMITTED:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ case PSA_ERROR_BAD_STATE:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ case PSA_ERROR_DATA_CORRUPT:
+ case PSA_ERROR_DATA_INVALID:
+ case PSA_ERROR_STORAGE_FAILURE:
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ default:
+ return psa_generic_status_to_mbedtls(status);
+ }
+}
+#endif /* MBEDTLS_PK_C */
+
+/****************************************************************/
+/* Key management */
+/****************************************************************/
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
+ size_t *bits)
+{
+ switch (grpid) {
+#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ *bits = 192;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ *bits = 224;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ *bits = 384;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ *bits = 521;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ case MBEDTLS_ECP_DP_BP256R1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ case MBEDTLS_ECP_DP_BP384R1:
+ *bits = 384;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ case MBEDTLS_ECP_DP_BP512R1:
+ *bits = 512;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ *bits = 255;
+ return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ *bits = 192;
+ return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ case MBEDTLS_ECP_DP_CURVE448:
+ *bits = 448;
+ return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
+ default:
+ *bits = 0;
+ return 0;
+ }
+}
+
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+ size_t bits)
+{
+ switch (family) {
+ case PSA_ECC_FAMILY_SECP_R1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+ case 192:
+ return MBEDTLS_ECP_DP_SECP192R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_224)
+ case 224:
+ return MBEDTLS_ECP_DP_SECP224R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_SECP256R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+ case 384:
+ return MBEDTLS_ECP_DP_SECP384R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+ case 521:
+ return MBEDTLS_ECP_DP_SECP521R1;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_BP256R1;
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+ case 384:
+ return MBEDTLS_ECP_DP_BP384R1;
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+ case 512:
+ return MBEDTLS_ECP_DP_BP512R1;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+ case 255:
+ return MBEDTLS_ECP_DP_CURVE25519;
+#endif
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+ case 448:
+ return MBEDTLS_ECP_DP_CURVE448;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_SECP_K1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_SECP_K1_192)
+ case 192:
+ return MBEDTLS_ECP_DP_SECP192K1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_K1_224)
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+#endif
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_SECP256K1;
+#endif
+ }
+ break;
+ }
+
+ return MBEDTLS_ECP_DP_NONE;
+}
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+/* Wrapper function allowing the classic API to use the PSA RNG.
+ *
+ * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
+ * `psa_generate_random(...)`. The state parameter is ignored since the
+ * PSA API doesn't support passing an explicit state.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+ unsigned char *output,
+ size_t output_size)
+{
+ /* This function takes a pointer to the RNG state because that's what
+ * classic mbedtls functions using an RNG expect. The PSA RNG manages
+ * its own state internally and doesn't let the caller access that state.
+ * So we just ignore the state parameter, and in practice we'll pass
+ * NULL. */
+ (void) p_rng;
+ psa_status_t status = psa_generate_random(output, output_size);
+ if (status == PSA_SUCCESS) {
+ return 0;
+ } else {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+/**
+ * \brief Convert a single raw coordinate to DER ASN.1 format. The output der
+ * buffer is filled backward (i.e. starting from its end).
+ *
+ * \param raw_buf Buffer containing the raw coordinate to be
+ * converted.
+ * \param raw_len Length of raw_buf in bytes. This must be > 0.
+ * \param der_buf_start Pointer to the beginning of the buffer which
+ * will be filled with the DER converted data.
+ * \param der_buf_end End of the buffer used to store the DER output.
+ *
+ * \return On success, the amount of data (in bytes) written to
+ * the DER buffer.
+ * \return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if the provided der
+ * buffer is too small to contain all the converted data.
+ * \return MBEDTLS_ERR_ASN1_INVALID_DATA if the input raw
+ * coordinate is null (i.e. all zeros).
+ *
+ * \warning Raw and der buffer must not be overlapping.
+ */
+static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len,
+ unsigned char *der_buf_start,
+ unsigned char *der_buf_end)
+{
+ unsigned char *p = der_buf_end;
+ int len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
+ * Provided input MPIs should not be 0, but as a failsafe measure, still
+ * detect that and return error in case. */
+ while (*raw_buf == 0x00) {
+ ++raw_buf;
+ --raw_len;
+ if (raw_len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ }
+ len = (int) raw_len;
+
+ /* Copy the raw coordinate to the end of der_buf. */
+ if ((p - der_buf_start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ p -= len;
+ memcpy(p, raw_buf, len);
+
+ /* If MSb is 1, ASN.1 requires that we prepend a 0. */
+ if (*p & 0x80) {
+ if ((p - der_buf_start) < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ --p;
+ *p = 0x00;
+ ++len;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der_buf_start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der_buf_start, MBEDTLS_ASN1_INTEGER));
+
+ return len;
+}
+
+int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len)
+{
+ unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ const size_t coordinate_len = PSA_BITS_TO_BYTES(bits);
+ size_t len = 0;
+ unsigned char *p = der + der_size;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (raw_len != (2 * coordinate_len)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ /* Since raw and der buffers might overlap, dump r and s before starting
+ * the conversion. */
+ memcpy(r, raw, coordinate_len);
+ memcpy(s, raw + coordinate_len, coordinate_len);
+
+ /* der buffer will initially be written starting from its end so we pick s
+ * first and then r. */
+ ret = convert_raw_to_der_single_int(s, coordinate_len, der, p);
+ if (ret < 0) {
+ return ret;
+ }
+ p -= ret;
+ len += ret;
+
+ ret = convert_raw_to_der_single_int(r, coordinate_len, der, p);
+ if (ret < 0) {
+ return ret;
+ }
+ p -= ret;
+ len += ret;
+
+ /* Add ASN.1 header (len + tag). */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ /* memmove the content of der buffer to its beginnig. */
+ memmove(der, p, len);
+ *der_len = len;
+
+ return 0;
+}
+
+/**
+ * \brief Convert a single integer from ASN.1 DER format to raw.
+ *
+ * \param der Buffer containing the DER integer value to be
+ * converted.
+ * \param der_len Length of the der buffer in bytes.
+ * \param raw Output buffer that will be filled with the
+ * converted data. This should be at least
+ * coordinate_size bytes and it must be zeroed before
+ * calling this function.
+ * \param coordinate_size Size (in bytes) of a single coordinate in raw
+ * format.
+ *
+ * \return On success, the amount of DER data parsed from the
+ * provided der buffer.
+ * \return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the integer tag
+ * is missing in the der buffer.
+ * \return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the integer
+ * is null (i.e. all zeros) or if the output raw buffer
+ * is too small to contain the converted raw value.
+ *
+ * \warning Der and raw buffers must not be overlapping.
+ */
+static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t coordinate_size)
+{
+ unsigned char *p = der;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t unpadded_len, padding_len = 0;
+
+ /* Get the length of ASN.1 element (i.e. the integer we need to parse). */
+ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len,
+ MBEDTLS_ASN1_INTEGER);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* It's invalid to have:
+ * - unpadded_len == 0.
+ * - MSb set without a leading 0x00 (leading 0x00 is checked below). */
+ if (((unpadded_len == 0) || (*p & 0x80) != 0)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ /* Skip possible leading zero */
+ if (*p == 0x00) {
+ p++;
+ unpadded_len--;
+ /* It is not allowed to have more than 1 leading zero.
+ * Ignore the case in which unpadded_len = 0 because that's a 0 encoded
+ * in ASN.1 format (i.e. 020100). */
+ if ((unpadded_len > 0) && (*p == 0x00)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ }
+
+ if (unpadded_len > coordinate_size) {
+ /* Parsed number is longer than the maximum expected value. */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ padding_len = coordinate_size - unpadded_len;
+ /* raw buffer was already zeroed by the calling function so zero-padding
+ * operation is skipped here. */
+ memcpy(raw + padding_len, p, unpadded_len);
+ p += unpadded_len;
+
+ return (int) (p - der);
+}
+
+int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len)
+{
+ unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
+ unsigned char *p = (unsigned char *) der;
+ size_t data_len;
+ size_t coordinate_size = PSA_BITS_TO_BYTES(bits);
+ int ret;
+
+ /* The output raw buffer should be at least twice the size of a raw
+ * coordinate in order to store r and s. */
+ if (raw_size < coordinate_size * 2) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ /* Check that the provided input DER buffer has the right header. */
+ ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return ret;
+ }
+
+ memset(raw_tmp, 0, 2 * coordinate_size);
+
+ /* Extract r */
+ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size);
+ if (ret < 0) {
+ return ret;
+ }
+ p += ret;
+ data_len -= ret;
+
+ /* Extract s */
+ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size,
+ coordinate_size);
+ if (ret < 0) {
+ return ret;
+ }
+ p += ret;
+ data_len -= ret;
+
+ /* Check that we consumed all the input der data. */
+ if ((size_t) (p - der) != der_len) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ memcpy(raw, raw_tmp, 2 * coordinate_size);
+ *raw_len = 2 * coordinate_size;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
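Review bot: Neither `mbedtls_ecdsa_raw_to_der()` nor `mbedtls_ecdsa_der_to_raw()` bounds the caller-supplied `bits` before using it as a length for writes into fixed-size stack buffers. In `mbedtls_ecdsa_raw_to_der()` the only check is `raw_len != (2 * coordinate_len)`, so a `bits` above `PSA_VENDOR_ECC_MAX_CURVE_BITS` with a matching `raw_len` makes `memcpy(r, raw, coordinate_len)` write past `r` and `s`. In `mbedtls_ecdsa_der_to_raw()`, `memset(raw_tmp, 0, 2 * coordinate_size)` can overrun `raw_tmp` in the same way whenever `raw_size` is large enough to pass the first check. `bits == 0` also gets through and reaches `convert_raw_to_der_single_int()` with `raw_len == 0`, which that function's own documentation forbids and which reads `*raw_buf` before the length is tested. I would add `if (coordinate_len == 0 || coordinate_len > sizeof(r)) return MBEDTLS_ERR_ASN1_INVALID_DATA;` before the copies in the first function and `if (coordinate_size > sizeof(raw_tmp) / 2) return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;` before the `memset` in the second.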
diff --git a/tf-psa-crypto/core/psa_util_internal.h b/tf-psa-crypto/core/psa_util_internal.h
new file mode 100644
index 0000000..70a08a0
--- /dev/null
+++ b/tf-psa-crypto/core/psa_util_internal.h
@@ -0,0 +1,100 @@
+/**
+ * \file psa_util_internal.h
+ *
+ * \brief Internal utility functions for use of PSA Crypto.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PSA_UTIL_INTERNAL_H
+#define MBEDTLS_PSA_UTIL_INTERNAL_H
+
+/* Include the public header so that users only need one include. */
+#include "mbedtls/psa_util.h"
+
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+/*************************************************************************
+ * FFDH
+ ************************************************************************/
+
+#define MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH \
+ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
+
+/*************************************************************************
+ * ECC
+ ************************************************************************/
+
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+
+#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+
+/*************************************************************************
+ * Error translation
+ ************************************************************************/
+
+typedef struct {
+ /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
+ int16_t psa_status;
+ /* Error codes used by Mbed TLS are in one of the ranges
+ * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
+ * code optionally added), fitting in 16 bits. */
+ int16_t mbedtls_error;
+} mbedtls_error_pair_t;
+
+#if defined(MBEDTLS_MD_LIGHT)
+extern const mbedtls_error_pair_t psa_to_md_errors[4];
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+extern const mbedtls_error_pair_t psa_to_cipher_errors[4];
+#endif
+
+#if defined(MBEDTLS_LMS_C)
+extern const mbedtls_error_pair_t psa_to_lms_errors[3];
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
+#endif
+
+/* Generic fallback function for error translation,
+ * when the received state was not module-specific. */
+int psa_generic_status_to_mbedtls(psa_status_t status);
+
+/* This function iterates over provided local error translations,
+ * and if no match was found - calls the fallback error translation function. */
+int psa_status_to_mbedtls(psa_status_t status,
+ const mbedtls_error_pair_t *local_translations,
+ size_t local_errors_num,
+ int (*fallback_f)(psa_status_t));
+
+/* The second out of three-stage error handling functions of the pk module,
+ * acts as a fallback after RSA / ECDSA error translation, and if no match
+ * is found, it itself calls psa_generic_status_to_mbedtls. */
+int psa_pk_status_to_mbedtls(psa_status_t status);
+
+/* Utility macro to shorten the defines of error translator in modules. */
+#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
+ psa_status_to_mbedtls(status, error_list, \
+ sizeof(error_list)/sizeof(error_list[0]), \
+ fallback_f)
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */
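Review bot: The guard on the `psa_to_ssl_errors` declaration is wider than the guard on its definition. The header uses `#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)`, while psa_util.c in this same commit defines the table only when `MBEDTLS_SSL_TLS_C` is also set. In a configuration with `MBEDTLS_USE_PSA_CRYPTO` but without `MBEDTLS_SSL_TLS_C`, the header declares a symbol that is never defined, so any reference to it would fail at link time instead of being rejected by the compiler. Whether such a reference exists is not visible here. Using the same condition in both places avoids the problem: `#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))`.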
diff --git a/tf-psa-crypto/drivers/CMakeLists.txt b/tf-psa-crypto/drivers/CMakeLists.txt
new file mode 100644
index 0000000..517b6df
--- /dev/null
+++ b/tf-psa-crypto/drivers/CMakeLists.txt
@@ -0,0 +1,3 @@
+add_subdirectory(builtin)
+add_subdirectory(everest)
+add_subdirectory(p256-m)
diff --git a/tf-psa-crypto/drivers/builtin/CMakeLists.txt b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
new file mode 100644
index 0000000..febd4f0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
@@ -0,0 +1 @@
+add_subdirectory(src)
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/aes.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/aes.h
new file mode 100644
index 0000000..a07c8a5
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/aes.h
@@ -0,0 +1,627 @@
+/**
+ * \file aes.h
+ *
+ * \brief This file contains AES definitions and functions.
+ *
+ * The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ * cryptographic algorithm that can be used to protect electronic
+ * data.
+ *
+ * The AES algorithm is a symmetric block cipher that can
+ * encrypt and decrypt information. For more information, see
+ * <em>FIPS Publication 197: Advanced Encryption Standard</em> and
+ * <em>ISO/IEC 18033-2:2006: Information technology -- Security
+ * techniques -- Encryption algorithms -- Part 2: Asymmetric
+ * ciphers</em>.
+ *
+ * The AES-XTS block mode is standardized by NIST SP 800-38E
+ * <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
+ * and described in detail by IEEE P1619
+ * <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_AES_H
+#define MBEDTLS_AES_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* aesni.c relies on these values! */
+#define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. */
+#define MBEDTLS_AES_DECRYPT 0 /**< AES decryption. */
+
+/* Error codes in range 0x0020-0x0022 */
+/** Invalid key length. */
+#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020
+/** Invalid data input length. */
+#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022
+
+/* Error codes in range 0x0021-0x0025 */
+/** Invalid input data. */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The AES context-type definition.
+ */
+typedef struct mbedtls_aes_context {
+ int MBEDTLS_PRIVATE(nr); /*!< The number of rounds. */
+ size_t MBEDTLS_PRIVATE(rk_offset); /*!< The offset in array elements to AES
+ round keys in the buffer. */
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ uint32_t MBEDTLS_PRIVATE(buf)[44]; /*!< Aligned data buffer to hold
+ 10 round keys for 128-bit case. */
+#else
+ uint32_t MBEDTLS_PRIVATE(buf)[68]; /*!< Unaligned data buffer. This buffer can
+ hold 32 extra Bytes, which can be used for
+ simplifying key expansion in the 256-bit
+ case by generating an extra round key. */
+#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+}
+mbedtls_aes_context;
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief The AES XTS context-type definition.
+ */
+typedef struct mbedtls_aes_xts_context {
+ mbedtls_aes_context MBEDTLS_PRIVATE(crypt); /*!< The AES context to use for AES block
+ encryption or decryption. */
+ mbedtls_aes_context MBEDTLS_PRIVATE(tweak); /*!< The AES context used for tweak
+ computation. */
+} mbedtls_aes_xts_context;
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#else /* MBEDTLS_AES_ALT */
+#include "aes_alt.h"
+#endif /* MBEDTLS_AES_ALT */
+
+/**
+ * \brief This function initializes the specified AES context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * \param ctx The AES context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_init(mbedtls_aes_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified AES context.
+ *
+ * \param ctx The AES context to clear.
+ * If this is \c NULL, this function does nothing.
+ * Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_free(mbedtls_aes_context *ctx);
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function initializes the specified AES XTS context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * \param ctx The AES XTS context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified AES XTS context.
+ *
+ * \param ctx The AES XTS context to clear.
+ * If this is \c NULL, this function does nothing.
+ * Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx);
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief This function sets the encryption key.
+ *
+ * \param ctx The AES context to which the key should be bound.
+ * It must be initialized.
+ * \param key The encryption key.
+ * This must be a readable buffer of size \p keybits bits.
+ * \param keybits The size of data passed in bits. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief This function sets the decryption key.
+ *
+ * \param ctx The AES context to which the key should be bound.
+ * It must be initialized.
+ * \param key The decryption key.
+ * This must be a readable buffer of size \p keybits bits.
+ * \param keybits The size of data passed. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function prepares an XTS context for encryption and
+ * sets the encryption key.
+ *
+ * \param ctx The AES XTS context to which the key should be bound.
+ * It must be initialized.
+ * \param key The encryption key. This is comprised of the XTS key1
+ * concatenated with the XTS key2.
+ * This must be a readable buffer of size \p keybits bits.
+ * \param keybits The size of \p key passed in bits. Valid options are:
+ * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+
+/**
+ * \brief This function prepares an XTS context for decryption and
+ * sets the decryption key.
+ *
+ * \param ctx The AES XTS context to which the key should be bound.
+ * It must be initialized.
+ * \param key The decryption key. This is comprised of the XTS key1
+ * concatenated with the XTS key2.
+ * This must be a readable buffer of size \p keybits bits.
+ * \param keybits The size of \p key passed in bits. Valid options are:
+ * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief This function performs an AES single-block encryption or
+ * decryption operation.
+ *
+ * It performs the operation defined in the \p mode parameter
+ * (encrypt or decrypt), on the input data buffer defined in
+ * the \p input parameter.
+ *
+ * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
+ * mbedtls_aes_setkey_dec() must be called before the first
+ * call to this API with the same context.
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT.
+ * \param input The buffer holding the input data.
+ * It must be readable and at least \c 16 Bytes long.
+ * \param output The buffer where the output data will be written.
+ * It must be writeable and at least \c 16 Bytes long.
+
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief This function performs an AES-CBC encryption or decryption operation
+ * on full blocks.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt/decrypt), on the input data buffer defined in
+ * the \p input parameter.
+ *
+ * It can be called as many times as needed, until all the input
+ * data is processed. mbedtls_aes_init(), and either
+ * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
+ * before the first call to this API with the same context.
+ *
+ * \note This function operates on full blocks, that is, the input size
+ * must be a multiple of the AES block size of \c 16 Bytes.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the IV, you should
+ * either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT.
+ * \param length The length of the input data in Bytes. This must be a
+ * multiple of the block size (\c 16 Bytes).
+ * \param iv Initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
+ * \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ * on failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function performs an AES-XTS encryption or decryption
+ * operation for an entire XTS data unit.
+ *
+ * AES-XTS encrypts or decrypts blocks based on their location as
+ * defined by a data unit number. The data unit number must be
+ * provided by \p data_unit.
+ *
+ * NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ * AES blocks. If the data unit is larger than this, this function
+ * returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
+ * \param ctx The AES XTS context to use for AES XTS operations.
+ * It must be initialized and bound to a key.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT.
+ * \param length The length of a data unit in Bytes. This can be any
+ * length between 16 bytes and 2^24 bytes inclusive
+ * (between 1 and 2^20 block cipher blocks).
+ * \param data_unit The address of the data unit encoded as an array of 16
+ * bytes in little-endian format. For disk encryption, this
+ * is typically the index of the block device sector that
+ * contains the data.
+ * \param input The buffer holding the input data (which is an entire
+ * data unit). This function reads \p length Bytes from \p
+ * input.
+ * \param output The buffer holding the output data (which is an entire
+ * data unit). This function writes \p length Bytes to \p
+ * output.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
+ * smaller than an AES block in size (16 Bytes) or if \p
+ * length is larger than 2^20 blocks (16 MiB).
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an AES-CFB128 encryption or decryption
+ * operation.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt or decrypt), on the input data buffer
+ * defined in the \p input parameter.
+ *
+ * For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
+ * regardless of whether you are performing an encryption or decryption
+ * operation, that is, regardless of the \p mode parameter. This is
+ * because CFB mode uses the same key schedule for encryption and
+ * decryption.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the
+ * IV, you must either save it manually or use the cipher
+ * module instead.
+ *
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT.
+ * \param length The length of the input data in Bytes.
+ * \param iv_off The offset in IV (updated after use).
+ * It must point to a valid \c size_t.
+ * \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
+ * \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function performs an AES-CFB8 encryption or decryption
+ * operation.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt/decrypt), on the input data buffer defined
+ * in the \p input parameter.
+ *
+ * Due to the nature of CFB, you must use the same key schedule for
+ * both encryption and decryption operations. Therefore, you must
+ * use the context initialized with mbedtls_aes_setkey_enc() for
+ * both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the
+ * IV, you should either save it manually or use the cipher
+ * module instead.
+ *
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT
+ * \param length The length of the input data.
+ * \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
+ * \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/**
+ * \brief This function performs an AES-OFB (Output Feedback Mode)
+ * encryption or decryption operation.
+ *
+ * For OFB, you must set up the context with
+ * mbedtls_aes_setkey_enc(), regardless of whether you are
+ * performing an encryption or decryption operation. This is
+ * because OFB mode uses the same key schedule for encryption and
+ * decryption.
+ *
+ * The OFB operation is identical for encryption or decryption,
+ * therefore no operation mode needs to be specified.
+ *
+ * \note Upon exit, the content of iv, the Initialisation Vector, is
+ * updated so that you can call the same function again on the next
+ * block(s) of data and get the same result as if it was encrypted
+ * in one call. This allows a "streaming" usage, by initialising
+ * iv_off to 0 before the first call, and preserving its value
+ * between calls.
+ *
+ * For non-streaming use, the iv should be initialised on each call
+ * to a unique value, and iv_off set to 0 on each call.
+ *
+ * If you need to retain the contents of the initialisation vector,
+ * you must either save it manually or use the cipher module
+ * instead.
+ *
+ * \warning For the OFB mode, the initialisation vector must be unique
+ * every encryption operation. Reuse of an initialisation vector
+ * will compromise security.
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param length The length of the input data.
+ * \param iv_off The offset in IV (updated after use).
+ * It must point to a valid \c size_t.
+ * \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
+ * \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief This function performs an AES-CTR encryption or decryption
+ * operation.
+ *
+ * Due to the nature of CTR, you must use the same key schedule
+ * for both encryption and decryption operations. Therefore, you
+ * must use the context initialized with mbedtls_aes_setkey_enc()
+ * for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 12 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 12 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter. An alternative is to generate random nonces, but this
+ * limits the number of messages that can be securely encrypted:
+ * for example, with 96-bit random nonces, you should not encrypt
+ * more than 2**32 messages with the same key.
+ *
+ * Note that for both strategies, sizes are measured in blocks and
+ * that an AES block is 16 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
+ * \param length The length of the input data.
+ * \param nc_off The offset in the current \p stream_block, for
+ * resuming within the current cipher stream. The
+ * offset pointer should be 0 at the start of a stream.
+ * It must point to a valid \c size_t.
+ * \param nonce_counter The 128-bit nonce and counter.
+ * It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param stream_block The saved stream block for resuming. This is
+ * overwritten by the function.
+ * It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
+ * \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/**
+ * \brief Internal AES block encryption function. This is only
+ * exposed to allow overriding it using
+ * \c MBEDTLS_AES_ENCRYPT_ALT.
+ *
+ * \param ctx The AES context to use for encryption.
+ * \param input The plaintext block.
+ * \param output The output (ciphertext) block.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Internal AES block decryption function. This is only
+ * exposed to allow overriding it using see
+ * \c MBEDTLS_AES_DECRYPT_ALT.
+ *
+ * \param ctx The AES context to use for decryption.
+ * \param input The ciphertext block.
+ * \param output The output (plaintext) block.
+ *
+ * \return \c 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16]);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_aes_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aes.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/aria.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/aria.h
new file mode 100644
index 0000000..c685fc3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/aria.h
@@ -0,0 +1,343 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ * The ARIA algorithm is a symmetric block cipher that can encrypt and
+ * decrypt information. It is defined by the Korean Agency for
+ * Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ * Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ * and also described by the IETF in <em>RFC 5794</em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "mbedtls/platform_util.h"
+
+#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maximum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+/** Bad input data. */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C
+
+/** Invalid data input length. */
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct mbedtls_aria_context {
+ unsigned char MBEDTLS_PRIVATE(nr); /*!< The number of rounds (12, 14 or 16) */
+ /*! The ARIA round keys. */
+ uint32_t MBEDTLS_PRIVATE(rk)[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief This function initializes the specified ARIA context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * \param ctx The ARIA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aria_init(mbedtls_aria_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified ARIA context.
+ *
+ * \param ctx The ARIA context to clear. This may be \c NULL, in which
+ * case this function returns immediately. If it is not \c NULL,
+ * it must point to an initialized ARIA context.
+ */
+void mbedtls_aria_free(mbedtls_aria_context *ctx);
+
+/**
+ * \brief This function sets the encryption key.
+ *
+ * \param ctx The ARIA context to which the key should be bound.
+ * This must be initialized.
+ * \param key The encryption key. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The size of \p key in Bits. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief This function sets the decryption key.
+ *
+ * \param ctx The ARIA context to which the key should be bound.
+ * This must be initialized.
+ * \param key The decryption key. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The size of data passed. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief This function performs an ARIA single-block encryption or
+ * decryption operation.
+ *
+ * It performs encryption or decryption (depending on whether
+ * the key was set for encryption on decryption) on the input
+ * data buffer defined in the \p input parameter.
+ *
+ * mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ * mbedtls_aria_setkey_dec() must be called before the first
+ * call to this API with the same context.
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * This must be initialized and bound to a key.
+ * \param input The 16-Byte buffer holding the input data.
+ * \param output The 16-Byte buffer holding the output data.
+
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
+ const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char output[MBEDTLS_ARIA_BLOCKSIZE]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief This function performs an ARIA-CBC encryption or decryption operation
+ * on full blocks.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt/decrypt), on the input data buffer defined in
+ * the \p input parameter.
+ *
+ * It can be called as many times as needed, until all the input
+ * data is processed. mbedtls_aria_init(), and either
+ * mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ * before the first call to this API with the same context.
+ *
+ * \note This function operates on aligned blocks, that is, the input size
+ * must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the IV, you should
+ * either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * This must be initialized and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ * #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length The length of the input data in Bytes. This must be a
+ * multiple of the block size (16 Bytes).
+ * \param iv Initialization vector (updated after use).
+ * This must be a readable buffer of size 16 Bytes.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ * operation.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt or decrypt), on the input data buffer
+ * defined in the \p input parameter.
+ *
+ * For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ * regardless of whether you are performing an encryption or decryption
+ * operation, that is, regardless of the \p mode parameter. This is
+ * because CFB mode uses the same key schedule for encryption and
+ * decryption.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the
+ * IV, you must either save it manually or use the cipher
+ * module instead.
+ *
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * This must be initialized and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ * #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length The length of the input data \p input in Bytes.
+ * \param iv_off The offset in IV (updated after use).
+ * This must not be larger than 15.
+ * \param iv The initialization vector (updated after use).
+ * This must be a readable buffer of size 16 Bytes.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief This function performs an ARIA-CTR encryption or decryption
+ * operation.
+ *
+ * Due to the nature of CTR, you must use the same key schedule
+ * for both encryption and decryption operations. Therefore, you
+ * must use the context initialized with mbedtls_aria_setkey_enc()
+ * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 12 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 12 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter. An alternative is to generate random nonces, but this
+ * limits the number of messages that can be securely encrypted:
+ * for example, with 96-bit random nonces, you should not encrypt
+ * more than 2**32 messages with the same key.
+ *
+ * Note that for both strategies, sizes are measured in blocks and
+ * that an ARIA block is 16 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * This must be initialized and bound to a key.
+ * \param length The length of the input data \p input in Bytes.
+ * \param nc_off The offset in Bytes in the current \p stream_block,
+ * for resuming within the current cipher stream. The
+ * offset pointer should be \c 0 at the start of a
+ * stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter The 128-bit nonce and counter. This must point to
+ * a read/write buffer of length \c 16 bytes.
+ * \param stream_block The saved stream block for resuming. This must
+ * point to a read/write buffer of length \c 16 bytes.
+ * This is overwritten by the function.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine.
+ *
+ * \return \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
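Review bot: None of the ARIA prototypes in this new header (`mbedtls_aria_setkey_enc`, `mbedtls_aria_setkey_dec`, `mbedtls_aria_crypt_ecb`, `_cbc`, `_cfb128`, `_ctr`) carries `MBEDTLS_CHECK_RETURN_TYPICAL`, although every AES prototype in the aes.h part of this diff does. A caller that ignores a failed key setup or a rejected CBC length therefore gets no compiler warning and can go on to treat an unwritten output buffer as ciphertext. Put `MBEDTLS_CHECK_RETURN_TYPICAL` on the line before each `int mbedtls_aria_...` declaration, and `MBEDTLS_CHECK_RETURN_CRITICAL` before `int mbedtls_aria_self_test(int verbose);` as aes.h does; the macros presumably come from the already-included `mbedtls/platform_util.h`, which should be confirmed. Separately, the `iv` parameter of `mbedtls_aria_crypt_cbc` and `mbedtls_aria_crypt_cfb128` is documented as "a readable buffer" even though it is "updated after use", so the text should read `This must be a readable and writeable buffer of size 16 Bytes.` as in aes.h. The `mbedtls_aria_crypt_ecb` comment also says "for encryption on decryption" where "or" is meant.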
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1.h
new file mode 100644
index 0000000..ff019f4
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1.h
@@ -0,0 +1,642 @@
+/**
+ * \file asn1.h
+ *
+ * \brief Generic ASN.1 parsing
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ASN1_H
+#define MBEDTLS_ASN1_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/**
+ * \addtogroup asn1_module
+ * \{
+ */
+
+/**
+ * \name ASN1 Error codes
+ * These error codes are combined with other error codes for
+ * higher error granularity.
+ * e.g. X.509 and PKCS #7 error codes
+ * ASN1 is a standard to specify data structures.
+ * \{
+ */
+/** Out of data when parsing an ASN1 data structure. */
+#define MBEDTLS_ERR_ASN1_OUT_OF_DATA -0x0060
+/** ASN1 tag was of an unexpected value. */
+#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -0x0062
+/** Error when trying to determine the length or invalid length. */
+#define MBEDTLS_ERR_ASN1_INVALID_LENGTH -0x0064
+/** Actual length differs from expected length. */
+#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -0x0066
+/** Data is invalid. */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA -0x0068
+/** Memory allocation failed */
+#define MBEDTLS_ERR_ASN1_ALLOC_FAILED -0x006A
+/** Buffer too small when writing ASN.1 data structure. */
+#define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL -0x006C
+
+/** \} name ASN1 Error codes */
+
+/**
+ * \name DER constants
+ * These constants comply with the DER encoded ASN.1 type tags.
+ * DER encoding uses hexadecimal representation.
+ * An example DER sequence is:\n
+ * - 0x02 -- tag indicating INTEGER
+ * - 0x01 -- length in octets
+ * - 0x05 -- value
+ * Such sequences are typically read into \c ::mbedtls_x509_buf.
+ * \{
+ */
+#define MBEDTLS_ASN1_BOOLEAN 0x01
+#define MBEDTLS_ASN1_INTEGER 0x02
+#define MBEDTLS_ASN1_BIT_STRING 0x03
+#define MBEDTLS_ASN1_OCTET_STRING 0x04
+#define MBEDTLS_ASN1_NULL 0x05
+#define MBEDTLS_ASN1_OID 0x06
+#define MBEDTLS_ASN1_ENUMERATED 0x0A
+#define MBEDTLS_ASN1_UTF8_STRING 0x0C
+#define MBEDTLS_ASN1_SEQUENCE 0x10
+#define MBEDTLS_ASN1_SET 0x11
+#define MBEDTLS_ASN1_PRINTABLE_STRING 0x13
+#define MBEDTLS_ASN1_T61_STRING 0x14
+#define MBEDTLS_ASN1_IA5_STRING 0x16
+#define MBEDTLS_ASN1_UTC_TIME 0x17
+#define MBEDTLS_ASN1_GENERALIZED_TIME 0x18
+#define MBEDTLS_ASN1_UNIVERSAL_STRING 0x1C
+#define MBEDTLS_ASN1_BMP_STRING 0x1E
+#define MBEDTLS_ASN1_PRIMITIVE 0x00
+#define MBEDTLS_ASN1_CONSTRUCTED 0x20
+#define MBEDTLS_ASN1_CONTEXT_SPECIFIC 0x80
+
+/* Slightly smaller way to check if tag is a string tag
+ * compared to canonical implementation. */
+#define MBEDTLS_ASN1_IS_STRING_TAG(tag) \
+ ((unsigned int) (tag) < 32u && ( \
+ ((1u << (tag)) & ((1u << MBEDTLS_ASN1_BMP_STRING) | \
+ (1u << MBEDTLS_ASN1_UTF8_STRING) | \
+ (1u << MBEDTLS_ASN1_T61_STRING) | \
+ (1u << MBEDTLS_ASN1_IA5_STRING) | \
+ (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) | \
+ (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0))
+
+/*
+ * Bit masks for each of the components of an ASN.1 tag as specified in
+ * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
+ * paragraph 8.1.2.2:
+ *
+ * Bit 8 7 6 5 1
+ * +-------+-----+------------+
+ * | Class | P/C | Tag number |
+ * +-------+-----+------------+
+ */
+#define MBEDTLS_ASN1_TAG_CLASS_MASK 0xC0
+#define MBEDTLS_ASN1_TAG_PC_MASK 0x20
+#define MBEDTLS_ASN1_TAG_VALUE_MASK 0x1F
+
+/** \} name DER constants */
+
+/** Returns the size of the binary string, without the trailing \\0 */
+#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
+
+/**
+ * Compares an mbedtls_asn1_buf structure to a reference OID.
+ *
+ * Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a
+ * 'unsigned char *oid' here!
+ */
+#define MBEDTLS_OID_CMP(oid_str, oid_buf) \
+ ((MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len) || \
+ memcmp((oid_str), (oid_buf)->p, (oid_buf)->len) != 0)
+
+#define MBEDTLS_OID_CMP_RAW(oid_str, oid_buf, oid_buf_len) \
+ ((MBEDTLS_OID_SIZE(oid_str) != (oid_buf_len)) || \
+ memcmp((oid_str), (oid_buf), (oid_buf_len)) != 0)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Functions to parse ASN.1 data structures
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef struct mbedtls_asn1_buf {
+ int tag; /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
+ size_t len; /**< ASN1 length, in octets. */
+ unsigned char *p; /**< ASN1 data, e.g. in ASCII. */
+}
+mbedtls_asn1_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef struct mbedtls_asn1_bitstring {
+ size_t len; /**< ASN1 length, in octets. */
+ unsigned char unused_bits; /**< Number of unused bits at the end of the string */
+ unsigned char *p; /**< Raw ASN1 data for the bit string */
+}
+mbedtls_asn1_bitstring;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef struct mbedtls_asn1_sequence {
+ mbedtls_asn1_buf buf; /**< Buffer containing the given ASN.1 item. */
+
+ /** The next entry in the sequence.
+ *
+ * The details of memory management for sequences are not documented and
+ * may change in future versions. Set this field to \p NULL when
+ * initializing a structure, and do not modify it except via Mbed TLS
+ * library functions.
+ */
+ struct mbedtls_asn1_sequence *next;
+}
+mbedtls_asn1_sequence;
+
+/**
+ * Container for a sequence or list of 'named' ASN.1 data items
+ */
+typedef struct mbedtls_asn1_named_data {
+ mbedtls_asn1_buf oid; /**< The object identifier. */
+ mbedtls_asn1_buf val; /**< The named value. */
+
+ /** The next entry in the sequence.
+ *
+ * The details of memory management for named data sequences are not
+ * documented and may change in future versions. Set this field to \p NULL
+ * when initializing a structure, and do not modify it except via Mbed TLS
+ * library functions.
+ */
+ struct mbedtls_asn1_named_data *next;
+
+ /** Merge next item into the current one?
+ *
+ * This field exists for the sake of Mbed TLS's X.509 certificate parsing
+ * code and may change in future versions of the library.
+ */
+ unsigned char MBEDTLS_PRIVATE(next_merged);
+}
+mbedtls_asn1_named_data;
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+/**
+ * \brief Get the length of an ASN.1 element.
+ * Updates the pointer to immediately behind the length.
+ *
+ * \param p On entry, \c *p points to the first byte of the length,
+ * i.e. immediately after the tag.
+ * On successful completion, \c *p points to the first byte
+ * after the length, i.e. the first byte of the content.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param len On successful completion, \c *len contains the length
+ * read from the ASN.1 input.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
+ * would end beyond \p end.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparsable.
+ */
+int mbedtls_asn1_get_len(unsigned char **p,
+ const unsigned char *end,
+ size_t *len);
+
+/**
+ * \brief Get the tag and length of the element.
+ * Check for the requested tag.
+ * Updates the pointer to immediately behind the tag and length.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * after the length, i.e. the first byte of the content.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param len On successful completion, \c *len contains the length
+ * read from the ASN.1 input.
+ * \param tag The expected tag.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the data does not start
+ * with the requested tag.
+ * \return #MBEDTLS_ERR_ASN1_OUT_OF_DATA if the ASN.1 element
+ * would end beyond \p end.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the length is unparsable.
+ */
+int mbedtls_asn1_get_tag(unsigned char **p,
+ const unsigned char *end,
+ size_t *len, int tag);
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/**
+ * \brief Retrieve a boolean ASN.1 tag and its value.
+ * Updates the pointer to immediately behind the full tag.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the ASN.1 element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param val On success, the parsed value (\c 0 or \c 1).
+ *
+ * \return 0 if successful.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 BOOLEAN.
+ */
+int mbedtls_asn1_get_bool(unsigned char **p,
+ const unsigned char *end,
+ int *val);
+
+/**
+ * \brief Retrieve an integer ASN.1 tag and its value.
+ * Updates the pointer to immediately behind the full tag.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the ASN.1 element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param val On success, the parsed value.
+ *
+ * \return 0 if successful.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 INTEGER.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ * not fit in an \c int.
+ */
+int mbedtls_asn1_get_int(unsigned char **p,
+ const unsigned char *end,
+ int *val);
+
+/**
+ * \brief Retrieve an enumerated ASN.1 tag and its value.
+ * Updates the pointer to immediately behind the full tag.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the ASN.1 element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param val On success, the parsed value.
+ *
+ * \return 0 if successful.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 ENUMERATED.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ * not fit in an \c int.
+ */
+int mbedtls_asn1_get_enum(unsigned char **p,
+ const unsigned char *end,
+ int *val);
+
+/**
+ * \brief Retrieve a bitstring ASN.1 tag and its value.
+ * Updates the pointer to immediately behind the full tag.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p is equal to \p end.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param bs On success, ::mbedtls_asn1_bitstring information about
+ * the parsed value.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
+ * extra data after a valid BIT STRING.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 BIT STRING.
+ */
+int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
+ mbedtls_asn1_bitstring *bs);
+
+/**
+ * \brief Retrieve a bitstring ASN.1 tag without unused bits and its
+ * value.
+ * Updates the pointer to the beginning of the bit/octet string.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * of the content of the BIT STRING.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param len On success, \c *len is the length of the content in bytes.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if the input starts with
+ * a valid BIT STRING with a nonzero number of unused bits.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 BIT STRING.
+ */
+int mbedtls_asn1_get_bitstring_null(unsigned char **p,
+ const unsigned char *end,
+ size_t *len);
+
+/**
+ * \brief Parses and splits an ASN.1 "SEQUENCE OF <tag>".
+ * Updates the pointer to immediately behind the full sequence tag.
+ *
+ * This function allocates memory for the sequence elements. You can free
+ * the allocated memory with mbedtls_asn1_sequence_free().
+ *
+ * \note On error, this function may return a partial list in \p cur.
+ * You must set `cur->next = NULL` before calling this function!
+ * Otherwise it is impossible to distinguish a previously non-null
+ * pointer from a pointer to an object allocated by this function.
+ *
+ * \note If the sequence is empty, this function does not modify
+ * \c *cur. If the sequence is valid and non-empty, this
+ * function sets `cur->buf.tag` to \p tag. This allows
+ * callers to distinguish between an empty sequence and
+ * a one-element sequence.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p is equal to \p end.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param cur A ::mbedtls_asn1_sequence which this function fills.
+ * When this function returns, \c *cur is the head of a linked
+ * list. Each node in this list is allocated with
+ * mbedtls_calloc() apart from \p cur itself, and should
+ * therefore be freed with mbedtls_free().
+ * The list describes the content of the sequence.
+ * The head of the list (i.e. \c *cur itself) describes the
+ * first element, `*cur->next` describes the second element, etc.
+ * For each element, `buf.tag == tag`, `buf.len` is the length
+ * of the content of the content of the element, and `buf.p`
+ * points to the first byte of the content (i.e. immediately
+ * past the length of the element).
+ * Note that list elements may be allocated even on error.
+ * \param tag Each element of the sequence must have this tag.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input contains
+ * extra data after a valid SEQUENCE OF \p tag.
+ * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts with
+ * an ASN.1 SEQUENCE in which an element has a tag that
+ * is different from \p tag.
+ * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if a memory allocation failed.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 SEQUENCE.
+ */
+int mbedtls_asn1_get_sequence_of(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_sequence *cur,
+ int tag);
+/**
+ * \brief Free a heap-allocated linked list presentation of
+ * an ASN.1 sequence, including the first element.
+ *
+ * There are two common ways to manage the memory used for the representation
+ * of a parsed ASN.1 sequence:
+ * - Allocate a head node `mbedtls_asn1_sequence *head` with mbedtls_calloc().
+ * Pass this node as the `cur` argument to mbedtls_asn1_get_sequence_of().
+ * When you have finished processing the sequence,
+ * call mbedtls_asn1_sequence_free() on `head`.
+ * - Allocate a head node `mbedtls_asn1_sequence *head` in any manner,
+ * for example on the stack. Make sure that `head->next == NULL`.
+ * Pass `head` as the `cur` argument to mbedtls_asn1_get_sequence_of().
+ * When you have finished processing the sequence,
+ * call mbedtls_asn1_sequence_free() on `head->cur`,
+ * then free `head` itself in the appropriate manner.
+ *
+ * \param seq The address of the first sequence component. This may
+ * be \c NULL, in which case this functions returns
+ * immediately.
+ */
+void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq);
+
+/**
+ * \brief Traverse an ASN.1 SEQUENCE container and
+ * call a callback for each entry.
+ *
+ * This function checks that the input is a SEQUENCE of elements that
+ * each have a "must" tag, and calls a callback function on the elements
+ * that have a "may" tag.
+ *
+ * For example, to validate that the input is a SEQUENCE of `tag1` and call
+ * `cb` on each element, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0xff, tag1, 0, 0, cb, ctx);
+ * ```
+ *
+ * To validate that the input is a SEQUENCE of ANY and call `cb` on
+ * each element, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0, 0, 0, 0, cb, ctx);
+ * ```
+ *
+ * To validate that the input is a SEQUENCE of CHOICE {NULL, OCTET STRING}
+ * and call `cb` on each element that is an OCTET STRING, use
+ * ```
+ * mbedtls_asn1_traverse_sequence_of(&p, end, 0xfe, 0x04, 0xff, 0x04, cb, ctx);
+ * ```
+ *
+ * The callback is called on the elements with a "may" tag from left to
+ * right. If the input is not a valid SEQUENCE of elements with a "must" tag,
+ * the callback is called on the elements up to the leftmost point where
+ * the input is invalid.
+ *
+ * \warning This function is still experimental and may change
+ * at any time.
+ *
+ * \param p The address of the pointer to the beginning of
+ * the ASN.1 SEQUENCE header. This is updated to
+ * point to the end of the ASN.1 SEQUENCE container
+ * on a successful invocation.
+ * \param end The end of the ASN.1 SEQUENCE container.
+ * \param tag_must_mask A mask to be applied to the ASN.1 tags found within
+ * the SEQUENCE before comparing to \p tag_must_val.
+ * \param tag_must_val The required value of each ASN.1 tag found in the
+ * SEQUENCE, after masking with \p tag_must_mask.
+ * Mismatching tags lead to an error.
+ * For example, a value of \c 0 for both \p tag_must_mask
+ * and \p tag_must_val means that every tag is allowed,
+ * while a value of \c 0xFF for \p tag_must_mask means
+ * that \p tag_must_val is the only allowed tag.
+ * \param tag_may_mask A mask to be applied to the ASN.1 tags found within
+ * the SEQUENCE before comparing to \p tag_may_val.
+ * \param tag_may_val The desired value of each ASN.1 tag found in the
+ * SEQUENCE, after masking with \p tag_may_mask.
+ * Mismatching tags will be silently ignored.
+ * For example, a value of \c 0 for \p tag_may_mask and
+ * \p tag_may_val means that any tag will be considered,
+ * while a value of \c 0xFF for \p tag_may_mask means
+ * that all tags with value different from \p tag_may_val
+ * will be ignored.
+ * \param cb The callback to trigger for each component
+ * in the ASN.1 SEQUENCE that matches \p tag_may_val.
+ * The callback function is called with the following
+ * parameters:
+ * - \p ctx.
+ * - The tag of the current element.
+ * - A pointer to the start of the current element's
+ * content inside the input.
+ * - The length of the content of the current element.
+ * If the callback returns a non-zero value,
+ * the function stops immediately,
+ * forwarding the callback's return value.
+ * \param ctx The context to be passed to the callback \p cb.
+ *
+ * \return \c 0 if successful the entire ASN.1 SEQUENCE
+ * was traversed without parsing or callback errors.
+ * \return #MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the input
+ * contains extra data after a valid SEQUENCE
+ * of elements with an accepted tag.
+ * \return #MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the input starts
+ * with an ASN.1 SEQUENCE in which an element has a tag
+ * that is not accepted.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 SEQUENCE.
+ * \return A non-zero error code forwarded from the callback
+ * \p cb in case the latter returns a non-zero value.
+ */
+int mbedtls_asn1_traverse_sequence_of(
+ unsigned char **p,
+ const unsigned char *end,
+ unsigned char tag_must_mask, unsigned char tag_must_val,
+ unsigned char tag_may_mask, unsigned char tag_may_val,
+ int (*cb)(void *ctx, int tag,
+ unsigned char *start, size_t len),
+ void *ctx);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Retrieve an integer ASN.1 tag and its value.
+ * Updates the pointer to immediately behind the full tag.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the ASN.1 element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param X On success, the parsed value.
+ *
+ * \return 0 if successful.
+ * \return An ASN.1 error code if the input does not start with
+ * a valid ASN.1 INTEGER.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_LENGTH if the parsed value does
+ * not fit in an \c int.
+ * \return An MPI error code if the parsed value is too large.
+ */
+int mbedtls_asn1_get_mpi(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_mpi *X);
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief Retrieve an AlgorithmIdentifier ASN.1 sequence.
+ * Updates the pointer to immediately behind the full
+ * AlgorithmIdentifier.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the AlgorithmIdentifier element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param alg The buffer to receive the OID.
+ * \param params The buffer to receive the parameters.
+ * This is zeroized if there are no parameters.
+ *
+ * \return 0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params);
+
+/**
+ * \brief Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no
+ * params.
+ * Updates the pointer to immediately behind the full
+ * AlgorithmIdentifier.
+ *
+ * \param p On entry, \c *p points to the start of the ASN.1 element.
+ * On successful completion, \c *p points to the first byte
+ * beyond the AlgorithmIdentifier element.
+ * On error, the value of \c *p is undefined.
+ * \param end End of data.
+ * \param alg The buffer to receive the OID.
+ *
+ * \return 0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg_null(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg);
+
+/**
+ * \brief Find a specific named_data entry in a sequence or list based on
+ * the OID.
+ *
+ * \param list The list to seek through
+ * \param oid The OID to look for
+ * \param len Size of the OID
+ *
+ * \return NULL if not found, or a pointer to the existing entry.
+ */
+const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
+ const char *oid, size_t len);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief Free a mbedtls_asn1_named_data entry
+ *
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ * Please use mbedtls_asn1_free_named_data_list()
+ * or mbedtls_asn1_free_named_data_list_shallow().
+ *
+ * \param entry The named data entry to free.
+ * This function calls mbedtls_free() on
+ * `entry->oid.p` and `entry->val.p`.
+ */
+void MBEDTLS_DEPRECATED mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *entry);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief Free all entries in a mbedtls_asn1_named_data list.
+ *
+ * \param head Pointer to the head of the list of named data entries to free.
+ * This function calls mbedtls_free() on
+ * `entry->oid.p` and `entry->val.p` and then on `entry`
+ * for each list entry, and sets \c *head to \c NULL.
+ */
+void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head);
+
+/**
+ * \brief Free all shallow entries in a mbedtls_asn1_named_data list,
+ * but do not free internal pointer targets.
+ *
+ * \param name Head of the list of named data entries to free.
+ * This function calls mbedtls_free() on each list element.
+ */
+void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name);
+
+/** \} name Functions to parse ASN.1 data structures */
+/** \} addtogroup asn1_module */
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* asn1.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1write.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1write.h
new file mode 100644
index 0000000..0c5a85a
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/asn1write.h
@@ -0,0 +1,390 @@
+/**
+ * \file asn1write.h
+ *
+ * \brief ASN.1 buffer writing functionality
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ASN1_WRITE_H
+#define MBEDTLS_ASN1_WRITE_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/asn1.h"
+
+#define MBEDTLS_ASN1_CHK_ADD(g, f) \
+ do \
+ { \
+ if ((ret = (f)) < 0) \
+ return ret; \
+ else \
+ (g) += ret; \
+ } while (0)
+
+#define MBEDTLS_ASN1_CHK_CLEANUP_ADD(g, f) \
+ do \
+ { \
+ if ((ret = (f)) < 0) \
+ goto cleanup; \
+ else \
+ (g) += ret; \
+ } while (0)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+/**
+ * \brief Write a length field in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param len The length value to write.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start,
+ size_t len);
+/**
+ * \brief Write an ASN.1 tag in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param tag The tag to write.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
+ unsigned char tag);
+#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+/**
+ * \brief Write raw buffer data.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The data buffer to write.
+ * \param size The length of the data buffer.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Write an arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param X The MPI to write.
+ * It must be non-negative.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start,
+ const mbedtls_mpi *X);
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start);
+
+/**
+ * \brief Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param oid The OID to write.
+ * \param oid_len The length of the OID.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len);
+
+/**
+ * \brief Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param oid The OID of the algorithm to write.
+ * \param oid_len The length of the algorithm's OID.
+ * \param par_len The length of the parameters, which must be already written.
+ * If 0, NULL parameters are added
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
+ const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len);
+
+/**
+ * \brief Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param oid The OID of the algorithm to write.
+ * \param oid_len The length of the algorithm's OID.
+ * \param par_len The length of the parameters, which must be already written.
+ * \param has_par If there are any parameters. If 0, par_len must be 0. If 1
+ * and \p par_len is 0, NULL parameters are added.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p,
+ const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len, int has_par);
+
+/**
+ * \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param boolean The boolean value to write, either \c 0 or \c 1.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start,
+ int boolean);
+
+/**
+ * \brief Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param val The integer value to write.
+ * It must be non-negative.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val);
+
+/**
+ * \brief Write an enum tag (#MBEDTLS_ASN1_ENUMERATED) and value
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param val The integer value to write.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val);
+
+/**
+ * \brief Write a string in ASN.1 format using a specific
+ * string encoding tag.
+
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param tag The string encoding tag to write, e.g.
+ * #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start,
+ int tag, const char *text,
+ size_t text_len);
+
+/**
+ * \brief Write a string in ASN.1 format using the PrintableString
+ * string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string(unsigned char **p,
+ const unsigned char *start,
+ const char *text, size_t text_len);
+
+/**
+ * \brief Write a UTF8 string in ASN.1 format using the UTF8String
+ * string encoding tag (#MBEDTLS_ASN1_UTF8_STRING).
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len);
+
+/**
+ * \brief Write a string in ASN.1 format using the IA5String
+ * string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len);
+
+/**
+ * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ * value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The bitstring to write.
+ * \param bits The total number of bits in the bitstring.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t bits);
+
+/**
+ * \brief This function writes a named bitstring tag
+ * (#MBEDTLS_ASN1_BIT_STRING) and value in ASN.1 format.
+ *
+ * As stated in RFC 5280 Appendix B, trailing zeroes are
+ * omitted when encoding named bitstrings in DER.
+ *
+ * \note This function works backwards within the data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer which is used for bounds-checking.
+ * \param buf The bitstring to write.
+ * \param bits The total number of bits in the bitstring.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_named_bitstring(unsigned char **p,
+ const unsigned char *start,
+ const unsigned char *buf,
+ size_t bits);
+
+/**
+ * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ * and value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The buffer holding the data to write.
+ * \param size The length of the data buffer \p buf.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size);
+
+/**
+ * \brief Create or find a specific named_data entry for writing in a
+ * sequence or list based on the OID. If not already in there,
+ * a new entry is added to the head of the list.
+ * Warning: Destructive behaviour for the val data!
+ *
+ * \param list The pointer to the location of the head of the list to seek
+ * through (will be updated in case of a new entry).
+ * \param oid The OID to look for.
+ * \param oid_len The size of the OID.
+ * \param val The associated data to store. If this is \c NULL,
+ * no data is copied to the new or existing buffer.
+ * \param val_len The minimum length of the data buffer needed.
+ * If this is 0, do not allocate a buffer for the associated
+ * data.
+ * If the OID was already present, enlarge, shrink or free
+ * the existing buffer to fit \p val_len.
+ *
+ * \return A pointer to the new / existing entry on success.
+ * \return \c NULL if there was a memory allocation error.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data **list,
+ const char *oid, size_t oid_len,
+ const unsigned char *val,
+ size_t val_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_ASN1_WRITE_C */
+
+#endif /* MBEDTLS_ASN1_WRITE_H */
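Review bot: The `extern "C" {` near the top of asn1write.h is opened unconditionally, but its closing `}` sits inside the `#if defined(MBEDTLS_ASN1_WRITE_C)` region, just before `#endif /* MBEDTLS_ASN1_WRITE_C */`. A C++ translation unit that includes this header without MBEDTLS_ASN1_WRITE_C defined would be left with an unclosed linkage block. The header anticipates that configuration, since it exposes mbedtls_asn1_write_len() and mbedtls_asn1_write_tag() under MBEDTLS_X509_USE_C or MBEDTLS_PSA_UTIL_HAVE_ECDSA alone. Move `#endif /* MBEDTLS_ASN1_WRITE_C */` above the closing `#ifdef __cplusplus` / `}` / `#endif` lines, as asn1.h in this same commit does for `#endif /* MBEDTLS_ASN1_PARSE_C */`. Separately, MBEDTLS_ASN1_CHK_ADD and MBEDTLS_ASN1_CHK_CLEANUP_ADD rely on a caller-declared `ret` (and a `cleanup` label) and leave the calling function on error, which warrants a comment such as `/* Requires an int ret in scope; returns from (or jumps to cleanup in) the caller when f fails. */`.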
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/base64.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/base64.h
new file mode 100644
index 0000000..8f459b7
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/base64.h
@@ -0,0 +1,82 @@
+/**
+ * \file base64.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BASE64_H
+#define MBEDTLS_BASE64_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+/** Output buffer too small. */
+#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A
+/** Invalid character in input. */
+#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER -0x002C
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Encode a buffer into base64 format
+ *
+ * \param dst destination buffer
+ * \param dlen size of the destination buffer
+ * \param olen number of bytes written
+ * \param src source buffer
+ * \param slen amount of data to be encoded
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
+ * *olen is always updated to reflect the amount
+ * of data that has (or would have) been written.
+ * If that length cannot be represented, then no data is
+ * written to the buffer and *olen is set to the maximum
+ * length representable as a size_t.
+ *
+ * \note Call this function with dlen = 0 to obtain the
+ * required buffer size in *olen
+ */
+int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen);
+
+/**
+ * \brief Decode a base64-formatted buffer
+ *
+ * \param dst destination buffer (can be NULL for checking size)
+ * \param dlen size of the destination buffer
+ * \param olen number of bytes written
+ * \param src source buffer
+ * \param slen amount of data to be decoded
+ *
+ * \return 0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
+ * MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
+ * not correct. *olen is always updated to reflect the amount
+ * of data that has (or would have) been written.
+ *
+ * \note Call this function with *dst = NULL or dlen = 0 to obtain
+ * the required buffer size in *olen
+ */
+int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_base64_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* base64.h */
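Review bot: The `\note` on `mbedtls_base64_decode` tells callers to pass `*dst = NULL`, but `dst` is an `unsigned char *` and its `\param` line says the pointer itself may be NULL, so the note should read `Call this function with dst = NULL or dlen = 0 to obtain the required buffer size in *olen`. Neither size-query note (encode or decode) states which value the function returns in that case; if it is `MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL`, as the `\return` text suggests, saying so explicitly would keep callers from treating the sizing call as a failure, or from ignoring the return code on the real call and using a partially filled buffer. `mbedtls_base64_self_test` also lacks a `\param verbose` line, e.g. `\param verbose 0 for silent operation, non-zero to print progress` (meaning inferred from the name, to be confirmed against the implementation).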
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
new file mode 100644
index 0000000..71d7b97
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
@@ -0,0 +1,1084 @@
+/**
+ * \file bignum.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BIGNUM_H
+#define MBEDTLS_BIGNUM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/** An error occurred while reading from or writing to a file. */
+#define MBEDTLS_ERR_MPI_FILE_IO_ERROR -0x0002
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA -0x0004
+/** There is an invalid character in the digit string. */
+#define MBEDTLS_ERR_MPI_INVALID_CHARACTER -0x0006
+/** The buffer is too small to write to. */
+#define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL -0x0008
+/** The input arguments are negative or result in illegal output. */
+#define MBEDTLS_ERR_MPI_NEGATIVE_VALUE -0x000A
+/** The input argument for division is zero, which is not allowed. */
+#define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO -0x000C
+/** The input arguments are not acceptable. */
+#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE -0x000E
+/** Memory allocation failed. */
+#define MBEDTLS_ERR_MPI_ALLOC_FAILED -0x0010
+
+#define MBEDTLS_MPI_CHK(f) \
+ do \
+ { \
+ if ((ret = (f)) != 0) \
+ goto cleanup; \
+ } while (0)
+
+/*
+ * Maximum size MPIs are allowed to grow to in number of limbs.
+ */
+#define MBEDTLS_MPI_MAX_LIMBS 10000
+
+#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
+/*
+ * Maximum window size used for modular exponentiation. Default: 3
+ * Minimum value: 1. Maximum value: 6.
+ *
+ * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * for the sliding window calculation. (So 8 by default)
+ *
+ * Reduction in size, reduces speed.
+ */
+#define MBEDTLS_MPI_WINDOW_SIZE 3 /**< Maximum window size used. */
+#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_MPI_MAX_SIZE)
+/*
+ * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
+ * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
+ *
+ * Note: Calculations can temporarily result in larger MPIs. So the number
+ * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher.
+ */
+#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
+#endif /* !MBEDTLS_MPI_MAX_SIZE */
+
+#define MBEDTLS_MPI_MAX_BITS (8 * MBEDTLS_MPI_MAX_SIZE) /**< Maximum number of bits for usable MPIs. */
+
+/*
+ * When reading from files with mbedtls_mpi_read_file() and writing to files with
+ * mbedtls_mpi_write_file() the buffer should have space
+ * for a (short) label, the MPI (in the provided radix), the newline
+ * characters and the '\0'.
+ *
+ * By default we assume at least a 10 char label, a minimum radix of 10
+ * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
+ * Autosized at compile time for at least a 10 char label, a minimum radix
+ * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size.
+ *
+ * This used to be statically sized to 1250 for a maximum of 4096 bit
+ * numbers (1234 decimal chars).
+ *
+ * Calculate using the formula:
+ * MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) +
+ * LabelSize + 6
+ */
+#define MBEDTLS_MPI_MAX_BITS_SCALE100 (100 * MBEDTLS_MPI_MAX_BITS)
+#define MBEDTLS_LN_2_DIV_LN_10_SCALE100 332
+#define MBEDTLS_MPI_RW_BUFFER_SIZE (((MBEDTLS_MPI_MAX_BITS_SCALE100 + \
+ MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / \
+ MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6)
+
+/*
+ * Define the base integer type, architecture-wise.
+ *
+ * 32 or 64-bit integer types can be forced regardless of the underlying
+ * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64
+ * respectively and undefining MBEDTLS_HAVE_ASM.
+ *
+ * Double-width integers (e.g. 128-bit in 64-bit architectures) can be
+ * disabled by defining MBEDTLS_NO_UDBL_DIVISION.
+ */
+#if !defined(MBEDTLS_HAVE_INT32)
+ #if defined(_MSC_VER) && defined(_M_AMD64)
+/* Always choose 64-bit when using MSC */
+ #if !defined(MBEDTLS_HAVE_INT64)
+ #define MBEDTLS_HAVE_INT64
+ #endif /* !MBEDTLS_HAVE_INT64 */
+typedef int64_t mbedtls_mpi_sint;
+typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
+ #elif defined(__GNUC__) && ( \
+ defined(__amd64__) || defined(__x86_64__) || \
+ defined(__ppc64__) || defined(__powerpc64__) || \
+ defined(__ia64__) || defined(__alpha__) || \
+ (defined(__sparc__) && defined(__arch64__)) || \
+ defined(__s390x__) || defined(__mips64) || \
+ defined(__aarch64__))
+ #if !defined(MBEDTLS_HAVE_INT64)
+ #define MBEDTLS_HAVE_INT64
+ #endif /* MBEDTLS_HAVE_INT64 */
+typedef int64_t mbedtls_mpi_sint;
+typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
+ #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+/* mbedtls_t_udbl defined as 128-bit unsigned int */
+typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
+ #define MBEDTLS_HAVE_UDBL
+ #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+ #elif defined(__ARMCC_VERSION) && defined(__aarch64__)
+/*
+ * __ARMCC_VERSION is defined for both armcc and armclang and
+ * __aarch64__ is only defined by armclang when compiling 64-bit code
+ */
+ #if !defined(MBEDTLS_HAVE_INT64)
+ #define MBEDTLS_HAVE_INT64
+ #endif /* !MBEDTLS_HAVE_INT64 */
+typedef int64_t mbedtls_mpi_sint;
+typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
+ #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+/* mbedtls_t_udbl defined as 128-bit unsigned int */
+typedef __uint128_t mbedtls_t_udbl;
+ #define MBEDTLS_HAVE_UDBL
+ #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+ #elif defined(MBEDTLS_HAVE_INT64)
+/* Force 64-bit integers with unknown compiler */
+typedef int64_t mbedtls_mpi_sint;
+typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX UINT64_MAX
+ #endif
+#endif /* !MBEDTLS_HAVE_INT32 */
+
+#if !defined(MBEDTLS_HAVE_INT64)
+/* Default to 32-bit compilation */
+ #if !defined(MBEDTLS_HAVE_INT32)
+ #define MBEDTLS_HAVE_INT32
+ #endif /* !MBEDTLS_HAVE_INT32 */
+typedef int32_t mbedtls_mpi_sint;
+typedef uint32_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX UINT32_MAX
+ #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+typedef uint64_t mbedtls_t_udbl;
+ #define MBEDTLS_HAVE_UDBL
+ #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+#endif /* !MBEDTLS_HAVE_INT64 */
+
+/*
+ * Sanity check that exactly one of MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64 is defined,
+ * so that code elsewhere doesn't have to check.
+ */
+#if (!(defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64))) || \
+ (defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64))
+#error "Only 32-bit or 64-bit limbs are supported in bignum"
+#endif
+
+/** \typedef mbedtls_mpi_uint
+ * \brief The type of machine digits in a bignum, called _limbs_.
+ *
+ * This is always an unsigned integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
+/** \typedef mbedtls_mpi_sint
+ * \brief The signed type corresponding to #mbedtls_mpi_uint.
+ *
+ * This is always an signed integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief MPI structure
+ */
+typedef struct mbedtls_mpi {
+ /** Pointer to limbs.
+ *
+ * This may be \c NULL if \c n is 0.
+ */
+ mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);
+
+ /** Sign: -1 if the mpi is negative, 1 otherwise.
+ *
+ * The number 0 must be represented with `s = +1`. Although many library
+ * functions treat all-limbs-zero as equivalent to a valid representation
+ * of 0 regardless of the sign bit, there are exceptions, so bignum
+ * functions and external callers must always set \c s to +1 for the
+ * number zero.
+ *
+ * Note that this implies that calloc() or `... = {0}` does not create
+ * a valid MPI representation. You must call mbedtls_mpi_init().
+ */
+ signed short MBEDTLS_PRIVATE(s);
+
+ /** Total number of limbs in \c p. */
+ unsigned short MBEDTLS_PRIVATE(n);
+ /* Make sure that MBEDTLS_MPI_MAX_LIMBS fits in n.
+ * Use the same limit value on all platforms so that we don't have to
+ * think about different behavior on the rare platforms where
+ * unsigned short can store values larger than the minimum required by
+ * the C language, which is 65535.
+ */
+#if MBEDTLS_MPI_MAX_LIMBS > 65535
+#error "MBEDTLS_MPI_MAX_LIMBS > 65535 is not supported"
+#endif
+}
+mbedtls_mpi;
+
+/**
+ * \brief Initialize an MPI context.
+ *
+ * This makes the MPI ready to be set or freed,
+ * but does not define a value for the MPI.
+ *
+ * \param X The MPI context to initialize. This must not be \c NULL.
+ */
+void mbedtls_mpi_init(mbedtls_mpi *X);
+
+/**
+ * \brief This function frees the components of an MPI context.
+ *
+ * \param X The MPI context to be cleared. This may be \c NULL,
+ * in which case this function is a no-op. If it is
+ * not \c NULL, it must point to an initialized MPI.
+ */
+void mbedtls_mpi_free(mbedtls_mpi *X);
+
+/**
+ * \brief Enlarge an MPI to the specified number of limbs.
+ *
+ * \note This function does nothing if the MPI is
+ * already large enough.
+ *
+ * \param X The MPI to grow. It must be initialized.
+ * \param nblimbs The target number of limbs.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs);
+
+/**
+ * \brief This function resizes an MPI downwards, keeping at least the
+ * specified number of limbs.
+ *
+ * If \c X is smaller than \c nblimbs, it is resized up
+ * instead.
+ *
+ * \param X The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs The minimum number of limbs to keep.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * (this can only happen when resizing up).
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs);
+
+/**
+ * \brief Make a copy of an MPI.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param Y The source MPI. This must point to an initialized MPI.
+ *
+ * \note The limb-buffer in the destination MPI is enlarged
+ * if necessary to hold the value in the source MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y);
+
+/**
+ * \brief Swap the contents of two MPIs.
+ *
+ * \param X The first MPI. It must be initialized.
+ * \param Y The second MPI. It must be initialized.
+ */
+void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y);
+
+/**
+ * \brief Perform a safe conditional copy of MPI which doesn't
+ * reveal whether the condition was true or not.
+ *
+ * \param X The MPI to conditionally assign to. This must point
+ * to an initialized MPI.
+ * \param Y The MPI to be assigned from. This must point to an
+ * initialized MPI.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Must be either 0 or 1:
+ * * \c 1: Perform the assignment `X = Y`.
+ * * \c 0: Keep the original value of \p X.
+ *
+ * \note This function is equivalent to
+ * `if( assign ) mbedtls_mpi_copy( X, Y );`
+ * except that it avoids leaking any information about whether
+ * the assignment was done or not (the above code may leak
+ * information through branch prediction and/or memory access
+ * patterns analysis).
+ *
+ * \warning If \p assign is neither 0 nor 1, the result of this function
+ * is indeterminate, and the resulting value in \p X might be
+ * neither its original value nor the value in \p Y.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign);
+
+/**
+ * \brief Perform a safe conditional swap which doesn't
+ * reveal whether the condition was true or not.
+ *
+ * \param X The first MPI. This must be initialized.
+ * \param Y The second MPI. This must be initialized.
+ * \param swap The condition deciding whether to perform
+ * the swap or not. Must be either 0 or 1:
+ * * \c 1: Swap the values of \p X and \p Y.
+ * * \c 0: Keep the original values of \p X and \p Y.
+ *
+ * \note This function is equivalent to
+ * if( swap ) mbedtls_mpi_swap( X, Y );
+ * except that it avoids leaking any information about whether
+ * the swap was done or not (the above code may leak
+ * information through branch prediction and/or memory access
+ * patterns analysis).
+ *
+ * \warning If \p swap is neither 0 nor 1, the result of this function
+ * is indeterminate, and both \p X and \p Y might end up with
+ * values different to either of the original ones.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ *
+ */
+int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap);
+
+/**
+ * \brief Store integer value in MPI.
+ *
+ * \param X The MPI to set. This must be initialized.
+ * \param z The value to use.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z);
+
+/**
+ * \brief Get a specific bit from an MPI.
+ *
+ * \param X The MPI to query. This must be initialized.
+ * \param pos Zero-based index of the bit to query.
+ *
+ * \return \c 0 or \c 1 on success, depending on whether bit \c pos
+ * of \c X is unset or set.
+ * \return A negative error code on failure.
+ */
+int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos);
+
+/**
+ * \brief Modify a specific bit in an MPI.
+ *
+ * \note This function will grow the target MPI if necessary to set a
+ * bit to \c 1 in a not yet existing limb. It will not grow if
+ * the bit should be set to \c 0.
+ *
+ * \param X The MPI to modify. This must be initialized.
+ * \param pos Zero-based index of the bit to modify.
+ * \param val The desired value of bit \c pos: \c 0 or \c 1.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val);
+
+/**
+ * \brief Return the number of bits of value \c 0 before the
+ * least significant bit of value \c 1.
+ *
+ * \note This is the same as the zero-based index of
+ * the least significant bit of value \c 1.
+ *
+ * \param X The MPI to query.
+ *
+ * \return The number of bits of value \c 0 before the least significant
+ * bit of value \c 1 in \p X.
+ */
+size_t mbedtls_mpi_lsb(const mbedtls_mpi *X);
+
+/**
+ * \brief Return the number of bits up to and including the most
+ * significant bit of value \c 1.
+ *
+ * * \note This is same as the one-based index of the most
+ * significant bit of value \c 1.
+ *
+ * \param X The MPI to query. This must point to an initialized MPI.
+ *
+ * \return The number of bits up to and including the most
+ * significant bit of value \c 1.
+ */
+size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X);
+
+/**
+ * \brief Return the total size of an MPI value in bytes.
+ *
+ * \param X The MPI to use. This must point to an initialized MPI.
+ *
+ * \note The value returned by this function may be less than
+ * the number of bytes used to store \p X internally.
+ * This happens if and only if there are trailing bytes
+ * of value zero.
+ *
+ * \return The least number of bytes capable of storing
+ * the absolute value of \p X.
+ */
+size_t mbedtls_mpi_size(const mbedtls_mpi *X);
+
+/**
+ * \brief Import an MPI from an ASCII string.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the input string.
+ * \param s Null-terminated string buffer.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s);
+
+/**
+ * \brief Export an MPI to an ASCII string.
+ *
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the output string.
+ * \param buf The buffer to write the string to. This must be writable
+ * buffer of length \p buflen Bytes.
+ * \param buflen The available size in Bytes of \p buf.
+ * \param olen The address at which to store the length of the string
+ * written, including the final \c NULL byte. This must
+ * not be \c NULL.
+ *
+ * \note You can call this function with `buflen == 0` to obtain the
+ * minimum required buffer size in `*olen`.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ * is too small to hold the value of \p X in the desired base.
+ * In this case, `*olen` is nonetheless updated to contain the
+ * size of \p buf required for a successful call.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
+ char *buf, size_t buflen, size_t *olen);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief Read an MPI from a line in an opened file.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the string representation used
+ * in the source line.
+ * \param fin The input file handle to use. This must not be \c NULL.
+ *
+ * \note On success, this function advances the file stream
+ * to the end of the current line or to EOF.
+ *
+ * The function returns \c 0 on an empty line.
+ *
+ * Leading whitespaces are ignored, as is a
+ * '0x' prefix for radix \c 16.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ * is too small.
+ * \return Another negative error code on failure.
+ */
+int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin);
+
+/**
+ * \brief Export an MPI into an opened file.
+ *
+ * \param p A string prefix to emit prior to the MPI data.
+ * For example, this might be a label, or "0x" when
+ * printing in base \c 16. This may be \c NULL if no prefix
+ * is needed.
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param radix The numeric base to be used in the emitted string.
+ * \param fout The output file handle. This may be \c NULL, in which case
+ * the output is written to \c stdout.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X,
+ int radix, FILE *fout);
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief Import an MPI from unsigned big endian binary data.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param buf The input buffer. This must be a readable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The length of the input buffer \p buf in Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf,
+ size_t buflen);
+
+/**
+ * \brief Import X from unsigned binary data, little endian
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param buf The input buffer. This must be a readable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The length of the input buffer \p buf in Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
+ const unsigned char *buf, size_t buflen);
+
+/**
+ * \brief Export X into unsigned binary data, big endian.
+ * Always fills the whole buffer, which will start with zeros
+ * if the number is smaller.
+ *
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param buf The output buffer. This must be a writable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The size of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p X.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf,
+ size_t buflen);
+
+/**
+ * \brief Export X into unsigned binary data, little endian.
+ * Always fills the whole buffer, which will end with zeros
+ * if the number is smaller.
+ *
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param buf The output buffer. This must be a writable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The size of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p X.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
+ unsigned char *buf, size_t buflen);
+
+/**
+ * \brief Perform a left-shift on an MPI: X <<= count
+ *
+ * \param X The MPI to shift. This must point to an initialized MPI.
+ * The MPI pointed by \p X may be resized to fit
+ * the resulting number.
+ * \param count The number of bits to shift by.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count);
+
+/**
+ * \brief Perform a right-shift on an MPI: X >>= count
+ *
+ * \param X The MPI to shift. This must point to an initialized MPI.
+ * \param count The number of bits to shift by.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count);
+
+/**
+ * \brief Compare the absolute values of two MPIs.
+ *
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param Y The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return \c 1 if `|X|` is greater than `|Y|`.
+ * \return \c -1 if `|X|` is lesser than `|Y|`.
+ * \return \c 0 if `|X|` is equal to `|Y|`.
+ */
+int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y);
+
+/**
+ * \brief Compare two MPIs.
+ *
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param Y The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return \c 1 if \p X is greater than \p Y.
+ * \return \c -1 if \p X is lesser than \p Y.
+ * \return \c 0 if \p X is equal to \p Y.
+ */
+int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y);
+
+/**
+ * \brief Check if an MPI is less than the other in constant time.
+ *
+ * \param X The left-hand MPI. This must point to an initialized MPI
+ * with the same allocated length as Y.
+ * \param Y The right-hand MPI. This must point to an initialized MPI
+ * with the same allocated length as X.
+ * \param ret The result of the comparison:
+ * \c 1 if \p X is less than \p Y.
+ * \c 0 if \p X is greater than or equal to \p Y.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
+ * the two input MPIs is not the same.
+ */
+int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X, const mbedtls_mpi *Y,
+ unsigned *ret);
+
+/**
+ * \brief Compare an MPI with an integer.
+ *
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param z The integer value to compare \p X to.
+ *
+ * \return \c 1 if \p X is greater than \p z.
+ * \return \c -1 if \p X is lesser than \p z.
+ * \return \c 0 if \p X is equal to \p z.
+ */
+int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z);
+
+/**
+ * \brief Perform an unsigned addition of MPIs: X = |A| + |B|
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param B The second summand. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform an unsigned subtraction of MPIs: X = |A| - |B|
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param B The subtrahend. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a signed addition of MPIs: X = A + B
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param B The second summand. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a signed subtraction of MPIs: X = A - B
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param B The subtrahend. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a signed addition of an MPI and an integer: X = A + b
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param b The second summand.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b);
+
+/**
+ * \brief Perform a signed subtraction of an MPI and an integer:
+ * X = A - b
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param b The subtrahend.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b);
+
+/**
+ * \brief Perform a multiplication of two MPIs: X = A * B
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first factor. This must point to an initialized MPI.
+ * \param B The second factor. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a multiplication of an MPI with an unsigned integer:
+ * X = A * b
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first factor. This must point to an initialized MPI.
+ * \param b The second factor.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_uint b);
+
+/**
+ * \brief Perform a division with remainder of two MPIs:
+ * A = Q * B + R
+ *
+ * \param Q The destination MPI for the quotient.
+ * This may be \c NULL if the value of the
+ * quotient is not needed. This must not alias A or B.
+ * \param R The destination MPI for the remainder value.
+ * This may be \c NULL if the value of the
+ * remainder is not needed. This must not alias A or B.
+ * \param A The dividend. This must point to an initialized MPI.
+ * \param B The divisor. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a division with remainder of an MPI by an integer:
+ * A = Q * b + R
+ *
+ * \param Q The destination MPI for the quotient.
+ * This may be \c NULL if the value of the
+ * quotient is not needed. This must not alias A.
+ * \param R The destination MPI for the remainder value.
+ * This may be \c NULL if the value of the
+ * remainder is not needed. This must not alias A.
+ * \param A The dividend. This must point to an initialized MPi.
+ * \param b The divisor.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b);
+
+/**
+ * \brief Perform a modular reduction. R = A mod B
+ *
+ * \param R The destination MPI for the residue value.
+ * This must point to an initialized MPI.
+ * \param A The MPI to compute the residue of.
+ * This must point to an initialized MPI.
+ * \param B The base of the modular reduction.
+ * This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Perform a modular reduction with respect to an integer.
+ * r = A mod b
+ *
+ * \param r The address at which to store the residue.
+ * This must not be \c NULL.
+ * \param A The MPI to compute the residue of.
+ * This must point to an initialized MPi.
+ * \param b The integer base of the modular reduction.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b);
+
+/**
+ * \brief Perform a sliding-window exponentiation: X = A^E mod N
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * This must not alias E or N.
+ * \param A The base of the exponentiation.
+ * This must point to an initialized MPI.
+ * \param E The exponent MPI. This must point to an initialized MPI.
+ * \param N The base for the modular reduction. This must point to an
+ * initialized MPI.
+ * \param prec_RR A helper MPI depending solely on \p N which can be used to
+ * speed-up multiple modular exponentiations for the same value
+ * of \p N. This may be \c NULL. If it is not \c NULL, it must
+ * point to an initialized MPI. If it hasn't been used after
+ * the call to mbedtls_mpi_init(), this function will compute
+ * the helper value and store it in \p prec_RR for reuse on
+ * subsequent calls to this function. Otherwise, the function
+ * will assume that \p prec_RR holds the helper value set by a
+ * previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ * even, or if \c E is negative.
+ * \return Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR);
+
+/**
+ * \brief Fill an MPI with a number of random bytes.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param size The number of random bytes to generate.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on failure.
+ *
+ * \note The bytes obtained from the RNG are interpreted
+ * as a big-endian representation of an MPI; this can
+ * be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param min The minimum value to return.
+ * It must be nonnegative.
+ * \param N The upper bound of the range, exclusive.
+ * In other words, this is one plus the maximum value to return.
+ * \p N must be strictly larger than \p min.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p min or \p N is invalid
+ * or if they are incompatible.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ * \return Another negative error code on failure.
+ */
+int mbedtls_mpi_random(mbedtls_mpi *X,
+ mbedtls_mpi_sint min,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Compute the greatest common divisor: G = gcd(A, B)
+ *
+ * \param G The destination MPI. This must point to an initialized MPI.
+ * \param A The first operand. This must point to an initialized MPI.
+ * \param B The second operand. This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
+ const mbedtls_mpi *B);
+
+/**
+ * \brief Compute the modular inverse: X = A^-1 mod N
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The MPI to calculate the modular inverse of. This must point
+ * to an initialized MPI.
+ * \param N The base of the modular inversion. This must point to an
+ * initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ * or equal to one.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p A has no modular
+ * inverse with respect to \p N.
+ */
+int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *N);
+
+/**
+ * \brief Miller-Rabin primality test.
+ *
+ * \warning If \p X is potentially generated by an adversary, for example
+ * when validating cryptographic parameters that you didn't
+ * generate yourself and that are supposed to be prime, then
+ * \p rounds should be at least the half of the security
+ * strength of the cryptographic algorithm. On the other hand,
+ * if \p X is chosen uniformly or non-adversarially (as is the
+ * case when mbedtls_mpi_gen_prime calls this function), then
+ * \p rounds can be much lower.
+ *
+ * \param X The MPI to check for primality.
+ * This must point to an initialized MPI.
+ * \param rounds The number of bases to perform the Miller-Rabin primality
+ * test for. The probability of returning 0 on a composite is
+ * at most 2<sup>-2*\p rounds </sup>.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't use
+ * a context parameter.
+ *
+ * \return \c 0 if successful, i.e. \p X is probably prime.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+ MBEDTLS_MPI_GEN_PRIME_FLAG_DH = 0x0001, /**< (X-1)/2 is prime too */
+ MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
+
+/**
+ * \brief Generate a prime number.
+ *
+ * \param X The destination MPI to store the generated prime in.
+ * This must point to an initialized MPi.
+ * \param nbits The required size of the destination MPI in bits.
+ * This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't use
+ * a context parameter.
+ *
+ * \return \c 0 if successful, in which case \p X holds a
+ * probably prime number.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ * \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ */
+int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_mpi_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* bignum.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/block_cipher.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/block_cipher.h
new file mode 100644
index 0000000..3f60f6f
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/block_cipher.h
@@ -0,0 +1,76 @@
+/**
+ * \file block_cipher.h
+ *
+ * \brief Internal abstraction layer.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BLOCK_CIPHER_H
+#define MBEDTLS_BLOCK_CIPHER_H
+
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include "psa/crypto_types.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+ MBEDTLS_BLOCK_CIPHER_ID_NONE = 0, /**< Unset. */
+ MBEDTLS_BLOCK_CIPHER_ID_AES, /**< The AES cipher. */
+ MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
+ MBEDTLS_BLOCK_CIPHER_ID_ARIA, /**< The Aria cipher. */
+} mbedtls_block_cipher_id_t;
+
+/**
+ * Used internally to indicate whether a context uses legacy or PSA.
+ *
+ * Internal use only.
+ */
+typedef enum {
+ MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY = 0,
+ MBEDTLS_BLOCK_CIPHER_ENGINE_PSA,
+} mbedtls_block_cipher_engine_t;
+
+typedef struct {
+ mbedtls_block_cipher_id_t MBEDTLS_PRIVATE(id);
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ mbedtls_block_cipher_engine_t MBEDTLS_PRIVATE(engine);
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psa_key_id);
+#endif
+ union {
+ unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_context MBEDTLS_PRIVATE(aes);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ mbedtls_aria_context MBEDTLS_PRIVATE(aria);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ mbedtls_camellia_context MBEDTLS_PRIVATE(camellia);
+#endif
+ } MBEDTLS_PRIVATE(ctx);
+} mbedtls_block_cipher_context_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_BLOCK_CIPHER_H */
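Review bot: `mbedtls_block_cipher_context_t` is added with no doc comment, although a reader has to infer which member is live: under `MBEDTLS_BLOCK_CIPHER_SOME_PSA` the struct carries both `psa_key_id` and the `ctx` union, and `engine` presumably selects between them. Once that is confirmed against the implementation, which is not in this hunk, I would add above the typedef something like `/** Block cipher context: id names the active member of ctx; in PSA-enabled builds engine says whether ctx or psa_key_id is in use. */`. The union members are the legacy AES/ARIA/Camellia contexts, and camellia.h in this same commit documents its `rk` field as round keys, so the comment should also state that a context holds key material and must be released through the module's free routine (not declared in this header) rather than simply dropped. `mbedtls_block_cipher_id_t` has per-value comments but no summary line, and the file-level `\brief Internal abstraction layer.` does not say what is being abstracted.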
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/camellia.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/camellia.h
new file mode 100644
index 0000000..557f472
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/camellia.h
@@ -0,0 +1,305 @@
+/**
+ * \file camellia.h
+ *
+ * \brief Camellia block cipher
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_CAMELLIA_H
+#define MBEDTLS_CAMELLIA_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "mbedtls/platform_util.h"
+
+#define MBEDTLS_CAMELLIA_ENCRYPT 1
+#define MBEDTLS_CAMELLIA_DECRYPT 0
+
+/** Bad input data. */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024
+
+/** Invalid data input length. */
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief CAMELLIA context structure
+ */
+typedef struct mbedtls_camellia_context {
+ int MBEDTLS_PRIVATE(nr); /*!< number of rounds */
+ uint32_t MBEDTLS_PRIVATE(rk)[68]; /*!< CAMELLIA round keys */
+}
+mbedtls_camellia_context;
+
+#else /* MBEDTLS_CAMELLIA_ALT */
+#include "camellia_alt.h"
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
+/**
+ * \brief Initialize a CAMELLIA context.
+ *
+ * \param ctx The CAMELLIA context to be initialized.
+ * This must not be \c NULL.
+ */
+void mbedtls_camellia_init(mbedtls_camellia_context *ctx);
+
+/**
+ * \brief Clear a CAMELLIA context.
+ *
+ * \param ctx The CAMELLIA context to be cleared. This may be \c NULL,
+ * in which case this function returns immediately. If it is not
+ * \c NULL, it must be initialized.
+ */
+void mbedtls_camellia_free(mbedtls_camellia_context *ctx);
+
+/**
+ * \brief Perform a CAMELLIA key schedule operation for encryption.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized.
+ * \param key The encryption key to use. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The length of \p key in Bits. This must be either \c 128,
+ * \c 192 or \c 256.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Perform a CAMELLIA key schedule operation for decryption.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized.
+ * \param key The decryption key. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The length of \p key in Bits. This must be either \c 128,
+ * \c 192 or \c 256.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief Perform a CAMELLIA-ECB block encryption/decryption operation.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input The input block. This must be a readable buffer
+ * of size \c 16 Bytes.
+ * \param output The output block. This must be a writable buffer
+ * of size \c 16 Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief Perform a CAMELLIA-CBC buffer encryption/decryption operation.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the function same function again on the following
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If on the other hand you need to retain the contents of the
+ * IV, you should either save it manually or use the cipher
+ * module instead.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length The length in Bytes of the input data \p input.
+ * This must be a multiple of \c 16 Bytes.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of length \c 16 Bytes. It is updated to allow streaming
+ * use as explained above.
+ * \param input The buffer holding the input data. This must point to a
+ * readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must point to a
+ * writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ * operation.
+ *
+ * \note Due to the nature of CFB mode, you should use the same
+ * key for both encryption and decryption. In particular, calls
+ * to this function should be preceded by a key-schedule via
+ * mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the function same function again on the following
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If on the other hand you need to retain the contents of the
+ * IV, you should either save it manually or use the cipher
+ * module instead.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length The length of the input data \p input. Any value is allowed.
+ * \param iv_off The current offset in the IV. This must be smaller
+ * than \c 16 Bytes. It is updated after this call to allow
+ * the aforementioned streaming usage.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of length \c 16 Bytes. It is updated after this call to
+ * allow the aforementioned streaming usage.
+ * \param input The buffer holding the input data. This must be a readable
+ * buffer of size \p length Bytes.
+ * \param output The buffer to hold the output data. This must be a writable
+ * buffer of length \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief Perform a CAMELLIA-CTR buffer encryption/decryption operation.
+ *
+ * *note Due to the nature of CTR mode, you should use the same
+ * key for both encryption and decryption. In particular, calls
+ * to this function should be preceded by a key-schedule via
+ * mbedtls_camellia_setkey_enc() regardless of whether the mode
+ * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first \c 12 Bytes for the
+ * per-message nonce, and the last \c 4 Bytes for internal use.
+ * In that case, before calling this function on a new message you
+ * need to set the first \c 12 Bytes of \p nonce_counter to your
+ * chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ * (which will cause \p stream_block to be ignored). That way, you
+ * can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ * each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be
+ * unique. The recommended way to ensure uniqueness is to use a
+ * message counter. An alternative is to generate random nonces,
+ * but this limits the number of messages that can be securely
+ * encrypted: for example, with 96-bit random nonces, you should
+ * not encrypt more than 2**32 messages with the same key.
+ *
+ * Note that for both strategies, sizes are measured in blocks and
+ * that a CAMELLIA block is \c 16 Bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param length The length of the input data \p input in Bytes.
+ * Any value is allowed.
+ * \param nc_off The offset in the current \p stream_block (for resuming
+ * within current cipher stream). The offset pointer to
+ * should be \c 0 at the start of a stream. It is updated
+ * at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ * buffer of length \c 16 Bytes.
+ * \param stream_block The saved stream-block for resuming. This must be a
+ * read/write buffer of length \c 16 Bytes.
+ * \param input The input data stream. This must be a readable buffer of
+ * size \p length Bytes.
+ * \param output The output data stream. This must be a writable buffer
+ * of size \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_camellia_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* camellia.h */
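Review bot: In the comment for `mbedtls_camellia_crypt_ctr`, the paragraph saying CTR must always be keyed with `mbedtls_camellia_setkey_enc()` starts with `*note` instead of `\note`, so Doxygen will not render it as a note and it may read as stray text; the line should be ` * \note          Due to the nature of CTR mode, you should use the same`. In the same comment, "you must not encrypt more than 2**128 blocks of data with the same key" describes the point where the 128-bit counter wraps, not a security margin. I would add a sentence that the keystream of a 128-bit block cipher in CTR mode becomes distinguishable from random well before that, at around 2**64 blocks, so the data volume per key should stay far below the counter limit. The CBC and CFB128 notes both contain the duplicated wording "call the function same function again", which should read "call the same function again". The comments for `mbedtls_camellia_crypt_ecb` and `mbedtls_camellia_crypt_cbc` still list `#MBEDTLS_CAMELLIA_DECRYPT` as a valid mode without saying what happens when `MBEDTLS_BLOCK_CIPHER_NO_DECRYPT` compiles out `mbedtls_camellia_setkey_dec()`; that behaviour depends on the implementation, which this header does not show, and is worth a `\note`.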
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ccm.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ccm.h
new file mode 100644
index 0000000..1da57c9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ccm.h
@@ -0,0 +1,526 @@
+/**
+ * \file ccm.h
+ *
+ * \brief This file provides an API for the CCM authenticated encryption
+ * mode for block ciphers.
+ *
+ * CCM combines Counter mode encryption with CBC-MAC authentication
+ * for 128-bit block ciphers.
+ *
+ * Input to CCM includes the following elements:
+ * <ul><li>Payload - data that is both authenticated and encrypted.</li>
+ * <li>Associated data (Adata) - data that is authenticated but not
+ * encrypted, For example, a header.</li>
+ * <li>Nonce - A unique value that is assigned to the payload and the
+ * associated data.</li></ul>
+ *
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CCM_H
+#define MBEDTLS_CCM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "mbedtls/block_cipher.h"
+#endif
+
+#define MBEDTLS_CCM_DECRYPT 0
+#define MBEDTLS_CCM_ENCRYPT 1
+#define MBEDTLS_CCM_STAR_DECRYPT 2
+#define MBEDTLS_CCM_STAR_ENCRYPT 3
+
+/** Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D
+/** Authenticated decryption failed. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The CCM context-type definition. The CCM context is passed
+ * to the APIs called.
+ */
+typedef struct mbedtls_ccm_context {
+ unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */
+ unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */
+ size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */
+ size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */
+ size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */
+ size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data
+ were processed (chunked input).
+ Used independently for both auth data
+ and plaintext/ciphertext.
+ This variable is set to zero after
+ auth data input is finished. */
+ unsigned int MBEDTLS_PRIVATE(q); /*!< The Q working value */
+ unsigned int MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
+ #MBEDTLS_CCM_ENCRYPT or
+ #MBEDTLS_CCM_DECRYPT or
+ #MBEDTLS_CCM_STAR_ENCRYPT or
+ #MBEDTLS_CCM_STAR_DECRYPT. */
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */
+#else
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
+#endif
+ int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
+ state. Used for chunked data input */
+}
+mbedtls_ccm_context;
+
+#else /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
+/**
+ * \brief This function initializes the specified CCM context,
+ * to make references valid, and prepare the context
+ * for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *
+ * \param ctx The CCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ccm_init(mbedtls_ccm_context *ctx);
+
+/**
+ * \brief This function initializes the CCM context set in the
+ * \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx The CCM context to initialize. This must be an initialized
+ * context.
+ * \param cipher The 128-bit block cipher to use.
+ * \param key The encryption key. This must not be \c NULL.
+ * \param keybits The key size in bits. This must be acceptable by the cipher.
+ *
+ * \return \c 0 on success.
+ * \return A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits);
+
+/**
+ * \brief This function releases and clears the specified CCM context
+ * and underlying cipher sub-context.
+ *
+ * \param ctx The CCM context to clear. If this is \c NULL, the function
+ * has no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_ccm_free(mbedtls_ccm_context *ctx);
+
+/**
+ * \brief This function encrypts a buffer using CCM.
+ *
+ * \note The tag is written to a separate buffer. To concatenate
+ * the \p tag with the \p output, as done in <em>RFC-3610:
+ * Counter with CBC-MAC (CCM)</em>, use
+ * \p tag = \p output + \p length, and make sure that the
+ * output buffer is at least \p length + \p tag_len wide.
+ *
+ * \param ctx The CCM context to use for encryption. This must be
+ * initialized and bound to a key.
+ * \param length The length of the input data in Bytes.
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param ad The additional data field. If \p ad_len is greater than
+ * zero, \p ad must be a readable buffer of at least that
+ * length.
+ * \param ad_len The length of additional data in Bytes.
+ * This must be less than `2^16 - 2^8`.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * writable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the authentication field to generate in Bytes:
+ * 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return \c 0 on success.
+ * \return A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function encrypts a buffer using CCM*.
+ *
+ * \note The tag is written to a separate buffer. To concatenate
+ * the \p tag with the \p output, as done in <em>RFC-3610:
+ * Counter with CBC-MAC (CCM)</em>, use
+ * \p tag = \p output + \p length, and make sure that the
+ * output buffer is at least \p length + \p tag_len wide.
+ *
+ * \note When using this function in a variable tag length context,
+ * the tag length has to be encoded into the \p iv passed to
+ * this function.
+ *
+ * \param ctx The CCM context to use for encryption. This must be
+ * initialized and bound to a key.
+ * \param length The length of the input data in Bytes.
+ * For tag length = 0, input length is ignored.
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param ad The additional data field. This must be a readable buffer of
+ * at least \p ad_len Bytes.
+ * \param ad_len The length of additional data in Bytes.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * writable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the authentication field to generate in Bytes:
+ * 0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning Passing \c 0 as \p tag_len means that the message is no
+ * longer authenticated.
+ *
+ * \return \c 0 on success.
+ * \return A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function performs a CCM authenticated decryption of a
+ * buffer.
+ *
+ * \param ctx The CCM context to use for decryption. This must be
+ * initialized and bound to a key.
+ * \param length The length of the input data in Bytes.
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param ad The additional data field. This must be a readable buffer
+ * of at least that \p ad_len Bytes..
+ * \param ad_len The length of additional data in Bytes.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the authentication field to generate in Bytes:
+ * 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return \c 0 on success. This indicates that the message is authentic.
+ * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function performs a CCM* authenticated decryption of a
+ * buffer.
+ *
+ * \note When using this function in a variable tag length context,
+ * the tag length has to be decoded from \p iv and passed to
+ * this function as \p tag_len. (\p tag needs to be adjusted
+ * accordingly.)
+ *
+ * \param ctx The CCM context to use for decryption. This must be
+ * initialized and bound to a key.
+ * \param length The length of the input data in Bytes.
+ * For tag length = 0, input length is ignored.
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param ad The additional data field. This must be a readable buffer of
+ * at least that \p ad_len Bytes.
+ * \param ad_len The length of additional data in Bytes.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the authentication field in Bytes.
+ * 0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning Passing \c 0 as \p tag_len means that the message is nos
+ * longer authenticated.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function starts a CCM encryption or decryption
+ * operation.
+ *
+ * This function and mbedtls_ccm_set_lengths() must be called
+ * before calling mbedtls_ccm_update_ad() or
+ * mbedtls_ccm_update(). This function can be called before
+ * or after mbedtls_ccm_set_lengths().
+ *
+ * \note This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx The CCM context. This must be initialized.
+ * \param mode The operation to perform: #MBEDTLS_CCM_ENCRYPT or
+ * #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or
+ * #MBEDTLS_CCM_STAR_DECRYPT.
+ * \param iv The initialization vector. This must be a readable buffer
+ * of at least \p iv_len Bytes.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ * \p ctx is in an invalid state,
+ * \p mode is invalid,
+ * \p iv_len is invalid (lower than \c 7 or greater than
+ * \c 13).
+ */
+int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len);
+
+/**
+ * \brief This function declares the lengths of the message
+ * and additional data for a CCM encryption or decryption
+ * operation.
+ *
+ * This function and mbedtls_ccm_starts() must be called
+ * before calling mbedtls_ccm_update_ad() or
+ * mbedtls_ccm_update(). This function can be called before
+ * or after mbedtls_ccm_starts().
+ *
+ * \note This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx The CCM context. This must be initialized.
+ * \param total_ad_len The total length of additional data in bytes.
+ * This must be less than `2^16 - 2^8`.
+ * \param plaintext_len The length in bytes of the plaintext to encrypt or
+ * result of the decryption (thus not encompassing the
+ * additional data that are not encrypted).
+ * \param tag_len The length of the tag to generate in Bytes:
+ * 4, 6, 8, 10, 12, 14 or 16.
+ * For CCM*, zero is also valid.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ * \p ctx is in an invalid state,
+ * \p total_ad_len is greater than \c 0xFF00.
+ */
+int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
+ size_t total_ad_len,
+ size_t plaintext_len,
+ size_t tag_len);
+
+/**
+ * \brief This function feeds an input buffer as associated data
+ * (authenticated but not encrypted data) in a CCM
+ * encryption or decryption operation.
+ *
+ * You may call this function zero, one or more times
+ * to pass successive parts of the additional data. The
+ * lengths \p ad_len of the data parts should eventually add
+ * up exactly to the total length of additional data
+ * \c total_ad_len passed to mbedtls_ccm_set_lengths(). You
+ * may not call this function after calling
+ * mbedtls_ccm_update().
+ *
+ * \note This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx The CCM context. This must have been started with
+ * mbedtls_ccm_starts(), the lengths of the message and
+ * additional data must have been declared with
+ * mbedtls_ccm_set_lengths() and this must not have yet
+ * received any input with mbedtls_ccm_update().
+ * \param ad The buffer holding the additional data, or \c NULL
+ * if \p ad_len is \c 0.
+ * \param ad_len The length of the additional data. If \c 0,
+ * \p ad may be \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ * \p ctx is in an invalid state,
+ * total input length too long.
+ */
+int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
+ const unsigned char *ad,
+ size_t ad_len);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing CCM
+ * encryption or decryption operation.
+ *
+ * You may call this function zero, one or more times
+ * to pass successive parts of the input: the plaintext to
+ * encrypt, or the ciphertext (not including the tag) to
+ * decrypt. After the last part of the input, call
+ * mbedtls_ccm_finish(). The lengths \p input_len of the
+ * data parts should eventually add up exactly to the
+ * plaintext length \c plaintext_len passed to
+ * mbedtls_ccm_set_lengths().
+ *
+ * This function may produce output in one of the following
+ * ways:
+ * - Immediate output: the output length is always equal
+ * to the input length.
+ * - Buffered output: except for the last part of input data,
+ * the output consists of a whole number of 16-byte blocks.
+ * If the total input length so far (not including
+ * associated data) is 16 \* *B* + *A* with *A* < 16 then
+ * the total output length is 16 \* *B*.
+ * For the last part of input data, the output length is
+ * equal to the input length plus the number of bytes (*A*)
+ * buffered in the previous call to the function (if any).
+ * The function uses the plaintext length
+ * \c plaintext_len passed to mbedtls_ccm_set_lengths()
+ * to detect the last part of input data.
+ *
+ * In particular:
+ * - It is always correct to call this function with
+ * \p output_size >= \p input_len + 15.
+ * - If \p input_len is a multiple of 16 for all the calls
+ * to this function during an operation (not necessary for
+ * the last one) then it is correct to use \p output_size
+ * =\p input_len.
+ *
+ * \note This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx The CCM context. This must have been started with
+ * mbedtls_ccm_starts() and the lengths of the message and
+ * additional data must have been declared with
+ * mbedtls_ccm_set_lengths().
+ * \param input The buffer holding the input data. If \p input_len
+ * is greater than zero, this must be a readable buffer
+ * of at least \p input_len bytes.
+ * \param input_len The length of the input data in bytes.
+ * \param output The buffer for the output data. If \p output_size
+ * is greater than zero, this must be a writable buffer of
+ * at least \p output_size bytes.
+ * \param output_size The size of the output buffer in bytes.
+ * See the function description regarding the output size.
+ * \param output_len On success, \p *output_len contains the actual
+ * length of the output written in \p output.
+ * On failure, the content of \p *output_len is
+ * unspecified.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ * \p ctx is in an invalid state,
+ * total input length too long,
+ * or \p output_size too small.
+ */
+int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
+ const unsigned char *input, size_t input_len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+
+/**
+ * \brief This function finishes the CCM operation and generates
+ * the authentication tag.
+ *
+ * It wraps up the CCM stream, and generates the
+ * tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \note This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx The CCM context. This must have been started with
+ * mbedtls_ccm_starts() and the lengths of the message and
+ * additional data must have been declared with
+ * mbedtls_ccm_set_lengths().
+ * \param tag The buffer for holding the tag. If \p tag_len is greater
+ * than zero, this must be a writable buffer of at least \p
+ * tag_len Bytes.
+ * \param tag_len The length of the tag. Must match the tag length passed to
+ * mbedtls_ccm_set_lengths() function.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ * \p ctx is in an invalid state,
+ * invalid value of \p tag_len,
+ * the total amount of additional data passed to
+ * mbedtls_ccm_update_ad() was lower than the total length of
+ * additional data \c total_ad_len passed to
+ * mbedtls_ccm_set_lengths(),
+ * the total amount of input data passed to
+ * mbedtls_ccm_update() was lower than the plaintext length
+ * \c plaintext_len passed to mbedtls_ccm_set_lengths().
+ */
+int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
+ unsigned char *tag, size_t tag_len);
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+/**
+ * \brief The CCM checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_ccm_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CCM_H */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/chacha20.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/chacha20.h
new file mode 100644
index 0000000..680fe36
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/chacha20.h
@@ -0,0 +1,202 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief This file contains ChaCha20 definitions and functions.
+ *
+ * ChaCha20 is a stream cipher that can encrypt and decrypt
+ * information. ChaCha was created by Daniel Bernstein as a variant of
+ * its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ * ChaCha20 is the variant with 20 rounds, that was also standardized
+ * in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stdint.h>
+#include <stddef.h>
+
+/** Invalid input parameter(s). */
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x0051
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct mbedtls_chacha20_context {
+ uint32_t MBEDTLS_PRIVATE(state)[16]; /*! The state (before round operations). */
+ uint8_t MBEDTLS_PRIVATE(keystream8)[64]; /*! Leftover keystream bytes. */
+ size_t MBEDTLS_PRIVATE(keystream_bytes_used); /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief This function initializes the specified ChaCha20 context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * It is usually followed by calls to
+ * \c mbedtls_chacha20_setkey() and
+ * \c mbedtls_chacha20_starts(), then one or more calls to
+ * to \c mbedtls_chacha20_update(), and finally to
+ * \c mbedtls_chacha20_free().
+ *
+ * \param ctx The ChaCha20 context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified
+ * ChaCha20 context.
+ *
+ * \param ctx The ChaCha20 context to clear. This may be \c NULL,
+ * in which case this function is a no-op. If it is not
+ * \c NULL, it must point to an initialized context.
+ *
+ */
+void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx);
+
+/**
+ * \brief This function sets the encryption/decryption key.
+ *
+ * \note After using this function, you must also call
+ * \c mbedtls_chacha20_starts() to set a nonce before you
+ * start encrypting/decrypting data with
+ * \c mbedtls_chacha_update().
+ *
+ * \param ctx The ChaCha20 context to which the key should be bound.
+ * It must be initialized.
+ * \param key The encryption/decryption key. This must be \c 32 Bytes
+ * in length.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
+ const unsigned char key[32]);
+
+/**
+ * \brief This function sets the nonce and initial counter value.
+ *
+ * \note A ChaCha20 context can be re-used with the same key by
+ * calling this function to change the nonce.
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality guarantees for the
+ * messages encrypted with the same nonce and key.
+ *
+ * \param ctx The ChaCha20 context to which the nonce should be bound.
+ * It must be initialized and bound to a key.
+ * \param nonce The nonce. This must be \c 12 Bytes in size.
+ * \param counter The initial counter value. This is usually \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ * NULL.
+ */
+int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
+ const unsigned char nonce[12],
+ uint32_t counter);
+
+/**
+ * \brief This function encrypts or decrypts data.
+ *
+ * Since ChaCha20 is a stream cipher, the same operation is
+ * used for encrypting and decrypting data.
+ *
+ * \note The \p input and \p output pointers must either be equal or
+ * point to non-overlapping buffers.
+ *
+ * \note \c mbedtls_chacha20_setkey() and
+ * \c mbedtls_chacha20_starts() must be called at least once
+ * to setup the context before this function can be called.
+ *
+ * \note This function can be called multiple times in a row in
+ * order to encrypt of decrypt data piecewise with the same
+ * key and nonce.
+ *
+ * \param ctx The ChaCha20 context to use for encryption or decryption.
+ * It must be initialized and bound to a key and nonce.
+ * \param size The length of the input data in Bytes.
+ * \param input The buffer holding the input data.
+ * This pointer can be \c NULL if `size == 0`.
+ * \param output The buffer holding the output data.
+ * This must be able to hold \p size Bytes.
+ * This pointer can be \c NULL if `size == 0`.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function encrypts or decrypts data with ChaCha20 and
+ * the given key and nonce.
+ *
+ * Since ChaCha20 is a stream cipher, the same operation is
+ * used for encrypting and decrypting data.
+ *
+ * \warning You must never use the same (key, nonce) pair more than
+ * once. This would void any confidentiality guarantees for
+ * the messages encrypted with the same nonce and key.
+ *
+ * \note The \p input and \p output pointers must either be equal or
+ * point to non-overlapping buffers.
+ *
+ * \param key The encryption/decryption key.
+ * This must be \c 32 Bytes in length.
+ * \param nonce The nonce. This must be \c 12 Bytes in size.
+ * \param counter The initial counter value. This is usually \c 0.
+ * \param size The length of the input data in Bytes.
+ * \param input The buffer holding the input data.
+ * This pointer can be \c NULL if `size == 0`.
+ * \param output The buffer holding the output data.
+ * This must be able to hold \p size Bytes.
+ * This pointer can be \c NULL if `size == 0`.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_chacha20_crypt(const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The ChaCha20 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
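Review bot: The documentation of `mbedtls_chacha20_starts()` and `mbedtls_chacha20_crypt()` never says how much data may be processed under one (key, nonce) pair before the 32-bit block counter (`uint32_t counter`) wraps. Whether `mbedtls_chacha20_update()` detects the wrap is not visible from this header, so I would add, next to the existing nonce-reuse warning in both, `\warning The block counter is 32 bits wide: at most (2^32 - counter) 64-byte blocks may be processed per nonce, otherwise keystream may repeat.` Separately, the note on `mbedtls_chacha20_setkey()` refers to `mbedtls_chacha_update()`, which this header does not declare; it should read `mbedtls_chacha20_update()`. The member comments in `mbedtls_chacha20_context` use `/*!` where Doxygen's trailing-member form is `/*!<`, so they likely attach to the wrong member.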
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/chachapoly.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/chachapoly.h
new file mode 100644
index 0000000..3dc21e3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/chachapoly.h
@@ -0,0 +1,342 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ * functions.
+ *
+ * ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ * with Associated Data (AEAD) that can be used to encrypt and
+ * authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ * Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+/* for shared error codes */
+#include "mbedtls/poly1305.h"
+
+/** The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE -0x0054
+/** Authenticated decryption failed: data was not authentic. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED -0x0056
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+ MBEDTLS_CHACHAPOLY_ENCRYPT, /**< The mode value for performing encryption. */
+ MBEDTLS_CHACHAPOLY_DECRYPT /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "mbedtls/chacha20.h"
+
+typedef struct mbedtls_chachapoly_context {
+ mbedtls_chacha20_context MBEDTLS_PRIVATE(chacha20_ctx); /**< The ChaCha20 context. */
+ mbedtls_poly1305_context MBEDTLS_PRIVATE(poly1305_ctx); /**< The Poly1305 context. */
+ uint64_t MBEDTLS_PRIVATE(aad_len); /**< The length (bytes) of the Additional Authenticated Data. */
+ uint64_t MBEDTLS_PRIVATE(ciphertext_len); /**< The length (bytes) of the ciphertext. */
+ int MBEDTLS_PRIVATE(state); /**< The current state of the context. */
+ mbedtls_chachapoly_mode_t MBEDTLS_PRIVATE(mode); /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ * It must be the first API called before using
+ * the context. It must be followed by a call to
+ * \c mbedtls_chachapoly_setkey() before any operation can be
+ * done, and to \c mbedtls_chachapoly_free() once all
+ * operations with that context have been finished.
+ *
+ * In order to encrypt or decrypt full messages at once, for
+ * each message you should make a single call to
+ * \c mbedtls_chachapoly_crypt_and_tag() or
+ * \c mbedtls_chachapoly_auth_decrypt().
+ *
+ * In order to encrypt messages piecewise, for each
+ * message you should make a call to
+ * \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ * \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ * \c mbedtls_chachapoly_update(), then one call to
+ * \c mbedtls_chachapoly_finish().
+ *
+ * \warning Decryption with the piecewise API is discouraged! Always
+ * use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ * If however this is not possible because the data is too
+ * large to fit in memory, you need to:
+ *
+ * - call \c mbedtls_chachapoly_starts() and (if needed)
+ * \c mbedtls_chachapoly_update_aad() as above,
+ * - call \c mbedtls_chachapoly_update() multiple times and
+ * ensure its output (the plaintext) is NOT used in any other
+ * way than placing it in temporary storage at this point,
+ * - call \c mbedtls_chachapoly_finish() to compute the
+ * authentication tag and compared it in constant time to the
+ * tag received with the ciphertext.
+ *
+ * If the tags are not equal, you must immediately discard
+ * all previous outputs of \c mbedtls_chachapoly_update(),
+ * otherwise you can now safely use the plaintext.
+ *
+ * \param ctx The ChachaPoly context to initialize. Must not be \c NULL.
+ */
+void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified
+ * ChaCha20-Poly1305 context.
+ *
+ * \param ctx The ChachaPoly context to clear. This may be \c NULL, in which
+ * case this function is a no-op.
+ */
+void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx);
+
+/**
+ * \brief This function sets the ChaCha20-Poly1305
+ * symmetric encryption key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context to which the key should be
+ * bound. This must be initialized.
+ * \param key The \c 256 Bit (\c 32 Bytes) key.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
+ const unsigned char key[32]);
+
+/**
+ * \brief This function starts a ChaCha20-Poly1305 encryption or
+ * decryption operation.
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality and authenticity
+ * guarantees for the messages encrypted with the same nonce
+ * and key.
+ *
+ * \note If the context is being used for AAD only (no data to
+ * encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context. This must be initialized
+ * and bound to a key.
+ * \param nonce The nonce/IV to use for the message.
+ * This must be a readable buffer of length \c 12 Bytes.
+ * \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ * #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_chachapoly_mode_t mode);
+
+/**
+ * \brief This function feeds additional data to be authenticated
+ * into an ongoing ChaCha20-Poly1305 operation.
+ *
+ * The Additional Authenticated Data (AAD), also called
+ * Associated Data (AD) is only authenticated but not
+ * encrypted nor included in the encrypted output. It is
+ * usually transmitted separately from the ciphertext or
+ * computed locally by each party.
+ *
+ * \note This function is called before data is encrypted/decrypted.
+ * I.e. call this function to process the AAD before calling
+ * \c mbedtls_chachapoly_update().
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of AAD. It is permitted to call
+ * this function 0 times, if no AAD is used.
+ *
+ * This function cannot be called any more if data has
+ * been processed by \c mbedtls_chachapoly_update(),
+ * or if the context has been finished.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context. This must be initialized
+ * and bound to a key.
+ * \param aad_len The length in Bytes of the AAD. The length has no
+ * restrictions.
+ * \param aad Buffer containing the AAD.
+ * This pointer can be \c NULL if `aad_len == 0`.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx or \p aad are NULL.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operations has not been started or has been
+ * finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
+ const unsigned char *aad,
+ size_t aad_len);
+
+/**
+ * \brief Thus function feeds data to be encrypted or decrypted
+ * into an on-going ChaCha20-Poly1305
+ * operation.
+ *
+ * The direction (encryption or decryption) depends on the
+ * mode that was given when calling
+ * \c mbedtls_chachapoly_starts().
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of data. It is permitted to call
+ * this function 0 times, if no data is to be encrypted
+ * or decrypted.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param len The length (in bytes) of the data to encrypt or decrypt.
+ * \param input The buffer containing the data to encrypt or decrypt.
+ * This pointer can be \c NULL if `len == 0`.
+ * \param output The buffer to where the encrypted or decrypted data is
+ * written. This must be able to hold \p len bytes.
+ * This pointer can be \c NULL if `len == 0`.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operation has not been started or has been
+ * finished.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function finished the ChaCha20-Poly1305 operation and
+ * generates the MAC (authentication tag).
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operation has not been started or has been
+ * finished.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
+ unsigned char mac[16]);
+
+/**
+ * \brief This function performs a complete ChaCha20-Poly1305
+ * authenticated encryption with the previously-set key.
+ *
+ * \note Before using this function, you must set the key with
+ * \c mbedtls_chachapoly_setkey().
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality and authenticity
+ * guarantees for the messages encrypted with the same nonce
+ * and key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
+ * This must be initialized.
+ * \param length The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad The buffer containing the additional authenticated
+ * data (AAD). This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param input The buffer containing the data to encrypt or decrypt.
+ * This pointer can be \c NULL if `ilen == 0`.
+ * \param output The buffer to where the encrypted or decrypted data
+ * is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag The buffer to where the computed 128-bit (16 bytes) MAC
+ * is written. This must not be \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16]);
+
+/**
+ * \brief This function performs a complete ChaCha20-Poly1305
+ * authenticated decryption with the previously-set key.
+ *
+ * \note Before using this function, you must set the key with
+ * \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length The length (in Bytes) of the data to decrypt.
+ * \param nonce The \c 96 Bit (\c 12 bytes) nonce/IV to use.
+ * \param aad The buffer containing the additional authenticated data (AAD).
+ * This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param tag The buffer holding the authentication tag.
+ * This must be a readable buffer of length \c 16 Bytes.
+ * \param input The buffer containing the data to decrypt.
+ * This pointer can be \c NULL if `ilen == 0`.
+ * \param output The buffer to where the decrypted data is written.
+ * This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ * if the data was not authentic.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char tag[16],
+ const unsigned char *input,
+ unsigned char *output);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
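Review bot: The documentation of `mbedtls_chachapoly_auth_decrypt()` does not say what `output` holds when the function returns #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED, which is the case a caller most needs spelled out. I would add `\warning If this function returns an error, the contents of \p output must not be used.` and also state whether the buffer is cleared on failure, if the implementation guarantees that (not visible from this header). In that function and in `mbedtls_chachapoly_encrypt_and_tag()`, the `input` and `output` descriptions say `ilen == 0`, but the parameter is named `length`. In `mbedtls_chachapoly_update_aad()`, the return text "if \p ctx or \p aad are NULL" contradicts the parameter text that allows `aad` to be NULL when `aad_len == 0`; it should read something like `if \p ctx is NULL, or \p aad is NULL and \p aad_len is not 0`.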
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h
new file mode 100644
index 0000000..1dc31c9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/cipher.h
@@ -0,0 +1,1173 @@
+/**
+ * \file cipher.h
+ *
+ * \brief This file contains an abstraction interface for use with the cipher
+ * primitives provided by the library. It provides a common interface to all of
+ * the available cipher operations.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CIPHER_H
+#define MBEDTLS_CIPHER_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+#define MBEDTLS_CIPHER_MODE_AEAD
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_MODE_WITH_PADDING
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+ defined(MBEDTLS_CHACHA20_C)
+#define MBEDTLS_CIPHER_MODE_STREAM
+#endif
+
+/** The selected feature is not available. */
+#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080
+/** Bad input parameters. */
+#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100
+/** Failed to allocate memory. */
+#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180
+/** Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_CIPHER_INVALID_PADDING -0x6200
+/** Decryption of block requires a full block. */
+#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280
+/** Authentication failed (for AEAD modes). */
+#define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300
+/** The context is invalid. For example, because it was freed. */
+#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380
+
+#define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length. */
+#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Supported cipher types.
+ *
+ * \warning DES/3DES are considered weak ciphers and their use
+ * constitutes a security risk. We recommend considering stronger
+ * ciphers instead.
+ */
+typedef enum {
+ MBEDTLS_CIPHER_ID_NONE = 0, /**< Placeholder to mark the end of cipher ID lists. */
+ MBEDTLS_CIPHER_ID_NULL, /**< The identity cipher, treated as a stream cipher. */
+ MBEDTLS_CIPHER_ID_AES, /**< The AES cipher. */
+ MBEDTLS_CIPHER_ID_DES, /**< The DES cipher. \warning DES is considered weak. */
+ MBEDTLS_CIPHER_ID_3DES, /**< The Triple DES cipher. \warning 3DES is considered weak. */
+ MBEDTLS_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
+ MBEDTLS_CIPHER_ID_ARIA, /**< The Aria cipher. */
+ MBEDTLS_CIPHER_ID_CHACHA20, /**< The ChaCha20 cipher. */
+} mbedtls_cipher_id_t;
+
+/**
+ * \brief Supported {cipher type, cipher mode} pairs.
+ *
+ * \warning DES/3DES are considered weak ciphers and their use
+ * constitutes a security risk. We recommend considering stronger
+ * ciphers instead.
+ */
+typedef enum {
+ MBEDTLS_CIPHER_NONE = 0, /**< Placeholder to mark the end of cipher-pair lists. */
+ MBEDTLS_CIPHER_NULL, /**< The identity stream cipher. */
+ MBEDTLS_CIPHER_AES_128_ECB, /**< AES cipher with 128-bit ECB mode. */
+ MBEDTLS_CIPHER_AES_192_ECB, /**< AES cipher with 192-bit ECB mode. */
+ MBEDTLS_CIPHER_AES_256_ECB, /**< AES cipher with 256-bit ECB mode. */
+ MBEDTLS_CIPHER_AES_128_CBC, /**< AES cipher with 128-bit CBC mode. */
+ MBEDTLS_CIPHER_AES_192_CBC, /**< AES cipher with 192-bit CBC mode. */
+ MBEDTLS_CIPHER_AES_256_CBC, /**< AES cipher with 256-bit CBC mode. */
+ MBEDTLS_CIPHER_AES_128_CFB128, /**< AES cipher with 128-bit CFB128 mode. */
+ MBEDTLS_CIPHER_AES_192_CFB128, /**< AES cipher with 192-bit CFB128 mode. */
+ MBEDTLS_CIPHER_AES_256_CFB128, /**< AES cipher with 256-bit CFB128 mode. */
+ MBEDTLS_CIPHER_AES_128_CTR, /**< AES cipher with 128-bit CTR mode. */
+ MBEDTLS_CIPHER_AES_192_CTR, /**< AES cipher with 192-bit CTR mode. */
+ MBEDTLS_CIPHER_AES_256_CTR, /**< AES cipher with 256-bit CTR mode. */
+ MBEDTLS_CIPHER_AES_128_GCM, /**< AES cipher with 128-bit GCM mode. */
+ MBEDTLS_CIPHER_AES_192_GCM, /**< AES cipher with 192-bit GCM mode. */
+ MBEDTLS_CIPHER_AES_256_GCM, /**< AES cipher with 256-bit GCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_ECB, /**< Camellia cipher with 128-bit ECB mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_ECB, /**< Camellia cipher with 192-bit ECB mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_ECB, /**< Camellia cipher with 256-bit ECB mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, /**< Camellia cipher with 128-bit CBC mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_CBC, /**< Camellia cipher with 192-bit CBC mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, /**< Camellia cipher with 256-bit CBC mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_CFB128, /**< Camellia cipher with 128-bit CFB128 mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_CFB128, /**< Camellia cipher with 192-bit CFB128 mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_CFB128, /**< Camellia cipher with 256-bit CFB128 mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_CTR, /**< Camellia cipher with 128-bit CTR mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_CTR, /**< Camellia cipher with 192-bit CTR mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_CTR, /**< Camellia cipher with 256-bit CTR mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, /**< Camellia cipher with 128-bit GCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_GCM, /**< Camellia cipher with 192-bit GCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, /**< Camellia cipher with 256-bit GCM mode. */
+ MBEDTLS_CIPHER_DES_ECB, /**< DES cipher with ECB mode. \warning DES is considered weak. */
+ MBEDTLS_CIPHER_DES_CBC, /**< DES cipher with CBC mode. \warning DES is considered weak. */
+ MBEDTLS_CIPHER_DES_EDE_ECB, /**< DES cipher with EDE ECB mode. \warning 3DES is considered weak. */
+ MBEDTLS_CIPHER_DES_EDE_CBC, /**< DES cipher with EDE CBC mode. \warning 3DES is considered weak. */
+ MBEDTLS_CIPHER_DES_EDE3_ECB, /**< DES cipher with EDE3 ECB mode. \warning 3DES is considered weak. */
+ MBEDTLS_CIPHER_DES_EDE3_CBC, /**< DES cipher with EDE3 CBC mode. \warning 3DES is considered weak. */
+ MBEDTLS_CIPHER_AES_128_CCM, /**< AES cipher with 128-bit CCM mode. */
+ MBEDTLS_CIPHER_AES_192_CCM, /**< AES cipher with 192-bit CCM mode. */
+ MBEDTLS_CIPHER_AES_256_CCM, /**< AES cipher with 256-bit CCM mode. */
+ MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_ARIA_128_ECB, /**< Aria cipher with 128-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_192_ECB, /**< Aria cipher with 192-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_256_ECB, /**< Aria cipher with 256-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_128_CBC, /**< Aria cipher with 128-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_192_CBC, /**< Aria cipher with 192-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_256_CBC, /**< Aria cipher with 256-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_128_CFB128, /**< Aria cipher with 128-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_192_CFB128, /**< Aria cipher with 192-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_256_CFB128, /**< Aria cipher with 256-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_128_CTR, /**< Aria cipher with 128-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_192_CTR, /**< Aria cipher with 192-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_256_CTR, /**< Aria cipher with 256-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_128_GCM, /**< Aria cipher with 128-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_192_GCM, /**< Aria cipher with 192-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_256_GCM, /**< Aria cipher with 256-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_128_CCM, /**< Aria cipher with 128-bit key and CCM mode. */
+ MBEDTLS_CIPHER_ARIA_192_CCM, /**< Aria cipher with 192-bit key and CCM mode. */
+ MBEDTLS_CIPHER_ARIA_256_CCM, /**< Aria cipher with 256-bit key and CCM mode. */
+ MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
+ MBEDTLS_CIPHER_AES_128_OFB, /**< AES 128-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_192_OFB, /**< AES 192-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_256_OFB, /**< AES 256-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_128_XTS, /**< AES 128-bit cipher in XTS block mode. */
+ MBEDTLS_CIPHER_AES_256_XTS, /**< AES 256-bit cipher in XTS block mode. */
+ MBEDTLS_CIPHER_CHACHA20, /**< ChaCha20 stream cipher. */
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, /**< ChaCha20-Poly1305 AEAD cipher. */
+ MBEDTLS_CIPHER_AES_128_KW, /**< AES cipher with 128-bit NIST KW mode. */
+ MBEDTLS_CIPHER_AES_192_KW, /**< AES cipher with 192-bit NIST KW mode. */
+ MBEDTLS_CIPHER_AES_256_KW, /**< AES cipher with 256-bit NIST KW mode. */
+ MBEDTLS_CIPHER_AES_128_KWP, /**< AES cipher with 128-bit NIST KWP mode. */
+ MBEDTLS_CIPHER_AES_192_KWP, /**< AES cipher with 192-bit NIST KWP mode. */
+ MBEDTLS_CIPHER_AES_256_KWP, /**< AES cipher with 256-bit NIST KWP mode. */
+} mbedtls_cipher_type_t;
+
+/** Supported cipher modes. */
+typedef enum {
+ MBEDTLS_MODE_NONE = 0, /**< None. */
+ MBEDTLS_MODE_ECB, /**< The ECB cipher mode. */
+ MBEDTLS_MODE_CBC, /**< The CBC cipher mode. */
+ MBEDTLS_MODE_CFB, /**< The CFB cipher mode. */
+ MBEDTLS_MODE_OFB, /**< The OFB cipher mode. */
+ MBEDTLS_MODE_CTR, /**< The CTR cipher mode. */
+ MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */
+ MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */
+ MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
+ MBEDTLS_MODE_CCM_STAR_NO_TAG, /**< The CCM*-no-tag cipher mode. */
+ MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */
+ MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */
+ MBEDTLS_MODE_KW, /**< The SP800-38F KW mode */
+ MBEDTLS_MODE_KWP, /**< The SP800-38F KWP mode */
+} mbedtls_cipher_mode_t;
+
+/** Supported cipher padding types. */
+typedef enum {
+ MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default). */
+ MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding. */
+ MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding. */
+ MBEDTLS_PADDING_ZEROS, /**< Zero padding (not reversible). */
+ MBEDTLS_PADDING_NONE, /**< Never pad (full blocks only). */
+} mbedtls_cipher_padding_t;
+
+/** Type of operation. */
+typedef enum {
+ MBEDTLS_OPERATION_NONE = -1,
+ MBEDTLS_DECRYPT = 0,
+ MBEDTLS_ENCRYPT,
+} mbedtls_operation_t;
+
+enum {
+ /** Undefined key length. */
+ MBEDTLS_KEY_LENGTH_NONE = 0,
+ /** Key length, in bits (including parity), for DES keys. \warning DES is considered weak. */
+ MBEDTLS_KEY_LENGTH_DES = 64,
+ /** Key length in bits, including parity, for DES in two-key EDE. \warning 3DES is considered weak. */
+ MBEDTLS_KEY_LENGTH_DES_EDE = 128,
+ /** Key length in bits, including parity, for DES in three-key EDE. \warning 3DES is considered weak. */
+ MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
+};
+
+/** Maximum length of any IV, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
+ * in library/ssl_misc.h. */
+#define MBEDTLS_MAX_IV_LENGTH 16
+
+/** Maximum block size of any cipher, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in library/ssl_misc.h. */
+#define MBEDTLS_MAX_BLOCK_LENGTH 16
+
+/** Maximum key length, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * For now, only check whether XTS is enabled which uses 64 Byte keys,
+ * and use 32 Bytes as an upper bound for the maximum key length otherwise.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in library/ssl_misc.h, which however deliberately ignores the case of XTS
+ * since the latter isn't used in SSL/TLS. */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#define MBEDTLS_MAX_KEY_LENGTH 64
+#else
+#define MBEDTLS_MAX_KEY_LENGTH 32
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * Base cipher information (opaque struct).
+ */
+typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
+
+/**
+ * CMAC context (opaque struct).
+ */
+typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
+
+/**
+ * Cipher information. Allows calling cipher functions
+ * in a generic way.
+ *
+ * \note The library does not support custom cipher info structures,
+ * only built-in structures returned by the functions
+ * mbedtls_cipher_info_from_string(),
+ * mbedtls_cipher_info_from_type(),
+ * mbedtls_cipher_info_from_values(),
+ * mbedtls_cipher_info_from_psa().
+ *
+ * \note Some fields store a value that has been right-shifted to save
+ * code-size, so should not be used directly. The accessor
+ * functions adjust for this and return the "natural" value.
+ */
+typedef struct mbedtls_cipher_info_t {
+ /** Name of the cipher. */
+ const char *MBEDTLS_PRIVATE(name);
+
+ /** The block size, in bytes. */
+ unsigned int MBEDTLS_PRIVATE(block_size) : 5;
+
+ /** IV or nonce size, in bytes (right shifted by #MBEDTLS_IV_SIZE_SHIFT).
+ * For ciphers that accept variable IV sizes,
+ * this is the recommended size.
+ */
+ unsigned int MBEDTLS_PRIVATE(iv_size) : 3;
+
+ /** The cipher key length, in bits (right shifted by #MBEDTLS_KEY_BITLEN_SHIFT).
+ * This is the default length for variable sized ciphers.
+ * Includes parity bits for ciphers like DES.
+ */
+ unsigned int MBEDTLS_PRIVATE(key_bitlen) : 4;
+
+ /** The cipher mode (as per mbedtls_cipher_mode_t).
+ * For example, MBEDTLS_MODE_CBC.
+ */
+ unsigned int MBEDTLS_PRIVATE(mode) : 4;
+
+ /** Full cipher identifier (as per mbedtls_cipher_type_t).
+ * For example, MBEDTLS_CIPHER_AES_256_CBC.
+ *
+ * This could be 7 bits, but 8 bits retains byte alignment for the
+ * next field, which reduces code size to access that field.
+ */
+ unsigned int MBEDTLS_PRIVATE(type) : 8;
+
+ /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
+ * MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
+ * cipher supports variable IV or variable key sizes, respectively.
+ */
+ unsigned int MBEDTLS_PRIVATE(flags) : 2;
+
+ /** Index to LUT for base cipher information and functions. */
+ unsigned int MBEDTLS_PRIVATE(base_idx) : 5;
+
+} mbedtls_cipher_info_t;
+
+/* For internal use only.
+ * These are used to more compactly represent the fields above. */
+#define MBEDTLS_KEY_BITLEN_SHIFT 6
+#define MBEDTLS_IV_SIZE_SHIFT 2
+/**
+ * Generic cipher context.
+ */
+typedef struct mbedtls_cipher_context_t {
+ /** Information about the associated cipher. */
+ const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info);
+
+ /** Key length to use. */
+ int MBEDTLS_PRIVATE(key_bitlen);
+
+ /** Operation that the key of the context has been
+ * initialized for.
+ */
+ mbedtls_operation_t MBEDTLS_PRIVATE(operation);
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ /** Padding functions to use, if relevant for
+ * the specific cipher mode.
+ */
+ void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
+ int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
+#endif
+
+ /** Buffer for input that has not been processed yet. */
+ unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH];
+
+ /** Number of Bytes that have not been processed yet. */
+ size_t MBEDTLS_PRIVATE(unprocessed_len);
+
+ /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
+ * for XTS-mode. */
+ unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH];
+
+ /** IV size in Bytes, for ciphers with variable-length IVs. */
+ size_t MBEDTLS_PRIVATE(iv_size);
+
+ /** The cipher-specific context. */
+ void *MBEDTLS_PRIVATE(cipher_ctx);
+
+#if defined(MBEDTLS_CMAC_C)
+ /** CMAC-specific context. */
+ mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx);
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ /** Indicates whether the cipher operations should be performed
+ * by Mbed TLS' own crypto library or an external implementation
+ * of the PSA Crypto API.
+ * This is unset if the cipher context was established through
+ * mbedtls_cipher_setup(), and set if it was established through
+ * mbedtls_cipher_setup_psa().
+ */
+ unsigned char MBEDTLS_PRIVATE(psa_enabled);
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+} mbedtls_cipher_context_t;
+
+/**
+ * \brief This function retrieves the list of ciphers supported
+ * by the generic cipher module.
+ *
+ * For any cipher identifier in the returned list, you can
+ * obtain the corresponding generic cipher information structure
+ * via mbedtls_cipher_info_from_type(), which can then be used
+ * to prepare a cipher context via mbedtls_cipher_setup().
+ *
+ *
+ * \return A statically-allocated array of cipher identifiers
+ * of type cipher_type_t. The last entry is zero.
+ */
+const int *mbedtls_cipher_list(void);
+
+/**
+ * \brief This function retrieves the cipher-information
+ * structure associated with the given cipher name.
+ *
+ * \param cipher_name Name of the cipher to search for. This must not be
+ * \c NULL.
+ *
+ * \return The cipher information structure associated with the
+ * given \p cipher_name.
+ * \return \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name);
+
+/**
+ * \brief This function retrieves the cipher-information
+ * structure associated with the given cipher type.
+ *
+ * \param cipher_type Type of the cipher to search for.
+ *
+ * \return The cipher information structure associated with the
+ * given \p cipher_type.
+ * \return \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type);
+
+/**
+ * \brief This function retrieves the cipher-information
+ * structure associated with the given cipher ID,
+ * key size and mode.
+ *
+ * \param cipher_id The ID of the cipher to search for. For example,
+ * #MBEDTLS_CIPHER_ID_AES.
+ * \param key_bitlen The length of the key in bits.
+ * \param mode The cipher mode. For example, #MBEDTLS_MODE_CBC.
+ *
+ * \return The cipher information structure associated with the
+ * given \p cipher_id.
+ * \return \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,
+ int key_bitlen,
+ const mbedtls_cipher_mode_t mode);
+
+/**
+ * \brief Retrieve the identifier for a cipher info structure.
+ *
+ * \param[in] info The cipher info structure to query.
+ * This may be \c NULL.
+ *
+ * \return The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
+ * \return #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return MBEDTLS_CIPHER_NONE;
+ } else {
+ return (mbedtls_cipher_type_t) info->MBEDTLS_PRIVATE(type);
+ }
+}
+
+/**
+ * \brief Retrieve the operation mode for a cipher info structure.
+ *
+ * \param[in] info The cipher info structure to query.
+ * This may be \c NULL.
+ *
+ * \return The cipher mode (\c MBEDTLS_MODE_xxx).
+ * \return #MBEDTLS_MODE_NONE if \p info is \c NULL.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return MBEDTLS_MODE_NONE;
+ } else {
+ return (mbedtls_cipher_mode_t) info->MBEDTLS_PRIVATE(mode);
+ }
+}
+
+/**
+ * \brief Retrieve the key size for a cipher info structure.
+ *
+ * \param[in] info The cipher info structure to query.
+ * This may be \c NULL.
+ *
+ * \return The key length in bits.
+ * For variable-sized ciphers, this is the default length.
+ * For DES, this includes the parity bits.
+ * \return \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_key_bitlen(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return 0;
+ } else {
+ return ((size_t) info->MBEDTLS_PRIVATE(key_bitlen)) << MBEDTLS_KEY_BITLEN_SHIFT;
+ }
+}
+
+/**
+ * \brief Retrieve the human-readable name for a
+ * cipher info structure.
+ *
+ * \param[in] info The cipher info structure to query.
+ * This may be \c NULL.
+ *
+ * \return The cipher name, which is a human readable string,
+ * with static storage duration.
+ * \return \c NULL if \p info is \c NULL.
+ */
+static inline const char *mbedtls_cipher_info_get_name(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return NULL;
+ } else {
+ return info->MBEDTLS_PRIVATE(name);
+ }
+}
+
+/**
+ * \brief This function returns the size of the IV or nonce
+ * for the cipher info structure, in bytes.
+ *
+ * \param info The cipher info structure. This may be \c NULL.
+ *
+ * \return The recommended IV size.
+ * \return \c 0 for ciphers not using an IV or a nonce.
+ * \return \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_iv_size(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return 0;
+ }
+
+ return ((size_t) info->MBEDTLS_PRIVATE(iv_size)) << MBEDTLS_IV_SIZE_SHIFT;
+}
+
+/**
+ * \brief This function returns the block size of the given
+ * cipher info structure in bytes.
+ *
+ * \param info The cipher info structure. This may be \c NULL.
+ *
+ * \return The block size of the cipher.
+ * \return \c 1 if the cipher is a stream cipher.
+ * \return \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_block_size(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return 0;
+ }
+
+ return (size_t) (info->MBEDTLS_PRIVATE(block_size));
+}
+
+/**
+ * \brief This function returns a non-zero value if the key length for
+ * the given cipher is variable.
+ *
+ * \param info The cipher info structure. This may be \c NULL.
+ *
+ * \return Non-zero if the key length is variable, \c 0 otherwise.
+ * \return \c 0 if the given pointer is \c NULL.
+ */
+static inline int mbedtls_cipher_info_has_variable_key_bitlen(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return 0;
+ }
+
+ return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
+}
+
+/**
+ * \brief This function returns a non-zero value if the IV size for
+ * the given cipher is variable.
+ *
+ * \param info The cipher info structure. This may be \c NULL.
+ *
+ * \return Non-zero if the IV size is variable, \c 0 otherwise.
+ * \return \c 0 if the given pointer is \c NULL.
+ */
+static inline int mbedtls_cipher_info_has_variable_iv_size(
+ const mbedtls_cipher_info_t *info)
+{
+ if (info == NULL) {
+ return 0;
+ }
+
+ return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_IV_LEN;
+}
+
+/**
+ * \brief This function initializes a \p ctx as NONE.
+ *
+ * \param ctx The context to be initialized. This must not be \c NULL.
+ */
+void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx);
+
+/**
+ * \brief This function frees and clears the cipher-specific
+ * context of \p ctx. Freeing \p ctx itself remains the
+ * responsibility of the caller.
+ *
+ * \param ctx The context to be freed. If this is \c NULL, the
+ * function has no effect, otherwise this must point to an
+ * initialized context.
+ */
+void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
+
+
+/**
+ * \brief This function prepares a cipher context for
+ * use with the given cipher primitive.
+ *
+ * \note After calling this function, you should call
+ * mbedtls_cipher_setkey() and, if the mode uses padding,
+ * mbedtls_cipher_set_padding_mode(), then for each
+ * message to encrypt or decrypt with this key, either:
+ * - mbedtls_cipher_crypt() for one-shot processing with
+ * non-AEAD modes;
+ * - mbedtls_cipher_auth_encrypt_ext() or
+ * mbedtls_cipher_auth_decrypt_ext() for one-shot
+ * processing with AEAD modes or NIST_KW;
+ * - for multi-part processing, see the documentation of
+ * mbedtls_cipher_reset().
+ *
+ * \param ctx The context to prepare. This must be initialized by
+ * a call to mbedtls_cipher_init() first.
+ * \param cipher_info The cipher to use.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ * cipher-specific context fails.
+ */
+int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief This function initializes a cipher context for
+ * PSA-based use with the given cipher primitive.
+ *
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ * Please use psa_aead_xxx() / psa_cipher_xxx() directly
+ * instead.
+ *
+ * \note See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
+ *
+ * \param ctx The context to initialize. May not be \c NULL.
+ * \param cipher_info The cipher to use.
+ * \param taglen For AEAD ciphers, the length in bytes of the
+ * authentication tag to use. Subsequent uses of
+ * mbedtls_cipher_auth_encrypt_ext() or
+ * mbedtls_cipher_auth_decrypt_ext() must provide
+ * the same tag length.
+ * For non-AEAD ciphers, the value must be \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ * cipher-specific context fails.
+ */
+int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info,
+ size_t taglen);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/**
+ * \brief This function returns the block size of the given cipher
+ * in bytes.
+ *
+ * \param ctx The context of the cipher.
+ *
+ * \return The block size of the underlying cipher.
+ * \return \c 1 if the cipher is a stream cipher.
+ * \return \c 0 if \p ctx has not been initialized.
+ */
+static inline unsigned int mbedtls_cipher_get_block_size(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return 0;
+ }
+
+ return (unsigned int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size);
+}
+
+/**
+ * \brief This function returns the mode of operation for
+ * the cipher. For example, MBEDTLS_MODE_CBC.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The mode of operation.
+ * \return #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return MBEDTLS_MODE_NONE;
+ }
+
+ return (mbedtls_cipher_mode_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode);
+}
+
+/**
+ * \brief This function returns the size of the IV or nonce
+ * of the cipher, in Bytes.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The recommended IV size if no IV has been set.
+ * \return \c 0 for ciphers not using an IV or a nonce.
+ * \return The actual size if an IV has been set.
+ */
+static inline int mbedtls_cipher_get_iv_size(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return 0;
+ }
+
+ if (ctx->MBEDTLS_PRIVATE(iv_size) != 0) {
+ return (int) ctx->MBEDTLS_PRIVATE(iv_size);
+ }
+
+ return (int) (((int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size)) <<
+ MBEDTLS_IV_SIZE_SHIFT);
+}
+
+/**
+ * \brief This function returns the type of the given cipher.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The type of the cipher.
+ * \return #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return MBEDTLS_CIPHER_NONE;
+ }
+
+ return (mbedtls_cipher_type_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type);
+}
+
+/**
+ * \brief This function returns the name of the given cipher
+ * as a string.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The name of the cipher.
+ * \return NULL if \p ctx has not been not initialized.
+ */
+static inline const char *mbedtls_cipher_get_name(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return 0;
+ }
+
+ return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name);
+}
+
+/**
+ * \brief This function returns the key length of the cipher.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The key length of the cipher in bits.
+ * \return #MBEDTLS_KEY_LENGTH_NONE if \p ctx has not been
+ * initialized.
+ */
+static inline int mbedtls_cipher_get_key_bitlen(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return MBEDTLS_KEY_LENGTH_NONE;
+ }
+
+ return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen) <<
+ MBEDTLS_KEY_BITLEN_SHIFT;
+}
+
+/**
+ * \brief This function returns the operation of the given cipher.
+ *
+ * \param ctx The context of the cipher. This must be initialized.
+ *
+ * \return The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ * \return #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+ const mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
+ return MBEDTLS_OPERATION_NONE;
+ }
+
+ return ctx->MBEDTLS_PRIVATE(operation);
+}
+
+/**
+ * \brief This function sets the key to use with the given context.
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
+ * \param key The key to use. This must be a readable buffer of at
+ * least \p key_bitlen Bits.
+ * \param key_bitlen The key length to use, in Bits.
+ * \param operation The operation that the key will be used for:
+ * #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key,
+ int key_bitlen,
+ const mbedtls_operation_t operation);
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+/**
+ * \brief This function sets the padding mode, for cipher modes
+ * that use padding.
+ *
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
+ * \param mode The padding mode.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ * if the selected padding mode is not supported.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
+ * does not support padding.
+ */
+int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
+ mbedtls_cipher_padding_t mode);
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+/**
+ * \brief This function sets the initialization vector (IV)
+ * or nonce.
+ *
+ * \note Some ciphers do not use IVs nor nonce. For these
+ * ciphers, this function has no effect.
+ *
+ * \note For #MBEDTLS_CIPHER_CHACHA20, the nonce length must
+ * be 12, and the initial counter value is 0.
+ *
+ * \note For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length
+ * must be 12.
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
+ * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ * must be a readable buffer of at least \p iv_len Bytes.
+ * \param iv_len The IV length for ciphers with variable-size IV.
+ * This parameter is discarded by ciphers with fixed-size IV.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ */
+int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv,
+ size_t iv_len);
+
+/**
+ * \brief This function resets the cipher state.
+ *
+ * \note With non-AEAD ciphers, the order of calls for each message
+ * is as follows:
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
+ * 2. mbedtls_cipher_reset()
+ * 3. mbedtls_cipher_update() one or more times
+ * 4. mbedtls_cipher_finish()
+ * .
+ * This sequence can be repeated to encrypt or decrypt multiple
+ * messages with the same key.
+ *
+ * \note With AEAD ciphers, the order of calls for each message
+ * is as follows:
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
+ * 2. mbedtls_cipher_reset()
+ * 3. mbedtls_cipher_update_ad()
+ * 4. mbedtls_cipher_update() one or more times
+ * 5. mbedtls_cipher_finish()
+ * 6. mbedtls_cipher_check_tag() (for decryption) or
+ * mbedtls_cipher_write_tag() (for encryption).
+ * .
+ * This sequence can be repeated to encrypt or decrypt multiple
+ * messages with the same key.
+ *
+ * \param ctx The generic cipher context. This must be bound to a key.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ */
+int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx);
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief This function adds additional data for AEAD ciphers.
+ * Currently supported with GCM and ChaCha20+Poly1305.
+ *
+ * \param ctx The generic cipher context. This must be initialized.
+ * \param ad The additional data to use. This must be a readable
+ * buffer of at least \p ad_len Bytes.
+ * \param ad_len The length of \p ad in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A specific error code on failure.
+ */
+int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
+ const unsigned char *ad, size_t ad_len);
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief The generic cipher update function. It encrypts or
+ * decrypts using the given cipher context. Writes as
+ * many block-sized blocks of data as possible to output.
+ * Any data that cannot be written immediately is either
+ * added to the next block, or flushed when
+ * mbedtls_cipher_finish() is called.
+ * Exception: For MBEDTLS_MODE_ECB, expects a single block
+ * in size. For example, 16 Bytes for AES.
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the output data. This must be able to
+ * hold at least `ilen + block_size`. This must not be the
+ * same buffer as \p input.
+ * \param olen The length of the output data, to be updated with the
+ * actual number of Bytes written. This must not be
+ * \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
+ * unsupported mode for a cipher.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
+ const unsigned char *input,
+ size_t ilen, unsigned char *output,
+ size_t *olen);
+
+/**
+ * \brief The generic cipher finalization function. If data still
+ * needs to be flushed from an incomplete block, the data
+ * contained in it is padded to the size of
+ * the last block, and written to the \p output buffer.
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param output The buffer to write data to. This needs to be a writable
+ * buffer of at least block_size Bytes.
+ * \param olen The length of the data written to the \p output buffer.
+ * This may not be \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ * expecting a full block but not receiving one.
+ * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ * while decrypting.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output, size_t *olen);
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief This function writes a tag for AEAD ciphers.
+ * Currently supported with GCM and ChaCha20+Poly1305.
+ * This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx The generic cipher context. This must be initialized,
+ * bound to a key, and have just completed a cipher
+ * operation through mbedtls_cipher_finish() the tag for
+ * which should be written.
+ * \param tag The buffer to write the tag to. This must be a writable
+ * buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the tag to write.
+ *
+ * \return \c 0 on success.
+ * \return A specific error code on failure.
+ */
+int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
+ unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function checks the tag for AEAD ciphers.
+ * Currently supported with GCM and ChaCha20+Poly1305.
+ * This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx The generic cipher context. This must be initialized.
+ * \param tag The buffer holding the tag. This must be a readable
+ * buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the tag to check.
+ *
+ * \return \c 0 on success.
+ * \return A specific error code on failure.
+ */
+int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
+ const unsigned char *tag, size_t tag_len);
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief The generic all-in-one encryption/decryption function,
+ * for all ciphers except AEAD constructs.
+ *
+ * \param ctx The generic cipher context. This must be initialized.
+ * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * This must be a readable buffer of at least \p iv_len
+ * Bytes.
+ * \param iv_len The IV length for ciphers with variable-size IV.
+ * This parameter is discarded by ciphers with fixed-size
+ * IV.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The buffer for the output data. This must be able to
+ * hold at least `ilen + block_size`. This must not be the
+ * same buffer as \p input.
+ * \param olen The length of the output data, to be updated with the
+ * actual number of Bytes written. This must not be
+ * \c NULL.
+ *
+ * \note Some ciphers do not use IVs nor nonce. For these
+ * ciphers, use \p iv = NULL and \p iv_len = 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ * expecting a full block but not receiving one.
+ * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ * while decrypting.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen);
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/**
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note For AEAD modes, the tag will be appended to the
+ * ciphertext, as recommended by RFC 5116.
+ * (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and may be \c NULL if \p
+ * iv_len is \c 0.
+ * \param iv_len The length of the nonce. For AEAD ciphers, this must
+ * satisfy the constraints imposed by the cipher used.
+ * For NIST_KW, this must be \c 0.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
+ * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p output_len Bytes, and
+ * must not be \c NULL.
+ * \param output_len The length of the \p output buffer in Bytes. For AEAD
+ * ciphers, this must be at least \p ilen + \p tag_len.
+ * For NIST_KW, this must be at least \p ilen + 8
+ * (rounded up to a multiple of 8 if KWP is used);
+ * \p ilen + 15 is always a safe value.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
+ * \param tag_len The desired length of the authentication tag. For AEAD
+ * ciphers, this must match the constraints imposed by
+ * the cipher used, and in particular must not be \c 0.
+ * For NIST_KW, this must be \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len);
+
+/**
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note If the data is not authentic, then the output buffer
+ * is zeroed out to prevent the unauthentic plaintext being
+ * used, making this interface safer.
+ *
+ * \note For AEAD modes, the tag must be appended to the
+ * ciphertext, as recommended by RFC 5116.
+ * (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and may be \c NULL if \p
+ * iv_len is \c 0.
+ * \param iv_len The length of the nonce. For AEAD ciphers, this must
+ * satisfy the constraints imposed by the cipher used.
+ * For NIST_KW, this must be \c 0.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
+ * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
+ * \param ilen The length of the input data. For AEAD ciphers this
+ * must be at least \p tag_len. For NIST_KW this must be
+ * at least \c 8.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p output_len Bytes, and
+ * may be \c NULL if \p output_len is \c 0.
+ * \param output_len The length of the \p output buffer in Bytes. For AEAD
+ * ciphers, this must be at least \p ilen - \p tag_len.
+ * For NIST_KW, this must be at least \p ilen - 8.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
+ * \param tag_len The actual length of the authentication tag. For AEAD
+ * ciphers, this must match the constraints imposed by
+ * the cipher used, and in particular must not be \c 0.
+ * For NIST_KW, this must be \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len);
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_H */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/cmac.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/cmac.h
new file mode 100644
index 0000000..97b86fc
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/cmac.h
@@ -0,0 +1,246 @@
+/**
+ * \file cmac.h
+ *
+ * \brief This file contains CMAC definitions and functions.
+ *
+ * The Cipher-based Message Authentication Code (CMAC) Mode for
+ * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
+ * It is supported with AES and DES.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CMAC_H
+#define MBEDTLS_CMAC_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MBEDTLS_AES_BLOCK_SIZE 16
+#define MBEDTLS_DES3_BLOCK_SIZE 8
+
+/* We don't support Camellia or ARIA in this module */
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 16 /**< The longest block used by CMAC is that of AES. */
+#else
+#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 8 /**< The longest block used by CMAC is that of 3DES. */
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/** The longest block supported by the cipher module.
+ *
+ * \deprecated
+ * For the maximum block size of a cipher supported by the CMAC module,
+ * use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
+ * For the maximum block size of a cipher supported by the cipher module,
+ * use #MBEDTLS_MAX_BLOCK_LENGTH.
+ */
+/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
+ * module, so it didn't take Camellia or ARIA into account. Since the name
+ * of the macro doesn't even convey "CMAC", this was misleading. Now the size
+ * is sufficient for any cipher, but the name is defined in cmac.h for
+ * backward compatibility. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/**
+ * The CMAC context structure.
+ */
+struct mbedtls_cmac_context_t {
+ /** The internal state of the CMAC algorithm. */
+ unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ /** Unprocessed data - either data that was not block aligned and is still
+ * pending processing, or the final block. */
+ unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ /** The length of data pending processing. */
+ size_t MBEDTLS_PRIVATE(unprocessed_len);
+};
+
+#else /* !MBEDTLS_CMAC_ALT */
+#include "cmac_alt.h"
+#endif /* !MBEDTLS_CMAC_ALT */
+
+/**
+ * \brief This function starts a new CMAC computation
+ * by setting the CMAC key, and preparing to authenticate
+ * the input data.
+ * It must be called with an initialized cipher context.
+ *
+ * Once this function has completed, data can be supplied
+ * to the CMAC computation by calling
+ * mbedtls_cipher_cmac_update().
+ *
+ * To start a CMAC computation using the same key as a previous
+ * CMAC computation, use mbedtls_cipher_cmac_finish().
+ *
+ * \note When the CMAC implementation is supplied by an alternate
+ * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ * may not be supported by that implementation, and thus
+ * return an error. Alternate implementations must support
+ * AES-128 and AES-256, and may support AES-192 and 3DES.
+ *
+ * \param ctx The cipher context used for the CMAC operation, initialized
+ * as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
+ * MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
+ * or MBEDTLS_CIPHER_DES_EDE3_ECB.
+ * \param key The CMAC key.
+ * \param keybits The length of the CMAC key in bits.
+ * Must be supported by the cipher.
+ *
+ * \return \c 0 on success.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key, size_t keybits);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing CMAC
+ * computation.
+ *
+ * The CMAC computation must have previously been started
+ * by calling mbedtls_cipher_cmac_starts() or
+ * mbedtls_cipher_cmac_reset().
+ *
+ * Call this function as many times as needed to input the
+ * data to be authenticated.
+ * Once all of the required data has been input,
+ * call mbedtls_cipher_cmac_finish() to obtain the result
+ * of the CMAC operation.
+ *
+ * \param ctx The cipher context used for the CMAC operation.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
+ const unsigned char *input, size_t ilen);
+
+/**
+ * \brief This function finishes an ongoing CMAC operation, and
+ * writes the result to the output buffer.
+ *
+ * It should be followed either by
+ * mbedtls_cipher_cmac_reset(), which starts another CMAC
+ * operation with the same key, or mbedtls_cipher_free(),
+ * which clears the cipher context.
+ *
+ * \param ctx The cipher context used for the CMAC operation.
+ * \param output The output buffer for the CMAC checksum result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output);
+
+/**
+ * \brief This function starts a new CMAC operation with the same
+ * key as the previous one.
+ *
+ * It should be called after finishing the previous CMAC
+ * operation with mbedtls_cipher_cmac_finish().
+ * After calling this function,
+ * call mbedtls_cipher_cmac_update() to supply the new
+ * CMAC operation with data.
+ *
+ * \param ctx The cipher context used for the CMAC operation.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx);
+
+/**
+ * \brief This function calculates the full generic CMAC
+ * on the input buffer with the provided key.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The CMAC result is calculated as
+ * output = generic CMAC(cmac key, input buffer).
+ *
+ * \note When the CMAC implementation is supplied by an alternate
+ * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ * may not be supported by that implementation, and thus
+ * return an error. Alternate implementations must support
+ * AES-128 and AES-256, and may support AES-192 and 3DES.
+ *
+ * \param cipher_info The cipher information.
+ * \param key The CMAC key.
+ * \param keylen The length of the CMAC key in bits.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the generic CMAC result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * if parameter verification fails.
+ */
+int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output);
+
+#if defined(MBEDTLS_AES_C)
+/**
+ * \brief This function implements the AES-CMAC-PRF-128 pseudorandom
+ * function, as defined in
+ * <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
+ * Message Authentication Code-Pseudo-Random Function-128
+ * (AES-CMAC-PRF-128) Algorithm for the Internet Key
+ * Exchange Protocol (IKE).</em>
+ *
+ * \param key The key to use.
+ * \param key_len The key length in Bytes.
+ * \param input The buffer holding the input data.
+ * \param in_len The length of the input data in Bytes.
+ * \param output The buffer holding the generated 16 Bytes of
+ * pseudorandom output.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_len,
+ const unsigned char *input, size_t in_len,
+ unsigned char output[16]);
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_SELF_TEST) && (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C))
+/**
+ * \brief The CMAC checkup routine.
+ *
+ * \note In case the CMAC routines are provided by an alternative
+ * implementation (i.e. #MBEDTLS_CMAC_ALT is defined), the
+ * checkup routine will succeed even if the implementation does
+ * not support the less widely used AES-192 or 3DES primitives.
+ * The self-test requires at least AES-128 and AES-256 to be
+ * supported by the underlying implementation.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_cmac_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CMAC_H */
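Review bot: The doc comment on `mbedtls_cipher_cmac_starts()` tells callers to use `mbedtls_cipher_cmac_finish()` to begin another computation with the same key, but the function this header documents for that purpose is `mbedtls_cipher_cmac_reset()`; the sentence should end `use mbedtls_cipher_cmac_reset().` The `output` parameter of `mbedtls_cipher_cmac_finish()` and `mbedtls_cipher_cmac()` states no size, whereas `mbedtls_aes_cmac_prf_128()` declares `output[16]`. The implementation is not in this hunk, so presumably one cipher block is written; if so, document it as `This must be a writable buffer of at least the cipher's block size (at most #MBEDTLS_CMAC_MAX_BLOCK_SIZE Bytes).`, because an undersized caller buffer would be an out-of-bounds write. Finally, `keylen` in `mbedtls_cipher_cmac()` is in bits while `key_len` in `mbedtls_aes_cmac_prf_128()` is in Bytes; naming the former `keybits`, as `mbedtls_cipher_cmac_starts()` does, would make a unit mix-up less likely.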
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h
new file mode 100644
index 0000000..04bdae6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -0,0 +1,892 @@
+/**
+ * \file mbedtls/config_adjust_legacy_from_psa.h
+ * \brief Adjust PSA configuration: activate legacy implementations
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations
+ * of cryptographic mechanisms as needed to fulfill the needs of the PSA
+ * configuration. Generally speaking, we activate a legacy mechanism if
+ * it's needed for a requested PSA mechanism and there is no PSA driver
+ * for it.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
+#define MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+/* Define appropriate ACCEL macros for the p256-m driver.
+ * In the future, those should be generated from the drivers JSON description.
+ */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256
+#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+#define MBEDTLS_PSA_ACCEL_ALG_ECDH
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+#endif
+
+/*
+ * ECC: support for a feature is controlled by a triplet or a pair:
+ * (curve, key_type public/basic, alg) or (curve, key_type_<action>).
+ *
+ * A triplet/pair is accelerated if all of is components are accelerated;
+ * otherwise each component needs to be built in.
+ *
+ * We proceed in two passes:
+ * 1. Check if acceleration is complete for curves, key types, algs.
+ * 2. Then enable built-ins for each thing that's either not accelerated of
+ * doesn't have complete acceleration of the other triplet/pair components.
+ *
+ * Note: this needs psa/crypto_adjust_keypair_types.h to have been included
+ * already, so that we know the full set of key types that are requested.
+ */
+
+/* ECC: curves: is acceleration complete? */
+#if (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \
+ !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)) || \
+ (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \
+ !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)) || \
+ (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \
+ !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)) || \
+ (defined(PSA_WANT_ECC_SECP_R1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)) || \
+ (defined(PSA_WANT_ECC_SECP_R1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)) || \
+ (defined(PSA_WANT_ECC_SECP_R1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)) || \
+ (defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \
+ (defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \
+ (defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \
+ (defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \
+ (defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
+#endif
+
+#if (defined(PSA_WANT_ECC_MONTGOMERY_255) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)) || \
+ (defined(PSA_WANT_ECC_MONTGOMERY_448) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
+#endif
+
+/* ECC: algs: is acceleration complete? */
+#if (defined(PSA_WANT_ALG_ECDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)) || \
+ (defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)) || \
+ (defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)) || \
+ (defined(PSA_WANT_ALG_JPAKE) && !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
+#endif
+
+/* ECC: key types: is acceleration complete? */
+#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
+#endif
+
+/* Special case: we don't support cooked key derivation in drivers yet */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#endif
+
+/* Note: the condition about key derivation is always true as DERIVE can't be
+ * accelerated yet */
+#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) || \
+ (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#endif
+
+/* ECC: curves: enable built-ins as needed.
+ *
+ * We need the curve built-in:
+ * - if it's not accelerated, or
+ * - if there's a key type with missing acceleration, or
+ * - if there's a alg with missing acceleration.
+ */
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_192 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_224)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_224 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_256 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_384 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_521 */
+
+#if defined(PSA_WANT_ECC_SECP_K1_192)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_K1_192 */
+
+#if defined(PSA_WANT_ECC_SECP_K1_224)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+/* https://github.com/Mbed-TLS/mbedtls/issues/3541 */
+#error "SECP224K1 is buggy via the PSA API in Mbed TLS."
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_K1_224 */
+
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_K1_256 */
+
+/* ECC: algs: enable built-ins as needed.
+ *
+ * We need the alg built-in:
+ * - if it's not accelerated, or
+ * - if there's a relevant curve (see below) with missing acceleration, or
+ * - if there's a key type among (public, basic) with missing acceleration.
+ *
+ * Relevant curves are:
+ * - all curves for ECDH
+ * - Weierstrass curves for (deterministic) ECDSA
+ * - secp256r1 for EC J-PAKE
+ */
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
+
+#if defined(PSA_WANT_ALG_ECDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_ECDH */
+
+#if defined(PSA_WANT_ALG_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_ECDSA */
+
+#if defined(PSA_WANT_ALG_JPAKE)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) || \
+ !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_PAKE 1
+#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECJPAKE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_JPAKE */
+
+/* ECC: key types: enable built-ins as needed.
+ *
+ * We need the key type built-in:
+ * - if it's not accelerated, or
+ * - if there's a curve with missing acceleration, or
+ * - only for public/basic: if there's an alg with missing acceleration.
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+#endif /* missing accel */
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_ECP_LIGHT
+#define MBEDTLS_BIGNUM_C
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif
+
+/* End of ECC section */
+
+/*
+ * DH key types follow the same pattern used above for EC keys. They are defined
+ * by a triplet (group, key_type, alg). A triplet is accelerated if all its
+ * component are accelerated, otherwise each component needs to be builtin.
+ */
+
+/* DH: groups: is acceleration complete? */
+#if (defined(PSA_WANT_DH_RFC7919_2048) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)) || \
+ (defined(PSA_WANT_DH_RFC7919_3072) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)) || \
+ (defined(PSA_WANT_DH_RFC7919_4096) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)) || \
+ (defined(PSA_WANT_DH_RFC7919_6144) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)) || \
+ (defined(PSA_WANT_DH_RFC7919_8192) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192))
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS
+#endif
+
+/* DH: algs: is acceleration complete? */
+#if defined(PSA_WANT_ALG_FFDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS
+#endif
+
+/* DH: key types: is acceleration complete? */
+#if (defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)) || \
+ (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)) || \
+ (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)) || \
+ (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)) || \
+ (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) && \
+ !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE))
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_2048)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+
+#if defined(PSA_WANT_DH_RFC7919_3072)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+
+#if defined(PSA_WANT_DH_RFC7919_4096)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+
+#if defined(PSA_WANT_DH_RFC7919_6144)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+
+#if defined(PSA_WANT_DH_RFC7919_8192)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+#endif /* PSA_WANT_DH_RFC7919_8192 */
+
+#if defined(PSA_WANT_ALG_FFDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
+#endif /* PSA_WANT_ALG_FFDH */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+ defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
+
+/* End of DH section */
+
+#if defined(PSA_WANT_ALG_HKDF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
+#endif /* PSA_WANT_ALG_HKDF */
+
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
+#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
+
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
+#endif /* PSA_WANT_ALG_HKDF_EXPAND */
+
+#if defined(PSA_WANT_ALG_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* PSA_WANT_ALG_HMAC */
+
+#if defined(PSA_WANT_ALG_MD5) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
+#define MBEDTLS_MD5_C
+#endif
+
+#if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
+#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
+#define MBEDTLS_RIPEMD160_C
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */
+#endif /* PSA_WANT_ALG_RSA_OAEP */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
+
+#if defined(PSA_WANT_ALG_RSA_PSS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */
+#endif /* PSA_WANT_ALG_RSA_PSS */
+
+#if defined(PSA_WANT_ALG_SHA_1) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
+#define MBEDTLS_SHA1_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
+#define MBEDTLS_SHA224_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
+#define MBEDTLS_SHA384_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
+#define MBEDTLS_SHA512_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
+#define PSA_HAVE_SOFT_PBKDF2_HMAC 1
+#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+
+#if defined(PSA_WANT_ALG_TLS12_PRF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF */
+#endif /* PSA_WANT_ALG_TLS12_PRF */
+
+#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
+#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
+
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */
+#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+#define MBEDTLS_GENPRIME
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
+
+/* If any of the block modes are requested that don't have an
+ * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking
+ * in the block cipher key types. */
+#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
+ (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
+ (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
+ (defined(PSA_WANT_ALG_ECB_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)) || \
+ (defined(PSA_WANT_ALG_CBC_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
+ (defined(PSA_WANT_ALG_CBC_PKCS7) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \
+ (defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC))
+#define PSA_HAVE_SOFT_BLOCK_MODE 1
+#endif
+
+#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 1
+#define PSA_HAVE_SOFT_PBKDF2_CMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128 */
+#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+#if defined(PSA_WANT_KEY_TYPE_AES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
+#define MBEDTLS_AES_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_AES */
+
+#if defined(PSA_WANT_KEY_TYPE_ARIA)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
+#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
+#define MBEDTLS_ARIA_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_ARIA */
+
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
+ defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
+#define MBEDTLS_CAMELLIA_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES)
+#define PSA_HAVE_SOFT_KEY_TYPE_DES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+ defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
+#define MBEDTLS_DES_C
+#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_DES */
+
+#if defined(PSA_WANT_ALG_STREAM_CIPHER)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif /* MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER */
+#endif /* PSA_WANT_ALG_STREAM_CIPHER */
+
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+#define MBEDTLS_CHACHA20_C
+#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+
+/* If any of the software block ciphers are selected, define
+ * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these
+ * situations. */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
+#endif
+
+#if defined(PSA_WANT_ALG_CBC_MAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
+#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_MAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_CBC_MAC */
+#endif /* PSA_WANT_ALG_CBC_MAC */
+
+#if defined(PSA_WANT_ALG_CMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
+#define MBEDTLS_CMAC_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */
+#endif /* PSA_WANT_ALG_CMAC */
+
+#if defined(PSA_HAVE_SOFT_PBKDF2_HMAC) || \
+ defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
+#define PSA_HAVE_SOFT_PBKDF2 1
+#endif /* PSA_HAVE_SOFT_PBKDF2_HMAC || PSA_HAVE_SOFT_PBKDF2_CMAC */
+
+#if defined(PSA_WANT_ALG_CTR)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
+#define MBEDTLS_CIPHER_MODE_CTR
+#endif
+#endif /* PSA_WANT_ALG_CTR */
+
+#if defined(PSA_WANT_ALG_CFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
+#define MBEDTLS_CIPHER_MODE_CFB
+#endif
+#endif /* PSA_WANT_ALG_CFB */
+
+#if defined(PSA_WANT_ALG_OFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
+#define MBEDTLS_CIPHER_MODE_OFB
+#endif
+#endif /* PSA_WANT_ALG_OFB */
+
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
+#endif
+
+#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
+#endif
+#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
+
+#if defined(PSA_WANT_ALG_CBC_PKCS7)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \
+ defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#endif /* PSA_WANT_ALG_CBC_PKCS7 */
+
+#if defined(PSA_WANT_ALG_CCM)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
+#define MBEDTLS_CCM_C
+#endif
+#endif /* PSA_WANT_ALG_CCM */
+
+#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
+#define MBEDTLS_CCM_C
+#endif
+#endif /* PSA_WANT_ALG_CCM_STAR_NO_TAG */
+
+#if defined(PSA_WANT_ALG_GCM)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
+#define MBEDTLS_GCM_C
+#endif
+#endif /* PSA_WANT_ALG_GCM */
+
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305)
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#define MBEDTLS_CHACHAPOLY_C
+#define MBEDTLS_CHACHA20_C
+#define MBEDTLS_POLY1305_C
+#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 */
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+
+#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_psa_superset_legacy.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_psa_superset_legacy.h
new file mode 100644
index 0000000..ef65cce
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_adjust_psa_superset_legacy.h
@@ -0,0 +1,152 @@
+/**
+ * \file mbedtls/config_adjust_psa_superset_legacy.h
+ * \brief Adjust PSA configuration: automatic enablement from legacy
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * To simplify some edge cases, we automatically enable certain cryptographic
+ * mechanisms in the PSA API if they are enabled in the legacy API. The general
+ * idea is that if legacy module M uses mechanism A internally, and A has
+ * both a legacy and a PSA implementation, we enable A through PSA whenever
+ * it's enabled through legacy. This facilitates the transition to PSA
+ * implementations of A for users of M.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
+#define MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+/****************************************************************/
+/* Hashes that are built in are also enabled in PSA.
+ * This simplifies dependency declarations especially
+ * for modules that obey MBEDTLS_USE_PSA_CRYPTO. */
+/****************************************************************/
+
+#if defined(MBEDTLS_MD5_C)
+#define PSA_WANT_ALG_MD5 1
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#define PSA_WANT_ALG_RIPEMD160 1
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#define PSA_WANT_ALG_SHA_1 1
+#endif
+
+#if defined(MBEDTLS_SHA224_C)
+#define PSA_WANT_ALG_SHA_224 1
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
+#if defined(MBEDTLS_SHA384_C)
+#define PSA_WANT_ALG_SHA_384 1
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#define PSA_WANT_ALG_SHA_512 1
+#endif
+
+#if defined(MBEDTLS_SHA3_C)
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#endif
+
+/* Ensure that the PSA's supported curves (PSA_WANT_ECC_xxx) are always a
+ * superset of the builtin ones (MBEDTLS_ECP_DP_xxx). */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
+#endif /*MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if !defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define PSA_WANT_ECC_MONTGOMERY_255 1
+#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#if !defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define PSA_WANT_ECC_MONTGOMERY_448 1
+#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_192)
+#define PSA_WANT_ECC_SECP_R1_192 1
+#endif /* PSA_WANT_ECC_SECP_R1_192 */
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_224)
+#define PSA_WANT_ECC_SECP_R1_224 1
+#endif /* PSA_WANT_ECC_SECP_R1_224 */
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_256)
+#define PSA_WANT_ECC_SECP_R1_256 1
+#endif /* PSA_WANT_ECC_SECP_R1_256 */
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_384)
+#define PSA_WANT_ECC_SECP_R1_384 1
+#endif /* PSA_WANT_ECC_SECP_R1_384 */
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_521)
+#define PSA_WANT_ECC_SECP_R1_521 1
+#endif /* PSA_WANT_ECC_SECP_R1_521 */
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_K1_192)
+#define PSA_WANT_ECC_SECP_K1_192 1
+#endif /* PSA_WANT_ECC_SECP_K1_192 */
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
+#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_K1_224)
+#define PSA_WANT_ECC_SECP_K1_224 1
+#endif /* PSA_WANT_ECC_SECP_K1_224 */
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_K1_256)
+#define PSA_WANT_ECC_SECP_K1_256 1
+#endif /* PSA_WANT_ECC_SECP_K1_256 */
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#endif /* MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H */
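Review bot: The hash block at the top of this new header defines `PSA_WANT_ALG_MD5`, `PSA_WANT_ALG_RIPEMD160`, `PSA_WANT_ALG_SHA_1` and the SHA-2/SHA-3 symbols with no `#if !defined(...)` guard, while every curve define below it is guarded. Beyond the inconsistency, a build that keeps `MBEDTLS_MD5_C` or `MBEDTLS_SHA1_C` only for a legacy consumer also gets those digests enabled on the PSA side, which is easy to miss when auditing the enabled algorithm set. I would guard each define the way the curves are, e.g. `#if defined(MBEDTLS_MD5_C) && !defined(PSA_WANT_ALG_MD5)`, and add a comment above the block such as `/* Side effect: MD5, RIPEMD-160 and SHA-1 become available through PSA whenever their legacy module is built. */`. Separately, the SECP224K1 block is compiled out with `#if 0 &&`, so the preceding "always a superset" comment does not hold for that curve and could say so.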
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h
new file mode 100644
index 0000000..5f3d0f3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/config_psa.h
@@ -0,0 +1,61 @@
+/**
+ * \file mbedtls/config_psa.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ * This set of compile-time options takes settings defined in
+ * include/mbedtls/mbedtls_config.h and include/psa/crypto_config.h and uses
+ * those definitions to define symbols used in the library code.
+ *
+ * Users and integrators should not edit this file, please edit
+ * include/mbedtls/mbedtls_config.h for MBEDTLS_XXX settings or
+ * include/psa/crypto_config.h for PSA_WANT_XXX settings.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_PSA_H
+#define MBEDTLS_CONFIG_PSA_H
+
+#include "psa/crypto_legacy.h"
+
+#include "psa/crypto_adjust_config_synonyms.h"
+
+#include "psa/crypto_adjust_config_dependencies.h"
+
+#include "mbedtls/config_adjust_psa_superset_legacy.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+
+/* Require built-in implementations based on PSA requirements */
+
+/* We need this to have a complete list of requirements
+ * before we deduce what built-ins are required. */
+#include "psa/crypto_adjust_config_key_pair_types.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/* If we are implementing PSA crypto ourselves, then we want to enable the
+ * required built-ins. Otherwise, PSA features will be provided by the server. */
+#include "mbedtls/config_adjust_legacy_from_psa.h"
+#endif
+
+#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+/* Infer PSA requirements from Mbed TLS capabilities */
+
+#include "mbedtls/config_adjust_psa_from_legacy.h"
+
+/* Hopefully the file above will have enabled keypair symbols in a consistent
+ * way, but including this here fixes them if that wasn't the case. */
+#include "psa/crypto_adjust_config_key_pair_types.h"
+
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+#if defined(PSA_WANT_ALG_JPAKE)
+#define PSA_WANT_ALG_SOME_PAKE 1
+#endif
+
+#include "psa/crypto_adjust_auto_enabled.h"
+
+#endif /* MBEDTLS_CONFIG_PSA_H */
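Review bot: The file header still tells integrators to edit `include/mbedtls/mbedtls_config.h` and `include/psa/crypto_config.h`, but this copy is created under `tf-psa-crypto/drivers/builtin/include/`. If the configuration headers are relocated in the same reorganisation (not visible in this hunk), those paths now point at the wrong place and should be updated or given as include names only, e.g. `mbedtls/mbedtls_config.h`. As a smaller style point, the two inner conditionals close with a bare `#endif` while every other conditional in the file is labelled; `#endif /* MBEDTLS_PSA_CRYPTO_C */` and `#endif /* PSA_WANT_ALG_JPAKE */` would match.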
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/constant_time.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/constant_time.h
new file mode 100644
index 0000000..d31bff6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/constant_time.h
@@ -0,0 +1,36 @@
+/**
+ * Constant-time functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_H
+#define MBEDTLS_CONSTANT_TIME_H
+
+#include <stddef.h>
+
+/** Constant-time buffer comparison without branches.
+ *
+ * This is equivalent to the standard memcmp function, but is likely to be
+ * compiled to code using bitwise operations rather than a branch, such that
+ * the time taken is constant w.r.t. the data pointed to by \p a and \p b,
+ * and w.r.t. whether \p a and \p b are equal or not. It is not constant-time
+ * w.r.t. \p n .
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * \param a Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
+ * \param b Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
+ * \param n The number of bytes to compare.
+ *
+ * \return Zero if the contents of the two buffers are the same,
+ * otherwise non-zero.
+ */
+int mbedtls_ct_memcmp(const void *a,
+ const void *b,
+ size_t n);
+
+#endif /* MBEDTLS_CONSTANT_TIME_H */
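Review bot: The declaration of `mbedtls_ct_memcmp` is not wrapped in an `extern "C"` block, unlike `ctr_drbg.h` and `des.h` added in the same commit, so a C++ translation unit including this header directly would reference a mangled symbol. It should get the usual `#ifdef __cplusplus` / `extern "C" {` / `#endif` pair around the prototype. The comment also calls the function "equivalent to the standard memcmp", while the `\return` text promises only zero or non-zero. A sentence such as `The sign of a non-zero result carries no ordering information.` would stop callers from using it as a drop-in for ordered comparison. The header also lacks the `\file` line the neighbouring headers carry.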
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ctr_drbg.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ctr_drbg.h
new file mode 100644
index 0000000..c00756d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ctr_drbg.h
@@ -0,0 +1,582 @@
+/**
+ * \file ctr_drbg.h
+ *
+ * \brief This file contains definitions and functions for the
+ * CTR_DRBG pseudorandom generator.
+ *
+ * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ * Recommendation for Random Number Generation Using Deterministic Random
+ * Bit Generators</em>.
+ *
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
+ * as the underlying block cipher, with a derivation function.
+ *
+ * The security strength as defined in NIST SP 800-90A is
+ * 128 bits when AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
+ * and 256 bits otherwise, provided that #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
+ * kept at its default value (and not overridden in mbedtls_config.h) and that the
+ * DRBG instance is set up with default parameters.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more
+ * information.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CTR_DRBG_H
+#define MBEDTLS_CTR_DRBG_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+/* In case AES_C is defined then it is the primary option for backward
+ * compatibility purposes. If that's not available, PSA is used instead */
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#else
+#include "psa/crypto.h"
+#endif
+
+#include "entropy.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/** The entropy source failed. */
+#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034
+/** The requested random buffer length is too big. */
+#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036
+/** The input (entropy + additional data) is too large. */
+#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038
+/** Read or write error in file. */
+#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A
+
+#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< The block size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE 16
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 16 bytes (128 bits)
+ * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
+ */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE 32
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 32 bytes (256 bits)
+ * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
+ */
+#endif
+
+#define MBEDTLS_CTR_DRBG_KEYBITS (MBEDTLS_CTR_DRBG_KEYSIZE * 8) /**< The key size for the DRBG operation, in bits. */
+#define MBEDTLS_CTR_DRBG_SEEDLEN (MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE) /**< The seed length, calculated as (counter + AES key). */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h or define them using the compiler command
+ * line.
+ * \{
+ */
+
+/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
+ *
+ * \brief The amount of entropy used per seed by default, in bytes.
+ */
+#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+/** This is 48 bytes because the entropy module uses SHA-512.
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
+
+#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+
+/** This is 32 bytes because the entropy module uses SHA-256.
+ */
+#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+/** \warning To achieve a 256-bit security strength, you must pass a nonce
+ * to mbedtls_ctr_drbg_seed().
+ */
+#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32
+#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
+
+#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
+/**< The interval before reseed is performed by default. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_INPUT 256
+/**< The maximum number of additional input Bytes. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
+#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024
+/**< The maximum number of requested Bytes per call. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
+/**< The maximum size of seed or reseed buffer in bytes. */
+#endif
+
+/** \} name SECTION: Module settings */
+
+#define MBEDTLS_CTR_DRBG_PR_OFF 0
+/**< Prediction resistance is disabled. */
+#define MBEDTLS_CTR_DRBG_PR_ON 1
+/**< Prediction resistance is enabled. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+/** The default length of the nonce read from the entropy source.
+ *
+ * This is \c 0 because a single read from the entropy source is sufficient
+ * to include a nonce.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more information.
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN 0
+#else
+/** The default length of the nonce read from the entropy source.
+ *
+ * This is half of the default entropy length because a single read from
+ * the entropy source does not provide enough material to form a nonce.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more information.
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2
+#endif
+
+#if !defined(MBEDTLS_AES_C)
+typedef struct mbedtls_ctr_drbg_psa_context {
+ mbedtls_svc_key_id_t key_id;
+ psa_cipher_operation_t operation;
+} mbedtls_ctr_drbg_psa_context;
+#endif
+
+/**
+ * \brief The CTR_DRBG context structure.
+ */
+typedef struct mbedtls_ctr_drbg_context {
+ unsigned char MBEDTLS_PRIVATE(counter)[16]; /*!< The counter (V). */
+ int MBEDTLS_PRIVATE(reseed_counter); /*!< The reseed counter.
+ * This is the number of requests that have
+ * been made since the last (re)seeding,
+ * minus one.
+ * Before the initial seeding, this field
+ * contains the amount of entropy in bytes
+ * to use as a nonce for the initial seeding,
+ * or -1 if no nonce length has been explicitly
+ * set (see mbedtls_ctr_drbg_set_nonce_len()).
+ */
+ int MBEDTLS_PRIVATE(prediction_resistance); /*!< This determines whether prediction
+ resistance is enabled, that is
+ whether to systematically reseed before
+ each random generation. */
+ size_t MBEDTLS_PRIVATE(entropy_len); /*!< The amount of entropy grabbed on each
+ seed or reseed operation, in bytes. */
+ int MBEDTLS_PRIVATE(reseed_interval); /*!< The reseed interval.
+ * This is the maximum number of requests
+ * that can be made between reseedings. */
+
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
+#else
+ mbedtls_ctr_drbg_psa_context MBEDTLS_PRIVATE(psa_ctx); /*!< The PSA context. */
+#endif
+
+ /*
+ * Callbacks (Entropy)
+ */
+ int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t);
+ /*!< The entropy callback function. */
+
+ void *MBEDTLS_PRIVATE(p_entropy); /*!< The context for the entropy function. */
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
+ * This means that the mutex is initialized during the initial seeding
+ * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
+ *
+ * Note that this invariant may change without notice. Do not rely on it
+ * and do not access the mutex directly in application code.
+ */
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
+#endif
+}
+mbedtls_ctr_drbg_context;
+
+/**
+ * \brief This function initializes the CTR_DRBG context,
+ * and prepares it for mbedtls_ctr_drbg_seed()
+ * or mbedtls_ctr_drbg_free().
+ *
+ * \note The reseed interval is
+ * #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
+ * You can override it by calling
+ * mbedtls_ctr_drbg_set_reseed_interval().
+ *
+ * \param ctx The CTR_DRBG context to initialize.
+ */
+void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx);
+
+/**
+ * \brief This function seeds and sets up the CTR_DRBG
+ * entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ * with mbedtls_entropy_init() (which registers the platform's default
+ * entropy sources).
+ *
+ * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ *
+ * The entropy nonce length is:
+ * - \c 0 if the entropy length is at least 3/2 times the entropy length,
+ * which guarantees that the security strength is the maximum permitted
+ * by the key size and entropy length according to NIST SP 800-90A §10.2.1;
+ * - Half the entropy length otherwise.
+ * You can override it by calling mbedtls_ctr_drbg_set_nonce_len().
+ * With the default entropy length, the entropy nonce length is
+ * #MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.
+ *
+ * You can provide a nonce and personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ * See SP 800-90A §8.6.7 for more details about nonces.
+ *
+ * The _seed_material_ value passed to the derivation function in
+ * the CTR_DRBG Instantiate Process described in NIST SP 800-90A §10.2.1.3.2
+ * is the concatenation of the following strings:
+ * - A string obtained by calling \p f_entropy function for the entropy
+ * length.
+ */
+#if MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN == 0
+/**
+ * - If mbedtls_ctr_drbg_set_nonce_len() has been called, a string
+ * obtained by calling \p f_entropy function for the specified length.
+ */
+#else
+/**
+ * - A string obtained by calling \p f_entropy function for the entropy nonce
+ * length. If the entropy nonce length is \c 0, this function does not
+ * make a second call to \p f_entropy.
+ */
+#endif
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * - The \p custom string.
+ *
+ * \note To achieve the nominal security strength permitted
+ * by CTR_DRBG, the entropy length must be:
+ * - at least 16 bytes for a 128-bit strength
+ * (maximum achievable strength when using AES-128);
+ * - at least 32 bytes for a 256-bit strength
+ * (maximum achievable strength when using AES-256).
+ *
+ * In addition, if you do not pass a nonce in \p custom,
+ * the sum of the entropy length
+ * and the entropy nonce length must be:
+ * - at least 24 bytes for a 128-bit strength
+ * (maximum achievable strength when using AES-128);
+ * - at least 48 bytes for a 256-bit strength
+ * (maximum achievable strength when using AES-256).
+ *
+ * \param ctx The CTR_DRBG context to seed.
+ * It must have been initialized with
+ * mbedtls_ctr_drbg_init().
+ * After a successful call to mbedtls_ctr_drbg_seed(),
+ * you may not call mbedtls_ctr_drbg_seed() again on
+ * the same context unless you call
+ * mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
+ * again first.
+ * After a failed call to mbedtls_ctr_drbg_seed(),
+ * you must call mbedtls_ctr_drbg_free().
+ * \param f_entropy The entropy callback, taking as arguments the
+ * \p p_entropy context, the buffer to fill, and the
+ * length of the buffer.
+ * \p f_entropy is always called with a buffer size
+ * less than or equal to the entropy length.
+ * \param p_entropy The entropy context to pass to \p f_entropy.
+ * \param custom The personalization string.
+ * This can be \c NULL, in which case the personalization
+ * string is empty regardless of the value of \p len.
+ * \param len The length of the personalization string.
+ * This must be at most
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ * - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len);
+
+/**
+ * \brief This function resets CTR_DRBG context to the state immediately
+ * after initial call of mbedtls_ctr_drbg_init().
+ *
+ * \param ctx The CTR_DRBG context to clear.
+ */
+void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx);
+
+/**
+ * \brief This function turns prediction resistance on or off.
+ * The default value is off.
+ *
+ * \note If enabled, entropy is gathered at the beginning of
+ * every call to mbedtls_ctr_drbg_random_with_add()
+ * or mbedtls_ctr_drbg_random().
+ * Only use this if your entropy source has sufficient
+ * throughput.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
+ */
+void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
+ int resistance);
+
+/**
+ * \brief This function sets the amount of entropy grabbed on each
+ * seed or reseed.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \note The security strength of CTR_DRBG is bounded by the
+ * entropy length. Thus:
+ * - When using AES-256
+ * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
+ * which is the default),
+ * \p len must be at least 32 (in bytes)
+ * to achieve a 256-bit strength.
+ * - When using AES-128
+ * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
+ * \p len must be at least 16 (in bytes)
+ * to achieve a 128-bit strength.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param len The amount of entropy to grab, in bytes.
+ * This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ * and at most the maximum length accepted by the
+ * entropy function that is set in the context.
+ */
+void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len);
+
+/**
+ * \brief This function sets the amount of entropy grabbed
+ * as a nonce for the initial seeding.
+ *
+ * Call this function before calling mbedtls_ctr_drbg_seed() to read
+ * a nonce from the entropy source during the initial seeding.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param len The amount of entropy to grab for the nonce, in bytes.
+ * This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ * and at most the maximum length accepted by the
+ * entropy function that is set in the context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if \p len is
+ * more than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+ * if the initial seeding has already taken place.
+ */
+int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len);
+
+/**
+ * \brief This function sets the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param interval The reseed interval.
+ */
+void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
+ int interval);
+
+/**
+ * \brief This function reseeds the CTR_DRBG context, that is
+ * extracts data from the entropy source.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param additional Additional data to add to the state. Can be \c NULL.
+ * \param len The length of the additional data.
+ * This must be less than
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ * where \c entropy_len is the entropy length
+ * configured for the context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional, size_t len);
+
+/**
+ * \brief This function updates the state of the CTR_DRBG context.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param additional The data to update the state with. This must not be
+ * \c NULL unless \p add_len is \c 0.
+ * \param add_len Length of \p additional in bytes. This must be at
+ * most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ * \p add_len is more than
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return An error from the underlying AES cipher on failure.
+ */
+int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len);
+
+/**
+ * \brief This function updates a CTR_DRBG instance with additional
+ * data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param p_rng The CTR_DRBG context. This must be a pointer to a
+ * #mbedtls_ctr_drbg_context structure.
+ * \param output The buffer to fill.
+ * \param output_len The length of the buffer in bytes.
+ * \param additional Additional data to update. Can be \c NULL, in which
+ * case the additional data is empty regardless of
+ * the value of \p add_len.
+ * \param add_len The length of the additional data
+ * if \p additional is not \c NULL.
+ * This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
+ * and less than
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ * where \c entropy_len is the entropy length
+ * configured for the context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t output_len,
+ const unsigned char *additional, size_t add_len);
+
+/**
+ * \brief This function uses CTR_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param p_rng The CTR_DRBG context. This must be a pointer to a
+ * #mbedtls_ctr_drbg_context structure.
+ * \param output The buffer to fill.
+ * \param output_len The length of the buffer in bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random(void *p_rng,
+ unsigned char *output, size_t output_len);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief This function writes a seed file.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param path The name of the file.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ * failure.
+ */
+int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
+
+/**
+ * \brief This function reads and updates a seed file. The seed
+ * is added to this instance.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param path The name of the file.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ * reseed failure.
+ * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
+ * seed file is too large.
+ */
+int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path);
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The CTR_DRBG checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_ctr_drbg_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ctr_drbg.h */
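Review bot: In the `#else` branch, `MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN` expands to `(MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2` with no outer parentheses, so `n / MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN` or `n % MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN` groups with the first factor only. Because this value sizes the nonce read from the entropy source at initial seeding, it should be defined as `#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN ((MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2)`. The macro's uses are outside this hunk, so whether any current expression is affected cannot be told from here. Separately, the mbedtls_ctr_drbg_seed() documentation says the nonce length is 0 "if the entropy length is at least 3/2 times the entropy length". Going by the `#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2` test, that should read `at least 3/2 times the key size`.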
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h
new file mode 100644
index 0000000..2b097a1
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h
@@ -0,0 +1,385 @@
+/**
+ * \file des.h
+ *
+ * \brief DES block cipher
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ */
+#ifndef MBEDTLS_DES_H
+#define MBEDTLS_DES_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_DES_ENCRYPT 1
+#define MBEDTLS_DES_DECRYPT 0
+
+/** The data input has an invalid length. */
+#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH -0x0032
+
+#define MBEDTLS_DES_KEY_SIZE 8
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief DES context structure
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+typedef struct mbedtls_des_context {
+ uint32_t MBEDTLS_PRIVATE(sk)[32]; /*!< DES subkeys */
+}
+mbedtls_des_context;
+
+/**
+ * \brief Triple-DES context structure
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+typedef struct mbedtls_des3_context {
+ uint32_t MBEDTLS_PRIVATE(sk)[96]; /*!< 3DES subkeys */
+}
+mbedtls_des3_context;
+
+#else /* MBEDTLS_DES_ALT */
+#include "des_alt.h"
+#endif /* MBEDTLS_DES_ALT */
+
+/**
+ * \brief Initialize DES context
+ *
+ * \param ctx DES context to be initialized
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des_init(mbedtls_des_context *ctx);
+
+/**
+ * \brief Clear DES context
+ *
+ * \param ctx DES context to be cleared
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des_free(mbedtls_des_context *ctx);
+
+/**
+ * \brief Initialize Triple-DES context
+ *
+ * \param ctx DES3 context to be initialized
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des3_init(mbedtls_des3_context *ctx);
+
+/**
+ * \brief Clear Triple-DES context
+ *
+ * \param ctx DES3 context to be cleared
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des3_free(mbedtls_des3_context *ctx);
+
+/**
+ * \brief Set key parity on the given key to odd.
+ *
+ * DES keys are 56 bits long, but each byte is padded with
+ * a parity bit to allow verification.
+ *
+ * \param key 8-byte secret key
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+/**
+ * \brief Check that key parity on the given key is odd.
+ *
+ * DES keys are 56 bits long, but each byte is padded with
+ * a parity bit to allow verification.
+ *
+ * \param key 8-byte secret key
+ *
+ * \return 0 is parity was ok, 1 if parity was not correct.
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+/**
+ * \brief Check that key is not a weak or semi-weak DES key
+ *
+ * \param key 8-byte secret key
+ *
+ * \return 0 if no weak key was found, 1 if a weak key was identified.
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+/**
+ * \brief DES key schedule (56-bit, encryption)
+ *
+ * \param ctx DES context to be initialized
+ * \param key 8-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+/**
+ * \brief DES key schedule (56-bit, decryption)
+ *
+ * \param ctx DES context to be initialized
+ * \param key 8-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+/**
+ * \brief Triple-DES key schedule (112-bit, encryption)
+ *
+ * \param ctx 3DES context to be initialized
+ * \param key 16-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]);
+
+/**
+ * \brief Triple-DES key schedule (112-bit, decryption)
+ *
+ * \param ctx 3DES context to be initialized
+ * \param key 16-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]);
+
+/**
+ * \brief Triple-DES key schedule (168-bit, encryption)
+ *
+ * \param ctx 3DES context to be initialized
+ * \param key 24-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]);
+
+/**
+ * \brief Triple-DES key schedule (168-bit, decryption)
+ *
+ * \param ctx 3DES context to be initialized
+ * \param key 24-byte secret key
+ *
+ * \return 0
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]);
+
+/**
+ * \brief DES-ECB block encryption/decryption
+ *
+ * \param ctx DES context
+ * \param input 64-bit input block
+ * \param output 64-bit output block
+ *
+ * \return 0 if successful
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief DES-CBC buffer encryption/decryption
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the function same function again on the following
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If on the other hand you need to retain the contents of the
+ * IV, you should either save it manually or use the cipher
+ * module instead.
+ *
+ * \param ctx DES context
+ * \param mode MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length length of the input data
+ * \param iv initialization vector (updated after use)
+ * \param input buffer holding the input data
+ * \param output buffer holding the output data
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief 3DES-ECB block encryption/decryption
+ *
+ * \param ctx 3DES context
+ * \param input 64-bit input block
+ * \param output 64-bit output block
+ *
+ * \return 0 if successful
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8]);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief 3DES-CBC buffer encryption/decryption
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the function same function again on the following
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If on the other hand you need to retain the contents of the
+ * IV, you should either save it manually or use the cipher
+ * module instead.
+ *
+ * \param ctx 3DES context
+ * \param mode MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length length of the input data
+ * \param iv initialization vector (updated after use)
+ * \param input buffer holding the input data
+ * \param output buffer holding the output data
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief Internal function for key expansion.
+ * (Only exposed to allow overriding it,
+ * see MBEDTLS_DES_SETKEY_ALT)
+ *
+ * \param SK Round keys
+ * \param key Base key
+ *
+ * \warning DES/3DES are considered weak ciphers and their use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ */
+void mbedtls_des_setkey(uint32_t SK[32],
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_des_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* des.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h
new file mode 100644
index 0000000..0143405
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/dhm.h
@@ -0,0 +1,966 @@
+/**
+ * \file dhm.h
+ *
+ * \brief This file contains Diffie-Hellman-Merkle (DHM) key exchange
+ * definitions and functions.
+ *
+ * Diffie-Hellman-Merkle (DHM) key exchange is defined in
+ * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
+ * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
+ * Hellman Key Agreement Standard</em>.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
+ *
+ * \warning The security of the DHM key exchange relies on the proper choice
+ * of prime modulus - optimally, it should be a safe prime. The usage
+ * of non-safe primes both decreases the difficulty of the underlying
+ * discrete logarithm problem and can lead to small subgroup attacks
+ * leaking private exponent bits when invalid public keys are used
+ * and not detected. This is especially relevant if the same DHM
+ * parameters are reused for multiple key exchanges as in static DHM,
+ * while the criticality of small-subgroup attacks is lower for
+ * ephemeral DHM.
+ *
+ * \warning For performance reasons, the code does neither perform primality
+ * nor safe primality tests, nor the expensive checks for invalid
+ * subgroups. Moreover, even if these were performed, non-standardized
+ * primes cannot be trusted because of the possibility of backdoors
+ * that can't be effectively checked for.
+ *
+ * \warning Diffie-Hellman-Merkle is therefore a security risk when not using
+ * standardized primes generated using a trustworthy ("nothing up
+ * my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ * protocol, DH parameters need to be negotiated, so using the default
+ * primes systematically is not always an option. If possible, use
+ * Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ * and for which the TLS protocol mandates the use of standard
+ * parameters.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_DHM_H
+#define MBEDTLS_DHM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/bignum.h"
+
+/*
+ * DHM Error codes
+ */
+/** Bad input parameters. */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080
+/** Reading of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED -0x3100
+/** Making of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED -0x3180
+/** Reading of the public values failed. */
+#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED -0x3200
+/** Making of the public value failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED -0x3280
+/** Calculation of the DHM secret failed. */
+#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED -0x3300
+/** The ASN.1 data is not formatted correctly. */
+#define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380
+/** Allocation of memory failed. */
+#define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400
+/** Read or write of file failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480
+/** Setting the modulus and generator failed. */
+#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3580
+
+/** Which parameter to access in mbedtls_dhm_get_value(). */
+typedef enum {
+ MBEDTLS_DHM_PARAM_P, /*!< The prime modulus. */
+ MBEDTLS_DHM_PARAM_G, /*!< The generator. */
+ MBEDTLS_DHM_PARAM_X, /*!< Our secret value. */
+ MBEDTLS_DHM_PARAM_GX, /*!< Our public key = \c G^X mod \c P. */
+ MBEDTLS_DHM_PARAM_GY, /*!< The public key of the peer = \c G^Y mod \c P. */
+ MBEDTLS_DHM_PARAM_K, /*!< The shared secret = \c G^(XY) mod \c P. */
+} mbedtls_dhm_parameter;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The DHM context structure.
+ */
+typedef struct mbedtls_dhm_context {
+ mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The prime modulus. */
+ mbedtls_mpi MBEDTLS_PRIVATE(G); /*!< The generator. */
+ mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< Our secret value. */
+ mbedtls_mpi MBEDTLS_PRIVATE(GX); /*!< Our public key = \c G^X mod \c P. */
+ mbedtls_mpi MBEDTLS_PRIVATE(GY); /*!< The public key of the peer = \c G^Y mod \c P. */
+ mbedtls_mpi MBEDTLS_PRIVATE(K); /*!< The shared secret = \c G^(XY) mod \c P. */
+ mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< The cached value = \c R^2 mod \c P. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */
+ mbedtls_mpi MBEDTLS_PRIVATE(pX); /*!< The previous \c X. */
+}
+mbedtls_dhm_context;
+
+/**
+ * \brief This function initializes the DHM context.
+ *
+ * \param ctx The DHM context to initialize.
+ */
+void mbedtls_dhm_init(mbedtls_dhm_context *ctx);
+
+/**
+ * \brief This function parses the DHM parameters in a
+ * TLS ServerKeyExchange handshake message
+ * (DHM modulus, generator, and public key).
+ *
+ * \note In a TLS handshake, this is the how the client
+ * sets up its DHM context from the server's public
+ * DHM key material.
+ *
+ * \param ctx The DHM context to use. This must be initialized.
+ * \param p On input, *p must be the start of the input buffer.
+ * On output, *p is updated to point to the end of the data
+ * that has been read. On success, this is the first byte
+ * past the end of the ServerKeyExchange parameters.
+ * On error, this is the point at which an error has been
+ * detected, which is usually not useful except to debug
+ * failures.
+ * \param end The end of the input buffer.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
+ unsigned char **p,
+ const unsigned char *end);
+
+/**
+ * \brief This function generates a DHM key pair and exports its
+ * public part together with the DHM parameters in the format
+ * used in a TLS ServerKeyExchange handshake message.
+ *
+ * \note This function assumes that the DHM parameters \c ctx->P
+ * and \c ctx->G have already been properly set. For that, use
+ * mbedtls_dhm_set_group() below in conjunction with
+ * mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
+ *
+ * \note In a TLS handshake, this is the how the server generates
+ * and exports its DHM key material.
+ *
+ * \param ctx The DHM context to use. This must be initialized
+ * and have the DHM parameters set. It may or may not
+ * already have imported the peer's public key.
+ * \param x_size The private key size in Bytes.
+ * \param olen The address at which to store the number of Bytes
+ * written on success. This must not be \c NULL.
+ * \param output The destination buffer. This must be a writable buffer of
+ * sufficient size to hold the reduced binary presentation of
+ * the modulus, the generator and the public key, each wrapped
+ * with a 2-byte length field. It is the responsibility of the
+ * caller to ensure that enough space is available. Refer to
+ * mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng The RNG function. Must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function sets the prime modulus and generator.
+ *
+ * \note This function can be used to set \c ctx->P, \c ctx->G
+ * in preparation for mbedtls_dhm_make_params().
+ *
+ * \param ctx The DHM context to configure. This must be initialized.
+ * \param P The MPI holding the DHM prime modulus. This must be
+ * an initialized MPI.
+ * \param G The MPI holding the DHM generator. This must be an
+ * initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
+ const mbedtls_mpi *P,
+ const mbedtls_mpi *G);
+
+/**
+ * \brief This function imports the raw public value of the peer.
+ *
+ * \note In a TLS handshake, this is the how the server imports
+ * the Client's public DHM key.
+ *
+ * \param ctx The DHM context to use. This must be initialized and have
+ * its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ * It may or may not already have generated its own private key.
+ * \param input The input buffer containing the \c G^Y value of the peer.
+ * This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen The size of the input buffer \p input in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
+ const unsigned char *input, size_t ilen);
+
+/**
+ * \brief This function creates a DHM key pair and exports
+ * the raw public key in big-endian format.
+ *
+ * \note The destination buffer is always fully written
+ * so as to contain a big-endian representation of G^X mod P.
+ * If it is larger than \c ctx->len, it is padded accordingly
+ * with zero-bytes at the beginning.
+ *
+ * \param ctx The DHM context to use. This must be initialized and
+ * have the DHM parameters set. It may or may not already
+ * have imported the peer's public key.
+ * \param x_size The private key size in Bytes.
+ * \param output The destination buffer. This must be a writable buffer of
+ * size \p olen Bytes.
+ * \param olen The length of the destination buffer. This must be at least
+ * equal to `ctx->len` (the size of \c P).
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function derives and exports the shared secret
+ * \c (G^Y)^X mod \c P.
+ *
+ * \note If \p f_rng is not \c NULL, it is used to blind the input as
+ * a countermeasure against timing attacks. Blinding is used
+ * only if our private key \c X is re-used, and not used
+ * otherwise. We recommend always passing a non-NULL
+ * \p f_rng argument.
+ *
+ * \param ctx The DHM context to use. This must be initialized
+ * and have its own private key generated and the peer's
+ * public key imported.
+ * \param output The buffer to write the generated shared key to. This
+ * must be a writable buffer of size \p output_size Bytes.
+ * \param output_size The size of the destination buffer. This must be at
+ * least the size of \c ctx->len (the size of \c P).
+ * \param olen On exit, holds the actual number of Bytes written.
+ * \param f_rng The RNG function. Must not be \c NULL. Used for
+ * blinding.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
+ unsigned char *output, size_t output_size, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function returns the size of the prime modulus in bits.
+ *
+ * \param ctx The DHM context to query.
+ *
+ * \return The size of the prime modulus in bits,
+ * i.e. the number n such that 2^(n-1) <= P < 2^n.
+ */
+size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx);
+
+/**
+ * \brief This function returns the size of the prime modulus in bytes.
+ *
+ * \param ctx The DHM context to query.
+ *
+ * \return The size of the prime modulus in bytes,
+ * i.e. the number n such that 2^(8*(n-1)) <= P < 2^(8*n).
+ */
+size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx);
+
+/**
+ * \brief This function copies a parameter of a DHM key.
+ *
+ * \param ctx The DHM context to query.
+ * \param param The parameter to copy.
+ * \param dest The MPI object to copy the value into. It must be
+ * initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid.
+ * \return An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails.
+ */
+int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
+ mbedtls_dhm_parameter param,
+ mbedtls_mpi *dest);
+
+/**
+ * \brief This function frees and clears the components
+ * of a DHM context.
+ *
+ * \param ctx The DHM context to free and clear. This may be \c NULL,
+ * in which case this function is a no-op. If it is not \c NULL,
+ * it must point to an initialized DHM context.
+ */
+void mbedtls_dhm_free(mbedtls_dhm_context *ctx);
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/**
+ * \brief This function parses DHM parameters in PEM or DER format.
+ *
+ * \param dhm The DHM context to import the DHM parameters into.
+ * This must be initialized.
+ * \param dhmin The input buffer. This must be a readable buffer of
+ * length \p dhminlen Bytes.
+ * \param dhminlen The size of the input buffer \p dhmin, including the
+ * terminating \c NULL Byte for PEM data.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ * code on failure.
+ */
+int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+ size_t dhminlen);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief This function loads and parses DHM parameters from a file.
+ *
+ * \param dhm The DHM context to load the parameters to.
+ * This must be initialized.
+ * \param path The filename to read the DHM parameters from.
+ * This must not be \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ * error code on failure.
+ */
+int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path);
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The DMH checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_dhm_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+#ifdef __cplusplus
+}
+#endif
+
+/**
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
+ *
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2: 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3: 2048-bit MODP Group
+ * - RFC 3526 section 4: 3072-bit MODP Group
+ * - RFC 3526 section 5: 4096-bit MODP Group
+ * - RFC 7919 section A.1: ffdhe2048
+ * - RFC 7919 section A.2: ffdhe3072
+ * - RFC 7919 section A.3: ffdhe4096
+ * - RFC 7919 section A.4: ffdhe6144
+ * - RFC 7919 section A.5: ffdhe8192
+ *
+ * The constants with suffix "_p" denote the chosen prime moduli, while
+ * the constants with suffix "_g" denote the chosen generator
+ * of the associated prime field.
+ *
+ * The constants further suffixed with "_bin" are provided in binary format,
+ * while all other constants represent null-terminated strings holding the
+ * hexadecimal presentation of the respective numbers.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ * the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ * which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ * such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ * generator is always chosen to be 2 (which is a square for these prime,
+ * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ * bit in the private exponent).
+ *
+ */
+
+/*
+ * Trustworthy DHM parameters in binary form
+ */
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+ 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+ 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+ 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+ 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+ 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+ 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+ 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+ 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+ 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+ 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+ 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+ 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+ 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+ 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+ 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+ 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+ 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+ 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+ 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+ 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+ 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+ 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+ 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+ 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+ 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+ 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+ 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+ 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+ 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+ 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+ 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+ 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+ 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+ 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+ 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+ 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+ 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+ 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+ 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+ 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+ 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+ 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+ 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+ 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+ 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+ 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+ 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+ 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+ 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+ 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+ 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+ 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+ 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+ 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+ 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+ 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+ 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+ 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+ 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+ 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+ 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+ 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+ 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+ 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+ 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+ 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+ 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+ 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, \
+ 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, \
+ 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, \
+ 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, \
+ 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, \
+ 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, \
+ 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, \
+ 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, \
+ 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, \
+ 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, \
+ 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, \
+ 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, \
+ 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, \
+ 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, \
+ 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, \
+ 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, \
+ 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+ 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN { \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+ 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+ 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+ 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+ 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+ 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+ 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+ 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+ 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+ 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+ 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+ 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+ 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+ 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+ 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+ 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+ 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+ 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+ 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+ 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+ 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+ 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+ 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+ 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+ 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+ 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+ 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+ 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+ 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+ 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+ 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+ 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+ 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+ 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+ 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+ 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+ 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+ 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+ 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+ 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+ 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+ 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+ 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+ 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
+ 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
+ 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
+ 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
+ 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
+ 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
+ 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
+ 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
+ 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
+ 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
+ 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
+ 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
+ 0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
+ 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
+ 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
+ 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
+ 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
+ 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
+ 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
+ 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
+ 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
+ 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
+ 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
+ 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
+ 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
+ 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
+ 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
+ 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
+ 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
+ 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
+ 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
+ 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
+ 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
+
+#endif /* dhm.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdh.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdh.h
new file mode 100644
index 0000000..a0909d6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdh.h
@@ -0,0 +1,454 @@
+/**
+ * \file ecdh.h
+ *
+ * \brief This file contains ECDH definitions and functions.
+ *
+ * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ * key agreement protocol allowing two parties to establish a shared
+ * secret over an insecure channel. Each party must have an
+ * elliptic-curve public–private key pair.
+ *
+ * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
+ * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
+ * Cryptography</em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_ECDH_H
+#define MBEDTLS_ECDH_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/ecp.h"
+
+/*
+ * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
+ * defined in `ecdh.h`). For most applications, the choice of format makes
+ * no difference, since all library functions can work with either format,
+ * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
+
+ * The new format used when this option is disabled is smaller
+ * (56 bytes on a 32-bit platform). In future versions of the library, it
+ * will support alternative implementations of ECDH operations.
+ * The new format is incompatible with applications that access
+ * context fields directly and with restartable ECP operations.
+ */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+#else
+#undef MBEDTLS_ECDH_LEGACY_CONTEXT
+#endif
+
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+#undef MBEDTLS_ECDH_LEGACY_CONTEXT
+#include "everest/everest.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the source of the imported EC key.
+ */
+typedef enum {
+ MBEDTLS_ECDH_OURS, /**< Our key. */
+ MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
+} mbedtls_ecdh_side;
+
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum {
+ MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */
+ MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ MBEDTLS_ECDH_VARIANT_EVEREST /*!< Everest implementation */
+#endif
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed {
+ mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */
+ mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */
+ mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
+/**
+ *
+ * \warning Performing multiple operations concurrently on the same
+ * ECDSA context is not supported; objects of this type
+ * should not be shared between multiple threads.
+ * \brief The ECDH context structure.
+ */
+typedef struct mbedtls_ecdh_context {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */
+ mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */
+ mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */
+ int MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */
+ mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ int MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. */
+ mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+ uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages
+ as defined in RFC 4492. */
+ mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id);/*!< The elliptic curve used. */
+ mbedtls_ecdh_variant MBEDTLS_PRIVATE(var); /*!< The ECDH implementation/structure used. */
+ union {
+ mbedtls_ecdh_context_mbed MBEDTLS_PRIVATE(mbed_ecdh);
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ mbedtls_ecdh_context_everest MBEDTLS_PRIVATE(everest_ecdh);
+#endif
+ } MBEDTLS_PRIVATE(ctx); /*!< Implementation-specific context. The
+ context in use is specified by the \c var
+ field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ uint8_t MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. Functions of
+ an alternative implementation not supporting
+ restartable mode must return
+ MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+ if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
+}
+mbedtls_ecdh_context;
+
+/**
+ * \brief Return the ECP group for provided context.
+ *
+ * \note To access group specific fields, users should use
+ * `mbedtls_ecp_curve_info_from_grp_id` or
+ * `mbedtls_ecp_group_load` on the extracted `group_id`.
+ *
+ * \param ctx The ECDH context to parse. This must not be \c NULL.
+ *
+ * \return The \c mbedtls_ecp_group_id of the context.
+ */
+mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx);
+
+/**
+ * \brief Check whether a given group can be used for ECDH.
+ *
+ * \param gid The ECP group ID to check.
+ *
+ * \return \c 1 if the group can be used, \c 0 otherwise
+ */
+int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
+
+/**
+ * \brief This function generates an ECDH keypair on an elliptic
+ * curve.
+ *
+ * This function performs the first of two core computations
+ * implemented during the ECDH key exchange. The second core
+ * computation is performed by mbedtls_ecdh_compute_shared().
+ *
+ * \see ecp.h
+ *
+ * \param grp The ECP group to use. This must be initialized and have
+ * domain parameters loaded, for example through
+ * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param d The destination MPI (private key).
+ * This must be initialized.
+ * \param Q The destination point (public key).
+ * This must be initialized.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or
+ * \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function computes the shared secret.
+ *
+ * This function performs the second of two core computations
+ * implemented during the ECDH key exchange. The first core
+ * computation is performed by mbedtls_ecdh_gen_public().
+ *
+ * \see ecp.h
+ *
+ * \note If \p f_rng is not NULL, it is used to implement
+ * countermeasures against side-channel attacks.
+ * For more information, see mbedtls_ecp_mul().
+ *
+ * \param grp The ECP group to use. This must be initialized and have
+ * domain parameters loaded, for example through
+ * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param z The destination MPI (shared secret).
+ * This must be initialized.
+ * \param Q The public key from another party.
+ * This must be initialized.
+ * \param d Our secret exponent (private key).
+ * This must be initialized.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a
+ * context argument.
+ *
+ * \return \c 0 on success.
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or
+ * \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function initializes an ECDH context.
+ *
+ * \param ctx The ECDH context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx);
+
+/**
+ * \brief This function sets up the ECDH context with the information
+ * given.
+ *
+ * This function should be called after mbedtls_ecdh_init() but
+ * before mbedtls_ecdh_make_params(). There is no need to call
+ * this function before mbedtls_ecdh_read_params().
+ *
+ * This is the first function used by a TLS server for ECDHE
+ * ciphersuites.
+ *
+ * \param ctx The ECDH context to set up. This must be initialized.
+ * \param grp_id The group id of the group to set up the context for.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx,
+ mbedtls_ecp_group_id grp_id);
+
+/**
+ * \brief This function frees a context.
+ *
+ * \param ctx The context to free. This may be \c NULL, in which
+ * case this function does nothing. If it is not \c NULL,
+ * it must point to an initialized ECDH context.
+ */
+void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
+
+/**
+ * \brief This function generates an EC key pair and exports its
+ * in the format used in a TLS ServerKeyExchange handshake
+ * message.
+ *
+ * This is the second function used by a TLS server for ECDHE
+ * ciphersuites. (It is called after mbedtls_ecdh_setup().)
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen The address at which to store the number of Bytes written.
+ * \param buf The destination buffer. This must be a writable buffer of
+ * length \p blen Bytes.
+ * \param blen The length of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function parses the ECDHE parameters in a
+ * TLS ServerKeyExchange handshake message.
+ *
+ * \note In a TLS handshake, this is the how the client
+ * sets up its ECDHE context from the server's public
+ * ECDHE key material.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDHE context to use. This must be initialized.
+ * \param buf On input, \c *buf must be the start of the input buffer.
+ * On output, \c *buf is updated to point to the end of the
+ * data that has been read. On success, this is the first byte
+ * past the end of the ServerKeyExchange parameters.
+ * On error, this is the point at which an error has been
+ * detected, which is usually not useful except to debug
+ * failures.
+ * \param end The end of the input buffer.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
+ const unsigned char **buf,
+ const unsigned char *end);
+
+/**
+ * \brief This function sets up an ECDH context from an EC key.
+ *
+ * It is used by clients and servers in place of the
+ * ServerKeyEchange for static ECDH, and imports ECDH
+ * parameters from the EC key information of a certificate.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDH context to set up. This must be initialized.
+ * \param key The EC key to use. This must be initialized.
+ * \param side Defines the source of the key. Possible values are:
+ * - #MBEDTLS_ECDH_OURS: The key is ours.
+ * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
+ *
+ * \return \c 0 on success.
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side);
+
+/**
+ * \brief This function generates a public key and exports it
+ * as a TLS ClientKeyExchange payload.
+ *
+ * This is the second function used by a TLS client for ECDH(E)
+ * ciphersuites.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, the latter usually by
+ * mbedtls_ecdh_read_params().
+ * \param olen The address at which to store the number of Bytes written.
+ * This must not be \c NULL.
+ * \param buf The destination buffer. This must be a writable buffer
+ * of length \p blen Bytes.
+ * \param blen The size of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function parses and processes the ECDHE payload of a
+ * TLS ClientKeyExchange message.
+ *
+ * This is the third function used by a TLS server for ECDH(E)
+ * ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ * mbedtls_ecdh_make_params().)
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf The pointer to the ClientKeyExchange payload. This must
+ * be a readable buffer of length \p blen Bytes.
+ * \param blen The length of the input buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
+ const unsigned char *buf, size_t blen);
+
+/**
+ * \brief This function derives and exports the shared secret.
+ *
+ * This is the last function used by both TLS client
+ * and servers.
+ *
+ * \note If \p f_rng is not NULL, it is used to implement
+ * countermeasures against side-channel attacks.
+ * For more information, see mbedtls_ecp_mul().
+ *
+ * \see ecp.h
+
+ * \param ctx The ECDH context to use. This must be initialized
+ * and have its own private key generated and the peer's
+ * public key imported.
+ * \param olen The address at which to store the total number of
+ * Bytes written on success. This must not be \c NULL.
+ * \param buf The buffer to write the generated shared key to. This
+ * must be a writable buffer of size \p blen Bytes.
+ * \param blen The length of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context. This may be \c NULL if \p f_rng
+ * doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief This function enables restartable EC computations for this
+ * context. (Default: disabled.)
+ *
+ * \see \c mbedtls_ecp_set_max_ops()
+ *
+ * \note It is not possible to safely disable restartable
+ * computations once enabled, except by free-ing the context,
+ * which cancels possible in-progress operations.
+ *
+ * \param ctx The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdh.h */
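Review bot: The `\note` on `mbedtls_ecdh_compute_shared()` and on `mbedtls_ecdh_calc_secret()` still says "If \p f_rng is not NULL, it is used to implement countermeasures against side-channel attacks", while the `\param f_rng` line in the same comments says "This must not be \c NULL". A caller who reads only the note could conclude that passing NULL is a supported way to run without those countermeasures. I would reword both notes to `\note \p f_rng is used to implement countermeasures against side-channel attacks.` and, in `mbedtls_ecdh_compute_shared()`, change the `p_rng` text to `\c NULL in case \p f_rng doesn't need a context argument.` so it matches the other functions in this header. Separately, the `\warning` above `mbedtls_ecdh_context` refers to "the same ECDSA context" and should read `ECDH context`.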
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdsa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdsa.h
new file mode 100644
index 0000000..2ecf349
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecdsa.h
@@ -0,0 +1,671 @@
+/**
+ * \file ecdsa.h
+ *
+ * \brief This file contains ECDSA definitions and functions.
+ *
+ * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG):
+ * SEC1 Elliptic Curve Cryptography</em>.
+ * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
+ * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_ECDSA_H
+#define MBEDTLS_ECDSA_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/md.h"
+
+/**
+ * \brief Maximum ECDSA signature size for a given curve bit size
+ *
+ * \param bits Curve size in bits
+ * \return Maximum signature size in bytes
+ *
+ * \note This macro returns a compile-time constant if its argument
+ * is one. It may evaluate its argument multiple times.
+ */
+/*
+ * Ecdsa-Sig-Value ::= SEQUENCE {
+ * r INTEGER,
+ * s INTEGER
+ * }
+ *
+ * For each of r and s, the value (V) may include an extra initial "0" bit.
+ */
+#define MBEDTLS_ECDSA_MAX_SIG_LEN(bits) \
+ (/*T,L of SEQUENCE*/ ((bits) >= 61 * 8 ? 3 : 2) + \
+ /*T,L of r,s*/ 2 * (((bits) >= 127 * 8 ? 3 : 2) + \
+ /*V of r,s*/ ((bits) + 8) / 8))
+
+/** The maximal size of an ECDSA signature in Bytes. */
+#define MBEDTLS_ECDSA_MAX_LEN MBEDTLS_ECDSA_MAX_SIG_LEN(MBEDTLS_ECP_MAX_BITS)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ECDSA context structure.
+ *
+ * \warning Performing multiple operations concurrently on the same
+ * ECDSA context is not supported; objects of this type
+ * should not be shared between multiple threads.
+ *
+ * \note pk_wrap module assumes that "ecdsa_context" is identical
+ * to "ecp_keypair" (see for example structure
+ * "mbedtls_eckey_info" where ECDSA sign/verify functions
+ * are used also for EC key)
+ */
+typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief Internal restart context for ecdsa_verify()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief Internal restart context for ecdsa_sign()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief Internal restart context for ecdsa_sign_det()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
+#endif
+
+/**
+ * \brief General context for resuming ECDSA operations
+ */
+typedef struct {
+ mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(ecp); /*!< base context for ECP restart and
+ shared administrative info */
+ mbedtls_ecdsa_restart_ver_ctx *MBEDTLS_PRIVATE(ver); /*!< ecdsa_verify() sub-context */
+ mbedtls_ecdsa_restart_sig_ctx *MBEDTLS_PRIVATE(sig); /*!< ecdsa_sign() sub-context */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ mbedtls_ecdsa_restart_det_ctx *MBEDTLS_PRIVATE(det); /*!< ecdsa_sign_det() sub-context */
+#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief This function checks whether a given group can be used
+ * for ECDSA.
+ *
+ * \param gid The ECP group ID to check.
+ *
+ * \return \c 1 if the group can be used, \c 0 otherwise
+ */
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
+
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message.
+ *
+ * \note The deterministic version implemented in
+ * mbedtls_ecdsa_sign_det_ext() is usually preferred.
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated
+ * as defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized.
+ * \param buf The content to be signed. This is usually the hash of
+ * the original data to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX
+ * or \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, deterministic version.
+ *
+ * For more information, see <em>RFC-6979: Deterministic
+ * Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ * Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param md_alg The hash algorithm used to hash the original data.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This
+ * may be \c NULL if \p f_rng_blind doesn't need a context
+ * parameter.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+ mbedtls_mpi *s, const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind);
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note The deterministic version implemented in
+ * mbedtls_ecdsa_sign_det_restartable() is usually
+ * preferred.
+ *
+ * \note This function is like \c mbedtls_ecdsa_sign() but
+ * it can return early and restart according to the
+ * limit set with \c mbedtls_ecp_set_max_ops() to
+ * reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note This function is like \c
+ * mbedtls_ecdsa_sign_det_ext() but it can return
+ * early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param md_alg The hash algorithm used to hash the original data.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng_blind. This may be
+ * \c NULL if \p f_rng_blind doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief This function verifies the ECDSA signature of a
+ * previously-hashed message.
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.4, step 3.
+ *
+ * \see ecp.h
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param buf The hashed content that was signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param Q The public key to use for verification. This must be
+ * initialized and setup.
+ * \param r The first integer of the signature.
+ * This must be initialized.
+ * \param s The second integer of the signature.
+ * This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+ const mbedtls_mpi *s);
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/**
+ * \brief This function verifies the ECDSA signature of a
+ * previously-hashed message, in a restartable manner
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.4, step 3.
+ *
+ * \see ecp.h
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param buf The hashed content that was signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param Q The public key to use for verification. This must be
+ * initialized and setup.
+ * \param r The first integer of the signature.
+ * This must be initialized.
+ * \param s The second integer of the signature.
+ * This must be initialized.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
+/**
+ * \brief This function computes the ECDSA signature and writes it
+ * to a buffer, serialized as defined in <em>RFC-4492:
+ * Elliptic Curve Cryptography (ECC) Cipher Suites for
+ * Transport Layer Security (TLS)</em>.
+ *
+ * \warning It is not thread-safe to use the same context in
+ * multiple threads.
+ *
+ * \note The deterministic version is used if
+ * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
+ * information, see <em>RFC-6979: Deterministic Usage
+ * of the Digital Signature Algorithm (DSA) and Elliptic
+ * Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and private key bound to it, for example
+ * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg The message digest that was used to hash the message.
+ * \param hash The message hash to be signed. This must be a readable
+ * buffer of length \p hlen Bytes.
+ * \param hlen The length of the hash \p hash in Bytes.
+ * \param sig The buffer to which to write the signature. This must be a
+ * writable buffer of length at least twice as large as the
+ * size of the curve used, plus 9. For example, 73 Bytes if
+ * a 256-bit curve is used. A buffer length of
+ * #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param sig_size The size of the \p sig buffer in bytes.
+ * \param slen The address at which to store the actual length of
+ * the signature written. Must not be \c NULL.
+ * \param f_rng The RNG function. This must not be \c NULL if
+ * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ * it is used only for blinding and may be set to \c NULL, but
+ * doing so is DEPRECATED.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function computes the ECDSA signature and writes it
+ * to a buffer, in a restartable way.
+ *
+ * \see \c mbedtls_ecdsa_write_signature()
+ *
+ * \note This function is like \c mbedtls_ecdsa_write_signature()
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and private key bound to it, for example
+ * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg The message digest that was used to hash the message.
+ * \param hash The message hash to be signed. This must be a readable
+ * buffer of length \p hlen Bytes.
+ * \param hlen The length of the hash \p hash in Bytes.
+ * \param sig The buffer to which to write the signature. This must be a
+ * writable buffer of length at least twice as large as the
+ * size of the curve used, plus 9. For example, 73 Bytes if
+ * a 256-bit curve is used. A buffer length of
+ * #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param sig_size The size of the \p sig buffer in bytes.
+ * \param slen The address at which to store the actual length of
+ * the signature written. Must not be \c NULL.
+ * \param f_rng The RNG function. This must not be \c NULL if
+ * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ * it is unused and may be set to \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+/**
+ * \brief This function reads and verifies an ECDSA signature.
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.4, step 3.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and public key bound to it.
+ * \param hash The message hash that was signed. This must be a readable
+ * buffer of length \p hlen Bytes.
+ * \param hlen The size of the hash \p hash.
+ * \param sig The signature to read and verify. This must be a readable
+ * buffer of length \p slen Bytes.
+ * \param slen The size of \p sig in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ * signature in \p sig, but its length is less than \p siglen.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ * error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen);
+
+/**
+ * \brief This function reads and verifies an ECDSA signature,
+ * in a restartable way.
+ *
+ * \see \c mbedtls_ecdsa_read_signature()
+ *
+ * \note This function is like \c mbedtls_ecdsa_read_signature()
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and public key bound to it.
+ * \param hash The message hash that was signed. This must be a readable
+ * buffer of length \p hlen Bytes.
+ * \param hlen The size of the hash \p hash.
+ * \param sig The signature to read and verify. This must be a readable
+ * buffer of length \p slen Bytes.
+ * \param slen The size of \p sig in Bytes.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ * signature in \p sig, but its length is less than \p siglen.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ * error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+/**
+ * \brief This function generates an ECDSA keypair on the given curve.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDSA context to store the keypair in.
+ * This must be initialized.
+ * \param gid The elliptic curve to use. One of the various
+ * \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/**
+ * \brief This function sets up an ECDSA context from an EC key pair.
+ *
+ * \see ecp.h
+ *
+ * \param ctx The ECDSA context to setup. This must be initialized.
+ * \param key The EC key to use. This must be initialized and hold
+ * a private-public key pair or a public key. In the former
+ * case, the ECDSA context may be used for signature creation
+ * and verification after this call. In the latter case, it
+ * may be used for signature verification.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx,
+ const mbedtls_ecp_keypair *key);
+
+/**
+ * \brief This function initializes an ECDSA context.
+ *
+ * \param ctx The ECDSA context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx);
+
+/**
+ * \brief This function frees an ECDSA context.
+ *
+ * \param ctx The ECDSA context to free. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context.
+ *
+ * \param ctx The restart context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx);
+
+/**
+ * \brief Free the components of a restart context.
+ *
+ * \param ctx The restart context to free. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdsa.h */
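Review bot: The `f_rng` entry for `mbedtls_ecdsa_write_signature_restartable()` says that with `MBEDTLS_ECDSA_DETERMINISTIC` set the RNG "is unused and may be set to NULL", while the same parameter on `mbedtls_ecdsa_write_signature()` says it is "used only for blinding" and that passing NULL is deprecated. The two descriptions disagree on whether a caller who passes NULL gives up the blinding countermeasure. The implementation is not part of this hunk, so which text is right cannot be confirmed here; if the restartable path also blinds, its entry should read `it is used only for blinding and may be set to \c NULL, but doing so is DEPRECATED.` In the same header, the `p_rng_blind` entry of `mbedtls_ecdsa_sign_restartable()` refers to `\p f_rng` where `\p f_rng_blind` is meant. Both `mbedtls_ecdsa_read_signature*()` blocks also name `\p siglen` although the parameter is `slen`.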
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h
new file mode 100644
index 0000000..a75a8ec
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecjpake.h
@@ -0,0 +1,293 @@
+/**
+ * \file ecjpake.h
+ *
+ * \brief Elliptic curve J-PAKE
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ECJPAKE_H
+#define MBEDTLS_ECJPAKE_H
+#include "mbedtls/private_access.h"
+
+/*
+ * J-PAKE is a password-authenticated key exchange that allows deriving a
+ * strong shared secret from a (potentially low entropy) pre-shared
+ * passphrase, with forward secrecy and mutual authentication.
+ * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
+ *
+ * This file implements the Elliptic Curve variant of J-PAKE,
+ * as defined in Chapter 7.4 of the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ *
+ * As the J-PAKE algorithm is inherently symmetric, so is our API.
+ * Each party needs to send its first round message, in any order, to the
+ * other party, then each sends its second round message, in any order.
+ * The payloads are serialized in a way suitable for use in TLS, but could
+ * also be use outside TLS.
+ */
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Roles in the EC J-PAKE exchange
+ */
+typedef enum {
+ MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */
+ MBEDTLS_ECJPAKE_SERVER, /**< Server */
+ MBEDTLS_ECJPAKE_NONE, /**< Undefined */
+} mbedtls_ecjpake_role;
+
+/**
+ * EC J-PAKE context structure.
+ *
+ * J-PAKE is a symmetric protocol, except for the identifiers used in
+ * Zero-Knowledge Proofs, and the serialization of the second message
+ * (KeyExchange) as defined by the Thread spec.
+ *
+ * In order to benefit from this symmetry, we choose a different naming
+ * convention from the Thread v1.0 spec. Correspondence is indicated in the
+ * description as a pair C: client name, S: server name
+ */
+typedef struct mbedtls_ecjpake_context {
+ mbedtls_md_type_t MBEDTLS_PRIVATE(md_type); /**< Hash to use */
+ mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /**< Elliptic curve */
+ mbedtls_ecjpake_role MBEDTLS_PRIVATE(role); /**< Are we client or server? */
+ int MBEDTLS_PRIVATE(point_format); /**< Format for point export */
+
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1); /**< My public key 1 C: X1, S: X3 */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2); /**< My public key 2 C: X2, S: X4 */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1); /**< Peer public key 1 C: X3, S: X1 */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2); /**< Peer public key 2 C: X4, S: X2 */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Xp); /**< Peer public key C: Xs, S: Xc */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(xm1); /**< My private key 1 C: x1, S: x3 */
+ mbedtls_mpi MBEDTLS_PRIVATE(xm2); /**< My private key 2 C: x2, S: x4 */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(s); /**< Pre-shared secret (passphrase) */
+} mbedtls_ecjpake_context;
+
+/**
+ * \brief Initialize an ECJPAKE context.
+ *
+ * \param ctx The ECJPAKE context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx);
+
+/**
+ * \brief Set up an ECJPAKE context for use.
+ *
+ * \note Currently the only values for hash/curve allowed by the
+ * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
+ *
+ * \param ctx The ECJPAKE context to set up. This must be initialized.
+ * \param role The role of the caller. This must be either
+ * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash The identifier of the hash function to use,
+ * for example #MBEDTLS_MD_SHA256.
+ * \param curve The identifier of the elliptic curve to use,
+ * for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret The pre-shared secret (passphrase). This must be
+ * a readable not empty buffer of length \p len Bytes. It need
+ * only be valid for the duration of this call.
+ * \param len The length of the pre-shared secret \p secret.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
+ mbedtls_ecjpake_role role,
+ mbedtls_md_type_t hash,
+ mbedtls_ecp_group_id curve,
+ const unsigned char *secret,
+ size_t len);
+
+/**
+ * \brief Set the point format for future reads and writes.
+ *
+ * \param ctx The ECJPAKE context to configure.
+ * \param point_format The point format to use:
+ * #MBEDTLS_ECP_PF_UNCOMPRESSED (default)
+ * or #MBEDTLS_ECP_PF_COMPRESSED.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format
+ * is invalid.
+ */
+int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
+ int point_format);
+
+/**
+ * \brief Check if an ECJPAKE context is ready for use.
+ *
+ * \param ctx The ECJPAKE context to check. This must be
+ * initialized.
+ *
+ * \return \c 0 if the context is ready for use.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
+ */
+int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx);
+
+/**
+ * \brief Generate and write the first round message
+ * (TLS: contents of the Client/ServerHello extension,
+ * excluding extension type and length bytes).
+ *
+ * \param ctx The ECJPAKE context to use. This must be
+ * initialized and set up.
+ * \param buf The buffer to write the contents to. This must be a
+ * writable buffer of length \p len Bytes.
+ * \param len The length of \p buf in Bytes.
+ * \param olen The address at which to store the total number
+ * of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Read and process the first round message
+ * (TLS: contents of the Client/ServerHello extension,
+ * excluding extension type and length bytes).
+ *
+ * \param ctx The ECJPAKE context to use. This must be initialized
+ * and set up.
+ * \param buf The buffer holding the first round message. This must
+ * be a readable buffer of length \p len Bytes.
+ * \param len The length in Bytes of \p buf.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len);
+
+/**
+ * \brief Generate and write the second round message
+ * (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx The ECJPAKE context to use. This must be initialized,
+ * set up, and already have performed round one.
+ * \param buf The buffer to write the round two contents to.
+ * This must be a writable buffer of length \p len Bytes.
+ * \param len The size of \p buf in Bytes.
+ * \param olen The address at which to store the total number of Bytes
+ * written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Read and process the second round message
+ * (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx The ECJPAKE context to use. This must be initialized
+ * and set up and already have performed round one.
+ * \param buf The buffer holding the second round message. This must
+ * be a readable buffer of length \p len Bytes.
+ * \param len The length in Bytes of \p buf.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len);
+
+/**
+ * \brief Derive the shared secret
+ * (TLS: Pre-Master Secret).
+ *
+ * \param ctx The ECJPAKE context to use. This must be initialized,
+ * set up and have performed both round one and two.
+ * \param buf The buffer to write the derived secret to. This must
+ * be a writable buffer of length \p len Bytes.
+ * \param len The length of \p buf in Bytes.
+ * \param olen The address at which to store the total number of Bytes
+ * written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Write the shared key material to be passed to a Key
+ * Derivation Function as described in RFC8236.
+ *
+ * \param ctx The ECJPAKE context to use. This must be initialized,
+ * set up and have performed both round one and two.
+ * \param buf The buffer to write the derived secret to. This must
+ * be a writable buffer of length \p len Bytes.
+ * \param len The length of \p buf in Bytes.
+ * \param olen The address at which to store the total number of bytes
+ * written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This clears an ECJPAKE context and frees any
+ * embedded data structure.
+ *
+ * \param ctx The ECJPAKE context to free. This may be \c NULL,
+ * in which case this function does nothing. If it is not
+ * \c NULL, it must point to an initialized ECJPAKE context.
+ */
+void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecjpake_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* ecjpake.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h
new file mode 100644
index 0000000..d7a3c66
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h
@@ -0,0 +1,1515 @@
+/**
+ * \file ecp.h
+ *
+ * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
+ *
+ * The use of ECP in cryptography and TLS is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG): SEC1
+ * Elliptic Curve Cryptography</em> and
+ * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
+ * for Transport Layer Security (TLS)</em>.
+ *
+ * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
+ * group types.
+ *
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_ECP_H
+#define MBEDTLS_ECP_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/bignum.h"
+
+/*
+ * ECP error codes
+ */
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA -0x4F80
+/** The buffer is too small to write to. */
+#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL -0x4F00
+/** The requested feature is not available, for example, the requested curve is not supported. */
+#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE -0x4E80
+/** The signature is not valid. */
+#define MBEDTLS_ERR_ECP_VERIFY_FAILED -0x4E00
+/** Memory allocation failed. */
+#define MBEDTLS_ERR_ECP_ALLOC_FAILED -0x4D80
+/** Generation of random value, such as ephemeral key, failed. */
+#define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00
+/** Invalid private or public key. */
+#define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80
+/** The buffer contains a valid signature followed by more data. */
+#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00
+/** Operation in progress, call again with the same parameters to continue. */
+#define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00
+
+/* Flags indicating whether to include code that is specific to certain
+ * types of curves. These flags are for internal library use only. */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MONTGOMERY_ENABLED
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Domain-parameter identifiers: curve, subgroup, and generator.
+ *
+ * \note Only curves over prime fields are supported.
+ *
+ * \warning This library does not support validation of arbitrary domain
+ * parameters. Therefore, only standardized domain parameters from trusted
+ * sources should be used. See mbedtls_ecp_group_load().
+ */
+/* Note: when adding a new curve:
+ * - Add it at the end of this enum, otherwise you'll break the ABI by
+ * changing the numerical value for existing curves.
+ * - Increment MBEDTLS_ECP_DP_MAX below if needed.
+ * - Update the calculation of MBEDTLS_ECP_MAX_BITS below.
+ * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
+ * mbedtls_config.h.
+ * - List the curve as a dependency of MBEDTLS_ECP_C and
+ * MBEDTLS_ECDSA_C if supported in check_config.h.
+ * - Add the curve to the appropriate curve type macro
+ * MBEDTLS_ECP_yyy_ENABLED above.
+ * - Add the necessary definitions to ecp_curves.c.
+ * - Add the curve to the ecp_supported_curves array in ecp.c.
+ * - Add the curve to applicable profiles in x509_crt.c.
+ * - Add the curve to applicable presets in ssl_tls.c.
+ */
+typedef enum {
+ MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
+ MBEDTLS_ECP_DP_SECP192R1, /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
+ MBEDTLS_ECP_DP_SECP224R1, /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
+ MBEDTLS_ECP_DP_SECP256R1, /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
+ MBEDTLS_ECP_DP_SECP384R1, /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
+ MBEDTLS_ECP_DP_SECP521R1, /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
+ MBEDTLS_ECP_DP_BP256R1, /*!< Domain parameters for 256-bit Brainpool curve. */
+ MBEDTLS_ECP_DP_BP384R1, /*!< Domain parameters for 384-bit Brainpool curve. */
+ MBEDTLS_ECP_DP_BP512R1, /*!< Domain parameters for 512-bit Brainpool curve. */
+ MBEDTLS_ECP_DP_CURVE25519, /*!< Domain parameters for Curve25519. */
+ MBEDTLS_ECP_DP_SECP192K1, /*!< Domain parameters for 192-bit "Koblitz" curve. */
+ MBEDTLS_ECP_DP_SECP224K1, /*!< Domain parameters for 224-bit "Koblitz" curve. */
+ MBEDTLS_ECP_DP_SECP256K1, /*!< Domain parameters for 256-bit "Koblitz" curve. */
+ MBEDTLS_ECP_DP_CURVE448, /*!< Domain parameters for Curve448. */
+} mbedtls_ecp_group_id;
+
+/**
+ * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
+ */
+#define MBEDTLS_ECP_DP_MAX 14
+
+/*
+ * Curve types
+ */
+typedef enum {
+ MBEDTLS_ECP_TYPE_NONE = 0,
+ MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS, /* y^2 = x^3 + a x + b */
+ MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */
+} mbedtls_ecp_curve_type;
+
+/**
+ * Curve information, for use by other modules.
+ *
+ * The fields of this structure are part of the public API and can be
+ * accessed directly by applications. Future versions of the library may
+ * add extra fields or reorder existing fields.
+ */
+typedef struct mbedtls_ecp_curve_info {
+ mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
+ uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
+ uint16_t bit_size; /*!< The curve size in bits. */
+ const char *name; /*!< A human-friendly name. */
+} mbedtls_ecp_curve_info;
+
+/**
+ * \brief The ECP point structure, in Jacobian coordinates.
+ *
+ * \note All functions expect and return points satisfying
+ * the following condition: <code>Z == 0</code> or
+ * <code>Z == 1</code>. Other values of \p Z are
+ * used only by internal functions.
+ * The point is zero, or "at infinity", if <code>Z == 0</code>.
+ * Otherwise, \p X and \p Y are its standard (affine)
+ * coordinates.
+ */
+typedef struct mbedtls_ecp_point {
+ mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< The X coordinate of the ECP point. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Y); /*!< The Y coordinate of the ECP point. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Z); /*!< The Z coordinate of the ECP point. */
+}
+mbedtls_ecp_point;
+
+/**
+ * \brief The ECP group structure.
+ *
+ * We consider two types of curve equations:
+ * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
+ * (SEC1 + RFC-4492)</li>
+ * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
+ * Curve448)</li></ul>
+ * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
+ *
+ * For Short Weierstrass, this subgroup is the whole curve, and its
+ * cardinality is denoted by \p N. Our code requires that \p N is an
+ * odd prime as mbedtls_ecp_mul() requires an odd number, and
+ * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
+ *
+ * The default implementation only initializes \p A without setting it to the
+ * authentic value for curves with <code>A = -3</code>(SECP256R1, etc), in which
+ * case you need to load \p A by yourself when using domain parameters directly,
+ * for example:
+ * \code
+ * mbedtls_mpi_init(&A);
+ * mbedtls_ecp_group_init(&grp);
+ * CHECK_RETURN(mbedtls_ecp_group_load(&grp, grp_id));
+ * if (mbedtls_ecp_group_a_is_minus_3(&grp)) {
+ * CHECK_RETURN(mbedtls_mpi_sub_int(&A, &grp.P, 3));
+ * } else {
+ * CHECK_RETURN(mbedtls_mpi_copy(&A, &grp.A));
+ * }
+ *
+ * do_something_with_a(&A);
+ *
+ * cleanup:
+ * mbedtls_mpi_free(&A);
+ * mbedtls_ecp_group_free(&grp);
+ * \endcode
+ *
+ * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
+ * which is the quantity used in the formulas. Additionally, \p nbits is
+ * not the size of \p N but the required size for private keys.
+ *
+ * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
+ * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
+ * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
+ * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
+ * in size, so that it may be efficiently brought in the 0..P-1 range by a few
+ * additions or subtractions. Therefore, it is only an approximative modular
+ * reduction. It must return 0 on success and non-zero on failure.
+ *
+ * \note Alternative implementations of the ECP module must obey the
+ * following constraints.
+ * * Group IDs must be distinct: if two group structures have
+ * the same ID, then they must be identical.
+ * * The fields \c id, \c P, \c A, \c B, \c G, \c N,
+ * \c pbits and \c nbits must have the same type and semantics
+ * as in the built-in implementation.
+ * They must be available for reading, but direct modification
+ * of these fields does not need to be supported.
+ * They do not need to be at the same offset in the structure.
+ */
+typedef struct mbedtls_ecp_group {
+ mbedtls_ecp_group_id id; /*!< An internal group identifier. */
+ mbedtls_mpi P; /*!< The prime modulus of the base field. */
+ mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. Note that
+ \p A is not set to the authentic value in some cases.
+ Refer to detailed description of ::mbedtls_ecp_group if
+ using domain parameters in the structure.
+ For Montgomery curves: <code>(A + 2) / 4</code>. */
+ mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation.
+ For Montgomery curves: unused. */
+ mbedtls_ecp_point G; /*!< The generator of the subgroup used. */
+ mbedtls_mpi N; /*!< The order of \p G. */
+ size_t pbits; /*!< The number of bits in \p P.*/
+ size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P.
+ For Montgomery curves: the number of bits in the
+ private keys. */
+ /* End of public fields */
+
+ unsigned int MBEDTLS_PRIVATE(h); /*!< \internal 1 if the constants are static. */
+ int(*MBEDTLS_PRIVATE(modp))(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
+ mod \p P (see above).*/
+ int(*MBEDTLS_PRIVATE(t_pre))(mbedtls_ecp_point *, void *); /*!< Unused. */
+ int(*MBEDTLS_PRIVATE(t_post))(mbedtls_ecp_point *, void *); /*!< Unused. */
+ void *MBEDTLS_PRIVATE(t_data); /*!< Unused. */
+ mbedtls_ecp_point *MBEDTLS_PRIVATE(T); /*!< Pre-computed points for ecp_mul_comb(). */
+ size_t MBEDTLS_PRIVATE(T_size); /*!< The number of dynamic allocated pre-computed points. */
+}
+mbedtls_ecp_group;
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h, or define them using the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
+/*
+ * Maximum "window" size used for point multiplication.
+ * Default: a point where higher memory usage yields diminishing performance
+ * returns.
+ * Minimum value: 2. Maximum value: 7.
+ *
+ * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+ * points used for point multiplication. This value is directly tied to EC
+ * peak memory usage, so decreasing it by one should roughly cut memory usage
+ * by two (if large curves are in use).
+ *
+ * Reduction in size may reduce speed, but larger curves are impacted first.
+ * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
+ * w-size: 6 5 4 3 2
+ * 521 145 141 135 120 97
+ * 384 214 209 198 177 146
+ * 256 320 320 303 262 226
+ * 224 475 475 453 398 342
+ * 192 640 640 633 587 476
+ */
+#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */
+#endif /* MBEDTLS_ECP_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
+/*
+ * Trade code size for speed on fixed-point multiplication.
+ *
+ * This speeds up repeated multiplication of the generator (that is, the
+ * multiplication in ECDSA signatures, and half of the multiplications in
+ * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
+ *
+ * For each n-bit Short Weierstrass curve that is enabled, this adds 4n bytes
+ * of code size if n < 384 and 8n otherwise.
+ *
+ * Change this value to 0 to reduce code size.
+ */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up. */
+#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
+
+/** \} name SECTION: Module settings */
+
+/**
+ * The maximum size of the groups, that is, of \c N and \c P.
+ */
+#if !defined(MBEDTLS_ECP_LIGHT)
+/* Dummy definition to help code that has optional ECP support and
+ * defines an MBEDTLS_ECP_MAX_BYTES-sized array unconditionally. */
+#define MBEDTLS_ECP_MAX_BITS 1
+/* Note: the curves must be listed in DECREASING size! */
+#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 521
+#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 512
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 448
+#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 384
+#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 384
+#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 255
+#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 225 // n is slightly above 2^224
+#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 224
+#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 192
+#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 192
+#else /* !MBEDTLS_ECP_LIGHT */
+#error "Missing definition of MBEDTLS_ECP_MAX_BITS"
+#endif /* !MBEDTLS_ECP_LIGHT */
+
+#define MBEDTLS_ECP_MAX_BYTES ((MBEDTLS_ECP_MAX_BITS + 7) / 8)
+#define MBEDTLS_ECP_MAX_PT_LEN (2 * MBEDTLS_ECP_MAX_BYTES + 1)
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief Internal restart context for multiplication
+ *
+ * \note Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief Internal restart context for ecp_muladd()
+ *
+ * \note Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief General context for resuming ECC operations
+ */
+typedef struct {
+ unsigned MBEDTLS_PRIVATE(ops_done); /*!< current ops count */
+ unsigned MBEDTLS_PRIVATE(depth); /*!< call depth (0 = top-level) */
+ mbedtls_ecp_restart_mul_ctx *MBEDTLS_PRIVATE(rsm); /*!< ecp_mul_comb() sub-context */
+ mbedtls_ecp_restart_muladd_ctx *MBEDTLS_PRIVATE(ma); /*!< ecp_muladd() sub-context */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */
+#define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */
+#define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */
+
+/**
+ * \brief Internal; for restartable functions in other modules.
+ * Check and update basic ops budget.
+ *
+ * \param grp Group structure
+ * \param rs_ctx Restart context
+ * \param ops Number of basic ops to do
+ *
+ * \return \c 0 if doing \p ops basic ops is still allowed,
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_restart_ctx *rs_ctx,
+ unsigned ops);
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET(ops) \
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, rs_ctx, \
+ (unsigned) (ops)));
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET(ops) /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief The ECP key-pair structure.
+ *
+ * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
+ *
+ * \note Members are deliberately in the same order as in the
+ * ::mbedtls_ecdsa_context structure.
+ */
+typedef struct mbedtls_ecp_keypair {
+ mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< Elliptic curve and base point */
+ mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< our secret value */
+ mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< our public value */
+}
+mbedtls_ecp_keypair;
+
+/**
+ * The uncompressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED 0
+/**
+ * The compressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ *
+ * \warning While this format is supported for all concerned curves for
+ * writing, when it comes to parsing, it is not supported for all
+ * curves. Specifically, parsing compressed points on
+ * MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
+ * supported.
+ */
+#define MBEDTLS_ECP_PF_COMPRESSED 1
+
+/*
+ * Some other constants from RFC 4492
+ */
+#define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Set the maximum number of basic operations done in a row.
+ *
+ * If more operations are needed to complete a computation,
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ * function performing the computation. It is then the
+ * caller's responsibility to either call again with the same
+ * parameters until it returns 0 or an error code; or to free
+ * the restart context if the operation is to be aborted.
+ *
+ * It is strictly required that all input parameters and the
+ * restart context be the same on successive calls for the
+ * same operation, but output parameters need not be the
+ * same; they must not be used until the function finally
+ * returns 0.
+ *
+ * This only applies to functions whose documentation
+ * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ * SSL module). For functions that accept a "restart context"
+ * argument, passing NULL disables restart and makes the
+ * function equivalent to the function with the same name
+ * with \c _restartable removed. For functions in the ECDH
+ * module, restart is disabled unless the function accepts
+ * an "ECDH context" argument and
+ * mbedtls_ecdh_enable_restart() was previously called on
+ * that context. For function in the SSL module, restart is
+ * only enabled for specific sides and key exchanges
+ * (currently only for clients and ECDHE-ECDSA).
+ *
+ * \warning Using the PSA interruptible interfaces with keys in local
+ * storage and no accelerator driver will also call this
+ * function to set the values specified via those interfaces,
+ * overwriting values previously set. Care should be taken if
+ * mixing these two interfaces.
+ *
+ * \param max_ops Maximum number of basic operations done in a row.
+ * Default: 0 (unlimited).
+ * Lower (non-zero) values mean ECC functions will block for
+ * a lesser maximum amount of time.
+ *
+ * \note A "basic operation" is defined as a rough equivalent of a
+ * multiplication in GF(p) for the NIST P-256 curve.
+ * As an indication, with default settings, a scalar
+ * multiplication (full run of \c mbedtls_ecp_mul()) is:
+ * - about 3300 basic operations for P-256
+ * - about 9400 basic operations for P-384
+ *
+ * \note Very low values are not always respected: sometimes
+ * functions need to block for a minimum number of
+ * operations, and will do so even if max_ops is set to a
+ * lower value. That minimum depends on the curve size, and
+ * can be made lower by decreasing the value of
+ * \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the
+ * lowest effective value for various curves and values of
+ * that parameter (w for short):
+ * w=6 w=5 w=4 w=3 w=2
+ * P-256 208 208 160 136 124
+ * P-384 682 416 320 272 248
+ * P-521 1364 832 640 544 496
+ *
+ * \note This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops(unsigned max_ops);
+
+/**
+ * \brief Check if restart is enabled (max_ops != 0)
+ *
+ * \return \c 0 if \c max_ops == 0 (restart disabled)
+ * \return \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled(void);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get the type of a curve
+ */
+mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp);
+
+/**
+ * \brief This function retrieves the information defined in
+ * mbedtls_ecp_curve_info() for all supported curves.
+ *
+ * \note This function returns information about all curves
+ * supported by the library. Some curves may not be
+ * supported for all algorithms. Call mbedtls_ecdh_can_do()
+ * or mbedtls_ecdsa_can_do() to check if a curve is
+ * supported for ECDH or ECDSA.
+ *
+ * \return A statically allocated array. The last entry is 0.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void);
+
+/**
+ * \brief This function retrieves the list of internal group
+ * identifiers of all supported curves in the order of
+ * preference.
+ *
+ * \note This function returns information about all curves
+ * supported by the library. Some curves may not be
+ * supported for all algorithms. Call mbedtls_ecdh_can_do()
+ * or mbedtls_ecdsa_can_do() to check if a curve is
+ * supported for ECDH or ECDSA.
+ *
+ * \return A statically allocated array,
+ * terminated with MBEDTLS_ECP_DP_NONE.
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void);
+
+/**
+ * \brief This function retrieves curve information from an internal
+ * group identifier.
+ *
+ * \param grp_id An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return The associated curve information on success.
+ * \return NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id);
+
+/**
+ * \brief This function retrieves curve information from a TLS
+ * NamedCurve value.
+ *
+ * \param tls_id An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return The associated curve information on success.
+ * \return NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id);
+
+/**
+ * \brief This function retrieves curve information from a
+ * human-readable name.
+ *
+ * \param name The human-readable name.
+ *
+ * \return The associated curve information on success.
+ * \return NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name);
+
+/**
+ * \brief This function initializes a point as zero.
+ *
+ * \param pt The point to initialize.
+ */
+void mbedtls_ecp_point_init(mbedtls_ecp_point *pt);
+
+/**
+ * \brief This function initializes an ECP group context
+ * without loading any domain parameters.
+ *
+ * \note After this function is called, domain parameters
+ * for various ECP groups can be loaded through the
+ * mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
+ * functions.
+ */
+void mbedtls_ecp_group_init(mbedtls_ecp_group *grp);
+
+/**
+ * \brief This function initializes a key pair as an invalid one.
+ *
+ * \param key The key pair to initialize.
+ */
+void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key);
+
+/**
+ * \brief This function frees the components of a point.
+ *
+ * \param pt The point to free.
+ */
+void mbedtls_ecp_point_free(mbedtls_ecp_point *pt);
+
+/**
+ * \brief This function frees the components of an ECP group.
+ *
+ * \param grp The group to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized ECP group.
+ */
+void mbedtls_ecp_group_free(mbedtls_ecp_group *grp);
+
+/**
+ * \brief This function frees the components of a key pair.
+ *
+ * \param key The key pair to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized ECP key pair.
+ */
+void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context.
+ *
+ * \param ctx The restart context to initialize. This must
+ * not be \c NULL.
+ */
+void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx);
+
+/**
+ * \brief Free the components of a restart context.
+ *
+ * \param ctx The restart context to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx);
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief This function copies the contents of point \p Q into
+ * point \p P.
+ *
+ * \param P The destination point. This must be initialized.
+ * \param Q The source point. This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code for other kinds of failure.
+ */
+int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q);
+
+/**
+ * \brief This function copies the contents of group \p src into
+ * group \p dst.
+ *
+ * \param dst The destination group. This must be initialized.
+ * \param src The source group. This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst,
+ const mbedtls_ecp_group *src);
+
+/**
+ * \brief This function sets a point to the point at infinity.
+ *
+ * \param pt The point to set. This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt);
+
+/**
+ * \brief This function checks if a point is the point at infinity.
+ *
+ * \param pt The point to test. This must be initialized.
+ *
+ * \return \c 1 if the point is zero.
+ * \return \c 0 if the point is non-zero.
+ * \return A negative error code on failure.
+ */
+int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt);
+
+/**
+ * \brief This function compares two points.
+ *
+ * \note This assumes that the points are normalized. Otherwise,
+ * they may compare as "not equal" even if they are.
+ *
+ * \param P The first point to compare. This must be initialized.
+ * \param Q The second point to compare. This must be initialized.
+ *
+ * \return \c 0 if the points are equal.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
+ */
+int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
+ const mbedtls_ecp_point *Q);
+
+/**
+ * \brief This function imports a non-zero point from two ASCII
+ * strings.
+ *
+ * \param P The destination point. This must be initialized.
+ * \param radix The numeric base of the input.
+ * \param x The first affine coordinate, as a null-terminated string.
+ * \param y The second affine coordinate, as a null-terminated string.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_MPI_XXX error code on failure.
+ */
+int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
+ const char *x, const char *y);
+
+/**
+ * \brief This function exports a point into unsigned binary data.
+ *
+ * \param grp The group to which the point should belong.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param P The point to export. This must be initialized.
+ * \param format The point format. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * (For groups without these formats, this parameter is
+ * ignored. But it still has to be either of the above
+ * values.)
+ * \param olen The address at which to store the length of
+ * the output in Bytes. This must not be \c NULL.
+ * \param buf The output buffer. This must be a writable buffer
+ * of length \p buflen Bytes.
+ * \param buflen The length of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ * is too small to hold the point.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ * or the export for the given group is not implemented.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *P,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen);
+
+/**
+ * \brief This function imports a point from unsigned binary data.
+ *
+ * \note This function does not check that the point actually
+ * belongs to the given group, see mbedtls_ecp_check_pubkey()
+ * for that.
+ *
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
+ * \param grp The group to which the point should belong.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param P The destination context to import the point to.
+ * This must be initialized.
+ * \param buf The input buffer. This must be a readable buffer
+ * of length \p ilen Bytes.
+ * \param ilen The length of the input buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the import for the
+ * given group is not implemented.
+ */
+int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *P,
+ const unsigned char *buf, size_t ilen);
+
+/**
+ * \brief This function imports a point from a TLS ECPoint record.
+ *
+ * \note On function return, \p *buf is updated to point immediately
+ * after the ECPoint record.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param pt The destination point.
+ * \param buf The address of the pointer to the start of the input buffer.
+ * \param len The length of the buffer.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ * failure.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ */
+int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char **buf, size_t len);
+
+/**
+ * \brief This function exports a point as a TLS ECPoint record
+ * defined in RFC 4492, Section 5.4.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param pt The point to be exported. This must be initialized.
+ * \param format The point format to use. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen The address at which to store the length in Bytes
+ * of the data written.
+ * \param buf The target buffer. This must be a writable buffer of
+ * length \p blen Bytes.
+ * \param blen The length of the target buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ * is too small to hold the exported point.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt,
+ int format, size_t *olen,
+ unsigned char *buf, size_t blen);
+
+/**
+ * \brief This function sets up an ECP group context
+ * from a standardized set of domain parameters.
+ *
+ * \note The index should be a value of the NamedCurve enum,
+ * as defined in <em>RFC-4492: Elliptic Curve Cryptography
+ * (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
+ * usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
+ *
+ * \param grp The group context to setup. This must be initialized.
+ * \param id The identifier of the domain parameter set to load.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ * correspond to a known group.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id);
+
+/**
+ * \brief This function sets up an ECP group context from a TLS
+ * ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note The read pointer \p buf is updated to point right after
+ * the ECParameters record on exit.
+ *
+ * \param grp The group context to setup. This must be initialized.
+ * \param buf The address of the pointer to the start of the input buffer.
+ * \param len The length of the input buffer \c *buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ * recognized.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
+ const unsigned char **buf, size_t len);
+
+/**
+ * \brief This function extracts an elliptic curve group ID from a
+ * TLS ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note The read pointer \p buf is updated to point right after
+ * the ECParameters record on exit.
+ *
+ * \param grp The address at which to store the group id.
+ * This must not be \c NULL.
+ * \param buf The address of the pointer to the start of the input buffer.
+ * \param len The length of the input buffer \c *buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ * recognized.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
+ const unsigned char **buf,
+ size_t len);
+/**
+ * \brief This function exports an elliptic curve as a TLS
+ * ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp The ECP group to be exported.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param olen The address at which to store the number of Bytes written.
+ * This must not be \c NULL.
+ * \param buf The buffer to write to. This must be a writable buffer
+ * of length \p blen Bytes.
+ * \param blen The length of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ * buffer is too small to hold the exported group.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
+ size_t *olen,
+ unsigned char *buf, size_t blen);
+
+/**
+ * \brief This function performs a scalar multiplication of a point
+ * by an integer: \p R = \p m * \p P.
+ *
+ * It is not thread-safe to use same group in multiple threads.
+ *
+ * \note To prevent timing attacks, this function
+ * executes the exact same sequence of base-field
+ * operations for any valid \p m. It avoids any if-branch or
+ * array index depending on the value of \p m. It also uses
+ * \p f_rng to randomize some intermediate results.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply. This must be initialized.
+ * \param P The point to multiply. This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
+ * NULL if \p f_rng doesn't need a context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ * key, or \p P is not a valid public key.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/**
+ * \brief This function performs multiplication of a point by
+ * an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see mbedtls_ecp_mul()
+ *
+ * \note This function does the same as \c mbedtls_ecp_mul(), but
+ * it can return early and restart according to the limit set
+ * with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply. This must be initialized.
+ * \param P The point to multiply. This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
+ * NULL if \p f_rng doesn't need a context.
+ * \param rs_ctx The restart context (NULL disables restart).
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ * key, or \p P is not a valid public key.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx);
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/**
+ * \brief This function checks if domain parameter A of the curve is
+ * \c -3.
+ *
+ * \note This function is only defined for short Weierstrass curves.
+ * It may not be included in builds without any short
+ * Weierstrass curve.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ *
+ * \return \c 1 if <code>A = -3</code>.
+ * \return \c 0 Otherwise.
+ */
+static inline int mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group *grp)
+{
+ return grp->A.MBEDTLS_PRIVATE(p) == NULL;
+}
+
+/**
+ * \brief This function performs multiplication and addition of two
+ * points by integers: \p R = \p m * \p P + \p n * \p Q
+ *
+ * It is not thread-safe to use same group in multiple threads.
+ *
+ * \note In contrast to mbedtls_ecp_mul(), this function does not
+ * guarantee a constant execution flow and timing.
+ *
+ * \note This function is only defined for short Weierstrass curves.
+ * It may not be included in builds without any short
+ * Weierstrass curve.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply \p P.
+ * This must be initialized.
+ * \param P The point to multiply by \p m. This must be initialized.
+ * \param n The integer by which to multiply \p Q.
+ * This must be initialized.
+ * \param Q The point to be multiplied by \p n.
+ * This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ * valid private keys, or \p P or \p Q are not valid public
+ * keys.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ * designate a short Weierstrass curve.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q);
+
+/**
+ * \brief This function performs multiplication and addition of two
+ * points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ * restartable way.
+ *
+ * \see \c mbedtls_ecp_muladd()
+ *
+ * \note This function works the same as \c mbedtls_ecp_muladd(),
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note This function is only defined for short Weierstrass curves.
+ * It may not be included in builds without any short
+ * Weierstrass curve.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply \p P.
+ * This must be initialized.
+ * \param P The point to multiply by \p m. This must be initialized.
+ * \param n The integer by which to multiply \p Q.
+ * This must be initialized.
+ * \param Q The point to be multiplied by \p n.
+ * This must be initialized.
+ * \param rs_ctx The restart context (NULL disables restart).
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ * valid private keys, or \p P or \p Q are not valid public
+ * keys.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ * designate a short Weierstrass curve.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd_restartable(
+ mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+ mbedtls_ecp_restart_ctx *rs_ctx);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+/**
+ * \brief This function checks that a point is a valid public key
+ * on this curve.
+ *
+ * It only checks that the point is non-zero, has
+ * valid coordinates and lies on the curve. It does not verify
+ * that it is indeed a multiple of \c G. This additional
+ * check is computationally more expensive, is not required
+ * by standards, and should not be necessary if the group
+ * used has a small cofactor. In particular, it is useless for
+ * the NIST groups which all have a cofactor of 1.
+ *
+ * \note This function uses bare components rather than an
+ * ::mbedtls_ecp_keypair structure, to ease use with other
+ * structures, such as ::mbedtls_ecdh_context or
+ * ::mbedtls_ecdsa_context.
+ *
+ * \param grp The ECP group the point should belong to.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param pt The point to check. This must be initialized.
+ *
+ * \return \c 0 if the point is a valid public key.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ * a valid public key for the given curve.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt);
+
+/**
+ * \brief This function checks that an \c mbedtls_mpi is a
+ * valid private key for this curve.
+ *
+ * \note This function uses bare components rather than an
+ * ::mbedtls_ecp_keypair structure to ease use with other
+ * structures, such as ::mbedtls_ecdh_context or
+ * ::mbedtls_ecdsa_context.
+ *
+ * \param grp The ECP group the private key should belong to.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param d The integer to check. This must be initialized.
+ *
+ * \return \c 0 if the point is a valid private key.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ * private key for the given curve.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *d);
+
+/**
+ * \brief This function generates a private key.
+ *
+ * \param grp The ECP group to generate a private key for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param d The destination MPI (secret part). This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ * on failure.
+ */
+int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function generates a keypair with a configurable base
+ * point.
+ *
+ * \note This function uses bare components rather than an
+ * ::mbedtls_ecp_keypair structure to ease use with other
+ * structures, such as ::mbedtls_ecdh_context or
+ * ::mbedtls_ecdsa_context.
+ *
+ * \param grp The ECP group to generate a key pair for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param G The base point to use. This must be initialized
+ * and belong to \p grp. It replaces the default base
+ * point \c grp->G used by mbedtls_ecp_gen_keypair().
+ * \param d The destination MPI (secret part).
+ * This must be initialized.
+ * \param Q The destination point (public part).
+ * This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ * on failure.
+ */
+int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function generates an ECP keypair.
+ *
+ * \note This function uses bare components rather than an
+ * ::mbedtls_ecp_keypair structure to ease use with other
+ * structures, such as ::mbedtls_ecdh_context or
+ * ::mbedtls_ecdsa_context.
+ *
+ * \param grp The ECP group to generate a key pair for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param d The destination MPI (secret part).
+ * This must be initialized.
+ * \param Q The destination point (public part).
+ * This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ * on failure.
+ */
+int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
+ mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief This function generates an ECP key.
+ *
+ * \param grp_id The ECP group identifier.
+ * \param key The destination key. This must be initialized.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ * on failure.
+ */
+int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** \brief Set the public key in a key pair object.
+ *
+ * \note This function does not check that the point actually
+ * belongs to the given group. Call mbedtls_ecp_check_pubkey()
+ * on \p Q before calling this function to check that.
+ *
+ * \note This function does not check that the public key matches
+ * the private key that is already in \p key, if any.
+ * To check the consistency of the resulting key pair object,
+ * call mbedtls_ecp_check_pub_priv() after setting both
+ * the public key and the private key.
+ *
+ * \param grp_id The ECP group identifier.
+ * \param key The key pair object. It must be initialized.
+ * If its group has already been set, it must match \p grp_id.
+ * If its group has not been set, it will be set to \p grp_id.
+ * If the public key has already been set, it is overwritten.
+ * \param Q The public key to copy. This must be a point on the
+ * curve indicated by \p grp_id.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not
+ * match \p grp_id.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ * the group is not implemented.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+ mbedtls_ecp_keypair *key,
+ const mbedtls_ecp_point *Q);
+
+/**
+ * \brief This function reads an elliptic curve private key.
+ *
+ * \note This function does not set the public key in the
+ * key pair object. Without a public key, the key pair object
+ * cannot be used with operations that require the public key.
+ * Call mbedtls_ecp_keypair_calc_public() to set the public
+ * key from the private key. Alternatively, you can call
+ * mbedtls_ecp_set_public_key() to set the public key part,
+ * and then optionally mbedtls_ecp_check_pub_priv() to check
+ * that the private and public parts are consistent.
+ *
+ * \note If a public key has already been set in the key pair
+ * object, this function does not check that it is consistent
+ * with the private key. Call mbedtls_ecp_check_pub_priv()
+ * after setting both the public key and the private key
+ * to make that check.
+ *
+ * \param grp_id The ECP group identifier.
+ * \param key The destination key.
+ * \param buf The buffer containing the binary representation of the
+ * key. (Big endian integer for Weierstrass curves, byte
+ * string for Montgomery curves.)
+ * \param buflen The length of the buffer in bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY error if the key is
+ * invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ * the group is not implemented.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ const unsigned char *buf, size_t buflen);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief This function exports an elliptic curve private key.
+ *
+ * \deprecated Note that although this function accepts an output
+ * buffer that is smaller or larger than the key, most key
+ * import interfaces require the output to have exactly
+ * key's nominal length. It is generally simplest to
+ * pass the key's nominal length as \c buflen, after
+ * checking that the output buffer is large enough.
+ * See the description of the \p buflen parameter for
+ * how to calculate the nominal length.
+ * To avoid this difficulty, use mbedtls_ecp_write_key_ext()
+ * instead.
+ * mbedtls_ecp_write_key() is deprecated and will be
+ * removed in a future version of the library.
+ *
+ * \note If the private key was not set in \p key,
+ * the output is unspecified. Future versions
+ * may return an error in that case.
+ *
+ * \param key The private key.
+ * \param buf The output buffer for containing the binary representation
+ * of the key.
+ * For Weierstrass curves, this is the big-endian
+ * representation, padded with null bytes at the beginning
+ * to reach \p buflen bytes.
+ * For Montgomery curves, this is the standard byte string
+ * representation (which is little-endian), padded with
+ * null bytes at the end to reach \p buflen bytes.
+ * \param buflen The total length of the buffer in bytes.
+ * The length of the output is
+ * (`grp->nbits` + 7) / 8 bytes
+ * where `grp->nbits` is the private key size in bits.
+ * For Weierstrass keys, if the output buffer is smaller,
+ * leading zeros are trimmed to fit if possible. For
+ * Montgomery keys, the output buffer must always be large
+ * enough for the nominal length.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL or
+ * #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the \p key
+ * representation is larger than the available space in \p buf.
+ * \return Another negative error code on different kinds of failure.
+ */
+int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+ unsigned char *buf, size_t buflen);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief This function exports an elliptic curve private key.
+ *
+ * \param key The private key.
+ * \param olen On success, the length of the private key.
+ * This is always (`grp->nbits` + 7) / 8 bytes
+ * where `grp->nbits` is the private key size in bits.
+ * \param buf The output buffer for containing the binary representation
+ * of the key.
+ * \param buflen The total length of the buffer in bytes.
+ * #MBEDTLS_ECP_MAX_BYTES is always sufficient.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
+ * representation is larger than the available space in \p buf.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is
+ * set in \p key.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
+ size_t *olen, unsigned char *buf, size_t buflen);
+
+/**
+ * \brief This function exports an elliptic curve public key.
+ *
+ * \note If the public key was not set in \p key,
+ * the output is unspecified. Future versions
+ * may return an error in that case.
+ *
+ * \param key The public key.
+ * \param format The point format. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * (For groups without these formats, this parameter is
+ * ignored. But it still has to be either of the above
+ * values.)
+ * \param olen The address at which to store the length of
+ * the output in Bytes. This must not be \c NULL.
+ * \param buf The output buffer. This must be a writable buffer
+ * of length \p buflen Bytes.
+ * \param buflen The length of the output buffer \p buf in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ * is too small to hold the point.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ * or the export for the given group is not implemented.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen);
+
+/**
+ * \brief This function checks that the keypair objects
+ * \p pub and \p prv have the same group and the
+ * same public point, and that the private key in
+ * \p prv is consistent with the public key.
+ *
+ * \param pub The keypair structure holding the public key. This
+ * must be initialized. If it contains a private key, that
+ * part is ignored.
+ * \param prv The keypair structure holding the full keypair.
+ * This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
+ * NULL if \p f_rng doesn't need a context.
+ *
+ * \return \c 0 on success, meaning that the keys are valid and match.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ * error code on calculation failure.
+ */
+int mbedtls_ecp_check_pub_priv(
+ const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/** \brief Calculate the public key from a private key in a key pair.
+ *
+ * \param key A keypair structure. It must have a private key set.
+ * If the public key is set, it will be overwritten.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c
+ * NULL if \p f_rng doesn't need a context.
+ *
+ * \return \c 0 on success. The key pair object can be used for
+ * operations that require the public key.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ * error code on calculation failure.
+ */
+int mbedtls_ecp_keypair_calc_public(
+ mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/** \brief Query the group that a key pair belongs to.
+ *
+ * \param key The key pair to query.
+ *
+ * \return The group ID for the group registered in the key pair
+ * object.
+ * This is \c MBEDTLS_ECP_DP_NONE if no group has been set
+ * in the key pair object.
+ */
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+ const mbedtls_ecp_keypair *key);
+
+/**
+ * \brief This function exports generic key-pair parameters.
+ *
+ * Each of the output parameters can be a null pointer
+ * if you do not need that parameter.
+ *
+ * \note If the private key or the public key was not set in \p key,
+ * the corresponding output is unspecified. Future versions
+ * may return an error in that case.
+ *
+ * \param key The key pair to export from.
+ * \param grp Slot for exported ECP group.
+ * It must either be null or point to an initialized ECP group.
+ * \param d Slot for the exported secret value.
+ * It must either be null or point to an initialized mpi.
+ * \param Q Slot for the exported public value.
+ * It must either be null or point to an initialized ECP point.
+ *
+ * \return \c 0 on success,
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't
+ * correspond to a known group.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The ECP checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_ecp_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecp.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/entropy.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/entropy.h
new file mode 100644
index 0000000..20fd687
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/entropy.h
@@ -0,0 +1,273 @@
+/**
+ * \file entropy.h
+ *
+ * \brief Entropy accumulator implementation
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ENTROPY_H
+#define MBEDTLS_ENTROPY_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+#include "md.h"
+
+#if defined(MBEDTLS_MD_CAN_SHA512) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA512
+#define MBEDTLS_ENTROPY_BLOCK_SIZE 64 /**< Block size of entropy accumulator (SHA-512) */
+#else
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA256
+#define MBEDTLS_ENTROPY_BLOCK_SIZE 32 /**< Block size of entropy accumulator (SHA-256) */
+#endif
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+
+/** Critical entropy source failure. */
+#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED -0x003C
+/** No more sources can be added. */
+#define MBEDTLS_ERR_ENTROPY_MAX_SOURCES -0x003E
+/** No sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED -0x0040
+/** No strong sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE -0x003D
+/** Read/write error in file. */
+#define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR -0x003F
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ENTROPY_MAX_SOURCES)
+#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
+#endif
+
+#if !defined(MBEDTLS_ENTROPY_MAX_GATHER)
+#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
+#endif
+
+/** \} name SECTION: Module settings */
+
+#define MBEDTLS_ENTROPY_MAX_SEED_SIZE 1024 /**< Maximum size of seed we read from seed file */
+#define MBEDTLS_ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_MAX_SOURCES
+
+#define MBEDTLS_ENTROPY_SOURCE_STRONG 1 /**< Entropy source is strong */
+#define MBEDTLS_ENTROPY_SOURCE_WEAK 0 /**< Entropy source is weak */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Entropy poll callback pointer
+ *
+ * \param data Callback-specific data pointer
+ * \param output Data to fill
+ * \param len Maximum size to provide
+ * \param olen The actual amount of bytes put into the buffer (Can be 0)
+ *
+ * \return 0 if no critical failures occurred,
+ * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise
+ */
+typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, size_t len,
+ size_t *olen);
+
+/**
+ * \brief Entropy source state
+ */
+typedef struct mbedtls_entropy_source_state {
+ mbedtls_entropy_f_source_ptr MBEDTLS_PRIVATE(f_source); /**< The entropy source callback */
+ void *MBEDTLS_PRIVATE(p_source); /**< The callback data pointer */
+ size_t MBEDTLS_PRIVATE(size); /**< Amount received in bytes */
+ size_t MBEDTLS_PRIVATE(threshold); /**< Minimum bytes required before release */
+ int MBEDTLS_PRIVATE(strong); /**< Is the source strong? */
+}
+mbedtls_entropy_source_state;
+
+/**
+ * \brief Entropy context structure
+ */
+typedef struct mbedtls_entropy_context {
+ mbedtls_md_context_t MBEDTLS_PRIVATE(accumulator);
+ int MBEDTLS_PRIVATE(accumulator_started); /* 0 after init.
+ * 1 after the first update.
+ * -1 after free. */
+ int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */
+ mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES];
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< mutex */
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ int MBEDTLS_PRIVATE(initial_entropy_run);
+#endif
+}
+mbedtls_entropy_context;
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+/**
+ * \brief Initialize the context
+ *
+ * \param ctx Entropy context to initialize
+ */
+void mbedtls_entropy_init(mbedtls_entropy_context *ctx);
+
+/**
+ * \brief Free the data in the context
+ *
+ * \param ctx Entropy context to free
+ */
+void mbedtls_entropy_free(mbedtls_entropy_context *ctx);
+
+/**
+ * \brief Adds an entropy source to poll
+ * (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx Entropy context
+ * \param f_source Entropy function
+ * \param p_source Function data
+ * \param threshold Minimum required from source before entropy is released
+ * ( with mbedtls_entropy_func() ) (in bytes)
+ * \param strong MBEDTLS_ENTROPY_SOURCE_STRONG or
+ * MBEDTLS_ENTROPY_SOURCE_WEAK.
+ * At least one strong source needs to be added.
+ * Weaker sources (such as the cycle counter) can be used as
+ * a complement.
+ *
+ * \return 0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+ */
+int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
+ mbedtls_entropy_f_source_ptr f_source, void *p_source,
+ size_t threshold, int strong);
+
+/**
+ * \brief Trigger an extra gather poll for the accumulator
+ * (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx Entropy context
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_gather(mbedtls_entropy_context *ctx);
+
+/**
+ * \brief Retrieve entropy from the accumulator
+ * (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE)
+ * (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data Entropy context
+ * \param output Buffer to fill
+ * \param len Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_func(void *data, unsigned char *output, size_t len);
+
+/**
+ * \brief Add data to the accumulator manually
+ * (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx Entropy context
+ * \param data Data to add
+ * \param len Length of data
+ *
+ * \return 0 if successful
+ */
+int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
+ const unsigned char *data, size_t len);
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief Trigger an update of the seed file in NV by using the
+ * current entropy pool.
+ *
+ * \param ctx Entropy context
+ *
+ * \return 0 if successful
+ */
+int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx);
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief Write a seed file
+ *
+ * \param ctx Entropy context
+ * \param path Name of the file
+ *
+ * \return 0 if successful,
+ * MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error, or
+ * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path);
+
+/**
+ * \brief Read and update a seed file. Seed is added to this
+ * instance. No more than MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes are
+ * read from the seed file. The rest is ignored.
+ *
+ * \param ctx Entropy context
+ * \param path Name of the file
+ *
+ * \return 0 if successful,
+ * MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error,
+ * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path);
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine
+ *
+ * This module self-test also calls the entropy self-test,
+ * mbedtls_entropy_source_self_test();
+ *
+ * \return 0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_self_test(int verbose);
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief Checkup routine
+ *
+ * Verifies the integrity of the hardware entropy source
+ * provided by the function 'mbedtls_hardware_poll()'.
+ *
+ * Note this is the only hardware entropy source that is known
+ * at link time, and other entropy sources configured
+ * dynamically at runtime by the function
+ * mbedtls_entropy_add_source() will not be tested.
+ *
+ * \return 0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_source_self_test(int verbose);
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy.h */
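Review bot: `MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED` and `MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE` are defined at the top of this header, but no `\return` in it mentions them; mbedtls_entropy_gather() and mbedtls_entropy_func() document only `MBEDTLS_ERR_ENTROPY_SOURCE_FAILED`. The implementation is not part of this hunk, so which calls return them is an assumption. The functions that poll the sources should list both, so that a caller can tell a context with no strong source apart from a source that failed. Separately, the comments on mbedtls_entropy_write_seed_file() and mbedtls_entropy_update_seed_file() do not say that the file at \p path holds seed material that has to stay secret; a line such as `\note The seed file contains RNG seed material and must be readable and writable only by the application.` would cover it.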
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/error.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/error.h
new file mode 100644
index 0000000..d101dee
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/error.h
@@ -0,0 +1,200 @@
+/**
+ * \file error.h
+ *
+ * \brief Error to string translation
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ERROR_H
+#define MBEDTLS_ERROR_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+/**
+ * Error code layout.
+ *
+ * Currently we try to keep all error codes within the negative space of 16
+ * bits signed integers to support all platforms (-0x0001 - -0x7FFF). In
+ * addition we'd like to give two layers of information on the error if
+ * possible.
+ *
+ * For that purpose the error codes are segmented in the following manner:
+ *
+ * 16 bit error code bit-segmentation
+ *
+ * 1 bit - Unused (sign bit)
+ * 3 bits - High level module ID
+ * 5 bits - Module-dependent error code
+ * 7 bits - Low level module errors
+ *
+ * For historical reasons, low-level error codes are divided in even and odd,
+ * even codes were assigned first, and -1 is reserved for other errors.
+ *
+ * Low-level module errors (0x0002-0x007E, 0x0001-0x007F)
+ *
+ * Module Nr Codes assigned
+ * ERROR 2 0x006E 0x0001
+ * MPI 7 0x0002-0x0010
+ * GCM 3 0x0012-0x0016 0x0013-0x0013
+ * THREADING 3 0x001A-0x001E
+ * AES 5 0x0020-0x0022 0x0021-0x0025
+ * CAMELLIA 3 0x0024-0x0026 0x0027-0x0027
+ * BASE64 2 0x002A-0x002C
+ * OID 1 0x002E-0x002E 0x000B-0x000B
+ * DES 2 0x0032-0x0032 0x0033-0x0033
+ * CTR_DBRG 4 0x0034-0x003A
+ * ENTROPY 3 0x003C-0x0040 0x003D-0x003F
+ * NET 13 0x0042-0x0052 0x0043-0x0049
+ * ARIA 4 0x0058-0x005E
+ * ASN1 7 0x0060-0x006C
+ * CMAC 1 0x007A-0x007A
+ * PBKDF2 1 0x007C-0x007C
+ * HMAC_DRBG 4 0x0003-0x0009
+ * CCM 3 0x000D-0x0011
+ * MD5 1 0x002F-0x002F
+ * RIPEMD160 1 0x0031-0x0031
+ * SHA1 1 0x0035-0x0035 0x0073-0x0073
+ * SHA256 1 0x0037-0x0037 0x0074-0x0074
+ * SHA512 1 0x0039-0x0039 0x0075-0x0075
+ * SHA-3 1 0x0076-0x0076
+ * CHACHA20 3 0x0051-0x0055
+ * POLY1305 3 0x0057-0x005B
+ * CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM 2 0x0070-0x0072
+ * LMS 5 0x0011-0x0019
+ *
+ * High-level module nr (3 bits - 0x0...-0x7...)
+ * Name ID Nr of Errors
+ * PEM 1 9
+ * PKCS#12 1 4 (Started from top)
+ * X509 2 20
+ * PKCS5 2 4 (Started from top)
+ * DHM 3 11
+ * PK 3 15 (Started from top)
+ * RSA 4 11
+ * ECP 4 10 (Started from top)
+ * MD 5 5
+ * HKDF 5 1 (Started from top)
+ * PKCS7 5 12 (Started from 0x5300)
+ * SSL 5 2 (Started from 0x5F00)
+ * CIPHER 6 8 (Started from 0x6080)
+ * SSL 6 22 (Started from top, plus 0x6000)
+ * SSL 7 20 (Started from 0x7000, gaps at
+ * 0x7380, 0x7900-0x7980, 0x7A80-0x7E80)
+ *
+ * Module dependent error code (5 bits 0x.00.-0x.F8.)
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Generic error */
+#define MBEDTLS_ERR_ERROR_GENERIC_ERROR -0x0001
+/** This is a bug in the library */
+#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
+
+/** Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED -0x0070
+/** The requested feature is not supported by the platform */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072
+
+/**
+ * \brief Combines a high-level and low-level error code together.
+ *
+ * Wrapper macro for mbedtls_error_add(). See that function for
+ * more details.
+ */
+#define MBEDTLS_ERROR_ADD(high, low) \
+ mbedtls_error_add(high, low, __FILE__, __LINE__)
+
+#if defined(MBEDTLS_TEST_HOOKS)
+/**
+ * \brief Testing hook called before adding/combining two error codes together.
+ * Only used when invasive testing is enabled via MBEDTLS_TEST_HOOKS.
+ */
+extern void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
+#endif
+
+/**
+ * \brief Combines a high-level and low-level error code together.
+ *
+ * This function can be called directly however it is usually
+ * called via the #MBEDTLS_ERROR_ADD macro.
+ *
+ * While a value of zero is not a negative error code, it is still an
+ * error code (that denotes success) and can be combined with both a
+ * negative error code or another value of zero.
+ *
+ * \note When invasive testing is enabled via #MBEDTLS_TEST_HOOKS, also try to
+ * call \link mbedtls_test_hook_error_add \endlink.
+ *
+ * \param high high-level error code. See error.h for more details.
+ * \param low low-level error code. See error.h for more details.
+ * \param file file where this error code addition occurred.
+ * \param line line where this error code addition occurred.
+ */
+static inline int mbedtls_error_add(int high, int low,
+ const char *file, int line)
+{
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (*mbedtls_test_hook_error_add != NULL) {
+ (*mbedtls_test_hook_error_add)(high, low, file, line);
+ }
+#endif
+ (void) file;
+ (void) line;
+
+ return high + low;
+}
+
+/**
+ * \brief Translate an Mbed TLS error code into a string representation.
+ * The result is truncated if necessary and always includes a
+ * terminating null byte.
+ *
+ * \param errnum error code
+ * \param buffer buffer to place representation in
+ * \param buflen length of the buffer
+ */
+void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
+
+/**
+ * \brief Translate the high-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char *mbedtls_high_level_strerr(int error_code);
+
+/**
+ * \brief Translate the low-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char *mbedtls_low_level_strerr(int error_code);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* error.h */
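Review bot: The low-level table in the "Error code layout" comment disagrees with the headers added in this same change and with itself. It lists ENTROPY with 3 codes while entropy.h defines five (`-0x003C`, `-0x003D`, `-0x003E`, `-0x003F`, `-0x0040`), and it assigns 0x0011 to both CCM (0x000D-0x0011) and LMS (0x0011-0x0019) and 0x0013 to both GCM and LMS. These are probably stale rows rather than real collisions, but the table is what a maintainer consults when choosing a free code, so the counts and ranges should be brought in line with the actual `#define`s. `CTR_DBRG` in the same table should read `CTR_DRBG`.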
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/gcm.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/gcm.h
new file mode 100644
index 0000000..98faa43
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/gcm.h
@@ -0,0 +1,384 @@
+/**
+ * \file gcm.h
+ *
+ * \brief This file contains GCM definitions and functions.
+ *
+ * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ * (GCM), Natl. Inst. Stand. Technol.</em>
+ *
+ * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
+ * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_GCM_H
+#define MBEDTLS_GCM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "mbedtls/block_cipher.h"
+#endif
+
+#include <stdint.h>
+
+#define MBEDTLS_GCM_ENCRYPT 1
+#define MBEDTLS_GCM_DECRYPT 0
+
+/** Authenticated decryption failed. */
+#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014
+/** An output buffer is too small. */
+#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+#define MBEDTLS_GCM_HTABLE_SIZE 256
+#else
+#define MBEDTLS_GCM_HTABLE_SIZE 16
+#endif
+
+/**
+ * \brief The GCM context structure.
+ */
+typedef struct mbedtls_gcm_context {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */
+#else
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
+#endif
+ uint64_t MBEDTLS_PRIVATE(H)[MBEDTLS_GCM_HTABLE_SIZE][2]; /*!< Precalculated HTable. */
+ uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */
+ uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */
+ unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */
+ unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */
+ unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */
+ unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
+ #MBEDTLS_GCM_ENCRYPT or
+ #MBEDTLS_GCM_DECRYPT. */
+ unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use. */
+}
+mbedtls_gcm_context;
+
+#else /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
+/**
+ * \brief This function initializes the specified GCM context,
+ * to make references valid, and prepares the context
+ * for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *
+ * The function does not bind the GCM context to a particular
+ * cipher, nor set the key. For this purpose, use
+ * mbedtls_gcm_setkey().
+ *
+ * \param ctx The GCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_gcm_init(mbedtls_gcm_context *ctx);
+
+/**
+ * \brief This function associates a GCM context with a
+ * cipher algorithm and a key.
+ *
+ * \param ctx The GCM context. This must be initialized.
+ * \param cipher The 128-bit block cipher to use.
+ * \param key The encryption key. This must be a readable buffer of at
+ * least \p keybits bits.
+ * \param keybits The key size in bits. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits);
+
+/**
+ * \brief This function performs GCM encryption or decryption of a buffer.
+ *
+ * \note For encryption, the output buffer can be the same as the
+ * input buffer. For decryption, the output buffer cannot be
+ * the same as input buffer. If the buffers overlap, the output
+ * buffer must trail at least 8 Bytes behind the input buffer.
+ *
+ * \warning When this function performs a decryption, it outputs the
+ * authentication tag and does not verify that the data is
+ * authentic. You should use this function to perform encryption
+ * only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
+ * \param ctx The GCM context to use for encryption or decryption. This
+ * must be initialized.
+ * \param mode The operation to perform:
+ * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ * The ciphertext is written to \p output and the
+ * authentication tag is written to \p tag.
+ * - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ * The plaintext is written to \p output and the
+ * authentication tag is written to \p tag.
+ * Note that this mode is not recommended, because it does
+ * not verify the authenticity of the data. For this reason,
+ * you should use mbedtls_gcm_auth_decrypt() instead of
+ * calling this function in decryption mode.
+ * \param length The length of the input data, which is equal to the length
+ * of the output data.
+ * \param iv The initialization vector. This must be a readable buffer of
+ * at least \p iv_len Bytes.
+ * \param iv_len The length of the IV.
+ * \param add The buffer holding the additional data. This must be of at
+ * least that size in Bytes.
+ * \param add_len The length of the additional data.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, this must be a readable buffer of at least that
+ * size in Bytes.
+ * \param output The buffer for holding the output data. If \p length is greater
+ * than zero, this must be a writable buffer of at least that
+ * size in Bytes.
+ * \param tag_len The length of the tag to generate.
+ * \param tag The buffer for holding the tag. This must be a writable
+ * buffer of at least \p tag_len Bytes.
+ *
+ * \return \c 0 if the encryption or decryption was performed
+ * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ * this does not indicate that the data is authentic.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ * not valid or a cipher-specific error code if the encryption
+ * or decryption failed.
+ */
+int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t tag_len,
+ unsigned char *tag);
+
+/**
+ * \brief This function performs a GCM authenticated decryption of a
+ * buffer.
+ *
+ * \note For decryption, the output buffer cannot be the same as
+ * input buffer. If the buffers overlap, the output buffer
+ * must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx The GCM context. This must be initialized.
+ * \param length The length of the ciphertext to decrypt, which is also
+ * the length of the decrypted plaintext.
+ * \param iv The initialization vector. This must be a readable buffer
+ * of at least \p iv_len Bytes.
+ * \param iv_len The length of the IV.
+ * \param add The buffer holding the additional data. This must be of at
+ * least that size in Bytes.
+ * \param add_len The length of the additional data.
+ * \param tag The buffer holding the tag to verify. This must be a
+ * readable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the tag to verify.
+ * \param input The buffer holding the ciphertext. If \p length is greater
+ * than zero, this must be a readable buffer of at least that
+ * size.
+ * \param output The buffer for holding the decrypted plaintext. If \p length
+ * is greater than zero, this must be a writable buffer of at
+ * least that size.
+ *
+ * \return \c 0 if successful and authenticated.
+ * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ * not valid or a cipher-specific error code if the decryption
+ * failed.
+ */
+int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *tag,
+ size_t tag_len,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function starts a GCM encryption or decryption
+ * operation.
+ *
+ * \param ctx The GCM context. This must be initialized.
+ * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ * #MBEDTLS_GCM_DECRYPT.
+ * \param iv The initialization vector. This must be a readable buffer of
+ * at least \p iv_len Bytes.
+ * \param iv_len The length of the IV.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len);
+
+/**
+ * \brief This function feeds an input buffer as associated data
+ * (authenticated but not encrypted data) in a GCM
+ * encryption or decryption operation.
+ *
+ * Call this function after mbedtls_gcm_starts() to pass
+ * the associated data. If the associated data is empty,
+ * you do not need to call this function. You may not
+ * call this function after calling mbedtls_cipher_update().
+ *
+ * \param ctx The GCM context. This must have been started with
+ * mbedtls_gcm_starts() and must not have yet received
+ * any input with mbedtls_gcm_update().
+ * \param add The buffer holding the additional data, or \c NULL
+ * if \p add_len is \c 0.
+ * \param add_len The length of the additional data. If \c 0,
+ * \p add may be \c NULL.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
+ const unsigned char *add,
+ size_t add_len);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing GCM
+ * encryption or decryption operation.
+ *
+ * You may call this function zero, one or more times
+ * to pass successive parts of the input: the plaintext to
+ * encrypt, or the ciphertext (not including the tag) to
+ * decrypt. After the last part of the input, call
+ * mbedtls_gcm_finish().
+ *
+ * This function may produce output in one of the following
+ * ways:
+ * - Immediate output: the output length is always equal
+ * to the input length.
+ * - Buffered output: the output consists of a whole number
+ * of 16-byte blocks. If the total input length so far
+ * (not including associated data) is 16 \* *B* + *A*
+ * with *A* < 16 then the total output length is 16 \* *B*.
+ *
+ * In particular:
+ * - It is always correct to call this function with
+ * \p output_size >= \p input_length + 15.
+ * - If \p input_length is a multiple of 16 for all the calls
+ * to this function during an operation, then it is
+ * correct to use \p output_size = \p input_length.
+ *
+ * \note For decryption, the output buffer cannot be the same as
+ * input buffer. If the buffers overlap, the output buffer
+ * must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx The GCM context. This must be initialized.
+ * \param input The buffer holding the input data. If \p input_length
+ * is greater than zero, this must be a readable buffer
+ * of at least \p input_length bytes.
+ * \param input_length The length of the input data in bytes.
+ * \param output The buffer for the output data. If \p output_size
+ * is greater than zero, this must be a writable buffer of
+ * of at least \p output_size bytes.
+ * \param output_size The size of the output buffer in bytes.
+ * See the function description regarding the output size.
+ * \param output_length On success, \p *output_length contains the actual
+ * length of the output written in \p output.
+ * On failure, the content of \p *output_length is
+ * unspecified.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
+ * total input length too long,
+ * unsupported input/output buffer overlap detected,
+ * or \p output_size too small.
+ */
+int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
+ const unsigned char *input, size_t input_length,
+ unsigned char *output, size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief This function finishes the GCM operation and generates
+ * the authentication tag.
+ *
+ * It wraps up the GCM stream, and generates the
+ * tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \param ctx The GCM context. This must be initialized.
+ * \param tag The buffer for holding the tag. This must be a writable
+ * buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the tag to generate. This must be at least
+ * four.
+ * \param output The buffer for the final output.
+ * If \p output_size is nonzero, this must be a writable
+ * buffer of at least \p output_size bytes.
+ * \param output_size The size of the \p output buffer in bytes.
+ * This must be large enough for the output that
+ * mbedtls_gcm_update() has not produced. In particular:
+ * - If mbedtls_gcm_update() produces immediate output,
+ * or if the total input size is a multiple of \c 16,
+ * then mbedtls_gcm_finish() never produces any output,
+ * so \p output_size can be \c 0.
+ * - \p output_size never needs to be more than \c 15.
+ * \param output_length On success, \p *output_length contains the actual
+ * length of the output written in \p output.
+ * On failure, the content of \p *output_length is
+ * unspecified.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
+ * invalid value of \p tag_len,
+ * or \p output_size too small.
+ */
+int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
+ unsigned char *output, size_t output_size,
+ size_t *output_length,
+ unsigned char *tag, size_t tag_len);
+
+/**
+ * \brief This function clears a GCM context and the underlying
+ * cipher sub-context.
+ *
+ * \param ctx The GCM context to clear. If this is \c NULL, the call has
+ * no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_gcm_free(mbedtls_gcm_context *ctx);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The GCM checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_gcm_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* gcm.h */
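Review bot: None of the `iv` / `iv_len` descriptions (mbedtls_gcm_crypt_and_tag(), mbedtls_gcm_auth_decrypt(), mbedtls_gcm_starts()) says that an IV must never be repeated under the same key, which is the one GCM requirement whose violation costs both confidentiality and authenticity. I would add to mbedtls_gcm_starts() and mbedtls_gcm_crypt_and_tag() something like `\warning The IV must be unique for every encryption performed with the same key; NIST SP 800-38D recommends a 96-bit IV.` In the same header, the description of mbedtls_gcm_update_ad() says it may not be called after `mbedtls_cipher_update()`; judging by the \p ctx text just below it, `mbedtls_gcm_update()` is meant. mbedtls_gcm_crypt_and_tag() also leaves the valid range of \p tag_len unstated, while mbedtls_gcm_finish() documents a minimum of four and a maximum of 16 Bytes.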
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/hmac_drbg.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/hmac_drbg.h
new file mode 100644
index 0000000..18b1b75
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/hmac_drbg.h
@@ -0,0 +1,434 @@
+/**
+ * \file hmac_drbg.h
+ *
+ * \brief The HMAC_DRBG pseudorandom generator.
+ *
+ * This module implements the HMAC_DRBG pseudorandom generator described
+ * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ * Deterministic Random Bit Generators</em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_HMAC_DRBG_H
+#define MBEDTLS_HMAC_DRBG_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/*
+ * Error codes
+ */
+/** Too many random requested in single call. */
+#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003
+/** Input too large (Entropy + additional). */
+#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005
+/** Read/write error in file. */
+#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007
+/** The entropy source failed. */
+#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
+#endif
+
+/** \} name SECTION: Module settings */
+
+#define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */
+#define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HMAC_DRBG context.
+ */
+typedef struct mbedtls_hmac_drbg_context {
+ /* Working state: the key K is not stored explicitly,
+ * but is implied by the HMAC context */
+ mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx); /*!< HMAC context (inc. K) */
+ unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */
+ int MBEDTLS_PRIVATE(reseed_counter); /*!< reseed counter */
+
+ /* Administrative state */
+ size_t MBEDTLS_PRIVATE(entropy_len); /*!< entropy bytes grabbed on each (re)seed */
+ int MBEDTLS_PRIVATE(prediction_resistance); /*!< enable prediction resistance (Automatic
+ reseed before every random generation) */
+ int MBEDTLS_PRIVATE(reseed_interval); /*!< reseed interval */
+
+ /* Callbacks */
+ int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */
+ void *MBEDTLS_PRIVATE(p_entropy); /*!< context for the entropy function */
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized if and only if
+ * md_ctx->md_info != NULL. This means that the mutex is initialized
+ * during the initial seeding in mbedtls_hmac_drbg_seed() or
+ * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
+ *
+ * Note that this invariant may change without notice. Do not rely on it
+ * and do not access the mutex directly in application code.
+ */
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
+#endif
+} mbedtls_hmac_drbg_context;
+
+/**
+ * \brief HMAC_DRBG context initialization.
+ *
+ * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
+ *
+ * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+ * by default. Override this value by calling
+ * mbedtls_hmac_drbg_set_reseed_interval().
+ *
+ * \param ctx HMAC_DRBG context to be initialized.
+ */
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx);
+
+/**
+ * \brief HMAC_DRBG initial seeding.
+ *
+ * Set the initial seed and set up the entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ * with mbedtls_entropy_init() (which registers the platform's default
+ * entropy sources).
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note By default, the security strength as defined by NIST is:
+ * - 128 bits if \p md_info is SHA-1;
+ * - 192 bits if \p md_info is SHA-224;
+ * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
+ * Note that SHA-256 is just as efficient as SHA-224.
+ * The security strength can be reduced if a smaller
+ * entropy length is set with
+ * mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note The default entropy length is the security strength
+ * (converted from bits to bytes). You can override
+ * it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note During the initial seeding, this function calls
+ * the entropy source to obtain a nonce
+ * whose length is half the entropy length.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_hmac_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx HMAC_DRBG context to be seeded.
+ * \param md_info MD algorithm to use for HMAC_DRBG.
+ * \param f_entropy The entropy callback, taking as arguments the
+ * \p p_entropy context, the buffer to fill, and the
+ * length of the buffer.
+ * \p f_entropy is always called with a length that is
+ * less than or equal to the entropy length.
+ * \param p_entropy The entropy context to pass to \p f_entropy.
+ * \param custom The personalization string.
+ * This can be \c NULL, in which case the personalization
+ * string is empty regardless of the value of \p len.
+ * \param len The length of the personalization string.
+ * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ * and also at most
+ * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2
+ * where \c entropy_len is the entropy length
+ * described above.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ * invalid.
+ * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ * memory to allocate context data.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ * if the call to \p f_entropy failed.
+ */
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len);
+
+/**
+ * \brief Initialisation of simplified HMAC_DRBG (never reseeds).
+ *
+ * This function is meant for use in algorithms that need a pseudorandom
+ * input such as deterministic ECDSA.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_hmac_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx HMAC_DRBG context to be initialised.
+ * \param md_info MD algorithm to use for HMAC_DRBG.
+ * \param data Concatenation of the initial entropy string and
+ * the additional data.
+ * \param data_len Length of \p data in bytes.
+ *
+ * \return \c 0 if successful. or
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ * invalid.
+ * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ * memory to allocate context data.
+ */
+int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ const unsigned char *data, size_t data_len);
+
+/**
+ * \brief This function turns prediction resistance on or off.
+ * The default value is off.
+ *
+ * \note If enabled, entropy is gathered at the beginning of
+ * every call to mbedtls_hmac_drbg_random_with_add()
+ * or mbedtls_hmac_drbg_random().
+ * Only use this if your entropy source has sufficient
+ * throughput.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
+ int resistance);
+
+/**
+ * \brief This function sets the amount of entropy grabbed on each
+ * seed or reseed.
+ *
+ * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param len The amount of entropy to grab, in bytes.
+ */
+void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx,
+ size_t len);
+
+/**
+ * \brief Set the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param interval The reseed interval.
+ */
+void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx,
+ int interval);
+
+/**
+ * \brief This function updates the state of the HMAC_DRBG context.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param additional The data to update the state with.
+ * If this is \c NULL, there is no additional data.
+ * \param add_len Length of \p additional in bytes.
+ * Unused if \p additional is \c NULL.
+ *
+ * \return \c 0 on success, or an error from the underlying
+ * hash calculation.
+ */
+int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t add_len);
+
+/**
+ * \brief This function reseeds the HMAC_DRBG context, that is
+ * extracts data from the entropy source.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param additional Additional data to add to the state.
+ * If this is \c NULL, there is no additional data
+ * and \p len should be \c 0.
+ * \param len The length of the additional data.
+ * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ * and also at most
+ * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len
+ * where \c entropy_len is the entropy length
+ * (see mbedtls_hmac_drbg_set_entropy_len()).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ * if a call to the entropy function failed.
+ */
+int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len);
+
+/**
+ * \brief This function updates an HMAC_DRBG instance with additional
+ * data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
+ * \param p_rng The HMAC_DRBG context. This must be a pointer to a
+ * #mbedtls_hmac_drbg_context structure.
+ * \param output The buffer to fill.
+ * \param output_len The length of the buffer in bytes.
+ * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \param additional Additional data to update with.
+ * If this is \c NULL, there is no additional data
+ * and \p add_len should be \c 0.
+ * \param add_len The length of the additional data.
+ * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ * if a call to the entropy source failed.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
+ * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ */
+int mbedtls_hmac_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t output_len,
+ const unsigned char *additional,
+ size_t add_len);
+
+/**
+ * \brief This function uses HMAC_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param p_rng The HMAC_DRBG context. This must be a pointer to a
+ * #mbedtls_hmac_drbg_context structure.
+ * \param output The buffer to fill.
+ * \param out_len The length of the buffer in bytes.
+ * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ * if a call to the entropy source failed.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ */
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len);
+
+/**
+ * \brief This function resets HMAC_DRBG context to the state immediately
+ * after initial call of mbedtls_hmac_drbg_init().
+ *
+ * \param ctx The HMAC_DRBG context to free.
+ */
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief This function writes a seed file.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param path The name of the file.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ * failure.
+ */
+int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
+
+/**
+ * \brief This function reads and updates a seed file. The seed
+ * is added to this instance.
+ *
+ * \param ctx The HMAC_DRBG context.
+ * \param path The name of the file.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ * reseed failure.
+ * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
+ * seed file is too large.
+ */
+int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path);
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The HMAC_DRBG Checkup routine.
+ *
+ * \return \c 0 if successful.
+ * \return \c 1 if the test failed.
+ */
+int mbedtls_hmac_drbg_self_test(int verbose);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hmac_drbg.h */
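Review bot: Two doc comments in this header name CTR_DRBG functions where the HMAC_DRBG ones are meant, and both are thread-safety statements that callers act on. The mutex invariant inside `mbedtls_hmac_drbg_context` says the mutex is freed in `mbedtls_ctr_drbg_free()`, which should read `mbedtls_hmac_drbg_free()`. The MBEDTLS_THREADING_C note above `mbedtls_hmac_drbg_random()` should say `it is safe to call mbedtls_hmac_drbg_random()` instead of `mbedtls_ctr_drbg_random()`. The `\return \c 0 if successful. or` line on `mbedtls_hmac_drbg_seed_buf()` also carries a stray "or". The header alone does not show whether the unconditional "not thread-safe" note on `mbedtls_hmac_drbg_random_with_add()` still holds in threaded builds, so that note is worth confirming against the implementation.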
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/lms.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/lms.h
new file mode 100644
index 0000000..95fce21
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/lms.h
@@ -0,0 +1,440 @@
+/**
+ * \file lms.h
+ *
+ * \brief This file provides an API for the LMS post-quantum-safe stateful-hash
+ public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ * This implementation currently only supports a single parameter set
+ * MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one
+ * of the signature schemes recommended by the IETF draft SUIT standard
+ * for IOT firmware upgrades (RFC9019).
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_LMS_H
+#define MBEDTLS_LMS_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "mbedtls/private_access.h"
+#include "mbedtls/build_info.h"
+
+#define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */
+#define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */
+#define MBEDTLS_ERR_LMS_VERIFY_FAILED -0x0015 /**< LMS signature verification failed */
+#define MBEDTLS_ERR_LMS_ALLOC_FAILED -0x0017 /**< LMS failed to allocate space for a private key */
+#define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */
+
+/* Currently only defined for SHA256, 32 is the max hash output size */
+#define MBEDTLS_LMOTS_N_HASH_LEN_MAX (32u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX (34u)
+#define MBEDTLS_LMOTS_N_HASH_LEN(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0)
+#define MBEDTLS_LMOTS_I_KEY_ID_LEN (16u)
+#define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4u)
+#define MBEDTLS_LMOTS_TYPE_LEN (4u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0)
+#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \
+ (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \
+ MBEDTLS_LMOTS_N_HASH_LEN(type)))
+
+
+#define MBEDTLS_LMS_TYPE_LEN (4)
+#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0)
+
+/* The length of a hash output, Currently only implemented for SHA256.
+ * Max is 32 bytes.
+ */
+#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0)
+#define MBEDTLS_LMS_M_NODE_BYTES_MAX 32
+
+#define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+ MBEDTLS_LMOTS_SIG_LEN(otstype) + \
+ MBEDTLS_LMS_TYPE_LEN + \
+ (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \
+ MBEDTLS_LMS_M_NODE_BYTES(type)))
+
+#define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \
+ MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+ MBEDTLS_LMS_M_NODE_BYTES(type))
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** The Identifier of the LMS parameter set, as per
+ * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
+ * We are only implementing a subset of the types, particularly H10, for the sake of simplicity.
+ */
+typedef enum {
+ MBEDTLS_LMS_SHA256_M32_H10 = 0x6,
+} mbedtls_lms_algorithm_type_t;
+
+/** The Identifier of the LMOTS parameter set, as per
+ * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml.
+ * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity.
+ */
+typedef enum {
+ MBEDTLS_LMOTS_SHA256_N32_W8 = 4
+} mbedtls_lmots_algorithm_type_t;
+
+/** LMOTS parameters structure.
+ *
+ * This contains the metadata associated with an LMOTS key, detailing the
+ * algorithm type, the key ID, and the leaf identifier should be key be part of
+ * a LMS key.
+ */
+typedef struct {
+ unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+ identifier. */
+ unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which
+ leaf of the LMS key this is.
+ 0 if the key is not part of an LMS key. */
+ mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as
+ per IANA. Only SHA256_N32_W8 is
+ currently supported. */
+} mbedtls_lmots_parameters_t;
+
+/** LMOTS public context structure.
+ *
+ * A LMOTS public key is a hash output, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PUBLIC_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+ Boolean values only. */
+} mbedtls_lmots_public_t;
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMOTS private context structure.
+ *
+ * A LMOTS private key is one hash output for each of digit of the digest +
+ * checksum, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PRIVATE_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ * HAVE_PRIVATE_KEY -> INIT [label="sign"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][
+ MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+ Boolean values only. */
+} mbedtls_lmots_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+
+/** LMS parameters structure.
+ *
+ * This contains the metadata associated with an LMS key, detailing the
+ * algorithm type, the type of the underlying OTS algorithm, and the key ID.
+ */
+typedef struct {
+ unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+ identifier. */
+ mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as
+ per IANA. Only SHA256_N32_W8 is
+ currently supported. */
+ mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per
+ IANA. Only SHA256_M32_H10 is currently
+ supported. */
+} mbedtls_lms_parameters_t;
+
+/** LMS public context structure.
+ *
+ * A LMS public key is the hash output that is the root of the Merkle tree, and
+ * the applicable parameter set
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PUBLIC_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+ unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in
+ the form of the Merkle tree root node. */
+ unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+ Boolean values only. */
+} mbedtls_lms_public_t;
+
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMS private context structure.
+ *
+ * A LMS private key is a set of LMOTS private keys, an index to the next usable
+ * key, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ * UNINITIALIZED -> INIT [label="init"];
+ * HAVE_PRIVATE_KEY -> INIT [label="free"];
+ * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+ mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+ uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not
+ been used. */
+ mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key
+ for each leaf node in the Merkle tree. NULL
+ when have_private_key is 0 and non-NULL otherwise.
+ is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */
+ mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to
+ build the Merkle tree. NULL
+ when have_private_key is 0 and
+ non-NULL otherwise.
+ Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type)
+ in length. */
+ unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+ Boolean values only. */
+} mbedtls_lms_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+/**
+ * \brief This function initializes an LMS public context
+ *
+ * \param ctx The uninitialized LMS context that will then be
+ * initialized.
+ */
+void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx);
+
+/**
+ * \brief This function uninitializes an LMS public context
+ *
+ * \param ctx The initialized LMS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx);
+
+/**
+ * \brief This function imports an LMS public key into a
+ * public LMS context.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMS context store the key in.
+ * \param key The buffer from which the key will be read.
+ * #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from
+ * this.
+ * \param key_size The size of the key being imported.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
+ const unsigned char *key, size_t key_size);
+
+/**
+ * \brief This function exports an LMS public key from a
+ * LMS public context that already contains a public
+ * key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a public key.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMS public context that contains
+ * the public key.
+ * \param key The buffer into which the key will be output. Must
+ * be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size.
+ * \param key_size The size of the key buffer.
+ * \param key_len If not NULL, will be written with the size of the
+ * key.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len);
+
+/**
+ * \brief This function verifies a LMS signature, using a
+ * LMS context that contains a public key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a public key
+ * (either by import or generation).
+ *
+ * \param ctx The initialized LMS public context from which the
+ * public key will be read.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf from which the signature will be read.
+ * #MBEDTLS_LMS_SIG_LEN bytes will be read from
+ * this.
+ * \param sig_size The size of the signature to be verified.
+ *
+ * \return \c 0 on successful verification.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size);
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/**
+ * \brief This function initializes an LMS private context
+ *
+ * \param ctx The uninitialized LMS private context that will
+ * then be initialized. */
+void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx);
+
+/**
+ * \brief This function uninitializes an LMS private context
+ *
+ * \param ctx The initialized LMS private context that will then
+ * be uninitialized.
+ */
+void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx);
+
+/**
+ * \brief This function generates an LMS private key, and
+ * stores in into an LMS private context.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * into.
+ * \param type The LMS parameter set identifier.
+ * \param otstype The LMOTS parameter set identifier.
+ * \param f_rng The RNG function to be used to generate the key ID.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param seed The seed used to deterministically generate the
+ * key.
+ * \param seed_size The length of the seed.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
+ mbedtls_lms_algorithm_type_t type,
+ mbedtls_lmots_algorithm_type_t otstype,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *seed,
+ size_t seed_size);
+
+/**
+ * \brief This function calculates an LMS public key from a
+ * LMS context that already contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a private key.
+ *
+ * \param ctx The initialized LMS public context to calculate the key
+ * from and store it into.
+ *
+ * \param priv_ctx The LMS private context to read the private key
+ * from. This must have been initialized and contain a
+ * private key.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
+ const mbedtls_lms_private_t *priv_ctx);
+
+/**
+ * \brief This function creates a LMS signature, using a
+ * LMS context that contains unused private keys.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a private
+ * key.
+ *
+ * \note Each of the LMOTS private keys inside a LMS private
+ * key can only be used once. If they are reused, then
+ * attackers may be able to forge signatures with that
+ * key. This is all handled transparently, but it is
+ * important to not perform copy operations on LMS
+ * contexts that contain private key material.
+ *
+ * \param ctx The initialized LMS private context from which the
+ * private key will be read.
+ * \param f_rng The RNG function to be used for signature
+ * generation.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf into which the signature will be stored.
+ * Must be at least #MBEDTLS_LMS_SIG_LEN in size.
+ * \param sig_size The size of the buffer the signature will be
+ * written into.
+ * \param sig_len If not NULL, will be written with the size of the
+ * signature.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg,
+ unsigned int msg_size, unsigned char *sig, size_t sig_size,
+ size_t *sig_len);
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMS_H */
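Review bot: `mbedtls_lms_sign()` declares `unsigned int msg_size` while `mbedtls_lms_verify()` takes `size_t msg_size`. Where `size_t` is wider than `unsigned int`, a length passed as `size_t` is narrowed implicitly, so the signature would presumably cover fewer bytes than the caller intended. Declaring the parameters as `const unsigned char *msg, size_t msg_size,` would match the verify side; the definition is outside this hunk and would need the same change. Separately, the file header cites `NIST.SP.200-208`, but the stateful hash-based signature recommendation is NIST SP 800-208. The comment on `MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL` also reads "requited" for "required".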
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/md.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/md.h
new file mode 100644
index 0000000..52946e6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/md.h
@@ -0,0 +1,526 @@
+/**
+ * \file md.h
+ *
+ * \brief This file contains the generic functions for message-digest
+ * (hashing) and HMAC.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_MD_H
+#define MBEDTLS_MD_H
+#include "mbedtls/private_access.h"
+
+#include <stddef.h>
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+/** The selected feature is not available. */
+#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100
+/** Failed to allocate memory. */
+#define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180
+/** Opening or reading of file failed. */
+#define MBEDTLS_ERR_MD_FILE_IO_ERROR -0x5200
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Supported message digests.
+ *
+ * \warning MD5 and SHA-1 are considered weak message digests and
+ * their use constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+/* Note: these are aligned with the definitions of PSA_ALG_ macros for hashes,
+ * in order to enable an efficient implementation of conversion functions.
+ * This is tested by md_to_from_psa() in test_suite_md. */
+typedef enum {
+ MBEDTLS_MD_NONE=0, /**< None. */
+ MBEDTLS_MD_MD5=0x03, /**< The MD5 message digest. */
+ MBEDTLS_MD_RIPEMD160=0x04, /**< The RIPEMD-160 message digest. */
+ MBEDTLS_MD_SHA1=0x05, /**< The SHA-1 message digest. */
+ MBEDTLS_MD_SHA224=0x08, /**< The SHA-224 message digest. */
+ MBEDTLS_MD_SHA256=0x09, /**< The SHA-256 message digest. */
+ MBEDTLS_MD_SHA384=0x0a, /**< The SHA-384 message digest. */
+ MBEDTLS_MD_SHA512=0x0b, /**< The SHA-512 message digest. */
+ MBEDTLS_MD_SHA3_224=0x10, /**< The SHA3-224 message digest. */
+ MBEDTLS_MD_SHA3_256=0x11, /**< The SHA3-256 message digest. */
+ MBEDTLS_MD_SHA3_384=0x12, /**< The SHA3-384 message digest. */
+ MBEDTLS_MD_SHA3_512=0x13, /**< The SHA3-512 message digest. */
+} mbedtls_md_type_t;
+
+/* Note: this should always be >= PSA_HASH_MAX_SIZE
+ * in all builds with both CRYPTO_C and MD_LIGHT.
+ *
+ * This is to make things easier for modules such as TLS that may define a
+ * buffer size using MD_MAX_SIZE in a part of the code that's common to PSA
+ * and legacy, then assume the buffer's size is PSA_HASH_MAX_SIZE in another
+ * part of the code based on PSA.
+ */
+#if defined(MBEDTLS_MD_CAN_SHA512) || defined(PSA_WANT_ALG_SHA3_512)
+#define MBEDTLS_MD_MAX_SIZE 64 /* longest known is SHA512 */
+#elif defined(PSA_WANT_ALG_SHA_384) || defined(MBEDTLS_MD_CAN_SHA3_384)
+#define MBEDTLS_MD_MAX_SIZE 48 /* longest known is SHA384 */
+#elif defined(MBEDTLS_MD_CAN_SHA256) || defined(PSA_WANT_ALG_SHA3_256)
+#define MBEDTLS_MD_MAX_SIZE 32 /* longest known is SHA256 */
+#elif defined(PSA_WANT_ALG_SHA_224) || defined(MBEDTLS_MD_CAN_SHA3_224)
+#define MBEDTLS_MD_MAX_SIZE 28 /* longest known is SHA224 */
+#else
+#define MBEDTLS_MD_MAX_SIZE 20 /* longest known is SHA1 or RIPE MD-160
+ or smaller (MD5 and earlier) */
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 144 /* the longest known is SHA3-224 */
+#elif defined(PSA_WANT_ALG_SHA3_256)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 136
+#elif defined(MBEDTLS_MD_CAN_SHA512) || defined(PSA_WANT_ALG_SHA_384)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 128
+#elif defined(MBEDTLS_MD_CAN_SHA3_384)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 104
+#elif defined(PSA_WANT_ALG_SHA3_512)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 72
+#else
+#define MBEDTLS_MD_MAX_BLOCK_SIZE 64
+#endif
+
+/**
+ * Opaque struct.
+ *
+ * Constructed using either #mbedtls_md_info_from_string or
+ * #mbedtls_md_info_from_type.
+ *
+ * Fields can be accessed with #mbedtls_md_get_size,
+ * #mbedtls_md_get_type and #mbedtls_md_get_name.
+ */
+/* Defined internally in library/md_wrap.h. */
+typedef struct mbedtls_md_info_t mbedtls_md_info_t;
+
+/**
+ * Used internally to indicate whether a context uses legacy or PSA.
+ *
+ * Internal use only.
+ */
+typedef enum {
+ MBEDTLS_MD_ENGINE_LEGACY = 0,
+ MBEDTLS_MD_ENGINE_PSA,
+} mbedtls_md_engine_t;
+
+/**
+ * The generic message-digest context.
+ */
+typedef struct mbedtls_md_context_t {
+ /** Information about the associated message digest. */
+ const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info);
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ /** Are hash operations dispatched to PSA or legacy? */
+ mbedtls_md_engine_t MBEDTLS_PRIVATE(engine);
+#endif
+
+ /** The digest-specific context (legacy) or the PSA operation. */
+ void *MBEDTLS_PRIVATE(md_ctx);
+
+#if defined(MBEDTLS_MD_C)
+ /** The HMAC part of the context. */
+ void *MBEDTLS_PRIVATE(hmac_ctx);
+#endif
+} mbedtls_md_context_t;
+
+/**
+ * \brief This function returns the message-digest information
+ * associated with the given digest type.
+ *
+ * \param md_type The type of digest to search for.
+ *
+ * \return The message-digest information associated with \p md_type.
+ * \return NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type);
+
+/**
+ * \brief This function initializes a message-digest context without
+ * binding it to a particular message-digest algorithm.
+ *
+ * This function should always be called first. It prepares the
+ * context for mbedtls_md_setup() for binding it to a
+ * message-digest algorithm.
+ */
+void mbedtls_md_init(mbedtls_md_context_t *ctx);
+
+/**
+ * \brief This function clears the internal structure of \p ctx and
+ * frees any embedded internal structure, but does not free
+ * \p ctx itself.
+ *
+ * If you have called mbedtls_md_setup() on \p ctx, you must
+ * call mbedtls_md_free() when you are no longer using the
+ * context.
+ * Calling this function if you have previously
+ * called mbedtls_md_init() and nothing else is optional.
+ * You must not call this function if you have not called
+ * mbedtls_md_init().
+ */
+void mbedtls_md_free(mbedtls_md_context_t *ctx);
+
+
+/**
+ * \brief This function selects the message digest algorithm to use,
+ * and allocates internal structures.
+ *
+ * It should be called after mbedtls_md_init() or
+ * mbedtls_md_free(). Makes it necessary to call
+ * mbedtls_md_free() later.
+ *
+ * \param ctx The context to set up.
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ * \param hmac Defines if HMAC is used. 0: HMAC is not used (saves some memory),
+ * or non-zero: HMAC is used with this context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ * \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac);
+
+/**
+ * \brief This function clones the state of a message-digest
+ * context.
+ *
+ * \note You must call mbedtls_md_setup() on \c dst before calling
+ * this function.
+ *
+ * \note The two contexts must have the same type,
+ * for example, both are SHA-256.
+ *
+ * \warning This function clones the message-digest state, not the
+ * HMAC state.
+ *
+ * \param dst The destination context.
+ * \param src The context to be cloned.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
+ * \return #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are
+ * not using the same engine. This can be avoided by moving
+ * the call to psa_crypto_init() before the first call to
+ * mbedtls_md_setup().
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_clone(mbedtls_md_context_t *dst,
+ const mbedtls_md_context_t *src);
+
+/**
+ * \brief This function extracts the message-digest size from the
+ * message-digest information structure.
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ *
+ * \return The size of the message-digest output in Bytes.
+ */
+unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info);
+
+/**
+ * \brief This function gives the message-digest size associated to
+ * message-digest type.
+ *
+ * \param md_type The message-digest type.
+ *
+ * \return The size of the message-digest output in Bytes,
+ * or 0 if the message-digest type is not known.
+ */
+static inline unsigned char mbedtls_md_get_size_from_type(mbedtls_md_type_t md_type)
+{
+ return mbedtls_md_get_size(mbedtls_md_info_from_type(md_type));
+}
+
+/**
+ * \brief This function extracts the message-digest type from the
+ * message-digest information structure.
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ *
+ * \return The type of the message digest.
+ */
+mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info);
+
+/**
+ * \brief This function starts a message-digest computation.
+ *
+ * You must call this function after setting up the context
+ * with mbedtls_md_setup(), and before passing data with
+ * mbedtls_md_update().
+ *
+ * \param ctx The generic message-digest context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_starts(mbedtls_md_context_t *ctx);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing
+ * message-digest computation.
+ *
+ * You must call mbedtls_md_starts() before calling this
+ * function. You may call this function multiple times.
+ * Afterwards, call mbedtls_md_finish().
+ *
+ * \param ctx The generic message-digest context.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen);
+
+/**
+ * \brief This function finishes the digest operation,
+ * and writes the result to the output buffer.
+ *
+ * Call this function after a call to mbedtls_md_starts(),
+ * followed by any number of calls to mbedtls_md_update().
+ * Afterwards, you may either clear the context with
+ * mbedtls_md_free(), or call mbedtls_md_starts() to reuse
+ * the context for another digest operation with the same
+ * algorithm.
+ *
+ * \param ctx The generic message-digest context.
+ * \param output The buffer for the generic message-digest checksum result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output);
+
+/**
+ * \brief This function calculates the message-digest of a buffer,
+ * with respect to a configurable message-digest algorithm
+ * in a single call.
+ *
+ * The result is calculated as
+ * Output = message_digest(input buffer).
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ * \param input The buffer holding the data.
+ * \param ilen The length of the input data.
+ * \param output The generic message-digest checksum result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+ unsigned char *output);
+
+/**
+ * \brief This function returns the list of digests supported by the
+ * generic digest module.
+ *
+ * \note The list starts with the strongest available hashes.
+ *
+ * \return A statically allocated array of digests. Each element
+ * in the returned list is an integer belonging to the
+ * message-digest enumeration #mbedtls_md_type_t.
+ * The last entry is 0.
+ */
+const int *mbedtls_md_list(void);
+
+/**
+ * \brief This function returns the message-digest information
+ * associated with the given digest name.
+ *
+ * \param md_name The name of the digest to search for.
+ *
+ * \return The message-digest information associated with \p md_name.
+ * \return NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name);
+
+/**
+ * \brief This function returns the name of the message digest for
+ * the message-digest information structure given.
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ *
+ * \return The name of the message digest.
+ */
+const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info);
+
+/**
+ * \brief This function returns the message-digest information
+ * from the given context.
+ *
+ * \param ctx The context from which to extract the information.
+ * This must be initialized (or \c NULL).
+ *
+ * \return The message-digest information associated with \p ctx.
+ * \return \c NULL if \p ctx is \c NULL.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
+ const mbedtls_md_context_t *ctx);
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief This function calculates the message-digest checksum
+ * result of the contents of the provided file.
+ *
+ * The result is calculated as
+ * Output = message_digest(file contents).
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ * \param path The input file name.
+ * \param output The generic message-digest checksum result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
+ * the file pointed by \p path.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path,
+ unsigned char *output);
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief This function sets the HMAC key and prepares to
+ * authenticate a new message.
+ *
+ * Call this function after mbedtls_md_setup(), to use
+ * the MD context for an HMAC calculation, then call
+ * mbedtls_md_hmac_update() to provide the input data, and
+ * mbedtls_md_hmac_finish() to get the HMAC value.
+ *
+ * \param ctx The message digest context containing an embedded HMAC
+ * context.
+ * \param key The HMAC secret key.
+ * \param keylen The length of the HMAC key in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key,
+ size_t keylen);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing HMAC
+ * computation.
+ *
+ * Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
+ * before calling this function.
+ * You may call this function multiple times to pass the
+ * input piecewise.
+ * Afterwards, call mbedtls_md_hmac_finish().
+ *
+ * \param ctx The message digest context containing an embedded HMAC
+ * context.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief This function finishes the HMAC operation, and writes
+ * the result to the output buffer.
+ *
+ * Call this function after mbedtls_md_hmac_starts() and
+ * mbedtls_md_hmac_update() to get the HMAC value. Afterwards
+ * you may either call mbedtls_md_free() to clear the context,
+ * or call mbedtls_md_hmac_reset() to reuse the context with
+ * the same HMAC key.
+ *
+ * \param ctx The message digest context containing an embedded HMAC
+ * context.
+ * \param output The generic HMAC checksum result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output);
+
+/**
+ * \brief This function prepares to authenticate a new message with
+ * the same key as the previous HMAC operation.
+ *
+ * You may call this function after mbedtls_md_hmac_finish().
+ * Afterwards call mbedtls_md_hmac_update() to pass the new
+ * input.
+ *
+ * \param ctx The message digest context containing an embedded HMAC
+ * context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx);
+
+/**
+ * \brief This function calculates the full generic HMAC
+ * on the input buffer with the provided key.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The HMAC result is calculated as
+ * output = generic HMAC(hmac key, input buffer).
+ *
+ * \param md_info The information structure of the message-digest algorithm
+ * to use.
+ * \param key The HMAC secret key.
+ * \param keylen The length of the HMAC secret key in Bytes.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ * \param output The generic HMAC result.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ * failure.
+ */
+MBEDTLS_CHECK_RETURN_TYPICAL
+int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_H */
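Review bot: The digest-producing prototypes (`mbedtls_md_finish`, `mbedtls_md`, `mbedtls_md_file`, `mbedtls_md_hmac_finish`, `mbedtls_md_hmac`) take `unsigned char *output` with no length parameter, and their `\param output` text never says how large the buffer must be. Because the callee cannot check the size, the comment is the only guard against an undersized buffer; I would extend it to something like `\param output The buffer for the result. Must be writable for at least mbedtls_md_get_size(md_info) bytes; #MBEDTLS_MD_MAX_SIZE is always sufficient.` That wording is inferred from the signatures and the `MBEDTLS_MD_MAX_SIZE` comment in this header, since the implementation is not part of this hunk. Separately, `mbedtls_md_get_size_from_type()` promises 0 for an unknown type, which relies on `mbedtls_md_get_size()` accepting the NULL that `mbedtls_md_info_from_type()` may return. If that is the contract, the comment on `mbedtls_md_get_size()` should say that a NULL `md_info` yields 0.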
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/md5.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/md5.h
new file mode 100644
index 0000000..6bf0754
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/md5.h
@@ -0,0 +1,190 @@
+/**
+ * \file md5.h
+ *
+ * \brief MD5 message digest algorithm (hash function)
+ *
+ * \warning MD5 is considered a weak message digest and its use constitutes a
+ * security risk. We recommend considering stronger message
+ * digests instead.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MD5_H
+#define MBEDTLS_MD5_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD5_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief MD5 context structure
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md5_context {
+ uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */
+ uint32_t MBEDTLS_PRIVATE(state)[4]; /*!< intermediate digest state */
+ unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */
+}
+mbedtls_md5_context;
+
+#else /* MBEDTLS_MD5_ALT */
+#include "md5_alt.h"
+#endif /* MBEDTLS_MD5_ALT */
+
+/**
+ * \brief Initialize MD5 context
+ *
+ * \param ctx MD5 context to be initialized
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+void mbedtls_md5_init(mbedtls_md5_context *ctx);
+
+/**
+ * \brief Clear MD5 context
+ *
+ * \param ctx MD5 context to be cleared
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+void mbedtls_md5_free(mbedtls_md5_context *ctx);
+
+/**
+ * \brief Clone (the state of) an MD5 context
+ *
+ * \param dst The destination context
+ * \param src The context to be cloned
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+void mbedtls_md5_clone(mbedtls_md5_context *dst,
+ const mbedtls_md5_context *src);
+
+/**
+ * \brief MD5 context setup
+ *
+ * \param ctx context to be initialized
+ *
+ * \return 0 if successful
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_md5_starts(mbedtls_md5_context *ctx);
+
+/**
+ * \brief MD5 process buffer
+ *
+ * \param ctx MD5 context
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ *
+ * \return 0 if successful
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_md5_update(mbedtls_md5_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief MD5 final digest
+ *
+ * \param ctx MD5 context
+ * \param output MD5 checksum result
+ *
+ * \return 0 if successful
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_md5_finish(mbedtls_md5_context *ctx,
+ unsigned char output[16]);
+
+/**
+ * \brief MD5 process data block (internal use only)
+ *
+ * \param ctx MD5 context
+ * \param data buffer holding one block of data
+ *
+ * \return 0 if successful
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
+ const unsigned char data[64]);
+
+/**
+ * \brief Output = MD5( input buffer )
+ *
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ * \param output MD5 checksum result
+ *
+ * \return 0 if successful
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_md5(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[16]);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ *
+ * \warning MD5 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+int mbedtls_md5_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md5.h */
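Review bot: Every `int`-returning function in this header documents only `\return 0 if successful`, so a caller is never told what a failure looks like. I would add a second line such as `\return A non-zero error code on failure.` to `mbedtls_md5_starts`, `_update`, `_finish`, `mbedtls_internal_md5_process` and `mbedtls_md5`. The equivalents in md.h in this same commit carry `MBEDTLS_CHECK_RETURN_TYPICAL`; marking these too would presumably need the `mbedtls/platform_util.h` include that md.h has. `mbedtls_internal_md5_process` is labelled "internal use only" but is declared in a public header, so its comment should say why it is exposed (for example, if alternative implementations need it). The closing `#endif /* mbedtls_md5.h */` also does not name the guard `MBEDTLS_MD5_H`.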
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/memory_buffer_alloc.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/memory_buffer_alloc.h
new file mode 100644
index 0000000..b527d9b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/memory_buffer_alloc.h
@@ -0,0 +1,142 @@
+/**
+ * \file memory_buffer_alloc.h
+ *
+ * \brief Buffer-based memory allocator
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
+#endif
+
+/** \} name SECTION: Module settings */
+
+#define MBEDTLS_MEMORY_VERIFY_NONE 0
+#define MBEDTLS_MEMORY_VERIFY_ALLOC (1 << 0)
+#define MBEDTLS_MEMORY_VERIFY_FREE (1 << 1)
+#define MBEDTLS_MEMORY_VERIFY_ALWAYS (MBEDTLS_MEMORY_VERIFY_ALLOC | \
+ MBEDTLS_MEMORY_VERIFY_FREE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Initialize use of stack-based memory allocator.
+ * The stack-based allocator does memory management inside the
+ * presented buffer and does not call calloc() and free().
+ * It sets the global mbedtls_calloc() and mbedtls_free() pointers
+ * to its own functions.
+ * (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
+ * MBEDTLS_THREADING_C is defined)
+ *
+ * \note This code is not optimized and provides a straight-forward
+ * implementation of a stack-based memory allocator.
+ *
+ * \param buf buffer to use as heap
+ * \param len size of the buffer
+ */
+void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len);
+
+/**
+ * \brief Free the mutex for thread-safety and clear remaining memory
+ */
+void mbedtls_memory_buffer_alloc_free(void);
+
+/**
+ * \brief Determine when the allocator should automatically verify the state
+ * of the entire chain of headers / meta-data.
+ * (Default: MBEDTLS_MEMORY_VERIFY_NONE)
+ *
+ * \param verify One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
+ * MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
+ */
+void mbedtls_memory_buffer_set_verify(int verify);
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+/**
+ * \brief Print out the status of the allocated memory (primarily for use
+ * after a program should have de-allocated all memory)
+ * Prints out a list of 'still allocated' blocks and their stack
+ * trace if MBEDTLS_MEMORY_BACKTRACE is defined.
+ */
+void mbedtls_memory_buffer_alloc_status(void);
+
+/**
+ * \brief Get the number of alloc/free so far.
+ *
+ * \param alloc_count Number of allocations.
+ * \param free_count Number of frees.
+ */
+void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count);
+
+/**
+ * \brief Get the peak heap usage so far
+ *
+ * \param max_used Peak number of bytes in use or committed. This
+ * includes bytes in allocated blocks too small to split
+ * into smaller blocks but larger than the requested size.
+ * \param max_blocks Peak number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks);
+
+/**
+ * \brief Reset peak statistics
+ */
+void mbedtls_memory_buffer_alloc_max_reset(void);
+
+/**
+ * \brief Get the current heap usage
+ *
+ * \param cur_used Current number of bytes in use or committed. This
+ * includes bytes in allocated blocks too small to split
+ * into smaller blocks but larger than the requested size.
+ * \param cur_blocks Current number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks);
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+/**
+ * \brief Verifies that all headers in the memory buffer are correct
+ * and contain sane values. Helps debug buffer-overflow errors.
+ *
+ * Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
+ * Prints out full header information if MBEDTLS_MEMORY_DEBUG
+ * is defined. (Includes stack trace information for each block if
+ * MBEDTLS_MEMORY_BACKTRACE is defined as well).
+ *
+ * \return 0 if verified, 1 otherwise
+ */
+int mbedtls_memory_buffer_alloc_verify(void);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if a test failed
+ */
+int mbedtls_memory_buffer_alloc_self_test(int verbose);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* memory_buffer_alloc.h */
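Review bot: `mbedtls_memory_buffer_alloc_init()` is documented as pointing the global `mbedtls_calloc()` and `mbedtls_free()` at its own functions, but the comment says nothing about how long `buf` must stay valid, and calling the allocator "stack-based" next to `\param buf buffer to use as heap` invites passing a short-lived local array. I would add `\note buf must remain valid, and must not be accessed by the caller, until mbedtls_memory_buffer_alloc_free() is called.`; this is inferred from the documented global effect, as the implementation is not in this hunk. The description of `mbedtls_memory_buffer_alloc_verify()` gives the same condition, `MBEDTLS_MEMORY_DEBUG`, for both "first failure" and "full header information", so one of the two sentences looks stale. It may also be worth stating beside `mbedtls_memory_buffer_set_verify()` that with the default `MBEDTLS_MEMORY_VERIFY_NONE` header corruption is presumably only reported by an explicit call to the verify function.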
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/nist_kw.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/nist_kw.h
new file mode 100644
index 0000000..d353f3d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/nist_kw.h
@@ -0,0 +1,166 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ * padding (KWP) as defined in NIST SP 800-38F.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ * Key wrapping specifies a deterministic authenticated-encryption mode
+ * of operation, according to <em>NIST SP 800-38F: Recommendation for
+ * Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ * purpose is to protect cryptographic keys.
+ *
+ * Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ * https://tools.ietf.org/html/rfc3394
+ * https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+ MBEDTLS_KW_MODE_KW = 0,
+ MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The key wrapping context-type definition. The key wrapping context is passed
+ * to the APIs called.
+ *
+ * \note The definition of this type may change in future library versions.
+ * Don't make any assumptions on this context!
+ */
+typedef struct {
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief This function initializes the specified key wrapping context
+ * to make references valid and prepare the context
+ * for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx);
+
+/**
+ * \brief This function initializes the key wrapping context set in the
+ * \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx The key wrapping context.
+ * \param cipher The 128-bit block cipher to use. Only AES is supported.
+ * \param key The Key Encryption Key (KEK).
+ * \param keybits The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ * which are not supported.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits,
+ const int is_wrap);
+
+/**
+ * \brief This function releases and clears the specified key wrapping context
+ * and underlying cipher sub-context.
+ *
+ * \param ctx The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx);
+
+/**
+ * \brief This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx The key wrapping context to use for encryption.
+ * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input The buffer holding the input data.
+ * \param in_len The length of the input data in Bytes.
+ * The input uses units of 8 Bytes called semiblocks.
+ * <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ * <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output The buffer holding the output data.
+ * <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ * <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ * 8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size);
+
+/**
+ * \brief This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx The key wrapping context to use for decryption.
+ * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input The buffer holding the input data.
+ * \param in_len The length of the input data in Bytes.
+ * The input uses units of 8 Bytes called semiblocks.
+ * The input must be a multiple of semiblocks.
+ * <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ * <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output The buffer holding the output data.
+ * The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ * depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief The key wrapping checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
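Review bot: The comment on `mbedtls_nist_kw_unwrap()` lists `MBEDTLS_ERR_CIPHER_AUTH_FAILED` and says `out_len` is 0 on failure, but it does not say what state `output` is left in when verification of the ciphertext fails. Callers unwrapping key material need that stated; I would add `\note On any non-zero return the contents of \p output are unspecified and must not be used.`, or "are zeroized" if that is what the implementation guarantees, which is not visible here. In `mbedtls_nist_kw_wrap()` the KWP text for `output` ("at least 8 bytes larger rounded up to a multiple of 8 bytes for KWP (15 bytes at most)") is hard to parse and would be clearer as a bound expressed against `in_len`. The line `#else /* MBEDTLS_NIST_key wrapping_ALT */` looks like a search-and-replace casualty and should read `#else /* MBEDTLS_NIST_KW_ALT */`.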
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/oid.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/oid.h
new file mode 100644
index 0000000..fdc25eb
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/oid.h
@@ -0,0 +1,727 @@
+/**
+ * \file oid.h
+ *
+ * \brief Object Identifier (OID) database
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_OID_H
+#define MBEDTLS_OID_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/pk.h"
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif
+
+#include "mbedtls/md.h"
+
+/** OID is not found. */
+#define MBEDTLS_ERR_OID_NOT_FOUND -0x002E
+/** output buffer is too small */
+#define MBEDTLS_ERR_OID_BUF_TOO_SMALL -0x000B
+
+/* This is for the benefit of X.509, but defined here in order to avoid
+ * having a "backwards" include of x.509.h here */
+/*
+ * X.509 extension types (internal, arbitrary values for bitsets)
+ */
+#define MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
+#define MBEDTLS_OID_X509_EXT_KEY_USAGE (1 << 2)
+#define MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES (1 << 3)
+#define MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS (1 << 4)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME (1 << 5)
+#define MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME (1 << 6)
+#define MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
+#define MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS (1 << 8)
+#define MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS (1 << 9)
+#define MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS (1 << 10)
+#define MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE (1 << 11)
+#define MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
+#define MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13)
+#define MBEDTLS_OID_X509_EXT_FRESHEST_CRL (1 << 14)
+#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16)
+
+/*
+ * Maximum number of OID components allowed
+ */
+#define MBEDTLS_OID_MAX_COMPONENTS 128
+
+/*
+ * Top level OID tuples
+ */
+#define MBEDTLS_OID_ISO_MEMBER_BODIES "\x2a" /* {iso(1) member-body(2)} */
+#define MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x2b" /* {iso(1) identified-organization(3)} */
+#define MBEDTLS_OID_ISO_CCITT_DS "\x55" /* {joint-iso-ccitt(2) ds(5)} */
+#define MBEDTLS_OID_ISO_ITU_COUNTRY "\x60" /* {joint-iso-itu-t(2) country(16)} */
+
+/*
+ * ISO Member bodies OID parts
+ */
+#define MBEDTLS_OID_COUNTRY_US "\x86\x48" /* {us(840)} */
+#define MBEDTLS_OID_ORG_RSA_DATA_SECURITY "\x86\xf7\x0d" /* {rsadsi(113549)} */
+#define MBEDTLS_OID_RSA_COMPANY MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+ MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+#define MBEDTLS_OID_ORG_ANSI_X9_62 "\xce\x3d" /* ansi-X9-62(10045) */
+#define MBEDTLS_OID_ANSI_X9_62 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+ MBEDTLS_OID_ORG_ANSI_X9_62
+
+/*
+ * ISO Identified organization OID parts
+ */
+#define MBEDTLS_OID_ORG_DOD "\x06" /* {dod(6)} */
+#define MBEDTLS_OID_ORG_OIW "\x0e"
+#define MBEDTLS_OID_OIW_SECSIG MBEDTLS_OID_ORG_OIW "\x03"
+#define MBEDTLS_OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG "\x02"
+#define MBEDTLS_OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
+#define MBEDTLS_OID_ORG_THAWTE "\x65" /* thawte(101) */
+#define MBEDTLS_OID_THAWTE MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+ MBEDTLS_OID_ORG_THAWTE
+#define MBEDTLS_OID_ORG_CERTICOM "\x81\x04" /* certicom(132) */
+#define MBEDTLS_OID_CERTICOM MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+ MBEDTLS_OID_ORG_CERTICOM
+#define MBEDTLS_OID_ORG_TELETRUST "\x24" /* teletrust(36) */
+#define MBEDTLS_OID_TELETRUST MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+ MBEDTLS_OID_ORG_TELETRUST
+
+/*
+ * ISO ITU OID parts
+ */
+#define MBEDTLS_OID_ORGANIZATION "\x01" /* {organization(1)} */
+#define MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_COUNTRY MBEDTLS_OID_COUNTRY_US \
+ MBEDTLS_OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
+
+#define MBEDTLS_OID_ORG_GOV "\x65" /* {gov(101)} */
+#define MBEDTLS_OID_GOV MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
+
+#define MBEDTLS_OID_ORG_NETSCAPE "\x86\xF8\x42" /* {netscape(113730)} */
+#define MBEDTLS_OID_NETSCAPE MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
+
+/* ISO arc for standard certificate and CRL extensions */
+#define MBEDTLS_OID_ID_CE MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
+
+#define MBEDTLS_OID_NIST_ALG MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
+
+/**
+ * Private Internet Extensions
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ * security(5) mechanisms(5) pkix(7) }
+ */
+#define MBEDTLS_OID_INTERNET MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD \
+ "\x01"
+#define MBEDTLS_OID_PKIX MBEDTLS_OID_INTERNET "\x05\x05\x07"
+
+/*
+ * Arc for standard naming attributes
+ */
+#define MBEDTLS_OID_AT MBEDTLS_OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
+#define MBEDTLS_OID_AT_CN MBEDTLS_OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
+#define MBEDTLS_OID_AT_SUR_NAME MBEDTLS_OID_AT "\x04" /**< id-at-surName AttributeType:= {id-at 4} */
+#define MBEDTLS_OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT "\x05" /**< id-at-serialNumber AttributeType:= {id-at 5} */
+#define MBEDTLS_OID_AT_COUNTRY MBEDTLS_OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
+#define MBEDTLS_OID_AT_LOCALITY MBEDTLS_OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
+#define MBEDTLS_OID_AT_STATE MBEDTLS_OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
+#define MBEDTLS_OID_AT_ORGANIZATION MBEDTLS_OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
+#define MBEDTLS_OID_AT_ORG_UNIT MBEDTLS_OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
+#define MBEDTLS_OID_AT_TITLE MBEDTLS_OID_AT "\x0C" /**< id-at-title AttributeType:= {id-at 12} */
+#define MBEDTLS_OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT "\x10" /**< id-at-postalAddress AttributeType:= {id-at 16} */
+#define MBEDTLS_OID_AT_POSTAL_CODE MBEDTLS_OID_AT "\x11" /**< id-at-postalCode AttributeType:= {id-at 17} */
+#define MBEDTLS_OID_AT_GIVEN_NAME MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
+#define MBEDTLS_OID_AT_INITIALS MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
+#define MBEDTLS_OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
+#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributeType:= {id-at 45} */
+#define MBEDTLS_OID_AT_DN_QUALIFIER MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
+#define MBEDTLS_OID_AT_PSEUDONYM MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
+
+#define MBEDTLS_OID_UID "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x01" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) uid(1)} */
+#define MBEDTLS_OID_DOMAIN_COMPONENT "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
+
+/*
+ * OIDs for standard certificate extensions
+ */
+#define MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
+#define MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
+#define MBEDTLS_OID_KEY_USAGE MBEDTLS_OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
+#define MBEDTLS_OID_CERTIFICATE_POLICIES MBEDTLS_OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
+#define MBEDTLS_OID_POLICY_MAPPINGS MBEDTLS_OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
+#define MBEDTLS_OID_SUBJECT_ALT_NAME MBEDTLS_OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
+#define MBEDTLS_OID_ISSUER_ALT_NAME MBEDTLS_OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
+#define MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
+#define MBEDTLS_OID_BASIC_CONSTRAINTS MBEDTLS_OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
+#define MBEDTLS_OID_NAME_CONSTRAINTS MBEDTLS_OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
+#define MBEDTLS_OID_POLICY_CONSTRAINTS MBEDTLS_OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
+#define MBEDTLS_OID_EXTENDED_KEY_USAGE MBEDTLS_OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
+#define MBEDTLS_OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
+#define MBEDTLS_OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
+#define MBEDTLS_OID_FRESHEST_CRL MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
+
+/*
+ * Certificate policies
+ */
+#define MBEDTLS_OID_ANY_POLICY MBEDTLS_OID_CERTIFICATE_POLICIES "\x00" /**< anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } */
+
+/*
+ * Netscape certificate extensions
+ */
+#define MBEDTLS_OID_NS_CERT MBEDTLS_OID_NETSCAPE "\x01"
+#define MBEDTLS_OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT "\x01"
+#define MBEDTLS_OID_NS_BASE_URL MBEDTLS_OID_NS_CERT "\x02"
+#define MBEDTLS_OID_NS_REVOCATION_URL MBEDTLS_OID_NS_CERT "\x03"
+#define MBEDTLS_OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CERT "\x04"
+#define MBEDTLS_OID_NS_RENEWAL_URL MBEDTLS_OID_NS_CERT "\x07"
+#define MBEDTLS_OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CERT "\x08"
+#define MBEDTLS_OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_CERT "\x0C"
+#define MBEDTLS_OID_NS_COMMENT MBEDTLS_OID_NS_CERT "\x0D"
+#define MBEDTLS_OID_NS_DATA_TYPE MBEDTLS_OID_NETSCAPE "\x02"
+#define MBEDTLS_OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_DATA_TYPE "\x05"
+
+/*
+ * OIDs for CRL extensions
+ */
+#define MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_ID_CE "\x10"
+#define MBEDTLS_OID_CRL_NUMBER MBEDTLS_OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
+
+/*
+ * X.509 v3 Extended key usage OIDs
+ */
+#define MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
+
+#define MBEDTLS_OID_KP MBEDTLS_OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
+#define MBEDTLS_OID_SERVER_AUTH MBEDTLS_OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
+#define MBEDTLS_OID_CLIENT_AUTH MBEDTLS_OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
+#define MBEDTLS_OID_CODE_SIGNING MBEDTLS_OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
+#define MBEDTLS_OID_EMAIL_PROTECTION MBEDTLS_OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
+#define MBEDTLS_OID_TIME_STAMPING MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
+#define MBEDTLS_OID_OCSP_SIGNING MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+
+/**
+ * Wi-SUN Alliance Field Area Network
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ * private(4) enterprise(1) WiSUN(45605) FieldAreaNetwork(1) }
+ */
+#define MBEDTLS_OID_WISUN_FAN MBEDTLS_OID_INTERNET "\x04\x01\x82\xe4\x25\x01"
+
+#define MBEDTLS_OID_ON MBEDTLS_OID_PKIX "\x08" /**< id-on OBJECT IDENTIFIER ::= { id-pkix 8 } */
+#define MBEDTLS_OID_ON_HW_MODULE_NAME MBEDTLS_OID_ON "\x04" /**< id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on 4 } */
+
+/*
+ * PKCS definition OIDs
+ */
+
+#define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
+#define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */
+#define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
+
+/*
+ * PKCS#1 OIDs
+ */
+#define MBEDTLS_OID_PKCS1_RSA MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
+#define MBEDTLS_OID_PKCS1_MD5 MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
+#define MBEDTLS_OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
+#define MBEDTLS_OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
+#define MBEDTLS_OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
+#define MBEDTLS_OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
+#define MBEDTLS_OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
+
+#define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
+
+#define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+
+/* RFC 4055 */
+#define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
+#define MBEDTLS_OID_MGF1 MBEDTLS_OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */
+
+/*
+ * Digest algorithms
+ */
+#define MBEDTLS_OID_DIGEST_ALG_MD5 MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA1 MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+ MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224 MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256 MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA384 MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA512 MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_RIPEMD160 MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */
+
+
+#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
+
+#define MBEDTLS_OID_HMAC_SHA224 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
+
+#define MBEDTLS_OID_HMAC_SHA256 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
+
+#define MBEDTLS_OID_HMAC_SHA384 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
+
+#define MBEDTLS_OID_HMAC_SHA512 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
+
+#define MBEDTLS_OID_HMAC_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x0d" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-224(13) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x0e" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-256(14) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x0f" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-384(15) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x10" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-512(16) } */
+
+#define MBEDTLS_OID_HMAC_RIPEMD160 MBEDTLS_OID_INTERNET "\x05\x05\x08\x01\x04" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) iso-identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) ipsec(8) isakmpOakley(1) hmacRIPEMD160(4)} */
+
+/*
+ * Encryption algorithms,
+ * the following standardized object identifiers are specified at
+ * https://datatracker.ietf.org/doc/html/rfc8018#appendix-C.
+ */
+#define MBEDTLS_OID_DES_CBC MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+ MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
+#define MBEDTLS_OID_DES_EDE3_CBC MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+#define MBEDTLS_OID_AES MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
+#define MBEDTLS_OID_AES_128_CBC MBEDTLS_OID_AES "\x02" /** aes128-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes128-CBC-PAD(2) } */
+#define MBEDTLS_OID_AES_192_CBC MBEDTLS_OID_AES "\x16" /** aes192-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes192-CBC-PAD(22) } */
+#define MBEDTLS_OID_AES_256_CBC MBEDTLS_OID_AES "\x2a" /** aes256-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes256-CBC-PAD(42) } */
+
+/*
+ * Key Wrapping algorithms
+ */
+/*
+ * RFC 5649
+ */
+#define MBEDTLS_OID_AES128_KW MBEDTLS_OID_AES "\x05" /** id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } */
+#define MBEDTLS_OID_AES128_KWP MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
+#define MBEDTLS_OID_AES192_KW MBEDTLS_OID_AES "\x19" /** id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } */
+#define MBEDTLS_OID_AES192_KWP MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
+#define MBEDTLS_OID_AES256_KW MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } */
+#define MBEDTLS_OID_AES256_KWP MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
+/*
+ * PKCS#5 OIDs
+ */
+#define MBEDTLS_OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
+#define MBEDTLS_OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
+#define MBEDTLS_OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
+
+/*
+ * PKCS#5 PBES1 algorithms
+ */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+
+/*
+ * PKCS#7 OIDs
+ */
+#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */
+#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */
+#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */
+#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */
+#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */
+#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */
+
+/*
+ * PKCS#8 OIDs
+ */
+#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
+
+/*
+ * PKCS#12 PBE OIDs
+ */
+#define MBEDTLS_OID_PKCS12_PBE MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
+/*
+ * EC key algorithms from RFC 5480
+ */
+
+/* id-ecPublicKey OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } */
+#define MBEDTLS_OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_ANSI_X9_62 "\x02\01"
+
+/* id-ecDH OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132)
+ * schemes(1) ecdh(12) } */
+#define MBEDTLS_OID_EC_ALG_ECDH MBEDTLS_OID_CERTICOM "\x01\x0c"
+
+/*
+ * ECParameters namedCurve identifiers, from RFC 5480, RFC 5639, and SEC2
+ */
+
+/* secp192r1 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } */
+#define MBEDTLS_OID_EC_GRP_SECP192R1 MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x01"
+
+/* secp224r1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 33 } */
+#define MBEDTLS_OID_EC_GRP_SECP224R1 MBEDTLS_OID_CERTICOM "\x00\x21"
+
+/* secp256r1 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } */
+#define MBEDTLS_OID_EC_GRP_SECP256R1 MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x07"
+
+/* secp384r1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 34 } */
+#define MBEDTLS_OID_EC_GRP_SECP384R1 MBEDTLS_OID_CERTICOM "\x00\x22"
+
+/* secp521r1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 35 } */
+#define MBEDTLS_OID_EC_GRP_SECP521R1 MBEDTLS_OID_CERTICOM "\x00\x23"
+
+/* secp192k1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 31 } */
+#define MBEDTLS_OID_EC_GRP_SECP192K1 MBEDTLS_OID_CERTICOM "\x00\x1f"
+
+/* secp224k1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 32 } */
+#define MBEDTLS_OID_EC_GRP_SECP224K1 MBEDTLS_OID_CERTICOM "\x00\x20"
+
+/* secp256k1 OBJECT IDENTIFIER ::= {
+ * iso(1) identified-organization(3) certicom(132) curve(0) 10 } */
+#define MBEDTLS_OID_EC_GRP_SECP256K1 MBEDTLS_OID_CERTICOM "\x00\x0a"
+
+/* RFC 5639 4.1
+ * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
+ * identified-organization(3) teletrust(36) algorithm(3) signature-
+ * algorithm(3) ecSign(2) 8}
+ * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
+ * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */
+#define MBEDTLS_OID_EC_BRAINPOOL_V1 MBEDTLS_OID_TELETRUST "\x03\x03\x02\x08\x01\x01"
+
+/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */
+#define MBEDTLS_OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x07"
+
+/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */
+#define MBEDTLS_OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0B"
+
+/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */
+#define MBEDTLS_OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0D"
+
+/*
+ * SEC1 C.1
+ *
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ * id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
+ */
+#define MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62 "\x01"
+#define MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE "\x01"
+
+/*
+ * ECDSA signature identifiers, from RFC 5480
+ */
+#define MBEDTLS_OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62 "\x04" /* signatures(4) */
+#define MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG "\x03" /* ecdsa-with-SHA2(3) */
+
+/* ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA1 MBEDTLS_OID_ANSI_X9_62_SIG "\x01"
+
+/* ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ * ecdsa-with-SHA2(3) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA224 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x01"
+
+/* ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ * ecdsa-with-SHA2(3) 2 } */
+#define MBEDTLS_OID_ECDSA_SHA256 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x02"
+
+/* ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ * ecdsa-with-SHA2(3) 3 } */
+#define MBEDTLS_OID_ECDSA_SHA384 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x03"
+
+/* ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+ * iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ * ecdsa-with-SHA2(3) 4 } */
+#define MBEDTLS_OID_ECDSA_SHA512 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
+
+/*
+ * EC key algorithms from RFC 8410
+ */
+
+#define MBEDTLS_OID_X25519 MBEDTLS_OID_THAWTE "\x6e" /**< id-X25519 OBJECT IDENTIFIER ::= { 1 3 101 110 } */
+#define MBEDTLS_OID_X448 MBEDTLS_OID_THAWTE "\x6f" /**< id-X448 OBJECT IDENTIFIER ::= { 1 3 101 111 } */
+#define MBEDTLS_OID_ED25519 MBEDTLS_OID_THAWTE "\x70" /**< id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } */
+#define MBEDTLS_OID_ED448 MBEDTLS_OID_THAWTE "\x71" /**< id-Ed448 OBJECT IDENTIFIER ::= { 1 3 101 113 } */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Base OID descriptor structure
+ */
+typedef struct mbedtls_oid_descriptor_t {
+ const char *MBEDTLS_PRIVATE(asn1); /*!< OID ASN.1 representation */
+ size_t MBEDTLS_PRIVATE(asn1_len); /*!< length of asn1 */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+ const char *MBEDTLS_PRIVATE(name); /*!< official name (e.g. from RFC) */
+ const char *MBEDTLS_PRIVATE(description); /*!< human friendly description */
+#endif
+} mbedtls_oid_descriptor_t;
+
+/**
+ * \brief Translate an ASN.1 OID into its numeric representation
+ * (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
+ *
+ * \param buf buffer to put representation in
+ * \param size size of the buffer
+ * \param oid OID to translate
+ *
+ * \return Length of the string written (excluding final NULL) or
+ * MBEDTLS_ERR_OID_BUF_TOO_SMALL in case of error
+ */
+int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
+
+/**
+ * \brief Translate a string containing a dotted-decimal
+ * representation of an ASN.1 OID into its encoded form
+ * (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D").
+ * On success, this function allocates oid->buf from the
+ * heap. It must be freed by the caller using mbedtls_free().
+ *
+ * \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID
+ * \param oid_str string representation of the OID to parse
+ * \param size length of the OID string, not including any null terminator
+ *
+ * \return 0 if successful
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not
+ * represent a valid OID
+ * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to
+ * allocate oid->buf
+ */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid, const char *oid_str, size_t size);
+
+/**
+ * \brief Translate an X.509 extension OID into local values
+ *
+ * \param oid OID to use
+ * \param ext_type place to store the extension type
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_type);
+
+/**
+ * \brief Translate an X.509 attribute type OID into the short name
+ * (e.g. the OID for an X520 Common Name into "CN")
+ *
+ * \param oid OID to use
+ * \param short_name place to store the string pointer
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char **short_name);
+
+/**
+ * \brief Translate PublicKeyAlgorithm OID into pk_type
+ *
+ * \param oid OID to use
+ * \param pk_alg place to store public key algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pk_alg(const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_alg);
+
+/**
+ * \brief Translate pk_type into PublicKeyAlgorithm OID
+ *
+ * \param pk_alg Public key type to look for
+ * \param oid place to store ASN.1 OID string pointer
+ * \param olen length of the OID
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_type_t pk_alg,
+ const char **oid, size_t *olen);
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/**
+ * \brief Translate NamedCurve OID into an EC group identifier
+ *
+ * \param oid OID to use
+ * \param grp_id place to store group id
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id);
+
+/**
+ * \brief Translate EC group identifier into NamedCurve OID
+ *
+ * \param grp_id EC group identifier
+ * \param oid place to store ASN.1 OID string pointer
+ * \param olen length of the OID
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp(mbedtls_ecp_group_id grp_id,
+ const char **oid, size_t *olen);
+
+/**
+ * \brief Translate AlgorithmIdentifier OID into an EC group identifier,
+ * for curves that are directly encoded at this level
+ *
+ * \param oid OID to use
+ * \param grp_id place to store group id
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp_algid(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id);
+
+/**
+ * \brief Translate EC group identifier into AlgorithmIdentifier OID,
+ * for curves that are directly encoded at this level
+ *
+ * \param grp_id EC group identifier
+ * \param oid place to store ASN.1 OID string pointer
+ * \param olen length of the OID
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp_algid(mbedtls_ecp_group_id grp_id,
+ const char **oid, size_t *olen);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/**
+ * \brief Translate SignatureAlgorithm OID into md_type and pk_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ * \param pk_alg place to store public key algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg(const mbedtls_asn1_buf *oid,
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
+
+/**
+ * \brief Translate SignatureAlgorithm OID into description
+ *
+ * \param oid OID to use
+ * \param desc place to store string pointer
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **desc);
+
+/**
+ * \brief Translate md_type and pk_type into SignatureAlgorithm OID
+ *
+ * \param md_alg message digest algorithm
+ * \param pk_alg public key algorithm
+ * \param oid place to store ASN.1 OID string pointer
+ * \param olen length of the OID
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+ const char **oid, size_t *olen);
+
+/**
+ * \brief Translate hmac algorithm OID into md_type
+ *
+ * \param oid OID to use
+ * \param md_hmac place to store message hmac algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac);
+
+/**
+ * \brief Translate hash algorithm OID into md_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+/**
+ * \brief Translate Extended Key Usage OID into description
+ *
+ * \param oid OID to use
+ * \param desc place to store string pointer
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
+#endif
+
+/**
+ * \brief Translate certificate policies OID into description
+ *
+ * \param oid OID to use
+ * \param desc place to store string pointer
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_certificate_policies(const mbedtls_asn1_buf *oid, const char **desc);
+
+/**
+ * \brief Translate md_type into hash algorithm OID
+ *
+ * \param md_alg message digest algorithm
+ * \param oid place to store ASN.1 OID string pointer
+ * \param olen length of the OID
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_md(mbedtls_md_type_t md_alg, const char **oid, size_t *olen);
+
+#if defined(MBEDTLS_CIPHER_C)
+/**
+ * \brief Translate encryption algorithm OID into cipher_type
+ *
+ * \param oid OID to use
+ * \param cipher_alg place to store cipher algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_cipher_alg(const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg);
+
+#if defined(MBEDTLS_PKCS12_C)
+/**
+ * \brief Translate PKCS#12 PBE algorithm OID into md_type and
+ * cipher_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ * \param cipher_alg place to store cipher algorithm
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pkcs12_pbe_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
+ mbedtls_cipher_type_t *cipher_alg);
+#endif /* MBEDTLS_PKCS12_C */
+#endif /* MBEDTLS_CIPHER_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* oid.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/pem.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/pem.h
new file mode 100644
index 0000000..3c6a28d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/pem.h
@@ -0,0 +1,160 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PEM_H
+#define MBEDTLS_PEM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+/** No PEM header or footer found. */
+#define MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT -0x1080
+/** PEM string is not as expected. */
+#define MBEDTLS_ERR_PEM_INVALID_DATA -0x1100
+/** Failed to allocate memory. */
+#define MBEDTLS_ERR_PEM_ALLOC_FAILED -0x1180
+/** RSA IV is not in hex-format. */
+#define MBEDTLS_ERR_PEM_INVALID_ENC_IV -0x1200
+/** Unsupported key encryption algorithm. */
+#define MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG -0x1280
+/** Private key password can't be empty. */
+#define MBEDTLS_ERR_PEM_PASSWORD_REQUIRED -0x1300
+/** Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PEM_PASSWORD_MISMATCH -0x1380
+/** Unavailable feature, e.g. hashing/encryption combination. */
+#define MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE -0x1400
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_PEM_BAD_INPUT_DATA -0x1480
+/** \} name PEM Error codes */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/**
+ * \brief PEM context structure
+ */
+typedef struct mbedtls_pem_context {
+ unsigned char *MBEDTLS_PRIVATE(buf); /*!< buffer for decoded data */
+ size_t MBEDTLS_PRIVATE(buflen); /*!< length of the buffer */
+ unsigned char *MBEDTLS_PRIVATE(info); /*!< buffer for extra header information */
+}
+mbedtls_pem_context;
+
+/**
+ * \brief PEM context setup
+ *
+ * \param ctx context to be initialized
+ */
+void mbedtls_pem_init(mbedtls_pem_context *ctx);
+
+/**
+ * \brief Read a buffer for PEM information and store the resulting
+ * data into the specified context buffers.
+ *
+ * \param ctx context to use
+ * \param header header string to seek and expect
+ * \param footer footer string to seek and expect
+ * \param data source data to look in (must be nul-terminated)
+ * \param pwd password for decryption (can be NULL)
+ * \param pwdlen length of password
+ * \param use_len destination for total length used from data buffer. It is
+ * set after header is correctly read, so unless you get
+ * MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
+ * MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
+ * the length to skip.
+ *
+ * \note Attempts to check password correctness by verifying if
+ * the decrypted text starts with an ASN.1 sequence of
+ * appropriate length
+ *
+ * \note \c mbedtls_pem_free must be called on PEM context before
+ * the PEM context can be reused in another call to
+ * \c mbedtls_pem_read_buffer
+ *
+ * \return 0 on success, or a specific PEM error code
+ */
+int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
+ const unsigned char *data,
+ const unsigned char *pwd,
+ size_t pwdlen, size_t *use_len);
+
+/**
+ * \brief Get the pointer to the decoded binary data in a PEM context.
+ *
+ * \param ctx PEM context to access.
+ * \param buflen On success, this will contain the length of the binary data.
+ * This must be a valid (non-null) pointer.
+ *
+ * \return A pointer to the decoded binary data.
+ *
+ * \note The returned pointer remains valid only until \p ctx is
+ modified or freed.
+ */
+static inline const unsigned char *mbedtls_pem_get_buffer(mbedtls_pem_context *ctx, size_t *buflen)
+{
+ *buflen = ctx->MBEDTLS_PRIVATE(buflen);
+ return ctx->MBEDTLS_PRIVATE(buf);
+}
+
+
+/**
+ * \brief PEM context memory freeing
+ *
+ * \param ctx context to be freed
+ */
+void mbedtls_pem_free(mbedtls_pem_context *ctx);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief Write a buffer of PEM information from a DER encoded
+ * buffer.
+ *
+ * \param header The header string to write.
+ * \param footer The footer string to write.
+ * \param der_data The DER data to encode.
+ * \param der_len The length of the DER data \p der_data in Bytes.
+ * \param buf The buffer to write to.
+ * \param buf_len The length of the output buffer \p buf in Bytes.
+ * \param olen The address at which to store the total length written
+ * or required (if \p buf_len is not enough).
+ *
+ * \note You may pass \c NULL for \p buf and \c 0 for \p buf_len
+ * to request the length of the resulting PEM buffer in
+ * `*olen`.
+ *
+ * \note This function may be called with overlapping \p der_data
+ * and \p buf buffers.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large
+ * enough to hold the PEM buffer. In this case, `*olen` holds
+ * the required minimum size of \p buf.
+ * \return Another PEM or BASE64 error code on other kinds of failure.
+ */
+int mbedtls_pem_write_buffer(const char *header, const char *footer,
+ const unsigned char *der_data, size_t der_len,
+ unsigned char *buf, size_t buf_len, size_t *olen);
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
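Review bot: The `use_len` paragraph in the `mbedtls_pem_read_buffer` comment says the value is set only after the header has been read, but never states what `*use_len` holds on `MBEDTLS_ERR_PEM_BAD_INPUT_DATA` or `MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT`. A caller that walks a buffer of concatenated PEM blocks and advances by `use_len` before checking the return code could step by a stale or uninitialised length. I would add a sentence such as `On those two errors *use_len is not meaningful and must not be used to advance through data.`; whether the implementation leaves it untouched or zeroes it is not visible from this header, so confirm the wording against the implementation. In the same comment, `data` has no length argument, so `(must be nul-terminated)` is the only bound on the scan and deserves its own `\warning` line rather than a parenthesis. Separately, `mbedtls_pem_get_buffer` only reads the context, so its first parameter could be `const mbedtls_pem_context *ctx`.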
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h
new file mode 100644
index 0000000..52f4cc6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/pk.h
@@ -0,0 +1,1296 @@
+/**
+ * \file pk.h
+ *
+ * \brief Public Key abstraction layer
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PK_H
+#define MBEDTLS_PK_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include "psa/crypto.h"
+#endif
+
+/** Memory allocation failed. */
+#define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80
+/** Type mismatch, eg attempt to encrypt with an ECDSA key */
+#define MBEDTLS_ERR_PK_TYPE_MISMATCH -0x3F00
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_PK_BAD_INPUT_DATA -0x3E80
+/** Read/write of file failed. */
+#define MBEDTLS_ERR_PK_FILE_IO_ERROR -0x3E00
+/** Unsupported key version */
+#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80
+/** Invalid key tag or value. */
+#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT -0x3D00
+/** Key algorithm is unsupported (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG -0x3C80
+/** Private key password can't be empty. */
+#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED -0x3C00
+/** Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH -0x3B80
+/** The pubkey tag or value is invalid (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_INVALID_PUBKEY -0x3B00
+/** The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_PK_INVALID_ALG -0x3A80
+/** Elliptic curve is unsupported (only NIST curves are supported). */
+#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00
+/** Unavailable feature, e.g. RSA disabled for RSA key. */
+#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980
+/** The buffer contains a valid signature followed by more data. */
+#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900
+/** The output buffer is too small. */
+#define MBEDTLS_ERR_PK_BUFFER_TOO_SMALL -0x3880
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Public key types
+ */
+typedef enum {
+ MBEDTLS_PK_NONE=0,
+ MBEDTLS_PK_RSA,
+ MBEDTLS_PK_ECKEY,
+ MBEDTLS_PK_ECKEY_DH,
+ MBEDTLS_PK_ECDSA,
+ MBEDTLS_PK_RSA_ALT,
+ MBEDTLS_PK_RSASSA_PSS,
+ MBEDTLS_PK_OPAQUE,
+} mbedtls_pk_type_t;
+
+/**
+ * \brief Options for RSASSA-PSS signature verification.
+ * See \c mbedtls_rsa_rsassa_pss_verify_ext()
+ */
+typedef struct mbedtls_pk_rsassa_pss_options {
+ /** The digest to use for MGF1 in PSS.
+ *
+ * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
+ * disabled, this must be equal to the \c md_alg argument passed
+ * to mbedtls_pk_verify_ext(). In a future version of the library,
+ * this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
+ * enabled regardless of the status of #MBEDTLS_RSA_C.
+ */
+ mbedtls_md_type_t mgf1_hash_id;
+
+ /** The expected length of the salt, in bytes. This may be
+ * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ *
+ * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
+ * #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
+ * ignored (allowing any salt length).
+ */
+ int expected_salt_len;
+
+} mbedtls_pk_rsassa_pss_options;
+
+/**
+ * \brief Maximum size of a signature made by mbedtls_pk_sign().
+ */
+/* We need to set MBEDTLS_PK_SIGNATURE_MAX_SIZE to the maximum signature
+ * size among the supported signature types. Do it by starting at 0,
+ * then incrementally increasing to be large enough for each supported
+ * signature mechanism.
+ *
+ * The resulting value can be 0, for example if MBEDTLS_ECDH_C is enabled
+ * (which allows the pk module to be included) but neither MBEDTLS_ECDSA_C
+ * nor MBEDTLS_RSA_C nor any opaque signature mechanism (PSA or RSA_ALT).
+ */
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE 0
+
+#if (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_RSA_ALT_SUPPORT)) && \
+ MBEDTLS_MPI_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* For RSA, the signature can be as large as the bignum module allows.
+ * For RSA_ALT, the signature size is not necessarily tied to what the
+ * bignum module can do, but in the absence of any specific setting,
+ * we use that (rsa_alt_sign_wrap in library/pk_wrap.h will check). */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) && \
+ MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* For ECDSA, the ecdsa module exports a constant for the maximum
+ * signature size. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if PSA_SIGNATURE_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* PSA_SIGNATURE_MAX_SIZE is the maximum size of a signature made
+ * through the PSA API in the PSA representation. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE PSA_SIGNATURE_MAX_SIZE
+#endif
+
+#if PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* The Mbed TLS representation is different for ECDSA signatures:
+ * PSA uses the raw concatenation of r and s,
+ * whereas Mbed TLS uses the ASN.1 representation (SEQUENCE of two INTEGERs).
+ * Add the overhead of ASN.1: up to (1+2) + 2 * (1+2+1) for the
+ * types, lengths (represented by up to 2 bytes), and potential leading
+ * zeros of the INTEGERs and the SEQUENCE. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11)
+#endif
+#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
+
+/* Internal helper to define which fields in the pk_context structure below
+ * should be used for EC keys: legacy ecp_keypair or the raw (PSA friendly)
+ * format. It should be noted that this only affects how data is stored, not
+ * which functions are used for various operations. The overall picture looks
+ * like this:
+ * - if USE_PSA is not defined and ECP_C is defined then use ecp_keypair data
+ * structure and legacy functions
+ * - if USE_PSA is defined and
+ * - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
+ * format and use PSA functions
+ * - if !ECP_C then use new raw data and PSA functions directly.
+ *
+ * The main reason for the "intermediate" (USE_PSA + ECP_C) above is that as long
+ * as ECP_C is defined mbedtls_pk_ec() gives the user a read/write access to the
+ * ecp_keypair structure inside the pk_context so they can modify it using
+ * ECP functions which are not under PK module's control.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+ !defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PK_USE_PSA_EC_DATA
+#endif
+
+/**
+ * \brief Types for interfacing with the debug module
+ */
+typedef enum {
+ MBEDTLS_PK_DEBUG_NONE = 0,
+ MBEDTLS_PK_DEBUG_MPI,
+ MBEDTLS_PK_DEBUG_ECP,
+ MBEDTLS_PK_DEBUG_PSA_EC,
+} mbedtls_pk_debug_type;
+
+/**
+ * \brief Item to send to the debug module
+ */
+typedef struct mbedtls_pk_debug_item {
+ mbedtls_pk_debug_type MBEDTLS_PRIVATE(type);
+ const char *MBEDTLS_PRIVATE(name);
+ void *MBEDTLS_PRIVATE(value);
+} mbedtls_pk_debug_item;
+
+/** Maximum number of item send for debugging, plus 1 */
+#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
+
+/**
+ * \brief Public key information and operations
+ *
+ * \note The library does not support custom pk info structures,
+ * only built-in structures returned by
+ * mbedtls_cipher_info_from_type().
+ */
+typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+
+#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+/**
+ * \brief Public key container
+ */
+typedef struct mbedtls_pk_context {
+ const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
+ void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
+ /* The following field is used to store the ID of a private key in the
+ * following cases:
+ * - opaque key when MBEDTLS_USE_PSA_CRYPTO is defined
+ * - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
+ * - the pk_ctx above is not not used to store the private key anymore.
+ * Actually that field not populated at all in this case because also
+ * the public key will be stored in raw format as explained below
+ * - this ID is used for all private key operations (ex: sign, check
+ * key pair, key write, etc) using PSA functions
+ *
+ * Note: this private key storing solution only affects EC keys, not the
+ * other ones. The latters still use the pk_ctx to store their own
+ * context. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ /* The following fields are meant for storing the public key in raw format
+ * which is handy for:
+ * - easily importing it into the PSA context
+ * - reducing the ECP module dependencies in the PK one.
+ *
+ * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled:
+ * - the pk_ctx above is not used anymore for storing the public key
+ * inside the ecp_keypair structure
+ * - the following fields are used for all public key operations: signature
+ * verify, key pair check and key write.
+ * - For a key pair, priv_id contains the private key. For a public key,
+ * priv_id is null.
+ * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
+ * ecp_keypair structure is used for storing the public key and performing
+ * all the operations.
+ *
+ * Note: This new public key storing solution only works for EC keys, not
+ * other ones. The latters still use pk_ctx to store their own
+ * context.
+ */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ uint8_t MBEDTLS_PRIVATE(pub_raw)[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN]; /**< Raw public key */
+ size_t MBEDTLS_PRIVATE(pub_raw_len); /**< Valid bytes in "pub_raw" */
+ psa_ecc_family_t MBEDTLS_PRIVATE(ec_family); /**< EC family of pk */
+ size_t MBEDTLS_PRIVATE(ec_bits); /**< Curve's bits of pk */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+} mbedtls_pk_context;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Context for resuming operations
+ */
+typedef struct {
+ const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
+ void *MBEDTLS_PRIVATE(rs_ctx); /**< Underlying restart context */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief Types for RSA-alt abstraction
+ */
+typedef int (*mbedtls_pk_rsa_alt_decrypt_func)(void *ctx, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len);
+typedef int (*mbedtls_pk_rsa_alt_sign_func)(void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig);
+typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)(void *ctx);
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief Return information associated with the given PK type
+ *
+ * \param pk_type PK type to search for.
+ *
+ * \return The PK info associated with the type or NULL if not found.
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type);
+
+/**
+ * \brief Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx The context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_pk_init(mbedtls_pk_context *ctx);
+
+/**
+ * \brief Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx The context to clear. It must have been initialized.
+ * If this is \c NULL, this function does nothing.
+ *
+ * \note For contexts that have been set up with
+ * mbedtls_pk_setup_opaque(), this does not free the underlying
+ * PSA key and you still need to call psa_destroy_key()
+ * independently if you want to destroy that key.
+ */
+void mbedtls_pk_free(mbedtls_pk_context *ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context
+ *
+ * \param ctx The context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx);
+
+/**
+ * \brief Free the components of a restart context
+ *
+ * \param ctx The context to clear. It must have been initialized.
+ * If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief Initialize a PK context with the information given
+ * and allocates the type-specific PK subcontext.
+ *
+ * \param ctx Context to initialize. It must not have been set
+ * up yet (type #MBEDTLS_PK_NONE).
+ * \param info Information to use
+ *
+ * \return 0 on success,
+ * MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
+ * MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ *
+ * \note For contexts holding an RSA-alt key, use
+ * \c mbedtls_pk_setup_rsa_alt() instead.
+ */
+int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief Initialize a PK context to wrap a PSA key.
+ *
+ * This function creates a PK context which wraps a PSA key. The PSA wrapped
+ * key must be an EC or RSA key pair (DH is not suported in the PK module).
+ *
+ * Under the hood PSA functions will be used to perform the required
+ * operations and, based on the key type, used algorithms will be:
+ * * EC:
+ * * verify, verify_ext, sign, sign_ext: ECDSA.
+ * * RSA:
+ * * sign, decrypt: use the primary algorithm in the wrapped PSA key;
+ * * sign_ext: RSA PSS if the pk_type is #MBEDTLS_PK_RSASSA_PSS, otherwise
+ * it falls back to the sign() case;
+ * * verify, verify_ext, encrypt: not supported.
+ *
+ * In order for the above operations to succeed, the policy of the wrapped PSA
+ * key must allow the specified algorithm.
+ *
+ * Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(),
+ * whereas RSA ones do not.
+ *
+ * \warning The PSA wrapped key must remain valid as long as the wrapping PK
+ * context is in use, that is at least between the point this function
+ * is called and the point mbedtls_pk_free() is called on this context.
+ *
+ * \param ctx The context to initialize. It must be empty (type NONE).
+ * \param key The PSA key to wrap, which must hold an ECC or RSA key pair.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input (context already
+ * used, invalid key identifier).
+ * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an ECC or
+ * RSA key pair.
+ * \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ */
+int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
+ const mbedtls_svc_key_id_t key);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief Initialize an RSA-alt context
+ *
+ * \param ctx Context to initialize. It must not have been set
+ * up yet (type #MBEDTLS_PK_NONE).
+ * \param key RSA key pointer
+ * \param decrypt_func Decryption function
+ * \param sign_func Signing function
+ * \param key_len_func Function returning key length in bytes
+ *
+ * \return 0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
+ * context wasn't already initialized as RSA_ALT.
+ *
+ * \note This function replaces \c mbedtls_pk_setup() for RSA-alt.
+ */
+int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
+ mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+ mbedtls_pk_rsa_alt_sign_func sign_func,
+ mbedtls_pk_rsa_alt_key_len_func key_len_func);
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief Get the size in bits of the underlying key
+ *
+ * \param ctx The context to query. It must have been initialized.
+ *
+ * \return Key size in bits, or 0 on error
+ */
+size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx);
+
+/**
+ * \brief Get the length in bytes of the underlying key
+ *
+ * \param ctx The context to query. It must have been initialized.
+ *
+ * \return Key length in bytes, or 0 on error
+ */
+static inline size_t mbedtls_pk_get_len(const mbedtls_pk_context *ctx)
+{
+ return (mbedtls_pk_get_bitlen(ctx) + 7) / 8;
+}
+
+/**
+ * \brief Tell if a context can do the operation given by type
+ *
+ * \param ctx The context to query. It must have been initialized.
+ * \param type The desired type.
+ *
+ * \return 1 if the context can do operations on the given type.
+ * \return 0 if the context cannot do the operations on the given
+ * type. This is always the case for a context that has
+ * been initialized but not set up, or that has been
+ * cleared with mbedtls_pk_free().
+ */
+int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief Tell if context can do the operation given by PSA algorithm
+ *
+ * \param ctx The context to query. It must have been initialized.
+ * \param alg PSA algorithm to check against, the following are allowed:
+ * PSA_ALG_RSA_PKCS1V15_SIGN(hash),
+ * PSA_ALG_RSA_PSS(hash),
+ * PSA_ALG_RSA_PKCS1V15_CRYPT,
+ * PSA_ALG_ECDSA(hash),
+ * PSA_ALG_ECDH, where hash is a specific hash.
+ * \param usage PSA usage flag to check against, must be composed of:
+ * PSA_KEY_USAGE_SIGN_HASH
+ * PSA_KEY_USAGE_DECRYPT
+ * PSA_KEY_USAGE_DERIVE.
+ * Context key must match all passed usage flags.
+ *
+ * \warning Since the set of allowed algorithms and usage flags may be
+ * expanded in the future, the return value \c 0 should not
+ * be taken in account for non-allowed algorithms and usage
+ * flags.
+ *
+ * \return 1 if the context can do operations on the given type.
+ * \return 0 if the context cannot do the operations on the given
+ * type, for non-allowed algorithms and usage flags, or
+ * for a context that has been initialized but not set up
+ * or that has been cleared with mbedtls_pk_free().
+ */
+int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
+ psa_key_usage_t usage);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+/**
+ * \brief Determine valid PSA attributes that can be used to
+ * import a key into PSA.
+ *
+ * The attributes determined by this function are suitable
+ * for calling mbedtls_pk_import_into_psa() to create
+ * a PSA key with the same key material.
+ *
+ * The typical flow of operations involving this function is
+ * ```
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes);
+ * if (ret != 0) ...; // error handling omitted
+ * // Tweak attributes if desired
+ * psa_key_id_t key_id = 0;
+ * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id);
+ * if (ret != 0) ...; // error handling omitted
+ * ```
+ *
+ * \note This function does not support RSA-alt contexts
+ * (set up with mbedtls_pk_setup_rsa_alt()).
+ *
+ * \param[in] pk The PK context to use. It must have been set up.
+ * It can either contain a key pair or just a public key.
+ * \param usage A single `PSA_KEY_USAGE_xxx` flag among the following:
+ * - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_ENCRYPT as well as
+ * #PSA_KEY_USAGE_DECRYPT.
+ * - #PSA_KEY_USAGE_DERIVE: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type.
+ * - #PSA_KEY_USAGE_ENCRYPT: The output
+ * \p attributes will contain a public key type.
+ * - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_VERIFY_HASH as well as
+ * #PSA_KEY_USAGE_SIGN_HASH.
+ * - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a
+ * key pair. The output \p attributes will contain a
+ * key pair type, and the usage policy will allow
+ * #PSA_KEY_USAGE_VERIFY_MESSAGE as well as
+ * #PSA_KEY_USAGE_SIGN_MESSAGE.
+ * - #PSA_KEY_USAGE_VERIFY_HASH: The output
+ * \p attributes will contain a public key type.
+ * - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output
+ * \p attributes will contain a public key type.
+ * \param[out] attributes
+ * On success, valid attributes to import the key into PSA.
+ * - The lifetime and key identifier are unchanged. If the
+ * attribute structure was initialized or reset before
+ * calling this function, this will result in a volatile
+ * key. Call psa_set_key_identifier() before or after this
+ * function if you wish to create a persistent key. Call
+ * psa_set_key_lifetime() before or after this function if
+ * you wish to import the key in a secure element.
+ * - The key type and bit-size are determined by the contents
+ * of the PK context. If the PK context contains a key
+ * pair, the key type can be either a key pair type or
+ * the corresponding public key type, depending on
+ * \p usage. If the PK context contains a public key,
+ * the key type is a public key type.
+ * - The key's policy is determined by the key type and
+ * the \p usage parameter. The usage always allows
+ * \p usage, exporting and copying the key, and
+ * possibly other permissions as documented for the
+ * \p usage parameter.
+ * The permitted algorithm policy is determined as follows
+ * based on the #mbedtls_pk_type_t type of \p pk,
+ * the chosen \p usage and other factors:
+ * - #MBEDTLS_PK_RSA whose underlying
+ * #mbedtls_rsa_context has the padding mode
+ * #MBEDTLS_RSA_PKCS_V15:
+ * #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH)
+ * if \p usage is SIGN/VERIFY, and
+ * #PSA_ALG_RSA_PKCS1V15_CRYPT
+ * if \p usage is ENCRYPT/DECRYPT.
+ * - #MBEDTLS_PK_RSA whose underlying
+ * #mbedtls_rsa_context has the padding mode
+ * #MBEDTLS_RSA_PKCS_V21 and the digest type
+ * corresponding to the PSA algorithm \c hash:
+ * #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH)
+ * if \p usage is SIGN/VERIFY, and
+ * #PSA_ALG_RSA_OAEP(\c hash)
+ * if \p usage is ENCRYPT/DECRYPT.
+ * - #MBEDTLS_PK_RSA_ALT: not supported.
+ * - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY
+ * if \p usage is SIGN/VERIFY:
+ * #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH)
+ * if #MBEDTLS_ECDSA_DETERMINISTIC is enabled,
+ * otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH).
+ * - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY
+ * if \p usage is DERIVE:
+ * #PSA_ALG_ECDH.
+ * - #MBEDTLS_PK_OPAQUE: same as the primary algorithm
+ * set for the underlying PSA key, except that
+ * sign/decrypt flags are removed if the type is
+ * set to a public key type.
+ * The underlying key must allow \p usage.
+ * Note that the enrollment algorithm set with
+ * psa_set_key_enrollment_algorithm() is not copied.
+ *
+ * \return 0 on success.
+ * #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain
+ * a key of the type identified in \p attributes.
+ * Another error code on other failures.
+ */
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_t usage,
+ psa_key_attributes_t *attributes);
+
+/**
+ * \brief Import a key into the PSA key store.
+ *
+ * This function is equivalent to calling psa_import_key()
+ * with the key material from \p pk.
+ *
+ * The typical way to use this function is:
+ * -# Call mbedtls_pk_get_psa_attributes() to obtain
+ * attributes for the given key.
+ * -# If desired, modify the attributes, for example:
+ * - To create a persistent key, call
+ * psa_set_key_identifier() and optionally
+ * psa_set_key_lifetime().
+ * - To import only the public part of a key pair:
+ *
+ * psa_set_key_type(&attributes,
+ * PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
+ * psa_get_key_type(&attributes)));
+ * - Restrict the key usage if desired.
+ * -# Call mbedtls_pk_import_into_psa().
+ *
+ * \note This function does not support RSA-alt contexts
+ * (set up with mbedtls_pk_setup_rsa_alt()).
+ *
+ * \param[in] pk The PK context to use. It must have been set up.
+ * It can either contain a key pair or just a public key.
+ * \param[in] attributes
+ * The attributes to use for the new key. They must be
+ * compatible with \p pk. In particular, the key type
+ * must match the content of \p pk.
+ * If \p pk contains a key pair, the key type in
+ * attributes can be either the key pair type or the
+ * corresponding public key type (to import only the
+ * public part).
+ * \param[out] key_id
+ * On success, the identifier of the newly created key.
+ * On error, this is #MBEDTLS_SVC_KEY_ID_INIT.
+ *
+ * \return 0 on success.
+ * #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain
+ * a key of the type identified in \p attributes.
+ * Another error code on other failures.
+ */
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id);
+
+/**
+ * \brief Create a PK context starting from a key stored in PSA.
+ * This key:
+ * - must be exportable and
+ * - must be an RSA or EC key pair or public key (FFDH is not supported in PK).
+ *
+ * The resulting PK object will be a transparent type:
+ * - #MBEDTLS_PK_RSA for RSA keys or
+ * - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ * Once this functions returns the PK object will be completely
+ * independent from the original PSA key that it was generated
+ * from.
+ * Calling mbedtls_pk_sign(), mbedtls_pk_verify(),
+ * mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting
+ * PK context will perform the corresponding algorithm for that
+ * PK context type.
+ * * For ECDSA, the choice of deterministic vs randomized will
+ * be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC.
+ * * For an RSA key, the output PK context will allow both
+ * encrypt/decrypt and sign/verify regardless of the original
+ * key's policy.
+ * The original key's policy determines the output key's padding
+ * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ * otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id The key identifier of the key stored in PSA.
+ * \param pk The PK context that will be filled. It must be initialized,
+ * but not set up.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ * parameters are not correct.
+ */
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+
+/**
+ * \brief Create a PK context for the public key of a PSA key.
+ *
+ * The key must be an RSA or ECC key. It can be either a
+ * public key or a key pair, and only the public key is copied.
+ * The resulting PK object will be a transparent type:
+ * - #MBEDTLS_PK_RSA for RSA keys or
+ * - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ * Once this functions returns the PK object will be completely
+ * independent from the original PSA key that it was generated
+ * from.
+ * Calling mbedtls_pk_verify() or
+ * mbedtls_pk_encrypt() on the resulting
+ * PK context will perform the corresponding algorithm for that
+ * PK context type.
+ *
+ * For an RSA key, the output PK context will allow both
+ * encrypt and verify regardless of the original key's policy.
+ * The original key's policy determines the output key's padding
+ * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ * otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id The key identifier of the key stored in PSA.
+ * \param pk The PK context that will be filled. It must be initialized,
+ * but not set up.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ * parameters are not correct.
+ */
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/**
+ * \brief Verify signature (including padding if relevant).
+ *
+ * \param ctx The PK context to use. It must have been set up.
+ * \param md_alg Hash algorithm used.
+ * This can be #MBEDTLS_MD_NONE if the signature algorithm
+ * does not rely on a hash algorithm (non-deterministic
+ * ECDSA, RSA PKCS#1 v1.5).
+ * For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
+ * \p hash is the DigestInfo structure used by RFC 8017
+ * &sect;9.2 steps 3&ndash;6. If \p md_alg is a valid hash
+ * algorithm then \p hash is the digest itself, and this
+ * function calculates the DigestInfo encoding internally.
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length
+ * \param sig Signature to verify
+ * \param sig_len Signature length
+ *
+ * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ * either PKCS#1 v1.5 or PSS (accepting any salt length),
+ * depending on the padding mode in the underlying RSA context.
+ * For a pk object constructed by parsing, this is PKCS#1 v1.5
+ * by default. Use mbedtls_pk_verify_ext() to explicitly select
+ * a different algorithm.
+ *
+ * \return 0 on success (signature is valid),
+ * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ * signature in \p sig but its length is less than \p sig_len,
+ * or a specific error code.
+ */
+int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len);
+
+/**
+ * \brief Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note Performs the same job as \c mbedtls_pk_verify(), but can
+ * return early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ * operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx The PK context to use. It must have been set up.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length or 0 (see notes)
+ * \param sig Signature to verify
+ * \param sig_len Signature length
+ * \param rs_ctx Restart context (NULL to disable restart)
+ *
+ * \return See \c mbedtls_pk_verify(), or
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ mbedtls_pk_restart_ctx *rs_ctx);
+
+/**
+ * \brief Verify signature, with options.
+ * (Includes verification of the padding depending on type.)
+ *
+ * \param type Signature type (inc. possible padding type) to verify
+ * \param options Pointer to type-specific options, or NULL
+ * \param ctx The PK context to use. It must have been set up.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length or 0 (see notes)
+ * \param sig Signature to verify
+ * \param sig_len Signature length
+ *
+ * \return 0 on success (signature is valid),
+ * #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
+ * used for this type of signatures,
+ * #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ * signature in \p sig but its length is less than \p sig_len,
+ * or a specific error code.
+ *
+ * \note If hash_len is 0, then the length associated with md_alg
+ * is used instead, or an error returned if it is invalid.
+ *
+ * \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ *
+ * \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point
+ * to a mbedtls_pk_rsassa_pss_options structure,
+ * otherwise it must be NULL. Note that if
+ * #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
+ * verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
+ */
+int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
+ mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len);
+
+/**
+ * \brief Make signature, including padding if relevant.
+ *
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length
+ * \param sig Place to write the signature.
+ * It must have enough room for the signature.
+ * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ * You may use a smaller buffer if it is large enough
+ * given the key type.
+ * \param sig_size The size of the \p sig buffer in bytes.
+ * \param sig_len On successful return,
+ * the number of bytes written to \p sig.
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ *
+ * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ * either PKCS#1 v1.5 or PSS (using the largest possible salt
+ * length up to the hash length), depending on the padding mode
+ * in the underlying RSA context. For a pk object constructed
+ * by parsing, this is PKCS#1 v1.5 by default. Use
+ * mbedtls_pk_verify_ext() to explicitly select a different
+ * algorithm.
+ *
+ * \return 0 on success, or a specific error code.
+ *
+ * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ */
+int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/**
+ * \brief Make signature given a signature type.
+ *
+ * \param pk_type Signature type.
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length
+ * \param sig Place to write the signature.
+ * It must have enough room for the signature.
+ * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ * You may use a smaller buffer if it is large enough
+ * given the key type.
+ * \param sig_size The size of the \p sig buffer in bytes.
+ * \param sig_len On successful return,
+ * the number of bytes written to \p sig.
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ *
+ * \return 0 on success, or a specific error code.
+ *
+ * \note When \p pk_type is #MBEDTLS_PK_RSASSA_PSS,
+ * see #PSA_ALG_RSA_PSS for a description of PSS options used.
+ *
+ * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ */
+int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
+ mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note Performs the same job as \c mbedtls_pk_sign(), but can
+ * return early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ * operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
+ * \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign())
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length
+ * \param sig Place to write the signature.
+ * It must have enough room for the signature.
+ * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ * You may use a smaller buffer if it is large enough
+ * given the key type.
+ * \param sig_size The size of the \p sig buffer in bytes.
+ * \param sig_len On successful return,
+ * the number of bytes written to \p sig.
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ * \param rs_ctx Restart context (NULL to disable restart)
+ *
+ * \return See \c mbedtls_pk_sign().
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_pk_restart_ctx *rs_ctx);
+
+/**
+ * \brief Decrypt message (including padding if relevant).
+ *
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
+ * \param input Input to decrypt
+ * \param ilen Input size
+ * \param output Decrypted output
+ * \param olen Decrypted message length
+ * \param osize Size of the output buffer
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ *
+ * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ * either PKCS#1 v1.5 or OAEP, depending on the padding mode in
+ * the underlying RSA context. For a pk object constructed by
+ * parsing, this is PKCS#1 v1.5 by default.
+ *
+ * \return 0 on success, or a specific error code.
+ */
+int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/**
+ * \brief Encrypt message (including padding if relevant).
+ *
+ * \param ctx The PK context to use. It must have been set up.
+ * \param input Message to encrypt
+ * \param ilen Message size
+ * \param output Encrypted output
+ * \param olen Encrypted output length
+ * \param osize Size of the output buffer
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ *
+ * \note For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ * either PKCS#1 v1.5 or OAEP, depending on the padding mode in
+ * the underlying RSA context. For a pk object constructed by
+ * parsing, this is PKCS#1 v1.5 by default.
+ *
+ * \note \p f_rng is used for padding generation.
+ *
+ * \return 0 on success, or a specific error code.
+ */
+int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/**
+ * \brief Check if a public-private pair of keys matches.
+ *
+ * \param pub Context holding a public key.
+ * \param prv Context holding a private (and public) key.
+ * \param f_rng RNG function, must not be \c NULL.
+ * \param p_rng RNG parameter
+ *
+ * \return \c 0 on success (keys were checked and match each other).
+ * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
+ * be checked - in that case they may or may not match.
+ * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
+ * \return Another non-zero value if the keys do not match.
+ */
+int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
+ const mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Export debug information
+ *
+ * \param ctx The PK context to use. It must have been initialized.
+ * \param items Place to write debug items
+ *
+ * \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items);
+
+/**
+ * \brief Access the type name
+ *
+ * \param ctx The PK context to use. It must have been initialized.
+ *
+ * \return Type name on success, or "invalid PK"
+ */
+const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx);
+
+/**
+ * \brief Get the key type
+ *
+ * \param ctx The PK context to use. It must have been initialized.
+ *
+ * \return Type on success.
+ * \return #MBEDTLS_PK_NONE for a context that has not been set up.
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx);
+
+#if defined(MBEDTLS_RSA_C)
+/**
+ * Quick access to an RSA context inside a PK context.
+ *
+ * \warning This function can only be used when the type of the context, as
+ * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA.
+ * Ensuring that is the caller's responsibility.
+ * Alternatively, you can check whether this function returns NULL.
+ *
+ * \return The internal RSA context held by the PK context, or NULL.
+ */
+static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_RSA:
+ return (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * Quick access to an EC context inside a PK context.
+ *
+ * \warning This function can only be used when the type of the context, as
+ * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY,
+ * #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA.
+ * Ensuring that is the caller's responsibility.
+ * Alternatively, you can check whether this function returns NULL.
+ *
+ * \return The internal EC context held by the PK context, or NULL.
+ */
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/** \ingroup pk_module */
+/**
+ * \brief Parse a private key in PEM or DER format
+ *
+ * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ * subsystem must have been initialized by calling
+ * psa_crypto_init() before calling this function.
+ *
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param key Input buffer to parse.
+ * The buffer must contain the input exactly, with no
+ * extra trailing material. For PEM, the buffer must
+ * contain a null-terminated string.
+ * \param keylen Size of \b key in bytes.
+ * For PEM data, this includes the terminating null byte,
+ * so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd Optional password for decryption.
+ * Pass \c NULL if expecting a non-encrypted key.
+ * Pass a string of \p pwdlen bytes if expecting an encrypted
+ * key; a non-encrypted key will also be accepted.
+ * The empty password is not supported.
+ * \param pwdlen Size of the password in bytes.
+ * Ignored if \p pwd is \c NULL.
+ * \param f_rng RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng RNG parameter
+ *
+ * \note On entry, ctx must be empty, either freshly initialised
+ * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ * specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note The key is also checked for correctness.
+ *
+ * \return 0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/** \ingroup pk_module */
+/**
+ * \brief Parse a public key in PEM or DER format
+ *
+ * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ * subsystem must have been initialized by calling
+ * psa_crypto_init() before calling this function.
+ *
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param key Input buffer to parse.
+ * The buffer must contain the input exactly, with no
+ * extra trailing material. For PEM, the buffer must
+ * contain a null-terminated string.
+ * \param keylen Size of \b key in bytes.
+ * For PEM data, this includes the terminating null byte,
+ * so \p keylen must be equal to `strlen(key) + 1`.
+ *
+ * \note On entry, ctx must be empty, either freshly initialised
+ * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ * specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
+ * \note The key is also checked for correctness.
+ *
+ * \return 0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
+ const unsigned char *key, size_t keylen);
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup pk_module */
+/**
+ * \brief Load and parse a private key
+ *
+ * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ * subsystem must have been initialized by calling
+ * psa_crypto_init() before calling this function.
+ *
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param path filename to read the private key from
+ * \param password Optional password to decrypt the file.
+ * Pass \c NULL if expecting a non-encrypted key.
+ * Pass a null-terminated string if expecting an encrypted
+ * key; a non-encrypted key will also be accepted.
+ * The empty password is not supported.
+ * \param f_rng RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng RNG parameter
+ *
+ * \note On entry, ctx must be empty, either freshly initialised
+ * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ * specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note The key is also checked for correctness.
+ *
+ * \return 0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
+ const char *path, const char *password,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+
+/** \ingroup pk_module */
+/**
+ * \brief Load and parse a public key
+ *
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param path filename to read the public key from
+ *
+ * \note On entry, ctx must be empty, either freshly initialised
+ * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
+ * you need a specific key type, check the result with
+ * mbedtls_pk_can_do().
+ *
+ * \note The key is also checked for correctness.
+ *
+ * \return 0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path);
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief Write a private key to a PKCS#1 or SEC1 DER structure
+ * Note: data is written at the end of the buffer! Use the
+ * return value to determine where you should start
+ * using the buffer
+ *
+ * \param ctx PK context which must contain a valid private key.
+ * \param buf buffer to write to
+ * \param size size of the buffer
+ *
+ * \return length of data written if successful, or a specific
+ * error code
+ */
+int mbedtls_pk_write_key_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+
+/**
+ * \brief Write a public key to a SubjectPublicKeyInfo DER structure
+ * Note: data is written at the end of the buffer! Use the
+ * return value to determine where you should start
+ * using the buffer
+ *
+ * \param ctx PK context which must contain a valid public or private key.
+ * \param buf buffer to write to
+ * \param size size of the buffer
+ *
+ * \return length of data written if successful, or a specific
+ * error code
+ */
+int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief Write a public key to a PEM string
+ *
+ * \param ctx PK context which must contain a valid public or private key.
+ * \param buf Buffer to write to. The output includes a
+ * terminating null byte.
+ * \param size Size of the buffer in bytes.
+ *
+ * \return 0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+
+/**
+ * \brief Write a private key to a PKCS#1 or SEC1 PEM string
+ *
+ * \param ctx PK context which must contain a valid private key.
+ * \param buf Buffer to write to. The output includes a
+ * terminating null byte.
+ * \param size Size of the buffer in bytes.
+ *
+ * \return 0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_key_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * WARNING: Low-level functions. You probably do not want to use these unless
+ * you are certain you do ;)
+ */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/**
+ * \brief Parse a SubjectPublicKeyInfo DER structure
+ *
+ * \param p the position in the ASN.1 data
+ * \param end end of the buffer
+ * \param pk The PK context to fill. It must have been initialized
+ * but not set up.
+ *
+ * \return 0 if successful, or a specific PK error code
+ */
+int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
+ mbedtls_pk_context *pk);
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief Write a subjectPublicKey to ASN.1 data
+ * Note: function works backwards in data buffer
+ *
+ * \param p reference to current position pointer
+ * \param start start of the buffer (for bounds-checking)
+ * \param key PK context which must contain a valid public or private key.
+ *
+ * \return the length written or a negative error code
+ */
+int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *key);
+#endif /* MBEDTLS_PK_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PK_H */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs12.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs12.h
new file mode 100644
index 0000000..87f7681
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs12.h
@@ -0,0 +1,186 @@
+/**
+ * \file pkcs12.h
+ *
+ * \brief PKCS#12 Personal Information Exchange Syntax
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PKCS12_H
+#define MBEDTLS_PKCS12_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/asn1.h"
+
+#include <stddef.h>
+
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA -0x1F80
+/** Feature not available, e.g. unsupported encryption scheme. */
+#define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE -0x1F00
+/** PBE ASN.1 data not as expected. */
+#define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT -0x1E80
+/** Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH -0x1E00
+
+#define MBEDTLS_PKCS12_DERIVE_KEY 1 /**< encryption/decryption key */
+#define MBEDTLS_PKCS12_DERIVE_IV 2 /**< initialization vector */
+#define MBEDTLS_PKCS12_DERIVE_MAC_KEY 3 /**< integrity / MAC key */
+
+#define MBEDTLS_PKCS12_PBE_DECRYPT MBEDTLS_DECRYPT
+#define MBEDTLS_PKCS12_PBE_ENCRYPT MBEDTLS_ENCRYPT
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief PKCS12 Password Based function (encryption / decryption)
+ * for cipher-based and mbedtls_md-based PBE's
+ *
+ * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
+ * be enabled at compile time.
+ *
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ * Please use mbedtls_pkcs12_pbe_ext() instead.
+ *
+ * \warning When decrypting:
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
+ * time, this function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
+ * time, this function does not validate the CBC padding.
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
+ * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
+ * #MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type the mbedtls_md used
+ * \param pwd Latin1-encoded password used. This may only be \c NULL when
+ * \p pwdlen is 0. No null terminator should be used.
+ * \param pwdlen length of the password (may be 0)
+ * \param data the input data
+ * \param len data length
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p len
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p len + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ *
+ * \return 0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type,
+ mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+
+/**
+ * \brief PKCS12 Password Based function (encryption / decryption)
+ * for cipher-based and mbedtls_md-based PBE's
+ *
+ *
+ * \warning When decrypting:
+ * - This function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
+ * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
+ * #MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type the mbedtls_md used
+ * \param pwd Latin1-encoded password used. This may only be \c NULL when
+ * \p pwdlen is 0. No null terminator should be used.
+ * \param pwdlen length of the password (may be 0)
+ * \param data the input data
+ * \param len data length
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p len
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p len + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ * \param output_size size of output buffer.
+ * This must be big enough to accommodate for output plus
+ * padding data.
+ * \param output_len On success, length of actual data written to the output buffer.
+ *
+ * \return 0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
+
+/**
+ * \brief The PKCS#12 derivation function uses a password and a salt
+ * to produce pseudo-random bits for a particular "purpose".
+ *
+ * Depending on the given id, this function can produce an
+ * encryption/decryption key, an initialization vector or an
+ * integrity key.
+ *
+ * \param data buffer to store the derived data in
+ * \param datalen length of buffer to fill
+ * \param pwd The password to use. For compliance with PKCS#12 §B.1, this
+ * should be a BMPString, i.e. a Unicode string where each
+ * character is encoded as 2 bytes in big-endian order, with
+ * no byte order mark and with a null terminator (i.e. the
+ * last two bytes should be 0x00 0x00).
+ * \param pwdlen length of the password (may be 0).
+ * \param salt Salt buffer to use. This may only be \c NULL when
+ * \p saltlen is 0.
+ * \param saltlen length of the salt (may be zero)
+ * \param mbedtls_md mbedtls_md type to use during the derivation
+ * \param id id that describes the purpose (can be
+ * #MBEDTLS_PKCS12_DERIVE_KEY, #MBEDTLS_PKCS12_DERIVE_IV or
+ * #MBEDTLS_PKCS12_DERIVE_MAC_KEY)
+ * \param iterations number of iterations
+ *
+ * \return 0 if successful, or a MD, BIGNUM type error.
+ */
+int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *salt, size_t saltlen,
+ mbedtls_md_type_t mbedtls_md, int id, int iterations);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs12.h */
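Review bot: The `\warning` on `mbedtls_pkcs12_pbe_ext()` says a wrong password still yields valid CBC padding about 1 time in 255, but it never tells the caller that a return of 0 from decryption is therefore not evidence that the password was right or that the data is intact. I would add one sentence to that warning, e.g. `A successful return does not authenticate the data; verify integrity separately (for PKCS#12, with a MAC keyed via #MBEDTLS_PKCS12_DERIVE_MAC_KEY).` The `\return` line only says "a MBEDTLS_ERR_XXX code" and does not name the error returned when `output_size` is too small, which callers sizing their own buffers need to handle. The same warning wording appears on the deprecated `mbedtls_pkcs12_pbe()` above and on `mbedtls_pkcs5_pbes2()` in pkcs5.h, so the added sentence applies there too.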
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs5.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs5.h
new file mode 100644
index 0000000..9ba5689
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/pkcs5.h
@@ -0,0 +1,198 @@
+/**
+ * \file pkcs5.h
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PKCS5_H
+#define MBEDTLS_PKCS5_H
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA -0x2f80
+/** Unexpected ASN.1 data. */
+#define MBEDTLS_ERR_PKCS5_INVALID_FORMAT -0x2f00
+/** Requested encryption or digest alg not available. */
+#define MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE -0x2e80
+/** Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH -0x2e00
+
+#define MBEDTLS_PKCS5_DECRYPT MBEDTLS_DECRYPT
+#define MBEDTLS_PKCS5_ENCRYPT MBEDTLS_ENCRYPT
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief PKCS#5 PBES2 function
+ *
+ * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
+ * be enabled at compile time.
+ *
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ * Please use mbedtls_pkcs5_pbes2_ext() instead.
+ *
+ * \warning When decrypting:
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
+ * time, this function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
+ * time, this function does not validate the CBC padding.
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd password to use when generating key
+ * \param pwdlen length of password
+ * \param data data to process
+ * \param datalen length of data
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p datalen
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p datalen + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ *
+ * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+
+/**
+ * \brief PKCS#5 PBES2 function
+ *
+ * \warning When decrypting:
+ * - This function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd password to use when generating key
+ * \param pwdlen length of password
+ * \param data data to process
+ * \param datalen length of data
+ * \param output Output buffer.
+ * On success, it contains the decrypted data.
+ * On failure, the content is indetermidate.
+ * For decryption, there must be enough room for \p datalen
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p datalen + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ * \param output_size size of output buffer.
+ * This must be big enough to accommodate for output plus
+ * padding data.
+ * \param output_len On success, length of actual data written to the output buffer.
+ *
+ * \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
+ */
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C*/
+
+/**
+ * \brief PKCS#5 PBKDF2 using HMAC without using the HMAC context
+ *
+ * \param md_type Hash algorithm used
+ * \param password Password to use when generating key
+ * \param plen Length of password
+ * \param salt Salt to use when generating key
+ * \param slen Length of salt
+ * \param iteration_count Iteration count
+ * \param key_length Length of generated key in bytes
+ * \param output Generated key. Must be at least as big as key_length
+ *
+ * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_type,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output);
+
+#if defined(MBEDTLS_MD_C)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief PKCS#5 PBKDF2 using HMAC
+ *
+ * \deprecated Superseded by mbedtls_pkcs5_pbkdf2_hmac_ext().
+ *
+ * \param ctx Generic HMAC context
+ * \param password Password to use when generating key
+ * \param plen Length of password
+ * \param salt Salt to use when generating key
+ * \param slen Length of salt
+ * \param iteration_count Iteration count
+ * \param key_length Length of generated key in bytes
+ * \param output Generated key. Must be at least as big as key_length
+ *
+ * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *password,
+ size_t plen,
+ const unsigned char *salt,
+ size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length,
+ unsigned char *output);
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_pkcs5_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs5.h */
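Review bot: The `\param output` text for `mbedtls_pkcs5_pbes2_ext()` says `On success, it contains the decrypted data.` although `\param mode` shows the function also encrypts, and the next line misspells `indeterminate` as `indetermidate`. I would write `On success, it contains the encrypted or decrypted data.` and `On failure, the content is indeterminate.`. The `\returns` lines of both PBKDF2 declarations say `if verification fails`, but a key-derivation call verifies nothing, so `\returns 0 on success, or a MBEDTLS_ERR_XXX code on failure.` is more accurate. The decrypt warning should stay prominent: by its own 1/255 figure, a return of 0 does not prove the password was correct, so callers still need to validate the decrypted structure.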
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/platform.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform.h
new file mode 100644
index 0000000..de3d71d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform.h
@@ -0,0 +1,485 @@
+/**
+ * \file platform.h
+ *
+ * \brief This file contains the definitions and functions of the
+ * Mbed TLS platform abstraction layer.
+ *
+ * The platform abstraction layer removes the need for the library
+ * to directly link to standard C library functions or operating
+ * system services, making the library easier to port and embed.
+ * Application developers and users of the library can provide their own
+ * implementations of these functions, or implementations specific to
+ * their platform, which can be statically linked to the library or
+ * dynamically configured at runtime.
+ *
+ * When all compilation options related to platform abstraction are
+ * disabled, this header just defines `mbedtls_xxx` function names
+ * as aliases to the standard `xxx` function.
+ *
+ * Most modules in the library and example programs are expected to
+ * include this header.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PLATFORM_H
+#define MBEDTLS_PLATFORM_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
+ * \{
+ */
+
+/* The older Microsoft Windows common runtime provides non-conforming
+ * implementations of some standard library functions, including snprintf
+ * and vsnprintf. This affects MSVC and MinGW builds.
+ */
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
+#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF
+#define MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF
+#endif
+
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#include <stdio.h>
+#include <stdlib.h>
+#if defined(MBEDTLS_HAVE_TIME)
+#include <time.h>
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
+#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use. */
+#else
+#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< The default \c snprintf function to use. */
+#endif
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF mbedtls_platform_win32_vsnprintf /**< The default \c vsnprintf function to use. */
+#else
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF vsnprintf /**< The default \c vsnprintf function to use. */
+#endif
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< The default \c printf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< The default \c calloc function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+#define MBEDTLS_PLATFORM_STD_FREE free /**< The default \c free function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< The default \c setbuf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+#define MBEDTLS_PLATFORM_STD_EXIT exit /**< The default \c exit function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+#define MBEDTLS_PLATFORM_STD_TIME time /**< The default \c time function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS /**< The default exit value to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /**< The default exit value to use. */
+#endif
+#if defined(MBEDTLS_FS_IO)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile"
+#endif
+#endif /* MBEDTLS_FS_IO */
+#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
+#include MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+/* Enable certain documented defines only when generating doxygen to avoid
+ * an "unrecognized define" error. */
+#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#define MBEDTLS_PLATFORM_STD_CALLOC
+#endif
+
+#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_FREE)
+#define MBEDTLS_PLATFORM_STD_FREE
+#endif
+
+/** \} name SECTION: Module settings */
+
+/*
+ * The function pointers for calloc and free.
+ * Please see MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE
+ * in mbedtls_config.h for more information about behaviour and requirements.
+ */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
+ defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#undef mbedtls_free
+#undef mbedtls_calloc
+#define mbedtls_free MBEDTLS_PLATFORM_FREE_MACRO
+#define mbedtls_calloc MBEDTLS_PLATFORM_CALLOC_MACRO
+#else
+/* For size_t */
+#include <stddef.h>
+extern void *mbedtls_calloc(size_t n, size_t size);
+extern void mbedtls_free(void *ptr);
+
+/**
+ * \brief This function dynamically sets the memory-management
+ * functions used by the library, during runtime.
+ *
+ * \param calloc_func The \c calloc function implementation.
+ * \param free_func The \c free function implementation.
+ *
+ * \return \c 0.
+ */
+int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
+ void (*free_func)(void *));
+#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
+#else /* !MBEDTLS_PLATFORM_MEMORY */
+#undef mbedtls_free
+#undef mbedtls_calloc
+#define mbedtls_free free
+#define mbedtls_calloc calloc
+#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
+
+/*
+ * The function pointers for fprintf
+ */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+/* We need FILE * */
+#include <stdio.h>
+extern int (*mbedtls_fprintf)(FILE *stream, const char *format, ...);
+
+/**
+ * \brief This function dynamically configures the fprintf
+ * function that is called when the
+ * mbedtls_fprintf() function is invoked by the library.
+ *
+ * \param fprintf_func The \c fprintf function implementation.
+ *
+ * \return \c 0.
+ */
+int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *stream, const char *,
+ ...));
+#else
+#undef mbedtls_fprintf
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
+#define mbedtls_fprintf MBEDTLS_PLATFORM_FPRINTF_MACRO
+#else
+#define mbedtls_fprintf fprintf
+#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+/*
+ * The function pointers for printf
+ */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+extern int (*mbedtls_printf)(const char *format, ...);
+
+/**
+ * \brief This function dynamically configures the snprintf
+ * function that is called when the mbedtls_snprintf()
+ * function is invoked by the library.
+ *
+ * \param printf_func The \c printf function implementation.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...));
+#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#undef mbedtls_printf
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
+#define mbedtls_printf MBEDTLS_PLATFORM_PRINTF_MACRO
+#else
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+/*
+ * The function pointers for snprintf
+ *
+ * The snprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ * (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ * the destination buffer is too short.
+ */
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
+/* For Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...);
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+extern int (*mbedtls_snprintf)(char *s, size_t n, const char *format, ...);
+
+/**
+ * \brief This function allows configuring a custom
+ * \c snprintf function pointer.
+ *
+ * \param snprintf_func The \c snprintf function implementation.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
+ const char *format, ...));
+#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#undef mbedtls_snprintf
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define mbedtls_snprintf MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#else
+#define mbedtls_snprintf MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+/*
+ * The function pointers for vsnprintf
+ *
+ * The vsnprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ * (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ * the destination buffer is too short.
+ */
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#include <stdarg.h>
+/* For Older Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg);
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+#include <stdarg.h>
+extern int (*mbedtls_vsnprintf)(char *s, size_t n, const char *format, va_list arg);
+
+/**
+ * \brief Set your own snprintf function pointer
+ *
+ * \param vsnprintf_func The \c vsnprintf function implementation
+ *
+ * \return \c 0
+ */
+int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
+ const char *format, va_list arg));
+#else /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#undef mbedtls_vsnprintf
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
+#define mbedtls_vsnprintf MBEDTLS_PLATFORM_VSNPRINTF_MACRO
+#else
+#define mbedtls_vsnprintf vsnprintf
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+
+/*
+ * The function pointers for setbuf
+ */
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#include <stdio.h>
+/**
+ * \brief Function pointer to call for `setbuf()` functionality
+ * (changing the internal buffering on stdio calls).
+ *
+ * \note The library calls this function to disable
+ * buffering when reading or writing sensitive data,
+ * to avoid having extra copies of sensitive data
+ * remaining in stdio buffers after the file is
+ * closed. If this is not a concern, for example if
+ * your platform's stdio doesn't have any buffering,
+ * you can set mbedtls_setbuf to a function that
+ * does nothing.
+ *
+ * The library always calls this function with
+ * `buf` equal to `NULL`.
+ */
+extern void (*mbedtls_setbuf)(FILE *stream, char *buf);
+
+/**
+ * \brief Dynamically configure the function that is called
+ * when the mbedtls_setbuf() function is called by the
+ * library.
+ *
+ * \param setbuf_func The \c setbuf function implementation
+ *
+ * \return \c 0
+ */
+int mbedtls_platform_set_setbuf(void (*setbuf_func)(
+ FILE *stream, char *buf));
+#else
+#undef mbedtls_setbuf
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
+/**
+ * \brief Macro defining the function for the library to
+ * call for `setbuf` functionality (changing the
+ * internal buffering on stdio calls).
+ *
+ * \note See extra comments on the mbedtls_setbuf() function
+ * pointer above.
+ *
+ * \return \c 0 on success, negative on error.
+ */
+#define mbedtls_setbuf MBEDTLS_PLATFORM_SETBUF_MACRO
+#else
+#define mbedtls_setbuf setbuf
+#endif /* MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+
+/*
+ * The function pointers for exit
+ */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+extern void (*mbedtls_exit)(int status);
+
+/**
+ * \brief This function dynamically configures the exit
+ * function that is called when the mbedtls_exit()
+ * function is invoked by the library.
+ *
+ * \param exit_func The \c exit function implementation.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_platform_set_exit(void (*exit_func)(int status));
+#else
+#undef mbedtls_exit
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
+#define mbedtls_exit MBEDTLS_PLATFORM_EXIT_MACRO
+#else
+#define mbedtls_exit exit
+#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+/*
+ * The default exit values
+ */
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#else
+#define MBEDTLS_EXIT_SUCCESS 0
+#endif
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+#else
+#define MBEDTLS_EXIT_FAILURE 1
+#endif
+
+/*
+ * The function pointers for reading from and writing a seed file to
+ * Non-Volatile storage (NV) in a platform-independent way
+ *
+ * Only enabled when the NV seed entropy source is enabled
+ */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Internal standard platform definitions */
+int mbedtls_platform_std_nv_seed_read(unsigned char *buf, size_t buf_len);
+int mbedtls_platform_std_nv_seed_write(unsigned char *buf, size_t buf_len);
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+extern int (*mbedtls_nv_seed_read)(unsigned char *buf, size_t buf_len);
+extern int (*mbedtls_nv_seed_write)(unsigned char *buf, size_t buf_len);
+
+/**
+ * \brief This function allows configuring custom seed file writing and
+ * reading functions.
+ *
+ * \param nv_seed_read_func The seed reading function implementation.
+ * \param nv_seed_write_func The seed writing function implementation.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_platform_set_nv_seed(
+ int (*nv_seed_read_func)(unsigned char *buf, size_t buf_len),
+ int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len)
+ );
+#else
+#undef mbedtls_nv_seed_read
+#undef mbedtls_nv_seed_write
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
+ defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
+#define mbedtls_nv_seed_read MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
+#define mbedtls_nv_seed_write MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
+#else
+#define mbedtls_nv_seed_read mbedtls_platform_std_nv_seed_read
+#define mbedtls_nv_seed_write mbedtls_platform_std_nv_seed_write
+#endif
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+
+/**
+ * \brief The platform context structure.
+ *
+ * \note This structure may be used to assist platform-specific
+ * setup or teardown operations.
+ */
+typedef struct mbedtls_platform_context {
+ char MBEDTLS_PRIVATE(dummy); /**< A placeholder member, as empty structs are not portable. */
+}
+mbedtls_platform_context;
+
+#else
+#include "platform_alt.h"
+#endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+/**
+ * \brief This function performs any platform-specific initialization
+ * operations.
+ *
+ * \note This function should be called before any other library functions.
+ *
+ * Its implementation is platform-specific, and unless
+ * platform-specific code is provided, it does nothing.
+ *
+ * \note The usage and necessity of this function is dependent on the platform.
+ *
+ * \param ctx The platform context.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_platform_setup(mbedtls_platform_context *ctx);
+/**
+ * \brief This function performs any platform teardown operations.
+ *
+ * \note This function should be called after every other Mbed TLS module
+ * has been correctly freed using the appropriate free function.
+ *
+ * Its implementation is platform-specific, and unless
+ * platform-specific code is provided, it does nothing.
+ *
+ * \note The usage and necessity of this function is dependent on the platform.
+ *
+ * \param ctx The platform context.
+ *
+ */
+void mbedtls_platform_teardown(mbedtls_platform_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform.h */
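Review bot: The fallback `#define mbedtls_vsnprintf vsnprintf` ignores `MBEDTLS_PLATFORM_STD_VSNPRINTF`, which this file sets to `mbedtls_platform_win32_vsnprintf` when `MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF` is defined, whereas `mbedtls_snprintf` does default to `MBEDTLS_PLATFORM_STD_SNPRINTF`. On the toolchains this header itself flags as non-conforming, the library may therefore use a vsnprintf that does not meet the zero-termination requirement stated in the comment just above. This holds unless configuration outside this hunk forces the ALT or MACRO path. I would mirror the snprintf branch with `#define mbedtls_vsnprintf MBEDTLS_PLATFORM_STD_VSNPRINTF`. The briefs for `mbedtls_platform_set_printf()` and `mbedtls_platform_set_vsnprintf()` also say snprintf where they mean printf and vsnprintf.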
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_time.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_time.h
new file mode 100644
index 0000000..97f1963
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_time.h
@@ -0,0 +1,79 @@
+/**
+ * \file platform_time.h
+ *
+ * \brief Mbed TLS Platform time abstraction
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PLATFORM_TIME_H
+#define MBEDTLS_PLATFORM_TIME_H
+
+#include "mbedtls/build_info.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+/* For time_t */
+#include <time.h>
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO mbedtls_ms_time_t;
+#else
+#include <stdint.h>
+#include <inttypes.h>
+typedef int64_t mbedtls_ms_time_t;
+#endif /* MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO */
+
+/**
+ * \brief Get time in milliseconds.
+ *
+ * \return Monotonically-increasing current time in milliseconds.
+ *
+ * \note Define MBEDTLS_PLATFORM_MS_TIME_ALT to be able to provide an
+ * alternative implementation
+ *
+ * \warning This function returns a monotonically-increasing time value from a
+ * start time that will differ from platform to platform, and possibly
+ * from run to run of the process.
+ *
+ */
+mbedtls_ms_time_t mbedtls_ms_time(void);
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *time);
+
+/**
+ * \brief Set your own time function pointer
+ *
+ * \param time_func the time function implementation
+ *
+ * \return 0
+ */
+int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *time));
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform_time.h */
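Review bot: When `MBEDTLS_PLATFORM_TIME_TYPE_MACRO` is defined, this header skips `#include <time.h>`, yet the last `#else` branch still maps `mbedtls_time` to `time`. A file that includes only this header can then call an undeclared function, unless `MBEDTLS_PLATFORM_TIME_ALT` or `MBEDTLS_PLATFORM_TIME_MACRO` is also set. Whether a configuration check elsewhere enforces that pairing is not visible in this hunk. If none does, adding `#include <time.h>` directly above `#define mbedtls_time time` keeps the default branch self-contained.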
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_util.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_util.h
new file mode 100644
index 0000000..1b371ef
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/platform_util.h
@@ -0,0 +1,197 @@
+/**
+ * \file platform_util.h
+ *
+ * \brief Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PLATFORM_UTIL_H
+#define MBEDTLS_PLATFORM_UTIL_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const *mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL) \
+ ((mbedtls_deprecated_string_constant_t) (VAL))
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL) \
+ ((mbedtls_deprecated_numeric_constant_t) (VAL))
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/* Implementation of the check-return facility.
+ * See the user documentation in mbedtls_config.h.
+ *
+ * Do not use this macro directly to annotate function: instead,
+ * use one of MBEDTLS_CHECK_RETURN_CRITICAL or MBEDTLS_CHECK_RETURN_TYPICAL
+ * depending on how important it is to check the return value.
+ */
+#if !defined(MBEDTLS_CHECK_RETURN)
+#if defined(__GNUC__)
+#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
+#elif defined(_MSC_VER) && _MSC_VER >= 1700
+#include <sal.h>
+#define MBEDTLS_CHECK_RETURN _Check_return_
+#else
+#define MBEDTLS_CHECK_RETURN
+#endif
+#endif
+
+/** Critical-failure function
+ *
+ * This macro appearing at the beginning of the declaration of a function
+ * indicates that its return value should be checked in all applications.
+ * Omitting the check is very likely to indicate a bug in the application
+ * and will result in a compile-time warning if #MBEDTLS_CHECK_RETURN
+ * is implemented for the compiler in use.
+ *
+ * \note The use of this macro is a work in progress.
+ * This macro may be added to more functions in the future.
+ * Such an extension is not considered an API break, provided that
+ * there are near-unavoidable circumstances under which the function
+ * can fail. For example, signature/MAC/AEAD verification functions,
+ * and functions that require a random generator, are considered
+ * return-check-critical.
+ */
+#define MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN
+
+/** Ordinary-failure function
+ *
+ * This macro appearing at the beginning of the declaration of a function
+ * indicates that its return value should be generally be checked in portable
+ * applications. Omitting the check will result in a compile-time warning if
+ * #MBEDTLS_CHECK_RETURN is implemented for the compiler in use and
+ * #MBEDTLS_CHECK_RETURN_WARNING is enabled in the compile-time configuration.
+ *
+ * You can use #MBEDTLS_IGNORE_RETURN to explicitly ignore the return value
+ * of a function that is annotated with #MBEDTLS_CHECK_RETURN.
+ *
+ * \note The use of this macro is a work in progress.
+ * This macro will be added to more functions in the future.
+ * Eventually this should appear before most functions returning
+ * an error code (as \c int in the \c mbedtls_xxx API or
+ * as ::psa_status_t in the \c psa_xxx API).
+ */
+#if defined(MBEDTLS_CHECK_RETURN_WARNING)
+#define MBEDTLS_CHECK_RETURN_TYPICAL MBEDTLS_CHECK_RETURN
+#else
+#define MBEDTLS_CHECK_RETURN_TYPICAL
+#endif
+
+/** Benign-failure function
+ *
+ * This macro appearing at the beginning of the declaration of a function
+ * indicates that it is rarely useful to check its return value.
+ *
+ * This macro has an empty expansion. It exists for documentation purposes:
+ * a #MBEDTLS_CHECK_RETURN_OPTIONAL annotation indicates that the function
+ * has been analyzed for return-check usefulness, whereas the lack of
+ * an annotation indicates that the function has not been analyzed and its
+ * return-check usefulness is unknown.
+ */
+#define MBEDTLS_CHECK_RETURN_OPTIONAL
+
+/** \def MBEDTLS_IGNORE_RETURN
+ *
+ * Call this macro with one argument, a function call, to suppress a warning
+ * from #MBEDTLS_CHECK_RETURN due to that function call.
+ */
+#if !defined(MBEDTLS_IGNORE_RETURN)
+/* GCC doesn't silence the warning with just (void)(result).
+ * (void)!(result) is known to work up at least up to GCC 10, as well
+ * as with Clang and MSVC.
+ *
+ * https://gcc.gnu.org/onlinedocs/gcc-3.4.6/gcc/Non_002dbugs.html
+ * https://stackoverflow.com/questions/40576003/ignoring-warning-wunused-result
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425#c34
+ */
+#define MBEDTLS_IGNORE_RETURN(result) ((void) !(result))
+#endif
+
+/* If the following macro is defined, the library is being built by the test
+ * framework, and the framework is going to provide a replacement
+ * mbedtls_platform_zeroize() using a preprocessor macro, so the function
+ * declaration should be omitted. */
+#if !defined(MBEDTLS_TEST_DEFINES_ZEROIZE) //no-check-names
+/**
+ * \brief Securely zeroize a buffer
+ *
+ * The function is meant to wipe the data contained in a buffer so
+ * that it can no longer be recovered even if the program memory
+ * is later compromised. Call this function on sensitive data
+ * stored on the stack before returning from a function, and on
+ * sensitive data stored on the heap before freeing the heap
+ * object.
+ *
+ * It is extremely difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() are not removed by aggressive
+ * compiler optimizations in a portable way. For this reason, Mbed
+ * TLS provides the configuration option
+ * MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for
+ * their platform and needs
+ *
+ * \param buf Buffer to be zeroized
+ * \param len Length of the buffer in bytes
+ *
+ */
+void mbedtls_platform_zeroize(void *buf, size_t len);
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief Platform-specific implementation of gmtime_r()
+ *
+ * The function is a thread-safe abstraction that behaves
+ * similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ * Mbed TLS will try to identify the underlying platform and
+ * make use of an appropriate underlying implementation (e.g.
+ * gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ * not possible, then gmtime() will be used. In this case, calls
+ * from the library to gmtime() will be guarded by the mutex
+ * mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ * enabled. It is recommended that calls from outside the library
+ * are also guarded by this mutex.
+ *
+ * If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ * unconditionally use the alternative implementation for
+ * mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt Pointer to an object containing time (in seconds) since the
+ * epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return Pointer to an object of type struct tm on success, otherwise
+ * NULL
+ */
+struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
+ struct tm *tm_buf);
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PLATFORM_UTIL_H */
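Review bot: The doc comment for `mbedtls_platform_zeroize()` does not say whether a NULL `buf` with `len == 0` is accepted, and error-path cleanup code commonly ends up making exactly that call. The implementation is not in this hunk, so the contract should be confirmed there and then stated, for example `\param buf Buffer to be zeroized. May be \c NULL if \p len is 0.` if that holds. The same comment's sentence ending `their platform and needs` is missing its full stop. In the MBEDTLS_CHECK_RETURN_TYPICAL comment, `should be generally be checked` should read `should generally be checked`.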
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/poly1305.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/poly1305.h
new file mode 100644
index 0000000..61bcaa6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/poly1305.h
@@ -0,0 +1,168 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief This file contains Poly1305 definitions and functions.
+ *
+ * Poly1305 is a one-time message authenticator that can be used to
+ * authenticate messages. Poly1305-AES was created by Daniel
+ * Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ * Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ * 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stdint.h>
+#include <stddef.h>
+
+/** Invalid input parameter(s). */
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA -0x0057
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct mbedtls_poly1305_context {
+ uint32_t MBEDTLS_PRIVATE(r)[4]; /** The value for 'r' (low 128 bits of the key). */
+ uint32_t MBEDTLS_PRIVATE(s)[4]; /** The value for 's' (high 128 bits of the key). */
+ uint32_t MBEDTLS_PRIVATE(acc)[5]; /** The accumulator number. */
+ uint8_t MBEDTLS_PRIVATE(queue)[16]; /** The current partial block of data. */
+ size_t MBEDTLS_PRIVATE(queue_len); /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief This function initializes the specified Poly1305 context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * It is usually followed by a call to
+ * \c mbedtls_poly1305_starts(), then one or more calls to
+ * \c mbedtls_poly1305_update(), then one call to
+ * \c mbedtls_poly1305_finish(), then finally
+ * \c mbedtls_poly1305_free().
+ *
+ * \param ctx The Poly1305 context to initialize. This must
+ * not be \c NULL.
+ */
+void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx);
+
+/**
+ * \brief This function releases and clears the specified
+ * Poly1305 context.
+ *
+ * \param ctx The Poly1305 context to clear. This may be \c NULL, in which
+ * case this function is a no-op. If it is not \c NULL, it must
+ * point to an initialized Poly1305 context.
+ */
+void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx);
+
+/**
+ * \brief This function sets the one-time authentication key.
+ *
+ * \warning The key must be unique and unpredictable for each
+ * invocation of Poly1305.
+ *
+ * \param ctx The Poly1305 context to which the key should be bound.
+ * This must be initialized.
+ * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
+ const unsigned char key[32]);
+
+/**
+ * \brief This functions feeds an input buffer into an ongoing
+ * Poly1305 computation.
+ *
+ * It is called between \c mbedtls_cipher_poly1305_starts() and
+ * \c mbedtls_cipher_poly1305_finish().
+ * It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx The Poly1305 context to use for the Poly1305 operation.
+ * This must be initialized and bound to a key.
+ * \param ilen The length of the input data in Bytes.
+ * Any value is accepted.
+ * \param input The buffer holding the input data.
+ * This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief This function generates the Poly1305 Message
+ * Authentication Code (MAC).
+ *
+ * \param ctx The Poly1305 context to use for the Poly1305 operation.
+ * This must be initialized and bound to a key.
+ * \param mac The buffer to where the MAC is written. This must
+ * be a writable buffer of length \c 16 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
+ unsigned char mac[16]);
+
+/**
+ * \brief This function calculates the Poly1305 MAC of the input
+ * buffer with the provided key.
+ *
+ * \warning The key must be unique and unpredictable for each
+ * invocation of Poly1305.
+ *
+ * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen The length of the input data in Bytes.
+ * Any value is accepted.
+ * \param input The buffer holding the input data.
+ * This pointer can be \c NULL if `ilen == 0`.
+ * \param mac The buffer to where the MAC is written. This must be
+ * a writable buffer of length \c 16 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_poly1305_mac(const unsigned char key[32],
+ const unsigned char *input,
+ size_t ilen,
+ unsigned char mac[16]);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The Poly1305 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
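Review bot: The documentation of `mbedtls_poly1305_update()` says it is called between `mbedtls_cipher_poly1305_starts()` and `mbedtls_cipher_poly1305_finish()`, but this header declares no such functions. The text should name `mbedtls_poly1305_starts()` and `mbedtls_poly1305_finish()`, and "This functions feeds" should read "This function feeds". The member comments in `mbedtls_poly1305_context` open with `/**` after the member, which Doxygen attaches to the next declaration rather than the field on the same line; `/**<` would bind them to the intended field. `mbedtls_poly1305_self_test()` takes `verbose` but has no `\param verbose` entry.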
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/private_access.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/private_access.h
new file mode 100644
index 0000000..580f3eb
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/private_access.h
@@ -0,0 +1,20 @@
+/**
+ * \file private_access.h
+ *
+ * \brief Macro wrapper for struct's members.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PRIVATE_ACCESS_H
+#define MBEDTLS_PRIVATE_ACCESS_H
+
+#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
+#define MBEDTLS_PRIVATE(member) private_##member
+#else
+#define MBEDTLS_PRIVATE(member) member
+#endif
+
+#endif /* MBEDTLS_PRIVATE_ACCESS_H */
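Review bot: `MBEDTLS_PRIVATE` carries no comment saying what the two expansions mean for users of the structs that wrap their members in it. A short comment above the `#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS` block would help, for example `/* Members wrapped in MBEDTLS_PRIVATE() are renamed private_<member> unless MBEDTLS_ALLOW_PRIVATE_ACCESS is defined before this header is first included. */`. The "before first included" part matters because the include guard means a later definition has no effect.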
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h
new file mode 100644
index 0000000..c78cc23
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h
@@ -0,0 +1,188 @@
+/**
+ * \file psa_util.h
+ *
+ * \brief Utility functions for the use of the PSA Crypto library.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PSA_UTIL_H
+#define MBEDTLS_PSA_UTIL_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+/* ASN1 defines used in the ECDSA conversion functions.
+ * Note: intentionally not adding MBEDTLS_ASN1_[PARSE|WRITE]_C guards here
+ * otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/
+#include <mbedtls/asn1write.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+/** The random generator function for the PSA subsystem.
+ *
+ * This function is suitable as the `f_rng` random generator function
+ * parameter of many `mbedtls_xxx` functions.
+ *
+ * The implementation of this function depends on the configuration of the
+ * library.
+ *
+ * \note This function may only be used if the PSA crypto subsystem is active.
+ * This means that you must call psa_crypto_init() before any call to
+ * this function, and you must not call this function after calling
+ * mbedtls_psa_crypto_free().
+ *
+ * \param p_rng This parameter is only kept for backward compatibility
+ * reasons with legacy `f_rng` functions and it's ignored.
+ * Set to #MBEDTLS_PSA_RANDOM_STATE or NULL.
+ * \param output The buffer to fill. It must have room for
+ * \c output_size bytes.
+ * \param output_size The number of bytes to write to \p output.
+ * This function may fail if \p output_size is too
+ * large. It is guaranteed to accept any output size
+ * requested by Mbed TLS library functions. The
+ * maximum request size depends on the library
+ * configuration.
+ *
+ * \return \c 0 on success.
+ * \return An `MBEDTLS_ERR_ENTROPY_xxx`,
+ * `MBEDTLS_ERR_PLATFORM_xxx,
+ * `MBEDTLS_ERR_CTR_DRBG_xxx` or
+ * `MBEDTLS_ERR_HMAC_DRBG_xxx` on error.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+ unsigned char *output,
+ size_t output_size);
+
+/** The random generator state for the PSA subsystem.
+ *
+ * This macro always expands to NULL because the `p_rng` parameter is unused
+ * in mbedtls_psa_get_random(), but it's kept for interface's backward
+ * compatibility.
+ */
+#define MBEDTLS_PSA_RANDOM_STATE NULL
+
+/** \defgroup psa_tls_helpers TLS helper functions
+ * @{
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#include <mbedtls/ecp.h>
+
+/** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
+ *
+ * \param grpid An Mbed TLS elliptic curve identifier
+ * (`MBEDTLS_ECP_DP_xxx`).
+ * \param[out] bits On success the bit size of the curve; 0 on failure.
+ *
+ * \return If the curve is supported in the PSA API, this function
+ * returns the proper PSA curve identifier
+ * (`PSA_ECC_FAMILY_xxx`). This holds even if the curve is
+ * not supported by the ECP module.
+ * \return \c 0 if the curve is not supported in the PSA API.
+ */
+psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
+ size_t *bits);
+
+/** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
+ *
+ * \param family A PSA elliptic curve family identifier
+ * (`PSA_ECC_FAMILY_xxx`).
+ * \param bits The bit-length of a private key on \p curve.
+ *
+ * \return If the curve is supported in the PSA API, this function
+ * returns the corresponding Mbed TLS elliptic curve
+ * identifier (`MBEDTLS_ECP_DP_xxx`).
+ * \return #MBEDTLS_ECP_DP_NONE if the combination of \c curve
+ * and \p bits is not supported.
+ */
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+ size_t bits);
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+/**
+ * \brief This function returns the PSA algorithm identifier
+ * associated with the given digest type.
+ *
+ * \param md_type The type of digest to search for. Must not be NONE.
+ *
+ * \warning If \p md_type is \c MBEDTLS_MD_NONE, this function will
+ * not return \c PSA_ALG_NONE, but an invalid algorithm.
+ *
+ * \warning This function does not check if the algorithm is
+ * supported, it always returns the corresponding identifier.
+ *
+ * \return The PSA algorithm identifier associated with \p md_type,
+ * regardless of whether it is supported or not.
+ */
+static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
+{
+ return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) md_type;
+}
+
+/**
+ * \brief This function returns the given digest type
+ * associated with the PSA algorithm identifier.
+ *
+ * \param psa_alg The PSA algorithm identifier to search for.
+ *
+ * \warning This function does not check if the algorithm is
+ * supported, it always returns the corresponding identifier.
+ *
+ * \return The MD type associated with \p psa_alg,
+ * regardless of whether it is supported or not.
+ */
+static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
+{
+ return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+/** Convert an ECDSA signature from raw format to DER ASN.1 format.
+ *
+ * \param bits Size of each coordinate in bits.
+ * \param raw Buffer that contains the signature in raw format.
+ * \param raw_len Length of \p raw in bytes. This must be
+ * PSA_BITS_TO_BYTES(bits) bytes.
+ * \param[out] der Buffer that will be filled with the converted DER
+ * output. It can overlap with raw buffer.
+ * \param der_size Size of \p der in bytes. It is enough if \p der_size
+ * is at least the size of the actual output. (The size
+ * of the output can vary depending on the presence of
+ * leading zeros in the data.) You can use
+ * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) to determine a
+ * size that is large enough for all signatures for a
+ * given value of \p bits.
+ * \param[out] der_len On success it contains the amount of valid data
+ * (in bytes) written to \p der. It's undefined
+ * in case of failure.
+ */
+int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len);
+
+/** Convert an ECDSA signature from DER ASN.1 format to raw format.
+ *
+ * \param bits Size of each coordinate in bits.
+ * \param der Buffer that contains the signature in DER format.
+ * \param der_len Size of \p der in bytes.
+ * \param[out] raw Buffer that will be filled with the converted raw
+ * signature. It can overlap with der buffer.
+ * \param raw_size Size of \p raw in bytes. Must be at least
+ * 2 * PSA_BITS_TO_BYTES(bits) bytes.
+ * \param[out] raw_len On success it is updated with the amount of valid
+ * data (in bytes) written to \p raw. It's undefined
+ * in case of failure.
+ */
+int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len);
+
+#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+/**@}*/
+
+#endif /* MBEDTLS_PSA_UTIL_H */
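Review bot: The `raw_len` description of `mbedtls_ecdsa_raw_to_der()` says the length must be `PSA_BITS_TO_BYTES(bits)` bytes, while `mbedtls_ecdsa_der_to_raw()` requires `raw_size` of at least `2 * PSA_BITS_TO_BYTES(bits)` for the same raw format. A raw signature holding two coordinates would presumably be `2 * PSA_BITS_TO_BYTES(bits)` bytes, so one of the two statements is likely wrong and should be checked against the implementation, which is not in this hunk. Both conversion functions also lack `\return` entries, so a caller cannot tell from the header how a too-small output buffer or malformed DER input is reported. In `mbedtls_ecc_group_from_psa()` the text refers to `\p curve` and `\c curve` although the parameter is named `family`, and the `\return` list of `mbedtls_psa_get_random()` has an unclosed backtick after `MBEDTLS_ERR_PLATFORM_xxx`.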
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ripemd160.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ripemd160.h
new file mode 100644
index 0000000..279f92b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ripemd160.h
@@ -0,0 +1,136 @@
+/**
+ * \file ripemd160.h
+ *
+ * \brief RIPE MD-160 message digest
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RIPEMD160_H
+#define MBEDTLS_RIPEMD160_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief RIPEMD-160 context structure
+ */
+typedef struct mbedtls_ripemd160_context {
+ uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */
+ uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< intermediate digest state */
+ unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */
+}
+mbedtls_ripemd160_context;
+
+#else /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160_alt.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+/**
+ * \brief Initialize RIPEMD-160 context
+ *
+ * \param ctx RIPEMD-160 context to be initialized
+ */
+void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief Clear RIPEMD-160 context
+ *
+ * \param ctx RIPEMD-160 context to be cleared
+ */
+void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief Clone (the state of) a RIPEMD-160 context
+ *
+ * \param dst The destination context
+ * \param src The context to be cloned
+ */
+void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
+ const mbedtls_ripemd160_context *src);
+
+/**
+ * \brief RIPEMD-160 context setup
+ *
+ * \param ctx context to be initialized
+ *
+ * \return 0 if successful
+ */
+int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx);
+
+/**
+ * \brief RIPEMD-160 process buffer
+ *
+ * \param ctx RIPEMD-160 context
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ *
+ * \return 0 if successful
+ */
+int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief RIPEMD-160 final digest
+ *
+ * \param ctx RIPEMD-160 context
+ * \param output RIPEMD-160 checksum result
+ *
+ * \return 0 if successful
+ */
+int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
+ unsigned char output[20]);
+
+/**
+ * \brief RIPEMD-160 process data block (internal use only)
+ *
+ * \param ctx RIPEMD-160 context
+ * \param data buffer holding one block of data
+ *
+ * \return 0 if successful
+ */
+int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
+ const unsigned char data[64]);
+
+/**
+ * \brief Output = RIPEMD-160( input buffer )
+ *
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ * \param output RIPEMD-160 checksum result
+ *
+ * \return 0 if successful
+ */
+int mbedtls_ripemd160(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20]);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_ripemd160_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_ripemd160.h */
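Review bot: The `output` parameter of `mbedtls_ripemd160_finish()` and `mbedtls_ripemd160()` is documented only as "RIPEMD-160 checksum result", with no size requirement. The `[20]` in the prototypes is not enforced by the compiler, so the docs should state it, e.g. `\param output The RIPEMD-160 digest. This must be a writable buffer of length \c 20 Bytes.` `mbedtls_ripemd160_self_test()` has no `\param verbose` entry. The closing `#endif /* mbedtls_ripemd160.h */` does not match the guard name `MBEDTLS_RIPEMD160_H`.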
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h
new file mode 100644
index 0000000..cc839f2
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/rsa.h
@@ -0,0 +1,1156 @@
+/**
+ * \file rsa.h
+ *
+ * \brief This file provides an API for the RSA public-key cryptosystem.
+ *
+ * The RSA public-key cryptosystem is defined in <em>Public-Key
+ * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
+ * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
+ * RSA Cryptography Specifications</em>.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RSA_H
+#define MBEDTLS_RSA_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/bignum.h"
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/*
+ * RSA Error codes
+ */
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080
+/** Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100
+/** Something failed during generation of a key. */
+#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180
+/** Key failed to pass the validity check of the library. */
+#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200
+/** The public key operation failed. */
+#define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280
+/** The private key operation failed. */
+#define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300
+/** The PKCS#1 verification failed. */
+#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380
+/** The output buffer for decryption is not large enough. */
+#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400
+/** The random generator failed to generate non-zeros. */
+#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480
+
+/*
+ * RSA constants
+ */
+
+#define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */
+
+#define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
+#define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
+
+#define MBEDTLS_RSA_SALT_LEN_ANY -1
+
+/*
+ * The above constants may be used even if the RSA module is compile out,
+ * eg for alternative (PKCS#11) RSA implementations in the PK layers.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)
+#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024
+#elif MBEDTLS_RSA_GEN_KEY_MIN_BITS < 128
+#error "MBEDTLS_RSA_GEN_KEY_MIN_BITS must be at least 128 bits"
+#endif
+
+/**
+ * \brief The RSA context structure.
+ */
+typedef struct mbedtls_rsa_context {
+ int MBEDTLS_PRIVATE(ver); /*!< Reserved for internal purposes.
+ * Do not set this field in application
+ * code. Its meaning might change without
+ * notice. */
+ size_t MBEDTLS_PRIVATE(len); /*!< The size of \p N in Bytes. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(N); /*!< The public modulus. */
+ mbedtls_mpi MBEDTLS_PRIVATE(E); /*!< The public exponent. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(D); /*!< The private exponent. */
+ mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The first prime factor. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Q); /*!< The second prime factor. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(DP); /*!< <code>D % (P - 1)</code>. */
+ mbedtls_mpi MBEDTLS_PRIVATE(DQ); /*!< <code>D % (Q - 1)</code>. */
+ mbedtls_mpi MBEDTLS_PRIVATE(QP); /*!< <code>1 / (Q % P)</code>. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(RN); /*!< cached <code>R^2 mod N</code>. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< cached <code>R^2 mod P</code>. */
+ mbedtls_mpi MBEDTLS_PRIVATE(RQ); /*!< cached <code>R^2 mod Q</code>. */
+
+ mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The cached blinding value. */
+ mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The cached un-blinding value. */
+
+ int MBEDTLS_PRIVATE(padding); /*!< Selects padding mode:
+ #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
+ #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
+ int MBEDTLS_PRIVATE(hash_id); /*!< Hash identifier of mbedtls_md_type_t type,
+ as specified in md.h for use in the MGF
+ mask generating function used in the
+ EME-OAEP and EMSA-PSS encodings. */
+#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized iff ver != 0. */
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< Thread-safety mutex. */
+#endif
+}
+mbedtls_rsa_context;
+
+/**
+ * \brief This function initializes an RSA context.
+ *
+ * \note This function initializes the padding and the hash
+ * identifier to respectively #MBEDTLS_RSA_PKCS_V15 and
+ * #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more
+ * information about those parameters.
+ *
+ * \param ctx The RSA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_rsa_init(mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function sets padding for an already initialized RSA
+ * context.
+ *
+ * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
+ * encryption scheme and the RSASSA-PSS signature scheme.
+ *
+ * \note The \p hash_id parameter is ignored when using
+ * #MBEDTLS_RSA_PKCS_V15 padding.
+ *
+ * \note The choice of padding mode is strictly enforced for private
+ * key operations, since there might be security concerns in
+ * mixing padding modes. For public key operations it is
+ * a default value, which can be overridden by calling specific
+ * \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx
+ * functions.
+ *
+ * \note The hash selected in \p hash_id is always used for OEAP
+ * encryption. For PSS signatures, it is always used for
+ * making signatures, but can be overridden for verifying them.
+ * If set to #MBEDTLS_MD_NONE, it is always overridden.
+ *
+ * \param ctx The initialized RSA context to be configured.
+ * \param padding The padding mode to use. This must be either
+ * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id The hash identifier for PSS or OAEP, if \p padding is
+ * #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this
+ * function but may be not suitable for some operations.
+ * Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure:
+ * \p padding or \p hash_id is invalid.
+ */
+int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
+ mbedtls_md_type_t hash_id);
+
+/**
+ * \brief This function retrieves padding mode of initialized
+ * RSA context.
+ *
+ * \param ctx The initialized RSA context.
+ *
+ * \return RSA padding mode.
+ *
+ */
+int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function retrieves hash identifier of mbedtls_md_type_t
+ * type.
+ *
+ * \param ctx The initialized RSA context.
+ *
+ * \return Hash identifier of mbedtls_md_type_t type.
+ *
+ */
+int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function imports a set of core parameters into an
+ * RSA context.
+ *
+ * \note This function can be called multiple times for successive
+ * imports, if the parameters are not simultaneously present.
+ *
+ * Any sequence of calls to this function should be followed
+ * by a call to mbedtls_rsa_complete(), which checks and
+ * completes the provided information to a ready-for-use
+ * public or private RSA key.
+ *
+ * \note See mbedtls_rsa_complete() for more information on which
+ * parameters are necessary to set up a private or public
+ * RSA key.
+ *
+ * \note The imported parameters are copied and need not be preserved
+ * for the lifetime of the RSA context being set up.
+ *
+ * \param ctx The initialized RSA context to store the parameters in.
+ * \param N The RSA modulus. This may be \c NULL.
+ * \param P The first prime factor of \p N. This may be \c NULL.
+ * \param Q The second prime factor of \p N. This may be \c NULL.
+ * \param D The private exponent. This may be \c NULL.
+ * \param E The public exponent. This may be \c NULL.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
+ const mbedtls_mpi *N,
+ const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *E);
+
+/**
+ * \brief This function imports core RSA parameters, in raw big-endian
+ * binary format, into an RSA context.
+ *
+ * \note This function can be called multiple times for successive
+ * imports, if the parameters are not simultaneously present.
+ *
+ * Any sequence of calls to this function should be followed
+ * by a call to mbedtls_rsa_complete(), which checks and
+ * completes the provided information to a ready-for-use
+ * public or private RSA key.
+ *
+ * \note See mbedtls_rsa_complete() for more information on which
+ * parameters are necessary to set up a private or public
+ * RSA key.
+ *
+ * \note The imported parameters are copied and need not be preserved
+ * for the lifetime of the RSA context being set up.
+ *
+ * \param ctx The initialized RSA context to store the parameters in.
+ * \param N The RSA modulus. This may be \c NULL.
+ * \param N_len The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P The first prime factor of \p N. This may be \c NULL.
+ * \param P_len The Byte length of \p P; it is ignored if \p P == NULL.
+ * \param Q The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D The private exponent. This may be \c NULL.
+ * \param D_len The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E The public exponent. This may be \c NULL.
+ * \param E_len The Byte length of \p E; it is ignored if \p E == NULL.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
+ unsigned char const *N, size_t N_len,
+ unsigned char const *P, size_t P_len,
+ unsigned char const *Q, size_t Q_len,
+ unsigned char const *D, size_t D_len,
+ unsigned char const *E, size_t E_len);
+
+/**
+ * \brief This function completes an RSA context from
+ * a set of imported core parameters.
+ *
+ * To setup an RSA public key, precisely \c N and \c E
+ * must have been imported.
+ *
+ * To setup an RSA private key, sufficient information must
+ * be present for the other parameters to be derivable.
+ *
+ * The default implementation supports the following:
+ * <ul><li>Derive \c P, \c Q from \c N, \c D, \c E.</li>
+ * <li>Derive \c N, \c D from \c P, \c Q, \c E.</li></ul>
+ * Alternative implementations need not support these.
+ *
+ * If this function runs successfully, it guarantees that
+ * the RSA context can be used for RSA operations without
+ * the risk of failure or crash.
+ *
+ * \warning This function need not perform consistency checks
+ * for the imported parameters. In particular, parameters that
+ * are not needed by the implementation might be silently
+ * discarded and left unchecked. To check the consistency
+ * of the key material, see mbedtls_rsa_check_privkey().
+ *
+ * \param ctx The initialized RSA context holding imported parameters.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
+ * failed.
+ *
+ */
+int mbedtls_rsa_complete(mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function exports the core parameters of an RSA key.
+ *
+ * If this function runs successfully, the non-NULL buffers
+ * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ * written, with additional unused space filled leading by
+ * zero Bytes.
+ *
+ * Possible reasons for returning
+ * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ * <li>An alternative RSA implementation is in use, which
+ * stores the key externally, and either cannot or should
+ * not export it into RAM.</li>
+ * <li>A SW or HW implementation might not support a certain
+ * deduction. For example, \p P, \p Q from \p N, \p D,
+ * and \p E if the former are not part of the
+ * implementation.</li></ul>
+ *
+ * If the function fails due to an unsupported operation,
+ * the RSA context stays intact and remains usable.
+ *
+ * \param ctx The initialized RSA context.
+ * \param N The MPI to hold the RSA modulus.
+ * This may be \c NULL if this field need not be exported.
+ * \param P The MPI to hold the first prime factor of \p N.
+ * This may be \c NULL if this field need not be exported.
+ * \param Q The MPI to hold the second prime factor of \p N.
+ * This may be \c NULL if this field need not be exported.
+ * \param D The MPI to hold the private exponent.
+ * This may be \c NULL if this field need not be exported.
+ * \param E The MPI to hold the public exponent.
+ * This may be \c NULL if this field need not be exported.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ * requested parameters cannot be done due to missing
+ * functionality or because of security policies.
+ * \return A non-zero return code on any other failure.
+ *
+ */
+int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+ mbedtls_mpi *D, mbedtls_mpi *E);
+
+/**
+ * \brief This function exports core parameters of an RSA key
+ * in raw big-endian binary format.
+ *
+ * If this function runs successfully, the non-NULL buffers
+ * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ * written, with additional unused space filled leading by
+ * zero Bytes.
+ *
+ * Possible reasons for returning
+ * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ * <li>An alternative RSA implementation is in use, which
+ * stores the key externally, and either cannot or should
+ * not export it into RAM.</li>
+ * <li>A SW or HW implementation might not support a certain
+ * deduction. For example, \p P, \p Q from \p N, \p D,
+ * and \p E if the former are not part of the
+ * implementation.</li></ul>
+ * If the function fails due to an unsupported operation,
+ * the RSA context stays intact and remains usable.
+ *
+ * \note The length parameters are ignored if the corresponding
+ * buffer pointers are NULL.
+ *
+ * \param ctx The initialized RSA context.
+ * \param N The Byte array to store the RSA modulus,
+ * or \c NULL if this field need not be exported.
+ * \param N_len The size of the buffer for the modulus.
+ * \param P The Byte array to hold the first prime factor of \p N,
+ * or \c NULL if this field need not be exported.
+ * \param P_len The size of the buffer for the first prime factor.
+ * \param Q The Byte array to hold the second prime factor of \p N,
+ * or \c NULL if this field need not be exported.
+ * \param Q_len The size of the buffer for the second prime factor.
+ * \param D The Byte array to hold the private exponent,
+ * or \c NULL if this field need not be exported.
+ * \param D_len The size of the buffer for the private exponent.
+ * \param E The Byte array to hold the public exponent,
+ * or \c NULL if this field need not be exported.
+ * \param E_len The size of the buffer for the public exponent.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ * requested parameters cannot be done due to missing
+ * functionality or because of security policies.
+ * \return A non-zero return code on any other failure.
+ */
+int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
+ unsigned char *N, size_t N_len,
+ unsigned char *P, size_t P_len,
+ unsigned char *Q, size_t Q_len,
+ unsigned char *D, size_t D_len,
+ unsigned char *E, size_t E_len);
+
+/**
+ * \brief This function exports CRT parameters of a private RSA key.
+ *
+ * \note Alternative RSA implementations not using CRT-parameters
+ * internally can implement this function based on
+ * mbedtls_rsa_deduce_opt().
+ *
+ * \param ctx The initialized RSA context.
+ * \param DP The MPI to hold \c D modulo `P-1`,
+ * or \c NULL if it need not be exported.
+ * \param DQ The MPI to hold \c D modulo `Q-1`,
+ * or \c NULL if it need not be exported.
+ * \param QP The MPI to hold modular inverse of \c Q modulo \c P,
+ * or \c NULL if it need not be exported.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ *
+ */
+int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP);
+
+/**
+ * \brief This function retrieves the length of the RSA modulus in bits.
+ *
+ * \param ctx The initialized RSA context.
+ *
+ * \return The length of the RSA modulus in bits.
+ *
+ */
+size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function retrieves the length of RSA modulus in Bytes.
+ *
+ * \param ctx The initialized RSA context.
+ *
+ * \return The length of the RSA modulus in Bytes.
+ *
+ */
+size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function generates an RSA keypair.
+ *
+ * \note mbedtls_rsa_init() must be called before this function,
+ * to set up the RSA context.
+ *
+ * \param ctx The initialized RSA context used to hold the key.
+ * \param f_rng The RNG function to be used for key generation.
+ * This is mandatory and must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't need a context.
+ * \param nbits The size of the public key in bits.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ * This must be odd and greater than \c 1.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ unsigned int nbits, int exponent);
+
+/**
+ * \brief This function checks if a context contains at least an RSA
+ * public key.
+ *
+ * If the function runs successfully, it is guaranteed that
+ * enough information is present to perform an RSA public key
+ * operation using mbedtls_rsa_public().
+ *
+ * \param ctx The initialized RSA context to check.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function checks if a context contains an RSA private key
+ * and perform basic consistency checks.
+ *
+ * \note The consistency checks performed by this function not only
+ * ensure that mbedtls_rsa_private() can be called successfully
+ * on the given context, but that the various parameters are
+ * mutually consistent with high probability, in the sense that
+ * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
+ *
+ * \warning This function should catch accidental misconfigurations
+ * like swapping of parameters, but it cannot establish full
+ * trust in neither the quality nor the consistency of the key
+ * material that was used to setup the given RSA context:
+ * <ul><li>Consistency: Imported parameters that are irrelevant
+ * for the implementation might be silently dropped. If dropped,
+ * the current function does not have access to them,
+ * and therefore cannot check them. See mbedtls_rsa_complete().
+ * If you want to check the consistency of the entire
+ * content of a PKCS1-encoded RSA private key, for example, you
+ * should use mbedtls_rsa_validate_params() before setting
+ * up the RSA context.
+ * Additionally, if the implementation performs empirical checks,
+ * these checks substantiate but do not guarantee consistency.</li>
+ * <li>Quality: This function is not expected to perform
+ * extended quality assessments like checking that the prime
+ * factors are safe. Additionally, it is the responsibility of the
+ * user to ensure the trustworthiness of the source of his RSA
+ * parameters, which goes beyond what is effectively checkable
+ * by the library.</li></ul>
+ *
+ * \param ctx The initialized RSA context to check.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief This function checks a public-private RSA key pair.
+ *
+ * It checks each of the contexts, and makes sure they match.
+ *
+ * \param pub The initialized RSA context holding the public key.
+ * \param prv The initialized RSA context holding the private key.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
+ const mbedtls_rsa_context *prv);
+
+/**
+ * \brief This function performs an RSA public key operation.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param input The input buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \note This function does not handle message padding.
+ *
+ * \note Make sure to set \p input[0] = 0 or ensure that
+ * input is smaller than \c N.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function performs an RSA private key operation.
+ *
+ * \note Blinding is used if and only if a PRNG is provided.
+ *
+ * \note If blinding is used, both the base of exponentiation
+ * and the exponent are blinded, providing protection
+ * against some side-channel attacks.
+ *
+ * \warning It is deprecated and a security risk to not provide
+ * a PRNG here and thereby prevent the use of blinding.
+ * Future versions of the library may enforce the presence
+ * of a PRNG.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function, used for blinding. It is mandatory.
+ * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context.
+ * \param input The input buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function adds the message padding, then performs an RSA
+ * operation.
+ *
+ * It is the generic wrapper for performing a PKCS#1 encryption
+ * operation.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG to use. It is used for padding generation
+ * and it is mandatory.
+ * \param p_rng The RNG context to be passed to \p f_rng. May be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ * \param ilen The length of the plaintext in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. It may be \c NULL if
+ * `ilen == 0`.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function performs a PKCS#1 v1.5 encryption operation
+ * (RSAES-PKCS1-v1_5-ENCRYPT).
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function to use. It is mandatory and used for
+ * padding generation.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ * \param ilen The length of the plaintext in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. It may be \c NULL if
+ * `ilen == 0`.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 OAEP encryption
+ * operation (RSAES-OAEP-ENCRYPT).
+ *
+ * \note The output buffer must be as large as the size
+ * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function to use. This is needed for padding
+ * generation and is mandatory.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ * \param label The buffer holding the custom label to use.
+ * This must be a readable buffer of length \p label_len
+ * Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len The length of the label in Bytes.
+ * \param ilen The length of the plaintext buffer \p input in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. It may be \c NULL if
+ * `ilen == 0`.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output);
+
+/**
+ * \brief This function performs an RSA operation, then removes the
+ * message padding.
+ *
+ * It is the generic wrapper for performing a PKCS#1 decryption
+ * operation.
+ *
+ * \warning When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15,
+ * mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an
+ * inherently dangerous function (CWE-242).
+ *
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size \p ctx->len of \p ctx->N (for example,
+ * 128 Bytes if RSA-1024 is used) to be able to hold an
+ * arbitrary decrypted message. If it is not large enough to
+ * hold the decryption of the particular ciphertext provided,
+ * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. This is used for blinding and is
+ * mandatory; see mbedtls_rsa_private() for more.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context.
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len);
+
+/**
+ * \brief This function performs a PKCS#1 v1.5 decryption
+ * operation (RSAES-PKCS1-v1_5-DECRYPT).
+ *
+ * \warning This is an inherently dangerous function (CWE-242). Unless
+ * it is used in a side channel free and safe way (eg.
+ * implementing the TLS protocol as per 7.4.7.1 of RFC 5246),
+ * the calling code is vulnerable.
+ *
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size \p ctx->len of \p ctx->N, for example,
+ * 128 Bytes if RSA-1024 is used, to be able to hold an
+ * arbitrary decrypted message. If it is not large enough to
+ * hold the decryption of the particular ciphertext provided,
+ * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. This is used for blinding and is
+ * mandatory; see mbedtls_rsa_private() for more.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context.
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len);
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 OAEP decryption
+ * operation (RSAES-OAEP-DECRYPT).
+ *
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size \p ctx->len of \p ctx->N, for
+ * example, 128 Bytes if RSA-1024 is used, to be able to
+ * hold an arbitrary decrypted message. If it is not
+ * large enough to hold the decryption of the particular
+ * ciphertext provided, the function returns
+ * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. This is used for blinding and is
+ * mandatory.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context.
+ * \param label The buffer holding the custom label to use.
+ * This must be a readable buffer of length \p label_len
+ * Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len The length of the label in Bytes.
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len);
+
+/**
+ * \brief This function performs a private RSA operation to sign
+ * a message digest using PKCS#1.
+ *
+ * It is the generic wrapper for performing a PKCS#1
+ * signature.
+ *
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note For PKCS#1 v2.1 encoding, see comments on
+ * mbedtls_rsa_rsassa_pss_sign() for details on
+ * \p md_alg and \p hash_id.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function to use. This is mandatory and
+ * must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus. A buffer length of
+ * #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig);
+
+/**
+ * \brief This function performs a PKCS#1 v1.5 signature
+ * operation (RSASSA-PKCS1-v1_5-SIGN).
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. This is used for blinding and is
+ * mandatory; see mbedtls_rsa_private() for more.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus. A buffer length of
+ * #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig);
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * \brief This function performs a PKCS#1 v2.1 PSS signature
+ * operation (RSASSA-PSS-SIGN).
+ *
+ * \note The \c hash_id set in \p ctx by calling
+ * mbedtls_rsa_set_padding() selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>.
+ *
+ * \note This function enforces that the provided salt length complies
+ * with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1
+ * step 3. The constraint is that the hash length plus the salt
+ * length plus 2 bytes must be at most the key length. If this
+ * constraint is not met, this function returns
+ * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. It is mandatory and must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param saltlen The length of the salt that should be used.
+ * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
+ * the largest possible salt length up to the hash length,
+ * which is the largest permitted by some standards including
+ * FIPS 186-4 §5.5.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus. A buffer length of
+ * #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig);
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 PSS signature
+ * operation (RSASSA-PSS-SIGN).
+ *
+ * \note The \c hash_id set in \p ctx by calling
+ * mbedtls_rsa_set_padding() selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>.
+ *
+ * \note This function always uses the maximum possible salt size,
+ * up to the length of the payload hash. This choice of salt
+ * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ * v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ * minimum salt size which is the hash size minus 2 bytes. If
+ * this minimum size is too large given the key size (the salt
+ * size, plus the hash size, plus 2 bytes must be no more than
+ * the key size in bytes), this function returns
+ * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. It is mandatory and must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus. A buffer length of
+ * #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig);
+#endif /* MBEDTLS_PKCS1_V21 */
+
+/**
+ * \brief This function performs a public RSA operation and checks
+ * the message digest.
+ *
+ * This is the generic wrapper for performing a PKCS#1
+ * verification.
+ *
+ * \note For PKCS#1 v2.1 encoding, see comments on
+ * mbedtls_rsa_rsassa_pss_verify() about \c md_alg and
+ * \c hash_id.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 if the verify operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig);
+
+/**
+ * \brief This function performs a PKCS#1 v1.5 verification
+ * operation (RSASSA-PKCS1-v1_5-VERIFY).
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 if the verify operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig);
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 PSS verification
+ * operation (RSASSA-PSS-VERIFY).
+ *
+ * \note The \c hash_id set in \p ctx by calling
+ * mbedtls_rsa_set_padding() selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>. If the \c hash_id set in \p ctx by
+ * mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg
+ * parameter is used.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 if the verify operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig);
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 PSS verification
+ * operation (RSASSA-PSS-VERIFY).
+ *
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is
+ * ignored.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
+ * \param hash The buffer holding the message digest or raw data.
+ * This must be a readable buffer of at least \p hashlen Bytes.
+ * \param mgf1_hash_id The message digest algorithm used for the
+ * verification operation and the mask generation
+ * function (MGF1). For more details on the encoding
+ * operation and the mask generation function, consult
+ * <em>RFC-3447: Public-Key Cryptography Standards
+ * (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
+ * \return \c 0 if the verify operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ mbedtls_md_type_t mgf1_hash_id,
+ int expected_salt_len,
+ const unsigned char *sig);
+
+/**
+ * \brief This function copies the components of an RSA context.
+ *
+ * \param dst The destination context. This must be initialized.
+ * \param src The source context. This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
+ */
+int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src);
+
+/**
+ * \brief This function frees the components of an RSA key.
+ *
+ * \param ctx The RSA context to free. May be \c NULL, in which case
+ * this function is a no-op. If it is not \c NULL, it must
+ * point to an initialized RSA context.
+ */
+void mbedtls_rsa_free(mbedtls_rsa_context *ctx);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The RSA checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_rsa_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/sha1.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha1.h
new file mode 100644
index 0000000..592ffd1
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha1.h
@@ -0,0 +1,219 @@
+/**
+ * \file sha1.h
+ *
+ * \brief This file contains SHA-1 definitions and functions.
+ *
+ * The Secure Hash Algorithm 1 (SHA-1) cryptographic hash function is defined in
+ * <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. We recommend considering stronger message
+ * digests instead.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SHA1_H
+#define MBEDTLS_SHA1_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** SHA-1 input data was malformed. */
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA -0x0073
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The SHA-1 context structure.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_sha1_context {
+ uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
+ uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< The intermediate digest state. */
+ unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
+}
+mbedtls_sha1_context;
+
+#else /* MBEDTLS_SHA1_ALT */
+#include "sha1_alt.h"
+#endif /* MBEDTLS_SHA1_ALT */
+
+/**
+ * \brief This function initializes a SHA-1 context.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context to initialize.
+ * This must not be \c NULL.
+ *
+ */
+void mbedtls_sha1_init(mbedtls_sha1_context *ctx);
+
+/**
+ * \brief This function clears a SHA-1 context.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context to clear. This may be \c NULL,
+ * in which case this function does nothing. If it is
+ * not \c NULL, it must point to an initialized
+ * SHA-1 context.
+ *
+ */
+void mbedtls_sha1_free(mbedtls_sha1_context *ctx);
+
+/**
+ * \brief This function clones the state of a SHA-1 context.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param dst The SHA-1 context to clone to. This must be initialized.
+ * \param src The SHA-1 context to clone from. This must be initialized.
+ *
+ */
+void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
+ const mbedtls_sha1_context *src);
+
+/**
+ * \brief This function starts a SHA-1 checksum calculation.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context to initialize. This must be initialized.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ *
+ */
+int mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing SHA-1
+ * checksum calculation.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the input data.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief This function finishes the SHA-1 operation, and writes
+ * the result to the output buffer.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context to use. This must be initialized and
+ * have a hash operation started.
+ * \param output The SHA-1 checksum result. This must be a writable
+ * buffer of length \c 20 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
+ unsigned char output[20]);
+
+/**
+ * \brief SHA-1 process data block (internal use only).
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param ctx The SHA-1 context to use. This must be initialized.
+ * \param data The data block being processed. This must be a
+ * readable buffer of length \c 64 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ *
+ */
+int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
+ const unsigned char data[64]);
+
+/**
+ * \brief This function calculates the SHA-1 checksum of a buffer.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The SHA-1 result is calculated as
+ * output = SHA-1(input buffer).
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \param input The buffer holding the input data.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
+ * \param output The SHA-1 checksum result.
+ * This must be a writable buffer of length \c 20 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ *
+ */
+int mbedtls_sha1(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20]);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief The SHA-1 checkup routine.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ *
+ */
+int mbedtls_sha1_self_test(int verbose);
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha1.h */
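Review bot: The `\param ctx` text on mbedtls_sha1_starts() contradicts itself, since it reads "The SHA-1 context to initialize. This must be initialized." Initialization is the job of mbedtls_sha1_init(), so the line would read better as `\param ctx The SHA-1 context to use. This must be initialized.`, which matches the wording in sha256.h and sha512.h. The repeated `\warning` also never says which property is weak. Naming collision resistance there would tell readers that signature and certificate uses are the main concern.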
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/sha256.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha256.h
new file mode 100644
index 0000000..ca568e2
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha256.h
@@ -0,0 +1,200 @@
+/**
+ * \file sha256.h
+ *
+ * \brief This file contains SHA-224 and SHA-256 definitions and functions.
+ *
+ * The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SHA256_H
+#define MBEDTLS_SHA256_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** SHA-256 input data was malformed. */
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA -0x0074
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA256_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The SHA-256 context structure.
+ *
+ * The structure is used both for SHA-256 and for SHA-224
+ * checksum calculations. The choice between these two is
+ * made in the call to mbedtls_sha256_starts().
+ */
+typedef struct mbedtls_sha256_context {
+ unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
+ uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
+ uint32_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
+#if defined(MBEDTLS_SHA224_C)
+ int MBEDTLS_PRIVATE(is224); /*!< Determines which function to use:
+ 0: Use SHA-256, or 1: Use SHA-224. */
+#endif
+}
+mbedtls_sha256_context;
+
+#else /* MBEDTLS_SHA256_ALT */
+#include "sha256_alt.h"
+#endif /* MBEDTLS_SHA256_ALT */
+
+/**
+ * \brief This function initializes a SHA-256 context.
+ *
+ * \param ctx The SHA-256 context to initialize. This must not be \c NULL.
+ */
+void mbedtls_sha256_init(mbedtls_sha256_context *ctx);
+
+/**
+ * \brief This function clears a SHA-256 context.
+ *
+ * \param ctx The SHA-256 context to clear. This may be \c NULL, in which
+ * case this function returns immediately. If it is not \c NULL,
+ * it must point to an initialized SHA-256 context.
+ */
+void mbedtls_sha256_free(mbedtls_sha256_context *ctx);
+
+/**
+ * \brief This function clones the state of a SHA-256 context.
+ *
+ * \param dst The destination context. This must be initialized.
+ * \param src The context to clone. This must be initialized.
+ */
+void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
+ const mbedtls_sha256_context *src);
+
+/**
+ * \brief This function starts a SHA-224 or SHA-256 checksum
+ * calculation.
+ *
+ * \param ctx The context to use. This must be initialized.
+ * \param is224 This determines which function to use. This must be
+ * either \c 0 for SHA-256, or \c 1 for SHA-224.
+ *
+ * \note is224 must be defined accordingly to the enabled
+ * MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the
+ * function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing
+ * SHA-256 checksum calculation.
+ *
+ * \param ctx The SHA-256 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief This function finishes the SHA-256 operation, and writes
+ * the result to the output buffer.
+ *
+ * \param ctx The SHA-256 context. This must be initialized
+ * and have a hash operation started.
+ * \param output The SHA-224 or SHA-256 checksum result.
+ * This must be a writable buffer of length \c 32 bytes
+ * for SHA-256, \c 28 bytes for SHA-224.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
+ unsigned char *output);
+
+/**
+ * \brief This function processes a single data block within
+ * the ongoing SHA-256 computation. This function is for
+ * internal use only.
+ *
+ * \param ctx The SHA-256 context. This must be initialized.
+ * \param data The buffer holding one block of data. This must
+ * be a readable buffer of length \c 64 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
+ const unsigned char data[64]);
+
+/**
+ * \brief This function calculates the SHA-224 or SHA-256
+ * checksum of a buffer.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The SHA-256 result is calculated as
+ * output = SHA-256(input buffer).
+ *
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-224 or SHA-256 checksum result.
+ * This must be a writable buffer of length \c 32 bytes
+ * for SHA-256, \c 28 bytes for SHA-224.
+ * \param is224 Determines which function to use. This must be
+ * either \c 0 for SHA-256, or \c 1 for SHA-224.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha256(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is224);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_SHA224_C)
+/**
+ * \brief The SHA-224 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_sha224_self_test(int verbose);
+#endif /* MBEDTLS_SHA224_C */
+
+#if defined(MBEDTLS_SHA256_C)
+/**
+ * \brief The SHA-256 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_sha256_self_test(int verbose);
+#endif /* MBEDTLS_SHA256_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha256.h */
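Review bot: The `\note` on mbedtls_sha256_starts() documents the wrong error code, `#MBEDTLS_ERR_SHA512_BAD_INPUT_DATA`, while this header defines `MBEDTLS_ERR_SHA256_BAD_INPUT_DATA` (-0x0074). A caller who matches on the documented value would miss the failure. The line should presumably read `function will return #MBEDTLS_ERR_SHA256_BAD_INPUT_DATA.`, but the implementation is not part of this hunk, so confirm against sha256.c. The same note is also missing from mbedtls_sha256(), which takes the same `is224` argument.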
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/sha3.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha3.h
new file mode 100644
index 0000000..3eeee65
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha3.h
@@ -0,0 +1,172 @@
+/**
+ * \file sha3.h
+ *
+ * \brief This file contains SHA-3 definitions and functions.
+ *
+ * The Secure Hash Algorithms cryptographic
+ * hash functions are defined in <em>FIPS 202: SHA-3 Standard:
+ * Permutation-Based Hash and Extendable-Output Functions </em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_SHA3_H
+#define MBEDTLS_SHA3_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** SHA-3 input data was malformed. */
+#define MBEDTLS_ERR_SHA3_BAD_INPUT_DATA -0x0076
+
+/**
+ * SHA-3 family id.
+ *
+ * It identifies the family (SHA3-256, SHA3-512, etc.)
+ */
+
+typedef enum {
+ MBEDTLS_SHA3_NONE = 0, /*!< Operation not defined. */
+ MBEDTLS_SHA3_224, /*!< SHA3-224 */
+ MBEDTLS_SHA3_256, /*!< SHA3-256 */
+ MBEDTLS_SHA3_384, /*!< SHA3-384 */
+ MBEDTLS_SHA3_512, /*!< SHA3-512 */
+} mbedtls_sha3_id;
+
+/**
+ * \brief The SHA-3 context structure.
+ *
+ * The structure is used SHA-3 checksum calculations.
+ */
+typedef struct {
+ uint64_t MBEDTLS_PRIVATE(state[25]);
+ uint32_t MBEDTLS_PRIVATE(index);
+ uint16_t MBEDTLS_PRIVATE(olen);
+ uint16_t MBEDTLS_PRIVATE(max_block_size);
+}
+mbedtls_sha3_context;
+
+/**
+ * \brief This function initializes a SHA-3 context.
+ *
+ * \param ctx The SHA-3 context to initialize. This must not be \c NULL.
+ */
+void mbedtls_sha3_init(mbedtls_sha3_context *ctx);
+
+/**
+ * \brief This function clears a SHA-3 context.
+ *
+ * \param ctx The SHA-3 context to clear. This may be \c NULL, in which
+ * case this function returns immediately. If it is not \c NULL,
+ * it must point to an initialized SHA-3 context.
+ */
+void mbedtls_sha3_free(mbedtls_sha3_context *ctx);
+
+/**
+ * \brief This function clones the state of a SHA-3 context.
+ *
+ * \param dst The destination context. This must be initialized.
+ * \param src The context to clone. This must be initialized.
+ */
+void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
+ const mbedtls_sha3_context *src);
+
+/**
+ * \brief This function starts a SHA-3 checksum
+ * calculation.
+ *
+ * \param ctx The context to use. This must be initialized.
+ * \param id The id of the SHA-3 family.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing
+ * SHA-3 checksum calculation.
+ *
+ * \param ctx The SHA-3 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
+ const uint8_t *input,
+ size_t ilen);
+
+/**
+ * \brief This function finishes the SHA-3 operation, and writes
+ * the result to the output buffer.
+ *
+ * \param ctx The SHA-3 context. This must be initialized
+ * and have a hash operation started.
+ * \param output The SHA-3 checksum result.
+ * This must be a writable buffer of length \c olen bytes.
+ * \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
+ * SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
+ * respectively.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
+ uint8_t *output, size_t olen);
+
+/**
+ * \brief This function calculates the SHA-3
+ * checksum of a buffer.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The SHA-3 result is calculated as
+ * output = SHA-3(id, input buffer, d).
+ *
+ * \param id The id of the SHA-3 family.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-3 checksum result.
+ * This must be a writable buffer of length \c olen bytes.
+ * \param olen Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
+ * SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
+ * respectively.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
+ size_t ilen,
+ uint8_t *output,
+ size_t olen);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine for the algorithms implemented
+ * by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512.
+ *
+ * \return 0 if successful, or 1 if the test failed.
+ */
+int mbedtls_sha3_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha3.h */
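Review bot: The description of mbedtls_sha3() gives the result as `output = SHA-3(id, input buffer, d)`, but `d` is not a parameter and is defined nowhere in the header. It presumably stands for the digest length, in which case the line should use the real parameter name: `output = SHA-3(id, input buffer, olen)`. The members of mbedtls_sha3_context (`state`, `index`, `olen`, `max_block_size`) also carry no `/*!< ... */` comments, unlike the SHA-256 and SHA-512 context structures. The `olen` wording ("must equal to 28, 32, 48 and 64") does not say what is returned on a mismatch. Stating the error code there would let callers handle an undersized output buffer explicitly.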
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/sha512.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha512.h
new file mode 100644
index 0000000..1c20e4c
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/sha512.h
@@ -0,0 +1,208 @@
+/**
+ * \file sha512.h
+ * \brief This file contains SHA-384 and SHA-512 definitions and functions.
+ *
+ * The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SHA512_H
+#define MBEDTLS_SHA512_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+/** SHA-512 input data was malformed. */
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA -0x0075
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA512_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The SHA-512 context structure.
+ *
+ * The structure is used both for SHA-384 and for SHA-512
+ * checksum calculations. The choice between these two is
+ * made in the call to mbedtls_sha512_starts().
+ */
+typedef struct mbedtls_sha512_context {
+ uint64_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
+ uint64_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
+ unsigned char MBEDTLS_PRIVATE(buffer)[128]; /*!< The data block being processed. */
+#if defined(MBEDTLS_SHA384_C)
+ int MBEDTLS_PRIVATE(is384); /*!< Determines which function to use:
+ 0: Use SHA-512, or 1: Use SHA-384. */
+#endif
+}
+mbedtls_sha512_context;
+
+#else /* MBEDTLS_SHA512_ALT */
+#include "sha512_alt.h"
+#endif /* MBEDTLS_SHA512_ALT */
+
+/**
+ * \brief This function initializes a SHA-512 context.
+ *
+ * \param ctx The SHA-512 context to initialize. This must
+ * not be \c NULL.
+ */
+void mbedtls_sha512_init(mbedtls_sha512_context *ctx);
+
+/**
+ * \brief This function clears a SHA-512 context.
+ *
+ * \param ctx The SHA-512 context to clear. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must point to an initialized
+ * SHA-512 context.
+ */
+void mbedtls_sha512_free(mbedtls_sha512_context *ctx);
+
+/**
+ * \brief This function clones the state of a SHA-512 context.
+ *
+ * \param dst The destination context. This must be initialized.
+ * \param src The context to clone. This must be initialized.
+ */
+void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
+ const mbedtls_sha512_context *src);
+
+/**
+ * \brief This function starts a SHA-384 or SHA-512 checksum
+ * calculation.
+ *
+ * \param ctx The SHA-512 context to use. This must be initialized.
+ * \param is384 Determines which function to use. This must be
+ * either \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \note is384 must be defined accordingly to the enabled
+ * MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the
+ * function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384);
+
+/**
+ * \brief This function feeds an input buffer into an ongoing
+ * SHA-512 checksum calculation.
+ *
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
+ const unsigned char *input,
+ size_t ilen);
+
+/**
+ * \brief This function finishes the SHA-512 operation, and writes
+ * the result to the output buffer.
+ *
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
+ * \param output The SHA-384 or SHA-512 checksum result.
+ * This must be a writable buffer of length \c 64 bytes
+ * for SHA-512, \c 48 bytes for SHA-384.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
+ unsigned char *output);
+
+/**
+ * \brief This function processes a single data block within
+ * the ongoing SHA-512 computation.
+ * This function is for internal use only.
+ *
+ * \param ctx The SHA-512 context. This must be initialized.
+ * \param data The buffer holding one block of data. This
+ * must be a readable buffer of length \c 128 Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
+ const unsigned char data[128]);
+
+/**
+ * \brief This function calculates the SHA-512 or SHA-384
+ * checksum of a buffer.
+ *
+ * The function allocates the context, performs the
+ * calculation, and frees the context.
+ *
+ * The SHA-512 result is calculated as
+ * output = SHA-512(input buffer).
+ *
+ * \param input The buffer holding the input data. This must be
+ * a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-384 or SHA-512 checksum result.
+ * This must be a writable buffer of length \c 64 bytes
+ * for SHA-512, \c 48 bytes for SHA-384.
+ * \param is384 Determines which function to use. This must be either
+ * \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \note is384 must be defined accordingly with the supported
+ * symbols in the config file. If:
+ * - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or
+ * - is384 is 1, but \c MBEDTLS_SHA512_C is not defined
+ * then the function will return
+ * #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_sha512(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is384);
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_SHA384_C)
+/**
+ * \brief The SHA-384 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_sha384_self_test(int verbose);
+#endif /* MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_SHA512_C)
+/**
+ * \brief The SHA-512 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_sha512_self_test(int verbose);
+#endif /* MBEDTLS_SHA512_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha512.h */
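Review bot: The `\note` on mbedtls_sha512() has its two conditions inverted relative to the `\param is384` text just above it, which says `0` selects SHA-512 and `1` selects SHA-384. The bullets should read `- is384 is 0, but \c MBEDTLS_SHA512_C is not defined, or` and `- is384 is 1, but \c MBEDTLS_SHA384_C is not defined`. As written, an integrator trimming the configuration could conclude that the wrong module is required. The shorter note on mbedtls_sha512_starts() does not spell out the mapping, so it is unaffected.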
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/threading.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/threading.h
new file mode 100644
index 0000000..d50d04e
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/threading.h
@@ -0,0 +1,137 @@
+/**
+ * \file threading.h
+ *
+ * \brief Threading abstraction layer
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_THREADING_H
+#define MBEDTLS_THREADING_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Bad input parameters to function. */
+#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA -0x001C
+/** Locking / unlocking / free failed with error code. */
+#define MBEDTLS_ERR_THREADING_MUTEX_ERROR -0x001E
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include <pthread.h>
+typedef struct mbedtls_threading_mutex_t {
+ pthread_mutex_t MBEDTLS_PRIVATE(mutex);
+
+ /* WARNING - state should only be accessed when holding the mutex lock in
+ * tests/src/threading_helpers.c, otherwise corruption can occur.
+ * state will be 0 after a failed init or a free, and nonzero after a
+ * successful init. This field is for testing only and thus not considered
+ * part of the public API of Mbed TLS and may change without notice.*/
+ char MBEDTLS_PRIVATE(state);
+
+} mbedtls_threading_mutex_t;
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+/* You should define the mbedtls_threading_mutex_t type in your header */
+#include "threading_alt.h"
+
+/**
+ * \brief Set your alternate threading implementation function
+ * pointers and initialize global mutexes. If used, this
+ * function must be called once in the main thread before any
+ * other Mbed TLS function is called, and
+ * mbedtls_threading_free_alt() must be called once in the main
+ * thread after all other Mbed TLS functions.
+ *
+ * \note mutex_init() and mutex_free() don't return a status code.
+ * If mutex_init() fails, it should leave its argument (the
+ * mutex) in a state such that mutex_lock() will fail when
+ * called with this argument.
+ *
+ * \param mutex_init the init function implementation
+ * \param mutex_free the free function implementation
+ * \param mutex_lock the lock function implementation
+ * \param mutex_unlock the unlock function implementation
+ */
+void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
+ void (*mutex_free)(mbedtls_threading_mutex_t *),
+ int (*mutex_lock)(mbedtls_threading_mutex_t *),
+ int (*mutex_unlock)(mbedtls_threading_mutex_t *));
+
+/**
+ * \brief Free global mutexes.
+ */
+void mbedtls_threading_free_alt(void);
+#endif /* MBEDTLS_THREADING_ALT */
+
+#if defined(MBEDTLS_THREADING_C)
+/*
+ * The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
+ *
+ * All these functions are expected to work or the result will be undefined.
+ */
+extern void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *mutex);
+extern void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *mutex);
+
+/*
+ * Global mutexes
+ */
+#if defined(MBEDTLS_FS_IO)
+extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/*
+ * A mutex used to make the PSA subsystem thread safe.
+ *
+ * key_slot_mutex protects the registered_readers and
+ * state variable for all key slots in &global_data.key_slots.
+ *
+ * This mutex must be held when any read from or write to a state or
+ * registered_readers field is performed, i.e. when calling functions:
+ * psa_key_slot_state_transition(), psa_register_read(), psa_unregister_read(),
+ * psa_key_slot_has_readers() and psa_wipe_key_slot(). */
+extern mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex;
+
+/*
+ * A mutex used to make the non-rng PSA global_data struct members thread safe.
+ *
+ * This mutex must be held when reading or writing to any of the PSA global_data
+ * structure members, other than the rng_state or rng struct. */
+extern mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex;
+
+/*
+ * A mutex used to make the PSA global_data rng data thread safe.
+ *
+ * This mutex must be held when reading or writing to the PSA
+ * global_data rng_state or rng struct members. */
+extern mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* threading.h */
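Review bot: The comment above the four function-pointer declarations lists "mutex_init, mutex_free, mutex_ and mutex_unlock", where the third name has lost its suffix and should be `mutex_lock`. The sentence "All these functions are expected to work or the result will be undefined" also sits awkwardly with the `\note` on mbedtls_threading_set_alt(), which says a failed mutex_init() must leave the mutex so that mutex_lock() fails. It would be clearer to add `Callers must check the return value of mbedtls_mutex_lock() and mbedtls_mutex_unlock().`, because that return value is the only way an init failure becomes visible.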
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h
new file mode 100644
index 0000000..62ae102
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/timing.h
@@ -0,0 +1,94 @@
+/**
+ * \file timing.h
+ *
+ * \brief Portable interface to timeouts and to the CPU cycle counter
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_TIMING_H
+#define MBEDTLS_TIMING_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_TIMING_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief timer structure
+ */
+struct mbedtls_timing_hr_time {
+ uint64_t MBEDTLS_PRIVATE(opaque)[4];
+};
+
+/**
+ * \brief Context for mbedtls_timing_set/get_delay()
+ */
+typedef struct mbedtls_timing_delay_context {
+ struct mbedtls_timing_hr_time MBEDTLS_PRIVATE(timer);
+ uint32_t MBEDTLS_PRIVATE(int_ms);
+ uint32_t MBEDTLS_PRIVATE(fin_ms);
+} mbedtls_timing_delay_context;
+
+#else /* MBEDTLS_TIMING_ALT */
+#include "timing_alt.h"
+#endif /* MBEDTLS_TIMING_ALT */
+
+/* Internal use */
+unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset);
+
+/**
+ * \brief Set a pair of delays to watch
+ * (See \c mbedtls_timing_get_delay().)
+ *
+ * \param data Pointer to timing data.
+ * Must point to a valid \c mbedtls_timing_delay_context struct.
+ * \param int_ms First (intermediate) delay in milliseconds.
+ * The effect if int_ms > fin_ms is unspecified.
+ * \param fin_ms Second (final) delay in milliseconds.
+ * Pass 0 to cancel the current delay.
+ *
+ * \note To set a single delay, either use \c mbedtls_timing_set_timer
+ * directly or use this function with int_ms == fin_ms.
+ */
+void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms);
+
+/**
+ * \brief Get the status of delays
+ * (Memory helper: number of delays passed.)
+ *
+ * \param data Pointer to timing data
+ * Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return -1 if cancelled (fin_ms = 0),
+ * 0 if none of the delays are passed,
+ * 1 if only the intermediate delay is passed,
+ * 2 if the final delay is passed.
+ */
+int mbedtls_timing_get_delay(void *data);
+
+/**
+ * \brief Get the final timing delay
+ *
+ * \param data Pointer to timing data
+ * Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return Final timing delay in milliseconds.
+ */
+uint32_t mbedtls_timing_get_final_delay(
+ const mbedtls_timing_delay_context *data);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* timing.h */
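Review bot: The `\note` on mbedtls_timing_set_delay() points readers to `mbedtls_timing_set_timer`, but this header declares no function of that name. The only timer primitive here is mbedtls_timing_get_timer(), and it is marked "Internal use". The note should drop the dangling reference, for example `\note To set a single delay, use this function with int_ms == fin_ms.` The `\file` brief also still mentions "the CPU cycle counter" although no cycle-counter function is declared here. And mbedtls_timing_get_timer() has no description of its return unit or of the `reset` argument.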
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/version.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/version.h
new file mode 100644
index 0000000..637f9d3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/version.h
@@ -0,0 +1,78 @@
+/**
+ * \file version.h
+ *
+ * \brief Run-time version information
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * This set of run-time variables can be used to determine the version number of
+ * the Mbed TLS library used. Compile-time version defines for the same can be
+ * found in build_info.h
+ */
+#ifndef MBEDTLS_VERSION_H
+#define MBEDTLS_VERSION_H
+
+#include "mbedtls/build_info.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Get the version number.
+ *
+ * \return The constructed version number in the format
+ * MMNNPP00 (Major, Minor, Patch).
+ */
+unsigned int mbedtls_version_get_number(void);
+
+/**
+ * Get the version string ("x.y.z").
+ *
+ * \param string The string that will receive the value.
+ * (Should be at least 9 bytes in size)
+ */
+void mbedtls_version_get_string(char *string);
+
+/**
+ * Get the full version string ("Mbed TLS x.y.z").
+ *
+ * \param string The string that will receive the value. The Mbed TLS version
+ * string will use 18 bytes AT MOST including a terminating
+ * null byte.
+ * (So the buffer should be at least 18 bytes to receive this
+ * version string).
+ */
+void mbedtls_version_get_string_full(char *string);
+
+/**
+ * \brief Check if support for a feature was compiled into this
+ * Mbed TLS binary. This allows you to see at runtime if the
+ * library was for instance compiled with or without
+ * Multi-threading support.
+ *
+ * \note only checks against defines in the sections "System
+ * support", "Mbed TLS modules" and "Mbed TLS feature
+ * support" in mbedtls_config.h
+ *
+ * \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
+ *
+ * \return 0 if the feature is present,
+ * -1 if the feature is not present and
+ * -2 if support for feature checking as a whole was not
+ * compiled in.
+ */
+int mbedtls_version_check_feature(const char *feature);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_VERSION_C */
+
+#endif /* version.h */
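Review bot: `mbedtls_version_get_string()` and `mbedtls_version_get_string_full()` take a bare `char *` with no length argument, so the only bound on the write is the caller honouring the sizes given in the comments (9 and 18 bytes). The first comment says "Should be at least 9 bytes in size", which reads as advice rather than a precondition and, unlike the 18-byte comment, does not say whether the terminating null byte is counted. I would state both as requirements in the same wording, e.g. `\param string Buffer that receives the value. Must be at least 9 bytes; the function cannot check the size.`, and confirm the terminator is covered by the 9. The implementation is not part of this hunk, so how the string is copied cannot be checked from here. Separately, `mbedtls_version_check_feature()` returns 0 for "present", so a `\note` that the result is not a boolean would help callers who write `if (mbedtls_version_check_feature(...))`.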
diff --git a/tf-psa-crypto/drivers/builtin/src/.gitignore b/tf-psa-crypto/drivers/builtin/src/.gitignore
new file mode 100644
index 0000000..f3923b1
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/.gitignore
@@ -0,0 +1,4 @@
+###START_GENERATED_FILES###
+/error.c
+/version_features.c
+###END_GENERATED_FILES###
diff --git a/tests/data_files/hash_file_4 b/tf-psa-crypto/drivers/builtin/src/CMakeLists.txt
index e69de29..e69de29 100644
--- a/tests/data_files/hash_file_4
+++ b/tf-psa-crypto/drivers/builtin/src/CMakeLists.txt
diff --git a/tf-psa-crypto/drivers/builtin/src/aes.c b/tf-psa-crypto/drivers/builtin/src/aes.c
new file mode 100644
index 0000000..72e2c57
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aes.c
@@ -0,0 +1,2244 @@
+/*
+ * FIPS-197 compliant AES implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
+ *
+ * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
+ * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_AES_C)
+
+#include <string.h>
+
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
+ (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
+ (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
+#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
+#endif
+#endif
+
+#if defined(MBEDTLS_AESNI_C)
+#include "aesni.h"
+#endif
+#if defined(MBEDTLS_AESCE_C)
+#include "aesce.h"
+#endif
+
+#include "mbedtls/platform.h"
+#include "ctr.h"
+
+/*
+ * This is a convenience shorthand macro to check if we need reverse S-box and
+ * reverse tables. It's private and only defined in this file.
+ */
+#if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \
+ (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \
+ !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+#define MBEDTLS_AES_NEED_REVERSE_TABLES
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+/*
+ * Forward S-box
+ */
+MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
+{
+ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
+ 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+ 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+ 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+ 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
+ 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+ 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
+ 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+ 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+ 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+ 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
+ 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+ 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
+ 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+ 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+ 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+ 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
+ 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+ 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
+ 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+ 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+ 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+ 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
+ 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+ 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
+ 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+ 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+ 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+ 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
+ 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+ 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
+ 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+};
+
+/*
+ * Forward tables
+ */
+#define FT \
+\
+ V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
+ V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
+ V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
+ V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
+ V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
+ V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
+ V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
+ V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
+ V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
+ V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
+ V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
+ V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
+ V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
+ V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
+ V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
+ V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
+ V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
+ V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
+ V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
+ V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
+ V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
+ V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
+ V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
+ V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
+ V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
+ V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
+ V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
+ V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
+ V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
+ V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
+ V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
+ V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
+ V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
+ V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
+ V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
+ V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
+ V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
+ V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
+ V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
+ V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
+ V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
+ V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
+ V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
+ V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
+ V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
+ V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
+ V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
+ V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
+ V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
+ V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
+ V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
+ V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
+ V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
+ V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
+ V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
+ V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
+ V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
+ V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
+ V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
+ V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
+ V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
+ V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
+ V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
+ V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
+
+#define V(a, b, c, d) 0x##a##b##c##d
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##b##c##d##a
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##c##d##a##b
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##d##a##b##c
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
+#undef V
+
+#undef FT
+
+/*
+ * Reverse S-box
+ */
+MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
+{
+ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
+ 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
+ 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+ 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
+ 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
+ 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+ 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
+ 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
+ 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
+ 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
+ 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+ 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
+ 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
+ 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+ 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
+ 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
+ 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+ 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
+ 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
+ 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+ 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
+ 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
+ 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+ 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
+ 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
+ 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+ 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
+ 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
+ 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
+ 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
+};
+
+/*
+ * Reverse tables
+ */
+#define RT \
+\
+ V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
+ V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
+ V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
+ V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
+ V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
+ V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
+ V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
+ V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
+ V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
+ V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
+ V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
+ V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
+ V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
+ V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
+ V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
+ V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
+ V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
+ V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
+ V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
+ V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
+ V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
+ V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
+ V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
+ V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
+ V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
+ V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
+ V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
+ V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
+ V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
+ V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
+ V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
+ V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
+ V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
+ V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
+ V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
+ V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
+ V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
+ V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
+ V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
+ V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
+ V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
+ V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
+ V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
+ V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
+ V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
+ V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
+ V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
+ V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
+ V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
+ V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
+ V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
+ V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
+ V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
+ V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
+ V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
+ V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
+ V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
+ V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
+ V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
+ V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
+ V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
+ V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
+ V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
+ V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
+
+
+#define V(a, b, c, d) 0x##a##b##c##d
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##b##c##d##a
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##c##d##a##b
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##d##a##b##c
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
+#undef V
+
+#undef RT
+
+/*
+ * Round constants
+ */
+MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
+{
+ 0x00000001, 0x00000002, 0x00000004, 0x00000008,
+ 0x00000010, 0x00000020, 0x00000040, 0x00000080,
+ 0x0000001B, 0x00000036
+};
+
+#else /* MBEDTLS_AES_ROM_TABLES */
+
+/*
+ * Forward S-box & tables
+ */
+MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
+
+/*
+ * Reverse S-box & tables
+ */
+MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
+
+MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
+
+/*
+ * Round constants
+ */
+MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
+
+/*
+ * Tables generation code
+ */
+#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
+#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
+#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
+
+MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
+
+MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
+{
+ int i;
+ uint8_t x, y, z;
+ uint8_t pow[256];
+ uint8_t log[256];
+
+ /*
+ * compute pow and log tables over GF(2^8)
+ */
+ for (i = 0, x = 1; i < 256; i++) {
+ pow[i] = x;
+ log[x] = (uint8_t) i;
+ x ^= XTIME(x);
+ }
+
+ /*
+ * calculate the round constants
+ */
+ for (i = 0, x = 1; i < 10; i++) {
+ round_constants[i] = x;
+ x = XTIME(x);
+ }
+
+ /*
+ * generate the forward and reverse S-boxes
+ */
+ FSb[0x00] = 0x63;
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ RSb[0x63] = 0x00;
+#endif
+
+ for (i = 1; i < 256; i++) {
+ x = pow[255 - log[i]];
+
+ y = x; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y ^ 0x63;
+
+ FSb[i] = x;
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ RSb[x] = (unsigned char) i;
+#endif
+ }
+
+ /*
+ * generate the forward and reverse tables
+ */
+ for (i = 0; i < 256; i++) {
+ x = FSb[i];
+ y = XTIME(x);
+ z = y ^ x;
+
+ FT0[i] = ((uint32_t) y) ^
+ ((uint32_t) x << 8) ^
+ ((uint32_t) x << 16) ^
+ ((uint32_t) z << 24);
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+ FT1[i] = ROTL8(FT0[i]);
+ FT2[i] = ROTL8(FT1[i]);
+ FT3[i] = ROTL8(FT2[i]);
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ x = RSb[i];
+
+ RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
+ ((uint32_t) MUL(0x09, x) << 8) ^
+ ((uint32_t) MUL(0x0D, x) << 16) ^
+ ((uint32_t) MUL(0x0B, x) << 24);
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+ RT1[i] = ROTL8(RT0[i]);
+ RT2[i] = ROTL8(RT1[i]);
+ RT3[i] = ROTL8(RT2[i]);
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+#endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */
+ }
+}
+
+#undef ROTL8
+
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
+#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
+#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) ROTL8(RT0[idx])
+#define AES_RT2(idx) ROTL16(RT0[idx])
+#define AES_RT3(idx) ROTL24(RT0[idx])
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) ROTL8(FT0[idx])
+#define AES_FT2(idx) ROTL16(FT0[idx])
+#define AES_FT3(idx) ROTL24(FT0[idx])
+
+#else /* MBEDTLS_AES_FEWER_TABLES */
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) RT1[idx]
+#define AES_RT2(idx) RT2[idx]
+#define AES_RT3(idx) RT3[idx]
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) FT1[idx]
+#define AES_FT2(idx) FT2[idx]
+#define AES_FT3(idx) FT3[idx]
+
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
+void mbedtls_aes_init(mbedtls_aes_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_aes_context));
+}
+
+void mbedtls_aes_free(mbedtls_aes_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
+{
+ mbedtls_aes_init(&ctx->crypt);
+ mbedtls_aes_init(&ctx->tweak);
+}
+
+void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_aes_free(&ctx->crypt);
+ mbedtls_aes_free(&ctx->tweak);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/* Some implementations need the round keys to be aligned.
+ * Return an offset to be added to buf, such that (buf + offset) is
+ * correctly aligned.
+ * Note that the offset is in units of elements of buf, i.e. 32-bit words,
+ * i.e. an offset of 1 means 4 bytes and so on.
+ */
+#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
+#define MAY_NEED_TO_ALIGN
+#endif
+
+MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
+{
+#if defined(MAY_NEED_TO_ALIGN)
+ int align_16_bytes = 0;
+
+#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ align_16_bytes = 1;
+ }
+#endif
+
+ if (align_16_bytes) {
+ /* These implementations needs 16-byte alignment
+ * for the round key array. */
+ unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
+ if (delta == 0) {
+ return 0;
+ } else {
+ return 4 - delta; // 16 bytes = 4 uint32_t
+ }
+ }
+#else /* MAY_NEED_TO_ALIGN */
+ (void) buf;
+#endif /* MAY_NEED_TO_ALIGN */
+
+ return 0;
+}
+
+/*
+ * AES key schedule (encryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits)
+{
+ uint32_t *RK;
+
+ switch (keybits) {
+ case 128: ctx->nr = 10; break;
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 192: ctx->nr = 12; break;
+ case 256: ctx->nr = 14; break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+ if (aes_init_done == 0) {
+ aes_gen_tables();
+ aes_init_done = 1;
+ }
+#endif
+
+ ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
+ RK = ctx->buf + ctx->rk_offset;
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ for (unsigned int i = 0; i < (keybits >> 5); i++) {
+ RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
+ }
+
+ switch (ctx->nr) {
+ case 10:
+
+ for (unsigned int i = 0; i < 10; i++, RK += 4) {
+ RK[4] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
+
+ RK[5] = RK[1] ^ RK[4];
+ RK[6] = RK[2] ^ RK[5];
+ RK[7] = RK[3] ^ RK[6];
+ }
+ break;
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 12:
+
+ for (unsigned int i = 0; i < 8; i++, RK += 6) {
+ RK[6] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
+
+ RK[7] = RK[1] ^ RK[6];
+ RK[8] = RK[2] ^ RK[7];
+ RK[9] = RK[3] ^ RK[8];
+ RK[10] = RK[4] ^ RK[9];
+ RK[11] = RK[5] ^ RK[10];
+ }
+ break;
+
+ case 14:
+
+ for (unsigned int i = 0; i < 7; i++, RK += 8) {
+ RK[8] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
+
+ RK[9] = RK[1] ^ RK[8];
+ RK[10] = RK[2] ^ RK[9];
+ RK[11] = RK[3] ^ RK[10];
+
+ RK[12] = RK[4] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
+
+ RK[13] = RK[5] ^ RK[12];
+ RK[14] = RK[6] ^ RK[13];
+ RK[15] = RK[7] ^ RK[14];
+ }
+ break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ }
+
+ return 0;
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+}
+#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
+
+/*
+ * AES key schedule (decryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits)
+{
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ uint32_t *SK;
+#endif
+ int ret;
+ mbedtls_aes_context cty;
+ uint32_t *RK;
+
+
+ mbedtls_aes_init(&cty);
+
+ ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
+ RK = ctx->buf + ctx->rk_offset;
+
+ /* Also checks keybits */
+ if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
+ goto exit;
+ }
+
+ ctx->nr = cty.nr;
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ mbedtls_aesni_inverse_key((unsigned char *) RK,
+ (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
+ goto exit;
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_aesce_inverse_key(
+ (unsigned char *) RK,
+ (const unsigned char *) (cty.buf + cty.rk_offset),
+ ctx->nr);
+ goto exit;
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ SK = cty.buf + cty.rk_offset + cty.nr * 4;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ SK -= 8;
+ for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
+ for (int j = 0; j < 4; j++, SK++) {
+ *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
+ AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
+ AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
+ AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
+ }
+ }
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+exit:
+ mbedtls_aes_free(&cty);
+
+ return ret;
+}
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
+ unsigned int keybits,
+ const unsigned char **key1,
+ unsigned int *key1bits,
+ const unsigned char **key2,
+ unsigned int *key2bits)
+{
+ const unsigned int half_keybits = keybits / 2;
+ const unsigned int half_keybytes = half_keybits / 8;
+
+ switch (keybits) {
+ case 256: break;
+ case 512: break;
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ *key1bits = half_keybits;
+ *key2bits = half_keybits;
+ *key1 = &key[0];
+ *key2 = &key[half_keybytes];
+
+ return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
+ &key2, &key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set the tweak key. Always set tweak key for the encryption mode. */
+ ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set crypt key for encryption. */
+ return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
+}
+
+int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
+ &key2, &key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set the tweak key. Always set tweak key for encryption. */
+ ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set crypt key for decryption. */
+ return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
+ do \
+ { \
+ (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y3)); \
+ \
+ (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y0)); \
+ \
+ (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y1)); \
+ \
+ (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y2)); \
+ } while (0)
+
+#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
+ do \
+ { \
+ (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y1)); \
+ \
+ (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y2)); \
+ \
+ (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y3)); \
+ \
+ (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y0)); \
+ } while (0)
+
+/*
+ * AES-ECB block encryption
+ */
+#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
+int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int i;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
+ struct {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
+
+ t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
+ t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
+ t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
+ t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
+
+ for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
+ AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+ AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
+ }
+
+ AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+
+ t.X[0] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
+
+ t.X[1] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
+
+ t.X[2] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
+
+ t.X[3] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
+
+ MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
+
+ mbedtls_platform_zeroize(&t, sizeof(t));
+
+ return 0;
+}
+#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
+
+/*
+ * AES-ECB block decryption
+ */
+#if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int i;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
+ struct {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
+
+ t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
+ t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
+ t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
+ t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
+
+ for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
+ AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+ AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
+ }
+
+ AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+
+ t.X[0] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
+
+ t.X[1] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
+
+ t.X[2] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
+
+ t.X[3] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
+
+ MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
+
+ mbedtls_platform_zeroize(&t, sizeof(t));
+
+ return 0;
+}
+#endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/*
+ * Our intrinsics-based implementation of AESNI requires the round keys to be
+ * aligned on a 16-byte boundary. We take care of this before creating them,
+ * but the AES context may have moved (this can happen if the library is
+ * called from a language with managed memory), and in later calls it might
+ * have a different alignment with respect to 16-byte memory. So we may need
+ * to realign.
+ */
+#if defined(MAY_NEED_TO_ALIGN)
+MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
+{
+ unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
+ if (new_offset != ctx->rk_offset) {
+ memmove(ctx->buf + new_offset, // new address
+ ctx->buf + ctx->rk_offset, // current address
+ (ctx->nr + 1) * 16); // number of round keys * bytes per rk
+ ctx->rk_offset = new_offset;
+ }
+}
+#endif /* MAY_NEED_TO_ALIGN */
+/*
+ * AES-ECB block encryption/decryption
+ */
+int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+#if defined(MAY_NEED_TO_ALIGN)
+ aes_maybe_realign(ctx);
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ return mbedtls_internal_aes_decrypt(ctx, input, output);
+ } else
+#endif
+ {
+ return mbedtls_internal_aes_encrypt(ctx, input, output);
+ }
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+
+/*
+ * AES-CBC buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[16];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ /* Nothing to do if length is zero. */
+ if (length == 0) {
+ return 0;
+ }
+
+ if (length % 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+ const unsigned char *ivp = iv;
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, 16);
+ ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
+ * the result for the next block in CBC, and the cost of transferring that data from
+ * NEON registers, NEON is slower on aarch64. */
+ mbedtls_xor_no_simd(output, output, iv, 16);
+
+ memcpy(iv, temp, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor_no_simd(output, input, ivp, 16);
+
+ ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ ivp = output;
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ memcpy(iv, ivp, 16);
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianness and hence works correctly on both big and little
+ * endian machines.
+ */
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
+ const unsigned char x[16])
+{
+ uint64_t a, b, ra, rb;
+
+ a = MBEDTLS_GET_UINT64_LE(x, 0);
+ b = MBEDTLS_GET_UINT64_LE(x, 8);
+
+ ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
+ rb = (a >> 63) | (b << 1);
+
+ MBEDTLS_PUT_UINT64_LE(ra, r, 0);
+ MBEDTLS_PUT_UINT64_LE(rb, r, 8);
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ *
+ * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
+ * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
+ */
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t blocks = length / 16;
+ size_t leftover = length % 16;
+ unsigned char tweak[16];
+ unsigned char prev_tweak[16];
+ unsigned char tmp[16];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ /* Data units must be at least 16 bytes long. */
+ if (length < 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+ /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
+ if (length > (1 << 20) * 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+ /* Compute the tweak. */
+ ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
+ data_unit, tweak);
+ if (ret != 0) {
+ return ret;
+ }
+
+ while (blocks--) {
+ if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
+ /* We are on the last block in a decrypt operation that has
+ * leftover bytes, so we need to use the next tweak for this block,
+ * and this tweak for the leftover bytes. Save the current tweak for
+ * the leftovers and then update the current tweak for use on this,
+ * the last full block. */
+ memcpy(prev_tweak, tweak, sizeof(tweak));
+ mbedtls_gf128mul_x_ble(tweak, tweak);
+ }
+
+ mbedtls_xor(tmp, input, tweak, 16);
+
+ ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_xor(output, tmp, tweak, 16);
+
+ /* Update the tweak for the next block. */
+ mbedtls_gf128mul_x_ble(tweak, tweak);
+
+ output += 16;
+ input += 16;
+ }
+
+ if (leftover) {
+ /* If we are on the leftover bytes in a decrypt operation, we need to
+ * use the previous tweak for these bytes (as saved in prev_tweak). */
+ unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+ /* We are now on the final part of the data unit, which doesn't divide
+ * evenly by 16. It's time for ciphertext stealing. */
+ size_t i;
+ unsigned char *prev_output = output - 16;
+
+ /* Copy ciphertext bytes from the previous block to our output for each
+ * byte of ciphertext we won't steal. */
+ for (i = 0; i < leftover; i++) {
+ output[i] = prev_output[i];
+ }
+
+ /* Copy the remainder of the input for this final round. */
+ mbedtls_xor(tmp, input, t, leftover);
+
+ /* Copy ciphertext bytes from the previous block for input in this
+ * round. */
+ mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
+
+ ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Write the result back to the previous block, overriding the previous
+ * output we copied. */
+ mbedtls_xor(prev_output, tmp, t, 16);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+
+ if (n > 15) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ c = *input++;
+ *output++ = (unsigned char) (c ^ iv[n]);
+ iv[n] = (unsigned char) c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+ ret = 0;
+
+exit:
+ return ret;
+}
+
+/*
+ * AES-CFB8 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char c;
+ unsigned char ov[17];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+ while (length--) {
+ memcpy(ov, iv, 16);
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ov[16] = *input;
+ }
+
+ c = *output++ = (unsigned char) (iv[0] ^ *input++);
+
+ if (mode == MBEDTLS_AES_ENCRYPT) {
+ ov[16] = c;
+ }
+
+ memcpy(iv, ov + 1, 16);
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = 0;
+ size_t n;
+
+ n = *iv_off;
+
+ if (n > 15) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ *output++ = *input++ ^ iv[n];
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *iv_off = n;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ size_t offset = *nc_off;
+
+ if (offset > 0x0F) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ for (size_t i = 0; i < length;) {
+ size_t n = 16;
+ if (offset == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
+ if (ret != 0) {
+ goto exit;
+ }
+ mbedtls_ctr_increment_counter(nonce_counter);
+ } else {
+ n -= offset;
+ }
+
+ if (n > (length - i)) {
+ n = (length - i);
+ }
+ mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
+ // offset might be non-zero for the last block, but in that case, we don't use it again
+ offset = 0;
+ i += n;
+ }
+
+ // capture offset for future resumption
+ *nc_off = (*nc_off + length) % 16;
+
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#endif /* !MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * AES test vectors from:
+ *
+ * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static const unsigned char aes_test_ecb_dec[][16] =
+{
+ { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
+ 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
+ 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
+ { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
+ 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
+#endif
+};
+#endif
+
+static const unsigned char aes_test_ecb_enc[][16] =
+{
+ { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
+ 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
+ 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
+ { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
+ 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
+#endif
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char aes_test_cbc_dec[][16] =
+{
+ { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
+ 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
+ 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
+ { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
+ 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
+#endif
+};
+
+static const unsigned char aes_test_cbc_enc[][16] =
+{
+ { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
+ 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
+ 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
+ { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
+ 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 test vectors from:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
+ */
+static const unsigned char aes_test_cfb128_key[][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+#endif
+};
+
+static const unsigned char aes_test_cfb128_iv[16] =
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_cfb128_pt[64] =
+{
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+ 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+ 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_cfb128_ct[][64] =
+{
+ { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+ 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+ 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
+ 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
+ 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
+ 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
+ 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
+ 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+ 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+ 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
+ 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
+ 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
+ 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
+ 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
+ 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
+ { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+ 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+ 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
+ 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
+ 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
+ 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
+ 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
+ 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+#endif
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+ 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+ 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[][64] =
+{
+ { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+ 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+ 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+ 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+ 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+ 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+ 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+ 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+ 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+ 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+ 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+ 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+ 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+ 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+ 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+ { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+ 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+ 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+ 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+ 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+ 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+ 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+ 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc3686.html
+ */
+
+static const unsigned char aes_test_ctr_key[][16] =
+{
+ { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+ 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+ { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+ 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+ { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+ 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char aes_test_ctr_nonce_counter[][16] =
+{
+ { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+ 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+ 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char aes_test_ctr_pt[][48] =
+{
+ { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+ 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+ 0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char aes_test_ctr_ct[][48] =
+{
+ { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
+ 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
+ { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
+ 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
+ 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
+ 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
+ { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
+ 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
+ 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
+ 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
+ 0x25, 0xB2, 0x07, 0x2F }
+};
+
+static const int aes_test_ctr_len[3] =
+{ 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+ { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+ 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+ { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+ 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+ 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+ 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+ { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+ 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+ 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+ 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+ { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+ 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+ 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+ 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aes_self_test(int verbose)
+{
+ int ret = 0, i, j, u, mode;
+ unsigned int keybits;
+ unsigned char key[32];
+ unsigned char buf[64];
+ const unsigned char *aes_tests;
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
+ unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char prv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
+ size_t offset;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
+ int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ unsigned char nonce_counter[16];
+ unsigned char stream_block[16];
+#endif
+ mbedtls_aes_context ctx;
+
+ memset(key, 0, 32);
+ mbedtls_aes_init(&ctx);
+
+ if (verbose != 0) {
+#if defined(MBEDTLS_AES_ALT)
+ mbedtls_printf(" AES note: alternative implementation.\n");
+#else /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+#if MBEDTLS_AESNI_HAVE_CODE == 1
+ mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
+#elif MBEDTLS_AESNI_HAVE_CODE == 2
+ mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
+#else
+#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
+#endif
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ mbedtls_printf(" AES note: using AESNI.\n");
+ } else
+#endif
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_printf(" AES note: using AESCE.\n");
+ } else
+#endif
+ {
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ mbedtls_printf(" AES note: built-in implementation.\n");
+#endif
+ }
+#endif /* MBEDTLS_AES_ALT */
+ }
+
+ /*
+ * ECB mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+#endif
+
+ memset(buf, 0, 16);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
+ aes_tests = aes_test_ecb_dec[u];
+ } else
+#endif
+ {
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ aes_tests = aes_test_ecb_enc[u];
+ }
+
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 10000; j++) {
+ ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if (memcmp(buf, aes_tests, 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memset(iv, 0, 16);
+ memset(prv, 0, 16);
+ memset(buf, 0, 16);
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
+ aes_tests = aes_test_cbc_dec[u];
+ } else {
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ aes_tests = aes_test_cbc_enc[u];
+ }
+
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 10000; j++) {
+ if (mode == MBEDTLS_AES_ENCRYPT) {
+ unsigned char tmp[16];
+
+ memcpy(tmp, prv, 16);
+ memcpy(prv, buf, 16);
+ memcpy(buf, tmp, 16);
+ }
+
+ ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ }
+
+ if (memcmp(buf, aes_tests, 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ /*
+ * CFB128 mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, aes_test_cfb128_iv, 16);
+ memcpy(key, aes_test_cfb128_key[u], keybits / 8);
+
+ offset = 0;
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_cfb128_ct[u], 64);
+ aes_tests = aes_test_cfb128_pt;
+ } else {
+ memcpy(buf, aes_test_cfb128_pt, 64);
+ aes_tests = aes_test_cfb128_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, 64) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /*
+ * OFB mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, aes_test_ofb_iv, 16);
+ memcpy(key, aes_test_ofb_key[u], keybits / 8);
+
+ offset = 0;
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_ofb_ct[u], 64);
+ aes_tests = aes_test_ofb_pt;
+ } else {
+ memcpy(buf, aes_test_ofb_pt, 64);
+ aes_tests = aes_test_ofb_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, 64) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /*
+ * CTR mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CTR-128 (%s): ",
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
+ memcpy(key, aes_test_ctr_key[u], 16);
+
+ offset = 0;
+ if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
+ goto exit;
+ }
+
+ len = aes_test_ctr_len[u];
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_ctr_ct[u], len);
+ aes_tests = aes_test_ctr_pt[u];
+ } else {
+ memcpy(buf, aes_test_ctr_pt[u], len);
+ aes_tests = aes_test_ctr_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
+ stream_block, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, len) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ /*
+ * XTS mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+ mbedtls_aes_xts_context ctx_xts;
+
+ mbedtls_aes_xts_init(&ctx_xts);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ const unsigned char *data_unit;
+ u = i >> 1;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-XTS-128 (%s): ",
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memset(key, 0, sizeof(key));
+ memcpy(key, aes_test_xts_key[u], 32);
+ data_unit = aes_test_xts_data_unit[u];
+
+ len = sizeof(*aes_test_xts_ct32);
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(buf, aes_test_xts_ct32[u], len);
+ aes_tests = aes_test_xts_pt32[u];
+ } else {
+ ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(buf, aes_test_xts_pt32[u], len);
+ aes_tests = aes_test_xts_ct32[u];
+ }
+
+
+ ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
+ buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, len) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ mbedtls_aes_xts_free(&ctx_xts);
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+ ret = 0;
+
+exit:
+ if (ret != 0 && verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ mbedtls_aes_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AES_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/aesce.c b/tf-psa-crypto/drivers/builtin/src/aesce.c
new file mode 100644
index 0000000..6a9e0a1
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aesce.c
@@ -0,0 +1,618 @@
+/*
+ * Armv8-A Cryptographic Extension support functions for Aarch64
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#if defined(__clang__) && (__clang_major__ >= 4)
+
+/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
+ * but that is defined by build_info.h, and we need this block to happen first. */
+#if defined(__ARM_ARCH)
+#if __ARM_ARCH >= 8
+#define MBEDTLS_AESCE_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(MBEDTLS_AESCE_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_CRYPTO 1
+/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
+ *
+ * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
+ * for older compilers.
+ */
+#define __ARM_FEATURE_AES 1
+#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#endif /* defined(__clang__) && (__clang_major__ >= 4) */
+
+#include <string.h>
+#include "common.h"
+
+#if defined(MBEDTLS_AESCE_C)
+
+#include "aesce.h"
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+
+/* Compiler version checks. */
+#if defined(__clang__)
+# if defined(MBEDTLS_ARCH_IS_ARM32) && (__clang_major__ < 11)
+# error "Minimum version of Clang for MBEDTLS_AESCE_C on 32-bit Arm or Thumb is 11.0."
+# elif defined(MBEDTLS_ARCH_IS_ARM64) && (__clang_major__ < 4)
+# error "Minimum version of Clang for MBEDTLS_AESCE_C on aarch64 is 4.0."
+# endif
+#elif defined(__GNUC__)
+# if __GNUC__ < 6
+# error "Minimum version of GCC for MBEDTLS_AESCE_C is 6.0."
+# endif
+#elif defined(_MSC_VER)
+/* TODO: We haven't verified MSVC from 1920 to 1928. If someone verified that,
+ * please update this and document of `MBEDTLS_AESCE_C` in
+ * `mbedtls_config.h`. */
+# if _MSC_VER < 1929
+# error "Minimum version of MSVC for MBEDTLS_AESCE_C is 2019 version 16.11.2."
+# endif
+#elif defined(__ARMCC_VERSION)
+# if defined(MBEDTLS_ARCH_IS_ARM32) && (__ARMCC_VERSION < 6200002)
+/* TODO: We haven't verified armclang for 32-bit Arm/Thumb prior to 6.20.
+ * If someone verified that, please update this and document of
+ * `MBEDTLS_AESCE_C` in `mbedtls_config.h`. */
+# error "Minimum version of armclang for MBEDTLS_AESCE_C on 32-bit Arm is 6.20."
+# elif defined(MBEDTLS_ARCH_IS_ARM64) && (__ARMCC_VERSION < 6060000)
+# error "Minimum version of armclang for MBEDTLS_AESCE_C on aarch64 is 6.6."
+# endif
+#endif
+
+#if !(defined(__ARM_FEATURE_CRYPTO) || defined(__ARM_FEATURE_AES)) || \
+ defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION <= 6090000
+# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_AESCE_C"
+# else
+# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__clang__)
+# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__GNUC__)
+# pragma GCC push_options
+# pragma GCC target ("+crypto")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(_MSC_VER)
+# error "Required feature(__ARM_FEATURE_AES) is not enabled."
+# endif
+#endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) ||
+ MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
+
+#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+
+#include <sys/auxv.h>
+#if !defined(HWCAP_NEON)
+#define HWCAP_NEON (1 << 12)
+#endif
+#if !defined(HWCAP2_AES)
+#define HWCAP2_AES (1 << 0)
+#endif
+#if !defined(HWCAP_AES)
+#define HWCAP_AES (1 << 3)
+#endif
+#if !defined(HWCAP_ASIMD)
+#define HWCAP_ASIMD (1 << 1)
+#endif
+
+signed char mbedtls_aesce_has_support_result = -1;
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+/*
+ * AES instruction support detection routine
+ */
+int mbedtls_aesce_has_support_impl(void)
+{
+ /* To avoid many calls to getauxval, cache the result. This is
+ * thread-safe, because we store the result in a char so cannot
+ * be vulnerable to non-atomic updates.
+ * It is possible that we could end up setting result more than
+ * once, but that is harmless.
+ */
+ if (mbedtls_aesce_has_support_result == -1) {
+#if defined(MBEDTLS_ARCH_IS_ARM32)
+ unsigned long auxval = getauxval(AT_HWCAP);
+ unsigned long auxval2 = getauxval(AT_HWCAP2);
+ if (((auxval & HWCAP_NEON) == HWCAP_NEON) &&
+ ((auxval2 & HWCAP2_AES) == HWCAP2_AES)) {
+ mbedtls_aesce_has_support_result = 1;
+ } else {
+ mbedtls_aesce_has_support_result = 0;
+ }
+#else
+ unsigned long auxval = getauxval(AT_HWCAP);
+ if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
+ (HWCAP_ASIMD | HWCAP_AES)) {
+ mbedtls_aesce_has_support_result = 1;
+ } else {
+ mbedtls_aesce_has_support_result = 0;
+ }
+#endif
+ }
+ return mbedtls_aesce_has_support_result;
+}
+#endif
+
+#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/* Single round of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND \
+ block = vaeseq_u8(block, vld1q_u8(keys)); \
+ block = vaesmcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND_X2 AESCE_ENCRYPT_ROUND; AESCE_ENCRYPT_ROUND
+
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+static uint8x16_t aesce_encrypt_block(uint8x16_t block,
+ unsigned char *keys,
+ int rounds)
+{
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
+ }
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_12:
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_10:
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND;
+
+ /* AES AddRoundKey for the previous round.
+ * SubBytes, ShiftRows for the final round. */
+ block = vaeseq_u8(block, vld1q_u8(keys));
+ keys += 16;
+
+ /* Final round: no MixColumns */
+
+ /* Final AddRoundKey */
+ block = veorq_u8(block, vld1q_u8(keys));
+
+ return block;
+}
+
+/* Single round of AESCE decryption
+ *
+ * AES AddRoundKey, SubBytes, ShiftRows
+ *
+ * block = vaesdq_u8(block, vld1q_u8(keys));
+ *
+ * AES inverse MixColumns for the next round.
+ *
+ * This means that we switch the order of the inverse AddRoundKey and
+ * inverse MixColumns operations. We have to do this as AddRoundKey is
+ * done in an atomic instruction together with the inverses of SubBytes
+ * and ShiftRows.
+ *
+ * It works because MixColumns is a linear operation over GF(2^8) and
+ * AddRoundKey is an exclusive or, which is equivalent to addition over
+ * GF(2^8). (The inverse of MixColumns needs to be applied to the
+ * affected round keys separately which has been done when the
+ * decryption round keys were calculated.)
+ *
+ * block = vaesimcq_u8(block);
+ */
+#define AESCE_DECRYPT_ROUND \
+ block = vaesdq_u8(block, vld1q_u8(keys)); \
+ block = vaesimcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE decryption */
+#define AESCE_DECRYPT_ROUND_X2 AESCE_DECRYPT_ROUND; AESCE_DECRYPT_ROUND
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static uint8x16_t aesce_decrypt_block(uint8x16_t block,
+ unsigned char *keys,
+ int rounds)
+{
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
+ }
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_DECRYPT_ROUND_X2;
+rounds_12:
+ AESCE_DECRYPT_ROUND_X2;
+rounds_10:
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND;
+
+ /* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
+ * last full round. */
+ block = vaesdq_u8(block, vld1q_u8(keys));
+ keys += 16;
+
+ /* Inverse AddRoundKey for inverting the initial round key addition. */
+ block = veorq_u8(block, vld1q_u8(keys));
+
+ return block;
+}
+#endif
+
+/*
+ * AES-ECB block en(de)cryption
+ */
+int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ uint8x16_t block = vld1q_u8(&input[0]);
+ unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ block = aesce_decrypt_block(block, keys, ctx->nr);
+ } else
+#else
+ (void) mode;
+#endif
+ {
+ block = aesce_encrypt_block(block, keys, ctx->nr);
+ }
+ vst1q_u8(&output[0], block);
+
+ return 0;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesce_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr)
+{
+ int i, j;
+ j = nr;
+ vst1q_u8(invkey, vld1q_u8(fwdkey + j * 16));
+ for (i = 1, j--; j > 0; i++, j--) {
+ vst1q_u8(invkey + i * 16,
+ vaesimcq_u8(vld1q_u8(fwdkey + j * 16)));
+ }
+ vst1q_u8(invkey + i * 16, vld1q_u8(fwdkey + j * 16));
+
+}
+#endif
+
+static inline uint32_t aes_rot_word(uint32_t word)
+{
+ return (word << (32 - 8)) | (word >> 8);
+}
+
+static inline uint32_t aes_sub_word(uint32_t in)
+{
+ uint8x16_t v = vreinterpretq_u8_u32(vdupq_n_u32(in));
+ uint8x16_t zero = vdupq_n_u8(0);
+
+ /* vaeseq_u8 does both SubBytes and ShiftRows. Taking the first row yields
+ * the correct result as ShiftRows doesn't change the first row. */
+ v = vaeseq_u8(zero, v);
+ return vgetq_lane_u32(vreinterpretq_u32_u8(v), 0);
+}
+
+/*
+ * Key expansion function
+ */
+static void aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ const size_t key_bit_length)
+{
+ static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10,
+ 0x20, 0x40, 0x80, 0x1b, 0x36 };
+ /* See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
+ * - Section 5, Nr = Nk + 6
+ * - Section 5.2, the length of round keys is Nb*(Nr+1)
+ */
+ const size_t key_len_in_words = key_bit_length / 32; /* Nk */
+ const size_t round_key_len_in_words = 4; /* Nb */
+ const size_t rounds_needed = key_len_in_words + 6; /* Nr */
+ const size_t round_keys_len_in_words =
+ round_key_len_in_words * (rounds_needed + 1); /* Nb*(Nr+1) */
+ const uint32_t *rko_end = (uint32_t *) rk + round_keys_len_in_words;
+
+ memcpy(rk, key, key_len_in_words * 4);
+
+ for (uint32_t *rki = (uint32_t *) rk;
+ rki + key_len_in_words < rko_end;
+ rki += key_len_in_words) {
+
+ size_t iteration = (size_t) (rki - (uint32_t *) rk) / key_len_in_words;
+ uint32_t *rko;
+ rko = rki + key_len_in_words;
+ rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1]));
+ rko[0] ^= rcon[iteration] ^ rki[0];
+ rko[1] = rko[0] ^ rki[1];
+ rko[2] = rko[1] ^ rki[2];
+ rko[3] = rko[2] ^ rki[3];
+ if (rko + key_len_in_words > rko_end) {
+ /* Do not write overflow words.*/
+ continue;
+ }
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ switch (key_bit_length) {
+ case 128:
+ break;
+ case 192:
+ rko[4] = rko[3] ^ rki[4];
+ rko[5] = rko[4] ^ rki[5];
+ break;
+ case 256:
+ rko[4] = aes_sub_word(rko[3]) ^ rki[4];
+ rko[5] = rko[4] ^ rki[5];
+ rko[6] = rko[5] ^ rki[6];
+ rko[7] = rko[6] ^ rki[7];
+ break;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ }
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits)
+{
+ switch (bits) {
+ case 128:
+ case 192:
+ case 256:
+ aesce_setkey_enc(rk, key, bits);
+ break;
+ default:
+ return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_C)
+
+#if defined(MBEDTLS_ARCH_IS_ARM32)
+
+#if defined(__clang__)
+/* On clang for A32/T32, work around some missing intrinsics and types which are listed in
+ * [ACLE](https://arm-software.github.io/acle/neon_intrinsics/advsimd.html#polynomial-1)
+ * These are only required for GCM.
+ */
+#define vreinterpretq_u64_p64(a) ((uint64x2_t) a)
+
+typedef uint8x16_t poly128_t;
+
+static inline poly128_t vmull_p64(poly64_t a, poly64_t b)
+{
+ poly128_t r;
+ asm ("vmull.p64 %[r], %[a], %[b]" : [r] "=w" (r) : [a] "w" (a), [b] "w" (b) :);
+ return r;
+}
+
+/* This is set to cause some more missing intrinsics to be defined below */
+#define COMMON_MISSING_INTRINSICS
+
+static inline poly128_t vmull_high_p64(poly64x2_t a, poly64x2_t b)
+{
+ return vmull_p64((poly64_t) (vget_high_u64((uint64x2_t) a)),
+ (poly64_t) (vget_high_u64((uint64x2_t) b)));
+}
+
+#endif /* defined(__clang__) */
+
+static inline uint8x16_t vrbitq_u8(uint8x16_t x)
+{
+ /* There is no vrbitq_u8 instruction in A32/T32, so provide
+ * an equivalent non-Neon implementation. Reverse bit order in each
+ * byte with 4x rbit, rev. */
+ asm ("ldm %[p], { r2-r5 } \n\t"
+ "rbit r2, r2 \n\t"
+ "rev r2, r2 \n\t"
+ "rbit r3, r3 \n\t"
+ "rev r3, r3 \n\t"
+ "rbit r4, r4 \n\t"
+ "rev r4, r4 \n\t"
+ "rbit r5, r5 \n\t"
+ "rev r5, r5 \n\t"
+ "stm %[p], { r2-r5 } \n\t"
+ :
+ /* Output: 16 bytes of memory pointed to by &x */
+ "+m" (*(uint8_t(*)[16]) &x)
+ :
+ [p] "r" (&x)
+ :
+ "r2", "r3", "r4", "r5"
+ );
+ return x;
+}
+
+#endif /* defined(MBEDTLS_ARCH_IS_ARM32) */
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && __GNUC__ == 5
+/* Some intrinsics are not available for GCC 5.X. */
+#define COMMON_MISSING_INTRINSICS
+#endif /* MBEDTLS_COMPILER_IS_GCC && __GNUC__ == 5 */
+
+
+#if defined(COMMON_MISSING_INTRINSICS)
+
+/* Missing intrinsics common to both GCC 5, and Clang on 32-bit */
+
+#define vreinterpretq_p64_u8(a) ((poly64x2_t) a)
+#define vreinterpretq_u8_p128(a) ((uint8x16_t) a)
+
+static inline poly64x1_t vget_low_p64(poly64x2_t a)
+{
+ uint64x1_t r = vget_low_u64(vreinterpretq_u64_p64(a));
+ return (poly64x1_t) r;
+
+}
+
+#endif /* COMMON_MISSING_INTRINSICS */
+
+/* vmull_p64/vmull_high_p64 wrappers.
+ *
+ * Older compilers miss some intrinsic functions for `poly*_t`. We use
+ * uint8x16_t and uint8x16x3_t as input/output parameters.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+/* GCC reports incompatible type error without cast. GCC think poly64_t and
+ * poly64x1_t are different, that is different with MSVC and Clang. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64((poly64_t) a, (poly64_t) b)
+#else
+/* MSVC reports `error C2440: 'type cast'` with cast. Clang does not report
+ * error with/without cast. And I think poly64_t and poly64x1_t are same, no
+ * cast for clang also. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64(a, b)
+#endif /* MBEDTLS_COMPILER_IS_GCC */
+
+static inline uint8x16_t pmull_low(uint8x16_t a, uint8x16_t b)
+{
+
+ return vreinterpretq_u8_p128(
+ MBEDTLS_VMULL_P64(
+ (poly64_t) vget_low_p64(vreinterpretq_p64_u8(a)),
+ (poly64_t) vget_low_p64(vreinterpretq_p64_u8(b))
+ ));
+}
+
+static inline uint8x16_t pmull_high(uint8x16_t a, uint8x16_t b)
+{
+ return vreinterpretq_u8_p128(
+ vmull_high_p64(vreinterpretq_p64_u8(a),
+ vreinterpretq_p64_u8(b)));
+}
+
+/* GHASH does 128b polynomial multiplication on block in GF(2^128) defined by
+ * `x^128 + x^7 + x^2 + x + 1`.
+ *
+ * Arm64 only has 64b->128b polynomial multipliers, we need to do 4 64b
+ * multiplies to generate a 128b.
+ *
+ * `poly_mult_128` executes polynomial multiplication and outputs 256b that
+ * represented by 3 128b due to code size optimization.
+ *
+ * Output layout:
+ * | | | |
+ * |------------|-------------|-------------|
+ * | ret.val[0] | h3:h2:00:00 | high 128b |
+ * | ret.val[1] | :m2:m1:00 | middle 128b |
+ * | ret.val[2] | : :l1:l0 | low 128b |
+ */
+static inline uint8x16x3_t poly_mult_128(uint8x16_t a, uint8x16_t b)
+{
+ uint8x16x3_t ret;
+ uint8x16_t h, m, l; /* retval high/middle/low */
+ uint8x16_t c, d, e;
+
+ h = pmull_high(a, b); /* h3:h2:00:00 = a1*b1 */
+ l = pmull_low(a, b); /* : :l1:l0 = a0*b0 */
+ c = vextq_u8(b, b, 8); /* :c1:c0 = b0:b1 */
+ d = pmull_high(a, c); /* :d2:d1:00 = a1*b0 */
+ e = pmull_low(a, c); /* :e2:e1:00 = a0*b1 */
+ m = veorq_u8(d, e); /* :m2:m1:00 = d + e */
+
+ ret.val[0] = h;
+ ret.val[1] = m;
+ ret.val[2] = l;
+ return ret;
+}
+
+/*
+ * Modulo reduction.
+ *
+ * See: https://www.researchgate.net/publication/285612706_Implementing_GCM_on_ARMv8
+ *
+ * Section 4.3
+ *
+ * Modular reduction is slightly more complex. Write the GCM modulus as f(z) =
+ * z^128 +r(z), where r(z) = z^7+z^2+z+ 1. The well known approach is to
+ * consider that z^128 ≡r(z) (mod z^128 +r(z)), allowing us to write the 256-bit
+ * operand to be reduced as a(z) = h(z)z^128 +l(z)≡h(z)r(z) + l(z). That is, we
+ * simply multiply the higher part of the operand by r(z) and add it to l(z). If
+ * the result is still larger than 128 bits, we reduce again.
+ */
+static inline uint8x16_t poly_mult_reduce(uint8x16x3_t input)
+{
+ uint8x16_t const ZERO = vdupq_n_u8(0);
+
+ uint64x2_t r = vreinterpretq_u64_u8(vdupq_n_u8(0x87));
+#if defined(__GNUC__)
+ /* use 'asm' as an optimisation barrier to prevent loading MODULO from
+ * memory. It is for GNUC compatible compilers.
+ */
+ asm volatile ("" : "+w" (r));
+#endif
+ uint8x16_t const MODULO = vreinterpretq_u8_u64(vshrq_n_u64(r, 64 - 8));
+ uint8x16_t h, m, l; /* input high/middle/low 128b */
+ uint8x16_t c, d, e, f, g, n, o;
+ h = input.val[0]; /* h3:h2:00:00 */
+ m = input.val[1]; /* :m2:m1:00 */
+ l = input.val[2]; /* : :l1:l0 */
+ c = pmull_high(h, MODULO); /* :c2:c1:00 = reduction of h3 */
+ d = pmull_low(h, MODULO); /* : :d1:d0 = reduction of h2 */
+ e = veorq_u8(c, m); /* :e2:e1:00 = m2:m1:00 + c2:c1:00 */
+ f = pmull_high(e, MODULO); /* : :f1:f0 = reduction of e2 */
+ g = vextq_u8(ZERO, e, 8); /* : :g1:00 = e1:00 */
+ n = veorq_u8(d, l); /* : :n1:n0 = d1:d0 + l1:l0 */
+ o = veorq_u8(n, f); /* o1:o0 = f1:f0 + n1:n0 */
+ return veorq_u8(o, g); /* = o1:o0 + g1:00 */
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ */
+void mbedtls_aesce_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ uint8x16_t va, vb, vc;
+ va = vrbitq_u8(vld1q_u8(&a[0]));
+ vb = vrbitq_u8(vld1q_u8(&b[0]));
+ vc = vrbitq_u8(poly_mult_reduce(poly_mult_128(va, vb)));
+ vst1q_u8(&c[0], vc);
+}
+
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#endif /* MBEDTLS_AESCE_HAVE_CODE */
+
+#endif /* MBEDTLS_AESCE_C */
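Review bot: `aesce_setkey_enc` writes the round keys through `(uint32_t *) rk` although `rk` is declared `unsigned char *` and no buffer length is passed, so it relies on two caller guarantees that are stated nowhere in this file: 4-byte alignment and room for `4 * (Nr + 1)` 32-bit words (240 bytes for a 256-bit key). This file also has 32-bit Arm branches, where a misaligned `uint32_t` store is undefined behaviour and may fault depending on the target configuration. I would put the contract on the function, e.g. `/* rk must be 4-byte aligned and hold 4 * (Nr + 1) 32-bit words (240 bytes for AES-256). */`, and repeat it on the `rk` parameter of `mbedtls_aesce_setkey_enc` in aesce.h, whose current text only says "Destination buffer where the round keys are written".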
diff --git a/tf-psa-crypto/drivers/builtin/src/aesce.h b/tf-psa-crypto/drivers/builtin/src/aesce.h
new file mode 100644
index 0000000..a14d085
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aesce.h
@@ -0,0 +1,136 @@
+/**
+ * \file aesce.h
+ *
+ * \brief Support hardware AES acceleration on Armv8-A processors with
+ * the Armv8-A Cryptographic Extension.
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_AESCE_H
+#define MBEDTLS_AESCE_H
+
+#include "mbedtls/build_info.h"
+#include "common.h"
+
+#include "mbedtls/aes.h"
+
+
+#if defined(MBEDTLS_AESCE_C) \
+ && defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_HAVE_NEON_INTRINSICS) \
+ && (defined(MBEDTLS_COMPILER_IS_GCC) || defined(__clang__) || defined(MSC_VER))
+
+/* MBEDTLS_AESCE_HAVE_CODE is defined if we have a suitable target platform, and a
+ * potentially suitable compiler (compiler version & flags are not checked when defining
+ * this). */
+#define MBEDTLS_AESCE_HAVE_CODE
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+
+extern signed char mbedtls_aesce_has_support_result;
+
+/**
+ * \brief Internal function to detect the crypto extension in CPUs.
+ *
+ * \return 1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesce_has_support_impl(void);
+
+#define MBEDTLS_AESCE_HAS_SUPPORT() (mbedtls_aesce_has_support_result == -1 ? \
+ mbedtls_aesce_has_support_impl() : \
+ mbedtls_aesce_has_support_result)
+
+#else /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/* If we are not on Linux, we can't detect support so assume that it's supported.
+ * Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set.
+ */
+#define MBEDTLS_AESCE_HAS_SUPPORT() 1
+
+#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/**
+ * \brief Internal AES-ECB block encryption and decryption
+ *
+ * \warning This assumes that the context specifies either 10, 12 or 14
+ * rounds and will behave incorrectly if this is not the case.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 on success (cannot fail)
+ */
+int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+/**
+ * \brief Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param c Result
+ * \param a First operand
+ * \param b Second operand
+ *
+ * \note Both operands and result are bit strings interpreted as
+ * elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesce_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16]);
+
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Internal round key inversion. This function computes
+ * decryption round keys from the encryption round keys.
+ *
+ * \param invkey Round keys for the equivalent inverse cipher
+ * \param fwdkey Original round keys (for encryption)
+ * \param nr Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesce_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief Internal key expansion for encryption
+ *
+ * \param rk Destination buffer where the round keys are written
+ * \param key Encryption key
+ * \param bits Key size in bits (must be 128, 192 or 256)
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#else
+
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#error "AES hardware acceleration not supported on this platform / compiler"
+#endif
+
+#endif /* MBEDTLS_AESCE_C && MBEDTLS_ARCH_IS_ARMV8_A && MBEDTLS_HAVE_NEON_INTRINSICS &&
+ (MBEDTLS_COMPILER_IS_GCC || __clang__ || MSC_VER) */
+
+#endif /* MBEDTLS_AESCE_H */
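Review bot: The `#if` that defines `MBEDTLS_AESCE_HAVE_CODE` tests `defined(MSC_VER)`, but the macro MSVC predefines is `_MSC_VER`, which is the spelling aesce.c in this same commit uses for its compiler version check. As written, the MSVC arm of the condition can never be true, so a plain MSVC build (no `__clang__`) for Armv8-A takes the `#else` branch. The AESCE code is then compiled out, and with `MBEDTLS_AES_USE_HARDWARE_ONLY` set the `#error` fires instead. The line should read `&& (defined(MBEDTLS_COMPILER_IS_GCC) || defined(__clang__) || defined(_MSC_VER))`, with the trailing `#endif` comment updated to match.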
diff --git a/tf-psa-crypto/drivers/builtin/src/aesni.c b/tf-psa-crypto/drivers/builtin/src/aesni.c
new file mode 100644
index 0000000..8e5bd55
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aesni.c
@@ -0,0 +1,835 @@
+/*
+ * AES-NI support functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * [AES-WP] https://www.intel.com/content/www/us/en/developer/articles/tool/intel-advanced-encryption-standard-aes-instructions-set.html
+ * [CLMUL-WP] https://www.intel.com/content/www/us/en/develop/download/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode.html
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_AESNI_C)
+
+#include "aesni.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+#if defined(__GNUC__)
+#include <cpuid.h>
+#elif defined(_MSC_VER)
+#include <intrin.h>
+#else
+#error "`__cpuid` required by MBEDTLS_AESNI_C is not supported by the compiler"
+#endif
+#include <immintrin.h>
+#endif
+
+#if defined(MBEDTLS_ARCH_IS_X86)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC push_options
+#pragma GCC target ("pclmul,sse2,aes")
+#define MBEDTLS_POP_TARGET_PRAGMA
+#elif defined(__clang__) && (__clang_major__ >= 5)
+#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function)
+#define MBEDTLS_POP_TARGET_PRAGMA
+#endif
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support(unsigned int what)
+{
+ static int done = 0;
+ static unsigned int c = 0;
+
+ if (!done) {
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+ static int info[4] = { 0, 0, 0, 0 };
+#if defined(_MSC_VER)
+ __cpuid(info, 1);
+#else
+ __cpuid(1, info[0], info[1], info[2], info[3]);
+#endif
+ c = info[2];
+#else /* AESNI using asm */
+ asm ("movl $1, %%eax \n\t"
+ "cpuid \n\t"
+ : "=c" (c)
+ :
+ : "eax", "ebx", "edx");
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+ done = 1;
+ }
+
+ return (c & what) != 0;
+}
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ const __m128i *rk = (const __m128i *) (ctx->buf + ctx->rk_offset);
+ unsigned nr = ctx->nr; // Number of remaining rounds
+
+ // Load round key 0
+ __m128i state;
+ memcpy(&state, input, 16);
+ state = _mm_xor_si128(state, rk[0]); // state ^= *rk;
+ ++rk;
+ --nr;
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (nr != 0) {
+ state = _mm_aesdec_si128(state, *rk);
+ ++rk;
+ --nr;
+ }
+ state = _mm_aesdeclast_si128(state, *rk);
+ } else
+#else
+ (void) mode;
+#endif
+ {
+ while (nr != 0) {
+ state = _mm_aesenc_si128(state, *rk);
+ ++rk;
+ --nr;
+ }
+ state = _mm_aesenclast_si128(state, *rk);
+ }
+
+ memcpy(output, &state, 16);
+ return 0;
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+
+static void gcm_clmul(const __m128i aa, const __m128i bb,
+ __m128i *cc, __m128i *dd)
+{
+ /*
+ * Caryless multiplication dd:cc = aa * bb
+ * using [CLMUL-WP] algorithm 1 (p. 12).
+ */
+ *cc = _mm_clmulepi64_si128(aa, bb, 0x00); // a0*b0 = c1:c0
+ *dd = _mm_clmulepi64_si128(aa, bb, 0x11); // a1*b1 = d1:d0
+ __m128i ee = _mm_clmulepi64_si128(aa, bb, 0x10); // a0*b1 = e1:e0
+ __m128i ff = _mm_clmulepi64_si128(aa, bb, 0x01); // a1*b0 = f1:f0
+ ff = _mm_xor_si128(ff, ee); // e1+f1:e0+f0
+ ee = ff; // e1+f1:e0+f0
+ ff = _mm_srli_si128(ff, 8); // 0:e1+f1
+ ee = _mm_slli_si128(ee, 8); // e0+f0:0
+ *dd = _mm_xor_si128(*dd, ff); // d1:d0+e1+f1
+ *cc = _mm_xor_si128(*cc, ee); // c1+e0+f0:c0
+}
+
+static void gcm_shift(__m128i *cc, __m128i *dd)
+{
+ /* [CMUCL-WP] Algorithm 5 Step 1: shift cc:dd one bit to the left,
+ * taking advantage of [CLMUL-WP] eq 27 (p. 18). */
+ // // *cc = r1:r0
+ // // *dd = r3:r2
+ __m128i cc_lo = _mm_slli_epi64(*cc, 1); // r1<<1:r0<<1
+ __m128i dd_lo = _mm_slli_epi64(*dd, 1); // r3<<1:r2<<1
+ __m128i cc_hi = _mm_srli_epi64(*cc, 63); // r1>>63:r0>>63
+ __m128i dd_hi = _mm_srli_epi64(*dd, 63); // r3>>63:r2>>63
+ __m128i xmm5 = _mm_srli_si128(cc_hi, 8); // 0:r1>>63
+ cc_hi = _mm_slli_si128(cc_hi, 8); // r0>>63:0
+ dd_hi = _mm_slli_si128(dd_hi, 8); // 0:r1>>63
+
+ *cc = _mm_or_si128(cc_lo, cc_hi); // r1<<1|r0>>63:r0<<1
+ *dd = _mm_or_si128(_mm_or_si128(dd_lo, dd_hi), xmm5); // r3<<1|r2>>62:r2<<1|r1>>63
+}
+
+static __m128i gcm_reduce(__m128i xx)
+{
+ // // xx = x1:x0
+ /* [CLMUL-WP] Algorithm 5 Step 2 */
+ __m128i aa = _mm_slli_epi64(xx, 63); // x1<<63:x0<<63 = stuff:a
+ __m128i bb = _mm_slli_epi64(xx, 62); // x1<<62:x0<<62 = stuff:b
+ __m128i cc = _mm_slli_epi64(xx, 57); // x1<<57:x0<<57 = stuff:c
+ __m128i dd = _mm_slli_si128(_mm_xor_si128(_mm_xor_si128(aa, bb), cc), 8); // a+b+c:0
+ return _mm_xor_si128(dd, xx); // x1+a+b+c:x0 = d:x0
+}
+
+static __m128i gcm_mix(__m128i dx)
+{
+ /* [CLMUL-WP] Algorithm 5 Steps 3 and 4 */
+ __m128i ee = _mm_srli_epi64(dx, 1); // e1:x0>>1 = e1:e0'
+ __m128i ff = _mm_srli_epi64(dx, 2); // f1:x0>>2 = f1:f0'
+ __m128i gg = _mm_srli_epi64(dx, 7); // g1:x0>>7 = g1:g0'
+
+ // e0'+f0'+g0' is almost e0+f0+g0, except for some missing
+ // bits carried from d. Now get those bits back in.
+ __m128i eh = _mm_slli_epi64(dx, 63); // d<<63:stuff
+ __m128i fh = _mm_slli_epi64(dx, 62); // d<<62:stuff
+ __m128i gh = _mm_slli_epi64(dx, 57); // d<<57:stuff
+ __m128i hh = _mm_srli_si128(_mm_xor_si128(_mm_xor_si128(eh, fh), gh), 8); // 0:missing bits of d
+
+ return _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(_mm_xor_si128(ee, ff), gg), hh), dx);
+}
+
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ __m128i aa = { 0 }, bb = { 0 }, cc, dd;
+
+ /* The inputs are in big-endian order, so byte-reverse them */
+ for (size_t i = 0; i < 16; i++) {
+ ((uint8_t *) &aa)[i] = a[15 - i];
+ ((uint8_t *) &bb)[i] = b[15 - i];
+ }
+
+ gcm_clmul(aa, bb, &cc, &dd);
+ gcm_shift(&cc, &dd);
+ /*
+ * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+ * using [CLMUL-WP] algorithm 5 (p. 18).
+ * Currently dd:cc holds x3:x2:x1:x0 (already shifted).
+ */
+ __m128i dx = gcm_reduce(cc);
+ __m128i xh = gcm_mix(dx);
+ cc = _mm_xor_si128(xh, dd); // x3+h1:x2+h0
+
+ /* Now byte-reverse the outputs */
+ for (size_t i = 0; i < 16; i++) {
+ c[i] = ((uint8_t *) &cc)[15 - i];
+ }
+
+ return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey, int nr)
+{
+ __m128i *ik = (__m128i *) invkey;
+ const __m128i *fk = (const __m128i *) fwdkey + nr;
+
+ *ik = *fk;
+ for (--fk, ++ik; fk > (const __m128i *) fwdkey; --fk, ++ik) {
+ *ik = _mm_aesimc_si128(*fk);
+ }
+ *ik = *fk;
+}
+#endif
+
+/*
+ * Key expansion, 128-bit case
+ */
+static __m128i aesni_set_rk_128(__m128i state, __m128i xword)
+{
+ /*
+ * Finish generating the next round key.
+ *
+ * On entry state is r3:r2:r1:r0 and xword is X:stuff:stuff:stuff
+ * with X = rot( sub( r3 ) ) ^ RCON (obtained with AESKEYGENASSIST).
+ *
+ * On exit, xword is r7:r6:r5:r4
+ * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+ * and this is returned, to be written to the round key buffer.
+ */
+ xword = _mm_shuffle_epi32(xword, 0xff); // X:X:X:X
+ xword = _mm_xor_si128(xword, state); // X+r3:X+r2:X+r1:r4
+ state = _mm_slli_si128(state, 4); // r2:r1:r0:0
+ xword = _mm_xor_si128(xword, state); // X+r3+r2:X+r2+r1:r5:r4
+ state = _mm_slli_si128(state, 4); // r1:r0:0:0
+ xword = _mm_xor_si128(xword, state); // X+r3+r2+r1:r6:r5:r4
+ state = _mm_slli_si128(state, 4); // r0:0:0:0
+ state = _mm_xor_si128(xword, state); // r7:r6:r5:r4
+ return state;
+}
+
+static void aesni_setkey_enc_128(unsigned char *rk_bytes,
+ const unsigned char *key)
+{
+ __m128i *rk = (__m128i *) rk_bytes;
+
+ memcpy(&rk[0], key, 16);
+ rk[1] = aesni_set_rk_128(rk[0], _mm_aeskeygenassist_si128(rk[0], 0x01));
+ rk[2] = aesni_set_rk_128(rk[1], _mm_aeskeygenassist_si128(rk[1], 0x02));
+ rk[3] = aesni_set_rk_128(rk[2], _mm_aeskeygenassist_si128(rk[2], 0x04));
+ rk[4] = aesni_set_rk_128(rk[3], _mm_aeskeygenassist_si128(rk[3], 0x08));
+ rk[5] = aesni_set_rk_128(rk[4], _mm_aeskeygenassist_si128(rk[4], 0x10));
+ rk[6] = aesni_set_rk_128(rk[5], _mm_aeskeygenassist_si128(rk[5], 0x20));
+ rk[7] = aesni_set_rk_128(rk[6], _mm_aeskeygenassist_si128(rk[6], 0x40));
+ rk[8] = aesni_set_rk_128(rk[7], _mm_aeskeygenassist_si128(rk[7], 0x80));
+ rk[9] = aesni_set_rk_128(rk[8], _mm_aeskeygenassist_si128(rk[8], 0x1B));
+ rk[10] = aesni_set_rk_128(rk[9], _mm_aeskeygenassist_si128(rk[9], 0x36));
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_set_rk_192(__m128i *state0, __m128i *state1, __m128i xword,
+ unsigned char *rk)
+{
+ /*
+ * Finish generating the next 6 quarter-keys.
+ *
+ * On entry state0 is r3:r2:r1:r0, state1 is stuff:stuff:r5:r4
+ * and xword is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON
+ * (obtained with AESKEYGENASSIST).
+ *
+ * On exit, state0 is r9:r8:r7:r6 and state1 is stuff:stuff:r11:r10
+ * and those are written to the round key buffer.
+ */
+ xword = _mm_shuffle_epi32(xword, 0x55); // X:X:X:X
+ xword = _mm_xor_si128(xword, *state0); // X+r3:X+r2:X+r1:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r2:r1:r0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2:X+r2+r1:X+r1+r0:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r1:r0:0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1:X+r2+r1+r0:X+r1+r0:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r0:0:0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1+r0:X+r2+r1+r0:X+r1+r0:X+r0
+ *state0 = xword; // = r9:r8:r7:r6
+
+ xword = _mm_shuffle_epi32(xword, 0xff); // r9:r9:r9:r9
+ xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5:r9+r4
+ *state1 = _mm_slli_si128(*state1, 4); // stuff:stuff:r4:0
+ xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5+r4:r9+r4
+ *state1 = xword; // = stuff:stuff:r11:r10
+
+ /* Store state0 and the low half of state1 into rk, which is conceptually
+ * an array of 24-byte elements. Since 24 is not a multiple of 16,
+ * rk is not necessarily aligned so just `*rk = *state0` doesn't work. */
+ memcpy(rk, state0, 16);
+ memcpy(rk + 16, state1, 8);
+}
+
+static void aesni_setkey_enc_192(unsigned char *rk,
+ const unsigned char *key)
+{
+ /* First round: use original key */
+ memcpy(rk, key, 24);
+ /* aes.c guarantees that rk is aligned on a 16-byte boundary. */
+ __m128i state0 = ((__m128i *) rk)[0];
+ __m128i state1 = _mm_loadl_epi64(((__m128i *) rk) + 1);
+
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x01), rk + 24 * 1);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x02), rk + 24 * 2);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x04), rk + 24 * 3);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x08), rk + 24 * 4);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x10), rk + 24 * 5);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x20), rk + 24 * 6);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x40), rk + 24 * 7);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x80), rk + 24 * 8);
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/*
+ * Key expansion, 256-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_set_rk_256(__m128i state0, __m128i state1, __m128i xword,
+ __m128i *rk0, __m128i *rk1)
+{
+ /*
+ * Finish generating the next two round keys.
+ *
+ * On entry state0 is r3:r2:r1:r0, state1 is r7:r6:r5:r4 and
+ * xword is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+ * (obtained with AESKEYGENASSIST).
+ *
+ * On exit, *rk0 is r11:r10:r9:r8 and *rk1 is r15:r14:r13:r12
+ */
+ xword = _mm_shuffle_epi32(xword, 0xff);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ state0 = _mm_xor_si128(state0, xword);
+ *rk0 = state0;
+
+ /* Set xword to stuff:Y:stuff:stuff with Y = subword( r11 )
+ * and proceed to generate next round key from there */
+ xword = _mm_aeskeygenassist_si128(state0, 0x00);
+ xword = _mm_shuffle_epi32(xword, 0xaa);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ state1 = _mm_xor_si128(state1, xword);
+ *rk1 = state1;
+}
+
+static void aesni_setkey_enc_256(unsigned char *rk_bytes,
+ const unsigned char *key)
+{
+ __m128i *rk = (__m128i *) rk_bytes;
+
+ memcpy(&rk[0], key, 16);
+ memcpy(&rk[1], key + 16, 16);
+
+ /*
+ * Main "loop" - Generating one more key than necessary,
+ * see definition of mbedtls_aes_context.buf
+ */
+ aesni_set_rk_256(rk[0], rk[1], _mm_aeskeygenassist_si128(rk[1], 0x01), &rk[2], &rk[3]);
+ aesni_set_rk_256(rk[2], rk[3], _mm_aeskeygenassist_si128(rk[3], 0x02), &rk[4], &rk[5]);
+ aesni_set_rk_256(rk[4], rk[5], _mm_aeskeygenassist_si128(rk[5], 0x04), &rk[6], &rk[7]);
+ aesni_set_rk_256(rk[6], rk[7], _mm_aeskeygenassist_si128(rk[7], 0x08), &rk[8], &rk[9]);
+ aesni_set_rk_256(rk[8], rk[9], _mm_aeskeygenassist_si128(rk[9], 0x10), &rk[10], &rk[11]);
+ aesni_set_rk_256(rk[10], rk[11], _mm_aeskeygenassist_si128(rk[11], 0x20), &rk[12], &rk[13]);
+ aesni_set_rk_256(rk[12], rk[13], _mm_aeskeygenassist_si128(rk[13], 0x40), &rk[14], &rk[15]);
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning \
+ "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC(regs) ".byte 0x66,0x0F,0x38,0xDE," regs "\n\t"
+#define AESDECLAST(regs) ".byte 0x66,0x0F,0x38,0xDF," regs "\n\t"
+#define AESENC(regs) ".byte 0x66,0x0F,0x38,0xDC," regs "\n\t"
+#define AESENCLAST(regs) ".byte 0x66,0x0F,0x38,0xDD," regs "\n\t"
+#define AESIMC(regs) ".byte 0x66,0x0F,0x38,0xDB," regs "\n\t"
+#define AESKEYGENA(regs, imm) ".byte 0x66,0x0F,0x3A,0xDF," regs "," imm "\n\t"
+#define PCLMULQDQ(regs, imm) ".byte 0x66,0x0F,0x3A,0x44," regs "," imm "\n\t"
+
+#define xmm0_xmm0 "0xC0"
+#define xmm0_xmm1 "0xC8"
+#define xmm0_xmm2 "0xD0"
+#define xmm0_xmm3 "0xD8"
+#define xmm0_xmm4 "0xE0"
+#define xmm1_xmm0 "0xC1"
+#define xmm1_xmm2 "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ asm ("movdqu (%3), %%xmm0 \n\t" // load input
+ "movdqu (%1), %%xmm1 \n\t" // load round key 0
+ "pxor %%xmm1, %%xmm0 \n\t" // round 0
+ "add $16, %1 \n\t" // point to next round key
+ "subl $1, %0 \n\t" // normal rounds = nr - 1
+ "test %2, %2 \n\t" // mode?
+ "jz 2f \n\t" // 0 = decrypt
+
+ "1: \n\t" // encryption loop
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESENC(xmm1_xmm0) // do round
+ "add $16, %1 \n\t" // point to next round key
+ "subl $1, %0 \n\t" // loop
+ "jnz 1b \n\t"
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESENCLAST(xmm1_xmm0) // last round
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ "jmp 3f \n\t"
+
+ "2: \n\t" // decryption loop
+ "movdqu (%1), %%xmm1 \n\t"
+ AESDEC(xmm1_xmm0) // do round
+ "add $16, %1 \n\t"
+ "subl $1, %0 \n\t"
+ "jnz 2b \n\t"
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESDECLAST(xmm1_xmm0) // last round
+#endif
+
+ "3: \n\t"
+ "movdqu %%xmm0, (%4) \n\t" // export output
+ :
+ : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
+ : "memory", "cc", "xmm0", "xmm1");
+
+
+ return 0;
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ unsigned char aa[16], bb[16], cc[16];
+ size_t i;
+
+ /* The inputs are in big-endian order, so byte-reverse them */
+ for (i = 0; i < 16; i++) {
+ aa[i] = a[15 - i];
+ bb[i] = b[15 - i];
+ }
+
+ asm ("movdqu (%0), %%xmm0 \n\t" // a1:a0
+ "movdqu (%1), %%xmm1 \n\t" // b1:b0
+
+ /*
+ * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+ * using [CLMUL-WP] algorithm 1 (p. 12).
+ */
+ "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0
+ "movdqa %%xmm1, %%xmm3 \n\t" // same
+ "movdqa %%xmm1, %%xmm4 \n\t" // same
+ PCLMULQDQ(xmm0_xmm1, "0x00") // a0*b0 = c1:c0
+ PCLMULQDQ(xmm0_xmm2, "0x11") // a1*b1 = d1:d0
+ PCLMULQDQ(xmm0_xmm3, "0x10") // a0*b1 = e1:e0
+ PCLMULQDQ(xmm0_xmm4, "0x01") // a1*b0 = f1:f0
+ "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0
+ "movdqa %%xmm4, %%xmm3 \n\t" // same
+ "psrldq $8, %%xmm4 \n\t" // 0:e1+f1
+ "pslldq $8, %%xmm3 \n\t" // e0+f0:0
+ "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1
+ "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0
+
+ /*
+ * Now shift the result one bit to the left,
+ * taking advantage of [CLMUL-WP] eq 27 (p. 18)
+ */
+ "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0
+ "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2
+ "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1
+ "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1
+ "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63
+ "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63
+ "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63
+ "pslldq $8, %%xmm3 \n\t" // r0>>63:0
+ "pslldq $8, %%xmm4 \n\t" // r2>>63:0
+ "psrldq $8, %%xmm5 \n\t" // 0:r1>>63
+ "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1
+ "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1
+ "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+ /*
+ * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+ * using [CLMUL-WP] algorithm 5 (p. 18).
+ * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+ */
+ /* Step 2 (1) */
+ "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0
+ "movdqa %%xmm1, %%xmm4 \n\t" // same
+ "movdqa %%xmm1, %%xmm5 \n\t" // same
+ "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a
+ "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b
+ "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c
+
+ /* Step 2 (2) */
+ "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b
+ "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c
+ "pslldq $8, %%xmm3 \n\t" // a+b+c:0
+ "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0
+
+ /* Steps 3 and 4 */
+ "movdqa %%xmm1,%%xmm0 \n\t" // d:x0
+ "movdqa %%xmm1,%%xmm4 \n\t" // same
+ "movdqa %%xmm1,%%xmm5 \n\t" // same
+ "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0'
+ "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0'
+ "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0'
+ "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0'
+ "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0'
+ // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+ // bits carried from d. Now get those\t bits back in.
+ "movdqa %%xmm1,%%xmm3 \n\t" // d:x0
+ "movdqa %%xmm1,%%xmm4 \n\t" // same
+ "movdqa %%xmm1,%%xmm5 \n\t" // same
+ "psllq $63, %%xmm3 \n\t" // d<<63:stuff
+ "psllq $62, %%xmm4 \n\t" // d<<62:stuff
+ "psllq $57, %%xmm5 \n\t" // d<<57:stuff
+ "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff
+ "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff
+ "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d
+ "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0
+ "pxor %%xmm1, %%xmm0 \n\t" // h1:h0
+ "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0
+
+ "movdqu %%xmm0, (%2) \n\t" // done
+ :
+ : "r" (aa), "r" (bb), "r" (cc)
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5");
+
+ /* Now byte-reverse the outputs */
+ for (i = 0; i < 16; i++) {
+ c[i] = cc[15 - i];
+ }
+
+ return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey, int nr)
+{
+ unsigned char *ik = invkey;
+ const unsigned char *fk = fwdkey + 16 * nr;
+
+ memcpy(ik, fk, 16);
+
+ for (fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16) {
+ asm ("movdqu (%0), %%xmm0 \n\t"
+ AESIMC(xmm0_xmm0)
+ "movdqu %%xmm0, (%1) \n\t"
+ :
+ : "r" (fk), "r" (ik)
+ : "memory", "xmm0");
+ }
+
+ memcpy(ik, fk, 16);
+}
+#endif
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t" // copy the original key
+ "movdqu %%xmm0, (%0) \n\t" // as round key 0
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next round key.
+ *
+ * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+ * with X = rot( sub( r3 ) ) ^ RCON.
+ *
+ * On exit, xmm0 is r7:r6:r5:r4
+ * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+ * and those are written to the round key buffer.
+ */
+ "1: \n\t"
+ "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X
+ "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4
+ "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0
+ "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4
+ "pslldq $4, %%xmm0 \n\t" // etc
+ "pxor %%xmm0, %%xmm1 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time!
+ "add $16, %0 \n\t" // point to next round key
+ "movdqu %%xmm0, (%0) \n\t" // write it
+ "ret \n\t"
+
+ /* Main "loop" */
+ "2: \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x40") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x80") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x1B") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_setkey_enc_192(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t" // copy original round key
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "movq 16(%1), %%xmm1 \n\t"
+ "movq %%xmm1, (%0) \n\t"
+ "add $8, %0 \n\t"
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next 6 quarter-keys.
+ *
+ * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+ * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+ *
+ * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+ * and those are written to the round key buffer.
+ */
+ "1: \n\t"
+ "pshufd $0x55, %%xmm2, %%xmm2 \n\t" // X:X:X:X
+ "pxor %%xmm0, %%xmm2 \n\t" // X+r3:X+r2:X+r1:r4
+ "pslldq $4, %%xmm0 \n\t" // etc
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm2, %%xmm0 \n\t" // update xmm0 = r9:r8:r7:r6
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "pshufd $0xff, %%xmm0, %%xmm2 \n\t" // r9:r9:r9:r9
+ "pxor %%xmm1, %%xmm2 \n\t" // stuff:stuff:r9+r5:r10
+ "pslldq $4, %%xmm1 \n\t" // r2:r1:r0:0
+ "pxor %%xmm2, %%xmm1 \n\t" // xmm1 = stuff:stuff:r11:r10
+ "movq %%xmm1, (%0) \n\t"
+ "add $8, %0 \n\t"
+ "ret \n\t"
+
+ "2: \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x80") "call 1b \n\t"
+
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/*
+ * Key expansion, 256-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_setkey_enc_256(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t"
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "movdqu 16(%1), %%xmm1 \n\t"
+ "movdqu %%xmm1, (%0) \n\t"
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next two round keys.
+ *
+ * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+ * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+ *
+ * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+ * and those have been written to the output buffer.
+ */
+ "1: \n\t"
+ "pshufd $0xff, %%xmm2, %%xmm2 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm2, %%xmm0 \n\t"
+ "add $16, %0 \n\t"
+ "movdqu %%xmm0, (%0) \n\t"
+
+ /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+ * and proceed to generate next round key from there */
+ AESKEYGENA(xmm0_xmm2, "0x00")
+ "pshufd $0xaa, %%xmm2, %%xmm2 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm2, %%xmm1 \n\t"
+ "add $16, %0 \n\t"
+ "movdqu %%xmm1, (%0) \n\t"
+ "ret \n\t"
+
+ /*
+ * Main "loop" - Generating one more key than necessary,
+ * see definition of mbedtls_aes_context.buf
+ */
+ "2: \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits)
+{
+ switch (bits) {
+ case 128: aesni_setkey_enc_128(rk, key); break;
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 192: aesni_setkey_enc_192(rk, key); break;
+ case 256: aesni_setkey_enc_256(rk, key); break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+
+#endif /* MBEDTLS_AESNI_C */
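Review bot: In the assembly build (`MBEDTLS_AESNI_HAVE_CODE == 1`), `mbedtls_aesni_crypt_ecb` changes `%0` and `%1` with `subl $1, %0` and `add $16, %1`, yet both are declared as input-only `"r"` operands, which GCC-style extended asm assumes are unchanged on exit. Copying them to locals and declaring those read-write would make the contract explicit: `: "+r" (nr), "+r" (rk)` as outputs and `: "r" (mode), "r" (input), "r" (output)` as inputs, which keeps the operand numbering. The three `aesni_setkey_enc_*` asm blocks advance `%0` in the same way, and they write xmm0 to xmm2 while their clobber list is only `"memory", "cc", "0"`. The `"0"` entry looks intended to cover operand 0, but clobber entries name registers, so this should be checked against the compiler documentation. Because these routines produce the round keys, a miscompile here could yield a wrong key schedule without any visible failure.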
diff --git a/tf-psa-crypto/drivers/builtin/src/aesni.h b/tf-psa-crypto/drivers/builtin/src/aesni.h
new file mode 100644
index 0000000..59e27af
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aesni.h
@@ -0,0 +1,162 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/aes.h"
+
+#define MBEDTLS_AESNI_AES 0x02000000u
+#define MBEDTLS_AESNI_CLMUL 0x00000002u
+
+#if defined(MBEDTLS_AESNI_C) && \
+ (defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_X86))
+
+/* Can we do AESNI with intrinsics?
+ * (Only implemented with certain compilers, only for certain targets.)
+ */
+#undef MBEDTLS_AESNI_HAVE_INTRINSICS
+#if defined(_MSC_VER) && !defined(__clang__)
+/* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support
+ * VS 2013 and up for other reasons anyway, so no need to check the version. */
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+/* GCC-like compilers: currently, we only support intrinsics if the requisite
+ * target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2`
+ * or `clang -maes -mpclmul`). */
+#if (defined(__GNUC__) || defined(__clang__)) && defined(__AES__) && defined(__PCLMUL__)
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+/* For 32-bit, we only support intrinsics */
+#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__))
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+
+/* Choose the implementation of AESNI, if one is available.
+ *
+ * Favor the intrinsics-based implementation if it's available, for better
+ * maintainability.
+ * Performance is about the same (see #7380).
+ * In the long run, we will likely remove the assembly implementation. */
+#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
+#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
+#elif defined(MBEDTLS_HAVE_ASM) && \
+ (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64)
+/* Can we do AESNI with inline assembly?
+ * (Only implemented with gas syntax, only for 64-bit.)
+ */
+#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
+#else
+#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param what The feature to detect
+ * (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return 1 if CPU has support for the feature, 0 otherwise
+ */
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+int mbedtls_aesni_has_support(unsigned int what);
+#else
+#define mbedtls_aesni_has_support(what) 1
+#endif
+
+/**
+ * \brief Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+/**
+ * \brief Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param c Result
+ * \param a First operand
+ * \param b Second operand
+ *
+ * \note Both operands and result are bit strings interpreted as
+ * elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16]);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Internal round key inversion. This function computes
+ * decryption round keys from the encryption round keys.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param invkey Round keys for the equivalent inverse cipher
+ * \param fwdkey Original round keys (for encryption)
+ * \param nr Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief Internal key expansion for encryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param rk Destination buffer where the round keys are written
+ * \param key Encryption key
+ * \param bits Key size in bits (must be 128, 192 or 256)
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+#endif /* MBEDTLS_AESNI_C && (MBEDTLS_ARCH_IS_X64 || MBEDTLS_ARCH_IS_X86) */
+
+#endif /* MBEDTLS_AESNI_H */
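Review bot: The documentation for `mbedtls_aesni_setkey_enc` and `mbedtls_aesni_inverse_key` does not say how large or how aligned the round-key buffers must be, although the implementation in aesni.c depends on both. The intrinsics build casts `rk`, `invkey` and `fwdkey` to `__m128i *` and dereferences them. The 256-bit expansion writes through `rk[15]`, which is 256 bytes and, per the comment there, one round key more than needed. I would extend `\param rk` with `Must be 16-byte aligned and have room for 16 round keys (256 bytes).` and add an equivalent note to `invkey` and `fwdkey` giving the alignment and a size of `16 * (nr + 1)` bytes.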
diff --git a/tf-psa-crypto/drivers/builtin/src/aria.c b/tf-psa-crypto/drivers/builtin/src/aria.c
new file mode 100644
index 0000000..d9f84cc
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/aria.c
@@ -0,0 +1,969 @@
+/*
+ * ARIA implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
+ __ARM_ARCH >= 6
+static inline uint32_t aria_p1(uint32_t x)
+{
+ uint32_t r;
+ __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
+ return r;
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+ (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
+static inline uint32_t aria_p1(uint32_t x)
+{
+ uint32_t r;
+ __asm("rev16 r, x");
+ return r;
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+ defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ */
+#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a(uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d)
+{
+ uint32_t ta, tb, tc;
+ ta = *b; // 4567
+ *b = *a; // 0123
+ *a = ARIA_P2(ta); // 6745
+ tb = ARIA_P2(*d); // efcd
+ *d = ARIA_P1(*c); // 98ba
+ *c = ARIA_P1(tb); // fedc
+ ta ^= *d; // 4567+98ba
+ tc = ARIA_P2(*b); // 2301
+ ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
+ tb ^= ARIA_P2(*d); // ba98+efcd
+ tc ^= ARIA_P1(*a); // 2301+7654
+ *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+ tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
+ *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+ ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
+ *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+ tc = ARIA_P2(tc); // 0123+5476
+ *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl(uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d,
+ const uint8_t sa[256], const uint8_t sb[256],
+ const uint8_t sc[256], const uint8_t sd[256])
+{
+ *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
+ *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
+ *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
+ *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+ 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+ 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+ 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+ 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+ 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+ 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+ 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+ 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+ 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+ 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+ 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+ 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+ 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+ 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+ 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+ 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+ 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+ 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+ 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+ 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+ 0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+ 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+ 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+ 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+ 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+ 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+ 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+ 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+ 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+ 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+ 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+ 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+ 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+ 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+ 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+ 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+ 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+ 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+ 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+ 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+ 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+ 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+ 0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+ 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+ 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+ 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+ 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+ 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+ 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+ 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+ 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+ 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+ 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+ 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+ 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+ 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+ 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+ 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+ 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+ 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+ 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+ 0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+ 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+ 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+ 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+ 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+ 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+ 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+ 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+ 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+ 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+ 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+ 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+ 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+ 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+ 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+ 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+ 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+ 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+ 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+ 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+ 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+ 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+ 0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4])
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+ aria_a(&a, &b, &c, &d);
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4])
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+ aria_a(&a, &b, &c, &d);
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
+ * bytes here.
+ */
+static void aria_rot128(uint32_t r[4], const uint32_t a[4],
+ const uint32_t b[4], uint8_t n)
+{
+ uint8_t i, j;
+ uint32_t t, u;
+
+ const uint8_t n1 = n % 32; // bit offset
+ const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
+
+ j = (n / 32) % 4; // initial word offset
+ t = ARIA_P3(b[j]); // big endian
+ for (i = 0; i < 4; i++) {
+ j = (j + 1) % 4; // get next word, big endian
+ u = ARIA_P3(b[j]);
+ t <<= n1; // rotate
+ t |= u >> n2;
+ t = ARIA_P3(t); // back to little endian
+ r[i] = a[i] ^ t; // store
+ t = u; // move to next word
+ }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits)
+{
+ /* round constant masks */
+ const uint32_t rc[3][4] =
+ {
+ { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
+ { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
+ { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
+ };
+
+ int i;
+ uint32_t w[4][4], *w2;
+
+ if (keybits != 128 && keybits != 192 && keybits != 256) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ /* Copy key to W0 (and potential remainder to W1) */
+ w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
+ w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
+ w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
+ w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
+
+ memset(w[1], 0, 16);
+ if (keybits >= 192) {
+ w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
+ w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
+ }
+ if (keybits == 256) {
+ w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
+ w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
+ }
+
+ i = (keybits - 128) >> 6; // index: 0, 1, 2
+ ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
+
+ aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
+ i = i < 2 ? i + 1 : 0;
+ aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
+ i = i < 2 ? i + 1 : 0;
+ aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
+
+ for (i = 0; i < 4; i++) { // create round keys
+ w2 = w[(i + 1) & 3];
+ aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
+ aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
+ aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
+ aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
+ }
+ aria_rot128(ctx->rk[16], w[0], w[1], 19);
+
+ /* w holds enough info to reconstruct the round keys */
+ mbedtls_platform_zeroize(w, sizeof(w));
+
+ return 0;
+}
+
+/*
+ * Set decryption key
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits)
+{
+ int i, j, k, ret;
+
+ ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* flip the order of round keys */
+ for (i = 0, j = ctx->nr; i < j; i++, j--) {
+ for (k = 0; k < 4; k++) {
+ uint32_t t = ctx->rk[i][k];
+ ctx->rk[i][k] = ctx->rk[j][k];
+ ctx->rk[j][k] = t;
+ }
+ }
+
+ /* apply affine transform to middle keys */
+ for (i = 1; i < ctx->nr; i++) {
+ aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
+ &ctx->rk[i][2], &ctx->rk[i][3]);
+ }
+
+ return 0;
+}
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
+ const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
+{
+ int i;
+
+ uint32_t a, b, c, d;
+
+ a = MBEDTLS_GET_UINT32_LE(input, 0);
+ b = MBEDTLS_GET_UINT32_LE(input, 4);
+ c = MBEDTLS_GET_UINT32_LE(input, 8);
+ d = MBEDTLS_GET_UINT32_LE(input, 12);
+
+ i = 0;
+ while (1) {
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+ aria_a(&a, &b, &c, &d);
+
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+ if (i >= ctx->nr) {
+ break;
+ }
+ aria_a(&a, &b, &c, &d);
+ }
+
+ /* final key mixing */
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+
+ MBEDTLS_PUT_UINT32_LE(a, output, 0);
+ MBEDTLS_PUT_UINT32_LE(b, output, 4);
+ MBEDTLS_PUT_UINT32_LE(c, output, 8);
+ MBEDTLS_PUT_UINT32_LE(d, output, 12);
+
+ return 0;
+}
+
+/* Initialize context */
+void mbedtls_aria_init(mbedtls_aria_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_aria_context));
+}
+
+/* Clear context */
+void mbedtls_aria_free(mbedtls_aria_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ if (length % MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_ARIA_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
+ mbedtls_aria_crypt_ecb(ctx, input, output);
+
+ mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
+
+ memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
+
+ mbedtls_aria_crypt_ecb(ctx, output, output);
+ memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char c;
+ size_t n;
+
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+
+ /* An overly large value of n can lead to an unlimited
+ * buffer overflow. */
+ if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_ARIA_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, iv, iv);
+ }
+
+ c = *input++;
+ *output++ = c ^ iv[n];
+ iv[n] = c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, iv, iv);
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c, i;
+ size_t n;
+
+ n = *nc_off;
+ /* An overly large value of n can lead to an unlimited
+ * buffer overflow. */
+ if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, nonce_counter,
+ stream_block);
+
+ for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
+ if (++nonce_counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+ c = *input++;
+ *output++ = (unsigned char) (c ^ stream_block[n]);
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *nc_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] = // test key
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
+{
+ { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
+ 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+ { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
+ 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+ { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
+ 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA" Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+ 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
+ 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+ 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+ 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
+ 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
+{
+ { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
+ 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+ 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+ 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+ 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+ 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+ { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
+ 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+ 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+ 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+ 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+ 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+ { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
+ 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+ 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+ 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+ 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+ 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
+{
+ { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
+ 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+ 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+ 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+ 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+ 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+ { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
+ 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+ 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+ 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+ 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+ 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+ { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
+ 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+ 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+ 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+ 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+ 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
+{
+ { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
+ 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+ 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+ 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+ 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+ 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+ { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
+ 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+ 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+ 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+ 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+ 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+ { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
+ 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+ 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+ 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+ 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+ 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_ASSERT(cond) \
+ do { \
+ if (cond) { \
+ if (verbose) \
+ mbedtls_printf("failed\n"); \
+ goto exit; \
+ } else { \
+ if (verbose) \
+ mbedtls_printf("passed\n"); \
+ } \
+ } while (0)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test(int verbose)
+{
+ int i;
+ uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+ mbedtls_aria_context ctx;
+ int ret = 1;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+ size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+ defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+ uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+ mbedtls_aria_init(&ctx);
+
+ /*
+ * Test set 1
+ */
+ for (i = 0; i < 3; i++) {
+ /* test ECB encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+ mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
+ ARIA_SELF_TEST_ASSERT(
+ memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
+ != 0);
+
+ /* test ECB decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ mbedtls_printf("skipped\n");
+#endif
+ }
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+ mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
+ ARIA_SELF_TEST_ASSERT(
+ memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
+ != 0);
+#endif
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+
+ /*
+ * Test set 2
+ */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ for (i = 0; i < 3; i++) {
+ /* Test CBC encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0x55, sizeof(buf));
+ mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
+ != 0);
+
+ /* Test CBC decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0xAA, sizeof(buf));
+ mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+ aria_test2_cbc_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ for (i = 0; i < 3; i++) {
+ /* Test CFB encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0x55, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
+
+ /* Test CFB decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0xAA, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+ iv, aria_test2_cfb_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ for (i = 0; i < 3; i++) {
+ /* Test CTR encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
+ memset(buf, 0x55, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
+
+ /* Test CTR decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
+ memset(buf, 0xAA, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+ aria_test2_ctr_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+ ret = 0;
+
+exit:
+ mbedtls_aria_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
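Review bot: aria_sl() indexes the four 256-byte S-box tables with bytes of the cipher state (`sa[MBEDTLS_BYTE_0(*a)]` and the lines after it), and the file does not document that this makes memory accesses depend on secret data. That state is key-dependent in mbedtls_aria_crypt_ecb() and in the key schedule through aria_fo_xor()/aria_fe_xor(), so on targets where a data cache is shared with less-trusted code this is likely observable as a timing side channel. I would add to the aria_sl() header comment: `Note: the S-box lookups are indexed by secret data, so this implementation is not constant-time with respect to cache-timing observers.` Separately, the x86 guard `defined(__GNUC__) && defined(__i386__) || defined(__amd64__) || defined(__x86_64__)` presumably wants the three architecture tests parenthesised, `defined(__GNUC__) && (defined(__i386__) || defined(__amd64__) || defined(__x86_64__))`, because `&&` binds tighter than `||`. The `#endif` that follows aria_test2_ctr_ct is labelled `MBEDTLS_CIPHER_MODE_CFB` although it closes the `MBEDTLS_CIPHER_MODE_CTR` block.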
diff --git a/tf-psa-crypto/drivers/builtin/src/asn1parse.c b/tf-psa-crypto/drivers/builtin/src/asn1parse.c
new file mode 100644
index 0000000..e33fdf7
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/asn1parse.c
@@ -0,0 +1,468 @@
+/*
+ * Generic ASN.1 parsing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * ASN.1 DER decoding routines
+ */
+int mbedtls_asn1_get_len(unsigned char **p,
+ const unsigned char *end,
+ size_t *len)
+{
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ if ((**p & 0x80) == 0) {
+ *len = *(*p)++;
+ } else {
+ int n = (**p) & 0x7F;
+ if (n == 0 || n > 4) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ if ((end - *p) <= n) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+ *len = 0;
+ (*p)++;
+ while (n--) {
+ *len = (*len << 8) | **p;
+ (*p)++;
+ }
+ }
+
+ if (*len > (size_t) (end - *p)) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_tag(unsigned char **p,
+ const unsigned char *end,
+ size_t *len, int tag)
+{
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ if (**p != tag) {
+ return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
+ }
+
+ (*p)++;
+
+ return mbedtls_asn1_get_len(p, end, len);
+}
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+int mbedtls_asn1_get_bool(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_BOOLEAN)) != 0) {
+ return ret;
+ }
+
+ if (len != 1) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ *val = (**p != 0) ? 1 : 0;
+ (*p)++;
+
+ return 0;
+}
+
+static int asn1_get_tagged_int(unsigned char **p,
+ const unsigned char *end,
+ int tag, int *val)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, tag)) != 0) {
+ return ret;
+ }
+
+ /*
+ * len==0 is malformed (0 must be represented as 020100 for INTEGER,
+ * or 0A0100 for ENUMERATED tags
+ */
+ if (len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ /* This is a cryptography library. Reject negative integers. */
+ if ((**p & 0x80) != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ /* Skip leading zeros. */
+ while (len > 0 && **p == 0) {
+ ++(*p);
+ --len;
+ }
+
+ /* Reject integers that don't fit in an int. This code assumes that
+ * the int type has no padding bit. */
+ if (len > sizeof(int)) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ if (len == sizeof(int) && (**p & 0x80) != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ *val = 0;
+ while (len-- > 0) {
+ *val = (*val << 8) | **p;
+ (*p)++;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_int(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_INTEGER, val);
+}
+
+int mbedtls_asn1_get_enum(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_ENUMERATED, val);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_get_mpi(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_mpi *X)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_mpi_read_binary(X, *p, len);
+
+ *p += len;
+
+ return ret;
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
+ mbedtls_asn1_bitstring *bs)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Certificate type is a single byte bitstring */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
+ return ret;
+ }
+
+ /* Check length, subtract one for actual bit string length */
+ if (bs->len < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+ bs->len -= 1;
+
+ /* Get number of unused bits, ensure unused bits <= 7 */
+ bs->unused_bits = **p;
+ if (bs->unused_bits > 7) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ (*p)++;
+
+ /* Get actual bitstring */
+ bs->p = *p;
+ *p += bs->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+/*
+ * Traverse an ASN.1 "SEQUENCE OF <tag>"
+ * and call a callback for each entry found.
+ */
+int mbedtls_asn1_traverse_sequence_of(
+ unsigned char **p,
+ const unsigned char *end,
+ unsigned char tag_must_mask, unsigned char tag_must_val,
+ unsigned char tag_may_mask, unsigned char tag_may_val,
+ int (*cb)(void *ctx, int tag,
+ unsigned char *start, size_t len),
+ void *ctx)
+{
+ int ret;
+ size_t len;
+
+ /* Get main sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ while (*p < end) {
+ unsigned char const tag = *(*p)++;
+
+ if ((tag & tag_must_mask) != tag_must_val) {
+ return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
+ }
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0) {
+ return ret;
+ }
+
+ if ((tag & tag_may_mask) == tag_may_val) {
+ if (cb != NULL) {
+ ret = cb(ctx, tag, *p, len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ }
+
+ *p += len;
+ }
+
+ return 0;
+}
+
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
+ size_t *len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
+ return ret;
+ }
+
+ if (*len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ --(*len);
+
+ if (**p != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ ++(*p);
+
+ return 0;
+}
+
+void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq)
+{
+ while (seq != NULL) {
+ mbedtls_asn1_sequence *next = seq->next;
+ mbedtls_free(seq);
+ seq = next;
+ }
+}
+
+typedef struct {
+ int tag;
+ mbedtls_asn1_sequence *cur;
+} asn1_get_sequence_of_cb_ctx_t;
+
+static int asn1_get_sequence_of_cb(void *ctx,
+ int tag,
+ unsigned char *start,
+ size_t len)
+{
+ asn1_get_sequence_of_cb_ctx_t *cb_ctx =
+ (asn1_get_sequence_of_cb_ctx_t *) ctx;
+ mbedtls_asn1_sequence *cur =
+ cb_ctx->cur;
+
+ if (cur->buf.p != NULL) {
+ cur->next =
+ mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+
+ cur = cur->next;
+ }
+
+ cur->buf.p = start;
+ cur->buf.len = len;
+ cur->buf.tag = tag;
+
+ cb_ctx->cur = cur;
+ return 0;
+}
+
+/*
+ * Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ */
+int mbedtls_asn1_get_sequence_of(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_sequence *cur,
+ int tag)
+{
+ asn1_get_sequence_of_cb_ctx_t cb_ctx = { tag, cur };
+ memset(cur, 0, sizeof(mbedtls_asn1_sequence));
+ return mbedtls_asn1_traverse_sequence_of(
+ p, end, 0xFF, tag, 0, 0,
+ asn1_get_sequence_of_cb, &cb_ctx);
+}
+
+int mbedtls_asn1_get_alg(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ alg->tag = **p;
+ end = *p + len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &alg->len, MBEDTLS_ASN1_OID)) != 0) {
+ return ret;
+ }
+
+ alg->p = *p;
+ *p += alg->len;
+
+ if (*p == end) {
+ mbedtls_platform_zeroize(params, sizeof(mbedtls_asn1_buf));
+ return 0;
+ }
+
+ params->tag = **p;
+ (*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &params->len)) != 0) {
+ return ret;
+ }
+
+ params->p = *p;
+ *p += params->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_alg_null(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf params;
+
+ memset(&params, 0, sizeof(mbedtls_asn1_buf));
+
+ if ((ret = mbedtls_asn1_get_alg(p, end, alg, &params)) != 0) {
+ return ret;
+ }
+
+ if ((params.tag != MBEDTLS_ASN1_NULL && params.tag != 0) || params.len != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *cur)
+{
+ if (cur == NULL) {
+ return;
+ }
+
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur->val.p);
+
+ mbedtls_platform_zeroize(cur, sizeof(mbedtls_asn1_named_data));
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head)
+{
+ mbedtls_asn1_named_data *cur;
+
+ while ((cur = *head) != NULL) {
+ *head = cur->next;
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur->val.p);
+ mbedtls_free(cur);
+ }
+}
+
+void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name)
+{
+ for (mbedtls_asn1_named_data *next; name != NULL; name = next) {
+ next = name->next;
+ mbedtls_free(name);
+ }
+}
+
+const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
+ const char *oid, size_t len)
+{
+ while (list != NULL) {
+ if (list->oid.len == len &&
+ memcmp(list->oid.p, oid, len) == 0) {
+ break;
+ }
+
+ list = list->next;
+ }
+
+ return list;
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
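Review bot: `mbedtls_asn1_get_len` sits under the comment "ASN.1 DER decoding routines", but its long-form branch only checks `n == 0 || n > 4` and never rejects non-minimal encodings. A length below 0x80 written in long form, or one with leading zero octets, is therefore accepted. `mbedtls_asn1_get_bool` is similarly lenient: `(**p != 0) ? 1 : 0` maps any non-zero content octet to 1, where DER allows only 0xFF for TRUE. Callers that depend on a unique encoding, for instance when comparing or re-hashing parsed structures, need to know this. If the leniency is intentional, I would state it above the function, e.g. `/* Accepts BER-style non-minimal lengths; callers that need strict DER must enforce canonical form themselves. */`.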
diff --git a/tf-psa-crypto/drivers/builtin/src/asn1write.c b/tf-psa-crypto/drivers/builtin/src/asn1write.c
new file mode 100644
index 0000000..775a9ef
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/asn1write.c
@@ -0,0 +1,437 @@
+/*
+ * ASN.1 buffer writing functionality
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, size_t len)
+{
+#if SIZE_MAX > 0xFFFFFFFF
+ if (len > 0xFFFFFFFF) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+#endif
+
+ int required = 1;
+
+ if (len >= 0x80) {
+ for (size_t l = len; l != 0; l >>= 8) {
+ required++;
+ }
+ }
+
+ if (required > (*p - start)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ do {
+ *--(*p) = MBEDTLS_BYTE_0(len);
+ len >>= 8;
+ } while (len);
+
+ if (required > 1) {
+ *--(*p) = (unsigned char) (0x80 + required - 1);
+ }
+
+ return required;
+}
+
+int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag)
+{
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = tag;
+
+ return 1;
+}
+#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+static int mbedtls_asn1_write_len_and_tag(unsigned char **p,
+ const unsigned char *start,
+ size_t len,
+ unsigned char tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, tag));
+
+ return (int) len;
+}
+
+int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size)
+{
+ size_t len = 0;
+
+ if (*p < start || (size_t) (*p - start) < size) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ len = size;
+ (*p) -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start, const mbedtls_mpi *X)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ // Write the MPI
+ //
+ len = mbedtls_mpi_size(X);
+
+ /* DER represents 0 with a sign bit (0=nonnegative) and 7 value bits, not
+ * as 0 digits. We need to end up with 020100, not with 0200. */
+ if (len == 0) {
+ len = 1;
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ (*p) -= len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(X, *p, len));
+
+ // DER format assumes 2s complement for numbers, so the leftmost bit
+ // should be 0 for positive numbers and 1 for negative numbers.
+ //
+ if (X->s == 1 && **p & 0x80) {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = 0x00;
+ len += 1;
+ }
+
+ ret = mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_INTEGER);
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start)
+{
+ // Write NULL
+ //
+ return mbedtls_asn1_write_len_and_tag(p, start, 0, MBEDTLS_ASN1_NULL);
+}
+
+int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) oid, oid_len));
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OID);
+}
+
+int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len)
+{
+ return mbedtls_asn1_write_algorithm_identifier_ext(p, start, oid, oid_len, par_len, 1);
+}
+
+int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len, int has_par)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ if (has_par) {
+ if (par_len == 0) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_null(p, start));
+ } else {
+ len += par_len;
+ }
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+}
+
+int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start, int boolean)
+{
+ size_t len = 0;
+
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = (boolean) ? 255 : 0;
+ len++;
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BOOLEAN);
+}
+
+static int asn1_write_tagged_int(unsigned char **p, const unsigned char *start, int val, int tag)
+{
+ size_t len = 0;
+
+ do {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ len += 1;
+ *--(*p) = val & 0xff;
+ val >>= 8;
+ } while (val > 0);
+
+ if (**p & 0x80) {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ *--(*p) = 0x00;
+ len += 1;
+ }
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
+}
+
+int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val)
+{
+ return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_INTEGER);
+}
+
+int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val)
+{
+ return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_ENUMERATED);
+}
+
+int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start, int tag,
+ const char *text, size_t text_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) text,
+ text_len));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
+}
+
+int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len);
+}
+
+int mbedtls_asn1_write_printable_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text,
+ text_len);
+}
+
+int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len);
+}
+
+int mbedtls_asn1_write_named_bitstring(unsigned char **p,
+ const unsigned char *start,
+ const unsigned char *buf,
+ size_t bits)
+{
+ size_t unused_bits, byte_len;
+ const unsigned char *cur_byte;
+ unsigned char cur_byte_shifted;
+ unsigned char bit;
+
+ byte_len = (bits + 7) / 8;
+ unused_bits = (byte_len * 8) - bits;
+
+ /*
+ * Named bitstrings require that trailing 0s are excluded in the encoding
+ * of the bitstring. Trailing 0s are considered part of the 'unused' bits
+ * when encoding this value in the first content octet
+ */
+ if (bits != 0) {
+ cur_byte = buf + byte_len - 1;
+ cur_byte_shifted = *cur_byte >> unused_bits;
+
+ for (;;) {
+ bit = cur_byte_shifted & 0x1;
+ cur_byte_shifted >>= 1;
+
+ if (bit != 0) {
+ break;
+ }
+
+ bits--;
+ if (bits == 0) {
+ break;
+ }
+
+ if (bits % 8 == 0) {
+ cur_byte_shifted = *--cur_byte;
+ }
+ }
+ }
+
+ return mbedtls_asn1_write_bitstring(p, start, buf, bits);
+}
+
+int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t bits)
+{
+ size_t len = 0;
+ size_t unused_bits, byte_len;
+
+ byte_len = (bits + 7) / 8;
+ unused_bits = (byte_len * 8) - bits;
+
+ if (*p < start || (size_t) (*p - start) < byte_len + 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ len = byte_len + 1;
+
+ /* Write the bitstring. Ensure the unused bits are zeroed */
+ if (byte_len > 0) {
+ byte_len--;
+ *--(*p) = buf[byte_len] & ~((0x1 << unused_bits) - 1);
+ (*p) -= byte_len;
+ memcpy(*p, buf, byte_len);
+ }
+
+ /* Write unused bits */
+ *--(*p) = (unsigned char) unused_bits;
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BIT_STRING);
+}
+
+int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, buf, size));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OCTET_STRING);
+}
+
+
+#if !defined(MBEDTLS_ASN1_PARSE_C)
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+ mbedtls_asn1_named_data *list,
+ const char *oid, size_t len)
+{
+ while (list != NULL) {
+ if (list->oid.len == len &&
+ memcmp(list->oid.p, oid, len) == 0) {
+ break;
+ }
+
+ list = list->next;
+ }
+
+ return list;
+}
+#else
+#define asn1_find_named_data(list, oid, len) \
+ ((mbedtls_asn1_named_data *) mbedtls_asn1_find_named_data(list, oid, len))
+#endif
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+ mbedtls_asn1_named_data **head,
+ const char *oid, size_t oid_len,
+ const unsigned char *val,
+ size_t val_len)
+{
+ mbedtls_asn1_named_data *cur;
+
+ if ((cur = asn1_find_named_data(*head, oid, oid_len)) == NULL) {
+ // Add new entry if not present yet based on OID
+ //
+ cur = (mbedtls_asn1_named_data *) mbedtls_calloc(1,
+ sizeof(mbedtls_asn1_named_data));
+ if (cur == NULL) {
+ return NULL;
+ }
+
+ cur->oid.len = oid_len;
+ cur->oid.p = mbedtls_calloc(1, oid_len);
+ if (cur->oid.p == NULL) {
+ mbedtls_free(cur);
+ return NULL;
+ }
+
+ memcpy(cur->oid.p, oid, oid_len);
+
+ cur->val.len = val_len;
+ if (val_len != 0) {
+ cur->val.p = mbedtls_calloc(1, val_len);
+ if (cur->val.p == NULL) {
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur);
+ return NULL;
+ }
+ }
+
+ cur->next = *head;
+ *head = cur;
+ } else if (val_len == 0) {
+ mbedtls_free(cur->val.p);
+ cur->val.p = NULL;
+ } else if (cur->val.len != val_len) {
+ /*
+ * Enlarge existing value buffer if needed
+ * Preserve old data until the allocation succeeded, to leave list in
+ * a consistent state in case allocation fails.
+ */
+ void *p = mbedtls_calloc(1, val_len);
+ if (p == NULL) {
+ return NULL;
+ }
+
+ mbedtls_free(cur->val.p);
+ cur->val.p = p;
+ cur->val.len = val_len;
+ }
+
+ if (val != NULL && val_len != 0) {
+ memcpy(cur->val.p, val, val_len);
+ }
+
+ return cur;
+}
+#endif /* MBEDTLS_ASN1_WRITE_C */
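Review bot: In `mbedtls_asn1_store_named_data`, the `else if (val_len == 0)` branch for an already-present OID frees `cur->val.p` and sets it to NULL but leaves `cur->val.len` at its old value. The node is then returned with a NULL pointer and a non-zero length. Any later consumer that trusts `val.len`, for example by copying or serialising `val.len` bytes from `val.p`, would read through NULL. Adding `cur->val.len = 0;` directly after `cur->val.p = NULL;` keeps the pair consistent, matching what the new-entry path does via `cur->val.len = val_len`.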
diff --git a/tf-psa-crypto/drivers/builtin/src/base64.c b/tf-psa-crypto/drivers/builtin/src/base64.c
new file mode 100644
index 0000000..9677dee
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/base64.c
@@ -0,0 +1,299 @@
+/*
+ * RFC 1521 base64 encoding/decoding
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <limits.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BASE64_C)
+
+#include "mbedtls/base64.h"
+#include "base64_internal.h"
+#include "constant_time_internal.h"
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include <string.h>
+#include "mbedtls/platform.h"
+#endif /* MBEDTLS_SELF_TEST */
+
+MBEDTLS_STATIC_TESTABLE
+unsigned char mbedtls_ct_base64_enc_char(unsigned char value)
+{
+ unsigned char digit = 0;
+ /* For each range of values, if value is in that range, mask digit with
+ * the corresponding value. Since value can only be in a single range,
+ * only at most one masking will change digit. */
+ digit |= mbedtls_ct_uchar_in_range_if(0, 25, value, 'A' + value);
+ digit |= mbedtls_ct_uchar_in_range_if(26, 51, value, 'a' + value - 26);
+ digit |= mbedtls_ct_uchar_in_range_if(52, 61, value, '0' + value - 52);
+ digit |= mbedtls_ct_uchar_in_range_if(62, 62, value, '+');
+ digit |= mbedtls_ct_uchar_in_range_if(63, 63, value, '/');
+ return digit;
+}
+
+MBEDTLS_STATIC_TESTABLE
+signed char mbedtls_ct_base64_dec_value(unsigned char c)
+{
+ unsigned char val = 0;
+ /* For each range of digits, if c is in that range, mask val with
+ * the corresponding value. Since c can only be in a single range,
+ * only at most one masking will change val. Set val to one plus
+ * the desired value so that it stays 0 if c is in none of the ranges. */
+ val |= mbedtls_ct_uchar_in_range_if('A', 'Z', c, c - 'A' + 0 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('a', 'z', c, c - 'a' + 26 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('0', '9', c, c - '0' + 52 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('+', '+', c, c - '+' + 62 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('/', '/', c, c - '/' + 63 + 1);
+ /* At this point, val is 0 if c is an invalid digit and v+1 if c is
+ * a digit with the value v. */
+ return val - 1;
+}
+
+/*
+ * Encode a buffer into base64 format
+ */
+int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen)
+{
+ size_t i, n;
+ int C1, C2, C3;
+ unsigned char *p;
+
+ if (slen == 0) {
+ *olen = 0;
+ return 0;
+ }
+
+ n = slen / 3 + (slen % 3 != 0);
+
+ if (n > (SIZE_MAX - 1) / 4) {
+ *olen = SIZE_MAX;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ n *= 4;
+
+ if ((dlen < n + 1) || (NULL == dst)) {
+ *olen = n + 1;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ n = (slen / 3) * 3;
+
+ for (i = 0, p = dst; i < n; i += 3) {
+ C1 = *src++;
+ C2 = *src++;
+ C3 = *src++;
+
+ *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
+ & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C2 & 15) << 2) + (C3 >> 6))
+ & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char(C3 & 0x3F);
+ }
+
+ if (i < slen) {
+ C1 = *src++;
+ C2 = ((i + 1) < slen) ? *src++ : 0;
+
+ *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
+ & 0x3F);
+
+ if ((i + 1) < slen) {
+ *p++ = mbedtls_ct_base64_enc_char(((C2 & 15) << 2) & 0x3F);
+ } else {
+ *p++ = '=';
+ }
+
+ *p++ = '=';
+ }
+
+ *olen = (size_t) (p - dst);
+ *p = 0;
+
+ return 0;
+}
+
+/*
+ * Decode a base64-formatted buffer
+ */
+int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen)
+{
+ size_t i; /* index in source */
+ size_t n; /* number of digits or trailing = in source */
+ uint32_t x; /* value accumulator */
+ unsigned accumulated_digits = 0;
+ unsigned equals = 0;
+ int spaces_present = 0;
+ unsigned char *p;
+
+ /* First pass: check for validity and get output length */
+ for (i = n = 0; i < slen; i++) {
+ /* Skip spaces before checking for EOL */
+ spaces_present = 0;
+ while (i < slen && src[i] == ' ') {
+ ++i;
+ spaces_present = 1;
+ }
+
+ /* Spaces at end of buffer are OK */
+ if (i == slen) {
+ break;
+ }
+
+ if ((slen - i) >= 2 &&
+ src[i] == '\r' && src[i + 1] == '\n') {
+ continue;
+ }
+
+ if (src[i] == '\n') {
+ continue;
+ }
+
+ /* Space inside a line is an error */
+ if (spaces_present) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+
+ if (src[i] > 127) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+
+ if (src[i] == '=') {
+ if (++equals > 2) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ } else {
+ if (equals != 0) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ if (mbedtls_ct_base64_dec_value(src[i]) < 0) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ }
+ n++;
+ }
+
+ if (n == 0) {
+ *olen = 0;
+ return 0;
+ }
+
+ /* The following expression is to calculate the following formula without
+ * risk of integer overflow in n:
+ * n = ( ( n * 6 ) + 7 ) >> 3;
+ */
+ n = (6 * (n >> 3)) + ((6 * (n & 0x7) + 7) >> 3);
+ n -= equals;
+
+ if (dst == NULL || dlen < n) {
+ *olen = n;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ equals = 0;
+ for (x = 0, p = dst; i > 0; i--, src++) {
+ if (*src == '\r' || *src == '\n' || *src == ' ') {
+ continue;
+ }
+
+ x = x << 6;
+ if (*src == '=') {
+ ++equals;
+ } else {
+ x |= mbedtls_ct_base64_dec_value(*src);
+ }
+
+ if (++accumulated_digits == 4) {
+ accumulated_digits = 0;
+ *p++ = MBEDTLS_BYTE_2(x);
+ if (equals <= 1) {
+ *p++ = MBEDTLS_BYTE_1(x);
+ }
+ if (equals <= 0) {
+ *p++ = MBEDTLS_BYTE_0(x);
+ }
+ }
+ }
+
+ *olen = (size_t) (p - dst);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char base64_test_dec[64] =
+{
+ 0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
+ 0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
+ 0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
+ 0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
+ 0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
+ 0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
+ 0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
+ 0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
+};
+
+static const unsigned char base64_test_enc[] =
+ "JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
+ "swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
+
+/*
+ * Checkup routine
+ */
+int mbedtls_base64_self_test(int verbose)
+{
+ size_t len;
+ const unsigned char *src;
+ unsigned char buffer[128];
+
+ if (verbose != 0) {
+ mbedtls_printf(" Base64 encoding test: ");
+ }
+
+ src = base64_test_dec;
+
+ if (mbedtls_base64_encode(buffer, sizeof(buffer), &len, src, 64) != 0 ||
+ memcmp(base64_test_enc, buffer, 88) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n Base64 decoding test: ");
+ }
+
+ src = base64_test_enc;
+
+ if (mbedtls_base64_decode(buffer, sizeof(buffer), &len, src, 88) != 0 ||
+ memcmp(base64_test_dec, buffer, 64) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BASE64_C */
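Review bot: The first pass of `mbedtls_base64_decode` counts digits and `=` characters in `n` but never checks that the total is a multiple of 4, so truncated or under-padded input is accepted. For a lone `A`, validation passes, the second loop never reaches `accumulated_digits == 4`, and the function returns 0 with `*olen == 0`, silently dropping the trailing digit. If callers do not rely on this leniency, I would reject it right after the `n == 0` early return, before `n` is recomputed, with `if ((n & 3) != 0) return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;`. Otherwise the accepted grammar should be documented above the function so that users who verify or compare encoded data do not assume a canonical form.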
diff --git a/tf-psa-crypto/drivers/builtin/src/base64_internal.h b/tf-psa-crypto/drivers/builtin/src/base64_internal.h
new file mode 100644
index 0000000..a09bd23
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/base64_internal.h
@@ -0,0 +1,45 @@
+/**
+ * \file base64_internal.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding: interfaces for invasive testing
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BASE64_INTERNAL
+#define MBEDTLS_BASE64_INTERNAL
+
+#include "common.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+/** Given a value in the range 0..63, return the corresponding Base64 digit.
+ *
+ * The implementation assumes that letters are consecutive (e.g. ASCII
+ * but not EBCDIC).
+ *
+ * \param value A value in the range 0..63.
+ *
+ * \return A base64 digit converted from \p value.
+ */
+unsigned char mbedtls_ct_base64_enc_char(unsigned char value);
+
+/** Given a Base64 digit, return its value.
+ *
+ * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'),
+ * return -1.
+ *
+ * The implementation assumes that letters are consecutive (e.g. ASCII
+ * but not EBCDIC).
+ *
+ * \param c A base64 digit.
+ *
+ * \return The value of the base64 digit \p c.
+ */
+signed char mbedtls_ct_base64_dec_value(unsigned char c);
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_BASE64_INTERNAL */
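Review bot: The Doxygen tags for `mbedtls_ct_base64_dec_value` describe `c` as "A base64 digit" and the `\return` line covers only the valid case, although the paragraph above says -1 is returned for any other byte. I would make the tags agree with it, e.g. `\param c Any byte value.` and `\return The value of the base64 digit \p c, or -1 if \p c is not a base64 digit.` It may also be worth stating that both helpers are meant to run without data-dependent branches or table lookups, as the `mbedtls_ct_` prefix and the range-mask implementation in base64.c suggest. That is presumably the property the invasive tests exercise.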
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum.c b/tf-psa-crypto/drivers/builtin/src/bignum.c
new file mode 100644
index 0000000..c45fd5b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum.c
@@ -0,0 +1,2464 @@
+/*
+ * Multi-precision integer library
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this Multi-precision
+ * Integer library:
+ *
+ * [1] Handbook of Applied Cryptography - 1997
+ * Menezes, van Oorschot and Vanstone
+ *
+ * [2] Multi-Precision Math
+ * Tom St Denis
+ * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
+ *
+ * [3] GNU Multi-Precision Arithmetic Library
+ * https://gmplib.org/manual/index.html
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include "mbedtls/bignum.h"
+#include "bignum_core.h"
+#include "bn_mul.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "constant_time_internal.h"
+
+#include <limits.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+
+
+/*
+ * Conditionally select an MPI sign in constant time.
+ * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid
+ * values.)
+ */
+static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,
+ signed short sign1, signed short sign2)
+{
+ return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
+ const mbedtls_mpi *Y,
+ unsigned *ret)
+{
+ mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
+
+ if (X->n != Y->n) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
+ * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+ */
+ X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
+ Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
+
+ /*
+ * If the signs are different, then the positive operand is the bigger.
+ * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+ * is false if X is positive (X_is_negative == 0).
+ */
+ different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
+ result = mbedtls_ct_bool_and(different_sign, X_is_negative);
+
+ /*
+ * Assuming signs are the same, compare X and Y. We switch the comparison
+ * order if they are negative so that we get the right result, regardles of
+ * sign.
+ */
+
+ /* This array is used to conditionally swap the pointers in const time */
+ void * const p[2] = { X->p, Y->p };
+ size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
+ mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
+
+ /*
+ * Store in result iff the signs are the same (i.e., iff different_sign == false). If
+ * the signs differ, result has already been set, so we don't change it.
+ */
+ result = mbedtls_ct_bool_or(result,
+ mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
+
+ *ret = mbedtls_ct_uint_if_else_0(result, 1);
+
+ return 0;
+}
+
+/*
+ * Conditionally assign X = Y, without leaking information
+ * about whether the assignment was made or not.
+ * (Leaking information about the respective sizes of X and Y is ok however.)
+ */
+#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
+ (_MSC_FULL_VER < 193131103)
+/*
+ * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
+ * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
+ */
+__declspec(noinline)
+#endif
+int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
+ const mbedtls_mpi *Y,
+ unsigned char assign)
+{
+ int ret = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
+
+ {
+ mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
+
+ X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);
+
+ mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
+
+ mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
+ for (size_t i = Y->n; i < X->n; i++) {
+ X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which would lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ unsigned char swap)
+{
+ int ret = 0;
+ int s;
+
+ if (X == Y) {
+ return 0;
+ }
+
+ mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
+
+ s = X->s;
+ X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);
+ Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);
+
+ mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
+
+cleanup:
+ return ret;
+}
+
+/* Implementation that should never be optimized out by the compiler */
+#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
+
+/*
+ * Initialize one MPI
+ */
+void mbedtls_mpi_init(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 0;
+ X->p = NULL;
+}
+
+/*
+ * Unallocate one MPI
+ */
+void mbedtls_mpi_free(mbedtls_mpi *X)
+{
+ if (X == NULL) {
+ return;
+ }
+
+ if (X->p != NULL) {
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ X->s = 1;
+ X->n = 0;
+ X->p = NULL;
+}
+
+/*
+ * Enlarge to the specified number of limbs
+ */
+int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
+{
+ mbedtls_mpi_uint *p;
+
+ if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->n < nblimbs) {
+ if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->p != NULL) {
+ memcpy(p, X->p, X->n * ciL);
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ /* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
+ * fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
+ X->n = (unsigned short) nblimbs;
+ X->p = p;
+ }
+
+ return 0;
+}
+
+/*
+ * Resize down as much as possible,
+ * while keeping at least the specified number of limbs
+ */
+int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
+{
+ mbedtls_mpi_uint *p;
+ size_t i;
+
+ if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ /* Actually resize up if there are currently fewer than nblimbs limbs. */
+ if (X->n <= nblimbs) {
+ return mbedtls_mpi_grow(X, nblimbs);
+ }
+ /* After this point, then X->n > nblimbs and in particular X->n > 0. */
+
+ for (i = X->n - 1; i > 0; i--) {
+ if (X->p[i] != 0) {
+ break;
+ }
+ }
+ i++;
+
+ if (i < nblimbs) {
+ i = nblimbs;
+ }
+
+ if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->p != NULL) {
+ memcpy(p, X->p, i * ciL);
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ /* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
+ * fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
+ X->n = (unsigned short) i;
+ X->p = p;
+
+ return 0;
+}
+
+/* Resize X to have exactly n limbs and set it to 0. */
+static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
+{
+ if (limbs == 0) {
+ mbedtls_mpi_free(X);
+ return 0;
+ } else if (X->n == limbs) {
+ memset(X->p, 0, limbs * ciL);
+ X->s = 1;
+ return 0;
+ } else {
+ mbedtls_mpi_free(X);
+ return mbedtls_mpi_grow(X, limbs);
+ }
+}
+
+/*
+ * Copy the contents of Y into X.
+ *
+ * This function is not constant-time. Leading zeros in Y may be removed.
+ *
+ * Ensure that X does not shrink. This is not guaranteed by the public API,
+ * but some code in the bignum module might still rely on this property.
+ */
+int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ int ret = 0;
+ size_t i;
+
+ if (X == Y) {
+ return 0;
+ }
+
+ if (Y->n == 0) {
+ if (X->n != 0) {
+ X->s = 1;
+ memset(X->p, 0, X->n * ciL);
+ }
+ return 0;
+ }
+
+ for (i = Y->n - 1; i > 0; i--) {
+ if (Y->p[i] != 0) {
+ break;
+ }
+ }
+ i++;
+
+ X->s = Y->s;
+
+ if (X->n < i) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
+ } else {
+ memset(X->p + i, 0, (X->n - i) * ciL);
+ }
+
+ memcpy(X->p, Y->p, i * ciL);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Swap the contents of X and Y
+ */
+void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
+{
+ mbedtls_mpi T;
+
+ memcpy(&T, X, sizeof(mbedtls_mpi));
+ memcpy(X, Y, sizeof(mbedtls_mpi));
+ memcpy(Y, &T, sizeof(mbedtls_mpi));
+}
+
+static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
+{
+ if (z >= 0) {
+ return z;
+ }
+ /* Take care to handle the most negative value (-2^(biL-1)) correctly.
+ * A naive -z would have undefined behavior.
+ * Write this in a way that makes popular compilers happy (GCC, Clang,
+ * MSVC). */
+ return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
+}
+
+/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
+ * This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
+#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
+
+/*
+ * Set value from integer
+ */
+int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
+ memset(X->p, 0, X->n * ciL);
+
+ X->p[0] = mpi_sint_abs(z);
+ X->s = TO_SIGN(z);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Get a specific bit
+ */
+int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
+{
+ if (X->n * biL <= pos) {
+ return 0;
+ }
+
+ return (X->p[pos / biL] >> (pos % biL)) & 0x01;
+}
+
+/*
+ * Set a bit to a specific value of 0 or 1
+ */
+int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
+{
+ int ret = 0;
+ size_t off = pos / biL;
+ size_t idx = pos % biL;
+
+ if (val != 0 && val != 1) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (X->n * biL <= pos) {
+ if (val == 0) {
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
+ }
+
+ X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
+ X->p[off] |= (mbedtls_mpi_uint) val << idx;
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Return the number of less significant zero-bits
+ */
+size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
+{
+ size_t i;
+
+#if defined(__has_builtin)
+#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
+ #define mbedtls_mpi_uint_ctz __builtin_ctz
+#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
+ #define mbedtls_mpi_uint_ctz __builtin_ctzl
+#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
+ #define mbedtls_mpi_uint_ctz __builtin_ctzll
+#endif
+#endif
+
+#if defined(mbedtls_mpi_uint_ctz)
+ for (i = 0; i < X->n; i++) {
+ if (X->p[i] != 0) {
+ return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
+ }
+ }
+#else
+ size_t count = 0;
+ for (i = 0; i < X->n; i++) {
+ for (size_t j = 0; j < biL; j++, count++) {
+ if (((X->p[i] >> j) & 1) != 0) {
+ return count;
+ }
+ }
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Return the number of bits
+ */
+size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
+{
+ return mbedtls_mpi_core_bitlen(X->p, X->n);
+}
+
+/*
+ * Return the total size in bytes
+ */
+size_t mbedtls_mpi_size(const mbedtls_mpi *X)
+{
+ return (mbedtls_mpi_bitlen(X) + 7) >> 3;
+}
+
+/*
+ * Convert an ASCII character to digit value
+ */
+static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
+{
+ *d = 255;
+
+ if (c >= 0x30 && c <= 0x39) {
+ *d = c - 0x30;
+ }
+ if (c >= 0x41 && c <= 0x46) {
+ *d = c - 0x37;
+ }
+ if (c >= 0x61 && c <= 0x66) {
+ *d = c - 0x57;
+ }
+
+ if (*d >= (mbedtls_mpi_uint) radix) {
+ return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
+ }
+
+ return 0;
+}
+
+/*
+ * Import from an ASCII string
+ */
+int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, j, slen, n;
+ int sign = 1;
+ mbedtls_mpi_uint d;
+ mbedtls_mpi T;
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&T);
+
+ if (s[0] == 0) {
+ mbedtls_mpi_free(X);
+ return 0;
+ }
+
+ if (s[0] == '-') {
+ ++s;
+ sign = -1;
+ }
+
+ slen = strlen(s);
+
+ if (radix == 16) {
+ if (slen > SIZE_MAX >> 2) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ n = BITS_TO_LIMBS(slen << 2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ for (i = slen, j = 0; i > 0; i--, j++) {
+ MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
+ X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ for (i = 0; i < slen; i++) {
+ MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
+ }
+ }
+
+ if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
+ X->s = -1;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+}
+
+/*
+ * Helper to write the digits high-order first.
+ */
+static int mpi_write_hlp(mbedtls_mpi *X, int radix,
+ char **p, const size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint r;
+ size_t length = 0;
+ char *p_end = *p + buflen;
+
+ do {
+ if (length >= buflen) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
+ /*
+ * Write the residue in the current position, as an ASCII character.
+ */
+ if (r < 0xA) {
+ *(--p_end) = (char) ('0' + r);
+ } else {
+ *(--p_end) = (char) ('A' + (r - 0xA));
+ }
+
+ length++;
+ } while (mbedtls_mpi_cmp_int(X, 0) != 0);
+
+ memmove(*p, p_end, length);
+ *p += length;
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Export into an ASCII string
+ */
+int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
+ char *buf, size_t buflen, size_t *olen)
+{
+ int ret = 0;
+ size_t n;
+ char *p;
+ mbedtls_mpi T;
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
+ if (radix >= 4) {
+ n >>= 1; /* Number of 4-adic digits necessary to present
+ * `n`. If radix > 4, this might be a strict
+ * overapproximation of the number of
+ * radix-adic digits needed to present `n`. */
+ }
+ if (radix >= 16) {
+ n >>= 1; /* Number of hexadecimal digits necessary to
+ * present `n`. */
+
+ }
+ n += 1; /* Terminating null byte */
+ n += 1; /* Compensate for the divisions above, which round down `n`
+ * in case it's not even. */
+ n += 1; /* Potential '-'-sign. */
+ n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
+ * which always uses an even number of hex-digits. */
+
+ if (buflen < n) {
+ *olen = n;
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ p = buf;
+ mbedtls_mpi_init(&T);
+
+ if (X->s == -1) {
+ *p++ = '-';
+ buflen--;
+ }
+
+ if (radix == 16) {
+ int c;
+ size_t i, j, k;
+
+ for (i = X->n, k = 0; i > 0; i--) {
+ for (j = ciL; j > 0; j--) {
+ c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
+
+ if (c == 0 && k == 0 && (i + j) != 2) {
+ continue;
+ }
+
+ *(p++) = "0123456789ABCDEF" [c / 16];
+ *(p++) = "0123456789ABCDEF" [c % 16];
+ k = 1;
+ }
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
+
+ if (T.s == -1) {
+ T.s = 1;
+ }
+
+ MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
+ }
+
+ *p++ = '\0';
+ *olen = (size_t) (p - buf);
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Read X from an opened file
+ */
+int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)
+{
+ mbedtls_mpi_uint d;
+ size_t slen;
+ char *p;
+ /*
+ * Buffer should have space for (short) label and decimal formatted MPI,
+ * newline characters and '\0'
+ */
+ char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(s, 0, sizeof(s));
+ if (fgets(s, sizeof(s) - 1, fin) == NULL) {
+ return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
+ }
+
+ slen = strlen(s);
+ if (slen == sizeof(s) - 2) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ if (slen > 0 && s[slen - 1] == '\n') {
+ slen--; s[slen] = '\0';
+ }
+ if (slen > 0 && s[slen - 1] == '\r') {
+ slen--; s[slen] = '\0';
+ }
+
+ p = s + slen;
+ while (p-- > s) {
+ if (mpi_get_digit(&d, radix, *p) != 0) {
+ break;
+ }
+ }
+
+ return mbedtls_mpi_read_string(X, radix, p + 1);
+}
+
+/*
+ * Write X into an opened file (or stdout if fout == NULL)
+ */
+int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n, slen, plen;
+ /*
+ * Buffer should have space for (short) label and decimal formatted MPI,
+ * newline characters and '\0'
+ */
+ char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(s, 0, sizeof(s));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
+
+ if (p == NULL) {
+ p = "";
+ }
+
+ plen = strlen(p);
+ slen = strlen(s);
+ s[slen++] = '\r';
+ s[slen++] = '\n';
+
+ if (fout != NULL) {
+ if (fwrite(p, 1, plen, fout) != plen ||
+ fwrite(s, 1, slen, fout) != slen) {
+ return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
+ }
+ } else {
+ mbedtls_printf("%s%s", p, s);
+ }
+
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Import X from unsigned binary data, little endian
+ *
+ * This function is guaranteed to return an MPI with exactly the necessary
+ * number of limbs (in particular, it does not skip 0s in the input).
+ */
+int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
+ const unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(buflen);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
+
+cleanup:
+
+ /*
+ * This function is also used to import keys. However, wiping the buffers
+ * upon failure is not necessary because failure only can happen before any
+ * input is copied.
+ */
+ return ret;
+}
+
+/*
+ * Import X from unsigned binary data, big endian
+ *
+ * This function is guaranteed to return an MPI with exactly the necessary
+ * number of limbs (in particular, it does not skip 0s in the input).
+ */
+int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(buflen);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
+
+cleanup:
+
+ /*
+ * This function is also used to import keys. However, wiping the buffers
+ * upon failure is not necessary because failure only can happen before any
+ * input is copied.
+ */
+ return ret;
+}
+
+/*
+ * Export X into unsigned binary data, little endian
+ */
+int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
+}
+
+/*
+ * Export X into unsigned binary data, big endian
+ */
+int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
+}
+
+/*
+ * Left-shift: X <<= count
+ */
+int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+
+ i = mbedtls_mpi_bitlen(X) + count;
+
+ if (X->n * biL < i) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
+ }
+
+ ret = 0;
+
+ mbedtls_mpi_core_shift_l(X->p, X->n, count);
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Right-shift: X >>= count
+ */
+int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
+{
+ if (X->n != 0) {
+ mbedtls_mpi_core_shift_r(X->p, X->n, count);
+ }
+ return 0;
+}
+
+/*
+ * Compare unsigned values
+ */
+int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ size_t i, j;
+
+ for (i = X->n; i > 0; i--) {
+ if (X->p[i - 1] != 0) {
+ break;
+ }
+ }
+
+ for (j = Y->n; j > 0; j--) {
+ if (Y->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ /* If i == j == 0, i.e. abs(X) == abs(Y),
+ * we end up returning 0 at the end of the function. */
+
+ if (i > j) {
+ return 1;
+ }
+ if (j > i) {
+ return -1;
+ }
+
+ for (; i > 0; i--) {
+ if (X->p[i - 1] > Y->p[i - 1]) {
+ return 1;
+ }
+ if (X->p[i - 1] < Y->p[i - 1]) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ size_t i, j;
+
+ for (i = X->n; i > 0; i--) {
+ if (X->p[i - 1] != 0) {
+ break;
+ }
+ }
+
+ for (j = Y->n; j > 0; j--) {
+ if (Y->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ if (i == 0 && j == 0) {
+ return 0;
+ }
+
+ if (i > j) {
+ return X->s;
+ }
+ if (j > i) {
+ return -Y->s;
+ }
+
+ if (X->s > 0 && Y->s < 0) {
+ return 1;
+ }
+ if (Y->s > 0 && X->s < 0) {
+ return -1;
+ }
+
+ for (; i > 0; i--) {
+ if (X->p[i - 1] > Y->p[i - 1]) {
+ return X->s;
+ }
+ if (X->p[i - 1] < Y->p[i - 1]) {
+ return -X->s;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
+{
+ mbedtls_mpi Y;
+ mbedtls_mpi_uint p[1];
+
+ *p = mpi_sint_abs(z);
+ Y.s = TO_SIGN(z);
+ Y.n = 1;
+ Y.p = p;
+
+ return mbedtls_mpi_cmp_mpi(X, &Y);
+}
+
+/*
+ * Unsigned addition: X = |A| + |B| (HAC 14.7)
+ */
+int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t j;
+ mbedtls_mpi_uint *p;
+ mbedtls_mpi_uint c;
+
+ if (X == B) {
+ const mbedtls_mpi *T = A; A = X; B = T;
+ }
+
+ if (X != A) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+ }
+
+ /*
+ * X must always be positive as a result of unsigned additions.
+ */
+ X->s = 1;
+
+ for (j = B->n; j > 0; j--) {
+ if (B->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
+ * and B is 0 (of any size). */
+ if (j == 0) {
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
+
+ /* j is the number of non-zero limbs of B. Add those to X. */
+
+ p = X->p;
+
+ c = mbedtls_mpi_core_add(p, p, B->p, j);
+
+ p += j;
+
+ /* Now propagate any carry */
+
+ while (c != 0) {
+ if (j >= X->n) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
+ p = X->p + j;
+ }
+
+ *p += c; c = (*p < c); j++; p++;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
+ */
+int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ mbedtls_mpi_uint carry;
+
+ for (n = B->n; n > 0; n--) {
+ if (B->p[n - 1] != 0) {
+ break;
+ }
+ }
+ if (n > A->n) {
+ /* B >= (2^ciL)^n > A */
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
+
+ /* Set the high limbs of X to match A. Don't touch the lower limbs
+ * because X might be aliased to B, and we must not overwrite the
+ * significant digits of B. */
+ if (A->n > n && A != X) {
+ memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
+ }
+ if (X->n > A->n) {
+ memset(X->p + A->n, 0, (X->n - A->n) * ciL);
+ }
+
+ carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
+ if (carry != 0) {
+ /* Propagate the carry through the rest of X. */
+ carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
+
+ /* If we have further carry/borrow, the result is negative. */
+ if (carry != 0) {
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
+ }
+
+ /* X should always be positive as a result of unsigned subtractions. */
+ X->s = 1;
+
+cleanup:
+ return ret;
+}
+
+/* Common function for signed addition and subtraction.
+ * Calculate A + B * flip_B where flip_B is 1 or -1.
+ */
+static int add_sub_mpi(mbedtls_mpi *X,
+ const mbedtls_mpi *A, const mbedtls_mpi *B,
+ int flip_B)
+{
+ int ret, s;
+
+ s = A->s;
+ if (A->s * B->s * flip_B < 0) {
+ int cmp = mbedtls_mpi_cmp_abs(A, B);
+ if (cmp >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
+ /* If |A| = |B|, the result is 0 and we must set the sign bit
+ * to +1 regardless of which of A or B was negative. Otherwise,
+ * since |A| > |B|, the sign is the sign of A. */
+ X->s = cmp == 0 ? 1 : s;
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
+ /* Since |A| < |B|, the sign is the opposite of A. */
+ X->s = -s;
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
+ X->s = s;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ return add_sub_mpi(X, A, B, 1);
+}
+
+/*
+ * Signed subtraction: X = A - B
+ */
+int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ return add_sub_mpi(X, A, B, -1);
+}
+
+/*
+ * Signed addition: X = A + b
+ */
+int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_add_mpi(X, A, &B);
+}
+
+/*
+ * Signed subtraction: X = A - b
+ */
+int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_sub_mpi(X, A, &B);
+}
+
+/*
+ * Baseline multiplication: X = A * B (HAC 14.12)
+ */
+int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, j;
+ mbedtls_mpi TA, TB;
+ int result_is_zero = 0;
+
+ mbedtls_mpi_init(&TA);
+ mbedtls_mpi_init(&TB);
+
+ if (X == A) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
+ }
+ if (X == B) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
+ }
+
+ for (i = A->n; i > 0; i--) {
+ if (A->p[i - 1] != 0) {
+ break;
+ }
+ }
+ if (i == 0) {
+ result_is_zero = 1;
+ }
+
+ for (j = B->n; j > 0; j--) {
+ if (B->p[j - 1] != 0) {
+ break;
+ }
+ }
+ if (j == 0) {
+ result_is_zero = 1;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
+
+ /* If the result is 0, we don't shortcut the operation, which reduces
+ * but does not eliminate side channels leaking the zero-ness. We do
+ * need to take care to set the sign bit properly since the library does
+ * not fully support an MPI object with a value of 0 and s == -1. */
+ if (result_is_zero) {
+ X->s = 1;
+ } else {
+ X->s = A->s * B->s;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
+
+ return ret;
+}
+
+/*
+ * Baseline multiplication: X = A * b
+ */
+int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
+{
+ size_t n = A->n;
+ while (n > 0 && A->p[n - 1] == 0) {
+ --n;
+ }
+
+ /* The general method below doesn't work if b==0. */
+ if (b == 0 || n == 0) {
+ return mbedtls_mpi_lset(X, 0);
+ }
+
+ /* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* In general, A * b requires 1 limb more than b. If
+ * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
+ * number of limbs as A and the call to grow() is not required since
+ * copy() will take care of the growth if needed. However, experimentally,
+ * making the call to grow() unconditional causes slightly fewer
+ * calls to calloc() in ECP code, presumably because it reuses the
+ * same mpi for a while and this way the mpi is more likely to directly
+ * grow to its final size.
+ *
+ * Note that calculating A*b as 0 + A*b doesn't work as-is because
+ * A,X can be the same. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+ mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
+ */
+static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
+ mbedtls_mpi_uint u0,
+ mbedtls_mpi_uint d,
+ mbedtls_mpi_uint *r)
+{
+#if defined(MBEDTLS_HAVE_UDBL)
+ mbedtls_t_udbl dividend, quotient;
+#else
+ const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+ const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
+ mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+ mbedtls_mpi_uint u0_msw, u0_lsw;
+ size_t s;
+#endif
+
+ /*
+ * Check for overflow
+ */
+ if (0 == d || u1 >= d) {
+ if (r != NULL) {
+ *r = ~(mbedtls_mpi_uint) 0u;
+ }
+
+ return ~(mbedtls_mpi_uint) 0u;
+ }
+
+#if defined(MBEDTLS_HAVE_UDBL)
+ dividend = (mbedtls_t_udbl) u1 << biL;
+ dividend |= (mbedtls_t_udbl) u0;
+ quotient = dividend / d;
+ if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
+ quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
+ }
+
+ if (r != NULL) {
+ *r = (mbedtls_mpi_uint) (dividend - (quotient * d));
+ }
+
+ return (mbedtls_mpi_uint) quotient;
+#else
+
+ /*
+ * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+ * Vol. 2 - Seminumerical Algorithms, Knuth
+ */
+
+ /*
+ * Normalize the divisor, d, and dividend, u0, u1
+ */
+ s = mbedtls_mpi_core_clz(d);
+ d = d << s;
+
+ u1 = u1 << s;
+ u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
+ u0 = u0 << s;
+
+ d1 = d >> biH;
+ d0 = d & uint_halfword_mask;
+
+ u0_msw = u0 >> biH;
+ u0_lsw = u0 & uint_halfword_mask;
+
+ /*
+ * Find the first quotient and remainder
+ */
+ q1 = u1 / d1;
+ r0 = u1 - d1 * q1;
+
+ while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {
+ q1 -= 1;
+ r0 += d1;
+
+ if (r0 >= radix) {
+ break;
+ }
+ }
+
+ rAX = (u1 * radix) + (u0_msw - q1 * d);
+ q0 = rAX / d1;
+ r0 = rAX - q0 * d1;
+
+ while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {
+ q0 -= 1;
+ r0 += d1;
+
+ if (r0 >= radix) {
+ break;
+ }
+ }
+
+ if (r != NULL) {
+ *r = (rAX * radix + u0_lsw - q0 * d) >> s;
+ }
+
+ quotient = q1 * radix + q0;
+
+ return quotient;
+#endif
+}
+
+/*
+ * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
+ */
+int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, n, t, k;
+ mbedtls_mpi X, Y, Z, T1, T2;
+ mbedtls_mpi_uint TP2[3];
+
+ if (mbedtls_mpi_cmp_int(B, 0) == 0) {
+ return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
+ }
+
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
+ mbedtls_mpi_init(&T1);
+ /*
+ * Avoid dynamic memory allocations for constant-size T2.
+ *
+ * T2 is used for comparison only and the 3 limbs are assigned explicitly,
+ * so nobody increase the size of the MPI and we're safe to use an on-stack
+ * buffer.
+ */
+ T2.s = 1;
+ T2.n = sizeof(TP2) / sizeof(*TP2);
+ T2.p = TP2;
+
+ if (mbedtls_mpi_cmp_abs(A, B) < 0) {
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
+ }
+ if (R != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
+ }
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
+ X.s = Y.s = 1;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
+
+ k = mbedtls_mpi_bitlen(&Y) % biL;
+ if (k < biL - 1) {
+ k = biL - 1 - k;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
+ } else {
+ k = 0;
+ }
+
+ n = X.n - 1;
+ t = Y.n - 1;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
+
+ while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
+ Z.p[n - t]++;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
+
+ for (i = n; i > t; i--) {
+ if (X.p[i] >= Y.p[t]) {
+ Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
+ } else {
+ Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
+ Y.p[t], NULL);
+ }
+
+ T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
+ T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
+ T2.p[2] = X.p[i];
+
+ Z.p[i - t - 1]++;
+ do {
+ Z.p[i - t - 1]--;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
+ T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
+ T1.p[1] = Y.p[t];
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
+ } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
+
+ if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
+ Z.p[i - t - 1]--;
+ }
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
+ Q->s = A->s * B->s;
+ }
+
+ if (R != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
+ X.s = A->s;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
+
+ if (mbedtls_mpi_cmp_int(R, 0) == 0) {
+ R->s = 1;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
+ mbedtls_mpi_free(&T1);
+ mbedtls_platform_zeroize(TP2, sizeof(TP2));
+
+ return ret;
+}
+
+/*
+ * Division by int: A = Q * b + R
+ */
+int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_div_mpi(Q, R, A, &B);
+}
+
+/*
+ * Modulo: R = A mod B
+ */
+int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (mbedtls_mpi_cmp_int(B, 0) < 0) {
+ return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
+
+ while (mbedtls_mpi_cmp_int(R, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Modulo: r = A mod b
+ */
+int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ size_t i;
+ mbedtls_mpi_uint x, y, z;
+
+ if (b == 0) {
+ return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
+ }
+
+ if (b < 0) {
+ return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ }
+
+ /*
+ * handle trivial cases
+ */
+ if (b == 1 || A->n == 0) {
+ *r = 0;
+ return 0;
+ }
+
+ if (b == 2) {
+ *r = A->p[0] & 1;
+ return 0;
+ }
+
+ /*
+ * general case
+ */
+ for (i = A->n, y = 0; i > 0; i--) {
+ x = A->p[i - 1];
+ y = (y << biH) | (x >> biH);
+ z = y / b;
+ y -= z * b;
+
+ x <<= biH;
+ y = (y << biH) | (x >> biH);
+ z = y / b;
+ y -= z * b;
+ }
+
+ /*
+ * If A is negative, then the current y represents a negative value.
+ * Flipping it to the positive side.
+ */
+ if (A->s < 0 && y != 0) {
+ y = b - y;
+ }
+
+ *r = y;
+
+ return 0;
+}
+
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(E, 0) < 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
+ mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Ensure that the exponent that we are passing to the core is not NULL.
+ */
+ if (E->n == 0) {
+ ret = mbedtls_mpi_lset(X, 1);
+ return ret;
+ }
+
+ /*
+ * Allocate working memory for mbedtls_mpi_core_exp_mod()
+ */
+ size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
+ mbedtls_mpi_uint *T = (mbedtls_mpi_uint *) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
+ if (T == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi RR;
+ mbedtls_mpi_init(&RR);
+
+ /*
+ * If 1st call, pre-compute R^2 mod N
+ */
+ if (prec_RR == NULL || prec_RR->p == NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+
+ if (prec_RR != NULL) {
+ *prec_RR = RR;
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
+ RR = *prec_RR;
+ }
+
+ /*
+ * To preserve constness we need to make a copy of A. Using X for this to
+ * save memory.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+
+ /*
+ * Compensate for negative A (and correct at the end).
+ */
+ X->s = 1;
+
+ /*
+ * Make sure that X is in a form that is safe for consumption by
+ * the core functions.
+ *
+ * - The core functions will not touch the limbs of X above N->n. The
+ * result will be correct if those limbs are 0, which the mod call
+ * ensures.
+ * - Also, X must have at least as many limbs as N for the calls to the
+ * core functions.
+ */
+ if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
+
+ /*
+ * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
+ */
+ {
+ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
+ mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+ mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
+ }
+
+ /*
+ * Correct for negative A.
+ */
+ if (A->s == -1 && (E->p[0] & 1) != 0) {
+ mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);
+ X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
+ }
+
+cleanup:
+
+ mbedtls_mpi_zeroize_and_free(T, T_limbs);
+
+ if (prec_RR == NULL || prec_RR->p == NULL) {
+ mbedtls_mpi_free(&RR);
+ }
+
+ return ret;
+}
+
+/*
+ * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
+ */
+int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t lz, lzt;
+ mbedtls_mpi TA, TB;
+
+ mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
+
+ lz = mbedtls_mpi_lsb(&TA);
+ lzt = mbedtls_mpi_lsb(&TB);
+
+ /* The loop below gives the correct result when A==0 but not when B==0.
+ * So have a special case for B==0. Leverage the fact that we just
+ * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
+ * slightly more efficient than cmp_int(). */
+ if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
+ ret = mbedtls_mpi_copy(G, A);
+ goto cleanup;
+ }
+
+ if (lzt < lz) {
+ lz = lzt;
+ }
+
+ TA.s = TB.s = 1;
+
+ /* We mostly follow the procedure described in HAC 14.54, but with some
+ * minor differences:
+ * - Sequences of multiplications or divisions by 2 are grouped into a
+ * single shift operation.
+ * - The procedure in HAC assumes that 0 < TB <= TA.
+ * - The condition TB <= TA is not actually necessary for correctness.
+ * TA and TB have symmetric roles except for the loop termination
+ * condition, and the shifts at the beginning of the loop body
+ * remove any significance from the ordering of TA vs TB before
+ * the shifts.
+ * - If TA = 0, the loop goes through 0 iterations and the result is
+ * correctly TB.
+ * - The case TB = 0 was short-circuited above.
+ *
+ * For the correctness proof below, decompose the original values of
+ * A and B as
+ * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
+ * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
+ * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
+ * and gcd(A',B') is odd or 0.
+ *
+ * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
+ * The code maintains the following invariant:
+ * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
+ */
+
+ /* Proof that the loop terminates:
+ * At each iteration, either the right-shift by 1 is made on a nonzero
+ * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
+ * by at least 1, or the right-shift by 1 is made on zero and then
+ * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
+ * since in that case TB is calculated from TB-TA with the condition TB>TA).
+ */
+ while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
+ /* Divisions by 2 preserve the invariant (I). */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
+
+ /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
+ * TA-TB is even so the division by 2 has an integer result.
+ * Invariant (I) is preserved since any odd divisor of both TA and TB
+ * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
+ * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also
+ * divides TA.
+ */
+ if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
+ }
+ /* Note that one of TA or TB is still odd. */
+ }
+
+ /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
+ * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
+ * - If there was at least one loop iteration, then one of TA or TB is odd,
+ * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
+ * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
+ * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
+ * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
+
+cleanup:
+
+ mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
+
+ return ret;
+}
+
+/*
+ * Fill X with size bytes of random.
+ * The bytes returned from the RNG are used in a specific order which
+ * is suitable for deterministic ECDSA (see the specification of
+ * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
+ */
+int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(size);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+ if (size == 0) {
+ return 0;
+ }
+
+ ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_random(mbedtls_mpi *X,
+ mbedtls_mpi_sint min,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (min < 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ if (mbedtls_mpi_cmp_int(N, min) <= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /* Ensure that target MPI has exactly the same number of limbs
+ * as the upper bound, even if the upper bound has leading zeros.
+ * This is necessary for mbedtls_mpi_core_random. */
+ int ret = mbedtls_mpi_resize_clear(X, N->n);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
+}
+
+/*
+ * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
+ */
+int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+
+ if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
+ mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
+ mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
+
+ if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
+
+ do {
+ while ((TU.p[0] & 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
+
+ if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
+ }
+
+ while ((TV.p[0] & 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
+
+ if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
+ }
+ } while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
+
+ while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
+
+cleanup:
+
+ mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
+ mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
+ mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
+static const unsigned char small_prime_gaps[] = {
+ 2, 2, 4, 2, 4, 2, 4, 6,
+ 2, 6, 4, 2, 4, 6, 6, 2,
+ 6, 4, 2, 6, 4, 6, 8, 4,
+ 2, 4, 2, 4, 14, 4, 6, 2,
+ 10, 2, 6, 6, 4, 6, 6, 2,
+ 10, 2, 4, 2, 12, 12, 4, 2,
+ 4, 6, 2, 10, 6, 6, 6, 2,
+ 6, 4, 2, 10, 14, 4, 2, 4,
+ 14, 6, 10, 2, 4, 6, 8, 6,
+ 6, 4, 6, 8, 4, 8, 10, 2,
+ 10, 2, 6, 4, 6, 8, 4, 2,
+ 4, 12, 8, 4, 8, 4, 6, 12,
+ 2, 18, 6, 10, 6, 6, 2, 6,
+ 10, 6, 6, 2, 6, 6, 4, 2,
+ 12, 10, 2, 4, 6, 6, 2, 12,
+ 4, 6, 8, 10, 8, 10, 8, 6,
+ 6, 4, 8, 6, 4, 8, 4, 14,
+ 10, 12, 2, 10, 2, 4, 2, 10,
+ 14, 4, 2, 4, 14, 4, 2, 4,
+ 20, 4, 8, 10, 8, 4, 6, 6,
+ 14, 4, 6, 6, 8, 6, /*reaches 997*/
+ 0 /* the last entry is effectively unused */
+};
+
+/*
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
+ */
+static int mpi_check_small_factors(const mbedtls_mpi *X)
+{
+ int ret = 0;
+ size_t i;
+ mbedtls_mpi_uint r;
+ unsigned p = 3; /* The first odd prime */
+
+ if ((X->p[0] & 1) == 0) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
+ for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
+ if (r == 0) {
+ if (mbedtls_mpi_cmp_int(X, p) == 0) {
+ return 1;
+ } else {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Miller-Rabin pseudo-primality test (HAC 4.24)
+ */
+static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret, count;
+ size_t i, j, k, s;
+ mbedtls_mpi W, R, T, A, RR;
+
+ mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
+ mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
+ mbedtls_mpi_init(&RR);
+
+ /*
+ * W = |X| - 1
+ * R = W >> lsb( W )
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
+ s = mbedtls_mpi_lsb(&W);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
+
+ for (i = 0; i < rounds; i++) {
+ /*
+ * pick a random A, 1 < A < |X| - 1
+ */
+ count = 0;
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
+
+ j = mbedtls_mpi_bitlen(&A);
+ k = mbedtls_mpi_bitlen(&W);
+ if (j > k) {
+ A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
+ }
+
+ if (count++ > 30) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) <= 0);
+
+ /*
+ * A = A^R mod |X|
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
+
+ if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ continue;
+ }
+
+ j = 1;
+ while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
+ /*
+ * A = A * A mod |X|
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
+
+ if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ break;
+ }
+
+ j++;
+ }
+
+ /*
+ * not prime if A != |X| - 1 or A == 1
+ */
+ if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ break;
+ }
+ }
+
+cleanup:
+ mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
+ mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
+ mbedtls_mpi_free(&RR);
+
+ return ret;
+}
+
+/*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi XX;
+
+ XX.s = 1;
+ XX.n = X->n;
+ XX.p = X->p;
+
+ if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||
+ mbedtls_mpi_cmp_int(&XX, 1) == 0) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
+ if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
+ return 0;
+ }
+
+ if ((ret = mpi_check_small_factors(&XX)) != 0) {
+ if (ret == 1) {
+ return 0;
+ }
+
+ return ret;
+ }
+
+ return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
+}
+
+/*
+ * Prime number generation
+ *
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
+ */
+int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+#ifdef MBEDTLS_HAVE_INT64
+// ceil(2^63.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
+#else
+// ceil(2^31.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
+#endif
+ int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ size_t k, n;
+ int rounds;
+ mbedtls_mpi_uint r;
+ mbedtls_mpi Y;
+
+ if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&Y);
+
+ n = BITS_TO_LIMBS(nbits);
+
+ if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
+ /*
+ * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+ */
+ rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
+ (nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
+ (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
+ } else {
+ /*
+ * 2^-100 error probability, number of rounds computed based on HAC,
+ * fact 4.48
+ */
+ rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
+ (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
+ (nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
+ (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
+ }
+
+ while (1) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
+ /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
+ if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
+ continue;
+ }
+
+ k = n * biL;
+ if (k > nbits) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
+ }
+ X->p[0] |= 1;
+
+ if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
+ ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
+
+ if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+ } else {
+ /*
+ * A necessary condition for Y and X = 2Y + 1 to be prime
+ * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+ * Make sure it is satisfied, while keeping X = 3 mod 4
+ */
+
+ X->p[0] |= 2;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
+ if (r == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
+ } else if (r == 1) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
+ }
+
+ /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
+
+ while (1) {
+ /*
+ * First, check small factors for X and Y
+ * before doing Miller-Rabin on any of them
+ */
+ if ((ret = mpi_check_small_factors(X)) == 0 &&
+ (ret = mpi_check_small_factors(&Y)) == 0 &&
+ (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
+ == 0 &&
+ (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
+ == 0) {
+ goto cleanup;
+ }
+
+ if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+
+ /*
+ * Next candidates. We want to preserve Y = (X-1) / 2 and
+ * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+ * so up Y by 6 and X by 12.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
+ }
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&Y);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#define GCD_PAIR_COUNT 3
+
+static const int gcd_pairs[GCD_PAIR_COUNT][3] =
+{
+ { 693, 609, 21 },
+ { 1764, 868, 28 },
+ { 768454923, 542167814, 1 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_mpi_self_test(int verbose)
+{
+ int ret, i;
+ mbedtls_mpi A, E, N, X, Y, U, V;
+
+ mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
+ mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
+ "EFE021C2645FD1DC586E69184AF4A31E" \
+ "D5F53E93B5F123FA41680867BA110131" \
+ "944FE7952E2517337780CB0DB80E61AA" \
+ "E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
+ "B2E7EFD37075B9F03FF989C7C5051C20" \
+ "34D2A323810251127E7BF8625A4F49A5" \
+ "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
+ "5B5C25763222FEFCCFC38B832366C29E"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
+ "0066A198186C18C10B2F5ED9B522752A" \
+ "9830B69916E535C8F047518A889A43A5" \
+ "94B6BED27A168D31D4A52F88925AA8F5"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "602AB7ECA597A3D6B56FF9829A5E8B85" \
+ "9E857EA95A03512E2BAE7391688D264A" \
+ "A5663B0341DB9CCFD2C4C5F421FEC814" \
+ "8001B72E848A38CAE1C65F78E56ABDEF" \
+ "E12D3C039B8A02D6BE593F0BBBDA56F1" \
+ "ECF677152EF804370C1A305CAF3B5BF1" \
+ "30879B56C61DE584A0F53A2447A51E"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #1 (mul_mpi): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "256567336059E52CAE22925474705F39A94"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
+ "6613F26162223DF488E9CD48CC132C7A" \
+ "0AC93C701B001B092E4E5B9F73BCD27B" \
+ "9EE50D0657C77F374E903CDFA4C642"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #2 (div_mpi): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||
+ mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "36E139AEA55215609D2816998ED020BB" \
+ "BD96C37890F65171D948E9BC7CBAA4D9" \
+ "325D24D6A3C12710F10A09FA08AB87"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #3 (exp_mod): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
+ "C3DBA76456363A10869622EAC2DD84EC" \
+ "C5B8A74DAC4D09E03B5E0BE779F2DF61"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #4 (inv_mod): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #5 (simple gcd): ");
+ }
+
+ for (i = 0; i < GCD_PAIR_COUNT; i++) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
+
+ if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed at %d\n", i);
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+
+ if (ret != 0 && verbose != 0) {
+ mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
+ }
+
+ mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
+ mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.c b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
new file mode 100644
index 0000000..1a3e0b9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
@@ -0,0 +1,895 @@
+/*
+ * Core bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include <string.h>
+
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "constant_time_internal.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bn_mul.h"
+#include "constant_time_internal.h"
+
+size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
+{
+#if defined(__has_builtin)
+#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_clz)
+ #define core_clz __builtin_clz
+#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_clzl)
+ #define core_clz __builtin_clzl
+#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_clzll)
+ #define core_clz __builtin_clzll
+#endif
+#endif
+#if defined(core_clz)
+ return (size_t) core_clz(a);
+#else
+ size_t j;
+ mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
+
+ for (j = 0; j < biL; j++) {
+ if (a & mask) {
+ break;
+ }
+
+ mask >>= 1;
+ }
+
+ return j;
+#endif
+}
+
+size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs)
+{
+ int i;
+ size_t j;
+
+ for (i = ((int) A_limbs) - 1; i >= 0; i--) {
+ if (A[i] != 0) {
+ j = biL - mbedtls_mpi_core_clz(A[i]);
+ return (i * biL) + j;
+ }
+ }
+
+ return 0;
+}
+
+static mbedtls_mpi_uint mpi_bigendian_to_host(mbedtls_mpi_uint a)
+{
+ if (MBEDTLS_IS_BIG_ENDIAN) {
+ /* Nothing to do on bigendian systems. */
+ return a;
+ } else {
+#if defined(MBEDTLS_HAVE_INT32)
+ return (mbedtls_mpi_uint) MBEDTLS_BSWAP32(a);
+#elif defined(MBEDTLS_HAVE_INT64)
+ return (mbedtls_mpi_uint) MBEDTLS_BSWAP64(a);
+#endif
+ }
+}
+
+void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
+ size_t A_limbs)
+{
+ mbedtls_mpi_uint *cur_limb_left;
+ mbedtls_mpi_uint *cur_limb_right;
+ if (A_limbs == 0) {
+ return;
+ }
+
+ /*
+ * Traverse limbs and
+ * - adapt byte-order in each limb
+ * - swap the limbs themselves.
+ * For that, simultaneously traverse the limbs from left to right
+ * and from right to left, as long as the left index is not bigger
+ * than the right index (it's not a problem if limbs is odd and the
+ * indices coincide in the last iteration).
+ */
+ for (cur_limb_left = A, cur_limb_right = A + (A_limbs - 1);
+ cur_limb_left <= cur_limb_right;
+ cur_limb_left++, cur_limb_right--) {
+ mbedtls_mpi_uint tmp;
+ /* Note that if cur_limb_left == cur_limb_right,
+ * this code effectively swaps the bytes only once. */
+ tmp = mpi_bigendian_to_host(*cur_limb_left);
+ *cur_limb_left = mpi_bigendian_to_host(*cur_limb_right);
+ *cur_limb_right = tmp;
+ }
+}
+
+/* Whether min <= A, in constant time.
+ * A_limbs must be at least 1. */
+mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *A,
+ size_t A_limbs)
+{
+ /* min <= least significant limb? */
+ mbedtls_ct_condition_t min_le_lsl = mbedtls_ct_uint_ge(A[0], min);
+
+ /* limbs other than the least significant one are all zero? */
+ mbedtls_ct_condition_t msll_mask = MBEDTLS_CT_FALSE;
+ for (size_t i = 1; i < A_limbs; i++) {
+ msll_mask = mbedtls_ct_bool_or(msll_mask, mbedtls_ct_bool(A[i]));
+ }
+
+ /* min <= A iff the lowest limb of A is >= min or the other limbs
+ * are not all zero. */
+ return mbedtls_ct_bool_or(msll_mask, min_le_lsl);
+}
+
+mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_ct_condition_t ret = MBEDTLS_CT_FALSE, cond = MBEDTLS_CT_FALSE, done = MBEDTLS_CT_FALSE;
+
+ for (size_t i = limbs; i > 0; i--) {
+ /*
+ * If B[i - 1] < A[i - 1] then A < B is false and the result must
+ * remain 0.
+ *
+ * Again even if we can make a decision, we just mark the result and
+ * the fact that we are done and continue looping.
+ */
+ cond = mbedtls_ct_uint_lt(B[i - 1], A[i - 1]);
+ done = mbedtls_ct_bool_or(done, cond);
+
+ /*
+ * If A[i - 1] < B[i - 1] then A < B is true.
+ *
+ * Again even if we can make a decision, we just mark the result and
+ * the fact that we are done and continue looping.
+ */
+ cond = mbedtls_ct_uint_lt(A[i - 1], B[i - 1]);
+ ret = mbedtls_ct_bool_or(ret, mbedtls_ct_bool_and(cond, mbedtls_ct_bool_not(done)));
+ done = mbedtls_ct_bool_or(done, cond);
+ }
+
+ /*
+ * If all the limbs were equal, then the numbers are equal, A < B is false
+ * and leaving the result 0 is correct.
+ */
+
+ return ret;
+}
+
+void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ mbedtls_ct_condition_t assign)
+{
+ if (X == A) {
+ return;
+ }
+
+ /* This function is very performance-sensitive for RSA. For this reason
+ * we have the loop below, instead of calling mbedtls_ct_memcpy_if
+ * (this is more optimal since here we don't have to handle the case where
+ * we copy awkwardly sized data).
+ */
+ for (size_t i = 0; i < limbs; i++) {
+ X[i] = mbedtls_ct_mpi_uint_if(assign, A[i], X[i]);
+ }
+}
+
+void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ size_t limbs,
+ mbedtls_ct_condition_t swap)
+{
+ if (X == Y) {
+ return;
+ }
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint tmp = X[i];
+ X[i] = mbedtls_ct_mpi_uint_if(swap, Y[i], X[i]);
+ Y[i] = mbedtls_ct_mpi_uint_if(swap, tmp, Y[i]);
+ }
+}
+
+int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length)
+{
+ const size_t limbs = CHARS_TO_LIMBS(input_length);
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ if (X != NULL) {
+ memset(X, 0, X_limbs * ciL);
+
+ for (size_t i = 0; i < input_length; i++) {
+ size_t offset = ((i % ciL) << 3);
+ X[i / ciL] |= ((mbedtls_mpi_uint) input[i]) << offset;
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length)
+{
+ const size_t limbs = CHARS_TO_LIMBS(input_length);
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ /* If X_limbs is 0, input_length must also be 0 (from previous test).
+ * Nothing to do. */
+ if (X_limbs == 0) {
+ return 0;
+ }
+
+ memset(X, 0, X_limbs * ciL);
+
+ /* memcpy() with (NULL, 0) is undefined behaviour */
+ if (input_length != 0) {
+ size_t overhead = (X_limbs * ciL) - input_length;
+ unsigned char *Xp = (unsigned char *) X;
+ memcpy(Xp + overhead, input, input_length);
+ }
+
+ mbedtls_mpi_core_bigendian_to_host(X, X_limbs);
+
+ return 0;
+}
+
+int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length)
+{
+ size_t stored_bytes = A_limbs * ciL;
+ size_t bytes_to_copy;
+
+ if (stored_bytes < output_length) {
+ bytes_to_copy = stored_bytes;
+ } else {
+ bytes_to_copy = output_length;
+
+ /* The output buffer is smaller than the allocated size of A.
+ * However A may fit if its leading bytes are zero. */
+ for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
+ if (GET_BYTE(A, i) != 0) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+ }
+ }
+
+ for (size_t i = 0; i < bytes_to_copy; i++) {
+ output[i] = GET_BYTE(A, i);
+ }
+
+ if (stored_bytes < output_length) {
+ /* Write trailing 0 bytes */
+ memset(output + stored_bytes, 0, output_length - stored_bytes);
+ }
+
+ return 0;
+}
+
+int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ unsigned char *output,
+ size_t output_length)
+{
+ size_t stored_bytes;
+ size_t bytes_to_copy;
+ unsigned char *p;
+
+ stored_bytes = X_limbs * ciL;
+
+ if (stored_bytes < output_length) {
+ /* There is enough space in the output buffer. Write initial
+ * null bytes and record the position at which to start
+ * writing the significant bytes. In this case, the execution
+ * trace of this function does not depend on the value of the
+ * number. */
+ bytes_to_copy = stored_bytes;
+ p = output + output_length - stored_bytes;
+ memset(output, 0, output_length - stored_bytes);
+ } else {
+ /* The output buffer is smaller than the allocated size of X.
+ * However X may fit if its leading bytes are zero. */
+ bytes_to_copy = output_length;
+ p = output;
+ for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
+ if (GET_BYTE(X, i) != 0) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+ }
+ }
+
+ for (size_t i = 0; i < bytes_to_copy; i++) {
+ p[bytes_to_copy - i - 1] = GET_BYTE(X, i);
+ }
+
+ return 0;
+}
+
+void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count)
+{
+ size_t i, v0, v1;
+ mbedtls_mpi_uint r0 = 0, r1;
+
+ v0 = count / biL;
+ v1 = count & (biL - 1);
+
+ if (v0 > limbs || (v0 == limbs && v1 > 0)) {
+ memset(X, 0, limbs * ciL);
+ return;
+ }
+
+ /*
+ * shift by count / limb_size
+ */
+ if (v0 > 0) {
+ for (i = 0; i < limbs - v0; i++) {
+ X[i] = X[i + v0];
+ }
+
+ for (; i < limbs; i++) {
+ X[i] = 0;
+ }
+ }
+
+ /*
+ * shift by count % limb_size
+ */
+ if (v1 > 0) {
+ for (i = limbs; i > 0; i--) {
+ r1 = X[i - 1] << (biL - v1);
+ X[i - 1] >>= v1;
+ X[i - 1] |= r0;
+ r0 = r1;
+ }
+ }
+}
+
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count)
+{
+ size_t i, v0, v1;
+ mbedtls_mpi_uint r0 = 0, r1;
+
+ v0 = count / (biL);
+ v1 = count & (biL - 1);
+
+ /*
+ * shift by count / limb_size
+ */
+ if (v0 > 0) {
+ for (i = limbs; i > v0; i--) {
+ X[i - 1] = X[i - v0 - 1];
+ }
+
+ for (; i > 0; i--) {
+ X[i - 1] = 0;
+ }
+ }
+
+ /*
+ * shift by count % limb_size
+ */
+ if (v1 > 0) {
+ for (i = v0; i < limbs; i++) {
+ r1 = X[i] >> (biL - v1);
+ X[i] <<= v1;
+ X[i] |= r0;
+ r0 = r1;
+ }
+ }
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_mpi_uint c = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint t = c + A[i];
+ c = (t < A[i]);
+ t += B[i];
+ c += (t < B[i]);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ unsigned cond)
+{
+ mbedtls_mpi_uint c = 0;
+
+ mbedtls_ct_condition_t do_add = mbedtls_ct_bool(cond);
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint add = mbedtls_ct_mpi_uint_if_else_0(do_add, A[i]);
+ mbedtls_mpi_uint t = c + X[i];
+ c = (t < X[i]);
+ t += add;
+ c += (t < add);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_mpi_uint c = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint z = (A[i] < c);
+ mbedtls_mpi_uint t = A[i] - c;
+ c = (t < B[i]) + z;
+ X[i] = t - B[i];
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len,
+ const mbedtls_mpi_uint *s, size_t s_len,
+ mbedtls_mpi_uint b)
+{
+ mbedtls_mpi_uint c = 0; /* carry */
+ /*
+ * It is a documented precondition of this function that d_len >= s_len.
+ * If that's not the case, we swap these round: this turns what would be
+ * a buffer overflow into an incorrect result.
+ */
+ if (d_len < s_len) {
+ s_len = d_len;
+ }
+ size_t excess_len = d_len - s_len;
+ size_t steps_x8 = s_len / 8;
+ size_t steps_x1 = s_len & 7;
+
+ while (steps_x8--) {
+ MULADDC_X8_INIT
+ MULADDC_X8_CORE
+ MULADDC_X8_STOP
+ }
+
+ while (steps_x1--) {
+ MULADDC_X1_INIT
+ MULADDC_X1_CORE
+ MULADDC_X1_STOP
+ }
+
+ while (excess_len--) {
+ *d += c;
+ c = (*d < c);
+ d++;
+ }
+
+ return c;
+}
+
+void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ const mbedtls_mpi_uint *B, size_t B_limbs)
+{
+ memset(X, 0, (A_limbs + B_limbs) * ciL);
+
+ for (size_t i = 0; i < B_limbs; i++) {
+ (void) mbedtls_mpi_core_mla(X + i, A_limbs + 1, A, A_limbs, B[i]);
+ }
+}
+
+/*
+ * Fast Montgomery initialization (thanks to Tom St Denis).
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N)
+{
+ mbedtls_mpi_uint x = N[0];
+
+ x += ((N[0] + 2) & 4) << 1;
+
+ for (unsigned int i = biL; i >= 8; i /= 2) {
+ x *= (2 - (N[0] * x));
+ }
+
+ return ~x + 1;
+}
+
+void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t B_limbs,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T)
+{
+ memset(T, 0, (2 * AN_limbs + 1) * ciL);
+
+ for (size_t i = 0; i < AN_limbs; i++) {
+ /* T = (T + u0*B + u1*N) / 2^biL */
+ mbedtls_mpi_uint u0 = A[i];
+ mbedtls_mpi_uint u1 = (T[0] + u0 * B[0]) * mm;
+
+ (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, B, B_limbs, u0);
+ (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, N, AN_limbs, u1);
+
+ T++;
+ }
+
+ /*
+ * The result we want is (T >= N) ? T - N : T.
+ *
+ * For better constant-time properties in this function, we always do the
+ * subtraction, with the result in X.
+ *
+ * We also look to see if there was any carry in the final additions in the
+ * loop above.
+ */
+
+ mbedtls_mpi_uint carry = T[AN_limbs];
+ mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, T, N, AN_limbs);
+
+ /*
+ * Using R as the Montgomery radix (auxiliary modulus) i.e. 2^(biL*AN_limbs):
+ *
+ * T can be in one of 3 ranges:
+ *
+ * 1) T < N : (carry, borrow) = (0, 1): we want T
+ * 2) N <= T < R : (carry, borrow) = (0, 0): we want X
+ * 3) T >= R : (carry, borrow) = (1, 1): we want X
+ *
+ * and (carry, borrow) = (1, 0) can't happen.
+ *
+ * So the correct return value is already in X if (carry ^ borrow) = 0,
+ * but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1.
+ */
+ mbedtls_ct_memcpy_if(mbedtls_ct_bool(carry ^ borrow),
+ (unsigned char *) X,
+ (unsigned char *) T,
+ NULL,
+ AN_limbs * sizeof(mbedtls_mpi_uint));
+}
+
+int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
+ const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, N->n * 2 * biL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(X, N->n));
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index)
+{
+ for (size_t i = 0; i < count; i++, table += limbs) {
+ mbedtls_ct_condition_t assign = mbedtls_ct_uint_eq(i, index);
+ mbedtls_mpi_core_cond_assign(dest, table, limbs, assign);
+ }
+}
+
+/* Fill X with n_bytes random bytes.
+ * X must already have room for those bytes.
+ * The ordering of the bytes returned from the RNG is suitable for
+ * deterministic ECDSA (see RFC 6979 §3.3 and the specification of
+ * mbedtls_mpi_core_random()).
+ */
+int mbedtls_mpi_core_fill_random(
+ mbedtls_mpi_uint *X, size_t X_limbs,
+ size_t n_bytes,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(n_bytes);
+ const size_t overhead = (limbs * ciL) - n_bytes;
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(X, 0, overhead);
+ memset((unsigned char *) X + limbs * ciL, 0, (X_limbs - limbs) * ciL);
+ MBEDTLS_MPI_CHK(f_rng(p_rng, (unsigned char *) X + overhead, n_bytes));
+ mbedtls_mpi_core_bigendian_to_host(X, limbs);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *N,
+ size_t limbs,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ mbedtls_ct_condition_t ge_lower = MBEDTLS_CT_TRUE, lt_upper = MBEDTLS_CT_FALSE;
+ size_t n_bits = mbedtls_mpi_core_bitlen(N, limbs);
+ size_t n_bytes = (n_bits + 7) / 8;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * When min == 0, each try has at worst a probability 1/2 of failing
+ * (the msb has a probability 1/2 of being 0, and then the result will
+ * be < N), so after 30 tries failure probability is a most 2**(-30).
+ *
+ * When N is just below a power of 2, as is the case when generating
+ * a random scalar on most elliptic curves, 1 try is enough with
+ * overwhelming probability. When N is just above a power of 2,
+ * as when generating a random scalar on secp224k1, each try has
+ * a probability of failing that is almost 1/2.
+ *
+ * The probabilities are almost the same if min is nonzero but negligible
+ * compared to N. This is always the case when N is crypto-sized, but
+ * it's convenient to support small N for testing purposes. When N
+ * is small, use a higher repeat count, otherwise the probability of
+ * failure is macroscopic.
+ */
+ int count = (n_bytes > 4 ? 30 : 250);
+
+ /*
+ * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
+ * when f_rng is a suitably parametrized instance of HMAC_DRBG:
+ * - use the same byte ordering;
+ * - keep the leftmost n_bits bits of the generated octet string;
+ * - try until result is in the desired range.
+ * This also avoids any bias, which is especially important for ECDSA.
+ */
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_fill_random(X, limbs,
+ n_bytes,
+ f_rng, p_rng));
+ mbedtls_mpi_core_shift_r(X, limbs, 8 * n_bytes - n_bits);
+
+ if (--count == 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ ge_lower = mbedtls_mpi_core_uint_le_mpi(min, X, limbs);
+ lt_upper = mbedtls_mpi_core_lt_ct(X, N, limbs);
+ } while (mbedtls_ct_bool_and(ge_lower, lt_upper) == MBEDTLS_CT_FALSE);
+
+cleanup:
+ return ret;
+}
+
+static size_t exp_mod_get_window_size(size_t Ebits)
+{
+#if MBEDTLS_MPI_WINDOW_SIZE >= 6
+ return (Ebits > 671) ? 6 : (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
+#elif MBEDTLS_MPI_WINDOW_SIZE == 5
+ return (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
+#elif MBEDTLS_MPI_WINDOW_SIZE > 1
+ return (Ebits > 79) ? MBEDTLS_MPI_WINDOW_SIZE : 1;
+#else
+ (void) Ebits;
+ return 1;
+#endif
+}
+
+size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs)
+{
+ const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
+ const size_t welem = ((size_t) 1) << wsize;
+
+ /* How big does each part of the working memory pool need to be? */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
+ const size_t temp_limbs = 2 * AN_limbs + 1;
+
+ return table_limbs + select_limbs + temp_limbs;
+}
+
+static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *RR,
+ size_t welem,
+ mbedtls_mpi_uint *Wtable,
+ mbedtls_mpi_uint *temp)
+{
+ /* W[0] = 1 (in Montgomery presentation) */
+ memset(Wtable, 0, AN_limbs * ciL);
+ Wtable[0] = 1;
+ mbedtls_mpi_core_montmul(Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp);
+
+ /* W[1] = A (already in Montgomery presentation) */
+ mbedtls_mpi_uint *W1 = Wtable + AN_limbs;
+ memcpy(W1, A, AN_limbs * ciL);
+
+ /* W[i+1] = W[i] * W[1], i >= 2 */
+ mbedtls_mpi_uint *Wprev = W1;
+ for (size_t i = 2; i < welem; i++) {
+ mbedtls_mpi_uint *Wcur = Wprev + AN_limbs;
+ mbedtls_mpi_core_montmul(Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp);
+ Wprev = Wcur;
+ }
+}
+
+/* Exponentiation: X := A^E mod N.
+ *
+ * A must already be in Montgomery form.
+ *
+ * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
+ *
+ * RR must contain 2^{2*biL} mod N.
+ *
+ * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82
+ * (The difference is that the body in our loop processes a single bit instead
+ * of a full window.)
+ */
+void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
+ const size_t welem = ((size_t) 1) << wsize;
+
+ /* This is how we will use the temporary storage T, which must have space
+ * for table_limbs, select_limbs and (2 * AN_limbs + 1) for montmul. */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
+
+ /* Pointers to specific parts of the temporary working memory pool */
+ mbedtls_mpi_uint *const Wtable = T;
+ mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
+ mbedtls_mpi_uint *const temp = Wselect + select_limbs;
+
+ /*
+ * Window precomputation
+ */
+
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N);
+
+ /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
+ exp_mod_precompute_window(A, N, AN_limbs,
+ mm, RR,
+ welem, Wtable, temp);
+
+ /*
+ * Fixed window exponentiation
+ */
+
+ /* X = 1 (in Montgomery presentation) initially */
+ memcpy(X, Wtable, AN_limbs * ciL);
+
+ /* We'll process the bits of E from most significant
+ * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
+ * (limb_index=0, E_bit_index=0). */
+ size_t E_limb_index = E_limbs;
+ size_t E_bit_index = 0;
+ /* At any given time, window contains window_bits bits from E.
+ * window_bits can go up to wsize. */
+ size_t window_bits = 0;
+ mbedtls_mpi_uint window = 0;
+
+ do {
+ /* Square */
+ mbedtls_mpi_core_montmul(X, X, X, AN_limbs, N, AN_limbs, mm, temp);
+
+ /* Move to the next bit of the exponent */
+ if (E_bit_index == 0) {
+ --E_limb_index;
+ E_bit_index = biL - 1;
+ } else {
+ --E_bit_index;
+ }
+ /* Insert next exponent bit into window */
+ ++window_bits;
+ window <<= 1;
+ window |= (E[E_limb_index] >> E_bit_index) & 1;
+
+ /* Clear window if it's full. Also clear the window at the end,
+ * when we've finished processing the exponent. */
+ if (window_bits == wsize ||
+ (E_bit_index == 0 && E_limb_index == 0)) {
+ /* Select Wtable[window] without leaking window through
+ * memory access patterns. */
+ mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
+ AN_limbs, welem, window);
+ /* Multiply X by the selected element. */
+ mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm,
+ temp);
+ window = 0;
+ window_bits = 0;
+ }
+ } while (!(E_bit_index == 0 && E_limb_index == 0));
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint c, /* doubles as carry */
+ size_t limbs)
+{
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint s = A[i];
+ mbedtls_mpi_uint t = s - c;
+ c = (t > s);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
+ size_t limbs)
+{
+ volatile const mbedtls_mpi_uint *force_read_A = A;
+ mbedtls_mpi_uint bits = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ bits |= force_read_A[i];
+ }
+
+ return mbedtls_ct_bool(bits);
+}
+
+void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *rr,
+ mbedtls_mpi_uint *T)
+{
+ mbedtls_mpi_core_montmul(X, A, rr, AN_limbs, N, AN_limbs, mm, T);
+}
+
+void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T)
+{
+ const mbedtls_mpi_uint Rinv = 1; /* 1/R in Mont. rep => 1 */
+
+ mbedtls_mpi_core_montmul(X, A, &Rinv, 1, N, AN_limbs, mm, T);
+}
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.h b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
new file mode 100644
index 0000000..92c8d47
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
@@ -0,0 +1,763 @@
+/**
+ * Core bignum functions
+ *
+ * This interface should only be used by the legacy bignum module (bignum.h)
+ * and the modular bignum modules (bignum_mod.c, bignum_mod_raw.c). All other
+ * modules should use the high-level modular bignum interface (bignum_mod.h)
+ * or the legacy bignum interface (bignum.h).
+ *
+ * This module is about processing non-negative integers with a fixed upper
+ * bound that's of the form 2^n-1 where n is a multiple of #biL.
+ * These can be thought of integers written in base 2^#biL with a fixed
+ * number of digits. Digits in this base are called *limbs*.
+ * Many operations treat these numbers as the principal representation of
+ * a number modulo 2^n or a smaller bound.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ *
+ * - **Overflow**: some functions indicate overflow from the range
+ * [0, 2^n-1] by returning carry parameters, while others operate
+ * modulo and so cannot overflow. This should be clear from the function
+ * documentation.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
+ * - Bignum parameters called \p A, \p B, ... are inputs, and are
+ * not modified by the function.
+ * - For operations modulo some number, the modulus is called \p N
+ * and is input-only.
+ * - Bignum parameters called \p X, \p Y are outputs or input-output.
+ * The initial content of output-only parameters is ignored.
+ * - Some functions use different names that reflect traditional
+ * naming of operands of certain operations (e.g.
+ * divisor/dividend/quotient/remainder).
+ * - \p T is a temporary storage area. The initial content of such
+ * parameter is ignored and the final content is unspecified.
+ * - **Bignum sizes**: bignum sizes are always expressed in limbs.
+ * Most functions work on bignums of a given size and take a single
+ * \p limbs parameter that applies to all parameters that are limb arrays.
+ * All bignum sizes must be at least 1 and must be significantly less than
+ * #SIZE_MAX. The behavior if a size is 0 is undefined. The behavior if the
+ * total size of all parameters overflows #SIZE_MAX is undefined.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * Temporaries come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. As an exception, parameters that are documented as a modulus value
+ * may not be aliased to an output. Outputs may not be aliased to one another.
+ * Temporaries may not be aliased to any other parameter.
+ * - **Overlap**: apart from aliasing of limb array pointers (where two
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: This is a low-level module. Functions generally do not
+ * try to protect against invalid arguments such as nonsensical sizes or
+ * null pointers. Note that some functions that operate on bignums of
+ * different sizes have constraints about their size, and violating those
+ * constraints may lead to buffer overflows.
+ * - **Modular representatives**: functions that operate modulo \p N expect
+ * all modular inputs to be in the range [0, \p N - 1] and guarantee outputs
+ * in the range [0, \p N - 1]. If an input is out of range, outputs are
+ * fully unspecified, though bignum values out of range should not cause
+ * buffer overflows (beware that this is not extensively tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_CORE_H
+#define MBEDTLS_BIGNUM_CORE_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "constant_time_internal.h"
+
+#define ciL (sizeof(mbedtls_mpi_uint)) /** chars in limb */
+#define biL (ciL << 3) /** bits in limb */
+#define biH (ciL << 2) /** half limb size */
+
+/*
+ * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
+ */
+#define BITS_TO_LIMBS(i) ((i) / biL + ((i) % biL != 0))
+#define CHARS_TO_LIMBS(i) ((i) / ciL + ((i) % ciL != 0))
+/* Get a specific byte, without range checks. */
+#define GET_BYTE(X, i) \
+ (((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
+
+/** Count leading zero bits in a given integer.
+ *
+ * \warning The result is undefined if \p a == 0
+ *
+ * \param a Integer to count leading zero bits.
+ *
+ * \return The number of leading zero bits in \p a, if \p a != 0.
+ * If \p a == 0, the result is undefined.
+ */
+size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a);
+
+/** Return the minimum number of bits required to represent the value held
+ * in the MPI.
+ *
+ * \note This function returns 0 if all the limbs of \p A are 0.
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ *
+ * \return The number of bits in \p A.
+ */
+size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs);
+
+/** Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi.
+ *
+ * \param[in,out] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ */
+void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
+ size_t A_limbs);
+
+/** \brief Compare a machine integer with an MPI.
+ *
+ * This function operates in constant time with respect
+ * to the values of \p min and \p A.
+ *
+ * \param min A machine integer.
+ * \param[in] A An MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * This must be at least 1.
+ *
+ * \return MBEDTLS_CT_TRUE if \p min is less than or equal to \p A, otherwise MBEDTLS_CT_FALSE.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *A,
+ size_t A_limbs);
+
+/**
+ * \brief Check if one unsigned MPI is less than another in constant
+ * time.
+ *
+ * \param A The left-hand MPI. This must point to an array of limbs
+ * with the same allocated length as \p B.
+ * \param B The right-hand MPI. This must point to an array of limbs
+ * with the same allocated length as \p A.
+ * \param limbs The number of limbs in \p A and \p B.
+ * This must not be 0.
+ *
+ * \return MBEDTLS_CT_TRUE if \p A is less than \p B.
+ * MBEDTLS_CT_FALSE if \p A is greater than or equal to \p B.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Perform a safe conditional copy of an MPI which doesn't reveal
+ * whether assignment was done or not.
+ *
+ * \param[out] X The address of the destination MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of \p A.
+ * \param[in] A The address of the source MPI. This must be initialized.
+ * \param limbs The number of limbs of \p A.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Callers will need to use
+ * the constant time interface (e.g. `mbedtls_ct_bool()`)
+ * to construct this argument.
+ *
+ * \note This function avoids leaking any information about whether
+ * the assignment was done or not.
+ */
+void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ mbedtls_ct_condition_t assign);
+
+/**
+ * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
+ * whether the swap was done or not.
+ *
+ * \param[in,out] X The address of the first MPI.
+ * This must be initialized.
+ * \param[in,out] Y The address of the second MPI.
+ * This must be initialized.
+ * \param limbs The number of limbs of \p X and \p Y.
+ * \param swap The condition deciding whether to perform
+ * the swap or not.
+ *
+ * \note This function avoids leaking any information about whether
+ * the swap was done or not.
+ */
+void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ size_t limbs,
+ mbedtls_ct_condition_t swap);
+
+/** Import X from unsigned binary data, little-endian.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI.
+ * \param X_limbs The number of limbs of \p X.
+ * \param[in] input The input buffer to import from.
+ * \param input_length The length bytes of \p input.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ */
+int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length);
+
+/** Import X from unsigned binary data, big-endian.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI.
+ * May only be #NULL if \p X_limbs is 0 and \p input_length
+ * is 0.
+ * \param X_limbs The number of limbs of \p X.
+ * \param[in] input The input buffer to import from.
+ * May only be #NULL if \p input_length is 0.
+ * \param input_length The length in bytes of \p input.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ */
+int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length);
+
+/** Export A into unsigned binary data, little-endian.
+ *
+ * \note If \p output is shorter than \p A the export is still successful if the
+ * value held in \p A fits in the buffer (that is, if enough of the most
+ * significant bytes of \p A are 0).
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ */
+int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length);
+
+/** Export A into unsigned binary data, big-endian.
+ *
+ * \note If \p output is shorter than \p A the export is still successful if the
+ * value held in \p A fits in the buffer (that is, if enough of the most
+ * significant bytes of \p A are 0).
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ */
+int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length);
+
+/** \brief Shift an MPI in-place right by a number of bits.
+ *
+ * Shifting by more bits than there are bit positions
+ * in \p X is valid and results in setting \p X to 0.
+ *
+ * This function's execution time depends on the value
+ * of \p count (and of course \p limbs).
+ *
+ * \param[in,out] X The number to shift.
+ * \param limbs The number of limbs of \p X. This must be at least 1.
+ * \param count The number of bits to shift by.
+ */
+void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count);
+
+/**
+ * \brief Shift an MPI in-place left by a number of bits.
+ *
+ * Shifting by more bits than there are bit positions
+ * in \p X will produce an unspecified result.
+ *
+ * This function's execution time depends on the value
+ * of \p count (and of course \p limbs).
+ * \param[in,out] X The number to shift.
+ * \param limbs The number of limbs of \p X. This must be at least 1.
+ * \param count The number of bits to shift by.
+ */
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count);
+
+/**
+ * \brief Add two fixed-size large unsigned integers, returning the carry.
+ *
+ * Calculates `A + B` where `A` and `B` have the same size.
+ *
+ * This function operates modulo `2^(biL*limbs)` and returns the carry
+ * (1 if there was a wraparound, and 0 otherwise).
+ *
+ * \p X may be aliased to \p A or \p B.
+ *
+ * \param[out] X The result of the addition.
+ * \param[in] A Little-endian presentation of the left operand.
+ * \param[in] B Little-endian presentation of the right operand.
+ * \param limbs Number of limbs of \p X, \p A and \p B.
+ *
+ * \return 1 if `A + B >= 2^(biL*limbs)`, 0 otherwise.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Conditional addition of two fixed-size large unsigned integers,
+ * returning the carry.
+ *
+ * Functionally equivalent to
+ *
+ * ```
+ * if( cond )
+ * X += A;
+ * return carry;
+ * ```
+ *
+ * This function operates modulo `2^(biL*limbs)`.
+ *
+ * \param[in,out] X The pointer to the (little-endian) array
+ * representing the bignum to accumulate onto.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the bignum to conditionally add
+ * to \p X. This may be aliased to \p X but may not
+ * overlap otherwise.
+ * \param limbs Number of limbs of \p X and \p A.
+ * \param cond Condition bit dictating whether addition should
+ * happen or not. This must be \c 0 or \c 1.
+ *
+ * \warning If \p cond is neither 0 nor 1, the result of this function
+ * is unspecified, and the resulting value in \p X might be
+ * neither its original value nor \p X + \p A.
+ *
+ * \return 1 if `X + cond * A >= 2^(biL*limbs)`, 0 otherwise.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ unsigned cond);
+
+/**
+ * \brief Subtract two fixed-size large unsigned integers, returning the borrow.
+ *
+ * Calculate `A - B` where \p A and \p B have the same size.
+ * This function operates modulo `2^(biL*limbs)` and returns the carry
+ * (1 if there was a wraparound, i.e. if `A < B`, and 0 otherwise).
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The result of the subtraction.
+ * \param[in] A Little-endian presentation of left operand.
+ * \param[in] B Little-endian presentation of right operand.
+ * \param limbs Number of limbs of \p X, \p A and \p B.
+ *
+ * \return 1 if `A < B`.
+ * 0 if `A >= B`.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Perform a fixed-size multiply accumulate operation: X += b * A
+ *
+ * \p X may be aliased to \p A (when \p X_limbs == \p A_limbs), but may not
+ * otherwise overlap.
+ *
+ * This function operates modulo `2^(biL*X_limbs)`.
+ *
+ * \param[in,out] X The pointer to the (little-endian) array
+ * representing the bignum to accumulate onto.
+ * \param X_limbs The number of limbs of \p X. This must be
+ * at least \p A_limbs.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the bignum to multiply with.
+ * This may be aliased to \p X but may not overlap
+ * otherwise.
+ * \param A_limbs The number of limbs of \p A.
+ * \param b X scalar to multiply with.
+ *
+ * \return The carry at the end of the operation.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *X, size_t X_limbs,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ mbedtls_mpi_uint b);
+
+/**
+ * \brief Perform a known-size multiplication
+ *
+ * \p X may not be aliased to any of the inputs for this function.
+ * \p A may be aliased to \p B.
+ *
+ * \param[out] X The pointer to the (little-endian) array to receive
+ * the product of \p A_limbs and \p B_limbs.
+ * This must be of length \p A_limbs + \p B_limbs.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the first factor.
+ * \param A_limbs The number of limbs in \p A.
+ * \param[in] B The pointer to the (little-endian) array
+ * representing the second factor.
+ * \param B_limbs The number of limbs in \p B.
+ */
+void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ const mbedtls_mpi_uint *B, size_t B_limbs);
+
+/**
+ * \brief Calculate initialisation value for fast Montgomery modular
+ * multiplication
+ *
+ * \param[in] N Little-endian presentation of the modulus. This must have
+ * at least one limb.
+ *
+ * \return The initialisation value for fast Montgomery modular multiplication
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N);
+
+/**
+ * \brief Montgomery multiplication: X = A * B * R^-1 mod N (HAC 14.36)
+ *
+ * \p A and \p B must be in canonical form. That is, < \p N.
+ *
+ * \p X may be aliased to \p A or \p N, or even \p B (if \p AN_limbs ==
+ * \p B_limbs) but may not overlap any parameters otherwise.
+ *
+ * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may
+ * not alias \p N (since they must be in canonical form, they cannot == \p N).
+ *
+ * \param[out] X The destination MPI, as a little-endian array of
+ * length \p AN_limbs.
+ * On successful completion, X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL*AN_limbs)`.
+ * \param[in] A Little-endian presentation of first operand.
+ * Must have the same number of limbs as \p N.
+ * \param[in] B Little-endian presentation of second operand.
+ * \param[in] B_limbs The number of limbs in \p B.
+ * Must be <= \p AN_limbs.
+ * \param[in] N Little-endian presentation of the modulus.
+ * This must be odd, and have exactly the same number
+ * of limbs as \p A.
+ * It may alias \p X, but must not alias or otherwise
+ * overlap any of the other parameters.
+ * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be calculated by `mbedtls_mpi_core_montmul_init()`.
+ * \param[in,out] T Temporary storage of size at least 2*AN_limbs+1 limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B, size_t B_limbs,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ mbedtls_mpi_uint mm, mbedtls_mpi_uint *T);
+
+/**
+ * \brief Calculate the square of the Montgomery constant. (Needed
+ * for conversion and operations in Montgomery form.)
+ *
+ * \param[out] X A pointer to the result of the calculation of
+ * the square of the Montgomery constant:
+ * 2^{2*n*biL} mod N.
+ * \param[in] N Little-endian presentation of the modulus, which must be odd.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if there is not enough space
+ * to store the value of Montgomery constant squared.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p N modulus is zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p N modulus is negative.
+ */
+int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
+ const mbedtls_mpi *N);
+
+#if defined(MBEDTLS_TEST_HOOKS)
+/**
+ * Copy an MPI from a table without leaking the index.
+ *
+ * \param dest The destination buffer. This must point to a writable
+ * buffer of at least \p limbs limbs.
+ * \param table The address of the table. This must point to a readable
+ * array of \p count elements of \p limbs limbs each.
+ * \param limbs The number of limbs in each table entry.
+ * \param count The number of entries in \p table.
+ * \param index The (secret) table index to look up. This must be in the
+ * range `0 .. count-1`.
+ */
+void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index);
+#endif /* MBEDTLS_TEST_HOOKS */
+
+/**
+ * \brief Fill an integer with a number of random bytes.
+ *
+ * \param X The destination MPI.
+ * \param X_limbs The number of limbs of \p X.
+ * \param bytes The number of random bytes to generate.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p X does not have
+ * enough room for \p bytes bytes.
+ * \return A negative error code on RNG failure.
+ *
+ * \note The bytes obtained from the RNG are interpreted
+ * as a big-endian representation of an MPI; this can
+ * be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_core_fill_random(mbedtls_mpi_uint *X, size_t X_limbs,
+ size_t bytes,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI, with \p limbs limbs.
+ * It must not be aliased with \p N or otherwise overlap it.
+ * \param min The minimum value to return.
+ * \param N The upper bound of the range, exclusive, with \p limbs limbs.
+ * In other words, this is one plus the maximum value to return.
+ * \p N must be strictly larger than \p min.
+ * \param limbs The number of limbs of \p N and \p X.
+ * This must not be 0.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *N,
+ size_t limbs,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_core_exp_mod()`.
+ *
+ * \note This will always be at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
+ * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_core_exp_mod()`.
+ * \param E_limbs The number of limbs in the exponent `E` that will be given
+ * to `mbedtls_mpi_core_exp_mod()`.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_core_exp_mod()`.
+ */
+size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
+
+/**
+ * \brief Perform a modular exponentiation with secret exponent:
+ * X = A^E mod N, where \p A is already in Montgomery form.
+ *
+ * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
+ * \p AN_limbs.
+ *
+ * \param[out] X The destination MPI, as a little endian array of length
+ * \p AN_limbs.
+ * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
+ * Must be in Montgomery form.
+ * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
+ * \param[in] E The exponent, as a little endian array of length \p E_limbs.
+ * \param E_limbs The number of limbs in \p E.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_core_exp_mod_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Subtract unsigned integer from known-size large unsigned integers.
+ * Return the borrow.
+ *
+ * \param[out] X The result of the subtraction.
+ * \param[in] A The left operand.
+ * \param b The unsigned scalar to subtract.
+ * \param limbs Number of limbs of \p X and \p A.
+ *
+ * \return 1 if `A < b`.
+ * 0 if `A >= b`.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint b,
+ size_t limbs);
+
+/**
+ * \brief Determine if a given MPI has the value \c 0 in constant time with
+ * respect to the value (but not with respect to the number of limbs).
+ *
+ * \param[in] A The MPI to test.
+ * \param limbs Number of limbs in \p A.
+ *
+ * \return MBEDTLS_CT_FALSE if `A == 0`
+ * MBEDTLS_CT_TRUE if `A != 0`.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
+ size_t limbs);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_core_montmul()` or one of the other functions
+ * that specifies this as the amount of working memory needed.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_core_montmul()` (or other similar function).
+ */
+static inline size_t mbedtls_mpi_core_montmul_working_limbs(size_t AN_limbs)
+{
+ return 2 * AN_limbs + 1;
+}
+
+/** Convert an MPI into Montgomery form.
+ *
+ * \p X may be aliased to \p A, but may not otherwise overlap it.
+ *
+ * \p X may not alias \p N (it is in canonical form, so must be strictly less
+ * than \p N). Nor may it alias or overlap \p rr (this is unlikely to be
+ * required in practice.)
+ *
+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
+ * an alternative to calling `mbedtls_mpi_mod_raw_to_mont_rep()` when we
+ * don't want to allocate memory.
+ *
+ * \param[out] X The result of the conversion.
+ * Must have the same number of limbs as \p A.
+ * \param[in] A The MPI to convert into Montgomery form.
+ * Must have the same number of limbs as the modulus.
+ * \param[in] N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ * \param[in] AN_limbs The number of limbs in \p X, \p A, \p N and \p rr.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be determined by calling
+ * `mbedtls_mpi_core_montmul_init()`.
+ * \param[in] rr The residue for `2^{2*n*biL} mod N`.
+ * \param[in,out] T Temporary storage of size at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
+ * limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *rr,
+ mbedtls_mpi_uint *T);
+
+/** Convert an MPI from Montgomery form.
+ *
+ * \p X may be aliased to \p A, but may not otherwise overlap it.
+ *
+ * \p X may not alias \p N (it is in canonical form, so must be strictly less
+ * than \p N).
+ *
+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
+ * an alternative to calling `mbedtls_mpi_mod_raw_from_mont_rep()` when we
+ * don't want to allocate memory.
+ *
+ * \param[out] X The result of the conversion.
+ * Must have the same number of limbs as \p A.
+ * \param[in] A The MPI to convert from Montgomery form.
+ * Must have the same number of limbs as the modulus.
+ * \param[in] N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be determined by calling
+ * `mbedtls_mpi_core_montmul_init()`.
+ * \param[in,out] T Temporary storage of size at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
+ * limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T);
+
+#endif /* MBEDTLS_BIGNUM_CORE_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod.c b/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
new file mode 100644
index 0000000..dfd332a
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
@@ -0,0 +1,394 @@
+/**
+ * Modular bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#include <string.h>
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/bignum.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bignum_mod.h"
+#include "bignum_mod_raw.h"
+#include "constant_time_internal.h"
+
+int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *p,
+ size_t p_limbs)
+{
+ if (p_limbs != N->limbs || !mbedtls_mpi_core_lt_ct(p, N->p, N->limbs)) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ r->limbs = N->limbs;
+ r->p = p;
+
+ return 0;
+}
+
+void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r)
+{
+ if (r == NULL) {
+ return;
+ }
+
+ r->limbs = 0;
+ r->p = NULL;
+}
+
+void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N)
+{
+ if (N == NULL) {
+ return;
+ }
+
+ N->p = NULL;
+ N->limbs = 0;
+ N->bits = 0;
+ N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
+}
+
+void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N)
+{
+ if (N == NULL) {
+ return;
+ }
+
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ if (N->rep.mont.rr != NULL) {
+ mbedtls_zeroize_and_free((mbedtls_mpi_uint *) N->rep.mont.rr,
+ N->limbs * sizeof(mbedtls_mpi_uint));
+ N->rep.mont.rr = NULL;
+ }
+ N->rep.mont.mm = 0;
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ N->rep.ored.modp = NULL;
+ break;
+ case MBEDTLS_MPI_MOD_REP_INVALID:
+ break;
+ }
+
+ N->p = NULL;
+ N->limbs = 0;
+ N->bits = 0;
+ N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
+}
+
+static int set_mont_const_square(const mbedtls_mpi_uint **X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi N;
+ mbedtls_mpi RR;
+ *X = NULL;
+
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&RR);
+
+ if (A == NULL || limbs == 0 || limbs >= (MBEDTLS_MPI_MAX_LIMBS / 2) - 2) {
+ goto cleanup;
+ }
+
+ if (mbedtls_mpi_grow(&N, limbs)) {
+ goto cleanup;
+ }
+
+ memcpy(N.p, A, sizeof(mbedtls_mpi_uint) * limbs);
+
+ ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N);
+
+ if (ret == 0) {
+ *X = RR.p;
+ RR.p = NULL;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&RR);
+ ret = (ret != 0) ? MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED : 0;
+ return ret;
+}
+
+static inline void standard_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_mod_rep_selector int_rep)
+{
+ N->p = p;
+ N->limbs = p_limbs;
+ N->bits = mbedtls_mpi_core_bitlen(p, p_limbs);
+ N->int_rep = int_rep;
+}
+
+int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs)
+{
+ int ret = 0;
+ standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY);
+ N->rep.mont.mm = mbedtls_mpi_core_montmul_init(N->p);
+ ret = set_mont_const_square(&N->rep.mont.rr, N->p, N->limbs);
+
+ if (ret != 0) {
+ mbedtls_mpi_mod_modulus_free(N);
+ }
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_modp_fn modp)
+{
+ standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_OPT_RED);
+ N->rep.ored.modp = modp;
+ return 0;
+}
+
+int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (N->limbs == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_uint *T = mbedtls_calloc(N->limbs * 2 + 1, ciL);
+ if (T == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_mod_raw_mul(X->p, A->p, B->p, N, T);
+
+ mbedtls_free(T);
+
+ return 0;
+}
+
+int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_mod_raw_sub(X->p, A->p, B->p, N);
+
+ return 0;
+}
+
+static int mbedtls_mpi_mod_inv_mont(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *working_memory)
+{
+ /* Input already in Montgomery form, so there's little to do */
+ mbedtls_mpi_mod_raw_inv_prime(X->p, A->p,
+ N->p, N->limbs,
+ N->rep.mont.rr,
+ working_memory);
+ return 0;
+}
+
+static int mbedtls_mpi_mod_inv_non_mont(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *working_memory)
+{
+ /* Need to convert input into Montgomery form */
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_mod_modulus Nmont;
+ mbedtls_mpi_mod_modulus_init(&Nmont);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_modulus_setup(&Nmont, N->p, N->limbs));
+
+ /* We'll use X->p to hold the Montgomery form of the input A->p */
+ mbedtls_mpi_core_to_mont_rep(X->p, A->p, Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.mm, Nmont.rep.mont.rr,
+ working_memory);
+
+ mbedtls_mpi_mod_raw_inv_prime(X->p, X->p,
+ Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.rr,
+ working_memory);
+
+ /* And convert back from Montgomery form */
+
+ mbedtls_mpi_core_from_mont_rep(X->p, X->p, Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.mm, working_memory);
+
+cleanup:
+ mbedtls_mpi_mod_modulus_free(&Nmont);
+ return ret;
+}
+
+int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /* Zero has the same value regardless of Montgomery form or not */
+ if (mbedtls_mpi_core_check_zero_ct(A->p, A->limbs) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ size_t working_limbs =
+ mbedtls_mpi_mod_raw_inv_prime_working_limbs(N->limbs);
+
+ mbedtls_mpi_uint *working_memory = mbedtls_calloc(working_limbs,
+ sizeof(mbedtls_mpi_uint));
+ if (working_memory == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ ret = mbedtls_mpi_mod_inv_mont(X, A, N, working_memory);
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ ret = mbedtls_mpi_mod_inv_non_mont(X, A, N, working_memory);
+ break;
+ default:
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ break;
+ }
+
+ mbedtls_zeroize_and_free(working_memory,
+ working_limbs * sizeof(mbedtls_mpi_uint));
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_mod_raw_add(X->p, A->p, B->p, N);
+
+ return 0;
+}
+
+int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (X->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_mod_raw_random(X->p, min, N, f_rng, p_rng);
+}
+
+int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+ /* Do our best to check if r and m have been set up */
+ if (r->limbs == 0 || N->limbs == 0) {
+ goto cleanup;
+ }
+ if (r->limbs != N->limbs) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_mpi_mod_raw_read(r->p, N, buf, buflen, ext_rep);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ r->limbs = N->limbs;
+
+ ret = mbedtls_mpi_mod_raw_canonical_to_modulus_rep(r->p, N);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ /* Do our best to check if r and m have been set up */
+ if (r->limbs == 0 || N->limbs == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ if (r->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint *working_memory = r->p;
+ size_t working_memory_len = sizeof(mbedtls_mpi_uint) * r->limbs;
+
+ if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) {
+
+ working_memory = mbedtls_calloc(r->limbs, sizeof(mbedtls_mpi_uint));
+
+ if (working_memory == NULL) {
+ ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ memcpy(working_memory, r->p, working_memory_len);
+
+ ret = mbedtls_mpi_mod_raw_from_mont_rep(working_memory, N);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = mbedtls_mpi_mod_raw_write(working_memory, N, buf, buflen, ext_rep);
+
+cleanup:
+
+ if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY &&
+ working_memory != NULL) {
+
+ mbedtls_zeroize_and_free(working_memory, working_memory_len);
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
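Review bot: In `mbedtls_mpi_mod_mul` the scratch buffer `T` is released with plain `mbedtls_free(T)`, whereas `mbedtls_mpi_mod_inv` and `mbedtls_mpi_mod_write` in this same file wipe their working memory with `mbedtls_zeroize_and_free()`. `T` is passed to `mbedtls_mpi_mod_raw_mul()`, which is defined outside this hunk, so it presumably ends up holding intermediate products of the residues `A` and `B`. Those residues can be secret values in the code guarded by `MBEDTLS_ECP_WITH_MPI_UINT`. I would replace the free with `mbedtls_zeroize_and_free(T, (N->limbs * 2 + 1) * ciL);` so that freed heap memory does not retain that material. The same size expression is already used for the `mbedtls_calloc` call a few lines earlier, so the two stay in step.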
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod.h b/tf-psa-crypto/drivers/builtin/src/bignum_mod.h
new file mode 100644
index 0000000..963d888
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod.h
@@ -0,0 +1,452 @@
+/**
+ * Modular bignum functions
+ *
+ * This module implements operations on integers modulo some fixed modulus.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ *
+ * - **Modulus parameters**: the modulus is passed as a pointer to a structure
+ * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
+ * array of limbs storing the bignum value of the modulus. The modulus must
+ * be odd and is assumed to have no leading zeroes. The modulus is usually
+ * named \c N and is usually input-only. Functions which take a parameter
+ * of type \c const #mbedtls_mpi_mod_modulus* must not modify its value.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs or to a #mbedtls_mpi_mod_residue structure. A limb has the type
+ * #mbedtls_mpi_uint. Residues must be initialized before use, and must be
+ * associated with the modulus \c N. Unless otherwise specified:
+ * - Bignum parameters called \c A, \c B, ... are inputs and are not
+ * modified by the function. Functions which take a parameter of
+ * type \c const #mbedtls_mpi_mod_residue* must not modify its value.
+ * - Bignum parameters called \c X, \c Y, ... are outputs or input-output.
+ * The initial bignum value of output-only parameters is ignored, but
+ * they must be set up and associated with the modulus \c N. Some
+ * functions (typically constant-flow) require that the limbs in an
+ * output residue are initialized.
+ * - Bignum parameters called \c p are inputs used to set up a modulus or
+ * residue. These must be pointers to an array of limbs.
+ * - \c T is a temporary storage area. The initial content of such a
+ * parameter is ignored and the final content is unspecified.
+ * - Some functions use different names, such as \c r for the residue.
+ * - **Bignum sizes**: bignum sizes are always expressed in limbs. Both
+ * #mbedtls_mpi_mod_modulus and #mbedtls_mpi_mod_residue have a \c limbs
+ * member storing its size. All bignum parameters must have the same
+ * number of limbs as the modulus. All bignum sizes must be at least 1 and
+ * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
+ * undefined.
+ * - **Bignum representation**: the representation of inputs and outputs is
+ * specified by the \c int_rep field of the modulus.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * The modulus is passed after residues. Temporaries come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. Modulus values may not be aliased to any other parameter. Outputs
+ * may not be aliased to one another. Temporaries may not be aliased to any
+ * other parameter.
+ * - **Overlap**: apart from aliasing of residue pointers (where two residue
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: functions generally check compatibility of input
+ * sizes. Most functions will not check that input values are in canonical
+ * form (i.e. that \c A < \c N), this is only checked during setup of a
+ * residue structure.
+ * - **Modular representatives**: all functions expect inputs to be in the
+ * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1].
+ * Residues are set up with an associated modulus, and operations are only
+ * guaranteed to work if the modulus is associated with all residue
+ * parameters. If a residue is passed with a modulus other than the one it
+ * is associated with, then it may be out of range. If an input is out of
+ * range, outputs are fully unspecified, though bignum values out of range
+ * should not cause buffer overflows (beware that this is not extensively
+ * tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_H
+#define MBEDTLS_BIGNUM_MOD_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/** How residues associated with a modulus are represented.
+ *
+ * This also determines which fields of the modulus structure are valid and
+ * what their contents are (see #mbedtls_mpi_mod_modulus).
+ */
+typedef enum {
+ /** Representation not chosen (makes the modulus structure invalid). */
+ MBEDTLS_MPI_MOD_REP_INVALID = 0,
+ /* Skip 1 as it is slightly easier to accidentally pass to functions. */
+ /** Montgomery representation. */
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY = 2,
+ /* Optimised reduction available. This indicates a coordinate modulus (P)
+ * and one or more of the following have been configured:
+ * - A nist curve (MBEDTLS_ECP_DP_SECPXXXR1_ENABLED) & MBEDTLS_ECP_NIST_OPTIM.
+ * - A Kobliz Curve.
+ * - A Fast Reduction Curve CURVE25519 or CURVE448. */
+ MBEDTLS_MPI_MOD_REP_OPT_RED,
+} mbedtls_mpi_mod_rep_selector;
+
+/* Make mbedtls_mpi_mod_rep_selector and mbedtls_mpi_mod_ext_rep disjoint to
+ * make it easier to catch when they are accidentally swapped. */
+typedef enum {
+ MBEDTLS_MPI_MOD_EXT_REP_INVALID = 0,
+ MBEDTLS_MPI_MOD_EXT_REP_LE = 8,
+ MBEDTLS_MPI_MOD_EXT_REP_BE
+} mbedtls_mpi_mod_ext_rep;
+
+typedef struct {
+ mbedtls_mpi_uint *p;
+ size_t limbs;
+} mbedtls_mpi_mod_residue;
+
+typedef struct {
+ mbedtls_mpi_uint const *rr; /* The residue for 2^{2*n*biL} mod N */
+ mbedtls_mpi_uint mm; /* Montgomery const for -N^{-1} mod 2^{ciL} */
+} mbedtls_mpi_mont_struct;
+
+typedef int (*mbedtls_mpi_modp_fn)(mbedtls_mpi_uint *X, size_t X_limbs);
+
+typedef struct {
+ mbedtls_mpi_modp_fn modp; /* The optimised reduction function pointer */
+} mbedtls_mpi_opt_red_struct;
+
+typedef struct {
+ const mbedtls_mpi_uint *p;
+ size_t limbs; // number of limbs
+ size_t bits; // bitlen of p
+ mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union
+ union rep {
+ /* if int_rep == #MBEDTLS_MPI_MOD_REP_MONTGOMERY */
+ mbedtls_mpi_mont_struct mont;
+ /* if int_rep == #MBEDTLS_MPI_MOD_REP_OPT_RED */
+ mbedtls_mpi_opt_red_struct ored;
+ } rep;
+} mbedtls_mpi_mod_modulus;
+
+/** Setup a residue structure.
+ *
+ * The residue will be set up with the buffer \p p and modulus \p N.
+ *
+ * The memory pointed to by \p p will be used by the resulting residue structure.
+ * The value at the pointed-to memory will be the initial value of \p r and must
+ * hold a value that is less than the modulus. This value will be used as-is
+ * and interpreted according to the value of the `N->int_rep` field.
+ *
+ * The modulus \p N will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p N.
+ *
+ * \param[out] r The address of the residue to setup.
+ * \param[in] N The address of the modulus related to \p r.
+ * \param[in] p The address of the limb array containing the value of \p r.
+ * The memory pointed to by \p p will be used by \p r and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_residue_release() is called. The data
+ * pointed to by \p p must be less than the modulus (the value
+ * pointed to by `N->p`) and already in the representation
+ * indicated by `N->int_rep`.
+ * \param p_limbs The number of limbs of \p p. Must be the same as the number
+ * of limbs in the modulus \p N.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the
+ * limbs in \p N or if \p p is not less than \p N.
+ */
+int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *p,
+ size_t p_limbs);
+
+/** Unbind elements of a residue structure.
+ *
+ * This function removes the reference to the limb array that was passed to
+ * mbedtls_mpi_mod_residue_setup() to make it safe to free or use again.
+ *
+ * This function invalidates \p r and it must not be used until after
+ * mbedtls_mpi_mod_residue_setup() is called on it again.
+ *
+ * \param[out] r The address of residue to release.
+ */
+void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r);
+
+/** Initialize a modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to initialize.
+ */
+void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N);
+
+/** Setup a modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to populate.
+ * \param[in] p The address of the limb array storing the value of \p N.
+ * The memory pointed to by \p p will be used by \p N and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_modulus_free() is called.
+ * \param p_limbs The number of limbs of \p p.
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs);
+
+/** Setup an optimised-reduction compatible modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to populate.
+ * \param[in] p The address of the limb array storing the value of \p N.
+ * The memory pointed to by \p p will be used by \p N and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_modulus_free() is called.
+ * \param p_limbs The number of limbs of \p p.
+ * \param modp A pointer to the optimised reduction function to use. \p p.
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_modp_fn modp);
+
+/** Free elements of a modulus structure.
+ *
+ * This function frees any memory allocated by mbedtls_mpi_mod_modulus_setup().
+ *
+ * \warning This function does not free the limb array passed to
+ * mbedtls_mpi_mod_modulus_setup() only removes the reference to it,
+ * making it safe to free or to use it again.
+ *
+ * \param[in,out] N The address of the modulus structure to free.
+ */
+void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N);
+
+/** \brief Multiply two residues, returning the residue modulo the specified
+ * modulus.
+ *
+ * \note Currently handles the case when `N->int_rep` is
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ *
+ * The size of the operation is determined by \p N. \p A, \p B and \p X must
+ * all be associated with the modulus \p N and must all have the same number
+ * of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise. They may not alias \p N (since they must be in canonical
+ * form, they cannot == \p N).
+ *
+ * \param[out] X The address of the result MPI. Must have the same
+ * number of limbs as \p N.
+ * On successful completion, \p X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL * N->limbs)`.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the multiplication.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if all the parameters do not
+ * have the same number of limbs or \p N is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/**
+ * \brief Perform a fixed-size modular subtraction.
+ *
+ * Calculate `A - B modulo N`.
+ *
+ * \p A, \p B and \p X must all have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \note This function does not check that \p A or \p B are in canonical
+ * form (that is, are < \p N) - that will have been done by
+ * mbedtls_mpi_mod_residue_setup().
+ *
+ * \param[out] X The address of the result MPI. Must be initialized.
+ * Must have the same number of limbs as the modulus \p N.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ */
+int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/**
+ * \brief Perform modular inversion of an MPI with respect to a modulus \p N.
+ *
+ * \p A and \p X must be associated with the modulus \p N and will therefore
+ * have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A.
+ *
+ * \warning Currently only supports prime moduli, but does not check for them.
+ *
+ * \param[out] X The modular inverse of \p A with respect to \p N.
+ * \param[in] A The number to calculate the modular inverse of.
+ * Must not be 0.
+ * \param[in] N The modulus to use.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A and \p N do not
+ * have the same number of limbs.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A is zero.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
+ * memory (needed for conversion to and from Mongtomery form
+ * when not in Montgomery form already, and for temporary use
+ * by the inversion calculation itself).
+ */
+
+int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N);
+/**
+ * \brief Perform a fixed-size modular addition.
+ *
+ * Calculate `A + B modulo N`.
+ *
+ * \p A, \p B and \p X must all be associated with the modulus \p N and must
+ * all have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \note This function does not check that \p A or \p B are in canonical
+ * form (that is, are < \p N) - that will have been done by
+ * mbedtls_mpi_mod_residue_setup().
+ *
+ * \param[out] X The address of the result residue. Must be initialized.
+ * Must have the same number of limbs as the modulus \p N.
+ * \param[in] A The address of the first input residue.
+ * \param[in] B The address of the second input residue.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the addition.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ */
+int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination residue.
+ * \param min The minimum value to return. It must be strictly smaller
+ * than \b N.
+ * \param N The modulus.
+ * This is the upper bound of the output range, exclusive.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Read a residue from a byte buffer.
+ *
+ * The residue will be automatically converted to the internal representation
+ * based on the value of the `N->int_rep` field.
+ *
+ * The modulus \p N will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p N or a modulus
+ * equivalent to \p N (in the sense that all their fields or memory pointed by
+ * their fields hold the same value).
+ *
+ * \param[out] r The address of the residue. It must have exactly the same
+ * number of limbs as the modulus \p N.
+ * \param[in] N The address of the modulus.
+ * \param[in] buf The input buffer to import from.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness of the number in the input buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't
+ * large enough to hold the value in \p buf.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep
+ * is invalid or the value in the buffer is not less than \p N.
+ */
+int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** Write a residue into a byte buffer.
+ *
+ * The modulus \p N must be the modulus associated with \p r (see
+ * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()).
+ *
+ * The residue will be automatically converted from the internal representation
+ * based on the value of `N->int_rep` field.
+ *
+ * \warning If the buffer is smaller than `N->bits`, the number of
+ * leading zeroes is leaked through timing. If \p r is
+ * secret, the caller must ensure that \p buflen is at least
+ * (`N->bits`+7)/8.
+ *
+ * \param[in] r The address of the residue. It must have the same number of
+ * limbs as the modulus \p N. (\p r is an input parameter, but
+ * its value will be modified during execution and restored
+ * before the function returns.)
+ * \param[in] N The address of the modulus associated with \p r.
+ * \param[out] buf The output buffer to export to.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness in which the number should be written into
+ * the output buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p r (without leading
+ * zeroes).
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
+ * memory for conversion. Can occur only for moduli with
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ */
+int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+#endif /* MBEDTLS_BIGNUM_MOD_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
new file mode 100644
index 0000000..5343bc6
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
@@ -0,0 +1,276 @@
+/*
+ * Low-level modular bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#include <string.h>
+
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bignum_mod_raw.h"
+#include "bignum_mod.h"
+#include "constant_time_internal.h"
+
+#include "bignum_mod_raw_invasive.h"
+
+void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char assign)
+{
+ mbedtls_mpi_core_cond_assign(X, A, N->limbs, mbedtls_ct_bool(assign));
+}
+
+void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char swap)
+{
+ mbedtls_mpi_core_cond_swap(X, Y, N->limbs, mbedtls_ct_bool(swap));
+}
+
+int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *input,
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (ext_rep) {
+ case MBEDTLS_MPI_MOD_EXT_REP_LE:
+ ret = mbedtls_mpi_core_read_le(X, N->limbs,
+ input, input_length);
+ break;
+ case MBEDTLS_MPI_MOD_EXT_REP_BE:
+ ret = mbedtls_mpi_core_read_be(X, N->limbs,
+ input, input_length);
+ break;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (!mbedtls_mpi_core_lt_ct(X, N->p, N->limbs)) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *output,
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ switch (ext_rep) {
+ case MBEDTLS_MPI_MOD_EXT_REP_LE:
+ return mbedtls_mpi_core_write_le(A, N->limbs,
+ output, output_length);
+ case MBEDTLS_MPI_MOD_EXT_REP_BE:
+ return mbedtls_mpi_core_write_be(A, N->limbs,
+ output, output_length);
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, A, B, N->limbs);
+
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
+}
+
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
+}
+
+
+void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *T)
+{
+ /* Standard (A * B) multiplication stored into pre-allocated T
+ * buffer of fixed limb size of (2N + 1).
+ *
+ * The space may not not fully filled by when
+ * MBEDTLS_MPI_MOD_REP_OPT_RED is used. */
+ const size_t T_limbs = BITS_TO_LIMBS(N->bits) * 2;
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ mbedtls_mpi_core_montmul(X, A, B, N->limbs, N->p, N->limbs,
+ N->rep.mont.mm, T);
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ mbedtls_mpi_core_mul(T, A, N->limbs, B, N->limbs);
+
+ /* Optimised Reduction */
+ (*N->rep.ored.modp)(T, T_limbs);
+
+ /* Convert back to canonical representation */
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(T, N);
+ memcpy(X, T, N->limbs * sizeof(mbedtls_mpi_uint));
+ break;
+ default:
+ break;
+ }
+
+}
+
+size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs)
+{
+ /* mbedtls_mpi_mod_raw_inv_prime() needs a temporary for the exponent,
+ * which will be the same size as the modulus and input (AN_limbs),
+ * and additional space to pass to mbedtls_mpi_core_exp_mod(). */
+ return AN_limbs +
+ mbedtls_mpi_core_exp_mod_working_limbs(AN_limbs, AN_limbs);
+}
+
+void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ /* Inversion by power: g^|G| = 1 => g^(-1) = g^(|G|-1), and
+ * |G| = N - 1, so we want
+ * g^(|G|-1) = g^(N - 2)
+ */
+
+ /* Use the first AN_limbs of T to hold N - 2 */
+ mbedtls_mpi_uint *Nminus2 = T;
+ (void) mbedtls_mpi_core_sub_int(Nminus2, N, 2, AN_limbs);
+
+ /* Rest of T is given to exp_mod for its working space */
+ mbedtls_mpi_core_exp_mod(X,
+ A, N, AN_limbs, Nminus2, AN_limbs,
+ RR, T + AN_limbs);
+}
+
+void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint carry, borrow;
+ carry = mbedtls_mpi_core_add(X, A, B, N->limbs);
+ borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) (carry ^ borrow));
+}
+
+int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ return mbedtls_mpi_mod_raw_to_mont_rep(X, N);
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ return 0;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ return mbedtls_mpi_mod_raw_from_mont_rep(X, N);
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ return 0;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = mbedtls_mpi_core_random(X, min, N->p, N->limbs, f_rng, p_rng);
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_mpi_mod_raw_canonical_to_modulus_rep(X, N);
+}
+
+int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint *T;
+ const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
+
+ if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_core_to_mont_rep(X, X, N->p, N->limbs,
+ N->rep.mont.mm, N->rep.mont.rr, T);
+
+ mbedtls_zeroize_and_free(T, t_limbs * ciL);
+ return 0;
+}
+
+int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
+ mbedtls_mpi_uint *T;
+
+ if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_core_from_mont_rep(X, X, N->p, N->limbs, N->rep.mont.mm, T);
+
+ mbedtls_zeroize_and_free(T, t_limbs * ciL);
+ return 0;
+}
+
+void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_core_sub(X, N->p, A, N->limbs);
+
+ /* If A=0 initially, then X=N now. Detect this by
+ * subtracting N and catching the carry. */
+ mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) borrow);
+}
+
+#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
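Review bot: In `mbedtls_mpi_mod_raw_mul` the comment describes T as a buffer of `(2N + 1)` limbs, but the OPT_RED branch computes the product with `N->limbs` per operand and then passes the reduction function `T_limbs = BITS_TO_LIMBS(N->bits) * 2`. The two sizes agree only if the modulus has no leading zero limbs; otherwise the reduction would presumably see only part of the product. That assumption is not stated in this file, so I would add `/* Relies on N->p having no leading zero limbs, so T_limbs == 2 * N->limbs and covers the whole product. */` above the `T_limbs` declaration, and fix the wording "may not not fully filled by when" in the same comment. The `default: break;` arm also returns without writing X, and because the function is `void`, a caller that passes a modulus with an unsupported `int_rep` cannot tell that X is stale. A one-line comment on that arm, such as `/* unsupported representation: X is left unmodified */`, would make the contract explicit.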
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h
new file mode 100644
index 0000000..7bb4ca3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h
@@ -0,0 +1,416 @@
+/**
+ * Low-level modular bignum functions
+ *
+ * This interface should only be used by the higher-level modular bignum
+ * module (bignum_mod.c) and the ECP module (ecp.c, ecp_curves.c). All other
+ * modules should use the high-level modular bignum interface (bignum_mod.h)
+ * or the legacy bignum interface (bignum.h).
+ *
+ * This is a low-level interface to operations on integers modulo which
+ * has no protection against passing invalid arguments such as arrays of
+ * the wrong size. The functions in bignum_mod.h provide a higher-level
+ * interface that includes protections against accidental misuse, at the
+ * expense of code size and sometimes more cumbersome memory management.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ * - **Modulus parameters**: the modulus is passed as a pointer to a structure
+ * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
+ * array of limbs storing the bignum value of the modulus. The modulus must
+ * be odd and is assumed to have no leading zeroes. The modulus is usually
+ * named \c N and is usually input-only.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
+ * - Bignum parameters called \c A, \c B, ... are inputs, and are not
+ * modified by the function.
+ * - Bignum parameters called \c X, \c Y are outputs or input-output.
+ * The initial content of output-only parameters is ignored.
+ * - \c T is a temporary storage area. The initial content of such a
+ * parameter is ignored and the final content is unspecified.
+ * - **Bignum sizes**: bignum sizes are usually expressed by the \c limbs
+ * member of the modulus argument. All bignum parameters must have the same
+ * number of limbs as the modulus. All bignum sizes must be at least 1 and
+ * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
+ * undefined.
+ * - **Bignum representation**: the representation of inputs and outputs is
+ * specified by the \c int_rep field of the modulus for arithmetic
+ * functions. Utility functions may allow for different representation.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * The modulus is passed after other bignum input parameters. Temporaries
+ * come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. Modulus values may not be aliased to any other parameter. Outputs
+ * may not be aliased to one another. Temporaries may not be aliased to any
+ * other parameter.
+ * - **Overlap**: apart from aliasing of limb array pointers (where two
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: This is a low-level module. Functions generally do not
+ * try to protect against invalid arguments such as nonsensical sizes or
+ * null pointers. Note that passing bignums with a different size than the
+ * modulus may lead to buffer overflows. Some functions which allocate
+ * memory or handle reading/writing of bignums will return an error if
+ * memory allocation fails or if buffer sizes are invalid.
+ * - **Modular representatives**: all functions expect inputs to be in the
+ * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1]. If
+ * an input is out of range, outputs are fully unspecified, though bignum
+ * values out of range should not cause buffer overflows (beware that this is
+ * not extensively tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_RAW_H
+#define MBEDTLS_BIGNUM_MOD_RAW_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "bignum_mod.h"
+
+/**
+ * \brief Perform a safe conditional copy of an MPI which doesn't reveal
+ * whether the assignment was done or not.
+ *
+ * The size to copy is determined by \p N.
+ *
+ * \param[out] X The address of the destination MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of \p A.
+ * \param[in] A The address of the source MPI. This must be initialized.
+ * \param[in] N The address of the modulus related to \p X and \p A.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Must be either 0 or 1:
+ * * \c 1: Perform the assignment `X = A`.
+ * * \c 0: Keep the original value of \p X.
+ *
+ * \note This function avoids leaking any information about whether
+ * the assignment was done or not.
+ *
+ * \warning If \p assign is neither 0 nor 1, the result of this function
+ * is indeterminate, and the resulting value in \p X might be
+ * neither its original value nor the value in \p A.
+ */
+void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char assign);
+
+/**
+ * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
+ * whether the swap was done or not.
+ *
+ * The size to swap is determined by \p N.
+ *
+ * \param[in,out] X The address of the first MPI. This must be initialized.
+ * \param[in,out] Y The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus related to \p X and \p Y.
+ * \param swap The condition deciding whether to perform
+ * the swap or not. Must be either 0 or 1:
+ * * \c 1: Swap the values of \p X and \p Y.
+ * * \c 0: Keep the original values of \p X and \p Y.
+ *
+ * \note This function avoids leaking any information about whether
+ * the swap was done or not.
+ *
+ * \warning If \p swap is neither 0 nor 1, the result of this function
+ * is indeterminate, and both \p X and \p Y might end up with
+ * values different to either of the original ones.
+ */
+void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char swap);
+
+/** Import X from unsigned binary data.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI. The size is determined by \p N.
+ * (In particular, it must have at least as many limbs as
+ * the modulus \p N.)
+ * \param[in] N The address of the modulus related to \p X.
+ * \param[in] input The input buffer to import from.
+ * \param input_length The length in bytes of \p input.
+ * \param ext_rep The endianness of the number in the input buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p N is invalid or \p X is not less than \p N.
+ */
+int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *input,
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** Export A into unsigned binary data.
+ *
+ * \param[in] A The address of the MPI. The size is determined by \p N.
+ * (In particular, it must have at least as many limbs as
+ * the modulus \p N.)
+ * \param[in] N The address of the modulus related to \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ * \param ext_rep The endianness in which the number should be written into the output buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p N is invalid.
+ */
+int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *output,
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** \brief Subtract two MPIs, returning the residue modulo the specified
+ * modulus.
+ *
+ * The size of the operation is determined by \p N. \p A and \p B must have
+ * the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The address of the result MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of the result.
+ * \param[in] A The address of the first MPI. This must be initialized.
+ * \param[in] B The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ */
+void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** \brief Multiply two MPIs, returning the residue modulo the specified
+ * modulus.
+ *
+ * \note Currently handles the case when `N->int_rep` is
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ *
+ * The size of the operation is determined by \p N. \p A, \p B and \p X must
+ * all be associated with the modulus \p N and must all have the same number
+ * of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise. They may not alias \p N (since they must be in canonical
+ * form, they cannot == \p N).
+ *
+ * \param[out] X The address of the result MPI. Must have the same
+ * number of limbs as \p N.
+ * On successful completion, \p X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL * N->limbs)`.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the multiplication.
+ * \param[in,out] T Temporary storage of size at least 2 * N->limbs + 1
+ * limbs. Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_mod_raw_inv_prime()`.
+ *
+ * \note This will always be at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
+ * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_mod_raw_inv_prime()`.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_mod_raw_inv_prime()`.
+ */
+size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs);
+
+/**
+ * \brief Perform fixed-width modular inversion of a Montgomery-form MPI with
+ * respect to a modulus \p N that must be prime.
+ *
+ * \p X may be aliased to \p A, but not to \p N or \p RR.
+ *
+ * \param[out] X The modular inverse of \p A with respect to \p N.
+ * Will be in Montgomery form.
+ * \param[in] A The number to calculate the modular inverse of.
+ * Must be in Montgomery form. Must not be 0.
+ * \param[in] N The modulus, as a little-endian array of length \p AN_limbs.
+ * Must be prime.
+ * \param AN_limbs The number of limbs in \p A, \p N and \p RR.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little-
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_mod_raw_inv_prime_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Perform a known-size modular addition.
+ *
+ * Calculate `A + B modulo N`.
+ *
+ * The number of limbs in each operand, and the result, is given by the
+ * modulus \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The result of the modular addition.
+ * \param[in] A Little-endian presentation of the left operand. This
+ * must be smaller than \p N.
+ * \param[in] B Little-endian presentation of the right operand. This
+ * must be smaller than \p N.
+ * \param[in] N The address of the modulus.
+ */
+void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI from canonical representation (little-endian limb array)
+ * to the representation associated with the modulus.
+ *
+ * \param[in,out] X The limb array to convert.
+ * It must have as many limbs as \p N.
+ * It is converted in place.
+ * If this function returns an error, the content of \p X
+ * is unspecified.
+ * \param[in] N The modulus structure.
+ *
+ * \return \c 0 if successful.
+ * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
+ */
+int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI from the representation associated with the modulus
+ * to canonical representation (little-endian limb array).
+ *
+ * \param[in,out] X The limb array to convert.
+ * It must have as many limbs as \p N.
+ * It is converted in place.
+ * If this function returns an error, the content of \p X
+ * is unspecified.
+ * \param[in] N The modulus structure.
+ *
+ * \return \c 0 if successful.
+ * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
+ */
+int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI, in canonical representation modulo \p N.
+ * It must not be aliased with \p N or otherwise overlap it.
+ * \param min The minimum value to return. It must be strictly smaller
+ * than \b N.
+ * \param N The modulus.
+ * This is the upper bound of the output range, exclusive.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Convert an MPI into Montgomery form.
+ *
+ * \param X The address of the MPI.
+ * Must have the same number of limbs as \p N.
+ * \param N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI back from Montgomery representation.
+ *
+ * \param X The address of the MPI.
+ * Must have the same number of limbs as \p N.
+ * \param N The address of the modulus, which gives the size of
+ * the base `R`= 2^(biL*N->limbs).
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** \brief Perform fixed width modular negation.
+ *
+ * The size of the operation is determined by \p N. \p A must have
+ * the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A.
+ *
+ * \param[out] X The result of the modular negation.
+ * This must be initialized.
+ * \param[in] A Little-endian presentation of the input operand. This
+ * must be less than or equal to \p N.
+ * \param[in] N The modulus to use.
+ */
+void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N);
+
+#endif /* MBEDTLS_BIGNUM_MOD_RAW_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h
new file mode 100644
index 0000000..94a0d06
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h
@@ -0,0 +1,34 @@
+/**
+ * \file bignum_mod_raw_invasive.h
+ *
+ * \brief Function declarations for invasive functions of Low-level
+ * modular bignum.
+ */
+/**
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+#define MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+/** Convert the result of a quasi-reduction to its canonical representative.
+ *
+ * \param[in,out] X The address of the MPI to be converted. Must have the
+ * same number of limbs as \p N. The input value must
+ * be in range 0 <= X < 2N.
+ * \param[in] N The address of the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/block_cipher.c b/tf-psa-crypto/drivers/builtin/src/block_cipher.c
new file mode 100644
index 0000000..51cdcdf
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/block_cipher.c
@@ -0,0 +1,207 @@
+/**
+ * \file block_cipher.c
+ *
+ * \brief Lightweight abstraction layer for block ciphers with 128 bit blocks,
+ * for use by the GCM and CCM modules.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "psa_util_internal.h"
+#endif
+
+#include "block_cipher_internal.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+static psa_key_type_t psa_key_type_from_block_cipher_id(mbedtls_block_cipher_id_t cipher_id)
+{
+ switch (cipher_id) {
+#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return PSA_KEY_TYPE_AES;
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return PSA_KEY_TYPE_ARIA;
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return PSA_KEY_TYPE_CAMELLIA;
+#endif
+ default:
+ return PSA_KEY_TYPE_NONE;
+ }
+}
+
+static int mbedtls_cipher_error_from_psa(psa_status_t status)
+{
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_cipher_errors,
+ psa_generic_status_to_mbedtls);
+}
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_destroy_key(ctx->psa_key_id);
+ return;
+ }
+#endif
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ mbedtls_aes_free(&ctx->ctx.aes);
+ break;
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ mbedtls_aria_free(&ctx->ctx.aria);
+ break;
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ mbedtls_camellia_free(&ctx->ctx.camellia);
+ break;
+#endif
+ default:
+ break;
+ }
+ ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE;
+}
+
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+ mbedtls_cipher_id_t cipher_id)
+{
+ ctx->id = (cipher_id == MBEDTLS_CIPHER_ID_AES) ? MBEDTLS_BLOCK_CIPHER_ID_AES :
+ (cipher_id == MBEDTLS_CIPHER_ID_ARIA) ? MBEDTLS_BLOCK_CIPHER_ID_ARIA :
+ (cipher_id == MBEDTLS_CIPHER_ID_CAMELLIA) ? MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA :
+ MBEDTLS_BLOCK_CIPHER_ID_NONE;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ psa_key_type_t psa_key_type = psa_key_type_from_block_cipher_id(ctx->id);
+ if (psa_key_type != PSA_KEY_TYPE_NONE &&
+ psa_can_do_cipher(psa_key_type, PSA_ALG_ECB_NO_PADDING)) {
+ ctx->engine = MBEDTLS_BLOCK_CIPHER_ENGINE_PSA;
+ return 0;
+ }
+ ctx->engine = MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY;
+#endif
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ mbedtls_aes_init(&ctx->ctx.aes);
+ return 0;
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ mbedtls_aria_init(&ctx->ctx.aria);
+ return 0;
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ mbedtls_camellia_init(&ctx->ctx.camellia);
+ return 0;
+#endif
+ default:
+ ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE;
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char *key,
+ unsigned key_bitlen)
+{
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ psa_set_key_type(&key_attr, psa_key_type_from_block_cipher_id(ctx->id));
+ psa_set_key_bits(&key_attr, key_bitlen);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_ECB_NO_PADDING);
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT);
+
+ status = psa_import_key(&key_attr, key, PSA_BITS_TO_BYTES(key_bitlen), &ctx->psa_key_id);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_cipher_error_from_psa(status);
+ }
+ psa_reset_key_attributes(&key_attr);
+
+ return 0;
+ }
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return mbedtls_aes_setkey_enc(&ctx->ctx.aes, key, key_bitlen);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return mbedtls_aria_setkey_enc(&ctx->ctx.aria, key, key_bitlen);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return mbedtls_camellia_setkey_enc(&ctx->ctx.camellia, key, key_bitlen);
+#endif
+ default:
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+}
+
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_status_t status;
+ size_t olen;
+
+ status = psa_cipher_encrypt(ctx->psa_key_id, PSA_ALG_ECB_NO_PADDING,
+ input, 16, output, 16, &olen);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_cipher_error_from_psa(status);
+ }
+ return 0;
+ }
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return mbedtls_aes_crypt_ecb(&ctx->ctx.aes, MBEDTLS_AES_ENCRYPT,
+ input, output);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return mbedtls_aria_crypt_ecb(&ctx->ctx.aria, input, output);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return mbedtls_camellia_crypt_ecb(&ctx->ctx.camellia,
+ MBEDTLS_CAMELLIA_ENCRYPT,
+ input, output);
+#endif
+ default:
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+}
+
+#endif /* MBEDTLS_BLOCK_CIPHER_C */
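Review bot: In `mbedtls_block_cipher_free()` the PSA branch returns right after `psa_destroy_key(ctx->psa_key_id)`, so unlike the legacy path it never reaches `ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE` and leaves the destroyed key identifier in the context. A second free, or any later call on the same context, would then act on a stale identifier, which matters if the key store can assign that identifier to another key. Resetting the state before the early return avoids this, e.g. `ctx->psa_key_id = MBEDTLS_SVC_KEY_ID_INIT; ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE;` (assuming the field is an `mbedtls_svc_key_id_t`; its declaration is not in this hunk). Related, in `mbedtls_block_cipher_setkey()` the PSA branch overwrites `ctx->psa_key_id` through `psa_import_key()` without destroying a key imported by an earlier call, and it skips `psa_reset_key_attributes(&key_attr)` on the error return.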
diff --git a/tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h b/tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h
new file mode 100644
index 0000000..c57338b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h
@@ -0,0 +1,99 @@
+/**
+ * \file block_cipher_internal.h
+ *
+ * \brief Lightweight abstraction layer for block ciphers with 128 bit blocks,
+ * for use by the GCM and CCM modules.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BLOCK_CIPHER_INTERNAL_H
+#define MBEDTLS_BLOCK_CIPHER_INTERNAL_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#include "mbedtls/block_cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Initialize the context.
+ * This must be the first API call before using the context.
+ *
+ * \param ctx The context to initialize.
+ */
+static inline void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+/**
+ * \brief Set the block cipher to use with this context.
+ * This must be called after mbedtls_block_cipher_init().
+ *
+ * \param ctx The context to set up.
+ * \param cipher_id The identifier of the cipher to use.
+ * This must be either AES, ARIA or Camellia.
+ * Warning: this is a ::mbedtls_cipher_id_t,
+ * not a ::mbedtls_block_cipher_id_t!
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if \p cipher_id was
+ * invalid.
+ */
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+ mbedtls_cipher_id_t cipher_id);
+
+/**
+ * \brief Set the key into the context.
+ *
+ * \param ctx The context to configure.
+ * \param key The buffer holding the key material.
+ * \param key_bitlen The size of the key in bits.
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_INVALID_CONTEXT if the context was not
+ * properly set up before calling this function.
+ * \retval One of #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH,
+ * #MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+ * #MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA if \p key_bitlen is
+ * invalid.
+ */
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char *key,
+ unsigned key_bitlen);
+
+/**
+ * \brief Encrypt one block (16 bytes) with the configured key.
+ *
+ * \param ctx The context holding the key.
+ * \param input The buffer holding the input block. Must be 16 bytes.
+ * \param output The buffer to which the output block will be written.
+ * Must be writable and 16 bytes long.
+ * This must either not overlap with \p input, or be equal.
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_INVALID_CONTEXT if the context was not
+ * properly set up before calling this function.
+ * \retval Another negative value if encryption failed.
+ */
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char input[16],
+ unsigned char output[16]);
+/**
+ * \brief Clear the context.
+ *
+ * \param ctx The context to clear.
+ */
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_BLOCK_CIPHER_INTERNAL_H */
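Review bot: `mbedtls_block_cipher_init()` calls `memset()`, but none of the three headers included above it is `<string.h>`, so this inline function compiles only if one of them happens to pull it in. Adding `#include <string.h>` next to the other includes would make the header self-contained. On the documentation side, the comment on `mbedtls_block_cipher_free()` says only "Clear the context", while the definition in block_cipher.c accepts `NULL` and, for a PSA-backed context, destroys the imported key. The comment could state both, e.g. `\param ctx The context to clear. May be \c NULL, in which case this function does nothing.`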
diff --git a/tf-psa-crypto/drivers/builtin/src/bn_mul.h b/tf-psa-crypto/drivers/builtin/src/bn_mul.h
new file mode 100644
index 0000000..0738469
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/bn_mul.h
@@ -0,0 +1,1094 @@
+/**
+ * \file bn_mul.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * Multiply source vector [s] with b, add result
+ * to destination vector [d] and set carry c.
+ *
+ * Currently supports:
+ *
+ * . IA-32 (386+) . AMD64 / EM64T
+ * . IA-32 (SSE2) . Motorola 68000
+ * . PowerPC, 32-bit . MicroBlaze
+ * . PowerPC, 64-bit . TriCore
+ * . SPARC v8 . ARM v3+
+ * . Alpha . MIPS32
+ * . C, longlong . C, generic
+ */
+#ifndef MBEDTLS_BN_MUL_H
+#define MBEDTLS_BN_MUL_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/bignum.h"
+
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
+ ((mbedtls_mpi_uint) (a) << 0) | \
+ ((mbedtls_mpi_uint) (b) << 8) | \
+ ((mbedtls_mpi_uint) (c) << 16) | \
+ ((mbedtls_mpi_uint) (d) << 24)
+
+#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
+ MBEDTLS_BYTES_TO_T_UINT_4(a, b, 0, 0)
+
+#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
+ MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d), \
+ MBEDTLS_BYTES_TO_T_UINT_4(e, f, g, h)
+
+#else /* 64-bits */
+
+#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
+ ((mbedtls_mpi_uint) (a) << 0) | \
+ ((mbedtls_mpi_uint) (b) << 8) | \
+ ((mbedtls_mpi_uint) (c) << 16) | \
+ ((mbedtls_mpi_uint) (d) << 24) | \
+ ((mbedtls_mpi_uint) (e) << 32) | \
+ ((mbedtls_mpi_uint) (f) << 40) | \
+ ((mbedtls_mpi_uint) (g) << 48) | \
+ ((mbedtls_mpi_uint) (h) << 56)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
+ MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, 0, 0, 0, 0)
+
+#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
+ MBEDTLS_BYTES_TO_T_UINT_8(a, b, 0, 0, 0, 0, 0, 0)
+
+#endif /* bits in mbedtls_mpi_uint */
+
+/* *INDENT-OFF* */
+#if defined(MBEDTLS_HAVE_ASM)
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
+
+/*
+ * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
+ * fixed reserved register when building as PIC, leading to errors
+ * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm'
+ *
+ * This is fixed by an improved register allocator in GCC 5+. From the
+ * release notes:
+ * Register allocation improvements: Reuse of the PIC hard register,
+ * instead of using a fixed register, was implemented on x86/x86-64
+ * targets. This improves generated PIC code performance as more hard
+ * registers can be used.
+ */
+#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
+#define MULADDC_CANNOT_USE_EBX
+#endif
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
+
+#define MULADDC_X1_INIT \
+ { mbedtls_mpi_uint t; \
+ asm( \
+ "movl %%ebx, %0 \n\t" \
+ "movl %5, %%esi \n\t" \
+ "movl %6, %%edi \n\t" \
+ "movl %7, %%ecx \n\t" \
+ "movl %8, %%ebx \n\t"
+
+#define MULADDC_X1_CORE \
+ "lodsl \n\t" \
+ "mull %%ebx \n\t" \
+ "addl %%ecx, %%eax \n\t" \
+ "adcl $0, %%edx \n\t" \
+ "addl (%%edi), %%eax \n\t" \
+ "adcl $0, %%edx \n\t" \
+ "movl %%edx, %%ecx \n\t" \
+ "stosl \n\t"
+
+#define MULADDC_X1_STOP \
+ "movl %4, %%ebx \n\t" \
+ "movl %%ecx, %1 \n\t" \
+ "movl %%edi, %2 \n\t" \
+ "movl %%esi, %3 \n\t" \
+ : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
+ ); }
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ "movd %%ecx, %%mm1 \n\t" \
+ "movd %%ebx, %%mm0 \n\t" \
+ "movd (%%edi), %%mm3 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd (%%esi), %%mm2 \n\t" \
+ "pmuludq %%mm0, %%mm2 \n\t" \
+ "movd 4(%%esi), %%mm4 \n\t" \
+ "pmuludq %%mm0, %%mm4 \n\t" \
+ "movd 8(%%esi), %%mm6 \n\t" \
+ "pmuludq %%mm0, %%mm6 \n\t" \
+ "movd 12(%%esi), %%mm7 \n\t" \
+ "pmuludq %%mm0, %%mm7 \n\t" \
+ "paddq %%mm2, %%mm1 \n\t" \
+ "movd 4(%%edi), %%mm3 \n\t" \
+ "paddq %%mm4, %%mm3 \n\t" \
+ "movd 8(%%edi), %%mm5 \n\t" \
+ "paddq %%mm6, %%mm5 \n\t" \
+ "movd 12(%%edi), %%mm4 \n\t" \
+ "paddq %%mm4, %%mm7 \n\t" \
+ "movd %%mm1, (%%edi) \n\t" \
+ "movd 16(%%esi), %%mm2 \n\t" \
+ "pmuludq %%mm0, %%mm2 \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd 20(%%esi), %%mm4 \n\t" \
+ "pmuludq %%mm0, %%mm4 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd 24(%%esi), %%mm6 \n\t" \
+ "pmuludq %%mm0, %%mm6 \n\t" \
+ "movd %%mm1, 4(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd 28(%%esi), %%mm3 \n\t" \
+ "pmuludq %%mm0, %%mm3 \n\t" \
+ "paddq %%mm5, %%mm1 \n\t" \
+ "movd 16(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm2 \n\t" \
+ "movd %%mm1, 8(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm7, %%mm1 \n\t" \
+ "movd 20(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm4 \n\t" \
+ "movd %%mm1, 12(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm2, %%mm1 \n\t" \
+ "movd 24(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm6 \n\t" \
+ "movd %%mm1, 16(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm4, %%mm1 \n\t" \
+ "movd 28(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm3 \n\t" \
+ "movd %%mm1, 20(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm6, %%mm1 \n\t" \
+ "movd %%mm1, 24(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd %%mm1, 28(%%edi) \n\t" \
+ "addl $32, %%edi \n\t" \
+ "addl $32, %%esi \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd %%mm1, %%ecx \n\t"
+
+#define MULADDC_X8_STOP \
+ "emms \n\t" \
+ "movl %4, %%ebx \n\t" \
+ "movl %%ecx, %1 \n\t" \
+ "movl %%edi, %2 \n\t" \
+ "movl %%esi, %3 \n\t" \
+ : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
+ ); } \
+
+#endif /* SSE2 */
+
+#endif /* i386 */
+
+#if defined(__amd64__) || defined (__x86_64__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "xorq %%r8, %%r8\n"
+
+#define MULADDC_X1_CORE \
+ "movq (%%rsi), %%rax\n" \
+ "mulq %%rbx\n" \
+ "addq $8, %%rsi\n" \
+ "addq %%rcx, %%rax\n" \
+ "movq %%r8, %%rcx\n" \
+ "adcq $0, %%rdx\n" \
+ "nop \n" \
+ "addq %%rax, (%%rdi)\n" \
+ "adcq %%rdx, %%rcx\n" \
+ "addq $8, %%rdi\n"
+
+#define MULADDC_X1_STOP \
+ : "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \
+ : "b" (b), "m" (*(const uint64_t (*)[16]) s) \
+ : "rax", "rdx", "r8" \
+ );
+
+#endif /* AMD64 */
+
+// The following assembly code assumes that a pointer will fit in a 64-bit register
+// (including ILP32 __aarch64__ ABIs such as on watchOS, hence the 2^32 - 1)
+#if defined(__aarch64__) && (UINTPTR_MAX == 0xfffffffful || UINTPTR_MAX == 0xfffffffffffffffful)
+
+/*
+ * There are some issues around different compilers requiring different constraint
+ * syntax for updating pointers from assembly code (see notes for
+ * MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT in common.h), especially on aarch64_32 (aka ILP32).
+ *
+ * For this reason we cast the pointers to/from uintptr_t here.
+ */
+#define MULADDC_X1_INIT \
+ do { uintptr_t muladdc_d = (uintptr_t) d, muladdc_s = (uintptr_t) s; asm(
+
+#define MULADDC_X1_CORE \
+ "ldr x4, [%x2], #8 \n\t" \
+ "ldr x5, [%x1] \n\t" \
+ "mul x6, x4, %4 \n\t" \
+ "umulh x7, x4, %4 \n\t" \
+ "adds x5, x5, x6 \n\t" \
+ "adc x7, x7, xzr \n\t" \
+ "adds x5, x5, %0 \n\t" \
+ "adc %0, x7, xzr \n\t" \
+ "str x5, [%x1], #8 \n\t"
+
+#define MULADDC_X1_STOP \
+ : "+r" (c), \
+ "+r" (muladdc_d), \
+ "+r" (muladdc_s), \
+ "+m" (*(uint64_t (*)[16]) d) \
+ : "r" (b), "m" (*(const uint64_t (*)[16]) s) \
+ : "x4", "x5", "x6", "x7", "cc" \
+ ); d = (mbedtls_mpi_uint *)muladdc_d; s = (mbedtls_mpi_uint *)muladdc_s; } while (0);
+
+#endif /* Aarch64 */
+
+#if defined(__mc68020__) || defined(__mcpu32__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "movl %3, %%a2 \n\t" \
+ "movl %4, %%a3 \n\t" \
+ "movl %5, %%d3 \n\t" \
+ "movl %6, %%d2 \n\t" \
+ "moveq #0, %%d0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "moveq #0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "addxl %%d4, %%d3 \n\t"
+
+#define MULADDC_X1_STOP \
+ "movl %%d3, %0 \n\t" \
+ "movl %%a3, %1 \n\t" \
+ "movl %%a2, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "d0", "d1", "d2", "d3", "d4", "a2", "a3" \
+ );
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "addxl %%d0, %%d3 \n\t"
+
+#define MULADDC_X8_STOP MULADDC_X1_STOP
+
+#endif /* MC68000 */
+
+#if defined(__powerpc64__) || defined(__ppc64__)
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld r3, %3 \n\t" \
+ "ld r4, %4 \n\t" \
+ "ld r5, %5 \n\t" \
+ "ld r6, %6 \n\t" \
+ "addi r3, r3, -8 \n\t" \
+ "addi r4, r4, -8 \n\t" \
+ "addic r5, r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldu r7, 8(r3) \n\t" \
+ "mulld r8, r7, r6 \n\t" \
+ "mulhdu r9, r7, r6 \n\t" \
+ "adde r8, r8, r5 \n\t" \
+ "ld r7, 8(r4) \n\t" \
+ "addze r5, r9 \n\t" \
+ "addc r8, r8, r7 \n\t" \
+ "stdu r8, 8(r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze r5, r5 \n\t" \
+ "addi r4, r4, 8 \n\t" \
+ "addi r3, r3, 8 \n\t" \
+ "std r5, %0 \n\t" \
+ "std r4, %1 \n\t" \
+ "std r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld %%r3, %3 \n\t" \
+ "ld %%r4, %4 \n\t" \
+ "ld %%r5, %5 \n\t" \
+ "ld %%r6, %6 \n\t" \
+ "addi %%r3, %%r3, -8 \n\t" \
+ "addi %%r4, %%r4, -8 \n\t" \
+ "addic %%r5, %%r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldu %%r7, 8(%%r3) \n\t" \
+ "mulld %%r8, %%r7, %%r6 \n\t" \
+ "mulhdu %%r9, %%r7, %%r6 \n\t" \
+ "adde %%r8, %%r8, %%r5 \n\t" \
+ "ld %%r7, 8(%%r4) \n\t" \
+ "addze %%r5, %%r9 \n\t" \
+ "addc %%r8, %%r8, %%r7 \n\t" \
+ "stdu %%r8, 8(%%r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze %%r5, %%r5 \n\t" \
+ "addi %%r4, %%r4, 8 \n\t" \
+ "addi %%r3, %%r3, 8 \n\t" \
+ "std %%r5, %0 \n\t" \
+ "std %%r4, %1 \n\t" \
+ "std %%r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32 */
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwz r3, %3 \n\t" \
+ "lwz r4, %4 \n\t" \
+ "lwz r5, %5 \n\t" \
+ "lwz r6, %6 \n\t" \
+ "addi r3, r3, -4 \n\t" \
+ "addi r4, r4, -4 \n\t" \
+ "addic r5, r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lwzu r7, 4(r3) \n\t" \
+ "mullw r8, r7, r6 \n\t" \
+ "mulhwu r9, r7, r6 \n\t" \
+ "adde r8, r8, r5 \n\t" \
+ "lwz r7, 4(r4) \n\t" \
+ "addze r5, r9 \n\t" \
+ "addc r8, r8, r7 \n\t" \
+ "stwu r8, 4(r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze r5, r5 \n\t" \
+ "addi r4, r4, 4 \n\t" \
+ "addi r3, r3, 4 \n\t" \
+ "stw r5, %0 \n\t" \
+ "stw r4, %1 \n\t" \
+ "stw r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwz %%r3, %3 \n\t" \
+ "lwz %%r4, %4 \n\t" \
+ "lwz %%r5, %5 \n\t" \
+ "lwz %%r6, %6 \n\t" \
+ "addi %%r3, %%r3, -4 \n\t" \
+ "addi %%r4, %%r4, -4 \n\t" \
+ "addic %%r5, %%r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lwzu %%r7, 4(%%r3) \n\t" \
+ "mullw %%r8, %%r7, %%r6 \n\t" \
+ "mulhwu %%r9, %%r7, %%r6 \n\t" \
+ "adde %%r8, %%r8, %%r5 \n\t" \
+ "lwz %%r7, 4(%%r4) \n\t" \
+ "addze %%r5, %%r9 \n\t" \
+ "addc %%r8, %%r8, %%r7 \n\t" \
+ "stwu %%r8, 4(%%r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze %%r5, %%r5 \n\t" \
+ "addi %%r4, %%r4, 4 \n\t" \
+ "addi %%r3, %%r3, 4 \n\t" \
+ "stw %%r5, %0 \n\t" \
+ "stw %%r4, %1 \n\t" \
+ "stw %%r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#endif /* PPC32 */
+
+/*
+ * The Sparc(64) assembly is reported to be broken.
+ * Disable it for now, until we're able to fix it.
+ */
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldx %3, %%o0 \n\t" \
+ "ldx %4, %%o1 \n\t" \
+ "ld %5, %%o2 \n\t" \
+ "ld %6, %%o3 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld [%%o0], %%o4 \n\t" \
+ "inc 4, %%o0 \n\t" \
+ "ld [%%o1], %%o5 \n\t" \
+ "umul %%o3, %%o4, %%o4 \n\t" \
+ "addcc %%o4, %%o2, %%o4 \n\t" \
+ "rd %%y, %%g1 \n\t" \
+ "addx %%g1, 0, %%g1 \n\t" \
+ "addcc %%o4, %%o5, %%o4 \n\t" \
+ "st %%o4, [%%o1] \n\t" \
+ "addx %%g1, 0, %%o2 \n\t" \
+ "inc 4, %%o1 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st %%o2, %0 \n\t" \
+ "stx %%o1, %1 \n\t" \
+ "stx %%o0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "g1", "o0", "o1", "o2", "o3", "o4", \
+ "o5" \
+ );
+
+#else /* __sparc64__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld %3, %%o0 \n\t" \
+ "ld %4, %%o1 \n\t" \
+ "ld %5, %%o2 \n\t" \
+ "ld %6, %%o3 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld [%%o0], %%o4 \n\t" \
+ "inc 4, %%o0 \n\t" \
+ "ld [%%o1], %%o5 \n\t" \
+ "umul %%o3, %%o4, %%o4 \n\t" \
+ "addcc %%o4, %%o2, %%o4 \n\t" \
+ "rd %%y, %%g1 \n\t" \
+ "addx %%g1, 0, %%g1 \n\t" \
+ "addcc %%o4, %%o5, %%o4 \n\t" \
+ "st %%o4, [%%o1] \n\t" \
+ "addx %%g1, 0, %%o2 \n\t" \
+ "inc 4, %%o1 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st %%o2, %0 \n\t" \
+ "st %%o1, %1 \n\t" \
+ "st %%o0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "g1", "o0", "o1", "o2", "o3", "o4", \
+ "o5" \
+ );
+
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
+
+#if defined(__microblaze__) || defined(microblaze)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwi r3, %3 \n\t" \
+ "lwi r4, %4 \n\t" \
+ "lwi r5, %5 \n\t" \
+ "lwi r6, %6 \n\t" \
+ "andi r7, r6, 0xffff \n\t" \
+ "bsrli r6, r6, 16 \n\t"
+
+#if(__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+#define MULADDC_LHUI \
+ "lhui r9, r3, 0 \n\t" \
+ "addi r3, r3, 2 \n\t" \
+ "lhui r8, r3, 0 \n\t"
+#else
+#define MULADDC_LHUI \
+ "lhui r8, r3, 0 \n\t" \
+ "addi r3, r3, 2 \n\t" \
+ "lhui r9, r3, 0 \n\t"
+#endif
+
+#define MULADDC_X1_CORE \
+ MULADDC_LHUI \
+ "addi r3, r3, 2 \n\t" \
+ "mul r10, r9, r6 \n\t" \
+ "mul r11, r8, r7 \n\t" \
+ "mul r12, r9, r7 \n\t" \
+ "mul r13, r8, r6 \n\t" \
+ "bsrli r8, r10, 16 \n\t" \
+ "bsrli r9, r11, 16 \n\t" \
+ "add r13, r13, r8 \n\t" \
+ "add r13, r13, r9 \n\t" \
+ "bslli r10, r10, 16 \n\t" \
+ "bslli r11, r11, 16 \n\t" \
+ "add r12, r12, r10 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "add r12, r12, r11 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "lwi r10, r4, 0 \n\t" \
+ "add r12, r12, r10 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "add r12, r12, r5 \n\t" \
+ "addc r5, r13, r0 \n\t" \
+ "swi r12, r4, 0 \n\t" \
+ "addi r4, r4, 4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "swi r5, %0 \n\t" \
+ "swi r4, %1 \n\t" \
+ "swi r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", \
+ "r9", "r10", "r11", "r12", "r13" \
+ );
+
+#endif /* MicroBlaze */
+
+#if defined(__tricore__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld.a %%a2, %3 \n\t" \
+ "ld.a %%a3, %4 \n\t" \
+ "ld.w %%d4, %5 \n\t" \
+ "ld.w %%d1, %6 \n\t" \
+ "xor %%d5, %%d5 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld.w %%d0, [%%a2+] \n\t" \
+ "madd.u %%e2, %%e4, %%d0, %%d1 \n\t" \
+ "ld.w %%d0, [%%a3] \n\t" \
+ "addx %%d2, %%d2, %%d0 \n\t" \
+ "addc %%d3, %%d3, 0 \n\t" \
+ "mov %%d4, %%d3 \n\t" \
+ "st.w [%%a3+], %%d2 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st.w %0, %%d4 \n\t" \
+ "st.a %1, %%a3 \n\t" \
+ "st.a %2, %%a2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "d0", "d1", "e2", "d4", "a2", "a3" \
+ );
+
+#endif /* TriCore */
+
+#if defined(__arm__)
+
+#if defined(__thumb__) && !defined(__thumb2__)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+/*
+ * Thumb 1 ISA. This code path has only been tested successfully on gcc;
+ * it does not compile on clang or armclang.
+ */
+
+#if !defined(__OPTIMIZE__) && defined(__GNUC__)
+/*
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * If gcc needs to use r7, we use r1 as a scratch register and have a few extra
+ * instructions to preserve/restore it; otherwise, we can use r7 and avoid
+ * the preserve/restore overhead.
+ */
+#define MULADDC_SCRATCH "RS .req r1 \n\t"
+#define MULADDC_PRESERVE_SCRATCH "mov r10, r1 \n\t"
+#define MULADDC_RESTORE_SCRATCH "mov r1, r10 \n\t"
+#define MULADDC_SCRATCH_CLOBBER "r10"
+#else /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
+#define MULADDC_SCRATCH "RS .req r7 \n\t"
+#define MULADDC_PRESERVE_SCRATCH ""
+#define MULADDC_RESTORE_SCRATCH ""
+#define MULADDC_SCRATCH_CLOBBER "r7"
+#endif /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ MULADDC_SCRATCH \
+ "ldr r0, %3 \n\t" \
+ "ldr r1, %4 \n\t" \
+ "ldr r2, %5 \n\t" \
+ "ldr r3, %6 \n\t" \
+ "lsr r4, r3, #16 \n\t" \
+ "mov r9, r4 \n\t" \
+ "lsl r4, r3, #16 \n\t" \
+ "lsr r4, r4, #16 \n\t" \
+ "mov r8, r4 \n\t" \
+
+
+#define MULADDC_X1_CORE \
+ MULADDC_PRESERVE_SCRATCH \
+ "ldmia r0!, {r6} \n\t" \
+ "lsr RS, r6, #16 \n\t" \
+ "lsl r6, r6, #16 \n\t" \
+ "lsr r6, r6, #16 \n\t" \
+ "mov r4, r8 \n\t" \
+ "mul r4, r6 \n\t" \
+ "mov r3, r9 \n\t" \
+ "mul r6, r3 \n\t" \
+ "mov r5, r9 \n\t" \
+ "mul r5, RS \n\t" \
+ "mov r3, r8 \n\t" \
+ "mul RS, r3 \n\t" \
+ "lsr r3, r6, #16 \n\t" \
+ "add r5, r5, r3 \n\t" \
+ "lsr r3, RS, #16 \n\t" \
+ "add r5, r5, r3 \n\t" \
+ "add r4, r4, r2 \n\t" \
+ "mov r2, #0 \n\t" \
+ "adc r5, r2 \n\t" \
+ "lsl r3, r6, #16 \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r5, r2 \n\t" \
+ "lsl r3, RS, #16 \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r5, r2 \n\t" \
+ MULADDC_RESTORE_SCRATCH \
+ "ldr r3, [r1] \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r2, r5 \n\t" \
+ "stmia r1!, {r4} \n\t"
+
+#define MULADDC_X1_STOP \
+ "str r2, %0 \n\t" \
+ "str r1, %1 \n\t" \
+ "str r0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r0", "r1", "r2", "r3", "r4", "r5", \
+ "r6", MULADDC_SCRATCH_CLOBBER, "r8", "r9", "cc" \
+ );
+#endif /* !defined(__ARMCC_VERSION) && !defined(__clang__) */
+
+#elif (__ARM_ARCH >= 6) && \
+ defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+/* Armv6-M (or later) with DSP Instruction Set Extensions.
+ * Requires support for either Thumb 2 or Arm ISA.
+ */
+
+#define MULADDC_X1_INIT \
+ { \
+ mbedtls_mpi_uint tmp_a, tmp_b; \
+ asm volatile (
+
+#define MULADDC_X1_CORE \
+ ".p2align 2 \n\t" \
+ "ldr %[a], [%[in]], #4 \n\t" \
+ "ldr %[b], [%[acc]] \n\t" \
+ "umaal %[b], %[carry], %[scalar], %[a] \n\t" \
+ "str %[b], [%[acc]], #4 \n\t"
+
+#define MULADDC_X1_STOP \
+ : [a] "=&r" (tmp_a), \
+ [b] "=&r" (tmp_b), \
+ [in] "+r" (s), \
+ [acc] "+r" (d), \
+ [carry] "+l" (c) \
+ : [scalar] "r" (b) \
+ : "memory" \
+ ); \
+ }
+
+#define MULADDC_X2_INIT \
+ { \
+ mbedtls_mpi_uint tmp_a0, tmp_b0; \
+ mbedtls_mpi_uint tmp_a1, tmp_b1; \
+ asm volatile (
+
+ /* - Make sure loop is 4-byte aligned to avoid stalls
+ * upon repeated non-word aligned instructions in
+ * some microarchitectures.
+ * - Don't use ldm with post-increment or back-to-back
+ * loads with post-increment and same address register
+ * to avoid stalls on some microarchitectures.
+ * - Bunch loads and stores to reduce latency on some
+ * microarchitectures. E.g., on Cortex-M4, the first
+ * in a series of load/store operations has latency
+ * 2 cycles, while subsequent loads/stores are single-cycle. */
+#define MULADDC_X2_CORE \
+ ".p2align 2 \n\t" \
+ "ldr %[a0], [%[in]], #+8 \n\t" \
+ "ldr %[b0], [%[acc]], #+8 \n\t" \
+ "ldr %[a1], [%[in], #-4] \n\t" \
+ "ldr %[b1], [%[acc], #-4] \n\t" \
+ "umaal %[b0], %[carry], %[scalar], %[a0] \n\t" \
+ "umaal %[b1], %[carry], %[scalar], %[a1] \n\t" \
+ "str %[b0], [%[acc], #-8] \n\t" \
+ "str %[b1], [%[acc], #-4] \n\t"
+
+#define MULADDC_X2_STOP \
+ : [a0] "=&r" (tmp_a0), \
+ [b0] "=&r" (tmp_b0), \
+ [a1] "=&r" (tmp_a1), \
+ [b1] "=&r" (tmp_b1), \
+ [in] "+r" (s), \
+ [acc] "+r" (d), \
+ [carry] "+l" (c) \
+ : [scalar] "r" (b) \
+ : "memory" \
+ ); \
+ }
+
+#else /* Thumb 2 or Arm ISA, without DSP extensions */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldr r0, %3 \n\t" \
+ "ldr r1, %4 \n\t" \
+ "ldr r2, %5 \n\t" \
+ "ldr r3, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldr r4, [r0], #4 \n\t" \
+ "mov r5, #0 \n\t" \
+ "ldr r6, [r1] \n\t" \
+ "umlal r2, r5, r3, r4 \n\t" \
+ "adds r4, r6, r2 \n\t" \
+ "adc r2, r5, #0 \n\t" \
+ "str r4, [r1], #4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "str r2, %0 \n\t" \
+ "str r1, %1 \n\t" \
+ "str r0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r0", "r1", "r2", "r3", "r4", "r5", \
+ "r6", "cc" \
+ );
+
+#endif /* ISA codepath selection */
+
+#endif /* defined(__arm__) */
+
+#if defined(__alpha__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldq $1, %3 \n\t" \
+ "ldq $2, %4 \n\t" \
+ "ldq $3, %5 \n\t" \
+ "ldq $4, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldq $6, 0($1) \n\t" \
+ "addq $1, 8, $1 \n\t" \
+ "mulq $6, $4, $7 \n\t" \
+ "umulh $6, $4, $6 \n\t" \
+ "addq $7, $3, $7 \n\t" \
+ "cmpult $7, $3, $3 \n\t" \
+ "ldq $5, 0($2) \n\t" \
+ "addq $7, $5, $7 \n\t" \
+ "cmpult $7, $5, $5 \n\t" \
+ "stq $7, 0($2) \n\t" \
+ "addq $2, 8, $2 \n\t" \
+ "addq $6, $3, $3 \n\t" \
+ "addq $5, $3, $3 \n\t"
+
+#define MULADDC_X1_STOP \
+ "stq $3, %0 \n\t" \
+ "stq $2, %1 \n\t" \
+ "stq $1, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "$1", "$2", "$3", "$4", "$5", "$6", "$7" \
+ );
+#endif /* Alpha */
+
+#if defined(__mips__) && !defined(__mips64)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lw $10, %3 \n\t" \
+ "lw $11, %4 \n\t" \
+ "lw $12, %5 \n\t" \
+ "lw $13, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lw $14, 0($10) \n\t" \
+ "multu $13, $14 \n\t" \
+ "addi $10, $10, 4 \n\t" \
+ "mflo $14 \n\t" \
+ "mfhi $9 \n\t" \
+ "addu $14, $12, $14 \n\t" \
+ "lw $15, 0($11) \n\t" \
+ "sltu $12, $14, $12 \n\t" \
+ "addu $15, $14, $15 \n\t" \
+ "sltu $14, $15, $14 \n\t" \
+ "addu $12, $12, $9 \n\t" \
+ "sw $15, 0($11) \n\t" \
+ "addu $12, $12, $14 \n\t" \
+ "addi $11, $11, 4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "sw $12, %0 \n\t" \
+ "sw $11, %1 \n\t" \
+ "sw $10, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+ );
+
+#endif /* MIPS */
+#endif /* GNUC */
+
+#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
+
+#define MULADDC_X1_INIT \
+ __asm mov esi, s \
+ __asm mov edi, d \
+ __asm mov ecx, c \
+ __asm mov ebx, b
+
+#define MULADDC_X1_CORE \
+ __asm lodsd \
+ __asm mul ebx \
+ __asm add eax, ecx \
+ __asm adc edx, 0 \
+ __asm add eax, [edi] \
+ __asm adc edx, 0 \
+ __asm mov ecx, edx \
+ __asm stosd
+
+#define MULADDC_X1_STOP \
+ __asm mov c, ecx \
+ __asm mov d, edi \
+ __asm mov s, esi
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define EMIT __asm _emit
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ EMIT 0x0F EMIT 0x6E EMIT 0xC9 \
+ EMIT 0x0F EMIT 0x6E EMIT 0xC3 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x1F \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x6E EMIT 0x16 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x04 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x08 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x7E EMIT 0x0C \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF8 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
+ EMIT 0x0F EMIT 0x6E EMIT 0x5F EMIT 0x04 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xDC \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x08 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xEE \
+ EMIT 0x0F EMIT 0x6E EMIT 0x67 EMIT 0x0C \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xFC \
+ EMIT 0x0F EMIT 0x7E EMIT 0x0F \
+ EMIT 0x0F EMIT 0x6E EMIT 0x56 EMIT 0x10 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x14 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x18 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x04 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x5E EMIT 0x1C \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD8 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCD \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x10 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xD5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x08 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCF \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x14 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xE5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x0C \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x18 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xF5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x10 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCC \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x1C \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xDD \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x14 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCE \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x18 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x1C \
+ EMIT 0x83 EMIT 0xC7 EMIT 0x20 \
+ EMIT 0x83 EMIT 0xC6 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x7E EMIT 0xC9
+
+#define MULADDC_X8_STOP \
+ EMIT 0x0F EMIT 0x77 \
+ __asm mov c, ecx \
+ __asm mov d, edi \
+ __asm mov s, esi
+
+#endif /* SSE2 */
+#endif /* MSVC */
+
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if !defined(MULADDC_X1_CORE)
+#if defined(MBEDTLS_HAVE_UDBL)
+
+#define MULADDC_X1_INIT \
+{ \
+ mbedtls_t_udbl r; \
+ mbedtls_mpi_uint r0, r1;
+
+#define MULADDC_X1_CORE \
+ r = *(s++) * (mbedtls_t_udbl) b; \
+ r0 = (mbedtls_mpi_uint) r; \
+ r1 = (mbedtls_mpi_uint)( r >> biL ); \
+ r0 += c; r1 += (r0 < c); \
+ r0 += *d; r1 += (r0 < *d); \
+ c = r1; *(d++) = r0;
+
+#define MULADDC_X1_STOP \
+}
+
+#else /* MBEDTLS_HAVE_UDBL */
+
+#define MULADDC_X1_INIT \
+{ \
+ mbedtls_mpi_uint s0, s1, b0, b1; \
+ mbedtls_mpi_uint r0, r1, rx, ry; \
+ b0 = ( b << biH ) >> biH; \
+ b1 = ( b >> biH );
+
+#define MULADDC_X1_CORE \
+ s0 = ( *s << biH ) >> biH; \
+ s1 = ( *s >> biH ); s++; \
+ rx = s0 * b1; r0 = s0 * b0; \
+ ry = s1 * b0; r1 = s1 * b1; \
+ r1 += ( rx >> biH ); \
+ r1 += ( ry >> biH ); \
+ rx <<= biH; ry <<= biH; \
+ r0 += rx; r1 += (r0 < rx); \
+ r0 += ry; r1 += (r0 < ry); \
+ r0 += c; r1 += (r0 < c); \
+ r0 += *d; r1 += (r0 < *d); \
+ c = r1; *(d++) = r0;
+
+#define MULADDC_X1_STOP \
+}
+
+#endif /* C (longlong) */
+#endif /* C (generic) */
+
+#if !defined(MULADDC_X2_CORE)
+#define MULADDC_X2_INIT MULADDC_X1_INIT
+#define MULADDC_X2_STOP MULADDC_X1_STOP
+#define MULADDC_X2_CORE MULADDC_X1_CORE MULADDC_X1_CORE
+#endif /* MULADDC_X2_CORE */
+
+#if !defined(MULADDC_X4_CORE)
+#define MULADDC_X4_INIT MULADDC_X2_INIT
+#define MULADDC_X4_STOP MULADDC_X2_STOP
+#define MULADDC_X4_CORE MULADDC_X2_CORE MULADDC_X2_CORE
+#endif /* MULADDC_X4_CORE */
+
+#if !defined(MULADDC_X8_CORE)
+#define MULADDC_X8_INIT MULADDC_X4_INIT
+#define MULADDC_X8_STOP MULADDC_X4_STOP
+#define MULADDC_X8_CORE MULADDC_X4_CORE MULADDC_X4_CORE
+#endif /* MULADDC_X8_CORE */
+
+/* *INDENT-ON* */
+#endif /* bn_mul.h */
diff --git a/tf-psa-crypto/drivers/builtin/src/camellia.c b/tf-psa-crypto/drivers/builtin/src/camellia.c
new file mode 100644
index 0000000..b1c0a08
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/camellia.c
@@ -0,0 +1,1058 @@
+/*
+ * Camellia implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The Camellia block cipher was designed by NTT and Mitsubishi Electric
+ * Corporation.
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+#include "mbedtls/camellia.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+
+static const unsigned char SIGMA_CHARS[6][8] =
+{
+ { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
+ { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
+ { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
+ { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
+ { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
+ { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
+};
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+
+static const unsigned char FSb[256] =
+{
+ 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
+ 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
+ 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
+ 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
+ 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
+ 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
+ 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
+ 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
+ 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
+ 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
+ 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
+ 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
+ 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
+ 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
+ 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
+#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
+#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
+
+#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char FSb[256] =
+{
+ 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
+ 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
+ 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
+ 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
+ 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
+ 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
+ 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
+ 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
+ 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
+ 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
+ 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
+ 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
+ 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
+ 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
+ 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
+};
+
+static const unsigned char FSb2[256] =
+{
+ 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
+ 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
+ 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
+ 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
+ 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
+ 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
+ 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
+ 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
+ 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
+ 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
+ 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
+ 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
+ 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
+ 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
+ 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
+ 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
+};
+
+static const unsigned char FSb3[256] =
+{
+ 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
+ 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
+ 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
+ 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
+ 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
+ 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
+ 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
+ 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
+ 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
+ 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
+ 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
+ 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
+ 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
+ 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
+ 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
+ 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
+};
+
+static const unsigned char FSb4[256] =
+{
+ 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
+ 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
+ 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
+ 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
+ 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
+ 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
+ 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
+ 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
+ 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
+ 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
+ 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
+ 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
+ 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
+ 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
+ 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
+ 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) FSb2[(n)]
+#define SBOX3(n) FSb3[(n)]
+#define SBOX4(n) FSb4[(n)]
+
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char shifts[2][4][4] =
+{
+ {
+ { 1, 1, 1, 1 }, /* KL */
+ { 0, 0, 0, 0 }, /* KR */
+ { 1, 1, 1, 1 }, /* KA */
+ { 0, 0, 0, 0 } /* KB */
+ },
+ {
+ { 1, 0, 1, 1 }, /* KL */
+ { 1, 1, 0, 1 }, /* KR */
+ { 1, 1, 1, 0 }, /* KA */
+ { 1, 1, 0, 1 } /* KB */
+ }
+};
+
+static const signed char indexes[2][4][20] =
+{
+ {
+ { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
+ 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
+ { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
+ { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
+ 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
+ { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
+ },
+ {
+ { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
+ -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
+ { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
+ 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
+ { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
+ 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
+ { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
+ 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
+ }
+};
+
+static const signed char transposes[2][20] =
+{
+ {
+ 21, 22, 23, 20,
+ -1, -1, -1, -1,
+ 18, 19, 16, 17,
+ 11, 8, 9, 10,
+ 15, 12, 13, 14
+ },
+ {
+ 25, 26, 27, 24,
+ 29, 30, 31, 28,
+ 18, 19, 16, 17,
+ -1, -1, -1, -1,
+ -1, -1, -1, -1
+ }
+};
+
+/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
+#define ROTL(DEST, SRC, SHIFT) \
+ { \
+ (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
+ (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
+ (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
+ (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
+ }
+
+#define FL(XL, XR, KL, KR) \
+ { \
+ (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
+ (XL) = ((XR) | (KR)) ^ (XL); \
+ }
+
+#define FLInv(YL, YR, KL, KR) \
+ { \
+ (YL) = ((YR) | (KR)) ^ (YL); \
+ (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
+ }
+
+#define SHIFT_AND_PLACE(INDEX, OFFSET) \
+ { \
+ TK[0] = KC[(OFFSET) * 4 + 0]; \
+ TK[1] = KC[(OFFSET) * 4 + 1]; \
+ TK[2] = KC[(OFFSET) * 4 + 2]; \
+ TK[3] = KC[(OFFSET) * 4 + 3]; \
+ \
+ for (i = 1; i <= 4; i++) \
+ if (shifts[(INDEX)][(OFFSET)][i -1]) \
+ ROTL(TK + i * 4, TK, (15 * i) % 32); \
+ \
+ for (i = 0; i < 20; i++) \
+ if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
+ RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
+ } \
+ }
+
+static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
+ uint32_t z[2])
+{
+ uint32_t I0, I1;
+ I0 = x[0] ^ k[0];
+ I1 = x[1] ^ k[1];
+
+ I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
+ ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
+ ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
+ ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
+ I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
+ ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
+ ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
+ ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
+
+ I0 ^= (I1 << 8) | (I1 >> 24);
+ I1 ^= (I0 << 16) | (I0 >> 16);
+ I0 ^= (I1 >> 8) | (I1 << 24);
+ I1 ^= (I0 >> 8) | (I0 << 24);
+
+ z[0] ^= I1;
+ z[1] ^= I0;
+}
+
+void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_camellia_context));
+}
+
+void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
+}
+
+/*
+ * Camellia key schedule (encryption)
+ */
+int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int idx;
+ size_t i;
+ uint32_t *RK;
+ unsigned char t[64];
+ uint32_t SIGMA[6][2];
+ uint32_t KC[16];
+ uint32_t TK[20];
+
+ RK = ctx->rk;
+
+ memset(t, 0, 64);
+ memset(RK, 0, sizeof(ctx->rk));
+
+ switch (keybits) {
+ case 128: ctx->nr = 3; idx = 0; break;
+ case 192:
+ case 256: ctx->nr = 4; idx = 1; break;
+ default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ for (i = 0; i < keybits / 8; ++i) {
+ t[i] = key[i];
+ }
+
+ if (keybits == 192) {
+ for (i = 0; i < 8; i++) {
+ t[24 + i] = ~t[16 + i];
+ }
+ }
+
+ /*
+ * Prepare SIGMA values
+ */
+ for (i = 0; i < 6; i++) {
+ SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
+ SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
+ }
+
+ /*
+ * Key storage in KC
+ * Order: KL, KR, KA, KB
+ */
+ memset(KC, 0, sizeof(KC));
+
+ /* Store KL, KR */
+ for (i = 0; i < 8; i++) {
+ KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
+ }
+
+ /* Generate KA */
+ for (i = 0; i < 4; ++i) {
+ KC[8 + i] = KC[i] ^ KC[4 + i];
+ }
+
+ camellia_feistel(KC + 8, SIGMA[0], KC + 10);
+ camellia_feistel(KC + 10, SIGMA[1], KC + 8);
+
+ for (i = 0; i < 4; ++i) {
+ KC[8 + i] ^= KC[i];
+ }
+
+ camellia_feistel(KC + 8, SIGMA[2], KC + 10);
+ camellia_feistel(KC + 10, SIGMA[3], KC + 8);
+
+ if (keybits > 128) {
+ /* Generate KB */
+ for (i = 0; i < 4; ++i) {
+ KC[12 + i] = KC[4 + i] ^ KC[8 + i];
+ }
+
+ camellia_feistel(KC + 12, SIGMA[4], KC + 14);
+ camellia_feistel(KC + 14, SIGMA[5], KC + 12);
+ }
+
+ /*
+ * Generating subkeys
+ */
+
+ /* Manipulating KL */
+ SHIFT_AND_PLACE(idx, 0);
+
+ /* Manipulating KR */
+ if (keybits > 128) {
+ SHIFT_AND_PLACE(idx, 1);
+ }
+
+ /* Manipulating KA */
+ SHIFT_AND_PLACE(idx, 2);
+
+ /* Manipulating KB */
+ if (keybits > 128) {
+ SHIFT_AND_PLACE(idx, 3);
+ }
+
+ /* Do transpositions */
+ for (i = 0; i < 20; i++) {
+ if (transposes[idx][i] != -1) {
+ RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Camellia key schedule (decryption)
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int idx, ret;
+ size_t i;
+ mbedtls_camellia_context cty;
+ uint32_t *RK;
+ uint32_t *SK;
+
+ mbedtls_camellia_init(&cty);
+
+ /* Also checks keybits */
+ if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
+ goto exit;
+ }
+
+ ctx->nr = cty.nr;
+ idx = (ctx->nr == 4);
+
+ RK = ctx->rk;
+ SK = cty.rk + 24 * 2 + 8 * idx * 2;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+
+ for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ }
+
+ SK -= 2;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+
+exit:
+ mbedtls_camellia_free(&cty);
+
+ return ret;
+}
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/*
+ * Camellia-ECB block encryption/decryption
+ */
+int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int NR;
+ uint32_t *RK, X[4];
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ ((void) mode);
+
+ NR = ctx->nr;
+ RK = ctx->rk;
+
+ X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
+ X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
+ X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
+ X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
+
+ X[0] ^= *RK++;
+ X[1] ^= *RK++;
+ X[2] ^= *RK++;
+ X[3] ^= *RK++;
+
+ while (NR) {
+ --NR;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+
+ if (NR) {
+ FL(X[0], X[1], RK[0], RK[1]);
+ RK += 2;
+ FLInv(X[2], X[3], RK[0], RK[1]);
+ RK += 2;
+ }
+ }
+
+ X[2] ^= *RK++;
+ X[3] ^= *RK++;
+ X[0] ^= *RK++;
+ X[1] ^= *RK++;
+
+ MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
+ MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
+ MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
+ MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Camellia-CBC buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char temp[16];
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ if (length % 16) {
+ return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, 16);
+ mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
+
+ mbedtls_xor(output, output, iv, 16);
+
+ memcpy(iv, temp, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 16);
+
+ mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
+ memcpy(iv, output, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Camellia-CFB128 buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c;
+ size_t n;
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+ if (n >= 16) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
+ }
+
+ c = *input++;
+ *output++ = (unsigned char) (c ^ iv[n]);
+ iv[n] = (unsigned char) c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c, i;
+ size_t n;
+
+ n = *nc_off;
+ if (n >= 16) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
+ stream_block);
+
+ for (i = 16; i > 0; i--) {
+ if (++nonce_counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+ c = *input++;
+ *output++ = (unsigned char) (c ^ stream_block[n]);
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *nc_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Camellia test vectors from:
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
+ * (For each bitlength: Key 0, Nr 39)
+ */
+#define CAMELLIA_TESTS_ECB 2
+
+static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
+{
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+};
+
+static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
+{
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+ { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
+{
+ {
+ { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
+ 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
+ { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
+ 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
+ },
+ {
+ { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
+ 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
+ { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
+ 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
+ },
+ {
+ { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
+ 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
+ { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
+ 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
+ }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define CAMELLIA_TESTS_CBC 3
+
+static const unsigned char camellia_test_cbc_key[3][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
+ ,
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
+ ,
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char camellia_test_cbc_iv[16] =
+
+{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
+;
+
+static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
+{
+ { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
+ { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
+ { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
+
+};
+
+static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
+{
+ {
+ { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
+ 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
+ { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
+ 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
+ { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
+ 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
+ },
+ {
+ { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
+ 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
+ { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
+ 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
+ { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
+ 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
+ },
+ {
+ { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
+ 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
+ { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
+ 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
+ { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
+ 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
+ }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc5528.html
+ */
+
+static const unsigned char camellia_test_ctr_key[3][16] =
+{
+ { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+ 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+ { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+ 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+ { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+ 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
+{
+ { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+ 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+ 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char camellia_test_ctr_pt[3][48] =
+{
+ { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+ 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+ 0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char camellia_test_ctr_ct[3][48] =
+{
+ { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
+ 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
+ { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
+ 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
+ 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
+ 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
+ { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
+ 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
+ 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
+ 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
+ 0xDF, 0x50, 0x86, 0x96 }
+};
+
+static const int camellia_test_ctr_len[3] =
+{ 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_camellia_self_test(int verbose)
+{
+ int i, j, u, v;
+ unsigned char key[32];
+ unsigned char buf[64];
+ unsigned char src[16];
+ unsigned char dst[16];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ size_t offset, len;
+ unsigned char nonce_counter[16];
+ unsigned char stream_block[16];
+#endif
+ int ret = 1;
+
+ mbedtls_camellia_context ctx;
+
+ mbedtls_camellia_init(&ctx);
+ memset(key, 0, 32);
+
+ for (j = 0; j < 6; j++) {
+ u = j >> 1;
+ v = j & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+#endif
+
+ for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
+ memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
+ memcpy(src, camellia_test_ecb_cipher[u][i], 16);
+ memcpy(dst, camellia_test_ecb_plain[i], 16);
+ } else
+#endif
+ { /* MBEDTLS_CAMELLIA_ENCRYPT */
+ mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
+ memcpy(src, camellia_test_ecb_plain[i], 16);
+ memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
+ }
+
+ mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
+
+ if (memcmp(buf, dst, 16) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ for (j = 0; j < 6; j++) {
+ u = j >> 1;
+ v = j & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(src, camellia_test_cbc_iv, 16);
+ memcpy(dst, camellia_test_cbc_iv, 16);
+ memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
+ } else {
+ mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
+ }
+
+ for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ memcpy(iv, src, 16);
+ memcpy(src, camellia_test_cbc_cipher[u][i], 16);
+ memcpy(dst, camellia_test_cbc_plain[i], 16);
+ } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+ memcpy(iv, dst, 16);
+ memcpy(src, camellia_test_cbc_plain[i], 16);
+ memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
+ }
+
+ mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
+
+ if (memcmp(buf, dst, 16) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /*
+ * CTR mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
+ memcpy(key, camellia_test_ctr_key[u], 16);
+
+ offset = 0;
+ mbedtls_camellia_setkey_enc(&ctx, key, 128);
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ len = camellia_test_ctr_len[u];
+ memcpy(buf, camellia_test_ctr_ct[u], len);
+
+ mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
+ buf, buf);
+
+ if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ } else {
+ len = camellia_test_ctr_len[u];
+ memcpy(buf, camellia_test_ctr_pt[u], len);
+
+ mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
+ buf, buf);
+
+ if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+ ret = 0;
+
+exit:
+ mbedtls_camellia_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/ccm.c b/tf-psa-crypto/drivers/builtin/src/ccm.c
new file mode 100644
index 0000000..45ed697
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ccm.c
@@ -0,0 +1,763 @@
+/*
+ * NIST SP800-38C compliant CCM implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "block_cipher_internal.h"
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init(mbedtls_ccm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ccm_context));
+}
+
+int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+
+ if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return ret;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free(mbedtls_ccm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+#else
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ccm_context));
+}
+
+#define CCM_STATE__CLEAR 0
+#define CCM_STATE__STARTED (1 << 0)
+#define CCM_STATE__LENGTHS_SET (1 << 1)
+#define CCM_STATE__AUTH_DATA_STARTED (1 << 2)
+#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3)
+#define CCM_STATE__ERROR (1 << 4)
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ */
+static int mbedtls_ccm_crypt(mbedtls_ccm_context *ctx,
+ size_t offset, size_t use_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp_buf[16] = { 0 };
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->ctr, tmp_buf);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
+ return ret;
+ }
+
+ mbedtls_xor(output, input, tmp_buf + offset, use_len);
+
+ mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
+ return ret;
+}
+
+static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx)
+{
+ ctx->state = CCM_STATE__CLEAR;
+ memset(ctx->y, 0, 16);
+ memset(ctx->ctr, 0, 16);
+}
+
+static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t len_left;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ /* length calculation can be done only after both
+ * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
+ */
+ if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) {
+ return 0;
+ }
+
+ /* CCM expects non-empty tag.
+ * CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
+ */
+ if (ctx->tag_len == 0) {
+ if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
+ ctx->plaintext_len = 0;
+ } else {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+ }
+
+ /*
+ * First block:
+ * 0 .. 0 flags
+ * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts()
+ * iv_len+1 .. 15 length
+ *
+ * With flags as (bits):
+ * 7 0
+ * 6 add present?
+ * 5 .. 3 (t - 2) / 2
+ * 2 .. 0 q - 1
+ */
+ ctx->y[0] |= (ctx->add_len > 0) << 6;
+ ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3;
+ ctx->y[0] |= ctx->q - 1;
+
+ for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) {
+ ctx->y[15-i] = MBEDTLS_BYTE_0(len_left);
+ }
+
+ if (len_left > 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /* Start CBC-MAC with first block*/
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len)
+{
+ /* Also implies q is within bounds */
+ if (iv_len < 7 || iv_len > 13) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->mode = mode;
+ ctx->q = 16 - 1 - (unsigned char) iv_len;
+
+ /*
+ * Prepare counter block for encryption:
+ * 0 .. 0 flags
+ * 1 .. iv_len nonce (aka iv)
+ * iv_len+1 .. 15 counter (initially 1)
+ *
+ * With flags as (bits):
+ * 7 .. 3 0
+ * 2 .. 0 q - 1
+ */
+ memset(ctx->ctr, 0, 16);
+ ctx->ctr[0] = ctx->q - 1;
+ memcpy(ctx->ctr + 1, iv, iv_len);
+ memset(ctx->ctr + 1 + iv_len, 0, ctx->q);
+ ctx->ctr[15] = 1;
+
+ /*
+ * See ccm_calculate_first_block_if_ready() for block layout description
+ */
+ memcpy(ctx->y + 1, iv, iv_len);
+
+ ctx->state |= CCM_STATE__STARTED;
+ return ccm_calculate_first_block_if_ready(ctx);
+}
+
+int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
+ size_t total_ad_len,
+ size_t plaintext_len,
+ size_t tag_len)
+{
+ /*
+ * Check length requirements: SP800-38C A.1
+ * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+ * 'length' checked later (when writing it to the first block)
+ *
+ * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
+ */
+ if (tag_len == 2 || tag_len > 16 || tag_len % 2 != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (total_ad_len >= 0xFF00) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->plaintext_len = plaintext_len;
+ ctx->add_len = total_ad_len;
+ ctx->tag_len = tag_len;
+ ctx->processed = 0;
+
+ ctx->state |= CCM_STATE__LENGTHS_SET;
+ return ccm_calculate_first_block_if_ready(ctx);
+}
+
+int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
+ const unsigned char *add,
+ size_t add_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t use_len, offset;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (add_len > 0) {
+ if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) {
+ if (add_len > ctx->add_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF);
+ ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF);
+
+ ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
+ } else if (ctx->processed + add_len > ctx->add_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ while (add_len > 0) {
+ offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
+ * holding total auth data length */
+ use_len = 16 - offset;
+
+ if (use_len > add_len) {
+ use_len = add_len;
+ }
+
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len);
+
+ ctx->processed += use_len;
+ add_len -= use_len;
+ add += use_len;
+
+ if (use_len + offset == 16 || ctx->processed == ctx->add_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return ret;
+ }
+ }
+ }
+
+ if (ctx->processed == ctx->add_len) {
+ ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
+ ctx->processed = 0; // prepare for mbedtls_ccm_update()
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
+ const unsigned char *input, size_t input_len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t use_len, offset;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ unsigned char local_output[16];
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /* Check against plaintext length only if performing operation with
+ * authentication
+ */
+ if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (output_size < input_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+ *output_len = input_len;
+
+ ret = 0;
+
+ while (input_len > 0) {
+ offset = ctx->processed % 16;
+
+ use_len = 16 - offset;
+
+ if (use_len > input_len) {
+ use_len = input_len;
+ }
+
+ ctx->processed += use_len;
+
+ if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \
+ ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) {
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len);
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if (ctx->mode == MBEDTLS_CCM_DECRYPT || \
+ ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
+ /* Since output may be in shared memory, we cannot be sure that
+ * it will contain what we wrote to it. Therefore, we should avoid using
+ * it as input to any operations.
+ * Write decrypted data to local_output to avoid using output variable as
+ * input in the XOR operation for Y.
+ */
+ ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, local_output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len);
+
+ memcpy(output, local_output, use_len);
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ goto exit;
+ }
+ }
+ }
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+ for (i = 0; i < ctx->q; i++) {
+ if (++(ctx->ctr)[15-i] != 0) {
+ break;
+ }
+ }
+ }
+
+ input_len -= use_len;
+ input += use_len;
+ output += use_len;
+ }
+
+exit:
+ mbedtls_platform_zeroize(local_output, 16);
+
+ return ret;
+}
+
+int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
+ unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+ if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /*
+ * Authentication: reset counter and crypt/mask internal tag
+ */
+ for (i = 0; i < ctx->q; i++) {
+ ctx->ctr[15-i] = 0;
+ }
+
+ ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y);
+ if (ret != 0) {
+ return ret;
+ }
+ if (tag != NULL) {
+ memcpy(tag, ctx->y, tag_len);
+ }
+ mbedtls_ccm_clear_state(ctx);
+
+ return 0;
+}
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ if ((ret = mbedtls_ccm_starts(ctx, mode, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_set_lengths(ctx, add_len, length, tag_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_update_ad(ctx, add, add_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_update(ctx, input, length,
+ output, length, &olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_finish(ctx, tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_crypt(ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
+ add, add_len, input, output, tag, tag_len);
+}
+
+int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_crypt(ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
+ add, add_len, input, output, tag, tag_len);
+}
+
+/*
+ * Authenticated decryption
+ */
+static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
+ const unsigned char *tag2,
+ size_t tag_len)
+{
+ /* Check tag in "constant-time" */
+ int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
+
+ if (diff != 0) {
+ return MBEDTLS_ERR_CCM_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+static int ccm_auth_decrypt(mbedtls_ccm_context *ctx, int mode, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+
+ if ((ret = ccm_auth_crypt(ctx, mode, length,
+ iv, iv_len, add, add_len,
+ input, output, check_tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_compare_tags(tag, check_tag, tag_len)) != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_decrypt(ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag, tag_len);
+}
+
+int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_decrypt(ctx, MBEDTLS_CCM_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag, tag_len);
+}
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key_test_data[] = {
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv_test_data[] = {
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad_test_data[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len_test_data[NB_TESTS] = { 7, 8, 12 };
+static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 };
+
+static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+ { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+ { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+ 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+ 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
+ { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+ 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+ 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+ 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
+};
+
+int mbedtls_ccm_self_test(int verbose)
+{
+ mbedtls_ccm_context ctx;
+ /*
+ * Some hardware accelerators require the input and output buffers
+ * would be in RAM, because the flash is not accessible.
+ * Use buffers on the stack to hold the test vectors data.
+ */
+ unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+ unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+ size_t i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_ccm_init(&ctx);
+
+ if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
+ 8 * sizeof(key_test_data)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" CCM: setup failed");
+ }
+
+ return 1;
+ }
+
+ for (i = 0; i < NB_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" CCM-AES #%u: ", (unsigned int) i + 1);
+ }
+
+ memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+ memset(ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN);
+ memcpy(plaintext, msg_test_data, msg_len_test_data[i]);
+
+ ret = mbedtls_ccm_encrypt_and_tag(&ctx, msg_len_test_data[i],
+ iv_test_data, iv_len_test_data[i],
+ ad_test_data, add_len_test_data[i],
+ plaintext, ciphertext,
+ ciphertext + msg_len_test_data[i],
+ tag_len_test_data[i]);
+
+ if (ret != 0 ||
+ memcmp(ciphertext, res_test_data[i],
+ msg_len_test_data[i] + tag_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+ memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+
+ ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len_test_data[i],
+ iv_test_data, iv_len_test_data[i],
+ ad_test_data, add_len_test_data[i],
+ ciphertext, plaintext,
+ ciphertext + msg_len_test_data[i],
+ tag_len_test_data[i]);
+
+ if (ret != 0 ||
+ memcmp(plaintext, msg_test_data, msg_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ mbedtls_ccm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
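Review bot: `mbedtls_ccm_finish()` ends with `memcpy(tag, ctx->y, tag_len)`, but that `tag_len` is the caller's argument and is never compared with the value validated in `mbedtls_ccm_set_lengths()`, nor with the 16 bytes the rest of this file treats as the size of `ctx->y`. The one-shot wrappers are unaffected, because `ccm_auth_crypt()` passes the same `tag_len` through `mbedtls_ccm_set_lengths()` first, which rejects anything above 16. A multipart caller that passes a larger value would read past `ctx->y` and get those bytes back as tag material; the struct layout is not visible in this hunk, so which bytes follow is an assumption. I would add `if (tag_len != ctx->tag_len) { return MBEDTLS_ERR_CCM_BAD_INPUT; }` before the counter reset, or at minimum reject `tag_len > 16`.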
diff --git a/tf-psa-crypto/drivers/builtin/src/chacha20.c b/tf-psa-crypto/drivers/builtin/src/chacha20.c
new file mode 100644
index 0000000..acaae5b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/chacha20.c
@@ -0,0 +1,497 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#define ROTL32(value, amount) \
+ ((uint32_t) ((value) << (amount)) | ((value) >> (32 - (amount))))
+
+#define CHACHA20_CTR_INDEX (12U)
+
+#define CHACHA20_BLOCK_SIZE_BYTES (4U * 16U)
+
+/**
+ * \brief ChaCha20 quarter round operation.
+ *
+ * The quarter round is defined as follows (from RFC 7539):
+ * 1. a += b; d ^= a; d <<<= 16;
+ * 2. c += d; b ^= c; b <<<= 12;
+ * 3. a += b; d ^= a; d <<<= 8;
+ * 4. c += d; b ^= c; b <<<= 7;
+ *
+ * \param state ChaCha20 state to modify.
+ * \param a The index of 'a' in the state.
+ * \param b The index of 'b' in the state.
+ * \param c The index of 'c' in the state.
+ * \param d The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round(uint32_t state[16],
+ size_t a,
+ size_t b,
+ size_t c,
+ size_t d)
+{
+ /* a += b; d ^= a; d <<<= 16; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32(state[d], 16);
+
+ /* c += d; b ^= c; b <<<= 12 */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32(state[b], 12);
+
+ /* a += b; d ^= a; d <<<= 8; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32(state[d], 8);
+
+ /* c += d; b ^= c; b <<<= 7; */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32(state[b], 7);
+}
+
+/**
+ * \brief Perform the ChaCha20 inner block operation.
+ *
+ * This function performs two rounds: the column round and the
+ * diagonal round.
+ *
+ * \param state The ChaCha20 state to update.
+ */
+static void chacha20_inner_block(uint32_t state[16])
+{
+ chacha20_quarter_round(state, 0, 4, 8, 12);
+ chacha20_quarter_round(state, 1, 5, 9, 13);
+ chacha20_quarter_round(state, 2, 6, 10, 14);
+ chacha20_quarter_round(state, 3, 7, 11, 15);
+
+ chacha20_quarter_round(state, 0, 5, 10, 15);
+ chacha20_quarter_round(state, 1, 6, 11, 12);
+ chacha20_quarter_round(state, 2, 7, 8, 13);
+ chacha20_quarter_round(state, 3, 4, 9, 14);
+}
+
+/**
+ * \brief Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block(const uint32_t initial_state[16],
+ unsigned char keystream[64])
+{
+ uint32_t working_state[16];
+ size_t i;
+
+ memcpy(working_state,
+ initial_state,
+ CHACHA20_BLOCK_SIZE_BYTES);
+
+ for (i = 0U; i < 10U; i++) {
+ chacha20_inner_block(working_state);
+ }
+
+ working_state[0] += initial_state[0];
+ working_state[1] += initial_state[1];
+ working_state[2] += initial_state[2];
+ working_state[3] += initial_state[3];
+ working_state[4] += initial_state[4];
+ working_state[5] += initial_state[5];
+ working_state[6] += initial_state[6];
+ working_state[7] += initial_state[7];
+ working_state[8] += initial_state[8];
+ working_state[9] += initial_state[9];
+ working_state[10] += initial_state[10];
+ working_state[11] += initial_state[11];
+ working_state[12] += initial_state[12];
+ working_state[13] += initial_state[13];
+ working_state[14] += initial_state[14];
+ working_state[15] += initial_state[15];
+
+ for (i = 0U; i < 16; i++) {
+ size_t offset = i * 4U;
+
+ MBEDTLS_PUT_UINT32_LE(working_state[i], keystream, offset);
+ }
+
+ mbedtls_platform_zeroize(working_state, sizeof(working_state));
+}
+
+void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx)
+{
+ mbedtls_platform_zeroize(ctx->state, sizeof(ctx->state));
+ mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx)
+{
+ if (ctx != NULL) {
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_chacha20_context));
+ }
+}
+
+int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
+ const unsigned char key[32])
+{
+ /* ChaCha20 constants - the string "expand 32-byte k" */
+ ctx->state[0] = 0x61707865;
+ ctx->state[1] = 0x3320646e;
+ ctx->state[2] = 0x79622d32;
+ ctx->state[3] = 0x6b206574;
+
+ /* Set key */
+ ctx->state[4] = MBEDTLS_GET_UINT32_LE(key, 0);
+ ctx->state[5] = MBEDTLS_GET_UINT32_LE(key, 4);
+ ctx->state[6] = MBEDTLS_GET_UINT32_LE(key, 8);
+ ctx->state[7] = MBEDTLS_GET_UINT32_LE(key, 12);
+ ctx->state[8] = MBEDTLS_GET_UINT32_LE(key, 16);
+ ctx->state[9] = MBEDTLS_GET_UINT32_LE(key, 20);
+ ctx->state[10] = MBEDTLS_GET_UINT32_LE(key, 24);
+ ctx->state[11] = MBEDTLS_GET_UINT32_LE(key, 28);
+
+ return 0;
+}
+
+int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
+ const unsigned char nonce[12],
+ uint32_t counter)
+{
+ /* Counter */
+ ctx->state[12] = counter;
+
+ /* Nonce */
+ ctx->state[13] = MBEDTLS_GET_UINT32_LE(nonce, 0);
+ ctx->state[14] = MBEDTLS_GET_UINT32_LE(nonce, 4);
+ ctx->state[15] = MBEDTLS_GET_UINT32_LE(nonce, 8);
+
+ mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+ return 0;
+}
+
+int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t offset = 0U;
+
+ /* Use leftover keystream bytes, if available */
+ while (size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES) {
+ output[offset] = input[offset]
+ ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+ ctx->keystream_bytes_used++;
+ offset++;
+ size--;
+ }
+
+ /* Process full blocks */
+ while (size >= CHACHA20_BLOCK_SIZE_BYTES) {
+ /* Generate new keystream block and increment counter */
+ chacha20_block(ctx->state, ctx->keystream8);
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ mbedtls_xor(output + offset, input + offset, ctx->keystream8, 64U);
+
+ offset += CHACHA20_BLOCK_SIZE_BYTES;
+ size -= CHACHA20_BLOCK_SIZE_BYTES;
+ }
+
+ /* Last (partial) block */
+ if (size > 0U) {
+ /* Generate new keystream block and increment counter */
+ chacha20_block(ctx->state, ctx->keystream8);
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ mbedtls_xor(output + offset, input + offset, ctx->keystream8, size);
+
+ ctx->keystream_bytes_used = size;
+
+ }
+
+ return 0;
+}
+
+int mbedtls_chacha20_crypt(const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t data_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ mbedtls_chacha20_context ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_chacha20_init(&ctx);
+
+ ret = mbedtls_chacha20_setkey(&ctx, key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chacha20_starts(&ctx, nonce, counter);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chacha20_update(&ctx, data_len, input, output);
+
+cleanup:
+ mbedtls_chacha20_free(&ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+ }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x02
+ }
+};
+
+static const uint32_t test_counters[2] =
+{
+ 0U,
+ 1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+ 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+ 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+ 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+ 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+ 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+ 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+ 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+ 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+ 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+ 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+ 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+ 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+ 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+ 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+ 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+ 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+ 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+ 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+ 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+ 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+ 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+ 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+ 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+ 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+ 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+ 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+ 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+ 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+ 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+ 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+ 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+ 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+ }
+};
+
+static const unsigned char test_output[2][375] =
+{
+ {
+ 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+ 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+ 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+ 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+ 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+ 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+ 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+ 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+ },
+ {
+ 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+ 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+ 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+ 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+ 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+ 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+ 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+ 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+ 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+ 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+ 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+ 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+ 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+ 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+ 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+ 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+ 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+ 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+ 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+ 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+ 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+ 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+ 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+ 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+ 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+ 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+ 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+ 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+ 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+ 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+ 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+ 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+ 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+ 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+ 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+ 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+ 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+ 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+ 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+ 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+ 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+ 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+ 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+ 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+ 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+ 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+ 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+ }
+};
+
+static const size_t test_lengths[2] =
+{
+ 64U,
+ 375U
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_chacha20_self_test(int verbose)
+{
+ unsigned char output[381];
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ for (i = 0U; i < 2U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" ChaCha20 test %u ", i);
+ }
+
+ ret = mbedtls_chacha20_crypt(test_keys[i],
+ test_nonces[i],
+ test_counters[i],
+ test_lengths[i],
+ test_input[i],
+ output);
+
+ ASSERT(0 == ret, ("error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(output, test_output[i], test_lengths[i]),
+ ("failed (output)\n"));
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
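Review bot: Nothing in `mbedtls_chacha20_update()` detects the 32-bit block counter wrapping: both the full-block loop and the partial-block branch run `ctx->state[CHACHA20_CTR_INDEX]++` unconditionally, so after 0xFFFFFFFF the counter returns to 0 and keystream blocks already produced for this key and nonce are generated again. A single call is bounded by `size_t`, but the counter persists across calls and `mbedtls_chacha20_starts()` accepts any starting value, so a caller that starts high or streams for a long time can reach the limit. At minimum I would add a comment above the increments, `/* 32-bit counter wraps silently: callers must keep total output below (2^32 - initial counter) blocks per key/nonce */`. Whether to fail instead (for example with `MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA`) depends on the contract documented in chacha20.h, which is not part of this hunk. Separately, the closing `#endif /* !MBEDTLS_CHACHA20_C */` matches `#if defined(MBEDTLS_CHACHA20_C)`, so the `!` in that comment is wrong.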
diff --git a/tf-psa-crypto/drivers/builtin/src/chachapoly.c b/tf-psa-crypto/drivers/builtin/src/chachapoly.c
new file mode 100644
index 0000000..a1314ea
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/chachapoly.c
@@ -0,0 +1,478 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#define CHACHAPOLY_STATE_INIT (0)
+#define CHACHAPOLY_STATE_AAD (1)
+#define CHACHAPOLY_STATE_CIPHERTEXT (2) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED (3)
+
+/**
+ * \brief Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)
+{
+ uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);
+ unsigned char zeroes[15];
+
+ if (partial_block_len == 0U) {
+ return 0;
+ }
+
+ memset(zeroes, 0, sizeof(zeroes));
+
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len);
+}
+
+/**
+ * \brief Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)
+{
+ uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);
+ unsigned char zeroes[15];
+
+ if (partial_block_len == 0U) {
+ return 0;
+ }
+
+ memset(zeroes, 0, sizeof(zeroes));
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len);
+}
+
+void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)
+{
+ mbedtls_chacha20_init(&ctx->chacha20_ctx);
+ mbedtls_poly1305_init(&ctx->poly1305_ctx);
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_chacha20_free(&ctx->chacha20_ctx);
+ mbedtls_poly1305_free(&ctx->poly1305_ctx);
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
+ const unsigned char key[32])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
+
+ return ret;
+}
+
+int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_chachapoly_mode_t mode)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char poly1305_key[64];
+
+ /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+ ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+ * counter = 0. This is the same as encrypting a buffer of zeroes.
+ * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+ * The other 256 bits are discarded.
+ */
+ memset(poly1305_key, 0, sizeof(poly1305_key));
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
+ poly1305_key, poly1305_key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
+
+ if (ret == 0) {
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_AAD;
+ ctx->mode = mode;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(poly1305_key, 64U);
+ return ret;
+}
+
+int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
+ const unsigned char *aad,
+ size_t aad_len)
+{
+ if (ctx->state != CHACHAPOLY_STATE_AAD) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ ctx->aad_len += aad_len;
+
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);
+}
+
+int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
+ (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ if (ctx->state == CHACHAPOLY_STATE_AAD) {
+ ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+ ret = chachapoly_pad_aad(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ ctx->ciphertext_len += len;
+
+ if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
+ if (ret != 0) {
+ return ret;
+ }
+ } else { /* DECRYPT */
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
+ unsigned char mac[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char len_block[16];
+
+ if (ctx->state == CHACHAPOLY_STATE_INIT) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ if (ctx->state == CHACHAPOLY_STATE_AAD) {
+ ret = chachapoly_pad_aad(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
+ ret = chachapoly_pad_ciphertext(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+ /* The lengths of the AAD and ciphertext are processed by
+ * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+ */
+ MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
+ MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
+
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
+
+ return ret;
+}
+
+static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
+ mbedtls_chachapoly_mode_t mode,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_update(ctx, length, input, output);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_finish(ctx, tag);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16])
+{
+ return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+ length, nonce, aad, aad_len,
+ input, output, tag);
+}
+
+int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char tag[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+ int diff;
+
+ if ((ret = chachapoly_crypt_and_tag(ctx,
+ MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+ aad, aad_len, input, output, check_tag)) != 0) {
+ return ret;
+ }
+
+ /* Check tag in "constant-time" */
+ diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
+
+ if (diff != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+ {
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+ }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+ {
+ 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
+ }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+ {
+ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+ 0xc4, 0xc5, 0xc6, 0xc7
+ }
+};
+
+static const size_t test_aad_len[1] =
+{
+ 12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+ {
+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+ 0x74, 0x2e
+ }
+};
+
+static const unsigned char test_output[1][114] =
+{
+ {
+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+ 0x61, 0x16
+ }
+};
+
+static const size_t test_input_len[1] =
+{
+ 114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+ {
+ 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+ 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+ }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_chachapoly_self_test(int verbose)
+{
+ mbedtls_chachapoly_context ctx;
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char output[200];
+ unsigned char mac[16];
+
+ for (i = 0U; i < 1U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);
+ }
+
+ mbedtls_chachapoly_init(&ctx);
+
+ ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
+ ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
+
+ ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
+ test_input_len[i],
+ test_nonce[i],
+ test_aad[i],
+ test_aad_len[i],
+ test_input[i],
+ output,
+ mac);
+
+ ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
+ ("failure (wrong output)\n"));
+
+ ASSERT(0 == memcmp(mac, test_mac[i], 16U),
+ ("failure (wrong MAC)\n"));
+
+ mbedtls_chachapoly_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
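Review bot: `mbedtls_chachapoly_finish()` rejects only `CHACHAPOLY_STATE_INIT`, so a second call on a context already in `CHACHAPOLY_STATE_FINISHED` skips both padding branches, feeds another length block to Poly1305 and writes a tag into `mac`, with nothing in this function flagging the repeated call. What the Poly1305 context holds after the first `mbedtls_poly1305_finish()` is not visible in this hunk, but either way the caller can receive a tag that does not belong to the message it processed. I would extend the guard to `if (ctx->state == CHACHAPOLY_STATE_INIT || ctx->state == CHACHAPOLY_STATE_FINISHED) {` returning `MBEDTLS_ERR_CHACHAPOLY_BAD_STATE`, which matches how `mbedtls_chachapoly_update_aad()` and `mbedtls_chachapoly_update()` already refuse the finished state. Also worth a look: `mbedtls_chachapoly_self_test()` exercises only `mbedtls_chachapoly_encrypt_and_tag()`, so the constant-time tag comparison and output wipe in `mbedtls_chachapoly_auth_decrypt()` are not covered, unlike the CCM self-test earlier in this commit, which round-trips through `mbedtls_ccm_auth_decrypt()`.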
diff --git a/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h b/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h
new file mode 100644
index 0000000..6469e9f
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/check_crypto_config.h
@@ -0,0 +1,141 @@
+/**
+ * \file check_crypto_config.h
+ *
+ * \brief Consistency checks for PSA configuration options
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * It is recommended to include this file from your crypto_config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H
+#define MBEDTLS_CHECK_CRYPTO_CONFIG_H
+
+#if defined(PSA_WANT_ALG_CCM) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#error "PSA_WANT_ALG_CCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_CMAC) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) || \
+ defined(PSA_WANT_KEY_TYPE_DES))
+#error "PSA_WANT_ALG_CMAC defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+ !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
+#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_ECDSA) && \
+ !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
+#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_GCM) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#error "PSA_WANT_ALG_GCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PSS) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)) && \
+ !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)) && \
+ !defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)) && \
+ !defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE defined, but feature is not supported"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
+#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE defined, but feature is not supported"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ !(defined(PSA_WANT_ALG_SHA_1) || defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_512))
+#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \
+ !defined(PSA_WANT_ALG_SHA_256)
+#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites"
+#endif
+
+#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
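Review bot: The deprecation text for `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR` tells users that xxx can be `USE, IMPORT, EXPORT, GENERATE, DERIVE`, but a few lines further down `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE` is a hard `#error` ("feature is not supported"), and every prerequisite check in this header tests `_BASIC`, never `_USE`. A user who follows the message literally either hits that build error or defines a symbol that none of the checks here look at. I would make the RSA message read `symbols, where xxx can be: BASIC, IMPORT, EXPORT, GENERATE` and the ECC one `symbols, where xxx can be: BASIC, IMPORT, EXPORT, GENERATE, DERIVE`, in both the `#error` and `#warning` branches. Whether `_USE` is still accepted as an alias elsewhere is not visible from this file.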
diff --git a/tf-psa-crypto/drivers/builtin/src/cipher.c b/tf-psa-crypto/drivers/builtin/src/cipher.c
new file mode 100644
index 0000000..7f4c121
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/cipher.c
@@ -0,0 +1,1683 @@
+/**
+ * \file cipher.c
+ *
+ * \brief Generic cipher wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher.h"
+#include "cipher_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+#include "constant_time_internal.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+static int supported_init = 0;
+
+static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
+ const mbedtls_cipher_info_t *info)
+{
+ return mbedtls_cipher_base_lookup_table[info->base_idx];
+}
+
+const int *mbedtls_cipher_list(void)
+{
+ const mbedtls_cipher_definition_t *def;
+ int *type;
+
+ if (!supported_init) {
+ def = mbedtls_cipher_definitions;
+ type = mbedtls_cipher_supported;
+
+ while (def->type != 0) {
+ *type++ = (*def++).type;
+ }
+
+ *type = 0;
+
+ supported_init = 1;
+ }
+
+ return mbedtls_cipher_supported;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
+ const mbedtls_cipher_type_t cipher_type)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (def->type == cipher_type) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
+ const char *cipher_name)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ if (NULL == cipher_name) {
+ return NULL;
+ }
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (!strcmp(def->info->name, cipher_name)) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
+ const mbedtls_cipher_id_t cipher_id,
+ int key_bitlen,
+ const mbedtls_cipher_mode_t mode)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
+ mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
+ def->info->mode == mode) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
+ mbedtls_cipher_type_t cipher)
+{
+ switch (cipher) {
+ case MBEDTLS_CIPHER_AES_128_CCM:
+ case MBEDTLS_CIPHER_AES_192_CCM:
+ case MBEDTLS_CIPHER_AES_256_CCM:
+ case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_128_GCM:
+ case MBEDTLS_CIPHER_AES_192_GCM:
+ case MBEDTLS_CIPHER_AES_256_GCM:
+ case MBEDTLS_CIPHER_AES_128_CBC:
+ case MBEDTLS_CIPHER_AES_192_CBC:
+ case MBEDTLS_CIPHER_AES_256_CBC:
+ case MBEDTLS_CIPHER_AES_128_ECB:
+ case MBEDTLS_CIPHER_AES_192_ECB:
+ case MBEDTLS_CIPHER_AES_256_ECB:
+ return PSA_KEY_TYPE_AES;
+
+ /* ARIA not yet supported in PSA. */
+ /* case MBEDTLS_CIPHER_ARIA_128_CCM:
+ case MBEDTLS_CIPHER_ARIA_192_CCM:
+ case MBEDTLS_CIPHER_ARIA_256_CCM:
+ case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_128_GCM:
+ case MBEDTLS_CIPHER_ARIA_192_GCM:
+ case MBEDTLS_CIPHER_ARIA_256_GCM:
+ case MBEDTLS_CIPHER_ARIA_128_CBC:
+ case MBEDTLS_CIPHER_ARIA_192_CBC:
+ case MBEDTLS_CIPHER_ARIA_256_CBC:
+ return( PSA_KEY_TYPE_ARIA ); */
+
+ default:
+ return 0;
+ }
+}
+
+static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
+ mbedtls_cipher_mode_t mode, size_t taglen)
+{
+ switch (mode) {
+ case MBEDTLS_MODE_ECB:
+ return PSA_ALG_ECB_NO_PADDING;
+ case MBEDTLS_MODE_GCM:
+ return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
+ case MBEDTLS_MODE_CCM:
+ return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
+ case MBEDTLS_MODE_CCM_STAR_NO_TAG:
+ return PSA_ALG_CCM_STAR_NO_TAG;
+ case MBEDTLS_MODE_CBC:
+ if (taglen == 0) {
+ return PSA_ALG_CBC_NO_PADDING;
+ } else {
+ return 0;
+ }
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+}
+
+void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ if (ctx->cipher_ctx != NULL) {
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
+ /* xxx_free() doesn't allow to return failures. */
+ (void) psa_destroy_key(cipher_psa->slot);
+ }
+
+ mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
+ return;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_CMAC_C)
+ if (ctx->cmac_ctx) {
+ mbedtls_zeroize_and_free(ctx->cmac_ctx,
+ sizeof(mbedtls_cmac_context_t));
+ }
+#endif
+
+ if (ctx->cipher_ctx) {
+ mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
+}
+
+int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info)
+{
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+
+ if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
+ ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
+ if (ctx->cipher_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+ }
+
+ ctx->cipher_info = cipher_info;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info,
+ size_t taglen)
+{
+ psa_algorithm_t alg;
+ mbedtls_cipher_context_psa *cipher_psa;
+
+ if (NULL == cipher_info || NULL == ctx) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Check that the underlying cipher mode and cipher type are
+ * supported by the underlying PSA Crypto implementation. */
+ alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
+ if (alg == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+ if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+
+ cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
+ if (cipher_psa == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+ cipher_psa->alg = alg;
+ ctx->cipher_ctx = cipher_psa;
+ ctx->cipher_info = cipher_info;
+ ctx->psa_enabled = 1;
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key,
+ int key_bitlen,
+ const mbedtls_operation_t operation)
+{
+ if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
+ MBEDTLS_DECRYPT == operation) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
+
+ psa_status_t status;
+ psa_key_type_t key_type;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ /* PSA Crypto API only accepts byte-aligned keys. */
+ if (key_bitlen % 8 != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Don't allow keys to be set multiple times. */
+ if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ key_type = mbedtls_psa_translate_cipher_type(
+ ((mbedtls_cipher_type_t) ctx->cipher_info->type));
+ if (key_type == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+ psa_set_key_type(&attributes, key_type);
+
+ /* Mbed TLS' cipher layer doesn't enforce the mode of operation
+ * (encrypt vs. decrypt): it is possible to setup a key for encryption
+ * and use it for AEAD decryption. Until tests relying on this
+ * are changed, allow any usage in PSA. */
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, cipher_psa->alg);
+
+ status = psa_import_key(&attributes, key, key_bytelen,
+ &cipher_psa->slot);
+ switch (status) {
+ case PSA_SUCCESS:
+ break;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ default:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+ /* Indicate that we own the key slot and need to
+ * destroy it in mbedtls_cipher_free(). */
+ cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
+
+ ctx->key_bitlen = key_bitlen;
+ ctx->operation = operation;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
+ (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ctx->key_bitlen = key_bitlen;
+ ctx->operation = operation;
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ /*
+ * For OFB, CFB and CTR mode always use the encryption key schedule
+ */
+ if (MBEDTLS_ENCRYPT == operation ||
+ MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+
+ if (MBEDTLS_DECRYPT == operation) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+#else
+ if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+}
+
+int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv,
+ size_t iv_len)
+{
+ size_t actual_iv_size;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ /* avoid buffer overflow in ctx->iv */
+ if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
+ actual_iv_size = iv_len;
+ } else {
+ actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
+
+ /* avoid reading past the end of input buffer */
+ if (actual_iv_size > iv_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+
+#if defined(MBEDTLS_CHACHA20_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
+ /* Even though the actual_iv_size is overwritten with a correct value
+ * of 12 from the cipher info, return an error to indicate that
+ * the input iv_len is wrong. */
+ if (iv_len != 12) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
+ iv,
+ 0U)) { /* Initial counter value */
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
+ iv_len != 12) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#endif
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
+ ctx->operation,
+ iv, iv_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int set_lengths_result;
+ int ccm_star_mode;
+
+ set_lengths_result = mbedtls_ccm_set_lengths(
+ (mbedtls_ccm_context *) ctx->cipher_ctx,
+ 0, 0, 0);
+ if (set_lengths_result != 0) {
+ return set_lengths_result;
+ }
+
+ if (ctx->operation == MBEDTLS_DECRYPT) {
+ ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
+ } else if (ctx->operation == MBEDTLS_ENCRYPT) {
+ ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
+ } else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
+ ccm_star_mode,
+ iv, iv_len);
+ }
+#endif
+
+ if (actual_iv_size != 0) {
+ memcpy(ctx->iv, iv, actual_iv_size);
+ ctx->iv_size = actual_iv_size;
+ }
+
+ return 0;
+}
+
+int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* We don't support resetting PSA-based
+ * cipher contexts, yet. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ ctx->unprocessed_len = 0;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
+ const unsigned char *ad, size_t ad_len)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
+ ad, ad_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ int result;
+ mbedtls_chachapoly_mode_t mode;
+
+ mode = (ctx->operation == MBEDTLS_ENCRYPT)
+ ? MBEDTLS_CHACHAPOLY_ENCRYPT
+ : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+ result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ctx->iv,
+ mode);
+ if (result != 0) {
+ return result;
+ }
+
+ return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ad, ad_len);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
+ size_t ilen, unsigned char *output, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t block_size;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ *olen = 0;
+ block_size = mbedtls_cipher_get_block_size(ctx);
+ if (0 == block_size) {
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
+ if (ilen != block_size) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ *olen = ilen;
+
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
+ ctx->operation, input,
+ output))) {
+ return ret;
+ }
+
+ return 0;
+ }
+
+#if defined(MBEDTLS_GCM_C)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
+ return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
+ input, ilen,
+ output, ilen, olen);
+ }
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
+ return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
+ input, ilen,
+ output, ilen, olen);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
+ *olen = ilen;
+ return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ilen, input, output);
+ }
+#endif
+
+ if (input == output &&
+ (ctx->unprocessed_len != 0 || ilen % block_size)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
+ size_t copy_len = 0;
+
+ /*
+ * If there is not enough data for a full block, cache it.
+ */
+ if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
+ ilen <= block_size - ctx->unprocessed_len) ||
+ (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
+ ilen < block_size - ctx->unprocessed_len) ||
+ (ctx->operation == MBEDTLS_ENCRYPT &&
+ ilen < block_size - ctx->unprocessed_len)) {
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
+ ilen);
+
+ ctx->unprocessed_len += ilen;
+ return 0;
+ }
+
+ /*
+ * Process cached data first
+ */
+ if (0 != ctx->unprocessed_len) {
+ copy_len = block_size - ctx->unprocessed_len;
+
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
+ copy_len);
+
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ block_size, ctx->iv,
+ ctx->
+ unprocessed_data,
+ output))) {
+ return ret;
+ }
+
+ *olen += block_size;
+ output += block_size;
+ ctx->unprocessed_len = 0;
+
+ input += copy_len;
+ ilen -= copy_len;
+ }
+
+ /*
+ * Cache final, incomplete block
+ */
+ if (0 != ilen) {
+ /* Encryption: only cache partial blocks
+ * Decryption w/ padding: always keep at least one whole block
+ * Decryption w/o padding: only cache partial blocks
+ */
+ copy_len = ilen % block_size;
+ if (copy_len == 0 &&
+ ctx->operation == MBEDTLS_DECRYPT &&
+ NULL != ctx->add_padding) {
+ copy_len = block_size;
+ }
+
+ memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
+ copy_len);
+
+ ctx->unprocessed_len += copy_len;
+ ilen -= copy_len;
+ }
+
+ /*
+ * Process remaining full blocks
+ */
+ if (ilen) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ ilen, ctx->iv,
+ input,
+ output))) {
+ return ret;
+ }
+
+ *olen += ilen;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
+ ctx->operation, ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
+ ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
+ ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ ctx->unprocessed_data,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
+ if (ctx->unprocessed_len > 0) {
+ /* We can only process an entire data unit at a time. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
+ ctx->operation,
+ ilen,
+ ctx->iv,
+ input,
+ output);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
+ ilen, input,
+ output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_STREAM */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+/*
+ * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
+ */
+static void add_pkcs_padding(unsigned char *output, size_t output_len,
+ size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i;
+
+ for (i = 0; i < padding_len; i++) {
+ output[data_len + i] = (unsigned char) padding_len;
+ }
+}
+
+static int get_pkcs_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i, pad_idx;
+ unsigned char padding_len;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ padding_len = input[input_len - 1];
+ if (padding_len == 0 || padding_len > input_len) {
+ return MBEDTLS_ERR_CIPHER_INVALID_PADDING;
+ }
+ *data_len = input_len - padding_len;
+
+ mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
+
+ /* The number of bytes checked must be independent of padding_len,
+ * so pick input_len, which is usually 8 or 16 (one block) */
+ pad_idx = input_len - padding_len;
+ for (i = 0; i < input_len; i++) {
+ mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
+ mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+/*
+ * One and zeros padding: fill with 80 00 ... 00
+ */
+static void add_one_and_zeros_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i = 0;
+
+ output[data_len] = 0x80;
+ for (i = 1; i < padding_len; i++) {
+ output[data_len + i] = 0x00;
+ }
+}
+
+static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
+ mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
+
+ *data_len = 0;
+
+ for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
+ mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
+
+ mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
+
+ *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
+
+ bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
+
+ in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+/*
+ * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
+ */
+static void add_zeros_and_len_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i = 0;
+
+ for (i = 1; i < padding_len; i++) {
+ output[data_len + i - 1] = 0x00;
+ }
+ output[output_len - 1] = (unsigned char) padding_len;
+}
+
+static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i, pad_idx;
+ unsigned char padding_len;
+ mbedtls_ct_condition_t bad;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ padding_len = input[input_len - 1];
+ *data_len = input_len - padding_len;
+
+ /* Avoid logical || since it results in a branch */
+ bad = mbedtls_ct_uint_gt(padding_len, input_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
+
+ /* The number of bytes checked must be independent of padding_len */
+ pad_idx = input_len - padding_len;
+ for (i = 0; i < input_len - 1; i++) {
+ mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
+ mbedtls_ct_condition_t nonzero_pad_byte;
+ nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
+ bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+/*
+ * Zero padding: fill with 00 ... 00
+ */
+static void add_zeros_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ memset(output + data_len, 0, output_len - data_len);
+}
+
+static int get_zeros_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i;
+ mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *data_len = 0;
+ for (i = input_len; i > 0; i--) {
+ prev_done = done;
+ done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
+ *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+/*
+ * No padding: don't pad :)
+ *
+ * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
+ * but a trivial get_padding function
+ */
+static int get_no_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *data_len = input_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output, size_t *olen)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ *olen = 0;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ /* CBC mode requires padding so we make sure a call to
+ * mbedtls_cipher_set_padding_mode has been done successfully. */
+ if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ if (ctx->get_padding == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+#endif
+
+ if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return 0;
+ }
+
+ if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
+ (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
+ return 0;
+ }
+
+ if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ if (ctx->unprocessed_len != 0) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ return 0;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = 0;
+
+ if (MBEDTLS_ENCRYPT == ctx->operation) {
+ /* check for 'no padding' mode */
+ if (NULL == ctx->add_padding) {
+ if (0 != ctx->unprocessed_len) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ return 0;
+ }
+
+ ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
+ ctx->unprocessed_len);
+ } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
+ /*
+ * For decrypt operations, expect a full block,
+ * or an empty block if no padding
+ */
+ if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
+ return 0;
+ }
+
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ /* cipher block */
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ mbedtls_cipher_get_block_size(
+ ctx),
+ ctx->iv,
+ ctx->unprocessed_data,
+ output))) {
+ return ret;
+ }
+
+ /* Set output size for decryption */
+ if (MBEDTLS_DECRYPT == ctx->operation) {
+ return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
+ olen);
+ }
+
+ /* Set output size for encryption */
+ *olen = mbedtls_cipher_get_block_size(ctx);
+ return 0;
+ }
+#else
+ ((void) output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
+ mbedtls_cipher_padding_t mode)
+{
+ if (NULL == ctx->cipher_info ||
+ MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto knows about CBC padding
+ * schemes, we currently don't make them
+ * accessible through the cipher layer. */
+ if (mode != MBEDTLS_PADDING_NONE) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ switch (mode) {
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ case MBEDTLS_PADDING_PKCS7:
+ ctx->add_padding = add_pkcs_padding;
+ ctx->get_padding = get_pkcs_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+ case MBEDTLS_PADDING_ONE_AND_ZEROS:
+ ctx->add_padding = add_one_and_zeros_padding;
+ ctx->get_padding = get_one_and_zeros_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+ case MBEDTLS_PADDING_ZEROS_AND_LEN:
+ ctx->add_padding = add_zeros_and_len_padding;
+ ctx->get_padding = get_zeros_and_len_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+ case MBEDTLS_PADDING_ZEROS:
+ ctx->add_padding = add_zeros_padding;
+ ctx->get_padding = get_zeros_padding;
+ break;
+#endif
+ case MBEDTLS_PADDING_NONE:
+ ctx->add_padding = NULL;
+ ctx->get_padding = get_no_padding;
+ break;
+
+ default:
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
+ unsigned char *tag, size_t tag_len)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (MBEDTLS_ENCRYPT != ctx->operation) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ size_t output_length;
+ /* The code here doesn't yet support alternative implementations
+ * that can delay up to a block of output. */
+ return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
+ NULL, 0, &output_length,
+ tag, tag_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* Don't allow truncated MAC for Poly1305 */
+ if (tag_len != 16U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_chachapoly_finish(
+ (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
+ const unsigned char *tag, size_t tag_len)
+{
+ unsigned char check_tag[16];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (MBEDTLS_DECRYPT != ctx->operation) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ /* Status to return on a non-authenticated algorithm. */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ size_t output_length;
+ /* The code here doesn't yet support alternative implementations
+ * that can delay up to a block of output. */
+
+ if (tag_len > sizeof(check_tag)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != (ret = mbedtls_gcm_finish(
+ (mbedtls_gcm_context *) ctx->cipher_ctx,
+ NULL, 0, &output_length,
+ check_tag, tag_len))) {
+ return ret;
+ }
+
+ /* Check the tag in "constant-time" */
+ if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* Don't allow truncated MAC for Poly1305 */
+ if (tag_len != sizeof(check_tag)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_chachapoly_finish(
+ (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Check the tag in "constant-time" */
+ if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+exit:
+ mbedtls_platform_zeroize(check_tag, tag_len);
+ return ret;
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/*
+ * Packet-oriented wrapper for non-AEAD modes
+ */
+int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t finish_olen;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+ psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
+ size_t part_len;
+
+ if (ctx->operation == MBEDTLS_DECRYPT) {
+ status = psa_cipher_decrypt_setup(&cipher_op,
+ cipher_psa->slot,
+ cipher_psa->alg);
+ } else if (ctx->operation == MBEDTLS_ENCRYPT) {
+ status = psa_cipher_encrypt_setup(&cipher_op,
+ cipher_psa->slot,
+ cipher_psa->alg);
+ } else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* In the following, we can immediately return on an error,
+ * because the PSA Crypto API guarantees that cipher operations
+ * are terminated by unsuccessful calls to psa_cipher_update(),
+ * and by any call to psa_cipher_finish(). */
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
+ status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+ }
+
+ status = psa_cipher_update(&cipher_op,
+ input, ilen,
+ output, ilen, olen);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ status = psa_cipher_finish(&cipher_op,
+ output + *olen, ilen - *olen,
+ &part_len);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ *olen += part_len;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_update(ctx, input, ilen,
+ output, olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
+ &finish_olen)) != 0) {
+ return ret;
+ }
+
+ *olen += finish_olen;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/*
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
+ */
+static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ unsigned char *tag, size_t tag_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+
+ /* PSA Crypto API always writes the authentication tag
+ * at the end of the encrypted message. */
+ if (output == NULL || tag != output + ilen) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_aead_encrypt(cipher_psa->slot,
+ cipher_psa->alg,
+ iv, iv_len,
+ ad, ad_len,
+ input, ilen,
+ output, ilen + tag_len, olen);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ *olen -= tag_len;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ *olen = ilen;
+ return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
+ ilen, iv, iv_len, ad, ad_len,
+ input, output, tag_len, tag);
+ }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ *olen = ilen;
+ return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len, input, output,
+ tag, tag_len);
+ }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
+ (tag_len != 16U)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *olen = ilen;
+ return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
+ ilen, iv, ad, ad_len, input, output, tag);
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+/*
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
+ */
+static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ const unsigned char *tag, size_t tag_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+
+ /* PSA Crypto API always writes the authentication tag
+ * at the end of the encrypted message. */
+ if (input == NULL || tag != input + ilen) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_aead_decrypt(cipher_psa->slot,
+ cipher_psa->alg,
+ iv, iv_len,
+ ad, ad_len,
+ input, ilen + tag_len,
+ output, ilen, olen);
+ if (status == PSA_ERROR_INVALID_SIGNATURE) {
+ return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ } else if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ *olen = ilen;
+ ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len,
+ tag, tag_len, input, output);
+
+ if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ *olen = ilen;
+ ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len,
+ input, output, tag, tag_len);
+
+ if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
+ (tag_len != 16U)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *olen = ilen;
+ ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, ad, ad_len, tag, input, output);
+
+ if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/*
+ * Packet-oriented encryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len)
+{
+#if defined(MBEDTLS_NIST_KW_C)
+ if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ ctx->psa_enabled == 0 &&
+#endif
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
+ mbedtls_nist_kw_mode_t mode =
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
+ MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
+ if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ (void) iv;
+ (void) ad;
+
+ return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len);
+ }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if (output_len < ilen + tag_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
+ input, ilen, output, olen,
+ output + ilen, tag_len);
+ *olen += tag_len;
+ return ret;
+#else
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+
+/*
+ * Packet-oriented decryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len)
+{
+#if defined(MBEDTLS_NIST_KW_C)
+ if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ ctx->psa_enabled == 0 &&
+#endif
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
+ mbedtls_nist_kw_mode_t mode =
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
+ MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
+ if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ (void) iv;
+ (void) ad;
+
+ return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len);
+ }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if (ilen < tag_len || output_len < ilen - tag_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
+ input, ilen - tag_len, output, olen,
+ input + ilen - tag_len, tag_len);
+#else
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c
new file mode 100644
index 0000000..d2fee22
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c
@@ -0,0 +1,2482 @@
+/**
+ * \file cipher_wrap.c
+ *
+ * \brief Generic cipher wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "cipher_wrap.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#include <string.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+enum mbedtls_cipher_base_index {
+#if defined(MBEDTLS_AES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_AES,
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA,
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA,
+#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE,
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA,
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES,
+#endif
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES,
+#endif
+ /* Prevent compile failure due to empty enum */
+ MBEDTLS_CIPHER_BASE_PREVENT_EMPTY_ENUM
+};
+
+#if defined(MBEDTLS_GCM_C) && \
+ (defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C))
+/* shared by all GCM ciphers */
+static void *gcm_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_gcm_context));
+
+ if (ctx != NULL) {
+ mbedtls_gcm_init((mbedtls_gcm_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void gcm_ctx_free(void *ctx)
+{
+ mbedtls_gcm_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C) && \
+ (defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C))
+/* shared by all CCM ciphers */
+static void *ccm_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ccm_context));
+
+ if (ctx != NULL) {
+ mbedtls_ccm_init((mbedtls_ccm_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void ccm_ctx_free(void *ctx)
+{
+ mbedtls_ccm_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_AES_C)
+
+static int aes_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ecb((mbedtls_aes_context *) ctx, operation, input, output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aes_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_cbc((mbedtls_aes_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aes_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_cfb128((mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap(void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ofb((mbedtls_aes_context *) ctx, length, iv_off,
+ iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aes_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ctr((mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
+ stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ int mode;
+
+ switch (operation) {
+ case MBEDTLS_ENCRYPT:
+ mode = MBEDTLS_AES_ENCRYPT;
+ break;
+ case MBEDTLS_DECRYPT:
+ mode = MBEDTLS_AES_DECRYPT;
+ break;
+ default:
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_aes_crypt_xts(xts_ctx, mode, length,
+ data_unit, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_setkey_dec((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_setkey_enc((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static void *aes_ctx_alloc(void)
+{
+ mbedtls_aes_context *aes = mbedtls_calloc(1, sizeof(mbedtls_aes_context));
+
+ if (aes == NULL) {
+ return NULL;
+ }
+
+ mbedtls_aes_init(aes);
+
+ return aes;
+}
+
+static void aes_ctx_free(void *ctx)
+{
+ mbedtls_aes_free((mbedtls_aes_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aes_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ aes_setkey_dec_wrap,
+#endif
+ aes_ctx_alloc,
+ aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_ecb_info = {
+ "AES-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ecb_info = {
+ "AES-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_info = {
+ "AES-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aes_128_cbc_info = {
+ "AES-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_cbc_info = {
+ "AES-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_info = {
+ "AES-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aes_128_cfb128_info = {
+ "AES-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_cfb128_info = {
+ "AES-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_cfb128_info = {
+ "AES-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+ "AES-128-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_128_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+ "AES-192-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_192_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+ "AES-256-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_256_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aes_128_ctr_info = {
+ "AES-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ctr_info = {
+ "AES-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ctr_info = {
+ "AES-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return mbedtls_aes_xts_setkey_enc(xts_ctx, key, key_bitlen);
+}
+
+static int xts_aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return mbedtls_aes_xts_setkey_dec(xts_ctx, key, key_bitlen);
+}
+
+static void *xts_aes_ctx_alloc(void)
+{
+ mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc(1, sizeof(*xts_ctx));
+
+ if (xts_ctx != NULL) {
+ mbedtls_aes_xts_init(xts_ctx);
+ }
+
+ return xts_ctx;
+}
+
+static void xts_aes_ctx_free(void *ctx)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+
+ if (xts_ctx == NULL) {
+ return;
+ }
+
+ mbedtls_aes_xts_free(xts_ctx);
+ mbedtls_free(xts_ctx);
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ xts_aes_setkey_enc_wrap,
+ xts_aes_setkey_dec_wrap,
+ xts_aes_ctx_alloc,
+ xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+ "AES-128-XTS",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_XTS,
+ MBEDTLS_CIPHER_AES_128_XTS,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+ "AES-256-XTS",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 512 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_XTS,
+ MBEDTLS_CIPHER_AES_256_XTS,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+static int gcm_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+ key, key_bitlen);
+}
+#endif /* MBEDTLS_GCM_C && MBEDTLS_CCM_GCM_CAN_AES */
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_base_t gcm_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+#if defined(MBEDTLS_GCM_C)
+ gcm_aes_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_aes_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+#else
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+#endif /* MBEDTLS_GCM_C */
+};
+#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_gcm_info = {
+ "AES-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_gcm_info = {
+ "AES-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_gcm_info = {
+ "AES-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+static int ccm_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+ key, key_bitlen);
+}
+#endif /* MBEDTLS_CCM_C && MBEDTLS_CCM_GCM_CAN_AES */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_base_t ccm_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+#if defined(MBEDTLS_CCM_C)
+ ccm_aes_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_aes_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+#else
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+#endif
+};
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_ccm_info = {
+ "AES-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ccm_info = {
+ "AES-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_info = {
+ "AES-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_ccm_star_no_tag_info = {
+ "AES-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ccm_star_no_tag_info = {
+ "AES-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_star_no_tag_info = {
+ "AES-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA */
+
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+static int camellia_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_ecb((mbedtls_camellia_context *) ctx, operation, input,
+ output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int camellia_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_cbc((mbedtls_camellia_context *) ctx, operation, length, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int camellia_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_cfb128((mbedtls_camellia_context *) ctx, operation, length,
+ iv_off, iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int camellia_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_ctr((mbedtls_camellia_context *) ctx, length, nc_off,
+ nonce_counter, stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int camellia_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_camellia_setkey_dec((mbedtls_camellia_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int camellia_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_camellia_setkey_enc((mbedtls_camellia_context *) ctx, key, key_bitlen);
+}
+
+static void *camellia_ctx_alloc(void)
+{
+ mbedtls_camellia_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_camellia_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_camellia_init(ctx);
+
+ return ctx;
+}
+
+static void camellia_ctx_free(void *ctx)
+{
+ mbedtls_camellia_free((mbedtls_camellia_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ camellia_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ camellia_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ camellia_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ camellia_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ camellia_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ camellia_setkey_dec_wrap,
+#endif
+ camellia_ctx_alloc,
+ camellia_ctx_free
+};
+
+static const mbedtls_cipher_info_t camellia_128_ecb_info = {
+ "CAMELLIA-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ecb_info = {
+ "CAMELLIA-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ecb_info = {
+ "CAMELLIA-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t camellia_128_cbc_info = {
+ "CAMELLIA-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_cbc_info = {
+ "CAMELLIA-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_cbc_info = {
+ "CAMELLIA-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
+ "CAMELLIA-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
+ "CAMELLIA-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
+ "CAMELLIA-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t camellia_128_ctr_info = {
+ "CAMELLIA-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ctr_info = {
+ "CAMELLIA-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ctr_info = {
+ "CAMELLIA-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t gcm_camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ gcm_camellia_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_camellia_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_gcm_info = {
+ "CAMELLIA-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_gcm_info = {
+ "CAMELLIA-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_gcm_info = {
+ "CAMELLIA-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t ccm_camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ ccm_camellia_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_camellia_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_info = {
+ "CAMELLIA-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_info = {
+ "CAMELLIA-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_info = {
+ "CAMELLIA-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_star_no_tag_info = {
+ "CAMELLIA-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_star_no_tag_info = {
+ "CAMELLIA-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_star_no_tag_info = {
+ "CAMELLIA-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ (void) operation;
+ return mbedtls_aria_crypt_ecb((mbedtls_aria_context *) ctx, input,
+ output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_cbc((mbedtls_aria_context *) ctx, operation, length, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_cfb128((mbedtls_aria_context *) ctx, operation, length,
+ iv_off, iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_ctr((mbedtls_aria_context *) ctx, length, nc_off,
+ nonce_counter, stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int aria_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aria_setkey_dec((mbedtls_aria_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int aria_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aria_setkey_enc((mbedtls_aria_context *) ctx, key, key_bitlen);
+}
+
+static void *aria_ctx_alloc(void)
+{
+ mbedtls_aria_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_aria_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_aria_init(ctx);
+
+ return ctx;
+}
+
+static void aria_ctx_free(void *ctx)
+{
+ mbedtls_aria_free((mbedtls_aria_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aria_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ aria_setkey_dec_wrap,
+#endif
+ aria_ctx_alloc,
+ aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+ "ARIA-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+ "ARIA-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+ "ARIA-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+ "ARIA-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+ "ARIA-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+ "ARIA-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+ "ARIA-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+ "ARIA-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+ "ARIA-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+ "ARIA-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+ "ARIA-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+ "ARIA-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ gcm_aria_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_aria_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+ "ARIA-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+ "ARIA-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+ "ARIA-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ ccm_aria_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_aria_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+ "ARIA-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+ "ARIA-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+ "ARIA-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_star_no_tag_info = {
+ "ARIA-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_star_no_tag_info = {
+ "ARIA-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_star_no_tag_info = {
+ "ARIA-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+
+static int des_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ ((void) operation);
+ return mbedtls_des_crypt_ecb((mbedtls_des_context *) ctx, input, output);
+}
+
+static int des3_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ ((void) operation);
+ return mbedtls_des3_crypt_ecb((mbedtls_des3_context *) ctx, input, output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_des_crypt_cbc((mbedtls_des_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des3_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_des3_crypt_cbc((mbedtls_des3_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static int des_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des_setkey_dec((mbedtls_des_context *) ctx, key);
+}
+
+static int des_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des_setkey_enc((mbedtls_des_context *) ctx, key);
+}
+
+static int des3_set2key_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set2key_dec((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set2key_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set2key_enc((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set3key_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set3key_dec((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set3key_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set3key_enc((mbedtls_des3_context *) ctx, key);
+}
+
+static void *des_ctx_alloc(void)
+{
+ mbedtls_des_context *des = mbedtls_calloc(1, sizeof(mbedtls_des_context));
+
+ if (des == NULL) {
+ return NULL;
+ }
+
+ mbedtls_des_init(des);
+
+ return des;
+}
+
+static void des_ctx_free(void *ctx)
+{
+ mbedtls_des_free((mbedtls_des_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static void *des3_ctx_alloc(void)
+{
+ mbedtls_des3_context *des3;
+ des3 = mbedtls_calloc(1, sizeof(mbedtls_des3_context));
+
+ if (des3 == NULL) {
+ return NULL;
+ }
+
+ mbedtls_des3_init(des3);
+
+ return des3;
+}
+
+static void des3_ctx_free(void *ctx)
+{
+ mbedtls_des3_free((mbedtls_des3_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t des_info = {
+ MBEDTLS_CIPHER_ID_DES,
+ des_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des_setkey_enc_wrap,
+ des_setkey_dec_wrap,
+ des_ctx_alloc,
+ des_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ecb_info = {
+ "DES-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_cbc_info = {
+ "DES-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede_info = {
+ MBEDTLS_CIPHER_ID_DES,
+ des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des3_set2key_enc_wrap,
+ des3_set2key_dec_wrap,
+ des3_ctx_alloc,
+ des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede_ecb_info = {
+ "DES-EDE-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_EDE_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede_cbc_info = {
+ "DES-EDE-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_EDE_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede3_info = {
+ MBEDTLS_CIPHER_ID_3DES,
+ des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des3_set3key_enc_wrap,
+ des3_set3key_dec_wrap,
+ des3_ctx_alloc,
+ des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede3_ecb_info = {
+ "DES-EDE3-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
+};
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede3_cbc_info = {
+ "DES-EDE3-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_EDE3_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ if (key_bitlen != 256U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chacha20_setkey((mbedtls_chacha20_context *) ctx, key)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+static int chacha20_stream_wrap(void *ctx, size_t length,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chacha20_update(ctx, length, input, output);
+ if (ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return ret;
+}
+
+static void *chacha20_ctx_alloc(void)
+{
+ mbedtls_chacha20_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_chacha20_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_chacha20_init(ctx);
+
+ return ctx;
+}
+
+static void chacha20_ctx_free(void *ctx)
+{
+ mbedtls_chacha20_free((mbedtls_chacha20_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ chacha20_stream_wrap,
+#endif
+ chacha20_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ chacha20_setkey_wrap,
+#endif
+ chacha20_ctx_alloc,
+ chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+ "CHACHA20",
+ 1,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_STREAM,
+ MBEDTLS_CIPHER_CHACHA20,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap(void *ctx,
+ const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ if (key_bitlen != 256U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chachapoly_setkey((mbedtls_chachapoly_context *) ctx, key)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+static void *chachapoly_ctx_alloc(void)
+{
+ mbedtls_chachapoly_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_chachapoly_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_chachapoly_init(ctx);
+
+ return ctx;
+}
+
+static void chachapoly_ctx_free(void *ctx)
+{
+ mbedtls_chachapoly_free((mbedtls_chachapoly_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ chachapoly_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ chachapoly_setkey_wrap,
+#endif
+ chachapoly_ctx_alloc,
+ chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+ "CHACHA20-POLY1305",
+ 1,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CHACHAPOLY,
+ MBEDTLS_CIPHER_CHACHA20_POLY1305,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+static int null_crypt_stream(void *ctx, size_t length,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ ((void) ctx);
+ memmove(output, input, length);
+ return 0;
+}
+
+static int null_setkey(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) ctx);
+ ((void) key);
+ ((void) key_bitlen);
+
+ return 0;
+}
+
+static void *null_ctx_alloc(void)
+{
+ return (void *) 1;
+}
+
+static void null_ctx_free(void *ctx)
+{
+ ((void) ctx);
+}
+
+static const mbedtls_cipher_base_t null_base_info = {
+ MBEDTLS_CIPHER_ID_NULL,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ null_crypt_stream,
+#endif
+ null_setkey,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ null_setkey,
+#endif
+ null_ctx_alloc,
+ null_ctx_free
+};
+
+static const mbedtls_cipher_info_t null_cipher_info = {
+ "NULL",
+ 1,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 0 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_STREAM,
+ MBEDTLS_CIPHER_NULL,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE
+};
+#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
+
+#if defined(MBEDTLS_NIST_KW_C)
+static void *kw_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_nist_kw_context));
+
+ if (ctx != NULL) {
+ mbedtls_nist_kw_init((mbedtls_nist_kw_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void kw_ctx_free(void *ctx)
+{
+ mbedtls_nist_kw_free(ctx);
+ mbedtls_free(ctx);
+}
+
+static int kw_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+ MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 1);
+}
+
+static int kw_aes_setkey_unwrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+ MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 0);
+}
+
+static const mbedtls_cipher_base_t kw_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ kw_aes_setkey_wrap,
+ kw_aes_setkey_unwrap,
+ kw_ctx_alloc,
+ kw_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_nist_kw_info = {
+ "AES-128-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_128_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_nist_kw_info = {
+ "AES-192-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_192_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kw_info = {
+ "AES-256-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_256_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+#endif
+
+static const mbedtls_cipher_info_t aes_128_nist_kwp_info = {
+ "AES-128-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_128_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_nist_kwp_info = {
+ "AES-192-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_192_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kwp_info = {
+ "AES-256-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_256_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+#endif
+#endif /* MBEDTLS_NIST_KW_C */
+
+const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
+{
+#if defined(MBEDTLS_AES_C)
+ { MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info },
+ { MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info },
+ { MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CFB128, &aes_192_cfb128_info },
+ { MBEDTLS_CIPHER_AES_256_CFB128, &aes_256_cfb128_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ { MBEDTLS_CIPHER_AES_128_OFB, &aes_128_ofb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_OFB, &aes_192_ofb_info },
+ { MBEDTLS_CIPHER_AES_256_OFB, &aes_256_ofb_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_AES_128_CTR, &aes_128_ctr_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CTR, &aes_192_ctr_info },
+ { MBEDTLS_CIPHER_AES_256_CTR, &aes_256_ctr_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ { MBEDTLS_CIPHER_AES_128_XTS, &aes_128_xts_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info },
+#endif
+#endif
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info },
+ { MBEDTLS_CIPHER_AES_256_GCM, &aes_256_gcm_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info },
+ { MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, &aes_128_ccm_star_no_tag_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, &aes_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, &aes_256_ccm_star_no_tag_info },
+#endif
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_ECB, &camellia_128_ecb_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_ECB, &camellia_192_ecb_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_ECB, &camellia_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CBC, &camellia_128_cbc_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CBC, &camellia_192_cbc_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CBC, &camellia_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CFB128, &camellia_128_cfb128_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CFB128, &camellia_192_cfb128_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CFB128, &camellia_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CTR, &camellia_128_ctr_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CTR, &camellia_192_ctr_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CTR, &camellia_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_GCM, &camellia_128_gcm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_GCM, &camellia_192_gcm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_GCM, &camellia_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CCM, &camellia_128_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CCM, &camellia_192_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CCM, &camellia_256_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, &camellia_128_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, &camellia_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, &camellia_256_ccm_star_no_tag_info },
+#endif
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+ { MBEDTLS_CIPHER_ARIA_128_ECB, &aria_128_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_192_ECB, &aria_192_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_256_ECB, &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_ARIA_128_CBC, &aria_128_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_192_CBC, &aria_192_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_256_CBC, &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_ARIA_128_CFB128, &aria_128_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_192_CFB128, &aria_192_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_256_CFB128, &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_ARIA_128_CTR, &aria_128_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_192_CTR, &aria_192_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_256_CTR, &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_GCM, &aria_128_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_192_GCM, &aria_192_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_256_GCM, &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, &aria_128_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, &aria_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, &aria_256_ccm_star_no_tag_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+ { MBEDTLS_CIPHER_DES_ECB, &des_ecb_info },
+ { MBEDTLS_CIPHER_DES_EDE_ECB, &des_ede_ecb_info },
+ { MBEDTLS_CIPHER_DES_EDE3_ECB, &des_ede3_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_DES_CBC, &des_cbc_info },
+ { MBEDTLS_CIPHER_DES_EDE_CBC, &des_ede_cbc_info },
+ { MBEDTLS_CIPHER_DES_EDE3_CBC, &des_ede3_cbc_info },
+#endif
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+ { MBEDTLS_CIPHER_CHACHA20, &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ { MBEDTLS_CIPHER_CHACHA20_POLY1305, &chachapoly_info },
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+ { MBEDTLS_CIPHER_AES_128_KW, &aes_128_nist_kw_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_KW, &aes_192_nist_kw_info },
+ { MBEDTLS_CIPHER_AES_256_KW, &aes_256_nist_kw_info },
+#endif
+ { MBEDTLS_CIPHER_AES_128_KWP, &aes_128_nist_kwp_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_KWP, &aes_192_nist_kwp_info },
+ { MBEDTLS_CIPHER_AES_256_KWP, &aes_256_nist_kwp_info },
+#endif
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ { MBEDTLS_CIPHER_NULL, &null_cipher_info },
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+ { MBEDTLS_CIPHER_NONE, NULL }
+};
+
+#define NUM_CIPHERS (sizeof(mbedtls_cipher_definitions) / \
+ sizeof(mbedtls_cipher_definitions[0]))
+int mbedtls_cipher_supported[NUM_CIPHERS];
+
+const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[] = {
+#if defined(MBEDTLS_AES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_AES] = &aes_info,
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_ARIA] = &aria_info,
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA] = &camellia_info,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_AES] = &ccm_aes_info,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA] = &ccm_aria_info,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA] = &ccm_camellia_info,
+#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE] = &chacha20_base_info,
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE] = &chachapoly_base_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3] = &des_ede3_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE] = &des_ede_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES] = &des_info,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_AES] = &gcm_aes_info,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA] = &gcm_aria_info,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA] = &gcm_camellia_info,
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_KW_AES] = &kw_aes_info,
+#endif
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ [MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE] = &null_base_info,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_XTS_AES] = &xts_aes_info
+#endif
+};
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/cipher_wrap.h b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.h
new file mode 100644
index 0000000..f229151
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.h
@@ -0,0 +1,178 @@
+/**
+ * \file cipher_wrap.h
+ *
+ * \brief Cipher wrappers.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_CIPHER_WRAP_H
+#define MBEDTLS_CIPHER_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Support for GCM either through Mbed TLS SW implementation or PSA */
+#if defined(MBEDTLS_GCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
+#define MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
+#define MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG))
+#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && \
+ defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
+#define MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA)
+#define MBEDTLS_CIPHER_HAVE_SOME_AEAD_VIA_LEGACY_OR_USE_PSA
+#endif
+
+/**
+ * Base cipher information. The non-mode specific functions and values.
+ */
+struct mbedtls_cipher_base_t {
+ /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
+ mbedtls_cipher_id_t cipher;
+
+ /** Encrypt using ECB */
+ int (*ecb_func)(void *ctx, mbedtls_operation_t mode,
+ const unsigned char *input, unsigned char *output);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /** Encrypt using CBC */
+ int (*cbc_func)(void *ctx, mbedtls_operation_t mode, size_t length,
+ unsigned char *iv, const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ /** Encrypt using CFB (Full length) */
+ int (*cfb_func)(void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
+ unsigned char *iv, const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /** Encrypt using OFB (Full length) */
+ int (*ofb_func)(void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv,
+ const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /** Encrypt using CTR */
+ int (*ctr_func)(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ /** Encrypt or decrypt using XTS. */
+ int (*xts_func)(void *ctx, mbedtls_operation_t mode, size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input, unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ /** Encrypt using STREAM */
+ int (*stream_func)(void *ctx, size_t length,
+ const unsigned char *input, unsigned char *output);
+#endif
+
+ /** Set key for encryption purposes */
+ int (*setkey_enc_func)(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ /** Set key for decryption purposes */
+ int (*setkey_dec_func)(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen);
+#endif
+
+ /** Allocate a new context */
+ void * (*ctx_alloc_func)(void);
+
+ /** Free the given context */
+ void (*ctx_free_func)(void *ctx);
+
+};
+
+typedef struct {
+ mbedtls_cipher_type_t type;
+ const mbedtls_cipher_info_t *info;
+} mbedtls_cipher_definition_t;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+typedef enum {
+ MBEDTLS_CIPHER_PSA_KEY_UNSET = 0,
+ MBEDTLS_CIPHER_PSA_KEY_OWNED, /* Used for PSA-based cipher contexts which */
+ /* use raw key material internally imported */
+ /* as a volatile key, and which hence need */
+ /* to destroy that key when the context is */
+ /* freed. */
+ MBEDTLS_CIPHER_PSA_KEY_NOT_OWNED, /* Used for PSA-based cipher contexts */
+ /* which use a key provided by the */
+ /* user, and which hence will not be */
+ /* destroyed when the context is freed. */
+} mbedtls_cipher_psa_key_ownership;
+
+typedef struct {
+ psa_algorithm_t alg;
+ mbedtls_svc_key_id_t slot;
+ mbedtls_cipher_psa_key_ownership slot_state;
+} mbedtls_cipher_context_psa;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
+
+extern int mbedtls_cipher_supported[];
+
+extern const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_WRAP_H */
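Review bot: The three `extern` tables declared at the end of cipher_wrap.h have incomplete array types and no comment, so nothing in the header tells a caller how `mbedtls_cipher_base_lookup_table[]` may be indexed or whether a slot or callback can be NULL. In cipher_wrap.c the table is filled with designated initializers under `#if defined(...)`, so a slot may be left NULL when a cipher is compiled out (the index enum is not visible here, so this is inferred). The `mbedtls_cipher_base_t` initializers there also set unused members such as `ecb_func` and `stream_func` to NULL. I would add above the declaration `/* Indexed by MBEDTLS_CIPHER_BASE_INDEX_xxx; an entry, or any mode callback inside it, may be NULL - check before dereferencing or calling. */`. A one-line comment on `mbedtls_cipher_definitions[]` stating that it ends with the `{ MBEDTLS_CIPHER_NONE, NULL }` sentinel would document the only way its length can be found from outside cipher_wrap.c.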
diff --git a/tf-psa-crypto/drivers/builtin/src/cmac.c b/tf-psa-crypto/drivers/builtin/src/cmac.c
new file mode 100644
index 0000000..eda10d0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/cmac.c
@@ -0,0 +1,1067 @@
+/**
+ * \file cmac.c
+ *
+ * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
+ * CMAC Mode for Authentication
+ * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
+ *
+ * - RFC 4493 - The AES-CMAC Algorithm
+ * https://tools.ietf.org/html/rfc4493
+ *
+ * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
+ * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
+ * Algorithm for the Internet Key Exchange Protocol (IKE)
+ * https://tools.ietf.org/html/rfc4615
+ *
+ * Additional test vectors: ISO/IEC 9797-1
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CMAC_C)
+
+#include "mbedtls/cmac.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+#include "constant_time_internal.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Multiplication by u in the Galois field of GF(2^n)
+ *
+ * As explained in NIST SP 800-38B, this can be computed:
+ *
+ * If MSB(p) = 0, then p = (p << 1)
+ * If MSB(p) = 1, then p = (p << 1) ^ R_n
+ * with R_64 = 0x1B and R_128 = 0x87
+ *
+ * Input and output MUST NOT point to the same buffer
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
+ */
+static int cmac_multiply_by_u(unsigned char *output,
+ const unsigned char *input,
+ size_t blocksize)
+{
+ const unsigned char R_128 = 0x87;
+ unsigned char R_n;
+ uint32_t overflow = 0x00;
+ int i;
+
+ if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
+ R_n = R_128;
+ }
+#if defined(MBEDTLS_DES_C)
+ else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
+ const unsigned char R_64 = 0x1B;
+ R_n = R_64;
+ }
+#endif
+ else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ for (i = (int) blocksize - 4; i >= 0; i -= 4) {
+ uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0);
+ uint32_t new_overflow = i32 >> 31;
+ i32 = (i32 << 1) | overflow;
+ MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0);
+ overflow = new_overflow;
+ }
+
+ R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n);
+ output[blocksize - 1] ^= R_n;
+
+ return 0;
+}
+
+/*
+ * Generate subkeys
+ *
+ * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
+ */
+static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
+ unsigned char *K1, unsigned char *K2)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ size_t olen, block_size;
+
+ mbedtls_platform_zeroize(L, sizeof(L));
+
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+
+ /* Calculate Ek(0) */
+ if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Generate K1 and K2
+ */
+ if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(L, sizeof(L));
+
+ return ret;
+}
+#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/*
+ * Create padded last block from (partial) last block.
+ *
+ * We can't use the padding option from the cipher layer, as it only works for
+ * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
+ */
+static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
+ size_t padded_block_len,
+ const unsigned char *last_block,
+ size_t last_block_len)
+{
+ size_t j;
+
+ for (j = 0; j < padded_block_len; j++) {
+ if (j < last_block_len) {
+ padded_block[j] = last_block[j];
+ } else if (j == last_block_len) {
+ padded_block[j] = 0x80;
+ } else {
+ padded_block[j] = 0x00;
+ }
+ }
+}
+
+int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key, size_t keybits)
+{
+ mbedtls_cipher_type_t type;
+ mbedtls_cmac_context_t *cmac_ctx;
+ int retval;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return retval;
+ }
+
+ type = mbedtls_cipher_info_get_type(ctx->cipher_info);
+
+ switch (type) {
+ case MBEDTLS_CIPHER_AES_128_ECB:
+ case MBEDTLS_CIPHER_AES_192_ECB:
+ case MBEDTLS_CIPHER_AES_256_ECB:
+ case MBEDTLS_CIPHER_DES_EDE3_ECB:
+ break;
+ default:
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Allocated and initialise in the cipher context memory for the CMAC
+ * context */
+ cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
+ if (cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+
+ ctx->cmac_ctx = cmac_ctx;
+
+ mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
+
+ return 0;
+}
+
+int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
+ const unsigned char *input, size_t ilen)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+ unsigned char *state;
+ int ret = 0;
+ size_t n, j, olen, block_size;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
+ ctx->cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ state = ctx->cmac_ctx->state;
+
+ /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form
+ * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */
+ MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE);
+
+ /* Is there data still to process from the last call, that's greater in
+ * size than a block? */
+ if (cmac_ctx->unprocessed_len > 0 &&
+ ilen > block_size - cmac_ctx->unprocessed_len) {
+ memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+ input,
+ block_size - cmac_ctx->unprocessed_len);
+
+ mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
+
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ input += block_size - cmac_ctx->unprocessed_len;
+ ilen -= block_size - cmac_ctx->unprocessed_len;
+ cmac_ctx->unprocessed_len = 0;
+ }
+
+ /* n is the number of blocks including any final partial block */
+ n = (ilen + block_size - 1) / block_size;
+
+ /* Iterate across the input data in block sized chunks, excluding any
+ * final partial or complete block */
+ for (j = 1; j < n; j++) {
+ mbedtls_xor_no_simd(state, input, state, block_size);
+
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ ilen -= block_size;
+ input += block_size;
+ }
+
+ /* If there is data left over that wasn't aligned to a block */
+ if (ilen > 0) {
+ memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+ input,
+ ilen);
+ cmac_ctx->unprocessed_len += ilen;
+ }
+
+exit:
+ return ret;
+}
+
+int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+ unsigned char *state, *last_block;
+ unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen, block_size;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
+ output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning
+ state = cmac_ctx->state;
+
+ mbedtls_platform_zeroize(K1, sizeof(K1));
+ mbedtls_platform_zeroize(K2, sizeof(K2));
+ cmac_generate_subkeys(ctx, K1, K2);
+
+ last_block = cmac_ctx->unprocessed_block;
+
+ /* Calculate last block */
+ if (cmac_ctx->unprocessed_len < block_size) {
+ cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
+ mbedtls_xor(M_last, M_last, K2, block_size);
+ } else {
+ /* Last block is complete block */
+ mbedtls_xor(M_last, last_block, K1, block_size);
+ }
+
+
+ mbedtls_xor(state, M_last, state, block_size);
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ memcpy(output, state, block_size);
+
+exit:
+ /* Wipe the generated keys on the stack, and any other transients to avoid
+ * side channel leakage */
+ mbedtls_platform_zeroize(K1, sizeof(K1));
+ mbedtls_platform_zeroize(K2, sizeof(K2));
+
+ cmac_ctx->unprocessed_len = 0;
+ mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
+ sizeof(cmac_ctx->unprocessed_block));
+
+ mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
+ return ret;
+}
+
+int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+
+ /* Reset the internal state */
+ cmac_ctx->unprocessed_len = 0;
+ mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
+ sizeof(cmac_ctx->unprocessed_block));
+ mbedtls_platform_zeroize(cmac_ctx->state,
+ sizeof(cmac_ctx->state));
+
+ return 0;
+}
+
+int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ mbedtls_cipher_context_t ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ mbedtls_cipher_init(&ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_finish(&ctx, output);
+
+exit:
+ mbedtls_cipher_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
+ */
+int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
+ const unsigned char *input, size_t in_len,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_cipher_info_t *cipher_info;
+ unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
+ unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
+
+ if (key == NULL || input == NULL || output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto exit;
+ }
+
+ if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
+ /* Use key as is */
+ memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
+ } else {
+ memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
+
+ ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
+ key_length, int_key);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
+ output);
+
+exit:
+ mbedtls_platform_zeroize(int_key, sizeof(int_key));
+
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
+ *
+ * AES-CMAC-PRF-128 test data from RFC 4615
+ * https://tools.ietf.org/html/rfc4615#page-4
+ */
+
+#define NB_CMAC_TESTS_PER_KEY 4
+#define NB_PRF_TESTS 3
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
+/* All CMAC test inputs are truncated from the same 64 byte buffer. */
+static const unsigned char test_message[] = {
+ /* PT */
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+ 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+ 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+ 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+ 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+ 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
+};
+#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* Truncation point of message for AES CMAC tests */
+static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+ /* Mlen */
+ 0,
+ 16,
+ 20,
+ 64
+};
+
+/* CMAC-AES128 Test Data */
+static const unsigned char aes_128_key[16] = {
+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+};
+static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
+ 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
+ },
+ {
+ /* K2 */
+ 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
+ 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
+ }
+};
+static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+ 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
+ },
+ {
+ /* Example #2 */
+ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+ 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
+ },
+ {
+ /* Example #3 */
+ 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
+ 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
+ },
+ {
+ /* Example #4 */
+ 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+ 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
+ }
+};
+
+/* CMAC-AES192 Test Data */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const unsigned char aes_192_key[24] = {
+ 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
+ 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
+ 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
+};
+static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
+ 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
+ },
+ {
+ /* K2 */
+ 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
+ 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
+ }
+};
+static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
+ 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
+ },
+ {
+ /* Example #2 */
+ 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
+ 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
+ },
+ {
+ /* Example #3 */
+ 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
+ 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
+ },
+ {
+ /* Example #4 */
+ 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
+ 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
+ }
+};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/* CMAC-AES256 Test Data */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const unsigned char aes_256_key[32] = {
+ 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
+ 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
+ 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
+ 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
+};
+static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
+ 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
+ },
+ {
+ /* K2 */
+ 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
+ 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
+ }
+};
+static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
+ 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
+ },
+ {
+ /* Example #2 */
+ 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
+ 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
+ },
+ {
+ /* Example #3 */
+ 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
+ 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
+ },
+ {
+ /* Example #4 */
+ 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
+ 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
+ }
+};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+/* Truncation point of message for 3DES CMAC tests */
+static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+ 0,
+ 16,
+ 20,
+ 32
+};
+
+/* CMAC-TDES (Generation) - 2 Key Test Data */
+static const unsigned char des3_2key_key[24] = {
+ /* Key1 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ /* Key2 */
+ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
+ /* Key3 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
+};
+static const unsigned char des3_2key_subkeys[2][8] = {
+ {
+ /* K1 */
+ 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
+ },
+ {
+ /* K2 */
+ 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
+ }
+};
+static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
+ = {
+ {
+ /* Sample #1 */
+ 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
+ },
+ {
+ /* Sample #2 */
+ 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
+ },
+ {
+ /* Sample #3 */
+ 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
+ },
+ {
+ /* Sample #4 */
+ 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
+ }
+ };
+
+/* CMAC-TDES (Generation) - 3 Key Test Data */
+static const unsigned char des3_3key_key[24] = {
+ /* Key1 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
+ /* Key2 */
+ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
+ /* Key3 */
+ 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
+};
+static const unsigned char des3_3key_subkeys[2][8] = {
+ {
+ /* K1 */
+ 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
+ },
+ {
+ /* K2 */
+ 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
+ }
+};
+static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
+ = {
+ {
+ /* Sample #1 */
+ 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
+ },
+ {
+ /* Sample #2 */
+ 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
+ },
+ {
+ /* Sample #3 */
+ 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
+ },
+ {
+ /* Sample #4 */
+ 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
+ }
+ };
+
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* AES AES-CMAC-PRF-128 Test Data */
+static const unsigned char PRFK[] = {
+ /* Key */
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0xed, 0xcb
+};
+
+/* Sizes in bytes */
+static const size_t PRFKlen[NB_PRF_TESTS] = {
+ 18,
+ 16,
+ 10
+};
+
+/* Message */
+static const unsigned char PRFM[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char PRFT[NB_PRF_TESTS][16] = {
+ {
+ 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
+ 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
+ },
+ {
+ 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
+ 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
+ },
+ {
+ 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
+ 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
+ }
+};
+#endif /* MBEDTLS_AES_C */
+
+static int cmac_test_subkeys(int verbose,
+ const char *testname,
+ const unsigned char *key,
+ int keybits,
+ const unsigned char *subkeys,
+ mbedtls_cipher_type_t cipher_type,
+ int block_size,
+ int num_tests)
+{
+ int i, ret = 0;
+ mbedtls_cipher_context_t ctx;
+ const mbedtls_cipher_info_t *cipher_info;
+ unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
+ }
+
+ mbedtls_cipher_init(&ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("test execution failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 may be unavailable. This should not cause the selftest
+ * function to fail. */
+ if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+ cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ goto next_test;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("test execution failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ ret = cmac_generate_subkeys(&ctx, K1, K2);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
+ (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+next_test:
+ mbedtls_cipher_free(&ctx);
+ }
+
+ ret = 0;
+ goto exit;
+
+cleanup:
+ mbedtls_cipher_free(&ctx);
+
+exit:
+ return ret;
+}
+
+static int cmac_test_wth_cipher(int verbose,
+ const char *testname,
+ const unsigned char *key,
+ int keybits,
+ const unsigned char *messages,
+ const unsigned int message_lengths[4],
+ const unsigned char *expected_result,
+ mbedtls_cipher_type_t cipher_type,
+ int block_size,
+ int num_tests)
+{
+ const mbedtls_cipher_info_t *cipher_info;
+ int i, ret = 0;
+ unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto exit;
+ }
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
+ }
+
+ if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
+ message_lengths[i], output)) != 0) {
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 and/or 3DES may be unavailable. This should not cause
+ * the selftest function to fail. */
+ if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+ (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
+ cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+
+ if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+
+#if defined(MBEDTLS_AES_C)
+static int test_aes128_cmac_prf(int verbose)
+{
+ int i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
+
+ for (i = 0; i < NB_PRF_TESTS; i++) {
+ mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
+ ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
+ if (ret != 0 ||
+ memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
+
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+ } else if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+int mbedtls_cmac_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_AES_C)
+ /* AES-128 */
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 128",
+ aes_128_key,
+ 128,
+ (const unsigned char *) aes_128_subkeys,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 128",
+ aes_128_key,
+ 128,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_128_expected_result,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ /* AES-192 */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 192",
+ aes_192_key,
+ 192,
+ (const unsigned char *) aes_192_subkeys,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 192",
+ aes_192_key,
+ 192,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_192_expected_result,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+ /* AES-256 */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 256",
+ aes_256_key,
+ 256,
+ (const unsigned char *) aes_256_subkeys,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 256",
+ aes_256_key,
+ 256,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_256_expected_result,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+ /* 3DES 2 key */
+ if ((ret = cmac_test_subkeys(verbose,
+ "3DES 2 key",
+ des3_2key_key,
+ 192,
+ (const unsigned char *) des3_2key_subkeys,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "3DES 2 key",
+ des3_2key_key,
+ 192,
+ test_message,
+ des3_message_lengths,
+ (const unsigned char *) des3_2key_expected_result,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ /* 3DES 3 key */
+ if ((ret = cmac_test_subkeys(verbose,
+ "3DES 3 key",
+ des3_3key_key,
+ 192,
+ (const unsigned char *) des3_3key_subkeys,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "3DES 3 key",
+ des3_3key_key,
+ 192,
+ test_message,
+ des3_message_lengths,
+ (const unsigned char *) des3_3key_expected_result,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CMAC_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/constant_time.c b/tf-psa-crypto/drivers/builtin/src/constant_time.c
new file mode 100644
index 0000000..95b8122
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/constant_time.c
@@ -0,0 +1,248 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following functions are implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+
+#include <stdint.h>
+#include <limits.h>
+
+#include "common.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_CT_ASM)
+/*
+ * Define an object with the value zero, such that the compiler cannot prove that it
+ * has the value zero (because it is volatile, it "may be modified in ways unknown to
+ * the implementation").
+ */
+volatile mbedtls_ct_uint_t mbedtls_ct_zero = 0;
+#endif
+
+/*
+ * Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to
+ * perform fast unaligned access to volatile data.
+ *
+ * This is needed because mbedtls_get_unaligned_uintXX etc don't support volatile
+ * memory accesses.
+ *
+ * Some of these definitions could be moved into alignment.h but for now they are
+ * only used here.
+ */
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && \
+ ((defined(MBEDTLS_CT_ARM_ASM) && (UINTPTR_MAX == 0xfffffffful)) || \
+ defined(MBEDTLS_CT_AARCH64_ASM))
+/* We check pointer sizes to avoid issues with them not matching register size requirements */
+#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
+
+static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsigned char *p)
+{
+ /* This is UB, even where it's safe:
+ * return *((volatile uint32_t*)p);
+ * so instead the same thing is expressed in assembly below.
+ */
+ uint32_t r;
+#if defined(MBEDTLS_CT_ARM_ASM)
+ asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
+#elif defined(MBEDTLS_CT_AARCH64_ASM)
+ asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
+#else
+#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32"
+#endif
+ return r;
+}
+#endif /* defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) &&
+ (defined(MBEDTLS_CT_ARM_ASM) || defined(MBEDTLS_CT_AARCH64_ASM)) */
+
+int mbedtls_ct_memcmp(const void *a,
+ const void *b,
+ size_t n)
+{
+ size_t i = 0;
+ /*
+ * `A` and `B` are cast to volatile to ensure that the compiler
+ * generates code that always fully reads both buffers.
+ * Otherwise it could generate a test to exit early if `diff` has all
+ * bits set early in the loop.
+ */
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+ uint32_t diff = 0;
+
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS)
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_volatile_uint32(A + i);
+ uint32_t y = mbedtls_get_unaligned_volatile_uint32(B + i);
+ diff |= x ^ y;
+ }
+#endif
+
+ for (; i < n; i++) {
+ /* Read volatile data in order before computing diff.
+ * This avoids IAR compiler warning:
+ * 'the order of volatile accesses is undefined ..' */
+ unsigned char x = A[i], y = B[i];
+ diff |= x ^ y;
+ }
+
+
+#if (INT_MAX < INT32_MAX)
+ /* We don't support int smaller than 32-bits, but if someone tried to build
+ * with this configuration, there is a risk that, for differing data, the
+ * only bits set in diff are in the top 16-bits, and would be lost by a
+ * simple cast from uint32 to int.
+ * This would have significant security implications, so protect against it. */
+#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
+#else
+ /* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
+ * a value that is in the range 0..INT_MAX - a value larger than this would
+ * result in implementation defined behaviour.
+ *
+ * This ensures that the value returned by the function is non-zero iff
+ * diff is non-zero.
+ */
+ return (int) ((diff & 0xffff) | (diff >> 16));
+#endif
+}
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+int mbedtls_ct_memcmp_partial(const void *a,
+ const void *b,
+ size_t n,
+ size_t skip_head,
+ size_t skip_tail)
+{
+ unsigned int diff = 0;
+
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+
+ size_t valid_end = n - skip_tail;
+
+ for (size_t i = 0; i < n; i++) {
+ unsigned char x = A[i], y = B[i];
+ unsigned int d = x ^ y;
+ mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
+ mbedtls_ct_uint_lt(i, valid_end));
+ diff |= mbedtls_ct_uint_if_else_0(valid, d);
+ }
+
+ /* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
+ * cast from uint to int is safe. */
+ return (int) diff;
+}
+
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+
+void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
+{
+ volatile unsigned char *buf = start;
+ for (size_t i = 0; i < total; i++) {
+ mbedtls_ct_condition_t no_op = mbedtls_ct_uint_gt(total - offset, i);
+ /* The first `total - offset` passes are a no-op. The last
+ * `offset` passes shift the data one byte to the left and
+ * zero out the last byte. */
+ for (size_t n = 0; n < total - 1; n++) {
+ unsigned char current = buf[n];
+ unsigned char next = buf[n+1];
+ buf[n] = mbedtls_ct_uint_if(no_op, current, next);
+ }
+ buf[total-1] = mbedtls_ct_uint_if_else_0(no_op, buf[total-1]);
+ }
+}
+
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
+
+void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
+ unsigned char *dest,
+ const unsigned char *src1,
+ const unsigned char *src2,
+ size_t len)
+{
+#if defined(MBEDTLS_CT_SIZE_64)
+ const uint64_t mask = (uint64_t) condition;
+ const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition);
+#else
+ const uint32_t mask = (uint32_t) condition;
+ const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition);
+#endif
+
+ /* If src2 is NULL, setup src2 so that we read from the destination address.
+ *
+ * This means that if src2 == NULL && condition is false, the result will be a
+ * no-op because we read from dest and write the same data back into dest.
+ */
+ if (src2 == NULL) {
+ src2 = dest;
+ }
+
+ /* dest[i] = c1 == c2 ? src[i] : dest[i] */
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_CT_SIZE_64)
+ for (; (i + 8) <= len; i += 8) {
+ uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask;
+ uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask;
+ mbedtls_put_unaligned_uint64(dest + i, a | b);
+ }
+#else
+ for (; (i + 4) <= len; i += 4) {
+ uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask;
+ uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask;
+ mbedtls_put_unaligned_uint32(dest + i, a | b);
+ }
+#endif /* defined(MBEDTLS_CT_SIZE_64) */
+#endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */
+ for (; i < len; i++) {
+ dest[i] = (src1[i] & mask) | (src2[i] & not_mask);
+ }
+}
+
+void mbedtls_ct_memcpy_offset(unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
+ size_t offset_min,
+ size_t offset_max,
+ size_t len)
+{
+ size_t offsetval;
+
+ for (offsetval = offset_min; offsetval <= offset_max; offsetval++) {
+ mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offsetval, offset), dest, src + offsetval, NULL,
+ len);
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+
+void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len)
+{
+ uint32_t mask = (uint32_t) ~condition;
+ uint8_t *p = (uint8_t *) buf;
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+ for (; (i + 4) <= len; i += 4) {
+ mbedtls_put_unaligned_uint32((void *) (p + i),
+ mbedtls_get_unaligned_uint32((void *) (p + i)) & mask);
+ }
+#endif
+ for (; i < len; i++) {
+ p[i] = p[i] & mask;
+ }
+}
+
+#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) */
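Review bot: In `mbedtls_ct_memcmp_partial`, `size_t valid_end = n - skip_tail;` wraps when `skip_tail > n`, and the wrapped bound can no longer be relied on to exclude the tail bytes. Without wrapping, when `skip_head + skip_tail >= n` no byte is compared and the function returns 0, which a caller reads as "equal". Reads stay within `n`, so this is a contract problem rather than a memory-safety one, but the contract is not stated in this file (it may be in constant_time_internal.h, which this hunk does not show). I would add above the subtraction `/* Requires skip_head + skip_tail <= n; a range that skips everything compares as equal. */`. Separately, the comment `/* dest[i] = c1 == c2 ? src[i] : dest[i] */` in `mbedtls_ct_memcpy_if` names variables the function does not have; `/* dest[i] = condition ? src1[i] : src2[i] */` matches the code.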
diff --git a/tf-psa-crypto/drivers/builtin/src/constant_time_impl.h b/tf-psa-crypto/drivers/builtin/src/constant_time_impl.h
new file mode 100644
index 0000000..2a4574b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/constant_time_impl.h
@@ -0,0 +1,556 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_IMPL_H
+#define MBEDTLS_CONSTANT_TIME_IMPL_H
+
+#include <stddef.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/*
+ * To improve readability of constant_time_internal.h, the static inline
+ * definitions are here, and constant_time_internal.h has only the declarations.
+ *
+ * This results in duplicate declarations of the form:
+ * static inline void f(); // from constant_time_internal.h
+ * static inline void f() { ... } // from constant_time_impl.h
+ * when constant_time_internal.h is included.
+ *
+ * This appears to behave as if the declaration-without-definition was not present
+ * (except for warnings if gcc -Wredundant-decls or similar is used).
+ *
+ * Disable -Wredundant-decls so that gcc does not warn about this. This is re-enabled
+ * at the bottom of this file.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (__GNUC__ > 4)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wredundant-decls"
+#endif
+
+/* Disable asm under Memsan because it confuses Memsan and generates false errors.
+ *
+ * We also disable under Valgrind by default, because it's more useful
+ * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names
+ * may be set to permit building asm under Valgrind.
+ */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \
+ (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names
+#define MBEDTLS_CT_NO_ASM
+#elif defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_CT_NO_ASM
+#endif
+#endif
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \
+ __ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM)
+#define MBEDTLS_CT_ASM
+#if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__))
+#define MBEDTLS_CT_ARM_ASM
+#elif defined(__aarch64__)
+#define MBEDTLS_CT_AARCH64_ASM
+#elif defined(__amd64__) || defined(__x86_64__)
+#define MBEDTLS_CT_X86_64_ASM
+#elif defined(__i386__)
+#define MBEDTLS_CT_X86_ASM
+#endif
+#endif
+
+#define MBEDTLS_CT_SIZE (sizeof(mbedtls_ct_uint_t) * 8)
+
+
+/* ============================================================================
+ * Core const-time primitives
+ */
+
+/* Ensure that the compiler cannot know the value of x (i.e., cannot optimise
+ * based on its value) after this function is called.
+ *
+ * If we are not using assembly, this will be fairly inefficient, so its use
+ * should be minimised.
+ */
+
+#if !defined(MBEDTLS_CT_ASM)
+extern volatile mbedtls_ct_uint_t mbedtls_ct_zero;
+#endif
+
+/**
+ * \brief Ensure that a value cannot be known at compile time.
+ *
+ * \param x The value to hide from the compiler.
+ * \return The same value that was passed in, such that the compiler
+ * cannot prove its value (even for calls of the form
+ * x = mbedtls_ct_compiler_opaque(1), x will be unknown).
+ *
+ * \note This is mainly used in constructing mbedtls_ct_condition_t
+ * values and performing operations over them, to ensure that
+ * there is no way for the compiler to ever know anything about
+ * the value of an mbedtls_ct_condition_t.
+ */
+static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
+{
+#if defined(MBEDTLS_CT_ASM)
+ asm volatile ("" : [x] "+r" (x) :);
+ return x;
+#else
+ return x ^ mbedtls_ct_zero;
+#endif
+}
+
+/*
+ * Selecting unified syntax is needed for gcc, and harmless on clang.
+ *
+ * This is needed because on Thumb 1, condition flags are always set, so
+ * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist).
+ *
+ * Under Thumb 1 unified syntax, only the "negs" form is accepted, and
+ * under divided syntax, only the "neg" form is accepted. clang only
+ * supports unified syntax.
+ *
+ * On Thumb 2 and Arm, both compilers are happy with the "s" suffix,
+ * although we don't actually care about setting the flags.
+ *
+ * For old versions of gcc (see #8516 for details), restore divided
+ * syntax afterwards - otherwise old versions of gcc seem to apply
+ * unified syntax globally, which breaks other asm code.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__thumb__) && !defined(__thumb2__) && \
+ (__GNUC__ < 11) && !defined(__ARM_ARCH_2__)
+#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
+#else
+#define RESTORE_ASM_SYNTAX
+#endif
+
+/* Convert a number into a condition in constant time. */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
+{
+ /*
+ * Define mask-generation code that, as far as possible, will not use branches or conditional instructions.
+ *
+ * For some platforms / type sizes, we define assembly to assure this.
+ *
+ * Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into
+ * conditional instructions or branches by trunk clang, gcc, or MSVC v19.
+ */
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ mbedtls_ct_uint_t s;
+ asm volatile ("neg %x[s], %x[x] \n\t"
+ "orr %x[x], %x[s], %x[x] \n\t"
+ "asr %x[x], %x[x], 63 \n\t"
+ :
+ [s] "=&r" (s),
+ [x] "+&r" (x)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile (".syntax unified \n\t"
+ "negs %[s], %[x] \n\t"
+ "orrs %[x], %[x], %[s] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [s] "=&l" (s),
+ [x] "+&l" (x)
+ :
+ :
+ "cc" /* clobbers flag bits */
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[x], %[s] \n\t"
+ "sar $63, %[s] \n\t"
+ :
+ [s] "=&a" (s)
+ :
+ [x] "D" (x)
+ :
+ );
+ return (mbedtls_ct_condition_t) s;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[s], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&c" (s),
+ [x] "+&a" (x)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#else
+ const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
+#if defined(_MSC_VER)
+ /* MSVC has a warning about unary minus on unsigned, but this is
+ * well-defined and precisely what we want to do here */
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+ // y is negative (i.e., top bit set) iff x is non-zero
+ mbedtls_ct_int_t y = (-xo) | -(xo >> 1);
+
+ // extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero)
+ y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1));
+
+ // -y has all bits set (if x is non-zero), or all bits clear (if x is zero)
+ return (mbedtls_ct_condition_t) (-y);
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+#endif
+}
+
+static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_uint_t if1,
+ mbedtls_ct_uint_t if0)
+{
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
+ "mvn %x[condition], %x[condition] \n\t"
+ "and %x[condition], %x[condition], %x[if0] \n\t"
+ "orr %x[condition], %x[if1], %x[condition]"
+ :
+ [condition] "+&r" (condition),
+ [if1] "+&r" (if1)
+ :
+ [if0] "r" (if0)
+ :
+ );
+ return (mbedtls_ct_uint_t) condition;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ asm volatile (".syntax unified \n\t"
+ "ands %[if1], %[if1], %[condition] \n\t"
+ "mvns %[condition], %[condition] \n\t"
+ "ands %[condition], %[condition], %[if0] \n\t"
+ "orrs %[condition], %[if1], %[condition] \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [condition] "+&l" (condition),
+ [if1] "+&l" (if1)
+ :
+ [if0] "l" (if0)
+ :
+ "cc"
+ );
+ return (mbedtls_ct_uint_t) condition;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[condition], %[if0] \n\t"
+ "or %[if1], %[if0] \n\t"
+ :
+ [condition] "+&D" (condition),
+ [if1] "+&S" (if1),
+ [if0] "+&a" (if0)
+ :
+ :
+ );
+ return if0;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[if0], %[condition] \n\t"
+ "or %[condition], %[if1] \n\t"
+ :
+ [condition] "+&c" (condition),
+ [if1] "+&a" (if1)
+ :
+ [if0] "b" (if0)
+ :
+ );
+ return if1;
+#else
+ mbedtls_ct_condition_t not_cond =
+ (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
+ return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0));
+#endif
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
+{
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s1;
+ asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
+ "sub %x[x], %x[x], %x[y] \n\t"
+ "bic %x[x], %x[x], %x[s1] \n\t"
+ "and %x[s1], %x[s1], %x[y] \n\t"
+ "orr %x[s1], %x[x], %x[s1] \n\t"
+ "asr %x[x], %x[s1], 63"
+ :
+ [s1] "=&r" (s1),
+ [x] "+&r" (x)
+ :
+ [y] "r" (y)
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s1;
+ asm volatile (
+ ".syntax unified \n\t"
+#if defined(__thumb__) && !defined(__thumb2__)
+ "movs %[s1], %[x] \n\t"
+ "eors %[s1], %[s1], %[y] \n\t"
+#else
+ "eors %[s1], %[x], %[y] \n\t"
+#endif
+ "subs %[x], %[x], %[y] \n\t"
+ "bics %[x], %[x], %[s1] \n\t"
+ "ands %[y], %[s1], %[y] \n\t"
+ "orrs %[x], %[x], %[y] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [s1] "=&l" (s1),
+ [x] "+&l" (x),
+ [y] "+&l" (y)
+ :
+ :
+ "cc"
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
+ "sub %[y], %[x] \n\t"
+ "and %[s], %[y] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
+ "or %[y], %[x] \n\t"
+ "sar $63, %[x] \n\t"
+ :
+ [s] "=&a" (s),
+ [x] "+&D" (x),
+ [y] "+&S" (y)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
+ "sub %[y], %[x] \n\t"
+ "and %[s], %[y] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
+ "or %[y], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&b" (s),
+ [x] "+&a" (x),
+ [y] "+&c" (y)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#else
+ /* Ensure that the compiler cannot optimise the following operations over x and y,
+ * even if it knows the value of x and y.
+ */
+ const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
+ const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);
+ /*
+ * Check if the most significant bits (MSB) of the operands are different.
+ * cond is true iff the MSBs differ.
+ */
+ mbedtls_ct_condition_t cond = mbedtls_ct_bool((xo ^ yo) >> (MBEDTLS_CT_SIZE - 1));
+
+ /*
+ * If the MSB are the same then the difference x-y will be negative (and
+ * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+ *
+ * If the MSB are different, then the operand with the MSB of 1 is the
+ * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+ * the MSB of y is 0.)
+ */
+
+ // Select either y, or x - y
+ mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (xo - yo));
+
+ // Extract only the MSB of ret
+ ret = ret >> (MBEDTLS_CT_SIZE - 1);
+
+ // Convert to a condition (i.e., all bits set iff non-zero)
+ return mbedtls_ct_bool(ret);
+#endif
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
+{
+ /* diff = 0 if x == y, non-zero otherwise */
+ const mbedtls_ct_uint_t diff = mbedtls_ct_compiler_opaque(x) ^ mbedtls_ct_compiler_opaque(y);
+
+ /* all ones if x != y, 0 otherwise */
+ return mbedtls_ct_bool(diff);
+}
+
+static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
+ unsigned char high,
+ unsigned char c,
+ unsigned char t)
+{
+ const unsigned char co = (unsigned char) mbedtls_ct_compiler_opaque(c);
+ const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t);
+
+ /* low_mask is: 0 if low <= c, 0x...ff if low > c */
+ unsigned low_mask = ((unsigned) co - low) >> 8;
+ /* high_mask is: 0 if c <= high, 0x...ff if c > high */
+ unsigned high_mask = ((unsigned) high - co) >> 8;
+
+ return (unsigned char) (~(low_mask | high_mask)) & to;
+}
+
+/* ============================================================================
+ * Everything below here is trivial wrapper functions
+ */
+
+static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
+ size_t if1,
+ size_t if0)
+{
+ return (size_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
+}
+
+static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
+ unsigned if1,
+ unsigned if0)
+{
+ return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1,
+ mbedtls_ct_condition_t if0)
+{
+ return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
+ (mbedtls_ct_uint_t) if0);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1,
+ mbedtls_mpi_uint if0)
+{
+ return (mbedtls_mpi_uint) mbedtls_ct_if(condition,
+ (mbedtls_ct_uint_t) if1,
+ (mbedtls_ct_uint_t) if0);
+}
+
+#endif
+
+static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1)
+{
+ return (size_t) (condition & if1);
+}
+
+static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1)
+{
+ return (unsigned) (condition & if1);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1)
+{
+ return (mbedtls_ct_condition_t) (condition & if1);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1)
+{
+ return (mbedtls_mpi_uint) (condition & if1);
+}
+
+#endif /* MBEDTLS_BIGNUM_C */
+
+static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
+{
+ /* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
+ * in the range -32767..0, and we require 32-bit int and uint types.
+ *
+ * This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
+ * converting back to int.
+ */
+ return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
+ (mbedtls_ct_uint_t) (-if0)));
+}
+
+static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
+{
+ return -((int) (condition & (-if1)));
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_ne(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return mbedtls_ct_uint_lt(y, x);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_lt(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_gt(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x ^ y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x & y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x | y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x)
+{
+ return (mbedtls_ct_condition_t) (~x);
+}
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (__GNUC__ > 4)
+/* Restore warnings for -Wredundant-decls on gcc */
+ #pragma GCC diagnostic pop
+#endif
+
+#endif /* MBEDTLS_CONSTANT_TIME_IMPL_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/constant_time_internal.h b/tf-psa-crypto/drivers/builtin/src/constant_time_internal.h
new file mode 100644
index 0000000..26f6606
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/constant_time_internal.h
@@ -0,0 +1,579 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H
+#define MBEDTLS_CONSTANT_TIME_INTERNAL_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/* The constant-time interface provides various operations that are likely
+ * to result in constant-time code that does not branch or use conditional
+ * instructions for secret data (for secret pointers, this also applies to
+ * the data pointed to).
+ *
+ * It has three main parts:
+ *
+ * - boolean operations
+ * These are all named mbedtls_ct_<type>_<operation>.
+ * They operate over <type> and return mbedtls_ct_condition_t.
+ * All arguments are considered secret.
+ * example: bool x = y | z => x = mbedtls_ct_bool_or(y, z)
+ * example: bool x = y == z => x = mbedtls_ct_uint_eq(y, z)
+ *
+ * - conditional data selection
+ * These are all named mbedtls_ct_<type>_if and mbedtls_ct_<type>_if_else_0
+ * All arguments are considered secret.
+ * example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c)
+ * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b)
+ *
+ * - block memory operations
+ * Only some arguments are considered secret, as documented for each
+ * function.
+ * example: if (x) memcpy(...) => mbedtls_ct_memcpy_if(x, ...)
+ *
+ * mbedtls_ct_condition_t must be treated as opaque and only created and
+ * manipulated via the functions in this header. The compiler should never
+ * be able to prove anything about its value at compile-time.
+ *
+ * mbedtls_ct_uint_t is an unsigned integer type over which constant time
+ * operations may be performed via the functions in this header. It is as big
+ * as the larger of size_t and mbedtls_mpi_uint, i.e. it is safe to cast
+ * to/from "unsigned int", "size_t", and "mbedtls_mpi_uint" (and any other
+ * not-larger integer types).
+ *
+ * For Arm (32-bit, 64-bit and Thumb), x86 and x86-64, assembly implementations
+ * are used to ensure that the generated code is constant time. For other
+ * architectures, it uses a plain C fallback designed to yield constant-time code
+ * (this has been observed to be constant-time on latest gcc, clang and MSVC
+ * as of May 2023).
+ *
+ * For readability, the static inline definitions are separated out into
+ * constant_time_impl.h.
+ */
+
+#if (SIZE_MAX > 0xffffffffffffffffULL)
+/* Pointer size > 64-bit */
+typedef size_t mbedtls_ct_condition_t;
+typedef size_t mbedtls_ct_uint_t;
+typedef ptrdiff_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(SIZE_MAX))
+#elif (SIZE_MAX > 0xffffffff) || defined(MBEDTLS_HAVE_INT64)
+/* 32-bit < pointer size <= 64-bit, or 64-bit MPI */
+typedef uint64_t mbedtls_ct_condition_t;
+typedef uint64_t mbedtls_ct_uint_t;
+typedef int64_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_SIZE_64
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX))
+#else
+/* Pointer size <= 32-bit, and no 64-bit MPIs */
+typedef uint32_t mbedtls_ct_condition_t;
+typedef uint32_t mbedtls_ct_uint_t;
+typedef int32_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_SIZE_32
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX))
+#endif
+#define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0))
+
+/* ============================================================================
+ * Boolean operations
+ */
+
+/** Convert a number into a mbedtls_ct_condition_t.
+ *
+ * \param x Number to convert.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != 0, or MBEDTLS_CT_FALSE if \p x == 0
+ *
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x);
+
+/** Boolean "not equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x != \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
+
+/** Boolean "equals" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x == \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x == \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "less than" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x < \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x < \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
+
+/** Boolean "greater than" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x > \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x > \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "greater or equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x >= \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x >= \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "less than or equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x <= \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x <= \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean not-equals operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x != \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
+ * mbedtls_ct_condition_t.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "and" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x && \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x && \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "or" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x || \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x || \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "not" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * ! \p x
+ *
+ * \param x The value to invert
+ *
+ * \return MBEDTLS_CT_FALSE if \p x, otherwise MBEDTLS_CT_TRUE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x);
+
+
+/* ============================================================================
+ * Data selection operations
+ */
+
+/** Choose between two size_t values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
+ size_t if1,
+ size_t if0);
+
+/** Choose between two unsigned values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
+ unsigned if1,
+ unsigned if0);
+
+/** Choose between two mbedtls_ct_condition_t values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1,
+ mbedtls_ct_condition_t if0);
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+/** Choose between two mbedtls_mpi_uint values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, \
+ mbedtls_mpi_uint if1, \
+ mbedtls_mpi_uint if0);
+
+#endif
+
+/** Choose between an unsigned value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_uint_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
+
+/** Choose between an mbedtls_ct_condition_t and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1);
+
+/** Choose between a size_t value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_size_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1);
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+/** Choose between an mbedtls_mpi_uint value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_mpi_uint_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1);
+
+#endif
+
+/** Constant-flow char selection
+ *
+ * \param low Secret. Bottom of range
+ * \param high Secret. Top of range
+ * \param c Secret. Value to compare to range
+ * \param t Secret. Value to return, if in range
+ *
+ * \return \p t if \p low <= \p c <= \p high, 0 otherwise.
+ */
+static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
+ unsigned char high,
+ unsigned char c,
+ unsigned char t);
+
+/** Choose between two error values. The values must be in the range [-32767..0].
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
+
+/** Choose between an error value and 0. The error value must be in the range [-32767..0].
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
+
+/* ============================================================================
+ * Block memory operations
+ */
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+
+/** Conditionally set a block of memory to zero.
+ *
+ * Regardless of the condition, every byte will be read once and written to
+ * once.
+ *
+ * \param condition Secret. Condition to test.
+ * \param buf Secret. Pointer to the start of the buffer.
+ * \param len Number of bytes to set to zero.
+ *
+ * \warning Unlike mbedtls_platform_zeroize, this does not have the same guarantees
+ * about not being optimised away if the memory is never read again.
+ */
+void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len);
+
+/** Shift some data towards the left inside a buffer.
+ *
+ * Functionally equivalent to:
+ *
+ * memmove(start, start + offset, total - offset);
+ * memset(start + (total - offset), 0, offset);
+ *
+ * Timing independence comes at the expense of performance.
+ *
+ * \param start Secret. Pointer to the start of the buffer.
+ * \param total Total size of the buffer.
+ * \param offset Secret. Offset from which to copy \p total - \p offset bytes.
+ */
+void mbedtls_ct_memmove_left(void *start,
+ size_t total,
+ size_t offset);
+
+#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) */
+
+/** Conditional memcpy.
+ *
+ * Functionally equivalent to:
+ *
+ * if (condition) {
+ * memcpy(dest, src1, len);
+ * } else {
+ * if (src2 != NULL)
+ * memcpy(dest, src2, len);
+ * }
+ *
+ * It will always read len bytes from src1.
+ * If src2 != NULL, it will always read len bytes from src2.
+ * If src2 == NULL, it will instead read len bytes from dest (as if src2 == dest).
+ *
+ * \param condition The condition
+ * \param dest Secret. Destination pointer.
+ * \param src1 Secret. Pointer to copy from (if \p condition == MBEDTLS_CT_TRUE).
+ * This may be equal to \p dest, but may not overlap in other ways.
+ * \param src2 Secret (contents only - may branch to determine if this parameter is NULL).
+ * Pointer to copy from (if \p condition == MBEDTLS_CT_FALSE and \p src2 is not NULL). May be NULL.
+ * This may be equal to \p dest, but may not overlap it in other ways. It may overlap with \p src1.
+ * \param len Number of bytes to copy.
+ */
+void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
+ unsigned char *dest,
+ const unsigned char *src1,
+ const unsigned char *src2,
+ size_t len
+ );
+
+/** Copy data from a secret position.
+ *
+ * Functionally equivalent to:
+ *
+ * memcpy(dst, src + offset, len)
+ *
+ * This function copies \p len bytes from \p src + \p offset to
+ * \p dst, with a code flow and memory access pattern that does not depend on
+ * \p offset, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \note This function reads from \p dest, but the value that
+ * is read does not influence the result and this
+ * function's behavior is well-defined regardless of the
+ * contents of the buffers. This may result in false
+ * positives from static or dynamic analyzers, especially
+ * if \p dest is not initialized.
+ *
+ * \param dest Secret. The destination buffer. This must point to a writable
+ * buffer of at least \p len bytes.
+ * \param src Secret. The base of the source buffer. This must point to a
+ * readable buffer of at least \p offset_max + \p len
+ * bytes. Shouldn't overlap with \p dest
+ * \param offset Secret. The offset in the source buffer from which to copy.
+ * This must be no less than \p offset_min and no greater
+ * than \p offset_max.
+ * \param offset_min The minimal value of \p offset.
+ * \param offset_max The maximal value of \p offset.
+ * \param len The number of bytes to copy.
+ */
+void mbedtls_ct_memcpy_offset(unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
+ size_t offset_min,
+ size_t offset_max,
+ size_t len);
+
+/* Documented in include/mbedtls/constant_time.h. a and b are secret.
+
+ int mbedtls_ct_memcmp(const void *a,
+ const void *b,
+ size_t n);
+ */
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+/** Constant-time buffer comparison without branches.
+ *
+ * Similar to mbedtls_ct_memcmp, except that the result only depends on part of
+ * the input data - differences in the head or tail are ignored. Functionally equivalent to:
+ *
+ * memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
+ *
+ * Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
+ *
+ * Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
+ *
+ * \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
+ * \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
+ * \param n The number of bytes to examine (total size of the buffers).
+ * \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
+ * These bytes will still be read.
+ * \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
+ * These bytes will still be read.
+ *
+ * \return Zero if the contents of the two buffers are the same, otherwise non-zero.
+ */
+int mbedtls_ct_memcmp_partial(const void *a,
+ const void *b,
+ size_t n,
+ size_t skip_head,
+ size_t skip_tail);
+
+#endif
+
+/* Include the implementation of static inline functions above. */
+#include "constant_time_impl.h"
+
+#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */
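Review bot: The `\param condition` line of mbedtls_ct_memcpy_if reads only `The condition`, while mbedtls_ct_zeroize_if in the same section documents its condition as `Secret. Condition to test.`. Because the header states that secrecy for block memory operations is documented per function, a caller cannot tell whether a secret-derived condition is safe to pass here. If the implementation (not in this hunk) does not branch on it, the line should read `\param condition Secret. Condition to test.`. Two smaller mismatches in the same header: mbedtls_ct_memcpy_offset refers to `\p dst` and `memcpy(dst, ...)` although the parameter is `dest`, and the equivalent expression for mbedtls_ct_memcmp_partial uses `size` where the parameter is `n`.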
diff --git a/tf-psa-crypto/drivers/builtin/src/ctr.h b/tf-psa-crypto/drivers/builtin/src/ctr.h
new file mode 100644
index 0000000..aa48fb9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ctr.h
@@ -0,0 +1,35 @@
+/**
+ * \file ctr.h
+ *
+ * \brief This file contains common functionality for counter algorithms.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CTR_H
+#define MBEDTLS_CTR_H
+
+#include "common.h"
+
+/**
+ * \brief Increment a big-endian 16-byte value.
+ * This is quite performance-sensitive for AES-CTR and CTR-DRBG.
+ *
+ * \param n A 16-byte value to be incremented.
+ */
+static inline void mbedtls_ctr_increment_counter(uint8_t n[16])
+{
+ // The 32-bit version seems to perform about the same as a 64-bit version
+ // on 64-bit architectures, so no need to define a 64-bit version.
+ for (int i = 3;; i--) {
+ uint32_t x = MBEDTLS_GET_UINT32_BE(n, i << 2);
+ x += 1;
+ MBEDTLS_PUT_UINT32_BE(x, n, i << 2);
+ if (x != 0 || i == 0) {
+ break;
+ }
+ }
+}
+
+#endif /* MBEDTLS_CTR_H */
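Review bot: The doc comment on mbedtls_ctr_increment_counter does not say what happens at the top of the range. The loop carries through all four 32-bit words and stops at `i == 0` regardless of the result, so an all-0xff input silently becomes all zeros. A caller that treats only part of the block as the counter (a nonce prefix, for example) would also see the carry run into that prefix. I would add to the comment: `The increment carries across all 16 bytes and wraps to zero on overflow; no error is reported.`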
diff --git a/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c b/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c
new file mode 100644
index 0000000..66d9d28
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c
@@ -0,0 +1,1016 @@
+/*
+ * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The NIST SP 800-90 DRBGs are described in the following publication.
+ *
+ * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-90r.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+
+#include "ctr.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/* Using error translation functions from PSA to MbedTLS */
+#if !defined(MBEDTLS_AES_C)
+#include "psa_util_internal.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_AES_C)
+static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx,
+ unsigned char *key, size_t key_len)
+{
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_ECB_NO_PADDING);
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_AES);
+ status = psa_import_key(&key_attr, key, key_len, &psa_ctx->key_id);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_cipher_encrypt_setup(&psa_ctx->operation, psa_ctx->key_id, PSA_ALG_ECB_NO_PADDING);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attr);
+ return status;
+}
+
+static void ctr_drbg_destroy_psa_contex(mbedtls_ctr_drbg_psa_context *psa_ctx)
+{
+ psa_cipher_abort(&psa_ctx->operation);
+ psa_destroy_key(psa_ctx->key_id);
+
+ psa_ctx->operation = psa_cipher_operation_init();
+ psa_ctx->key_id = MBEDTLS_SVC_KEY_ID_INIT;
+}
+#endif
+
+/*
+ * CTR_DRBG context initialization
+ */
+void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_init(&ctx->aes_ctx);
+#else
+ ctx->psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ ctx->psa_ctx.operation = psa_cipher_operation_init();
+#endif
+ /* Indicate that the entropy nonce length is not set explicitly.
+ * See mbedtls_ctr_drbg_set_nonce_len(). */
+ ctx->reseed_counter = -1;
+
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * This function resets CTR_DRBG context to the state immediately
+ * after initial call of mbedtls_ctr_drbg_init().
+ */
+void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* The mutex is initialized iff f_entropy is set. */
+ if (ctx->f_entropy != NULL) {
+ mbedtls_mutex_free(&ctx->mutex);
+ }
+#endif
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_free(&ctx->aes_ctx);
+#else
+ ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+ ctx->reseed_counter = -1;
+}
+
+void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
+ int resistance)
+{
+ ctx->prediction_resistance = resistance;
+}
+
+void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len)
+{
+ ctx->entropy_len = len;
+}
+
+int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len)
+{
+ /* If mbedtls_ctr_drbg_seed() has already been called, it's
+ * too late. Return the error code that's closest to making sense. */
+ if (ctx->f_entropy != NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+
+ if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* This shouldn't be an issue because
+ * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
+ * configuration, but make sure anyway. */
+ if (len > INT_MAX) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* For backward compatibility with Mbed TLS <= 2.19, store the
+ * entropy nonce length in a field that already exists, but isn't
+ * used until after the initial seeding. */
+ /* Due to the capping of len above, the value fits in an int. */
+ ctx->reseed_counter = (int) len;
+ return 0;
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
+ int interval)
+{
+ ctx->reseed_interval = interval;
+}
+
+static int block_cipher_df(unsigned char *output,
+ const unsigned char *data, size_t data_len)
+{
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+ MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+ unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+ unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+ unsigned char *p, *iv;
+ int ret = 0;
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_context aes_ctx;
+#else
+ psa_status_t status;
+ size_t tmp_len;
+ mbedtls_ctr_drbg_psa_context psa_ctx;
+
+ psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_ctx.operation = psa_cipher_operation_init();
+#endif
+
+ int i, j;
+ size_t buf_len, use_len;
+
+ if (data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+ MBEDTLS_CTR_DRBG_BLOCKSIZE + 16);
+
+ /*
+ * Construct IV (16 bytes) and S in buffer
+ * IV = Counter (in 32-bits) padded to 16 with zeroes
+ * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
+ * data || 0x80
+ * (Total is padded to a multiple of 16-bytes with zeroes)
+ */
+ p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ MBEDTLS_PUT_UINT32_BE(data_len, p, 0);
+ p += 4 + 3;
+ *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
+ memcpy(p, data, data_len);
+ p[data_len] = 0x80;
+
+ buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
+
+ for (i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++) {
+ key[i] = i;
+ }
+
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_init(&aes_ctx);
+
+ if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ /*
+ * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
+ */
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+ p = buf;
+ memset(chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ use_len = buf_len;
+
+ while (use_len > 0) {
+ mbedtls_xor(chain, chain, p, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
+ MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
+
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ chain, chain)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&psa_ctx.operation, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE,
+ chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ }
+
+ memcpy(tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+
+ /*
+ * Update IV
+ */
+ buf[3]++;
+ }
+
+ /*
+ * Do final encryption with reduced data
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ ctr_drbg_destroy_psa_contex(&psa_ctx);
+
+ status = ctr_drbg_setup_psa_context(&psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
+ p = output;
+
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ iv, iv)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&psa_ctx.operation, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE,
+ iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ }
+exit:
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_free(&aes_ctx);
+#else
+ ctr_drbg_destroy_psa_contex(&psa_ctx);
+#endif
+ /*
+ * tidy up the stack
+ */
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ mbedtls_platform_zeroize(key, sizeof(key));
+ mbedtls_platform_zeroize(chain, sizeof(chain));
+ if (0 != ret) {
+ /*
+ * wipe partial seed from memory
+ */
+ mbedtls_platform_zeroize(output, MBEDTLS_CTR_DRBG_SEEDLEN);
+ }
+
+ return ret;
+}
+
+/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ * ctx->aes_ctx = Key
+ * ctx->counter = V
+ */
+static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
+{
+ unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char *p = tmp;
+ int j;
+ int ret = 0;
+#if !defined(MBEDTLS_AES_C)
+ psa_status_t status;
+ size_t tmp_len;
+#endif
+
+ memset(tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+ /*
+ * Increase counter
+ */
+ mbedtls_ctr_increment_counter(ctx->counter);
+
+ /*
+ * Crypt counter block
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, p)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
+ p, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ }
+
+ mbedtls_xor(tmp, tmp, data, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ /*
+ * Update key and counter
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
+
+ status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
+ MBEDTLS_CTR_DRBG_BLOCKSIZE);
+
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ * security_strength) -> initial_working_state
+ * with inputs
+ * ctx->counter = all-bits-0
+ * ctx->aes_ctx = context from all-bits-0 key
+ * additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ * ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len)
+{
+ unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (add_len == 0) {
+ return 0;
+ }
+
+ if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(add_input, sizeof(add_input));
+ return ret;
+}
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ * -> new_working_state
+ * with inputs
+ * ctx contains working_state
+ * additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * for (ctx->entropy_len + nonce_len) bytes
+ * and with output
+ * ctx contains new_working_state
+ */
+static int mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t len,
+ size_t nonce_len)
+{
+ unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
+ size_t seedlen = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+ if (nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+ if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT);
+
+ /* Gather entropy_len bytes of entropy to seed state. */
+ if (0 != ctx->f_entropy(ctx->p_entropy, seed, ctx->entropy_len)) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += ctx->entropy_len;
+
+ /* Gather entropy for a nonce if requested. */
+ if (nonce_len != 0) {
+ if (0 != ctx->f_entropy(ctx->p_entropy, seed + seedlen, nonce_len)) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += nonce_len;
+ }
+
+ /* Add additional data if provided. */
+ if (additional != NULL && len != 0) {
+ memcpy(seed + seedlen, additional, len);
+ seedlen += len;
+ }
+
+ /* Reduce to 384 bits. */
+ if ((ret = block_cipher_df(seed, seed, seedlen)) != 0) {
+ goto exit;
+ }
+
+ /* Update state. */
+ if ((ret = ctr_drbg_update_internal(ctx, seed)) != 0) {
+ goto exit;
+ }
+ ctx->reseed_counter = 1;
+
+exit:
+ mbedtls_platform_zeroize(seed, sizeof(seed));
+ return ret;
+}
+
+int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional, size_t len)
+{
+ return mbedtls_ctr_drbg_reseed_internal(ctx, additional, len, 0);
+}
+
+/* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
+ * is sufficient to achieve the maximum security strength given the key
+ * size and entropy length. If there is enough entropy in the initial
+ * call to the entropy function to serve as both the entropy input and
+ * the nonce, don't make a second call to get a nonce. */
+static size_t good_nonce_len(size_t entropy_len)
+{
+ if (entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2) {
+ return 0;
+ } else {
+ return (entropy_len + 1) / 2;
+ }
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ * security_strength) -> initial_working_state
+ * with inputs
+ * custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for ctx->entropy_len bytes
+ * and with outputs
+ * ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+ size_t nonce_len;
+
+ memset(key, 0, MBEDTLS_CTR_DRBG_KEYSIZE);
+
+ /* The mutex is initialized iff f_entropy is set. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ ctx->f_entropy = f_entropy;
+ ctx->p_entropy = p_entropy;
+
+ if (ctx->entropy_len == 0) {
+ ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+ }
+ /* ctx->reseed_counter contains the desired amount of entropy to
+ * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
+ * If it's -1, indicating that the entropy nonce length was not set
+ * explicitly, use a sufficiently large nonce for security. */
+ nonce_len = (ctx->reseed_counter >= 0 ?
+ (size_t) ctx->reseed_counter :
+ good_nonce_len(ctx->entropy_len));
+
+ /* Initialize with an empty key. */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ return ret;
+ }
+#else
+ psa_status_t status;
+
+ status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, key, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ return status;
+ }
+#endif
+
+ /* Do the initial seeding. */
+ if ((ret = mbedtls_ctr_drbg_reseed_internal(ctx, custom, len,
+ nonce_len)) != 0) {
+ return ret;
+ }
+ return 0;
+}
+
+/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ * -> working_state_after_reseed
+ * if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ * requested_number_of_bits, additional_input)
+ * -> status, returned_bits, new_working_state
+ * with inputs
+ * ctx contains working_state
+ * requested_number_of_bits = 8 * output_len
+ * additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ * status = SUCCESS (this function does the reseed internally)
+ * returned_bits = output[:output_len]
+ * ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t output_len,
+ const unsigned char *additional, size_t add_len)
+{
+ int ret = 0;
+ mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+ unsigned char *p = output;
+ struct {
+ unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+ } locals;
+ size_t use_len;
+
+ if (output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST) {
+ return MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG;
+ }
+
+ if (add_len > MBEDTLS_CTR_DRBG_MAX_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(locals.add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ if (ctx->reseed_counter > ctx->reseed_interval ||
+ ctx->prediction_resistance) {
+ if ((ret = mbedtls_ctr_drbg_reseed(ctx, additional, add_len)) != 0) {
+ return ret;
+ }
+ add_len = 0;
+ }
+
+ if (add_len > 0) {
+ if ((ret = block_cipher_df(locals.add_input, additional, add_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
+ goto exit;
+ }
+ }
+
+ while (output_len > 0) {
+ /*
+ * Increase counter (treat it as a 128-bit big-endian integer).
+ */
+ mbedtls_ctr_increment_counter(ctx->counter);
+
+ /*
+ * Crypt counter block
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, locals.tmp)) != 0) {
+ goto exit;
+ }
+#else
+ psa_status_t status;
+ size_t tmp_len;
+
+ status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
+ locals.tmp, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
+ ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
+ /*
+ * Copy random block to destination
+ */
+ memcpy(p, locals.tmp, use_len);
+ p += use_len;
+ output_len -= use_len;
+ }
+
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
+ goto exit;
+ }
+
+ ctx->reseed_counter++;
+
+exit:
+ mbedtls_platform_zeroize(&locals, sizeof(locals));
+ return ret;
+}
+
+int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output,
+ size_t output_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, NULL, 0);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx,
+ const char *path)
+{
+ int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ FILE *f;
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if ((ret = mbedtls_ctr_drbg_random(ctx, buf,
+ MBEDTLS_CTR_DRBG_MAX_INPUT)) != 0) {
+ goto exit;
+ }
+
+ if (fwrite(buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f) !=
+ MBEDTLS_CTR_DRBG_MAX_INPUT) {
+ ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ } else {
+ ret = 0;
+ }
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ fclose(f);
+ return ret;
+}
+
+int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx,
+ const char *path)
+{
+ int ret = 0;
+ FILE *f = NULL;
+ size_t n;
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
+ unsigned char c;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ n = fread(buf, 1, sizeof(buf), f);
+ if (fread(&c, 1, 1, f) != 0) {
+ ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ goto exit;
+ }
+ if (n == 0 || ferror(f)) {
+ ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+ fclose(f);
+ f = NULL;
+
+ ret = mbedtls_ctr_drbg_update(ctx, buf, n);
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ if (f != NULL) {
+ fclose(f);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_ctr_drbg_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/* The CTR_DRBG NIST test vectors used here are available at
+ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
+ *
+ * The parameters used to derive the test data are:
+ *
+ * [AES-128 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 128]
+ * [NonceLen = 64]
+ * [PersonalizationStringLen = 128]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ * [AES-256 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 256]
+ * [NonceLen = 128]
+ * [PersonalizationStringLen = 256]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+static const unsigned char entropy_source_pr[] =
+{ 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
+ 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
+ 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
+ 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
+ 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
+ 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
+ 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
+
+static const unsigned char entropy_source_nopr[] =
+{ 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
+ 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
+ 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
+ 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
+ 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
+
+static const unsigned char pers_pr[] =
+{ 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
+ 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
+
+static const unsigned char pers_nopr[] =
+{ 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
+ 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
+
+static const unsigned char result_pr[] =
+{ 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
+ 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
+ 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
+ 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
+ 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
+ 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
+ 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
+ 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
+
+static const unsigned char result_nopr[] =
+{ 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
+ 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
+ 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
+ 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
+ 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
+ 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
+ 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
+ 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
+#else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+static const unsigned char entropy_source_pr[] =
+{ 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
+ 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
+ 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
+ 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
+ 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
+ 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
+ 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
+ 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
+ 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
+ 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
+ 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
+ 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
+ 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
+ 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
+
+static const unsigned char entropy_source_nopr[] =
+{ 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
+ 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
+ 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
+ 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
+ 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
+ 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
+ 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
+ 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
+ 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
+ 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
+
+static const unsigned char pers_pr[] =
+{ 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
+ 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
+ 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
+ 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
+
+static const unsigned char pers_nopr[] =
+{ 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
+ 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
+ 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
+ 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
+
+static const unsigned char result_pr[] =
+{ 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
+ 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
+ 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
+ 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
+ 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
+ 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
+ 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
+ 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
+
+static const unsigned char result_nopr[] =
+{ 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
+ 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
+ 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
+ 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
+ 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
+ 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
+ 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
+ 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+static size_t test_offset;
+static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = data;
+ memcpy(buf, p + test_offset, len);
+ test_offset += len;
+ return 0;
+}
+
+#define CHK(c) if ((c) != 0) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ return 1; \
+ }
+
+#define SELF_TEST_OUTPUT_DISCARD_LENGTH 64
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ctr_drbg_self_test(int verbose)
+{
+ mbedtls_ctr_drbg_context ctx;
+ unsigned char buf[sizeof(result_pr)];
+
+ mbedtls_ctr_drbg_init(&ctx);
+
+ /*
+ * Based on a NIST CTR_DRBG test vector (PR = True)
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" CTR_DRBG (PR = TRUE) : ");
+ }
+
+ test_offset = 0;
+ mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+ mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+ CHK(mbedtls_ctr_drbg_seed(&ctx,
+ ctr_drbg_self_test_entropy,
+ (void *) entropy_source_pr,
+ pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE));
+ mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_pr)));
+ CHK(memcmp(buf, result_pr, sizeof(result_pr)));
+
+ mbedtls_ctr_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ /*
+ * Based on a NIST CTR_DRBG test vector (PR = FALSE)
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" CTR_DRBG (PR = FALSE): ");
+ }
+
+ mbedtls_ctr_drbg_init(&ctx);
+
+ test_offset = 0;
+ mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+ mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+ CHK(mbedtls_ctr_drbg_seed(&ctx,
+ ctr_drbg_self_test_entropy,
+ (void *) entropy_source_nopr,
+ pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE));
+ CHK(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_nopr)));
+ CHK(memcmp(buf, result_nopr, sizeof(result_nopr)));
+
+ mbedtls_ctr_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CTR_DRBG_C */
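Review bot: In `mbedtls_ctr_drbg_seed`, the non-`MBEDTLS_AES_C` branch stores the translated error in `ret` and then executes `return status;`, so a failed `ctr_drbg_setup_psa_context` hands the caller a raw `psa_status_t` where the rest of the API returns `MBEDTLS_ERR_*` codes; the line should be `return ret;`. Separately, in `mbedtls_ctr_drbg_reseed_internal` both `f_entropy` failure paths return directly and skip the `exit:` label, so `seed` is not wiped. The second of them runs after `entropy_len` bytes of entropy are already in the buffer. Replacing each with `ret = MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED; goto exit;` keeps `mbedtls_platform_zeroize(seed, sizeof(seed))` on every path.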
diff --git a/tf-psa-crypto/drivers/builtin/src/des.c b/tf-psa-crypto/drivers/builtin/src/des.c
new file mode 100644
index 0000000..f0032b3
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/des.c
@@ -0,0 +1,1042 @@
+/*
+ * FIPS-46-3 compliant Triple-DES implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * DES, on which TDES is based, was originally designed by Horst Feistel
+ * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
+ *
+ * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DES_C)
+
+#include "mbedtls/des.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_DES_ALT)
+
+/*
+ * Expanded DES S-boxes
+ */
+static const uint32_t SB1[64] =
+{
+ 0x01010400, 0x00000000, 0x00010000, 0x01010404,
+ 0x01010004, 0x00010404, 0x00000004, 0x00010000,
+ 0x00000400, 0x01010400, 0x01010404, 0x00000400,
+ 0x01000404, 0x01010004, 0x01000000, 0x00000004,
+ 0x00000404, 0x01000400, 0x01000400, 0x00010400,
+ 0x00010400, 0x01010000, 0x01010000, 0x01000404,
+ 0x00010004, 0x01000004, 0x01000004, 0x00010004,
+ 0x00000000, 0x00000404, 0x00010404, 0x01000000,
+ 0x00010000, 0x01010404, 0x00000004, 0x01010000,
+ 0x01010400, 0x01000000, 0x01000000, 0x00000400,
+ 0x01010004, 0x00010000, 0x00010400, 0x01000004,
+ 0x00000400, 0x00000004, 0x01000404, 0x00010404,
+ 0x01010404, 0x00010004, 0x01010000, 0x01000404,
+ 0x01000004, 0x00000404, 0x00010404, 0x01010400,
+ 0x00000404, 0x01000400, 0x01000400, 0x00000000,
+ 0x00010004, 0x00010400, 0x00000000, 0x01010004
+};
+
+static const uint32_t SB2[64] =
+{
+ 0x80108020, 0x80008000, 0x00008000, 0x00108020,
+ 0x00100000, 0x00000020, 0x80100020, 0x80008020,
+ 0x80000020, 0x80108020, 0x80108000, 0x80000000,
+ 0x80008000, 0x00100000, 0x00000020, 0x80100020,
+ 0x00108000, 0x00100020, 0x80008020, 0x00000000,
+ 0x80000000, 0x00008000, 0x00108020, 0x80100000,
+ 0x00100020, 0x80000020, 0x00000000, 0x00108000,
+ 0x00008020, 0x80108000, 0x80100000, 0x00008020,
+ 0x00000000, 0x00108020, 0x80100020, 0x00100000,
+ 0x80008020, 0x80100000, 0x80108000, 0x00008000,
+ 0x80100000, 0x80008000, 0x00000020, 0x80108020,
+ 0x00108020, 0x00000020, 0x00008000, 0x80000000,
+ 0x00008020, 0x80108000, 0x00100000, 0x80000020,
+ 0x00100020, 0x80008020, 0x80000020, 0x00100020,
+ 0x00108000, 0x00000000, 0x80008000, 0x00008020,
+ 0x80000000, 0x80100020, 0x80108020, 0x00108000
+};
+
+static const uint32_t SB3[64] =
+{
+ 0x00000208, 0x08020200, 0x00000000, 0x08020008,
+ 0x08000200, 0x00000000, 0x00020208, 0x08000200,
+ 0x00020008, 0x08000008, 0x08000008, 0x00020000,
+ 0x08020208, 0x00020008, 0x08020000, 0x00000208,
+ 0x08000000, 0x00000008, 0x08020200, 0x00000200,
+ 0x00020200, 0x08020000, 0x08020008, 0x00020208,
+ 0x08000208, 0x00020200, 0x00020000, 0x08000208,
+ 0x00000008, 0x08020208, 0x00000200, 0x08000000,
+ 0x08020200, 0x08000000, 0x00020008, 0x00000208,
+ 0x00020000, 0x08020200, 0x08000200, 0x00000000,
+ 0x00000200, 0x00020008, 0x08020208, 0x08000200,
+ 0x08000008, 0x00000200, 0x00000000, 0x08020008,
+ 0x08000208, 0x00020000, 0x08000000, 0x08020208,
+ 0x00000008, 0x00020208, 0x00020200, 0x08000008,
+ 0x08020000, 0x08000208, 0x00000208, 0x08020000,
+ 0x00020208, 0x00000008, 0x08020008, 0x00020200
+};
+
+static const uint32_t SB4[64] =
+{
+ 0x00802001, 0x00002081, 0x00002081, 0x00000080,
+ 0x00802080, 0x00800081, 0x00800001, 0x00002001,
+ 0x00000000, 0x00802000, 0x00802000, 0x00802081,
+ 0x00000081, 0x00000000, 0x00800080, 0x00800001,
+ 0x00000001, 0x00002000, 0x00800000, 0x00802001,
+ 0x00000080, 0x00800000, 0x00002001, 0x00002080,
+ 0x00800081, 0x00000001, 0x00002080, 0x00800080,
+ 0x00002000, 0x00802080, 0x00802081, 0x00000081,
+ 0x00800080, 0x00800001, 0x00802000, 0x00802081,
+ 0x00000081, 0x00000000, 0x00000000, 0x00802000,
+ 0x00002080, 0x00800080, 0x00800081, 0x00000001,
+ 0x00802001, 0x00002081, 0x00002081, 0x00000080,
+ 0x00802081, 0x00000081, 0x00000001, 0x00002000,
+ 0x00800001, 0x00002001, 0x00802080, 0x00800081,
+ 0x00002001, 0x00002080, 0x00800000, 0x00802001,
+ 0x00000080, 0x00800000, 0x00002000, 0x00802080
+};
+
+static const uint32_t SB5[64] =
+{
+ 0x00000100, 0x02080100, 0x02080000, 0x42000100,
+ 0x00080000, 0x00000100, 0x40000000, 0x02080000,
+ 0x40080100, 0x00080000, 0x02000100, 0x40080100,
+ 0x42000100, 0x42080000, 0x00080100, 0x40000000,
+ 0x02000000, 0x40080000, 0x40080000, 0x00000000,
+ 0x40000100, 0x42080100, 0x42080100, 0x02000100,
+ 0x42080000, 0x40000100, 0x00000000, 0x42000000,
+ 0x02080100, 0x02000000, 0x42000000, 0x00080100,
+ 0x00080000, 0x42000100, 0x00000100, 0x02000000,
+ 0x40000000, 0x02080000, 0x42000100, 0x40080100,
+ 0x02000100, 0x40000000, 0x42080000, 0x02080100,
+ 0x40080100, 0x00000100, 0x02000000, 0x42080000,
+ 0x42080100, 0x00080100, 0x42000000, 0x42080100,
+ 0x02080000, 0x00000000, 0x40080000, 0x42000000,
+ 0x00080100, 0x02000100, 0x40000100, 0x00080000,
+ 0x00000000, 0x40080000, 0x02080100, 0x40000100
+};
+
+static const uint32_t SB6[64] =
+{
+ 0x20000010, 0x20400000, 0x00004000, 0x20404010,
+ 0x20400000, 0x00000010, 0x20404010, 0x00400000,
+ 0x20004000, 0x00404010, 0x00400000, 0x20000010,
+ 0x00400010, 0x20004000, 0x20000000, 0x00004010,
+ 0x00000000, 0x00400010, 0x20004010, 0x00004000,
+ 0x00404000, 0x20004010, 0x00000010, 0x20400010,
+ 0x20400010, 0x00000000, 0x00404010, 0x20404000,
+ 0x00004010, 0x00404000, 0x20404000, 0x20000000,
+ 0x20004000, 0x00000010, 0x20400010, 0x00404000,
+ 0x20404010, 0x00400000, 0x00004010, 0x20000010,
+ 0x00400000, 0x20004000, 0x20000000, 0x00004010,
+ 0x20000010, 0x20404010, 0x00404000, 0x20400000,
+ 0x00404010, 0x20404000, 0x00000000, 0x20400010,
+ 0x00000010, 0x00004000, 0x20400000, 0x00404010,
+ 0x00004000, 0x00400010, 0x20004010, 0x00000000,
+ 0x20404000, 0x20000000, 0x00400010, 0x20004010
+};
+
+static const uint32_t SB7[64] =
+{
+ 0x00200000, 0x04200002, 0x04000802, 0x00000000,
+ 0x00000800, 0x04000802, 0x00200802, 0x04200800,
+ 0x04200802, 0x00200000, 0x00000000, 0x04000002,
+ 0x00000002, 0x04000000, 0x04200002, 0x00000802,
+ 0x04000800, 0x00200802, 0x00200002, 0x04000800,
+ 0x04000002, 0x04200000, 0x04200800, 0x00200002,
+ 0x04200000, 0x00000800, 0x00000802, 0x04200802,
+ 0x00200800, 0x00000002, 0x04000000, 0x00200800,
+ 0x04000000, 0x00200800, 0x00200000, 0x04000802,
+ 0x04000802, 0x04200002, 0x04200002, 0x00000002,
+ 0x00200002, 0x04000000, 0x04000800, 0x00200000,
+ 0x04200800, 0x00000802, 0x00200802, 0x04200800,
+ 0x00000802, 0x04000002, 0x04200802, 0x04200000,
+ 0x00200800, 0x00000000, 0x00000002, 0x04200802,
+ 0x00000000, 0x00200802, 0x04200000, 0x00000800,
+ 0x04000002, 0x04000800, 0x00000800, 0x00200002
+};
+
+static const uint32_t SB8[64] =
+{
+ 0x10001040, 0x00001000, 0x00040000, 0x10041040,
+ 0x10000000, 0x10001040, 0x00000040, 0x10000000,
+ 0x00040040, 0x10040000, 0x10041040, 0x00041000,
+ 0x10041000, 0x00041040, 0x00001000, 0x00000040,
+ 0x10040000, 0x10000040, 0x10001000, 0x00001040,
+ 0x00041000, 0x00040040, 0x10040040, 0x10041000,
+ 0x00001040, 0x00000000, 0x00000000, 0x10040040,
+ 0x10000040, 0x10001000, 0x00041040, 0x00040000,
+ 0x00041040, 0x00040000, 0x10041000, 0x00001000,
+ 0x00000040, 0x10040040, 0x00001000, 0x00041040,
+ 0x10001000, 0x00000040, 0x10000040, 0x10040000,
+ 0x10040040, 0x10000000, 0x00040000, 0x10001040,
+ 0x00000000, 0x10041040, 0x00040040, 0x10000040,
+ 0x10040000, 0x10001000, 0x10001040, 0x00000000,
+ 0x10041040, 0x00041000, 0x00041000, 0x00001040,
+ 0x00001040, 0x00040040, 0x10000000, 0x10041000
+};
+
+/*
+ * PC1: left and right halves bit-swap
+ */
+static const uint32_t LHs[16] =
+{
+ 0x00000000, 0x00000001, 0x00000100, 0x00000101,
+ 0x00010000, 0x00010001, 0x00010100, 0x00010101,
+ 0x01000000, 0x01000001, 0x01000100, 0x01000101,
+ 0x01010000, 0x01010001, 0x01010100, 0x01010101
+};
+
+static const uint32_t RHs[16] =
+{
+ 0x00000000, 0x01000000, 0x00010000, 0x01010000,
+ 0x00000100, 0x01000100, 0x00010100, 0x01010100,
+ 0x00000001, 0x01000001, 0x00010001, 0x01010001,
+ 0x00000101, 0x01000101, 0x00010101, 0x01010101,
+};
+
+/*
+ * Initial Permutation macro
+ */
+#define DES_IP(X, Y) \
+ do \
+ { \
+ T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
+ T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+ T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
+ T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
+ (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
+ T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
+ (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
+ } while (0)
+
+/*
+ * Final Permutation macro
+ */
+#define DES_FP(X, Y) \
+ do \
+ { \
+ (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
+ T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
+ (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
+ T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
+ T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
+ T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+ T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
+ } while (0)
+
+/*
+ * DES round macro
+ */
+#define DES_ROUND(X, Y) \
+ do \
+ { \
+ T = *SK++ ^ (X); \
+ (Y) ^= SB8[(T) & 0x3F] ^ \
+ SB6[(T >> 8) & 0x3F] ^ \
+ SB4[(T >> 16) & 0x3F] ^ \
+ SB2[(T >> 24) & 0x3F]; \
+ \
+ T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
+ (Y) ^= SB7[(T) & 0x3F] ^ \
+ SB5[(T >> 8) & 0x3F] ^ \
+ SB3[(T >> 16) & 0x3F] ^ \
+ SB1[(T >> 24) & 0x3F]; \
+ } while (0)
+
+#define SWAP(a, b) \
+ do \
+ { \
+ uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
+ } while (0)
+
+void mbedtls_des_init(mbedtls_des_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_des_context));
+}
+
+void mbedtls_des_free(mbedtls_des_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
+}
+
+void mbedtls_des3_init(mbedtls_des3_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_des3_context));
+}
+
+void mbedtls_des3_free(mbedtls_des3_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
+}
+
+static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
+ 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
+ 35, 37, 38, 41, 42, 44,
+ 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
+ 70, 73, 74, 76, 79, 81,
+ 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
+ 104, 107, 109, 110, 112,
+ 115, 117, 118, 121, 122, 124, 127, 128, 131,
+ 133, 134, 137, 138, 140,
+ 143, 145, 146, 148, 151, 152, 155, 157, 158,
+ 161, 162, 164, 167, 168,
+ 171, 173, 174, 176, 179, 181, 182, 185, 186,
+ 188, 191, 193, 194, 196,
+ 199, 200, 203, 205, 206, 208, 211, 213, 214,
+ 217, 218, 220, 223, 224,
+ 227, 229, 230, 233, 234, 236, 239, 241, 242,
+ 244, 247, 248, 251, 253,
+ 254 };
+
+void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
+ key[i] = odd_parity_table[key[i] / 2];
+ }
+}
+
+/*
+ * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
+ */
+int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
+ if (key[i] != odd_parity_table[key[i] / 2]) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Table of weak and semi-weak keys
+ *
+ * Source: http://en.wikipedia.org/wiki/Weak_key
+ *
+ * Weak:
+ * Alternating ones + zeros (0x0101010101010101)
+ * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
+ * '0xE0E0E0E0F1F1F1F1'
+ * '0x1F1F1F1F0E0E0E0E'
+ *
+ * Semi-weak:
+ * 0x011F011F010E010E and 0x1F011F010E010E01
+ * 0x01E001E001F101F1 and 0xE001E001F101F101
+ * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
+ * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
+ * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
+ * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
+ *
+ */
+
+#define WEAK_KEY_COUNT 16
+
+static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
+{
+ { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+ { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
+ { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
+ { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
+
+ { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
+ { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
+ { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
+ { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
+ { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
+ { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
+ { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
+ { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
+ { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
+ { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
+ { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
+ { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
+};
+
+int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < WEAK_KEY_COUNT; i++) {
+ if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_DES_SETKEY_ALT)
+void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+ uint32_t X, Y, T;
+
+ X = MBEDTLS_GET_UINT32_BE(key, 0);
+ Y = MBEDTLS_GET_UINT32_BE(key, 4);
+
+ /*
+ * Permuted Choice 1
+ */
+ T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
+ T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T);
+
+ X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2)
+ | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
+ | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
+ | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
+
+ Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2)
+ | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
+ | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
+ | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
+
+ X &= 0x0FFFFFFF;
+ Y &= 0x0FFFFFFF;
+
+ /*
+ * calculate subkeys
+ */
+ for (i = 0; i < 16; i++) {
+ if (i < 2 || i == 8 || i == 15) {
+ X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
+ Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
+ } else {
+ X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
+ Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
+ }
+
+ *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
+ | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
+ | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
+ | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
+ | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
+ | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
+ | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
+ | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
+ | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
+ | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
+ | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
+
+ *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
+ | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
+ | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
+ | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
+ | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
+ | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
+ | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
+ | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
+ | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100)
+ | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
+ | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
+ }
+}
+#endif /* !MBEDTLS_DES_SETKEY_ALT */
+
+/*
+ * DES key schedule (56-bit, encryption)
+ */
+int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ mbedtls_des_setkey(ctx->sk, key);
+
+ return 0;
+}
+
+/*
+ * DES key schedule (56-bit, decryption)
+ */
+int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ mbedtls_des_setkey(ctx->sk, key);
+
+ for (i = 0; i < 16; i += 2) {
+ SWAP(ctx->sk[i], ctx->sk[30 - i]);
+ SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
+ }
+
+ return 0;
+}
+
+static void des3_set2key(uint32_t esk[96],
+ uint32_t dsk[96],
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
+{
+ int i;
+
+ mbedtls_des_setkey(esk, key);
+ mbedtls_des_setkey(dsk + 32, key + 8);
+
+ for (i = 0; i < 32; i += 2) {
+ dsk[i] = esk[30 - i];
+ dsk[i + 1] = esk[31 - i];
+
+ esk[i + 32] = dsk[62 - i];
+ esk[i + 33] = dsk[63 - i];
+
+ esk[i + 64] = esk[i];
+ esk[i + 65] = esk[i + 1];
+
+ dsk[i + 64] = dsk[i];
+ dsk[i + 65] = dsk[i + 1];
+ }
+}
+
+/*
+ * Triple-DES key schedule (112-bit, encryption)
+ */
+int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
+{
+ uint32_t sk[96];
+
+ des3_set2key(ctx->sk, sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * Triple-DES key schedule (112-bit, decryption)
+ */
+int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
+{
+ uint32_t sk[96];
+
+ des3_set2key(sk, ctx->sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+static void des3_set3key(uint32_t esk[96],
+ uint32_t dsk[96],
+ const unsigned char key[24])
+{
+ int i;
+
+ mbedtls_des_setkey(esk, key);
+ mbedtls_des_setkey(dsk + 32, key + 8);
+ mbedtls_des_setkey(esk + 64, key + 16);
+
+ for (i = 0; i < 32; i += 2) {
+ dsk[i] = esk[94 - i];
+ dsk[i + 1] = esk[95 - i];
+
+ esk[i + 32] = dsk[62 - i];
+ esk[i + 33] = dsk[63 - i];
+
+ dsk[i + 64] = esk[30 - i];
+ dsk[i + 65] = esk[31 - i];
+ }
+}
+
+/*
+ * Triple-DES key schedule (168-bit, encryption)
+ */
+int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
+{
+ uint32_t sk[96];
+
+ des3_set3key(ctx->sk, sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * Triple-DES key schedule (168-bit, decryption)
+ */
+int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
+{
+ uint32_t sk[96];
+
+ des3_set3key(sk, ctx->sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8])
+{
+ int i;
+ uint32_t X, Y, T, *SK;
+
+ SK = ctx->sk;
+
+ X = MBEDTLS_GET_UINT32_BE(input, 0);
+ Y = MBEDTLS_GET_UINT32_BE(input, 4);
+
+ DES_IP(X, Y);
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ DES_FP(Y, X);
+
+ MBEDTLS_PUT_UINT32_BE(Y, output, 0);
+ MBEDTLS_PUT_UINT32_BE(X, output, 4);
+
+ return 0;
+}
+#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[8];
+
+ if (length % 8) {
+ return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_DES_ENCRYPT) {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 8);
+
+ ret = mbedtls_des_crypt_ecb(ctx, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(iv, output, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ } else { /* MBEDTLS_DES_DECRYPT */
+ while (length > 0) {
+ memcpy(temp, input, 8);
+ ret = mbedtls_des_crypt_ecb(ctx, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(output, output, iv, 8);
+
+ memcpy(iv, temp, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * 3DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8])
+{
+ int i;
+ uint32_t X, Y, T, *SK;
+
+ SK = ctx->sk;
+
+ X = MBEDTLS_GET_UINT32_BE(input, 0);
+ Y = MBEDTLS_GET_UINT32_BE(input, 4);
+
+ DES_IP(X, Y);
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(X, Y);
+ DES_ROUND(Y, X);
+ }
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ DES_FP(Y, X);
+
+ MBEDTLS_PUT_UINT32_BE(Y, output, 0);
+ MBEDTLS_PUT_UINT32_BE(X, output, 4);
+
+ return 0;
+}
+#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * 3DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[8];
+
+ if (length % 8) {
+ return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_DES_ENCRYPT) {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 8);
+
+ ret = mbedtls_des3_crypt_ecb(ctx, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(iv, output, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ } else { /* MBEDTLS_DES_DECRYPT */
+ while (length > 0) {
+ memcpy(temp, input, 8);
+ ret = mbedtls_des3_crypt_ecb(ctx, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(output, output, iv, 8);
+
+ memcpy(iv, temp, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* !MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * DES and 3DES test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
+ */
+static const unsigned char des3_test_keys[24] =
+{
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+ 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
+ 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
+};
+
+static const unsigned char des3_test_buf[8] =
+{
+ 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
+};
+
+static const unsigned char des3_test_ecb_dec[3][8] =
+{
+ { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
+ { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
+ { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
+};
+
+static const unsigned char des3_test_ecb_enc[3][8] =
+{
+ { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
+ { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
+ { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char des3_test_iv[8] =
+{
+ 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
+};
+
+static const unsigned char des3_test_cbc_dec[3][8] =
+{
+ { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
+ { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
+ { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
+};
+
+static const unsigned char des3_test_cbc_enc[3][8] =
+{
+ { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
+ { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
+ { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_des_self_test(int verbose)
+{
+ int i, j, u, v, ret = 0;
+ mbedtls_des_context ctx;
+ mbedtls_des3_context ctx3;
+ unsigned char buf[8];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char prv[8];
+ unsigned char iv[8];
+#endif
+
+ mbedtls_des_init(&ctx);
+ mbedtls_des3_init(&ctx3);
+ /*
+ * ECB mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" DES%c-ECB-%3d (%s): ",
+ (u == 0) ? ' ' : '3', 56 + u * 56,
+ (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(buf, des3_test_buf, 8);
+
+ switch (i) {
+ case 0:
+ ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
+ break;
+
+ case 1:
+ ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
+ break;
+
+ case 2:
+ ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 3:
+ ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
+ break;
+
+ case 4:
+ ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 5:
+ ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
+ break;
+
+ default:
+ return 1;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 100; j++) {
+ if (u == 0) {
+ ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if ((v == MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
+ (v != MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" DES%c-CBC-%3d (%s): ",
+ (u == 0) ? ' ' : '3', 56 + u * 56,
+ (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, des3_test_iv, 8);
+ memcpy(prv, des3_test_iv, 8);
+ memcpy(buf, des3_test_buf, 8);
+
+ switch (i) {
+ case 0:
+ ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
+ break;
+
+ case 1:
+ ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
+ break;
+
+ case 2:
+ ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 3:
+ ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
+ break;
+
+ case 4:
+ ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 5:
+ ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
+ break;
+
+ default:
+ return 1;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (v == MBEDTLS_DES_DECRYPT) {
+ for (j = 0; j < 100; j++) {
+ if (u == 0) {
+ ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ } else {
+ for (j = 0; j < 100; j++) {
+ unsigned char tmp[8];
+
+ if (u == 0) {
+ ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ memcpy(tmp, prv, 8);
+ memcpy(prv, buf, 8);
+ memcpy(buf, tmp, 8);
+ }
+
+ memcpy(buf, prv, 8);
+ }
+
+ if ((v == MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
+ (v != MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+exit:
+ mbedtls_des_free(&ctx);
+ mbedtls_des3_free(&ctx3);
+
+ if (ret != 0) {
+ ret = 1;
+ }
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DES_C */
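Review bot: The `t = 0;` that ends the `SWAP` macro is a dead store, so a compiler is free to drop it, and the round-key word copied into `t` by `mbedtls_des_setkey_dec` is not reliably cleared. The rest of this file wipes key-schedule temporaries with `mbedtls_platform_zeroize` (for example the local `sk` in `mbedtls_des3_set2key_enc`), and the macro body could do the same: `uint32_t t = (a); (a) = (b); (b) = t; mbedtls_platform_zeroize(&t, sizeof(t));`. The `X`, `Y` and `T` locals in `mbedtls_des_setkey` are in the same position, since they still hold the permuted key halves when the function returns. Separately, `default: return 1;` in both switches of `mbedtls_des_self_test` skips the `exit:` label; `ret = 1; goto exit;` would keep the `mbedtls_des_free`/`mbedtls_des3_free` cleanup on every path.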
diff --git a/tf-psa-crypto/drivers/builtin/src/dhm.c b/tf-psa-crypto/drivers/builtin/src/dhm.c
new file mode 100644
index 0000000..75af8b7
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/dhm.c
@@ -0,0 +1,709 @@
+/*
+ * Diffie-Hellman-Merkle key exchange
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the Diffie-Hellman-Merkle algorithm:
+ *
+ * [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ * Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum(mbedtls_mpi *X,
+ unsigned char **p,
+ const unsigned char *end)
+{
+ int ret, n;
+
+ if (end - *p < 2) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
+ (*p) += 2;
+
+ if ((size_t) (end - *p) < (size_t) n) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
+ }
+
+ (*p) += n;
+
+ return 0;
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ * public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range(const mbedtls_mpi *param, const mbedtls_mpi *P)
+{
+ mbedtls_mpi U;
+ int ret = 0;
+
+ mbedtls_mpi_init(&U);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
+
+ if (mbedtls_mpi_cmp_int(param, 2) < 0 ||
+ mbedtls_mpi_cmp_mpi(param, &U) > 0) {
+ ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&U);
+ return ret;
+}
+
+void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_dhm_context));
+}
+
+size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
+{
+ return mbedtls_mpi_bitlen(&ctx->P);
+}
+
+size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
+{
+ return mbedtls_mpi_size(&ctx->P);
+}
+
+int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
+ mbedtls_dhm_parameter param,
+ mbedtls_mpi *dest)
+{
+ const mbedtls_mpi *src = NULL;
+ switch (param) {
+ case MBEDTLS_DHM_PARAM_P:
+ src = &ctx->P;
+ break;
+ case MBEDTLS_DHM_PARAM_G:
+ src = &ctx->G;
+ break;
+ case MBEDTLS_DHM_PARAM_X:
+ src = &ctx->X;
+ break;
+ case MBEDTLS_DHM_PARAM_GX:
+ src = &ctx->GX;
+ break;
+ case MBEDTLS_DHM_PARAM_GY:
+ src = &ctx->GY;
+ break;
+ case MBEDTLS_DHM_PARAM_K:
+ src = &ctx->K;
+ break;
+ default:
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_copy(dest, src);
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
+ unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 ||
+ (ret = dhm_read_bignum(&ctx->G, p, end)) != 0 ||
+ (ret = dhm_read_bignum(&ctx->GY, p, end)) != 0) {
+ return ret;
+ }
+
+ if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Pick a random R in the range [2, M-2] for blinding or key generation.
+ */
+static int dhm_random_below(mbedtls_mpi *R, const mbedtls_mpi *M,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
+
+cleanup:
+ return ret;
+}
+
+static int dhm_make_common(mbedtls_dhm_context *ctx, int x_size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = 0;
+
+ if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+ if (x_size < 0) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((unsigned) x_size < mbedtls_mpi_size(&ctx->P)) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
+ } else {
+ /* Generate X as large as possible ( <= P - 2 ) */
+ ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /*
+ * Calculate GX = G^X mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
+ &ctx->P, &ctx->RP));
+
+ if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0) {
+ return ret;
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret;
+ size_t n1, n2, n3;
+ unsigned char *p;
+
+ ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+ * not required". We omit leading zeros for compactness.
+ */
+#define DHM_MPI_EXPORT(X, n) \
+ do { \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), \
+ p + 2, \
+ (n))); \
+ *p++ = MBEDTLS_BYTE_1(n); \
+ *p++ = MBEDTLS_BYTE_0(n); \
+ p += (n); \
+ } while (0)
+
+ n1 = mbedtls_mpi_size(&ctx->P);
+ n2 = mbedtls_mpi_size(&ctx->G);
+ n3 = mbedtls_mpi_size(&ctx->GX);
+
+ p = output;
+ DHM_MPI_EXPORT(&ctx->P, n1);
+ DHM_MPI_EXPORT(&ctx->G, n2);
+ DHM_MPI_EXPORT(&ctx->GX, n3);
+
+ *olen = (size_t) (p - output);
+
+cleanup:
+ if (ret != 0 && ret > -128) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
+ }
+ return ret;
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
+ const mbedtls_mpi *P,
+ const mbedtls_mpi *G)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
+ const unsigned char *input, size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ilen < 1 || ilen > mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret;
+
+ if (olen < 1 || olen > mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
+ if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) {
+ return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
+ }
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
+
+cleanup:
+ if (ret != 0 && ret > -128) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
+ }
+ return ret;
+}
+
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ * Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding(mbedtls_dhm_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init(&R);
+
+ /*
+ * Don't use any blinding the first time a particular X is used,
+ * but remember it to use blinding next time.
+ */
+ if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
+
+ return 0;
+ }
+
+ /*
+ * Ok, we need blinding. Can we re-use existing values?
+ * If yes, just update them by squaring them.
+ */
+ if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+ return 0;
+ }
+
+ /*
+ * We need to generate blinding values from scratch
+ */
+
+ /* Vi = random( 2, P-2 ) */
+ MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
+
+ /* Vf = Vi^-X mod P
+ * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+ * then elevate to the Xth power. */
+ MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
+
+cleanup:
+ mbedtls_mpi_free(&R);
+
+ return ret;
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
+ unsigned char *output, size_t output_size, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi GYb;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if (output_size < mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
+ return ret;
+ }
+
+ mbedtls_mpi_init(&GYb);
+
+ /* Blind peer's value */
+ MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
+
+ /* Do modular exponentiation */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
+ &ctx->P, &ctx->RP));
+
+ /* Unblind secret value */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
+
+ /* Output the secret without any leading zero byte. This is mandatory
+ * for TLS per RFC 5246 §8.1.2. */
+ *olen = mbedtls_mpi_size(&ctx->K);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
+
+cleanup:
+ mbedtls_mpi_free(&GYb);
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->pX);
+ mbedtls_mpi_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->Vi);
+ mbedtls_mpi_free(&ctx->RP);
+ mbedtls_mpi_free(&ctx->K);
+ mbedtls_mpi_free(&ctx->GY);
+ mbedtls_mpi_free(&ctx->GX);
+ mbedtls_mpi_free(&ctx->X);
+ mbedtls_mpi_free(&ctx->G);
+ mbedtls_mpi_free(&ctx->P);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+ size_t dhminlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (dhminlen == 0 || dhmin[dhminlen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN DH PARAMETERS-----",
+ "-----END DH PARAMETERS-----",
+ dhmin, NULL, 0, &dhminlen);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ dhminlen = pem.buflen;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ goto exit;
+ }
+
+ p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
+#else
+ p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+ end = p + dhminlen;
+
+ /*
+ * DHParams ::= SEQUENCE {
+ * prime INTEGER, -- P
+ * generator INTEGER, -- g
+ * privateValueLength INTEGER OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 ||
+ (ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+
+ if (p != end) {
+ /* This might be the optional privateValueLength.
+ * If so, we can cleanly discard it */
+ mbedtls_mpi rec;
+ mbedtls_mpi_init(&rec);
+ ret = mbedtls_asn1_get_mpi(&p, end, &rec);
+ mbedtls_mpi_free(&rec);
+ if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+ if (p != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto exit;
+ }
+ }
+
+ ret = 0;
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_free(&pem);
+#endif
+ if (ret != 0) {
+ mbedtls_dhm_free(dhm);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file(const char *path, unsigned char **buf, size_t *n)
+{
+ FILE *f;
+ long size;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+ /* The data loaded here is public, so don't bother disabling buffering. */
+
+ fseek(f, 0, SEEK_END);
+ if ((size = ftell(f)) == -1) {
+ fclose(f);
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+ fseek(f, 0, SEEK_SET);
+
+ *n = (size_t) size;
+
+ if (*n + 1 == 0 ||
+ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
+ fclose(f);
+ return MBEDTLS_ERR_DHM_ALLOC_FAILED;
+ }
+
+ if (fread(*buf, 1, *n, f) != *n) {
+ fclose(f);
+
+ mbedtls_zeroize_and_free(*buf, *n + 1);
+
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+
+ fclose(f);
+
+ (*buf)[*n] = '\0';
+
+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
+ ++*n;
+ }
+
+ return 0;
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+static const char mbedtls_test_dhm_params[] =
+ "-----BEGIN DH PARAMETERS-----\r\n"
+ "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+ "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+ "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+ "-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+ 0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+ 0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+ 0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+ 0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+ 0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+ 0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+ 0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+ 0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+ 0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+ 0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+ 0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+ 0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
+};
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_dhm_context dhm;
+
+ mbedtls_dhm_init(&dhm);
+
+ if (verbose != 0) {
+ mbedtls_printf(" DHM parameter load: ");
+ }
+
+ if ((ret = mbedtls_dhm_parse_dhm(&dhm,
+ (const unsigned char *) mbedtls_test_dhm_params,
+ mbedtls_test_dhm_params_len)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n\n");
+ }
+
+exit:
+ mbedtls_dhm_free(&dhm);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/ecdh.c b/tf-psa-crypto/drivers/builtin/src/ecdh.c
new file mode 100644
index 0000000..b276c6a
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecdh.c
@@ -0,0 +1,694 @@
+/*
+ * Elliptic curve Diffie-Hellman
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ * RFC 4492
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+ const mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ctx->grp.id;
+#else
+ return ctx->grp_id;
+#endif
+}
+
+int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)
+{
+ /* At this time, all groups support ECDH. */
+ (void) gid;
+ return 1;
+}
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ int restarting = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
+#endif
+ /* If multiplication is in progress, we already generated a privkey */
+ if (!restarting) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
+ f_rng, p_rng, rs_ctx));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate public key
+ */
+int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *z,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point P;
+
+ mbedtls_ecp_point_init(&P);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
+ f_rng, p_rng, rs_ctx));
+
+ if (mbedtls_ecp_is_zero(&P)) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
+
+cleanup:
+ mbedtls_ecp_point_free(&P);
+
+ return ret;
+}
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecdh_compute_shared_restartable(grp, z, Q, d,
+ f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx)
+{
+ mbedtls_ecp_group_init(&ctx->grp);
+ mbedtls_mpi_init(&ctx->d);
+ mbedtls_ecp_point_init(&ctx->Q);
+ mbedtls_ecp_point_init(&ctx->Qp);
+ mbedtls_mpi_init(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_init(&ctx->rs);
+#endif
+}
+
+mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ctx->MBEDTLS_PRIVATE(grp).id;
+#else
+ return ctx->MBEDTLS_PRIVATE(grp_id);
+#endif
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ ecdh_init_internal(ctx);
+ mbedtls_ecp_point_init(&ctx->Vi);
+ mbedtls_ecp_point_init(&ctx->Vf);
+ mbedtls_mpi_init(&ctx->_d);
+#else
+ memset(ctx, 0, sizeof(mbedtls_ecdh_context));
+
+ ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
+ mbedtls_ecp_group_id grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
+ if (ret != 0) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_setup_internal(ctx, grp_id);
+#else
+ switch (grp_id) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
+ ctx->grp_id = grp_id;
+ return mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id);
+#endif
+ default:
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+ ctx->grp_id = grp_id;
+ ecdh_init_internal(&ctx->ctx.mbed_ecdh);
+ return ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id);
+ }
+#endif
+}
+
+static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx)
+{
+ mbedtls_ecp_group_free(&ctx->grp);
+ mbedtls_mpi_free(&ctx->d);
+ mbedtls_ecp_point_free(&ctx->Q);
+ mbedtls_ecp_point_free(&ctx->Qp);
+ mbedtls_mpi_free(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_free(&ctx->rs);
+#endif
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Enable restartable operations for context
+ */
+void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)
+{
+ ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ mbedtls_ecp_point_free(&ctx->Vi);
+ mbedtls_ecp_point_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->_d);
+ ecdh_free_internal(ctx);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ mbedtls_everest_free(&ctx->ctx.everest_ecdh);
+ break;
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ ecdh_free_internal(&ctx->ctx.mbed_ecdh);
+ break;
+ default:
+ break;
+ }
+
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+ ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, int point_format,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng, rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
+ blen)) != 0) {
+ return ret;
+ }
+
+ buf += grp_len;
+ blen -= grp_len;
+
+ if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
+ &pt_len, buf, blen)) != 0) {
+ return ret;
+ }
+
+ *olen = grp_len + pt_len;
+ return 0;
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters (RFC 4492)
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
+ f_rng, p_rng, restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
+ ctx->point_format, buf, blen,
+ f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ const unsigned char **buf,
+ const unsigned char *end)
+{
+ return mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
+ (size_t) (end - *buf));
+}
+
+/*
+ * Read the ServerKeyExchange parameters (RFC 4492)
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
+ const unsigned char **buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+ if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, (size_t) (end - *buf)))
+ != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_read_params_internal(ctx, buf, end);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
+ buf, end);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
+ buf, end);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* If it's not our key, just import the public part as Qp */
+ if (side == MBEDTLS_ECDH_THEIRS) {
+ return mbedtls_ecp_copy(&ctx->Qp, &key->Q);
+ }
+
+ /* Our key: import public (as Q) and private parts */
+ if (side != MBEDTLS_ECDH_OURS) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (side != MBEDTLS_ECDH_OURS && side != MBEDTLS_ECDH_THEIRS) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
+ /* This is the first call to get_params(). Set up the context
+ * for use with the group. */
+ if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0) {
+ return ret;
+ }
+ } else {
+ /* This is not the first call to get_params(). Check that the
+ * current key's group is the same as the context's, which was set
+ * from the first key's group. */
+ if (mbedtls_ecdh_grp_id(ctx) != key->grp.id) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_get_params_internal(ctx, key, side);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ {
+ mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
+ MBEDTLS_EVEREST_ECDH_OURS :
+ MBEDTLS_EVEREST_ECDH_THEIRS;
+ return mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
+ key, s);
+ }
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
+ key, side);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, int point_format,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng, rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
+ buf, blen);
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
+ f_rng, p_rng, restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
+ ctx->point_format, buf, blen,
+ f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
+ const unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+
+ if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
+ blen)) != 0) {
+ return ret;
+ }
+
+ if ((size_t) (p - buf) != blen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
+ const unsigned char *buf, size_t blen)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_read_public_internal(ctx, buf, blen);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
+ buf, blen);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
+ buf, blen);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, unsigned char *buf,
+ size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx == NULL || ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
+ &ctx->d, f_rng, p_rng,
+ rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
+ &ctx->d, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ if (mbedtls_mpi_size(&ctx->z) > blen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
+
+ if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
+ }
+
+ return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
+ restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
+ blen, f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
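Review bot: In `ecdh_calc_secret_internal` the output-buffer guard tests `mbedtls_mpi_size(&ctx->z) > blen`, but the write that follows is sized by `*olen`, the curve byte length derived from `ctx->grp.pbits`. When the shared value z has leading zero bytes, its MPI size is smaller than `*olen`, so a caller buffer with `mbedtls_mpi_size(z) <= blen < *olen` passes the guard. `mbedtls_mpi_write_binary` / `mbedtls_mpi_write_binary_le` are then asked to fill `*olen` bytes of a `blen`-byte buffer; as far as I know both pad to the requested length rather than stopping at the MPI size, which would make this an out-of-bounds write. The guard should test the length actually written: move the `*olen = ...` computation above the check and replace the check with `if (blen < *olen) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; }`. A one-line comment there noting that the secret is always exported at full curve length would also help callers size `buf` correctly.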
diff --git a/tf-psa-crypto/drivers/builtin/src/ecdsa.c b/tf-psa-crypto/drivers/builtin/src/ecdsa.c
new file mode 100644
index 0000000..2f7a996
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecdsa.c
@@ -0,0 +1,867 @@
+/*
+ * Elliptic curve DSA
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECDSA_C)
+
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver {
+ mbedtls_mpi u1, u2; /* intermediate values */
+ enum { /* what to do next? */
+ ecdsa_ver_init = 0, /* getting started */
+ ecdsa_ver_muladd, /* muladd step */
+ } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx *ctx)
+{
+ mbedtls_mpi_init(&ctx->u1);
+ mbedtls_mpi_init(&ctx->u2);
+ ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->u1);
+ mbedtls_mpi_free(&ctx->u2);
+
+ ecdsa_restart_ver_init(ctx);
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig {
+ int sign_tries;
+ int key_tries;
+ mbedtls_mpi k; /* per-signature random */
+ mbedtls_mpi r; /* r value */
+ enum { /* what to do next? */
+ ecdsa_sig_init = 0, /* getting started */
+ ecdsa_sig_mul, /* doing ecp_mul() */
+ ecdsa_sig_modn, /* mod N computations */
+ } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx *ctx)
+{
+ ctx->sign_tries = 0;
+ ctx->key_tries = 0;
+ mbedtls_mpi_init(&ctx->k);
+ mbedtls_mpi_init(&ctx->r);
+ ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->k);
+ mbedtls_mpi_free(&ctx->r);
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det {
+ mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */
+ enum { /* what to do next? */
+ ecdsa_det_init = 0, /* getting started */
+ ecdsa_det_sign, /* make signature */
+ } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx *ctx)
+{
+ mbedtls_hmac_drbg_init(&ctx->rng_ctx);
+ ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_hmac_drbg_free(&ctx->rng_ctx);
+
+ ecdsa_restart_det_init(ctx);
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP (rs_ctx == NULL ? NULL : &rs_ctx->ecp)
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET(ops) \
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, ECDSA_RS_ECP, ops));
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER(SUB) do { \
+ /* reset ops count for this call if top-level */ \
+ if (rs_ctx != NULL && rs_ctx->ecp.depth++ == 0) \
+ rs_ctx->ecp.ops_done = 0; \
+ \
+ /* set up our own sub-context if needed */ \
+ if (mbedtls_ecp_restart_is_enabled() && \
+ rs_ctx != NULL && rs_ctx->SUB == NULL) \
+ { \
+ rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
+ if (rs_ctx->SUB == NULL) \
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
+ \
+ ecdsa_restart_## SUB ##_init(rs_ctx->SUB); \
+ } \
+} while (0)
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE(SUB) do { \
+ /* clear our sub-context when not in progress (done or error) */ \
+ if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
+ { \
+ ecdsa_restart_## SUB ##_free(rs_ctx->SUB); \
+ mbedtls_free(rs_ctx->SUB); \
+ rs_ctx->SUB = NULL; \
+ } \
+ \
+ if (rs_ctx != NULL) \
+ rs_ctx->ecp.depth--; \
+} while (0)
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP NULL
+
+#define ECDSA_BUDGET(ops) /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER(SUB) (void) rs_ctx
+#define ECDSA_RS_LEAVE(SUB) (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \
+ !defined(MBEDTLS_ECDSA_SIGN_ALT) || \
+ !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Derive a suitable integer for group grp from a buffer of length len
+ * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
+ */
+static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,
+ const unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n_size = (grp->nbits + 7) / 8;
+ size_t use_size = blen > n_size ? n_size : blen;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(x, buf, use_size));
+ if (use_size * 8 > grp->nbits) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(x, use_size * 8 - grp->nbits));
+ }
+
+ /* While at it, reduce modulo N */
+ if (mbedtls_mpi_cmp_mpi(x, &grp->N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(x, x, &grp->N));
+ }
+
+cleanup:
+ return ret;
+}
+#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
+
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
+{
+ switch (gid) {
+#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ case MBEDTLS_ECP_DP_CURVE25519: return 0;
+#endif
+#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
+ case MBEDTLS_ECP_DP_CURVE448: return 0;
+#endif
+ default: return 1;
+ }
+}
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/*
+ * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
+ * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
+ */
+int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret, key_tries, sign_tries;
+ int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
+ mbedtls_ecp_point R;
+ mbedtls_mpi k, e, t;
+ mbedtls_mpi *pk = &k, *pr = r;
+
+ /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+ if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Make sure d is in range 1..n-1 */
+ if (mbedtls_mpi_cmp_int(d, 1) < 0 || mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ mbedtls_ecp_point_init(&R);
+ mbedtls_mpi_init(&k); mbedtls_mpi_init(&e); mbedtls_mpi_init(&t);
+
+ ECDSA_RS_ENTER(sig);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ /* redirect to our context */
+ p_sign_tries = &rs_ctx->sig->sign_tries;
+ p_key_tries = &rs_ctx->sig->key_tries;
+ pk = &rs_ctx->sig->k;
+ pr = &rs_ctx->sig->r;
+
+ /* jump to current step */
+ if (rs_ctx->sig->state == ecdsa_sig_mul) {
+ goto mul;
+ }
+ if (rs_ctx->sig->state == ecdsa_sig_modn) {
+ goto modn;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ *p_sign_tries = 0;
+ do {
+ if ((*p_sign_tries)++ > 10) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Steps 1-3: generate a suitable ephemeral keypair
+ * and set r = xR mod n
+ */
+ *p_key_tries = 0;
+ do {
+ if ((*p_key_tries)++ > 10) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, pk, f_rng, p_rng));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ rs_ctx->sig->state = ecdsa_sig_mul;
+ }
+
+mul:
+#endif
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G,
+ f_rng_blind,
+ p_rng_blind,
+ ECDSA_RS_ECP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N));
+ } while (mbedtls_mpi_cmp_int(pr, 0) == 0);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ rs_ctx->sig->state = ecdsa_sig_modn;
+ }
+
+modn:
+#endif
+ /*
+ * Accounting for everything up to the end of the loop
+ * (step 6, but checking now avoids saving e and t)
+ */
+ ECDSA_BUDGET(MBEDTLS_ECP_OPS_INV + 4);
+
+ /*
+ * Step 5: derive MPI from hashed message
+ */
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
+
+ /*
+ * Generate a random value to blind inv_mod in next step,
+ * avoiding a potential timing leak.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, &t, f_rng_blind,
+ p_rng_blind));
+
+ /*
+ * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&e, &e, &t));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pk, pk, &t));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N));
+ } while (mbedtls_mpi_cmp_int(s, 0) == 0);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
+ }
+#endif
+
+cleanup:
+ mbedtls_ecp_point_free(&R);
+ mbedtls_mpi_free(&k); mbedtls_mpi_free(&e); mbedtls_mpi_free(&t);
+
+ ECDSA_RS_LEAVE(sig);
+
+ return ret;
+}
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ /* Use the same RNG for both blinding and ephemeral key generation */
+ return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ f_rng, p_rng, f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Deterministic signature wrapper
+ *
+ * note: The f_rng_blind parameter must not be NULL.
+ *
+ */
+int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context rng_ctx;
+ mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
+ unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
+ size_t grp_len = (grp->nbits + 7) / 8;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_mpi h;
+
+ if ((md_info = mbedtls_md_info_from_type(md_alg)) == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&h);
+ mbedtls_hmac_drbg_init(&rng_ctx);
+
+ ECDSA_RS_ENTER(det);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->det != NULL) {
+ /* redirect to our context */
+ p_rng = &rs_ctx->det->rng_ctx;
+
+ /* jump to current step */
+ if (rs_ctx->det->state == ecdsa_det_sign) {
+ goto sign;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
+ MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->det != NULL) {
+ rs_ctx->det->state = ecdsa_det_sign;
+ }
+
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) f_rng_blind;
+ (void) p_rng_blind;
+ ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng);
+#else
+ ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng,
+ f_rng_blind, p_rng_blind, rs_ctx);
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+cleanup:
+ mbedtls_hmac_drbg_free(&rng_ctx);
+ mbedtls_mpi_free(&h);
+
+ ECDSA_RS_LEAVE(det);
+
+ return ret;
+}
+
+/*
+ * Deterministic signature wrapper
+ */
+int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+ mbedtls_mpi *s, const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *,
+ size_t),
+ void *p_rng_blind)
+{
+ return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+ f_rng_blind, p_rng_blind, NULL);
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Verify ECDSA signature of hashed message (SEC1 4.1.4)
+ * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi e, s_inv, u1, u2;
+ mbedtls_ecp_point R;
+ mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
+
+ mbedtls_ecp_point_init(&R);
+ mbedtls_mpi_init(&e); mbedtls_mpi_init(&s_inv);
+ mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);
+
+ /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+ if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ ECDSA_RS_ENTER(ver);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ver != NULL) {
+ /* redirect to our context */
+ pu1 = &rs_ctx->ver->u1;
+ pu2 = &rs_ctx->ver->u2;
+
+ /* jump to current step */
+ if (rs_ctx->ver->state == ecdsa_ver_muladd) {
+ goto muladd;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ /*
+ * Step 1: make sure r and s are in range 1..n-1
+ */
+ if (mbedtls_mpi_cmp_int(r, 1) < 0 || mbedtls_mpi_cmp_mpi(r, &grp->N) >= 0 ||
+ mbedtls_mpi_cmp_int(s, 1) < 0 || mbedtls_mpi_cmp_mpi(s, &grp->N) >= 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Step 3: derive MPI from hashed message
+ */
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
+
+ /*
+ * Step 4: u1 = e / s mod n, u2 = r / s mod n
+ */
+ ECDSA_BUDGET(MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu1, &e, &s_inv));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu2, r, &s_inv));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ver != NULL) {
+ rs_ctx->ver->state = ecdsa_ver_muladd;
+ }
+
+muladd:
+#endif
+ /*
+ * Step 5: R = u1 G + u2 Q
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd_restartable(grp,
+ &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP));
+
+ if (mbedtls_ecp_is_zero(&R)) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Step 6: convert xR to an integer (no-op)
+ * Step 7: reduce xR mod n (gives v)
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&R.X, &R.X, &grp->N));
+
+ /*
+ * Step 8: check if v (that is, R.X) is equal to r
+ */
+ if (mbedtls_mpi_cmp_mpi(&R.X, r) != 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&R);
+ mbedtls_mpi_free(&e); mbedtls_mpi_free(&s_inv);
+ mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);
+
+ ECDSA_RS_LEAVE(ver);
+
+ return ret;
+}
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s)
+{
+ return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Convert a signature (given by context) to ASN.1
+ */
+static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,
+ unsigned char *sig, size_t sig_size,
+ size_t *slen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = { 0 };
+ unsigned char *p = buf + sizeof(buf);
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, s));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, r));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ if (len > sig_size) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(sig, p, len);
+ *slen = len;
+
+ return 0;
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r, s;
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, md_alg, f_rng,
+ p_rng, rs_ctx));
+#else
+ (void) md_alg;
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) rs_ctx;
+
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng));
+#else
+ /* Use the same RNG for both blinding and ephemeral key generation */
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng, f_rng,
+ p_rng, rs_ctx));
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+ MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, sig_size, slen));
+
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+
+ return ret;
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecdsa_write_signature_restartable(
+ ctx, md_alg, hash, hlen, sig, sig_size, slen,
+ f_rng, p_rng, NULL);
+}
+
+/*
+ * Read and check signature
+ */
+int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen)
+{
+ return mbedtls_ecdsa_read_signature_restartable(
+ ctx, hash, hlen, sig, slen, NULL);
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = (unsigned char *) sig;
+ const unsigned char *end = sig + slen;
+ size_t len;
+ mbedtls_mpi r, s;
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ if (p + len != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &r)) != 0 ||
+ (ret = mbedtls_asn1_get_mpi(&p, end, &s)) != 0) {
+ ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+ (void) rs_ctx;
+
+ if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s)) != 0) {
+ goto cleanup;
+ }
+#else
+ if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s, rs_ctx)) != 0) {
+ goto cleanup;
+ }
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+ /* At this point we know that the buffer starts with a valid signature.
+ * Return 0 if the buffer just contains the signature, and a specific
+ * error code if the valid signature is followed by more data. */
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
+/*
+ * Generate key pair
+ */
+int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = 0;
+ ret = mbedtls_ecp_group_load(&ctx->grp, gid);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d,
+ &ctx->Q, f_rng, p_rng);
+}
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
+
+/*
+ * Set context from an mbedtls_ecp_keypair
+ */
+int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 ||
+ (ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0) {
+ mbedtls_ecdsa_free(ctx);
+ }
+
+ return ret;
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx)
+{
+ mbedtls_ecp_keypair_init(ctx);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_keypair_free(ctx);
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx)
+{
+ mbedtls_ecp_restart_init(&ctx->ecp);
+
+ ctx->ver = NULL;
+ ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_restart_free(&ctx->ecp);
+
+ ecdsa_restart_ver_free(ctx->ver);
+ mbedtls_free(ctx->ver);
+ ctx->ver = NULL;
+
+ ecdsa_restart_sig_free(ctx->sig);
+ mbedtls_free(ctx->sig);
+ ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ ecdsa_restart_det_free(ctx->det);
+ mbedtls_free(ctx->det);
+ ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_ECDSA_C */
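Review bot: In `mbedtls_ecdsa_sign_det_restartable` the stack buffer `data` is filled with the private key through `mbedtls_mpi_write_binary(d, data, grp_len)`, but the `cleanup:` path frees only `rng_ctx` and `h`, so the key bytes are left on the stack when the function returns. The file already includes `mbedtls/platform_util.h`, so adding `mbedtls_platform_zeroize(data, sizeof(data));` under `cleanup:` would wipe them on every exit that passes through the label, including an `MBEDTLS_ERR_ECP_IN_PROGRESS` return. The same function's header comment says `f_rng_blind` must not be NULL, yet nothing in the body checks it, whereas `mbedtls_ecdsa_write_signature_restartable` rejects a NULL `f_rng` with `MBEDTLS_ERR_ECP_BAD_INPUT_DATA`; a matching guard here would make the documented contract enforceable. This file is added whole in the commit, so both points may be carried over from the code's previous location rather than introduced here.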
diff --git a/tf-psa-crypto/drivers/builtin/src/ecjpake.c b/tf-psa-crypto/drivers/builtin/src/ecjpake.c
new file mode 100644
index 0000000..628fb65
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecjpake.c
@@ -0,0 +1,1206 @@
+/*
+ * Elliptic curve J-PAKE
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char * const ecjpake_id[] = {
+ "client",
+ "server"
+};
+
+#define ID_MINE (ecjpake_id[ctx->role])
+#define ID_PEER (ecjpake_id[1 - ctx->role])
+
+/**
+ * Helper to Compute a hash from md_type
+ */
+static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ return mbedtls_md(mbedtls_md_info_from_type(md_type),
+ input, ilen, output);
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)
+{
+ ctx->md_type = MBEDTLS_MD_NONE;
+ mbedtls_ecp_group_init(&ctx->grp);
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+ mbedtls_ecp_point_init(&ctx->Xm1);
+ mbedtls_ecp_point_init(&ctx->Xm2);
+ mbedtls_ecp_point_init(&ctx->Xp1);
+ mbedtls_ecp_point_init(&ctx->Xp2);
+ mbedtls_ecp_point_init(&ctx->Xp);
+
+ mbedtls_mpi_init(&ctx->xm1);
+ mbedtls_mpi_init(&ctx->xm2);
+ mbedtls_mpi_init(&ctx->s);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ ctx->md_type = MBEDTLS_MD_NONE;
+ mbedtls_ecp_group_free(&ctx->grp);
+
+ mbedtls_ecp_point_free(&ctx->Xm1);
+ mbedtls_ecp_point_free(&ctx->Xm2);
+ mbedtls_ecp_point_free(&ctx->Xp1);
+ mbedtls_ecp_point_free(&ctx->Xp2);
+ mbedtls_ecp_point_free(&ctx->Xp);
+
+ mbedtls_mpi_free(&ctx->xm1);
+ mbedtls_mpi_free(&ctx->xm2);
+ mbedtls_mpi_free(&ctx->s);
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
+ mbedtls_ecjpake_role role,
+ mbedtls_md_type_t hash,
+ mbedtls_ecp_group_id curve,
+ const unsigned char *secret,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (role != MBEDTLS_ECJPAKE_CLIENT && role != MBEDTLS_ECJPAKE_SERVER) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ ctx->role = role;
+
+ if ((mbedtls_md_info_from_type(hash)) == NULL) {
+ return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+ }
+
+ ctx->md_type = hash;
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecjpake_free(ctx);
+ }
+
+ return ret;
+}
+
+int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
+ int point_format)
+{
+ switch (point_format) {
+ case MBEDTLS_ECP_PF_UNCOMPRESSED:
+ case MBEDTLS_ECP_PF_COMPRESSED:
+ ctx->point_format = point_format;
+ return 0;
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)
+{
+ if (ctx->md_type == MBEDTLS_MD_NONE ||
+ ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+ ctx->s.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point(unsigned char **p,
+ const unsigned char *end,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *P)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /* Need at least 4 for length plus 1 for point */
+ if (end < *p || end - *p < 5) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ ret = mbedtls_ecp_point_write_binary(grp, P, pf,
+ &len, *p + 4, (size_t) (end - (*p + 4)));
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(len, *p, 0);
+
+ *p += 4 + len;
+
+ return 0;
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN (3 * (4 + MBEDTLS_ECP_MAX_PT_LEN) + 4 + 6)
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_ecp_point *V,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ mbedtls_mpi *h)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+ unsigned char *p = buf;
+ const unsigned char *end = buf + sizeof(buf);
+ const size_t id_len = strlen(id);
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+ /* Write things to temporary buffer */
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, V));
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, X));
+
+ if (end - p < 4) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(id_len, p, 0);
+ p += 4;
+
+ if (end < p || (size_t) (end - p) < id_len) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(p, id, id_len);
+ p += id_len;
+
+ /* Compute hash */
+ MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(md_type,
+ buf, (size_t) (p - buf), hash));
+
+ /* Turn it into an integer mod n */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
+ mbedtls_md_get_size_from_type(md_type)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ const unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point V, VV;
+ mbedtls_mpi r, h;
+ size_t r_len;
+
+ mbedtls_ecp_point_init(&V);
+ mbedtls_ecp_point_init(&VV);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&h);
+
+ /*
+ * struct {
+ * ECPoint V;
+ * opaque r<1..2^8-1>;
+ * } ECSchnorrZKP;
+ */
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, &V, p, (size_t) (end - *p)));
+
+ if (end < *p || (size_t) (end - *p) < 1) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ r_len = *(*p)++;
+
+ if (end < *p || (size_t) (end - *p) < r_len || r_len == 0) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, *p, r_len));
+ *p += r_len;
+
+ /*
+ * Verification
+ */
+ MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd((mbedtls_ecp_group *) grp,
+ &VV, &h, X, &r, G));
+
+ if (mbedtls_ecp_point_cmp(&VV, &V) != 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&V);
+ mbedtls_ecp_point_free(&VV);
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&h);
+
+ return ret;
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_mpi *x,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ unsigned char **p,
+ const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point V;
+ mbedtls_mpi v;
+ mbedtls_mpi h; /* later recycled to hold r */
+ size_t len;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ mbedtls_ecp_point_init(&V);
+ mbedtls_mpi_init(&v);
+ mbedtls_mpi_init(&h);
+
+ /* Compute signature */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp,
+ G, &v, &V, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&h, &h, x)); /* x*h */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&h, &v, &h)); /* v - x*h */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&h, &h, &grp->N)); /* r */
+
+ /* Write it out */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, &V,
+ pf, &len, *p, (size_t) (end - *p)));
+ *p += len;
+
+ len = mbedtls_mpi_size(&h); /* actually r */
+ if (end < *p || (size_t) (end - *p) < 1 + len || len > 255) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+
+ *(*p)++ = MBEDTLS_BYTE_0(len);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, *p, len)); /* r */
+ *p += len;
+
+cleanup:
+ mbedtls_ecp_point_free(&V);
+ mbedtls_mpi_free(&v);
+ mbedtls_mpi_free(&h);
+
+ return ret;
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_ecp_point *X,
+ const char *id,
+ const unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * struct {
+ * ECPoint X;
+ * ECSchnorrZKP zkp;
+ * } ECJPAKEKeyKP;
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, X, p, (size_t) (end - *p)));
+ if (mbedtls_ecp_is_zero(X)) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(ecjpake_zkp_read(md_type, grp, pf, G, X, id, p, end));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *x,
+ mbedtls_ecp_point *X,
+ const char *id,
+ unsigned char **p,
+ const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ /* Generate key (7.4.2.3.1) and write it out */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp, G, x, X,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, X,
+ pf, &len, *p, (size_t) (end - *p)));
+ *p += len;
+
+ /* Generate and write proof */
+ MBEDTLS_MPI_CHK(ecjpake_zkp_write(md_type, grp, pf, G, x, X, id,
+ p, end, f_rng, p_rng));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Outputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_ecp_point *Xa,
+ mbedtls_ecp_point *Xb,
+ const char *id,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ /*
+ * struct {
+ * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+ * } ECJPAKEKeyKPPairList;
+ */
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xa, id, &p, end));
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xb, id, &p, end));
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *xm1,
+ mbedtls_ecp_point *Xa,
+ mbedtls_mpi *xm2,
+ mbedtls_ecp_point *Xb,
+ const char *id,
+ unsigned char *buf,
+ size_t len,
+ size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm1, Xa, id,
+ &p, end, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm2, Xb, id,
+ &p, end, f_rng, p_rng));
+
+ *olen = (size_t) (p - buf);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len)
+{
+ return ecjpake_kkpp_read(ctx->md_type, &ctx->grp, ctx->point_format,
+ &ctx->grp.G,
+ &ctx->Xp1, &ctx->Xp2, ID_PEER,
+ buf, len);
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecjpake_kkpp_write(ctx->md_type, &ctx->grp, ctx->point_format,
+ &ctx->grp.G,
+ &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+ ID_MINE, buf, len, olen, f_rng, p_rng);
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *A,
+ const mbedtls_ecp_point *B,
+ const mbedtls_ecp_point *C)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi one;
+
+ mbedtls_mpi_init(&one);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, A, &one, B));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, R, &one, C));
+
+cleanup:
+ mbedtls_mpi_free(&one);
+
+ return ret;
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point G; /* C: GB, S: GA */
+
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point_init(&G);
+
+ /*
+ * Server: GA = X3 + X4 + X1 (7.4.2.6.1)
+ * Client: GB = X1 + X2 + X3 (7.4.2.5.1)
+ * Unified: G = Xm1 + Xm2 + Xp1
+ * We need that before parsing in order to check Xp as we read it
+ */
+ MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+ &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));
+
+ /*
+ * struct {
+ * ECParameters curve_params; // only client reading server msg
+ * ECJPAKEKeyKP ecjpake_key_kp;
+ * } Client/ServerECJPAKEParams;
+ */
+ if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_group(&grp, &p, len));
+ if (grp.id != ctx->grp.id) {
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+ }
+
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_type, &ctx->grp,
+ ctx->point_format,
+ &G, &ctx->Xp, ID_PEER, &p, end));
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&G);
+
+ return ret;
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret(mbedtls_mpi *R, int sign,
+ const mbedtls_mpi *X,
+ const mbedtls_mpi *S,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+ mbedtls_mpi_init(&b);
+
+ /* b = s + rnd-128-bit * N */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&b, 16, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&b, &b, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&b, &b, S));
+
+ /* R = sign * X * b mod N */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(R, X, &b));
+ R->s *= sign;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(R, R, N));
+
+cleanup:
+ mbedtls_mpi_free(&b);
+
+ return ret;
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point G; /* C: GA, S: GB */
+ mbedtls_ecp_point Xm; /* C: Xc, S: Xs */
+ mbedtls_mpi xm; /* C: xc, S: xs */
+ unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+ size_t ec_len;
+
+ mbedtls_ecp_point_init(&G);
+ mbedtls_ecp_point_init(&Xm);
+ mbedtls_mpi_init(&xm);
+
+ /*
+ * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+ *
+ * Client: GA = X1 + X3 + X4 | xs = x2 * s | Xc = xc * GA
+ * Server: GB = X3 + X1 + X2 | xs = x4 * s | Xs = xs * GB
+ * Unified: G = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+ */
+ MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+ &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));
+ MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,
+ &ctx->grp.N, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));
+
+ /*
+ * Now write things out
+ *
+ * struct {
+ * ECParameters curve_params; // only server writing its message
+ * ECJPAKEKeyKP ecjpake_key_kp;
+ * } Client/ServerECJPAKEParams;
+ */
+ if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {
+ if (end < p) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,
+ p, (size_t) (end - p)));
+ p += ec_len;
+ }
+
+ if (end < p) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,
+ ctx->point_format, &ec_len, p, (size_t) (end - p)));
+ p += ec_len;
+
+ MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_type, &ctx->grp,
+ ctx->point_format,
+ &G, &xm, &Xm, ID_MINE,
+ &p, end, f_rng, p_rng));
+
+ *olen = (size_t) (p - buf);
+
+cleanup:
+ mbedtls_ecp_point_free(&G);
+ mbedtls_ecp_point_free(&Xm);
+ mbedtls_mpi_free(&xm);
+
+ return ret;
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+static int mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context *ctx,
+ mbedtls_ecp_point *K,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi m_xm2_s, one;
+
+ mbedtls_mpi_init(&m_xm2_s);
+ mbedtls_mpi_init(&one);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+
+ /*
+ * Client: K = ( Xs - X4 * x2 * s ) * x2
+ * Server: K = ( Xc - X2 * x4 * s ) * x4
+ * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+ */
+ MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,
+ &ctx->grp.N, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, K,
+ &one, &ctx->Xp,
+ &m_xm2_s, &ctx->Xp2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, K, &ctx->xm2, K,
+ f_rng, p_rng));
+
+cleanup:
+ mbedtls_mpi_free(&m_xm2_s);
+ mbedtls_mpi_free(&one);
+
+ return ret;
+}
+
+int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point K;
+ unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+ size_t x_bytes;
+
+ *olen = mbedtls_md_get_size_from_type(ctx->md_type);
+ if (len < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ mbedtls_ecp_point_init(&K);
+
+ ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
+ if (ret) {
+ goto cleanup;
+ }
+
+ /* PMS = SHA-256( K.X ) */
+ x_bytes = (ctx->grp.pbits + 7) / 8;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K.X, kx, x_bytes));
+ MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(ctx->md_type,
+ kx, x_bytes, buf));
+
+cleanup:
+ mbedtls_ecp_point_free(&K);
+
+ return ret;
+}
+
+int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point K;
+
+ mbedtls_ecp_point_init(&K);
+
+ ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
+ if (ret) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_ecp_point_write_binary(&ctx->grp, &K, ctx->point_format,
+ olen, buf, len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&K);
+
+ return ret;
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+int mbedtls_ecjpake_self_test(int verbose)
+{
+ (void) verbose;
+ return 0;
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+ 0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+ 0x65, 0x73, 0x74
+};
+
+static const unsigned char ecjpake_test_x1[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+ 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+ 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+ 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+ 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+ 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+ 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+ 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+ 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+ 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+ 0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+ 0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+ 0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+ 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+ 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+ 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+ 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+ 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+ 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+ 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+ 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+ 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+ 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+ 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+ 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+ 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+ 0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+ 0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+ 0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+ 0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+ 0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+ 0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+ 0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+ 0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+ 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+ 0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+ 0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+ 0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+ 0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+ 0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+ 0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+ 0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+ 0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+ 0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+ 0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+ 0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+ 0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+ 0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+ 0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+ 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+ 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+ 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+ 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+ 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+ 0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+ 0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+ 0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+ 0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+ 0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+ 0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+ 0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+ 0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+ 0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+ 0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+ 0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+ 0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+ 0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+ 0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+ 0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+ 0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+ 0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+ 0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+ 0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+ 0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+ 0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+ 0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+ 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+ 0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+ 0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+ 0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+ 0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+ 0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+ 0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+ 0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+ 0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+ 0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+ 0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+ 0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+ 0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+ 0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+ 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_shared_key[] = {
+ 0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80,
+ 0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79,
+ 0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1,
+ 0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0,
+ 0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12,
+ 0x17, 0xc3, 0xde, 0x27, 0xb4,
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+ 0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+ 0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+ 0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/*
+ * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
+ *
+ * This is the linear congruential generator from numerical recipes,
+ * except we only use the low byte as the output. See
+ * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
+ */
+static int self_test_rng(void *ctx, unsigned char *out, size_t len)
+{
+ static uint32_t state = 42;
+
+ (void) ctx;
+
+ for (size_t i = 0; i < len; i++) {
+ state = state * 1664525u + 1013904223u;
+ out[i] = (unsigned char) state;
+ }
+
+ return 0;
+}
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,
+ const unsigned char *xm1, size_t len1,
+ const unsigned char *xm2, size_t len2)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,
+ &ctx->grp.G, self_test_rng, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,
+ &ctx->grp.G, self_test_rng, NULL));
+
+cleanup:
+ return ret;
+}
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc(void *p, unsigned char *out, size_t len)
+{
+ static uint32_t x = 42;
+ (void) p;
+
+ while (len > 0) {
+ size_t use_len = len > 4 ? 4 : len;
+ x = 1664525 * x + 1013904223;
+ memcpy(out, &x, use_len);
+ out += use_len;
+ len -= use_len;
+ }
+
+ return 0;
+}
+
+#define TEST_ASSERT(x) \
+ do { \
+ if (x) \
+ ret = 0; \
+ else \
+ { \
+ ret = 1; \
+ goto cleanup; \
+ } \
+ } while (0)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecjpake_context cli;
+ mbedtls_ecjpake_context srv;
+ unsigned char buf[512], pms[32];
+ size_t len, pmslen;
+
+ mbedtls_ecjpake_init(&cli);
+ mbedtls_ecjpake_init(&srv);
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #0 (setup): ");
+ }
+
+ TEST_ASSERT(mbedtls_ecjpake_setup(&cli, MBEDTLS_ECJPAKE_CLIENT,
+ MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+ ecjpake_test_password,
+ sizeof(ecjpake_test_password)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_setup(&srv, MBEDTLS_ECJPAKE_SERVER,
+ MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+ ecjpake_test_password,
+ sizeof(ecjpake_test_password)) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #1 (random handshake): ");
+ }
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_one(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_one(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_two(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+ pms, sizeof(pms), &pmslen, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_two(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == pmslen);
+ TEST_ASSERT(memcmp(buf, pms, len) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ /* 'reference handshake' tests can only be run against implementations
+ * for which we have 100% control over how the random ephemeral keys
+ * are generated. This is only the case for the internal Mbed TLS
+ * implementation, so these tests are skipped in case the internal
+ * implementation is swapped out for an alternative one. */
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #2 (reference handshake): ");
+ }
+
+ /* Simulate generation of round one */
+ MBEDTLS_MPI_CHK(ecjpake_test_load(&cli,
+ ecjpake_test_x1, sizeof(ecjpake_test_x1),
+ ecjpake_test_x2, sizeof(ecjpake_test_x2)));
+
+ MBEDTLS_MPI_CHK(ecjpake_test_load(&srv,
+ ecjpake_test_x3, sizeof(ecjpake_test_x3),
+ ecjpake_test_x4, sizeof(ecjpake_test_x4)));
+
+ /* Read round one */
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv,
+ ecjpake_test_cli_one,
+ sizeof(ecjpake_test_cli_one)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli,
+ ecjpake_test_srv_one,
+ sizeof(ecjpake_test_srv_one)) == 0);
+
+ /* Skip generation of round two, read round two */
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli,
+ ecjpake_test_srv_two,
+ sizeof(ecjpake_test_srv_two)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv,
+ ecjpake_test_cli_two,
+ sizeof(ecjpake_test_cli_two)) == 0);
+
+ /* Server derives PMS */
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+ /* Server derives K as unsigned binary data */
+ TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
+
+ memset(buf, 0, len); /* Avoid interferences with next step */
+
+ /* Client derives PMS */
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+ /* Client derives K as unsigned binary data */
+ TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+ mbedtls_ecjpake_free(&cli);
+ mbedtls_ecjpake_free(&srv);
+
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_MD_CAN_SHA256 */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp.c b/tf-psa-crypto/drivers/builtin/src/ecp.c
new file mode 100644
index 0000000..1e6b69b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecp.c
@@ -0,0 +1,3558 @@
+/*
+ * Elliptic curves over GF(p): generic functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
+ * RFC 4492 for the related TLS structures and constants
+ * - https://www.rfc-editor.org/rfc/rfc4492
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
+ * - https://www.rfc-editor.org/rfc/rfc7748
+ *
+ * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ * for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ * render ECC resistant against Side Channel Attacks. IACR Cryptology
+ * ePrint Archive, 2004, vol. 2004, p. 342.
+ * <http://eprint.iacr.org/2004/342.pdf>
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "bn_mul.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Counts of point addition and doubling, and field multiplications.
+ * Used to test resistance of point multiplication to simple timing attacks.
+ */
+#if defined(MBEDTLS_ECP_C)
+static unsigned long add_count, dbl_count;
+#endif /* MBEDTLS_ECP_C */
+static unsigned long mul_count;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops(unsigned max_ops)
+{
+ ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled(void)
+{
+ return ecp_max_ops != 0;
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul {
+ mbedtls_ecp_point R; /* current intermediate result */
+ size_t i; /* current index in various loops, 0 outside */
+ mbedtls_ecp_point *T; /* table for precomputed points */
+ unsigned char T_size; /* number of points in table T */
+ enum { /* what were we doing last time we returned? */
+ ecp_rsm_init = 0, /* nothing so far, dummy initial state */
+ ecp_rsm_pre_dbl, /* precompute 2^n multiples */
+ ecp_rsm_pre_norm_dbl, /* normalize precomputed 2^n multiples */
+ ecp_rsm_pre_add, /* precompute remaining points by adding */
+ ecp_rsm_pre_norm_add, /* normalize all precomputed points */
+ ecp_rsm_comb_core, /* ecp_mul_comb_core() */
+ ecp_rsm_final_norm, /* do the final normalization */
+ } state;
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
+{
+ mbedtls_ecp_point_init(&ctx->R);
+ ctx->i = 0;
+ ctx->T = NULL;
+ ctx->T_size = 0;
+ ctx->state = ecp_rsm_init;
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
+{
+ unsigned char i;
+
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_point_free(&ctx->R);
+
+ if (ctx->T != NULL) {
+ for (i = 0; i < ctx->T_size; i++) {
+ mbedtls_ecp_point_free(ctx->T + i);
+ }
+ mbedtls_free(ctx->T);
+ }
+
+ ecp_restart_rsm_init(ctx);
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd {
+ mbedtls_ecp_point mP; /* mP value */
+ mbedtls_ecp_point R; /* R intermediate result */
+ enum { /* what should we do next? */
+ ecp_rsma_mul1 = 0, /* first multiplication */
+ ecp_rsma_mul2, /* second multiplication */
+ ecp_rsma_add, /* addition */
+ ecp_rsma_norm, /* normalization */
+ } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
+{
+ mbedtls_ecp_point_init(&ctx->mP);
+ mbedtls_ecp_point_init(&ctx->R);
+ ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_point_free(&ctx->mP);
+ mbedtls_ecp_point_free(&ctx->R);
+
+ ecp_restart_ma_init(ctx);
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
+{
+ ctx->ops_done = 0;
+ ctx->depth = 0;
+ ctx->rsm = NULL;
+ ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ ecp_restart_rsm_free(ctx->rsm);
+ mbedtls_free(ctx->rsm);
+
+ ecp_restart_ma_free(ctx->ma);
+ mbedtls_free(ctx->ma);
+
+ mbedtls_ecp_restart_init(ctx);
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_restart_ctx *rs_ctx,
+ unsigned ops)
+{
+ if (rs_ctx != NULL && ecp_max_ops != 0) {
+ /* scale depending on curve size: the chosen reference is 256-bit,
+ * and multiplication is quadratic. Round to the closest integer. */
+ if (grp->pbits >= 512) {
+ ops *= 4;
+ } else if (grp->pbits >= 384) {
+ ops *= 2;
+ }
+
+ /* Avoid infinite loops: always allow first step.
+ * Because of that, however, it's not generally true
+ * that ops_done <= ecp_max_ops, so the check
+ * ops_done > ecp_max_ops below is mandatory. */
+ if ((rs_ctx->ops_done != 0) &&
+ (rs_ctx->ops_done > ecp_max_ops ||
+ ops > ecp_max_ops - rs_ctx->ops_done)) {
+ return MBEDTLS_ERR_ECP_IN_PROGRESS;
+ }
+
+ /* update running count */
+ rs_ctx->ops_done += ops;
+ }
+
+ return 0;
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER(SUB) do { \
+ /* reset ops count for this call if top-level */ \
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) \
+ rs_ctx->ops_done = 0; \
+ \
+ /* set up our own sub-context if needed */ \
+ if (mbedtls_ecp_restart_is_enabled() && \
+ rs_ctx != NULL && rs_ctx->SUB == NULL) \
+ { \
+ rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
+ if (rs_ctx->SUB == NULL) \
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
+ \
+ ecp_restart_## SUB ##_init(rs_ctx->SUB); \
+ } \
+} while (0)
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE(SUB) do { \
+ /* clear our sub-context when not in progress (done or error) */ \
+ if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
+ { \
+ ecp_restart_## SUB ##_free(rs_ctx->SUB); \
+ mbedtls_free(rs_ctx->SUB); \
+ rs_ctx->SUB = NULL; \
+ } \
+ \
+ if (rs_ctx != NULL) \
+ rs_ctx->depth--; \
+} while (0)
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER(sub) (void) rs_ctx;
+#define ECP_RS_LEAVE(sub) (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECP_C)
+static void mpi_init_many(mbedtls_mpi *arr, size_t size)
+{
+ while (size--) {
+ mbedtls_mpi_init(arr++);
+ }
+}
+
+static void mpi_free_many(mbedtls_mpi *arr, size_t size)
+{
+ while (size--) {
+ mbedtls_mpi_free(arr++);
+ }
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * List of supported curves:
+ * - internal ID
+ * - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
+ * - size in bits
+ * - readable name
+ *
+ * Curves are listed in order: largest curves first, and for a given size,
+ * fastest curves first.
+ *
+ * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
+ */
+static const mbedtls_ecp_curve_info ecp_supported_curves[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ { MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" },
+#endif
+ { MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
+};
+
+#define ECP_NB_CURVES sizeof(ecp_supported_curves) / \
+ sizeof(ecp_supported_curves[0])
+
+static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
+
+/*
+ * List of supported curves and associated info
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
+{
+ return ecp_supported_curves;
+}
+
+/*
+ * List of supported curves, group ID only
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
+{
+ static int init_done = 0;
+
+ if (!init_done) {
+ size_t i = 0;
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ ecp_supported_grp_id[i++] = curve_info->grp_id;
+ }
+ ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
+
+ init_done = 1;
+ }
+
+ return ecp_supported_grp_id;
+}
+
+/*
+ * Get the curve info for the internal identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (curve_info->grp_id == grp_id) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the curve info from the TLS identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (curve_info->tls_id == tls_id) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the curve info from the name
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ if (name == NULL) {
+ return NULL;
+ }
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (strcmp(curve_info->name, name) == 0) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the type of a curve
+ */
+mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
+{
+ if (grp->G.X.p == NULL) {
+ return MBEDTLS_ECP_TYPE_NONE;
+ }
+
+ if (grp->G.Y.p == NULL) {
+ return MBEDTLS_ECP_TYPE_MONTGOMERY;
+ } else {
+ return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
+ }
+}
+
+/*
+ * Initialize (the components of) a point
+ */
+void mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
+{
+ mbedtls_mpi_init(&pt->X);
+ mbedtls_mpi_init(&pt->Y);
+ mbedtls_mpi_init(&pt->Z);
+}
+
+/*
+ * Initialize (the components of) a group
+ */
+void mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
+{
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ mbedtls_mpi_init(&grp->P);
+ mbedtls_mpi_init(&grp->A);
+ mbedtls_mpi_init(&grp->B);
+ mbedtls_ecp_point_init(&grp->G);
+ mbedtls_mpi_init(&grp->N);
+ grp->pbits = 0;
+ grp->nbits = 0;
+ grp->h = 0;
+ grp->modp = NULL;
+ grp->t_pre = NULL;
+ grp->t_post = NULL;
+ grp->t_data = NULL;
+ grp->T = NULL;
+ grp->T_size = 0;
+}
+
+/*
+ * Initialize (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
+{
+ mbedtls_ecp_group_init(&key->grp);
+ mbedtls_mpi_init(&key->d);
+ mbedtls_ecp_point_init(&key->Q);
+}
+
+/*
+ * Unallocate (the components of) a point
+ */
+void mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
+{
+ if (pt == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&(pt->X));
+ mbedtls_mpi_free(&(pt->Y));
+ mbedtls_mpi_free(&(pt->Z));
+}
+
+/*
+ * Check that the comb table (grp->T) is static initialized.
+ */
+static int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
+{
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+ return grp->T != NULL && grp->T_size == 0;
+#else
+ (void) grp;
+ return 0;
+#endif
+}
+
+/*
+ * Unallocate (the components of) a group
+ */
+void mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
+{
+ size_t i;
+
+ if (grp == NULL) {
+ return;
+ }
+
+ if (grp->h != 1) {
+ mbedtls_mpi_free(&grp->A);
+ mbedtls_mpi_free(&grp->B);
+ mbedtls_ecp_point_free(&grp->G);
+
+#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
+ mbedtls_mpi_free(&grp->N);
+ mbedtls_mpi_free(&grp->P);
+#endif
+ }
+
+ if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
+ for (i = 0; i < grp->T_size; i++) {
+ mbedtls_ecp_point_free(&grp->T[i]);
+ }
+ mbedtls_free(grp->T);
+ }
+
+ mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
+}
+
+/*
+ * Unallocate (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
+{
+ if (key == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_group_free(&key->grp);
+ mbedtls_mpi_free(&key->d);
+ mbedtls_ecp_point_free(&key->Q);
+}
+
+/*
+ * Copy the contents of a point
+ */
+int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Copy the contents of a group object
+ */
+int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
+{
+ return mbedtls_ecp_group_load(dst, src->id);
+}
+
+/*
+ * Set point to zero
+ */
+int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Tell if a point is zero
+ */
+int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
+{
+ return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
+}
+
+/*
+ * Compare two points lazily
+ */
+int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
+ const mbedtls_ecp_point *Q)
+{
+ if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
+ mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
+ mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
+ return 0;
+ }
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+/*
+ * Import a non-zero point from ASCII strings
+ */
+int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
+ const char *x, const char *y)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
+ */
+int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *P,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ size_t plen;
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ plen = mbedtls_mpi_size(&grp->P);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ (void) format; /* Montgomery curves always use the same point format */
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ *olen = plen;
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ /*
+ * Common case: P == 0
+ */
+ if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
+ if (buflen < 1) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x00;
+ *olen = 1;
+
+ return 0;
+ }
+
+ if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
+ *olen = 2 * plen + 1;
+
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x04;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
+ } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
+ *olen = plen + 1;
+
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+ }
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ int parity_bit);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+/*
+ * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
+ */
+int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char *buf, size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ size_t plen;
+ if (ilen < 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ plen = mbedtls_mpi_size(&grp->P);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ if (plen != ilen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
+ mbedtls_mpi_free(&pt->Y);
+
+ if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
+ /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ if (buf[0] == 0x00) {
+ if (ilen == 1) {
+ return mbedtls_ecp_set_zero(pt);
+ } else {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+
+ if (ilen < 1 + plen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+
+ if (buf[0] == 0x04) {
+ /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
+ if (ilen != 1 + plen * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
+ } else if (buf[0] == 0x02 || buf[0] == 0x03) {
+ /* format == MBEDTLS_ECP_PF_COMPRESSED */
+ if (ilen != 1 + plen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
+ (buf[0] & 1));
+ } else {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Import a point from a TLS ECPoint record (RFC 4492)
+ * struct {
+ * opaque point <1..2^8-1>;
+ * } ECPoint;
+ */
+int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char **buf, size_t buf_len)
+{
+ unsigned char data_len;
+ const unsigned char *buf_start;
+ /*
+ * We must have at least two bytes (1 for length, at least one for data)
+ */
+ if (buf_len < 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ data_len = *(*buf)++;
+ if (data_len < 1 || data_len > buf_len - 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Save buffer start for read_binary and update buf
+ */
+ buf_start = *buf;
+ *buf += data_len;
+
+ return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
+}
+
+/*
+ * Export a point as a TLS ECPoint record (RFC 4492)
+ * struct {
+ * opaque point <1..2^8-1>;
+ * } ECPoint;
+ */
+int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+ int format, size_t *olen,
+ unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * buffer length must be at least one, for our length byte
+ */
+ if (blen < 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
+ olen, buf + 1, blen - 1)) != 0) {
+ return ret;
+ }
+
+ /*
+ * write length to the first byte and update total length
+ */
+ buf[0] = (unsigned char) *olen;
+ ++*olen;
+
+ return 0;
+}
+
+/*
+ * Set a group from an ECParameters record (RFC 4492)
+ */
+int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
+ const unsigned char **buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+ if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_group_load(grp, grp_id);
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
+ const unsigned char **buf, size_t len)
+{
+ uint16_t tls_id;
+ const mbedtls_ecp_curve_info *curve_info;
+ /*
+ * We expect at least three bytes (see below)
+ */
+ if (len < 3) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * First byte is curve_type; only named_curve is handled
+ */
+ if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Next two bytes are the namedcurve value
+ */
+ tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
+ *buf += 2;
+
+ if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ *grp = curve_info->grp_id;
+
+ return 0;
+}
+
+/*
+ * Write the ECParameters record corresponding to a group (RFC 4492)
+ */
+int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
+ unsigned char *buf, size_t blen)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+ if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * We are going to write 3 bytes (see below)
+ */
+ *olen = 3;
+ if (blen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * First byte is curve_type, always named_curve
+ */
+ *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+ /*
+ * Next two bytes are the namedcurve value
+ */
+ MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
+
+ return 0;
+}
+
+/*
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
+ * See the documentation of struct mbedtls_ecp_group.
+ *
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
+ */
+static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (grp->modp == NULL) {
+ return mbedtls_mpi_mod_mpi(N, N, &grp->P);
+ }
+
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
+ if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
+ mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(grp->modp(N));
+
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
+ while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
+ /* we known P, N and the result are positive */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
+ *
+ * In order to guarantee that, we need to ensure that operands of
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
+ * bring the result back to this range.
+ *
+ * The following macros are shortcuts for doing that.
+ */
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
+ */
+#if defined(MBEDTLS_SELF_TEST)
+#define INC_MUL_COUNT mul_count++;
+#else
+#define INC_MUL_COUNT
+#endif
+
+#define MOD_MUL(N) \
+ do \
+ { \
+ MBEDTLS_MPI_CHK(ecp_modp(&(N), grp)); \
+ INC_MUL_COUNT \
+ } while (0)
+
+static inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
+ MOD_MUL(*X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
+ * N->s < 0 is a very fast test, which fails only if N is 0
+ */
+#define MOD_SUB(N) \
+ do { \
+ while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P)); \
+ } while (0)
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
+ MOD_SUB(X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
+ * We known P, N and the result are positive, so sub_abs is correct, and
+ * a bit faster.
+ */
+#define MOD_ADD(N) \
+ while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
+
+static inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_uint c)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_uint c)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
+ MOD_SUB(X);
+cleanup:
+ return ret;
+}
+
+#define MPI_ECP_SUB_INT(X, A, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ size_t count)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Macro wrappers around ECP modular arithmetic
+ *
+ * Currently, these wrappers are defined via the bignum module.
+ */
+
+#define MPI_ECP_ADD(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
+
+#define MPI_ECP_SUB(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
+
+#define MPI_ECP_MUL(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
+
+#define MPI_ECP_SQR(X, A) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
+
+#define MPI_ECP_MUL_INT(X, A, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
+
+#define MPI_ECP_INV(dst, src) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
+
+#define MPI_ECP_MOV(X, A) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
+
+#define MPI_ECP_SHIFT_L(X, count) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
+
+#define MPI_ECP_LSET(X, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
+
+#define MPI_ECP_CMP_INT(X, c) \
+ mbedtls_mpi_cmp_int(X, c)
+
+#define MPI_ECP_CMP(X, Y) \
+ mbedtls_mpi_cmp_mpi(X, Y)
+
+/* Needs f_rng, p_rng to be defined. */
+#define MPI_ECP_RAND(X) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
+
+/* Conditional negation
+ * Needs grp and a temporary MPI tmp to be defined. */
+#define MPI_ECP_COND_NEG(X, cond) \
+ do \
+ { \
+ unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0; \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X))); \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp, \
+ nonzero & cond)); \
+ } while (0)
+
+#define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
+
+#define MPI_ECP_VALID(X) \
+ ((X)->p != NULL)
+
+#define MPI_ECP_COND_ASSIGN(X, Y, cond) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
+
+#define MPI_ECP_COND_SWAP(X, Y, cond) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+
+/*
+ * Computes the right-hand side of the Short Weierstrass equation
+ * RHS = X^3 + A X + B
+ */
+static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *rhs,
+ const mbedtls_mpi *X)
+{
+ int ret;
+
+ /* Compute X^3 + A X + B as X (X^2 + A) + B */
+ MPI_ECP_SQR(rhs, X);
+
+ /* Special case for A = -3 */
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+ MPI_ECP_SUB_INT(rhs, rhs, 3);
+ } else {
+ MPI_ECP_ADD(rhs, rhs, &grp->A);
+ }
+
+ MPI_ECP_MUL(rhs, rhs, X);
+ MPI_ECP_ADD(rhs, rhs, &grp->B);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Derive Y from X and a parity bit
+ */
+static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ int parity_bit)
+{
+ /* w = y^2 = x^3 + ax + b
+ * y = sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4)
+ *
+ * Note: this method for extracting square root does not validate that w
+ * was indeed a square so this function will return garbage in Y if X
+ * does not correspond to a point on the curve.
+ */
+
+ /* Check prerequisite p = 3 mod 4 */
+ if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
+ mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ int ret;
+ mbedtls_mpi exp;
+ mbedtls_mpi_init(&exp);
+
+ /* use Y to store intermediate result, actually w above */
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
+
+ /* w = y^2 */ /* Y contains y^2 intermediate result */
+ /* exp = ((p+1)/4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
+ /* sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
+
+ /* check parity bit match or else invert Y */
+ /* This quick inversion implementation is valid because Y != 0 for all
+ * Short Weierstrass curves supported by mbedtls, as each supported curve
+ * has an order that is a large prime, so each supported curve does not
+ * have any point of order 2, and a point with Y == 0 would be of order 2 */
+ if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&exp);
+ return ret;
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * For curves in short Weierstrass form, we do all the internal operations in
+ * Jacobian coordinates.
+ *
+ * For multiplication, we'll use a comb method with countermeasures against
+ * SPA, hence timing attacks.
+ */
+
+/*
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1)
+ * Cost: 1N := 1I + 3M + 1S
+ */
+static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
+{
+ if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
+ return 0;
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi T;
+ mbedtls_mpi_init(&T);
+
+ MPI_ECP_INV(&T, &pt->Z); /* T <- 1 / Z */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y' <- Y*T = Y / Z */
+ MPI_ECP_SQR(&T, &T); /* T <- T^2 = 1 / Z^2 */
+ MPI_ECP_MUL(&pt->X, &pt->X, &T); /* X <- X * T = X / Z^2 */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y'' <- Y' * T = Y / Z^3 */
+
+ MPI_ECP_LSET(&pt->Z, 1);
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+}
+
+/*
+ * Normalize jacobian coordinates of an array of (pointers to) points,
+ * using Montgomery's trick to perform only one inversion mod P.
+ * (See for example Cohen's "A Course in Computational Algebraic Number
+ * Theory", Algorithm 10.3.4.)
+ *
+ * Warning: fails (returning an error) if one of the points is zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
+ */
+static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *T[], size_t T_size)
+{
+ if (T_size < 2) {
+ return ecp_normalize_jac(grp, *T);
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi *c, t;
+
+ if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_init(&t);
+
+ mpi_init_many(c, T_size);
+ /*
+ * c[i] = Z_0 * ... * Z_i, i = 0,..,n := T_size-1
+ */
+ MPI_ECP_MOV(&c[0], &T[0]->Z);
+ for (i = 1; i < T_size; i++) {
+ MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
+ }
+
+ /*
+ * c[n] = 1 / (Z_0 * ... * Z_n) mod P
+ */
+ MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
+
+ for (i = T_size - 1;; i--) {
+ /* At the start of iteration i (note that i decrements), we have
+ * - c[j] = Z_0 * .... * Z_j for j < i,
+ * - c[j] = 1 / (Z_0 * .... * Z_j) for j == i,
+ *
+ * This is maintained via
+ * - c[i-1] <- c[i] * Z_i
+ *
+ * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
+ * to do the actual normalization. For i==0, we already have
+ * c[0] = 1 / Z_0.
+ */
+
+ if (i > 0) {
+ /* Compute 1/Z_i and establish invariant for the next iteration. */
+ MPI_ECP_MUL(&t, &c[i], &c[i-1]);
+ MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
+ } else {
+ MPI_ECP_MOV(&t, &c[0]);
+ }
+
+ /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
+ MPI_ECP_SQR(&t, &t);
+ MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
+
+ /*
+ * Post-precessing: reclaim some memory by shrinking coordinates
+ * - not storing Z (always 1)
+ * - shrinking other coordinates, but still keeping the same number of
+ * limbs as P, as otherwise it will too likely be regrown too fast.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
+
+ MPI_ECP_LSET(&T[i]->Z, 1);
+
+ if (i == 0) {
+ break;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&t);
+ mpi_free_many(c, T_size);
+ mbedtls_free(c);
+
+ return ret;
+}
+
+/*
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
+ */
+static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *Q,
+ unsigned char inv)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi tmp;
+ mbedtls_mpi_init(&tmp);
+
+ MPI_ECP_COND_NEG(&Q->Y, inv);
+
+cleanup:
+ mbedtls_mpi_free(&tmp);
+ return ret;
+}
+
+/*
+ * Point doubling R = 2 P, Jacobian coordinates
+ *
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
+ *
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
+ *
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
+ *
+ * Cost: 1D := 3M + 4S (A == 0)
+ * 4M + 4S (A == -3)
+ * 3M + 6S + 1a otherwise
+ */
+static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *P,
+ mbedtls_mpi tmp[4])
+{
+#if defined(MBEDTLS_SELF_TEST)
+ dbl_count++;
+#endif
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Special case for A = -3 */
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+ /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
+ MPI_ECP_SQR(&tmp[1], &P->Z);
+ MPI_ECP_ADD(&tmp[2], &P->X, &tmp[1]);
+ MPI_ECP_SUB(&tmp[3], &P->X, &tmp[1]);
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &tmp[3]);
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
+ } else {
+ /* tmp[0] <- M = 3.X^2 + A.Z^4 */
+ MPI_ECP_SQR(&tmp[1], &P->X);
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
+
+ /* Optimize away for "koblitz" curves with A = 0 */
+ if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
+ /* M += A.Z^4 */
+ MPI_ECP_SQR(&tmp[1], &P->Z);
+ MPI_ECP_SQR(&tmp[2], &tmp[1]);
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &grp->A);
+ MPI_ECP_ADD(&tmp[0], &tmp[0], &tmp[1]);
+ }
+ }
+
+ /* tmp[1] <- S = 4.X.Y^2 */
+ MPI_ECP_SQR(&tmp[2], &P->Y);
+ MPI_ECP_SHIFT_L(&tmp[2], 1);
+ MPI_ECP_MUL(&tmp[1], &P->X, &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[1], 1);
+
+ /* tmp[3] <- U = 8.Y^4 */
+ MPI_ECP_SQR(&tmp[3], &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
+
+ /* tmp[2] <- T = M^2 - 2.S */
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
+
+ /* tmp[1] <- S = M(S - T) - U */
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[2]);
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &tmp[0]);
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[3]);
+
+ /* tmp[3] <- U = 2.Y.Z */
+ MPI_ECP_MUL(&tmp[3], &P->Y, &P->Z);
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
+
+ /* Store results */
+ MPI_ECP_MOV(&R->X, &tmp[2]);
+ MPI_ECP_MOV(&R->Y, &tmp[1]);
+ MPI_ECP_MOV(&R->Z, &tmp[3]);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * P,Q,R may alias, but only at the level of EC points: they must be either
+ * equal as pointers, or disjoint (including the coordinate data buffers).
+ * Fine-grained aliasing at the level of coordinates is not supported.
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base point, the factor
+ * being less than its order, so none of them is zero;
+ * - Q is an odd multiple of the base point, P an even multiple,
+ * due to the choice of precomputed points in the modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * Cost: 1A := 8M + 3S
+ */
+static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+ mbedtls_mpi tmp[4])
+{
+#if defined(MBEDTLS_SELF_TEST)
+ add_count++;
+#endif
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* NOTE: Aliasing between input and output is allowed, so one has to make
+ * sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
+ * longer read from. */
+ mbedtls_mpi * const X = &R->X;
+ mbedtls_mpi * const Y = &R->Y;
+ mbedtls_mpi * const Z = &R->Z;
+
+ if (!MPI_ECP_VALID(&Q->Z)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Trivial cases: P == 0 or Q == 0 (case 1)
+ */
+ if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
+ return mbedtls_ecp_copy(R, Q);
+ }
+
+ if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
+ return mbedtls_ecp_copy(R, P);
+ }
+
+ /*
+ * Make sure Q coordinates are normalized
+ */
+ if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MPI_ECP_SQR(&tmp[0], &P->Z);
+ MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
+ MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
+ MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
+
+ /* Special cases (2) and (3) */
+ if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
+ if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
+ ret = ecp_double_jac(grp, R, P, tmp);
+ goto cleanup;
+ } else {
+ ret = mbedtls_ecp_set_zero(R);
+ goto cleanup;
+ }
+ }
+
+ /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
+ MPI_ECP_MUL(Z, &P->Z, &tmp[0]);
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
+ MPI_ECP_MUL(&tmp[3], &tmp[2], &tmp[0]);
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &P->X);
+
+ MPI_ECP_MOV(&tmp[0], &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[0], 1);
+
+ /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
+ MPI_ECP_SQR(X, &tmp[1]);
+ MPI_ECP_SUB(X, X, &tmp[0]);
+ MPI_ECP_SUB(X, X, &tmp[3]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], X);
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &tmp[1]);
+ MPI_ECP_MUL(&tmp[3], &tmp[3], &P->Y);
+ /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
+ MPI_ECP_SUB(Y, &tmp[2], &tmp[3]);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_jac().
+ *
+ * This countermeasure was first suggested in [2].
+ */
+static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l;
+
+ mbedtls_mpi_init(&l);
+
+ /* Generate l such that 1 < l < p */
+ MPI_ECP_RAND(&l);
+
+ /* Z' = l * Z */
+ MPI_ECP_MUL(&pt->Z, &pt->Z, &l);
+
+ /* Y' = l * Y */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
+
+ /* X' = l^2 * X */
+ MPI_ECP_SQR(&l, &l);
+ MPI_ECP_MUL(&pt->X, &pt->X, &l);
+
+ /* Y'' = l^2 * Y' = l^3 * Y */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
+
+cleanup:
+ mbedtls_mpi_free(&l);
+
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ }
+ return ret;
+}
+
+/*
+ * Check and define parameters used by the comb method (see below for details)
+ */
+#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
+#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
+#endif
+
+/* d = ceil( n / w ) */
+#define COMB_MAX_D (MBEDTLS_ECP_MAX_BITS + 1) / 2
+
+/* number of precomputed points */
+#define COMB_MAX_PRE (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
+
+/*
+ * Compute the representation of m that will be used with our comb method.
+ *
+ * The basic comb method is described in GECC 3.44 for example. We use a
+ * modified version that provides resistance to SPA by avoiding zero
+ * digits in the representation as in [3]. We modify the method further by
+ * requiring that all K_i be odd, which has the small cost that our
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
+ *
+ * Summary of the comb method and its modifications:
+ *
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ * x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ * index has residue i modulo d, and computes m * P as
+ * S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ * S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ * .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ * thereby successively converting it into a form where all summands
+ * are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ * .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ * and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ * Performing and iterating this procedure for those x[i] that are even
+ * (keeping track of carry), we can transform the original sum into one of the form
+ * S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ * with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ * which is why we are only computing half of it in the first place in
+ * ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ * are used to represent its absolute value (K_i in the paper), and the msb
+ * of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ * if s_i == -1;
+ *
+ * Calling conventions:
+ * - x is an array of size d + 1
+ * - w is the size, ie number of teeth, of the comb, and must be between
+ * 2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
+ * (the result will be incorrect if these assumptions are not satisfied)
+ */
+static void ecp_comb_recode_core(unsigned char x[], size_t d,
+ unsigned char w, const mbedtls_mpi *m)
+{
+ size_t i, j;
+ unsigned char c, cc, adjust;
+
+ memset(x, 0, d+1);
+
+ /* First get the classical comb values (except for x_d = 0) */
+ for (i = 0; i < d; i++) {
+ for (j = 0; j < w; j++) {
+ x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
+ }
+ }
+
+ /* Now make sure x_1 .. x_d are odd */
+ c = 0;
+ for (i = 1; i <= d; i++) {
+ /* Add carry and update it */
+ cc = x[i] & c;
+ x[i] = x[i] ^ c;
+ c = cc;
+
+ /* Adjust if needed, avoiding branches */
+ adjust = 1 - (x[i] & 0x01);
+ c |= x[i] & (x[i-1] * adjust);
+ x[i] = x[i] ^ (x[i-1] * adjust);
+ x[i-1] |= adjust << 7;
+ }
+}
+
+/*
+ * Precompute points for the adapted comb method
+ *
+ * Assumption: T must be able to hold 2^{w - 1} elements.
+ *
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ * sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
+ *
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ * sum defining T[i] above) are not needed in our adaption
+ * the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl] Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add] Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step (2) (3) (4)
+ * w = 5 142 165 208
+ * w = 4 136 77 160
+ * w = 3 130 33 136
+ * w = 2 124 11 124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
+ */
+static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
+ unsigned char w, size_t d,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t j = 0;
+ const unsigned char T_size = 1U << (w - 1);
+ mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
+
+ mbedtls_mpi tmp[4];
+
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
+ goto dbl;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
+ goto norm_dbl;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
+ goto add;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
+ goto norm_add;
+ }
+ }
+#else
+ (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+ /* initial state for the loop */
+ rs_ctx->rsm->i = 0;
+ }
+
+dbl:
+#endif
+ /*
+ * Set T[0] = P and
+ * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
+ j = rs_ctx->rsm->i;
+ } else
+#endif
+ j = 0;
+
+ for (; j < d * (w - 1); j++) {
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
+
+ i = 1U << (j / d);
+ cur = T + i;
+
+ if (j % d == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
+ }
+
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
+ }
+
+norm_dbl:
+#endif
+ /*
+ * Normalize current elements in T to allow them to be used in
+ * ecp_add_mixed() below, which requires one normalized input.
+ *
+ * As T has holes, use an auxiliary array of pointers to elements in T.
+ *
+ */
+ j = 0;
+ for (i = 1; i < T_size; i <<= 1) {
+ TT[j++] = T + i;
+ }
+
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_add;
+ }
+
+add:
+#endif
+ /*
+ * Compute the remaining ones using the minimal number of additions
+ * Be careful to update T[2^l] only after using it!
+ */
+ MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
+
+ for (i = 1; i < T_size; i <<= 1) {
+ j = i;
+ while (j--) {
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
+ }
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+ }
+
+norm_add:
+#endif
+ /*
+ * Normalize final elements in T. Even though there are no holes now, we
+ * still need the auxiliary array for homogeneity with the previous
+ * call. Also, skip T[0] which is already normalised, being a copy of P.
+ */
+ for (j = 0; j + 1 < T_size; j++) {
+ TT[j] = T + j + 1;
+ }
+
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
+
+ /* Free Z coordinate (=1 after normalization) to save RAM.
+ * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
+ * since from this point onwards, they are only accessed indirectly
+ * via the getter function ecp_select_comb() which does set the
+ * target's Z coordinate to 1. */
+ for (i = 0; i < T_size; i++) {
+ mbedtls_mpi_free(&T[i].Z);
+ }
+
+cleanup:
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
+ rs_ctx->rsm->i = j;
+ }
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
+ */
+static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point T[], unsigned char T_size,
+ unsigned char i)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char ii, j;
+
+ /* Ignore the "sign" bit and scale down */
+ ii = (i & 0x7Fu) >> 1;
+
+ /* Read the whole table to thwart cache-based timing attacks */
+ for (j = 0; j < T_size; j++) {
+ MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
+ MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
+ }
+
+ /* Safely invert result if i is "negative" */
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
+
+ MPI_ECP_LSET(&R->Z, 1);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Core multiplication algorithm for the (modified) comb method.
+ * This part is actually common with the basic comb method (GECC 3.44)
+ *
+ * Cost: d A + d D + 1 R
+ */
+static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point T[], unsigned char T_size,
+ const unsigned char x[], size_t d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point Txi;
+ mbedtls_mpi tmp[4];
+ size_t i;
+
+ mbedtls_ecp_point_init(&Txi);
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+ (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ rs_ctx->rsm->state != ecp_rsm_comb_core) {
+ rs_ctx->rsm->i = 0;
+ rs_ctx->rsm->state = ecp_rsm_comb_core;
+ }
+
+ /* new 'if' instead of nested for the sake of the 'else' branch */
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
+ /* restore current index (R already pointing to rs_ctx->rsm->R) */
+ i = rs_ctx->rsm->i;
+ } else
+#endif
+ {
+ /* Start with a non-zero point and randomize its coordinates */
+ i = d;
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
+ if (f_rng != 0) {
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
+ }
+ }
+
+ while (i != 0) {
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
+ --i;
+
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
+ }
+
+cleanup:
+
+ mbedtls_ecp_point_free(&Txi);
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ rs_ctx->rsm->i = i;
+ /* no need to save R, already pointing to rs_ctx->rsm->R */
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
+ */
+static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *m,
+ unsigned char k[COMB_MAX_D + 1],
+ size_t d,
+ unsigned char w,
+ unsigned char *parity_trick)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi M, mm;
+
+ mbedtls_mpi_init(&M);
+ mbedtls_mpi_init(&mm);
+
+ /* N is always odd (see above), just make extra sure */
+ if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* do we need the parity trick? */
+ *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
+
+ /* execute parity fix in constant time */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
+
+ /* actual scalar recoding */
+ ecp_comb_recode_core(k, d, w, &M);
+
+cleanup:
+ mbedtls_mpi_free(&mm);
+ mbedtls_mpi_free(&M);
+
+ return ret;
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ const mbedtls_mpi *m,
+ const mbedtls_ecp_point *T,
+ unsigned char T_size,
+ unsigned char w,
+ size_t d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char parity_trick;
+ unsigned char k[COMB_MAX_D + 1];
+ mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ RR = &rs_ctx->rsm->R;
+
+ if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
+ goto final_norm;
+ }
+ }
+#endif
+
+ MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
+ &parity_trick));
+ MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
+ f_rng, p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_final_norm;
+ }
+
+final_norm:
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+#endif
+ /*
+ * Knowledge of the jacobian coordinates may leak the last few bits of the
+ * scalar [1], and since our MPI implementation isn't constant-flow,
+ * inversion (used for coordinate normalization) may leak the full value
+ * of its input via side-channels [2].
+ *
+ * [1] https://eprint.iacr.org/2003/191
+ * [2] https://eprint.iacr.org/2020/055
+ *
+ * Avoid the leak by randomizing coordinates before we normalize them.
+ */
+ if (f_rng != 0) {
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
+ }
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
+ unsigned char p_eq_g)
+{
+ unsigned char w;
+
+ /*
+ * Minimize the number of multiplications, that is minimize
+ * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
+ * (see costs of the various parts, with 1S = 1M)
+ */
+ w = grp->nbits >= 384 ? 5 : 4;
+
+ /*
+ * If P == G, pre-compute a bit more, since this may be re-used later.
+ * Just adding one avoids upping the cost of the first mul too much,
+ * and the memory cost too.
+ */
+ if (p_eq_g) {
+ w++;
+ }
+
+ /*
+ * If static comb table may not be used (!p_eq_g) or static comb table does
+ * not exists, make sure w is within bounds.
+ * (The last test is useful only for very small curves in the test suite.)
+ *
+ * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
+ * static comb table, because the size of static comb table is fixed when
+ * it is generated.
+ */
+#if (MBEDTLS_ECP_WINDOW_SIZE < 6)
+ if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
+ w = MBEDTLS_ECP_WINDOW_SIZE;
+ }
+#endif
+ if (w >= grp->nbits) {
+ w = 2;
+ }
+
+ return w;
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ * functions): allocation, computation, ownership transfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ * ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char w, p_eq_g, i;
+ size_t d;
+ unsigned char T_size = 0, T_ok = 0;
+ mbedtls_ecp_point *T = NULL;
+
+ ECP_RS_ENTER(rsm);
+
+ /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+ p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
+ MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
+#else
+ p_eq_g = 0;
+#endif
+
+ /* Pick window size and deduce related sizes */
+ w = ecp_pick_window_size(grp, p_eq_g);
+ T_size = 1U << (w - 1);
+ d = (grp->nbits + w - 1) / w;
+
+ /* Pre-computed table: do we have it already for the base point? */
+ if (p_eq_g && grp->T != NULL) {
+ /* second pointer to the same table, will be deleted on exit */
+ T = grp->T;
+ T_ok = 1;
+ } else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* Pre-computed table: do we have one in progress? complete? */
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
+ /* transfer ownership of T from rsm to local function */
+ T = rs_ctx->rsm->T;
+ rs_ctx->rsm->T = NULL;
+ rs_ctx->rsm->T_size = 0;
+
+ /* This effectively jumps to the call to mul_comb_after_precomp() */
+ T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+ } else
+#endif
+ /* Allocate table if we didn't have any */
+ {
+ T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
+ if (T == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ for (i = 0; i < T_size; i++) {
+ mbedtls_ecp_point_init(&T[i]);
+ }
+
+ T_ok = 0;
+ }
+
+ /* Compute table (or finish computing it) if not done already */
+ if (!T_ok) {
+ MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
+
+ if (p_eq_g) {
+ /* almost transfer ownership of T to the group, but keep a copy of
+ * the pointer to use for calling the next function more easily */
+ grp->T = T;
+ grp->T_size = T_size;
+ }
+ }
+
+ /* Actual comb multiplication using precomputed points */
+ MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
+ T, T_size, w, d,
+ f_rng, p_rng, rs_ctx));
+
+cleanup:
+
+ /* does T belong to the group? */
+ if (T == grp->T) {
+ T = NULL;
+ }
+
+ /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
+ /* transfer ownership of T from local function to rsm */
+ rs_ctx->rsm->T_size = T_size;
+ rs_ctx->rsm->T = T;
+ T = NULL;
+ }
+#endif
+
+ /* did T belong to us? then let's destroy it! */
+ if (T != NULL) {
+ for (i = 0; i < T_size; i++) {
+ mbedtls_ecp_point_free(&T[i]);
+ }
+ mbedtls_free(T);
+ }
+
+ /* prevent caller from using invalid value */
+ int should_free_R = (ret != 0);
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* don't free R while in progress in case R == P */
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ should_free_R = 0;
+ }
+#endif
+ if (should_free_R) {
+ mbedtls_ecp_point_free(R);
+ }
+
+ ECP_RS_LEAVE(rsm);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+/*
+ * For Montgomery curves, we do all the internal arithmetic in projective
+ * coordinates. Import/export of points uses only the x coordinates, which is
+ * internally represented as X / Z.
+ *
+ * For scalar multiplication, we'll use a Montgomery ladder.
+ */
+
+/*
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
+ * Cost: 1M + 1I
+ */
+static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MPI_ECP_INV(&P->Z, &P->Z);
+ MPI_ECP_MUL(&P->X, &P->X, &P->Z);
+ MPI_ECP_LSET(&P->Z, 1);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_mxz().
+ *
+ * This countermeasure was first suggested in [2].
+ * Cost: 2M
+ */
+static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l;
+ mbedtls_mpi_init(&l);
+
+ /* Generate l such that 1 < l < p */
+ MPI_ECP_RAND(&l);
+
+ MPI_ECP_MUL(&P->X, &P->X, &l);
+ MPI_ECP_MUL(&P->Z, &P->Z, &l);
+
+cleanup:
+ mbedtls_mpi_free(&l);
+
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ }
+ return ret;
+}
+
+/*
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+ * for Montgomery curves in x/z coordinates.
+ *
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+ * with
+ * d = X1
+ * P = (X2, Z2)
+ * Q = (X3, Z3)
+ * R = (X4, Z4)
+ * S = (X5, Z5)
+ * and eliminating temporary variables tO, ..., t4.
+ *
+ * Cost: 5M + 4S
+ */
+static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *d,
+ mbedtls_mpi T[4])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MPI_ECP_ADD(&T[0], &P->X, &P->Z); /* Pp := PX + PZ */
+ MPI_ECP_SUB(&T[1], &P->X, &P->Z); /* Pm := PX - PZ */
+ MPI_ECP_ADD(&T[2], &Q->X, &Q->Z); /* Qp := QX + XZ */
+ MPI_ECP_SUB(&T[3], &Q->X, &Q->Z); /* Qm := QX - QZ */
+ MPI_ECP_MUL(&T[3], &T[3], &T[0]); /* Qm * Pp */
+ MPI_ECP_MUL(&T[2], &T[2], &T[1]); /* Qp * Pm */
+ MPI_ECP_SQR(&T[0], &T[0]); /* Pp^2 */
+ MPI_ECP_SQR(&T[1], &T[1]); /* Pm^2 */
+ MPI_ECP_MUL(&R->X, &T[0], &T[1]); /* Pp^2 * Pm^2 */
+ MPI_ECP_SUB(&T[0], &T[0], &T[1]); /* Pp^2 - Pm^2 */
+ MPI_ECP_MUL(&R->Z, &grp->A, &T[0]); /* A * (Pp^2 - Pm^2) */
+ MPI_ECP_ADD(&R->Z, &T[1], &R->Z); /* [ A * (Pp^2-Pm^2) ] + Pm^2 */
+ MPI_ECP_ADD(&S->X, &T[3], &T[2]); /* Qm*Pp + Qp*Pm */
+ MPI_ECP_SQR(&S->X, &S->X); /* (Qm*Pp + Qp*Pm)^2 */
+ MPI_ECP_SUB(&S->Z, &T[3], &T[2]); /* Qm*Pp - Qp*Pm */
+ MPI_ECP_SQR(&S->Z, &S->Z); /* (Qm*Pp - Qp*Pm)^2 */
+ MPI_ECP_MUL(&S->Z, d, &S->Z); /* d * ( Qm*Pp - Qp*Pm )^2 */
+ MPI_ECP_MUL(&R->Z, &T[0], &R->Z); /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
+ */
+static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ unsigned char b;
+ mbedtls_ecp_point RP;
+ mbedtls_mpi PX;
+ mbedtls_mpi tmp[4];
+ mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
+
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Save PX and read from P before writing to R, in case P == R */
+ MPI_ECP_MOV(&PX, &P->X);
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
+
+ /* Set R to zero in modified x/z coordinates */
+ MPI_ECP_LSET(&R->X, 1);
+ MPI_ECP_LSET(&R->Z, 0);
+ mbedtls_mpi_free(&R->Y);
+
+ /* RP.X might be slightly larger than P, so reduce it */
+ MOD_ADD(&RP.X);
+
+ /* Randomize coordinates of the starting point */
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
+
+ /* Loop invariant: R = result so far, RP = R + P */
+ i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
+ while (i-- > 0) {
+ b = mbedtls_mpi_get_bit(m, i);
+ /*
+ * if (b) R = 2R + P else R = 2R,
+ * which is:
+ * if (b) double_add( RP, R, RP, R )
+ * else double_add( R, RP, R, RP )
+ * but using safe conditional swaps to avoid leaks
+ */
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
+ MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
+ }
+
+ /*
+ * Knowledge of the projective coordinates may leak the last few bits of the
+ * scalar [1], and since our MPI implementation isn't constant-flow,
+ * inversion (used for coordinate normalization) may leak the full value
+ * of its input via side-channels [2].
+ *
+ * [1] https://eprint.iacr.org/2003/191
+ * [2] https://eprint.iacr.org/2020/055
+ *
+ * Avoid the leak by randomizing coordinates before we normalize them.
+ */
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
+
+cleanup:
+ mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+/*
+ * Restartable multiplication R = m * P
+ *
+ * This internal function can be called without an RNG in case where we know
+ * the inputs are not sensitive.
+ */
+static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* reset ops count for this call if top-level */
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
+ rs_ctx->ops_done = 0;
+ }
+#else
+ (void) rs_ctx;
+#endif
+
+ int restarting = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
+#endif
+ /* skip argument check when restarting */
+ if (!restarting) {
+ /* check_privkey is free */
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
+
+ /* Common sanity checks */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ }
+
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
+ }
+#endif
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL) {
+ rs_ctx->depth--;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Restartable multiplication R = m * P
+ */
+int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
+}
+
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * Check that an affine point is valid as a public key,
+ * short weierstrass curves (SEC1 3.2.3.1)
+ */
+static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi YY, RHS;
+
+ /* pt coordinates must be normalized for our checks */
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
+ mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
+ mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
+ mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
+
+ /*
+ * YY = Y^2
+ * RHS = X^3 + A X + B
+ */
+ MPI_ECP_SQR(&YY, &pt->Y);
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
+
+ if (MPI_ECP_CMP(&YY, &RHS) != 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
+ * NOT constant-time - ONLY for short Weierstrass!
+ */
+static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ const mbedtls_mpi *m,
+ const mbedtls_ecp_point *P,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi tmp;
+ mbedtls_mpi_init(&tmp);
+
+ if (mbedtls_mpi_cmp_int(m, 0) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
+ } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
+ } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
+ MPI_ECP_NEG(&R->Y);
+ } else {
+ MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
+ NULL, NULL, rs_ctx));
+ }
+
+cleanup:
+ mbedtls_mpi_free(&tmp);
+
+ return ret;
+}
+
+/*
+ * Restartable linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd_restartable(
+ mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point mP;
+ mbedtls_ecp_point *pmP = &mP;
+ mbedtls_ecp_point *pR = R;
+ mbedtls_mpi tmp[4];
+ if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_ecp_point_init(&mP);
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+ ECP_RS_ENTER(ma);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ /* redirect intermediate results to restart context */
+ pmP = &rs_ctx->ma->mP;
+ pR = &rs_ctx->ma->R;
+
+ /* jump to next operation */
+ if (rs_ctx->ma->state == ecp_rsma_mul2) {
+ goto mul2;
+ }
+ if (rs_ctx->ma->state == ecp_rsma_add) {
+ goto add;
+ }
+ if (rs_ctx->ma->state == ecp_rsma_norm) {
+ goto norm;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_mul2;
+ }
+
+mul2:
+#endif
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR, n, Q, rs_ctx));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_add;
+ }
+
+add:
+#endif
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_norm;
+ }
+
+norm:
+#endif
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
+ }
+#endif
+
+cleanup:
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+ mbedtls_ecp_point_free(&mP);
+
+ ECP_RS_LEAVE(ma);
+
+ return ret;
+}
+
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
+{
+ return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+/*
+ * Constants for the two points other than 0, 1, -1 (mod p) in
+ * https://cr.yp.to/ecdh.html#validate
+ * See ecp_check_pubkey_x25519().
+ */
+static const mbedtls_mpi_uint x25519_bad_point_1[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
+};
+static const mbedtls_mpi_uint x25519_bad_point_2[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
+};
+static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_1);
+static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_2);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+/*
+ * Check that the input point is not one of the low-order points.
+ * This is recommended by the "May the Fourth" paper:
+ * https://eprint.iacr.org/2017/806.pdf
+ * Those points are never sent by an honest peer.
+ */
+static int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
+ const mbedtls_ecp_group_id grp_id)
+{
+ int ret;
+ mbedtls_mpi XmP;
+
+ mbedtls_mpi_init(&XmP);
+
+ /* Reduce X mod P so that we only need to check values less than P.
+ * We know X < 2^256 so we can proceed by subtraction. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
+ while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
+ }
+
+ /* Check against the known bad values that are less than P. For Curve448
+ * these are 0, 1 and -1. For Curve25519 we check the values less than P
+ * from the following list: https://cr.yp.to/ecdh.html#validate */
+ if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) { /* takes care of 0 and 1 */
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+ }
+#else
+ (void) grp_id;
+#endif
+
+ /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
+ if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free(&XmP);
+
+ return ret;
+}
+
+/*
+ * Check validity of a public key for Montgomery curves with x-only schemes
+ */
+static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
+{
+ /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+ /* Allow any public value, if it's too big then we'll just reduce it mod p
+ * (RFC 7748 sec. 5 para. 3). */
+ if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ /* Implicit in all standards (as they don't consider negative numbers):
+ * X must be non-negative. This is normally ensured by the way it's
+ * encoded for transmission, but let's be extra sure. */
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
+}
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+/*
+ * Check that a point is valid as a public key
+ */
+int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt)
+{
+ /* Must use affine coordinates */
+ if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return ecp_check_pubkey_mx(grp, pt);
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return ecp_check_pubkey_sw(grp, pt);
+ }
+#endif
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+/*
+ * Check that an mbedtls_mpi is valid as a private key
+ */
+int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *d)
+{
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ /* see RFC 7748 sec. 5 para. 5 */
+ if (mbedtls_mpi_get_bit(d, 0) != 0 ||
+ mbedtls_mpi_get_bit(d, 1) != 0 ||
+ mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ /* see [Curve25519] page 5 */
+ if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ /* see SEC1 3.2 */
+ if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
+ mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ } else {
+ return 0;
+ }
+ }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ size_t n_random_bytes = high_bit / 8 + 1;
+
+ /* [Curve25519] page 5 */
+ /* Generate a (high_bit+1)-bit random number by generating just enough
+ * random bytes, then shifting out extra bits from the top (necessary
+ * when (high_bit+1) is not a multiple of 8). */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
+
+ /* Make sure the last two bits are unset for Curve448, three bits for
+ Curve25519 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
+ if (high_bit == 254) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
+ }
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+static int mbedtls_ecp_gen_privkey_sw(
+ const mbedtls_mpi *N, mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
+ switch (ret) {
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+ return MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ default:
+ return ret;
+ }
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+/*
+ * Generate a private key
+ */
+int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate key pair, wrapper for conventional base point
+ */
+int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
+}
+
+/*
+ * Generate a keypair, prettier wrapper
+ */
+int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
+}
+#endif /* MBEDTLS_ECP_C */
+
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+ mbedtls_ecp_keypair *key,
+ const mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (key->grp.id == MBEDTLS_ECP_DP_NONE) {
+ /* Group not set yet */
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+ } else if (key->grp.id != grp_id) {
+ /* Group mismatch */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_ecp_copy(&key->Q, Q);
+}
+
+
+#define ECP_CURVE25519_KEY_SIZE 32
+#define ECP_CURVE448_KEY_SIZE 56
+/*
+ * Read a private key.
+ */
+int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ const unsigned char *buf, size_t buflen)
+{
+ int ret = 0;
+
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ /*
+ * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
+ */
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (buflen != ECP_CURVE25519_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
+
+ /* Set the three least significant bits to 0 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
+
+ /* Set the most significant bit to 0 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
+ );
+
+ /* Set the second most significant bit to 1 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
+ );
+ } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
+ if (buflen != ECP_CURVE448_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
+
+ /* Set the two least significant bits to 0 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
+
+ /* Set the most significant bit to 1 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
+ );
+ }
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
+ }
+#endif
+
+ if (ret == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
+ }
+
+cleanup:
+
+ if (ret != 0) {
+ mbedtls_mpi_free(&key->d);
+ }
+
+ return ret;
+}
+
+/*
+ * Write a private key.
+ */
+#if !defined MBEDTLS_DEPRECATED_REMOVED
+int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+ unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (buflen < ECP_CURVE25519_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
+ if (buflen < ECP_CURVE448_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
+ }
+
+#endif
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
+ size_t *olen, unsigned char *buf, size_t buflen)
+{
+ size_t len = (key->grp.nbits + 7) / 8;
+ if (len > buflen) {
+ /* For robustness, ensure *olen <= buflen even on error. */
+ *olen = 0;
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+ *olen = len;
+
+ /* Private key not set */
+ if (key->d.n == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_mpi_write_binary_le(&key->d, buf, len);
+ }
+#endif
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return mbedtls_mpi_write_binary(&key->d, buf, len);
+ }
+#endif
+
+ /* Private key set but no recognized curve type? This shouldn't happen. */
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+}
+
+/*
+ * Write a public key.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_ecp_point_write_binary(&key->grp, &key->Q,
+ format, olen, buf, buflen);
+}
+
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check a public-private key pair
+ */
+int mbedtls_ecp_check_pub_priv(
+ const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_group grp;
+ if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
+ pub->grp.id != prv->grp.id ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_ecp_point_init(&Q);
+ mbedtls_ecp_group_init(&grp);
+
+ /* mbedtls_ecp_mul() needs a non-const group... */
+ mbedtls_ecp_group_copy(&grp, &prv->grp);
+
+ /* Also checks d is valid */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
+
+ if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
+ mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
+ mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&Q);
+ mbedtls_ecp_group_free(&grp);
+
+ return ret;
+}
+
+int mbedtls_ecp_keypair_calc_public(mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_ECP_C */
+
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+ const mbedtls_ecp_keypair *key)
+{
+ return key->grp.id;
+}
+
+/*
+ * Export generic key-pair parameters.
+ */
+int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (grp != NULL && (ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
+ return ret;
+ }
+
+ if (d != NULL && (ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
+ return ret;
+ }
+
+ if (Q != NULL && (ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
+ *
+ * This is the linear congruential generator from numerical recipes,
+ * except we only use the low byte as the output. See
+ * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
+ */
+static int self_test_rng(void *ctx, unsigned char *out, size_t len)
+{
+ static uint32_t state = 42;
+
+ (void) ctx;
+
+ for (size_t i = 0; i < len; i++) {
+ state = state * 1664525u + 1013904223u;
+ out[i] = (unsigned char) state;
+ }
+
+ return 0;
+}
+
+/* Adjust the exponent to be a valid private point for the specified curve.
+ * This is sometimes necessary because we use a single set of exponents
+ * for all curves but the validity of values depends on the curve. */
+static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *m)
+{
+ int ret = 0;
+ switch (grp->id) {
+ /* If Curve25519 is available, then that's what we use for the
+ * Montgomery test, so we don't need the adjustment code. */
+#if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ /* Move highest bit from 254 to N-1. Setting bit N-1 is
+ * necessary to enforce the highest-bit-set constraint. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
+ /* Copy second-highest bit from 253 to N-2. This is not
+ * necessary but improves the test variety a bit. */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(m, grp->nbits - 1,
+ mbedtls_mpi_get_bit(m, 253)));
+ break;
+#endif
+#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
+ default:
+ /* Non-Montgomery curves and Curve25519 need no adjustment. */
+ (void) grp;
+ (void) m;
+ goto cleanup;
+ }
+cleanup:
+ return ret;
+}
+
+/* Calculate R = m.P for each m in exponents. Check that the number of
+ * basic operations doesn't depend on the value of m. */
+static int self_test_point(int verbose,
+ mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ mbedtls_mpi *m,
+ const mbedtls_ecp_point *P,
+ const char *const *exponents,
+ size_t n_exponents)
+{
+ int ret = 0;
+ size_t i = 0;
+ unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
+
+ for (i = 1; i < n_exponents; i++) {
+ add_c_prev = add_count;
+ dbl_c_prev = dbl_count;
+ mul_c_prev = mul_count;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
+
+ if (add_count != add_c_prev ||
+ dbl_count != dbl_c_prev ||
+ mul_count != mul_c_prev) {
+ ret = 1;
+ break;
+ }
+ }
+
+cleanup:
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed (%u)\n", (unsigned int) i);
+ } else {
+ mbedtls_printf("passed\n");
+ }
+ }
+ return ret;
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecp_self_test(int verbose)
+{
+#if defined(MBEDTLS_ECP_C)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point R, P;
+ mbedtls_mpi m;
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ /* Exponents especially adapted for secp192k1, which has the lowest
+ * order n of all supported curves (secp192r1 is in a slightly larger
+ * field but the order of its base point is slightly smaller). */
+ const char *sw_exponents[] =
+ {
+ "000000000000000000000000000000000000000000000001", /* one */
+ "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
+ "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
+ "400000000000000000000000000000000000000000000000", /* one and zeros */
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
+ "555555555555555555555555555555555555555555555555", /* 101010... */
+ };
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ const char *m_exponents[] =
+ {
+ /* Valid private values for Curve25519. In a build with Curve448
+ * but not Curve25519, they will be adjusted in
+ * self_test_adjust_exponent(). */
+ "4000000000000000000000000000000000000000000000000000000000000000",
+ "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
+ "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
+ "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
+ "5555555555555555555555555555555555555555555555555555555555555550",
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
+ };
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point_init(&R);
+ mbedtls_ecp_point_init(&P);
+ mbedtls_mpi_init(&m);
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ /* Use secp192r1 if available, or any available curve */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
+#else
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
+#endif
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECP SW test #1 (constant op_count, base point G): ");
+ }
+ /* Do a dummy multiplication first to trigger precomputation */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &grp.G,
+ sw_exponents,
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECP SW test #2 (constant op_count, other point): ");
+ }
+ /* We computed P = 2G last time, use it */
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &P,
+ sw_exponents,
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&R);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (verbose != 0) {
+ mbedtls_printf(" ECP Montgomery test (constant op_count): ");
+ }
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
+#else
+#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
+#endif
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &grp.G,
+ m_exponents,
+ sizeof(m_exponents) / sizeof(m_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+cleanup:
+
+ if (ret < 0 && verbose != 0) {
+ mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
+ }
+
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&R);
+ mbedtls_ecp_point_free(&P);
+ mbedtls_mpi_free(&m);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+#else /* MBEDTLS_ECP_C */
+ (void) verbose;
+ return 0;
+#endif /* MBEDTLS_ECP_C */
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECP_LIGHT */
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp_curves.c b/tf-psa-crypto/drivers/builtin/src/ecp_curves.c
new file mode 100644
index 0000000..97636a7
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecp_curves.c
@@ -0,0 +1,5456 @@
+/*
+ * Elliptic curves over GF(p): curve-specific data and functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "bn_mul.h"
+#include "bignum_core.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+
+#define ECP_POINT_INIT_XY_Z0(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
+#define ECP_POINT_INIT_XY_Z1(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+static const mbedtls_mpi_uint mpi_one[] = { 1 };
+#endif
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
+};
+static const mbedtls_ecp_point secp192r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
+};
+#else
+#define secp192r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
+};
+#else
+#define secp224r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
+};
+static const mbedtls_ecp_point secp256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
+};
+#else
+#define secp256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
+};
+static const mbedtls_ecp_point secp384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
+};
+#else
+#define secp384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp521r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
+};
+#else
+#define secp521r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
+};
+static const mbedtls_ecp_point secp192k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
+};
+#else
+#define secp192k1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
+};
+#else
+#define secp224k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
+};
+static const mbedtls_ecp_point secp256k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
+};
+#else
+#define secp256k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
+};
+static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
+};
+#else
+#define brainpoolP256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
+};
+static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
+};
+#else
+#define brainpoolP384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
+};
+static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
+};
+#else
+#define brainpoolP512r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(ECP_LOAD_GROUP)
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
+ */
+static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
+{
+ X->s = 1;
+ X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
+ X->p = (mbedtls_mpi_uint *) p;
+}
+
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 1;
+ X->p = (mbedtls_mpi_uint *) mpi_one; /* X->p will not be modified so the cast is safe */
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load(mbedtls_ecp_group *grp,
+ const mbedtls_mpi_uint *p, size_t plen,
+ const mbedtls_mpi_uint *a, size_t alen,
+ const mbedtls_mpi_uint *b, size_t blen,
+ const mbedtls_mpi_uint *gx, size_t gxlen,
+ const mbedtls_mpi_uint *gy, size_t gylen,
+ const mbedtls_mpi_uint *n, size_t nlen,
+ const mbedtls_ecp_point *T)
+{
+ ecp_mpi_load(&grp->P, p, plen);
+ if (a != NULL) {
+ ecp_mpi_load(&grp->A, a, alen);
+ }
+ ecp_mpi_load(&grp->B, b, blen);
+ ecp_mpi_load(&grp->N, n, nlen);
+
+ ecp_mpi_load(&grp->G.X, gx, gxlen);
+ ecp_mpi_load(&grp->G.Y, gy, gylen);
+ ecp_mpi_set1(&grp->G.Z);
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ grp->h = 1;
+
+ grp->T = (mbedtls_ecp_point *) T;
+ /*
+ * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
+ */
+ grp->T_size = 0;
+
+ return 0;
+}
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521(mbedtls_mpi *);
+#endif
+
+#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP(P)
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1(mbedtls_mpi *);
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+#define LOAD_GROUP_A(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ G ## _a, sizeof(G ## _a), \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+
+#define LOAD_GROUP(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ NULL, 0, \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* Constants used by ecp_use_curve25519() */
+static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
+static const unsigned char curve25519_part_of_n[] = {
+ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
+ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
+};
+
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
+
+ /* P = 2^255 - 19 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* N = 2^252 + 27742317777372353535851937790883648493 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N,
+ curve25519_part_of_n, sizeof(curve25519_part_of_n)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1));
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 254;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/* Constants used by ecp_use_curve448() */
+static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
+static const unsigned char curve448_part_of_n[] = {
+ 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
+ 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
+ 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
+ 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
+};
+
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448(mbedtls_ecp_group *grp)
+{
+ mbedtls_mpi Ns;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_init(&Ns);
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
+
+ /* P = 2^448 - 2^224 - 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns,
+ curve448_part_of_n, sizeof(curve448_part_of_n)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns));
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 447;
+
+cleanup:
+ mbedtls_mpi_free(&Ns);
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
+{
+ mbedtls_ecp_group_free(grp);
+
+ mbedtls_ecp_group_init(grp);
+
+ grp->id = id;
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ NIST_MODP(p192);
+ return LOAD_GROUP(secp192r1);
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ NIST_MODP(p224);
+ return LOAD_GROUP(secp224r1);
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ NIST_MODP(p256);
+ return LOAD_GROUP(secp256r1);
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ NIST_MODP(p384);
+ return LOAD_GROUP(secp384r1);
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ NIST_MODP(p521);
+ return LOAD_GROUP(secp521r1);
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ grp->modp = ecp_mod_p192k1;
+ return LOAD_GROUP_A(secp192k1);
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ grp->modp = ecp_mod_p224k1;
+ return LOAD_GROUP_A(secp224k1);
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ grp->modp = ecp_mod_p256k1;
+ return LOAD_GROUP_A(secp256k1);
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ return LOAD_GROUP_A(brainpoolP256r1);
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ return LOAD_GROUP_A(brainpoolP384r1);
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ return LOAD_GROUP_A(brainpoolP512r1);
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ grp->modp = ecp_mod_p255;
+ return ecp_use_curve25519(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ grp->modp = ecp_mod_p448;
+ return ecp_use_curve448(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+ default:
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation. However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ mbedtls_mpi_uint c = 0;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
+ *dst += c; c = (*dst < c);
+ *dst += *src; c += (*dst < *src);
+ }
+ *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
+ *dst += *carry;
+ *carry = (*dst < *carry);
+ }
+}
+
+#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
+#define A(i) N->p + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
+#define NEXT p += WIDTH; carry64(p, &c)
+#define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint c = 0;
+ mbedtls_mpi_uint *p, *end;
+
+ /* Make sure we have enough blocks so that A(5) is legal */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
+
+ p = N->p;
+ end = p + N->n;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); LAST; // A2 += A4 + A5
+
+cleanup:
+ return ret;
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32 cur = A(i);
+
+#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
+
+#define MAX32 N->n
+#define A(j) N->p[j]
+#define STORE32 N->p[i] = cur;
+
+#else /* 64-bit */
+
+#define MAX32 N->n * 2
+#define A(j) (j) % 2 ? (uint32_t) (N->p[(j)/2] >> 32) : \
+ (uint32_t) (N->p[(j)/2])
+#define STORE32 \
+ if (i % 2) { \
+ N->p[i/2] &= 0x00000000FFFFFFFF; \
+ N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
+ } else { \
+ N->p[i/2] &= 0xFFFFFFFF00000000; \
+ N->p[i/2] |= (mbedtls_mpi_uint) cur; \
+ }
+
+#endif /* sizeof( mbedtls_mpi_uint ) */
+
+/*
+ * Helpers for addition and subtraction of chunks, with signed carry.
+ */
+static inline void add32(uint32_t *dst, uint32_t src, signed char *carry)
+{
+ *dst += src;
+ *carry += (*dst < src);
+}
+
+static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry)
+{
+ *carry -= (*dst < src);
+ *dst -= src;
+}
+
+#define ADD(j) add32(&cur, A(j), &c);
+#define SUB(j) sub32(&cur, A(j), &c);
+
+/*
+ * Helpers for the main 'loop'
+ */
+#define INIT(b) \
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
+ signed char c = 0, cc; \
+ uint32_t cur; \
+ size_t i = 0, bits = (b); \
+ /* N is the size of the product of two b-bit numbers, plus one */ \
+ /* limb for fix_negative */ \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, (b) * 2 / biL + 1)); \
+ LOAD32;
+
+#define NEXT \
+ STORE32; i++; LOAD32; \
+ cc = c; c = 0; \
+ if (cc < 0) \
+ sub32(&cur, -cc, &c); \
+ else \
+ add32(&cur, cc, &c); \
+
+#define LAST \
+ STORE32; i++; \
+ cur = c > 0 ? c : 0; STORE32; \
+ cur = 0; while (++i < MAX32) { STORE32; } \
+ if (c < 0) mbedtls_ecp_fix_negative(N, c, bits);
+
+/*
+ * If the result is negative, we get it in the form
+ * c * 2^bits + N, with c negative and N positive shorter than 'bits'
+ */
+static void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits)
+{
+ size_t i;
+
+ /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
+ * set the absolute value to 0xfff...fff - N. There is no carry
+ * since we're subtracting from all-bits-one. */
+ for (i = 0; i <= bits / 8 / sizeof(mbedtls_mpi_uint); i++) {
+ N->p[i] = ~(mbedtls_mpi_uint) 0 - N->p[i];
+ }
+ /* Add 1, taking care of the carry. */
+ i = 0;
+ do {
+ ++N->p[i];
+ } while (N->p[i++] == 0 && i <= bits / 8 / sizeof(mbedtls_mpi_uint));
+ /* Invert the sign.
+ * Now N = N0 - 2^bits where N0 is the initial value of N. */
+ N->s = -1;
+
+ /* Add |c| * 2^bits to the absolute value. Since c and N are
+ * negative, this adds c * 2^bits. */
+ mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
+#if defined(MBEDTLS_HAVE_INT64)
+ if (bits == 224) {
+ msw <<= 32;
+ }
+#endif
+ N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw;
+}
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224(mbedtls_mpi *N)
+{
+ INIT(224);
+
+ SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
+ SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
+ SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
+ SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
+ SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
+ SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
+ SUB(13); ADD(10); LAST; // A6 += -A13 + A10
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256(mbedtls_mpi *N)
+{
+ INIT(256);
+
+ ADD(8); ADD(9);
+ SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
+
+ ADD(9); ADD(10);
+ SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
+
+ ADD(10); ADD(11);
+ SUB(13); SUB(14); SUB(15); NEXT; // A2
+
+ ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
+ SUB(15); SUB(8); SUB(9); NEXT; // A3
+
+ ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
+ SUB(9); SUB(10); NEXT; // A4
+
+ ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
+ SUB(10); SUB(11); NEXT; // A5
+
+ ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
+ SUB(8); SUB(9); NEXT; // A6
+
+ ADD(15); ADD(15); ADD(15); ADD(8);
+ SUB(10); SUB(11); SUB(12); SUB(13); LAST; // A7
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384(mbedtls_mpi *N)
+{
+ INIT(384);
+
+ ADD(12); ADD(21); ADD(20);
+ SUB(23); NEXT; // A0
+
+ ADD(13); ADD(22); ADD(23);
+ SUB(12); SUB(20); NEXT; // A2
+
+ ADD(14); ADD(23);
+ SUB(13); SUB(21); NEXT; // A2
+
+ ADD(15); ADD(12); ADD(20); ADD(21);
+ SUB(14); SUB(22); SUB(23); NEXT; // A3
+
+ ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
+ SUB(15); SUB(23); SUB(23); NEXT; // A4
+
+ ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
+ SUB(16); NEXT; // A5
+
+ ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
+ SUB(17); NEXT; // A6
+
+ ADD(19); ADD(16); ADD(15); ADD(23);
+ SUB(18); NEXT; // A7
+
+ ADD(20); ADD(17); ADD(16);
+ SUB(19); NEXT; // A8
+
+ ADD(21); ADD(18); ADD(17);
+ SUB(20); NEXT; // A9
+
+ ADD(22); ADD(19); ADD(18);
+ SUB(21); NEXT; // A10
+
+ ADD(23); ADD(20); ADD(19);
+ SUB(22); LAST; // A11
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef A
+#undef LOAD32
+#undef STORE32
+#undef MAX32
+#undef INIT
+#undef NEXT
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/*
+ * Here we have an actual Mersenne prime, so things are more straightforward.
+ * However, chunks are aligned on a 'weird' boundary (521 bits).
+ */
+
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK 0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
+ * Write N as A1 + 2^521 A0, return A0 + A1
+ */
+static int ecp_mod_p521(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M;
+ mbedtls_mpi_uint Mp[P521_WIDTH + 1];
+ /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
+ * we need to hold bits 513 to 1056, which is 34 limbs, that is
+ * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
+
+ if (N->n < P521_WIDTH) {
+ return 0;
+ }
+
+ /* M = A1 */
+ M.s = 1;
+ M.n = N->n - (P521_WIDTH - 1);
+ if (M.n > P521_WIDTH + 1) {
+ M.n = P521_WIDTH + 1;
+ }
+ M.p = Mp;
+ memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
+
+ /* N = A0 */
+ N->p[P521_WIDTH - 1] &= P521_MASK;
+ for (i = P521_WIDTH; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+cleanup:
+ return ret;
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^256 A1, return A0 + 38 * A1
+ */
+static int ecp_mod_p255(mbedtls_mpi *N)
+{
+ mbedtls_mpi_uint Mp[P255_WIDTH];
+
+ /* Helper references for top part of N */
+ mbedtls_mpi_uint * const NT_p = N->p + P255_WIDTH;
+ const size_t NT_n = N->n - P255_WIDTH;
+ if (N->n <= P255_WIDTH) {
+ return 0;
+ }
+ if (NT_n > P255_WIDTH) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Split N as N + 2^256 M */
+ memcpy(Mp, NT_p, sizeof(mbedtls_mpi_uint) * NT_n);
+ memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
+
+ /* N = A0 + 38 * A1 */
+ mbedtls_mpi_core_mla(N->p, P255_WIDTH + 1,
+ Mp, NT_n,
+ 38);
+
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
+#define P224_SIZE (224 / 8)
+#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
+#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
+#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
+ * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
+ * implementation of Curve448, which uses its own special 56-bit limbs rather
+ * than a generic bignum library. We could squeeze some extra speed out on
+ * 32-bit machines by splitting N up into 32-bit limbs and doing the
+ * arithmetic using the limbs directly as we do for the NIST primes above,
+ * but for 64-bit targets it should use half the number of operations if we do
+ * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ */
+static int ecp_mod_p448(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M, Q;
+ mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+
+ if (N->n <= P448_WIDTH) {
+ return 0;
+ }
+
+ /* M = A1 */
+ M.s = 1;
+ M.n = N->n - (P448_WIDTH);
+ if (M.n > P448_WIDTH) {
+ /* Shouldn't be called with N larger than 2^896! */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ M.p = Mp;
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
+
+ /* N = A0 */
+ for (i = P448_WIDTH; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N += A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+
+ /* Q = B1, N += B1 */
+ Q = M;
+ Q.p = Qp;
+ memcpy(Qp, Mp, sizeof(Qp));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
+
+ /* M = (B0 + B1) * 2^224, N += M */
+ if (sizeof(mbedtls_mpi_uint) > 4) {
+ Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
+ }
+ for (i = P224_WIDTH_MAX; i < M.n; ++i) {
+ Mp[i] = 0;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
+ M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write N as A0 + 2^224 A1, return A0 + R * A1.
+ * Actually do two passes, since R is big.
+ */
+#define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
+#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
+static inline int ecp_mod_koblitz(mbedtls_mpi *N, const mbedtls_mpi_uint *Rp, size_t p_limbs,
+ size_t adjust, size_t shift, mbedtls_mpi_uint mask)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M, R;
+ mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+
+ if (N->n < p_limbs) {
+ return 0;
+ }
+
+ /* Init R */
+ R.s = 1;
+ R.p = (mbedtls_mpi_uint *) Rp; /* R.p will not be modified so the cast is safe */
+ R.n = P_KOBLITZ_R;
+
+ /* Common setup for M */
+ M.s = 1;
+ M.p = Mp;
+
+ /* M = A1 */
+ M.n = (unsigned short) (N->n - (p_limbs - adjust));
+ if (M.n > p_limbs + adjust) {
+ M.n = (unsigned short) (p_limbs + adjust);
+ }
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
+ if (shift != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
+ }
+ M.n += R.n; /* Make room for multiplication by R */
+
+ /* N = A0 */
+ if (mask != 0) {
+ N->p[p_limbs - 1] &= mask;
+ }
+ for (i = p_limbs; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + R * A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+ /* Second pass */
+
+ /* M = A1 */
+ M.n = (unsigned short) (N->n - (p_limbs - adjust));
+ if (M.n > p_limbs + adjust) {
+ M.n = (unsigned short) (p_limbs + adjust);
+ }
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
+ if (shift != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
+ }
+ M.n += R.n; /* Make room for multiplication by R */
+
+ /* N = A0 */
+ if (mask != 0) {
+ N->p[p_limbs - 1] &= mask;
+ }
+ for (i = p_limbs; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + R * A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ */
+static int ecp_mod_p192k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+
+ return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+
+#if defined(MBEDTLS_HAVE_INT64)
+ return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
+#else
+ return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+#endif
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+ return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+}
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
+{
+ return MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT;
+}
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c b/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c
new file mode 100644
index 0000000..169247f
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c
@@ -0,0 +1,6033 @@
+/*
+ * Elliptic curves over GF(p): curve-specific data and functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "mbedtls/platform.h"
+
+#include "constant_time_internal.h"
+
+#include "bn_mul.h"
+#include "bignum_core.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+
+#define ECP_POINT_INIT_XY_Z0(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
+#define ECP_POINT_INIT_XY_Z1(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+static mbedtls_mpi_uint mpi_one[] = { 1 };
+#endif
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
+};
+static const mbedtls_ecp_point secp192r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
+};
+#else
+#define secp192r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
+};
+#else
+#define secp224r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
+};
+static const mbedtls_ecp_point secp256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
+};
+#else
+#define secp256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
+};
+static const mbedtls_ecp_point secp384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
+};
+#else
+#define secp384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp521r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
+};
+#else
+#define secp521r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
+};
+static const mbedtls_ecp_point secp192k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
+};
+#else
+#define secp192k1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
+};
+#else
+#define secp224k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
+};
+static const mbedtls_ecp_point secp256k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
+};
+#else
+#define secp256k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
+};
+static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
+};
+#else
+#define brainpoolP256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
+};
+static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
+};
+#else
+#define brainpoolP384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
+};
+static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
+};
+#else
+#define brainpoolP512r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+
+#if defined(ECP_LOAD_GROUP) || defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint) and
+ * len < 1048576)
+ */
+static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
+{
+ X->s = 1;
+ X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
+ X->p = (mbedtls_mpi_uint *) p;
+}
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 1;
+ X->p = mpi_one;
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load(mbedtls_ecp_group *grp,
+ const mbedtls_mpi_uint *p, size_t plen,
+ const mbedtls_mpi_uint *a, size_t alen,
+ const mbedtls_mpi_uint *b, size_t blen,
+ const mbedtls_mpi_uint *gx, size_t gxlen,
+ const mbedtls_mpi_uint *gy, size_t gylen,
+ const mbedtls_mpi_uint *n, size_t nlen,
+ const mbedtls_ecp_point *T)
+{
+ ecp_mpi_load(&grp->P, p, plen);
+ if (a != NULL) {
+ ecp_mpi_load(&grp->A, a, alen);
+ }
+ ecp_mpi_load(&grp->B, b, blen);
+ ecp_mpi_load(&grp->N, n, nlen);
+
+ ecp_mpi_load(&grp->G.X, gx, gxlen);
+ ecp_mpi_load(&grp->G.Y, gy, gylen);
+ ecp_mpi_set1(&grp->G.Z);
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ grp->h = 1;
+
+ grp->T = (mbedtls_ecp_point *) T;
+ /*
+ * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
+ */
+ grp->T_size = 0;
+
+ return 0;
+}
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
+#endif
+
+#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP(P)
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *, size_t);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+#define LOAD_GROUP_A(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ G ## _a, sizeof(G ## _a), \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+
+#define LOAD_GROUP(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ NULL, 0, \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* Constants used by ecp_use_curve25519() */
+static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
+
+/* P = 2^255 - 19 */
+static const mbedtls_mpi_uint curve25519_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X7F)
+};
+
+/* N = 2^252 + 27742317777372353535851937790883648493 */
+static const mbedtls_mpi_uint curve25519_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XED, 0XD3, 0XF5, 0X5C, 0X1A, 0X63, 0X12, 0X58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XD6, 0X9C, 0XF7, 0XA2, 0XDE, 0XF9, 0XDE, 0X14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
+};
+
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
+
+ ecp_mpi_load(&grp->P, curve25519_p, sizeof(curve25519_p));
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ ecp_mpi_load(&grp->N, curve25519_n, sizeof(curve25519_n));
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 254;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/* Constants used by ecp_use_curve448() */
+static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
+
+/* P = 2^448 - 2^224 - 1 */
+static const mbedtls_mpi_uint curve448_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFE, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
+};
+
+/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+static const mbedtls_mpi_uint curve448_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XF3, 0X44, 0X58, 0XAB, 0X92, 0XC2, 0X78, 0X23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X55, 0X8F, 0XC5, 0X8D, 0X72, 0XC2, 0X6C, 0X21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X90, 0X36, 0XD6, 0XAE, 0X49, 0XDB, 0X4E, 0XC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XE9, 0X23, 0XCA, 0X7C, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
+};
+
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
+
+ ecp_mpi_load(&grp->P, curve448_p, sizeof(curve448_p));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ ecp_mpi_load(&grp->N, curve448_n, sizeof(curve448_n));
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 447;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
+{
+ mbedtls_ecp_group_free(grp);
+
+ mbedtls_ecp_group_init(grp);
+
+ grp->id = id;
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ NIST_MODP(p192);
+ return LOAD_GROUP(secp192r1);
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ NIST_MODP(p224);
+ return LOAD_GROUP(secp224r1);
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ NIST_MODP(p256);
+ return LOAD_GROUP(secp256r1);
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ NIST_MODP(p384);
+ return LOAD_GROUP(secp384r1);
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ NIST_MODP(p521);
+ return LOAD_GROUP(secp521r1);
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ grp->modp = ecp_mod_p192k1;
+ return LOAD_GROUP_A(secp192k1);
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ grp->modp = ecp_mod_p224k1;
+ return LOAD_GROUP_A(secp224k1);
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ grp->modp = ecp_mod_p256k1;
+ return LOAD_GROUP_A(secp256k1);
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ return LOAD_GROUP_A(brainpoolP256r1);
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ return LOAD_GROUP_A(brainpoolP384r1);
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ return LOAD_GROUP_A(brainpoolP512r1);
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ grp->modp = ecp_mod_p255;
+ return ecp_use_curve25519(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ grp->modp = ecp_mod_p448;
+ return ecp_use_curve448(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+ default:
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation. However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ mbedtls_mpi_uint c = 0;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
+ *dst += c; c = (*dst < c);
+ *dst += *src; c += (*dst < *src);
+ }
+ *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
+ *dst += *carry;
+ *carry = (*dst < *carry);
+ }
+}
+
+#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
+#define A(i) Np + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
+#define NEXT p += WIDTH; carry64(p, &c)
+#define LAST p += WIDTH; do *p = 0; while (++p < end)
+#define RESET last_carry[0] = c; c = 0; p = Np
+#define ADD_LAST add64(p, last_carry, &c)
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(192) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
+{
+ mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
+ mbedtls_mpi_uint *p, *end;
+
+ if (Nn != BITS_TO_LIMBS(192) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ p = Np;
+ end = p + Nn;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); // A2 += A4 + A5
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ * It can generate a carry. */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+ // A2 += carry
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+ // A2 += carry
+
+ LAST;
+
+ return 0;
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#undef RESET
+#undef ADD_LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32 cur = A(i);
+
+#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
+
+#define MAX32 X_limbs
+#define A(j) X[j]
+#define STORE32 X[i] = (mbedtls_mpi_uint) cur;
+#define STORE0 X[i] = 0;
+
+#else /* 64 bit */
+
+#define MAX32 X_limbs * 2
+#define A(j) \
+ (j) % 2 ? \
+ (uint32_t) (X[(j) / 2] >> 32) : \
+ (uint32_t) (X[(j) / 2])
+#define STORE32 \
+ if (i % 2) { \
+ X[i/2] &= 0x00000000FFFFFFFF; \
+ X[i/2] |= (uint64_t) (cur) << 32; \
+ } else { \
+ X[i/2] &= 0xFFFFFFFF00000000; \
+ X[i/2] |= (uint32_t) cur; \
+ }
+
+#define STORE0 \
+ if (i % 2) { \
+ X[i/2] &= 0x00000000FFFFFFFF; \
+ } else { \
+ X[i/2] &= 0xFFFFFFFF00000000; \
+ }
+
+#endif
+
+static inline int8_t extract_carry(int64_t cur)
+{
+ return (int8_t) (cur >> 32);
+}
+
+#define ADD(j) cur += A(j)
+#define SUB(j) cur -= A(j)
+
+#define ADD_CARRY(cc) cur += (cc)
+#define SUB_CARRY(cc) cur -= (cc)
+
+#define ADD_LAST ADD_CARRY(last_c)
+#define SUB_LAST SUB_CARRY(last_c)
+
+/*
+ * Helpers for the main 'loop'
+ */
+#define INIT(b) \
+ int8_t c = 0, last_c; \
+ int64_t cur; \
+ size_t i = 0; \
+ LOAD32;
+
+#define NEXT \
+ c = extract_carry(cur); \
+ STORE32; i++; LOAD32; \
+ ADD_CARRY(c);
+
+#define RESET \
+ c = extract_carry(cur); \
+ last_c = c; \
+ STORE32; i = 0; LOAD32; \
+ c = 0; \
+
+#define LAST \
+ c = extract_carry(cur); \
+ STORE32; i++; \
+ if (c != 0) \
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; \
+ while (i < MAX32) { STORE0; i++; }
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(224) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p224_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(224) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(224);
+
+ SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
+ SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
+ SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
+ SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
+ SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
+ SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
+ SUB(13); ADD(10); // A6 += -A13 + A10
+
+ RESET;
+
+ /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */
+ SUB_LAST; NEXT; // A0 -= last_c
+ ; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3 += last_c
+ ; NEXT; // A4
+ ; NEXT; // A5
+ // A6
+
+ /* The carry reduction cannot generate a carry
+ * (see commit 73e8553 for details)*/
+
+ LAST;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(256) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p256_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(256) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(256);
+
+ ADD(8); ADD(9);
+ SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
+
+ ADD(9); ADD(10);
+ SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
+
+ ADD(10); ADD(11);
+ SUB(13); SUB(14); SUB(15); NEXT; // A2
+
+ ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
+ SUB(15); SUB(8); SUB(9); NEXT; // A3
+
+ ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
+ SUB(9); SUB(10); NEXT; // A4
+
+ ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
+ SUB(10); SUB(11); NEXT; // A5
+
+ ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
+ SUB(8); SUB(9); NEXT; // A6
+
+ ADD(15); ADD(15); ADD(15); ADD(8);
+ SUB(10); SUB(11); SUB(12); SUB(13); // A7
+
+ RESET;
+
+ /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
+ * to modulo reduce the final carry. */
+ ADD_LAST; NEXT; // A0
+ ; NEXT; // A1
+ ; NEXT; // A2
+ SUB_LAST; NEXT; // A3
+ ; NEXT; // A4
+ ; NEXT; // A5
+ SUB_LAST; NEXT; // A6
+ ADD_LAST; // A7
+
+ RESET;
+
+ /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
+ * to modulo reduce the carry generated by the previous reduction. */
+ ADD_LAST; NEXT; // A0
+ ; NEXT; // A1
+ ; NEXT; // A2
+ SUB_LAST; NEXT; // A3
+ ; NEXT; // A4
+ ; NEXT; // A5
+ SUB_LAST; NEXT; // A6
+ ADD_LAST; // A7
+
+ LAST;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(384) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p384_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(384) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(384);
+
+ ADD(12); ADD(21); ADD(20);
+ SUB(23); NEXT; // A0
+
+ ADD(13); ADD(22); ADD(23);
+ SUB(12); SUB(20); NEXT; // A1
+
+ ADD(14); ADD(23);
+ SUB(13); SUB(21); NEXT; // A2
+
+ ADD(15); ADD(12); ADD(20); ADD(21);
+ SUB(14); SUB(22); SUB(23); NEXT; // A3
+
+ ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
+ SUB(15); SUB(23); SUB(23); NEXT; // A4
+
+ ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
+ SUB(16); NEXT; // A5
+
+ ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
+ SUB(17); NEXT; // A6
+
+ ADD(19); ADD(16); ADD(15); ADD(23);
+ SUB(18); NEXT; // A7
+
+ ADD(20); ADD(17); ADD(16);
+ SUB(19); NEXT; // A8
+
+ ADD(21); ADD(18); ADD(17);
+ SUB(20); NEXT; // A9
+
+ ADD(22); ADD(19); ADD(18);
+ SUB(21); NEXT; // A10
+
+ ADD(23); ADD(20); ADD(19);
+ SUB(22); // A11
+
+ RESET;
+
+ /* Use 2^384 = P + 2^128 + 2^96 - 2^32 + 1 to modulo reduce the final carry */
+ ADD_LAST; NEXT; // A0
+ SUB_LAST; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3
+ ADD_LAST; NEXT; // A4
+ ; NEXT; // A5
+ ; NEXT; // A6
+ ; NEXT; // A7
+ ; NEXT; // A8
+ ; NEXT; // A9
+ ; NEXT; // A10
+ // A11
+
+ RESET;
+
+ ADD_LAST; NEXT; // A0
+ SUB_LAST; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3
+ ADD_LAST; NEXT; // A4
+ ; NEXT; // A5
+ ; NEXT; // A6
+ ; NEXT; // A7
+ ; NEXT; // A8
+ ; NEXT; // A9
+ ; NEXT; // A10
+ // A11
+
+ LAST;
+
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef LOAD32
+#undef MAX32
+#undef A
+#undef STORE32
+#undef STORE0
+#undef ADD
+#undef SUB
+#undef ADD_CARRY
+#undef SUB_CARRY
+#undef ADD_LAST
+#undef SUB_LAST
+#undef INIT
+#undef NEXT
+#undef RESET
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK 0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ */
+static int ecp_mod_p521(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(521) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ mbedtls_mpi_uint carry = 0;
+
+ if (X_limbs != BITS_TO_LIMBS(521) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Step 1: Reduction to P521_WIDTH limbs */
+ /* Helper references for bottom part of X */
+ mbedtls_mpi_uint *X0 = X;
+ size_t X0_limbs = P521_WIDTH;
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint *X1 = X + X0_limbs;
+ size_t X1_limbs = X_limbs - X0_limbs;
+ /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
+ * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
+ * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
+ * The high order limb of the result will be held in carry and the rest
+ * in X0 (that is the result will be represented as
+ * 2^P521_WIDTH carry + X0).
+ *
+ * Also, note that the resulting carry is either 0 or 1:
+ * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
+ * therefore
+ * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
+ * which in turn is less than 2 * 2^(512 + biL).
+ */
+ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
+ carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
+ /* Set X to X0 (by clearing the top part). */
+ memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
+
+ /* Step 2: Reduction modulo P521
+ *
+ * At this point X is reduced to P521_WIDTH limbs. What remains is to add
+ * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
+
+ /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
+ * Also, recall that carry is either 0 or 1. */
+ mbedtls_mpi_uint addend = carry << (biL - 9);
+ /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
+ addend += (X[P521_WIDTH - 1] >> 9);
+ X[P521_WIDTH - 1] &= P521_MASK;
+
+ /* Reuse the top part of X (already zeroed) as a helper array for
+ * carrying out the addition. */
+ mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
+ addend_arr[0] = addend;
+ (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
+ /* Both addends were less than P521 therefore X < 2 * P521. (This also means
+ * that the result fit in P521_WIDTH limbs and there won't be any carry.) */
+
+ /* Clear the reused part of X. */
+ addend_arr[0] = 0;
+
+ return 0;
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^256 A1, return A0 + 38 * A1
+ */
+static int ecp_mod_p255(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(255) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p255_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_Limbs)
+{
+
+ if (X_Limbs != BITS_TO_LIMBS(255) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_uint *carry = mbedtls_calloc(P255_WIDTH, ciL);
+ if (carry == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ /* Step 1: Reduction to P255_WIDTH limbs */
+ if (X_Limbs > P255_WIDTH) {
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint * const A1 = X + P255_WIDTH;
+ const size_t A1_limbs = X_Limbs - P255_WIDTH;
+
+ /* X = A0 + 38 * A1, capture carry out */
+ *carry = mbedtls_mpi_core_mla(X, P255_WIDTH, A1, A1_limbs, 38);
+ /* Clear top part */
+ memset(A1, 0, sizeof(mbedtls_mpi_uint) * A1_limbs);
+ }
+
+ /* Step 2: Reduce to <2p
+ * Split as A0 + 2^255*c, with c a scalar, and compute A0 + 19*c */
+ *carry <<= 1;
+ *carry += (X[P255_WIDTH - 1] >> (biL - 1));
+ *carry *= 19;
+
+ /* Clear top bit */
+ X[P255_WIDTH - 1] <<= 1; X[P255_WIDTH - 1] >>= 1;
+ /* Since the top bit for X has been cleared 0 + 0 + Carry
+ * will not overflow.
+ *
+ * Furthermore for 2p = 2^256-38. When a carry propagation on the highest
+ * limb occurs, X > 2^255 and all the remaining bits on the limb are zero.
+ * - If X < 2^255 ==> X < 2p
+ * - If X > 2^255 ==> X < 2^256 - 2^255 < 2p */
+ (void) mbedtls_mpi_core_add(X, X, carry, P255_WIDTH);
+
+ mbedtls_free(carry);
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
+#define P224_SIZE (224 / 8)
+#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
+#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
+#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
+
+static int ecp_mod_p448(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(448) * 2;
+
+ /* This is required as some tests and use cases do not pass in a Bignum of
+ * the correct size, and expect the growth to be done automatically, which
+ * will no longer happen. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+
+ ret = mbedtls_ecp_mod_p448_raw(N->p, N->n);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
+ * (B0 + B1) * 2^224. This is different to the reference implementation of
+ * Curve448, which uses its own special 56-bit limbs rather than a generic
+ * bignum library. We could squeeze some extra speed out on 32-bit machines by
+ * splitting N up into 32-bit limbs and doing the arithmetic using the limbs
+ * directly as we do for the NIST primes above, but for 64-bit targets it should
+ * use half the number of operations if we do the reduction with 224-bit limbs,
+ * since mpi_core_add will then use 64-bit adds.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ size_t round;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (X_limbs != BITS_TO_LIMBS(448) * 2) {
+ return 0;
+ }
+
+ size_t M_limbs = X_limbs - (P448_WIDTH);
+
+ if (M_limbs > P448_WIDTH) {
+ /* Shouldn't be called with X larger than 2^896! */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Both M and Q require an extra limb to catch carries. */
+ M_limbs++;
+
+ const size_t Q_limbs = M_limbs;
+ mbedtls_mpi_uint *M = NULL;
+ mbedtls_mpi_uint *Q = NULL;
+
+ M = mbedtls_calloc(M_limbs, ciL);
+
+ if (M == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ Q = mbedtls_calloc(Q_limbs, ciL);
+
+ if (Q == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ /* M = A1 */
+ memset(M, 0, (M_limbs * ciL));
+ /* Do not copy into the overflow limb, as this would read past the end of
+ * X. */
+ memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
+
+ /* X = A0 */
+ memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
+
+ /* X = X + M = A0 + A1 */
+ /* Carry here fits in oversize X. Oversize M means it will get
+ * added in, not returned as carry. */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ /* Q = B1 = M >> 224 */
+ memcpy(Q, (char *) M + P224_SIZE, P224_SIZE);
+ memset((char *) Q + P224_SIZE, 0, P224_SIZE);
+
+ /* X = X + Q = (A0 + A1) + B1
+ * Oversize Q catches potential carry here when X is already max 448 bits.
+ */
+ (void) mbedtls_mpi_core_add(X, X, Q, Q_limbs);
+
+ /* M = B0 */
+#ifdef MBEDTLS_HAVE_INT64
+ M[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
+ #endif
+ memset(M + P224_WIDTH_MAX, 0, ((M_limbs - P224_WIDTH_MAX) * ciL));
+
+ /* M = M + Q = B0 + B1 */
+ (void) mbedtls_mpi_core_add(M, M, Q, Q_limbs);
+
+ /* M = (B0 + B1) * 2^224 */
+ /* Shifted carry bit from the addition fits in oversize M. */
+ memmove((char *) M + P224_SIZE, M, P224_SIZE + ciL);
+ memset(M, 0, P224_SIZE);
+
+ /* X = X + M = (A0 + A1 + B1) + (B0 + B1) * 2^224 */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ /* In the second and third rounds A1 and B0 have at most 1 non-zero limb and
+ * B1=0.
+ * Using this we need to calculate:
+ * A0 + A1 + B1 + (B0 + B1) * 2^224 = A0 + A1 + B0 * 2^224. */
+ for (round = 0; round < 2; ++round) {
+
+ /* M = A1 */
+ memset(M, 0, (M_limbs * ciL));
+ memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
+
+ /* X = A0 */
+ memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
+
+ /* M = A1 + B0 * 2^224
+ * We know that only one limb of A1 will be non-zero and that it will be
+ * limb 0. We also know that B0 is the bottom 224 bits of A1 (which is
+ * then shifted up 224 bits), so, given M is currently A1 this turns
+ * into:
+ * M = M + (M << 224)
+ * As the single non-zero limb in B0 will be A1 limb 0 shifted up by 224
+ * bits, we can just move that into the right place, shifted up
+ * accordingly.*/
+ M[P224_WIDTH_MIN] = M[0] << (224 & (biL - 1));
+
+ /* X = A0 + (A1 + B0 * 2^224) */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_free(M);
+ mbedtls_free(Q);
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write X as A0 + 2^224 A1, return A0 + R * A1.
+ */
+#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
+
+static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ mbedtls_mpi_uint *R,
+ size_t bits)
+{
+ int ret = 0;
+
+ /* Determine if A1 is aligned to limb bitsize. If not then the used limbs
+ * of P, A0 and A1 must be set accordingly and there is a middle limb
+ * which is shared by A0 and A1 and need to handle accordingly.
+ */
+ size_t shift = bits % biL;
+ size_t adjust = (shift + biL - 1) / biL;
+ size_t P_limbs = bits / biL + adjust;
+
+ mbedtls_mpi_uint *A1 = mbedtls_calloc(P_limbs, ciL);
+ if (A1 == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ /* Create a buffer to store the value of `R * A1` */
+ size_t R_limbs = P_KOBLITZ_R;
+ size_t M_limbs = P_limbs + R_limbs;
+ mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
+ if (M == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ mbedtls_mpi_uint mask = 0;
+ if (adjust != 0) {
+ mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
+ }
+
+ /* Two passes are needed to reduce the value of `A0 + R * A1` and then
+ * we need an additional one to reduce the possible overflow during
+ * the addition.
+ */
+ for (size_t pass = 0; pass < 3; pass++) {
+ /* Copy A1 */
+ memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
+
+ /* Shift A1 to be aligned */
+ if (shift != 0) {
+ mbedtls_mpi_core_shift_r(A1, P_limbs, shift);
+ }
+
+ /* Zeroize the A1 part of the shared limb */
+ if (mask != 0) {
+ X[P_limbs - 1] &= mask;
+ }
+
+ /* X = A0
+ * Zeroize the A1 part of X to keep only the A0 part.
+ */
+ for (size_t i = P_limbs; i < X_limbs; i++) {
+ X[i] = 0;
+ }
+
+ /* X = A0 + R * A1 */
+ mbedtls_mpi_core_mul(M, A1, P_limbs, R, R_limbs);
+ (void) mbedtls_mpi_core_add(X, X, M, P_limbs + R_limbs);
+
+ /* Carry can not be generated since R is a 33-bit value and stored in
+ * 64 bits. The result value of the multiplication is at most
+ * P length + 33 bits in length and the result value of the addition
+ * is at most P length + 34 bits in length. So the result of the
+ * addition always fits in P length + 64 bits.
+ */
+ }
+
+cleanup:
+ mbedtls_free(M);
+ mbedtls_free(A1);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ */
+static int ecp_mod_p192k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(192) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(192) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 192);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(224) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(224) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 224);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(256) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(256) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 256);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_modulus_type ctype)
+{
+ mbedtls_mpi_modp_fn modp = NULL;
+ mbedtls_mpi_uint *p = NULL;
+ size_t p_limbs;
+
+ if (!(ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE || \
+ ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_SCALAR)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p192_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp192r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p224_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp224r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p256_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p384_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p521_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp521r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp521r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p255_raw;
+ p = (mbedtls_mpi_uint *) curve25519_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve25519_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p192k1_raw;
+ p = (mbedtls_mpi_uint *) secp192k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p224k1_raw;
+ p = (mbedtls_mpi_uint *) secp224k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p256k1_raw;
+ p = (mbedtls_mpi_uint *) secp256k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p448_raw;
+ p = (mbedtls_mpi_uint *) curve448_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve448_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n));
+ }
+ break;
+#endif
+
+ default:
+ case MBEDTLS_ECP_DP_NONE:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if (modp != NULL) {
+ if (mbedtls_mpi_mod_optred_modulus_setup(N, p, p_limbs, modp)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ } else {
+ if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ }
+ return 0;
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
+{
+ return MBEDTLS_ECP_VARIANT_WITH_MPI_UINT;
+}
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp_invasive.h b/tf-psa-crypto/drivers/builtin/src/ecp_invasive.h
new file mode 100644
index 0000000..ff9f9ec
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ecp_invasive.h
@@ -0,0 +1,325 @@
+/**
+ * \file ecp_invasive.h
+ *
+ * \brief ECP module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ECP_INVASIVE_H
+#define MBEDTLS_ECP_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
+#include "mbedtls/ecp.h"
+
+/*
+ * Curve modulus types
+ */
+typedef enum {
+ MBEDTLS_ECP_MOD_NONE = 0,
+ MBEDTLS_ECP_MOD_COORDINATE,
+ MBEDTLS_ECP_MOD_SCALAR
+} mbedtls_ecp_modulus_type;
+
+typedef enum {
+ MBEDTLS_ECP_VARIANT_NONE = 0,
+ MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT,
+ MBEDTLS_ECP_VARIANT_WITH_MPI_UINT
+} mbedtls_ecp_variant;
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_LIGHT)
+
+/** Queries the ecp variant.
+ *
+ * \return The id of the ecp variant.
+ */
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).
+ *
+ * This function implements key generation for the set of secret keys
+ * specified in [Curve25519] p. 5 and in [Curve448]. The resulting value
+ * has the lower bits masked but is not necessarily canonical.
+ *
+ * \note - [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ * - [RFC7748] https://tools.ietf.org/html/rfc7748
+ *
+ * \p high_bit The position of the high-order bit of the key to generate.
+ * This is the bit-size of the key minus 1:
+ * 254 for Curve25519 or 447 for Curve448.
+ * \param d The randomly generated key. This is a number of size
+ * exactly \p high_bit + 1 bits, with the least significant bits
+ * masked as specified in [Curve25519] and in [RFC7748] §5.
+ * \param f_rng The RNG function.
+ * \param p_rng The RNG context to be passed to \p f_rng.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_ECP_xxx or MBEDTLS_ERR_MPI_xxx on failure.
+ */
+int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+
+/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ *
+ * This operation expects a 384 bit MPI and the result of the reduction
+ * is a 192 bit MPI.
+ *
+ * \param[in,out] Np The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus.
+ * Upon return this holds the reduced value. The bitlength
+ * of the reduced value is the same as that of the modulus
+ * (192 bits).
+ * \param[in] Nn The length of \p Np in limbs.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+
+/** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 448-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (224 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
+ * limb size that sores a 448-bit MPI.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+
+/** Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 512-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (256 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
+ * limb size that sores a 512-bit MPI.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+
+/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus
+ * (the modulus is 521 bits long). Upon return this
+ * holds the reduced value. The reduced value is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * and its the bitlength is one plus the bitlength
+ * of the modulus.
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+
+/** Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 768-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (384 bits).
+ * \param[in] X_limbs The length of \p N in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p N_n does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+
+/** Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 384-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (192 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+
+/** Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 448-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (224 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/** Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 512-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (256 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/** Fast quasi-reduction modulo p255 = 2^255 - 19
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 510-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/** Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
+ * (B0 + B1) * 2^224.
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 896-bit MPI
+ * (double the bitlength of the modulus). Upon return
+ * holds the reduced value which is in range `0 <= X <
+ * N` (where N is the modulus). The bitlength of the
+ * reduced value is the same as that of the modulus
+ * (448 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on Success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation
+ * failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/** Initialise a modulus with hard-coded const curve data.
+ *
+ * \note The caller is responsible for the \p N modulus' memory.
+ * mbedtls_mpi_mod_modulus_free(&N) should be invoked at the
+ * end of its lifecycle.
+ *
+ * \param[in,out] N The address of the modulus structure to populate.
+ * Must be initialized.
+ * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
+ * \param[in] ctype The mbedtls_ecp_modulus_type identifier for a coordinate modulus (P)
+ * or a scalar modulus (N).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ *
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_modulus_type ctype);
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
+
+#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/tf-psa-crypto/drivers/builtin/src/entropy.c b/tf-psa-crypto/drivers/builtin/src/entropy.c
new file mode 100644
index 0000000..7dcf067
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/entropy.c
@@ -0,0 +1,680 @@
+/*
+ * Entropy accumulator implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "entropy_poll.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+#define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */
+
+void mbedtls_entropy_init(mbedtls_entropy_context *ctx)
+{
+ ctx->source_count = 0;
+ memset(ctx->source, 0, sizeof(ctx->source));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ ctx->accumulator_started = 0;
+ mbedtls_md_init(&ctx->accumulator);
+
+ /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+ * when adding more strong entropy sources here. */
+
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+ mbedtls_entropy_add_source(ctx, mbedtls_platform_entropy_poll, NULL,
+ MBEDTLS_ENTROPY_MIN_PLATFORM,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+ mbedtls_entropy_add_source(ctx, mbedtls_hardware_poll, NULL,
+ MBEDTLS_ENTROPY_MIN_HARDWARE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ mbedtls_entropy_add_source(ctx, mbedtls_nv_seed_poll, NULL,
+ MBEDTLS_ENTROPY_BLOCK_SIZE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+ ctx->initial_entropy_run = 0;
+#endif
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+}
+
+void mbedtls_entropy_free(mbedtls_entropy_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ /* If the context was already free, don't call free() again.
+ * This is important for mutexes which don't allow double-free. */
+ if (ctx->accumulator_started == -1) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&ctx->mutex);
+#endif
+ mbedtls_md_free(&ctx->accumulator);
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ ctx->initial_entropy_run = 0;
+#endif
+ ctx->source_count = 0;
+ mbedtls_platform_zeroize(ctx->source, sizeof(ctx->source));
+ ctx->accumulator_started = -1;
+}
+
+int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
+ mbedtls_entropy_f_source_ptr f_source, void *p_source,
+ size_t threshold, int strong)
+{
+ int idx, ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ idx = ctx->source_count;
+ if (idx >= MBEDTLS_ENTROPY_MAX_SOURCES) {
+ ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
+ goto exit;
+ }
+
+ ctx->source[idx].f_source = f_source;
+ ctx->source[idx].p_source = p_source;
+ ctx->source[idx].threshold = threshold;
+ ctx->source[idx].strong = strong;
+
+ ctx->source_count++;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Entropy accumulator update
+ */
+static int entropy_update(mbedtls_entropy_context *ctx, unsigned char source_id,
+ const unsigned char *data, size_t len)
+{
+ unsigned char header[2];
+ unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
+ size_t use_len = len;
+ const unsigned char *p = data;
+ int ret = 0;
+
+ if (use_len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
+ data, len, tmp)) != 0) {
+ goto cleanup;
+ }
+ p = tmp;
+ use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+ }
+
+ header[0] = source_id;
+ header[1] = use_len & 0xFF;
+
+ /*
+ * Start the accumulator if this has not already happened. Note that
+ * it is sufficient to start the accumulator here only because all calls to
+ * gather entropy eventually execute this code.
+ */
+ if (ctx->accumulator_started == 0) {
+ ret = mbedtls_md_setup(&ctx->accumulator,
+ mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ ret = mbedtls_md_starts(&ctx->accumulator);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ ctx->accumulator_started = 1;
+ }
+ if ((ret = mbedtls_md_update(&ctx->accumulator, header, 2)) != 0) {
+ goto cleanup;
+ }
+ ret = mbedtls_md_update(&ctx->accumulator, p, use_len);
+
+cleanup:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+
+ return ret;
+}
+
+int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
+ const unsigned char *data, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = entropy_update(ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Run through the different sources to add entropy to our accumulator
+ */
+static int entropy_gather_internal(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ int i;
+ int have_one_strong = 0;
+ unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
+ size_t olen;
+
+ if (ctx->source_count == 0) {
+ return MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED;
+ }
+
+ /*
+ * Run through our entropy sources
+ */
+ for (i = 0; i < ctx->source_count; i++) {
+ if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
+ have_one_strong = 1;
+ }
+
+ olen = 0;
+ if ((ret = ctx->source[i].f_source(ctx->source[i].p_source,
+ buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Add if we actually gathered something
+ */
+ if (olen > 0) {
+ if ((ret = entropy_update(ctx, (unsigned char) i,
+ buf, olen)) != 0) {
+ return ret;
+ }
+ ctx->source[i].size += olen;
+ }
+ }
+
+ if (have_one_strong == 0) {
+ ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+
+/*
+ * Thread-safe wrapper for entropy_gather_internal()
+ */
+int mbedtls_entropy_gather(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = entropy_gather_internal(ctx);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+int mbedtls_entropy_func(void *data, unsigned char *output, size_t len)
+{
+ int ret, count = 0, i, thresholds_reached;
+ size_t strong_size;
+ mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ if (len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ /* Update the NV entropy seed before generating any entropy for outside
+ * use.
+ */
+ if (ctx->initial_entropy_run == 0) {
+ ctx->initial_entropy_run = 1;
+ if ((ret = mbedtls_entropy_update_nv_seed(ctx)) != 0) {
+ return ret;
+ }
+ }
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ /*
+ * Always gather extra entropy before a call
+ */
+ do {
+ if (count++ > ENTROPY_MAX_LOOP) {
+ ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ goto exit;
+ }
+
+ if ((ret = entropy_gather_internal(ctx)) != 0) {
+ goto exit;
+ }
+
+ thresholds_reached = 1;
+ strong_size = 0;
+ for (i = 0; i < ctx->source_count; i++) {
+ if (ctx->source[i].size < ctx->source[i].threshold) {
+ thresholds_reached = 0;
+ }
+ if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
+ strong_size += ctx->source[i].size;
+ }
+ }
+ } while (!thresholds_reached || strong_size < MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ /*
+ * Note that at this stage it is assumed that the accumulator was started
+ * in a previous call to entropy_update(). If this is not guaranteed, the
+ * code below will fail.
+ */
+ if ((ret = mbedtls_md_finish(&ctx->accumulator, buf)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Reset accumulator and counters and recycle existing entropy
+ */
+ mbedtls_md_free(&ctx->accumulator);
+ mbedtls_md_init(&ctx->accumulator);
+ ret = mbedtls_md_setup(&ctx->accumulator,
+ mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_starts(&ctx->accumulator);
+ if (ret != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&ctx->accumulator, buf,
+ MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Perform second hashing on entropy
+ */
+ if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
+ buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf)) != 0) {
+ goto exit;
+ }
+
+ for (i = 0; i < ctx->source_count; i++) {
+ ctx->source[i].size = 0;
+ }
+
+ memcpy(output, buf, len);
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ /* Read new seed and write it to NV */
+ if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ return ret;
+ }
+
+ if (mbedtls_nv_seed_write(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
+ return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ }
+
+ /* Manually update the remaining stream with a separator value to diverge */
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+ ret = mbedtls_entropy_update_manual(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ return ret;
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f = NULL;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ goto exit;
+ }
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ if (f != NULL) {
+ fclose(f);
+ }
+
+ return ret;
+}
+
+int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path)
+{
+ int ret = 0;
+ FILE *f;
+ size_t n;
+ unsigned char buf[MBEDTLS_ENTROPY_MAX_SEED_SIZE];
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ fseek(f, 0, SEEK_END);
+ n = (size_t) ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ if (n > MBEDTLS_ENTROPY_MAX_SEED_SIZE) {
+ n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
+ }
+
+ if (fread(buf, 1, n, f) != n) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ } else {
+ ret = mbedtls_entropy_update_manual(ctx, buf, n);
+ }
+
+ fclose(f);
+
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_entropy_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Dummy source function
+ */
+static int entropy_dummy_source(void *data, unsigned char *output,
+ size_t len, size_t *olen)
+{
+ ((void) data);
+
+ memset(output, 0x2a, len);
+ *olen = len;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+
+static int mbedtls_entropy_source_self_test_gather(unsigned char *buf, size_t buf_len)
+{
+ int ret = 0;
+ size_t entropy_len = 0;
+ size_t olen = 0;
+ size_t attempts = buf_len;
+
+ while (attempts > 0 && entropy_len < buf_len) {
+ if ((ret = mbedtls_hardware_poll(NULL, buf + entropy_len,
+ buf_len - entropy_len, &olen)) != 0) {
+ return ret;
+ }
+
+ entropy_len += olen;
+ attempts--;
+ }
+
+ if (entropy_len < buf_len) {
+ ret = 1;
+ }
+
+ return ret;
+}
+
+
+static int mbedtls_entropy_source_self_test_check_bits(const unsigned char *buf,
+ size_t buf_len)
+{
+ unsigned char set = 0xFF;
+ unsigned char unset = 0x00;
+ size_t i;
+
+ for (i = 0; i < buf_len; i++) {
+ set &= buf[i];
+ unset |= buf[i];
+ }
+
+ return set == 0xFF || unset == 0x00;
+}
+
+/*
+ * A test to ensure that the entropy sources are functioning correctly
+ * and there is no obvious failure. The test performs the following checks:
+ * - The entropy source is not providing only 0s (all bits unset) or 1s (all
+ * bits set).
+ * - The entropy source is not providing values in a pattern. Because the
+ * hardware could be providing data in an arbitrary length, this check polls
+ * the hardware entropy source twice and compares the result to ensure they
+ * are not equal.
+ * - The error code returned by the entropy source is not an error.
+ */
+int mbedtls_entropy_source_self_test(int verbose)
+{
+ int ret = 0;
+ unsigned char buf0[2 * sizeof(unsigned long long int)];
+ unsigned char buf1[2 * sizeof(unsigned long long int)];
+
+ if (verbose != 0) {
+ mbedtls_printf(" ENTROPY_BIAS test: ");
+ }
+
+ memset(buf0, 0x00, sizeof(buf0));
+ memset(buf1, 0x00, sizeof(buf1));
+
+ if ((ret = mbedtls_entropy_source_self_test_gather(buf0, sizeof(buf0))) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_entropy_source_self_test_gather(buf1, sizeof(buf1))) != 0) {
+ goto cleanup;
+ }
+
+ /* Make sure that the returned values are not all 0 or 1 */
+ if ((ret = mbedtls_entropy_source_self_test_check_bits(buf0, sizeof(buf0))) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_entropy_source_self_test_check_bits(buf1, sizeof(buf1))) != 0) {
+ goto cleanup;
+ }
+
+ /* Make sure that the entropy source is not returning values in a
+ * pattern */
+ ret = memcmp(buf0, buf1, sizeof(buf0)) == 0;
+
+cleanup:
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed\n");
+ } else {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_printf("\n");
+ }
+
+ return ret != 0;
+}
+
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+/*
+ * The actual entropy quality is hard to test, but we can at least
+ * test that the functions don't cause errors and write the correct
+ * amount of data to buffers.
+ */
+int mbedtls_entropy_self_test(int verbose)
+{
+ int ret = 1;
+ mbedtls_entropy_context ctx;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+ unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+ size_t i, j;
+
+ if (verbose != 0) {
+ mbedtls_printf(" ENTROPY test: ");
+ }
+
+ mbedtls_entropy_init(&ctx);
+
+ /* First do a gather to make sure we have default sources */
+ if ((ret = mbedtls_entropy_gather(&ctx)) != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_entropy_add_source(&ctx, entropy_dummy_source, NULL, 16,
+ MBEDTLS_ENTROPY_SOURCE_WEAK);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof(buf))) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * To test that mbedtls_entropy_func writes correct number of bytes:
+ * - use the whole buffer and rely on ASan to detect overruns
+ * - collect entropy 8 times and OR the result in an accumulator:
+ * any byte should then be 0 with probably 2^(-64), so requiring
+ * each of the 32 or 64 bytes to be non-zero has a false failure rate
+ * of at most 2^(-58) which is acceptable.
+ */
+ for (i = 0; i < 8; i++) {
+ if ((ret = mbedtls_entropy_func(&ctx, buf, sizeof(buf))) != 0) {
+ goto cleanup;
+ }
+
+ for (j = 0; j < sizeof(buf); j++) {
+ acc[j] |= buf[j];
+ }
+ }
+
+ for (j = 0; j < sizeof(buf); j++) {
+ if (acc[j] == 0) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+ if ((ret = mbedtls_entropy_source_self_test(0)) != 0) {
+ goto cleanup;
+ }
+#endif
+
+cleanup:
+ mbedtls_entropy_free(&ctx);
+
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed\n");
+ } else {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_printf("\n");
+ }
+
+ return ret != 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ENTROPY_C */
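Review bot: In entropy_gather_internal(), the failure branch after entropy_update() exits with `return ret;` and so bypasses the `cleanup:` label, leaving the bytes just polled from the source in the stack buffer `buf` without the mbedtls_platform_zeroize() call. The poll-failure branch a few lines above already uses `goto cleanup;`, and the same statement here would wipe the buffer on every exit after a poll. The early return for `source_count == 0` is fine as it stands, because nothing has been written to `buf` at that point.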
diff --git a/tf-psa-crypto/drivers/builtin/src/entropy_poll.c b/tf-psa-crypto/drivers/builtin/src/entropy_poll.c
new file mode 100644
index 0000000..611768c
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/entropy_poll.c
@@ -0,0 +1,231 @@
+/*
+ * Platform-specific and custom entropy polling functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#if defined(__linux__) || defined(__midipix__)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE
+#endif
+#endif
+
+#include "common.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "entropy_poll.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_TIMING_C)
+#include "mbedtls/timing.h"
+#endif
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__) && !defined(__midipix__) && !defined(__MVS__)
+#error \
+ "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <bcrypt.h>
+#include <intsafe.h>
+
+int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
+ size_t *olen)
+{
+ ((void) data);
+ *olen = 0;
+
+ /*
+ * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
+ * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
+ * on ULONG_MAX) size.
+ */
+ while (len != 0) {
+ unsigned long ulong_bytes =
+ (len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
+
+ if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
+ BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ *olen += ulong_bytes;
+ len -= ulong_bytes;
+ }
+
+ return 0;
+}
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+#include <errno.h>
+
+static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
+{
+ /* MemSan cannot understand that the syscall writes to the buffer */
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+ memset(buf, 0, buflen);
+#endif
+#endif
+ return (int) syscall(SYS_getrandom, buf, buflen, flags);
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ || __midipix__ */
+
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
+ (defined(__DragonFly__) && __DragonFly_version >= 500700)
+#include <errno.h>
+#include <sys/random.h>
+#define HAVE_GETRANDOM
+static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
+{
+ return (int) getrandom(buf, buflen, flags);
+}
+#endif /* (__FreeBSD__ && __FreeBSD_version >= 1200000) ||
+ (__DragonFly__ && __DragonFly_version >= 500700) */
+#endif /* __FreeBSD__ || __DragonFly__ */
+
+/*
+ * Some BSD systems provide KERN_ARND.
+ * This is equivalent to reading from /dev/urandom, only it doesn't require an
+ * open file descriptor, and provides up to 256 bytes per call (basically the
+ * same as getentropy(), but with a longer history).
+ *
+ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
+ */
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#if defined(KERN_ARND)
+#define HAVE_SYSCTL_ARND
+
+static int sysctl_arnd_wrapper(unsigned char *buf, size_t buflen)
+{
+ int name[2];
+ size_t len;
+
+ name[0] = CTL_KERN;
+ name[1] = KERN_ARND;
+
+ while (buflen > 0) {
+ len = buflen > 256 ? 256 : buflen;
+ if (sysctl(name, 2, buf, &len, NULL, 0) == -1) {
+ return -1;
+ }
+ buflen -= len;
+ buf += len;
+ }
+ return 0;
+}
+#endif /* KERN_ARND */
+#endif /* __FreeBSD__ || __NetBSD__ */
+
+#include <stdio.h>
+
+int mbedtls_platform_entropy_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen)
+{
+ FILE *file;
+ size_t read_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) data);
+
+#if defined(HAVE_GETRANDOM)
+ ret = getrandom_wrapper(output, len, 0);
+ if (ret >= 0) {
+ *olen = (size_t) ret;
+ return 0;
+ } else if (errno != ENOSYS) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+ /* Fall through if the system call isn't known. */
+#else
+ ((void) ret);
+#endif /* HAVE_GETRANDOM */
+
+#if defined(HAVE_SYSCTL_ARND)
+ ((void) file);
+ ((void) read_len);
+ if (sysctl_arnd_wrapper(output, len) == -1) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+ *olen = len;
+ return 0;
+#else
+
+ *olen = 0;
+
+ file = fopen("/dev/urandom", "rb");
+ if (file == NULL) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ read_len = fread(output, 1, len, file);
+ if (read_len != len) {
+ fclose(file);
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ fclose(file);
+ *olen = len;
+
+ return 0;
+#endif /* HAVE_SYSCTL_ARND */
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_nv_seed_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen)
+{
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+ size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+ ((void) data);
+
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ if (mbedtls_nv_seed_read(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ if (len < use_len) {
+ use_len = len;
+ }
+
+ memcpy(output, buf, use_len);
+ *olen = use_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#endif /* MBEDTLS_ENTROPY_C */
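Review bot: In the Windows variant of mbedtls_platform_entropy_poll(), the chunking loop never advances `output`, so for a `len` above ULONG_MAX every BCryptGenRandom() call after the first overwrites the start of the buffer. `*olen` still grows to the full length, so the unwritten tail would be reported to the caller as gathered entropy. Adding `output += ulong_bytes;` next to `len -= ulong_bytes;` closes the gap. The caller visible in entropy.c requests MBEDTLS_ENTROPY_MAX_GATHER bytes, so this is presumably latent for the built-in accumulator, but nothing in the function itself limits `len`.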
diff --git a/tf-psa-crypto/drivers/builtin/src/entropy_poll.h b/tf-psa-crypto/drivers/builtin/src/entropy_poll.h
new file mode 100644
index 0000000..6b4aec0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/entropy_poll.h
@@ -0,0 +1,64 @@
+/**
+ * \file entropy_poll.h
+ *
+ * \brief Platform-specific and custom entropy polling functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ENTROPY_POLL_H
+#define MBEDTLS_ENTROPY_POLL_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Default thresholds for built-in sources, in bytes
+ */
+#define MBEDTLS_ENTROPY_MIN_PLATFORM 32 /**< Minimum for platform source */
+#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Minimum for the hardware source */
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief Entropy poll callback for a hardware source
+ *
+ * \warning This is not provided by Mbed TLS!
+ * See \c MBEDTLS_ENTROPY_HARDWARE_ALT in mbedtls_config.h.
+ *
+ * \note This must accept NULL as its first argument.
+ */
+int mbedtls_hardware_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief Entropy poll callback for a non-volatile seed file
+ *
+ * \note This must accept NULL as its first argument.
+ */
+int mbedtls_nv_seed_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy_poll.h */
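Review bot: The poll callback declarations carry only a `\brief` and do not state the output contract that entropy_gather_internal() in entropy.c depends on. That function passes a buffer of MBEDTLS_ENTROPY_MAX_GATHER bytes and then feeds `olen` bytes of it to entropy_update() without comparing `olen` to the requested length. For mbedtls_hardware_poll(), which the header says is not provided by Mbed TLS, I would add `\note On success this must return 0 and set \p *olen to the number of bytes written, which must not exceed \p len.` A matching `\param`/`\return` description on mbedtls_platform_entropy_poll() and mbedtls_nv_seed_poll() would keep the three declarations consistent.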
diff --git a/tf-psa-crypto/drivers/builtin/src/gcm.c b/tf-psa-crypto/drivers/builtin/src/gcm.c
new file mode 100644
index 0000000..5dfac23
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/gcm.c
@@ -0,0 +1,1330 @@
+/*
+ * NIST SP800-38D compliant GCM implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "block_cipher_internal.h"
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "aesni.h"
+#endif
+
+#if defined(MBEDTLS_AESCE_C)
+#include "aesce.h"
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/* Used to select the acceleration mechanism */
+#define MBEDTLS_GCM_ACC_SMALLTABLE 0
+#define MBEDTLS_GCM_ACC_LARGETABLE 1
+#define MBEDTLS_GCM_ACC_AESNI 2
+#define MBEDTLS_GCM_ACC_AESCE 3
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init(mbedtls_gcm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_gcm_context));
+}
+
+static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx)
+{
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+ ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE;
+#else
+ ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE;
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ /* With CLMUL support, we need only h, not the rest of the table */
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
+ ctx->acceleration = MBEDTLS_GCM_ACC_AESNI;
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ ctx->acceleration = MBEDTLS_GCM_ACC_AESCE;
+ }
+#endif
+}
+
+static inline void gcm_gen_table_rightshift(uint64_t dst[2], const uint64_t src[2])
+{
+ uint8_t *u8Dst = (uint8_t *) dst;
+ uint8_t *u8Src = (uint8_t *) src;
+
+ MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[1], 0) >> 1, &dst[1], 0);
+ u8Dst[8] |= (u8Src[7] & 0x01) << 7;
+ MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[0], 0) >> 1, &dst[0], 0);
+ u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0;
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ * HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table(mbedtls_gcm_context *ctx)
+{
+ int ret, i, j;
+ uint64_t u64h[2] = { 0 };
+ uint8_t *h = (uint8_t *) u64h;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, h, h);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen);
+#endif
+ if (ret != 0) {
+ return ret;
+ }
+
+ gcm_set_acceleration(ctx);
+
+ /* MBEDTLS_GCM_HTABLE_SIZE/2 = 1000 corresponds to 1 in GF(2^128) */
+ ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][0] = u64h[0];
+ ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][1] = u64h[1];
+
+ switch (ctx->acceleration) {
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESNI:
+ return 0;
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESCE:
+ return 0;
+#endif
+
+ default:
+ /* 0 corresponds to 0 in GF(2^128) */
+ ctx->H[0][0] = 0;
+ ctx->H[0][1] = 0;
+
+ for (i = MBEDTLS_GCM_HTABLE_SIZE/4; i > 0; i >>= 1) {
+ gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]);
+ }
+
+#if !defined(MBEDTLS_GCM_LARGE_TABLE)
+ /* pack elements of H as 64-bits ints, big-endian */
+ for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) {
+ MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0);
+ MBEDTLS_PUT_UINT64_BE(ctx->H[i][1], &ctx->H[i][1], 0);
+ }
+#endif
+
+ for (i = 2; i < MBEDTLS_GCM_HTABLE_SIZE; i <<= 1) {
+ for (j = 1; j < i; j++) {
+ mbedtls_xor_no_simd((unsigned char *) ctx->H[i+j],
+ (unsigned char *) ctx->H[i],
+ (unsigned char *) ctx->H[j],
+ 16);
+ }
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (keybits != 128 && keybits != 192 && keybits != 256) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+
+ if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) {
+ return ret;
+ }
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return ret;
+ }
+#endif
+
+ if ((ret = gcm_gen_table(ctx)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+static const uint16_t last8[256] = {
+ 0x0000, 0xc201, 0x8403, 0x4602, 0x0807, 0xca06, 0x8c04, 0x4e05,
+ 0x100e, 0xd20f, 0x940d, 0x560c, 0x1809, 0xda08, 0x9c0a, 0x5e0b,
+ 0x201c, 0xe21d, 0xa41f, 0x661e, 0x281b, 0xea1a, 0xac18, 0x6e19,
+ 0x3012, 0xf213, 0xb411, 0x7610, 0x3815, 0xfa14, 0xbc16, 0x7e17,
+ 0x4038, 0x8239, 0xc43b, 0x063a, 0x483f, 0x8a3e, 0xcc3c, 0x0e3d,
+ 0x5036, 0x9237, 0xd435, 0x1634, 0x5831, 0x9a30, 0xdc32, 0x1e33,
+ 0x6024, 0xa225, 0xe427, 0x2626, 0x6823, 0xaa22, 0xec20, 0x2e21,
+ 0x702a, 0xb22b, 0xf429, 0x3628, 0x782d, 0xba2c, 0xfc2e, 0x3e2f,
+ 0x8070, 0x4271, 0x0473, 0xc672, 0x8877, 0x4a76, 0x0c74, 0xce75,
+ 0x907e, 0x527f, 0x147d, 0xd67c, 0x9879, 0x5a78, 0x1c7a, 0xde7b,
+ 0xa06c, 0x626d, 0x246f, 0xe66e, 0xa86b, 0x6a6a, 0x2c68, 0xee69,
+ 0xb062, 0x7263, 0x3461, 0xf660, 0xb865, 0x7a64, 0x3c66, 0xfe67,
+ 0xc048, 0x0249, 0x444b, 0x864a, 0xc84f, 0x0a4e, 0x4c4c, 0x8e4d,
+ 0xd046, 0x1247, 0x5445, 0x9644, 0xd841, 0x1a40, 0x5c42, 0x9e43,
+ 0xe054, 0x2255, 0x6457, 0xa656, 0xe853, 0x2a52, 0x6c50, 0xae51,
+ 0xf05a, 0x325b, 0x7459, 0xb658, 0xf85d, 0x3a5c, 0x7c5e, 0xbe5f,
+ 0x00e1, 0xc2e0, 0x84e2, 0x46e3, 0x08e6, 0xcae7, 0x8ce5, 0x4ee4,
+ 0x10ef, 0xd2ee, 0x94ec, 0x56ed, 0x18e8, 0xdae9, 0x9ceb, 0x5eea,
+ 0x20fd, 0xe2fc, 0xa4fe, 0x66ff, 0x28fa, 0xeafb, 0xacf9, 0x6ef8,
+ 0x30f3, 0xf2f2, 0xb4f0, 0x76f1, 0x38f4, 0xfaf5, 0xbcf7, 0x7ef6,
+ 0x40d9, 0x82d8, 0xc4da, 0x06db, 0x48de, 0x8adf, 0xccdd, 0x0edc,
+ 0x50d7, 0x92d6, 0xd4d4, 0x16d5, 0x58d0, 0x9ad1, 0xdcd3, 0x1ed2,
+ 0x60c5, 0xa2c4, 0xe4c6, 0x26c7, 0x68c2, 0xaac3, 0xecc1, 0x2ec0,
+ 0x70cb, 0xb2ca, 0xf4c8, 0x36c9, 0x78cc, 0xbacd, 0xfccf, 0x3ece,
+ 0x8091, 0x4290, 0x0492, 0xc693, 0x8896, 0x4a97, 0x0c95, 0xce94,
+ 0x909f, 0x529e, 0x149c, 0xd69d, 0x9898, 0x5a99, 0x1c9b, 0xde9a,
+ 0xa08d, 0x628c, 0x248e, 0xe68f, 0xa88a, 0x6a8b, 0x2c89, 0xee88,
+ 0xb083, 0x7282, 0x3480, 0xf681, 0xb884, 0x7a85, 0x3c87, 0xfe86,
+ 0xc0a9, 0x02a8, 0x44aa, 0x86ab, 0xc8ae, 0x0aaf, 0x4cad, 0x8eac,
+ 0xd0a7, 0x12a6, 0x54a4, 0x96a5, 0xd8a0, 0x1aa1, 0x5ca3, 0x9ea2,
+ 0xe0b5, 0x22b4, 0x64b6, 0xa6b7, 0xe8b2, 0x2ab3, 0x6cb1, 0xaeb0,
+ 0xf0bb, 0x32ba, 0x74b8, 0xb6b9, 0xf8bc, 0x3abd, 0x7cbf, 0xbebe
+};
+
+static void gcm_mult_largetable(uint8_t *output, const uint8_t *x, uint64_t H[256][2])
+{
+ int i;
+ uint64_t u64z[2];
+ uint16_t *u16z = (uint16_t *) u64z;
+ uint8_t *u8z = (uint8_t *) u64z;
+ uint8_t rem;
+
+ u64z[0] = 0;
+ u64z[1] = 0;
+
+ if (MBEDTLS_IS_BIG_ENDIAN) {
+ for (i = 15; i > 0; i--) {
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16);
+ rem = u8z[15];
+
+ u64z[1] >>= 8;
+ u8z[8] = u8z[7];
+ u64z[0] >>= 8;
+
+ u16z[0] ^= MBEDTLS_GET_UINT16_LE(&last8[rem], 0);
+ }
+ } else {
+ for (i = 15; i > 0; i--) {
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16);
+ rem = u8z[15];
+
+ u64z[1] <<= 8;
+ u8z[8] = u8z[7];
+ u64z[0] <<= 8;
+
+ u16z[0] ^= last8[rem];
+ }
+ }
+
+ mbedtls_xor_no_simd(output, u8z, (uint8_t *) H[x[0]], 16);
+}
+#else
+/*
+ * Shoup's method for multiplication use this table with
+ * last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint16_t last4[16] =
+{
+ 0x0000, 0x1c20, 0x3840, 0x2460,
+ 0x7080, 0x6ca0, 0x48c0, 0x54e0,
+ 0xe100, 0xfd20, 0xd940, 0xc560,
+ 0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+static void gcm_mult_smalltable(uint8_t *output, const uint8_t *x, uint64_t H[16][2])
+{
+ int i = 0;
+ unsigned char lo, hi, rem;
+ uint64_t u64z[2];
+ const uint64_t *pu64z = NULL;
+ uint8_t *u8z = (uint8_t *) u64z;
+
+ lo = x[15] & 0xf;
+ hi = (x[15] >> 4) & 0xf;
+
+ pu64z = H[lo];
+
+ rem = (unsigned char) pu64z[1] & 0xf;
+ u64z[1] = (pu64z[0] << 60) | (pu64z[1] >> 4);
+ u64z[0] = (pu64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16);
+
+ for (i = 14; i >= 0; i--) {
+ lo = x[i] & 0xf;
+ hi = (x[i] >> 4) & 0xf;
+
+ rem = (unsigned char) u64z[1] & 0xf;
+ u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
+ u64z[0] = (u64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[lo], 16);
+
+ rem = (unsigned char) u64z[1] & 0xf;
+ u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
+ u64z[0] = (u64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16);
+ }
+
+ MBEDTLS_PUT_UINT64_BE(u64z[0], output, 0);
+ MBEDTLS_PUT_UINT64_BE(u64z[1], output, 8);
+}
+#endif
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
+ unsigned char output[16])
+{
+ switch (ctx->acceleration) {
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESNI:
+ mbedtls_aesni_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]);
+ break;
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESCE:
+ mbedtls_aesce_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]);
+ break;
+#endif
+
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+ case MBEDTLS_GCM_ACC_LARGETABLE:
+ gcm_mult_largetable(output, x, ctx->H);
+ break;
+#else
+ case MBEDTLS_GCM_ACC_SMALLTABLE:
+ gcm_mult_smalltable(output, x, ctx->H);
+ break;
+#endif
+ }
+
+ return;
+}
+
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+ int mode,
+ const unsigned char *iv, size_t iv_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char work_buf[16];
+ const unsigned char *p;
+ size_t use_len;
+ uint64_t iv_bits;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen = 0;
+#endif
+
+ /* IV is limited to 2^64 bits, so 2^61 bytes */
+ /* IV is not allowed to be zero length */
+ if (iv_len == 0 || (uint64_t) iv_len >> 61 != 0) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ memset(ctx->y, 0x00, sizeof(ctx->y));
+ memset(ctx->buf, 0x00, sizeof(ctx->buf));
+
+ ctx->mode = mode;
+ ctx->len = 0;
+ ctx->add_len = 0;
+
+ if (iv_len == 12) {
+ memcpy(ctx->y, iv, iv_len);
+ ctx->y[15] = 1;
+ } else {
+ memset(work_buf, 0x00, 16);
+ iv_bits = (uint64_t) iv_len * 8;
+ MBEDTLS_PUT_UINT64_BE(iv_bits, work_buf, 8);
+
+ p = iv;
+ while (iv_len > 0) {
+ use_len = (iv_len < 16) ? iv_len : 16;
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic warning "-Wstringop-overflow=0"
+#endif
+
+ mbedtls_xor(ctx->y, ctx->y, p, use_len);
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
+#pragma GCC diagnostic pop
+#endif
+
+ gcm_mult(ctx, ctx->y, ctx->y);
+
+ iv_len -= use_len;
+ p += use_len;
+ }
+
+ mbedtls_xor(ctx->y, ctx->y, work_buf, 16);
+
+ gcm_mult(ctx, ctx->y, ctx->y);
+ }
+
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->base_ectr);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr, &olen);
+#endif
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
+ * mbedtls_gcm_context::buf contains the partial state of the computation of
+ * the authentication tag.
+ * mbedtls_gcm_context::add_len and mbedtls_gcm_context::len indicate
+ * different stages of the computation:
+ * * len == 0 && add_len == 0: initial state
+ * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have
+ * a partial block of AD that has been
+ * xored in but not yet multiplied in.
+ * * len == 0 && add_len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
+ * * len % 16 != 0: the first `len % 16` bytes have
+ * a partial block of ciphertext that has
+ * been xored in but not yet multiplied in.
+ * * len > 0 && len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
+ */
+int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
+ const unsigned char *add, size_t add_len)
+{
+ const unsigned char *p;
+ size_t use_len, offset;
+ uint64_t new_add_len;
+
+ /* AD is limited to 2^64 bits, ie 2^61 bytes
+ * Also check for possible overflow */
+#if SIZE_MAX > 0xFFFFFFFFFFFFFFFFULL
+ if (add_len > 0xFFFFFFFFFFFFFFFFULL) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+#endif
+ new_add_len = ctx->add_len + (uint64_t) add_len;
+ if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ offset = ctx->add_len % 16;
+ p = add;
+
+ if (offset != 0) {
+ use_len = 16 - offset;
+ if (use_len > add_len) {
+ use_len = add_len;
+ }
+
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, p, use_len);
+
+ if (offset + use_len == 16) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ ctx->add_len += use_len;
+ add_len -= use_len;
+ p += use_len;
+ }
+
+ ctx->add_len += add_len;
+
+ while (add_len >= 16) {
+ mbedtls_xor(ctx->buf, ctx->buf, p, 16);
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ add_len -= 16;
+ p += 16;
+ }
+
+ if (add_len > 0) {
+ mbedtls_xor(ctx->buf, ctx->buf, p, add_len);
+ }
+
+ return 0;
+}
+
+/* Increment the counter. */
+static void gcm_incr(unsigned char y[16])
+{
+ uint32_t x = MBEDTLS_GET_UINT32_BE(y, 12);
+ x++;
+ MBEDTLS_PUT_UINT32_BE(x, y, 12);
+}
+
+/* Calculate and apply the encryption mask. Process use_len bytes of data,
+ * starting at position offset in the mask block. */
+static int gcm_mask(mbedtls_gcm_context *ctx,
+ unsigned char ectr[16],
+ size_t offset, size_t use_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ectr);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ectr, &olen);
+#endif
+ if (ret != 0) {
+ mbedtls_platform_zeroize(ectr, 16);
+ return ret;
+ }
+
+ if (ctx->mode == MBEDTLS_GCM_DECRYPT) {
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, input, use_len);
+ }
+ mbedtls_xor(output, ectr + offset, input, use_len);
+ if (ctx->mode == MBEDTLS_GCM_ENCRYPT) {
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, output, use_len);
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
+ const unsigned char *input, size_t input_length,
+ unsigned char *output, size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = input;
+ unsigned char *out_p = output;
+ size_t offset;
+ unsigned char ectr[16] = { 0 };
+
+ if (output_size < input_length) {
+ return MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL;
+ }
+ *output_length = input_length;
+
+ /* Exit early if input_length==0 so that we don't do any pointer arithmetic
+ * on a potentially null pointer.
+ * Returning early also means that the last partial block of AD remains
+ * untouched for mbedtls_gcm_finish */
+ if (input_length == 0) {
+ return 0;
+ }
+
+ if (output > input && (size_t) (output - input) < input_length) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+ * Also check for possible overflow */
+ if (ctx->len + input_length < ctx->len ||
+ (uint64_t) ctx->len + input_length > 0xFFFFFFFE0ull) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (ctx->len == 0 && ctx->add_len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ offset = ctx->len % 16;
+ if (offset != 0) {
+ size_t use_len = 16 - offset;
+ if (use_len > input_length) {
+ use_len = input_length;
+ }
+
+ if ((ret = gcm_mask(ctx, ectr, offset, use_len, p, out_p)) != 0) {
+ return ret;
+ }
+
+ if (offset + use_len == 16) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ ctx->len += use_len;
+ input_length -= use_len;
+ p += use_len;
+ out_p += use_len;
+ }
+
+ ctx->len += input_length;
+
+ while (input_length >= 16) {
+ gcm_incr(ctx->y);
+ if ((ret = gcm_mask(ctx, ectr, 0, 16, p, out_p)) != 0) {
+ return ret;
+ }
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ input_length -= 16;
+ p += 16;
+ out_p += 16;
+ }
+
+ if (input_length > 0) {
+ gcm_incr(ctx->y);
+ if ((ret = gcm_mask(ctx, ectr, 0, input_length, p, out_p)) != 0) {
+ return ret;
+ }
+ }
+
+ mbedtls_platform_zeroize(ectr, sizeof(ectr));
+ return 0;
+}
+
+int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
+ unsigned char *output, size_t output_size,
+ size_t *output_length,
+ unsigned char *tag, size_t tag_len)
+{
+ unsigned char work_buf[16];
+ uint64_t orig_len;
+ uint64_t orig_add_len;
+
+ /* We never pass any output in finish(). The output parameter exists only
+ * for the sake of alternative implementations. */
+ (void) output;
+ (void) output_size;
+ *output_length = 0;
+
+ /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+ * and AD length is restricted to 2^64 bits, ie 2^61 bytes so neither of
+ * the two multiplications would overflow. */
+ orig_len = ctx->len * 8;
+ orig_add_len = ctx->add_len * 8;
+
+ if (ctx->len == 0 && ctx->add_len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ if (tag_len > 16 || tag_len < 4) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (ctx->len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ memcpy(tag, ctx->base_ectr, tag_len);
+
+ if (orig_len || orig_add_len) {
+ memset(work_buf, 0x00, 16);
+
+ MBEDTLS_PUT_UINT32_BE((orig_add_len >> 32), work_buf, 0);
+ MBEDTLS_PUT_UINT32_BE((orig_add_len), work_buf, 4);
+ MBEDTLS_PUT_UINT32_BE((orig_len >> 32), work_buf, 8);
+ MBEDTLS_PUT_UINT32_BE((orig_len), work_buf, 12);
+
+ mbedtls_xor(ctx->buf, ctx->buf, work_buf, 16);
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ mbedtls_xor(tag, tag, ctx->buf, tag_len);
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t tag_len,
+ unsigned char *tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ if ((ret = mbedtls_gcm_starts(ctx, mode, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_update_ad(ctx, add, add_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_update(ctx, input, length,
+ output, length, &olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_finish(ctx, NULL, 0, &olen, tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *tag,
+ size_t tag_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+ int diff;
+
+ if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag_len, check_tag)) != 0) {
+ return ret;
+ }
+
+ /* Check tag in "constant-time" */
+ diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
+
+ if (diff != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return MBEDTLS_ERR_GCM_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+void mbedtls_gcm_free(mbedtls_gcm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+#else
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_gcm_context));
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS 6
+
+static const int key_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key_test_data[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
+};
+
+static const size_t iv_len_test_data[MAX_TESTS] =
+{ 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv_test_data[][64] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00 },
+ { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88 },
+ { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+ 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+ 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+ 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+ 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+ 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+ 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+ 0xa6, 0x37, 0xb3, 0x9b },
+};
+
+static const size_t add_len_test_data[MAX_TESTS] =
+{ 0, 0, 0, 20, 20, 20 };
+
+static const int add_index_test_data[MAX_TESTS] =
+{ 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional_test_data[][64] =
+{
+ { 0x00 },
+ { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xab, 0xad, 0xda, 0xd2 },
+};
+
+static const size_t pt_len_test_data[MAX_TESTS] =
+{ 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt_test_data[][64] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
+};
+
+static const unsigned char ct_test_data[][64] =
+{
+ { 0x00 },
+ { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+ 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ 0x3d, 0x58, 0xe0, 0x91 },
+ { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+ 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+ 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+ 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+ 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+ 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+ 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+ 0xc2, 0x3f, 0x45, 0x98 },
+ { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+ 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+ 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+ 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+ 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+ 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+ 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+ 0x4c, 0x34, 0xae, 0xe5 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x00 },
+ { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+ 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
+ { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+ 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+ 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+ 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+ 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+ 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+ 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+ 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
+ { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+ 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+ 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+ 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+ 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+ 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+ 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+ 0xcc, 0xda, 0x27, 0x10 },
+ { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+ 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+ 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+ 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+ 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+ 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+ 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+ 0xa0, 0xf0, 0x62, 0xf7 },
+ { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+ 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+ 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+ 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+ 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+ 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+ 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+ 0xe9, 0xb7, 0x37, 0x3b },
+ { 0x00 },
+ { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+ 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
+ { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+ 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+ 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+ 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+ 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+ 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
+ { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+ 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+ 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+ 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+ 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+ 0xbc, 0xc9, 0xf6, 0x62 },
+ { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+ 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+ 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+ 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+ 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+ 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+ 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+ 0xf4, 0x7c, 0x9b, 0x1f },
+ { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+ 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+ 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+ 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+ 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+ 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+ 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+ 0x44, 0xae, 0x7e, 0x3f },
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+};
+
+static const unsigned char tag_test_data[][16] =
+{
+ { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+ 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
+ { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+ 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
+ { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+ 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
+ { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+ 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
+ { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+ 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
+ { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+ 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+ 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
+ { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+ 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
+ { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+ 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
+ { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+ 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
+ { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+ 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
+ { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+ 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
+ { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+ 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
+ { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+ 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
+ { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+ 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
+ { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+ 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
+ { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+ 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
+ { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+ 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+};
+
+int mbedtls_gcm_self_test(int verbose)
+{
+ mbedtls_gcm_context ctx;
+ unsigned char buf[64];
+ unsigned char tag_buf[16];
+ int i, j, ret;
+ mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+ size_t olen;
+
+ if (verbose != 0) {
+#if defined(MBEDTLS_GCM_ALT)
+ mbedtls_printf(" GCM note: alternative implementation.\n");
+#else /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
+ mbedtls_printf(" GCM note: using AESNI.\n");
+ } else
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_printf(" GCM note: using AESCE.\n");
+ } else
+#endif
+
+ mbedtls_printf(" GCM note: built-in implementation.\n");
+#endif /* MBEDTLS_GCM_ALT */
+ }
+
+ static const int loop_limit =
+ (sizeof(ct_test_data) / sizeof(*ct_test_data)) / MAX_TESTS;
+
+ for (j = 0; j < loop_limit; j++) {
+ int key_len = 128 + 64 * j;
+
+ for (i = 0; i < MAX_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
+ key_len, i, "enc");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192) {
+ mbedtls_printf("skipped\n");
+ break;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT,
+ pt_len_test_data[i],
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i],
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i],
+ pt_test_data[pt_index_test_data[i]],
+ buf, 16, tag_buf);
+#if defined(MBEDTLS_GCM_ALT)
+ /* Allow alternative implementations to only support 12-byte nonces. */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED &&
+ iv_len_test_data[i] != 12) {
+ mbedtls_printf("skipped\n");
+ break;
+ }
+#endif /* defined(MBEDTLS_GCM_ALT) */
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, ct_test_data[j * 6 + i],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
+ key_len, i, "dec");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_DECRYPT,
+ pt_len_test_data[i],
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i],
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i],
+ ct_test_data[j * 6 + i], buf, 16, tag_buf);
+
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
+ key_len, i, "enc");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_ENCRYPT,
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update_ad(&ctx,
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (pt_len_test_data[i] > 32) {
+ size_t rest_len = pt_len_test_data[i] - 32;
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]],
+ 32,
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != 32) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]] + 32,
+ rest_len,
+ buf + 32, sizeof(buf) - 32, &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != rest_len) {
+ goto exit;
+ }
+ } else {
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i],
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != pt_len_test_data[i]) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, ct_test_data[j * 6 + i],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
+ key_len, i, "dec");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT,
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_gcm_update_ad(&ctx,
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (pt_len_test_data[i] > 32) {
+ size_t rest_len = pt_len_test_data[i] - 32;
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i], 32,
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != 32) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i] + 32,
+ rest_len,
+ buf + 32, sizeof(buf) - 32, &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != rest_len) {
+ goto exit;
+ }
+ } else {
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i],
+ pt_len_test_data[i],
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != pt_len_test_data[i]) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ ret = 0;
+
+exit:
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ mbedtls_gcm_free(&ctx);
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/hkdf.c b/tf-psa-crypto/drivers/builtin/src/hkdf.c
new file mode 100644
index 0000000..631ac24
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/hkdf.c
@@ -0,0 +1,161 @@
+/*
+ * HKDF implementation -- RFC 5869
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
+ size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+ ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
+
+ if (ret == 0) {
+ ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md),
+ info, info_len, okm, okm_len);
+ }
+
+ mbedtls_platform_zeroize(prk, sizeof(prk));
+
+ return ret;
+}
+
+int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk)
+{
+ unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+ if (salt == NULL) {
+ size_t hash_len;
+
+ if (salt_len != 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ hash_len = mbedtls_md_get_size(md);
+
+ if (hash_len == 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ salt = null_salt;
+ salt_len = hash_len;
+ }
+
+ return mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk);
+}
+
+int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
+ size_t prk_len, const unsigned char *info,
+ size_t info_len, unsigned char *okm, size_t okm_len)
+{
+ size_t hash_len;
+ size_t where = 0;
+ size_t n;
+ size_t t_len = 0;
+ size_t i;
+ int ret = 0;
+ mbedtls_md_context_t ctx;
+ unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+ if (okm == NULL) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ hash_len = mbedtls_md_get_size(md);
+
+ if (prk_len < hash_len || hash_len == 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ if (info == NULL) {
+ info = (const unsigned char *) "";
+ info_len = 0;
+ }
+
+ n = okm_len / hash_len;
+
+ if (okm_len % hash_len != 0) {
+ n++;
+ }
+
+ /*
+ * Per RFC 5869 Section 2.3, okm_len must not exceed
+ * 255 times the hash length
+ */
+ if (n > 255) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0) {
+ goto exit;
+ }
+
+ memset(t, 0, hash_len);
+
+ /*
+ * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+ * Where T(N) is defined in RFC 5869 Section 2.3
+ */
+ for (i = 1; i <= n; i++) {
+ size_t num_to_copy;
+ unsigned char c = i & 0xff;
+
+ ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update(&ctx, t, t_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update(&ctx, info, info_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* The constant concatenated to the end of each T(n) is a single octet.
+ * */
+ ret = mbedtls_md_hmac_update(&ctx, &c, 1);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_finish(&ctx, t);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ num_to_copy = i != n ? hash_len : okm_len - where;
+ memcpy(okm + where, t, num_to_copy);
+ where += hash_len;
+ t_len = hash_len;
+ }
+
+exit:
+ mbedtls_md_free(&ctx);
+ mbedtls_platform_zeroize(t, sizeof(t));
+
+ return ret;
+}
+
+#endif /* MBEDTLS_HKDF_C */
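Review bot: In `mbedtls_hkdf_expand`, a failure inside the T(i) loop jumps to `exit:` after earlier iterations have already copied blocks into `okm`, and the cleanup wipes only `t`, so the caller's buffer keeps a partial derivation on an error return. Consider clearing it on the failure path, for example `if (ret != 0) { mbedtls_platform_zeroize(okm, okm_len); }` just before `return ret;`. `mbedtls_hkdf` inherits the same behaviour because it passes `okm` straight through. If leaving the buffer untouched is intentional, a comment at `exit:` stating that the contents of `okm` are unspecified on failure would tell callers not to rely on them.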
diff --git a/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c b/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c
new file mode 100644
index 0000000..90174d5
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c
@@ -0,0 +1,633 @@
+/*
+ * HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The NIST SP 800-90A DRBGs are described in the following publication.
+ * http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ * References below are based on rev. 1 (January 2012).
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_hmac_drbg_context));
+
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len)
+{
+ size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+ unsigned char rounds = (additional != NULL && add_len != 0) ? 2 : 1;
+ unsigned char sep[1];
+ unsigned char K[MBEDTLS_MD_MAX_SIZE];
+ int ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+
+ for (sep[0] = 0; sep[0] < rounds; sep[0]++) {
+ /* Step 1 or 4 */
+ if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ sep, 1)) != 0) {
+ goto exit;
+ }
+ if (rounds == 2) {
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, K)) != 0) {
+ goto exit;
+ }
+
+ /* Step 2 or 5 */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, K, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
+ goto exit;
+ }
+ }
+
+exit:
+ mbedtls_platform_zeroize(K, sizeof(K));
+ return ret;
+}
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ const unsigned char *data, size_t data_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ /*
+ * Set initial working state.
+ * Use the V memory location, which is currently all 0, to initialize the
+ * MD context with an all-zero key. Then set V to its initial value.
+ */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V,
+ mbedtls_md_get_size(md_info))) != 0) {
+ return ret;
+ }
+ memset(ctx->V, 0x01, mbedtls_md_get_size(md_info));
+
+ if ((ret = mbedtls_hmac_drbg_update(ctx, data, data_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len,
+ int use_nonce)
+{
+ unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+ size_t seedlen = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ {
+ size_t total_entropy_len;
+
+ if (use_nonce == 0) {
+ total_entropy_len = ctx->entropy_len;
+ } else {
+ total_entropy_len = ctx->entropy_len * 3 / 2;
+ }
+
+ /* III. Check input length */
+ if (len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+ total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ }
+ }
+
+ memset(seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT);
+
+ /* IV. Gather entropy_len bytes of entropy for the seed */
+ if ((ret = ctx->f_entropy(ctx->p_entropy,
+ seed, ctx->entropy_len)) != 0) {
+ return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += ctx->entropy_len;
+
+ /* For initial seeding, allow adding of nonce generated
+ * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+ if (use_nonce) {
+ /* Note: We don't merge the two calls to f_entropy() in order
+ * to avoid requesting too much entropy from f_entropy()
+ * at once. Specifically, if the underlying digest is not
+ * SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+ * is larger than the maximum of 32 Bytes that our own
+ * entropy source implementation can emit in a single
+ * call in configurations disabling SHA-512. */
+ if ((ret = ctx->f_entropy(ctx->p_entropy,
+ seed + seedlen,
+ ctx->entropy_len / 2)) != 0) {
+ return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+
+ seedlen += ctx->entropy_len / 2;
+ }
+
+
+ /* 1. Concatenate entropy and additional data if any */
+ if (additional != NULL && len != 0) {
+ memcpy(seed + seedlen, additional, len);
+ seedlen += len;
+ }
+
+ /* 2. Update state */
+ if ((ret = mbedtls_hmac_drbg_update(ctx, seed, seedlen)) != 0) {
+ goto exit;
+ }
+
+ /* 3. Reset reseed_counter */
+ ctx->reseed_counter = 1;
+
+exit:
+ /* 4. Done */
+ mbedtls_platform_zeroize(seed, seedlen);
+ return ret;
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len)
+{
+ return hmac_drbg_reseed_core(ctx, additional, len, 0);
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t md_size;
+
+ if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
+ return ret;
+ }
+
+ /* The mutex is initialized iff the md context is set up. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ md_size = mbedtls_md_get_size(md_info);
+
+ /*
+ * Set initial working state.
+ * Use the V memory location, which is currently all 0, to initialize the
+ * MD context with an all-zero key. Then set V to its initial value.
+ */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V, md_size)) != 0) {
+ return ret;
+ }
+ memset(ctx->V, 0x01, md_size);
+
+ ctx->f_entropy = f_entropy;
+ ctx->p_entropy = p_entropy;
+
+ if (ctx->entropy_len == 0) {
+ /*
+ * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+ * each hash function, then according to SP800-90A rev1 10.1 table 2,
+ * min_entropy_len (in bits) is security_strength.
+ *
+ * (This also matches the sizes used in the NIST test vectors.)
+ */
+ ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+ md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+ 32; /* better (256+) -> 256 bits */
+ }
+
+ if ((ret = hmac_drbg_reseed_core(ctx, custom, len,
+ 1 /* add nonce */)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
+ int resistance)
+{
+ ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx, size_t len)
+{
+ ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx, int interval)
+{
+ ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t out_len,
+ const unsigned char *additional, size_t add_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+ size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+ size_t left = out_len;
+ unsigned char *out = output;
+
+ /* II. Check request length */
+ if (out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST) {
+ return MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG;
+ }
+
+ /* III. Check input length */
+ if (add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT) {
+ return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* 1. (aka VII and IX) Check reseed counter and PR */
+ if (ctx->f_entropy != NULL && /* For no-reseeding instances */
+ (ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+ ctx->reseed_counter > ctx->reseed_interval)) {
+ if ((ret = mbedtls_hmac_drbg_reseed(ctx, additional, add_len)) != 0) {
+ return ret;
+ }
+
+ add_len = 0; /* VII.4 */
+ }
+
+ /* 2. Use additional data if any */
+ if (additional != NULL && add_len != 0) {
+ if ((ret = mbedtls_hmac_drbg_update(ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+ }
+
+ /* 3, 4, 5. Generate bytes */
+ while (left != 0) {
+ size_t use_len = left > md_len ? md_len : left;
+
+ if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
+ goto exit;
+ }
+
+ memcpy(out, ctx->V, use_len);
+ out += use_len;
+ left -= use_len;
+ }
+
+ /* 6. Update */
+ if ((ret = mbedtls_hmac_drbg_update(ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+
+ /* 7. Update reseed counter */
+ ctx->reseed_counter++;
+
+exit:
+ /* 8. Done */
+ return ret;
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = mbedtls_hmac_drbg_random_with_add(ctx, output, out_len, NULL, 0);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * This function resets HMAC_DRBG context to the state immediately
+ * after initial call of mbedtls_hmac_drbg_init().
+ */
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* The mutex is initialized iff the md context is set up. */
+ if (ctx->md_ctx.md_info != NULL) {
+ mbedtls_mutex_free(&ctx->mutex);
+ }
+#endif
+ mbedtls_md_free(&ctx->md_ctx);
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_hmac_drbg_context));
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f;
+ unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if ((ret = mbedtls_hmac_drbg_random(ctx, buf, sizeof(buf))) != 0) {
+ goto exit;
+ }
+
+ if (fwrite(buf, 1, sizeof(buf), f) != sizeof(buf)) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ ret = 0;
+
+exit:
+ fclose(f);
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+
+int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
+{
+ int ret = 0;
+ FILE *f = NULL;
+ size_t n;
+ unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
+ unsigned char c;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ n = fread(buf, 1, sizeof(buf), f);
+ if (fread(&c, 1, 1, f) != 0) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ goto exit;
+ }
+ if (n == 0 || ferror(f)) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+ fclose(f);
+ f = NULL;
+
+ ret = mbedtls_hmac_drbg_update(ctx, buf, n);
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ if (f != NULL) {
+ fclose(f);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_hmac_drbg_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_MD_CAN_SHA1)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test(int verbose)
+{
+ (void) verbose;
+ return 0;
+}
+#else
+
+#define OUTPUT_LEN 80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+ 0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+ 0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+ 0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+ 0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+ 0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4
+};
+static const unsigned char result_pr[OUTPUT_LEN] = {
+ 0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+ 0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+ 0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+ 0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+ 0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+ 0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+ 0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44
+};
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+ 0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+ 0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+ 0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+ 0xe9, 0x9d, 0xfe, 0xdf
+};
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+ 0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+ 0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+ 0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+ 0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+ 0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+ 0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+ 0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7
+};
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy(void *data,
+ unsigned char *buf, size_t len)
+{
+ const unsigned char *p = data;
+ memcpy(buf, p + test_offset, len);
+ test_offset += len;
+ return 0;
+}
+
+#define CHK(c) if ((c) != 0) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ return 1; \
+ }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test(int verbose)
+{
+ mbedtls_hmac_drbg_context ctx;
+ unsigned char buf[OUTPUT_LEN];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
+
+ mbedtls_hmac_drbg_init(&ctx);
+
+ /*
+ * PR = True
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" HMAC_DRBG (PR = True) : ");
+ }
+
+ test_offset = 0;
+ CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+ hmac_drbg_self_test_entropy, (void *) entropy_pr,
+ NULL, 0));
+ mbedtls_hmac_drbg_set_prediction_resistance(&ctx, MBEDTLS_HMAC_DRBG_PR_ON);
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(memcmp(buf, result_pr, OUTPUT_LEN));
+ mbedtls_hmac_drbg_free(&ctx);
+
+ mbedtls_hmac_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ /*
+ * PR = False
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" HMAC_DRBG (PR = False) : ");
+ }
+
+ mbedtls_hmac_drbg_init(&ctx);
+
+ test_offset = 0;
+ CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+ hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+ NULL, 0));
+ CHK(mbedtls_hmac_drbg_reseed(&ctx, NULL, 0));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(memcmp(buf, result_nopr, OUTPUT_LEN));
+ mbedtls_hmac_drbg_free(&ctx);
+
+ mbedtls_hmac_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
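Review bot: `hmac_drbg_reseed_core` returns directly when either `ctx->f_entropy` call fails, bypassing the wipe at `exit:`; in the nonce branch the stack buffer `seed` already holds `entropy_len` bytes from the first call at that point. Routing both failures through the label with `ret = MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED; goto exit;` keeps the cleanup on every path. Changing the wipe to `mbedtls_platform_zeroize(seed, sizeof(seed));` would also cover a source that wrote part of its output before reporting an error, since `seedlen` is not advanced in that case. Those bytes were never mixed into the DRBG state, so the exposure is limited, but the rest of the function treats `seed` as secret.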
diff --git a/tf-psa-crypto/drivers/builtin/src/lmots.c b/tf-psa-crypto/drivers/builtin/src/lmots.c
new file mode 100644
index 0000000..c51cb41
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/lmots.c
@@ -0,0 +1,786 @@
+/*
+ * The LM-OTS one-time public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LM-OTS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "mbedtls/lms.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "psa_util_internal.h"
+
+#include "psa/crypto.h"
+
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+#define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+
+/* We only support parameter sets that use 8-bit digits, as it does not require
+ * translation logic between digits and bytes */
+#define W_WINTERNITZ_PARAMETER (8u)
+#define CHECKSUM_LEN (2)
+#define I_DIGIT_IDX_LEN (2)
+#define J_HASH_IDX_LEN (1)
+#define D_CONST_LEN (2)
+
+#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
+
+#define D_CONST_LEN (2)
+static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
+static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/* Calculate the checksum digits that are appended to the end of the LMOTS digit
+ * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
+ * the checksum algorithm.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * digest The digit string to create the digest from. As
+ * this does not contain a checksum, it is the same
+ * size as a hash output.
+ */
+static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *digest)
+{
+ size_t idx;
+ unsigned sum = 0;
+
+ for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
+ sum += DIGIT_MAX_VALUE - digest[idx];
+ }
+
+ return sum;
+}
+
+/* Create the string of digest digits (in the base determined by the Winternitz
+ * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
+ * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
+ * 4b step 3) for details.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * msg The message that will be hashed to create the
+ * digest.
+ *
+ * msg_size The size of the message.
+ *
+ * C_random_value The random value that will be combined with the
+ * message digest. This is always the same size as a
+ * hash output for whichever hash algorithm is
+ * determined by the parameter set.
+ *
+ * output An output containing the digit string (+
+ * checksum) of length P digits (in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
+ * size P bytes).
+ */
+static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_len,
+ const unsigned char *C_random_value,
+ unsigned char *out)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned short checksum;
+
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, C_random_value,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, msg, msg_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ checksum = lmots_checksum_calculate(params, out);
+ MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Hash each element of the string of digits (+ checksum), producing a hash
+ * output for each element. This is used in several places (by varying the
+ * hash_idx_min/max_values) in order to calculate a public key from a private
+ * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
+ * Algorithm 3 step 5), and to calculate a public key candidate from a
+ * signature and message (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * x_digit_array The array of digits (of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8).
+ *
+ * hash_idx_min_values An array of the starting values of the j iterator
+ * for each of the members of the digit array. If
+ * this value in NULL, then all iterators will start
+ * at 0.
+ *
+ * hash_idx_max_values An array of the upper bound values of the j
+ * iterator for each of the members of the digit
+ * array. If this value in NULL, then iterator is
+ * bounded to be less than 2^w - 1 (255 in the case
+ * of MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * output An array containing a hash output for each member
+ * of the digit string P. In the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
+ * 34.
+ */
+static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *x_digit_array,
+ const unsigned char *hash_idx_min_values,
+ const unsigned char *hash_idx_max_values,
+ unsigned char *output)
+{
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
+ unsigned int j_hash_idx;
+ unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
+ unsigned int j_hash_idx_min;
+ unsigned int j_hash_idx_max;
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+
+ for (i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
+ i_digit_idx++) {
+
+ memcpy(tmp_hash,
+ &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+
+ j_hash_idx_min = hash_idx_min_values != NULL ?
+ hash_idx_min_values[i_digit_idx] : 0;
+ j_hash_idx_max = hash_idx_max_values != NULL ?
+ hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
+
+ for (j_hash_idx = j_hash_idx_min;
+ j_hash_idx < j_hash_idx_max;
+ j_hash_idx++) {
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
+ status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
+ status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, tmp_hash,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ psa_hash_abort(&op);
+ }
+
+ memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ }
+
+exit:
+ psa_hash_abort(&op);
+ mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Combine the hashes of the digit array into a public key. This is used in
+ * in order to calculate a public key from a private key (RFC8554 Algorithm 1
+ * step 4), and to calculate a public key candidate from a signature and message
+ * (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which describe
+ * the key being used.
+ * y_hashed_digits The array of hashes, one hash for each digit of the
+ * symbol array (which is of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * pub_key The output public key (or candidate public key in
+ * case this is being run as part of signature
+ * verification), in the form of a hash output.
+ */
+static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *y_hashed_digits,
+ unsigned char *pub_key)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, y_hashed_digits,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+
+exit:
+ psa_hash_abort(&op);
+ }
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_lms_error_from_psa(psa_status_t status)
+{
+ switch (status) {
+ case PSA_SUCCESS:
+ return 0;
+ case PSA_ERROR_HARDWARE_FAILURE:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ default:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_len)
+{
+ if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = (mbedtls_lmots_algorithm_type_t)
+ MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ memcpy(ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+
+ memcpy(ctx->params.q_leaf_identifier,
+ key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+
+ memcpy(ctx->public_key,
+ key + PUBLIC_KEY_KEY_HASH_OFFSET,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ ctx->have_public_key = 1;
+
+ return 0;
+}
+
+int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len)
+{
+ if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+
+ memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+
+ memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ if (key_len != NULL) {
+ *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len)
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
+ out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = create_digit_array_with_checksum(params, msg, msg_size,
+ sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
+ tmp_digit_array);
+ if (ret) {
+ return ret;
+ }
+
+ ret = hash_digit_array(params,
+ sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
+ tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
+ if (ret) {
+ return ret;
+ }
+
+ ret = public_key_from_hashed_digit_array(params,
+ (unsigned char *) y_hashed_digits,
+ out);
+ if (ret) {
+ return ret;
+ }
+
+ if (out_len != NULL) {
+ *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size)
+{
+ unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
+ msg, msg_size, sig, sig_size,
+ Kc_public_key_candidate,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ NULL);
+ if (ret) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (memcmp(&Kc_public_key_candidate, ctx->public_key,
+ sizeof(ctx->public_key))) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx,
+ sizeof(*ctx));
+}
+
+int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[2];
+ unsigned char const_bytes[1] = { 0xFF };
+
+ if (ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = type;
+
+ memcpy(ctx->params.I_key_identifier,
+ I_key_identifier,
+ sizeof(ctx->params.I_key_identifier));
+
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
+
+ for (i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
+ i_digit_idx++) {
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ ctx->params.I_key_identifier,
+ sizeof(ctx->params.I_key_identifier));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
+ status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, seed, seed_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op,
+ ctx->private_key[i_digit_idx],
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ psa_hash_abort(&op);
+ }
+
+ ctx->have_private_key = 1;
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx)
+{
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that a private key is loaded */
+ if (!priv_ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = hash_digit_array(&priv_ctx->params,
+ (unsigned char *) priv_ctx->private_key, NULL,
+ NULL, (unsigned char *) y_hashed_digits);
+ if (ret) {
+ goto exit;
+ }
+
+ ret = public_key_from_hashed_digit_array(&priv_ctx->params,
+ (unsigned char *) y_hashed_digits,
+ ctx->public_key);
+ if (ret) {
+ goto exit;
+ }
+
+ memcpy(&ctx->params, &priv_ctx->params,
+ sizeof(ctx->params));
+
+ ctx->have_public_key = 1;
+
+exit:
+ mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
+
+ return ret;
+}
+
+int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t *sig_len)
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ /* Create a temporary buffer to prepare the signature in. This allows us to
+ * finish creating a signature (ensuring the process doesn't fail), and then
+ * erase the private key **before** writing any data into the sig parameter
+ * buffer. If data were directly written into the sig buffer, it might leak
+ * a partial signature on failure, which effectively compromises the private
+ * key.
+ */
+ unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ /* Check that a private key is loaded */
+ if (!ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = f_rng(p_rng, tmp_c_random,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+ if (ret) {
+ return ret;
+ }
+
+ ret = create_digit_array_with_checksum(&ctx->params,
+ msg, msg_size,
+ tmp_c_random,
+ tmp_digit_array);
+ if (ret) {
+ goto exit;
+ }
+
+ ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
+ NULL, tmp_digit_array, (unsigned char *) tmp_sig);
+ if (ret) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ /* Test hook to check if sig is being written to before we invalidate the
+ * private key.
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
+ ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+ /* We've got a valid signature now, so it's time to make sure the private
+ * key can't be reused.
+ */
+ ctx->have_private_key = 0;
+ mbedtls_platform_zeroize(ctx->private_key,
+ sizeof(ctx->private_key));
+
+ memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
+
+ memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
+ * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ if (sig_len != NULL) {
+ *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
+ mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
+
+ return ret;
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/tf-psa-crypto/drivers/builtin/src/lmots.h b/tf-psa-crypto/drivers/builtin/src/lmots.h
new file mode 100644
index 0000000..cf92d32
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/lmots.h
@@ -0,0 +1,288 @@
+/**
+ * \file lmots.h
+ *
+ * \brief This file provides an API for the LM-OTS post-quantum-safe one-time
+ * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ * This implementation currently only supports a single parameter set
+ * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LMOTS_H
+#define MBEDTLS_LMOTS_H
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+#include "mbedtls/lms.h"
+
+#include <stdint.h>
+#include <stddef.h>
+
+
+#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+ MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0)
+#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#if defined(MBEDTLS_TEST_HOOKS)
+extern int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *);
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief This function converts a \ref psa_status_t to a
+ * low-level LMS error code.
+ *
+ * \param status The psa_status_t to convert
+ *
+ * \return The corresponding LMS error code.
+ */
+int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status);
+#endif
+
+/**
+ * \brief This function initializes a public LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx);
+
+/**
+ * \brief This function uninitializes a public LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx);
+
+/**
+ * \brief This function imports an LMOTS public key into a
+ * LMOTS context.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context store the key in.
+ * \param key The buffer from which the key will be read.
+ * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read
+ * from this.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_size);
+
+/**
+ * \brief This function exports an LMOTS public key from a
+ * LMOTS context that already contains a public key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a public key.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context that contains the
+ * public key.
+ * \param key The buffer into which the key will be output. Must
+ * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len);
+
+/**
+ * \brief This function creates a candidate public key from
+ * an LMOTS signature. This can then be compared to
+ * the real public key to determine the validity of
+ * the signature.
+ *
+ * \note This function is exposed publicly to be used in LMS
+ * signature verification, it is expected that
+ * mbedtls_lmots_verify will be used for LMOTS
+ * signature verification.
+ *
+ * \param params The LMOTS parameter set, q and I values as an
+ * mbedtls_lmots_parameters_t struct.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buffer from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ * \param out The buffer where the candidate public key will be
+ * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN
+ * bytes in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len);
+
+/**
+ * \brief This function verifies a LMOTS signature, using a
+ * LMOTS context that contains a public key.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a public key
+ * (either by import or calculation from a private
+ * key).
+ *
+ * \param ctx The initialized LMOTS context from which the public
+ * key will be read.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ *
+ * \return \c 0 on successful verification.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg,
+ size_t msg_size, const unsigned char *sig,
+ size_t sig_size);
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/**
+ * \brief This function initializes a private LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx);
+
+/**
+ * \brief This function uninitializes a private LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx);
+
+/**
+ * \brief This function calculates an LMOTS private key, and
+ * stores in into an LMOTS context.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * into.
+ * \param I_key_identifier The key identifier of the key, as a 16-byte string.
+ * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is
+ * not being used as part of an LMS key, this should
+ * be set to 0.
+ * \param seed The seed used to deterministically generate the
+ * key.
+ * \param seed_size The length of the seed.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size);
+
+/**
+ * \brief This function generates an LMOTS public key from a
+ * LMOTS context that already contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a private key.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * from and store it into.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx);
+
+/**
+ * \brief This function creates a LMOTS signature, using a
+ * LMOTS context that contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a private
+ * key.
+ *
+ * \note LMOTS private keys can only be used once, otherwise
+ * attackers may be able to create forged signatures.
+ * If the signing operation is successful, the private
+ * key in the context will be erased, and no further
+ * signing will be possible until another private key
+ * is loaded
+ *
+ * \param ctx The initialized LMOTS context from which the
+ * private key will be read.
+ * \param f_rng The RNG function to be used for signature
+ * generation.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf into which the signature will be stored.
+ * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t *sig_len);
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMOTS_H */
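Review bot: The Doxygen blocks in this header leave every buffer-length and output-length parameter undocumented, so callers cannot read the size contract from the API. The missing `\param` entries are `key_size` on mbedtls_lmots_import_public_key, `key_size` and `key_len` on mbedtls_lmots_export_public_key, `sig_size`, `out_size` and `out_len` on mbedtls_lmots_calculate_public_key_candidate, `sig_size` on mbedtls_lmots_verify, `type` on mbedtls_lmots_generate_private_key, `priv_ctx` on mbedtls_lmots_calculate_public_key, and `sig_size` and `sig_len` on mbedtls_lmots_sign. The definitions in lmots.c enforce exact or minimum lengths and treat the length outputs as optional, so the entries can say so, for example `\param sig_size The size of \p sig in bytes; must equal #MBEDTLS_LMOTS_SIG_LEN for the parameter set.` and `\param sig_len If not NULL, receives the number of bytes written to \p sig.` The import prototype names its length `key_size` while the definition in lmots.c names it `key_len`; using one name in both places would keep the documentation and the code aligned. The file brief cites `NIST.SP.200-208`, whereas lms.c in the same change references NIST Special Publication 800-208, so this is presumably a typo for `NIST.SP.800-208`.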
diff --git a/tf-psa-crypto/drivers/builtin/src/lms.c b/tf-psa-crypto/drivers/builtin/src/lms.c
new file mode 100644
index 0000000..7f7bec0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/lms.c
@@ -0,0 +1,769 @@
+/*
+ * The LMS stateful-hash public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LMS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#include "mbedtls/lms.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/platform.h"
+
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+
+#define SIG_Q_LEAF_ID_OFFSET (0)
+#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+#define SIG_TYPE_OFFSET(otstype) (SIG_OTS_SIG_OFFSET + \
+ MBEDTLS_LMOTS_SIG_LEN(otstype))
+#define SIG_PATH_OFFSET(otstype) (SIG_TYPE_OFFSET(otstype) + \
+ MBEDTLS_LMS_TYPE_LEN)
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_OTSTYPE_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMS_TYPE_LEN)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_OTSTYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_ROOT_NODE_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+
+
+/* Currently only support H=10 */
+#define H_TREE_HEIGHT_MAX 10
+#define MERKLE_TREE_NODE_AM(type) ((size_t) 1 << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u))
+#define MERKLE_TREE_LEAF_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type))
+#define MERKLE_TREE_INTERNAL_NODE_AM(type) ((unsigned int) \
+ (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type)))
+
+#define D_CONST_LEN (2)
+static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = { 0x82, 0x82 };
+static const unsigned char D_INTR_CONSTANT_BYTES[D_CONST_LEN] = { 0x83, 0x83 };
+
+
+/* Calculate the value of a leaf node of the Merkle tree (which is a hash of a
+ * public key and some other parameters like the leaf index). This function
+ * implements RFC8554 section 5.3, in the case where r >= 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * pub_key The public key of the private whose index
+ * corresponds to the index of this leaf node. This
+ * is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_leaf_value(const mbedtls_lms_parameters_t *params,
+ unsigned char *pub_key,
+ unsigned int r_node_idx,
+ unsigned char *out)
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init();
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(r_node_idx, r_node_idx_bytes, 0);
+ status = psa_hash_update(&op, r_node_idx_bytes, 4);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_LEAF_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->otstype));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Calculate the value of an internal node of the Merkle tree (which is a hash
+ * of a public key and some other parameters like the node index). This function
+ * implements RFC8554 section 5.3, in the case where r < 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * left_node The value of the child of this node which is on
+ * the left-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * right_node The value of the child of this node which is on
+ * the right-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_internal_value(const mbedtls_lms_parameters_t *params,
+ const unsigned char *left_node,
+ const unsigned char *right_node,
+ unsigned int r_node_idx,
+ unsigned char *out)
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init();
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(r_node_idx, r_node_idx_bytes, 0);
+ status = psa_hash_update(&op, r_node_idx_bytes, 4);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_INTR_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, left_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, right_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
+ const unsigned char *key, size_t key_size)
+{
+ mbedtls_lms_algorithm_type_t type;
+ mbedtls_lmots_algorithm_type_t otstype;
+
+ type = (mbedtls_lms_algorithm_type_t) MBEDTLS_GET_UINT32_BE(key, PUBLIC_KEY_TYPE_OFFSET);
+ if (type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+ ctx->params.type = type;
+
+ if (key_size != MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ otstype = (mbedtls_lmots_algorithm_type_t)
+ MBEDTLS_GET_UINT32_BE(key, PUBLIC_KEY_OTSTYPE_OFFSET);
+ if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+ ctx->params.otstype = otstype;
+
+ memcpy(ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ memcpy(ctx->T_1_pub_key, key + PUBLIC_KEY_ROOT_NODE_OFFSET,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
+
+ ctx->have_public_key = 1;
+
+ return 0;
+}
+
+int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
+ unsigned char *key,
+ size_t key_size, size_t *key_len)
+{
+ if (key_size < MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, PUBLIC_KEY_TYPE_OFFSET);
+ MBEDTLS_PUT_UINT32_BE(ctx->params.otstype, key, PUBLIC_KEY_OTSTYPE_OFFSET);
+ memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ memcpy(key +PUBLIC_KEY_ROOT_NODE_OFFSET,
+ ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
+
+ if (key_len != NULL) {
+ *key_len = MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size)
+{
+ unsigned int q_leaf_identifier;
+ unsigned char Kc_candidate_ots_pub_key[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char Tc_candidate_root_node[MBEDTLS_LMS_M_NODE_BYTES_MAX];
+ unsigned int height;
+ unsigned int curr_node_id;
+ unsigned int parent_node_id;
+ const unsigned char *left_node;
+ const unsigned char *right_node;
+ mbedtls_lmots_parameters_t ots_params;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_SIG_TYPE_OFFSET)
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, SIG_TYPE_OFFSET(ctx->params.otstype))
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+
+ q_leaf_identifier = MBEDTLS_GET_UINT32_BE(sig, SIG_Q_LEAF_ID_OFFSET);
+
+ if (q_leaf_identifier >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ memcpy(ots_params.I_key_identifier,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ots_params.q_leaf_identifier, 0);
+ ots_params.type = ctx->params.otstype;
+
+ ret = mbedtls_lmots_calculate_public_key_candidate(&ots_params,
+ msg,
+ msg_size,
+ sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMOTS_SIG_LEN(ctx->params.otstype),
+ Kc_candidate_ots_pub_key,
+ sizeof(Kc_candidate_ots_pub_key),
+ NULL);
+ if (ret != 0) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ create_merkle_leaf_value(
+ &ctx->params,
+ Kc_candidate_ots_pub_key,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ Tc_candidate_root_node);
+
+ curr_node_id = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) +
+ q_leaf_identifier;
+
+ for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++) {
+ parent_node_id = curr_node_id / 2;
+
+ /* Left/right node ordering matters for the hash */
+ if (curr_node_id & 1) {
+ left_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ right_node = Tc_candidate_root_node;
+ } else {
+ left_node = Tc_candidate_root_node;
+ right_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ }
+
+ create_merkle_internal_value(&ctx->params, left_node, right_node,
+ parent_node_id, Tc_candidate_root_node);
+
+ curr_node_id /= 2;
+ }
+
+ if (memcmp(Tc_candidate_root_node, ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type))) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/* Calculate a full Merkle tree based on a private key. This function
+ * implements RFC8554 section 5.3, and is used to generate a public key (as the
+ * public key is the root node of the Merkle tree).
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * tree The output tree, which is 2^(H + 1) hash outputs.
+ * In the case of H=10 we have 2048 tree nodes (of
+ * which 1024 of them are leaf nodes). Note that
+ * because the Merkle tree root is 1-indexed, the 0
+ * index tree node is never used.
+ */
+static int calculate_merkle_tree(const mbedtls_lms_private_t *ctx,
+ unsigned char *tree)
+{
+ unsigned int priv_key_idx;
+ unsigned int r_node_idx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* First create the leaf nodes, in ascending order */
+ for (priv_key_idx = 0;
+ priv_key_idx < MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type);
+ priv_key_idx++) {
+ r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + priv_key_idx;
+
+ ret = create_merkle_leaf_value(&ctx->params,
+ ctx->ots_public_keys[priv_key_idx].public_key,
+ r_node_idx,
+ &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(
+ ctx->params.type)]);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /* Then the internal nodes, in reverse order so that we can guarantee the
+ * parent has been created */
+ for (r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) - 1;
+ r_node_idx > 0;
+ r_node_idx--) {
+ ret = create_merkle_internal_value(&ctx->params,
+ &tree[(r_node_idx * 2) *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ &tree[(r_node_idx * 2 + 1) *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ r_node_idx,
+ &tree[r_node_idx *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)]);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/* Calculate a path from a leaf node of the Merkle tree to the root of the tree,
+ * and return the full path. This function implements RFC8554 section 5.4.1, as
+ * the Merkle path is the main component of an LMS signature.
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * leaf_node_id Which leaf node to calculate the path from.
+ *
+ * path The output path, which is H hash outputs.
+ */
+static int get_merkle_path(mbedtls_lms_private_t *ctx,
+ unsigned int leaf_node_id,
+ unsigned char *path)
+{
+ const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ unsigned int curr_node_id = leaf_node_id;
+ unsigned int adjacent_node_id;
+ unsigned char *tree = NULL;
+ unsigned int height;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ tree = mbedtls_calloc((size_t) MERKLE_TREE_NODE_AM(ctx->params.type),
+ node_bytes);
+ if (tree == NULL) {
+ return MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ }
+
+ ret = calculate_merkle_tree(ctx, tree);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++) {
+ adjacent_node_id = curr_node_id ^ 1;
+
+ memcpy(&path[height * node_bytes],
+ &tree[adjacent_node_id * node_bytes], node_bytes);
+
+ curr_node_id >>= 1;
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_zeroize_and_free(tree, node_bytes *
+ (size_t) MERKLE_TREE_NODE_AM(ctx->params.type));
+
+ return ret;
+}
+
+void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ unsigned int idx;
+
+ if (ctx->have_private_key) {
+ if (ctx->ots_private_keys != NULL) {
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_private_free(&ctx->ots_private_keys[idx]);
+ }
+ }
+
+ if (ctx->ots_public_keys != NULL) {
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_public_free(&ctx->ots_public_keys[idx]);
+ }
+ }
+
+ mbedtls_free(ctx->ots_private_keys);
+ mbedtls_free(ctx->ots_public_keys);
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+
+int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
+ mbedtls_lms_algorithm_type_t type,
+ mbedtls_lmots_algorithm_type_t otstype,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *seed,
+ size_t seed_size)
+{
+ unsigned int idx = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = type;
+ ctx->params.otstype = otstype;
+ ctx->have_private_key = 1;
+
+ ret = f_rng(p_rng,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_private_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof(*ctx->ots_private_keys));
+ if (ctx->ots_private_keys == NULL) {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_public_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof(*ctx->ots_public_keys));
+ if (ctx->ots_public_keys == NULL) {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_private_init(&ctx->ots_private_keys[idx]);
+ mbedtls_lmots_public_init(&ctx->ots_public_keys[idx]);
+ }
+
+
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ ret = mbedtls_lmots_generate_private_key(&ctx->ots_private_keys[idx],
+ otstype,
+ ctx->params.I_key_identifier,
+ idx, seed, seed_size);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_lmots_calculate_public_key(&ctx->ots_public_keys[idx],
+ &ctx->ots_private_keys[idx]);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ ctx->q_next_usable_key = 0;
+
+exit:
+ if (ret != 0) {
+ mbedtls_lms_private_free(ctx);
+ }
+
+ return ret;
+}
+
+int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
+ const mbedtls_lms_private_t *priv_ctx)
+{
+ const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(priv_ctx->params.type);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *tree = NULL;
+
+ if (!priv_ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (priv_ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (priv_ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ tree = mbedtls_calloc((size_t) MERKLE_TREE_NODE_AM(priv_ctx->params.type),
+ node_bytes);
+ if (tree == NULL) {
+ return MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ }
+
+ memcpy(&ctx->params, &priv_ctx->params,
+ sizeof(mbedtls_lmots_parameters_t));
+
+ ret = calculate_merkle_tree(priv_ctx, tree);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Root node is always at position 1, due to 1-based indexing */
+ memcpy(ctx->T_1_pub_key, &tree[node_bytes], node_bytes);
+
+ ctx->have_public_key = 1;
+
+ ret = 0;
+
+exit:
+ mbedtls_zeroize_and_free(tree, node_bytes *
+ (size_t) MERKLE_TREE_NODE_AM(priv_ctx->params.type));
+
+ return ret;
+}
+
+
+int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg,
+ unsigned int msg_size, unsigned char *sig, size_t sig_size,
+ size_t *sig_len)
+{
+ uint32_t q_leaf_identifier;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (!ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (ctx->params.type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->q_next_usable_key >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS;
+ }
+
+
+ q_leaf_identifier = ctx->q_next_usable_key;
+ /* This new value must _always_ be written back to the disk before the
+ * signature is returned.
+ */
+ ctx->q_next_usable_key += 1;
+
+ if (MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)
+ < SIG_OTS_SIG_OFFSET) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_lmots_sign(&ctx->ots_private_keys[q_leaf_identifier],
+ f_rng,
+ p_rng,
+ msg,
+ msg_size,
+ sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMS_SIG_LEN(ctx->params.type,
+ ctx->params.otstype) - SIG_OTS_SIG_OFFSET,
+ NULL);
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, SIG_TYPE_OFFSET(ctx->params.otstype));
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, sig, SIG_Q_LEAF_ID_OFFSET);
+
+ ret = get_merkle_path(ctx,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ sig + SIG_PATH_OFFSET(ctx->params.otstype));
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (sig_len != NULL) {
+ *sig_len = MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype);
+ }
+
+
+ return 0;
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/tf-psa-crypto/drivers/builtin/src/md.c b/tf-psa-crypto/drivers/builtin/src/md.c
new file mode 100644
index 0000000..7e0465d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/md.c
@@ -0,0 +1,1108 @@
+/**
+ * \file md.c
+ *
+ * \brief Generic message digest wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+/*
+ * Availability of functions in this module is controlled by two
+ * feature macros:
+ * - MBEDTLS_MD_C enables the whole module;
+ * - MBEDTLS_MD_LIGHT enables only functions for hashing and accessing
+ * most hash metadata (everything except string names); is it
+ * automatically set whenever MBEDTLS_MD_C is defined.
+ *
+ * In this file, functions from MD_LIGHT are at the top, MD_C at the end.
+ *
+ * In the future we may want to change the contract of some functions
+ * (behaviour with NULL arguments) depending on whether MD_C is defined or
+ * only MD_LIGHT. Also, the exact scope of MD_LIGHT might vary.
+ *
+ * For these reasons, we're keeping MD_LIGHT internal for now.
+ */
+#if defined(MBEDTLS_MD_LIGHT)
+
+#include "mbedtls/md.h"
+#include "md_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "mbedtls/md5.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/sha3.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include <psa/crypto.h>
+#include "md_psa.h"
+#include "psa_util_internal.h"
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+#include "psa_crypto_core.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/* See comment above MBEDTLS_MD_MAX_SIZE in md.h */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE
+#error "Internal error: MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#define MD_INFO(type, out_size, block_size) type, out_size, block_size,
+#else
+#define MD_INFO(type, out_size, block_size) type, out_size,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5)
+static const mbedtls_md_info_t mbedtls_md5_info = {
+ MD_INFO(MBEDTLS_MD_MD5, 16, 64)
+};
+#endif
+
+#if defined(PSA_WANT_ALG_RIPEMD160)
+static const mbedtls_md_info_t mbedtls_ripemd160_info = {
+ MD_INFO(MBEDTLS_MD_RIPEMD160, 20, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+static const mbedtls_md_info_t mbedtls_sha1_info = {
+ MD_INFO(MBEDTLS_MD_SHA1, 20, 64)
+};
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_224)
+static const mbedtls_md_info_t mbedtls_sha224_info = {
+ MD_INFO(MBEDTLS_MD_SHA224, 28, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static const mbedtls_md_info_t mbedtls_sha256_info = {
+ MD_INFO(MBEDTLS_MD_SHA256, 32, 64)
+};
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_384)
+static const mbedtls_md_info_t mbedtls_sha384_info = {
+ MD_INFO(MBEDTLS_MD_SHA384, 48, 128)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+static const mbedtls_md_info_t mbedtls_sha512_info = {
+ MD_INFO(MBEDTLS_MD_SHA512, 64, 128)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+static const mbedtls_md_info_t mbedtls_sha3_224_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_224, 28, 144)
+};
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_256)
+static const mbedtls_md_info_t mbedtls_sha3_256_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_256, 32, 136)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+static const mbedtls_md_info_t mbedtls_sha3_384_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_384, 48, 104)
+};
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_512)
+static const mbedtls_md_info_t mbedtls_sha3_512_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_512, 64, 72)
+};
+#endif
+
+const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
+{
+ switch (md_type) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_MD_MD5:
+ return &mbedtls_md5_info;
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ case MBEDTLS_MD_RIPEMD160:
+ return &mbedtls_ripemd160_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_MD_SHA1:
+ return &mbedtls_sha1_info;
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+ case MBEDTLS_MD_SHA224:
+ return &mbedtls_sha224_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return &mbedtls_sha256_info;
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+ case MBEDTLS_MD_SHA384:
+ return &mbedtls_sha384_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_MD_SHA512:
+ return &mbedtls_sha512_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ case MBEDTLS_MD_SHA3_224:
+ return &mbedtls_sha3_224_info;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+ case MBEDTLS_MD_SHA3_256:
+ return &mbedtls_sha3_256_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ case MBEDTLS_MD_SHA3_384:
+ return &mbedtls_sha3_384_info;
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+ case MBEDTLS_MD_SHA3_512:
+ return &mbedtls_sha3_512_info;
+#endif
+ default:
+ return NULL;
+ }
+}
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+static psa_algorithm_t psa_alg_of_md(const mbedtls_md_info_t *info)
+{
+ switch (info->type) {
+#if defined(MBEDTLS_MD_MD5_VIA_PSA)
+ case MBEDTLS_MD_MD5:
+ return PSA_ALG_MD5;
+#endif
+#if defined(MBEDTLS_MD_RIPEMD160_VIA_PSA)
+ case MBEDTLS_MD_RIPEMD160:
+ return PSA_ALG_RIPEMD160;
+#endif
+#if defined(MBEDTLS_MD_SHA1_VIA_PSA)
+ case MBEDTLS_MD_SHA1:
+ return PSA_ALG_SHA_1;
+#endif
+#if defined(MBEDTLS_MD_SHA224_VIA_PSA)
+ case MBEDTLS_MD_SHA224:
+ return PSA_ALG_SHA_224;
+#endif
+#if defined(MBEDTLS_MD_SHA256_VIA_PSA)
+ case MBEDTLS_MD_SHA256:
+ return PSA_ALG_SHA_256;
+#endif
+#if defined(MBEDTLS_MD_SHA384_VIA_PSA)
+ case MBEDTLS_MD_SHA384:
+ return PSA_ALG_SHA_384;
+#endif
+#if defined(MBEDTLS_MD_SHA512_VIA_PSA)
+ case MBEDTLS_MD_SHA512:
+ return PSA_ALG_SHA_512;
+#endif
+#if defined(MBEDTLS_MD_SHA3_224_VIA_PSA)
+ case MBEDTLS_MD_SHA3_224:
+ return PSA_ALG_SHA3_224;
+#endif
+#if defined(MBEDTLS_MD_SHA3_256_VIA_PSA)
+ case MBEDTLS_MD_SHA3_256:
+ return PSA_ALG_SHA3_256;
+#endif
+#if defined(MBEDTLS_MD_SHA3_384_VIA_PSA)
+ case MBEDTLS_MD_SHA3_384:
+ return PSA_ALG_SHA3_384;
+#endif
+#if defined(MBEDTLS_MD_SHA3_512_VIA_PSA)
+ case MBEDTLS_MD_SHA3_512:
+ return PSA_ALG_SHA3_512;
+#endif
+ default:
+ return PSA_ALG_NONE;
+ }
+}
+
+static int md_can_use_psa(const mbedtls_md_info_t *info)
+{
+ psa_algorithm_t alg = psa_alg_of_md(info);
+ if (alg == PSA_ALG_NONE) {
+ return 0;
+ }
+
+ return psa_can_do_hash(alg);
+}
+#endif /* MBEDTLS_MD_SOME_PSA */
+
+void mbedtls_md_init(mbedtls_md_context_t *ctx)
+{
+ /* Note: this sets engine (if present) to MBEDTLS_MD_ENGINE_LEGACY */
+ memset(ctx, 0, sizeof(mbedtls_md_context_t));
+}
+
+void mbedtls_md_free(mbedtls_md_context_t *ctx)
+{
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return;
+ }
+
+ if (ctx->md_ctx != NULL) {
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_hash_abort(ctx->md_ctx);
+ } else
+#endif
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ mbedtls_md5_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ mbedtls_ripemd160_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ mbedtls_sha1_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ mbedtls_sha256_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ mbedtls_sha256_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ mbedtls_sha512_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ mbedtls_sha512_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ mbedtls_sha3_free(ctx->md_ctx);
+ break;
+#endif
+ default:
+ /* Shouldn't happen */
+ break;
+ }
+ mbedtls_free(ctx->md_ctx);
+ }
+
+#if defined(MBEDTLS_MD_C)
+ if (ctx->hmac_ctx != NULL) {
+ mbedtls_zeroize_and_free(ctx->hmac_ctx,
+ 2 * ctx->md_info->block_size);
+ }
+#endif
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md_context_t));
+}
+
+int mbedtls_md_clone(mbedtls_md_context_t *dst,
+ const mbedtls_md_context_t *src)
+{
+ if (dst == NULL || dst->md_info == NULL ||
+ src == NULL || src->md_info == NULL ||
+ dst->md_info != src->md_info) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (src->engine != dst->engine) {
+ /* This can happen with src set to legacy because PSA wasn't ready
+ * yet, and dst to PSA because it became ready in the meantime.
+ * We currently don't support that case (we'd need to re-allocate
+ * md_ctx to the size of the appropriate MD context). */
+ return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+ }
+
+ if (src->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_status_t status = psa_hash_clone(src->md_ctx, dst->md_ctx);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (src->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ mbedtls_md5_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ mbedtls_ripemd160_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ mbedtls_sha1_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ mbedtls_sha3_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+#define ALLOC(type) \
+ do { \
+ ctx->md_ctx = mbedtls_calloc(1, sizeof(mbedtls_##type##_context)); \
+ if (ctx->md_ctx == NULL) \
+ return MBEDTLS_ERR_MD_ALLOC_FAILED; \
+ mbedtls_##type##_init(ctx->md_ctx); \
+ } \
+ while (0)
+
+int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ ctx->md_info = md_info;
+ ctx->md_ctx = NULL;
+#if defined(MBEDTLS_MD_C)
+ ctx->hmac_ctx = NULL;
+#else
+ if (hmac != 0) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (md_can_use_psa(ctx->md_info)) {
+ ctx->md_ctx = mbedtls_calloc(1, sizeof(psa_hash_operation_t));
+ if (ctx->md_ctx == NULL) {
+ return MBEDTLS_ERR_MD_ALLOC_FAILED;
+ }
+ ctx->engine = MBEDTLS_MD_ENGINE_PSA;
+ } else
+#endif
+ switch (md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ ALLOC(md5);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ ALLOC(ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ ALLOC(sha1);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ ALLOC(sha256);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ ALLOC(sha256);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ ALLOC(sha512);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ ALLOC(sha512);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ ALLOC(sha3);
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_C)
+ if (hmac != 0) {
+ ctx->hmac_ctx = mbedtls_calloc(2, md_info->block_size);
+ if (ctx->hmac_ctx == NULL) {
+ mbedtls_md_free(ctx);
+ return MBEDTLS_ERR_MD_ALLOC_FAILED;
+ }
+ }
+#endif
+
+ return 0;
+}
+#undef ALLOC
+
+int mbedtls_md_starts(mbedtls_md_context_t *ctx)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_algorithm_t alg = psa_alg_of_md(ctx->md_info);
+ psa_hash_abort(ctx->md_ctx);
+ psa_status_t status = psa_hash_setup(ctx->md_ctx, alg);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_starts(ctx->md_ctx, 1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_starts(ctx->md_ctx, 0);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_starts(ctx->md_ctx, 1);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_starts(ctx->md_ctx, 0);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_224);
+ case MBEDTLS_MD_SHA3_256:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_256);
+ case MBEDTLS_MD_SHA3_384:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_384);
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_512);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_status_t status = psa_hash_update(ctx->md_ctx, input, ilen);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_update(ctx->md_ctx, input, ilen);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ size_t size = ctx->md_info->size;
+ psa_status_t status = psa_hash_finish(ctx->md_ctx,
+ output, size, &size);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_finish(ctx->md_ctx, output, ctx->md_info->size);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (md_can_use_psa(md_info)) {
+ size_t size = md_info->size;
+ psa_status_t status = psa_hash_compute(psa_alg_of_md(md_info),
+ input, ilen,
+ output, size, &size);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5(input, ilen, output);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160(input, ilen, output);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1(input, ilen, output);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256(input, ilen, output, 1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256(input, ilen, output, 0);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512(input, ilen, output, 1);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512(input, ilen, output, 0);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ return mbedtls_sha3(MBEDTLS_SHA3_224, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_256:
+ return mbedtls_sha3(MBEDTLS_SHA3_256, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_384:
+ return mbedtls_sha3(MBEDTLS_SHA3_384, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3(MBEDTLS_SHA3_512, input, ilen, output, md_info->size);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return 0;
+ }
+
+ return md_info->size;
+}
+
+mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return MBEDTLS_MD_NONE;
+ }
+
+ return md_info->type;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+int mbedtls_md_error_from_psa(psa_status_t status)
+{
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
+ psa_generic_status_to_mbedtls);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+
+/************************************************************************
+ * Functions above this separator are part of MBEDTLS_MD_LIGHT, *
+ * functions below are only available when MBEDTLS_MD_C is set. *
+ ************************************************************************/
+#if defined(MBEDTLS_MD_C)
+
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
+static const int supported_digests[] = {
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ MBEDTLS_MD_SHA512,
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_384)
+ MBEDTLS_MD_SHA384,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ MBEDTLS_MD_SHA256,
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+ MBEDTLS_MD_SHA224,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ MBEDTLS_MD_SHA1,
+#endif
+
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ MBEDTLS_MD_RIPEMD160,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5)
+ MBEDTLS_MD_MD5,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ MBEDTLS_MD_SHA3_224,
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_256)
+ MBEDTLS_MD_SHA3_256,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ MBEDTLS_MD_SHA3_384,
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_512)
+ MBEDTLS_MD_SHA3_512,
+#endif
+
+ MBEDTLS_MD_NONE
+};
+
+const int *mbedtls_md_list(void)
+{
+ return supported_digests;
+}
+
+typedef struct {
+ const char *md_name;
+ mbedtls_md_type_t md_type;
+} md_name_entry;
+
+static const md_name_entry md_names[] = {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ { "MD5", MBEDTLS_MD_MD5 },
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ { "RIPEMD160", MBEDTLS_MD_RIPEMD160 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { "SHA1", MBEDTLS_MD_SHA1 },
+ { "SHA", MBEDTLS_MD_SHA1 }, // compatibility fallback
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+ { "SHA224", MBEDTLS_MD_SHA224 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { "SHA256", MBEDTLS_MD_SHA256 },
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+ { "SHA384", MBEDTLS_MD_SHA384 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ { "SHA512", MBEDTLS_MD_SHA512 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ { "SHA3-224", MBEDTLS_MD_SHA3_224 },
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+ { "SHA3-256", MBEDTLS_MD_SHA3_256 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ { "SHA3-384", MBEDTLS_MD_SHA3_384 },
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+ { "SHA3-512", MBEDTLS_MD_SHA3_512 },
+#endif
+ { NULL, MBEDTLS_MD_NONE },
+};
+
+const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name)
+{
+ if (NULL == md_name) {
+ return NULL;
+ }
+
+ const md_name_entry *entry = md_names;
+ while (entry->md_name != NULL &&
+ strcmp(entry->md_name, md_name) != 0) {
+ ++entry;
+ }
+
+ return mbedtls_md_info_from_type(entry->md_type);
+}
+
+const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return NULL;
+ }
+
+ const md_name_entry *entry = md_names;
+ while (entry->md_type != MBEDTLS_MD_NONE &&
+ entry->md_type != md_info->type) {
+ ++entry;
+ }
+
+ return entry->md_name;
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
+ const mbedtls_md_context_t *ctx)
+{
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ return ctx->MBEDTLS_PRIVATE(md_info);
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f;
+ size_t n;
+ mbedtls_md_context_t ctx;
+ unsigned char buf[1024];
+
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_MD_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_starts(&ctx)) != 0) {
+ goto cleanup;
+ }
+
+ while ((n = fread(buf, 1, sizeof(buf), f)) > 0) {
+ if ((ret = mbedtls_md_update(&ctx, buf, n)) != 0) {
+ goto cleanup;
+ }
+ }
+
+ if (ferror(f) != 0) {
+ ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
+ } else {
+ ret = mbedtls_md_finish(&ctx, output);
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ fclose(f);
+ mbedtls_md_free(&ctx);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char sum[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *ipad, *opad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ if (keylen > (size_t) ctx->md_info->block_size) {
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_update(ctx, key, keylen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_finish(ctx, sum)) != 0) {
+ goto cleanup;
+ }
+
+ keylen = ctx->md_info->size;
+ key = sum;
+ }
+
+ ipad = (unsigned char *) ctx->hmac_ctx;
+ opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+ memset(ipad, 0x36, ctx->md_info->block_size);
+ memset(opad, 0x5C, ctx->md_info->block_size);
+
+ mbedtls_xor(ipad, ipad, key, keylen);
+ mbedtls_xor(opad, opad, key, keylen);
+
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_update(ctx, ipad,
+ ctx->md_info->block_size)) != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(sum, sizeof(sum));
+
+ return ret;
+}
+
+int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
+{
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_md_update(ctx, input, ilen);
+}
+
+int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *opad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+ if ((ret = mbedtls_md_finish(ctx, tmp)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_update(ctx, opad,
+ ctx->md_info->block_size)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_update(ctx, tmp,
+ ctx->md_info->size)) != 0) {
+ return ret;
+ }
+ return mbedtls_md_finish(ctx, output);
+}
+
+int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *ipad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ ipad = (unsigned char *) ctx->hmac_ctx;
+
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ return ret;
+ }
+ return mbedtls_md_update(ctx, ipad, ctx->md_info->block_size);
+}
+
+int mbedtls_md_hmac(const mbedtls_md_info_t *md_info,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ mbedtls_md_context_t ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md_info, 1)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_starts(&ctx, key, keylen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx, input, ilen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx, output)) != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_md_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_MD_C */
+
+#endif /* MBEDTLS_MD_LIGHT */
diff --git a/tf-psa-crypto/drivers/builtin/src/md5.c b/tf-psa-crypto/drivers/builtin/src/md5.c
new file mode 100644
index 0000000..e4a87a2
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/md5.c
@@ -0,0 +1,426 @@
+/*
+ * RFC 1321 compliant MD5 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The MD5 algorithm was designed by Ron Rivest in 1991.
+ *
+ * http://www.ietf.org/rfc/rfc1321.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MD5_C)
+
+#include "mbedtls/md5.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_MD5_ALT)
+
+void mbedtls_md5_init(mbedtls_md5_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_md5_context));
+}
+
+void mbedtls_md5_free(mbedtls_md5_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md5_context));
+}
+
+void mbedtls_md5_clone(mbedtls_md5_context *dst,
+ const mbedtls_md5_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * MD5 context setup
+ */
+int mbedtls_md5_starts(mbedtls_md5_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_MD5_PROCESS_ALT)
+int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t X[16], A, B, C, D;
+ } local;
+
+ local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
+ local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
+ local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
+ local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
+ local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
+ local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
+ local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
+ local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
+ local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
+ local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
+ local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
+ local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
+ local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
+ local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
+ local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
+ local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
+
+#define S(x, n) \
+ (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define P(a, b, c, d, k, s, t) \
+ do \
+ { \
+ (a) += F((b), (c), (d)) + local.X[(k)] + (t); \
+ (a) = S((a), (s)) + (b); \
+ } while (0)
+
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
+
+#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+ P(local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478);
+ P(local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756);
+ P(local.C, local.D, local.A, local.B, 2, 17, 0x242070DB);
+ P(local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE);
+ P(local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF);
+ P(local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A);
+ P(local.C, local.D, local.A, local.B, 6, 17, 0xA8304613);
+ P(local.B, local.C, local.D, local.A, 7, 22, 0xFD469501);
+ P(local.A, local.B, local.C, local.D, 8, 7, 0x698098D8);
+ P(local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF);
+ P(local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1);
+ P(local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE);
+ P(local.A, local.B, local.C, local.D, 12, 7, 0x6B901122);
+ P(local.D, local.A, local.B, local.C, 13, 12, 0xFD987193);
+ P(local.C, local.D, local.A, local.B, 14, 17, 0xA679438E);
+ P(local.B, local.C, local.D, local.A, 15, 22, 0x49B40821);
+
+#undef F
+
+#define F(x, y, z) ((y) ^ ((z) & ((x) ^ (y))))
+
+ P(local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562);
+ P(local.D, local.A, local.B, local.C, 6, 9, 0xC040B340);
+ P(local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51);
+ P(local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA);
+ P(local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D);
+ P(local.D, local.A, local.B, local.C, 10, 9, 0x02441453);
+ P(local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681);
+ P(local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8);
+ P(local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6);
+ P(local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6);
+ P(local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87);
+ P(local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED);
+ P(local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905);
+ P(local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8);
+ P(local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9);
+ P(local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A);
+
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+
+ P(local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942);
+ P(local.D, local.A, local.B, local.C, 8, 11, 0x8771F681);
+ P(local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122);
+ P(local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C);
+ P(local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44);
+ P(local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9);
+ P(local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60);
+ P(local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70);
+ P(local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6);
+ P(local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA);
+ P(local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085);
+ P(local.B, local.C, local.D, local.A, 6, 23, 0x04881D05);
+ P(local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039);
+ P(local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5);
+ P(local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8);
+ P(local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665);
+
+#undef F
+
+#define F(x, y, z) ((y) ^ ((x) | ~(z)))
+
+ P(local.A, local.B, local.C, local.D, 0, 6, 0xF4292244);
+ P(local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97);
+ P(local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7);
+ P(local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039);
+ P(local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3);
+ P(local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92);
+ P(local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D);
+ P(local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1);
+ P(local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F);
+ P(local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0);
+ P(local.C, local.D, local.A, local.B, 6, 15, 0xA3014314);
+ P(local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1);
+ P(local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82);
+ P(local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235);
+ P(local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB);
+ P(local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391);
+
+#undef F
+
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_MD5_PROCESS_ALT */
+
+/*
+ * MD5 process buffer
+ */
+int mbedtls_md5_update(mbedtls_md5_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_md5_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * MD5 final digest
+ */
+int mbedtls_md5_finish(mbedtls_md5_context *ctx,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, 64 - used);
+
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_LE(low, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_LE(high, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
+
+ ret = 0;
+
+exit:
+ mbedtls_md5_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_MD5_ALT */
+
+/*
+ * output = MD5( input buffer )
+ */
+int mbedtls_md5(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md5_context ctx;
+
+ mbedtls_md5_init(&ctx);
+
+ if ((ret = mbedtls_md5_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md5_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md5_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_md5_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * RFC 1321 test vectors
+ */
+static const unsigned char md5_test_buf[7][81] =
+{
+ { "" },
+ { "a" },
+ { "abc" },
+ { "message digest" },
+ { "abcdefghijklmnopqrstuvwxyz" },
+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
+};
+
+static const size_t md5_test_buflen[7] =
+{
+ 0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md5_test_sum[7][16] =
+{
+ { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
+ 0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
+ { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
+ 0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
+ { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
+ 0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
+ { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
+ 0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
+ { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
+ 0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
+ { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
+ 0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
+ { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
+ 0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md5_self_test(int verbose)
+{
+ int i, ret = 0;
+ unsigned char md5sum[16];
+
+ for (i = 0; i < 7; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" MD5 test #%d: ", i + 1);
+ }
+
+ ret = mbedtls_md5(md5_test_buf[i], md5_test_buflen[i], md5sum);
+ if (ret != 0) {
+ goto fail;
+ }
+
+ if (memcmp(md5sum, md5_test_sum[i], 16) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD5_C */
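Review bot: In `mbedtls_md5_update`, `ctx->total[0] += (uint32_t) ilen;` drops the upper bits of `ilen` on platforms where `size_t` is wider than 32 bits. A single call with 4 GiB or more of input still hashes every byte in the `while (ilen >= 64)` loop, but `mbedtls_md5_finish` then encodes an under-counted length in the padding, so the digest does not match the data. Only the carry out of the low word reaches `total[1]`; adding `ctx->total[1] += (uint32_t) ((uint64_t) ilen >> 32);` after the carry check would keep the 64-bit count correct. This assumes `total` is a pair of 32-bit words, which the `0xFFFFFFFF` masking suggests; the context declaration is not part of this hunk.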
diff --git a/tf-psa-crypto/drivers/builtin/src/md_psa.h b/tf-psa-crypto/drivers/builtin/src/md_psa.h
new file mode 100644
index 0000000..028ba24
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/md_psa.h
@@ -0,0 +1,26 @@
+/**
+ * Translation between MD and PSA identifiers (algorithms, errors).
+ *
+ * Note: this internal module will go away when everything becomes based on
+ * PSA Crypto; it is a helper for the transition period.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MD_PSA_H
+#define MBEDTLS_MD_PSA_H
+
+#include "common.h"
+
+#include "mbedtls/md.h"
+#include "psa/crypto.h"
+
+/** Convert PSA status to MD error code.
+ *
+ * \param status PSA status.
+ *
+ * \return The corresponding MD error code,
+ */
+int mbedtls_md_error_from_psa(psa_status_t status);
+
+#endif /* MBEDTLS_MD_PSA_H */
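Review bot: `mbedtls_md_error_from_psa` is declared unconditionally here, while the definition shown earlier on this page appears to sit inside `#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)`. If so, a caller in a build without that option would compile and then fail at link time. Either guard the prototype the same way or state the condition in the comment, e.g. `\note Only defined when MBEDTLS_PSA_CRYPTO_CLIENT is enabled.` The `\return` line also ends in a dangling comma; `\return The corresponding MD error code.` reads as finished.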
diff --git a/tf-psa-crypto/drivers/builtin/src/md_wrap.h b/tf-psa-crypto/drivers/builtin/src/md_wrap.h
new file mode 100644
index 0000000..dad1235
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/md_wrap.h
@@ -0,0 +1,46 @@
+/**
+ * \file md_wrap.h
+ *
+ * \brief Message digest wrappers.
+ *
+ * \warning This in an internal header. Do not include directly.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MD_WRAP_H
+#define MBEDTLS_MD_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Message digest information.
+ * Allows message digest functions to be called in a generic way.
+ */
+struct mbedtls_md_info_t {
+ /** Digest identifier */
+ mbedtls_md_type_t type;
+
+ /** Output length of the digest function in bytes */
+ unsigned char size;
+
+#if defined(MBEDTLS_MD_C)
+ /** Block length of the digest function in bytes */
+ unsigned char block_size;
+#endif
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_WRAP_H */
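Review bot: The `\warning` line in the file comment has a typo, `This in an internal header`; it should read `\warning This is an internal header. Do not include directly.` The comment on `struct mbedtls_md_info_t` could also say that `block_size` exists only when `MBEDTLS_MD_C` is defined, so the struct's layout depends on the build configuration. A one-line addition such as `/* Layout depends on MBEDTLS_MD_C; all users must be built with the same configuration. */` would make that explicit for anyone touching this internal type.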
diff --git a/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c b/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c
new file mode 100644
index 0000000..79b0a8b
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/memory_buffer_alloc.c
@@ -0,0 +1,745 @@
+/*
+ * Buffer-based memory allocator
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#define MAGIC1 0xFF00AA55
+#define MAGIC2 0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header {
+ size_t magic1;
+ size_t size;
+ size_t alloc;
+ memory_header *prev;
+ memory_header *next;
+ memory_header *prev_free;
+ memory_header *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ char **trace;
+ size_t trace_count;
+#endif
+ size_t magic2;
+};
+
+typedef struct {
+ unsigned char *buf;
+ size_t len;
+ memory_header *first;
+ memory_header *first_free;
+ int verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ size_t alloc_count;
+ size_t free_count;
+ size_t total_used;
+ size_t maximum_used;
+ size_t header_count;
+ size_t maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header(memory_header *hdr)
+{
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ size_t i;
+#endif
+
+ mbedtls_fprintf(stderr, "HDR: PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+ "ALLOC(%zu), SIZE(%10zu)\n",
+ (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+ hdr->alloc, hdr->size);
+ mbedtls_fprintf(stderr, " FPREV(%10zu), FNEXT(%10zu)\n",
+ (size_t) hdr->prev_free, (size_t) hdr->next_free);
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ mbedtls_fprintf(stderr, "TRACE: \n");
+ for (i = 0; i < hdr->trace_count; i++) {
+ mbedtls_fprintf(stderr, "%s\n", hdr->trace[i]);
+ }
+ mbedtls_fprintf(stderr, "\n");
+#endif
+}
+
+static void debug_chain(void)
+{
+ memory_header *cur = heap.first;
+
+ mbedtls_fprintf(stderr, "\nBlock list\n");
+ while (cur != NULL) {
+ debug_header(cur);
+ cur = cur->next;
+ }
+
+ mbedtls_fprintf(stderr, "Free list\n");
+ cur = heap.first_free;
+
+ while (cur != NULL) {
+ debug_header(cur);
+ cur = cur->next_free;
+ }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header(memory_header *hdr)
+{
+ if (hdr->magic1 != MAGIC1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: MAGIC1 mismatch\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->magic2 != MAGIC2) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: MAGIC2 mismatch\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->alloc > 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: alloc has illegal value\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->prev != NULL && hdr->prev == hdr->next) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: prev == next\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->prev_free != NULL && hdr->prev_free == hdr->next_free) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: prev_free == next_free\n");
+#endif
+ return 1;
+ }
+
+ return 0;
+}
+
+static int verify_chain(void)
+{
+ memory_header *prv = heap.first, *cur;
+
+ if (prv == NULL || verify_header(prv) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification of first header "
+ "failed\n");
+#endif
+ return 1;
+ }
+
+ if (heap.first->prev != NULL) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification failed: "
+ "first->prev != NULL\n");
+#endif
+ return 1;
+ }
+
+ cur = heap.first->next;
+
+ while (cur != NULL) {
+ if (verify_header(cur) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification of header "
+ "failed\n");
+#endif
+ return 1;
+ }
+
+ if (cur->prev != prv) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification failed: "
+ "cur->prev != prv\n");
+#endif
+ return 1;
+ }
+
+ prv = cur;
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+static void *buffer_alloc_calloc(size_t n, size_t size)
+{
+ memory_header *new, *cur = heap.first_free;
+ unsigned char *p;
+ void *ret;
+ size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ void *trace_buffer[MAX_BT];
+ size_t trace_cnt;
+#endif
+
+ if (heap.buf == NULL || heap.first == NULL) {
+ return NULL;
+ }
+
+ original_len = len = n * size;
+
+ if (n == 0 || size == 0 || len / n != size) {
+ return NULL;
+ } else if (len > (size_t) -MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ return NULL;
+ }
+
+ if (len % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ }
+
+ // Find block that fits
+ //
+ while (cur != NULL) {
+ if (cur->size >= len) {
+ break;
+ }
+
+ cur = cur->next_free;
+ }
+
+ if (cur == NULL) {
+ return NULL;
+ }
+
+ if (cur->alloc != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: block in free_list but allocated "
+ "data\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.alloc_count++;
+#endif
+
+ // Found location, split block if > memory_header + 4 room left
+ //
+ if (cur->size - len < sizeof(memory_header) +
+ MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ cur->alloc = 1;
+
+ // Remove from free_list
+ //
+ if (cur->prev_free != NULL) {
+ cur->prev_free->next_free = cur->next_free;
+ } else {
+ heap.first_free = cur->next_free;
+ }
+
+ if (cur->next_free != NULL) {
+ cur->next_free->prev_free = cur->prev_free;
+ }
+
+ cur->prev_free = NULL;
+ cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.total_used += cur->size;
+ if (heap.total_used > heap.maximum_used) {
+ heap.maximum_used = heap.total_used;
+ }
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ trace_cnt = backtrace(trace_buffer, MAX_BT);
+ cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+ cur->trace_count = trace_cnt;
+#endif
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+
+ ret = (unsigned char *) cur + sizeof(memory_header);
+ memset(ret, 0, original_len);
+
+ return ret;
+ }
+
+ p = ((unsigned char *) cur) + sizeof(memory_header) + len;
+ new = (memory_header *) p;
+
+ new->size = cur->size - len - sizeof(memory_header);
+ new->alloc = 0;
+ new->prev = cur;
+ new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ new->trace = NULL;
+ new->trace_count = 0;
+#endif
+ new->magic1 = MAGIC1;
+ new->magic2 = MAGIC2;
+
+ if (new->next != NULL) {
+ new->next->prev = new;
+ }
+
+ // Replace cur with new in free_list
+ //
+ new->prev_free = cur->prev_free;
+ new->next_free = cur->next_free;
+ if (new->prev_free != NULL) {
+ new->prev_free->next_free = new;
+ } else {
+ heap.first_free = new;
+ }
+
+ if (new->next_free != NULL) {
+ new->next_free->prev_free = new;
+ }
+
+ cur->alloc = 1;
+ cur->size = len;
+ cur->next = new;
+ cur->prev_free = NULL;
+ cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count++;
+ if (heap.header_count > heap.maximum_header_count) {
+ heap.maximum_header_count = heap.header_count;
+ }
+ heap.total_used += cur->size;
+ if (heap.total_used > heap.maximum_used) {
+ heap.maximum_used = heap.total_used;
+ }
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ trace_cnt = backtrace(trace_buffer, MAX_BT);
+ cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+ cur->trace_count = trace_cnt;
+#endif
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+
+ ret = (unsigned char *) cur + sizeof(memory_header);
+ memset(ret, 0, original_len);
+
+ return ret;
+}
+
+static void buffer_alloc_free(void *ptr)
+{
+ memory_header *hdr, *old = NULL;
+ unsigned char *p = (unsigned char *) ptr;
+
+ if (ptr == NULL || heap.buf == NULL || heap.first == NULL) {
+ return;
+ }
+
+ if (p < heap.buf || p >= heap.buf + heap.len) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: mbedtls_free() outside of managed "
+ "space\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+ p -= sizeof(memory_header);
+ hdr = (memory_header *) p;
+
+ if (verify_header(hdr) != 0) {
+ mbedtls_exit(1);
+ }
+
+ if (hdr->alloc != 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: mbedtls_free() on unallocated "
+ "data\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+ hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.free_count++;
+ heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ free(hdr->trace);
+ hdr->trace = NULL;
+ hdr->trace_count = 0;
+#endif
+
+ // Regroup with block before
+ //
+ if (hdr->prev != NULL && hdr->prev->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count--;
+#endif
+ hdr->prev->size += sizeof(memory_header) + hdr->size;
+ hdr->prev->next = hdr->next;
+ old = hdr;
+ hdr = hdr->prev;
+
+ if (hdr->next != NULL) {
+ hdr->next->prev = hdr;
+ }
+
+ memset(old, 0, sizeof(memory_header));
+ }
+
+ // Regroup with block after
+ //
+ if (hdr->next != NULL && hdr->next->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count--;
+#endif
+ hdr->size += sizeof(memory_header) + hdr->next->size;
+ old = hdr->next;
+ hdr->next = hdr->next->next;
+
+ if (hdr->prev_free != NULL || hdr->next_free != NULL) {
+ if (hdr->prev_free != NULL) {
+ hdr->prev_free->next_free = hdr->next_free;
+ } else {
+ heap.first_free = hdr->next_free;
+ }
+
+ if (hdr->next_free != NULL) {
+ hdr->next_free->prev_free = hdr->prev_free;
+ }
+ }
+
+ hdr->prev_free = old->prev_free;
+ hdr->next_free = old->next_free;
+
+ if (hdr->prev_free != NULL) {
+ hdr->prev_free->next_free = hdr;
+ } else {
+ heap.first_free = hdr;
+ }
+
+ if (hdr->next_free != NULL) {
+ hdr->next_free->prev_free = hdr;
+ }
+
+ if (hdr->next != NULL) {
+ hdr->next->prev = hdr;
+ }
+
+ memset(old, 0, sizeof(memory_header));
+ }
+
+ // Prepend to free_list if we have not merged
+ // (Does not have to stay in same order as prev / next list)
+ //
+ if (old == NULL) {
+ hdr->next_free = heap.first_free;
+ if (heap.first_free != NULL) {
+ heap.first_free->prev_free = hdr;
+ }
+ heap.first_free = hdr;
+ }
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_FREE) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+}
+
+void mbedtls_memory_buffer_set_verify(int verify)
+{
+ heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify(void)
+{
+ return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status(void)
+{
+ mbedtls_fprintf(stderr,
+ "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+ "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+ heap.header_count, heap.total_used,
+ heap.maximum_header_count, heap.maximum_used,
+ heap.maximum_header_count * sizeof(memory_header)
+ + heap.maximum_used,
+ heap.alloc_count, heap.free_count);
+
+ if (heap.first->next == NULL) {
+ mbedtls_fprintf(stderr, "All memory de-allocated in stack buffer\n");
+ } else {
+ mbedtls_fprintf(stderr, "Memory currently allocated:\n");
+ debug_chain();
+ }
+}
+
+void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count)
+{
+ *alloc_count = heap.alloc_count;
+ *free_count = heap.free_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks)
+{
+ *max_used = heap.maximum_used;
+ *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset(void)
+{
+ heap.maximum_used = 0;
+ heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks)
+{
+ *cur_used = heap.total_used;
+ *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed(size_t n, size_t size)
+{
+ void *buf;
+ if (mbedtls_mutex_lock(&heap.mutex) != 0) {
+ return NULL;
+ }
+ buf = buffer_alloc_calloc(n, size);
+ if (mbedtls_mutex_unlock(&heap.mutex)) {
+ return NULL;
+ }
+ return buf;
+}
+
+static void buffer_alloc_free_mutexed(void *ptr)
+{
+ /* We have no good option here, but corrupting the heap seems
+ * worse than losing memory. */
+ if (mbedtls_mutex_lock(&heap.mutex)) {
+ return;
+ }
+ buffer_alloc_free(ptr);
+ (void) mbedtls_mutex_unlock(&heap.mutex);
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len)
+{
+ memset(&heap, 0, sizeof(buffer_alloc_ctx));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&heap.mutex);
+ mbedtls_platform_set_calloc_free(buffer_alloc_calloc_mutexed,
+ buffer_alloc_free_mutexed);
+#else
+ mbedtls_platform_set_calloc_free(buffer_alloc_calloc, buffer_alloc_free);
+#endif
+
+ if (len < sizeof(memory_header) + MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ return;
+ } else if ((size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ /* Adjust len first since buf is used in the computation */
+ len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+ - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+ - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ }
+
+ memset(buf, 0, len);
+
+ heap.buf = buf;
+ heap.len = len;
+
+ heap.first = (memory_header *) buf;
+ heap.first->size = len - sizeof(memory_header);
+ heap.first->magic1 = MAGIC1;
+ heap.first->magic2 = MAGIC2;
+ heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free(void)
+{
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&heap.mutex);
+#endif
+ mbedtls_platform_zeroize(&heap, sizeof(buffer_alloc_ctx));
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer(void *p)
+{
+ if (p == NULL) {
+ return -1;
+ }
+
+ if ((size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int check_all_free(void)
+{
+ if (
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.total_used != 0 ||
+#endif
+ heap.first != heap.first_free ||
+ (void *) heap.first != (void *) heap.buf) {
+ return -1;
+ }
+
+ return 0;
+}
+
+#define TEST_ASSERT(condition) \
+ if (!(condition)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ \
+ ret = 1; \
+ goto cleanup; \
+ }
+
+int mbedtls_memory_buffer_alloc_self_test(int verbose)
+{
+ unsigned char buf[1024];
+ unsigned char *p, *q, *r, *end;
+ int ret = 0;
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #1 (basic alloc-free cycle): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+ p = mbedtls_calloc(1, 1);
+ q = mbedtls_calloc(1, 128);
+ r = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 &&
+ check_pointer(q) == 0 &&
+ check_pointer(r) == 0);
+
+ mbedtls_free(r);
+ mbedtls_free(q);
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ /* Memorize end to compare with the next test */
+ end = heap.buf + heap.len;
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #2 (buf not aligned): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf + 1, sizeof(buf) - 1);
+
+ TEST_ASSERT(heap.buf + heap.len == end);
+
+ p = mbedtls_calloc(1, 1);
+ q = mbedtls_calloc(1, 128);
+ r = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 &&
+ check_pointer(q) == 0 &&
+ check_pointer(r) == 0);
+
+ mbedtls_free(r);
+ mbedtls_free(q);
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #3 (full): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+ p = mbedtls_calloc(1, sizeof(buf) - sizeof(memory_header));
+
+ TEST_ASSERT(check_pointer(p) == 0);
+ TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+ mbedtls_free(p);
+
+ p = mbedtls_calloc(1, sizeof(buf) - 2 * sizeof(memory_header) - 16);
+ q = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 && check_pointer(q) == 0);
+ TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+ mbedtls_free(q);
+
+ TEST_ASSERT(mbedtls_calloc(1, 17) == NULL);
+
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+ mbedtls_memory_buffer_alloc_free();
+
+ return ret;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/nist_kw.c b/tf-psa-crypto/drivers/builtin/src/nist_kw.c
new file mode 100644
index 0000000..8faafe4
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/nist_kw.c
@@ -0,0 +1,729 @@
+/*
+ * Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ * only
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+#include "constant_time_internal.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH 8
+#define MIN_SEMIBLOCKS_COUNT 3
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const unsigned char NIST_KW_ICV2[] = { 0xA6, 0x59, 0x59, 0xA6 };
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_nist_kw_context));
+}
+
+int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits,
+ const int is_wrap)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher,
+ keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+ * "For KW and KWP, the underlying block cipher shall be approved, and the
+ * block size shall be 128 bits. Currently, the AES block cipher, with key
+ * lengths of 128, 192, or 256 bits, is the only block cipher that fits
+ * this profile."
+ * Currently we don't support other 128 bit block ciphers for key wrapping,
+ * such as Camellia and Aria.
+ */
+ if (cipher != MBEDTLS_CIPHER_ID_AES) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ is_wrap ? MBEDTLS_ENCRYPT :
+ MBEDTLS_DECRYPT)
+ ) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context));
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t(unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t)
+{
+ size_t i = 0;
+ for (i = 0; i < sizeof(t); i++) {
+ A[i] ^= (t >> ((sizeof(t) - 1 - i) * 8)) & 0xff;
+ }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size)
+{
+ int ret = 0;
+ size_t semiblocks = 0;
+ size_t s;
+ size_t olen, padlen = 0;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+
+ *out_len = 0;
+ /*
+ * Generate the String to work on
+ */
+ if (mode == MBEDTLS_KW_MODE_KW) {
+ if (out_size < in_len + KW_SEMIBLOCK_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KW
+ * must be between 2 to 2^54-1 semiblocks inclusive.
+ */
+ if (in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+ in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH);
+ memmove(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+ } else {
+ if (in_len % 8 != 0) {
+ padlen = (8 - (in_len % 8));
+ }
+
+ if (out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KWP
+ * must be between 1 and 2^32-1 octets inclusive.
+ */
+ if (in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+ || in_len > 0xFFFFFFFF
+#endif
+ ) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2);
+ MBEDTLS_PUT_UINT32_BE((in_len & 0xffffffff), output,
+ KW_SEMIBLOCK_LENGTH / 2);
+
+ memcpy(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+ memset(output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen);
+ }
+ semiblocks = ((in_len + padlen) / KW_SEMIBLOCK_LENGTH) + 1;
+
+ s = 6 * (semiblocks - 1);
+
+ if (mode == MBEDTLS_KW_MODE_KWP
+ && in_len <= KW_SEMIBLOCK_LENGTH) {
+ memcpy(inbuff, output, 16);
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, output, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ } else {
+ unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+ unsigned char *A = output;
+
+ /*
+ * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+ */
+ if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+ ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* Calculate intermediate values */
+ for (t = 1; t <= s; t++) {
+ memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+ memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH);
+
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+ calc_a_xor_t(A, t);
+
+ memcpy(R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+ R2 += KW_SEMIBLOCK_LENGTH;
+ if (R2 >= output + (semiblocks * KW_SEMIBLOCK_LENGTH)) {
+ R2 = output + KW_SEMIBLOCK_LENGTH;
+ }
+ }
+ }
+
+ *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+ if (ret != 0) {
+ memset(output, 0, semiblocks * KW_SEMIBLOCK_LENGTH);
+ }
+ mbedtls_platform_zeroize(inbuff, KW_SEMIBLOCK_LENGTH * 2);
+ mbedtls_platform_zeroize(outbuff, KW_SEMIBLOCK_LENGTH * 2);
+
+ return ret;
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap(mbedtls_nist_kw_context *ctx,
+ const unsigned char *input, size_t semiblocks,
+ unsigned char A[KW_SEMIBLOCK_LENGTH],
+ unsigned char *output, size_t *out_len)
+{
+ int ret = 0;
+ const size_t s = 6 * (semiblocks - 1);
+ size_t olen;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char *R = NULL;
+ *out_len = 0;
+
+ if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(A, input, KW_SEMIBLOCK_LENGTH);
+ memmove(output, input + KW_SEMIBLOCK_LENGTH, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+ R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+
+ /* Calculate intermediate values */
+ for (t = s; t >= 1; t--) {
+ calc_a_xor_t(A, t);
+
+ memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+ memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH);
+
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+
+ /* Set R as LSB64 of outbuff */
+ memcpy(R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+
+ if (R == output) {
+ R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+ } else {
+ R -= KW_SEMIBLOCK_LENGTH;
+ }
+ }
+
+ *out_len = (semiblocks - 1) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+ if (ret != 0) {
+ memset(output, 0, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+ }
+ mbedtls_platform_zeroize(inbuff, sizeof(inbuff));
+ mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+
+ return ret;
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size)
+{
+ int ret = 0;
+ size_t olen;
+ unsigned char A[KW_SEMIBLOCK_LENGTH];
+ int diff;
+
+ *out_len = 0;
+ if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_KW_MODE_KW) {
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KW
+ * must be between 3 to 2^54 semiblocks inclusive.
+ */
+ if (in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+ in_len > 0x200000000000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_ct_memcmp(NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto cleanup;
+ }
+
+ } else if (mode == MBEDTLS_KW_MODE_KWP) {
+ size_t padlen = 0;
+ uint32_t Plen;
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KWP
+ * must be between 2 to 2^29 semiblocks inclusive.
+ */
+ if (in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+ in_len > 0x100000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (in_len == KW_SEMIBLOCK_LENGTH * 2) {
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ input, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+ memcpy(output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+ mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+ *out_len = KW_SEMIBLOCK_LENGTH;
+ } else {
+ /* in_len >= KW_SEMIBLOCK_LENGTH * 3 */
+ ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ }
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_ct_memcmp(NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ Plen = MBEDTLS_GET_UINT32_BE(A, KW_SEMIBLOCK_LENGTH / 2);
+
+ /*
+ * Plen is the length of the plaintext, when the input is valid.
+ * If Plen is larger than the plaintext and padding, padlen will be
+ * larger than 8, because of the type wrap around.
+ */
+ padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+ ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
+ MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
+ padlen &= 7;
+
+ /* Check padding in "constant-time" */
+ const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
+ diff = mbedtls_ct_memcmp_partial(
+ &output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
+ KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+ memset(output + Plen, 0, padlen);
+ *out_len = Plen;
+ } else {
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+
+cleanup:
+ if (ret != 0) {
+ memset(output, 0, *out_len);
+ *out_len = 0;
+ }
+
+ mbedtls_platform_zeroize(&diff, sizeof(diff));
+ mbedtls_platform_zeroize(A, sizeof(A));
+
+ return ret;
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[] = {
+ 16,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 24,
+ 32
+#endif
+};
+
+static const unsigned char kw_key[][32] = {
+ { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+ 0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+ 0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+ 0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+ { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+ 0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+ 0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+ 0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+#endif
+};
+
+static const unsigned char kw_msg[][40] = {
+ { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+ 0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+ 0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+ 0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+ 0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+ 0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+ { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+ 0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+ 0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+#endif
+};
+
+static const size_t kw_msg_len[] = {
+ 16,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 40,
+ 24
+#endif
+};
+static const size_t kw_out_len[] = {
+ 24,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 48,
+ 32
+#endif
+};
+static const unsigned char kw_res[][48] = {
+ { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+ 0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+ 0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+ 0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+ 0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+ 0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+ 0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+ 0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+ { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+ 0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+ 0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+ 0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+#endif
+};
+
+static const unsigned char kwp_key[][32] = {
+ { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+ 0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+ 0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+ 0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+ { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+ 0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+ 0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+ 0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+#endif
+};
+
+static const unsigned char kwp_msg[][31] = {
+ { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+ 0x96 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+ 0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+ 0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+ 0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+ { 0xd1 }
+#endif
+};
+static const size_t kwp_msg_len[] = {
+ 9,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 31,
+ 1
+#endif
+};
+
+static const unsigned char kwp_res[][48] = {
+ { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+ 0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+ 0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+ 0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+ 0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+ 0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+ 0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+ { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+ 0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4 }
+#endif
+};
+static const size_t kwp_out_len[] = {
+ 24,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 40,
+ 16
+#endif
+};
+
+int mbedtls_nist_kw_self_test(int verbose)
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char out[48];
+ size_t olen;
+ int i;
+ int ret = 0;
+ mbedtls_nist_kw_init(&ctx);
+
+ /*
+ * KW mode
+ */
+ {
+ static const int num_tests = sizeof(kw_key) / sizeof(*kw_key);
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW-AES-%u ", (unsigned int) key_len[i] * 8);
+ }
+
+ ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 1);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+ kw_msg_len[i], out, &olen, sizeof(out));
+ if (ret != 0 || kw_out_len[i] != olen ||
+ memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 0))
+ != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
+ out, olen, out, &olen, sizeof(out));
+
+ if (ret != 0 || olen != kw_msg_len[i] ||
+ memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" passed\n");
+ }
+ }
+ }
+
+ /*
+ * KWP mode
+ */
+ {
+ static const int num_tests = sizeof(kwp_key) / sizeof(*kwp_key);
+
+ for (i = 0; i < num_tests; i++) {
+ olen = sizeof(out);
+ if (verbose != 0) {
+ mbedtls_printf(" KWP-AES-%u ", (unsigned int) key_len[i] * 8);
+ }
+
+ ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+ key_len[i] * 8, 1);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KWP: setup failed ");
+ }
+
+ goto end;
+ }
+ ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+ kwp_msg_len[i], out, &olen, sizeof(out));
+
+ if (ret != 0 || kwp_out_len[i] != olen ||
+ memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kwp_key[i], key_len[i] * 8, 0))
+ != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KWP: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
+ olen, out, &olen, sizeof(out));
+
+ if (ret != 0 || olen != kwp_msg_len[i] ||
+ memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" passed\n");
+ }
+ }
+ }
+end:
+ mbedtls_nist_kw_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
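Review bot: The output-size guards in `mbedtls_nist_kw_wrap` add before they compare (`out_size < in_len + KW_SEMIBLOCK_LENGTH`, and the same with `+ padlen` in the KWP branch), so for an `in_len` close to `SIZE_MAX` the sum wraps and the guard passes. Where `size_t` is 32 bits, both `#if SIZE_MAX > ...` upper-bound checks are compiled out, so nothing else rejects such a length before the `memmove`/`memcpy` into `output`. A caller would have to pass a length that no real buffer backs, so this is hardening rather than a bug in normal use. Checking the bound by subtraction first closes it, e.g. in the KWP branch `if (in_len > SIZE_MAX - KW_SEMIBLOCK_LENGTH - padlen || out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen)`, and the same test without `padlen` in the KW branch. Separately, the failure paths in `unwrap` and `mbedtls_nist_kw_unwrap` clear the rejected plaintext in `output` with plain `memset`, while `inbuff`, `outbuff` and `A` use `mbedtls_platform_zeroize`; using the latter there would be consistent.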
diff --git a/tf-psa-crypto/drivers/builtin/src/oid.c b/tf-psa-crypto/drivers/builtin/src/oid.c
new file mode 100644
index 0000000..972a859
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/oid.c
@@ -0,0 +1,1166 @@
+/**
+ * \file oid.c
+ *
+ * \brief Object Identifier (OID) database
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_OID_C)
+
+#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/error.h"
+#include "mbedtls/pk.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
+
+/*
+ * Macro to generate mbedtls_oid_descriptor_t
+ */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s), name, description }
+#define NULL_OID_DESCRIPTOR { NULL, 0, NULL, NULL }
+#else
+#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s) }
+#define NULL_OID_DESCRIPTOR { NULL, 0 }
+#endif
+
+/*
+ * Macro to generate an internal function for oid_XXX_from_asn1() (used by
+ * the other functions)
+ */
+#define FN_OID_TYPED_FROM_ASN1(TYPE_T, NAME, LIST) \
+ static const TYPE_T *oid_ ## NAME ## _from_asn1( \
+ const mbedtls_asn1_buf *oid) \
+ { \
+ const TYPE_T *p = (LIST); \
+ const mbedtls_oid_descriptor_t *cur = \
+ (const mbedtls_oid_descriptor_t *) p; \
+ if (p == NULL || oid == NULL) return NULL; \
+ while (cur->asn1 != NULL) { \
+ if (cur->asn1_len == oid->len && \
+ memcmp(cur->asn1, oid->p, oid->len) == 0) { \
+ return p; \
+ } \
+ p++; \
+ cur = (const mbedtls_oid_descriptor_t *) p; \
+ } \
+ return NULL; \
+ }
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+/*
+ * Macro to generate a function for retrieving a single attribute from the
+ * descriptor of an mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *ATTR1 = data->descriptor.ATTR1; \
+ return 0; \
+ }
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * Macro to generate a function for retrieving a single attribute from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *ATTR1 = data->ATTR1; \
+ return 0; \
+ }
+
+/*
+ * Macro to generate a function for retrieving two attributes from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1, \
+ ATTR2_TYPE, ATTR2) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, \
+ ATTR2_TYPE * ATTR2) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *(ATTR1) = data->ATTR1; \
+ *(ATTR2) = data->ATTR2; \
+ return 0; \
+ }
+
+/*
+ * Macro to generate a function for retrieving the OID based on a single
+ * attribute from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(ATTR1_TYPE ATTR1, const char **oid, size_t *olen) \
+ { \
+ const TYPE_T *cur = (LIST); \
+ while (cur->descriptor.asn1 != NULL) { \
+ if (cur->ATTR1 == (ATTR1)) { \
+ *oid = cur->descriptor.asn1; \
+ *olen = cur->descriptor.asn1_len; \
+ return 0; \
+ } \
+ cur++; \
+ } \
+ return MBEDTLS_ERR_OID_NOT_FOUND; \
+ }
+
+/*
+ * Macro to generate a function for retrieving the OID based on two
+ * attributes from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1, \
+ ATTR2_TYPE, ATTR2) \
+ int FN_NAME(ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid, \
+ size_t *olen) \
+ { \
+ const TYPE_T *cur = (LIST); \
+ while (cur->descriptor.asn1 != NULL) { \
+ if (cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2)) { \
+ *oid = cur->descriptor.asn1; \
+ *olen = cur->descriptor.asn1_len; \
+ return 0; \
+ } \
+ cur++; \
+ } \
+ return MBEDTLS_ERR_OID_NOT_FOUND; \
+ }
+
+/*
+ * For X520 attribute types
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ const char *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_CN, "id-at-commonName", "Common Name"),
+ "CN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_COUNTRY, "id-at-countryName", "Country"),
+ "C",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_LOCALITY, "id-at-locality", "Locality"),
+ "L",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_STATE, "id-at-state", "State"),
+ "ST",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_ORGANIZATION, "id-at-organizationName",
+ "Organization"),
+ "O",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_ORG_UNIT, "id-at-organizationalUnitName", "Org Unit"),
+ "OU",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS9_EMAIL,
+ "emailAddress",
+ "E-mail address"),
+ "emailAddress",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_SERIAL_NUMBER,
+ "id-at-serialNumber",
+ "Serial number"),
+ "serialNumber",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_ADDRESS,
+ "id-at-postalAddress",
+ "Postal address"),
+ "postalAddress",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_CODE, "id-at-postalCode", "Postal code"),
+ "postalCode",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_SUR_NAME, "id-at-surName", "Surname"),
+ "SN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_GIVEN_NAME, "id-at-givenName", "Given name"),
+ "GN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_INITIALS, "id-at-initials", "Initials"),
+ "initials",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_GENERATION_QUALIFIER,
+ "id-at-generationQualifier",
+ "Generation qualifier"),
+ "generationQualifier",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_TITLE, "id-at-title", "Title"),
+ "title",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_DN_QUALIFIER,
+ "id-at-dnQualifier",
+ "Distinguished Name qualifier"),
+ "dnQualifier",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_PSEUDONYM, "id-at-pseudonym", "Pseudonym"),
+ "pseudonym",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_UID, "id-uid", "User Id"),
+ "uid",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DOMAIN_COMPONENT,
+ "id-domainComponent",
+ "Domain component"),
+ "DC",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_UNIQUE_IDENTIFIER,
+ "id-at-uniqueIdentifier",
+ "Unique Identifier"),
+ "uniqueIdentifier",
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ NULL,
+ }
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
+FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name,
+ oid_x520_attr_t,
+ x520_attr,
+ const char *,
+ short_name)
+
+/*
+ * For X509 extensions
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ int ext_type;
+} oid_x509_ext_t;
+
+static const oid_x509_ext_t oid_x509_ext[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_BASIC_CONSTRAINTS,
+ "id-ce-basicConstraints",
+ "Basic Constraints"),
+ MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_KEY_USAGE, "id-ce-keyUsage", "Key Usage"),
+ MBEDTLS_OID_X509_EXT_KEY_USAGE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EXTENDED_KEY_USAGE,
+ "id-ce-extKeyUsage",
+ "Extended Key Usage"),
+ MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_ALT_NAME,
+ "id-ce-subjectAltName",
+ "Subject Alt Name"),
+ MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_NS_CERT_TYPE,
+ "id-netscape-certtype",
+ "Netscape Certificate Type"),
+ MBEDTLS_OID_X509_EXT_NS_CERT_TYPE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_CERTIFICATE_POLICIES,
+ "id-ce-certificatePolicies",
+ "Certificate Policies"),
+ MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+ "id-ce-subjectKeyIdentifier",
+ "Subject Key Identifier"),
+ MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+ "id-ce-authorityKeyIdentifier",
+ "Authority Key Identifier"),
+ MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ 0,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
+FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
+{
+ OID_DESCRIPTOR(MBEDTLS_OID_SERVER_AUTH,
+ "id-kp-serverAuth",
+ "TLS Web Server Authentication"),
+ OID_DESCRIPTOR(MBEDTLS_OID_CLIENT_AUTH,
+ "id-kp-clientAuth",
+ "TLS Web Client Authentication"),
+ OID_DESCRIPTOR(MBEDTLS_OID_CODE_SIGNING, "id-kp-codeSigning", "Code Signing"),
+ OID_DESCRIPTOR(MBEDTLS_OID_EMAIL_PROTECTION, "id-kp-emailProtection", "E-mail Protection"),
+ OID_DESCRIPTOR(MBEDTLS_OID_TIME_STAMPING, "id-kp-timeStamping", "Time Stamping"),
+ OID_DESCRIPTOR(MBEDTLS_OID_OCSP_SIGNING, "id-kp-OCSPSigning", "OCSP Signing"),
+ OID_DESCRIPTOR(MBEDTLS_OID_WISUN_FAN,
+ "id-kp-wisun-fan-device",
+ "Wi-SUN Alliance Field Area Network (FAN)"),
+ NULL_OID_DESCRIPTOR,
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
+FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage,
+ mbedtls_oid_descriptor_t,
+ ext_key_usage,
+ const char *,
+ description)
+
+static const mbedtls_oid_descriptor_t oid_certificate_policies[] =
+{
+ OID_DESCRIPTOR(MBEDTLS_OID_ANY_POLICY, "anyPolicy", "Any Policy"),
+ NULL_OID_DESCRIPTOR,
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certificate_policies)
+FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies,
+ mbedtls_oid_descriptor_t,
+ certificate_policies,
+ const char *,
+ description)
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * For SignatureAlgorithmIdentifier
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+ mbedtls_pk_type_t pk_alg;
+} oid_sig_alg_t;
+
+static const oid_sig_alg_t oid_sig_alg[] =
+{
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_MD_CAN_MD5)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"),
+ MBEDTLS_MD_MD5, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_MD5 */
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(PSA_WANT_ALG_SHA_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption",
+ "RSA with SHA-224"),
+ MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA,
+ },
+#endif /* PSA_WANT_ALG_SHA_224 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption",
+ "RSA with SHA-256"),
+ MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(PSA_WANT_ALG_SHA_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption",
+ "RSA with SHA-384"),
+ MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA,
+ },
+#endif /* PSA_WANT_ALG_SHA_384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption",
+ "RSA with SHA-512"),
+ MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(PSA_WANT_ALG_SHA_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224"),
+ MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256"),
+ MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(PSA_WANT_ALG_SHA_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384"),
+ MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA,
+ },
+#endif /* PSA_WANT_ALG_SHA_384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512"),
+ MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+#if defined(MBEDTLS_RSA_C)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"),
+ MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS,
+ },
+#endif /* MBEDTLS_RSA_C */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc,
+ oid_sig_alg_t,
+ sig_alg,
+ const char *,
+ description)
+#endif
+
+FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg,
+ oid_sig_alg_t,
+ sig_alg,
+ mbedtls_md_type_t,
+ md_alg,
+ mbedtls_pk_type_t,
+ pk_alg)
+FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg,
+ oid_sig_alg_t,
+ oid_sig_alg,
+ mbedtls_pk_type_t,
+ pk_alg,
+ mbedtls_md_type_t,
+ md_alg)
+
+/*
+ * For PublicKeyInfo (PKCS1, RFC 5480)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_pk_type_t pk_alg;
+} oid_pk_alg_t;
+
+static const oid_pk_alg_t oid_pk_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_RSA, "rsaEncryption", "RSA"),
+ MBEDTLS_PK_RSA,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_UNRESTRICTED, "id-ecPublicKey", "Generic EC key"),
+ MBEDTLS_PK_ECKEY,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_ECDH, "id-ecDH", "EC key for ECDH"),
+ MBEDTLS_PK_ECKEY_DH,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_PK_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg,
+ oid_pk_alg_t,
+ oid_pk_alg,
+ mbedtls_pk_type_t,
+ pk_alg)
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * For elliptic curves that use namedCurve inside ECParams (RFC 5480)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_ecp_group_id grp_id;
+} oid_ecp_grp_t;
+
+static const oid_ecp_grp_t oid_ecp_grp[] =
+{
+#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192R1, "secp192r1", "secp192r1"),
+ MBEDTLS_ECP_DP_SECP192R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP192R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224R1, "secp224r1", "secp224r1"),
+ MBEDTLS_ECP_DP_SECP224R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP224R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256R1, "secp256r1", "secp256r1"),
+ MBEDTLS_ECP_DP_SECP256R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP256R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP384R1, "secp384r1", "secp384r1"),
+ MBEDTLS_ECP_DP_SECP384R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP384R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP521R1, "secp521r1", "secp521r1"),
+ MBEDTLS_ECP_DP_SECP521R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP521R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192K1, "secp192k1", "secp192k1"),
+ MBEDTLS_ECP_DP_SECP192K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP192K1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224K1, "secp224k1", "secp224k1"),
+ MBEDTLS_ECP_DP_SECP224K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP224K1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256K1, "secp256k1", "secp256k1"),
+ MBEDTLS_ECP_DP_SECP256K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP256K1 */
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP256R1, "brainpoolP256r1", "brainpool256r1"),
+ MBEDTLS_ECP_DP_BP256R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP256R1 */
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP384R1, "brainpoolP384r1", "brainpool384r1"),
+ MBEDTLS_ECP_DP_BP384R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP384R1 */
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP512R1, "brainpoolP512r1", "brainpool512r1"),
+ MBEDTLS_ECP_DP_BP512R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP512R1 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_ECP_DP_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp,
+ oid_ecp_grp_t,
+ oid_ecp_grp,
+ mbedtls_ecp_group_id,
+ grp_id)
+
+/*
+ * For Elliptic Curve algorithms that are directly
+ * encoded in the AlgorithmIdentifier (RFC 8410)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_ecp_group_id grp_id;
+} oid_ecp_grp_algid_t;
+
+static const oid_ecp_grp_algid_t oid_ecp_grp_algid[] =
+{
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_X25519, "X25519", "X25519"),
+ MBEDTLS_ECP_DP_CURVE25519,
+ },
+#endif /* MBEDTLS_ECP_HAVE_CURVE25519 */
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_X448, "X448", "X448"),
+ MBEDTLS_ECP_DP_CURVE448,
+ },
+#endif /* MBEDTLS_ECP_HAVE_CURVE448 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_ECP_DP_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_algid_t, grp_id_algid, oid_ecp_grp_algid)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp_algid,
+ oid_ecp_grp_algid_t,
+ grp_id_algid,
+ mbedtls_ecp_group_id,
+ grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp_algid,
+ oid_ecp_grp_algid_t,
+ oid_ecp_grp_algid,
+ mbedtls_ecp_group_id,
+ grp_id)
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_cipher_type_t cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DES_CBC, "desCBC", "DES-CBC"),
+ MBEDTLS_CIPHER_DES_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC"),
+ MBEDTLS_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_128_CBC, "aes128-cbc", "AES128-CBC"),
+ MBEDTLS_CIPHER_AES_128_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_192_CBC, "aes192-cbc", "AES192-CBC"),
+ MBEDTLS_CIPHER_AES_192_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_256_CBC, "aes256-cbc", "AES256-CBC"),
+ MBEDTLS_CIPHER_AES_256_CBC,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_CIPHER_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg,
+ oid_cipher_alg_t,
+ cipher_alg,
+ mbedtls_cipher_type_t,
+ cipher_alg)
+#endif /* MBEDTLS_CIPHER_C */
+
+/*
+ * For digestAlgorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+} oid_md_alg_t;
+
+static const oid_md_alg_t oid_md_alg[] =
+{
+#if defined(MBEDTLS_MD_CAN_MD5)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_MD5, "id-md5", "MD5"),
+ MBEDTLS_MD_MD5,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1"),
+ MBEDTLS_MD_SHA1,
+ },
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224"),
+ MBEDTLS_MD_SHA224,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256"),
+ MBEDTLS_MD_SHA256,
+ },
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384"),
+ MBEDTLS_MD_SHA384,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512"),
+ MBEDTLS_MD_SHA512,
+ },
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160"),
+ MBEDTLS_MD_RIPEMD160,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_224, "id-sha3-224", "SHA-3-224"),
+ MBEDTLS_MD_SHA3_224,
+ },
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_256, "id-sha3-256", "SHA-3-256"),
+ MBEDTLS_MD_SHA3_256,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_384, "id-sha3-384", "SHA-3-384"),
+ MBEDTLS_MD_SHA3_384,
+ },
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_512, "id-sha3-512", "SHA-3-512"),
+ MBEDTLS_MD_SHA3_512,
+ },
+#endif
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md,
+ oid_md_alg_t,
+ oid_md_alg,
+ mbedtls_md_type_t,
+ md_alg)
+
+/*
+ * For HMAC digestAlgorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_hmac;
+} oid_md_hmac_t;
+
+static const oid_md_hmac_t oid_md_hmac[] =
+{
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA1, "hmacSHA1", "HMAC-SHA-1"),
+ MBEDTLS_MD_SHA1,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(PSA_WANT_ALG_SHA_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224"),
+ MBEDTLS_MD_SHA224,
+ },
+#endif /* PSA_WANT_ALG_SHA_224 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256"),
+ MBEDTLS_MD_SHA256,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(PSA_WANT_ALG_SHA_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA384, "hmacSHA384", "HMAC-SHA-384"),
+ MBEDTLS_MD_SHA384,
+ },
+#endif /* PSA_WANT_ALG_SHA_384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA512, "hmacSHA512", "HMAC-SHA-512"),
+ MBEDTLS_MD_SHA512,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_224, "hmacSHA3-224", "HMAC-SHA3-224"),
+ MBEDTLS_MD_SHA3_224,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_224 */
+#if defined(PSA_WANT_ALG_SHA3_256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_256, "hmacSHA3-256", "HMAC-SHA3-256"),
+ MBEDTLS_MD_SHA3_256,
+ },
+#endif /* PSA_WANT_ALG_SHA3_256 */
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_384, "hmacSHA3-384", "HMAC-SHA3-384"),
+ MBEDTLS_MD_SHA3_384,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_384 */
+#if defined(PSA_WANT_ALG_SHA3_512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_512, "hmacSHA3-512", "HMAC-SHA3-512"),
+ MBEDTLS_MD_SHA3_512,
+ },
+#endif /* PSA_WANT_ALG_SHA3_512 */
+#if defined(PSA_WANT_ALG_RIPEMD160)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_RIPEMD160, "hmacRIPEMD160", "HMAC-RIPEMD160"),
+ MBEDTLS_MD_RIPEMD160,
+ },
+#endif /* PSA_WANT_ALG_RIPEMD160 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
+
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+ mbedtls_cipher_type_t cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC,
+ "pbeWithSHAAnd3-KeyTripleDES-CBC",
+ "PBE with SHA1 and 3-Key 3DES"),
+ MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC,
+ "pbeWithSHAAnd2-KeyTripleDES-CBC",
+ "PBE with SHA1 and 2-Key 3DES"),
+ MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE_CBC,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
+FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg,
+ oid_pkcs12_pbe_alg_t,
+ pkcs12_pbe_alg,
+ mbedtls_md_type_t,
+ md_alg,
+ mbedtls_cipher_type_t,
+ cipher_alg)
+#endif /* MBEDTLS_PKCS12_C && MBEDTLS_CIPHER_C */
+
+/* Return the x.y.z.... style numeric string for the given OID */
+int mbedtls_oid_get_numeric_string(char *buf, size_t size,
+ const mbedtls_asn1_buf *oid)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ char *p = buf;
+ size_t n = size;
+ unsigned int value = 0;
+
+ if (size > INT_MAX) {
+ /* Avoid overflow computing return value */
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ if (oid->len <= 0) {
+ /* OID must not be empty */
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ for (size_t i = 0; i < oid->len; i++) {
+ /* Prevent overflow in value. */
+ if (value > (UINT_MAX >> 7)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ if ((value == 0) && ((oid->p[i]) == 0x80)) {
+ /* Overlong encoding is not allowed */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ value <<= 7;
+ value |= oid->p[i] & 0x7F;
+
+ if (!(oid->p[i] & 0x80)) {
+ /* Last byte */
+ if (n == size) {
+ int component1;
+ unsigned int component2;
+ /* First subidentifier contains first two OID components */
+ if (value >= 80) {
+ component1 = '2';
+ component2 = value - 80;
+ } else if (value >= 40) {
+ component1 = '1';
+ component2 = value - 40;
+ } else {
+ component1 = '0';
+ component2 = value;
+ }
+ ret = mbedtls_snprintf(p, n, "%c.%u", component1, component2);
+ } else {
+ ret = mbedtls_snprintf(p, n, ".%u", value);
+ }
+ if (ret < 2 || (size_t) ret >= n) {
+ return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ }
+ n -= (size_t) ret;
+ p += ret;
+ value = 0;
+ }
+ }
+
+ if (value != 0) {
+ /* Unterminated subidentifier */
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ return (int) (size - n);
+}
+
+static int oid_parse_number(unsigned int *num, const char **p, const char *bound)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+
+ *num = 0;
+
+ while (*p < bound && **p >= '0' && **p <= '9') {
+ ret = 0;
+ if (*num > (UINT_MAX / 10)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ *num *= 10;
+ *num += **p - '0';
+ (*p)++;
+ }
+ return ret;
+}
+
+static size_t oid_subidentifier_num_bytes(unsigned int value)
+{
+ size_t num_bytes = 0;
+
+ do {
+ value >>= 7;
+ num_bytes++;
+ } while (value != 0);
+
+ return num_bytes;
+}
+
+static int oid_subidentifier_encode_into(unsigned char **p,
+ unsigned char *bound,
+ unsigned int value)
+{
+ size_t num_bytes = oid_subidentifier_num_bytes(value);
+
+ if ((size_t) (bound - *p) < num_bytes) {
+ return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ }
+ (*p)[num_bytes - 1] = (unsigned char) (value & 0x7f);
+ value >>= 7;
+
+ for (size_t i = 2; i <= num_bytes; i++) {
+ (*p)[num_bytes - i] = 0x80 | (unsigned char) (value & 0x7f);
+ value >>= 7;
+ }
+ *p += num_bytes;
+
+ return 0;
+}
+
+/* Return the OID for the given x.y.z.... style numeric string */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid,
+ const char *oid_str, size_t size)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ const char *str_ptr = oid_str;
+ const char *str_bound = oid_str + size;
+ unsigned int val = 0;
+ unsigned int component1, component2;
+ size_t encoded_len;
+ unsigned char *resized_mem;
+
+ /* Count the number of dots to get a worst-case allocation size. */
+ size_t num_dots = 0;
+ for (size_t i = 0; i < size; i++) {
+ if (oid_str[i] == '.') {
+ num_dots++;
+ }
+ }
+ /* Allocate maximum possible required memory:
+ * There are (num_dots + 1) integer components, but the first 2 share the
+ * same subidentifier, so we only need num_dots subidentifiers maximum. */
+ if (num_dots == 0 || (num_dots > MBEDTLS_OID_MAX_COMPONENTS - 1)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ /* Each byte can store 7 bits, calculate number of bytes for a
+ * subidentifier:
+ *
+ * bytes = ceil(subidentifer_size * 8 / 7)
+ */
+ size_t bytes_per_subidentifier = (((sizeof(unsigned int) * 8) - 1) / 7)
+ + 1;
+ size_t max_possible_bytes = num_dots * bytes_per_subidentifier;
+ oid->p = mbedtls_calloc(max_possible_bytes, 1);
+ if (oid->p == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+ unsigned char *out_ptr = oid->p;
+ unsigned char *out_bound = oid->p + max_possible_bytes;
+
+ ret = oid_parse_number(&component1, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (component1 > 2) {
+ /* First component can't be > 2 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr >= str_bound || *str_ptr != '.') {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ str_ptr++;
+
+ ret = oid_parse_number(&component2, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if ((component1 < 2) && (component2 > 39)) {
+ /* Root nodes 0 and 1 may have up to 40 children, numbered 0-39 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ if (component2 > (UINT_MAX - (component1 * 40))) {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound,
+ (component1 * 40) + component2);
+ if (ret != 0) {
+ goto error;
+ }
+
+ while (str_ptr < str_bound) {
+ ret = oid_parse_number(&val, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound, val);
+ if (ret != 0) {
+ goto error;
+ }
+ }
+
+ encoded_len = (size_t) (out_ptr - oid->p);
+ resized_mem = mbedtls_calloc(encoded_len, 1);
+ if (resized_mem == NULL) {
+ ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ goto error;
+ }
+ memcpy(resized_mem, oid->p, encoded_len);
+ mbedtls_free(oid->p);
+ oid->p = resized_mem;
+ oid->len = encoded_len;
+
+ oid->tag = MBEDTLS_ASN1_OID;
+
+ return 0;
+
+error:
+ mbedtls_free(oid->p);
+ oid->p = NULL;
+ oid->len = 0;
+ return ret;
+}
+
+#endif /* MBEDTLS_OID_C */
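Review bot: `mbedtls_oid_from_numeric_string` accepts input that ends in a separator, so `"1.2."` and `"1.2.3."` parse successfully and produce the same encoding as `"1.2"` and `"1.2.3"`. Both places that consume a `.` (after the second component, and inside the `while (str_ptr < str_bound)` loop) advance `str_ptr` without checking that anything follows, and the loop then exits because the bound was reached. If only well-formed dotted strings are meant to be accepted, add `if (str_ptr == str_bound) { ret = MBEDTLS_ERR_ASN1_INVALID_DATA; goto error; }` after each of those two `str_ptr++` statements, so that two different strings cannot name one OID where the textual form is compared or logged. The one-line comment above the function could also state that on success `oid->p` points to memory obtained from `mbedtls_calloc`, which the caller presumably has to release with `mbedtls_free`.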
diff --git a/tf-psa-crypto/drivers/builtin/src/pem.c b/tf-psa-crypto/drivers/builtin/src/pem.c
new file mode 100644
index 0000000..0207601
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pem.c
@@ -0,0 +1,551 @@
+/*
+ * Privacy Enhanced Mail (PEM) decoding
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+
+#include "mbedtls/pem.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5) && \
+ defined(MBEDTLS_CIPHER_MODE_CBC) && \
+ (defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C))
+#define PEM_RFC1421
+#endif /* MBEDTLS_MD_CAN_MD5 &&
+ MBEDTLS_CIPHER_MODE_CBC &&
+ ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+void mbedtls_pem_init(mbedtls_pem_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_pem_context));
+}
+
+#if defined(PEM_RFC1421)
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv(const unsigned char *s, unsigned char *iv,
+ size_t iv_len)
+{
+ size_t i, j, k;
+
+ memset(iv, 0, iv_len);
+
+ for (i = 0; i < iv_len * 2; i++, s++) {
+ if (*s >= '0' && *s <= '9') {
+ j = *s - '0';
+ } else
+ if (*s >= 'A' && *s <= 'F') {
+ j = *s - '7';
+ } else
+ if (*s >= 'a' && *s <= 'f') {
+ j = *s - 'W';
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ k = ((i & 1) != 0) ? j : j << 4;
+
+ iv[i >> 1] = (unsigned char) (iv[i >> 1] | k);
+ }
+
+ return 0;
+}
+
+static int pem_pbkdf1(unsigned char *key, size_t keylen,
+ unsigned char *iv,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_md_context_t md5_ctx;
+ const mbedtls_md_info_t *md5_info;
+ unsigned char md5sum[16];
+ size_t use_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init(&md5_ctx);
+
+ /* Prepare the context. (setup() errors gracefully on NULL info.) */
+ md5_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
+ if ((ret = mbedtls_md_setup(&md5_ctx, md5_info, 0)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * key[ 0..15] = MD5(pwd || IV)
+ */
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
+ goto exit;
+ }
+
+ if (keylen <= 16) {
+ memcpy(key, md5sum, keylen);
+ goto exit;
+ }
+
+ memcpy(key, md5sum, 16);
+
+ /*
+ * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+ */
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, md5sum, 16)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
+ goto exit;
+ }
+
+ use_len = 16;
+ if (keylen < 32) {
+ use_len = keylen - 16;
+ }
+
+ memcpy(key + 16, md5sum, use_len);
+
+exit:
+ mbedtls_md_free(&md5_ctx);
+ mbedtls_platform_zeroize(md5sum, 16);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des_decrypt(unsigned char des_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_des_context des_ctx;
+ unsigned char des_key[8];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_des_init(&des_ctx);
+
+ if ((ret = pem_pbkdf1(des_key, 8, des_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_des_setkey_dec(&des_ctx, des_key)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_des_crypt_cbc(&des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ des_iv, buf, buf);
+
+exit:
+ mbedtls_des_free(&des_ctx);
+ mbedtls_platform_zeroize(des_key, 8);
+
+ return ret;
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des3_decrypt(unsigned char des3_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_des3_context des3_ctx;
+ unsigned char des3_key[24];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_des3_init(&des3_ctx);
+
+ if ((ret = pem_pbkdf1(des3_key, 24, des3_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_des3_set3key_dec(&des3_ctx, des3_key)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_des3_crypt_cbc(&des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ des3_iv, buf, buf);
+
+exit:
+ mbedtls_des3_free(&des3_ctx);
+ mbedtls_platform_zeroize(des3_key, 24);
+
+ return ret;
+}
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static int pem_aes_decrypt(unsigned char aes_iv[16], unsigned int keylen,
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_aes_context aes_ctx;
+ unsigned char aes_key[32];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_aes_init(&aes_ctx);
+
+ if ((ret = pem_pbkdf1(aes_key, keylen, aes_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_aes_setkey_dec(&aes_ctx, aes_key, keylen * 8)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+ aes_iv, buf, buf);
+
+exit:
+ mbedtls_aes_free(&aes_ctx);
+ mbedtls_platform_zeroize(aes_key, keylen);
+
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C)
+static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
+{
+ /* input_len > 0 is guaranteed by mbedtls_pem_read_buffer(). */
+ size_t pad_len = input[input_len - 1];
+ size_t i;
+
+ if (pad_len > input_len) {
+ return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH;
+ }
+
+ *data_len = input_len - pad_len;
+
+ for (i = *data_len; i < input_len; i++) {
+ if (input[i] != pad_len) {
+ return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_DES_C || MBEDTLS_AES_C */
+
+#endif /* PEM_RFC1421 */
+
+int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
+ const unsigned char *data, const unsigned char *pwd,
+ size_t pwdlen, size_t *use_len)
+{
+ int ret, enc;
+ size_t len;
+ unsigned char *buf;
+ const unsigned char *s1, *s2, *end;
+#if defined(PEM_RFC1421)
+ unsigned char pem_iv[16];
+ mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
+#else
+ ((void) pwd);
+ ((void) pwdlen);
+#endif /* PEM_RFC1421 */
+
+ if (ctx == NULL) {
+ return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+ }
+
+ s1 = (unsigned char *) strstr((const char *) data, header);
+
+ if (s1 == NULL) {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ s2 = (unsigned char *) strstr((const char *) data, footer);
+
+ if (s2 == NULL || s2 <= s1) {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ s1 += strlen(header);
+ if (*s1 == ' ') {
+ s1++;
+ }
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ end = s2;
+ end += strlen(footer);
+ if (*end == ' ') {
+ end++;
+ }
+ if (*end == '\r') {
+ end++;
+ }
+ if (*end == '\n') {
+ end++;
+ }
+ *use_len = (size_t) (end - data);
+
+ enc = 0;
+
+ if (s2 - s1 >= 22 && memcmp(s1, "Proc-Type: 4,ENCRYPTED", 22) == 0) {
+#if defined(PEM_RFC1421)
+ enc++;
+
+ s1 += 22;
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+
+
+#if defined(MBEDTLS_DES_C)
+ if (s2 - s1 >= 23 && memcmp(s1, "DEK-Info: DES-EDE3-CBC,", 23) == 0) {
+ enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
+
+ s1 += 23;
+ if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 16;
+ } else if (s2 - s1 >= 18 && memcmp(s1, "DEK-Info: DES-CBC,", 18) == 0) {
+ enc_alg = MBEDTLS_CIPHER_DES_CBC;
+
+ s1 += 18;
+ if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 16;
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if (s2 - s1 >= 14 && memcmp(s1, "DEK-Info: AES-", 14) == 0) {
+ if (s2 - s1 < 22) {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ } else if (memcmp(s1, "DEK-Info: AES-128-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
+ } else if (memcmp(s1, "DEK-Info: AES-192-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
+ } else if (memcmp(s1, "DEK-Info: AES-256-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
+ } else {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ }
+
+ s1 += 22;
+ if (s2 - s1 < 32 || pem_get_iv(s1, pem_iv, 16) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 32;
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (enc_alg == MBEDTLS_CIPHER_NONE) {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ }
+
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+#else
+ return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
+#endif /* PEM_RFC1421 */
+ }
+
+ if (s1 >= s2) {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+
+ ret = mbedtls_base64_decode(NULL, 0, &len, s1, (size_t) (s2 - s1));
+
+ if (ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
+ }
+
+ if (len == 0) {
+ return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+ }
+
+ if ((buf = mbedtls_calloc(1, len)) == NULL) {
+ return MBEDTLS_ERR_PEM_ALLOC_FAILED;
+ }
+
+ if ((ret = mbedtls_base64_decode(buf, len, &len, s1, (size_t) (s2 - s1))) != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
+ }
+
+ if (enc != 0) {
+#if defined(PEM_RFC1421)
+ if (pwd == NULL) {
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERR_PEM_PASSWORD_REQUIRED;
+ }
+
+ ret = 0;
+
+#if defined(MBEDTLS_DES_C)
+ if (enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC) {
+ ret = pem_des3_decrypt(pem_iv, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_DES_CBC) {
+ ret = pem_des_decrypt(pem_iv, buf, len, pwd, pwdlen);
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if (enc_alg == MBEDTLS_CIPHER_AES_128_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 16, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_AES_192_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 24, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_AES_256_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 32, buf, len, pwd, pwdlen);
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (ret != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return ret;
+ }
+
+ /* Check PKCS padding and update data length based on padding info.
+ * This can be used to detect invalid padding data and password
+ * mismatches. */
+ size_t unpadded_len;
+ ret = pem_check_pkcs_padding(buf, len, &unpadded_len);
+ if (ret != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return ret;
+ }
+ len = unpadded_len;
+#else
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
+#endif /* PEM_RFC1421 */
+ }
+
+ ctx->buf = buf;
+ ctx->buflen = len;
+
+ return 0;
+}
+
+void mbedtls_pem_free(mbedtls_pem_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ if (ctx->buf != NULL) {
+ mbedtls_zeroize_and_free(ctx->buf, ctx->buflen);
+ }
+ mbedtls_free(ctx->info);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pem_context));
+}
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_pem_write_buffer(const char *header, const char *footer,
+ const unsigned char *der_data, size_t der_len,
+ unsigned char *buf, size_t buf_len, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *encode_buf = NULL, *c, *p = buf;
+ size_t len = 0, use_len, add_len = 0;
+
+ mbedtls_base64_encode(NULL, 0, &use_len, der_data, der_len);
+ add_len = strlen(header) + strlen(footer) + (((use_len > 2) ? (use_len - 2) : 0) / 64) + 1;
+
+ if (use_len + add_len > buf_len) {
+ *olen = use_len + add_len;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ if (use_len != 0 &&
+ ((encode_buf = mbedtls_calloc(1, use_len)) == NULL)) {
+ return MBEDTLS_ERR_PEM_ALLOC_FAILED;
+ }
+
+ if ((ret = mbedtls_base64_encode(encode_buf, use_len, &use_len, der_data,
+ der_len)) != 0) {
+ mbedtls_free(encode_buf);
+ return ret;
+ }
+
+ memcpy(p, header, strlen(header));
+ p += strlen(header);
+ c = encode_buf;
+
+ while (use_len) {
+ len = (use_len > 64) ? 64 : use_len;
+ memcpy(p, c, len);
+ use_len -= len;
+ p += len;
+ c += len;
+ *p++ = '\n';
+ }
+
+ memcpy(p, footer, strlen(footer));
+ p += strlen(footer);
+
+ *p++ = '\0';
+ *olen = (size_t) (p - buf);
+
+ /* Clean any remaining data previously written to the buffer */
+ memset(buf + *olen, 0, buf_len - *olen);
+
+ mbedtls_free(encode_buf);
+ return 0;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
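Review bot: `pem_check_pkcs_padding` accepts a final byte of 0 as valid padding: `pad_len` is 0, the `pad_len > input_len` test passes, the verification loop runs zero times, and the function returns 0 with `*data_len == input_len`. PKCS padding always has at least one byte, so the guard should read `if (pad_len == 0 || pad_len > input_len) {`; as written, a wrong password whose decryption happens to end in 0x00 is reported as success and the undecrypted garbage is handed to the caller in `ctx->buf`. The function also cannot reject a `pad_len` larger than the cipher block size (8 for DES/3DES, 16 for AES in this file) because it is not given one; passing the block size in from `mbedtls_pem_read_buffer` would tighten the check further. Separately, `encode_buf` in `mbedtls_pem_write_buffer` holds the base64 form of `der_data`, which may be a private key, and is released with plain `mbedtls_free`; it should be zeroized first, as the parse path does with `mbedtls_zeroize_and_free`, using a saved copy of the length because `use_len` is counted down to 0 by the copy loop.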
diff --git a/tf-psa-crypto/drivers/builtin/src/pk.c b/tf-psa-crypto/drivers/builtin/src/pk.c
new file mode 100644
index 0000000..3fe51ea
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pk.c
@@ -0,0 +1,1507 @@
+/*
+ * Public Key abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#include "pk_wrap.h"
+#include "pkwrite.h"
+#include "pk_internal.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#include "rsa_internal.h"
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include "psa_util_internal.h"
+#include "mbedtls/psa_util.h"
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
+ (PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+
+/*
+ * Initialise a mbedtls_pk_context
+ */
+void mbedtls_pk_init(mbedtls_pk_context *ctx)
+{
+ ctx->pk_info = NULL;
+ ctx->pk_ctx = NULL;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
+ ctx->pub_raw_len = 0;
+ ctx->ec_family = 0;
+ ctx->ec_bits = 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+/*
+ * Free (the components of) a mbedtls_pk_context
+ */
+void mbedtls_pk_free(mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->ctx_free_func != NULL)) {
+ ctx->pk_info->ctx_free_func(ctx->pk_ctx);
+ }
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* The ownership of the priv_id key for opaque keys is external of the PK
+ * module. It's the user responsibility to clear it after use. */
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
+ psa_destroy_key(ctx->priv_id);
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx)
+{
+ ctx->pk_info = NULL;
+ ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL ||
+ ctx->pk_info->rs_free_func == NULL) {
+ return;
+ }
+
+ ctx->pk_info->rs_free_func(ctx->rs_ctx);
+
+ ctx->pk_info = NULL;
+ ctx->rs_ctx = NULL;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get pk_info structure from type
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
+{
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ return &mbedtls_rsa_info;
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ return &mbedtls_eckey_info;
+ case MBEDTLS_PK_ECKEY_DH:
+ return &mbedtls_eckeydh_info;
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+ case MBEDTLS_PK_ECDSA:
+ return &mbedtls_ecdsa_info;
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+ /* MBEDTLS_PK_RSA_ALT omitted on purpose */
+ default:
+ return NULL;
+ }
+}
+
+/*
+ * Initialise context
+ */
+int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
+{
+ if (info == NULL || ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((info->ctx_alloc_func != NULL) &&
+ ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Initialise a PSA-wrapping context
+ */
+int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
+ const mbedtls_svc_key_id_t key)
+{
+ const mbedtls_pk_info_t *info = NULL;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t type;
+
+ if (ctx == NULL || ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes)) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ type = psa_get_key_type(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
+ info = &mbedtls_ecdsa_opaque_info;
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ info = &mbedtls_rsa_opaque_info;
+ } else {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ ctx->pk_info = info;
+ ctx->priv_id = key;
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Initialize an RSA-alt context
+ */
+int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
+ mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+ mbedtls_pk_rsa_alt_sign_func sign_func,
+ mbedtls_pk_rsa_alt_key_len_func key_len_func)
+{
+ mbedtls_rsa_alt_context *rsa_alt;
+ const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
+
+ if (ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
+
+ rsa_alt->key = key;
+ rsa_alt->decrypt_func = decrypt_func;
+ rsa_alt->sign_func = sign_func;
+ rsa_alt->key_len_func = key_len_func;
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/*
+ * Tell if a PK can do the operations of the given type
+ */
+int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
+{
+ /* A context with null pk_info is not set up yet and can't do anything.
+ * For backward compatibility, also accept NULL instead of a context
+ * pointer. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ return ctx->pk_info->can_do(type);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Tell if a PK can do the operations of the given PSA algorithm
+ */
+int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
+ psa_key_usage_t usage)
+{
+ psa_key_usage_t key_usage;
+
+ /* A context with null pk_info is not set up yet and can't do anything.
+ * For backward compatibility, also accept NULL instead of a context
+ * pointer. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ /* Filter out non allowed algorithms */
+ if (PSA_ALG_IS_ECDSA(alg) == 0 &&
+ PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) == 0 &&
+ PSA_ALG_IS_RSA_PSS(alg) == 0 &&
+ alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
+ PSA_ALG_IS_ECDH(alg) == 0) {
+ return 0;
+ }
+
+ /* Filter out non allowed usage flags */
+ if (usage == 0 ||
+ (usage & ~(PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_DECRYPT |
+ PSA_KEY_USAGE_DERIVE)) != 0) {
+ return 0;
+ }
+
+ /* Wildcard hash is not allowed */
+ if (PSA_ALG_IS_SIGN_HASH(alg) &&
+ PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH) {
+ return 0;
+ }
+
+ if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_OPAQUE) {
+ mbedtls_pk_type_t type;
+
+ if (PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_ECDH(alg)) {
+ type = MBEDTLS_PK_ECKEY;
+ } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ type = MBEDTLS_PK_RSA;
+ } else if (PSA_ALG_IS_RSA_PSS(alg)) {
+ type = MBEDTLS_PK_RSASSA_PSS;
+ } else {
+ return 0;
+ }
+
+ if (ctx->pk_info->can_do(type) == 0) {
+ return 0;
+ }
+
+ switch (type) {
+ case MBEDTLS_PK_ECKEY:
+ key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
+ break;
+ case MBEDTLS_PK_RSA:
+ case MBEDTLS_PK_RSASSA_PSS:
+ key_usage = PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_DECRYPT;
+ break;
+ default:
+ /* Should never happen */
+ return 0;
+ }
+
+ return (key_usage & usage) == usage;
+ }
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ status = psa_get_key_attributes(ctx->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return 0;
+ }
+
+ psa_algorithm_t key_alg = psa_get_key_algorithm(&attributes);
+ /* Key's enrollment is available only when an Mbed TLS implementation of PSA
+ * Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Even though we don't officially support using other implementations of PSA
+ * Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
+ * separated. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_algorithm_t key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ key_usage = psa_get_key_usage_flags(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if ((key_usage & usage) != usage) {
+ return 0;
+ }
+
+ /*
+ * Common case: the key alg [or alg2] only allows alg.
+ * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
+ * directly.
+ * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
+ * a fixed hash on key_alg [or key_alg2].
+ */
+ if (alg == key_alg) {
+ return 1;
+ }
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ if (alg == key_alg2) {
+ return 1;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+ /*
+ * If key_alg [or key_alg2] is a hash-and-sign with a wildcard for the hash,
+ * and alg is the same hash-and-sign family with any hash,
+ * then alg is compliant with this key alg
+ */
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
+ PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
+ (alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
+ return 1;
+ }
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
+ PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
+ (alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
+ return 1;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if defined(MBEDTLS_RSA_C)
+static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa,
+ int want_crypt)
+{
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ if (want_crypt) {
+ mbedtls_md_type_t md_type = (mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa);
+ return PSA_ALG_RSA_OAEP(mbedtls_md_psa_alg_from_type(md_type));
+ } else {
+ return PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH);
+ }
+ } else {
+ if (want_crypt) {
+ return PSA_ALG_RSA_PKCS1V15_CRYPT;
+ } else {
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH);
+ }
+ }
+}
+#endif /* MBEDTLS_RSA_C */
+
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_t usage,
+ psa_key_attributes_t *attributes)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+ psa_key_usage_t more_usage = usage;
+ if (usage == PSA_KEY_USAGE_SIGN_MESSAGE) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ } else if (usage == PSA_KEY_USAGE_SIGN_HASH) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_HASH;
+ } else if (usage == PSA_KEY_USAGE_DECRYPT) {
+ more_usage |= PSA_KEY_USAGE_ENCRYPT;
+ }
+ more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+
+ int want_private = !(usage == PSA_KEY_USAGE_VERIFY_MESSAGE ||
+ usage == PSA_KEY_USAGE_VERIFY_HASH ||
+ usage == PSA_KEY_USAGE_ENCRYPT);
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ int want_crypt = 0; /* 0: sign/verify; 1: encrypt/decrypt */
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ /* Nothing to do. */
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ want_crypt = 1;
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ /* Detect the presence of a private key in a way that works both
+ * in CRT and non-CRT configurations. */
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ int has_private = (mbedtls_rsa_check_privkey(rsa) == 0);
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_RSA_KEY_PAIR :
+ PSA_KEY_TYPE_RSA_PUBLIC_KEY));
+ psa_set_key_bits(attributes, mbedtls_pk_get_bitlen(pk));
+ psa_set_key_algorithm(attributes,
+ psa_algorithm_for_rsa(rsa, want_crypt));
+ break;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH);
+ int derive_ok = (pk_type != MBEDTLS_PK_ECDSA);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t family = pk->ec_family;
+ size_t bits = pk->ec_bits;
+ int has_private = 0;
+ if (pk->priv_id != MBEDTLS_SVC_KEY_ID_INIT) {
+ has_private = 1;
+ }
+#else
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ int has_private = (ec->d.n != 0);
+ size_t bits = 0;
+ psa_ecc_family_t family =
+ mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
+#endif
+ psa_algorithm_t alg = 0;
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!sign_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH);
+#else
+ alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+#endif
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ alg = PSA_ALG_ECDH;
+ if (!derive_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_ECC_KEY_PAIR(family) :
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(family)));
+ psa_set_key_bits(attributes, bits);
+ psa_set_key_algorithm(attributes, alg);
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ case MBEDTLS_PK_RSA_ALT:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ {
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ status = psa_get_key_attributes(pk->priv_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type) ||
+ old_type == PSA_KEY_TYPE_RSA_KEY_PAIR)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ if (old_type != PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type))) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_key_type_t new_type = old_type;
+ /* Opaque keys are always key pairs, so we don't need a check
+ * on the input if the required usage is private. We just need
+ * to adjust the type correctly if the required usage is public. */
+ if (!want_private) {
+ new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type);
+ }
+ more_usage = psa_get_key_usage_flags(&old_attributes);
+ if ((usage & more_usage) == 0) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, new_type);
+ psa_set_key_bits(attributes, psa_get_key_bits(&old_attributes));
+ psa_set_key_algorithm(attributes, psa_get_key_algorithm(&old_attributes));
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(attributes, more_usage);
+ /* Key's enrollment is available only when an Mbed TLS implementation of PSA
+ * Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Even though we don't officially support using other implementations of PSA
+ * Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
+ * separated. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE);
+#endif
+
+ return 0;
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) || defined(MBEDTLS_USE_PSA_CRYPTO)
+static psa_status_t export_import_into_psa(mbedtls_svc_key_id_t old_key_id,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *new_key_id)
+{
+ unsigned char key_buffer[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
+ size_t key_length = 0;
+ psa_status_t status = psa_export_key(old_key_id,
+ key_buffer, sizeof(key_buffer),
+ &key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_import_key(attributes, key_buffer, key_length, new_key_id);
+ mbedtls_platform_zeroize(key_buffer, key_length);
+ return status;
+}
+
+static int copy_into_psa(mbedtls_svc_key_id_t old_key_id,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *new_key_id)
+{
+ /* Normally, we prefer copying: it's more efficient and works even
+ * for non-exportable keys. */
+ psa_status_t status = psa_copy_key(old_key_id, attributes, new_key_id);
+ if (status == PSA_ERROR_NOT_PERMITTED /*missing COPY usage*/ ||
+ status == PSA_ERROR_INVALID_ARGUMENT /*incompatible policy*/) {
+ /* There are edge cases where copying won't work, but export+import
+ * might:
+ * - If the old key does not allow PSA_KEY_USAGE_COPY.
+ * - If the old key's usage does not allow what attributes wants.
+ * Because the key was intended for use in the pk module, and may
+ * have had a policy chosen solely for what pk needs rather than
+ * based on a detailed understanding of PSA policies, we are a bit
+ * more liberal than psa_copy_key() here.
+ */
+ /* Here we need to check that the types match, otherwise we risk
+ * importing nonsensical data. */
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ status = psa_get_key_attributes(old_key_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ psa_reset_key_attributes(&old_attributes);
+ if (old_type != psa_get_key_type(attributes)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ status = export_import_into_psa(old_key_id, attributes, new_key_id);
+ }
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_USE_PSA_CRYPTO */
+
+static int import_pair_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ switch (mbedtls_pk_get_type(pk)) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ if (psa_get_key_type(attributes) != PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char key_buffer[
+ PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)];
+ unsigned char *const key_end = key_buffer + sizeof(key_buffer);
+ unsigned char *key_data = key_end;
+ int ret = mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk),
+ key_buffer, &key_data);
+ if (ret < 0) {
+ return ret;
+ }
+ size_t key_length = key_end - key_data;
+ ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_data, key_length,
+ key_id));
+ mbedtls_platform_zeroize(key_data, key_length);
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ /* We need to check the curve family, otherwise the import could
+ * succeed with nonsensical data.
+ * We don't check the bit-size: it's optional in attributes,
+ * and if it's specified, psa_import_key() will know from the key
+ * data length and will check that the bit-size matches. */
+ psa_key_type_t to_type = psa_get_key_type(attributes);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t from_family = pk->ec_family;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ size_t from_bits = 0;
+ psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id,
+ &from_bits);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ if (to_type != PSA_KEY_TYPE_ECC_KEY_PAIR(from_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (mbedtls_svc_key_id_is_null(pk->priv_id)) {
+ /* We have a public key and want a key pair. */
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ return copy_into_psa(pk->priv_id, attributes, key_id);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ if (ec->d.n == 0) {
+ /* Private key not set. Assume the input is a public key only.
+ * (The other possibility is that it's an incomplete object
+ * where the group is set but neither the public key nor
+ * the private key. This is not possible through ecp.h
+ * functions, so we don't bother reporting a more suitable
+ * error in that case.) */
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char key_buffer[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t key_length = 0;
+ int ret = mbedtls_ecp_write_key_ext(ec, &key_length,
+ key_buffer, sizeof(key_buffer));
+ if (ret < 0) {
+ return ret;
+ }
+ ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_buffer, key_length,
+ key_id));
+ mbedtls_platform_zeroize(key_buffer, key_length);
+ return ret;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ return copy_into_psa(pk->priv_id, attributes, key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+}
+
+static int import_public_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ psa_key_type_t psa_type = psa_get_key_type(attributes);
+
+#if defined(MBEDTLS_RSA_C) || \
+ (defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)) || \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char key_buffer[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+#endif
+ unsigned char *key_data = NULL;
+ size_t key_length = 0;
+
+ switch (mbedtls_pk_get_type(pk)) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ if (psa_type != PSA_KEY_TYPE_RSA_PUBLIC_KEY) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char *const key_end = key_buffer + sizeof(key_buffer);
+ key_data = key_end;
+ int ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*pk),
+ key_buffer, &key_data);
+ if (ret < 0) {
+ return ret;
+ }
+ key_length = (size_t) ret;
+ break;
+ }
+#endif /*MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ /* We need to check the curve family, otherwise the import could
+ * succeed with nonsensical data.
+ * We don't check the bit-size: it's optional in attributes,
+ * and if it's specified, psa_import_key() will know from the key
+ * data length and will check that the bit-size matches. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ key_data = (unsigned char *) pk->pub_raw;
+ key_length = pk->pub_raw_len;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ size_t from_bits = 0;
+ psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id,
+ &from_bits);
+ if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(from_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ int ret = mbedtls_ecp_write_public_key(
+ ec, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &key_length, key_buffer, sizeof(key_buffer));
+ if (ret < 0) {
+ return ret;
+ }
+ key_data = key_buffer;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ {
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status =
+ psa_get_key_attributes(pk->priv_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ psa_reset_key_attributes(&old_attributes);
+ if (psa_type != PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(old_type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ status = psa_export_public_key(pk->priv_id,
+ key_buffer, sizeof(key_buffer),
+ &key_length);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ key_data = key_buffer;
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_data, key_length,
+ key_id));
+}
+
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ /* Set the output immediately so that it won't contain garbage even
+ * if we error out before calling psa_import_key(). */
+ *key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA_ALT) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+ int want_public = PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_get_key_type(attributes));
+ if (want_public) {
+ return import_public_into_psa(pk, attributes, key_id);
+ } else {
+ return import_pair_into_psa(pk, attributes, key_id);
+ }
+}
+
+static int copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk,
+ int public_only)
+{
+ psa_status_t status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+ size_t key_bits;
+ /* Use a buffer size large enough to contain either a key pair or public key. */
+ unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
+ size_t exp_key_len;
+ int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+
+ if (pk == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ status = psa_get_key_attributes(key_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (public_only) {
+ status = psa_export_public_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ } else {
+ status = psa_export_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ }
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ key_type = psa_get_key_type(&key_attr);
+ if (public_only) {
+ key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
+ }
+ key_bits = psa_get_key_bits(&key_attr);
+
+#if defined(MBEDTLS_RSA_C)
+ if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
+ (key_type == PSA_KEY_TYPE_RSA_PUBLIC_KEY)) {
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ } else {
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ psa_algorithm_t alg_type = psa_get_key_algorithm(&key_attr);
+ mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
+ if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
+ md_type = mbedtls_md_type_from_psa_alg(alg_type);
+ }
+
+ if (PSA_ALG_IS_RSA_OAEP(alg_type) || PSA_ALG_IS_RSA_PSS(alg_type)) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V21, md_type);
+ } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg_type) ||
+ alg_type == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V15, md_type);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ||
+ PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type)) {
+ mbedtls_ecp_group_id grp_id;
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type), key_bits);
+ ret = mbedtls_pk_ecc_set_group(pk, grp_id);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
+ ret = mbedtls_pk_ecc_set_key(pk, exp_key, exp_key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, exp_key, exp_key_len,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ } else {
+ ret = mbedtls_pk_ecc_set_pubkey(pk, exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ {
+ (void) key_bits;
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attr);
+ mbedtls_platform_zeroize(exp_key, sizeof(exp_key));
+
+ return ret;
+}
+
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 0);
+}
+
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 1);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/*
+ * Helper for mbedtls_pk_sign and mbedtls_pk_verify
+ */
+static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
+{
+ if (*hash_len != 0) {
+ return 0;
+ }
+
+ *hash_len = mbedtls_md_get_size_from_type(md_alg);
+
+ if (*hash_len == 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Helper to set up a restart context if needed
+ */
+static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
+ const mbedtls_pk_info_t *info)
+{
+ /* Don't do anything if already set up or invalid */
+ if (ctx == NULL || ctx->pk_info != NULL) {
+ return 0;
+ }
+
+ /* Should never happen when we're called */
+ if (info->rs_alloc_func == NULL || info->rs_free_func == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ return 0;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ mbedtls_pk_restart_ctx *rs_ctx)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL ||
+ pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* optimization: use non-restartable version if restart disabled */
+ if (rs_ctx != NULL &&
+ mbedtls_ecp_restart_is_enabled() &&
+ ctx->pk_info->verify_rs_func != NULL) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
+ return ret;
+ }
+
+ ret = ctx->pk_info->verify_rs_func(ctx,
+ md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
+
+ if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ mbedtls_pk_restart_free(rs_ctx);
+ }
+
+ return ret;
+ }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ if (ctx->pk_info->verify_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->verify_func(ctx, md_alg, hash, hash_len,
+ sig, sig_len);
+}
+
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ return mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
+ sig, sig_len, NULL);
+}
+
+/*
+ * Verify a signature with options
+ */
+int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
+ mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (!mbedtls_pk_can_do(ctx, type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ if (type != MBEDTLS_PK_RSASSA_PSS) {
+ /* General case: no options */
+ if (options != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_pk_verify(ctx, md_alg, hash, hash_len, sig, sig_len);
+ }
+
+ /* Ensure the PK context is of the right type otherwise mbedtls_pk_rsa()
+ * below would return a NULL pointer. */
+ if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_RSA) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (options == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (pss_opts->mgf1_hash_id == md_alg) {
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p;
+ int key_len;
+ size_t signature_length;
+ psa_status_t status = PSA_ERROR_DATA_CORRUPT;
+ psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
+
+ psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
+ p = buf + sizeof(buf);
+ key_len = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*ctx), buf, &p);
+
+ if (key_len < 0) {
+ return key_len;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_alg);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(key_id);
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+ * on a valid signature with trailing data in a buffer, but
+ * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
+ * so for this reason the passed sig_len is overwritten. Smaller
+ * signature lengths should not be accepted for verification. */
+ signature_length = sig_len > mbedtls_pk_get_len(ctx) ?
+ mbedtls_pk_get_len(ctx) : sig_len;
+ status = psa_verify_hash(key_id, psa_sig_alg, hash,
+ hash_len, sig, signature_length);
+ destruction_status = psa_destroy_key(key_id);
+
+ if (status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ if (status == PSA_SUCCESS) {
+ status = destruction_status;
+ }
+
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ if (sig_len < mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ ret = mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_pk_rsa(*ctx),
+ md_alg, (unsigned int) hash_len, hash,
+ pss_opts->mgf1_hash_id,
+ pss_opts->expected_salt_len,
+ sig);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (sig_len > mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return 0;
+ }
+#else
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+}
+
+/*
+ * Make a signature (restartable)
+ */
+int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_pk_restart_ctx *rs_ctx)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL || pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* optimization: use non-restartable version if restart disabled */
+ if (rs_ctx != NULL &&
+ mbedtls_ecp_restart_is_enabled() &&
+ ctx->pk_info->sign_rs_func != NULL) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
+ return ret;
+ }
+
+ ret = ctx->pk_info->sign_rs_func(ctx, md_alg,
+ hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng, rs_ctx->rs_ctx);
+
+ if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ mbedtls_pk_restart_free(rs_ctx);
+ }
+
+ return ret;
+ }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ if (ctx->pk_info->sign_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->sign_func(ctx, md_alg,
+ hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng);
+}
+
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng, NULL);
+}
+
+/*
+ * Make a signature given a signature type.
+ */
+int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
+ mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (!mbedtls_pk_can_do(ctx, pk_type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ if (pk_type != MBEDTLS_PK_RSASSA_PSS) {
+ return mbedtls_pk_sign(ctx, md_alg, hash, hash_len,
+ sig, sig_size, sig_len, f_rng, p_rng);
+ }
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ const psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (psa_md_alg == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
+ psa_status_t status;
+
+ /* PSA_ALG_RSA_PSS() behaves the same as PSA_ALG_RSA_PSS_ANY_SALT() when
+ * performing a signature, but they are encoded differently. Instead of
+ * extracting the proper one from the wrapped key policy, just try both. */
+ status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg),
+ hash, hash_len,
+ sig, sig_size, sig_len);
+ if (status == PSA_ERROR_NOT_PERMITTED) {
+ status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg),
+ hash, hash_len,
+ sig, sig_size, sig_len);
+ }
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
+ ctx->pk_ctx, hash, hash_len,
+ sig, sig_size, sig_len);
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (sig_size < mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ if (pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ mbedtls_rsa_context *const rsa_ctx = mbedtls_pk_rsa(*ctx);
+
+ const int ret = mbedtls_rsa_rsassa_pss_sign_no_mode_check(rsa_ctx, f_rng, p_rng, md_alg,
+ (unsigned int) hash_len, hash, sig);
+ if (ret == 0) {
+ *sig_len = rsa_ctx->len;
+ }
+ return ret;
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#else
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+}
+
+/*
+ * Decrypt message
+ */
+int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->decrypt_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->decrypt_func(ctx, input, ilen,
+ output, olen, osize, f_rng, p_rng);
+}
+
+/*
+ * Encrypt message
+ */
+int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->encrypt_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->encrypt_func(ctx, input, ilen,
+ output, olen, osize, f_rng, p_rng);
+}
+
+/*
+ * Check public-private key pair
+ */
+int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
+ const mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (pub->pk_info == NULL ||
+ prv->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (prv->pk_info->check_pair_func == NULL) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
+ if (pub->pk_info->type != MBEDTLS_PK_RSA) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ } else {
+ if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
+ (pub->pk_info != prv->pk_info)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ }
+
+ return prv->pk_info->check_pair_func((mbedtls_pk_context *) pub,
+ (mbedtls_pk_context *) prv,
+ f_rng, p_rng);
+}
+
+/*
+ * Get key size in bits
+ */
+size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx)
+{
+ /* For backward compatibility, accept NULL or a context that
+ * isn't set up yet, and return a fake value that should be safe. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ return ctx->pk_info->get_bitlen((mbedtls_pk_context *) ctx);
+}
+
+/*
+ * Export debug information
+ */
+int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->debug_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ ctx->pk_info->debug_func((mbedtls_pk_context *) ctx, items);
+ return 0;
+}
+
+/*
+ * Access the PK type name
+ */
+const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return "invalid PK";
+ }
+
+ return ctx->pk_info->name;
+}
+
+/*
+ * Access the PK type
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return MBEDTLS_PK_NONE;
+ }
+
+ return ctx->pk_info->type;
+}
+
+#endif /* MBEDTLS_PK_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_ecc.c b/tf-psa-crypto/drivers/builtin/src/pk_ecc.c
new file mode 100644
index 0000000..86218ff
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pk_ecc.c
@@ -0,0 +1,255 @@
+/*
+ * ECC setters for PK.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#include "mbedtls/pk.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ecp.h"
+#include "pk_internal.h"
+
+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ size_t ec_bits;
+ psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits);
+
+ /* group may already be initialized; if so, make sure IDs match */
+ if ((pk->ec_family != 0 && pk->ec_family != ec_family) ||
+ (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /* set group */
+ pk->ec_family = ec_family;
+ pk->ec_bits = ec_bits;
+
+ return 0;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);
+
+ /* grp may already be initialized; if so, make sure IDs match */
+ if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
+ mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /* set group */
+ return mbedtls_ecp_group_load(&(ecp->grp), grp_id);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t flags;
+ psa_status_t status;
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
+ if (pk->ec_family == PSA_ECC_FAMILY_MONTGOMERY) {
+ /* Do not set algorithm here because Montgomery keys cannot do ECDSA and
+ * the PK module cannot do ECDH. When the key will be used in TLS for
+ * ECDH, it will be exported and then re-imported with proper flags
+ * and algorithm. */
+ flags = PSA_KEY_USAGE_EXPORT;
+ } else {
+ psa_set_key_algorithm(&attributes,
+ MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH));
+ flags = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_EXPORT;
+ }
+ psa_set_key_usage_flags(&attributes, flags);
+
+ status = psa_import_key(&attributes, key, key_len, &pk->priv_id);
+ return psa_pk_status_to_mbedtls(status);
+
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
+ int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, key_len);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ return 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
+ const unsigned char *prv, size_t prv_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+
+ (void) f_rng;
+ (void) p_rng;
+ (void) prv;
+ (void) prv_len;
+ psa_status_t status;
+
+ status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
+ &pk->pub_raw_len);
+ return psa_pk_status_to_mbedtls(status);
+
+#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ (void) f_rng;
+ (void) p_rng;
+ psa_status_t status;
+
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
+
+ /* Import private key into PSA, from serialized input */
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+ status = psa_import_key(&key_attr, prv, prv_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(status);
+ }
+
+ /* Export public key from PSA */
+ unsigned char pub[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t pub_len;
+ status = psa_export_public_key(key_id, pub, sizeof(pub), &pub_len);
+ psa_status_t destruction_status = psa_destroy_key(key_id);
+ if (status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(status);
+ } else if (destruction_status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(destruction_status);
+ }
+
+ /* Load serialized public key into ecp_keypair structure */
+ return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, pub, pub_len);
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+ (void) prv;
+ (void) prv_len;
+
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng);
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/*
+ * Set the public key: fallback using ECP_LIGHT in the USE_PSA_EC_DATA case.
+ *
+ * Normally, when MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we only use PSA
+ * functions to handle keys. However, currently psa_import_key() does not
+ * support compressed points. In case that support was explicitly requested,
+ * this fallback uses ECP functions to get the job done. This is the reason
+ * why MBEDTLS_PK_PARSE_EC_COMPRESSED auto-enables MBEDTLS_ECP_LIGHT.
+ *
+ * [in/out] pk: in: must have the group set, see mbedtls_pk_ecc_set_group().
+ * out: will have the public key set.
+ * [in] pub, pub_len: the public key as an ECPoint,
+ * in any format supported by ECP.
+ *
+ * Return:
+ * - 0 on success;
+ * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
+ * but not supported;
+ * - another error code otherwise.
+ */
+static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk,
+ const unsigned char *pub,
+ size_t pub_len)
+{
+#if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
+ (void) pk;
+ (void) pub;
+ (void) pub_len;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
+ mbedtls_ecp_keypair ecp_key;
+ mbedtls_ecp_group_id ecp_group_id;
+ int ret;
+
+ ecp_group_id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
+
+ mbedtls_ecp_keypair_init(&ecp_key);
+ ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
+ pub, pub_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pk->pub_raw_len, pk->pub_raw,
+ sizeof(pk->pub_raw));
+
+exit:
+ mbedtls_ecp_keypair_free(&ecp_key);
+ return ret;
+#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+
+ /* Load the key */
+ if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(pk->ec_family) || *pub == 0x04) {
+ /* Format directly supported by PSA:
+ * - non-Weierstrass curves that only have one format;
+ * - uncompressed format for Weierstrass curves. */
+ if (pub_len > sizeof(pk->pub_raw)) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+ memcpy(pk->pub_raw, pub, pub_len);
+ pk->pub_raw_len = pub_len;
+ } else {
+ /* Other format, try the fallback */
+ int ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /* Validate the key by trying to import it */
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags(&key_attrs, 0);
+ psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
+ psa_set_key_bits(&key_attrs, pk->ec_bits);
+
+ if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
+ &key_id) != PSA_SUCCESS) ||
+ (psa_destroy_key(key_id) != PSA_SUCCESS)) {
+ return MBEDTLS_ERR_PK_INVALID_PUBKEY;
+ }
+
+ return 0;
+
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ int ret;
+ mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, pub, pub_len);
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
+
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+#endif /* MBEDTLS_PK_C && MBEDTLS_PK_HAVE_ECC_KEYS */
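Review bot: In `mbedtls_pk_ecc_set_pubkey`, the MBEDTLS_PK_USE_PSA_EC_DATA branch evaluates `*pub == 0x04` before `pub_len` is examined, so for a Weierstrass family a zero-length input reads one byte beyond what the caller supplied. Whether any caller can pass an empty key is not visible in this hunk, but the function presumably receives parsed or exported key data, so I would guard it locally instead of relying on callers. Placing `if (pub_len == 0) { return MBEDTLS_ERR_PK_INVALID_PUBKEY; }` ahead of the format test would do it, and it is the same code the function already returns when the validating `psa_import_key()` fails. A one-line comment there, such as `/* pub[0] selects the point format, so reject empty input before reading it */`, would keep the check from being dropped later.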
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_internal.h b/tf-psa-crypto/drivers/builtin/src/pk_internal.h
new file mode 100644
index 0000000..e86a3a0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pk_internal.h
@@ -0,0 +1,207 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: internal (i.e. library only) functions
+ * and definitions.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PK_INTERNAL_H
+#define MBEDTLS_PK_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include "psa/crypto.h"
+
+#include "psa_util_internal.h"
+#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
+#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_rsa_errors, \
+ psa_pk_status_to_mbedtls)
+#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_ecdsa_errors, \
+ psa_pk_status_to_mbedtls)
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/* Headers/footers for PEM files */
+#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----"
+#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----"
+#define PEM_BEGIN_PUBLIC_KEY_RSA "-----BEGIN RSA PUBLIC KEY-----"
+#define PEM_END_PUBLIC_KEY_RSA "-----END RSA PUBLIC KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_PKCS8 "-----BEGIN PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_PKCS8 "-----END PRIVATE KEY-----"
+#define PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----BEGIN ENCRYPTED PRIVATE KEY-----"
+#define PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----END ENCRYPTED PRIVATE KEY-----"
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/**
+ * Public function mbedtls_pk_ec() can be used to get direct access to the
+ * wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
+ * ideal because it bypasses the PK module on the control of its internal
+ * structure (pk_context) fields.
+ * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but
+ * we provide 2 very similar functions when only ECP_LIGHT is enabled and not
+ * ECP_C.
+ * These variants embed the "ro" or "rw" keywords in their name to make the
+ * usage of the returned pointer explicit. Of course the returned value is
+ * const or non-const accordingly.
+ */
+static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+static inline mbedtls_ecp_group_id mbedtls_pk_get_ec_group_id(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+ psa_ecc_family_t curve;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return MBEDTLS_ECP_DP_NONE;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
+ id = mbedtls_ecc_group_from_psa(curve, psa_get_key_bits(&opaque_attrs));
+ psa_reset_key_attributes(&opaque_attrs);
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ id = mbedtls_pk_ec_ro(*pk)->grp.id;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+
+ return id;
+}
+
+/* Helper for Montgomery curves */
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(MBEDTLS_ECP_HAVE_CURVE448)
+#define MBEDTLS_PK_HAVE_RFC8410_CURVES
+#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
+
+#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
+ ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
+
+static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id = mbedtls_pk_get_ec_group_id(pk);
+
+ return MBEDTLS_PK_IS_RFC8410_GROUP_ID(id);
+}
+
+/*
+ * Set the group used by this key.
+ *
+ * [in/out] pk: in: must have been pk_setup() to an ECC type
+ * out: will have group (curve) information set
+ * [in] grp_in: a supported group ID (not NONE)
+ */
+int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id);
+
+/*
+ * Set the private key material
+ *
+ * [in/out] pk: in: must have the group set already, see mbedtls_pk_ecc_set_group().
+ * out: will have the private key set.
+ * [in] key, key_len: the raw private key (no ASN.1 wrapping).
+ */
+int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len);
+
+/*
+ * Set the public key.
+ *
+ * [in/out] pk: in: must have its group set, see mbedtls_pk_ecc_set_group().
+ * out: will have the public key set.
+ * [in] pub, pub_len: the raw public key (an ECPoint).
+ *
+ * Return:
+ * - 0 on success;
+ * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
+ * but not supported;
+ * - another error code otherwise.
+ */
+int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len);
+
+/*
+ * Derive a public key from its private counterpart.
+ * Computationally intensive, only use when public key is not available.
+ *
+ * [in/out] pk: in: must have the private key set, see mbedtls_pk_ecc_set_key().
+ * out: will have the public key set.
+ * [in] prv, prv_len: the raw private key (see note below).
+ * [in] f_rng, p_rng: RNG function and context.
+ *
+ * Note: the private key information is always available from pk,
+ * however for convenience the serialized version is also passed,
+ * as it's available at each calling site, and useful in some configs
+ * (as otherwise we would have to re-serialize it from the pk context).
+ *
+ * There are three implementations of this function:
+ * 1. MBEDTLS_PK_USE_PSA_EC_DATA,
+ * 2. MBEDTLS_USE_PSA_CRYPTO but not MBEDTLS_PK_USE_PSA_EC_DATA,
+ * 3. not MBEDTLS_USE_PSA_CRYPTO.
+ */
+int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
+ const unsigned char *prv, size_t prv_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Helper for (deterministic) ECDSA */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_DETERMINISTIC_ECDSA
+#else
+#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_ECDSA
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
+ mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
+#endif
+
+#endif /* MBEDTLS_PK_INTERNAL_H */
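Review bot: In `mbedtls_pk_get_ec_group_id`, the branch taken when MBEDTLS_PK_USE_PSA_EC_DATA is not defined does `id = mbedtls_pk_ec_ro(*pk)->grp.id;`, but `mbedtls_pk_ec_ro()` returns NULL for any context whose type is not ECKEY, ECKEY_DH or ECDSA, so that NULL is dereferenced unchecked. Callers may always check the key type first (not visible in this hunk), but `mbedtls_pk_is_rfc8410()` forwards whatever context it is given, so a guard here is cheap: `const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);` followed by `id = (ec != NULL) ? ec->grp.id : MBEDTLS_ECP_DP_NONE;`, which matches the `MBEDTLS_ECP_DP_NONE` the opaque branch already returns on failure. Separately, the comment above `mbedtls_pk_ecc_set_group` documents a parameter `grp_in` while the prototype names it `grp_id`.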
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_wrap.c b/tf-psa-crypto/drivers/builtin/src/pk_wrap.c
new file mode 100644
index 0000000..8710889
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pk_wrap.c
@@ -0,0 +1,1578 @@
+/*
+ * Public Key abstraction layer: wrapper functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PK_C)
+#include "pk_wrap.h"
+#include "pk_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/psa_util.h"
+
+/* Even if RSA not activated, for the sake of RSA-alt */
+#include "mbedtls/rsa.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa_util_internal.h"
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "pkwrite.h"
+#include "rsa_internal.h"
+#endif
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+#include "mbedtls/asn1write.h"
+#include "mbedtls/asn1.h"
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#include "mbedtls/platform.h"
+
+#include <limits.h>
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA ||
+ type == MBEDTLS_PK_RSASSA_PSS;
+}
+
+static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
+{
+ const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
+ return mbedtls_rsa_get_bitlen(rsa);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+ psa_algorithm_t psa_alg_md;
+ size_t rsa_len = mbedtls_rsa_get_len(rsa);
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg));
+ } else {
+ psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
+ }
+
+ if (sig_len < rsa_len) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_alg_md);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
+ sig, sig_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ size_t rsa_len = mbedtls_rsa_get_len(rsa);
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (sig_len < rsa_len) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
+ (unsigned int) hash_len,
+ hash, sig)) != 0) {
+ return ret;
+ }
+
+ /* The buffer contains a valid signature followed by extra data.
+ * We have a special error code for that so that so that callers can
+ * use mbedtls_pk_verify() to check "Does the buffer start with a
+ * valid signature?" and not just "Does the buffer contain a valid
+ * signature?". */
+ if (sig_len > rsa_len) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
+ mbedtls_rsa_context *rsa_ctx,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ int key_len;
+ unsigned char *buf = NULL;
+ unsigned char *p;
+
+ buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
+ if (buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES;
+
+ *sig_len = mbedtls_rsa_get_len(rsa_ctx);
+ if (sig_size < *sig_len) {
+ mbedtls_free(buf);
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p);
+ if (key_len <= 0) {
+ mbedtls_free(buf);
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+
+ status = psa_import_key(&attributes,
+ buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+ status = psa_sign_hash(key_id, alg, hash, hash_len,
+ sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_free(buf);
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ ((void) f_rng);
+ ((void) p_rng);
+
+ psa_algorithm_t psa_md_alg;
+ psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (psa_md_alg == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_algorithm_t psa_alg;
+ if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) {
+ psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
+ } else {
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
+ }
+
+ return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len,
+ sig, sig_size, sig_len);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ *sig_len = mbedtls_rsa_get_len(rsa);
+ if (sig_size < *sig_len) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
+ md_alg, (unsigned int) hash_len,
+ hash, sig);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_md_alg, decrypt_alg;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (ilen != mbedtls_rsa_get_len(rsa)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ key_len = mbedtls_rsa_write_key(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
+ decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
+ } else {
+ decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
+ }
+ psa_set_key_algorithm(&attributes, decrypt_alg);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_asymmetric_decrypt(key_id, decrypt_alg,
+ input, ilen,
+ NULL, 0,
+ output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+ if (ilen != mbedtls_rsa_get_len(rsa)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
+ olen, input, output, osize);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_md_alg, psa_encrypt_alg;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (mbedtls_rsa_get_len(rsa) > osize) {
+ return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ }
+
+ key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
+ psa_encrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
+ } else {
+ psa_encrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
+ }
+ psa_set_key_algorithm(&attributes, psa_encrypt_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_asymmetric_encrypt(key_id, psa_encrypt_alg,
+ input, ilen,
+ NULL, 0,
+ output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ *olen = mbedtls_rsa_get_len(rsa);
+
+ if (*olen > osize) {
+ return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ }
+
+ return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
+ ilen, input, output);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ (void) f_rng;
+ (void) p_rng;
+ return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
+ (const mbedtls_rsa_context *) prv->pk_ctx);
+}
+
+static void *rsa_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
+
+ if (ctx != NULL) {
+ mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void rsa_free_wrap(void *ctx)
+{
+ mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+ items->type = MBEDTLS_PK_DEBUG_MPI;
+ items->name = "rsa.N";
+ items->value = &(rsa->N);
+
+ items++;
+
+ items->type = MBEDTLS_PK_DEBUG_MPI;
+ items->name = "rsa.E";
+ items->value = &(rsa->E);
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_info = {
+ .type = MBEDTLS_PK_RSA,
+ .name = "RSA",
+ .get_bitlen = rsa_get_bitlen,
+ .can_do = rsa_can_do,
+ .verify_func = rsa_verify_wrap,
+ .sign_func = rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = rsa_decrypt_wrap,
+ .encrypt_func = rsa_encrypt_wrap,
+ .check_pair_func = rsa_check_pair_wrap,
+ .ctx_alloc_func = rsa_alloc_wrap,
+ .ctx_free_func = rsa_free_wrap,
+ .debug_func = rsa_debug,
+};
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * Generic EC key
+ */
+static int eckey_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECKEY_DH ||
+ type == MBEDTLS_PK_ECDSA;
+}
+
+static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ return pk->ec_bits;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ return ecp->grp.pbits;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Common helper for ECDSA verify using PSA functions. */
+static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
+ psa_ecc_family_t curve, size_t curve_bits,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
+ size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
+ size_t converted_sig_len;
+ unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
+ unsigned char *p;
+ psa_status_t status;
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_md);
+
+ status = psa_import_key(&attributes, key, key_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ if (signature_len > sizeof(extracted_sig)) {
+ ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ p = (unsigned char *) sig;
+ ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig,
+ sizeof(extracted_sig), &converted_sig_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (converted_sig_len != signature_len) {
+ ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
+ extracted_sig, signature_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+
+static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t key_len;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_ecc_family_t curve;
+ size_t curve_bits;
+ psa_status_t status;
+
+ status = psa_get_key_attributes(pk->priv_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
+ curve_bits = psa_get_key_bits(&key_attr);
+ psa_reset_key_attributes(&key_attr);
+
+ status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return ecdsa_verify_psa(key, key_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ psa_ecc_family_t curve = pk->ec_family;
+ size_t curve_bits = pk->ec_bits;
+
+ return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
+ unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t key_len;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
+
+ ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &key_len, key, sizeof(key));
+ if (ret != 0) {
+ return ret;
+ }
+
+ return ecdsa_verify_psa(key, key_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) md_alg);
+
+ ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
+ hash, hash_len, sig, sig_len);
+
+ if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Common helper for ECDSA sign using PSA functions.
+ * Instead of extracting key's properties in order to check which kind of ECDSA
+ * signature it supports, we try both deterministic and non-deterministic.
+ */
+static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ size_t key_bits = 0;
+
+ status = psa_get_key_attributes(key_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+ key_bits = psa_get_key_bits(&key_attr);
+ psa_reset_key_attributes(&key_attr);
+
+ status = psa_sign_hash(key_id,
+ PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
+ hash, hash_len, sig, sig_size, sig_len);
+ if (status == PSA_SUCCESS) {
+ goto done;
+ } else if (status != PSA_ERROR_NOT_PERMITTED) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+ status = psa_sign_hash(key_id,
+ PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
+ hash, hash_len, sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+done:
+ ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len);
+
+ return ret;
+}
+
+static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ ((void) f_rng);
+ ((void) p_rng);
+
+ return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
+ sig_len);
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
+ * using the same function. */
+#define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
+ size_t curve_bits;
+ psa_ecc_family_t curve =
+ mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
+ size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
+ psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg);
+ psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash);
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (key_len > sizeof(buf)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_md);
+
+ status = psa_import_key(&attributes, buf, key_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
+ md_alg, hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx);
+
+static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx);
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct {
+ mbedtls_ecdsa_restart_ctx ecdsa_rs;
+ mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc(void)
+{
+ eckey_restart_ctx *rs_ctx;
+
+ void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
+
+ if (ctx != NULL) {
+ rs_ctx = ctx;
+ mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
+ mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
+ }
+
+ return ctx;
+}
+
+static void eckey_rs_free(void *ctx)
+{
+ eckey_restart_ctx *rs_ctx;
+
+ if (ctx == NULL) {
+ return;
+ }
+
+ rs_ctx = ctx;
+ mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
+ mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
+
+ mbedtls_free(ctx);
+}
+
+static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ eckey_restart_ctx *rs = rs_ctx;
+
+ /* Should never happen */
+ if (rs == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ /* set up our own sub-context if needed (that is, on first run) */
+ if (rs->ecdsa_ctx.grp.pbits == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
+ }
+
+ MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
+ md_alg, hash, hash_len,
+ sig, sig_len, &rs->ecdsa_rs));
+
+cleanup:
+ return ret;
+}
+
+static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ eckey_restart_ctx *rs = rs_ctx;
+
+ /* Should never happen */
+ if (rs == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ /* set up our own sub-context if needed (that is, on first run) */
+ if (rs->ecdsa_ctx.grp.pbits == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
+ }
+
+ MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
+ hash, hash_len, sig, sig_size, sig_len,
+ f_rng, p_rng, &rs->ecdsa_rs));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t prv_key_len;
+ mbedtls_svc_key_id_t key_id = prv->priv_id;
+
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t prv_key_len;
+ psa_status_t destruction_status;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t pub_key_len;
+ size_t curve_bits;
+ const psa_ecc_family_t curve =
+ mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
+ const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+
+ ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
+ prv_key_buf, curve_bytes);
+ if (ret != 0) {
+ mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
+ return ret;
+ }
+
+ status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
+ mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ // From now on prv_key_buf is used to store the public key of prv.
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ destruction_status = psa_destroy_key(key_id);
+ if (ret != 0) {
+ return ret;
+ } else if (destruction_status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
+ }
+
+ ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
+ &mbedtls_pk_ec_rw(*pub)->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pub_key_len, pub_key_buf,
+ sizeof(pub_key_buf));
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ (void) f_rng;
+ (void) p_rng;
+ return eckey_check_pair_psa(pub, prv);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
+ (const mbedtls_ecp_keypair *) prv->pk_ctx,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
+ * using the same function. */
+#define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
+ mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ psa_status_t status;
+ uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t exp_pub_key_len = 0;
+ uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t pub_key_len = 0;
+ int ret;
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
+ &exp_pub_key_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_pk_status_to_mbedtls(status);
+ return ret;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
+ &(mbedtls_pk_ec_ro(*pub)->Q),
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pub_key_len, pub_key, sizeof(pub_key));
+ if (ret != 0) {
+ return ret;
+ }
+ if ((exp_pub_key_len != pub_key_len) ||
+ memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static void *eckey_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
+
+ if (ctx != NULL) {
+ mbedtls_ecp_keypair_init(ctx);
+ }
+
+ return ctx;
+}
+
+static void eckey_free_wrap(void *ctx)
+{
+ mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ items->type = MBEDTLS_PK_DEBUG_PSA_EC;
+ items->name = "eckey.Q";
+ items->value = pk;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ items->type = MBEDTLS_PK_DEBUG_ECP;
+ items->name = "eckey.Q";
+ items->value = &(ecp->Q);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+const mbedtls_pk_info_t mbedtls_eckey_info = {
+ .type = MBEDTLS_PK_ECKEY,
+ .name = "EC",
+ .get_bitlen = eckey_get_bitlen,
+ .can_do = eckey_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = eckey_verify_rs_wrap,
+ .sign_rs_func = eckey_sign_rs_wrap,
+ .rs_alloc_func = eckey_rs_alloc,
+ .rs_free_func = eckey_rs_free,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap,
+ .ctx_free_func = eckey_free_wrap,
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug,
+};
+
+/*
+ * EC key restricted to ECDH
+ */
+static int eckeydh_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECKEY_DH;
+}
+
+const mbedtls_pk_info_t mbedtls_eckeydh_info = {
+ .type = MBEDTLS_PK_ECKEY_DH,
+ .name = "EC_DH",
+ .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
+ .can_do = eckeydh_can_do,
+ .verify_func = NULL,
+ .sign_func = NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
+ .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug, /* Same underlying key structure */
+};
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+static int ecdsa_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECDSA;
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) md_alg);
+
+ ret = mbedtls_ecdsa_read_signature_restartable(
+ (mbedtls_ecdsa_context *) pk->pk_ctx,
+ hash, hash_len, sig, sig_len,
+ (mbedtls_ecdsa_restart_ctx *) rs_ctx);
+
+ if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return ret;
+}
+
+static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx)
+{
+ return mbedtls_ecdsa_write_signature_restartable(
+ (mbedtls_ecdsa_context *) pk->pk_ctx,
+ md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
+ (mbedtls_ecdsa_restart_ctx *) rs_ctx);
+
+}
+
+static void *ecdsa_rs_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
+
+ if (ctx != NULL) {
+ mbedtls_ecdsa_restart_init(ctx);
+ }
+
+ return ctx;
+}
+
+static void ecdsa_rs_free(void *ctx)
+{
+ mbedtls_ecdsa_restart_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+const mbedtls_pk_info_t mbedtls_ecdsa_info = {
+ .type = MBEDTLS_PK_ECDSA,
+ .name = "ECDSA",
+ .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
+ .can_do = ecdsa_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = ecdsa_verify_rs_wrap,
+ .sign_rs_func = ecdsa_sign_rs_wrap,
+ .rs_alloc_func = ecdsa_rs_alloc,
+ .rs_free_func = ecdsa_rs_free,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
+ .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug, /* Compatible key structures */
+};
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Support for alternative RSA-private implementations
+ */
+
+static int rsa_alt_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA;
+}
+
+static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
+{
+ const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+ return 8 * rsa_alt->key_len_func(rsa_alt->key);
+}
+
+static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+#if SIZE_MAX > UINT_MAX
+ if (UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ *sig_len = rsa_alt->key_len_func(rsa_alt->key);
+ if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ if (*sig_len > sig_size) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
+ md_alg, (unsigned int) hash_len, hash, sig);
+}
+
+static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return rsa_alt->decrypt_func(rsa_alt->key,
+ olen, input, output, osize);
+}
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+ unsigned char hash[32];
+ size_t sig_len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ memset(hash, 0x2a, sizeof(hash));
+
+ if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
+ hash, sizeof(hash),
+ sig, sizeof(sig), &sig_len,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
+ hash, sizeof(hash), sig, sig_len) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_RSA_C */
+
+static void *rsa_alt_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
+
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
+ }
+
+ return ctx;
+}
+
+static void rsa_alt_free_wrap(void *ctx)
+{
+ mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
+ .type = MBEDTLS_PK_RSA_ALT,
+ .name = "RSA-alt",
+ .get_bitlen = rsa_alt_get_bitlen,
+ .can_do = rsa_alt_can_do,
+ .verify_func = NULL,
+ .sign_func = rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = rsa_alt_decrypt_wrap,
+ .encrypt_func = NULL,
+#if defined(MBEDTLS_RSA_C)
+ .check_pair_func = rsa_alt_check_pair,
+#else
+ .check_pair_func = NULL,
+#endif
+ .ctx_alloc_func = rsa_alt_alloc_wrap,
+ .ctx_free_func = rsa_alt_free_wrap,
+ .debug_func = NULL,
+};
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
+{
+ size_t bits;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
+ return 0;
+ }
+
+ bits = psa_get_key_bits(&attributes);
+ psa_reset_key_attributes(&attributes);
+ return bits;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECDSA;
+}
+
+const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
+ .type = MBEDTLS_PK_OPAQUE,
+ .name = "Opaque",
+ .get_bitlen = opaque_get_bitlen,
+ .can_do = ecdsa_opaque_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_opaque_verify_wrap,
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_opaque_sign_wrap,
+#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = ecdsa_opaque_check_pair_wrap,
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+ .debug_func = NULL,
+};
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+static int rsa_opaque_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA ||
+ type == MBEDTLS_PK_RSASSA_PSS;
+}
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ psa_status_t status;
+
+ /* PSA has its own RNG */
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_get_key_attributes(pk->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ type = psa_get_key_type(&attributes);
+ alg = psa_get_key_algorithm(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if (!PSA_KEY_TYPE_IS_RSA(type)) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_asymmetric_decrypt(pk->priv_id, alg, input, ilen, NULL, 0, output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return 0;
+}
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+
+static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_RSA_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ psa_status_t status;
+
+ /* PSA has its own RNG */
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_get_key_attributes(pk->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ type = psa_get_key_type(&attributes);
+ alg = psa_get_key_algorithm(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ alg = (alg & ~PSA_ALG_HASH_MASK) | mbedtls_md_psa_alg_from_type(md_alg);
+ } else {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_sign_hash(pk->priv_id, alg, hash, hash_len, sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ } else {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ }
+
+ return 0;
+#else /* !MBEDTLS_RSA_C */
+ ((void) pk);
+ ((void) md_alg);
+ ((void) hash);
+ ((void) hash_len);
+ ((void) sig);
+ ((void) sig_size);
+ ((void) sig_len);
+ ((void) f_rng);
+ ((void) p_rng);
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* !MBEDTLS_RSA_C */
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
+ .type = MBEDTLS_PK_OPAQUE,
+ .name = "Opaque",
+ .get_bitlen = opaque_get_bitlen,
+ .can_do = rsa_opaque_can_do,
+ .verify_func = NULL,
+ .sign_func = rsa_opaque_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+ .decrypt_func = rsa_opaque_decrypt,
+#else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+ .decrypt_func = NULL,
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+ .encrypt_func = NULL,
+ .check_pair_func = NULL,
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+ .debug_func = NULL,
+};
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_PK_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_wrap.h b/tf-psa-crypto/drivers/builtin/src/pk_wrap.h
new file mode 100644
index 0000000..be096da
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pk_wrap.h
@@ -0,0 +1,138 @@
+/**
+ * \file pk_wrap.h
+ *
+ * \brief Public Key abstraction layer: wrapper functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PK_WRAP_H
+#define MBEDTLS_PK_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+struct mbedtls_pk_info_t {
+ /** Public key type */
+ mbedtls_pk_type_t type;
+
+ /** Type name */
+ const char *name;
+
+ /** Get key size in bits */
+ size_t (*get_bitlen)(mbedtls_pk_context *pk);
+
+ /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
+ int (*can_do)(mbedtls_pk_type_t type);
+
+ /** Verify signature */
+ int (*verify_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len);
+
+ /** Make signature */
+ int (*sign_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Verify signature (restartable) */
+ int (*verify_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx);
+
+ /** Make signature (restartable) */
+ int (*sign_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ /** Decrypt message */
+ int (*decrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Encrypt message */
+ int (*encrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Check public-private key pair */
+ int (*check_pair_func)(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Allocate a new context */
+ void * (*ctx_alloc_func)(void);
+
+ /** Free the given context */
+ void (*ctx_free_func)(void *ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Allocate the restart context */
+ void *(*rs_alloc_func)(void);
+
+ /** Free the restart context */
+ void (*rs_free_func)(void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ /** Interface with the debug module */
+ void (*debug_func)(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items);
+
+};
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Container for RSA-alt */
+typedef struct {
+ void *key;
+ mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
+ mbedtls_pk_rsa_alt_sign_func sign_func;
+ mbedtls_pk_rsa_alt_key_len_func key_len_func;
+} mbedtls_rsa_alt_context;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const mbedtls_pk_info_t mbedtls_rsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+extern const mbedtls_pk_info_t mbedtls_eckey_info;
+extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
+#endif
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
+extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;
+
+#if defined(MBEDTLS_RSA_C)
+int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
+ mbedtls_rsa_context *rsa_ctx,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len);
+#endif /* MBEDTLS_RSA_C */
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_PK_WRAP_H */
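Review bot: The member comments in `struct mbedtls_pk_info_t` never say that an entry may be NULL, yet the tables added to pk_wrap.c in this same commit leave every pointer after `can_do` NULL for at least one key type. Examples are `verify_func` and `sign_func` in `mbedtls_eckeydh_info`, `check_pair_func` in `mbedtls_rsa_opaque_info`, and `ctx_alloc_func` and `debug_func` in `mbedtls_ecdsa_opaque_info`. A caller that dispatches through one of these without a check dereferences a null function pointer, so the contract belongs next to the declaration. I would add above the struct `/* Every function pointer after can_do may be NULL when the key type lacks that operation; callers must check before calling. */`. Whether the dispatcher in pk.c already guards each call is not visible from this hunk.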
diff --git a/tf-psa-crypto/drivers/builtin/src/pkcs12.c b/tf-psa-crypto/drivers/builtin/src/pkcs12.c
new file mode 100644
index 0000000..a3467b9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pkcs12.c
@@ -0,0 +1,437 @@
+/*
+ * PKCS#12 Personal Information Exchange Syntax
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
+ *
+ * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PKCS12_C)
+
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/asn1.h"
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif /* MBEDTLS_CIPHER_C */
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+
+static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
+ mbedtls_asn1_buf *salt, int *iterations)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char **p = &params->p;
+ const unsigned char *end = params->p + params->len;
+
+ /*
+ * pkcs-12PbeParams ::= SEQUENCE {
+ * salt OCTET STRING,
+ * iterations INTEGER
+ * }
+ *
+ */
+ if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
+ }
+
+ salt->p = *p;
+ *p += salt->len;
+
+ if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+#define PKCS12_MAX_PWDLEN 128
+
+static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ unsigned char *key, size_t keylen,
+ unsigned char *iv, size_t ivlen)
+{
+ int ret, iterations = 0;
+ mbedtls_asn1_buf salt;
+ size_t i;
+ unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+ if (pwdlen > PKCS12_MAX_PWDLEN) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ memset(&salt, 0, sizeof(mbedtls_asn1_buf));
+ memset(&unipwd, 0, sizeof(unipwd));
+
+ if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
+ &iterations)) != 0) {
+ return ret;
+ }
+
+ for (i = 0; i < pwdlen; i++) {
+ unipwd[i * 2 + 1] = pwd[i];
+ }
+
+ if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
+ salt.p, salt.len, md_type,
+ MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
+ return ret;
+ }
+
+ if (iv == NULL || ivlen == 0) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
+ salt.p, salt.len, md_type,
+ MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
+ return ret;
+ }
+ return 0;
+}
+
+#undef PKCS12_MAX_PWDLEN
+
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output)
+{
+ size_t output_len = 0;
+
+ /* We assume caller of the function is providing a big enough output buffer
+ * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
+ * for the output size actually being correct.
+ */
+ return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
+ pwd, pwdlen, data, len, output, SIZE_MAX,
+ &output_len);
+}
+#endif
+
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret, keylen = 0;
+ unsigned char key[32];
+ unsigned char iv[16];
+ const mbedtls_cipher_info_t *cipher_info;
+ mbedtls_cipher_context_t cipher_ctx;
+ size_t iv_len = 0;
+ size_t finish_olen = 0;
+ unsigned int padlen = 0;
+
+ if (pwd == NULL && pwdlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
+ }
+
+ keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+
+ if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
+ if (output_size < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
+ padlen = cipher_info->block_size - (len % cipher_info->block_size);
+ if (output_size < (len + padlen)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ iv_len = mbedtls_cipher_info_get_iv_size(cipher_info);
+ if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
+ key, keylen,
+ iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ mbedtls_cipher_init(&cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
+ (mbedtls_operation_t) mode)) != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ {
+ /* PKCS12 uses CBC with PKCS7 padding */
+ mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ /* For historical reasons, when decrypting, this function works when
+ * decrypting even when support for PKCS7 padding is disabled. In this
+ * case, it ignores the padding, and so will never report a
+ * password mismatch.
+ */
+ if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
+ padding = MBEDTLS_PADDING_NONE;
+ }
+#endif
+ if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+ ret = mbedtls_cipher_crypt(&cipher_ctx, iv, iv_len, data, len, output, &finish_olen);
+ if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING) {
+ ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
+ }
+
+ *output_len += finish_olen;
+
+exit:
+ mbedtls_platform_zeroize(key, sizeof(key));
+ mbedtls_platform_zeroize(iv, sizeof(iv));
+ mbedtls_cipher_free(&cipher_ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
+
+static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
+ const unsigned char *filler, size_t fill_len)
+{
+ unsigned char *p = data;
+ size_t use_len;
+
+ if (filler != NULL && fill_len != 0) {
+ while (data_len > 0) {
+ use_len = (data_len > fill_len) ? fill_len : data_len;
+ memcpy(p, filler, use_len);
+ p += use_len;
+ data_len -= use_len;
+ }
+ } else {
+ /* If either of the above are not true then clearly there is nothing
+ * that this function can do. The function should *not* be called
+ * under either of those circumstances, as you could end up with an
+ * incorrect output but for safety's sake, leaving the check in as
+ * otherwise we could end up with memory corruption.*/
+ }
+}
+
+
+static int calculate_hashes(mbedtls_md_type_t md_type, int iterations,
+ unsigned char *diversifier, unsigned char *salt_block,
+ unsigned char *pwd_block, unsigned char *hash_output, int use_salt,
+ int use_password, size_t hlen, size_t v)
+{
+ int ret = -1;
+ size_t i;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_context_t md_ctx;
+ md_info = mbedtls_md_info_from_type(md_type);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_md_init(&md_ctx);
+
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ return ret;
+ }
+ // Calculate hash( diversifier || salt_block || pwd_block )
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
+ goto exit;
+ }
+
+ if (use_salt != 0) {
+ if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
+ goto exit;
+ }
+ }
+
+ if (use_password != 0) {
+ if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
+ goto exit;
+ }
+ }
+
+ if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
+ goto exit;
+ }
+
+ // Perform remaining ( iterations - 1 ) recursive hash calculations
+ for (i = 1; i < (size_t) iterations; i++) {
+ if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output))
+ != 0) {
+ goto exit;
+ }
+ }
+
+exit:
+ mbedtls_md_free(&md_ctx);
+ return ret;
+}
+
+
+int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *salt, size_t saltlen,
+ mbedtls_md_type_t md_type, int id, int iterations)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int j;
+
+ unsigned char diversifier[128];
+ unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
+ unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *p;
+ unsigned char c;
+ int use_password = 0;
+ int use_salt = 0;
+
+ size_t hlen, use_len, v, i;
+
+ // This version only allows max of 64 bytes of password or salt
+ if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ if (pwd == NULL && pwdlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ if (salt == NULL && saltlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ use_password = (pwd && pwdlen != 0);
+ use_salt = (salt && saltlen != 0);
+
+ hlen = mbedtls_md_get_size_from_type(md_type);
+
+ if (hlen <= 32) {
+ v = 64;
+ } else {
+ v = 128;
+ }
+
+ memset(diversifier, (unsigned char) id, v);
+
+ if (use_salt != 0) {
+ pkcs12_fill_buffer(salt_block, v, salt, saltlen);
+ }
+
+ if (use_password != 0) {
+ pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
+ }
+
+ p = data;
+ while (datalen > 0) {
+ if (calculate_hashes(md_type, iterations, diversifier, salt_block,
+ pwd_block, hash_output, use_salt, use_password, hlen,
+ v) != 0) {
+ goto exit;
+ }
+
+ use_len = (datalen > hlen) ? hlen : datalen;
+ memcpy(p, hash_output, use_len);
+ datalen -= use_len;
+ p += use_len;
+
+ if (datalen == 0) {
+ break;
+ }
+
+ // Concatenating copies of hash_output into hash_block (B)
+ pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
+
+ // B += 1
+ for (i = v; i > 0; i--) {
+ if (++hash_block[i - 1] != 0) {
+ break;
+ }
+ }
+
+ if (use_salt != 0) {
+ // salt_block += B
+ c = 0;
+ for (i = v; i > 0; i--) {
+ j = salt_block[i - 1] + hash_block[i - 1] + c;
+ c = MBEDTLS_BYTE_1(j);
+ salt_block[i - 1] = MBEDTLS_BYTE_0(j);
+ }
+ }
+
+ if (use_password != 0) {
+ // pwd_block += B
+ c = 0;
+ for (i = v; i > 0; i--) {
+ j = pwd_block[i - 1] + hash_block[i - 1] + c;
+ c = MBEDTLS_BYTE_1(j);
+ pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
+ }
+ }
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
+ mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
+ mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
+ mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
+
+ return ret;
+}
+
+#endif /* MBEDTLS_PKCS12_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/pkcs5.c b/tf-psa-crypto/drivers/builtin/src/pkcs5.c
new file mode 100644
index 0000000..c6c5305
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pkcs5.c
@@ -0,0 +1,500 @@
+/**
+ * \file pkcs5.c
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * PKCS#5 includes PBKDF2 and more
+ *
+ * http://tools.ietf.org/html/rfc2898 (Specification)
+ * http://tools.ietf.org/html/rfc6070 (Test vectors)
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PKCS5_C)
+
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif /* MBEDTLS_CIPHER_C */
+#include "mbedtls/oid.h"
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
+ mbedtls_asn1_buf *salt, int *iterations,
+ int *keylen, mbedtls_md_type_t *md_type)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf prf_alg_oid;
+ unsigned char *p = params->p;
+ const unsigned char *end = params->p + params->len;
+
+ if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ /*
+ * PBKDF2-params ::= SEQUENCE {
+ * salt OCTET STRING,
+ * iterationCount INTEGER,
+ * keyLength INTEGER OPTIONAL
+ * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
+ * }
+ *
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ salt->p = p;
+ p += salt->len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, iterations)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, keylen)) != 0) {
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_alg_null(&p, end, &prf_alg_oid)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (mbedtls_oid_get_md_hmac(&prf_alg_oid, md_type) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output)
+{
+ size_t output_len = 0;
+
+ /* We assume caller of the function is providing a big enough output buffer
+ * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
+ * for the output size actually being correct.
+ */
+ return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
+ datalen, output, SIZE_MAX, &output_len);
+}
+#endif
+
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret, iterations = 0, keylen = 0;
+ unsigned char *p, *end;
+ mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
+ mbedtls_asn1_buf salt;
+ mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
+ unsigned char key[32], iv[32];
+ const mbedtls_cipher_info_t *cipher_info;
+ mbedtls_cipher_type_t cipher_alg;
+ mbedtls_cipher_context_t cipher_ctx;
+ unsigned int padlen = 0;
+
+ p = pbe_params->p;
+ end = p + pbe_params->len;
+
+ /*
+ * PBES2-params ::= SEQUENCE {
+ * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
+ * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
+ * }
+ */
+ if (pbe_params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid,
+ &kdf_alg_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ // Only PBKDF2 supported at the moment
+ //
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ if ((ret = pkcs5_parse_pbkdf2_params(&kdf_alg_params,
+ &salt, &iterations, &keylen,
+ &md_type)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &enc_scheme_oid,
+ &enc_scheme_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (mbedtls_oid_get_cipher_alg(&enc_scheme_oid, &cipher_alg) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_alg);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ /*
+ * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
+ * since it is optional and we don't know if it was set or not
+ */
+ keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+
+ if (enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
+ enc_scheme_params.len != mbedtls_cipher_info_get_iv_size(cipher_info)) {
+ return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
+ }
+
+ if (mode == MBEDTLS_PKCS5_DECRYPT) {
+ if (output_size < datalen) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ if (mode == MBEDTLS_PKCS5_ENCRYPT) {
+ padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
+ if (output_size < (datalen + padlen)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ mbedtls_cipher_init(&cipher_ctx);
+
+ memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
+
+ if ((ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pwd, pwdlen, salt.p,
+ salt.len, iterations, keylen,
+ key)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
+ (mbedtls_operation_t) mode)) != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ {
+ /* PKCS5 uses CBC with PKCS7 padding (which is the same as
+ * "PKCS5 padding" except that it's typically only called PKCS5
+ * with 64-bit-block ciphers).
+ */
+ mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ /* For historical reasons, when decrypting, this function works when
+ * decrypting even when support for PKCS7 padding is disabled. In this
+ * case, it ignores the padding, and so will never report a
+ * password mismatch.
+ */
+ if (mode == MBEDTLS_DECRYPT) {
+ padding = MBEDTLS_PADDING_NONE;
+ }
+#endif
+ if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+ if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
+ data, datalen, output, output_len)) != 0) {
+ ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
+ }
+
+exit:
+ mbedtls_cipher_free(&cipher_ctx);
+
+ return ret;
+}
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
+
+static int pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int i;
+ unsigned char md1[MBEDTLS_MD_MAX_SIZE];
+ unsigned char work[MBEDTLS_MD_MAX_SIZE];
+ unsigned char md_size = mbedtls_md_get_size(ctx->md_info);
+ size_t use_len;
+ unsigned char *out_p = output;
+ unsigned char counter[4];
+
+ memset(counter, 0, 4);
+ counter[3] = 1;
+
+#if UINT_MAX > 0xFFFFFFFF
+ if (iteration_count > 0xFFFFFFFF) {
+ return MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA;
+ }
+#endif
+
+ if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0) {
+ return ret;
+ }
+ while (key_length) {
+ // U1 ends up in work
+ //
+ if ((ret = mbedtls_md_hmac_update(ctx, salt, slen)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_update(ctx, counter, 4)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_finish(ctx, work)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ memcpy(md1, work, md_size);
+
+ for (i = 1; i < iteration_count; i++) {
+ // U2 ends up in md1
+ //
+ if ((ret = mbedtls_md_hmac_update(ctx, md1, md_size)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_finish(ctx, md1)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ // U1 xor U2
+ //
+ mbedtls_xor(work, work, md1, md_size);
+ }
+
+ use_len = (key_length < md_size) ? key_length : md_size;
+ memcpy(out_p, work, use_len);
+
+ key_length -= (uint32_t) use_len;
+ out_p += use_len;
+
+ for (i = 4; i > 0; i--) {
+ if (++counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(work, MBEDTLS_MD_MAX_SIZE);
+ mbedtls_platform_zeroize(md1, MBEDTLS_MD_MAX_SIZE);
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ return pkcs5_pbkdf2_hmac(ctx, password, plen, salt, slen, iteration_count,
+ key_length, output);
+}
+#endif
+
+int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_alg,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ mbedtls_md_context_t md_ctx;
+ const mbedtls_md_info_t *md_info = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_md_init(&md_ctx);
+
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
+ goto exit;
+ }
+ ret = pkcs5_pbkdf2_hmac(&md_ctx, password, plen, salt, slen,
+ iteration_count, key_length, output);
+exit:
+ mbedtls_md_free(&md_ctx);
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_MD_CAN_SHA1)
+int mbedtls_pkcs5_self_test(int verbose)
+{
+ if (verbose != 0) {
+ mbedtls_printf(" PBKDF2 (SHA1): skipped\n\n");
+ }
+
+ return 0;
+}
+#else
+
+#define MAX_TESTS 6
+
+static const size_t plen_test_data[MAX_TESTS] =
+{ 8, 8, 8, 24, 9 };
+
+static const unsigned char password_test_data[MAX_TESTS][32] =
+{
+ "password",
+ "password",
+ "password",
+ "passwordPASSWORDpassword",
+ "pass\0word",
+};
+
+static const size_t slen_test_data[MAX_TESTS] =
+{ 4, 4, 4, 36, 5 };
+
+static const unsigned char salt_test_data[MAX_TESTS][40] =
+{
+ "salt",
+ "salt",
+ "salt",
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+ "sa\0lt",
+};
+
+static const uint32_t it_cnt_test_data[MAX_TESTS] =
+{ 1, 2, 4096, 4096, 4096 };
+
+static const uint32_t key_len_test_data[MAX_TESTS] =
+{ 20, 20, 20, 25, 16 };
+
+static const unsigned char result_key_test_data[MAX_TESTS][32] =
+{
+ { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
+ 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
+ 0x2f, 0xe0, 0x37, 0xa6 },
+ { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
+ 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
+ 0xd8, 0xde, 0x89, 0x57 },
+ { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
+ 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
+ 0x65, 0xa4, 0x29, 0xc1 },
+ { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
+ 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
+ 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
+ 0x38 },
+ { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+ 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
+};
+
+int mbedtls_pkcs5_self_test(int verbose)
+{
+ int ret, i;
+ unsigned char key[64];
+
+ for (i = 0; i < MAX_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" PBKDF2 (SHA1) #%d: ", i);
+ }
+
+ ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, password_test_data[i],
+ plen_test_data[i], salt_test_data[i],
+ slen_test_data[i], it_cnt_test_data[i],
+ key_len_test_data[i], key);
+ if (ret != 0 ||
+ memcmp(result_key_test_data[i], key, key_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_PKCS5_C */
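Review bot: `mbedtls_pkcs5_pbes2_ext` leaves the PBKDF2-derived key in the stack buffer `key[32]` when it returns through `exit:`, because that label only calls `mbedtls_cipher_free(&cipher_ctx)`. The PKCS#12 counterpart `mbedtls_pkcs12_pbe_ext` in this same commit wipes both of its buffers, and `pkcs5_pbkdf2_hmac` further down already wipes `work` and `md1`. I would add `mbedtls_platform_zeroize(key, sizeof(key));` and `mbedtls_platform_zeroize(iv, sizeof(iv));` just before `mbedtls_cipher_free(&cipher_ctx);`. Separately, every non-zero result from `mbedtls_cipher_crypt` is rewritten to `MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH`, whereas the PKCS#12 function maps only `MBEDTLS_ERR_CIPHER_INVALID_PADDING`. Narrowing the condition to `if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING)` would stop unrelated cipher failures being reported as a wrong password, though existing callers may depend on the current code and should be checked first.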
diff --git a/tf-psa-crypto/drivers/builtin/src/pkparse.c b/tf-psa-crypto/drivers/builtin/src/pkparse.c
new file mode 100644
index 0000000..4f6ee13
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pkparse.c
@@ -0,0 +1,1392 @@
+/*
+ * Public Key layer for parsing key files and structures
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_PARSE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ecp.h"
+#include "pk_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#include "psa/crypto.h"
+#endif
+
+/* Key types */
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#include "rsa_internal.h"
+#endif
+
+/* Extended formats */
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+/***********************************************************************
+ *
+ * Low-level ECC parsing: optional support for SpecifiedECDomain
+ *
+ * There are two functions here that are used by the rest of the code:
+ * - pk_ecc_tag_is_speficied_ec_domain()
+ * - pk_ecc_group_id_from_specified()
+ *
+ * All the other functions are internal to this section.
+ *
+ * The two "public" functions have a dummy variant provided
+ * in configs without MBEDTLS_PK_PARSE_EC_EXTENDED. This acts as an
+ * abstraction layer for this macro, which should not appear outside
+ * this section.
+ *
+ **********************************************************************/
+
+#if !defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+/* See the "real" version for documentation */
+static int pk_ecc_tag_is_specified_ec_domain(int tag)
+{
+ (void) tag;
+ return 0;
+}
+
+/* See the "real" version for documentation */
+static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *grp_id)
+{
+ (void) params;
+ (void) grp_id;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+}
+#else /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+/*
+ * Tell if the passed tag might be the start of SpecifiedECDomain
+ * (that is, a sequence).
+ */
+static int pk_ecc_tag_is_specified_ec_domain(int tag)
+{
+ return tag == (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
+ * WARNING: the resulting group should only be used with
+ * pk_ecc_group_id_from_specified(), since its base point may not be set correctly
+ * if it was encoded compressed.
+ *
+ * SpecifiedECDomain ::= SEQUENCE {
+ * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
+ * fieldID FieldID {{FieldTypes}},
+ * curve Curve,
+ * base ECPoint,
+ * order INTEGER,
+ * cofactor INTEGER OPTIONAL,
+ * hash HashAlgorithm OPTIONAL,
+ * ...
+ * }
+ *
+ * We only support prime-field as field type, and ignore hash and cofactor.
+ */
+static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = params->p;
+ const unsigned char *const end = params->p + params->len;
+ const unsigned char *end_field, *end_curve;
+ size_t len;
+ int ver;
+
+ /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
+ if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (ver < 1 || ver > 3) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /*
+ * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
+ * fieldType FIELD-ID.&id({IOSet}),
+ * parameters FIELD-ID.&Type({IOSet}{@fieldType})
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ end_field = p + len;
+
+ /*
+ * FIELD-ID ::= TYPE-IDENTIFIER
+ * FieldTypes FIELD-ID ::= {
+ * { Prime-p IDENTIFIED BY prime-field } |
+ * { Characteristic-two IDENTIFIED BY characteristic-two-field }
+ * }
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) {
+ return ret;
+ }
+
+ if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) ||
+ memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ p += len;
+
+ /* Prime-p ::= INTEGER -- Field of size p. */
+ if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ if (p != end_field) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Curve ::= SEQUENCE {
+ * a FieldElement,
+ * b FieldElement,
+ * seed BIT STRING OPTIONAL
+ * -- Shall be present if used in SpecifiedECDomain
+ * -- with version equal to ecdpVer2 or ecdpVer3
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ end_curve = p + len;
+
+ /*
+ * FieldElement ::= OCTET STRING
+ * containing an integer in the case of a prime field
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
+ (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ p += len;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
+ (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ p += len;
+
+ /* Ignore seed BIT STRING OPTIONAL */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) {
+ p += len;
+ }
+
+ if (p != end_curve) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * ECPoint ::= OCTET STRING
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G,
+ (const unsigned char *) p, len)) != 0) {
+ /*
+ * If we can't read the point because it's compressed, cheat by
+ * reading only the X coordinate and the parity bit of Y.
+ */
+ if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
+ (p[0] != 0x02 && p[0] != 0x03) ||
+ len != mbedtls_mpi_size(&grp->P) + 1 ||
+ mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 ||
+ mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 ||
+ mbedtls_mpi_lset(&grp->G.Z, 1) != 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+ }
+
+ p += len;
+
+ /*
+ * order INTEGER
+ */
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ /*
+ * Allow optional elements by purposefully not enforcing p == end here.
+ */
+
+ return 0;
+}
+
+/*
+ * Find the group id associated with an (almost filled) group as generated by
+ * pk_group_from_specified(), or return an error if unknown.
+ */
+static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id)
+{
+ int ret = 0;
+ mbedtls_ecp_group ref;
+ const mbedtls_ecp_group_id *id;
+
+ mbedtls_ecp_group_init(&ref);
+
+ for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) {
+ /* Load the group associated to that id */
+ mbedtls_ecp_group_free(&ref);
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id));
+
+ /* Compare to the group we were given, starting with easy tests */
+ if (grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
+ mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 &&
+ /* For Y we may only know the parity bit, so compare only that */
+ mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) {
+ break;
+ }
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&ref);
+
+ *grp_id = *id;
+
+ if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) {
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ return ret;
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
+ */
+static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group grp;
+
+ mbedtls_ecp_group_init(&grp);
+
+ if ((ret = pk_group_from_specified(params, &grp)) != 0) {
+ goto cleanup;
+ }
+
+ ret = pk_group_id_from_group(&grp, grp_id);
+
+cleanup:
+ /* The API respecting lifecycle for mbedtls_ecp_group struct is
+ * _init(), _load() and _free(). In pk_ecc_group_id_from_specified() the
+ * temporary grp breaks that flow and it's members are populated
+ * by pk_group_id_from_group(). As such mbedtls_ecp_group_free()
+ * which is assuming a group populated by _setup() may not clean-up
+ * properly -> Manually free it's members.
+ */
+ mbedtls_mpi_free(&grp.N);
+ mbedtls_mpi_free(&grp.P);
+ mbedtls_mpi_free(&grp.A);
+ mbedtls_mpi_free(&grp.B);
+ mbedtls_ecp_point_free(&grp.G);
+
+ return ret;
+}
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+/***********************************************************************
+ *
+ * Unsorted (yet!) from this point on until the next section header
+ *
+ **********************************************************************/
+
+/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
+ *
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
+ * -- implicitCurve NULL
+ * }
+ */
+static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
+ mbedtls_asn1_buf *params)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (end - *p < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ /* Acceptable tags: OID for namedCurve, or specifiedECDomain */
+ params->tag = **p;
+ if (params->tag != MBEDTLS_ASN1_OID &&
+ !pk_ecc_tag_is_specified_ec_domain(params->tag)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &params->len, params->tag)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ params->p = *p;
+ *p += params->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Use EC parameters to initialise an EC group
+ *
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
+ * -- implicitCurve NULL
+ */
+static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+
+ if (params->tag == MBEDTLS_ASN1_OID) {
+ if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) {
+ return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE;
+ }
+ } else {
+ ret = pk_ecc_group_id_from_specified(params, &grp_id);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return mbedtls_pk_ecc_set_group(pk, grp_id);
+}
+
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+
+/*
+ * Load an RFC8410 EC key, which doesn't have any parameters
+ */
+static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id grp_id,
+ mbedtls_pk_context *pk)
+{
+ if (params->tag != 0 || params->len != 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ return mbedtls_pk_ecc_set_group(pk, grp_id);
+}
+
+/*
+ * Parse an RFC 8410 encoded private EC key
+ *
+ * CurvePrivateKey ::= OCTET STRING
+ */
+static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen, const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(&key, (key + keylen), &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (key + len != end) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /*
+ * Load the private key
+ */
+ ret = mbedtls_pk_ecc_set_key(pk, key, len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
+ * which never contain a public key. As such, derive the public key
+ * unconditionally. */
+ if ((ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, key, len, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Get a PK algorithm identifier
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters ANY DEFINED BY algorithm OPTIONAL }
+ */
+static int pk_get_pk_alg(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *ec_grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf alg_oid;
+
+ memset(params, 0, sizeof(mbedtls_asn1_buf));
+
+ if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret);
+ }
+
+ ret = mbedtls_oid_get_pk_alg(&alg_oid, pk_alg);
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
+ ret = mbedtls_oid_get_ec_grp_algid(&alg_oid, ec_grp_id);
+ if (ret == 0) {
+ *pk_alg = MBEDTLS_PK_ECKEY;
+ }
+ }
+#else
+ (void) ec_grp_id;
+#endif
+ if (ret != 0) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ /*
+ * No parameters with RSA (only for EC)
+ */
+ if (*pk_alg == MBEDTLS_PK_RSA &&
+ ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) ||
+ params->len != 0)) {
+ return MBEDTLS_ERR_PK_INVALID_ALG;
+ }
+
+ return 0;
+}
+
+/*
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ */
+int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
+ mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ mbedtls_asn1_buf alg_params;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+ mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
+ const mbedtls_pk_info_t *pk_info;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = *p + len;
+
+ if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params, &ec_grp_id)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_alg == MBEDTLS_PK_RSA) {
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), *p, (size_t) (end - *p));
+ if (ret == 0) {
+ /* On success all the input has been consumed by the parsing function. */
+ *p += end - *p;
+ } else if ((ret <= MBEDTLS_ERR_ASN1_OUT_OF_DATA) &&
+ (ret >= MBEDTLS_ERR_ASN1_BUF_TOO_SMALL)) {
+ /* In case of ASN1 error codes add MBEDTLS_ERR_PK_INVALID_PUBKEY. */
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
+ } else {
+ ret = MBEDTLS_ERR_PK_INVALID_PUBKEY;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, pk);
+ } else
+#endif
+ {
+ ret = pk_use_ecparams(&alg_params, pk);
+ }
+ if (ret == 0) {
+ ret = mbedtls_pk_ecc_set_pubkey(pk, *p, (size_t) (end - *p));
+ *p += end - *p;
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+ if (ret == 0 && *p != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if (ret != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * Parse a SEC1 encoded private EC key
+ */
+static int pk_parse_key_sec1_der(mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int version, pubkey_done;
+ size_t len, d_len;
+ mbedtls_asn1_buf params = { 0, 0, NULL };
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *d;
+ unsigned char *end = p + keylen;
+ unsigned char *end2;
+
+ /*
+ * RFC 5915, or SEC1 Appendix C.4
+ *
+ * ECPrivateKey ::= SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (version != 1) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ /* Keep a reference to the position fo the private key. It will be used
+ * later in this function. */
+ d = p;
+ d_len = len;
+
+ p += len;
+
+ pubkey_done = 0;
+ if (p != end) {
+ /*
+ * Is 'parameters' present?
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 0)) == 0) {
+ if ((ret = pk_get_ecparams(&p, p + len, &params)) != 0 ||
+ (ret = pk_use_ecparams(&params, pk)) != 0) {
+ return ret;
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ }
+
+ /*
+ * Load the private key
+ */
+ ret = mbedtls_pk_ecc_set_key(pk, d, d_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (p != end) {
+ /*
+ * Is 'publickey' present? If not, or if we can't read it (eg because it
+ * is compressed), create it from the private key.
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 1)) == 0) {
+ end2 = p + len;
+
+ if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (p + len != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((ret = mbedtls_pk_ecc_set_pubkey(pk, p, (size_t) (end2 - p))) == 0) {
+ pubkey_done = 1;
+ } else {
+ /*
+ * The only acceptable failure mode of mbedtls_pk_ecc_set_pubkey() above
+ * is if the point format is not recognized.
+ */
+ if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ }
+
+ if (!pubkey_done) {
+ if ((ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, d, d_len, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/***********************************************************************
+ *
+ * PKCS#8 parsing functions
+ *
+ **********************************************************************/
+
+/*
+ * Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ * responsibility of the caller to take care of zeroizing
+ * and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ * PK context on failure.
+ *
+ */
+static int pk_parse_key_pkcs8_unencrypted_der(
+ mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, version;
+ size_t len;
+ mbedtls_asn1_buf params;
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *end = p + keylen;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+ mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
+ const mbedtls_pk_info_t *pk_info;
+
+#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ (void) f_rng;
+ (void) p_rng;
+#endif
+
+ /*
+ * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+ *
+ * PrivateKeyInfo ::= SEQUENCE {
+ * version Version,
+ * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ * privateKey PrivateKey,
+ * attributes [0] IMPLICIT Attributes OPTIONAL }
+ *
+ * Version ::= INTEGER
+ * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+ * PrivateKey ::= OCTET STRING
+ *
+ * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
+ */
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (version != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret);
+ }
+
+ if ((ret = pk_get_pk_alg(&p, end, &pk_alg, &params, &ec_grp_id)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (len < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_alg == MBEDTLS_PK_RSA) {
+ if ((ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), p, len)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ if ((ret =
+ pk_use_ecparams_rfc8410(&params, ec_grp_id, pk)) != 0 ||
+ (ret =
+ pk_parse_key_rfc8410_der(pk, p, len, end, f_rng,
+ p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ } else
+#endif
+ {
+ if ((ret = pk_use_ecparams(&params, pk)) != 0 ||
+ (ret = pk_parse_key_sec1_der(pk, p, len, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+ end = p + len;
+ if (end != (key + keylen)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
+ mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, decrypted = 0;
+ size_t len;
+ unsigned char *buf;
+ unsigned char *p, *end;
+ mbedtls_asn1_buf pbe_alg_oid, pbe_params;
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ mbedtls_cipher_type_t cipher_alg;
+ mbedtls_md_type_t md_alg;
+#endif
+ size_t outlen = 0;
+
+ p = key;
+ end = p + keylen;
+
+ if (pwdlen == 0) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ }
+
+ /*
+ * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
+ *
+ * EncryptedPrivateKeyInfo ::= SEQUENCE {
+ * encryptionAlgorithm EncryptionAlgorithmIdentifier,
+ * encryptedData EncryptedData
+ * }
+ *
+ * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ *
+ * EncryptedData ::= OCTET STRING
+ *
+ * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+ *
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ buf = p;
+
+ /*
+ * Decrypt EncryptedData with appropriate PBE
+ */
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
+ if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
+ cipher_alg, md_alg,
+ pwd, pwdlen, p, len, buf, len, &outlen)) != 0) {
+ if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ }
+
+ return ret;
+ }
+
+ decrypted = 1;
+ } else
+#endif /* MBEDTLS_PKCS12_C && MBEDTLS_CIPHER_PADDING_PKCS7 && MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
+ if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
+ p, len, buf, len, &outlen)) != 0) {
+ if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ }
+
+ return ret;
+ }
+
+ decrypted = 1;
+ } else
+#endif /* MBEDTLS_PKCS5_C && MBEDTLS_CIPHER_PADDING_PKCS7 && MBEDTLS_CIPHER_C */
+ {
+ ((void) pwd);
+ }
+
+ if (decrypted == 0) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+ return pk_parse_key_pkcs8_unencrypted_der(pk, buf, outlen, f_rng, p_rng);
+}
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+/***********************************************************************
+ *
+ * Top-level functions, with format auto-discovery
+ *
+ **********************************************************************/
+
+/*
+ * Parse a private key
+ */
+int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_pk_info_t *pk_info;
+#if defined(MBEDTLS_PEM_PARSE_C)
+ size_t len;
+ mbedtls_pem_context pem;
+#endif
+
+ if (keylen == 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+
+#if defined(MBEDTLS_RSA_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_RSA, PEM_END_PRIVATE_KEY_RSA,
+ key, pwd, pwdlen, &len);
+ }
+
+ if (ret == 0) {
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
+ (ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk),
+ pem.buf, pem.buflen)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_EC,
+ PEM_END_PRIVATE_KEY_EC,
+ key, pwd, pwdlen, &len);
+ }
+ if (ret == 0) {
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
+ (ret = pk_parse_key_sec1_der(pk,
+ pem.buf, pem.buflen,
+ f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_PKCS8, PEM_END_PRIVATE_KEY_PKCS8,
+ key, NULL, 0, &len);
+ }
+ if (ret == 0) {
+ if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk,
+ pem.buf, pem.buflen, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8,
+ PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8,
+ key, NULL, 0, &len);
+ }
+ if (ret == 0) {
+ if ((ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
+ pwd, pwdlen, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+#else
+ ((void) pwd);
+ ((void) pwdlen);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+ /*
+ * At this point we only know it's not a PEM formatted key. Could be any
+ * of the known DER encoded private key formats
+ *
+ * We try the different DER format parsers to see if one passes without
+ * error
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+ if (pwdlen != 0) {
+ unsigned char *key_copy;
+
+ if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ memcpy(key_copy, key, keylen);
+
+ ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
+ pwd, pwdlen, f_rng, p_rng);
+
+ mbedtls_zeroize_and_free(key_copy, keylen);
+ }
+
+ if (ret == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+
+ if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) {
+ return ret;
+ }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+ ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen, f_rng, p_rng);
+ if (ret == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+
+#if defined(MBEDTLS_RSA_C)
+
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+ if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+ mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), key, keylen) == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+ if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+ pk_parse_key_sec1_der(pk,
+ key, keylen, f_rng, p_rng) == 0) {
+ return 0;
+ }
+ mbedtls_pk_free(pk);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* If MBEDTLS_RSA_C is defined but MBEDTLS_PK_HAVE_ECC_KEYS isn't,
+ * it is ok to leave the PK context initialized but not
+ * freed: It is the caller's responsibility to call pk_init()
+ * before calling this function, and to call pk_free()
+ * when it fails. If MBEDTLS_PK_HAVE_ECC_KEYS is defined but MBEDTLS_RSA_C
+ * isn't, this leads to mbedtls_pk_free() being called
+ * twice, once here and once by the caller, but this is
+ * also ok and in line with the mbedtls_pk_free() calls
+ * on failed PEM parsing attempts. */
+
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+}
+
+/*
+ * Parse a public key
+ */
+int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p;
+#if defined(MBEDTLS_RSA_C)
+ const mbedtls_pk_info_t *pk_info;
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+ size_t len;
+ mbedtls_pem_context pem;
+#endif
+
+ if (keylen == 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+#if defined(MBEDTLS_RSA_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PUBLIC_KEY_RSA, PEM_END_PUBLIC_KEY_RSA,
+ key, NULL, 0, &len);
+ }
+
+ if (ret == 0) {
+ p = pem.buf;
+ if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
+ mbedtls_pem_free(&pem);
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, pem.buflen)) != 0) {
+ mbedtls_pk_free(ctx);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
+ key, NULL, 0, &len);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ p = pem.buf;
+
+ ret = mbedtls_pk_parse_subpubkey(&p, p + pem.buflen, ctx);
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+ mbedtls_pem_free(&pem);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_RSA_C)
+ if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
+ return ret;
+ }
+
+ p = (unsigned char *) key;
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, keylen);
+ if (ret == 0) {
+ return ret;
+ }
+ mbedtls_pk_free(ctx);
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+ p = (unsigned char *) key;
+
+ ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx);
+
+ return ret;
+}
+
+/***********************************************************************
+ *
+ * Top-level functions, with filesystem support
+ *
+ **********************************************************************/
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n)
+{
+ FILE *f;
+ long size;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ fseek(f, 0, SEEK_END);
+ if ((size = ftell(f)) == -1) {
+ fclose(f);
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+ fseek(f, 0, SEEK_SET);
+
+ *n = (size_t) size;
+
+ if (*n + 1 == 0 ||
+ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
+ fclose(f);
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ if (fread(*buf, 1, *n, f) != *n) {
+ fclose(f);
+
+ mbedtls_zeroize_and_free(*buf, *n);
+
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+
+ fclose(f);
+
+ (*buf)[*n] = '\0';
+
+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
+ ++*n;
+ }
+
+ return 0;
+}
+
+/*
+ * Load and parse a private key
+ */
+int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
+ const char *path, const char *pwd,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ if (pwd == NULL) {
+ ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng);
+ } else {
+ ret = mbedtls_pk_parse_key(ctx, buf, n,
+ (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng);
+ }
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+
+/*
+ * Load and parse a public key
+ */
+int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_pk_parse_public_key(ctx, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/pkwrite.c b/tf-psa-crypto/drivers/builtin/src/pkwrite.c
new file mode 100644
index 0000000..5e009c5
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pkwrite.c
@@ -0,0 +1,621 @@
+/*
+ * Public Key layer for writing key files and structures
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_WRITE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "pk_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "pk_internal.h"
+#endif
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "pkwrite.h"
+#endif
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_RSA_C)
+#include "rsa_internal.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#endif
+#include "mbedtls/platform.h"
+
+/* Helpers for properly sizing buffers aimed at holding public keys or
+ * key-pairs based on build symbols. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH
+#elif defined(MBEDTLS_USE_PSA_CRYPTO)
+#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH
+#else
+#define PK_MAX_EC_PUBLIC_KEY_SIZE MBEDTLS_ECP_MAX_PT_LEN
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_ECP_MAX_BYTES
+#endif
+
+/******************************************************************************
+ * Internal functions for RSA keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_RSA_C)
+static int pk_write_rsa_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
+ size_t len = 0, tmp_len = 0;
+
+ if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= tmp_len;
+ memcpy(*p, tmp, tmp_len);
+ len += tmp_len;
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+
+ return (int) len;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk), buf, p);
+}
+#endif /* MBEDTLS_RSA_C */
+
+/******************************************************************************
+ * Internal functions for EC keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ uint8_t buf[PK_MAX_EC_PUBLIC_KEY_SIZE];
+
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ } else {
+ len = pk->pub_raw_len;
+ memcpy(buf, pk->pub_raw, len);
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *p -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ unsigned char buf[PK_MAX_EC_PUBLIC_KEY_SIZE];
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= len;
+ memcpy(*p, buf, len);
+ return (int) len;
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, buf, sizeof(buf))) != 0) {
+ return ret;
+ }
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *p -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+/*
+ * privateKey OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t byte_length;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[PK_MAX_EC_KEY_PAIR_SIZE];
+ psa_status_t status;
+
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t byte_length;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[PK_MAX_EC_KEY_PAIR_SIZE];
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ byte_length = (ec->grp.pbits + 7) / 8;
+
+ ret = mbedtls_ecp_write_key_ext(ec, &byte_length, tmp, sizeof(tmp));
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+/*
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * }
+ */
+static int pk_write_ec_param(unsigned char **p, unsigned char *start,
+ mbedtls_ecp_group_id grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ const char *oid;
+ size_t oid_len;
+
+ if ((ret = mbedtls_oid_get_oid_by_ec_grp(grp_id, &oid, &oid_len)) != 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+/*
+ * RFC8410 section 7
+ *
+ * OneAsymmetricKey ::= SEQUENCE {
+ * version Version,
+ * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ * privateKey PrivateKey,
+ * attributes [0] IMPLICIT Attributes OPTIONAL,
+ * ...,
+ * [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
+ * ...
+ * }
+ * ...
+ * CurvePrivateKey ::= OCTET STRING
+ */
+static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ size_t oid_len = 0;
+ const char *oid;
+ mbedtls_ecp_group_id grp_id;
+
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING));
+
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
+ /* privateKeyAlgorithm */
+ if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(grp_id, &oid, &oid_len)) != 0) {
+ return ret;
+ }
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_algorithm_identifier_ext(p, buf, oid, oid_len, 0, 0));
+
+ /* version */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+
+/*
+ * RFC 5915, or SEC1 Appendix C.4
+ *
+ * ECPrivateKey ::= SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ */
+static int pk_write_ec_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ int ret;
+ size_t pub_len = 0, par_len = 0;
+ mbedtls_ecp_group_id grp_id;
+
+ /* publicKey */
+ MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(p, buf, pk));
+
+ if (*p - buf < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ (*p)--;
+ **p = 0;
+ pub_len += 1;
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING));
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 1));
+ len += pub_len;
+
+ /* parameters */
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
+ MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(p, buf, grp_id));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(p, buf, par_len));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0));
+ len += par_len;
+
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
+
+ /* version */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 1));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/******************************************************************************
+ * Internal functions for Opaque keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int pk_write_opaque_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t buffer_size;
+ size_t len = 0;
+
+ if (*p < start) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ buffer_size = (size_t) (*p - start);
+ if (psa_export_public_key(pk->priv_id, start, buffer_size,
+ &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ *p -= len;
+ memmove(*p, start, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/******************************************************************************
+ * Generic helpers
+ ******************************************************************************/
+
+/* Extend the public mbedtls_pk_get_type() by getting key type also in case of
+ * opaque keys. */
+static mbedtls_pk_type_t pk_get_type_ext(const mbedtls_pk_context *pk)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (pk_type == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return MBEDTLS_PK_NONE;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ psa_reset_key_attributes(&opaque_attrs);
+
+ if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) {
+ return MBEDTLS_PK_ECKEY;
+ } else if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) {
+ return MBEDTLS_PK_RSA;
+ } else {
+ return MBEDTLS_PK_NONE;
+ }
+ } else
+#endif
+ return pk_type;
+}
+
+/******************************************************************************
+ * Public functions for writing private/public DER keys.
+ ******************************************************************************/
+int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *key)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*key), start, p));
+ } else
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, key));
+ } else
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_opaque_pubkey(p, start, key));
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+
+ return (int) len;
+}
+
+int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *c;
+ int has_par = 1;
+ size_t len = 0, par_len = 0, oid_len = 0;
+ mbedtls_pk_type_t pk_type;
+ const char *oid = NULL;
+
+ if (size == 0) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ c = buf + size;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_pk_write_pubkey(&c, buf, key));
+
+ if (c - buf < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ /*
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ */
+ *--c = 0;
+ len += 1;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
+
+ pk_type = pk_get_type_ext(key);
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+ mbedtls_ecp_group_id ec_grp_id = mbedtls_pk_get_ec_group_id(key);
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec_grp_id, &oid, &oid_len);
+ if (ret != 0) {
+ return ret;
+ }
+ has_par = 0;
+ } else {
+ MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec_grp_id));
+ }
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* At this point oid_len is not null only for EC Montgomery keys. */
+ if (oid_len == 0) {
+ ret = mbedtls_oid_get_oid_by_pk_alg(pk_type, &oid, &oid_len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier_ext(&c, buf, oid, oid_len,
+ par_len, has_par));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ unsigned char *c;
+
+ if (size == 0) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ c = buf + size;
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_RSA) {
+ return pk_write_rsa_der(&c, buf, key);
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (mbedtls_pk_is_rfc8410(key)) {
+ return pk_write_ec_rfc8410_der(&c, buf, key);
+ }
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+ return pk_write_ec_der(&c, buf, key);
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+}
+
+/******************************************************************************
+ * Public functions for wrinting private/public PEM keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_PEM_WRITE_C)
+
+#define PUB_DER_MAX_BYTES \
+ (MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES > MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES ? \
+ MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES : MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES)
+#define PRV_DER_MAX_BYTES \
+ (MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES > MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES ? \
+ MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES : MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES)
+
+int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *output_buf = NULL;
+ output_buf = mbedtls_calloc(1, PUB_DER_MAX_BYTES);
+ if (output_buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ size_t olen = 0;
+
+ if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf,
+ PUB_DER_MAX_BYTES)) < 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_PUBLIC_KEY "\n", PEM_END_PUBLIC_KEY "\n",
+ output_buf + PUB_DER_MAX_BYTES - ret,
+ ret, buf, size, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ mbedtls_free(output_buf);
+ return ret;
+}
+
+int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *output_buf = NULL;
+ output_buf = mbedtls_calloc(1, PRV_DER_MAX_BYTES);
+ if (output_buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ const char *begin, *end;
+ size_t olen = 0;
+
+ if ((ret = mbedtls_pk_write_key_der(key, output_buf, PRV_DER_MAX_BYTES)) < 0) {
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_RSA) {
+ begin = PEM_BEGIN_PRIVATE_KEY_RSA "\n";
+ end = PEM_END_PRIVATE_KEY_RSA "\n";
+ } else
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+ if (mbedtls_pk_is_rfc8410(key)) {
+ begin = PEM_BEGIN_PRIVATE_KEY_PKCS8 "\n";
+ end = PEM_END_PRIVATE_KEY_PKCS8 "\n";
+ } else {
+ begin = PEM_BEGIN_PRIVATE_KEY_EC "\n";
+ end = PEM_END_PRIVATE_KEY_EC "\n";
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ {
+ ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(begin, end,
+ output_buf + PRV_DER_MAX_BYTES - ret,
+ ret, buf, size, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ mbedtls_zeroize_and_free(output_buf, PRV_DER_MAX_BYTES);
+ return ret;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/pkwrite.h b/tf-psa-crypto/drivers/builtin/src/pkwrite.h
new file mode 100644
index 0000000..01dc3d2
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/pkwrite.h
@@ -0,0 +1,121 @@
+/**
+ * \file pkwrite.h
+ *
+ * \brief Internal defines shared by the PK write module
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PK_WRITE_H
+#define MBEDTLS_PK_WRITE_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * Max sizes of key per types. Shown as tag + len (+ content).
+ */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * RSA public keys:
+ * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 3
+ * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
+ * + 1 + 1 + 9 (rsa oid)
+ * + 1 + 1 (params null)
+ * subjectPublicKey BIT STRING } 1 + 3 + (1 + below)
+ * RSAPublicKey ::= SEQUENCE { 1 + 3
+ * modulus INTEGER, -- n 1 + 3 + MPI_MAX + 1
+ * publicExponent INTEGER -- e 1 + 3 + MPI_MAX + 1
+ * }
+ */
+#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
+
+/*
+ * RSA private keys:
+ * RSAPrivateKey ::= SEQUENCE { 1 + 3
+ * version Version, 1 + 1 + 1
+ * modulus INTEGER, 1 + 3 + MPI_MAX + 1
+ * publicExponent INTEGER, 1 + 3 + MPI_MAX + 1
+ * privateExponent INTEGER, 1 + 3 + MPI_MAX + 1
+ * prime1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * prime2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * exponent1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * exponent2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * coefficient INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * otherPrimeInfos OtherPrimeInfos OPTIONAL 0 (not supported)
+ * }
+ */
+#define MBEDTLS_MPI_MAX_SIZE_2 (MBEDTLS_MPI_MAX_SIZE / 2 + \
+ MBEDTLS_MPI_MAX_SIZE % 2)
+#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES (47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+ + 5 * MBEDTLS_MPI_MAX_SIZE_2)
+
+#else /* MBEDTLS_RSA_C */
+
+#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES 0
+#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES 0
+
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+/* Find the maximum number of bytes necessary to store an EC point. When USE_PSA
+ * is defined this means looking for the maximum between PSA and built-in
+ * supported curves. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_PK_MAX_ECC_BYTES (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ MBEDTLS_ECP_MAX_BYTES ? \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) : \
+ MBEDTLS_ECP_MAX_BYTES)
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#define MBEDTLS_PK_MAX_ECC_BYTES MBEDTLS_ECP_MAX_BYTES
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * EC public keys:
+ * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 2
+ * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
+ * + 1 + 1 + 7 (ec oid)
+ * + 1 + 1 + 9 (namedCurve oid)
+ * subjectPublicKey BIT STRING 1 + 2 + 1 [1]
+ * + 1 (point format) [1]
+ * + 2 * ECP_MAX (coords) [1]
+ * }
+ */
+#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_PK_MAX_ECC_BYTES)
+
+/*
+ * EC private keys:
+ * ECPrivateKey ::= SEQUENCE { 1 + 2
+ * version INTEGER , 1 + 1 + 1
+ * privateKey OCTET STRING, 1 + 1 + ECP_MAX
+ * parameters [0] ECParameters OPTIONAL, 1 + 1 + (1 + 1 + 9)
+ * publicKey [1] BIT STRING OPTIONAL 1 + 2 + [1] above
+ * }
+ */
+#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES (29 + 3 * MBEDTLS_PK_MAX_ECC_BYTES)
+
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES 0
+#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES 0
+
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Define the maximum available public key DER length based on the supported
+ * key types (EC and/or RSA). */
+#if (MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES > MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES)
+#define MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES
+#else
+#define MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES
+#endif
+
+#endif /* MBEDTLS_PK_WRITE_H */
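Review bot: The size comments budget `1 + 3` for the RSA SEQUENCE and INTEGER headers and `1 + 2` or `1 + 1` for the EC ones, which fixes the number of DER length bytes, but nothing in this header checks that `MBEDTLS_MPI_MAX_SIZE` and `MBEDTLS_PK_MAX_ECC_BYTES` stay within those encodings. This presumably holds for typical configurations. With a larger configured maximum, buffers sized by these macros would be too small; the writers would then presumably fail with a buffer-too-small error rather than overflow, but that depends on the ASN.1 writers, which are not in this hunk. I would state the assumption next to the macros, e.g. `/* Assumes DER length fields of at most 3 bytes (content < 65536) for RSA and 2 bytes (content < 256) for EC. */`, or enforce it with a preprocessor `#error` check.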
diff --git a/tf-psa-crypto/drivers/builtin/src/platform.c b/tf-psa-crypto/drivers/builtin/src/platform.c
new file mode 100644
index 0000000..890c4cb
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/platform.c
@@ -0,0 +1,402 @@
+/*
+ * Platform abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) && \
+ !(defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && \
+ defined(MBEDTLS_PLATFORM_FREE_MACRO))
+
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+static void *platform_calloc_uninit(size_t n, size_t size)
+{
+ ((void) n);
+ ((void) size);
+ return NULL;
+}
+
+#define MBEDTLS_PLATFORM_STD_CALLOC platform_calloc_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+static void platform_free_uninit(void *ptr)
+{
+ ((void) ptr);
+}
+
+#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FREE */
+
+static void * (*mbedtls_calloc_func)(size_t, size_t) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)(void *) = MBEDTLS_PLATFORM_STD_FREE;
+
+void *mbedtls_calloc(size_t nmemb, size_t size)
+{
+ return (*mbedtls_calloc_func)(nmemb, size);
+}
+
+void mbedtls_free(void *ptr)
+{
+ (*mbedtls_free_func)(ptr);
+}
+
+int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
+ void (*free_func)(void *))
+{
+ mbedtls_calloc_func = calloc_func;
+ mbedtls_free_func = free_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+ !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+ defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
+
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
+#include <stdarg.h>
+int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ va_list argp;
+
+ va_start(argp, fmt);
+ ret = mbedtls_vsnprintf(s, n, fmt, argp);
+ va_end(argp);
+
+ return ret;
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_snprintf_uninit(char *s, size_t n,
+ const char *format, ...)
+{
+ ((void) s);
+ ((void) n);
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_SNPRINTF platform_snprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+int (*mbedtls_snprintf)(char *s, size_t n,
+ const char *format,
+ ...) = MBEDTLS_PLATFORM_STD_SNPRINTF;
+
+int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
+ const char *format,
+ ...))
+{
+ mbedtls_snprintf = snprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#include <stdarg.h>
+int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Avoid calling the invalid parameter handler by checking ourselves */
+ if (s == NULL || n == 0 || fmt == NULL) {
+ return -1;
+ }
+
+#if defined(_TRUNCATE)
+ ret = vsnprintf_s(s, n, _TRUNCATE, fmt, arg);
+#else
+ ret = vsnprintf(s, n, fmt, arg);
+ if (ret < 0 || (size_t) ret == n) {
+ s[n-1] = '\0';
+ ret = -1;
+ }
+#endif
+
+ return ret;
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_vsnprintf_uninit(char *s, size_t n,
+ const char *format, va_list arg)
+{
+ ((void) s);
+ ((void) n);
+ ((void) format);
+ ((void) arg);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF platform_vsnprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_VSNPRINTF */
+
+int (*mbedtls_vsnprintf)(char *s, size_t n,
+ const char *format,
+ va_list arg) = MBEDTLS_PLATFORM_STD_VSNPRINTF;
+
+int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
+ const char *format,
+ va_list arg))
+{
+ mbedtls_vsnprintf = vsnprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_printf_uninit(const char *format, ...)
+{
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_PRINTF platform_printf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
+
+int (*mbedtls_printf)(const char *, ...) = MBEDTLS_PLATFORM_STD_PRINTF;
+
+int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...))
+{
+ mbedtls_printf = printf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_fprintf_uninit(FILE *stream, const char *format, ...)
+{
+ ((void) stream);
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_FPRINTF platform_fprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
+
+int (*mbedtls_fprintf)(FILE *, const char *, ...) =
+ MBEDTLS_PLATFORM_STD_FPRINTF;
+
+int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *, const char *, ...))
+{
+ mbedtls_fprintf = fprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_setbuf_uninit(FILE *stream, char *buf)
+{
+ ((void) stream);
+ ((void) buf);
+}
+
+#define MBEDTLS_PLATFORM_STD_SETBUF platform_setbuf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SETBUF */
+void (*mbedtls_setbuf)(FILE *stream, char *buf) = MBEDTLS_PLATFORM_STD_SETBUF;
+
+int mbedtls_platform_set_setbuf(void (*setbuf_func)(FILE *stream, char *buf))
+{
+ mbedtls_setbuf = setbuf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_exit_uninit(int status)
+{
+ ((void) status);
+}
+
+#define MBEDTLS_PLATFORM_STD_EXIT platform_exit_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
+
+void (*mbedtls_exit)(int status) = MBEDTLS_PLATFORM_STD_EXIT;
+
+int mbedtls_platform_set_exit(void (*exit_func)(int status))
+{
+ mbedtls_exit = exit_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit(mbedtls_time_t *timer)
+{
+ ((void) timer);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *timer) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *timer))
+{
+ mbedtls_time = time_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Default implementations for the platform independent seed functions use
+ * standard libc file functions to read from and write to a pre-defined filename
+ */
+int mbedtls_platform_std_nv_seed_read(unsigned char *buf, size_t buf_len)
+{
+ FILE *file;
+ size_t n;
+
+ if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb")) == NULL) {
+ return -1;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ if ((n = fread(buf, 1, buf_len, file)) != buf_len) {
+ fclose(file);
+ mbedtls_platform_zeroize(buf, buf_len);
+ return -1;
+ }
+
+ fclose(file);
+ return (int) n;
+}
+
+int mbedtls_platform_std_nv_seed_write(unsigned char *buf, size_t buf_len)
+{
+ FILE *file;
+ size_t n;
+
+ if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w")) == NULL) {
+ return -1;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ if ((n = fwrite(buf, 1, buf_len, file)) != buf_len) {
+ fclose(file);
+ return -1;
+ }
+
+ fclose(file);
+ return (int) n;
+}
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_read_uninit(unsigned char *buf, size_t buf_len)
+{
+ ((void) buf);
+ ((void) buf_len);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ platform_nv_seed_read_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_write_uninit(unsigned char *buf, size_t buf_len)
+{
+ ((void) buf);
+ ((void) buf_len);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE platform_nv_seed_write_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+int (*mbedtls_nv_seed_read)(unsigned char *buf, size_t buf_len) =
+ MBEDTLS_PLATFORM_STD_NV_SEED_READ;
+int (*mbedtls_nv_seed_write)(unsigned char *buf, size_t buf_len) =
+ MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
+
+int mbedtls_platform_set_nv_seed(
+ int (*nv_seed_read_func)(unsigned char *buf, size_t buf_len),
+ int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len))
+{
+ mbedtls_nv_seed_read = nv_seed_read_func;
+ mbedtls_nv_seed_write = nv_seed_write_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+/*
+ * Placeholder platform setup that does nothing by default
+ */
+int mbedtls_platform_setup(mbedtls_platform_context *ctx)
+{
+ (void) ctx;
+
+ return 0;
+}
+
+/*
+ * Placeholder platform teardown that does nothing by default
+ */
+void mbedtls_platform_teardown(mbedtls_platform_context *ctx)
+{
+ (void) ctx;
+}
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#endif /* MBEDTLS_PLATFORM_C */
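Review bot: In `mbedtls_platform_std_nv_seed_write` the seed file is opened with `"w"` while `mbedtls_platform_std_nv_seed_read` uses `"rb"`, so on platforms where text mode translates line endings the stored bytes can differ from the buffer. `fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "wb")` keeps the two sides symmetric. The success path also ignores the result of `fclose(file)`, so a failure at close is still reported as `buf_len` bytes written; `if (fclose(file) != 0) { return -1; }` would surface it. The file holds entropy seed material and is created with the process's default permissions, so a comment above the function saying that the integrator must restrict access to `MBEDTLS_PLATFORM_STD_NV_SEED_FILE` would help.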
diff --git a/tf-psa-crypto/drivers/builtin/src/platform_util.c b/tf-psa-crypto/drivers/builtin/src/platform_util.c
new file mode 100644
index 0000000..0741bf5
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/platform_util.c
@@ -0,0 +1,263 @@
+/*
+ * Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms
+ * except OpenBSD, where it stops us accessing explicit_bzero.
+ */
+#if !defined(_POSIX_C_SOURCE) && !defined(__OpenBSD__)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(_GNU_SOURCE)
+/* Clang requires this to get support for explicit_bzero */
+#define _GNU_SOURCE
+#endif
+
+#include "common.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
+
+#include <stddef.h>
+
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1 /* Ask for the C11 gmtime_s() and memset_s() if available */
+#endif
+#include <string.h>
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+// Detect platforms known to support explicit_bzero()
+#if defined(__GLIBC__) && (__GLIBC__ >= 2) && (__GLIBC_MINOR__ >= 25)
+#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
+#elif (defined(__FreeBSD__) && (__FreeBSD_version >= 1100037)) || defined(__OpenBSD__)
+#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
+#endif
+
+#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+
+#undef HAVE_MEMORY_SANITIZER
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#include <sanitizer/msan_interface.h>
+#define HAVE_MEMORY_SANITIZER
+#endif
+#endif
+
+/*
+ * Where possible, we try to detect the presence of a platform-provided
+ * secure memset, such as explicit_bzero(), that is safe against being optimized
+ * out, and use that.
+ *
+ * For other platforms, we provide an implementation that aims not to be
+ * optimized out by the compiler.
+ *
+ * This implementation for mbedtls_platform_zeroize() was inspired from Colin
+ * Percival's blog article at:
+ *
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ *
+ * It uses a volatile function pointer to the standard memset(). Because the
+ * pointer is volatile the compiler expects it to change at
+ * any time and will not optimize out the call that could potentially perform
+ * other operations on the input buffer instead of just setting it to 0.
+ * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
+ * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
+ * details), optimizations of the following form are still possible:
+ *
+ * if (memset_func != memset)
+ * memset_func(buf, 0, len);
+ *
+ * Note that it is extremely difficult to guarantee that
+ * the memset() call will not be optimized out by aggressive compilers
+ * in a portable way. For this reason, Mbed TLS also provides the configuration
+ * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for their
+ * platform and needs.
+ */
+#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !(defined(__STDC_LIB_EXT1__) && \
+ !defined(__IAR_SYSTEMS_ICC__)) \
+ && !defined(_WIN32)
+static void *(*const volatile memset_func)(void *, int, size_t) = memset;
+#endif
+
+void mbedtls_platform_zeroize(void *buf, size_t len)
+{
+ if (len > 0) {
+#if defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO)
+ explicit_bzero(buf, len);
+#if defined(HAVE_MEMORY_SANITIZER)
+ /* You'd think that Msan would recognize explicit_bzero() as
+ * equivalent to bzero(), but it actually doesn't on several
+ * platforms, including Linux (Ubuntu 20.04).
+ * https://github.com/google/sanitizers/issues/1507
+ * https://github.com/openssh/openssh-portable/commit/74433a19bb6f4cef607680fa4d1d7d81ca3826aa
+ */
+ __msan_unpoison(buf, len);
+#endif
+#elif defined(__STDC_LIB_EXT1__) && !defined(__IAR_SYSTEMS_ICC__)
+ memset_s(buf, len, 0, len);
+#elif defined(_WIN32)
+ SecureZeroMemory(buf, len);
+#else
+ memset_func(buf, 0, len);
+#endif
+
+#if defined(__GNUC__)
+ /* For clang and recent gcc, pretend that we have some assembly that reads the
+ * zero'd memory as an additional protection against being optimised away. */
+#if defined(__clang__) || (__GNUC__ >= 10)
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wvla"
+#elif defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wvla"
+#endif
+ asm volatile ("" : : "m" (*(char (*)[len]) buf) :);
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC diagnostic pop
+#endif
+#endif
+#endif
+ }
+}
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+void mbedtls_zeroize_and_free(void *buf, size_t len)
+{
+ if (buf != NULL) {
+ mbedtls_platform_zeroize(buf, len);
+ }
+
+ mbedtls_free(buf);
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+ defined(__MACH__)) || defined__midipix__)
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+ * (__APPLE__ && __MACH__) || __midipix__) */
+
+#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
+ (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)) || \
+ (defined(__MINGW32__) && !defined(__MINGW64_VERSION_MAJOR))
+#define PLATFORM_UTIL_USE_GMTIME
+#endif
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
+ ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
+ struct tm *tm_buf)
+{
+#if defined(_WIN32) && !defined(PLATFORM_UTIL_USE_GMTIME)
+#if defined(__STDC_LIB_EXT1__)
+ return (gmtime_s(tt, tm_buf) == 0) ? NULL : tm_buf;
+#else
+ /* MSVC and mingw64 argument order and return value are inconsistent with the C11 standard */
+ return (gmtime_s(tm_buf, tt) == 0) ? tm_buf : NULL;
+#endif
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+ return gmtime_r(tt, tm_buf);
+#else
+ struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_lock(&mbedtls_threading_gmtime_mutex) != 0) {
+ return NULL;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+ lt = gmtime(tt);
+
+ if (lt != NULL) {
+ memcpy(tm_buf, lt, sizeof(struct tm));
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&mbedtls_threading_gmtime_mutex) != 0) {
+ return NULL;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+ return (lt == NULL) ? NULL : tm_buf;
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*mbedtls_test_hook_test_fail)(const char *, int, const char *);
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#if defined(MBEDTLS_HAVE_TIME) && !defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
+
+#include <time.h>
+#if !defined(_WIN32) && \
+ (defined(unix) || defined(__unix) || defined(__unix__) || \
+ (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__) || defined(__midipix__))
+#include <unistd.h>
+#endif \
+ /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__ || __midipix__) */
+#if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L) || defined(__HAIKU__)
+mbedtls_ms_time_t mbedtls_ms_time(void)
+{
+ int ret;
+ struct timespec tv;
+ mbedtls_ms_time_t current_ms;
+
+#if defined(__linux__) && defined(CLOCK_BOOTTIME) || defined(__midipix__)
+ ret = clock_gettime(CLOCK_BOOTTIME, &tv);
+#else
+ ret = clock_gettime(CLOCK_MONOTONIC, &tv);
+#endif
+ if (ret) {
+ return time(NULL) * 1000;
+ }
+
+ current_ms = tv.tv_sec;
+
+ return current_ms*1000 + tv.tv_nsec / 1000000;
+}
+#elif defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
+ defined(__MINGW32__) || defined(_WIN64)
+#include <windows.h>
+mbedtls_ms_time_t mbedtls_ms_time(void)
+{
+ FILETIME ct;
+ mbedtls_ms_time_t current_ms;
+
+ GetSystemTimeAsFileTime(&ct);
+ current_ms = ((mbedtls_ms_time_t) ct.dwLowDateTime +
+ ((mbedtls_ms_time_t) (ct.dwHighDateTime) << 32LL))/10000;
+ return current_ms;
+}
+#else
+#error "No mbedtls_ms_time available"
+#endif
+#endif /* MBEDTLS_HAVE_TIME && !MBEDTLS_PLATFORM_MS_TIME_ALT */
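Review bot: The `#if` guarding `#include <unistd.h>` ahead of `mbedtls_platform_gmtime_r` ends with `defined__midipix__)`, which the preprocessor evaluates as an undefined identifier (value 0) rather than a `defined` test, so the midipix case is silently dropped. It should read `defined(__midipix__))`, as the later `mbedtls_ms_time` block does. Presumably the effect on that platform is that `_POSIX_VERSION` is not visible here and `PLATFORM_UTIL_USE_GMTIME` selects the `gmtime()` path, which is serialised only when `MBEDTLS_THREADING_C` is enabled. Separately, the `clock_gettime` failure branch in `mbedtls_ms_time` returns `time(NULL) * 1000`, switching from a monotonic clock to wall-clock time without checking for `(time_t) -1`. A comment there noting that callers may see the value jump or go backwards would be worth adding.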
diff --git a/tf-psa-crypto/drivers/builtin/src/poly1305.c b/tf-psa-crypto/drivers/builtin/src/poly1305.c
new file mode 100644
index 0000000..c9ebe9e
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/poly1305.c
@@ -0,0 +1,492 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#define POLY1305_BLOCK_SIZE_BYTES (16U)
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64(uint32_t a, uint32_t b)
+{
+ /* a = al + 2**16 ah, b = bl + 2**16 bh */
+ const uint16_t al = (uint16_t) a;
+ const uint16_t bl = (uint16_t) b;
+ const uint16_t ah = a >> 16;
+ const uint16_t bh = b >> 16;
+
+ /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+ const uint32_t lo = (uint32_t) al * bl;
+ const uint64_t me = (uint64_t) ((uint32_t) ah * bl) + (uint32_t) al * bh;
+ const uint32_t hi = (uint32_t) ah * bh;
+
+ return lo + (me << 16) + ((uint64_t) hi << 32);
+}
+#else
+static inline uint64_t mul64(uint32_t a, uint32_t b)
+{
+ return (uint64_t) a * b;
+}
+#endif
+
+
+/**
+ * \brief Process blocks with Poly1305.
+ *
+ * \param ctx The Poly1305 context.
+ * \param nblocks Number of blocks to process. Note that this
+ * function only processes full blocks.
+ * \param input Buffer containing the input block(s).
+ * \param needs_padding Set to 0 if the padding bit has already been
+ * applied to the input data before calling this
+ * function. Otherwise, set this parameter to 1.
+ */
+static void poly1305_process(mbedtls_poly1305_context *ctx,
+ size_t nblocks,
+ const unsigned char *input,
+ uint32_t needs_padding)
+{
+ uint64_t d0, d1, d2, d3;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t r0, r1, r2, r3;
+ uint32_t rs1, rs2, rs3;
+ size_t offset = 0U;
+ size_t i;
+
+ r0 = ctx->r[0];
+ r1 = ctx->r[1];
+ r2 = ctx->r[2];
+ r3 = ctx->r[3];
+
+ rs1 = r1 + (r1 >> 2U);
+ rs2 = r2 + (r2 >> 2U);
+ rs3 = r3 + (r3 >> 2U);
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Process full blocks */
+ for (i = 0U; i < nblocks; i++) {
+ /* The input block is treated as a 128-bit little-endian integer */
+ d0 = MBEDTLS_GET_UINT32_LE(input, offset + 0);
+ d1 = MBEDTLS_GET_UINT32_LE(input, offset + 4);
+ d2 = MBEDTLS_GET_UINT32_LE(input, offset + 8);
+ d3 = MBEDTLS_GET_UINT32_LE(input, offset + 12);
+
+ /* Compute: acc += (padded) block as a 130-bit integer */
+ d0 += (uint64_t) acc0;
+ d1 += (uint64_t) acc1 + (d0 >> 32U);
+ d2 += (uint64_t) acc2 + (d1 >> 32U);
+ d3 += (uint64_t) acc3 + (d2 >> 32U);
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 += (uint32_t) (d3 >> 32U) + needs_padding;
+
+ /* Compute: acc *= r */
+ d0 = mul64(acc0, r0) +
+ mul64(acc1, rs3) +
+ mul64(acc2, rs2) +
+ mul64(acc3, rs1);
+ d1 = mul64(acc0, r1) +
+ mul64(acc1, r0) +
+ mul64(acc2, rs3) +
+ mul64(acc3, rs2) +
+ mul64(acc4, rs1);
+ d2 = mul64(acc0, r2) +
+ mul64(acc1, r1) +
+ mul64(acc2, r0) +
+ mul64(acc3, rs3) +
+ mul64(acc4, rs2);
+ d3 = mul64(acc0, r3) +
+ mul64(acc1, r2) +
+ mul64(acc2, r1) +
+ mul64(acc3, r0) +
+ mul64(acc4, rs3);
+ acc4 *= r0;
+
+ /* Compute: acc %= (2^130 - 5) (partial remainder) */
+ d1 += (d0 >> 32);
+ d2 += (d1 >> 32);
+ d3 += (d2 >> 32);
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 = (uint32_t) (d3 >> 32) + acc4;
+
+ d0 = (uint64_t) acc0 + (acc4 >> 2) + (acc4 & 0xFFFFFFFCU);
+ acc4 &= 3U;
+ acc0 = (uint32_t) d0;
+ d0 = (uint64_t) acc1 + (d0 >> 32U);
+ acc1 = (uint32_t) d0;
+ d0 = (uint64_t) acc2 + (d0 >> 32U);
+ acc2 = (uint32_t) d0;
+ d0 = (uint64_t) acc3 + (d0 >> 32U);
+ acc3 = (uint32_t) d0;
+ d0 = (uint64_t) acc4 + (d0 >> 32U);
+ acc4 = (uint32_t) d0;
+
+ offset += POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ ctx->acc[0] = acc0;
+ ctx->acc[1] = acc1;
+ ctx->acc[2] = acc2;
+ ctx->acc[3] = acc3;
+ ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief Compute the Poly1305 MAC
+ *
+ * \param ctx The Poly1305 context.
+ * \param mac The buffer to where the MAC is written. Must be
+ * big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac(const mbedtls_poly1305_context *ctx,
+ unsigned char mac[16])
+{
+ uint64_t d;
+ uint32_t g0, g1, g2, g3, g4;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t mask;
+ uint32_t mask_inv;
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+ * We do this by calculating acc - (2^130 - 5), then checking if
+ * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+ */
+
+ /* Calculate acc + -(2^130 - 5) */
+ d = ((uint64_t) acc0 + 5U);
+ g0 = (uint32_t) d;
+ d = ((uint64_t) acc1 + (d >> 32));
+ g1 = (uint32_t) d;
+ d = ((uint64_t) acc2 + (d >> 32));
+ g2 = (uint32_t) d;
+ d = ((uint64_t) acc3 + (d >> 32));
+ g3 = (uint32_t) d;
+ g4 = acc4 + (uint32_t) (d >> 32U);
+
+ /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+ mask = (uint32_t) 0U - (g4 >> 2U);
+ mask_inv = ~mask;
+
+ /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+ acc0 = (acc0 & mask_inv) | (g0 & mask);
+ acc1 = (acc1 & mask_inv) | (g1 & mask);
+ acc2 = (acc2 & mask_inv) | (g2 & mask);
+ acc3 = (acc3 & mask_inv) | (g3 & mask);
+
+ /* Add 's' */
+ d = (uint64_t) acc0 + ctx->s[0];
+ acc0 = (uint32_t) d;
+ d = (uint64_t) acc1 + ctx->s[1] + (d >> 32U);
+ acc1 = (uint32_t) d;
+ d = (uint64_t) acc2 + ctx->s[2] + (d >> 32U);
+ acc2 = (uint32_t) d;
+ acc3 += ctx->s[3] + (uint32_t) (d >> 32U);
+
+ /* Compute MAC (128 least significant bits of the accumulator) */
+ MBEDTLS_PUT_UINT32_LE(acc0, mac, 0);
+ MBEDTLS_PUT_UINT32_LE(acc1, mac, 4);
+ MBEDTLS_PUT_UINT32_LE(acc2, mac, 8);
+ MBEDTLS_PUT_UINT32_LE(acc3, mac, 12);
+}
+
+void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx)
+{
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
+ const unsigned char key[32])
+{
+ /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+ ctx->r[0] = MBEDTLS_GET_UINT32_LE(key, 0) & 0x0FFFFFFFU;
+ ctx->r[1] = MBEDTLS_GET_UINT32_LE(key, 4) & 0x0FFFFFFCU;
+ ctx->r[2] = MBEDTLS_GET_UINT32_LE(key, 8) & 0x0FFFFFFCU;
+ ctx->r[3] = MBEDTLS_GET_UINT32_LE(key, 12) & 0x0FFFFFFCU;
+
+ ctx->s[0] = MBEDTLS_GET_UINT32_LE(key, 16);
+ ctx->s[1] = MBEDTLS_GET_UINT32_LE(key, 20);
+ ctx->s[2] = MBEDTLS_GET_UINT32_LE(key, 24);
+ ctx->s[3] = MBEDTLS_GET_UINT32_LE(key, 28);
+
+ /* Initial accumulator state */
+ ctx->acc[0] = 0U;
+ ctx->acc[1] = 0U;
+ ctx->acc[2] = 0U;
+ ctx->acc[3] = 0U;
+ ctx->acc[4] = 0U;
+
+ /* Queue initially empty */
+ mbedtls_platform_zeroize(ctx->queue, sizeof(ctx->queue));
+ ctx->queue_len = 0U;
+
+ return 0;
+}
+
+int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ size_t offset = 0U;
+ size_t remaining = ilen;
+ size_t queue_free_len;
+ size_t nblocks;
+
+ if ((remaining > 0U) && (ctx->queue_len > 0U)) {
+ queue_free_len = (POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+ if (ilen < queue_free_len) {
+ /* Not enough data to complete the block.
+ * Store this data with the other leftovers.
+ */
+ memcpy(&ctx->queue[ctx->queue_len],
+ input,
+ ilen);
+
+ ctx->queue_len += ilen;
+
+ remaining = 0U;
+ } else {
+ /* Enough data to produce a complete block */
+ memcpy(&ctx->queue[ctx->queue_len],
+ input,
+ queue_free_len);
+
+ ctx->queue_len = 0U;
+
+ poly1305_process(ctx, 1U, ctx->queue, 1U); /* add padding bit */
+
+ offset += queue_free_len;
+ remaining -= queue_free_len;
+ }
+ }
+
+ if (remaining >= POLY1305_BLOCK_SIZE_BYTES) {
+ nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+ poly1305_process(ctx, nblocks, &input[offset], 1U);
+
+ offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+ remaining %= POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ if (remaining > 0U) {
+ /* Store partial block */
+ ctx->queue_len = remaining;
+ memcpy(ctx->queue, &input[offset], remaining);
+ }
+
+ return 0;
+}
+
+int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
+ unsigned char mac[16])
+{
+ /* Process any leftover data */
+ if (ctx->queue_len > 0U) {
+ /* Add padding bit */
+ ctx->queue[ctx->queue_len] = 1U;
+ ctx->queue_len++;
+
+ /* Pad with zeroes */
+ memset(&ctx->queue[ctx->queue_len],
+ 0,
+ POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+ poly1305_process(ctx, 1U, /* Process 1 block */
+ ctx->queue, 0U); /* Already padded above */
+ }
+
+ poly1305_compute_mac(ctx, mac);
+
+ return 0;
+}
+
+int mbedtls_poly1305_mac(const unsigned char key[32],
+ const unsigned char *input,
+ size_t ilen,
+ unsigned char mac[16])
+{
+ mbedtls_poly1305_context ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_poly1305_init(&ctx);
+
+ ret = mbedtls_poly1305_starts(&ctx, key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_update(&ctx, input, ilen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_finish(&ctx, mac);
+
+cleanup:
+ mbedtls_poly1305_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+ 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+ 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+ 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+ },
+ {
+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+ }
+};
+
+static const unsigned char test_data[2][127] =
+{
+ {
+ 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+ 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+ 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+ 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+ 0x75, 0x70
+ },
+ {
+ 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+ 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+ 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+ 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+ 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+ 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+ 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+ 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+ 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+ 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+ 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+ 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+ 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+ 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+ }
+};
+
+static const size_t test_data_len[2] =
+{
+ 34U,
+ 127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+ {
+ 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+ 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+ },
+ {
+ 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+ 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+ }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_poly1305_self_test(int verbose)
+{
+ unsigned char mac[16];
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ for (i = 0U; i < 2U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" Poly1305 test %u ", i);
+ }
+
+ ret = mbedtls_poly1305_mac(test_keys[i],
+ test_data[i],
+ test_data_len[i],
+ mac);
+ ASSERT(0 == ret, ("error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(mac, test_mac[i], 16U), ("failed (mac)\n"));
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
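Review bot: mbedtls_poly1305_finish() returns with r, s and the accumulator still in ctx; only the one-shot mbedtls_poly1305_mac() wipes them, through mbedtls_poly1305_free(). In the same diff mbedtls_ripemd160_finish() clears its context on exit, so streaming Poly1305 callers get a weaker guarantee for state that is actual key material. If no caller reads ctx after finish (not visible in this hunk), end finish with `mbedtls_platform_zeroize(ctx, sizeof(*ctx));`; otherwise add a comment such as `/* ctx still holds the one-time key; call mbedtls_poly1305_free() when done */`. The stack copies r0..r3 and acc0..acc4 in poly1305_process() are likewise never wiped, unlike the `local` struct in mbedtls_internal_ripemd160_process().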
diff --git a/tf-psa-crypto/drivers/builtin/src/ripemd160.c b/tf-psa-crypto/drivers/builtin/src/ripemd160.c
new file mode 100644
index 0000000..b4fc3cd
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/ripemd160.c
@@ -0,0 +1,490 @@
+/*
+ * RIPE MD-160 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The RIPEMD-160 algorithm was designed by RIPE in 1996
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ * http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
+ const mbedtls_ripemd160_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+ ctx->state[4] = 0xC3D2E1F0;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+ } local;
+
+ local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
+ local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
+ local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
+ local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
+ local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
+ local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
+ local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
+ local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
+ local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
+ local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
+ local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
+ local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
+ local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
+ local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
+ local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
+ local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
+
+ local.A = local.Ap = ctx->state[0];
+ local.B = local.Bp = ctx->state[1];
+ local.C = local.Cp = ctx->state[2];
+ local.D = local.Dp = ctx->state[3];
+ local.E = local.Ep = ctx->state[4];
+
+#define F1(x, y, z) ((x) ^ (y) ^ (z))
+#define F2(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define F3(x, y, z) (((x) | ~(y)) ^ (z))
+#define F4(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define F5(x, y, z) ((x) ^ ((y) | ~(z)))
+
+#define S(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+#define P(a, b, c, d, e, r, s, f, k) \
+ do \
+ { \
+ (a) += f((b), (c), (d)) + local.X[r] + (k); \
+ (a) = S((a), (s)) + (e); \
+ (c) = S((c), 10); \
+ } while (0)
+
+#define P2(a, b, c, d, e, r, s, rp, sp) \
+ do \
+ { \
+ P((a), (b), (c), (d), (e), (r), (s), F, K); \
+ P(a ## p, b ## p, c ## p, d ## p, e ## p, \
+ (rp), (sp), Fp, Kp); \
+ } while (0)
+
+#define F F1
+#define K 0x00000000
+#define Fp F5
+#define Kp 0x50A28BE6
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9);
+ P2(local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13);
+ P2(local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15);
+ P2(local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15);
+ P2(local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7);
+ P2(local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11);
+ P2(local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14);
+ P2(local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12);
+ P2(local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F2
+#define K 0x5A827999
+#define Fp F4
+#define Kp 0x5C4DD124
+ P2(local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9);
+ P2(local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13);
+ P2(local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15);
+ P2(local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8);
+ P2(local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7);
+ P2(local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12);
+ P2(local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7);
+ P2(local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13);
+ P2(local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F3
+#define K 0x6ED9EBA1
+#define Fp F3
+#define Kp 0x6D703EF3
+ P2(local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15);
+ P2(local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11);
+ P2(local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8);
+ P2(local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6);
+ P2(local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14);
+ P2(local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13);
+ P2(local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5);
+ P2(local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7);
+ P2(local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F4
+#define K 0x8F1BBCDC
+#define Fp F2
+#define Kp 0x7A6D76E9
+ P2(local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15);
+ P2(local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11);
+ P2(local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6);
+ P2(local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14);
+ P2(local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6);
+ P2(local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12);
+ P2(local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9);
+ P2(local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5);
+ P2(local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15);
+ P2(local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F5
+#define K 0xA953FD4E
+#define Fp F1
+#define Kp 0x00000000
+ P2(local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8);
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12);
+ P2(local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5);
+ P2(local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14);
+ P2(local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6);
+ P2(local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8);
+ P2(local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13);
+ P2(local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6);
+ P2(local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5);
+ P2(local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15);
+ P2(local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13);
+ P2(local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+ local.C = ctx->state[1] + local.C + local.Dp;
+ ctx->state[1] = ctx->state[2] + local.D + local.Ep;
+ ctx->state[2] = ctx->state[3] + local.E + local.Ap;
+ ctx->state[3] = ctx->state[4] + local.A + local.Bp;
+ ctx->state[4] = ctx->state[0] + local.B + local.Cp;
+ ctx->state[0] = local.C;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_ripemd160_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_ripemd160_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+static const unsigned char ripemd160_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t last, padn;
+ uint32_t high, low;
+ unsigned char msglen[8];
+
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_LE(low, msglen, 0);
+ MBEDTLS_PUT_UINT32_LE(high, msglen, 4);
+
+ last = ctx->total[0] & 0x3F;
+ padn = (last < 56) ? (56 - last) : (120 - last);
+
+ ret = mbedtls_ripemd160_update(ctx, ripemd160_padding, padn);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_ripemd160_update(ctx, msglen, 8);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[4], output, 16);
+
+ ret = 0;
+
+exit:
+ mbedtls_ripemd160_free(ctx);
+ return ret;
+}
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ripemd160_context ctx;
+
+ mbedtls_ripemd160_init(&ctx);
+
+ if ((ret = mbedtls_ripemd160_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_ripemd160_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_ripemd160_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_ripemd160_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS 8
+static const unsigned char ripemd160_test_str[TESTS][81] =
+{
+ { "" },
+ { "a" },
+ { "abc" },
+ { "message digest" },
+ { "abcdefghijklmnopqrstuvwxyz" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] =
+{
+ 0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] =
+{
+ { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+ 0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
+ { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+ 0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
+ { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+ 0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
+ { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+ 0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
+ { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+ 0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
+ { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+ 0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
+ { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+ 0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
+ { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+ 0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test(int verbose)
+{
+ int i, ret = 0;
+ unsigned char output[20];
+
+ memset(output, 0, sizeof(output));
+
+ for (i = 0; i < TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" RIPEMD-160 test #%d: ", i + 1);
+ }
+
+ ret = mbedtls_ripemd160(ripemd160_test_str[i],
+ ripemd160_test_strlen[i], output);
+ if (ret != 0) {
+ goto fail;
+ }
+
+ if (memcmp(output, ripemd160_test_md[i], 20) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
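Review bot: mbedtls_ripemd160_update() folds only the low 32 bits of ilen into the length counter: `ctx->total[0] += (uint32_t) ilen;` is followed by a carry of at most one into total[1]. Where size_t is 64 bits, a single call with ilen of 2^32 bytes or more under-counts the message length that mbedtls_ripemd160_finish() encodes into the padding, so the digest would not match the input. Adding `ctx->total[1] += (uint32_t) ((uint64_t) ilen >> 32);` before the carry check keeps the 64-bit count exact; the cast to uint64_t avoids an out-of-range shift where size_t is 32 bits.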
diff --git a/tf-psa-crypto/drivers/builtin/src/rsa.c b/tf-psa-crypto/drivers/builtin/src/rsa.c
new file mode 100644
index 0000000..8a4c3d0
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/rsa.c
@@ -0,0 +1,3061 @@
+/*
+ * The RSA public-key cryptosystem
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the RSA algorithm:
+ *
+ * [1] A method for obtaining digital signatures and public-key cryptosystems
+ * R Rivest, A Shamir, and L Adleman
+ * http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ * [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ * Menezes, van Oorschot and Vanstone
+ *
+ * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ * Stefan Mangard
+ * https://arxiv.org/abs/1702.08719v2
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "bignum_core.h"
+#include "rsa_alt_helpers.h"
+#include "rsa_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+#include "md_psa.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_mpi *X)
+{
+ int ret;
+
+ ret = mbedtls_asn1_get_mpi(p, end, X);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (mbedtls_mpi_cmp_int(X, 0) == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
+{
+ int ret, version;
+ size_t len;
+ unsigned char *p, *end;
+
+ mbedtls_mpi T;
+ mbedtls_mpi_init(&T);
+
+ p = (unsigned char *) key;
+ end = p + keylen;
+
+ /*
+ * This function parses the RSAPrivateKey (PKCS#1)
+ *
+ * RSAPrivateKey ::= SEQUENCE {
+ * version Version,
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER, -- e
+ * privateExponent INTEGER, -- d
+ * prime1 INTEGER, -- p
+ * prime2 INTEGER, -- q
+ * exponent1 INTEGER, -- d mod (p-1)
+ * exponent2 INTEGER, -- d mod (q-1)
+ * coefficient INTEGER, -- (inverse of q) mod p
+ * otherPrimeInfos OtherPrimeInfos OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return ret;
+ }
+
+ if (version != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Import N */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import E */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+ NULL, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import D */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+ &T, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import P */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import Q */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+ * that they can be easily recomputed from D, P and Q. However by
+ * parsing them from the PKCS1 structure it is possible to avoid
+ * recalculating them which both reduces the overhead of loading
+ * RSA private keys into memory and also avoids side channels which
+ * can arise when computing those values, since all of D, P, and Q
+ * are secret. See https://eprint.iacr.org/2020/055 for a
+ * description of one such attack.
+ */
+
+ /* Import DP */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import DQ */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import QP */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) {
+ goto cleanup;
+ }
+
+#else
+ /* Verify existence of the CRT params */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) {
+ goto cleanup;
+ }
+#endif
+
+ /* rsa_complete() doesn't complete anything with the default
+ * implementation but is still called:
+ * - for the benefit of alternative implementation that may want to
+ * pre-compute stuff beyond what's provided (eg Montgomery factors)
+ * - as is also sanity-checks the key
+ *
+ * Furthermore, we also check the public part for consistency with
+ * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+ */
+ if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
+ (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
+ goto cleanup;
+ }
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ if (ret != 0) {
+ mbedtls_rsa_free(rsa);
+ }
+
+ return ret;
+}
+
+int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
+{
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *end = (unsigned char *) (key + keylen);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /*
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER -- e
+ * }
+ */
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Import N */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0,
+ NULL, 0, NULL, 0)) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ p += len;
+
+ /* Import E */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
+ NULL, 0, p, len)) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ p += len;
+
+ if (mbedtls_rsa_complete(rsa) != 0 ||
+ mbedtls_rsa_check_pubkey(rsa) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p)
+{
+ size_t len = 0;
+ int ret;
+
+ mbedtls_mpi T; /* Temporary holding the exported parameters */
+
+ /*
+ * Export the parameters one after another to avoid simultaneous copies.
+ */
+
+ mbedtls_mpi_init(&T);
+
+ /* Export QP */
+ if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export DQ */
+ if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export DP */
+ if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export Q */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export P */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export D */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export E */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export N */
+ if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+end_of_export:
+
+ mbedtls_mpi_free(&T);
+ if (ret < 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+/*
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER -- e
+ * }
+ */
+int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ mbedtls_mpi T;
+
+ mbedtls_mpi_init(&T);
+
+ /* Export E */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export N */
+ if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+end_of_export:
+
+ mbedtls_mpi_free(&T);
+ if (ret < 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+
+/** This function performs the unpadding part of a PKCS#1 v1.5 decryption
+ * operation (EME-PKCS1-v1_5 decoding).
+ *
+ * \note The return value from this function is a sensitive value
+ * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
+ * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
+ * is often a situation that an attacker can provoke and leaking which
+ * one is the result is precisely the information the attacker wants.
+ *
+ * \param input The input buffer which is the payload inside PKCS#1v1.5
+ * encryption padding, called the "encoded message EM"
+ * by the terminology.
+ * \param ilen The length of the payload in the \p input buffer.
+ * \param output The buffer for the payload, called "message M" by the
+ * PKCS#1 terminology. This must be a writable buffer of
+ * length \p output_max_len bytes.
+ * \param olen The address at which to store the length of
+ * the payload. This must not be \c NULL.
+ * \param output_max_len The length in bytes of the output buffer \p output.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+ * The output buffer is too small for the unpadded payload.
+ * \return #MBEDTLS_ERR_RSA_INVALID_PADDING
+ * The input doesn't contain properly formatted padding.
+ */
+static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ size_t output_max_len,
+ size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, plaintext_max_size;
+
+ /* The following variables take sensitive values: their value must
+ * not leak into the observable behavior of the function other than
+ * the designated outputs (output, olen, return value). Otherwise
+ * this would open the execution of the function to
+ * side-channel-based variants of the Bleichenbacher padding oracle
+ * attack. Potential side channels include overall timing, memory
+ * access patterns (especially visible to an adversary who has access
+ * to a shared memory cache), and branches (especially visible to
+ * an adversary who has access to a shared code cache or to a shared
+ * branch predictor). */
+ size_t pad_count = 0;
+ mbedtls_ct_condition_t bad;
+ mbedtls_ct_condition_t pad_done;
+ size_t plaintext_size = 0;
+ mbedtls_ct_condition_t output_too_large;
+
+ plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11
+ : output_max_len;
+
+ /* Check and get padding length in constant time and constant
+ * memory trace. The first byte must be 0. */
+ bad = mbedtls_ct_bool(input[0]);
+
+
+ /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+ * where PS must be at least 8 nonzero bytes. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT));
+
+ /* Read the whole buffer. Set pad_done to nonzero if we find
+ * the 0x00 byte and remember the padding length in pad_count. */
+ pad_done = MBEDTLS_CT_FALSE;
+ for (i = 2; i < ilen; i++) {
+ mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0);
+ pad_done = mbedtls_ct_bool_or(pad_done, found);
+ pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
+ }
+
+ /* If pad_done is still zero, there's no data, only unfinished padding. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done));
+
+ /* There must be at least 8 bytes of padding. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count));
+
+ /* If the padding is valid, set plaintext_size to the number of
+ * remaining bytes after stripping the padding. If the padding
+ * is invalid, avoid leaking this fact through the size of the
+ * output: use the maximum message size that fits in the output
+ * buffer. Do it without branches to avoid leaking the padding
+ * validity through timing. RSA keys are small enough that all the
+ * size_t values involved fit in unsigned int. */
+ plaintext_size = mbedtls_ct_uint_if(
+ bad, (unsigned) plaintext_max_size,
+ (unsigned) (ilen - pad_count - 3));
+
+ /* Set output_too_large to 0 if the plaintext fits in the output
+ * buffer and to 1 otherwise. */
+ output_too_large = mbedtls_ct_uint_gt(plaintext_size,
+ plaintext_max_size);
+
+ /* Set ret without branches to avoid timing attacks. Return:
+ * - INVALID_PADDING if the padding is bad (bad != 0).
+ * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+ * plaintext does not fit in the output buffer.
+ * - 0 if the padding is correct. */
+ ret = mbedtls_ct_error_if(
+ bad,
+ MBEDTLS_ERR_RSA_INVALID_PADDING,
+ mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
+ );
+
+ /* If the padding is bad or the plaintext is too large, zero the
+ * data that we're about to copy to the output buffer.
+ * We need to copy the same amount of data
+ * from the same buffer whether the padding is good or not to
+ * avoid leaking the padding validity through overall timing or
+ * through memory or cache access patterns. */
+ mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11);
+
+ /* If the plaintext is too large, truncate it to the buffer size.
+ * Copy anyway to avoid revealing the length through timing, because
+ * revealing the length is as bad as revealing the padding validity
+ * for a Bleichenbacher attack. */
+ plaintext_size = mbedtls_ct_uint_if(output_too_large,
+ (unsigned) plaintext_max_size,
+ (unsigned) plaintext_size);
+
+ /* Move the plaintext to the leftmost position where it can start in
+ * the working buffer, i.e. make it start plaintext_max_size from
+ * the end of the buffer. Do this with a memory access trace that
+ * does not depend on the plaintext size. After this move, the
+ * starting location of the plaintext is no longer sensitive
+ * information. */
+ mbedtls_ct_memmove_left(input + ilen - plaintext_max_size,
+ plaintext_max_size,
+ plaintext_max_size - plaintext_size);
+
+ /* Finally copy the decrypted plaintext plus trailing zeros into the output
+ * buffer. If output_max_len is 0, then output may be an invalid pointer
+ * and the result of memcpy() would be undefined; prevent undefined
+ * behavior making sure to depend only on output_max_len (the size of the
+ * user-provided output buffer), which is independent from plaintext
+ * length, validity of padding, success of the decryption, and other
+ * secrets. */
+ if (output_max_len != 0) {
+ memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size);
+ }
+
+ /* Report the amount of data we copied to the output buffer. In case
+ * of errors (bad padding or output too large), the value of *olen
+ * when this function returns is not specified. Making it equivalent
+ * to the good case limits the risks of leaking the padding validity. */
+ *olen = plaintext_size;
+
+ return ret;
+}
+
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
+
+int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
+ const mbedtls_mpi *N,
+ const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *E)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
+ (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
+ (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
+ (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
+ (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ if (N != NULL) {
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
+ unsigned char const *N, size_t N_len,
+ unsigned char const *P, size_t P_len,
+ unsigned char const *Q, size_t Q_len,
+ unsigned char const *D, size_t D_len,
+ unsigned char const *E, size_t E_len)
+{
+ int ret = 0;
+
+ if (N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
+ }
+
+ if (D != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
+ }
+
+ if (E != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
+ }
+
+cleanup:
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Checks whether the context fields are set in such a way
+ * that the RSA primitives will be able to execute without error.
+ * It does *not* make guarantees for consistency of the parameters.
+ */
+static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
+ int blinding_needed)
+{
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* blinding_needed is only used for NO_CRT to decide whether
+ * P,Q need to be present or not. */
+ ((void) blinding_needed);
+#endif
+
+ if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
+ ctx->len > MBEDTLS_MPI_MAX_SIZE) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * 1. Modular exponentiation needs positive, odd moduli.
+ */
+
+ /* Modular exponentiation wrt. N is always used for
+ * RSA public key operations. */
+ if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Modular exponentiation for P and Q is only
+ * used for private key operations and if CRT
+ * is used. */
+ if (is_priv &&
+ (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif /* !MBEDTLS_RSA_NO_CRT */
+
+ /*
+ * 2. Exponents must be positive
+ */
+
+ /* Always need E for public key operations */
+ if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ /* For private key operations, use D or DP & DQ
+ * as (unblinded) exponents. */
+ if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#else
+ if (is_priv &&
+ (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Blinding shouldn't make exponents negative either,
+ * so check that P, Q >= 1 if that hasn't yet been
+ * done as part of 1. */
+#if defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv && blinding_needed &&
+ (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif
+
+ /* It wouldn't lead to an error if it wasn't satisfied,
+ * but check for QP >= 1 nonetheless. */
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv &&
+ mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif
+
+ return 0;
+}
+
+int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
+{
+ int ret = 0;
+ int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ int have_DP, have_DQ, have_QP;
+#endif
+ int n_missing, pq_missing, d_missing, is_pub, is_priv;
+
+ have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
+ have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
+ have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
+ have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
+ have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
+ have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
+ have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
+#endif
+
+ /*
+ * Check whether provided parameters are enough
+ * to deduce all others. The following incomplete
+ * parameter sets for private keys are supported:
+ *
+ * (1) P, Q missing.
+ * (2) D and potentially N missing.
+ *
+ */
+
+ n_missing = have_P && have_Q && have_D && have_E;
+ pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
+ d_missing = have_P && have_Q && !have_D && have_E;
+ is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
+
+ /* These three alternatives are mutually exclusive */
+ is_priv = n_missing || pq_missing || d_missing;
+
+ if (!is_priv && !is_pub) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Step 1: Deduce N if P, Q are provided.
+ */
+
+ if (!have_N && have_P && have_Q) {
+ if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
+ &ctx->Q)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ /*
+ * Step 2: Deduce and verify all remaining core parameters.
+ */
+
+ if (pq_missing) {
+ ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
+ &ctx->P, &ctx->Q);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ } else if (d_missing) {
+ if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
+ &ctx->Q,
+ &ctx->E,
+ &ctx->D)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+ }
+
+ /*
+ * Step 3: Deduce all additional parameters specific
+ * to our current RSA implementation.
+ */
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv && !(have_DP && have_DQ && have_QP)) {
+ ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+ }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /*
+ * Step 3: Basic sanity checks
+ */
+
+ return rsa_check_context(ctx, is_priv, 1);
+}
+
+int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
+ unsigned char *N, size_t N_len,
+ unsigned char *P, size_t P_len,
+ unsigned char *Q, size_t Q_len,
+ unsigned char *D, size_t D_len,
+ unsigned char *E, size_t E_len)
+{
+ int ret = 0;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ /* If we're trying to export private parameters for a public key,
+ * something must be wrong. */
+ if (P != NULL || Q != NULL || D != NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ }
+
+ if (N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
+ }
+
+ if (D != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
+ }
+
+ if (E != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
+ }
+
+cleanup:
+
+ return ret;
+}
+
+int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+ mbedtls_mpi *D, mbedtls_mpi *E)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ /* If we're trying to export private parameters for a public key,
+ * something must be wrong. */
+ if (P != NULL || Q != NULL || D != NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ }
+
+ /* Export all requested core parameters. */
+
+ if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
+ (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
+ (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
+ (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
+ (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Export CRT parameters
+ * This must also be implemented if CRT is not used, for being able to
+ * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
+ * can be used in this case.
+ */
+int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Export all requested blinding parameters. */
+ if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
+ (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
+ (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+#else
+ if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ DP, DQ, QP)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Initialize an RSA context
+ */
+void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_rsa_context));
+
+ ctx->padding = MBEDTLS_RSA_PKCS_V15;
+ ctx->hash_id = MBEDTLS_MD_NONE;
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Set ctx->ver to nonzero to indicate that the mutex has been
+ * initialized and will need to be freed. */
+ ctx->ver = 1;
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+}
+
+/*
+ * Set padding for an existing RSA context
+ */
+int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
+ mbedtls_md_type_t hash_id)
+{
+ switch (padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ break;
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+#if defined(MBEDTLS_PKCS1_V21)
+ if ((padding == MBEDTLS_RSA_PKCS_V21) &&
+ (hash_id != MBEDTLS_MD_NONE)) {
+ /* Just make sure this hash is supported in this build. */
+ if (mbedtls_md_info_from_type(hash_id) == NULL) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+ }
+#endif /* MBEDTLS_PKCS1_V21 */
+
+ ctx->padding = padding;
+ ctx->hash_id = hash_id;
+
+ return 0;
+}
+
+/*
+ * Get padding mode of initialized RSA context
+ */
+int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
+{
+ return ctx->padding;
+}
+
+/*
+ * Get hash identifier of mbedtls_md_type_t type
+ */
+int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
+{
+ return ctx->hash_id;
+}
+
+/*
+ * Get length in bits of RSA modulus
+ */
+size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx)
+{
+ return mbedtls_mpi_bitlen(&ctx->N);
+}
+
+/*
+ * Get length in bytes of RSA modulus
+ */
+size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
+{
+ return ctx->len;
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+/*
+ * Generate an RSA keypair
+ *
+ * This generation method follows the RSA key pair generation procedure of
+ * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
+ */
+int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ unsigned int nbits, int exponent)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi H, G, L;
+ int prime_quality = 0;
+
+ /*
+ * If the modulus is 1024 bit long or shorter, then the security strength of
+ * the RSA algorithm is less than or equal to 80 bits and therefore an error
+ * rate of 2^-80 is sufficient.
+ */
+ if (nbits > 1024) {
+ prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
+ }
+
+ mbedtls_mpi_init(&H);
+ mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&L);
+
+ if (exponent < 3 || nbits % 2 != 0) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /*
+ * find primes P and Q with Q < P so that:
+ * 1. |P-Q| > 2^( nbits / 2 - 100 )
+ * 2. GCD( E, (P-1)*(Q-1) ) == 1
+ * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
+
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
+ prime_quality, f_rng, p_rng));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
+ prime_quality, f_rng, p_rng));
+
+ /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
+ if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
+ continue;
+ }
+
+ /* not required by any standards, but some users rely on the fact that P > Q */
+ if (H.s < 0) {
+ mbedtls_mpi_swap(&ctx->P, &ctx->Q);
+ }
+
+ /* Temporarily replace P,Q by P-1, Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
+
+ /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
+ if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
+ continue;
+ }
+
+ /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
+
+ if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
+ continue;
+ }
+
+ break;
+ } while (1);
+
+ /* Restore P,Q */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
+
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * DP = D mod (P - 1)
+ * DQ = D mod (Q - 1)
+ * QP = Q^-1 mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Double-check */
+ MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
+
+cleanup:
+
+ mbedtls_mpi_free(&H);
+ mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&L);
+
+ if (ret != 0) {
+ mbedtls_rsa_free(ctx);
+
+ if ((-ret & ~0x7f) == 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
+ }
+ return ret;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+/*
+ * Check a public RSA key
+ */
+int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
+{
+ if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
+ mbedtls_mpi_bitlen(&ctx->E) < 2 ||
+ mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Check for the consistency of all fields in an RSA private key context
+ */
+int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
+{
+ if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
+ rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
+ &ctx->D, &ctx->E, NULL, NULL) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Check if contexts holding a public and private key match
+ */
+int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
+ const mbedtls_rsa_context *prv)
+{
+ if (mbedtls_rsa_check_pubkey(pub) != 0 ||
+ mbedtls_rsa_check_privkey(prv) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
+ mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Do an RSA public key operation
+ */
+int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+ mbedtls_mpi T;
+
+ if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&T);
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
+
+ if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ olen = ctx->len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ mbedtls_mpi_free(&T);
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Generate or update blinding values, see section 10 of:
+ * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ * Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, count = 0;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init(&R);
+
+ if (ctx->Vf.p != NULL) {
+ /* We already have blinding values, just update them by squaring */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
+
+ goto cleanup;
+ }
+
+ /* Unblinding value: Vf = random number, invertible mod N */
+ do {
+ if (count++ > 10) {
+ ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
+
+ /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+ /* At this point, Vi is invertible mod N if and only if both Vf and R
+ * are invertible mod N. If one of them isn't, we don't need to know
+ * which one, we just loop and choose new values for both of them.
+ * (Each iteration succeeds with overwhelming probability.) */
+ ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
+ if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+
+ } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
+
+ /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+ /* Blinding value: Vi = Vf^(-e) mod N
+ * (Vi already contains Vf^-1 at this point) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
+
+
+cleanup:
+ mbedtls_mpi_free(&R);
+
+ return ret;
+}
+
+/*
+ * Unblind
+ * T = T * Vf mod N
+ */
+static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ const size_t nlimbs = N->n;
+ const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs);
+ mbedtls_mpi RR, M_T;
+
+ mbedtls_mpi_init(&RR);
+ mbedtls_mpi_init(&M_T);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
+
+ /* T = T * Vf mod N
+ * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
+ * Usually both operands are multiplied by R mod N beforehand (by calling
+ * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
+ * "in the Montgomery domain"). Here we only multiply one operand by R mod
+ * N, so the result is directly what we want - no need to call
+ * `from_mont_rep()` on it. */
+ mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
+ mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
+
+cleanup:
+
+ mbedtls_mpi_free(&RR);
+ mbedtls_mpi_free(&M_T);
+
+ return ret;
+}
+
+/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on average.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on average.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
+ * Do an RSA private key operation
+ */
+int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ /* Temporary holding the result */
+ mbedtls_mpi T;
+
+ /* Temporaries holding P-1, Q-1 and the
+ * exponent blinding factor, respectively. */
+ mbedtls_mpi P1, Q1, R;
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Temporaries holding the results mod p resp. mod q. */
+ mbedtls_mpi TP, TQ;
+
+ /* Temporaries holding the blinded exponents for
+ * the mod p resp. mod q computation (if used). */
+ mbedtls_mpi DP_blind, DQ_blind;
+#else
+ /* Temporary holding the blinded exponent (if used). */
+ mbedtls_mpi D_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Temporaries holding the initial input and the double
+ * checked result; should be the same in the end. */
+ mbedtls_mpi input_blinded, check_result_blinded;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (rsa_check_context(ctx, 1 /* private key checks */,
+ 1 /* blinding on */) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ /* MPI Initialization */
+ mbedtls_mpi_init(&T);
+
+ mbedtls_mpi_init(&P1);
+ mbedtls_mpi_init(&Q1);
+ mbedtls_mpi_init(&R);
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_init(&D_blind);
+#else
+ mbedtls_mpi_init(&DP_blind);
+ mbedtls_mpi_init(&DQ_blind);
+#endif
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
+#endif
+
+ mbedtls_mpi_init(&input_blinded);
+ mbedtls_mpi_init(&check_result_blinded);
+
+ /* End of MPI initialization */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
+ if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /*
+ * Blinding
+ * T = T * Vi mod N
+ */
+ MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
+
+ /*
+ * Exponent blinding
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
+#else
+ /*
+ * DP_blind = ( P - 1 ) * R + DP
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
+ &ctx->DP));
+
+ /*
+ * DQ_blind = ( Q - 1 ) * R + DQ
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
+ &ctx->DQ));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN));
+#else
+ /*
+ * Faster decryption using the CRT
+ *
+ * TP = input ^ dP mod P
+ * TQ = input ^ dQ mod Q
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ));
+
+ /*
+ * T = (TP - TQ) * (Q^-1 mod P) mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
+
+ /*
+ * T = TQ + T * Q
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Verify the result to prevent glitching attacks. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
+ &ctx->N, &ctx->RN));
+ if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Unblind
+ * T = T * Vf mod N
+ */
+ MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
+
+ olen = ctx->len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ mbedtls_mpi_free(&P1);
+ mbedtls_mpi_free(&Q1);
+ mbedtls_mpi_free(&R);
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&D_blind);
+#else
+ mbedtls_mpi_free(&DP_blind);
+ mbedtls_mpi_free(&DQ_blind);
+#endif
+
+ mbedtls_mpi_free(&T);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
+#endif
+
+ mbedtls_mpi_free(&check_result_blinded);
+ mbedtls_mpi_free(&input_blinded);
+
+ if (ret != 0 && ret >= -0x007f) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
+ *
+ * \param dst buffer to mask
+ * \param dlen length of destination buffer
+ * \param src source of the mask generation
+ * \param slen length of the source buffer
+ * \param md_alg message digest to use
+ */
+static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
+ size_t slen, mbedtls_md_type_t md_alg)
+{
+ unsigned char counter[4];
+ unsigned char *p;
+ unsigned int hlen;
+ size_t i, use_len;
+ unsigned char mask[MBEDTLS_MD_MAX_SIZE];
+ int ret = 0;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_context_t md_ctx;
+
+ mbedtls_md_init(&md_ctx);
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&md_ctx);
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ goto exit;
+ }
+
+ hlen = mbedtls_md_get_size(md_info);
+
+ memset(mask, 0, sizeof(mask));
+ memset(counter, 0, 4);
+
+ /* Generate and apply dbMask */
+ p = dst;
+
+ while (dlen > 0) {
+ use_len = hlen;
+ if (dlen < hlen) {
+ use_len = dlen;
+ }
+
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
+ goto exit;
+ }
+
+ for (i = 0; i < use_len; ++i) {
+ *p++ ^= mask[i];
+ }
+
+ counter[3]++;
+
+ dlen -= use_len;
+ }
+
+exit:
+ mbedtls_platform_zeroize(mask, sizeof(mask));
+ mbedtls_md_free(&md_ctx);
+
+ return ret;
+}
+
+/**
+ * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
+ *
+ * \param hash the input hash
+ * \param hlen length of the input hash
+ * \param salt the input salt
+ * \param slen length of the input salt
+ * \param out the output buffer - must be large enough for \p md_alg
+ * \param md_alg message digest to use
+ */
+static int hash_mprime(const unsigned char *hash, size_t hlen,
+ const unsigned char *salt, size_t slen,
+ unsigned char *out, mbedtls_md_type_t md_alg)
+{
+ const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+ mbedtls_md_context_t md_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&md_ctx);
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_md_free(&md_ctx);
+
+ return ret;
+}
+
+/**
+ * Compute a hash.
+ *
+ * \param md_alg algorithm to use
+ * \param input input message to hash
+ * \param ilen input length
+ * \param output the output buffer - must be large enough for \p md_alg
+ */
+static int compute_hash(mbedtls_md_type_t md_alg,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ const mbedtls_md_info_t *md_info;
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_md(md_info, input, ilen, output);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t olen;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = output;
+ unsigned int hlen;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ olen = ctx->len;
+
+ /* first comparison checks for overflow */
+ if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ memset(output, 0, olen);
+
+ *p++ = 0;
+
+ /* Generate a random octet string seed */
+ if ((ret = f_rng(p_rng, p, hlen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p += hlen;
+
+ /* Construct DB */
+ ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
+ if (ret != 0) {
+ return ret;
+ }
+ p += hlen;
+ p += olen - 2 * hlen - 2 - ilen;
+ *p++ = 1;
+ if (ilen != 0) {
+ memcpy(p, input, ilen);
+ }
+
+ /* maskedDB: Apply dbMask to DB */
+ if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ return ret;
+ }
+
+ /* maskedSeed: Apply seedMask to seed */
+ if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_rsa_public(ctx, output, output);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t nb_pad, olen;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = output;
+
+ olen = ctx->len;
+
+ /* first comparison checks for overflow */
+ if (ilen + 11 < ilen || olen < ilen + 11) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ nb_pad = olen - 3 - ilen;
+
+ *p++ = 0;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ *p++ = MBEDTLS_RSA_CRYPT;
+
+ while (nb_pad-- > 0) {
+ int rng_dl = 100;
+
+ do {
+ ret = f_rng(p_rng, p, 1);
+ } while (*p == 0 && --rng_dl && ret == 0);
+
+ /* Check if RNG failed to generate data */
+ if (rng_dl == 0 || ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p++;
+ }
+
+ *p++ = 0;
+ if (ilen != 0) {
+ memcpy(p, input, ilen);
+ }
+
+ return mbedtls_rsa_public(ctx, output, output);
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Add the message padding, then do an RSA operation
+ */
+int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
+ ilen, input, output);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
+ ilen, input, output);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t ilen, i, pad_len;
+ unsigned char *p;
+ mbedtls_ct_condition_t bad, in_padding;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+ unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
+ unsigned int hlen;
+
+ /*
+ * Parameters sanity checks
+ */
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ilen = ctx->len;
+
+ if (ilen < 16 || ilen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ // checking for integer underflow
+ if (2 * hlen + 2 > ilen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * RSA operation
+ */
+ ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Unmask data and generate lHash
+ */
+ /* seed: Apply seedMask to maskedSeed */
+ if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0 ||
+ /* DB: Apply dbMask to maskedDB */
+ (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ goto cleanup;
+ }
+
+ /* Generate lHash */
+ ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
+ label, label_len, lhash);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Check contents, in "constant-time"
+ */
+ p = buf;
+
+ bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
+
+ p += hlen; /* Skip seed */
+
+ /* Check lHash */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
+ p += hlen;
+
+ /* Get zero-padding len, but always read till end of buffer
+ * (minus one, for the 01 byte) */
+ pad_len = 0;
+ in_padding = MBEDTLS_CT_TRUE;
+ for (i = 0; i < ilen - 2 * hlen - 2; i++) {
+ in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
+ pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
+ }
+
+ p += pad_len;
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
+
+ /*
+ * The only information "leaked" is whether the padding was correct or not
+ * (eg, no data is copied if it was not correct). This meets the
+ * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
+ * the different error conditions.
+ */
+ if (bad != MBEDTLS_CT_FALSE) {
+ ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+ goto cleanup;
+ }
+
+ if (ilen - ((size_t) (p - buf)) > output_max_len) {
+ ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ goto cleanup;
+ }
+
+ *olen = ilen - ((size_t) (p - buf));
+ if (*olen != 0) {
+ memcpy(output, p, *olen);
+ }
+ ret = 0;
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ mbedtls_platform_zeroize(lhash, sizeof(lhash));
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t ilen;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+ ilen = ctx->len;
+
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (ilen < 16 || ilen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
+ output, output_max_len, olen);
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation, then remove the message padding
+ */
+int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
+ input, output, output_max_len);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
+ olen, input, output,
+ output_max_len);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+static int rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ size_t olen;
+ unsigned char *p = sig;
+ unsigned char *salt = NULL;
+ size_t slen, min_slen, hlen, offset = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t msb;
+ mbedtls_md_type_t hash_id;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ olen = ctx->len;
+
+ if (md_alg != MBEDTLS_MD_NONE) {
+ /* Gather length of hash to sign */
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
+ if (exp_hashlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != exp_hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ }
+
+ hash_id = (mbedtls_md_type_t) ctx->hash_id;
+ if (hash_id == MBEDTLS_MD_NONE) {
+ hash_id = md_alg;
+ }
+ hlen = mbedtls_md_get_size_from_type(hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
+ /* Calculate the largest possible salt length, up to the hash size.
+ * Normally this is the hash length, which is the maximum salt length
+ * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
+ * enough room, use the maximum salt length that fits. The constraint is
+ * that the hash length plus the salt length plus 2 bytes must be at most
+ * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+ * (PKCS#1 v2.2) §9.1.1 step 3. */
+ min_slen = hlen - 2;
+ if (olen < hlen + min_slen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ } else if (olen >= hlen + hlen + 2) {
+ slen = hlen;
+ } else {
+ slen = olen - hlen - 2;
+ }
+ } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ } else {
+ slen = (size_t) saltlen;
+ }
+
+ memset(sig, 0, olen);
+
+ /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+ p += olen - hlen - slen - 2;
+ *p++ = 0x01;
+
+ /* Generate salt of length slen in place in the encoded message */
+ salt = p;
+ if ((ret = f_rng(p_rng, salt, slen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p += slen;
+
+ /* Generate H = Hash( M' ) */
+ ret = hash_mprime(hash, hashlen, salt, slen, p, hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Compensate for boundary condition when applying mask */
+ if (msb % 8 == 0) {
+ offset = 1;
+ }
+
+ /* maskedDB: Apply dbMask to DB */
+ ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+ sig[0] &= 0xFF >> (olen * 8 - msb);
+
+ p += hlen;
+ *p++ = 0xBC;
+
+ return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
+}
+
+static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ if ((ctx->hash_id == MBEDTLS_MD_NONE) && (md_alg == MBEDTLS_MD_NONE)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen,
+ sig);
+}
+
+int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
+ * the option to pass in the salt length.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, saltlen, sig);
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
+ */
+
+/* Construct a PKCS v1.5 encoding of a hashed message
+ *
+ * This is used both for signature generation and verification.
+ *
+ * Parameters:
+ * - md_alg: Identifies the hash algorithm used to generate the given hash;
+ * MBEDTLS_MD_NONE if raw data is signed.
+ * - hashlen: Length of hash. Must match md_alg if that's not NONE.
+ * - hash: Buffer containing the hashed message or the raw data.
+ * - dst_len: Length of the encoded message.
+ * - dst: Buffer to hold the encoded message.
+ *
+ * Assumptions:
+ * - hash has size hashlen.
+ * - dst points to a buffer of size at least dst_len.
+ *
+ */
+static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ size_t dst_len,
+ unsigned char *dst)
+{
+ size_t oid_size = 0;
+ size_t nb_pad = dst_len;
+ unsigned char *p = dst;
+ const char *oid = NULL;
+
+ /* Are we signing hashed or raw data? */
+ if (md_alg != MBEDTLS_MD_NONE) {
+ unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
+ if (md_size == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != md_size) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Double-check that 8 + hashlen + oid_size can be used as a
+ * 1-byte ASN.1 length encoding and that there's no overflow. */
+ if (8 + hashlen + oid_size >= 0x80 ||
+ 10 + hashlen < hashlen ||
+ 10 + hashlen + oid_size < 10 + hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Static bounds check:
+ * - Need 10 bytes for five tag-length pairs.
+ * (Insist on 1-byte length encodings to protect against variants of
+ * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+ * - Need hashlen bytes for hash
+ * - Need oid_size bytes for hash alg OID.
+ */
+ if (nb_pad < 10 + hashlen + oid_size) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ nb_pad -= 10 + hashlen + oid_size;
+ } else {
+ if (nb_pad < hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ nb_pad -= hashlen;
+ }
+
+ /* Need space for signature header and padding delimiter (3 bytes),
+ * and 8 bytes for the minimal padding */
+ if (nb_pad < 3 + 8) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ nb_pad -= 3;
+
+ /* Now nb_pad is the amount of memory to be filled
+ * with padding, and at least 8 bytes long. */
+
+ /* Write signature header and padding */
+ *p++ = 0;
+ *p++ = MBEDTLS_RSA_SIGN;
+ memset(p, 0xFF, nb_pad);
+ p += nb_pad;
+ *p++ = 0;
+
+ /* Are we signing raw data? */
+ if (md_alg == MBEDTLS_MD_NONE) {
+ memcpy(p, hash, hashlen);
+ return 0;
+ }
+
+ /* Signing hashed data, add corresponding ASN.1 structure
+ *
+ * DigestInfo ::= SEQUENCE {
+ * digestAlgorithm DigestAlgorithmIdentifier,
+ * digest Digest }
+ * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+ * Digest ::= OCTET STRING
+ *
+ * Schematic:
+ * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
+ * TAG-NULL + LEN [ NULL ] ]
+ * TAG-OCTET + LEN [ HASH ] ]
+ */
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+ *p++ = (unsigned char) (0x08 + oid_size + hashlen);
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+ *p++ = (unsigned char) (0x04 + oid_size);
+ *p++ = MBEDTLS_ASN1_OID;
+ *p++ = (unsigned char) oid_size;
+ memcpy(p, oid, oid_size);
+ p += oid_size;
+ *p++ = MBEDTLS_ASN1_NULL;
+ *p++ = 0x00;
+ *p++ = MBEDTLS_ASN1_OCTET_STRING;
+ *p++ = (unsigned char) hashlen;
+ memcpy(p, hash, hashlen);
+ p += hashlen;
+
+ /* Just a sanity-check, should be automatic
+ * after the initial bounds check. */
+ if (p != dst + dst_len) {
+ mbedtls_platform_zeroize(dst, dst_len);
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *sig_try = NULL, *verif = NULL;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
+ */
+
+ if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
+ ctx->len, sig)) != 0) {
+ return ret;
+ }
+
+ /* Private key operation
+ *
+ * In order to prevent Lenstra's attack, make the signature in a
+ * temporary buffer and check it before returning it.
+ */
+
+ sig_try = mbedtls_calloc(1, ctx->len);
+ if (sig_try == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ verif = mbedtls_calloc(1, ctx->len);
+ if (verif == NULL) {
+ mbedtls_free(sig_try);
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
+
+ if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
+ ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
+ goto cleanup;
+ }
+
+ memcpy(sig, sig_try, ctx->len);
+
+cleanup:
+ mbedtls_zeroize_and_free(sig_try, ctx->len);
+ mbedtls_zeroize_and_free(verif, ctx->len);
+
+ if (ret != 0) {
+ memset(sig, '!', ctx->len);
+ }
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
+ md_alg, hashlen, hash, sig);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, sig);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ mbedtls_md_type_t mgf1_hash_id,
+ int expected_salt_len,
+ const unsigned char *sig)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t siglen;
+ unsigned char *p;
+ unsigned char *hash_start;
+ unsigned char result[MBEDTLS_MD_MAX_SIZE];
+ unsigned int hlen;
+ size_t observed_salt_len, msb;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ siglen = ctx->len;
+
+ if (siglen < 16 || siglen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_rsa_public(ctx, sig, buf);
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ p = buf;
+
+ if (buf[siglen - 1] != 0xBC) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ if (md_alg != MBEDTLS_MD_NONE) {
+ /* Gather length of hash to sign */
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
+ if (exp_hashlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != exp_hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ }
+
+ hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Note: EMSA-PSS verification is over the length of N - 1 bits
+ */
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+
+ if (buf[0] >> (8 - siglen * 8 + msb)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Compensate for boundary condition when applying mask */
+ if (msb % 8 == 0) {
+ p++;
+ siglen -= 1;
+ }
+
+ if (siglen < hlen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ hash_start = p + siglen - hlen - 1;
+
+ ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ buf[0] &= 0xFF >> (siglen * 8 - msb);
+
+ while (p < hash_start - 1 && *p == 0) {
+ p++;
+ }
+
+ if (*p++ != 0x01) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ observed_salt_len = (size_t) (hash_start - p);
+
+ if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
+ observed_salt_len != (size_t) expected_salt_len) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ /*
+ * Generate H = Hash( M' )
+ */
+ ret = hash_mprime(hash, hashlen, p, observed_salt_len,
+ result, mgf1_hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(hash_start, result, hlen) != 0) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ mbedtls_md_type_t mgf1_hash_id;
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
+ ? (mbedtls_md_type_t) ctx->hash_id
+ : md_alg;
+
+ return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
+ md_alg, hashlen, hash,
+ mgf1_hash_id,
+ MBEDTLS_RSA_SALT_LEN_ANY,
+ sig);
+
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ int ret = 0;
+ size_t sig_len;
+ unsigned char *encoded = NULL, *encoded_expected = NULL;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ sig_len = ctx->len;
+
+ /*
+ * Prepare expected PKCS1 v1.5 encoding of hash.
+ */
+
+ if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
+ (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
+ ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
+ encoded_expected)) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Apply RSA primitive to get what should be PKCS1 encoded hash.
+ */
+
+ ret = mbedtls_rsa_public(ctx, sig, encoded);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Compare
+ */
+
+ if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
+ sig_len)) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+
+ if (encoded != NULL) {
+ mbedtls_zeroize_and_free(encoded, sig_len);
+ }
+
+ if (encoded_expected != NULL) {
+ mbedtls_zeroize_and_free(encoded_expected, sig_len);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation and check the message digest
+ */
+int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
+ hashlen, hash, sig);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
+ hashlen, hash, sig);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+/*
+ * Copy the components of an RSA key
+ */
+int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ dst->len = src->len;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
+#endif
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
+
+ dst->padding = src->padding;
+ dst->hash_id = src->hash_id;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_rsa_free(dst);
+ }
+
+ return ret;
+}
+
+/*
+ * Free the components of an RSA key
+ */
+void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->Vi);
+ mbedtls_mpi_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->RN);
+ mbedtls_mpi_free(&ctx->D);
+ mbedtls_mpi_free(&ctx->Q);
+ mbedtls_mpi_free(&ctx->P);
+ mbedtls_mpi_free(&ctx->E);
+ mbedtls_mpi_free(&ctx->N);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&ctx->RQ);
+ mbedtls_mpi_free(&ctx->RP);
+ mbedtls_mpi_free(&ctx->QP);
+ mbedtls_mpi_free(&ctx->DQ);
+ mbedtls_mpi_free(&ctx->DP);
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Free the mutex, but only if it hasn't been freed already. */
+ if (ctx->ver != 0) {
+ mbedtls_mutex_free(&ctx->mutex);
+ ctx->ver = 0;
+ }
+#endif
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+
+/*
+ * Example RSA-1024 keypair, for test purposes
+ */
+#define KEY_LEN 128
+
+#define RSA_N "9292758453063D803DD603D5E777D788" \
+ "8ED1D5BF35786190FA2F23EBC0848AEA" \
+ "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+ "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+ "93A89813FBF3C4F8066D2D800F7C38A8" \
+ "1AE31942917403FF4946B0A83D3D3E05" \
+ "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+ "5E94BB77B07507233A0BC7BAC8F90F79"
+
+#define RSA_E "10001"
+
+#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
+ "66CA472BC44D253102F8B4A9D3BFA750" \
+ "91386C0077937FE33FA3252D28855837" \
+ "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+ "DF79C5CE07EE72C7F123142198164234" \
+ "CABB724CF78B8173B9F880FC86322407" \
+ "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+ "071513A1E85B5DFA031F21ECAE91A34D"
+
+#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
+ "2C01CAD19EA484A87EA4377637E75500" \
+ "FCB2005C5C7DD6EC4AC023CDA285D796" \
+ "C3D9E75E1EFC42488BB4F1D13AC30A57"
+
+#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
+ "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+ "910E4168387E3C30AA1E00C339A79508" \
+ "8452DD96A9A5EA5D9DCA68DA636032AF"
+
+#define PT_LEN 24
+#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
+ "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+
+#if defined(MBEDTLS_PKCS1_V15)
+static int myrand(void *rng_state, unsigned char *output, size_t len)
+{
+#if !defined(__OpenBSD__) && !defined(__NetBSD__)
+ size_t i;
+
+ if (rng_state != NULL) {
+ rng_state = NULL;
+ }
+
+ for (i = 0; i < len; ++i) {
+ output[i] = rand();
+ }
+#else
+ if (rng_state != NULL) {
+ rng_state = NULL;
+ }
+
+ arc4random_buf(output, len);
+#endif /* !OpenBSD && !NetBSD */
+
+ return 0;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_rsa_self_test(int verbose)
+{
+ int ret = 0;
+#if defined(MBEDTLS_PKCS1_V15)
+ size_t len;
+ mbedtls_rsa_context rsa;
+ unsigned char rsa_plaintext[PT_LEN];
+ unsigned char rsa_decrypted[PT_LEN];
+ unsigned char rsa_ciphertext[KEY_LEN];
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ unsigned char sha1sum[20];
+#endif
+
+ mbedtls_mpi K;
+
+ mbedtls_mpi_init(&K);
+ mbedtls_rsa_init(&rsa);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
+
+ MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
+
+ if (verbose != 0) {
+ mbedtls_printf(" RSA key validation: ");
+ }
+
+ if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
+ mbedtls_rsa_check_privkey(&rsa) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 encryption : ");
+ }
+
+ memcpy(rsa_plaintext, RSA_PT, PT_LEN);
+
+ if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
+ PT_LEN, rsa_plaintext,
+ rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 decryption : ");
+ }
+
+ if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
+ &len, rsa_ciphertext, rsa_decrypted,
+ sizeof(rsa_decrypted)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ if (verbose != 0) {
+ mbedtls_printf(" PKCS#1 data sign : ");
+ }
+
+ if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
+ rsa_plaintext, PT_LEN, sha1sum) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
+ MBEDTLS_MD_SHA1, 20,
+ sha1sum, rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 sig. verify: ");
+ }
+
+ if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
+ sha1sum, rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+cleanup:
+ mbedtls_mpi_free(&K);
+ mbedtls_rsa_free(&rsa);
+#else /* MBEDTLS_PKCS1_V15 */
+ ((void) verbose);
+#endif /* MBEDTLS_PKCS1_V15 */
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c b/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c
new file mode 100644
index 0000000..5c265a9
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.c
@@ -0,0 +1,447 @@
+/*
+ * Helper functions for the RSA module
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
+#include "rsa_alt_helpers.h"
+
+/*
+ * Compute RSA prime factors from public and private exponents
+ *
+ * Summary of algorithm:
+ * Setting F := lcm(P-1,Q-1), the idea is as follows:
+ *
+ * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
+ * is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
+ * square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
+ * possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
+ * or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
+ * factors of N.
+ *
+ * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
+ * construction still applies since (-)^K is the identity on the set of
+ * roots of 1 in Z/NZ.
+ *
+ * The public and private key primitives (-)^E and (-)^D are mutually inverse
+ * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
+ * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
+ * Splitting L = 2^t * K with K odd, we have
+ *
+ * DE - 1 = FL = (F/2) * (2^(t+1)) * K,
+ *
+ * so (F / 2) * K is among the numbers
+ *
+ * (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
+ *
+ * where ord is the order of 2 in (DE - 1).
+ * We can therefore iterate through these numbers apply the construction
+ * of (a) and (b) above to attempt to factor N.
+ *
+ */
+int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
+ mbedtls_mpi const *E, mbedtls_mpi const *D,
+ mbedtls_mpi *P, mbedtls_mpi *Q)
+{
+ int ret = 0;
+
+ uint16_t attempt; /* Number of current attempt */
+ uint16_t iter; /* Number of squares computed in the current attempt */
+
+ uint16_t order; /* Order of 2 in DE - 1 */
+
+ mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
+ mbedtls_mpi K; /* Temporary holding the current candidate */
+
+ const unsigned char primes[] = { 2,
+ 3, 5, 7, 11, 13, 17, 19, 23,
+ 29, 31, 37, 41, 43, 47, 53, 59,
+ 61, 67, 71, 73, 79, 83, 89, 97,
+ 101, 103, 107, 109, 113, 127, 131, 137,
+ 139, 149, 151, 157, 163, 167, 173, 179,
+ 181, 191, 193, 197, 199, 211, 223, 227,
+ 229, 233, 239, 241, 251 };
+
+ const size_t num_primes = sizeof(primes) / sizeof(*primes);
+
+ if (P == NULL || Q == NULL || P->p != NULL || Q->p != NULL) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(N, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(D, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
+ mbedtls_mpi_cmp_int(E, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(E, N) >= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Initializations and temporary changes
+ */
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&T);
+
+ /* T := DE - 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&T, &T, 1));
+
+ if ((order = (uint16_t) mbedtls_mpi_lsb(&T)) == 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* After this operation, T holds the largest odd divisor of DE - 1. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&T, order));
+
+ /*
+ * Actual work
+ */
+
+ /* Skip trying 2 if N == 1 mod 8 */
+ attempt = 0;
+ if (N->p[0] % 8 == 1) {
+ attempt = 1;
+ }
+
+ for (; attempt < num_primes; ++attempt) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
+
+ /* Check if gcd(K,N) = 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
+ if (mbedtls_mpi_cmp_int(P, 1) != 0) {
+ continue;
+ }
+
+ /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
+ * and check whether they have nontrivial GCD with N. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &K, &T, N,
+ Q /* temporarily use Q for storing Montgomery
+ * multiplication helper values */));
+
+ for (iter = 1; iter <= order; ++iter) {
+ /* If we reach 1 prematurely, there's no point
+ * in continuing to square K */
+ if (mbedtls_mpi_cmp_int(&K, 1) == 0) {
+ break;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
+
+ if (mbedtls_mpi_cmp_int(P, 1) == 1 &&
+ mbedtls_mpi_cmp_mpi(P, N) == -1) {
+ /*
+ * Have found a nontrivial divisor P of N.
+ * Set Q := N / P.
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(Q, NULL, N, P));
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &K));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, N));
+ }
+
+ /*
+ * If we get here, then either we prematurely aborted the loop because
+ * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+ * be 1 if D,E,N were consistent.
+ * Check if that's the case and abort if not, to avoid very long,
+ * yet eventually failing, computations if N,D,E were not sane.
+ */
+ if (mbedtls_mpi_cmp_int(&K, 1) != 0) {
+ break;
+ }
+ }
+
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&T);
+ return ret;
+}
+
+/*
+ * Given P, Q and the public exponent E, deduce D.
+ * This is essentially a modular inversion.
+ */
+int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
+ mbedtls_mpi const *Q,
+ mbedtls_mpi const *E,
+ mbedtls_mpi *D)
+{
+ int ret = 0;
+ mbedtls_mpi K, L;
+
+ if (D == NULL || mbedtls_mpi_cmp_int(D, 0) != 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(Q, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(E, 0) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /* Temporarily put K := P-1 and L := Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
+
+ /* Temporarily put D := gcd(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(D, &K, &L));
+
+ /* K := LCM(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
+
+ /* Compute modular inverse of E in LCM(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ return ret;
+}
+
+int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, mbedtls_mpi *DP,
+ mbedtls_mpi *DQ, mbedtls_mpi *QP)
+{
+ int ret = 0;
+ mbedtls_mpi K;
+ mbedtls_mpi_init(&K);
+
+ /* DP = D mod P-1 */
+ if (DP != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DP, D, &K));
+ }
+
+ /* DQ = D mod Q-1 */
+ if (DQ != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DQ, D, &K));
+ }
+
+ /* QP = Q^{-1} mod P */
+ if (QP != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(QP, Q, P));
+ }
+
+cleanup:
+ mbedtls_mpi_free(&K);
+
+ return ret;
+}
+
+/*
+ * Check that core RSA parameters are sane.
+ */
+int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
+ const mbedtls_mpi *Q, const mbedtls_mpi *D,
+ const mbedtls_mpi *E,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = 0;
+ mbedtls_mpi K, L;
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /*
+ * Step 1: If PRNG provided, check that P and Q are prime
+ */
+
+#if defined(MBEDTLS_GENPRIME)
+ /*
+ * When generating keys, the strongest security we support aims for an error
+ * rate of at most 2^-100 and we are aiming for the same certainty here as
+ * well.
+ */
+ if (f_rng != NULL && P != NULL &&
+ (ret = mbedtls_mpi_is_prime_ext(P, 50, f_rng, p_rng)) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ if (f_rng != NULL && Q != NULL &&
+ (ret = mbedtls_mpi_is_prime_ext(Q, 50, f_rng, p_rng)) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+#else
+ ((void) f_rng);
+ ((void) p_rng);
+#endif /* MBEDTLS_GENPRIME */
+
+ /*
+ * Step 2: Check that 1 < N = P * Q
+ */
+
+ if (P != NULL && Q != NULL && N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, P, Q));
+ if (mbedtls_mpi_cmp_int(N, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(&K, N) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Step 3: Check and 1 < D, E < N if present.
+ */
+
+ if (N != NULL && D != NULL && E != NULL) {
+ if (mbedtls_mpi_cmp_int(D, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(E, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
+ mbedtls_mpi_cmp_mpi(E, N) >= 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Step 4: Check that D, E are inverse modulo P-1 and Q-1
+ */
+
+ if (P != NULL && Q != NULL && D != NULL && E != NULL) {
+ if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(Q, 1) <= 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ /* Compute DE-1 mod P-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ /* Compute DE-1 mod Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ /* Wrap MPI error codes by RSA check failure error code */
+ if (ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) {
+ ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return ret;
+}
+
+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *DP,
+ const mbedtls_mpi *DQ, const mbedtls_mpi *QP)
+{
+ int ret = 0;
+
+ mbedtls_mpi K, L;
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /* Check that DP - D == 0 mod P - 1 */
+ if (DP != NULL) {
+ if (P == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DP, D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
+
+ if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /* Check that DQ - D == 0 mod Q - 1 */
+ if (DQ != NULL) {
+ if (Q == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DQ, D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
+
+ if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /* Check that QP * Q - 1 == 0 mod P */
+ if (QP != NULL) {
+ if (P == NULL || Q == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, QP, Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, P));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ /* Wrap MPI error codes by RSA check failure error code */
+ if (ret != 0 &&
+ ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+ ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
+ ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_RSA_C */
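Review bot: In `mbedtls_rsa_validate_crt` the DP and DQ branches guard only `P == NULL` and `Q == NULL` before calling `mbedtls_mpi_sub_mpi(&L, DP, D)` and `mbedtls_mpi_sub_mpi(&L, DQ, D)`. A call that supplies DP or DQ with a NULL D therefore reaches the subtraction with a null pointer, which presumably gets dereferenced, instead of returning an error. The header added in the same commit states the checks apply "if P, D, DP != NULL" and promises `MBEDTLS_ERR_RSA_BAD_INPUT_DATA` when insufficient data is provided, so the guards should read `if (P == NULL || D == NULL) {` and `if (Q == NULL || D == NULL) {`. Callers outside this hunk may always pass D, but the function is documented as accepting restricted argument sets, so the check belongs in the function itself.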
diff --git a/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.h b/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.h
new file mode 100644
index 0000000..f234036
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/rsa_alt_helpers.h
@@ -0,0 +1,212 @@
+/**
+ * \file rsa_alt_helpers.h
+ *
+ * \brief Context-independent RSA helper functions
+ *
+ * Please note: The below explanation is historical and is no longer relevant
+ * due to there being no compelling reason to keep these functions separate
+ * since the RSA alt interface was removed. A future refactoring will address
+ * this which is tracked by the following issue:
+ * https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/105.
+ *
+ * This module declares some RSA-related helper functions useful when
+ * implementing the RSA interface. These functions are provided in a separate
+ * compilation unit in order to make it easy for designers of alternative RSA
+ * implementations to use them in their own code, as it is conceived that the
+ * functionality they provide will be necessary for most complete
+ * implementations.
+ *
+ * End-users of Mbed TLS who are not providing their own alternative RSA
+ * implementations should not use these functions directly, and should instead
+ * use only the functions declared in rsa.h.
+ *
+ * The interface provided by this module will be maintained through LTS (Long
+ * Term Support) branches of Mbed TLS, but may otherwise be subject to change,
+ * and must be considered an internal interface of the library.
+ *
+ * There are two classes of helper functions:
+ *
+ * (1) Parameter-generating helpers. These are:
+ * - mbedtls_rsa_deduce_primes
+ * - mbedtls_rsa_deduce_private_exponent
+ * - mbedtls_rsa_deduce_crt
+ * Each of these functions takes a set of core RSA parameters and
+ * generates some other, or CRT related parameters.
+ *
+ * (2) Parameter-checking helpers. These are:
+ * - mbedtls_rsa_validate_params
+ * - mbedtls_rsa_validate_crt
+ * They take a set of core or CRT related RSA parameters and check their
+ * validity.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RSA_ALT_HELPERS_H
+#define MBEDTLS_RSA_ALT_HELPERS_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief Compute RSA prime moduli P, Q from public modulus N=PQ
+ * and a pair of private and public key.
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param N RSA modulus N = PQ, with P, Q to be found
+ * \param E RSA public exponent
+ * \param D RSA private exponent
+ * \param P Pointer to MPI holding first prime factor of N on success
+ * \param Q Pointer to MPI holding second prime factor of N on success
+ *
+ * \return
+ * - 0 if successful. In this case, P and Q constitute a
+ * factorization of N.
+ * - A non-zero error code otherwise.
+ *
+ * \note It is neither checked that P, Q are prime nor that
+ * D, E are modular inverses wrt. P-1 and Q-1. For that,
+ * use the helper function \c mbedtls_rsa_validate_params.
+ *
+ */
+int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E,
+ mbedtls_mpi const *D,
+ mbedtls_mpi *P, mbedtls_mpi *Q);
+
+/**
+ * \brief Compute RSA private exponent from
+ * prime moduli and public key.
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of RSA modulus
+ * \param Q Second prime factor of RSA modulus
+ * \param E RSA public exponent
+ * \param D Pointer to MPI holding the private exponent on success.
+ *
+ * \return
+ * - 0 if successful. In this case, D is set to a simultaneous
+ * modular inverse of E modulo both P-1 and Q-1.
+ * - A non-zero error code otherwise.
+ *
+ * \note This function does not check whether P and Q are primes.
+ *
+ */
+int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
+ mbedtls_mpi const *Q,
+ mbedtls_mpi const *E,
+ mbedtls_mpi *D);
+
+
+/**
+ * \brief Generate RSA-CRT parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of N
+ * \param Q Second prime factor of N
+ * \param D RSA private exponent
+ * \param DP Output variable for D modulo P-1
+ * \param DQ Output variable for D modulo Q-1
+ * \param QP Output variable for the modular inverse of Q modulo P.
+ *
+ * \return 0 on success, non-zero error code otherwise.
+ *
+ * \note This function does not check whether P, Q are
+ * prime and whether D is a valid private exponent.
+ *
+ */
+int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, mbedtls_mpi *DP,
+ mbedtls_mpi *DQ, mbedtls_mpi *QP);
+
+
+/**
+ * \brief Check validity of core RSA parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param N RSA modulus N = PQ
+ * \param P First prime factor of N
+ * \param Q Second prime factor of N
+ * \param D RSA private exponent
+ * \param E RSA public exponent
+ * \param f_rng PRNG to be used for primality check, or NULL
+ * \param p_rng PRNG context for f_rng, or NULL
+ *
+ * \return
+ * - 0 if the following conditions are satisfied
+ * if all relevant parameters are provided:
+ * - P prime if f_rng != NULL (%)
+ * - Q prime if f_rng != NULL (%)
+ * - 1 < N = P * Q
+ * - 1 < D, E < N
+ * - D and E are modular inverses modulo P-1 and Q-1
+ * (%) This is only done if MBEDTLS_GENPRIME is defined.
+ * - A non-zero error code otherwise.
+ *
+ * \note The function can be used with a restricted set of arguments
+ * to perform specific checks only. E.g., calling it with
+ * (-,P,-,-,-) and a PRNG amounts to a primality check for P.
+ */
+int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
+ const mbedtls_mpi *Q, const mbedtls_mpi *D,
+ const mbedtls_mpi *E,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Check validity of RSA CRT parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of RSA modulus
+ * \param Q Second prime factor of RSA modulus
+ * \param D RSA private exponent
+ * \param DP MPI to check for D modulo P-1
+ * \param DQ MPI to check for D modulo P-1
+ * \param QP MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return
+ * - 0 if the following conditions are satisfied:
+ * - D = DP mod P-1 if P, D, DP != NULL
+ * - Q = DQ mod P-1 if P, D, DQ != NULL
+ * - QP = Q^-1 mod P if P, Q, QP != NULL
+ * - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ * potentially including \c MBEDTLS_ERR_MPI_XXX if some
+ * MPI calculations failed.
+ * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ * data was provided to check DP, DQ or QP.
+ *
+ * \note The function can be used with a restricted set of arguments
+ * to perform specific checks only. E.g., calling it with the
+ * parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *DP,
+ const mbedtls_mpi *DQ, const mbedtls_mpi *QP);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa_alt_helpers.h */
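Review bot: The doc comment for `mbedtls_rsa_validate_crt` names the wrong prime for the DQ check: the `\param DQ` line says "D modulo P-1" and the return list says "Q = DQ mod P-1 if P, D, DQ != NULL". The implementation in rsa_alt_helpers.c checks DQ - D == 0 mod Q - 1 and returns `MBEDTLS_ERR_RSA_BAD_INPUT_DATA` when Q is NULL. I would change the two lines to `\param DQ MPI to check for D modulo Q-1` and `- D = DQ mod Q-1 if Q, D, DQ != NULL`. As written, a caller following the header for a DQ-only check would pass P and omit Q, and the validation would be rejected rather than performed.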
diff --git a/tf-psa-crypto/drivers/builtin/src/rsa_internal.h b/tf-psa-crypto/drivers/builtin/src/rsa_internal.h
new file mode 100644
index 0000000..f79c3b7
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/rsa_internal.h
@@ -0,0 +1,121 @@
+/**
+ * \file rsa_internal.h
+ *
+ * \brief Internal-only RSA public-key cryptosystem API.
+ *
+ * This file declares RSA-related functions that are to be used
+ * only from within the Mbed TLS library itself.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RSA_INTERNAL_H
+#define MBEDTLS_RSA_INTERNAL_H
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/asn1.h"
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded private RSA key.
+ *
+ * \param rsa The RSA context where parsed data will be stored.
+ * \param key The buffer that contains the key.
+ * \param keylen The length of the key buffer in bytes.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors.
+ * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while
+ * parsing data.
+ * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the
+ * provided key fail.
+ */
+int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen);
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key.
+ *
+ * \param rsa The RSA context where parsed data will be stored.
+ * \param key The buffer that contains the key.
+ * \param keylen The length of the key buffer in bytes.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors.
+ * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while
+ * parsing data.
+ * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the
+ * provided key fail.
+ */
+int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen);
+
+/**
+ * \brief Write a PKCS#1 (ASN.1) encoded private RSA key.
+ *
+ * \param rsa The RSA context which contains the data to be written.
+ * \param start Beginning of the buffer that will be filled with the
+ * private key.
+ * \param p End of the buffer that will be filled with the private key.
+ * On successful return, the referenced pointer will be
+ * updated in order to point to the beginning of written data.
+ *
+ * \return On success, the number of bytes written to the output buffer
+ * (i.e. a value > 0).
+ * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not
+ * contain a valid key pair.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the
+ * output buffer.
+ *
+ * \note The output buffer is filled backward, i.e. starting from its
+ * end and moving toward its start.
+ */
+int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p);
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key.
+ *
+ * \param rsa The RSA context which contains the data to be written.
+ * \param start Beginning of the buffer that will be filled with the
+ * private key.
+ * \param p End of the buffer that will be filled with the private key.
+ * On successful return, the referenced pointer will be
+ * updated in order to point to the beginning of written data.
+ *
+ * \return On success, the number of bytes written to the output buffer
+ * (i.e. a value > 0).
+ * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not
+ * contain a valid public key.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the
+ * output buffer.
+ *
+ * \note The output buffer is filled backward, i.e. starting from its
+ * end and moving toward its start.
+ */
+int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p);
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * \brief This function is analogue to \c mbedtls_rsa_rsassa_pss_sign().
+ * The only difference between them is that this function is more flexible
+ * on the parameters of \p ctx that are set with \c mbedtls_rsa_set_padding().
+ *
+ * \note Compared to its counterpart, this function:
+ * - does not check the padding setting of \p ctx.
+ * - allows the hash_id of \p ctx to be MBEDTLS_MD_NONE,
+ * in which case it uses \p md_alg as the hash_id.
+ *
+ * \note Refer to \c mbedtls_rsa_rsassa_pss_sign() for a description
+ * of the functioning and parameters of this function.
+ */
+int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig);
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#endif /* rsa_internal.h */
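Review bot: The doc comment above `mbedtls_rsa_write_pubkey()` does not describe the function it documents: its brief reads "Parse a PKCS#1 (ASN.1) encoded public RSA key", and both `\param start` and `\param p` describe a buffer "filled with the private key". It looks copied from the parser and from `mbedtls_rsa_write_key()`. I would change the brief to `\brief Write a PKCS#1 (ASN.1) encoded public RSA key.` and replace "private key" with "public key" in the two parameter descriptions. In a key-serialization API, a reader who trusts the comment could misjudge what key material ends up in the output buffer.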
diff --git a/tf-psa-crypto/drivers/builtin/src/sha1.c b/tf-psa-crypto/drivers/builtin/src/sha1.c
new file mode 100644
index 0000000..dfbe481
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/sha1.c
@@ -0,0 +1,480 @@
+/*
+ * FIPS-180-1 compliant SHA-1 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-1 standard was published by NIST in 1993.
+ *
+ * http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA1_C)
+
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_SHA1_ALT)
+
+void mbedtls_sha1_init(mbedtls_sha1_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha1_context));
+}
+
+void mbedtls_sha1_free(mbedtls_sha1_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha1_context));
+}
+
+void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
+ const mbedtls_sha1_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-1 context setup
+ */
+int mbedtls_sha1_starts(mbedtls_sha1_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+ ctx->state[4] = 0xC3D2E1F0;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
+int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t temp, W[16], A, B, C, D, E;
+ } local;
+
+ local.W[0] = MBEDTLS_GET_UINT32_BE(data, 0);
+ local.W[1] = MBEDTLS_GET_UINT32_BE(data, 4);
+ local.W[2] = MBEDTLS_GET_UINT32_BE(data, 8);
+ local.W[3] = MBEDTLS_GET_UINT32_BE(data, 12);
+ local.W[4] = MBEDTLS_GET_UINT32_BE(data, 16);
+ local.W[5] = MBEDTLS_GET_UINT32_BE(data, 20);
+ local.W[6] = MBEDTLS_GET_UINT32_BE(data, 24);
+ local.W[7] = MBEDTLS_GET_UINT32_BE(data, 28);
+ local.W[8] = MBEDTLS_GET_UINT32_BE(data, 32);
+ local.W[9] = MBEDTLS_GET_UINT32_BE(data, 36);
+ local.W[10] = MBEDTLS_GET_UINT32_BE(data, 40);
+ local.W[11] = MBEDTLS_GET_UINT32_BE(data, 44);
+ local.W[12] = MBEDTLS_GET_UINT32_BE(data, 48);
+ local.W[13] = MBEDTLS_GET_UINT32_BE(data, 52);
+ local.W[14] = MBEDTLS_GET_UINT32_BE(data, 56);
+ local.W[15] = MBEDTLS_GET_UINT32_BE(data, 60);
+
+#define S(x, n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define R(t) \
+ ( \
+ local.temp = local.W[((t) - 3) & 0x0F] ^ \
+ local.W[((t) - 8) & 0x0F] ^ \
+ local.W[((t) - 14) & 0x0F] ^ \
+ local.W[(t) & 0x0F], \
+ (local.W[(t) & 0x0F] = S(local.temp, 1)) \
+ )
+
+#define P(a, b, c, d, e, x) \
+ do \
+ { \
+ (e) += S((a), 5) + F((b), (c), (d)) + K + (x); \
+ (b) = S((b), 30); \
+ } while (0)
+
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
+ local.E = ctx->state[4];
+
+#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+#define K 0x5A827999
+
+ P(local.A, local.B, local.C, local.D, local.E, local.W[0]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[1]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[2]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[3]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[4]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[5]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[6]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[7]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[8]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[9]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[10]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[11]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[12]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[13]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[14]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[15]);
+ P(local.E, local.A, local.B, local.C, local.D, R(16));
+ P(local.D, local.E, local.A, local.B, local.C, R(17));
+ P(local.C, local.D, local.E, local.A, local.B, R(18));
+ P(local.B, local.C, local.D, local.E, local.A, R(19));
+
+#undef K
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+#define K 0x6ED9EBA1
+
+ P(local.A, local.B, local.C, local.D, local.E, R(20));
+ P(local.E, local.A, local.B, local.C, local.D, R(21));
+ P(local.D, local.E, local.A, local.B, local.C, R(22));
+ P(local.C, local.D, local.E, local.A, local.B, R(23));
+ P(local.B, local.C, local.D, local.E, local.A, R(24));
+ P(local.A, local.B, local.C, local.D, local.E, R(25));
+ P(local.E, local.A, local.B, local.C, local.D, R(26));
+ P(local.D, local.E, local.A, local.B, local.C, R(27));
+ P(local.C, local.D, local.E, local.A, local.B, R(28));
+ P(local.B, local.C, local.D, local.E, local.A, R(29));
+ P(local.A, local.B, local.C, local.D, local.E, R(30));
+ P(local.E, local.A, local.B, local.C, local.D, R(31));
+ P(local.D, local.E, local.A, local.B, local.C, R(32));
+ P(local.C, local.D, local.E, local.A, local.B, R(33));
+ P(local.B, local.C, local.D, local.E, local.A, R(34));
+ P(local.A, local.B, local.C, local.D, local.E, R(35));
+ P(local.E, local.A, local.B, local.C, local.D, R(36));
+ P(local.D, local.E, local.A, local.B, local.C, R(37));
+ P(local.C, local.D, local.E, local.A, local.B, R(38));
+ P(local.B, local.C, local.D, local.E, local.A, R(39));
+
+#undef K
+#undef F
+
+#define F(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define K 0x8F1BBCDC
+
+ P(local.A, local.B, local.C, local.D, local.E, R(40));
+ P(local.E, local.A, local.B, local.C, local.D, R(41));
+ P(local.D, local.E, local.A, local.B, local.C, R(42));
+ P(local.C, local.D, local.E, local.A, local.B, R(43));
+ P(local.B, local.C, local.D, local.E, local.A, R(44));
+ P(local.A, local.B, local.C, local.D, local.E, R(45));
+ P(local.E, local.A, local.B, local.C, local.D, R(46));
+ P(local.D, local.E, local.A, local.B, local.C, R(47));
+ P(local.C, local.D, local.E, local.A, local.B, R(48));
+ P(local.B, local.C, local.D, local.E, local.A, R(49));
+ P(local.A, local.B, local.C, local.D, local.E, R(50));
+ P(local.E, local.A, local.B, local.C, local.D, R(51));
+ P(local.D, local.E, local.A, local.B, local.C, R(52));
+ P(local.C, local.D, local.E, local.A, local.B, R(53));
+ P(local.B, local.C, local.D, local.E, local.A, R(54));
+ P(local.A, local.B, local.C, local.D, local.E, R(55));
+ P(local.E, local.A, local.B, local.C, local.D, R(56));
+ P(local.D, local.E, local.A, local.B, local.C, R(57));
+ P(local.C, local.D, local.E, local.A, local.B, R(58));
+ P(local.B, local.C, local.D, local.E, local.A, R(59));
+
+#undef K
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+#define K 0xCA62C1D6
+
+ P(local.A, local.B, local.C, local.D, local.E, R(60));
+ P(local.E, local.A, local.B, local.C, local.D, R(61));
+ P(local.D, local.E, local.A, local.B, local.C, R(62));
+ P(local.C, local.D, local.E, local.A, local.B, R(63));
+ P(local.B, local.C, local.D, local.E, local.A, R(64));
+ P(local.A, local.B, local.C, local.D, local.E, R(65));
+ P(local.E, local.A, local.B, local.C, local.D, R(66));
+ P(local.D, local.E, local.A, local.B, local.C, R(67));
+ P(local.C, local.D, local.E, local.A, local.B, R(68));
+ P(local.B, local.C, local.D, local.E, local.A, R(69));
+ P(local.A, local.B, local.C, local.D, local.E, R(70));
+ P(local.E, local.A, local.B, local.C, local.D, R(71));
+ P(local.D, local.E, local.A, local.B, local.C, R(72));
+ P(local.C, local.D, local.E, local.A, local.B, R(73));
+ P(local.B, local.C, local.D, local.E, local.A, R(74));
+ P(local.A, local.B, local.C, local.D, local.E, R(75));
+ P(local.E, local.A, local.B, local.C, local.D, R(76));
+ P(local.D, local.E, local.A, local.B, local.C, R(77));
+ P(local.C, local.D, local.E, local.A, local.B, R(78));
+ P(local.B, local.C, local.D, local.E, local.A, R(79));
+
+#undef K
+#undef F
+
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+ ctx->state[4] += local.E;
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
+
+/*
+ * SHA-1 process buffer
+ */
+int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_sha1_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-1 final digest
+ */
+int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, 64 - used);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
+
+ ret = 0;
+
+exit:
+ mbedtls_sha1_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA1_ALT */
+
+/*
+ * output = SHA-1( input buffer )
+ */
+int mbedtls_sha1(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha1_context ctx;
+
+ mbedtls_sha1_init(&ctx);
+
+ if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha1_free(&ctx);
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-1 test vectors
+ */
+static const unsigned char sha1_test_buf[3][57] =
+{
+ { "abc" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "" }
+};
+
+static const size_t sha1_test_buflen[3] =
+{
+ 3, 56, 1000
+};
+
+static const unsigned char sha1_test_sum[3][20] =
+{
+ { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
+ 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
+ { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
+ 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
+ { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
+ 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha1_self_test(int verbose)
+{
+ int i, j, buflen, ret = 0;
+ unsigned char buf[1024];
+ unsigned char sha1sum[20];
+ mbedtls_sha1_context ctx;
+
+ mbedtls_sha1_init(&ctx);
+
+ /*
+ * SHA-1
+ */
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-1 test #%d: ", i + 1);
+ }
+
+ if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (j = 0; j < 1000; j++) {
+ ret = mbedtls_sha1_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+ } else {
+ ret = mbedtls_sha1_update(&ctx, sha1_test_buf[i],
+ sha1_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha1_finish(&ctx, sha1sum)) != 0) {
+ goto fail;
+ }
+
+ if (memcmp(sha1sum, sha1_test_sum[i], 20) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha1_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA1_C */
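Review bot: In `mbedtls_sha1_update()` the length counter keeps only the low 32 bits of `ilen`: `ctx->total[0] += (uint32_t) ilen;` is followed by a carry of at most one into `ctx->total[1]`. Where `size_t` is wider than 32 bits, a single call with 4 GiB or more therefore appears to record too short a message length. The `while (ilen >= 64)` loop still processes all the data, so `mbedtls_sha1_finish()` would encode the wrong bit count and return a silently incorrect digest rather than an error. Adding the high part before the carry check, for example `ctx->total[1] += (uint32_t) ((uint64_t) ilen >> 32);`, or rejecting such lengths up front, would close the gap. Separately, a one-line comment on `mbedtls_sha1_finish()` noting that it wipes the context through `mbedtls_sha1_free(ctx)` on every path would tell callers to call `mbedtls_sha1_starts()` again before reuse.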
diff --git a/tf-psa-crypto/drivers/builtin/src/sha256.c b/tf-psa-crypto/drivers/builtin/src/sha256.c
new file mode 100644
index 0000000..8b2c345
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/sha256.c
@@ -0,0 +1,978 @@
+/*
+ * FIPS-180-2 compliant SHA-256 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if defined(__clang__) && (__clang_major__ >= 4)
+
+/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
+ * but that is defined by build_info.h, and we need this block to happen first. */
+#if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
+#if __ARM_ARCH >= 8
+#define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_CRYPTO 1
+/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
+ *
+ * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
+ * for older compilers.
+ */
+#define __ARM_FEATURE_SHA2 1
+#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#endif /* defined(__clang__) && (__clang_major__ >= 4) */
+
+/* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
+
+#include "mbedtls/sha256.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_ARCH_IS_ARMV8_A)
+
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+# if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+# warning "Target does not support NEON instructions"
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+# else
+# error "Target does not support NEON instructions"
+# endif
+# endif
+# endif
+
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+/* *INDENT-OFF* */
+
+# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION <= 6090000
+# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__clang__)
+# if __clang_major__ < 4
+# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__GNUC__)
+ /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
+ * intrinsics are missing. Missing intrinsics could be worked around.
+ */
+# if __GNUC__ < 6
+# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# else
+# pragma GCC push_options
+# pragma GCC target ("arch=armv8-a+crypto")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# else
+# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# endif
+/* *INDENT-ON* */
+
+# endif
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+# if defined(__unix__)
+# if defined(__linux__)
+/* Our preferred method of detection is getauxval() */
+# include <sys/auxv.h>
+/* These are not always defined via sys/auxv.h */
+# if !defined(HWCAP_SHA2)
+# define HWCAP_SHA2 (1 << 6)
+# endif
+# if !defined(HWCAP2_SHA2)
+# define HWCAP2_SHA2 (1 << 3)
+# endif
+# endif
+/* Use SIGILL on Unix, and fall back to it on Linux */
+# include <signal.h>
+# endif
+# endif
+#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * Capability detection code comes early, so we can disable
+ * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
+ */
+#if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
+}
+#elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
+}
+#elif defined(__APPLE__)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return 1;
+}
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#define WIN32_LEAN_AND_MEAN
+#include <Windows.h>
+#include <processthreadsapi.h>
+
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
+ 1 : 0;
+}
+#elif defined(__unix__) && defined(SIG_SETMASK)
+/* Detection with SIGILL, setjmp() and longjmp() */
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf return_from_sigill;
+
+/*
+ * Armv8-A SHA256 support detection via SIGILL
+ */
+static void sigill_handler(int signal)
+{
+ (void) signal;
+ longjmp(return_from_sigill, 1);
+}
+
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ struct sigaction old_action, new_action;
+
+ sigset_t old_mask;
+ if (sigprocmask(0, NULL, &old_mask)) {
+ return 0;
+ }
+
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = 0;
+ new_action.sa_handler = sigill_handler;
+
+ sigaction(SIGILL, &new_action, &old_action);
+
+ static int ret = 0;
+
+ if (setjmp(return_from_sigill) == 0) { /* First return only */
+ /* If this traps, we will return a second time from setjmp() with 1 */
+#if defined(MBEDTLS_ARCH_IS_ARM64)
+ asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
+#else
+ asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
+#endif
+ ret = 1;
+ }
+
+ sigaction(SIGILL, &old_action, NULL);
+ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+
+ return ret;
+}
+#else
+#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
+#undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+
+#define SHA256_BLOCK_SIZE 64
+
+void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha256_context));
+}
+
+void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
+}
+
+void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
+ const mbedtls_sha256_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
+{
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ if (is224 != 0 && is224 != 1) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA256_C)
+ if (is224 != 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA224_C only */
+ if (is224 == 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#endif
+
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if (is224 == 0) {
+#if defined(MBEDTLS_SHA256_C)
+ ctx->state[0] = 0x6A09E667;
+ ctx->state[1] = 0xBB67AE85;
+ ctx->state[2] = 0x3C6EF372;
+ ctx->state[3] = 0xA54FF53A;
+ ctx->state[4] = 0x510E527F;
+ ctx->state[5] = 0x9B05688C;
+ ctx->state[6] = 0x1F83D9AB;
+ ctx->state[7] = 0x5BE0CD19;
+#endif
+ } else {
+#if defined(MBEDTLS_SHA224_C)
+ ctx->state[0] = 0xC1059ED8;
+ ctx->state[1] = 0x367CD507;
+ ctx->state[2] = 0x3070DD17;
+ ctx->state[3] = 0xF70E5939;
+ ctx->state[4] = 0xFFC00B31;
+ ctx->state[5] = 0x68581511;
+ ctx->state[6] = 0x64F98FA7;
+ ctx->state[7] = 0xBEFA4FA4;
+#endif
+ }
+
+#if defined(MBEDTLS_SHA224_C)
+ ctx->is224 = is224;
+#endif
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
+static const uint32_t K[] =
+{
+ 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+ 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+ 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+ 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+ 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+ 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+ 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+ 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+ 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+ 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+ 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+ 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+ 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+ 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+ 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+ 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#endif
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+# define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
+# define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
+#endif
+
+static size_t mbedtls_internal_sha256_process_many_a64_crypto(
+ mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
+{
+ uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
+ uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
+
+ size_t processed = 0;
+
+ for (;
+ len >= SHA256_BLOCK_SIZE;
+ processed += SHA256_BLOCK_SIZE,
+ msg += SHA256_BLOCK_SIZE,
+ len -= SHA256_BLOCK_SIZE) {
+ uint32x4_t tmp, abcd_prev;
+
+ uint32x4_t abcd_orig = abcd;
+ uint32x4_t efgh_orig = efgh;
+
+ uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
+ uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
+ uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
+ uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
+
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
+ /* Untested on BE */
+ sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
+ sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
+ sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
+ sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
+#endif
+
+ /* Rounds 0 to 3 */
+ tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 4 to 7 */
+ tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 8 to 11 */
+ tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 12 to 15 */
+ tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ for (int t = 16; t < 64; t += 16) {
+ /* Rounds t to t + 3 */
+ sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
+ tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 4 to t + 7 */
+ sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
+ tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 8 to t + 11 */
+ sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
+ tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 12 to t + 15 */
+ sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
+ tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+ }
+
+ abcd = vaddq_u32(abcd, abcd_orig);
+ efgh = vaddq_u32(efgh, efgh_orig);
+ }
+
+ vst1q_u32(&ctx->state[0], abcd);
+ vst1q_u32(&ctx->state[4], efgh);
+
+ return processed;
+}
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and Armv8-A
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
+ */
+static
+#endif
+int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
+ SHA256_BLOCK_SIZE) ==
+ SHA256_BLOCK_SIZE) ? 0 : -1;
+}
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
+#define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
+#endif
+
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
+ !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+#define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
+#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
+
+#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define R(t) \
+ ( \
+ local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
+ S0(local.W[(t) - 15]) + local.W[(t) - 16] \
+ )
+
+#define P(a, b, c, d, e, f, g, h, x, K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a), (b), (c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
+ } while (0)
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and Armv8
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
+ */
+static
+#endif
+int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ struct {
+ uint32_t temp1, temp2, W[64];
+ uint32_t A[8];
+ } local;
+
+ unsigned int i;
+
+ for (i = 0; i < 8; i++) {
+ local.A[i] = ctx->state[i];
+ }
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+ for (i = 0; i < 64; i++) {
+ if (i < 16) {
+ local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
+ } else {
+ R(i);
+ }
+
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
+
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
+ }
+#else /* MBEDTLS_SHA256_SMALLER */
+ for (i = 0; i < 16; i++) {
+ local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
+ }
+
+ for (i = 0; i < 16; i += 8) {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
+ }
+
+ for (i = 16; i < 64; i += 8) {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
+ }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+ for (i = 0; i < 8; i++) {
+ ctx->state[i] += local.A[i];
+ }
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+
+#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+static size_t mbedtls_internal_sha256_process_many_c(
+ mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
+{
+ size_t processed = 0;
+
+ while (len >= SHA256_BLOCK_SIZE) {
+ if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
+ return 0;
+ }
+
+ data += SHA256_BLOCK_SIZE;
+ len -= SHA256_BLOCK_SIZE;
+
+ processed += SHA256_BLOCK_SIZE;
+ }
+
+ return processed;
+}
+
+#endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+
+static int mbedtls_a64_crypto_sha256_has_support(void)
+{
+ static int done = 0;
+ static int supported = 0;
+
+ if (!done) {
+ supported = mbedtls_a64_crypto_sha256_determine_support();
+ done = 1;
+ }
+
+ return supported;
+}
+
+static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
+ const uint8_t *msg, size_t len)
+{
+ if (mbedtls_a64_crypto_sha256_has_support()) {
+ return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
+ } else {
+ return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
+ }
+}
+
+int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ if (mbedtls_a64_crypto_sha256_has_support()) {
+ return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
+ } else {
+ return mbedtls_internal_sha256_process_c(ctx, data);
+ }
+}
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
+
+
+/*
+ * SHA-256 process buffer
+ */
+int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = SHA256_BLOCK_SIZE - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= SHA256_BLOCK_SIZE) {
+ size_t processed =
+ mbedtls_internal_sha256_process_many(ctx, input, ilen);
+ if (processed < SHA256_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+
+ input += processed;
+ ilen -= processed;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-256 final digest
+ */
+int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+ int truncated = 0;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
+
+#if defined(MBEDTLS_SHA224_C)
+ truncated = ctx->is224;
+#endif
+ if (!truncated) {
+ MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha256_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA256_ALT */
+
+/*
+ * output = SHA-256( input buffer )
+ */
+int mbedtls_sha256(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is224)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha256_context ctx;
+
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ if (is224 != 0 && is224 != 1) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA256_C)
+ if (is224 != 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA224_C only */
+ if (is224 == 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#endif
+
+ mbedtls_sha256_init(&ctx);
+
+ if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha256_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha_test_buf[3][57] =
+{
+ { "abc" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "" }
+};
+
+static const size_t sha_test_buflen[3] =
+{
+ 3, 56, 1000
+};
+
+typedef const unsigned char (sha_test_sum_t)[32];
+
+/*
+ * SHA-224 test vectors
+ */
+#if defined(MBEDTLS_SHA224_C)
+static sha_test_sum_t sha224_test_sum[] =
+{
+ { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
+ 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
+ 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
+ 0xE3, 0x6C, 0x9D, 0xA7 },
+ { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
+ 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
+ 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
+ 0x52, 0x52, 0x25, 0x25 },
+ { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
+ 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
+ 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
+ 0x4E, 0xE7, 0xAD, 0x67 }
+};
+#endif
+
+/*
+ * SHA-256 test vectors
+ */
+#if defined(MBEDTLS_SHA256_C)
+static sha_test_sum_t sha256_test_sum[] =
+{
+ { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+ 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+ 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+ 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
+ { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
+ 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
+ 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
+ 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
+ { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
+ 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
+ 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
+ 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
+};
+#endif
+
+/*
+ * Checkup routine
+ */
+static int mbedtls_sha256_common_self_test(int verbose, int is224)
+{
+ int i, buflen, ret = 0;
+ unsigned char *buf;
+ unsigned char sha256sum[32];
+ mbedtls_sha256_context ctx;
+
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
+#elif defined(MBEDTLS_SHA256_C)
+ sha_test_sum_t *sha_test_sum = sha256_test_sum;
+#else
+ sha_test_sum_t *sha_test_sum = sha224_test_sum;
+#endif
+
+ buf = mbedtls_calloc(1024, sizeof(unsigned char));
+ if (NULL == buf) {
+ if (verbose != 0) {
+ mbedtls_printf("Buffer allocation failed\n");
+ }
+
+ return 1;
+ }
+
+ mbedtls_sha256_init(&ctx);
+
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
+ }
+
+ if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (int j = 0; j < 1000; j++) {
+ ret = mbedtls_sha256_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ } else {
+ ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
+ sha_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
+ goto fail;
+ }
+
+
+ if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha256_free(&ctx);
+ mbedtls_free(buf);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SHA256_C)
+int mbedtls_sha256_self_test(int verbose)
+{
+ return mbedtls_sha256_common_self_test(verbose, 0);
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA224_C)
+int mbedtls_sha224_self_test(int verbose)
+{
+ return mbedtls_sha256_common_self_test(verbose, 1);
+}
+#endif /* MBEDTLS_SHA224_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
diff --git a/tf-psa-crypto/drivers/builtin/src/sha3.c b/tf-psa-crypto/drivers/builtin/src/sha3.c
new file mode 100644
index 0000000..5738559
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/sha3.c
@@ -0,0 +1,721 @@
+/*
+ * FIPS-202 compliant SHA3 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-3 Secure Hash Standard was published by NIST in 2015.
+ *
+ * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA3_C)
+
+/*
+ * These macros select manually unrolled implementations of parts of the main permutation function.
+ *
+ * Unrolling has a major impact on both performance and code size. gcc performance benefits a lot
+ * from manually unrolling at higher optimisation levels.
+ *
+ * Depending on your size/perf priorities, compiler and target, it may be beneficial to adjust
+ * these; the defaults here should give sensible trade-offs for gcc and clang on aarch64 and
+ * x86-64.
+ */
+#if !defined(MBEDTLS_SHA3_THETA_UNROLL)
+ #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names
+#endif
+#if !defined(MBEDTLS_SHA3_CHI_UNROLL)
+ #if defined(__OPTIMIZE_SIZE__)
+ #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names
+ #else
+ #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names
+ #endif
+#endif
+#if !defined(MBEDTLS_SHA3_PI_UNROLL)
+ #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names
+#endif
+#if !defined(MBEDTLS_SHA3_RHO_UNROLL)
+ #define MBEDTLS_SHA3_RHO_UNROLL 1 //no-check-names
+#endif
+
+#include "mbedtls/sha3.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include "mbedtls/platform.h"
+#endif /* MBEDTLS_SELF_TEST */
+
+#define XOR_BYTE 0x6
+
+/* Precomputed masks for the iota transform.
+ *
+ * Each round uses a 64-bit mask value. In each mask values, only
+ * bits whose position is of the form 2^k-1 can be set, thus only
+ * 7 of 64 bits of the mask need to be known for each mask value.
+ *
+ * We use a compressed encoding of the mask where bits 63, 31 and 15
+ * are moved to bits 4-6. This allows us to make each mask value
+ * 1 byte rather than 8 bytes, saving 7*24 = 168 bytes of data (with
+ * perhaps a little variation due to alignment). Decompressing this
+ * requires a little code, but much less than the savings on the table.
+ *
+ * The impact on performance depends on the platform and compiler.
+ * There's a bit more computation, but less memory bandwidth. A quick
+ * benchmark on x86_64 shows a 7% speed improvement with GCC and a
+ * 5% speed penalty with Clang, compared to the naive uint64_t[24] table.
+ * YMMV.
+ */
+/* Helper macro to set the values of the higher bits in unused low positions */
+#define H(b63, b31, b15) (b63 << 6 | b31 << 5 | b15 << 4)
+static const uint8_t iota_r_packed[24] = {
+ H(0, 0, 0) | 0x01, H(0, 0, 1) | 0x82, H(1, 0, 1) | 0x8a, H(1, 1, 1) | 0x00,
+ H(0, 0, 1) | 0x8b, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x09,
+ H(0, 0, 0) | 0x8a, H(0, 0, 0) | 0x88, H(0, 1, 1) | 0x09, H(0, 1, 0) | 0x0a,
+ H(0, 1, 1) | 0x8b, H(1, 0, 0) | 0x8b, H(1, 0, 1) | 0x89, H(1, 0, 1) | 0x03,
+ H(1, 0, 1) | 0x02, H(1, 0, 0) | 0x80, H(0, 0, 1) | 0x0a, H(1, 1, 0) | 0x0a,
+ H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x80, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x08,
+};
+#undef H
+
+static const uint32_t rho[6] = {
+ 0x3f022425, 0x1c143a09, 0x2c3d3615, 0x27191713, 0x312b382e, 0x3e030832
+};
+
+static const uint32_t pi[6] = {
+ 0x110b070a, 0x10050312, 0x04181508, 0x0d13170f, 0x0e14020c, 0x01060916
+};
+
+#define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right
+#define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3); \
+} while (0)
+#define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3)))
+#define SWAP(x, y) do { uint64_t tmp = (x); (x) = (y); (y) = tmp; } while (0)
+
+/* The permutation function. */
+static void keccak_f1600(mbedtls_sha3_context *ctx)
+{
+ uint64_t lane[5];
+ uint64_t *s = ctx->state;
+ int i;
+
+ for (int round = 0; round < 24; round++) {
+ uint64_t t;
+
+ /* Theta */
+#if MBEDTLS_SHA3_THETA_UNROLL == 0 //no-check-names
+ for (i = 0; i < 5; i++) {
+ lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20];
+ }
+ for (i = 0; i < 5; i++) {
+ t = lane[(i + 4) % 5] ^ ROTR64(lane[(i + 1) % 5], 63);
+ s[i] ^= t; s[i + 5] ^= t; s[i + 10] ^= t; s[i + 15] ^= t; s[i + 20] ^= t;
+ }
+#else
+ lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20];
+ lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21];
+ lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22];
+ lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23];
+ lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24];
+
+ t = lane[4] ^ ROTR64(lane[1], 63);
+ s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t;
+
+ t = lane[0] ^ ROTR64(lane[2], 63);
+ s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t;
+
+ t = lane[1] ^ ROTR64(lane[3], 63);
+ s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t;
+
+ t = lane[2] ^ ROTR64(lane[4], 63);
+ s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t;
+
+ t = lane[3] ^ ROTR64(lane[0], 63);
+ s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t;
+#endif
+
+ /* Rho */
+ for (i = 1; i < 25; i += 4) {
+ uint32_t r = rho[(i - 1) >> 2];
+#if MBEDTLS_SHA3_RHO_UNROLL == 0
+ for (int j = i; j < i + 4; j++) {
+ uint8_t r8 = (uint8_t) (r >> 24);
+ r <<= 8;
+ s[j] = ROTR64(s[j], r8);
+ }
+#else
+ s[i + 0] = ROTR64(s[i + 0], MBEDTLS_BYTE_3(r));
+ s[i + 1] = ROTR64(s[i + 1], MBEDTLS_BYTE_2(r));
+ s[i + 2] = ROTR64(s[i + 2], MBEDTLS_BYTE_1(r));
+ s[i + 3] = ROTR64(s[i + 3], MBEDTLS_BYTE_0(r));
+#endif
+ }
+
+ /* Pi */
+ t = s[1];
+#if MBEDTLS_SHA3_PI_UNROLL == 0
+ for (i = 0; i < 24; i += 4) {
+ uint32_t p = pi[i >> 2];
+ for (unsigned j = 0; j < 4; j++) {
+ SWAP(s[p & 0xff], t);
+ p >>= 8;
+ }
+ }
+#else
+ uint32_t p = pi[0];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[1];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[2];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[3];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[4];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[5];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+#endif
+
+ /* Chi */
+#if MBEDTLS_SHA3_CHI_UNROLL == 0 //no-check-names
+ for (i = 0; i <= 20; i += 5) {
+ lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2];
+ lane[3] = s[i + 3]; lane[4] = s[i + 4];
+ s[i + 0] ^= (~lane[1]) & lane[2];
+ s[i + 1] ^= (~lane[2]) & lane[3];
+ s[i + 2] ^= (~lane[3]) & lane[4];
+ s[i + 3] ^= (~lane[4]) & lane[0];
+ s[i + 4] ^= (~lane[0]) & lane[1];
+ }
+#else
+ lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4];
+ s[0] ^= (~lane[1]) & lane[2];
+ s[1] ^= (~lane[2]) & lane[3];
+ s[2] ^= (~lane[3]) & lane[4];
+ s[3] ^= (~lane[4]) & lane[0];
+ s[4] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[5]; lane[1] = s[6]; lane[2] = s[7]; lane[3] = s[8]; lane[4] = s[9];
+ s[5] ^= (~lane[1]) & lane[2];
+ s[6] ^= (~lane[2]) & lane[3];
+ s[7] ^= (~lane[3]) & lane[4];
+ s[8] ^= (~lane[4]) & lane[0];
+ s[9] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[10]; lane[1] = s[11]; lane[2] = s[12]; lane[3] = s[13]; lane[4] = s[14];
+ s[10] ^= (~lane[1]) & lane[2];
+ s[11] ^= (~lane[2]) & lane[3];
+ s[12] ^= (~lane[3]) & lane[4];
+ s[13] ^= (~lane[4]) & lane[0];
+ s[14] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[15]; lane[1] = s[16]; lane[2] = s[17]; lane[3] = s[18]; lane[4] = s[19];
+ s[15] ^= (~lane[1]) & lane[2];
+ s[16] ^= (~lane[2]) & lane[3];
+ s[17] ^= (~lane[3]) & lane[4];
+ s[18] ^= (~lane[4]) & lane[0];
+ s[19] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[20]; lane[1] = s[21]; lane[2] = s[22]; lane[3] = s[23]; lane[4] = s[24];
+ s[20] ^= (~lane[1]) & lane[2];
+ s[21] ^= (~lane[2]) & lane[3];
+ s[22] ^= (~lane[3]) & lane[4];
+ s[23] ^= (~lane[4]) & lane[0];
+ s[24] ^= (~lane[0]) & lane[1];
+#endif
+
+ /* Iota */
+ /* Decompress the round masks (see definition of rc) */
+ s[0] ^= ((iota_r_packed[round] & 0x40ull) << 57 |
+ (iota_r_packed[round] & 0x20ull) << 26 |
+ (iota_r_packed[round] & 0x10ull) << 11 |
+ (iota_r_packed[round] & 0x8f));
+ }
+}
+
+void mbedtls_sha3_init(mbedtls_sha3_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha3_context));
+}
+
+void mbedtls_sha3_free(mbedtls_sha3_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha3_context));
+}
+
+void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
+ const mbedtls_sha3_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-3 context setup
+ */
+int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id)
+{
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ ctx->olen = 224 / 8;
+ ctx->max_block_size = 1152 / 8;
+ break;
+ case MBEDTLS_SHA3_256:
+ ctx->olen = 256 / 8;
+ ctx->max_block_size = 1088 / 8;
+ break;
+ case MBEDTLS_SHA3_384:
+ ctx->olen = 384 / 8;
+ ctx->max_block_size = 832 / 8;
+ break;
+ case MBEDTLS_SHA3_512:
+ ctx->olen = 512 / 8;
+ ctx->max_block_size = 576 / 8;
+ break;
+ default:
+ return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
+ }
+
+ memset(ctx->state, 0, sizeof(ctx->state));
+ ctx->index = 0;
+
+ return 0;
+}
+
+/*
+ * SHA-3 process buffer
+ */
+int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
+ const uint8_t *input,
+ size_t ilen)
+{
+ if (ilen >= 8) {
+ // 8-byte align index
+ int align_bytes = 8 - (ctx->index % 8);
+ if (align_bytes) {
+ for (; align_bytes > 0; align_bytes--) {
+ ABSORB(ctx, ctx->index, *input++);
+ ilen--;
+ ctx->index++;
+ }
+ if ((ctx->index = ctx->index % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ // process input in 8-byte chunks
+ while (ilen >= 8) {
+ ABSORB(ctx, ctx->index, MBEDTLS_GET_UINT64_LE(input, 0));
+ input += 8;
+ ilen -= 8;
+ if ((ctx->index = (ctx->index + 8) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+ }
+
+ // handle remaining bytes
+ while (ilen-- > 0) {
+ ABSORB(ctx, ctx->index, *input++);
+ if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
+ uint8_t *output, size_t olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Catch SHA-3 families, with fixed output length */
+ if (ctx->olen > 0) {
+ if (ctx->olen > olen) {
+ ret = MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
+ goto exit;
+ }
+ olen = ctx->olen;
+ }
+
+ ABSORB(ctx, ctx->index, XOR_BYTE);
+ ABSORB(ctx, ctx->max_block_size - 1, 0x80);
+ keccak_f1600(ctx);
+ ctx->index = 0;
+
+ while (olen-- > 0) {
+ *output++ = SQUEEZE(ctx, ctx->index);
+
+ if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha3_free(ctx);
+ return ret;
+}
+
+/*
+ * output = SHA-3( input buffer )
+ */
+int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
+ size_t ilen, uint8_t *output, size_t olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha3_context ctx;
+
+ mbedtls_sha3_init(&ctx);
+
+ /* Sanity checks are performed in every mbedtls_sha3_xxx() */
+ if ((ret = mbedtls_sha3_starts(&ctx, id)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha3_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha3_finish(&ctx, output, olen)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha3_free(&ctx);
+
+ return ret;
+}
+
+/**************** Self-tests ****************/
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_data[2][4] =
+{
+ "",
+ "abc",
+};
+
+static const size_t test_data_len[2] =
+{
+ 0, /* "" */
+ 3 /* "abc" */
+};
+
+static const unsigned char test_hash_sha3_224[2][28] =
+{
+ { /* "" */
+ 0x6B, 0x4E, 0x03, 0x42, 0x36, 0x67, 0xDB, 0xB7,
+ 0x3B, 0x6E, 0x15, 0x45, 0x4F, 0x0E, 0xB1, 0xAB,
+ 0xD4, 0x59, 0x7F, 0x9A, 0x1B, 0x07, 0x8E, 0x3F,
+ 0x5B, 0x5A, 0x6B, 0xC7
+ },
+ { /* "abc" */
+ 0xE6, 0x42, 0x82, 0x4C, 0x3F, 0x8C, 0xF2, 0x4A,
+ 0xD0, 0x92, 0x34, 0xEE, 0x7D, 0x3C, 0x76, 0x6F,
+ 0xC9, 0xA3, 0xA5, 0x16, 0x8D, 0x0C, 0x94, 0xAD,
+ 0x73, 0xB4, 0x6F, 0xDF
+ }
+};
+
+static const unsigned char test_hash_sha3_256[2][32] =
+{
+ { /* "" */
+ 0xA7, 0xFF, 0xC6, 0xF8, 0xBF, 0x1E, 0xD7, 0x66,
+ 0x51, 0xC1, 0x47, 0x56, 0xA0, 0x61, 0xD6, 0x62,
+ 0xF5, 0x80, 0xFF, 0x4D, 0xE4, 0x3B, 0x49, 0xFA,
+ 0x82, 0xD8, 0x0A, 0x4B, 0x80, 0xF8, 0x43, 0x4A
+ },
+ { /* "abc" */
+ 0x3A, 0x98, 0x5D, 0xA7, 0x4F, 0xE2, 0x25, 0xB2,
+ 0x04, 0x5C, 0x17, 0x2D, 0x6B, 0xD3, 0x90, 0xBD,
+ 0x85, 0x5F, 0x08, 0x6E, 0x3E, 0x9D, 0x52, 0x5B,
+ 0x46, 0xBF, 0xE2, 0x45, 0x11, 0x43, 0x15, 0x32
+ }
+};
+
+static const unsigned char test_hash_sha3_384[2][48] =
+{
+ { /* "" */
+ 0x0C, 0x63, 0xA7, 0x5B, 0x84, 0x5E, 0x4F, 0x7D,
+ 0x01, 0x10, 0x7D, 0x85, 0x2E, 0x4C, 0x24, 0x85,
+ 0xC5, 0x1A, 0x50, 0xAA, 0xAA, 0x94, 0xFC, 0x61,
+ 0x99, 0x5E, 0x71, 0xBB, 0xEE, 0x98, 0x3A, 0x2A,
+ 0xC3, 0x71, 0x38, 0x31, 0x26, 0x4A, 0xDB, 0x47,
+ 0xFB, 0x6B, 0xD1, 0xE0, 0x58, 0xD5, 0xF0, 0x04
+ },
+ { /* "abc" */
+ 0xEC, 0x01, 0x49, 0x82, 0x88, 0x51, 0x6F, 0xC9,
+ 0x26, 0x45, 0x9F, 0x58, 0xE2, 0xC6, 0xAD, 0x8D,
+ 0xF9, 0xB4, 0x73, 0xCB, 0x0F, 0xC0, 0x8C, 0x25,
+ 0x96, 0xDA, 0x7C, 0xF0, 0xE4, 0x9B, 0xE4, 0xB2,
+ 0x98, 0xD8, 0x8C, 0xEA, 0x92, 0x7A, 0xC7, 0xF5,
+ 0x39, 0xF1, 0xED, 0xF2, 0x28, 0x37, 0x6D, 0x25
+ }
+};
+
+static const unsigned char test_hash_sha3_512[2][64] =
+{
+ { /* "" */
+ 0xA6, 0x9F, 0x73, 0xCC, 0xA2, 0x3A, 0x9A, 0xC5,
+ 0xC8, 0xB5, 0x67, 0xDC, 0x18, 0x5A, 0x75, 0x6E,
+ 0x97, 0xC9, 0x82, 0x16, 0x4F, 0xE2, 0x58, 0x59,
+ 0xE0, 0xD1, 0xDC, 0xC1, 0x47, 0x5C, 0x80, 0xA6,
+ 0x15, 0xB2, 0x12, 0x3A, 0xF1, 0xF5, 0xF9, 0x4C,
+ 0x11, 0xE3, 0xE9, 0x40, 0x2C, 0x3A, 0xC5, 0x58,
+ 0xF5, 0x00, 0x19, 0x9D, 0x95, 0xB6, 0xD3, 0xE3,
+ 0x01, 0x75, 0x85, 0x86, 0x28, 0x1D, 0xCD, 0x26
+ },
+ { /* "abc" */
+ 0xB7, 0x51, 0x85, 0x0B, 0x1A, 0x57, 0x16, 0x8A,
+ 0x56, 0x93, 0xCD, 0x92, 0x4B, 0x6B, 0x09, 0x6E,
+ 0x08, 0xF6, 0x21, 0x82, 0x74, 0x44, 0xF7, 0x0D,
+ 0x88, 0x4F, 0x5D, 0x02, 0x40, 0xD2, 0x71, 0x2E,
+ 0x10, 0xE1, 0x16, 0xE9, 0x19, 0x2A, 0xF3, 0xC9,
+ 0x1A, 0x7E, 0xC5, 0x76, 0x47, 0xE3, 0x93, 0x40,
+ 0x57, 0x34, 0x0B, 0x4C, 0xF4, 0x08, 0xD5, 0xA5,
+ 0x65, 0x92, 0xF8, 0x27, 0x4E, 0xEC, 0x53, 0xF0
+ }
+};
+
+static const unsigned char long_kat_hash_sha3_224[28] =
+{
+ 0xD6, 0x93, 0x35, 0xB9, 0x33, 0x25, 0x19, 0x2E,
+ 0x51, 0x6A, 0x91, 0x2E, 0x6D, 0x19, 0xA1, 0x5C,
+ 0xB5, 0x1C, 0x6E, 0xD5, 0xC1, 0x52, 0x43, 0xE7,
+ 0xA7, 0xFD, 0x65, 0x3C
+};
+
+static const unsigned char long_kat_hash_sha3_256[32] =
+{
+ 0x5C, 0x88, 0x75, 0xAE, 0x47, 0x4A, 0x36, 0x34,
+ 0xBA, 0x4F, 0xD5, 0x5E, 0xC8, 0x5B, 0xFF, 0xD6,
+ 0x61, 0xF3, 0x2A, 0xCA, 0x75, 0xC6, 0xD6, 0x99,
+ 0xD0, 0xCD, 0xCB, 0x6C, 0x11, 0x58, 0x91, 0xC1
+};
+
+static const unsigned char long_kat_hash_sha3_384[48] =
+{
+ 0xEE, 0xE9, 0xE2, 0x4D, 0x78, 0xC1, 0x85, 0x53,
+ 0x37, 0x98, 0x34, 0x51, 0xDF, 0x97, 0xC8, 0xAD,
+ 0x9E, 0xED, 0xF2, 0x56, 0xC6, 0x33, 0x4F, 0x8E,
+ 0x94, 0x8D, 0x25, 0x2D, 0x5E, 0x0E, 0x76, 0x84,
+ 0x7A, 0xA0, 0x77, 0x4D, 0xDB, 0x90, 0xA8, 0x42,
+ 0x19, 0x0D, 0x2C, 0x55, 0x8B, 0x4B, 0x83, 0x40
+};
+
+static const unsigned char long_kat_hash_sha3_512[64] =
+{
+ 0x3C, 0x3A, 0x87, 0x6D, 0xA1, 0x40, 0x34, 0xAB,
+ 0x60, 0x62, 0x7C, 0x07, 0x7B, 0xB9, 0x8F, 0x7E,
+ 0x12, 0x0A, 0x2A, 0x53, 0x70, 0x21, 0x2D, 0xFF,
+ 0xB3, 0x38, 0x5A, 0x18, 0xD4, 0xF3, 0x88, 0x59,
+ 0xED, 0x31, 0x1D, 0x0A, 0x9D, 0x51, 0x41, 0xCE,
+ 0x9C, 0xC5, 0xC6, 0x6E, 0xE6, 0x89, 0xB2, 0x66,
+ 0xA8, 0xAA, 0x18, 0xAC, 0xE8, 0x28, 0x2A, 0x0E,
+ 0x0D, 0xB5, 0x96, 0xC9, 0x0B, 0x0A, 0x7B, 0x87
+};
+
+static int mbedtls_sha3_kat_test(int verbose,
+ const char *type_name,
+ mbedtls_sha3_id id,
+ int test_num)
+{
+ uint8_t hash[64];
+ int result;
+
+ result = mbedtls_sha3(id,
+ test_data[test_num], test_data_len[test_num],
+ hash, sizeof(hash));
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d error code: %d\n",
+ type_name, test_num, result);
+ }
+
+ return result;
+ }
+
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ result = memcmp(hash, test_hash_sha3_224[test_num], 28);
+ break;
+ case MBEDTLS_SHA3_256:
+ result = memcmp(hash, test_hash_sha3_256[test_num], 32);
+ break;
+ case MBEDTLS_SHA3_384:
+ result = memcmp(hash, test_hash_sha3_384[test_num], 48);
+ break;
+ case MBEDTLS_SHA3_512:
+ result = memcmp(hash, test_hash_sha3_512[test_num], 64);
+ break;
+ default:
+ break;
+ }
+
+ if (0 != result) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d failed\n", type_name, test_num);
+ }
+
+ return -1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d passed\n", type_name, test_num);
+ }
+
+ return 0;
+}
+
+static int mbedtls_sha3_long_kat_test(int verbose,
+ const char *type_name,
+ mbedtls_sha3_id id)
+{
+ mbedtls_sha3_context ctx;
+ unsigned char buffer[1000];
+ unsigned char hash[64];
+ int result = 0;
+
+ memset(buffer, 'a', 1000);
+
+ if (verbose != 0) {
+ mbedtls_printf(" %s long KAT test ", type_name);
+ }
+
+ mbedtls_sha3_init(&ctx);
+
+ result = mbedtls_sha3_starts(&ctx, id);
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("setup failed\n ");
+ }
+ }
+
+ /* Process 1,000,000 (one million) 'a' characters */
+ for (int i = 0; i < 1000; i++) {
+ result = mbedtls_sha3_update(&ctx, buffer, 1000);
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("update error code: %i\n", result);
+ }
+
+ goto cleanup;
+ }
+ }
+
+ result = mbedtls_sha3_finish(&ctx, hash, sizeof(hash));
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("finish error code: %d\n", result);
+ }
+
+ goto cleanup;
+ }
+
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ result = memcmp(hash, long_kat_hash_sha3_224, 28);
+ break;
+ case MBEDTLS_SHA3_256:
+ result = memcmp(hash, long_kat_hash_sha3_256, 32);
+ break;
+ case MBEDTLS_SHA3_384:
+ result = memcmp(hash, long_kat_hash_sha3_384, 48);
+ break;
+ case MBEDTLS_SHA3_512:
+ result = memcmp(hash, long_kat_hash_sha3_512, 64);
+ break;
+ default:
+ break;
+ }
+
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+ mbedtls_sha3_free(&ctx);
+ return result;
+}
+
+int mbedtls_sha3_self_test(int verbose)
+{
+ int i;
+
+ /* SHA-3 Known Answer Tests (KAT) */
+ for (i = 0; i < 2; i++) {
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-224", MBEDTLS_SHA3_224, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-256", MBEDTLS_SHA3_256, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-384", MBEDTLS_SHA3_384, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-512", MBEDTLS_SHA3_512, i)) {
+ return 1;
+ }
+ }
+
+ /* SHA-3 long KAT tests */
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-224", MBEDTLS_SHA3_224)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-256", MBEDTLS_SHA3_256)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-384", MBEDTLS_SHA3_384)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-512", MBEDTLS_SHA3_512)) {
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA3_C */
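Review bot: mbedtls_sha3_update() and mbedtls_sha3_finish() use `ctx->max_block_size` as a modulus without checking that mbedtls_sha3_starts() has succeeded on the context. mbedtls_sha3_init() zeroes the context and finish zeroizes it again through mbedtls_sha3_free(), so an update with non-zero `ilen` on such a context evaluates `% ctx->max_block_size` with a zero divisor. In finish, `ctx->olen == 0` skips the length check and `ctx->max_block_size - 1` is then passed to ABSORB, which is not a valid position in `ctx->state` when the field is zero. A guard at the top of update, `if (ctx->max_block_size == 0) { return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA; }`, and the same test in finish with `ret = MBEDTLS_ERR_SHA3_BAD_INPUT_DATA; goto exit;`, would turn the misuse into an error return. mbedtls_sha3_long_kat_test() in this hunk takes that path, printing "setup failed" when starts fails and still calling update, so that branch needs a `goto cleanup;` as well.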
diff --git a/tf-psa-crypto/drivers/builtin/src/sha512.c b/tf-psa-crypto/drivers/builtin/src/sha512.c
new file mode 100644
index 0000000..6dcea8d
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/sha512.c
@@ -0,0 +1,1112 @@
+/*
+ * FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \
+ defined(__clang__) && __clang_major__ >= 7
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_SHA512 1
+#define MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C)
+
+#include "mbedtls/sha512.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+ #define UL64(x) x##ui64
+#else
+ #define UL64(x) x##ULL
+#endif
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(__aarch64__)
+# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+/* *INDENT-OFF* */
+# if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
+# error "Target does not support NEON instructions"
+# endif
+/*
+ * Best performance comes from most recent compilers, with intrinsics and -O3.
+ * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
+ * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12).
+ *
+ * GCC < 8 won't work at all (lacks the sha512 instructions)
+ * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512
+ *
+ * Clang < 7 won't work at all (lacks the sha512 instructions)
+ * Clang 7-12 don't have intrinsics (but we work around that with inline
+ * assembler) or __ARM_FEATURE_SHA512
+ * Clang == 13.0.0 same as clang 12 (only seen on macOS)
+ * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics
+ */
+# if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG)
+ /* Test Clang first, as it defines __GNUC__ */
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION < 6090000
+# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# elif __ARMCOMPILER_VERSION == 6090000
+# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__clang__)
+# if __clang_major__ < 7
+# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__GNUC__)
+# if __GNUC__ < 8
+# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma GCC push_options
+# pragma GCC target ("arch=armv8.2-a+sha3")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# else
+# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# endif
+# endif
+/* *INDENT-ON* */
+# endif
+# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+# if defined(__unix__)
+# if defined(__linux__)
+/* Our preferred method of detection is getauxval() */
+# include <sys/auxv.h>
+# if !defined(HWCAP_SHA512)
+/* The same header that declares getauxval() should provide the HWCAP_xxx
+ * constants to analyze its return value. However, the libc may be too
+ * old to have the constant that we need. So if it's missing, assume that
+ * the value is the same one used by the Linux kernel ABI.
+ */
+# define HWCAP_SHA512 (1 << 21)
+# endif
+# endif
+/* Use SIGILL on Unix, and fall back to it on Linux */
+# include <signal.h>
+# endif
+# endif
+#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+# undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
+# undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+#endif
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * Capability detection code comes early, so we can disable
+ * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
+ */
+#if defined(HWCAP_SHA512)
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ return (getauxval(AT_HWCAP) & HWCAP_SHA512) ? 1 : 0;
+}
+#elif defined(__APPLE__)
+#include <sys/types.h>
+#include <sys/sysctl.h>
+
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ int value = 0;
+ size_t value_len = sizeof(value);
+
+ int ret = sysctlbyname("hw.optional.armv8_2_sha512", &value, &value_len,
+ NULL, 0);
+ return ret == 0 && value != 0;
+}
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+/*
+ * As of March 2022, there don't appear to be any PF_ARM_V8_* flags
+ * available to pass to IsProcessorFeaturePresent() to check for
+ * SHA-512 support. So we fall back to the C code only.
+ */
+#if defined(_MSC_VER)
+#pragma message "No mechanism to detect A64_CRYPTO found, using C code only"
+#else
+#warning "No mechanism to detect A64_CRYPTO found, using C code only"
+#endif
+#elif defined(__unix__) && defined(SIG_SETMASK)
+/* Detection with SIGILL, setjmp() and longjmp() */
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf return_from_sigill;
+
+/*
+ * A64 SHA512 support detection via SIGILL
+ */
+static void sigill_handler(int signal)
+{
+ (void) signal;
+ longjmp(return_from_sigill, 1);
+}
+
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ struct sigaction old_action, new_action;
+
+ sigset_t old_mask;
+ if (sigprocmask(0, NULL, &old_mask)) {
+ return 0;
+ }
+
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = 0;
+ new_action.sa_handler = sigill_handler;
+
+ sigaction(SIGILL, &new_action, &old_action);
+
+ static int ret = 0;
+
+ if (setjmp(return_from_sigill) == 0) { /* First return only */
+ /* If this traps, we will return a second time from setjmp() with 1 */
+ asm ("sha512h q0, q0, v0.2d" : : : "v0");
+ ret = 1;
+ }
+
+ sigaction(SIGILL, &old_action, NULL);
+ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+
+ return ret;
+}
+#else
+#warning "No mechanism to detect A64_CRYPTO found, using C code only"
+#undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+#endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+
+#define SHA512_BLOCK_SIZE 128
+
+#if defined(MBEDTLS_SHA512_SMALLER)
+static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i)
+{
+ MBEDTLS_PUT_UINT64_BE(n, b, i);
+}
+#else
+#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
+#endif /* MBEDTLS_SHA512_SMALLER */
+
+void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha512_context));
+}
+
+void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context));
+}
+
+void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
+ const mbedtls_sha512_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384)
+{
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ if (is384 != 0 && is384 != 1) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA512_C)
+ if (is384 != 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA384_C only */
+ if (is384 == 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#endif
+
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if (is384 == 0) {
+#if defined(MBEDTLS_SHA512_C)
+ ctx->state[0] = UL64(0x6A09E667F3BCC908);
+ ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+ ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+ ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+ ctx->state[4] = UL64(0x510E527FADE682D1);
+ ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+ ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+ ctx->state[7] = UL64(0x5BE0CD19137E2179);
+#endif /* MBEDTLS_SHA512_C */
+ } else {
+#if defined(MBEDTLS_SHA384_C)
+ ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+ ctx->state[1] = UL64(0x629A292A367CD507);
+ ctx->state[2] = UL64(0x9159015A3070DD17);
+ ctx->state[3] = UL64(0x152FECD8F70E5939);
+ ctx->state[4] = UL64(0x67332667FFC00B31);
+ ctx->state[5] = UL64(0x8EB44A8768581511);
+ ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+ ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+#endif /* MBEDTLS_SHA384_C */
+ }
+
+#if defined(MBEDTLS_SHA384_C)
+ ctx->is384 = is384;
+#endif
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+ UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
+ UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
+ UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
+ UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
+ UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
+ UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
+ UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
+ UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
+ UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
+ UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
+ UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
+ UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
+ UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
+ UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
+ UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
+ UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
+ UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
+ UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
+ UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
+ UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
+ UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
+ UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
+ UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
+ UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
+ UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
+ UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
+ UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
+ UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
+ UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
+ UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
+ UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
+ UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
+ UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
+ UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
+ UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
+ UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
+ UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
+ UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
+ UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
+ UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
+};
+#endif
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+# define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many
+# define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process
+#endif
+
+/* Accelerated SHA-512 implementation originally written by Simon Tatham for PuTTY,
+ * under the MIT licence; dual-licensed as Apache 2 with his kind permission.
+ */
+
+#if defined(__clang__) && \
+ (__clang_major__ < 13 || \
+ (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0))
+static inline uint64x2_t vsha512su0q_u64(uint64x2_t x, uint64x2_t y)
+{
+ asm ("sha512su0 %0.2D,%1.2D" : "+w" (x) : "w" (y));
+ return x;
+}
+static inline uint64x2_t vsha512su1q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512su1 %0.2D,%1.2D,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+static inline uint64x2_t vsha512hq_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512h %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+static inline uint64x2_t vsha512h2q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512h2 %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+#endif /* __clang__ etc */
+
+static size_t mbedtls_internal_sha512_process_many_a64_crypto(
+ mbedtls_sha512_context *ctx, const uint8_t *msg, size_t len)
+{
+ uint64x2_t ab = vld1q_u64(&ctx->state[0]);
+ uint64x2_t cd = vld1q_u64(&ctx->state[2]);
+ uint64x2_t ef = vld1q_u64(&ctx->state[4]);
+ uint64x2_t gh = vld1q_u64(&ctx->state[6]);
+
+ size_t processed = 0;
+
+ for (;
+ len >= SHA512_BLOCK_SIZE;
+ processed += SHA512_BLOCK_SIZE,
+ msg += SHA512_BLOCK_SIZE,
+ len -= SHA512_BLOCK_SIZE) {
+ uint64x2_t initial_sum, sum, intermed;
+
+ uint64x2_t ab_orig = ab;
+ uint64x2_t cd_orig = cd;
+ uint64x2_t ef_orig = ef;
+ uint64x2_t gh_orig = gh;
+
+ uint64x2_t s0 = (uint64x2_t) vld1q_u8(msg + 16 * 0);
+ uint64x2_t s1 = (uint64x2_t) vld1q_u8(msg + 16 * 1);
+ uint64x2_t s2 = (uint64x2_t) vld1q_u8(msg + 16 * 2);
+ uint64x2_t s3 = (uint64x2_t) vld1q_u8(msg + 16 * 3);
+ uint64x2_t s4 = (uint64x2_t) vld1q_u8(msg + 16 * 4);
+ uint64x2_t s5 = (uint64x2_t) vld1q_u8(msg + 16 * 5);
+ uint64x2_t s6 = (uint64x2_t) vld1q_u8(msg + 16 * 6);
+ uint64x2_t s7 = (uint64x2_t) vld1q_u8(msg + 16 * 7);
+
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* assume LE if these not defined; untested on BE */
+ s0 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s0)));
+ s1 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s1)));
+ s2 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s2)));
+ s3 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s3)));
+ s4 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s4)));
+ s5 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s5)));
+ s6 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s6)));
+ s7 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s7)));
+#endif
+
+ /* Rounds 0 and 1 */
+ initial_sum = vaddq_u64(s0, vld1q_u64(&K[0]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds 2 and 3 */
+ initial_sum = vaddq_u64(s1, vld1q_u64(&K[2]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds 4 and 5 */
+ initial_sum = vaddq_u64(s2, vld1q_u64(&K[4]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds 6 and 7 */
+ initial_sum = vaddq_u64(s3, vld1q_u64(&K[6]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ /* Rounds 8 and 9 */
+ initial_sum = vaddq_u64(s4, vld1q_u64(&K[8]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds 10 and 11 */
+ initial_sum = vaddq_u64(s5, vld1q_u64(&K[10]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds 12 and 13 */
+ initial_sum = vaddq_u64(s6, vld1q_u64(&K[12]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds 14 and 15 */
+ initial_sum = vaddq_u64(s7, vld1q_u64(&K[14]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ for (unsigned int t = 16; t < 80; t += 16) {
+ /* Rounds t and t + 1 */
+ s0 = vsha512su1q_u64(vsha512su0q_u64(s0, s1), s7, vextq_u64(s4, s5, 1));
+ initial_sum = vaddq_u64(s0, vld1q_u64(&K[t]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds t + 2 and t + 3 */
+ s1 = vsha512su1q_u64(vsha512su0q_u64(s1, s2), s0, vextq_u64(s5, s6, 1));
+ initial_sum = vaddq_u64(s1, vld1q_u64(&K[t + 2]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds t + 4 and t + 5 */
+ s2 = vsha512su1q_u64(vsha512su0q_u64(s2, s3), s1, vextq_u64(s6, s7, 1));
+ initial_sum = vaddq_u64(s2, vld1q_u64(&K[t + 4]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds t + 6 and t + 7 */
+ s3 = vsha512su1q_u64(vsha512su0q_u64(s3, s4), s2, vextq_u64(s7, s0, 1));
+ initial_sum = vaddq_u64(s3, vld1q_u64(&K[t + 6]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ /* Rounds t + 8 and t + 9 */
+ s4 = vsha512su1q_u64(vsha512su0q_u64(s4, s5), s3, vextq_u64(s0, s1, 1));
+ initial_sum = vaddq_u64(s4, vld1q_u64(&K[t + 8]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds t + 10 and t + 11 */
+ s5 = vsha512su1q_u64(vsha512su0q_u64(s5, s6), s4, vextq_u64(s1, s2, 1));
+ initial_sum = vaddq_u64(s5, vld1q_u64(&K[t + 10]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds t + 12 and t + 13 */
+ s6 = vsha512su1q_u64(vsha512su0q_u64(s6, s7), s5, vextq_u64(s2, s3, 1));
+ initial_sum = vaddq_u64(s6, vld1q_u64(&K[t + 12]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds t + 14 and t + 15 */
+ s7 = vsha512su1q_u64(vsha512su0q_u64(s7, s0), s6, vextq_u64(s3, s4, 1));
+ initial_sum = vaddq_u64(s7, vld1q_u64(&K[t + 14]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+ }
+
+ ab = vaddq_u64(ab, ab_orig);
+ cd = vaddq_u64(cd, cd_orig);
+ ef = vaddq_u64(ef, ef_orig);
+ gh = vaddq_u64(gh, gh_orig);
+ }
+
+ vst1q_u64(&ctx->state[0], ab);
+ vst1q_u64(&ctx->state[2], cd);
+ vst1q_u64(&ctx->state[4], ef);
+ vst1q_u64(&ctx->state[6], gh);
+
+ return processed;
+}
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and A64
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
+ */
+static
+#endif
+int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ return (mbedtls_internal_sha512_process_many_a64_crypto(ctx, data,
+ SHA512_BLOCK_SIZE) ==
+ SHA512_BLOCK_SIZE) ? 0 : -1;
+}
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+
+#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+#define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many
+#define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process
+#endif
+
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and A64
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
+ */
+static
+#endif
+int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ int i;
+ struct {
+ uint64_t temp1, temp2, W[80];
+ uint64_t A[8];
+ } local;
+
+#define SHR(x, n) ((x) >> (n))
+#define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n))))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
+#define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
+
+#define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
+#define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
+
+#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define P(a, b, c, d, e, f, g, h, x, K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a), (b), (c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
+ } while (0)
+
+ for (i = 0; i < 8; i++) {
+ local.A[i] = ctx->state[i];
+ }
+
+#if defined(MBEDTLS_SHA512_SMALLER)
+ for (i = 0; i < 80; i++) {
+ if (i < 16) {
+ local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
+ } else {
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
+ }
+
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
+
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
+ }
+#else /* MBEDTLS_SHA512_SMALLER */
+ for (i = 0; i < 16; i++) {
+ local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
+ }
+
+ for (; i < 80; i++) {
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
+ }
+
+ i = 0;
+ do {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++;
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++;
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++;
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++;
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++;
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++;
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++;
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++;
+ } while (i < 80);
+#endif /* MBEDTLS_SHA512_SMALLER */
+
+ for (i = 0; i < 8; i++) {
+ ctx->state[i] += local.A[i];
+ }
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+
+#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+static size_t mbedtls_internal_sha512_process_many_c(
+ mbedtls_sha512_context *ctx, const uint8_t *data, size_t len)
+{
+ size_t processed = 0;
+
+ while (len >= SHA512_BLOCK_SIZE) {
+ if (mbedtls_internal_sha512_process_c(ctx, data) != 0) {
+ return 0;
+ }
+
+ data += SHA512_BLOCK_SIZE;
+ len -= SHA512_BLOCK_SIZE;
+
+ processed += SHA512_BLOCK_SIZE;
+ }
+
+ return processed;
+}
+
+#endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+
+static int mbedtls_a64_crypto_sha512_has_support(void)
+{
+ static int done = 0;
+ static int supported = 0;
+
+ if (!done) {
+ supported = mbedtls_a64_crypto_sha512_determine_support();
+ done = 1;
+ }
+
+ return supported;
+}
+
+static size_t mbedtls_internal_sha512_process_many(mbedtls_sha512_context *ctx,
+ const uint8_t *msg, size_t len)
+{
+ if (mbedtls_a64_crypto_sha512_has_support()) {
+ return mbedtls_internal_sha512_process_many_a64_crypto(ctx, msg, len);
+ } else {
+ return mbedtls_internal_sha512_process_many_c(ctx, msg, len);
+ }
+}
+
+int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ if (mbedtls_a64_crypto_sha512_has_support()) {
+ return mbedtls_internal_sha512_process_a64_crypto(ctx, data);
+ } else {
+ return mbedtls_internal_sha512_process_c(ctx, data);
+ }
+}
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
+
+/*
+ * SHA-512 process buffer
+ */
+int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ unsigned int left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = (unsigned int) (ctx->total[0] & 0x7F);
+ fill = SHA512_BLOCK_SIZE - left;
+
+ ctx->total[0] += (uint64_t) ilen;
+
+ if (ctx->total[0] < (uint64_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= SHA512_BLOCK_SIZE) {
+ size_t processed =
+ mbedtls_internal_sha512_process_many(ctx, input, ilen);
+ if (processed < SHA512_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+
+ input += processed;
+ ilen -= processed;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-512 final digest
+ */
+int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned used;
+ uint64_t high, low;
+ int truncated = 0;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x7F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 112) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 112 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 112);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 61)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ sha512_put_uint64_be(high, ctx->buffer, 112);
+ sha512_put_uint64_be(low, ctx->buffer, 120);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ sha512_put_uint64_be(ctx->state[0], output, 0);
+ sha512_put_uint64_be(ctx->state[1], output, 8);
+ sha512_put_uint64_be(ctx->state[2], output, 16);
+ sha512_put_uint64_be(ctx->state[3], output, 24);
+ sha512_put_uint64_be(ctx->state[4], output, 32);
+ sha512_put_uint64_be(ctx->state[5], output, 40);
+
+#if defined(MBEDTLS_SHA384_C)
+ truncated = ctx->is384;
+#endif
+ if (!truncated) {
+ sha512_put_uint64_be(ctx->state[6], output, 48);
+ sha512_put_uint64_be(ctx->state[7], output, 56);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha512_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA512_ALT */
+
+/*
+ * output = SHA-512( input buffer )
+ */
+int mbedtls_sha512(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is384)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha512_context ctx;
+
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ if (is384 != 0 && is384 != 1) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA512_C)
+ if (is384 != 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA384_C only */
+ if (is384 == 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#endif
+
+ mbedtls_sha512_init(&ctx);
+
+ if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha512_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha512_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha512_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha_test_buf[3][113] =
+{
+ { "abc" },
+ {
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
+ },
+ { "" }
+};
+
+static const size_t sha_test_buflen[3] =
+{
+ 3, 112, 1000
+};
+
+typedef const unsigned char (sha_test_sum_t)[64];
+
+/*
+ * SHA-384 test vectors
+ */
+#if defined(MBEDTLS_SHA384_C)
+static sha_test_sum_t sha384_test_sum[] =
+{
+ { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
+ 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
+ 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
+ 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
+ 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
+ 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
+ { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
+ 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
+ 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
+ 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
+ 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
+ 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
+ { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
+ 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
+ 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
+ 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
+ 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
+ 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 }
+};
+#endif /* MBEDTLS_SHA384_C */
+
+/*
+ * SHA-512 test vectors
+ */
+#if defined(MBEDTLS_SHA512_C)
+static sha_test_sum_t sha512_test_sum[] =
+{
+ { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
+ 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
+ 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
+ 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
+ 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
+ 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
+ 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
+ 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
+ { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+ 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+ 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+ 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+ 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+ 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+ 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+ 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
+ { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
+ 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
+ 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
+ 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
+ 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
+ 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
+ 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
+ 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
+};
+#endif /* MBEDTLS_SHA512_C */
+
+static int mbedtls_sha512_common_self_test(int verbose, int is384)
+{
+ int i, buflen, ret = 0;
+ unsigned char *buf;
+ unsigned char sha512sum[64];
+ mbedtls_sha512_context ctx;
+
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ sha_test_sum_t *sha_test_sum = (is384) ? sha384_test_sum : sha512_test_sum;
+#elif defined(MBEDTLS_SHA512_C)
+ sha_test_sum_t *sha_test_sum = sha512_test_sum;
+#else
+ sha_test_sum_t *sha_test_sum = sha384_test_sum;
+#endif
+
+ buf = mbedtls_calloc(1024, sizeof(unsigned char));
+ if (NULL == buf) {
+ if (verbose != 0) {
+ mbedtls_printf("Buffer allocation failed\n");
+ }
+
+ return 1;
+ }
+
+ mbedtls_sha512_init(&ctx);
+
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-%d test #%d: ", 512 - is384 * 128, i + 1);
+ }
+
+ if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (int j = 0; j < 1000; j++) {
+ ret = mbedtls_sha512_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+ } else {
+ ret = mbedtls_sha512_update(&ctx, sha_test_buf[i],
+ sha_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha512_finish(&ctx, sha512sum)) != 0) {
+ goto fail;
+ }
+
+ if (memcmp(sha512sum, sha_test_sum[i], 64 - is384 * 16) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha512_free(&ctx);
+ mbedtls_free(buf);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SHA512_C)
+int mbedtls_sha512_self_test(int verbose)
+{
+ return mbedtls_sha512_common_self_test(verbose, 0);
+}
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA384_C)
+int mbedtls_sha384_self_test(int verbose)
+{
+ return mbedtls_sha512_common_self_test(verbose, 1);
+}
+#endif /* MBEDTLS_SHA384_C */
+
+#undef ARRAY_LENGTH
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA512_C || MBEDTLS_SHA384_C */
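Review bot: `mbedtls_a64_crypto_sha512_has_support()` caches its result in plain `static int done` / `supported` with no synchronisation, so two threads that hash for the first time at once can both enter `mbedtls_a64_crypto_sha512_determine_support()`. On the `__unix__ && SIG_SETMASK` path that function replaces the process-wide SIGILL handler, shares one static `jmp_buf`, and restores the saved handler afterwards. If two calls interleave, one thread can save the other's `sigill_handler` as its "old" action, or run the `sha512h` probe after the handler has been restored; on a CPU without the extension that would presumably end the process rather than fall back to the C code. Both `sigaction()` results are also ignored, so a failed install still executes the probe; I would guard it with `if (sigaction(SIGILL, &new_action, &old_action) != 0) return 0;`. I would also add a comment above `mbedtls_a64_crypto_sha512_has_support()` saying that the first call must complete before other threads use SHA-512, or serialise it when `MBEDTLS_THREADING_C` is enabled.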
diff --git a/tf-psa-crypto/drivers/builtin/src/threading.c b/tf-psa-crypto/drivers/builtin/src/threading.c
new file mode 100644
index 0000000..85db243
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/threading.c
@@ -0,0 +1,195 @@
+/*
+ * Threading abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_THREADING_C)
+
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+ defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+ * (__APPLE__ && __MACH__)) */
+
+#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
+ (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32))
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
+ ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return;
+ }
+
+ /* One problem here is that calling lock on a pthread mutex without first
+ * having initialised it is undefined behaviour. Obviously we cannot check
+ * this here in a thread safe manner without a significant performance
+ * hit, so state transitions are checked in tests only via the state
+ * variable. Please make sure any new mutex that gets added is exercised in
+ * tests; see tests/src/threading_helpers.c for more details. */
+ (void) pthread_mutex_init(&mutex->mutex, NULL);
+}
+
+static void threading_mutex_free_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return;
+ }
+
+ (void) pthread_mutex_destroy(&mutex->mutex);
+}
+
+static int threading_mutex_lock_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_mutex_lock(&mutex->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+
+ return 0;
+}
+
+static int threading_mutex_unlock_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_mutex_unlock(&mutex->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+
+ return 0;
+}
+
+void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_init_pthread;
+void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_free_pthread;
+int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_lock_pthread;
+int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_unlock_pthread;
+
+/*
+ * With pthreads we can statically initialize mutexes
+ */
+#define MUTEX_INIT = { PTHREAD_MUTEX_INITIALIZER, 1 }
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+static int threading_mutex_fail(mbedtls_threading_mutex_t *mutex)
+{
+ ((void) mutex);
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+}
+static void threading_mutex_dummy(mbedtls_threading_mutex_t *mutex)
+{
+ ((void) mutex);
+ return;
+}
+
+void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
+void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
+int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
+int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
+
+/*
+ * Set functions pointers and initialize global mutexes
+ */
+void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
+ void (*mutex_free)(mbedtls_threading_mutex_t *),
+ int (*mutex_lock)(mbedtls_threading_mutex_t *),
+ int (*mutex_unlock)(mbedtls_threading_mutex_t *))
+{
+ mbedtls_mutex_init = mutex_init;
+ mbedtls_mutex_free = mutex_free;
+ mbedtls_mutex_lock = mutex_lock;
+ mbedtls_mutex_unlock = mutex_unlock;
+
+#if defined(MBEDTLS_FS_IO)
+ mbedtls_mutex_init(&mbedtls_threading_readdir_mutex);
+#endif
+#if defined(THREADING_USE_GMTIME)
+ mbedtls_mutex_init(&mbedtls_threading_gmtime_mutex);
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_init(&mbedtls_threading_key_slot_mutex);
+ mbedtls_mutex_init(&mbedtls_threading_psa_globaldata_mutex);
+ mbedtls_mutex_init(&mbedtls_threading_psa_rngdata_mutex);
+#endif
+}
+
+/*
+ * Free global mutexes
+ */
+void mbedtls_threading_free_alt(void)
+{
+#if defined(MBEDTLS_FS_IO)
+ mbedtls_mutex_free(&mbedtls_threading_readdir_mutex);
+#endif
+#if defined(THREADING_USE_GMTIME)
+ mbedtls_mutex_free(&mbedtls_threading_gmtime_mutex);
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_free(&mbedtls_threading_key_slot_mutex);
+ mbedtls_mutex_free(&mbedtls_threading_psa_globaldata_mutex);
+ mbedtls_mutex_free(&mbedtls_threading_psa_rngdata_mutex);
+#endif
+}
+#endif /* MBEDTLS_THREADING_ALT */
+
+/*
+ * Define global mutexes
+ */
+#ifndef MUTEX_INIT
+#define MUTEX_INIT
+#endif
+#if defined(MBEDTLS_FS_IO)
+mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
+#endif
+#if defined(THREADING_USE_GMTIME)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex MUTEX_INIT;
+mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex MUTEX_INIT;
+mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex MUTEX_INIT;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
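Review bot: In `threading_mutex_init_pthread` the result of `pthread_mutex_init()` is cast to `void`, so a failed initialisation leaves a mutex on which the later `pthread_mutex_lock()` in `threading_mutex_lock_pthread` has undefined behaviour, and the caller gets no signal. The hook is declared as returning `void`, so the failure cannot be propagated from here, and the comment above the call only discusses the never-initialised case. I would extend that comment so the ignored return value is a documented decision, e.g. `/* A pthread_mutex_init() failure is deliberately ignored: the init hook returns void and cannot report it. */`.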
diff --git a/tf-psa-crypto/drivers/builtin/src/timing.c b/tf-psa-crypto/drivers/builtin/src/timing.c
new file mode 100644
index 0000000..58f1c1e
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/timing.c
@@ -0,0 +1,154 @@
+/*
+ * Portable interface to the CPU cycle counter
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_TIMING_C)
+
+#include "mbedtls/timing.h"
+
+#if !defined(MBEDTLS_TIMING_ALT)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__) && !defined(__midipix__)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in mbedtls_config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <process.h>
+
+struct _hr_time {
+ LARGE_INTEGER start;
+};
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <signal.h>
+/* time.h should be included independently of MBEDTLS_HAVE_TIME. If the
+ * platform matches the ifdefs above, it will be used. */
+#include <time.h>
+#include <sys/time.h>
+struct _hr_time {
+ struct timeval start;
+};
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/**
+ * \brief Return the elapsed time in milliseconds
+ *
+ * \warning May change without notice
+ *
+ * \param val points to a timer structure
+ * \param reset If 0, query the elapsed time. Otherwise (re)start the timer.
+ *
+ * \return Elapsed time since the previous reset in ms. When
+ * restarting, this is always 0.
+ *
+ * \note To initialize a timer, call this function with reset=1.
+ *
+ * Determining the elapsed time and resetting the timer is not
+ * atomic on all platforms, so after the sequence
+ * `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
+ * get_timer(0) }` the value time1+time2 is only approximately
+ * the delay since the first reset.
+ */
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
+{
+ struct _hr_time *t = (struct _hr_time *) val;
+
+ if (reset) {
+ QueryPerformanceCounter(&t->start);
+ return 0;
+ } else {
+ unsigned long delta;
+ LARGE_INTEGER now, hfreq;
+ QueryPerformanceCounter(&now);
+ QueryPerformanceFrequency(&hfreq);
+ delta = (unsigned long) ((now.QuadPart - t->start.QuadPart) * 1000ul
+ / hfreq.QuadPart);
+ return delta;
+ }
+}
+
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
+{
+ struct _hr_time *t = (struct _hr_time *) val;
+
+ if (reset) {
+ gettimeofday(&t->start, NULL);
+ return 0;
+ } else {
+ unsigned long delta;
+ struct timeval now;
+ gettimeofday(&now, NULL);
+ delta = (now.tv_sec - t->start.tv_sec) * 1000ul
+ + (now.tv_usec - t->start.tv_usec) / 1000;
+ return delta;
+ }
+}
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Set delays to watch
+ */
+void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms)
+{
+ mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+
+ ctx->int_ms = int_ms;
+ ctx->fin_ms = fin_ms;
+
+ if (fin_ms != 0) {
+ (void) mbedtls_timing_get_timer(&ctx->timer, 1);
+ }
+}
+
+/*
+ * Get number of delays expired
+ */
+int mbedtls_timing_get_delay(void *data)
+{
+ mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+ unsigned long elapsed_ms;
+
+ if (ctx->fin_ms == 0) {
+ return -1;
+ }
+
+ elapsed_ms = mbedtls_timing_get_timer(&ctx->timer, 0);
+
+ if (elapsed_ms >= ctx->fin_ms) {
+ return 2;
+ }
+
+ if (elapsed_ms >= ctx->int_ms) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
+ * Get the final delay.
+ */
+uint32_t mbedtls_timing_get_final_delay(
+ const mbedtls_timing_delay_context *data)
+{
+ return data->fin_ms;
+}
+#endif /* !MBEDTLS_TIMING_ALT */
+#endif /* MBEDTLS_TIMING_C */
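Review bot: The non-Windows `mbedtls_timing_get_timer` measures elapsed time with `gettimeofday()`, which is wall-clock time, so a clock step (NTP correction, manual change) between the reset and the query changes the result. A backwards step makes the unsigned `delta` wrap to a very large value and `mbedtls_timing_get_delay` then returns 2 (final delay expired) immediately, while a forward step expires the delays early. A monotonic source avoids this, as sketched below. It assumes `struct timespec` fits in the opaque `struct mbedtls_timing_hr_time` (declared outside this hunk) and that the platform provides `CLOCK_MONOTONIC`, so both need a check before adopting it.

```c
struct _hr_time {
    struct timespec start;
};
/* … unchanged: Windows branch and the doc comment … */
unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
{
    struct _hr_time *t = (struct _hr_time *) val;

    if (reset) {
        clock_gettime(CLOCK_MONOTONIC, &t->start);
        return 0;
    } else {
        struct timespec now;
        clock_gettime(CLOCK_MONOTONIC, &now);
        return (unsigned long) ((now.tv_sec - t->start.tv_sec) * 1000
                                + (now.tv_nsec - t->start.tv_nsec) / 1000000);
    }
}
```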
diff --git a/tf-psa-crypto/drivers/builtin/src/version.c b/tf-psa-crypto/drivers/builtin/src/version.c
new file mode 100644
index 0000000..0439733
--- /dev/null
+++ b/tf-psa-crypto/drivers/builtin/src/version.c
@@ -0,0 +1,32 @@
+/*
+ * Version information
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number(void)
+{
+ return MBEDTLS_VERSION_NUMBER;
+}
+
+void mbedtls_version_get_string(char *string)
+{
+ memcpy(string, MBEDTLS_VERSION_STRING,
+ sizeof(MBEDTLS_VERSION_STRING));
+}
+
+void mbedtls_version_get_string_full(char *string)
+{
+ memcpy(string, MBEDTLS_VERSION_STRING_FULL,
+ sizeof(MBEDTLS_VERSION_STRING_FULL));
+}
+
+#endif /* MBEDTLS_VERSION_C */
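Review bot: `mbedtls_version_get_string` and `mbedtls_version_get_string_full` copy `sizeof(MBEDTLS_VERSION_STRING)` and `sizeof(MBEDTLS_VERSION_STRING_FULL)` bytes into a caller pointer that carries no length, and nothing in this file states how large the buffer must be. An undersized buffer is overrun, and the required size grows whenever the version string gets longer. The signature cannot take a size without an API change, so I would document the contract on each function, e.g. `/* string must have room for sizeof(MBEDTLS_VERSION_STRING) bytes, terminating NUL included */`, with the matching line for the `_FULL` variant.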
diff --git a/tf-psa-crypto/drivers/everest/.gitignore b/tf-psa-crypto/drivers/everest/.gitignore
new file mode 100644
index 0000000..f3c7a7c
--- /dev/null
+++ b/tf-psa-crypto/drivers/everest/.gitignore
@@ -0,0 +1 @@
+Makefile
diff --git a/tf-psa-crypto/drivers/everest/CMakeLists.txt b/tf-psa-crypto/drivers/everest/CMakeLists.txt
new file mode 100644
index 0000000..4958a79
--- /dev/null
+++ b/tf-psa-crypto/drivers/everest/CMakeLists.txt
@@ -0,0 +1,45 @@
+set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
+
+add_library(${everest_target}
+ library/everest.c
+ library/x25519.c
+ library/Hacl_Curve25519_joined.c)
+
+target_include_directories(${everest_target}
+ PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/include>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include>
+ $<INSTALL_INTERFACE:include>
+ PRIVATE include/everest
+ include/everest/kremlib
+ ${MBEDTLS_DIR}/library
+ ${MBEDTLS_DIR}/tf-psa-crypto/core)
+
+# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
+# This must be duplicated from library/CMakeLists.txt because
+# everest is not directly linked against any mbedtls targets
+# so does not inherit the compile definitions.
+if(MBEDTLS_CONFIG_FILE)
+ target_compile_definitions(${everest_target}
+ PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
+endif()
+if(MBEDTLS_USER_CONFIG_FILE)
+ target_compile_definitions(${everest_target}
+ PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
+endif()
+
+if(INSTALL_MBEDTLS_HEADERS)
+
+ install(DIRECTORY include/everest
+ DESTINATION include
+ FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+ DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+ FILES_MATCHING PATTERN "*.h")
+
+endif(INSTALL_MBEDTLS_HEADERS)
+
+install(TARGETS ${everest_target}
+ EXPORT MbedTLSTargets
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/tf-psa-crypto/drivers/everest/Makefile.inc b/tf-psa-crypto/drivers/everest/Makefile.inc
new file mode 100644
index 0000000..8055ce9
--- /dev/null
+++ b/tf-psa-crypto/drivers/everest/Makefile.inc
@@ -0,0 +1,6 @@
+THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/everest/include -I$(THIRDPARTY_DIR)/everest/include/everest -I$(THIRDPARTY_DIR)/everest/include/everest/kremlib
+
+THIRDPARTY_CRYPTO_OBJECTS+= \
+ $(THIRDPARTY_DIR)/everest/library/everest.o \
+ $(THIRDPARTY_DIR)/everest/library/x25519.o \
+ $(THIRDPARTY_DIR)/everest/library/Hacl_Curve25519_joined.o
diff --git a/3rdparty/everest/README.md b/tf-psa-crypto/drivers/everest/README.md
index bcf12c0..bcf12c0 100644
--- a/3rdparty/everest/README.md
+++ b/tf-psa-crypto/drivers/everest/README.md
diff --git a/3rdparty/everest/include/everest/Hacl_Curve25519.h b/tf-psa-crypto/drivers/everest/include/everest/Hacl_Curve25519.h
index e3f5ba4..e3f5ba4 100644
--- a/3rdparty/everest/include/everest/Hacl_Curve25519.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/Hacl_Curve25519.h
diff --git a/3rdparty/everest/include/everest/everest.h b/tf-psa-crypto/drivers/everest/include/everest/everest.h
index 392e792..392e792 100644
--- a/3rdparty/everest/include/everest/everest.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/everest.h
diff --git a/3rdparty/everest/include/everest/kremlib.h b/tf-psa-crypto/drivers/everest/include/everest/kremlib.h
index f06663f..f06663f 100644
--- a/3rdparty/everest/include/everest/kremlib.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlib.h
diff --git a/3rdparty/everest/include/everest/kremlib/FStar_UInt128.h b/tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt128.h
index d71c882..d71c882 100644
--- a/3rdparty/everest/include/everest/kremlib/FStar_UInt128.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt128.h
diff --git a/3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h b/tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h
index 21560c4..21560c4 100644
--- a/3rdparty/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h
diff --git a/3rdparty/everest/include/everest/kremlin/c_endianness.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/c_endianness.h
index 5cfde5d..5cfde5d 100644
--- a/3rdparty/everest/include/everest/kremlin/c_endianness.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/c_endianness.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/builtin.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/builtin.h
index 219b266..219b266 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/builtin.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/builtin.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/callconv.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/callconv.h
index bf631ff..bf631ff 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/callconv.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/callconv.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/compat.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/compat.h
index a5b8889..a5b8889 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/compat.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/compat.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/debug.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/debug.h
index 44ac22c..44ac22c 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/debug.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/debug.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/target.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/target.h
index b552f52..b552f52 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/target.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/target.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/types.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/types.h
index b936f00..b936f00 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/types.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/types.h
diff --git a/3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/wasmsupport.h
index b44fa3f..b44fa3f 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/wasmsupport.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/kremlin/internal/wasmsupport.h
diff --git a/3rdparty/everest/include/everest/vs2013/Hacl_Curve25519.h b/tf-psa-crypto/drivers/everest/include/everest/vs2013/Hacl_Curve25519.h
index 27ebe07..27ebe07 100644
--- a/3rdparty/everest/include/everest/vs2013/Hacl_Curve25519.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/vs2013/Hacl_Curve25519.h
diff --git a/3rdparty/everest/include/everest/vs2013/inttypes.h b/tf-psa-crypto/drivers/everest/include/everest/vs2013/inttypes.h
index 77003be..77003be 100644
--- a/3rdparty/everest/include/everest/vs2013/inttypes.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/vs2013/inttypes.h
diff --git a/3rdparty/everest/include/everest/vs2013/stdbool.h b/tf-psa-crypto/drivers/everest/include/everest/vs2013/stdbool.h
index dcae6d8..dcae6d8 100644
--- a/3rdparty/everest/include/everest/vs2013/stdbool.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/vs2013/stdbool.h
diff --git a/3rdparty/everest/include/everest/x25519.h b/tf-psa-crypto/drivers/everest/include/everest/x25519.h
index ef314d2..ef314d2 100644
--- a/3rdparty/everest/include/everest/x25519.h
+++ b/tf-psa-crypto/drivers/everest/include/everest/x25519.h
diff --git a/3rdparty/everest/library/Hacl_Curve25519.c b/tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c
index 450b9f8..450b9f8 100644
--- a/3rdparty/everest/library/Hacl_Curve25519.c
+++ b/tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c
diff --git a/3rdparty/everest/library/Hacl_Curve25519_joined.c b/tf-psa-crypto/drivers/everest/library/Hacl_Curve25519_joined.c
index a778160..a778160 100644
--- a/3rdparty/everest/library/Hacl_Curve25519_joined.c
+++ b/tf-psa-crypto/drivers/everest/library/Hacl_Curve25519_joined.c
diff --git a/3rdparty/everest/library/everest.c b/tf-psa-crypto/drivers/everest/library/everest.c
index fefc6a2..fefc6a2 100644
--- a/3rdparty/everest/library/everest.c
+++ b/tf-psa-crypto/drivers/everest/library/everest.c
diff --git a/3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c b/tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt128_extracted.c
index 1060515..1060515 100644
--- a/3rdparty/everest/library/kremlib/FStar_UInt128_extracted.c
+++ b/tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt128_extracted.c
diff --git a/3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c b/tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c
index 0826524..0826524 100644
--- a/3rdparty/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c
+++ b/tf-psa-crypto/drivers/everest/library/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c
diff --git a/3rdparty/everest/library/legacy/Hacl_Curve25519.c b/tf-psa-crypto/drivers/everest/library/legacy/Hacl_Curve25519.c
index babebe4..babebe4 100644
--- a/3rdparty/everest/library/legacy/Hacl_Curve25519.c
+++ b/tf-psa-crypto/drivers/everest/library/legacy/Hacl_Curve25519.c
diff --git a/3rdparty/everest/library/x25519.c b/tf-psa-crypto/drivers/everest/library/x25519.c
index 83064dc..83064dc 100644
--- a/3rdparty/everest/library/x25519.c
+++ b/tf-psa-crypto/drivers/everest/library/x25519.c
diff --git a/tf-psa-crypto/drivers/p256-m/.gitignore b/tf-psa-crypto/drivers/p256-m/.gitignore
new file mode 100644
index 0000000..f3c7a7c
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/.gitignore
@@ -0,0 +1 @@
+Makefile
diff --git a/tf-psa-crypto/drivers/p256-m/CMakeLists.txt b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
new file mode 100644
index 0000000..f097ed1
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
@@ -0,0 +1,43 @@
+set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
+
+add_library(${p256m_target}
+ p256-m_driver_entrypoints.c
+ p256-m/p256-m.c)
+
+target_include_directories(${p256m_target}
+ PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
+ $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/include>
+ $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include>
+ $<INSTALL_INTERFACE:include>
+ PRIVATE ${MBEDTLS_DIR}/library/
+ ${MBEDTLS_DIR}/tf-psa-crypto/core)
+
+# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
+# This must be duplicated from library/CMakeLists.txt because
+# p256m is not directly linked against any mbedtls targets
+# so does not inherit the compile definitions.
+if(MBEDTLS_CONFIG_FILE)
+ target_compile_definitions(${p256m_target}
+ PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
+endif()
+if(MBEDTLS_USER_CONFIG_FILE)
+ target_compile_definitions(${p256m_target}
+ PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
+endif()
+
+if(INSTALL_MBEDTLS_HEADERS)
+
+ install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
+ DESTINATION include
+ FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+ DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+ FILES_MATCHING PATTERN "*.h")
+
+endif(INSTALL_MBEDTLS_HEADERS)
+
+install(TARGETS ${p256m_target}
+EXPORT MbedTLSTargets
+DESTINATION ${CMAKE_INSTALL_LIBDIR}
+PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
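Review bot: The `install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}` line inside the `INSTALL_MBEDTLS_HEADERS` block has a stray `:` in front of the variable, so the path handed to CMake is not the source directory. The everest CMakeLists.txt added in the same commit passes a plain path (`include/everest`) at the same place. I would drop the colon: `install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}`. As written, header installation for the p256-m driver presumably fails or installs nothing, which is worth confirming with an install run with `INSTALL_MBEDTLS_HEADERS` enabled.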
diff --git a/tf-psa-crypto/drivers/p256-m/Makefile.inc b/tf-psa-crypto/drivers/p256-m/Makefile.inc
new file mode 100644
index 0000000..53bb55b
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/Makefile.inc
@@ -0,0 +1,5 @@
+THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/p256-m/p256-m/include -I$(THIRDPARTY_DIR)/p256-m/p256-m/include/p256-m -I$(THIRDPARTY_DIR)/p256-m/p256-m_driver_interface
+
+THIRDPARTY_CRYPTO_OBJECTS+= \
+ $(THIRDPARTY_DIR)/p256-m//p256-m_driver_entrypoints.o \
+ $(THIRDPARTY_DIR)/p256-m//p256-m/p256-m.o
diff --git a/tf-psa-crypto/drivers/p256-m/README.md b/tf-psa-crypto/drivers/p256-m/README.md
new file mode 100644
index 0000000..ec90f34
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/README.md
@@ -0,0 +1,4 @@
+The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m). They are distributed here under a dual Apache-2.0 OR GPL-2.0-or-later license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
+
+The files `p256-m.c`, `p256-m.h` and `README.md` have been taken from the `p256-m` repository.
+It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
diff --git a/3rdparty/p256-m/p256-m/README.md b/tf-psa-crypto/drivers/p256-m/p256-m/README.md
index 5e88f71..5e88f71 100644
--- a/3rdparty/p256-m/p256-m/README.md
+++ b/tf-psa-crypto/drivers/p256-m/p256-m/README.md
diff --git a/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.c b/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.c
new file mode 100644
index 0000000..42c35b5
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.c
@@ -0,0 +1,1514 @@
+/*
+ * Implementation of curve P-256 (ECDH and ECDSA)
+ *
+ * Copyright The Mbed TLS Contributors
+ * Author: Manuel Pégourié-Gonnard.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "p256-m.h"
+#include "mbedtls/platform_util.h"
+#include "psa/crypto.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+
+/*
+ * Zeroize memory - this should not be optimized away
+ */
+#define zeroize mbedtls_platform_zeroize
+
+/*
+ * Helpers to test constant-time behaviour with valgrind or MemSan.
+ *
+ * CT_POISON() is used for secret data. It marks the memory area as
+ * uninitialised, so that any branch or pointer dereference that depends on it
+ * (even indirectly) triggers a warning.
+ * CT_UNPOISON() is used for public data; it marks the area as initialised.
+ *
+ * These are macros in order to avoid interfering with origin tracking.
+ */
+#if defined(CT_MEMSAN)
+
+#include <sanitizer/msan_interface.h>
+#define CT_POISON __msan_allocated_memory
+// void __msan_allocated_memory(const volatile void* data, size_t size);
+#define CT_UNPOISON __msan_unpoison
+// void __msan_unpoison(const volatile void *a, size_t size);
+
+#elif defined(CT_VALGRIND)
+
+#include <valgrind/memcheck.h>
+#define CT_POISON VALGRIND_MAKE_MEM_UNDEFINED
+// VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len)
+#define CT_UNPOISON VALGRIND_MAKE_MEM_DEFINED
+// VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len)
+
+#else
+#define CT_POISON(p, sz)
+#define CT_UNPOISON(p, sz)
+#endif
+
+/**********************************************************************
+ *
+ * Operations on fixed-width unsigned integers
+ *
+ * Represented using 32-bit limbs, least significant limb first.
+ * That is: x = x[0] + 2^32 x[1] + ... + 2^224 x[7] for 256-bit.
+ *
+ **********************************************************************/
+
+/*
+ * 256-bit set to 32-bit value
+ *
+ * in: x in [0, 2^32)
+ * out: z = x
+ */
+static void u256_set32(uint32_t z[8], uint32_t x)
+{
+ z[0] = x;
+ for (unsigned i = 1; i < 8; i++) {
+ z[i] = 0;
+ }
+}
+
+/*
+ * 256-bit addition
+ *
+ * in: x, y in [0, 2^256)
+ * out: z = (x + y) mod 2^256
+ * c = (x + y) div 2^256
+ * That is, z + c * 2^256 = x + y
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static uint32_t u256_add(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+ for (unsigned i = 0; i < 8; i++) {
+ uint64_t sum = (uint64_t) carry + x[i] + y[i];
+ z[i] = (uint32_t) sum;
+ carry = (uint32_t) (sum >> 32);
+ }
+
+ return carry;
+}
+
+/*
+ * 256-bit subtraction
+ *
+ * in: x, y in [0, 2^256)
+ * out: z = (x - y) mod 2^256
+ * c = 0 if x >=y, 1 otherwise
+ * That is, z = c * 2^256 + x - y
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static uint32_t u256_sub(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+ for (unsigned i = 0; i < 8; i++) {
+ uint64_t diff = (uint64_t) x[i] - y[i] - carry;
+ z[i] = (uint32_t) diff;
+ carry = -(uint32_t) (diff >> 32);
+ }
+
+ return carry;
+}
+
+/*
+ * 256-bit conditional assignment
+ *
+ * in: x in [0, 2^256)
+ * c in [0, 1]
+ * out: z = x if c == 1, z unchanged otherwise
+ *
+ * Note: as a memory area, z must be either equal to x, or not overlap.
+ */
+static void u256_cmov(uint32_t z[8], const uint32_t x[8], uint32_t c)
+{
+ const uint32_t x_mask = -c;
+ for (unsigned i = 0; i < 8; i++) {
+ z[i] = (z[i] & ~x_mask) | (x[i] & x_mask);
+ }
+}
+
+/*
+ * 256-bit compare for equality
+ *
+ * in: x in [0, 2^256)
+ * y in [0, 2^256)
+ * out: 0 if x == y, unspecified non-zero otherwise
+ */
+static uint32_t u256_diff(const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t diff = 0;
+ for (unsigned i = 0; i < 8; i++) {
+ diff |= x[i] ^ y[i];
+ }
+ return diff;
+}
+
+/*
+ * 256-bit compare to zero
+ *
+ * in: x in [0, 2^256)
+ * out: 0 if x == 0, unspecified non-zero otherwise
+ */
+static uint32_t u256_diff0(const uint32_t x[8])
+{
+ uint32_t diff = 0;
+ for (unsigned i = 0; i < 8; i++) {
+ diff |= x[i];
+ }
+ return diff;
+}
+
+/*
+ * 32 x 32 -> 64-bit multiply-and-accumulate
+ *
+ * in: x, y, z, t in [0, 2^32)
+ * out: x * y + z + t in [0, 2^64)
+ *
+ * Note: this computation cannot overflow.
+ *
+ * Note: this function has two pure-C implementations (depending on whether
+ * MUL64_IS_CONSTANT_TIME), and possibly optimised asm implementations.
+ * Start with the potential asm definitions, and use the C definition only if
+ * we no have no asm for the current toolchain & CPU.
+ */
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t);
+
+/* This macro is used to mark whether an asm implentation is found */
+#undef MULADD64_ASM
+/* This macro is used to mark whether the implementation has a small
+ * code size (ie, it can be inlined even in an unrolled loop) */
+#undef MULADD64_SMALL
+
+/*
+ * Currently assembly optimisations are only supported with GCC/Clang for
+ * Arm's Cortex-A and Cortex-M lines of CPUs, which start with the v6-M and
+ * v7-M architectures. __ARM_ARCH_PROFILE is not defined for v6 and earlier.
+ * Thumb and 32-bit assembly is supported; aarch64 is not supported.
+ */
+#if defined(__GNUC__) &&\
+ defined(__ARM_ARCH) && __ARM_ARCH >= 6 && defined(__ARM_ARCH_PROFILE) && \
+ ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */ && \
+ !defined(__aarch64__)
+
+/*
+ * This set of CPUs is conveniently partitioned as follows:
+ *
+ * 1. Cores that have the DSP extension, which includes a 1-cycle UMAAL
+ * instruction: M4, M7, M33, all A-class cores.
+ * 2. Cores that don't have the DSP extension, and also lack a constant-time
+ * 64-bit multiplication instruction:
+ * - M0, M0+, M23: 32-bit multiplication only;
+ * - M3: 64-bit multiplication is not constant-time.
+ */
+#if defined(__ARM_FEATURE_DSP)
+
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ __asm__(
+ /* UMAAL <RdLo>, <RdHi>, <Rn>, <Rm> */
+ "umaal %[z], %[t], %[x], %[y]"
+ : [z] "+l" (z), [t] "+l" (t)
+ : [x] "l" (x), [y] "l" (y)
+ );
+ return ((uint64_t) t << 32) | z;
+}
+#define MULADD64_ASM
+#define MULADD64_SMALL
+
+#else /* __ARM_FEATURE_DSP */
+
+/*
+ * This implementation only uses 16x16->32 bit multiplication.
+ *
+ * It decomposes the multiplicands as:
+ * x = xh:xl = 2^16 * xh + xl
+ * y = yh:yl = 2^16 * yh + yl
+ * and computes their product as:
+ * x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
+ * then adds z and t to the result.
+ */
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ /* First compute x*y, using 3 temporary registers */
+ uint32_t tmp1, tmp2, tmp3;
+ __asm__(
+ ".syntax unified\n\t"
+ /* start by splitting the inputs into halves */
+ "lsrs %[u], %[x], #16\n\t"
+ "lsrs %[v], %[y], #16\n\t"
+ "uxth %[x], %[x]\n\t"
+ "uxth %[y], %[y]\n\t"
+ /* now we have %[x], %[y], %[u], %[v] = xl, yl, xh, yh */
+ /* let's compute the 4 products we can form with those */
+ "movs %[w], %[v]\n\t"
+ "muls %[w], %[u]\n\t"
+ "muls %[v], %[x]\n\t"
+ "muls %[x], %[y]\n\t"
+ "muls %[y], %[u]\n\t"
+ /* now we have %[x], %[y], %[v], %[w] = xl*yl, xh*yl, xl*yh, xh*yh */
+ /* let's split and add the first middle product */
+ "lsls %[u], %[y], #16\n\t"
+ "lsrs %[y], %[y], #16\n\t"
+ "adds %[x], %[u]\n\t"
+ "adcs %[y], %[w]\n\t"
+ /* let's finish with the second middle product */
+ "lsls %[u], %[v], #16\n\t"
+ "lsrs %[v], %[v], #16\n\t"
+ "adds %[x], %[u]\n\t"
+ "adcs %[y], %[v]\n\t"
+ : [x] "+l" (x), [y] "+l" (y),
+ [u] "=&l" (tmp1), [v] "=&l" (tmp2), [w] "=&l" (tmp3)
+ : /* no read-only inputs */
+ : "cc"
+ );
+ (void) tmp1;
+ (void) tmp2;
+ (void) tmp3;
+
+ /* Add z and t, using one temporary register */
+ __asm__(
+ ".syntax unified\n\t"
+ "movs %[u], #0\n\t"
+ "adds %[x], %[z]\n\t"
+ "adcs %[y], %[u]\n\t"
+ "adds %[x], %[t]\n\t"
+ "adcs %[y], %[u]\n\t"
+ : [x] "+l" (x), [y] "+l" (y), [u] "=&l" (tmp1)
+ : [z] "l" (z), [t] "l" (t)
+ : "cc"
+ );
+ (void) tmp1;
+
+ return ((uint64_t) y << 32) | x;
+}
+#define MULADD64_ASM
+
+#endif /* __ARM_FEATURE_DSP */
+
+#endif /* GCC/Clang with Cortex-M/A CPU */
+
+#if !defined(MULADD64_ASM)
+#if defined(MUL64_IS_CONSTANT_TIME)
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ return (uint64_t) x * y + z + t;
+}
+#define MULADD64_SMALL
+#else
+static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t)
+{
+ /* x = xl + 2**16 xh, y = yl + 2**16 yh */
+ const uint16_t xl = (uint16_t) x;
+ const uint16_t yl = (uint16_t) y;
+ const uint16_t xh = x >> 16;
+ const uint16_t yh = y >> 16;
+
+ /* x*y = xl*yl + 2**16 (xh*yl + yl*yh) + 2**32 xh*yh
+ * = lo + 2**16 (m1 + m2 ) + 2**32 hi */
+ const uint32_t lo = (uint32_t) xl * yl;
+ const uint32_t m1 = (uint32_t) xh * yl;
+ const uint32_t m2 = (uint32_t) xl * yh;
+ const uint32_t hi = (uint32_t) xh * yh;
+
+ uint64_t acc = lo + ((uint64_t) (hi + (m1 >> 16) + (m2 >> 16)) << 32);
+ acc += m1 << 16;
+ acc += m2 << 16;
+ acc += z;
+ acc += t;
+
+ return acc;
+}
+#endif /* MUL64_IS_CONSTANT_TIME */
+#endif /* MULADD64_ASM */
+
+/*
+ * 288 + 32 x 256 -> 288-bit multiply and add
+ *
+ * in: x in [0, 2^32)
+ * y in [0, 2^256)
+ * z in [0, 2^288)
+ * out: z_out = z_in + x * y mod 2^288
+ * c = z_in + x * y div 2^288
+ * That is, z_out + c * 2^288 = z_in + x * y
+ *
+ * Note: as a memory area, z must be either equal to y, or not overlap.
+ *
+ * This is a helper for Montgomery multiplication.
+ */
+static uint32_t u288_muladd(uint32_t z[9], uint32_t x, const uint32_t y[8])
+{
+ uint32_t carry = 0;
+
+#define U288_MULADD_STEP(i) \
+ do { \
+ uint64_t prod = u32_muladd64(x, y[i], z[i], carry); \
+ z[i] = (uint32_t) prod; \
+ carry = (uint32_t) (prod >> 32); \
+ } while( 0 )
+
+#if defined(MULADD64_SMALL)
+ U288_MULADD_STEP(0);
+ U288_MULADD_STEP(1);
+ U288_MULADD_STEP(2);
+ U288_MULADD_STEP(3);
+ U288_MULADD_STEP(4);
+ U288_MULADD_STEP(5);
+ U288_MULADD_STEP(6);
+ U288_MULADD_STEP(7);
+#else
+ for (unsigned i = 0; i < 8; i++) {
+ U288_MULADD_STEP(i);
+ }
+#endif
+
+ uint64_t sum = (uint64_t) z[8] + carry;
+ z[8] = (uint32_t) sum;
+ carry = (uint32_t) (sum >> 32);
+
+ return carry;
+}
+
+/*
+ * 288-bit in-place right shift by 32 bits
+ *
+ * in: z in [0, 2^288)
+ * c in [0, 2^32)
+ * out: z_out = z_in div 2^32 + c * 2^256
+ * = (z_in + c * 2^288) div 2^32
+ *
+ * This is a helper for Montgomery multiplication.
+ */
+static void u288_rshift32(uint32_t z[9], uint32_t c)
+{
+ for (unsigned i = 0; i < 8; i++) {
+ z[i] = z[i + 1];
+ }
+ z[8] = c;
+}
+
+/*
+ * 256-bit import from big-endian bytes
+ *
+ * in: p = p0, ..., p31
+ * out: z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ */
+static void u256_from_bytes(uint32_t z[8], const uint8_t p[32])
+{
+ for (unsigned i = 0; i < 8; i++) {
+ unsigned j = 4 * (7 - i);
+ z[i] = ((uint32_t) p[j + 0] << 24) |
+ ((uint32_t) p[j + 1] << 16) |
+ ((uint32_t) p[j + 2] << 8) |
+ ((uint32_t) p[j + 3] << 0);
+ }
+}
+
+/*
+ * 256-bit export to big-endian bytes
+ *
+ * in: z in [0, 2^256)
+ * out: p = p0, ..., p31 such that
+ * z = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ */
+static void u256_to_bytes(uint8_t p[32], const uint32_t z[8])
+{
+ for (unsigned i = 0; i < 8; i++) {
+ unsigned j = 4 * (7 - i);
+ p[j + 0] = (uint8_t) (z[i] >> 24);
+ p[j + 1] = (uint8_t) (z[i] >> 16);
+ p[j + 2] = (uint8_t) (z[i] >> 8);
+ p[j + 3] = (uint8_t) (z[i] >> 0);
+ }
+}
+
+/**********************************************************************
+ *
+ * Operations modulo a 256-bit prime m
+ *
+ * These are done in the Montgomery domain, that is x is represented by
+ * x * 2^256 mod m
+ * Numbers need to be converted to that domain before computations,
+ * and back from it afterwards.
+ *
+ * Inversion is computed using Fermat's little theorem.
+ *
+ * Assumptions on m:
+ * - Montgomery operations require that m is odd.
+ * - Fermat's little theorem require it to be a prime.
+ * - m256_inv() further requires that m % 2^32 >= 2.
+ * - m256_inv() also assumes that the value of m is not a secret.
+ *
+ * In practice operations are done modulo the curve's p and n,
+ * both of which satisfy those assumptions.
+ *
+ **********************************************************************/
+
+/*
+ * Data associated to a modulus for Montgomery operations.
+ *
+ * m in [0, 2^256) - the modulus itself, must be odd
+ * R2 = 2^512 mod m
+ * ni = -m^-1 mod 2^32
+ */
+typedef struct {
+ uint32_t m[8];
+ uint32_t R2[8];
+ uint32_t ni;
+}
+m256_mod;
+
+/*
+ * Data for Montgomery operations modulo the curve's p
+ */
+static const m256_mod p256_p = {
+ { /* the curve's p */
+ 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF,
+ },
+ { /* 2^512 mod p */
+ 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb,
+ 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004,
+ },
+ 0x00000001, /* -p^-1 mod 2^32 */
+};
+
+/*
+ * Data for Montgomery operations modulo the curve's n
+ */
+static const m256_mod p256_n = {
+ { /* the curve's n */
+ 0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD,
+ 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
+ },
+ { /* 2^512 mod n */
+ 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c,
+ 0x2b6bec59, 0x2845b239, 0xf3d95620, 0x66e12d94,
+ },
+ 0xee00bc4f, /* -n^-1 mod 2^32 */
+};
+
+/*
+ * Modular addition
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x + y) mod m, in [0, m)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_add(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ uint32_t r[8];
+ uint32_t carry_add = u256_add(z, x, y);
+ uint32_t carry_sub = u256_sub(r, z, mod->m);
+ /* Need to subract m if:
+ * x+y >= 2^256 > m (that is, carry_add == 1)
+ * OR z >= m (that is, carry_sub == 0) */
+ uint32_t use_sub = carry_add | (1 - carry_sub);
+ u256_cmov(z, r, use_sub);
+}
+
+/*
+ * Modular addition mod p
+ *
+ * in: x, y in [0, p)
+ * out: z = (x + y) mod p, in [0, p)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_add_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_add(z, x, y, &p256_p);
+}
+
+/*
+ * Modular subtraction
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x - y) mod m, in [0, m)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_sub(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ uint32_t r[8];
+ uint32_t carry = u256_sub(z, x, y);
+ (void) u256_add(r, z, mod->m);
+ /* Need to add m if and only if x < y, that is carry == 1.
+ * In that case z is in [2^256 - m + 1, 2^256 - 1], so the
+ * addition will have a carry as well, which cancels out. */
+ u256_cmov(z, r, carry);
+}
+
+/*
+ * Modular subtraction mod p
+ *
+ * in: x, y in [0, p)
+ * out: z = (x + y) mod p, in [0, p)
+ *
+ * Note: as a memory area, z must be either equal to x or y, or not overlap.
+ */
+static void m256_sub_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_sub(z, x, y, &p256_p);
+}
+
+/*
+ * Montgomery modular multiplication
+ *
+ * in: x, y in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z = (x * y) / 2^256 mod m, in [0, m)
+ *
+ * Note: as a memory area, z may overlap with x or y.
+ */
+static void m256_mul(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8],
+ const m256_mod *mod)
+{
+ /*
+ * Algorithm 14.36 in Handbook of Applied Cryptography with:
+ * b = 2^32, n = 8, R = 2^256
+ */
+ uint32_t m_prime = mod->ni;
+ uint32_t a[9];
+
+ for (unsigned i = 0; i < 9; i++) {
+ a[i] = 0;
+ }
+
+ for (unsigned i = 0; i < 8; i++) {
+ /* the "mod 2^32" is implicit from the type */
+ uint32_t u = (a[0] + x[i] * y[0]) * m_prime;
+
+ /* a = (a + x[i] * y + u * m) div b */
+ uint32_t c = u288_muladd(a, x[i], y);
+ c += u288_muladd(a, u, mod->m);
+ u288_rshift32(a, c);
+ }
+
+ /* a = a > m ? a - m : a */
+ uint32_t carry_add = a[8]; // 0 or 1 since a < 2m, see HAC Note 14.37
+ uint32_t carry_sub = u256_sub(z, a, mod->m);
+ uint32_t use_sub = carry_add | (1 - carry_sub); // see m256_add()
+ u256_cmov(z, a, 1 - use_sub);
+}
+
+/*
+ * Montgomery modular multiplication modulo p.
+ *
+ * in: x, y in [0, p)
+ * out: z = (x * y) / 2^256 mod p, in [0, p)
+ *
+ * Note: as a memory area, z may overlap with x or y.
+ */
+static void m256_mul_p(uint32_t z[8],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_mul(z, x, y, &p256_p);
+}
+
+/*
+ * In-place conversion to Montgomery form
+ *
+ * in: z in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z_out = z_in * 2^256 mod m, in [0, m)
+ */
+static void m256_prep(uint32_t z[8], const m256_mod *mod)
+{
+ m256_mul(z, z, mod->R2, mod);
+}
+
+/*
+ * In-place conversion from Montgomery form
+ *
+ * in: z in [0, m)
+ * mod must point to a valid m256_mod structure
+ * out: z_out = z_in / 2^256 mod m, in [0, m)
+ * That is, z_in was z_actual * 2^256 mod m, and z_out is z_actual
+ */
+static void m256_done(uint32_t z[8], const m256_mod *mod)
+{
+ uint32_t one[8];
+ u256_set32(one, 1);
+ m256_mul(z, z, one, mod);
+}
+
+/*
+ * Set to 32-bit value
+ *
+ * in: x in [0, 2^32)
+ * mod must point to a valid m256_mod structure
+ * out: z = x * 2^256 mod m, in [0, m)
+ * That is, z is set to the image of x in the Montgomery domain.
+ */
+static void m256_set32(uint32_t z[8], uint32_t x, const m256_mod *mod)
+{
+ u256_set32(z, x);
+ m256_prep(z, mod);
+}
+
+/*
+ * Modular inversion in Montgomery form
+ *
+ * in: x in [0, m)
+ * mod must point to a valid m256_mod structure
+ * such that mod->m % 2^32 >= 2, assumed to be public.
+ * out: z = x^-1 * 2^512 mod m if x != 0,
+ * z = 0 if x == 0
+ * That is, if x = x_actual * 2^256 mod m, then
+ * z = x_actual^-1 * 2^256 mod m
+ *
+ * Note: as a memory area, z may overlap with x.
+ */
+static void m256_inv(uint32_t z[8], const uint32_t x[8],
+ const m256_mod *mod)
+{
+ /*
+ * Use Fermat's little theorem to compute x^-1 as x^(m-2).
+ *
+ * Take advantage of the fact that both p's and n's least significant limb
+ * is at least 2 to perform the subtraction on the flight (no carry).
+ *
+ * Use plain right-to-left binary exponentiation;
+ * branches are OK as the exponent is not a secret.
+ */
+ uint32_t bitval[8];
+ u256_cmov(bitval, x, 1); /* copy x before writing to z */
+
+ m256_set32(z, 1, mod);
+
+ unsigned i = 0;
+ uint32_t limb = mod->m[i] - 2;
+ while (1) {
+ for (unsigned j = 0; j < 32; j++) {
+ if ((limb & 1) != 0) {
+ m256_mul(z, z, bitval, mod);
+ }
+ m256_mul(bitval, bitval, bitval, mod);
+ limb >>= 1;
+ }
+
+ if (i == 7)
+ break;
+
+ i++;
+ limb = mod->m[i];
+ }
+}
+
+/*
+ * Import modular integer from bytes to Montgomery domain
+ *
+ * in: p = p0, ..., p32
+ * mod must point to a valid m256_mod structure
+ * out: z = (p0 * 2^248 + ... + p31) * 2^256 mod m, in [0, m)
+ * return 0 if the number was already in [0, m), or -1.
+ * z may be incorrect and must be discared when -1 is returned.
+ */
+static int m256_from_bytes(uint32_t z[8],
+ const uint8_t p[32], const m256_mod *mod)
+{
+ u256_from_bytes(z, p);
+
+ uint32_t t[8];
+ uint32_t lt_m = u256_sub(t, z, mod->m);
+ if (lt_m != 1)
+ return -1;
+
+ m256_prep(z, mod);
+ return 0;
+}
+
+/*
+ * Export modular integer from Montgomery domain to bytes
+ *
+ * in: z in [0, 2^256)
+ * mod must point to a valid m256_mod structure
+ * out: p = p0, ..., p31 such that
+ * z = (p0 * 2^248 + ... + p31) * 2^256 mod m
+ */
+static void m256_to_bytes(uint8_t p[32],
+ const uint32_t z[8], const m256_mod *mod)
+{
+ uint32_t zi[8];
+ u256_cmov(zi, z, 1);
+ m256_done(zi, mod);
+
+ u256_to_bytes(p, zi);
+}
+
+/**********************************************************************
+ *
+ * Operations on curve points
+ *
+ * Points are represented in two coordinates system:
+ * - affine (x, y) - extended to represent 0 (see below)
+ * - jacobian (x:y:z)
+ * In either case, coordinates are integers modulo p256_p and
+ * are always represented in the Montgomery domain.
+ *
+ * For background on jacobian coordinates, see for example [GECC] 3.2.2:
+ * - conversions go (x, y) -> (x:y:1) and (x:y:z) -> (x/z^2, y/z^3)
+ * - the curve equation becomes y^2 = x^3 - 3 x z^4 + b z^6
+ * - 0 (aka the origin aka point at infinity) is (x:y:0) with y^2 = x^3.
+ * - point negation goes -(x:y:z) = (x:-y:z)
+ *
+ * Normally 0 (the point at infinity) can't be represented in affine
+ * coordinates. However we extend affine coordinates with the convention that
+ * (0, 0) (which is normally not a point on the curve) is interpreted as 0.
+ *
+ * References:
+ * - [GECC]: Guide to Elliptic Curve Cryptography; Hankerson, Menezes,
+ * Vanstone; Springer, 2004.
+ * - [CMO98]: Efficient Elliptic Curve Exponentiation Using Mixed Coordinates;
+ * Cohen, Miyaji, Ono; Springer, ASIACRYPT 1998.
+ * https://link.springer.com/content/pdf/10.1007/3-540-49649-1_6.pdf
+ * - [RCB15]: Complete addition formulas for prime order elliptic curves;
+ * Renes, Costello, Batina; IACR e-print 2015-1060.
+ * https://eprint.iacr.org/2015/1060.pdf
+ *
+ **********************************************************************/
+
+/*
+ * The curve's b parameter in the Short Weierstrass equation
+ * y^2 = x^3 - 3*x + b
+ * Compared to the standard, this is converted to the Montgomery domain.
+ */
+static const uint32_t p256_b[8] = { /* b * 2^256 mod p */
+ 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd,
+ 0xf7212ed6, 0xe5a220ab, 0x04874834, 0xdc30061d,
+};
+
+/*
+ * The curve's conventional base point G.
+ * Compared to the standard, coordinates converted to the Montgomery domain.
+ */
+static const uint32_t p256_gx[8] = { /* G_x * 2^256 mod p */
+ 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc,
+ 0x77622510, 0x79fb732b, 0xa53755c6, 0x18905f76,
+};
+static const uint32_t p256_gy[8] = { /* G_y * 2^256 mod p */
+ 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4,
+ 0xdd21f325, 0xd2e88688, 0x25885d85, 0x8571ff18,
+};
+
+/*
+ * Point-on-curve check - do the coordinates satisfy the curve's equation?
+ *
+ * in: x, y in [0, p) (Montgomery domain)
+ * out: 0 if the point lies on the curve and is not 0,
+ * unspecified non-zero otherwise
+ */
+static uint32_t point_check(const uint32_t x[8], const uint32_t y[8])
+{
+ uint32_t lhs[8], rhs[8];
+
+ /* lhs = y^2 */
+ m256_mul_p(lhs, y, y);
+
+ /* rhs = x^3 - 3x + b */
+ m256_mul_p(rhs, x, x); /* x^2 */
+ m256_mul_p(rhs, rhs, x); /* x^3 */
+ for (unsigned i = 0; i < 3; i++)
+ m256_sub_p(rhs, rhs, x); /* x^3 - 3x */
+ m256_add_p(rhs, rhs, p256_b); /* x^3 - 3x + b */
+
+ return u256_diff(lhs, rhs);
+}
+
+/*
+ * In-place jacobian to affine coordinate conversion
+ *
+ * in: (x:y:z) must be on the curve (coordinates in Montegomery domain)
+ * out: x_out = x_in / z_in^2 (Montgomery domain)
+ * y_out = y_in / z_in^3 (Montgomery domain)
+ * z_out unspecified, must be disregarded
+ *
+ * Note: if z is 0 (that is, the input point is 0), x_out = y_out = 0.
+ */
+static void point_to_affine(uint32_t x[8], uint32_t y[8], uint32_t z[8])
+{
+ uint32_t t[8];
+
+ m256_inv(z, z, &p256_p); /* z = z^-1 */
+
+ m256_mul_p(t, z, z); /* t = z^-2 */
+ m256_mul_p(x, x, t); /* x = x * z^-2 */
+
+ m256_mul_p(t, t, z); /* t = z^-3 */
+ m256_mul_p(y, y, t); /* y = y * z^-3 */
+}
+
+/*
+ * In-place point doubling in jacobian coordinates (Montgomery domain)
+ *
+ * in: P_in = (x:y:z), must be on the curve
+ * out: (x:y:z) = P_out = 2 * P_in
+ */
+static void point_double(uint32_t x[8], uint32_t y[8], uint32_t z[8])
+{
+ /*
+ * This is formula 6 from [CMO98], cited as complete in [RCB15] (table 1).
+ * Notations as in the paper, except u added and t ommited (it's x3).
+ */
+ uint32_t m[8], s[8], u[8];
+
+ /* m = 3 * x^2 + a * z^4 = 3 * (x + z^2) * (x - z^2) */
+ m256_mul_p(s, z, z);
+ m256_add_p(m, x, s);
+ m256_sub_p(u, x, s);
+ m256_mul_p(s, m, u);
+ m256_add_p(m, s, s);
+ m256_add_p(m, m, s);
+
+ /* s = 4 * x * y^2 */
+ m256_mul_p(u, y, y);
+ m256_add_p(u, u, u); /* u = 2 * y^2 (used below) */
+ m256_mul_p(s, x, u);
+ m256_add_p(s, s, s);
+
+ /* u = 8 * y^4 (not named in the paper, first term of y3) */
+ m256_mul_p(u, u, u);
+ m256_add_p(u, u, u);
+
+ /* x3 = t = m^2 - 2 * s */
+ m256_mul_p(x, m, m);
+ m256_sub_p(x, x, s);
+ m256_sub_p(x, x, s);
+
+ /* z3 = 2 * y * z */
+ m256_mul_p(z, y, z);
+ m256_add_p(z, z, z);
+
+ /* y3 = -u + m * (s - t) */
+ m256_sub_p(y, s, x);
+ m256_mul_p(y, y, m);
+ m256_sub_p(y, y, u);
+}
+
+/*
+ * In-place point addition in jacobian-affine coordinates (Montgomery domain)
+ *
+ * in: P_in = (x1:y1:z1), must be on the curve and not 0
+ * Q = (x2, y2), must be on the curve and not P_in or -P_in or 0
+ * out: P_out = (x1:y1:z1) = P_in + Q
+ */
+static void point_add(uint32_t x1[8], uint32_t y1[8], uint32_t z1[8],
+ const uint32_t x2[8], const uint32_t y2[8])
+{
+ /*
+ * This is formula 5 from [CMO98], with z2 == 1 substituted. We use
+ * intermediates with neutral names, and names from the paper in comments.
+ */
+ uint32_t t1[8], t2[8], t3[8];
+
+ /* u1 = x1 and s1 = y1 (no computations) */
+
+ /* t1 = u2 = x2 z1^2 */
+ m256_mul_p(t1, z1, z1);
+ m256_mul_p(t2, t1, z1);
+ m256_mul_p(t1, t1, x2);
+
+ /* t2 = s2 = y2 z1^3 */
+ m256_mul_p(t2, t2, y2);
+
+ /* t1 = h = u2 - u1 */
+ m256_sub_p(t1, t1, x1); /* t1 = x2 * z1^2 - x1 */
+
+ /* t2 = r = s2 - s1 */
+ m256_sub_p(t2, t2, y1);
+
+ /* z3 = z1 * h */
+ m256_mul_p(z1, z1, t1);
+
+ /* t1 = h^3 */
+ m256_mul_p(t3, t1, t1);
+ m256_mul_p(t1, t3, t1);
+
+ /* t3 = x1 * h^2 */
+ m256_mul_p(t3, t3, x1);
+
+ /* x3 = r^2 - 2 * x1 * h^2 - h^3 */
+ m256_mul_p(x1, t2, t2);
+ m256_sub_p(x1, x1, t3);
+ m256_sub_p(x1, x1, t3);
+ m256_sub_p(x1, x1, t1);
+
+ /* y3 = r * (x1 * h^2 - x3) - y1 h^3 */
+ m256_sub_p(t3, t3, x1);
+ m256_mul_p(t3, t3, t2);
+ m256_mul_p(t1, t1, y1);
+ m256_sub_p(y1, t3, t1);
+}
+
+/*
+ * Point addition or doubling (affine to jacobian, Montgomery domain)
+ *
+ * in: P = (x1, y1) - must be on the curve and not 0
+ * Q = (x2, y2) - must be on the curve and not 0
+ * out: (x3, y3) = R = P + Q
+ *
+ * Note: unlike point_add(), this function works if P = +- Q;
+ * however it leaks information on its input through timing,
+ * branches taken and memory access patterns (if observable).
+ */
+static void point_add_or_double_leaky(
+ uint32_t x3[8], uint32_t y3[8],
+ const uint32_t x1[8], const uint32_t y1[8],
+ const uint32_t x2[8], const uint32_t y2[8])
+{
+
+ uint32_t z3[8];
+ u256_cmov(x3, x1, 1);
+ u256_cmov(y3, y1, 1);
+ m256_set32(z3, 1, &p256_p);
+
+ if (u256_diff(x1, x2) != 0) {
+ // P != +- Q -> generic addition
+ point_add(x3, y3, z3, x2, y2);
+ point_to_affine(x3, y3, z3);
+ }
+ else if (u256_diff(y1, y2) == 0) {
+ // P == Q -> double
+ point_double(x3, y3, z3);
+ point_to_affine(x3, y3, z3);
+ } else {
+ // P == -Q -> zero
+ m256_set32(x3, 0, &p256_p);
+ m256_set32(y3, 0, &p256_p);
+ }
+}
+
+/*
+ * Import curve point from bytes
+ *
+ * in: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
+ * out: x, y in Mongomery domain
+ * return 0 if x and y are both in [0, p)
+ * and (x, y) is on the curve and not 0
+ * unspecified non-zero otherwise.
+ * x and y are unspecified and must be discarded if returning non-zero.
+ */
+static int point_from_bytes(uint32_t x[8], uint32_t y[8], const uint8_t p[64])
+{
+ int ret;
+
+ ret = m256_from_bytes(x, p, &p256_p);
+ if (ret != 0)
+ return ret;
+
+ ret = m256_from_bytes(y, p + 32, &p256_p);
+ if (ret != 0)
+ return ret;
+
+ return (int) point_check(x, y);
+}
+
+/*
+ * Export curve point to bytes
+ *
+ * in: x, y affine coordinates of a point (Montgomery domain)
+ * must be on the curve and not 0
+ * out: p = (x, y) concatenated, fixed-width 256-bit big-endian integers
+ */
+static void point_to_bytes(uint8_t p[64],
+ const uint32_t x[8], const uint32_t y[8])
+{
+ m256_to_bytes(p, x, &p256_p);
+ m256_to_bytes(p + 32, y, &p256_p);
+}
+
+/**********************************************************************
+ *
+ * Scalar multiplication and other scalar-related operations
+ *
+ **********************************************************************/
+
+/*
+ * Scalar multiplication
+ *
+ * in: P = (px, py), affine (Montgomery), must be on the curve and not 0
+ * s in [1, n-1]
+ * out: R = s * P = (rx, ry), affine coordinates (Montgomery).
+ *
+ * Note: as memory areas, none of the parameters may overlap.
+ */
+static void scalar_mult(uint32_t rx[8], uint32_t ry[8],
+ const uint32_t px[8], const uint32_t py[8],
+ const uint32_t s[8])
+{
+ /*
+ * We use a signed binary ladder, see for example slides 10-14 of
+ * http://ecc2015.math.u-bordeaux1.fr/documents/hamburg.pdf but with
+ * implicit recoding, and a different loop initialisation to avoid feeding
+ * 0 to our addition formulas, as they don't support it.
+ */
+ uint32_t s_odd[8], py_neg[8], py_use[8], rz[8];
+
+ /*
+ * Make s odd by replacing it with n - s if necessary.
+ *
+ * If s was odd, we'll have s_odd = s, and define P' = P.
+ * Otherwise, we'll have s_odd = n - s and define P' = -P.
+ *
+ * Either way, we can compute s * P as s_odd * P'.
+ */
+ u256_sub(s_odd, p256_n.m, s); /* no carry, result still in [1, n-1] */
+ uint32_t negate = ~s[0] & 1;
+ u256_cmov(s_odd, s, 1 - negate);
+
+ /* Compute py_neg = - py mod p (that's the y coordinate of -P) */
+ u256_set32(py_use, 0);
+ m256_sub_p(py_neg, py_use, py);
+
+ /* Initialize R = P' = (x:(-1)^negate * y:1) */
+ u256_cmov(rx, px, 1);
+ u256_cmov(ry, py, 1);
+ m256_set32(rz, 1, &p256_p);
+ u256_cmov(ry, py_neg, negate);
+
+ /*
+ * For any odd number s_odd = b255 ... b1 1, we have
+ * s_odd = 2^255 + 2^254 sbit(b255) + ... + 2 sbit(b2) + sbit(b1)
+ * writing
+ * sbit(b) = 2 * b - 1 = b ? 1 : -1
+ *
+ * Use that to compute s_odd * P' by repeating R = 2 * R +- P':
+ * s_odd * P' = 2 * ( ... (2 * P' + sbit(b255) P') ... ) + sbit(b1) P'
+ *
+ * The loop invariant is that when beginning an iteration we have
+ * R = s_i P'
+ * with
+ * s_i = 2^(255-i) + 2^(254-i) sbit(b_255) + ...
+ * where the sum has 256 - i terms.
+ *
+ * When updating R we need to make sure the input to point_add() is
+ * neither 0 not +-P'. Since that input is 2 s_i P', it is sufficient to
+ * see that 1 < 2 s_i < n-1. The lower bound is obvious since s_i is a
+ * positive integer, and for the upper bound we distinguish three cases.
+ *
+ * If i > 1, then s_i < 2^254, so 2 s_i < 2^255 < n-1.
+ * Otherwise, i == 1 and we have 2 s_i = s_odd - sbit(b1).
+ * If s_odd <= n-4, then 2 s_1 <= n-3.
+ * Otherwise, s_odd = n-2, and for this curve's value of n,
+ * we have b1 == 1, so sbit(b1) = 1 and 2 s_1 <= n-3.
+ */
+ for (unsigned i = 255; i > 0; i--) {
+ uint32_t bit = (s_odd[i / 32] >> i % 32) & 1;
+
+ /* set (px, py_use) = sbit(bit) P' = sbit(bit) * (-1)^negate P */
+ u256_cmov(py_use, py, bit ^ negate);
+ u256_cmov(py_use, py_neg, (1 - bit) ^ negate);
+
+ /* Update R = 2 * R +- P' */
+ point_double(rx, ry, rz);
+ point_add(rx, ry, rz, px, py_use);
+ }
+
+ point_to_affine(rx, ry, rz);
+}
+
+/*
+ * Scalar import from big-endian bytes
+ *
+ * in: p = p0, ..., p31
+ * out: s = p0 * 2^248 + p1 * 2^240 + ... + p30 * 2^8 + p31
+ * return 0 if s in [1, n-1],
+ * -1 otherwise.
+ */
+static int scalar_from_bytes(uint32_t s[8], const uint8_t p[32])
+{
+ u256_from_bytes(s, p);
+
+ uint32_t r[8];
+ uint32_t lt_n = u256_sub(r, s, p256_n.m);
+
+ u256_set32(r, 1);
+ uint32_t lt_1 = u256_sub(r, s, r);
+
+ if (lt_n && !lt_1)
+ return 0;
+
+ return -1;
+}
+
+/* Using RNG functions from Mbed TLS as p256-m does not come with a
+ * cryptographically secure RNG function.
+ */
+int p256_generate_random(uint8_t *output, unsigned output_size)
+{
+ int ret;
+ ret = psa_generate_random(output, output_size);
+
+ if (ret != 0){
+ return P256_RANDOM_FAILED;
+ }
+ return P256_SUCCESS;
+}
+
+/*
+ * Scalar generation, with public key
+ *
+ * out: sbytes the big-endian bytes representation of the scalar
+ * s its u256 representation
+ * x, y the affine coordinates of s * G (Montgomery domain)
+ * return 0 if OK, -1 on failure
+ * sbytes, s, x, y must be discarded when returning non-zero.
+ */
+static int scalar_gen_with_pub(uint8_t sbytes[32], uint32_t s[8],
+ uint32_t x[8], uint32_t y[8])
+{
+ /* generate a random valid scalar */
+ int ret;
+ unsigned nb_tried = 0;
+ do {
+ if (nb_tried++ >= 4)
+ return -1;
+
+ ret = p256_generate_random(sbytes, 32);
+ CT_POISON(sbytes, 32);
+ if (ret != 0)
+ return -1;
+
+ ret = scalar_from_bytes(s, sbytes);
+ CT_UNPOISON(&ret, sizeof ret);
+ }
+ while (ret != 0);
+
+ /* compute and ouput the associated public key */
+ scalar_mult(x, y, p256_gx, p256_gy, s);
+
+ /* the associated public key is not a secret */
+ CT_UNPOISON(x, 32);
+ CT_UNPOISON(y, 32);
+
+ return 0;
+}
+
+/*
+ * ECDH/ECDSA generate pair
+ */
+int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64])
+{
+ uint32_t s[8], x[8], y[8];
+ int ret = scalar_gen_with_pub(priv, s, x, y);
+ zeroize(s, sizeof s);
+ if (ret != 0)
+ return P256_RANDOM_FAILED;
+
+ point_to_bytes(pub, x, y);
+ return 0;
+}
+
+/**********************************************************************
+ *
+ * ECDH
+ *
+ **********************************************************************/
+
+/*
+ * ECDH compute shared secret
+ */
+int p256_ecdh_shared_secret(uint8_t secret[32],
+ const uint8_t priv[32], const uint8_t peer[64])
+{
+ CT_POISON(priv, 32);
+
+ uint32_t s[8], px[8], py[8], x[8], y[8];
+ int ret;
+
+ ret = scalar_from_bytes(s, priv);
+ CT_UNPOISON(&ret, sizeof ret);
+ if (ret != 0) {
+ ret = P256_INVALID_PRIVKEY;
+ goto cleanup;
+ }
+
+ ret = point_from_bytes(px, py, peer);
+ if (ret != 0) {
+ ret = P256_INVALID_PUBKEY;
+ goto cleanup;
+ }
+
+ scalar_mult(x, y, px, py, s);
+
+ m256_to_bytes(secret, x, &p256_p);
+ CT_UNPOISON(secret, 32);
+
+cleanup:
+ zeroize(s, sizeof s);
+ return ret;
+}
+
+/**********************************************************************
+ *
+ * ECDSA
+ *
+ * Reference:
+ * [SEC1] SEC 1: Elliptic Curve Cryptography, Certicom research, 2009.
+ * http://www.secg.org/sec1-v2.pdf
+ **********************************************************************/
+
+/*
+ * Reduction mod n of a small number
+ *
+ * in: x in [0, 2^256)
+ * out: x_out = x_in mod n in [0, n)
+ */
+static void ecdsa_m256_mod_n(uint32_t x[8])
+{
+ uint32_t t[8];
+ uint32_t c = u256_sub(t, x, p256_n.m);
+ u256_cmov(x, t, 1 - c);
+}
+
+/*
+ * Import integer mod n (Montgomery domain) from hash
+ *
+ * in: h = h0, ..., h_hlen
+ * hlen the length of h in bytes
+ * out: z = (h0 * 2^l-8 + ... + h_l) * 2^256 mod n
+ * with l = min(32, hlen)
+ *
+ * Note: in [SEC1] this is step 5 of 4.1.3 (sign) or step 3 or 4.1.4 (verify),
+ * with obvious simplications since n's bit-length is a multiple of 8.
+ */
+static void ecdsa_m256_from_hash(uint32_t z[8],
+ const uint8_t *h, size_t hlen)
+{
+ /* convert from h (big-endian) */
+ /* hlen is public data so it's OK to branch on it */
+ if (hlen < 32) {
+ uint8_t p[32];
+ for (unsigned i = 0; i < 32; i++)
+ p[i] = 0;
+ for (unsigned i = 0; i < hlen; i++)
+ p[32 - hlen + i] = h[i];
+ u256_from_bytes(z, p);
+ } else {
+ u256_from_bytes(z, h);
+ }
+
+ /* ensure the result is in [0, n) */
+ ecdsa_m256_mod_n(z);
+
+ /* map to Montgomery domain */
+ m256_prep(z, &p256_n);
+}
+
+/*
+ * ECDSA sign
+ */
+int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
+ const uint8_t *hash, size_t hlen)
+{
+ CT_POISON(priv, 32);
+
+ /*
+ * Steps and notations from [SEC1] 4.1.3
+ *
+ * Instead of retrying on r == 0 or s == 0, just abort,
+ * as those events have negligible probability.
+ */
+ int ret;
+
+ /* Temporary buffers - the first two are mostly stable, so have names */
+ uint32_t xr[8], k[8], t3[8], t4[8];
+
+ /* 1. Set ephemeral keypair */
+ uint8_t *kb = (uint8_t *) t4;
+ /* kb will be erased by re-using t4 for dU - if we exit before that, we
+ * haven't read the private key yet so we kb isn't sensitive yet */
+ ret = scalar_gen_with_pub(kb, k, xr, t3); /* xr = x_coord(k * G) */
+ if (ret != 0)
+ return P256_RANDOM_FAILED;
+ m256_prep(k, &p256_n);
+
+ /* 2. Convert xr to an integer */
+ m256_done(xr, &p256_p);
+
+ /* 3. Reduce xr mod n (extra: output it while at it) */
+ ecdsa_m256_mod_n(xr); /* xr = int(xr) mod n */
+
+ /* xr is public data so it's OK to use a branch */
+ if (u256_diff0(xr) == 0)
+ return P256_RANDOM_FAILED;
+
+ u256_to_bytes(sig, xr);
+
+ m256_prep(xr, &p256_n);
+
+ /* 4. Skipped - we take the hash as an input, not the message */
+
+ /* 5. Derive an integer from the hash */
+ ecdsa_m256_from_hash(t3, hash, hlen); /* t3 = e */
+
+ /* 6. Compute s = k^-1 * (e + r * dU) */
+
+ /* Note: dU will be erased by re-using t4 for the value of s (public) */
+ ret = scalar_from_bytes(t4, priv); /* t4 = dU (integer domain) */
+ CT_UNPOISON(&ret, sizeof ret); /* Result of input validation */
+ if (ret != 0)
+ return P256_INVALID_PRIVKEY;
+ m256_prep(t4, &p256_n); /* t4 = dU (Montgomery domain) */
+
+ m256_inv(k, k, &p256_n); /* k^-1 */
+ m256_mul(t4, xr, t4, &p256_n); /* t4 = r * dU */
+ m256_add(t4, t3, t4, &p256_n); /* t4 = e + r * dU */
+ m256_mul(t4, k, t4, &p256_n); /* t4 = s = k^-1 * (e + r * dU) */
+ zeroize(k, sizeof k);
+
+ /* 7. Output s (r already outputed at step 3) */
+ CT_UNPOISON(t4, 32);
+ if (u256_diff0(t4) == 0) {
+ /* undo early output of r */
+ u256_to_bytes(sig, t4);
+ return P256_RANDOM_FAILED;
+ }
+ m256_to_bytes(sig + 32, t4, &p256_n);
+
+ return P256_SUCCESS;
+}
+
+/*
+ * ECDSA verify
+ */
+int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
+ const uint8_t *hash, size_t hlen)
+{
+ /*
+ * Steps and notations from [SEC1] 4.1.3
+ *
+ * Note: we're using public data only, so branches are OK
+ */
+ int ret;
+
+ /* 1. Validate range of r and s : [1, n-1] */
+ uint32_t r[8], s[8];
+ ret = scalar_from_bytes(r, sig);
+ if (ret != 0)
+ return P256_INVALID_SIGNATURE;
+ ret = scalar_from_bytes(s, sig + 32);
+ if (ret != 0)
+ return P256_INVALID_SIGNATURE;
+
+ /* 2. Skipped - we take the hash as an input, not the message */
+
+ /* 3. Derive an integer from the hash */
+ uint32_t e[8];
+ ecdsa_m256_from_hash(e, hash, hlen);
+
+ /* 4. Compute u1 = e * s^-1 and u2 = r * s^-1 */
+ uint32_t u1[8], u2[8];
+ m256_prep(s, &p256_n); /* s in Montgomery domain */
+ m256_inv(s, s, &p256_n); /* s = s^-1 mod n */
+ m256_mul(u1, e, s, &p256_n); /* u1 = e * s^-1 mod n */
+ m256_done(u1, &p256_n); /* u1 out of Montgomery domain */
+
+ u256_cmov(u2, r, 1);
+ m256_prep(u2, &p256_n); /* r in Montgomery domain */
+ m256_mul(u2, u2, s, &p256_n); /* u2 = r * s^-1 mod n */
+ m256_done(u2, &p256_n); /* u2 out of Montgomery domain */
+
+ /* 5. Compute R (and re-use (u1, u2) to store its coordinates */
+ uint32_t px[8], py[8];
+ ret = point_from_bytes(px, py, pub);
+ if (ret != 0)
+ return P256_INVALID_PUBKEY;
+
+ scalar_mult(e, s, px, py, u2); /* (e, s) = R2 = u2 * Qu */
+
+ if (u256_diff0(u1) == 0) {
+ /* u1 out of range for scalar_mult() - just skip it */
+ u256_cmov(u1, e, 1);
+ /* we don't care about the y coordinate */
+ } else {
+ scalar_mult(px, py, p256_gx, p256_gy, u1); /* (px, py) = R1 = u1 * G */
+
+ /* (u1, u2) = R = R1 + R2 */
+ point_add_or_double_leaky(u1, u2, px, py, e, s);
+ /* No need to check if R == 0 here: if that's the case, it will be
+ * caught when comparating rx (which will be 0) to r (which isn't). */
+ }
+
+ /* 6. Convert xR to an integer */
+ m256_done(u1, &p256_p);
+
+ /* 7. Reduce xR mod n */
+ ecdsa_m256_mod_n(u1);
+
+ /* 8. Compare xR mod n to r */
+ uint32_t diff = u256_diff(u1, r);
+ if (diff == 0)
+ return P256_SUCCESS;
+
+ return P256_INVALID_SIGNATURE;
+}
+
+/**********************************************************************
+ *
+ * Key management utilities
+ *
+ **********************************************************************/
+
+int p256_validate_pubkey(const uint8_t pub[64])
+{
+ uint32_t x[8], y[8];
+ int ret = point_from_bytes(x, y, pub);
+
+ return ret == 0 ? P256_SUCCESS : P256_INVALID_PUBKEY;
+}
+
+int p256_validate_privkey(const uint8_t priv[32])
+{
+ uint32_t s[8];
+ int ret = scalar_from_bytes(s, priv);
+ zeroize(s, sizeof(s));
+
+ return ret == 0 ? P256_SUCCESS : P256_INVALID_PRIVKEY;
+}
+
+int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32])
+{
+ int ret;
+ uint32_t s[8];
+
+ ret = scalar_from_bytes(s, priv);
+ if (ret != 0)
+ return P256_INVALID_PRIVKEY;
+
+ /* compute and ouput the associated public key */
+ uint32_t x[8], y[8];
+ scalar_mult(x, y, p256_gx, p256_gy, s);
+
+ /* the associated public key is not a secret, the scalar was */
+ CT_UNPOISON(x, 32);
+ CT_UNPOISON(y, 32);
+ zeroize(s, sizeof(s));
+
+ point_to_bytes(pub, x, y);
+ return P256_SUCCESS;
+}
+
+#endif
diff --git a/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h b/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h
new file mode 100644
index 0000000..c267800
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h
@@ -0,0 +1,135 @@
+/*
+ * Interface of curve P-256 (ECDH and ECDSA)
+ *
+ * Copyright The Mbed TLS Contributors
+ * Author: Manuel Pégourié-Gonnard.
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef P256_M_H
+#define P256_M_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+/* Status codes */
+#define P256_SUCCESS 0
+#define P256_RANDOM_FAILED -1
+#define P256_INVALID_PUBKEY -2
+#define P256_INVALID_PRIVKEY -3
+#define P256_INVALID_SIGNATURE -4
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * RNG function - must be provided externally and be cryptographically secure.
+ *
+ * in: output - must point to a writable buffer of at least output_size bytes.
+ * output_size - the number of random bytes to write to output.
+ * out: output is filled with output_size random bytes.
+ * return 0 on success, non-zero on errors.
+ */
+extern int p256_generate_random(uint8_t * output, unsigned output_size);
+
+/*
+ * ECDH/ECDSA generate key pair
+ *
+ * [in] draws from p256_generate_random()
+ * [out] priv: on success, holds the private key, as a big-endian integer
+ * [out] pub: on success, holds the public key, as two big-endian integers
+ *
+ * return: P256_SUCCESS on success
+ * P256_RANDOM_FAILED on failure
+ */
+int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64]);
+
+/*
+ * ECDH compute shared secret
+ *
+ * [out] secret: on success, holds the shared secret, as a big-endian integer
+ * [in] priv: our private key as a big-endian integer
+ * [in] pub: the peer's public key, as two big-endian integers
+ *
+ * return: P256_SUCCESS on success
+ * P256_INVALID_PRIVKEY if priv is invalid
+ * P256_INVALID_PUBKEY if pub is invalid
+ */
+int p256_ecdh_shared_secret(uint8_t secret[32],
+ const uint8_t priv[32], const uint8_t pub[64]);
+
+/*
+ * ECDSA sign
+ *
+ * [in] draws from p256_generate_random()
+ * [out] sig: on success, holds the signature, as two big-endian integers
+ * [in] priv: our private key as a big-endian integer
+ * [in] hash: the hash of the message to be signed
+ * [in] hlen: the size of hash in bytes
+ *
+ * return: P256_SUCCESS on success
+ * P256_RANDOM_FAILED on failure
+ * P256_INVALID_PRIVKEY if priv is invalid
+ */
+int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
+ const uint8_t *hash, size_t hlen);
+
+/*
+ * ECDSA verify
+ *
+ * [in] sig: the signature to be verified, as two big-endian integers
+ * [in] pub: the associated public key, as two big-endian integers
+ * [in] hash: the hash of the message that was signed
+ * [in] hlen: the size of hash in bytes
+ *
+ * return: P256_SUCCESS on success - the signature was verified as valid
+ * P256_INVALID_PUBKEY if pub is invalid
+ * P256_INVALID_SIGNATURE if the signature was found to be invalid
+ */
+int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
+ const uint8_t *hash, size_t hlen);
+
+/*
+ * Public key validation
+ *
+ * Note: you never need to call this function, as all other functions always
+ * validate their input; however it's availabe if you want to validate the key
+ * without performing an operation.
+ *
+ * [in] pub: the public key, as two big-endian integers
+ *
+ * return: P256_SUCCESS if the key is valid
+ * P256_INVALID_PUBKEY if pub is invalid
+ */
+int p256_validate_pubkey(const uint8_t pub[64]);
+
+/*
+ * Private key validation
+ *
+ * Note: you never need to call this function, as all other functions always
+ * validate their input; however it's availabe if you want to validate the key
+ * without performing an operation.
+ *
+ * [in] priv: the private key, as a big-endian integer
+ *
+ * return: P256_SUCCESS if the key is valid
+ * P256_INVALID_PRIVKEY if priv is invalid
+ */
+int p256_validate_privkey(const uint8_t priv[32]);
+
+/*
+ * Compute public key from private key
+ *
+ * [out] pub: the associated public key, as two big-endian integers
+ * [in] priv: the private key, as a big-endian integer
+ *
+ * return: P256_SUCCESS on success
+ * P256_INVALID_PRIVKEY if priv is invalid
+ */
+int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32]);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* P256_M_H */
diff --git a/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.c b/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.c
new file mode 100644
index 0000000..d272dcb
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.c
@@ -0,0 +1,312 @@
+/*
+ * Driver entry points for p256-m
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "mbedtls/platform.h"
+#include "p256-m_driver_entrypoints.h"
+#include "p256-m/p256-m.h"
+#include "psa/crypto.h"
+#include <stddef.h>
+#include <string.h>
+#include "psa_crypto_driver_wrappers_no_static.h"
+
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+
+/* INFORMATION ON PSA KEY EXPORT FORMATS:
+ *
+ * PSA exports SECP256R1 keys in two formats:
+ * 1. Keypair format: 32 byte string which is just the private key (public key
+ * can be calculated from the private key)
+ * 2. Public Key format: A leading byte 0x04 (indicating uncompressed format),
+ * followed by the 64 byte public key. This results in a
+ * total of 65 bytes.
+ *
+ * p256-m's internal format for private keys matches PSA. Its format for public
+ * keys is only 64 bytes: the same as PSA but without the leading byte (0x04).
+ * Hence, when passing public keys from PSA to p256-m, the leading byte is
+ * removed.
+ *
+ * Shared secret and signature have the same format between PSA and p256-m.
+ */
+#define PSA_PUBKEY_SIZE 65
+#define PSA_PUBKEY_HEADER_BYTE 0x04
+#define P256_PUBKEY_SIZE 64
+#define PRIVKEY_SIZE 32
+#define SHARED_SECRET_SIZE 32
+#define SIGNATURE_SIZE 64
+
+#define CURVE_BITS 256
+
+/* Convert between p256-m and PSA error codes */
+static psa_status_t p256_to_psa_error(int ret)
+{
+ switch (ret) {
+ case P256_SUCCESS:
+ return PSA_SUCCESS;
+ case P256_INVALID_PUBKEY:
+ case P256_INVALID_PRIVKEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case P256_INVALID_SIGNATURE:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case P256_RANDOM_FAILED:
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+
+psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length,
+ size_t *bits)
+{
+ /* Check the key size */
+ if (*bits != 0 && *bits != CURVE_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Validate the key (and its type and size) */
+ psa_key_type_t type = psa_get_key_type(attributes);
+ if (type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
+ if (data_length != PSA_PUBKEY_SIZE) {
+ return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
+ }
+ /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
+ if (p256_validate_pubkey(data + 1) != P256_SUCCESS) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else if (type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
+ if (data_length != PRIVKEY_SIZE) {
+ return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (p256_validate_privkey(data) != P256_SUCCESS) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ *bits = CURVE_BITS;
+
+ /* We only support the export format for input, so just copy. */
+ if (key_buffer_size < data_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ /* Is this the right curve? */
+ size_t bits = psa_get_key_bits(attributes);
+ psa_key_type_t type = psa_get_key_type(attributes);
+ if (bits != CURVE_BITS || type != PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Validate sizes, as p256-m expects fixed-size buffers */
+ if (key_buffer_size != PRIVKEY_SIZE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (data_size < PSA_PUBKEY_SIZE) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
+ data[0] = PSA_PUBKEY_HEADER_BYTE;
+ int ret = p256_public_from_private(data + 1, key_buffer);
+ if (ret == P256_SUCCESS) {
+ *data_length = PSA_PUBKEY_SIZE;
+ }
+
+ return p256_to_psa_error(ret);
+}
+
+psa_status_t p256_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length)
+{
+ /* We don't use this argument, but the specification mandates the signature
+ * of driver entry-points. (void) used to avoid compiler warning. */
+ (void) attributes;
+
+ /* Validate sizes, as p256-m expects fixed-size buffers */
+ if (key_buffer_size != PRIVKEY_SIZE) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * p256-m's keypair generation function outputs both public and private
+ * keys. Allocate a buffer to which the public key will be written. The
+ * private key will be written to key_buffer, which is passed to this
+ * function as an argument. */
+ uint8_t public_key_buffer[P256_PUBKEY_SIZE];
+
+ int ret = p256_gen_keypair(key_buffer, public_key_buffer);
+ if (ret == P256_SUCCESS) {
+ *key_buffer_length = PRIVKEY_SIZE;
+ }
+
+ return p256_to_psa_error(ret);
+}
+
+psa_status_t p256_transparent_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ /* We don't use these arguments, but the specification mandates the
+ * sginature of driver entry-points. (void) used to avoid compiler
+ * warning. */
+ (void) attributes;
+ (void) alg;
+
+ /* Validate sizes, as p256-m expects fixed-size buffers */
+ if (key_buffer_size != PRIVKEY_SIZE || peer_key_length != PSA_PUBKEY_SIZE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (shared_secret_size < SHARED_SECRET_SIZE) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
+ const uint8_t *peer_key_p256m = peer_key + 1;
+ int ret = p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key_p256m);
+ if (ret == P256_SUCCESS) {
+ *shared_secret_length = SHARED_SECRET_SIZE;
+ }
+
+ return p256_to_psa_error(ret);
+}
+
+psa_status_t p256_transparent_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ /* We don't use these arguments, but the specification mandates the
+ * sginature of driver entry-points. (void) used to avoid compiler
+ * warning. */
+ (void) attributes;
+ (void) alg;
+
+ /* Validate sizes, as p256-m expects fixed-size buffers */
+ if (key_buffer_size != PRIVKEY_SIZE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (signature_size < SIGNATURE_SIZE) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ int ret = p256_ecdsa_sign(signature, key_buffer, hash, hash_length);
+ if (ret == P256_SUCCESS) {
+ *signature_length = SIGNATURE_SIZE;
+ }
+
+ return p256_to_psa_error(ret);
+}
+
+/* This function expects the key buffer to contain a PSA public key,
+ * as exported by psa_export_public_key() */
+static psa_status_t p256_verify_hash_with_public_key(
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ /* Validate sizes, as p256-m expects fixed-size buffers */
+ if (key_buffer_size != PSA_PUBKEY_SIZE || *key_buffer != PSA_PUBKEY_HEADER_BYTE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (signature_length != SIGNATURE_SIZE) {
+ return PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
+ const uint8_t *public_key_p256m = key_buffer + 1;
+ int ret = p256_ecdsa_verify(signature, public_key_p256m, hash, hash_length);
+
+ return p256_to_psa_error(ret);
+}
+
+psa_status_t p256_transparent_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ /* We don't use this argument, but the specification mandates the signature
+ * of driver entry-points. (void) used to avoid compiler warning. */
+ (void) alg;
+
+ psa_status_t status;
+ uint8_t public_key_buffer[PSA_PUBKEY_SIZE];
+ size_t public_key_buffer_size = PSA_PUBKEY_SIZE;
+
+ size_t public_key_length = PSA_PUBKEY_SIZE;
+ /* As p256-m doesn't require dynamic allocation, we want to avoid it in
+ * the entrypoint functions as well. psa_driver_wrapper_export_public_key()
+ * requires size_t*, so we use a pointer to a stack variable. */
+ size_t *public_key_length_ptr = &public_key_length;
+
+ /* The contents of key_buffer may either be the 32 byte private key
+ * (keypair format), or 0x04 followed by the 64 byte public key (public
+ * key format). To ensure the key is in the latter format, the public key
+ * is exported. */
+ status = psa_driver_wrapper_export_public_key(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ public_key_buffer,
+ public_key_buffer_size,
+ public_key_length_ptr);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = p256_verify_hash_with_public_key(
+ public_key_buffer,
+ public_key_buffer_size,
+ hash,
+ hash_length,
+ signature,
+ signature_length);
+
+exit:
+ return status;
+}
+
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
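Review bot: `p256_transparent_import_key` and `p256_transparent_key_agreement` step over the first byte of a 65-byte public key (`data + 1`, `peer_key + 1`) without checking that it is `PSA_PUBKEY_HEADER_BYTE`, so an encoding with any other leading byte is accepted as long as the remaining 64 bytes form a valid point. `p256_verify_hash_with_public_key` in the same file does check `*key_buffer != PSA_PUBKEY_HEADER_BYTE`, so the three paths disagree on which encodings they accept. I would reject a wrong prefix in both places: in import, `if (data[0] != PSA_PUBKEY_HEADER_BYTE || p256_validate_pubkey(data + 1) != P256_SUCCESS) {`, and in key agreement, after the length check, `if (peer_key[0] != PSA_PUBKEY_HEADER_BYTE) { return PSA_ERROR_INVALID_ARGUMENT; }`. Both reads are safe because the length has already been compared with `PSA_PUBKEY_SIZE`. Whether the dispatching core filters the prefix before calling the driver is not visible in this diff.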
diff --git a/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h b/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h
new file mode 100644
index 0000000..c740c45
--- /dev/null
+++ b/tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h
@@ -0,0 +1,219 @@
+/*
+ * Driver entry points for p256-m
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef P256M_DRIVER_ENTRYPOINTS_H
+#define P256M_DRIVER_ENTRYPOINTS_H
+
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+
+#include "psa/crypto_types.h"
+
+/** Import SECP256R1 key.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] data The raw key material. For private keys
+ * this must be a big-endian integer of 32
+ * bytes; for public key this must be an
+ * uncompressed ECPoint (65 bytes).
+ * \param[in] data_length The size of the raw key material.
+ * \param[out] key_buffer The buffer to contain the key data in
+ * output format upon successful return.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The bitsize of the key.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Keypair generated and stored in buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The input is not supported by this driver (not SECP256R1).
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The input is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p key_buffer_size is too small.
+ */
+psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length,
+ size_t *bits);
+
+/** Export SECP256R1 public key, from the private key.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The private key in the export format.
+ * \param[in] key_buffer_size The size of the private key in bytes.
+ * \param[out] data The buffer to contain the public key in
+ * the export format upon successful return.
+ * \param[in] data_size The size of the \p data buffer in bytes.
+ * \param[out] data_length The length written to \p data in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Keypair generated and stored in buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The input is not supported by this driver (not SECP256R1).
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The input is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p key_buffer_size is too small.
+ */
+psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/** Generate SECP256R1 ECC Key Pair.
+ * Interface function which calls the p256-m key generation function and
+ * places it in the key buffer provided by the caller (Mbed TLS) in the
+ * correct format. For a SECP256R1 curve this is the 32 bit private key.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[out] key_buffer The buffer to contain the key data in
+ * output format upon successful return.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Keypair generated and stored in buffer.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p key_buffer_size is too small.
+ * \retval #PSA_ERROR_GENERIC_ERROR
+ * The internal RNG failed.
+ */
+psa_status_t p256_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/** Perform raw key agreement using p256-m's ECDH implementation
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the peer's public
+ * key in format specified by PSA.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that
+ * make up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The input is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p shared_secret_size is too small.
+ */
+psa_status_t p256_transparent_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/** Sign an already-calculated hash with a private key using p256-m's ECDSA
+ * implementation
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible
+ * with the type of the key.
+ * \param[in] hash The hash to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. Hash was signed successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The input is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p signature_size is too small.
+ * \retval #PSA_ERROR_GENERIC_ERROR
+ * The internal RNG failed.
+ */
+psa_status_t p256_transparent_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/** Verify the signature of a hash using a SECP256R1 public key using p256-m's
+ * ECDSA implementation.
+ *
+ * \note p256-m expects a 64 byte public key, but the contents of the key
+ buffer may be the 32 byte keypair representation or the 65 byte
+ public key representation. As a result, this function calls
+ psa_driver_wrapper_export_public_key() to ensure the public key
+ can be passed to p256-m.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ *
+ * \param[in] key_buffer The buffer containing the key
+ * in the format specified by PSA.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The input is invalid.
+ */
+psa_status_t p256_transparent_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+#endif /* P256M_DRIVER_ENTRYPOINTS_H */
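Review bot: Several Doxygen blocks in this header do not match the implementation in p256-m_driver_entrypoints.c. The `p256_transparent_generate_key` description says "32 bit private key", but the code writes `PRIVKEY_SIZE` (32) bytes. The `#PSA_ERROR_BUFFER_TOO_SMALL` entry for `p256_transparent_export_public_key` names `key_buffer_size`, whereas the code returns that status when `data_size` is below 65 and returns `PSA_ERROR_INVALID_ARGUMENT` for a wrong `key_buffer_size`. The `#PSA_SUCCESS` text "Keypair generated and stored in buffer" was copied onto the import and export functions; it should read `Success. Key imported into \p key_buffer.` and `Success. Public key written to \p data.` respectively. The `p256_transparent_generate_key` entry should also note that `PSA_ERROR_BUFFER_TOO_SMALL` is returned for any `key_buffer_size` other than exactly 32, including a larger buffer.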
diff --git a/tf-psa-crypto/include/.gitignore b/tf-psa-crypto/include/.gitignore
new file mode 100644
index 0000000..f3c7a7c
--- /dev/null
+++ b/tf-psa-crypto/include/.gitignore
@@ -0,0 +1 @@
+Makefile
diff --git a/tf-psa-crypto/include/CMakeLists.txt b/tf-psa-crypto/include/CMakeLists.txt
new file mode 100644
index 0000000..bca86ff
--- /dev/null
+++ b/tf-psa-crypto/include/CMakeLists.txt
@@ -0,0 +1,19 @@
+option(INSTALL_TF_PSA_CRYPTO_HEADERS "Install TF PSA Crypto headers." ON)
+
+if(INSTALL_TF_PSA_CRYPTO_HEADERS)
+ file(GLOB psa_headers "psa/*.h")
+ file(GLOB mbedtls_crypto_headers "../drivers/builtin/include/mbedtls/*.h")
+
+ install(FILES ${psa_headers}
+ DESTINATION include/psa
+ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+
+ install(FILES ${mbedtls_crypto_headers}
+ DESTINATION include/mbedtls
+ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+endif(INSTALL_TF_PSA_CRYPTO_HEADERS)
+
+# Make includes available in an out-of-source build. ssl-opt.sh requires it.
+if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+ link_to_source(psa)
+endif()
diff --git a/tf-psa-crypto/include/psa/build_info.h b/tf-psa-crypto/include/psa/build_info.h
new file mode 100644
index 0000000..3ee6cd7
--- /dev/null
+++ b/tf-psa-crypto/include/psa/build_info.h
@@ -0,0 +1,20 @@
+/**
+ * \file psa/build_info.h
+ *
+ * \brief Build-time PSA configuration info
+ *
+ * Include this file if you need to depend on the
+ * configuration options defined in mbedtls_config.h or MBEDTLS_CONFIG_FILE
+ * in PSA cryptography core specific files.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_BUILD_INFO_H
+#define PSA_CRYPTO_BUILD_INFO_H
+
+#include "mbedtls/build_info.h"
+
+#endif /* PSA_CRYPTO_BUILD_INFO_H */
diff --git a/tf-psa-crypto/include/psa/crypto.h b/tf-psa-crypto/include/psa/crypto.h
new file mode 100644
index 0000000..f9db4dd
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto.h
@@ -0,0 +1,4835 @@
+/**
+ * \file psa/crypto.h
+ * \brief Platform Security Architecture cryptography module
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_H
+#define PSA_CRYPTO_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
+#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
+#else
+#include "crypto_platform.h"
+#endif
+
+#include <stddef.h>
+
+#ifdef __DOXYGEN_ONLY__
+/* This __DOXYGEN_ONLY__ block contains mock definitions for things that
+ * must be defined in the crypto_platform.h header. These mock definitions
+ * are present in this file as a convenience to generate pretty-printed
+ * documentation that includes those definitions. */
+
+/** \defgroup platform Implementation-specific definitions
+ * @{
+ */
+
+/**@}*/
+#endif /* __DOXYGEN_ONLY__ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* The file "crypto_types.h" declares types that encode errors,
+ * algorithms, key types, policies, etc. */
+#include "crypto_types.h"
+
+/** \defgroup version API version
+ * @{
+ */
+
+/**
+ * The major version of this implementation of the PSA Crypto API
+ */
+#define PSA_CRYPTO_API_VERSION_MAJOR 1
+
+/**
+ * The minor version of this implementation of the PSA Crypto API
+ */
+#define PSA_CRYPTO_API_VERSION_MINOR 0
+
+/**@}*/
+
+/* The file "crypto_values.h" declares macros to build and analyze values
+ * of integral types defined in "crypto_types.h". */
+#include "crypto_values.h"
+
+/** \defgroup initialization Library initialization
+ * @{
+ */
+
+/**
+ * \brief Library initialization.
+ *
+ * Applications must call this function before calling any other
+ * function in this module.
+ *
+ * Applications may call this function more than once. Once a call
+ * succeeds, subsequent calls are guaranteed to succeed.
+ *
+ * If the application calls other functions before calling psa_crypto_init(),
+ * the behavior is undefined. Implementations are encouraged to either perform
+ * the operation as if the library had been initialized or to return
+ * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
+ * implementations should not return a success status if the lack of
+ * initialization may have security implications, for example due to improper
+ * seeding of the random number generator.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_crypto_init(void);
+
+/**@}*/
+
+/** \addtogroup attributes
+ * @{
+ */
+
+/** \def PSA_KEY_ATTRIBUTES_INIT
+ *
+ * This macro returns a suitable initializer for a key attribute structure
+ * of type #psa_key_attributes_t.
+ */
+
+/** Return an initial value for a key attributes structure.
+ */
+static psa_key_attributes_t psa_key_attributes_init(void);
+
+/** Declare a key as persistent and set its key identifier.
+ *
+ * If the attribute structure currently declares the key as volatile (which
+ * is the default content of an attribute structure), this function sets
+ * the lifetime attribute to #PSA_KEY_LIFETIME_PERSISTENT.
+ *
+ * This function does not access storage, it merely stores the given
+ * value in the structure.
+ * The persistent key will be written to storage when the attribute
+ * structure is passed to a key creation function such as
+ * psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
+ * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
+ * or psa_copy_key().
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param key The persistent identifier for the key.
+ */
+static void psa_set_key_id(psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t key);
+
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+/** Set the owner identifier of a key.
+ *
+ * When key identifiers encode key owner identifiers, psa_set_key_id() does
+ * not allow to define in key attributes the owner of volatile keys as
+ * psa_set_key_id() enforces the key to be persistent.
+ *
+ * This function allows to set in key attributes the owner identifier of a
+ * key. It is intended to be used for volatile keys. For persistent keys,
+ * it is recommended to use the PSA Cryptography API psa_set_key_id() to define
+ * the owner of a key.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param owner The key owner identifier.
+ */
+static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
+ mbedtls_key_owner_id_t owner);
+#endif
+
+/** Set the location of a persistent key.
+ *
+ * To make a key persistent, you must give it a persistent key identifier
+ * with psa_set_key_id(). By default, a key that has a persistent identifier
+ * is stored in the default storage area identifier by
+ * #PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage
+ * area, or to explicitly declare the key as volatile.
+ *
+ * This function does not access storage, it merely stores the given
+ * value in the structure.
+ * The persistent key will be written to storage when the attribute
+ * structure is passed to a key creation function such as
+ * psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
+ * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
+ * or psa_copy_key().
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param lifetime The lifetime for the key.
+ * If this is #PSA_KEY_LIFETIME_VOLATILE, the
+ * key will be volatile, and the key identifier
+ * attribute is reset to 0.
+ */
+static void psa_set_key_lifetime(psa_key_attributes_t *attributes,
+ psa_key_lifetime_t lifetime);
+
+/** Retrieve the key identifier from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The persistent identifier stored in the attribute structure.
+ * This value is unspecified if the attribute structure declares
+ * the key as volatile.
+ */
+static mbedtls_svc_key_id_t psa_get_key_id(
+ const psa_key_attributes_t *attributes);
+
+/** Retrieve the lifetime from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The lifetime value stored in the attribute structure.
+ */
+static psa_key_lifetime_t psa_get_key_lifetime(
+ const psa_key_attributes_t *attributes);
+
+/** Declare usage flags for a key.
+ *
+ * Usage flags are part of a key's usage policy. They encode what
+ * kind of operations are permitted on the key. For more details,
+ * refer to the documentation of the type #psa_key_usage_t.
+ *
+ * This function overwrites any usage flags
+ * previously set in \p attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param usage_flags The usage flags to write.
+ */
+static void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
+ psa_key_usage_t usage_flags);
+
+/** Retrieve the usage flags from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The usage flags stored in the attribute structure.
+ */
+static psa_key_usage_t psa_get_key_usage_flags(
+ const psa_key_attributes_t *attributes);
+
+/** Declare the permitted algorithm policy for a key.
+ *
+ * The permitted algorithm policy of a key encodes which algorithm or
+ * algorithms are permitted to be used with this key. The following
+ * algorithm policies are supported:
+ * - 0 does not allow any cryptographic operation with the key. The key
+ * may be used for non-cryptographic actions such as exporting (if
+ * permitted by the usage flags).
+ * - An algorithm value permits this particular algorithm.
+ * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified
+ * signature scheme with any hash algorithm.
+ * - An algorithm built from #PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows
+ * any MAC algorithm from the same base class (e.g. CMAC) which
+ * generates/verifies a MAC length greater than or equal to the length
+ * encoded in the wildcard algorithm.
+ * - An algorithm built from #PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG
+ * allows any AEAD algorithm from the same base class (e.g. CCM) which
+ * generates/verifies a tag length greater than or equal to the length
+ * encoded in the wildcard algorithm.
+ *
+ * This function overwrites any algorithm policy
+ * previously set in \p attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param alg The permitted algorithm policy to write.
+ */
+static void psa_set_key_algorithm(psa_key_attributes_t *attributes,
+ psa_algorithm_t alg);
+
+
+/** Retrieve the algorithm policy from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The algorithm stored in the attribute structure.
+ */
+static psa_algorithm_t psa_get_key_algorithm(
+ const psa_key_attributes_t *attributes);
+
+/** Declare the type of a key.
+ *
+ * This function overwrites any key type
+ * previously set in \p attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param type The key type to write.
+ * If this is 0, the key type in \p attributes
+ * becomes unspecified.
+ */
+static void psa_set_key_type(psa_key_attributes_t *attributes,
+ psa_key_type_t type);
+
+
+/** Declare the size of a key.
+ *
+ * This function overwrites any key size previously set in \p attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate each of its arguments exactly once.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param bits The key size in bits.
+ * If this is 0, the key size in \p attributes
+ * becomes unspecified. Keys of size 0 are
+ * not supported.
+ */
+static void psa_set_key_bits(psa_key_attributes_t *attributes,
+ size_t bits);
+
+/** Retrieve the key type from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The key type stored in the attribute structure.
+ */
+static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes);
+
+/** Retrieve the key size from key attributes.
+ *
+ * This function may be declared as `static` (i.e. without external
+ * linkage). This function may be provided as a function-like macro,
+ * but in this case it must evaluate its argument exactly once.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The key size stored in the attribute structure, in bits.
+ */
+static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
+
+/** Retrieve the attributes of a key.
+ *
+ * This function first resets the attribute structure as with
+ * psa_reset_key_attributes(). It then copies the attributes of
+ * the given key into the given attribute structure.
+ *
+ * \note This function may allocate memory or other resources.
+ * Once you have called this function on an attribute structure,
+ * you must call psa_reset_key_attributes() to free these resources.
+ *
+ * \param[in] key Identifier of the key to query.
+ * \param[in,out] attributes On success, the attributes of the key.
+ * On failure, equivalent to a
+ * freshly-initialized structure.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes);
+
+/** Reset a key attribute structure to a freshly initialized state.
+ *
+ * You must initialize the attribute structure as described in the
+ * documentation of the type #psa_key_attributes_t before calling this
+ * function. Once the structure has been initialized, you may call this
+ * function at any time.
+ *
+ * This function frees any auxiliary resources that the structure
+ * may contain.
+ *
+ * \param[in,out] attributes The attribute structure to reset.
+ */
+void psa_reset_key_attributes(psa_key_attributes_t *attributes);
+
+/**@}*/
+
+/** \defgroup key_management Key management
+ * @{
+ */
+
+/** Remove non-essential copies of key material from memory.
+ *
+ * If the key identifier designates a volatile key, this functions does not do
+ * anything and returns successfully.
+ *
+ * If the key identifier designates a persistent key, then this function will
+ * free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and the key can still be used.
+ *
+ * \param key Identifier of the key to purge.
+ *
+ * \retval #PSA_SUCCESS
+ * The key material will have been removed from memory if it is not
+ * currently required.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_purge_key(mbedtls_svc_key_id_t key);
+
+/** Make a copy of a key.
+ *
+ * Copy key material from one location to another.
+ *
+ * This function is primarily useful to copy a key from one location
+ * to another, since it populates a key using the material from
+ * another key which may have a different lifetime.
+ *
+ * This function may be used to share a key with a different party,
+ * subject to implementation-defined restrictions on key sharing.
+ *
+ * The policy on the source key must have the usage flag
+ * #PSA_KEY_USAGE_COPY set.
+ * This flag is sufficient to permit the copy if the key has the lifetime
+ * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
+ * Some secure elements do not provide a way to copy a key without
+ * making it extractable from the secure element. If a key is located
+ * in such a secure element, then the key must have both usage flags
+ * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
+ * a copy of the key outside the secure element.
+ *
+ * The resulting key may only be used in a way that conforms to
+ * both the policy of the original key and the policy specified in
+ * the \p attributes parameter:
+ * - The usage flags on the resulting key are the bitwise-and of the
+ * usage flags on the source policy and the usage flags in \p attributes.
+ * - If both allow the same algorithm or wildcard-based
+ * algorithm policy, the resulting key has the same algorithm policy.
+ * - If either of the policies allows an algorithm and the other policy
+ * allows a wildcard-based algorithm policy that includes this algorithm,
+ * the resulting key allows the same algorithm.
+ * - If the policies do not allow any algorithm in common, this function
+ * fails with the status #PSA_ERROR_INVALID_ARGUMENT.
+ *
+ * The effect of this function on implementation-defined attributes is
+ * implementation-defined.
+ *
+ * \param source_key The key to copy. It must allow the usage
+ * #PSA_KEY_USAGE_COPY. If a private or secret key is
+ * being copied outside of a secure element it must
+ * also allow #PSA_KEY_USAGE_EXPORT.
+ * \param[in] attributes The attributes for the new key.
+ * They are used as follows:
+ * - The key type and size may be 0. If either is
+ * nonzero, it must match the corresponding
+ * attribute of the source key.
+ * - The key location (the lifetime and, for
+ * persistent keys, the key identifier) is
+ * used directly.
+ * - The policy constraints (usage flags and
+ * algorithm policy) are combined from
+ * the source key and \p attributes so that
+ * both sets of restrictions apply, as
+ * described in the documentation of this function.
+ * \param[out] target_key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p source_key is invalid.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The lifetime or identifier in \p attributes are invalid, or
+ * the policy constraints on the source and specified in
+ * \p attributes are incompatible, or
+ * \p attributes specifies a key type or key size
+ * which does not match the attributes of the source key.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
+ * the source key is not exportable and its lifetime does not
+ * allow copying it to the target's lifetime.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *target_key);
+
+
+/**
+ * \brief Destroy a key.
+ *
+ * This function destroys a key from both volatile
+ * memory and, if applicable, non-volatile storage. Implementations shall
+ * make a best effort to ensure that the key material cannot be recovered.
+ *
+ * This function also erases any metadata such as policies and frees
+ * resources associated with the key.
+ *
+ * If a key is currently in use in a multipart operation, then destroying the
+ * key will cause the multipart operation to fail.
+ *
+ * \warning We can only guarantee that the the key material will
+ * eventually be wiped from memory. With threading enabled
+ * and during concurrent execution, copies of the key material may
+ * still exist until all threads have finished using the key.
+ *
+ * \param key Identifier of the key to erase. If this is \c 0, do nothing and
+ * return #PSA_SUCCESS.
+ *
+ * \retval #PSA_SUCCESS
+ * \p key was a valid identifier and the key material that it
+ * referred to has been erased. Alternatively, \p key is \c 0.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key cannot be erased because it is
+ * read-only, either due to a policy or due to physical restrictions.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid identifier nor \c 0.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * There was a failure in communication with the cryptoprocessor.
+ * The key material may still be present in the cryptoprocessor.
+ * \retval #PSA_ERROR_DATA_INVALID
+ * This error is typically a result of either storage corruption on a
+ * cleartext storage backend, or an attempt to read data that was
+ * written by an incompatible version of the library.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The storage is corrupted. Implementations shall make a best effort
+ * to erase key material even in this stage, however applications
+ * should be aware that it may be impossible to guarantee that the
+ * key material is not recoverable in such cases.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * An unexpected condition which is not a storage corruption or
+ * a communication failure occurred. The cryptoprocessor may have
+ * been compromised.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key);
+
+/**@}*/
+
+/** \defgroup import_export Key import and export
+ * @{
+ */
+
+/**
+ * \brief Import a key in binary format.
+ *
+ * This function supports any output from psa_export_key(). Refer to the
+ * documentation of psa_export_public_key() for the format of public keys
+ * and to the documentation of psa_export_key() for the format for
+ * other key types.
+ *
+ * The key data determines the key size. The attributes may optionally
+ * specify a key size; in this case it must match the size determined
+ * from the key data. A key size of 0 in \p attributes indicates that
+ * the key size is solely determined by the key data.
+ *
+ * Implementations must reject an attempt to import a key of size 0.
+ *
+ * This specification supports a single format for each key type.
+ * Implementations may support other formats as long as the standard
+ * format is supported. Implementations that support other formats
+ * should ensure that the formats are clearly unambiguous so as to
+ * minimize the risk that an invalid input is accidentally interpreted
+ * according to a different format.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * The key size is always determined from the
+ * \p data buffer.
+ * If the key size in \p attributes is nonzero,
+ * it must be equal to the size from \p data.
+ * \param[out] key On success, an identifier to the newly created key.
+ * For persistent keys, this is the key identifier
+ * defined in \p attributes.
+ * \c 0 on failure.
+ * \param[in] data Buffer containing the key data. The content of this
+ * buffer is interpreted according to the type declared
+ * in \p attributes.
+ * All implementations must support at least the format
+ * described in the documentation
+ * of psa_export_key() or psa_export_public_key() for
+ * the chosen type. Implementations may allow other
+ * formats, but should be conservative: implementations
+ * should err on the side of rejecting content if it
+ * may be erroneous (e.g. wrong type or truncated data).
+ * \param data_length Size of the \p data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular persistent location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key attributes, as a whole, are invalid, or
+ * the key data is not correctly formatted, or
+ * the size in \p attributes is nonzero and does not match the size
+ * of the key data.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_svc_key_id_t *key);
+
+
+
+/**
+ * \brief Export a key in binary format.
+ *
+ * The output of this function can be passed to psa_import_key() to
+ * create an equivalent object.
+ *
+ * If the implementation of psa_import_key() supports other formats
+ * beyond the format specified here, the output from psa_export_key()
+ * must use the representation specified here, not the original
+ * representation.
+ *
+ * For standard key types, the output format is as follows:
+ *
+ * - For symmetric keys (including MAC keys), the format is the
+ * raw bytes of the key.
+ * - For DES, the key data consists of 8 bytes. The parity bits must be
+ * correct.
+ * - For Triple-DES, the format is the concatenation of the
+ * two or three DES keys.
+ * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
+ * is the non-encrypted DER encoding of the representation defined by
+ * PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
+ * ```
+ * RSAPrivateKey ::= SEQUENCE {
+ * version INTEGER, -- must be 0
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER, -- e
+ * privateExponent INTEGER, -- d
+ * prime1 INTEGER, -- p
+ * prime2 INTEGER, -- q
+ * exponent1 INTEGER, -- d mod (p-1)
+ * exponent2 INTEGER, -- d mod (q-1)
+ * coefficient INTEGER, -- (inverse of q) mod p
+ * }
+ * ```
+ * - For elliptic curve key pairs (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
+ * a representation of the private value as a `ceiling(m/8)`-byte string
+ * where `m` is the bit size associated with the curve, i.e. the bit size
+ * of the order of the curve's coordinate field. This byte string is
+ * in little-endian order for Montgomery curves (curve types
+ * `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
+ * curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
+ * and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
+ * For Weierstrass curves, this is the content of the `privateKey` field of
+ * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
+ * the format is defined by RFC 7748, and output is masked according to §5.
+ * For twisted Edwards curves, the private key is as defined by RFC 8032
+ * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
+ * - For Diffie-Hellman key exchange key pairs (key types for which
+ * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
+ * format is the representation of the private key `x` as a big-endian byte
+ * string. The length of the byte string is the private key size in bytes
+ * (leading zeroes are not stripped).
+ * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
+ * true), the format is the same as for psa_export_public_key().
+ *
+ * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
+ *
+ * \param key Identifier of the key to export. It must allow the
+ * usage #PSA_KEY_USAGE_EXPORT, unless it is a public
+ * key.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes
+ * that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_EXPORT flag.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p data buffer is too small. You can determine a
+ * sufficient buffer size by calling
+ * #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
+ * where \c type is the key type
+ * and \c bits is the key size in bits.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Export a public key or the public part of a key pair in binary format.
+ *
+ * The output of this function can be passed to psa_import_key() to
+ * create an object that is equivalent to the public key.
+ *
+ * This specification supports a single format for each key type.
+ * Implementations may support other formats as long as the standard
+ * format is supported. Implementations that support other formats
+ * should ensure that the formats are clearly unambiguous so as to
+ * minimize the risk that an invalid input is accidentally interpreted
+ * according to a different format.
+ *
+ * For standard key types, the output format is as follows:
+ * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
+ * the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
+ * ```
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER } -- e
+ * ```
+ * - For elliptic curve keys on a twisted Edwards curve (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY
+ * returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined
+ * by RFC 8032
+ * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
+ * - For other elliptic curve public keys (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
+ * representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
+ * Let `m` be the bit size associated with the curve, i.e. the bit size of
+ * `q` for a curve over `F_q`. The representation consists of:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
+ * - For Diffie-Hellman key exchange public keys (key types for which
+ * #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
+ * the format is the representation of the public key `y = g^x mod p` as a
+ * big-endian byte string. The length of the byte string is the length of the
+ * base prime `p` in bytes.
+ *
+ * Exporting a public key object or the public part of a key pair is
+ * always permitted, regardless of the key's usage flags.
+ *
+ * \param key Identifier of the key to export.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes
+ * that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key is neither a public key nor a key pair.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p data buffer is too small. You can determine a
+ * sufficient buffer size by calling
+ * #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
+ * where \c type is the key type
+ * and \c bits is the key size in bits.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+
+
+/**@}*/
+
+/** \defgroup hash Message digests
+ * @{
+ */
+
+/** Calculate the hash (digest) of a message.
+ *
+ * \note To verify the hash of a message against an
+ * expected value, use psa_hash_compare() instead.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\p alg).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p hash_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Calculate the hash (digest) of a message and compare it with a
+ * reference value.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] hash Buffer containing the expected hash value.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected hash is identical to the actual hash of the input.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The hash of the message was calculated successfully, but it
+ * differs from the expected hash.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p input_length or \p hash_length do not match the hash size for \p alg
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *hash,
+ size_t hash_length);
+
+/** The type of the state data structure for multipart hash operations.
+ *
+ * Before calling any function on a hash operation object, the application must
+ * initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_hash_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_hash_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_hash_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_hash_operation_t operation;
+ * operation = psa_hash_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_hash_operation_s psa_hash_operation_t;
+
+/** \def PSA_HASH_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a hash operation object
+ * of type #psa_hash_operation_t.
+ */
+
+/** Return an initial value for a hash operation object.
+ */
+static psa_hash_operation_t psa_hash_operation_init(void);
+
+/** Set up a multipart hash operation.
+ *
+ * The sequence of operations to calculate a hash (message digest)
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
+ * -# Call psa_hash_setup() to specify the algorithm.
+ * -# Call psa_hash_update() zero, one or more times, passing a fragment
+ * of the message each time. The hash that is calculated is the hash
+ * of the concatenation of these messages in order.
+ * -# To calculate the hash, call psa_hash_finish().
+ * To compare the hash with an expected value, call psa_hash_verify().
+ *
+ * If an error occurs at any step after a call to psa_hash_setup(), the
+ * operation will need to be reset by a call to psa_hash_abort(). The
+ * application may call psa_hash_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_hash_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_hash_finish() or psa_hash_verify().
+ * - A call to psa_hash_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_hash_operation_t and not yet in use.
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported hash algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a hash algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart hash operation.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] input Buffer containing the message fragment to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_update(psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the hash of a message.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_hash_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \warning Applications should not call this function if they expect
+ * a specific value for the hash. Call psa_hash_verify() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * hash values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the hashed data which could allow an attacker to guess
+ * a valid hash and thereby bypass security controls.
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\c alg) where \c alg is the
+ * hash algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p hash buffer is too small. You can determine a
+ * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
+ * where \c alg is the hash algorithm that is calculated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Finish the calculation of the hash of a message and compare it with
+ * an expected value.
+ *
+ * The application must call psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_hash_update(). It then
+ * compares the calculated hash with the expected hash passed as a
+ * parameter to this function.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_hash_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual hash and the expected hash is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] hash Buffer containing the expected hash value.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected hash is identical to the actual hash of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The hash of the message was calculated successfully, but it
+ * differs from the expected hash.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+ const uint8_t *hash,
+ size_t hash_length);
+
+/** Abort a hash operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_hash_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_hash_operation_t.
+ *
+ * In particular, calling psa_hash_abort() after the operation has been
+ * terminated by a call to psa_hash_abort(), psa_hash_finish() or
+ * psa_hash_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized hash operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
+
+/** Clone a hash operation.
+ *
+ * This function copies the state of an ongoing hash operation to
+ * a new operation object. In other words, this function is equivalent
+ * to calling psa_hash_setup() on \p target_operation with the same
+ * algorithm that \p source_operation was set up for, then
+ * psa_hash_update() on \p target_operation with the same input that
+ * that was passed to \p source_operation. After this function returns, the
+ * two objects are independent, i.e. subsequent calls involving one of
+ * the objects do not affect the other object.
+ *
+ * \param[in] source_operation The active hash operation to clone.
+ * \param[in,out] target_operation The operation object to set up.
+ * It must be initialized but not active.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p source_operation state is not valid (it must be active), or
+ * the \p target_operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation);
+
+/**@}*/
+
+/** \defgroup MAC Message authentication codes
+ * @{
+ */
+
+/** Calculate the MAC (message authentication code) of a message.
+ *
+ * \note To verify the MAC of a message against an
+ * expected value, use psa_mac_verify() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * MAC values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the MAC value which could allow an attacker to guess
+ * a valid MAC and thereby bypass security controls.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p mac_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Calculate the MAC of a message and compare it with a reference value.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Size of the \p mac buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the input.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected value.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** The type of the state data structure for multipart MAC operations.
+ *
+ * Before calling any function on a MAC operation object, the application must
+ * initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_mac_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_mac_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_mac_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_mac_operation_t operation;
+ * operation = psa_mac_operation_init();
+ * \endcode
+ *
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_mac_operation_s psa_mac_operation_t;
+
+/** \def PSA_MAC_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a MAC operation object of type
+ * #psa_mac_operation_t.
+ */
+
+/** Return an initial value for a MAC operation object.
+ */
+static psa_mac_operation_t psa_mac_operation_init(void);
+
+/** Set up a multipart MAC calculation operation.
+ *
+ * This function sets up the calculation of the MAC
+ * (message authentication code) of a byte string.
+ * To verify the MAC of a message against an
+ * expected value, use psa_mac_verify_setup() instead.
+ *
+ * The sequence of operations to calculate a MAC is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
+ * -# Call psa_mac_sign_setup() to specify the algorithm and key.
+ * -# Call psa_mac_update() zero, one or more times, passing a fragment
+ * of the message each time. The MAC that is calculated is the MAC
+ * of the concatenation of these messages in order.
+ * -# At the end of the message, call psa_mac_sign_finish() to finish
+ * calculating the MAC value and retrieve it.
+ *
+ * If an error occurs at any step after a call to psa_mac_sign_setup(), the
+ * operation will need to be reset by a call to psa_mac_abort(). The
+ * application may call psa_mac_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_mac_sign_setup(), the application must
+ * eventually terminate the operation through one of the following methods:
+ * - A successful call to psa_mac_sign_finish().
+ * - A call to psa_mac_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_mac_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set up a multipart MAC verification operation.
+ *
+ * This function sets up the verification of the MAC
+ * (message authentication code) of a byte string against an expected value.
+ *
+ * The sequence of operations to verify a MAC is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
+ * -# Call psa_mac_verify_setup() to specify the algorithm and key.
+ * -# Call psa_mac_update() zero, one or more times, passing a fragment
+ * of the message each time. The MAC that is calculated is the MAC
+ * of the concatenation of these messages in order.
+ * -# At the end of the message, call psa_mac_verify_finish() to finish
+ * calculating the actual MAC of the message and verify it against
+ * the expected value.
+ *
+ * If an error occurs at any step after a call to psa_mac_verify_setup(), the
+ * operation will need to be reset by a call to psa_mac_abort(). The
+ * application may call psa_mac_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_mac_verify_setup(), the application must
+ * eventually terminate the operation through one of the following methods:
+ * - A successful call to psa_mac_verify_finish().
+ * - A call to psa_mac_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_mac_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage
+ * PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c key is not compatible with \c alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a MAC algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The key could not be retrieved from storage.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart MAC operation.
+ *
+ * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
+ * before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] input Buffer containing the message fragment to add to
+ * the MAC calculation.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_update(psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the MAC of a message.
+ *
+ * The application must call psa_mac_sign_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_mac_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \warning Applications should not call this function if they expect
+ * a specific value for the MAC. Call psa_mac_verify_finish() instead.
+ * Beware that comparing integrity or authenticity data such as
+ * MAC values with a function such as \c memcmp is risky
+ * because the time taken by the comparison may leak information
+ * about the MAC value which could allow an attacker to guess
+ * a valid MAC and thereby bypass security controls.
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value. This is always
+ * #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg)
+ * where \c key_type and \c key_bits are the type and
+ * bit-size respectively of the key and \c alg is the
+ * MAC algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p mac buffer is too small. You can determine a
+ * sufficient buffer size by calling PSA_MAC_LENGTH().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac sign
+ * operation), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Finish the calculation of the MAC of a message and compare it with
+ * an expected value.
+ *
+ * The application must call psa_mac_verify_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to psa_mac_update(). It then
+ * compares the calculated MAC with the expected MAC passed as a
+ * parameter to this function.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_mac_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual MAC and the expected MAC is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Size of the \p mac buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected MAC.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac verify
+ * operation), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** Abort a MAC operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_mac_sign_setup() or psa_mac_verify_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_mac_operation_t.
+ *
+ * In particular, calling psa_mac_abort() after the operation has been
+ * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
+ * psa_mac_verify_finish() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized MAC operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
+
+/**@}*/
+
+/** \defgroup cipher Symmetric ciphers
+ * @{
+ */
+
+/** Encrypt a message using a symmetric cipher.
+ *
+ * This function encrypts a message with a random IV (initialization
+ * vector). Use the multipart operation interface with a
+ * #psa_cipher_operation_t object to provide other forms of IV.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the message to encrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * The output contains the IV followed by
+ * the ciphertext proper.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Decrypt a message using a symmetric cipher.
+ *
+ * This function decrypts a message encrypted with a symmetric cipher.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the message to decrypt.
+ * This consists of the IV followed by the
+ * ciphertext proper.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the plaintext is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** The type of the state data structure for multipart cipher operations.
+ *
+ * Before calling any function on a cipher operation object, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_cipher_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_cipher_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_cipher_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_cipher_operation_t operation;
+ * operation = psa_cipher_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_cipher_operation_s psa_cipher_operation_t;
+
+/** \def PSA_CIPHER_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a cipher operation object of
+ * type #psa_cipher_operation_t.
+ */
+
+/** Return an initial value for a cipher operation object.
+ */
+static psa_cipher_operation_t psa_cipher_operation_init(void);
+
+/** Set the key for a multipart symmetric encryption operation.
+ *
+ * The sequence of operations to encrypt a message with a symmetric cipher
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_cipher_operation_t, e.g.
+ * #PSA_CIPHER_OPERATION_INIT.
+ * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
+ * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
+ * generate or set the IV (initialization vector). You should use
+ * psa_cipher_generate_iv() unless the protocol you are implementing
+ * requires a specific IV value.
+ * -# Call psa_cipher_update() zero, one or more times, passing a fragment
+ * of the message each time.
+ * -# Call psa_cipher_finish().
+ *
+ * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
+ * the operation will need to be reset by a call to psa_cipher_abort(). The
+ * application may call psa_cipher_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_cipher_encrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_cipher_finish().
+ * - A call to psa_cipher_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart symmetric decryption operation.
+ *
+ * The sequence of operations to decrypt a message with a symmetric cipher
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_cipher_operation_t, e.g.
+ * #PSA_CIPHER_OPERATION_INIT.
+ * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
+ * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
+ * decryption. If the IV is prepended to the ciphertext, you can call
+ * psa_cipher_update() on a buffer containing the IV followed by the
+ * beginning of the message.
+ * -# Call psa_cipher_update() zero, one or more times, passing a fragment
+ * of the message each time.
+ * -# Call psa_cipher_finish().
+ *
+ * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
+ * the operation will need to be reset by a call to psa_cipher_abort(). The
+ * application may call psa_cipher_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_cipher_decrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_cipher_finish().
+ * - A call to psa_cipher_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not a cipher algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Generate an IV for a symmetric encryption operation.
+ *
+ * This function generates a random IV (initialization vector), nonce
+ * or initial counter value for the encryption operation as appropriate
+ * for the chosen algorithm, key type and key size.
+ *
+ * The application must call psa_cipher_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] iv Buffer where the generated IV is to be written.
+ * \param iv_size Size of the \p iv buffer in bytes.
+ * \param[out] iv_length On success, the number of bytes of the
+ * generated IV.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p iv buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with no IV set),
+ * or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+ uint8_t *iv,
+ size_t iv_size,
+ size_t *iv_length);
+
+/** Set the IV for a symmetric encryption or decryption operation.
+ *
+ * This function sets the IV (initialization vector), nonce
+ * or initial counter value for the encryption or decryption operation.
+ *
+ * The application must call psa_cipher_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \note When encrypting, applications should use psa_cipher_generate_iv()
+ * instead of this function, unless implementing a protocol that requires
+ * a non-random IV.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] iv Buffer containing the IV to use.
+ * \param iv_length Size of the IV in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active cipher
+ * encrypt operation, with no IV set), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
+ const uint8_t *iv,
+ size_t iv_length);
+
+/** Encrypt or decrypt a message fragment in an active cipher operation.
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
+ * The choice of setup function determines whether this function
+ * encrypts or decrypts its input.
+ * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
+ * (recommended when encrypting) or psa_cipher_set_iv().
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with an IV set
+ * if required for the algorithm), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting or decrypting a message in a cipher operation.
+ *
+ * The application must call psa_cipher_encrypt_setup() or
+ * psa_cipher_decrypt_setup() before calling this function. The choice
+ * of setup function determines whether this function encrypts or
+ * decrypts its input.
+ *
+ * This function finishes the encryption or decryption of the message
+ * formed by concatenating the inputs passed to preceding calls to
+ * psa_cipher_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_cipher_abort().
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with an IV set
+ * if required for the algorithm), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Abort a cipher operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized as described in #psa_cipher_operation_t.
+ *
+ * In particular, calling psa_cipher_abort() after the operation has been
+ * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
+ * is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized cipher operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
+
+/**@}*/
+
+/** \defgroup aead Authenticated encryption with associated data (AEAD)
+ * @{
+ */
+
+/** Process an authenticated encryption operation.
+ *
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the \p nonce buffer in bytes.
+ * \param[in] additional_data Additional data that will be authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of \p additional_data in bytes.
+ * \param[in] plaintext Data that will be authenticated and
+ * encrypted.
+ * \param plaintext_length Size of \p plaintext in bytes.
+ * \param[out] ciphertext Output buffer for the authenticated and
+ * encrypted data. The additional data is not
+ * part of this output. For algorithms where the
+ * encrypted data and the authentication tag
+ * are defined as separate outputs, the
+ * authentication tag is appended to the
+ * encrypted data.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
+ * \p alg, \p plaintext_length) where
+ * \c key_type is the type of \p key.
+ * - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
+ * plaintext_length) evaluates to the maximum
+ * ciphertext size of any supported AEAD
+ * encryption.
+ * \param[out] ciphertext_length On success, the size of the output
+ * in the \p ciphertext buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p ciphertext_size is too small.
+ * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
+ * \p plaintext_length) or
+ * #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
+ * determine the required buffer size.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce,
+ size_t nonce_length,
+ const uint8_t *additional_data,
+ size_t additional_data_length,
+ const uint8_t *plaintext,
+ size_t plaintext_length,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length);
+
+/** Process an authenticated decryption operation.
+ *
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the \p nonce buffer in bytes.
+ * \param[in] additional_data Additional data that has been authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of \p additional_data in bytes.
+ * \param[in] ciphertext Data that has been authenticated and
+ * encrypted. For algorithms where the
+ * encrypted data and the authentication tag
+ * are defined as separate inputs, the buffer
+ * must contain the encrypted data followed
+ * by the authentication tag.
+ * \param ciphertext_length Size of \p ciphertext in bytes.
+ * \param[out] plaintext Output buffer for the decrypted data.
+ * \param plaintext_size Size of the \p plaintext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
+ * \p alg, \p ciphertext_length) where
+ * \c key_type is the type of \p key.
+ * - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
+ * ciphertext_length) evaluates to the maximum
+ * plaintext size of any supported AEAD
+ * decryption.
+ * \param[out] plaintext_length On success, the size of the output
+ * in the \p plaintext buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The ciphertext is not authentic.
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p plaintext_size is too small.
+ * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
+ * \p ciphertext_length) or
+ * #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
+ * to determine the required buffer size.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce,
+ size_t nonce_length,
+ const uint8_t *additional_data,
+ size_t additional_data_length,
+ const uint8_t *ciphertext,
+ size_t ciphertext_length,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length);
+
+/** The type of the state data structure for multipart AEAD operations.
+ *
+ * Before calling any function on an AEAD operation object, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_aead_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_aead_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_aead_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_aead_operation_t operation;
+ * operation = psa_aead_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_aead_operation_s psa_aead_operation_t;
+
+/** \def PSA_AEAD_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for an AEAD operation object of
+ * type #psa_aead_operation_t.
+ */
+
+/** Return an initial value for an AEAD operation object.
+ */
+static psa_aead_operation_t psa_aead_operation_init(void);
+
+/** Set the key for a multipart authenticated encryption operation.
+ *
+ * The sequence of operations to encrypt a message with authentication
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_aead_operation_t, e.g.
+ * #PSA_AEAD_OPERATION_INIT.
+ * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
+ * -# If needed, call psa_aead_set_lengths() to specify the length of the
+ * inputs to the subsequent calls to psa_aead_update_ad() and
+ * psa_aead_update(). See the documentation of psa_aead_set_lengths()
+ * for details.
+ * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
+ * generate or set the nonce. You should use
+ * psa_aead_generate_nonce() unless the protocol you are implementing
+ * requires a specific nonce value.
+ * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
+ * of the non-encrypted additional authenticated data each time.
+ * -# Call psa_aead_update() zero, one or more times, passing a fragment
+ * of the message to encrypt each time.
+ * -# Call psa_aead_finish().
+ *
+ * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
+ * the operation will need to be reset by a call to psa_aead_abort(). The
+ * application may call psa_aead_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_aead_encrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_aead_finish().
+ * - A call to psa_aead_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_aead_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart authenticated decryption operation.
+ *
+ * The sequence of operations to decrypt a message with authentication
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_aead_operation_t, e.g.
+ * #PSA_AEAD_OPERATION_INIT.
+ * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
+ * -# If needed, call psa_aead_set_lengths() to specify the length of the
+ * inputs to the subsequent calls to psa_aead_update_ad() and
+ * psa_aead_update(). See the documentation of psa_aead_set_lengths()
+ * for details.
+ * -# Call psa_aead_set_nonce() with the nonce for the decryption.
+ * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
+ * of the non-encrypted additional authenticated data each time.
+ * -# Call psa_aead_update() zero, one or more times, passing a fragment
+ * of the ciphertext to decrypt each time.
+ * -# Call psa_aead_verify().
+ *
+ * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
+ * the operation will need to be reset by a call to psa_aead_abort(). The
+ * application may call psa_aead_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_aead_decrypt_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to psa_aead_verify().
+ * - A call to psa_aead_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_aead_operation_t and not yet in use.
+ * \param key Identifier of the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not compatible with \p alg.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported or is not an AEAD algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg);
+
+/** Generate a random nonce for an authenticated encryption operation.
+ *
+ * This function generates a random nonce for the authenticated encryption
+ * operation with an appropriate size for the chosen algorithm, key type
+ * and key size.
+ *
+ * The application must call psa_aead_encrypt_setup() before
+ * calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] nonce Buffer where the generated nonce is to be
+ * written.
+ * \param nonce_size Size of the \p nonce buffer in bytes.
+ * \param[out] nonce_length On success, the number of bytes of the
+ * generated nonce.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p nonce buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active aead encrypt
+ * operation, with no nonce set), or the library has not been
+ * previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
+ uint8_t *nonce,
+ size_t nonce_size,
+ size_t *nonce_length);
+
+/** Set the nonce for an authenticated encryption or decryption operation.
+ *
+ * This function sets the nonce for the authenticated
+ * encryption or decryption operation.
+ *
+ * The application must call psa_aead_encrypt_setup() or
+ * psa_aead_decrypt_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \note When encrypting, applications should use psa_aead_generate_nonce()
+ * instead of this function, unless implementing a protocol that requires
+ * a non-random IV.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] nonce Buffer containing the nonce to use.
+ * \param nonce_length Size of the nonce in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p nonce is not acceptable for the chosen algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, with no nonce
+ * set), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length);
+
+/** Declare the lengths of the message and additional data for AEAD.
+ *
+ * The application must call this function before calling
+ * psa_aead_update_ad() or psa_aead_update() if the algorithm for
+ * the operation requires it. If the algorithm does not require it,
+ * calling this function is optional, but if this function is called
+ * then the implementation must enforce the lengths.
+ *
+ * You may call this function before or after setting the nonce with
+ * psa_aead_set_nonce() or psa_aead_generate_nonce().
+ *
+ * - For #PSA_ALG_CCM, calling this function is required.
+ * - For the other AEAD algorithms defined in this specification, calling
+ * this function is not required.
+ * - For vendor-defined algorithm, refer to the vendor documentation.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param ad_length Size of the non-encrypted additional
+ * authenticated data in bytes.
+ * \param plaintext_length Size of the plaintext to encrypt in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * At least one of the lengths is not acceptable for the chosen
+ * algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and
+ * psa_aead_update_ad() and psa_aead_update() must not have been
+ * called yet), or the library has not been previously initialized
+ * by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length);
+
+/** Pass additional data to an active AEAD operation.
+ *
+ * Additional data is authenticated, but not encrypted.
+ *
+ * You may call this function multiple times to pass successive fragments
+ * of the additional data. You may not call this function after passing
+ * data to encrypt or decrypt with psa_aead_update().
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
+ * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
+ * there is no guarantee that the input is valid. Therefore, until
+ * you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
+ * treat the input as untrusted and prepare to undo any action that
+ * depends on the input if psa_aead_verify() returns an error status.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the fragment of
+ * additional data.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input length overflows the additional data length that
+ * was previously specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, have a nonce
+ * set, have lengths set if required by the algorithm, and
+ * psa_aead_update() must not have been called yet), or the library
+ * has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Encrypt or decrypt a message fragment in an active AEAD operation.
+ *
+ * Before calling this function, you must:
+ * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
+ * The choice of setup function determines whether this function
+ * encrypts or decrypts its input.
+ * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
+ * 3. Call psa_aead_update_ad() to pass all the additional data.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
+ * there is no guarantee that the input is valid. Therefore, until
+ * you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
+ * - Do not use the output in any way other than storing it in a
+ * confidential location. If you take any action that depends
+ * on the tentative decrypted data, this action will need to be
+ * undone if the input turns out not to be valid. Furthermore,
+ * if an adversary can observe that this action took place
+ * (for example through timing), they may be able to use this
+ * fact as an oracle to decrypt any message encrypted with the
+ * same key.
+ * - In particular, do not copy the output anywhere but to a
+ * memory or storage space that you have exclusive access to.
+ *
+ * This function does not require the input to be aligned to any
+ * particular block boundary. If the implementation can only process
+ * a whole block at a time, it must consume all the input provided, but
+ * it may delay the end of the corresponding output until a subsequent
+ * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
+ * provides sufficient input. The amount of data that can be delayed
+ * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
+ * \c alg, \p input_length) where
+ * \c key_type is the type of key and \c alg is
+ * the algorithm that were used to set up the
+ * operation.
+ * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
+ * input_length) evaluates to the maximum
+ * output size of any supported AEAD
+ * algorithm.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
+ * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
+ * determine the required buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total input length overflows the plaintext length that
+ * was previously specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, have a nonce
+ * set, and have lengths set if required by the algorithm), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting a message in an AEAD operation.
+ *
+ * The operation must have been set up with psa_aead_encrypt_setup().
+ *
+ * This function finishes the authentication of the additional data
+ * formed by concatenating the inputs passed to preceding calls to
+ * psa_aead_update_ad() with the plaintext formed by concatenating the
+ * inputs passed to preceding calls to psa_aead_update().
+ *
+ * This function has two output buffers:
+ * - \p ciphertext contains trailing ciphertext that was buffered from
+ * preceding calls to psa_aead_update().
+ * - \p tag contains the authentication tag.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] ciphertext Buffer where the last part of the ciphertext
+ * is to be written.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] ciphertext_length On success, the number of bytes of
+ * returned ciphertext.
+ * \param[out] tag Buffer where the authentication tag is
+ * to be written.
+ * \param tag_size Size of the \p tag buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
+ * key_type, \c key_bits, \c alg) where
+ * \c key_type and \c key_bits are the type and
+ * bit-size of the key, and \c alg is the
+ * algorithm that were used in the call to
+ * psa_aead_encrypt_setup().
+ * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
+ * maximum tag size of any supported AEAD
+ * algorithm.
+ * \param[out] tag_length On success, the number of bytes
+ * that make up the returned tag.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p ciphertext or \p tag buffer is too small.
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
+ * #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
+ * required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
+ * \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
+ * determine the required \p tag buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total length of input to psa_aead_update() so far is
+ * less than the plaintext length that was previously
+ * specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active encryption
+ * operation with a nonce set), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length);
+
+/** Finish authenticating and decrypting a message in an AEAD operation.
+ *
+ * The operation must have been set up with psa_aead_decrypt_setup().
+ *
+ * This function finishes the authenticated decryption of the message
+ * components:
+ *
+ * - The additional data consisting of the concatenation of the inputs
+ * passed to preceding calls to psa_aead_update_ad().
+ * - The ciphertext consisting of the concatenation of the inputs passed to
+ * preceding calls to psa_aead_update().
+ * - The tag passed to this function call.
+ *
+ * If the authentication tag is correct, this function outputs any remaining
+ * plaintext and reports success. If the authentication tag is not correct,
+ * this function returns #PSA_ERROR_INVALID_SIGNATURE.
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_aead_abort().
+ *
+ * \note Implementations shall make the best effort to ensure that the
+ * comparison between the actual tag and the expected tag is performed
+ * in constant time.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] plaintext Buffer where the last part of the plaintext
+ * is to be written. This is the remaining data
+ * from previous calls to psa_aead_update()
+ * that could not be processed until the end
+ * of the input.
+ * \param plaintext_size Size of the \p plaintext buffer in bytes.
+ * This must be appropriate for the selected algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] plaintext_length On success, the number of bytes of
+ * returned plaintext.
+ * \param[in] tag Buffer containing the authentication tag.
+ * \param tag_length Size of the \p tag buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculations were successful, but the authentication tag is
+ * not correct.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p plaintext buffer is too small.
+ * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
+ * #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
+ * required buffer size.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total length of input to psa_aead_update_ad() so far is
+ * less than the additional data length that was previously
+ * specified with psa_aead_set_lengths(), or
+ * the total length of input to psa_aead_update() so far is
+ * less than the plaintext length that was previously
+ * specified with psa_aead_set_lengths().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active decryption
+ * operation with a nonce set), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag,
+ size_t tag_length);
+
+/** Abort an AEAD operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized as described in #psa_aead_operation_t.
+ *
+ * In particular, calling psa_aead_abort() after the operation has been
+ * terminated by a call to psa_aead_abort(), psa_aead_finish() or
+ * psa_aead_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized AEAD operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
+
+/**@}*/
+
+/** \defgroup asymmetric Asymmetric cryptography
+ * @{
+ */
+
+/**
+ * \brief Sign a message with a private key. For hash-and-sign algorithms,
+ * this includes the hashing step.
+ *
+ * \note To perform a multi-part hash-and-sign signature algorithm, first use
+ * a multi-part hash operation and then pass the resulting hash to
+ * psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
+ * hash algorithm to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The input message to sign.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and
+ * bit-size respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/** \brief Verify the signature of a message with a public key, using
+ * a hash-and-sign verification algorithm.
+ *
+ * \note To perform a multi-part hash-and-sign signature verification
+ * algorithm, first use a multi-part hash operation to hash the message
+ * and then pass the resulting hash to psa_verify_hash().
+ * PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
+ * to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The message whose signature is to be verified.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed signature
+ * is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+/**
+ * \brief Sign a hash or short message with a private key.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
+ * Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Verify the signature of a hash or short message using a public key.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
+ * Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param key Identifier of the key to use for the operation. It
+ * must be a public key or an asymmetric key pair. The
+ * key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length);
+
+/**
+ * \brief Encrypt a short message with a public key.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
+ * \param alg An asymmetric encryption algorithm that is
+ * compatible with the type of \p key.
+ * \param[in] input The message to encrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the encrypted message is to
+ * be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief Decrypt a short message with a private key.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. It must
+ * allow the usage #PSA_KEY_USAGE_DECRYPT.
+ * \param alg An asymmetric encryption algorithm that is
+ * compatible with the type of \p key.
+ * \param[in] input The message to decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**@}*/
+
+/** \defgroup key_derivation Key derivation and pseudorandom generation
+ * @{
+ */
+
+/** The type of the state data structure for key derivation operations.
+ *
+ * Before calling any function on a key derivation operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_key_derivation_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_key_derivation_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_key_derivation_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_key_derivation_operation_t operation;
+ * operation = psa_key_derivation_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice.
+ */
+typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
+
+/** \def PSA_KEY_DERIVATION_OPERATION_INIT
+ *
+ * This macro returns a suitable initializer for a key derivation operation
+ * object of type #psa_key_derivation_operation_t.
+ */
+
+/** Return an initial value for a key derivation operation object.
+ */
+static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
+
+/** Set up a key derivation operation.
+ *
+ * A key derivation algorithm takes some inputs and uses them to generate
+ * a byte stream in a deterministic way.
+ * This byte stream can be used to produce keys and other
+ * cryptographic material.
+ *
+ * To derive a key:
+ * -# Start with an initialized object of type #psa_key_derivation_operation_t.
+ * -# Call psa_key_derivation_setup() to select the algorithm.
+ * -# Provide the inputs for the key derivation by calling
+ * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
+ * as appropriate. Which inputs are needed, in what order, and whether
+ * they may be keys and if so of what type depends on the algorithm.
+ * -# Optionally set the operation's maximum capacity with
+ * psa_key_derivation_set_capacity(). You may do this before, in the middle
+ * of or after providing inputs. For some algorithms, this step is mandatory
+ * because the output depends on the maximum capacity.
+ * -# To derive a key, call psa_key_derivation_output_key() or
+ * psa_key_derivation_output_key_ext().
+ * To derive a byte string for a different purpose, call
+ * psa_key_derivation_output_bytes().
+ * Successive calls to these functions use successive output bytes
+ * calculated by the key derivation algorithm.
+ * -# Clean up the key derivation operation object with
+ * psa_key_derivation_abort().
+ *
+ * If this function returns an error, the key derivation operation object is
+ * not changed.
+ *
+ * If an error occurs at any step after a call to psa_key_derivation_setup(),
+ * the operation will need to be reset by a call to psa_key_derivation_abort().
+ *
+ * Implementations must reject an attempt to derive a key of size 0.
+ *
+ * \param[in,out] operation The key derivation operation object
+ * to set up. It must
+ * have been initialized but not set up yet.
+ * \param alg The key derivation algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c alg is not a key derivation algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a key derivation algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_setup(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Retrieve the current capacity of a key derivation operation.
+ *
+ * The capacity of a key derivation is the maximum number of bytes that it can
+ * return. When you get *N* bytes of output from a key derivation operation,
+ * this reduces its capacity by *N*.
+ *
+ * \param[in] operation The operation to query.
+ * \param[out] capacity On success, the capacity of the operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *operation,
+ size_t *capacity);
+
+/** Set the maximum capacity of a key derivation operation.
+ *
+ * The capacity of a key derivation operation is the maximum number of bytes
+ * that the key derivation operation can return from this point onwards.
+ *
+ * \param[in,out] operation The key derivation operation object to modify.
+ * \param capacity The new capacity of the operation.
+ * It must be less or equal to the operation's
+ * current capacity.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p capacity is larger than the operation's current capacity.
+ * In this case, the operation object remains valid and its capacity
+ * remains unchanged.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active), or the
+ * library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *operation,
+ size_t capacity);
+
+/** Use the maximum possible capacity for a key derivation operation.
+ *
+ * Use this value as the capacity argument when setting up a key derivation
+ * to indicate that the operation should have the maximum possible capacity.
+ * The value of the maximum possible capacity depends on the key derivation
+ * algorithm.
+ */
+#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t) (-1))
+
+/** Provide an input for key derivation or key agreement.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function passes direct inputs, which is usually correct for
+ * non-secret inputs. To pass a secret input, which should be in a key
+ * object, call psa_key_derivation_input_key() instead of this function.
+ * Refer to the documentation of individual step types
+ * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
+ * for more information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param[in] data Input data to use.
+ * \param data_length Size of the \p data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow direct inputs.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length);
+
+/** Provide a numeric input for key derivation or key agreement.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * However, when an algorithm requires a particular order, numeric inputs
+ * usually come first as they tend to be configuration parameters.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function is used for inputs which are fixed-size non-negative
+ * integers.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param[in] value The value of the numeric input.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow numeric inputs.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value);
+
+/** Provide an input for key derivation in the form of a key.
+ *
+ * Which inputs are required and in what order depends on the algorithm.
+ * Refer to the documentation of each key derivation or key agreement
+ * algorithm for information.
+ *
+ * This function obtains input from a key object, which is usually correct for
+ * secret inputs or for non-secret personalization strings kept in the key
+ * store. To pass a non-secret parameter which is not in the key store,
+ * call psa_key_derivation_input_bytes() instead of this function.
+ * Refer to the documentation of individual step types
+ * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
+ * for more information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() and must not
+ * have produced any output yet.
+ * \param step Which step the input data is for.
+ * \param key Identifier of the key. It must have an
+ * appropriate type for step and must allow the
+ * usage #PSA_KEY_USAGE_DERIVE or
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
+ * and the algorithm used by the operation.
+ *
+ * \note Once all inputs steps are completed, the operations will allow:
+ * - psa_key_derivation_output_bytes() if each input was either a direct input
+ * or a key with #PSA_KEY_USAGE_DERIVE set;
+ * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext()
+ * if the input for step
+ * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
+ * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
+ * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set;
+ * - psa_key_derivation_verify_bytes() if each input was either a direct input
+ * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
+ * - psa_key_derivation_verify_key() under the same conditions as
+ * psa_key_derivation_verify_bytes().
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key allows neither #PSA_KEY_USAGE_DERIVE nor
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
+ * algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c step is not compatible with the operation's algorithm, or
+ * \c step does not allow key inputs of the given type
+ * or does not allow key inputs at all.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this input \p step, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t key);
+
+/** Perform a key agreement and use the shared secret as input to a key
+ * derivation.
+ *
+ * A key agreement algorithm takes two inputs: a private key \p private_key
+ * a public key \p peer_key.
+ * The result of this function is passed as input to a key derivation.
+ * The output of this key derivation can be extracted by reading from the
+ * resulting operation to produce keys and other cryptographic material.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to use.
+ * It must have been set up with
+ * psa_key_derivation_setup() with a
+ * key agreement and derivation algorithm
+ * \c alg (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
+ * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
+ * is false).
+ * The operation must be ready for an
+ * input of the type given by \p step.
+ * \param step Which step the input data is for.
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
+ * \param[in] peer_key Public key of the peer. The peer key must be in the
+ * same format that psa_import_key() accepts for the
+ * public key type corresponding to the type of
+ * private_key. That is, this function performs the
+ * equivalent of
+ * #psa_import_key(...,
+ * `peer_key`, `peer_key_length`) where
+ * with key attributes indicating the public key
+ * type corresponding to the type of `private_key`.
+ * For example, for EC keys, this means that peer_key
+ * is interpreted as a point on the curve that the
+ * private key is on. The standard formats for public
+ * keys are documented in the documentation of
+ * psa_export_public_key().
+ * \param peer_key_length Size of \p peer_key in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c private_key is not compatible with \c alg,
+ * or \p peer_key is not valid for \c alg or not compatible with
+ * \c private_key, or \c step does not allow an input resulting
+ * from a key agreement.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \c alg is not supported or is not a key derivation algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid for this key agreement \p step,
+ * or the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length);
+
+/** Read some data from a key derivation operation.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * return those bytes.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the requested number of bytes from the
+ * stream.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[out] output Buffer where the output will be written.
+ * \param output_length Number of bytes to output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * One of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * \p output_length bytes. Note that in this case,
+ * no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output,
+ size_t output_length);
+
+/** Derive a key from an ongoing key derivation operation.
+ *
+ * This function calculates output bytes from a key derivation algorithm
+ * and uses those bytes to generate a key deterministically.
+ * The key's location, usage policy, type and size are taken from
+ * \p attributes.
+ *
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads as many bytes as required from the
+ * stream.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
+ * state and must be aborted by calling psa_key_derivation_abort().
+ *
+ * How much output is produced and consumed from the operation, and how
+ * the key is derived, depends on the key type and on the key size
+ * (denoted \c bits below):
+ *
+ * - For key types for which the key is an arbitrary sequence of bytes
+ * of a given size, this function is functionally equivalent to
+ * calling #psa_key_derivation_output_bytes
+ * and passing the resulting output to #psa_import_key.
+ * However, this function has a security benefit:
+ * if the implementation provides an isolation boundary then
+ * the key material is not exposed outside the isolation boundary.
+ * As a consequence, for these key types, this function always consumes
+ * exactly (\c bits / 8) bytes from the operation.
+ * The following key types defined in this specification follow this scheme:
+ *
+ * - #PSA_KEY_TYPE_AES;
+ * - #PSA_KEY_TYPE_ARIA;
+ * - #PSA_KEY_TYPE_CAMELLIA;
+ * - #PSA_KEY_TYPE_DERIVE;
+ * - #PSA_KEY_TYPE_HMAC;
+ * - #PSA_KEY_TYPE_PASSWORD_HASH.
+ *
+ * - For ECC keys on a Montgomery elliptic curve
+ * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
+ * Montgomery curve), this function always draws a byte string whose
+ * length is determined by the curve, and sets the mandatory bits
+ * accordingly. That is:
+ *
+ * - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
+ * string and process it as specified in RFC 7748 &sect;5.
+ * - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
+ * string and process it as specified in RFC 7748 &sect;5.
+ *
+ * - For key types for which the key is represented by a single sequence of
+ * \c bits bits with constraints as to which bit sequences are acceptable,
+ * this function draws a byte string of length (\c bits / 8) bytes rounded
+ * up to the nearest whole number of bytes. If the resulting byte string
+ * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
+ * This process is repeated until an acceptable byte string is drawn.
+ * The byte string drawn from the operation is interpreted as specified
+ * for the output produced by psa_export_key().
+ * The following key types defined in this specification follow this scheme:
+ *
+ * - #PSA_KEY_TYPE_DES.
+ * Force-set the parity bits, but discard forbidden weak keys.
+ * For 2-key and 3-key triple-DES, the three keys are generated
+ * successively (for example, for 3-key triple-DES,
+ * if the first 8 bytes specify a weak key and the next 8 bytes do not,
+ * discard the first 8 bytes, use the next 8 bytes as the first key,
+ * and continue reading output from the operation to derive the other
+ * two keys).
+ * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
+ * where \c group designates any Diffie-Hellman group) and
+ * ECC keys on a Weierstrass elliptic curve
+ * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
+ * Weierstrass curve).
+ * For these key types, interpret the byte string as integer
+ * in big-endian order. Discard it if it is not in the range
+ * [0, *N* - 2] where *N* is the boundary of the private key domain
+ * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
+ * or the order of the curve's base point for ECC).
+ * Add 1 to the resulting integer and use this as the private key *x*.
+ * This method allows compliance to NIST standards, specifically
+ * the methods titled "key-pair generation by testing candidates"
+ * in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
+ * in FIPS 186-4 &sect;B.1.2 for DSA, and
+ * in NIST SP 800-56A &sect;5.6.1.2.2 or
+ * FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
+ *
+ * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
+ * the way in which the operation output is consumed is
+ * implementation-defined.
+ *
+ * In all cases, the data that is read is discarded from the operation.
+ * The operation's capacity is decreased by the number of bytes read.
+ *
+ * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
+ * the input to that step must be provided with psa_key_derivation_input_key().
+ * Future versions of this specification may include additional restrictions
+ * on the derived key based on the attributes and strength of the secret key.
+ *
+ * \note This function is equivalent to calling
+ * psa_key_derivation_output_key_ext()
+ * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * and `params_data_length == 0` (i.e. `params->data` is empty).
+ *
+ * \param[in] attributes The attributes for the new key.
+ * If the key type to be created is
+ * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
+ * the policy must be the same as in the current
+ * operation.
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * There was not enough data to create the desired key.
+ * Note that in this case, no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus subsequent calls to
+ * this function will not succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The provided key attributes are not valid for the operation.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
+ * key; or one of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ mbedtls_svc_key_id_t *key);
+
+/** Derive a key from an ongoing key derivation operation with custom
+ * production parameters.
+ *
+ * See the description of psa_key_derivation_out_key() for the operation of
+ * this function with the default production parameters.
+ * Mbed TLS currently does not currently support any non-default production
+ * parameters.
+ *
+ * \note This function is experimental and may change in future minor
+ * versions of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * If the key type to be created is
+ * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
+ * the policy must be the same as in the current
+ * operation.
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] params Customization parameters for the key derivation.
+ * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * with \p params_data_length = 0,
+ * this function is equivalent to
+ * psa_key_derivation_output_key().
+ * Mbed TLS currently only supports the default
+ * production parameters, i.e.
+ * #PSA_KEY_PRODUCTION_PARAMETERS_INIT,
+ * for all key types.
+ * \param params_data_length
+ * Length of `params->data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * There was not enough data to create the desired key.
+ * Note that in this case, no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus subsequent calls to
+ * this function will not succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The provided key attributes are not valid for the operation.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
+ * key; or one of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key);
+
+/** Compare output data from a key derivation operation to an expected value.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * compares those bytes to an expected value in constant time.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the expected number of bytes from the
+ * stream before comparing them.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * This is functionally equivalent to the following code:
+ * \code
+ * psa_key_derivation_output_bytes(operation, tmp, output_length);
+ * if (memcmp(output, tmp, output_length) != 0)
+ * return PSA_ERROR_INVALID_SIGNATURE;
+ * \endcode
+ * except (1) it works even if the key's policy does not allow outputting the
+ * bytes, and (2) the comparison will be done in constant time.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
+ * the operation enters an error state and must be aborted by calling
+ * psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] expected_output Buffer containing the expected derivation output.
+ * \param output_length Length of the expected output; this is also the
+ * number of bytes that will be read.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The output was read successfully, but it differs from the expected
+ * output.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * One of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * \p output_length bytes. Note that in this case,
+ * the operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller expected output.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_verify_bytes(
+ psa_key_derivation_operation_t *operation,
+ const uint8_t *expected_output,
+ size_t output_length);
+
+/** Compare output data from a key derivation operation to an expected value
+ * stored in a key object.
+ *
+ * This function calculates output bytes from a key derivation algorithm and
+ * compares those bytes to an expected value, provided as key of type
+ * #PSA_KEY_TYPE_PASSWORD_HASH.
+ * If you view the key derivation's output as a stream of bytes, this
+ * function destructively reads the number of bytes corresponding to the
+ * length of the expected value from the stream before comparing them.
+ * The operation's capacity decreases by the number of bytes read.
+ *
+ * This is functionally equivalent to exporting the key and calling
+ * psa_key_derivation_verify_bytes() on the result, except that it
+ * works even if the key cannot be exported.
+ *
+ * If this function returns an error status other than
+ * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
+ * the operation enters an error state and must be aborted by calling
+ * psa_key_derivation_abort().
+ *
+ * \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH
+ * containing the expected output. Its policy must
+ * include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
+ * and the permitted algorithm must match the
+ * operation. The value of this key was likely
+ * computed by a previous call to
+ * psa_key_derivation_output_key() or
+ * psa_key_derivation_output_key_ext().
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The output was read successfully, but if differs from the expected
+ * output.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * The key passed as the expected value does not exist.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key passed as the expected value has an invalid type.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key passed as the expected value does not allow this usage or
+ * this algorithm; or one of the inputs was a key whose policy didn't
+ * allow #PSA_KEY_USAGE_VERIFY_DERIVATION.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * The operation's capacity was less than
+ * the length of the expected value. In this case,
+ * the operation's capacity is set to 0, thus
+ * subsequent calls to this function will not
+ * succeed, even with a smaller expected output.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_verify_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_id_t expected);
+
+/** Abort a key derivation operation.
+ *
+ * Aborting an operation frees all associated resources except for the \c
+ * operation structure itself. Once aborted, the operation object can be reused
+ * for another operation by calling psa_key_derivation_setup() again.
+ *
+ * This function may be called at any time after the operation
+ * object has been initialized as described in #psa_key_derivation_operation_t.
+ *
+ * In particular, it is valid to call psa_key_derivation_abort() twice, or to
+ * call psa_key_derivation_abort() on an operation that has not been set up.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_abort(
+ psa_key_derivation_operation_t *operation);
+
+/** Perform a key agreement and return the raw shared secret.
+ *
+ * \warning The raw result of a key agreement algorithm such as finite-field
+ * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
+ * not be used directly as key material. It should instead be passed as
+ * input to a key derivation algorithm. To chain a key agreement with
+ * a key derivation, use psa_key_derivation_key_agreement() and other
+ * functions from the key derivation interface.
+ *
+ * \param alg The key agreement algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
+ * is true).
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
+ * \param[in] peer_key Public key of the peer. It must be
+ * in the same format that psa_import_key()
+ * accepts. The standard formats for public
+ * keys are documented in the documentation
+ * of psa_export_public_key().
+ * \param peer_key_length Size of \p peer_key in bytes.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p output_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**@}*/
+
+/** \defgroup random Random generation
+ * @{
+ */
+
+/**
+ * \brief Generate random bytes.
+ *
+ * \warning This function **can** fail! Callers MUST check the return status
+ * and MUST NOT use the content of the output buffer if the return
+ * status is not #PSA_SUCCESS.
+ *
+ * \note To generate a key, use psa_generate_key() instead.
+ *
+ * \param[out] output Output buffer for the generated data.
+ * \param output_size Number of bytes to generate and output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_random(uint8_t *output,
+ size_t output_size);
+
+/**
+ * \brief Generate a key or key pair.
+ *
+ * The key is generated randomly.
+ * Its location, usage policy, type and size are taken from \p attributes.
+ *
+ * Implementations must reject an attempt to generate a key of size 0.
+ *
+ * The following type-specific considerations apply:
+ * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
+ * the public exponent is 65537.
+ * The modulus is a product of two probabilistic primes
+ * between 2^{n-1} and 2^n where n is the bit size specified in the
+ * attributes.
+ *
+ * \note This function is equivalent to calling psa_generate_key_ext()
+ * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * and `params_data_length == 0` (i.e. `params->data` is empty).
+ *
+ * \param[in] attributes The attributes for the new key.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key);
+
+/**
+ * \brief Generate a key or key pair using custom production parameters.
+ *
+ * See the description of psa_generate_key() for the operation of this
+ * function with the default production parameters. In addition, this function
+ * supports the following production customizations, described in more detail
+ * in the documentation of ::psa_key_production_parameters_t:
+ *
+ * - RSA keys: generation with a custom public exponent.
+ *
+ * \note This function is experimental and may change in future minor
+ * versions of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * \param[in] params Customization parameters for the key generation.
+ * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
+ * with \p params_data_length = 0,
+ * this function is equivalent to
+ * psa_generate_key().
+ * \param params_data_length
+ * Length of `params->data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key);
+
+/**@}*/
+
+/** \defgroup interruptible_hash Interruptible sign/verify hash
+ * @{
+ */
+
+/** The type of the state data structure for interruptible hash
+ * signing operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation =
+ * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_sign_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * operation = psa_sign_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
+
+/** The type of the state data structure for interruptible hash
+ * verification operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation =
+ * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_verify_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * operation = psa_verify_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
+
+/**
+ * \brief Set the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note The time taken to execute a single op is
+ * implementation specific and depends on
+ * software, hardware, the algorithm, key type and
+ * curve chosen. Even within a single operation,
+ * successive ops can take differing amounts of
+ * time. The only guarantee is that lower values
+ * for \p max_ops means functions will block for a
+ * lesser maximum amount of time. The functions
+ * \c psa_sign_interruptible_get_num_ops() and
+ * \c psa_verify_interruptible_get_num_ops() are
+ * provided to help with tuning this value.
+ *
+ * \note This value defaults to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
+ * means the whole operation will be done in one
+ * go, regardless of the number of ops required.
+ *
+ * \note If more ops are needed to complete a
+ * computation, #PSA_OPERATION_INCOMPLETE will be
+ * returned by the function performing the
+ * computation. It is then the caller's
+ * responsibility to either call again with the
+ * same operation context until it returns 0 or an
+ * error code; or to call the relevant abort
+ * function if the answer is no longer required.
+ *
+ * \note The interpretation of \p max_ops is also
+ * implementation defined. On a hard real time
+ * system, this can indicate a hard deadline, as a
+ * real-time system needs a guarantee of not
+ * spending more than X time, however care must be
+ * taken in such an implementation to avoid the
+ * situation whereby calls just return, not being
+ * able to do any actual work within the allotted
+ * time. On a non-real-time system, the
+ * implementation can be more relaxed, but again
+ * whether this number should be interpreted as as
+ * hard or soft limit or even whether a less than
+ * or equals as regards to ops executed in a
+ * single call is implementation defined.
+ *
+ * \note For keys in local storage when no accelerator
+ * driver applies, please see also the
+ * documentation for \c mbedtls_ecp_set_max_ops(),
+ * which is the internal implementation in these
+ * cases.
+ *
+ * \warning With implementations that interpret this number
+ * as a hard limit, setting this number too small
+ * may result in an infinite loop, whereby each
+ * call results in immediate return with no ops
+ * done (as there is not enough time to execute
+ * any), and thus no result will ever be achieved.
+ *
+ * \note This only applies to functions whose
+ * documentation mentions they may return
+ * #PSA_OPERATION_INCOMPLETE.
+ *
+ * \param max_ops The maximum number of ops to be executed in a
+ * single call. This can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is the least amount of work done per call.
+ */
+void psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call. This will return the last
+ * value set by
+ * \c psa_interruptible_set_max_ops() or
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
+ * that function has never been called.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \return Maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ */
+uint32_t psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling
+ * \c psa_sign_hash_interruptible_abort() on
+ * the operation, a value of 0 will be returned.
+ *
+ * \note This interface is guaranteed re-entrant and
+ * thus may be called from driver code.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling \c
+ * psa_verify_hash_interruptible_abort() on the
+ * operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c
+ * psa_verify_hash_interruptible_operation_t to
+ * use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a
+ * private key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_complete() is equivalent to
+ * \c psa_sign_hash() but
+ * \c psa_sign_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call \c psa_sign_hash_complete()
+ * repeatedly on the same context after a
+ * successful call to this function until \c
+ * psa_sign_hash_complete() either returns 0 or an
+ * error. \c psa_sign_hash_complete() will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
+ * not permit the requested algorithm.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation has previously been started on this context, and is
+ * still in progress.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * signing a hash or short message with a private
+ * key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_start() is equivalent to
+ * \c psa_sign_hash() but this function can return
+ * early and resume according to the limit set with
+ * \c psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_sign_hash_start() called with it
+ * first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
+ * key_bits, \c alg) where \c key_type and \c
+ * key_bits are the type and bit-size
+ * respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \c key.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_sign_hash_start().
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_sign_hash_start() with this operation object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function is the only function that clears
+ * the number of ops completed as part of the
+ * operation. Please ensure you copy this value via
+ * \c psa_sign_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the \p operation structure
+ * itself. Once aborted, the operation object can
+ * be reused for another operation by calling \c
+ * psa_sign_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized. In
+ * particular, calling \c psa_sign_hash_abort()
+ * after the operation has already been terminated
+ * by a call to \c psa_sign_hash_abort() or
+ * psa_sign_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized sign hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short
+ * message, in an interruptible manner.
+ *
+ * \see \c psa_verify_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_complete() is equivalent to
+ * \c psa_verify_hash() but \c
+ * psa_verify_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function.
+ *
+ * \note Users should call \c psa_verify_hash_complete()
+ * repeatedly on the same operation object after a
+ * successful call to this function until \c
+ * psa_verify_hash_complete() either returns 0 or
+ * an error. \c psa_verify_hash_complete() will
+ * return #PSA_OPERATION_INCOMPLETE if there is
+ * more work to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - please call \c
+ * psa_verify_hash_complete() with the same context to complete the
+ * operation.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * Another operation has already been started on this context, and is
+ * still in progress.
+ *
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
+ * not permit the requested algorithm.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * reading and verifying a hash or short message
+ * signed with a private key, in an interruptible
+ * manner.
+ *
+ * \see \c psa_verify_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_start() is equivalent to
+ * \c psa_verify_hash() but this function can
+ * return early and resume according to the limit
+ * set with \c psa_interruptible_set_max_ops() to
+ * reduce the maximum time spent in a function
+ * call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_verify_hash_start() called with it
+ * first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_verify_hash_start().
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_verify_hash_start() on this object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at
+ * any point. It is not bound by the usual interface
+ * stability promises.
+ *
+ * \note This function is the only function that clears the
+ * number of ops completed as part of the operation.
+ * Please ensure you copy this value via
+ * \c psa_verify_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the operation structure
+ * itself. Once aborted, the operation object can be
+ * reused for another operation by calling \c
+ * psa_verify_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized.
+ * In particular, calling \c psa_verify_hash_abort()
+ * after the operation has already been terminated by
+ * a call to \c psa_verify_hash_abort() or
+ * psa_verify_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized verify hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+
+/**@}*/
+
+#ifdef __cplusplus
+}
+#endif
+
+/* The file "crypto_sizes.h" contains definitions for size calculation
+ * macros whose definitions are implementation-specific. */
+#include "crypto_sizes.h"
+
+/* The file "crypto_struct.h" contains definitions for
+ * implementation-specific structs that are declared above. */
+#if defined(MBEDTLS_PSA_CRYPTO_STRUCT_FILE)
+#include MBEDTLS_PSA_CRYPTO_STRUCT_FILE
+#else
+#include "crypto_struct.h"
+#endif
+
+/* The file "crypto_extra.h" contains vendor-specific definitions. This
+ * can include vendor-defined algorithms, extra functions, etc. */
+#include "crypto_extra.h"
+
+#endif /* PSA_CRYPTO_H */
diff --git a/tf-psa-crypto/include/psa/crypto_adjust_auto_enabled.h b/tf-psa-crypto/include/psa/crypto_adjust_auto_enabled.h
new file mode 100644
index 0000000..3a2af15
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_adjust_auto_enabled.h
@@ -0,0 +1,31 @@
+/**
+ * \file psa/crypto_adjust_auto_enabled.h
+ * \brief Adjust PSA configuration: enable always-on features
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * Always enable certain features which require a negligible amount of code
+ * to implement, to avoid some edge cases in the configuration combinatorics.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
+#define PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_PASSWORD 1
+#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+
+#endif /* PSA_CRYPTO_ADJUST_AUTO_ENABLED_H */
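Review bot: The `#endif /* */` that closes the `MBEDTLS_CONFIG_FILES_READ` check has an empty comment, so nothing says which condition ends there; `#endif /* !MBEDTLS_CONFIG_FILES_READ */` would match the labelled `#endif` at the bottom of the file. The same empty comment appears in the guards of crypto_adjust_config_dependencies.h, crypto_adjust_config_key_pair_types.h and crypto_adjust_config_synonyms.h later in this diff. The four `PSA_WANT_KEY_TYPE_*` defines are unconditional, and a short comment directly above them would make that visible where it matters, for example `/* Always enabled: these key types need a negligible amount of code. */`.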
diff --git a/tf-psa-crypto/include/psa/crypto_adjust_config_dependencies.h b/tf-psa-crypto/include/psa/crypto_adjust_config_dependencies.h
new file mode 100644
index 0000000..92e9c4d
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_adjust_config_dependencies.h
@@ -0,0 +1,51 @@
+/**
+ * \file psa/crypto_adjust_config_dependencies.h
+ * \brief Adjust PSA configuration by resolving some dependencies.
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * See docs/proposed/psa-conditional-inclusion-c.md.
+ * If the Mbed TLS implementation of a cryptographic mechanism A depends on a
+ * cryptographic mechanism B then if the cryptographic mechanism A is enabled
+ * and not accelerated enable B. Note that if A is enabled and accelerated, it
+ * is not necessary to enable B for A support.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+#if (defined(PSA_WANT_ALG_TLS12_PRF) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \
+ (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \
+ (defined(PSA_WANT_ALG_HKDF) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \
+ (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \
+ (defined(PSA_WANT_ALG_HKDF_EXPAND) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \
+ (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC))
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#endif
+
+#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128))
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_ALG_CMAC 1
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */
diff --git a/tf-psa-crypto/include/psa/crypto_adjust_config_key_pair_types.h b/tf-psa-crypto/include/psa/crypto_adjust_config_key_pair_types.h
new file mode 100644
index 0000000..cec39e0
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_adjust_config_key_pair_types.h
@@ -0,0 +1,101 @@
+/**
+ * \file psa/crypto_adjust_config_key_pair_types.h
+ * \brief Adjust PSA configuration for key pair types.
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * See docs/proposed/psa-conditional-inclusion-c.md.
+ * - Support non-basic operations in a keypair type implicitly enables basic
+ * support for that keypair type.
+ * - Support for a keypair type implicitly enables the corresponding public
+ * key type.
+ * - Basic support for a keypair type implicilty enables import/export support
+ * for that keypair type. Warning: this is implementation-specific (mainly
+ * for the benefit of testing) and may change in the future!
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
+#define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+/*****************************************************************
+ * ANYTHING -> BASIC
+ ****************************************************************/
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#endif
+
+/*****************************************************************
+ * BASIC -> corresponding PUBLIC
+ ****************************************************************/
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
+#endif
+
+/*****************************************************************
+ * BASIC -> IMPORT+EXPORT
+ *
+ * (Implementation-specific, may change in the future.)
+ ****************************************************************/
+
+/* Even though KEY_PAIR symbols' feature several level of support (BASIC, IMPORT,
+ * EXPORT, GENERATE, DERIVE) we're not planning to have support only for BASIC
+ * without IMPORT/EXPORT since these last 2 features are strongly used in tests.
+ * In general it is allowed to include more feature than what is strictly
+ * requested.
+ * As a consequence IMPORT and EXPORT features will be automatically enabled
+ * as soon as the BASIC one is. */
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H */
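Review bot: The "BASIC -> IMPORT+EXPORT" block defines `PSA_WANT_KEY_TYPE_*_KEY_PAIR_EXPORT` whenever BASIC is set, and the first block sets BASIC from GENERATE or DERIVE alone, so a configuration that requests only key generation still ends up with the key-pair EXPORT symbol defined. The comment explains this is for the benefit of tests, but it should also tell integrators that omitting EXPORT from their configuration has no effect while BASIC is on, and that export presumably has to be restricted through the key's usage policy instead, for example `/* Note: EXPORT cannot be turned off while BASIC is enabled; restrict export through the key policy. */`. Separately, the include guard `PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H` does not follow the `PSA_CRYPTO_ADJUST_CONFIG_*_H` form used by the dependencies and synonyms headers, and "implicilty" in the file comment is a typo.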
diff --git a/tf-psa-crypto/include/psa/crypto_adjust_config_synonyms.h b/tf-psa-crypto/include/psa/crypto_adjust_config_synonyms.h
new file mode 100644
index 0000000..54b116f
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_adjust_config_synonyms.h
@@ -0,0 +1,49 @@
+/**
+ * \file psa/crypto_adjust_config_synonyms.h
+ * \brief Adjust PSA configuration: enable quasi-synonyms
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * When two features require almost the same code, we automatically enable
+ * both when either one is requested, to reduce the combinatorics of
+ * possible configurations.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
+#define PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
+ "up to and including runtime errors such as buffer overflows. " \
+ "If you're trying to fix a complaint from check_config.h, just remove " \
+ "it from your configuration file: since Mbed TLS 3.0, it is included " \
+ "automatically at the right point."
+#endif /* */
+
+/****************************************************************/
+/* De facto synonyms */
+/****************************************************************/
+
+#if defined(PSA_WANT_ALG_ECDSA_ANY) && !defined(PSA_WANT_ALG_ECDSA)
+#define PSA_WANT_ALG_ECDSA PSA_WANT_ALG_ECDSA_ANY
+#elif !defined(PSA_WANT_ALG_ECDSA_ANY) && defined(PSA_WANT_ALG_ECDSA)
+#define PSA_WANT_ALG_ECDSA_ANY PSA_WANT_ALG_ECDSA
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW
+#elif !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && !defined(PSA_WANT_ALG_RSA_PSS)
+#define PSA_WANT_ALG_RSA_PSS PSA_WANT_ALG_RSA_PSS_ANY_SALT
+#elif !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && defined(PSA_WANT_ALG_RSA_PSS)
+#define PSA_WANT_ALG_RSA_PSS_ANY_SALT PSA_WANT_ALG_RSA_PSS
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H */
diff --git a/tf-psa-crypto/include/psa/crypto_builtin_composites.h b/tf-psa-crypto/include/psa/crypto_builtin_composites.h
new file mode 100644
index 0000000..c14f5dd
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_builtin_composites.h
@@ -0,0 +1,214 @@
+/*
+ * Context structure declaration of the Mbed TLS software-based PSA drivers
+ * called through the PSA Crypto driver dispatch layer.
+ * This file contains the context structures of those algorithms which need to
+ * rely on other algorithms, i.e. are 'composite' algorithms.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the Mbed TLS software-based PSA drivers. The
+ * definitions of these objects are then used by crypto_struct.h to define the
+ * implementation-defined types of PSA multi-part state objects.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_BUILTIN_COMPOSITES_H
+#define PSA_CRYPTO_BUILTIN_COMPOSITES_H
+#include "mbedtls/private_access.h"
+
+#include <psa/crypto_driver_common.h>
+
+#include "mbedtls/cmac.h"
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+#include "mbedtls/gcm.h"
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+#include "mbedtls/ccm.h"
+#endif
+#include "mbedtls/chachapoly.h"
+
+/*
+ * MAC multi-part operation definitions.
+ */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_MAC
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
+typedef struct {
+ /** The HMAC algorithm in use */
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ /** The hash context. */
+ struct psa_hash_operation_s hash_ctx;
+ /** The HMAC part of the context. */
+ uint8_t MBEDTLS_PRIVATE(opad)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+} mbedtls_psa_hmac_operation_t;
+
+#define MBEDTLS_PSA_HMAC_OPERATION_INIT { 0, PSA_HASH_OPERATION_INIT, { 0 } }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+typedef struct {
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ union {
+ unsigned MBEDTLS_PRIVATE(dummy); /* Make the union non-empty even with no supported algorithms. */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_psa_hmac_operation_t MBEDTLS_PRIVATE(hmac);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cmac);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+ } MBEDTLS_PRIVATE(ctx);
+} mbedtls_psa_mac_operation_t;
+
+#define MBEDTLS_PSA_MAC_OPERATION_INIT { 0, { 0 } }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+#define MBEDTLS_PSA_BUILTIN_AEAD 1
+#endif
+
+/* Context structure for the Mbed TLS AEAD implementation. */
+typedef struct {
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ psa_key_type_t MBEDTLS_PRIVATE(key_type);
+
+ unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
+
+ uint8_t MBEDTLS_PRIVATE(tag_length);
+
+ union {
+ unsigned dummy; /* Enable easier initializing of the union. */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ mbedtls_ccm_context MBEDTLS_PRIVATE(ccm);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ mbedtls_gcm_context MBEDTLS_PRIVATE(gcm);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ mbedtls_chachapoly_context MBEDTLS_PRIVATE(chachapoly);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+
+ } ctx;
+
+} mbedtls_psa_aead_operation_t;
+
+#define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
+
+#include "mbedtls/ecdsa.h"
+
+/* Context structure for the Mbed TLS interruptible sign hash implementation. */
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ size_t MBEDTLS_PRIVATE(coordinate_bytes);
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+} mbedtls_psa_sign_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 }
+#else
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+/* Context structure for the Mbed TLS interruptible verify hash
+ * implementation.*/
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+ mbedtls_mpi MBEDTLS_PRIVATE(r);
+ mbedtls_mpi MBEDTLS_PRIVATE(s);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+
+} mbedtls_psa_verify_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \
+ { 0 } }
+#else
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+
+/* EC-JPAKE operation definitions */
+
+#include "mbedtls/ecjpake.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+#define MBEDTLS_PSA_BUILTIN_PAKE 1
+#endif
+
+/* Note: the format for mbedtls_ecjpake_read/write function has an extra
+ * length byte for each step, plus an extra 3 bytes for ECParameters in the
+ * server's 2nd round. */
+#define MBEDTLS_PSA_JPAKE_BUFFER_SIZE ((3 + 1 + 65 + 1 + 65 + 1 + 32) * 2)
+
+typedef struct {
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+
+ uint8_t *MBEDTLS_PRIVATE(password);
+ size_t MBEDTLS_PRIVATE(password_len);
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);
+ uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]);
+ size_t MBEDTLS_PRIVATE(buffer_length);
+ size_t MBEDTLS_PRIVATE(buffer_offset);
+#endif
+ /* Context structure for the Mbed TLS EC-JPAKE implementation. */
+ union {
+ unsigned int MBEDTLS_PRIVATE(dummy);
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ mbedtls_ecjpake_context MBEDTLS_PRIVATE(jpake);
+#endif
+ } MBEDTLS_PRIVATE(ctx);
+
+} mbedtls_psa_pake_operation_t;
+
+#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } }
+
+#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
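Review bot: The two interruptible-operation initializers do not follow the member order of their structs. In `MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT` the `hash` array is filled from bare `0`s, and in `MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT` the trailing `{ 0 }, { 0 }` are, as I read the brace-elision rules, consumed as elements of `hash` rather than initializing `r` and `s`. Every member still ends up zero, but only through elision and implicit zeroing, and compilers tend to warn about the missing braces. Writing one initializer per member is clearer: `{ 0, { 0 }, 0, 0, 0, 0, { 0 }, 0 }` for sign and `{ 0, { 0 }, 0, { 0 }, 0, { 0 }, { 0 } }` for verify. The verify macro also lacks the `MBEDTLS_PSA_` prefix that its sign counterpart has, which may be deliberate for compatibility.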
diff --git a/tf-psa-crypto/include/psa/crypto_builtin_key_derivation.h b/tf-psa-crypto/include/psa/crypto_builtin_key_derivation.h
new file mode 100644
index 0000000..6b91ae7
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_builtin_key_derivation.h
@@ -0,0 +1,118 @@
+/*
+ * Context structure declaration of the Mbed TLS software-based PSA drivers
+ * called through the PSA Crypto driver dispatch layer.
+ * This file contains the context structures of key derivation algorithms
+ * which need to rely on other algorithms.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the Mbed TLS software-based PSA drivers. The
+ * definitions of these objects are then used by crypto_struct.h to define the
+ * implementation-defined types of PSA multi-part state objects.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H
+#define PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H
+#include "mbedtls/private_access.h"
+
+#include <psa/crypto_driver_common.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+typedef struct {
+ uint8_t *MBEDTLS_PRIVATE(info);
+ size_t MBEDTLS_PRIVATE(info_length);
+#if PSA_HASH_MAX_SIZE > 0xff
+#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
+#endif
+ uint8_t MBEDTLS_PRIVATE(offset_in_block);
+ uint8_t MBEDTLS_PRIVATE(block_number);
+ unsigned int MBEDTLS_PRIVATE(state) : 2;
+ unsigned int MBEDTLS_PRIVATE(info_set) : 1;
+ uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
+ uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE];
+ struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac);
+} psa_hkdf_key_derivation_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF ||
+ MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT ||
+ MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+typedef struct {
+ uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE];
+} psa_tls12_ecjpake_to_pms_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+typedef enum {
+ PSA_TLS12_PRF_STATE_INIT, /* no input provided */
+ PSA_TLS12_PRF_STATE_SEED_SET, /* seed has been set */
+ PSA_TLS12_PRF_STATE_OTHER_KEY_SET, /* other key has been set - optional */
+ PSA_TLS12_PRF_STATE_KEY_SET, /* key has been set */
+ PSA_TLS12_PRF_STATE_LABEL_SET, /* label has been set */
+ PSA_TLS12_PRF_STATE_OUTPUT /* output has been started */
+} psa_tls12_prf_key_derivation_state_t;
+
+typedef struct psa_tls12_prf_key_derivation_s {
+#if PSA_HASH_MAX_SIZE > 0xff
+#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
+#endif
+
+ /* Indicates how many bytes in the current HMAC block have
+ * not yet been read by the user. */
+ uint8_t MBEDTLS_PRIVATE(left_in_block);
+
+ /* The 1-based number of the block. */
+ uint8_t MBEDTLS_PRIVATE(block_number);
+
+ psa_tls12_prf_key_derivation_state_t MBEDTLS_PRIVATE(state);
+
+ uint8_t *MBEDTLS_PRIVATE(secret);
+ size_t MBEDTLS_PRIVATE(secret_length);
+ uint8_t *MBEDTLS_PRIVATE(seed);
+ size_t MBEDTLS_PRIVATE(seed_length);
+ uint8_t *MBEDTLS_PRIVATE(label);
+ size_t MBEDTLS_PRIVATE(label_length);
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ uint8_t *MBEDTLS_PRIVATE(other_secret);
+ size_t MBEDTLS_PRIVATE(other_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+ uint8_t MBEDTLS_PRIVATE(Ai)[PSA_HASH_MAX_SIZE];
+
+ /* `HMAC_hash( prk, A( i ) + seed )` in the notation of RFC 5246, Sect. 5. */
+ uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
+} psa_tls12_prf_key_derivation_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+typedef enum {
+ PSA_PBKDF2_STATE_INIT, /* no input provided */
+ PSA_PBKDF2_STATE_INPUT_COST_SET, /* input cost has been set */
+ PSA_PBKDF2_STATE_SALT_SET, /* salt has been set */
+ PSA_PBKDF2_STATE_PASSWORD_SET, /* password has been set */
+ PSA_PBKDF2_STATE_OUTPUT /* output has been started */
+} psa_pbkdf2_key_derivation_state_t;
+
+typedef struct {
+ psa_pbkdf2_key_derivation_state_t MBEDTLS_PRIVATE(state);
+ uint64_t MBEDTLS_PRIVATE(input_cost);
+ uint8_t *MBEDTLS_PRIVATE(salt);
+ size_t MBEDTLS_PRIVATE(salt_length);
+ uint8_t MBEDTLS_PRIVATE(password)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+ size_t MBEDTLS_PRIVATE(password_length);
+ uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE];
+ uint8_t MBEDTLS_PRIVATE(bytes_used);
+ uint32_t MBEDTLS_PRIVATE(block_number);
+} psa_pbkdf2_key_derivation_t;
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+#endif /* PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H */
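Review bot: `psa_pbkdf2_key_derivation_t` keeps `bytes_used` in a `uint8_t` next to `output_block[PSA_HASH_MAX_SIZE]`, but unlike the HKDF and TLS 1.2 PRF structs above it has no `#if PSA_HASH_MAX_SIZE > 0xff` check. Those two checks sit inside blocks that are compiled out when only PBKDF2 is built in. If `bytes_used` counts bytes of `output_block` (the name suggests so, but the code that uses it is not in this hunk), the same guard belongs inside this struct: `#if PSA_HASH_MAX_SIZE > 0xff`, `#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"`, `#endif`. The closing comment `#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||` also has a stray parenthesis.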
diff --git a/tf-psa-crypto/include/psa/crypto_builtin_primitives.h b/tf-psa-crypto/include/psa/crypto_builtin_primitives.h
new file mode 100644
index 0000000..98ab4d3
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_builtin_primitives.h
@@ -0,0 +1,114 @@
+/*
+ * Context structure declaration of the Mbed TLS software-based PSA drivers
+ * called through the PSA Crypto driver dispatch layer.
+ * This file contains the context structures of those algorithms which do not
+ * rely on other algorithms, i.e. are 'primitive' algorithms.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the Mbed TLS software-based PSA drivers. The
+ * definitions of these objects are then used by crypto_struct.h to define the
+ * implementation-defined types of PSA multi-part state objects.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_BUILTIN_PRIMITIVES_H
+#define PSA_CRYPTO_BUILTIN_PRIMITIVES_H
+#include "mbedtls/private_access.h"
+
+#include <psa/crypto_driver_common.h>
+
+/*
+ * Hash multi-part operation definitions.
+ */
+
+#include "mbedtls/md5.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/sha3.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#define MBEDTLS_PSA_BUILTIN_HASH
+#endif
+
+typedef struct {
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ union {
+ unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ mbedtls_md5_context md5;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ mbedtls_ripemd160_context ripemd160;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ mbedtls_sha1_context sha1;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ mbedtls_sha256_context sha256;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ mbedtls_sha512_context sha512;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ mbedtls_sha3_context sha3;
+#endif
+ } MBEDTLS_PRIVATE(ctx);
+} mbedtls_psa_hash_operation_t;
+
+#define MBEDTLS_PSA_HASH_OPERATION_INIT { 0, { 0 } }
+
+/*
+ * Cipher multi-part operation definitions.
+ */
+
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
+#define MBEDTLS_PSA_BUILTIN_CIPHER 1
+#endif
+
+typedef struct {
+ /* Context structure for the Mbed TLS cipher implementation. */
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ uint8_t MBEDTLS_PRIVATE(iv_length);
+ uint8_t MBEDTLS_PRIVATE(block_length);
+ union {
+ unsigned int MBEDTLS_PRIVATE(dummy);
+ mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher);
+ } MBEDTLS_PRIVATE(ctx);
+} mbedtls_psa_cipher_operation_t;
+
+#define MBEDTLS_PSA_CIPHER_OPERATION_INIT { 0, 0, 0, { 0 } }
+
+#endif /* PSA_CRYPTO_BUILTIN_PRIMITIVES_H */
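Review bot: `MBEDTLS_PSA_BUILTIN_HASH` is defined with no value, while `MBEDTLS_PSA_BUILTIN_CIPHER` further down is defined as `1`, so a later `#if MBEDTLS_PSA_BUILTIN_HASH` would be a preprocessor error where the cipher form works. Writing `#define MBEDTLS_PSA_BUILTIN_HASH 1` keeps the two feature macros usable the same way in both `#if` and `defined()` tests. The unions are uneven in the same way: the hash union leaves `dummy` and the per-algorithm members outside `MBEDTLS_PRIVATE()`, whereas the cipher union wraps both of its members.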
diff --git a/tf-psa-crypto/include/psa/crypto_compat.h b/tf-psa-crypto/include/psa/crypto_compat.h
new file mode 100644
index 0000000..2a226c0
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_compat.h
@@ -0,0 +1,230 @@
+/**
+ * \file psa/crypto_compat.h
+ *
+ * \brief PSA cryptography module: Backward compatibility aliases
+ *
+ * This header declares alternative names for macro and functions.
+ * New application code should not use these names.
+ * These names may be removed in a future version of Mbed TLS.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_COMPAT_H
+#define PSA_CRYPTO_COMPAT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * To support both openless APIs and psa_open_key() temporarily, define
+ * psa_key_handle_t to be equal to mbedtls_svc_key_id_t. Do not mark the
+ * type and its utility macros and functions deprecated yet. This will be done
+ * in a subsequent phase.
+ */
+typedef mbedtls_svc_key_id_t psa_key_handle_t;
+
+#define PSA_KEY_HANDLE_INIT MBEDTLS_SVC_KEY_ID_INIT
+
+/** Check whether a handle is null.
+ *
+ * \param handle Handle
+ *
+ * \return Non-zero if the handle is null, zero otherwise.
+ */
+static inline int psa_key_handle_is_null(psa_key_handle_t handle)
+{
+ return mbedtls_svc_key_id_is_null(handle);
+}
+
+/** Open a handle to an existing persistent key.
+ *
+ * Open a handle to a persistent key. A key is persistent if it was created
+ * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
+ * always has a nonzero key identifier, set with psa_set_key_id() when
+ * creating the key. Implementations may provide additional pre-provisioned
+ * keys that can be opened with psa_open_key(). Such keys have an application
+ * key identifier in the vendor range, as documented in the description of
+ * #psa_key_id_t.
+ *
+ * The application must eventually close the handle with psa_close_key() or
+ * psa_destroy_key() to release associated resources. If the application dies
+ * without calling one of these functions, the implementation should perform
+ * the equivalent of a call to psa_close_key().
+ *
+ * Some implementations permit an application to open the same key multiple
+ * times. If this is successful, each call to psa_open_key() will return a
+ * different key handle.
+ *
+ * \note This API is not part of the PSA Cryptography API Release 1.0.0
+ * specification. It was defined in the 1.0 Beta 3 version of the
+ * specification but was removed in the 1.0.0 released version. This API is
+ * kept for the time being to not break applications relying on it. It is not
+ * deprecated yet but will be in the near future.
+ *
+ * \note Applications that rely on opening a key multiple times will not be
+ * portable to implementations that only permit a single key handle to be
+ * opened. See also :ref:\`key-handles\`.
+ *
+ *
+ * \param key The persistent identifier of the key.
+ * \param[out] handle On success, a handle to the key.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. The application can now use the value of `*handle`
+ * to access the key.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * The implementation does not have sufficient resources to open the
+ * key. This can be due to reaching an implementation limit on the
+ * number of open keys, the number of open key handles, or available
+ * memory.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no persistent key with key identifier \p key.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key is not a valid persistent key identifier.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The specified key exists, but the application does not have the
+ * permission to access it. Note that this specification does not
+ * define any way to create such a key, but it may be possible
+ * through implementation-specific means.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_open_key(mbedtls_svc_key_id_t key,
+ psa_key_handle_t *handle);
+
+/** Close a key handle.
+ *
+ * If the handle designates a volatile key, this will destroy the key material
+ * and free all associated resources, just like psa_destroy_key().
+ *
+ * If this is the last open handle to a persistent key, then closing the handle
+ * will free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and can be opened again later
+ * with a call to psa_open_key().
+ *
+ * Closing the key handle makes the handle invalid, and the key handle
+ * must not be used again by the application.
+ *
+ * \note This API is not part of the PSA Cryptography API Release 1.0.0
+ * specification. It was defined in the 1.0 Beta 3 version of the
+ * specification but was removed in the 1.0.0 released version. This API is
+ * kept for the time being to not break applications relying on it. It is not
+ * deprecated yet but will be in the near future.
+ *
+ * \note If the key handle was used to set up an active
+ * :ref:\`multipart operation <multipart-operations>\`, then closing the
+ * key handle can cause the multipart operation to fail. Applications should
+ * maintain the key handle until after the multipart operation has finished.
+ *
+ * \param handle The key handle to close.
+ * If this is \c 0, do nothing and return \c PSA_SUCCESS.
+ *
+ * \retval #PSA_SUCCESS
+ * \p handle was a valid handle or \c 0. It is now closed.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p handle is not a valid handle nor \c 0.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_close_key(psa_key_handle_t handle);
+
+/** \addtogroup attributes
+ * @{
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/** Custom Diffie-Hellman group.
+ *
+ * Mbed TLS does not support custom DH groups.
+ *
+ * \deprecated This value is not useful, so this macro will be removed in
+ * a future version of the library.
+ */
+#define PSA_DH_FAMILY_CUSTOM \
+ ((psa_dh_family_t) MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(0x7e))
+
+/**
+ * \brief Set domain parameters for a key.
+ *
+ * \deprecated Mbed TLS no longer supports any domain parameters.
+ * This function only does the equivalent of
+ * psa_set_key_type() and will be removed in a future version
+ * of the library.
+ *
+ * \param[in,out] attributes Attribute structure where \p type will be set.
+ * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[in] data Ignored.
+ * \param data_length Must be 0.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ */
+static inline psa_status_t MBEDTLS_DEPRECATED psa_set_key_domain_parameters(
+ psa_key_attributes_t *attributes,
+ psa_key_type_t type, const uint8_t *data, size_t data_length)
+{
+ (void) data;
+ if (data_length != 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ psa_set_key_type(attributes, type);
+ return PSA_SUCCESS;
+}
+
+/**
+ * \brief Get domain parameters for a key.
+ *
+ * \deprecated Mbed TLS no longer supports any domain parameters.
+ * This function alwaya has an empty output and will be
+ * removed in a future version of the library.
+
+ * \param[in] attributes Ignored.
+ * \param[out] data Ignored.
+ * \param data_size Ignored.
+ * \param[out] data_length Set to 0.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+static inline psa_status_t MBEDTLS_DEPRECATED psa_get_key_domain_parameters(
+ const psa_key_attributes_t *attributes,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ (void) attributes;
+ (void) data;
+ (void) data_size;
+ *data_length = 0;
+ return PSA_SUCCESS;
+}
+
+/** Safe output buffer size for psa_get_key_domain_parameters().
+ *
+ */
+#define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits) \
+ MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(1u)
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**@}*/
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_COMPAT_H */
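Review bot: The doc block for psa_get_key_domain_parameters() is malformed and understates the contract. The line after "removed in a future version of the library." has lost its ` *` prefix, "alwaya" is a typo, and the function writes `*data_length = 0;` unconditionally although the parameter text only says "Set to 0". I would restore the ` *` line, fix the spelling, and document the pointer as `\param[out] data_length  Must not be NULL; set to 0.` The comment on PSA_KEY_DOMAIN_PARAMETERS_SIZE is empty after its first line and could say why it evaluates to `1u` when the function always reports a length of 0.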
diff --git a/tf-psa-crypto/include/psa/crypto_config.h b/tf-psa-crypto/include/psa/crypto_config.h
new file mode 100644
index 0000000..36e937a
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_config.h
@@ -0,0 +1,159 @@
+/**
+ * \file psa/crypto_config.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+/**
+ * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
+ * this file determines which cryptographic mechanisms are enabled
+ * through the PSA Cryptography API (\c psa_xxx() functions).
+ *
+ * To enable a cryptographic mechanism, uncomment the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * To disable a cryptographic mechanism, comment out the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * The names of cryptographic mechanisms correspond to values
+ * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
+ * of \c PSA_.
+ *
+ * Note that many cryptographic mechanisms involve two symbols: one for
+ * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
+ * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
+ * additional symbols.
+ */
+#else
+/**
+ * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
+ * this file is not used, and cryptographic mechanisms are supported
+ * through the PSA API if and only if they are supported through the
+ * mbedtls_xxx API.
+ */
+#endif
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+/*
+ * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
+ */
+//#define PSA_WANT_ALG_CBC_MAC 1
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
+#define PSA_WANT_ALG_CMAC 1
+#define PSA_WANT_ALG_CFB 1
+#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+#define PSA_WANT_ALG_CTR 1
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_FFDH 1
+#define PSA_WANT_ALG_ECDSA 1
+#define PSA_WANT_ALG_JPAKE 1
+#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_ALG_MD5 1
+#define PSA_WANT_ALG_OFB 1
+#define PSA_WANT_ALG_PBKDF2_HMAC 1
+#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1
+#define PSA_WANT_ALG_RIPEMD160 1
+#define PSA_WANT_ALG_RSA_OAEP 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
+#define PSA_WANT_ALG_RSA_PSS 1
+#define PSA_WANT_ALG_SHA_1 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_512 1
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+
+/* XTS is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_XTS 1
+
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+#define PSA_WANT_ECC_MONTGOMERY_255 1
+#define PSA_WANT_ECC_MONTGOMERY_448 1
+#define PSA_WANT_ECC_SECP_K1_192 1
+/*
+ * SECP224K1 is buggy via the PSA API in Mbed TLS
+ * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
+ * default.
+ */
+//#define PSA_WANT_ECC_SECP_K1_224 1
+#define PSA_WANT_ECC_SECP_K1_256 1
+#define PSA_WANT_ECC_SECP_R1_192 1
+#define PSA_WANT_ECC_SECP_R1_224 1
+/* For secp256r1, consider enabling #MBEDTLS_PSA_P256M_DRIVER_ENABLED
+ * (see the description in mbedtls/mbedtls_config.h for details). */
+#define PSA_WANT_ECC_SECP_R1_256 1
+#define PSA_WANT_ECC_SECP_R1_384 1
+#define PSA_WANT_ECC_SECP_R1_521 1
+
+#define PSA_WANT_DH_RFC7919_2048 1
+#define PSA_WANT_DH_RFC7919_3072 1
+#define PSA_WANT_DH_RFC7919_4096 1
+#define PSA_WANT_DH_RFC7919_6144 1
+#define PSA_WANT_DH_RFC7919_8192 1
+
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_PASSWORD 1
+#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_ARIA 1
+#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+#define PSA_WANT_KEY_TYPE_CHACHA20 1
+#define PSA_WANT_KEY_TYPE_DES 1
+//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */
+#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+
+/*
+ * The following symbols extend and deprecate the legacy
+ * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in
+ * the name's suffix. "_USE" is the most generic and it can be used to describe
+ * a generic suport, whereas other ones add more features on top of that and
+ * they are more specific.
+ */
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */
+
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
+//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 /* Not supported */
+
+#endif /* PSA_CRYPTO_CONFIG_H */
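Review bot: The default set enables several legacy mechanisms with no guidance beside them. `PSA_WANT_ALG_MD5`, `PSA_WANT_ALG_SHA_1`, `PSA_WANT_ALG_RIPEMD160`, `PSA_WANT_KEY_TYPE_DES`, `PSA_WANT_ALG_ECB_NO_PADDING` and `PSA_WANT_ALG_RSA_PKCS1V15_CRYPT` sit in the same list as the current algorithms, while only CBC-MAC, XTS and SECP224K1 carry a comment. A short comment above these entries, such as `/* Legacy: kept for interoperability; comment out unless a protocol you deploy requires it. */`, would tell integrators which symbols to turn off when trimming a build. Separately, the comment before the key-pair symbols calls "_USE" the most generic suffix, but the symbols defined below it use `_BASIC`; the text looks stale and also misspells "support".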
diff --git a/tf-psa-crypto/include/psa/crypto_driver_common.h b/tf-psa-crypto/include/psa/crypto_driver_common.h
new file mode 100644
index 0000000..cc11d3b
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_driver_common.h
@@ -0,0 +1,44 @@
+/**
+ * \file psa/crypto_driver_common.h
+ * \brief Definitions for all PSA crypto drivers
+ *
+ * This file contains common definitions shared by all PSA crypto drivers.
+ * Do not include it directly: instead, include the header file(s) for
+ * the type(s) of driver that you are implementing. For example, if
+ * you are writing a dynamically registered driver for a secure element,
+ * include `psa/crypto_se_driver.h`.
+ *
+ * This file is part of the PSA Crypto Driver Model, containing functions for
+ * driver developers to implement to enable hardware to be called in a
+ * standardized way by a PSA Cryptographic API implementation. The functions
+ * comprising the driver model, which driver authors implement, are not
+ * intended to be called by application developers.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef PSA_CRYPTO_DRIVER_COMMON_H
+#define PSA_CRYPTO_DRIVER_COMMON_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* Include type definitions (psa_status_t, psa_algorithm_t,
+ * psa_key_type_t, etc.) and macros to build and analyze values
+ * of these types. */
+#include "crypto_types.h"
+#include "crypto_values.h"
+/* Include size definitions which are used to size some arrays in operation
+ * structures. */
+#include <psa/crypto_sizes.h>
+
+/** For encrypt-decrypt functions, whether the operation is an encryption
+ * or a decryption. */
+typedef enum {
+ PSA_CRYPTO_DRIVER_DECRYPT,
+ PSA_CRYPTO_DRIVER_ENCRYPT
+} psa_encrypt_or_decrypt_t;
+
+#endif /* PSA_CRYPTO_DRIVER_COMMON_H */
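Review bot: The three PSA includes use two different forms. `#include "crypto_types.h"` and `#include "crypto_values.h"` resolve relative to this header, while `#include <psa/crypto_sizes.h>` resolves through the include path. This commit also references a second copy of the PSA headers under `libtestdriver1/`, so mixing the forms could pull types and sizes from different trees, depending on how the include path is set up. Using one form throughout, for example `#include "psa/crypto_types.h"` as the neighbouring driver-context headers do for `psa/crypto_driver_common.h`, removes that ambiguity.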
diff --git a/tf-psa-crypto/include/psa/crypto_driver_contexts_composites.h b/tf-psa-crypto/include/psa/crypto_driver_contexts_composites.h
new file mode 100644
index 0000000..5a484fc
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_driver_contexts_composites.h
@@ -0,0 +1,151 @@
+/*
+ * Declaration of context structures for use with the PSA driver wrapper
+ * interface. This file contains the context structures for 'composite'
+ * operations, i.e. those operations which need to make use of other operations
+ * from the primitives (crypto_driver_contexts_primitives.h)
+ *
+ * Warning: This file will be auto-generated in the future.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the PSA drivers included in the cryptographic
+ * library. The definitions of these objects are then used by crypto_struct.h
+ * to define the implementation-defined types of PSA multi-part state objects.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H
+#define PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H
+
+#include "psa/crypto_driver_common.h"
+
+/* Include the context structure definitions for the Mbed TLS software drivers */
+#include "psa/crypto_builtin_composites.h"
+
+/* Include the context structure definitions for those drivers that were
+ * declared during the autogeneration process. */
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#include <libtestdriver1/tf-psa-crypto/include/psa/crypto.h>
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC)
+typedef libtestdriver1_mbedtls_psa_mac_operation_t
+ mbedtls_transparent_test_driver_mac_operation_t;
+typedef libtestdriver1_mbedtls_psa_mac_operation_t
+ mbedtls_opaque_test_driver_mac_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT
+#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT
+
+#else
+typedef mbedtls_psa_mac_operation_t
+ mbedtls_transparent_test_driver_mac_operation_t;
+typedef mbedtls_psa_mac_operation_t
+ mbedtls_opaque_test_driver_mac_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \
+ MBEDTLS_PSA_MAC_OPERATION_INIT
+#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \
+ MBEDTLS_PSA_MAC_OPERATION_INIT
+
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC */
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD)
+typedef libtestdriver1_mbedtls_psa_aead_operation_t
+ mbedtls_transparent_test_driver_aead_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_AEAD_OPERATION_INIT
+#else
+typedef mbedtls_psa_aead_operation_t
+ mbedtls_transparent_test_driver_aead_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \
+ MBEDTLS_PSA_AEAD_OPERATION_INIT
+
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE)
+
+typedef libtestdriver1_mbedtls_psa_pake_operation_t
+ mbedtls_transparent_test_driver_pake_operation_t;
+typedef libtestdriver1_mbedtls_psa_pake_operation_t
+ mbedtls_opaque_test_driver_pake_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT
+#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_PAKE_OPERATION_INIT
+
+#else
+typedef mbedtls_psa_pake_operation_t
+ mbedtls_transparent_test_driver_pake_operation_t;
+typedef mbedtls_psa_pake_operation_t
+ mbedtls_opaque_test_driver_pake_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_PAKE_OPERATION_INIT \
+ MBEDTLS_PSA_PAKE_OPERATION_INIT
+#define MBEDTLS_OPAQUE_TEST_DRIVER_PAKE_OPERATION_INIT \
+ MBEDTLS_PSA_PAKE_OPERATION_INIT
+
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_PAKE */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+/* Define the context to be used for an operation that is executed through the
+ * PSA Driver wrapper layer as the union of all possible driver's contexts.
+ *
+ * The union members are the driver's context structures, and the member names
+ * are formatted as `'drivername'_ctx`. This allows for procedural generation
+ * of both this file and the content of psa_crypto_driver_wrappers.h */
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_mac_operation_t mbedtls_ctx;
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_transparent_test_driver_mac_operation_t transparent_test_driver_ctx;
+ mbedtls_opaque_test_driver_mac_operation_t opaque_test_driver_ctx;
+#endif
+} psa_driver_mac_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_aead_operation_t mbedtls_ctx;
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_transparent_test_driver_aead_operation_t transparent_test_driver_ctx;
+#endif
+} psa_driver_aead_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_sign_hash_interruptible_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_verify_hash_interruptible_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_pake_operation_t mbedtls_ctx;
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_transparent_test_driver_pake_operation_t transparent_test_driver_ctx;
+ mbedtls_opaque_test_driver_pake_operation_t opaque_test_driver_ctx;
+#endif
+} psa_driver_pake_context_t;
+
+#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
+/* End of automatically generated file. */
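Review bot: The header comment says "Warning: This file will be auto-generated in the future", but the file ends with `/* End of automatically generated file. */`, so a reader cannot tell whether hand edits are safe or will be overwritten. One of the two statements should go; if the file is still maintained by hand, drop the trailing line or change it to `/* End of file (not yet generated). */`. The same contradictory pair appears in crypto_driver_contexts_key_derivation.h and crypto_driver_contexts_primitives.h in this commit.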
diff --git a/tf-psa-crypto/include/psa/crypto_driver_contexts_key_derivation.h b/tf-psa-crypto/include/psa/crypto_driver_contexts_key_derivation.h
new file mode 100644
index 0000000..2119051
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_driver_contexts_key_derivation.h
@@ -0,0 +1,52 @@
+/*
+ * Declaration of context structures for use with the PSA driver wrapper
+ * interface. This file contains the context structures for key derivation
+ * operations.
+ *
+ * Warning: This file will be auto-generated in the future.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the PSA drivers included in the cryptographic
+ * library. The definitions of these objects are then used by crypto_struct.h
+ * to define the implementation-defined types of PSA multi-part state objects.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H
+#define PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H
+
+#include "psa/crypto_driver_common.h"
+
+/* Include the context structure definitions for the Mbed TLS software drivers */
+#include "psa/crypto_builtin_key_derivation.h"
+
+/* Include the context structure definitions for those drivers that were
+ * declared during the autogeneration process. */
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf);
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
+#endif
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ psa_pbkdf2_key_derivation_t MBEDTLS_PRIVATE(pbkdf2);
+#endif
+} psa_driver_key_derivation_context_t;
+
+#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H */
+/* End of automatically generated file. */
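Review bot: psa_driver_key_derivation_context_t has no comment saying that it carries secret material, yet its members do. psa_pbkdf2_key_derivation_t, defined in crypto_builtin_key_derivation.h in this commit, stores `password[PSA_HMAC_MAX_HASH_BLOCK_SIZE]` by value, and the TLS 1.2 PRF context holds `secret` and `other_secret` pointers. I would add a comment above the union along the lines of `/* May hold secrets (password, PRF inputs); release only through the key-derivation abort path so the contents are wiped. */`. Whether the abort path zeroizes the whole union cannot be checked from this hunk, so the wording should be confirmed against the implementation.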
diff --git a/tf-psa-crypto/include/psa/crypto_driver_contexts_primitives.h b/tf-psa-crypto/include/psa/crypto_driver_contexts_primitives.h
new file mode 100644
index 0000000..281e0a1
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_driver_contexts_primitives.h
@@ -0,0 +1,105 @@
+/*
+ * Declaration of context structures for use with the PSA driver wrapper
+ * interface. This file contains the context structures for 'primitive'
+ * operations, i.e. those operations which do not rely on other contexts.
+ *
+ * Warning: This file will be auto-generated in the future.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * \note This header and its content are not part of the Mbed TLS API and
+ * applications must not depend on it. Its main purpose is to define the
+ * multi-part state objects of the PSA drivers included in the cryptographic
+ * library. The definitions of these objects are then used by crypto_struct.h
+ * to define the implementation-defined types of PSA multi-part state objects.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H
+#define PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H
+
+#include "psa/crypto_driver_common.h"
+
+/* Include the context structure definitions for the Mbed TLS software drivers */
+#include "psa/crypto_builtin_primitives.h"
+
+/* Include the context structure definitions for those drivers that were
+ * declared during the autogeneration process. */
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#include <libtestdriver1/tf-psa-crypto/include/psa/crypto.h>
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
+typedef libtestdriver1_mbedtls_psa_cipher_operation_t
+ mbedtls_transparent_test_driver_cipher_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_CIPHER_OPERATION_INIT
+#else
+typedef mbedtls_psa_cipher_operation_t
+ mbedtls_transparent_test_driver_cipher_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \
+ MBEDTLS_PSA_CIPHER_OPERATION_INIT
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 &&
+ LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH)
+typedef libtestdriver1_mbedtls_psa_hash_operation_t
+ mbedtls_transparent_test_driver_hash_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \
+ LIBTESTDRIVER1_MBEDTLS_PSA_HASH_OPERATION_INIT
+#else
+typedef mbedtls_psa_hash_operation_t
+ mbedtls_transparent_test_driver_hash_operation_t;
+
+#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \
+ MBEDTLS_PSA_HASH_OPERATION_INIT
+#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 &&
+ LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH */
+
+typedef struct {
+ unsigned int initialised : 1;
+ mbedtls_transparent_test_driver_cipher_operation_t ctx;
+} mbedtls_opaque_test_driver_cipher_operation_t;
+
+#define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \
+ { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT }
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+/* Define the context to be used for an operation that is executed through the
+ * PSA Driver wrapper layer as the union of all possible driver's contexts.
+ *
+ * The union members are the driver's context structures, and the member names
+ * are formatted as `'drivername'_ctx`. This allows for procedural generation
+ * of both this file and the content of psa_crypto_driver_wrappers.h */
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_hash_operation_t mbedtls_ctx;
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_transparent_test_driver_hash_operation_t test_driver_ctx;
+#endif
+} psa_driver_hash_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_cipher_operation_t mbedtls_ctx;
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_transparent_test_driver_cipher_operation_t transparent_test_driver_ctx;
+ mbedtls_opaque_test_driver_cipher_operation_t opaque_test_driver_ctx;
+#endif
+} psa_driver_cipher_context_t;
+
+#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H */
+/* End of automatically generated file. */
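Review bot: In psa_driver_hash_context_t the test-driver member is named `test_driver_ctx`, while the cipher union in this file names the equivalent member `transparent_test_driver_ctx`, as do the MAC, AEAD and PAKE unions in crypto_driver_contexts_composites.h. The comment above the unions says member names follow `'drivername'_ctx` to allow procedural generation, so the hash member is the odd one out. Renaming it to `transparent_test_driver_ctx` would also need the matching accesses in the driver wrappers updated, which are outside this hunk.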
diff --git a/tf-psa-crypto/include/psa/crypto_extra.h b/tf-psa-crypto/include/psa/crypto_extra.h
new file mode 100644
index 0000000..6ed1f6c
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_extra.h
@@ -0,0 +1,1883 @@
+/**
+ * \file psa/crypto_extra.h
+ *
+ * \brief PSA cryptography module: Mbed TLS vendor extensions
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * This file is reserved for vendor-specific definitions.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_EXTRA_H
+#define PSA_CRYPTO_EXTRA_H
+#include "mbedtls/private_access.h"
+
+#include "crypto_types.h"
+#include "crypto_compat.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* UID for secure storage seed */
+#define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
+
+/* See mbedtls_config.h for definition */
+#if !defined(MBEDTLS_PSA_KEY_SLOT_COUNT)
+#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
+#endif
+
+/** \addtogroup attributes
+ * @{
+ */
+
+/** \brief Declare the enrollment algorithm for a key.
+ *
+ * An operation on a key may indifferently use the algorithm set with
+ * psa_set_key_algorithm() or with this function.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param alg2 A second algorithm that the key may be used
+ * for, in addition to the algorithm set with
+ * psa_set_key_algorithm().
+ *
+ * \warning Setting an enrollment algorithm is not recommended, because
+ * using the same key with different algorithms can allow some
+ * attacks based on arithmetic relations between different
+ * computations made with the same key, or can escalate harmless
+ * side channels into exploitable ones. Use this function only
+ * if it is necessary to support a protocol for which it has been
+ * verified that the usage of the key with multiple algorithms
+ * is safe.
+ */
+static inline void psa_set_key_enrollment_algorithm(
+ psa_key_attributes_t *attributes,
+ psa_algorithm_t alg2)
+{
+ attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2;
+}
+
+/** Retrieve the enrollment algorithm policy from key attributes.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ *
+ * \return The enrollment algorithm stored in the attribute structure.
+ */
+static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+
+/** Retrieve the slot number where a key is stored.
+ *
+ * A slot number is only defined for keys that are stored in a secure
+ * element.
+ *
+ * This information is only useful if the secure element is not entirely
+ * managed through the PSA Cryptography API. It is up to the secure
+ * element driver to decide how PSA slot numbers map to any other interface
+ * that the secure element may have.
+ *
+ * \param[in] attributes The key attribute structure to query.
+ * \param[out] slot_number On success, the slot number containing the key.
+ *
+ * \retval #PSA_SUCCESS
+ * The key is located in a secure element, and \p *slot_number
+ * indicates the slot number that contains it.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The caller is not permitted to query the slot number.
+ * Mbed TLS currently does not return this error.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key is not located in a secure element.
+ */
+psa_status_t psa_get_key_slot_number(
+ const psa_key_attributes_t *attributes,
+ psa_key_slot_number_t *slot_number);
+
+/** Choose the slot number where a key is stored.
+ *
+ * This function declares a slot number in the specified attribute
+ * structure.
+ *
+ * A slot number is only meaningful for keys that are stored in a secure
+ * element. It is up to the secure element driver to decide how PSA slot
+ * numbers map to any other interface that the secure element may have.
+ *
+ * \note Setting a slot number in key attributes for a key creation can
+ * cause the following errors when creating the key:
+ * - #PSA_ERROR_NOT_SUPPORTED if the selected secure element does
+ * not support choosing a specific slot number.
+ * - #PSA_ERROR_NOT_PERMITTED if the caller is not permitted to
+ * choose slot numbers in general or to choose this specific slot.
+ * - #PSA_ERROR_INVALID_ARGUMENT if the chosen slot number is not
+ * valid in general or not valid for this specific key.
+ * - #PSA_ERROR_ALREADY_EXISTS if there is already a key in the
+ * selected slot.
+ *
+ * \param[out] attributes The attribute structure to write to.
+ * \param slot_number The slot number to set.
+ */
+static inline void psa_set_key_slot_number(
+ psa_key_attributes_t *attributes,
+ psa_key_slot_number_t slot_number)
+{
+ attributes->MBEDTLS_PRIVATE(has_slot_number) = 1;
+ attributes->MBEDTLS_PRIVATE(slot_number) = slot_number;
+}
+
+/** Remove the slot number attribute from a key attribute structure.
+ *
+ * This function undoes the action of psa_set_key_slot_number().
+ *
+ * \param[out] attributes The attribute structure to write to.
+ */
+static inline void psa_clear_key_slot_number(
+ psa_key_attributes_t *attributes)
+{
+ attributes->MBEDTLS_PRIVATE(has_slot_number) = 0;
+}
+
+/** Register a key that is already present in a secure element.
+ *
+ * The key must be located in a secure element designated by the
+ * lifetime field in \p attributes, in the slot set with
+ * psa_set_key_slot_number() in the attribute structure.
+ * This function makes the key available through the key identifier
+ * specified in \p attributes.
+ *
+ * \param[in] attributes The attributes of the existing key.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully registered.
+ * Note that depending on the design of the driver, this may or may
+ * not guarantee that a key actually exists in the designated slot
+ * and is compatible with the specified attributes.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * There is already a key with the identifier specified in
+ * \p attributes.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The secure element driver for the specified lifetime does not
+ * support registering a key.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The identifier in \p attributes is invalid, namely the identifier is
+ * not in the user range, or
+ * \p attributes specifies a lifetime which is not located
+ * in a secure element, or no slot number is specified in \p attributes,
+ * or the specified slot number is not valid.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The caller is not authorized to register the specified key slot.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_register_se_key(
+ const psa_key_attributes_t *attributes);
+
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+/**@}*/
+
+/**
+ * \brief Library deinitialization.
+ *
+ * This function clears all data associated with the PSA layer,
+ * including the whole key store.
+ * This function is not thread safe, it wipes every key slot regardless of
+ * state and reader count. It should only be called when no slot is in use.
+ *
+ * This is an Mbed TLS extension.
+ */
+void mbedtls_psa_crypto_free(void);
+
+/** \brief Statistics about
+ * resource consumption related to the PSA keystore.
+ *
+ * \note The content of this structure is not part of the stable API and ABI
+ * of Mbed TLS and may change arbitrarily from version to version.
+ */
+typedef struct mbedtls_psa_stats_s {
+ /** Number of slots containing key material for a volatile key. */
+ size_t MBEDTLS_PRIVATE(volatile_slots);
+ /** Number of slots containing key material for a key which is in
+ * internal persistent storage. */
+ size_t MBEDTLS_PRIVATE(persistent_slots);
+ /** Number of slots containing a reference to a key in a
+ * secure element. */
+ size_t MBEDTLS_PRIVATE(external_slots);
+ /** Number of slots which are occupied, but do not contain
+ * key material yet. */
+ size_t MBEDTLS_PRIVATE(half_filled_slots);
+ /** Number of slots that contain cache data. */
+ size_t MBEDTLS_PRIVATE(cache_slots);
+ /** Number of slots that are not used for anything. */
+ size_t MBEDTLS_PRIVATE(empty_slots);
+ /** Number of slots that are locked. */
+ size_t MBEDTLS_PRIVATE(locked_slots);
+ /** Largest key id value among open keys in internal persistent storage. */
+ psa_key_id_t MBEDTLS_PRIVATE(max_open_internal_key_id);
+ /** Largest key id value among open keys in secure elements. */
+ psa_key_id_t MBEDTLS_PRIVATE(max_open_external_key_id);
+} mbedtls_psa_stats_t;
+
+/** \brief Get statistics about
+ * resource consumption related to the PSA keystore.
+ *
+ * \note When Mbed TLS is built as part of a service, with isolation
+ * between the application and the keystore, the service may or
+ * may not expose this function.
+ */
+void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats);
+
+/**
+ * \brief Inject an initial entropy seed for the random generator into
+ * secure storage.
+ *
+ * This function injects data to be used as a seed for the random generator
+ * used by the PSA Crypto implementation. On devices that lack a trusted
+ * entropy source (preferably a hardware random number generator),
+ * the Mbed PSA Crypto implementation uses this value to seed its
+ * random generator.
+ *
+ * On devices without a trusted entropy source, this function must be
+ * called exactly once in the lifetime of the device. On devices with
+ * a trusted entropy source, calling this function is optional.
+ * In all cases, this function may only be called before calling any
+ * other function in the PSA Crypto API, including psa_crypto_init().
+ *
+ * When this function returns successfully, it populates a file in
+ * persistent storage. Once the file has been created, this function
+ * can no longer succeed.
+ *
+ * If any error occurs, this function does not change the system state.
+ * You can call this function again after correcting the reason for the
+ * error if possible.
+ *
+ * \warning This function **can** fail! Callers MUST check the return status.
+ *
+ * \warning If you use this function, you should use it as part of a
+ * factory provisioning process. The value of the injected seed
+ * is critical to the security of the device. It must be
+ * *secret*, *unpredictable* and (statistically) *unique per device*.
+ * You should be generate it randomly using a cryptographically
+ * secure random generator seeded from trusted entropy sources.
+ * You should transmit it securely to the device and ensure
+ * that its value is not leaked or stored anywhere beyond the
+ * needs of transmitting it from the point of generation to
+ * the call of this function, and erase all copies of the value
+ * once this function returns.
+ *
+ * This is an Mbed TLS extension.
+ *
+ * \note This function is only available on the following platforms:
+ * * If the compile-time option MBEDTLS_PSA_INJECT_ENTROPY is enabled.
+ * Note that you must provide compatible implementations of
+ * mbedtls_nv_seed_read and mbedtls_nv_seed_write.
+ * * In a client-server integration of PSA Cryptography, on the client side,
+ * if the server supports this feature.
+ * \param[in] seed Buffer containing the seed value to inject.
+ * \param[in] seed_size Size of the \p seed buffer.
+ * The size of the seed in bytes must be greater
+ * or equal to both #MBEDTLS_ENTROPY_BLOCK_SIZE
+ * and the value of \c MBEDTLS_ENTROPY_MIN_PLATFORM
+ * in `library/entropy_poll.h` in the Mbed TLS source
+ * code.
+ * It must be less or equal to
+ * #MBEDTLS_ENTROPY_MAX_SEED_SIZE.
+ *
+ * \retval #PSA_SUCCESS
+ * The seed value was injected successfully. The random generator
+ * of the PSA Crypto implementation is now ready for use.
+ * You may now call psa_crypto_init() and use the PSA Crypto
+ * implementation.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p seed_size is out of range.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * There was a failure reading or writing from storage.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The library has already been initialized. It is no longer
+ * possible to call this function.
+ */
+psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
+ size_t seed_size);
+
+/** \addtogroup crypto_types
+ * @{
+ */
+
+/** DSA public key.
+ *
+ * The import and export format is the
+ * representation of the public key `y = g^x mod p` as a big-endian byte
+ * string. The length of the byte string is the length of the base prime `p`
+ * in bytes.
+ */
+#define PSA_KEY_TYPE_DSA_PUBLIC_KEY ((psa_key_type_t) 0x4002)
+
+/** DSA key pair (private and public key).
+ *
+ * The import and export format is the
+ * representation of the private key `x` as a big-endian byte string. The
+ * length of the byte string is the private key size in bytes (leading zeroes
+ * are not stripped).
+ *
+ * Deterministic DSA key derivation with psa_generate_derived_key follows
+ * FIPS 186-4 &sect;B.1.2: interpret the byte string as integer
+ * in big-endian order. Discard it if it is not in the range
+ * [0, *N* - 2] where *N* is the boundary of the private key domain
+ * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
+ * or the order of the curve's base point for ECC).
+ * Add 1 to the resulting integer and use this as the private key *x*.
+ *
+ */
+#define PSA_KEY_TYPE_DSA_KEY_PAIR ((psa_key_type_t) 0x7002)
+
+/** Whether a key type is a DSA key (pair or public-only). */
+#define PSA_KEY_TYPE_IS_DSA(type) \
+ (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY)
+
+#define PSA_ALG_DSA_BASE ((psa_algorithm_t) 0x06000400)
+/** DSA signature with hashing.
+ *
+ * This is the signature scheme defined by FIPS 186-4,
+ * with a random per-message secret number (*k*).
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding DSA signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_DSA(hash_alg) \
+ (PSA_ALG_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+#define PSA_ALG_DETERMINISTIC_DSA_BASE ((psa_algorithm_t) 0x06000500)
+#define PSA_ALG_DSA_DETERMINISTIC_FLAG PSA_ALG_ECDSA_DETERMINISTIC_FLAG
+/** Deterministic DSA signature with hashing.
+ *
+ * This is the deterministic variant defined by RFC 6979 of
+ * the signature scheme defined by FIPS 186-4.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding DSA signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_DETERMINISTIC_DSA(hash_alg) \
+ (PSA_ALG_DETERMINISTIC_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+#define PSA_ALG_IS_DSA(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) == \
+ PSA_ALG_DSA_BASE)
+#define PSA_ALG_DSA_IS_DETERMINISTIC(alg) \
+ (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0)
+#define PSA_ALG_IS_DETERMINISTIC_DSA(alg) \
+ (PSA_ALG_IS_DSA(alg) && PSA_ALG_DSA_IS_DETERMINISTIC(alg))
+#define PSA_ALG_IS_RANDOMIZED_DSA(alg) \
+ (PSA_ALG_IS_DSA(alg) && !PSA_ALG_DSA_IS_DETERMINISTIC(alg))
+
+
+/* We need to expand the sample definition of this macro from
+ * the API definition. */
+#undef PSA_ALG_IS_VENDOR_HASH_AND_SIGN
+#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) \
+ PSA_ALG_IS_DSA(alg)
+
+/**@}*/
+
+/** \addtogroup attributes
+ * @{
+ */
+
+/** PAKE operation stages. */
+#define PSA_PAKE_OPERATION_STAGE_SETUP 0
+#define PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS 1
+#define PSA_PAKE_OPERATION_STAGE_COMPUTATION 2
+
+/**@}*/
+
+
+/** \defgroup psa_external_rng External random generator
+ * @{
+ */
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/** External random generator function, implemented by the platform.
+ *
+ * When the compile-time option #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled,
+ * this function replaces Mbed TLS's entropy and DRBG modules for all
+ * random generation triggered via PSA crypto interfaces.
+ *
+ * \note This random generator must deliver random numbers with cryptographic
+ * quality and high performance. It must supply unpredictable numbers
+ * with a uniform distribution. The implementation of this function
+ * is responsible for ensuring that the random generator is seeded
+ * with sufficient entropy. If you have a hardware TRNG which is slow
+ * or delivers non-uniform output, declare it as an entropy source
+ * with mbedtls_entropy_add_source() instead of enabling this option.
+ *
+ * \param[in,out] context Pointer to the random generator context.
+ * This is all-bits-zero on the first call
+ * and preserved between successive calls.
+ * \param[out] output Output buffer. On success, this buffer
+ * contains random data with a uniform
+ * distribution.
+ * \param output_size The size of the \p output buffer in bytes.
+ * \param[out] output_length On success, set this value to \p output_size.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. The output buffer contains \p output_size bytes of
+ * cryptographic-quality random data, and \c *output_length is
+ * set to \p output_size.
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * The random generator requires extra entropy and there is no
+ * way to obtain entropy under current environment conditions.
+ * This error should not happen under normal circumstances since
+ * this function is responsible for obtaining as much entropy as
+ * it needs. However implementations of this function may return
+ * #PSA_ERROR_INSUFFICIENT_ENTROPY if there is no way to obtain
+ * entropy without blocking indefinitely.
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * A failure of the random generator hardware that isn't covered
+ * by #PSA_ERROR_INSUFFICIENT_ENTROPY.
+ */
+psa_status_t mbedtls_psa_external_get_random(
+ mbedtls_psa_external_random_context_t *context,
+ uint8_t *output, size_t output_size, size_t *output_length);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+/**@}*/
+
+/** \defgroup psa_builtin_keys Built-in keys
+ * @{
+ */
+
+/** The minimum value for a key identifier that is built into the
+ * implementation.
+ *
+ * The range of key identifiers from #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN
+ * to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX within the range from
+ * #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
+ * with any other set of implementation-chosen key identifiers.
+ *
+ * This value is part of the library's ABI since changing it would invalidate
+ * the values of built-in key identifiers in applications.
+ */
+#define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)
+
+/** The maximum value for a key identifier that is built into the
+ * implementation.
+ *
+ * See #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN for more information.
+ */
+#define MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t) 0x7fffefff)
+
+/** A slot number identifying a key in a driver.
+ *
+ * Values of this type are used to identify built-in keys.
+ */
+typedef uint64_t psa_drv_slot_number_t;
+
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+/** Test whether a key identifier belongs to the builtin key range.
+ *
+ * \param key_id Key identifier to test.
+ *
+ * \retval 1
+ * The key identifier is a builtin key identifier.
+ * \retval 0
+ * The key identifier is not a builtin key identifier.
+ */
+static inline int psa_key_id_is_builtin(psa_key_id_t key_id)
+{
+ return (key_id >= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN) &&
+ (key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX);
+}
+
+/** Platform function to obtain the location and slot number of a built-in key.
+ *
+ * An application-specific implementation of this function must be provided if
+ * #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided
+ * as part of a platform's system image.
+ *
+ * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from
+ * #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.
+ *
+ * In a multi-application configuration
+ * (\c MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined),
+ * this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id)
+ * is allowed to use the given key.
+ *
+ * \param key_id The key ID for which to retrieve the
+ * location and slot attributes.
+ * \param[out] lifetime On success, the lifetime associated with the key
+ * corresponding to \p key_id. Lifetime is a
+ * combination of which driver contains the key,
+ * and with what persistence level the key is
+ * intended to be used. If the platform
+ * implementation does not contain specific
+ * information about the intended key persistence
+ * level, the persistence level may be reported as
+ * #PSA_KEY_PERSISTENCE_DEFAULT.
+ * \param[out] slot_number On success, the slot number known to the driver
+ * registered at the lifetime location reported
+ * through \p lifetime which corresponds to the
+ * requested built-in key.
+ *
+ * \retval #PSA_SUCCESS
+ * The requested key identifier designates a built-in key.
+ * In a multi-application configuration, the requested owner
+ * is allowed to access it.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * The requested key identifier is not a built-in key which is known
+ * to this function. If a key exists in the key storage with this
+ * identifier, the data from the storage will be used.
+ * \return (any other error)
+ * Any other error is propagated to the function that requested the key.
+ * Common errors include:
+ * - #PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner
+ * is not allowed to access it.
+ */
+psa_status_t mbedtls_psa_platform_get_builtin_key(
+ mbedtls_svc_key_id_t key_id,
+ psa_key_lifetime_t *lifetime,
+ psa_drv_slot_number_t *slot_number);
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+/** @} */
+
+/** \addtogroup crypto_types
+ * @{
+ */
+
+#define PSA_ALG_CATEGORY_PAKE ((psa_algorithm_t) 0x0a000000)
+
+/** Whether the specified algorithm is a password-authenticated key exchange.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a password-authenticated key exchange (PAKE)
+ * algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_PAKE(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_PAKE)
+
+/** The Password-authenticated key exchange by juggling (J-PAKE) algorithm.
+ *
+ * This is J-PAKE as defined by RFC 8236, instantiated with the following
+ * parameters:
+ *
+ * - The group can be either an elliptic curve or defined over a finite field.
+ * - Schnorr NIZK proof as defined by RFC 8235 and using the same group as the
+ * J-PAKE algorithm.
+ * - A cryptographic hash function.
+ *
+ * To select these parameters and set up the cipher suite, call these functions
+ * in any order:
+ *
+ * \code
+ * psa_pake_cs_set_algorithm(cipher_suite, PSA_ALG_JPAKE);
+ * psa_pake_cs_set_primitive(cipher_suite,
+ * PSA_PAKE_PRIMITIVE(type, family, bits));
+ * psa_pake_cs_set_hash(cipher_suite, hash);
+ * \endcode
+ *
+ * For more information on how to set a specific curve or field, refer to the
+ * documentation of the individual \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
+ *
+ * After initializing a J-PAKE operation, call
+ *
+ * \code
+ * psa_pake_setup(operation, cipher_suite);
+ * psa_pake_set_user(operation, ...);
+ * psa_pake_set_peer(operation, ...);
+ * psa_pake_set_password_key(operation, ...);
+ * \endcode
+ *
+ * The password is provided as a key. This can be the password text itself,
+ * in an agreed character encoding, or some value derived from the password
+ * as required by a higher level protocol.
+ *
+ * (The implementation converts the key material to a number as described in
+ * Section 2.3.8 of _SEC 1: Elliptic Curve Cryptography_
+ * (https://www.secg.org/sec1-v2.pdf), before reducing it modulo \c q. Here
+ * \c q is order of the group defined by the primitive set in the cipher suite.
+ * The \c psa_pake_set_password_key() function returns an error if the result
+ * of the reduction is 0.)
+ *
+ * The key exchange flow for J-PAKE is as follows:
+ * -# To get the first round data that needs to be sent to the peer, call
+ * \code
+ * // Get g1
+ * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Get the ZKP public key for x1
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Get the ZKP proof for x1
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * // Get g2
+ * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Get the ZKP public key for x2
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Get the ZKP proof for x2
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * \endcode
+ * -# To provide the first round data received from the peer to the operation,
+ * call
+ * \code
+ * // Set g3
+ * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Set the ZKP public key for x3
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Set the ZKP proof for x3
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * // Set g4
+ * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Set the ZKP public key for x4
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Set the ZKP proof for x4
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * \endcode
+ * -# To get the second round data that needs to be sent to the peer, call
+ * \code
+ * // Get A
+ * psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Get ZKP public key for x2*s
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Get ZKP proof for x2*s
+ * psa_pake_output(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * \endcode
+ * -# To provide the second round data received from the peer to the operation,
+ * call
+ * \code
+ * // Set B
+ * psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...);
+ * // Set ZKP public key for x4*s
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PUBLIC, ...);
+ * // Set ZKP proof for x4*s
+ * psa_pake_input(operation, #PSA_PAKE_STEP_ZK_PROOF, ...);
+ * \endcode
+ * -# To access the shared secret call
+ * \code
+ * // Get Ka=Kb=K
+ * psa_pake_get_implicit_key()
+ * \endcode
+ *
+ * For more information consult the documentation of the individual
+ * \c PSA_PAKE_STEP_XXX constants.
+ *
+ * At this point there is a cryptographic guarantee that only the authenticated
+ * party who used the same password is able to compute the key. But there is no
+ * guarantee that the peer is the party it claims to be and was able to do so.
+ *
+ * That is, the authentication is only implicit (the peer is not authenticated
+ * at this point, and no action should be taken that assume that they are - like
+ * for example accessing restricted files).
+ *
+ * To make the authentication explicit there are various methods, see Section 5
+ * of RFC 8236 for two examples.
+ *
+ */
+#define PSA_ALG_JPAKE ((psa_algorithm_t) 0x0a000100)
+
+/** @} */
+
+/** \defgroup pake Password-authenticated key exchange (PAKE)
+ *
+ * This is a proposed PAKE interface for the PSA Crypto API. It is not part of
+ * the official PSA Crypto API yet.
+ *
+ * \note The content of this section is not part of the stable API and ABI
+ * of Mbed TLS and may change arbitrarily from version to version.
+ * Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
+ * #PSA_ALG_JPAKE.
+ * @{
+ */
+
+/** \brief Encoding of the application role of PAKE
+ *
+ * Encodes the application's role in the algorithm is being executed. For more
+ * information see the documentation of individual \c PSA_PAKE_ROLE_XXX
+ * constants.
+ */
+typedef uint8_t psa_pake_role_t;
+
+/** Encoding of input and output indicators for PAKE.
+ *
+ * Some PAKE algorithms need to exchange more data than just a single key share.
+ * This type is for encoding additional input and output data for such
+ * algorithms.
+ */
+typedef uint8_t psa_pake_step_t;
+
+/** Encoding of the type of the PAKE's primitive.
+ *
+ * Values defined by this standard will never be in the range 0x80-0xff.
+ * Vendors who define additional types must use an encoding in this range.
+ *
+ * For more information see the documentation of individual
+ * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
+ */
+typedef uint8_t psa_pake_primitive_type_t;
+
+/** \brief Encoding of the family of the primitive associated with the PAKE.
+ *
+ * For more information see the documentation of individual
+ * \c PSA_PAKE_PRIMITIVE_TYPE_XXX constants.
+ */
+typedef uint8_t psa_pake_family_t;
+
+/** \brief Encoding of the primitive associated with the PAKE.
+ *
+ * For more information see the documentation of the #PSA_PAKE_PRIMITIVE macro.
+ */
+typedef uint32_t psa_pake_primitive_t;
+
+/** A value to indicate no role in a PAKE algorithm.
+ * This value can be used in a call to psa_pake_set_role() for symmetric PAKE
+ * algorithms which do not assign roles.
+ */
+#define PSA_PAKE_ROLE_NONE ((psa_pake_role_t) 0x00)
+
+/** The first peer in a balanced PAKE.
+ *
+ * Although balanced PAKE algorithms are symmetric, some of them needs an
+ * ordering of peers for the transcript calculations. If the algorithm does not
+ * need this, both #PSA_PAKE_ROLE_FIRST and #PSA_PAKE_ROLE_SECOND are
+ * accepted.
+ */
+#define PSA_PAKE_ROLE_FIRST ((psa_pake_role_t) 0x01)
+
+/** The second peer in a balanced PAKE.
+ *
+ * Although balanced PAKE algorithms are symmetric, some of them needs an
+ * ordering of peers for the transcript calculations. If the algorithm does not
+ * need this, either #PSA_PAKE_ROLE_FIRST or #PSA_PAKE_ROLE_SECOND are
+ * accepted.
+ */
+#define PSA_PAKE_ROLE_SECOND ((psa_pake_role_t) 0x02)
+
+/** The client in an augmented PAKE.
+ *
+ * Augmented PAKE algorithms need to differentiate between client and server.
+ */
+#define PSA_PAKE_ROLE_CLIENT ((psa_pake_role_t) 0x11)
+
+/** The server in an augmented PAKE.
+ *
+ * Augmented PAKE algorithms need to differentiate between client and server.
+ */
+#define PSA_PAKE_ROLE_SERVER ((psa_pake_role_t) 0x12)
+
+/** The PAKE primitive type indicating the use of elliptic curves.
+ *
+ * The values of the \c family and \c bits fields of the cipher suite identify a
+ * specific elliptic curve, using the same mapping that is used for ECC
+ * (::psa_ecc_family_t) keys.
+ *
+ * (Here \c family means the value returned by psa_pake_cs_get_family() and
+ * \c bits means the value returned by psa_pake_cs_get_bits().)
+ *
+ * Input and output during the operation can involve group elements and scalar
+ * values:
+ * -# The format for group elements is the same as for public keys on the
+ * specific curve would be. For more information, consult the documentation of
+ * psa_export_public_key().
+ * -# The format for scalars is the same as for private keys on the specific
+ * curve would be. For more information, consult the documentation of
+ * psa_export_key().
+ */
+#define PSA_PAKE_PRIMITIVE_TYPE_ECC ((psa_pake_primitive_type_t) 0x01)
+
+/** The PAKE primitive type indicating the use of Diffie-Hellman groups.
+ *
+ * The values of the \c family and \c bits fields of the cipher suite identify
+ * a specific Diffie-Hellman group, using the same mapping that is used for
+ * Diffie-Hellman (::psa_dh_family_t) keys.
+ *
+ * (Here \c family means the value returned by psa_pake_cs_get_family() and
+ * \c bits means the value returned by psa_pake_cs_get_bits().)
+ *
+ * Input and output during the operation can involve group elements and scalar
+ * values:
+ * -# The format for group elements is the same as for public keys on the
+ * specific group would be. For more information, consult the documentation of
+ * psa_export_public_key().
+ * -# The format for scalars is the same as for private keys on the specific
+ * group would be. For more information, consult the documentation of
+ * psa_export_key().
+ */
+#define PSA_PAKE_PRIMITIVE_TYPE_DH ((psa_pake_primitive_type_t) 0x02)
+
+/** Construct a PAKE primitive from type, family and bit-size.
+ *
+ * \param pake_type The type of the primitive
+ * (value of type ::psa_pake_primitive_type_t).
+ * \param pake_family The family of the primitive
+ * (the type and interpretation of this parameter depends
+ * on \p pake_type, for more information consult the
+ * documentation of individual ::psa_pake_primitive_type_t
+ * constants).
+ * \param pake_bits The bit-size of the primitive
+ * (Value of type \c size_t. The interpretation
+ * of this parameter depends on \p pake_family, for more
+ * information consult the documentation of individual
+ * ::psa_pake_primitive_type_t constants).
+ *
+ * \return The constructed primitive value of type ::psa_pake_primitive_t.
+ * Return 0 if the requested primitive can't be encoded as
+ * ::psa_pake_primitive_t.
+ */
+#define PSA_PAKE_PRIMITIVE(pake_type, pake_family, pake_bits) \
+ ((pake_bits & 0xFFFF) != pake_bits) ? 0 : \
+ ((psa_pake_primitive_t) (((pake_type) << 24 | \
+ (pake_family) << 16) | (pake_bits)))
+
+/** The key share being sent to or received from the peer.
+ *
+ * The format for both input and output at this step is the same as for public
+ * keys on the group determined by the primitive (::psa_pake_primitive_t) would
+ * be.
+ *
+ * For more information on the format, consult the documentation of
+ * psa_export_public_key().
+ *
+ * For information regarding how the group is determined, consult the
+ * documentation #PSA_PAKE_PRIMITIVE.
+ */
+#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t) 0x01)
+
+/** A Schnorr NIZKP public key.
+ *
+ * This is the ephemeral public key in the Schnorr Non-Interactive
+ * Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
+ *
+ * The format for both input and output at this step is the same as for public
+ * keys on the group determined by the primitive (::psa_pake_primitive_t) would
+ * be.
+ *
+ * For more information on the format, consult the documentation of
+ * psa_export_public_key().
+ *
+ * For information regarding how the group is determined, consult the
+ * documentation #PSA_PAKE_PRIMITIVE.
+ */
+#define PSA_PAKE_STEP_ZK_PUBLIC ((psa_pake_step_t) 0x02)
+
+/** A Schnorr NIZKP proof.
+ *
+ * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
+ * value denoted by the letter 'r' in RFC 8235).
+ *
+ * Both for input and output, the value at this step is an integer less than
+ * the order of the group selected in the cipher suite. The format depends on
+ * the group as well:
+ *
+ * - For Montgomery curves, the encoding is little endian.
+ * - For everything else the encoding is big endian (see Section 2.3.8 of
+ * _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
+ *
+ * In both cases leading zeroes are allowed as long as the length in bytes does
+ * not exceed the byte length of the group order.
+ *
+ * For information regarding how the group is determined, consult the
+ * documentation #PSA_PAKE_PRIMITIVE.
+ */
+#define PSA_PAKE_STEP_ZK_PROOF ((psa_pake_step_t) 0x03)
+
+/** The type of the data structure for PAKE cipher suites.
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice.
+ */
+typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
+
+/** Return an initial value for a PAKE cipher suite object.
+ */
+static psa_pake_cipher_suite_t psa_pake_cipher_suite_init(void);
+
+/** Retrieve the PAKE algorithm from a PAKE cipher suite.
+ *
+ * \param[in] cipher_suite The cipher suite structure to query.
+ *
+ * \return The PAKE algorithm stored in the cipher suite structure.
+ */
+static psa_algorithm_t psa_pake_cs_get_algorithm(
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Declare the PAKE algorithm for the cipher suite.
+ *
+ * This function overwrites any PAKE algorithm
+ * previously set in \p cipher_suite.
+ *
+ * \param[out] cipher_suite The cipher suite structure to write to.
+ * \param algorithm The PAKE algorithm to write.
+ * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
+ * such that #PSA_ALG_IS_PAKE(\c alg) is true.)
+ * If this is 0, the PAKE algorithm in
+ * \p cipher_suite becomes unspecified.
+ */
+static void psa_pake_cs_set_algorithm(psa_pake_cipher_suite_t *cipher_suite,
+ psa_algorithm_t algorithm);
+
+/** Retrieve the primitive from a PAKE cipher suite.
+ *
+ * \param[in] cipher_suite The cipher suite structure to query.
+ *
+ * \return The primitive stored in the cipher suite structure.
+ */
+static psa_pake_primitive_t psa_pake_cs_get_primitive(
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Declare the primitive for a PAKE cipher suite.
+ *
+ * This function overwrites any primitive previously set in \p cipher_suite.
+ *
+ * \param[out] cipher_suite The cipher suite structure to write to.
+ * \param primitive The primitive to write. If this is 0, the
+ * primitive type in \p cipher_suite becomes
+ * unspecified.
+ */
+static void psa_pake_cs_set_primitive(psa_pake_cipher_suite_t *cipher_suite,
+ psa_pake_primitive_t primitive);
+
+/** Retrieve the PAKE family from a PAKE cipher suite.
+ *
+ * \param[in] cipher_suite The cipher suite structure to query.
+ *
+ * \return The PAKE family stored in the cipher suite structure.
+ */
+static psa_pake_family_t psa_pake_cs_get_family(
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Retrieve the PAKE primitive bit-size from a PAKE cipher suite.
+ *
+ * \param[in] cipher_suite The cipher suite structure to query.
+ *
+ * \return The PAKE primitive bit-size stored in the cipher suite structure.
+ */
+static uint16_t psa_pake_cs_get_bits(
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Retrieve the hash algorithm from a PAKE cipher suite.
+ *
+ * \param[in] cipher_suite The cipher suite structure to query.
+ *
+ * \return The hash algorithm stored in the cipher suite structure. The return
+ * value is 0 if the PAKE is not parametrised by a hash algorithm or if
+ * the hash algorithm is not set.
+ */
+static psa_algorithm_t psa_pake_cs_get_hash(
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Declare the hash algorithm for a PAKE cipher suite.
+ *
+ * This function overwrites any hash algorithm
+ * previously set in \p cipher_suite.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[out] cipher_suite The cipher suite structure to write to.
+ * \param hash The hash involved in the cipher suite.
+ * (`PSA_ALG_XXX` values of type ::psa_algorithm_t
+ * such that #PSA_ALG_IS_HASH(\c alg) is true.)
+ * If this is 0, the hash algorithm in
+ * \p cipher_suite becomes unspecified.
+ */
+static void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
+ psa_algorithm_t hash);
+
+/** The type of the state data structure for PAKE operations.
+ *
+ * Before calling any function on a PAKE operation object, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_pake_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_pake_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_PAKE_OPERATION_INIT,
+ * for example:
+ * \code
+ * psa_pake_operation_t operation = PSA_PAKE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function psa_pake_operation_init()
+ * to the structure, for example:
+ * \code
+ * psa_pake_operation_t operation;
+ * operation = psa_pake_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_pake_operation_s psa_pake_operation_t;
+
+/** The type of input values for PAKE operations. */
+typedef struct psa_crypto_driver_pake_inputs_s psa_crypto_driver_pake_inputs_t;
+
+/** The type of computation stage for J-PAKE operations. */
+typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
+
+/** Return an initial value for a PAKE operation object.
+ */
+static psa_pake_operation_t psa_pake_operation_init(void);
+
+/** Get the length of the password in bytes from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] password_len Password length.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * Password hasn't been set yet.
+ */
+psa_status_t psa_crypto_driver_pake_get_password_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *password_len);
+
+/** Get the password from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] buffer Return buffer for password.
+ * \param buffer_size Size of the return buffer in bytes.
+ * \param[out] buffer_length Actual size of the password in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * Password hasn't been set yet.
+ */
+psa_status_t psa_crypto_driver_pake_get_password(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *buffer, size_t buffer_size, size_t *buffer_length);
+
+/** Get the length of the user id in bytes from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] user_len User id length.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * User id hasn't been set yet.
+ */
+psa_status_t psa_crypto_driver_pake_get_user_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *user_len);
+
+/** Get the length of the peer id in bytes from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] peer_len Peer id length.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * Peer id hasn't been set yet.
+ */
+psa_status_t psa_crypto_driver_pake_get_peer_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *peer_len);
+
+/** Get the user id from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] user_id User id.
+ * \param user_id_size Size of \p user_id in bytes.
+ * \param[out] user_id_len Size of the user id in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * User id hasn't been set yet.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p user_id is too small.
+ */
+psa_status_t psa_crypto_driver_pake_get_user(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *user_id, size_t user_id_size, size_t *user_id_len);
+
+/** Get the peer id from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] peer_id Peer id.
+ * \param peer_id_size Size of \p peer_id in bytes.
+ * \param[out] peer_id_length Size of the peer id in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * Peer id hasn't been set yet.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p peer_id is too small.
+ */
+psa_status_t psa_crypto_driver_pake_get_peer(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length);
+
+/** Get the cipher suite from given inputs.
+ *
+ * \param[in] inputs Operation inputs.
+ * \param[out] cipher_suite Return buffer for role.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * Cipher_suite hasn't been set yet.
+ */
+psa_status_t psa_crypto_driver_pake_get_cipher_suite(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ psa_pake_cipher_suite_t *cipher_suite);
+
+/** Set the session information for a password-authenticated key exchange.
+ *
+ * The sequence of operations to set up a password-authenticated key exchange
+ * is as follows:
+ * -# Allocate an operation object which will be passed to all the functions
+ * listed here.
+ * -# Initialize the operation object with one of the methods described in the
+ * documentation for #psa_pake_operation_t, e.g.
+ * #PSA_PAKE_OPERATION_INIT.
+ * -# Call psa_pake_setup() to specify the cipher suite.
+ * -# Call \c psa_pake_set_xxx() functions on the operation to complete the
+ * setup. The exact sequence of \c psa_pake_set_xxx() functions that needs
+ * to be called depends on the algorithm in use.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * A typical sequence of calls to perform a password-authenticated key
+ * exchange:
+ * -# Call psa_pake_output(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to get the
+ * key share that needs to be sent to the peer.
+ * -# Call psa_pake_input(operation, #PSA_PAKE_STEP_KEY_SHARE, ...) to provide
+ * the key share that was received from the peer.
+ * -# Depending on the algorithm additional calls to psa_pake_output() and
+ * psa_pake_input() might be necessary.
+ * -# Call psa_pake_get_implicit_key() for accessing the shared secret.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * If an error occurs at any step after a call to psa_pake_setup(),
+ * the operation will need to be reset by a call to psa_pake_abort(). The
+ * application may call psa_pake_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to psa_pake_setup(), the application must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A call to psa_pake_abort().
+ * - A successful call to psa_pake_get_implicit_key().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized but not set up yet.
+ * \param[in] cipher_suite The cipher suite to use. (A cipher suite fully
+ * characterizes a PAKE algorithm and determines
+ * the algorithm as well.)
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The algorithm in \p cipher_suite is not a PAKE algorithm, or the
+ * PAKE primitive in \p cipher_suite is not compatible with the
+ * PAKE algorithm, or the hash algorithm in \p cipher_suite is invalid
+ * or not compatible with the PAKE algorithm and primitive.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
+ * or the PAKE primitive in \p cipher_suite is not supported or not
+ * compatible with the PAKE algorithm, or the hash algorithm in
+ * \p cipher_suite is not supported or not compatible with the PAKE
+ * algorithm and primitive.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_setup(psa_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite);
+
+/** Set the password for a password-authenticated key exchange from key ID.
+ *
+ * Call this function when the password, or a value derived from the password,
+ * is already present in the key store.
+ *
+ * \param[in,out] operation The operation object to set the password for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the password hasn't
+ * been set yet (psa_pake_set_password_key()
+ * hasn't been called yet).
+ * \param password Identifier of the key holding the password or a
+ * value derived from the password (eg. by a
+ * memory-hard function). It must remain valid
+ * until the operation terminates. It must be of
+ * type #PSA_KEY_TYPE_PASSWORD or
+ * #PSA_KEY_TYPE_PASSWORD_HASH. It has to allow
+ * the usage #PSA_KEY_USAGE_DERIVE.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p password is not a valid key identifier.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_DERIVE flag, or it does not
+ * permit the \p operation's algorithm.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key type for \p password is not #PSA_KEY_TYPE_PASSWORD or
+ * #PSA_KEY_TYPE_PASSWORD_HASH, or \p password is not compatible with
+ * the \p operation's cipher suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size of \p password is not supported with the
+ * \p operation's cipher suite.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must have been set up.), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_set_password_key(psa_pake_operation_t *operation,
+ mbedtls_svc_key_id_t password);
+
+/** Set the user ID for a password-authenticated key exchange.
+ *
+ * Call this function to set the user ID. For PAKE algorithms that associate a
+ * user identifier with each side of the session you need to call
+ * psa_pake_set_peer() as well. For PAKE algorithms that associate a single
+ * user identifier with the session, call psa_pake_set_user() only.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to set the user ID for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the user ID hasn't
+ * been set (psa_pake_set_user() hasn't been
+ * called yet).
+ * \param[in] user_id The user ID to authenticate with.
+ * \param user_id_len Size of the \p user_id buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p user_id is not valid for the \p operation's algorithm and cipher
+ * suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The value of \p user_id is not supported by the implementation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_set_user(psa_pake_operation_t *operation,
+ const uint8_t *user_id,
+ size_t user_id_len);
+
+/** Set the peer ID for a password-authenticated key exchange.
+ *
+ * Call this function in addition to psa_pake_set_user() for PAKE algorithms
+ * that associate a user identifier with each side of the session. For PAKE
+ * algorithms that associate a single user identifier with the session, call
+ * psa_pake_set_user() only.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to set the peer ID for. It
+ * must have been set up by psa_pake_setup() and
+ * not yet in use (neither psa_pake_output() nor
+ * psa_pake_input() has been called yet). It must
+ * be on operation for which the peer ID hasn't
+ * been set (psa_pake_set_peer() hasn't been
+ * called yet).
+ * \param[in] peer_id The peer's ID to authenticate.
+ * \param peer_id_len Size of the \p peer_id buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p peer_id is not valid for the \p operation's algorithm and cipher
+ * suite.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm doesn't associate a second identity with the session.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * Calling psa_pake_set_peer() is invalid with the \p operation's
+ * algorithm, the operation state is not valid, or the library has not
+ * been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_set_peer(psa_pake_operation_t *operation,
+ const uint8_t *peer_id,
+ size_t peer_id_len);
+
+/** Set the application role for a password-authenticated key exchange.
+ *
+ * Not all PAKE algorithms need to differentiate the communicating entities.
+ * It is optional to call this function for PAKEs that don't require a role
+ * to be specified. For such PAKEs the application role parameter is ignored,
+ * or #PSA_PAKE_ROLE_NONE can be passed as \c role.
+ *
+ * Refer to the documentation of individual PAKE algorithm types (`PSA_ALG_XXX`
+ * values of type ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true)
+ * for more information.
+ *
+ * \param[in,out] operation The operation object to specify the
+ * application's role for. It must have been set up
+ * by psa_pake_setup() and not yet in use (neither
+ * psa_pake_output() nor psa_pake_input() has been
+ * called yet). It must be on operation for which
+ * the application's role hasn't been specified
+ * (psa_pake_set_role() hasn't been called yet).
+ * \param role A value of type ::psa_pake_role_t indicating the
+ * application's role in the PAKE the algorithm
+ * that is being set up. For more information see
+ * the documentation of \c PSA_PAKE_ROLE_XXX
+ * constants.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The \p role is not a valid PAKE role in the \p operation’s algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The \p role for this algorithm is not supported or is not valid.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid, or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_set_role(psa_pake_operation_t *operation,
+ psa_pake_role_t role);
+
+/** Get output for a step of a password-authenticated key exchange.
+ *
+ * Depending on the algorithm being executed, you might need to call this
+ * function several times or you might not need to call this at all.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_pake_abort().
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step of the algorithm for which the output is
+ * requested.
+ * \param[out] output Buffer where the output is to be written in the
+ * format appropriate for this \p step. Refer to
+ * the documentation of the individual
+ * \c PSA_PAKE_STEP_XXX constants for more
+ * information.
+ * \param output_size Size of the \p output buffer in bytes. This must
+ * be at least #PSA_PAKE_OUTPUT_SIZE(\c alg, \c
+ * primitive, \p output_step) where \c alg and
+ * \p primitive are the PAKE algorithm and primitive
+ * in the operation's cipher suite, and \p step is
+ * the output step.
+ *
+ * \param[out] output_length On success, the number of bytes of the returned
+ * output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p step is not compatible with the operation's algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p step is not supported with the operation's algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and fully set
+ * up, and this call must conform to the algorithm's requirements
+ * for ordering of input and output steps), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_output(psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Provide input for a step of a password-authenticated key exchange.
+ *
+ * Depending on the algorithm being executed, you might need to call this
+ * function several times or you might not need to call this at all.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling psa_pake_abort().
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step for which the input is provided.
+ * \param[in] input Buffer containing the input in the format
+ * appropriate for this \p step. Refer to the
+ * documentation of the individual
+ * \c PSA_PAKE_STEP_XXX constants for more
+ * information.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The verification fails for a #PSA_PAKE_STEP_ZK_PROOF input step.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p input_length is not compatible with the \p operation’s algorithm,
+ * or the \p input is not valid for the \p operation's algorithm,
+ * cipher suite or \p step.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p step p is not supported with the \p operation's algorithm, or the
+ * \p input is not supported for the \p operation's algorithm, cipher
+ * suite or \p step.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active, and fully set
+ * up, and this call must conform to the algorithm's requirements
+ * for ordering of input and output steps), or
+ * the library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_input(psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Get implicitly confirmed shared secret from a PAKE.
+ *
+ * At this point there is a cryptographic guarantee that only the authenticated
+ * party who used the same password is able to compute the key. But there is no
+ * guarantee that the peer is the party it claims to be and was able to do so.
+ *
+ * That is, the authentication is only implicit. Since the peer is not
+ * authenticated yet, no action should be taken yet that assumes that the peer
+ * is who it claims to be. For example, do not access restricted files on the
+ * peer's behalf until an explicit authentication has succeeded.
+ *
+ * This function can be called after the key exchange phase of the operation
+ * has completed. It imports the shared secret output of the PAKE into the
+ * provided derivation operation. The input step
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is used when placing the shared key
+ * material in the key derivation operation.
+ *
+ * The exact sequence of calls to perform a password-authenticated key
+ * exchange depends on the algorithm in use. Refer to the documentation of
+ * individual PAKE algorithm types (`PSA_ALG_XXX` values of type
+ * ::psa_algorithm_t such that #PSA_ALG_IS_PAKE(\c alg) is true) for more
+ * information.
+ *
+ * When this function returns successfully, \p operation becomes inactive.
+ * If this function returns an error status, both \p operation
+ * and \c key_derivation operations enter an error state and must be aborted by
+ * calling psa_pake_abort() and psa_key_derivation_abort() respectively.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param[out] output A key derivation operation that is ready
+ * for an input step of type
+ * #PSA_KEY_DERIVATION_INPUT_SECRET.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is not compatible with the
+ * algorithm in the \p output key derivation operation.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Input from a PAKE is not supported by the algorithm in the \p output
+ * key derivation operation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The PAKE operation state is not valid (it must be active, but beyond
+ * that validity is specific to the algorithm), or
+ * the library has not been previously initialized by psa_crypto_init(),
+ * or the state of \p output is not valid for
+ * the #PSA_KEY_DERIVATION_INPUT_SECRET step. This can happen if the
+ * step is out of order or the application has done this step already
+ * and it may not be repeated.
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
+ psa_key_derivation_operation_t *output);
+
+/** Abort a PAKE operation.
+ *
+ * Aborting an operation frees all associated resources except for the \c
+ * operation structure itself. Once aborted, the operation object can be reused
+ * for another operation by calling psa_pake_setup() again.
+ *
+ * This function may be called at any time after the operation
+ * object has been initialized as described in #psa_pake_operation_t.
+ *
+ * In particular, calling psa_pake_abort() after the operation has been
+ * terminated by a call to psa_pake_abort() or psa_pake_get_implicit_key()
+ * is safe and has no effect.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_pake_abort(psa_pake_operation_t *operation);
+
+/**@}*/
+
+/** A sufficient output buffer size for psa_pake_output().
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_pake_output() will not fail due to an insufficient output buffer
+ * size. The actual size of the output might be smaller in any given call.
+ *
+ * See also #PSA_PAKE_OUTPUT_MAX_SIZE
+ *
+ * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_PAKE(\p alg) is true).
+ * \param primitive A primitive of type ::psa_pake_primitive_t that is
+ * compatible with algorithm \p alg.
+ * \param output_step A value of type ::psa_pake_step_t that is valid for the
+ * algorithm \p alg.
+ * \return A sufficient output buffer size for the specified
+ * PAKE algorithm, primitive, and output step. If the
+ * PAKE algorithm, primitive, or output step is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_PAKE_OUTPUT_SIZE(alg, primitive, output_step) \
+ (alg == PSA_ALG_JPAKE && \
+ primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
+ PSA_ECC_FAMILY_SECP_R1, 256) ? \
+ ( \
+ output_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
+ output_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
+ 32 \
+ ) : \
+ 0)
+
+/** A sufficient input buffer size for psa_pake_input().
+ *
+ * The value returned by this macro is guaranteed to be large enough for any
+ * valid input to psa_pake_input() in an operation with the specified
+ * parameters.
+ *
+ * See also #PSA_PAKE_INPUT_MAX_SIZE
+ *
+ * \param alg A PAKE algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_PAKE(\p alg) is true).
+ * \param primitive A primitive of type ::psa_pake_primitive_t that is
+ * compatible with algorithm \p alg.
+ * \param input_step A value of type ::psa_pake_step_t that is valid for the
+ * algorithm \p alg.
+ * \return A sufficient input buffer size for the specified
+ * input, cipher suite and algorithm. If the cipher suite,
+ * the input type or PAKE algorithm is not recognized, or
+ * the parameters are incompatible, return 0.
+ */
+#define PSA_PAKE_INPUT_SIZE(alg, primitive, input_step) \
+ (alg == PSA_ALG_JPAKE && \
+ primitive == PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, \
+ PSA_ECC_FAMILY_SECP_R1, 256) ? \
+ ( \
+ input_step == PSA_PAKE_STEP_KEY_SHARE ? 65 : \
+ input_step == PSA_PAKE_STEP_ZK_PUBLIC ? 65 : \
+ 32 \
+ ) : \
+ 0)
+
+/** Output buffer size for psa_pake_output() for any of the supported PAKE
+ * algorithm and primitive suites and output step.
+ *
+ * This macro must expand to a compile-time constant integer.
+ *
+ * The value of this macro must be at least as large as the largest value
+ * returned by PSA_PAKE_OUTPUT_SIZE()
+ *
+ * See also #PSA_PAKE_OUTPUT_SIZE(\p alg, \p primitive, \p output_step).
+ */
+#define PSA_PAKE_OUTPUT_MAX_SIZE 65
+
+/** Input buffer size for psa_pake_input() for any of the supported PAKE
+ * algorithm and primitive suites and input step.
+ *
+ * This macro must expand to a compile-time constant integer.
+ *
+ * The value of this macro must be at least as large as the largest value
+ * returned by PSA_PAKE_INPUT_SIZE()
+ *
+ * See also #PSA_PAKE_INPUT_SIZE(\p alg, \p primitive, \p output_step).
+ */
+#define PSA_PAKE_INPUT_MAX_SIZE 65
+
+/** Returns a suitable initializer for a PAKE cipher suite object of type
+ * psa_pake_cipher_suite_t.
+ */
+#define PSA_PAKE_CIPHER_SUITE_INIT { PSA_ALG_NONE, 0, 0, 0, PSA_ALG_NONE }
+
+/** Returns a suitable initializer for a PAKE operation object of type
+ * psa_pake_operation_t.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_PAKE_OPERATION_INIT { 0 }
+#else
+#define PSA_PAKE_OPERATION_INIT { 0, PSA_ALG_NONE, 0, PSA_PAKE_OPERATION_STAGE_SETUP, \
+ { 0 }, { { 0 } } }
+#endif
+
+struct psa_pake_cipher_suite_s {
+ psa_algorithm_t algorithm;
+ psa_pake_primitive_type_t type;
+ psa_pake_family_t family;
+ uint16_t bits;
+ psa_algorithm_t hash;
+};
+
+static inline psa_algorithm_t psa_pake_cs_get_algorithm(
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ return cipher_suite->algorithm;
+}
+
+static inline void psa_pake_cs_set_algorithm(
+ psa_pake_cipher_suite_t *cipher_suite,
+ psa_algorithm_t algorithm)
+{
+ if (!PSA_ALG_IS_PAKE(algorithm)) {
+ cipher_suite->algorithm = 0;
+ } else {
+ cipher_suite->algorithm = algorithm;
+ }
+}
+
+static inline psa_pake_primitive_t psa_pake_cs_get_primitive(
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ return PSA_PAKE_PRIMITIVE(cipher_suite->type, cipher_suite->family,
+ cipher_suite->bits);
+}
+
+static inline void psa_pake_cs_set_primitive(
+ psa_pake_cipher_suite_t *cipher_suite,
+ psa_pake_primitive_t primitive)
+{
+ cipher_suite->type = (psa_pake_primitive_type_t) (primitive >> 24);
+ cipher_suite->family = (psa_pake_family_t) (0xFF & (primitive >> 16));
+ cipher_suite->bits = (uint16_t) (0xFFFF & primitive);
+}
+
+static inline psa_pake_family_t psa_pake_cs_get_family(
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ return cipher_suite->family;
+}
+
+static inline uint16_t psa_pake_cs_get_bits(
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ return cipher_suite->bits;
+}
+
+static inline psa_algorithm_t psa_pake_cs_get_hash(
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ return cipher_suite->hash;
+}
+
+static inline void psa_pake_cs_set_hash(psa_pake_cipher_suite_t *cipher_suite,
+ psa_algorithm_t hash)
+{
+ if (!PSA_ALG_IS_HASH(hash)) {
+ cipher_suite->hash = 0;
+ } else {
+ cipher_suite->hash = hash;
+ }
+}
+
+struct psa_crypto_driver_pake_inputs_s {
+ uint8_t *MBEDTLS_PRIVATE(password);
+ size_t MBEDTLS_PRIVATE(password_len);
+ uint8_t *MBEDTLS_PRIVATE(user);
+ size_t MBEDTLS_PRIVATE(user_len);
+ uint8_t *MBEDTLS_PRIVATE(peer);
+ size_t MBEDTLS_PRIVATE(peer_len);
+ psa_key_attributes_t MBEDTLS_PRIVATE(attributes);
+ psa_pake_cipher_suite_t MBEDTLS_PRIVATE(cipher_suite);
+};
+
+typedef enum psa_crypto_driver_pake_step {
+ PSA_JPAKE_STEP_INVALID = 0, /* Invalid step */
+ PSA_JPAKE_X1_STEP_KEY_SHARE = 1, /* Round 1: input/output key share (for ephemeral private key X1).*/
+ PSA_JPAKE_X1_STEP_ZK_PUBLIC = 2, /* Round 1: input/output Schnorr NIZKP public key for the X1 key */
+ PSA_JPAKE_X1_STEP_ZK_PROOF = 3, /* Round 1: input/output Schnorr NIZKP proof for the X1 key */
+ PSA_JPAKE_X2_STEP_KEY_SHARE = 4, /* Round 1: input/output key share (for ephemeral private key X2).*/
+ PSA_JPAKE_X2_STEP_ZK_PUBLIC = 5, /* Round 1: input/output Schnorr NIZKP public key for the X2 key */
+ PSA_JPAKE_X2_STEP_ZK_PROOF = 6, /* Round 1: input/output Schnorr NIZKP proof for the X2 key */
+ PSA_JPAKE_X2S_STEP_KEY_SHARE = 7, /* Round 2: output X2S key (our key) */
+ PSA_JPAKE_X2S_STEP_ZK_PUBLIC = 8, /* Round 2: output Schnorr NIZKP public key for the X2S key (our key) */
+ PSA_JPAKE_X2S_STEP_ZK_PROOF = 9, /* Round 2: output Schnorr NIZKP proof for the X2S key (our key) */
+ PSA_JPAKE_X4S_STEP_KEY_SHARE = 10, /* Round 2: input X4S key (from peer) */
+ PSA_JPAKE_X4S_STEP_ZK_PUBLIC = 11, /* Round 2: input Schnorr NIZKP public key for the X4S key (from peer) */
+ PSA_JPAKE_X4S_STEP_ZK_PROOF = 12 /* Round 2: input Schnorr NIZKP proof for the X4S key (from peer) */
+} psa_crypto_driver_pake_step_t;
+
+typedef enum psa_jpake_round {
+ PSA_JPAKE_FIRST = 0,
+ PSA_JPAKE_SECOND = 1,
+ PSA_JPAKE_FINISHED = 2
+} psa_jpake_round_t;
+
+typedef enum psa_jpake_io_mode {
+ PSA_JPAKE_INPUT = 0,
+ PSA_JPAKE_OUTPUT = 1
+} psa_jpake_io_mode_t;
+
+struct psa_jpake_computation_stage_s {
+ /* The J-PAKE round we are currently on */
+ psa_jpake_round_t MBEDTLS_PRIVATE(round);
+ /* The 'mode' we are currently in (inputting or outputting) */
+ psa_jpake_io_mode_t MBEDTLS_PRIVATE(io_mode);
+ /* The number of completed inputs so far this round */
+ uint8_t MBEDTLS_PRIVATE(inputs);
+ /* The number of completed outputs so far this round */
+ uint8_t MBEDTLS_PRIVATE(outputs);
+ /* The next expected step (KEY_SHARE, ZK_PUBLIC or ZK_PROOF) */
+ psa_pake_step_t MBEDTLS_PRIVATE(step);
+};
+
+#define PSA_JPAKE_EXPECTED_INPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
+ ((round) == PSA_JPAKE_FIRST ? 2 : 1))
+#define PSA_JPAKE_EXPECTED_OUTPUTS(round) ((round) == PSA_JPAKE_FINISHED ? 0 : \
+ ((round) == PSA_JPAKE_FIRST ? 2 : 1))
+
+struct psa_pake_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+ /* Algorithm of the PAKE operation */
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ /* A primitive of type compatible with algorithm */
+ psa_pake_primitive_t MBEDTLS_PRIVATE(primitive);
+ /* Stage of the PAKE operation: waiting for the setup, collecting inputs
+ * or computing. */
+ uint8_t MBEDTLS_PRIVATE(stage);
+ /* Holds computation stage of the PAKE algorithms. */
+ union {
+ uint8_t MBEDTLS_PRIVATE(dummy);
+#if defined(PSA_WANT_ALG_JPAKE)
+ psa_jpake_computation_stage_t MBEDTLS_PRIVATE(jpake);
+#endif
+ } MBEDTLS_PRIVATE(computation_stage);
+ union {
+ psa_driver_pake_context_t MBEDTLS_PRIVATE(ctx);
+ psa_crypto_driver_pake_inputs_t MBEDTLS_PRIVATE(inputs);
+ } MBEDTLS_PRIVATE(data);
+#endif
+};
+
+static inline struct psa_pake_cipher_suite_s psa_pake_cipher_suite_init(void)
+{
+ const struct psa_pake_cipher_suite_s v = PSA_PAKE_CIPHER_SUITE_INIT;
+ return v;
+}
+
+static inline struct psa_pake_operation_s psa_pake_operation_init(void)
+{
+ const struct psa_pake_operation_s v = PSA_PAKE_OPERATION_INIT;
+ return v;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_EXTRA_H */
diff --git a/tf-psa-crypto/include/psa/crypto_legacy.h b/tf-psa-crypto/include/psa/crypto_legacy.h
new file mode 100644
index 0000000..7df3614
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_legacy.h
@@ -0,0 +1,88 @@
+/**
+ * \file psa/crypto_legacy.h
+ *
+ * \brief Add temporary suppport for deprecated symbols before they are
+ * removed from the library.
+ *
+ * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR
+ * symbols are deprecated.
+ * New symols add a suffix to that base name in order to clearly state what is
+ * the expected use for the key (use, import, export, generate, derive).
+ * Here we define some backward compatibility support for uses stil using
+ * the legacy symbols.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PSA_CRYPTO_LEGACY_H
+#define MBEDTLS_PSA_CRYPTO_LEGACY_H
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) //no-check-names
+#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+#endif
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) //no-check-names
+#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+#endif
+#endif
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) //no-check-names
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#endif
+#endif
+
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) //no-check-names
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT
+#endif
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+#endif
+#endif
+
+#endif /* MBEDTLS_PSA_CRYPTO_LEGACY_H */
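Review bot: The file header does not say that a legacy `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR` or `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR` switches on every granular capability at once (BASIC, IMPORT, EXPORT, GENERATE and, for ECC, DERIVE). A configuration that keeps the old name therefore cannot build without key export or generation; only the new symbols allow that. I would state this in the header, for example `/* A legacy xxx_KEY_PAIR symbol enables all key-pair capabilities; define only the granular xxx_KEY_PAIR_yyy symbols to restrict them. */`. The two RSA blocks define no `_DERIVE` symbol while the ECC blocks do, and a one-line comment saying whether that omission is intentional would save the next reader from guessing. The same header comment also has three typos to fix: "suppport", "symols" and "stil".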
diff --git a/tf-psa-crypto/include/psa/crypto_platform.h b/tf-psa-crypto/include/psa/crypto_platform.h
new file mode 100644
index 0000000..a871ee1
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_platform.h
@@ -0,0 +1,102 @@
+/**
+ * \file psa/crypto_platform.h
+ *
+ * \brief PSA cryptography module: Mbed TLS platform definitions
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * This file contains platform-dependent type definitions.
+ *
+ * In implementations with isolation between the application and the
+ * cryptography module, implementers should take care to ensure that
+ * the definitions that are exposed to applications match what the
+ * module implements.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_PLATFORM_H
+#define PSA_CRYPTO_PLATFORM_H
+#include "mbedtls/private_access.h"
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+/* PSA requires several types which C99 provides in stdint.h. */
+#include <stdint.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+
+/* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA
+ * partition identifier.
+ *
+ * The function psa_its_identifier_of_slot() in psa_crypto_storage.c that
+ * translates a key identifier to a key storage file name assumes that
+ * mbedtls_key_owner_id_t is a 32-bit integer. This function thus needs
+ * reworking if mbedtls_key_owner_id_t is not defined as a 32-bit integer
+ * here anymore.
+ */
+typedef int32_t mbedtls_key_owner_id_t;
+
+/** Compare two key owner identifiers.
+ *
+ * \param id1 First key owner identifier.
+ * \param id2 Second key owner identifier.
+ *
+ * \return Non-zero if the two key owner identifiers are equal, zero otherwise.
+ */
+static inline int mbedtls_key_owner_id_equal(mbedtls_key_owner_id_t id1,
+ mbedtls_key_owner_id_t id2)
+{
+ return id1 == id2;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
+/*
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM
+ * (Secure Partition Manager) integration which separates the code into two
+ * parts: NSPE (Non-Secure Processing Environment) and SPE (Secure Processing
+ * Environment). When building for the SPE, an additional header file should be
+ * included.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_SPM)
+#define PSA_CRYPTO_SECURE 1
+#include "crypto_spe.h"
+#endif // MBEDTLS_PSA_CRYPTO_SPM
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/** The type of the context passed to mbedtls_psa_external_get_random().
+ *
+ * Mbed TLS initializes the context to all-bits-zero before calling
+ * mbedtls_psa_external_get_random() for the first time.
+ *
+ * The definition of this type in the Mbed TLS source code is for
+ * demonstration purposes. Implementers of mbedtls_psa_external_get_random()
+ * are expected to replace it with a custom definition.
+ */
+typedef struct {
+ uintptr_t MBEDTLS_PRIVATE(opaque)[2];
+} mbedtls_psa_external_random_context_t;
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+/** The type of the client handle used in context structures
+ *
+ * When a client view of the multipart context structures is required,
+ * this handle is used to keep a mapping with the service side of the
+ * context which contains the actual data.
+ */
+typedef uint32_t mbedtls_psa_client_handle_t;
+#endif
+
+#endif /* PSA_CRYPTO_PLATFORM_H */
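Review bot: The 32-bit requirement on `mbedtls_key_owner_id_t` is enforced only by the comment above the typedef. A port that changes the type will still compile, while psa_its_identifier_of_slot() (in psa_crypto_storage.c, outside this hunk) keeps assuming 32 bits. Because the owner id separates one partition's keys from another's, a silent mismatch there would presumably affect how storage file names are derived. A compile-time check next to the typedef makes the assumption enforceable, for example `typedef char mbedtls_key_owner_id_size_check[sizeof(mbedtls_key_owner_id_t) == 4 ? 1 : -1];` (the typedef name is illustrative), or the project's own static-assert macro if one is available to this header.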
diff --git a/tf-psa-crypto/include/psa/crypto_se_driver.h b/tf-psa-crypto/include/psa/crypto_se_driver.h
new file mode 100644
index 0000000..9ce14bb
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_se_driver.h
@@ -0,0 +1,1383 @@
+/**
+ * \file psa/crypto_se_driver.h
+ * \brief PSA external cryptoprocessor driver module
+ *
+ * This header declares types and function signatures for cryptography
+ * drivers that access key material via opaque references.
+ * This is meant for cryptoprocessors that have a separate key storage from the
+ * space in which the PSA Crypto implementation runs, typically secure
+ * elements (SEs).
+ *
+ * This file is part of the PSA Crypto Driver HAL (hardware abstraction layer),
+ * containing functions for driver developers to implement to enable hardware
+ * to be called in a standardized way by a PSA Cryptography API
+ * implementation. The functions comprising the driver HAL, which driver
+ * authors implement, are not intended to be called by application developers.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef PSA_CRYPTO_SE_DRIVER_H
+#define PSA_CRYPTO_SE_DRIVER_H
+#include "mbedtls/private_access.h"
+
+#include "crypto_driver_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** \defgroup se_init Secure element driver initialization
+ */
+/**@{*/
+
+/** \brief Driver context structure
+ *
+ * Driver functions receive a pointer to this structure.
+ * Each registered driver has one instance of this structure.
+ *
+ * Implementations must include the fields specified here and
+ * may include other fields.
+ */
+typedef struct {
+ /** A read-only pointer to the driver's persistent data.
+ *
+ * Drivers typically use this persistent data to keep track of
+ * which slot numbers are available. This is only a guideline:
+ * drivers may use the persistent data for any purpose, keeping
+ * in mind the restrictions on when the persistent data is saved
+ * to storage: the persistent data is only saved after calling
+ * certain functions that receive a writable pointer to the
+ * persistent data.
+ *
+ * The core allocates a memory buffer for the persistent data.
+ * The pointer is guaranteed to be suitably aligned for any data type,
+ * like a pointer returned by `malloc` (but the core can use any
+ * method to allocate the buffer, not necessarily `malloc`).
+ *
+ * The size of this buffer is in the \c persistent_data_size field of
+ * this structure.
+ *
+ * Before the driver is initialized for the first time, the content of
+ * the persistent data is all-bits-zero. After a driver upgrade, if the
+ * size of the persistent data has increased, the original data is padded
+ * on the right with zeros; if the size has decreased, the original data
+ * is truncated to the new size.
+ *
+ * This pointer is to read-only data. Only a few driver functions are
+ * allowed to modify the persistent data. These functions receive a
+ * writable pointer. These functions are:
+ * - psa_drv_se_t::p_init
+ * - psa_drv_se_key_management_t::p_allocate
+ * - psa_drv_se_key_management_t::p_destroy
+ *
+ * The PSA Cryptography core saves the persistent data from one
+ * session to the next. It does this before returning from API functions
+ * that call a driver method that is allowed to modify the persistent
+ * data, specifically:
+ * - psa_crypto_init() causes a call to psa_drv_se_t::p_init, and may call
+ * psa_drv_se_key_management_t::p_destroy to complete an action
+ * that was interrupted by a power failure.
+ * - Key creation functions cause a call to
+ * psa_drv_se_key_management_t::p_allocate, and may cause a call to
+ * psa_drv_se_key_management_t::p_destroy in case an error occurs.
+ * - psa_destroy_key() causes a call to
+ * psa_drv_se_key_management_t::p_destroy.
+ */
+ const void *const MBEDTLS_PRIVATE(persistent_data);
+
+ /** The size of \c persistent_data in bytes.
+ *
+ * This is always equal to the value of the `persistent_data_size` field
+ * of the ::psa_drv_se_t structure when the driver is registered.
+ */
+ const size_t MBEDTLS_PRIVATE(persistent_data_size);
+
+ /** Driver transient data.
+ *
+ * The core initializes this value to 0 and does not read or modify it
+ * afterwards. The driver may store whatever it wants in this field.
+ */
+ uintptr_t MBEDTLS_PRIVATE(transient_data);
+} psa_drv_se_context_t;
+
+/** \brief A driver initialization function.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] persistent_data A pointer to the persistent data
+ * that allows writing.
+ * \param location The location value for which this driver
+ * is registered. The driver will be invoked
+ * for all keys whose lifetime is in this
+ * location.
+ *
+ * \retval #PSA_SUCCESS
+ * The driver is operational.
+ * The core will update the persistent data in storage.
+ * \return
+ * Any other return value prevents the driver from being used in
+ * this session.
+ * The core will NOT update the persistent data in storage.
+ */
+typedef psa_status_t (*psa_drv_se_init_t)(psa_drv_se_context_t *drv_context,
+ void *persistent_data,
+ psa_key_location_t location);
+
+#if defined(__DOXYGEN_ONLY__) || !defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* Mbed TLS with secure element support enabled defines this type in
+ * crypto_types.h because it is also visible to applications through an
+ * implementation-specific extension.
+ * For the PSA Cryptography specification, this type is only visible
+ * via crypto_se_driver.h. */
+/** An internal designation of a key slot between the core part of the
+ * PSA Crypto implementation and the driver. The meaning of this value
+ * is driver-dependent. */
+typedef uint64_t psa_key_slot_number_t;
+#endif /* __DOXYGEN_ONLY__ || !MBEDTLS_PSA_CRYPTO_SE_C */
+
+/**@}*/
+
+/** \defgroup se_mac Secure Element Message Authentication Codes
+ * Generation and authentication of Message Authentication Codes (MACs) using
+ * a secure element can be done either as a single function call (via the
+ * `psa_drv_se_mac_generate_t` or `psa_drv_se_mac_verify_t` functions), or in
+ * parts using the following sequence:
+ * - `psa_drv_se_mac_setup_t`
+ * - `psa_drv_se_mac_update_t`
+ * - `psa_drv_se_mac_update_t`
+ * - ...
+ * - `psa_drv_se_mac_finish_t` or `psa_drv_se_mac_finish_verify_t`
+ *
+ * If a previously started secure element MAC operation needs to be terminated,
+ * it should be done so by the `psa_drv_se_mac_abort_t`. Failure to do so may
+ * result in allocated resources not being freed or in other undefined
+ * behavior.
+ */
+/**@{*/
+/** \brief A function that starts a secure element MAC operation for a PSA
+ * Crypto Driver implementation
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] op_context A structure that will contain the
+ * hardware-specific MAC context
+ * \param[in] key_slot The slot of the key to be used for the
+ * operation
+ * \param[in] algorithm The algorithm to be used to underly the MAC
+ * operation
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_mac_setup_t)(psa_drv_se_context_t *drv_context,
+ void *op_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t algorithm);
+
+/** \brief A function that continues a previously started secure element MAC
+ * operation
+ *
+ * \param[in,out] op_context A hardware-specific structure for the
+ * previously-established MAC operation to be
+ * updated
+ * \param[in] p_input A buffer containing the message to be appended
+ * to the MAC operation
+ * \param[in] input_length The size in bytes of the input message buffer
+ */
+typedef psa_status_t (*psa_drv_se_mac_update_t)(void *op_context,
+ const uint8_t *p_input,
+ size_t input_length);
+
+/** \brief a function that completes a previously started secure element MAC
+ * operation by returning the resulting MAC.
+ *
+ * \param[in,out] op_context A hardware-specific structure for the
+ * previously started MAC operation to be
+ * finished
+ * \param[out] p_mac A buffer where the generated MAC will be
+ * placed
+ * \param[in] mac_size The size in bytes of the buffer that has been
+ * allocated for the `output` buffer
+ * \param[out] p_mac_length After completion, will contain the number of
+ * bytes placed in the `p_mac` buffer
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_mac_finish_t)(void *op_context,
+ uint8_t *p_mac,
+ size_t mac_size,
+ size_t *p_mac_length);
+
+/** \brief A function that completes a previously started secure element MAC
+ * operation by comparing the resulting MAC against a provided value
+ *
+ * \param[in,out] op_context A hardware-specific structure for the previously
+ * started MAC operation to be finished
+ * \param[in] p_mac The MAC value against which the resulting MAC
+ * will be compared against
+ * \param[in] mac_length The size in bytes of the value stored in `p_mac`
+ *
+ * \retval #PSA_SUCCESS
+ * The operation completed successfully and the MACs matched each
+ * other
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The operation completed successfully, but the calculated MAC did
+ * not match the provided MAC
+ */
+typedef psa_status_t (*psa_drv_se_mac_finish_verify_t)(void *op_context,
+ const uint8_t *p_mac,
+ size_t mac_length);
+
+/** \brief A function that aborts a previous started secure element MAC
+ * operation
+ *
+ * \param[in,out] op_context A hardware-specific structure for the previously
+ * started MAC operation to be aborted
+ */
+typedef psa_status_t (*psa_drv_se_mac_abort_t)(void *op_context);
+
+/** \brief A function that performs a secure element MAC operation in one
+ * command and returns the calculated MAC
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] p_input A buffer containing the message to be MACed
+ * \param[in] input_length The size in bytes of `p_input`
+ * \param[in] key_slot The slot of the key to be used
+ * \param[in] alg The algorithm to be used to underlie the MAC
+ * operation
+ * \param[out] p_mac A buffer where the generated MAC will be
+ * placed
+ * \param[in] mac_size The size in bytes of the `p_mac` buffer
+ * \param[out] p_mac_length After completion, will contain the number of
+ * bytes placed in the `output` buffer
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_mac_generate_t)(psa_drv_se_context_t *drv_context,
+ const uint8_t *p_input,
+ size_t input_length,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ uint8_t *p_mac,
+ size_t mac_size,
+ size_t *p_mac_length);
+
+/** \brief A function that performs a secure element MAC operation in one
+ * command and compares the resulting MAC against a provided value
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] p_input A buffer containing the message to be MACed
+ * \param[in] input_length The size in bytes of `input`
+ * \param[in] key_slot The slot of the key to be used
+ * \param[in] alg The algorithm to be used to underlie the MAC
+ * operation
+ * \param[in] p_mac The MAC value against which the resulting MAC will
+ * be compared against
+ * \param[in] mac_length The size in bytes of `mac`
+ *
+ * \retval #PSA_SUCCESS
+ * The operation completed successfully and the MACs matched each
+ * other
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The operation completed successfully, but the calculated MAC did
+ * not match the provided MAC
+ */
+typedef psa_status_t (*psa_drv_se_mac_verify_t)(psa_drv_se_context_t *drv_context,
+ const uint8_t *p_input,
+ size_t input_length,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_mac,
+ size_t mac_length);
+
+/** \brief A struct containing all of the function pointers needed to
+ * perform secure element MAC operations
+ *
+ * PSA Crypto API implementations should populate the table as appropriate
+ * upon startup.
+ *
+ * If one of the functions is not implemented (such as
+ * `psa_drv_se_mac_generate_t`), it should be set to NULL.
+ *
+ * Driver implementers should ensure that they implement all of the functions
+ * that make sense for their hardware, and that they provide a full solution
+ * (for example, if they support `p_setup`, they should also support
+ * `p_update` and at least one of `p_finish` or `p_finish_verify`).
+ *
+ */
+typedef struct {
+ /**The size in bytes of the hardware-specific secure element MAC context
+ * structure
+ */
+ size_t MBEDTLS_PRIVATE(context_size);
+ /** Function that performs a MAC setup operation
+ */
+ psa_drv_se_mac_setup_t MBEDTLS_PRIVATE(p_setup);
+ /** Function that performs a MAC update operation
+ */
+ psa_drv_se_mac_update_t MBEDTLS_PRIVATE(p_update);
+ /** Function that completes a MAC operation
+ */
+ psa_drv_se_mac_finish_t MBEDTLS_PRIVATE(p_finish);
+ /** Function that completes a MAC operation with a verify check
+ */
+ psa_drv_se_mac_finish_verify_t MBEDTLS_PRIVATE(p_finish_verify);
+ /** Function that aborts a previously started MAC operation
+ */
+ psa_drv_se_mac_abort_t MBEDTLS_PRIVATE(p_abort);
+ /** Function that performs a MAC operation in one call
+ */
+ psa_drv_se_mac_generate_t MBEDTLS_PRIVATE(p_mac);
+ /** Function that performs a MAC and verify operation in one call
+ */
+ psa_drv_se_mac_verify_t MBEDTLS_PRIVATE(p_mac_verify);
+} psa_drv_se_mac_t;
+/**@}*/
+
+/** \defgroup se_cipher Secure Element Symmetric Ciphers
+ *
+ * Encryption and Decryption using secure element keys in block modes other
+ * than ECB must be done in multiple parts, using the following flow:
+ * - `psa_drv_se_cipher_setup_t`
+ * - `psa_drv_se_cipher_set_iv_t` (optional depending upon block mode)
+ * - `psa_drv_se_cipher_update_t`
+ * - `psa_drv_se_cipher_update_t`
+ * - ...
+ * - `psa_drv_se_cipher_finish_t`
+ *
+ * If a previously started secure element Cipher operation needs to be
+ * terminated, it should be done so by the `psa_drv_se_cipher_abort_t`. Failure
+ * to do so may result in allocated resources not being freed or in other
+ * undefined behavior.
+ *
+ * In situations where a PSA Cryptographic API implementation is using a block
+ * mode not-supported by the underlying hardware or driver, it can construct
+ * the block mode itself, while calling the `psa_drv_se_cipher_ecb_t` function
+ * for the cipher operations.
+ */
+/**@{*/
+
+/** \brief A function that provides the cipher setup function for a
+ * secure element driver
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] op_context A structure that will contain the
+ * hardware-specific cipher context.
+ * \param[in] key_slot The slot of the key to be used for the
+ * operation
+ * \param[in] algorithm The algorithm to be used in the cipher
+ * operation
+ * \param[in] direction Indicates whether the operation is an encrypt
+ * or decrypt
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context,
+ void *op_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t algorithm,
+ psa_encrypt_or_decrypt_t direction);
+
+/** \brief A function that sets the initialization vector (if
+ * necessary) for a secure element cipher operation
+ *
+ * Rationale: The `psa_se_cipher_*` operation in the PSA Cryptographic API has
+ * two IV functions: one to set the IV, and one to generate it internally. The
+ * generate function is not necessary for the drivers to implement as the PSA
+ * Crypto implementation can do the generation using its RNG features.
+ *
+ * \param[in,out] op_context A structure that contains the previously set up
+ * hardware-specific cipher context
+ * \param[in] p_iv A buffer containing the initialization vector
+ * \param[in] iv_length The size (in bytes) of the `p_iv` buffer
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context,
+ const uint8_t *p_iv,
+ size_t iv_length);
+
+/** \brief A function that continues a previously started secure element cipher
+ * operation
+ *
+ * \param[in,out] op_context A hardware-specific structure for the
+ * previously started cipher operation
+ * \param[in] p_input A buffer containing the data to be
+ * encrypted/decrypted
+ * \param[in] input_size The size in bytes of the buffer pointed to
+ * by `p_input`
+ * \param[out] p_output The caller-allocated buffer where the
+ * output will be placed
+ * \param[in] output_size The allocated size in bytes of the
+ * `p_output` buffer
+ * \param[out] p_output_length After completion, will contain the number
+ * of bytes placed in the `p_output` buffer
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context,
+ const uint8_t *p_input,
+ size_t input_size,
+ uint8_t *p_output,
+ size_t output_size,
+ size_t *p_output_length);
+
+/** \brief A function that completes a previously started secure element cipher
+ * operation
+ *
+ * \param[in,out] op_context A hardware-specific structure for the
+ * previously started cipher operation
+ * \param[out] p_output The caller-allocated buffer where the output
+ * will be placed
+ * \param[in] output_size The allocated size in bytes of the `p_output`
+ * buffer
+ * \param[out] p_output_length After completion, will contain the number of
+ * bytes placed in the `p_output` buffer
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context,
+ uint8_t *p_output,
+ size_t output_size,
+ size_t *p_output_length);
+
+/** \brief A function that aborts a previously started secure element cipher
+ * operation
+ *
+ * \param[in,out] op_context A hardware-specific structure for the
+ * previously started cipher operation
+ */
+typedef psa_status_t (*psa_drv_se_cipher_abort_t)(void *op_context);
+
+/** \brief A function that performs the ECB block mode for secure element
+ * cipher operations
+ *
+ * Note: this function should only be used with implementations that do not
+ * provide a needed higher-level operation.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot The slot of the key to be used for the operation
+ * \param[in] algorithm The algorithm to be used in the cipher operation
+ * \param[in] direction Indicates whether the operation is an encrypt or
+ * decrypt
+ * \param[in] p_input A buffer containing the data to be
+ * encrypted/decrypted
+ * \param[in] input_size The size in bytes of the buffer pointed to by
+ * `p_input`
+ * \param[out] p_output The caller-allocated buffer where the output
+ * will be placed
+ * \param[in] output_size The allocated size in bytes of the `p_output`
+ * buffer
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t algorithm,
+ psa_encrypt_or_decrypt_t direction,
+ const uint8_t *p_input,
+ size_t input_size,
+ uint8_t *p_output,
+ size_t output_size);
+
+/**
+ * \brief A struct containing all of the function pointers needed to implement
+ * cipher operations using secure elements.
+ *
+ * PSA Crypto API implementations should populate instances of the table as
+ * appropriate upon startup or at build time.
+ *
+ * If one of the functions is not implemented (such as
+ * `psa_drv_se_cipher_ecb_t`), it should be set to NULL.
+ */
+typedef struct {
+ /** The size in bytes of the hardware-specific secure element cipher
+ * context structure
+ */
+ size_t MBEDTLS_PRIVATE(context_size);
+ /** Function that performs a cipher setup operation */
+ psa_drv_se_cipher_setup_t MBEDTLS_PRIVATE(p_setup);
+ /** Function that sets a cipher IV (if necessary) */
+ psa_drv_se_cipher_set_iv_t MBEDTLS_PRIVATE(p_set_iv);
+ /** Function that performs a cipher update operation */
+ psa_drv_se_cipher_update_t MBEDTLS_PRIVATE(p_update);
+ /** Function that completes a cipher operation */
+ psa_drv_se_cipher_finish_t MBEDTLS_PRIVATE(p_finish);
+ /** Function that aborts a cipher operation */
+ psa_drv_se_cipher_abort_t MBEDTLS_PRIVATE(p_abort);
+ /** Function that performs ECB mode for a cipher operation
+ * (Danger: ECB mode should not be used directly by clients of the PSA
+ * Crypto Client API)
+ */
+ psa_drv_se_cipher_ecb_t MBEDTLS_PRIVATE(p_ecb);
+} psa_drv_se_cipher_t;
+
+/**@}*/
+
+/** \defgroup se_asymmetric Secure Element Asymmetric Cryptography
+ *
+ * Since the amount of data that can (or should) be encrypted or signed using
+ * asymmetric keys is limited by the key size, asymmetric key operations using
+ * keys in a secure element must be done in single function calls.
+ */
+/**@{*/
+
+/**
+ * \brief A function that signs a hash or short message with a private key in
+ * a secure element
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Key slot of an asymmetric key pair
+ * \param[in] alg A signature algorithm that is compatible
+ * with the type of `key`
+ * \param[in] p_hash The hash to sign
+ * \param[in] hash_length Size of the `p_hash` buffer in bytes
+ * \param[out] p_signature Buffer where the signature is to be written
+ * \param[in] signature_size Size of the `p_signature` buffer in bytes
+ * \param[out] p_signature_length On success, the number of bytes
+ * that make up the returned signature value
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_asymmetric_sign_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_hash,
+ size_t hash_length,
+ uint8_t *p_signature,
+ size_t signature_size,
+ size_t *p_signature_length);
+
+/**
+ * \brief A function that verifies the signature a hash or short message using
+ * an asymmetric public key in a secure element
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Key slot of a public key or an asymmetric key
+ * pair
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of `key`
+ * \param[in] p_hash The hash whose signature is to be verified
+ * \param[in] hash_length Size of the `p_hash` buffer in bytes
+ * \param[in] p_signature Buffer containing the signature to verify
+ * \param[in] signature_length Size of the `p_signature` buffer in bytes
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ */
+typedef psa_status_t (*psa_drv_se_asymmetric_verify_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_hash,
+ size_t hash_length,
+ const uint8_t *p_signature,
+ size_t signature_length);
+
+/**
+ * \brief A function that encrypts a short message with an asymmetric public
+ * key in a secure element
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Key slot of a public key or an asymmetric key
+ * pair
+ * \param[in] alg An asymmetric encryption algorithm that is
+ * compatible with the type of `key`
+ * \param[in] p_input The message to encrypt
+ * \param[in] input_length Size of the `p_input` buffer in bytes
+ * \param[in] p_salt A salt or label, if supported by the
+ * encryption algorithm
+ * If the algorithm does not support a
+ * salt, pass `NULL`.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass `NULL`.
+ * For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param[in] salt_length Size of the `p_salt` buffer in bytes
+ * If `p_salt` is `NULL`, pass 0.
+ * \param[out] p_output Buffer where the encrypted message is to
+ * be written
+ * \param[in] output_size Size of the `p_output` buffer in bytes
+ * \param[out] p_output_length On success, the number of bytes that make up
+ * the returned output
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_asymmetric_encrypt_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_input,
+ size_t input_length,
+ const uint8_t *p_salt,
+ size_t salt_length,
+ uint8_t *p_output,
+ size_t output_size,
+ size_t *p_output_length);
+
+/**
+ * \brief A function that decrypts a short message with an asymmetric private
+ * key in a secure element.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Key slot of an asymmetric key pair
+ * \param[in] alg An asymmetric encryption algorithm that is
+ * compatible with the type of `key`
+ * \param[in] p_input The message to decrypt
+ * \param[in] input_length Size of the `p_input` buffer in bytes
+ * \param[in] p_salt A salt or label, if supported by the
+ * encryption algorithm
+ * If the algorithm does not support a
+ * salt, pass `NULL`.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass `NULL`.
+ * For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param[in] salt_length Size of the `p_salt` buffer in bytes
+ * If `p_salt` is `NULL`, pass 0.
+ * \param[out] p_output Buffer where the decrypted message is to
+ * be written
+ * \param[in] output_size Size of the `p_output` buffer in bytes
+ * \param[out] p_output_length On success, the number of bytes
+ * that make up the returned output
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_asymmetric_decrypt_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_input,
+ size_t input_length,
+ const uint8_t *p_salt,
+ size_t salt_length,
+ uint8_t *p_output,
+ size_t output_size,
+ size_t *p_output_length);
+
+/**
+ * \brief A struct containing all of the function pointers needed to implement
+ * asymmetric cryptographic operations using secure elements.
+ *
+ * PSA Crypto API implementations should populate instances of the table as
+ * appropriate upon startup or at build time.
+ *
+ * If one of the functions is not implemented, it should be set to NULL.
+ */
+typedef struct {
+ /** Function that performs an asymmetric sign operation */
+ psa_drv_se_asymmetric_sign_t MBEDTLS_PRIVATE(p_sign);
+ /** Function that performs an asymmetric verify operation */
+ psa_drv_se_asymmetric_verify_t MBEDTLS_PRIVATE(p_verify);
+ /** Function that performs an asymmetric encrypt operation */
+ psa_drv_se_asymmetric_encrypt_t MBEDTLS_PRIVATE(p_encrypt);
+ /** Function that performs an asymmetric decrypt operation */
+ psa_drv_se_asymmetric_decrypt_t MBEDTLS_PRIVATE(p_decrypt);
+} psa_drv_se_asymmetric_t;
+
+/**@}*/
+
+/** \defgroup se_aead Secure Element Authenticated Encryption with Additional Data
+ * Authenticated Encryption with Additional Data (AEAD) operations with secure
+ * elements must be done in one function call. While this creates a burden for
+ * implementers as there must be sufficient space in memory for the entire
+ * message, it prevents decrypted data from being made available before the
+ * authentication operation is complete and the data is known to be authentic.
+ */
+/**@{*/
+
+/** \brief A function that performs a secure element authenticated encryption
+ * operation
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Slot containing the key to use.
+ * \param[in] algorithm The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(`alg`) is true)
+ * \param[in] p_nonce Nonce or IV to use
+ * \param[in] nonce_length Size of the `p_nonce` buffer in bytes
+ * \param[in] p_additional_data Additional data that will be
+ * authenticated but not encrypted
+ * \param[in] additional_data_length Size of `p_additional_data` in bytes
+ * \param[in] p_plaintext Data that will be authenticated and
+ * encrypted
+ * \param[in] plaintext_length Size of `p_plaintext` in bytes
+ * \param[out] p_ciphertext Output buffer for the authenticated and
+ * encrypted data. The additional data is
+ * not part of this output. For algorithms
+ * where the encrypted data and the
+ * authentication tag are defined as
+ * separate outputs, the authentication
+ * tag is appended to the encrypted data.
+ * \param[in] ciphertext_size Size of the `p_ciphertext` buffer in
+ * bytes
+ * \param[out] p_ciphertext_length On success, the size of the output in
+ * the `p_ciphertext` buffer
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_aead_encrypt_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t algorithm,
+ const uint8_t *p_nonce,
+ size_t nonce_length,
+ const uint8_t *p_additional_data,
+ size_t additional_data_length,
+ const uint8_t *p_plaintext,
+ size_t plaintext_length,
+ uint8_t *p_ciphertext,
+ size_t ciphertext_size,
+ size_t *p_ciphertext_length);
+
+/** A function that performs a secure element authenticated decryption operation
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key_slot Slot containing the key to use
+ * \param[in] algorithm The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(`alg`) is true)
+ * \param[in] p_nonce Nonce or IV to use
+ * \param[in] nonce_length Size of the `p_nonce` buffer in bytes
+ * \param[in] p_additional_data Additional data that has been
+ * authenticated but not encrypted
+ * \param[in] additional_data_length Size of `p_additional_data` in bytes
+ * \param[in] p_ciphertext Data that has been authenticated and
+ * encrypted.
+ * For algorithms where the encrypted data
+ * and the authentication tag are defined
+ * as separate inputs, the buffer must
+ * contain the encrypted data followed by
+ * the authentication tag.
+ * \param[in] ciphertext_length Size of `p_ciphertext` in bytes
+ * \param[out] p_plaintext Output buffer for the decrypted data
+ * \param[in] plaintext_size Size of the `p_plaintext` buffer in
+ * bytes
+ * \param[out] p_plaintext_length On success, the size of the output in
+ * the `p_plaintext` buffer
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_aead_decrypt_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t algorithm,
+ const uint8_t *p_nonce,
+ size_t nonce_length,
+ const uint8_t *p_additional_data,
+ size_t additional_data_length,
+ const uint8_t *p_ciphertext,
+ size_t ciphertext_length,
+ uint8_t *p_plaintext,
+ size_t plaintext_size,
+ size_t *p_plaintext_length);
+
+/**
+ * \brief A struct containing all of the function pointers needed to implement
+ * secure element Authenticated Encryption with Additional Data operations
+ *
+ * PSA Crypto API implementations should populate instances of the table as
+ * appropriate upon startup.
+ *
+ * If one of the functions is not implemented, it should be set to NULL.
+ */
+typedef struct {
+ /** Function that performs the AEAD encrypt operation */
+ psa_drv_se_aead_encrypt_t MBEDTLS_PRIVATE(p_encrypt);
+ /** Function that performs the AEAD decrypt operation */
+ psa_drv_se_aead_decrypt_t MBEDTLS_PRIVATE(p_decrypt);
+} psa_drv_se_aead_t;
+/**@}*/
+
+/** \defgroup se_key_management Secure Element Key Management
+ * Currently, key management is limited to importing keys in the clear,
+ * destroying keys, and exporting keys in the clear.
+ * Whether a key may be exported is determined by the key policies in place
+ * on the key slot.
+ */
+/**@{*/
+
+/** An enumeration indicating how a key is created.
+ */
+typedef enum {
+ PSA_KEY_CREATION_IMPORT, /**< During psa_import_key() */
+ PSA_KEY_CREATION_GENERATE, /**< During psa_generate_key() */
+ PSA_KEY_CREATION_DERIVE, /**< During psa_key_derivation_output_key() */
+ PSA_KEY_CREATION_COPY, /**< During psa_copy_key() */
+
+#ifndef __DOXYGEN_ONLY__
+ /** A key is being registered with mbedtls_psa_register_se_key().
+ *
+ * The core only passes this value to
+ * psa_drv_se_key_management_t::p_validate_slot_number, not to
+ * psa_drv_se_key_management_t::p_allocate. The call to
+ * `p_validate_slot_number` is not followed by any other call to the
+ * driver: the key is considered successfully registered if the call to
+ * `p_validate_slot_number` succeeds, or if `p_validate_slot_number` is
+ * null.
+ *
+ * With this creation method, the driver must return #PSA_SUCCESS if
+ * the given attributes are compatible with the existing key in the slot,
+ * and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
+ * is no key with the specified slot number.
+ *
+ * This is an Mbed TLS extension.
+ */
+ PSA_KEY_CREATION_REGISTER,
+#endif
+} psa_key_creation_method_t;
+
+/** \brief A function that allocates a slot for a key.
+ *
+ * To create a key in a specific slot in a secure element, the core
+ * first calls this function to determine a valid slot number,
+ * then calls a function to create the key material in that slot.
+ * In nominal conditions (that is, if no error occurs),
+ * the effect of a call to a key creation function in the PSA Cryptography
+ * API with a lifetime that places the key in a secure element is the
+ * following:
+ * -# The core calls psa_drv_se_key_management_t::p_allocate
+ * (or in some implementations
+ * psa_drv_se_key_management_t::p_validate_slot_number). The driver
+ * selects (or validates) a suitable slot number given the key attributes
+ * and the state of the secure element.
+ * -# The core calls a key creation function in the driver.
+ *
+ * The key creation functions in the PSA Cryptography API are:
+ * - psa_import_key(), which causes
+ * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_IMPORT
+ * then a call to psa_drv_se_key_management_t::p_import.
+ * - psa_generate_key(), which causes
+ * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_GENERATE
+ * then a call to psa_drv_se_key_management_t::p_import.
+ * - psa_key_derivation_output_key(), which causes
+ * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_DERIVE
+ * then a call to psa_drv_se_key_derivation_t::p_derive.
+ * - psa_copy_key(), which causes
+ * a call to `p_allocate` with \p method = #PSA_KEY_CREATION_COPY
+ * then a call to psa_drv_se_key_management_t::p_export.
+ *
+ * In case of errors, other behaviors are possible.
+ * - If the PSA Cryptography subsystem dies after the first step,
+ * for example because the device has lost power abruptly,
+ * the second step may never happen, or may happen after a reset
+ * and re-initialization. Alternatively, after a reset and
+ * re-initialization, the core may call
+ * psa_drv_se_key_management_t::p_destroy on the slot number that
+ * was allocated (or validated) instead of calling a key creation function.
+ * - If an error occurs, the core may call
+ * psa_drv_se_key_management_t::p_destroy on the slot number that
+ * was allocated (or validated) instead of calling a key creation function.
+ *
+ * Errors and system resets also have an impact on the driver's persistent
+ * data. If a reset happens before the overall key creation process is
+ * completed (before or after the second step above), it is unspecified
+ * whether the persistent data after the reset is identical to what it
+ * was before or after the call to `p_allocate` (or `p_validate_slot_number`).
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] persistent_data A pointer to the persistent data
+ * that allows writing.
+ * \param[in] attributes Attributes of the key.
+ * \param method The way in which the key is being created.
+ * \param[out] key_slot Slot where the key will be stored.
+ * This must be a valid slot for a key of the
+ * chosen type. It must be unoccupied.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * The core will record \c *key_slot as the key slot where the key
+ * is stored and will update the persistent data in storage.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_allocate_key_t)(
+ psa_drv_se_context_t *drv_context,
+ void *persistent_data,
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_key_slot_number_t *key_slot);
+
+/** \brief A function that determines whether a slot number is valid
+ * for a key.
+ *
+ * To create a key in a specific slot in a secure element, the core
+ * first calls this function to validate the choice of slot number,
+ * then calls a function to create the key material in that slot.
+ * See the documentation of #psa_drv_se_allocate_key_t for more details.
+ *
+ * As of the PSA Cryptography API specification version 1.0, there is no way
+ * for applications to trigger a call to this function. However some
+ * implementations offer the capability to create or declare a key in
+ * a specific slot via implementation-specific means, generally for the
+ * sake of initial device provisioning or onboarding. Such a mechanism may
+ * be added to a future version of the PSA Cryptography API specification.
+ *
+ * This function may update the driver's persistent data through
+ * \p persistent_data. The core will save the updated persistent data at the
+ * end of the key creation process. See the description of
+ * ::psa_drv_se_allocate_key_t for more information.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] persistent_data A pointer to the persistent data
+ * that allows writing.
+ * \param[in] attributes Attributes of the key.
+ * \param method The way in which the key is being created.
+ * \param[in] key_slot Slot where the key is to be stored.
+ *
+ * \retval #PSA_SUCCESS
+ * The given slot number is valid for a key with the given
+ * attributes.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The given slot number is not valid for a key with the
+ * given attributes. This includes the case where the slot
+ * number is not valid at all.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * There is already a key with the specified slot number.
+ * Drivers may choose to return this error from the key
+ * creation function instead.
+ */
+typedef psa_status_t (*psa_drv_se_validate_slot_number_t)(
+ psa_drv_se_context_t *drv_context,
+ void *persistent_data,
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_key_slot_number_t key_slot);
+
+/** \brief A function that imports a key into a secure element in binary format
+ *
+ * This function can support any output from psa_export_key(). Refer to the
+ * documentation of psa_export_key() for the format for each key type.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param key_slot Slot where the key will be stored.
+ * This must be a valid slot for a key of the
+ * chosen type. It must be unoccupied.
+ * \param[in] attributes The key attributes, including the lifetime,
+ * the key type and the usage policy.
+ * Drivers should not access the key size stored
+ * in the attributes: it may not match the
+ * data passed in \p data.
+ * Drivers can call psa_get_key_lifetime(),
+ * psa_get_key_type(),
+ * psa_get_key_usage_flags() and
+ * psa_get_key_algorithm() to access this
+ * information.
+ * \param[in] data Buffer containing the key data.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] bits On success, the key size in bits. The driver
+ * must determine this value after parsing the
+ * key according to the key type.
+ * This value is not used if the function fails.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+typedef psa_status_t (*psa_drv_se_import_key_t)(
+ psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ size_t *bits);
+
+/**
+ * \brief A function that destroys a secure element key and restore the slot to
+ * its default state
+ *
+ * This function destroys the content of the key from a secure element.
+ * Implementations shall make a best effort to ensure that any previous content
+ * of the slot is unrecoverable.
+ *
+ * This function returns the specified slot to its default state.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] persistent_data A pointer to the persistent data
+ * that allows writing.
+ * \param key_slot The key slot to erase.
+ *
+ * \retval #PSA_SUCCESS
+ * The slot's content, if any, has been erased.
+ */
+typedef psa_status_t (*psa_drv_se_destroy_key_t)(
+ psa_drv_se_context_t *drv_context,
+ void *persistent_data,
+ psa_key_slot_number_t key_slot);
+
+/**
+ * \brief A function that exports a secure element key in binary format
+ *
+ * The output of this function can be passed to psa_import_key() to
+ * create an equivalent object.
+ *
+ * If a key is created with `psa_import_key()` and then exported with
+ * this function, it is not guaranteed that the resulting data is
+ * identical: the implementation may choose a different representation
+ * of the same key if the format permits it.
+ *
+ * This function should generate output in the same format that
+ * `psa_export_key()` does. Refer to the
+ * documentation of `psa_export_key()` for the format for each key type.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in] key Slot whose content is to be exported. This must
+ * be an occupied key slot.
+ * \param[out] p_data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the `p_data` buffer in bytes.
+ * \param[out] p_data_length On success, the number of bytes
+ * that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_export_key_t)(psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key,
+ uint8_t *p_data,
+ size_t data_size,
+ size_t *p_data_length);
+
+/**
+ * \brief A function that generates a symmetric or asymmetric key on a secure
+ * element
+ *
+ * If the key type \c type recorded in \p attributes
+ * is asymmetric (#PSA_KEY_TYPE_IS_ASYMMETRIC(\c type) = 1),
+ * the driver may export the public key at the time of generation,
+ * in the format documented for psa_export_public_key() by writing it
+ * to the \p pubkey buffer.
+ * This is optional, intended for secure elements that output the
+ * public key at generation time and that cannot export the public key
+ * later. Drivers that do not need this feature should leave
+ * \p *pubkey_length set to 0 and should
+ * implement the psa_drv_key_management_t::p_export_public function.
+ * Some implementations do not support this feature, in which case
+ * \p pubkey is \c NULL and \p pubkey_size is 0.
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param key_slot Slot where the key will be stored.
+ * This must be a valid slot for a key of the
+ * chosen type. It must be unoccupied.
+ * \param[in] attributes The key attributes, including the lifetime,
+ * the key type and size, and the usage policy.
+ * Drivers can call psa_get_key_lifetime(),
+ * psa_get_key_type(), psa_get_key_bits(),
+ * psa_get_key_usage_flags() and
+ * psa_get_key_algorithm() to access this
+ * information.
+ * \param[out] pubkey A buffer where the driver can write the
+ * public key, when generating an asymmetric
+ * key pair.
+ * This is \c NULL when generating a symmetric
+ * key or if the core does not support
+ * exporting the public key at generation time.
+ * \param pubkey_size The size of the `pubkey` buffer in bytes.
+ * This is 0 when generating a symmetric
+ * key or if the core does not support
+ * exporting the public key at generation time.
+ * \param[out] pubkey_length On entry, this is always 0.
+ * On success, the number of bytes written to
+ * \p pubkey. If this is 0 or unchanged on return,
+ * the core will not read the \p pubkey buffer,
+ * and will instead call the driver's
+ * psa_drv_key_management_t::p_export_public
+ * function to export the public key when needed.
+ */
+typedef psa_status_t (*psa_drv_se_generate_key_t)(
+ psa_drv_se_context_t *drv_context,
+ psa_key_slot_number_t key_slot,
+ const psa_key_attributes_t *attributes,
+ uint8_t *pubkey, size_t pubkey_size, size_t *pubkey_length);
+
+/**
+ * \brief A struct containing all of the function pointers needed to for secure
+ * element key management
+ *
+ * PSA Crypto API implementations should populate instances of the table as
+ * appropriate upon startup or at build time.
+ *
+ * If one of the functions is not implemented, it should be set to NULL.
+ */
+typedef struct {
+ /** Function that allocates a slot for a key. */
+ psa_drv_se_allocate_key_t MBEDTLS_PRIVATE(p_allocate);
+ /** Function that checks the validity of a slot for a key. */
+ psa_drv_se_validate_slot_number_t MBEDTLS_PRIVATE(p_validate_slot_number);
+ /** Function that performs a key import operation */
+ psa_drv_se_import_key_t MBEDTLS_PRIVATE(p_import);
+ /** Function that performs a generation */
+ psa_drv_se_generate_key_t MBEDTLS_PRIVATE(p_generate);
+ /** Function that performs a key destroy operation */
+ psa_drv_se_destroy_key_t MBEDTLS_PRIVATE(p_destroy);
+ /** Function that performs a key export operation */
+ psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export);
+ /** Function that performs a public key export operation */
+ psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export_public);
+} psa_drv_se_key_management_t;
+
+/**@}*/
+
+/** \defgroup driver_derivation Secure Element Key Derivation and Agreement
+ * Key derivation is the process of generating new key material using an
+ * existing key and additional parameters, iterating through a basic
+ * cryptographic function, such as a hash.
+ * Key agreement is a part of cryptographic protocols that allows two parties
+ * to agree on the same key value, but starting from different original key
+ * material.
+ * The flows are similar, and the PSA Crypto Driver Model uses the same functions
+ * for both of the flows.
+ *
+ * There are two different final functions for the flows,
+ * `psa_drv_se_key_derivation_derive` and `psa_drv_se_key_derivation_export`.
+ * `psa_drv_se_key_derivation_derive` is used when the key material should be
+ * placed in a slot on the hardware and not exposed to the caller.
+ * `psa_drv_se_key_derivation_export` is used when the key material should be
+ * returned to the PSA Cryptographic API implementation.
+ *
+ * Different key derivation algorithms require a different number of inputs.
+ * Instead of having an API that takes as input variable length arrays, which
+ * can be problematic to manage on embedded platforms, the inputs are passed
+ * to the driver via a function, `psa_drv_se_key_derivation_collateral`, that
+ * is called multiple times with different `collateral_id`s. Thus, for a key
+ * derivation algorithm that required 3 parameter inputs, the flow would look
+ * something like:
+ * ~~~~~~~~~~~~~{.c}
+ * psa_drv_se_key_derivation_setup(kdf_algorithm, source_key, dest_key_size_bytes);
+ * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_0,
+ * p_collateral_0,
+ * collateral_0_size);
+ * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_1,
+ * p_collateral_1,
+ * collateral_1_size);
+ * psa_drv_se_key_derivation_collateral(kdf_algorithm_collateral_id_2,
+ * p_collateral_2,
+ * collateral_2_size);
+ * psa_drv_se_key_derivation_derive();
+ * ~~~~~~~~~~~~~
+ *
+ * key agreement example:
+ * ~~~~~~~~~~~~~{.c}
+ * psa_drv_se_key_derivation_setup(alg, source_key. dest_key_size_bytes);
+ * psa_drv_se_key_derivation_collateral(DHE_PUBKEY, p_pubkey, pubkey_size);
+ * psa_drv_se_key_derivation_export(p_session_key,
+ * session_key_size,
+ * &session_key_length);
+ * ~~~~~~~~~~~~~
+ */
+/**@{*/
+
+/** \brief A function that Sets up a secure element key derivation operation by
+ * specifying the algorithm and the source key sot
+ *
+ * \param[in,out] drv_context The driver context structure.
+ * \param[in,out] op_context A hardware-specific structure containing any
+ * context information for the implementation
+ * \param[in] kdf_alg The algorithm to be used for the key derivation
+ * \param[in] source_key The key to be used as the source material for
+ * the key derivation
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_key_derivation_setup_t)(psa_drv_se_context_t *drv_context,
+ void *op_context,
+ psa_algorithm_t kdf_alg,
+ psa_key_slot_number_t source_key);
+
+/** \brief A function that provides collateral (parameters) needed for a secure
+ * element key derivation or key agreement operation
+ *
+ * Since many key derivation algorithms require multiple parameters, it is
+ * expected that this function may be called multiple times for the same
+ * operation, each with a different algorithm-specific `collateral_id`
+ *
+ * \param[in,out] op_context A hardware-specific structure containing any
+ * context information for the implementation
+ * \param[in] collateral_id An ID for the collateral being provided
+ * \param[in] p_collateral A buffer containing the collateral data
+ * \param[in] collateral_size The size in bytes of the collateral
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_key_derivation_collateral_t)(void *op_context,
+ uint32_t collateral_id,
+ const uint8_t *p_collateral,
+ size_t collateral_size);
+
+/** \brief A function that performs the final secure element key derivation
+ * step and place the generated key material in a slot
+ *
+ * \param[in,out] op_context A hardware-specific structure containing any
+ * context information for the implementation
+ * \param[in] dest_key The slot where the generated key material
+ * should be placed
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_key_derivation_derive_t)(void *op_context,
+ psa_key_slot_number_t dest_key);
+
+/** \brief A function that performs the final step of a secure element key
+ * agreement and place the generated key material in a buffer
+ *
+ * \param[out] p_output Buffer in which to place the generated key
+ * material
+ * \param[in] output_size The size in bytes of `p_output`
+ * \param[out] p_output_length Upon success, contains the number of bytes of
+ * key material placed in `p_output`
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+typedef psa_status_t (*psa_drv_se_key_derivation_export_t)(void *op_context,
+ uint8_t *p_output,
+ size_t output_size,
+ size_t *p_output_length);
+
+/**
+ * \brief A struct containing all of the function pointers needed to for secure
+ * element key derivation and agreement
+ *
+ * PSA Crypto API implementations should populate instances of the table as
+ * appropriate upon startup.
+ *
+ * If one of the functions is not implemented, it should be set to NULL.
+ */
+typedef struct {
+ /** The driver-specific size of the key derivation context */
+ size_t MBEDTLS_PRIVATE(context_size);
+ /** Function that performs a key derivation setup */
+ psa_drv_se_key_derivation_setup_t MBEDTLS_PRIVATE(p_setup);
+ /** Function that sets key derivation collateral */
+ psa_drv_se_key_derivation_collateral_t MBEDTLS_PRIVATE(p_collateral);
+ /** Function that performs a final key derivation step */
+ psa_drv_se_key_derivation_derive_t MBEDTLS_PRIVATE(p_derive);
+ /** Function that performs a final key derivation or agreement and
+ * exports the key */
+ psa_drv_se_key_derivation_export_t MBEDTLS_PRIVATE(p_export);
+} psa_drv_se_key_derivation_t;
+
+/**@}*/
+
+/** \defgroup se_registration Secure element driver registration
+ */
+/**@{*/
+
+/** A structure containing pointers to all the entry points of a
+ * secure element driver.
+ *
+ * Future versions of this specification may add extra substructures at
+ * the end of this structure.
+ */
+typedef struct {
+ /** The version of the driver HAL that this driver implements.
+ * This is a protection against loading driver binaries built against
+ * a different version of this specification.
+ * Use #PSA_DRV_SE_HAL_VERSION.
+ */
+ uint32_t MBEDTLS_PRIVATE(hal_version);
+
+ /** The size of the driver's persistent data in bytes.
+ *
+ * This can be 0 if the driver does not need persistent data.
+ *
+ * See the documentation of psa_drv_se_context_t::persistent_data
+ * for more information about why and how a driver can use
+ * persistent data.
+ */
+ size_t MBEDTLS_PRIVATE(persistent_data_size);
+
+ /** The driver initialization function.
+ *
+ * This function is called once during the initialization of the
+ * PSA Cryptography subsystem, before any other function of the
+ * driver is called. If this function returns a failure status,
+ * the driver will be unusable, at least until the next system reset.
+ *
+ * If this field is \c NULL, it is equivalent to a function that does
+ * nothing and returns #PSA_SUCCESS.
+ */
+ psa_drv_se_init_t MBEDTLS_PRIVATE(p_init);
+
+ const psa_drv_se_key_management_t *MBEDTLS_PRIVATE(key_management);
+ const psa_drv_se_mac_t *MBEDTLS_PRIVATE(mac);
+ const psa_drv_se_cipher_t *MBEDTLS_PRIVATE(cipher);
+ const psa_drv_se_aead_t *MBEDTLS_PRIVATE(aead);
+ const psa_drv_se_asymmetric_t *MBEDTLS_PRIVATE(asymmetric);
+ const psa_drv_se_key_derivation_t *MBEDTLS_PRIVATE(derivation);
+} psa_drv_se_t;
+
+/** The current version of the secure element driver HAL.
+ */
+/* 0.0.0 patchlevel 5 */
+#define PSA_DRV_SE_HAL_VERSION 0x00000005
+
+/** Register an external cryptoprocessor (secure element) driver.
+ *
+ * This function is only intended to be used by driver code, not by
+ * application code. In implementations with separation between the
+ * PSA cryptography module and applications, this function should
+ * only be available to callers that run in the same memory space as
+ * the cryptography module, and should not be exposed to applications
+ * running in a different memory space.
+ *
+ * This function may be called before psa_crypto_init(). It is
+ * implementation-defined whether this function may be called
+ * after psa_crypto_init().
+ *
+ * \note Implementations store metadata about keys including the lifetime
+ * value, which contains the driver's location indicator. Therefore,
+ * from one instantiation of the PSA Cryptography
+ * library to the next one, if there is a key in storage with a certain
+ * lifetime value, you must always register the same driver (or an
+ * updated version that communicates with the same secure element)
+ * with the same location value.
+ *
+ * \param location The location value through which this driver will
+ * be exposed to applications.
+ * This driver will be used for all keys such that
+ * `location == #PSA_KEY_LIFETIME_GET_LOCATION( lifetime )`.
+ * The value #PSA_KEY_LOCATION_LOCAL_STORAGE is reserved
+ * and may not be used for drivers. Implementations
+ * may reserve other values.
+ * \param[in] methods The method table of the driver. This structure must
+ * remain valid for as long as the cryptography
+ * module keeps running. It is typically a global
+ * constant.
+ *
+ * \return #PSA_SUCCESS
+ * The driver was successfully registered. Applications can now
+ * use \p location to access keys through the methods passed to
+ * this function.
+ * \return #PSA_ERROR_BAD_STATE
+ * This function was called after the initialization of the
+ * cryptography module, and this implementation does not support
+ * driver registration at this stage.
+ * \return #PSA_ERROR_ALREADY_EXISTS
+ * There is already a registered driver for this value of \p location.
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ * \p location is a reserved value.
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * `methods->hal_version` is not supported by this implementation.
+ * \return #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \return #PSA_ERROR_NOT_PERMITTED
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_DATA_CORRUPT
+ */
+psa_status_t psa_register_se_driver(
+ psa_key_location_t location,
+ const psa_drv_se_t *methods);
+
+/**@}*/
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_SE_DRIVER_H */
diff --git a/tf-psa-crypto/include/psa/crypto_sizes.h b/tf-psa-crypto/include/psa/crypto_sizes.h
new file mode 100644
index 0000000..635ee98
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_sizes.h
@@ -0,0 +1,1292 @@
+/**
+ * \file psa/crypto_sizes.h
+ *
+ * \brief PSA cryptography module: Mbed TLS buffer size macros
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * This file contains the definitions of macros that are useful to
+ * compute buffer sizes. The signatures and semantics of these macros
+ * are standardized, but the definitions are not, because they depend on
+ * the available algorithms and, in some cases, on permitted tolerances
+ * on buffer sizes.
+ *
+ * In implementations with isolation between the application and the
+ * cryptography module, implementers should take care to ensure that
+ * the definitions that are exposed to applications match what the
+ * module implements.
+ *
+ * Macros that compute sizes whose values do not depend on the
+ * implementation are in crypto.h.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_SIZES_H
+#define PSA_CRYPTO_SIZES_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#define PSA_BITS_TO_BYTES(bits) (((bits) + 7u) / 8u)
+#define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8u)
+#define PSA_MAX_OF_THREE(a, b, c) ((a) <= (b) ? (b) <= (c) ? \
+ (c) : (b) : (a) <= (c) ? (c) : (a))
+
+#define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
+ (((length) + (block_size) - 1) / (block_size) * (block_size))
+
+/** The size of the output of psa_hash_finish(), in bytes.
+ *
+ * This is also the hash size that psa_hash_verify() expects.
+ *
+ * \param alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm
+ * (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a
+ * hash algorithm).
+ *
+ * \return The hash size for the specified hash algorithm.
+ * If the hash algorithm is not recognized, return 0.
+ */
+#define PSA_HASH_LENGTH(alg) \
+ ( \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64u : \
+ 0u)
+
+/** The input block size of a hash algorithm, in bytes.
+ *
+ * Hash algorithms process their input data in blocks. Hash operations will
+ * retain any partial blocks until they have enough input to fill the block or
+ * until the operation is finished.
+ * This affects the output from psa_hash_suspend().
+ *
+ * \param alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \return The block size in bytes for the specified hash algorithm.
+ * If the hash algorithm is not recognized, return 0.
+ * An implementation can return either 0 or the correct size for a
+ * hash algorithm that it recognizes, but does not support.
+ */
+#define PSA_HASH_BLOCK_LENGTH(alg) \
+ ( \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104u : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72u : \
+ 0u)
+
+/** \def PSA_HASH_MAX_SIZE
+ *
+ * Maximum size of a hash.
+ *
+ * This macro expands to a compile-time constant integer. This value
+ * is the maximum size of a hash in bytes.
+ */
+/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-224,
+ * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
+ * HMAC-SHA3-512. */
+/* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE,
+ * see the note on MBEDTLS_MD_MAX_SIZE for details. */
+#if defined(PSA_WANT_ALG_SHA3_224)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 144u
+#elif defined(PSA_WANT_ALG_SHA3_256)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 136u
+#elif defined(PSA_WANT_ALG_SHA_512)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u
+#elif defined(PSA_WANT_ALG_SHA_384)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u
+#elif defined(PSA_WANT_ALG_SHA3_384)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 104u
+#elif defined(PSA_WANT_ALG_SHA3_512)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 72u
+#elif defined(PSA_WANT_ALG_SHA_256)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
+#elif defined(PSA_WANT_ALG_SHA_224)
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
+#else /* SHA-1 or smaller */
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA3_512)
+#define PSA_HASH_MAX_SIZE 64u
+#elif defined(PSA_WANT_ALG_SHA_384) || defined(PSA_WANT_ALG_SHA3_384)
+#define PSA_HASH_MAX_SIZE 48u
+#elif defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA3_256)
+#define PSA_HASH_MAX_SIZE 32u
+#elif defined(PSA_WANT_ALG_SHA_224) || defined(PSA_WANT_ALG_SHA3_224)
+#define PSA_HASH_MAX_SIZE 28u
+#else /* SHA-1 or smaller */
+#define PSA_HASH_MAX_SIZE 20u
+#endif
+
+/** \def PSA_MAC_MAX_SIZE
+ *
+ * Maximum size of a MAC.
+ *
+ * This macro expands to a compile-time constant integer. This value
+ * is the maximum size of a MAC in bytes.
+ */
+/* All non-HMAC MACs have a maximum size that's smaller than the
+ * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
+/* Note that the encoding of truncated MAC algorithms limits this value
+ * to 64 bytes.
+ */
+#define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
+
+/** The length of a tag for an AEAD algorithm, in bytes.
+ *
+ * This macro can be used to allocate a buffer of sufficient size to store the
+ * tag output from psa_aead_finish().
+ *
+ * See also #PSA_AEAD_TAG_MAX_SIZE.
+ *
+ * \param key_type The type of the AEAD key.
+ * \param key_bits The size of the AEAD key in bits.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \return The tag length for the specified algorithm and key.
+ * If the AEAD algorithm does not have an identified
+ * tag that can be distinguished from the rest of
+ * the ciphertext, return 0.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
+ PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
+ ((void) (key_bits), 0u))
+
+/** The maximum tag size for all supported AEAD algorithms, in bytes.
+ *
+ * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
+ */
+#define PSA_AEAD_TAG_MAX_SIZE 16u
+
+/* The maximum size of an RSA key on this implementation, in bits.
+ * This is a vendor-specific macro.
+ *
+ * Mbed TLS does not set a hard limit on the size of RSA keys: any key
+ * whose parameters fit in a bignum is accepted. However large keys can
+ * induce a large memory usage and long computation times. Unlike other
+ * auxiliary macros in this file and in crypto.h, which reflect how the
+ * library is configured, this macro defines how the library is
+ * configured. This implementation refuses to import or generate an
+ * RSA key whose size is larger than the value defined here.
+ *
+ * Note that an implementation may set different size limits for different
+ * operations, and does not need to accept all key sizes up to the limit. */
+#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096u
+
+/* The minimum size of an RSA key on this implementation, in bits.
+ * This is a vendor-specific macro.
+ *
+ * Limits RSA key generation to a minimum due to avoid accidental misuse.
+ * This value cannot be less than 128 bits.
+ */
+#if defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)
+#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS MBEDTLS_RSA_GEN_KEY_MIN_BITS
+#else
+#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS 1024
+#endif
+
+/* The maximum size of an DH key on this implementation, in bits.
+ * This is a vendor-specific macro.*/
+#if defined(PSA_WANT_DH_RFC7919_8192)
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192u
+#elif defined(PSA_WANT_DH_RFC7919_6144)
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 6144u
+#elif defined(PSA_WANT_DH_RFC7919_4096)
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 4096u
+#elif defined(PSA_WANT_DH_RFC7919_3072)
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 3072u
+#elif defined(PSA_WANT_DH_RFC7919_2048)
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 2048u
+#else
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 0u
+#endif
+
+/* The maximum size of an ECC key on this implementation, in bits.
+ * This is a vendor-specific macro. */
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 521u
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 512u
+#elif defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 448u
+#elif defined(PSA_WANT_ECC_SECP_R1_384)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u
+#elif defined(PSA_WANT_ECC_SECP_R1_256)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
+#elif defined(PSA_WANT_ECC_SECP_K1_256)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
+#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u
+#elif defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 255u
+#elif defined(PSA_WANT_ECC_SECP_R1_224)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u
+#elif defined(PSA_WANT_ECC_SECP_K1_224)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u
+#elif defined(PSA_WANT_ECC_SECP_R1_192)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u
+#elif defined(PSA_WANT_ECC_SECP_K1_192)
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u
+#else
+#define PSA_VENDOR_ECC_MAX_CURVE_BITS 0u
+#endif
+
+/** This macro returns the maximum supported length of the PSK for the
+ * TLS-1.2 PSK-to-MS key derivation
+ * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).
+ *
+ * The maximum supported length does not depend on the chosen hash algorithm.
+ *
+ * Quoting RFC 4279, Sect 5.3:
+ * TLS implementations supporting these ciphersuites MUST support
+ * arbitrary PSK identities up to 128 octets in length, and arbitrary
+ * PSKs up to 64 octets in length. Supporting longer identities and
+ * keys is RECOMMENDED.
+ *
+ * Therefore, no implementation should define a value smaller than 64
+ * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
+ */
+#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128u
+
+/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
+ * which is expected to work with P-256 curve only. */
+#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65u
+
+/* The size of a serialized K.X coordinate to be used in
+ * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
+ * curve. */
+#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32u
+
+/* The maximum number of iterations for PBKDF2 on this implementation, in bits.
+ * This is a vendor-specific macro. This can be configured if necessary */
+#define PSA_VENDOR_PBKDF2_MAX_ITERATIONS 0xffffffffU
+
+/** The maximum size of a block cipher. */
+#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16u
+
+/** The size of the output of psa_mac_sign_finish(), in bytes.
+ *
+ * This is also the MAC size that psa_mac_verify_finish() expects.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type The type of the MAC key.
+ * \param key_bits The size of the MAC key in bits.
+ * \param alg A MAC algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \return The MAC size for the specified algorithm with
+ * the specified key parameters.
+ * \return 0 if the MAC algorithm is not recognized.
+ * \return Either 0 or the correct size for a MAC algorithm that
+ * the implementation recognizes, but does not support.
+ * \return Unspecified if the key parameters are not consistent
+ * with the algorithm.
+ */
+#define PSA_MAC_LENGTH(key_type, key_bits, alg) \
+ ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) : \
+ PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) : \
+ PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
+ ((void) (key_type), (void) (key_bits), 0u))
+
+/** The maximum size of the output of psa_aead_encrypt(), in bytes.
+ *
+ * If the size of the ciphertext buffer is at least this large, it is
+ * guaranteed that psa_aead_encrypt() will not fail due to an
+ * insufficient buffer size. Depending on the algorithm, the actual size of
+ * the ciphertext may be smaller.
+ *
+ * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is
+ * compatible with algorithm \p alg.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param plaintext_length Size of the plaintext in bytes.
+ *
+ * \return The AEAD ciphertext size for the specified
+ * algorithm.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
+ (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_aead_encrypt(), for any of the
+ * supported key types and AEAD algorithms.
+ *
+ * If the size of the ciphertext buffer is at least this large, it is guaranteed
+ * that psa_aead_encrypt() will not fail due to an insufficient buffer size.
+ *
+ * \note This macro returns a compile-time constant if its arguments are
+ * compile-time constants.
+ *
+ * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
+ * \p plaintext_length).
+ *
+ * \param plaintext_length Size of the plaintext in bytes.
+ *
+ * \return A sufficient output buffer size for any of the
+ * supported key types and AEAD algorithms.
+ *
+ */
+#define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length) \
+ ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
+
+
+/** The maximum size of the output of psa_aead_decrypt(), in bytes.
+ *
+ * If the size of the plaintext buffer is at least this large, it is
+ * guaranteed that psa_aead_decrypt() will not fail due to an
+ * insufficient buffer size. Depending on the algorithm, the actual size of
+ * the plaintext may be smaller.
+ *
+ * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is
+ * compatible with algorithm \p alg.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param ciphertext_length Size of the plaintext in bytes.
+ *
+ * \return The AEAD ciphertext size for the specified
+ * algorithm.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
+ (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ? \
+ (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_aead_decrypt(), for any of the
+ * supported key types and AEAD algorithms.
+ *
+ * If the size of the plaintext buffer is at least this large, it is guaranteed
+ * that psa_aead_decrypt() will not fail due to an insufficient buffer size.
+ *
+ * \note This macro returns a compile-time constant if its arguments are
+ * compile-time constants.
+ *
+ * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
+ * \p ciphertext_length).
+ *
+ * \param ciphertext_length Size of the ciphertext in bytes.
+ *
+ * \return A sufficient output buffer size for any of the
+ * supported key types and AEAD algorithms.
+ *
+ */
+#define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length) \
+ (ciphertext_length)
+
+/** The default nonce size for an AEAD algorithm, in bytes.
+ *
+ * This macro can be used to allocate a buffer of sufficient size to
+ * store the nonce output from #psa_aead_generate_nonce().
+ *
+ * See also #PSA_AEAD_NONCE_MAX_SIZE.
+ *
+ * \note This is not the maximum size of nonce supported as input to
+ * #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
+ * just the default size that is generated by #psa_aead_generate_nonce().
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is compatible with
+ * algorithm \p alg.
+ *
+ * \param alg An AEAD algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \return The default nonce size for the specified key type and algorithm.
+ * If the key type or AEAD algorithm is not recognized,
+ * or the parameters are incompatible, return 0.
+ */
+#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
+ MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13u : \
+ MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12u : \
+ 0u : \
+ (key_type) == PSA_KEY_TYPE_CHACHA20 && \
+ MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12u : \
+ 0u)
+
+/** The maximum default nonce size among all supported pairs of key types and
+ * AEAD algorithms, in bytes.
+ *
+ * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()
+ * may return.
+ *
+ * \note This is not the maximum size of nonce supported as input to
+ * #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
+ * just the largest size that may be generated by
+ * #psa_aead_generate_nonce().
+ */
+#define PSA_AEAD_NONCE_MAX_SIZE 13u
+
+/** A sufficient output buffer size for psa_aead_update().
+ *
+ * If the size of the output buffer is at least this large, it is
+ * guaranteed that psa_aead_update() will not fail due to an
+ * insufficient buffer size. The actual size of the output may be smaller
+ * in any given call.
+ *
+ * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is
+ * compatible with algorithm \p alg.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ * \param input_length Size of the input in bytes.
+ *
+ * \return A sufficient output buffer size for the specified
+ * algorithm.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+/* For all the AEAD modes defined in this specification, it is possible
+ * to emit output without delay. However, hardware may not always be
+ * capable of this. So for modes based on a block cipher, allow the
+ * implementation to delay the output until it has a full block. */
+#define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
+ PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
+ PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
+ (input_length) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_aead_update(), for any of the
+ * supported key types and AEAD algorithms.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_aead_update() will not fail due to an insufficient buffer size.
+ *
+ * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
+ *
+ * \param input_length Size of the input in bytes.
+ */
+#define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length) \
+ (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))
+
+/** A sufficient ciphertext buffer size for psa_aead_finish().
+ *
+ * If the size of the ciphertext buffer is at least this large, it is
+ * guaranteed that psa_aead_finish() will not fail due to an
+ * insufficient ciphertext buffer size. The actual size of the output may
+ * be smaller in any given call.
+ *
+ * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
+ *
+ * \param key_type A symmetric key type that is
+ compatible with algorithm \p alg.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \return A sufficient ciphertext buffer size for the
+ * specified algorithm.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
+ PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
+ PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
+ 0u)
+
+/** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
+ * supported key types and AEAD algorithms.
+ *
+ * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
+ */
+#define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
+
+/** A sufficient plaintext buffer size for psa_aead_verify().
+ *
+ * If the size of the plaintext buffer is at least this large, it is
+ * guaranteed that psa_aead_verify() will not fail due to an
+ * insufficient plaintext buffer size. The actual size of the output may
+ * be smaller in any given call.
+ *
+ * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
+ *
+ * \param key_type A symmetric key type that is
+ * compatible with algorithm \p alg.
+ * \param alg An AEAD algorithm
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \return A sufficient plaintext buffer size for the
+ * specified algorithm.
+ * If the key type or AEAD algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
+ (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
+ PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
+ PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
+ 0u)
+
+/** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
+ * supported key types and AEAD algorithms.
+ *
+ * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
+ */
+#define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
+
+#define PSA_RSA_MINIMUM_PADDING_SIZE(alg) \
+ (PSA_ALG_IS_RSA_OAEP(alg) ? \
+ 2u * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1u : \
+ 11u /*PKCS#1v1.5*/)
+
+/**
+ * \brief ECDSA signature size for a given curve bit size
+ *
+ * \param curve_bits Curve size in bits.
+ * \return Signature size in bytes.
+ *
+ * \note This macro returns a compile-time constant if its argument is one.
+ */
+#define PSA_ECDSA_SIGNATURE_SIZE(curve_bits) \
+ (PSA_BITS_TO_BYTES(curve_bits) * 2u)
+
+/** Sufficient signature buffer size for psa_sign_hash().
+ *
+ * This macro returns a sufficient buffer size for a signature using a key
+ * of the specified type and size, with the specified algorithm.
+ * Note that the actual size of the signature may be smaller
+ * (some algorithms produce a variable-size signature).
+ *
+ * \warning This function may call its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type An asymmetric key type (this may indifferently be a
+ * key pair type or a public key type).
+ * \param key_bits The size of the key in bits.
+ * \param alg The signature algorithm.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_sign_hash() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that is not supported,
+ * return either a sensible size or 0.
+ * If the parameters are not valid, the
+ * return value is unspecified.
+ */
+#define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg) \
+ (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \
+ PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
+ ((void) alg, 0u))
+
+#define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE \
+ PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+
+/** \def PSA_SIGNATURE_MAX_SIZE
+ *
+ * Maximum size of an asymmetric signature.
+ *
+ * This macro expands to a compile-time constant integer. This value
+ * is the maximum size of a signature in bytes.
+ */
+#define PSA_SIGNATURE_MAX_SIZE 1
+
+#if (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) && \
+ (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE > PSA_SIGNATURE_MAX_SIZE)
+#undef PSA_SIGNATURE_MAX_SIZE
+#define PSA_SIGNATURE_MAX_SIZE PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE
+#endif
+#if (defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) || defined(PSA_WANT_ALG_RSA_PSS)) && \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_SIGNATURE_MAX_SIZE)
+#undef PSA_SIGNATURE_MAX_SIZE
+#define PSA_SIGNATURE_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS)
+#endif
+
+/** Sufficient output buffer size for psa_asymmetric_encrypt().
+ *
+ * This macro returns a sufficient buffer size for a ciphertext produced using
+ * a key of the specified type and size, with the specified algorithm.
+ * Note that the actual size of the ciphertext may be smaller, depending
+ * on the algorithm.
+ *
+ * \warning This function may call its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type An asymmetric key type (this may indifferently be a
+ * key pair type or a public key type).
+ * \param key_bits The size of the key in bits.
+ * \param alg The asymmetric encryption algorithm.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_asymmetric_encrypt() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that is not supported,
+ * return either a sensible size or 0.
+ * If the parameters are not valid, the
+ * return value is unspecified.
+ */
+#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
+ (PSA_KEY_TYPE_IS_RSA(key_type) ? \
+ ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_asymmetric_encrypt(), for any
+ * supported asymmetric encryption.
+ *
+ * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
+ */
+/* This macro assumes that RSA is the only supported asymmetric encryption. */
+#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
+
+/** Sufficient output buffer size for psa_asymmetric_decrypt().
+ *
+ * This macro returns a sufficient buffer size for a plaintext produced using
+ * a key of the specified type and size, with the specified algorithm.
+ * Note that the actual size of the plaintext may be smaller, depending
+ * on the algorithm.
+ *
+ * \warning This function may call its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type An asymmetric key type (this may indifferently be a
+ * key pair type or a public key type).
+ * \param key_bits The size of the key in bits.
+ * \param alg The asymmetric encryption algorithm.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_asymmetric_decrypt() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that is not supported,
+ * return either a sensible size or 0.
+ * If the parameters are not valid, the
+ * return value is unspecified.
+ */
+#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
+ (PSA_KEY_TYPE_IS_RSA(key_type) ? \
+ PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_asymmetric_decrypt(), for any
+ * supported asymmetric decryption.
+ *
+ * This macro assumes that RSA is the only supported asymmetric encryption.
+ *
+ * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
+ */
+#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
+
+/* Maximum size of the ASN.1 encoding of an INTEGER with the specified
+ * number of bits.
+ *
+ * This definition assumes that bits <= 2^19 - 9 so that the length field
+ * is at most 3 bytes. The length of the encoding is the length of the
+ * bit string padded to a whole number of bytes plus:
+ * - 1 type byte;
+ * - 1 to 3 length bytes;
+ * - 0 to 1 bytes of leading 0 due to the sign bit.
+ */
+#define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits) \
+ ((bits) / 8u + 5u)
+
+/* Maximum size of the export encoding of an RSA public key.
+ * Assumes that the public exponent is less than 2^32.
+ *
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER } -- e
+ *
+ * - 4 bytes of SEQUENCE overhead;
+ * - n : INTEGER;
+ * - 7 bytes for the public exponent.
+ */
+#define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11u)
+
+/* Maximum size of the export encoding of an RSA key pair.
+ * Assumes that the public exponent is less than 2^32 and that the size
+ * difference between the two primes is at most 1 bit.
+ *
+ * RSAPrivateKey ::= SEQUENCE {
+ * version Version, -- 0
+ * modulus INTEGER, -- N-bit
+ * publicExponent INTEGER, -- 32-bit
+ * privateExponent INTEGER, -- N-bit
+ * prime1 INTEGER, -- N/2-bit
+ * prime2 INTEGER, -- N/2-bit
+ * exponent1 INTEGER, -- N/2-bit
+ * exponent2 INTEGER, -- N/2-bit
+ * coefficient INTEGER, -- N/2-bit
+ * }
+ *
+ * - 4 bytes of SEQUENCE overhead;
+ * - 3 bytes of version;
+ * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
+ * overapproximated as 9 half-size INTEGERS;
+ * - 7 bytes for the public exponent.
+ */
+#define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) \
+ (9u * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2u + 1u) + 14u)
+
+/* Maximum size of the export encoding of a DSA public key.
+ *
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING } -- contains DSAPublicKey
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters Dss-Params } -- SEQUENCE of 3 INTEGERs
+ * DSAPublicKey ::= INTEGER -- public key, Y
+ *
+ * - 3 * 4 bytes of SEQUENCE overhead;
+ * - 1 + 1 + 7 bytes of algorithm (DSA OID);
+ * - 4 bytes of BIT STRING overhead;
+ * - 3 full-size INTEGERs (p, g, y);
+ * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
+ */
+#define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 59u)
+
+/* Maximum size of the export encoding of a DSA key pair.
+ *
+ * DSAPrivateKey ::= SEQUENCE {
+ * version Version, -- 0
+ * prime INTEGER, -- p
+ * subprime INTEGER, -- q
+ * generator INTEGER, -- g
+ * public INTEGER, -- y
+ * private INTEGER, -- x
+ * }
+ *
+ * - 4 bytes of SEQUENCE overhead;
+ * - 3 bytes of version;
+ * - 3 full-size INTEGERs (p, g, y);
+ * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
+ */
+#define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) \
+ (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 75u)
+
+/* Maximum size of the export encoding of an ECC public key.
+ *
+ * The representation of an ECC public key is:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - where m is the bit size associated with the curve.
+ *
+ * - 1 byte + 2 * point size.
+ */
+#define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (2u * PSA_BITS_TO_BYTES(key_bits) + 1u)
+
+/* Maximum size of the export encoding of an ECC key pair.
+ *
+ * An ECC key pair is represented by the secret value.
+ */
+#define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
+/* Maximum size of the export encoding of an DH key pair.
+ *
+ * An DH key pair is represented by the secret value.
+ */
+#define PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
+/* Maximum size of the export encoding of an DH public key.
+ */
+#define PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
+/** Sufficient output buffer size for psa_export_key() or
+ * psa_export_public_key().
+ *
+ * This macro returns a compile-time constant if its arguments are
+ * compile-time constants.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * The following code illustrates how to allocate enough memory to export
+ * a key by querying the key type and size at runtime.
+ * \code{c}
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * psa_status_t status;
+ * status = psa_get_key_attributes(key, &attributes);
+ * if (status != PSA_SUCCESS) handle_error(...);
+ * psa_key_type_t key_type = psa_get_key_type(&attributes);
+ * size_t key_bits = psa_get_key_bits(&attributes);
+ * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);
+ * psa_reset_key_attributes(&attributes);
+ * uint8_t *buffer = malloc(buffer_size);
+ * if (buffer == NULL) handle_error(...);
+ * size_t buffer_length;
+ * status = psa_export_key(key, buffer, buffer_size, &buffer_length);
+ * if (status != PSA_SUCCESS) handle_error(...);
+ * \endcode
+ *
+ * \param key_type A supported key type.
+ * \param key_bits The size of the key in bits.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_export_key() or psa_export_public_key() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that is not supported,
+ * return either a sensible size or 0.
+ * If the parameters are not valid, the return value is unspecified.
+ */
+#define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits) \
+ (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
+ (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) : \
+ (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) : \
+ (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ 0u)
+
+/** Sufficient output buffer size for psa_export_public_key().
+ *
+ * This macro returns a compile-time constant if its arguments are
+ * compile-time constants.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * The following code illustrates how to allocate enough memory to export
+ * a public key by querying the key type and size at runtime.
+ * \code{c}
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * psa_status_t status;
+ * status = psa_get_key_attributes(key, &attributes);
+ * if (status != PSA_SUCCESS) handle_error(...);
+ * psa_key_type_t key_type = psa_get_key_type(&attributes);
+ * size_t key_bits = psa_get_key_bits(&attributes);
+ * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);
+ * psa_reset_key_attributes(&attributes);
+ * uint8_t *buffer = malloc(buffer_size);
+ * if (buffer == NULL) handle_error(...);
+ * size_t buffer_length;
+ * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);
+ * if (status != PSA_SUCCESS) handle_error(...);
+ * \endcode
+ *
+ * \param key_type A public key or key pair key type.
+ * \param key_bits The size of the key in bits.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_export_public_key() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that is not
+ * supported, return either a sensible size or 0.
+ * If the parameters are not valid,
+ * the return value is unspecified.
+ *
+ * If the parameters are valid and supported,
+ * return the same result as
+ * #PSA_EXPORT_KEY_OUTPUT_SIZE(
+ * \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),
+ * \p key_bits).
+ */
+#define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits) \
+ (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
+ 0u)
+
+/** Sufficient buffer size for exporting any asymmetric key pair.
+ *
+ * This macro expands to a compile-time constant integer. This value is
+ * a sufficient buffer size when calling psa_export_key() to export any
+ * asymmetric key pair, regardless of the exact key type and key size.
+ *
+ * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
+ */
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE 1
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+ (PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE)
+#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+#endif
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && \
+ (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE)
+#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
+ PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \
+ (PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE)
+#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
+ PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
+#endif
+
+/** Sufficient buffer size for exporting any asymmetric public key.
+ *
+ * This macro expands to a compile-time constant integer. This value is
+ * a sufficient buffer size when calling psa_export_key() or
+ * psa_export_public_key() to export any asymmetric public key,
+ * regardless of the exact key type and key size.
+ *
+ * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
+ */
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE 1
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+ (PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
+#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+#endif
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) && \
+ (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
+ PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
+#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
+ PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \
+ (PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \
+ PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
+#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
+ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
+#endif
+
+/** Sufficient output buffer size for psa_raw_key_agreement().
+ *
+ * This macro returns a compile-time constant if its arguments are
+ * compile-time constants.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.
+ *
+ * \param key_type A supported key type.
+ * \param key_bits The size of the key in bits.
+ *
+ * \return If the parameters are valid and supported, return
+ * a buffer size in bytes that guarantees that
+ * psa_raw_key_agreement() will not fail with
+ * #PSA_ERROR_BUFFER_TOO_SMALL.
+ * If the parameters are a valid combination that
+ * is not supported, return either a sensible size or 0.
+ * If the parameters are not valid,
+ * the return value is unspecified.
+ */
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits) \
+ ((PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) || \
+ PSA_KEY_TYPE_IS_DH_KEY_PAIR(key_type)) ? PSA_BITS_TO_BYTES(key_bits) : 0u)
+
+/** Maximum size of the output from psa_raw_key_agreement().
+ *
+ * This macro expands to a compile-time constant integer. This value is the
+ * maximum size of the output any raw key agreement algorithm, in bytes.
+ *
+ * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
+ */
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE 1
+
+#if defined(PSA_WANT_ALG_ECDH) && \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)
+#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+#endif
+#if defined(PSA_WANT_ALG_FFDH) && \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)
+#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS)
+#endif
+
+/** The default IV size for a cipher algorithm, in bytes.
+ *
+ * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
+ * the default IV length for the algorithm.
+ *
+ * This macro can be used to allocate a buffer of sufficient size to
+ * store the IV output from #psa_cipher_generate_iv() when using
+ * a multi-part cipher operation.
+ *
+ * See also #PSA_CIPHER_IV_MAX_SIZE.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm \p alg.
+ *
+ * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \return The default IV size for the specified key type and algorithm.
+ * If the algorithm does not use an IV, return 0.
+ * If the key type or cipher algorithm is not recognized,
+ * or the parameters are incompatible, return 0.
+ */
+#define PSA_CIPHER_IV_LENGTH(key_type, alg) \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \
+ ((alg) == PSA_ALG_CTR || \
+ (alg) == PSA_ALG_CFB || \
+ (alg) == PSA_ALG_OFB || \
+ (alg) == PSA_ALG_XTS || \
+ (alg) == PSA_ALG_CBC_NO_PADDING || \
+ (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
+ (key_type) == PSA_KEY_TYPE_CHACHA20 && \
+ (alg) == PSA_ALG_STREAM_CIPHER ? 12u : \
+ (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13u : \
+ 0u)
+
+/** The maximum IV size for all supported cipher algorithms, in bytes.
+ *
+ * See also #PSA_CIPHER_IV_LENGTH().
+ */
+#define PSA_CIPHER_IV_MAX_SIZE 16u
+
+/** The maximum size of the output of psa_cipher_encrypt(), in bytes.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
+ * Depending on the algorithm, the actual size of the output might be smaller.
+ *
+ * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm
+ * alg.
+ * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param input_length Size of the input in bytes.
+ *
+ * \return A sufficient output size for the specified key type and
+ * algorithm. If the key type or cipher algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length) \
+ (alg == PSA_ALG_CBC_PKCS7 ? \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
+ PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
+ (input_length) + 1u) + \
+ PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0u) : \
+ (PSA_ALG_IS_CIPHER(alg) ? \
+ (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) : \
+ 0u))
+
+/** A sufficient output buffer size for psa_cipher_encrypt(), for any of the
+ * supported key types and cipher algorithms.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
+ *
+ * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
+ *
+ * \param input_length Size of the input in bytes.
+ *
+ */
+#define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length) \
+ (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, \
+ (input_length) + 1u) + \
+ PSA_CIPHER_IV_MAX_SIZE)
+
+/** The maximum size of the output of psa_cipher_decrypt(), in bytes.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
+ * Depending on the algorithm, the actual size of the output might be smaller.
+ *
+ * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm
+ * alg.
+ * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param input_length Size of the input in bytes.
+ *
+ * \return A sufficient output size for the specified key type and
+ * algorithm. If the key type or cipher algorithm is not
+ * recognized, or the parameters are incompatible,
+ * return 0.
+ */
+#define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length) \
+ (PSA_ALG_IS_CIPHER(alg) && \
+ ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
+ (input_length) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_cipher_decrypt(), for any of the
+ * supported key types and cipher algorithms.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
+ *
+ * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
+ *
+ * \param input_length Size of the input in bytes.
+ */
+#define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length) \
+ (input_length)
+
+/** A sufficient output buffer size for psa_cipher_update().
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_update() will not fail due to an insufficient buffer size.
+ * The actual size of the output might be smaller in any given call.
+ *
+ * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm
+ * alg.
+ * \param alg A cipher algorithm (PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param input_length Size of the input in bytes.
+ *
+ * \return A sufficient output size for the specified key type and
+ * algorithm. If the key type or cipher algorithm is not
+ * recognized, or the parameters are incompatible, return 0.
+ */
+#define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
+ (PSA_ALG_IS_CIPHER(alg) ? \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
+ (((alg) == PSA_ALG_CBC_PKCS7 || \
+ (alg) == PSA_ALG_CBC_NO_PADDING || \
+ (alg) == PSA_ALG_ECB_NO_PADDING) ? \
+ PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
+ input_length) : \
+ (input_length)) : 0u) : \
+ 0u)
+
+/** A sufficient output buffer size for psa_cipher_update(), for any of the
+ * supported key types and cipher algorithms.
+ *
+ * If the size of the output buffer is at least this large, it is guaranteed
+ * that psa_cipher_update() will not fail due to an insufficient buffer size.
+ *
+ * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
+ *
+ * \param input_length Size of the input in bytes.
+ */
+#define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length) \
+ (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))
+
+/** A sufficient ciphertext buffer size for psa_cipher_finish().
+ *
+ * If the size of the ciphertext buffer is at least this large, it is
+ * guaranteed that psa_cipher_finish() will not fail due to an insufficient
+ * ciphertext buffer size. The actual size of the output might be smaller in
+ * any given call.
+ *
+ * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm
+ * alg.
+ * \param alg A cipher algorithm (PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \return A sufficient output size for the specified key type and
+ * algorithm. If the key type or cipher algorithm is not
+ * recognized, or the parameters are incompatible, return 0.
+ */
+#define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg) \
+ (PSA_ALG_IS_CIPHER(alg) ? \
+ (alg == PSA_ALG_CBC_PKCS7 ? \
+ PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
+ 0u) : \
+ 0u)
+
+/** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the
+ * supported key types and cipher algorithms.
+ *
+ * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
+ */
+#define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE \
+ (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
+
+#endif /* PSA_CRYPTO_SIZES_H */
diff --git a/tf-psa-crypto/include/psa/crypto_struct.h b/tf-psa-crypto/include/psa/crypto_struct.h
new file mode 100644
index 0000000..3913551
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_struct.h
@@ -0,0 +1,501 @@
+/**
+ * \file psa/crypto_struct.h
+ *
+ * \brief PSA cryptography module: Mbed TLS structured type implementations
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h.
+ *
+ * This file contains the definitions of some data structures with
+ * implementation-specific definitions.
+ *
+ * In implementations with isolation between the application and the
+ * cryptography module, it is expected that the front-end and the back-end
+ * would have different versions of this file.
+ *
+ * <h3>Design notes about multipart operation structures</h3>
+ *
+ * For multipart operations without driver delegation support, each multipart
+ * operation structure contains a `psa_algorithm_t alg` field which indicates
+ * which specific algorithm the structure is for. When the structure is not in
+ * use, `alg` is 0. Most of the structure consists of a union which is
+ * discriminated by `alg`.
+ *
+ * For multipart operations with driver delegation support, each multipart
+ * operation structure contains an `unsigned int id` field indicating which
+ * driver got assigned to do the operation. When the structure is not in use,
+ * 'id' is 0. The structure contains also a driver context which is the union
+ * of the contexts of all drivers able to handle the type of multipart
+ * operation.
+ *
+ * Note that when `alg` or `id` is 0, the content of other fields is undefined.
+ * In particular, it is not guaranteed that a freshly-initialized structure
+ * is all-zero: we initialize structures to something like `{0, 0}`, which
+ * is only guaranteed to initializes the first member of the union;
+ * GCC and Clang initialize the whole structure to 0 (at the time of writing),
+ * but MSVC and CompCert don't.
+ *
+ * In Mbed TLS, multipart operation structures live independently from
+ * the key. This allows Mbed TLS to free the key objects when destroying
+ * a key slot. If a multipart operation needs to remember the key after
+ * the setup function returns, the operation structure needs to contain a
+ * copy of the key.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_STRUCT_H
+#define PSA_CRYPTO_STRUCT_H
+#include "mbedtls/private_access.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+/* Include the context definition for the compiled-in drivers for the primitive
+ * algorithms. */
+#include "psa/crypto_driver_contexts_primitives.h"
+
+struct psa_hash_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_driver_wrappers.h.
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. the driver context is not active, in use). */
+ unsigned int MBEDTLS_PRIVATE(id);
+ psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx);
+#endif
+};
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_HASH_OPERATION_INIT { 0 }
+#else
+#define PSA_HASH_OPERATION_INIT { 0, { 0 } }
+#endif
+static inline struct psa_hash_operation_s psa_hash_operation_init(void)
+{
+ const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
+ return v;
+}
+
+struct psa_cipher_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ unsigned int MBEDTLS_PRIVATE(iv_required) : 1;
+ unsigned int MBEDTLS_PRIVATE(iv_set) : 1;
+
+ uint8_t MBEDTLS_PRIVATE(default_iv_length);
+
+ psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_CIPHER_OPERATION_INIT { 0 }
+#else
+#define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
+#endif
+static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
+{
+ const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
+ return v;
+}
+
+/* Include the context definition for the compiled-in drivers for the composite
+ * algorithms. */
+#include "psa/crypto_driver_contexts_composites.h"
+
+struct psa_mac_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+ uint8_t MBEDTLS_PRIVATE(mac_size);
+ unsigned int MBEDTLS_PRIVATE(is_sign) : 1;
+ psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_MAC_OPERATION_INIT { 0 }
+#else
+#define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }
+#endif
+static inline struct psa_mac_operation_s psa_mac_operation_init(void)
+{
+ const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
+ return v;
+}
+
+struct psa_aead_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ psa_key_type_t MBEDTLS_PRIVATE(key_type);
+
+ size_t MBEDTLS_PRIVATE(ad_remaining);
+ size_t MBEDTLS_PRIVATE(body_remaining);
+
+ unsigned int MBEDTLS_PRIVATE(nonce_set) : 1;
+ unsigned int MBEDTLS_PRIVATE(lengths_set) : 1;
+ unsigned int MBEDTLS_PRIVATE(ad_started) : 1;
+ unsigned int MBEDTLS_PRIVATE(body_started) : 1;
+ unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
+
+ psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_AEAD_OPERATION_INIT { 0 }
+#else
+#define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } }
+#endif
+static inline struct psa_aead_operation_s psa_aead_operation_init(void)
+{
+ const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
+ return v;
+}
+
+/* Include the context definition for the compiled-in drivers for the key
+ * derivation algorithms. */
+#include "psa/crypto_driver_contexts_key_derivation.h"
+
+struct psa_key_derivation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ unsigned int MBEDTLS_PRIVATE(can_output_key) : 1;
+ size_t MBEDTLS_PRIVATE(capacity);
+ psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_KEY_DERIVATION_OPERATION_INIT { 0 }
+#else
+/* This only zeroes out the first byte in the union, the rest is unspecified. */
+#define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } }
+#endif
+static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
+ void)
+{
+ const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
+ return v;
+}
+
+struct psa_key_production_parameters_s {
+ /* Future versions may add other fields in this structure. */
+ uint32_t flags;
+ uint8_t data[];
+};
+
+/** The default production parameters for key generation or key derivation.
+ *
+ * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext()
+ * with `params=PSA_KEY_PRODUCTION_PARAMETERS_INIT` and
+ * `params_data_length == 0` is equivalent to
+ * calling psa_generate_key() or psa_key_derivation_output_key()
+ * respectively.
+ */
+#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 }
+
+struct psa_key_policy_s {
+ psa_key_usage_t MBEDTLS_PRIVATE(usage);
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ psa_algorithm_t MBEDTLS_PRIVATE(alg2);
+};
+typedef struct psa_key_policy_s psa_key_policy_t;
+
+#define PSA_KEY_POLICY_INIT { 0, 0, 0 }
+static inline struct psa_key_policy_s psa_key_policy_init(void)
+{
+ const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
+ return v;
+}
+
+/* The type used internally for key sizes.
+ * Public interfaces use size_t, but internally we use a smaller type. */
+typedef uint16_t psa_key_bits_t;
+/* The maximum value of the type used to represent bit-sizes.
+ * This is used to mark an invalid key size. */
+#define PSA_KEY_BITS_TOO_LARGE ((psa_key_bits_t) -1)
+/* The maximum size of a key in bits.
+ * Currently defined as the maximum that can be represented, rounded down
+ * to a whole number of bytes.
+ * This is an uncast value so that it can be used in preprocessor
+ * conditionals. */
+#define PSA_MAX_KEY_BITS 0xfff8
+
+struct psa_key_attributes_s {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
+ int MBEDTLS_PRIVATE(has_slot_number);
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ psa_key_type_t MBEDTLS_PRIVATE(type);
+ psa_key_bits_t MBEDTLS_PRIVATE(bits);
+ psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
+ psa_key_policy_t MBEDTLS_PRIVATE(policy);
+ /* This type has a different layout in the client view wrt the
+ * service view of the key id, i.e. in service view usually is
+ * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined
+ * thus adding an owner field to the standard psa_key_id_t. For
+ * implementations with client/service separation, this means the
+ * object will be marshalled through a transport channel and
+ * interpreted differently at each side of the transport. Placing
+ * it at the end of structures allows to interpret the structure
+ * at the client without reorganizing the memory layout of the
+ * struct
+ */
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, 0,
+#else
+#define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER
+#endif
+#define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \
+ PSA_KEY_TYPE_NONE, 0, \
+ PSA_KEY_LIFETIME_VOLATILE, \
+ PSA_KEY_POLICY_INIT, \
+ MBEDTLS_SVC_KEY_ID_INIT }
+
+static inline struct psa_key_attributes_s psa_key_attributes_init(void)
+{
+ const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
+ return v;
+}
+
+static inline void psa_set_key_id(psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t key)
+{
+ psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(lifetime);
+
+ attributes->MBEDTLS_PRIVATE(id) = key;
+
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+ attributes->MBEDTLS_PRIVATE(lifetime) =
+ PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+ PSA_KEY_LIFETIME_PERSISTENT,
+ PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
+ }
+}
+
+static inline mbedtls_svc_key_id_t psa_get_key_id(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(id);
+}
+
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
+ mbedtls_key_owner_id_t owner)
+{
+ attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner;
+}
+#endif
+
+static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
+ psa_key_lifetime_t lifetime)
+{
+ attributes->MBEDTLS_PRIVATE(lifetime) = lifetime;
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0;
+#else
+ attributes->MBEDTLS_PRIVATE(id) = 0;
+#endif
+ }
+}
+
+static inline psa_key_lifetime_t psa_get_key_lifetime(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(lifetime);
+}
+
+static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
+{
+ if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH) {
+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
+ }
+
+ if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH) {
+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ }
+}
+
+static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
+ psa_key_usage_t usage_flags)
+{
+ psa_extend_key_usage_flags(&usage_flags);
+ attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags;
+}
+
+static inline psa_key_usage_t psa_get_key_usage_flags(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage);
+}
+
+static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
+ psa_algorithm_t alg)
+{
+ attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg;
+}
+
+static inline psa_algorithm_t psa_get_key_algorithm(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg);
+}
+
+static inline void psa_set_key_type(psa_key_attributes_t *attributes,
+ psa_key_type_t type)
+{
+ attributes->MBEDTLS_PRIVATE(type) = type;
+}
+
+static inline psa_key_type_t psa_get_key_type(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(type);
+}
+
+static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
+ size_t bits)
+{
+ if (bits > PSA_MAX_KEY_BITS) {
+ attributes->MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE;
+ } else {
+ attributes->MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits;
+ }
+}
+
+static inline size_t psa_get_key_bits(
+ const psa_key_attributes_t *attributes)
+{
+ return attributes->MBEDTLS_PRIVATE(bits);
+}
+
+/**
+ * \brief The context for PSA interruptible hash signing.
+ */
+struct psa_sign_hash_interruptible_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#else
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+#endif
+
+static inline struct psa_sign_hash_interruptible_operation_s
+psa_sign_hash_interruptible_operation_init(void)
+{
+ const struct psa_sign_hash_interruptible_operation_s v =
+ PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
+/**
+ * \brief The context for PSA interruptible hash verification.
+ */
+struct psa_verify_hash_interruptible_operation_s {
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_psa_client_handle_t handle;
+#else
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+#endif
+};
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#else
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+#endif
+
+static inline struct psa_verify_hash_interruptible_operation_s
+psa_verify_hash_interruptible_operation_init(void)
+{
+ const struct psa_verify_hash_interruptible_operation_s v =
+ PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STRUCT_H */
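Review bot: `psa_set_key_bits()` silently stores `PSA_KEY_BITS_TOO_LARGE` when `bits > PSA_MAX_KEY_BITS`, and `psa_get_key_bits()` then returns that sentinel (65535, since `psa_key_bits_t` is `uint16_t`) as if it were a size; neither definition says so. A caller that derives a buffer size or a strength decision from the getter would be working from a value that was never requested. I would add a comment above the setter, `/* Sizes above PSA_MAX_KEY_BITS are stored as PSA_KEY_BITS_TOO_LARGE; psa_get_key_bits() then returns that sentinel, which is not a valid key size. */`, and a one-line counterpart on the getter telling callers to reject values above `PSA_MAX_KEY_BITS`. The public API documentation may already cover this in another header, but that is not visible from this hunk.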
diff --git a/tf-psa-crypto/include/psa/crypto_types.h b/tf-psa-crypto/include/psa/crypto_types.h
new file mode 100644
index 0000000..c21bad8
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_types.h
@@ -0,0 +1,484 @@
+/**
+ * \file psa/crypto_types.h
+ *
+ * \brief PSA cryptography module: type aliases.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h. Drivers must include the appropriate driver
+ * header file.
+ *
+ * This file contains portable definitions of integral types for properties
+ * of cryptographic keys, designations of cryptographic algorithms, and
+ * error codes returned by the library.
+ *
+ * This header file does not declare any function.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_TYPES_H
+#define PSA_CRYPTO_TYPES_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+/* Define the MBEDTLS_PRIVATE macro. */
+#include "mbedtls/private_access.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
+#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
+#else
+#include "crypto_platform.h"
+#endif
+
+#include <stdint.h>
+
+/** \defgroup error Error codes
+ * @{
+ */
+
+/**
+ * \brief Function return status.
+ *
+ * This is either #PSA_SUCCESS (which is zero), indicating success,
+ * or a small negative value indicating that an error occurred. Errors are
+ * encoded as one of the \c PSA_ERROR_xxx values defined here. */
+/* If #PSA_SUCCESS is already defined, it means that #psa_status_t
+ * is also defined in an external header, so prevent its multiple
+ * definition.
+ */
+#ifndef PSA_SUCCESS
+typedef int32_t psa_status_t;
+#endif
+
+/**@}*/
+
+/** \defgroup crypto_types Key and algorithm types
+ * @{
+ */
+
+/** \brief Encoding of a key type.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_TYPE_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint16_t psa_key_type_t;
+
+/** The type of PSA elliptic curve family identifiers.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_ECC_FAMILY_xxx`.
+ *
+ * The curve identifier is required to create an ECC key using the
+ * PSA_KEY_TYPE_ECC_KEY_PAIR() or PSA_KEY_TYPE_ECC_PUBLIC_KEY()
+ * macros.
+ *
+ * Values defined by this standard will never be in the range 0x80-0xff.
+ * Vendors who define additional families must use an encoding in this range.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint8_t psa_ecc_family_t;
+
+/** The type of PSA Diffie-Hellman group family identifiers.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_DH_FAMILY_xxx`.
+ *
+ * The group identifier is required to create a Diffie-Hellman key using the
+ * PSA_KEY_TYPE_DH_KEY_PAIR() or PSA_KEY_TYPE_DH_PUBLIC_KEY()
+ * macros.
+ *
+ * Values defined by this standard will never be in the range 0x80-0xff.
+ * Vendors who define additional families must use an encoding in this range.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint8_t psa_dh_family_t;
+
+/** \brief Encoding of a cryptographic algorithm.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_ALG_xxx`.
+ *
+ * For algorithms that can be applied to multiple key types, this type
+ * does not encode the key type. For example, for symmetric ciphers
+ * based on a block cipher, #psa_algorithm_t encodes the block cipher
+ * mode and the padding mode while the block cipher itself is encoded
+ * via #psa_key_type_t.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint32_t psa_algorithm_t;
+
+/**@}*/
+
+/** \defgroup key_lifetimes Key lifetimes
+ * @{
+ */
+
+/** Encoding of key lifetimes.
+ *
+ * The lifetime of a key indicates where it is stored and what system actions
+ * may create and destroy it.
+ *
+ * Lifetime values have the following structure:
+ * - Bits 0-7 (#PSA_KEY_LIFETIME_GET_PERSISTENCE(\c lifetime)):
+ * persistence level. This value indicates what device management
+ * actions can cause it to be destroyed. In particular, it indicates
+ * whether the key is _volatile_ or _persistent_.
+ * See ::psa_key_persistence_t for more information.
+ * - Bits 8-31 (#PSA_KEY_LIFETIME_GET_LOCATION(\c lifetime)):
+ * location indicator. This value indicates which part of the system
+ * has access to the key material and can perform operations using the key.
+ * See ::psa_key_location_t for more information.
+ *
+ * Volatile keys are automatically destroyed when the application instance
+ * terminates or on a power reset of the device. Persistent keys are
+ * preserved until the application explicitly destroys them or until an
+ * integration-specific device management event occurs (for example,
+ * a factory reset).
+ *
+ * Persistent keys have a key identifier of type #mbedtls_svc_key_id_t.
+ * This identifier remains valid throughout the lifetime of the key,
+ * even if the application instance that created the key terminates.
+ * The application can call psa_open_key() to open a persistent key that
+ * it created previously.
+ *
+ * The default lifetime of a key is #PSA_KEY_LIFETIME_VOLATILE. The lifetime
+ * #PSA_KEY_LIFETIME_PERSISTENT is supported if persistent storage is
+ * available. Other lifetime values may be supported depending on the
+ * library configuration.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_LIFETIME_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint32_t psa_key_lifetime_t;
+
+/** Encoding of key persistence levels.
+ *
+ * What distinguishes different persistence levels is what device management
+ * events may cause keys to be destroyed. _Volatile_ keys are destroyed
+ * by a power reset. Persistent keys may be destroyed by events such as
+ * a transfer of ownership or a factory reset. What management events
+ * actually affect persistent keys at different levels is outside the
+ * scope of the PSA Cryptography specification.
+ *
+ * The PSA Cryptography specification defines the following values of
+ * persistence levels:
+ * - \c 0 = #PSA_KEY_PERSISTENCE_VOLATILE: volatile key.
+ * A volatile key is automatically destroyed by the implementation when
+ * the application instance terminates. In particular, a volatile key
+ * is automatically destroyed on a power reset of the device.
+ * - \c 1 = #PSA_KEY_PERSISTENCE_DEFAULT:
+ * persistent key with a default lifetime.
+ * - \c 2-254: currently not supported by Mbed TLS.
+ * - \c 255 = #PSA_KEY_PERSISTENCE_READ_ONLY:
+ * read-only or write-once key.
+ * A key with this persistence level cannot be destroyed.
+ * Mbed TLS does not currently offer a way to create such keys, but
+ * integrations of Mbed TLS can use it for built-in keys that the
+ * application cannot modify (for example, a hardware unique key (HUK)).
+ *
+ * \note Key persistence levels are 8-bit values. Key management
+ * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
+ * encode the persistence as the lower 8 bits of a 32-bit value.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint8_t psa_key_persistence_t;
+
+/** Encoding of key location indicators.
+ *
+ * If an integration of Mbed TLS can make calls to external
+ * cryptoprocessors such as secure elements, the location of a key
+ * indicates which secure element performs the operations on the key.
+ * Depending on the design of the secure element, the key
+ * material may be stored either in the secure element, or
+ * in wrapped (encrypted) form alongside the key metadata in the
+ * primary local storage.
+ *
+ * The PSA Cryptography API specification defines the following values of
+ * location indicators:
+ * - \c 0: primary local storage.
+ * This location is always available.
+ * The primary local storage is typically the same storage area that
+ * contains the key metadata.
+ * - \c 1: primary secure element.
+ * Integrations of Mbed TLS should support this value if there is a secure
+ * element attached to the operating environment.
+ * As a guideline, secure elements may provide higher resistance against
+ * side channel and physical attacks than the primary local storage, but may
+ * have restrictions on supported key types, sizes, policies and operations
+ * and may have different performance characteristics.
+ * - \c 2-0x7fffff: other locations defined by a PSA specification.
+ * The PSA Cryptography API does not currently assign any meaning to these
+ * locations, but future versions of that specification or other PSA
+ * specifications may do so.
+ * - \c 0x800000-0xffffff: vendor-defined locations.
+ * No PSA specification will assign a meaning to locations in this range.
+ *
+ * \note Key location indicators are 24-bit values. Key management
+ * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which
+ * encode the location as the upper 24 bits of a 32-bit value.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint32_t psa_key_location_t;
+
+/** Encoding of identifiers of persistent keys.
+ *
+ * - Applications may freely choose key identifiers in the range
+ * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX.
+ * - The implementation may define additional key identifiers in the range
+ * #PSA_KEY_ID_VENDOR_MIN to #PSA_KEY_ID_VENDOR_MAX.
+ * - 0 is reserved as an invalid key identifier.
+ * - Key identifiers outside these ranges are reserved for future use.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to how values are allocated must require careful
+ * consideration to allow backward compatibility.
+ */
+typedef uint32_t psa_key_id_t;
+
+/** Encoding of key identifiers as seen inside the PSA Crypto implementation.
+ *
+ * When PSA Crypto is built as a library inside an application, this type
+ * is identical to #psa_key_id_t. When PSA Crypto is built as a service
+ * that can store keys on behalf of multiple clients, this type
+ * encodes the #psa_key_id_t value seen by each client application as
+ * well as extra information that identifies the client that owns
+ * the key.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+typedef psa_key_id_t mbedtls_svc_key_id_t;
+
+#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+/* Implementation-specific: The Mbed TLS library can be built as
+ * part of a multi-client service that exposes the PSA Cryptography API in each
+ * client and encodes the client identity in the key identifier argument of
+ * functions such as psa_open_key().
+ */
+typedef struct {
+ psa_key_id_t MBEDTLS_PRIVATE(key_id);
+ mbedtls_key_owner_id_t MBEDTLS_PRIVATE(owner);
+} mbedtls_svc_key_id_t;
+
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
+/**@}*/
+
+/** \defgroup policy Key policies
+ * @{
+ */
+
+/** \brief Encoding of permitted usage on a key.
+ *
+ * Values of this type are generally constructed as bitwise-ors of macros
+ * called `PSA_KEY_USAGE_xxx`.
+ *
+ * \note Values of this type are encoded in the persistent key store.
+ * Any changes to existing values will require bumping the storage
+ * format version and providing a translation when reading the old
+ * format.
+ */
+typedef uint32_t psa_key_usage_t;
+
+/**@}*/
+
+/** \defgroup attributes Key attributes
+ * @{
+ */
+
+/** The type of a structure containing key attributes.
+ *
+ * This is an opaque structure that can represent the metadata of a key
+ * object. Metadata that can be stored in attributes includes:
+ * - The location of the key in storage, indicated by its key identifier
+ * and its lifetime.
+ * - The key's policy, comprising usage flags and a specification of
+ * the permitted algorithm(s).
+ * - Information about the key itself: the key type and its size.
+ * - Additional implementation-defined attributes.
+ *
+ * The actual key material is not considered an attribute of a key.
+ * Key attributes do not contain information that is generally considered
+ * highly confidential.
+ *
+ * An attribute structure works like a simple data structure where each function
+ * `psa_set_key_xxx` sets a field and the corresponding function
+ * `psa_get_key_xxx` retrieves the value of the corresponding field.
+ * However, a future version of the library may report values that are
+ * equivalent to the original one, but have a different encoding. Invalid
+ * values may be mapped to different, also invalid values.
+ *
+ * An attribute structure may contain references to auxiliary resources,
+ * for example pointers to allocated memory or indirect references to
+ * pre-calculated values. In order to free such resources, the application
+ * must call psa_reset_key_attributes(). As an exception, calling
+ * psa_reset_key_attributes() on an attribute structure is optional if
+ * the structure has only been modified by the following functions
+ * since it was initialized or last reset with psa_reset_key_attributes():
+ * - psa_set_key_id()
+ * - psa_set_key_lifetime()
+ * - psa_set_key_type()
+ * - psa_set_key_bits()
+ * - psa_set_key_usage_flags()
+ * - psa_set_key_algorithm()
+ *
+ * Before calling any function on a key attribute structure, the application
+ * must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_key_attributes_t attributes;
+ * memset(&attributes, 0, sizeof(attributes));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_key_attributes_t attributes = {0};
+ * \endcode
+ * - Initialize the structure to the initializer #PSA_KEY_ATTRIBUTES_INIT,
+ * for example:
+ * \code
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * \endcode
+ * - Assign the result of the function psa_key_attributes_init()
+ * to the structure, for example:
+ * \code
+ * psa_key_attributes_t attributes;
+ * attributes = psa_key_attributes_init();
+ * \endcode
+ *
+ * A freshly initialized attribute structure contains the following
+ * values:
+ *
+ * - lifetime: #PSA_KEY_LIFETIME_VOLATILE.
+ * - key identifier: 0 (which is not a valid key identifier).
+ * - type: \c 0 (meaning that the type is unspecified).
+ * - key size: \c 0 (meaning that the size is unspecified).
+ * - usage flags: \c 0 (which allows no usage except exporting a public key).
+ * - algorithm: \c 0 (which allows no cryptographic usage, but allows
+ * exporting).
+ *
+ * A typical sequence to create a key is as follows:
+ * -# Create and initialize an attribute structure.
+ * -# If the key is persistent, call psa_set_key_id().
+ * Also call psa_set_key_lifetime() to place the key in a non-default
+ * location.
+ * -# Set the key policy with psa_set_key_usage_flags() and
+ * psa_set_key_algorithm().
+ * -# Set the key type with psa_set_key_type().
+ * Skip this step if copying an existing key with psa_copy_key().
+ * -# When generating a random key with psa_generate_key() or deriving a key
+ * with psa_key_derivation_output_key(), set the desired key size with
+ * psa_set_key_bits().
+ * -# Call a key creation function: psa_import_key(), psa_generate_key(),
+ * psa_key_derivation_output_key() or psa_copy_key(). This function reads
+ * the attribute structure, creates a key with these attributes, and
+ * outputs a key identifier to the newly created key.
+ * -# The attribute structure is now no longer necessary.
+ * You may call psa_reset_key_attributes(), although this is optional
+ * with the workflow presented here because the attributes currently
+ * defined in this specification do not require any additional resources
+ * beyond the structure itself.
+ *
+ * A typical sequence to query a key's attributes is as follows:
+ * -# Call psa_get_key_attributes().
+ * -# Call `psa_get_key_xxx` functions to retrieve the attribute(s) that
+ * you are interested in.
+ * -# Call psa_reset_key_attributes() to free any resources that may be
+ * used by the attribute structure.
+ *
+ * Once a key has been created, it is impossible to change its attributes.
+ */
+typedef struct psa_key_attributes_s psa_key_attributes_t;
+
+
+#ifndef __DOXYGEN_ONLY__
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* Mbed TLS defines this type in crypto_types.h because it is also
+ * visible to applications through an implementation-specific extension.
+ * For the PSA Cryptography specification, this type is only visible
+ * via crypto_se_driver.h. */
+typedef uint64_t psa_key_slot_number_t;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#endif /* !__DOXYGEN_ONLY__ */
+
+/**@}*/
+
+/** \defgroup derivation Key derivation
+ * @{
+ */
+
+/** \brief Encoding of the step of a key derivation.
+ *
+ * Values of this type are generally constructed by macros called
+ * `PSA_KEY_DERIVATION_INPUT_xxx`.
+ */
+typedef uint16_t psa_key_derivation_step_t;
+
+/** \brief Custom parameters for key generation or key derivation.
+ *
+ * This is a structure type with at least the following fields:
+ *
+ * - \c flags: an unsigned integer type. 0 for the default production parameters.
+ * - \c data: a flexible array of bytes.
+ *
+ * The interpretation of this structure depend on the type of the
+ * created key.
+ *
+ * - #PSA_KEY_TYPE_RSA_KEY_PAIR:
+ * - \c flags: must be 0.
+ * - \c data: the public exponent, in little-endian order.
+ * This must be an odd integer and must not be 1.
+ * Implementations must support 65537, should support 3 and may
+ * support other values.
+ * When not using a driver, Mbed TLS supports values up to \c INT_MAX.
+ * If this is empty or if the custom production parameters are omitted
+ * altogether, the default value 65537 is used.
+ * - Other key types: reserved for future use. \c flags must be 0.
+ *
+ */
+typedef struct psa_key_production_parameters_s psa_key_production_parameters_t;
+
+/**@}*/
+
+#endif /* PSA_CRYPTO_TYPES_H */
diff --git a/tf-psa-crypto/include/psa/crypto_values.h b/tf-psa-crypto/include/psa/crypto_values.h
new file mode 100644
index 0000000..1d678db
--- /dev/null
+++ b/tf-psa-crypto/include/psa/crypto_values.h
@@ -0,0 +1,2783 @@
+/**
+ * \file psa/crypto_values.h
+ *
+ * \brief PSA cryptography module: macros to build and analyze integer values.
+ *
+ * \note This file may not be included directly. Applications must
+ * include psa/crypto.h. Drivers must include the appropriate driver
+ * header file.
+ *
+ * This file contains portable definitions of macros to build and analyze
+ * values of integral types that encode properties of cryptographic keys,
+ * designations of cryptographic algorithms, and error codes returned by
+ * the library.
+ *
+ * Note that many of the constants defined in this file are embedded in
+ * the persistent key store, as part of key metadata (including usage
+ * policies). As a consequence, they must not be changed (unless the storage
+ * format version changes).
+ *
+ * This header file only defines preprocessor macros.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_VALUES_H
+#define PSA_CRYPTO_VALUES_H
+#include "mbedtls/private_access.h"
+
+/** \defgroup error Error codes
+ * @{
+ */
+
+/* PSA error codes */
+
+/* Error codes are standardized across PSA domains (framework, crypto, storage,
+ * etc.). Do not change the values in this section or even the expansions
+ * of each macro: it must be possible to `#include` both this header
+ * and some other PSA component's headers in the same C source,
+ * which will lead to duplicate definitions of the `PSA_SUCCESS` and
+ * `PSA_ERROR_xxx` macros, which is ok if and only if the macros expand
+ * to the same sequence of tokens.
+ *
+ * If you must add a new
+ * value, check with the Arm PSA framework group to pick one that other
+ * domains aren't already using. */
+
+/* Tell uncrustify not to touch the constant definitions, otherwise
+ * it might change the spacing to something that is not PSA-compliant
+ * (e.g. adding a space after casts).
+ *
+ * *INDENT-OFF*
+ */
+
+/** The action was completed successfully. */
+#define PSA_SUCCESS ((psa_status_t)0)
+
+/** An error occurred that does not correspond to any defined
+ * failure cause.
+ *
+ * Implementations may use this error code if none of the other standard
+ * error codes are applicable. */
+#define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)
+
+/** The requested operation or a parameter is not supported
+ * by this implementation.
+ *
+ * Implementations should return this error code when an enumeration
+ * parameter such as a key type, algorithm, etc. is not recognized.
+ * If a combination of parameters is recognized and identified as
+ * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */
+#define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)
+
+/** The requested action is denied by a policy.
+ *
+ * Implementations should return this error code when the parameters
+ * are recognized as valid and supported, and a policy explicitly
+ * denies the requested operation.
+ *
+ * If a subset of the parameters of a function call identify a
+ * forbidden operation, and another subset of the parameters are
+ * not valid or not supported, it is unspecified whether the function
+ * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or
+ * #PSA_ERROR_INVALID_ARGUMENT. */
+#define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)
+
+/** An output buffer is too small.
+ *
+ * Applications can call the \c PSA_xxx_SIZE macro listed in the function
+ * description to determine a sufficient buffer size.
+ *
+ * Implementations should preferably return this error code only
+ * in cases when performing the operation with a larger output
+ * buffer would succeed. However implementations may return this
+ * error if a function has invalid or unsupported parameters in addition
+ * to the parameters that determine the necessary output buffer size. */
+#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
+
+/** Asking for an item that already exists
+ *
+ * Implementations should return this error, when attempting
+ * to write an item (like a key) that already exists. */
+#define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)
+
+/** Asking for an item that doesn't exist
+ *
+ * Implementations should return this error, if a requested item (like
+ * a key) does not exist. */
+#define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)
+
+/** The requested action cannot be performed in the current state.
+ *
+ * Multipart operations return this error when one of the
+ * functions is called out of sequence. Refer to the function
+ * descriptions for permitted sequencing of functions.
+ *
+ * Implementations shall not return this error code to indicate
+ * that a key either exists or not,
+ * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST
+ * as applicable.
+ *
+ * Implementations shall not return this error code to indicate that a
+ * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
+ * instead. */
+#define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
+
+/** The parameters passed to the function are invalid.
+ *
+ * Implementations may return this error any time a parameter or
+ * combination of parameters are recognized as invalid.
+ *
+ * Implementations shall not return this error code to indicate that a
+ * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
+ * instead.
+ */
+#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
+
+/** There is not enough runtime memory.
+ *
+ * If the action is carried out across multiple security realms, this
+ * error can refer to available memory in any of the security realms. */
+#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)
+
+/** There is not enough persistent storage.
+ *
+ * Functions that modify the key storage return this error code if
+ * there is insufficient storage space on the host media. In addition,
+ * many functions that do not otherwise access storage may return this
+ * error code if the implementation requires a mandatory log entry for
+ * the requested action and the log storage space is full. */
+#define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)
+
+/** There was a communication failure inside the implementation.
+ *
+ * This can indicate a communication failure between the application
+ * and an external cryptoprocessor or between the cryptoprocessor and
+ * an external volatile or persistent memory. A communication failure
+ * may be transient or permanent depending on the cause.
+ *
+ * \warning If a function returns this error, it is undetermined
+ * whether the requested action has completed or not. Implementations
+ * should return #PSA_SUCCESS on successful completion whenever
+ * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE
+ * if the requested action was completed successfully in an external
+ * cryptoprocessor but there was a breakdown of communication before
+ * the cryptoprocessor could report the status to the application.
+ */
+#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)
+
+/** There was a storage failure that may have led to data loss.
+ *
+ * This error indicates that some persistent storage is corrupted.
+ * It should not be used for a corruption of volatile memory
+ * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error
+ * between the cryptoprocessor and its external storage (use
+ * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is
+ * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE).
+ *
+ * Note that a storage failure does not indicate that any data that was
+ * previously read is invalid. However this previously read data may no
+ * longer be readable from storage.
+ *
+ * When a storage failure occurs, it is no longer possible to ensure
+ * the global integrity of the keystore. Depending on the global
+ * integrity guarantees offered by the implementation, access to other
+ * data may or may not fail even if the data is still readable but
+ * its integrity cannot be guaranteed.
+ *
+ * Implementations should only use this error code to report a
+ * permanent storage corruption. However application writers should
+ * keep in mind that transient errors while reading the storage may be
+ * reported using this error code. */
+#define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)
+
+/** A hardware failure was detected.
+ *
+ * A hardware failure may be transient or permanent depending on the
+ * cause. */
+#define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)
+
+/** A tampering attempt was detected.
+ *
+ * If an application receives this error code, there is no guarantee
+ * that previously accessed or computed data was correct and remains
+ * confidential. Applications should not perform any security function
+ * and should enter a safe failure state.
+ *
+ * Implementations may return this error code if they detect an invalid
+ * state that cannot happen during normal operation and that indicates
+ * that the implementation's security guarantees no longer hold. Depending
+ * on the implementation architecture and on its security and safety goals,
+ * the implementation may forcibly terminate the application.
+ *
+ * This error code is intended as a last resort when a security breach
+ * is detected and it is unsure whether the keystore data is still
+ * protected. Implementations shall only return this error code
+ * to report an alarm from a tampering detector, to indicate that
+ * the confidentiality of stored data can no longer be guaranteed,
+ * or to indicate that the integrity of previously returned data is now
+ * considered compromised. Implementations shall not use this error code
+ * to indicate a hardware failure that merely makes it impossible to
+ * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE,
+ * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE,
+ * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code
+ * instead).
+ *
+ * This error indicates an attack against the application. Implementations
+ * shall not return this error code as a consequence of the behavior of
+ * the application itself. */
+#define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)
+
+/** There is not enough entropy to generate random data needed
+ * for the requested action.
+ *
+ * This error indicates a failure of a hardware random generator.
+ * Application writers should note that this error can be returned not
+ * only by functions whose purpose is to generate random data, such
+ * as key, IV or nonce generation, but also by functions that execute
+ * an algorithm with a randomized result, as well as functions that
+ * use randomization of intermediate computations as a countermeasure
+ * to certain attacks.
+ *
+ * Implementations should avoid returning this error after psa_crypto_init()
+ * has succeeded. Implementations should generate sufficient
+ * entropy during initialization and subsequently use a cryptographically
+ * secure pseudorandom generator (PRNG). However implementations may return
+ * this error at any time if a policy requires the PRNG to be reseeded
+ * during normal operation. */
+#define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
+
+/** The signature, MAC or hash is incorrect.
+ *
+ * Verification functions return this error if the verification
+ * calculations completed successfully, and the value to be verified
+ * was determined to be incorrect.
+ *
+ * If the value to verify has an invalid size, implementations may return
+ * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */
+#define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)
+
+/** The decrypted padding is incorrect.
+ *
+ * \warning In some protocols, when decrypting data, it is essential that
+ * the behavior of the application does not depend on whether the padding
+ * is correct, down to precise timing. Applications should prefer
+ * protocols that use authenticated encryption rather than plain
+ * encryption. If the application must perform a decryption of
+ * unauthenticated data, the application writer should take care not
+ * to reveal whether the padding is invalid.
+ *
+ * Implementations should strive to make valid and invalid padding
+ * as close as possible to indistinguishable to an external observer.
+ * In particular, the timing of a decryption operation should not
+ * depend on the validity of the padding. */
+#define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)
+
+/** Return this error when there's insufficient data when attempting
+ * to read from a resource. */
+#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
+
+/** This can be returned if a function can no longer operate correctly.
+ * For example, if an essential initialization operation failed or
+ * a mutex operation failed. */
+#define PSA_ERROR_SERVICE_FAILURE ((psa_status_t)-144)
+
+/** The key identifier is not valid. See also :ref:\`key-handles\`.
+ */
+#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
+
+/** Stored data has been corrupted.
+ *
+ * This error indicates that some persistent storage has suffered corruption.
+ * It does not indicate the following situations, which have specific error
+ * codes:
+ *
+ * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED.
+ * - A communication error between the cryptoprocessor and its external
+ * storage - use #PSA_ERROR_COMMUNICATION_FAILURE.
+ * - When the storage is in a valid state but is full - use
+ * #PSA_ERROR_INSUFFICIENT_STORAGE.
+ * - When the storage fails for other reasons - use
+ * #PSA_ERROR_STORAGE_FAILURE.
+ * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID.
+ *
+ * \note A storage corruption does not indicate that any data that was
+ * previously read is invalid. However this previously read data might no
+ * longer be readable from storage.
+ *
+ * When a storage failure occurs, it is no longer possible to ensure the
+ * global integrity of the keystore.
+ */
+#define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)
+
+/** Data read from storage is not valid for the implementation.
+ *
+ * This error indicates that some data read from storage does not have a valid
+ * format. It does not indicate the following situations, which have specific
+ * error codes:
+ *
+ * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT
+ * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE
+ * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT
+ *
+ * This error is typically a result of either storage corruption on a
+ * cleartext storage backend, or an attempt to read data that was
+ * written by an incompatible version of the library.
+ */
+#define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
+
+/** The function that returns this status is defined as interruptible and
+ * still has work to do, thus the user should call the function again with the
+ * same operation context until it either returns #PSA_SUCCESS or any other
+ * error. This is not an error per se, more a notification of status.
+ */
+#define PSA_OPERATION_INCOMPLETE ((psa_status_t)-248)
+
+/* *INDENT-ON* */
+
+/**@}*/
+
+/** \defgroup crypto_types Key and algorithm types
+ * @{
+ */
+
+/* Note that key type values, including ECC family and DH group values, are
+ * embedded in the persistent key store, as part of key metadata. As a
+ * consequence, they must not be changed (unless the storage format version
+ * changes).
+ */
+
+/** An invalid key type value.
+ *
+ * Zero is not the encoding of any key type.
+ */
+#define PSA_KEY_TYPE_NONE ((psa_key_type_t) 0x0000)
+
+/** Vendor-defined key type flag.
+ *
+ * Key types defined by this standard will never have the
+ * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types
+ * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should
+ * respect the bitwise structure used by standard encodings whenever practical.
+ */
+#define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t) 0x8000)
+
+#define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t) 0x7000)
+#define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t) 0x1000)
+#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t) 0x2000)
+#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t) 0x4000)
+#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t) 0x7000)
+
+#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t) 0x3000)
+
+/** Whether a key type is vendor-defined.
+ *
+ * See also #PSA_KEY_TYPE_VENDOR_FLAG.
+ */
+#define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \
+ (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)
+
+/** Whether a key type is an unstructured array of bytes.
+ *
+ * This encompasses both symmetric keys and non-key data.
+ */
+#define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
+ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \
+ ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
+
+/** Whether a key type is asymmetric: either a key pair or a public key. */
+#define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \
+ (((type) & PSA_KEY_TYPE_CATEGORY_MASK \
+ & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \
+ PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
+/** Whether a key type is the public part of a key pair. */
+#define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \
+ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
+/** Whether a key type is a key pair containing a private part and a public
+ * part. */
+#define PSA_KEY_TYPE_IS_KEY_PAIR(type) \
+ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)
+/** The key pair type corresponding to a public key type.
+ *
+ * You may also pass a key pair type as \p type, it will be left unchanged.
+ *
+ * \param type A public key type or key pair type.
+ *
+ * \return The corresponding key pair type.
+ * If \p type is not a public key or a key pair,
+ * the return value is undefined.
+ */
+#define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) \
+ ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
+/** The public key type corresponding to a key pair type.
+ *
+ * You may also pass a public key type as \p type, it will be left unchanged.
+ *
+ * \param type A public key type or key pair type.
+ *
+ * \return The corresponding public key type.
+ * If \p type is not a public key or a key pair,
+ * the return value is undefined.
+ */
+#define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) \
+ ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
+
+/** Raw data.
+ *
+ * A "key" of this type cannot be used for any cryptographic operation.
+ * Applications may use this type to store arbitrary data in the keystore. */
+#define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t) 0x1001)
+
+/** HMAC key.
+ *
+ * The key policy determines which underlying hash algorithm the key can be
+ * used for.
+ *
+ * HMAC keys should generally have the same size as the underlying hash.
+ * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where
+ * \c alg is the HMAC algorithm or the underlying hash algorithm. */
+#define PSA_KEY_TYPE_HMAC ((psa_key_type_t) 0x1100)
+
+/** A secret for key derivation.
+ *
+ * This key type is for high-entropy secrets only. For low-entropy secrets,
+ * #PSA_KEY_TYPE_PASSWORD should be used instead.
+ *
+ * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms.
+ *
+ * The key policy determines which key derivation algorithm the key
+ * can be used for.
+ */
+#define PSA_KEY_TYPE_DERIVE ((psa_key_type_t) 0x1200)
+
+/** A low-entropy secret for password hashing or key derivation.
+ *
+ * This key type is suitable for passwords and passphrases which are typically
+ * intended to be memorizable by humans, and have a low entropy relative to
+ * their size. It can be used for randomly generated or derived keys with
+ * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable
+ * for such keys. It is not suitable for passwords with extremely low entropy,
+ * such as numerical PINs.
+ *
+ * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of
+ * key derivation algorithms. Algorithms that accept such an input were
+ * designed to accept low-entropy secret and are known as password hashing or
+ * key stretching algorithms.
+ *
+ * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of
+ * key derivation algorithms, as the algorithms that take such an input expect
+ * it to be high-entropy.
+ *
+ * The key policy determines which key derivation algorithm the key can be
+ * used for, among the permissible subset defined above.
+ */
+#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t) 0x1203)
+
+/** A secret value that can be used to verify a password hash.
+ *
+ * The key policy determines which key derivation algorithm the key
+ * can be used for, among the same permissible subset as for
+ * #PSA_KEY_TYPE_PASSWORD.
+ */
+#define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t) 0x1205)
+
+/** A secret value that can be used in when computing a password hash.
+ *
+ * The key policy determines which key derivation algorithm the key
+ * can be used for, among the subset of algorithms that can use pepper.
+ */
+#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t) 0x1206)
+
+/** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
+ *
+ * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
+ * 32 bytes (AES-256).
+ */
+#define PSA_KEY_TYPE_AES ((psa_key_type_t) 0x2400)
+
+/** Key for a cipher, AEAD or MAC algorithm based on the
+ * ARIA block cipher. */
+#define PSA_KEY_TYPE_ARIA ((psa_key_type_t) 0x2406)
+
+/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
+ *
+ * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
+ * 192 bits (3-key 3DES).
+ *
+ * Note that single DES and 2-key 3DES are weak and strongly
+ * deprecated and should only be used to decrypt legacy data. 3-key 3DES
+ * is weak and deprecated and should only be used in legacy protocols.
+ */
+#define PSA_KEY_TYPE_DES ((psa_key_type_t) 0x2301)
+
+/** Key for a cipher, AEAD or MAC algorithm based on the
+ * Camellia block cipher. */
+#define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t) 0x2403)
+
+/** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
+ *
+ * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
+ *
+ * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
+ * 12-byte nonces.
+ *
+ * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
+ * with the initial counter value 1, you can process and discard a
+ * 64-byte block before the real data.
+ */
+#define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t) 0x2004)
+
+/** RSA public key.
+ *
+ * The size of an RSA key is the bit size of the modulus.
+ */
+#define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t) 0x4001)
+/** RSA key pair (private and public key).
+ *
+ * The size of an RSA key is the bit size of the modulus.
+ */
+#define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t) 0x7001)
+/** Whether a key type is an RSA key (pair or public-only). */
+#define PSA_KEY_TYPE_IS_RSA(type) \
+ (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
+
+#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t) 0x4100)
+#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t) 0x7100)
+#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t) 0x00ff)
+/** Elliptic curve key pair.
+ *
+ * The size of an elliptic curve key is the bit size associated with the curve,
+ * i.e. the bit size of *q* for a curve over a field *F<sub>q</sub>*.
+ * See the documentation of `PSA_ECC_FAMILY_xxx` curve families for details.
+ *
+ * \param curve A value of type ::psa_ecc_family_t that
+ * identifies the ECC curve to be used.
+ */
+#define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
+ (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
+/** Elliptic curve public key.
+ *
+ * The size of an elliptic curve public key is the same as the corresponding
+ * private key (see #PSA_KEY_TYPE_ECC_KEY_PAIR and the documentation of
+ * `PSA_ECC_FAMILY_xxx` curve families).
+ *
+ * \param curve A value of type ::psa_ecc_family_t that
+ * identifies the ECC curve to be used.
+ */
+#define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
+ (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
+
+/** Whether a key type is an elliptic curve key (pair or public-only). */
+#define PSA_KEY_TYPE_IS_ECC(type) \
+ ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
+ ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
+/** Whether a key type is an elliptic curve key pair. */
+#define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) \
+ (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
+ PSA_KEY_TYPE_ECC_KEY_PAIR_BASE)
+/** Whether a key type is an elliptic curve public key. */
+#define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) \
+ (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
+
+/** Extract the curve from an elliptic curve key type. */
+#define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
+ ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
+ ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
+ 0))
+
+/** Check if the curve of given family is Weierstrass elliptic curve. */
+#define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) ((family & 0xc0) == 0)
+
+/** SEC Koblitz curves over prime fields.
+ *
+ * This family comprises the following curves:
+ * secp192k1, secp224k1, secp256k1.
+ * They are defined in _Standards for Efficient Cryptography_,
+ * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
+ * https://www.secg.org/sec2-v2.pdf
+ *
+ * \note For secp224k1, the bit-size is 225 (size of a private value).
+ *
+ * \note Mbed TLS only supports secp192k1 and secp256k1.
+ */
+#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
+
+/** SEC random curves over prime fields.
+ *
+ * This family comprises the following curves:
+ * secp192r1, secp224r1, secp256r1, secp384r1, secp521r1.
+ * They are defined in _Standards for Efficient Cryptography_,
+ * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
+ * https://www.secg.org/sec2-v2.pdf
+ */
+#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
+/* SECP160R2 (SEC2 v1, obsolete, not supported in Mbed TLS) */
+#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
+
+/** SEC Koblitz curves over binary fields.
+ *
+ * This family comprises the following curves:
+ * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1.
+ * They are defined in _Standards for Efficient Cryptography_,
+ * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
+ * https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
+ */
+#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
+
+/** SEC random curves over binary fields.
+ *
+ * This family comprises the following curves:
+ * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1.
+ * They are defined in _Standards for Efficient Cryptography_,
+ * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
+ * https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
+ */
+#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
+
+/** SEC additional random curves over binary fields.
+ *
+ * This family comprises the following curve:
+ * sect163r2.
+ * It is defined in _Standards for Efficient Cryptography_,
+ * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
+ * https://www.secg.org/sec2-v2.pdf
+ *
+ * \note Mbed TLS does not support any curve in this family.
+ */
+#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
+
+/** Brainpool P random curves.
+ *
+ * This family comprises the following curves:
+ * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,
+ * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
+ * It is defined in RFC 5639.
+ *
+ * \note Mbed TLS only supports the 256-bit, 384-bit and 512-bit curves
+ * in this family.
+ */
+#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
+
+/** Curve25519 and Curve448.
+ *
+ * This family comprises the following Montgomery curves:
+ * - 255-bit: Bernstein et al.,
+ * _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006.
+ * The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve.
+ * - 448-bit: Hamburg,
+ * _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
+ * The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
+ */
+#define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
+
+/** The twisted Edwards curves Ed25519 and Ed448.
+ *
+ * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,
+ * #PSA_ALG_ED25519PH for the 255-bit curve,
+ * #PSA_ALG_ED448PH for the 448-bit curve).
+ *
+ * This family comprises the following twisted Edwards curves:
+ * - 255-bit: Edwards25519, the twisted Edwards curve birationally equivalent
+ * to Curve25519.
+ * Bernstein et al., _Twisted Edwards curves_, Africacrypt 2008.
+ * - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent
+ * to Curve448.
+ * Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
+ *
+ * \note Mbed TLS does not support Edwards curves yet.
+ */
+#define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t) 0x42)
+
+#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t) 0x4200)
+#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t) 0x7200)
+#define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t) 0x00ff)
+/** Diffie-Hellman key pair.
+ *
+ * \param group A value of type ::psa_dh_family_t that identifies the
+ * Diffie-Hellman group to be used.
+ */
+#define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
+ (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
+/** Diffie-Hellman public key.
+ *
+ * \param group A value of type ::psa_dh_family_t that identifies the
+ * Diffie-Hellman group to be used.
+ */
+#define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
+ (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group))
+
+/** Whether a key type is a Diffie-Hellman key (pair or public-only). */
+#define PSA_KEY_TYPE_IS_DH(type) \
+ ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
+ ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
+/** Whether a key type is a Diffie-Hellman key pair. */
+#define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) \
+ (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
+ PSA_KEY_TYPE_DH_KEY_PAIR_BASE)
+/** Whether a key type is a Diffie-Hellman public key. */
+#define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) \
+ (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
+ PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
+
+/** Extract the group from a Diffie-Hellman key type. */
+#define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
+ ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
+ ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
+ 0))
+
+/** Diffie-Hellman groups defined in RFC 7919 Appendix A.
+ *
+ * This family includes groups with the following key sizes (in bits):
+ * 2048, 3072, 4096, 6144, 8192. A given implementation may support
+ * all of these sizes or only a subset.
+ */
+#define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
+
+#define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
+ (((type) >> 8) & 7)
+/** The block size of a block cipher.
+ *
+ * \param type A cipher key type (value of type #psa_key_type_t).
+ *
+ * \return The block size for a block cipher, or 1 for a stream cipher.
+ * The return value is undefined if \p type is not a supported
+ * cipher key type.
+ *
+ * \note It is possible to build stream cipher algorithms on top of a block
+ * cipher, for example CTR mode (#PSA_ALG_CTR).
+ * This macro only takes the key type into account, so it cannot be
+ * used to determine the size of the data that #psa_cipher_update()
+ * might buffer for future processing in general.
+ *
+ * \note This macro returns a compile-time constant if its argument is one.
+ *
+ * \warning This macro may evaluate its argument multiple times.
+ */
+#define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type) \
+ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
+ 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \
+ 0u)
+
+/* Note that algorithm values are embedded in the persistent key store,
+ * as part of key metadata. As a consequence, they must not be changed
+ * (unless the storage format version changes).
+ */
+
+/** Vendor-defined algorithm flag.
+ *
+ * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG
+ * bit set. Vendors who define additional algorithms must use an encoding with
+ * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure
+ * used by standard encodings whenever practical.
+ */
+#define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t) 0x80000000)
+
+#define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t) 0x7f000000)
+#define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t) 0x02000000)
+#define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t) 0x03000000)
+#define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t) 0x04000000)
+#define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t) 0x05000000)
+#define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t) 0x06000000)
+#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t) 0x07000000)
+#define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t) 0x08000000)
+#define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t) 0x09000000)
+
+/** Whether an algorithm is vendor-defined.
+ *
+ * See also #PSA_ALG_VENDOR_FLAG.
+ */
+#define PSA_ALG_IS_VENDOR_DEFINED(alg) \
+ (((alg) & PSA_ALG_VENDOR_FLAG) != 0)
+
+/** Whether the specified algorithm is a hash algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a hash algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_HASH(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)
+
+/** Whether the specified algorithm is a MAC algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a MAC algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_MAC(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC)
+
+/** Whether the specified algorithm is a symmetric cipher algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_CIPHER(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)
+
+/** Whether the specified algorithm is an authenticated encryption
+ * with associated data (AEAD) algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is an AEAD algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_AEAD(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD)
+
+/** Whether the specified algorithm is an asymmetric signature algorithm,
+ * also known as public-key signature algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_SIGN(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)
+
+/** Whether the specified algorithm is an asymmetric encryption algorithm,
+ * also known as public-key encryption algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION)
+
+/** Whether the specified algorithm is a key agreement algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a key agreement algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_KEY_AGREEMENT(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT)
+
+/** Whether the specified algorithm is a key derivation algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a key derivation algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_KEY_DERIVATION(alg) \
+ (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)
+
+/** Whether the specified algorithm is a key stretching / password hashing
+ * algorithm.
+ *
+ * A key stretching / password hashing algorithm is a key derivation algorithm
+ * that is suitable for use with a low-entropy secret such as a password.
+ * Equivalently, it's a key derivation algorithm that uses a
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a key stretching / password hashing algorithm, 0
+ * otherwise. This macro may return either 0 or 1 if \p alg is not a
+ * supported algorithm identifier.
+ */
+#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \
+ (PSA_ALG_IS_KEY_DERIVATION(alg) && \
+ (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
+
+/** An invalid algorithm identifier value. */
+/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
+#define PSA_ALG_NONE ((psa_algorithm_t)0)
+/* *INDENT-ON* */
+
+#define PSA_ALG_HASH_MASK ((psa_algorithm_t) 0x000000ff)
+/** MD5 */
+#define PSA_ALG_MD5 ((psa_algorithm_t) 0x02000003)
+/** PSA_ALG_RIPEMD160 */
+#define PSA_ALG_RIPEMD160 ((psa_algorithm_t) 0x02000004)
+/** SHA1 */
+#define PSA_ALG_SHA_1 ((psa_algorithm_t) 0x02000005)
+/** SHA2-224 */
+#define PSA_ALG_SHA_224 ((psa_algorithm_t) 0x02000008)
+/** SHA2-256 */
+#define PSA_ALG_SHA_256 ((psa_algorithm_t) 0x02000009)
+/** SHA2-384 */
+#define PSA_ALG_SHA_384 ((psa_algorithm_t) 0x0200000a)
+/** SHA2-512 */
+#define PSA_ALG_SHA_512 ((psa_algorithm_t) 0x0200000b)
+/** SHA2-512/224 */
+#define PSA_ALG_SHA_512_224 ((psa_algorithm_t) 0x0200000c)
+/** SHA2-512/256 */
+#define PSA_ALG_SHA_512_256 ((psa_algorithm_t) 0x0200000d)
+/** SHA3-224 */
+#define PSA_ALG_SHA3_224 ((psa_algorithm_t) 0x02000010)
+/** SHA3-256 */
+#define PSA_ALG_SHA3_256 ((psa_algorithm_t) 0x02000011)
+/** SHA3-384 */
+#define PSA_ALG_SHA3_384 ((psa_algorithm_t) 0x02000012)
+/** SHA3-512 */
+#define PSA_ALG_SHA3_512 ((psa_algorithm_t) 0x02000013)
+/** The first 512 bits (64 bytes) of the SHAKE256 output.
+ *
+ * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
+ * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
+ * has the same output size and a (theoretically) higher security strength.
+ */
+#define PSA_ALG_SHAKE256_512 ((psa_algorithm_t) 0x02000015)
+
+/** In a hash-and-sign algorithm policy, allow any hash algorithm.
+ *
+ * This value may be used to form the algorithm usage field of a policy
+ * for a signature algorithm that is parametrized by a hash. The key
+ * may then be used to perform operations using the same signature
+ * algorithm parametrized with any supported hash.
+ *
+ * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
+ * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,
+ * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
+ * Then you may create and use a key as follows:
+ * - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
+ * ```
+ * psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY
+ * psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
+ * ```
+ * - Import or generate key material.
+ * - Call psa_sign_hash() or psa_verify_hash(), passing
+ * an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
+ * call to sign or verify a message may use a different hash.
+ * ```
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
+ * ```
+ *
+ * This value may not be used to build other algorithms that are
+ * parametrized over a hash. For any valid use of this macro to build
+ * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true.
+ *
+ * This value may not be used to build an algorithm specification to
+ * perform an operation. It is only valid to build policies.
+ */
+#define PSA_ALG_ANY_HASH ((psa_algorithm_t) 0x020000ff)
+
+#define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t) 0x00c00000)
+#define PSA_ALG_HMAC_BASE ((psa_algorithm_t) 0x03800000)
+/** Macro to build an HMAC algorithm.
+ *
+ * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HMAC algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HMAC(hash_alg) \
+ (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+#define PSA_ALG_HMAC_GET_HASH(hmac_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is an HMAC algorithm.
+ *
+ * HMAC is a family of MAC algorithms that are based on a hash function.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is an HMAC algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_HMAC(alg) \
+ (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
+ PSA_ALG_HMAC_BASE)
+
+/* In the encoding of a MAC algorithm, the bits corresponding to
+ * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is
+ * truncated. As an exception, the value 0 means the untruncated algorithm,
+ * whatever its length is. The length is encoded in 6 bits, so it can
+ * reach up to 63; the largest MAC is 64 bytes so its trivial truncation
+ * to full length is correctly encoded as 0 and any non-trivial truncation
+ * is correctly encoded as a value between 1 and 63. */
+#define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t) 0x003f0000)
+#define PSA_MAC_TRUNCATION_OFFSET 16
+
+/* In the encoding of a MAC algorithm, the bit corresponding to
+ * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
+ * is a wildcard algorithm. A key with such wildcard algorithm as permitted
+ * algorithm policy can be used with any algorithm corresponding to the
+ * same base class and having a (potentially truncated) MAC length greater or
+ * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */
+#define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t) 0x00008000)
+
+/** Macro to build a truncated MAC algorithm.
+ *
+ * A truncated MAC algorithm is identical to the corresponding MAC
+ * algorithm except that the MAC value for the truncated algorithm
+ * consists of only the first \p mac_length bytes of the MAC value
+ * for the untruncated algorithm.
+ *
+ * \note This macro may allow constructing algorithm identifiers that
+ * are not valid, either because the specified length is larger
+ * than the untruncated MAC or because the specified length is
+ * smaller than permitted by the implementation.
+ *
+ * \note It is implementation-defined whether a truncated MAC that
+ * is truncated to the same length as the MAC of the untruncated
+ * algorithm is considered identical to the untruncated algorithm
+ * for policy comparison purposes.
+ *
+ * \param mac_alg A MAC algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
+ * is true). This may be a truncated or untruncated
+ * MAC algorithm.
+ * \param mac_length Desired length of the truncated MAC in bytes.
+ * This must be at most the full length of the MAC
+ * and must be at least an implementation-specified
+ * minimum. The implementation-specified minimum
+ * shall not be zero.
+ *
+ * \return The corresponding MAC algorithm with the specified
+ * length.
+ * \return Unspecified if \p mac_alg is not a supported
+ * MAC algorithm or if \p mac_length is too small or
+ * too large for the specified MAC algorithm.
+ */
+#define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \
+ (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
+ PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \
+ ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK))
+
+/** Macro to build the base MAC algorithm corresponding to a truncated
+ * MAC algorithm.
+ *
+ * \param mac_alg A MAC algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
+ * is true). This may be a truncated or untruncated
+ * MAC algorithm.
+ *
+ * \return The corresponding base MAC algorithm.
+ * \return Unspecified if \p mac_alg is not a supported
+ * MAC algorithm.
+ */
+#define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \
+ ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
+ PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG))
+
+/** Length to which a MAC algorithm is truncated.
+ *
+ * \param mac_alg A MAC algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
+ * is true).
+ *
+ * \return Length of the truncated MAC in bytes.
+ * \return 0 if \p mac_alg is a non-truncated MAC algorithm.
+ * \return Unspecified if \p mac_alg is not a supported
+ * MAC algorithm.
+ */
+#define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \
+ (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET)
+
+/** Macro to build a MAC minimum-MAC-length wildcard algorithm.
+ *
+ * A minimum-MAC-length MAC wildcard algorithm permits all MAC algorithms
+ * sharing the same base algorithm, and where the (potentially truncated) MAC
+ * length of the specific algorithm is equal to or larger then the wildcard
+ * algorithm's minimum MAC length.
+ *
+ * \note When setting the minimum required MAC length to less than the
+ * smallest MAC length allowed by the base algorithm, this effectively
+ * becomes an 'any-MAC-length-allowed' policy for that base algorithm.
+ *
+ * \param mac_alg A MAC algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
+ * is true).
+ * \param min_mac_length Desired minimum length of the message authentication
+ * code in bytes. This must be at most the untruncated
+ * length of the MAC and must be at least 1.
+ *
+ * \return The corresponding MAC wildcard algorithm with the
+ * specified minimum length.
+ * \return Unspecified if \p mac_alg is not a supported MAC
+ * algorithm or if \p min_mac_length is less than 1 or
+ * too large for the specified MAC algorithm.
+ */
+#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \
+ (PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | \
+ PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)
+
+#define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t) 0x03c00000)
+/** The CBC-MAC construction over a block cipher
+ *
+ * \warning CBC-MAC is insecure in many cases.
+ * A more secure mode, such as #PSA_ALG_CMAC, is recommended.
+ */
+#define PSA_ALG_CBC_MAC ((psa_algorithm_t) 0x03c00100)
+/** The CMAC construction over a block cipher */
+#define PSA_ALG_CMAC ((psa_algorithm_t) 0x03c00200)
+
+/** Whether the specified algorithm is a MAC algorithm based on a block cipher.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) \
+ (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
+ PSA_ALG_CIPHER_MAC_BASE)
+
+#define PSA_ALG_CIPHER_STREAM_FLAG ((psa_algorithm_t) 0x00800000)
+#define PSA_ALG_CIPHER_FROM_BLOCK_FLAG ((psa_algorithm_t) 0x00400000)
+
+/** Whether the specified algorithm is a stream cipher.
+ *
+ * A stream cipher is a symmetric cipher that encrypts or decrypts messages
+ * by applying a bitwise-xor with a stream of bytes that is generated
+ * from a key.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier or if it is not a symmetric cipher algorithm.
+ */
+#define PSA_ALG_IS_STREAM_CIPHER(alg) \
+ (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \
+ (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG))
+
+/** The stream cipher mode of a stream cipher algorithm.
+ *
+ * The underlying stream cipher is determined by the key type.
+ * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20.
+ */
+#define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t) 0x04800100)
+
+/** The CTR stream cipher mode.
+ *
+ * CTR is a stream cipher which is built from a block cipher.
+ * The underlying block cipher is determined by the key type.
+ * For example, to use AES-128-CTR, use this algorithm with
+ * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes).
+ */
+#define PSA_ALG_CTR ((psa_algorithm_t) 0x04c01000)
+
+/** The CFB stream cipher mode.
+ *
+ * The underlying block cipher is determined by the key type.
+ */
+#define PSA_ALG_CFB ((psa_algorithm_t) 0x04c01100)
+
+/** The OFB stream cipher mode.
+ *
+ * The underlying block cipher is determined by the key type.
+ */
+#define PSA_ALG_OFB ((psa_algorithm_t) 0x04c01200)
+
+/** The XTS cipher mode.
+ *
+ * XTS is a cipher mode which is built from a block cipher. It requires at
+ * least one full block of input, but beyond this minimum the input
+ * does not need to be a whole number of blocks.
+ */
+#define PSA_ALG_XTS ((psa_algorithm_t) 0x0440ff00)
+
+/** The Electronic Code Book (ECB) mode of a block cipher, with no padding.
+ *
+ * \warning ECB mode does not protect the confidentiality of the encrypted data
+ * except in extremely narrow circumstances. It is recommended that applications
+ * only use ECB if they need to construct an operating mode that the
+ * implementation does not provide. Implementations are encouraged to provide
+ * the modes that applications need in preference to supporting direct access
+ * to ECB.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * This symmetric cipher mode can only be used with messages whose lengths are a
+ * multiple of the block size of the chosen block cipher.
+ *
+ * ECB mode does not accept an initialization vector (IV). When using a
+ * multi-part cipher operation with this algorithm, psa_cipher_generate_iv()
+ * and psa_cipher_set_iv() must not be called.
+ */
+#define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t) 0x04404400)
+
+/** The CBC block cipher chaining mode, with no padding.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * This symmetric cipher mode can only be used with messages whose lengths
+ * are whole number of blocks for the chosen block cipher.
+ */
+#define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t) 0x04404000)
+
+/** The CBC block cipher chaining mode with PKCS#7 padding.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * This is the padding method defined by PKCS#7 (RFC 2315) &sect;10.3.
+ */
+#define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t) 0x04404100)
+
+#define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t) 0x00400000)
+
+/** Whether the specified algorithm is an AEAD mode on a block cipher.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is an AEAD algorithm which is an AEAD mode based on
+ * a block cipher, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) \
+ (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) == \
+ (PSA_ALG_CATEGORY_AEAD | PSA_ALG_AEAD_FROM_BLOCK_FLAG))
+
+/** The CCM authenticated encryption algorithm.
+ *
+ * The underlying block cipher is determined by the key type.
+ */
+#define PSA_ALG_CCM ((psa_algorithm_t) 0x05500100)
+
+/** The CCM* cipher mode without authentication.
+ *
+ * This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0.
+ * For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * Currently only 13-byte long IV's are supported.
+ */
+#define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t) 0x04c01300)
+
+/** The GCM authenticated encryption algorithm.
+ *
+ * The underlying block cipher is determined by the key type.
+ */
+#define PSA_ALG_GCM ((psa_algorithm_t) 0x05500200)
+
+/** The Chacha20-Poly1305 AEAD algorithm.
+ *
+ * The ChaCha20_Poly1305 construction is defined in RFC 7539.
+ *
+ * Implementations must support 12-byte nonces, may support 8-byte nonces,
+ * and should reject other sizes.
+ *
+ * Implementations must support 16-byte tags and should reject other sizes.
+ */
+#define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t) 0x05100500)
+
+/* In the encoding of an AEAD algorithm, the bits corresponding to
+ * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
+ * The constants for default lengths follow this encoding.
+ */
+#define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t) 0x003f0000)
+#define PSA_AEAD_TAG_LENGTH_OFFSET 16
+
+/* In the encoding of an AEAD algorithm, the bit corresponding to
+ * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
+ * is a wildcard algorithm. A key with such wildcard algorithm as permitted
+ * algorithm policy can be used with any algorithm corresponding to the
+ * same base class and having a tag length greater than or equal to the one
+ * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */
+#define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t) 0x00008000)
+
+/** Macro to build a shortened AEAD algorithm.
+ *
+ * A shortened AEAD algorithm is similar to the corresponding AEAD
+ * algorithm, but has an authentication tag that consists of fewer bytes.
+ * Depending on the algorithm, the tag length may affect the calculation
+ * of the ciphertext.
+ *
+ * \param aead_alg An AEAD algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
+ * is true).
+ * \param tag_length Desired length of the authentication tag in bytes.
+ *
+ * \return The corresponding AEAD algorithm with the specified
+ * length.
+ * \return Unspecified if \p aead_alg is not a supported
+ * AEAD algorithm or if \p tag_length is not valid
+ * for the specified AEAD algorithm.
+ */
+#define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \
+ (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | \
+ PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \
+ ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \
+ PSA_ALG_AEAD_TAG_LENGTH_MASK))
+
+/** Retrieve the tag length of a specified AEAD algorithm
+ *
+ * \param aead_alg An AEAD algorithm identifier (value of type
+ * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
+ * is true).
+ *
+ * \return The tag length specified by the input algorithm.
+ * \return Unspecified if \p aead_alg is not a supported
+ * AEAD algorithm.
+ */
+#define PSA_ALG_AEAD_GET_TAG_LENGTH(aead_alg) \
+ (((aead_alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> \
+ PSA_AEAD_TAG_LENGTH_OFFSET)
+
+/** Calculate the corresponding AEAD algorithm with the default tag length.
+ *
+ * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
+ *
+ * \return The corresponding AEAD algorithm with the default
+ * tag length for that algorithm.
+ */
+#define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg) \
+ ( \
+ PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CCM) \
+ PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_GCM) \
+ PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
+ 0)
+#define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, ref) \
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, 0) == \
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \
+ ref :
+
+/** Macro to build an AEAD minimum-tag-length wildcard algorithm.
+ *
+ * A minimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms
+ * sharing the same base algorithm, and where the tag length of the specific
+ * algorithm is equal to or larger then the minimum tag length specified by the
+ * wildcard algorithm.
+ *
+ * \note When setting the minimum required tag length to less than the
+ * smallest tag length allowed by the base algorithm, this effectively
+ * becomes an 'any-tag-length-allowed' policy for that base algorithm.
+ *
+ * \param aead_alg An AEAD algorithm identifier (value of type
+ * #psa_algorithm_t such that
+ * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
+ * \param min_tag_length Desired minimum length of the authentication tag in
+ * bytes. This must be at least 1 and at most the largest
+ * allowed tag length of the algorithm.
+ *
+ * \return The corresponding AEAD wildcard algorithm with the
+ * specified minimum length.
+ * \return Unspecified if \p aead_alg is not a supported
+ * AEAD algorithm or if \p min_tag_length is less than 1
+ * or too large for the specified AEAD algorithm.
+ */
+#define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \
+ (PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | \
+ PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)
+
+#define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t) 0x06000200)
+/** RSA PKCS#1 v1.5 signature with hashing.
+ *
+ * This is the signature scheme defined by RFC 8017
+ * (PKCS#1: RSA Cryptography Specifications) under the name
+ * RSASSA-PKCS1-v1_5.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding RSA PKCS#1 v1.5 signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) \
+ (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Raw PKCS#1 v1.5 signature.
+ *
+ * The input to this algorithm is the DigestInfo structure used by
+ * RFC 8017 (PKCS#1: RSA Cryptography Specifications), &sect;9.2
+ * steps 3&ndash;6.
+ */
+#define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE
+#define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
+
+#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t) 0x06000300)
+#define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t) 0x06001300)
+/** RSA PSS signature with hashing.
+ *
+ * This is the signature scheme defined by RFC 8017
+ * (PKCS#1: RSA Cryptography Specifications) under the name
+ * RSASSA-PSS, with the message generation function MGF1, and with
+ * a salt length equal to the length of the hash, or the largest
+ * possible salt length for the algorithm and key size if that is
+ * smaller than the hash length. The specified hash algorithm is
+ * used to hash the input message, to create the salted hash, and
+ * for the mask generation.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding RSA PSS signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_RSA_PSS(hash_alg) \
+ (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** RSA PSS signature with hashing with relaxed verification.
+ *
+ * This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing,
+ * but allows an arbitrary salt length (including \c 0) when verifying a
+ * signature.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding RSA PSS signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \
+ (PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is RSA PSS with standard salt.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
+
+/** Whether the specified algorithm is RSA PSS with any salt.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE)
+
+/** Whether the specified algorithm is RSA PSS.
+ *
+ * This includes any of the RSA PSS algorithm variants, regardless of the
+ * constraints on salt length.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS(\c hash_alg) or
+ * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS(alg) \
+ (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \
+ PSA_ALG_IS_RSA_PSS_ANY_SALT(alg))
+
+#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t) 0x06000600)
+/** ECDSA signature with hashing.
+ *
+ * This is the ECDSA signature scheme defined by ANSI X9.62,
+ * with a random per-message secret number (*k*).
+ *
+ * The representation of the signature as a byte string consists of
+ * the concatenation of the signature values *r* and *s*. Each of
+ * *r* and *s* is encoded as an *N*-octet string, where *N* is the length
+ * of the base point of the curve in octets. Each value is represented
+ * in big-endian order (most significant octet first).
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding ECDSA signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_ECDSA(hash_alg) \
+ (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** ECDSA signature without hashing.
+ *
+ * This is the same signature scheme as #PSA_ALG_ECDSA(), but
+ * without specifying a hash algorithm. This algorithm may only be
+ * used to sign or verify a sequence of bytes that should be an
+ * already-calculated hash. Note that the input is padded with
+ * zeros on the left or truncated on the left as required to fit
+ * the curve size.
+ */
+#define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
+#define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t) 0x06000700)
+/** Deterministic ECDSA signature with hashing.
+ *
+ * This is the deterministic ECDSA signature scheme defined by RFC 6979.
+ *
+ * The representation of a signature is the same as with #PSA_ALG_ECDSA().
+ *
+ * Note that when this algorithm is used for verification, signatures
+ * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the
+ * same private key are accepted. In other words,
+ * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from
+ * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding deterministic ECDSA signature
+ * algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \
+ (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+#define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t) 0x00000100)
+#define PSA_ALG_IS_ECDSA(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \
+ PSA_ALG_ECDSA_BASE)
+#define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg) \
+ (((alg) & PSA_ALG_ECDSA_DETERMINISTIC_FLAG) != 0)
+#define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) \
+ (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
+#define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \
+ (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
+
+/** Edwards-curve digital signature algorithm without prehashing (PureEdDSA),
+ * using standard parameters.
+ *
+ * Contexts are not supported in the current version of this specification
+ * because there is no suitable signature interface that can take the
+ * context as a parameter. A future version of this specification may add
+ * suitable functions and extend this algorithm to support contexts.
+ *
+ * PureEdDSA requires an elliptic curve key on a twisted Edwards curve.
+ * In this specification, the following curves are supported:
+ * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 255-bit: Ed25519 as specified
+ * in RFC 8032.
+ * The curve is Edwards25519.
+ * The hash function used internally is SHA-512.
+ * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 448-bit: Ed448 as specified
+ * in RFC 8032.
+ * The curve is Edwards448.
+ * The hash function used internally is the first 114 bytes of the
+ * SHAKE256 output.
+ *
+ * This algorithm can be used with psa_sign_message() and
+ * psa_verify_message(). Since there is no prehashing, it cannot be used
+ * with psa_sign_hash() or psa_verify_hash().
+ *
+ * The signature format is the concatenation of R and S as defined by
+ * RFC 8032 §5.1.6 and §5.2.6 (a 64-byte string for Ed25519, a 114-byte
+ * string for Ed448).
+ */
+#define PSA_ALG_PURE_EDDSA ((psa_algorithm_t) 0x06000800)
+
+#define PSA_ALG_HASH_EDDSA_BASE ((psa_algorithm_t) 0x06000900)
+#define PSA_ALG_IS_HASH_EDDSA(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HASH_EDDSA_BASE)
+
+/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
+ * using SHA-512 and the Edwards25519 curve.
+ *
+ * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
+ *
+ * This algorithm is Ed25519 as specified in RFC 8032.
+ * The curve is Edwards25519.
+ * The prehash is SHA-512.
+ * The hash function used internally is SHA-512.
+ *
+ * This is a hash-and-sign algorithm: to calculate a signature,
+ * you can either:
+ * - call psa_sign_message() on the message;
+ * - or calculate the SHA-512 hash of the message
+ * with psa_hash_compute()
+ * or with a multi-part hash operation started with psa_hash_setup(),
+ * using the hash algorithm #PSA_ALG_SHA_512,
+ * then sign the calculated hash with psa_sign_hash().
+ * Verifying a signature is similar, using psa_verify_message() or
+ * psa_verify_hash() instead of the signature function.
+ */
+#define PSA_ALG_ED25519PH \
+ (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
+
+/** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
+ * using SHAKE256 and the Edwards448 curve.
+ *
+ * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
+ *
+ * This algorithm is Ed448 as specified in RFC 8032.
+ * The curve is Edwards448.
+ * The prehash is the first 64 bytes of the SHAKE256 output.
+ * The hash function used internally is the first 114 bytes of the
+ * SHAKE256 output.
+ *
+ * This is a hash-and-sign algorithm: to calculate a signature,
+ * you can either:
+ * - call psa_sign_message() on the message;
+ * - or calculate the first 64 bytes of the SHAKE256 output of the message
+ * with psa_hash_compute()
+ * or with a multi-part hash operation started with psa_hash_setup(),
+ * using the hash algorithm #PSA_ALG_SHAKE256_512,
+ * then sign the calculated hash with psa_sign_hash().
+ * Verifying a signature is similar, using psa_verify_message() or
+ * psa_verify_hash() instead of the signature function.
+ */
+#define PSA_ALG_ED448PH \
+ (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK))
+
+/* Default definition, to be overridden if the library is extended with
+ * more hash-and-sign algorithms that we want to keep out of this header
+ * file. */
+#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
+
+/** Whether the specified algorithm is a signature algorithm that can be used
+ * with psa_sign_hash() and psa_verify_hash().
+ *
+ * This encompasses all strict hash-and-sign algorithms categorized by
+ * PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the
+ * paradigm more loosely:
+ * - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash)
+ * - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is)
+ *
+ * \param alg An algorithm identifier (value of type psa_algorithm_t).
+ *
+ * \return 1 if alg is a signature algorithm that can be used to sign a
+ * hash. 0 if alg is a signature algorithm that can only be used
+ * to sign a message. 0 if alg is not a signature algorithm.
+ * This macro can return either 0 or 1 if alg is not a
+ * supported algorithm identifier.
+ */
+#define PSA_ALG_IS_SIGN_HASH(alg) \
+ (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
+ PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
+ PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
+
+/** Whether the specified algorithm is a signature algorithm that can be used
+ * with psa_sign_message() and psa_verify_message().
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if alg is a signature algorithm that can be used to sign a
+ * message. 0 if \p alg is a signature algorithm that can only be used
+ * to sign an already-calculated hash. 0 if \p alg is not a signature
+ * algorithm. This macro can return either 0 or 1 if \p alg is not a
+ * supported algorithm identifier.
+ */
+#define PSA_ALG_IS_SIGN_MESSAGE(alg) \
+ (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA)
+
+/** Whether the specified algorithm is a hash-and-sign algorithm.
+ *
+ * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
+ * structured in two parts: first the calculation of a hash in a way that
+ * does not depend on the key, then the calculation of a signature from the
+ * hash value and the key. Hash-and-sign algorithms encode the hash
+ * used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH
+ * to extract this algorithm.
+ *
+ * Thus, for a hash-and-sign algorithm,
+ * `psa_sign_message(key, alg, input, ...)` is equivalent to
+ * ```
+ * psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...);
+ * psa_sign_hash(key, alg, hash, ..., signature, ...);
+ * ```
+ * Most usefully, separating the hash from the signature allows the hash
+ * to be calculated in multiple steps with psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(). Likewise psa_verify_message() is equivalent to
+ * calculating the hash and then calling psa_verify_hash().
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
+ (PSA_ALG_IS_SIGN_HASH(alg) && \
+ ((alg) & PSA_ALG_HASH_MASK) != 0)
+
+/** Get the hash used by a hash-and-sign signature algorithm.
+ *
+ * A hash-and-sign algorithm is a signature algorithm which is
+ * composed of two phases: first a hashing phase which does not use
+ * the key and produces a hash of the input message, then a signing
+ * phase which only uses the hash and the key and not the message
+ * itself.
+ *
+ * \param alg A signature algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_SIGN(\p alg) is true).
+ *
+ * \return The underlying hash algorithm if \p alg is a hash-and-sign
+ * algorithm.
+ * \return 0 if \p alg is a signature algorithm that does not
+ * follow the hash-and-sign structure.
+ * \return Unspecified if \p alg is not a signature algorithm or
+ * if it is not supported by the implementation.
+ */
+#define PSA_ALG_SIGN_GET_HASH(alg) \
+ (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
+ ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
+ 0)
+
+/** RSA PKCS#1 v1.5 encryption.
+ *
+ * \warning Calling psa_asymmetric_decrypt() with this algorithm as a
+ * parameter is considered an inherently dangerous function
+ * (CWE-242). Unless it is used in a side channel free and safe
+ * way (eg. implementing the TLS protocol as per 7.4.7.1 of
+ * RFC 5246), the calling code is vulnerable.
+ *
+ */
+#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t) 0x07000200)
+
+#define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t) 0x07000300)
+/** RSA OAEP encryption.
+ *
+ * This is the encryption scheme defined by RFC 8017
+ * (PKCS#1: RSA Cryptography Specifications) under the name
+ * RSAES-OAEP, with the message generation function MGF1.
+ *
+ * \param hash_alg The hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true) to use
+ * for MGF1.
+ *
+ * \return The corresponding RSA OAEP encryption algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_RSA_OAEP(hash_alg) \
+ (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+#define PSA_ALG_IS_RSA_OAEP(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE)
+#define PSA_ALG_RSA_OAEP_GET_HASH(alg) \
+ (PSA_ALG_IS_RSA_OAEP(alg) ? \
+ ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
+ 0)
+
+#define PSA_ALG_HKDF_BASE ((psa_algorithm_t) 0x08000100)
+/** Macro to build an HKDF algorithm.
+ *
+ * For example, `PSA_ALG_HKDF(PSA_ALG_SHA_256)` is HKDF using HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs:
+ * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step.
+ * It is optional; if omitted, the derivation uses an empty salt.
+ * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step.
+ * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step.
+ * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET.
+ * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
+ * starting to generate output.
+ *
+ * \warning HKDF processes the salt as follows: first hash it with hash_alg
+ * if the salt is longer than the block size of the hash algorithm; then
+ * pad with null bytes up to the block size. As a result, it is possible
+ * for distinct salt inputs to result in the same outputs. To ensure
+ * unique outputs, it is recommended to use a fixed length for salt values.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HKDF algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HKDF(hash_alg) \
+ (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Whether the specified algorithm is an HKDF algorithm.
+ *
+ * HKDF is a family of key derivation algorithms that are based on a hash
+ * function and the HMAC construction.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an HKDF algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_HKDF(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE)
+#define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
+
+#define PSA_ALG_HKDF_EXTRACT_BASE ((psa_algorithm_t) 0x08000400)
+/** Macro to build an HKDF-Extract algorithm.
+ *
+ * For example, `PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA_256)` is
+ * HKDF-Extract using HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs:
+ * - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
+ * - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
+ * "extract" step.
+ * The inputs are mandatory and must be passed in the order above.
+ * Each input may only be passed once.
+ *
+ * \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
+ * should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
+ * as a separate algorithm for the sake of protocols that use it as a
+ * building block. It may also be a slight performance optimization
+ * in applications that use HKDF with the same salt and key but many
+ * different info strings.
+ *
+ * \warning HKDF processes the salt as follows: first hash it with hash_alg
+ * if the salt is longer than the block size of the hash algorithm; then
+ * pad with null bytes up to the block size. As a result, it is possible
+ * for distinct salt inputs to result in the same outputs. To ensure
+ * unique outputs, it is recommended to use a fixed length for salt values.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HKDF-Extract algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HKDF_EXTRACT(hash_alg) \
+ (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Whether the specified algorithm is an HKDF-Extract algorithm.
+ *
+ * HKDF-Extract is a family of key derivation algorithms that are based
+ * on a hash function and the HMAC construction.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an HKDF-Extract algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_HKDF_EXTRACT(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE)
+
+#define PSA_ALG_HKDF_EXPAND_BASE ((psa_algorithm_t) 0x08000500)
+/** Macro to build an HKDF-Expand algorithm.
+ *
+ * For example, `PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256)` is
+ * HKDF-Expand using HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs:
+ * - PSA_KEY_DERIVATION_INPUT_SECRET is the pseudorandom key (PRK).
+ * - PSA_KEY_DERIVATION_INPUT_INFO is the info string.
+ *
+ * The inputs are mandatory and must be passed in the order above.
+ * Each input may only be passed once.
+ *
+ * \warning HKDF-Expand is not meant to be used on its own. `PSA_ALG_HKDF`
+ * should be used instead if possible. `PSA_ALG_HKDF_EXPAND` is provided as
+ * a separate algorithm for the sake of protocols that use it as a building
+ * block. It may also be a slight performance optimization in applications
+ * that use HKDF with the same salt and key but many different info strings.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding HKDF-Expand algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_HKDF_EXPAND(hash_alg) \
+ (PSA_ALG_HKDF_EXPAND_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+/** Whether the specified algorithm is an HKDF-Expand algorithm.
+ *
+ * HKDF-Expand is a family of key derivation algorithms that are based
+ * on a hash function and the HMAC construction.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an HKDF-Expand algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_HKDF_EXPAND(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
+
+/** Whether the specified algorithm is an HKDF or HKDF-Extract or
+ * HKDF-Expand algorithm.
+ *
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is any HKDF type algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_ANY_HKDF(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE || \
+ ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE || \
+ ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
+
+#define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t) 0x08000200)
+/** Macro to build a TLS-1.2 PRF algorithm.
+ *
+ * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule,
+ * specified in Section 5 of RFC 5246. It is based on HMAC and can be
+ * used with either SHA-256 or SHA-384.
+ *
+ * This key derivation algorithm uses the following inputs, which must be
+ * passed in the order given here:
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
+ * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
+ * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
+ *
+ * For the application to TLS-1.2 key expansion, the seed is the
+ * concatenation of ServerHello.Random + ClientHello.Random,
+ * and the label is "key expansion".
+ *
+ * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)` represents the
+ * TLS 1.2 PRF using HMAC-SHA-256.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding TLS-1.2 PRF algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_TLS12_PRF(hash_alg) \
+ (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is a TLS-1.2 PRF algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_TLS12_PRF(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE)
+#define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
+
+#define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t) 0x08000300)
+/** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
+ *
+ * In a pure-PSK handshake in TLS 1.2, the master secret is derived
+ * from the PreSharedKey (PSK) through the application of padding
+ * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5).
+ * The latter is based on HMAC and can be used with either SHA-256
+ * or SHA-384.
+ *
+ * This key derivation algorithm uses the following inputs, which must be
+ * passed in the order given here:
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
+ * - #PSA_KEY_DERIVATION_INPUT_OTHER_SECRET is the other secret for the
+ * computation of the premaster secret. This input is optional;
+ * if omitted, it defaults to a string of null bytes with the same length
+ * as the secret (PSK) input.
+ * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
+ * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
+ *
+ * For the application to TLS-1.2, the seed (which is
+ * forwarded to the TLS-1.2 PRF) is the concatenation of the
+ * ClientHello.Random + ServerHello.Random,
+ * the label is "master secret" or "extended master secret" and
+ * the other secret depends on the key exchange specified in the cipher suite:
+ * - for a plain PSK cipher suite (RFC 4279, Section 2), omit
+ * PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
+ * - for a DHE-PSK (RFC 4279, Section 3) or ECDHE-PSK cipher suite
+ * (RFC 5489, Section 2), the other secret should be the output of the
+ * PSA_ALG_FFDH or PSA_ALG_ECDH key agreement performed with the peer.
+ * The recommended way to pass this input is to use a key derivation
+ * algorithm constructed as
+ * PSA_ALG_KEY_AGREEMENT(ka_alg, PSA_ALG_TLS12_PSK_TO_MS(hash_alg))
+ * and to call psa_key_derivation_key_agreement(). Alternatively,
+ * this input may be an output of `psa_raw_key_agreement()` passed with
+ * psa_key_derivation_input_bytes(), or an equivalent input passed with
+ * psa_key_derivation_input_bytes() or psa_key_derivation_input_key().
+ * - for a RSA-PSK cipher suite (RFC 4279, Section 4), the other secret
+ * should be the 48-byte client challenge (the PreMasterSecret of
+ * (RFC 5246, Section 7.4.7.1)) concatenation of the TLS version and
+ * a 46-byte random string chosen by the client. On the server, this is
+ * typically an output of psa_asymmetric_decrypt() using
+ * PSA_ALG_RSA_PKCS1V15_CRYPT, passed to the key derivation operation
+ * with `psa_key_derivation_input_bytes()`.
+ *
+ * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256)` represents the
+ * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding TLS-1.2 PSK to MS algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) \
+ (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE)
+#define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
+
+/* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point
+ * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2
+ * will use to derive the session secret, as defined by step 2 of
+ * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7.
+ * Uses PSA_ALG_SHA_256.
+ * This function takes a single input:
+ * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE.
+ * The only supported curve is secp256r1 (the 256-bit curve in
+ * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes.
+ * The output has to be read as a single chunk of 32 bytes, defined as
+ * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE.
+ */
+#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t) 0x08000609)
+
+/* This flag indicates whether the key derivation algorithm is suitable for
+ * use on low-entropy secrets such as password - these algorithms are also
+ * known as key stretching or password hashing schemes. These are also the
+ * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD.
+ *
+ * Those algorithms cannot be combined with a key agreement algorithm.
+ */
+#define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t) 0x00800000)
+
+#define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t) 0x08800100)
+/** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm.
+ *
+ * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
+ * This macro specifies the PBKDF2 algorithm constructed using a PRF based on
+ * HMAC with the specified hash.
+ * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256)` specifies PBKDF2
+ * using the PRF HMAC-SHA-256.
+ *
+ * This key derivation algorithm uses the following inputs, which must be
+ * provided in the following order:
+ * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count.
+ * This input step must be used exactly once.
+ * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt.
+ * This input step must be used one or more times; if used several times, the
+ * inputs will be concatenated. This can be used to build the final salt
+ * from multiple sources, both public and secret (also known as pepper).
+ * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed.
+ * This input step must be used exactly once.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ *
+ * \return The corresponding PBKDF2-HMAC-XXX algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_PBKDF2_HMAC(hash_alg) \
+ (PSA_ALG_PBKDF2_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is a PBKDF2-HMAC algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is a PBKDF2-HMAC algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key derivation algorithm identifier.
+ */
+#define PSA_ALG_IS_PBKDF2_HMAC(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
+#define PSA_ALG_PBKDF2_HMAC_GET_HASH(pbkdf2_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((pbkdf2_alg) & PSA_ALG_HASH_MASK))
+/** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
+ *
+ * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
+ * This macro specifies the PBKDF2 algorithm constructed using the
+ * AES-CMAC-PRF-128 PRF specified by RFC 4615.
+ *
+ * This key derivation algorithm uses the same inputs as
+ * #PSA_ALG_PBKDF2_HMAC() with the same constraints.
+ */
+#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t) 0x08800200)
+
+#define PSA_ALG_IS_PBKDF2(kdf_alg) \
+ (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg) || \
+ ((kdf_alg) == PSA_ALG_PBKDF2_AES_CMAC_PRF_128))
+
+#define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t) 0xfe00ffff)
+#define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t) 0xffff0000)
+
+/** Macro to build a combined algorithm that chains a key agreement with
+ * a key derivation.
+ *
+ * \param ka_alg A key agreement algorithm (\c PSA_ALG_XXX value such
+ * that #PSA_ALG_IS_KEY_AGREEMENT(\p ka_alg) is true).
+ * \param kdf_alg A key derivation algorithm (\c PSA_ALG_XXX value such
+ * that #PSA_ALG_IS_KEY_DERIVATION(\p kdf_alg) is true).
+ *
+ * \return The corresponding key agreement and derivation
+ * algorithm.
+ * \return Unspecified if \p ka_alg is not a supported
+ * key agreement algorithm or \p kdf_alg is not a
+ * supported key derivation algorithm.
+ */
+#define PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) \
+ ((ka_alg) | (kdf_alg))
+
+#define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) \
+ (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION)
+
+#define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) \
+ (((alg) & PSA_ALG_KEY_AGREEMENT_MASK) | PSA_ALG_CATEGORY_KEY_AGREEMENT)
+
+/** Whether the specified algorithm is a raw key agreement algorithm.
+ *
+ * A raw key agreement algorithm is one that does not specify
+ * a key derivation function.
+ * Usually, raw key agreement algorithms are constructed directly with
+ * a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are
+ * constructed with #PSA_ALG_KEY_AGREEMENT().
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a raw key agreement algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) \
+ (PSA_ALG_IS_KEY_AGREEMENT(alg) && \
+ PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) == PSA_ALG_CATEGORY_KEY_DERIVATION)
+
+#define PSA_ALG_IS_KEY_DERIVATION_OR_AGREEMENT(alg) \
+ ((PSA_ALG_IS_KEY_DERIVATION(alg) || PSA_ALG_IS_KEY_AGREEMENT(alg)))
+
+/** The finite-field Diffie-Hellman (DH) key agreement algorithm.
+ *
+ * The shared secret produced by key agreement is
+ * `g^{ab}` in big-endian format.
+ * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p`
+ * in bits.
+ */
+#define PSA_ALG_FFDH ((psa_algorithm_t) 0x09010000)
+
+/** Whether the specified algorithm is a finite field Diffie-Hellman algorithm.
+ *
+ * This includes the raw finite field Diffie-Hellman algorithm as well as
+ * finite-field Diffie-Hellman followed by any supporter key derivation
+ * algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key agreement algorithm identifier.
+ */
+#define PSA_ALG_IS_FFDH(alg) \
+ (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH)
+
+/** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.
+ *
+ * The shared secret produced by key agreement is the x-coordinate of
+ * the shared secret point. It is always `ceiling(m / 8)` bytes long where
+ * `m` is the bit size associated with the curve, i.e. the bit size of the
+ * order of the curve's coordinate field. When `m` is not a multiple of 8,
+ * the byte containing the most significant bit of the shared secret
+ * is padded with zero bits. The byte order is either little-endian
+ * or big-endian depending on the curve type.
+ *
+ * - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
+ * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
+ * in little-endian byte order.
+ * The bit size is 448 for Curve448 and 255 for Curve25519.
+ * - For Weierstrass curves over prime fields (curve types
+ * `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
+ * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
+ * in big-endian byte order.
+ * The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
+ * - For Weierstrass curves over binary fields (curve types
+ * `PSA_ECC_FAMILY_SECTXXX`),
+ * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
+ * in big-endian byte order.
+ * The bit size is `m` for the field `F_{2^m}`.
+ */
+#define PSA_ALG_ECDH ((psa_algorithm_t) 0x09020000)
+
+/** Whether the specified algorithm is an elliptic curve Diffie-Hellman
+ * algorithm.
+ *
+ * This includes the raw elliptic curve Diffie-Hellman algorithm as well as
+ * elliptic curve Diffie-Hellman followed by any supporter key derivation
+ * algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm,
+ * 0 otherwise.
+ * This macro may return either 0 or 1 if \c alg is not a supported
+ * key agreement algorithm identifier.
+ */
+#define PSA_ALG_IS_ECDH(alg) \
+ (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH)
+
+/** Whether the specified algorithm encoding is a wildcard.
+ *
+ * Wildcard values may only be used to set the usage algorithm field in
+ * a policy, not to perform an operation.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \c alg is a wildcard algorithm encoding.
+ * \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for
+ * an operation).
+ * \return This macro may return either 0 or 1 if \c alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_WILDCARD(alg) \
+ (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
+ PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \
+ PSA_ALG_IS_MAC(alg) ? \
+ (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
+ PSA_ALG_IS_AEAD(alg) ? \
+ (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
+ (alg) == PSA_ALG_ANY_HASH)
+
+/** Get the hash used by a composite algorithm.
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return The underlying hash algorithm if alg is a composite algorithm that
+ * uses a hash algorithm.
+ *
+ * \return \c 0 if alg is not a composite algorithm that uses a hash.
+ */
+#define PSA_ALG_GET_HASH(alg) \
+ (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t) 0) : 0x02000000 | ((alg) & 0x000000ff))
+
+/**@}*/
+
+/** \defgroup key_lifetimes Key lifetimes
+ * @{
+ */
+
+/* Note that location and persistence level values are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
+/** The default lifetime for volatile keys.
+ *
+ * A volatile key only exists as long as the identifier to it is not destroyed.
+ * The key material is guaranteed to be erased on a power reset.
+ *
+ * A key with this lifetime is typically stored in the RAM area of the
+ * PSA Crypto subsystem. However this is an implementation choice.
+ * If an implementation stores data about the key in a non-volatile memory,
+ * it must release all the resources associated with the key and erase the
+ * key material if the calling application terminates.
+ */
+#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t) 0x00000000)
+
+/** The default lifetime for persistent keys.
+ *
+ * A persistent key remains in storage until it is explicitly destroyed or
+ * until the corresponding storage area is wiped. This specification does
+ * not define any mechanism to wipe a storage area, but integrations may
+ * provide their own mechanism (for example to perform a factory reset,
+ * to prepare for device refurbishment, or to uninstall an application).
+ *
+ * This lifetime value is the default storage area for the calling
+ * application. Integrations of Mbed TLS may support other persistent lifetimes.
+ * See ::psa_key_lifetime_t for more information.
+ */
+#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t) 0x00000001)
+
+/** The persistence level of volatile keys.
+ *
+ * See ::psa_key_persistence_t for more information.
+ */
+#define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t) 0x00)
+
+/** The default persistence level for persistent keys.
+ *
+ * See ::psa_key_persistence_t for more information.
+ */
+#define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t) 0x01)
+
+/** A persistence level indicating that a key is never destroyed.
+ *
+ * See ::psa_key_persistence_t for more information.
+ */
+#define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t) 0xff)
+
+#define PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) \
+ ((psa_key_persistence_t) ((lifetime) & 0x000000ff))
+
+#define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \
+ ((psa_key_location_t) ((lifetime) >> 8))
+
+/** Whether a key lifetime indicates that the key is volatile.
+ *
+ * A volatile key is automatically destroyed by the implementation when
+ * the application instance terminates. In particular, a volatile key
+ * is automatically destroyed on a power reset of the device.
+ *
+ * A key that is not volatile is persistent. Persistent keys are
+ * preserved until the application explicitly destroys them or until an
+ * implementation-specific device management event occurs (for example,
+ * a factory reset).
+ *
+ * \param lifetime The lifetime value to query (value of type
+ * ::psa_key_lifetime_t).
+ *
+ * \return \c 1 if the key is volatile, otherwise \c 0.
+ */
+#define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
+ (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
+ PSA_KEY_PERSISTENCE_VOLATILE)
+
+/** Whether a key lifetime indicates that the key is read-only.
+ *
+ * Read-only keys cannot be created or destroyed through the PSA Crypto API.
+ * They must be created through platform-specific means that bypass the API.
+ *
+ * Some platforms may offer ways to destroy read-only keys. For example,
+ * consider a platform with multiple levels of privilege, where a
+ * low-privilege application can use a key but is not allowed to destroy
+ * it, and the platform exposes the key to the application with a read-only
+ * lifetime. High-privilege code can destroy the key even though the
+ * application sees the key as read-only.
+ *
+ * \param lifetime The lifetime value to query (value of type
+ * ::psa_key_lifetime_t).
+ *
+ * \return \c 1 if the key is read-only, otherwise \c 0.
+ */
+#define PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime) \
+ (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
+ PSA_KEY_PERSISTENCE_READ_ONLY)
+
+/** Construct a lifetime from a persistence level and a location.
+ *
+ * \param persistence The persistence level
+ * (value of type ::psa_key_persistence_t).
+ * \param location The location indicator
+ * (value of type ::psa_key_location_t).
+ *
+ * \return The constructed lifetime value.
+ */
+#define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) \
+ ((location) << 8 | (persistence))
+
+/** The local storage area for persistent keys.
+ *
+ * This storage area is available on all systems that can store persistent
+ * keys without delegating the storage to a third-party cryptoprocessor.
+ *
+ * See ::psa_key_location_t for more information.
+ */
+#define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t) 0x000000)
+
+#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t) 0x800000)
+
+/* Note that key identifier values are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
+/** The null key identifier.
+ */
+/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
+#define PSA_KEY_ID_NULL ((psa_key_id_t)0)
+/* *INDENT-ON* */
+/** The minimum value for a key identifier chosen by the application.
+ */
+#define PSA_KEY_ID_USER_MIN ((psa_key_id_t) 0x00000001)
+/** The maximum value for a key identifier chosen by the application.
+ */
+#define PSA_KEY_ID_USER_MAX ((psa_key_id_t) 0x3fffffff)
+/** The minimum value for a key identifier chosen by the implementation.
+ */
+#define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t) 0x40000000)
+/** The maximum value for a key identifier chosen by the implementation.
+ */
+#define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t) 0x7fffffff)
+
+
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+
+#define MBEDTLS_SVC_KEY_ID_INIT ((psa_key_id_t) 0)
+#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID(id) (id)
+#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(id) (0)
+
+/** Utility to initialize a key identifier at runtime.
+ *
+ * \param unused Unused parameter.
+ * \param key_id Identifier of the key.
+ */
+static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
+ unsigned int unused, psa_key_id_t key_id)
+{
+ (void) unused;
+
+ return key_id;
+}
+
+/** Compare two key identifiers.
+ *
+ * \param id1 First key identifier.
+ * \param id2 Second key identifier.
+ *
+ * \return Non-zero if the two key identifier are equal, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,
+ mbedtls_svc_key_id_t id2)
+{
+ return id1 == id2;
+}
+
+/** Check whether a key identifier is null.
+ *
+ * \param key Key identifier.
+ *
+ * \return Non-zero if the key identifier is null, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
+{
+ return key == 0;
+}
+
+#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
+#define MBEDTLS_SVC_KEY_ID_INIT ((mbedtls_svc_key_id_t){ 0, 0 })
+#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID(id) ((id).MBEDTLS_PRIVATE(key_id))
+#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(id) ((id).MBEDTLS_PRIVATE(owner))
+
+/** Utility to initialize a key identifier at runtime.
+ *
+ * \param owner_id Identifier of the key owner.
+ * \param key_id Identifier of the key.
+ */
+static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
+ mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id)
+{
+ return (mbedtls_svc_key_id_t){ .MBEDTLS_PRIVATE(key_id) = key_id,
+ .MBEDTLS_PRIVATE(owner) = owner_id };
+}
+
+/** Compare two key identifiers.
+ *
+ * \param id1 First key identifier.
+ * \param id2 Second key identifier.
+ *
+ * \return Non-zero if the two key identifier are equal, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,
+ mbedtls_svc_key_id_t id2)
+{
+ return (id1.MBEDTLS_PRIVATE(key_id) == id2.MBEDTLS_PRIVATE(key_id)) &&
+ mbedtls_key_owner_id_equal(id1.MBEDTLS_PRIVATE(owner), id2.MBEDTLS_PRIVATE(owner));
+}
+
+/** Check whether a key identifier is null.
+ *
+ * \param key Key identifier.
+ *
+ * \return Non-zero if the key identifier is null, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)
+{
+ return key.MBEDTLS_PRIVATE(key_id) == 0;
+}
+
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
+/**@}*/
+
+/** \defgroup policy Key policies
+ * @{
+ */
+
+/* Note that key usage flags are embedded in the
+ * persistent key store, as part of key metadata. As a consequence, they
+ * must not be changed (unless the storage format version changes).
+ */
+
+/** Whether the key may be exported.
+ *
+ * A public key or the public part of a key pair may always be exported
+ * regardless of the value of this permission flag.
+ *
+ * If a key does not have export permission, implementations shall not
+ * allow the key to be exported in plain form from the cryptoprocessor,
+ * whether through psa_export_key() or through a proprietary interface.
+ * The key may however be exportable in a wrapped form, i.e. in a form
+ * where it is encrypted by another key.
+ */
+#define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t) 0x00000001)
+
+/** Whether the key may be copied.
+ *
+ * This flag allows the use of psa_copy_key() to make a copy of the key
+ * with the same policy or a more restrictive policy.
+ *
+ * For lifetimes for which the key is located in a secure element which
+ * enforce the non-exportability of keys, copying a key outside the secure
+ * element also requires the usage flag #PSA_KEY_USAGE_EXPORT.
+ * Copying the key inside the secure element is permitted with just
+ * #PSA_KEY_USAGE_COPY if the secure element supports it.
+ * For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or
+ * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY
+ * is sufficient to permit the copy.
+ */
+#define PSA_KEY_USAGE_COPY ((psa_key_usage_t) 0x00000002)
+
+/** Whether the key may be used to encrypt a message.
+ *
+ * This flag allows the key to be used for a symmetric encryption operation,
+ * for an AEAD encryption-and-authentication operation,
+ * or for an asymmetric encryption operation,
+ * if otherwise permitted by the key's type and policy.
+ *
+ * For a key pair, this concerns the public key.
+ */
+#define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t) 0x00000100)
+
+/** Whether the key may be used to decrypt a message.
+ *
+ * This flag allows the key to be used for a symmetric decryption operation,
+ * for an AEAD decryption-and-verification operation,
+ * or for an asymmetric decryption operation,
+ * if otherwise permitted by the key's type and policy.
+ *
+ * For a key pair, this concerns the private key.
+ */
+#define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t) 0x00000200)
+
+/** Whether the key may be used to sign a message.
+ *
+ * This flag allows the key to be used for a MAC calculation operation or for
+ * an asymmetric message signature operation, if otherwise permitted by the
+ * key’s type and policy.
+ *
+ * For a key pair, this concerns the private key.
+ */
+#define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t) 0x00000400)
+
+/** Whether the key may be used to verify a message.
+ *
+ * This flag allows the key to be used for a MAC verification operation or for
+ * an asymmetric message signature verification operation, if otherwise
+ * permitted by the key’s type and policy.
+ *
+ * For a key pair, this concerns the public key.
+ */
+#define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t) 0x00000800)
+
+/** Whether the key may be used to sign a message.
+ *
+ * This flag allows the key to be used for a MAC calculation operation
+ * or for an asymmetric signature operation,
+ * if otherwise permitted by the key's type and policy.
+ *
+ * For a key pair, this concerns the private key.
+ */
+#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t) 0x00001000)
+
+/** Whether the key may be used to verify a message signature.
+ *
+ * This flag allows the key to be used for a MAC verification operation
+ * or for an asymmetric signature verification operation,
+ * if otherwise permitted by the key's type and policy.
+ *
+ * For a key pair, this concerns the public key.
+ */
+#define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t) 0x00002000)
+
+/** Whether the key may be used to derive other keys or produce a password
+ * hash.
+ *
+ * This flag allows the key to be used for a key derivation operation or for
+ * a key agreement operation, if otherwise permitted by the key's type and
+ * policy.
+ *
+ * If this flag is present on all keys used in calls to
+ * psa_key_derivation_input_key() for a key derivation operation, then it
+ * permits calling psa_key_derivation_output_bytes() or
+ * psa_key_derivation_output_key() at the end of the operation.
+ */
+#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t) 0x00004000)
+
+/** Whether the key may be used to verify the result of a key derivation,
+ * including password hashing.
+ *
+ * This flag allows the key to be used:
+ *
+ * This flag allows the key to be used in a key derivation operation, if
+ * otherwise permitted by the key's type and policy.
+ *
+ * If this flag is present on all keys used in calls to
+ * psa_key_derivation_input_key() for a key derivation operation, then it
+ * permits calling psa_key_derivation_verify_bytes() or
+ * psa_key_derivation_verify_key() at the end of the operation.
+ */
+#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t) 0x00008000)
+
+/**@}*/
+
+/** \defgroup derivation Key derivation
+ * @{
+ */
+
+/* Key input steps are not embedded in the persistent storage, so you can
+ * change them if needed: it's only an ABI change. */
+
+/** A secret input for key derivation.
+ *
+ * This should be a key of type #PSA_KEY_TYPE_DERIVE
+ * (passed to psa_key_derivation_input_key())
+ * or the shared secret resulting from a key agreement
+ * (obtained via psa_key_derivation_key_agreement()).
+ *
+ * The secret can also be a direct input (passed to
+ * key_derivation_input_bytes()). In this case, the derivation operation
+ * may not be used to derive keys: the operation will only allow
+ * psa_key_derivation_output_bytes(),
+ * psa_key_derivation_verify_bytes(), or
+ * psa_key_derivation_verify_key(), but not
+ * psa_key_derivation_output_key().
+ */
+#define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t) 0x0101)
+
+/** A low-entropy secret input for password hashing / key stretching.
+ *
+ * This is usually a key of type #PSA_KEY_TYPE_PASSWORD (passed to
+ * psa_key_derivation_input_key()) or a direct input (passed to
+ * psa_key_derivation_input_bytes()) that is a password or passphrase. It can
+ * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or
+ * the shared secret resulting from a key agreement.
+ *
+ * The secret can also be a direct input (passed to
+ * key_derivation_input_bytes()). In this case, the derivation operation
+ * may not be used to derive keys: the operation will only allow
+ * psa_key_derivation_output_bytes(),
+ * psa_key_derivation_verify_bytes(), or
+ * psa_key_derivation_verify_key(), but not
+ * psa_key_derivation_output_key().
+ */
+#define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t) 0x0102)
+
+/** A high-entropy additional secret input for key derivation.
+ *
+ * This is typically the shared secret resulting from a key agreement obtained
+ * via `psa_key_derivation_key_agreement()`. It may alternatively be a key of
+ * type `PSA_KEY_TYPE_DERIVE` passed to `psa_key_derivation_input_key()`, or
+ * a direct input passed to `psa_key_derivation_input_bytes()`.
+ */
+#define PSA_KEY_DERIVATION_INPUT_OTHER_SECRET \
+ ((psa_key_derivation_step_t) 0x0103)
+
+/** A label for key derivation.
+ *
+ * This should be a direct input.
+ * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
+ */
+#define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t) 0x0201)
+
+/** A salt for key derivation.
+ *
+ * This should be a direct input.
+ * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA or
+ * #PSA_KEY_TYPE_PEPPER.
+ */
+#define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t) 0x0202)
+
+/** An information string for key derivation.
+ *
+ * This should be a direct input.
+ * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
+ */
+#define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t) 0x0203)
+
+/** A seed for key derivation.
+ *
+ * This should be a direct input.
+ * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
+ */
+#define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t) 0x0204)
+
+/** A cost parameter for password hashing / key stretching.
+ *
+ * This must be a direct input, passed to psa_key_derivation_input_integer().
+ */
+#define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t) 0x0205)
+
+/**@}*/
+
+/** \defgroup helper_macros Helper macros
+ * @{
+ */
+
+/* Helper macros */
+
+/** Check if two AEAD algorithm identifiers refer to the same AEAD algorithm
+ * regardless of the tag length they encode.
+ *
+ * \param aead_alg_1 An AEAD algorithm identifier.
+ * \param aead_alg_2 An AEAD algorithm identifier.
+ *
+ * \return 1 if both identifiers refer to the same AEAD algorithm,
+ * 0 otherwise.
+ * Unspecified if neither \p aead_alg_1 nor \p aead_alg_2 are
+ * a supported AEAD algorithm.
+ */
+#define MBEDTLS_PSA_ALG_AEAD_EQUAL(aead_alg_1, aead_alg_2) \
+ (!(((aead_alg_1) ^ (aead_alg_2)) & \
+ ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)))
+
+/**@}*/
+
+/**@}*/
+
+/** \defgroup interruptible Interruptible operations
+ * @{
+ */
+
+/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine
+ * the maximum number of ops allowed to be executed by an interruptible
+ * function in a single call.
+ */
+#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX
+
+/**@}*/
+
+#endif /* PSA_CRYPTO_VALUES_H */
diff --git a/visualc/VS2013/.gitignore b/visualc/VS2017/.gitignore
index a9ded4a..a9ded4a 100644
--- a/visualc/VS2013/.gitignore
+++ b/visualc/VS2017/.gitignore